From 5527f50a3b1680b1e43c8292e058c6c3a26c1040 Mon Sep 17 00:00:00 2001 
From: Lillian-Violet Date: Thu, 12 Mar 2026 14:26:14 +0100 Subject: [PATCH] start refactoring shared code into modules, update the lock, do some other minor fixes --- README.md | 4 + flake.lock | 96 ++++---- .../plasma-desktop/default.nix | 12 +- home-manager/hosts/GLaDOS/lillian.nix | 19 ++ modules/nixos/preservation/default.nix | 208 ++++++++++++++++++ modules/nixos/shared-packages/default.nix | 159 +++++++++++++ .../desktop-settings/default.nix | 144 ++++++++++++ .../desktop-settings/firefox/default.nix | 182 +++++++++++++++ .../server-settings/akkoma/default.nix | 48 ++++ .../server-settings/aria2/container.nix | 101 +++++++++ .../server-settings/aria2/default.nix | 15 ++ .../server-settings/caddy/default.nix | 56 +++++ .../server-settings/cinny/default.nix | 17 ++ .../server-settings/conduit/default.nix | 153 +++++++++++++ .../server-settings/coturn/default.nix | 44 ++++ .../server-settings/dashboard/default.nix | 8 + .../dashboard/grafana/default.nix | 44 ++++ .../dashboard/loki/default.nix | 6 + .../server-settings/dashboard/loki/loki.yaml | 40 ++++ .../dashboard/prometheus/default.nix | 34 +++ .../dashboard/telegraf/default.nix | 49 +++++ .../server-settings/default.nix | 19 ++ .../server-settings/firefox-sync/default.nix | 30 +++ .../server-settings/forgejo/default.nix | 71 ++++++ .../server-settings/gotosocial/default.nix | 43 ++++ .../server-settings/jellyfin/default.nix | 20 ++ .../server-settings/mail-server/default.nix | 108 +++++++++ .../server-settings/mollysocket/default.nix | 25 +++ .../server-settings/nextcloud/default.nix | 126 +++++++++++ .../server-settings/ombi/default.nix | 55 +++++ .../server-settings/phanpy/default.nix | 17 ++ .../server-settings/postgres/default.nix | 38 ++++ .../server-settings/postgres/upgrade.nix | 36 +++ .../server-settings/roundcube/default.nix | 39 ++++ .../server-settings/writefreely/default.nix | 39 ++++ modules/nixos/sops/default.nix | 44 ++++ modules/nixos/stylix/background.jpg | Bin 0 -> 161326 bytes 
modules/nixos/stylix/default.nix | 60 +++++ nixos/desktop/default.nix | 1 + nixos/shared/default.nix | 1 + .../packages/package-configs/default.nix | 5 + .../package-configs/firefox/default.nix | 182 +++++++++++++++ nixos/shared/preservation.nix | 1 + 43 files changed, 2348 insertions(+), 51 deletions(-) create mode 100644 modules/nixos/preservation/default.nix create mode 100644 modules/nixos/shared-packages/default.nix create mode 100644 modules/nixos/shared-packages/desktop-settings/default.nix create mode 100644 modules/nixos/shared-packages/desktop-settings/firefox/default.nix create mode 100644 modules/nixos/shared-packages/server-settings/akkoma/default.nix create mode 100644 modules/nixos/shared-packages/server-settings/aria2/container.nix create mode 100644 modules/nixos/shared-packages/server-settings/aria2/default.nix create mode 100644 modules/nixos/shared-packages/server-settings/caddy/default.nix create mode 100644 modules/nixos/shared-packages/server-settings/cinny/default.nix create mode 100644 modules/nixos/shared-packages/server-settings/conduit/default.nix create mode 100644 modules/nixos/shared-packages/server-settings/coturn/default.nix create mode 100644 modules/nixos/shared-packages/server-settings/dashboard/default.nix create mode 100644 modules/nixos/shared-packages/server-settings/dashboard/grafana/default.nix create mode 100644 modules/nixos/shared-packages/server-settings/dashboard/loki/default.nix create mode 100644 modules/nixos/shared-packages/server-settings/dashboard/loki/loki.yaml create mode 100644 modules/nixos/shared-packages/server-settings/dashboard/prometheus/default.nix create mode 100644 modules/nixos/shared-packages/server-settings/dashboard/telegraf/default.nix create mode 100644 modules/nixos/shared-packages/server-settings/default.nix create mode 100644 modules/nixos/shared-packages/server-settings/firefox-sync/default.nix create mode 100644 modules/nixos/shared-packages/server-settings/forgejo/default.nix create mode 
100644 modules/nixos/shared-packages/server-settings/gotosocial/default.nix create mode 100644 modules/nixos/shared-packages/server-settings/jellyfin/default.nix create mode 100644 modules/nixos/shared-packages/server-settings/mail-server/default.nix create mode 100644 modules/nixos/shared-packages/server-settings/mollysocket/default.nix create mode 100644 modules/nixos/shared-packages/server-settings/nextcloud/default.nix create mode 100644 modules/nixos/shared-packages/server-settings/ombi/default.nix create mode 100644 modules/nixos/shared-packages/server-settings/phanpy/default.nix create mode 100644 modules/nixos/shared-packages/server-settings/postgres/default.nix create mode 100644 modules/nixos/shared-packages/server-settings/postgres/upgrade.nix create mode 100644 modules/nixos/shared-packages/server-settings/roundcube/default.nix create mode 100644 modules/nixos/shared-packages/server-settings/writefreely/default.nix create mode 100644 modules/nixos/sops/default.nix create mode 100644 modules/nixos/stylix/background.jpg create mode 100644 modules/nixos/stylix/default.nix create mode 100644 nixos/shared/packages/package-configs/default.nix create mode 100644 nixos/shared/packages/package-configs/firefox/default.nix diff --git a/README.md b/README.md index a3071c5..c203603 100644 --- a/README.md +++ b/README.md @@ -58,6 +58,10 @@ I have made a few commands for post installation (and for an iso installer to us ## Technical details +### Project structure + +The project is set up to + ### [Home manager](https://github.com/nix-community/home-manager) Home manager is imported as a module within the global configuration, it is therefor not needed to build home-manager packages separately in this configuration. On multi user systems it might be useful to pull the home-manager configurations from separate repos for different users, so you don't have to give your users access to the global configuration. 
diff --git a/flake.lock b/flake.lock index 401d4d2..3528af8 100644 --- a/flake.lock +++ b/flake.lock @@ -89,11 +89,11 @@ "nixpkgs": "nixpkgs" }, "locked": { - "lastModified": 1772153824, - "narHash": "sha256-T65qXmlcD9qFpPTi+mOXsn4dIkO2N8Ls67nqmuzepv0=", + "lastModified": 1773146250, + "narHash": "sha256-azzOjRqTxAqByzRP87jUUsmfOQ85i7h/YkrgTX0jZgg=", "owner": "catppuccin", "repo": "nix", - "rev": "4b0f5b7bf7b3eeb484d49524f3c9791864ab9362", + "rev": "0fa0d06dd3cd09f37f76d19b389d7ff947dfd7e8", "type": "github" }, "original": { @@ -139,11 +139,11 @@ ] }, "locked": { - "lastModified": 1772420042, - "narHash": "sha256-naZz40TUFMa0E0CutvwWsSPhgD5JldyTUDEgP9ADpfU=", + "lastModified": 1773025010, + "narHash": "sha256-khlHllTsovXgT2GZ0WxT4+RvuMjNeR5OW0UYeEHPYQo=", "owner": "nix-community", "repo": "disko", - "rev": "5af7af10f14706e4095bd6bc0d9373eb097283c6", + "rev": "7b9f7f88ab3b339f8142dc246445abb3c370d3d3", "type": "github" }, "original": { @@ -306,11 +306,11 @@ ] }, "locked": { - "lastModified": 1769939035, - "narHash": "sha256-Fok2AmefgVA0+eprw2NDwqKkPGEI5wvR+twiZagBvrg=", + "lastModified": 1772893680, + "narHash": "sha256-JDqZMgxUTCq85ObSaFw0HhE+lvdOre1lx9iI6vYyOEs=", "owner": "cachix", "repo": "git-hooks.nix", - "rev": "a8ca480175326551d6c4121498316261cbb5b260", + "rev": "8baab586afc9c9b57645a734c820e4ac0a604af9", "type": "github" }, "original": { @@ -389,11 +389,11 @@ ] }, "locked": { - "lastModified": 1772633327, - "narHash": "sha256-jl+DJB2DUx7EbWLRng+6HNWW/1/VQOnf0NsQB4PlA7I=", + "lastModified": 1773286336, + "narHash": "sha256-+yFtmhOHterllxWmV6YbdevTXpJdGS0mS0UmJ0k9fh0=", "owner": "nix-community", "repo": "home-manager", - "rev": "5a75730e6f21ee624cbf86f4915c6e7489c74acc", + "rev": "7d06e0cefe6e4a1e85b2b3274dcb0b3da242a557", "type": "github" }, "original": { 
@@ -409,11 +409,11 @@ "nixpkgs": "nixpkgs_2" }, "locked": { - "lastModified": 1772517207, - "narHash": "sha256-qxHfxqbigqBTn//U4leIS5he22Wp1GS0+zmwGV7Pozs=", + "lastModified": 1773237643, + "narHash": "sha256-L1/RhR9gBGon3+vUwt8LxFnkwBqZMNdQTHnjwGodjtw=", "owner": "Jovian-Experiments", "repo": "Jovian-NixOS", - "rev": "7ca1501c2d80900b5967baea4d42581f84b388dd", + "rev": "cff48bb8dad9d56abd761825d02b892c543a1f38", "type": "github" }, "original": { @@ -472,11 +472,11 @@ ] }, "locked": { - "lastModified": 1772341813, - "narHash": "sha256-/PQ0ubBCMj/MVCWEI/XMStn55a8dIKsvztj4ZVLvUrQ=", + "lastModified": 1772945408, + "narHash": "sha256-PMt48sEQ8cgCeljQ9I/32uoBq/8t8y+7W/nAZhf72TQ=", "owner": "nix-community", "repo": "nix-index-database", - "rev": "a2051ff239ce2e8a0148fa7a152903d9a78e854f", + "rev": "1c1d8ea87b047788fd7567adf531418c5da321ec", "type": "github" }, "original": { @@ -523,11 +523,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1771969195, - "narHash": "sha256-qwcDBtrRvJbrrnv1lf/pREQi8t2hWZxVAyeMo7/E9sw=", + "lastModified": 1772972630, + "narHash": "sha256-mUJxsNOrBMNOUJzN0pfdVJ1r2pxeqm9gI/yIKXzVVbk=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "41c6b421bdc301b2624486e11905c9af7b8ec68e", + "rev": "3966ce987e1a9a164205ac8259a5fe8a64528f72", "type": "github" }, "original": { @@ -539,11 +539,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1771848320, - "narHash": "sha256-0MAd+0mun3K/Ns8JATeHT1sX28faLII5hVLq0L3BdZU=", + "lastModified": 1772773019, + "narHash": "sha256-E1bxHxNKfDoQUuvriG71+f+s/NT0qWkImXsYZNFFfCs=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "2fc6539b481e1d2569f25f8799236694180c0993", + "rev": "aca4d95fce4914b3892661bcb80b8087293536c6", "type": "github" }, "original": { 
@@ -555,11 +555,11 @@ }, "nixpkgs-edge": { "locked": { - "lastModified": 1772650872, - "narHash": "sha256-3ntx/EmA6eaMLYX0nGXCXm75YdCbyfEO2eJopgZuKrk=", + "lastModified": 1773321471, + "narHash": "sha256-H8Rxavz5NavZFNEBRR5nUdGtwipp5R+uE0i7sZ9RAek=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "468dfc97e8f0b074cba09361bceeacdd87893060", + "rev": "eea6fb66b4f4a7abe59b10be3875cd87fba366f5", "type": "github" }, "original": { @@ -570,11 +570,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1772542754, - "narHash": "sha256-WGV2hy+VIeQsYXpsLjdr4GvHv5eECMISX1zKLTedhdg=", + "lastModified": 1773122722, + "narHash": "sha256-FIqHByVqxCprNjor1NqF80F2QQoiiyqanNNefdlvOg4=", "owner": "nixos", "repo": "nixpkgs", - "rev": "8c809a146a140c5c8806f13399592dbcb1bb5dc4", + "rev": "62dc67aa6a52b4364dd75994ec00b51fbf474e50", "type": "github" }, "original": { @@ -618,11 +618,11 @@ }, "nixpkgs_4": { "locked": { - "lastModified": 1772542754, - "narHash": "sha256-WGV2hy+VIeQsYXpsLjdr4GvHv5eECMISX1zKLTedhdg=", + "lastModified": 1773122722, + "narHash": "sha256-FIqHByVqxCprNjor1NqF80F2QQoiiyqanNNefdlvOg4=", "owner": "nixos", "repo": "nixpkgs", - "rev": "8c809a146a140c5c8806f13399592dbcb1bb5dc4", + "rev": "62dc67aa6a52b4364dd75994ec00b51fbf474e50", "type": "github" }, "original": { @@ -634,11 +634,11 @@ }, "nixpkgs_5": { "locked": { - "lastModified": 1770650459, - "narHash": "sha256-hGeOnueXorzwDD1V9ldZr+y+zad4SNyqMnQsa/mIlvI=", + "lastModified": 1773046814, + "narHash": "sha256-3CEw64UyzEk5QjfbcXNIl4TfmIpa2oY+duuo6aiawcU=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "fff0554c67696d76a0cdd9cfe14403fbdbf1f378", + "rev": "0c6c0dd2469abaa216599bb19bbf77a328af6564", "type": "github" }, "original": { 
@@ -650,11 +650,11 @@ }, "nixpkgs_6": { "locked": { - "lastModified": 1772173633, - "narHash": "sha256-MOH58F4AIbCkh6qlQcwMycyk5SWvsqnS/TCfnqDlpj4=", + "lastModified": 1772736753, + "narHash": "sha256-au/m3+EuBLoSzWUCb64a/MZq6QUtOV8oC0D9tY2scPQ=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "c0f3d81a7ddbc2b1332be0d8481a672b4f6004d6", + "rev": "917fec990948658ef1ccd07cef2a1ef060786846", "type": "github" }, "original": { @@ -855,11 +855,11 @@ "nixpkgs": "nixpkgs_5" }, "locked": { - "lastModified": 1772636567, - "narHash": "sha256-1QlCWLQ5mhkbViPhOxkaW7ifp+IEiYFg7KgMDK0Uvm4=", + "lastModified": 1773319868, + "narHash": "sha256-r9pCiDafaa7CEUjYpz5976svX7KGsDV8MI0Yh8K5WXg=", "owner": "simple-nixos-mailserver", "repo": "nixos-mailserver", - "rev": "e1afec5b08a82092271376b4fc909c91de89e260", + "rev": "86579c67151f83e1ca6e8101a6ab8adfe8e78484", "type": "gitlab" }, "original": { @@ -874,11 +874,11 @@ "nixpkgs": "nixpkgs_6" }, "locked": { - "lastModified": 1772495394, - "narHash": "sha256-hmIvE/slLKEFKNEJz27IZ8BKlAaZDcjIHmkZ7GCEjfw=", + "lastModified": 1773096132, + "narHash": "sha256-M3zEnq9OElB7zqc+mjgPlByPm1O5t2fbUrH3t/Hm5Ag=", "owner": "Mic92", "repo": "sops-nix", - "rev": "1d9b98a29a45abe9c4d3174bd36de9f28755e3ff", + "rev": "d1ff3b1034d5bab5d7d8086a7803c5a5968cd784", "type": "github" }, "original": { @@ -1053,11 +1053,11 @@ "rust-overlay": "rust-overlay_2" }, "locked": { - "lastModified": 1771148613, - "narHash": "sha256-nLzdw8jskekSRrunxBDCA0NCHr/2aJjcXqZ1Fcqm5eY=", + "lastModified": 1773119656, + "narHash": "sha256-AE6SthrvDyUU70myW7wAq4mzQbtmK5Spng7Y/OdCdhI=", "owner": "dj95", "repo": "zjstatus", - "rev": "7a039f56da80681408454d6e175fde3f54b9e592", + "rev": "e80d508ffbff6ab6b39a481ae9986109d3c313ac", "type": "github" }, "original": { diff --git a/home-manager/desktop/package-configs/plasma-desktop/default.nix b/home-manager/desktop/package-configs/plasma-desktop/default.nix index cf7da00..73021f0 100644 
--- a/home-manager/desktop/package-configs/plasma-desktop/default.nix +++ b/home-manager/desktop/package-configs/plasma-desktop/default.nix @@ -16,10 +16,10 @@ WantedBy = ["default.target"]; }; Service = { - Type = "OneShot"; + Type = "oneshot"; ExecStart = "${pkgs.writeShellScript "set-kde-connect-commands" '' #!/run/current-system/sw/bin/bash - find ${config.home.homeDirectory}/.config/kdeconnect/ -type d -name 'kdeconnect_runcommand' -execdir mkdir -p {}/config \; -execdir cp ${builtins.toPath ./kde-connect-commands} {}/config \; + find ${config.home.homeDirectory}/.config/kdeconnect/ -type d -name 'kdeconnect_runcommand' -execdir mkdir -p {}/config \; -execdir cp -rf ${builtins.toPath ./kde-connect-commands} {}/config \; -execdir chmod --recursive +rwx {}/config/ \; ''}"; RemainAfterExit = true; }; @@ -309,7 +309,13 @@ "services/services.services.org.kde.spectacle.desktop"."_launch" = "Print"; }; configFile = { - kwinrc.Plugins.rememberwindowpositionsEnabled = true; + kwinrc = { + Plugins.rememberwindowpositionsEnabled = true; + Script-rememberwindowpositions = { + restoreType = 3; + whitelist = "org.mozilla.firefox\nfirefox\nlibrewolf\nkonsole\nvesktop\nsignal-dekstop\nthunderbird"; + }; + }; }; }; } diff --git a/home-manager/hosts/GLaDOS/lillian.nix b/home-manager/hosts/GLaDOS/lillian.nix index 4ac2123..3d0af5d 100644 --- a/home-manager/hosts/GLaDOS/lillian.nix +++ b/home-manager/hosts/GLaDOS/lillian.nix 
@@ -39,6 +39,25 @@ # enableSessionWide = true; }; + programs.plasma.configFile.kwinrc = { + "Tiling/Desktop_1/593113fc-a693-4eb3-acfd-6048b9bcfffd".padding = 0; + "Tiling/Desktop_1/593113fc-a693-4eb3-acfd-6048b9bcfffd".tiles = "{\"layoutDirection\":\"horizontal\",\"tiles\":[{\"width\":0.5},{\"width\":0.5}]}"; + "Tiling/Desktop_1/98696f59-53d4-4598-8e46-1a0feee68c27".padding = 0; + "Tiling/Desktop_1/98696f59-53d4-4598-8e46-1a0feee68c27".tiles = "{\"layoutDirection\":\"horizontal\",\"tiles\":[{\"width\":0.5},{\"width\":0.5}]}"; + "Tiling/Desktop_2/593113fc-a693-4eb3-acfd-6048b9bcfffd".padding = 0; + "Tiling/Desktop_2/593113fc-a693-4eb3-acfd-6048b9bcfffd".tiles = "{\"layoutDirection\":\"horizontal\",\"tiles\":[{\"width\":0.5},{\"width\":0.5}]}"; + "Tiling/Desktop_2/98696f59-53d4-4598-8e46-1a0feee68c27".padding = 0; + "Tiling/Desktop_2/98696f59-53d4-4598-8e46-1a0feee68c27".tiles = "{\"layoutDirection\":\"horizontal\",\"tiles\":[{\"width\":0.5},{\"width\":0.5}]}"; + "Tiling/Desktop_3/593113fc-a693-4eb3-acfd-6048b9bcfffd".padding = 0; + "Tiling/Desktop_3/593113fc-a693-4eb3-acfd-6048b9bcfffd".tiles = "{\"layoutDirection\":\"horizontal\",\"tiles\":[{\"width\":0.5},{\"width\":0.5}]}"; + "Tiling/Desktop_3/98696f59-53d4-4598-8e46-1a0feee68c27".padding = 0; + "Tiling/Desktop_3/98696f59-53d4-4598-8e46-1a0feee68c27".tiles = "{\"layoutDirection\":\"horizontal\",\"tiles\":[{\"width\":0.5},{\"width\":0.5}]}"; + "Tiling/Desktop_4/593113fc-a693-4eb3-acfd-6048b9bcfffd".padding = 0; + "Tiling/Desktop_4/593113fc-a693-4eb3-acfd-6048b9bcfffd".tiles = "{\"layoutDirection\":\"horizontal\",\"tiles\":[{\"width\":0.5},{\"width\":0.5}]}"; + "Tiling/Desktop_4/98696f59-53d4-4598-8e46-1a0feee68c27".padding = 0; + "Tiling/Desktop_4/98696f59-53d4-4598-8e46-1a0feee68c27".tiles = "{\"layoutDirection\":\"horizontal\",\"tiles\":[{\"width\":0.5},{\"width\":0.5}]}"; + }; + # https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion home.stateVersion = "26.05"; } 
diff --git a/modules/nixos/preservation/default.nix b/modules/nixos/preservation/default.nix new file mode 100644 index 0000000..234f137 --- /dev/null +++ b/modules/nixos/preservation/default.nix 
@@ -0,0 +1,208 @@ +{ lib, config, ...}: +let cfg = config.preservationSetup; in { + options = { + preservationSetup.enable = lib.mkEnableOption "Enable setup of preservation of files in /persistent"; + global.desktop = lib.mkOption { + type = lib.types.bool; + default = false; + description = "Whether or not we should make desktop preservation files."; + }; + global.server = lib.mkOption { + type = lib.types.bool; + default = false; + description = "Whether or not we should make server preservation files."; + }; + }; + + config = lib.mkIf cfg.enable { + + preservation = { + # the module doesn't do anything unless it is enabled + enable = true; + + preserveAt."/persistent" = { + # preserve system directories + directories = [ + #Shared + "/var/lib/sbctl" + "/var/lib/bluetooth" + "/var/lib/fprint" + "/var/lib/fwupd" + "/var/lib/libvirt" + "/var/lib/tpm2-tss" + "/var/lib/tpm2-udev-trigger" + "/var/lib/power-profiles-daemon" + "/var/lib/systemd/coredump" + "/var/lib/systemd/rfkill" + "/var/lib/systemd/timers" + "/var/log" + { + directory = "/var/lib/nixos"; + inInitrd = true; + } + { + directory = "/var/secrets"; + inInitrd = true; + } + ] ++ lib.mkIf (cfg.desktop == true) [ + #Desktop + "/var/lib/decky-loader" + "/var/lib/flatpak" + ] ++ lib.mkIf (cfg.server == true) [ + #Server + "/var/lib/continuwuity" + "/var/lib/dhcpcd" + "/var/lib/docker" + "/var/lib/dovecot" + "/var/lib/forgejo" + "/var/lib/gotosocial" + "/var/lib/grafana" + "/var/lib/jellyfin" + "/var/lib/media" + "/var/lib/mollysocket" + "/var/lib/private" + "/var/lib/mysql" + "/var/lib/nextcloud" + "/var/lib/onlyoffice" + "/var/lib/postfix" + "/var/lib/postgresql" + "/var/lib/prometheus2" + "/var/lib/rabbitmq" + "/var/lib/redis-nextcloud" + "/var/lib/redis-rspamd" + "/var/lib/secrets" + "/var/lib/writefreely" + "/var/db" + "/var/dkim" + "/var/secrets" + "/var/sieve" + "/var/vmail" + "/var/mysql" + ]; + + # preserve system files + files = [ + { + file = "/etc/machine-id"; + inInitrd = true; + how = "symlink"; 
+ } + "/var/lib/usbguard/rules.conf" + + # creates a symlink on the volatile root + # creates an empty directory on the persistent volume, i.e. /persistent/var/lib/systemd + # does not create an empty file at the symlink's target (would require `createLinkTarget = true`) + { + file = "/var/lib/systemd/random-seed"; + how = "symlink"; + inInitrd = true; + configureParent = true; + } + "/var/lib/systemd/tpm2-srk-public-key.pem" + "/var/lib/systemd/tpm2-srk-public-key.tpm2b_public" + ]; + + # preserve user-specific files, implies ownership + users = { + lillian = { + commonMountOptions = [ + "x-gvfs-hide" + ]; + directories = [ + { + directory = ".ssh"; + mode = "0700"; + } + ] ++ lib.mkIf (cfg.desktop == true) [ + #Desktop + ".local/state/wireplumber" + ".local/share/direnv" + ".local/state/nix" + ".local/state/comma" + ".local/state/home-manager" + ".local/share/PrismLauncher" + ".local/share/qBittorrent" + ".local/share/kwalletd" + ".local/share/kwin" #TODO: add the window script via nix instead of saving it imperatively and keeping it + ".local/share/lutris" + ".local/share/Nextcloud" + ".local/share/Steam" + ".local/share/zoxide" + ".local/share/flatpak" + ".local/share/applications" + ".local/share/firefoxpwa/" + ".local/share/zoxide" + ".mozilla" + ".steam" + ".zsh" + ".pki" + ".tldrc" + ".thunderbird" + "Code" + "Writing" + "Games" + ".config/kdeconnect" + ".config/Nextcloud" + ".config/noisetorch" + ".config/qBittorrent" + ".config/r2modman" + ".config/r2modmanPlus-local" + ".config/Ryujinx" + ".config/Signal" + ".config/sops" + ".config/vesktop" + ".config/kde.org" + ]; + #Shared + files = [ + ".z" + ".zsh_history" + ]; + }; + root = { + # specify user home when it is not `/home/${user}` + home = "/root"; + directories = [ + { + directory = ".ssh"; + mode = "0700"; + } + ]; + }; + }; + }; + }; + systemd.services.systemd-machine-id-commit = { + unitConfig.ConditionPathIsMountPoint = [ + "" + "/persistent/etc/machine-id" + ]; + serviceConfig.ExecStart = [ + "" 
+ "systemd-machine-id-setup --commit --root /persistent" + ]; + }; + systemd.tmpfiles.settings.preservation = { + "/home/lillian/.config".d = { + user = "lillian"; + group = "users"; + mode = "0755"; + }; + "/home/lillian/.local".d = { + user = "lillian"; + group = "users"; + mode = "0755"; + }; + "/home/lillian/.local/share".d = { + user = "lillian"; + group = "users"; + mode = "0755"; + }; + "/home/lillian/.local/state".d = { + user = "lillian"; + group = "users"; + mode = "0755"; + }; + }; + }; +} diff --git a/modules/nixos/shared-packages/default.nix b/modules/nixos/shared-packages/default.nix new file mode 100644 index 0000000..afad336 --- /dev/null +++ b/modules/nixos/shared-packages/default.nix 
@@ -0,0 +1,159 @@ +{ + outputs, + pkgs, + pkgs-edge, + lib, + config, + ... +}: +let cfg = config.sharedPackages; in { + options = { + sharedPackages.enable = lib.mkEnableOption "Whether or not to install shared packages and settings"; + global.desktopPackages = lib.mkOption { + type = lib.types.bool; + default = false; + description = "Whether or not to install shared desktop packages and settings."; + }; + global.serverPackages = lib.mkOption { + type = lib.types.bool; + default = false; + description = "Whether or not to install shared server packages and settings."; + }; + }; + + config = lib.mkIf cfg.enable { + imports = [] ++ lib.mkIf (cfg.desktopPackages == true) [ + ./desktop-settings + ] ++ lib.mkIf (cfg.serverPackages == true) [ + ./server-settings + ]; + nixpkgs = { + # You can add overlays here + overlays = [ + # Add overlays your own flake exports (from overlays and pkgs dir): + outputs.overlays.additions + outputs.overlays.modifications + ]; + }; + + environment.systemPackages = + (with pkgs; [ + # Custom tools + rebuild + rebuild-no-inhibit + install-nix + install-nix-no-inhibit + update + upgrade + simple-completion-language-server + + # System tools + age + alejandra + e2fsprogs + # uutils-findutils + git + git-filter-repo + pre-commit + helix + home-manager + htop + just + killall + oh-my-zsh + rsync + tre-command + wget + zsh + tldr + nmap + knot-dns + libressl + nettools + starship + + # System libraries + ] ++ lib.mkIf (cfg.desktop == true) [ + # Custom tools + dvd + dvt + servo + restart + + # System tools + aha + ttf-ms-win10 + wineWow64Packages.stable + bottles + tpm2-abrmd + jdk21_headless + #bcachefs-tools + clinfo + direnv + exfat + exfatprogs + gamemode + git-filter-repo + gnupg + pciutils + podman + podman-compose + python3Minimal + sbctl + tpm2-tools + tpm2-tss + virtualgl + vulkan-tools + # waydroid + waypipe + wayland-utils + yubikey-personalization + zsh + + # KDE/QT + kdePackages.plasma-desktop + 
kdePackages.plasma-wayland-protocols + kdePackages.libplasma + kdePackages.plasma-integration + kdePackages.plasma-activities + kdePackages.plasma-workspace + kdePackages.discover + kdePackages.filelight + kdePackages.kcalc + kdePackages.kdepim-addons + kdePackages.kirigami + kdePackages.kdeconnect-kde + kdePackages.konsole + # kdePackages.krunner-ssh + # kdePackages.krunner-symbols + kdePackages.packagekit-qt + kdePackages.plasma-pa + kdePackages.sddm-kcm + kdePackages.dolphin-plugins + kdePackages.qtstyleplugin-kvantum + kdePackages.krdc + kdePackages.krfb + kdePackages.kate + kdePackages.qrca + libportal-qt5 + libportal + + # User tools + freetube + noisetorch + qjackctl + wireplumber + intiface-central + #rustdesk + ] + + ) + ++ (with pkgs-edge; [ + # list of latest packages from nixpkgs master + # Can be used to install latest version of some packages + ] ++ lib.mkIf (cfg.desktop == true) [ + kdePackages.plasma-vault + ] + ); +}; +} diff --git a/modules/nixos/shared-packages/desktop-settings/default.nix b/modules/nixos/shared-packages/desktop-settings/default.nix new file mode 100644 index 0000000..7935bf4 --- /dev/null +++ b/modules/nixos/shared-packages/desktop-settings/default.nix 
@@ -0,0 +1,144 @@ +{ + pkgs, + lib, + config, + ... +}: { + imports = [ + ./firefox + ]; + services.udev.extraRules = '' + KERNEL=="hidraw*", ATTRS{idVendor}=="057e", MODE="0660", TAG+="uaccess" + KERNEL=="hidraw*", KERNELS=="*057e:*", MODE="0660", TAG+="uaccess" + KERNEL=="hidraw*", ATTRS{idVendor}=="2dc8", MODE="0660", TAG+="uaccess" + KERNEL=="hidraw*", KERNELS=="*2DC8:*", MODE="0660", TAG+="uaccess" + KERNEL=="hidraw*", ATTRS{idProduct}=="6012", ATTRS{idVendor}=="2dc8", MODE="0660", TAG+="uaccess" + KERNEL=="hidraw*", KERNELS=="*2DC8:6012*", MODE="0660", TAG+="uaccess" + ''; + + fonts.packages = [pkgs.ttf-ms-win10]; + + programs = { + # Allow executing of anything on the system with a , eg: , python executes python from the nix store even if not in $PATH currently + command-not-found.enable = lib.mkForce false; + # nix-index.enable = true; + nix-index-database.comma.enable = true; + + direnv = { + enable = true; + }; + + # steam = { + # enable = true; + # remotePlay.openFirewall = true; # Open ports in the firewall for Steam Remote Play + # dedicatedServer.openFirewall = true; # Open ports in the firewall for Source Dedicated Server + # extest.enable = true; + # }; + kdeconnect.enable = true; + + noisetorch = { + enable = true; + }; + }; + + xdg.portal.enable = true; + + # Enable networking + networking.networkmanager.enable = true; # Enables support for 32bit libs that steam uses + + # Set your time zone. + time.timeZone = "Europe/Amsterdam"; + services = { + # Enable the X11 windowing system. + xserver.enable = true; + + # Enable the KDE Plasma Desktop Environment. 
+ # displayManager.sddm = { + # enable = true; + # wayland.enable = true; + # }; + displayManager.defaultSession = lib.mkDefault "plasma"; + desktopManager.plasma6.enable = true; + desktopManager.plasma6.notoPackage = pkgs.atkinson-hyperlegible; + + # Enable flatpak support + flatpak.enable = true; + packagekit.enable = true; + + # Configure keymap in X11 + xserver.xkb = { + layout = "us"; + variant = ""; + options = "terminate:ctrl_alt_bksp,compose:caps_toggle"; + }; + + # Enable CUPS to print documents. + printing.enable = true; + + # Enable fwupd daemon and user space client + fwupd.enable = true; + pipewire = { + enable = true; + alsa.enable = true; + alsa.support32Bit = true; + pulse.enable = true; + jack.enable = true; + wireplumber.enable = true; + }; + + avahi = { + nssmdns4 = true; + enable = true; + ipv4 = true; + ipv6 = true; + publish = { + enable = true; + addresses = true; + workstation = true; + }; + }; + }; + hardware = { + graphics.enable32Bit = true; + + # Enable bluetooth hardware + bluetooth.enable = true; + }; + security.rtkit.enable = true; + + services.pulseaudio.enable = false; + virtualisation.podman = { + enable = true; + dockerCompat = true; + }; + security.tpm2 = { + enable = true; + pkcs11.enable = true; # expose /run/current-system/sw/lib/libtpm2_pkcs11.so + tctiEnvironment.enable = true; + }; # TPM2TOOLS_TCTI and TPM2_PKCS11_TCTI env variables + users.users.lillian.extraGroups = ["tss"]; + boot = { + # tss group has access to TPM devices + bootspec.enable = true; + binfmt.emulatedSystems = ["aarch64-linux"]; + #boot.kernelPackages = lib.mkForce pkgs.linuxPackages_latest; + #boot.supportedFilesystems = ["bcachefs"]; + extraModulePackages = with config.boot.kernelPackages; [v4l2loopback.out]; + kernelModules = [ + # Virtual Camera + "v4l2loopback" + # Virtual Microphone, built-in + "snd-aloop" + ]; + + # Set initial kernel module settings + extraModprobeConfig = '' + # exclusive_caps: Skype, Zoom, Teams etc. 
will only show device when actually streaming + # card_label: Name of virtual camera, how it'll show up in Skype, Zoom, Teams + # https://github.com/umlaeute/v4l2loopback + options v4l2loopback exclusive_caps=1 card_label="Virtual Camera" + ''; + loader.systemd-boot.configurationLimit = 3; + loader.efi.canTouchEfiVariables = true; +}; +} diff --git a/modules/nixos/shared-packages/desktop-settings/firefox/default.nix b/modules/nixos/shared-packages/desktop-settings/firefox/default.nix new file mode 100644 index 0000000..c57887f --- /dev/null +++ b/modules/nixos/shared-packages/desktop-settings/firefox/default.nix 
@@ -0,0 +1,182 @@ +{pkgs, ...}: { + programs.firefox = { + enable = true; + package = pkgs.librewolf; + policies = { + DisableTelemetry = true; + DisableFirefoxStudies = true; + DisablePocket = true; + DisableFirefoxAccounts = true; + DisableAccounts = true; + DisableProfileImport = true; + OverrideFirstRunPage = ""; + OverridePostUpdatePage = ""; + DontCheckDefaultBrowser = true; + DisplayBookmarksToolbar = "newtab"; + ManualAppUpdateOnly = true; + OfferToSaveLogins = false; + PasswordManagerEnabled = false; + DownloadDirectory = "\${home}/Downloads"; + EnableTrackingProtection = { + Value = true; + Cryptomining = true; + Fingerprinting = true; + }; + ExtensionSettings = { + # "*".installation_mode = "blocked"; # blocks all addons except the ones specified below + # Catppuccin Macchiato - Mauve theme: + "{55750c61-e5f3-4d9a-898d-0643b3093678}" = { + install_url = "https://addons.mozilla.org/firefox/downloads/latest/catppuccin-macchiato-mauve/latest.xpi"; + installation_mode = "force_installed"; + }; + # Sideberry: + #"{3c078156-979c-498b-8990-85f7987dd929}" = { + # install_url = "https://addons.mozilla.org/firefox/downloads/latest/sidebery/latest.xpi"; + # installation_mode = "force_installed"; + #}; + # Privacy Badger: + "jid1-MnnxcxisBPnSXQ@jetpack" = { + install_url = "https://addons.mozilla.org/firefox/downloads/latest/privacy-badger17/latest.xpi"; + installation_mode = "force_installed"; + }; + # Bitwarden: + "{446900e4-71c2-419f-a6a7-df9c091e268b}" = { + install_url = "https://addons.mozilla.org/firefox/downloads/latest/bitwarden-password-manager/latest.xpi"; + installation_mode = "force_installed"; + }; + # Libredirect: + "7esoorv3@alefvanoon.anonaddy.me" = { + install_url = "https://addons.mozilla.org/firefox/downloads/latest/libredirect/latest.xpi"; + installation_mode = "force_installed"; + }; + # DarkReader: + "addon@darkreader.org" = { + install_url = "https://addons.mozilla.org/firefox/downloads/latest/darkreader/latest.xpi"; + installation_mode = 
"force_installed"; + }; + # SimpleLogin: + "addon@simplelogin" = { + install_url = "https://addons.mozilla.org/firefox/downloads/latest/simplelogin/latest.xpi"; + installation_mode = "force_installed"; + }; + # Cookie Auto Delete: + "CookieAutoDelete@kennydo.com" = { + install_url = "https://addons.mozilla.org/firefox/downloads/latest/cookie-autodelete/latest.xpi"; + installation_mode = "force_installed"; + }; + # Don't fuck with paste: + "DontFuckWithPaste@raim.ist" = { + install_url = "https://addons.mozilla.org/firefox/downloads/latest/don-t-fuck-with-paste/latest.xpi"; + installation_mode = "force_installed"; + }; + # Firefox pwas: + "firefoxpwa@filips.si" = { + install_url = "https://addons.mozilla.org/firefox/downloads/latest/pwas-for-firefox/latest.xpi"; + installation_mode = "force_installed"; + }; + # Consent o matic: + "gdpr@cavi.au.dk" = { + install_url = "https://addons.mozilla.org/firefox/downloads/latest/consent-o-matic/latest.xpi"; + installation_mode = "force_installed"; + }; + # Mailvelope: + "jid1-AQqSMBYb0a8ADg@jetpack" = { + install_url = "https://addons.mozilla.org/firefox/downloads/latest/mailvelope/latest.xpi"; + installation_mode = "force_installed"; + }; + # KDE connect: + "kde-connect@0xc0dedbad.com" = { + install_url = "https://addons.mozilla.org/firefox/downloads/latest/kde-connect/latest.xpi"; + installation_mode = "force_installed"; + }; + # Plasma browser integration: + "plasma-browser-integration@kde.org" = { + install_url = "https://addons.mozilla.org/firefox/downloads/latest/plasma-integration/latest.xpi"; + installation_mode = "force_installed"; + }; + # Shinigami eyes: + "shinigamieyes@shinigamieyes" = { + install_url = "https://addons.mozilla.org/firefox/downloads/latest/shinigami-eyes/latest.xpi"; + installation_mode = "force_installed"; + }; + # uBlock Origin: + "uBlock0@raymondhill.net" = { + install_url = "https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi"; + installation_mode = "force_installed"; 
+ }; + # uBlock Scope: + "uBO-Scope@raymondhill.net" = { + install_url = "https://addons.mozilla.org/firefox/downloads/latest/ubo-scope/latest.xpi"; + installation_mode = "force_installed"; + }; + # Wayback machine: + "wayback_machine@mozilla.org" = { + install_url = "https://addons.mozilla.org/firefox/downloads/file/4047136/wayback_machine_new-3.2.xpi"; + installation_mode = "force_installed"; + }; + # Tree Style Tabs + # "treestyletab@piro.sakura.ne.jp" = { + # install_url = "https://addons.mozilla.org/firefox/downloads/latest/tree-style-tab/latest.xpi"; + # installation_mode = "force_installed"; + # }; + # Adaptive Tab Bar Colour + "ATBC@EasonWong" = { + install_url = "https://addons.mozilla.org/firefox/downloads/latest/Adaptive-Tab-Bar-Colour/latest.xpi"; + installation_mode = "force_installed"; + }; + }; + FirefoxHome = { + Search = true; + TopSites = false; + SponsoredTopSites = false; + Highlights = false; + Pocket = false; + SponsoredPocket = false; + Snippets = false; + }; + FirefoxSuggest = { + WebSuggestions = false; + SponsoredSuggestions = false; + ImproveSuggest = false; + }; + Preferences = { + "browser.compactmode.show" = true; + "browser.uidensity" = 0; + # "browser.newtabpage.activity-stream.feeds.topsites" = false; + "browser.newtabpage.activity-stream.showSponsoredTopSites" = false; + "browser.newtabpage.activity-stream.showSponsored" = false; + "browser.newtabpage.activity-stream.system.showSponsored" = false; + "font.name.serif.x-western" = "Crimson"; + "font.name.sans-serif.x-western" = "Atkinson Hyperlegible"; + "font.name.monospace.x-western" = "FiraCode Nerd Font"; + "font.size.variable.x-western" = 14; + "floorp.browser.sidebar.useIconProvider" = "duckduckgo"; + "floorp.browser.tabbar.settings" = 2; + "floorp.browser.tabs.verticaltab" = true; + "floorp.tabbar.style" = 2; + "floorp.browser.user.interface" = 8; + "signon.rememberSignons" = true; + "browser.ml.chat.enabled" = false; + "browser.ml.chat.shortcuts" = false; + }; + # TODO: 
switch to ManagedBookmarks as this will be dropped at some point https://mozilla.github.io/policy-templates/#managedbookmarks + # Bookmarks = [ + # { + # Title = "NixOS wiki"; + # Placement = "toolbar"; + # URL = "https://nixos.wiki/"; + # } + # { + # Title = "NixOS options"; + # Placement = "toolbar"; + # URL = "https://nixos.org/manual/nixos/stable/options"; + # } + # { + # Title = "NixOS home-manager options"; + # Placement = "toolbar"; + # URL = "https://nix-community.github.io/home-manager/options.xhtml"; + # } + # ]; + }; + }; +} diff --git a/modules/nixos/shared-packages/server-settings/akkoma/default.nix b/modules/nixos/shared-packages/server-settings/akkoma/default.nix new file mode 100644 index 0000000..d0495bf --- /dev/null +++ b/modules/nixos/shared-packages/server-settings/akkoma/default.nix @@ -0,0 +1,48 @@ +{ + config, + pkgs, + ... +}: { + sops.secrets."releaseCookie".mode = "0440"; + sops.secrets."releaseCookie".owner = config.users.users.akkoma.name; + + users.groups.akkoma = {}; + + users.users = { + akkoma = { + isSystemUser = true; + group = "akkoma"; + }; + }; + + services.akkoma = { + enable = true; + package = pkgs.akkoma; + extraPackages = with pkgs; [ffmpeg exiftool imagemagick]; + nginx = { + enableACME = true; + forceSSL = true; + serverName = "akkoma.gladtherescake.eu"; + }; + #dist.cookie._secret = config.sops.secrets."releaseCookie".path; + config = { + ":pleroma".":instance" = { + name = "GLaDTheresCake Akkoma"; + email = "akkoma@gladtherescake.eu"; + notify_email = "no-reply@akkoma.gladtherescake.eu"; + emails.mailer = { + enabled = true; + adapter = "Swoosh.Adapters.Sendmail"; + cmd_path = "sendmail"; + cmd_args = "-N delay,failure,success"; + qmail = true; + }; + description = "Lillian's Akkoma server!"; + languages = ["en" "nl"]; + registrations_open = true; + max_pinned_statuses = 10; + cleanup_attachments = true; + }; + }; + }; +} 
diff --git a/modules/nixos/shared-packages/server-settings/aria2/container.nix b/modules/nixos/shared-packages/server-settings/aria2/container.nix new file mode 100644 index 0000000..c76c97c --- /dev/null +++ b/modules/nixos/shared-packages/server-settings/aria2/container.nix 
@@ -0,0 +1,101 @@ +{config, ...}: { + users.users.aria2.group = "aria2"; + users.groups.aria2 = {}; + users.users.aria2.isSystemUser = true; + + sops.secrets."wg-private".mode = "0440"; + sops.secrets."wg-private".owner = config.users.users.aria2.name; + containers.aria2 = { + forwardPorts = [ + { + containerPort = 6969; + hostPort = 6969; + protocol = "udp"; + } + ]; + bindMounts = { + "/var/lib/media" = { + hostPath = "/var/lib/media"; + isReadOnly = false; + }; + "/var/lib/wg/private-key" = { + hostPath = config.sops.secrets."wg-private".path; + isReadOnly = true; + }; + }; + autoStart = true; + privateNetwork = true; + hostAddress = "192.168.100.10"; + localAddress = "192.168.100.11"; + hostAddress6 = "fc00::1"; + localAddress6 = "fc00::2"; + config = { + config, + pkgs, + ... + }: { + system.stateVersion = "unstable"; + networking.firewall.allowedTCPPorts = [6969]; + networking.firewall.allowedUDPPorts = [6969 51820]; + users.users = { + aria2.extraGroups = ["jellyfin" "nextcloud"]; + }; + services.aria2 = { + enable = true; + downloadDir = "/var/lib/media"; + rpcListenPort = 6969; + }; + networking.wg-quick.interfaces = { + wg0 = { + postUp = '' + # Mark packets on the wg0 interface + wg set wg0 fwmark 51820 + + # Forbid anything else which doesn't go through wireguard VPN on + # ipV4 and ipV6 + ${pkgs.iptables}/bin/iptables -A OUTPUT \ + ! -d 192.168.0.0/16 \ + ! -o wg0 \ + -m mark ! --mark $(wg show wg0 fwmark) \ + -m addrtype ! --dst-type LOCAL \ + -j REJECT + ${pkgs.iptables}/bin/ip6tables -A OUTPUT \ + ! -o wg0 \ + -m mark ! --mark $(wg show wg0 fwmark) \ + -m addrtype ! --dst-type LOCAL \ + -j REJECT + ${pkgs.iptables}/bin/iptables -I OUTPUT -o lo -p tcp \ + --dport 6969 -m state --state NEW,ESTABLISHED -j ACCEPT + ${pkgs.iptables}/bin/iptables -I OUTPUT -s 192.168.100.10/24 -d 192.168.100.11/24 \ + -j ACCEPT + ''; + postDown = '' + ${pkgs.iptables}/bin/iptables -D OUTPUT \ + ! -o wg0 \ + -m mark ! --mark $(wg show wg0 fwmark) \ + -m addrtype ! 
--dst-type LOCAL \ + -j REJECT + ${pkgs.iptables}/bin/ip6tables -D OUTPUT \ + ! -o wg0 -m mark \ + ! --mark $(wg show wg0 fwmark) \ + -m addrtype ! --dst-type LOCAL \ + -j REJECT + ''; + + address = ["10.2.0.2/32"]; + dns = ["10.2.0.1"]; + privateKeyFile = "/var/lib/wg/private-key"; + + peers = [ + { + publicKey = "7A19/lMrfmpFZARivC7FS8DcGxMn5uUq9LcOqFjzlDo="; + allowedIPs = ["0.0.0.0/0"]; + endpoint = "185.159.158.182:51820"; + persistentKeepalive = 25; + } + ]; + }; + }; + }; + }; +} diff --git a/modules/nixos/shared-packages/server-settings/aria2/default.nix b/modules/nixos/shared-packages/server-settings/aria2/default.nix new file mode 100644 index 0000000..e7d15bd --- /dev/null +++ b/modules/nixos/shared-packages/server-settings/aria2/default.nix @@ -0,0 +1,15 @@ +{config, ...}: { + users.users.aria2.group = "aria2"; + users.groups.aria2 = {}; + users.users.aria2.isSystemUser = true; + + sops.secrets."rpcSecret".mode = "0440"; + sops.secrets."rpcSecret".owner = config.users.users.aria2.name; + + services.aria2 = { + enable = true; + downloadDir = "/var/lib/media"; + rpcListenPort = 6969; + rpcSecretFile = config.sops.secrets."rpcSecret".path; + }; +} diff --git a/modules/nixos/shared-packages/server-settings/caddy/default.nix b/modules/nixos/shared-packages/server-settings/caddy/default.nix new file mode 100644 index 0000000..029c590 --- /dev/null +++ b/modules/nixos/shared-packages/server-settings/caddy/default.nix 
@@ -0,0 +1,56 @@ +{config, ...}: { + services.phpfpm.pools.nextcloud.settings = { + "listen.owner" = config.services.caddy.user; + "listen.group" = config.services.caddy.group; + }; + + users.users.caddy.extraGroups = ["nextcloud"]; + + services.caddy = { + enable = true; + + # Setup Nextcloud virtual host to listen on ports + virtualHosts = { + "${config.services.nextcloud.hostName}" = { + useACMEHost = "${config.services.nextcloud.hostName}"; + extraConfig = '' + redir /.well-known/carddav /remote.php/dav 301 + redir /.well-known/caldav /remote.php/dav 301 + redir /.well-known/webfinger /index.php/.well-known/webfinger 301 + redir /.well-known/nodeinfo /index.php/.well-known/nodeinfo 301 + + encode gzip + reverse_proxy localhost:9000 + header Strict-Transport-Security max-age=31536000; + @forbidden { + path /.htaccess + path /data/* + path /config/* + path /db_structure + path /.xml + path /README + path /3rdparty/* + path /lib/* + path /templates/* + path /occ + path /console.php + } + handle @forbidden { + respond 404 + } + + handle { + root * /var/www/html + php_fastcgi 127.0.0.1:9000 { + # Tells nextcloud to remove /index.php from URLs in links + env front_controller_active true + } + file_server + } + ''; + }; + "onlyoffice.gladtherescake.eu" = { + }; + }; + }; +} diff --git a/modules/nixos/shared-packages/server-settings/cinny/default.nix b/modules/nixos/shared-packages/server-settings/cinny/default.nix new file mode 100644 index 0000000..63891b4 --- /dev/null +++ b/modules/nixos/shared-packages/server-settings/cinny/default.nix @@ -0,0 +1,17 @@ +{pkgs, ...}: { + services.nginx = { + enable = true; + virtualHosts = { + "cinny.gladtherescake.eu" = { + root = "${pkgs.cinny}"; + ## Force HTTP redirect to HTTPS + forceSSL = true; + ## LetsEncrypt + enableACME = true; + locations."/" = { + index = "index.html"; + }; + }; + }; + }; +} 
diff --git a/modules/nixos/shared-packages/server-settings/conduit/default.nix b/modules/nixos/shared-packages/server-settings/conduit/default.nix new file mode 100644 index 0000000..09268ee --- /dev/null +++ b/modules/nixos/shared-packages/server-settings/conduit/default.nix 
@@ -0,0 +1,153 @@ +{ + config, + pkgs, + ... +}: let + # You'll need to edit these values + # The hostname that will appear in your user and room IDs + server_name = "matrix.gladtherescake.eu"; + + # An admin email for TLS certificate notifications + admin_email = "letsencrypt@gladtherescake.eu"; + + # These ones you can leave alone + + # Build a dervation that stores the content of `${server_name}/.well-known/matrix/server` + well_known_server = pkgs.writeText "well-known-matrix-server" '' + { + "m.server": "${server_name}" + } + ''; + + # Build a dervation that stores the content of `${server_name}/.well-known/matrix/client` + well_known_client = pkgs.writeText "well-known-matrix-client" '' + { + "m.homeserver": { + "base_url": "https://${server_name}" + } + } + ''; +in { + # Configure continuwuity itself + services.matrix-continuwuity = { + enable = true; + + settings.global = { + inherit server_name; + allow_registration = false; + # emergency_password = "testpassword"; + turn_uris = ["turn:turn.gladtherescake.eu.url?transport=udp" "turn:turn.gladtherescake.eu?transport=tcp"]; + turn_secret = "cPKWEn4Fo5TAJoE7iX3xeVOaMVE4afeRN1iRGWYfbkWbkaZMxTpnmazHyH6c6yXT"; + well_known = { + server = "matrix.gladtherescake.eu:443"; + client = "https://matrix.gladtherescake.eu"; + }; + }; + }; + + # Configure automated TLS acquisition/renewal + security.acme = { + acceptTerms = true; + defaults = { + email = admin_email; + }; + }; + + # ACME data must be readable by the NGINX user + users.users.nginx.extraGroups = [ + "acme" + ]; + + # Configure NGINX as a reverse proxy + services.nginx = { + enable = true; + + virtualHosts = { + "${server_name}" = { + forceSSL = true; + enableACME = true; + + listen = [ + { + addr = "0.0.0.0"; + port = 443; + ssl = true; + } + { + addr = "[::]"; + port = 443; + ssl = true; + } + { + addr = "0.0.0.0"; + port = 8448; + ssl = true; + } + { + addr = "[::]"; + port = 8448; + ssl = true; + } + ]; + + locations."/_matrix/" = { + proxyPass = 
"http://backend_continuwuity"; + proxyWebsockets = true; + extraConfig = '' + proxy_set_header Host $host; + proxy_buffering off; + ''; + }; + locations."=/.well-known/matrix/server" = { + # Use the contents of the derivation built previously + alias = "${well_known_server}"; + + extraConfig = '' + # Set the header since by default NGINX thinks it's just bytes + default_type application/json; + ''; + }; + + locations."=/.well-known/matrix/client" = { + # Use the contents of the derivation built previously + alias = "${well_known_client}"; + return = "200 '{\"m.homeserver\": {\"base_url\": \"https://${server_name}\"}, \"org.matrix.msc3575.proxy\": {\"url\": \"https://${server_name}\"}}'"; + + extraConfig = '' + # Set the header since by default NGINX thinks it's just bytes + default_type application/json; + + # https://matrix.org/docs/spec/client_server/r0.4.0#web-browser-clients + add_header Access-Control-Allow-Origin "*"; + ''; + }; + locations."/_matrix/client/unstable/org.matrix.msc3575/sync" = { + proxyPass = "http://matrix.gladtherescake.eu/client/unstable/org.matrix.msc3575/sync"; + proxyWebsockets = true; + recommendedProxySettings = false; + return = "200 '{\"contacts\": [{\"matrix_id\": \"@admin:server.name\", \"email_address\": \"admin@server.name\", \"role\": \"m.role.admin\"}]}'"; + extraConfig = '' + proxy_set_header Host $host; + proxy_buffering off; + ''; + }; + + extraConfig = '' + merge_slashes off; + ''; + }; + }; + + upstreams = { + "backend_continuwuity" = { + servers = { + "[::1]:${toString config.services.matrix-continuwuity.settings.global.port}" = {}; + }; + }; + }; + }; + + # Open firewall ports for HTTP, HTTPS, and Matrix federation + networking.firewall.allowedTCPPorts = [80 443 8448]; + networking.firewall.allowedUDPPorts = [80 443 8448]; +} diff --git a/modules/nixos/shared-packages/server-settings/coturn/default.nix b/modules/nixos/shared-packages/server-settings/coturn/default.nix new file mode 100644 index 0000000..db36913 
--- /dev/null +++ b/modules/nixos/shared-packages/server-settings/coturn/default.nix @@ -0,0 +1,44 @@ +{config, ...}: { + sops.secrets."coturn-auth-secret".mode = "0440"; + sops.secrets."coturn-auth-secret".owner = config.users.users.turnserver.name; + users.users.nginx.extraGroups = ["turnserver"]; + services.coturn = { + enable = true; + use-auth-secret = true; + static-auth-secret-file = config.sops.secrets."coturn-auth-secret".path; + realm = "turn.gladtherescake.eu"; + relay-ips = [ + "62.171.160.195" + "2a02:c207:2063:2448::1" + ]; + extraConfig = " + cipher-list=\"HIGH\" + no-loopback-peers + no-multicast-peers + "; + secure-stun = true; + cert = "/var/lib/acme/turn.gladtherescake.eu/fullchain.pem"; + pkey = "/var/lib/acme/turn.gladtherescake.eu/key.pem"; + min-port = 49152; + max-port = 49999; + }; + + # setup certs + services.nginx = { + enable = true; + virtualHosts = { + "turn.gladtherescake.eu" = { + forceSSL = true; + enableACME = true; + }; + }; + }; + + # share certs with coturn and restart on renewal + security.acme.certs = { + "turn.gladtherescake.eu" = { + group = "turnserver"; + postRun = "systemctl reload nginx.service; systemctl restart coturn.service"; + }; + }; +} diff --git a/modules/nixos/shared-packages/server-settings/dashboard/default.nix b/modules/nixos/shared-packages/server-settings/dashboard/default.nix new file mode 100644 index 0000000..7bbb7fc --- /dev/null +++ b/modules/nixos/shared-packages/server-settings/dashboard/default.nix @@ -0,0 +1,8 @@ +{...}: { + imports = [ + ./grafana + #./loki + ./prometheus + ./telegraf + ]; +} diff --git a/modules/nixos/shared-packages/server-settings/dashboard/grafana/default.nix b/modules/nixos/shared-packages/server-settings/dashboard/grafana/default.nix new file mode 100644 index 0000000..41f696e --- /dev/null +++ b/modules/nixos/shared-packages/server-settings/dashboard/grafana/default.nix 
@@ -0,0 +1,44 @@ +{config, ...}: { + # grafana configuration + services.grafana = { + enable = true; + settings.server = { + domain = "grafana.lillianviolet.dev"; + http_port = 2342; + http_addr = "127.0.0.1"; + }; + provision = { + datasources.settings = { + apiVersion = 1; + datasources = [ + { + name = "Prometheus"; + type = "prometheus"; + access = "proxy"; + url = "http://localhost:${toString config.services.prometheus.port}"; + isDefault = true; + } + { + name = "Loki"; + type = "loki"; + access = "proxy"; + url = "http://localhost:3100"; + isDefault = true; + } + ]; + }; + }; + }; + + # nginx reverse proxy + services.nginx.virtualHosts.${config.services.grafana.settings.server.domain} = { + ## Force HTTP redirect to HTTPS + forceSSL = true; + ## LetsEncrypt + enableACME = true; + locations."/" = { + proxyPass = "http://${toString config.services.grafana.settings.server.http_addr}:${toString config.services.grafana.settings.server.http_port}"; + proxyWebsockets = true; + }; + }; +} diff --git a/modules/nixos/shared-packages/server-settings/dashboard/loki/default.nix b/modules/nixos/shared-packages/server-settings/dashboard/loki/default.nix new file mode 100644 index 0000000..e83159b --- /dev/null +++ b/modules/nixos/shared-packages/server-settings/dashboard/loki/default.nix @@ -0,0 +1,6 @@ +{...}: { + services.loki = { + enable = true; + configFile = ./loki.yaml; + }; +} diff --git a/modules/nixos/shared-packages/server-settings/dashboard/loki/loki.yaml b/modules/nixos/shared-packages/server-settings/dashboard/loki/loki.yaml new file mode 100644 index 0000000..d0e9699 --- /dev/null +++ b/modules/nixos/shared-packages/server-settings/dashboard/loki/loki.yaml 
@@ -0,0 +1,40 @@ +# Enables authentication through the X-Scope-OrgID header, which must be present +# if true. If false, the OrgID will always be set to "fake". +auth_enabled: false + +server: + http_listen_address: "0.0.0.0" + http_listen_port: 3100 + +ingester: + lifecycler: + address: "127.0.0.1" + ring: + kvstore: + store: inmemory + replication_factor: 1 + final_sleep: 0s + chunk_idle_period: 5m + chunk_retain_period: 30s + +schema_config: + configs: + - from: 2020-05-15 + store: boltdb + object_store: filesystem + schema: v11 + index: + prefix: index_ + period: 168h + +storage_config: + boltdb: + directory: /tmp/loki/index + + filesystem: + directory: /tmp/loki/chunks + +limits_config: + enforce_metric_name: false + reject_old_samples: true + reject_old_samples_max_age: 168h \ No newline at end of file diff --git a/modules/nixos/shared-packages/server-settings/dashboard/prometheus/default.nix b/modules/nixos/shared-packages/server-settings/dashboard/prometheus/default.nix new file mode 100644 index 0000000..fd08b3e --- /dev/null +++ b/modules/nixos/shared-packages/server-settings/dashboard/prometheus/default.nix @@ -0,0 +1,34 @@ +{config, ...}: { + services.prometheus = { + enable = true; + port = 9001; + # Export the current system metrics + exporters = { + node = { + enable = true; + enabledCollectors = ["systemd"]; + port = 9002; + }; + }; + scrapeConfigs = [ + # Scrape the current system + { + job_name = "GrafanaService system"; + static_configs = [ + { + targets = ["127.0.0.1:${toString config.services.prometheus.exporters.node.port}"]; + } + ]; + } + # Scrape the Loki service + { + job_name = "Loki service"; + static_configs = [ + { + targets = ["127.0.0.1:3100"]; + } + ]; + } + ]; + }; +} diff --git a/modules/nixos/shared-packages/server-settings/dashboard/telegraf/default.nix b/modules/nixos/shared-packages/server-settings/dashboard/telegraf/default.nix new file mode 100644 index 0000000..591e279 --- /dev/null 
+++ b/modules/nixos/shared-packages/server-settings/dashboard/telegraf/default.nix @@ -0,0 +1,49 @@ +{config, ...}: { + sops.secrets."grafana-telegraf-key".mode = "0440"; + sops.secrets."grafana-telegraf-key".owner = config.users.users.telegraf.name; + services.telegraf = { + enable = true; + extraConfig = { + agent = { + interval = "10s"; + round_interval = true; + metric_batch_size = 1000; + metric_buffer_limit = 10000; + collection_jitter = "0s"; + flush_interval = "10s"; + flush_jitter = "0s"; + precision = ""; + debug = false; + quiet = false; + logfile = ""; + hostname = "queen"; + omit_hostname = false; + }; + inputs = { + cpu = { + percpu = true; + totalcpu = true; + collect_cpu_time = false; + report_active = false; + core_tags = false; + }; + disk = { + ignore_fs = ["tmpfs" "devtmpfs" "devfs" "overlay" "aufs" "squashfs"]; + }; + diskio = {}; + kernel = {}; + mem = {}; + system = {}; + }; + outputs = { + websocket = { + url = "ws://localhost:${toString config.services.prometheus.port}/api/live/push/telegraf"; + data_format = "influx"; + headers = { + Authorisation = "Bearer glsa_lqpcKV34Pp0d7eIhKN79E2HTwzWWwN4m_fe64e398"; + }; + }; + }; + }; + }; +} diff --git a/modules/nixos/shared-packages/server-settings/default.nix b/modules/nixos/shared-packages/server-settings/default.nix new file mode 100644 index 0000000..9c129cb --- /dev/null +++ b/modules/nixos/shared-packages/server-settings/default.nix @@ -0,0 +1,19 @@ +{...}: { + imports = [ + ./conduit + ./forgejo + ./gotosocial + ./mail-server + ./nextcloud + # ./phanpy + ./postgres + ./roundcube + ./coturn + # ./dashboard + #./cinny + #./firefox-sync + ./writefreely + ./mollysocket + ./jellyfin + ]; +} diff --git a/modules/nixos/shared-packages/server-settings/firefox-sync/default.nix b/modules/nixos/shared-packages/server-settings/firefox-sync/default.nix new file mode 100644 index 0000000..a97abf3 --- /dev/null +++ b/modules/nixos/shared-packages/server-settings/firefox-sync/default.nix 
@@ -0,0 +1,30 @@ +{ + config, + pkgs, + ... +}: let + port = 5126; +in { + sops.secrets."sync-secrets".mode = "0440"; + sops.secrets."sync-secrets".owner = config.users.users.firefox-syncserver.name; + + users.groups.firefox-syncserver = {}; + users.users.firefox-syncserver = { + isSystemUser = true; + group = "firefox-syncserver"; + extraGroups = [config.users.groups.keys.name]; + }; + + services.mysql.package = pkgs.mariadb; + services.firefox-syncserver = { + enable = true; + secrets = config.sops.secrets."sync-secrets".path; + singleNode = { + enable = true; + hostname = "sync.gladtherescake.eu"; + url = "http://localhost:${toString port}"; + enableNginx = true; + enableTLS = true; + }; + }; +} diff --git a/modules/nixos/shared-packages/server-settings/forgejo/default.nix b/modules/nixos/shared-packages/server-settings/forgejo/default.nix new file mode 100644 index 0000000..b4efc44 --- /dev/null +++ b/modules/nixos/shared-packages/server-settings/forgejo/default.nix 
@@ -0,0 +1,71 @@ +{pkgs, ...}: { + imports = []; + + #sops.secrets."mailpassunhash".mode = "0440"; + #sops.secrets."mailpassunhash".owner = config.users.users.virtualMail.name; + + services.forgejo = { + enable = true; + #TODO: different mail passwords for different services + #mailerPasswordFile = config.sops.secrets."mailpassunhash".path; + database = { + type = "postgres"; + }; + settings = { + "cron.sync_external_users" = { + RUN_AT_START = true; + SCHEDULE = "@every 24h"; + UPDATE_EXISTING = true; + }; + mailer = { + ENABLED = true; + PROTOCOL = "sendmail"; + FROM = "no-reply@git.lillianviolet.dev"; + SENDMAIL_PATH = "${pkgs.system-sendmail}/bin/sendmail"; + SENDMAIL_ARGS = "-bs"; + }; + repository = { + ENABLE_PUSH_CREATE_USER = true; + }; + federation = { + ENABLED = true; + }; + other = { + SHOW_FOOTER_VERSION = false; + }; + service.DISABLE_REGISTRATION = true; + server = { + DOMAIN = "git.lillianviolet.dev"; + ROOT_URL = "https://git.lillianviolet.dev/"; + HTTP_PORT = 3218; + }; + "markup.jupyter" = { + ENABLED = true; + FILE_EXTENSIONS = ".ipynb"; + RENDER_COMMAND = "${pkgs.jupyter}/bin/jupyter nbconvert --stdout --to html --template full"; + IS_INPUT_FILE = true; + RENDER_CONTENT_MODE = "no-sanitizer"; + }; + "markup.sanitizer.jupyter0" = { + ELEMENT = "div"; + ALLOW_ATTR = "class"; + REGEXP = ""; + }; + "markup.sanitizer.jupyter0.img" = { + ALLOW_DATA_URI_IMAGES = true; + }; + }; + }; + + services.nginx = { + virtualHosts = { + "git.lillianviolet.dev" = { + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://localhost:3218"; + }; + }; + }; + }; +} diff --git a/modules/nixos/shared-packages/server-settings/gotosocial/default.nix b/modules/nixos/shared-packages/server-settings/gotosocial/default.nix new file mode 100644 index 0000000..3740c15 --- /dev/null +++ b/modules/nixos/shared-packages/server-settings/gotosocial/default.nix 
@@ -0,0 +1,43 @@ +{pkgs, ...}: { + users.users.gotosocial.extraGroups = ["virtualMail"]; + + services.nginx = { + virtualHosts = { + "social.gladtherescake.eu" = { + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://localhost:4257"; + }; + }; + }; + }; + + services.gotosocial = { + enable = true; + package = pkgs.gotosocial; + setupPostgresqlDB = true; + settings = { + application-name = "gotosocial"; + host = "social.gladtherescake.eu"; + bind-address = "localhost"; + port = 4257; + protocol = "https"; + storage-local-base-path = "/var/lib/gotosocial/storage"; + instance-languages = ["en-gb" "nl"]; + media-image-max-size = 41943040; + media-video-max-size = 209715200; + media-description-max-chars = 2000; + #smtp-host = "localhost"; + #smtp-port = 587; + #smtp-username = "no-reply@social.gladtherescake.eu"; + #smtp-password = config.sops.secrets."mailpassunhash".path; + #smtp-from = "no-reply@social.gladtherescake.eu"; + }; + }; + + systemd.services."gotosocial" = { + requires = ["postgresql.service"]; + after = ["postgresql.service"]; + }; +} diff --git a/modules/nixos/shared-packages/server-settings/jellyfin/default.nix b/modules/nixos/shared-packages/server-settings/jellyfin/default.nix new file mode 100644 index 0000000..d172e97 --- /dev/null +++ b/modules/nixos/shared-packages/server-settings/jellyfin/default.nix @@ -0,0 +1,20 @@ +{...}: { + services.nginx = { + virtualHosts = { + "video.gladtherescake.eu" = { + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://localhost:8096"; + proxyWebsockets = true; # needed if you need to use WebSocket + }; + }; + }; + }; + + services.jellyfin = { + enable = true; + user = "nextcloud"; + group = "nextcloud"; + }; +} diff --git a/modules/nixos/shared-packages/server-settings/mail-server/default.nix b/modules/nixos/shared-packages/server-settings/mail-server/default.nix new file mode 100644 index 0000000..ae56e4c --- /dev/null 
+++ b/modules/nixos/shared-packages/server-settings/mail-server/default.nix 
@@ -0,0 +1,108 @@ +{config, ...}: { + sops.secrets."mailpass".mode = "0440"; + sops.secrets."mailpass".owner = config.users.users.virtualMail.name; + + #Fix for the dovecot update + # services.dovecot2.sieve.extensions = ["fileinto"]; + + mailserver = { + stateVersion = 3; + enable = true; + enableImap = true; + enableSubmission = true; + fqdn = "mail.gladtherescake.eu"; + domains = [ + "nextcloud.gladtherescake.eu" + "akkoma.gladtherescake.eu" + "social.gladtherescake.eu" + "gladtherescake.eu" + "lillianviolet.dev" + "git.lillianviolet.dev" + ]; + + loginAccounts = { + "me@gladtherescake.eu" = { + hashedPasswordFile = config.sops.secrets."mailpass".path; + aliases = [ + "@gladtherescake.eu" + ]; + catchAll = [ + "gladtherescake.eu" + ]; + }; + "no-reply@nextcloud.gladtherescake.eu" = { + hashedPasswordFile = config.sops.secrets."mailpass".path; + }; + "no-reply@akkoma.gladtherescake.eu" = { + hashedPasswordFile = config.sops.secrets."mailpass".path; + }; + "no-reply@social.gladtherescake.eu" = { + hashedPasswordFile = config.sops.secrets."mailpass".path; + }; + "info@lillianviolet.dev" = { + hashedPasswordFile = config.sops.secrets."mailpass".path; + aliases = [ + "@lillianviolet.dev" + ]; + catchAll = [ + "lillianviolet.dev" + ]; + }; + "no-reply@git.lillianviolet.dev" = { + hashedPasswordFile = config.sops.secrets."mailpass".path; + }; + }; + + mailboxes = { + All = { + auto = "subscribe"; + specialUse = "All"; + }; + Archive = { + auto = "subscribe"; + specialUse = "Archive"; + }; + Drafts = { + auto = "subscribe"; + specialUse = "Drafts"; + }; + Junk = { + auto = "subscribe"; + specialUse = "Junk"; + }; + Sent = { + auto = "subscribe"; + specialUse = "Sent"; + }; + Trash = { + auto = "no"; + specialUse = "Trash"; + }; + }; + + rejectRecipients = [ + "no-reply@nextcloud.gladtherescake.eu" + "no-reply@akkoma.gladtherescake.eu" + "no-reply@social.gladtherescake.eu" + "no-reply@git.lillianviolet.dev" + "ongebonden@gladtherescake.eu" + 
"teluyep_canoja_52868396@gladtherescake.eu" + "me.belsimpel@gladtherescake.eu" + "me.tele2@gladtherescake.eu" + "me+tele2@gladtherescake.eu" + "me.archiveorg@gladtherescake.eu" + ]; + x509.useACMEHost = config.mailserver.fqdn; + }; + security.acme.certs.${config.mailserver.fqdn} = { + webroot = "/var/lib/acme/acme-challenge/"; + extraDomainNames = [ + "imap.lillianviolet.dev" + "mail.lillianviolet.dev" + "pop3.lillianviolet.dev" + "lillianviolet.dev" + "gladtherescake.eu" + "mail.gladtherescake.eu" + ]; + }; +} diff --git a/modules/nixos/shared-packages/server-settings/mollysocket/default.nix b/modules/nixos/shared-packages/server-settings/mollysocket/default.nix new file mode 100644 index 0000000..1d445ea --- /dev/null +++ b/modules/nixos/shared-packages/server-settings/mollysocket/default.nix @@ -0,0 +1,25 @@ +{config, ...}: { + sops.secrets."mollysocket-vapid-key".mode = "0440"; + + services.mollysocket = { + enable = true; + environmentFile = config.sops.secrets."mollysocket-vapid-key".path; + settings = { + port = 4381; + allowed_endpoints = ["https://molly.gladtherescake.eu" "https://nextcloud.gladtherescake.eu"]; + allowed_uuids = ["db639f29-b7e7-431a-9c75-bcdcb87b6bdf"]; + webserver = true; + }; + }; + services.nginx = { + virtualHosts = { + "molly.gladtherescake.eu" = { + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://localhost:4381"; + }; + }; + }; + }; +} diff --git a/modules/nixos/shared-packages/server-settings/nextcloud/default.nix b/modules/nixos/shared-packages/server-settings/nextcloud/default.nix new file mode 100644 index 0000000..8afd0e5 --- /dev/null +++ b/modules/nixos/shared-packages/server-settings/nextcloud/default.nix 
@@ -0,0 +1,126 @@ +{ + config, + pkgs, + ... +}: { + sops.secrets."nextcloudadmin".mode = "0440"; + sops.secrets."nextcloudadmin".owner = config.users.users.nextcloud.name; + sops.secrets."nextclouddb".mode = "0440"; + sops.secrets."nextclouddb".owner = config.users.users.nextcloud.name; + # sops.secrets."local.json".mode = "0440"; + # sops.secrets."local.json".owner = config.users.users.onlyoffice.name; + + users.users = { + # nextcloud.extraGroups = [config.users.groups.keys.name config.users.users.onlyoffice.name]; + nextcloud.extraGroups = [config.users.groups.keys.name]; + #aria2.extraGroups = ["nextcloud"]; + # onlyoffice.extraGroups = [config.users.users.nextcloud.name]; + }; + + # Enable Nginx + services.nginx = { + enable = true; + + # Use recommended settings + recommendedGzipSettings = true; + recommendedOptimisation = true; + recommendedProxySettings = true; + recommendedTlsSettings = true; + + # Only allow PFS-enabled ciphers with AES256 + sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL"; + + # Setup Nextcloud virtual host to listen on ports + virtualHosts = { + "nextcloud.gladtherescake.eu" = { + ## Force HTTP redirect to HTTPS + forceSSL = true; + ## LetsEncrypt + enableACME = true; + }; + "onlyoffice.gladtherescake.eu" = { + forceSSL = true; + enableACME = true; + }; + }; + }; + + # Actual Nextcloud Config + services.nextcloud = { + enable = true; + hostName = "nextcloud.gladtherescake.eu"; + + package = pkgs.nextcloud33; + + # Use HTTPS for links + https = true; + + # Auto-update Nextcloud Apps + autoUpdateApps.enable = true; + # Set what time makes sense for you + autoUpdateApps.startAt = "05:00:00"; + configureRedis = true; + maxUploadSize = "16G"; + + #Increase opcache string buffer + phpOptions."opcache.interned_strings_buffer" = "23"; + # Further forces Nextcloud to use HTTPS + settings = { + overwriteprotocol = "https"; + default_phone_region = "NL"; + maintenance_window_start = 3; + log_type = "file"; + }; + appstoreEnable = true; + 
extraAppsEnable = true; + #extraApps = with config.services.nextcloud.package.packages.apps; { + # List of apps we want to install and are already packaged in + # https://github.com/NixOS/nixpkgs/blob/master/pkgs/servers/nextcloud/packages/nextcloud-apps.json + # inherit calendar contacts deck forms notes onlyoffice polls twofactor_nextcloud_notification unsplash; + #}; + + config = { + # Nextcloud PostegreSQL database configuration, recommended over using SQLite + dbtype = "pgsql"; + dbuser = "nextcloud"; + dbhost = "/run/postgresql"; # nextcloud will add /.s.PGSQL.5432 by itself + dbname = "nextcloud"; + dbpassFile = config.sops.secrets."nextclouddb".path; + + adminpassFile = config.sops.secrets."nextcloudadmin".path; + adminuser = "GLaDTheresCake"; + }; + }; + + # services.onlyoffice = { + # port = 16783; + # enable = true; + # hostname = "onlyoffice.gladtherescake.eu"; + # #postgresHost = "/run/postgesql"; + # #postgresUser = "onlyoffice"; + # #postgresName = "onlyoffice"; + # #jwtSecretFile = config.sops.secrets."local.json".path; + # }; + + # services.rabbitmq = { + # enable = true; + # }; + + systemd.services."sops-nix.service" = { + before = [ + "nextcloud-setup.service" + "postgresql.service" + "onlyoffice-converter.service" + "onlyoffice-docservice.service" + "nginx.service" + "phpfpm-nextcloud.service" + "redis-nextcloud.service" + ]; + }; + + # Ensure that postgres is running before running the setup + systemd.services."nextcloud-setup" = { + requires = ["postgresql.service"]; + after = ["postgresql.service"]; + }; +} diff --git a/modules/nixos/shared-packages/server-settings/ombi/default.nix b/modules/nixos/shared-packages/server-settings/ombi/default.nix new file mode 100644 index 0000000..c82156c --- /dev/null +++ b/modules/nixos/shared-packages/server-settings/ombi/default.nix 
@@ -0,0 +1,55 @@ +{...}: { + users.users = { + ombi.extraGroups = ["radarr" "sonarr" "aria2" "nextcloud"]; + }; + services.ombi = { + enable = true; + port = 2368; + }; + + users.users = { + radarr.extraGroups = ["aria2" "nextcloud"]; + sonarr.extraGroups = ["aria2" "nextcloud"]; + }; + + services = { + #uses port 7878 + radarr.enable = true; + #uses port 8989 + sonarr.enable = true; + prowlarr.enable = true; + }; + + services.nginx = { + virtualHosts = { + "ombi.gladtherescake.eu" = { + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://localhost:2368"; + }; + }; + "radarr.gladtherescake.eu" = { + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://localhost:7878"; + }; + }; + "sonarr.gladtherescake.eu" = { + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://localhost:8989"; + }; + }; + "prowlarr.gladtherescake.eu" = { + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://localhost:9696"; + }; + }; + }; + }; +} diff --git a/modules/nixos/shared-packages/server-settings/phanpy/default.nix b/modules/nixos/shared-packages/server-settings/phanpy/default.nix new file mode 100644 index 0000000..362f8f7 --- /dev/null +++ b/modules/nixos/shared-packages/server-settings/phanpy/default.nix @@ -0,0 +1,17 @@ +{pkgs, ...}: { + services.nginx = { + enable = true; + virtualHosts = { + "phanpy.gladtherescake.eu" = { + root = "${pkgs.phanpy}"; + ## Force HTTP redirect to HTTPS + forceSSL = true; + ## LetsEncrypt + enableACME = true; + locations."/" = { + index = "index.html"; + }; + }; + }; + }; +} diff --git a/modules/nixos/shared-packages/server-settings/postgres/default.nix b/modules/nixos/shared-packages/server-settings/postgres/default.nix new file mode 100644 index 0000000..0a3e4f6 --- /dev/null +++ b/modules/nixos/shared-packages/server-settings/postgres/default.nix 
@@ -0,0 +1,38 @@ +{pkgs, ...}: { + services.postgresql = { + # https://nixos.org/manual/nixos/stable/#module-postgresql + package = pkgs.postgresql_16; + enable = true; + + # Ensure the database, user, and ownership is set + ensureDatabases = [ + "nextcloud" + "onlyoffice" + "akkoma" + "gotosocial" + "gitea" + ]; + ensureUsers = [ + { + name = "nextcloud"; + ensureDBOwnership = true; + } + { + name = "onlyoffice"; + ensureDBOwnership = true; + } + { + name = "akkoma"; + ensureDBOwnership = true; + } + { + name = "gotosocial"; + ensureDBOwnership = true; + } + { + name = "gitea"; + ensureDBOwnership = true; + } + ]; + }; +} diff --git a/modules/nixos/shared-packages/server-settings/postgres/upgrade.nix b/modules/nixos/shared-packages/server-settings/postgres/upgrade.nix new file mode 100644 index 0000000..081a123 --- /dev/null +++ b/modules/nixos/shared-packages/server-settings/postgres/upgrade.nix @@ -0,0 +1,36 @@ +{ + config, + pkgs, + ... +}: { + environment.systemPackages = [ + (let + # XXX specify the postgresql package you'd like to upgrade to. + # Do not forget to list the extensions you need. + newPostgres = pkgs.postgresql_16.withPackages (pp: [ + # pp.plv8 + ]); + in + pkgs.writeScriptBin "upgrade-pg-cluster" '' + set -eux + # XXX it's perhaps advisable to stop all services that depend on postgresql + systemctl stop postgresql + + export NEWDATA="/var/lib/postgresql/${newPostgres.psqlSchema}" + + export NEWBIN="${newPostgres}/bin" + + export OLDDATA="${config.services.postgresql.dataDir}" + export OLDBIN="${config.services.postgresql.package}/bin" + + install -d -m 0700 -o postgres -g postgres "$NEWDATA" + cd "$NEWDATA" + sudo -u postgres $NEWBIN/initdb -D "$NEWDATA" + + sudo -u postgres $NEWBIN/pg_upgrade \ + --old-datadir "$OLDDATA" --new-datadir "$NEWDATA" \ + --old-bindir $OLDBIN --new-bindir $NEWBIN \ + "$@" + '') + ]; +} 
diff --git a/modules/nixos/shared-packages/server-settings/roundcube/default.nix b/modules/nixos/shared-packages/server-settings/roundcube/default.nix new file mode 100644 index 0000000..59ee43d --- /dev/null +++ b/modules/nixos/shared-packages/server-settings/roundcube/default.nix @@ -0,0 +1,39 @@ +{ + config, + pkgs, + ... +}: { + # TODO: Figure out how to create packages for some plugins for roundcube! + # https://packagist.org/search/?query=roundcube + # https://discourse.nixos.org/t/roundcube-with-plugins/28292/7 + services.roundcube = { + enable = true; + package = pkgs.roundcube.withPlugins ( + plugins: [ + plugins.contextmenu + plugins.carddav + plugins.custom_from + plugins.persistent_login + plugins.thunderbird_labels + ] + ); + plugins = [ + "contextmenu" + "carddav" + "custom_from" + "persistent_login" + "thunderbird_labels" + ]; + + # this is the url of the vhost, not necessarily the same as the fqdn of + # the mailserver + hostName = "webmail.lillianviolet.dev"; + extraConfig = '' + # starttls needed for authentication, so the fqdn required to match + # the certificate + $config['smtp_server'] = "tls://${config.mailserver.fqdn}"; + $config['smtp_user'] = "%u"; + $config['smtp_pass'] = "%p"; + ''; + }; +} diff --git a/modules/nixos/shared-packages/server-settings/writefreely/default.nix b/modules/nixos/shared-packages/server-settings/writefreely/default.nix new file mode 100644 index 0000000..aeb9fa2 --- /dev/null +++ b/modules/nixos/shared-packages/server-settings/writefreely/default.nix 
@@ -0,0 +1,39 @@ +{ + config, + pkgs, + ... +}: { + sops.secrets."writefreely".mode = "0440"; + sops.secrets."writefreely".owner = config.users.users.writefreely.name; + sops.secrets."writefreelymysql".mode = "0440"; + sops.secrets."writefreelymysql".owner = config.users.users.writefreely.name; + services.writefreely = { + enable = true; + host = "writefreely.gladtherescake.eu"; + nginx.enable = true; + nginx.forceSSL = true; + acme.enable = true; + # database = { + # type = "mysql"; + # createLocally = true; + # passwordFile = config.sops.secrets."writefreelymysql".path; + # }; + admin = { + initialPasswordFile = config.sops.secrets."writefreely".path; + name = "GLaDTheresCake"; + }; + settings = { + app = { + min_username_len = 2; + max_blogs = 100; + default_visibility = "public"; + federation = true; + local_timeline = true; + }; + server.port = 1212; + }; + }; + systemd.services.writefreely = { + path = [pkgs.libressl]; + }; +} diff --git a/modules/nixos/sops/default.nix b/modules/nixos/sops/default.nix new file mode 100644 index 0000000..bb15447 --- /dev/null +++ b/modules/nixos/sops/default.nix 
@@ -0,0 +1,44 @@ +{ lib, config, ...}: +let cfg = config.sopsSetup; in { + options = { + sopsSetup.enable = lib.mkEnableOption "Enable Module"; + global.desktop= lib.mkOption { + type = lib.types.bool; + default = false; + description = "Whether or not to install shared desktop secrets."; + }; + }; + + config = lib.mkIf cfg.enable { + sops = { + age.keyFile = "/var/secrets/keys.txt"; + secrets."lillian-password".neededForUsers = true; + + defaultSopsFile = ../hosts/${config.networking.hostName}/secrets/sops.yaml; + + secrets."wg-private-key".mode = "0440"; + secrets."wg-private-key".owner = config.users.users.root.name; + + secrets."ssh-private-key" = { + mode = "0600"; + owner = config.users.users.lillian.name; + path = "/home/lillian/.ssh/id_ed25519"; + }; + }; + secrets."nextcloud-password" = lib.mkIf (cfg.desktop == true) { + mode = "0600"; + owner = config.users.users.lillian.name; + path = "/home/lillian/.netrc"; + }; + secrets."prod.keys" = lib.mkIf (cfg.desktop == true) { + mode = "0600"; + owner = config.users.users.lillian.name; + path = "/home/lillian/.config/Ryujinx/system/prod.keys"; + }; + secrets."title.keys" = lib.mkIf (cfg.desktop == true) { + mode = "0600"; + owner = config.users.users.lillian.name; + path = "/home/lillian/.config/Ryujinx/system/title.keys"; + }; + }; +} 
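Review bot: in modules/nixos/shared-packages/server-settings/nextcloud/default.nix the key `systemd.services."sops-nix.service"` generates a unit named `sops-nix.service.service`, so the `before = [ ... ]` ordering never attaches to the real sops-nix unit and the secrets are not guaranteed to exist when `nextcloud-setup.service` or `phpfpm-nextcloud.service` start; the key should be `systemd.services."sops-nix"`. The `onlyoffice.gladtherescake.eu` vhost still requests an ACME certificate while `services.onlyoffice` is commented out, leaving a TLS host that serves nothing; comment out the vhost together with the service. The `sslCiphers` override only governs TLS 1.2 suites (TLS 1.3 suites are unaffected) and `recommendedTlsSettings` already supplies a PFS-only list, so keep it only if AES256-only is a deliberate policy.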
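Review bot: in modules/nixos/shared-packages/server-settings/ombi/default.nix, adding `ombi`, `radarr` and `sonarr` to the `nextcloud` group grants more than shared media access: the `nextcloudadmin` and `nextclouddb` secrets in the nextcloud module are created with mode `0440` and owner `nextcloud`, and with sops-nix's default group (the owner's primary group) every member of the `nextcloud` group can read the Nextcloud admin and database passwords. If these services only need the data directory, grant that through a dedicated group or an ACL rather than `nextcloud` group membership, or tighten the two secrets to mode `0400`. Style: the two `users.users = { ... }` blocks in this file merge, but they read better as one block.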
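Review bot: in modules/nixos/shared-packages/server-settings/postgres/default.nix the `onlyoffice` database and role are provisioned although `services.onlyoffice` is commented out in the nextcloud module, which leaves an idle role with database ownership; drop the two entries until the service is enabled, or add a comment that they are intentionally pre-provisioned.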
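Review bot: in modules/nixos/shared-packages/server-settings/postgres/upgrade.nix `newPostgres` is `pkgs.postgresql_16` and `services.postgresql.package` is also `postgresql_16`, so with the default `dataDir` `$NEWDATA` (`/var/lib/postgresql/16`) is the live data directory: running `upgrade-pg-cluster` as written stops PostgreSQL, `initdb` then refuses the non-empty directory and `set -e` aborts, leaving the cluster stopped. Either keep this file out of the imports until a newer major version is the target, or guard the script with a check that `${newPostgres.psqlSchema}` differs from the current `psqlSchema` before `systemctl stop postgresql`. Also quote `$OLDBIN` and `$NEWBIN` in the `pg_upgrade` call as the other paths are.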
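Review bot: in modules/nixos/shared-packages/server-settings/roundcube/default.nix the plugin list is written twice, once for `pkgs.roundcube.withPlugins` and once for `services.roundcube.plugins`; bind it once in a `let` and use it in both places so the two cannot drift (a name listed in `plugins` but missing from the package only fails at runtime). The `smtp_server` entry gives no port, so Roundcube's default for `tls://` applies; state it explicitly if the mailserver's submission port is not the default.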
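Review bot: in modules/nixos/shared-packages/server-settings/writefreely/default.nix `sops.secrets."writefreelymysql"` is decrypted to disk with owner `writefreely` although its only consumer, the `database` block, is commented out; remove the secret alongside the commented block rather than leaving an unused credential materialised. `systemd.services.writefreely.path = [pkgs.libressl]` is undocumented; add a one-line comment saying what in writefreely needs it.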
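Review bot: in modules/nixos/sops/default.nix `cfg` is `config.sopsSetup` but the desktop flag is declared as `global.desktop`, so every `cfg.desktop` reference fails with a missing attribute; declare it as `sopsSetup.desktop`. The `secrets."nextcloud-password"`, `secrets."prod.keys"` and `secrets."title.keys"` definitions sit outside the `sops = { ... };` block, at `config.secrets.*`, which is not a declared option and is rejected by the module system even when `sopsSetup.enable` is false; move them inside `sops`. The `mkEnableOption "Enable Module"` argument renders as "Whether to enable Enable Module."; use a noun such as "the shared sops secrets setup". Since the flag is already a bool, `lib.mkIf cfg.desktop` is enough.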
diff --git a/modules/nixos/stylix/background.jpg b/modules/nixos/stylix/background.jpg new file mode 100644 index 0000000000000000000000000000000000000000..2ad658c36b07fc29fa67c0b790f30fa0db2541ae GIT binary patch literal 161326
z?OEc_&BFE}@-$PrO`wQxq)gp$=Q)0cwS0O?6I0gT|0r?v#Fxm>d*>IsFFbx%?#TPw znOg<7?NPqp`XuSrw&Kh=YxB?FoD=*abN!JmPmgxq)N9|8-?{Ae%}JAerkd6T+}+c4 zs{Enex7{-3!N2=7|1${9f4DL}sV7QtdCr$8<>e|T|F$kUzU;QLlyi;CTP{&;Ro6v( zDg(uvCyC13?OeWhQQ+S9NB!Rw`Y&Ad$K3OIS>GN@y|xeLIXkY;*H8L9DgN5YiBlJq z-Md(!wm;SXoyD=Wb&^Y7xm(OzwE5~u%Ok@@ylI#wR`6d;HL`iA~=(npFQd z7UH?upd?Q7$NnRAs(;$m98dO@#OzkPzF}?mo{gt1M3(4AE_IuKrYN&4bN`f0Cw*g$ z>JPIOKKQNhA?r@cjJd0CF7iBjORQexNB;w_y&X{%diOlScRYIXaa+X1No(4*4|1$~ z;l*@go)+VOQr76L``T3dOr;3Lu zZnB-#<@uy5t0XJ)lz+z-sY=rg9rg0+7ydo^87Y3ULhaGZf1qjQ)txU@Zi;@A>ilqE zp?y(6VZEV5(TQ7L+uY_&E;%k2n$#54{&(9fU(TS<*ZwJ&WqAMF$7iOKI49~w(C>fB zdYvUF>V;~B{;?lfy|89QW%AlBDIcr7e=7gG?Q4GhjcHcD-%_VMqmNlf?)#V8AAbJF z?~!ZJBCm_{*cPdLb}rq2_}I0}kv_B6x<0>r%Wu}LLequ+8Io)(vvqV zEGwljW2yV0{nImf^>1gaDHM;3sXej#!}=qo)wc>yYD}ro|L}KbvYk-(H%t3`JInn? zq}NM28eew45a#~yL4B{ZBFE9>@5()OW>%r_iHY%xclQ|+Vy{{ zj$Z%A`~L`o9;j{4zzS;GGl5(7;I=)pfRLi0LV~b?gJXb*l2Kq{fm0z%!vb*2o(a^l zf2X}faoac5@NJ=;@<7ID^*igKY0A7dzOhFd%N58 zB|ZBd)qE2%*s86vTE}eGC3mjlZI|}EzOFJe^4OZaZ*uzuHx_w`tbcytlJbs?GG)?x z7N0v5nzlW3?o+9~XMDArg7$}PPg7BvcGGFcghi80qHk1GOO;p~#x32j=-BG#kLHxC z%a^#By(p}E))f{Rnd>SZ8Nb?1?#ygIXQ#kIMXAVBW=Y2;Y_;Dqb?v^QE{&$&<$@kd z0v5H3cyW|;TF1@39yH0T!#!9eNK>Ti+>zdy9j~14Ketd;`Z96al7e3*dHE~mY|g%P z$ZDp=%i0RV@270J3qL2BTs$$kb6a%y8P_GQntj@h2L(NK-aff2xJz~4&HY}pWBBgd z2J~(W^In*8S8C?_U#6Oy)^-yk>qEUJDsR>vId$)ps&t5-=qxAa z`;!XSe9etKyl7rl+iLB)IFX|AJ&_)bM%guse_06SKV1_fvSRP& z;DyO570-Lq`)o@7_RH4w%S2qMcznd?9}dTuBXONPyJ>6S-j|a`u$_q)9rfq z8fk04JN}i5>lt@lyb*UR_4-mmoS->qfA8q0z;r<^@|_EcSN**X3vfhw)iW)C_y)-NmwGEsXo?U3i> z=qUk%HwTjxjyQ^D&a-CEx@bH@$YqZGsH{XfB$EMV??9^XA#qnad ze9fEHZ+$F7dNU?G+ac{F7QW9TC8Kmn&!jsah27*;cD{C3nQGUyHG9iS5!cH$ZpZ#T zvY)t0X;OAl(89d;mVVvqczut2JEdQ^_t%G?f*pH*2``>|G5b#8ThSApMeY;p+yuTS z-Q?EsS^Q)E<0;uE{ARAYcbM^w_tzI7^O&WF;Lb zv5Ay3UKEr+-|+qI%%4I!b=haT7kS^`Rkr53S9S2eYxNiI|3AXuCcwbR%*@Ef%*M>l z#KOwL%)rRNB*-kJXec18pZnAV|Vv<-|03dom$Iw*v_?FZvV_^ zMx4=~-iDCcwXYVj2ue>ANO`kD?sTV&`XU>NdXw9ddB$@?roAd?*6dzwe@QH1I{#IZeI2~z 
zN4U}@Bu+e=`*yv^gY-`dvvMW~W^ZsityXrwbn!GnS+U9Qy-zSz)vucIe9MhXFJ5kJ zntW3InsB`0g0IoD7w$JIHF%lDVy#_P>{0xpd*xM?*I#^6vywi4Tz~W4gKvNIxl)g< zK4<)V`^U3ZX%kZS3%D-NsWgx0IaPgN<^}a1U5$G^=1vz?-OkssbqR;CDnGYJ)Wi1q z2i_&mG@hewr{tAwAM$;!l<+DmndiG=x__30cvsFd5I((5#DD3gwI2v_TQ`7 z-*X4_qmzi7g%81gZ|=tWj)S>iA4 zwS2dkLyKoTuv*q|PcPN+KSM;GB8)fUIHcnYMPjPRZNuIzH?%Tr4j{TUG+<2?6TPfmgNV`y#Q}LX8N(EIp$+sMo zSCzV3cg*xRIdVf~!LR(LC$W}cv)pbR{;hjA-e375+ve}N|NeP$-jrUI{MBt|1@i<4 z{eY4$PH!!jafzz-{X6w+&o^tI_Ob*Ivq8 zSaQoRvyRh>g*)}rhPeS|GH-)xJo*@?dLIoIh;G^*y@*ljl+x6|;7z$!CCB+)_k5fo zuOGT|(Ftas>?fNa-s16pTpm!@?is%Md)~j(QaQ}C{?2pE(CBzrRFJ1o?6-99of&6Z zYt0MI%|)~s|(EpihTrD zU#W}l)R?4Oen!+iR=z9Za4TXO^ZpBIygYBoKKv#K-Sv+ugK3rF?#w`Ft11XuRH?blc52wCRiZ*u6?_7l6R6rKgKSa?rd;r4cc%amvA0(`6eckP6C9J(&_zN5rPdINXm*Bc%zZLj~WG2GsHdRPA~Udewix7-Zb{p^&|>=sMAxn41$ z#>JB*E{kf)@|!&P;LY!HOGK*TpHg##lFg2Q@C8cGGXzZ-8Lie7Y!Ar_`NHGit5YU> z;wS&(xwm6<@`^-e>8N}QxOO~Yv*+@a+TVTtGb}CGxcG&L<-)_edJh}^Sz%)Eo+C8# z%JRlV^?a=c8Gc^HnVX*Tzni-!+jvH=;N2}TA_A*IbPu~(ugY8QyPZFv<=GB~(kai6 zc&RTtd{@Xs>OaGh6Pf*$qWu?2{Y!gO7qjrLEzGE%qvrMZvi-~WUFmXZrG;x5%0BI4S-4@|i-)OoFXw+*P(RC{;lo#M^?-oYVN1W~^dH-M`PFX0m+v?1 zTsuK@y+DY1@JzF&K;yoSO~FfQ&ALl&XdYi})Vsd%iki{PJ-q%Q+*wC?3-&IF@-g*{ zz4~^ETv&`0{~@y(Kc<(?^Kd&SH~)p|kH+WOcJXEE?|Pe$W-m1a@?~Q9r+oo7txiZhur0sB@@=E{I zvUbxOlTWfW`g%0A^DdteKE2@8*5IeBZY5p1a(zp@=Gi4Y#Xg0*tM5;0FEsz7c!b$< zeR>;T*7NLbBK3F2dyb>6sPZLK|fLO{MtCV$7jE@`Ld zyPdA`OUbmzTzfT#J%rcI!Mbqkv64Sg97dkq!OdrE+yum)6yLbjD=0Jd%Uu5d44*@z zx^Hn_e$i`Y6vwmR@psqDEixrHdl&a^s`NXZ{BFT#zw8)}#6wn$7sa+;+3s&unb*4f zSMcqUkivf_x4hgU_gX^vF1uK}yV9IjIlON-{OD?m^#8NSq2rSm`>EiHM}p3)npZfy zJ+|6vo$_DBd^YxDZLe0E%>6rAYg0bE=9+DmbC)^I-S}gjlz^$0$t`==eP1`;I<9K+ zO7N@uOsh%TzjPc|ZHvAa_N1b+m@jVL_l`LXYpkZGc|;zFT6E}=?B!KknAY;Ke3_ym z@b1p#8;oMgI~7izDi=7UBgr0md|~+J(BiX4@4x&IEbrSmts{KreZPBO40lb@II=bB z*nv;{#p;uGvk9zp`S6*;Ibn??w}#a;u6x(7KXjXW&EH^q>aC2xypIc)hi2+IX=SzB z{b%TryOn!-=M?D${~5F%#$7AfX}InrW7Oq_1z~1?g%@;kDcyLsqmA7}#%SU3SP_@L zjOe!I64P1U-c+#U>Mz++;+t{t6w|}3f~7k329=8=ZyLVjiaW!+NNo4bFTnxD$A8rv 
zGZWi5lf$5AyF^g!wZM-uTe4V>iE|&kajW>)6Eisv-kQb9vjT+~)-m_a;8tXMp&uDH zPcAj#L+hjvyBL9jP(2AHCY`eVJ#sQ9E5FRVoRHJb_psoW-H9CzQ(m4ZTVeb?F%X%N&)-SH&s9RSfBDfll7)i=$@;GFJE8u?Ht3`SB(oZpHH3k zt4ce|W`YRQ!otk!36r1BFP{Hcd4iAW%EuAWr-IJ7tkask|5<=(V1&f?ux*PQeyuF- zw7t@l>agm?uZ4l{_APE(CH3j@iB{?B|5hElTB%y?)p{;6Nbq5A!y85Or+z94%XL*b zxV0PI^;LH$ddGFoOPRts>HYMNl|Q$c>{_>{NpX_9?sSfcSL5%>-YAY03MeSLtZ~m^ ztu8~6Td@BDwlEp4Y8fSycf!7be6qrMa&yhNJrX&X7ld7U*b*H$^XVqVD3eHQ)kPw6 zCk5(#S$1&iapqk*6-_qNGyWy7ySHK8mfP3wC#N;MIX_S0rq-`3>l2ROHEpPNdK(g2 zdUS{HF5?Y$MN59)Et+-Qf_=MWc#Pf?5uP1uo-MrcW}e5yC2xz~?bsT5bMCe?npbl8 z1h$+qx~VPSlX+P;gXiV8@J(OmWz06d6!>OUzEo`R!xwXdY9oAQCOn&?u+nOgis0Qm z_cg2M9;s40T$z2b+F0}0yqH<97I(UJUC&rHSx+^%@XH~U3D@{it8J}T+?=~J;G(LD z_^k`83|#kf#&5o6ccCh#TTY?hB-CaDzln{h0lTp@v-C>W<$>FpcWya8DJkSgF7FTb ziG9^7+3d6QMZVXcS`~5g_|$7v=S{=rcvO}A`&77@t!Co;<|x&po@bp`-psg~n&3WT z{Ja zr|9Fm-w3x!doFe@ku#x8&P>yPBA|xc*6t@7nXri%e%q zd^IV$&68R9W?9juqRP4J@@?MS|6?rYkuhnt}D+>%$uiN}u(2 z?zUU;ou$})-^sK)E$Q(kQWsTL+`aRkp<`uYgwt}v^%oP9Pf1&b`&hEIO<$R}J4K?E zU4y~m@6n6>M|Yfh$Ze@TOVs2=L*a#$+^<$KynH9VD(3CPlj%7o>P|YPvNwNK>N*Ka z9Ip5=?Sb9p+mmvvJNH~}?p@d8ZW6h|>dn0?Up~o(9>|#UpJCJ93tZ=IR4jjja(lSa^^UR&-?H{+e0bdcDE;*2_GO_FKPQ|k+dID`QgZ5VNtv>H3wlGk$4)D;3^%^Hf6=x(-{a4%E0ZwQW@0;k^E9uU^+VTn0>Sf@ zW%l%muAFZ3^LcuG;l66lv_=NDN``f1St7r;PC0ElcMpqu?i|0?HHy*}E9_rMwX<0- zc(~BPWr5%MUDICKY*?G&mnh$Trr2r1;pf_Ad|s^?N|rinEIIugUH6w>(4Wbf!M(_~ zO!)H2Tm#l!Q{*0}hwj<;lDn$jC4yszcI+wIi$hI?_` zYvrC_6DkvS6uW*cy8fS`g>#wQKS$SV+ZPvZm|$Rf>yo8nKvfp^gyhhMXx|;&T?=9N;SJ~^Haouk*B(lFmzt2|6pIc}BT<*S8eSCuuk-V(WXse|*{fy^^gH2&!Pd(|s+ zlTUt8sZ~RSKbL-=a_i)E9r@A*eTQ$FZ8g-jTEI5j?ev@kO{*fg=o#UB{05E75+9tu z>g#qpcy;iK5c4fE3dcB@Q`GKUNLa(UTO;Nh3j@RMnSP~Wr}-667Mk?02u@zS>f6^F z7cXd)WClEtviTBrzk27bzPH<2WzL7PI67```>yfcxUMzoThpAg3CFJAH~(X;D6gX6 zbZ%e4wNBNTH&>ojX>y*syz60Ej{!nn_>W?z?!s%lDjP0Oi_3| z@1V`K*XETfb1T($d({drd1^L!$C+1wHrES+=LT+=b>qv6CcU}hJat_jk0dlM{g9oo z_UTpei$=fdmVNcD_TxKQb*|a*X|1_|ZQqT|Er+*qPUq7&HMiZGdvfyn$y0K+C2PIv z(|aSZ%tG@MZ(ue{)|J247Zq+`DtR^QW~ae+)@9L$Y~4Fz 
z;sUO9s`9@4c0BG>REpk-t+zxT7fx>2)%^GB;mqFf?O!W%e~2(nO+Vrn9Obji?4`8C z=~`=!6?u&<4!8H@xN8RfSk1Y3lDYdiDCy9QIcz-dijPqHm z7JJ2uQ(aq5aO9m@@#=U_W>H~B=H=vdA9(~+G;Zrj1aqwW_rP?KXV9A~R`a@^S$I5| zlO?lzl3Azb?PpQxT$Zcjzd261;a@u8lHd`+Cnp)53Us%Lugsjc+kD-Rz=B9c>9S)h z&h43AS6yBfE2Z>!(iwcNy$(Q2X>n|kl3@|P|YxU78Y zX@ToH8;^F$tW6&^qJD(D-1#an|t|w zYacw+w4gZl-0JqUK&~6n*B`JJZ+T)>-JSXP*HpKSmlFI=M0`rfId$y1_1mrMcU?Mq z>{wm*cb~t)-BD7HFIs+$R|?QwoSe+U8~BL#UBH45QhKK+H(W?Gy&9>nRO)6alEv7{ z=a4hi4wS~3zBdNXQ_Xw(&`P#(&xOFV@%FiWc{?tqTE3Hb(wFM(CRqI?#K!R!^eH(}7_{Sqz=5p=rrxt;y60U?|KWB};qR2loSf`5Jwwg2Y#&(8T~uPv zKkA>nAoi@#sZE}**0af8WqLL{OqQe7x_WKJzTL7L*I8!msB&8vbNxe({I$7z5C6-U z@;x|rjXEROlyjlRF8qHT>O@j6Z?aSpd%5=E?9^;)73K278<;nl1llAA%<=0g@7X?K zC);%XRoiC2e^qw*&K3O?r8$|Kq*RveJiCL>bKj9WRw6Gm^Tll!pRrPWs`fs~Qe(q* zn=7o$E_J0-laC2(+`UWJb<4s0O4qAeTUTzcDEfS2Yku}FnK!rYd6*yW)AQUced2NN zBAdwzZZn4}ob_9M>s6yvi#n^EWYIfQj>}ulP3k#&G`L_jk5ns12BSq}r62E)$yqhL zS=k#{J~S@~iFp1Y`1-EwS&C~9eU#pIqG(z0o4h&aP2?UjPfE2svZypTKq}$$HNm?Z zb_wKqV;jX{8h`XtUD)&dau0m z$->{Ie5#J%`kD7`Y~kgQS`%B;Rl@!J%3H+@w-aR|pFTZxc)rcd-Lz>_*@^I-+xnbS zXPGGdi&BtLpH<*`%DJg9&w1))y`N>hGh?^0ZSmCB+4($Z33uq%{godMI$X&;>r>2f zr?;?qA;)1y_RxLVY?X_+n`2K#2CrJZZ}`Dp5r)=O>aQ` zvXxIPSG6v8TVvko+_97C1GgK~bo00_Blb`qpQfiGcUh{MYVQiJj$Oap^Y~S6?n>Va zB^?10c}0^apWtm>TgmYHM~+o}W2TkYS0=Ca5XOh%bGdf8=-qQzo8o2i>Vt(MR{)<8 z-}#?y7jDfGi3(V8c*^y@L}wpOOO4*X>iPXso#r+QY`w{MC8J6^#&~N_F2f}|eU;#x z@4*rGs)_vg2=WTzti9fxM_xXeSLYr3O=II>JMSn?)!0Y;e-=hvYp~+C zUMOVJyT`lLcHhhk3vSMM)^+OPMZQ&Lw;X+SPjh9@D0$Mns?d@{+OTQ=Os6*+S{2W$ zdK|8rqIs==IWknYa()YI)4X5j_3BRve&pfHPr27D~V(Zrqw@(UY@!o@3r| zlh?8HvSi+Tky`P^c)<;+iz>@5S*RQm&D?qHe&|u7l^yl26$yp!W``+Ns;31jU;nWp zWaqk?s>(x;6XkL~`&MT1mbE7&mugp=o6pak`AI7MnyqSh@*MA~QE9hMI z>1N~&nY&JMsyCLo+`j8@AXvLIIng0UTP|j`?5ij5IyNmhcY3eRtMJWvmGkOeb8oU{ zbb2TGdc)+a?x8Ja44e8Y`~tE|q@^4WJl(vD*J^5so?pZv)uY~9t`pqG~-&njOck;*L;PV;91x|a9cdrte_lE!7 zjOQT*DjC~zGk5MNw7J@J-F#R3kHl{p`xxH-SoPe>tM{Su!c&hHUH)?D>X~0p3-+#y z%)FVeaw@N!yX1!4T_=&lx%qalychfxUnAS_H8M!#?7II9S}u1_9^?vDc$Rn5@2#p$ 
zlz}SORrk$LtbX3QzwgX)5WUdx@r=3c`6XiCwjW-! z^G3efmrr){&&s*qU>Dl?PS5twO@mG*Yu(%J3#z7GNqYQBHZXgud{4ongu=nZjXl zvv;q*D`@y6&LrZ7j7b(x^25~F4X1dPrM>GsSGF{xztnO{pj~*7u&&VDo9Ss?QVL4H zDhsc!?uoj3aV^)!w%nEtm)@~2Vq47HX`1CBfwjzVA<@`VIRM4J|pLOe);mBH<>@qlL;4g z3_9JsOSWgVlKd9VzJDIkyB7Vb<=0;%nlj6(p;XIKaYLoyS;i+1ub*XiP2OKptG;Nu z1m{6>O|-gRAEbm-hd3)8jRtXBGFJ`)sYNvRcXyt4k;jYpO_4PDaAdu9Zl zPuU&9q{^jZ@VxlNoRfQ(vRTc(DLehWwB}E?J4zc@P0x8)-1u+FvF6gdVQ>C;&WXsp z8gY7^Ricc0s8+IVh|;e%hDaM_$3NDqtY#J`sTBFIkj^N){88ocyDcW?b6OAb%b(i( zhkr%?rU#1mT`qj=JhM*T^J0Q)z=Bt;QHyVWk~h2gxz?<~X2arXm#$}oJ=?H@-+Sso z!K?Cob!)YY{#I(9j0h6QE(oY8bUVN>ZO23Q4c>vz!rty%muflZxanM{_Z;U?Yl{fg^4Boi@l2vh>()GO?Ds^n^U+s9QQL?olgjG27Nnc0E zv%7-3F9n#qd{JbzdSyueD&3VVUu7;txPFyc^72HzU{FVL%=NE-{9BJ7vtF@h`^I1) ztA4Y0i&a7QS0*MFq!Uh4AcMwRkaw_KeGF#prN#T%Bdb3{fh_I=Q>!_oQXTN;@|WK zD+-#QbROT$m)Ru#R&ZtWSEt837De}d6y-iy?#}CWN#NAQjNMZUFP~IC6&PR|dF%j} zWY~{c234(Z z_W0CmU$OtUY@Kky+xJ!Wf0kcbWg*{u)44@K;&sgBrsijISL8D@Up{;ErIm~AhO|mi zRL+L1rWxlhJe#vZ+2#JC{M_kITOY?|Uiu&seBjlbPnFs+;t3miEspv;^;#db&e!b2 zGJZbphOb`lE-J>bs0#-KD~F1#>s!heS~7Wo)Yd$SLq7%e0-q$`yFK%Q?rA%{uK90E znF~ApYF_p>r}hSG$K;&5lQYv%L~z9)*1`i%1ls+d$ZR=wGP7yT>faX^|5_(eq`T6; z;T0GElGh&BMD94L&0hCr%lE28c{;>F6G>+05B zDB-$gqdqG;`(x}%j&9~z_m*pE@!ot=sZ`dxCrT%0ivm}JkK)<k%*W6J06b*Ba|5dn0R?&N@MB#YJA- zKI^@9p3C6+)i+h-;};IUn_2z33(Ie3oze?%t5WzlBlcoS%FDY9{!)CI20P|>E%$i9 zm$`=dQsYgPLyc|PTc&UbT|DVOU7Nvlv0HDG+iul-t*Uvh`}`C+vRkAT{Eb?SJC_Rk z9$sgucjsE%>s`x3_nxg=b$yr9#FkfL+ho#0FIKC+vpuL5>+5jv{gWDPbJ>^sUX~`&MmztPwTV|9;TddjaZrE^j5*UoA)HqP^tw;iusC#Cads>+%NB@TBpxo$5{ zjuF@)8E$w@ekS|f#NmgqWB0vQ98Y}i>b3lKX7L%mxwSX9J1l%+{Bt5t@hZ7p{6~MD zdXT$#`L07>Mfo!doK$MVQ{Nnn@zL1#)-osY$4SR6DUWAO4=&*HH{L8=wes_gy4&T+ zUww2h&zf}StLuRnF{$^LQ;*NeWRHu>zPa3B?UN-uYHgo_S9~^Y4odV*x^S$6L8q!p zIem4+jn_%;dMg4i9$zKBxp?;al2==!*&m*};I`2F8hzoNf=Y|$*CV$!YCT&cEgs68;hq-g8oxXDZld!o z4%aJpqTbD!%$)h&CV0!7MYkrF+iu@;>-@Vg=eb`sLYA5pzkQbXZt{BWZr&I6GOh~~ zQ+`(XXgstJ=smlAzv|SNf5jKot!`Yn-*@9C%bY{+pSLz`DzljQC19_kgI2P}rjqa& 
zA7!b^^?9u(Ww&xW0%{r$2Q=R@<%pT{;Lf3yA=`K!EO?e=>QjC6eV+B|TPbrGnq@vk znaD*=?D0{GxlwQ^@6F5~OADC-J4C@9&cL*~xW&Mdpr7nTzGIJvz$| z3Orc%;g`(%jEh{)_P6gl)OTRh#+SE)zI)6Q`JVBX(Pgok)ZO6RLY?PYmN|D!PWNp* zeR6(r)8_4rnesgcxSr4aH}%aP3;8oo%9<;_Ts5^;j`xL+S0|-R__z-ZEbgI zmR@kP-}7qK1a5B4v-vJ@ZtPQ>3T%b_^HuNK?4JJMkH+k6AsII28I3mA-ffPOH7=A| z#Wcs_^NU$gN)IP)5?>*FJE7t$i+}8-$JVUcJM^aRd|?o)&7mxcH; z>zB>^s-a|-cXzp}j#8MLS;3B0exn_Y99MR?mff6?yzZ8%);`S_PS<+phvv5}IdFd2 zYMyNWP_@O&U+q}6=kK?kE$4kFxl}5ornv8D>pwC~8WT#&deSm&#HLrm|i#b7ooGE5K*NT5axrF>_CPZXmDai_IJUWXN>&S_y9O z>wV;3dV72J&DgNrkvDDLzc1JL#Bl7Xch91i61NpSZ_X8GPX1^iy-Lk$Yhgu{`kUt4 z4{uzuo+6vNG_~-G?r;4+@&AtYi=Dsd{#Io1nsxHRK5H!7-|ZFt9+{%;E%SY0e*5+p zSIXzf%zL?{qWD`xuG`LpQ&;z|I&JSdPn6d=N4xfVzU?}rwMz`TnNy}7X`Z|;|6;*5 z>#46w7E8Q;W-&u6$!@iUcBr25dzq{&bMMD>o?Ghid_vGimKS0*+r`s8ZYn41f0?|w z>~wVTvkR*(F8BH#^6%uu6NmOR-_DHCda%Rq-E!C7YVEB4UAq|HEt~7v=NETvO0D=h zyA@0acR%@fKJ|=2ux#ihMyJ(Mx2BxibNShwUm=zYCoWz5@y^yIy)&xY@78_&&#>z6 z>;DX)domxzU2Z)s^nTNhz^v2EUV@uBa;+UBzsqiOJP{=3c0zMa9^2`dXFHa?o6Yb! z=vmA{#!cX;p zjjX~B)27^hSj#Se^kCZ5_O;Fnf1gQ&T`M1FRW7+{=?>@C+`2K-?w@7 zhP`X6cN}|Xq7CQ2$Ny=>e75A24B%50cq}Kfv+&{^N>%p64J3hw*@Lw&E2r#`lnJaMB`@6?P*MC|0qiWr$Buj=Z zhaMSpZ*z8;+gtHuhd=kG<)Jd?KUm(X*2v!PlCwIo;89kl;hdh;uO*H97a7eKIr%SP zuU{sY%(dOSio26|w3m84O3-dRy4vCWqDPq=7Fi8t?5SOoH$^*1f7Zy3@iKW;$UpU! 
zeUaasLkfqJXH7SMCy;t@$yc}8Te-Cx*Uh)xz3p$k@acukKd0rbsCQVqjMea_r|};R zUG{sanHypoc2rEB^Xx-!IJZGyLR!^|fOB5I&xM&K3TAgt*x!55rg6s9vsOzy>bhSw zeZCewm8o#m-8q-T-?OgL{IET9sXLB z5Tld-VzYeWwwtZL&mY+kBYkIWY{0+90%!J5YyLB^cIDZp{$5_!#Z$NX`sFiJ z$m^@Tz3e00(B95dP{5GG@^TZ~iu6vgxlSv7Eqd`}&cy|GUZp8w`_vJ_sh0TXZx=GpFt?5erk8yr|LDGF(xzYcTKxx|CA&D^%ar-3{z9T-u)gU z!ufA`PFq((y;I3HnY)1*auK&1w`ez=YHEJIYoCa?x&zmR%%d6(}-seF( zUfb;6CV0p0gQaYl*|UjdPRrBpzgiV%ksB&enmx_o_JZhBy@n?gPL*x=&tNp`oc^yF zTpGbUzAU@)s=DEr_3SRw{*FB_7+!BGu4?CwKIvU#R%p01`BKTB3KsqnhAWHDKG*xc zE0@tK@crhNBd<12Q)F>h)vsY*#JY8su&cf2j|ulUsucS&ZTn7{T5Y@kpTRyf^;?6= z$`37j4~L1ShDDXJ_c~=%Gh{ru!YlLr#fo`}_m6F>3zp{Dm9E|XNXRLpc!{~I$z9nA zOD-xexL9~?zhH(0_hro+hiv?WHw53gvdUlKj-J}(C00CB%$HuZU$KJ8EM%FB^PWl9 zogQcW)|F}QjmU6ew*3~%@He24C$L!k*M0@1+1%59?LM;I@Py74zBhMPEcAc(#Q8vP zD(?iFM@}W$tFjuUb>~dw<0zQ(V(#ZxWt?BOnq6j5G%fz(yIf_x&^7*4ubKU;_O4Sr zJZouKkz3sg`OaklD}9fylezMvt8B-sXUi@wV0C&|xTtyCuk=?|tES5G7DrD!BRl18 zag3b0{LxK|`GtKJRv%UW%=e#Rmw823`ioS%g+IC)_HGy6x9XJq??AqX@0MO|DOHuu zGI_r0dRkdbY-{u8-kwswppA-LQ%)P6Xo=m`|MJGm6;cjIK7Wp`>|Z}+V^5mp>R9&K%}REATikJa`j!<;`{s4t^U)P~yQSrVnAf?5 z3=g%A_xrUu{3ov9 zv~*CueLnK|WKLgpSLSJljz780@SkC+z%V4d43ka85qgN%fC$vlBR@*!Z7?S9ERu zJ0&>rH%Hi|?8v{@x2$-cyR}zO!}?fwuKiP~#k)Uz<#zw$E~Bx8dG5vi-vb`={B$zw z;q|B-x1Y0(`INLcfZQK+DbF? 
zM#Nh#9h<#JK~v5zxQ<;a`73focbR?Y+gSUc#fP`(glvDY^qrpVH|cqjOd%#h)tYys ztafwNxYoYj=N11wdOy44mYG*$BjyW-ziwr@b_5!@_j1eZwol0= zzM1U;R*HL9T>I;FG_3y0+S&y2HtCr%SbxxiwcMC(fJa#FY2JN0045 z=!b^~DyzF=6n;i=&w4%EM*XjV*RJ%;UvGZIh%el~Nbhc|^UbK|X*JtT4h9Cdo@TY^ zSDwvmyI<05-}-X9F3Gp@w_RUvDakrH-|XXBzNb@eRWUDi>%O(W>OaF2?OL9n(N9a= z44W!T;`j6~npD$U@g#gx!LMSj0Od(L-!(L{Y@4CAV8^@1yfy~k;(E?nJ6LLG3rl3+(seRj$!7{*&YgE|qVl?~rLv4Rj;7n3 z+t$5WzufoT_G^_oGec}F7rp&i7Pt0EM`=I;cjV>2Qj+Rg{85VLxkL^H^5x+{z!@0ZfepY{KKan?6 zh-=sE&nKlyHGg}~-d1q#!>cMSKZToRyQQ>_So^O#v*1C))Je0dL{&X*E?f2VBKs}w zTNYl$tA*mvmA!iz+Wm2=cis1}>>cwg7ls6jXoT7bFDhlbQk=PaxoPR4D(zW`hn*H5 z-IsZ6LB=Y}&6$Nt!4 zzStW#C0ZlyQ2bw`xv5fZ)=oPv=}0N_D3qN#Sbv{O>&K$l3!2t`Y3KXRuhyE%{AXCz?o%87?rJu}>4~L26PF!& zX2bu~U5M-9L(VN5neFQTxCJs^zJET~OW{9*(ccT@e^%ez_}0FC&a*8O?p9a-`MraS zPvBe90*mdda?|!L75}q7XW9OWtj4Pwx?9!y*Oi%`UwOdgamcBXdz>r|T#l`Qe-;Up zntOlIxZ_c-a?mpBQ=}!I@(F%}g#{0CGG0o{MLoK_Ok~-QWtY1W4mB^l89I&mp_bK~ ztV;_xHMYLhEqD@Y7eaC9?*)6kI{%1&KaAs@H-X6-GcRlAn z18?*Zn*)c1w@m8|F`RU7snoIs8&cz6bH3Ht#?-uR@xQRi8@^28Sn>X9%puvYuIm>a zc)$Fyxam3t>$v|62M=6N-SO8=UYFmBC1)l@HzqD$?emhR}sfZUe{Ldg{ zqP5j);nsWK4r>+3rySom*XYv8>QigqHcQ>vR;POSkX3cVNwdEAW1B0_#MHgm*~4ok za`_)l{W90&laJOm-z;+wp1fiE^yyr(Qy*!D zX6PqAWM5SFj`?t{wc;`^#XEDvH!rVbnEF=xwv^e;u$bJJPk9ggT5;QVdThW)i@w-x zY{$H|o%prJ=3aMflc>RuZI!ELKikf$Qua@3uKbL(2fLNT-gOsjI?3IVv&;B;9`Ey? z!I2AoIvv&DJw- ztFF7mF?;S5=|Y89z2})kw%n;=?MR66FAUov6x?5*KCZ>(*ttaIJusubNeY+7(Ad*($czYib3S}pT-;5+p= zIg%l9Uvjc%&)gQ~bt?>e^$MSeuA7yAQRaLpBk$XQ>tC3HSM0oQ_{Z0pG5OsJ!(QQX z-{QAt7g|j<6NrDcGxdOO`VR}AWoM&b{aVRuR@5RLY+9$`w)E7k2=)0!>(_AP*LwZE zQ!DbZZuR%#uWlFSWVgTP7rxIq#l}L-Q1ebqx@*ss${9`(kG};6t1oIhz`369YRW&` zL%WacdHf)6Y2J(N#qLk@?bq+P8&aIvJon*~4Jp+fQx69G6<%e3C0NVlR;t}>E$f0x zEjiVusG{Q2sisrS9*P$2c^JiZe&3m_O#-#Eeod7McU9Zny(1($AW=8vtmPmqMp+(*DtU+Wv6sMEmruhao2;73U5^`I$By8^C~i)iEhd4e6{H*Uxc)N<@4nsnZX&k=1F2K`&aE-yir@? 
zM&1hbMUP6?{B$b(%XZJId=aa(f8_1FM>Bt|6gg}+zjsZZef#3DbLzWdZ!h|APx|1F zm}94BUdfrNS};jmh&RHo;41el6Kf_#mo>KR^(AC>#^ zrZ4%Uadj>KisLDQEzc_ocQ1ROx|p-6IV<0C^0I@o-9ytgW8xQ;rZvj?sY;bfIkzis zdNot;jMh{i?+uL{S61Y2D7hH);mWfEN}sP<9y#D<@=u^*)#B+4{~1bRo{NjmVU;;# z6L9au<)yrZ7rp0szO>+06P>d3X`x5{i{1-yg2j%@{Z|=0a6hxAx@T?-n^%3C?zS0U zwl6y|<&^&Fg3jx%J9q4yxXJmDZW-e(IVG+wueUv5j7$!H$Ef{1rB-I2;@|7M&i@(w zpNOu{%=BCBb&uE4X=zk?g>iAf8rhlC(?cJbzx(!;Px?Yp%ctYsY#R~-*ZOV?S*9F0 z<-r4~i~fF}T6om9I$rhatM>jW@-E?lGUw)1r^H_DSR|OdiQ`nRmcLGFjOl-dH|_r! zj&E8ZDjoc0e&okD$5*fV@NwB2-Tw?72@jslduDWOa@(70r;@LHnsq+dHuBo?{|p>E z-||*(PWTZVVf0+WcR`engusmFb-yY?ctfrF*6-PJM8rSj!sC|$V(+@6POVE_Z_^Py zy-;GJ%#|yv66Z~uTAS6nol{`d#kDGp2iy+d|H1J5#dgR0CD-rj=NZkpE~nIcj6G;} z;?Bd1+O{s<)%8zh?|%l3L-Y0*tyyq8{cCuL`A(^DwqCEqOslN5j0@*|!N4 zt!=mbx^pR07_Kave#CmYDsOc|^yT1KiFaAoj5w`Id@4#0Jop>JE`MUJz@DA&E+_^I znjLv6Bqe3Vx-a1YoAB(2oeTF%JLxVBTk3G-dfS~@V#2<@o%JN;Kf|Vzla{BL zbL?Jr;z@Jm9*5`+3cc0ZGB4kA2Zip|n;Y`^#v#e0WqYpj^L?}8=Q$>@;Mm76J*<3d z%Ht(N6}NRZh;7@FdhW%_kP4-_ii&&v|6cqUy8k2pX~|D4G5+Evw|WeoJyAOy@t&f_xQ`7tZpmUWaYWBPLwbCHMP0deCE#fOG~WQ|Mdu7b|brl^Gh%L-e1vq z_MtBsLly@gzMa-OOQ1b@bGOR{6W0^pgG_y`M68t@u4eY_W@JiD73(#dCgk#2X5xo^ z%10Sp=j2xJQ+1fdUo7?Un2UePbK}DY)o$h5ONPovEj2UUS(dV%kNbi7EvfqN{`H*& zc`vG^QeIW9%Ukhju4kLO@zo&dZFhGa-g!oC&z82`&R0FIrk`~EDs9p|)oXn@zbfB{ zM{~^|Xj;W3XV$qp&O-ZJ*Vo(1ZkLU<%Xc^MG@sAk62)3;FI2u?r_O29 z(!f;Vc~8UA+lswcZf0CjkXtQ>PTWo@a0V-skj< z{n+HG>5I+^n8ubC{@!4+{BGT)_t|0lw##~nN*|9~vHSghh7`}~wnzDeEv#;zPF!@n zyZ%tN=i!o1p{paevpq1iobu&A1Bd5FrT zciNxW&}(<9v^R43t?296Vphf;J#R$_@3;JG!mVndsU8P?WxbaDay!81WOD1Fdi=7J zOFkW5CZH#z?)pX}c-j4zQ|%|lZ+`Fhw(c}f?lJSZ!ZW?Le*Cz3meSO4v(l!$YtwhX zD!aU#f${vRl{+)G9#U9tAp4X(_1zP$hB?a2p{*Id^{#%>%9bx?+n8E9u|DH>IVf>e zD(9<3*8DvOta$ruFHZ~UUAlBZ^GWu7OHBHt5|pyGY&||vpy5^68$OBcT64V;44)j~ z%X;j){)qGB^4@I^6@#Rg?TS{JxN5~Iw+LCrpyYX%E9Ng+m$7%>2K99-ugbqFTM<^c zZTfe|MKcro11xebdG3 zON-ktXj=U==x$C~9dYpsBYV$|?3RZtO}*}?v*g-cUO#9^(0gSku(a@DwRuz645x<$ zj=Q^8?!T(JRa0up`xAVeec1}8^H(}o8db7n{kyzt<)5R~_QGxp-aI{Ysjgee_Fu;3 
z7~THkSMJDNXYV|eQN1?j$(PWX54+Kex*{>{^6G5nNN)-iYV#^c2fK z?OXHF++lrxriFuB<&@`^o0cvzOMbO>ZkeaS?i}6y%BgH^>_L3fSE#tV{Jra8wqk|v z;?C!r3Rb!pO#aBDpBQAANnQ294XI@+Sp@LxWni7~fUSp1M`$p?|oES~ZjZ(W!o!yq9-B zQE+6D>79G+WnWX}+RJm~uevGP#a0x~S#g`!DM~S&(ZuKgW&TnN+S6->Ki+$#Dn;V?DIcTw-&G}H?==t2=EB$tE z`jqz5w=$!GE!XDqJn5X7{if$HFS{eJFkQOis_7)d%`tCxOo{O;i!O*PS*gZUoEg0F z$*-s4_D63VdvYhh+G2}EoZ?%R>1M*N7Q1(4`&E}l@2b&XxlXjFQswp25BH=moMBqA zv6o5u^qIGBqxn@2#?Ab_-uJ#MeWG2*NB^}6m7 zncDbOyfV5{46~z;TrPgRF2tI*aH`j|_UWnncy}(}7p&1g(`>EQOqs6yxBOkPeS$f6 zq}Qkmo>?ZHV(uC6Hq2()#!UhDp8U)!UZAl>r^+kyg>c-lNy5%s`_(`7>$V)aYc$Vo zord_fXJ33u4wQ9>7hlkQd8LY7Va}`eitjZxO?!73YwTL>>b+4`%rU!Z?lh}j^CXko zB?7ZUkL6!k&X#2oWAeu4^RtK5?RQh3{0$dodMIEopPzjq@k`&zDKE{U>iD{=A8k>R zsAMs(c-iU7MG_SgYaJ4bUbQ@2 z?5b-N+)>tD@!eVAZi+@wsdMISK89A_+@)rdSMFTbzwOX*kAEqT-8(NH=Bf$3*5|T1 z;(~}C8$;E~l|GhvH(x%nQr}mxs>t=-y660p7x5+(udLY{xN^r9InS-p{%yuwo%?)u z`pyq{zD-J%{YQKKDM7|J2p?Q zu1gp-W@nqJ;X}jG&#YE2jj}P{n>w~ zJ=t|D_vJ^?ean?*+NXH;?Uwbs-G2DSvaMUAzGoGm&Cm;L*|EyeF&nNxuX-m|N zmNcwUOElecclm_r-826Q>eg(%r5&*B*~}}}i%gzZ*d?wycJq_mJSVqFi+0y8FSQd} z!Tv-wU+KoXdC$`ddc9l(?1aSLO}M-N&+_2=cJC+txv-4=-A}cxk2p?#inII8arXX% z&9j{v?$pFyopQ4;>$v58-^Rm%QzEXhO@P0b?y4pq)zE$kvrR63!E-&KWoYc!pMHy&vwM^7z6{yu ztC6k``&>d-d{0Wzzk8>Cw&ub$@+ln8mM5=!wV;#La#8R6GY#2=27U+pR`&fYdwRO% zgm0<7zgdoM+TJqZGwXI2g;_`~-SKYM+lMC|R!`hj?Nppq$avM^#@m}m9vaNpxnC$X zZHvGg(S7q&-F0B(dr=|^VB6d zcdxHFz+URNRz0m!&r*0vYj%W!;!)<%9VcY3y;mvn%{*S3c`AoTwqe3D<;)wwi%+Za zE>DiJl-<-?z{yd_vux*K-OFi4J7#Ne9G|dDO}M*Fup(j74vze*OwH;lxwgRxhh|Pq zwvU~8bMAzL%+IuC+*dt1chgEcdfDO4Q@)1Rtzfvlb4~E^tKzpAK1G=Q4O|-79_yCM z9`LZ{W!8$=#Xc+fwv=$`u-**`6}+SLFJ`~O<_(s&_din&S?)Gx+sl--Ps^D260(GS zjCSwj>paY0=^<&YdSuduM~#`=Ov@T0z2m!F&wddDD-tLG0r)r%8d64{upL@2509(5^~CV^$|uSW5RSbe>r+Y!X$HLo_roH?zGHP_Jg z>N#_fe2W*0r%z(rwXD?IaQm+FQzv|QDct8}uXr+(H{)5bt|1LXR;sn6&E~kp~$zS=Tpe?Xa05HJ8$ydh$yu# zc(~n4-9YJ9v!A!btv7q%9g z)9gFl_~38Bj+sB1u1(aDEHZ02_Nvo{b>6gNtFG-ZJ>W4VKJu;bO254=Y|Fhl|K)XD zVYt2YgjK~Hl_{@u9;*wVWRUX@ylDD0j+w7;)hw2sk0(BB-J>TvIZrs`(S;6WMdpjn 
zCV^_=V%^QYI}4dN?Oaz_^yn*V!}D4ueku9FY{4a$kK9`==kv@=dP~6bf)eg4Aq~58 ziq5UzJbC-Bn8)r##j-D-G`s6g7yqz0Z^Ggfb5)^Imz?((3k$X{Vkr8QepWF>Q!Ok? z^$+V)u1EWv5RZe6WceGJM$H#jUL6xpxX#C%+}wf~@tq-x#!-)oG2uai+S zOLomv3fYlbU=%LHyEEvDVDQE-t=chldMl<*iAXWX5M66zy}(iUBHQ+NVNRFKScF%H zlymXrMTIEcnfp8JKxX$&77t}(R>MHK^E#}|G*K~iTbIZmPM&(nsifiy~{m-C1ZNkXLod3SW)9N)vEFjc3d^~izF zd||Wa=a-Am(#?zsH-0(w&1=)UTY}~L4qL=rT(a10|0Z^K{_k!tDx`gi+-@8X&EA%r zD7=mBvdo`NtxhWHmsd7?)_v2yZE z@e^6NUO7bbs&PQE+vHWekGtmfJ)U^c?XZU73`Uvdfh)saT;`hZE6(d3)$=D}ig`hl zAQ#g+aUoOoQ!6hstLxoJwYsPkqcFd+cj>tcO5ZKt+D_Pe@cmyd>FJhI?bl4X+hzy9 zI_>`H_a>{KA3`3#{c*$a{1&Z+?;qxMp3R)V$3KNdD(<@6iKi06TF>=8V)kB^-mG!( zI%`mRxPp|zhOCt_j-|$mcP?vR{t_nq-E~p&w_<8X!dt>7za?kkss_L0*v>T1DitTVd{@ty6#xv{b zrO9DWZ@lYv_lQbl-yX2}fP09N%$3}URuk4q-Vh6wQuYt@(_zbD@5-*arX=ZogsD_q}y zmF@pdkl{V@6R_wd?a(2A>By*$h zpBiR;H;#>;T7d^R+=Vvf8{ReV*7J`6;Vw!rR$*9X@M(H`e#y!@}T#-`Y`^yqecP`SWJ^ zwAn{GjGD_8`{mZXTyMGE<#yKXU~`>a_nykF*dx66$*fxwuDzZc_RaUqxlpUzrTmqr zf9Zs9nC!58ptDY6-fa#JZj0U8mb_w5XZ-Bq)8&)p;=3Rht}#LE-xo5f~&;myg5G4=HfPY?q991(qAn-EbDf9md87h z5XOg@yUSm!Tky#}H8)Q2@AXY=|CT5{msCH?(SLHm!xfHS=Xn0ut?ao~Z@H0hbc#js z>kav`8CFvdm0YZLyAzmM&iKP=@zR{E@`|0)woeQ%y;Z*?hqv$%=Y>y> zXG((X%b#yuub?5Rb?o(-H(Kwq9=$A5vj6G8_U7D~7Fp?(HMz%b&)MkxRV$Bqi+;xW z9Wi{Y@gB~*N&~kyJ}C=)l-W>Mwmvo7X8A0ISN59B?k1;W^)%aN>$ZK=>?!pxZM}GY zk&LcjkM7TUVgBU_+ppafHM5BM{C7fyQ<(?v_NTtpC0dUz+6J25kx_rK*GAp>qQuj` z7kW&JzVpB6c)3YAG$&`$?iJR>@1!o=w3^!P_#$-uv~w*lnvWlTvU3?%*Wq_!|JwWw zmRv5WwV9(ARIj0sweBNR?58jBJF^bx{t}7x@7)`{YIpFJ#np>S{T38lN_i+{k|A7f zJ7ufT7HjU9n~rM*cCA_TX6xMvOJ1;V>pa-^WzLEf4`nZA6i%Cwqs=eee)O*Uj{cU_ zovj7N)+sac?qqLJ*daaNdUwvoN5ASdgCG7~tCv%@(3^SY)jp}p)V|iYk>9f(cJEGD znJ)2mYeO*amZIlBt*xDBuQ-+Kc>ZMIxh-)irz)2E-@M=Mv~S^bwI9o_Zu3)k>h&Qn zw=nShNqMb}Yp1&`crGVDm3_O@Zr*Kji7_Sr88qLens3=3a-QdR`wYJbym;^|oiLQ{qpR za$WeX&FAj4wxapzgoM@E^;bl1*dChpar>vd*FL4Ur8C7$Oy52%uY0xZ*`{}{dWJ}U$?Yw37W)|8is=XlD|LIsb~5w4Y1vY<6$vbhTlAzfG8&)j z{fIq(I{ReuPusflk8W}Pi2ba$#;S5%V!%JXPLYzn7Ha*aQ)T2VLz80K4qzUHo5ech*!1a$><53Z&n6xy!|<# 
zu=cWa8e3kdw{&r$>BDuKXSzMf;`~(-aQ~`Q@DZaj`^xkFi%k61UVgDw$ua!)wDNZs_#HAHmDPSd;L;wrydcj*bLN}ldw-1TQ+&64Wr!4-#^pWY1<5B|@< zxx9MM;*<9tMLZG-6}+SUa-wb2raPtblWsoib;`G4!^TC|!nf$j@~gak z=B^aFdFq7ghYm1`TO8oLz5Kc3#>T_CQPnG=wAUTDYCGljkt^Pxth8lrr7_FH_)!A3o7F4wI3vfne4JG5>+ekXdi z|5eufV5|O<5pzlcPv!tMVViIE?Vhb_0>iq_=vi}Qo(jm8 zm-c&HS!TJ&Qoh39C8l!a^8XBP3(YPq+%+}(OxuffnN3SCT>ttcM3B|@c&(M<-eqs^ zD_>+cIbqEl{iNnRT}J1#t8ebe{+(jm zx_i_7Ivm{SX>g7A1cF8~0CsgSB=kS31t1CYq&JT%t$oGBH ztZTpGCoGWk&9V=1J5kml8&#rlJVoY?Kyyd;(UWVd*XD<0N=$osm+4uIx@&n$CEria zQ`?Vh?tXS*^^E+y1II0H{u6uq+@?R|dhOn0u4kWJ+P=m2%72F4bt{hR%s<)jY2H2O zzvd~(oq|dBYFoDFMQgWB_#1MQ zIseaXj_pmRL7Te$&e=yXsm)0h6a4aN(j$g&X5;M@7t;SIuz2|DcRNniGZ0?zcS5p* z;rT_Ee=lQXwyJEVu=dYp6vs=FPGWwQ>r=R6o-d=um!h*kChA%CpxznQF zf7>xuTcP1d|uxnq6$p~n{sC5!kb#S~mySZ_OF!=~2o?pd|k)#Y2Bb;qtU zbLpAs@-<}E{rz(+vV^nE-8&urj;ltoU;VaB>izXbs3CvHU65%ZMTq}d; ze`1>yUKKF$*ZI3nTkyeJ;n^!;`Hwd042eh0D_{ARJouwwA*0@}Q1DCMrnjN~$nt-p zUh(<@(Tf*eOq96r{A>%Skh^KEeYpRr;=gh3J9@d!b#eOZJ_;9{I;UxqaC*e2bBDRD zQ+L>g{bx9meL^=pVK%eS+Kfpnxl_;Hyj1G+U061>Jv?=x?RkN!N^24KIeeWtP zn&G>hSJkO`RrB)++qe9Uwb$(FOmx_^U{dRahgWj8R0Zt*5@WyUaS3a#P4ijLFUt&g zMa|E-t=0}<$XR@4S*%f6!kU>kJYA1FsG3g9uopVupTQz{HGQ41)IWtc>Oo6hWc#qz zKE2ze)_iy3QIGi_)~-n2#lOY7fUEM;@tw=VA74D>zDkwdI$`Cvo7o#G<;_3Mb^5z# z+MI7O7YpA0^bXj4>CAEu#A%cvT-*4+*+z!U9X;(sjyhuec<`ChvPCT6lH-yL~77Z0@X5lY4niW8=+a<1a2^mNuQQr|uT= zwD8&O>C#)N^mx6c8~c@&SGi{kZs7$lWTj?vwg%6i zq1F4e$aY#;>_wr<-`~CXCihNQm)CyhiFajdwXyFl**SczZ(I9+Htlh~`Puwa+lK!P zmo@m;{|MQ?GUV1Xe$SJxA(_t(&HQ>Z?WM*({~1!aD^||syC<&8Ec1{Z|GRDG%gt}vuNG>zMJ=lcQE+p4%2O%-?LUK7^SOyzYD3C>eyv~eiA$b;HW$|; zq03DjPfy=*bv}IJi|?Al6J|a8eBQ+Er@c-LzDYwrsU z+j;FzD)pb;U9jj_!FzEh(NoK>-;25%B3pCmxIp;U-1cWlJ12ZA&3|&Dx>T+z{!*jE z_nS9XIzC*|5Yn%b^?r)hbQ6>0`SrT_ucS4%{IUCah5zdQc*SM>oS(Q|EO$B|34S@{ z+qd~uk8>~eYyAgpC}5Ab*)kz~TZ;V5RZ_p(<4?Y-_wBu9s3HF&@5%Zni;OnyO3>kZ`2BNMsrV1~r!DR~dG>SL^ys^SPbX|&`}cEg?0*K01pb2i z3jCKRHFdAq@>8pJ|M?FK=4IPWUNyh=I?hH1rr2CwCJ=I%)g=vDp^aL+k+`K8jpXYEz7 zO>+z{-#PwN^L{4B?dAGK_g6+*E3Arlb-jD;+J~r_vi6}Fq 
ze+Ib>d-wkgQyxTB)EruFcqqKSKu%!QeeeGaCMsE-de`F(m%aBsqI7x1ckAg{CjS}U zE!}(Deh#DDjXw`E-p&8|pW%)6|04{#0*nkyOiYZ-%*?EejEsy742%qdiiVDXi2{X< z3KJJ@Jb2L{q2S>MhmQdb|8FsHFfuYQ+AIG1xTaR(dzEHy?*2CmwuPTaN?IgRxlheb z?{eWxsjJ%j8ZoB|yI05@Yg=LFvUqjfi-&e>dxeVcUVFv0cITz13I$I+1*N^??H^>t zdt7~_u+epg*b0T>mMXcc$5-jNg&flExL}Zay8cG~$5nTo`Wu$M3t*XWvTfnyEeqZW zM`|zq$h=wN+V_tdT!PoG?|&4~a{2JLGiOehPg;4Ug6Y=QgJOaaniKCBi^WK%7Q`r= z3)g>ZSY6>_Ica;(F{Z`sf7qrmyzJfftNO{uk3rMB*BjfdxIAN-R_(G4)xP#l>Ply? zMR%=TSGT9Lzv1qYWlJAz{Lk>_N%G;HPDk%va@i%cNBwVs(M|u=eNV5hNf+QXyH?_K zBsA)Tv(4T0f$FD@kK9v zbj}`Lb$5x#y8e}sN1k&X`*@dKpf@~d!Iq_K^PU#4zMj&%i2dE>i5#Emk6E}zF4pb- zaW3>qu4#i!^YIyd_djr4{&G!SOXG$^W2o}+g)5HnUQb_reQxx+^q5sGYZoQ2f7xp; z%jzR#|2OcSRr0h5uEa*g)-Ahcbu?FUE${eot~z{+_~Rne?&<3Jhcza;y$)JfCcL@r z?6zM!iYi$n?K4CITN0`|HXGWPoJ>peiNDa*`;|9CltH zIU3qCYrLbsNBm9Hv0So=<6x;J!{I|uw#J+loUpO`N#(P>PtV@7|NBdA-J*@}U!8MV zwE45FVdkR3gl&8L<`n)Ch}C58TbdC*UviSOV%|dLORAsFERCpIEbJJ!DSDE{=Kl;8 zQ^W(hUK)xn-@mZ%S$O*?g>pScz5DMMJM9X5F>%#{D?1#FmL}gad!(JMre9F-%Y@_f z8IhRyX^yM^E-egPP;h8Q_Kc^NuP#2|Iy3FsI?bfQGn}QmIqN=uSz&egsz%l0>;3;3 zyc!nnh(El&kRx~6)&Mi12@?Ame&tw5Tk7eCyXx-as5o!3yQ=F*fS$;cU_W~g&wnqj%%#h1Q+bzJqcr?F)GsILuQn2^1_ z@2^olPsV?SRf>DwHZ+Di8nke&DmIX^uxz|`%=^^K-b>~+>_V*>PP2*Z)YsK5fPqV7{7BJ2g9kiriENit=BJRKR@Tib87WvV~+iGTUH4Ix^>hnsBBONl z>A$Z`Ro1_?-*P6qNVQJ&M|hdmiG);(tIg&ebA`|EdDYBbw5CYs@``YkI>z!9VX3=B z_8fYA!eYh&-r2v8a+W<@LXa47zfpgw?|8)G&SXs*;Dm-%zvvk3A`;I9d*R^L( zHoLlc_3NEmq~euJt=X^FJxa()pCd5$k{!qOX?Gw0XSig>X86jnVMYG3@9)kC1sJ!m z9;DXP2`p+8kNT88&0Q35JSFp-l5+B#eJ3*C_ukvPxWDHf zmm$k)E77S5kq7?Fn!n_NEW6A4t?@cpYqNT;rA|C?L2B>u<|(IRYb(CjS9F>Aq)Yr~ z*p|+IY;O1w8Eszg?{*ijEq%1M`TnJ+Gs3Ey4HpOAU$$UXZkTgf*mc8&Kc`g8xh?cw z@cfm+Ien5V1e+b-6>eHT=RZS+_}iBmw;#?*Zdf3vIjv;%gX#Yn9!^|onc32?UP}H) zrr>SOV8x?)H$=lOPPcKqn-Dv@Uws|p4yMJn+S)u`X)3$^ZvH;?ZVJ;urk@u!6u;-4 za&Ye-uZ-2DJO-N-XP#Vra>lgIg-`x7tbcFBET-#PEGiH+S@D;_br6 zvX}pon@?Ek*L}8>sn!=-rCi&lmikGwUw)6WLYU>JQ+5}aj!)V;a}iT>`5hm|H+`I$ zXWgB;uD&u8-d*;ieb?30u4!I5k$Vg8gui_mH%;~A;@?kO)^ckVDRbq&=UDOHRnX7j 
zfN0bFZFBCtYpR&X^k|lxQ^qWjtCdp{qBu9-Gh_|n^(wQwGUvmGgHclsN&8H{$gsXc z*~7PU60_oqwF|3+^sM?#BUs}*re^Ck2lR#*=Sbz{PCa4DzVz1X{|tw-ML&NHNRnRv zivN#CT;iMA8k?`5+snP8fT8VMf&V`%oqxBO82qxePf0IQxm~;EV@b=!SU+1UafTVk z7H_}Wvii(Am)&w69Xh=F226~yJ?EQiI6bruRiy>)YnY>7G}$!Xf9W3idpjOy-|tv# z#wJ~?rP4d|&7-3VQCl4Ip6~HqvD@O6e8GyV2SoE82Ar1s>F@CLN*%&BxaanfWv(wHyUN;1lb{=2aC2@03^SeezjY8qYw%!}I z?48VPwe)`dKMvW=9y_PKuKLO!Z5gH=-B-WV`K~^{;54zM+i8Ud=QRnOT(3EC={lyA zWaE2#MVz)g%2}7V^2m9+>5<7E>lO-R?_1E+Qq^l37B;I%byn){>{*W_mUgBr7t*!3 zX{E4dch5sD-4e&uA7!q8UpalnvYhV?$EGcugiPOLcQu zSB0b)Sg7USOYXYWoD(u_uiuj$G2S_bqS1SfhTZ?q!1wZj;OgTSI3G83^D|AFbNl)i zhoyTyRE76Dgl#)4daCmEgFJ4WGyMT_;W3HRW-~qJNiG*1XedeY2nAkfDUe!q4YY@9fStmlfSE_v!u1C*@xj=FP4D z&v0tP;RR<^Tf?q2_g6&xXK+}5fr&M5nc=HvE8Um9TwvYiGR^&B@SKCZM&}u-uKtpq z(cyYeaetQ7t#F>pCj|bc-_uZ^@r>=S#P`0?Rk?AG9x~qCX6`comlKaj+@FM2$+~$G zzxM0re|!}hUF&`8>aMTH#m|3_i=D9jpsZoQ6^Z0|)2i$)Kc18)V!CF(-=g@;b$^#7 z2xJs%moXlGn`65sqh~|V<4t0-j}=`x)?jir;(6p971m28Z`wkRu4j?sy&>jp^fR+_ z|BTfohjn?|0}dT|Dr-=-F#Gn*sA;E!U6$G!cwdp`$d_P$>8%wb|Ig{p!YyAp7e6>V z=@83>l8;8GeCi$aXMN?@%}|ZG==XrOjl<;&3$N5aUsyez*2X5w~LJ{5c{JbUl4$?~MC9<>LpCdqG&L$2f(yl;mzZ~8?e1yICAg9T3&S;zm}DhhwQAfNb~0I)vF>?FWpOs& z-;16C7Zx?eJY8(E)J{d~rNKwt9K#Fw_fngux&~QaIoWhtp*QM|*pjd5%frts`NbHu zezDj3zh0Yam#NMu&idVTYqn+c+E!luTVbXv3-&2pSXCf!!s*TP_=~HW+)AYUZGXmS zd2jfYc!WiD&&2~3bI%nQ+cZJKp!r`p3+hxHdWM`@;bY_;T{q2sR{_{nptAxj?56;WNAbHax> z+mF~={jkMV8;uE^1u*Jhz zb;r8p%q!u&rHnYD4Hd7-g{m}jM2S^FH;#W7Tj5QRQ0fI z+w3bB#BcvTa$>E>9hs1`7k(cLxF-4L0@MADjM--5G7tLhsm=*nb>XvQk0^fz)0Ww( zA3`itS$Cdjow)7JWB&xsN2Y!nNB{72dpISv^X}3xH?cI_ZOeE}1 zhgfu$^xV3V6a2!F>+qYYB6StjeN#79gqU+Jw4KQ)zXF7OI`Y?yK=d1vYCOH-yUG2>xvlUc5^BOvdS_hy0MX@3O@7I!Sn z=~GA&37R*fIqi4zQp;+$W9Hg=*H?7~_I#Fmw9mV-B3ve3{;pz9!Lc3M7fW|t$W5|3 zpX<2iu>ZZquegs|&5*xT{e1>|yXB3Fl6@T#jb87RSuZ?_ja$UC{@;{+U&LqTu3r=gbE>+>+uPT0tz>hPIl+>+%p>pJc&|JH!^kWK_U#Yu9Mu^Nh zXwJ5Fqh=-NQ)8iPnqTic`Na@i_4rytx&U*umqex1XVI{ut$Pkj-Cq%UMQTdX`7gmt z2Eqjm8?QGN-rRWey^vM(k%jBN^i|ew7ie}VGJ3{c)fn$y6UEiqW~v)8X}Q2tiylUE 
z{h6U%>%F=6tV{bM!%}NvnR@ou@7}7oJjW+7SC`L(-ExM#0Y-j*mMXFZ^+8b>H4G&DvY{Y1gXw zl7wG(Tr>71U+B8}RlxRx#;*3_#mf5)40@a{>+E~G>BAI_r=4jQQ~8z%U#R-Z^I7xv z@%b^_XSj+^968_jbLQt;Kbx0EXq}N4YUsKp^TDM;VtuGq+qn~;+NJYP4}$;)hg41%Zq>pt)-TVC*iq0SnwZf*UQ zakHOZ7g+X0Vb;>4wbfG#5+eJ)9e5hRI(ok|_jb(+r4JLsvR{XB75c8Gv^IRWwaCR(GZo#w78l@x?Anf#LunM%}z;A zn)>pZ!op-xiFJ=vy>s`8C3r-Y__|tsTYPzW+~l2EEmDe?7c(+GW0~=8dHQ>9W8Z?A zQm?j`zG%EDw)PNcwo6 zc-l7wbuj+Ac(I{p^__)@d;3{->c}4vc=&Lg_W5Gr)!Vm)?0e?BDrB+kgqJV%5n-~uqE@FSv+revhT^2hE3$&-OlrGtbLYJ4ouj-V zmw7Kwt@W;V*r8v@Bk=L*X`|ie4OcmRST10)BJv%RV%DCSe(Mcib}5T43c9niZRQjK z`#9^4MK!83ieJv%`)t9f^G~Pc^;w-?Y|PxR&iRZh``h#%Q{8*E#!1Fxq-NVM*7m$~ zY_Gwoms3849?g6PDFf#RRME}xP3eQ;k%^!F<( zw%zal($Sx$cmGnTbJ5c#@7%4zD=d;5=FV-|5!zeN^mg z_i65~8Tk@BJIZFay-nS;x#(aQpB^{szQ{5r=Zofd_c+!&8HF+$tmJG6DdJ11fs(C$^R*Y1i?&()sboADIN_0NBP4mLx!U;Ux zU%h9~BvCTe@HR`)ozh$4ED%GI4 za8-k7QJTcXbnbu&;WbsoOs5-HO0J0)W{mJ$^5Nim8L=}H_T<0SJT?8IMuR)E&^dv< z$roH-AJ%wf|CV`2bm-mx3=y&$f2bNeZ4KmNmXcd=;y;6Dr)r<(>_X$s%edC9*})Qc z{$7+oE3<*R;jydp`-OWBd#}Dy)z!9o#^qkuw~oh)-o3uXzhr*jJh|tFdGa^o7Of0a z*q6%WBC&Th!`by8C1-DD-zbo=ky+zz`W0o5=eJ*;`K2QB-0Ec0iqwK~{VlUr@YiQB zyr}CldYS8^wJ_af`68y-G0JxiE zqlHJm3tXMO>iY2u)4XonI@J`-b-{&W(S@BW*aEe_>K@pVx9t7K7bT2OiY;3cH;6sR zI@}TZ{IaChr_{DXAG@Y3{m)SHsOZsBhFhDugEhsXC(FH8Ucqv(XM60zqsE2=!}P1uk;Vx&rH2?B2aJd!5rqW zjgu-04wg?@!nCL{O3V2of2&@K-7V>+&hs0!16xuE;DRIqWBtvyrRyjgrn>u6VD^M{&Z-&mLMOJTzh_(0&N2OS{)~0UG%Q{f z8{Ii%UDcnO+L{#=WFPb2{T4*R6l;4^}bH>^Ss~k!eS0P0XTZ zi5*(D2?nvzvRYe;%|0KBt9r`kk;k6DU*{W_$syL`kKUd4Rz3CRvFq;CxEC#J5AE)f zuoV}0m|@6ndpJi{Zf2mtXPTuH6w4Mi8I$zC$0%QYJ9?HbRApv*Pf?U zMs!)S%jcVH&W$@eSy%1u6?ImPJ#t9z9FM^nyKv`KEfXr=|7@OPd$3+Ed696!p{qj8 zE8Sg=Y;k(klcg~8io|2HH#&k1MuJ&-53Y$fu&@^HVm`t9_pg-bgab=75;Fn?1s|l= z&-nQw;SPWF(OL@y^Q`^9r9N`+iL2$?5T9|n)oZ=ml0`EElpoayvR+#HHuQ^0nzUGt z>ggR!uXW1ogre4c4iaYJ3plvka%qzE?>E!k1GlEOzAu=(hAd~-cYI)cmbbAzSVyN&O1G}%#VY2RPU6*5FN#0l%3VLh zv^be}P1_VrqEVipgYN0q4tF<2Y>T&>-||;7=w0D~*GKjy?BjH3 z-gv3xkmmJ?^PfJPvBF9_Zd$m*i$+yEW|+#TZL 
z6c%+CZfaQd=l3Cj1y84c?7by-_pngznhlQHE0>EuzV^X**0wKOeu?!hOm)5QbNm|f z>bJ%s5o}oaaWwgnhf zdkLJ^sXVLe^4->pjrqOcy^l8y@-y7uotblJX6v_(B%bcd#&ZY4er>pH6!N-Ev4n}e zp(U(PVuyIsQh^Oe7H6K>Rh%O3kvM0AXqK&`>{@{fyhjf{=+V*HXd0ZDI_ZEuTdGwQsAHS0|MJWwJ=QxfYU0GFi<50(? z^&VlZ?*amPQg>%D^(|Og^v5}%%k<2x!&m%goLSZOY2W*gT5ET1a-O_Rxy9~TD36KK zezw$(U1xWwF1-h@>m$*Efrt7%vMXE)Z0{08wz!-kF2dkJ870eQ> z6t{$(;+@Qx+99T3C869mCrP?N$ZC;Ad%a-wl=xjqHqkLRR~)D?DEWOfT=3$NY2FU; z{BrG82bvzWJ4bi;M4RlNVdK}kURwVnb7hr5W!$n0Ir1~}GDEUwxceH!J=`$u+=Iu_ z7e2IaoYbdqOXece_Rx(Jr*2|)KQCxuwC%@{tGknocBX7R?sIJJme`*=e+37=T$$Wg zzwNHFR=E8SpU{SloEsxfGx4@vKcX1J`6zp%dEv)|7r$6#k3@;?E)|??RjJm?p)6SW z(Ij4~Lw3UQJQtf^oifpDKH4$;UCMA=cCG{TJ{G4WSU`n2k+PpD|CZvX6QR~LFcKcgT$^}Tvve)JW=WXBt;9=6O*QeRrQ zCbM>tibjCF(8`_8N78eI-mI|6<2z$q&UCB4>6c}tV8g#FBJ;#puFtWyRQ?{Qr@_Nx z?vr?@?eLMXbqXhb?vVI7tGM9nR_(<{qMxdM_SsSC+JBp2!e*T#YkH5J?#<^F>P%tH zzPQpVSwbOf{vZ0;a>i`e8Ih+4S8G4(tiG1m@dF^enw5p zP5I!kf?!>(W8zQ0ce@5puAcs-$<^f4qIK)d7JZ3bUyxXrth;yNr=Hlwt5zJdSKRr7 z|6;@99pc$$3#OL&x>rX={|OXa@!9jD@xMv^N8=Z;Dm+WgjVtHd=*S@TMS;=L#bkrj zl=TsvjnnN`WE@eAubC1gKl!rg^9z2n89CO^{kQ%jC+7>hNurqs+t%ll=7?LAF8cLU z>Q3IOkFtDRJo`Sr-5R>>%-0@=nJ&*BuWo%MxAu*jJI5nclcPI)mmDZO>hmD8w)*%( z-t8`mA^Jj_ITLkuE1b)yOWm9^b#>!5-g74>{bzU>)GibA@3Q{P)|=wVpBvwuu9WX; zxwO}-oIOd#?B@!_0#iYSR+H6*;4^ zX8%<01TT~6&n!t5x-~`9sV(pV(|uvqqhH16yE*2q{QXN%g5hCY-yR0x9Vd=fe}5;` ztfL+HruqH;jt6%Bb$^f9vjzxPPTHr|BdyG@;vUHtwdYEDK;Y$DWns6zTse1l_Uj|- ztj_Gq{=M?jfd>gk{3d^@by}i!OzqN>841xwB2&Bs`UI*(FRWj1G0p$R?0HFfTQ;rD zxLLG!*R1~xk9k}jmMt=#^!dfdpd^W{;h#@GvRpQYQIly?%7O0+9A#DUmKW^}{FJyq zT*=y8c}1ElByXeOq2QN}EgsGH;*Ts)yzY5_(IK0%zq_Y+nZ_kVQ|XJiX zbO~qA4__GCsUsTsP)~gK{_=wG+-Kq}T&s4+vkQbWGn7hguiXE%>tP8W|GQb9*>g9) zJ)nQ)?^k=5wb?&Z|1^8r?rLFx8&A~P24TAES%i4Zd^mV+po4F&i?(&I` z0YX8UGk<=XawTB(t*b6duP!Wqe&K@BOaDiF51eFu!z}%OcP`X0kgW<|%Kg2;<6+zK zyC$K}IKq_-J{Lw-{@q*I&AQ@KRbZaYv5%?satb#@=O#b>r;w@D#<6Dm{snQnKAJN# zynKF9XT>T6kxJV3pfj2aV&>Z%+Hmg)M@HA= zMO?ONg$JI+uXGPMdtOw>t8?OSgX_zk8rK`Jr@EEpJ)N<+y?s(#oWP^kIzkPvv@S5U 
zTlBQ9%rEbpdM^2*(c^m?!!$Nq_Oi%qoqQ{?*_3t&Z;%eQGFf6=%rkXqT zjoO0L58r(9S^btJ-`c=Ys$s;II8AWN`C|JlZl&$k`-LNUqvRcoJ?-Tkzjtz1thji5 z>R0LD-e(LeODy^~oxW38yuh3D(eFdE=1u;6AULk0|C!0kPj1^k9JH+0{?VCO#nj4l z;@g1($(N4)l00sx;Z-YI5O(VLqrCZ6PyaJWrSDTxVmFJCdd0>qk@xqXlCd3o+_c!@ zFBOV2@}}n5F7=H*%&YLQXyQ?GfwJB4Azz(T8MC=2ZBjQnB$#zVWMTMzXGi@LsF#VtD6#B-hO}1xZE;uTzZn{%7!QBl9z%$Px)!xYUf5xyVthol$Q3`R?kz_ z;F4e#)oeV!^j{;lO+bai%D_lgp~#qD&hCq@Y}W4GsP&^|VaAfC`#5QS@mn?}t#I6)AJKQoXLY0hj2>;b z8`aB{f1h&aII6hZ>|dfPYjpcP7M*q8y|Z|vS1w3Wi2kkQvGSRfZ&ut5Rk5`PpBC_O z&iprV!FlGJ=PcXvi!@vwsOxW&>@`dk+7fOknv-zwcl)jQRlC>N&;Rqv_lAJj8vb{# zfuaS5W`EDWFc&}dN$l@-p@#lRs)cX=CM{b!eezp@^Ey#9q6K=-9`l@F z{-`N2HP+|G#^ZYevzGr_I(ymXgRR>``uy^j8@jWeKe^Q8+mWg%EL=(rs~WZihw87r zvvKYk_P1iK4Qp3iGFW$ElIVMBP9LqE&oAiSdG_hx=KbDhJ2yC7$!z@-mn@dvY9Jf_ zJlwwUh-k$3mUjg)Ub;OlOE+?@oFQ)TlAW)2%E`|LE%JY2ysmd*zYc}~_T=ZvH@{XU-rk%NS+2SHWsKIQ^Z9{uj)vVm z;M;d8A#7hDbIPITuO%L}>Z$%%r3K$8_FgW%l3Yv~82ho+`<_-42%17W}%alk7MpJm_hB zQF$|0qH@JKj(mO7F9)wBXdV_UJay&IpJR`Bg*H6(cx%9!weg`I^XzGJZ|21dU0=O) zzK#)JK>YgRx2a1Gue>|upPJb`N%8j#tGNp*=5Ap(ablBoTs3<~JE!^C{)3E;i(-vz zmrl_tD0|9@>tQO&caAFgg|b-{Z7D$>F$sO1iA=sUyGh&u?Ep`$VeunzPym@5z18-N%_W zxskO{=DJ>5>d$%c;UEP4yqDA~n z<{9}lmnO4?T;eQIYz|;vGy4w1?}X|Hf79)q7&1+ch;8uiIaub>RZ%LQYqNH~pqSLu z)r>!<9Bk!!8h?CgyvWWDZ>3w&U(&dfrf&QGLhD%H!j34frA;TFbTlR=B{rBV9gPsQ zj4PB{@X1CnOkMotKZYo~>nm63XMJ$9I+?dlF?t8%=bayXH-Ed6!SwI=^PmG~Dv#+M z{wMWs!Qzzt|H^+Dm}_0!&a?CA^ObYL>{Ti=-)KL47oCw?ch7D@YTG+0&UC?*zm80= zXxkhvJIA6Wr}MTRXQe>S44D<%59)nRDtNCSFokL2lc}fs*7)uJb?(B3KL_*GtUDIi zuq@(O!y98_op8GU`u$hROS|WNlulW=<5PVSL-9@z&xnU2H=e~Vxve+taceW1-5-Yt znfJS=^-om_H9X8Oy}yI!xNeVn$e!dgJFh+CKeCt8KW-JL(Xv-zBB6m7FKTKWU3B1s z)6!bUv%ge6pPs_}EcLTf*gco^HICdq1!vF53Ld*A^GoW@em#XnFXlJ$+6zuy_Imp* zn_~}tD16b03fq66?7`NQ&6RgHHe9moe8-xSQu19etWK)lu)!++N!!M2hIN$KOXS;?u$4_-(4aqiIrgcj$A%5B3kEW_}5fSpDX^%D}PiKhQu)Ax9b?TAr zMZ8`MyaJ3>ns@roh+8TphSq0ji`t&;IvBFSXR~PUr$;}OS9me)-K!t< zF2U#h>Tgs0Hcab1c<7bO?X=r7d4YNLP3Tkih4{_x9+>B|=$QFiLs 
z%G7->OUdlTuGXXCMc<@Z6q;|zyZWEEf4|_A?83j^hqWaX9X;-DHQ{TDaP^B4Z9lR* z;+DGLxfDL#^Q=0nW_Zl@u|1hLGs<(n-(q$4(j8rsmd+^=wEmOTZf*OK@#kH>YfEok zlv@5(P=V{1vKWKZGwI~u5H9QPbeCw02VXs(r832S{}Q|-FRE1N!51HuK%wf^a&ztLLC>xXR_H{eYkD_<{6JIWM-q9#@KajbHeWF~y0z9l*Rs!KZ zi=(~t-0{CoANl6|bw5;=E_m24>G#K=xvL#37Vl70dGvH*&{o|k(PyTbvM!Zx-o(*l zR>fj|&vt3Ph=i0m@99Z;%pFWeFS0mlDy}N+JZ~v}>zVKBJN@SO7jV2Ql1xm#$m~kCF^aMxf;)qZc%e|iM;qF za5Ho8Q6BZRlcZ;H-<6QQUV7$rvbag*QBw(l_NH4|Ka!f&K2Mn=BlDT3Iow~y$?fu{ zrFX;?t?s>vnx+%K>rNRfXT03jFFVYWub7GLQd*}acjwA#)r{Ei1yf#WuaA+@Ocvg| z>-ohs+G`dR)crZEA>uw!%Buc#vtDY_gNJkY`Dz)X6s|{X@Lqo_n$_TfJ@4^-+Tl4n zj;C+@%=@FyxK=Ic%+H?i&Gi@me3aUg{d<4fm#4q}GX!>jGgAvHz5jcPj7`pu>Bb^w*t`oISFPTbI`iW7 zMNh)pxaAErf1iKo`+XM2q;1C?XZ~lfns+3*wCSDTf|Z3QgWdl#^n2}_dc}15_6q_Q zP5-0}HMj1Y^8DNaD~AgX&w9^Bu{9j|$dWs4YgT(s*4ewA0vm3Y8`wyT38j86e?LX_ zunWVTM|n$l<~lr+++Sw8M9+5DuNSO!YNm~$yL!~F9dgO?PPfxan){CN)yMC-A3Hsd z1Z~~#%$|9mSkO$!m}j@%#p;=oGmqv!QoW!T@8aBmGyh-Qq!`%r^IW9 zZs^jIl~C2VVQn?(Qm0i`*Uj@@1MS0wotN0j?v;=9z4>K}((ZGe^DE+~WH4^qs5K*hg;|XDUd5sZT?!uq z0`=Vf3a*^=YKCifx?ID;%fhLB^;=e1JX3vS%JjU3N#fA5a;-|Mr-DsI`ENz|*m5Uu z$?xG*5fh)e=j^gutFzZHH?d|HX1ie?U>BUTGVv|<#wT`b9TvXVGL00AD7a9y-XP%W zxA#Z9ij8}vH~VkOpR;UM%k*=6nrFSH1RUSKy4^F`_@DN(uGwan9^Rea+;0%JlWBj5 zId`JdkC;LW*&NBBNrC?v9E}2Jn+7`=SYBaT|3qzp9Piu-v$wn{a4ZhFJLzh}m&e!6 zp4q`Cr`UDiC5uU#Mz<6DH~IR?`A178{cCe&I5H!nc6qLb;QH+=ci-Eeq#*nLhoWw> zYu^3iR~E*-+x&D#-k0p~E8L5eEdRaPnrHUlmkfjLQC()f<#lcA1*JnDHWm8+I8qX) z=)`2Fm@sMYgx)FNc0BmT>bBzDX2B08Zqp0RyieQ?Qd4H8r9W@>!wUSWBF^+kJh`o;>$QDYOPo= zeWxsE>izkd`;PSSFSxVB%{6{rR_wBr;`h8;7W46UIz@>^Ms&vI`Wt=iEq!G8MO8bS zNlR+6bN8ztt)SDlW6rRKMcJ}@E{!>myVWd&C-la&8jUqg75jO@XMNVXJJCaJ=_K2S zVwq>WjpO@68lw9;`#NLRe$?(*xJ^;yTJLX{dxrNvifmvwTE!{*ESLZOOTPaM3wNE& z3j4L$ov5sxVSx=A7K*0fURkp63;{tU4-JEl*YpZV>G=;TTJ zI%_uy??~ddIb!h4==J0aA-{c0o*WU`wc_Z;o{iy#IwDd#Hf!tNIa>E%T0lQj)QT!? 
z%}sModweqc6?1`w_1vzRsZl%Kx1KIkE#+-JF(b$8yxjuFoe%pYYJ%a_dhtHR9jne}rTC*(rE8&>EBE$M| z`{L~QIZcvIQD62x4b5N7HfufKIyv0{yP_sB6?T^pyvT;A`)zLT<>c6dg{Aarq2uq%F17tWKKVJ-$(wa*om6`cfP!ldfJ^PH}RL-7W4jliP^4} zyL;A#ubOdw@6%bor{tae?&5y`Kf^~Ro&7xgulye=#%Fk)x}G&zL2yZwy`VS4h54&@ zPIph#3T{gL&+sg%#&A{p`O;7}z4<)F%jYa8__NgS^wwvg?K7WWn48&War{Dd;Ax#( zk>?^N%BL_i?B4y?FkavTuNybsT$Ow; zLV0n~)tR0<`dSUcUmW48J@utv)w$DOWETkvzx~5U)1omN$euF?C?5LusD ze@{{C&TAf@KY5|MkBA69Nqm#qvhTS6p7n`$E{o0jS#)Tkh5SmxyoN(H?_%S3KE9VM zQ_hev&v5F=Ij4W``1Zx-@+GGgMjwweqP(5Mf;k8c0HbwS#N zgP(OJCx2_z`sZ_7efOLr+nyzw&*YZ$`{rsNp`i77Mr^se!3wUulMZYTI(&8KenF`~!z!=qB~Qo;qKBp7CSHyljfS)g=$(UxL&=D;&Q z!DCVL>m94ZZ0iceI-E9q3=~yWzutIr=IooD38!V9F39fIH9c0y;I*vvm-n8$Xeo|* zeYfBcO>3{6{B_s4{%BvH_?Q2iip7XKQR+6!t{|DHE>h3P(TkG=OT)_;~i@_qj8;7VHwyZe_m89wfq)MdNy zg??J9#*g`us~XRrNj~<`c4D-SSdZLPt?bLzXZBB+wyN)B0PANXlTA|}XX~$8&Z2DM zGjD2wtlP1+*o!ZhiJMGxDeZDt8h7>dvMDha7a+NySgyJ=Dy-%#`?t=u zoT@lu)6;#&!wVvXBTQ8C9?zBTGUuPhEFo6W`N*TLS2X6po^zewUWR{JQ8wwR!Zr3a z7N(ljllIMCS@T&mI<-jL`jHz$)D!bK;j&YUSvWe|Igb=^ER+pBCb9g;qW=uZ?!4}= z<(EyZWEu zVNs?|!XM|p^+pfhzYIETm%vpe*1@`7=mlS@=8C>cmnJdJ(0ghXu&W`R(SL@;w6*-k z436UIM(@~~SQKX@=b{hsQRx?uhbJ8bpsx))zGXD`~hqJwMYBVk*k>|ai^>K23w z#wz`>n=Z&K?Gn2^>{(jme$Ime93{-ZeCB9f;pVO^Ikj3Q z6zk%A#vjjWJdg3D;6dy7Gk@*~N-lV3tZ!7T?XqXf!Aqu_ch*hLk@(LLe8`e>Wti}; zX3mSbf0xGo>Akr@uZ(VXZF~42U+GUmE_nVDX#z zf7Op`pT9f($nNO>45t>(F)7q^_rLUE@6o3bk&?NmrYhRZ=xNssVfx~-`O{(5>U5Sc zzQqE<{F4i#W?!vHv@UrU|3=`4~&tH&<_o{14IG%`bLM z+q9jpM}C%jZ^|^w*)#0bw|oxRdM36$T_-g6%aOp^W?`X>-CwqTSz!>Mxx|BOY3Zg! 
zhVLD@wkw`p$F*^s(jeSSsnnuk|5+}O{g-BImy zqV8MQgWBe6ZQVtuOZ870Ub8#@T`?eQYw{1){|vV>_$DlWzhmvvpZ^(-{y0>;r}iTA zwb~iIv(it6*)u)=+I6PbX}@4*Ljvb_iO1L7x3D?~7iTtw)jnK%^m>N*i#Zm3Q&Un( zOT5W|#jWK=liGIN3VBBQT*X&Z9n9$nbKWWfxD z{m;_A+NNcxv`A>3Sk0c1SSz?NtSM}UkLizwR#lb#UJI-48)q%C>tfRVRPvwU>6L=J zw_|?%aZ`w0U%vf?Rp(lPtpUwtlQuqS;i^!zUwbH0XM2j*c8M2Satn?vFlRiRf5g!4 zXqexM-@fYm{xfhE$fsPqezVQ){f7zM=2@Mm1Vs9J|9xsU-u->*SIzt17c}0_X-r=d ze^-I)ju+$a(+z#=)WWCafAw-$uKvN{&7rq5l76KA`}FAX{zo0=t}-DKiU;^F#dGbG z%AX`5Y<)zbAb-WgMG6I8R(6*fWDafHs_|k*LVU(y#cxw$1GV{smNqKfICFCmU*s(Q zJ(^+Lqk28UJLj%#N||vdc=L`J!B~Nro#DR@UWnYp!MM_|vn}za4y*T+R~gKUSMRoa zth4+NXZUmtjqO)<%%A6{$avLcpK=*{d73Ka#iG1dFH6DquuS( zuL~RqJ>92zH{i2uqHfIjq@{c-bf>9LJuj%Cf2A-k$wxGCv)vQxncwcz?PEwx*WYZ+ zw7697UgyLQCuYxCvcjv%@L>JM9X_Sc&sHef?pXS}PjzR$&9B68RV#l_>1{?$`tmi5 zK^OkafBl~!f9~I__2MsU#I~hAuQKQHYFPBaH8OWi|B*KWZtYVWPS5I`^nF`)_$D=t z&yVzbTeloo;KgkhezH(nVH5k4D;m{q#c#EHN`zA!!y2mg)QX2byu&8?TrzRtx8@l$ zR(be%JScu~OrSuO>uPFX$JB-o{}~vn?;dP^#`!AY&lm-_Fb7w@X~c70vF)$95H?OGJz@QN>1{IQ1&`z+Cq!BS<4 z7Y_=2((Wi+Jnb%%K}cBP@zcfzYx0@pA9*P6c%ZmKKK+8ns%;B4RL*iT=ilTn^!Vb% zP%-zEno0M(!gxx$3kn6LJg4UJJ6#R$U;OdZ)h{bm-Z4#0s3($%p6Pir%_6Jz3D?%)-4JndTbIJTdL} zJAtlgs&{5i-&m16%|+lrg!gN)-A78&9&tK+*O+coGyhDk2;01;>~6<>mR-2ucz1{B z_FT7ZjLVNK{q)4<{(pvqC(~|TNod_D|4S`Sp>pBZT{(BQuH9bm7P3fl_o>B8bNB22 zyVSY%l+>JG23t}NrO)1;ve2JhV(F~SAB|cHn(HeMZ(`hhJ7p8YJ~kckq%VKY=53l) zFTCWR{IlQ-6^%M`15Ku$H~%QmWu}+^{L=KW$m0wDGt?;TRjxlNd*RTkz`xqH87yy_ z-ruX=dFb}~m!Xms3R^5A9X~Jl*>y96dH+ipj-xY|?+MM#o&I=zy)&0DW6qN0)20e- zczWaQLxZn*27iuPR9^VcP`EZ#`0CHaD=hpTi_DtZdTR5|(1oRj3nj%LiBA?Zy2*HY zWmD#krmam&MGW2vw~FhDF#I*$9qJq7|7BH6?UyNALwMxcqyJd{XLu^46r;CynaCxM zB@&*YXV&|`=*Am|r`CB0LydVFu zhu+6UIor&uUGop<+1*eYMN>{;9v`z)?|UEDg4 z+^ZMmcFA1kynM;Y?A-Ccyd2E_bAGMfzBDblXnp&Ch9gy3OWAj*U0<+KjrH=EtxJ5Z zyr*4R_`+G=Vc&uiy4Me0fBtfxJ&Wf1Irc{w6Xr?IbU6Aw-uc$v3(LPxlbd&MU;n+B ztuZ#X_aEuq{`Q~Y+@opTTYqht81a&EMOP@lezA_mG394roCiC;Jid^*|S%1rF`}g 
zuM2L=Oz#Ky9qn5vyX2PfM9VpbA`A`x88!z-uDpJMS!<>HpYw~uo0i|ykMY{$xIX|qrqojJbd=HwS`Yj=m)>T>xWDq}kq{(Z#?@ePlEInA8axN^_5{g=+pl2a=< z>GFc&B3~b8*p)fe3x+uXJ;s5GPN69)RX`U>;Ju815S#tgFN|!q=%!Vsh1a7k_d^w|VcEIn=EnF9F ziZHY*|EQSxzE`!mGq{#ZubS^z+4qktlUTo%^I0jx$uDGClYRR?!_j3Pk>9%I7i{fH z-%)mer9g$-X2r&<#mARKIeYBMGQ3%O*_;2CnrXxSm{Xw@ynA2%s?yNE`J}1X^q5eb z$In%fVGK{bp6Of<_R^J`+9AE|{10aB@Yg=s&tGzX3#yo&$<}$s{?5AB7s?IG`Gs0k zcio)TlR6>v#HrZ%OP&N4UV2eI<@~Ct0dKSE;_9sGMWbb(NSZ zqgeQe|zozmW+~xUR%PTDVfY`?1tt&!rPFtOkxW-MZ z!MLx!evLC5Z}n-foHKVPJ-B+q{Qd=l+>8e8Wvf29Zs7}hx^ix4ea+N{!|q=Un9hAs z{mZ6TyT|*--=)9W8dpDUd3B)cz~`a`qAQbwjwgs6{m*d1J~-R>HpiZgd|Z#8ajn_# z$6?!+x$A;M8$a$iV7ZN7IB}Xf??>ELKA-iv&^sYBrniagSuO9ix-fFt-$fr!nfzyn2xo}ib^c#B z!-kWOo(8_R=sjjg{GNJ6TcQ83p7^`&`m7l&%euX4iZuhdx4Sn^ zT{e3=pPpfNpq1}@)dM{54}JMD_fKcrl^y=#w|;N9nP}Ui$-}v|g8S>H*E94_bF6kf zvhl+aF`4yOwRr-M9u1yiKKZgp^Cq=r$tSM)ZPaXB!E*Zk%BAZiu0vNW1l{yMF)kLh1(?ePU6 zKet5NZ*OtD&1=7YXT48E)E2>$D~fEqF3*^GdU;z!+5^#=a@J#J0=f;NQ}p~EFAYt2 zSt=v0n!>1hQ8(gT8%JpB;jYeaj)xx^76=~wSa_)=bVlXvI-nzvN$b!XIp^?VZFv(H`;v~gIKxUTo#@>`Nc3Cue8C-6-Y z@ls%w7d{uS5|!)pA*}yJU7-HM+lKpY{ae8GHF(CV+b`a&y4U~b=wE@q@mHGIn!+zX zE12pc9QK|*=!dVi*U)4w;Y6}DiG+IJ}Cx%102MMujyb{u2;^_~6T$}}h0tH})i z8FtS5Ui|vHN)(UU$J4W`k8reG8D6-YenqNkYSg~hfuE!Gk5*c>&))U2kNNAIgq}6o zr2^M){^bvE+}Y7^P4!&yBVnz)y#~H57q2*%fA{fw`F73uX$|^|)KZy3=LPCJaNnPy zTca+eRn^gR)#=6GlT}s@2BEWJG}nf_+dNNm+DEgwd-*GCo9?#PUkDW!i)O#-dHi2N zQROUHsIT}}H|FZ}56`KG*B$yvTXt$%;yzi>r{NA#jZoil4yVw}$5?``5sYgVcL zWzBf~IoLPMa;nHhbKa&~4;bD0z4?;bp6;0_!*_XsRD9UZM^VZSrFpN&!B38T;-y6EFMd;MJANyAE zhpm)&+mhe>Nb3oM#f9k;Eaq&IC4|d zfBU}scNf3hcdaR=<*DuB{T0fq;)1@eGI4(Dsv5`d9DeH+_hDI;8o%3@m`)sK))C5; zE4|~faNE3pT}MLN*|i_(ES~FhVwe7tbYG3?LW!m~vLRBrT*o*6XzK3Z5l&tue^PT< z@NuI(^MrOVC*Lw!w?8R9xQ->ju5h-%u7AlTnhWESa^AZ(v_($|z6L`V3qc-IPSHV z)ysd*goqVaOWHj?ga&I0gw1#;ute)_{nNsi+n?TlD}6=gW}x_+X}!HX>lMX)&x*Z1 ze1ZnFAx7NobIx_e$SiwNn5J-cwcyIwxO!yhmE{z z@k`%(MJLjiT#GyZS(a%HV@YM#xi^9Px2W@Pnjs;!eEQ_)*MrWTF<)EPvPNNw#F|t7 z-mLR%7au&`JiF__`6Rl-n0JYw5lsumq{U7bCqfrus+$bwCKR)djk5t 
zsoxuTrk<%-x%SVsL@tr?{|vnhl1XWy@87Z+I{m&sH)VT%H;I&8p3; z*Jktg4HM&!&N7?#=->q&mK^q#sn(fSy=q+L7&xQ_7gv4ODo$FM@kq)1wnNLw7cc&$ zN_=UG>g`qdBfOW6C?3ncppctrvY!I<@(lp@xXu({=aPPYDm_ zSG6{)UG%^@NRv@k)|9{T!(sM-ZI_v~|1+#eY5o+lv}FBKsb=LJ3Y7<094mIVISN^n zYnDe&@x1VRfhL~Oij{+A{3_r)i zX|css_kJ&bDQls(i$9Em>%i9FMN;~4i_{vYSk7};{hy)QY=O12{`t#o`#;qDie;{O zz4)_S-5;k_ydQUD329HNV?F-aQO{MsrKOosBjLb{sSUZVr#W>4vbT0_zOJUX0xM^vZi@~$rj4{nX(pK;Vkv^cgddD0=z^Kmyj4}RiR{?@;4 z9V64(tH%P?&8|s*#4z#Xzntn*6Ha#?KEC~*dBZB^8Q1tu?PpnkYM=WaX8E1vQeln# zEH_;*HKm`QzOun>su7pb7VnT6tKY|N&U2byR(9u<^A72Dn-;l0T5Cj~X-n<6*p@rv zvw?H?EWuA7-|Bveec+V&qP^k$#l32er#HVA(%K^Y`A2xB*r5*ZN*VYM{8JrNbIH>ubVXOJ2o0(pxHI7(Jt+Ctda60MX z!q-KNcMga3eoq&y{?D-Trg8q;{|p?_iZ7SH|HmlCy}I0{L}bO}h`T<0%6VD>OCO!D zco)5HY1!e|dmHOd3+9C`X-`Q%v~;1&vsm$vycg%6F)8!pE|go?Bq+A4CH8pA!I`Ns zIea>My>D!>GL%lc+QIT}<`i+hBo9rADPJN}nx1a3mS{}0no+h&>4Dh=ZMFD4IWuc+ zY0hH)I?K22xPkD?t(i98xxX1{^{HOTZExde&skX=Wc=bd^Uf9Cuk_ZR?`)VXe%mnG zh5ueyA6wqe{elP9n)ujFaY;Y_=r0aluKEw5Ym5YJSQD%{=Z9r3WJmSbF{r``7)`Q4@!wZ87o`6QO5v29DaXRPdFlW-9Cnk#jF&mDuU z;(s?Ty~Nm1|8CLJN3#oL1tZ!PHyo7J;k(!Wck#^njOFR+29ABslNAt1JGGue(_i9sj&9TZtgfs% z`u&1A1_$H#pZ(>|zADSRs(#HI>HiFE`e%$DE{)AC7Qb^@>z!(p)$4}>!TELx7ua<+ zJ&-#6?CDI$l3hJpio)4hTnwTGG|Ehc()Ff2{m)ReJ#xnLl~Y8YJh}O> zZGZ6hQPh<+>nHbjc2B*h6=yEZTlV|F(a>_MZXT_T0Rc(NcRl~!yrkgTb>8ZuqH%KU z>0d&4;?Dm4&u}2Z*!ROd>kyy$t8^~~e^>2jkEj>wXKIR5@Y$X6E&R-Z3{giTu{Aeu zeM@XqEHXT(uQ_?&!c6{a62Ao-4|Gg%IIN?f?xi3iJMU4-y|g>${A_$01VWf&Rc~?b z54gj-wO$rmF!mU{J}5K z`O|At=lOW!^+F#-mIQpRKF!H{OmoM(Q-VUPBUW9lQ=QqSAGrFUdw^s{+^jnck9JvB zaURYpv9XPD`=k>gbtS{MOYhX~Kfm}KGNq>H{$~ig5O6AI_TRrIywAn86C~OA1w(n? 
zUa=6}@L=`UIWfsgj>XFQ&NkWH-RLSX%in%e^i_=skJ(KP`S%7)4c__dl!C`rk$T)Y+$Fe}%_xVcxq{=>$q+5BMFyZna?)!s{Ew>NxKo1C(7 z>9kkBBWK=z8uV*w{>uKDzL_$bdpC1xTn_Hw`Mauf`|aiI&r`c0YLrQzZG7yX@VX}tSL#2mM2pB_bt zWXm4eFi*2RaQCal5^lR5=Pa+_*ixMQ{+F|ZWR0NH&ZMLJE06o`bPrrD7=2+{!L6*T z*`NPfzgUp`pP~6u-!eh1py{SiD7j4Sx?jB`O1 zN7v46VS1A7U6pQr^E@ZFJXq$LwA6p{{EV368F8~yr!SOhTfn{F?*s$e)@Sqjqq+6g zOx=6vc6zXS{DGF=Yxaj`AB=ynYRl?S*X!ZCrsiA`6MFZ@ivNo2=zQ|q zv>j2`lC&~zS=prpDQmC0(HPwk5*DGjV3l6nG{p}>*A^LW{A|v|5^-eytzSufoRbSO z`V6l;w&IM*O1iYw;zeuI_V{m4)wCa`X$Yq5RAMleds43Zle^IPc;eGLb%*Ze9QN1| z71gd9J2P}wgVKZfyFQ#+!MrpsFLq{wto?0W(c-Fn`MxOW=-dAp@-Hwjz1+OGV|z^0 z&A!!#E&ug?O?p%_|Kcl#9&_`9J6dE`MfG$|+b$;l<#lL9(?add9XA>GEoYxG>*9l# zXAZFb>s%M|`>^2|4OwlT1to1k`V)=i_oy6sb(rznXHAApi}t@ap5^_={MTufU7`HO zT6r%_AO4;3_qRsfnJ5b>aoHuY>R;d7`z93i;%oi=qXA1kemI@1EPMGDdy$dxdv!T= z)(zoLi%yoDE1sL!J-vPJk+XG@^TpS%_5Jx#M0o@Ellq-)o9n0Uadk2l>$nqPP*mR$ zcJt{DX;Y4~>kB_L<~@(Uu2U*#qc~;9jX0|aR}rbAGm9_1ZfMxL+<{?5t$r_a zDMjy^vkcr{)Ut23?3r}qj?VW}*$>|`32Mrpn0mOL`OLC?FUyTQ+^&AttJITwxcBqa zhXqWRE6y)J`La1)m+{v3-_9*!V)0zlWL~qoM;cmOIFL~)S9q({r{Z3?^VA;8%iQV( zzR^)UamJdN4uO|$R^B-o5U23XG4b-(rb7>!=l!lVQTF~bA=+yDyu=B~&mzO8d+q2E z(_HU(;lir#X|nG5nc*w6ZeBFztZiejpJ5!4^L_gH_pGdWeirj>m+VfPI)~SbOLOC_ zyli{lE018zcz`G}m$NLsb zYD{c>78tknf=^u%uY?hcwD!EB_}7x>)kLFvlc!l7O?j3Qyt6x7ehc#(KDmoh&RcaS zi5qMv^ZhVY-*lq$(rvd?ReImVq#4PxSHqUgn}Ro~9kMs()cgLU>1)4%F4wVTg|=rF)*Vw`p!2My zhIQNN4>B9NX6msPOG##y*Z9;L?ba9l**Bv+##G~)w|o9H!L1BY3U0Sr_sC6s-5_Eq zU0QVQZo;FFUn2uv9~OBi8xy?m+w*k@p^+_*(H zZ|M}tD^lU_%}#$PaO&K;GVTKVr@oJmRA-9K(dQ31(>OKYU*fEVQjGyg;VB0dQ~4CU z!tYbgZb*9d861_F>+c_MFqWfWGGEi`8Ko-x`&TvQt+KOc zyg##eW!&N?r<%371z%NP*%zM~!+3T(SKs~4{u<=@y$)9E;v>efG4r`HlW|dEbq@zp=`1xbvSO!dU-g z|0QkS3)}yGyPA9@+l1SH`j!>JYo~p_@#Xnj?G2i&)dqIcS!VY)?{-_h)7fr1lfiTG zXQ3G#PdgLxJvRC@-y}8WS!I5@10ul%36Ho^e-RhO;UKNyT(gl>9UZ5<2KidrF3{j zHg@aO_TE={o2Rq-w{ugCb7a8GzIe-Z39gAwA9a;o19#a}$8gQs@oIbE=essfK5A-T zv)CiTb6}zSmPehDC9|`F#0qAtI;eHMK=bDDwGY;_Jo~L&w?-)>AT;o1)vEVAXW6=I 
z966S~Gy353?Ptf4C#zRY3pv{!v@cDQ`@q4t<2U{@7`;gS(OEuARd3C{y?P&|Wq!=w zbcla7L+mq+fJ!~?RTmF_n=&mVCxqMZ4BLah6XG9<9Wwgx#ZWPDhd9@ZXM1PJJo>iw z$+JX8R@tRWE7$V;Otv|?VU^Mb?xqJ^3?)_i`=`y-ajlj(6tSe}cYPysBkQ#9uWxZ^ zY)r23h?yBvR)6L~V97LZNe8Q=4jwg(GNDUZEUjOE@d}kJI6uuWifO0+mc3SMd8)K^ zqW?4SdcD?mSatem(zLeJryZ@E`p#50T&(IA>7V&XvcNy9P_Da8X+KNiRb#!I(MPXv z%$3)-cYpEd8~??^psYoid^$HDuZ(JUe09gb6BG;^0(kE4&MIG3%v{ndEZ9+$vu*M9qVN z>CNkvX{t?gyk%~$Eqv7+79Xhaa^*IjgWhLd(^dNxd@8&9`q9$;f4L-MBX?vLcs(z< zUu>$OU*oo{w9j^~VerCj`U(vT`W#J zEB;UDuZ?sU7mwMO#7xKcOw0lLkJr1F7ipdej>xQc)Zliup3hw}L8c;$BrQ)bop|uHSay`qV#Wtqj15ieOrOsE)|9Vxo^$6BPbmX)t$T`#K7YAl z+N7NxHz$Q-z1E%OvsOizR$pJdBIENJo_E*d+&_xVKJxrY>&!d0avV&@nz$=>@0?_F z^p`2CLd5}2cLP1E$E8=K*>~u=rUu>K!^K(gLO15LU-Z_bi>wVRq;s$BKE7z_AyeC8 z-NqA6vAHRa9|f{4OM3C;qwb?%zGrD{6SjoaF74=-*~q{1nZd^G<~m2Bb|;!}?^uPfr?M-1`!qvdbvTNEMZYA~9Wix9Z2D4Q88!x;6PoXX7q0OYd z+UssC7t~%FRezvoV}P8qQH$lQ4lQ2R)j29fEjC`^K6jmV=z3o9eX>aKgn*+|$&nj> zCUu0LQQYWx+D_4w&nkPy5@u)hFWq;VKFh2s&&TaKq8YHISR>kd*P5@)#>M6riu4{8b&A?_ z3D4;EHC$7i;o+UPtK((AanX5SZ{3ii~o|??aHwJ8P3^t%FBZu zuFkoprsBT!_Tx)4?QFT8vM$RCUneeiG9xM4#%cf5!uK3PP3L$2>^ZyD;rD`P(;`~_ zDoMvrd;C!+>y3)iZl3_d;~$PLU)p%_)$!l|UL}=l-nhvXnlvT)<@7IC=knJckn0xy z_WX8XNP1#_`A4Y^w+p6kHC&dnmm2Lkuf8z1SGRr7sm?vYce~vWyohgZih1ff_eiA4 z59JRHVZUcRpAf~#=o-I(|GhBN?V3YN{g&=roGz-Za7%ld(az+vhus&&9IY{Qop30j z$>GgK4Z+`+ALWWwPW#L{XmC)XEx07`0c&aU57`DKlASdTF%62F9$Eu2AuQgISzmIf=3Y z)$_d=Gq)vts_a@@a(d>2-IcYx*H-MSDkxM(}`)kjg9 z$L6kz)a=QxIizFuBz4c^la?2S_WN0G7r)}=k$SYWbjQR;LhT!TUZl63uZ&Om{gG91 z*7Wx>hBmB+UnXWBF-t$QIp0mx$hC zzrUr*Xk_D^voY3To9oUWo^_KPwch?{EnM%!(47+$cy_a9L3V%|^SJ}5OsBgyshWjq znlc!i+I0Q?rPHg`R2OW~Q=avS>&li5A77bRrJgOhlUZj3cOKxA; zdqqpkdwt4+?Z&DVQOa?PeH;}o*!-GOCH{sQG+O^TCyZr-CTQIh)+PJ*#V@9jioHT#0=2_R5b)*`c zEBdS>ASJ2+5HTiw&$oOn@qv!@MHcydl^s5Dpcv~ z$TM#)YI${`MPnMj#g~hQ76uEJ8s0ARX32Ax>sMKl6=g2E!A&51+oQkEZu+P1IQcPK zee2xQ=sYPdYuhi5EdP7yA{Jj<3#LkaS;ES|@Gx21>BuuN%iPA?lNY}8t~!;w<&)!q z-8^e8lKURVJr}sO>g9QHF{VC#zZ+Z1^Sq`B@I-Bvxp?!=W93~_!adz5g$M~q$;IAh 
zImMmpbM0A?LC(~ICpM?_etz9>*ZG3S(UWh#EaP79oRiMn{;57Rw5!@n@aISI9rkx! z*1!KVv26N1)vm3RpXmf#t&2VUchUAgi(jU@KKP}dyrH8!&VT97xJ zU{S-4;+R8CyLvzMoZ9wFgH>`}+RvRg+d{6##soCH-@Zkopupl;u&!dvK{-vIet`>? z7q0hv8=kyht{lk*4?n-s;^M9moReIp*}o}s%Go1k z;Y>HC#aew`DEa-XN}+e;_k*uzo_yP7)8bsL#$&td=ij6X-sg8YR(U0`37>Uu%j}sg z{$5K?V8OSxe@7HNT9f+UX^iHVM#OOzoSsiwYXX_lc_6GK+#2dVu=#*ym zRkJCiZRb?8XGg-#%9%BEE_E<^Mvl3}Lt|kFe!~+1-?VtE zKEIgy!t}-Sg8fb=A>~{;>~|DY7wpe)@7}!i{v)f1t-p46B>d)Aic?vkoL{F{6uxYg zsL`3X{QJ)w>b~@OMa4J${|rLC8)b`MUAe1J!ds<#%Ve&Oa`Md_+tZp;nCEXfGqv-w zMEJGl8G(jJU!Pg>F<*{OLdsZCnj1^oBEcvkS{ zO32w?!iNI(FaIfY+Qz}dbcLKr+S0ql)1E50Je+#O{>`1$aUTupjy3*EzFPI`m)0Ax zw^t5$Yn`=!V6#ZwOTiAo8;K96a9iK;`tnHCDt>Ld;nFD{yepuf~>TTAgS04YG{^DM!gS&nH(o(bb z)Ur}G=@N_EzmGcUx_YULdhg%FB(?auft1$DxFCBUM&p9$(-TdZ409#*&$zQosmkSr z$aeW$VaZBTy5DiLDdW*YN73HX!oq9p-d7lyep>Y)I5;P3a`B9h9T`tPi!mI?n>BsS zJhxZMMNfH}%Ej*~DqTCgdBt|ykFCa8CXS-40p~lbd^Jj3>P-Y637&MG+Nvm_`68ft zndIGFfBcMiB0XY`K1<R3{yZi#WRXnWLPzUH76lQawx` z{xeu+L_TDHI5Tg`lNrb7&k0wuyY%)ygP?{B!#3}*E}!33+$t__I~>xFEwwe-_T=3D zjv|RSEJ7*~c**=ufoq0a2-|MUDYdz`eN3Yp&n@f-im>`D#l^0sdA9cGRJQVq zmOU4btUEoUZM(*;M8+nYV?56<_b-kQC=q5ZxGs3&`tgg&MQ{IF_3$m${9P#i?Z@iB zGqmjw%L7-u*$Fm-nwOa3K`Y@<~z(Ra3J@GHt*70bHeXUlv_YP!mv zRqLmj@h3d_m%7*^B6lB$3v=Ew{#?fR=*zh030w01{Qn*m?v?0SK%ucEu!Eko}luq}(Yx>>00me<56 zkxdIYc9v>i*dD%iF*n;I4HxPBOA9k(-QFbu0DU|n6~YiTc#)fNv-*vvt#LjRiYo>sq)@gwS7mD^zyI2 zLVOu~<&Mbw7F(rk#gY{wtMB-FZMV42>!R0^;_VA&{yl$2t8&@ibzylSZma%Gn%<^j zA?l}e)?2$QG3M%p3)R1_)rLCV=JjW-NpstGb=UW_2kR$JUEGkW)RuHO<|r$hA5)|! 
z+th}x_-99Bw>;vq+VzY>XP@jDL*LVSyBeM(%npAs?G^V!jm%n|J`;B1pYOk%`e4gi zmn!j}Vfl*k9drIJcxhSjpJ5AE=+wg~b&-}*VzbETPx742nt)8C$RD2hPH+Q^4w0$SoPtZ^^fI(Q6?wB%g*!LI~-w~B+9vO|CK4n=EnSI*cr0!V%+lJ_86Cxt#|)3bOBKFTfNmn-dODF$;)TBzC7bobXkAnpK2JV=7fTn+!ChOD@^Ay@!Zb4*?qw55C88K zM_f0S2)G11VNmf}(=zjvTJhyZzLRtt;|Fe;p_|c_>TNv4OYy^GCfK z%POb7_{dqR<59ITsU*g^{I&2~roiIJ_?eBB;znmd)PIrNe(8b(B4TfH= zXXQ~-yq(^}p30e9IB#jN-u$p5HQvj&zkOx<`Fe`8(>62vj&rZ--yRlLKlx>5L8d}W z^zV63*6Dn^{O>cj-#lmao&Ti&Dr|gxCi%LYi`^%^soI;pkA@p-{18um`|5Jkf;l^O z>+N8Bs-(Oizo%Xv_P`3G&MFLBx3A>?&!1;cG#x21I&iMGfW<8~} z?bw5zCqLMnI>NJ9)6Km@mrv%iVW9hRqjf?{tNIrmjScx|pmU-xMqz7^4YsXOB+L+swab$A&%2f24XbCH{2mv)%QX-)?JX{pl@&f=iaKu-c!L zG4o{UDMPNix)*0`6q|LsScRWgZh0HW3#m(YuM1{7to5t>t1KqXrzID5XPN8cBgKlL zvDJ=k&-fOxOeyqPW$t-=lab!yIa{Wzczr=+&RVOAkWlWKb^RUNj%c}TY!LWYzbI<5 z7w7$sG^Ypa--{M37J6{H=~(L7NqhB$)jv$xxG<*X*cP)lQ`R`d8a)W-@Y}i8$*<7VL{r=T4)*UPG5;+53j>ukMQg>^nWh^ZI5rTWz9){Wn%0~nKA)^0qI^ytOP zTg=~@WlvvjjHoO9a^>*TS!=#_>*#XcIQ%-F#mMc;m$R#;{Ix8SI`f^gaQ{==-KybV zY#W75*pK#43TmwCUHMJ7`aeT!#+=;`xo*BXeyL)0-^}RgH>PRFwH|X|T4>@B9LyA* z6B%@%Du3py+Am5MtQ&6bu~I5}w7GC$h|1$5Czl;Rthc#$OXy*rUiKX8qK!=FXQVJL zJd^eCKf{UHb7srzwcEBVBAQh|w9&QdPQj=1tRaVQ^~STPDM&QzoV&+RDPe}MLl>)t zE8~)xE6#tj>bxRj5PkT8%I3qj>QA*cM5I1Ta-Y2@`c%>O7xxmLJZzPjVpIOYd(H9v z_JLC!m(0k~m975sv!mDIU+-r*lfy=TBYr9{71+u5I;^qVHjSks|BrOLxqh$w@=Hg| zew9>)umAh5gW-N%Z*OsKb=3wQ_o)vK9?lM%;aySe8k66 zI6Xxswl0BX;fAOEk>QI3y#tEA{Op&RXJOmF;7UN_mw+RBu~~-kPaNb9OMdHNyXtUG zx4LD?v>k~8Gewi^`4;Zr=J;6SFlX65r^1`dUAAowU42G+4y&YIfareDJ1LH*e`j<& zmuuPg`u0xGh|8RoQ|3?K{CaoMF~6|3`7gCQUKEOF*vR}ots1p^`M3WJY%9a=X1~td zQTX~lgZAPpYgbn&UXYn8y=q?5%|OnRnmd9P-duHp@99M?pYqvXs>8IS_zflY-S6LW z_te@gJEklW$P}7TFqv|qiJ77XXMm|b+`T%+H`t-c&?+% z;U8{kU1xrD6;|x<$u`@|B04?W@Imo@@5c3gCnJ{aKmU8m2l-OLNn1O^SREc85y^S_ zQSb7R6MT#0hl|KUjNi?u<+o)uN#X*Z~qhE&a&Os!!Ewp9mCJr5bTX)RuS_U-;@u?}J+Dc1LsFQn!0NU|7mf3Dom7vurKaB2=X++p zy3~4(UH(7E-Rth2d0+DW>LuQ8pN-`cs!NW{aAq?3R{Q?vU)4vepQ(pjGyLE<@1ohF zOiSx257g$$8{}jy%v|Y~9uYt9uO7Qxy~QWTYwh+I>(BW8YFz&!Vq2@poBs^lyv8}J 
zq|Rg|)|{Mi_3_0Rd9~1n+7FLEN_{O0ufOoc{ytNZ-j1$0YVX{*Q*#UXeSLoWXvfYy z)s;4V>8aa((5!d+I@O z(WA!W7fa9NTv=_hQ#m4RMb?k0OBdEIe3<9k(=g@X{4e(PK5HNRwd>BwURkd-U(>|v z*3u}U$3c#X7p9$f_V>P5p>Hx<*GEgydvXCmb=_b*Bp zbqXsRyeeBNvI4uOJ?-fh+{-i9Yl1!tv&lQb*;+3jPSs{xsn1iebcu-LZ0FpqN#*jU zmX)a&U!>jjUX^K)nh=^lZ?VGR>jMA!&Kne&*1b8i&Ud>(+k;1}5#b_tTts(ByQ)3? z!1bdmAjG&~*V&J6`4+6L_|MSc-munO4M+=)!fTK_Y2ao5{lXqdQr;XApSZTqH7o?4YC60+-6 zu!zNJDcw1Hj;`RGrMf~||FY~Shg_k>T-OWx65pR+>Lq(;YK#j@@{`afj3o*JWm%tvX4^x^fFR5>!{H2utr zauS>P!`c4Ag3SS+%6a}o>|FQw$eH^VM|^U05`rEbpS*r0^NE?7G3(iXHZ*!|NdM2k z86o=ipSWYM*k4YU?&n7qb=_YSGwsZc?Dic&Ph(Q<{AYMFEA#n^`*~rCuG3cUIm9}p zSR-VrX2Xh*ODE<`TAG*1cS1*W+0ta^g2e_k{t25kWV^TRnQXZHR>Z*v8w#0U%lRIN zFwZxPSktU0_}lYH&c+7bqKTo2?l({B*ep$ZEc)$>)cFM#TeM$gcdhsTcJV*MR71It z{f$pMLgL${Uu{(JOL}(dx7|lQ<9#2!Cjar-P+WhZapTGTQLDuQV~)%XFd*eamU-~nYRkKM zyjU{xm3{2Lv@bteH{EYN%w75Pr>vV{(2vjJVh`iWri4e_j4svFo3SY_m*d3gbTrO@FcUUvjLHdB>UTd#dU>jI0UE zHp?)nXsjG`#ZQur z*-n1r@Ji5Kd~aFv%`?AT{`^wfxTI_6p3`#|P31n2{p-+|ADVG;5*Zte;%wIbRP#$< zI2$SZOSH0S+IgSZARJn zW9{(0miBY%Yx-a6cYch&ro6V-Ic|TV%;o9z*?$-1@YWjy*r>l0UtnBT9{N_WD5J^9XVUjmGC6izsD8=FpE-qFzo3~>wmmpaFMUy;GiSGS z!P_HR*$qujQBjZN-kE=!Rv|K>@#60HT60BKz4vY?3VflpCc5xy)Y^ah<=J)Inbs^T zTeBxsh55~2`-@NC%UPEAzQ0|o%lYv5t;9X`?e}8taYcT<{-aR)rTh;`HTN6#nm;(S zAN}QzwvFJ=Ed9*B`_T8}3#@F6CVt$%$019#(09Maw09liIbxN{x8>%#ERB}?%lzfc z_CwWL^ZSErUNYn*^WGKzY*e+juI2g)l?AI$uD|_D2X{;Aqs zCp1Z#_vXX-&3_XXS;f1pjGijp%vWvoYf59b;jBOAT)QSe?5?iXJO3j5$^FVJwOb!A zi`C)2vrxFL(!_qrgst=boQ!xU+VJw1;Ocpw`H!5MKVkk-GuzyMDXzF)m&;$35ukeE**| zs*;!D+l4;9Xq1iNa*9&la^_EcL`=Z?{(t`&!j3-CdHTft#rg=Z+M4^{InO-WuX3vD znX7bL|I4YJDI$Nh^Gm<9ni?iJcG%SYJ<&Glle}%se}=Yi`yVZyJ1LCw>@ta6K~;@e z9=Vo#_8v0YKC@3L%tT|o;fhz>yQUh3iA{9%qe9-;z_F9)2&{Z@*gZ{R-Z& zcS=?g{;O{b`nv3iU-`#7_T8@U7XKM|{;U-<9Br4I3a%DSVpglDS%b$)uo6RbA$V{~5}KW3^&e15Rw#jOan{5AlVF@NT+#$z*_nKkNzM3 zR7oGH)M5}{5wn>8&uZI<<>%KvU*4X6-1cuwg+kEErIGa)Zxu&;?~H%sbZ5nZU1zG- z+;9KlTlt?MiFIql^GDXbp0n&d?4LiXKeh9V%v|qNGyeWLU06E(-~5!qC%@*b3y$&g 
zs9*5w>B~pPt7^=@EIVSZml6Kv^FKZFS@xSktlJ)6&s+Ugc0s{!QH!H;cJWc%VO#$* ztUPqm{!;0aUt7igGic)SD9uIx>)BhRvT}V3KC)i}E zwlq!E^o!cf`u2YxnU0nn{L4FS_Gbn&?)~;p8TlPI_NuH6o>{qL`xi~#_V)JoJhQy& z7hTsk|1)d*U-SB>Ldgqj{xi(rZJ$xvweVj;tAqDANXc_G5RqOK8Les9;Fq7H~5S`f9a){eOl9AOC1zDBBUA z^6SIvlzz~$yML;a@^!<#(@?Gum`aoB)3Jo}eFW_Q`b$ZpaXw-O{k zB>w#E>}U6iKMQ2OSzzigORkFN`+L*-u!?)}0ZeHeB68syOD?zMFE;x#oexPDR|}&P z0|SG(f`qHa`^Anbxu!^xIE;b|i#%DM#4u-;W_4p$5L^(%sNe`%z#!6NUlLe3WBzBk zH7^2wohLR-!`7_3sCIMzkBf?DP@TfeTK<87k?re=FJY=p_1=NDudBg<46={_X0mCy zoVZ-|nBr{NWAje9=Wsb_!wPgI3lBU|D(eJ&V%#pj&>cq6Ua8l{{l=Kewxwr z@HEpI{U3Q4KDi!yUGr1(hDN}{8#bDggG@LpY}IEluzc9iFrnqNv_P!H!mp^|gUe)2 z$zJZWj`Oq@mg-(EFMd$^p!uUfqV~zn{f+Y%8O`LZ{Mqv*X1%4Lo?Dwj%(S{HT*jb^ zbIo3|*=1(b^e3OJr?q>=vfSnNY{<+Y98c~b zi~6rUxaalRfyu=4M3u)w$=ByS!wz5DuIzg2*M{W`d!6PzNH=l}Olb;Ga{Sdibpc2R zVH~73;i}x%56=bo&Y3Kc;yu>HZAqJo>yW;BtKF*a@T;Z(7&VU{(o%nw1;Lx6XLfnic8kB3g-^QNa? zF3SWsOnFx6ezV)Q^zhu{XMXMFlsxZb)PB*BfGKFwLJbTII@{j!ubT8d`~6YLO^NEM zFT&#_3b?cjju>oS+_fle)Bd@(3)2%A7$p8P5Sc$27#LX@m|3fT)jydo^~~+QW~$fP zORQ3idmW4!TxYpfM&8P~Rw~n+T-q7Z;9SA*l-2M9nzOKRjRhDOoEd~WdaYJ<^DTYj zdQ9n>f=saJe5U)yK6tKxaHl!1kTL+1*beym)c`hD9S7#QsT zHXMJGc0l_1e}iaMLOk9)oW^U~TE}~Kav;IE?kY%ig zzr3pd-R!9sALJk$I!FB7e}?rSaR!qH#^TdqzFYizmKt@-PbmQl5+XP_Kq|Z>%C6`Z z-MQg9P4Ui++WJWxe?=HzwY2VHhgkQknUg#c7P>PqutaP*j~y*0p0YXUVsQc0%u9zA4m+7BI;b#W_yLa%j1CM84hqG-421_&Hk{=tJj%ep zfM}yR9u=C%$Kb%ppv1rsz=+2fs8j%$ZeZ3BX0j1D!tjWZ>+?wsC0_;x1_?%Z(7Njx zAGcV*C<9hYJYmqpr?P=nVM zF!gMB)U4s$W#9w}Jw}O1&Nj@ADi0cY0uO`Y6s(q5;!}gtA@3d|4u;2PHJA>o1U9l1 zfVF<+lzWyh(%8wcfq}sQEJ8fN>}oRUz@k7Ofx|vFlY4obSTzzrp(kL>tn>1WMPjc= z1UD&deTc;zHVmvP2fIWH`gIzPY8>*`xNsPhgFYXV`PeH_a7^X^g9rnI04eDdq+Lz* zy2NKgRat3KLHYx9Y+KaPJ7AtgVnQh;(aVD{5!PGHbWjS5dFUq}6F_y*U!yXds3qa6tQ>t*gs#zL~lx^|Y)3 zgMwsmWRaiU!2_2s`$X-U=ydSK$JG*DOXQn>mc7@MlHbR!Kw^4= z7|jc6fbhuVO;|hYYt=Vi>0`_OEwc69Q#|c{>GN*!%|zAC5R))Sp^ks=SPe7pa#Vde zxACpa{jG~5tWpn1T%K3J@R7vWN0`lf<3;)NRoYnNZ(U;G&%Z!cm@+Uh7;}~|n4eg$Ga=zenRV`E 
zmwA!PUa4x`4N#uIQ2KmY{zkwN71A6K*81%`)KU7z>+=E?o-SJ(V!SaW~I0fwy$7?{owV+gt$g%2lc zEaX<$@Tln}E^|s)V3+gSL13Z2D07?-x>C~k`WA~OEGga*F!!%+s=!i?1I(8-B^YGe zz^RGIJ`|>f-wg%tJ8(uU?9JWHasP@w0|W0`^X<&PcVns~T7;XgWLZI6@ub-N)|LhT z874b0a5Fgls6F_dC19}!(Wam)WbV-_H^1+dFh@DcAf&~CiQS!nU0S|?!Rg}r??NOF zbRn4?misq=MRQ>V?$4_*1r1O!-NqiV&|1dC+ zRFUAfP`Cip)&mX9;a5kBEYmMiRFkXr{}Bc~K}H59CMHH^W)>zUCeR2qBZHu#p<|$c zLSkV+!a{?_i5ndbUVQlBV?o1&|F;-87?~Lv?FD|_?T(p{``LS4UCVv`GoG#5Khl_D zTq4V5i+wl9uG9Y3vNCe_Y4^?+g~|!&*}aKp-{167H^yFM>a0tk-d}aw_s|CTVK2T_I0iMKOK;smYg5# z+?vLuw#Ca!rGqbx?UIUkSG>;+Q=+-|D71) z>?V!1#dpL*#Wo$VH1ZZY>-=Y9rtAT3{Vk8gbj~QnJ?$_)BEeBuASUAG_9RbXThOHK zzdl^#y5n}{^yAk#T$xI~&#g0D9{UQ=6Wc(cFFpnOJ8T!(k{`S+r)SdJSPMlE7A)bA+1 z8vaZniy>%p!K(m~PK_Ip{sM9N}K;wA1+v-I_H3+vBW~h^F_C| zS=0ZD-o?%rJQctBxVx-$#bMZAonnPuqmPpD)_@{QC-Bs|yx? zAFfw35xwFRY4M+dG5f;lO?$NiA{+`eUMz7;H=4WV;*NKA26^iiNlH(NxTcqzA`x%d z)F^-b+SRZu#lDjc{AR~iiTF+oeZHdi7?0z!%}fugh2AnwdvW#4$B(SsUIkwnxD>9W z_tbZt@a{fR^<|sm`{E9_`*jO05*)4e?Zp5j3b)ucbH?j>hJZ<;^3=bkJftKZl8E5S!}m~Y5kUk(>rEN$$O=xZ#3_T+nuk5U-c*HY~wu=AYr$Gsi`9|zSD=zYy*d` zZkDOnLnT4iH6M-FbI*Guwz%s@$CbSI^E(=XS1b;#-*HmL)+=Pr{C8YhK}o_DY_D|u zeytN?^%G8SU9~S&tDsQqjm+VD2_+s)>t}9S#>8>qNBFlHjQ>*CS{?rU&^5R~>+=ph z&lw44qNcwHI4u$Qvz)J3uqHZ`L9*pU!Rcd4N;gzLJT_X;nweU`^=s>in9bU*30Di* z#6AkH{m*b`L$9Nvo4J6r-fKJAON`=ajOM@3JldAJ!8sFm=Sv)~IKR3^KA!P2H%4qTgZ1Bqo1DAuYuRH(8G>_TRyk)KzfBt8fk(I1i%FEPz+~9~p{LN{h1*+99VQYItrMkGf z*O%{}+OfW3;@0IA{GEZJmZ|DT)*Q`w++R^Wq4dG2<{72+-`bgGJXU>t|7%nIYa=iFEwS7`rb+GC6fAOU`>GzZ zor@pExQB|Jl*kJa?YP;<^xzEhzDGB{ew?vQb6%Ea$rX0%*p2%cDtf)IKMGs>C-s=N zQbo2f*2x`Sf>u|(4ytv75{i<8?w5uJ4B6>kvJ4(VER~2(8M|r0>9na7cVQS;J zdgWkhjHiyPT+;0h#Z9a`r^WS1aHgMD>IgXVOgrn*ZH>HuXs*>kTeGHW+!j$>@u4rM zk?B$Irmj1Sj!rUUo|nq2_fUGmi5(}T)O;U?i{745$QE+x8SC?a(la-`rk>II{58Ne zs?*o8QcsU3q%cmxvSD4oouWgn1||~@&)hnzC!1-h_FQM}IR`wFX52d>BG6c&R?Lyh z-qk6UIF%*pS^m*zp&8AEg?hOh8aElX8_bZ1IwQXx@`ZyPR(+s45qqnK;8@M{8$=vDhL}v!0j(t`gP_41#7!5eXkN((G=! 
zY>M4-s4Gz5La)IYZo{r5Zqtq;9^@ryKWvhWLZ`*>yins8;~O~J!LdtN8M z+>j@-DRDNtO!bdvZT=FD`OGP9Y$w_ck8z|}?cjAt=n-0-bY$im z4R>mOx{b4LTbs#2!Rdx=hQflJGaSo7LYC+9$H0hXKN;KmCKwI+W2V7oll`CF0wCFwHvC-a?vQFdH&PN&?5{FxPHZ8d3S#D5XtngB@ zIsQtTW86j2i89(bv1 z&dmoR2Bti$zKt)|#ApaLu?5GKKbZA+(SL?m2g|w(zA9X;Ttz-xu5aA%G(ac9lF zG{PN43`VCiRxMneJ@jZ6JOS#5SFDqf4 zUgUw)^#3A(#qcU8ULow{`QwA0noPN#0VboX?*?wxH>Q9rlje{Ea#C)V4$ zT=&lQotbsI{~2E9%m4e&aQ&`ht|QZx3(|9Da4oXVd{nb^cSEvVf?R@CYIXlU%ViJv z;#9Nc6y*Y^S|;4GOj0=O^KxZyuGd)?xA_b^6n@UtQ(DAW-nq0#_ssf2HMW{Xhk3HD z9$US~+p?ipXgkB(^;`#h-%qrhQgB>8-ZN}*ZaZ6_g1gRU-&sw(@kfIE6a~*4>TzsX zanSF9P)9&k&Dn@GT{juE*wY`{mGAW4(YT>8amVG5{VYsTSI%6VE;)6Dprh`y^eqi4 zeO`?Vu7oIBD7(vfb4(Z9#CoCTsBWZzv`d%nUf&Rt1E%IejqY!>X3iBnwWBX;T4LXG zo~feu4eljgG4hj4>eJHw-od57WO$NG&S;jK#fMynKp7Q|y%k;x8p>yOdWNN}Dilz1 z{oqn`hAmx^)nQ?hMa1f0qs8AGT5oHIURk^Pjq=j=ouRka3JR_4Kf_wMLtwSf0>=bT z^Fo6dSL^v2noi}sK?aM3rUq@A)#!5m@UiKCBV$Nj0MOsn` z2GVI0vs9;?nwwN4x5eT&i&CcUi+MkrB8-<-bVUn@X|Z|C+}O1)LZ4Z5I=?1&;);ds zhusz}IqUdN!O2@%;L)5Tn}mKQ&PcIJjTUCzm}Mbk(y_DIg?n12k-~blat1Bdss=-` zlofMpn?HRBl>I0eZJ5}ZTP12PbuDRy&K!gHnW{ewx+Nz?T;8$bz~vc?JZs9L_oZqr zh!k5aG;e1^tiZ;FQ<*I0xaxZ4@dj~Ji7jMXEOhR~iKOr~!76Kmd}<50Hra73z2V)p zN9exCg&zmSw62tEJ#ES|KT>KKP+WRPG~<}UiXPj(w5OJRVJFi(TnrgZPKN}Yy>!ZJ z>tV}2wLft+I!1TYo^+e_wR9ATev4S$pPYR$Xe&=Jz5?rY(!# z64l$on6fgx^Vr-Y+g3G&T$b!oUN7cluHm?1;;E?jm$z=}-Vydx!<^OV?qQ>kFF4k5 znfW|z{m)Re=xpU10|*E{hr#;5d-VxpGBi5Nqn z8wTG_drf5u5$g#$-KRQ3Dv__;KHG%9mG|IQ^Rq|Rvz|&)pXf8`Qt#x_e-}mVQ&?|5 zyBR9Eeq!+%fne5}K=Iritn1PhMA!UWuc4E{RFJ7%wx&CE1Jjp-n^=NNkBAiV_Dri3 z(F$J>tg>ZsN^Sq9cdR|%JKAncJ$S`c*@7ilq{|@u%nPl|ZIO+$8VV*lhil&16saxn zOysxH9jPg*^N(mv?0K5J@n2f}&zWU{Q-f-%*k*&`KFRAt^9&9bgEtLvi7O0w^%7bu zk8BY$oc&JMPrWXXGQzh;UEuSK#_&cCI{KUM}WGiM6C zBmLX=c8cGjr7L-_obK^bxOMkP@acjpsYiHaPMPPpPFw2OxxBfnF>sEw$+d6jC=2h&R#5cSzc@Q6qcO6SRb?eV5MXW#9$8!Dn!7S8o{@S$Q^5E{mw=-}V1hwFVxhyrjg18p zCLa6%9{XYfjeY&TYg(v1E9=*9!Pp5Qp?7#MT`}r@f<(ul~l{aK>D>-r7HJjGpRwaIbjlyR;+!e%#{d#-d|S zm3=DKKjC%J`_;8`ec)n$=Aa2{mR|j*q#2#qA(0THR(c>Y;o|yzT15_G=A4Q4?^g&F 
z3r34F)E8)&bhvF0m=41Q}^U^ zHs-Q-w%-1;E4aE-EMtZ_tKmf>nf-T)#X
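Review bot: this region is the base85 literal payload of a git binary patch, so nothing here can be reviewed by reading the diff; before merging, decode or check out the blob and confirm it is exactly the asset you intended to add (and carries nothing unexpected, such as embedded metadata), since a binary commit is otherwise opaque to reviewers and stays in the repository history permanently.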