From d5cadc560c61716e0915785e3c5371ff7a112789 Mon Sep 17 00:00:00 2001
From: Bastian de Byl <bastian@bdebyl.net>
Date: Sun, 2 Oct 2022 21:32:26 -0400
Subject: [PATCH] added back nextcloud, finalized photoprism

---
 .../podman/tasks/configuration-nginx-http.yml |  24 ++---
 .../tasks/configuration-nginx-https.yml       |   6 +-
 .../roles/podman/tasks/container-cloud.yml    |  89 ++++++++++++++++++
 .../roles/podman/tasks/container-photos.yml   |   2 +-
 ansible/roles/podman/tasks/main.yml           |   1 +
 .../nginx/sites/cloud.bdebyl.net.conf.j2      |  16 ++++
 .../sites/cloud.bdebyl.net.https.conf.j2      |  42 +++++++++
 ansible/roles/ssl/tasks/certbot.yml           |   3 +-
 ansible/vars/vault.yml                        | Bin 9449 -> 9060 bytes
 9 files changed, 168 insertions(+), 15 deletions(-)
 create mode 100644 ansible/roles/podman/tasks/container-cloud.yml
 create mode 100644 ansible/roles/podman/templates/nginx/sites/cloud.bdebyl.net.conf.j2
 create mode 100644 ansible/roles/podman/templates/nginx/sites/cloud.bdebyl.net.https.conf.j2

diff --git a/ansible/roles/podman/tasks/configuration-nginx-http.yml b/ansible/roles/podman/tasks/configuration-nginx-http.yml
index 11bad1e..29bedf5 100644
--- a/ansible/roles/podman/tasks/configuration-nginx-http.yml
+++ b/ansible/roles/podman/tasks/configuration-nginx-http.yml
@@ -61,15 +61,16 @@
     group: "{{ podman_user }}"
     mode: 0644
   loop:
-    - "{{ ci_server_name }}.http.conf"
-    - "{{ pi_server_name }}.conf"
-    - "{{ home_server_name }}.conf"
     - "{{ assistant_server_name }}.conf"
     - "{{ bookstack_server_name }}.conf"
-    - "{{ video_server_name }}.conf"
+    - "{{ ci_server_name }}.http.conf"
+    - "{{ cloud_server_name }}.conf"
+    - "{{ home_server_name }}.conf"
+    - "{{ logs_server_name }}.conf"
     - "{{ parts_server_name }}.conf"
     - "{{ photos_server_name }}.conf"
-    - "{{ logs_server_name }}.conf"
+    - "{{ pi_server_name }}.conf"
+    - "{{ video_server_name }}.conf"
   notify:
     - restorecon podman
     - restart nginx
@@ -84,15 +85,16 @@
     group: "{{ podman_user }}"
     state: link
   loop:
-    - "{{ ci_server_name }}.http.conf"
-    - "{{ pi_server_name }}.conf"
-    - "{{ parts_server_name }}.conf"
-    - "{{ photos_server_name }}.conf"
-    - "{{ home_server_name }}.conf"
     - "{{ assistant_server_name }}.conf"
     - "{{ bookstack_server_name }}.conf"
-    - "{{ video_server_name }}.conf"
+    - "{{ ci_server_name }}.http.conf"
+    - "{{ cloud_server_name }}.conf"
+    - "{{ home_server_name }}.conf"
     - "{{ logs_server_name }}.conf"
+    - "{{ parts_server_name }}.conf"
+    - "{{ photos_server_name }}.conf"
+    - "{{ pi_server_name }}.conf"
+    - "{{ video_server_name }}.conf"
   notify:
     - restorecon podman
     - restart nginx
diff --git a/ansible/roles/podman/tasks/configuration-nginx-https.yml b/ansible/roles/podman/tasks/configuration-nginx-https.yml
index 161fffc..1b3016b 100644
--- a/ansible/roles/podman/tasks/configuration-nginx-https.yml
+++ b/ansible/roles/podman/tasks/configuration-nginx-https.yml
@@ -34,10 +34,11 @@
     group: "{{ podman_user }}"
     mode: 0644
   loop:
+    - "{{ bookstack_server_name }}.https.conf"
     - "{{ ci_server_name }}.https.conf"
+    - "{{ cloud_server_name }}.https.conf"
     - "{{ parts_server_name }}.https.conf"
     - "{{ photos_server_name }}.https.conf"
-    - "{{ bookstack_server_name }}.https.conf"
   notify:
     - restorecon podman
     - restart nginx
@@ -52,10 +53,11 @@
     group: "{{ podman_user }}"
     state: link
   loop:
+    - "{{ bookstack_server_name }}.https.conf"
     - "{{ ci_server_name }}.https.conf"
+    - "{{ cloud_server_name }}.https.conf"
     - "{{ parts_server_name }}.https.conf"
     - "{{ photos_server_name }}.https.conf"
-    - "{{ bookstack_server_name }}.https.conf"
   notify:
     - restorecon podman
     - restart nginx
diff --git a/ansible/roles/podman/tasks/container-cloud.yml b/ansible/roles/podman/tasks/container-cloud.yml
new file mode 100644
index 0000000..5be9630
--- /dev/null
+++ b/ansible/roles/podman/tasks/container-cloud.yml
@@ -0,0 +1,89 @@
+---
+- name: create required cloud volumes
+  become: true
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: directory
+    owner: "{{ podman_subuid.stdout }}"
+    group: "{{ podman_subuid.stdout }}"
+    mode: 0755
+  notify: restorecon podman
+  loop:
+    - "{{ cloud_path }}/mysql"
+    - "{{ cloud_path }}/data"
+  tags: cloud
+
+- name: unshare chown the elastic volume
+  become: true
+  become_user: "{{ podman_user }}"
+  changed_when: false
+  ansible.builtin.command: |
+    podman unshare chown -R 33:33 {{ cloud_path }}/data
+  tags: cloud
+
+- name: get user/group id from unshare
+  become: true
+  ansible.builtin.stat:
+    path: "{{ cloud_path }}/data"
+  register: cloud_owner
+  tags: cloud
+
+- name: flush handlers
+  ansible.builtin.meta: flush_handlers
+  tags: cloud
+
+- name: create cloud-db container
+  become: true
+  become_user: "{{ podman_user }}"
+  containers.podman.podman_container:
+    name: cloud-db
+    image: docker.io/mariadb:10.5
+    recreate: false
+    restart: false
+    restart_policy: on-failure
+    log_driver: journald
+    network:
+      - shared
+    env:
+      MYSQL_ROOT_PASSWORD: "{{ cloud_db_root_pass }}"
+      MYSQL_DATABASE: cloud
+      MYSQL_PASSWORD: "{{ cloud_db_pass }}"
+      MYSQL_USER: cloud
+    volumes:
+      - "{{ cloud_path }}/mysql:/var/lib/mysql"
+  tags: cloud
+
+- name: create systemd startup job for cloud-db
+  include_tasks: systemd-generate.yml
+  vars:
+    container_name: cloud-db
+  tags: cloud
+
+- name: create cloud container
+  become: true
+  become_user: "{{ podman_user }}"
+  containers.podman.podman_container:
+    name: cloud
+    image: docker.io/nextcloud:24.0.5-apache
+    recreate: false
+    restart: false
+    restart_policy: on-failure
+    log_driver: journald
+    network:
+      - shared
+    env:
+      MYSQL_PASSWORD: "{{ cloud_db_pass }}"
+      MYSQL_DATABASE: cloud
+      MYSQL_HOST: cloud-db
+      MYSQL_USER: cloud
+    volumes:
+      - "{{ cloud_path }}/data:/var/www/html/data"
+    ports:
+      - "8089:80"
+  tags: cloud
+
+- name: create systemd startup job for cloud
+  include_tasks: systemd-generate.yml
+  vars:
+    container_name: cloud
+  tags: cloud
diff --git a/ansible/roles/podman/tasks/container-photos.yml b/ansible/roles/podman/tasks/container-photos.yml
index a9f6c8a..ed6c6aa 100644
--- a/ansible/roles/podman/tasks/container-photos.yml
+++ b/ansible/roles/podman/tasks/container-photos.yml
@@ -70,7 +70,7 @@
     env:
       PHOTOPRISM_ADMIN_PASSWORD: "{{ photos_user_pass }}"
       PHOTOPRISM_AUTH_MODE: "password"
-      PHOTOPRISM_SITE_URL: "http://localhost:2342/"
+      PHOTOPRISM_SITE_URL: "https://photos.bdebyl.net/"
       PHOTOPRISM_ORIGINALS_LIMIT: 5000
       PHOTOPRISM_HTTP_COMPRESSION: "gzip"
       PHOTOPRISM_LOG_LEVEL: "info"
diff --git a/ansible/roles/podman/tasks/main.yml b/ansible/roles/podman/tasks/main.yml
index 03a945f..e4e58f4 100644
--- a/ansible/roles/podman/tasks/main.yml
+++ b/ansible/roles/podman/tasks/main.yml
@@ -10,4 +10,5 @@
 - import_tasks: container-pihole.yml
 - import_tasks: container-bookstack.yml
 - import_tasks: container-photos.yml
+- import_tasks: container-cloud.yml
 - import_tasks: container-nginx.yml
diff --git a/ansible/roles/podman/templates/nginx/sites/cloud.bdebyl.net.conf.j2 b/ansible/roles/podman/templates/nginx/sites/cloud.bdebyl.net.conf.j2
new file mode 100644
index 0000000..b437a48
--- /dev/null
+++ b/ansible/roles/podman/templates/nginx/sites/cloud.bdebyl.net.conf.j2
@@ -0,0 +1,16 @@
+server {
+  modsecurity on;
+  modsecurity_rules_file /etc/nginx/modsec_includes.conf;
+
+  listen 80;
+  server_name {{ cloud_server_name }};
+
+  location '/.well-known/acme-challenge' {
+   default_type "text/plain";
+   root /srv/http/letsencrypt;
+  }
+
+  location / {
+   return 302 https://$host$request_uri;
+  }
+}
\ No newline at end of file
diff --git a/ansible/roles/podman/templates/nginx/sites/cloud.bdebyl.net.https.conf.j2 b/ansible/roles/podman/templates/nginx/sites/cloud.bdebyl.net.https.conf.j2
new file mode 100644
index 0000000..4465d54
--- /dev/null
+++ b/ansible/roles/podman/templates/nginx/sites/cloud.bdebyl.net.https.conf.j2
@@ -0,0 +1,42 @@
+upstream cloud {
+  server 127.0.0.1:8089;
+}
+
+server {
+  modsecurity on;
+  modsecurity_rules_file /etc/nginx/modsec_includes.conf;
+
+  resolver 127.0.0.1 127.0.0.53 9.9.9.9 valid=60s;
+
+  listen 443 ssl http2;
+  server_name {{ cloud_server_name }};
+  client_max_body_size 500M;
+
+  ssl_certificate         /etc/letsencrypt/live/{{ cloud_server_name }}/fullchain.pem;
+  ssl_certificate_key     /etc/letsencrypt/live/{{ cloud_server_name }}/privkey.pem;
+  ssl_trusted_certificate /etc/letsencrypt/live/{{ cloud_server_name }}/fullchain.pem;
+  ssl_dhparam             /etc/nginx/ssl/dhparam.pem;
+
+  ssl_ciphers               ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+  ssl_prefer_server_ciphers off;
+  ssl_protocols             TLSv1.2 TLSv1.3;
+  ssl_session_cache         shared:SSL:10m;
+  ssl_session_tickets       off;
+  ssl_session_timeout       1d;
+  ssl_stapling              on;
+  ssl_stapling_verify       on;
+
+  location / {
+    add_header Referrer-Policy           "same-origin"                                                                                                                                                                            always;
+    # add_header Strict-Transport-Security "max-age=630720000; includeSubDomains"                                                                                                                                                   always;
+    add_header X-Content-Type-Options    "nosniff"                                                                                                                                                                                always;
+
+    proxy_set_header Host              $http_host;
+    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
+    proxy_set_header Upgrade           $http_upgrade;
+
+    proxy_buffering    off;
+    proxy_http_version 1.1;
+    proxy_pass         http://cloud;
+  }
+}
\ No newline at end of file
diff --git a/ansible/roles/ssl/tasks/certbot.yml b/ansible/roles/ssl/tasks/certbot.yml
index fb7c54e..c2efce7 100644
--- a/ansible/roles/ssl/tasks/certbot.yml
+++ b/ansible/roles/ssl/tasks/certbot.yml
@@ -10,8 +10,9 @@
   loop:
     - "{{ bookstack_server_name }}"
     - "{{ ci_server_name }}"
-    - "{{ photos_server_name }}"
+    - "{{ cloud_server_name }}"
     - "{{ parts_server_name }}"
+    - "{{ photos_server_name }}"
   tags: ssl
 
 - name: set group ownership for /etc/letsencrypt/
diff --git a/ansible/vars/vault.yml b/ansible/vars/vault.yml
index 1ff343b6e077709531862f88409f3a94515ba83e..5632919d25fb9c79563d7e6bebde5bc07284e698 100644
GIT binary patch
literal 9060
zcmV-qBb(d+M@dveQdv+`0NOm<)4sKoq4@%>)oXZ#^6b7dPtn;(JQ%ie>595ZK>$jL
zc;w4%&{czik}Dqz1+@476|`HS_FGkX1#Tr0u=J3blhRuSOMwgKzLN`A=n`PG;i5pM
z2Of*Yl)qQ83D5&Eo_d@*(Waki)<9zW&A>MP_lp`mp#$8L9RxD}u71W3PzO0dYvfa2
zXp(Ix&N>FgD6faBU$?^&+za8)eV4D;Ej4_~gVb+h@wqE7hO#$;4z9TVQT|Qpbg+<i
znfuQWnp&T;{DLUrJjY1D``jXLo;fk(HHMvjoR{EuBi9;`H@u$hL&$WF(VeYG2JlIt
zua#;sE0V2E;Ap#tyML~-qw*Qv+AbbSC5s(z`!#uR4nYB*D)mNSIg}h*!I~?%I5KxS
zQK{0VPY9Fu97I#+(8<5mDuynol*O3aiIuRmipbckV%eA{E9aAf9q^MfGTgA_l{>bP
zQ037m?6}utW|1Vwn@$il-I;v`p;A$Vp0|qSw+y}*d*2g0|11x>DDM}Kd2qwfA0{@~
z<}-N4E0G1MiKm_^L-a{A!6%Qo!|cr}ijV+S=9;)R#!C`(JX0u!GK%o9ZFFE7p>z%^
zP>IDsYAH{`egbxIVl>OcL0+BPr+6QBmOhCE`;3tOUs`Lb&GL+`E8;eVlO?6-w4bsU
zM`kLLsh1m=oDAC4ub!gDY{hDH^o0%ApnjNO8}*~A45n{rnFz_4BD~iI9c%qaO}7E;
ze_%)?#0#&?d)VRCXI1Cy`y8xb7p3SSO-nTdzmQYvF#(=#=e*4W%rp{?2eR__w!wM0
z;i~(sVXj=9d9j$4Shy25OH%s2QW}53%lX*VVGP<AWR2jWR#+F>4ccXjD3-usp6@``
z0C0J>!|reRt=$ZAgU}kjeWLmLV$3IL+Y~`vJ9U0S4*}SRx;v2KYr=*ukR38q^U`c<
zjVB=oGR5HbTrtf`2&-saf&EFHK>Xz)hZoMt=Zm-(ISS>p#%bhXZ?8_BP2shc>BF%w
z|Ij)R06>Hd9n^Ff3EUFtRltJ+)=~qAV4E7eQd%v$xZog5Ydcs^)zgU6yV(Is4>vzz
zw#3K$0YJmtnNkj0X>NR2<{)=2thCK$trp`o13f^;+lMMxJ&L4!_p0XnCcO9wvXR)^
z^LGAD{H5YkVS2+qM<}BX$|2F)4O)Nv^tiiGcq;BssM9GREH<(9I@YX3Jypw89wJVb
z#u9nS#;t?58rpEWVpi=H_)%|+++f`$r1iOe*Hbu>9J;#OZ?`0USK#`)9&!JvFz8sm
zm3EW(Jg4Um{V&Gh!ui7*Ij?g{=)-|j_UwxTrYr6w)s`bMI?h_E4D3U94MDRMor+2P
z;s1O#tcxn!TYiEpH=NHbT5`zOSd=!-TTpVnf1_x_78aOiY`s>utqt@WhQ9(a`;k8+
z$<zMA^dVkyCNa%vSyZnfCH2DX7AcFbdU!um^^2Hz4K*L7<gl(>4b+}M@e@*Ht*}XF
zEXGOEk>Ba?tRN5z$?k{kKt4N;XOx0)8&?WU^jk7up7H8RyH{Dt5J)tc3z90%&FUQ%
zojWkYg*=3FdpmZykgu4@89#$ZL;*1>CWzfrmedj&yUA}}MV-HUOIoF6hl=9c)Ve8j
z{*o*=Uu7APjVX$q<i6@VzVFboS6w7mUE>f~%p98;aBa7%xi?XX%p4al)v);1#9o#|
z?H}`LG#{auMX@9j8w7u$EXp{0r5hHY;FmX>Ub3*m?dn&Y0H3+nm23i9J%{O)<_glF
z<?M+eyP#(^O3QK*%dn@dcmOU@<0}V4=2hNv=K~SFbTteLBC8J<&w4^`2gYPH7_P5%
z1J<nA8p?XX>cpb$<9AcT)}-{q;_A}k0=df8XGlT0F@LqTbb-;iT2I`@Nj)K(i*a1B
zrV(C8lYxdIm@~k4xq}Lhvb9JP(kRwNnqU=a{qStLCzcVvaX4u$o@$4HqY!{Ezl^TL
z`M^0Io1x)lU0EfpLp99U;n7+s4=2w1E!d;<S$>n7=QFITs~mu`4Dx$J1`m}yXx;(t
zdih!pURyxs(i4J@0&ks0C>O3$?Fn_VvJebG42@S!cZNrRN?Im<R#m>Lv(+V&JtSgA
z&1-PuUbzEh!9_<+Hh27>cD^JqWTfZ+bdciVm-kDOj$;cbt4>`$y~$eCZGP0jWLNHL
zLXnxWx-YT#f{$7DoL5yfCa4APb+C{F3>2CxBpeC`KBC_vSiVA^;EOuW7l)IMC@!G6
zvMr^v{QK`48i%WJCya>-dt&8UitKFDxVZx>hJttPknVoKr_<kN-~QBNq>(TNVwH@v
zWlmY5ueqaV(npesWjx;`DEpfQtKrfq@q;=GR%A!$B#c_Z&2ls!s4DaC7RULE=~AM_
z_C}(~>2`TwxeJ|lD5CJBsA`8w4zO`Q;m}CjnPgrjJ}6T03}w=Y_a5}<trYd<3(U&g
z+}G+h#_KR-1dlXs!bXvYCMBwOPkw?U@=t}@gcXQNNuH6M8|Feur(rI;0`-;j(Hml!
zFrP44TQt}&U}eqxGlbcRX--YLV5~zyr@pl8(&J>B_$|Sv60m#?;Xt5BYvCjWrl_)h
z>~{`Z?9+gEd}@jQ1HbIQ4wbmeP5qQmvhW)h=%>`!U>o`O{q8CBxcS%I(p3v;q9ed^
zou`Hab}YrV<H;Y9^Lmu4f0f`M;WbJ3XlN%oiUnT`|4@nL4H2kKtCVm0H>j9n4*iIX
zDv|n+Fjiw1YL(_*@*qZ7ATfH4&8_?O&+O1R57Vmvi}XZbghkV5QN>X_y@#Nm7OO*D
zjp`8P6aH``jTO5ss+@Vibi|_9!4OfL6Q)9A*-Q9@i)A07<+wDh$`^3fdj@Mkm*jnU
zc^ghK!DOncLkT}YRruskFWjHpo>a55#>HB}v`}9|-&={E5%&tA4iV;5<d#o~%R&QO
zLgD0cf1Jy+9!uWpyY-;I$o|N>4)G|yu(47xFzx2k!Ev=H=}83;GrrR49<Rmnf2aP4
zfp2a2NYoHa6G6+$Ujz$5&;Cz75mX78Olo@|#Vcr0Gzp_69Tm?OsJwy@Vb6qI1w4lD
zx{=$I6lA|nsP^;M_WlO*OOL^`L7c!_?l-0LG!1Zw2Fw>5>$q9jb8n7n!8;t<P2;r;
z@IO2g`o%x@3L8TsTeTv`7qZw!(xMSpXWucpYq11D7Y{7!ERxVKueOko4<b>u4&%ho
z*(WYkas5uRsb_DJDpr7HU#H@!tCxXreSGf*>5lTVPkDe5!cuGTt5)p{>H-d5>`W(b
zotY?XGsP@=<X<mnpLiU_f$zxhns!w-S#aduQOm?<n7MK&np^(|28-r`wYa8<1TOV<
z^VX7lY*Y!>7U#`XUg`E&0in^<>FlU%&Zy)`ih`98a#Rj>T`4p;5l7>mo%?cQpU3z?
zuph~!f!FNwr9>e#xvB$*r>LlDr{2V5_x&LskV$_@x_^|T6^9OWN8Q|yPhgJL!IxoR
zv5zATZLl&!BGZqjqm6!eFwG1<`pnw6One&;)9WkUQ3ZCBQo6fZDW99DUM%XQ2yQIC
z7G~_zDkDd`1dzM;868j;7q}U9<j)tw0Uotk1s=c4nuZAdVz!FXz=!_5d#eUcZo0$?
z2(Of1HDOD3eTTZW+c2wuw&BO-inETBOfxY;S9)4jQ$iY*0XQumDezNJhNs`ANFJc_
zI;O~ps5wa~heqx)4!>sKTbzX{nT1#~zXDzZ!XgsWvea>!&kZP)fW;`+8D<h`=$R*=
zQ;&Md=q-d*D{zKItA!D=1IzZ`R7TCf8~B`?{-w4{I><z8);Em7h(1yi48<Aa@qEjn
zlAx1!3Ag=tky~crw(*l_63cS-=NmboPSE9Zb8XgT4(t8`cf^p$_{FJ_$W2{E#O>z%
zoRTPTR;_L0?RYm^r7Xo`9zmlWG@^I}XvuO7k?L`Y{01(_<tX5dk>%@#^>#$HiIODh
z#mGZR@a|Mx?+ts^fAQj)pi+5G6pcb67}QEIYJCk63{}Yd<<ijsR%3S}oa+jiHqdZ1
ztWhlpCSEDnIdU}q-&RO~Y<B%HC2)4(o}yX9?&*HmR~4j{07R7Tf%8wHKC8D=VcfL7
zMMWZ->`RCK-IGA3kpGUSf;hT8av#@HVt04e7uoYq0Jc~_vohd;Pwk}Loj}adeo64v
z2R-V7?m1{dhVWP|1_B<ZapgpIJ4&Evjqwyh<d)BsN5ZsUeP-(Bokhi^EOv_6$8(2d
z5A0XcKU~%$!37}WO^(Fa>*iiE>)b<E^%q4;3Z5S$1%XA-)JHkPRBKy5T|&s>PXA%6
z#$~=P!=)9-Gf1|fs+XIq5~bcIZaWd?q{T~2i0hE1a6NOc<W6n$gBlNwQR>iHM$p|?
zVuv_**_SU^g#>AlX6KMm4C*{K8*V->HmJ<$2z_4nSLI3sx<*vG*&I3kc40~Vu#1}B
zc(P<IK$mF(7RP}pWkuIsCbJEsJx<dmrE@t(pKiN`7|`M_QdsWat}u-MTSVkGWZ#x~
z^*{sm@hJxXxn}>SBQPX<S_S^{Cf8Q`oHdah)ebO6wR-?MnrRwEC$9b+(%X4zE`u%7
zg;~JT2#!MK{>$DA6};tIbB}FCstOKi4TFQSJ3FZ+v51#uL<tkD^U2<eG-C1}_gv=M
z-T4uuv<ueU<2vc7bwmXIWC)6Bg#p<7wU^gbs$;m$ndyQ0py^pvsf=P<07Y|}n{$Nw
z_-f6mppQC@ekV|v{iMP>R$$vO$U-p+c4$x%tlSZt2om2ms_QMi#NGpwcd{i7rT+F)
zgRn%B^t(jf*g@cCY6p%?e1Vo7>Ji1<XV*P&6)w|sLR+e2+_tXW66pE?&;$F>$qFL}
z{hSaBmd^fEwXS%*rsrTPln;E4w95ECAD$KECHa?bC1-pU3i&K}-cYSwky!L(2}^ho
z*<cK{1(|T?b(<;$21sXgDAdR*$Rj{=5ajOQ=Tu|^N*|;MD}L_%{C2ABxH_mBhe}D+
z!NE!vbeeXwTe$q?j!NoQwR78vaKu3kq|wxM?!igk4%P1T09PmY7sXN#b47vTHmY%q
zo&<{jomtR-6?uIktW-%%dERW@&2~Nu2ePCDsI|W7=L~r-M+_VT$?s-31M2L=dUzxF
zWO@16Ed$U*TA-D_qPDsmBwu#L^nVibYNnPjh5@_@dn>Zzmm-y(o;(z-^ae4h>(Ax#
z4$zEB<(w@gf;=A9aAGdepTr1dUQj$cbY@awxXwJsC8f346m$sCwAvGG`>E2U_1Kts
z9h}{$J3n0Jj7y8!qd+oZ%Vnc38@jN4)peVkQg38CivW?nQd9bV#4bb0CS|Z~df_|~
zAYvC=krsSOfA+YfYPebpBdR^xE;R&nmrrZZdAJ@Ez9K5T%=jn-p%D=`iJI_fh`7nQ
zsy4I~ua&nL0v~8>#XJ6LsTLo9i+ni@nubZPTEu=B(*FdT6b@Y<CPx8tC*B}rn4}~g
z!6<j;TO8w8VYvU($}gCc-E%KddESy%w&`cU#lng+l*V|Zoz4&LDkP3a)reod-j?+3
zhV04ql3vIYg|B$HZ^h#5oJ(}W$ugAjyxq5%BMOF(l!J__>sr3-0#&%FimC%f?W4p?
zwB2PU6tZ2T+WYOQ@ilcr&A!}~DjO4i)t%1T$_5-72EB;j4QE%lmldN;fSZ>~M4Mo+
zcRek-UZDd974ov7axEM8Cc6cVR%;`228YyI<0ii}VCCl^4;SukhSuUaZotg~@GN*0
zLnqVJWQGZpLyIiT3iuGAyStassvAYJE9RhnNtO_$dYGF@X!9rvP)lq30Qwo7O&poY
zN{)AS*N=b5Tq^Kld%dC>Ip231zvo7rOe&-V<)fWWZPo`2^;X1erD$8S(Ez#Uul#J~
zGnBy5{^%Vb7ViF$QN8OV7B#B*mW#!%<aasRq|E%cvba_U!I5SWtiIU=pQZr;&M8KS
zPZp2@c=|!Q32XADMx;J`^{0{hjK8Rz+l6RA%B6a<|0-OdhV_%NDoj6u@m#IP%yYPX
z)cHAYLvXYGDoMyta`W%lmdrM2>}l=xFs!DhUM!-JwZhRqUdtv-**O3PcBI_%kB0l<
z^b}}naUFvZ`<!*z!;m#X=3DgUvP_1SHb4%IR#V<8x5<*M6mfU(im70;fUNkOX{_}n
z+<4Lu@=0LQkZ;aHuKqg8rmx(b=Xo&0<`UL~r)Lp%X@CyjZxhi**M{n|=3g-<xfU*T
zMI9$lq_45Q(<Ox1%D2dJ1mPe5IR%a0z(N`<58j%Nf?QJP$iKE}SCe9PRY4ZHW!XY5
z=FmtVNM0MZu?6Ln0KOBY8^6nzo=$VlwLOv^KL{bWi8u+8W_Yr^pwxHvwN`&Lf$;o#
zrS<ejpwKJByse>6R|wRKC|MIq8))S+Gdi3Djh;C4H0AStT!arSuPKLz7hZLeU9hC{
zZ^xHSZ+``y>0Ee^`Dep^xcX}&-%t9-gP|(Q%Gg_<5bxAs9rP7tqq3rcPjyP=k5Cx4
zmab_fp`TSHI~A;O?^aUKPaZnVkyhMwtec2Itz~;Jn!7uktaf?=7#gI>1cssu-;;Kv
z`nntdr`g34!}udXFXl>jTD=&}yVDB^c2g6fKjrW9b4RtcKWLH`qa9TGp}6!Ytr)|q
zm0Q83>H0NNcauhX_Xfk$Acg(O@MKXs42>0I8g5!bfNVc*&uQ3UB$l5-x4Yxsf!8^r
zXiyM&D_WNmNwup?vk@c|(94o~<Z}KO_)3#hp;t}E6eVm1CMV&dVAUJH)5|SF;y+S#
zB6ZXfKZit?Iyv-p$4xdx#9m{B6V}ro$@h?)v}3zCQuSF}_W0GYys%(xPq%wSz+U-f
zvBIH{-NBYJ9P=FOAb~Yan~6&UGdG7kRx@xcU)>MH71QYXpFs8fggiiAQx~llS2}*x
ziJqR#E7SS5SCbbi)6+waaBQ0wmB#MUUDwBB2UR7VrBMhAYR=O$idqyKp4h5wIESZH
z@BT=jV%ZeN1wHyy@9YYuV8^m_-X^tgPL&qqx>#3hN9jWH`Qibta277h_A06Mo(yLl
zr8g^@(YX@qSe$xc{46Cmq(!yhSZ`qSLGS=79W*Pl-jS6)+YGf-SSJ7gpSE1i0fcJy
zPvhoQUa97v-R%o1$DM}NYe@`<wi*Z3^m%vWZA0IgrfB#!RLCSB2M<t<Q)g1V3`Uu1
zc;!{K8ZN+@+Obdld-sL?o5)VpMJUFp8dsXMs2mDX8Jz>uXBu`DdT#N@=>to*71D)#
z<|<|s6;2@_Gi@&bKHTYG^bbajNP6W85$B7RvE`Y^L`T5sY2zJ2Ei;7WmO$(d8vxu6
zSO`@~^92+{`hxJe8r-C{Rgy=<2#1)$lG{9ExtiFB;C7^oUNSE%7<CYzCk(B@SBMzt
zVG_trMi}67O=gr%PlH9muix4KV@n9=3%>wA9xkb3Llog-J#7bB`o6>(Hs0tq+=FH$
zgSK#T*S7b_$+>g>Ntj9-pnJ;&bzC+KNK{QB9~n|iWYKA3n@Ku%jCDY#;p5-EQ-+cV
z$`{t+&T<wi$mN|_`1Wz3^&G1BL{eK%wnzK1_xa$XCVx2soFuGJ8tlX>b}=hr=_i!g
z_u@ZtWMkS{!>wz{xAfC($fdw9IiM7=&}1RI>uB(nHTrqnLD9Yg`t^Xv-W30L;)qAM
z(yaK!D%4=|a^EN{jXkly{e`#t`tSk$^wu`M^m6AJC~-$nIm=+h-m^jnFEcgXdz=K~
z3k#QyfHYHuZ_M9m`R^ZsC%=IhBE#)wNA)}E-%n%-M=zkcXFB4-pCDlI$;LkfRzeGy
z%j$jYY74EcimCY&WTuevFtm>2B|Q;gPW}^(W=ITZN=X>)hty|9KD380)lHOfPn*%O
zF_HWDf9C@IFNmnP$#@{fK!UC)BhGMl@eIc9cS4N6{cV6(69$2IC$i7)I8|kBvYB=l
z(DS7Zrle8w<?W?Jg%Yb<dG#G<)~BOuQH}H{<Nb@y_(sdkE-s5XUIb72r<nqV&`~W`
z)Z0M4C!|!PM`lw*eq!&RZ@FC;>WAc}q6K-FMPSC(J<kMD!q<bGE1rBNYN~2JO)vKU
zm7ADT6Ok?evIi!ykgu<=E!^MQvDOga`*W_eF__o;LCOSedpW8AQ@F|4c46JfVx&Jf
z9gp^-8&yRgYx)!(P)K=RA${iJ9(sn1v(%7+nVG-wceiI@rLG7`{`H{A{+t7EK*;1l
zRz>cXg#6yl@Yyjo!zRn{tglc`OTX_xSm@5WS0qpCtE(mG^I9_J4x`?Stb3=@H#nDJ
z89$zJaY<klaOj_}bGm+_i2yw`KJ3Xee5J|Rl)35xm-MedudY7>#fQ}7TkM+D!4{8B
z40vc>*HA}f&fB`<jN@$>+tcUdn#JSF=M{(`JHDNlmhL{9MlxWhot2cwQf*3>S`AYJ
z2j%+UG@JRU@dA4m`LF2A6iIEF;`FxxAk_t2@%qvj*ct+#`do#apjk0=q)*VOijaTc
z>{XfeU)|H#g<}qt{RQDI(hYIDe#i9N)`SrXYT{Zsi?n!X^8*KUqwm^rTWmB;ne<LA
z<P%!Myo9*cAR^$Jj&)Yp&x;TL!(^NvxH@w2ZTM%eeOHhB+@66D4V;;M<V;M}c*`;x
z`xx=#DA9bXrz8$sFJHeWA?f1GU~u%v(mF>|-gmYrWdDe79EQN43oozn(wwD1gD|b0
z-P1Om&sILh$rj8GMhX(%t)h=StTwqI4u3o|EjBF43KNh@WB@kHY$Pw1E_q)f%o^{^
zh;cMKT)I7s@bOR%yBz_YH=z|nQ@Av1>sx!MFGn_+pF6taftioO5_+TfpoFvJr(=nj
zOKgmxHcOb@24V3&dAghsQQNN)W2G6nosW~Ij<aM+B?5{94SWZl1VNw+U_pHHNz{7O
z3!CZ6ULTecrP2WQzp1YF<uL{oKf=RS@0s7uV`bpTylf^jJOOipplf&NB_`0;R109`
zmqX&BY1v!)L})u=SsUmfWP3)!*x+4iy-AUg6E9e&%mPo*2WnO)YM5&~sk>lgB{lB)
zt;Wpsir*piFjz;?Gp1VIds#DFH`U%^JRwhF=uPXQM$W)UZg@saxNe;ydr0$<F!e%?
z7zdg>+RXZ<1Dstlso1eB#YW9ex!+5yisiPHY}At*m_MHX{m+31zwu4VFiw<DIv#{&
z)-md~Us=^N>!btm{d*qXgOC9>ONLynhWR{ik*=2)&AqHgtk3uy#1(=amqbjG9>Zk&
zpIG2m+2DW=FH?5pWm62n6uDY!+!Cp;YHn*oglUq!5ImFKc7Wy5oC{@2sKDDW2PoOq
z0UJL-7w&=efZe4V+}VHh*RbanLiC#7xU}gP!sl+VQ)n)aP)oiVTf%s;FA~FJ?MV8f
zrvDh^H|DkUcr2UyZ4F>ZnN6OfVIhRvu55&CHK=rhi(I}pLeW-JKK}D)$wZ1IyLgKw
zsN3AdNq)hvCz+ux{7RY(UpJtAWZU3tP2Sn;5ESH`Tt-TVS+=#7vW2^xmV9jQfu2S7
zxb9SSUR20q<Xq)irC&**0>cu$>ops26GPSr?W*w)E~yMu(WTVs&N)MJ1wSR_5JHnf
z<dMw%e!iOaOTQn0v4W@#OJ!v$i1P%7u4TrAjya2wy+TU+ZZ_1&MMRBmLJ?BT)AO2m
zl{~x6$f+CZ=$6AQb|RhpDI}#jXA08r0uLzZ`3{s<eI=rp{P7$#!k2wxiq2GmnTBE8
zT&3J<Ug1=jR{|(D+%4wBgfTJiQ^6Vz;gr(ca=Q2OTCQ|JG;Tkz9LncRg$~_-RE^M=
zN&o#)1wton_F*KA8H*5`DYV2v0xNG`mKnY2A`oTMjjwy%ib$Q!oH;a}nTpN$Nu%$f
z0%y5d`$Pue0t5ZZ42fr3)U=w!T*U9!IW$ECM{Ow$m#<@B6R<B-E4WKVVX(n>aM!&#
zl}HOiN?)lF|K7FTeywn%QPs^c{d!|tPx~Z}@yhSlCz#aBKYE{6_nVV%z$TkjF_Ikq
zo;v|Gxj`9VbW<8>f`LdW&-&>IOoXjOKW-rhd)y}ZKOW>TYFN*72b<N*a(HBK?C^bd
z)}@GJ$UDq5M`|QSR2^SR;HOO2#1nNKx|AyfA4RKuzK4mm3B?l9aTdl?EibxePn3cL
zQf~6x4XOzt>e;gXgWhYedrLR;{ceP>T8}qY*tvbrDo04bI26BPqgbw`!yZw#rP9~3
z=rq-EyIXtbWn5(){C#J%(VF6gC2n~V06G{!Pf6t;CRi-xFAO#Vm?02WD-4=9BRkSl
zShRwVmnH<;HM)viCL%Z4SJY5-TppIc83EkWHqAq9%RT}IJcJ!+5%RKQ)mIS!NZ0D-
zj*#&9X5L@a*8JMrNstw*fHmj|B^H{8jZf@bD!&UsNdRu4`HxsmK8w3jz>2;Yz~O|j
zav}Ph2d_^{0(aI9l6GdeKK9t--fi^oN407yQ?MGzh-?v(E>@(Yl8=X^^^%yLbui1u
z+#3wl;z&UwJ^suBE|Q|4MZ*YZiCI82)zp5{yCYIr(xl$WU0FK?GJ_3{svUDldtz!j
z9$}TwVBy~F0h9xLASX@QQDL<i|B<%-;GFAwM6Bam4v9WE-xK2#Mg;W|#d#uJLF64@
z1=oI5y$i>ay}D2gc-Fz=2B9hHLuu*>W$gQCeTbrIM~Npp%O6PL0_fskiC->r7y?a|
z@ACDOz$H$3T73P`0$|LNGg=hrH;PWz^s*}gp(bU)@uR9zQEW+(+|{k&#t~GqLU8+=
zAi8lkB!mP!u<UW%yzp$qR49%AOQx(yGKnLmt%Lg|!kHV9j`HXku9U7czXA*;eld#C
z+5J>nCu4QH&(6(-bkZ!dw5C!ko;}s=e1YkYwHBW=k`rBhBMc+ihxx-~VNxaX(yOUG
zBQ%C+fH9t4E%gkSS)!(6@JGs=d(v#y9?t`9zzp-F@5vixP(mUe-z}(i5FI^HDR6RQ
zin^v2l0Gsq2hW3AZ9+ofEW=k~+?mP$)SZ`7hGPkj>RgX~#bIyh-O2OK(0a5?@Qw|a
z7-GjDUbDJU*2uR-0R#Do5!ZCaqB=_qi`_~}7h<$`VzP#yK-{rE*SwICw%hCX?v`@(
zyN!zt>J&!feygwbIz|DS%Rld+_1S;9vn-|xtObo_@llswQMee5<z3cj_!q7-Z?Wfj
z_1d0B#$I*20MqayUGm{@xCT>dTEyL>29aJ;Yjf;ZEcU28T(s;Huo?A`I!9I&MazlM
zxHBY6SjE)Yc?hu8mnr#Ph&er*6=)(7)x#OgeESG591PXaz>Z6OQ%gGm^=X@58Y@Y&
zsp0_W6k?n{J~q;NjH53`f=F<t#gK`2OO#DgM@531B`vuX$^SBVCKwi#<R;OX#7FLT
z5$Y^!QNgD6;rTeMq+QPJXAGjBD@moA{bu?oV1B~ZMOw_Ei+fx}1`D7l5Z<3!yw5!L
z#nSPBO<$j^m7o&}SWvaTq{t1GRq>L$LkmSfu+TDeIVBy~;rYr)Z+Xe#IDoW_d3uXs
zmCx9-4X2v+74JTlkD`#xgz-Y1c85<KB#*u*hpg07%M8(K*J}QCkT1s!RKxZe6(|eh
zazKa&-E<5VjW`jh6^iT#usDnh?<9MKne_T*@~C~=28*hz!52qlcu<#)Kx-|@lqIY$
zgH2>r8BPfkZ$7~7kX+QPjd07Sg>0*H!t>_)EH-f9jL@0<Vl7~9MNdYWN)ta6c#6-B
z>yp*FSj6xTh@ld21sqUQJ?Yfoku}9hAEjk$UIqvWI)vtGz;sN4i7|R9k!c8p_NIhc
zWf(V+<%Tk=)GoRKBeWeBD&L#IG$v++O6wn(b+wf8Ysna(?K;DSEI%_J4*QfN*n7@d
z=R>aa51<3QLCh=~55c@1Ot07sA`dWUc7u6_6HOaTmDfZrW+{z@n91uat0oxee$Ls6
W>NVH{V)W4?e1tTT46D150a&{GU%P$)

literal 9449
zcmV<FBo^BMM@dveQdv+`0K7p{mWT;R5~nKdIyX29<RUtzw0rn68qGHF3#Qh7I2c@P
z&E#)rwQZG?H(lr?-GyNi&(2(CJg2V3s*n5i{JRf#3)gjl47-;?;>~88OtZM6dXb+Y
zdFT?az5&x0w)0E0|J@1}V&kb=&^s&^$82=b+?5&yk1`@BIk4+S=`k9zRAXkvY`G=0
zSa&q1c^o4$hD}v_5!>|Rd`a`eVG_XND`+7T%qZ3QPNO+Z*BnDcg)zpY!9zwwdg_SX
zpWW={!TKhTrj%Gg3a(M~ST5Z>nYgG=!GBZk(}NuIm*(q7tGrIhj~bM5T3(vv=$?^{
zqI%}|sIsgKrff!@r>v0M|IFh~%@*2)icP39L$mXDMuQp3*J({VMzi@jJ5{!=E)xD<
zXzr3^@{$S0%XDwe8<J|Lb~WLG;&-ejCms6>4mNmYH!v@4Yt)|-w(?>y5=R~!v|!^0
zZm?Ax5YqA*Bstv8XfZJ9Tlqp!)vgu-BlEA2Z}Z0}djE_LMCNa2laEpYjad9f@Lpj(
zr}gAz^9#C>M^q#&oaC=s39&G8ipWj|Nou3pH%(S~<N#&?GWh3}WLm16L~rC6PE?ia
zJ4AFM00-}cz;I?yMoA)souozg2cC0yz5GNeHQIgE2HLw-Bmyk<O3kJ$4MDr1)g4>3
zjPbsJb4My-qrmW9f=VsBh&Q_3wv@}VkXlHQYIzu4<7F~IA4hC)!ONtg;v>n~A_*R9
z%G?FP0P<g~t`PSKoEZP9>M{t%SgOm|t(8}0cL5>yj&=~GS8%Acj9gWlvKlFXznWoT
z>s7xIET~3H>&}cyyX^Q~2cv_;4=zWR)9FhR18U6&MD#YN-PQ@b24;IzqNd^&JE#Hj
z!l=2>lo-S{;5W}Ic+4!BS%%_p4iw94Z89vuMU1{*o)Ek&0580F*YeE%#BGi5yGa><
za<?%d#E-vqytC)ALgHhsbUtae+!|>ij)Gf<vgs*bh5>HSlut5Yw{GtwPsYkfTKub#
zXF}*8Y@z<By<Tz#G^5y#VOEpaK74Qvd$^T)mL&gI)DzOU&%D0RD1L#qY>`4$xae(s
zeD_|_t7vQlzIf1L=ZSHa8N3n084Ghm{#=UNL}W#rGv#&MYv3y{>V~lr@Z<mFD|Kpv
zH}F%IUuNVB^sv)@13B>c02|zB<~=V6e-HC0G^#OBr9)ax_12<4%)Sr1jsak(@$ufS
zUuzM4p2q6rc4}W1|F6RNy|HkI!z4}{If@=<W7&EPk27knhZG6y$<h(MJRaH3H!M>t
zv4YcV*+(t26dHWJFO?@-U>P@ZHU36Bsc>du4j(D#d;bP-X?t*=TN;F}J+dZo$0eV{
zgP(5l324*%5ST0XD8-&E@L(U(I&l!M^_Dfhpe1;t`kg+pl}kEiNztlfp<o60AV4VF
z8Ra+&4e~(r-aO<4P_Zhc=It(|Y^2imHM>=Xw#m?)qVXv87bMWl9E_A14|$H2AQci_
z&Iq^BPV@IdQtp9`?-2zqZOVRvynTsOTL#17nC;*9WXtenKlhKe+Om&?0poD3JjvNS
zP=1#zChdqRlpxxiC^U*d4^S~MyA)Qaa+GJKf;?8Vb;nQ0Dt|A+<j<h6G0r3p2adv8
z0_V7Kv?xA$R#}h+EtFnVW;Axo!#wgP*FYK#8Xg3h>~z8kLF2i6t(S!W+fHkSlGiPM
z$(*NN11kUhOSaUGY)1wJfM_)9O-Xk}8NO6=n9PI^P))lvVD*4rGw^sgecv^X=b!9!
zesA2MhG2h9Vq6iejB?Lrj?rzfVLT`?-r#qY{|1B6-T!=bEe>_Zm96Z?I&vJ2iLHK3
zM04;hmk+480cRDEu9q#cN%E%U;56wvLU*tzfSFo3AoN0jhyhTv<>$OoTIb0Jv<x&o
zmS0(V05y_znk2CTb76V|P3zbh%(S1gJ8CXMm9Sz3*|-Kr@g3Dq$9gpzhh&xgTTiRd
z%JTp=pg^ekWUlYMz|cv}j&G*<rk~hBixtGw_eRmgmv-@J8N1o9ZDz9EdBS)Brx)8w
z`co5(IDB=?^h?(A?(Gha^Y4H+KMSG^<X3Z3ZE|de!(0KO@Djr8j)ST%_v>sVI-bCQ
z%e!rH5-TyzaDE-wrk=iwcuM%1N`;3hWORo=M;oDl(xAU;KOfi?g*{yHrMiWVEV@dL
zT7WIDfe8PlqDbstxK;XO<wO<ER5Kbny7dhB%mQh3iqsqQshV3RBt3`QAA1K|i8aPU
z+N|><rQL32dfzn+wK9J?0eT2sbw%t;CZ^Fhd4_mZVYIf`#t(cWwR=_wwmHeEi1fd<
z2dRW{t1+vv`_tw(B{<<yj5M$_2iGp_xPpCF8JhuD+~goJhv)ctb{}qLLUiUC$AKVN
zy3=;W0fTYnGt)Yy<1E)AkMDWreGFV<q}YpjU+9c0zOp}Nvl(2CC`GrPtpA%E;tB1_
zS>U)uu{ae}yZ=8bKRxg0NI!-vS|jq<Sf}-msjvqyOSdZKjKEjoQGd`5i-DqLhkZhi
zC>$B>uosB52aANr8ccHCiruDqhFV~|B#`JVyoAJsvlU?|&#o5uUu<LaY0#L@F=kvw
z<h^abb5hsrQs(CBeJ^y%)s{}+LAgQ9Wrg+|PFU8a{o99&UdDhM;v^QsAvX<t$URXq
zLmJ)33TV5agKW-Uu+FD*rE(bh7N0!-uy(T%E`;WWoOd5_&!%6$FiaH+rh|qJ37XIG
z8+=%eNtxUQ4$PaN!me1+z^wqM9F}2Dex&Z&=a~j3Q|qI8+3N`@v+Z^&GynSdT3aI*
zV#gZ=N%!|z4T*ER(VQL{dLKlCvP#trR^$*)5_}5somSG_2C8XtY=*x7Ar#<Qk&MC9
zhj~pj4Dy3y9vS^csCScN2Ipiv_^#-l$T4%lEF`0EZFa}PPn?&0Fm1~{zcq*3kkHQz
zs!LqN)oxAla_=;|7g(+)3lpI$6w1QarG%84YzjB<M<`$$9AF~e1AbvANV^kmK=vz7
zfgY__$LoKzQ9r4!IV34lm!w+J3V+!W@<A&~bP6gn&TIi^d;RkoZ61plKDpD1OzI@Q
zMBnD1E;4j)S!%seodV!PO{FchG?5d}-ua$FZNXJw`m)6@=2m{F7b+rcD$d~UjAyG>
zlk3?@g%fQp`iv=74*p>;J<e*76n6yI+aH|0cw`chrLw&_v=(N8dwLv$GNn-#mWjJE
za7x7~R!r@MdCCu3xy);2itn3nHAejQX}^4nmU*{&URKTG6=AVhoygvAqD;4y+KVO7
zsz8&#ZoU=y#HuvL&h@lPqVHxBk*zxqP#WMpW}j;AOUD-QJ5VZE&oN)Z>10)CUOP-~
z*eC=Kn{>+VsU`8~zBu0*ObY9!Z$M!NZ!2NU7MIkuziNQkoH(O=ajMxDg+~zO&Yu-<
z3pX$2t@TC>7+S0E>nlBTg#2PQX%v8zga6V~Q%U;5_YgEgqy2EoaV%#=X}QLJa=*>o
z%{!*ZLmhz1e-*`mNxo*Wh&4HvV}$^#Ds8CXFZ<s!VNX%eWTfCc?9Id?NiM9q;w&*h
zrs-Rr_f#{>*KRx!?rbdB?U8TZWE|r#a7n57nFk|6rX}JFbg7A2>@DOaSrs(7v7~;_
zje)6NL!L-OX@i7jT(kseGqY+Fyj)RxS&f(oy}VGaT0FLSjak(ObQG96Gj}fe?`ja@
zyzzs)h1O2wU^wUs*IgU$`7#p59rGszu4N;{sM*kW7u;9cZ;Y^Q4tjmaRe#c2*lDa3
zSs!&+qlE7SvoV~}SY9{USEhr;wqqmTpYUc!!Ka~_PF@jD;zQU>B6X1RX3BfT4p14-
zsMF{CH#)hS*!rh##nZ-PzHEWN$u>Dq8i7y`?%;0Lrw<|&*ld9_&VzG`d*7S0lSt}K
zB9FgqC2U#UT8P6?3$Gu?yH$zh$=5gX(A7QBYFTZnsgM$p$iC5?q%Z|xRssBHJ|{}{
z`FMa;AF=Ayz^50Qz_S4h2P7@EOvG~e@n5V+e8pwWsZ=`FXda@p^kzR#-NS$~_1)Y&
z4NrlOh3Tr(9k^9O%yy=a{vtOgG7zV=jhj{#D#t}58)$*XLrog#d?33m4#~+-HRiaT
zz&nL7wAgPRe_U+eB1W_9!jnjbw1hEAFoBdC@tX4~i&!*!RdGC!Cgy6%r6M#dulubN
zj4DUg;Mnm&pan;#Rly(I7UzitH(*=mdtrWX+?MWrN9d|_WyeJ+9fsag1|#!;%i!x+
z*9T7f6INrYE!e6+^1;X|u?Q&_nKdyZ<gVn|O+5lc4L+WnWgRG3<YAfb5QJN`edAPQ
z(HL}Q!L`mW1)a9|HYRw3WegE2Q#4}Fn^27Yr_EVP+Kv3&eu$IB<bs5Na62{kpB0~=
zP9uPdM>YTIy+H&aZGJnq@BRuMV;#^r41ggU>D@#$p}8y(9qS-J-tC%qGIkxuoCqtg
zh%z`|k;NP(J!#BkrT450O#rMpP~~ozk{hT3$y8s>l0n+LXX)4DB60^|&gy<0^P+Gg
zIWjM#rw_8Df(!z$M>HE^LkZ|3Vgq2Fqgpn+dI}}t;;s0LPUNNS0HHcWkz^^h&jYTZ
z3{l9m3zgLbpNtM%q)?cLD$s&&2{iF%_7|H1wsW=%7AR6#?)Eq#kn%8o!J~{@*j?F;
zij%xk5ay*y2chyt!B@jO@H|Z}{He1ZZg)w1?;(_i3y&(O#cD;Ayzw&e1r_Jpa~u;n
zhSY|Stm({gbQV{ygIBV}kOo4Z2Zi>UCP~6qMqJrcodb+O;z0H10^ozTg55R$1iC$5
zmnl}g?g@0HYFoc!T3_+H-yT_CNU0jG?@>GA>Y=n;#)BFEw0<KLvDmIwWPR!8#p>9$
zv6$QMbVaJ5raOOxPv}?|s&$};viiNWYjuh;BLmiMCsDVpoH>jp>Rj4BYkK8Z1P#U`
zmZ{TuJ_!VSm5wAJYC9x&oY%CU#kd&l-kZ3Or{m}0)C;kybYVlpPdVg32mI>@Q)nM(
zq)tx%_2m6snvCmBwZgIr`jKVq7MG=Vew9q6@s0l-<0fGAK1^Gx@L|m2O%m}zR#+%a
z%YFHX#R)+7WN#evX$~?fmc~b~lvI_VOy=h8G&M>XLgIS;w?_x^Dps;XQP(M4BdTD-
zT_!6#HTX4h$tw3{wWTF=dDE9SjE*cue^Otn45XXyJJiAD0uRzq9V178Gdk=Cd2d`>
z@9c&AGP7{?MR(m4*M~AKULGsmAb+@(yjimTk4@*B)!HDWAy*`cdiNhD*J<r|n-O0a
z*}VhP03HS0T>Mi;SEo&<3d6~W1m8NF_A<`Cz~eZgSIJw|4YW;&fe<h>P=hYTv+7c&
z5KzJD#&Jagz@4|d)n#zZgzPBbS{#aGpk-)tGg=WWsj%gE$4i2A{H^>~xJ`VlkWz;j
zmzW|)|HDq5jAmFmk4Dke9AuKJo#(`mvDrnB`~MEEXg*#yV+W*~pC<w?Abp|#sk7X*
zn|~L#WQ?WCxeL6M{LRj492N_FxmUnKh_Am&du*&}%o+b3Ec<cIlua16U}{YN+iaIB
zw!P&60Ku}Nj=w(a&YSK%<ytE`1IpCkT*yqmil6>qpUDN?u2ILAJ(2#(F$Aix2;06(
zfB)~8m|}bz`$i88S3v{+OmB3m!H&g1tcI`OMubIO1PLx#qlXB{_^|#9fhn%!bqGGm
z)(wM9K5}P47H3fulwda6C>^`HOy@5_tfUGzixu}F(K=0}uj0(x#f_w~-3qTJ7HX%6
z$^T87WY{5%b)-*zoTFanW7MS)&Pd9UR3);%a(YPJ1KlwxsAl6wobQHxw!;oIB}OEO
zZyyNk4M)0+!w^#rCTu6qVRc`h_IKOshRrIV_=#s7y8^a*N?or*+ZZSQ>E>;qqiZD&
z=Zk^7wpEEQ7(20I0K;|*-w%u5cP<oXD1rOz%bFJ`RJS(3B$6aAc3-onk9?r=YUYzM
zGH<i6Veo=_KFV#64@e*7$h3Eu!z$c=oE&HKqQf!4;&V&+;Mc-am4^YSzHlZO8b!HT
zte^PchxZY8*{N3!6n7&3iQPxZdEZqGWCgZ1Ln@Xzo5$tf7_QWJ;khNOm{RW_&PPAJ
zO{LT->@QX>i3;ak(RV@J%xP&LJgT7EItNZ+8_E&Dmncx_Ak5o?SwQ5EEirzoKNQr9
zWVVyH4D$gG_xB>djHv1RS2t&M0eACDj^A@4u!yuwA{o!;Gl+oPQYUBmE_qZx!!2wB
z(9YKei=-<#KGpWj`tZQ5^jM)JEbZ9+i=;Zc%%+~f1im#OiMXh^O&*Pk_A5g3`d*NG
zczGrN`T@Wk0z&rwa@ILet5F(ej}HHpz2}c~$ze(Hn$eA{fP(yvi9>t7;~VXz%ASTC
zPE_9-Q^P*%aB;BSj~8L|_B{sGb%^SFkpK--3`*5|>eeAX#Re-J$SswGd6JB|C)K&{
zB)7--S|-W<u{ZEFYgInf)Yew~R4R(f#9CjOR4U4cYT$zgkbv7aB24B8YD~M>l<64=
z9bRTGcB=!{8~O9(1GcfAhRxnAh4F<Q8_yi;P{7(8%kqRPf#$--I6IDhiavH*Z?aC)
zZzm0Y4fp)Tk>L4t@AbN%75Iz0W#~QWuJ+d38~Pa)z#hAyxZGq8%piap{|ENeb!kT^
z|7*htTY6nFOmn=Hk&#baUHDc^W69xG2mBISy&r-h6{Atp+IF6ya5j^G`5YqxWqg6=
zLzj;ROabfMlnEf2*;4w%`;J}-_;9b^H+W221iFet2?z?I^i2|IBvXEnd711VbeW9Z
zyBe$X@b<3T`gdOa7FbQgb@F7)=Y#Ax6g-)PuHrMV*QAZP?E`pv4g8>99cb}b-;QYa
z-{O)Mk*D<BBfwtG%4ks<>TPhY)2<@0aE}e9Q!=wb^Y<&+T?0MHC?bjX0WKEk%UnB?
zi65mD?I|BzwP~1ZD`9^ny#nZg3K`VxK<XbV33jGBbmhXQv>1DbAa*&q0Jk+17)DfV
z?2gTII?(fvU^JOIj_c4B5>e;%#kvrMO|AB;bC#~H7+9>rdPvmD8xr9ijPv!?WeJgU
zaHtjAG?()$r~!8Na-8hGbA_~zzMz%mGk3$p6P2@smboE+4{2_I>1|@+J@)GtTi+gF
zwwuvr9M%@Ic8Yn9`0q91bVAyyhxKNX68sSvFOpW2SwdLckzFMtO-!=KSblJ|4R=15
z*vIGE?wLVj4u5?ds|U@f9+E5%9rX2uQB7Vz@g?B=En6Qb27{!VN`qo6r?FMV_hGtF
z^)Q}yX=_Hv2kdbpU9fV!;Y-_~7TZR97zYPC7i!|05H`8@<~LF&fiSr>i+hr)1r`_1
z5mk>gtKaQPH~lEyDPi~!75el-4D>mz4^s~>We;Yb)WU)HoRvLxRHT_{#neS_9gR1S
zS&Z=HUWTw^ea+13(k<|l5e0nX>8!{w1dro^%RGbG7S4NiZv21#t?YHtTe4K~R2WSF
z{><)l`;<2&gaVA@Qq}Y6Ft5=IyQ8*h+2;$PvO+D>n3rl~jL;RjY0+2XG(_;tu{^YT
z!1w#KG;rVyaW!MjDe@ew5Iko2?LQJbjA6;>5qO+Z>&?d2qi=ZHgqrJ;4Q+LTqO8Dw
z^j-w0#$}pdT?Z{N9G(i-dv9aMn|Fp6v&0R9k)*3HjkW-k6l8obhMgw#%Lbj&HqHmy
z-uH;Via5jb)NrF{A@%yxnI<>Uu(M!cIDNWVNgWa3y|=FC-ZKsS)gXFGoKkPB`X)zS
z8le4?Q?<2?tw}h?BTTiYCuf$`JeG65#EXo+-BA95E>R2YBSyx3n@_U*v_YqRXJGB?
ztP!zO=1v}2MwmOt!2V_3Q&mHf+W|tM&I#C;`=uM>|5<QJ-|rb~cVoa8!J3`7=2g%0
znoL9G;7f3YR51m<PtLF}<>S_I4zOnhcIU#Z#z-F!SJ>zJRi|VeQu1F9-Lnib<OW$a
z7oc)cSWKN>tHJyv(TN!vf?&ccDViUU$y7I{%f6wA2tsg&7FK@2f8WtAUD<E2+J><5
zZO{s}(eD>dBcZy^!A%sqiy^FjUWt`2e1&8MH|+|pnYo!+Q0-*(PE=o4HA817CM$2*
z^BmwqUu{%4>Q-qyzGgi$aw9sD*5=)#Z{2_1<{d29{Y5CpV>D*I$nsEfl^I>-6W2t|
zTjM_e0r^|g_L9t?ol_)Y<$&ZF-nmO8dHdGb9r78+%@9>rhQYzi#i#L!6miN@!Rm-@
z6w!p%T^FRCK4!6^>P39rA4WXFV16_=x;ZzlZqX1V0=lW+!NR}4;Mu+Bl=i@d8k4+7
zpg67(d>moAlffepP2oA)mef@bLGYJF#;rERaKRe>nP;WjRc{d#ZGo?5MZ#kcDxDr+
zokUtnZWtHy70LJX+6_9#34S)o&<nAaL493I)5Up_+Oq$@dk@-BwT_pO<-h6zKtBbj
zS0;xX_v&oQ0)$VaB4CRh!iZS7{jsnML4q2+EqT?I8T={vsBQatM8j05Nu&LZ7uqlj
zWP6%fwRdDEum6U$)Lc$u{F+w7;n|uib=wZig<1IzWe2+tH~&Q2+OhsQEDF^Fp!yB`
z^nY@M+l@3;Hax5179H7+aZu@;{`HarwpUcKJUirlfIa0c0xkUCt@MJiv11{br8~Q&
zNhcwR(3|B}wYsTWB8TP<iCc!zFkpE}^oz}CRI(>1s%LQP=zF+$@tFgYknAGnz{M;g
zJ<`P!;s3*u213>zo?&M9Sz8-e1szX}l*crdj$OuBVDaQ?X5h5sXfrZS&Z7-^v(Ch4
zN5u^v?U(iw+jB=h;Y3@QAg|SpRf?30hyI6TO7Mc%^bcqFk$*@weM0=|M|M}%3@nk1
zBRt5gN9qkZ3o+n?8q#|1OMTU3(5YA>p5hOlMp-;oO&uEz7(P_`Iq0Qqf|Jd%qDKdm
zi6Ck`5kP-XkF%{2yfS|<OTE9_;n__eo%`H(wB3iclm_W$SsYYpFzd;3Dv*3+DI`=t
zvVlH}9@FF6k+_T#LPuAVD5+#Y7m6Ff_XUMV{Dx{?Xww}JV}#b-ldHTX(m|y9=2%G-
zVt0r<dI(C&+pwBEAyG}4p90~pBsZdBg4tR41la;oBmIub+IqyH9Ywb2Bk}<5DAUug
zn$yJO`1?`-PTD80{{JW7BAJ<~=hrWSIxfG%b`uQSLqUH6wOSi}zVDMcG@SwE=bf8x
z;$^5j>smM`<m$7JDOQ^~nAHXd4M|(i)*bb5r7H5(qdXrV3i~4;XEIiL-mo=iguy)1
zG&`nPY2EWZbcDd3*=itkl*Ba$_mDCH>g4f=NRD2908du67UE{%4?w#e8t^!d?W}{=
zR@MquGy>pe%6Ll7Fy4{LnbSorQivuhiyV|J?GKiAL)Wh31E<@nGy2l2`2Hv*pP>S0
zHx+Ljse)*r!uR!q-U!yWtxkudpU;5#LhS{g&k-J+N4QW~b(zzs=ixiYYaY5N88oW0
zjNl62s9Z6$lV>DO2)M~{`|+;#FDaVM(S;k0%o32jzDar7ljZLrmYZnwYMqug{*&!*
zvksEkW6lHIszT^ISA)g_yROJ$e#Lo<_scRM9tv3r;{REK^6q^Ap0HoCq;$|4GykYY
zh;Iw!3<>)Ww;==VsIyG~rf&SMfno^^+GDpHnbR~*Li?rLFvm<~(NR)*@2b@ErAc;2
zq1QZBi^O(T^e91HEdj~C)JJP1)nUDzqsiar^Gt|<zhnx@uXJHJ2_I+w4M^ZnTJ{vs
zw+XY!fj_cW=-^S1({wJpG`d9btMYzB00AorogmBNi|81|6H1a`Z3f@>lFs>*m>0S+
ziKG_-tQYTDrKUP<MExJP@X!ExfN78svF-loklu2bvL4O2Oidy;y5my>{DdIKDdUvF
zmP2xw0jHL1YoI7ImeFCU+0o|W7}kNHrqcb0F~zP=!Ue32b{!PTFis1(B|fH&<xzO^
zTrY9?tDI6lqN7lWipOb=8~(H@5H``9>>dilqY4uq-n)U!oiar<snHM_q%!2UT8Y`B
zjg`787l3_5-O9P362JXn+u72?Wib&tMA3{{-v04HEiG}Sf6IspSBpb6h4#R*Tuule
zGG)2Q_6oT~h-ri2Gc3WujJA<Ajt>+2`C>VHOO^rE%ZvtmC3S22acj1aT?$_)0Kr^f
zqx9A6ee6!~RudHhR#Iesuy=?Z1#2-+@z1b?1{q9GjpqlxY*xYi<^kJxn%kyHJqvk7
zHSQ>{K{jgdl~R%{tl=?tz(}l(88_ho{8IJn&YG#`wDh6QGm0vBS(BUDEL!MGQb!0$
z-G-&icao4L?g#7UofG^W&GVNViCdN#L$Wb}p@|LgCH@;X05K_u?K2rCL$-p)lUvXj
znTQTx`t4Is@Jk*|*-7a^Njsu~({H&*>Exj>Hv^s5^tYpq!ua<q5-v`BZXZ(9h%Wua
zxaS)YJYeH(Dl|_cGTv!Ar!q2bqMn9f=)^{+PSA2vaw*3$;|F#gNmqMS!aerzX8rMW
zSU6FSaL^cyupZt~#n=&Tc(p3vV!ggG<th%j^l$~Jo=^Sh4QmnJnwcFVgDSCA;v3Iw
zF|5uLO{2T@>;-aPsZNgCdhy)B$*Frmc(#9i1MeU5^h_WO76-1aK^Q`AA;wf&-$#x;
z%y>gc`wKLopv2`_XPyK$rQMKD{>2m=|9*flr}c9t2Ti_@hBs6*UrsB63vr*$^FetF
zuum6)HgJL~e5fgvSz+FK>!zSo5{aJ?6UiW)7L{_k>0N8`ZtQpz)};I}9Lwy!hHxNx
zc3EDWHCXV8AA~16(wqwEQAK`ml*|5M46jssgt;;%M3SsgINJaRA2|4l)x)$Gy<h;N
zLaD1w<<t75iT^lFFQ<Eig>{PzRvdTax{#2JFJs@LsumHeIwiwlrdt!BZ;T|be!6M0
zNIzL~Q>;)5HZGJv*W>V2+e$|1X`DtIU4rXNGD?%QK?7+_0geOyk>J9|S~>Puk>%2|
zvTgJ@%}bi<Sm}EDy{{VYJ`DEMyV}`7dUoA>+hPc2C+2K!^9z$NMa+H>PhCK@!Gy;L
zFW9Y<Rc)3L$b-9psQZltX#Db(`B;hJn>y9{FEPRj&v+x>Kjj%1DLnNyBcRDj=_M4~
z=eCt~)cJ|!>*;~Vewcv|s|Wr`Mk^xTu3o4chy{Ujgwn2bg97>BNfc7X$1-Lz<ZqhP
zGyk?f8>w-yX2HFWql8k|x>JU~l_vn~|0Bk6%29N`DX*aJB+X}D5g>vC6m*wW$zMBt
zd4OlUGD(Id4irNi$rVc|<k1bY)S~YQ7=EQ!fkIJhr5?9H>ZQyxKwf$bBOaZYA#+s@
zRq|>s@rNdpqY$a40JmD0;dRh+q3MeN<cQq;?2ox=)6%hioT8QZk~u5TCV~0eyiXM#
z3cg$?j$TXMYiRm63a)UMjQ?+3Ac96ibE++3GxAa2X0<kdwHQvqo}KJRa=Zs<4}ikQ
z9#u2h4#zkPtX)B4>2CFFFT3~m-vTlGRp^ZUav19JV6o}wSC1RO^p&Sxw_5d@?L~SP
z!tJ#IVIFgMpO?96hK;oi3_}%;bL2OEi!pZ$fTE!kL{sfVqjj>ifeRC?(QyzhXCj%@
zdv+et0@30D+g|W2v}bpgy?=@IPr*+a9y2u7(K>;HU4DY7T!<p;-JzYOdt>&Q)RtX}
z6T6m6LIf+Cx!qC|{hoxH@sRo8#X~K1GToYaEOOe(64XEgX8gY%-!Hhaom8aD^v4S=
zS7RA#7n})PGz)wZ*;C3Zt>i-Csm{ApQxfZ5RR49B7Y#XuGWG~}LVRV*^Y-C;j1Cf8
zexu$uY#>1=v3L!8E*rVEe05g&(zT?dsVVPfAxoIHQVVP6>7)~G@qOr4r(FCB`KnIn
zJ1py^le_KITEgCyqiF-YO@r$o9%_LtYf*=!GUJ6Fq$Z|ii`szZZSJV|U~Zd)>+Sz@
z)PTw-l3+H!d7u=)K`0)rkdxiy<~g!G10UuZZagdIYUhi-cZLjtzP!!sA(UG0gmqEl
z!iI)-XNx>f4JA#+0Vvq%-8S$_dsG2^%iU|DhTz4VHpBpMUxfb4^2&*2a$96p+^*Q;
zT_PhFxwKC|IM`f`T-Dvl5YN#2Mq_m33!c9!o<-8_FJx&61{^;-9T?zIPXl+um@}Ra
zQ-`RfYQ_IJb|4)&!i<X4e`%9ycgSQ5MD}pl!i7n_74_N#AArl3f)mK5X4+Us9g;KF
zVnlssULB9bpVjlrA!0Icz77%HR~yU8l6;g5H@;E=soAC>%s;Z?VypB5aTS*^b7)Zl
zOZ>EK3*}D@^8EBca#zL@g|wnIvWqmPBeliULDAb*S=RESPsb``*6&f(!=IV>#90Yi
zP$J+DRk@=I)fuT(werV#4NtEd1AL0>Oy~!WSUpHYpPdergJN?bDTxHL3|dV*b6hHg
vL0>LHf<t+gOA3MZN4W2t-5eqV2Gh4b+zc}T%CV<McJ>Jv^kc}Rn2I_TtfXXZ