From 7fba5179c4f0fbf0ffacf6ece804e32e8adbd508 Mon Sep 17 00:00:00 2001
From: Bastian de Byl
Date: Sun, 30 Apr 2023 00:31:10 -0400
Subject: [PATCH] debyltech updates, satisfactory
---
Makefile | 6 +--
ansible/roles/podman/defaults/main.yml | 4 +-
.../podman/tasks/configuration-nginx-http.yml | 2 +
.../tasks/configuration-nginx-https.yml | 2 +
.../roles/podman/tasks/container-awsddns.yml | 4 +-
.../podman/tasks/container-bookstack.yml | 4 +-
.../roles/podman/tasks/container-cloud.yml | 4 +-
.../podman/tasks/container-debyltech.yml | 51 ++++++++++++++++++
.../roles/podman/tasks/container-drone.yml | 8 +--
.../roles/podman/tasks/container-graylog.yml | 6 +--
ansible/roles/podman/tasks/container-hass.yml | 2 +-
.../podman/tasks/container-partkeepr.yml | 4 +-
.../roles/podman/tasks/container-photos.yml | 4 +-
.../roles/podman/tasks/container-pihole.yml | 2 +-
.../podman/tasks/container-satisfactory.yml | 46 ++++++++++++++++
ansible/roles/podman/tasks/firewall.yml | 4 ++
ansible/roles/podman/tasks/main.yml | 2 +
.../podman/templates/debyltech/config.json.j2 | 21 ++++++++
.../nginx/sites/api.debyltech.com.conf.j2 | 16 ++++++
.../sites/api.debyltech.com.https.conf.j2 | 42 +++++++++++++++
ansible/roles/ssl/tasks/certbot.yml | 1 +
ansible/vars/vault.yml | Bin 9254 -> 9967 bytes
22 files changed, 212 insertions(+), 23 deletions(-)
create mode 100644 ansible/roles/podman/tasks/container-debyltech.yml
create mode 100644 ansible/roles/podman/tasks/container-satisfactory.yml
create mode 100644 ansible/roles/podman/templates/debyltech/config.json.j2
create mode 100644 ansible/roles/podman/templates/nginx/sites/api.debyltech.com.conf.j2
create mode 100644 ansible/roles/podman/templates/nginx/sites/api.debyltech.com.https.conf.j2
diff --git a/Makefile b/Makefile
index feca4c8..d010db0 100644
--- a/Makefile
+++ b/Makefile
@@ -22,7 +22,7 @@ VAULT_FILE=ansible/vars/vault.yml # Variables ANSIBLE_INVENTORY=ansible/inventories/home/hosts.yml -SSH_KEY=${HOME}/.ssh/id_rsa_home_ansible +#SSH_KEY=${HOME}/.ssh/id_rsa_home_ansible # Default to all ansible tags to run (passed via 'make deploy TAGS=sometag') TAGS?=all @@ -52,7 +52,7 @@ SKIP_FILE=./.lint-vars.sh # Targets deploy: ${ANSIBLE} ${VAULT_FILE} - ${ANSIBLE} --diff --private-key ${SSH_KEY} -t ${TAGS} --skip-tags ${SKIP_TAGS} -i ${ANSIBLE_INVENTORY} -l ${TARGET} --vault-password-file ${VAULT_PASS_FILE} ansible/deploy.yml + ${ANSIBLE} --diff -t ${TAGS} --skip-tags ${SKIP_TAGS} -i ${ANSIBLE_INVENTORY} -l ${TARGET} --vault-password-file ${VAULT_PASS_FILE} ansible/deploy.yml list-tags: ${ANSIBLE} ${VAULT_FILE} ${ANSIBLE} --list-tags -i ${ANSIBLE_INVENTORY} -l ${TARGET} --vault-password-file ${VAULT_PASS_FILE} ansible/deploy.yml @@ -61,7 +61,7 @@ list-tasks: ${ANSIBLE} ${VAULT_FILE} ${ANSIBLE} --list-tasks -i ${ANSIBLE_INVENTORY} -l ${TARGET} --vault-password-file ${VAULT_PASS_FILE} ansible/deploy.yml check: ${ANSIBLE} ${VAULT_FILE} - ${ANSIBLE} --check --diff --private-key ${SSH_KEY} -t ${TAGS} --skip-tags ${SKIP_TAGS} -i ${ANSIBLE_INVENTORY} -l ${TARGET} --vault-password-file ${VAULT_PASS_FILE} ansible/deploy.yml + ${ANSIBLE} --check --diff --private-key -t ${TAGS} --skip-tags ${SKIP_TAGS} -i ${ANSIBLE_INVENTORY} -l ${TARGET} --vault-password-file ${VAULT_PASS_FILE} ansible/deploy.yml vault: ${ANSIBLE_VAULT} ${VAULT_FILE} ${ANSIBLE_VAULT} edit --vault-password-file ${VAULT_PASS_FILE} ${VAULT_FILE} diff --git a/ansible/roles/podman/defaults/main.yml b/ansible/roles/podman/defaults/main.yml index 5fc7626..910c3dd 100644 --- a/ansible/roles/podman/defaults/main.yml +++ b/ansible/roles/podman/defaults/main.yml 
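Review bot: The `check` recipe in the third Makefile hunk (`@@ -61,7 +61,7 @@`) still carries a bare `--private-key` after `${SSH_KEY}` was removed, so the option has no value: argument parsing will either fail or take `-t` as the key path and leave `${TAGS}` as a stray argument. The `deploy` recipe in the second hunk was cleaned up correctly; make `check` match it with `${ANSIBLE} --check --diff -t ${TAGS} --skip-tags ${SKIP_TAGS} -i ${ANSIBLE_INVENTORY} -l ${TARGET} --vault-password-file ${VAULT_PASS_FILE} ansible/deploy.yml`. Since the key is no longer pinned, the identity used now depends on the operator's SSH agent or config. I would replace the commented-out `#SSH_KEY=...` line with a short comment saying so, rather than leaving dead configuration behind.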
@@ -1,6 +1,7 @@ --- bookstack_path: "{{ podman_volumes }}/bookstack" cloud_path: "{{ podman_volumes }}/cloud" +debyltech_path: "{{ podman_volumes }}/debyltech" drone_path: "{{ podman_volumes }}/drone" graylog_path: "{{ podman_volumes }}/graylog" hass_path: "{{ podman_volumes }}/hass" @@ -8,12 +9,13 @@ nginx_path: "{{ podman_volumes }}/nginx" partkeepr_path: "{{ podman_volumes }}/partkeepr" photos_path: "{{ podman_volumes }}/photos" pihole_path: "{{ podman_volumes }}/pihole" -valheim_path: "{{ podman_volumes }}/valheim" +satisfactory_path: "{{ podman_volumes }}/satisfactory" drone_server_proto: "http" drone_runner_capacity: "8" # nginx and modsec configuration +api_debyltech_server_name: api.debyltech.com assistant_server_name: assistant.bdebyl.net bookstack_server_name: wiki.skudakrennsport.com ci_server_name: ci.bdebyl.net diff --git a/ansible/roles/podman/tasks/configuration-nginx-http.yml b/ansible/roles/podman/tasks/configuration-nginx-http.yml index 29bedf5..b9e07c0 100644 --- a/ansible/roles/podman/tasks/configuration-nginx-http.yml +++ b/ansible/roles/podman/tasks/configuration-nginx-http.yml @@ -71,6 +71,7 @@ - "{{ photos_server_name }}.conf" - "{{ pi_server_name }}.conf" - "{{ video_server_name }}.conf" + - "{{ api_debyltech_server_name }}.conf" notify: - restorecon podman - restart nginx @@ -95,6 +96,7 @@ - "{{ photos_server_name }}.conf" - "{{ pi_server_name }}.conf" - "{{ video_server_name }}.conf" + - "{{ api_debyltech_server_name }}.conf" notify: - restorecon podman - restart nginx diff --git a/ansible/roles/podman/tasks/configuration-nginx-https.yml b/ansible/roles/podman/tasks/configuration-nginx-https.yml index 1b3016b..10a0911 100644 --- a/ansible/roles/podman/tasks/configuration-nginx-https.yml +++ b/ansible/roles/podman/tasks/configuration-nginx-https.yml 
@@ -39,6 +39,7 @@ - "{{ cloud_server_name }}.https.conf" - "{{ parts_server_name }}.https.conf" - "{{ photos_server_name }}.https.conf" + - "{{ api_debyltech_server_name }}.https.conf" notify: - restorecon podman - restart nginx @@ -58,6 +59,7 @@ - "{{ cloud_server_name }}.https.conf" - "{{ parts_server_name }}.https.conf" - "{{ photos_server_name }}.https.conf" + - "{{ api_debyltech_server_name }}.https.conf" notify: - restorecon podman - restart nginx diff --git a/ansible/roles/podman/tasks/container-awsddns.yml b/ansible/roles/podman/tasks/container-awsddns.yml index cb01b51..a0d2d65 100644 --- a/ansible/roles/podman/tasks/container-awsddns.yml +++ b/ansible/roles/podman/tasks/container-awsddns.yml @@ -8,7 +8,7 @@ image: docker.io/bdebyl/awsddns:1.0.34 recreate: false restart: true - restart_policy: on-failure + restart_policy: on-failure:3 log_driver: journald env: AWS_ZONE_TTL: 60 @@ -34,7 +34,7 @@ image: docker.io/bdebyl/awsddns:1.0.34 recreate: false restart: true - restart_policy: on-failure + restart_policy: on-failure:3 log_driver: journald env: AWS_ZONE_TTL: 60 diff --git a/ansible/roles/podman/tasks/container-bookstack.yml b/ansible/roles/podman/tasks/container-bookstack.yml index c9c605c..c2edac9 100644 --- a/ansible/roles/podman/tasks/container-bookstack.yml +++ b/ansible/roles/podman/tasks/container-bookstack.yml @@ -34,7 +34,7 @@ image: docker.io/mysql:5.7.21 recreate: false restart: false - restart_policy: on-failure + restart_policy: on-failure:3 log_driver: journald network: - shared @@ -62,7 +62,7 @@ image: docker.io/solidnerd/bookstack:22.11.1 recreate: true restart: false - restart_policy: on-failure + restart_policy: on-failure:3 log_driver: journald network: - shared diff --git a/ansible/roles/podman/tasks/container-cloud.yml b/ansible/roles/podman/tasks/container-cloud.yml index 42bd23d..ea96787 100644 --- a/ansible/roles/podman/tasks/container-cloud.yml +++ b/ansible/roles/podman/tasks/container-cloud.yml 
@@ -52,7 +52,7 @@ image: docker.io/mariadb:10.5 recreate: false restart: false - restart_policy: on-failure + restart_policy: on-failure:3 log_driver: journald network: - shared @@ -79,7 +79,7 @@ image: docker.io/nextcloud:24.0.5-apache recreate: false restart: false - restart_policy: on-failure + restart_policy: on-failure:3 log_driver: journald network: - shared diff --git a/ansible/roles/podman/tasks/container-debyltech.yml b/ansible/roles/podman/tasks/container-debyltech.yml new file mode 100644 index 0000000..1db8958 --- /dev/null +++ b/ansible/roles/podman/tasks/container-debyltech.yml @@ -0,0 +1,51 @@ +--- +- name: create required debyltech volumes + become: true + ansible.builtin.file: + path: "{{ item }}" + state: directory + owner: "{{ podman_subuid.stdout }}" + group: "{{ podman_subuid.stdout }}" + mode: 0755 + notify: restorecon podman + loop: + - "{{ debyltech_path }}/api" + - "{{ debyltech_path }}/api/config" + tags: debyltech + +- name: template api.debyltech.com files + become: true + ansible.builtin.template: + src: "debyltech/{{ item }}.j2" + dest: "{{ debyltech_path }}/api/config/{{ item }}" + owner: "{{ podman_user }}" + group: "{{ podman_user }}" + mode: 0644 + loop: + - "config.json" + tags: debyltech + +- name: create api.debyltech.com container + become: true + become_user: "{{ podman_user }}" + containers.podman.podman_container: + name: apidebyltech + image: docker.io/debyltech/go-snipcart-webhook:0.1.34 + command: --config /conf/config.json --release + recreate: true + restart: true + restart_policy: on-failure:3 + log_driver: journald + network: + - shared + volumes: + - "{{ debyltech_path }}/api/config:/conf" + ports: + - "8040:8080" + tags: debyltech + +- name: create systemd startup job for api.debyltech.com + include_tasks: systemd-generate.yml + vars: + container_name: apidebyltech + tags: debyltech 
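Review bot: In the new container-debyltech.yml, the `template api.debyltech.com files` task writes config.json with `mode: 0644` inside directories created `0755`, and the template added later in this patch renders `snipcart_api_key` and `shippo_api_key` into it, so both API keys are readable by every local account on the host. Use `mode: "0600"` on the file and `"0750"` on `{{ debyltech_path }}/api/config` (quoted, so the octal is not re-typed by the YAML parser); if the container process runs under a subuid rather than `podman_user`, change the owner instead of widening the mode. The Makefile's `deploy` target runs with `--diff`, which would print the rendered keys whenever this file changes, so add `diff: false` or `no_log: true` to the template task. Separately, `ports: - "8040:8080"` publishes on all host interfaces while the nginx upstream added in this patch only connects to 127.0.0.1:8040; `"127.0.0.1:8040:8080"` keeps the service reachable only through the TLS/ModSecurity front end.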
diff --git a/ansible/roles/podman/tasks/container-drone.yml b/ansible/roles/podman/tasks/container-drone.yml index 0475913..80a1984 100644 --- a/ansible/roles/podman/tasks/container-drone.yml +++ b/ansible/roles/podman/tasks/container-drone.yml @@ -22,9 +22,9 @@ containers.podman.podman_container: name: drone image: docker.io/drone/drone:2.16.0 - recreate: false + recreate: true restart: true - restart_policy: on-failure + restart_policy: on-failure:3 log_driver: journald network: - shared @@ -54,10 +54,10 @@ become_user: "{{ podman_user }}" containers.podman.podman_container: name: drone-runner - image: docker.io/drone/drone-runner-docker:1.8.1 + image: docker.io/drone/drone-runner-docker:1.8.3 recreate: false restart: true - restart_policy: on-failure + restart_policy: on-failure:3 log_driver: journald network: - shared diff --git a/ansible/roles/podman/tasks/container-graylog.yml b/ansible/roles/podman/tasks/container-graylog.yml index be5f263..6ac5c5b 100644 --- a/ansible/roles/podman/tasks/container-graylog.yml +++ b/ansible/roles/podman/tasks/container-graylog.yml @@ -51,7 +51,7 @@ image: docker.io/mongo:4.2 recreate: false restart: false - restart_policy: on-failure + restart_policy: on-failure:3 network: - shared volumes: @@ -72,7 +72,7 @@ image: docker.elastic.co/elasticsearch/elasticsearch-oss:7.10.2 recreate: false restart: false - restart_policy: on-failure + restart_policy: on-failure:3 network: - shared volumes: @@ -99,7 +99,7 @@ image: docker.io/graylog/graylog:4.3.11 recreate: true restart: true - restart_policy: on-failure + restart_policy: on-failure:3 sysctl: net.ipv6.conf.all.disable_ipv6: 1 net.ipv6.conf.default.disable_ipv6: 1 diff --git a/ansible/roles/podman/tasks/container-hass.yml b/ansible/roles/podman/tasks/container-hass.yml index 7f35eee..e0c7573 100644 --- a/ansible/roles/podman/tasks/container-hass.yml +++ b/ansible/roles/podman/tasks/container-hass.yml 
@@ -39,7 +39,7 @@ image: ghcr.io/home-assistant/home-assistant:stable recreate: false restart: true - restart_policy: on-failure + restart_policy: on-failure:3 log_driver: journald cap_add: - CAP_NET_RAW diff --git a/ansible/roles/podman/tasks/container-partkeepr.yml b/ansible/roles/podman/tasks/container-partkeepr.yml index 11f9c02..2481026 100644 --- a/ansible/roles/podman/tasks/container-partkeepr.yml +++ b/ansible/roles/podman/tasks/container-partkeepr.yml @@ -24,7 +24,7 @@ image: docker.io/mariadb:10.0 recreate: false restart: false - restart_policy: on-failure + restart_policy: on-failure:3 log_driver: journald network: - shared @@ -51,7 +51,7 @@ image: docker.io/bdebyl/partkeepr:0.1.10 recreate: false restart: false - restart_policy: on-failure + restart_policy: on-failure:3 log_driver: journald network: - shared diff --git a/ansible/roles/podman/tasks/container-photos.yml b/ansible/roles/podman/tasks/container-photos.yml index 52f58bd..6c2a384 100644 --- a/ansible/roles/podman/tasks/container-photos.yml +++ b/ansible/roles/podman/tasks/container-photos.yml @@ -35,7 +35,7 @@ image: docker.io/mariadb:10.8 recreate: false restart: false - restart_policy: on-failure + restart_policy: on-failure:3 log_driver: journald network: - shared @@ -63,7 +63,7 @@ image: docker.io/photoprism/photoprism:221118-jammy recreate: false restart: false - restart_policy: on-failure + restart_policy: on-failure:3 log_driver: journald network: - shared diff --git a/ansible/roles/podman/tasks/container-pihole.yml b/ansible/roles/podman/tasks/container-pihole.yml index 6086ab5..8e77fb4 100644 --- a/ansible/roles/podman/tasks/container-pihole.yml +++ b/ansible/roles/podman/tasks/container-pihole.yml @@ -25,7 +25,7 @@ image: docker.io/pihole/pihole:2022.04.3 recreate: false restart: true - restart_policy: on-failure + restart_policy: on-failure:3 log_driver: journald cap_add: - CAP_NET_BIND_SERVICE 
diff --git a/ansible/roles/podman/tasks/container-satisfactory.yml b/ansible/roles/podman/tasks/container-satisfactory.yml new file mode 100644 index 0000000..1c75096 --- /dev/null +++ b/ansible/roles/podman/tasks/container-satisfactory.yml @@ -0,0 +1,46 @@ +--- +- name: create satisfactory host directory volumes + become: true + ansible.builtin.file: + path: "{{ item }}" + state: directory + owner: "{{ podman_user }}" + group: "{{ podman_user }}" + mode: 0755 + notify: restorecon podman + loop: + - "{{ satisfactory_path }}/config" + tags: satisfactory + +- name: flush handlers + ansible.builtin.meta: flush_handlers + tags: satisfactory + +- name: create satisfactory server container + become: true + become_user: "{{ podman_user }}" + containers.podman.podman_container: + name: satisfactory + image: docker.io/wolveix/satisfactory-server:latest + recreate: true + restart: true + restart_policy: on-failure:3 + log_driver: journald + memory: 16g + memory_reservation: 12g + volumes: + - "{{ satisfactory_path }}/config:/config" + env: + MAXPLAYERS: 4 + STEAMBETA: "false" + ports: + - "7777:7777/udp" + - "15000:15000/udp" + - "15777:15777/udp" + tags: satisfactory + +- name: create systemd startup job for satisfactory + include_tasks: systemd-generate.yml + vars: + container_name: satisfactory + tags: satisfactory diff --git a/ansible/roles/podman/tasks/firewall.yml b/ansible/roles/podman/tasks/firewall.yml index 21cee42..af72177 100644 --- a/ansible/roles/podman/tasks/firewall.yml +++ b/ansible/roles/podman/tasks/firewall.yml @@ -18,6 +18,10 @@ - 53/udp - 6875/tcp - 80/tcp + # satisfactory + - 7777/udp + - 15000/udp + - 15777/udp notify: restart firewalld tags: firewall diff --git a/ansible/roles/podman/tasks/main.yml b/ansible/roles/podman/tasks/main.yml index e4e58f4..220cf6b 100644 --- a/ansible/roles/podman/tasks/main.yml +++ b/ansible/roles/podman/tasks/main.yml 
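Review bot: `image: docker.io/wolveix/satisfactory-server:latest` in the new container-satisfactory.yml runs whatever the tag resolved to when the host last pulled it, which is neither reproducible nor auditable. This is also the container whose UDP ports the firewall.yml hunk in this patch opens. Most other containers in this role are pinned to a release tag; pin this one the same way or by digest, e.g. `image: docker.io/wolveix/satisfactory-server:<TESTED_VERSION_TAG>` (placeholder, substitute the release you have verified). Smaller points in the same file: `MAXPLAYERS: 4` should be the string `"4"` like the quoted `STEAMBETA`, and `mode: 0755` should be `"0755"`.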
@@ -11,4 +11,6 @@ - import_tasks: container-bookstack.yml - import_tasks: container-photos.yml - import_tasks: container-cloud.yml +- import_tasks: container-debyltech.yml - import_tasks: container-nginx.yml +- import_tasks: container-satisfactory.yml diff --git a/ansible/roles/podman/templates/debyltech/config.json.j2 b/ansible/roles/podman/templates/debyltech/config.json.j2 new file mode 100644 index 0000000..c9a6b9a --- /dev/null +++ b/ansible/roles/podman/templates/debyltech/config.json.j2 @@ -0,0 +1,21 @@ +{ + "snipcart_api_key": "{{ snipcart_api_key }}", + "shippo_api_key": "{{ shippo_api_key }}", + "weight_unit": "g", + "dimension_unit": "cm", + "manufacture_country": "US", + "sender_address": { + "name": "de Byl Technologies LLC", + "address1": "176 Lull Rd", + "city": "Weare", + "state": "NH", + "country": "US", + "zip": "03281", + "email": "sales@debyltech.com" + }, + "default_parcel": { + "length": "10", + "width": "19", + "height": "16.5" + } +} diff --git a/ansible/roles/podman/templates/nginx/sites/api.debyltech.com.conf.j2 b/ansible/roles/podman/templates/nginx/sites/api.debyltech.com.conf.j2 new file mode 100644 index 0000000..7adde35 --- /dev/null +++ b/ansible/roles/podman/templates/nginx/sites/api.debyltech.com.conf.j2 @@ -0,0 +1,16 @@ +server { + modsecurity on; + modsecurity_rules_file /etc/nginx/modsec_includes.conf; + + listen 80; + server_name {{ api_debyltech_server_name }}; + + location '/.well-known/acme-challenge' { + default_type "text/plain"; + root /srv/http/letsencrypt; + } + + location / { + return 302 https://$host$request_uri; + } +} \ No newline at end of file diff --git a/ansible/roles/podman/templates/nginx/sites/api.debyltech.com.https.conf.j2 b/ansible/roles/podman/templates/nginx/sites/api.debyltech.com.https.conf.j2 new file mode 100644 index 0000000..5a57fa5 --- /dev/null +++ b/ansible/roles/podman/templates/nginx/sites/api.debyltech.com.https.conf.j2 
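Review bot: In debyltech/config.json.j2 both secrets are interpolated raw inside hand-written quotes (`"snipcart_api_key": "{{ snipcart_api_key }}"`), so a vault value containing `"` or `\` renders as invalid or silently altered JSON. Let the filter produce the quoted, escaped string instead: `"snipcart_api_key": {{ snipcart_api_key | to_json }},` and `"shippo_api_key": {{ shippo_api_key | to_json }},`. A short comment at the top of the template cannot be used here because JSON has no comment syntax, so the note that this file holds live API keys belongs on the task that templates it.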
@@ -0,0 +1,42 @@ +upstream apidebyltech { + server 127.0.0.1:8040; +} + +server { + modsecurity on; + modsecurity_rules_file /etc/nginx/modsec_includes.conf; + + resolver 127.0.0.1 127.0.0.53 9.9.9.9 valid=60s; + + listen 443 ssl http2; + server_name {{ api_debyltech_server_name }}; + client_max_body_size 500M; + + ssl_certificate /etc/letsencrypt/live/{{ api_debyltech_server_name }}/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/{{ api_debyltech_server_name }}/privkey.pem; + ssl_trusted_certificate /etc/letsencrypt/live/{{ api_debyltech_server_name }}/fullchain.pem; + ssl_dhparam /etc/nginx/ssl/dhparam.pem; + + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; + ssl_prefer_server_ciphers off; + ssl_protocols TLSv1.2 TLSv1.3; + ssl_session_cache shared:SSL:10m; + ssl_session_tickets off; + ssl_session_timeout 1d; + ssl_stapling on; + ssl_stapling_verify on; + + location / { + add_header Referrer-Policy "same-origin" always; + add_header Strict-Transport-Security "max-age=630720000; includeSubDomains" always; + add_header X-Content-Type-Options "nosniff" always; + + proxy_set_header Host $http_host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Upgrade $http_upgrade; + + proxy_buffering off; + proxy_http_version 1.1; + proxy_pass http://apidebyltech; + } +} \ No newline at end of file diff --git a/ansible/roles/ssl/tasks/certbot.yml b/ansible/roles/ssl/tasks/certbot.yml index c2efce7..a0ed4f2 100644 --- a/ansible/roles/ssl/tasks/certbot.yml +++ b/ansible/roles/ssl/tasks/certbot.yml @@ -13,6 +13,7 @@ - "{{ cloud_server_name }}" - "{{ parts_server_name }}" - "{{ photos_server_name }}" + - "{{ api_debyltech_server_name }}" tags: ssl - name: set group ownership for /etc/letsencrypt/ 
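Review bot: `client_max_body_size 500M;` in api.debyltech.com.https.conf.j2 is a very high ceiling for a vhost whose only upstream is the webhook container, and it lets any client push half a gigabyte per request through ModSecurity to the backend. Unless the service really accepts uploads, a limit sized for JSON webhook payloads such as `client_max_body_size 1m;` is safer. `proxy_set_header Upgrade $http_upgrade;` is set without a matching `Connection` header, so it has no useful effect and can be dropped if the API has no WebSocket endpoint. `proxy_set_header Host $http_host;` forwards the client's raw header, where `$host` would give the backend nginx's normalised value. Adding `proxy_set_header X-Forwarded-Proto $scheme;` would let the backend tell that the original request arrived over TLS.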
diff --git a/ansible/vars/vault.yml b/ansible/vars/vault.yml index 0f70cb336ac7d419b4e39b03cb5e4fdbcc53e05c..28cf17eb49153bd67405aa875d0fe430e54ed5d5 100644 GIT binary patch literal 9967 zcmVL%rodDS~DGLq9tVvIZLiI;G6 zDA4U|R2MxX(I}fJ1gTv*=XI$SS$>W1ZncV40$;|u_E zdJbzm1FT3;F1HUkYR1gGM*Xl}eSHp4vs8~$BIdZ5l_P+m+bs<`e1Caa5c7;=QPSnS zfV+%QA?!4P)|Q&-o~^E**?{iMS zc5$qew43oMhV!WyYpR~ty~n=jL4?Y64m(qrS0ZR2G%g1;Qr+8fXQW)?va^KWLooUr zhb6&r8oUq+cm8DXZryG2W$&CDFQv|&WAAB-gP=mk7m*mX$}Xe{6O2_%dL*$ynA?|A zikmc;P9H=Kh$?oK=8K$56CE!4?Ls{jXDOUGCP*F8<^NR*teE&2^FP&$F+U?D#$e*#>VFl!g8)+^ z1vPJrYY!dp;B3*J1G`@nMor}B@aXL=V{AL>IM8tEG=k1{H93LWNe|e{PEmlcQ_9#p ztO2@!1)*}%ZfvlwJ9#4*cpOn`INvF6FfM%9${5~n`Ua}dM?H)QJl`r`;Q9Pv%G1{c ziR$4w@nii=d)gjCP5>i~u($%X4!s&#Z*8_fVuCW(+#7a+v8BR^yv24egml&hz~`%*+G5uByaGO?_*m%y?a(e}-QIJn@mLDzEs)UXP{gNrW3ZK^|a95|dg z@M!+2>N>GQ!Ufj?HjnA!GuBN=w7duDMgrzzI}uFX>m(?ex5<;UzC?vxjyqE4{8785=3ov!?Yp{;_h18!T?x4Ym19$mW8Z!c`lETri(!7?O|xYfV~lFVP3;jbR`Gu0`{Tcd`toZSMnU`pzA>hVby=6(Jcf2I8S}NI0||+0 zn5UYsdn9N1RE9J?2zQVfyNXs0-1o(VkEOh(l6li4oH`XGfZ|ad2yL;)y8c%az!LiR zv;Bv0vehZnsNRb)^MgY9hiDze*$(P5&&*{1z@8jlm4U8AX?@h7-@TRCXG1{<<$+3W6g}o{Ua+P=@s8LwK`Pq+)O*A+0IByt`|BCcY^vx{nYOi*Y%#le zJ}^?diq+0~Gg;|JCiC>NS#@XdEoJq|>B#6$GIwM;SYy5iNH}7=bsoqIK)kCma5Gj& z>uk#|6MQhzhHDrAa?{3KpZNIZCZ#Q2D#4{au*$N5*q-+v(|Yjvh$g$#%kmgctD_BgvR5QJ$^KjVt%gx@pT$pf6IVdb+Z>5R8=AD~O@ zfX&Aqh?WL`z((jB{t6(p)eGj@^j)}F-7bY7)KnVmRZ{gV57*cWcjUf4&@4ITWe@H7 zdz?Np+^m*(_6+6|$QTv(Wr5C60feYhc!WY729%<7-0Vtfq$Fm6(n;jpxU!viKbC%$ z9!LaG@}6HAh(<%hA@fTiYl5ALPk1XAKGrIyR+b=1mV0o00wtE2>Lm5boG70QCxiDE z_IcFbQ?iu-DSdDEK%{JuII&A8?%DbEnO43FWo0vz@I1%8!7%4w&eMBmC}eba>YotczOU;m$2##rwd2^Vh;wL-3!=KPH%h9vAo0Gm_n^cIO%de&S;e%&n; zD?o$C|2>lwt%0EfL{%BTqf!iotssdJ^6HoIDKkzY63aS{)D$;PyiZHFjP7#GOIuuHvHa#!JI3KH9gn#!d1fp>yGQQHB2!6(9ySU z*}>Xr8#q9+pubqYEq^e!+LZk`<)SeYsqCKX9F5ibwgN|X1F~x? 
z->VHMWjo!0Dkk9*XWZ_;Ta*V4!6X64t$*g3EU2f9}Q$HUlPyh zXJIJFf?}iGCl$}HWhP}*`?JeU;E~Rn5ju8C*5XEFDa-B`}fO8=01OfDw7TmTWixt z+}?uYL&DQR!$rETdWv9q4~mgON<~X5l`V3tBrxa4&h%2Oy)N%x0900+5^Q^H}=F1wL^9qq*!w#3n zxL{Erir>a!zb#5X(~rsLPbZyftEcE8WAUMaBwj(yL0M32Oi@`_g+f}F_+zXwPlPV$ zJ&#n+CRHlt?Vt!I@csC$ut1JjHXIUMbl%FEZ@#Y5$+}75-xd=vX0OeQA_<*7(U~f6 z*;zpsRbcLd-NWml|CUS%{JduH39lA;Z@u1y}}wxd&)hoz|l zNp*Z77Y-?G#200=vf#m&LH3CS{Z73?87Gl5R9w zNUd8OgsiGU{{4c{{j?Hgfb=MNQEC4!RZnW zzxx2_pV{bc2{Ps59~0n~aC%suQ_*`hrInw{h>LIEaVBlcoztj#RW`|Y5Rl{Mf{K%I=O);nx_Dw>4Ggnp1% z+q63+*GG6uctbxYx;VgZvaa7^PyVfMVIY(WSi*j_>t4>*&zE<>mZVN|dyANcO|WVb zx=?ddA+K&(eAi|~qha-QwembUfWCNq@VpNaRAX7)e-aW^xtlG49d;NpdFF?yO+~qn z=JN>_P!ijA0Z$cl@zVYwfU)7S213BI@bX`8{P)t+a{7Abwd82Nm6AD^o%{E0p~L}) z83NV_g@JX<$ z_Vt3ih`~R;pCszu9foxe^p|_g6ZU zNo7g*js#)tZKq8u$2%lYHDaQPX-HeB1d3|ZOXx~inkv$Vc%;|#AH5ioSRp2QhwhFR zUoTerh+1I0!Sbj^WUw@sOgq5RaL8GBM4**Xt9eMLAlm#z!Cd#Jdl$>ANS8oCxX;pe z=RGQ$nj7EtnZ?~dc9zn>I?1hYUEKVXc}I*5ro$~*2yh`iuUo4?t|o$IF)3psYiMgH zGIJFq$;4j;X(JKtz_=N24r^!I0t_Evr#sBn>qpQt0Oq&>Wzi4rNebYnZwCZqSc!JD6x|CfQ=51< zmssQeuc1P}hoofi<-qdj;rk>^_T{zNvE@b!@%P4xLbH<$BGkNjw(h{j5;qZ}Kyqqn za179{o#zGllS1%ZMB~aBZNgnrn*Rz6$hZw{;e|R|wAgM7l)0zb%n^c$EhiT$r8)5w-jOnQ;K zx)?)>r;W&>AUOXK#FXy3GRFD}hq!C`rnROoHelU=yb9&IAT2C~SxLI_(e3|yaUmO!AP5YG{Ktm>Nj!HwF2C2HnqI$&%RJI4YGpe4Dm_t2oO*|fUDMx-VFy-O;BzMf@*|F0u)}XR&mbo0_ z_}LYg7AKL?B2eXzRomPy_FA(Ay*hllg1?g_WH158Be2h&5u0nnS6;;TaqbWW|1dlp zwOZden^o~!MNC8|(yv<~JA47}aiX&sVad#dES-*}?=0Ve&&W{T_eXDtDXumPuUeN} z{sQ0R=4JulVk^VN+g;lz8q@?TQa*1*XGf;RD4-; zvLe{A%R)FVqF}RoLXv(F1;Q^*idM7C#+rsO-^MgRN7M(86)l`-m#M73FYVrAYxpKb z)DI0KTvFzcY!Y6v_L=U2kwE|Jtk0CGX>ytu%gP);4uH&H&%z zE{?gpp?zQ*$=@}31Y_MT0zUh*eDGRO(94$EVcDD1zCaS)4Xv0eGFe15O%(pC*im4u zDbHPl&ZRRvR9A5E1;EaeRL-*5&{05-b`Ze(>i<$k>qfHrST05Wx31u3DdPn!zp38@ zx#l@6Ffo)*mHF)q!d)^LMDeCP`U-ZO(_dHcPGDX_B`Ek`~Y`3=~4Kh06Ytz`a( zzi2>hDf0p5$SM4_alSn1j&DeKBiRRS-n=1a2ZfXciUbIbbx{O6G#PK&5)RwD){A^f z-O1MB0=I^?x)_Cumk%tXrd*^p2;6`fYX;3Ct#Yy6MRkY3${KecXzfUM27me6TLJXs 
zQiN2p(#C9|QQJjC!RC4uM!r1b!CPHw-~AnHFTK!NwiIBNA#h*hWRklTUv+D2t}xMk zMWGAK**9o0{ROg&02$l7i?$gxG0Cmfv`!&UM|3X-B|Mc=tiW4b=AcOb_mkuWgU1}6 z@}3LhR}Tk~w~hpwpT?^huj%)Y5cxd&1urt~9|hTS_3|7S5(50e8ANz|HS(28^iE

3M9~4@?~4?X^S>L$TXE`;k&bjP*aRP_D%w`&lnyqqbqq94ztnsG z5OwF!_wGqN!qLNN(oy#2)Yy`_Y8uDu*E*U_v-(OlIpPpSZM{a~(7|PUg3~Ugs0`_o z53M zQI(v`jA~)SPuECO9VQZH+haC|B;x7-2Ym)r;Y4~(8&7X>qpMeh>2#Clh1)z52-WQH zn?yR8ll5xhW4S5BER*!=7{I@~fDz3IRg$;C`hRfRrVz~8yciRNZgC3e3g>{Uk2CC8 zD9=#m*^YD>gPq3>gh9KntZ49Xhi^M?(b3qXe>1IH!4uz;7UVKmL(-vs8#zTX+8rKL zFXF?h#L(b_q_At+hW~5EkD2GS9RI8f{?W1NaUCt&JC9!ChT`hdh?p(_IAfsrO9qz6 zsiqmImM_pF_4+Q4>jfY$yhFq?$+tqE@;Q|#XSd7-b$Zr9@ zP6V2ebk`+gZwCZP?QxA|k93KLB}}NdlBH;36nkgq$$BXFq~s4J6u~CaYxXl<$i;ww zb3r%Tk=)7aYJ|Z`yPXgesrno=qJ-FxT>`xtniu_7JLzGgvb!;&i#*FOJ5Xybi5xrf=C`eiDKwau*s$Dj;Xp#$vPmJs2_Y8qC?q|;u+wbtfkQw zc(Pub1DiJqk&-*hI21|eZLANrv0VlTJ5)XdQ`uJuvEH40owlizAVzg=TkiX z6vT8}LK_v!s|*9F@Yxm~w(hIAw zP-R}E+S)%b?X(B#oTIEhso?5@oBM?Ao#i)|r~VbT#8xIh8d zV{^WDc`kQjoN+fz{fo3W37$DTaahtaA>OkyzIK6|BB8Yh4!PACw{h|+eYneS()fi% z>qkx2SY0~_EA=TrC9KpHU z`l}svmgrkZdXJ;xH9d0X&6Y-f*o_AVd^y}W)b#oyu`6N1( zFC>IxOX>9!ti1Z)Cp?2%z!J;~5Xyc3 z#C<^3-IxuJa@hCL^#Ak`T;h`~Lc<^34i^ya$m-kSDaFop7f)sUl;Hlw;->S)>mfbWgqLBG{c05A;(ecW z)X-{V-T-s)e3g~&?$XZ2kb5#smI#Zz9oe}Wb=U9Q+L}z`v{MbOmrjekOfkhlEl%S0 z70Fp$|5DKxgeF*sa=CsQU3+$Nxb~-Lx?iXWpP;<8qv` z*s1>PM21)k1$59S0*DoM;=yZMS28%egbxI9##;wVA_gh|-Ox3^BCpd$)5^?DhSv03 zA&f;eaQ`~EXjHHU+%?gswq_LVv%%M*kKiFVeniN)QAedxa;0#3b6baBn{utfZDj1* z7D1M`Bj9yNn)hWZv}XWU75Qo_S$TngHfPlC^Q9 zwx^23<XnJkf3v#*jpf#YzGu$H|B9qRW!yQHbQkyOl%D9)4wf^t< zNJ>`Izp0uYbW+G73)Zt`j&)!+>D!{8NIR_nF%&doN9wosO0$5as|ez)lf<}m@$4j` z=DwvpN0^P_4->i7b%>w~1EBS~D}A*viwFas1i{H~_Q0LyMt?Dh06~`B$ zNxP`9D_E&XrZG;mvrH1uX@2?q4S`@w1~EA>%naz78Wxqbm*Cgj6GhKp`lNsxGn!%U zrl=SJ?bL?40$c^!TaI+NJ_ypifE&H0GepBfXY8a&f}()*{&*FATIsgW+> zE5D5^etDP(UH0b|z*#Sq`$E?qNG_opQ;QDTKO&2Pxf6CNW5C%^PoQ*|F$zU%crZ?~ z)T}zE(St2tNtvh*+?i}CTcpAR`*AovTa9$GM!*?>O4Sy{&Rp6&V>IT&(eH*BM)d?{ z9W10_(U&Fs#AkpVnKp7D=@A9&-D#Ww=M1(LbaKpZIgZvjQhKM1oJ0E2Gersps>ZgESVtg?a|+N{0++xk+m1XMM2U&|BrR- zLde#(Isr5EdSpCZlHV=~(AYWNnJ~Ot07|5$v$n_Lm+ZY$+#de0IASZ=`0ZaD z;$t8t(!n~Tf681L)4L2a=%R`6Gfi!?na2M|k{tg7k&c3yIS)lhX>0pPB(6jDJKUkx 
z0hwW79~O8hRwx5`JEBj^{q}K8NILh!6vJz|!I|!3ZeWnq5Epg#Fi4<)vZYg}6-50n zvIcK@gOqpkF}1QsXVjx(pC}xZPMZ}P=P+S@n@mOBO7`%gpX^2!6Wv=MZP&9i+pOdK=e&?- zK|tWHDc_RsGj6cEAw1vCfQgTrZt~_g-_xl+jtfjFtWAvTsg11R#y;rW&Gw&Ie5u$pz}F$^Ib?4HjpLRtspzKp>|uaWr*Mv1~>s0Y)kS`jU3# z!BQgL5S{3PWmpDRy(R!)Ab5t|BNeCD(V889nzf_Y9(ck~1YhI-;?-DTd(G5*Y~1rh zAL4N3862)4A|$A8eq1J=4GI5%%Ndc2Ofg(~k{IqTpJJ!zsD}ZIxtgH{S4t&y5}T|y zl0eZ`l1KB#q{<$eRem4VGt_2XXkHI*oR|LKVo$$wD3gzzH`;^hD{w2c;E%M%1JRyC zk!kt|PrC`)bmW-ges&eV3gX9X@r7JDP&en!*P5uDwO^240|>YKUb?uf(;+$6=8Pjgg3UxoLu(?*Wdn=>jnopfRu1gGM! z?%J@!8I8oNRs z!xx7?s5|YOs5F9E+$3I0_?jU>9Z7(u0upAb88(o!7KwbCFw-(lcbuw6sJ#c0SgKIM z7L6-h0)>1=av60(5@m{ih2@}dV8zTPc@||DSg+Jd3%NqmMp;t?`LiHcD6sLQ1hCYQ_ybs_Q~lNT2TNOjaFc+d%}ef-o-JfwMR`el_D-x#h-ShzfxTCQ}%__>1Zl zuLWh2)dDF*tk%V|e0D?vqOY)F>j!)G>)y{iz z`;uTTmJO_zy)JvS<#T-N`-5W<^n(UWx+an-L}&-K*Fjm#e1@|AQPOGhYm|yL&FpL& z^CIJ;rB(GXBTrld*oz$kJ)-5so<;cdBu7eB?A^O9PTbHE4!OhSGN5U~P^m07k<{mJ z*xA}46u=M^;U%eJnipm7hO7G}jex*r+bM+lAk(=Rxv7Aly)%PpalzRKIyuKs5ohh( zG@f)(#c$JRyz`Q$h*So%Ew3#XKJ5zu#@MAib?tJckPFZ!f5_7*9>Mx3F(|5nx)Gy6 z0zKQ{zO=m@$`?e9FKm>6hd={dmn%A`Vh++=35UysgxlBHD2>Ws1kp^&mogUIH0gqz z|87l;`hW_(5@{%XCR{Q?;N5!A5z(|1e!{+&O*X@;+9RNcZN)i-(Bdq8$NfnoXQHOYj2y<}81QcX|1)B{AE@<|Wr>(ElZevsvT&q)r t>~*lfu*T#-(fy`hA(KEPl$bhmc_1MbS4&70?HV%C`T-{i!0bVL9E literal 9254 zcmV+>B-z^lM@dveQdv+`0Pz1IB!$V!Li^D+O4;LY^~=J&6i00qD{TCO!TNE8ug>n4s8kPKur(W&nw_n-c~B zC5)ZItDHma7?`#8I|0eUv#X($)w>v|?4$h)g(M_Ku(y}iHQ*{U#uX04u4TdAM2ipI4a#|y(o{>B zWMwP(G(d5y?;+nA(^_G*z?fuA0vIP zcQ{uVvkmc-eGgE)vgFFUtzgq7N_Co{|CTEf`!~_%AS)t-;x<_P))&Z$_R;fyM&u9s$6B zgDg@Ity-~QKfxl(LMDO99oWWeg5fp9Za;pa72(P~wJ!6krmgFYR8*9wQ2Fy%=;+aI zq;7kHEylsR&ZdNZLKD7;+{_o!*lns7ioQgL;7|g{hlLKf z2O2n#Q#p0%nmchG6Eppp5@3GlG4_p)xUBm5clw(txmrWQ6}5kl2mu>_-2^&V>~~4C zmFAI;b01)nWy}*=&MLa~Kst9ab+AtEW0b0;$ML-l+v_bbOOa`Jx3W(?Q&K0K%2_uZ zbQ2U}W;BOWAM${k3|#6J;V&iA3qkJp-+XIizFFk}m>L~S|Eh#ST8HACo=x07_bQMQ zu}aRlnU?`6>;wXxnNNn4bI~dq>L|9y;1yK5G%j~?A(?vz7htj(d-Pclh8akb>mM4* z;t}Bi&+qihG329pVVCkrRS3HjO_3k|JcIKVmXVlzFx%&U#x~p+EVipA 
zzbu?}&-egZ;-b>;L0$5%Aw;F5Sr7V;L_H2}_)pea_SXNapBW!56!y(TEI091BlV&| z9`yZx?{X#>$Q#XncZ|#_h!y`32a9VkAKoxILq`8=6YB8YpBTqlI&P{&&wQ7G4S^yT z5$#i3dmJ_#z;&d}8$$sjyzF9b_iz`!x&wg0A=fF+*$4qzJ)KD0M&CNbMCUV;7vQRW=>1$ET7-VOW%fDEQQsJYW3%x1Z0v(pT> zMwuZO+|@KD0^m!}#+4`Lv63s0_pQm;s^1DTN##ASmq2e*;Tqaz;n+g=^`5h>dKf~3 zBJvmP$pkq;)dkAcf&LBE5ROoYCYigqmQ%*r(GgV$v){SKnnh{R-Yp9W4ON z<8F^2Tj!z8wNGpnK|T{AYR*}rNv>9lIKwvI$yF!80`8ZLneywbaJnvqY{*4s0W(~! z0(Hi0HvWVJ%iaWBTcY1rdoLmtUNmbDNVINfMdZI@-4s!e-0L*7G)V~X(TTx>Lv7cI zwRCuU$;N}%pyH{pw;P;mkR-JhUCzscZW?;d$OSVxs0)|D>19iy^Z05gPqzp<)#VTB zvBV;pfYSn@H|(t_cXu_FiL$*T%Z~z?ava`AgMybfMvYjiB%y}VEsJttnQp>aGjaWA z>rK)yswfAGOwczfSnh-9?;(nO?eA$?lfKWl!j|PZ{QoO}~r%Y7Lbc0y~ zw5>q1y;=LoFx6uZ?WFK7=-*BeE`;~~9J{?QKMV?5{JNBD6yM_@^@-U^}Lg?LUL!L&&HO1VTuaZEmINitb>rq7?b>7r(!Gqyl+T5A)g z6HRRcKs+60;Khs`@m-4j3*si;f%1qX7A*uUGM1P=TR0tAc?8-#Mk^LWiS+wlVjPA) zQ}X%p+dDj_LjB8e*o@6eRIh$wG1dxC#rn6nz^GrBR2g&!#FRk6yO8gy@PMqO9DOX& zyfk5+WMq4)8~t3Y>s)N&1of`+ZL@aAEdJJ!5tXc%I!pLOao%h)!U@58$-E4f5#H}J z`)uf88E`0B-mv~P#@Y)cuwCcDP1Ad?P-|F{<$q8KPq{_Y=7XTJkWy1^(~`xR$egK0 zoB~zjM!XiM&`G~+aMakqVCZFbuv_gpjQgm2e4LT=8)`l;_+@%7%v8x^L8t5LV0(^$ z;a&yBVFsKCCCLo^R;Q)!^AL|?HgG8jxCvy!plUZ;;}G*m5ykI2g0$G6>?>F}cN=Nm z=Nl(SoCm9yD$iC4QWV96AP0VZ|J)EZIbVlqmD*Wb2%gPAEI@S9f= z?wJ5;yX{aR@EpgKQE+CyPkFdX1}jp2Re84{#&hZ))+I5n4+<;ht;MPR3rY;DxC1aa z17V!JUJT%hyR`M#Fm(UfN6yXcxH#_+_j5p1`?F#=^XqZ)`ry7$$}Cq(__mkn6`6sh zdviRqb$k=;*+}2A!!8-<8d@BVWKS?my+{h-1k(D&uHemFGcIEjw_9#@CrXay zTahH&+2zh`zCxy+IoP>8(5W{>oL5PWALN`YBdE)UpXKUt%o}&*vF;CHKtvXCTShj9 zR{p5h`tlTo0V_JMB3ckCWfr2|nM|BxnVkbUMd~-E!!?sk~$DbYej^ z2ihtw8KbQ}Gz@V9njvN1SN;?2rNoRR7Uv}uV2X9FkmaiIEJc(VzOS2dB$v$b_A>Md z>H5zoQJdiU!@}I5D`lgpCBD2%V+4_W8WZe|MhNWZmwR%)t zLk(j(Y))2qrAyiM+m-bb%x2p zmgujNr&&mDZao93!!q4*(beG0LzF#UllBf??rc01@9$wvM!zJW1pq>HpOv*L`{~m^ zj8v39TjB-7!e#lh`2Vjxl`*l_lJq2rEy`*kTJ~J!%M7!}Js7}P3Ad87;cK_)`-1kB zBNI9e>F_W?D-oQ^ugS$vg%P=8zqUBz*2$14@VVj&j$Fk~`*bqp=Vyh)pWRRIVt5N` zb!Kb(vT~Iom6HPWPK_P1S71#BC8nl9BC+jSqR;e3 
zXqBqeQChY)iG~+rIKUw4B)pLO{nE3nh630GO^W@Vv0dB@QvrD1!6vIXdf-Y)2f%vO zaEb`9mAVKd^bPF*9HXS%$E&FTS8q-#21FMv=*_aRJ)3=fn~pMJ&z}HwOewkWIO6_j zvM&-|F7K0V2&%mA{@zUNersp9HpRR;<<$v3A~XXabm=Hn5?whG_=Cl z4l5~C?DH}mUFyj(J+)_fbwOZM#k{2qd0uy89I&}v2$9JtgJ~-iXa}Ci|ENJiNn4^#BtTVBWCDbJ9tU^bKX99i8?Z(vXZ)zLdQ^Zfe2$lR2vE?1F<%K$I>$Mqdx`^ z{4~SCU)Q&r=X4wxC5Z2|f=cusqL<`^( zHlE_Tu4gi6nfp1Mz;9P^3Uts)jt_YTfD!mKDJgT!UGTNVUZcwfwy zjg9W~z_xfPcF&BiNz{bpkBCfZ#~fAkshE~*aA(5#!Woxv?sC`?c2yq=9R-P;go6?c ze}w0qSB7VsVW_eumsj&YXb=48{rHyk9O%sS^oGw?K-{#{`hS;Ognpti%xHmyqT(^G z{W8!6K)FjHyu+EnI{1P(o~U{jYyUOwTdgV|q()6>GF2?0MM=eE7m>2HWM5r?07(e) zE)Qc}>w0y*cESTzOm~89C81hRAHn!goBN0iOuzxv0L(vOC|r`DC=#FB(SAsnJSLvd zyG%GY(fIZw`yv&WmZQwAYtQNmf>a@OC!QuOxhrRr~tM=*P3SdNjN>~@s` zjTR~y6IOpzd$vrB`5(e989;A@pY#dxB>}i_$3|3iG9KHbQoj}uqs8n}2m&UQHe(P- zo6%TG5FFo3WzLj0@j|)fN_qvGXFzr zEVFAmBR#KHA_jWQNZgjx#8r>TS`s`JdOY+pr>OUse;&jQz+O4IKDJK9;1+X5nNRcq zA`?0bv;e@?ll>eh88=q!lnP5wY)$-oE0sPT0*dkyERLc*vw)HE0QKKZ6kPiClcJV- zef_-m<8X(cu@}YX<|e=nQtj&T2q zyM(~-o0;K9aW^nm(Q`x^K@Pof_{JM=(|?~)7}lp5-5weGy^+@i&^@cJ&bO~?K=kgi z*)ufya910v>H*MG?_9Zg$4isH``_23-kPubn~EkxwH|}X34557AM!Yp$DzHxDHt4ewVpl9dMfMcBMir1@9d;+HYJo>b~TA|BBYcRSQz;LEA(r z2kDmTLNQ;(O>_KlAy|pi|ByN@<{{p$YQp~NZM|HccqRx0zV$%%edUEtea>2JmmeEh z^n9yclC{f@@~vRC>YkKYAFU%SLGI_rm&i&D&a4A@@!S5HRp^#I&8mg0O(l{8!R4j; z?QIGMz9~6{xaI6Ye+uwN#0zks+9UyMtl6&1?jC_@bx<{-><&xZWAHHpNlK?2T>tAC3j8b2K}{_bQiF%yKX0kik#X+0d3zf3Q}mzn_Bms zK1rn%ukV!q_OxQ}Q^AMEg`}x8Sn8aafrw0fm}7B|#-gu}k6K*#NDyg_Vxs;zNyFWO z?AJBYLyXn;tx2@uC-pQrsMH}MAj|s~VSx`U7CIJu?_0QM0u0LVu0H zouh?Jz9y&y5C0K`_`5VvZCMiDMLBmY6WZJeu>$>P)?=?O0F(fag}W}Y*m-aE@x&0Xdd5SDGkBd;S~Cs^O2=T&rV za!wI}p~A(CuQt2`07w_Hrmjrzf)PIQx|UYtT2WcnIV=kp0rPoYhpi65GdjCP<&7^W z>ox&SQp1}W3nYr<&00L8@LeeFIfPu!qIc=&>A%WnnX%@P=TQ z3E2XJuxN^n{0~1`#-f?@jZ104IX)E5qnFl?kT-u#`P83$N->_AU!O@dZG}dIbKcLu zmxbj?tnZjKIc=D9Nuj*B0@Bv|fRKyCe_W5JXfF#w+56{B!S^oU=HnWtrJdzti49JH z5&!kMuRUbTFwaoUtaAjDbSqDLX{p-fSJiC7rrx|*G2>|uupYR>K3re0(Y;y3-GI5( 
zlXlOCnVkOOCYyLD!<@S~3G}X)BeNNQDn>NMA?G7Dv)45(sbK5>6cI_EJk=t+flshJ z11IFduMGavSm))Edk>remQs~-20<;&Qp1`r!pizGkp0AHjCf9b z=3eN;fu2=V6|z{6oX0ay{}Y&xf@+&xN(7CPMgD1VoCOWE%ys?hu!SwI)3Z|dLuyM~ z$oJ0TN55DXP90KboA5Dp$4?zE(=Qsva-U!nNX7?!pzL0Hu9MDHd~Zm;e!E9B=yS$t zJ^k##HDg<)$eti|S5HNaSjgu8l~6;nXATc~RQXAtn{F>WnA0sa(O4c3n%!xg z5*Dw0%>Ulq{~E6t?Y>zJoH##al(arB@tc`4viJ)p?&V7Z2(8+1q6nzp6i7dgnf{Zq zY;IQQc|(Ov=rWrnZ51J&Wgv$NeCiTXjb+kq>IUaxiXq?G?sv5pnT8c7WM zv3a*#n*b(eOy_?s9g`PSyOU_`W02q#MK3ymG~!rnRJN<^S`HvwmR!fyks11~$D|>M zqBuub;r`R6G7D=TWz=c3kEiy@8{mry(!S~YabV>GPHTV-sajN}r58QP1Q}YjfO`O` z(*)pFR+c#ISq|*la6JQbyIpZ`h2O%Eqoj0K*eL_3xZx*JN1xIZwWmgLb`ENe7Dq4X z#kk%k4FC~?>jvT+2;_1s%PDRrm~nZ7-$C|*=iv`XC})z zvqC0)B>D>7g%+sKlwti0ze+^;`zQ|aQV!Iyd7fnX$xKke;=c{%&vSDvzHed7?tu}U zyU;nW^bs_qC=PC0KCeorN!C1m->?4slf+LMd}yycR+3Qm0oSJtqi6T7wMSP$!!ymT zh2^+F7U=5O_tZnEH_^-LvoVEsr)7sZ&39*AT9w@TXKGt11?*_F ziKuXTEUAJ!rNte4)(TTKd72t?5Bt2Y1;;q6(Y` zZl}K7V_NqldbMXjiZ^9y=$0y9;lFvIcw_@H_g&ZgwwSw&5tdFxp1MrW2mln2n^e{#<;-mPhbdfYQ1O?D!H88Dc-Z!x7fPeUY9 zSUg?KMYMe2_6NOeh$7M&r9!pF+PQP}K}*)Wky%b4Kk!mL2osd^p+PXd;B}~=ADmyE zi=QBTY7?&jyOXy>weyc9x(eQZZ=}5GsJN{L>6vPe8>YF}r_fiLL3ndnV9XM6Tflx^ zlPyCin`XdGW3XxrMqk?WStxT0_4dca>$f;Qw|PMX9>vANLwHPbm4$LklSyo>TsGw-zZ`}_I;MXE(WGU zb>R62?YH!k-`szw3Nh4o2d>H3ragtg^wm<3-s3C!li5bXwMI`;dP@0C#zYLJ_;zkf z{JuXzoMhXZi@E<@!FZDJGGZ*hS_FK_#Das*w#=@!&ny_^TEI)&Ap$o5m?I_w{^{^K z6;soHkQ8DfH8zo8#6@l%f|9)N1$ogy`xPnYo!f@V>M$0hhT>fsD}(lP5AvA5WqxCp z$HSJd#0*IkiqNWcZDvbY?6vsI&Dm(akf-AmN0IeARDS^qBGxgLD!5n^+#@mANbE|1 z_q^p66gt!*ds$0PfehT4D2a})M$vbFZ=XdM?l~6Dq@MvY|N+|I@GfnE~RI1V~Ffd{9mH0e*Rnv_s zigzYxQ#^DLLQ0*{E4Rk#ZM)nP3jjI?f6&hn9qxuho9}9fp4X8YH27#n=j?p$<+&qJ zk!)(FAb~qII&a{4CL}+u3ySJK;Yhrqo3MacDVcPhGI~6pn2DFJ->v4E9MB=1mCg^5xbl$vKKYros5Mj^P zp!xW+g@$<8xoC{2x{pBL9Q;lUI4$0fxb4TADSKSv6sS1OOxeROk@4#R0BV=sL?9?b z;za=QJ&eG=1?O(nQjfm!HbL)!bJYlL!Nm!GgKYsY7<=dyi(ULcSW~`9aKUT@ZZE84ZaMuSb5sj#`tN5o5 zlZ4OKh^Q|6xm?v-CGdB(1R^mx0^6XbupnU<_EXg+b$2jwL=kbM!{eFx04s^b*7dnb 
zNUKIUNv%Y({$zJn-ZRWgUhdFX;ak?E<(|*J2RLk61IJGza30`|=#kJCfH{(dXAF)7 zOh%67_>!sDB;cbi51kTG_E)!yxsPI2a$(mDq+t3kl$j)gdFg8f=P|O~G=bXquHhQR z%^?2;<4D`i)G5!Ov3E6)GPF>KiwzF&eZ~!=A(g{nDRS=gH53+-P4qU(5PNL${xqUM#T3(rL+viD#O-%;E)set)hDxOBJMV?pk*}Q1W?C_alHRC zSOSmR8~R)EN^h;V$@=9;p*W|gkNFFpAS|0Mx$Opf!SH$w)tu}M2iv#Y>Dr_twxzN; zS}n2!vCvm8xGK2qSJ0goSEv~*n_d?Eqp}n}x3D@df~ZRt7z*3_U=ioFt zbX+%n1pm`-^anXgLd6VU5?rfg2B&Zv3r7&|I>K8D2Ers#hfW4{JxCk`BnnK{owoctut1fI