From 6af3c5dc6944acf7007be549b3a45140e21ed96c Mon Sep 17 00:00:00 2001 From: Bastian de Byl Date: Fri, 9 Jan 2026 15:16:21 -0500 Subject: [PATCH] feat: add comprehensive access logging to Graylog with GeoIP - Add fluent-bit inputs for Caddy access logs (JSON) and SSH logs - Create GeoIP task to download MaxMind GeoLite2-City database - Mount GeoIP database in Graylog container - Enable Gitea access logging via environment variables - Add parsers.conf for Caddy JSON log parsing - Remove unused nosql/redis container and configuration Co-Authored-By: Claude Opus 4.5 --- ansible/roles/git/tasks/gitea.yml | 4 ++ ansible/roles/podman/defaults/main.yml | 24 ++++++- .../tasks/containers/base/fluent-bit.yml | 19 ++++++ .../tasks/containers/debyltech/geoip.yml | 59 ++++++++++++++++++ .../tasks/containers/debyltech/graylog.yml | 1 + .../podman/tasks/containers/home/nosql.yml | 44 ------------- ansible/roles/podman/tasks/main.yml | 10 ++- .../templates/fluent-bit/fluent-bit.conf.j2 | 59 +++++++++++++++--- .../templates/fluent-bit/parsers.conf.j2 | 5 ++ ansible/vars/vault.yml | Bin 15864 -> 16512 bytes 10 files changed, 167 insertions(+), 58 deletions(-) create mode 100644 ansible/roles/podman/tasks/containers/debyltech/geoip.yml delete mode 100644 ansible/roles/podman/tasks/containers/home/nosql.yml create mode 100644 ansible/roles/podman/templates/fluent-bit/parsers.conf.j2 diff --git a/ansible/roles/git/tasks/gitea.yml b/ansible/roles/git/tasks/gitea.yml index 601b297..b0cc991 100644 --- a/ansible/roles/git/tasks/gitea.yml +++ b/ansible/roles/git/tasks/gitea.yml @@ -59,6 +59,10 @@ GITEA__security__INSTALL_LOCK: "true" GITEA__service__DISABLE_REGISTRATION: "true" GITEA__service__REQUIRE_SIGNIN_VIEW: "false" + # Logging configuration - output to journald for fluent-bit capture + GITEA__log__MODE: console + GITEA__log__LEVEL: Info + GITEA__log__ENABLE_ACCESS_LOG: "true" volumes: - "{{ git_home }}/volumes/gitea/data:/data" - /etc/localtime:/etc/localtime:ro 
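Review bot: Enabling `GITEA__log__ENABLE_ACCESS_LOG` sends every request line to journald and, through fluent-bit, into Graylog, and nothing in this hunk limits what those lines contain. Gitea's default access-log template records the full request URI as far as I know, so a client that still passes an API token in the query string would have it stored in the log pipeline. Consider setting `GITEA__log__ACCESS_LOG_TEMPLATE` to log the path without the query string, or note in the comment that the Graylog stream holding these records needs restricted access and bounded retention. The new values `console` and `Info` are unquoted while the neighbouring env values are quoted strings; quoting them keeps the block consistent. The env mapping begins and ends outside the hunk.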
diff --git a/ansible/roles/podman/defaults/main.yml b/ansible/roles/podman/defaults/main.yml index c66759a..bafaf42 100644 --- a/ansible/roles/podman/defaults/main.yml +++ b/ansible/roles/podman/defaults/main.yml @@ -10,7 +10,7 @@ fulfillr_path: "{{ podman_volumes }}/fulfillr" gregtime_path: "{{ podman_volumes }}/gregtime" hass_path: "{{ podman_volumes }}/hass" # nginx_path: removed - nginx no longer used -nosql_path: "{{ podman_volumes }}/nosql" +# nosql_path: removed - nosql/redis no longer used partkeepr_path: "{{ podman_volumes }}/partkeepr" partsy_path: "{{ podman_volumes }}/partsy" photos_path: "{{ podman_volumes }}/photos" @@ -112,3 +112,25 @@ logs_server_name: logs.debyl.io # Fluent Bit is deployed as a systemd service (not container) # for direct journal access - see containers/base/fluent-bit.yml + +# Fluent-bit Caddy log forwarding +caddy_log_path: "{{ caddy_path }}/logs" +caddy_log_names: + - caddy + - photos + - wiki + - assistant + - parts + - uptime-kuma + - graylog + - cloud + - cloud-skudak + - gitea-debyl + - fulfillr + +# GeoIP configuration for Graylog +# Requires free MaxMind account: https://dev.maxmind.com/geoip/geolite2-free-geolocation-data +geoip_path: "{{ graylog_path }}/geoip" +geoip_database_edition: GeoLite2-City +# geoip_maxmind_account_id: defined in vault +# geoip_maxmind_license_key: defined in vault diff --git a/ansible/roles/podman/tasks/containers/base/fluent-bit.yml b/ansible/roles/podman/tasks/containers/base/fluent-bit.yml index 8cf2a09..bb81659 100644 --- a/ansible/roles/podman/tasks/containers/base/fluent-bit.yml +++ b/ansible/roles/podman/tasks/containers/base/fluent-bit.yml 
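Review bot: `caddy_log_names` is a hand-maintained copy of the Caddy log file names, and the second hunk does not say what keeps it in step with the Caddy configuration. A site whose log file is not listed gets no tail input, so its access log never reaches Graylog and nothing reports the gap. A comment above the list would help, for example `# Must match the *.log basenames Caddy writes under caddy_log_path; unlisted sites are not forwarded to Graylog`.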
@@ -27,6 +27,25 @@ name: fluent-bit state: present +- name: create fluent-bit state directory for tail db files + become: true + ansible.builtin.file: + path: /var/lib/fluent-bit + state: directory + owner: root + group: root + mode: '0755' + +- name: deploy fluent-bit parsers configuration + become: true + ansible.builtin.template: + src: fluent-bit/parsers.conf.j2 + dest: /etc/fluent-bit/parsers.conf + owner: root + group: root + mode: '0644' + notify: restart fluent-bit + - name: deploy fluent-bit configuration become: true ansible.builtin.template: diff --git a/ansible/roles/podman/tasks/containers/debyltech/geoip.yml b/ansible/roles/podman/tasks/containers/debyltech/geoip.yml new file mode 100644 index 0000000..023e285 --- /dev/null +++ b/ansible/roles/podman/tasks/containers/debyltech/geoip.yml 
@@ -0,0 +1,59 @@ +--- +# Download MaxMind GeoLite2 database for Graylog GeoIP enrichment +# Requires free MaxMind account: https://dev.maxmind.com/geoip/geolite2-free-geolocation-data + +- name: create geoip directory + become: true + ansible.builtin.file: + path: "{{ geoip_path }}" + state: directory + owner: "{{ podman_subuid.stdout }}" + group: "{{ podman_subuid.stdout }}" + mode: '0755' + notify: restorecon podman + tags: graylog, geoip + +- name: download GeoLite2 database + become: true + ansible.builtin.get_url: + url: "https://download.maxmind.com/geoip/databases/{{ geoip_database_edition }}/download?suffix=tar.gz" + dest: "{{ geoip_path }}/{{ geoip_database_edition }}.tar.gz" + url_username: "{{ geoip_maxmind_account_id }}" + url_password: "{{ geoip_maxmind_license_key }}" + force: false + mode: '0644' + register: geoip_download + tags: graylog, geoip + +- name: extract GeoLite2 database + become: true + ansible.builtin.unarchive: + src: "{{ geoip_path }}/{{ geoip_database_edition }}.tar.gz" + dest: "{{ geoip_path }}" + remote_src: true + extra_opts: + - --strip-components=1 + - --wildcards + - "*/{{ geoip_database_edition }}.mmdb" + when: geoip_download.changed + tags: graylog, geoip + +# Fix ownership of downloaded files to podman user's subuid range +- name: fix geoip files ownership for podman user + become: true + ansible.builtin.file: + path: "{{ geoip_path }}" + state: directory + owner: "{{ podman_subuid.stdout }}" + group: "{{ podman_subuid.stdout }}" + recurse: true + tags: graylog, geoip + +# Graylog runs as UID 1100 inside the container +- name: fix geoip database ownership for graylog container + become: true + become_user: "{{ podman_user }}" + changed_when: false + ansible.builtin.command: | + podman unshare chown -R 1100:1100 {{ geoip_path }} + tags: graylog, geoip diff --git a/ansible/roles/podman/tasks/containers/debyltech/graylog.yml b/ansible/roles/podman/tasks/containers/debyltech/graylog.yml index a149833..043bde0 100644 
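Review bot: The `download GeoLite2 database` task fetches the archive once and never again, because `force: false` with a file `dest` skips the download whenever the tarball already exists, so the database Graylog uses for enrichment will go stale. The archive is also unpacked without an integrity check; MaxMind publishes a SHA-256 file alongside each download, and comparing against it before the `unarchive` step would catch a truncated or altered file. The last two tasks appear to work against each other: the recursive `file` task sets the host-side owner to `podman_subuid.stdout`, then `podman unshare chown -R 1100:1100` changes it again, so every run likely rewrites ownership twice. In that command the path is interpolated unquoted; `podman unshare chown -R 1100:1100 {{ geoip_path | quote }}` is safer.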
--- a/ansible/roles/podman/tasks/containers/debyltech/graylog.yml +++ b/ansible/roles/podman/tasks/containers/debyltech/graylog.yml @@ -159,6 +159,7 @@ GRAYLOG_MONGODB_URI: "mongodb://127.0.0.1:27017/graylog" volumes: - "{{ graylog_path }}/graylog/data:/usr/share/graylog/data:z" + - "{{ geoip_path }}/{{ geoip_database_edition }}.mmdb:/etc/graylog/server/GeoLite2-City.mmdb:ro" requires: - graylog-mongo - graylog-opensearch diff --git a/ansible/roles/podman/tasks/containers/home/nosql.yml b/ansible/roles/podman/tasks/containers/home/nosql.yml deleted file mode 100644 index d58bfef..0000000 --- a/ansible/roles/podman/tasks/containers/home/nosql.yml +++ /dev/null @@ -1,44 +0,0 @@ ---- -- name: create nosql host directory volumes - become: true - ansible.builtin.file: - path: "{{ item }}" - state: directory - owner: "{{ podman_user }}" - group: "{{ podman_user }}" - mode: 0755 - notify: restorecon podman - loop: - - "{{ nosql_path }}/conf" - - "{{ nosql_path }}/data" - -- name: flush handlers - ansible.builtin.meta: flush_handlers - -- import_tasks: podman/podman-check.yml - vars: - container_name: nosql - container_image: "{{ image }}" - -- name: create nosql container - become: true - become_user: "{{ podman_user }}" - containers.podman.podman_container: - name: nosql - image: "{{ image }}" - command: redis-server --requirepass {{ nosql_password }} - restart_policy: on-failure:3 - log_driver: journald - volumes: - - "{{ nosql_path }}/conf:/usr/local/etc/redis/" - - "{{ nosql_path }}/data:/var/lib/redis" - env: - TZ: America/New_York - REDIS_REPLICATION_MODE: master - ports: - - 6379:6379/tcp - -- name: create systemd startup job for nosql - include_tasks: podman/systemd-generate.yml - vars: - container_name: nosql diff --git a/ansible/roles/podman/tasks/main.yml b/ansible/roles/podman/tasks/main.yml index 21390a3..9074a2f 100644 --- a/ansible/roles/podman/tasks/main.yml +++ b/ansible/roles/podman/tasks/main.yml 
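Review bot: The new GeoIP bind mount carries only `:ro`, while the data volume on the line above is relabelled with `:z`; on an SELinux-enforcing host the container may be denied read access to the database unless the context applied by the `restorecon podman` handler already allows it. Ending the mount with `GeoLite2-City.mmdb:ro,z` would match the existing volume. Mounting a single file also pins the inode present at container start, so a database replaced later by the geoip tasks is probably not seen until Graylog restarts; mounting `{{ geoip_path }}` as a directory avoids that. The container-side name is fixed to GeoLite2-City while the host side follows `geoip_database_edition`, so changing the edition leaves a misleading file name inside the container. The volumes list begins outside the hunk.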
@@ -73,7 +73,7 @@ - import_tasks: containers/debyltech/fulfillr.yml vars: - image: "git.debyl.io/debyltech/fulfillr:20260104.0001" + image: "git.debyl.io/debyltech/fulfillr:20260109.0522" tags: debyltech, fulfillr - import_tasks: containers/debyltech/uptime-kuma.yml @@ -81,17 +81,15 @@ image: docker.io/louislam/uptime-kuma:1 tags: debyltech, uptime-kuma +- import_tasks: containers/debyltech/geoip.yml + tags: debyltech, graylog, geoip + - import_tasks: containers/debyltech/graylog.yml tags: debyltech, graylog - import_tasks: containers/base/fluent-bit.yml tags: fluent-bit, graylog -- import_tasks: containers/home/nosql.yml - vars: - image: docker.io/redis:7.2.1-alpine - tags: nosql - - import_tasks: containers/home/gregtime.yml vars: image: localhost/greg-time-bot:1.5.2 diff --git a/ansible/roles/podman/templates/fluent-bit/fluent-bit.conf.j2 b/ansible/roles/podman/templates/fluent-bit/fluent-bit.conf.j2 index 165458e..77b902f 100644 --- a/ansible/roles/podman/templates/fluent-bit/fluent-bit.conf.j2 +++ b/ansible/roles/podman/templates/fluent-bit/fluent-bit.conf.j2 
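Review bot: In the second hunk, dropping the `containers/home/nosql.yml` import stops managing the Redis container but does not remove it from hosts where it was already deployed. The deleted task file published `6379:6379/tcp` and generated a systemd unit, so unless cleanup happens elsewhere the service keeps running and listening, unmaintained and outside the playbook. A one-off removal task using `containers.podman.podman_container` with `name: nosql` and `state: absent`, plus disabling the generated unit, would close that gap. The data under the old `nosql_path` also stays on disk and should be removed or archived deliberately.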
@@ -4,27 +4,72 @@ Log_Level info Parsers_File parsers.conf -# Read from systemd journal - filter for Podman container logs +# ============================================================================= +# INPUT: Podman container logs +# ============================================================================= # Container logs come from conmon process with CONTAINER_NAME field [INPUT] Name systemd - Tag journal.* + Tag podman.* Systemd_Filter _COMM=conmon Read_From_Tail On Strip_Underscores On -# Extract container name for better filtering in Graylog +# ============================================================================= +# INPUT: SSH logs for security monitoring +# ============================================================================= +[INPUT] + Name systemd + Tag ssh.* + Systemd_Filter _SYSTEMD_UNIT=sshd.service + Read_From_Tail On + Strip_Underscores On + +# ============================================================================= +# INPUT: Caddy access logs (JSON format) +# ============================================================================= +{% for log_name in caddy_log_names %} +[INPUT] + Name tail + Tag caddy.{{ log_name }} + Path {{ caddy_log_path }}/{{ log_name }}.log + Parser caddy_json + Read_From_Head False + Refresh_Interval 5 + DB /var/lib/fluent-bit/caddy_{{ log_name }}.db + +{% endfor %} +# ============================================================================= +# FILTERS: Add metadata for Graylog categorization +# ============================================================================= [FILTER] Name record_modifier - Match journal.* + Match podman.* Record host {{ ansible_hostname }} Record source podman + Record log_type container -# Output to Graylog GELF UDP (local, port 12203) -# Graylog needs a GELF UDP input configured on this port +[FILTER] + Name record_modifier + Match ssh.* + Record host {{ ansible_hostname }} + Record source sshd + Record log_type security + +[FILTER] + Name record_modifier + 
Match caddy.* + Record host {{ ansible_hostname }} + Record source caddy + Record log_type access + +# ============================================================================= +# OUTPUT: All logs to Graylog GELF UDP +# ============================================================================= +# Graylog needs a GELF UDP input configured on port 12203 [OUTPUT] Name gelf - Match journal.* + Match * Host 127.0.0.1 Port 12203 Mode udp diff --git a/ansible/roles/podman/templates/fluent-bit/parsers.conf.j2 b/ansible/roles/podman/templates/fluent-bit/parsers.conf.j2 new file mode 100644 index 0000000..bd8919a --- /dev/null +++ b/ansible/roles/podman/templates/fluent-bit/parsers.conf.j2 @@ -0,0 +1,5 @@ +[PARSER] + Name caddy_json + Format json + Time_Key ts + Time_Format %s.%L 
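Review bot: Neither systemd input in the fluent-bit.conf.j2 hunk sets `DB`, so the journal cursor is not persisted, and with `Read_From_Tail On` anything logged while fluent-bit is stopped or restarting is skipped; for the `ssh.*` input that is a gap in the security record. Adding `DB /var/lib/fluent-bit/systemd_ssh.db` (and an equivalent for the podman input) would use the state directory this commit creates, as the tail inputs already do. The filter `_SYSTEMD_UNIT=sshd.service` matches nothing on distributions that name the unit `ssh.service`, so confirm the unit name on the target hosts. The `[OUTPUT]` section continues outside the hunk, so whether its short-message key suits the Caddy JSON records cannot be checked from here.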
diff --git a/ansible/vars/vault.yml b/ansible/vars/vault.yml index 19e4a43b2ca5f79ce60dcb4e76ad38fe291d3097..61330837874f45326eb3cd0ea0af174c23ed085b 100644 GIT binary patch literal 16512 zcmV(vK=LjRDwp3dLaX}RM$xS&|^ zKi<2b`1-sPv<1F8W_ySWMK7oFV3Wj#>@#9`gdVv>A9mSep@zMb#54GcBl)N+@~L{ft;opF7y@CjO`YT(8E`dTxG!r1!fMX_VS$bSF$ zc?{0VqMyD$60v(q`~NdRW*!PjV>He0AGvU{bn#o1ekPX2XU%gSk9mBX*k9(@ADLtT zXotFx=mR!EuKB0V+s;Bg}yl4*+QQgJNtmGJfoJsK7BNU7b} zz^*PX7~&zXltZWoDBI&2Ay%voIE)NO5Gs@pNhjaV&~FZP)yPgUsbK_?yNHO~@g<&A zeOIe3HF$^B`7FK9{2CX;qM`AIdhsY+ajU_la-K3N7xlpxZYjUha)CcZB#gcVL`;1+ z*E}Sf1lbI-nJ{9%Eb}cO9CnyhVa)olV&ln8uf2MEWnF**F3Ol2-e2Y!BC}d`PfLj} zV~AQ2v75I@;eN`%h~ez3@Kl}TH%w#u@<`q*8Y|c~fsX6SAiRy&1BpZU< zhs&Mz5#PVHLTa%xJ0K~@XYwo1#naYQ9pkGH+0$5$;}DG_id6ICMkT$$vp(7xtBs}w zO0=j>mIfX=Zf8MrX6@E7Lps!XWTp^;z+upSvBZ5x@5KaQhxWu)ZT3lQ!or`7o1yZz z%;Q4r;@4%dP7JAt&kWM^JlA1Kb(p`t`m{=~kE-&1?b#X69o4R--yKX?6>44yITC&7 z>-V`xS4ZL)*!af;Wwe;Q&9?Vd3XzKq??tsu@UK2f4&bnEou*sJ6u+Czy|n@4Lw)@0 z4##=aVX2j6f1vjM6lgbJlCW1eULR1rvmp7fYUQlDtXh@Fi>+uS?xIwu9jP9MO6NJU z);qouZ9m#)b%4oiXJNv<1gnldfPMCbK4OfNW2v2*pUi>t)SN+e&4)>TD zhkYHb4ew}=A`=1V1n;bB;8hx7QLr1%V|r&8LGpWRhiv{K-NR-*9t2+5j-?+M(i%b` zFL$i3GKcq?nDQvr{j%>Lf~Q z*Y{S9IU>+<7Ob~?e;wUYz-wb%A4mGkUr7mqJ=~xmzF(4jaKKhPgUEc}efFtr`bZi) z@EwE(vlCidd_3dJM?;SAZzV-|ut-RE_~zbo$Bw)kZtFQqCjjt*9q|!4fX*seH+s|R zOV+vg2jo@T1bU;vyQ{x3bOEheL!(BnXaXOy2Ixv(bW z1$hT^ADI^bO>~1|)}@?3?;RpB$DY#;91v)CI?+rV!V0AbWv>qEfH2!{;3Vh6ipxjN z>*fuh;w^-&LNdNORQ$SQ#b|e;lXuC6yTsn65?1@J$8SzSS-@%sRzMCAl9RDCTEpJ% z9tR`Tq*VBeCawIt_i^hJ{O1hnB@c5>8m|=j}^tq4sA>wl4q9U%)D$s9fw~D~b&b-z# zZYtEqVQMTnq7;w~UMZ)7am9*NJIzdU_)Zeu9g;Y5Vd@8#|HW+pj0n2p5!s{WE2|f! 
zJuXngYezJ_qM`_E!r<#J5*bQMQkbqRpZb!Tf?rh;=1#pinF)q%j_*i;E+0Q!;P>b{ znKe-ctr!*C)gdol6f-bEnRUqnskVy3AF#dbDw4U?c%5bG!{lCa5Ge#2RQ9c$f=~J9$ zEKn!BM8v4C=_W11J~et{qYpxFnkI zEA5bnou+opBXvnEPX)(oup@2`WiFQY=~QT?bs6R$)=j+Bwhy!`T+9udtUkB$cdrw_F+igA&pB@1`2m-KLO zAV8VAKEIL&buwaj@6g5W8Wn~5mmYr8M+fZ9Y8tW4Geiv~r)9GdVq0nL0>V}$YMFqW zhe_IvJBTWdHPRAYRQrHmEiAdf!YGJ{aJ$m&*}$<>(l+yWPy_ey3%ko%PZ|%^NE>CR zHp8HHi6f!~j7jw0@W;39(6rq33x$X>(34XGA*>@qwh5zB_}JGxi9u zDhKI>?3kIcC!i+?{@=HSSm=IBQ90!@G7IO<6^F&I9@=od&lC+$hS<+a?SOmi|FXep z3-3HAJ9%wE=7-3db0?JSj{?E|nd)?@DYU>BLwZ3HkJJPn`Eu zd*%WQSEvZ)jemxd(Lf3SWr`!p?gb(g^x zWU&m_zYL?pP>$Rkj3?x!pk%R!uXD#)T3J+*bj3EQ*e%euZ?|w*7-(F|57=zQS%R0H zT3Q!%^4EcE+8T^PeIOjwM_7+DS{LjXnulHZ^EOku&jr7QurRe6M>mD4Poq@+a&glV zaNi@{^$NkrHDC44Z4w3L_ox`53R(q1TSL2GVlmsz!uZk)3^U{}Z7AZB>>pU8^L^pO zTu|lSuL`OM$=P!y6a6ZpT@ zXlKDa@RJmY%g7<5@as!*8UrJ(kzc%ns{QiYo%AO~K3MNKujLg-&F_otyPyzn2fkkc z6i<2)g(a_;ebDF(pv4&)tw$S|!wfbw0#^*;I&ISfgUu|*R4%H7tr-nc>sGhOuX_Sw zXP0~e@448PS0MW3X4k;-TkW1q#xt~5GK+&mu=@b2FmI&4oD?PjfEbkPs$NG2vRdYq zg^)Zf%rAJ-MchG#v^S8RfuIJ?+DWZ(P3M;kt{qb?gQjIZQINgBN z2)pjq!E$I8$Ux?-CZTUHunbs?AZ%eMpdy@@5QPSr1!U>jgeWO39{pn2u4MBOOD}|{ z^YUAbEybViN>kbWk&aoi>r{S=+AuIuy#Wx}lAa~)F8mIlF_q0o2F9QYl9foyJH@qK zz#)X|+$YdE=FQ>Mi7tN`i(b-H>m{UNIAJV*gaFKIv;Oa|EbWH@&UKUHlPQzFX*(b= zL8KJT7&yFu4`=qFt}j$*LC&{!^PRK^8buX8+6h>K<&OqnB~DDC>03RkgGNVdZyg%n z1OIr(B=?Zn)N=AmpeySEKNa0Eh;|XtNRz851(#RQ)!!WQ9?%ac3W58{Jf*K3c&Ji~J-`|i4$ocBO~4?JljrC2tCJx0NMhoQB9U%VQt0ul{IBdQH60rO zz#*elY2(bI0Es6Grgy7@D;A$^?>sV6367I2xo3RYlsUFItmtH%z{6LU@z{cDm=OL_ zm=iy!1<`08qQj=*XcE6sFrOBcLV@mM^Zm&Xuu-<)lbb$xUPgw|fDyXe(d>Xyu*{#` z^82(5p?LwCLzmJio=|=D@vREvwU{*k5MS~aYMGF)7p0>Wz7YKzF&V~`OBRm&-dJ1?tZIe{&r8=evA z&{|G6-PN~M9ZQ|5)m>dXmi$DX*mohHbp!bkf;|%e5%RQ1*ry$P6WK)TaV_wB4zsdn z%!|5WFu9k#z|X_7>rrly9bbufN55hlWw`3B1MT{x6_F12L)$2^O|1csPfT5C{pYHm zTd7(~DU6I;&K$}NX+FRlP#KbN^c4{H;P>NO z)f7C-f$0nyb!aI3D>?64TzwN+f4EuVd2o)s-hBeUO@V`fWnL#wLKlz4(gaJftJD}D 
zFMc$m@OM0S+P5ru^JFDXQMbNMspl8ZD+riELkQnrO+xm?1oG#kSHdpC|ePz`H%($zq>l6c}d%5|u52_9Z^Q><0=J?1n-+>X& zle+C>iP5Y0^Fwn^*F&<-s;ZyO%xukuTjmg|L^_k0?w@m{<)IY;oUb?Z`q! z5x*xlN?)8hv>ea^NI08jdFVOlIn$o8#kcK6QSHwCaEXBkHa3V$wo%=bzY74B^a=*S z#UxrY`s#!%K?!;FUea8v-NA*}Uykj5o}vgc)E^$fze`{p^}*@YAJDQTSP7Ge7Eu`z z!qV=`3e{=J%P}clwF^fvHv4J=g2YWtuE$m=@^)_!GH5M)Cf1)3=(UD2F5&ft)O+ zhP7=~5t2Qq9i3cRKQ2qwVh>&hjt;DjT#RnN4^ZJ2csc@%;O1ebU}x9YhBpiSH%V0K zP(h2tSb^`KYJz9k4)HY7T1e#eKbmP_Cht1IKxR$XR;-bRK84{U&(Cx$qQ!3_5%18b zveivOuFIIXWC=<6BsfkXdbODwSss?c*G(j%A$gXC({gp(ltg_-wYXDqb*_5MX7I%LZN%r3Atd|Mgz(d| zj3DxvbiePhW{z;Oa1kINh`VuGx$9xx-S|2pB6VMK2duBw6!x#>R6@fDQ%snhBpuB1 zYVsTYGI3KMZn4}mpKfHo!9JKJIqDCtlB#e3q_{6rtKNc8DQCGndLQ731 zreAa}jU%_qC71>2?cWBEeXP&a+Sr;|0Ym(=qHu^)p0*WJ$5sAU;gUG;$Kor&k zb%ZZR#055QTz zGf{d}vfoZ(dDrD2St#8+DKzF;Sl_u0*oT!=kz%SPU2}ua%?671G;F`^{57g$i_Yr1 z*3hOBIS7pJ8yLH+2Snf(`yhZqcf`m349cTECm9(U-f@+p^nP;f9`lXe0e(w79sL75 zVL(iwbg$ESh6Q3L`;L{vvox58hch@2(M=_iR1vf5CaV$lN=ah!Q{q#ab}JVPP2snsjPGKW^M z?U}p;T?-WsB!yVyTqu)zDQQse$RtM8WWbGoI(`??;?MqSKu#zy9E$zy1 z^>R6aDFF`2ONB%UFmB$;mdsnOa%mk$Jd5`&qfM9GgAS>R{^lD)2CTu(Kn-E9VVfN= zCK$K_M1Hg{3+eKf*Q+f~e%l<)i}%R$u{z*1fNtb0m$BLa7xdA3yCvI=8D0j< zig4Z+N*`)>5@u||25lCwgm*g2t7ZRFC&YLt)f~wuC9z^CAV8B+rQ_AKR4xl>8xldm z)XR-Ikn;P=xN_VI?D8CB8RCt&!9)Wfvv?au&aR#=)}+|DW_0@!}eVB%x=x*Nd<|8cUcJz z->a6ZLxg>W0z%*7ZtlBz4vR15NF zpaUeW+us}4xe!7HRfqgfuq2xOYo}(={7w?*+l3tCPmXw$0j(sYqX;qTnmK%%O^LIpQe?D@h>JfbfASFp2xc$~;nxVuJs1B^PLB~}}!o$+1TjElL z$)Z?Gb%J!AxxmW0W!v=YWkj%w&v^rQ>`KEok;NA%sB_F4*~*U6HA&?BV<3(-#p(PJ z=4u0Sh3BndfvRMkG{Wcg4ibyLedxwak`8dUAh|3}&&EdsldQD;x!f3e1@N1X>d0}t zNG_A#>JHru85W6`c>slkr!Z4*jVq_`xDp>iQ(bvR@or`W%oO}j4?-lCRq?vyGDI!W zHt|7}N5j@j4W)z4SP!RyM%VI5KBmI3%FUU*qRGlv&a8rIAzWA;m)Z_@f` z9`t`%!FM{RZcF{kTgLz~}vQf?U***%ZDL-QZLnw8lwOvko&kf*4S;v8S_qv3~ zm!+1plGz>;G!a9KD-pN>h-t)l`4EROAbFT}G4wDa*XPXKw>g$f#XKexjVF?u_4ewG zhxoGO)9}^Jdf{sn3w&HUK3TJi<}@sS_;6XALxPO}A1cjt*a>X3af$5$OI(y&l)XP( zc8v6!1xVMcrU`{4kqQ|a-mPpkHOrkgCE4nx1nwT!y?Nt@Y#rNeAY)IrhT_SKpD%F6 
zKV#@)+E#I_^Q)S3P6bQy(V>V~;Z8l2)KTYjinqV{_vj6~*5WA5%({cA4n-tsI$(_6wMshG84{OCtdVteqCVjR)AlU7}peCgZ!qn4G&xQ1GF!Q}-d@yPAzI$+vavCP*2D04@wvr{}LQFrTO5!LQ zGtkI+20-;Ke@n#&#%l#6MxF}`(q8J1(Oc%SLVdJcP47-A)k_G0w!YaHsN8?u_{ZtX5CKxs}HoXGG9&p;0++;R3l!OO+8 z#9k()+0p*M%&5r?42=p?(bg1ME_VEL2RSRLm}gpz-zzSNd}+G;#Fv`YH>Hsd5*G6p zo2*&M5ggpgBeF(}DW_@a)s(}3uGm+>e4wkvFxHII=fd9$%Tbl4J)_=Pal{vX2}DI?=^|{?bi{h{>QmdcTc=Sh;MS60l;RP`liJ4Jl}m7UptCR zvQ!*Nalrmc>Bh!jom{b{gx0BO_fN60uFB1~m2PKI@6ikR2?<2+Kb%6ew5K6>#Oe>J z(_gnc^_+#MmXGE5njKjV-#UXWr-$d~w8|>vMIQHmbrIi1wO0PmWLnFa{m`3X^1Z~W>?lcxMzzeg<0ZrevU=h5r49-aS2;uMNE zvZDW_^`$#n{UarveknquQq;!@Pt)hPAxKPWaU89TU|Rw{>n`^7PrC+Jx!HZ$H{szH z)i59DJlE8~&e__=n8S{bf?E31Hy1ax;09~15A&9!FG!1S#~jbvhX!c|11m8=(QX8z zXGr8>*hN}UC=pFgbD&lf60qk+1Sr9pPlq`%29X*}bwU|8|MtC>#20E?^Tt{B%`tay z^2WG{nJv;hN|R1JzGR;MFjzD1=>`mf9DY91OswS;Oyf&VB;t`>+>Dc2q|&lZ^2)j- z+b;kz-J~$~T;^wj_cH|{6wjll+(mS5*Qvn#ooIrR1GAJJ0c#pXfnspQmi{>>e|0);nflz;2&?7a!8`9M{0!S~esQ^TBsZ(udmGdzMMnGXCvmp#*kew--lu{oLUqjq_ zRr`0Gr{MGGdwPj=iDA`HyEw;wl@l546bMaep6&RgaSQ8)qmI5wod<3bY$5J$Gj=n*!Fmq8PKqtSX~Go z0do0kDx5WC6N$EKcF{%rHR8Z%$8l5FBCuNzzQ^?3LW_-x{-kjCIzAFXz{&@eEQJHx=SNA+lk}0}L$X+7i z0YBA}tw^z{+BFF}_(#yn!%}p(14!w?kE%c2d!+bS=Jm3LJ6QAw_)-IMr#(AKd0W-o zTlsLENIrL`vSv?mLP3+qf8VuDO%Qv|2lQ{6JsMhCuwjVK0E8+)ekGp*TT#78r*Qve zZ$>LP#OYXI<;Xq+5yMlaIImZS9&T%MjAt zNUU~($kQhro&novwu2nxoL^ok{K#3@JXN(I0t@(BkMi@LI4yfCfSW0-*C>ghs^`!X zt)!f(pA#zP+3MYbo`>Vf0A?z}mpyJ7W(2mDaRV0%sQ**cCuudG@dq-$yF~^QJg+~n zNP$pE1PSJUWl`MAiz*a6mrj$Z8Y$4W?UuQjQ2C7meWwuwv_muK-Vu_+!>Jttc_Z$1 z<Cako!grFE7CGP$qhRe*djWUBUjdRFw z|8j6R(vWECpb51R#T+NkJg%wfX8+2zZP?+>>s2(l_N;-xnBD)&Y23jO|kU5DHz`w#84PWF837IBep<%e1 zHpfky3yE0#cZR} zZ}zCfU5CGd6;O^;n5>bqRK8suMZ&5M?+5kPea zhX5Euwfs+ns5PV+`MWRHc&gjaQWl+C)%sVs9^zpwZ(s?mGWhBlIfNleEAw*m9?^+fS^J)sj-R;#Gi8oOff zCFzt?@blklN9U`%zl00z?reV2FzWCDGLO4zpQ^RJ=J=04&{7o=>7`n#n;lFR)26$r z5b{KjWJIx%=|em=DD^6(@M0eGG1oNSLEkWD`n_MSt?l0B4*thk&>ZK3k>3Qbe8D4h z&jYgbY#t?HcJov6YtUlRP>fIYj7N?9HNK^WB*CKbXR{ 
z4cz?G>>)>E(YrV2=&~l7H6g;(5jl$j7FFmb;HUdUAi`?Qqc~WWD~r7`!=eA(!C(YK z-axY5%utG#b`F&^<0j-2{JpuBCsoX`qz1RFqrUGHZ2&s}0slJA8@5Hg6c>2RLu} zyX=017aK}!xgTDo8U7rd@>?z2RXntbk zyZh{53Ye`%nf@6s!}lmfh6^Psp&&XvS98t*v)p$?a=9t3W`qZxi-v9* zbIZJ}NUyS2~zu zl&rrp-3rkXjXh2ZVpv)~4lKMx6!$1ZWwC)Su&G3c3!cR6sYvEJzC`Cti3JS8OY;H! z@UP_WTw%>V{jk8p(^NL3=!*?Foenld^ysS~?aA3K=N33KMc{^)DDk}uDFV&AB?Qi4 zmo-8(L`kwYaFXE?S7~zGQm=@H3{bGWdpA5tE-FciO3_~#{WM=&3k4{F$Y^(c+!U$- z1<+l^_%7Vn-};>P=XL*?Kk@3tL0dNgEa#AXZr&c?Iv5c6x73^b1No(^4N!_hE1 z_fxYM+Am?4-tk6fiv==h96t$EHOVL>4SeTI$%cq{3uY+$z+icz53Kot1s4Q^6Dl>P zo}MDRzvjD+-+`#9Y@M-|PP)DX$4Bt7pA5@%t&?vWgLlfEjRA-bzE#h&f{Ss&&?j`*- z`;`QLODvX$kIwVt*TkZ(1wpAz+aRa#6eac<8oNi;HyWWO+FIU9%h}*)8n}JN!eml? z^0I>4pRvU7zFMs7;>Z5T8sRh8q)&>YmH;u16P3hH-=k7oC={d_Ky?jBn>!Ost|C zve@8}9zF8fsaIO`BFucj38J!mRDEo^AFf?Lpao{WMME&zLp*+lWpSo8ZDNp{MT-5Yc>9CQ^s*by{y(?PL!M z9^2wV+43Y}2&CPQ0}|748&3J-ti0#MhgRj5;;-<1r1WHDMz*Hb<@=h1Y|Et{WZb?h zzq1d~OMcvpRa571b&7oQ@|8O(&`^+T(dSs9u7R0I9YgSC{*BA5OY#U}{RqnCxwx>v z8f5dN2*c|6Eo!4EP>%|r2a|rC95~%S{i9o>*j0s(icNC7d`SD|T5e#jTCv5G$>dAZ z2t$T+mHFnRpq6o+%@i`$Y{||ZK|z!lIzI0THE)0V5|X^z*}V(Us+G@^W7+DH86gFS z3^5P%X1zhhAaE5!-fPAyzl{?3PF#|lcB+U zxKzfDaAxmtd{MyFtt(s4;b&hfYFeP~-90~j50(UMg;1}?!%0O9zYA`cyACNS7kzm= zDrotY9k@xXTQyNkg^ts3C|>9AarRfcJ3RLVVNS0TQ_KamFmtuWx~}Q<2Sqs3?m>ba zkGNY}NoBwR#h0 zWsxFGyflGni_2>LAzHxm%&k+Ee>33eY9u6sIJ6IPkE|>s5~gzsHjvpl+qvxjALt&{ z1zL$-<*{Sg=Q!z)R`8IPIXPpkXkl3h08x4rtW^Yy6Inor#pQlZhYCss9cZ_nL5C{2 zQ){~*@zSjZrN5s&`$zSSk4T7UTuA#sqwXp)JG8o5Xs%Au32W}K=9 zUD52Kb#@jIUEvxpedJAKUBJL%wSw^fp9HrUoCU5X`xK#N`z6SGYM#?S{eQD>Q@Ifv z$|>X|dFsHqZuHBgmrs*LC87CuCi5KVfzh3tPdVXuOlv@wgFY00YoH-FgD*3Y#;Ky# zn2ky^x^9i-pt)|4bTwie$#)IE;nkz2yI2jLgrAA%Ea(Lf&ZtNa@=48>yPGP9ALTx% z<<-Qk51eKNe7W20zE7RKIg4jyVNtZW7}4r8TH2^>gRvz<$C{hD6gv6ZUNl4Ac@(o- zcsUyy%1MAKUD2tRnCB*y+9BF%;1R}R=+CfCO{GJ;Yf?%4$5ruBg|C?XZHrP7qA9gI zGH+pgBWDNg)hJP#w!lRxjgArNW2SOreM{HWodS4k^m58E@TB$`L}dmAmWDrqEa7V* zbh#qavOxs`WZqDqBS@7(tt}MHW}9L2Ea9DU-oRK0)mKGYsSAj|xgeIGYSBQLER~wM 
zy1>Eq%Cz}Ur+qG5Pq=#~n!hz-ce5c(!|=SPuqI@&E03DJh|QZl4CL;2TXdoJApHn3 zebTZ)SXVc#;DmX$Q4)Ufx4zKQ1T6CKD#C8BEve!2;t96350btJAju`BjuuQ~4t#F@ zV3>Mw)X4Q-(+V)jC#)wzY1ZQrX(-1>Rj5$;dS=k^X8F2yhE5r45 zZu#_a0}pmGTD*Z-twIGeOT`~}?R0MqBvd}ZWV4am(e-v6ed9aaZ1C$eY7FBvoS;Bq z&OX@Cfd#oI8vskYusd0tX5#FCh}MN`<88gRL}nqPK7|`@=AY?3RLJj<_A=%PFs(oc zh3{kvqU3Pu`AojWhkD4g-3x_n<(!SIStyBB$%b1U#_f$$8|4Ao(*_6&r%n)m2nZI* zhGfO4iM(;ZICi6s$tIl)cxF6z1_d|wLJWM$pnZIVNKT*YI>UG0L{+GmG{5lj6){*- zG@p>0Yz>zLO9Ff{HV$Me1Fm&*2^?3Z z+WjscVddFnIg*EabQ(wIHqzc&J53FpF&?2<(%=#Rq;eRg>rKmwBeb7Latg(yv%BX; zb#?Ji2KKGLF#m`jFB7O>-k6^i|#P8@g&e7q|8_jr$5iW3pEFDnnJ ztFB+`Jr^eh5+x|NflCSASR^YLQgkSt8l^=ua!jHvxdCvxJDc?|T5TjFkL1Nrn>0a# z0QQtD;uWF5_}79CR5Cu>+8QJ>0Ib;*ngcv&3I(Y*S`u-AkgW)7&Hk!nH>^8m4hVz8 z!^eZnF9Iw|g|LpwL}!Q3O{qy9R`A=rW#xj&4gtpSB+&c;TWd8c8!zqgtbV8LtI-tU z*q}b+wM*QRusJ++4qm%n>ml1IFJzU4fOo&l12|b`Sk&}hO^gBP-G>F(_5yDqfp(}} z1y~E)T3%21$iOaF!ulr&0ac^sNW-DMrxjNR$lr1cTi-<(Ig3a;>B+|LbN1g$WYpPO zK|y2H5!90cGb z2HTh|M({5YCL{Oj7;K>pxkV&J^wb|9N20 zT+DTAl%4DnWfQA)5+6fMCG4b=HAZ@WLO!yB8*B?7w$gcITCwgWLo{{c zN$p+ap01tskSmyVO{}yO!M*h05;hEF*$UqU$pUu5z6?9sA7ks-^G*C>RL4kl{+ z8poF8%>`cs)w{G*4I)tnD?pK0CD}3Ch=m#mUkT5**1$$y4}Zqp0(i7pYW$UG&BYK( z!3DpLR9LsAI|etFOi4(xZmvZB(IPh_p)HYU_|MV>-wEyIthPZ=Ebs!k{8;d?^6#b0 z9*wq|sv`;&qF*}EHgN)i%nu_oxh}09rGb9pT#DBVbC}K-X{w+t zM?t=dGr#e2UKb&%t5RXCf^&@Xj}Ao7agT?L=d0R|NO7=MuI^R2#4BtiD6pHPwf1=; z#^G<#2U_~;q{REmS7q*;%s(r_d0Q^SI~#`Sd~%gtQ*EQ71#;>Y$Fg}5ufyDq!$XVj za=6{Is~?pTRFc!pGw0^nY*VknmP#~7KyPeH=5J|P?FC&rc)Bs!bPkqREn&5)x^q!L zjeHKsSK&huo<CiH|$BKN*5#^H%JTfk-i+D(AKW^{Azd zev_N%y{j}rC5FhhNv93aJn)f0<^=qlZ=%6FOH}N_3?xIG2)HEF?)22&3wmbFEvBJE zE9o&)9~qL9AL=GQj);~)u~zwMq|#X39+cV>U>in4`k|L{Eqe0c$~s(;2!jdSm_4Ln z^nEX~X1eN}L^@|iZ4%Epln1%;MMn{;Ph1fKo)>wC!g!oU?(M8Nf+ zDa~YzBAX#9vqAOEO*&_`|NIU*U+9|qJR_fentc+O5v6aEu9)?Do?ked%!|hso8YgX zuT#v>yic0C_L@RiwX3_}eF{DNdY>s24_l`U&joLAG6vmrF+=3$;sGB|R-B72xhLPF zqHyIt7LXA@Lc3>L;=p0j1I?~7ZSE>-eX=XYPx8os#uLT~W$wonLsEyM?Np+ur{_9F 
z9iuLQEquTcinRyx3L;GI9YW_FV1^_~2|U8tWXpXFjRay-D=hTOH15ihcNq|MHE8}X z`C3hAOnedpBQS6QA}_7j(*z*%Z{gK$$%M{WOV0-Xy`0JC2$ZSyEoC4EQPq;@q{XV| zb2`j7nv!EceU6f}i-sXY<)^TZ@Na_A$|jMmTE79uS; z8H#bpcSM-nbt=YCTBLGEn`MYtwq)&2VE=UK*nljxCbUv>#~)fgcM&5FwfuE&_Uvzz zjAJoTvh!**4L7Wa{5f}ukHzC0_}9btw}knrCFlS-QY`-jH7sj$tf7-=Z6=E}flPcg z5@h9VNS{BWPZo$VA8Q~0zTdf5ytTByN?3-z6KU5BaH6eXJ|SVjX6I>d{(ehZ>HY}r zE6vN}hX;+1pow?i#_Uyc%Ey$~_X3;PbF!mrPL{-D zK4~#uW^YEiT^N5BP^)03!xIJZ5jDy0HktXq#?8+!WNO$grA^6vQ0h#AndJch^0$xT z8T9pG$2PNzIKndjoNJPEe#$x+U$i`e!ztkT8p zd*NHi#qH_7UTaRHp`TLZ9n+OZ6;bu%x*0vOMe3fFH<(*?Q%Sn1KYm~qi*T4iZO!Y^ zzb-y7Yz(_e9}ndKWR;Do2vHFCopNsqH9ri4T5$Se9CWtND~WRLA=6lSU)zjU7cXv6 z+D@se7sN``g>(@7G7$}c&@~nzJTtHCcPYlF9VW&@;POQ6ZqLyY0~S%V87)Y18XxkRe{s92zBAcyEUj{#p}|_kn4hFxdaug z^j)w%7yrG^E5G-P3FoDw#%f06ZUGgWodi_JG1PXkylV?}+g^xUu@VuF1Wg#a47i$6 z;9N6clWk&oiWx*$jDusA(@nYydpRh=fR1y}ICJoAA0w~mf1st#DsH&I;fGcuLC`=& zW3X8bpAY3xtsPv@&GF6*i7%XO0s;9^i;icF#yyK>5^@^ycZoCR4d?{YCwVodKDptLTS{*^J3i*WbB0Gyh?(hJKf6v-pwJ2nf% zO0o0*$yr8@Ld@K4jj) z7#ot8Kh4jwy%)!0IG{{uKsvch=3upzsyHFOnn^a~+2Fv|o%D-go;MUNu$S&B`_x)m z*|c0Yxdd`J%oQ{*KxP^XcheZUJFvVn<8T!geYRFYE;%<3_8yFoDbjkU@U#hiQxtRL!W5dOI#5%cD4v?I_D3(*&h zY7K(`MvrN`ayh|hXMqu>V#p1xD?BB4Pq>8KH8S2Rg`$Ml$*Lsc*eFpV4q%0HOK$wf rKfly&)q8jX5M$d_Bo=3}jdwVYXo#nU%dD6Vvm`J*>NR~d0GPD;+^adO literal 15864 zcmVoJvbdMQk9O^-a#yg7%5&_~M99kt&j!_@XOzZrZsQ-vu*_vnJXie5 zI{xdPH~)^rWb6X699$1}43O0SES&;ztVOS-6D_opd4$0%JM4P#!JL5t+${HZr$;BJ zTmXS~PKXKvvkLc(6?Jq>uB!-!fqrjHW@dTORq)`XnJcSjA_TfTO450#c0kSLbN=8I z)+x@SNof?^Iy9TGY~wAYGJlW^WkOYx@STO>)C2|T?DI)n6qku_29Xfs&NC&j&R7*} z$LaH{kTfrgTc)vJ-XdHT#Al+Ij?=Uw#2=R_-)Ji-LS!$fCMaEA@SQFVO-L_=$fdlh zEu8LqLNVhaIOX?DrjS+b9%DB=L=O5yI~>#21g7@VZ#}lz6&6Arrredff8}vWGUs)_ zt|rMc!pxIhTMW8m(!=WTZuH`mXv$GK8@Ni8B-*}(n@`ieUY`KIPSj~hXI&0xJ0j$1 zEo-PYZd9#X?|;{HKk{QgPyzXN8lkDOjz*lf{to;~!Ae&{+6Dg@5*ihf zqDiYlVKb48b?z-dJ0@M-c?DauI{)*9yNGTa0{YT^>C=ZaH54;BkQ+S_L91^|CizeN z`=5=#W+l+>J}3yN8rMJ|7{qSD{@jPSS-=OELtk!=XbZ7EID{zF$#028RS!)77TUhq 
z-qb(s%3+q9h&pRijb=Pk+n$l44)LI#h;S(@T!ke#ikeyV)R>|I!X^&nZL5AqY09lM zG@E)7+mV@Uv(o6JW@X=GNn;LduCcG_x-DVofHbxi5m0ko!(1&EUAXl{!lYIU#GMvP zFr;=z-PH)enexFNxiBc(*epB3QRhq!;8R?)x844Bp#F z?GXx_oSkCJT2ztWPd6IJAb1}XV(o|PY&0WciiqkB2%7^omw9@J%{sY5cjF%DQ)cn} zy!>`_Evg;B)a-bS^wQ$Cy>(mq#^h>**W|m^G=!feU_LwCI>?>8nEo15fBN)6rRFoj ze5fk_(c4%B*b+Rk80o_5E{8|A+995-`7z1+I3?I<8elKp@8t#H?n=jH&oWFzlxcRG zxgU~ZmSa+^E1&>$cU@tlF`-V_+5`;aW6BFeV>5iTEkPoo=|Y8U`QXHfiM)k11dbjq z!_XyxDoR12w$kJHo5E^j@^hUcqHN+<3Y%ZVx~ru5GvXoWE))*`2@?GiEdrSNduZhr>ndsRely)(`sOy;lEZ_ccI^iph2eg%u4@6LF?J*Lr_rJ9kPwbNDDr%2nCBNeohW zr~4`Z+eL!L-nVWrtM_}X_rLGZmO6+WGvQ>%dEe2u|GEdJ6mPWrYnbnYD2x7yz#c^+ zw+W2W07eGDur&|-QSKUU57;d00)Q_j`KtbfhE5k}f%2XK7pcwl`3>Y)lKy;qz@m=l zHR!*5-kM`idxeTizDr~H^M!nr9HnWV0D#*r<5#;-kweushKVSx_}%Z~sO5U+nt$D~!7Eja3vxYZ4^B}=c_)kn>Sw%9_0 z>RBd3MR&2-7y*_F1hwhG&F7T&_~?0cd&Tx+%<|~-^BNpVdZ=xU=Qn!X(ROY|hlun_*NA!Ef-6vZG-g%|XR4ShKpuww*GFE-c1)KP$ zd4#zpn}})-9zks7EfHbP_yikkKbXzo`5SomMH$aKsT#};&n`$>xnDk_o9Hhf$5>>v zVcnIH)iYPNEZlDsA-2J*?F~AXDpaCXH;;l1oS?*0c&%;4Ob{2jIo!~LL+B}^L)|(p zmIgZHP$=^xRbC8O>3ezjm^}$=WELVg7mampr{AWD4>KqCJ!-y-@AZrpGbZi7p1vfM z7i&bpS6$53q-LRMf}tb^JtaC~~r z+~;#{@m#2?4L|{NS!`2x@$l41fbtEeh>+*{hf$`~!{H5hAR{8;U^U zN6A?U^`yerVM##=ZdoN;QffqxfkdjjcsLN0$<3)^yLCR%vt@Cy^2*vT z1~hvpFBx5Xzv_(&tRGozykav5TA7L5+YTy~euKJJW``zum(+1(&z^ry#vbxP5=I#2 zt=^H=`=gte^ACgF6U+a5^Wm2g4B+dFm`~kFV*9*9fTSODe3}JFZW|Lp7VPLYRMj3A}qoO~JYOXg3C)%Ty0eO({CLpwr zd4n02O*$yhJlgM#9IM4XWJYqCUGwVQeFkaJ2H&^^$!suYEIK1e7mD&QtkqocYweX;>@!z-I`wSWFL5;XTD| z_S^PzcE_nNtKk(yq)q{lz(7;G7IsYn_e?2GC@T|+DJx+Mcq+@VdX}Q_X0sLcHZR5c zY6(MWAmuw9QBGrS^F2c-HB~I#$g}VAYHLMA%dP)Pi=<6LcRRx#N4D-9S4=Ugv3JXL zG2bF^^%C*PzE09f{;=z@tpe+z*a%_tY2+9q5d(xKAqy+*+_0@QBVzL}4Wi~+0HDoG z>P^evvt@dZ)b--C0%V6OHg$vvAQD0-N}61!o!>l}fg8a(nKhgD+$2`~QN%EWtX0So zzm)@Jo+?$oPfY8cvmGTM>Ss7T5!MBnSFWg^Kp?hK1K+Fn7mgwm7NCqP9dts#AN;vo z3^`udnF)+hieEnLjuy47mThC3E*Od_o}|8*KR*c`OQw--u&JZxh`hOg4eVUG>|vZV z09VO7!`1gemDfF-Q#O)wwK6q)04KCSZb!_KJH~@0w9UVQo)i9u=t{~FshL2^2iR4l 
z)PGaU%GKKqXsQ0|jrK@SwrEi^6HWzNEch=F!~V{q>Bqm>XcZ0o9kP(_8vXs64=963 z3*fh&3SCEVbqvHG=W%?1oKD%wIxXk4OtKwj?Qo4dmjuT1vYrBBmnms)&N~na-x<>H zFUtv_F;<#f%(F+!=2d4gE6u}P zHL6_jZ}_{!h7>bS*l9|K#fG<+OUOZ&Aw~f~N6^AO8WV1MOg?C$szv_QN8r5lfKPPX zz1?n7-K4OVM!8pYu5r&4;lczA$gkqPPQ5WVKkh=t$8=zVgT2=$gn{VyyAy7irnW9o zMcZDkMOc8&YTc2Ur}0<|+G3?rL9fJ2DKkIl(yEZhB@IS-I{=>MyYoehz3Oh}K9BOS ze9tZB#vu%bmDF7&UseuGkEY`MEQS`=SQ)`g%cm8#8wo92&=2|>#9 zz}-^2+ReLbb2KQ|+BTt814}3ViuvgFj;Wt!`{%=BZmR?4%X;I4DxYKjzY!0^p<)@U za+jz2-NO9D+c`mHHS6JED1?m<>gb8B8+RWK5r zyh|irR4O+b?Kyn4Z|?4dG~R;s4?D0U)f6IYG&={ydY#Ib-dga`VsLbh3|9O%EP zgW8lYtWw(XLtYgpG@V;X&+u#z4#I*v*&?6tjGe$w1AEwXgq-8nZQqip#T{W;;!i*X z${A)){d7=9fpJ=G@xIsvK6dXY_0yYutI`|vMchOAO4iN1ck+yd7vYSyd1;c9qVs@B z#QM-UNYajG{l(7>8>31DL67M`BqiB`_9>NSp^w4P{LX7^#!ZzYHvVccNLe`BAbvumzNsqG)eoJEq97>K`sN#=TdqZke z=q9M)$D5l;6B0RV&49Q6*F3G!;&3RBT-y_#q2*sNqMu~a+w1|bjEeS=x~fh?8rgt> zK5&EVKCzzRYzdZbFBO)g+psvS;C<0;830(8*0V_B>Q_J4T1zT}x2OcHN2GAvP|0Gnor$`Iv{zY+gH?t!fZa zrp@N8V{EEBmiVYvY$YijigAR(A#+9_;qQz1t%T7|GO3$8c5~^6jDq+@Ur3uPWXE15 z2QT^xhnV$$&%AL}&X+7&-=Vc}?8xk4%#I=aV$8@pxJ zB*2g%W7g7pDN_NA3$BtS3L1iO2KOVxa!emKmmVNN7dehD`Pk#iM$N8PuS;-smKnd> z!3{`thz-u#J0X*r4$%! zo)}D0E@&)(jb_#!_!m6tV{P|PADfBAE|>;;J*c%bH%do0Ii_GL<%+YXyu5U@>5n{; zwiUsT9|+pfphm}>F#Rqrut1Gy{JoX;jO2~Ld9O-x7W~}j$0Godyx%Z$Bh1zBwnXxI z0hhow>}DF30qP+7j`yvXJTM5q+yTXt1PVXtHqVG1U3k^e#(mcN?ZF&)jWt=#Qg z|2qL*`b{3`2n7E^J0&Bw%9hT?jfUBXdHigh?JjkoBZe&baZx7~cM?(_PZVjA2apAH`;{vCPb*(v61Q z7J_rfN67ENF$+j%#`d1Q53ZEFVP^c`Uni5hautb<2JLL{;oFMvJ*ks(fOw%@Ya7mw zp4BCOh9$Yo0#~@Q{u7XBN zc&glsPb6*IYDQLvPc=h)D~FT@Y>|Sex~gm;ujD2oDT?#EjS`t&Erw9z0aWKs=6Hz? zf|c$%FS?l}B0yWXM9MoBWR9pMHGNodj5`ILUqDSqJgh)J)6FY{JKFq(HE4`%t8A7t=_vtRH??&P}QNs*>PC_`50WiK#m%?5bBRAm_& z^w~=4jGr6kmqzKrz;y^3BiUU_9pPle#F8^y6tic8i~!p4B!Gi+;7-XAh*zUG60<~nGkj$IgrvgQY5ijeaohg|udOTUsepzk`Z#4HOptL-m|=GZz7WzQ6-*W{`%Sl&(mJ zMsVdH`ej8~shpqReW?7Z`FVGx!12tB$49>{ru}I*qvp?nbWc{ImiasDuK`s2v?85YDQ^ZgeB=Vf*g; z&?rc??!+2n87F4T8+eVs=;CM_FfgUY=z(W#_OFh>WG!;hd?Hq8Y!NGjzZm1=Hz7&! 
z=`gXG9s0Qk&iN1(dSq5(Yy%U34W@GDLfv~{Ya;Q_{ z%z%HuH3Ry2!rsf~epk9qeD1b@4KVDnHl?GJ4cDi-)_vF_13sX{H%2e~n!RweR&TJ2 zVNG{=v0UTWozS0XP9BLfQmO!1Dn(+`Bp&?W^sa$yC&RrK=)+`AGhw~m5dPOBf$cL8 z;oN=vs!HyGovU*aJdbOo5`7TMJ4?ZRwYBm3N3q<))LS@n(;mN*c7l2NB3MPQV8=!m zcYNTH_*czE{r9>PO0%Rg4YCvf(lC%H!(O#A_Y!T*;P81zDaU-Zu@Tujs0`H#5@Jn{ z^5Mv>uer8_%*|}en;&Akcv9{eZUm$t0O6#1FnRsaT9zFdH$@La3Rmr&((j}GEtXwT zrX-qM2w#j!+?s_)9S>PzkOxu1LFCu<5DbLD^MZE0J16$rB`XW}QWBcUBJd;SJE``T z@(aQZmy|O@YdnCI+KJ!>5D6BaMgk|f2)^{TvO-}sjwry?h|W2zWCs@Z9PiVs@qm$M z&si|)k90nlUNvyK=jNPZPIX~HjXx@rek8aXjG*J@*oam#jE{4Mz|ST&&Q)H*vloNN z*7fx=h8qv`)-zW+<9%Piq3OYG%U5kAHd|iHE44Sf?S(y2TY*p`Pwpl@O5;t?%J|FM z!~vWqwJ^KX_oN^x(q#$etZK#~--E3V;L$FNd5Io9nRQ6yBkV4Di=n0cHMxSb;i-~B zV(ntB{}|%NZDX;ZRs|9gcWUKnD^fPWRGn!nXo|0lJVG{Wm}^o8#~~lTH%W8)bH~hH zZng*Ji6irhz$XXbTupE9!{h93Z*BKQ5M@1)4)aocNY5g%_(rvefjQ>>(xErVl5xOMPoGrs{L0SBk9|T*T66?p~TN$@+ zSIsN!Fd4CG%=2lQemT0su5^boS3V=_kfcv^;r3$fY(QN^Tj9h5U=|@TDa1~uZ{?EV z51-%dy;TVqqtl>&6Yxul^CV@hZ9g9Ze^x($9=?UC%(1GJ_|Ce4CRx#OQv4cKR1>%T z>WKe{6D1xx;mnsh;x5>Wnu%IK(JghgGgNNsLY0t%^-WnBX*W%WIk5=uLVk&g8?)hw zLw=a-C(Ee=dE)W%Jd96&zjtktv7%D(2$Yv&)wXUx9M&W6pHdq8aVwwUtGg*0!Q^k9 zqeV$VsSI?|38ZYSi?h}|mjZ$AV^49_6A;|zMkP}Xmg6YkhF}$62P%U&_uu-$RSy4p zF8I;L+k{BlR1&|YXCHV+zHfXVHJYBJN>N36M3ZYw*BM&Khub&<#xLwY3)>GJD62AL z3d9nRxTJDWUbJ~xrDLCz`to!=@9Df$1NVfOMp@4b9Se5O7vlMzk1}374O&m4k5WGwFXAo`^nk%OnX>9D8g&J&X^fFh$F z_GKAi&0Eik>gV~sk-cV6$H^Gu+t^3~m?y>YL@O1Smk1wMfo^3MWjEkA{9qJA=+sy3 zl2wF=4aEBrr{{k#S=G0~dt>rskI&M$>x7FR>H;^bPl?Gl@$(jsKr)sOen96q`pP>2 z!S+Ao+e5{mb_Jp)8?Sr--wY=bSUuU3i_?SpcqR^NbnKBylA*K*8(8(*cO zo_ja#RV*FY8l!+%LMWwdY6bMHq^KrN%~!dEQF=yC_12LAqwMBI-PfegON*#Adnza> zEroHq>MN5Kg_$2hd9ah=gw{^2M$0=rW_a|W-Vp&lcF)0BiyF@-r{cOv1S&*{1!XRG z&vAnWE>O%4k_cj5Yk54wpHDC#Z#%uViaO$CP3-D{_&4sCJiVffrhRZx4?-eH32TnTt$IW|-9@#h6ptYB*u8Y#Z=7-iyDbd9l zzDKP5P1AGtb`SehBBj0}1%#=rkm>h6B3pY{11VNS)9ZaOof{k;M#L)UW6LR_RlfEZ zbKeRCu-xC4??2EeN+I?hIK#41xHb}?J}3)Ov$Uom7ND}!&DuzMyC$M+?L=BDNk0Fz zgBISwU9*CIRWay{LgN0~`3*sGO;AkM!-23n-dlbTau 
zg{}NOMeKQ;upE7?@4!t{Vbwh$kwD`u^1T>cet3ih@<^J!YN9@LHBI|&4W$tNI#KFqS@CRO~etXvx zQ1t;$zL5P=p>Q9`F)e9V!U>{4SnIH{>H~vNinQbyk*UX6dpy z3760XQ^Lsrj*?}y$E;oq#9ZJwAiY6~M^sBZM6RqBY9 zd?fs+AG+>?w0=@3*`#0Lwv1k{oYguxY8ySdV{e)4yhC~JESspWYoe)AO$@6}x{d?d z@us0gFiq@GZqutKaaUtp6OQ}u^cm76Hy+s=T*f96*X6E3)GRYCz{|0Eh`fYmorQw) z8;bMPgW{h?>LzeD_2p}0?3ySkAqBMfBTYiy;A0I85pW#QN*F9HLj%PBA zQ(-re;z=FFa5IOwptUdSvHBY6L1VD46Q!ui&xc$&zVZF7@RX$?{ac3ssLGt%Am7q-! zmYVI5gtyCgq&^EcgYmXj>V~l_8Rm(JKd8Um z=n2HDNOcM`&rc(vokW6+%%>!ZHm8m^zLX!{IwRJ>5|>_}V@ z%IMZNAi?}$!2!v0()b0i%3WT4-%>1M_Dizdmn`aLn8j%>k~l*&rMcTY+PNKi)Lnn~ z&@RhPHnq$Zumsz@tK%JdmfUeYD z;p742UjWlWN9NpO1*cfY8kaXB>ccw5ijH?s%tp`Lz0+oy;`MaM>Jf8b(daF&t5}jS z*WLtji{=XiZ1jo!W*IIY!;cBmOOtAn5BC)oX`RY$8@|jIN%u%ZAqAhMx6|E+Bc%Jc zQ<8?#<#^LIz6Q4yGO79o*m-%Z-ZS_@J2ZJa3`T2dcpmMMP*$k4g`Q^#Vt`2gQ`)c} zY`{bPYfhK(WEYAA6s~-poXG=*`o7tYluWQz*^26P`M8hHyJpelo!>z|LH(Sr6Oii} z9GBz9C6cD}G^T$$d<(-%bPn!&I%{dBiy$e4Ww;QQCwA!1bG*?4&c}2g&pKMl+nh|E z2F1#n5q9qHLFc9S_5$fcPe-U5!5#NGUMaY$eUG_Oo5{k+h>EIM zT_Oyvo~a5MCtny|ijc{z@Y`=C?lQlNZv#ojF*OuKI-D`k@W(}P^s zvN9-Q5DA(dYP`a9)8OXHUIWP&Kg)Dy%tt4&WfS}V{&}UY#W+B3O27+7NePq8^}4^S zSSjHrP13+pD6cktk4@YkkJY&10dz?LS~Ld=?1wQsn^%=Qf#5a}_7Nb7WzC28mF@ zMK$Ywc1R+;S3(TNCX}|LCP=@*QEohT+(>-8RRNK7wyP`FAN_9^TgJbG4b&xdPwr5z z#>l)q2_(^3Kmek~iUQ)Vd4cS_tLlX1&flnlXV(G=6TNB1C(YEk}oZx+D zm*gzPT8yDyIE%pFr{r>Z8~Wo-jS6dZ4pfSx#NS?ckKguCvi*mU-VL5d-6jWn{?h|# z1O$R%kOKI^Q}S9P#t4abxelTXo2@i15q5+j&Hm!T@=BOcgoS>6B%&t?MZ^b_4Dz2) z#=Y1en^hm|d}$vdKmH=-HeGG-u{j0gijF{l(Uh^;Rep-}|ibv$%mqHmHFl-bO0J8lm~xPks>%Tk&p-?WZRp?xa{gT)Zr1AeIjt_lKd z7kW1nIRg z50P&AG5M|1#Mk74@aS}TC#xBEj*mZ0Y?~yF<_hW#{Ixo0Ezx%T&%SCS)X^07jPi(~8aV0Fwk#dAR*sQiZz`7xO9rsqYvCTpy0!54aD09cbZP}^g_EKXmP zaRP9WmE47XM%`0Sp^pO4`0VkkyO7i`-_lsJR{%zrGHY_$`u0}7ztXEIBQ*!7-qhZO zt!>gzFEtDRh^L`g>osx4FGGRv43UHi$f^QF{A^9+Q8Y)(l19<+=HrszlQDe8R zEijq4(nG6}w_boSM+qxW%f&vj#ik{RU&Q3F)rL3lLU)QB+XNs7$ZrOC-&f-vf+tRP z1TGx&eATDIKexD~#Td6Rex#b9)hYmQ%WCxAQKI;w5Tz@KT`xHMP|05SwQ+)Pm$9N+ zgqU!o<9Zt(R>%g|ldR9hwnUq;;%^Al65J?a^_D=%GT)NMgi&x( 
zw=5mtQ12KV7Ot6Jy)^p4{vxjr%+hJ*x^~3Z!=s0l0(IDnyNjro*Pz1}mLHSIWTN>oo{Qq*tmlaPrNq<@5YT+PZ`2-VjomX*&D?nrd2Corr4p%8#atk1mTzrwE$(Td{y@ zdQXmn@Uh0M&UES^`laN)cd!$ggLzl&_Uh5=s<=J!E$AwltwNk1 zvp3>-LSxBIZtz;ZFM*bM)#_clD3MfM{#;kg7ub)$+z)=qM1KOLo&vEX`#PE!O#C*y zp(;Wn5T{lKl|f)Nhw<(@v{#G9$+|g@0Kg1vGSOt;x*BoS~2Pr)#`PDTqJvhmE2mx2-#&RcIOobgssLT-CJq0$P?K!hu@}X$lwu%Bpw{;kF13{?ijduVOT3bP`8fOd4G9t01~>MDjmDJ z>a~j7Bj9uU?gob*yhfCmTtivF+l+|Mgp3r!c~;MTy}8#Uo6s0PlGCd74*EAw(Zv$8 zT-$-=S9^@4K{emmibbTI2+jtb3w6eHi`i^X428|!DO&WO_xb7J3&^HCtjhG@%cdI) zem-t;5$TC=D;%cD^U!`%F4oM=irspezA&Afws=xozO_h(z%D|Jo-qc?FNi&`I|`bl6I3hVDqyq3@vHo|=L5gC z@8ToQ-|)l?AzMUw)?R;A7~}-(qD7`=-g|qyg?&*BS59L0axdhFZfh!|8QTDdxAK|t zThCZO8;!6(OB4y+tN0SEMPbc9gJqG%6>c ztxL&}7(^ZJjO_BM_!qt-3(1}^i0k|T92Uj*rbcb^q4zb5ie#J2z@H35_kBRrKb=!? z0Z=U~ms1jePjgp{r7?G5PWUA7q|MOzItOBhkOvX;?5^;;(XvPDcK}c$THd}6`*5WV z6XeO%y4q1kwHK1kc=}%M{V&TTcIjbB(EFaz@#563{cUPJYfRR4?}5tOOJ!T2-vcYm zYV?zffA_5KLq|HGMq2uF0jFX6*-ND5 z|JMy3JWVT#2n7A4q@J-VFedtbL^L|Z4g26MpYAGoRUMI`!NIRAFyUzu^5(HR`lh7@ zOF^B!=|SXI`KVJW+0_9#qi3e?V1G~8dtvye?v?W(aZ(m8OylmYooG;2VA^^|S7h^l zyfTO}PVMYpPDyxdR7mL$x%=K|uertwWC%kmWuEExS5qZR@bb(htc(fI(B>xU`u zaE{3co-HaAEAXgoE<&8FK}8+#VM+LRVgHhk~6V988X{C0@*7|22;5~ zGgJ#vzHYN{EYD_bvOT4#e#r9xo!9J^+PQ7|3c*!8j9; zUv@@~&%3B90mR+{qB|^DngKy1TI(X5Y2j!~@J5G~`2}?LfRDdYJMomI#kx_X_F5b? 
zW^GP7#o>lovY~>_7N=|1*T`I^I>(sSDwI8+9j^mb=2b)@h<1XuDw19v-S9W zloKKkt~U^7S9Umr<9nQ7H&5>{X5$u$Ap!BR{V&Sg=5Ddz&JC}gUdaxBD7u6zJ9D>P6Q?i@4bnliQAedvQ!22G*&1(T$_JycY`BPC{O zN)#4cTlhcKf2p$3>@ISukrd>OdG>y%i4ZouQ3O)O!j9qkFi13+?WgH7JnsTsNdjrl}qEFmJ> z)g;)(B7=XTL`As$#Le>8m3?wH8NxmvVJ)l{PCRXTcS@Xtt)#<(cA`4Z>rYWE&EZP&s*2q5t$uY3&z`XV$5iYV_UxpluE5G;pL({3k zy%@|n)c)wzeFTYN?&!Z{w?E#MZzDHu;M0|0HW*u$(W1ivzLFCvSWX}@8u+qq)tSO% zvif$bdi~<3R;uNVOU0QNrZF|kH)!awxeESSS2(=D1G_eMYT7fZe{;seoxt=^OR)aY z!r4gw7j|3kr={dO z($&yRvR;VmEQ#)X^-cxJ82a?~+pltXod+!;Nv0^!Qbxm&Zp}JOYXZxJieP{aQAPI& zHg%l%eo7YT=B>Ee{}ydJM8iLGLER%bB8U*PiJ>wPE=g>AfWOiM3#T)sTK>OZH0Fe6 z(Sx}3vw}aHhPBH#B)sp>oYUS8xf>uHza1D27EB4++s_Z7t$-PVZSW_BC+SEJe8Q7| z4F-~*!ZOX}4*I9l_Pqxqd;Eh~h7~JX*VTM1j>n8(SAKw1Nf^#rNB{Zr@a=`)ASi=W z>;|KhL1yut1rlm=8t#FqF6c2My`R(#_v%A)oeTpr7qKD>hag<{Nvx$zUuf*rxPpEN zxS5))wJkg+Vfph6X3YA_r3iII`GE_ShF6mMvDLtlkvcTVQFG*1sD!jz9*6ZUjsDi) zLB$%BdiJ&L&LbH%BY;tDNA*sH@Qwv%iiUuM!*z%SS~L>paKKSksp(`PeSoaTJs|+U zzCpwCLC6m=2tU(2-`M)WW5CbA0iT?ce&-e`GvU0pSl#_h|M8Vb?79As_Ws&P5GreR zx7Q@fO%DKNQk6;uN=yC{VbZ}lbdJQ&SJx^xWWF@F54!!c-DJ3Pv3R8faZ?4SFZPJ4 z=Q`dQXSK_&acAtO9OO?F@~lOMZi~u`bA$tFA6w-z29@r087QP348fs$%6@f{3fKa( zT-*fYX>h%{qmNnAt5ktt;NkmtP}o;?NWrY;Fn+WFeKL)9n&N5~OJiJI)!4n8C?jOf zoyuuCbdSCanV2Hc`{D*2l=PS2-wE)qK{u6Zz#X;60DT6eYtT-c8^D zIwS+`ws}o+?M|2RzA~(TUV|qG*IVY545%G<93@8cMMokTLOC9OsCfFfacu2MB zDrVSUa*r%@%J6)|ot0~)1Xw&w09iQ8jhV|l51BBD&ISs2{3{GYqD{mmhm8?{&T}@4 zotQr>@HWJJ7NW$&PB_`O8(zgHSb>6kI(|P(t#itt#O@q;cs(1jo}(qtEZx12yTOnD)eEk}T7#~>&=kPCU`>{zinU8cyw6qt^p~^CLKEBx zS+Ur_mv>8ic4jBP6C8o&8S!6B*bmH|@26Y_S2+aNVFpmWO-*>*d{kb~5C}$$d>CI^ zOw<00qX2xx#CELQ+I7L#{Irjh;c}+<5Oil5XTZ^}1#*e{7l*KUvX?c^VUOhRS$ zxC9Dd^vuDifW@ul1VdA_a=Mwz%{N>fv?H1lzCx%lhH?{_yr_ToIZLGa5Q%B7?yJ*t{<^Ot3VPKc*q~4hN zv1#z&QOK+lHT?51nY3sYW0z@F*vt(ef9Ymt4g_)f>^!E%5jE_Ym^YwKut-SoKpi98 zC!#14DoylsbMXTr>6){X#V<}P80vx)XR!kls`TH4Wd=Z9G+)D~a(ERSvGnA4T}*dI zOM~n3;$}n768@4^jb1Dkgxp3;D*vF0DA3+($_}~jcQUJR)ErRuj6BKDCeF)RU+-o- 
zqnyfWTn`F|;L@WUKt}z>%_0E7ks_)xsg`V{S^ZZ*EN~*8x+fhcXQ?&{Uc>jV)v4U}5&T$8i;|xB7=;Q~8Q03_MH2*nxF*3f0b` z4MZk207rMR!J@w1?jVZUS@HDMa zJLH<^-(@&bbp9e}P@8Cv3(~6=!Q#N&qrxkJMqp;MD+i-#Gu1?nmP+J{;~g~YH;jNqcpy90t`$LeWiirM&GH@phh{~f(WXL1HF;@bP$wF?r-@oV8M4Ka0o z3P3V6^^EGw9Y|JC1O&<2;8A_KrfFbS#aL7nf!T8fp`wEsY0QRwV3g)>}aNfr=Y}fnhJrgm|IiMbm03n0k!R(aaoCzr_;S($rlku z?j+E0DSR=7C_$W;L^pgKZBm|d`k~j#Jq|t|DQ51HU9~O;I=VpaDNrJ(hCFB~YUZgH ObH1hpbV^prrKj*ZAk~2Y