From e905220f61dfb32ef69281a2f209dfc94c20b3f2 Mon Sep 17 00:00:00 2001 From: TC1977 <37350377+TC1977@users.noreply.github.com> Date: Wed, 9 May 2018 16:14:31 -0400 Subject: [PATCH 01/91] Update config.cfg (#936) Fix typos - this puzzled me when I was attempting to install algo with dnscrypt last week. --- config.cfg | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config.cfg b/config.cfg index 6c38dc93..02a9ec54 100644 --- a/config.cfg +++ b/config.cfg @@ -29,7 +29,7 @@ adblock_lists: - "https://www.malwaredomainlist.com/hostslist/hosts.txt" - "https://hosts-file.net/ad_servers.txt" -# Enalbe DNS encryption. Use dns_encrypted_provider to specify the provider. If false dns_servers should be specified +# Enable DNS encryption. Use dns_encryption_provider to specify the provider. If false dns_servers should be specified dns_encryption: true # Possible values: google, cloudflare From 6f3ec658fe73ce2d85e60d628c9aaafb882d186b Mon Sep 17 00:00:00 2001 From: Jack Ivanov <17044561+jackivanov@users.noreply.github.com> Date: Thu, 10 May 2018 09:03:05 +0300 Subject: [PATCH 02/91] Move to LXD (#935) --- .travis.yml | 35 +++++++++++++++++++---------------- tests/local-deploy.sh | 2 +- tests/lxd-bridge | 16 ++++++++++++++++ tests/update-users.sh | 2 +- 4 files changed, 37 insertions(+), 18 deletions(-) create mode 100644 tests/lxd-bridge diff --git a/.travis.yml b/.travis.yml index 6971d1ff..e3ccf43a 100644 --- a/.travis.yml +++ b/.travis.yml @@ -13,15 +13,20 @@ matrix: addons: apt: sources: - - sourceline: 'ppa:ubuntu-lxc/stable' + - sourceline: 'ppa:ubuntu-lxc/stable' packages: - - python-pip - - lxc - - lxc-templates - - expect-dev - - debootstrap - - shellcheck - - tree + - python-pip + - lxd + - expect-dev + - debootstrap + - shellcheck + - tree + - bridge-utils + - dnsutils + - build-essential + - libssl-dev + - libffi-dev + - python-dev cache: directories: 
@@ -43,16 +48,14 @@ before_install: install: - sudo tar xf $HOME/lxc/cache.tar -C / || echo "Didn't extract cache." - - export LXC_ROOTFS=/var/lib/lxc/$LXC_NAME/rootfs - - 'sudo lxc-create -n $LXC_NAME -t ubuntu -- -r $LXC_RELEASE --mirror http://mirrors.us.kernel.org/ubuntu --packages python || true' - - 'sudo lxc-start -n $LXC_NAME && until (sudo lxc-info -n $LXC_NAME | grep -q ^IP:); do printf . && sleep 1; done && sleep 2' - - export LXC_IP="$(sudo lxc-info -Hin $LXC_NAME)" - - sudo /bin/bash -c "printf '\n$LXC_IP test.lxc\n' >> /etc/hosts" - ssh-keygen -f ~/.ssh/id_rsa -t rsa -N '' - chmod 0644 ~/.ssh/config - - sudo mkdir -vm 0700 $LXC_ROOTFS/root/.ssh/ - - sudo cp -v ~/.ssh/id_rsa.pub $LXC_ROOTFS/root/.ssh/authorized_keys - - sudo apt-get install build-essential libssl-dev libffi-dev python-dev + - echo -e "#cloud-config\nssh_authorized_keys:\n - $(cat ~/.ssh/id_rsa.pub)" | sudo lxc profile set default user.user-data - + - sudo cp -f tests/lxd-bridge /etc/default/lxd-bridge + - sudo service lxd restart + - sudo lxc launch ${LXC_DISTRO}:${LXC_RELEASE} ${LXC_NAME} + - until host ${LXC_NAME}.lxd 10.0.8.1 -t A; do sleep 3; done + - export LXC_IP="$(dig ${LXC_NAME}.lxd @10.0.8.1 +short)" - pip install -r requirements.txt - pip install ansible-lint - gem install awesome_bot diff --git a/tests/local-deploy.sh b/tests/local-deploy.sh index 5cb7c3f2..c151488f 100755 --- a/tests/local-deploy.sh +++ b/tests/local-deploy.sh @@ -2,7 +2,7 @@ set -ex -DEPLOY_ARGS="server_ip=$LXC_IP server_user=root IP_subject_alt_name=$LXC_IP local_dns=true dns_over_https=true apparmor_enabled=false" +DEPLOY_ARGS="server_ip=$LXC_IP server_user=ubuntu IP_subject_alt_name=$LXC_IP local_dns=true dns_over_https=true apparmor_enabled=false" if [ "${LXC_NAME}" == "docker" ] then diff --git a/tests/lxd-bridge b/tests/lxd-bridge new file mode 100644 index 00000000..0614e87b --- /dev/null +++ b/tests/lxd-bridge 
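Review bot: The new wait step `until host ${LXC_NAME}.lxd 10.0.8.1 -t A; do sleep 3; done` has no upper bound, so a container that never gets a lease or never registers in DNS stalls the job until the CI service kills it. Bound the wait so the failure is explicit, for example `- timeout 120 bash -c 'until host "${LXC_NAME}.lxd" 10.0.8.1 -t A; do sleep 3; done'`. The following `export LXC_IP="$(dig ... +short)"` does not check for an empty answer, so a guard such as `- test -n "$LXC_IP"` after it would stop later steps from running with an empty address. The resolver address `10.0.8.1` is also repeated here and in `tests/lxd-bridge` (`LXD_IPV4_ADDR`); a comment tying the two together would help whoever changes one of them.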
@@ -0,0 +1,16 @@ +USE_LXD_BRIDGE="true" +LXD_BRIDGE="lxdbr0" +UPDATE_PROFILE="true" +LXD_CONFILE="" +LXD_DOMAIN="lxd" +LXD_IPV4_ADDR="10.0.8.1" +LXD_IPV4_NETMASK="255.255.255.0" +LXD_IPV4_NETWORK="10.0.8.0/24" +LXD_IPV4_DHCP_RANGE="10.0.8.2,10.0.8.254" +LXD_IPV4_DHCP_MAX="250" +LXD_IPV4_NAT="true" +LXD_IPV6_ADDR="" +LXD_IPV6_MASK="" +LXD_IPV6_NETWORK="" +LXD_IPV6_NAT="false" +LXD_IPV6_PROXY="true" diff --git a/tests/update-users.sh b/tests/update-users.sh index df7066d1..8122a156 100755 --- a/tests/update-users.sh +++ b/tests/update-users.sh @@ -3,7 +3,7 @@ set -ex CAPW=`cat /tmp/ca_password` -USER_ARGS="server_ip=$LXC_IP server_user=root ssh_tunneling_enabled=y IP_subject=$LXC_IP easyrsa_CA_password=$CAPW" +USER_ARGS="server_ip=$LXC_IP server_user=ubuntu ssh_tunneling_enabled=y IP_subject=$LXC_IP easyrsa_CA_password=$CAPW" sed -i 's/- jack$/- jack_test/' config.cfg From 0de0952cf00a518ec5424ca966aeaf576260b15e Mon Sep 17 00:00:00 2001 From: Alexey Bogomolov <11698866+movalex@users.noreply.github.com> Date: Fri, 18 May 2018 12:35:56 +0300 Subject: [PATCH 03/91] fix requirements.txt SecretStorage version (#914) Related to issue #877. Latest SecretStorage build requires Python '>=3.5' but Algo is running on Python 2 --- requirements.txt | 1 + 1 file changed, 1 insertion(+) diff --git a/requirements.txt b/requirements.txt index e7443ab0..dae2ab65 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,4 +1,5 @@ setuptools>=11.3 +SecretStorage < 3 ansible[azure]==2.4.3 dopy==0.3.5 boto>=2.5 From 9fdbfb0977147beba8fc681a46413e22018b2615 Mon Sep 17 00:00:00 2001 
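Review bot: In `tests/update-users.sh` the changed `USER_ARGS=` line still embeds `easyrsa_CA_password=$CAPW` while `set -ex` is active, so xtrace prints the CA password read from `/tmp/ca_password` into the build log with the variable expanded. Disable tracing around the secret (`set +x` before the `CAPW=` line, `set -x` only after the last command that expands `$USER_ARGS`). Better still, pass the password through a file or environment variable instead of the argument string, since arguments are also visible in the process list. The command that consumes `USER_ARGS` is outside the hunk, so the exact place to re-enable tracing needs checking there. While touching the line, ``CAPW=`cat /tmp/ca_password` `` could become `CAPW=$(cat /tmp/ca_password)`.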
From: Stijn Balk Date: Wed, 23 May 2018 19:17:10 +0300 Subject: [PATCH 04/91] Update GCP regions (#957) * Update GCP regions according to https://cloud.google.com/compute/docs/regions-zones/ * Update GCP regions according to https://cloud.google.com/compute/docs/regions-zones/ * set default back to belgium B --- algo | 170 +++++++++++++++++++++++++++++++++-------------------------- 1 file changed, 95 insertions(+), 75 deletions(-) diff --git a/algo b/algo index 7b4d4377..8091789d 100755 --- a/algo +++ b/algo 
@@ -425,84 +425,104 @@ Name the vpn server: read -p " What zone should the server be located in? - 1. Western US (Oregon A) - 2. Western US (Oregon B) - 3. Western US (Oregon C) - 4. Central US (Iowa A) - 5. Central US (Iowa B) - 6. Central US (Iowa C) - 7. Central US (Iowa F) - 8. Eastern US (Northern Virginia A) - 9. Eastern US (Northern Virginia B) - 10. Eastern US (Northern Virginia C) - 11. Eastern US (South Carolina B) - 12. Eastern US (South Carolina C) - 13. Eastern US (South Carolina D) - 14. Western Europe (Belgium B) - 15. Western Europe (Belgium C) - 16. Western Europe (Belgium D) - 17. Western Europe (London A) - 18. Western Europe (London B) - 19. Western Europe (London C) - 20. Western Europe (Frankfurt A) - 21. Western Europe (Frankfurt B) - 22. Western Europe (Frankfurt C) - 23. Southeast Asia (Singapore A) - 24. Southeast Asia (Singapore B) - 25. East Asia (Taiwan A) - 26. East Asia (Taiwan B) - 27. East Asia (Taiwan C) - 28. Northeast Asia (Tokyo A) - 29. Northeast Asia (Tokyo B) - 30. Northeast Asia (Tokyo C) - 31. Australia (Sydney A) - 32. Australia (Sydney B) - 33. Australia (Sydney C) - 34. South America (São Paulo A) - 35. South America (São Paulo B) - 36. South America (São Paulo C) + 1. Eastern Canada (Montreal A) + 2. Eastern Canada (Montreal B) + 3. Eastern Canada (Montreal C) + 4. Central US (Iowa A) + 5. Central US (Iowa B) + 6. Central US (Iowa C) + 7. Central US (Iowa F) + 8. Western US (Oregon A) + 9. Western US (Oregon B) + 10. Western US (Oregon C) + 11. Eastern US (Northern Virginia A) + 12. Eastern US (Northern Virginia B) + 13. Eastern US (Northern Virginia C) + 14. Eastern US (South Carolina B) + 15. Eastern US (South Carolina C) + 16. Eastern US (South Carolina D) + 17. South America East (São Paulo A) + 18. South America East (São Paulo B) + 19. South America East (São Paulo C) + 20. Western Europe (Belgium B) + 21. Western Europe (Belgium C) + 22. Western Europe (Belgium D) + 23. Western Europe (London A) + 24. 
Western Europe (London B) + 25. Western Europe (London C) + 26. Western Europe (Frankfurt A) + 27. Western Europe (Frankfurt B) + 28. Western Europe (Frankfurt C) + 29. Western Europe (Netherlands A) + 30. Western Europe (Netherlands B) + 31. Western Europe (Netherlands C) + 32. South Asia (Mumbai A) + 33. South Asia (Mumbai B) + 34. South Asia (Mumbai C) + 35. Southeast Asia (Singapore A) + 36. Southeast Asia (Singapore B) + 37. Southeast Asia (Singapore C) + 38. East Asia (Taiwan A) + 39. East Asia (Taiwan B) + 40. East Asia (Taiwan C) + 41. Northeast Asia (Tokyo A) + 42. Northeast Asia (Tokyo B) + 43. Northeast Asia (Tokyo C) + 44. Australia (Sydney A) + 45. Australia (Sydney B) + 46. Australia (Sydney C) -Please choose the number of your zone. Press enter for default (#14) zone. -[14]: " -r region - region=${region:-14} +Please choose the number of your zone. Press enter for default (#20) zone. +[20]: " -r region + region=${region:-20} case "$region" in - 1) zone="us-west1-a" ;; - 2) zone="us-west1-b" ;; - 3) zone="us-west1-c" ;; - 4) zone="us-central1-a" ;; - 5) zone="us-central1-b" ;; - 6) zone="us-central1-c" ;; - 7) zone="us-central1-f" ;; - 8) zone="us-east4-a" ;; - 9) zone="us-east4-b" ;; - 10) zone="us-east4-c" ;; - 11) zone="us-east1-b" ;; - 12) zone="us-east1-c" ;; - 13) zone="us-east1-d" ;; - 14) zone="europe-west1-b" ;; - 15) zone="europe-west1-c" ;; - 16) zone="europe-west1-d" ;; - 17) zone="europe-west2-a" ;; - 18) zone="europe-west2-b" ;; - 19) zone="europe-west2-c" ;; - 20) zone="europe-west3-a" ;; - 21) zone="europe-west3-b" ;; - 22) zone="europe-west3-c" ;; - 23) zone="asia-southeast1-a" ;; - 24) zone="asia-southeast1-b" ;; - 25) zone="asia-east1-a" ;; - 26) zone="asia-east1-b" ;; - 27) zone="asia-east1-c" ;; - 28) zone="asia-northeast1-a" ;; - 29) zone="asia-northeast1-b" ;; - 30) zone="asia-northeast1-c" ;; - 31) zone="australia-southeast1-a" ;; - 32) zone="australia-southeast1-b" ;; - 33) zone="australia-southeast1-c" ;; - 34) 
zone="southamerica-east1-a" ;; - 35) zone="southamerica-east1-b" ;; - 36) zone="southamerica-east1-c" ;; + 1) zone="northamerica-northeast1-a" ;; + 2) zone="northamerica-northeast1-b" ;; + 3) zone="northamerica-northeast1-c" ;; + 4) zone="us-central1-a" ;; + 5) zone="us-central1-b" ;; + 6) zone="us-central1-c" ;; + 7) zone="us-central1-f" ;; + 8) zone="us-west1-a" ;; + 9) zone="us-west1-b" ;; + 10) zone="us-west1-c" ;; + 11) zone="us-east4-a" ;; + 12) zone="us-east4-b" ;; + 13) zone="us-east4-c" ;; + 14) zone="us-east1-b" ;; + 15) zone="us-east1-c" ;; + 16) zone="us-east1-d" ;; + 17) zone="southamerica-east1-a" ;; + 18) zone="southamerica-east1-b" ;; + 19) zone="southamerica-east1-c" ;; + 20) zone="europe-west1-b" ;; + 21) zone="europe-west1-c" ;; + 22) zone="europe-west1-d" ;; + 23) zone="europe-west2-a" ;; + 24) zone="europe-west2-b" ;; + 25) zone="europe-west2-c" ;; + 26) zone="europe-west3-a" ;; + 27) zone="europe-west3-b" ;; + 28) zone="europe-west3-c" ;; + 29) zone="europe-west4-a" ;; + 30) zone="europe-west4-b" ;; + 31) zone="europe-west4-c" ;; + 32) zone="asia-south1-a" ;; + 33) zone="asia-south1-b" ;; + 34) zone="asia-south1-c" ;; + 35) zone="asia-southeast1-a" ;; + 36) zone="asia-southeast1-b" ;; + 37) zone="asia-southeast1-c" ;; + 38) zone="asia-east1-a" ;; + 39) zone="asia-east1-b" ;; + 40) zone="asia-east1-c" ;; + 41) zone="asia-northeast1-a" ;; + 42) zone="asia-northeast1-b" ;; + 43) zone="asia-northeast1-c" ;; + 44) zone="australia-southeast1-a" ;; + 45) zone="australia-southeast1-b" ;; + 46) zone="australia-southeast1-c" ;; esac ROLES="gce vpn cloud" From 87836e0358c3ae7e408aaae1b6fb11b7a4850064 Mon Sep 17 00:00:00 2001 From: Evgeny Aleksandrov Date: Thu, 24 May 2018 09:00:38 +0300 Subject: [PATCH 05/91] Fix typo (#960) --- .../tasks/{ipec_configuration.yml => ipsec_configuration.yml} | 0 roles/vpn/tasks/main.yml | 2 +- 2 files changed, 1 insertion(+), 1 deletion(-) rename roles/vpn/tasks/{ipec_configuration.yml => ipsec_configuration.yml} (100%) 
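Review bot: The rewritten `case "$region" in` block maps 1–46 to zones but has no default arm, so input outside that range (a typo, `47`, or a number from the old list's mental model) leaves `zone` unset. The script then carries on to `ROLES="gce vpn cloud"`. The provider menu elsewhere in this script ends with `*) exit 1 ;;`; the same guard fits here, e.g. `*) echo "Invalid zone selection: $region" >&2; exit 1 ;;` placed before `esac`. How `zone` is consumed afterwards is outside the hunk, so the failure is presumably a late and less readable error from the provisioning step. Because the renumbering also moved every entry (the default went from 14 to 20), any documentation or automation that feeds a number into this prompt should be re-checked.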
diff --git a/roles/vpn/tasks/ipec_configuration.yml b/roles/vpn/tasks/ipsec_configuration.yml similarity index 100% rename from roles/vpn/tasks/ipec_configuration.yml rename to roles/vpn/tasks/ipsec_configuration.yml diff --git a/roles/vpn/tasks/main.yml b/roles/vpn/tasks/main.yml index e0d0d1bf..003c4761 100644 --- a/roles/vpn/tasks/main.yml +++ b/roles/vpn/tasks/main.yml @@ -15,7 +15,7 @@ - name: Install strongSwan package: name=strongswan state=present - - include_tasks: ipec_configuration.yml + - include_tasks: ipsec_configuration.yml - include_tasks: openssl.yml tags: update-users - include_tasks: distribute_keys.yml From d9dc68164f80520e263f8cca6c138f58e590c1a0 Mon Sep 17 00:00:00 2001 From: Evgeny Aleksandrov Date: Thu, 24 May 2018 09:01:26 +0300 Subject: [PATCH 06/91] Remove algo_params (#961) --- roles/vpn/tasks/openssl.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/vpn/tasks/openssl.yml b/roles/vpn/tasks/openssl.yml index 8dbd4ef8..053470fb 100644 --- a/roles/vpn/tasks/openssl.yml +++ b/roles/vpn/tasks/openssl.yml @@ -44,7 +44,7 @@ shell: > {{ openssl_bin }} ecparam -name prime256v1 -out ecparams/prime256v1.pem && {{ openssl_bin }} req -utf8 -new - -newkey {{ algo_params | default('ec:ecparams/prime256v1.pem') }} + -newkey ec:ecparams/prime256v1.pem -config <(cat openssl.cnf <(printf "[basic_exts]\nsubjectAltName={{ subjectAltName }}")) -keyout private/cakey.pem -out cacert.pem -x509 -days 3650 @@ -71,7 +71,7 @@ - name: Build the server pair shell: > {{ openssl_bin }} req -utf8 -new - -newkey {{ algo_params | default('ec:ecparams/prime256v1.pem') }} + -newkey ec:ecparams/prime256v1.pem -config <(cat openssl.cnf <(printf "[basic_exts]\nsubjectAltName={{ subjectAltName }}")) -keyout private/{{ IP_subject_alt_name }}.key -out reqs/{{ IP_subject_alt_name }}.req -nodes 
@@ -93,7 +93,7 @@ - name: Build the client's pair shell: > {{ openssl_bin }} req -utf8 -new - -newkey {{ algo_params | default('ec:ecparams/prime256v1.pem') }} + -newkey ec:ecparams/prime256v1.pem -config <(cat openssl.cnf <(printf "[basic_exts]\nsubjectAltName=DNS:{{ item }}")) -keyout private/{{ item }}.key -out reqs/{{ item }}.req -nodes From d27b849f24a4d69531601ec09692bc080993546a Mon Sep 17 00:00:00 2001 From: Jack Ivanov <17044561+jackivanov@users.noreply.github.com> Date: Thu, 24 May 2018 17:08:14 +0300 Subject: [PATCH 07/91] Ubuntu1804 (#925) - Fixes #897 #944 #956 Work in progress. Lightsail is not ready for Ubuntu 18.04 yet - [x] DigitalOcean ~~- [ ] Amazon Lightsail~~ - [x] Amazon EC2 - [x] Microsoft Azure - [x] Google Compute Engine - [x] Scaleway - [x] OpenStack (DreamCompute optimised) --- .travis.yml | 7 ++-- algo | 34 +++++++++---------- config.cfg | 14 ++++---- deploy.yml | 1 - playbooks/common.yml | 2 +- playbooks/ubuntu.yml | 7 +++- roles/cloud-ec2/files/stack.yml | 18 ++-------- roles/cloud-scaleway/tasks/image_facts.yml | 9 +++++ roles/cloud-scaleway/tasks/main.yml | 24 ++++++++----- roles/common/handlers/main.yml | 7 ++-- roles/common/tasks/ubuntu.yml | 33 ++++++------------ .../common/templates/10-algo-lo100.network.j2 | 7 ++++ .../templates/10-loopback-services.cfg.j2 | 9 ----- roles/dns_encryption/tasks/ubuntu.yml | 20 +++++------ 14 files changed, 91 insertions(+), 101 deletions(-) create mode 100644 roles/cloud-scaleway/tasks/image_facts.yml create mode 100644 roles/common/templates/10-algo-lo100.network.j2 delete mode 100644 roles/common/templates/10-loopback-services.cfg.j2 diff --git a/.travis.yml b/.travis.yml index e3ccf43a..b06bf3b6 100644 --- a/.travis.yml +++ b/.travis.yml 
@@ -35,13 +35,12 @@ cache: before_cache: - mkdir $HOME/lxc - - sudo tar cf $HOME/lxc/cache.tar /var/cache/lxc/ + - sudo tar cf $HOME/lxc/cache.tar /var/lib/lxd/images/ - sudo chown $USER. $HOME/lxc/cache.tar env: - - LXC_NAME=ubuntu1604 LXC_DISTRO=ubuntu LXC_RELEASE=xenial - - LXC_NAME=ubuntu1710 LXC_DISTRO=ubuntu LXC_RELEASE=artful - - LXC_NAME=docker LXC_DISTRO=ubuntu LXC_RELEASE=artful + - LXC_NAME=ubuntu1804 LXC_DISTRO=ubuntu LXC_RELEASE=18.04 + - LXC_NAME=docker LXC_DISTRO=ubuntu LXC_RELEASE=18.04 before_install: - test "${LXC_NAME}" != "docker" || docker build -t travis/algo . diff --git a/algo b/algo index 8091789d..73e39657 100755 --- a/algo +++ b/algo @@ -211,7 +211,7 @@ Name the vpn server: 10. Singapore 11. Toronto 12. Bangalore - + Enter the number of your desired region: [7]: " -r region region=${region:-7} @@ -273,7 +273,7 @@ Name the vpn server: 14. ap-southeast-2 Asia Pacific (Sydney) 15. ap-south-1 Asia Pacific (Mumbai) 16. sa-east-1 South America (São Paulo) - + Enter the number of your desired region: [1]: " -r aws_region aws_region=${aws_region:-1} @@ -335,7 +335,7 @@ Name the vpn server: 10. eu-central-1 EU (Frankfurt) 11. eu-west-1 EU (Ireland) 12. eu-west-2 EU (London) - + Enter the number of your desired region: [1]: " -r algo_region algo_region=${algo_region:-1} @@ -471,7 +471,7 @@ Name the vpn server: 44. Australia (Sydney A) 45. Australia (Sydney B) 46. Australia (Sydney C) - + Please choose the number of your zone. Press enter for default (#20) zone. [20]: " -r region region=${region:-20} 
@@ -575,13 +575,12 @@ algo_provisioning () { echo -n " What provider would you like to use? 1. DigitalOcean - 2. Amazon Lightsail - 3. Amazon EC2 - 4. Microsoft Azure - 5. Google Compute Engine - 6. Scaleway - 7. OpenStack (DreamCompute optimised) - 8. Install to existing Ubuntu 16.04 server (Advanced) + 2. Amazon EC2 + 3. Microsoft Azure + 4. Google Compute Engine + 5. Scaleway + 6. OpenStack (DreamCompute optimised) + 7. Install to existing Ubuntu 16.04 server (Advanced) Enter the number of your desired provider : " @@ -590,13 +589,12 @@ Enter the number of your desired provider case "$N" in 1) digitalocean; ;; - 2) lightsail; ;; - 3) ec2; ;; - 4) azure; ;; - 5) gce; ;; - 6) scaleway; ;; - 7) openstack; ;; - 8) non_cloud; ;; + 2) ec2; ;; + 3) azure; ;; + 4) gce; ;; + 5) scaleway; ;; + 6) openstack; ;; + 7) non_cloud; ;; *) exit 1 ;; esac diff --git a/config.cfg b/config.cfg index 02a9ec54..e71e7d01 100644 --- a/config.cfg +++ b/config.cfg @@ -80,29 +80,29 @@ cloud_providers: image: offer: UbuntuServer publisher: Canonical - sku: '16.04-LTS' # 16.04-LTS / 17.04 + sku: '18.04-LTS' version: latest digitalocean: size: s-1vcpu-1gb - image: "ubuntu-16-04-x64" # ubuntu-16-04-x64 / ubuntu-17-10-x64 + image: "ubuntu-18-04-x64" ec2: size: t2.micro image: - name: "ubuntu-xenial-16.04" # ubuntu-xenial-16.04 / ubuntu-zesty-17.04 + name: "ubuntu-bionic-18.04" owner: "099720109477" gce: size: f1-micro - image: ubuntu-1604 # ubuntu-1604 / ubuntu-1704 + image: ubuntu-1804 lightsail: size: nano_1_0 image: ubuntu_16_04 scaleway: - size: VC1S - image: Ubuntu Xenial + size: START1-S + image: Ubuntu Bionic Beaver arch: x86_64 openstack: flavor_ram: ">=512" - image: Ubuntu-16.04 + image: Ubuntu-18.04 local: fail_hint: diff --git a/deploy.yml b/deploy.yml index 5ee93809..e58f3c5a 100644 --- a/deploy.yml +++ b/deploy.yml 
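Review bot: The renumbered provider menu keeps the label `7. Install to existing Ubuntu 16.04 server (Advanced)`, while the rest of this commit moves the default images to 18.04. If the existing-server path is now meant for 18.04 as well, the label should say so, e.g. `7. Install to existing Ubuntu 18.04 server (Advanced)`; if 16.04 is still the only supported target there, a short comment stating that would avoid confusion. The menu also drops Lightsail while `config.cfg` keeps its `lightsail` block, so a one-line comment near the menu explaining that it is disabled until an 18.04 image exists would make the gap intentional to the next reader. `algo_provisioning` starts and ends outside the hunk.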
@@ -26,7 +26,6 @@ - { role: cloud-ec2, tags: ['ec2'] } - { role: cloud-gce, tags: ['gce'] } - { role: cloud-azure, tags: ['azure'] } - - { role: cloud-lightsail, tags: ['lightsail'] } - { role: cloud-scaleway, tags: ['scaleway'] } - { role: cloud-openstack, tags: ['openstack'] } - { role: local, tags: ['local'] } diff --git a/playbooks/common.yml b/playbooks/common.yml index 5628c37f..e0aea2bb 100644 --- a/playbooks/common.yml +++ b/playbooks/common.yml @@ -6,7 +6,7 @@ - name: Ubuntu pre-tasks include_tasks: ubuntu.yml - when: '"Ubuntu" in OS.stdout' + when: '"Ubuntu" in OS.stdout or "Linux" in OS.stdout' - name: FreeBSD pre-tasks include_tasks: freebsd.yml diff --git a/playbooks/ubuntu.yml b/playbooks/ubuntu.yml index d67cbde4..bf7ac5b5 100644 --- a/playbooks/ubuntu.yml +++ b/playbooks/ubuntu.yml @@ -1,7 +1,12 @@ --- - name: Ubuntu | Install prerequisites - raw: sleep 10 && sudo apt-get update -qq && sudo apt-get install -qq -y python2.7 + raw: "{{ item }}" + with_items: + - sleep 10 + - apt-get update -qq + - apt-get install -qq -y python2.7 sudo + become: true - name: Ubuntu | Configure defaults raw: sudo update-alternatives --install /usr/bin/python python /usr/bin/python2.7 1 diff --git a/roles/cloud-ec2/files/stack.yml b/roles/cloud-ec2/files/stack.yml index 7f814e35..5a8abf52 100644 --- a/roles/cloud-ec2/files/stack.yml +++ b/roles/cloud-ec2/files/stack.yml @@ -147,11 +147,6 @@ Resources: Metadata: AWS::CloudFormation::Init: config: - users: - ubuntu: - groups: - - "sudo" - homeDir: "/home/ubuntu/" files: /home/ubuntu/.ssh/authorized_keys: content: 
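Review bot: The widened condition in `playbooks/common.yml`, `when: '"Ubuntu" in OS.stdout or "Linux" in OS.stdout'`, matches any host whose probe output contains "Linux", not only Ubuntu. A Debian, CentOS or other Linux target would then run the Ubuntu pre-tasks, whose `apt-get` commands either fail or modify a system the playbook was not written for. If the intent is to cope with 18.04 images that report differently, match on something Ubuntu-specific (for example the `ID=ubuntu` field of `/etc/os-release`) and fail with a clear message otherwise. The task that registers `OS` is outside the hunk, so the exact probe output should be confirmed there.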
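Review bot: In `playbooks/ubuntu.yml` the prerequisites task now runs with `become: true` and installs `sudo` in its last item, which is circular when the default become method is sudo: on an image without sudo the first `raw` item already fails, before the package can be installed. The become method is configured outside this hunk, so this is inferred. If such images are in scope the task has to run as root without privilege escalation; otherwise `sudo` can be dropped from the package list. The next task still calls `raw: sudo update-alternatives ...` directly, so the two tasks now escalate in different ways; using `become: true` on both, with a comment such as `# raw is used because Python is not installed yet`, would keep them consistent.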
@@ -173,18 +168,9 @@ Resources: "Fn::Base64": !Sub | #!/bin/bash -xe - # http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-migrate-ipv6.html - # https://bugs.launchpad.net/ubuntu/+source/ifupdown/+bug/1013597 - cat < /etc/network/interfaces.d/60-default-with-ipv6.cfg - iface eth0 inet6 dhcp - up sysctl net.ipv6.conf.\$IFACE.accept_ra=2 - pre-down ip link set dev \$IFACE up - EOF - ifdown eth0; ifup eth0 - dhclient -6 apt-get update - apt-get -y install python-setuptools - easy_install https://s3.amazonaws.com/cloudformation-examples/aws-cfn-bootstrap-latest.tar.gz + apt-get -y install python-pip + pip install https://s3.amazonaws.com/cloudformation-examples/aws-cfn-bootstrap-latest.tar.gz cfn-init -v --stack ${AWS::StackName} --resource EC2Instance --region ${AWS::Region} cfn-signal -e $? --stack ${AWS::StackName} --resource EC2Instance --region ${AWS::Region} Tags: diff --git a/roles/cloud-scaleway/tasks/image_facts.yml b/roles/cloud-scaleway/tasks/image_facts.yml new file mode 100644 index 00000000..1faa3d33 --- /dev/null +++ b/roles/cloud-scaleway/tasks/image_facts.yml @@ -0,0 +1,9 @@ +--- +- name: Set image id as a fact + set_fact: + image_id: "{{ item.id }}" + no_log: true + when: + - cloud_providers.scaleway.image == item.name + - cloud_providers.scaleway.arch == item.arch + with_items: "{{ outer_item['json']['images'] }}" diff --git a/roles/cloud-scaleway/tasks/main.yml b/roles/cloud-scaleway/tasks/main.yml index 805b4de4..7664d278 100644 --- a/roles/cloud-scaleway/tasks/main.yml +++ b/roles/cloud-scaleway/tasks/main.yml @@ -35,7 +35,7 @@ when: scaleway_organization == item.name with_items: "{{ scaleway_organizations.json.organizations }}" - - name: Get images + - name: Get total count of images uri: url: "https://cp-{{ algo_region }}.scaleway.com/images" method: GET 
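Review bot: The user-data script in `stack.yml` now runs `pip install https://s3.amazonaws.com/cloudformation-examples/aws-cfn-bootstrap-latest.tar.gz` as root at first boot, which installs whatever the `-latest` tarball contains at that moment with no version pin or integrity check. Switching from `easy_install` to `pip` does not change that exposure. Prefer a versioned artifact and verify it before installing: download to a temporary file, compare against a digest kept in the template (`echo "<PINNED_SHA256>  aws-cfn-bootstrap.tar.gz" | sha256sum -c -`), then `pip install` the local file. Because the script runs under `#!/bin/bash -xe`, a failed download or install exits before `cfn-signal`, so the stack would only report the problem when its creation timeout expires; a comment noting that would help with debugging.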
@@ -43,16 +43,24 @@ Content-Type: 'application/json' X-Auth-Token: "{{ scaleway_auth_token }}" status_code: 200 + register: scaleway_pages + + - name: Get images + uri: + url: "https://cp-{{ algo_region }}.scaleway.com/images?per_page=100&page={{ item }}" + method: GET + headers: + Content-Type: 'application/json' + X-Auth-Token: "{{ scaleway_auth_token }}" + status_code: 200 register: scaleway_images + with_sequence: start=1 end={{ ((scaleway_pages.x_total_count|int / 100)| round )|int }} - name: Set image id as a fact - set_fact: - image_id: "{{ item.id }}" - no_log: true - when: - - cloud_providers.scaleway.image in item.name - - cloud_providers.scaleway.arch == item.arch - with_items: "{{ scaleway_images.json.images }}" + include_tasks: image_facts.yml + with_items: "{{ scaleway_images['results'] }}" + loop_control: + loop_var: outer_item - name: Create a server uri: diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml index 2272403c..1415245e 100644 --- a/roles/common/handlers/main.yml +++ b/roles/common/handlers/main.yml @@ -7,8 +7,11 @@ - name: flush routing cache shell: echo 1 > /proc/sys/net/ipv4/route/flush -- name: restart loopback - shell: ifdown lo:100 && ifup lo:100 +- name: restart systemd-networkd + systemd: + name: systemd-networkd + state: restarted + daemon_reload: true - name: restart loopback bsd shell: > diff --git a/roles/common/tasks/ubuntu.yml b/roles/common/tasks/ubuntu.yml index 8b09374c..e1d97149 100644 --- a/roles/common/tasks/ubuntu.yml +++ b/roles/common/tasks/ubuntu.yml 
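Review bot: The page count in `with_sequence: start=1 end={{ ((scaleway_pages.x_total_count|int / 100)| round )|int }}` uses `round`, which rounds to nearest rather than up, so the last partial page is skipped whenever the remainder is below 50. With 120 images only page 1 is fetched. With fewer than 50 images the expression yields `end=0`, which is below `start=1` and is likely to make `with_sequence` fail. Round up and keep at least one page: `with_sequence: start=1 end={{ [1, (scaleway_pages.x_total_count|int / 100)|round(0, 'ceil')|int] | max }}`. Since `image_facts.yml` now sets `image_id` only on an exact name and arch match, an `assert` that `image_id` is defined before "Create a server" would turn a silent miss into a clear error.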
@@ -48,34 +48,21 @@ tags: - cloud -- name: Install system specific tools - package: name="{{ item }}" state=present - with_items: - - ifupdown - tags: - - always - -- name: Ensure the interfaces directory exists - file: - path: /etc/network/interfaces.d/ - state: directory - mode: 0755 - owner: root - group: root - tags: - - always - - name: Loopback for services configured - template: src=10-loopback-services.cfg.j2 dest=/etc/network/interfaces.d/10-loopback-services.cfg + template: + src: 10-algo-lo100.network.j2 + dest: /etc/systemd/network/10-algo-lo100.network notify: - - restart loopback + - restart systemd-networkd tags: - always -- name: Loopback included into the network config - lineinfile: dest=/etc/network/interfaces line='source /etc/network/interfaces.d/10-loopback-services.cfg' state=present - notify: - - restart loopback +- name: systemd-networkd enabled and started + systemd: + name: systemd-networkd + state: started + enabled: true + daemon_reload: true tags: - always diff --git a/roles/common/templates/10-algo-lo100.network.j2 b/roles/common/templates/10-algo-lo100.network.j2 new file mode 100644 index 00000000..257396c6 --- /dev/null +++ b/roles/common/templates/10-algo-lo100.network.j2 @@ -0,0 +1,7 @@ +[Match] +Name=lo + +[Network] +Label=lo:100 +Address={{ local_service_ip }}/32 +Address=FCAA::1/64 diff --git a/roles/common/templates/10-loopback-services.cfg.j2 b/roles/common/templates/10-loopback-services.cfg.j2 deleted file mode 100644 index 09f572de..00000000 --- a/roles/common/templates/10-loopback-services.cfg.j2 +++ /dev/null @@ -1,9 +0,0 @@ -auto lo:100 -iface lo:100 inet static - address {{ local_service_ip }} - netmask 255.255.255.255 - -iface lo:100 inet6 static - address FCAA::1 - netmask 64 - autoconf 0 diff --git a/roles/dns_encryption/tasks/ubuntu.yml b/roles/dns_encryption/tasks/ubuntu.yml index a543f842..9290cf43 100644 --- a/roles/dns_encryption/tasks/ubuntu.yml +++ b/roles/dns_encryption/tasks/ubuntu.yml 
@@ -35,14 +35,12 @@ owner: root group: root -#- name: Ubuntu | Setup the cgroup limitations for dnscrypt-proxy -# copy: -# dest: /etc/systemd/system/dnscrypt-proxy.service.d/100-CustomLimitations.conf -# content: | -# [Service] -# MemoryLimit=16777216 -# CPUAccounting=true -# CPUQuota=5% -# notify: -# - daemon-reload -# - restart dnscrypt-proxy +- name: Ubuntu | Add capabilities to bind ports + copy: + dest: /etc/systemd/system/dnscrypt-proxy.service.d/99-capabilities.conf + content: | + [Service] + AmbientCapabilities=CAP_NET_BIND_SERVICE + notify: + - daemon-reload + - restart dnscrypt-proxy From 3488e660ad3535332f59ba5c613d0e1b558e630b Mon Sep 17 00:00:00 2001 
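Review bot: The new drop-in `99-capabilities.conf` grants `AmbientCapabilities=CAP_NET_BIND_SERVICE` but does not limit the service to that capability. Ambient capabilities matter only when the unit runs as a non-root user; whether the dnscrypt-proxy unit sets `User=` is not visible in this hunk. For a least-privilege setup, add `CapabilityBoundingSet=CAP_NET_BIND_SERVICE` and `NoNewPrivileges=true` to the same `[Service]` section, and confirm the unit does not run as root. The `copy` task also sets no `owner`, `group` or `mode`; making them explicit (`root`, `root`, `0644`) would match the task above it. This commit also deletes the commented-out `MemoryLimit`/`CPUQuota` block, so if those limits are still wanted later they now need a tracking note somewhere.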
From: Jack Ivanov <17044561+jackivanov@users.noreply.github.com> Date: Thu, 24 May 2018 18:15:27 +0300 Subject: [PATCH 08/91] Add WireGuard support for Android (#910) * WireGuard Implementation * Update client-android.md * Update README.md * WireGuard unattended upgrades * Update README.md * reload-module-on-update and syntax fix * SaveConfig to true * Azure firewall. Fixes #962 * Update README.md * Update client-android.md --- .travis.yml | 9 ++- CHANGELOG.md | 10 ++++ README.md | 4 +- config.cfg | 2 + deploy.yml | 1 + docs/client-android.md | 48 +-------------- roles/cloud-azure/tasks/main.yml | 6 ++ roles/cloud-ec2/files/stack.yml | 6 ++ roles/cloud-ec2/tasks/cloudformation.yml | 1 + roles/cloud-gce/tasks/main.yml | 2 +- roles/cloud-lightsail/tasks/main.yml | 3 + roles/cloud-openstack/tasks/main.yml | 1 + roles/common/tasks/ubuntu.yml | 1 + .../common/templates/50unattended-upgrades.j2 | 3 + roles/vpn/tasks/client_configs.yml | 19 ------ roles/vpn/templates/android_html_helper.j2 | 1 - roles/vpn/templates/rules.v4.j2 | 14 +++-- roles/vpn/templates/rules.v6.j2 | 11 ++-- roles/vpn/templates/sswan.j2 | 15 ----- roles/wireguard/defaults/main.yml | 18 ++++++ roles/wireguard/handlers/main.yml | 5 ++ roles/wireguard/meta/main.yml | 3 + roles/wireguard/tasks/keys.yml | 60 +++++++++++++++++++ roles/wireguard/tasks/main.yml | 57 ++++++++++++++++++ roles/wireguard/templates/client.conf.j2 | 10 ++++ roles/wireguard/templates/server.conf.j2 | 18 ++++++ tests/local-deploy.sh | 2 +- 27 files changed, 235 insertions(+), 95 deletions(-) delete mode 100644 roles/vpn/templates/android_html_helper.j2 delete mode 100644 roles/vpn/templates/sswan.j2 create mode 100644 roles/wireguard/defaults/main.yml create mode 100644 roles/wireguard/handlers/main.yml create mode 100644 roles/wireguard/meta/main.yml create mode 100644 roles/wireguard/tasks/keys.yml create mode 100644 roles/wireguard/tasks/main.yml create mode 100644 roles/wireguard/templates/client.conf.j2 create mode 100644 
roles/wireguard/templates/server.conf.j2 diff --git a/.travis.yml b/.travis.yml index b06bf3b6..2a2fa1d9 100644 --- a/.travis.yml +++ b/.travis.yml @@ -14,6 +14,7 @@ addons: apt: sources: - sourceline: 'ppa:ubuntu-lxc/stable' + - sourceline: 'ppa:wireguard/wireguard' packages: - python-pip - lxd @@ -27,6 +28,8 @@ addons: - libssl-dev - libffi-dev - python-dev + - linux-headers-$(uname -r) + - wireguard-dkms cache: directories: @@ -43,7 +46,7 @@ env: - LXC_NAME=docker LXC_DISTRO=ubuntu LXC_RELEASE=18.04 before_install: - - test "${LXC_NAME}" != "docker" || docker build -t travis/algo . + - test "${LXC_NAME}" != "docker" && sudo modprobe wireguard || docker build -t travis/algo . install: - sudo tar xf $HOME/lxc/cache.tar -C / || echo "Didn't extract cache." @@ -63,8 +66,8 @@ install: script: # - awesome_bot --allow-dupe --skip-save-results *.md docs/*.md --white-list paypal.com,do.co,microsoft.com,https://github.com/trailofbits/algo/archive/master.zip,https://github.com/trailofbits/algo/issues/new -# - shellcheck algo -# - ansible-lint deploy.yml users.yml deploy_client.yml +# - shellcheck algo +# - ansible-lint deploy.yml users.yml deploy_client.yml - ansible-playbook deploy.yml --syntax-check - ./tests/local-deploy.sh diff --git a/CHANGELOG.md b/CHANGELOG.md index 78644798..5d3028a5 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,13 @@ +## 30 Apr 2018 +### Added +- WireGuard support + +### Removed +- Android StrongSwan profiles + +### Release notes +- StrongSwan profiles for Android are deprecated now. Use WireGuard + ## 25 Apr 2018 ### Added - DNScrypt-proxy added diff --git a/README.md b/README.md index 53619d10..61d61c54 100644 --- a/README.md +++ b/README.md 
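Review bot: The new `before_install` line `test "${LXC_NAME}" != "docker" && sudo modprobe wireguard || docker build -t travis/algo .` uses `a && b || c` as an if/else, so the `docker build` branch also runs when `modprobe wireguard` fails on a non-docker job. A missing or unbuildable kernel module is then masked by a Docker build that job never needed, and the step's status reflects the build rather than the module load. Write the branches explicitly: `- if [ "${LXC_NAME}" = "docker" ]; then docker build -t travis/algo .; else sudo modprobe wireguard; fi`. In the same file, the added package entry `linux-headers-$(uname -r)` sits in the apt addon list, where shell substitution is probably not performed; if that holds, the headers install belongs in an `install:` command instead.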
@@ -8,7 +8,7 @@ Algo VPN is a set of Ansible scripts that simplify the setup of a personal IPSEC ## Features -* Supports only IKEv2 with strong crypto: AES-GCM, SHA2, and P-256 +* Supports only IKEv2 with strong crypto (AES-GCM, SHA2, and P-256) and [WireGuard](https://www.wireguard.com/) * Generates Apple profiles to auto-configure iOS and macOS devices * Includes a helper script to add and remove users * Blocks ads with a local DNS resolver (optional) @@ -97,7 +97,7 @@ Certificates and configuration files that users will need are placed in the `con ### Android Devices -No version of Android supports IKEv2. Install the [strongSwan VPN Client for Android 4 and newer](https://play.google.com/store/apps/details?id=org.strongswan.android). Import the corresponding user.p12 certificate to your device. See the [Android setup instructions](/docs/client-android.md) for more a more detailed walkthrough. +WireGuard is used to provide VPN services on Android. Install the [WireGuard VPN Client](https://play.google.com/store/apps/details?id=com.wireguard.android). Import the corresponding `wireguard/.conf` file to your device, then setup a new connection with it. See the [Android setup instructions](/docs/client-android.md) for more detailed walkthrough. ### Windows 10 diff --git a/config.cfg b/config.cfg index e71e7d01..731c71de 100644 --- a/config.cfg +++ b/config.cfg @@ -15,6 +15,8 @@ easyrsa_reinit_existent: False vpn_network: 10.19.48.0/24 vpn_network_ipv6: 'fd9d:bc11:4020::/48' +wireguard_enabled: true +wireguard_port: 51820 server_name: "{{ ansible_ssh_host }}" IP_subject_alt_name: "{{ ansible_ssh_host }}" diff --git a/deploy.yml b/deploy.yml index e58f3c5a..532820c7 100644 --- a/deploy.yml +++ b/deploy.yml @@ -64,6 +64,7 @@ roles: - { role: dns_adblocking, tags: [ 'dns', 'adblock' ] } - { role: ssh_tunneling, tags: [ 'ssh_tunneling' ] } + - { role: wireguard, tags: [ 'vpn', 'wireguard' ], when: wireguard_enabled } - { role: vpn, tags: [ 'vpn' ] } post_tasks: 
diff --git a/docs/client-android.md b/docs/client-android.md index 1175da79..1e98f6d7 100644 --- a/docs/client-android.md +++ b/docs/client-android.md 
@@ -2,48 +2,6 @@ ## Installation via profiles -1. [Install the strongSwan VPN Client](https://play.google.com/store/apps/details?id=org.strongswan.android). -2. Copy `android_{username}.sswan` and `android_{username}_helper.html` to your phone's internal storage. -3. Open the StrongSwan app and go to 'Import VPN profile'. -4. Select the `android_{username}.sswan` file to configure the VPN with your profile. - -## Manual installation - -**NOTE:** If you are a Project Fi user, you must disable WiFi Assistant before continuing. See the [strongSwan documentation](https://wiki.strongswan.org/projects/strongswan/wiki/AndroidVPNClient) for details. - -| Instruction | Screenshot(s) | -| ----------- | ---------- | -| 1. Copy your `{username}.p12` certificate to your phone's internal storage. | | -| 2. [Install the strongSwan VPN Client](https://play.google.com/store/apps/details?id=org.strongswan.android) (Android 4+) | | -| 3. Open the app and tap "ADD VPN PROFILE" in the top right. | [![step3-thumb]][step3-screen] | -| 4. Enter the IP address or hostname of your Algo server and set the "VPN Type" to "IKEv2 Certificate". | [![step4-thumb]][step4-screen] | -| 5. Tap "Select user certificate". You will be shown a prompt, tap "INSTALL". | [![step5-thumb]][step5-screen] | -| 6. Use the "Open from" menu to select your certificate. If you downloaded your certificate to your phone, you may find that using the "Downloads" shortcut results in your `{username}.p12` certificate being grayed out. If this happens go back to the "Open from" menu and tap on the name of your phone. This will bring up the filesystem. From here, navigate to the folder where you saved your cert (such as "Downloads"), and try again. | [![step6-thumb]][step6-screen] | -| 7. Enter the password for your certificate. This password was printed to your console at the end of running the `algo` deployment script. Please note that in some cases, extracting the certificate can take several minutes. 
| [![step7-thumb]][step7-screen] | -| 8. Give your certificate a name (it will default to your Algo username), and ensure that "Credential use" is set to "VPN and apps". Tap "OK". | [![step8-thumb]][step8-screen] | -| 9. You'll then be brought to another prompt. Ensure your newly imported certificate is selected, and tap "ALLOW". Then, tap "SAVE" in the top right. | [![step9-thumb]][step9-screen] | -| 10. You will be returned to the main menu, and your newly-configured VPN profile should be listed. Tap the profile to connect. | [![step10-thumb]][step10-screen] | - -## Troubleshooting -### Tapping the VPN profile in strongSwan has no effect. -Ensure that "WiFi Assistant" and any other always-on VPNs are disabled before attempting to enable a strongSwan VPN. If any other VPN is active, strongSwan may silently fail to initialize a VPN connection. On Android 7, your can manage your VPNs by going to: Settings > Tap "More" under "Wireless & networks" > VPN > tap the gear icon next to any non-strongSwan VPNs listed and ensure they are disabled. - - -[step3-thumb]: https://i.imgur.com/LPwIGJE.png -[step4-thumb]: https://i.imgur.com/sFkDILg.png -[step5-thumb]: https://i.imgur.com/IliT5oD.png -[step6-thumb]: https://i.imgur.com/oghdCVp.png -[step7-thumb]: https://i.imgur.com/nDzJ7KS.png -[step8-thumb]: https://i.imgur.com/RPXSpCo.png -[step9-thumb]: https://i.imgur.com/uMinDPe.png -[step10-thumb]: https://i.imgur.com/hUEDjdo.png - - -[step3-screen]: https://i.imgur.com/xNMihCd.png -[step4-screen]: https://i.imgur.com/xYjoNNO.png -[step5-screen]: https://i.imgur.com/4qhKT1Z.png -[step6-screen]: https://i.imgur.com/MAaQuxH.png -[step7-screen]: https://i.imgur.com/aT2MPih.png -[step8-screen]: https://i.imgur.com/gvaKzkh.png -[step9-screen]: https://i.imgur.com/eZp8DNb.png -[step10-screen]: https://i.imgur.com/Nd8rYMJ.png +1. [Install the WireGuard VPN Client](https://play.google.com/store/apps/details?id=com.wireguard.android). +2. 
Copy `wireguard/{username}.conf` to your phone's internal storage. +3. Open the WireGuard app and add a connection using your AlgoVPN configuration file. diff --git a/roles/cloud-azure/tasks/main.yml b/roles/cloud-azure/tasks/main.yml index bee7e982..6a6e9de4 100644 --- a/roles/cloud-azure/tasks/main.yml +++ b/roles/cloud-azure/tasks/main.yml @@ -58,6 +58,12 @@ access: Allow priority: 120 direction: Inbound + - name: AllowWireGuard + protocol: Udp + destination_port_range: "{{ wireguard_port }}" + access: Allow + priority: 130 + direction: Inbound - name: Create a subnet azure_rm_subnet: diff --git a/roles/cloud-ec2/files/stack.yml b/roles/cloud-ec2/files/stack.yml index 5a8abf52..3660613b 100644 --- a/roles/cloud-ec2/files/stack.yml +++ b/roles/cloud-ec2/files/stack.yml @@ -9,6 +9,8 @@ Parameters: Type: String ImageIdParameter: Type: String + WireGuardPort: + Type: String Resources: VPC: Type: AWS::EC2::VPC @@ -132,6 +134,10 @@ Resources: FromPort: '4500' ToPort: '4500' CidrIp: 0.0.0.0/0 + - IpProtocol: udp + FromPort: !Ref WireGuardPort + ToPort: !Ref WireGuardPort + CidrIp: 0.0.0.0/0 Tags: - Key: Name Value: Algo diff --git a/roles/cloud-ec2/tasks/cloudformation.yml b/roles/cloud-ec2/tasks/cloudformation.yml index 032a59b6..7c6fe374 100644 --- a/roles/cloud-ec2/tasks/cloudformation.yml +++ b/roles/cloud-ec2/tasks/cloudformation.yml @@ -11,6 +11,7 @@ InstanceTypeParameter: "{{ cloud_providers.ec2.size }}" PublicSSHKeyParameter: "{{ lookup('file', SSH_keys.public) }}" ImageIdParameter: "{{ ami_image }}" + WireGuardPort: "{{ wireguard_port }}" tags: Environment: Algo register: stack diff --git a/roles/cloud-gce/tasks/main.yml b/roles/cloud-gce/tasks/main.yml index dafa7553..24a825cf 100644 --- a/roles/cloud-gce/tasks/main.yml +++ b/roles/cloud-gce/tasks/main.yml 
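Review bot: The `AllowWireGuard` rule added to the Azure security group opens `{{ wireguard_port }}` inbound even when `wireguard_enabled` is false. The same holds for the EC2 stack ingress rule, the GCE `allowed` string, the Lightsail port list and the OpenStack rule in this commit. The host firewall templates in this commit gate the port on `wireguard_enabled`, so the cloud-side rules should follow the same switch to keep the exposed surface minimal. For GCE that is `allowed: "udp:500,4500{% if wireguard_enabled %},{{ wireguard_port }}{% endif %};tcp:22"`; the list-style providers need the rule appended conditionally. The enclosing Azure task starts outside the hunk.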
@@ -15,7 +15,7 @@ gce_net: name: "algo-net-{{ server_name }}" fwname: "algo-net-{{ server_name }}-fw" - allowed: "udp:500,4500;tcp:22" + allowed: "udp:500,4500,{{ wireguard_port }};tcp:22" state: "present" mode: auto src_range: 0.0.0.0/0 diff --git a/roles/cloud-lightsail/tasks/main.yml b/roles/cloud-lightsail/tasks/main.yml index 437e8448..31f73e6f 100644 --- a/roles/cloud-lightsail/tasks/main.yml +++ b/roles/cloud-lightsail/tasks/main.yml @@ -22,6 +22,9 @@ - from_port: 500 to_port: 500 protocol: udp + - from_port: "{{ wireguard_port }}" + to_port: "{{ wireguard_port }}" + protocol: udp user_data: | #!/bin/bash mkdir -p /home/ubuntu/.ssh/ diff --git a/roles/cloud-openstack/tasks/main.yml b/roles/cloud-openstack/tasks/main.yml index 63dbb726..d470e89e 100644 --- a/roles/cloud-openstack/tasks/main.yml +++ b/roles/cloud-openstack/tasks/main.yml @@ -20,6 +20,7 @@ - { proto: icmp, port_min: -1, port_max: -1, range: 0.0.0.0/0 } - { proto: udp, port_min: 4500, port_max: 4500, range: 0.0.0.0/0 } - { proto: udp, port_min: 500, port_max: 500, range: 0.0.0.0/0 } + - { proto: udp, port_min: "{{ wireguard_port }}", port_max: "{{ wireguard_port }}", range: 0.0.0.0/0 } - name: Keypair created os_keypair: diff --git a/roles/common/tasks/ubuntu.yml b/roles/common/tasks/ubuntu.yml index e1d97149..e5d9165a 100644 --- a/roles/common/tasks/ubuntu.yml +++ b/roles/common/tasks/ubuntu.yml @@ -89,6 +89,7 @@ - iptables-persistent - cgroup-tools - openssl + - resolvconf sysctl: - item: net.ipv4.ip_forward value: 1 diff --git a/roles/common/templates/50unattended-upgrades.j2 b/roles/common/templates/50unattended-upgrades.j2 index 0c55b702..a902c7ad 100644 --- a/roles/common/templates/50unattended-upgrades.j2 +++ b/roles/common/templates/50unattended-upgrades.j2 
@@ -2,6 +2,9 @@ Unattended-Upgrade::Allowed-Origins { "${distro_id}:${distro_codename}-security"; "${distro_id}:${distro_codename}-updates"; +{% if wireguard_enabled %} + "LP-PPA-wireguard-wireguard:${distro_codename}"; +{% endif %} // "${distro_id}:${distro_codename}-proposed"; // "${distro_id}:${distro_codename}-backports"; }; diff --git a/roles/vpn/tasks/client_configs.yml b/roles/vpn/tasks/client_configs.yml index 4c6cbe92..52dff83c 100644 --- a/roles/vpn/tasks/client_configs.yml +++ b/roles/vpn/tasks/client_configs.yml @@ -21,25 +21,6 @@ - "{{ PayloadContent.results }}" no_log: True -- name: Build the strongswan app android config - template: - src: sswan.j2 - dest: configs/{{ IP_subject_alt_name }}/android_{{ item.0 }}.sswan - mode: 0600 - with_together: - - "{{ users }}" - - "{{ PayloadContent.results }}" - no_log: True - -- name: Build the android helper html - template: - src: android_html_helper.j2 - dest: configs/{{ IP_subject_alt_name }}/android_{{ item.0 }}_helper.html - mode: 0600 - with_together: - - "{{ users }}" - no_log: True - - name: Build the client ipsec config file template: src: client_ipsec.conf.j2 diff --git a/roles/vpn/templates/android_html_helper.j2 b/roles/vpn/templates/android_html_helper.j2 deleted file mode 100644 index d27528aa..00000000 --- a/roles/vpn/templates/android_html_helper.j2 +++ /dev/null @@ -1 +0,0 @@ -{{ item.0 }} diff --git a/roles/vpn/templates/rules.v4.j2 b/roles/vpn/templates/rules.v4.j2 index c51568aa..fe2878d6 100644 --- a/roles/vpn/templates/rules.v4.j2 +++ b/roles/vpn/templates/rules.v4.j2 
@@ -19,7 +19,7 @@ # - https://github.com/trailofbits/algo/issues/216 # - https://github.com/trailofbits/algo/issues?utf8=%E2%9C%93&q=is%3Aissue%20mtu # - https://serverfault.com/questions/601143/ssh-not-working-over-ipsec-tunnel-strongswan --A FORWARD -s {{ vpn_network }} -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss {{ max_mss }} +-A FORWARD -s {{ vpn_network }}{% if wireguard_enabled %},{{ wireguard_vpn_network }}{% endif %} -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss {{ max_mss }} {% endif %} COMMIT @@ -35,7 +35,8 @@ COMMIT :POSTROUTING ACCEPT [0:0] # Allow traffic from the VPN network to the outside world, and replies --A POSTROUTING -s {{ vpn_network }} -m policy --pol none --dir out -j MASQUERADE +-A POSTROUTING -s {{ vpn_network }}{% if wireguard_enabled %},{{ wireguard_vpn_network }}{% endif %} -m policy --pol none --dir out -j MASQUERADE + COMMIT @@ -62,7 +63,7 @@ COMMIT # rate limit ICMP traffic per source -A INPUT -p icmp --icmp-type echo-request -m hashlimit --hashlimit-upto 5/s --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name icmp-echo-drop -j ACCEPT # Accept IPSEC traffic to ports 500 (IPSEC) and 4500 (MOBIKE aka IKE + NAT traversal) --A INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT +-A INPUT -p udp -m multiport --dports 500,4500{% if wireguard_enabled %},{{ wireguard_port}}{% endif %} -j ACCEPT # Allow new traffic to port 22 (SSH) -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT # Allow any traffic from the VPN @@ -78,7 +79,7 @@ COMMIT {% if BetweenClients_DROP is defined and BetweenClients_DROP == "Y" %} # Drop traffic between VPN clients --A FORWARD -s {{ vpn_network }} -d {{ vpn_network }} -j DROP +-A FORWARD -s {{ vpn_network }}{% if wireguard_enabled %},{{ wireguard_vpn_network }}{% endif %} -d {{ vpn_network }}{% if wireguard_enabled %},{{ wireguard_vpn_network }}{% endif %} -j DROP {% endif %} # Forward any packet that's part of an established connection 
@@ -92,4 +93,9 @@ COMMIT # Forward any IPSEC traffic from the VPN network -A FORWARD -m conntrack --ctstate NEW -s {{ vpn_network }} -m policy --pol ipsec --dir in -j ACCEPT +# Forward any traffic from the WireGuard VPN network +{% if wireguard_enabled %} +-A FORWARD -m conntrack --ctstate NEW -s {{ wireguard_vpn_network }} -m policy --pol none --dir in -j ACCEPT +{% endif %} + COMMIT diff --git a/roles/vpn/templates/rules.v6.j2 b/roles/vpn/templates/rules.v6.j2 index 82ca8e16..df0603a8 100644 --- a/roles/vpn/templates/rules.v6.j2 +++ b/roles/vpn/templates/rules.v6.j2 @@ -13,7 +13,7 @@ {% if max_mss is defined %} # MSS is the TCP Max Segment Size # See rules.v4 for a more complete explanation --A FORWARD -s {{ vpn_network_ipv6 }} -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss {{ max_mss }} +-A FORWARD -s {{ vpn_network_ipv6 }}{% if wireguard_enabled %},{{ wireguard_vpn_network_ipv6 }}{% endif %} -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss {{ max_mss }} {% endif %} COMMIT @@ -28,7 +28,7 @@ COMMIT :POSTROUTING ACCEPT [0:0] # Allow traffic from the VPN network to the outside world, and replies --A POSTROUTING -s {{ vpn_network_ipv6 }} -m policy --pol none --dir out -j MASQUERADE +-A POSTROUTING -s {{ vpn_network_ipv6 }}{% if wireguard_enabled %},{{ wireguard_vpn_network_ipv6 }}{% endif %} -m policy --pol none --dir out -j MASQUERADE COMMIT @@ -63,7 +63,7 @@ COMMIT # rate limit ICMP traffic per source -A INPUT -p icmpv6 --icmpv6-type echo-request -m hashlimit --hashlimit-upto 5/s --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name icmp-echo-drop -j ACCEPT # Accept IPSEC traffic to ports 500 (IPSEC) and 4500 (MOBIKE aka IKE + NAT traversal) --A INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT +-A INPUT -p udp -m multiport --dports 500,4500{% if wireguard_enabled %},{{ wireguard_port}}{% endif %} -j ACCEPT # Allow new traffic to port 22 (SSH) -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT 
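Review bot: The new WireGuard `FORWARD` accept rule matches only on source address (`-s {{ wireguard_vpn_network }}` with `--pol none`), so nothing ties the traffic to the tunnel interface. The IPv6 rule added in `rules.v6.j2` has the same shape. The IPsec rule above is bound to the tunnel by `--pol ipsec`; the WireGuard rule has no equivalent unless reverse-path filtering happens to be enabled on the host. I would add the interface match: `-A FORWARD -i {{ wireguard_interface }} -m conntrack --ctstate NEW -s {{ wireguard_vpn_network }} -m policy --pol none --dir in -j ACCEPT`. This assumes `wireguard_interface` from the role defaults is in scope here, as `wireguard_vpn_network` already is.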
@@ -85,7 +85,7 @@ COMMIT -A INPUT -d fcaa::1 -p udp --dport 53 -j ACCEPT {% if BetweenClients_DROP is defined and BetweenClients_DROP == "Y" %} --A FORWARD -s {{ vpn_network_ipv6 }} -d {{ vpn_network_ipv6 }} -j DROP +-A FORWARD -s {{ vpn_network_ipv6 }}{% if wireguard_enabled %},{{ wireguard_vpn_network_ipv6 }}{% endif %} -d {{ vpn_network_ipv6 }}{% if wireguard_enabled %},{{ wireguard_vpn_network_ipv6 }}{% endif %} -j DROP {% endif %} -A FORWARD -j ICMPV6-CHECK -A FORWARD -p tcp --dport 445 -j DROP @@ -93,6 +93,9 @@ COMMIT -A FORWARD -p tcp -m multiport --ports 137,139 -j DROP -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A FORWARD -m conntrack --ctstate NEW -s {{ vpn_network_ipv6 }} -m policy --pol ipsec --dir in -j ACCEPT +{% if wireguard_enabled %} +-A FORWARD -m conntrack --ctstate NEW -s {{ wireguard_vpn_network_ipv6 }} -m policy --pol none --dir in -j ACCEPT +{% endif %} # Use the ICMPV6-CHECK chain, described above -A ICMPV6-CHECK -p icmpv6 -m hl ! --hl-eq 255 --icmpv6-type router-solicitation -j ICMPV6-CHECK-LOG diff --git a/roles/vpn/templates/sswan.j2 b/roles/vpn/templates/sswan.j2 deleted file mode 100644 index 405d44a2..00000000 --- a/roles/vpn/templates/sswan.j2 +++ /dev/null @@ -1,15 +0,0 @@ -{ - "uuid": "{{ 600000 | random | to_uuid }}", - "name": "Algo {{ IP_subject_alt_name }}", - "type": "ikev2-cert", - "remote": { - "addr": "{{ IP_subject_alt_name }}", - "cert": "{{ PayloadContentCA }}" - }, - "local": { - "p12": "{{ item.1.stdout }}" - }, - "ike-proposal": "{{ ciphers.defaults.ike | replace('!', '') }}", - "esp-proposal": "{{ ciphers.defaults.esp | replace('!', '') }}", - "mtu": 1280 -} diff --git a/roles/wireguard/defaults/main.yml b/roles/wireguard/defaults/main.yml new file mode 100644 index 00000000..d94f3ff6 --- /dev/null +++ b/roles/wireguard/defaults/main.yml 
@@ -0,0 +1,18 @@ +--- +wireguard_config_path: "configs/{{ IP_subject_alt_name }}/wireguard/" +wireguard_interface: wg0 +wireguard_network_ipv4: + subnet: 10.19.49.0 + prefix: 24 + gateway: 10.19.49.1 + clients_range: 10.19.49 + clients_start: 100 +wireguard_network_ipv6: + subnet: 'fd9d:bc11:4021::' + prefix: 48 + gateway: 'fd9d:bc11:4021::1' + clients_range: 'fd9d:bc11:4021::' + clients_start: 100 +wireguard_vpn_network: "{{ wireguard_network_ipv4['subnet'] }}/{{ wireguard_network_ipv4['prefix'] }}" +wireguard_vpn_network_ipv6: "{{ wireguard_network_ipv6['subnet'] }}/{{ wireguard_network_ipv6['prefix'] }}" +easyrsa_reinit_existent: false diff --git a/roles/wireguard/handlers/main.yml b/roles/wireguard/handlers/main.yml new file mode 100644 index 00000000..1063f5e6 --- /dev/null +++ b/roles/wireguard/handlers/main.yml @@ -0,0 +1,5 @@ +--- +- name: restart wireguard + service: + name: "wg-quick@{{ wireguard_interface }}" + state: restarted diff --git a/roles/wireguard/meta/main.yml b/roles/wireguard/meta/main.yml new file mode 100644 index 00000000..a766ccc1 --- /dev/null +++ b/roles/wireguard/meta/main.yml @@ -0,0 +1,3 @@ +--- +dependencies: + - { role: common, tags: common } diff --git a/roles/wireguard/tasks/keys.yml b/roles/wireguard/tasks/keys.yml new file mode 100644 index 00000000..322f974f --- /dev/null +++ b/roles/wireguard/tasks/keys.yml 
@@ -0,0 +1,60 @@ +--- +- name: Delete the lock files + file: + dest: "/etc/wireguard/private_{{ item }}.lock" + state: absent + when: easyrsa_reinit_existent|bool == True + with_items: + - "{{ users }}" + - "{{ IP_subject_alt_name }}" + +- name: Generate private keys + command: wg genkey + register: wg_genkey + args: + creates: "/etc/wireguard/private_{{ item }}.lock" + executable: bash + with_items: + - "{{ users }}" + - "{{ IP_subject_alt_name }}" + +- block: + - name: Save private keys + copy: + dest: "{{ wireguard_config_path }}/private/{{ item['item'] }}" + content: "{{ item['stdout'] }}" + mode: "0600" + no_log: true + when: item.changed + with_items: "{{ wg_genkey['results'] }}" + delegate_to: localhost + become: false + + - name: Touch the lock file + file: + dest: "/etc/wireguard/private_{{ item }}.lock" + state: touch + with_items: + - "{{ users }}" + - "{{ IP_subject_alt_name }}" + when: wg_genkey.changed + +- name: Generate public keys + shell: echo "{{ lookup('file', wireguard_config_path + '/private/' + item) }}" | wg pubkey + register: wg_pubkey + changed_when: false + args: + executable: bash + with_items: + - "{{ users }}" + - "{{ IP_subject_alt_name }}" + +- name: Save public keys + copy: + dest: "{{ wireguard_config_path }}/public/{{ item['item'] }}" + content: "{{ item['stdout'] }}" + mode: "0600" + no_log: true + with_items: "{{ wg_pubkey['results'] }}" + delegate_to: localhost + become: false diff --git a/roles/wireguard/tasks/main.yml b/roles/wireguard/tasks/main.yml new file mode 100644 index 00000000..017e2ac3 --- /dev/null +++ b/roles/wireguard/tasks/main.yml 
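Review bot: The `Generate public keys` task interpolates each private key into a shell command line (`echo "…" | wg pubkey`), and neither it nor `Generate private keys` sets `no_log`. Key material can therefore appear in Ansible output, in the registered results and in the process list on the server. Passing the key on stdin and silencing both tasks avoids that. `stdin` is a `command` module argument from Ansible 2.4 onwards, so check it against the pinned version. `Save private keys` already uses `no_log: true`, and these tasks should match it.

```yaml
- name: Generate private keys
  command: wg genkey
  no_log: true
  # … unchanged: register, args (creates), with_items …

- name: Generate public keys
  command: wg pubkey
  args:
    stdin: "{{ lookup('file', wireguard_config_path + '/private/' + item) }}"
  no_log: true
  # … unchanged: register, changed_when, with_items …
```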
@@ -0,0 +1,57 @@ +--- +- name: WireGuard repository configured + apt_repository: + repo: ppa:wireguard/wireguard + state: present + +- name: WireGuard installed + apt: + name: wireguard + state: present + update_cache: true + +- name: Ensure the required directories exist + file: + dest: "{{ wireguard_config_path }}/{{ item }}" + state: directory + recurse: true + with_items: + - private + - public + delegate_to: localhost + become: false + +- name: Generate keys + import_tasks: keys.yml + tags: update-users + +- name: WireGuard configured + template: + src: server.conf.j2 + dest: "/etc/wireguard/{{ wireguard_interface }}.conf" + mode: "0600" + notify: restart wireguard + tags: update-users + +- name: WireGuard reload-module-on-update + file: + dest: /etc/wireguard/.reload-module-on-update + state: touch + +- name: WireGuard users config generated + template: + src: client.conf.j2 + dest: "{{ wireguard_config_path }}/{{ item.1 }}.conf" + mode: "0600" + with_indexed_items: "{{ users }}" + tags: update-users + delegate_to: localhost + become: false + +- name: WireGuard enabled and started + service: + name: "wg-quick@{{ wireguard_interface }}" + state: started + enabled: true + +- meta: flush_handlers diff --git a/roles/wireguard/templates/client.conf.j2 b/roles/wireguard/templates/client.conf.j2 new file mode 100644 index 00000000..59e5d52d --- /dev/null +++ b/roles/wireguard/templates/client.conf.j2 
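Review bot: `Ensure the required directories exist` creates the `private` directory under `wireguard_config_path` without a `mode`, so its permissions come from the operator's umask while the key files inside are written `0600`. Adding `mode: "0700"` to that task keeps the directory listing private as well. With `recurse: true` the mode would also be applied to existing files, so I would drop `recurse` when setting it; `state: directory` still creates the intermediate directories.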
@@ -0,0 +1,10 @@ +[Interface] +PrivateKey = {{ lookup('file', wireguard_config_path + '/private/' + item.1) }} +Address = {{ wireguard_network_ipv4['clients_range'] }}.{{ wireguard_network_ipv4['clients_start'] + item.0 + 1 }}/32{% if ipv6_support %},{{ wireguard_network_ipv6['clients_range'] }}{{ wireguard_network_ipv6['clients_start'] + item.0 + 1 }}/{{ wireguard_network_ipv6['prefix'] }} +{% endif %} +DNS = {{ local_service_ip }} + +[Peer] +PublicKey = {{ lookup('file', wireguard_config_path + '/public/' + IP_subject_alt_name) }} +AllowedIPs = 0.0.0.0/0, ::/0 +Endpoint = {{ IP_subject_alt_name }}:{{ wireguard_port }} diff --git a/roles/wireguard/templates/server.conf.j2 b/roles/wireguard/templates/server.conf.j2 new file mode 100644 index 00000000..a90e3fdc --- /dev/null +++ b/roles/wireguard/templates/server.conf.j2 @@ -0,0 +1,18 @@ +[Interface] +Address = {{ wireguard_network_ipv4['subnet'] }}/{{ wireguard_network_ipv4['prefix'] }}{% if ipv6_support %},{{ wireguard_network_ipv6['gateway'] }}/{{ wireguard_network_ipv6['prefix'] }} +{% endif %} + +DNS = {{ local_service_ip }} +ListenPort = {{ wireguard_port }} +PrivateKey = {{ lookup('file', wireguard_config_path + '/private/' + IP_subject_alt_name) }} +SaveConfig = true +Table = off + +{% for u in users %} + +[Peer] +# {{ u }} +PublicKey = {{ lookup('file', wireguard_config_path + '/public/' + u) }} +AllowedIPs = {{ wireguard_network_ipv4['clients_range'] }}.{{ wireguard_network_ipv4['clients_start'] + loop.index }}/32{% if ipv6_support %},{{ wireguard_network_ipv6['clients_range'] }}{{ wireguard_network_ipv6['clients_start'] + loop.index }}/128 +{% endif %} +{% endfor %} diff --git a/tests/local-deploy.sh b/tests/local-deploy.sh index c151488f..efd127cb 100755 --- a/tests/local-deploy.sh +++ b/tests/local-deploy.sh 
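Review bot: `SaveConfig = true` in `server.conf.j2` conflicts with managing the file from a template. As I read wg-quick's behaviour, the running interface state is written back to the config file on shutdown, so the `restart wireguard` handler would overwrite the freshly templated peers before bringing the interface up again. For a user removal, that would leave the removed peer authorised after an `update-users` run. I would set `SaveConfig = false` so the template stays the single source of truth. Separately, the IPv4 `Address` uses `wireguard_network_ipv4['subnet']` while IPv6 uses `['gateway']`; `['gateway']` looks like the intended value for both.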
@@ -6,7 +6,7 @@ DEPLOY_ARGS="server_ip=$LXC_IP server_user=ubuntu IP_subject_alt_name=$LXC_IP lo if [ "${LXC_NAME}" == "docker" ] then - docker run -it -v $(pwd)/config.cfg:/algo/config.cfg -v ~/.ssh:/root/.ssh -e "DEPLOY_ARGS=${DEPLOY_ARGS}" travis/algo /bin/sh -c "chown -R 0:0 /root/.ssh && source env/bin/activate && ansible-playbook deploy.yml -t cloud,local,vpn,dns,ssh_tunneling,security,tests,dns_over_https -e \"${DEPLOY_ARGS}\" --skip-tags apparmor" + docker run -it -v $(pwd)/config.cfg:/algo/config.cfg -v ~/.ssh:/root/.ssh -e "DEPLOY_ARGS=${DEPLOY_ARGS}" travis/algo /bin/sh -c "chown -R 0:0 /root/.ssh && source env/bin/activate && ansible-playbook deploy.yml -t cloud,local,vpn,dns,ssh_tunneling,security,tests,dns_over_https -e \"${DEPLOY_ARGS}\" --skip-tags apparmor,wireguard" else ansible-playbook deploy.yml -t cloud,local,vpn,dns,dns_over_https,ssh_tunneling,tests -e "${DEPLOY_ARGS}" --skip-tags apparmor fi From b928e4ff06ec14bdf3e4f23a65b218a099c40493 Mon Sep 17 00:00:00 2001 From: Paul Kehrer Date: Fri, 25 May 2018 21:02:16 +0800 Subject: [PATCH 09/91] fix faq entry about cryptography build failure (#967) --- docs/troubleshooting.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/troubleshooting.md b/docs/troubleshooting.md index 2c860a58..09f3fbf8 100644 --- a/docs/troubleshooting.md +++ b/docs/troubleshooting.md @@ -75,7 +75,7 @@ You don't have a working compiler installed. You should install the XCode compil ### Error: "fatal error: 'openssl/opensslv.h' file not found" -On macOS, you tried to install pycrypto and encountered the following error: +On macOS, you tried to install `cryptography` and encountered the following error: ``` build/temp.macosx-10.12-intel-2.7/_openssl.c:434:10: fatal error: 'openssl/opensslv.h' file not found 
@@ -94,7 +94,7 @@ Command /usr/bin/python -c "import setuptools, tokenize;__file__='/private/tmp/p Storing debug log for failure in /Users/algore/Library/Logs/pip.log ``` -You are running an old version of `pip` that cannot build the `pycrypto` dependency. Upgrade to a new version of `pip` by running `sudo pip install -U pip`. +You are running an old version of `pip` that cannot download the binary `cryptography` dependency. Upgrade to a new version of `pip` by running `sudo pip install -U pip`. ### Error: "TypeError: must be str, not bytes" From d56f50180bc1bd877ace14d8a75750f38b3328a2 Mon Sep 17 00:00:00 2001 From: Jack Ivanov <17044561+jackivanov@users.noreply.github.com> Date: Fri, 25 May 2018 20:37:13 +0300 Subject: [PATCH 10/91] Extra line and better DNS configuration for WireGuard (#968) - Adds an extra line after the if statement. Jinja2 trims such blocks by default in Ansible. Fixes #965 - More appropriate way to configure DNS servers - Removes `DNS` option from the wireguard server config - Fixes dnscrypt-proxy restart --- roles/common/tasks/ubuntu.yml | 1 - roles/dns_encryption/handlers/main.yml | 3 ++- roles/dns_encryption/tasks/ubuntu.yml | 1 - roles/wireguard/defaults/main.yml | 6 ++++++ roles/wireguard/templates/client.conf.j2 | 3 ++- roles/wireguard/templates/server.conf.j2 | 1 - 6 files changed, 10 insertions(+), 5 deletions(-) diff --git a/roles/common/tasks/ubuntu.yml b/roles/common/tasks/ubuntu.yml index e5d9165a..e1d97149 100644 --- a/roles/common/tasks/ubuntu.yml +++ b/roles/common/tasks/ubuntu.yml @@ -89,7 +89,6 @@ - iptables-persistent - cgroup-tools - openssl - - resolvconf sysctl: - item: net.ipv4.ip_forward value: 1 diff --git a/roles/dns_encryption/handlers/main.yml b/roles/dns_encryption/handlers/main.yml index c46912b9..7947ef11 100644 --- a/roles/dns_encryption/handlers/main.yml +++ b/roles/dns_encryption/handlers/main.yml 
@@ -4,6 +4,7 @@ daemon_reload: true - name: restart dnscrypt-proxy - service: + systemd: name: dnscrypt-proxy state: restarted + daemon_reload: true diff --git a/roles/dns_encryption/tasks/ubuntu.yml b/roles/dns_encryption/tasks/ubuntu.yml index 9290cf43..0f1cffcf 100644 --- a/roles/dns_encryption/tasks/ubuntu.yml +++ b/roles/dns_encryption/tasks/ubuntu.yml @@ -42,5 +42,4 @@ [Service] AmbientCapabilities=CAP_NET_BIND_SERVICE notify: - - daemon-reload - restart dnscrypt-proxy diff --git a/roles/wireguard/defaults/main.yml b/roles/wireguard/defaults/main.yml index d94f3ff6..0559c50b 100644 --- a/roles/wireguard/defaults/main.yml +++ b/roles/wireguard/defaults/main.yml @@ -16,3 +16,9 @@ wireguard_network_ipv6: wireguard_vpn_network: "{{ wireguard_network_ipv4['subnet'] }}/{{ wireguard_network_ipv4['prefix'] }}" wireguard_vpn_network_ipv6: "{{ wireguard_network_ipv6['subnet'] }}/{{ wireguard_network_ipv6['prefix'] }}" easyrsa_reinit_existent: false +wireguard_dns_servers: >- + {% if local_dns|default(false)|bool or dns_encryption|default(false)|bool == true %} + {{ local_service_ip }} + {% else %} + {% for host in dns_servers.ipv4 %}{{ host }}{% if not loop.last %},{% endif %}{% endfor %}{% if ipv6_support %},{% for host in dns_servers.ipv6 %}{{ host }}{% if not loop.last %},{% endif %}{% endfor %}{% endif %} + {% endif %} diff --git a/roles/wireguard/templates/client.conf.j2 b/roles/wireguard/templates/client.conf.j2 index 59e5d52d..f75f0f43 100644 --- a/roles/wireguard/templates/client.conf.j2 +++ b/roles/wireguard/templates/client.conf.j2 
@@ -2,7 +2,8 @@ PrivateKey = {{ lookup('file', wireguard_config_path + '/private/' + item.1) }} Address = {{ wireguard_network_ipv4['clients_range'] }}.{{ wireguard_network_ipv4['clients_start'] + item.0 + 1 }}/32{% if ipv6_support %},{{ wireguard_network_ipv6['clients_range'] }}{{ wireguard_network_ipv6['clients_start'] + item.0 + 1 }}/{{ wireguard_network_ipv6['prefix'] }} {% endif %} -DNS = {{ local_service_ip }} + +DNS = {{ wireguard_dns_servers }} [Peer] PublicKey = {{ lookup('file', wireguard_config_path + '/public/' + IP_subject_alt_name) }} diff --git a/roles/wireguard/templates/server.conf.j2 b/roles/wireguard/templates/server.conf.j2 index a90e3fdc..3f9f45dd 100644 --- a/roles/wireguard/templates/server.conf.j2 +++ b/roles/wireguard/templates/server.conf.j2 @@ -2,7 +2,6 @@ Address = {{ wireguard_network_ipv4['subnet'] }}/{{ wireguard_network_ipv4['prefix'] }}{% if ipv6_support %},{{ wireguard_network_ipv6['gateway'] }}/{{ wireguard_network_ipv6['prefix'] }} {% endif %} -DNS = {{ local_service_ip }} ListenPort = {{ wireguard_port }} PrivateKey = {{ lookup('file', wireguard_config_path + '/private/' + IP_subject_alt_name) }} SaveConfig = true From 2d9a36d13aaf55719379a661aefb4561cabced6c Mon Sep 17 00:00:00 2001 From: Jack Ivanov <17044561+jackivanov@users.noreply.github.com> Date: Mon, 28 May 2018 22:16:06 +0300 Subject: [PATCH 11/91] Scaleway: enable ipv6 and switch to local boot (#974) - Enables IPv6 on Scaleway - Adds local boot on scaleway - Fixes #966 --- roles/cloud-scaleway/tasks/main.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/roles/cloud-scaleway/tasks/main.yml b/roles/cloud-scaleway/tasks/main.yml index 7664d278..31cc3f99 100644 --- a/roles/cloud-scaleway/tasks/main.yml +++ b/roles/cloud-scaleway/tasks/main.yml 
@@ -74,6 +74,8 @@ name: "{{ algo_server_name }}" image: "{{ image_id }}" commercial_type: "{{cloud_providers.scaleway.size }}" + enable_ipv6: true + boot_type: local tags: - Environment:Algo - AUTHORIZED_KEY={{ lookup('file', SSH_keys.public)|regex_replace(' ', '_') }} From aee043977f5fc1e89e01b7a1bbc9396a89c63076 Mon Sep 17 00:00:00 2001 From: Jack Ivanov <17044561+jackivanov@users.noreply.github.com> Date: Wed, 30 May 2018 07:43:06 +0300 Subject: [PATCH 12/91] explicit installation of linux headers (#975) --- roles/common/tasks/ubuntu.yml | 2 +- tests/local-deploy.sh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/common/tasks/ubuntu.yml b/roles/common/tasks/ubuntu.yml index e1d97149..b0f347d7 100644 --- a/roles/common/tasks/ubuntu.yml +++ b/roles/common/tasks/ubuntu.yml @@ -88,7 +88,7 @@ - coreutils - iptables-persistent - cgroup-tools - - openssl + - "openssl{% if install_headers|default(true)|bool %},linux-headers-{{ ansible_kernel }}{% endif %}" sysctl: - item: net.ipv4.ip_forward value: 1 diff --git a/tests/local-deploy.sh b/tests/local-deploy.sh index efd127cb..246132f8 100755 --- a/tests/local-deploy.sh +++ b/tests/local-deploy.sh @@ -2,7 +2,7 @@ set -ex -DEPLOY_ARGS="server_ip=$LXC_IP server_user=ubuntu IP_subject_alt_name=$LXC_IP local_dns=true dns_over_https=true apparmor_enabled=false" +DEPLOY_ARGS="server_ip=$LXC_IP server_user=ubuntu IP_subject_alt_name=$LXC_IP local_dns=true dns_over_https=true apparmor_enabled=false install_headers=false" if [ "${LXC_NAME}" == "docker" ] then From daca84b6405258a7b247626efe9c87078aac1c46 Mon Sep 17 00:00:00 2001 From: Jack Ivanov Date: Wed, 30 May 2018 17:11:32 +0300 Subject: [PATCH 13/91] Update references to 18.04 --- README.md | 6 +++--- docs/cloud-do.md | 16 ++++++++-------- docs/deploy-to-ubuntu.md | 4 ++-- docs/deploy-to-unsupported-cloud.md | 2 +- docs/index.md | 3 +-- docs/troubleshooting.md | 2 +- 6 files changed, 16 insertions(+), 17 deletions(-) 
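Review bot: In roles/common/tasks/ubuntu.yml the new entry packs two package names into one list item, `"openssl{% if install_headers|default(true)|bool %},linux-headers-{{ ansible_kernel }}{% endif %}"`, so it only works if the task that consumes this list splits names on commas; that task is outside the hunk. A separate task is easier to read and to skip, for example one that installs `linux-headers-{{ ansible_kernel }}` with `when: install_headers|default(true)|bool`. If the inline form stays, a comment such as `# headers are needed to build the WireGuard module; set install_headers=false in containers` would record why the conditional exists, assuming that is the reason.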
diff --git a/README.md b/README.md index 61d61c54..6f0b42c1 100644 --- a/README.md +++ b/README.md @@ -14,7 +14,7 @@ Algo VPN is a set of Ansible scripts that simplify the setup of a personal IPSEC * Blocks ads with a local DNS resolver (optional) * Sets up limited SSH users for tunneling traffic (optional) * Based on current versions of Ubuntu and strongSwan -* Installs to DigitalOcean, Amazon Lightsail, Amazon EC2, Microsoft Azure, Google Compute Engine, Scaleway, OpenStack or your own Ubuntu 16.04 LTS server +* Installs to DigitalOcean, Amazon Lightsail, Amazon EC2, Microsoft Azure, Google Compute Engine, Scaleway, OpenStack or your own Ubuntu 18.04 LTS server ## Anti-features @@ -116,7 +116,7 @@ Network Manager does not support AES-GCM. In order to support Linux Desktop clie Install strongSwan, then copy the included ipsec_user.conf, ipsec_user.secrets, user.crt (user certificate), and user.key (private key) files to your client device. These will require customization based on your exact use case. These files were originally generated with a point-to-point OpenWRT-based VPN in mind. -#### Ubuntu Server 16.04 example +#### Ubuntu Server 18.04 example 1. `sudo apt-get install strongswan strongswan-plugin-openssl`: install strongSwan 2. `/etc/ipsec.d/certs`: copy `.crt` from `algo-master/configs//pki/certs/.crt` @@ -195,7 +195,7 @@ After this process completes, the Algo VPN server will contains only the users l - Configure [DigitalOcean](docs/cloud-do.md) * Advanced Deployment - Deploy to your own [FreeBSD](docs/deploy-to-freebsd.md) server - - Deploy to your own [Ubuntu 16.04](docs/deploy-to-ubuntu.md) server + - Deploy to your own [Ubuntu 18.04](docs/deploy-to-ubuntu.md) server - Deploy to an [unsupported cloud provider](docs/deploy-to-unsupported-cloud.md) * [FAQ](docs/faq.md) * [Troubleshooting](docs/troubleshooting.md) diff --git a/docs/cloud-do.md b/docs/cloud-do.md index 15c8e288..b8f84681 100644 --- a/docs/cloud-do.md +++ b/docs/cloud-do.md 
@@ -12,7 +12,7 @@ On the **Tokens/Keys** tab, select **Generate New Token**. A dialog will pop up. ![The new token dialog, showing a form requesting a name and confirmation on the scope for the new token.](/docs/images/do-new-token.png) -You will be returned to the **Tokens/Keys** tab, and your new key will be shown under the **Personal Access Tokens** header. +You will be returned to the **Tokens/Keys** tab, and your new key will be shown under the **Personal Access Tokens** header. ![The new token in the listing.](/docs/images/do-view-token.png) @@ -20,9 +20,9 @@ Copy or note down the hash that shows below the name you entered, as this will b ## Using DigitalOcean with Algo (command) -These steps are for people who run Algo using Docker or using the "algo" command. +These steps are for people who run Algo using Docker or using the "algo" command. -First you will be asked which server type to setup. You would want to enter "1" to use DigitalOcean. +First you will be asked which server type to setup. You would want to enter "1" to use DigitalOcean. ``` What provider would you like to use? @@ -33,7 +33,7 @@ First you will be asked which server type to setup. You would want to enter "1" 5. Google Compute Engine 6. Scaleway 7. OpenStack (DreamCompute optimised) - 8. Install to existing Ubuntu 16.04 server + 8. Install to existing Ubuntu 18.04 server Enter the number of your desired provider : 1 
@@ -44,17 +44,17 @@ Next you will be asked for the API Token value. Paste the API Token value you co ``` Enter your API token. The token must have read and write permissions (https://cloud.digitalocean.com/settings/api/tokens): [pasted values will not be displayed] -: +: ``` You will be prompted for the server name to enter. Feel free to leave this as the default ("algo.local") if you are not certain how this will affect your setup. ``` Name the vpn server: -[algo.local]: +[algo.local]: ``` -After entering the server name the script ask which region you wish to setup your new Algo instance in. Enter the number next to name of the region. +After entering the server name the script ask which region you wish to setup your new Algo instance in. Enter the number next to name of the region. ``` What region should the server be located in? @@ -83,5 +83,5 @@ If you are using Ansible to deploy to DigitalOcean, you will need to pass the AP For example, ansible-playbook deploy.yml -t digitalocean,vpn,cloud -e 'do_access_token=my_secret_token do_server_name=algo.local do_region=ams2 - + Where "my_secret_token" is your API Token. diff --git a/docs/deploy-to-ubuntu.md b/docs/deploy-to-ubuntu.md index 5516611b..13113a38 100644 --- a/docs/deploy-to-ubuntu.md +++ b/docs/deploy-to-ubuntu.md 
@@ -1,8 +1,8 @@ # Local deployment -It is possible to download the Algo scripts to your own Ubuntu 16.04 server and run the scripts locally. +It is possible to download the Algo scripts to your own Ubuntu 18.04 server and run the scripts locally. -In order to start, you need to install Ansible. Installing Ansible via pip requires pulling in a lot of dependencies, including a full compiler suite. It would be easier to use apt, however, Ubuntu 16.04 only comes with Ansible 2.0.0.2. The easiest solution is to install the Ansible PPA for a newer version of Ansible via apt, however, using a PPA requires installing `software-properties-common`. +In order to start, you need to install Ansible. Installing Ansible via pip requires pulling in a lot of dependencies, including a full compiler suite. It would be easier to use apt, however, Ubuntu 18.04 only comes with Ansible 2.0.0.2. The easiest solution is to install the Ansible PPA for a newer version of Ansible via apt, however, using a PPA requires installing `software-properties-common`. tl;dr: diff --git a/docs/deploy-to-unsupported-cloud.md b/docs/deploy-to-unsupported-cloud.md index 3e1e5dab..7fd176f7 100644 --- a/docs/deploy-to-unsupported-cloud.md +++ b/docs/deploy-to-unsupported-cloud.md 
@@ -2,7 +2,7 @@ Algo officially supports DigitalOcean, Amazon Web Services, Microsoft Azure, and Google Cloud Engine. If you want to deploy Algo on another virtual hosting provider, that provider must support: -1. the base operating system image that Algo uses (Ubuntu 16.04), and +1. the base operating system image that Algo uses (Ubuntu 18.04), and 2. a minimum of certain kernel modules required for the strongSwan IPsec server. Please see the [Required Kernel Modules](https://wiki.strongswan.org/projects/strongswan/wiki/KernelModules) documentation from strongSwan for a list of the specific required modules and a script to check for them. As a first step, we recommend running their shell script to determine initial compatibility with your new hosting provider. diff --git a/docs/index.md b/docs/index.md index e5c7050c..47705b7a 100644 --- a/docs/index.md +++ b/docs/index.md @@ -14,8 +14,7 @@ - Configure [DigitalOcean](cloud-do.md) * Advanced Deployment - Deploy to your own [FreeBSD](deploy-to-freebsd.md) server - - Deploy to your own [Ubuntu 16.04](deploy-to-ubuntu.md) server + - Deploy to your own [Ubuntu 18.04](deploy-to-ubuntu.md) server - Deploy to an [unsupported cloud provider](deploy-to-unsupported-cloud.md) * [FAQ](faq.md) * [Troubleshooting](troubleshooting.md) - diff --git a/docs/troubleshooting.md b/docs/troubleshooting.md index 09f3fbf8..6dbc79e8 100644 --- a/docs/troubleshooting.md +++ b/docs/troubleshooting.md 
@@ -198,7 +198,7 @@ You're trying to connect Ubuntu or Debian to the Algo server through the Network This issue appears intermittently due to issues with MTU size. If you experience this issue, we recommend [filing an issue](https://github.com/trailofbits/algo/issues/new) for assistance. Advanced users can troubleshoot the correct MTU size by retrying `ping` with the "don't fragment" bit set, then decreasing packet size until it works. This will determine the correct MTU size for your network, which you then need to update on your network adapter. -E.g., On Linux (client -- Ubuntu 16.04), connect to your IPsec tunnel then use the following commands to determine the correct MTU size: +E.g., On Linux (client -- Ubuntu 18.04), connect to your IPsec tunnel then use the following commands to determine the correct MTU size: ``` $ ping -M do -s 1500 www.google.com PING www.google.com (74.125.22.147) 1500(1528) bytes of data. From 16e78087d175c79b1a7c27b0314afdaefa7a9ed7 Mon Sep 17 00:00:00 2001 From: Jack Ivanov <17044561+jackivanov@users.noreply.github.com> Date: Wed, 30 May 2018 17:17:08 +0300 Subject: [PATCH 14/91] Update CHANGELOG.md --- CHANGELOG.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5d3028a5..da715362 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,13 @@ +## 24 May 2018 +### Changed +- Switched to Ubuntu 18.04 + +### Removed +- Lightsail support until they have Ubuntu 18.04 + +### Fixed +- Scaleway API paginagion + ## 30 Apr 2018 ### Added - WireGuard support From d7bce687388638e871a20bc8e5a83a8c64c69b34 Mon Sep 17 00:00:00 2001 From: Jack Ivanov Date: Thu, 31 May 2018 19:32:41 +0300 Subject: [PATCH 15/91] TravisCI fixes --- .travis.yml | 2 -- tests/local-deploy.sh | 3 ++- tests/update-users.sh | 12 +++++------- 3 files changed, 7 insertions(+), 10 deletions(-) diff --git a/.travis.yml b/.travis.yml index 2a2fa1d9..9d91089e 100644 --- a/.travis.yml +++ b/.travis.yml 
@@ -70,8 +70,6 @@ script: # - ansible-lint deploy.yml users.yml deploy_client.yml - ansible-playbook deploy.yml --syntax-check - ./tests/local-deploy.sh - -after_script: - ./tests/update-users.sh notifications: diff --git a/tests/local-deploy.sh b/tests/local-deploy.sh index 246132f8..b82ea149 100755 --- a/tests/local-deploy.sh +++ b/tests/local-deploy.sh @@ -3,10 +3,11 @@ set -ex DEPLOY_ARGS="server_ip=$LXC_IP server_user=ubuntu IP_subject_alt_name=$LXC_IP local_dns=true dns_over_https=true apparmor_enabled=false install_headers=false" +touch /tmp/ca_password if [ "${LXC_NAME}" == "docker" ] then - docker run -it -v $(pwd)/config.cfg:/algo/config.cfg -v ~/.ssh:/root/.ssh -e "DEPLOY_ARGS=${DEPLOY_ARGS}" travis/algo /bin/sh -c "chown -R 0:0 /root/.ssh && source env/bin/activate && ansible-playbook deploy.yml -t cloud,local,vpn,dns,ssh_tunneling,security,tests,dns_over_https -e \"${DEPLOY_ARGS}\" --skip-tags apparmor,wireguard" + docker run -it -v /tmp/ca_password:/tmp/ca_password -v $(pwd)/config.cfg:/algo/config.cfg -v ~/.ssh:/root/.ssh -v $(pwd)/configs:/algo/configs -e "DEPLOY_ARGS=${DEPLOY_ARGS}" travis/algo /bin/sh -c "chown -R 0:0 /root/.ssh && source env/bin/activate && ansible-playbook deploy.yml -t cloud,local,vpn,dns,ssh_tunneling,security,tests,dns_over_https -e \"${DEPLOY_ARGS}\" --skip-tags apparmor,wireguard" else ansible-playbook deploy.yml -t cloud,local,vpn,dns,dns_over_https,ssh_tunneling,tests -e "${DEPLOY_ARGS}" --skip-tags apparmor fi diff --git a/tests/update-users.sh b/tests/update-users.sh index 8122a156..bea5a8cb 100755 --- a/tests/update-users.sh +++ b/tests/update-users.sh 
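Review bot: `touch /tmp/ca_password` in tests/local-deploy.sh creates the file that tests/update-users.sh later reads the CA password from, at a fixed shared path and with the default umask, so on most hosts it is readable by every local user. Creating it owner-only keeps the path that the new `-v /tmp/ca_password:/tmp/ca_password` mount expects: `( umask 077 && touch /tmp/ca_password )`. The added `-v $(pwd)/configs:/algo/configs` is unquoted like the existing `$(pwd)/config.cfg` mount and would split on a checkout path containing spaces; `-v "$(pwd)/configs:/algo/configs"` avoids that.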
@@ -3,20 +3,18 @@ set -ex CAPW=`cat /tmp/ca_password` -USER_ARGS="server_ip=$LXC_IP server_user=ubuntu ssh_tunneling_enabled=y IP_subject=$LXC_IP easyrsa_CA_password=$CAPW" +USER_ARGS="server_ip=$LXC_IP server_user=ubuntu ssh_tunneling_enabled=y IP_subject=$LXC_IP easyrsa_CA_password=$CAPW apparmor_enabled=false install_headers=false" sed -i 's/- jack$/- jack_test/' config.cfg if [ "${LXC_NAME}" == "docker" ] then - docker run -it -v $(pwd)/config.cfg:/algo/config.cfg -v ~/.ssh:/root/.ssh -e "USER_ARGS=${USER_ARGS}" travis/algo /bin/sh -c "chown -R 0:0 /root/.ssh && source env/bin/activate && ansible-playbook users.yml -e \"${USER_ARGS}\"" + docker run -it -v $(pwd)/config.cfg:/algo/config.cfg -v ~/.ssh:/root/.ssh -v $(pwd)/configs:/algo/configs -e "USER_ARGS=${USER_ARGS}" travis/algo /bin/sh -c "chown -R 0:0 /root/.ssh && source env/bin/activate && ansible-playbook users.yml -e \"${USER_ARGS}\" -t update-users --skip-tags common" else - ansible-playbook users.yml -e "${USER_ARGS}" + ansible-playbook users.yml -e "${USER_ARGS}" -t update-users --skip-tags common fi -cd configs/$LXC_IP/pki/ - -if openssl crl -inform pem -noout -text -in crl/jack.crt | grep CRL +if sudo openssl crl -inform pem -noout -text -in configs/$LXC_IP/pki/crl/jack.crt | grep CRL then echo "The CRL check passed" else @@ -24,7 +22,7 @@ if openssl crl -inform pem -noout -text -in crl/jack.crt | grep CRL exit 1 fi -if openssl x509 -inform pem -noout -text -in certs/jack_test.crt | grep CN=jack_test +if sudo openssl x509 -inform pem -noout -text -in configs/$LXC_IP/pki/certs/jack_test.crt | grep CN=jack_test then echo "The new user exists" else From ffb5a1f737d1a77db43697bf10067c284eee4b3a Mon Sep 17 00:00:00 2001 
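Review bot: The rewritten `USER_ARGS=` line still embeds `easyrsa_CA_password=$CAPW` while the script runs under `set -ex`, so the CA password is printed by the trace of the assignment and again in the traced `docker run` / `ansible-playbook` command lines, and ends up in the CI log. Running this script with `set -e` only, or putting `set +x` before the `CAPW=` line, keeps it out of the log. The value is also passed as a command-line `-e` argument and is therefore visible in the process list; having the playbook read it from the file is the more durable fix. The new `configs/$LXC_IP/pki/...` paths should be quoted as `"configs/$LXC_IP/pki/crl/jack.crt"`.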
From: Jack Ivanov <17044561+jackivanov@users.noreply.github.com> Date: Fri, 1 Jun 2018 17:06:03 +0300 Subject: [PATCH 16/91] WireGuard: disable SaveConfig, update-users fix (#985) - Disables SaveConfig. SaveConfig totally breaks the idea of configuration management and it breaks update-users - WireGuard update-users fix. Mentioned in https://github.com/trailofbits/algo/issues/980#issuecomment-393720561 --- roles/wireguard/templates/server.conf.j2 | 2 +- users.yml | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/roles/wireguard/templates/server.conf.j2 b/roles/wireguard/templates/server.conf.j2 index 3f9f45dd..17b388fc 100644 --- a/roles/wireguard/templates/server.conf.j2 +++ b/roles/wireguard/templates/server.conf.j2 @@ -4,7 +4,7 @@ Address = {{ wireguard_network_ipv4['subnet'] }}/{{ wireguard_network_ipv4['pref ListenPort = {{ wireguard_port }} PrivateKey = {{ lookup('file', wireguard_config_path + '/private/' + IP_subject_alt_name) }} -SaveConfig = true +SaveConfig = false Table = off {% for u in users %} diff --git a/users.yml b/users.yml index 46a2d79c..f60cbb3b 100644 --- a/users.yml +++ b/users.yml @@ -55,6 +55,7 @@ roles: - { role: ssh_tunneling, tags: always, when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y" } + - { role: wireguard, tags: [ 'vpn', 'wireguard' ], when: wireguard_enabled } - { role: vpn } post_tasks: From 030cb9a83036a8a2266acdb1f5182001a61f2396 Mon Sep 17 00:00:00 2001 From: Jack Ivanov Date: Fri, 1 Jun 2018 17:41:30 +0300 Subject: [PATCH 17/91] Test fixes --- tests/local-deploy.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/local-deploy.sh b/tests/local-deploy.sh index b82ea149..b586aaac 100755 --- a/tests/local-deploy.sh +++ b/tests/local-deploy.sh 
@@ -7,7 +7,7 @@ touch /tmp/ca_password if [ "${LXC_NAME}" == "docker" ] then - docker run -it -v /tmp/ca_password:/tmp/ca_password -v $(pwd)/config.cfg:/algo/config.cfg -v ~/.ssh:/root/.ssh -v $(pwd)/configs:/algo/configs -e "DEPLOY_ARGS=${DEPLOY_ARGS}" travis/algo /bin/sh -c "chown -R 0:0 /root/.ssh && source env/bin/activate && ansible-playbook deploy.yml -t cloud,local,vpn,dns,ssh_tunneling,security,tests,dns_over_https -e \"${DEPLOY_ARGS}\" --skip-tags apparmor,wireguard" + docker run -it -v /tmp/ca_password:/tmp/ca_password -v $(pwd)/config.cfg:/algo/config.cfg -v ~/.ssh:/root/.ssh -v $(pwd)/configs:/algo/configs -e "DEPLOY_ARGS=${DEPLOY_ARGS}" travis/algo /bin/sh -c "chown -R 0:0 /root/.ssh && source env/bin/activate && ansible-playbook deploy.yml -t cloud,local,vpn,dns,ssh_tunneling,security,tests,dns_over_https -e \"${DEPLOY_ARGS}\" --skip-tags apparmor" else ansible-playbook deploy.yml -t cloud,local,vpn,dns,dns_over_https,ssh_tunneling,tests -e "${DEPLOY_ARGS}" --skip-tags apparmor fi From 6faac307afe98465a3d8bf9f7ddd6566dd8a6506 Mon Sep 17 00:00:00 2001 From: TC1977 <37350377+TC1977@users.noreply.github.com> Date: Mon, 4 Jun 2018 11:09:01 -0400 Subject: [PATCH 18/91] Update troubleshooting.md (#992) Many times people are reaching VPC limits not because they're running other VPCs on AWS, but because they've already deployed several times (AWS allows five VPCs per region). This lets people know they can simply delete their old VPCs instead of contacting AWS support. --- docs/troubleshooting.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/troubleshooting.md b/docs/troubleshooting.md index 6dbc79e8..4fbcdc65 100644 --- a/docs/troubleshooting.md +++ b/docs/troubleshooting.md 
@@ -160,7 +160,7 @@ fatal: [localhost]: FAILED! => {"changed": true, "events": ["StackEvent AWS::Clo Algo builds a [Cloudformation](https://aws.amazon.com/cloudformation/) template to deploy to AWS. You can find the entire contents of the Cloudformation template in `configs/algo.yml`. In order to troubleshoot this issue, login to the AWS console, go to the Cloudformation service, find the failed deployment, click the events tab, and find the corresponding "CREATE_FAILED" events. Note that all AWS resources created by Algo are tagged with `Environment => Algo` for easy identification. -In many cases, failed deployments are the result of [service limits](http://docs.aws.amazon.com/general/latest/gr/aws_service_limits.html) being reached, such as "CREATE_FAILED AWS::EC2::VPC VPC The maximum number of VPCs has been reached." In these cases, you must [contact AWS support](https://console.aws.amazon.com/support/home?region=us-east-1#/case/create?issueType=service-limit-increase&limitType=service-code-direct-connect) to increase the limits on your account. +In many cases, failed deployments are the result of [service limits](http://docs.aws.amazon.com/general/latest/gr/aws_service_limits.html) being reached, such as "CREATE_FAILED AWS::EC2::VPC VPC The maximum number of VPCs has been reached." In these cases, you must either [delete the VPCs from previous deployments](https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/working-with-vpcs.html#VPC_Deleting), or [contact AWS support](https://console.aws.amazon.com/support/home?region=us-east-1#/case/create?issueType=service-limit-increase&limitType=service-code-direct-connect) to increase the limits on your account. ## Connection Problems From 2f142f6dccdff933a552a3939e4904fa67851f84 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Emir=20Beganovi=C4=87?= Date: Mon, 25 Jun 2018 12:40:51 +0200 Subject: [PATCH 19/91] Remove duplicate dict key (enable_ipv6) (#999) Warning in yaml file: ` [WARNING]: While constructing a mapping from /root/algo/roles/cloud-scaleway/tasks/main.yml, line 73, column 11, found a duplicate dict key (enable_ipv6). Using last defined value only.` --- roles/cloud-scaleway/tasks/main.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/roles/cloud-scaleway/tasks/main.yml b/roles/cloud-scaleway/tasks/main.yml index 31cc3f99..1bc939b8 100644 --- a/roles/cloud-scaleway/tasks/main.yml +++ b/roles/cloud-scaleway/tasks/main.yml @@ -79,7 +79,6 @@ tags: - Environment:Algo - AUTHORIZED_KEY={{ lookup('file', SSH_keys.public)|regex_replace(' ', '_') }} - enable_ipv6: true status_code: 201 body_format: json register: algo_instance From 2931227db4286233d660dade4876ee6cf93be1ff Mon Sep 17 00:00:00 2001 From: Mikael Forsgren Date: Tue, 26 Jun 2018 12:01:45 +0200 Subject: [PATCH 20/91] New Google Cloud Region (#1013) Added the new Google Cloud Region Finland (europe-north1) with 3 zones --- algo | 114 +++++++++++++++++++----------------- docs/deploy-from-ansible.md | 3 + 2 files changed, 63 insertions(+), 54 deletions(-) diff --git a/algo b/algo index 73e39657..3c17a7d8 100755 --- a/algo +++ b/algo 
@@ -444,33 +444,36 @@ Name the vpn server: 17. South America East (São Paulo A) 18. South America East (São Paulo B) 19. South America East (São Paulo C) - 20. Western Europe (Belgium B) - 21. Western Europe (Belgium C) - 22. Western Europe (Belgium D) - 23. Western Europe (London A) - 24. Western Europe (London B) - 25. Western Europe (London C) - 26. Western Europe (Frankfurt A) - 27. Western Europe (Frankfurt B) - 28. Western Europe (Frankfurt C) - 29. Western Europe (Netherlands A) - 30. Western Europe (Netherlands B) - 31. Western Europe (Netherlands C) - 32. South Asia (Mumbai A) - 33. South Asia (Mumbai B) - 34. South Asia (Mumbai C) - 35. Southeast Asia (Singapore A) - 36. Southeast Asia (Singapore B) - 37. Southeast Asia (Singapore C) - 38. East Asia (Taiwan A) - 39. East Asia (Taiwan B) - 40. East Asia (Taiwan C) - 41. Northeast Asia (Tokyo A) - 42. Northeast Asia (Tokyo B) - 43. Northeast Asia (Tokyo C) - 44. Australia (Sydney A) - 45. Australia (Sydney B) - 46. Australia (Sydney C) + 20. Northern Europe (Hamina A) + 21. Northern Europe (Hamina B) + 22. Northern Europe (Hamina C) + 23. Western Europe (Belgium B) + 24. Western Europe (Belgium C) + 25. Western Europe (Belgium D) + 26. Western Europe (London A) + 27. Western Europe (London B) + 28. Western Europe (London C) + 29. Western Europe (Frankfurt A) + 30. Western Europe (Frankfurt B) + 31. Western Europe (Frankfurt C) + 32. Western Europe (Netherlands A) + 33. Western Europe (Netherlands B) + 34. Western Europe (Netherlands C) + 35. South Asia (Mumbai A) + 36. South Asia (Mumbai B) + 37. South Asia (Mumbai C) + 38. Southeast Asia (Singapore A) + 39. Southeast Asia (Singapore B) + 40. Southeast Asia (Singapore C) + 41. East Asia (Taiwan A) + 42. East Asia (Taiwan B) + 43. East Asia (Taiwan C) + 44. Northeast Asia (Tokyo A) + 45. Northeast Asia (Tokyo B) + 46. Northeast Asia (Tokyo C) + 47. Australia (Sydney A) + 48. Australia (Sydney B) + 49. 
Australia (Sydney C) Please choose the number of your zone. Press enter for default (#20) zone. [20]: " -r region 
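Review bot: Inserting the three Hamina zones at positions 20-22 changes what the default selects, because the prompt kept as context in this hunk still reads `Press enter for default (#20) zone.` and `[20]:`, and entry 20 is now Northern Europe (Hamina A) instead of Western Europe (Belgium B). The matching `case` hunk below maps `20)` to `europe-north1-a`, so anyone pressing enter, or any wrapper that feeds the old numbers, lands in a different region than before. If Belgium should remain the default, the prompt and the default assignment need to become 23 (the assignment itself is outside the hunk). Otherwise appending the new region at the end of the list keeps every existing number stable.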
@@ -496,33 +499,36 @@ Please choose the number of your zone. Press enter for default (#20) zone. 17) zone="southamerica-east1-a" ;; 18) zone="southamerica-east1-b" ;; 19) zone="southamerica-east1-c" ;; - 20) zone="europe-west1-b" ;; - 21) zone="europe-west1-c" ;; - 22) zone="europe-west1-d" ;; - 23) zone="europe-west2-a" ;; - 24) zone="europe-west2-b" ;; - 25) zone="europe-west2-c" ;; - 26) zone="europe-west3-a" ;; - 27) zone="europe-west3-b" ;; - 28) zone="europe-west3-c" ;; - 29) zone="europe-west4-a" ;; - 30) zone="europe-west4-b" ;; - 31) zone="europe-west4-c" ;; - 32) zone="asia-south1-a" ;; - 33) zone="asia-south1-b" ;; - 34) zone="asia-south1-c" ;; - 35) zone="asia-southeast1-a" ;; - 36) zone="asia-southeast1-b" ;; - 37) zone="asia-southeast1-c" ;; - 38) zone="asia-east1-a" ;; - 39) zone="asia-east1-b" ;; - 40) zone="asia-east1-c" ;; - 41) zone="asia-northeast1-a" ;; - 42) zone="asia-northeast1-b" ;; - 43) zone="asia-northeast1-c" ;; - 44) zone="australia-southeast1-a" ;; - 45) zone="australia-southeast1-b" ;; - 46) zone="australia-southeast1-c" ;; + 20) zone="europe-north1-a" ;; + 21) zone="europe-north1-b" ;; + 22) zone="europe-north1-c" ;; + 23) zone="europe-west1-b" ;; + 24) zone="europe-west1-c" ;; + 25) zone="europe-west1-d" ;; + 26) zone="europe-west2-a" ;; + 27) zone="europe-west2-b" ;; + 28) zone="europe-west2-c" ;; + 29) zone="europe-west3-a" ;; + 30) zone="europe-west3-b" ;; + 31) zone="europe-west3-c" ;; + 32) zone="europe-west4-a" ;; + 33) zone="europe-west4-b" ;; + 34) zone="europe-west4-c" ;; + 35) zone="asia-south1-a" ;; + 36) zone="asia-south1-b" ;; + 37) zone="asia-south1-c" ;; + 38) zone="asia-southeast1-a" ;; + 39) zone="asia-southeast1-b" ;; + 40) zone="asia-southeast1-c" ;; + 41) zone="asia-east1-a" ;; + 42) zone="asia-east1-b" ;; + 43) zone="asia-east1-c" ;; + 44) zone="asia-northeast1-a" ;; + 45) zone="asia-northeast1-b" ;; + 46) zone="asia-northeast1-c" ;; + 47) zone="australia-southeast1-a" ;; + 48) zone="australia-southeast1-b" ;; 
+ 49) zone="australia-southeast1-c" ;; esac ROLES="gce vpn cloud" diff --git a/docs/deploy-from-ansible.md b/docs/deploy-from-ansible.md index e6fb2b05..f7bcf6da 100644 --- a/docs/deploy-from-ansible.md +++ b/docs/deploy-from-ansible.md @@ -198,6 +198,9 @@ Possible options for `zone`: - us-east1-b - us-east1-c - us-east1-d +- europe-north1-a +- europe-north1-b +- europe-north1-c - europe-west1-b - europe-west1-c - europe-west1-d From b061df66310f656ac555c03764bf2f64817d01b5 Mon Sep 17 00:00:00 2001 From: Jack Ivanov <17044561+jackivanov@users.noreply.github.com> Date: Tue, 26 Jun 2018 13:11:09 +0300 Subject: [PATCH 21/91] Move DNSCrypt proxy fallback_resolver to systemd resolved (#1011) --- roles/common/tasks/ubuntu.yml | 7 +++++-- roles/dns_encryption/templates/dnscrypt-proxy.toml.j2 | 2 +- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/roles/common/tasks/ubuntu.yml b/roles/common/tasks/ubuntu.yml index b0f347d7..f2799ab0 100644 --- a/roles/common/tasks/ubuntu.yml +++ b/roles/common/tasks/ubuntu.yml @@ -57,12 +57,15 @@ tags: - always -- name: systemd-networkd enabled and started +- name: systemd services enabled and started systemd: - name: systemd-networkd + name: "{{ item }}" state: started enabled: true daemon_reload: true + with_items: + - systemd-networkd + - systemd-resolved tags: - always diff --git a/roles/dns_encryption/templates/dnscrypt-proxy.toml.j2 b/roles/dns_encryption/templates/dnscrypt-proxy.toml.j2 index 72eb898d..22e9cfc5 100644 --- a/roles/dns_encryption/templates/dnscrypt-proxy.toml.j2 +++ b/roles/dns_encryption/templates/dnscrypt-proxy.toml.j2 @@ -151,7 +151,7 @@ tls_cipher_suite = [49195] ## People in China may need to use 114.114.114.114:53 here. ## Other popular options include 8.8.8.8 and 1.1.1.1. -fallback_resolver = '1.1.1.1:53' +fallback_resolver = '127.0.0.53:53' ## Never try to use the system DNS settings; unconditionally use the From 4ca8c03e3c952981ada128525e6ee5039a520af6 Mon Sep 17 00:00:00 2001 
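Review bot: `fallback_resolver = '127.0.0.53:53'` in dnscrypt-proxy.toml.j2 points the unencrypted fallback at the systemd-resolved stub, so those lookups go to whatever upstream the host got from its network instead of a resolver chosen in the template, and they fail if systemd-resolved is not running. The unchanged comments above it still recommend public resolvers, and the one below talks about never using the system DNS settings, so the file now reads inconsistently. A comment on the line would help, for example `## Local systemd-resolved stub; needs the systemd-resolved service enabled in roles/common`. It is also worth confirming that resolved is never configured to forward to dnscrypt-proxy itself, which would make the fallback circular; that configuration is not visible here.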
From: Jack Ivanov <17044561+jackivanov@users.noreply.github.com> Date: Wed, 27 Jun 2018 18:22:45 +0300 Subject: [PATCH 22/91] New default cipher suite (#991) * New ciphers enabled * Update CHANGELOG.md * Switch ecparam to secp384r1 * Change CertificateType to ECDSA384 --- CHANGELOG.md | 4 ++++ docs/client-linux.md | 4 ++-- docs/client-windows.md | 10 +++++----- roles/vpn/defaults/main.yml | 8 ++++---- roles/vpn/tasks/openssl.yml | 8 ++++---- roles/vpn/templates/client_windows.ps1.j2 | 10 +++++----- roles/vpn/templates/mobileconfig.j2 | 10 +++++----- 7 files changed, 29 insertions(+), 25 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index da715362..897352b7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,7 @@ +## 04 Jun 2018 +### Changed +- Switched to [new cipher suite](https://github.com/trailofbits/algo/issues/981) + ## 24 May 2018 ### Changed - Switched to Ubuntu 18.04 diff --git a/docs/client-linux.md b/docs/client-linux.md index a24eda1d..94a6445f 100644 --- a/docs/client-linux.md +++ b/docs/client-linux.md @@ -73,6 +73,6 @@ In this example we'll assume the IP of our Algo VPN server is `1.2.3.4` and the * For the later 2 options, hover to option in the settings to see a description * Cipher proposal: * Check *Enable custom proposals* - * IKE: `aes128gcm16-prfsha512-ecp256,aes128-sha2_512-prfsha512-ecp256,aes128-sha2_384-prfsha384-ecp256` - * ESP: `aes128gcm16-ecp256,aes128-sha2_512-prfsha512-ecp256` + * IKE: `aes256gcm16-prfsha512-ecp384,aes256-sha2_512-prfsha512-ecp384,aes256-sha2_384-prfsha384-ecp384` + * ESP: `aes256gcm16-ecp384,aes256-sha2_512-prfsha512-ecp384` * Apply and turn the connection on, you should now be connected diff --git a/docs/client-windows.md b/docs/client-windows.md index d7d89151..6e071cf1 100644 --- a/docs/client-windows.md +++ b/docs/client-windows.md 
@@ -48,12 +48,12 @@ Add-VpnConnection @addVpnParams $setVpnParams = @{ ConnectionName = $VpnName - AuthenticationTransformConstants = "GCMAES128" - CipherTransformConstants = "GCMAES128" - EncryptionMethod = "AES128" + AuthenticationTransformConstants = "GCMAES256" + CipherTransformConstants = "GCMAES256" + EncryptionMethod = "AES256" IntegrityCheckMethod = "SHA384" - DHGroup = "ECP256" - PfsGroup = "ECP256" + DHGroup = "ECP384" + PfsGroup = "ECP384" Force = $true } Set-VpnConnectionIPsecConfiguration @setVpnParams diff --git a/roles/vpn/defaults/main.yml b/roles/vpn/defaults/main.yml index 2efc124d..f969fb29 100644 --- a/roles/vpn/defaults/main.yml +++ b/roles/vpn/defaults/main.yml @@ -25,8 +25,8 @@ strongswan_enabled_plugins: ciphers: defaults: - ike: aes128gcm16-prfsha512-ecp256! - esp: aes128gcm16-ecp256! + ike: aes256gcm16-prfsha512-ecp384! + esp: aes256gcm16-ecp384! compat: - ike: aes128gcm16-prfsha512-ecp256,aes128-sha2_512-prfsha512-ecp256,aes128-sha2_384-prfsha384-ecp256! - esp: aes128gcm16-ecp256,aes128-sha2_512-prfsha512-ecp256! + ike: aes256gcm16-prfsha512-ecp384,aes256-sha2_512-prfsha512-ecp384,aes256-sha2_384-prfsha384-ecp384! + esp: aes256gcm16-ecp384,aes256-sha2_512-prfsha512-ecp384! diff --git a/roles/vpn/tasks/openssl.yml b/roles/vpn/tasks/openssl.yml index 053470fb..af19ae2b 100644 --- a/roles/vpn/tasks/openssl.yml +++ b/roles/vpn/tasks/openssl.yml @@ -42,9 +42,9 @@ - name: Build the CA pair shell: > - {{ openssl_bin }} ecparam -name prime256v1 -out ecparams/prime256v1.pem && + {{ openssl_bin }} ecparam -name secp384r1 -out ecparams/secp384r1.pem && {{ openssl_bin }} req -utf8 -new - -newkey ec:ecparams/prime256v1.pem + -newkey ec:ecparams/secp384r1.pem -config <(cat openssl.cnf <(printf "[basic_exts]\nsubjectAltName={{ subjectAltName }}")) -keyout private/cakey.pem -out cacert.pem -x509 -days 3650 
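Review bot: In roles/vpn/tasks/openssl.yml the parameter file is renamed to `ecparams/secp384r1.pem`, but it is written only by the `ecparam` command in "Build the CA pair"; the server and client tasks in the later hunks just read it through `-newkey ec:ecparams/secp384r1.pem`. If the CA task is skipped for a PKI directory that already exists (its condition is outside the hunk), adding users to a deployment made before this change would fail on the missing file. Generating the parameters in their own idempotent task, or stating in the CHANGELOG that the change needs a fresh deployment, would cover that. The `ike`/`esp` defaults in roles/vpn/defaults/main.yml now end in `!` with only ecp384 proposals, so clients set up with the earlier ecp256 profiles will presumably need regenerated profiles as well.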
@@ -71,7 +71,7 @@ - name: Build the server pair shell: > {{ openssl_bin }} req -utf8 -new - -newkey ec:ecparams/prime256v1.pem + -newkey ec:ecparams/secp384r1.pem -config <(cat openssl.cnf <(printf "[basic_exts]\nsubjectAltName={{ subjectAltName }}")) -keyout private/{{ IP_subject_alt_name }}.key -out reqs/{{ IP_subject_alt_name }}.req -nodes @@ -93,7 +93,7 @@ - name: Build the client's pair shell: > {{ openssl_bin }} req -utf8 -new - -newkey ec:ecparams/prime256v1.pem + -newkey ec:ecparams/secp384r1.pem -config <(cat openssl.cnf <(printf "[basic_exts]\nsubjectAltName=DNS:{{ item }}")) -keyout private/{{ item }}.key -out reqs/{{ item }}.req -nodes diff --git a/roles/vpn/templates/client_windows.ps1.j2 b/roles/vpn/templates/client_windows.ps1.j2 index 93269c7f..4ffce674 100644 --- a/roles/vpn/templates/client_windows.ps1.j2 +++ b/roles/vpn/templates/client_windows.ps1.j2 @@ -169,12 +169,12 @@ function Add-AlgoVPN { $setVpnParams = @{ ConnectionName = $VpnName - AuthenticationTransformConstants = "GCMAES128" - CipherTransformConstants = "GCMAES128" - EncryptionMethod = "AES128" + AuthenticationTransformConstants = "GCMAES256" + CipherTransformConstants = "GCMAES256" + EncryptionMethod = "AES256" IntegrityCheckMethod = "SHA384" - DHGroup = "ECP256" - PfsGroup = "ECP256" + DHGroup = "ECP384" + PfsGroup = "ECP384" Force = $true } Set-VpnConnectionIPsecConfiguration @setVpnParams diff --git a/roles/vpn/templates/mobileconfig.j2 b/roles/vpn/templates/mobileconfig.j2 index b8013df2..9a342b4b 100644 --- a/roles/vpn/templates/mobileconfig.j2 +++ b/roles/vpn/templates/mobileconfig.j2 @@ -60,9 +60,9 @@ ChildSecurityAssociationParameters DiffieHellmanGroup - 19 + 20 EncryptionAlgorithm - AES-128-GCM + AES-256-GCM IntegrityAlgorithm SHA2-512 LifeTimeInMinutes @@ -81,9 +81,9 @@ IKESecurityAssociationParameters DiffieHellmanGroup - 19 + 20 EncryptionAlgorithm - AES-128-GCM + AES-256-GCM IntegrityAlgorithm SHA2-512 LifeTimeInMinutes 
@@ -94,7 +94,7 @@ PayloadCertificateUUID {{ pkcs12_PayloadCertificateUUID }} CertificateType - ECDSA256 + ECDSA384 ServerCertificateIssuerCommonName {{ IP_subject_alt_name }} RemoteAddress From d1c58f0d282fcf7a4e15ac8aa7def680b944460a Mon Sep 17 00:00:00 2001 From: Jack Ivanov <17044561+jackivanov@users.noreply.github.com> Date: Mon, 2 Jul 2018 16:33:31 +0300 Subject: [PATCH 23/91] apt_repository fix (#1017) --- roles/dns_encryption/tasks/ubuntu.yml | 6 +++++- roles/wireguard/tasks/main.yml | 4 ++++ 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/roles/dns_encryption/tasks/ubuntu.yml b/roles/dns_encryption/tasks/ubuntu.yml index 0f1cffcf..5485f682 100644 --- a/roles/dns_encryption/tasks/ubuntu.yml +++ b/roles/dns_encryption/tasks/ubuntu.yml @@ -4,7 +4,11 @@ state: present codename: artful repo: ppa:shevchuk/dnscrypt-proxy - + register: result + until: result|succeeded + retries: 10 + delay: 3 + - name: Install dnscrypt-proxy apt: name: dnscrypt-proxy diff --git a/roles/wireguard/tasks/main.yml b/roles/wireguard/tasks/main.yml index 017e2ac3..4b70a3a2 100644 --- a/roles/wireguard/tasks/main.yml +++ b/roles/wireguard/tasks/main.yml @@ -3,6 +3,10 @@ apt_repository: repo: ppa:wireguard/wireguard state: present + register: result + until: result|succeeded + retries: 10 + delay: 3 - name: WireGuard installed apt: From 07a6bbe652d42529cce367b48ae362f229b35a52 Mon Sep 17 00:00:00 2001 From: Jack Ivanov <17044561+jackivanov@users.noreply.github.com> Date: Tue, 3 Jul 2018 09:06:45 +0300 Subject: [PATCH 24/91] Move max_mss to config.cfg (#1015) * Move max_mss to config.cfg * Add docs about max_mss * Update troubleshooting.md --- config.cfg | 10 ++++++++++ docs/troubleshooting.md | 6 +++++- roles/vpn/templates/rules.v4.j2 | 8 -------- 3 files changed, 15 insertions(+), 9 deletions(-) diff --git a/config.cfg b/config.cfg index 731c71de..a8fa915a 100644 --- a/config.cfg +++ b/config.cfg 
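Review bot: `until: result|succeeded` in roles/dns_encryption/tasks/ubuntu.yml uses a test as a filter, a form deprecated since Ansible 2.5; the same line is added in roles/wireguard/tasks/main.yml. If the project's pinned Ansible is 2.5 or later, I would write `until: result is succeeded`. The generic `register: result` is also easy to overwrite by a later task, so a specific name such as `dnscrypt_repo_result` (suggested name) would be clearer.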
@@ -18,6 +18,16 @@ vpn_network_ipv6: 'fd9d:bc11:4020::/48' wireguard_enabled: true wireguard_port: 51820 +# MSS is the TCP Max Segment Size +# Setting the 'max_mss' Ansible variable can solve some issues related to packet fragmentation +# This appears to be necessary on (at least) Google Cloud, +# however, some routers also require a change to this parameter +# See also: +# - https://github.com/trailofbits/algo/issues/216 +# - https://github.com/trailofbits/algo/issues?utf8=%E2%9C%93&q=is%3Aissue%20mtu +# - https://serverfault.com/questions/601143/ssh-not-working-over-ipsec-tunnel-strongswan +#max_mss: 1316 + server_name: "{{ ansible_ssh_host }}" IP_subject_alt_name: "{{ ansible_ssh_host }}" diff --git a/docs/troubleshooting.md b/docs/troubleshooting.md index 4fbcdc65..c16ed9fb 100644 --- a/docs/troubleshooting.md +++ b/docs/troubleshooting.md 
@@ -196,7 +196,9 @@ You're trying to connect Ubuntu or Debian to the Algo server through the Network ### Various websites appear to be offline through the VPN -This issue appears intermittently due to issues with MTU size. If you experience this issue, we recommend [filing an issue](https://github.com/trailofbits/algo/issues/new) for assistance. Advanced users can troubleshoot the correct MTU size by retrying `ping` with the "don't fragment" bit set, then decreasing packet size until it works. This will determine the correct MTU size for your network, which you then need to update on your network adapter. +This issue appears intermittently due to issues with MTU size. Different networks may require the MTU within a specific range to correctly pass traffic. We made an effort to set the MTU to the most conservative, most compatible size by default but problems may still occur. + +Advanced users can troubleshoot the correct MTU size by retrying `ping` with the "don't fragment" bit set, then decreasing packet size until it works. This will determine the correct MTU size for your network, which you then need to update on your network adapter. E.g., On Linux (client -- Ubuntu 18.04), connect to your IPsec tunnel then use the following commands to determine the correct MTU size: ``` 
@@ -209,6 +211,8 @@ Then, set the MTU size on your network adapter (wlan0 or eth0): $ sudo ifconfig wlan0 mtu 1438 ``` +You can also set the `max_mss` variable to a new value in config.cfg, and then redeploy your server rather than reconfigure the current one in-place. + ### "Error 809" or IKE_AUTH requests that never make it to the server On Windows, this issue may manifest with an error message that says "The network connection between your computer and the VPN server could not be established because the remote server is not responding... This is Error 809." On other operating systems, you may try to debug the issue by capturing packets with tcpdump and notice that, while IKE_SA_INIT request and responses are exchanged between the client and server, IKE_AUTH requests never make it to the server. diff --git a/roles/vpn/templates/rules.v4.j2 b/roles/vpn/templates/rules.v4.j2 index fe2878d6..dbcc368f 100644 --- a/roles/vpn/templates/rules.v4.j2 +++ b/roles/vpn/templates/rules.v4.j2 @@ -11,14 +11,6 @@ :POSTROUTING ACCEPT [0:0] {% if max_mss is defined %} -# MSS is the TCP Max Segment Size -# Setting the 'max_mss' Ansible variable can solve some issues related to packet fragmentation -# This appears to be necessary on (at least) Google Cloud, -# however, some routers also require a change to this parameter -# See also: -# - https://github.com/trailofbits/algo/issues/216 -# - https://github.com/trailofbits/algo/issues?utf8=%E2%9C%93&q=is%3Aissue%20mtu -# - https://serverfault.com/questions/601143/ssh-not-working-over-ipsec-tunnel-strongswan -A FORWARD -s {{ vpn_network }}{% if wireguard_enabled %},{{ wireguard_vpn_network }}{% endif %} -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss {{ max_mss }} {% endif %} From facd55c6355a50a4e45e9f223da30321c6bf78c4 Mon Sep 17 00:00:00 2001 
From: TC1977 <37350377+TC1977@users.noreply.github.com> Date: Tue, 3 Jul 2018 10:02:54 -0400 Subject: [PATCH 25/91] Update deploy-to-ubuntu.md (#1019) * Update deploy-to-ubuntu.md rewrite of #813 * Update deploy-to-ubuntu.md --- docs/deploy-to-ubuntu.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/deploy-to-ubuntu.md b/docs/deploy-to-ubuntu.md index 13113a38..36956a30 100644 --- a/docs/deploy-to-ubuntu.md +++ b/docs/deploy-to-ubuntu.md @@ -17,4 +17,4 @@ python -m virtualenv env && source env/bin/activate && python -m pip install -U ./algo ``` -**Warning**: If you run Algo on your existing server, the iptables rules will be overwritten. If you don't want to overwrite the rules, you must deploy via `ansible-playbook` and skip the `iptables` tag as described in [deploy-from-ansible.md](deploy-from-ansible.md). +**Warning**: Algo is intended to be run on a standalone server. If you run Algo on your existing server, the iptables rules will be overwritten. If you don't want to overwrite the rules, you must deploy via `ansible-playbook` and skip the `iptables` tag as described in [deploy-from-ansible.md](deploy-from-ansible.md). Other changes are also made, which can break other services running on your server (web, mail, etc.). From e6281bc7dfca226cc6d63f9a5ab5ffd490142ff2 Mon Sep 17 00:00:00 2001 From: adamluk Date: Thu, 12 Jul 2018 15:03:36 +0100 Subject: [PATCH 26/91] Update dnscrypt-proxy.toml.j2 (#1022) --- .../dns_encryption/templates/dnscrypt-proxy.toml.j2 | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/roles/dns_encryption/templates/dnscrypt-proxy.toml.j2 b/roles/dns_encryption/templates/dnscrypt-proxy.toml.j2 index 22e9cfc5..c5bd6ccc 100644 --- a/roles/dns_encryption/templates/dnscrypt-proxy.toml.j2 +++ b/roles/dns_encryption/templates/dnscrypt-proxy.toml.j2 
@@ -41,6 +41,18 @@ listen_addresses = ['{{ local_service_ip }}:{{ listen_port }}'] max_clients = 250 +## Switch to a non-privileged system user after listening sockets have been created. +## Two processes will be running. +## The first one will keep root privileges, but is only a supervisor, that does nothing +## except create the sockets, manage the service, and restart it if it crashes. +## The second process is the service itself, and that one will always run as a different +## user. +## Note (1): this feature is currently unsupported on Windows. +## Note (2): this feature is not compatible with systemd socket activation. + +user_name = 'nobody' + + ## Require servers (from static + remote sources) to satisfy specific properties # Use servers reachable over IPv4 From 952e759af4d7c921aabe37eda7049a22dfdd913f Mon Sep 17 00:00:00 2001 From: Jack Ivanov <17044561+jackivanov@users.noreply.github.com> Date: Fri, 20 Jul 2018 09:48:59 +0300 Subject: [PATCH 27/91] Revert "Update dnscrypt-proxy.toml.j2 (#1022)" (#1030) This reverts commit e6281bc7dfca226cc6d63f9a5ab5ffd490142ff2. --- .../dns_encryption/templates/dnscrypt-proxy.toml.j2 | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/roles/dns_encryption/templates/dnscrypt-proxy.toml.j2 b/roles/dns_encryption/templates/dnscrypt-proxy.toml.j2 index c5bd6ccc..22e9cfc5 100644 --- a/roles/dns_encryption/templates/dnscrypt-proxy.toml.j2 +++ b/roles/dns_encryption/templates/dnscrypt-proxy.toml.j2 
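Review bot: `user_name = 'nobody'` is added unconditionally, while Note (2) in the same added comment says the option is not compatible with systemd socket activation. How the role starts the service is not visible in this hunk, so if the packaged unit relies on a socket unit the daemon may fail to start. `nobody` is also commonly shared with other unprivileged services, which weakens the isolation the privilege drop is meant to give. A dedicated account behind a role variable would be safer, e.g. `user_name = '{{ dnscrypt_proxy_user }}'` (the variable name is a suggestion, not an existing one).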
@@ -41,18 +41,6 @@ listen_addresses = ['{{ local_service_ip }}:{{ listen_port }}'] max_clients = 250 -## Switch to a non-privileged system user after listening sockets have been created. -## Two processes will be running. -## The first one will keep root privileges, but is only a supervisor, that does nothing -## except create the sockets, manage the service, and restart it if it crashes. -## The second process is the service itself, and that one will always run as a different -## user. -## Note (1): this feature is currently unsupported on Windows. -## Note (2): this feature is not compatible with systemd socket activation. - -user_name = 'nobody' - - ## Require servers (from static + remote sources) to satisfy specific properties # Use servers reachable over IPv4 From ca59eeb5c31b11ed086d8aa1d56676c512e3ec3a Mon Sep 17 00:00:00 2001 From: Jack Ivanov <17044561+jackivanov@users.noreply.github.com> Date: Fri, 20 Jul 2018 17:31:27 +0300 Subject: [PATCH 28/91] Explicitly allow traffic between clients if enabled (#1028) --- roles/vpn/templates/rules.v4.j2 | 5 +++-- roles/vpn/templates/rules.v6.j2 | 5 ++++- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/roles/vpn/templates/rules.v4.j2 b/roles/vpn/templates/rules.v4.j2 index dbcc368f..820589f3 100644 --- a/roles/vpn/templates/rules.v4.j2 +++ b/roles/vpn/templates/rules.v4.j2 
@@ -69,10 +69,11 @@ COMMIT # Accept DNS traffic to the local DNS resolver -A INPUT -d {{ local_service_ip }} -p udp --dport 53 -j ACCEPT -{% if BetweenClients_DROP is defined and BetweenClients_DROP == "Y" %} # Drop traffic between VPN clients --A FORWARD -s {{ vpn_network }}{% if wireguard_enabled %},{{ wireguard_vpn_network }}{% endif %} -d {{ vpn_network }}{% if wireguard_enabled %},{{ wireguard_vpn_network }}{% endif %} -j DROP +{% if BetweenClients_DROP is defined and BetweenClients_DROP == "Y" %} +{% set BetweenClientsPolicy = "DROP" %} {% endif %} +-A FORWARD -s {{ vpn_network }}{% if wireguard_enabled %},{{ wireguard_vpn_network }}{% endif %} -d {{ vpn_network }}{% if wireguard_enabled %},{{ wireguard_vpn_network }}{% endif %} -j {{ BetweenClientsPolicy | default("ACCEPT") }} # Forward any packet that's part of an established connection -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT diff --git a/roles/vpn/templates/rules.v6.j2 b/roles/vpn/templates/rules.v6.j2 index df0603a8..4f00c309 100644 --- a/roles/vpn/templates/rules.v6.j2 +++ b/roles/vpn/templates/rules.v6.j2 @@ -84,9 +84,12 @@ COMMIT # Accept DNS traffic to the local DNS resolver -A INPUT -d fcaa::1 -p udp --dport 53 -j ACCEPT +# Drop traffic between VPN clients {% if BetweenClients_DROP is defined and BetweenClients_DROP == "Y" %} --A FORWARD -s {{ vpn_network_ipv6 }}{% if wireguard_enabled %},{{ wireguard_vpn_network_ipv6 }}{% endif %} -d {{ vpn_network_ipv6 }}{% if wireguard_enabled %},{{ wireguard_vpn_network_ipv6 }}{% endif %} -j DROP +{% set BetweenClientsPolicy = "DROP" %} {% endif %} +-A FORWARD -s {{ vpn_network_ipv6 }}{% if wireguard_enabled %},{{ wireguard_vpn_network_ipv6 }}{% endif %} -d {{ vpn_network_ipv6 }}{% if wireguard_enabled %},{{ wireguard_vpn_network_ipv6 }}{% endif %} -j {{ BetweenClientsPolicy | default("ACCEPT") }} + -A FORWARD -j ICMPV6-CHECK -A FORWARD -p tcp --dport 445 -j DROP -A FORWARD -p udp -m multiport --ports 137,138 -j DROP 
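Review bot: The comment `# Drop traffic between VPN clients` now heads a rule that renders as `-j ACCEPT` unless `BetweenClients_DROP` is exactly `"Y"`; the same applies in the rules.v6.j2 hunk. I would reword it to `# Drop or accept traffic between VPN clients, per BetweenClients_DROP`. Because the fallback is now an explicit ACCEPT rather than no rule, a value such as `y` or `true` silently permits client-to-client forwarding. Normalising the comparison is worth considering, e.g. `{% if BetweenClients_DROP | default("") | string | upper in ["Y", "YES", "TRUE"] %}`.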
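Review bot: With the default `ACCEPT`, the new between-clients rule in rules.v6.j2 sits above `-A FORWARD -j ICMPV6-CHECK` and the `DROP` rules for port 445 and ports 137,138, so IPv6 traffic between VPN clients is accepted before those filters are evaluated. Before this change such traffic fell through to them whenever `BetweenClients_DROP` was not set. Moving the rule below the `--ports 137,138 -j DROP` line would keep the filters in force for client-to-client traffic. rules.v4.j2 may need the same ordering check, but its later FORWARD rules are outside the hunk.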
From c65961a1f3db68d919ac17cc99bed7ce97946639 Mon Sep 17 00:00:00 2001 From: Mike Myers Date: Sun, 22 Jul 2018 14:58:09 -0700 Subject: [PATCH 29/91] Amazon ec2 documentation (#1035) * Add link to documentation on Amazon EC2 setup * Add images to document the AWS EC2 account setup * Create AWS EC2 setup instructions * remove line breaks * remove line breaks * Add images documenting AWS EC2 policy creation * Update image showing advised minimum AWS policy * Add instructions for minimum AWS permission policy * Delete aws-ec2-attach-policy.png * Updated image to reflect new AWS policy guidance * Delete aws-ec2-new-user-confirm.png * Updated image to reflect new AWS policy guidance --- README.md | 1 + docs/cloud-amazon-ec2.md | 114 ++++++++++++++++++++++ docs/images/aws-ec2-attach-policy.png | Bin 0 -> 98275 bytes docs/images/aws-ec2-new-policy-review.png | Bin 0 -> 104314 bytes docs/images/aws-ec2-new-policy.png | Bin 0 -> 82947 bytes docs/images/aws-ec2-new-user-confirm.png | Bin 0 -> 78745 bytes docs/images/aws-ec2-new-user-csv.png | Bin 0 -> 77993 bytes docs/images/aws-ec2-new-user-name.png | Bin 0 -> 104457 bytes docs/images/aws-ec2-new-user.png | Bin 0 -> 112857 bytes 9 files changed, 115 insertions(+) create mode 100644 docs/cloud-amazon-ec2.md create mode 100644 docs/images/aws-ec2-attach-policy.png create mode 100644 docs/images/aws-ec2-new-policy-review.png create mode 100644 docs/images/aws-ec2-new-policy.png create mode 100644 docs/images/aws-ec2-new-user-confirm.png create mode 100644 docs/images/aws-ec2-new-user-csv.png create mode 100644 docs/images/aws-ec2-new-user-name.png create mode 100644 docs/images/aws-ec2-new-user.png diff --git a/README.md b/README.md index 6f0b42c1..8f5ca043 100644 --- a/README.md +++ b/README.md 
@@ -191,6 +191,7 @@ After this process completes, the Algo VPN server will contains only the users l - Setup [Android](docs/client-android.md) clients - Setup [Generic/Linux](docs/client-linux.md) clients with Ansible * Cloud setup + - Configure [Amazon EC2](docs/cloud-amazon-ec2.md) - Configure [Azure](docs/cloud-azure.md) - Configure [DigitalOcean](docs/cloud-do.md) * Advanced Deployment diff --git a/docs/cloud-amazon-ec2.md b/docs/cloud-amazon-ec2.md new file mode 100644 index 00000000..63831d55 --- /dev/null +++ b/docs/cloud-amazon-ec2.md 
@@ -0,0 +1,114 @@ +# Amazon EC2 cloud setup + +## AWS account creation + +Creating an Amazon AWS account requires giving Amazon a phone number that can receive a call and has a number pad to enter a PIN challenge displayed in the browser. This phone system prompt occasionally fails to correctly validate input, but try again (request a new PIN in the browser) until you succeed. + +### Select an EC2 plan + +The cheapest EC2 plan you can choose is the "Free Plan" a.k.a. the "AWS Free Tier." It is only available to new AWS customers, it has limits on usage, and is converts to standard pricing after 12 months (the "introductory period"). After you exceed the usage limits, after the 12 month period, or if you are an existing AWS customer, then you will pay standard pay-as-you-go service prices. + +*Note*: Your Algo instance will not stop working when you hit the bandwidth limit, you will just start accumulating service charges on your AWS account. + +As of the time of this writing (July 2018), the Free Tier limits include "750 hours of Amazon EC2 Linux t2.micro instance usage" per month, 15 GB of bandwidth (outbound) per month, and 30 GB of cloud storage. Algo will not even use 1% of the storage limit, but you may have to monitor your bandwidth usage or keep an eye out for the email from Amazon when you are about to exceed the Free Tier limits. + +### Create an AWS permissions policy + +In the AWS console, find the policies menu: click Services > IAM > Policies. Click Create Policy. + +Here, you have the policy editor. Switch to the JSON tab and copy-paste over the existing empty policy with [the minimum required AWS policy needed for Algo deployment](https://github.com/trailofbits/algo/blob/master/docs/deploy-from-ansible.md#minimum-required-iam-permissions-for-deployment). 
+ +![Creating a new permissions policy in the AWS console.](/docs/images/aws-ec2-new-policy.png) + +### Set up an AWS user + +In the AWS console, find the users (“Identiy and Access Management”, a.k.a. IAM users) menu: click Services > IAM. + +Activate multi-factor authentication (MFA) on your root account. The simplest choice is the mobile app "Google Authenticator." A hardware U2F token is ideal (less prone to a phishing attack), but a TOTP authenticator like this is good enough. + +![The new user screen in the AWS console.](/docs/images/aws-ec2-new-user.png) + +Now "Create individual IAM users" and click Add User. Create a user name. I chose “algovpn”. Then click the box next to Programmatic Access. Then click Next. + +![The IAM user naming screen in the AWS console.](/docs/images/aws-ec2-new-user-name.png) + +Next, click “Attach existing policies directly.” Type “Algo” in the search box to filter the policies. Find “AlgoVPN_Provisioning” (the policy you created) and click the checkbox next to that. Click Next when you’re done. + +![Attaching a policy to an IAM user in the AWS console.](/docs/images/aws-ec2-attach-policy.png) + +The user creation confirmation screen should look like this if you've done everything correctly. + +![New user creation confirmation screen in the AWS console.](/docs/images/aws-ec2-new-user-confirm.png) + +On the final screen, click the Download CSV button. This file includes the AWS access keys you’ll need during the Algo set-up process. Click Close, and you’re all set. + +![Downloading the credentials for an AWS IAM user.](/docs/images/aws-ec2-new-user-csv.png) + +## Using EC2 during Algo setup + +After you have downloaded Algo and installed its dependencies, the next step is running Algo to provision the VPN server on your AWS account. + +First you will be asked which server type to setup. You would want to enter "2" to use Amazon EC2. + +``` +$ ./algo + + What provider would you like to use? + 1. DigitalOcean + 2. Amazon EC2 + 3. 
Microsoft Azure + 4. Google Compute Engine + 5. Scaleway + 6. OpenStack (DreamCompute optimised) + 7. Install to existing Ubuntu 16.04 server (Advanced) + +Enter the number of your desired provider +: 2 +``` + +Next you will be asked for the AWS Access Key (Access Key ID) and AWS Secret Key (Secret Access Key) that you received in the CSV file when you setup the account (don't worry if you don't see your text entered in the console; the key input is hidden here by Algo). + +``` +Enter your aws_access_key (http://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html) +Note: Make sure to use an IAM user with an acceptable policy attached (see https://github.com/trailofbits/algo/blob/master/docs/deploy-from-ansible.md). +[pasted values will not be displayed] +[AKIA...]: + +Enter your aws_secret_key (http://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html) +[pasted values will not be displayed] +[ABCD...]: +``` + +You will be prompted for the server name to enter. Feel free to leave this as the default ("algo") if you are not certain how this will affect your setup. Here we chose to call it "algovpn". + +``` +Name the vpn server: +[algo]: algovpn +``` + +After entering the server name, the script ask which region you wish to setup your new Algo instance in. Enter the number next to name of the region. + +``` + What region should the server be located in? + 1. us-east-1 US East (N. Virginia) + 2. us-east-2 US East (Ohio) + 3. us-west-1 US West (N. California) + 4. us-west-2 US West (Oregon) + 5. ca-central-1 Canada (Central) + 6. eu-central-1 EU (Frankfurt) + 7. eu-west-1 EU (Ireland) + 8. eu-west-2 EU (London) + 9. eu-west-3 EU (Paris) + 10. ap-northeast-1 Asia Pacific (Tokyo) + 11. ap-northeast-2 Asia Pacific (Seoul) + 12. ap-northeast-3 Asia Pacific (Osaka-Local) + 13. ap-southeast-1 Asia Pacific (Singapore) + 14. ap-southeast-2 Asia Pacific (Sydney) + 15. ap-south-1 Asia Pacific (Mumbai) + 16. 
sa-east-1 South America (São Paulo) + +Enter the number of your desired region: +[1]: 10 +``` + +You will then be asked the remainder of the standard Algo setup questions. 
diff --git a/docs/images/aws-ec2-attach-policy.png b/docs/images/aws-ec2-attach-policy.png new file mode 100644 index 0000000000000000000000000000000000000000..00108240f74ab5c35e18b72d606890c44edac0ec GIT binary patch literal 98275 zcmafab9`pOl4vj!PHfw@ZA@%qCYac^ZQHhO+qSJQ$rr!5cX#jJ{k^xp*MD_ab*cMQ zojz5k!xZEs;9#&}KtMp?q$EX^KtR3~fPjE5KtcS4yzOqdfPi3fn2U%gNQsCLD%jhY zm|Ok^0nrFba)VSs{n_9=Gi{RG>U)^!5KG8qI;Qy@JsDS*nOYhV6$upyNdXa26crT> zN$5K?1gh9~aAHjbQN*~ydjz4KXYU=ZFTR$UvozC+f424xXOP`(>99~JAtq2nY;>^( z4mLzvCkKpPIB=+1Fyvkkr*QdSf!$SAXoBN8&tJ3x?nu^!ow2$Jk2_aiJN>ecQ23U#H{GXw?!Lo%>WRcjI!L`YR8Y2|G!ry%@5clGs;ou|~IiUNH zx4+^Kz65@`ey9wY4&wHOUMWWVDIQ1TcqyuAwSE+Ps$|*})(sHI=2gWs4JRPsT^9CGJy`nIybz>C zL4!uqsU&f3@N$zKjdu&5H5{hp$1(dOy=? z5alcAaPiX;4Q_6VWA@n^Mj1--AEF@d5Af`9g6j9M#w0&F#HphdFb2|+!DVi`i;H)agFmM{hh z0s1~=IP#jiE!)@)+a#EgB%G)k{)mSz0QZ{Oo&v4_#Xw}Be!&}IdoZC>)m4ufSfr1c zhH)j*@(&CDBvFSvr`dEfn!~aX6|zQd_YH!s&%KdI<80$#rW(e8RE})FvBs}i9S}>% zfY502jE0BL=gV26P!+UBP%WIem{IYDf;L}TcN*q+ek}|v?eBS?+AF6$ET1FE8TC*w z-%t%P^agHjG3VZhDrP-#6}a9vI(KK1xS7?ghB^L~hwyQLOz4 z`hVX3Bm~(B!r7&7b%XnQjGA-W0kWijwDb3cX7+wz$JBEjr!Ntsm7|fPd0RL8QSP*s zHW@JehzTwE{t77yeM-{NRO9QG8j~668}CnCA5nevfulW<`SF?!U+3~A@}LeT_!~V8 z@6N}}uLPtuY7o!*S%8&k@B~W>#5MH-lA_XtV~_>MOOzD=6q6|>7U>fO{%}x(CWVg+ z9~DR|rYJm?qAwaR(kv35v;4t_V8ok*hwZPg<+g;{=)JBbkPSfD`@xAoA7rsB{;Np8 zH{cevGjKS6%nY=VcE85NjG__2or4=GD~w)HUvQ;hW0ql78W9=2`OVZ^Erz~E>4ki)CG`}oNaDIiX4XsYCiL5rPU95VnrL^2y&+Y7Y9Ni|T)A4De zbGC8;I6b+TIsb6!+0i<{*kU_CIN+ajj=f~VPLU1$9zmOMO0LMV2+v5;PS^jBw8GGk`_j_-9cX<(j zu7y5@4TL&`ZG@hLx`#@K7KhD7@uY4gCZ#_lO{7(!0qCVtR?=TmWYTO>^OE#4)a(AL zk!%{(R`f4zH}gHEnvqkkU75nE;(Ym2{RsHg-NSJgPPUKUO!PIYu_I zm6(x?5$BR3K)*xvr7a{zB$}tQmqi?rA7oT-RItxMMny(YBwUm-4j3mNe@ntiG;NW# zdE9b$zOX>6A9qf2Oj1kIFaJ}{x`e$X#fHSj&_vwC@1*9W{V4kgxxu*cqxouQxzS2W zM3qFkK<=QTxYDHdSZoTK&W=vM%DxK8ipVPbiR(%T4-}6f3pqjO###6k$7A)?o!Z!$?U^Ru+F zu(DjZ)wvj2G20GXf3%NxTswGO4j-YPF7HM=xH#9?=Ij`D9vnv3Wl{4iI6qw@@1V6@ z5U{s{wHPTOff{{? 
z_mXy&@N!zZKlffxq3NwD-=NwsgFk=|%d_mE^9&5aJOwUp#?1G&%GZICHx< z++Ob7R~}TJD}i{Zy2p`=$mDl^H5C%eNBj zxPQ$&YkO6yo9|?{)RbLwZF6utaeI7FMbkl(p!QY`R)yEA?U_|8Qd4z`J27%*E9Y)^ zzn`C$nW4wgwJwdT;!>Z`^EiZQMfN&cP_3!xa!PipT3M`F(!uD`a}4k#DZnp}smW=> zvURBKtJ-^^i_or$N{`~Op4h6kM7E^1G_jcO7U@iIH+{73-+J*tdM?&_*A~~})85%~ z>H4als=hMs`27|DpAh|)^_t~EU?yPZUV3-CO!6qfK~TY8eWP^NekXb~7FAL%f6=kj zj+1TWu?*C?c*(-w%1*`*XW-UL@9}&ee_eXeE7@N0;(3G6SJs#Bgmz-t{7fKE znBl(yvOaO`Ka8uaV;nPxEg&zf^qhNLrQ2m;WfV*6x3&@tOQb7Nar95I`4)FiH5jZ-04rFGc(vv*}Sg-%543tUWUO&v||jo=NS zNlNOP8(3`C`V{-PCaQ)Krr(0~g$NaIi)tGs!%scz;KDq|2572@WD-$nN zTvZkpyR97-&E}Ek`3qU9Oly1wVh1Rvfl+1cYg7+zG7=T%S0wDew7ohM-jw0#q7SA; zF{IQ{I1pUcqZ6}6oYCAfA1ZI#12l38v^8V&A1o_E=%Tj zC()DZjK=ZN&eDK6MJE2bC%e}>W@zmvL6736rz;Do&c?4rzrw=VUn{5sDs2He=BbTq zfKL$wc>NhluJ|-JfSI$Jn)7m9<$;7lbS7tFhNr#0-eOs-=gq?O_v4^+F=kWO>G>>O zdVB^q_iHV4@3n3Fn+Fp#`=rVw8jRoyeBDkhU0bRbd&wx}s%x~dio=SY3-ao&)@|E@ z($C(XIS>ch`%%E*u#K#rCm9LXmz@>PF=yMqWMnKpKWfk* z4V-nXoxGjQ_YUtXDLXsr>MJWdm_-N^0}H3u+>4Hxw4-5x9H2rn^MUj-}0*nyIZsXCFH0K$9zZ`)b z+EDgOvyYdwM3;`250$t4nKkD&L;HhpCVd`szJf)Ib%t4z%9_^Ap24c$IH<*BbJBp` z64#>ItlXsTq~M(BgzR+eZ0PvCT7L^-Gw0H5)6IGXGzKr5S}#&BA(8zCIfqY$Lf=gw ze<$^;%eTLGm9WDg4N+&**34n`%vLLK$(ji}w=1d>-HCNwKwKc1=gDJp0XQCb$j9?! 
zy(O{Ek?rc@^XWHAy7DUvbx+0f9MG3y9(6_*0*?>|GMF{k z(f7QmC9A!3Ez@Y%#NwFCjm}d-5XtBHRr+k_vNAxSE8o$PBj9n@*>dt2(ZcYi4+nsM zg6qNeV)=YJ=#c+VzA=S3=6}c3!44J|m8croAE6QGPW$!w>*EEum|iARPH*BMy;an3Zu%Ly_|ibdCEEL3H#{*UL7|eOEin06Qh;0ow?Pyovh8G zb>^zIalr@UtC~N?IQv*HRvm?`&m-g6U!IR`Tz$-Cxn@~_Rgl_%xRy8+n-=k%zmRZ| zD-w4Z&zrR0lEdWLOG~Lx?r^45d(MuDnyI0V&93im|BeKDD72*Z=4ve^$*h@R+viJ= ze4i$NtbuB(3=1-AA#kC)c!xjHdzC+c;b0*SCk--M%cRZ}?zcWSy2B=62vfQBeuRRIX znW6RbNg2PCpB96E=9&uBul4CFWZJ~LtnEY!^!AEf!N2ID#g{iGe@;$Sy0qSeZ!7;{ z`s36=u$H`~w=uWS22j|Ys~!=Nhj+5^VqaFipYKsWXG&}tPXRa+F66~#p+NHj~T6m@Rr#M0M<*prWOC9JnfCbD{T_#w1W5R;^ zo&mQL(`&42_%_@V@5?FK-3YuGX+zW}hmOK#>t&;C)ZThZIa zL(uqkJ#<#%b!1O|Tp4-+j%C3C>;WA%PNqcN`U_iUM}Y9K+3!24AVjAinC182UQnPv zr!8t?0QoHBF(J7m7_+alu$=%1DOM^tyRXRJf-NL(2)Z~= zu5#SFC-T_%Rjf`Y)&m|*#N$Y^p}?-I9gm$@>$58;FPeT(4pAveJd~~|d_Kb+HlFN> zq`HuB+`E+g+0xlWTqQ@4p&wJ?9Z3Sh0#t**1FH-#mIVJ4^~|epRQO>5nsz2mV~JzhBP+lQ&K`~@QcX5dc3`r6sz-xbbI8i3 zWv_9|YUPOV%yra!d}z99PS;Z6nm$q@^MsYG*CX)!fajb5l@TQowI5px&l;6UR3;ob z>^eLu8bi*t?O7rJ`m?AoI1w1oezq!thgFsqtZD0fau83_aH=@hXIibU_`OZ#xC@bLEQ+sOTkY|-Z5TOLW$Lqee z@CS~ zNay$aD~X~<#T&!AS^ygngk=|EUl1*ou#NymNsy=%lFtA_(*tW1_daAkkGd2#U8pXv zQ9)%N!j~`1E8t+{W$%yOge!_C zy?0`+G^Z?3P=&|@iQ+8sY+TZ@(5uh}AOtx0p%M%|Y&(orENfzT+(Enji`$;Wf-{44 z!<4i>fisf}trfG?r1i~J%k2V44UG5>^L+*?33?@zHH;ti0wpIgu+X)T?Kkglgt4ty z0`)^hdqw`H$E@;Dt-x12IFl*CDrY>TtpRrji0$C6VRmv|6ZYe-Wd6TN4MTQg=ju(p3nkG2l`>UCW|ynyuIR~FyE0ix3>tY(7!^F%iT1J6cEfx@xYCuaW?k~# zcuITq1;)h!PA3jqI%Wps&2r=5)`~SGo(sXHTj4!$B4OUT<>Uunh(53P_s8#S5z|!i&U2}{Ride!Mzniz3kagrukBZzvce%H2W*ZyM zLfMovI2wiwlCYlFCMJ zPeD>}5JvEd3I`*QU3(Cqlc$qYk)zY2I##?T0Nj@0*Fne3tLDHrLB$X3b4FRd+ngQ! 
zPXY$c<=m%POYOh)gluya4M&ZivfRctR`iCyY>a->yIR@)Eir(A@VavU?OOeIG$eGj zvb1*KcI6}f=M3(@{eOTNhzb8W#nFO~SmUPxp@@zBZ$dVDR(eKaei%YRLSFk{CfrJ* z;{Qqhcf?0*=ICh4&A{N|;zIAjLT_Vl%D}|M#l^tL%)rb{_jd-JgPXOZp(~xW1Id3d z`7b`Aza5P2&21gcZLA6Z!Pn5p#>tV7nD`%p{?-0N&)=@*|1HVd;Xlp#YaqivFbque zj12$c{g;&YA5d-ubJyRN8lvV_zpWkq%HU^W;^g4{C&B-P`fri{MymPWq^#`!gYw@n z|4GTq@DB_A&7%KUu75)Rt`|QHFT=mqo*$<9fS48pL=Z$uR7k}Y^fC)l2X*CX#7FX` zE8L&ZpRjZljRsq0aW%m#pQ-EQMX#LUh^%YpD0%Ol7S(r{I~yghM$GFZ;;~34>pd$|BL^B@#yWR%m)A8lrR8W ziS*S})@Ej6>dW=+V&rzGY=>|Oj%lHwrlz(dV!`pT+z2A@c~RwVX=oafx5#UXCqAWxm?!MB)8<#DR*IGJ3?-|Gz44dw^nA&-iB@@8I^@M=w@fMO8JZ zKi{aeqdix|!v=7(fFc6%I3Ob56M7#Gvx&}!DNN~f??|jxsmGw4%4tn%BHOLYEiaJb zC${rJsE;G*UoCMwE&Tg88NW^|=96=?#>3kc?pFe*JpJ-`mXGwTfUOBlrcL!$B zC;q>RrERZ0U;*DRezzJQi$I;BMDY($L1yQ4)o6=fs7TGA+znoVq#^utFr5@JGsb1JOt1 z2XPWlQ2zG^04GN1^$k-)Wh+F$Lnv!^K7(Px`#PS zfqb>zB;w@6mUf($s~%&UDa8XzBO@c~d_%5};sk>th}3)ul;MU^7DNg(pm{TjM#Xr{ z43&@NR|5MQ`QLX)8Of~PL`9?k**jCTwz)Yun&%nUm+{EK*c-(WhA-|KCpbyD)vqQFjd=Y~L z4rw4N@AHlGLsxw2;C%zp_CE3W`HF;?sdwethUGHjckX^x$9_hT>)X=FU2m65e^0^9 z)V$L*#lOOrEi4Kn8`}_1O_y(xzPIQy*HV0rv5h=JrT$%1;Ub~8?7`n?*Bd2~E0wNT zeE59UwW1%$36rD1(D_8q+`u4RP*=-1k{`3vKU?|92*NOsPP|SRx7}Wc~un^9pWz8L55o-L!$WNMF5Yr1W4L@*W-9Y>dP)mdu7X0 z-HA%&`*RkQeG@CDsdYbl=jW>MC5NQdR)Pcu{XoE8wBQ-lrhqs9zE;btb_e@T*=naJ z`(|X6l5X_n0uSTY8ABSC@ZECC10vo&=n-rgV4sTC+lt>?k`*F$p&AYJ?i0OuUS5D% z{Z&!0QCsZu?S9mh5c1y~Q^yAEd4~mW&#(_uHbYOBN_lJx8Xl%M{da^dIUAnEvQ6Rw z*ZnggA|fsf&mj@Z9kD%{NHiu78hDkQ@!a|_yXeEnCL~0z?Mw}jtWH!>wtZl#S|8lME#0&ZtB258@J>GETSZE}cY(=^o7d%Fe< z`GgEd=_DTvlh5&EDT!HCbk;abn0V_RB4%P|{Z! 
z6w^0Aw*b{^@h~yA64T%B9(0fwAcoBsH627i*@p!EEV^so!nRKRmje-k?RSiNv6LKa z#q=;Dib8W5dA$sjJGI&@vzk0|5HlX7t<+hJxL0Zc;JdXOF*B&TUA9tyGg*1aL59jE z2Yq2(I26dd-(of$Fs||EJR@jtN~u!4X1;x6+a8BYA~CvOSbZ-sc&4g*L#*4)(9P1MX|S@O8g<5Ft3=it|UPa8RwUin9ZmDv5>iB>5_rBplxF zhkV-;2>&TCU*k zb78JlZX@uefqeWjo>~_PYtz$DM;YP|rDl0a;H-wU6pw_Q1b4Bb=@615w z`H$yGK}ALA%uHNFw%nM;3thV~ai#hw*++bjUHr9@L?xE<*|`HHi!OIFPpOZ*TMRa% zQ^GM?Mz*WUMi68z#UWBpWVy59n6TvWk9Iejz~RLz{6CXUBq~G~n^@mOe}I*{7{8BX z)ZWzb|5{E&NJ0tp79_ao>8XpB%NdpwKHt@Lv92~6$$Wb+*7}Ds~gVDWbCoN z!UHUBLi6{H%rOQkyLR@r5uBx?ro0@8t}l**_bYp9?>!NZpPT}?1<+?^J|vBmmL0&7 z-z~V?mE4&87K_|Mw;oaOUv?47I)OIh2Q|BUc6_@gG)IEY{rsNq^AfAost+0WlQgY9 zuAH5?Y{el(L1~P2*16`en=5-x+)37_E#oi?NK#c6{S%hxxYBwt2f%g4F1C=iJ zL*)wk{vN;eC|5V~g5Ia9G;HcS1Fg63dovntpTNxv)ZRL8T8IxB$}E2>7cJruh48*rT`gRm?(&qc38+mDs0r7AI`n9|Shg_V`r=a>w zl1@}|mm1-1HW$b2X{hv`sEWGl1ItP*Ee;Fv`z1jH24i){WjEuP*1Msu&oLR^IgRE+ zG&2G})5~t+W=c;CtgGFax&Sj2r+E2T&(&R!c1O}{aJ<;p*#G_Rsz5?i<0f7#siK>o zKrQxIF@AU0c}I3}HzA(j#@)Lzzf#T)%i-6BjKOMP+|1d`%f*FM_wlFb&UK2tF{{*M zg-r@Gw~fwiLiO6BrR1h3g`@^BY1~xU+O-;mt))0_N4cqHng{ zkmn9Y%(1ZWi+LZ|KiQ~$fYC|M7_HH;np{1*=e^F`tv;-J>eo6lj5A!0G(30Gw2dKM zl$Qj*NL?^1sR$+D-d)&)~kq{k$W|}QhBe{VqK_vM=>YCG&i%)LKg%g zN~Hpz=}I0j>PZ*)bdATT&RSCwVCz0i{=9N!%JCL-1oFKh>^Tb8|8@S3r=MAzYTe|X zNtGW?EM-RCR3%&Eag(T7!J%mRUu~!!1Y;t9jF62GEQcFsA(0R;fX;BfL!%?LpGi#V zA))BAMS$@-r^kV;8c*@Mx4WDxRa+;QqBro!ZlC7J%Fa!&YwKiNZ0;XOq>};o5hQSlc&>DF!>I(1-fB{BZXO@ibz$Oo1DaI>|zc$+*6``UJxeT zA1o$uNJ(jZ!<}_l3&gvGgLgk}@NO4@E4FcZ-VYSeOOkB%Eb)q##{qJB{FvS|5y1ER z0av3c#B4S`OZ^_5Y2N*4k0V#FGy7l*EG8RBW#y>@lRxaJA6`=9#Qv|epVGO;#?LpW zgzq<19lK=VsJ}?K2u^3mV1>LWb|)BQm`>}GFz+@;TzzzMOI3YC#$_k{1ZCYml^b0M zs|9oevm$V|7_?K{HDpXu`fHbmhoR++j8gwx*U`(*)^-5Oi_}bjyCX4-o60N@cKTJN zkv6WZTj~t$H4k+@qQ(xj%LMhigpP^ZuKJtt{9c z!Ct_1^K`nmGrs>zmKZ-w@zreB@W-TTjP{pjU_@JmnotpY02+u@S|h2SFM|nrVyPg$~NUf#**Xx=@SA8^L0>K9a|{AYd2hxV)+pe zWbvz#o1^RI=-Md2$Tb?QU8Xmtx2p;3OPVT)+XjrM?Ku21KOYjp=K(#f8^DLtb&sIc zW?w}#mQfl?h#0>WWiL8O<6Qz78WMfi3t4oiQp1d@#7UgV#(-BTv}V>YHW?z<{NvJ%m8AKArZPY?cgLv_K4-H 
zUQXVJ9)oC>+-LS`&oxaY<#ps5z!=y8TQVO55GW|-#R%cB9I4?6^(@)Ay(t;l|KLDj z3SJ(Vf@^YH;P7mQ&|_BQUy5% z9oU{S+&ewJ{aw#wS;?XK*qODYpD~vlp5`>fJ%ZoGc)b?#&L_lqmmotr*9V^6c(1+z z^L3VFT`PTdgJeYBptp1^^=;6>^*Mpz_LhagaMw!tc1`_jAgI!ElmEawlKf33E5Kf{ z2+?TE?pY+2^}$d!5qPocK!xV<h071BKgu2zZqGUVorN;O+x}uM z!zK0>^1yk?y^HKNO*X*4Jgq^5!2%`40(C53?!N;fZU^GG>LiPYx-=o@!j6NGNW@3K zJ0etHQ_@q`Okma64K`oU4#sxbPv!_L+~NIrLhh$TYxcUwe@bQD`*dp^(Azk?kIJt!8cy~tMyiYLiB^p=2|>+prAg5~MJ06H#+=IN1z90V%k_nt5(W768(<*WYb3PP(Ch0Z-LnDT-A`rAjmlXoH5dsV^uqddtC*~h9uyG+B=|f- zcWAFzL7t*VQU5WvCPfeY%Ocfv>ZOwr+;o`F5!vs zjbBWawb0#nzfMz}9`1l%jq0li2`Ofg<6d5o3ivwF+k*XDR9Fuc{F|pJ%;K}DO;%w~ z5>93}Qh&N=gRT7zEx0%)GkdV@QfE2U0<@HY@Jfpu*&4{{Rqy%mSNGwU)qN5psQW=( zm6!9|4_ISz;1}cFw~rt&ETuJ%cKP*9K*lKT*fyray8&Ck5-MQ^T3C3 zkURm;x-E5Jxn4w&CVDD!e7Dfa_3-)!HQ*G@SJ?-TH0Zm!mhqdi-W|9D1bVAu@93Jm z!M#XM?_3(XADP%F6@BkbPfc%RD17Se9Q62#tAe*_m)_2Ai}9iSVvv-Frq3wJ3Cpqg zAdQE|5sjC}65#pTDK|Kl0Pzn=ZNIsiPk(Sbp1WQzeIybBS?^x`aT+ztyPfI2E}Jjk zp)W7!oGW@?tCem{!7~|scT9#4d;C5T>w#HYkHZD8dIzL*>nQ{dupZ|kfderueUpq= zLjYhc^=p|&L+oN@N}oT#PdLEOKm9XL+}wjw$x#V{sbv37aInku;ce$`JV2f(ITe7< zqeorg0Z)AMfq-7~33`yDF~>SZS;qRIuAvgS^(&l+ziB{>d4mO=ej!?B-F zC`W<0qA}HP|FjYU2s4UUgS3t>*hn7-xJ=rqxoZX%UVD8~?l_UF?gA2~Au1gfD*G6N zDLd^`r+HB+AHXdAu*?C+!2&=C>QqkdYK&{+MmO`U9i}>ge;%g7_gYy%czIDiPc0)p zQ46IrfZKSdK0#sUSmw&r@L0QNwgk7$yo|K;1zw(>TQFUNeSPyM?`lg5`qf5@O$yAS z8|eJw1;MFMk*T_;^5;*o%05l^RFSjfS8;)`%R>r9tysSW ziRaxbimwP@UyON>Dz)VcP&d(;AksIT)l<5E_~?1=r~SEao?N^0S!tXi6>_BL(wJ)i z>)NNI)1WTOSJ7B*_((p2{Ja-IDy0VT7C6&2D7z-dM=6`(GqWQ%QroE6HcihVl;D4dX9)a8Ou6C=D)woj;#~rT2MHamt7^a z(+GQ-f6q{XlV?6d>8m?tou1_$D;95vPDZv8HuIvs{%*^AjmtQgnaFy1yB>a(io73s z54K(x<1Ls%B*T^QvJ=%CgQ^2x?S`?n-G)GP$kHy~(uc`vf?Nz2Hr#VUFbph8XG*f* zWnN+tMA3+CifBxyAWJ9K>PgoOODl&(KRqpLLr`Nk`MDA~kJf_}T?_zePQdTS$>Xrv z2suHg?~k_Hh;uv@Sbd!OGJI+bgCcz>a?`&`If8y7ot>o|nHx}vjd{<+Jv=;2@TJh4 zXP4$l^0yS@V94YYL&#*IwYoI0ZXwW?Gv8*^3ozZg&Q4F!S?}J7vsT1m?jkzk(1f!r z407RdR}b#3(Uu2(4;DX@Qhq3H@@47%!P7-)AEVbWC{ zA!?++d6T>Vsxp;x;TuT;-NoHf{v6*c{%wFoJRC1>V-KTBS>8Mh>`yDtU2I7PyY=4Q 
zt%c4zCd@@Sfnyz7p)~fXmK9s%=g`>jH}}{9PYeuCw2H5ZlDXA+lj4=HAsM0Crn;h@ zgZ7^FDo$%73;NnLjoe6FjPn30ey>~}6FLpybp>-u%A&~R=u=Vuijrm2@jd8rWzbdTO(JdkO%_G|`1d$smXelnf^ zEO;wS_t~mBPiVGfT1!Ydyt{foBgZU*>MKm+W!x;D@M@Ui4VUsp^H+Gyd|}+t-U9yi z_BOy=UX4zd(bO%ym_A-LZM3JLd0V zy>h_Fcwe&AG|12e1rmw*bMO*+fzkV1gp<5`zQQ7bKf<9+n7&k-K@mTJ5r~8lppf?^ z#XGCt5L^$N?H@)O8m`F+yR8dhIJ=mp;U+HTFq!-7L9Uub0O;PoFpT$E=%}Ek5roIX zaj-;D?2CG_dn9iGVoqlsbW5an-x~f1!IsV%5T*q#p(UJ*amHG5Xp}C=Gcg>bXw6L} zQB}WkznE@)PN=_|#?J;cG=eiCnDtDSFYUwAt^O@v?WCQXPBh|OXjWD1c6XjoE z3c?+?W%7xZr4ouheQeHIqgz!mzmjVM&^UV-WPqk5+2O!wm?o0CyG+wIU$Pyvm9?xr zUm=CkRQQ(qZNM8pqw*M$JJ3Lbk8fB$hjL zXzsAz*8-rx25<#rAwx*|J;d4Yg?a6D0$E7^g3-U|lkXymfy_JEf35Sgi%!)lF}-se zp>{FM{j;GqwlOSFT(QKNr;bmNLW!NEX&)tOyC>al=D>E{eUoPv|3*|I4mu6?*k=Bd zsO~CKNDfUafkQje-7~!z#W|IQSp$VaBE(}F99?T33GWq!@ zztwh5e%l|M$hCNE#w>WxANmPtdv7*9AtS`f*mwc<@X|?WRedm3VH9qrBhRn|gCG?5 z7-9@BkUM%IJRLks=W*AIxa5a4(lBII0@n(!-vvo9!A+uWime)dv=tcw{~R!Rz5=Z% zb-19jc;XH0wjr)OIRa{)ViKxTrnt999n^Ucad0dm@z`YX)r6J84?8;xY&@X!y>b7o zAZtqp&HHleCCQxtu~*WXS8G27(b~>wJiVoiGwz(A$1)UV<0DwVp3KfwFM262qi9Ce zO@VPR!#5^4t8@AK1Q&_RjZR|98}VD)XT)LaXH?`80jzrUV0cT8(DhgW(0xsBY$_b< z!)&{fuzLZ9pxd!?x$kiFL_^vFw#M-A=CO+lbG8o-)a!Ncse?e2BJcDUd6^tlyI3Ur z@7~G_(s$EJfufDQxfSvRYgMYJYhJ1&6dLOgUnp}cL`GZqY=WDJ`P8mend8VK$0;TQ zkk{bHevyZsUXjL!_*(zAa$CHYAbD5N3>VL+7JSSoKfH|rnpzxuty*00P~G?L55a!L zS$kxnfDxkJF_Z?gf%-P2reVutKPF?5J@FL+uPas2S-{%U!80;4Q9QE)eE(HnHWU=T z@0Z5`d>5Il*Q{Pd{#MWF{z!l zLw#y7rjTTQ_# zFdjE;tum40vt5attt|##CT41NSstIk@w)^$C>Yw)d5U=5P1$?O3P%oxzpV*pO4n5p(Si{H!+{Lr8rd1YdR7t!-qAxL$AK z#9o3eQ#Vs2!pbj2TjxyL?_f;JIP>Q(mSSp(8h9c_^B0~mUTe`bGo`^bOf`Dzh&iB% z8FKwKf1n{oKvl|et5`=)ov|iaQZ!oQI2b6QKX59+wxYV$nD8{wVNO@_)?7j75`Zr| znRU0*mf-vKhK(SaU~_S#e3+eVLSeiW3_jnMokP{!_4#Aj@e_T)Y@pB# z!>5aF2|Jnh6j*2N3`DaqyoMAtjkVX^Ykv3oPRKUO%YCm$p~1LHn>^O@LIGhuk!j?~b^E%LlUq?%1?i9XNb;H6NT_3g}sb>f9JD~4wLFN-tDM~e! 
z#vwJpGi>%ig;le+#-9bmczd822ROcxB}yel{EYbWJ6T2@Nc4>9x}9R4Jf(XVKNGRO zXYb^F#2ak=^9|&chQqw_#kck-bK&2z6h=EJVGKro7WVP?kHzhW`PJW;?=d+|>xxIMmIP5vJA6Uc)~{}* z<545?DJO=C#6^nw*qH(F+(_|}e&nq%De{i}Cq5sL#v+f@IsP*5#ZINTjBs012aKkh zG_Ce06&fF{25P=V&y#(o7_5(pEyJxgUtscPIWaoS6iwHQQcn(Q>CJEmG5Wru2t24f zKZe$Aa)e9${SfPit$~;<+k8+S6I#eRLkc!Qr@h`?qnFKyB?;4`18JPjq~tLKbXL|x z6!wAt=5kh&1`Fv$g;$4xRvk}lWoWRl4x3EYsLt)g%+pFwBqq70#Px^l@00edsT8&w=Rf2T%P(+_ zQi;Qmua?u-TJQQYpApVy@5ZFtFqxP^#n(`x!#LyRwbbFE%}eVm29sVN1jZr)X?C zi;c;8t-9(lhoE=OUrQbYKk%j)M3XYzTQtH5xC2p2t`;&%>8@=duT%O-H9gmbNQ_=a ze}CI_K1&9SV`=Em)Z$VG^9J3BXKJ+^e4+MNcykAf|5tR#1Y2ux0l4Ixc% zo`3y?@-BT52Rqb`YvqCpR)^%>3#ev8^xy7S$&fsDBZw;P+jx_`)z#T(@*-K((beWWq-j80^k3nh(vvl92aLNC2a?P32Dj`gUGjk!YfY)D1N@hk`nprW0kn?L6MEn64NkjCw%I7Qc*yPlrY z=rYne{=n)ko--Cl82)6_rXC|3%;>7rzwPIU-mQJIPMcI4D+A?}|Mt(fk>b8LiK6mq z#Ag<0OimNpw6nDZ0`gZ9BxR@@xlgT;wIzk4B9etX6gz~(Rsy{yl(j73y~A9qj$+)P zGp18+GiLXxv|cK~ zs9kmWKH;qo#Ah;w&;G4W$~JvflnI(oYw9>&M{Zrwed5D5c zQqvRD5rs*6{~zw&DZJ8VYZvZL$LZKkI<`8tZQJhHwr$%pwr$(C(Q(qjpLebATkGY2vQPH4 z59gfEtQx9ORd?ObsOfRxmz+Xwv9!o8!C{rf^3G|Sg>cbFm)AnqM#VSGoUI)C|M316 zy?IQm;Vzn9nO63d-}r)M_r})Z9J5h;N#Og0RJ_i)DIW^!ZXrEY+F^Q1p30FxIXd97 zB%OMdXNk8@IbL1)aR|;mi5;7T+2yZW%MOXOm4)nGBuOiM%jrkQ;Ym)ZSE$r~;9Aa1 ze2surmwW>Gw(DXJFtw{nb+p&4y;z`|%1@Jdrn>d3vxJE@3x$X%y$^@iM;YNopuh%a z3*3AsOI%YADGKBc^YG;y$0vFyLa7|Ys+~Xbc(>Kl{tO%`}338OD+(Ros(#y>Uv>8C2a0cw=lT z!lXR|L)<%V!)uh9W&S}m6H$pE6sM;b{os;E1MYe?G;A*!;Y=FNEm6+EGcA=+7Xb(% zJ0DSYOAHk<1IQ3Pi)a3nh~Uh=7O+|o&vkhA$XlFwe2vp`)x($?t;*Oq&GyvsEp1}H zycr>$Gy=c_2b z$_%m6XpNEU(eWk;Pu{AJ#tXi-lRbd^MBGEaET>tMV56r`WzUqlH!!e!@pl`Ct`F|b zR-BVo0MV1_`C=>Bx#xkm7tJFa_gh=e6Y{zN(X(_bRPUJ7&K)udesfsM@blz)J0p0L z(AR$cSMSQsjQ|b;{u5?T1ki0lt~W_5-Ra_#%ota=J-&%Pw?!R$ZxtppKIHOI>R4%` z9I^y5E+QnF4?ZmoBAaEX4lj^^75fSx6Ihzd{)d&eU*z74_M_hkkFX{jS8ihZr;ad2 zUb=q4$K45xGSTndi-U}ZFWkSu+u8lV0PO0m(MD0u#qcqe&7K>~iTWmT>Y?AW{H)I* z9-UowJ{T_F2ua~qoi2M(H$9_9Mn=pxW6am|99-zg0aQAM7JWnmj2BSM4-Z5#@&$aX zE)I=#)v<;GVi@!LM0MMV$meqvjZKquK%NAOBI 
zJxKB-V>9z59EH)9`^Z0uRm2ln1$#8xnSwL!F3y$w2H$C86#DFs-3@*t2G#|Cda58F z8xdeN4O?#h)m=zNQ-{LX7w`wS{QJWez+aZlJ(AEL`v5Hby0UvJlF(oVs?}aK)g4Jq zrgXUR-pW{l5Rpe0QiUD7yhMY3xwPC=ksUXS;Xfny&&=616<{?%v;wTys{-tU3cC86 zob&g!p`cXEr_@+3q(*!T(hSxtgBg;sr_kYaX*M8Ldj%*jmfvqS|3n40WCbdx4sY29 z|LOfV8vGA=SS`Z4y1YuQ+_ob4cT@hKWg~^Cq7@VM+x_$R|K%TBh<)&dEkcthjQ@^e z`7g<25Oj3oV?hT$_?7>m5dS_dx`0>WKSAZKAkipK{PFwWiJwjQK|3abj{Ijk){%Wi z5vnKCs!0Dwg?L1}2#JXcg;Kg~e#f)>uQLBub4m$V!i=;|abJVxp9KC8>_aOC&i`|P zKCCB(f%VVEGm!_P3^$W+(_sBaS-fLEtQY^C<)4i=RS2wtHecx6Z2Qk@6Ma~Z%+&gy zjh8L?5exvypSJt|91UV0!phBTvHYW~JZT@nppdq+Kl0Df5dR@;L4Nl?yU2%$sH>-# zsed%#pQGXbxyb#0El`X`;?$`!9mqk+`ptrQl~P)AjkEBU>PGNNqg~HvYbq4FR~W!! zGB{H;%?&*vBhyEGSH?hjISIB+m(R%G3PHY~F^tYv)jbGL(rO>SX~CkkxTzTGfpi9o zJg(IKcyL_{Dr|5$9+M^1rt~W*0Q=_JxX_wiQf|lf=OJJT3KU>yMyN&EeO!h>s6i>n z$An!g9^=~l^)vMX_|KYxC~Q6si|P4QnC?tR>$(mbL5lhL`Qoy&crLU06+BBLBTzd# zyW_m@M)Spc^Ht2GrTK}Ok*{aVZb(m|u0LLYrf2gQvl9t!46t@ai?8L$tj}mMea4Z9 z6_GQ9HQZz8TIXz;$8c6;r{yCTqZ|l*lOpN z`?<6L1fj)I)@!{FcrxkbIdT>#U%5#8cUn+tT__`D{G$6Oyp zL?9waf5P{W<9j2hDSW)>vE2i5ytc8Sg`j~>;l*gW7&SG2+cI6#&w`#NOQP&zMp;8~ zN@&+3Dbyub%rn!gr>D10&#OZbvA8yYqoj}oN1>)Vj8LNlcm*vh%m68KSkL|W1}#*E zNrn68Y}W(=kv>K#l;w24^Q4WSMjR|h3-3!Q8&xbl=f>#^M`&nl%x}W#;^x-7yxgqC ztKjj9XylfgPD*nEe;4Aa&VHoGuGV^Rs-mr^MZObokPg1EaaBLUE7Xxn=+7D~PUfu~ z9Cv{6?uCd@#hW$!kT(fEWhcLQk^E}?fSFCQ2J&ZPe#DFkj1RZ;p7{=vXn^mC7!SK+`hPu`QoO>!id&H`Cf5YDawf`-)K5NDU$(p`uMJKASK4fWMRw8x!L)brXf;_;EvZ7s$J;cd^1xhk^B^gQFAl5 z(J?~5C(BM`hzu7M6Oci$rlC2lV3TJA35_r5K&dp9o;1f zss#6YgIXK(uN-0s3r0%Hlg2?sWaRAZVwn~v;LxSj?(SuXhPlf?zMB!#3qi(+*|r>4 ziletZvJ2R|{(ys6$uG>sOx!ZqJNFXr%wxYt}E5ke>x8D9c29r6dQtNZ*7W_%%&R zN!>@-mUKptBf%LTryx7Xd065+8<&K7!WZKkdm4Q&I)NI;wlh>D8k4*;Y8^OLoMkZ7 zyONle7wVLmYW4QDd^63=(MxG0;54SL&tx!s?TOStwZGrm@rbr-7I01a{(^NPb{+G_ zwbYsh@O{yN{u(NsjPgk*Y~umAzqj~Yr<)e{S8!{~aX`cZ(F@1^-d@-Gx+Z-iLuyGt z2pg_^t|xvp!dsCV!J2DN@d;MC#9WD>D*pE&T}QDHWs?^~Rsgsu_`@J5wF3NLyFC1b@7rZnmIc*JcN z@TjIbK(01k2qs!nTM;fj3E{aacnNx>N>Gs*Thn|a(Q&o1>O~o)+39M~3?3z=l~~MN 
zb_3JD3MPGoJkI!LaHe>j_Bm_JW67P8KZYN*p6?+BahfK(qEK6WAg{Fkz8X&#Q|Vla zPC|)jr>H+9^?Rjflb4>;m(R2Pd#_9FhxyaZhI&R()a_vUG6JKHd}Y)VUE1o61a!jJ zT82wB$77J)enPq?D&@a)35&Q&AdRCg`YMu z3Y4GsM#%c(;@l_AhsP)fQXU1{f`KFal~_xcTi&PSd8>cj{n-W$~HnZLiU)v!L<2YwFR6!DojcQ=0FZq=U%i z*(HUAUkf049c52&UarhveMw7(!&%DSJ;QwLekCT(-icsQm>z-{7L$u~g%+HiA`67H z^{a*~J@&$~q-s`Bik%pUd6u5Q3xs?l@3Yhl=&i@fsUL8T$0l!a=5M2~&VBGQ;J}_X+b% zpF)!|$zVU1|B0okw+Tx9Ox)v|cv!8A+O{FJxv z6;UXuHPpKZxAbu9+FXZ64p3!rc*LW(m&bU{ZxXiyzdQFZ}$y#*Jr~M_S#x5`}1MEzst>i4NCgLqd zvp5qWovSU#A7VwrETJr92YCfHM$=taEyZuv?O|KO2SwqHj_}})M_PG&MwQj{j?ae= zYXiN~JaP;?W15j3>kTKen7lRoR^CQrY=$kSRAO)R*{TD%vFm0P=nQXEvkXvNI zPXRlo3-R)YqPt`QvbDsiNwIj1R{M*R3&3+6V9%amYb`DZI%1Ka(3ysKo~LZiW2q6; z7^+Gcj^7~;`s$MU=2}kZr7l*juCN9U1i#JPop^zi6xm1_{Sg4M5ZfBnJTz&KT`aVi ztI+reNDsYa?Q?Nu4{FD8L^ZMUZ2|yU2K+hrrb4b}_2|Yt@P5mi*-10q2nxw={)Aq5 z;_$YQ>kX0mJ6uy5A%SqLh|#XVGjce%%u4oWbUH9(AYh8Gsjjd+8V)1+I9K=3JdXii z9&@d^>V1B& zy!!S;S6LuC7MY+l1L9vrPH^)z{SWjWF6=ceo$s)MLOk5}?WC=^?V&`wq`A!l$P6MK zt|SO8Pc|px+ZC>XF_W16Iui#dq3#9!ydx3?Q=f?;=F{V8m+DyA;r<>L z8^UZJ(B3sp#q<#mvGVBK6y)YLHQyMUDNJ3rvxc85f2^UBAzqxn>>HYfJDQA5%S6h5~*x$)U$>&8pT0)-j0$0)n# zC(T@r-hxqSw+-@P%Fq~Bj9l(iSKb=aEolKj6~$;`1JSHg2#dA*?g?@D>H#{MnW$h*kTA^Rz*pI{g$!v`PzYg)Z+|mOk{%*St5F=wG&=n_ zdTrhIyjcM!Fg#pkv5AY=vwjN^x>OLi=OxPZ(4!K7Cngoh`5fLUNy9OtZNfVS$xloQ zENcsG1Rm0X?bCwHc&yl$IT2fdLWngFC6?~CJbJZ{NNc4CxIj>YFj1w_s@{L@zl%cIhqEhvDDSWgD+>kY%U&d_x#yO zs1Q_ba0~sKC@iE54Rz@qks5t{Ck_MtR#XLeVo8%T6tVu^S}pSN#JB-`tin=3&D=ud zz_Kk+N}lWRWoZ)$%}p9niO2I%!i(Rq1Bx6q@pz*s#peo<)42f1_o2YX;TidG0>>jU zFp7J95K~cY{&gwe?c^tB;)69mvHjN4w?e53!or!L0ek1rfW&+$!$g%RS@7IFwKG3j zvuLek@*?>?v%$3qf=?OsM(cWwlYJ|Nt~~?E`JK82(LlS*@PtHr8~l$rTvIiKdmAG(i1Jq|s0ziX zuwu<=PxHW!y}l@c*qN&nm7j^UiAczOC9%e;mbRocCRJKk6U#aP+8}qnAhHTSTUhx_ zgd0#oc1Rc-MgX51=cG`Aq$cYK4&_+hD0mrcS;bZ@&y+E3SVlT84t&;PAJlrmcb?Zw z;|i>%D;zqJUF;Z0oZ0Hc?*S=}=Mj(7-X3kslcy+~?h*nlwn3Vsxo+Q0F@<>&i=Z)0 zHBgUgX13BD@3{Rf0a_9=h1sa2C6B*6!Q&`fN9m}Ttco=} 
z3GA6Hxc_O1aEwNB5h_os6I5jo9VQRWrz?!pZxp+}I)L%~2}A3jxusX+BP2$IP-p?*)AVxAlAeEUix`t4{<8&9-fcC)FAP);3PVk%Cqz z^z-Icnqq{B_N~6yWGO0MLPA3KTDk$&t*PkHq(part{6+xbI)J~3fuVCmIguYA3wgX z<1*F*N>PUy>kF91i-h#ba?XpEswuMSJjM2;xvtI0z9FXLm$P<$5PG>fhwRgwu`@Ac)n5ky zNEf3D_iPDnhE$*fO=0T&R;c|MTRUZ5KkskpiTD}tsl^oc^ zEvWID%J#N^s95Z=k2)x7J$2Q_^E04KcZxJoi3EQ<*w{KCtP-vEQ63fA^4{D)3ysP% zdo5la8>#5PO$7~r6FIY7e2ESbd`Rso@G!PNUqL?SJkzzk{ASRgLq)iP`f6g@#OMh{ z!x<*87Bn;tB%2cX2u1$Y%nF2p8FwX(LR82lJSO>@hNz$8 zj+u&#LcwxUyXty*Msrzl3}z+MnE~UE>F!CGke2m{H3HhUG(>W8B;U`?@bcFqG*SQ^ zy=@ro&jMs3OiBXOZm-`CDn18iVtMN(6b!XGL!i=6Y`;7~4Kc}>l6CtyboQuL`)P`g z&f}DnfKa_S6k}uv*NZQ5R?dVqoM`>PE2tls+8L68S$ofZ+5y@1Yzx`K&pkE-y2!^%tm6p8F$*qama>>pMiw+1ON@Q7@ z1ca&fU&0f1zyE2ohX}_Kue4ZXE#LBbmHlZA{UAJ=RvLUY3NgZ?(lUQ0@jlP79vK;# zYDVPw^i|dQ%x$av&c@l@A63fo5%`M{XCP{BknWQQetnwh)tWD5dWFWcdJtps@=(7z zADROhos?ExH#wTq1P)-cyL2KutlGF=tj~PhLJC_{p!0rRbaq(H>RQPb2ECxz3+i?U zYN|pT+N@ED5>$TD;M)jI*H+6l;mw%KzG>JF(UVJE;BBdLDIvG;&o0&#@i5i>on~fAN~-BdN&MMZYNneg zzl;nS^cnCx>h$rzjga&XGWgPwJSX3n7IpJ67@zg64hBivLTZUS+bQG}QS=q5?`OSI z&SIm~WddNOu5(!capapZESLpofGj#p`kz;yR6KZOjfQ-P%2r^Htd0DRaxhpur+1L+ z27FZK!snpm6cp+@xk*v_G-tp#T2Y52f#QnySx@AN?yoQh7t&@8v|`C8A)a;L*MN*% z16XV{I;$Lt%4e`K^L3*v*FEl7Yoxc!tWgXFJ(c(BH6Zk)k5GJ{%UV=~&P30z6_avV zSDH^UGE3zm(KOq{SScoVom~mkBm)&Oxkp0;bNMz5l1t!7q|Mx~gYAuRVMR^$&q^Qm zjh`i_7mK-He6! 
zXI_U%r9}McKz}QdDEnJ~K%&3X0+#UM15DoHp>T|VqQ*J%@oxiaGvJGzd<2>Nxj1zC z>hAq(T9w;|jz?zfu1YH+8cJbw%uyv18sd4_Z?3uRDIPg<&L3JZ;q&XtlSPrr@Izkh zOo}GB5my*MZ+CSWHoVzo(vvn@FNX}1d(hEu^8}-A{v?>r=StpCHaR%p04B58sEVHw zY+<(GtGXPh+lJt_U`ZG>7+A7H>9UBD9<#5h1P;5v!rf4i(XwY+DAsqNIV{A%r-<+9 z6s}Q{P$c|OTi>?f6oZZ^f>4t*a?{TrNS`K6Z!cjePH<#n#lKqg>~t&w-^eUk_p zPm<2~_EIZL-?Fzs61nyJo`LrFHqr^P$?Zmmpu6Kjqlo0y8HUw**tLDv2<}?d!J~i- z-W7SFx9hrtJ)Xu?^fXVCm9fKchncuP+ZcZU9 z)85KyV1xcVEn&dp8E-EZ7ZfthzG$9}!7X`x1r0L6UO33=dV%;-<%5yVOjcJiKJt{h z*`c8jdNeQab=E4iHh#&#LwlVcE;~u|Xx4m?@)hpDFwjqpTb^}LI-8arqhcMj>!C}{ zMY-d#oO>tT3e7d(G4=}Z)fB=ec(Pa-IYiB7F#ApG@yT21lzYVPAV!0aANif*`i>7({=Eb8lz{p6^fD~` z3&wcmOCR>*g$B^K7O?Ksei-C{L!0X%h&>a^q+(2^qt(IA;q_)M^l?u1nCSE5`;7#h z2Y{i-@eH(2M@3b3zti&mO)z&%zK#`9N`J~~LzxEuu6+cW$juR|3r@ks8~SK05Ip(} z`n?f(x^ysOvM@361=^Z23Otj7L*Am=NX~R54=F7`qJs)`q%^oa`@vmP71H^4qb<)kFNJ|)`RDh z2;iod(~L;ZE0PlZo8r}a(CFjVyhgt0e*SD-A^ilvzH81hE;nXE_Q~P3ZlDwvvZX(F zEXJvV0olSEO^dyYt(5{Q^qIZ{5)vN%;n*5 zaO-)Jd&cn>GEI{x1bBIVBBZ}u15MxFkue^}HTAL=1R^`RI}BsY;Jk@o2(hK5Zu|*{ z6lprM!v)Sv-{+JZyT*?~1E!MdCb}MM=5Wt$t@^j&_>ZRZmdjv@q61`Sxzh4}=6x(* zCsiY`)r1e~&^e^~&xB^pP1MBoUMsW>0MR&3-dsW>Y(aV}7Wkm38U&WTS1mV~ofx?#Q)MFv&!;msm=BG+7Am7+G z5A?S#U`q%frNlxLD#Yf}&)=S>F?hjq04C;E47CTL_6kdFI+Oz)Er{E&UZJy>T#;~x z2MamqJ|>+7J+!j?exvCN-gAi##n;rNb(HS#7gn=-2R~kWk%%3-nrl-7ic93djV7AE zz;{RuoYs6hFM^1hlE3H7kNze?GzN#{!AuN&3}bAk%BLffRtOX2-|BGwW{%Nddp&q1T1!hVaS1k> zEe_4WAE}jTy8v2K&xh07k>+;Sy>>heZch>-%GtfLjOsVA9$^FTYB!OX$WY&qpvZW- z#=puV(c#7R9OshXk@TEg^<;Z<8Nz-rCXgIPk8MKDjS$quD=R2IC=W|7SOfhW85Y=C zo1rIRzZ~wUrLcFhsc^;WbK&)$IAI!@th%A)1v)pDkBjc=k zteqID+q=P@?C%X5?L8_pD)9))@O4CPClnnhw@}>UzC4f55XNZ}Tq2VJinD&DY-dAt z4p37+aE6VNvxGE>rP=C0d*+%^EB5?lD^gaTBqyqKjn_|OM-_+30VWp+>+4KF76(nn zK=L&x#sNJ`ZE5e|7X6eGEXH z8VxlmPeBP)86Z?f&H{vlB&akM44SE^ZHahSmTAhmO-}Knf)&OROIjXF(e3+kD`rzM zpbd758xam9)?KxllD}4Nh_Wh4(L7*`k4l#U;NY%gNLQ@TlUdc*C}yIJ+fOATzlz+L zuU4ffBkLMutf%RA`)cDRwE3u+Yj86W$XCO3=I1?R(>UFYEj`x^IQ zx=-UKkz_~U+4;6Y{hsa1Gj4KvRwet&dpqgd*K|91_nh(aUak5vW|x!JOQ1 
z-%JV2pZaLwBOHYjFl{1WTuNhW&ZnDtAHEPDP7_>rJ#O-rv42PjGoX$GIxlT5ea`ln zr^(>gp4ow#SNozN6E~NU)!Dopbi#A6Gq-l0ZnUX1qGzdla84V%{XOiU;zz=+O*?Jo z2KMyw+-sAE)8YV^Es>Kn?y&M`#g~>9*2{L9dZN zxA@d257j1sY;s|7iSvD*{lhFTp*UYz#h}}5zYXc`^~QoFq+M7VBt3aVKUor~^sfGy z=z`|BnuThgsuT_@6~pu(3f`csvdGWJly zD6#+JlYdEZSji)BbvZRWh!|9w#%^W?&4)A2S^7ocm-4C!H5kzq)gW<2#1>vkCoL^&*#@u0*X*3J=K_SL}Y7p>cm9lpw3m2 z_17|(*)E;LdJZ{=$~6Kz5tUZkCXEZi@fz85-;2@Q{T6 zPGLJ%{45H472%gne9%he%Da{0Cp%$U)LUD9O~OS|5tGZ8>GBKwrq8|2c}^CFWs=i?(Y`a9mxJ8jjaJ*bSDy;k{WJ;6 z^zfS+{*EIJWiU=jdXb*n>Uhrk1RG?d@XXy9lXgai{*Zc1k-5=LUb@;>i=F;#xG!D71J zT)Ftdt{gd9?g{YG)ZCkzo*pfL2q^{ZZ#1>Uw>Ga7kH*9$*T=1w&?$K1Ep=CXGvn?Y z$RDtl^U3uCgEjLDYuw{fT;xco9ML{6Dj<$TpO=dr3;L^IpBv#x-`>#P>dv5$Jecy zk4+s5``eaTOkY4upMKG@JHZ0X!^f!`qZ+}Cgfs$%b(MQYch?;F*a`gVO0AaJU2lt- zikmT(+Q@tek=^CWbLON6BeCnP#?5CT{VEyI=Fj9KFy;O?;r`c0*7)F90Jad+g(SU= z0eT)FHfm{v;uKe5yiAM@C{6cvjg7K;#JB5F8a1AikDRm6vRH4miKC^ZrKTem@hcxl zg528S`PQ`jZgx11q@J$G%-r1OXFsaBPjMKvS$j6dhd(_)X}$h1uKz8?8sF9t1VIOv zOh7Cypz4%|(NS^8T#!)=HjAfH>fFY{JL=_eXT_51XmuTR(f&qo@P7OfW^sj-oU}lV zy##muZo*Z|VOPGqa4zc3-5fM$Y;aU3Ue&kq-{JCK4gV(!si#~mD%9GK);|ADKpp)ccs?_u=+KTtP(%q9{Wf3yx$z6)E}i(+d9+dSKmYQZFl#E_-K5MF z94Hxo<6_9Bv`>Dr7fSk+G=I}DlC}P4(7d&#YZd#yu^{P|CD2!)X7z~bw!c%lD*^;9 z+;(?FfBN^C<9~(!zgJ;cX6n}7TxDGH-ot<_{lyJPtT=`9Hg|Yy7a9#zq;M|I7i`Nx zW*@i;9XLhUobT!8YoL&u+?lnDr5YO!G8f+Obi)#C16sQ zQw@gBnGUVVZC71+cE>n-8gV>lO4E_)6Nx!`hRGLsOSS*X33>-XC$Lu`5fq0O83TB0 z8<5xR@?#aUpCT&;pdqICf4Sl}lVajiW4Lfw2rvZwiywTT2N=a>Z=AwfS5e<2q+yK~VXWA(MWi4!2VM@>9 zED;0hOH#Q15+PkNT_7{SMF^(O>a;nzyg6mMpWIvXw&2l5hUS)!%fLR#NSi>$se zOduKW&hpEm&Gf&0UQoc{Glbs4o$4p9TsaZLV#lZ0`Ydf__4xQal3rT^io730*bK(e z_Bz$yS$)qv9wvlt4vojN3K)UM~D8FbcaA zJ1p{ko z^tw}`t!k@lX+=jod5wD`M>MR_&;m)1hYXH?cIakEnq7$3St%Bc=G1*V0XeclMlB=N z2&)S)g+6Iq#QRbxg&xM0NH<_s#dSxsQY|f|?H`GGper>2Gg@7ol08(CjLE%b9$L9y!uC^9%L}8L#g_8jqcZ{029*lCLdA9xUD?Nk4m-)(?HGICZ zDJzbi*It??BDhB_PREdIS;du3@h%$A7y@@cg&bn`=0()9lYseA^4?SU1ctp=9DbFK zu3PzkJ>VqDxAYlbvniup3mXIVp-U6ECPpi=?E%xPp4fn?mvq~1UPRqJ 
zppO2O!4M~L=B!s&z^L}x-g3QhRxp!TCeoEZrgs~f8P!ksYEz7d4NG*$GF(WVJQrVA z`~-<8%!z*}Mgu`l-SAbX!_9(xXZAY%tP<78pu->kGr0`OeYKvIS;(PD9uGtr6&=Vz zs)CR(x-IKp62cY`e3LaOZ4zX&{!#?BVpwBT6cL=F*B4HyS*U57*=V+R5RFsKi1(Lq ztl(HBNz)XShY8TOn+dc0$?(KW!`Y(otdv~DJJ)4FiOeYG#Wp|aST08DwfGjK<}4Ay zVP^2K#I{i7L+L6c0=*M=gN|oNln96#%39{xiuOA>vc(sPwp!kigt!pX=>vay$bKo~dE9Q+?EN!U-gOv-C43}Uk@7-P&GxO~w-Gf$XUu0VzR-87vSJD^hdUaqX zkO|z>n}5v2*FEEm@h7=8(4AN7A!gP9=eFP;112CTgMgDp($%^OesWxd1RYTB}7U(gS90 zEZvv9r1DXPd-`BdCpox`4}G-c4GGSN=#o-MLII8M`N1bj7#RS#6WC_R?7s5+d=(2y zkAuT?#PB#7yx?}Y{a7u3XUAuv!G<7ozc^?Wdy6j{g*Ss#wp9HfEP5G%a@v1skXRiW&F-J2g;oeFe>*thO0+~B3qu|t#A;Owge zxY9N^_luOGFR-hIbSeE07GwjO+B%6aaqZ9}b)fp!<47`RrkPvGaO4!{#Ruz zDB<@{UgH}@!r(hNj38@~3E6F8MBKmV7gotO|GEHMQ{&;BZhe@e1vRkyxQ{Dw$J@`+ z)V$Hd?+ETV&WI5`Gh8q`LX5euBhl}j^<39X(omrOtL5A7!)DH79;3=hRjU%snv?N* zlgKl5+tl)0?(iC)u(lTJ3#$tt=1UEEDHA3ejMHruSyhAckl*fhqh$rKTBPp#wweMi zbp!CZ=b=^KMJz%(o1KvOYGDNMPd0n{efLkT9hE)MN;d6*#D)3SGZbu)9zPr}^;rkH zy1(dN;1^qMgK(#zXgWO2jXx0_DTS!)i)@vBhk}Lug#;fc+eGypyxmPR5)9Q~x4WfJ zQp~(Q#k2w8{Z+-PbC21X{36CO@vcZ6hbdcq;zxPH?BaXEmSOfX1bA>q{%}Nd& zl@=>4VRALcnPiwBa-)M*C*+y$9wpz&wU~kW;;L>{d6?HhWO4XBKjh+s*nm{Z+03Nc z;@h0qrdk5@OUv+P+#ylo<)lY*pId~YjG~RQ)K;DtfAP9vdyGWeJuC<`HEETZuF~Ot z<-h>(i+SN#h1Zto*Nx=j`53_R+SvD}Y31iTNZvYKpj@z1pN_(O3l$|Al@@l#v)p=1 zv*>|$j2B)#eN_a^)#mrAvI;062cFlPqV9zi-&%^iSB~cRzpU-HDu66;!+o7JuT0ig zad%_X%Q_{cTLPhB{BRm*m1Utj)C<7!#>7vwD*dy@y?M+eiE0Yhq6(C>lTq;22P+`k zFcv|6=@o?I?`Ll-YBn5xP>zG{Ei3^)>gOG(DivgbfLwF<3|U-PliOdon}L ziK$*E^2EKy#PXZaM8qoWc~^p4N?_EJE>t;Ez0_wA8b?5MW(C@&K! z@@m_yvHy~~yEuW%@?b7xcb*GwFZ^QYCvJ1kYxo9)S5!Qig;tImj5f-Q9?S+cPl0Io z8(qK63tFiH$#%!gUX4AjP6?`s9mfH?Tq}LcQ@Ok_+8C^SQd6n{6S}on0u&8!tT9df z0*HSWFDpPTZ2PuJxL75O0U)Q)z5M~}mF0MC;R>lh%uf6qy6|gLMLuBU;}%yd^hoDB zf>uCDSyv>Lc{LuD_$j?|;uEuY=IJM+Ht^GXS-@~+v*({Oeu@Pw^*}VGR3fN z;{};J8|W!YWK{W~sskgTf-)3d)a<5CixUA`3n?(%0-&jG4)`Jq4W`>j9iHI=(Y0Ul zdE`_wpj0`vV_cFg@u@x_s_tMWXotFgq*45&Ah8ko6yD|iwaM#N#6TT(&SEludx5I4 zuL*N9BD9Ymc0CFe${?J0cJCb5J359=g@tOYZjVJO-I4SBXP`iA6gLomK5VAM;I&p? 
z>n{vqa#!<&{_6Mn_4+!==Sqk{{myX76->mxu97F*e4y~qh_;Kl9_BpUup0EPk3xp1 zmm)?mIGc3JO5&-tmy=n@aa<(N<&8~c6~YrrA#)y_8FplrjmB`&{PpCKm9xssL+19> zxIKhA9;CCxI@bb1Lm{yMWj1ta`pL`}qGg+^IrV2g)fj^2axw9S7^~#8piUrSc9@%| zKezBatj~7};-XVEO@5XD9wDKO#u(0NzJ5`Bwqta$7lh^H@^=`X)VGjjHH!e?L=*!^ zyD>|zC5cWW#aEg$8{+)@UrpWO>O^(~Zh8x}oiS*)M5G&f|fJW84QxZrxmlnh0}mWc1#SD@Vx zW9q<=%oCjl78$RZkF0*-&q|MYXdu>WB^(+RiOp(>KWOHa$L-s{9+2Iow`030Weqm+ z^t!KnLt~{wP_4BiEY-^=isVntkoW>EdtDwRDN2!YR4q!yY`5+V{8dPQ}BxcNH+4MW``^me{07`CFQbP}hy8`A~%ADokL+~sNSg9+;`ZdHg4A#PxCmX zv8tN*ZsJbD-3|l+Q?xv0FJKSq4z^G=L+5wR&{=nKTW!EqRs!i4-YK z6Q_po4u5^6kQj_XcB^E9bIaC+PYh4UX)bWv$QjX>;auTxr{P826oQnaIF1r=RaArJ z2DUHxrPQOn{Yhg(P;wt%-iZ&^`PWmovN!g;p8O0OIZyrBW%5G1{Qco2tk(zkmzDUIFE+zTPlXTx`F+Cn)lYeo z%@Puz_3YO508LyDw!Z|{gEk&}zyuSmtkXXz=JI=D3^BMgwbo9rkwg4XhR)rYd zUuU%6aDy&YC|Wd!1^=kU%=7G}%l`SKwLMzr7; zTFqF}U&j1zHp%w+u)zOc&uHOhRH_Gm3l5S_@pyL^gA!`|y>X}1KD=I^NO@E6N2CAG z(3)M`~WM2P9a-ofjL4R0UaKmU`R?z+Wo;Np0MQI@A!sgu3?$+HA8l^(?q+Vp@jUsAr=y~rh0uM z06KXO3!+J@ND8ueV%GQDi~Wjds*;vrN1zxv;Oy*}MGO*B=HuQzbK@H*n`svr zGkuQEOYMa$0xH|r23J9Au-}g}6V~5Eoj>a@JD!bsT$lhQuixzO+uIW*t$xs0#j8Js z>R4xi8VGR~UyHSs&8vJozZ)B8c zR@58rt&-!@!~3(|oRxkxWixTXo|MgVYH|%cFPc)Ucd8wEmvalN?LAxM*k;uJSi7*> zP8YQq{Eq>)eBrF$b>f3iTmC=x-YP1tu3Og)7D8|mEV#RS@Zj$5?(Uw1;O-8AV1>K8 zyBDs(Dcq{?UH@9&`q$d+>~nQ4&u(qrR;xM3m}AV*dw<@y%W9P7y-zBsW;}U6&5gR4 z4TME!A?caMHC$|6NG9dKNN?Jcci|RljOEK1E7d%(3bH0BO|+o8=qz_YytTio%VZDL z`Y!G5W9#%3g8skGJgZ+!qI-! 
zXZh;t_|eR(x@rlqF?koV*~#{{qQ1V?e#Ox*!)(=DHa;nx$NlYkIdYE*!NW%bhm_9& z83QBcaQMDj?^Q34pX8*X5!AD9RuPobwD?kPfwuhURwz-ml}fkBH!-*&ggZrs?e*Wg z74y4)O?L);{#BK?GS|S8?Gf%<&YQc9G%l=T3b&Fi@$jCdNuFnQB;brX^b^Q zTQ#PJRcdU>P!4vp(tp`!-Fe7>oeX0JTi*s{<_jYG?B%)=5^AM&G>ku{6Ah=8YmqlY ze$!dRObVeOAuDT}pv`dpwVN^lf06I-OZ)&+p6i2GTVH?Yn4HoUl)Mmg9hZ|DTOfAO zp+KP5iHD9YGef?pZls#FvLcma;wmoUqm#b@n`^4a_Rb3xZRPjZ^lLU%yGkSK z6O1hT02^Ty3-IZn`S|$ApRP-pF9^Q`f3_%Zizu>do@uV()gFYH^I1K!a_vtat!lRx z+}`x~w=E=Br-1^wWeHC=@AV`5l64r2Z5p&RLNx&M^27P(1W2k%zJ;wSaBeV+)m(~G zqBM8p!xxvE8r@TSRgE^s_HsTYOwv+i*(?Cvav?q?qMXB2_SGpudLP_+`NOP-Hpba6 zQ(S^9ylul}IBaSt;W>?CuG5t(oy2Md1@Uc~=d;|yM?HO09=fUyP-nEFj;T|715z!| z-6j9=t)%fqmSi_)n1=B_^}^MFlV|Q_C!3Q!U6tXP?XLOl&G)=d{x!{=yHDAlmwWFD z4dm{Ha0zob?#jjdE>0ioHhNO*mS$blKQpF$P1gYPIa_CW8X2{0`U~@z)~^o_PZ-*{ zz44@pjC+}G9Lk?WGNrng1=5VY&`@Xy(+k@ZI=a+FUPM2pyKZU-joKPOR# zLh8EnWILJ#(2uY~^d8rLviig`8@A~px1`UP8|ye1!sOR+x|tbZRJ2(OUhk8wVc^oy zoeCgX<1ZK+9mCj9PfGY)e2~vH@8JRtYNraI=}R}Eqe#nrad8{bxMV*U8+#cGLaf51 z5Hk--c9<6ZE9SeYsRybb+VDQl7vHlN{uQ1sla8^1q=Sz?!oW1R^QlDn$&Al4S!U&L zQi9$=*bI!|<$R_(CE&4J_F<5$!-}iPlG@B7;oR%_$#joVR`dWY8lFWDYS$#CabRC0 zaflm-t^S7CcxXm6bFm1T0T={h?MT~XEGXf)Mt-%6oef?!mRr;xC$1CvWSdDXhPoSjj64$w^)`9%OvA;pO~SJoe58rfOxzSW)j3(NBp1{GM^sK}lRB|K z72XC4&Rkyx1mbpJo(Nc$*j@x!4?Q231Cxo@Vs`IMvs|-N-9}k;+7QtOVk;o?v=EuzP>7;Z$}e7hRz-SmAh^;I-R_FR%%wR&8r>8ga?)m zqG`^-nw$Ntd?O51A}b~@Up&2Y^@PtdclOBq#tI*neM`eU6_vs}B-@z}yEF=mtW^!C z&TEMUSx;ljm76^94M#N5Z(W6B^TLRR-;+O930-%cceq>EcJFxjM(CF;f>{pt9oDBN zOamQGGo51muBkQxTq?+M2|SNrR5Vhnd8(3c+L5c;^>t5mm16Y!>1~3a6g!8?VgiIX zmtXy?zr);`(Ya9TO{fNtx9zRVr@AG_w1zNr|=i z2`))&WCb*lH|+6`sjvLO^{zT+q4od%koPdb3#=C;GbxXdbZ=6%LQEEd%~;uI2q-Sv zFp=~0p@B8rJ}8YsYf&+9A2qr|H9;VJ%}+t>c`jucpCA4O^b%{-%{z4MFp`|gkpM7J z)2*qVz#W}PsKt$lg1aQyuEKutQk-Y0(%^8tQvyDpp% zjveP=L&j|8bZO1_<>=9I-9hrRcf>Dwm;~)sUc(cK;`l1aUOwM)P!9>4%=}K{u44rO zH~#$4y_y|?ys!V*>J>BmL>GY#pAId)@H;=FvG{o>cuh;i*_*g70y$K43Q&e6qgUkto54vWTTv4y(j85dhWy1lTG<0f17HpI`9d#3 z56>!oJ*yl!pWJ5;Lmb|+q~n0QgJ9L#Bc=dER0eP)^d 
zpUi`&&9*MG2*31OL69&~A6?#|qCHZdDtii#q|Y18vu=a>%$@EBZyvaQ8y-NHGB>)f z9(<S$ckRclK2xuBTj0RN9c= z1)EQos)T=s?_By!&TZbJFN+wTra{)6Dm5#$(Op?QRJHTDwR@@iLfe74o@;q;?`Fqa z9qhYCQ0qBH8wPG=vw0yjR1$ueu6t^oNuIW_T1q=}0e030oe9m1y!f*A)u0gYT!{Kh z7A4UNu zl0}mtcuk_1fP89vqvRo_A55dcDGM6<-@9{PMEu5rWREiScfay&e4YgGvN`nKSo2 zwUbEQ?o-WuktX&m*@%4?2bKpAc8iOz>o?Dp2oJ?vid}~xDnCuS*c?**2u|QxdSO4= zz?}^hv3XJZc@g7!>RHTz70&mZB)~7eX?3^F7*uOe2lMzR@s+iNyOQ}ye@&`qabJ4b z_gfpbdwkHAb?f4>6q_Ra|^j5@#zzoRp zLV*|)hm!Dl$_JSDCeQ{%VTXauAyMUqRtN60yHdJCSRjJVchy_!zhZRcYG0z1YCPIo zjl=~3A0w0bc|l__H1qbk%@J0sLj>q zL=8Nz=}F+%Ruf~V@$+^gzu<}Puuqaf@Ego$nRTwLf!b)WKM_r| zAqMHM>r6-Mi-{ex8N?<@7|mqp_}AtAKS{KY9 z^7eRDPP0M%Ys*Yqzgo!ysD$3GKYdOsbJ_7-i9WNO?lELwv^q4FThN( >EgVsIk z+Cr>_7TU{#N-!apoqKp7{#dTGRqIVdgR<6aY1Vs~SHSAj{!3_KHmjI=uZUl6NuLJ1 zT$&M8qXT<1=*oc{E4TD&ZM>QC0L(}_@jSTw>Y-|wb~+Kl+WEEn;I7TtUFo&Ax3cic zukM!|4Lq5bPLn%7Q7ou1B=+O-zy|+s!{hC_0N`wZ)bweZq%etnvv5Se;<+2w<`Vhf z%AGmbt@nY?EMR7;iUs7pcynL9F|Qc63-7x6LEO42wba% zQ^DM$Mw~pPJPcw_5#Em)>lUj=*IfZjl|-wzNQp3AozC+`U5h&0*=bc6c7=oSnPoS1 z@|9W74dCG>^WE{Woeyj;q2BsG@rhx?C`al(=n!-b{04E4^c(O{J{#)70i$B9@wHz{ z0wqF9fUp^7+vR~0cRx!?9F@zzJZLMOEsUH=skp8Bn)LgSuvC81-T1gGvyj{M;p|rU z1vIYUqeW;Rr{~m;)o3;KTOmv6L!04GULGUrE;6)$PoXE3vL~L#{D)*ac)!g$jS4$| z6XiOnp5>IJ*-9>;5o=miU&$L7fU?~CQMHb``^v!*4Dw7R&p$CSF=GMU!l6D!Ntb2wVxy_^~fn>XX}-OvjIR5=w#d2`@w*rS2o~R0LhjwHekVKWUi~qFmu`$JMCAHMyv&afOuD5GK+v{$dTU!;%c8xo~SC|PuN-Y4vA3msDBc^-!jRny#b8GN;x zh}Z{0511(vmW#8Epl9Cic44vaT{rs=B?7Jz_8`*Uyj@Ac?*5O1X_xD|j6vzrl~4Vl zlf*e432;JxPUO1?i_VkAxdY7h>l7yc=bMgG;{(s%9d+{C-C<2k@TdJ&8+MA>Q$bZg zFy`7~SvS7dAf3-Wi(XzVm0z`(?6WpX>=%XvisM(RUGab>@HW};}B*!fJ_G5U{JJZ|dGeE2eW zG-7yU?(|h@G|ZLA5qudrT6g2eG{RPjlN(M_^~xPU+dmjr?)32`4<~=6RM`F z6jGh-c`|-2ezCKFi}q8+kofUWaY@?sbnijkRXDq_x`zFbEfTCd;LV(gPOxEHM@WcC zu4lja)*=gN^v8il>1IA!+rPFA&p~pc$4~9{T&{He=U^0NvR2xNr`T<%yu?v)bq!G0qP>%``|F-c#FEpqI=*q}BCw!& z+r9kSQ|ZA}nW;-r^+JL11T}rPsVtV=^?|v1?TTE`rj+0!2g-R%{bG%-^5oc zD}LwTJoH)Fp+euG^KQHLVO`ZH)n4ULQj5#ZN>xjfS%@i!kizfi&d+*$>uTmyU*IL^ 
zJrf4@!)aFd(i0$`QSUK+bfFmPsnUS@g%44$V9KAlQ?ec1exnW7OaY8!_JFe|>)bOt z3$mzxd)usBMg17HnBI0NTYA*R~KQ^I-Pf$qc+4%+C5oXtRR-QLKT}bs{qi z0Tj&Y(BeS4mhmYx^QX!rt&!Vlw!sZtn^C04&z+;(bv4I;Cqk1^S1IsbbG_M2{3gR(Bt{G`X%8F{N@`{jJ|rH_XTlkc{N8ihBUreuZLdHH(Gy}tuol4dJ`8|1y~eYQ z%L`SwjUn7m`ZJzhq`bD~ctC1~ljqu~1m z011w);FU){xo48s5K^`<4w3`2@hSFWPpXG4VLdMO zZ#JWb_=!V}#>#`CJhj~27{b7ErSY!V%6^J^tx=xM(Fdv@#RC)UNFoyX)tpyt0rq%M zjB^A}x?H)=DX&S$GZ%ila5lEpLcNiSBBR!!$E34(*2n6wt=?l1AB_L6)F<7Rjg8R} zlOD7c~T|4yLVjc*U zLp&BKilEY+uI#*E8Z`go%U5W#1JR$KPlS{+Q^G@5vKm3OKKhxSxp^u|Gn1K3X7h+4 zv`J1b`fPS6b-(INK~j*Zg|=xRBSHIc>WJ~%Ngy^8IJuT>G@f{9BromPb;2eAkLm>Gy#V$2_E$wtm!%;tN((6e)l}kZF4TT2I91u0KS>N#+D>d zZ;?|46Va4)AAr=1y-^P2iHbb#j-D5vC9zn>li76yQ3k0z>fgt!N(;s6>U8ni`0XTuGdqgnyvoV_*cP&!j6&(d${Ot1adX?FFz;lEyS6*YE1?j;v~zcb&1M&i@d+h-Hd z4%WwNY%c(xk@O^MS)6DYn`vWd+;L404)&HiVZ)q=!;(o!-MTUs;a^gr6f88=%rP+* zi0cofFy%=cY<|}`ObX88@IQGDP3?vl{ki>%fSw0B=uC*6`^f^yF>&Gt>x6|xr;^|- z&2L@GfSm<~&r9bz)LY)o@_L83gb}#8QFC1?fc|Zogs=IU@2ibMWgZ?MzxT39XJC-q z+)0Jy9^8nfHr%-tjVG+e1Wsu$0iY3#62H~mtwv6!Q~3N>0N+8WzroH%69sXmFx=K; zx|v4abvX6mE?huSN4rNyzvmE~nv}WVapm@E&)jlRf-6kGm9;!AR+=TbO8ZQ^OtX9| znp@{=@8(9;I0mCkOm8wJAFjgTd)W88t=;%DY}+Wg#AI96EzEF94Qk~CeH7mk(%Ok^ zk_`LfskF3lfwo=cIRSjah!=)A=g`&XnlqZiY}?!Yec_lL143A7p=g|*efZG2D$S{h z(2&_EG+l`^ZvXaFZ0dZjz9+3L-M;A;Lg6}twr4-tmo*5s19Pr15gsA{c%;C~=lh_m z9#y3BU&1lMcEKZXW`_bXU=+8jQ)DO(s`{usC1-WmL?1Qj;d_IX^_1(N1LOx?a}O)l zIXh35^LO6(u^R_W>Q3`_)0DfGv)%Pk?Ina%UgLB3sEGATR$~jYfSzKz3eSTMEo{8E zK03SR-8kY>F3nSiEzNJEqVquXo!zJO4YkDQvu{A<&feUPO^@Cl{z1TM1FPZuiy62j z)Tr;##BpT7x5mGNstG7DazjXp2wJ!=1B2OR#rE^n*xo+uWd+o;2B@Z{_OZ}@VG$sy z3{cb#Y_6%V)ZJ^)ZsMSqIm2e*~^S0`DwCImp`P(HNU)guL@7An`LeJ8JM|-)J&Jqx;F0&PN+PZ&`Y|S9+v&I z)C^+g>k4up{PYqEJ}{bHPlA0U$xh7d2qE;`Pz^Qs(}cI+THrgmvk6)=m{FxHZergJ zf^rod5ZU4A%IkF?Ap;87w7-Vae60BlxUjI@K=>;zF2@l!^M<9)koebGPTsw8X8VMW z0k58xQ&81{Os4{)lbvm$&|sfVfG!q~%aBcLVQx&_uF+~!ya(a$3yGcqos^?F_()|RxV$4;Vxp^B<64I^8M`1a1@xdlg{+J5A^nP^=pw- 
zuqxWmR+iZIar`j-^xl;$MLMWHT@0)NrxBUpm^xpc^yjNfsIxg@42Y2R>1f5nkx;Y#MGsDEdCln$i#w~sv zH8cqfdH17pgS%;hQ`!$W&6PN3L>x)|H7#252$Z*ZmKdA)dwW`W@&Hw`ti65>Z)=F{KqT^R)E@OPX!4L zweF_9(D7HgS9qp|rbMmo{@Uk!?egp@eI!N3*U_QPV8w3M*Nmy)!)HfJBC%XPK3}Dc zp!?xkQU93+Nt`Rl_MbsEc01MYH~{4dGvg}6*6s*CkX~zbK(X(-LNRT;*Q0NwvS-uB zjeli-oTd(rhU)r0fk1wofr4B+**4HhoDt=)Tn=H_Zj8P*1$3k2X}_rOpDB0i4|!ol z`tPJ%90CM1;iJ!&S};m_MkX5UY&Ko*^Pyqy;GTmRrvJ*ajpnsh0GUDUU_>l~t=eG$D9QXDK9Js_25@W zCh2y|wVWiot^*A2>Z!gZq5Skr$8G|?^8XD^JtuWG@tAi*bV*J4Kj9@ zDZ^s_S6%k6bN~Mj<#gLSjtEson|*zKk5Q0Z*w4Jfuw-Op%qicOs^#S6#eW!S^Z-H4 zlN7DpwyiB3P~^zv2M3E3XKpy%KWDqcAMf-ea}ZN{$p4=r87N4#75ROwIhtK7xjbl; ztK<+Wah|z`opd-J05$J}e)6gQ2Ea~s26kt8d8v5~-hTcqf{d)seV2nXm9V1npFowa z)_0~qx=U&Q2RYckZb2JLNLhsR{_g_r|3a~TEJ6XZGLL`^{(rB}|4A%;Pl57Nnt0j& zFN~7`6wUg-fBau#`TupOzlQ+@tp2TU>8WPEJno{HXmalu-CDdD!q>^^`JQY>S(X3q-yKSS z-?%00$>Vc-4^<FD4?h3FwrdG+7h<9RgI_AbcYXcFZ0>7v%{P%$|zZFeBzQElt^Is_ELThJCkRE$m}|`3U!3W|*d}^1As~WfnH4Ob<xA zd&BPcc06f4M{_vx<~Y{JBFTJPK3MU(H70Qn4pH5?Lb{>T!ptHoKQeKq*K|S~5oIqQ za4mSBwq&!LUDJtTKqY=z5y6bbu=SouR?~&i$GbRPsH4q;3q# zfr^!Ijr@NY1wITWI%RP?IB$3??NmWcT}u>m7{~vm;b_SH-iD?TuVb(aZHaSvdn^NyRUZaBL@+KI*=f^~}4<2Fj2aZ3FnQE_=hTW4s zu=8$G+monBmre&N&Emw9Yj-dmyq<)MGDLkWUxLGK9q!pUo!-{R6250ef*YAC5bo-u}$N*dY{Mg}Lc`KXgP*qrfz*sOeEhB^g4X+3CTaoZK!zqm6_ zAPsN1{dIAvcXjsoL*F4B@Sb~<8}UuPW$;+?F7D#VL#@_X>{qgjEJNC?P3>uQ#YR*^ z>-^=iTuF9f}E6B*95-!5`J|r6^(_uf=Jld06bsbUcueNBMB5Pvl5j+?}qnwiFYCk z;Q$+Nb8lg9xrk_>1qAFCp`FQwq!XY;(RQIDRLjjfcH<}7?NUw3Md*AsW&5VBOOF1; z$5Xf9jkiWcjd^vNCEYUk0Ovr#=iB#HpCTea{R<@S8T`tfmi=};+( z?ap(%qa(`4``gQd(kmKF11QEusicRd=8AvXCqO=C5#!T8JO305bgfpL?A}ZZd*OxG z$%c-N$({`pMt^nP`v4uJ2IHi(w6w*tzjJadjrIk)#-)q6Q`EqK3!}G3T;iZ-7pV6p zP)D^23Ik`7#iyl}AS4;A-2RCZ>TBK#L=Nu#9!tdERwt7*hd0h+I_pWgT=PLKbgA+C z^(B({EywhB)CgsAz!Sv`4@T*F3^uY+-$^CEGfLnGluo!fs-c1)+}41lQ^~Qt70AOX z#&-SWvLP8A?9Z#7KM~%Ssl>E;-53!J)7v3hSTj-*?dD}0&BRH$+7UY}9nqyii*XUd zwbULTg>1b(F$+H;xi+QBoH*hU3c@H2p-3P)fWCaL@Wp58tVOG1fQOed9#e~>pzMJg 
ziu9MyxuQZ*+KfbhOO4jYtGSH}yLx`=g6#ItPmF8R@Ig#!$Y9VBi3U0jIh5&r+(Fo( zzYg=n!wIKfC(CQSrGyzzNj}7_28`&&hgNi$p0&XJbn5#Pq2?@y&WAw*vcHZOB&OGm zdSJ0I@dLQyUL%V@jv~@IJ!?D#xZ0PDuTM>*eNH9KX{Lj13lEm;Sc&B_BWpxzUFt|; z`frVZ=Z)T!La2y)FIFsqvCDS}-t>Fj5W6d2cqiZ^vMT#k*n<=KL1Zu*Xih&Bkpy`t zC=u7j0_j7{P*N?=PLf1W5)RZL1TkJD+S~t&Y2RMQ_JaA3R5WR#^?UAn(syx_QN!(O zR@)n3Io8WKS3$XW`dz^1&!bfS{$d|Vqz=Q68_sCh;jUJtM z!}xy8Pr7_kV^nE3DHeUZwJ?72+!Hxm%f+C0_ z%FuC4&!d`#an~x`cRP$Cn8`mR#ltH83l_Y4nnBOA zG&!E*sgYv*dW+H@@Q1lyD({h$jc&~SEg?o;ZKWLmd1{JsIRpytp7C7oLw*p$N%miA zGgh71!}7Kftl%Fn*Eob7%$td{O!|(KB9)+y*R<&HK+B5YR2zvgr{9wOQH@FY|Ci-y|uZ^WJ zomnA*Pl!ik|cu{E*M2tYEGHd1* zS3tc_A?~?f*G~q=_7uvz*H<%$wkQK?$Z#D20Mr>t8X7 zNOltD*hd+V`6O~MIegd)5F2|_D_X-9SZ1(3Gv`F_S%79tpvdDtq+qaN>MF^2?H~Eg zVL8&W3G{q8-`~1JjdW|dR6k13SO=hVA8rkm8`|F__L<{Yr0^)>UvNba(!P&dtNnWs z6nXilNiWvHy5=;4rZ)d3=S~^WM|atke|!l8sk4q`hd~`nWN?UO< z5ygiGNdJC0 z{+hx^V5WN0$d;o>5cm65MCbsTZN~h>%EyfL502;3CxgEbSV40k*R~4|4&JZDR_&T< zIUefb^?|&Th2mh8KT6>Odt09WQYijwm9}DqU&m&DM@q;q#b_T`7B|<}3U3*GufI}^ zqC*Fub$x9{1r@k-<%*2QkZD9rzKtRJ#ty}FI`v*4zVp-UiV0qQ?U=2!a$?f|Rd#>G zarqVEaTMKScL#d$J`~YE-M|snG%o&(dAFrFTNa-KEQh zk4$9^d>yi02aCWfo{kN6NF}OJn^E5(w||1vVz5j>N<4`I@8U|Xrm8-o#4H3i37@T! z{oq2{kd8kK0nkBC#huo9T(Hj3Y~zRsaCTOBs1WOeLtY#0Yj#!J%6Z36rA?VxQ3 zv(O8PH$1u^MyRV#9u^1s6L#D>Kga7c?PjWo`t}F7bE4U;218*>y}VD$R|;hJ#0gnt z_F&TqbtG}3J_mI9zGcMsrqfOG6TYVSu_Ka;!|Lrk1Zu@BeQ0zyon|O4wf$%vFG~^H zjeq7^Q_iLyV*fK*zs$nk-m;R{sMeJr60Uk}I`F;*gQe{4D;8D1A>=kWr4^&1Q3G{P zpu+Z$6P()~ICK$@ClxaZKy7KZf*<%CsH=kj56>$%ph!u#f1dD-mmn$u6~!T5ZZ*qe|aKwrE-0-s3aw>lo83VR%w-@46)e*LVGeHS=X9 z#}+08D0c;NQ||58Fqg;$fB6@)M@ChaH?i?Qp}iZzz(JX4MSmlzU3VNNx8SwQ zCjB9=36vx>pPua}6zwYs>T6GdSi~YKW%WLe%XRD@3PI^VTf%O~P*XqoJgbxX7-Cf= z-dIh0BI({{f5(@Z)s-u~Bugu>o%xSPvovByUKllv}6p48#4 z@Y)#LLsNcw(j`?f^GM&VP2M&%eP%#qBW1A5LICRheNWG`OV`Ry#m#*U6Wt~kdt8;! 
zLLTr%wh%DA-;5tm8&b#D6}KR1cp^Mrc&)&lvSZu2Sj_Tw4K1 z|HX&Nf!%tJs{_CGt8T2Ia$x|mpRj)oY~CnngClK6)Zw`_;RxKWOW6rQLQ_|Y_bbg@ zU;`SD&!rW4Xu}^czn#NWTBR-;Uyg?FRlX)MD=uh+OJ!~)vLoP5Zp094?+6BJ3E4}4-j>aie~ z{pi!Se!wy)v8Q*9{64yPWE{WUD8xd%2!2LUF0HN~u`8)A%p{o(qX=z4c#l~8(cG>v%$8qI> zEtOpN$kVMza??7Tn3N>BgB)7dDws;vLgycRPM709@HxQ!`PX;pKUJUr+zGm6-9fZ3 z;SE6y89hc3wG)ZMbNUaslcBuhWf@}1eV?VrgvJ<@7b5p|&Oc*gy$}<=IU;9_(2%W= zFs%8=K`JnH^6m`l$&XvP^y8CVvdIFQot*67iwTXPE^ zeL}Flm)LR=hg`$j@ImjjQ$DZ+0-tBI(brJO%eCOf>fc*@$ zf&>U+vKpbICvC@Agb*X|G|6(%@zu!>d)kqo861M<8X8z$`FhapdbYU;XW-)`!;TosF(wceZ5sE-B@;@DwV7sedA~z<$_bnqONr-;ZZBcm%EHNnS4z zOI?01v~X0tFPL}${7BFMx8ogCv)eAv`oG*QU03R`3;hZP)YkDXM@K=!Szp*P5XdSI z(CwDDal4;pWO}6B>Cv~cU+5HIV`QW8U4AdfFGCy>euwD zN+7JJ=Um7D<51R4h;|;B?7E1+)N)nx;W)&~C`$hw8@l3>b&m>tbd2eZakP+ch)Ca^d>!}o?Di}}VWZhv>;Y-#Fz zTguA5KjI717xPi;A4a&LnQM2x zu&SH!pdp?Q&8W!zkgW0=f0xwMxWzd2gN~CN%Mv>~^AufL@Ov#pRvw~zC1Ic4P(8m) zU9x-8JmcSXrEQ)-^{Bj{su`=I!8x#NzM=k`>iq|C{evLZ)7=&SWeKJ&-p}%q|5+b&cKQ*u-VR~X zdW2H1{1X)h?Vfn-=HZJmEW$<}nKq9NR@20#)k#`D036jRYAXwuCZZ*1>aGd)>He(V zU}nOrtkG0XQAi6Ve#&f4R-shAm+SY)0WDusRvl`bS0>W?@dJ4 zX4-lhq`9slc(0F7`6j3LD2?M#nGgEU}5ax@{j}faQ$03OXFvlx9QD{o+Wn= zhv!j3{Ae;ZoJUN?`OuaeL#-d`?4z6a1vY1{&b^gL~L8Wy>Q|OX9SA(TQ134x< z8@#A=yf_xmX!Ct5n40I0JXBH|=*9bVT7SR#<~Hpyoz%GGIiVdtpEWWOmi&_Lp0Tr5 zkv)!r&Rob}!8EDT?msKwqn$yZJ|tj_|2oa>K)+;{S3PJNq5i1i_Z;eEb&m_`UG^N= zdm_(4?o-V|Cm@UHl?b;5(*@qq#h<@Jq z=z{-g(HX?{WZpn?pnmq%PGARxFx;`*ATuh-to)SmB4pB#myw$q+=lN(xiBHZR zZG2j98+XERjJMY|cKrBTs|)YB*8WVtqnO9^uJx}N5FazH8=)UX+lqgO^sh^Vj8cSc z%z3U{9gw(lT&?mal$xB5jZSD2(%gZPWz`}kp;f91O@N}Tl@etb)?2lfsLPgq(<@Jo|+e`*PM^2}{X*YZrvP5`)z zz30IyGDm*A%Z!{1qnd4|Rqel*!1Z|a5V6hv7|G;>elrnf(^{uDF6E6vEWRlCyd+8lBwv0`9Yj)-^LNw1hWh$ePe zPh6J<$3Sj(7Pu}y!AyBQkw@R7h3Yu4EYww_R{ErHJ8IXXwANt0RCa!EWLIlf&C&-9YF&L^S0-G&r}^m= z#aqn0Dc0_ME6@7#Z6kV`k|a6P-*f-eXMmqaq#}4pv7YgD1{sUvUOI4)r-6;dW=c1onLqgWA|y!&>{e= zM&fgHy0CB8_%}!QDHc6MRwe1^2%2Ku!^7{$_T*`^xKi~HaF%D!SrdrVNF?eagTW$&UO)QedTxUj`{YC=H)~A9PS;yM9V;X- 
zs1-*KQ8%mL;4+s+Gt9V7YmXWo5NFDx&U%ihHQEA|n=05o)zos|EQ!fUnypqnx%Tto zy=8$?=otm?YF(DOdw~I{F6To(@LoJwtI~d;>yj&w!QbU7x}JI(6lcZIM63 zGp^TPyb8g(jhME%dd%f5OiTA)7tdo^gu!#?NS&5}QT%Guy;hsN5leGviv3o*s4~k; z$PO|xJ|>xfKdPEVo5>YgqYjbD3r`iUl6ToJbX9?0C(YNfQn=cHJ z&H@Koqg(S5SO7U3XH<7xKN|y>$lvE25KR~bM}Cb9C?Ol|;m4mZ%z$XYRBm1OY&H^5 z{;VeX(!GXCaOl`G)_SNim;n{ zFC-FhX?H`=Q9LCE*^5|iGDc~#VIrJ$+50BIQZT~ju|dnmAUB9ZRLm$bFfqE^H(UwnW zt^BQv5!fIsbiR*-OfWs6gD>zG`9JpacSxTtVJ++IeGFe(F9FWCcXzTMUWlb}m*oS!|Z2jV3_ds?e1&1$cJxK6Ek&^J5n$f&6$$wejP>e4`10Qjm~@< zBRb9Sr*~xaDo9?g1rRd9X-w)n?cmq%jv!yyJSrL zesl-KG>66xtxYEW;fe0L;<`XG=NV(AKu^ZIgG4e#@>6YjTQ0;o`0|KfJ$6%xZzf^T zMNqra=K4<_ovkMVf(UBO!s7e`*S7CaLTJUR6TwvUiW_)Qj%Hc4N~z>0pQpW>d$l(^ zmd8H&^Q?T7!A{w4wDIu50t>Pdx9(-r8jo zN30|?PZ|@XRBIcgRFV`ls(&rtQk@k3se2yklRQ0K)%GorOEr*gHi_QrTWc~!ip>Uv z@R)xwJ*sl5y)udj_>$cFc4(_>=bru184Hu;hK(+8g@t{{6ws~2QDbUTj*B$Ep9!vD zzx)ZL6oLKMbvc14eV25YaU-lmsM%{mPcIvxT-|y9MF_GD2Q7jiEL8!h0)JdOXB?6h ziAP|yxF09p3(+WfdV1=rtCupaIqKRjRmDJyoPE8$Fk3-yg6gn0(4J&a?Zxc>;_fY& z<63rb(HLTinH{rZX0~HyW@e1pj+vR6nVFfHnc|q4nVIQM_SySnpZjwEz^j^?nyFgV zttF||(kH3APL=Ka%f%oR!jBSIA%;dn2usj0?FJwgfiN4TazWCR88fVi;Gij!E?R{M zn6547T1IwqxbPQ9)MvxHUdrSx<$6iDn{tcr)peRd`h2nc)EELFHT}S`u8)Zc=(KI%XV2e#CK8;{Wot@MO*UK2nU@KyF%^P4% zHCzJP?Q#4lXfETK_QW7@w2gKTPNDm@oJS2Qw1`jlG#e40TeJJtI|=N0gXZ3TV*7@o zebYc|=*bs^gLWPL4BmM^a3$)l%j^l_5|lJ>vdFnJT-Qhn zEFFnztfIR2mZz-OQ)TH3_hW&jCrPkZhOV8N*#1YjS#Gd+iP^+A?)8|iSi%isGk?ca zt|R$Wrbw=J8)DB8SykK4u11?vHjwR8j~*KOe(OW6M})17kcju>Ko)JO`#}iv5f*{l zJ;iH@JcoULQ_xULLk1jc1Awp6<^pi74PceG(T_ z)2cUBv=D4d%MiA2BNzMTa=+>*tC54QKp2OZDV4zyTwdeWEc*Zj1vN#Gzp_Fv#a#C3 z5pyla%s#UiO>61)#Q$-yt$NrpNdRT>i_`uDfdCMvVMW&m>07jp3S-4wQWq)uZ?3@{ z-iibQUpqK(#0A@A^UYG9&=)NjUnFmdEh0BXZ(^Z|;vNEHYUCkVEOUet)!+qT6!#+n zwM9kADW`)wQ1D0U=glck%QJBv98%Sc=N(Z!*wB4&z^-ZFwEe6#ry>?_i6Dn7b%>{L z#%Mh^S)0@cbXJFUZ4@lV)@ae_H82j2jc@F=C6;SG1cKFxGHKF*Eq7`Yg{$dI-pArI zqu%p_$(>;qPlikeMxDxM*Oi>bw$tV1hc=wg7EoO7v09cbeD(_-1~PsEsW)=J z@mE7#1Gq4jNFBa@=QZ)ImrG$4kwfPObzSo-@Wyjx7|iAiQTl)jI7^hM9y#_0^^OCg 
zwWWs_7}Oml65ioG)}HLRYAcYF)YqXq0_@%l2)!+!A4FY#!hjj z#Eo3GMJ&i;djN*Y^b0*bz5npRfiacX(d+&CpzQ=_qF$!;cHjANU1Olb3sm3-v%b}} zN()QPPF(k+hQU{MWrJ1(wRv$^CP&j5sh!l@8si!PC{2hc67SsFH7G%m=9v@CJ4SN`(c4f}7bPqm2?g-&6>&T00BTa_WQ^)u`eUEfhKIO~(w;#`M2f$%lO^Ysv4R6w#Zqs#D&0GGu0p=i_8_O+@oG0MwQSHh6U1G%0>K(y;Munp6l^c zmRj2+X3Ykn@U~&q*z$JBz+ zdd=L#2&}hDBDxQX;N(~ICTz~Xb|37^h^d_nOlCzFk&0KA=Coc#I;5r08fzB^B&Z+N zy&GgD(}f&>HIz1cKB<~4(G_RrNX*0+)e6@K6%I_1-fcNZsJh^QaAW%5)7W)KUB<+U zr84jPb_IW_?+cu+F>6AyYUhqn-e>$e(lo_(IXM`v}UW6DbS)5^+q z@I})Us}pwe2N0V)Gux;vR%Rq{zXC{E38z3?>!QY`i}Ls!mbd-Dv5S2A&shM(=MY6? zRpjrfDK5{;mYtg?i?xxA-*t7pzpu7rTW=36bhxtvY8?XE?2kCESeXG~{17{^;0_I$ z*6qk%aQAG7a&(sX5Ry70-(Q}?fBc6iSKvi?Ae(jVj_NEwQWWPnRoUqqm-{oA+meu! zxx#`4GF_2f=cQIhOT$33XN4byENf2u>cpCY{KW!8Vo@%K`H5L~&aST8XREErOR}RD zjz=@1N?~+GwDiLkm60jxb6_;d5V9jd<@&F*u2%hc)q)Wt01bd%#YF90=avd=P-%qVw4R!xZmz$RqB(F22b=}9@incF zayauFC2FuNtAjabgu8ioGKhNaK`;EtJ<6uw6=UmU5tCCx_!ax zclJ#Mxu)fc<%pNK#Dz#wZ(Mq)1U6w-JN51<*q0rhL$hZOAizfTygu_j; zwbFy)PiWL#tE-yYxc0EiuSi4~PWyIBgC#+*?WUt8HpkYiZMdjoxDnO8d%APR2qt+= zj4l}U6DNpY#ZlCq#$Qk!2O@kXwnSYJ#FT2Ttsn)x%4B05J||ecw$pk_kP?qwbvNm9EqT<_uU$NTky)D(TAz;-y+~$}+6uqPpT1ah z;?HUDfgOhN07DQ9D5#=Q1`o$_ukyHr&a&Z${)O=bg5;t->*Qo}18OfHu0nARp*X2& z!h3U?a?sgFF}LqR6%&Pw3H3P(47Ww;_{njxIOu+(S92^eVd}kmlC*@vj)Ome!f9QS zS%h$9a?)yp0(v}3sZOAk69yK4L0T9OVx>auT)hi-DA0EgSF8}Eo1*0s#RPcag26JT zOk)+Aty=)lVd}0}@h&GPM~6(jG?82pO0h&?GNlwt9#D@fhL2o&tR=a6y4+YfH)nh= z+Nq_*4TaR`FhIjD)Pp{eQ~}olPx+Z1h8lOmKQUE9gKnSBWs21<<1uu{dh}+_1zoyT{e;B!!#n04Sp+BLYadX>t zGfPqVJYwFoBK+G5H52L(6NrhS5G8_T-fWVail9hKPng?tT5kz_V-%DkqEKcjy}NU< z7l4!^myR<_Ly{IdJD_1r7y?B&jZrB*hfQCFA79Dt@%TlC7$%@6SaM zYv+W7@!=owQvi!)YwlK79iW;zl?H$vL+IEiSRtdxEb=rq4_as>e3?UB7*Dy4m^Mz> z9-T@U?rj_}`eEG#mzs3kd1%Zo_fpDT^e)I>d<5If7lw=o!bb^EkG8g>b?|{R4y9Ci zFa8E#4yZ=&i*0q%mGzm~5+<~2|3Y?@0!j&B(5N+n097>x3vDXZdP_5{H3p-ml_l9J zBZYm$w<)T1dXqVVObDurPM-zQ5WB5fk4lQV z+Ly9srvQ~OOI4o^*xr4Q<*nSBK&_?SPZv|Gi*bhujv-I@OVGJ%SP{ew?}3e(vBzw4 za7b%7zHER5(K3!RrQ0q7Mv5~%=zjnc=>q<{fA*hd!l=Q{7@Na!Bo2*T-{B&KG8H<} 
zpruAj+y?W-n1bRE8@Wd#1ul&Gt&GcTr6s^&`AH3Y8ERxSoZaHV(tr!!`Zv0L>&d*t z(vIdUGaV#SBA`)53e(WUS%bO~RIB62yj0(5IYu%FnHnb+Qu2d@`lsjn=xyn?-4kLI z+MJeHD`vnsni`}Dx={5elC=(=1%BnldeEyNYVL&`+u zw{BUuqVM&-DPIa__%aUG5-fwp9h4T#84wGQ<%*fhMRs*{ncrudmvV8vT=0wbSSFlq z$HE3d^^Ckz``vqgD7F#EJ@ch?5OG}qv*@{~Hrre~mk*;YqdwecK$0h%U&wl7kloIN zQTZ(MNt=R>{EonF?}zUMwP!Nd5k%sWB(2>I#EfSZNN?a+qG)+n3gr35xy$+HakYKb z^Ru?BWlUg@tn~t;0dR$rgMaVk`DQz}f`%3Ey~j3Po;cOGpk@+oM|%5*%AW?#lXOSnhf8b7JqvxsPoar=1dOXh=2Ky@A*RL761ItCa5Csfs^65&Rx422S29 zx~gT8_sA#X+J#{F&lAY2)fnf(-?_8)Wfso0gH(^lX9iYh4HisX49Ku z9vSZnnGPN>J05h08yB7{TeviSI{a)MuIO9u@y_({e?j$kFvbq$N-WHChR#Kc036xK62yRLIPx7tMY=`^9_B=`qz7~rak z-Xvy2t{HlaWiC%N63(@Lzv$Wed}f7xWe4~0Lo;t_!q1Ddv<5VHQw|cT4@g=`H7dBG z@h3#<(f`Ta0lvHBiK2dB-^kzY2isQ^OmLPIk#VXw9=%_s%BmBI6%%dOwwkwvq^Q-K zq6ENTg2hv+N-oO7B@7C8jhlfPE?4&4mon=Ne7B#bU|G28?T~iehT*}vw~z(Rz@hqC zRl|>iS2*SxqpF{1p!Ss?leHYNfMw4irSg;QMxpscLoH|igEFY)UBLZ}cTj9U2G~r!&^M6}ZNkTe zA6uP7I=DWK!*HPh1MeYXD2{%$?BE8eSeHh^h}ZY4=1qFtbV~kl7Nm3z!~e+YS*FFN z&QSQS{Q?9`{n*3C0XC6X8)HWG0h0uF_Aaqx5oRxOUbjy`wJlfTQ`?=EqQ+w{CT8bn zKURLbY3@)k{q6{vIMXGN*CY0g^UMVO-9AS`$4yWL<0Ef&Pw*@e|CS>8&K8LxY3hCr zLW1W4xI6F;@cAdHrHBnqZhXQT<_wCN^rEh&rXH!?Nh@R1c+AoSDB^Hr7_uN;4>rvwP1kgO}e;x+vKwNDDM0~E>^+Y=g>fE8bGmm4f@P?S~WLX*mg5f z&=?6!#eQ`DBI2o@e0C)&>>O>)sanQ}o3sE5mM;jOA5wMef1m`+vbE+U^ooStpmZvMnf4PcD5SdEw?yoPIWD8>p&;@q)a-k*&)R1QfZ}QUkdNJ&az|c3sgQ6d4 ztI{@|(T;eE|J?YfzCxx6tLyt$=mfWLq!u`Tqs;0HdWmTUJKr3f^hqeLg~wK!wc>Rx z;*r3uE|==r?;>(}an)4XqW_ImH%yQ=Xr7^ebp5)ta)l1#k6n~RGfhfK%s2g+CK4DJvP!wQ|Gsz346VhT!acHBUZ zMn+V$-R3YjNi3q7Xwxq}L!o`5MWqetZ>MwX%k~dyabB0o6UkhtexB{ZCOtSayqY@G z!NC)qZVOz80U$;b5>+8Ei~EKG?l1FMQ8Mi`*dH;Qg7mXs69_@e4PP)SD_Y|wQyI2;R0_uzMheOj0t_| z{~HUqf&&VX#Yp=Ue}5>7%rq{&TP`~~Pz$J(*h%Bz@j{fzFqd`T69}UR+#VH&LO+VG z!EAf&<=aQaL{^xYV8=a{L;*OJVZwilXjn3_#R*m=L|f~w|4!4jTD<_-b%Gr)vgE=1 zmXC3C>ZBkpnn0{gu75<$-$n%IYwSC|U9k01M;VvknryPgjl3`Yoo$6jO7vJt`H9k} z;A)qTr9!7mRSsojj5o`7utIvOr|G9qz}`QHRKlLAEGv$OSnELr*N|TgWTDCC&#MGv 
z=`u6W^IfR)t}y1f#-n+fP0w;rkKIeQv@n(KCc631$`tcdp!rR=^!2l1$07=*uWp13 z+#K95?H9^Z0zkZVtG;$>Iymr8j~oU~lEH1G{+%`gFoVMyn7Hw?blbVxa<&@N`OD+A z^jK$B7G8*~bQm)`c@ZeJb^_5}hSji1W&><~-!!e=89O3XcsEM+Go9`5$GEuoGrR0% zI+rz%rn*D_J(l)rk0W%(7Xy?OjO7yR0Z`q^CKRhf7F13!rxAU^9$1=KV?f~1i5zSg z;6-INda@p*1~`fvyw#e~iIBYIC=xEAAB&zGwT9H2yukhAnewUlDE|vqbaW;gDWYNh z@-{brTMVi!#99XgCP7FLx&g7PDinn`c+FACeKv`wCU;1qKfkC+4JOHtNS;O0r{gbg zN8GH`^{PK!RBAb&pf6&I?VfB5<_TW#GanJ9Q0hK10l(0UGIAi4Dg^(k2#OSrzDL~( zrG6rxHj~uWccPw!u$%!^dZWdhr~a7h(n&`eodd-38*{?*gr}Xr{k}s(Gjo&L)N~>U zv||X$Vp;Owh6=z>SKysuI5c8T~LU!93+yxIzb_==W$9>xUG=7i8eAOMqAkMm4eH8O=K zgz=?;(btW@yHKL5eikz&sKsSW;RG`3m_>)(Fj6I^Sb1rTquie}<<=M^P0J^8|7jx) zLWo2#D5XgUBtldr-rp9at`s^=oe9Cr;c@ech`TKLtEM_{Wv!a7Tw$c)&1yY@a3t99 zZG6i@j&&rC7oiL{N$HEd$!HP`YuQj;k0kdx=u}Jwqu_7BH_H8hOuSo)$jEGnDL~NL$}do2YPD*u`K{fw=`VuFT#vnO>M~`t++O z>K7oZUvr`Y=>UT(^@H6IZq!fE8BsHsC25l%=fhaT1 zGYTqmw#4~Gzj?I1sTV0qFm#dpov-^M*Lq#3Xc_o>pc*gf`BiT4E?W7w$x=mWWb3VVEZYbhch|_v$Xq?|y9tjqv zqm#W#CsNJm6ViI|$0y#QReJS+q3JyRs0`jNobCBTpz=`o;_%4cshbRh#-8nha`BZ+Qy1vXT8*J<0CifkC1M=173| z79uY?ZMg+=gvhEw;6ZE5i)ca5(xQbadgH)UD~^vdi$qI9SMFIK4k6ec(?O;EeA=eH%}~+ zTK{BE-`W^|K0emL&Tu{R}W347^sw9%5WhWLP;rF9%4*^-_Izk+JCCf*NB zS1)AAS%;ZucU_V7uk}opb3rs*3v{aDW}CBZ8>0N)M0U`Ck#ny`le2LDdih8QWJfb! z1csgHNVgn{kBL0n~E-y`=TNF`uEIy$;461iSxTxcIAfu>#VHsa@ks-an-O zsssD?$GZ$M3q4*@&ir4<&2Pu}7st&2B-n&Uf&Dhk|Mj*0`cWh1rKg}IT8;gi?BDbM zhXk3h5hlLR|1v-rw}#l>)?J5Rbh4 zJLvmw^!L|~os_HuAUs_nYy*lt1&=?!omH!Or*3 zPe6eHr0c&)X&d%`js5rEC}{|QdXSL#eE%P<`L6(Zbn$rTN@&vzBBK91!4)K6g2x?! 
zpD_Qc+5c!5DKtPkPy%Yl=wkjm=)ZsPaNz^gD>DtEh4){q`Iq|ndjqtm$135g(4Qw5 zBKc(vVv%_N<-Pn{RkLW}t0*CS!@|P_0oP{Za5#DO_4WDC=JBzBF)%P7lgWYhhoS|B zhf8K-a)V3!frhU{@Mvg(7Z(?9*`es?=i+gsKxSsgc7flBx5gRD*H&5`;gl;hc>6<8 zbS=+6*xG`*=DQYLI~(xv0q5ip#Qrb<;EC7GgLZ$CVFnjaeyE?HUzXb=l$Dj!Q%g`w zXJlAd-)t#i>j(`I8!Ec_BH?*+m263-yy&g=hhFRYGbvW|o_5W^2-_m|2QBuG<&mSQA1`_JoRwc_a9`N0y z3e7v_FpE~4K|7wZP|W4dMrzBimr*xI*C%qm0U~h55|ESYF&k#+elWeKzGC=C$aE6V zNXN1U{UbDWgHj}q71|H}yb+^dRLn&GSc%{4@^%x(Yi$WiNx8pWX-)Y%)OVZtA2`qKJ}9w`o}81Ez11dw#tulH;;%ok_d8)1C>J-jO&)A|L> z%4BptNplepcu_50ETvt2U7S&?mVNUlO6b=CZy~Xrhqpg6scjUmAaM z7~>Mry5L(!k$B+6>Qp@|4#AuOG>V4$#wrl!rp>NrQu`gcOc{bu*exH1Noi{X+%%dw zKQ#H)E2Qt`iag{!qOi&zY)V!X{7?n84c!9=K<|CY6-%;od!P7*6)-Qtu|G~PeEvkwE98ELip(u-?4k8!g(Fl)tD6`Vw1A0Ly??R)?niU6JEZrZg%pl;(S0(zP-nu> zakMOBR&UWw0})CTX zOK66Ra%ilej`?2zgo!c!TFAd)mZ5skPm8wU~ikl6CmUEMCJDECBfFXrAm15 zvnAGxhU$=Kt|u5C9YYB1R6_S7-G^1VST;0&d}KI?T?dIgZHe_EF8Ke)13b14W?tM=sc*|;Cm#r~|;q7!&}2hrD<4yYW|YiFcuwNYKC z9f4Cu0@u5``pVky4)NlV7QFuQ*1br}?>6bn+SfmT-@T%=uB8OxhW`2i&QfE1#qb+J zT8tuH`&6!~RoC-*2PwYnWL42mC{8o?&~quE_a|*Ze$c~b;|ngW5*;F0*-PW6xm2sS zSBjM=30cRF-q9H;pG@6ou2G_sF5nx_kKjD>rQujP!v@^1_i3*S>lPE8;okhYe2ggLs(wun^zkq|T16-0sNduUKn z4ynyKA=lwO#*fbtc9wIgp(yY<5;PfzCNxf-OI$P@mN5M~!$mmcreJq7F7N-)aQ>cvuCmm;t@FzN%auu>vnWuHW0aingwc&K`5+X|_@&g)%G zYY4w*ECg9H;)}`g*MAR?6Md4PQn0R>da9{mgi==gX*ng~_SKWC1M8icJkiF_wRexy z^;z2&Uhxxyfy?rk_4Z_;`0h7jQRaNHoLIY>SJKqkIG?--26tmrOP${Dkp6PFF^#6j zTJB>?<3|QEc}{fYf;$oKn{iWfdE@z=4aC8EN=NAWbW2Q&N{Dgf>@2uKZ4K{i9oVeM z`~lGYk#F}|wH3kNmrnXbhWk7P&6Xc$!K!GNMutlb{iXlN994p-RaZ--T*H`xLO^9y zRb7-55fVE;`Jr(Cm$nH`b#xL4MxeF{m34Bv;Ps-a+s-e`p1=s!R#64|tX2Xd$3?3a$2(jyjaMG&0=QsG; zRFjSFsbB{hq5>4b`@9lr%yjapm7{cIjAF?f z#atvMX_^c$?~B?95S>1>as}hM&Y{5+`#GvLOX8u3FQpU7k<{ur+-)GjaUIn`mC@zm#OiAV^Lu zk)IzrgXtsFH}VWqef8Q7iP`Bydd=mWnB)#FPS097BieqnKR8x+-jwh|Bkc_)m=qMB z7>$2^sNMg;_xf~OheNI1;RonX)}6@cv^rg4k_;+QZ-gC?MhABtBv^XwEDkSgn;5cZ zkZq3P*QGa&k34R)T&LbR+8^N;7Z+bxT*N1)2acv=6CKmU5_Bo3<5MVyJN`=tgd&IfM$d^WSHHvGiqL@GYrQxe@=|mb+jN8mta#5RqB!6 
zKa|;UruaKVCXR?p+7Z>a%E;965-*()KS&(>#vEXo5gs<{gAO%9EK1qqy zwcu8uc}Rp8ZJ)1&|9n!s71E?-NG%xTPxM+=>$ebC2^VTAt25Ho4FE^jBunWZBngVj zLra-?YkDRdM2s$ZO=ov075Y+LO&1hC8+e{f(idz@f~n^0g*58XWvJgv?*22!N6nwc zalh9%;x8=nUl756mR=-rl%{6inieQ1*}%5xjFqoT9`(R$@v&{ICSG5WpGJtRD7+w+ z+}9`@IeHGt{DSz7L+GV%#?!|AErc#`=w7YN`La?<_o1F~5OKWRLbj1ElJK$=24p^H z+>dZ0Lc@9edhs%iT1+ZpH;P9}WRaWyN;mxuy?L|{hZr;oY0^jflzus^NMU9j2J}-t zO`~Oi>(=B{L(4)U5>}L?(|n0WSd4?k=*MLwA;VnZsUT-R9X68&Wzs|h|9?W5tWdF48{eDjXhSQY`xudK} zSo{2Jq!ngkW5d@}CZe1p5G@JBXV;!#@7|4jN1cEpk5C5zT_4OY9=c1OAS%-? zx@=_~4TA27EZxjO{7(!8XkC;f@WcyayLm+7`0q5%zY!-d&YG8}<{ZM}ZKXLI9W;r{KfMAJGyo zP$}^&HhXu zsrfHZuz}&n<)1;pE_p!D{}EY_(fpt3lUV?umgMF}Y1@B55CE8hccF-v-i*B8M8%)! z%c?@Ca+?D`IX-?a1KeHo2Xz1_2#+`6#^GVIp~gfTdcM%kks8%_m&*SGq$Iq!fdB>1 zly1BRU{KwZ_^aK&DmnjGDgOS8=ZQdyuBYIm`j#VR`R7NxK&Oag0Kf)=kWjv>jjHIM zmEbX)=a+%OK#yPNQoafN^K}0ih%lv)omJ`2yap5w&;Wnr3lkF&8Pircg!!|?qj*|C zq5RN4+Ex@Ko-G;>{rRaKhF>GmZ=1S2p6ClY{`u|j-2a;HL*Ze*r;Fh5KwfBfQ=oVl(b-E3xD&MYG087sjFiGw)pO~HCR+s)W;d|7Quh9 z>w*yC7kJ3!U3$nF3@6Te_J!B4=;u!vK$AqSUcXpX9VL9C5HFVj7AC-)F$nP#PH)bY zt2a4NAyZTD>PYb(VX*t!CH`jZRRoWB(>60WQqumaaE_H4R3~Nyq^!Yc0#(`vR?}a~ z?lcA(H)Qz|(N3}6oG+H(HpV%{@h@iac>E>Vg0PWF+)ATC8YZSnK&uhR}PE*UM&RJ4-C}?}dF~ju6!E zea_XN)5$m0WO2R-t{rI#uJH=UbFV=!ICgJYy5<9VBq$UKsX6Lxx823#luKd8_^zLCqu;Y-*_x;3`N>rOkYCSq0?btYo6BVQoa`a z(oF_&PpdK_?>1tqvz4z!g8**pn3;tFdOUgorSak(8T0PD{_VWJV1RQz^PP1=n168% zPa5*#{fwhuRR15UB@lyPm*NNon%ifvX_`@b`}tEZ2Zw0|9^bsQrChek36!3yARlzPT$`S8C~Z3 zG0N%1O;-No@$?fFRA>{-cu)mMU6iw%4>&TOM?nF(t-bwng8M!1U>{JbOUuF{3^@Gc zXS1!*se1_6%75Z}k;D)0=Tc~&DE>BoSuzMBZ=4%`5v%JwNUH03ils`VocHqPoyZYp zXy3nduX^q9k~(~UfL(6HiYK%4GTUaM`^Ll0pQpg#^QIOGsA3$b2d`-qft;~;B6qnp z2TDB#r@dds4ia>}!MO+0u+Y1lulc%Q%LKfu?iK`Op^4zSOEaeVfTkB3H^`3L8PSB9 z-2^y&PYy=C_hms^<-rv_5qOb?g)eRH;7KW!{uR= z)1{`(5i-veTXXNozy|&!)|`XsW4g^yZn?B$fk~zq=cJR6&WPD}&5&9v!Fj1!>w|q< z>mm^}H}+=EAEz3=nJlt6BMya&VeR_Wexl(pwnKJybS`jj~KRRPfy 
zU?^Y7MtUd%M3ZD78y*tbJ3M_4Z={2S-(TLJfI>@Vx|$qN5Ng5*-)cUBa`rJ!di%B6`18sqgp#!^>B;4K=xpH`g$37;tnc%_z-y(EfBc}hd}i#J#NEux!|l- zI-=QiNJUZ-wG^T=?(Kb7u`}>f+xw1_g^;(G1Z3NUA!B+cavS#kyfS z6ppwaq%w&W#2z@%DVYZtv1FnGltj63`A!T>|6#5~YueTHy@zsP*|swzeAm$Jv6-VL zn-@ea_8ebV5apNIaa3M#pNrvYa8l(KiifR}vpz!!&h6C%a)(h%~XDS&+5* zsR=&`<9j#7FCZAb&4mhox5yBtyGBQ*+mP>69z%ptm!jFaKE%yhImLc3et{#v^WQWV zA=JRdVqUQA0cSAW=ns*7us;GVgOgJ&9Mj1+&tt<*AmaF0;R_Cr>jy$0R6Ke7EGE1h zmCP#S=>>IwpQ8yAI-10(3@LEuWO+qtXGamz^*-LUPvCQ^QiEebqV&_e)Wo?K|zok{wm zpn-rzH!66&IM7-Hiv?6eQX}I-ttqf@tS}NbAeL=&nYM4%W3F2CyX>qZ!%|-H`6DTn z{6rMDlhIrR`c@ZGSn!3tX=QiGOcOS%`hFz^5$q3s;`_trlPl%{?lVB6)@lo?HJZ?yuh1NdK}W&#!xjsY+r7$UwJ!8U zjVZBESIJIltELAW-+uHU@XPc07{P=3eok$*z325`na4n?WDh@Q>KV*au)f@ToN(HJ zzVSYhrWIw4qc;wH6mLOSfP3DboYKT)n>=x5G1n?3OatxHjxE9+&qC5VRZv%27Uww( z(41T~VVDao9-TkizMX>+3}cIk@jnDGRt=!LUt>< zdaAzQ#4mLSqRxS=KhQv+ymhY)Qq8CWXaa2WzYE3PT7Fa9G{lBm2T7!T-{90pn2?1u zqquR(r+1mLjq1&*J_*!$`7)(+j(WFH|H`(fp4ju)jUq3gsQL1YMU3kag!Y+L%xMGr z1R_56SjQiZy*Vc^(AvR-0QkKl=%efTwnExTV*^jCngMNIZEc@*@)P+v6(u|xPN=OT z(k2#8#CH zckNGnAblJuHxXaZM%!Jx=7&DpAZMCn?J$9Hb9f7fFwr?a35Zx-69oTC@>e}Tlr|*c zJ8r5rXP)-o9uyC7WFilv1N93Sc#ocJ{07R$oHSCP$aTxgw;9L-l*TY;zIQSwCCPTo1~2f~S9H!+BT6DmXl${JD=C z5wJMUJM*z;^DdBWAigO+w|?S3Bq&dJ4#wSt~f;USU# zJ&-cB-xm?1{P%?capbt%FC%N7UXS~`glv6!K?@R$4bpX9iW-!#Lgcza+Q9s|mpn!h zz3Q(&PjPRf8IWhcud1%p6oqFi;_9vMs+cD#m~?6?O~2;_Io--E&RLpFOm5OGP$MWW zJBqFkAYz1Wnn{1DmUh1>(hKfdeKW3|hZoIV3c^Ei+9BW5p4(grM3Ho3;@7i-X3hwU z^Y9L_!6zaf&|OU9kwDxO(cW2LXER58o_84$G)}fziAJNz-GgHZ58qW>pKr{0(K^ut zV^7E&h>|HzfGC^S^jhcJwz4`mNNcR?_fd+pT@*)3%=o!1GF+G+qV{z{%O==BAuTPf zPV-1ycsEJzl!5xb%5l5X%hu7Ug}IM&GRtGJ4XIHej68iW%Lz-B4wCx~8)W~fGOM&y zz_k2bUj8k;^pG2Fu)R?4@C{-?sU(uxUcAflI#Z?74vOGg3hrMp)s8Z->RTs!C#;vp zf3dEe7#;-VU>Kn&38PO?DZVM%l0vaH4z!6o+x=MKo-1fTq?5D;ghFTbF!xiU_tP~N znl&X7TCrVt2)R;VYeK#OHp=$L$PR%AtEF1yl!)SSLgLK^%Xs&7DNTyqAmOR4x`jcq z_+a&=e8+}XQ+6M=p~>xOENsp*>S&s!PHB{LQL6;muHO-k-H)?0`_)xCbOJkURo`g* z!)N+-ob)G`lFc!XqZRf8M)E_0I3dwQQw)`X&cl*@*vJERwctILFVMEcSOlAc_>;bR 
zf|so>>-Ma0Rl)zT1(!hnDrHEW(MrVu?ZyvmMRz3Gw7lwj&YdDg;;W=4B6sfcu9%)p z{;~#A9J`UKk?_l%NggzU@pZ0Ax*0zUeHhpwy$^`5Ztei8B$Ta1Of?+%W_q=>x9YM` zy@-1n5!7?20#(Re0UEeGKPiQjGge)c$=+6?vb|F=ZQQsI#I^2(Vd)_UHC#9Zb*)7c z*g|BnnPr}Ola3`Q52`LS>sP2rxHtBxNBQ0xp_PBKy%GfVvtQACW@VT&w%C?Km*C8G zH04`1OVw@(!x8Z#`8D^h8q=MbA!;PMH$E8t2-bDq1difZwezAVbQ83j#|HCL0~59* zCG)#9jX=Gn3gl>Od`#8g@j(?KvNu|VzO)LYA13wOUHzzzRO1x-xhul;Td-tdTJ|3>HPVK@^W>HyMTfo z-ncs37$h3p?gfbO7MV{YOWV+#zMeKNxiV@^M z=Q{)rkeXHyA}ik9rygms9cpQ=s~PJ3 zWze|l_)2>z9V?WQhkRAw;Y29nyMeiMLsEWyEgR-6e`=4(p|Q}udTm?ME|dD?v;`+} zzd-8<&1}qxo}m}x&Rj0#lG#ENds=6KBcerisQx|IqO{%XJBnKsZ^52BlQB9+s`9`g z{~%NL_**}iQ~P&6F8o$PgG{G=f{aQ#a3g3i3S~0L<(!Csay$uKrn~n=b|kNokk?30 z?@?HC2q-9WC{*gAtiA7N&AU^42@9oeDRZ`D;-?1Guj0q5Dai%W*B=d&^9@6q&zt!| z@II4M7vVK|YoG#F|JVH$|5F>@xY1n}qI*h)&c|`1xodU?+YKY>Mkzg> zdE+0UJ9qA!kR(1rx|8hf`TNr0oi%SM{&eIt%8_ySz|Bv@cql?H>iGO)8M&%Lx28*Y z()!Z`%VAN;g> z{HXewY%(4)?>$?QjHXVu7A42UQIC#8d39@X7|Jq*OzW9(-RRYL`ABP6`_r`5`S`nJ3-C+)V)KuqjPh>4`6%)r9GH;RhbPWwN8>HvVn(owZ}bgcbFd=+}b*stu?vZD$*8Nu>CcvGE&0^w4irAZ?vY z@b0MAu@8kh;zD4@*K`V^6Mg7HLh^JBeP&_Emp{rIOcV)g(-aQpXvvk)+lUNLBvl%~ zW8T;+3lnx0z^45f&r$Y??(ME?hIw(QMuH0RsQVnQ9^K3K=-Q4NL{?qMSeeXfofaUA zaWV_$gx>Q}Pbz!A!=q*|AE{3oiDp18Eyh(6jJ1>f`Q18;55i|0q3Of6vesVCncXun zBReV7Q(S|`$@OeTmZjuTVz8`xwr<15#x%SVUHo;18{E4JQ2Dy>Ttjiy#3fVoTyDE1 z;n4Bi(^j@8IxoNFVg{a&=LwOvOu?3x5!@+?d0UtA>`PrXSf*cX#r%zI`Fw1Az901@ zN4%B9@5(F1kz&*5ysbo#;WXw1cmA3)NV*)lyVdxP8Qr~uIc>fK5&is!U|VCoh_PkH zC-k6P#s50 z2YM`069Y0FSrNwS3;m%v4-%M51n%CX(?1Fg#pE>A=iS{Np(g_CA!; z->|uuX*qKu*Qs^S%z^S!DF#;Bh%W^%308_Guxpdr2V<@bl^us4c7PKHI&bIsd_S1V zXi@+()@=F15Ae{nXLwjdz0LXY+Nf-WLt+N-3U;Q&b{7%J=6OLoBsABP^c8$MbXt#s zhVsH$GNl`1Em}*6Pi0ccT<3&^WbU@HGi2OlYFei))_oTpb{<)*)@P>4SZg%Fk?;)@ zz9d%U)DteQw_I6gHS{e^8Xb=wh@=NpGQ{V&@ty=USV`~0J_1xy76xL4ZAIWEUh7d9 zGO6j_CfBp3r8qKIVIgehg zFY98wDy1Ef*0%YGn^-m$Pr|I&e)km(AxD!A&Onh|hi0B6>%|NPXQxG$ZNs(KT^~?C zqSX6D-a#sB-o(J>8EdO4ongP})55{i+c;#+U@R#6HLvtA$Q3!p&bN}~muTGC=j zC;|!b4>fi5Jh^<~7MCl6w})N0LRk}wC6Q6eFSZx_fMpPuT6;Vru>PU 
zQ0E9D3PL~r3P0ATYMNQ-T$L1{3IF;;qKok@eyXNbi*N$}y=}Ozv|jX?!ZDp`P(jPB zXE?EI%A_FW*USU}%)!yyx+C}6vCAQ9XCY!L8#p}Z#O>Y|-4 z8JleGEzkG7`pSgMIMPz@2QAlkXK@xZZMthczTO@N%}!JK!e1zf6s_vM8XCb>w+-%6 z)riJpDWZdv(~|Alijh+R9300W0stDVqliRMHMVi1|TyZaN>(YwvRh+B=(Dn?%(I{v+N{Tn zYQ*_@B*Ylc;kDA+_#bx$2blOSv?w3nqVKu(Y%j?1jWPub8R!gX5%FE&e2~?~3Yf(i< zC=!#o0A_My-9blzij_!1q~N_VIO+JjH}D&6zT*b8rBe0CvoW3B7drlET0F>LNc@3;6Zlv?7z}q7IQg&Ibj?D?3hczi?d^o`XCzmE?L9 z)t($prJ)jig_fV@E`G%p=uO|}DEB=y_WClc!>T(y#mpv-mAq_ziTo4&4sn$dsc?)q z3FOZvrby*e`qfT}fhRKk-+JLoA?1^NtaN;4uumDrC#C>SDb6$gkA=qp(k?1C=oR^E z?*F>VCcwnp7U_c%WLJe8PXF}>-y(jGr}N?{lPZdg}^W3Vy2lzpY zNj|0)Lh0k4&W+T-88-i#1VBR%S60Uj<-3KOW>Ogo5a$z>uALnN7dLmg6ThnaM?1ji z@ZT#*OG;;n_@7 zT5QPw3|xs80gz!Ipqo7b5UOjc5{!9*8kDP=KF?N2Q#8tv|F&q+2|jA*`BV=UZqW@f zifG%)HGck?{jdpRn>JNhnnj{!RS< zV(#zG=LM>#6ZTy`PW2YsM+S)QA6@(p{*1rNm1AG)xhfCJF}?)(7JH382Xuqs;o2&A$fL<$j*f;piiB0QxM1rUuuA%Q-e zWX>4UmYeo|eGJk+M7e*EG*qk%0qsn%qPwmhZO7S5_q$_0ULw>B0E=1a5P~;%I?*%R6 z0IE7v;s#gq{woi%$Uh2wEoA~?zf{;jF#J1}?~X)Q{JY@YRA^bc8;yVx>n~M%5?v}l zzo9sN@4t&8s|1k}NI#aav{+B0)JReDQ*!GH9x&U^RY8hDsVT5#5JeiqPkEM5AquQ$v=tzMIrDF(eECirZ&4`pV=AocfNRr_j=4%1ENiN_gda|f$9$$*mQF0c67rJd;h1s9; zO)KqBXw^8H5wy((J+;%%s`tP(F@{C)!Nr^JVEG{CNACLufGq=&@Ke}OYb|iPdtJ{b z7UZW+7c@}fbA}!tZ`YkEM1ppZ;L9?s7iHt94Ym*QxG>*5q>0v=%s!>2d@Wq#bhWa> zbH#G;?IY{x@8y9P)6yCT5?yW3G1cjCv5x%BPabUFK|3Vy`cRObwrP)_>UdP^+!C5# zDAepwqddFeE#BI~y^u_Dx}!nHXz~q@J%a!0o@DrkE>P*}F({T7&?w)6MSc+^Q3PZhq|7inhIu7xkG!s`be-IB-e>qS5V#YF7k0mP6+6 z44RgFm32)hO|m~seOJ`OPf^x+);KJlku}8JK94V(PlHSLctD_Q&^F#>$eKQd3_P$E z$acr#qD37mP+#8lA=p%cDmqzxhv!;|eX1*}VJs`G<&(E$k~ifmo01d52QZ6>I41X3 ziTPT;0L%!*^h)c*KEGlUpOQQpx0k?h#IQZjHDyC=?B;IeXC_X=RFsuN0JI`cJZ}$!HX+i zM^p+WuX$*Ak}+;{Th&a`Ymp|iF%TQVu=3@$Nu>v~V9t)sHyoXxhl@{)}Q7p1amyt@1hRG;#CiMUOtUa+Uid-oOPxEfs5-rqy6j)k^X77PGmp-?$wi} za3$|i70J21zbukh*lv6kt}Fy_t%(uoiXv++k0MI#IVBkEc3HRa@LnZ{y5=VhNK zNT_~ZqIo?SBMnJ;p-@yckj`U`~_VhC?IQsJ()$8c(|| zD?5B8lh?U}CVVNt z7o#EYe&MD1Qk<4j_c=WeOkYtVE!WfrTS2{ZJ_6|X9C}QU5|i-tDFZfPwna2%E9>R% 
z%f8|-EWMdeI@oGRVg2`jSJxTfRhsNF%Jec^IV@zhn~+qG`2laGiIC~2o_>xHcIM5M z8KEsC)4DJ4!N3d^$4yTs^e@(nZW(PPw5(O{hNRF~kBE`OrY~iSgD~fQCp!;GICWij zAn*(qQlQr17caWFbj+cs87NbA;dia2S^b#78a9MYmsIx)Cq zlXoa1+e|js_QU}jRwu0A_IHit0i#2rFlJxqB?fDa_oiM5ec*76Wn0luv;qmCW;-e! zj=3Y`5|sz^4R*yAdF6@8wm>q-{Ry6^4SOGu%&T ziueUp4U;cN!9fG3( z*IwcoFxUCE;doGG97O6U&g+x0U|gMDJ+cnQ$i$R@lrtyAbe`3~wje*=E$Qz0Ag}XR zj;NEObi6F7aDG7Q1jMByl#2wmiu|^q)Xg0=UT{ILcOKNUnFVW#ar3tKJBM{o6MW&% z%0tiggnTt@s0O=`Rmfd?F+1*gsL>X9Z>7V>7`c(XVFgzBTjh*@`tq;6chGeV{y`5N38}V2dhs zU$WthX*jmW1Q{}2gf}Qihzz%(IF_Pvo%}2}d);CV6d6f$=z@2mk!;o>gxSK}JEC$E zlWNzs_hxp&xu?P@8j$u>Yf3~I-bUexk@t%J>^tX0wmKj*=R(DR8jt1~#@D{4u5~-? za?;YTdRYjkJmC(O*kCR<9tHQ;nc@3$R1No#h##G%C=JK$#-ZdLcCBS1qtC*H9pNC# z(6L}@Xp3+S!ymIgdVaWU{j?tSf)I~pnQOAcyy94k_QEW|Et>V&D6|tB({D60ggVT2 z1cBD;7SHXgvfiPI!6h$d{@E9qp7lcw-QnL2*k;pu>#n8j7dQ$NJlg&L#S?Vt?mji;SS7IB{k^=5-O;OO90kqBqU-uV2 z8$#dApByZCGV$PS;0~io4uy%vYO_YX-6}W?&`Un(em-|C9D-T>#J0T`U57t*ZZ?q# zDF3V@I`li9)Bqf&V(GjyBK6fXVFC5M{`E|&qmifUA$@GoI_P<;^%DyydVnDq>-ehh z(HN($l%v@GERaAae{Jm8^BV{RI$a(Q0qmIYPEIcOmLS|+orUl3?zEs!!{w^<-#PB* z(7iXRMP?2i-KmnH<)T~yPxQUJF+(<(;Ib>ihoY=m^?T}O=PW51`Mx)a(KSIICq2%@ znkJ(VJQ;~=cDu4Dx9$celTPw~$^%rNVUxF{igDVl*}ksJ;bx%-D#=MU(YN#F9r*PO z#;82j)|ccVkgM4Rlj9$cU|kr`xUln<;oxxB&?os*wSrPjKTdb| z3>b-J@7-vABdlJ<6_Td8`fC3Ka#93Ga>BwL?r>?|bK=W%#5hF}NLco9z8nqVTYs_t z{8OV1?WDi^>&1TUsx8VS<8b)98^+tkh0O$e!CqA0g14HfC(1nU_twZnJ&DWb+bj8Z zmP>zP^l#6TrMq6U@mHVRlP#csc$#wEQ*_wx*63ba3YH+j-@7yU`BggBLVJS8XG0C# zWkS&js7@g5*aok{%UB6aG%VTFeH@w1KMrY$)mk31j}PTVG;OIy$4qOY(3%ca>_5HR zSu3i3$t7tm4CTC0>xxZm0D~Kptf5*K1h1E~%3l^38zXPb*W=9E;v!Cy`(t+>()CP> zwY}dK41N)v^h?aA)U?mo79J`=zN1h3#)SSGb{uX22b@>PKdkQ>`4~2H=0|rD(P?Q^ z*Gio5f_eILF@f68?>ke$Y6#I-&1Xn!Ra_1R+S6T=VA%>%Njk`72 zC=!KeZ_QQE9yRu#wwZP5)Y~B6@2>bo@y<{rtdM?vW!{gv)dQlBw_S72)=!6*vd$qE z*?$g7J8>dsd^MbYX|DT%t`P)Czb}n_yefC@DDLB*NqoY!4L2hJMDgX}r83rG77B;c zxj$SW+jqQC2PP@`!JauWS_gEewM(kN1=A5PfR8~qG_~BWqm4(HuKqVx0IdmgZ}zZ^ 
z-lCrx8;Yy8dKu{j#Cy=~Rn1(Xz=O#!=tLr4>M6VLO!Xlj%WJW1VYI#4xdfhRdLmS$bR4SjhCorbMD@|N3ES4fh zJ?8GPy$UWD8@ytp0q{Sc;W0o;^dT}S6O~l5{T9be$;+tFQKJ(#N2LKY?&=UC?&Tr&SJ}pVL{$Yp<%M}qG-}Fa##N6RTy+J) zc*EZm6ly$NjXS6cSGw`;OG&k8EkEwAZDj^Vr(Pfun6vLB0yP=TjxE}=E)j=H5;|2M zH_3jW&*afkqfHJA!SG`xHc6_Pjj?WwFE>4zul!i{*8)Rv>pn2uvJ79aB>kQ_7qYE0 zPpE5&F@^?{W&?2;o01NPXT;(YDZbpMrVxIH$c7kx$TS?K#c5-s18p@6?cdM2G}CS1 zVy$kk2G(dln2fg1!hNl#X2w(>sJK_){3%Vo{0clx2`fkp%4rM@+nlh*09=#D1GE7% zShMS!r*TCJ5U;iYVf}8mu@s*|y10a)FAu*4xEVXuc{!2s45Z5N2102uOtirnOe4rI zvsEC@PB&=-PRxD?ZnF_lZ==KAb1E$)lQfI#TJ13Llk8i5)%l|uo6}rxD+B6Hw7SX) z=1Be~qHj^lP+pGb#2D;u#_U>T2yr-nuUr&KfX)rXj3};VY!6X1fiGvSafSJm7Kml) zT|mA-nuBMPq)BJ;kOsPRAMZj@~`o21&QN72wQVH$gkv=mtA{T~T8zKEJ z#3lvTTrMX8>*<1}FTzcHUhCj?2mN9~Ds_D6iIU6cmjBvwp;~W)XC*W&%Dx4^0xnfa zZhdDI%9&>5hCzT!{EK<{NF~!oo?h@#uWe;IG|ryGl4DS4OuX%Q4yx8eaAXFGc3g2! z{7MawCgF+6o+64$wt8pt*SsWsTb73#=^L99PFAM>R?e)z1M3#gnGiC06|pyoSl5tq zSvZ_~>{*`~(^r3MC0k(OB$V$I%ti{D@OnaOwHCf!x0W>w!jUPau1h-ECVskwDoIGN zf?r)#71ZsL!*|!5M|RGrbS+Bh1zq$8I2n)oK^-WWVY}a&;NaG?`3=&@`}gIBjOx52 zsRSH7LC7HTVxxMev7~o&`a$$0+%L`{c=L!Rp$eMs0>V z8+*!BzPhHBuJWHYw_INbl&>cNiPZdB_|ma3hjMZwQY(`hQTE*cg?xwf_)P71BDbH- zgEPvwaIT9^f(a1!6u;~2p_0dgfX1->n+OoS^6456aOGggy&R=8^5Ah}hv;d`jO469 zqr1^38yJn{*7*HPyF>qO3K7U14auRJ5wr`gcUH&ecc+Vyu+4~OlgfOy4m!^(GGZED zCWrdvJN&dai5JXS-qPDS57xv86IW@WA(J#~U))t!NLtok(z~^a*qlWXSXfMc`9D*X zjY@A#Fu4Pg2w-vT$sY%K{~DiA=-*Yp-bc)(d6*(ifo%l!(lV)AVnnt6 zk`@Vn!f4p8d%^8^-eTF~g=^Gs$p001u8;%*EWrdPEgRO6(fiFzw3rMit1K)6NxV4{uLpW48!UZSZ zMF?bjDaYZ9$Ubdicye!>QqH>;w}XGC%e>ZTyFc62gGgwMoJo=jQ>7?ZY!*C+#9qmc zkkdeM1fFdSROqeqpv3;w^~|ciqE%ejTxaz4G8NXwY)8~xx-y^j0ODb~MU08E5Pu3c zil`r?a_ZzK7-3kcy*SZ}0Rd&J(yFP_0s0F;*9#c_Cm{GCtBtxZ%RU?rBCOh(373M9G*eDknRt!Fq2{HhG}0A56{kmVCq#|$lGrW-`$8e0-#}h)T3$=4Ao6v zRiQ{4Id|)iF&-?f$i7!2fjk<>!5*=kXhB=ZcVxLyps{BxBpS!XB4w;7(E<-HSI1$f zs&Y`Up2yIR70DZCWLZiS`Blz!B(HY1=i@JaEB$FU#*p~DdU6wzbRVAw5z@H{s7iV& z<`wkn&QjN<8c=y?jelKZiF^;~0TizdvoJ=hM%bnB12lq005$UJ9uU=9@51gRuYKBn z@VeQPPV1P&b($_|kMOFwXHqMR{T7R%JLY>Ag 
z5kv+~tFus4=u04Mkrpefx=H#J{MF`{rr?}i&!r=;yozkPc)2=*kI{Lf#w7>E4M6j_s{xU61_)@a|%|=5*Widp}B4*!K5T}=r*NX zV90lxEvvo)m(|`pQs<%-48{~IGG@cdV=mO2A#bH?5+F6swk->|CA6CYK_n3b`O2qq zDR*t3dETwSzgyv!o*5~nua^I&FUcjmJ^}$0!Of&m=axl+71t>Z4uku9y_*yFMRhN} zyr6}WXf-6{i;G*x58}jMRzxJqP+E5N3!+N%L%U6|fFLDw-!UIviA+dH*kDX%-SRWN zye?bJ;QSrs8o(&?!iL*tZ~hJB@0$-s^Kzm4A!_57l7y{HSvv3D4=(er4?Mh3j9{*W zchY4gmL<8RmTtH9r8GtIdQFATu!HN%H)Fvh{5c&)WR!_4)zgTa?Ik5r4!JKhB;Q&a zK(yUZ?G*Qhb4}aT)LrEiu+g z*h-S$Nwb0#cn#)SW*1T_ybHSdtRk%@m4POQE1CR^^r%4;h89oohk@4kc}`-kPJ^jrtP>zyeP$%Sy!Far+WicxEhwP0a0?stmm`@m~G}Gw1>r34h#c>Axe-+g3=p zUgudQ(|@t;mfC!25{dWu%4A1R9JMco5UdAGjNr0TcOFpu(+j6j-dM@%Ba zp~~v?@T$Xr0<-C^FdPmmS(*kf6%lAkMPUqPDG-7S6Zk-7y4Bl_i8!$E&-HH^#Rsr6 zt1b|~J>8Z-OR0&~DEv#T=ec|2$h8>F7yN1lo(g zb@WbDVl)F5w+lKI2}T+UiB1OiKou}J!*tzPss0Dvosj&;wjPb+6z!;@DU3oa`9q|T z`~eH&;VqOfKfpqSooC6MlMk@)?j}azAEO-f2Q=!NbLg5KYeT28@koYHbpAk_6n}S= zlpP;3C@R@U-5CQ90s2{SQQrRp+bPBWGoSJQ%Y2ZiMfH-=j`W&a4>U+6_W*dYv+O=q zP6!BqZRKGMn=|?{zyrtxQ$0)k3lo$P0NnsUvD6tf5!K`}RX9}>lFNq=_~+_Dev)2^ z2*4hSSiBKE&^%Gk-8$1vVB?=vq4R|#{NuVHxw#LtDXRW3{3h8$^#>A5@+tq82SBL& zB@c*{-2u2(xhI0|rw?}rsGbzir^Ev(4SldJ#WQmol)*Qc0Dut=2oMK=sC+DCVo(;L zF>rL`r{$aBpftjN<`O5+#T_c)0>Eh6Jg4$vLaF&iz)JofP^OYUx`kQ_0Hf*?e8_-E z!2^Jc2g$`51pk1Nq93a0`dC!&%YG_f<8y@p@b5o=P$?(N$Wu=70i-2n=yRv?Jwn)U z)ADk{{!0k{A3~5c)8amrXNKgl7zL#W{{y)W`s{kL0Z>WYD7;`}U?pDwons*a+BI1_0cBsSo~M1hL0pScEY?st@c2z$H(6w*>xDNhbk} z`nXqSHwJi2P*(R;!TEQv{~NjP0i8(V`!FjFO0EWqvB+1S|91b6fPsI0#1rdsoUTct zB2W(fckIOfg{{lVfv%t{$q}i+{%`Z8@Rfcvp&+>bpFsIP5+(WnY!pQl;u4CH(W$8+ zK)JO-Zww3!Fr}vEW&mhYemgxhG?b&$^^b`ElK&r!>0$$gd)N)RR<3r{)z!gcVTA+I zpGts{P*PI*LyS#MCPpX&9$fl&ck=>rAi+ExrvDFP{4-!7Qcaprm4mg?<}e^h?AE~n zn6tC9s(Mlvhunj$gF^tFdSO99&){I;i2$81@?OEu-dqLpks8~8^n7iey&}SEL&$5b z%?iJpLkfJC0@-_8{AbLXV^lP+PkoVh#dt*pyI~1R z^4N>FZpM%V_rHdwv^Z_a7*NHW?YB#i7b#Qnle~x347SFm@nCR7+$HE>Z_syR7&WJAa-a^WC2!-ZT@99rKni5 zz$AFG&Ca@~%YwVZxg#R0yxX$;l^;{$0JQnCRCvEsQ)SXb` z_;;T$ne|Jlv|3}H;K@si;eh@8OmO*8*IFJ4k(;St})&8#a^I%=3=c=2g_h&r~ 
zc8S7xYr2oX^S$2YPY^a-jL1Dpa2MCbp?r)kYk*_n;)?R+YNTnC&mQ1UDOUM|{MtW7#s;OHVLx?aQLqM|&# z{ve|zNvcJp`ur6oXx~>}Y@uoeS3Ut|h9chF)AhQGZM<oHslmL%%v zA-ndcmd+ZKTd5Fs)*XZzE?Al0js3sgmS=2#-02VUt`UCf26M;1Sv7Kaj(Sk zPiTySKF-{kklPAtC@MReh_l? z2B-A_?xITrXwhVf@mD{+2L_izLTeLo`K_@a=S#f@KJ#6Yv((4 z#E&>W%n8kDwYDz@><>0ZTs%*<;Oaj$qtQrcly04ibTB(BVESK%dR6N!8(1QCa)G_- zYQtMzxh!#;qT&415{f6FT#`?I_qd+Yk(Uq%L-@@y>EC{)ha~IcV$8a>jL0zI!H1by z+^h`A4(`@f4XzudO*u4z(g^LcN31b?!FK6r{?z~Ka!GBMr=RUlNpCF?u1?iX`Q1$0 zmO&65;oi1|P$VixES_ZUta2D((;%AgltdXqAi*XXP{(ggCa1XE12Pek$HCO(HKts+ zQj@MJ7$@nM*ud;wlFN{m$!j#Xt-pRv-$GTRZ~Haj+pSzCJ?RKgs>5M#r(%WHGuqI3 zXy0@u*Co|4QR{?-%b_!E08EihSUqaB=b2*7k|x=)N~|7PR&pn09p-S9{d=}f-s94->`>4? zu+iNX2~E+UF9||jIVkWw3sZozlizl0B3$vxc|m)fPXuF#m>cBziMe`(V!?W&PoN42 ziy$|)KI|kYMPd)2R2R7yrK(ZJzyJbc49}TC1@=4`yBho4-FP={(rRk3>!8X{P!{*| z?v!PynaNCYHF>p{B&tE|i-o>Rp_`e(F0nx3qT4PKaBy$bebE*o%b!@$Ip6dJVILfh zVPfb{s#}m5gk43KtAw-SynMf8NCB-Arwfrt<8=zom-)@kQRAeO#LM-!q8(7D27HB+ zdtyLn^uqtC)rP8LbrIMa<{=~-__7k?<_LK1HbpfSuZ84sb;ZTTN?!zq;Xi{YjhMgl zT4pzQEUe{GYs(Cbn;JP#13PG;e694#Mf)SUbVIB^`|9c_*1!c&;%)v(?j+w`-aDbT z#xnoQ%P;Tu{seM`n2Zd|g!i(8V>dxA<@x;Os#0ot#2>1TCAu66cZdo0ha^1N-B_sB zLG#@ks<*@J9(49_O9Lk3UGmnuYeLWPUpF>`@NWnaTt!$MK0BE6dD&eF4B&8wnp3+TeJJ}#-RwL-A7%42knfC zbp^ykOK*vK0Q0%HOO0d}W@N0ND zZgXSBffW8vDlhsJdZXIycb)E&`586Z>_-a0KJ{EXu#{OZ-bN7;6+o|!Xl*&hH#=>Eui@G%K|FM zb~c8Ch7;O&lpVWP>sAxESbjX7PdU?<@RB+$7|mqwyUo-C;kyE(B8bLabYQ0j``2-Z zjTrNHFVj%mC5f3Bzd47ZGQznlbkx4mq|XvWxlTg+01>-vhWtJP=0PyUq$!nydA3Kx4gH34)!ahXerrfHC#Oa0 zeEiaz3ANIAEJCHzrTO&R{sDo=h};X0h=7X75a^4`1uE0Q~^c~s&9 z!!BL))8U>lj+f%4fER4P{edON!`&BgwQg z4hjb}>Btc+(yjF-##HJ!o1=y!u@NKfLEj?}7YFNTb@tml2~Aj2f55FK;6a8!&!q}o zg^+;@r>S;W$Y~fMnEi0n!0l%!I<5KXAju&a5kw}QBNeTj3RpZ&m{X|rW!FVonH_V2 zM7c;!dg;{XcrF%rBR7{3;DJ!qxiF;qp<(kI0sBPZw$OHZGw8+W7D83Jpp)?w*}0J! 
zHjx0=kh+-oh>dcu-oocRp2SWneXaEa*Q06-q^N}m2$&mGy&-uG#9B^d zLNm*Hf-+MW3N3Ju^JqCEeqMIsQwz3i#)2!oAFCm8cc`|B3rk|Vt8YjJC~&;5&qfic zl~@8N#RY9R_4H!{b}s-A*VsH}tgmQuWJPuuYQv+0egMsIt5sB>Kwr}e@@Kjew!$=T zPlj)o>f#_K603I4dI5BS;at4K1&+t%n_L8Ed{mTHM{PqmBTJ@?;LI(rZBmx6;?KKF zjLs0X&O;8SgOUua&=m2^$pUQ{$gV;KlnUV5Lr5&ajLWz5Zz&1c{%<wNBf~G zdFNidG@(yC?pTvZ)pp8#Bk6`I!R?zx^5>hc49)YbE|oD^GF!vmuoNzT$nsX0TL&+a z((0cmr>X#{jUJ~wNl*Of1Lz{iJguH$I6MNxlL+f}rtR_enQ_BfQFZyClH!4i=gB zG9F-HL{%7`9{kowD=d={vZV~mR=ZCr`Q!^t$5Q2z7x;2;1xP{zdlN$l6D=p;vPA}y? z8Hv;baIky_k+L4!@ljBcQFe)|Dm$XLt`i`Ek& z9I_f%MK3ncUs|ltXoz@xtka#onC|$sL&!axFB8u3J@;0Yi{?~MYlnsLhZ!g|K$!xs zWiSb1bIXu;f3;eMTX|e2R&9C6lS((Xk(TJ`icF8`S$vd}4LaKX^oiJ4Oz@lHKGnDp zAf#@lGiAmFpHOL)hDxgzuX9*x01E_@z-?K6;#r7=MzA6!1cS1rZLf_?ewWFr%LGJw)Rrw0 zT}35fUh~B8oPU^}P`vJbv#5^a2H&PI+zcask=}TyAv8KS&@R8a=Bz9VMqEF_fKuN zSbY0NAh4ztj1<-mXOdwtK;r5$F~G}>nDZqkfJX(E5SME*9)PP;0E+)j}K>eRxaJ0T%OD= zN=%yFt$v@~t@M5{HeOlMib!tQWhR|4Cnuc@X2DylSi-NjZC#LAEaUW|m{1zV)QV=h z1V_;K>B?gXq|4`16cx>Ic7ijnU(Tw^P-%Lh*gLuEeWP`&q0DE*j;>>O^A~P;{KnW) z9#6NIY1v?T4;m$9N^o9&7u}U*lWv2Jw5&Cd!VWXC;sm7dd$UL6{PpNftAaNzyx5(E zAH)rgBBLRPjy3yW`jdg%!wz1j8JOU&BGadhZ`jqPj6I`JaQ3yw$&`EZ5C}R>0y#&e zV5~wW448L$lSsce?{n{7>k7AmOFJ*?qD@&mVlWy(Bo_JVMfGHi`J$An%Iiw} zX!T8@0c}K~!9QDIEwEZ|Dru07tBn*m5!;OOf^q^!`udWp4i4^{>Jwds8jtoWNS=|THN9nVG&`` z1I2|3AiIp1I+M^zClgy)cea*C!44wOm*2lmE?%JrEshV3KY_OHu7t3+xZUu~RZh?H zwbS#wxzTVe5d1m{edY|-&1NI2pKMYpKW=7Bsz`(2%{A|Ks=?twG zrQEr2HZ1U1m8Ft2Fy~~ko|y#B6K(eTCdi>O@13h9@$00erEEJ3*M@pOhaDV&G)az` z3GI3-zBWipPd_tSEEb#`WX6oa!1yH+AyLCOoJGttuHURyhK_ud>H4mWTN_q%Pt8{e zQQxh!zxHckGFS=eO$SQ0e1`71guMn4=Iq8)eY-)>Y{`PH4*Cp!Bd_}g$nnr)KuTvd zin*FC7*Xs-@Z1A$*&!1tb6`fLkj_451LK(p;i3B?RT(&uwW7smbi35k$2phpZ?v<+{^ZoQ?EF;)?T%?vUuylb56v}5t1>YM*^0`(?oB~2@%{Hs@XR3yNF=Ub zoDoU)j~EeFQWm-c(6bt3((@t~Q{j(`4Hy@{GFg_();R_tCYl%ai<}Dx9x-hm_gt~`>dND{=XJbpe?uE^4pkM0|R;=$^<5b0In+|4R;EH7$Lh<YatB{bP7DeWH^SD>4p>xx~53ebjz9zXyu{~wB@BAu8xBZYFX%OCfFSB z_L#!VNQqHeqcWc+isT_o0l*?46-0ggZGdd)6PM*4>Hlf(Dx2bJx@{7ICAd2T2|8GC 
zhu{z#jEgVh8EHyQ0{wb55IsZD>&0##N-Fc!oT*9m0V{h=zh&nJj*{tGz zLT7OLtcD}WPP@gn+40r!oG^?sN=*x1E9!EGKx-z133)2x@}jC%%50(7h11C2)qJM` zf@AuAd0oK(^l!>bwm?L>n2AcABW?T2{Ed$7v2PZFu$sM0`B$I^ ziWsbZ2PK}3Lc7YKr&(>MB5BS=l={$RzDjMiF)RWM(TwE7^v`DEKaiN27|XBkh0tsf$ZG#A7Q(FJMS(lq3Aizl%5 z7pMdOb}CR?XmuuyjtrM}?fEb$?thn90uD!=*ChJ+qnAxN{gU~v#OZo`X6m@``^uRu z^uPomQ@*51UYTl5M!3qe zIfqcIt&s}#^jg17@qlvY(CvrdQvV|jF*o}0;WDMh9{-?_Z)Z9N{6rDYeV{%&sYdB+ zXCj^?$sQBv{jtI!kYKkKQwhwN2wNZ)cAolXg`8;@3N%J_(|%li*2*5qW|->NIkS?} z#+A*?8r#@PDE9cR_7)<=`%<^iuh~D1&T?qE>ksRk>Da3u^zn0c7_{P#C+$bQrwdD>&7bGRWbhO9-n0 z+HMRgw~gDU;gPSWdIA~W2KOSEyiD|meKw}QqnV0E!^ySYZ_G=Diehz!Pn5*->H+#Q zYr-_=I;E4pmPx(qAYmiy{TKj&Q!`O!>#-$f*yvMAvNz}Z* z*vIo{fSp29ly5FsUmesLX)NZIdTdyV2S1PcGljEjfaDLw3GZ(X*iUs@EwB_n^j#oe zxz1l$9rb1~IF;Uw-^K!|?2R8rrNu-IkzjtNhP6`IofZE=V6s~eyR3pTtn(#YN5OJ_ zflA?CJ^=ox8w<5&!3T5~DTC2&yv=qJ?k%l3Y*~wf=kc zpAYB@s%ofh)Fp@3(O}m!nzO1ltpH5zrs3!LgF}REX^vb|s%`D6(p(qwYD9H99RwGN zNTxPRtt;Z;Y)T;Un?RG?j2l)4EdG5|*xFsniP5afhn>Wj<)oo1Y(E!_FG-tDku!ZU z?VB57HquLv-a_Gb1}T4AH&t#9(N5(xdS6s;(Pkz@iN)X)!z;#W^8q{kZG4T3P=ry= zq1-(SaP|_yV$#lb%6k7ZVodXcVOe!6^^X_T?-oOU@d(NJy6SvNxqKzF6=ru3JeYtc zUc2*4_Hd~qWbV?rd#RE5_u|qzrW5+}z1--!(&j_V)>bxdUlDTQy>Ex~>#uR$sBZ)d zW3=3SKOhUx9kOzZWXmF&Un;Rm_P|mLfq;1)(a6EF?v{$%zQ#*TYV4h1mR zo$#q%4(Q<;zW_M-yK z%$rFRpk>7!%WHZ;Oghiy{!8Y~O3hJdTBDB{{M8gf4^b))`nzf|-m_VnX>h~+JLrX>&swCp(y`AA zH@KBR?g671>|{G0Na5JVC;|!mJsI}q9vV>?DIT#%p?vEzB8>KOuM#4&Tw}id~1#5bi+zJMus=5 zNTNQ!Wz-vvWN%G=HX*yu>SzuPSSoXoeqo%LamC>En|HI%>?68~hESawz{0*F6m+ul ztKALH3#KJ0exsFV)qcS)@Ee9v6(@unj;-hQ+L&xa7f-Of0LZAkabK`O25|na;g(&+ z0}zEr%+L-S+U0SlAn%#g6u%{ngvYPAhwDZ5{P zYo0!TA&}nhzgCedn`hSHM=**Sv(VFVn_;nDFa=sKWUC7#U$WOdtn=$-H;3VwdZs|3 z5t>_McxK}v+iLEvgUJnamBkC>!ZjNo)s6z0K|MsZs!A_7+mV(sAir)SZ%X5Xv&$Q5rYNC21z~j4?b-9M%|fInK)j-@&p|%9 zII5OiC1!)%Oh(H!pKQgGd~f6#t00x7+0!0-S?%PSl1w-l=;4$iuHO$-?b!<6sg7DskE-AS=%_JSoI_r0G8e{7g>AT6Z!}9=A?A=7*V~`Ok`98 zBPR-#3nm#6y2qxHfvRF>E+uZtzB+og(*^V^bkZiqz3WYYo`JSY0dv5IO0J5fg8P#- 
zW=dNCMo{=sa>~Hwu`HLdd?fHdu5hs+#C0u!A^|RNznW@yYZa+#)cEW#Nkw^|%@H?q zJl^|xX7GvPGpI0WD=;YieQqYoJJ?++W~KK7a3*$Jmr)mS6MDEi*#bU$Uc5?*!rr0e^F^0F>yTX~;8V z_J^w8TT1^ao8c_)&=;L8Ve{VbS+ersgonFT-ABCjXsFHM-}3{`?*-GRk0~Faj;Y1C z*qs*ZE(J4c4Z2teHPECAtZ)3nT>8LzxqR~%%UPZzC|R zHOh`=SDIjc+ZZH3vxHo`*sgaUI^%KKvXr2lU4c&&a55{30VImp*rhpsa8XcuyY3Mq z4o$3>v{l-vwXTB7i@HZHU>>|BcYFq~QR~8rp!rll?nNKDh=AhBv!|*ewVJ0CDq)He z7eC(cJ)?S?(k3p+rQ@3(MjISmT7aZr0L;y?3{6x^ZBOmFA#wQ(y(xiS=lyVx`w>>9 z-)dHjUJtG`PZv+@10@zlAzl@PS6ATiT4s60fmc=ohFK*sYs9&8eD*SGe{)KNQKOUa zdo^gsw3hGg+zXCD*|1|-1EW%!r=vuD4N@h7_1*hNgkRgG=t?)LHWsh_`4ZD$@p}gf zHiBz9yK4U6wGjZqpxZKWg?sP$pw5<$`!5Ajww6>zLcAN^l>Ix34Ll8Jx*KsdElIt0bPoP9Cb6GF=# zu?fYe~DsTDh+}OTwMuK zx@~;0Jbj9i$}_lYD2@?$#W*B-UZhWfw!7!CZd;(HJ}Lyi4@(N$U+75DBo?<7va5i0 zgG(W7hyG^GL%awI_K|0!DVw=8D}Vit?oz7L;QODB+xEaN-3 z1M6h+S7%VBIw@;qtQYdD7N*_awYmOQmk4~!>ixQl*I0e*XaD?59b(j|ze-|GcTON- zbZIqO;=j+qo&ajdV9^4mPB-QvBn8GD^yf~P|eV_R=4gc!+_XBO~ zPsz}*)^tA1Lcbn3g-|ThMC19V5AfuRxJAM!$s;b*UV|}?-iA*A3!7tNn@F*3U-gzTbtKHx}J*UipT4q=|zr2zhh zPhP2HA}4`&iwge35ozNVe^}KnU;8#a!JLXKi-FFQa0w1nHQftVZ{niR#=|Xv;CMv( z#I9zE?YP%Eh7x5SGwR`{O;8e9GFI|nq70t zbt;-pw|XxYlpdo?ji*#WngYPJR{`7u-d8%eq_^yWa}YByD|$o!w}-PqBqeiG9$T2L zb==?!o-R0cIf#C+`3NQ0epI)sf`-Pc?|hE(gHl^q?E)&D=CO`0U;rCY?9#I!B2A_l zpRGar-9P<;*9Ek$nMBI|mWHw$z@;(-JJzGb2Mg(gyG+srpq?3=OwP262c5NY8mg~# z-PFBUCH8uf*d)ZEdBx@kZ$n$9>*o|m-ePJ!b2t#A@I5Q3U+_z;nY|1ZSFC;!c5pkn z+hdMiGA$i{a6KTQ9>gvqcCmkf5&9q!-JoU*Z!>Tk$7Eekm^$ggm6;SBJPC@k zBc2=SvBO^MQ%GiTywSHUI1eF4+SdJ@ z%U%etF85VG{}cDgK)c*VL=aG}@l9z8VIwUnNNgK3` zr&-Ardly=rE0p1rptOUw-08a_=QUTo>AM;;L|0{(j>@viPs52_Tk|{~6vJZXWdFqX z{M*|DAytJd-97lr<5cU36L3qw#_8WJ9i{Z!jWOzc>lbNU$<<}crn#n!^moSi(aOKr zAFtMyC}ui+S3a`Cf4L4Lt4B-l&C=Z^ACllV7*e)IUbfj1w|Q{VWbCKUx3#*jdmZ`L z!V3y7-uZ{R`vtbIxx+hci#r6}j^XHyjWkI|wLQTlbG%!Eq$PMfipIIh}u0>t$J=qz=+ZWMXyEq7Tk-?nw%9){x z!4aU>fJo;Y`&d;=Ag7#mX@3un-OXydDgBgsHSZ(hv;JMQv9(H~ zAdRNFKrVHjcRaJ}RT*v^ZAw=bKgr%bPywbzg`0g3%3f9Nkd4oR!1t!nv#-XlSqWOS 
z)P2?aPR>ymo{ewL?+&@L_i5J5PP|vW#CJY67VE-vK(8E2gPA5lH=Q20-;Gw>kFz2N zbzEMUd1&_(X~bDnRGYLA?VqI`!4>cB?)XJS*iuvd(!0+*?r(j|zkk1(X_w{Euj>Ab z*xYgttAn~ibrgP{bOirxs}vJs$mVg#Aai-KTj3IxOuPLS4q7NSB6Qfw1q8R+L9W~f(xAE_ucoz}}#yf@&QL6M%{ zgH6j_qO2O{#?9+FKHxNT0_(! z>0&r+owiMmrLjBy1o!?c$4TACxgVjj08Tb^ze;hitg?#%#(>27l>%eE9Y4-~Yfo+7 zV+oBLe|M(5WgE5PlUr=x!YeP|y7Jd0F$#$jNvUuPx> z1hMq))w_$ziTm6+N4XOLGIIMA_C=ND0ajFdesx2gD{`n&j0^JQ*#fr6(b#(iHkKR9 zs6Ia0AES2nXe{0+TtgN-YRJfkQJRITP zdYPG^gm;+t3_wJxZE#KVG2~i;tiam;P22q&2j7X6+IASC$3T&6P`;Aw&U}oswOjql zT_AVpp~{+tYZNi_EK=HDizjQ+T@Px+a`FK|Y-`jR;EQA}%3>|30wJpK5LJ7NS##sV zC5YMCaTU>*9R$F&vihtJMu79x=t*bbx0Ik6R>-|VZmf}SMF9KS8qNuf=H4Y!;S;{c zlgqH3NNeP;z5H9jKZSuyi$V1RTc>L%(o+&&Yr~(}6DWHY?tIy@KI2a@aq?Zkiec}C zmAVZ6bj@?pgZ5KTvW`;k7CRZfIZs!GcillcEvny(ZL}H~v57kWKz(>$*8Y>kDig_E zJ^5I?#Djz7UOP>e0hcZ1#x`K;ovzIJxA?DfI+5JD5_AC0D#P(#%)fchg+yBqn|u$dHmm>rNjJ5TehTx?OU3{$o7Bvbs{d`hViV~nGBTPAQfQi zJ3H@%5p@mhMr@AnYJv2BhJKYCvaangMoP^MT6m;N)TRk zKsepuk8HF&FUaC(J%;=Vltc{51uP7wWfW~5(vC_5(tftKa#in(h2amhd+>fWT$nsX zFXrO3c-2`#8g1rTYRbDx&NfHv?&;~t);$AMFk&8I%{i`>+;tbWGD)QHRktO@up88{Pp#=sdSF3Kr zw~du*)rA=E&D04xUyW*Uq18q?v2Q0Cmwk%`V2d#F$74-NnA?!IiJ4@O7GBPDTf4CC zKJ{ZZgJfeyv=;7Nq_*gD0+}Zv*CfqbE4XJ{vEldL=Z5(adR}W<<%S?0YG?1RQ=x-d zyZ|;+*2UsMea^NohbhLk9iKLFM9GrgeP;jRt3K8nB;-UKqZpz9e>d5D!OZyS$ulg5 ze>Y?0pCV)}w(IXnBLBOSAwlWc^TM+awwk*Cpn3YQhG7*QOL6NjUD5r2`egVdLx)Z9 zd89B~L6`79&7On=kTX!Ep7zU~%bDho;+5N{o zA9sDS&`{s{jE3%lZ!a7h?)_dU4Q`;2?s;C zj*SJ$4(N#44G;dk8Vscy1Q;%B6xdl&fzCgg{q#k{=ZpKD|FCuOwbd*25Oog< zQY&1|#xhHR*0Ti4U-l|Aod?n_MeMY*T=M;!Au=r}HM~4h4~gZn4|rLX{uR7c!{nZs zZKxgqw=R&aF^k=hW2?=J{nOQfARXn1&0dN$}D zl+CZ-dtZD;?q7-GxzAq%xQ^-o*Zl6`P$Y@>uNk~A4`}$XPo`jc1#wVjrnd%;suf!H zbq9FTRzbwx_6lpHasTaPzj@#%3pW9h^3$G1cVYQ_JVE97Ky@xE`kxvDD@!V{E(4A zX2c#KcZj}!xOTH*Mn7ZIWU|lCqg$Ooc4>*l`^wFVObD=xasz#@Ij z)C|j!7vU`Z6NMaefzxSb)cd6&N@Vq%?rVe{pF2a5hFONe3{~_2DQsDOBlTa?S|C2-IXPv_GHp-SlWpc=SwF~cHt`7ORQ?$nIGc{MPxH6e08HJ6UNm_CP+(rdrN zd_&WR6^J3a$;P1q~tTie1Su+p>Ty-rnzOUV8-_gG(f0PWb-STnl2wt-^quTfp 
z_DWw%6M<|6;cnA4yTN}wM9l!Vo|)1jLlL>|NNxBlm&W;f1pu^W0D2`7A?)cmrwdBI!~9tXTe4VnixL% z>mXl3K3VRe1Y_QCo_e0>l*xhsk{*8?0k*fcn$zn0TK8o&p;Q3s4jeloU6AFrh*6<# zcfd7Td*EQ+h#6=-&2E*68AUy!I~yl*W*8m6F8@;g+B9HV@EH5v7LF$viZp7bJH=3o z;WI@|3Wpp~(XYkNT-3l6?hZU+pw@7p#zO48ML(e0qdIk&X<6f(=iKr9yE8#ZpZ#uu z{VF>y9t38PWMAf>cJIc(!}g$EgexaEpANLGzspd_PW+AAbHp>(Gr_y)JB(i#k;F97 zGEzyP>o3;ajA^lB@r+q{5`yFg!3!FvX{$ zr&^~7rZS}h82OB{^m=MSYq09%)D_f6)h_EIWA$t4S7OfvWr&mG*G3G>)l}?N92bce zNz0Sfvuh`-YpSh{9Zez(sf{d6aE(G%29_sQ1efbp&Xzq^lAEq=X0~?Q4z82ZXn8a- z*qb@-**!TJ*)2G9>}ecf>~I_*9SM%wM_#gEC&&hjhtS7>NoARq;pvH*@oOPm0d3K5 zw20xN;X_%bh_cwSm{Z&U!YWGJZ&&7sE-!r0 z)zHVVf#3IG>!HWL-+oVn7J1LYp26{U?#f=oxkfNX&* zfNV;PH~yD+sThP9x&%-%zd*SVyl_g4FS%#fDjqtXGVvsyY~*xoa9CvwVWehEeS~am zBOyHrGtMQMk8X?dOH)9YSSVL(CzB*1FUX+QAb*#QjFOD7@K<5-==~`9=vyLgf@zb4 z?Zbw<^O+@j?Wl92Q=&?u?jMUk%nLXR;w;E4fCiEVUZ4t4^FitXYK?vkuJK}PvEEu- zP?=OBUuLhYsNAIbPf%D9~2*uiIORxEubB4Q+ipQRZXB= z_3J9Xv%ov{lkCGB90EM82R;Bo5WdeV_$gA4R52eezj%;lP-YNf5S;uM`6u}TIa3i; zk%!b(s{T05M0EN?>RsAfifZbVT8a93omt%vbxt)5H3Us@^_g;@EHFz5VE#Oe(H9=f_KwE%c_d zT&QHxP|-Sye2Rg)G|a)VfwR0N*>L#61jZ}tOYME0J;P(i(IY11m^8`E`-R7en~&q- zi{w4FovI6;ULQt&HX?u?)iixIksa$WO$oah@iKWcqbo~4Sph2=;VHU1btD-LdpT_e zfSc~!Ezn6wqkr2bYJ%Kq;SbXsIDdiS3q6h-tV42v9(8hDOc zYFeu8O7A<*G0^1DM^8CV&*$bF)Xi+>SJS*7UPmaoLRbBZAH8piPciuPJa)ukDQFq@ zKh%jiC|*3mB_#~0Y)}2>;{uAH%I2_U&CI<{(oP0KrbECGd3ee_pYM0Ju;(L1MbV=7 z@n2F;;$MzSc4yx6%hbKqW$TpdrU?27V7V4Ow4R=W@D4KqGvZL!Wap1y_D%M^`A*z! 
z^*0yWcNO~;XNn>3DsFLQA~JZLUrh!0d&+(V^sbU*<@E`}nwFTlPo8F0P#)6qDzs~% zsNKG1oV2_u)XcUsTB%E|xVAXD9l1T+DWhwli&A+j2P-4!RCi6Q6sjl#0(?YTJ~=RdA?|>3HnJG^2PO%qdrubpVrq6-)C~3tE^RI!*zer1=DYVyd!R zu>* zTsppLCn_(@+l=1=5aOfXGG8-Y2+jD++)Hk*7fByP*$B&cE3XtzT5p67Mxu)U$ey(= zwBlx2dn`U{oxNldY-A;2iU2ru(z-m~M_(82bc#2Zytv*Vbrp4G+o9c<-dGPWM%%zY zQa&S}q^|BDT_Gj-#Jo%JmGG?y7;#Quqq)K1wyTsK8OW0X-PP^II^ zUt}+3H%$jup9|9q3*TX)YQ52YLifeL6n|`3Pto!4t;9d~eidF&N9pYFzIFyJ3EH}EHg=Ys0la)Xx4T2Gd$a{H z`lv|3^806O4Q&UnylJwP_TjyPSbHeioSZJig|mOAQeJsb)9(0@KR z(ATloFt>BJGu}GBFC}knsj4n5ZDAE6j`htQV@Po>f>MN-_WAs9LZUuq6lb{4f-{M< zkZK=y8t)ppEhn&QIoHOcFUC;?dE&@=^3-~F22=Of?iE5-oCz>MB)k5Np`bnsFn&1z z+qeDME5SNi+!S3h`e)!zlf|?-ry05h;)%p*(CHF34fY9EaSC&4Cu=&hZhgN7gY8ir zMpImqa-(8{Dp1Zj0f+)Tbk=u*sMOtnT+co?TX(Zr0*%4XqSA@fiBDj?LdoV)qR@5Y z%iBu%>hSIDUM6bOOGVNewli~FKC#mXT(Dul$?1q{#{e>~@`>;zaXosh&pnR@?(=Xx z+H8ofvSqot_`#qA{;_k$JCg40#ld;FZ z!6kEi2$S)Rf^UC=NBMWQQ<{RF+)u4QIvlP!x5huuV&cmjYYGR9jkN=}E=N~N2`c2e z*OiRTKb7EBW3*a*TH47AliUZ6|A^tY+T3frJ>0P=oRzXg;RxC2+e))^wt5wp{(0%o z>~HINTGx=$T)331w{Ku_%HhP|DkhBN@%$=zvUgePqtKRZYs=>IxM^=XdWdKOyy?Q< zBRs-)5qL3uKJK;2ekfjmr+Io{a4Na7WtVfDOq5N-ruv6ffKZFcmbJ0nY`?n&Frm=&Cac4 zEtbtw7tQr^KA2yXyfKDZhdQyUsAN4J=}-Q$JS?NCBQA?oi+s%dRC*-UB%wGoNbkG_ zMDrYxc#HVnKYFd$OrE?n6bfYar%E(u>=~#S>S|c*dv11bNTCNpi>t3LR+1CV8VNUj zzWB*^sq;qaC?`s>p)%(J=Q@kFcoV#rc>@4@b8)z-P|+GDHKy>!x||q}>qH?8#a}|o zHsj)b+=uOciVH6{#nLcpu)(p4j$7Deby}tr;b)QxQydB5NtFo?NxB@_@&Xm}9o=3# zqRLYPtEc0Ve#z37{T4F~`Kp(?v}KYlA{{pNg84c-MXumqw9z7qYva=66Xh<=SK*tA z77P}^Ho}#p4V|@_xt4pm?U~9UL0JT#trzQ};_Ymg>QTeI=E~;<_)5T*$Ya!)jQ^CQ zZrIlSQ61)ycW_n3*PxG+B}5qvKL_kCQWc0@_+s7AgfA@*Nc0-WDG?#RH8I%F zy0fbnP-0n{9B>+6*iaC+oS^+w8=~*$petgmZm=VS6vSA&BDF%W!%(YG2ZBp+G}qMO zpkxuN(J-R;qS~SzA|L)idXDU1lcKlxQ^V>;z6gStxrDjN^eAFFNq*+No&zw3+BNFS z2+0<;+4$JqN_q22?k6a82PR$Lb z4;S||^>6*GmYtRh{c*3+{OgCx{4XgXJQTtNv&3>C=T>%XU3Dl9LpOK`VPQ%#2IHBE zU8>nX5*BHv;cGuwgjj+agzCwh_JJ(-H1{qzLf9s_3s_GnH0fcfT$)B|jT#@dthFOG z_%*67?BN;SuXF>IWtR!~_-#f!x9vm{%}-E&I&6!(bh;~uKDH~TGxeE}L(C205c6Gz 
zZihOghF2})hg-h{XA=|d12#|GLr$1p871p_V@?j}v$1&G&XgWce1G*ZftjjG21~4s zSyJ5s@Y=DwMmh$s!#(l8fJyEK;6=!5LOvmPSx#m8xP_z_0vq`|6d4;bQ+GNJ4=SDV z-Yy>ehS#g1(`v6nJF=sS&~xxibBV%h4%?lz*_HVHf&42ww=_zCo2>r+~Bi3hvC=L2-v* zh;Zd7#=U!@jEr8yYPDnE;ZsLE3?=FFZM)iY*$X#6xq@<|>jq^Lm!SUst}TR+2e`q( zmpT$t75EkRE-rhra55HG&K9Ka$B=MC8jm>ly^imWS&|!Dly`z^>eV+Yd_NyuGlM-8 z?}_8d(cJOl(B@!d8@P|UpMGGA`4cG;r4~I2Qy=+-nDghOP`h}ZO6{*dYOP{La*yR& zEuK-o@^?uKK@Z%}MU=5wB!My3GdL@03mP%?#ZIXY%=cdK4)9!&DpCnjedB*7y40xD z2dr(IcIr2*mkx+dT!+m^2PPY4w5>!h=^{llj+n{1JpxbnxK0Vt=us2UdT})HZO|Bm zB*Rg{F2kduF=bp^p5*c_KMM*ZX!_^DMs9EZzEve!;PlK zG1;;u0d;&+x(vXb#{tsha?9a{t11=khz@<{_%{8<8+*lp%z!6P&55;ru4O`g#A1Rj zuiNIfmzM?1dezzvLfzzc;0Z-%*GrFSD7~lsyp`3q;d1|N@jm7AnBPfaYUoNF$I#W2 zw-{ib*3bAWk)lh<8`Gwe4+jZ^X&Z8vA3cSrh7d-9pST2yM-Nin1A7?nHe@!JssuJo zpeDCoPHA3V3ETqBB={jVln<(le{WjjSnOW-{(CTH*rS#dViLreFHe|Pz~0cyj)nc0 zE2<}*cS4Q?yVNtk60r#~#YyDJsF+iMSAp%l!2KSaQZV$O-5`3Al!^Xf8_lK>rvs@a zdph%)>5tlY_6!d6W~^qD<~LUjx3g!e=LiTGh^g<1&`Y7rVZ3N(sM!gD1+E1w#@xn; zBO9@Vs{8T|^1KZXnSVkx0$=grO(ys&obi!2`rI8MH-kF{S;@6cSPwgrc>g9f^jQs^ zvmU{tvt;(@b}G9zVlL3O7IsgB1w2$0wco2ho4`r^2LywAC1TrJT=%W+Gnda@vw1Y$ zmQjxo+hscAH4>9teiHXlDpE#dbhvtM3muKLDv}k)pp$2ZQ6g|0X&wSM>t^%A6)x=5 zYm#n8lUpm#Fwf?2+i_Xau+pKf7VG;rmTaK#T?o(J3T~gr;%9A|j^KDgbh*7D9{xN8 zwbQxH-67nMb-Lh%e#Ek=G0ii+8x^?RFD&2PG{yi?h2!6N-Mm! 
zw6NelNMEk)Yt6W%yUo8R61HK4!Y*OD(CR1C0oDM3%8ZxNH^*buQQMuZiZUI`Gs2VN z@_KJi{vY5V^x$P>js_sx4j|7!Pav?+3HYFj{oCpu+zw#0*EaR4-uI1P{sZTfUW(^B zdrS9|5Wv2e^Ehp#2?7F|Wv-;=q$VxJX=rOrr*C9yU`*#~ZTGjt00P48%J~6kg=nogSnlPxvdS+Klth!*aDq+NJ#!6=-=&s=4tF|{vSy;j{mFHUj+gG=m9X$ z(F6X?`!6Z?Kd_u~=B~z8YC`7L#x{e!{YT_~k*fcPl$DMCzbXH# z=YJ`=0sqk8zcl(EbNv(h*Iv9Z+<<@Eo)>29+*k<&gdap)NI=OI^n3%#Q%QLh@|uE& zxZ`&q2ysFnhWnK;B^U`223kSMvYc~8xv};+u*Vi%ULQFKT@D#t?qs$=96k^P8b!>P zpYtU3ipRwQhf?Yn(bNuGDpym6vWDBeQ#p`jm5GahCFBn=52*gkR{{sCq ze&}gNJO;J>`Y+^vgVMeN)LGyE58Xe9G{|&s;&>Pt8V2ZWaOw}|c$;Bw!u1F|#HFW) z)E%MRjJ-}gZ@KVURBdQ!-;6rSk^uM!uf|hD66To|Zyr8AuIKX=iPiNd+k?c!+VwO{ zY;9w@cv#UZD<9~O;)9wqGQa?`h*IgUY{3YZAvxV3Xc%a_&m(H(+D*_~o=>Q=vrJNJ zj{g5wslSuk9z>~@n6_BI=(}0u%bv5)k(2YCuXlQWd(F`gAac5z1@-a(_60CyiOSf} z+2GGZQMm%2&6tyDzIqB+ES~iuyY^Twfa|(9DNWm!bG2D0NFJ`Y-}VmUk*sKSutyJ#A<}%bXCoy~qi^Ud|=g zy{`g7j~TyfLq`5;63B1BPz*QZ&n7tj8**Yet=4)alNab{7ER)lNCVoOtW48XPAc)|s0YSv}i8d0y>s;p1N4 zK$>YUZIr6OoXIQ2Sl4JWFJrwjyNAATySHxI?Gbme+<<7nei!^ds{SO;8I=2cN(WdP zl45H1C!^)?(_&OhNKz|zy@Gxoua@GsN-T9AN~aT%GNJlpazs=QM%^zY*Ay!$1XNwU z+!3_`FLQv{-0tt+IB{FSFMs5rG> zen%*eIWpx9PmPi3Yvg;>d#J*#d2Nas9vN9!+#~$w_g8`qx?rFZCAnNLZs_^`vP;6Y zT9V46NBM74w4cRn)myw0Ao|LhfJ=io5V+sbmiYVg@Ew#CR1-wQ4Ro{a|Tiv5Iq zJood%|Al<0tZFggzK9K4^}71vwbmVdjJ&I2`o}9@Ny+Pw?!}XC)AdDNs^g0;kQJsy z-Z}G4{D0p`w=|8Osc8tCt{XxGubZy>8=A!)J=6kXH=-o(5)NMp;YP|&e!o>(y9wHg zb0e)kO}btLr|MDa59`#nJ6gML6^qf)2q{lJXU9uz9>_t!^rjs`S-#4KaRtI37D&!4 zC9U?Je_+Lv>)k9!=Ui2A@AuTPnIt5qrg@#_0k3ftr1eRvE}P!Cy#-}EX8@ikk76Ek zt%pPJOL`2+FMG_iH%|0Y)7hE_*N3>4WqG4YpsrN*8(C4q!#Bnlz0pv0cC(Fh+spM| zg9aD7Vb|0ZNiQ5?+^xuUCZ4|(>wC|#$NO_aLDam}jI;RsU#iA?mu3n<9dx9jOQviW zggplP;u{DNm0BPeJGaTO=VHVDybZ6%`l@%w+}Q1@ z5U9P?tkb5#T8WV`Heqa<1083M;*8`EhV>0+=3agtdg*RPZTw->XIB=~eW_|GRL&2Eujh{=$sh%4yZ$KIvl~c2+s;+ZZBjT`r_qQ-Mma?!a1L4z!Rs#l)@^K!b z$&9fUl4Uw^aoaur)N$Jr9HxBu@iZd3h<4coBx{ z4S_9A)lnS^447H2M0%afUXUM^PAi^7c$MFjD9!Fb1zSTHpvYFfx}h%I*I+F}$N0P_ z4@QGkE6sGO*ur5t@`{AEQg+>lR_DPqeW`td&Pu(hrqnBR7Wwea^=97&Brjb|SL^-D 
z$qDg$VY+Q^a@{OK5n@8CQQ`r;ULI-_UG;j|H5Q2d7-T!cCvbhbYu#)OdfH#qsOQ#H zy#0MP7bFyq`AkTPqE59s#awl{J-0TRP4x~uTp=C^0>Yl6gzj!7OO-8!HW|PzeH5J? z`)v@CyuQGlKYuKNftPh*jU1rtr} zZ#nj_BckM%W8O^bEOH&!2}CJ4V}I%s(vyoPR4S_H^{&`F!rOi5f59h4YB1pPK7jAc zd9da&J}_MfzUjHMJkGk=dV1VnZs77p74_mdw682wsPcWR!0c004vj<4F*qJNji

E7nyuHz7b7+oV6RueRc}DArB1Ndl4 zR4S?PxgFp{qY2ootGw;x_B0vf{}na(osn&m@Kr-BJ|*8IASSlLT4Wf{J&zSu_N21K zcLy$E=q(;UHdh-HlSiIL$>)>nEw)M8DPTq-lX{pbFB}+?>Jl6j!KurtNXWLSUH&0c z8Ezq|bBI$>GZ4SX++q24HIDTyd6^}JML%KW(lraf8LY}{r@9i35yhzNY^ko>;LC~q zmJHXq_8l;sa}3+55iEplD$(Ga=CI{jP-xseHU{3|;WTr3o1B#!Q&OHx=N}{0F~xkC zXe?Q#{q|_-Fzfh|Tr{nUe9=-Ab(J6Qg;5%QT~0D~qS*yF)>+`h-O6dW&f6cx5`ANxq)G ze!O;ESmfWWxp>|VdaCJ}Znqnc2k4LbHh#aKcX1n+;tA2_^A0oZESa2)F4`!&3Cn;z zsy-RVHuo#y-^&y>IsS2^go36e7NK&4dtnZu;qPf zDUI0aF7+9TjN3pmaO!YE>GCArL#hayJLTRh!N znn9#}I`waO;U4QA3>i4jg{dvp660OS?yYd?2u^1Ei+Hm<KBdnqS9>rk(UaL!#5BC_^nKMpd_` zKSY#7NSo6*tKaAIlZ__w(rAG|cGQ5V`ILkxtyy8>6Ju$>!)^8UeKU4g7pY-dBv4Izk z7@vE-B`dAl@#wH1nJf9KQ+wlYcBXNdyzHKP>L`St%C9WTI^I%iqf<=(lk1U{nCoFP zzvJ}I$(*cjeOt4is(QUA+_G8EvbJEk3C>G<**)skSL6Ijnu1wn0Vn1C#x(59j&-x% zUaU$oHjtG=di$4 zIgrhb)V=L3vo*XaCj8YVc*>Svjo4;$iocGQcGHAp~Y!up^m*^K6ThJt4 z`Djr~^YbxGw53u^W->Rj+Yjb+(e^fm0Ctq_?eUgdF!nU01<^c_W*On40|oBIaGCZRBrB6W!dB)p}OSMj7io-}Ic5!+dA=5`VAbXq2wL73o zztb>9UzZ%-53=GABJM%SOrHnXd>I9ojdX=LIuLYNG+X$=L@0j4Al8H^65p){*L>yn zesnA7dhUU4ROY&R-Dfa23U1rA#jL&PIS0eSv7-me#f82fTdDl`G0h{C$3S(EJ$N;= z-_pLmn*uh!`smAOiD1 zis?~~Ur4jJBY_RCw?n&@{?T3@@JR{Z{cPdRKbe!^{C;S;S?2E3B|W{Kb8TSO<~a9`n9+*f&TS$*;U^=pQ(H0<65*xyY61dMDeePF>YzCOQ ztX5pu;x9~}3@;eONSp{U=)Y@Te1E=edXWk7&WD3eAaKQ16imeS;Wl{x(ghzwU{Ie zOOCo{m!;h*+NFxhli|&a19ukOF$~*Z`5=6X49*HmvCcg9LXf7lF4J_ZQez}nK7y5! 
znxqyBTI1T8;U3u@7^nvxUhRLk6qqpgpv9r+#B2j`cP6O>!ilXkE*0ERyeKH4kqe`-I2G8ty0cQMxA9vq%4HzPaVVhp|> zf3i26(O%)VSj@K&O|$Ute*5#1(#e#a-i8QvpsKClju&EE<@G#r=w>h^-Ee) z;C>5n-wuT1eZB8uPmc{<8cGt<6kfpOmOo(jP7x)Q`lj zu;+BSCWmv1`<56F5j4NesMb96Qd+%Tq5X~Pb~Z#GK+DdTm5=eKk>J7I4ZYf1_g#9Y zDN%+gX<{M62NPnzsShPo8`NEW4v;^jmQ=8i>Ed~ya$7LOhWmqUeG=mpzs`a*#Dnlm zxLIbAswMi1QNgC=(xAOsMbn_gVa{3QE?-$O;^9Hdz$J@FoAm|1MZPNWfn-{GykDde zgnn1d#Z3HteMT{rt7&9Nv+e-Gfby-{w!}Hl!F;>huLwTU)^4v(L$77M-T+>9Ob8MU|L}9P$XpYg#4E z@pA&Hc_cc{k*GPhemgCihw_g+_4LIhRAIw!iPt^#9BTR)d6OAEc|sLN!n=eNmJ}XG z@~oEzKT18I-iXvi^P{&*L=vf%rr~(E@9mVp$Le7hHfP_anB^oNA}*Lp?(UC_Z#vG2#gF|76A zq+=8+P-^iP@sR78>osHoZd|TB10>w^Z&Q%3+GXRqV~%sKlQ`MRyh&r!@wUM7x7&2W zJaIF@Icg zToO4y_)Lgbx4tkswQeAIUzO8J_eFQIKx201vOD|6wl0&j5d<)S*a@Za*|vTqvJ?iV zZ(I7G9)#P~TC;`c&qyC8-jRSVci6GK+JhlGXuM_iy$uM5j>CCK#o$tgkoEmRb>!a< zPbul!p$q{BxK6Veo?WE47hFL*!&g3HeUQ2>g9wSh1;m+~l#4l}01Dnl4H;G5)vh1K35$C}+b#OnJx zj_3Om0WvB^13gP3XXxPecYJ4p^}td@Pb!g~W!TMh*txYOP@W<@vkn->zO39 z=En1I0!E)1Sj3&6t4X5vtBT{LMf?$mjCD_?v6j)|)os)C7uu}kvoWEzK`e(Op>g*Q zX`1-6rG{+ou&h6Y0R^5fP?^TrqAWvL#&SnWXhkBMF-x7V*Z^q{FsS~5yK3as#=$3n zp|`KFm$9zF(4nN^M)>K<0A|m)y`08I2?=S*A&e8SJc5Baw-Y)wjaC|$6or`C->m^T z?g@$W{FkTl$?;K&Al{zVB!@iv(W$n)K|NlaxyEX!uIBK-jA@5wsrRF*7Wz)U3|xdB zfJ2QfpxAd(Tod~70XIKnM@TVAoQrobbV;RqYy`BiYi(}_iZd?^4sH`DCK`ETQO2kL z`_W*)TQy~^xs+CLX47sa3%dcsao3%=JQHpb5HS9+-m95p+UIir7Mz1IZFBx6hQ$T- z^5Ts0uvnaPI8psE);HY6A~Xu!-%;g55rg+*AnUj9Bp5fZZE^kiA5*n9f7wg;`iM7p zTvjvOgy)=ugC)KZT#e1WQ{t#3xDkTr%1gUybE1ux`?^tX?;(}#`t}pe5n_1kdv+8< z0#OqQ?&!<4a5jQ3KA{J;Tt& znVAoejuXqH>y`Dlu6-;KBEFNeOzhmudrzUGe}pHi4uf@i49gcz@XDFs_HrY-&fKA{ zVF&Fdp*;0h1b*CZ$k_AoTOZcFkSS#kBCRG~@0AaEt}!CtGL-WW6odRTKX4|JH#B?G z3-8VVw`X8xu|63+t(kaI+e>ZW4k?SvC?t3+mNS~ICfCy9vQveD0;`i z+vlI9Pgv770yA_HO#Df&n^TVsxg2ZCWRO{0Qf2u1A6pG^+0pUVZ$xTuuNt8Tl1n*L zOt<)Ncb6%&5sEVB-62!$LD`aB32ggju2heiDiaG}3@mQ=MLGKt^#VEErCX{%)!5Wz zSgsQuRgGe)_iv2CGiKR*E2I~laB8#yvjph%RbkD zoT>okL%Tj|Nmf0nKne$ieT1M}!8T}h&AQ({76IAJfiH#wnr3&0;GwY$6>aq=0Xl-B 
zhFV(!&qL)KST$n0#dsfLa>h#2kkPXqB5i5OgRJHb9~M{TlS+mTLiw++d)r#Fld>(l zur~7$1P*vqZs^A2)sMVuBe)AH9(9YGUiFJvJWMVGtd(27du^X#6WL$5s6$b|6i--L z?&k1|ngiOt@!m(>?n@{Cj@*yHw7)T^{pN2_zbIKFDnl}35Hd-?Nn$Hy%f8?k5U_^u z?k@Btj<#$Hc6pNXMIX8G$+U|XK{`fJdV(q&^7q)=TH#qFl4GBaV7AT-R`fG4AvraR z=FJ{?WF%}hQR0z|6=Q~CYUj4qN8+qZU9H9&aW{Tm{pwp6IW5C|?#l8@oKt0`1Y`RQ zEnCG6qQqElgtRGvTBNTp$T!I`W|mm*$acSl^!llS($M*pWS@7dMguWBTXThWNckJ_ zS)g>Qv3pR?U3c5f!lmqtqz22WqMs-Gn?=`jiLP$#UDVLDI+#(g^8ScSngfpFQFPDX z2+7ooX|%qeUFSSDo=Ove)T?oPs$%G-3rbJ`( zfPy&?XxLIG7{vNyzb`M(>l4tsuh>@%z2L-yuCP1Iw7!O{vUeZb_pOca2MkT90h7H@ z8f@R0jB|QZ3ofaY4ml0g0TMDr6{lMvRA@V%n;V_?t&3NXEVmCBnT1=&rCJQyzI64@ z`Jx4^5Ep50skdKh2E?ZSE@Sywpvd*1MPhTHl`XzIFQBMYe8Qt%;%Qr6aofJLdNfE3 zH%%IdcO`mi4;*db#Wq6ZSKk*BqnNMyBQ|*qw-(#WcqJxb=z#XXBcY-Fh=H7yEP^1X zjb1n+V*tlhEa=7v=}M0(y2bbGb;6!AAHiT}JM)7o2GXcpD(h%?7IzRV=|er@C2VIi zy>5{rPz`(qhmj8H_b)@;6u(Mj>uS9+e@ZCa2<|=nE;pRRiBhH+U_40k;k3p1(-rIh zOBf)JQoYLL0_LxA|EsFz$>1c+ierd|t$hC;_$VmmHD7fUBWIowo2cO%mA<%pFf_=I zb4pCFR0&#dDQ;SSfot~n{zOYaw6{(isxp*pOW?RTQ)54)by0Tp0!eWwkEa+HLXl$4 zvIV;PiD_i8lG(+n`iL-scNNn12py*0)6#EhFkc8Ns$wdygLBACf68F zcHFdw5{cFMzFNX3i-m?K%V2Vy)669QiHN6Ul#BLI$B|d2nFe!2xcSE40!!K6@Pr*V zRJ`s_49%Au#Do}B2Zl#o4{tNTY3t{UeX@Py!oB`zKKrk9-M#tVu6*F9?J?fUFEBLJ zYBKR`Tjg{m3t^orw$?^e<9BmT+Ri}20aw+ zqQ$x4cQN#}2Rvv_96s*FOZHOTQ=I59jXOiPl{;il@(tWAw>@j_*&Cx4U^O>X!}zR< zURbVWX(VGz)uD_aA^>|z;*%-maZqA?VX|zQ09%){TV$|yRw4M|Y(v6Zei~}p7n*bx z3ufY%f{CSP>#OXz+r3Hw9e$Ka)DI92$HX1aCehFxK88IVmD3j1?6%al%_9 zlMP02Wl2u1c|9KwSgl<#JznfP6vVxXl?~zkX7DJ|JHC2IS{lEf1NLS*d7yc4UWv;k z+18z>n3?6_i_aU1)G*q}MA~-sw;Y&1IcSs)+w@)_W4aE+sB?%>Y+Dl52ldejN`1X=wJbkgzE%O@W}u{g`o-;G}GRdqxP zGI-Cvo)Sg!eyKigPS|U@dIbhOb$5LMxz6iiwx9BY_v~oxs_v88GQ}YY&ue>5<}F7` zPuFCuV4V;b%|C?l0g|ekrS?$f%8P=VurEQJ?{@1XoEi@X7CTAKYVG%`>pUI_{gD?l z)}z$RObk$|5VIRHZH}p{2SVi^HeAlee=iB0Kprl<*!SBI1_WAB1hUfCr*YQ&+H&Yu z6C5+E9hZE0VG|N3)LnRxk__Xjd2Vn2`RH~?POG)~X~YEC#VZD>8q>|i=M~(HrX0=t zJ?Te9UE}4Zudbn}ffA|*oco3BdAc*kbyEDMqSv;u!P81a^KVk{FL9zt%VF5%t{sew 
z=G`cS(?zV`FpPEecN17NGbSpBQ$WvrRVOy<^L4vl8X39Tj$vwV`SDL=p6$1%Lx9I; zj%E)8|1wis8nmO#kl)Cwow=RE=VtGpLke2U_FN`nODtW{@zpOrA8}TMp-8&uJxPS> zi=F`i{;S7AjMECe`+tA(7?g#LO}H{=XMHUXe_tR(v0f|{-XgNlpx_YApx<7BP~-SS zX%`H5(0<-u*KB@dc8aRhfvR};Z4Am<`D``YhSh!stpBZjYssb1x))WiCCFFt+4M8% zzTtO@Wv_y#`GNad2;877HECQ5E%?OJ5}WK8_ciKaws^m1703$`WN>FK1a63kz*0_P zJKF>0&HjLahx$lz!~42&K*pcSO^fqCF?_m_U&Hy1A&qL!*-z6l8f%G9K{dZ|v@-u) zxJ#g%ZczMN{JK&zzxZ%XJ;TB*xdPl_ct@qiNDnM#wl(06VWQ#U}6ihfk{XhMhic&xKkXpCdH)H71{}m#VdCy=v{R2fw5V;NRbv zr0{-t_*v-`tMboDaUn=Sh5EbLhuJzvo_V`@SaNk3xt zh`|Z^HQY)PvYR1dWOZOPTgG)7O|i&hT=6Uqh`~2WbTk?%-4v-Ifd%rv^g5;@7%bPOi6<8CN_DmPkAB7>$ z!u&ag5^+|5!|3=#`n1i4IM-#R(0d|JdAg%GrdisC z!sH8~gpF3m%fws%IQ6-y&n?xRpQW(>dT0N+5OPG*8xZG^m~{(9zI6kMaHu7eEM9lB zI4>}bV{G2CPwG7-!Odn&kmq%_Guoop{xxTbwYa{lBdjti)0_4pyOWB3QXOA2llAs4 z8F^Jc*uYp^kn-Saf1bX)SB8j|lDwXy2tR1Jp^941(D~chJ3JRq&Z=B+(*f99gW?)F z^L*z$k{^F|zgmdV?Vxe$lx=xxuuHCB+N(Jq7;!cA;X%`q7}(OO0wk>(@cB(08S%#yd$gsh#h40dAROJb97* zGNa+rUM_MSGX8e3Q;hfXX9UIcXfHp6A!7L}$llf~_@&GMNe6~<2R6Bf^VyFLFGc(N zXJ|#B2s~~imk8X9&8&Xf2=srBSW#e>Dm1?r6?N3Q+&qFL?46vtFZyhI2De8N!FKcFXZQy#fVCq+?>%1E->;w% zO&>aHK~5-|NLR{8aj+}n900;2NYtI*6EUb?317JkPHd~XJ?_r1-dE`&&ZzMne#`Ea zYZ^w{?nOI>$QqW_TbM7iqB(OMA-O2HqcX)x1MhwFH z=L8?N*#DmAc%Yda9LRgBzHxwuD}7?L;@ZOU`|Poc3nmnf5e2Q(Vh7EB{FosFVQ(>m z$kTKRYKsWWc1nGgj1GbsFmoIEZZzhs&2M-jVoI@hZ9;(`qH5$*Z!bGkd*HEi?gYxw zi9g*x^>>Bgpsc`98^2q9Jh<67;Bjj_ z@ne?W_8rSrCdQPd^SogJ3;{7A+MW>tZ*s+l&LY7X_t zaRLK}{T6++4hpjc-zi%(x1Z_0+l|a_I{C0h3i-xxSvg^|yIjjwP{->=5M0Z7(a|bg z7Mk@B=}sTIvRy#hvU%N!&v{mT4`h8@;+==7rQ039F~nl@{+$4>wcPO?S8F$7N8(ysCZ70PaK6wx6ZT|67A7SH> z_vowaW!wS{eGBPs`L~^kCluix7FgpB7L|d>ffh6c z1z>*48>4oQR`o+#5i&Zkc3}uZ+B&BVrQk}`g?R2i+6?N=Y?xWf*N=8+vY<`clNF-G z_BL~Pew-gPOx_*G-n(}zi8U^1WZ@2V&dT zT%lj-nqtrio8YJFqlrd~RAY&HQ3Rc4?DMR2H%4%c@ry z`Me5H*BY$-8rm?_wz&?qUayMhiA6W(qCz{@R(Al6hH)|_pPfR&eHCx*TNKmxVbEvR z7|)Uyk#|lj_;K;okM_Dw@-5S`Ic3ArHFX{#I3*JqC-8;D3n5Y)c^q1ed_|j#Z)=XT zg$304g3YZZ5$VgHD()6a;3hFL1y9Pu&rMVo@fNOv3g&}9JKZ$b?I}E8O!4E-m=P1D 
z)a_29k76j69nKHri(DY1Z%HmTe&tUxs_FQKly2AhE#rFWaJ!=DWhB&let(Xk9VvIG zIGy4CJ6Qgh%_H+zp#lf%NK1nIk^e>Sq8zc-Bx>!Qo3y4aBvciH(acARy*gPh^{`6y z{Hh?8V(7%b=S9Hal(g5oIdp>J!pW9O9XuMBQemE%9{HZmmH@!B(SvsZ`TUE^97SsyTW*CCp;$HR$FYMC&SZ9y~dOof8{>u)JM<& zNV*d?S{^;ab)jI{+Su^?x1yaHuIqv51B6u4@@l0e?yzl2ut8!DVi9nq&hN_|TEU|B z)evmj0AV-wcWgm3UBVsy5bWZKWx;N0BY*xJe1H1+jlx$WTz zHjWjBC5?$8 z)sTEhr$-KG>(?_`I%Ka!frPv)W!^I;Gezc&;i%73uklKcvJU-Kc?*?QCB6YFT!%|H zk1p7Lz1hEL8Nm~bf}2dB(acQJdg+gAttbDTx)5(>%(O4zpK|#On=)$3n4QU{o6w4^ z0}sAM$a_GeZFA{F%ys{#hW)$!0h&~{RfL~5ojA-(Fx>g?KmTWdx#XSv;z?^s0vAj6 zFN4khwv`|N61%1-6t_O>kJk&7!JtcvfQiY9e@!|4$HqT3`N3DHxTwGm@9%8mKaU2D zESh8JP86xTC3F2*7yp-!?l2zD;A<+f9I*Pc?3D6a;OyKIGeEA(+&>DJ2@-yuuY%fq zIq2`w-;qgTPkZ#O(jCTJXUHyj&0jMC| z{O_ax;W+=R@V|WPzlG8Nt(#Sp4~cR-upeN_ZVYS~aAJH32|xC9a5_%k*ue_frBf&2 zC55~mk>YfMfZZnl(z8m2Rm*p6Jqfk}CL7dB-%%*wvZX1@pSCPKndJm~xc%7&0$=!) z^q&#!w@59osv6SL!g~_)<%^Et;_50P5)#s4xBcR5-Ax^amNh1J-b9IWZVm+ z@&IF!)qQ49PVT^lgho*-P1~I=vot9h-%@-)J#-dqfr`f(@$Ahof9q?VXM4@z*~SB1 zY5X_Fl$&sM^v`e~)edu6pk-1*^7>p8^bq;~+cNxbrAwmAcNR@gD}Bw)?Hn9@O;1m6 z>*zQQuH@|OTv1u+2Uq&$%^Op{lI3MhLn9*+3JMrPLc;T_D-kO=ZE~aS%@ZBjjaH}1 zXaa`Pq1^E}cYeNx*BN+d&;lI&-{va6FQ*{JsJZRY0JYo^5*SuOw)OEAc$zzxmZ01Y z4#Wos>Qqz0SBl$37dt#A%9ERWpBDL&9UWQNMUIXpEziBMv6X`t!xngwkRn?>ZQn@b zB|7cJGbs49{kCC6@^yirQd19{QpeEfC}L-4r+Q{ljkMCbWNn24GRCxmAN3414H+4P z$#}+$c5`#H1z6d)y7JF%jrX6Ds!5Q_%lQ4IhqX;G=rnm(A5Y%!-~V7}VQ#_6z{iFY zdpxwFROBdIzeKAnQtcQjHZwukU&VYb+ZBZQ&Wz%qi&uBb6T#ap6t;TK=YJ$8a*6lW z+Q=f`U+Ezen65=mnuozBVKZ@^ri3o4S4kBe!l`CGku$K8_fL41X91^PkB^W43RURu z?_Z;JCt@VYgAxq`MChGO; zW0(H(86uO5>**U)bWJa?IBwJ$?%Exdx9al2*92jmsBM@I2ysZ(rmJqST`2^ebHjBw z?*$g_e%uKrr zOSMDBLXI(LufMm8*&+Kd!p+^(QJVq7yG*MdB2fkfbuZ7i3HSZlsKDP6Ude;WBbnld z#mR{zf#;Lt5Y*dzNga&?4|pD|yCJ;6sjBPbp@J?6L=lsm(v$T}&W@XgWK6k8!?dj-6uZQRKuw z>YSM(&^|3AKUVr;oL(kBGVB3=AY*A1UHN^E&SShG@YjX8NJlV2*y&>P!`LWEu-uE@;YCQKqH;vZt?_~|8+PX3( zt{eN_`@(YH*hcz@T0KCWA1quKOPJuTC4?2o%UWXSx28@T<3yGAF8GwITd2Q^(*k^LwJ~NngA&r{i{)z*4M 
zT`P392fWu&%ax)=g=4zVEEoQ*^l@+%t}vm-5AwR6BbaBGF#Jf5W|iY7n%d2@zqYFU z9jG(!GNBbzz{qE)B_pH&1QI*N-&J-Btb?gT09pr{=InhVODa}iG+W-qzDd+3X9Dgd z^VR+lO5u2kmzu3)#y~~aYlb#|MKOS{#1~DC8e!cJ7RQsgaYXL0Q+YDo!pITKP+a!q z`@*{H?DXP%wGdJ&XH;l+A4i{S;@!~J7@q3FeSzv^c#})sJ>N_7uZ~imcgc)@pp~>q zc1SKg=(8%*sp;tJx+${vzN0-$bTwbPy>njq^5JI5{@N0Ft1@iIJY{cvKgG2us7s9- zA1=V2Kv<#BxSii`a5?m0-krKsBoB(Jzrt`5*$BF18v5Y%r0S3Bx%tE-Mg7NbCfnfCCUWH% zSU{JATYCPAc1w`c*vi`4+B29H%(E&`WlCH{Er*hym`xwN;E{-#O0(xi=jtem@Btar zb18+{B={ByZY$s6kPyop7k24=gJhf@-f?rUe6U<{9bnbv$%IzD6f+RO7!&U+AD-RH zKG2mYE*kS<^1L!dz?ncKvEE$~k5mtKV%lAo(cZMStl1yiKPI9sO$gGx+K<6zZoo>p z*AVfzlp{SXarAPu6}mh(hP9c2BRR#4*u#I1vQPx2E^_l;MVO{I-k@E71=Y;nP@LXx zW1nZ6eVN}Lwh7~P(OZKb^{FxDnw8+=53v!#^G6)#ND)208)Q<0L?P<+X#I2$2A{Al zF01H1sE6a!6LEPma>ZEhX))2-Zz1^}ct`%%@XcJJ^fYqTS1 z$R27~r9XIaD5N6$=Ue(b8>W$99r(`IFq{&+(Q}XRC1yo}7xOa1F+`}@-Yf1*e45Bz z6SQg#OyB!zk=3T5wOv87PiVSKQ_J~Uqprv7s8GOeKNFT=ika?ZHnyFL5g3uqV=$pF?_iY<|5%TS!`MEv z-aN@O(p}>vFOE&Ban>CR@IdJ7GJI;gWIa7uo3D}0eFukL>Cnzqb+Vkv^KKc_j63q% zAa(?qy6$DH4N9qi5~urHBrWh%vK9lHrwgfgWzD_|GVxfi3WP!l59TyZOY092S(fw)O4Gcz;#BgYnN0aD40u68pQ7UKnQTqCje zXQyb8Ix79tmRk04sm-~-QWnkhaG9wV)a_y$azJd>p@TXCVU#x}7|qO(`Pr(7Vvv;> zA`483w8IH1(>^;Z3wuf|rXodz)(8S!<8)C3*?Sp{B#Pr5B`v)zTDLVwRolF>n? zdSZnz#mEyDm`^P{>+E5^KqfMtHQ4aurI9-{yN~&ApA_!5(YQ0kJBE@1(i4Z)@C}E! 
zoUlKuyR^PN=F+tW+g){cjqwHAdE|FQqM5?8wuu;z@b{#G2j(qcq=<95Pb{Os`C%L5 zR50(Xf3{xfmMO1d$QN|FbFf~<&B|-M2vMe6rB&1>jifl-ndVfF(F4FgsTmKN{i84f zRgM*Hg6irivt2{1%Td>1lx$*v40F5Op?c#7T`gLLGNp_6_qZ-^WrhGd8Z;}*bfs|B zG06s&WJ#_E`GR#z@FED5Gt zrZ75YPOe>yvkF(0kdDU~{?V&BOr`l&gOnCo+i}T3m-&&p#aZM)rt(mJlY#WRaHddqq8Fn?NlUSNG}M~H zgc16D2z5j{`t%x|+u{;mQxlOc&(QWpoS_FNvX{xsZ>HF<5umBQ%=B94Fiuf5H8d($ z`K#gY3G(5ai9xo?!)z>UQ)~Q>={p$X8c?NZ=;#{<2UHwLG`Jj;ZPp*OO@=e~FY8q6 z!?ZsP)oO|XU%s91+B!3G6jf?!Cm*EpnC`5@A@dN>n8rESeJ$P+F3q%!*#8_&f5`#61ln!eVDlmTq z#^!uV)gWtR(Tz!`e8?WS!4Vf95`j09Ra=PvVqy6S29l%D2RM3?+h{ykFDbutW6R$l z(cEpYagg&(pSBAnje3!-!fI)vczg82Z<%c?WK~tw`uch%Ur`e>mK>q5_77uNXBxK^ zRqc$vsu}O;VinRZ`PE(WgmQjQutb*8xo2`^N)u6y#z!4wA0GUu@t!<=g3zIb=^9mF z`Hg{eumv)tvi5Wh9!FOodYTeE2^}Z+*W99y?KF#qlmr@B3?FJpl&AHk4RMAGOo{sh z2FfAd-|UFcg?!|jFT?rkEC78WE|x0z@R%&aW6f(aq<6{}$CTA+j%flqK;B|BT8Dsc zKyx{FXBj0qoV`PhwaenEiDpn!duMIC)^JZW)Bz{D4JXq!Frx9Q*hLYZLs+r?Xb3vPLfBSbX#Vrn7!s#U18vv&xU1nSe&yNL!Vd zF$Ax5a=RD3uVOdCpG2{Sq&n3UTl&DR)1>NZsOcs)j_2gL>j^me22mDVUbVo%y?v{1 zDPgo~=41j6G-P^84IG%pIM%4u1Xo_PJc(*`fmLU-LeSA+xN~(Muwq(?sc_&@CSrBw zXDRo%rgCAmJPtD53fX+NS7~S09vG!-)M2h_US<>8QGSId)<~9ZhjL$xrCZ4g;Z`)9 zaj#jgn)i-e5I}owu}A4gtCl_Ld?}P0Myve(o z62)~P(U0$a#h?OkoiR;{q-aD$S=%MUvcNy*?WQyn?P_%~h4}(h*DA5`v-%RNWbJD> z>UP1^9WA4FBZi#^h6jb(mW4WnNZWt{63o$*T15o!4A8>Gf#WxMvw zvLyV~^^W&6Ijf({FqfK12Fgn?hUc|Yt&ruAG1^*6S|vkdz;O#Y^r)yF5!!UV<9)*j z^myC1GP&R=osL&86aq=LHDinwwdJWt^Ok_mYM=+Pw7b;h2_gCWfA&cKo4Y7^8%@y- zUP$i_lrhV9HdxA{t?@bJw|ux&0j{(RJQR7>63vSD#}%PH+4mMiew#axe&b#;4O5^@ zw-Q{o5}aA>Gm{dpWF;U87jMb0WS@@b9?4&zTh`V2#fR?2+QH4FLN6aPXo9^4*$nI@ zRFcahE2h#&Px*~=2K8egSJfdrt#%8x&hxE`0vRwS0t`A`~UK$mK`86*^p4=^SD3r8DQzMEnGA>Lt zl^3y@ah`&l;=>eEdm`*N$L!GFlE$`rFGyi0TI+hK6ts=b3l8|{BQV$Y(?a6&Mbq*0 zboul{^TrFzWvX?&STf%G#1K_Sip)rsFA)6^S`ZLRfGnW;?3fYBHjsbZ!S<0Q{^CeBm>YMOTM%1Ab1$YBQ zabh=%>WIj1r#xr0?H6R2`;qxP)ao)NdJcPwQ4HDuS~2dJU%zw}^;$@~cq@7>yWf1K ztQwoqX~;3+xzshFnEerMkQ)zl*^oPCPDi$ey^2+q+YOQzoHcqIk7oMAVtkxAD3;4s 
z-(sPvcs>#%3EE|j!PaV7T^$N1wuW1ynX8Z2w8gH?@ilLSQPcs@;m0e*V$!J*IO*+P zo9=NKG|94L!hjh(*_7QSc55^2mSyC0?&KBb$QOU7{t=g37VBtdcM5Oi0CAjHjbeIA z_UR^+OFB!BFXN8@(YBC8rbWTw z88))zr!JT)vvZM}*8so4f1 zEDcL0TO*YaA)y?%ol9%HBc@he zO|APp3(V^LSu5f#drTMrzE0PEC%C$*&pPRQ0lE+kTZQY<2D&feaK%YrqoU?RFXwTB zm>SjBZh3?=G^N?i;*s0#37*HTrJYpiQtMb*!X9I{cyans+eczyDf(by$9Td1gsHxQ zkIYD?%ix#FA0U*e%fs&i?&z3cZlx!Y8Fkw2(APuk!YtqR^_zWI6x)`V7y@gHsn-|$ zemjqCg+0JWBQz8pT&FxKAmhFg1RFKP-lypGG~!ondGW)*Kyxx2v0NRIP=nS-0O1Rx zcwf|_Z&*-X%))1iN-aY2I1rW*_@O8!zE>k_|2|5EcTMOQnV4vxlihZmA|pzAW693u zN26dFyit#<{s|+Qj^Q{IVW2GGp~f7leY5!YM&2|v7)A+obaT$al1}@12=$t}5Q_;# zGquZT>ZQETNOWas75XOAVz*>n*R^-tslMu@BCj2y)WLzY3W23&OKV#L?mO%#4} z>FsUDfsRP01S=NJE!R!*s1?>dS^;;F#R*2rGWtZHhKkGe>ULQG#XB$j7?sHo|Dg_! zHPPatud>ob%=LC7iT%XcfkVJbrg7!PHTr`f!2>`mEfwQ^lP%pX0YzNSBn!#TJUo zOgplU$jJU~XCsQtcNkCadDd?vZnJBnc06AbG&ZEvRaRm)6nRJWCKRVs` zmNJb0rbcs^uL2`zjRjHb{a1JsoI$lF?Ubk#2z60yVfYH>p>@mON}DoYHW;Du!wi5E z4mI$t1lThZf3&pE5FIO;p8`ESN|pgpycfRSIN z5@S+;-;8=m`{+4mE zX-G?;9jZz6rQKpOa=tW*PipWp|Xq2maaTb|ZW6>9Gcv_)~hl^K$$kPO_ZUi0#< ztIcY?NUnU`8ljnQ+@`^weqe9Xo8R`BlxG_9&iiWkennJi=WKW5llxd7N~+ybRR(-C zy|tTjnJvAzuxJ(ws5!E(T3eI=5RbWEFryM5j^n}Q-XrFsYwxQ2#4Nh7N8@sI`Tf+l z(8U>ayc2?+F)3XtFls3!oUD!g<6Z&?6KHB zR>E(-J-BA77B53ErMy2TMLra!y+8jJp4}Ss-2ho)qNqxUQSc;~O(7joT@512ZQ95W z+|W>5ik5@I@ZIz0Qad&1aKRdjkApFfN6chLzchB&x#0>jf#z0#9eVdMf{Si8M^MUM z6ugLR@pZ!re4VVdpWY;;KZTw{r;#dk{Avg$Z)ivbRNQpqeiov!pk$6}qKHNhK1(PO zt2+cYyHH!lSjY|UTs$H~wUGX23puk6z5r}uWo0Gz<9q0q*5cXLGxfuQpT)Zsu``T@ z^w|=uO$pUWknvnqKE|3d@Qn6RFTyZgv!s$@WGe`3U~KD@Co$MV|o1#_ta2%5~_B zForla0$y6-@p2ddQqQ?Y+{DXRM;V838VB}frG_iE8MQZ|_rJ!{Pa@k7_l5xHpdalIa|Q)F;Gq8C`R%Qk zf`URVh`jBP+$kUWxC1bOyK(Gund0eMl?=#EtSzVZ0Yp-dFaC6tFlK>YArNFB(D)1m z1qEHEBdEDy742xD{NCxc(tQyK`10Q=L^0Zwc-K_NtMGv_1IveWfQkg44b%a_)R$lX zrsV%FQ`dtq28M^H)J3>BIZXp{mzGq1@H-#U`xWtI4kdJ{^C&7Z=MBv+%T6rKZlhIMwyjbf<0%`eoVH zl&>OrBB&?NbN%rUwote?n3(2%#Wgjor5azt!r(z)AE|wnfSV`@m96AkoS7+TAp=ZJ 
zEsppMjEjRnMnctNshR$qz?D;N|e8@rnovhZ_`=ls%QgE%Eji8W+GE}hW%@W{4bvsw88`pim($AoZ|iIdO;32g8IxP#JKsd ziTA%ee37;z6JW*9z0C0kkE4_q`#Io}1CufH2StDmQd0v>uq=8yHrV{>)iWdE7)=3U z$h^fe|HQWc63@K)Re*Bs{l4wmAEG8xkl^QNP$Z$Na_aBV4&nxkL8CS1my;W9zqjc@ zam!5&l8S)uyoCLaDjEH$lHHtcubkgw!x!912_zM_`?{LdA61h2QzfHf!H<8PW%G}F z92S72a=PlMUi_m<*x^AcNsU6fjrgNfA3;(b?)#b4{voz9|JTsJsr3J`p^q&t$Fz>x zPF9+4)vMQUetZ1C+d#J>@)N&}p-t@m zd~c_pep8RC_-EU){>1Om|Iwije@bOdmiO!U(SI!kra$pJ1t+cdPw)-$8#<6wE27eW zj)sX5aOY7??Mp0`*syR#C_yVatF2IL!qeJ!mDassF+e+9tVw7s-sY}_reqzCM&P#b z#`Ji$?bhi2;i~eXOybe*c4hW&BKy6=te{HF{XE=|w~%j@7FcM(a`+L3K{|~ns4{@} zD5fq(0uFg&u!C{C0|WKKZa-&}t<+ZHGg9aAyk!HlD6zFUkuQDeIkj%w@8CTH|8y7( zgG=A2wDz5*F3;ekOCn?*=+sMCY*SImVZ5OJsCqD3?_xWr%*~C>x37OK6@l|}koup> zD^u}XgdWu@w<^k7)ef1zN|-Gk)J^V^582|G)4K_Uw6fTY#eOo|=XI=>HaKzWmxX=( zT1ZxdVR=^4Lk%D$nP{%o5cBIzDJO8D)IUzZRn#Z$9=;@x*QVn=iH^P(+0_f|H5tAk zvaLheS7u8xYzSO_;>AXAwzYTqlp2=96%|yr;HG`*82^I z%;X7UJmUM*yD$#Jv#y$G^4Kpl?^Sw<=amRy#IGB_k=cH8$90Uy>I7hUshz_YZJEC%LX7kPq;x^=Z;giF#Ic zWQ1}+z)|HlJ_ZV557rQ~5mxuhbo*&`6qfQ_ReS{7bir@V9w>nzvH+vOkiIx6BjtnM zHY*IZTTm)#8DDHg*fLf@R4okT5?5uyo61Hu6I*CZ$!3BQU%qXvlX)@fsQjUWy|%X= zmt#VE16&_K!l;PtZ5QB`v6`+|eQFB~7p883{`#(@l~gyk&V-_0{~<|@GroKk2kSK~ zo!i^5>NIb@lHJr6CbgKi*R<5-x+iYgT{4<&0KsU0ist&P@50sn5eDZ=9XMWZ6_OJW z9ZOHm()#QWJt~2YHMIhRIE2kqBOGx0ljmqXS_=!|Mp6kSTi_h4?Kg-r&d@GnJ+5vgu9H^#G z@4K(&8GG_D!026w2XqAJ4f;PO8HnXq$T^WQ(+^4%QZltNrFHG~jp>6Suc;i_3iq?; z1xyz+?9xWWG#z);-C>WwpIR*^hgQthD{Z%%++WK7XrA6=(uJF~T=chEsv|L;;XRnk zWjMIln2#pCE;nlIBKP1hE@8j6zwCvliEvtY$oQb;the*>O?S=-CF5#FDC&m?%ou>W z-xoq7qAi02dl8t9Kyz`9_?s(betKP#oe2Qb#<_(hbl*nh)qld_b7$=fPxT#8HIVON zL3z<+)Wq`-e)^$$t5@gT^ps!nUR9pRik?Da>E;}dAA{+VaOMV>-$%lQ)gUnNW?=Et zI6!x>W}B${MyZttuuk-N=$3k;)dy_Hh=7v7u9A%uk!4W4uQw&LbCrf8{%Z(n7jUF#-CoV{T}@Xt?;8|gQKK|ae; ztul*=FJfRiJ1c^9oKb6eJ5N+Un>2#qpugIILS&$Y&m*OUNj$M1`>?n$y( zgA&DugF(V0=`A{tPocnE==bcov|c^P$Hm@-wHoS#aGcSm-69)#-L*q zW6I>^bVys%`Uhhc=>#xT(|~w1`zx;U<;4lVB67oP*zRO;q*9 z)8{Dhc{!a;^ig3php1E0qPhjFsGBo&VYlU92(F*2o1heG0WOp&)wQ|5yJO!~ZkVkc 
z4_>m^5N}L;);f%(>lWKFP!_=cTB>3fOhEc%i(ZFqU;bloAo-LYzN&KNsQu3Rq;%lJ z{l=s&h?AEIW*4zFCvuEy6VUN287JGh*oSqUD>!*|8QtPKlJv$V*=y(e_^lykM6kxv zDmK0FhO!hx8J~xo?revU_>zmfl*e2*nXS#ETm=n3j1E3m0P*#T3ZWKZQhMkd`vi&8@ZBMiA5CpP3#FH$Gcn^F5O_Cf3#kY1;752 zl+NI#l%`Pei8HTGR$+3;6VTI1gpY3sgxjuStI9)ST=jMZawhUqR=Gai-!snF`=y2v z)>IyGqjVC|pwNJ26G-$kRk@b)vre#~fUV9L>V8aD*lOw@Xbgb^O$-`nvb`Z`KW9!` zUZ!>za9h44<|g~-Zxwug|4cXmP2R-+%I3grdv{8#ONA(VJ(Wyc(ma2zdrNPbDt+Lv z*)Z)+_JQ(VbD_Ji2S2T;bdRoMM~1PG)aTY+iWAp_5LsTz1>*Ic;nqUt`q&a=9r#xzjGsk z@Nd@BlouuJg2n|6kiW9~;vVmA&Ma}7C~>boo_(f~)4FknjKm3Gii&uz*&DcKjg49| zUJ##NffQrmY~FtljV#np13Kw*Grak1E}wcl(u;`V%B+C)24bn3s2iKg=4zyL_w&fg zQ;ja(Tg%!9;EcL%-bp4u+CXe?D;A-ATs+oW{XsM@(=?xT8$GVrG6k@i)|k(;=rbZm zfCS;xwJG=9!chWEPXD6xY&Xtcge2WltmN;vulSdX7v7 zEU&z4{~p!jaSkhv)?EV)C0>QNxR^AD*Sld0IA8|XpD!FXUxFILu5WI=pFSG!$@E_W ze@jyZ{Sv5ky~k_{*(~$i7rN&mC^+O&NARuAelE~GQiYRKsHiTm_v#F!nT(G#w5dd9 zB@6P)duFE}W}Mbd`Q`!9p~45|uhMBmk#EYXFPFv0W!~QMsz|zoKb+ae;{FKVU$V$II<&w=gPjX^*O$l%&1q<1J@z{KN19EHN?J0pRTV0o%fMr(f!S}4eMCXYmRAOM zf8fFV5@_Vl_!;QxUn`fXb((Od{GbgQ=9ocDeuU$fO+mz9kkll2C!mtRraPvZyuYMx z*93Hgdp#w-;D{i5;1n^+ngYCO)ARUJu zYSNx%t5vCjTq7Ys>OGE0%-7m4zN{g|M{T5jAVW=R64>!3o8{~<9BcPQ zn<$c^8!UK4i&mM1wKzNw12*PMQCNS@<;5QV_0f@$z1{a`vR#1(5=?JOzS^&Is`HRu z`j3)sQsE4{Sd+#=Ez)hI!VRcV-3bj_s!z<@>!2T9<}RL{|Tla&h648PB15UTMqOz zlSrk4-6CFj$3YT$HnL02^3fp=T6tedFUqjmiPmXHZ0QjS?z%TZjdc52GZQ(k+Tl~M$CT{8R{WPR@GV=BIXphyw4+uW!%$S7 zgWJWgR~aNUmBuYm>>^AYI*asV&&P|au(x%2Ht;1`+{|B@I8^GZ&}ld-i*PN9HwL)b zhi$u;H7POK?#@MB>0jk-*0P6aJ{mq1E8N5=dhmsfel_?d_Dbrz~_W|hE&Sg z(XUx-3c84P>11=)I>l(%-l4i|Nt4<8Q+9eyD~S*{uuY=m`0XoYBW&FW(){x;lo%D@ zyr9m?f^ccyRztv_f}a?~2uN|lmjui}hRXJAG7Lv$%h)kTnxR)T>vwH2*JEM*p$aIY z0nrR)#Zxo9K)QjMVJ?$Hvl-rA_5Ao@C~>*O!Q+T9n|*zR+N8bVn)LEts_mbYNsT4g znAuF#_&8fZI@p4MA#wQ~^P=NE*!Vk~-8sim=53$g9xWU)yL0U{jbo!EA{`kmOd^?Bl_vxCA78& z-^f89i82$wV$iO!KmE&VC)^J2Z^EWK1{>yFFxiLVr-41stPqB=j zPOG4q8I^1rryspmlj#f0((LSw%9=6zze)KCC2%7nqeTJmbbc>fetv$?_D##8>?DT2 z98ehr6e@5bBmUqrq$rg`v7_{}o$)$`rPz%Uqy+o}iCq6wlPABmNr+ 
zHRZt5rVib?HA*as(Hm?x{Aat1X4umHy3Cs8i%VMY+-LvSLY8UtGjgiNkuBzipr#q2 zkzQNwV1cFnS2C!KCGVp#v!+V_S3rYc2)b1L=3ejQPmv^8{02m|0y3Q0Q~rQFKQZk8 z;XhYc085Q?sLpAy7`IJ`?~C!5x4k%8_|is7*|y2Z?>!uwnvrQaQqiY<=*Wx&?CIA6 zn;%`fvmxmMp2FXFrq4mQ)z^1&C?L;kY) z>hhw1N`kL`u6@Mac);*4RsI{M)N2HHD0(op0Lqczq?!Kc!EHizZd}}J^g>7+Q{Orw(zLHU^L2--h#e;Kt~_XAk-IBG zWRe#1Z*--!W`-pY#9YA{DU9)gJd(x&xT&%5-i?a#it3*zs04oMS55`0oRhX-EF$M7 ze}>heG}8>Y@YbZH?N&@)!X&2k#%4cB3RSnDIdLcB#b1~KZgZm*vyb?@%nYbInH{y3 zqAVE)lkw}KItN}CUl)vwR`;5Ht@@9`Z;M>9=s!ude?!P;Bm zQdtP7Y!7Znt(%)L?dlm*TyEZObu#%;8GnQzme!fw^7^zt&lJY<%1tyE0#PmatuEA^ z9L}fIV}cqlu*+G!r3AWpT7gu3WfDVQm~RH%7wrfaOnE{=w3z*QfT7{G(lE&CMdiZ+ z0F~cCM9r|;EFU1U70>%WWKioai|1X!6AcjsENv7^9SX+AE2sHzMdd=ZMzjm$68F>aJk)xWfq5q zd6}c~LVk=MN83-We{K$=aB|#0r7pv# zw-Zs-&e=97E}rcVZmp1*VHE<-IPd+H z9*N#hY`cXleaQtT)tX@VzsDr*70+VF%?BY&(H(S6ayvzqR7UUI+5f=={Iy5$kh^)<;KS$Z4>ijOXKAy$@}-Cd$z87ax#jdrqgnJK7!i ziBZV(&kJSPHlN|prYra_6vtgr57^eT`S^_RvX*D-%QVJDMa_|eYb%~>oOyGeA(wbv8#^x3ND?+VmmA+5u)9yF179b@m&V9A+i35lDPFbGJ+rSH&k?@ zsD&+Ay_p1Z=H)R6VSg`FqIBQx1)n~7s}Nm!=YG)VyRsTopim>22&;av z;XAfdx&eu;SKo@{hZ+pLxr#Eq;v>l=%3#x&Avn^dMI5`#TTb055}?-n(?XeZr`4z2 z^~bC7E8k|l(gq`OZJHyuR3iv81lZdEO#WWR{=(iiP`*m{f?pX_3-^`m`1)kN(vXpQ zT;B<4Qt>Tpwv7EYoQ@9G*F0k~HSkxLnjWO@rsW79qR7bDguUMm=&M)7RqEHd*Kp85 ziAP5D9Ibfh4N}S->tKYQyC$nHH@tcCRUgz}8_>Ao&%1Hx9%KNWbAXYN&Ol7Ihn~j% zgp-liGkR`5!0n4|=AhdnUy$lC-+)pg9@#k?zlU;||DI!){IMDtgkXWRUNBofro%tx ztWP;(8u#xLs(n5KZ7%7!XG$_hSbQowa}R$V*2(kQOciY#@vM`~cVGNCn#5mtr`(>|ia69?i7u1um=pNe+bxX3uwX%vQfazR zSP=w5ZLUOrKtz^~a6^RmJ}%u9N6Q@&Qm9%@SnsTtKpDfPyhQAM9QNPPj`tsolISq+ zz_(Oo)P$#pe(`>V8J-b2&$e`7sN{R~RwLpr&~OBwRr1DUgX}f98)TG-ib1dAB-$Iv z7IeaHM&lMp5hEwlGmY~hA4$D}eb&6D7ohGVE=I-o-fyGBndy=10v$dJkhIcwFgKr& zfcGs*G`>H3Y~rbb7O;}Hyg{Q-yMl4|w6n2wZxPQVw6w&=#HLGx)HBFVFFMHLlueJG zKK!#RSa(NRKkqo&pskFYfxX+>386wGj3wtnJ5n6$xPKRB_`&4dD~5)b_d)mh(N49F z7CH=^$KrJra)vLz$k^T888?a)hm~+Rq_lLH&%VO(`~{(Z>lK~b0@UJpRl6A&4d^>f zl@d2+9pB`A=!BluR)r%2Kc7Bsy$Nh-fwRb76|p@Rxl_Jp=T&@`xqjFYvs0gabbf+4 
znk(=3`0QR@9@x-Y5b^~ZULe(5dKOwY8V(;Pkp~(oNjWCbL39@4oX4O;^2GM&lE+G1 zS2=@Fr1Ek|hUb%J}=cSOH2xb!M(G0FV z1OV!dpw)mK>;oX1P!M*|h`R4f`hg!7Rz&$Sf4o^I-CPI7wJ$IsOp_%?bWk0vjVqa< zya>b3wZneawXmu2W>Kh5hb^CuE4SXtu%i_NX5I}+B;;;?&b!yR?3cX4v=TfaDx9t^ zwgelh?9D*8j0@C8Z;TzR)PT^4|NVXm_gNAqmH_QS1@5DOOzbKLY6y=fN+Fu-w}dbt z44OOt4d>HzJ<2Md$U{fZu&2EC-Bymb`nOJDcQR%8)BWyY=?^`0FElmh(U9Ubxx_eX zp9G0;yg9X(*1>Ro%(R3d>@A@ccQG;}&@o{$EvE3(mJ(AT>Fgql5m8v>+ze~)`ovbC z9MkbbAv7q(bZEod)Ud!fUgc!&igGYm!@}N(9fywIQQzu$76(B;jCX1QzrBiTJ(ml= zt)yH|69TePguC;DYxE6#eX!}#i;?>gpiE6x-mfh1vKle-8U!w$eQ)6Ce z5_DapxL(zR_#o}}G1XM#9Z_tCET+_RViMbfM4(uisHOkN(DWt!>kokT`GL195BjHJ zhBgMv_Ja-CtL8#bwF<9H{ttC;85dWweSroK9y~ZfgIjP9E&+lxu8q4(^=p*fl8j6<7#4kDoEB;Yna2BfW7?P5*M(M2>WsM}1WIe`#+ocQN6aOI zp3Z9Fea6_2ku5mMhIc=!L_c*`tx4>k1H2ujRY=4#K|XD#S;$|C`y~JjTI}(94K0g~ zb^LGBSp^$4O2k~Mp*y$%$%TudW}VlK*lt^{4vpv7C3)Jrb&1#k+hnFi&@a3vLe5w~ z`!<}Pb{pMoIHAtj8?A~&jdrCaQJ;#F*if4gtfE~DjXuy=!L90G(!u3zoeg{rZiW!m zF2D4a3Afgk#ofETuqly~A9L5VG-s%L5;NCOn7qXrKvHx2Kn5EM^^TU^{%^;Y-!#OY zG(14DHY7{R;XTf<@S;o~rlIEtzTD}}V2-+@_R4sj-t6|IPC#y!nO9A$HN!Lxql|Vn z(okk5`P%u}0eM%~3H~>2Wf0CxTJrU+CpJD~BCKvcyFe_L7gah07>|!$TYzP|jxs$b zddX(zdOVOU(>;8_Jc_g~PPR%Jlgc?Ky3WS_rNL(kyLppMV)zOeMhJ>Ii-AicFr7%2 zgydl%=9!F+-udXo>rjW_#Adb6?M^xUu?56v2pWXF9n85Y%NlppR6d(nIhABurOvWi;GKD?zM)qcv3rx z6)Ed#JzPXWq-ZP(d=0{w$H4a~DC+q_SxQVA-K1g3TuaaA#2(jkJTaquCO0YsYrV($s$|!2Y9jYSJlFsY#`0Iu7BFA zXb@AKqP;!Wq}}P?K4oE?Xn$kvo>;Gf2wl&=h*~HxRijxe9WzSX%_~{oz@WuU+O5)> z!$9;Xw`zT2O2(HoTap~EvPa+j!v@R7PE=6$4f6PGov-$z#EuF*w!Vl6k*HV@Jl^2DU z_zn^DuDMg%u4O$uLv|_estpJca#9i!C?qEP6!isvk$zK?fjpgX&aUQ0D`=HFSPL{6 z9^qYy!|$a}4KKb&q)#!ZWg6JCCB{j)U*&C!?;Gb*rBPHFiL<^yOeZSZ**?GznbSdL zhaJfFtbrC7F)S1|m!`GUxZ!_yP6`-0>xGs)#v(bEkO7y9lDNJ8H^_5--d`H%=7dGn z#1Tv&DRc(P+u9@;X@aeFqY3?sk6qk-4`85O{ONj<&iN|b?&+Fuep1Wlv2lFwGNQQ{gBG!U-d`V44ImGdlI04$!6>bF*iw%3!m zq|Hw4?0Wdy9=1(UmJ!Do^Veoe<0Oh{8nttK;MKBit7zc@mMB{?WKU&2d(K&X++Wo) zPf|3ZTr^1S>?v&-H@teAZ#rORZf)tv9D}*BSy7hbVXW)r_WV>hR95ZA@xB?<`PDys 
zaYi4tjOb%yL$Y`6cj?>|4)bK9wSd$cvoKed(T*RFFc7*g&1eEOCXe~G>FmE5+{v@Lq-=)#n#NR8RA2$ zJM2+`RFT1j&vZn0knE!1@-%(lY#mZjj@zzW|HGzqioHX}L+f)*ZK%K**J5nkx^Z8a zNt=1zYF81(%ze`Aj`-8rbKPAV$_f*U14^&gne%p@d#K_h*~raQS>aWT`EY7G@b?Tf z+kQ{T?U_BAE$?4YtmfQr+^Uh^qu5;w(rI$5XJin9Ryj8{7=L+XCHa%CvdU8F{3#V* zhip3JNy}Wbbje)#NbakIg*qE5nOAf`xR*rVj$*^dBOcAxYgtGDO@Mk>i8U@j+Idaa z!O_gmjZ(I|(vT%R;VJ)m2`qgUIJdow=#Ep`Ggpsit!KNUmVqbm?y88qbAB+bZtK8a zNlzN~j=euw|6g{~cqh#KRN?n@5|bBbz(UM#D><;H`=cnKUi)Laqm(1)P4#qzTAs`Sw z1^ni-{v2lc=f49UIe0<*>Jt+F7uWdr5Hh%aUmL|R?l)sKqX+)I&BkY<3kJ-t@y&x? zg#UdwW4?J`y{RndgH0!&f*mjry|*P|yCaqB!9*PW`T$XAQJRt;c{<6?ACAjRbucWN zfvtGif`V-dsOvtfaOI-&}R)YWiw0oY01zo}GwxAxlnrai6%@ zx`)%Zes>R>f?QHO5Xk5GbFuK#PH%IyA7{$M(+;~~astO6yQiKA9HK^|QS`(4K^Unb z(>9AH1H}=iL(4+zQ~cOcOs84edR+U){ZbNM&$W>e)l6-r1y^|K8HX3C!Q^s&Sb{KD zh)4}fro9;o7f1DvMy*${+Q^6^7yfVQRwv8XqqQd#QW#t3Gq`n%%zMwKJS|+Dz5EV9 zH9^RDk|^jXN+__}oHx{A3;it`b~Rj3a|ewz#T6T!;hazR?9I&1Tz1b4@|%F-%Vn9hQX-?7Y3r3~6&S9pQl z;ZU@^75gH|gkoiHLptq$W=%-)3mqL1+MW+tsm7*$2kbwu=cE}2vzDKi)Kxq-xijyFh*R+gOn4GTo==!r^b!8L zvn1dj1-)SuaK|?FKY362sB{|Ptnw;A&_7(Z+VOF6on4X@$(365^+uh5Q_Yth4D1cL znpO+5brf6-)ypf?ylOJ@FC@GzW6qjrIT&D_Eof!T!F}yna%QBgu8B%U3D+z znFVu~%uXsABUuEvywi!!yT7PUvJfnn&ULtFLr@c!^tElG3TnAhQmu8aB-CBmKW+5j zoC|V@Yf3Emo+;~)-0k2@Tp!s!H$IPysW#k^U4b%aovarb`gneVn|}X%OiZ1xzRh+z zetp4(Cve@-*lT4`!86?RYVTkiZSPvcSvwx-G2CjM40-0HIUF0oMbv4)IlW2?EJI-s zGO|KDsfs_;j@!tB>so^OMfB-iQ@rs{iCX2B?LwY_Tg1%9mfI&P1RbOObWy$?`(wt% zJ@xCb15goYjpJ&u;r?!EoH2DLArdE$!d|?+AuXLbw81F`>yO0saeVQ2?yb>*uy}Q3 zkPiuuEA6Q$?PA)?VR||*MZ9C8fuu&i?Vrc?$q#SqD-U92J}&sc+3H5Wx}2!i&|-+I zidO-V#~WbYC%~M|cVp$E!P82*k&|w7WWaAX8MYC&j+?;hipfB*@Z;>)Sg7PSGt1t4 z1P`LVltj6oLu&AumeE8!HQSaSU*HqPoybm4@@R;GioR16d$uo`1?ei(cHyZatsUMh z!px&aMC}2I+6i37q$dml{>WcXGtXLs-X^od_Ak>yaL*{_zroiDYCrMSM(6aExl>%c~ z+>6oFu7+mbr>D!YMLF%XW`TH>!|}Q+sPv8Ajqr@^DrHW2{&!`fCG9^rs3et_nOwTN z?nC)5q0#3oUPsxaL9ue_w~{yt5MJ5po`tp z6a3>lDZ5bn%5T;lH`Z5(ySR7Pb)>g!Yd<1?E#m(+<>w{h1>cF8SgL^!Ww)~$yyk#O zW<1)F@VKsISuHNdGu2&ChE=wu?O^Si(`2||WX 
z`!&G0|2}YfUq!Ef2A`J4Amf#G5P#^FH^B?1fgt#v#xkRU5Ve-0-&UydiH9&uKV}UyRg@DVQxnqubad@7x^ZKU+q`pcRtiL0%_ul+suKB`9v2@ zWOPTUXECdvWIgIOf2B2@ADOh=&Zom!bu8V(#u&N#u1p$I*vOKAoMZjGaD2%mr7MK} zP5DYI?V@x?I^UJ-4Fv&d>ZxN_;>k`rx@D8qXlpv)x#MbGw5nu zXU20YS#<{GsRtf=sOweuQr$+sZ(PYVCzrAmSI#$P0B5LN_VM@DO+wxzMBxy39Wu7$ zTn{r_PU@^MS*p?V+mH(%_q9p0@7j3h2F;P5F*BpdTKG2D z-ud9-eF(7=w)RdjoxUrHn1Q0#brd+SQM9>X@=e)bd-EU!kpJn)V1;@(+alQ+X@NQD`gvE#A{xbx24#uz)tG+VY$2$;*WN_26j|hm=iW7>zRr(e1qzCTFvhzS zN&ZALI;+AcwBBj_o@jZ^lI-RuG3@d_bvpBi&2fTI!=Iv5^&0Sbw&dZe>U=K1n{2SG zUh#|E@TiL_2-o8^{8jfJ(zQG`=QbjbslpgHYzXwyXRY_pw`laNVjS#fS%b{YZ4B(0 z9>9i(7)3A6Z_f9`biTDIn|A@q5v#5FqtlmvsDKWa#d?(S$lkWC?rm01ItZT#cvUi> zq(!;N5?CFQN?saYxO1T0pr%iJDDlT$SQzqaCa0sF=yVB;cXimT!F(ti?V(_j&>a|9 zTjNw3YOcC+uWh#VEeeKTMDffL&YqK=$=R@^8F`f)Thf106zAabVjD3vq*M4(OMGuD zD+=TEY*^X4YKj?0j~6c_fR@Kfkx%VI{Y?J)?XHer?Dnf(|3VD}1)rZy zz$MJn-k1FX0Q0Uj32D~n!mF3UCK10B#JmqLyITZ}`VJB*$L$ywO%Ink!Pc?%bNjna z^Nk>)RW`H%-meE2r6tSyerEMVcY-Zt(Fdm$@&eW+^fk{kE!#huh=~00v8guu@<622 z{22Tgc^Oc{966RvH|@?73AG#9Tt%Zdpp1eR;$GyVkR3Psar^CY+ENWi@5UFxqtLk$ z4}8uA&JJxhMeGvA zi(ls~?hT)(N?y{LRlJVhC-?nVu0Md0kuxbF@_mD85(GJ_*Vg$i0SN-M0~)2 zU36|3pA9!d5i@_?S&U`fRdHub@TgC_x_HL0d7@6q$^mhlrs~b*$CFt-44Y%z)-!i+ zwW|%NZ2NTF7U<%P<1gbb>5uK`cl^C8ftLe-h^_`(sx)vfP~?dQ+TNLz%a!o4DAX&k zUX4YG&+r9({J#G|(|^`ON8j%R6o8J4qeShP!;!0-2-JXw?7x^UDjIJC3s|ZjVG?yb zzgKFs*enpx<~tn4S|f4RpQlU2r_ll**EB00%@z#~v*-GHNque3?Q$wSvF1|qLzN5}sb==eNl}kydGC%ECJTz;^CF0KU5x@6& zir0?>H^d~k@6#-SOQ+Cd*IFXGr z>cq1AV$3|0Ap%a8xRH`ILK6)qbXrpEt=I&=j}8_AX)RXqB=K|?&1OvsTXl-?zItGP^$%f;IYXm@v~juz{zkLxqU3J()xosKr{LUB*AYg7}f~ zvz!LH_5`m!352U>&#D|IJLf>9@_?HSo*YJhq~{Co!e5)(?J9`L4dbX?X`ayVC+YDl z*Dxxq6#j`M`Xf+1c#Ql^Woq-tF&xR3w&USf>RmxK(w;)C-tkG6%{!c-9ka#lU;AX& z4T1Uj^qh*CKkTWjy&%Xx%hSzCz2ff`TeiKqNIH~J$LczI=a zF*M4NzS8RSY-i}HKekCID*9*`@7o114%)K=xAyY38~MWhUc)|5o?Fb%T*y&e-?YR8 zuqup%oe*wp%KyONnbU28{=_)+u2p?VIsUPSY(Cmn)|dRcS$1&JyuOdTT;EiKKAEPR z%%5)=ca4yfv};>z9c6!0$;cK1Pw7pSJ=OB`D4Hv7I?(SxYwu%+$+jMFyXoUTKdiJ0 
zT~tE`OT|-3YAi@j=#UFw*%8aWSpVszwJ=7H-g;2>IKmr?Ny#_5u8zJtk=3|5{nGBa zp}uK|?HtW1jg##5cI*!9|8u`9#BtSHV|P}TYj0w`0jNP>H%TS2V1rSQ6BK{ipD~ty=v@i~Ickf}OmpOnFpXNX z+HZCRsy1PJtuz6a)?U(>->)>Kx;Ly|_V;@dTDN?X7ASpQNnkeB&1ncqX@Lbw+-e1e zCln#)n6D|0$i@U+6BBh+#c7pP6O59Y`7kr)ttPM^qIsyMrMdN3Ut9VX76F7W*a@L< z-(2@A`jxM*>?ANKZp75ZlgNmUR+6?D3`}jsB8rK0x1D!Jeo?;| zog_0pNboKOKX0J+awzNksJLDKO2D^-jpO&Et6_)G*T&=f!N1}c4FpD8MKE*U zv)0qrv-5f4lDJ9uWq+jVOgq(Xf1MaeW#p)Et?tqdGMac)Y`UpTf2@fHpCcrR>+2(I zcQs8z(x_L92jPjJgs!znulQ!e$b;i#Q58b5*k-F?*^DYf+6gTa}hl z3=P~-Ko=h%PJ5wNs)}Y6B#FwA7rxd5h5C4~H2vMUInIsu{oA^h(=7^1f-;Pg2yL4P zM(X(+Q*8dB(-2ceq^Z&=f$uPzg58wOZf6WgEISs5AD=h3watNzOfo!l+Bqq9xDoSr zkAtLRg+)6Tp%J~w`_1k`-s(=G^#0#!Y2$vf#(!{`|HNy{0*N2T$b_=u7^R)2S6^p0 zjKHSFvtrfXmf4c47skd#nH>_7m`@j1)a-Ntx`uJ;19s5f2Ws-yE|d}mC)xigL8+F4 zNVZc`Hym0pLC`dY?7_LH*7M|$2rs-Djhn(Q^6y8IW2vYL1>$om?F*RJD}@Xh)|w~| z`B|Epq77OQY!n++GPDFrvvA0Y^0R~wUyhZuKkLz+!^!bz##rAJ(U%n#*X(MsRqQ`A z#@kd>Hw*0~ps=;!$!pTB@Ej3bIVCzzSLPA}frlaL_1W0LY&B7#j?x;PB7Y#)rqqRAP5hL6329o12X2uM@IyLZu@tmu!lsc86}M)9&GFv(E>!*W8>xA{(ou z8MVJzCbM7P6gnpY8p;l|)JNb$ugl{v0cf1142~^hKlj&RIbY052^E*_rT$=kc&0+u zyu9}47)LMAAZVsTjvjL>C50E-(H^bO=RPbgjQ%{)^~uT#=HkJ+V`+bi96~*&;c@HGP^;WERbv#?j2rHdnpN zXW0KzfN%7q2J)Y7>_1XIE_ARh_|OvV?w5@KNCHje8<-jF=cxOeD;rSkO)fM{VkuV? z<;H>@2UE0nhq`4;af2_leotN7thLX~O#Hb{rPL3&#rSd%Ts!EY>@kbHsJ;f8ek4ee zvi9BrpQM;;{!2BmK1bc2251|-90YuA2SFN&_TRB%$nt?Uc4VG5hg0#OqLt=H_{HKcWzYKiv0S-yMrn{<>`!DeG z|6RiezyQXxY1`iXyO!|Z7ygaIqk|;}W0{VoH!xpq_nXap57WN;Pbj`m z+(+=NqU%?#lasR{2h`VoHzew zY5!&B>Y3nK(VrKW%l_qq|0^eC#Qx@c4>G=CPyeU-LAA*5S#7H6rT$a#;s3u2?X5*? 
zEs!kdb10SZ)L2MQEB(h~;otKt5o*s3!W+m?#^_+tKu{HKXOU30x))<9yQs~q&wVJ* z|L9Ho*LaSbK_6Tm6->^n@`k7vvkwLd6^Wgn>mqy#_1+imz|5cIf0LbWXXzITT`Z#^ zvy_xeH2mkY{68zMORWnGkuBI$z`svFQ21Hk_1BEOx-*P47WBk0i*7&?>6t=;Hj^b~ z&|f)|V66=$+IZ$y?3SYJcQyO4TQ~UIMK4M=2e9`gy>O;Hp^RXz1X$_>2s9sa{a1-e3sNt&?xKQ+cb*J6Ada#67;CR6O`R|gHf1Vvl* z?S(hUuQ*=%OzLIIb5I%5F+qxq5m^ho0rKBZDQ3V!%T!PuD|^P8c2L7BNoE(ytQL94 zZs5S{4G`*3TFdy*VpT`IR_g*Vl!Dd%Q&#+QFVR3N*+{{pU#VbaSNfD3=ou=a@a&uA z_yTG#GSnGp&5j~U4(tti#rT>Ef%ui+jq{E^H%AZyA^%Ox0e23h(t{iqQl(Wyek_7g z!8HrKX6%58AXYU?4zp-U%~o=`=kVWz5b9;#2ug`*0?Or5F!|LaGsx&EQL#GPuF5TO zON;HYZh|ub@P*nciy58%V#V8>;LUh?-5XcO1VL{^VQV}UA*k4XPzhavg#J^ZEPhA% z)HDZD6|^qJBl{dB`uJ`_<^J#LOkFGpMJo8~;R1a*P`MPUW`SUA3xc|72aTdFdVSQY z3VY?3^t6_ZmSQDYu+1Isy_AnRxjdQ!%T1aBF|3(H27*+9;0(q6eZ@KpdK-Ov-o7a3 z{bi21k|Orsb`fSi-T0Om9MX-QkRYSV@}^nY@wBf7Sk5b}s@{jBu}}!oz#~`KpPUan9QU_p z~djx|napvpj_ zv1^O=W$LEw;K4(cC&WO0p~`TMQ2I&BHmZV*qhzmMkREK;XD^{UHNa~8*OUP+&V#I! z$I5bz)vh&*(yYH|eX52p!Ba&77qFp$c3_`bZz9*(tcinNfPh&&$v;H+nlvK~_+_jb zWKE0J+}QYCsHn((>nmpY5AXfn8IbA#{ZoWT7}nCbs1`DX}Ly`5*1rl#9gp@?`DMra*v zMRIc+GFr$Ij$c~e-_UQUSeQe;$Gy8aB*=I!`L(rW3wB#23ooLXM}Q+-^m?1`pe>U) zcyBg`(V{uF@ynFz?)F^7e(mWV*KQ@o;d2`(CEh=qt>$d*-b_$TiUmQ_Iv_nSSve_x z0lU6)t?b5}gyZ;K>*D}X-Q#1&h)YF2uq|roaMZK1B$NG~v*OhpbB+8qrS3kB71Qv; zeG%_f%+|_|i?Am)*yQ0yh~h#$G@QfbGd=9>rN5#m|EyMpg|Qw~Dc|92XHo;(YfVHt z*u^|7)#uXknW?{TB`LI^f9Qgj?SysUfgdY&8{yBGw6kHDEWe638_gJX%qfuA@8Q1< zA1MX*PiXNw-#z?UKU1-|@};%nlRbWC=T=UNpv5Bd%w|X9Zst@iLm%xc4~lcy+D1+J z*N<&Kc+EyzTyMX9513KVCBcS1?e?A5yRI#usDeEmT;|2!fG5j2QgciL2gcGyw6q8c zp~BLMa}x?%Ph3@?XquPR)@QlRQ4`7^i7pk--+-D~R~xC*|DYq^9&S!g&w*yQc*%c5 z>so-A!gPt5k5^qGtozZ<>dVj2kdokcM5$r-r>E_ydz(x~4`#q;t(}@TfuTa#Dom^4 z2qm1o3GFnDamP=NnsOs<^f3ngT*=w#tYr}=U$CnydF6Hmf6Zt@=19c2QLr;X^5ot$ zBq5cKF#FRLC)K_svR@U6xUG2>PdA5ZSNP+YDtHV&KhB(VwamPo=gIF=;4|6TKMYS! zk&3wfLQ}cJRlTlC_ri!d{|@6v*bKqabTR?YwWx`NM$FoL(+eNxg{Ppb7_1!w_UF*} znx-V)q(;5#VXw>Gk*G=RTAXnG-g+BMIEGFEs+G{nNft}DUAV_LbG6rX1;!26l1_c! 
z*aF|aS)3)a6`q_WYdYi%!uJJ;>1Iq>0?dW+;Tl+X@bYVg(<)+~wk_4$rCPp(JY$X_ zBm09=ZU{)IFR*EVeu`JtK{SUR0EXagO9tV$%-@Rv&s741+X9H?8rN(+@JqJVd!(HsIzCer;tT9UajPADx|gOIA_!JF5k{FoHx zN5}S?o#1!T?g|QnQ7zbV!-HLidd{RPq^LDRl|%;~;Z6P<0|Ro0sOuMuI};nywn(YW zChhd|7)`iTIq&0%Zo!-m`*At*BJRR{92}gjshpB3Kth!tYswM1guHED(XjyO2PfRs zVA+TlhSD=+7xb|)cwg-i^rLXC&^mpLYLe`LQ;A{s7p|@QLe1Bx>XL*CCajJr_X-Mk znC;=NE`j&H_MhTpYEc4!-_K| zMBKnod0X7M42{~{LN0+=oqs5!l}zlI@C`)S*&!Y#N&Nap)_q85U$6_SNsXzt?v`rY)nfjk?*95^AL zg-WiE!xiNfw=V>f(mX5x+mJ{5ZbvGk*+aU=A+e4@{vrZ;+5EmY!G%C1rxXUx>3 z%4q?3yF4(oezN)xohC;k4}P;%gQHm-u>Fxia8n^IWj}0OR9G~h;o2#<;3cUS-e-dh zV^cbb3c|$Co^4oDL>qtDqSnJXgT*7t)fi8{X(H=sNbL=cB*JL5VoxxVVYfe*?it^u zlS44UXCS>z^KSSlOk0?qOnPG7L#l?ge&FNXN4e2(?niS|6g92ydR(CK;ZdFdK<6dL zqjP}QqH~doyNqhQy_oP!boL-%+@WEGUlU_s(TB9a`E*@ZboI^ju12??|65y`s^2$* z7Cs+V%62j~Z0eTX{+b2krnr%IW4`Iex{9+;BD@vvTB<9*?$wNsAC~8uf3P%%&MlRg zJ}4(KU`f-YYw>p1luxeXrevwXpzF2a@nW+_Mm*sqkMavANzHsMTr!f6?^mP z_!ctY_SfEMmkPg^5m~*C%1Y7XDd|0(hT^%}?!itt6_t!|M7DA|1Y7!Ej?LX1diH&2 z`xold0goL1KKJwOV8w~^`L=Q_ssI7HUK6=SoyLD)~+4u}|khh!ruIt(_i zl$|KmKMHcei$pI!c>gX0SKpU!A}~Z&ncz{eSh+NBq_+T6-065A z7xVu{%9%kHwMBM*1vX>Vev?Ua`QqaxenKLZ>+3x6360fS&2```Z9g|I(sDbwq0-dV zbt?45aKW->L}5v}YQ}P=mR$OHWSGG$H!dmOPLxJTq1l@>^R3<9tJ`Rz4}_7fH?DzE zt1*tzu4dZM9@pOd{WR(FAxWDgm=2q=7CjdvUuPgAg+bD&%wtBsa;%V= zaMnA1-K(})qM}DD<~YzZ8*bRi;F?gczsaUZYkwK3n764%qx_PNVrq00mKq?yxRSLK ziA!A6lzt|@oh|v^)}FF<&=rl%D>+*W#4M1`vZX>MHJbXI$YH)8_ABXo3GMFs!Zm#T zPqmC?V)m^=PDj1NA#07b_;wTE@?@cVcA3*rC$mXhn`vJbK+!KQOp_H~)|Ke_jQ*4THH>DgZ$lXi%!EiM!MAc0?3 z-c3!9^Tn`Z42twtu7q|~hr!G81c`1t@9Y7cK8wyxvfcZMRHk4g+crMGJyvhzx(s~k zSZD6;9TIqJ7{@35TD&sEvV_!`Eg5M-_6nej_D~^^D639o9V6`6HAF1mOt8N#d={=Ss`Q&01}a4erol z#;m^ZKVI1~PTpePw&nAP>Px0bwh!q7)W@)YQKm}Y6pdn3a@!6y&F8WQgtQB&49B>Z zDwKaZK(mO*m~hjfT(9`F4%D5%xZr@O=@9!?Q;Evd&h$<`+&hdRMk7k zwsf}8eC<+Y`zb9fmg+R(W3k5N$L8&yv(qi?6U9`aZfV(?;9OJ22`nnp8g93bzQ34Z zY!Oy(YroFeH_A%1#0#X`B^aLY71UnT+wGIGv%^amh32zenqrNexjM*#abMi{&L%xB zKu(-&6c!bRLso7yBD0T3F1`J>I1n#qKjxTtJ8LEa{Ow6HcctUO~ 
zPy|z%m`r2PoW^axna}oNs6pOiEVu0uP0YV=$(0=T8-Fl0?P}kIz=KLc9pF7;+h$#9 z{GlwU94Tti#eY2#&Bul7hL!w9PVO5BM5-xT;&j@5n#jVjaPEQLj387u`t$7(qf>5Y{V?B!qA9n=BA@9;ZF2>hZ#$QW zC9Gw^9bE~+A{uUW&;3=q<&OOCoK;L*^V6&r&uaP~C(Jj1F0PjXXMR_`W}2l|2Pyr% zH_mhYMXrr#Z$pSev3On)%PPnWjTqo#Je=M{yP-s*{1{;2RRAr9B&aW64)QKc9)CS= z826giv+OtAe)7_bI`~dAH>5>~uiMNHm(Hxb!BSJ>%D;R1WvM92*>LZt>%)P^&`bEH ztLckdu6yV}S+|7sqD67KY4UBxzBC%^z?JWQ|}&6;#~|}dyeV+@*%43 zXB)TbmyEmYrHVA9s(8KoxW=hYENCKN1=~1QM~pcu@7N ze?1mqEP!46uZlwgG9D=`j2S}&?T54|ik+C%BG^Q@^SL~t33hU+atV4WFX_*hP1dmk z2^6a2die>q!rOW|gs>^D=~jW{c|9Z#VRk5lf5`-cis@NA##i?~ zjLd88uNI)<4Nc&p3cL@~qTPyk5+<0Wx}oDIJ*w5HhRX&V^9*pqs|)Q8MP1Yu>ogBJ zdS=nE!a67R@)u0LCyrso@QR9ykncRXWwNik%8Zsz5s)q9v(fY*%ZklVR#i2(OyAUb zc8h^Vx(bvz&#km>T%+W(4Uw)YKe;$DH^7QHeoJnMLJ;bi+n-)W6VFTQM9WpX5&9+j zyu{r$liF`{E-5EI3x$|j4H9q=GQ^xl+_rw5IME+v`N9&S%zZr|YbwFxsmw~qD&qes zG0wZx#XyEczm>V9{JF+qbrPR?C&kI;=&3;dX9nE>&tafLbd=#->GMqg<0pP)VfUQV zzBp9Cmbk0)O$Od{J-*J7Tu%%S9@+LRPtBNkSYGA^KfHv0h=|+Iv;9?_Sw>;a$}6Tv z+cw@SxzFNQ77D@E(jlo0?||up-TU2Jfsd#B7OnyS5T~TvV7Kx4cjyl>x%Zhfj>AwO zaHs9{pun%da+h0J0@+626ea4N1o7crjf-weGI7XcmG!ykeTuyd*UZUe>MuN_yen@+ z7+%#oJsw!>6mTT<`NE7)h3D+o%!N9r#GGkkf9wnI-{jwE)+gjH7UIAz7eWFaChO?CV-^fbD_@k3x+X-I;ZV!1O!Fby)F@bU-7~*^1ybu$Xt3<~mz*%pmcf|f$3oNT zNZaAh#G#Q{akNI`G{g}_XB-ghpBpTevKyuSn7hPtbQ^f`Xw?f0F{5hvv}Ma6fIhpV zW+kW)7V*I&cn)DJoU37Y?i`$er=<@|nxsT4dTWqSs&BvN= z{wqo+K6TS57eD(g?6k}LuZOH=1>y~WwoP>^lD%oGxv4WGB2$wn8zWbq?_i8JniN_l zWSX?=R7^1vQx=sT6ne(RNj}{BGM*f*EvovVyp5mN??0xOIyQUxz%k~MVQVO%EBS8R zT|oMDBs^AJ)bhNt8kp$#kZ71z23BcSrSE5j?}x_D73Si+Q&o_nw+uS0J|Xdu0#4To zyKpu`S;t)}w2{~i2h$jym02G!0viOeV&{0R6{*#o4!-5)W^;d&?jO*g6l9FC3B)Ww za5W}cg=GWDhpH?#8-=FnXW%u*_#juT>1`4MH)t=_k)zlIP99Ji1jw^i`b$Bl8Gx0V zjShjMdCC>~nHW{RYVotDZ9bRl9@S-BRxmTJwK9&d(M+JLH!Pm3QEcd}ek_6sn4xAP zH3oP_VQR9fsp%y#@kffMor*8rCb=GkRs>m|=e?;Ctf^H1IT`J_bWS z1-oWGxwWOzOl6P1FU=%&gZSOc2!H?NLkoL0)wHi`R&~3=h0hn&*A?n&A_uBb3-xal zYfoVsC*d8Btim?RlzW~^lsU1uS>=x^!so*KyU0yv0$R#)h2(Su9AEM6Tuz@HS$O4j 
zkc?1qdX;yy(c4x-W5l}*3a{Lc9vre-wMaQ~h};dor635!x>C}l0k@OCxP=P)PgY#= zxYESucs|}-Sh{>)bh{oZI_l`rICx3+zS&^WMKmGiBUJP+a5j_dd$>Q9=t$#W>svZ-lG?05XVB$|bPvkp_k6gu*<$3eS@L5Dv7=~i@ zOK3)4Jj_~?Hw+L+hL4E6Zf-m4zwiW^psf~6HcJQh*Hmc36h3UOgzpZ@gN+;A;>7eu z{cq2K2dei@?eDILFat}_bpd?FX}<^yPd{F2t*mg!?;fh>dU$5K(H_qzg1(&a+d{`X zzfcO%ddwGi3cg9IL;v>N+GF(qdalEJiKFX+kEU{D`?_%_M{|bZdvfe&BU5YaUWGHD z2*S3OdpMO_?D(*=tH>g!meWL75ZxKVXKJ9jcJx)%odq3#PVTed))G?%V)@+)hpklW zOvw;N)epDj7}=gdD%w5YwpoBi1*4un^zjvms^{c~{VvMX$>FHMPfbvUFE?36?#T-` z2y5yCOL3RwoeqXsX5nDvM>Uj1J$5yVYJneuNrBB>xByXKHq(@AHtHH3%*V&O)eN{X z*=Hlql^kGQlJ^&XpE|%(E1QL}aUr7GGGa=T}~+!bn){B2aa z6Q-@Lt?J_i=CBT7a1F6n?wB5h97&z?RaamTu$t8HNZq^7Xtby5D>$X_Z6Y5TfIin% zOkafhhl`8|%3S%WW;jwnJgf-FyS=@*Vn=x^qwQxaoLLjl9i?;#j8Nkuim~hNuY)ZO zn!0uQ72ZP6Zxc^|x{Vvnp`${z2KNmZ!drZ*{qB2CGRpeZz6-o69~qxsE$LL5=RIk> zgUH9Wl1er#0*#K`L4}!G4zn3;Z4O}1L#l)Xr#BWWmAMbZb-Q_4j{{78`MkGy_S!_G zp^HW9a7|1?AQXCe5}gihy`p~|2-a~*My{Jb^!uS9Xv%t(%`U3WI z03V5pFsydk9bGMzHKaaq-Nbth%YaP&h^#k_t`lXtxOq^#IP81Bl-6Ij64@c@tBf0$??h0JGE`;;PosXP z>0h7DAn5CBEe56U6c%YV&f*hT)lkn8qh=w6D}u}Sy)ELcIiJ?@l;2G}=$o&`rUvYc zez#Kt%q`LVlq&t+JXlI0DW%m#wau$uFIk#11#jmC`q~ut5JrD5CP^<2&&#jRySH1q z>VJ0!rTTm%(tl;}i^4vC|Cyj@c9dqNQZ~uU@OGpU&Jy7m}-V1A!E0r(B4s6iw_%#t(S9)^00Rh#A0dQ0TVPE+) z4vK_H&&oK;HWTyKW?OgUTFIs31Va*Tl4LlGGS$oU7JJ&v)}HDdM-YGt$M3EO36?X{ z{0#5bC)L_n(ceh$S8BZ0R<>&=+#F0T^0FVCtI@w03D;b)T{JD<)d_wx=-u$*3VBvQ-8lV_N-}&?qh!PYy z2AnVNGjq)3q+O+7J1SElYO+W@Qkazr!&t#Cv!n zlt#po;Zf_ML%(-ir+m5-w5k=3$h-aFru!`V+-Yu7>EWZ*rPJn3+V%H$2=`)AD{S(R zfU-7j0MBp~0!t2ofZ?@(Fn2UY@;375A;zwl5s=lf z64#47dJ4h;mqe#+#rz5_`U*`@cygWi_dVa`sTV7YBADJW*zovA=vNPm8^j{qd!K!BV5K!7pDbakHTn)J~K2-ex^CEbx4iN&RWGi zWyDGe7sAq(4!GX%`Jh#9UvaJ;r8E<-(`|BlAydMUkd`-i$fxNcNolFWDz{rPId_vv z{uuV@1}R2a+0ulEW$l95`~CmvO{v)8#ZBH#ZP z`vk0Xl5yYdA23ThJq(g)Wxe5u+P*qwf8Wei(IPMDwIQS{{_filGP zp~kOL^4@A2vmhNDg38>g3Fuw>;oe$}7t4Vi$IJ~T4 zwPoW$ZPiz%rwNEDGz&5^Hu_wck;yuen|=e17k-77bDPiQB}3G94YRsqeI>e z&(ZttKVAT0Kq(6y+^`!HTcir3oe}Z>hrPE7i*s4pK*Qjk;K37I0)*f$!QI^*f&_OB 
zuEE`cySogo!QI{6oinVxv$FQizBo7M;yllP$HUAwUv+nNb#>KSZyDxrWhi=H@KH9# zpIt>a4a5~4EFnEmZ!7F6Tz)>HiqjF;RwPvv3hkceU+Tt&jWh_>@KVPF1KT{p_pCG0 zjOi`6bc2xJ)SsLy&J-*pUIO6 zz&jzG8lV$)`)E;W>L%`6L}%HRo#sEug;}s~PMOxEs0t-!7h%a9ihar8NBxKpZhta? z!1<+)TfvdG(1bl{Qlz<jUA!+C*` zXPgjcFFe9tkD%xN-Gi>)+xnz&ct=y@yvyRrj&Ze`xP27;n%Ytbd}@xO#6z7!bIp<^ z|5f=p^w};{-q6C+SE|W%xCHW1>%pi6=aw99;KXH0+rcV2U~VLia)k;f7sYfyBYfiC zVQD$h?O1FJ`N}g@r04|C!E>hKMw(JrG;8?MDN&QUF4?;C zd!aXX`^s+-SYg%+P|IW?tK)0(p~e(Z%EmEoWrHF=x_8@c%}eyiuU5A=DU6z8)fJW0 zs-RPT@X2Nq9+CZ^RGL>(%xma3XIj`wy*zL*F=Sv}ovf6Qa`TVgM(LuUOszs-Fgtq^ z&-oJSM~V{^i@o{2*`T4bhB8mfLj0YvR*gfb$>hOLbq<&pNEC1VRH(X!TRe}My4R*X zHRG%05zB2KtTpy_Z%k*op^>>ScE&I{=ae7M{STcq{q1X-trntw!&HFko*m#n8E;Yn z)zs2T{?JqO;D53;W4^NCf!m*`3J{$#JPaKO{utUz`3nK}k00g%Q$htHQ72WS zFMko#{^N%|0W=`;?HG85_l5uQ%r6nuB|sd}N@g-s|D!J}7+jqv=*~+s67YWm{%gMe zZ-xIu@BdGwf9;~bHtqk<_i!!-9ZoZcJp0-t zyhVGOGu6_c4gYKuI0BIgswyC<+6J{|S8K|-vjidETJXZNJn2fal8 z5vl&SVLbSd4p1D3qotKpge(k7GZ7Og5lwXob|~3E^ihm?_4N}ZE`{{oT}((7{5)1T zQ##CL|ItcsJKdk%VtLRZ`k{&@GWJ*%Ifn}bE^B3n>$k)b!ncz8o3E*B{ir~w-u?IK z&_x$O1wNiqqK?@&9Hv|80Wh--F=F*+>*lsgvM}l)?&3Rth3xT}iX!1@YdN z~f=6AqT7XzWmxu>6ooGgI~c{;$UmJ>MylU!%k_G z^Cy(GOaur*FX0uXs!g63I)^C?SE@>ZxD`o;>rJ6Kt+SVAo3MiP%bhHbgu&ouGm4zR%vQy<0q($LX z^9f^|Q)8gj%o~Au+v=B%1z=PL{pm5XD|}vTgy}Te=-5&F{0dmTsxRhexq<1sOo8w|q z%WEWPT*tXgiz)UFftepo{`HM>5Lnw8*&|L_Ed z><1NKE1IU*Ytac7i8?FfSF8W&JyyR<=PuuSEV#(<%Gp+sJGz2V&ac9%q7OWa0oX|c z(VFOK6P=DJ&oBQ+GpjsvFgeeD4lNhEVh~Z`R)MRO7aOVeE+2F2J7qZ2$#TjvmR~#M z*SxIg0%B7Y@MHv_ig7dg87QR10M&Ls^0N2naQ=II={)70ci!~>WAXm_W}e&&UNe77 zTj$R~y}UL0B^`tOzdzec27PE(BBD(A$4md(+fc=hNWUchPq%o2739S4sYjLZ{P)QI z^*sdDQ`}$WRzM2?tIAtpu}1GfKqE=tw|~g80BS={#cb}VIPU}zSwkaeYs(OO$f8s- z0)^DA9ZkF*0V$H$#+-wd1q%=`D&II zjT?G9wVNz>+xYVN{9?L{k*l~aL%u=7&YrXaNgK24PtJZZY0d8BRED^gi0E3h}d`t1P5R*@7J(&WfYaY3u*L@voR$Sc~ z&wjFnV5SBZN3LG78=ZYWc|_{W-IV{4$?@&Cfk}T4no`QKRVKIzFt3A)LRAX)yNCNR zWGfWy8(mQC>$gcKN(hT4J8Jx<;@Qh$gEsU|f(QJxrgM}jJTW0nO%aWu!yD+>FEhbl zsD|3z>)fY9Ts*Y5$`0o1!;WjTc;%$jaZ{q>w 
zA;XE_VJ+XRxBO$JRPg*qi-qEo(z^^s_V$i}{!_|{By)o#H$@{7SHFbP;`R^W!);AU zdUPgZUmgxEhu5bnap<;p87JY@4b<2~sK}4)*o_ca%J#q?v>Wi0q(58yqbe^i(bH(s zetQWm9cYJI_kf3#iWds@le6l*`i&E&{7sI2U!0~$;VA*^S=NB)vft{>`k?WJMWT1i zaEtGtm)u8lM`*%rh}fSh2ncT2*K6b`XKH#UKjTiW%+y9sOJZkQj>K4(Fl)o_iB!|> zq4w=lzO^x9T|YWO9l@GGOrD#WPr(f0lbG~H-gN1@Cex<*W6UP|*{AQuK@^7_J-$`B zoPQ6qEn&9F2*2#%j>h|@lCCDap9IZg2RXlw| z;c@HR<3iQu%mN%?&u)3l9NJxVqaxJq<~SBOi(qQ89^X!OEw$^G-#whCAPNgBy-6gz zaJd-{ztzmlpUR(;t$Enhvi2Vtk+GSfVIr0p$`pBP~6Wuo{3n@@7 zc2&$)Flu>fy>Q%NwK!K*Z*zHBXkqhsf&IBAk z6XUz&g&QUsW~-}iinq#3)fo(&PRcY(_%w#MJwKVSG)c^FDon076G1Ty-9moNEio~F zeY-(?Ve(-W|8}}B!VPzSs>$oHF|2Q?4eNFTA*3PujW&sStDM@&oImDBp#nV@txbsA z&^!S5K_6Dp4L#S_lWoB1G%FeNHZby-ECI{*+{v|U7dO@QispbF?&2*1ta_hQlRczv z?S2orf9?|p?p_t677f`^nPbaFURCh~EK2uM`4*mQ`lP~8xsFDbdTfVl!mg6E^n!%U z@a;rcwXpFcGy)v@aUwNjZkbgZ=>pC<)Eut5r%_xMA$hOog)J=GBE#!9T=OTJqxY{T zs|O*KWl{y4>LN8t2IB2M^Qv-y=rEZ<#ZC@vm1czv+aXT#A6(xEEEiLH5SVX)2j4Dz z_pg0EBVCj4!;t9c`d+!QG&7WQuD{n#_SL?6(@eaO{GX(^o}9&wDAMUe@WQQWEACix zx7bsbk3W^?s1I)SX;p;~1k6;TXovk+VbhG8BO5q4(1&|I|0v`TEPgOXKI2r?+bNUo zG*|Yt9M))Sxqk9Xqj6|=dsF;9;SS!tp3o;g%U{A&6ql*!9+t>(u)S^xvCLsnw1|BY z>65PEiUq8zx%yMg)cF3MFDgqhr0zwgz7~^v2_JSgh-`4}i7b^zegb0Qi0l-Gzi+BZ zJ$<0Kt&7UL(U1Rf>|?S>g#WoVgSqkChEF#NWN)md>TLom9RxGY?k38}=c_@%_T4eJ z0JxzeVDe^CgxkJxCkHpU17k=>tERIW!0WQA=gF*RD1G?buA{ZOCGLC+iWb?HGIK0% zFs2-mP7H{zs{vVH+R((&<_TID4$n_zxMyWGz;EWVjeV}{gV`-M+mf#r^KJV`4go%{ z`zKeL2TvnR^KYv|r}2#IU#ptS;4P_dKAZVG4BD_%t%AG8%;6(*j3H~a)C0bLfHrgD zwAx2^ZE^#M6z5>RDS%>B{~M zR6HFKRAr{n+F1tT4RwhvPM&iXF)p9!{>OkoCln30^|HHCF)KbhJ0HxTpfDX5KA0R) z%ZAZKTD@`6N8GAddtP@8S;?dJZH%z;9;c+6E?4U3Jr*c#E^s-r&ntP!m<8Kuv6k&h zC}nqekKG}>jb`~QZ{rHS61&n96cTIO#W`(#?feuxsQdU z*}#htsO`zk!Dihc2()?B57`{nifQVnEprFMl+F9RYS-bK_B`12s(Y)X zfKjZaO+na=dHYld*YeIaM#YAfhu<~U3u-)1G<~4jzPx$B8H5(vH!dQ-^#SGnIp^1z(6-%}^Q~h+$4+|4Aue^$NBARPe#yag`6&cfkJgenfs>{qX>>;`;;t+X zH3$2_{#wZhlREnqP16KlFLhWRbB5YI>2?uEof)|1Yq7(J9AR|M(&vxbKs<8k!p_+F zUA7@tZ3i|AV{~|CPl@n>GP5-|1*z{S>IwuoOf(!gMq1<|_L6;Fopi5v7p9aIXKC6P 
zK0wKmZlZF3iDi7GGg`AcY-6##!gcJy=i}u6Uh{l7I;`!8ygTW`v{P$AK%>76{4|qT zj<0OSX^WBCsC5Z90POvW{KKI06$A4|du=t`hbJZXS7x{G>)4%ZRf7qvpzoGYg1$*D zeQ$1jw}h@toepXJr?CT*lSLhpQS&{kqivicx%@=> z8oh$|neQFr?lFbVj9Jh=j!{YC-PJ(|OAV=iTO=!4aW`KkgiREDC(h*Ovg8};e#?@Wuw{6b(mZjcdodNA?3vvi=RR`4yd2x% zc8(_SfJEqmU-a?n^AE$HqQx=@ULRVG*d&h)~OHq7fz97ijCGXSJ+f)M()335l7V0 zM{n9wJ}NuFO(=l**h-sBWNcr7iY zi~dbDHZY5}P1O}>+EO9c^nivwyqgVx;9i|fklOXf@ko>C82Hd)%77>r|Lk><(gDkQlV8+ zs?;%*NMZ!$7!2#i>Ca0^nI>i*FOs(8nQ7}mHbgHT!kxcG;iz>*)CSw{H_R47HY9=_WlD)TCh-OV(G z)@nmakYv@KE-ed?6+_CLQV4UJB-??PW<}!Jx4*MVb>*JBt#=FYo(j12 zo-upo)?e@xkN3R-n-yp?>BYV~eajnUstkvcvl5%q7>Kk$ri|29{UY8`O8{bn&N69aGK-K|)1v$E&VPx*90_#fg2vT>q z+i12Cz!4M9{`6y7#-CRQ0SUp&UQ$yeosV^}VjH-(8&fojF5SJ348qWK`bMG?9bfv` zoRq!4@WPnQzfzK=&AcY^=z0vbwxU@jWA#v6{n^UgQFIko99u}7um50nBuadhE3H=~ojEO9GA9yasJw5m2hPK7Jr-I(S1G|G zxWB~{5q>=*%-K``p871Q*5=nWcBmxv$fv=_mvh9`C7l*d@7>@ zJ=kPa?)u6*V1AlaQ64(f5+!fEcO)13trH3doJ9~0&JE#*Qx{i4n*ku1l8c|%!=X&SUO&8j&)OQhQ@JGj69^_~T>Y zXy{XhFSpnJXZ4t>@u^gyZ)%tIWUr38Mf8W=UJM<0Q1X*)I__ z0&>?$vEfgKcpsRL*Ti5+H~L-+2BO4LYg!`_+`pn~mHI5%GFV$W+Km74`iZYPEOBbrmOyZs^|h5l7Y24NNt@ewvK~CHd*i5mQUTr&^OdYI$NJh?mBOy zgWe?({Aj%vI-klgo-9IFWjNy%K2I7cQZcJCofKaChJO;nWcGgjY|taI->qwS;K#)+ zanx$5o8HG3iAYd+*{utmA%f)5VlYNWcVEO%{muQEfup-Av2!1XImNw)Z?d4h%EP=} z-0hEwa_27QI`Xy!c>h*l{~>pqS_z|>n8MIov+0{^drr!q*JBA$!UGpI?y1K7f?}d3 zhuBp8tOkZ^72N-*8*o6Q<07rsn^ZA^V+r;gq~9oZNINl}!h6HJf5PAMZYPhFp#O9N z$}B&zs@?^`n;3ZB#AM%xnbJ7GA?jbFXQPgD5LfTmAQ2xtRB+$P|LN;}DrUKUA9MVo zC>}+ye|T(IYntdp|5|S8F$+0LaV>3}jv1x+MzFS)US|%RiE~>K##pgS3v5GDmusz=rc|_uyoEzk2&7p;y z4li5cisq92aA)4Rqs#Os)w?ZFDz}MIMg8`je$}bad3Tc)1 zV*7P#!5O0;RU65KO}m1Hpa&gY$+t??16z04Gj*=NVv*Ruq9+TtkLvlq{{H-0HPIpE zyH6t*1Kv7)oZeyqZ8a&LGLx`!|kp6iKVQ5 zwR)Gq*-=Q|$5my*sAukK8C^C+wI6zP#L5k?Y9G1tf22_akw$F|Fw3Q?GZKu47z8-F z(#Vqmi-IE)Pm`%6l@Kqe;VKjDk7qfl35Z~4)|(C=xrYfq-r7++Eje;A9r*1=-Ggm& z)5Mhemp+W|#X zP%`2_g@hEVlVxk4ZF0=tU*rhd@hb5VGT}d@&i)>gK9qZSce~*P=^utC5RUNZm^QMi ze4`Fd?R37Ze34DyZ6I4c0BRwuj_aeeMEz_Y7&}&Lk|HI<@llUKQ>zN;*)nmDlM?TF 
zLk;(Me}$HFYJ(qf_(hwyTf@o{OXkjjfoZ z?E9;g%wKU`pu}I0Dw9PObGW*69wEi${A-ovu~KU7T6KBmLv5_-WwcMcS`)oEwy~`ZO3HL; z)y^4@j7-PZbfaB}P=~alcml&!@Hek0THkXsi)~pA^L~fG!(oh|Q8d7)=FIH{2jemT zB-TVzkwH(xk%XmJtF?%;Xh;_zu1|CMY{q{RK(>oGXM$H?OQRHN6lV+}pkmRYCeZ#` zOy5U!Lau-r%$`^*zs;wUVdUE*@7NNbt#DP`zy-(Aba7sEAn4-W;)*q%c8fJ?*;)h* zEY3=ait!S^#qPM{MHC%!fWODcBGI01tIYPt9B|iUuHsKC$q8ui1+P|cR>S6akU6T+ zK75@toDfvjd4)R(&e8pI<&?oaZqhulHY?I0H6u$%cxgbup z{@tVq^p^IgI*` zT;N}?^NfN8A#(H)yVw3CNCK&g!%Ht}JkB#kho;8vFDb)27WU5V;}I~y-*Y)F~J3Y_Ob@}wObd~ zdH>E;{d-U={V!lW>-`Fg5+Z41tCWT^(m%Hh4rsqrfCV;6uQitPJ9DrIa$^d79HTxwxX(P-c?+{$5=a}j+tr=z$>O?TtoWrSFEVMNTKL5 zwK}J-cb~a?v%gK&AM>&7n4yW=0qtSHd^JedE7Q5l^7bE1YkrLY>E&5|s%bAa!)_0G z+_F9T_i!ET%f|z?p#dFeTTSv(mXE2o;70=ZmZ2~<0dJmhJ zPiwng@6DDuYv5LK$LPfwmun?EI!ygrR3oX+BT{KA#i92b>8}K*yU(4aoy7ACogZReE~**X+k8ReKL_pf)YL>P+CP zBm~+rjLC$^NC|ikyiHCln%`WD5gzmgqMm(1RttsI-^?N6@3-6N#o!?2E!0*APCwt_ z2EOGfeUdZ9D2wDkc(~$`lRN!`LUG~qOMcp9XJ12Nc?fyU_apS_85FuF0Oi`U3+|HW z7`%h%bZS3pWU50Ncj1&?g5zkj_^{M{cRvKI1nBN~t_32Dr9FOcIs|2&rWv)=+0?6D z6yOd~PH(5ETJbq#a0~(eBmD8;LGU6iXAoqge$uyC!{$a@2ON8yhcpb~JSuRJ?b7!> zRCr!qUdGlo#27=t(exxbPcwltl>QrAnbur?51N~Jv5xw~q2wT`2UT)Hdced~qwqGWvCO^&KS5cCa z^B5XpR8&+%q@>7Iht&P609BrRWq%*s!^7h((-AUqxad=P0Ue3OKirEvaS(l4|F^nD zB!J4zmnEv1L~BGmf`GQ@@+dlK_p?u^r)}p_dOzR5!s1D_De&9qX_B3~m@-+I>;^~b z_+|&|^v2*z&FSI_ksnJmSDx8OELMdyVrf-r%APHiW?&e|5+Ma+rmZ>9hfbwtV_6K7BELgOF$E=U-RbA(J_iLLwrz@_K+VtjNp1 zUB*VZlfbExWbwfYPv*Vt2k*MN!n5=D4K3Fgchv}<{@Ho~lHnBC)Qbh60xkavZeSW`c_ zmIIWLYa}||ch5*ZXipX;Z12U&|Wm5@0W80@(!Y3 z+RYZhaI^COQJaYf0QQA%izHXFdjtnQD|&f~yIZI_hrabBOe3xP@cAl2#wTq!AtXuz zd!Tcx`=d*RUTR3hr!>ia+ba~iqmVs;Q;RzF+Ys5J;t(9af6ar zL1S$U-AmepG>v&x%8QL+p`f7tgYn){+unhZIW=wl7$#Pwg> z2{B;tgGLt};Mjw69LuWGIwZ6Z8J8vfrV!DoPzh1s3+g%#Hzo z<+K*zDv4{32COiWp1ww1x6R?@xA!7n9S_^(Gb&^Ja#YmCK$dyhRBCF=8TO{SYj9U; zg|CEJ_1k6pp$H z5E1gg&BLCbPx1E!M;WA^{gjBz(&=yjeCEvO-f{(&bkoNEDhhiQdIRIFL`E~KoskUL zUAO1Q>pZ1We8CVbFPGzHB^NDIX!n;Z6%SZ2;HrUJO+1mBL5{MjmbBpX%;W075 
zFHxx2+S>YLO3iZhVt1TQc-nJiMcejZ=FN18Mh7UN8bqa3qCK7?QD?i0g70=Q3a0~S zL$f-_n&2?_W6%PUp2Xb>{>CVUUsRKD&W{0D9c&a4c^EwP!2+W7HX{U+8+6+mqSf}l zuRJFzgZkTF0)BkC*mTF_%K}RPewm5>F7iC0AcQQlrbHqG>|&z>EzOTRF2BqD>Gi_W zmiD8?#%lB01#7X>s|w3AS=5t`mgRwxDX!WE8#L9lg-|!6B%+%(cVYGx=zDjib<*hx(^W-*e^UsqdVyBuoiX|)R9E#+3Yk;J7CJgBxpFSsPF9tmc~wbwUdQuGjCloNgX-n{RG!R5p4~ z_|kw|JEOJ8s*HL5=U>^&XfL4_<~Wd{k@18oTYii*`f7cRbbV>w3UZGpE}mSQ2ZkU1 z)*2p-7r&UM7HL2b><5nwqCd1|Gv&EdUuFvh9U&nw-t;!EI~2!^N@19q5ju9RHFHz7 z+d#eWn2NJF#AWiF&*#p)cc3MpNdB1K-#Nown{cesT3UL=D}4)8{|HHZcrWXRY}lu+ zY(84!9zoj3dW z;DcJt=f}It3}(=JRbZgbc>USz;S3~{E$!_W?hh#ntR>$hDgwO znK%z=u(uZovNGvgEwTe;IvrKh{qBrrqX^6k%1+_bg}Ycj8mz3T#@M)d&{eO$;TTXB zdB%>hA2c1T$h1cC#7|Dtd%a+lJ0MM+J?tI962SiU)~$3wagXG>Q)S!hH{^UjbMNrj zY{|p$ISVAJo^H3(^zN??VGt1~NsYNd1{36E1oL`4-5OPyO_$tMRx?9FP9o&IZFL*T z{VE45j3=ahb68g?2d>97ZROa*m9F{IIZlP@(_gVG5Z;&bX!wd6dHgqsuLRUwHioL2 zbbqY^AQ0mkob~}-skt~uBFRsR`w>m8)_JvF*V=sTw)jJqO2zS;dNN%)+K*^uY5w?!p?jn7BJ!RMzD-}jM2^gRu zd%-~*eDx?HbovL7&;rzPI7W?`o9dVvaA~?UDq2_&7l(=OxB~Y1^Jn9>e7Rgn6V#GI zd?iZl&FyV}kLP<3tEoe&gjeA!s^zWi&3!F#vnNf%Qoi}2Vyg#flr_L^(ro-ZB|5BU4; z&l30&SsRn4&T)Z9!)`SwtwEDt*?YP_E-gNY|ErI5E_&YKedRb``O4oXPdYZp-YbBI z`b($RKqB~=x{GO9it$XRRVBroZyBm53Y~5fNVlR(=LFvPuJRP{34`KiEiKSg$j+<0Q zo0sDz=*xj|_Eu*9@UVX_8SSB|-Z{_9uQS2qxfC~S&pCV4yc0S4ZAi$a1wEx|40u45 zmv*x0d8razXP1{N@v>S{qE9xXl< zHAlgqVPMS4%X&QD2}?>&U73$%!Mdo=W_AD74`GHT-B~%`Gp1ph$#ep%W+}~l*vsV~ zLDP6p6op;{L_lGulAdb5j89IaFp~F`NMHRY(02m9ci?B?K(+4d%iWG8#WSupZmL6c z(QJ|vv+VHcz!u%W>-Uj@_tHQbi2)GIhN06` z0O!E}-Qk4tr45HQ(GjoLK8-ZYydSjYwRgpyyx7-7 z9Gd&boc!yxphnXoJYYtzS9W-ej7ehu2nQd4+GWJxeM~@u#3cd7$NbPw_#-9^g4KY~ z?4|={>S%N?MWP5kmVeLJzXRLA4=-WgU_(Qa6fI93s%=aDsegx%e#bit-h&!*C{)$a zLY72%wppdn8~zUx_I;2UoV4=>@w4Xz0e#`~6=qZJ{}>ZwNifg;l=(p{t&gJp4}Cr~ zt7INyW0xM1p=gSgPCy`tzjwbQ5GO()7gY0l!nN^N&1*UenCAAsinm^d4E{BN0rG%U zo4iU*7PNn9$bkDDn~BlrnV#dYphs*ax&dWlcDF4bN$($)Ao8kO%KTl5wIXKtbYCOLvATB4HSw4N-$6 zOHd0p$n`XP84UJeuc|Z%4X?S4zH5a83Q~d|S^tti4;qZLyz;Px$;Wqab&0P^k^fbX 
zJ46P&k2tS>D<*@9qbPOkw%kbofgbQYQ)5!0YP$vg}a%Z)-rMF74 zf&yqluK)b00tGEk8YG)9$AU1J|4XidPL)&~>>kz%q4|+IA#xuU^h7h0K`8mk7tj-| zYQg1AXn75EEr_D>~-|tqgfSswgFeY!q5%({@8nOufgss-1;{%#i z7D%$N34=MbvM8R(I~9X>t1Itt*}r1!o(M*DzcXI0#^J-coylh~h@`0VzDWyT#pW2@ z$g!$2U6C<_cF*$EgDkLj%d0?JQFp~1+T83IFMQkHk=VvMJO>~a;iOUL|Df(toe-xt zjF}?|CImC%OwbUC7OsbRwxV*>3Va+n$gwwGJ5F{W5{jpnfSX_hO_^P;09;8j-$J=O zVHrt7&3W;KO4h^^UgA_rP#G~3Z1g?Zc+L+{0TsFQ0D#HeMOzVoA?XeaO&xu7M79LX zYWYe1C4aRb8CCgW3ZO4a@9=CuL273%-2vgm0$D(*y?&`9%Cz6=_*mV_`y?k68|!$q zcnfpRY;K!5ovd}TWp-ZejPTve(wnHXd2VnZFws*Wn7%{wJ-0dIkuw<+N8^#S<9={eGDs+YgT7kO92J zpqpV~J6Y)w3jr&P#lmLAGJhC5J!}XSjtCg59l-dpY<^~Cag3zYB0)!E%|Npam2PDG z>dS}yOD2OSP%2^4=4c^YEfiErXN9fi&f!1gz)qOHZ>(ESyFloa*P}&X$#OMU__GQ3 zu=@f;Mhm8P%&)nWQ>d6)?YtBkfYTh2l;pR#j6d>pQ+aAxXw|cqVBCeIgk(%YD&mz0 zTeog!QRfPkpDRVg$PS-+whUn6ikv{0^ZViU2)JmrIPq4hH~Q|H)k(lx@Bl5V=;eR4 zEYu>=Kx7?)J6=ZQx-ZT7C6ChK4ai_RVoL*IA>hpKI>Hdf+4G(+r&@cgI9Sds@@^(H z7L!&tm8Mo@V+m+-Fw)Bspi77ky6*`}I);t()!#gf>>hn}bamA_EJYGwSJd8(l}B*C zaM!+uR<0%j1NXn~vh0z{H1UW2Xzq$^POi|7DRxqN967RA;{Q4^**gl;=BwT{n6aGJ z69`xbruDGx=30G^sV{ODitW2n@)gxe3RzE^kP7zs`uJJE)89(&~#=@li zS=7OMynG0Kv}V6U{(x$xCc{>%6I|;+@J<6c{&BMS6)ZbfyFX5A*IQQJ$45&Ze|Npp z-pA(9d-)np=;uen4_r47E?Fi$%tD}Xk*Jq_YhqCouGJ*MY z$R7s*Iz7(cOqnkRe=@ndoXwQu{w%=#>Xu(;x9gxK9f1M5a9R$cZC=};#p z-o!H2@M_fbvVc0>1f-I@kqQVWOH+UlTYW zFkc0BXSH2cd(2-ORRK4QNZ-jn`g_djP(SuS5ohRYTpp36lo@r+&tN$yTGmd4pKL6M z1vnXcr-nP3DPAoVBbt;4*>1o&@|Kyzv&9HyPDR_I6}3j`<@ja_3_Hy;?fr21oq9^Gyql!{u#Rez?m-?#K7X2X*T=PKSor$TIF5*fo1WI+kHsrvb3?U;R%m3$(G=YlWzO zP|er~hnRTg;Q8w{Sy~oz{XmQHNTmZ)ROQqGCUc;YV*)0t1VczjjlE)Nm|)m!QD=3Y zPA+EwwfHHkTU%j$Vy)gWx;im<)riNmGkGzh813GQMAQ_RPjXEWQO<8qF9bK^x>j#> z&O+n^!h>?37wee3r+Vmx+mA=W_EV? 
zd^M#t@i7zpi^zZFkhR}JEd)RO}W#T{P`VK;7LdAqtO(&>-A+}LkjVsb@1bTx%1u>L%hLf z8BLz{CHS4?OjNsGNgcDgh%8pW`Gof&MeL%{jn#@c#AjneYLT%X@jU2c(pzj9D(KrZ z*4FtnBK^kbG+H@r(HmcM%$*5l;~aLJ6kS$M#-z$L<+W^FSXgBm1!CA8*OlrlI0$U+ z*k##kBIZ6yB%+1QmFry;abv{z5o}$7kI@i?q+a&cBUZm}+`3JRN(^lxrI^s{9Ov%( z4*7%F`b{;z$9-Pyqs_WWIGpH`ydprVI@RUf{+CyVC9(Gq02TY2cVFZiw(V3S;5IFo zB>e7GmdAY84%=>UJhC)frNHPk(YuL*}SVy}uYzvF!v@RdR z6(v2vUTuZLe{Q8z-^1*>r|E*Iu$`{r#Ce48#?Sl-r}{{uTBCx*+yO)VctMqaOuQ-f znA5EL`aP?u-0>1QR&dinU}e9U>uQR`p)!kXdZxu}Ih|;$Zs!Lg?b1xj#Jr{w_s4;Wi`jyVw zVA^-|2C#S2jpHr}*tbsg2q#^I_&-O=G)YSiSVWM!&S8SxJaaI%qa}+_ovW(-&XAz^ zhUPOG(Xu^RHPg-^q1fN*E{~PpB&4Fc__U9HqWB!9mJ1zwbDQ~H1kOEy-WT66uKZM* zdP~+wEo~mv3HsPFY!nk>*@=BkK@;^e?T_ug%A!mD=-c)-aO=^-=8?)Dn6mptJv4g} zk4`7_&LP&M>))`xD55D|f#-!q80ehIc)0Rmyq@i0de@)(u4eZ%99JIEjMz7Z^-18m zwahqZ=Ez@QVqoF^QSsugC}V7wUTB$lsmIKG@T>76GEBXw?qYNJMlXyCm#W!*Xy5rt zQ00jh-Z%Mm(_Td-AqjJhBE?2RtWJU(38_WVPX9;e5kjTtbu1JzN5btiRBKHO&Jm7t zEUpQnYtNX}AoU5doF;rfC-=`wI)LGiUKLY;rngaMYp1s}qXGdJSln=-h1=SVOGb9k zS$%$BWygD=yFb`hr$(1g23E!L^n@?v@Pe1od}GE(q)ulGOX|?CaB`?~FSRnK^gL{7 zFPPFh7B7oz?+bLfif-}o12!b}ndfz{EzZrbAt-csjF34rz7`d3sb{4-&GQG7+DhkBk zh#otho{q(8vuVekC}G44_7>)sHzF^_%T~^oQb{$>Gp=WB7P!AgZW)4uv6?;3U_pp7ws=^IFA2$SiZm-;- zt}d7?+_uRx9D{QQD=ahVhWJ8K4n3sqD>J0n8#b2}Kt0#w!crwDqdd9Gzy7^;ggkr- zGL>&1VAMmTEyRN1Fk0oskeW~r;iI;(T05MhjhXF4#+r1`n~1YQVXk6w8O>wEB);+$ zhT~N;Cq?ilGe6jYX&uK23fv!FyX8dh0+ci(zF9ordP$J3Q8U)GcO5@MR=$4{vQ)7Y z**As>&YPJ)VDLO6wtgELE@Y?FQjo((i@Aa+%aMW*{7vm=rS*G@#Z_Zkt&jLHVw}i8ywmm%voA$r*NojMF zIE;=Y8mBaX-*uO2ap&iv$*@pyvdfUg%N(*GZ(m1=aFaa(I6Kv^XzuYgTQAqm3y_u4 ze;N+&Vi#YzC6%6HJ587VKqKDOI{||%|B6dn)NM4BRdkL#GjZ9Ve|cLJugd`#4>d=zdk<8Wz3JE z<8%=zrgg8ZdhbAV&$TDbb`Z~FKyqTc?}TfOsxRxdv=hpo$uV)`^-Jh%&&S@)yj&kxX$ErU*Hn06#ygtnLFJlf?rUIw*ra%q6GXy0sGLzN}@pH`BiUT%Wy>k^D zXzK^;3o+>mLT;KCBW0jd$x#bRxi6IC!#{EzawvP(d(q660~6+i7ji*xOq4X zB#(wZ)5a{4?0Y1*Q zM{&@b`gg=dYK;3&V1`j?n;C!ZtVF)m76yP>&M0~SmWm_P1}`RpJAc?26&FZEqariL zRfylntypcMJ6uloe*=9ljg@H_QcD!K^jTl?!It(wSJ#COP8wE_pyW3M5heWSj{`xu zu60cN_`!nWy 
z^cOBC)q;0KM{dzF9m|vV(S3E3K>S#zWD!@V_CjKobvmj{tj@ud4gk3EFd(YHZk=E3 z>JXy^kNTe+_UVN++c*x0HFTar6fyZTR?hBnFG%pw_=DR6etVjnbn&=oAyxYVF0ATZ zdFuN#Gdf43lBYl>g-RWTOdj)RsF>km`Y=4&JjH2uit2oJZyKDo{AM6CeEuV)$02E} zHJ$F$T^c~+^PT8;sI)?aZ@ML}jA{tPmuoY_D!`gJLOdK;GeC|7}tq4cCyIa0~Eo|=R; zCPCCSYjszePS#^mJue<0Q?^RSWFU{2gUIfNA-UfOe$Owbh=8Ql&3m*T$_K7LX#!L@TyG%8*+vdGO~vJC*y;E22bV9c zCseXZT8feAt$9vBZyD6)F^7^#J08XAxFt2O{B76&Ja}ODa4cIcJG&;WlF@rZtEh zlg$HqIOA|{^V(oP!qx=Rl?3m}x<~Lb@qtv_-Gq9*rNrE4+yfU857=oceQmFguLxnp zpm(WqUII^xx!pziZeUE`mbx)4bjWPiZwyNEQ_fI&J=pJ$U~ zc&r0Mmm77wdzh+m+i(~u|;?Kogb&2s2^qc}VM>}w)Nf@uY*;~$}@_L!yQ zLkofHGP+iZXt93n>PFwM{ObJy22vx&C|L2agMikaA2J8Xj@yDfG4IV16){4e5aM@^ z-m`YP*na{ZKp2>Lg+)__K?2;mb-7Q0TNc75K&x(}_G{+m2-e)N?OWaF+)44ia0M91 zESFdPhe^U8+tqP29rTWVD8Wn$C`I!4?B2r7A}yn=spuq`{fz z?EEVG&OW~qG zqd<&ACDk@k_|J<0quFmMmpb``ZR7~jkUyA}871Uf$juD~)!&>^xSnD>e|hMe?y3rF zd$->q&$cPZP>XwV1{`)nZEmMWQe_Jp(R5&H*SaHAeZ}K7gCZ>*=jQP262O4@yjY>qpKbRL+a~76l$`6igzHxOO1|}s@_BNU zwFdTN{GHa=LPaPnT-i1@`+2p-mD18_!kjd&;xjYTO3*PKN+}4~xHd((8cnV5c*0pc zTuDfj`yPodv+6gSo4fPZ>?J;jYb#WGb1|d6$aBo~2Ciznu;hZ3TuY{h&gI7MUMYS- z6<2nR+a{^T8GFDARx+|R6QEMshti(vJWIJ^D@ENvWF&lFu5Td9A1&^kf9z3{Qt(hp zC&9Aq_*w)*?WT|#lk_F8^`c|!TJzLpG4olsJe2?i3>!(sb77|J0Vy-Rt|ja95?HK} z_vHd+I>N5YqoS6uc6LLM1q$;L3FxQZtYwY9eh14@mb!vYG`3MXG@fpF)K9`^4_ILs zv{xkMqpKnnRfJgSKU7{h9>VSS4zV1ZJ0ofxJZ$nTYh2za+eV24mG=UAKA1J2*+sx|8M2*`-tq9^N25a!h1!1KV>n zmNK5k1!?9NmVKO zH9Kqz^}A~)@XBLB`Q6%hwesa;M^_c-6*B-3Ubx{zgFozn7C?O5`W-+>z6^za`bX)Q z7OCEEU+-<%!Oz;Pj$m$ewIx2)Rb?Q$$Ufv=FqzziT3Bj6r=yj7nU?90)6K5PeXm-= z-qKOZN<6FcZM!~38?T78jb}ICX7K)ae)ediD2+dBqdnB2x0UTG8HFCO})JpOr7UFvb(lkXHu4l>z8iyi~m|V zP>jibT*7u4fb2Kc;`CIPC|WOQ>zZfBRQ6!~E}ovGqL@8m{RK0>=ar+S+U+H%npCgf za#wb|RI0$Jbs7_kMEX z$*4s|(WD`4w4|#dUlv8ZDNz=7MRL@gOc>|G7S-)Z`Dc{MHr;h&F7-*CAWV;4t_mTg zIBr$Z&zcH?jh&$xzS6E#mH^e(#0bG#Hz*9Q)7!TK@EU!7DMxC6LGnU_qc zPjA3cJyb~rsdh=*jjrRlHJQQ6V+BqqnA$omu@av~_)T@Ejc3(>{k86;gN84A9wn7v zXB-xa%eh4%Bz#0Xe;4Z9z?TgEiE`?%4>VPDY9i3OHs0C;!}ZCXR-SdArW2C(l;2ro 
zFlAnA_ni=#wW*oWk83zA|CoThfMqXkscaQOSk3h~3>_(z3v7Kgq53$?J-d7*^jw6$ z&L4Z0`cfLOQL?*{S=D8XROl={j_cWkc*jGldVmZq?%x?Hk2kERu2X&&!%)kFD{59z z=AjU!qyI4`M#-l4A54;a2bSVPDb1)Jb*t^2=%&Wn>Bzj#^{dsZ=tOe56M3brWyY1U zKR$eCQw4WgbK$rWl|%NGOXVFOTI`pMsH#S2j0NgwbTciyuZW;(=g)`?9TmxMDxoZ@ zbnh!gcfHdDgUNay3;Ol3(IcT%u|PHv)Y4?8z^nSfsD=4jY@e{jwMqucrF@j@4r>lo zgKJ{R<0CstM3uK4Vsq} zxcc}TbY!502S`++Dc3kCn2vT5q?mjlG_MiJl0})=55V+BRrq->ajW}Gi(&|(5ChaA zq7cJ&JP4MJ253AJ&U>u01YJ8{UcLjY`zbB7+xH<&L=HO!mJJPDO)vw-V?GX+`V$@4 zF0|3`h91RT9@>G=Po9AmqoN-LFkrzwqO^o4K;>%RtI&2JWphaZSV$8O90T%>?%H6j zc%IsYTm#Wo*l@+YDDqU;I}$+DyPgWY($Qa0YI9ppX!CcPuSIfY$-EFa!Y%H~^CWTm<~===K^Uw`%Qi`-1Wv@g#T zbYlMZ_x}`rBmo$;qmg(O<9{plj~0O3bY&woMQkSAf7kqf-z4~g1W^B_?lAHHpzwdh z0m6Hls&Qyiih=)Aum0CfioRf)mTJDVTx9=+&HtA0UpV+X5d+4<31n>S{{is7-;_uI zppTLWWaPvCf%3m^`u_(_uOWWh9pJsR0BmwQp-Y#}Mr4(vf^Jw^QxRhhGX(W?Xb!C_ z)TB6FsX@Y8mRz>6vFhSDG0*}xtYBBQGx*KAO(Uwq`NDI2w?a~_;BSRRXu=bNS4U-j zg-Hpfw{urk(ZL+j>BI*Mmm%W#A}G~`{dCpS#5zvV=g8!SJZCn-A-kY;L|YUO1`ED&hBuF{?@MbUh4Oy?D6ariU&k?tXx zm5d)cG}e(NJdUp;b-FWh9n28f00ttzQ~c;-uqGqV}&KmC3VqscSOYsOI&7gNM4atQhW4J z;C{nD;4Sq8i;O({^zlgS41lW|FQCkX02s~?@+fy`8_O}V)}2f5{!X`lL>n$M&Dpm} zy;iK+8}Z)P79_VD8QRTExCo*9I$xVN;{=+W1k2|S8G(yPa0rj+0Pa&tv##?{s7qO! 
zxBZH1enDrH%LLOcg?{WEw>lMi-q-1Gy^xpI=r~+^voMhcSRgvrLpOdKMHZ=rhLIj_ zSj=N1UXDQ9Kafs02aDSXjJK#9)emSHJ#Vc#$zQCe`7&%bufR216HLx|2sQ-VomLi# z9px^xS|L{xqMI|!`}0;QCVX(eKEOQRv*`L9^3JiU^SAgkZm<2TpNm`IovJBvXJ(|H z_q(dydyYu-Zp=YnnVh>k8F793Z5({sXewo-&W-w$<5kDD*Qio!X>skk^_U7=9ar}7 zL3+5NnQoUHE#fe^)5fHRfL&8l%qv}k!Oe}0jUe+*Ea?Cmj8}hx%C;Cq2lX^82I*0d?ak6H`5!Sq9N0VlDIE0 zOBs>LuZ%t|Y)kdFsF(yN{aG88%Q>d0T=(+m(?aG%IXCkSUX?)BzTe?^>*ok(w--2 z53Ywx;EYw0Raz`sEyJ^zo!$!k*u_1a&W=c0_xuFQc|sRcbS5?E)z1lrRbNWne&3PF zVdxL>uE3Rc?%g|r9pj;E2{FnsJvhDqbz7d^ykhl+6j$H_f%FP!<$m?3f}QCheB1BT zR3_N{pNY2p>u{4$g;j-G7yp6RN_~LhrvOI zqeT2Lw6uOzYTCShQoLhflfCgg_VS=?3%z-UC=Oi>WHPk$HBVTdSmFd;tJ{f3{lNPr z1arm{GhAZtmWUb?w~?~f(WNn0I78a0&VrA@FieyH1)VCvXbCF_vmuP1=DTs zqPAM@a28{5vv3{ipmJv)mE*gp0LvugYixhAO-A>dF{~!u|)%axQVKPcyeY1 zX&og$K8bAa$GSauDpGA}%sg8(2XeJGX9qb@DtrL+J#vdcUK>~F zQXk#8`>BfjI+nz$4tWGOmNjQP(6i=Tu{i7wEc$&~n^^}8FvOy$&lbb#9M+Pf*RrZ= zZwQR2DLN)wQKjaZ9BGrJNcAd+x;@{>+21n*?pyrv#TphwkLdoJXNdy>EKz@j@TCeK zQRK>V!lYkHOamX3y!ESJ3||d~1=Xhki`k_ID@bu6$7M!NPRg2)j}W`xGe662$V-#L zY8HwS60?KgAm|}e9qb$MAR!4I2ecf-&nj)gjr>MLB1bT5f>B@@7bb;Y4nCjvpR|Ru zjxR#4Dq8X-<&N!_Zrz~5#);B>37Wo^tMu^WeRm5X)EX848mlX*oxT>K-AMU~E#8={ zRxiGg7`CcH^lOGv)$SfWRlt#Vc)`yAGHdYuTYNxI=nj55^C=UQ51BP_R0@?%))@D2 zKl&BJVv2nE^=!Jvd^R06Dt*l>GrC_RTpv>1XtQOIxEZO64V3x}ZlI48X$m*`g!r85 zz^=;6Q5atnit|oZu!C_~cZMu(*jI>Ys?3V0?sDRrs<Sr{DnXKSpaq#$~s(aXZTi>^X6mXej8;a%5n6?Tx=}pq?F(l*}Hi}Z! 
zqEUmHQ*f$pgAgR*%L-#7<27O=IB0s0`vAgywoO`F-*H$|4nYB#g*lQ-!qKnRar>gVosEH!=!dA8DNQ zU2^g$B{;MT62ozfBmtWJ{ax z;_JXN6ym(XX#LI7cQlFb!Uq=yst-|FldG{zf%cpzuGLpcx&cbtzMONVF_gwP{VaNB z$Ch5NBHyU~W@z4`weuw4n*r+i3>qc&cZPUoIPyk*Eg@PFSffx^g5w0(L>=(%&XIpF zK&2^iO`Q}y4H5dl0QOGoU}qmoTPs5FaJmjF)%;mFI6m0i6?dYy*)F#}L_#*S?pjY4 zcR%`~`5^99U-*i39nMxu{C+!flrm@g(?&1B;{kP^-y-}*F)E%C>sZQpj`gFk&<3bV zW+|>R*d_A}VtS05<}g0JuQm@Ox%z4R8}iEtvv>PdqRXc5O@vrwr5*kUo!?o`^>M{m z_ylU-j&G!?mn2fd9R^%pQ<85(LtkkcDFfBz?*(oBOW2IBSU$zK?T;c}`W>zyK4}j& z;Zl?UCNWLVK2U>6Z&>q^%f!w|_#xs)@)N#CoCkFf^SFAmzEGN@JMITj>mhgPTk?Wh z*l}$=bj*io3HO37@IO^r{sS76qVo90PoF`CNU54WBG&F)sTRuz;ex%N6R8Wr3COm1 z5JrDmuPh7;0(M%R0Y@@B&TF%^z$GmFWby1s0ManMjI8BBmM+;r%|_U6sLP~n08B`- z;3a$$2*}+|j#^#q_X!Z@nRKWfRty%Z>FJ}Mys!9S&m)dT=R)1nWke6OfC9>XD>n|AfjB#|+uBk(>uYp3_h@KCh+~2*-zSkQOYqa1Sn|A{d zSxP7$T&*WXMJ-ssQvkN$c9{e_6XXotRumF8$`2U0^jv(jlJFK8uakT{?5xJ+bga%% zUYf8pHYM;e32Wm{;+Nn1eV1!)&M$*Aa<)IB9qJgxo-s`mHV3s(9h3DZlf7MwtW9is#M}aA8pXxklWg!+(658Bi({Ykv zM|c7%@(M4_Y!EF;3-_CTY>j!+q|ydX@42|kWGf%+HgT8QeWmhbvAci%Y2*_FeS>%28G@+ab^LSU56myJdt?}Z(t$FXqWj0v`=zd? 
z5l1F7I3hy&C%1v67z}4mT{wt*FmU3D)%+zM4}O?@lL;9C@2e#2ia~OLOwYdOcsGK( zc`I*HZQhEP=7tsLVu%Tw+xLu0hl1ISo;SD+G1~goc-`NYh1yRGGy@&0Mbbaq+3LzJtVIrm z#|>te4i0HT3y$|kYu5(Oki;^bt3;c}Fx}0mrO_020#^}xi4gvViWJex%dLXJ*QC)v z5v+Ylyf+vYKk$3Am4xcD`@|%JU}3f!SUp{rEDe8qtIZwQ=d&&5OWsz7T4=t(ioT{^ z%{;;~Mw~Ih)lM0Li(|gXsr&9`%@OY3Aw40|tP2koB)}?Xu>2dHAuY9RhJq`HLth~G zbr}N&b_Njn=mhbrHb^=Etbu(bSp!~rSkjLa^fXU@h?U%-MN6xVeN*M1-Q5Rq-9~J} z?A{TaV(|NGb4nEOTcGvRtu(A)A&NV^{#xJBf9pI%W`2TipHSDGGF`>J=cpd;#_Onknh{|=Vn#tCV$F*GRFKz;YA%C0o-|2ia|+QEuI!Rfsh?4r zGho*$pqkEu)jm9bmYqF4>Mm?t7ir-4>xE&_8e43MsWe#>Mbc3lwmq7K6W3nZnpNai zJkFUAg>MjNL;>M!kyuD4msCMoQ9dk*8KjzqFe`ouvy|T#KLMBJH3}lwaSmuQg>SUm zQha^#-~t}N&=tN}lJ#DdN2s3H-jObVQHgZBTcD{I(Mo5p8|pz)c=`du%uvc$@9fhl z%PxZQ)gHX?XCFI`SV{*=l`?MK3>%i*NJ1joPNpQJvAtUv4V|qns4i{!<4295XQsHk zrJXU65lfA(|7FWc;pXR7G5v6t6}(LSD)n@_RJxP7vF7lbW@VF_x29`!p)1NZw>*D^ zb2%L3Q>~>>JgOZumARjyQa5!TV@FK&!sqZe0+*1IB*Nl(Osz4?a#IKL7j=_6%TLpP zr=v{C6iaz@mMw7qQuX0-g24qkLyeqH=m<9sH4N~*LkccXRcWFnZgv7;{@cpGjQwQK zSc{}wO>9KMOH?ob3s22D(yYFm@LRbF^h9#GntM|4F$ll2Cw{Tsq_>bM5z`MS{M4CLwLL@tKr zvM3en;@^P4`Hh}DqE@{T(<`~rqBAe7ExKP&Oa&g}4ZN>#3W)ZO09FL8%8~7zM5+$c zkqHY_C-wuT>MQuqL7j!KpA=Gx%h@*@9^_DQKJK`1yOu-_RIzk#pw-4pp_Q;i^|U%< znR(W{78*Ht+QUgaJ*rKJeH4F@JSm4$?Qi81I(zqX+%Ts@Y3Pv8 zL7#|Lrct7dpn8N;=T^)B0KPm2TBVk2i7*ZH&YHXv|Q87z#=4$MEF_ z=MZ0>$l1rhag~rR_2)`^##|h%ur2@I+bnsyxsJp(M*Yhs(YGh04kw6Ajb=<*a;)tk z%7@RJxn8SVnf3MB0n7}uzwsfJn}|NATWAEGv#yauTLz}etF@a2pC=L~(S#dme6P2^ znY^kiCupnWy0;~bcS$+R9j_;LS$gq2)Ol%?x|SZ@G@&y*pZ*v@OKI-$-A%@tmAOnj z*~~;;9A+SpiMr96Ze?jz#?oaPsyYhhDk^j$MTF&lXJG*eELGRP8R9cHpp>r{(%2v9 zJrl2J?vZbBEJG#FsBRt$tlpy59Ht>Q{lTAltR)e4Q#wXaS~HcTuvJ;GJ40ySzHP$g ziOm$n>fcz=XS}gqY{H`#HpZi>7BX6zsi1IOv6@Gr17S=zhf=^erO1y7ge;dbxX=(2 zW0{!Dr91}QcO}%_i4df(7jeScgH`(Jj0BA3m2hNggvP>7@>a!m^%JaNPE=ri9oe_(wPeXYrjI?2mn_ap1lQwexJ$eQnM*r7;f0^r8}X?eUb{uEE?PfCS*oB%sa zg!Ke8BtS+E!e?h-apAsTy=WW3`AqB=dzpV_{S5&Te#gmz{bfJ?B!^g!aj+ z8j$!3N}0PoUpP7O!!jtw+>402WE|MS4GFG1Jp>!7iE9*9|CqLQbjfAwKS-E8-e@SS 
zZ3o4u58-B8lWHpgwl483EF?bGghUWdGd2v%j@}PKYiC=jsd6mSa+o^nXc@}uR)0R% z<>jV_O+Z!O(pf)nyEay&%En?rZVG>$Sx!FI4?y7kGo7h;3CsoYH;5e~`^zAi z(`RZY1vgIOVy0{7nuUc2OCYjX5ul^0RPSZRxnFY3C%*HS7H1l14Hxb zOA?ZlUyEGC$i|ZQH9{E!Ow|FSRnI4G^;)2;U)*n8Aqva;G1ue+4_`jOXmBeg%{W0( z>cGM-KDEg;1PhLRJ1_-7+PH_}PW}tmR&K*a%;q`?^3+}4CrLAp<1qsfA(5_F*cm+NA>DYgY+HE6N%uZIXZ1k+Q zgQuUom)!Nx(B_L-iJTbxC&K@W(kv|p8&|P>1Un{IU78p;GW+*Z?jKB%yDs2?>!}-n z`>$U8lb)2#-TcdYZ^k(V{G;7JjUF%qVq^duW{gbi!M~p7|8lU2Jbx)c9%cD|b?RS| zb{zqd&K#kgy#F1k{D-CeE8gFU;xG9qF%HfAPw)LNNxbxb_pZ?kMbG@daQQE_6|cbH zCiuku>f-N2=CIcv>?9Y10wAFOrO*GmxG98c?dV9+nP0+>rD<8@B>Eq91148Q00Yp| zT!M$B|4st@(@Bh{{3T&iC`yL^XYCOFlCTJfT+sicEdM()01kIYV`WVLBMyn6e-Q^2 zl@Iu*8U3q=x!!-r*4x9$>i^L5|G<9qx2oU>C@$f@!28E={6{vW!C!vbAUhNLU*7Pa z7lK@W3s?TXp!sR^LO$}hOE;6yrS(Y2=|2}7u_Qy0(%I|%Q@lVI+2Y7L@KSR1i|HfuPZtuel-Byb^GDKI4NT2lq#aPx{v4zj!QINFh4H#& z`j1BbPDHWTXyFqaQM2WNG?h*G!*0gY#LNT8c)ECTWlc3`g}QggqJS}UX9inzGj_Ps zMLy$l`}rMjE1l--3C$I>m1oI=InB9Tc9)Ax@sct}FB%Al4^v81NENv4xY0(JmR#`& z%4Ar#k4A=JKUUQVv{49uTIy|hmAwKIf`eI9bJwnwpfW;drz39}g)k8d31R{*jPuVD zkozvT{_9C2vBKWuMRqD&uru`wCq{<)XD|uf`gacj94gIK1tA9kJDGY{cVchp9ZKF^DH-#5d; z1WlB&ZPHr;Rqz(x?}x4^nHMdDjV{BXXI zTosZx;;@;_XMmz)_NpA(%olXcb7KW+EkrsD*oJN`Zkln^73h-q9_AO})iOp^W-j{o2wvdjXi*fM;xMR*;_*3=Pdi z&Jr*m&RF1bVk)M0BP)mq`kdfJ$221|GmvbQg~f+SCRGtU<^lm1D5&OKacBw6r~3ec z)sl~+y5rLAg>70n2@4U%+d10k(W^EF?zylJd{k?@f%jUEfR0aAR4heh&AS|KuXf^`Ze%l~UU23$+KU2AJbUf(>w@>j$!`7mtRAP*rdU-j|Ar=oOb;uQI{dp+9Vo}xm zo&5|M`7gMLzw}v{i!;XNg+0ZsuQ4(ZbN-h7>?1M8d-e*76QYBA8om4qI4+G76Z)uj z4`>ht{D@4+YhJQ1JsuC3t+^?^Z2}~9S;97%8*BzfWWHGGKgzE zj?U_nStylV6TG;k(M0x!<&q9lA~$IfA%H_JNJ+V z+E&E`5g!Jeeqc64Z6jyHGq5rO*`2^$fQeHyKVhW&?fUt(cf_0*f-PaGZe=D@)YzDn zd8v@nS5#v_Ik}_S5o>W0LcCPwB@uJE5G$GPVL(x=J6?=ga5+gdv#W@nOOl9y>=6P0ZY4sW1}3`7BWKV&fXsL127BeaNvQ#vOkM zjT>v8vg28*qA^Gqg*?gELzX5Ccx&WIe2r)FOuPz9=q8Rky{;1^{{Ibn2{l^IPbBL_Xo832zJ*5uB z?9PqUms0^uKO$H?UL2#Q60&9k`JlJSf?uRXiP~9#mt0(uQ&hF0%I0SCZ8j!x#=rlx zu{b=RQu~s16gJgx^|i=D3=_yQBtpmfQlLzm%W=$Narcv%}7lR){Kpv)IZSv 
zCdDzNtzt>?V#zX*?TxK+tM#-{nXCox-bO(f8N&{Zx6hwgiHmnSUGF|P zsZW9^fxoQ1WkceR>CYKTkN7s*>W@_@<G2KoOkG8jXd;;NVaF3iCY0OAmO|y-lN);>zz*H0mx7wx-)2x$ zg7CLCwp=-Q;q*Q#b|T%=NV&&>MeZ@YeGb;D2RlsY%1hryMzp0N$M+>Wtvw@)@XhlT zBs@p-xv&*P&TGAAi3!u~*GJMx&2Am+o2@WTpdKpzm)qkP0!qbH#hX&lPgczW1j>(? z`+Ero(Q<^=XV3~s1OZXhNH*8^A>dQ}2)8rT3xf`5rnLPlIwQkW6yP4mYhlbHQ!qMm zvQ1vm!*8q+3hMkaZQAR($z?>cQ&UEEb}-J?5|QrKv4=kA$+WfG2tSfBRc90-mV8Px zRcc>sgkF}y@-(vrp#JogXZ2B9%UN&E1s+NcmRW~;QnP^wsSYD#7fy!r$Jb1@J0GD2 zgS5L^1?7X@o^v)_YJg=a#9hU#P=HBVPJ8*_veU#qBr6d238-ZYo?2vyEhfG2QNiRR1%yneH#<6yn)jK&xFG;#mL(pG>fi`^MxoX?5y56Am?4T1Ml*ybed=?ZcF7iv9WqT@u&Twsts3K05E?7<5&qwe+-ymzt<-sTe}HY zSu#H0wIvz}$}!`NmhlYQ#Mu5a|H+W z*CD_0MxBOlt{EovRbT^4XN)zv#F{DEZYLl^n5*Qp%T>&2L$09Bc+9SOp{Ef}^DRIOYiYInmfCg- z=`{&sGl*!6rfTx-L>Qp;)*7gLVYd-~-j zX8+c-u@}1%fgsEJkX-h5LqhjKCNC89Br>CehYOr-#DIr8wY`ZG^s_Y7d^@+F?XAO_ zEI^5iGYVPm(o;HDq6=FLTYaC9k6%ZopQ2K~=)2dB$bmA`G}YVK*0MS* z1O@}fW&eR~d;+@+N#a*G#kNNc!G6r-uz-g0-jzP2hCH|mr9xxL=@M6Hu(F{*@pXwx zxH93XH)r%pTLhAv?d*IJmHa$kywVENaxp|v;!Ha$(ppbA;;+@7v@1T0$P-gY%=Nt~ z;ABn2R!}DU4iV2tUeZwg1a+fV!gSw6XY>P*g1JR=EMH7I1vk98d+-OWd$Lcj#OV^{ z{vTaT-i;g=mM!Mz5UD*Kj+{vk_&Sh9^m1Q@7LK+Lb5lG zEueyUbRM`<@C|T*1h|CRHw9NA>nu5`H z$y3`{@ZruN;Os`xW~x=@jcc_fJi8-$+8{@S0 zI|y1VAe5xu6*G!U?JYnYRVqG5!_i0zv}RozY3>e=b~~HGZ1u1n+DT<1Ma~XIG|I7*~h0(mLz**eYyqG_d zf#YOa_NU~-5@=aJTeVOruE(Q$7K1Ce}A<&W-g=*Q2dyN>Ye59e;tkg3=7-mp3Pk!;D+QmK0h_AaTrFL|K=&L zEd}bpR0y$-Wzd(3rr{vdXbbs8Qw3be2X(dG4^xn6O)NJ1^nD!@zi{hL0NEcGdsZTr z8HPT=qVJXchS)LiGkgf_37Zp57P}9@KA>9*_(hMMF0o1pCbnvmdt4;f?Scy%76+lmUMO(yvk z_}eR`2s%Qn@PyN9Mt#3@xY4iZKnSIwn~|Ya9&T7EnQbv&7t^*Rmq1~cpBfv0{U{$3 z_q9)^@hrw!_*@CI`Cl}o$1s(cZ!qesZH7NJI36?RE z1VucVCf^}r2u}?~L-R6#!3^ij$b_}x%H~QVmqv5E?$P;!w#qZe7akIXu&2 z(U3oqi^=%21Sl?J3O#|FxoV8-9UvZpG&>W z_TRU^;}g+ED;q(x;&Fpi?@u^g>J#$>(Lt4r@z%h{S7CN~w#Uv(!wE(>i_eycb7?pb zY9nBD9r1MfnbD=m6j7FE!RfZ)N4O064W?=wwG{u@V*HVcSG-`nhiz_Q2hYtKe)*No?n*X$k3L4^C=rmysc;P?Zz-L0(ubyPd9}(~mZnbh*btc#9 zqQRemt`)vRWh^5|_;e8Wa%4x&!&NwqH9Sz&3wbdva-};45atLR?fN$YQLVHJnY_Yf 
za#nJ;lXI3o@jyToh+HeN(}{v`(lxnrD&B zCuB%ndIfG4@ibEMDiUrNTk8m+ZYUK4UP!2|+OGtRfr*ZMroqkP5P(1;T;XRWc*%>= z$jxc$$B-GV%Q9t^bewLvXuiHy;_67^8DSGeRF<|BgOymge3j0?YWREC@KRx*^z>1H>8i0 zA}<vK&4|HrdxP|7dY9?%ll>Z@p85JMXOtAilYYqe} zY0_43E$aH5velfDXI-*vqBPYDjg<0ddROSy@7-sE!rHUL0LW|BWRemC5gcW0EF7yb zNmIJ%u_Kv9svR{`y%-4e7+O_Ft=qN|sh^ek;}>^m9N;jxFIN-;LQ)MXp3=kl-B1O* zbQIga%rdxo8?@v~=T$9i(*5zmd;X-K-+>%!BTZPYEIP(!`x_~NJD;wFPrDLC<}hko zOZRKGPM*Y|>98O4^VroR*9;>3AXc9feijxmU&+Jh^o$ni$sV~W>QPj;)Xq#V%~QFA zQ%ZOrFKz_EZu3yI(5AT91;#Dza>N@|4cBFv;Wt^U!|=nKOrjMOZ!Bt7b!rE7JTeKx z!52&fRKb#hSiN^?QI_-8{q|!$Qajg2&^i(^sDDSJQ0|&ATvFwgzc;HQGj(flOkmtI zo#OKb94g!mi9hS?GY+#F^?$YZol#9S+xvoa1VJe(N=KwgFVd0TYbc3?B1i{C0uq|2 zfKsFv=^&ki4uJrns35(EUZg|l9YXo%z2$xH{d@2C--mlX%sOkGvuE%9%$!*>`~I7ujtcVudS-M=m+q4i0*2Zu2@h(DbnR5yiK9bgOCc1du{Ad<9J%Y@sq^jkXqbAZj^5GEd z(FsMGykSbLy$%}>JT$N;A9udd$*cQvEHM{4QH{D4(zLad8ea;?r@IFY>v^qPg%yKyFI2r9Emr%WA!RoYLSn33NbjnW`&4u@Z9ZoR> z{yEnj=fA7%IZIP2P3Q67FgTT^$lt@GFP%!DOQP*yJmVxw`3zPK{cNpZh*CNL`4WYE zH7Gd0YWC(Chm4CU$VJ5HvNxC9qW;-Nadywv*H_xw+B)az#K^!|R>4a+LPT`A#-8H_ z_s_%RUBU!@i_c66S4>Fp>JWIWaI&appq=4(z;;bQoR2W0fqac=DqgE>1{_O~ZHnubx-B%oMezBt zTb!oY!xwrP(`;O@V7{r3Z#jm3NzL0<39xR~y(F^vX``Rwd9+ZAw(ef9H54h-a02F$ z6t{m7bLRl@3GP3-cDIUB4J73);IcIq&0BNJA%ZtKU46wuuNR}P(cYytXv~$b@hHQS zD($DQ9)x7-$$N{n;A)1W(9f+J*X&2_?p(aEd>w@b<%V!PpSkz#XVT8k#CbNttl>80 zs8+{&#zRJ9u;d7<`#v$~k14@DA$&IdkswcEf&&zFT)_qti;7kBs_Aa-Z_x z+lLWOhnJgSiT37&6A{V!W6URRvf%{)6>U2qWPLhJ3oVJfa3`l6s<-7!tG%=tOC&YAh3~6t5<~vOS}1Uk zG|6gyeyd>r`J+q78F$T4Q(MoSG0NBALe2-tW?vk2hU`o6E~Pdfx0Tj@47i{vN)>N! 
zD||3u7*6fLQCN2!K8NC=+&YMtuBdB$r?Z^&dg|ITk^K9T2d_3>kRUgZWTWIJ$^;GL zW7nEuVzk_ef(IE!zQ>#;=PqV&g(Jz#T-4ixRNgAbTZdMJE0ULx0)!#jqPuA+DqLTB?{DW1FS zk(Wh%7CBWTJ~zxFjha_-|8(L$f5%+if%$M&`7A$kUFA{NfQ-!}Ga|m77OOsW(>)zx z0=UGd3r%0D%F)}^3z2VM^hNJ~?=N3oJ#r@|=$99Kb#*IT{fr!95Xqc+U_SBKdYVS- z#?L&$*noaufC{NXD2vrB6-ty!3IoC0a)5pNsnrU50`=lkQ)j&6+9Dlx_rye8HOC@` zICvQtOLptnK=P=x`D?wD0UFbRU>;}nK_3QDEc;K@y0AjZF6ci}9?5jyA0Qo1ylnPZ zw**mQ!goa%HT;(Q@sx(0BC8BRfgR&RSQH^*{y&4EK(q+-U0N)M7inXOU_30hKU~Y)kC->EFM9l z6+6z^sfiIxZ>^5Epk3m*YBsX^BP8FiDoxG|W^*pBfkh?45L`yegyM4BZR)89`j*-@ zzcV`w$o8&2JHYvQL6>m)w!BH$*(+Z923qVLEA5FMTIMo-}VdOm6x(8vR9uO9k(GA$dN;YOK<#Xg_+ z59k=`9ZEdAw}r$z{YWZJOi(1le0)FdeHe~H!yOi`=B7ssyz&ijF-kI-KXpE(cv;Q#YBd%))^ z5?@GCa#S`~het*zEp8^Qa4VMi%3==!YtPlMPABws(E~L;B&e4hoBa466>hEEsj~XBh1& zkAGGEDQglq7obD)qCrRjSoSQmrO0@x@D_oHl@fq8;)2_9MAX6usHD{jj+>4<)OEnjne{`9C)3F`85esSE2qxsuaEZS`uvaN zKzB=C5d~-bGFkhI7JzMRcF=B%+}PGlv^CcT97Vvf?BCuj#nbW>O}#T#hSTx#Fy7&< zTo`ui>E|Z@9#4Brap#Hdjc2K51>X-c9?7{RuWK+?k#EfG)zgn*21Nu1ON)HTHx3VY z!$uo|ZUfA$8fBcBCtRe2Hkp@z^^TQ3J@o-j2<=-~ue3wJt`rL` z`FRFdFFn(*x!!$a&6ourv3t&^%|a05`?W-iO7$OWM{e1W{0fuh0<=#5V1r8nxZ9y~ z^!1|`R42vc9;Z@};ee;nf^@9w$AT*e2q#~&jF=>J&dx8ak!qP%NC2> zymh$PL87dBT)d;W)lEbaeghAe?{z^sT9bfE{#qb4cfT!tTyK)QjN-R(jHlC2uK832 zh5+-lO~)(K&`%6wa|fx-b*8fKgRM-Qs<%uNO0k_9@gilL-k#%-gC zEMJmq%U-&QQzkWRAlma49d%saSJYHAJ#LQu~d3@Zq_dQ(KQ1+$)C+Q!$@o>c) zIfs1zIynT%#fwkE{Pr5Y9sk_H&O|nCAlS~X2^-MDxXHcer@M=}G7odU!T9i>a@PWP zsF>|(8CRkW{*d~c=wF2uNAn!76-1Kj#{d6>gqeyFp8(#vAZvxOZT$n{$0nv zh~W{mYP`(^n5OBFz5mSzk`E!*6pD8wBIEG?wC_(@5*}P5{&xqdf9c=Q2$Vk|8y*=6 za{Kk@?!UtzZ%WF}!QpM3&hO_KYgZUe_3w}WVG1M3OP@^QkL-cJo5nl`zox+BCZkUA zyJ_;x*KxKnGRF}7hg#nvaNsu_vWxx`@jpGnfpZfFzV}s^}lecjVt@#{X9bXGCT^Zipz>(r}tHD zO$ew?oX9<@#S4#mz9CgI=edH8x>bIkXwBMth0Y*r<&0EzXAX%DAb66z0ge zUshdG{BXVOGmMi3yEN4TSH>r%`>w$1SNSq!=8KOy0)zzQykjo+i4!rbK1*`777jNX z;Vbw~Q?tj9acfjQ`e0rwy1;0*IWdBppeS@U@`B-$4p(YexA@V6gx(8eOkR72Ukh@g zI^Q#c&|4ML+Et?W)Sl;H!w@t6wXqP4r3@(8=SLX~wW%KQGI``l-CXgVu8Cl>0eM~E 
zncGAx`i~C0f9RD*{s2@jJGwLqT&TCp_Z-<4iQMmb4J@@Yv8y!iMy$;%?9HXKT@jdL z&CY#3ciq5elg}(xA4ilJ!EGU6&vJCnCY;SD)Sxkc8^ z>Xcy)hm%Imn23yFa!LQra5{eR?Bw;s6v+$1OVy_XeZaRRx9zmsC`oP@27Z)>^n%l2 zw^Ock9$b08{@KSXZV9n5fiskyEr)YKk7r#6@+0~B^P6hTAPDU!%KO7!p(*f}OzYI* zmWQ^0nPY9p`3VDe!<#rpp5mb);`(5RUmbM#`ScQcryt$j(c^t=69K++HSIUgjWO=- zRjzSYjT-Ii9mU6NYTV$Jp=fxI=55nC2_E#5%`LqQ zCR+O{QiUEPhnOJy-Whp04GiD$!YaBA7v<*atJcF*7wl4dKT#}V-w9sd!ahivFBm{J zC#1VimK#<(D5fWPthia?w{UzNu4_{EndpU~INAGNd!09J9|Y%9Ze1#RS=R$*E5}O3 zy~H$j9gxy*B;SQpH3=I#>(AtIkgY;iN7_`X{V40Ba=s{A-XT2!04mHi8bEU1mRZB5 zIVMl>QFh4#!F$rSi}6Jzj>W$FE5-Jaw@Htj?9@@dh5Mqj38xi%fYCwo$O~=mjxK{D zz6?3J5%iLSU1ihCOSn&GeA=(q$0-@>hBN5(bW5NnB+z#}SEdy1R^&-%Ylh3GJRMNh z;8DG$ui&Y|EF%Rr-ZDOH+t!WM)%4MI2oyqgML7muWf!3+uF|!H-!}`;scD6e%w$&= zk)c}@_Mk}U=z%p#2sUFBzkG~lE8frQsKa6n>Md$;#BAVDGzEIWcsFU+3HDK6C;6?8T${50EQt^LE_h%RF9$3<+ry=78d{ z@s3cFFvlZP>)u7Vg7rqaO6050xD`-bycNZIa9U?ynTki7apQ%?ml~snuaWmU<6mL8 zCk?slwkJIYW~NQIocqyJu=KEFMj!E4{wxAd34j)(hQ>Ez-0HwXr78Jb37h%gHw!S~ z*%43Ei1;8NqTH0P{8KUwLm@JIq?4;iZ#Y$iyp`W*WrhsCzf{n&ZQ^jGK?^_?(~!ev zH#N&4@ttP+tLVz!vs-+iO0((+eGN_B(N;|mzGO zqX_QtBnKH|-TgfJ7-8Jd!HE9}=sl}=G(MIUA?J(iTk#bLP#lrE`sL?X1+6SE18Q!A z;Rit$L*U~5n^)V-cJQVw5j{6iO-t#B*ByG?{B2cA^4XiXPX^38 zL3D2{F;1?!g?b+jkGlcA9Dy9K^M3@F+>?;w*5DfDJm8f(SOy_&F<3ElpGmbd)Q!2= z?)nQVlIwvB+oFXPd1zMdp~Gpduu=*7Fdv4^c3@&lVXkq?=$M#{VTdC_t|)}lB0EAH zvic)b!wIZ@JF$BdBRU;;&u7|7CfE^T+Do|ZWlVdx;o@XuSfMZ4!+GGlh5umMEVDZT zZHh_1$D=uQ@UAqi$p!15PpNrkdaUP>g$Yi-GOcHD60PYey{oMY{8skVaM|ozKZ>G+ zi_4uMc!3dH_*f&UXtj+F;-TcQ+~euAJH}%0IVlIj>j*G(km*9_K0>{2>ZGvlkO?S# zb$QRl|CGiNoc#SD0Zs%@E=L-CBKT>&UL)$4*NaLR94}^Lof5sA>pv%^c z9*f-q|3e?p*1??bo0p;-UA2|K^T8in%zOGt| zJ9Rd8T#%iVH4Yov8qWTp#)n*TT)OJI9V*3npw`VMFhvN2u(~3*rpt^(pZtKrq?PN! 
zpr!CMaI_*?ijXnW!>eUTBaP015T)K;oLB%`c%E{M@gfW|2GAANN_3%^E4W;;LVdf8 z_V&4_Pv5NDVMMobzI|vGpgFn06#1=;#)cG+07`J#KHD>>Tlz$`J+)Ldt>e=Fw78Kz zrN>1FQQSgLRw3zc1nDE$3O2;ngT=bbAZ7$cXIQ88uy^|ASY-#Av zCNNLfNT&L5OuiEKAAoUAA0!ptAhP_^k$z!-(5pQ-7 zHv{}~%iey{;2}XULcY@9aQ=hq^TXC5(9-Zn#rn+)MbR@CmtvvP2LW{BUS~$VLvj*$ zJSmbXmvbnS@1xR%u;k}QdLJKQx6Qq#Fa4ODb|cXFU9OtX1Ow{lZ^w!T%T(pU~3Jssr*vIA(=HoYdXH`q5HO3azeHdH;htaK3siGzO;!0?B@6V^?X zH}9D>9g3Vv!!%vZolmD=Jv{VIuYI%WW|Fc&=u5pJVxL+ifmfHT0{00w+@-cA>Z_nf zo-Q-zZ#`#>VC3yYr8GM0t5Ju&g(jMi_Y7t0k2C#zC$7ZOj8ZCr*n^kG!Jo%{jf~=s zBxe(U)R?Jtsa$_$EX+dn@Q*dZFxK%Pc0(tT*;r zX+uXV-y}T0pJuw|QGeL4wz^MrRb*?QMpSL94k^jLoMQn?9^WboUt#+oeGGJ&PdvXv zpGg>o95F#nm>{LPpj~(~B5#)qSSJF;)JU0R1#+=U>g)#cpy#st4vu5I^PTQ^63sl8 zC7n8Z{gC)$)4b#)OvUFIu|8$aZx;DkIoZ+qd8tPEQqb9R&H4i z3>E-`!G#I2QXPI{6s#zejMlBBJcDaur~8U5PvB%W>aG7Ok>AX0>cqX6#OBAhX(sdI z2RNFpYClT>Ch`oIgoRktr8-ND4#Qpm8Wm|dg0}ivoypsJAZH&1Sp;GTV2HU1X_o%)s1s}OD(wjnrrMvk(sfB{&iIkF_D^#jBqWIr{ znSJdYWxZTq6t4ve(@6ZNHGJMTD%Ts8?t^iWnG{i<)gd8uu6|&!i>G-xPcG7e$~f&% z)M;Mtf_i^D)To=ISxd8W9lH@|#cA1?-TP*pbn1ZU~EZ;nT{5KVzr74wjhMd7e!!X8er=a)uR zi0;q};CsLD-_Q8niNy zJcf<*dlQEl{v6$#Ma)i>^Cqxr!Qz+=PEEK}SQT%+QvIw<(f+1O-hx+Y zA%`#*l>nmgChC+}9G8Nh2lJg%Y;qTsni7LAdL%P)+%`D9d3NbOgWxurJeT21zGLrL zWqf7Sg*JJF-3`%6>l>gJOScTH*=TykAe_j<0jY!ZIO?TO-)pGfEt?)v>n|!5E>-y; z|18EGmEnwNr{m6VbC+J?7N69~FCH4H7v=`dKEs~%nqZiL^mX2T6? 
z*Wd%c{QQ4Dz_;VmtK5Geb8PV5|Dt}bPgVwjy{^gml-%v6G~tfa&8rZxhL`eKO8?C1 z`lF8H_cGAlnz4iz$CKisj)x(GOTujq9-5Wl6FNp z0tzp-^cs!5#9*nASZND6*RJO zd&Fs_xU@dx)2Gm(2nRa%t+A4B80#ji)C8iQE<}D^hRvv z$S1PIXNhCe{ie|OlpmINt?uG~Q?i_Y=d*;l48Li^1^o&2I)hDKdI1}!K?Stl97SI1 zp?)Q$z8>{OvtA`9U#Lj<@h-J-TX1tkNXC?RGp5KFWND(?M?4R`CAWD<&o2DF#_d-& zLNmKh*JikdfRkHwDhTb+{()fm#3=FEv)B@!VqI?Nn<*2I(^`49itT$~7To*?meMFy zy*dEkIeUS=XV3(Fl(S+rTb;2xLJILZVzv8^(o>ozVIr2%n^JO22UD2f_!MZ9+9Ap5e8c;Nup6=V=N-HqC{LyDIbVMJJu z6XFZbpVpgiE0uXAL1I55O~ox{Q}i;eYR&5e$Io;$-pN8a`vt-&>k2b%Lvn>*m6tTK zsH>*S_Pm<5VH0`Yd*A1SWp1Me8W8(#`!+Rlo(KdU3h;IV6QxPr{pr&~-lX3eVuC>u zA{;b+Ny3|WK;v~@Tnfa8UC$W4qn@X4Eo!{bdrC*iAGkc~S*yDa^22oF-3?3iY)oha zHhZZ?$m(D=wP~J|c=0vfrEH_uZJbdWqG!Z0;TEi2S zD+32%Mi1EIQ&9?DT9L+!2is1u(=GLRWlB$qHKq>BKRG~8T11Yi2KEQzkDf+okd4+O zR=8hf4aOAPisO6fUhE0UDueb0ej~@0?1hY^P{Vm!j@Q7F$7qqXW*$ME_a%qRJ z3>T1Sm&wy?qACe&_Nh5=@%G|)vEZ)EA({+-Na;q0Kl*9KX+?V?<}JhhiDD(6TPCP| z_QyU#Cg^!lu{^-`?V5GXit3^Qv7M?Cso_R2vOcpr{opoy*|9$AnT7QQr*r7BLrO#@ z%FQX=JydazS`IXh*&dxDSm_)lQhHo#!GIuc?+8WAkR8#;fo}Vqzmfb0+$jat4>RU2VFM(>nY5Nt28_2rGZLascUPRBq))C|Vb09^ObKBf5c$PCl zbje>gsMqk$!VthXHShM}AB4^8?dF5>7YHtU`fh>%YWd8r*}|`vx6z6NPn9lYr!H!? 
zatLeNRaB4B1I%A!)XVk@C?sj`eqFtknh?9})iJ9Gm0I9b@F=XjD9|xY?39oKU#)qZ z#>FNsaEdw(n<`VrBwjk~-V3DW5m0JmsCZV>)YPTIB5^lsb=9BN|7Y6xwZLdx+~3hA zmDByxAAxLvr-Z4hol!XYq;@d0gQWl#~8;*AkuS!e+PV9wZHBfXmOMaoU@SSPv`&A z`-T}ux%|(;-<#rpE%?7K`qwA)=iUFUZ?O4_c$Z$3zGPUZk8rF%dZ< zG9tdYA{6ArVWF^~0001BB_%|Z004lV|NN*S!2VFIf?BQt05I4sgoPC(g@p+e9PLak ztW5v_G(u85z*SIW8(n9nO;g+a53-%&2{_HhG(pi)adereq!3ULQ4kRo5D-LAP*4#C zK_S6VL_vXxG!;Y;5{mEO1-GAlw>iIgTW3x)%qsu7IyzkecDAGt*z z5$s)@(EDJ4A?kpT`T$%a<&A@Ts;f~2#`B)PY4|-6ZHv3&b(0>qFTb}3WFBK400A0A z>)2W6$x-@O00k=FL}m*C`eX>5cUQ|GK#UM+0jXgX5&DU&R{el0YYnbpt(&L!&F#W} z&;#6%K!qH^0}N*B0WtD@h2wgq8+(4INEW<&4`VxN(z_S+jfNvgeSFX1e0xE{Mtm`cGAKy`vM|3lbJniWa{P9L zCGHT0ALy#KL6{8ONeftX`C{e4L$En&8tXklwg_K^sRQ;WQlu11g*XzdQ_u)+ULw;S zp`RVX=?}kDj15pcipBO(RMBet{OPTdZC6}Bh%Zx69oPIT2@&_AxR>(Y+Q0S{KO+Vb zFqRJ6voLoUgiD(^9kBm1p&u?aizg2W2&Ve`X14Hh#aV0_2h5iR`5hKdgM{U7rt3$H zzkt)ZtTig?j(N)*`qNE8)%mZ09fEBM^-6wEC7+mR_9Ia8_fSroGx%c>5zJM)yEO6O zRolBk*&f25R?dVV{4voEFAHvDP!26IuZ4ml$<_Ozw&u$Oks+6%aORXhKw$z95dh{S z9>I1AAVBzXIygf<*3B6KQ3Qa$`p`#hmA)SAHSHjUbKwX8y#?dx!#_4=esnLP4-q`* z`;}wMYwomeVKr_MV?+~kplAdl9JoDr*4FhFaRw;{BfaPsy%ThV61Y@f_L>7l`5eb4FuSc3KPpf&+&VJF0miZvFs`_p(*GbQqAp<`-;7JO;1ob)n(jihEZKtO?@ z7(ffg5!~isF-S0$eWWy)miuiO3e#WrE;D^>+~wUfe58Grjc(lWbM6Y?u(l!F2H+3K z-pCRFY=>a)(6xEMem};{xop2MXMT3@^@nHoePhKna2{nY5usL~lA-$AwggaYx0N;j zV1$VaF9m%A7lAw>?rg60_ehV+j`mLsBx;DNx%|Y|p2+@u%Z00V`xd@e2NEzri@?40 zGY=>QXp0%bwSDGiVH`Tf)Be0cN}p)E;v&AS)lT$sg_pg9o^_k9$b{ zSDzUJu&+NVM4&wauSh5dp|1o=VrVjfiv&1RXcd9iDC}L}M*#x`);e^FfOtMm82}f! 
zs-Sv-wgU76f+t*eKxn??33gL-pdtwhbtF1zXrg#|(Su?th4>;}GQTA|6<|u_xX@vd zlwz8~V;S0_(IWLC!5On99vB1eBpmcWLmihj#75s$9llHu@-7SqJY9&@j+k+YeqYcH zN>}i&!ZCBeCYrrkQ*-hrcu#gN#GD8^0eyj$qK#SlS>Y4R2Rj(vP;layxxREG9mcP8 z4H+ylc;$fh01I(LGnjkesNn{q;d)Dni*|#cI9K!giBxJzk<-xL@!-#6O?{A_$~r304ux zg58DK3bJPz$h>no0!Y_w>_i%7=a}YM!xVSq6I)I&Doz+k9 zW?|=O6Eq~0NQCF*lvpUER3tmZJ%uxiN=wm;R*Kw8;|gaAYYThj`2~7M1x(|O7|imS zF3c#5%gjy;(oIPiBAL#ZJsHRtju`cfE=;oxi5ManF_{$8kusn%Y#ARJrsM#md8Fs#L22+I+sC2fouRcWX>s5vbYEE89y zY34Od*VWhAm^hh68BrTsnPMAN(IjLD^$DfjQwFca6Q~LQjznn~b1NxTIF*SVd-~XeVuiaR+tAzSF`- zibsy*n!(Fs%A?Ql(Bs!q+JRhKY`u3WdtZ2adJB5Dd%L}my^eiweFS{8f4IH!L)Jl_ zKnFt{KsP~7Lfk=QLW)7>B70M{5s}axkR;QnP(SFUQ&iDikY`i>rs5$Upl{GMu9avW z)m98F>oE5}p`4SO17&nzM6Y+Q&oV^b!`VC9gWOx%`$T#`>Okrwl_J%XG9+Ch4I-V9 z;7bycESCV4K$UWlE-F?n0WO)5;7{uxwN8ReqD(nWA{{%M_%*6F0XJ4Zp*co6v6-Be zik{$>#!t6R`K>J|N+?pGvztQ{RTyH}U|6)rPD)9NUm{eJHvTY9HvXQ1oov=BW%s!0 z>3VL3+A!{#;+&$EqF-TI!Lo$4B*}`%O5aS>%;%!!qWviI2)@Cv0n>81z1(CYDXdB? zRV24x`LoKj?nrbBlGcG%zuK`H(T30_@`>|O5El@aJ_jjBP*+el(zg7nF1HR(wN~i5 zsHfOB{)_a}0vHrHvmZ7HR2X*9C-gb`2eEPyOi}4CnqP9iKz{*~36Xt~Es-(*r26S4 zbDd!@Ni!9j^_X#=`JS$xF{4qYdC_RzNTSK5fu;ecEvY$Ih1FWrqHWDz-@UE1$Tj)) z6Sj`AmDAvUOYOI7>!l5MRZg{T!Dd@`;iula9C$-e>7ZyBek@q*TI_W;Np@k5Rt{#4 z8<#pKeH%vmK^siRc;}Uq&&97pw3FqXSSL5vTKl|hgRcF9*!mnQ?giJUE2M4I*7E}J zH1TlpM)D%^;rmSVUlYUUg)8!ruqDY%*EUzW2fX`6Cr;zX%&Kvj(m4-HPgA#_C#9EZ z`|P{5mwp3&Oakl#^gpO(8R`h^*+yx~ILrxG$=aCQS%*lA*--G$P(7)mNohE$XtU{g z=srAxokg^Uc5Gud$=zmVX)I6^6b@=eLn+h_5;sw45q%guDa6QsGMF+hb3SR|IO%BU zsCTJ+?7qZ7l0hCn=Rdz(SZq?av0Gfv@_qUoBNd2T4=sNVyemJ);WF^r6Go(?WIvE- z5^|EidPPc08By7t1uP~6{RFREz?e6;@Hx#q9S)lf1A^z}t@3_(*xkllj20J1i9Nu5 z%{WbZJt^Cp`zWf^^wpGaRBfEW8^nX=UiQ*?ehI-j$_~y>K;DpFJcc?jJ@Dl}^|&+G zTJG9Y9#Wnw1-q}l!LC0h109+omDGQQ*}u=HgsjJ;Og+a zo1d1Rp~Kd-Ela58RG-lEI)G|J@;O{kt*z{KNp-1SS*%^sLGRXc4)P{0!mEg@&1=WB zcdF~J-hHKw(yorljA6H(*sQTevZk^&wVLh`?n?4Bd$b+ceDy+n{;Bn$EvCh*y}jwy z{oOECb7|3O@*V`26#Jg@mg9zR&TsBnc6+l-{3y-{nQwsfyoy0zlN{SKzDtS{dM>B0QYc62%33H+J< 
z75yx8eGldiCdDt|TZXHGYmLW*b%y1N;mf|qeCNU9_;9Ro#_{RCCH@tsiY$dJn?#m0 z!*}_@^2E7!Kd!Qlenc<2fV8mEd**YQ>5zk&RWeoMJCVJgUHQ@T=yl$8`Oz0Qi%$)W z8I>J{p1PREm8P4@Uo-SI^f~!W`dWG0dU*Y{G`q9}0Tt8Wi|U^cd3O)IqfH9%U<(kR z2Pp8nJ|W8n4Wr#VKfaaO8KW6nP5jE;C>?xNN{5XvcSriS;IT+Uk(+6qnX}oQA>0p0 z;?nw-MrOOUe#L&yiR$5`>Gx25K?22_lDZ~|$P+II*a+`2{P|d>mBZD8ebmt8s^oJO zca??39$TkH^LeCszGCKTvs%Bw_(6*4mzeU7HOhMrY4OUlOJX)-ZJ$nscV#%**!^h{ zbV+q&c6hh-*yNlMS5(jJ`>LA`f%1o%2g;({N8Y2>ZGM_Q;#n>UY7MSn?qoV=PHUzQ z7m?$utfukNuCkyxMMl2*Cx^FNCP?ik0k5A=PnTAbT}|JM0ma3$#w#d;D(yi!7U@lE z4`0IYaQZV8oQWA859Y3FYOc%mRr}&jvDqBSS>BHNdW+@p-q#D$phqE@qD*G))AKpH zba?b0o>y8HzH3{K*Y~EVjww|s)aap=c)DF$y7rW>juJ7-)mNxvl?Ro*=VUeAZCmz5 zWnX==d0_k6doeG+A~telkF%1lF1jjR<4(7XrKPRDKI_;9U8kScV$E_^@D6xo+z)P7 z^QHG72a{e)KR0b==y>_pl3oVBOD?Hn^mh5)dO}u&?L4Eh{Px^wziN!#95S6^A##wdZG7+g3(li^whBo8wi^doUbpgv)eWPHelF^#sA z>6&z&>>azS!n1C_(8XaW#Zm`&=FENe*7Mm7w!S27=D0y}8rssl8V4k}V@ves@e4nhVQ1zZici_mkJ}g_rT*177YY z+fDIx_FQ*2zpsE%k`?0|lwB3?vxojPiN{37>4a0YC$JZ*!YGnF1 zHB4<3DzNHtIvsxPU1TMxp2H^<61W|<4_fb!_v}jN%xd^Z31PyIPMQqgv_T^bg)9jM8vB{_C~1rdoql_j6Yvr7PBnMYblwDx2uk9 zXQ;o+bXD{^x()9duibWz-X;X|6wQ8sv*7taBL}GtPw!#fM1U|8!8?T3#3YO35B->= z7=6jYoEVTxHQfAVI(gMa8om#3ELk)0`;rH^YvQ8{2r6({Xm>!9C{46;_=tpq#HHk; zgxREK^l9u<2|2?;w+iVA}csFgG|+`*EK;d#x6r9|w9HM+Z}zYX@n& zRol#EThoFc`gaXqoKfzPUc5RoX}?$2bD%sg>$v)u+j8wPKZ^j>528Ava4Z^x558i8 zMb2oPWn5p90c&>CXCE!4V!4BvGVM7BMk>a}dRB-2+r3+2$l>tPy6elev=s9e{4Kw4 z0kS>n!m&omsd7y4oQ2?po}b%%$-b+6LG=3z3D_Cnv0A3}X0RsuTxd?e3BnjlzeQAS zCnX1Yj=BPrmtJp6WuY{nL*td5wlOOkbU(Ov+A9Rk^iYM{X%w zGFrNH;;*G{>TS#|v_B~9%+-tt%fq?Y`LHc3-_7@`A2%;*uYFwtuLW(3J;hAO1 zM{GYFH=-Z=hSpYp|MGLT0QBoH5W4|zMu0D1LkL9C zcz*o~NGMN}4@~0^9S-1;A99dkO8{{JxF*5o0X>FKPKdE5)*u2s3ce10D7=zDb3+{o zNE)>s3nh*#t}EUx_8A!R!-)fETKw)|W>nMIA5Iv(0KXuO0ZBqHHNaxPdlk$<`aKwZ2vf`B{ZZIalqwO|4h~FxO>j;l4_Hu9QA$!qley|W zs`&~j%gnRL4H8xn){thACQ|1E7uE-w2RAGcOjGP7jOTQktcVP5ZDWlVtBfP$(?fYohuEnONcK8H;Z=3vp3~t?)4lW)p`_t z-Mj>hZq~zRHQq*c<;RsF7hsteoPh4ppcAA^)os7Abhh~k4q5_0Nd&;U1c0nTL;C<< 
z0y*qal7q-*!H)>YB!HOwU45TcP9P*c$j5MK$oD4s;RBn#CVgeo*TBz`J9Rq3>Q z#|Rbe5tjfSdZ3D_VzNrR#M#VYtz|B0#Wj^WXFRez_`o{Ca!0GlB+Cp=R!sG3P-za^ z*tPC9ZQ86H5}dk^T8s}*H_z!>i(k=2i)SCRkoI{6pY3y>;iE7hC!-8tY2n(UFp5Y= zB1K$9#>Aq_xwk(n6kdIm6o)3i1a+LQ3gcpyXM}3nyB^<0BQKMWdDz`WL4QOV&rG7T z=SkBy^3Uiqy6ip;6Q@;KjW%D`s_8~`8@MKQ8noOxC=cfZJ$q|UZ5(i~;tRl+;`RF6 zwROI}E}=K6H+19cr**lUlK1q!_M3$>csndwTkjaH4&9X=P`*qAoTg-iuO)DfTtE9t z&>zqSn0%*@_p11!+t%=7ApkJ%fb9vOrW4fTLn#RmmVxvB0Mqos9L2c{n=ha$gU%GJ zFKALwSyWU3wnQ-veT)z12k#ZwpVc~%co2Pn2t|*0(vg8r1wHrYjqnNDA9>xibeM2Q z_NMbq&X?klc@a<{G({vojXoWha4z;KwtEnK*oRRGh5Tjz3-zarslibv&6Y8jBe4}n z7R!biNkbAxHYaKuMw@BdyStXh`3u!c6etwv3`7d#N;pddAIdp$UUG1;doimCj|u$P zW<0+7fuf@#U-M&5MYvY*8!oKrlt8sBF5>2(rxVy#X!kERGF?-)qwZ9`KSd1#HY3;E zC*aszxqZ6bn%>R0OO)-Uy;D&^FLh43BbTkl`JzarOMA`w z)Z6j2j+%4y^9AfKY}QPSEb!~)rlHLhTX0-A{0oobyO)WidE3@w7~U{_9$(PMipP*H zI*)~WxQB@zH=OX#cy zR_sUFtBnJlIkzm2#g7#HPPB076?8XRgETt&4SM>T?AP*lrxW#YyWQ>TN5?}xZ;L1uTLx3GefEO2U7nc%emq&HXMC%7&dwS#j&Y3sOK@b7OPpmTr8Qz<` zZT&BNdXDA%r&()l006)o3l$A#4Otm3BRd;917kZw6FPSr`#%r^0056W*PmM(6K4Yg zcN=S4CoXqhqQ5w}{@nkAOix7c7mKqMFOi0<0)eodqX_{k9Sa=;5g!x*0RfMru_>35 zh}hraf1Y@W%$=R>x#;QL+}!BgnCa{s&FC39IXUSWnCO|9X#a4~I(gVS8@SWjIuZY~ zlYjLiV&Y`vXkqVcVP{M5kA4jd?OdFBiHQC&(7&&L&eO!*;y)wVI{m$@KMSP)M+-e8 z9RvNp`~D-!^A9SQf`z+@wT6g=jft((pE3B@Svh(B;{U%|{xjl#NoxK_l9iS9za{^x z=tW(GXp|vb3sFNlPM{O#~ck@@XE{WwM-XWlm~_Wr|#R?6OMo&n1OLC8TE6cnu=M z2pTFW(- zfMon3834)pK+*+b$Q3Go9s4u?x&NOAe-Zx>uNsJdGyc`MLrB;+@F}bmpAGvD;r|Hi zD5OAKTwKhSnyJG;oyWCQYZodGg0=Z{g81o-55%VPzR-C#I$!Qy#ky@}M<6w0ee2zU z-r4?MB&`gHW7o_2Vxpj+c{N0(Gt-^hbh5Ya)BnC>`n|bXXZ%W~Gcy&Wp0l3Lv+Dul z+rW?Y_F7og1aqvkQ17!+8y>k8nDq+E_3b_I-}C7M!6O4wrTWePJc&T#{VW@yZec-b z`+G7>{?pTZzKzh+Jdf3O_hL&-smJ`RgVr_BNbQ-f*(4VBY1| zb;iryxt+_ir}Buw*^mPTC1rnMiT=RCAntk38%(tpTbNi;!k&|(qflw=WwCzFdUO3r zBfZPlYw+I+{#!>pG9VQyw8sO(GTvX?OYTR*{6(_Q49@rrK)i!uQp7hvd;Y$0yY+aw zB)i_%c44G7d+W2#=QvfJ7h9wvZgg^<&nHy6_&nYyub?6G;oS%q^rm`3+x;^IR^J8? 
zr_30{`q_cQ6FmdBNn>JPuYv#f;LZnM_5+aNc?F0S%+iwGrYFk4vrG&CK3*<^c40^e z_ve5xm>d9cF4uut&6WjKRnaOA7qiXE;@R@O0O)3B&XA}1o#X>3RQv-U4PJT9C>8tz z;juz$PpYRn!A?xC(GN*9FYy1pvjC9YB_LH!N4r@~h2Zrt)Ya8bU(UZcAeM4E^ju~; zO!AFai1N#weS*0l#F1i)T1vs!L7L;QAl+=Vn&Y_uJAF6l*K+v0^tfVi-cY_i=I;|T zV~zX${%h0y*@1n;0{K$nSD?LMJ$xr~tRTD+C1hoyPADj7d(TmR1a+FqnDnQ=po!7u ze&I`t%-H6Ts^%;lPZwpW!5%X}KGD%lW3YNNtbr20T1VOjf1gB<=uEZKg&<<0#@rwV z&5hOq9!+M(YA%rP_Z7HXf10qjT>XyO+uKOw{`%XJp2Pgp15nR@YO&abnotwRu*tOX zQ|@T|HO)A*04mh05UeS;$}eCqrA9<(om!o#gcH84PVkG%%ZY?7(F)E;`|roh>$z$t z@v*7hB65;u9EZ7_;P<6--(U?H>Ph-~uacsdBqv&QVR3npq5EA7_BYIOBg8j%yYTIY zF~oExC%SohoyB%P6uGWXV1(aIgbL1>n5UQ$6J98eQy$*N5bmr3=A8m<9Vq*6?M@u& zW1R-7r44plRgioiBiqG*cnNfjvjbLn70QqfT7Ty4jsdBXVNVb8<~Nl`4EZEf`ZeW- zwx^`lGBi6jhN$m-2l)1UX)@%zk_-IueqJj@4@CG8HQZ$AP*uq9M|zxTOwM!qaA{=X z<3&nPzf__zL@gE`xY3#*b|=oyj1o}1ci-Q&a=Uks5xEfdzWSavDTDQdhIDOn1Mg=3HDl;?0OFoCQPP2-S?ac5jX9A) zxxO28*od(F3q3SO!{CY1`*m9T<*AC(-`cGgBK%3aOl&%x3vqf{PN}J+>FX4$y4~>a zcc&_yKkj^$#b!YRxk&VC=;tX~hrVK1`@Y`HJ4{&&dvVAtsY@Q>d^?<)E+6ug)G~=u z^c0EM@!YfZC|P$6hWNFX%%Vepiti*giIOeB730RI6U})|mz@1@vJPoz_YtOmr<#;9LB+{M6@58DK&`7P$pUYdkL5L5sW53g(~s$k3vTr4SK0D0 zIixdHwQjJK3W{M&v>GMS!EPR>sZTS=QEQocAWp$)TSKSO>&dy5&ZtVh8g&r`h|kzZ zwCKG0w^Lt2EMwZ;Vi=2!{RQOm-cpS)Ur>D@a^YoX9&8!QQ2X^tdTQRb5$nk3v@UYG zC3i{3xmO71f)-rU&FPf&)Q>I}eHJC!3Ev4B>y8AtE<;x9hyRH6QlPi}oS;LY%?0u> zNd2WMZZMZFce2q+f5z&A`BtO3H2ho_LbIYKkb@eexv$q>rCGaEU6K`Fa#_ULdJ%w* zZ?NlfqFq~9)Y-ClFZbh=nt0Z2h*t>0A6Cyg~aq$yc)=`6l5 zwp%p*Y3eo)K2@Dfl`*TOdg&NSQyEWp?iS=Y4mKQ)elI5u2BbD|l(F0}50}F4&k2kE z^X3~ew?c?TPp>4CZssdkgJ5Bh$E#gFX~pmKx;#UEEU{8YDs3O{9w1=Pfa6bwtK=Iu z8%|gV3ZsZ%g5}Mti&9&*{Jn4B_p{oaA@xkoi+pCAi>6 zD%OhTQa_@kO6j^nk-Z8T9*b}j{cg#<-*{v&=OMSQ5}}QAUSablKQZdpGd^xI?inlu z#9x*YRAZp*bOv^(DsO+OtCkxVOK~CpCQf_uTJic)8JU^L^(b+Frd%rSOdyPr=>5uqD$7->s#aff4)LyyYMxasfz2d&j zaD=yhu>uEmH2LdP4Uh74<4b?ntEktY9tuV(JeNY}`gPTNm&lF0(~|AHx5(}s*aP}u zKeA=!yZ{l>C10ZvLVzsM+HftUA>SO>r{A+$Ud*KoPm)g~rb{~|2uLSaz*ry 
z4uXr??VY|wD+z8dIP$%g{dU)+glNwjJ8Xzj^3vT>k08Q`agunH0o<#{EQ5=#nG%*O4M5b(vIBvHw`LEV zZ#`w~Z}tmZEO^OzU>nY2z$U2?&w0u|AjkPrt?{*vpvv18+n!= zakIe%A$!<^dl&m1eZ2wRx27jz4j(6m>E5BptMEwV(u)QGVH=F_+~LTj%@^CM6^U(p zVMQ2x$9rFMU+u@o71>d#CRpN{Z{1n6-*>tiZW#S>qduwe#a51hNbUJ+UU`0ZjRax~ zFy|&so^K!qZ~=jqbo_}w^{kB4YeTrljV@%o_$6WrhAb94=1{-7KU)0&Q~j3o_S^d* z7bRo$l*aIk2Es*#?VnM)y&Z%~xt83Y7|`8%heGCK0$ZcaJ)=om_PTW7b}jOIH*P`` zgUb{NEJS{mHXT(HDJRfO@1^lUb?um}%P?8GK%8I6%kDvXAx3O>SX#&%((R^^-ry+v z_2oGcb-r-DxAz$lOc|$k=3U`T0t56VUhm+83Ei%mpAeceS=}`ly9V{5vCc4?K6AG2KGGe_m27{786|Fx zXg)%#|7&PneYQ*z`6X5ZusmvS3)0VLpRoxNg{Xpo^Tp&f>jd*ROyyIq02HJ&oU8~D zm6?#RunQhafdpqHcIdMU-1U8g*M>v*_9yb5+n2-$=*cm8uotQ!+Bfw3r8NcrdZ=1w z1E?nC`P_B6FUI{G8A)mJj*=#?^8;3JuO+CCD%4Vdn5?=M#StNbIdVR%pAAc@6T_JPmGXs+Au6%M_ttFR$RRH#Hq_la;q# zP%Iluf9R3Kra&J6KK*ary_WCbhlw`lzE+r=hn@pwRj%cpZ#2`XsFC|;qV3Qb zaXlWrTN{y&Ulw_UeSSYULJMg-z$J8b%ADl(8VP6eU5cI^7&t*sPdUqqa)KFTE1Ina zJIWU|4=Fw{w_4GrKii(;K%?e(@*^H@`@6cb4hvDX=@8G${*EU4x``D`h@Yj9?0!#< z=w*7M@+&9FT5=slzeHBQWH1|!;M_JE4?)Zp@j)3MUqnrPXZzFtbT?cMT)8pstue=5 z#nGGZt7Tq?%LtkA(~tCIv80QZP7+-GQ(6R$sj$jEoHGamo4QHIC|t_S4w_)N$UEOX zya?BN$6;C6B>6MPKdJP*YlGPY4qQUnhqY@YD= zvis7ms@qX3^qGKf72-#5uoma=x<;x{d3mVl=QzhuM(V4b1M;Z+g%XFa_d$^9J3J~W zPu%}()%7NdGlkL?F>1}88$(J+!N#U`r!2=&_zu5S76ALy{vXQHgb{wLe;pWD{`PqCY!GVAHU}fpX52~C+e5#%VAOo17e7i(UJT+p zmekX$y4UVRdjoQmNB#!53HiK!OeI+4vgYSc+0iSePnOwL?x2by9rzIG7-pRbf9*XT zCQECtYl|-YefU4==#Bi?72UnfjW>zi2RwYvI-S;;^mRgnCWCzJ3mkHpU09>t1rx zTEGhsC-&a~nHvbzt6IAo;`Vj?#i^*y#Eyw~?|yIIZFl_x^hIpMaQoo3;mo)^<8C{m zx!@U8qZ$s$tu9+G2|seIXvaPVA zDO`DUJXdlWe@6&k9ILomKKxYT*iV!Y(nrbqkmwxfcIENe5H2Jwa_73|MS9=s<&uQ2 z(Eg0KJ3W=e1J9ez@4ijIB;&0^3Ygai6s(2_V z?0VkRE}TGz>)OJ(H|GP?MB!sDb2;3AZ|zk7ZysVd=VX<2@2Vr06$X48?N*kq)rI+M z`Z+TNk&eN&G`|r}QLsW8?hf;?2v7iScJE$JL80B9O{A%A2)630-^d;~ht!LzI^(1P zq0wGZBM4MEb9-wm-w`u>*>N*`Z_vN@XRK7i7sKCGQklcWS!T;D#4DmCyQ~g3243y{u&1wa$B9(slAQ6BY)asq?~hJ z!=`L&TjTDzgWN%r%b7++`_txZTSE)Fq_dy=@4#UO0;2pPH_Pp9{t6G}j6Cepe)ktI 
z{MJtZa%T`v)_H<7u(@eH@=ZG>ylWY56F#wZv@<4HU#`+`WI3k4lx!tfmQyv-ID`;|Be_7bsR-rXorKi$~ILQX!r8LJyvtN z*b%s)S8bQMHSL<7k`PfPALU>vp9{8JNJ2@PiV`CiR@Wyy4tZt_h=Rk4E4~x0XRK74 zCOzNNW4iuEIgH=u55rV@IBrbnfH|3?nkqTNJ;LYqhda#af>gv?x_Se-*SP{ULHHld z_kr;^v#FssxPdpjskI43HAS@8%uO&_$xU{J@jUI+ONeGLFB>bX97kAZ zU@VEMW@T5^>%M@QKbP+bVnVUSjE-Z!dma#Tc|HKw6%)I-;mBFjcSGq8oP7Az+~S&C zNsQb)aMiZ=y}4ibBWSUM5=sg|2VoCRV+WA6Zw`lPyiX6I?arKFe9h=x;pIYqI&gck znIxrns(QJGg<0yk4YSJzN0!W1qvNA}Wc%(->{s&Xlh}mOuqphjO8lJKhdUv>oOru} z!7Z8oWl{wu4Q@HRG?RH=(cZd;!EkHF9p3bD?~nV_wslb3%Q&E?uGn&~imu>j_zT-; zOF!;`r`i*Ml9)QMn~EHi+O*rBzHu|5=}$hgO+w%0QnM{Vy;_;jQeTUJ$ zH9mdF(So;3eMNG;70QF$k5{2hvc57fwRwMY7KtHo&a&y#9N3MOaeK~qzf@gJtqbi0 z)*ER<$%z7Ju>{VN6e6w)*Fu{U88^MQ|ISW68*cNnSnXitC-z%pHR_m)oD__y{F@xR zR+YTL6hC!`L6t_LtE^`HNlZLo3^fgZXCpPE*RWnhC-9~J!gGY}O{pfDivij4bWRNL z6A6X94_qbOxXz|UP6*9vWqj8uaWEYZ<>L}t_dVrab0Y~{6URoa9AIJ+vq|4ip{D*u zlk0?V10%kH2pmQD9E;?R1QpYYY~w2TOFIrpeY$EHTotLsHFCVc%$`7-v9~w!ZDnGQ z4Nna7qx^ggO(eZQLz6vWXM`(<9w!N(su`>Rx$n#J{>@Ms&=Zq6mbt0E;#(cjTyV z^j^l~ltx}TRD$6B8V6S*j=Xt!Tup{O+A`3aDQ6emdqvQ>>IY*TP<{KHnCJ8E*0 zI#G5LjaPAHP?Bq9&8t~ZfEi!%hK{x)GU|Bx$835U1>Vkhf?eIa82F3F$`aHODaE9m zuxob>#=<6gji~y~6g;H)Y-F&z1*-*Sq$894YaExmrwq6S;YkU}Iw5H(EY|z0KvlUr zMKqvO>rdTXb@g6_HW?R8OtVu!qW#SdcFWFHZF+u3b9QlJ%G6U@o zSQcx%eBDt^u%%`gor=xuw$}JI{MRpaV^%xx+V%A|*5S4U#JCopTw&<-TgJyM43bw) zBKoLctF%-I^GyWH5<2%;m#EOUX|*-l16_$w{Tt*Hx!kCl;=OlZzkEg?gY`8*I+jWo z1>@!Hx!+>DOVFb=8%XrLTY@#)Uc?S3YS@|SQomeOjaVSzf(I|Hi}N_e3112w?5#M? 
z&&GI1-70Hd?v4*n#JVSu_4%UeI7!{FO3(@&_rqS8SZqWdm5RHo;xTZ@!Mf)P5UW-5 z&92^UAj`}~S9S349XlP2#P&w=S_D;fKH`s)8%O>DtF-n0K`+|SH4Cci89T$kX6Crn zA$}B+CrI4wOgnRnjMJLv9BciF*t6cF^JcE*cz`4G@|K*8Chf5pUM(U?s=)JO zK-L6PYXWTB=x;bJAAtccQq}r;_m&HC&X0We&5zu|!HOLg3^Z|_A?7RO#gd^CJYH7$ z(2(Ri@g)Im03Xy0UL68ZT|=ybf$|px2v_D-nIkcDtXffhV_0_(W`W+VNT5Y^By(|_ zuShIvTHYce6Y;`10Avl^GR~@2nlm9*j*1RE^>mP;|9D6leXQD9)ZX;`t?gYkQJQ1SfmE0u6#tj>Kf@Y@1xOx--7SP{jg7S}akXlTgMt9| z>V0IdLur04x1u>uQ6F)oUBol)*Ww;x+*9lnXBB84!+)>$uX)PsAd)H22EU7^^PA=T zFRJ#N8E9F3cC*o(gW!M1{iCW(0O)5`+4MoP{~)dZ00N&Q{?MNxS;YT8Fzo;T{QkP$ z-d*kR9cnIJIDG#L)BTxNx_?gSBrjZ2(7(3wzrfucK!hL7+28;-L}koSuG zaRa8mVB~)x!2#d`f9U^@AL#$-=dbBWvYer)WBlHx3@Y@_>3XA-aD~7%ASr} zYjpZbvP#NI0C}*$`&KUJGMXs6JrEjZ2(Q1_LTh!UfQOt8+Hv;EN` zf7iP7ga4OtFOmSo#Ri*|tK2Ey44%mzf_Qk`aJ+iHQCPmvK1%-Lq<5T*lEYgTW&xf7imzi zvy&fuwk83Zu6ck!K@XU*7#dUfm+5MH%UC);NruG!S_)=L={ZCcA87#{MGGM0NmnU!xW7v^l*NJXYA()I(HIZ3(X6MecrwGqvxKB9s?Gh|Rn>qqFkY z2U_e$9oR^5)w1XeVD*jHZ$h0^w0f*g*P93NygG)UP3!3EA`WZ^Mz8qv3^PaJo(Jny ztWTl$f$dE-!d?_{cJCPXbqVpsfL%WSeLnac?!?wL^H3ug(t&JI$F)N zWp@K1KaKfyu0|KuC)080Hr~LnongI}CH_WCGwJ`bJ99{$!huiP;vBTVHtXNoA${_g z*6K90xK^zrLzI_)2Qt8aE8ZMNnD@ah{-`gf6_N9wyKz6)fiGx zJJe~s)oAK=c|+%IfgqK#1f)i^PFPcH7~3;BRrMLe1ua%Fc_?Asoa#g5!OwtsIO{&T z%hZG;ZwZ6i_P{!aqB)^$e1_x2(Hae{GJ@hG9h`Na(UaWW5H5aXFE-zxN_oDxo`7ap zy8@PLn8KcI?V2LP6N>LUP3zAmppF=fC_3L3YcJ(!?RB|OG3DR^romY$2g`FUoYBRZ zD~v7FyRvF-t9a9?dws&bDv2Lmor%A(pkus>C$>($Abrx1iGD6Q#=~P3q21Y*x5WL z)FoR%#U8huJa+FxwYs=MPV^4nXLe);Rj^unFSQ#PiauA^v_~!3?Lpi=9$N*D@1z2^ zd4~HwD&fcV*$URCuvTGB5|*Y#sr`w{Pqw-C@K*=;E(?{8*u)s9SVvOjRHBL4b1;x1 zExa!V4;2HpC0mZ#)X2qqTjG)XXB;5UATMwtlk#bC!C+ ziIE#X1|0>j*HJR!e!czOuq$2ezFxXv_fH@sU+z#G+Uegz)f`9+h?}2UL_=oua28SD zlVdW@9)+5mTp{Q)=iF{C8_VgUYlln&X#eq>&BQ+_HdH!?R5b&oYW5uqW&zVmtli9* ziz?l4+ljUK`7nGoSQbxb^`(CY!{kJthZWGr2pF08udSd@1+MSQOg^t>QAxj8yvOc{ zDWsE#n3bBIC>_l0Idowxi@CvWhnl0UV!^_QWiDA3;9SLAeF~GhrR~!tNX1o6BYiv& zJlru)I>9|%ErngLctD6buf&nDo3Fy)uFsCX#;qqfVWsdn_dw@bT1cLXJc-x4DtEcIkf6Ws(d~#b 
z2R73wS&^G)hI7|AqnTTGJJ3gCV^vX$YheVK+GrWftW#t!x&D&N8zl~WD89tvGwk8w>rJBd~ zny7|JXHiHk9IhuQKin;xuhuG{Kc4jBxv;Qg@fw_@chx%~JfQwm#eO#@`HJXwyIxT)pb=L^rugs)2AWbvVozQ z@IzL@_Wp->bOPK(e_~SOy!pz*3_6YU3%nhu<9gS(_*GdEr6Szp0?-8B%2#DO>-!>d zITUS6zzx}vmzI}-J zBuNTf5$L;ZD3hFS0*IKdam+wRJ+=IPwt(j)+-4Y)dIqOMczyi*>aLU7snsP&t>Ow3 zwY83#bOR7brD6j9LjvnrVG26|-=u>aG_>5uUf-FOeq< z6J!`7bxOt(I&ovE5Mky2fU7JzaCDLF<#!p_5qCeTY-4O00q?4P?%_z^#Jz3U49!z9 zTxkkkdmCvy$7^eWU&M#;AK(3Palg^N5X3&2n4k5l6b^;Jk~}j#7S?L8wH$*XoDo|b zM+<8C)LBeJ-Jg2oXlJZk-Q4u;H{n(>%gMb=wbpwdgp!PN*($4{pCCp6VYdOI4H6zr zXuaUV<$rLJ;xZ|qfF!w?b{Bjj7El_{=MDSr_D1uiD@o z*w{!oVUGNOeMG2}zzSo!n2)^Uk{;JqkSQkk*#(DWM07f`S*ZXP?y;r9!}HMnkKMv4 zU4#^CoY_udcrY;=O@^kANeVu9LX`t3`O;cm&CV|XX+A<~o2P{axu?8yGN*xhZ2#5o zYUqA6!th@8%7qUK_RuC!-(R~1v&ye5T3VVc+3f6Pjlq1CwK(vLQjB1T`}<{QaXzCe zD)u`j)a?{OhX|01NN7+*%0_?M33H|q#P3_QA~2!`RCb{N@N26oy~8DE!AGqzo*wxG zFGouELTDcsim6eWwUY!o(=$PsP_U^OgLn`c^vZXEUWg>{CVtML$yDkwH7L}}BLF#r6t-i|3t)-5hR`&>5V zT0J?jXtjQDVj}#v!^wBH8L^fMT0V~@T)FRiH$a-~-cwzjl;)Usg(IyEmb-gpv~#D! 
zp?KFDWy6IrU!(9rK=>3#(UFN|<46+H!YD2ru@k$8U6^=~b`QpwJ3{b~@*nPFGGTU- z{@A)#(Rtf+YxH)AB}#*cwLqA+1xnsp(m|n~!XC@IG^s!%z@?K##JWt!HPH9=qnRlbcAEky7)^ zi{=Z;t>E*RTCFF|$my$oS|)d`%Vap#+9AD@*I{>1u63s{artmzvp=Iduv_DPCg?L% z-zO>TClo5GExE{UPG6b9t44|TK6KaoKyZ>~h>LS_D%27S=S;r;U#nuOBv&CN`$K$f zE3g7tkeer+LM0PD7ndsd8>HW?)R}{2uvOM*TKpuA5C5d+pkf8uWKDofi5x7RBY3GfZw4UN^+xEyerrlj_H}$+Fx{xCNEhJripFDp5Jk$ojr%@1u>K>v zy^{5O`662KyiDj~dHw0-kr5mQLZH_jr^#!VAQnM-r^I@_9Matpwn%6qGULO}lu@~G zSZAsHQa!A+j(hKVPx2hB=(mRG-SPad!{KDiKMjwfWju?(S}S$G3j=S`aZdL|YwB|w%9v~)>9IZ|uuEy=NLn#dam1(9?c;zfKMsZskruT36K?U5sY*$Nn z><2tT%T0U!(uS-Jy`#ib1&$_Y`@>-}PO(wA*UaMkoF>{}DAc z8GC)ng(ld-TIaYL*3SAP+8dbn<)~^Esvfc-iN1+4y>>DYEt2(A8N2PT>l^`P;~=Db!88Pf3v4;wCvvEvb>DT9 zdPw_l8U?JoI8F3VvkeonmAQ&DK=f4kve0+FW;6gsNN%XxK6 zv_x@@{59tL2qx^Ew=>$CQwi6eK>6lMO`FFpi_|NOVA3h?R?$s&u|HMc<+M~Wn%fE2 z9y#Re{3<4O8FJ=Hy@kn5zj|Kw(?1U$xCm$0AgpK!D|2(l`Qp9+4?yL}-M56vw>`(V zywnLT)gp>j*_dzmEi9}ctg1U{=-mMhr`Wqz1<+`~!Et<12?VywAwxPeIgi-6Hl!;v zfx)~w$0oWF%RQjG_l75r<}CnIW-gdkR8b%6*M^7RnlPRaON60M$X_Sf@QOZ7xj3^S zJvE_;4ZIk%+JNbF_t>B;b#!dZZq-7Wa(S+nV~%jLGoC9(L z@66YywptZ~jvary@R@Mk&V-xlOipFC*xvb(_YX|yURT-Og+cZ&Ag+tZs?DmHaznqN zwcOlU1mn|6in#d5XVmESp<3MMAA~e?yU^$9;=?o;|Fz7M>?_bEEhy5wMJTHrADwQo zXqQ(cwh~qo|B&ZsfA3FwoV;kqigbPfME%loHr~dyRuFB@o`5vN^F&jmQ`sPm$BGH^ zJUlusO3lg|zdvgk0BIGVw#wH;rL;Ygpg9BI7#y6$%B6K#_Ngpyi^ytIY^!lLDE{(l zU2l;Wm9J$zMxt2V7T8p8@rUdf$!+U6lr}fCOYC@TloCMAY9q1jG53&bC7e(Zva>i- zjr81C-nW5Glg}zAdmy0Uw-A(a8LIX(d*-1e&8Jv*FVgml|A1rS3Jf8Q9=9~_HrU>cdyAqoz@?u4yhpRhzV_3}*YQu6x zSr!iGoQdFcbr&Y2Q#?zi;yY;2ex}oB4RqzHkQxZ#ARnPPM-<9wGIPe+}S3~XPfF*3isz5%wAGwPIe8h^; zcc;PI$dVck_9`nV{%1jdtwlCL0#jM9fpR^VWBTc@KfJaeu5v91sbG-0!Fqsn?vzAmH1)BS^?|0~_#4qTR)XVPu*S3LVa>c|#B z)ZOk7LB%D_{EPSh@z0MSs%$I&|KIXw;oGFyqfc`A@V<=wCwm7ICaJ$L*o7?A^mqeX-VAG^MA(Z z-*sON6&-w6ZK^x~?Hm4IDXp*ew>OmK&!YZ~eMJXgsx_5c;GI4CzZbawj}54@wV@<; z{$FHE*nvB1f@EAuzs=F8^x@4?um{6%;5SJ?W$ z$@-Z~f9284wfWMy{;daH$}hTB#QhilCdz}HGFS-q}`Y!(_ zo1OX}8<2_$M;iTaJuLnDI`;YhNc~qskdG&Aj(z9Rg1-_+l#N{uq%(s1n!X!KOc%vu 
zq6POwv~fa~B6I-W`ZEToG2e?I8LDjtjV+h6{Cj#Nu{h#GxauP_OZ!sBD4KtckdhMT zXnx!Ia8IW9g6 z96HUJ9dL7p(^F)TcDNAc_PKJJ*Brs&ZuO9>#Njqi-)$w(z4LCr{WF8O6S3mh`v*x4 zpRjOgDs|H08_+aKKXJjXb|}Nk)kPMSirQFoo2}1P_;NC<56;I;Ww{b%NU{9&MH~Cm zbvzsU%tg4*W{}&h@s^_>wRY`w76jt;MsB`p%?nutzD?mUdS=#v}8=WLl(P%8M~y zLJc*DgcAvN$_VkP_HVgnwEBwq6jc_ZpScP@iNkj`4FEN&S(a-BMj2c73?S*{-|`+$wZ1jC37U(N(5{;x3{k&5HIm1c{fV!nZyro4_+GN= z@bX&WLT~fH65DnWIUQ_5Fq+bqbRlKwf-;gvy;dqs$U&k*P$(WY5R=XsU>ZjYM*8$e zkW_Sg1#(*gb!Yc*b!qS38jHQvJ@)a3ZCx!s(!En3Vif-6r*DQ%l<+M|Z}ruC^z_Q| zkIu(2acZRWNs%3=cH8qkQT8j_b`$y#-%@l*j|Gta!`l{3FWV{yfq; z8bn(Wlk%QnL3H0uRmVG;z5>uuph-Hah_#3e&b;GBbX*xokeS@8;Y7#s&l4w8*6U8y zr)x3SHQ|~IVKf&MFCK3R8PSRr?T3paBJ2z-%?mQN*H}uiQ5nCNj)i;9U*`3XiV05s zqs1$zp8?|8)35gvaZ{d4Y01-(L7NR7!9}w#ncl`{@?`+yw$(Z#w1u~cm1IsCrSV&} z^-Kj7(%23zZoE$7i_AhEE(NuTy>`b(xph16=sMdhrz=vTn61}|n#XCNWul|325<(W zQ30Vbt)QcMNO&GwydN_*Keb2?jsj)(@^$Z9E6py0lUgfnD6F^p2AG#p0TCdZJ>EZA z2{d6?^-nY{#gXLqlss8oxQxpq7*nM=u%*nBYtYb*MdlbEMfH@0n&LaIiXp3=Wf%f? zD<)NP(nVrE{6Ko?U6x_Y_8RbvAP0E41IWIK@_zD4W^{tGKOa_kD^XR*qbQN5(L22X zpM|gbsja*P%Vb0^IeJytBQ)w(uw3|U*H*cA63msvptVPci0r=wic0p6tbbh=#$%Q} zvEW}Ecg+nAIJ9|(gNMJhYmvnv9_DzbRHjL$*tgJi{hnwA|12Nz({9tN6(?T82~pa%&OCYe;JhpV+I>mWc!>bNxkDYIwjeE}l(K z5w)6D9HjGudn=!$TUHg!MI6(1LIbjL@y_luVc1))omKQGoDEH@TdRyE zh{K1Kx2aI`iY8_%NL(^7ij_4;AUC4BEmhlhL@k%~Z*CtE#}-2M;mxv@7mnMz8r@M* z)}%K-#+tRGT&r6-L?S3dpm&e89>Sws++K|?-gW&5%2Sc0{Vi|9ZMH8W-o(69+Agaj zBdGlLgDN_LKRU!L83jJbu_g1pM^p^eo~YQ33XK~(2248Vz6e|>;^)FfRxna|gdv)> zvpoWg39`7d-5qd>%r=25m39_A`iIJHwc!KgQj8jEsQ*1jNHi0E`4U$z*ycKC}!z1H}g3O1LVQJmA^|D%2I-K+p@WQxBemW&T~En05!y5f2KZiL{6X0RN=-_|Bdl$lx$+U|gd| z3c$7reU5V)((-kLjNVkHEH4&>?)=^i{C2n}h?ucjkP?WfEIrgs=N*dm=jVP1KAGf7 z7(4tyb9i=)!*>fYx=ZdR)_!;j<~@rB3(-UD)Gd1PmguBYfo(U-0-li}RPCPIbMd21 zN*4-6R2c*lUEOFDUqL~~{FeZbaJnE4#p!B0vB?p9_zH*uT5Z4MoDYHpdlJ^jC+oA0*?f0uIzb;n7`q`bf5E zOmm+-k7OPb_7m=BhJwiRfU`Q)F*gaC+T67~F z`w~cs@JAt0SqQ;jwxE-~^&CXnM2RzaJM;_{+NK+#6{X(e{?oM<67gmx1+fj*eA;RB z`zNIKFx&O$xVwB&oqaF+a^?Alx4rkFOc~0s<(y1Oxnx(+LRzTjmcA_VV7xv}dnVhZ 
zM}jTV4HRCu1aUQ6vtwX^g?W1|SqDMYaij)frviOK6N68I)v>RXCNKo2XHEfBYXi;Y z;%s*9eO=N%=FQyMVAJY6WFZbs#aSRi3yaQfZ+{!AyekWA;>iq#5Wg`@{F8|R-gXs)G+)P~q|QU~V?Aj}7z3KLgtRH#{7 z%ui+G-6ADUW=08PN_SU!!D&X8rpwh(>KAonMl$KMnD7(TaC2shpL3O75*)LS$;91c z3n`}h$fY*75N{aWjhO(96jtkyQ>eceg4fYV_Nd&FU_=^IdXHjLk|8=+B^BezFLR+6 zc4K%LBpFw>wdj9n=s8lN;8sTUN6~&t*-&lWgZlW(fV!0?m)k`I7OD{XuN*%0EXcPq zF#*726ND3`P@JtDWSS_2D2(HWE#mhW6S z)}*IA$~UL@|GY6yZ3{E}ZgGhNHrs`hVBvItFEnF%S`?TA2lt}`&M*HuW+|NwBragw z>DsVW?y|D?PJ08PU{GUz0PVlZGx6gQyABy-sP{+S@Eg5qosM&=cwTDH<=Cfpv>p(_;$)uBmZqdm z^N(Q#F>tR!7-^{VpqNk95D0!6qPnvPO&WARs5nhL$B6F(>NA+CpySGs{diyDf@LaX}lH|-xrH|Efq!w>;&gpD- z2s~dkNH&-WRkNZ(MR>;NBcSu_?XP;D@Nrye%^7Dt=a9#-v8Fz%JBW%d1x2>0=ES)r z1-wBV%@?sUqg}owUgl4y%NEJtf^vwCK&S;QcF-M=MkN9sB*h@3izI znEykuBPa3?lRM5@$T%={nh5B2a*`}n^nwIGTMm>k*-%c7O(*H~+Hc#F*guO8k#s&@ z^mFD3{T{@zczD1uX;ourr;}Z)R{7w16)^dwBC64%iYn!H*O$TUmn?mXC8b^;TwsVR zp)Ky3EfzFqkR=eN?)Ov)26!8vmO$>}f$(AeT9dl4&*nV3z#ET^y|c6DRd=`SrWSBX zNJWBh+Gv;|Petc!EO?Y*B2nB&DJ{1 zq4P^%6U*Jf`2A0_FKl6OVfkfP7y`{k7YNcp zwvg7(;i?tQ6(~z=8fp><0Vz4iF^=X>FyMiQ@g`UE9dS*}iqII8LRl#i#hUNLv>Diw z20JsiP13vi)+?!IqqPA)SCQF;TNv;k6@oRqE2HXfuo8Tvi{oxmjh=Pi!ff+i4BNF3 zj_YQOk8yf_ zOjYDs7z@$ebn)=gK4#DB2IWfhQTzC<9M#~!Gp0h{ewvI(SmN~qj zc0`3sv$rp%^x6=O1myc3e^g2iaG;P#^E! zsn|@U!io1GZ}!;Q8(%^uLIDAPqUb-=>F@9#D}~@b^>8W2#cWPDbPbiE0%IeOaB&|f z4ddvt71GEG9bBU5NsGREc~yp=KZvxcgsYJY%**+>ooDEK1VIn1ex3!sJXE>Uszr&vP%hG1 zO!}TJX<}2zYsdufGu;&b(oiYB)l*d&52O|$Twj&$YJkoO;f0IrAB@8DQ!FoX7OQ0; z=+dvBIwcnh{S!4_7j_;Lh?ph3B4f2|!zrkYO;4`)5d(08^ z%j)b|hIBikCa9VwyI;2V(B;Nm$V8qcQZ>~-)!9)cB-;o zFLi@OX!XL1y1RRS9*5&EQ2%zZnQ^Z_rVhw`p%+ z=TRuW+Hf_Wxe8ie2$~>$G(FTil$9U8O8f#}A#deDA>skRA*tv5+D6B(K-EdE?sW8x zbdtr^as!o<^|$UPZELl~rnF_GI?a1fTm8@4A47x)i955ar@P3`JJ*R33mm552^Sc_Q{6*o1Cj1a@h$UQtSq1B_txlfb%>u|c4e+z!R z>^~1s1II!Ukm61u$uNruEMWDC3=A@Sg_&&;+b^F8>jk?M%2`|sL_^ww`OMZmW+i(Q zo+1hqzh4jZBZCG$*>X(^QoEIosZ)%4Q4CTN8$ePB#KBsx-EAoC?ko?+7rM5! 
zWi$*2c^-{w{I2j&mdq^)8E!8^B#}#Ojpqd5paeeK z<496jmOF$s_RZJQamI2y0y-EB#n7}bGopnh^5R!nu&^D?oXmK}^jld}F=L+_7H|fS zJ6eMSNAv_KpfZM_FfBH9T^?vC;N%NvOjbAyV!2q4jSdW%=ya1|_SYI1syCe1r846U z(@bnuJ)}p%RXm`s@|t)3WR5l(8}_B}@o}Y=F*b=$q-R!zZOS_$cV^V@E;@sZ;F(5+ z0}Q>_d!~H4kf3njf`xUo64#VZmW#8sVhCBuzOus-m-8b$q6>Q!BSD#%&#rzr1b&=LAU=o0iO{=j{~{nP^J%%D$hB`I@7%^$Y%T3Owk zq+$?i#a|Kv8ymGmYhV)2H@K`!<}pvUJwcTI2BBoY(e1tE_T$Dc90<2Hygt}E`+0@Irk0QM+>d8jjXcUg%S$XgHr zO;{Ne?mwWgk~s63+KkyVwKskRGC!D}Ua%E|{U!jHvawz$;fqntYS$-zNSYx?*m@cu zoCSS=bheQgZx8LA4~FG4#To7MQvepU=mQU<#42Ae4DnYQX%#qAtrkTVYS$JPSalK- z$VRX!N2>@(9%yQOEuPNOH#(zt?x*{y!w#=v6eX=o>r9qsERiL3!Z~nX;=*=RG}ZYl z*ru^5VH7@ZO0KvIA?tJFYV2!=kn?*{8Vah7t=1z;<5ta&ORM+qb5w6$Rp0I^;)s@_ zbJtG`Mq7T1MQ`A{HP*61_rEv^pO5HcKp~2dBU)T4L9^G~v&&~Hz>(q!jy_*J~jF zsnK6ZX^3CWFp75ymimZS)K&`~=~C|ap?{*xItOo~^JoN3E3w$@EH_dRiZNt8yU0-Y zhTultYAi``=7*4X0{!rBA8M6Y-9QrhJU%krcX=0Kh6+OtRPL$e0PCYq0W=7B-rf6WKy5~h-|z8odJRrNd;*(~ zIfwWG&#^2f)Yf{pWL_^GeV8|(NWW|gmK+jp6+u>F43|67Zqc|pEJRdK(m^TO4)XA# zT0szjk~73QoCofe1OgQDIxoGR5AIkFC}!fIZnO-O^EV(3eMDO=`6Rj)BhT$=oNeqg zQ|i(seo~;6l)Cog9#*qDt{kcafZPNla=48t3_aPcaR?j~2z2io*b}eEr9+?t3>YXEn0NT3-eo(@r2B%)dF^EF zqW8keruQrK!-bqRLmvo5Q+PPj>xab+=hhBZNrH*^gi}?esFGxTa(~LnrN(}~!63Cv z*IeC?PxHE0ywLS%na_mC*&A#R3vCLPq~Sn^MeB4qO*?ZW$Tun;WZu=?21?!Kp)l+# z%4Y6A$Z>}4OREZ^$p>=Doh}-5P6HTjn zUvUM7omSketOtf6q0YL~q5Bp9n>RT#nHlN$WeEZ?E0K*9YLL zCz!fteR+>%vE`R}fVcTgdMzTE@o&}g`>gY>!(f^4)&R{sBkQ=_iDDaR4y;vKZ_QB_ z+QH!En~X#yDep%B16wv|?{a{2rA0+${ff)tjgW9A5v{T^LL74CUPCoMU53uM?h+E> zyNtE0PbrV8*=!GXyvFVyzMG$j&#Ds8MESEv9eQxQvqAHk~n~ zcrKgV{o540QuCYHe%9D5q6HQY3=KqastNNub>gMgN;boD@i-S%_27uHE)j7i-9{Q$ zYc-E{Z)0X>Z=I-BI~Hyf=`RjXKg^6TRc-*P&)l1ol)t33iDfbjleb!D^Ofl@&YGRH zs^Rx`Tt-L?T@7I(n z*dw!QM;=E5&vPvVG8x!6XqcX~YBuaw4$O^LHJ8Cl#t)ww2kBKbxK~y?%Dit})X0hH z&v~47vb}CA`a|kEb}Fhtb%wy(-rXBU@>Oy6VK}3c3==@89ed}JbePuh9tN|ty?#!P z$BHN1W-;YI_SYd#j)+xZVVr@L#^XX$3+*gQsO-GWPKHTb#x0eJ1nI3YR_Z4k(AuYkz-KealjkfBe*6fia2=K5}>^qI#M9 z2zgA4E`IirB_$p1K~rDxwG;DM;-Ucbn|<#4KOUKu=`?{-qF@ioSbL1KOxIO%V=RiS 
z-nr`9{Rlf8M_$ZdP7HN_l=eY4uzGjR-%FwWz%NLVB*P(3bPdSv)T5TP8QtsC>##Y#TwtH+dpFY)-Ll# zo0(ol4|&RoA))QccfPBODv93__+S#Re=#aPpACYEwXzQp7NwFP>v@6e&5q3rm~3Qs z+0Qhb0p^+`1+JH#6}Z|JmkOc~o1j(M1QJZSbr8Em-4+NAD*v-0(7Nl_U9EaQjlt!! z#ar#v;jkP=sg+eNv;7dA*^`*`_0T}$HX8Snh2?TR`XvrVIQk;79$#{qW}SJ=Q{sIu zbW|qN(W~ysy77e9>)hkw-%J5A3 z&!V)8{-$ou`QbJS)>a=WO<2vk-3&q4Tzb&e%P=irF=u=Uy&H|f_lpm9cuq$a?Q)nw zDm8qQheLUvvu{u#)LkFHq){b|hUr;hrjA#IUgmgWUiAThTgBCy2{GjdV_I6}lWu&10Z_SUAvwx=c1fl}AEgH!@~nL~ zF4eglHVajs8kN2RUvgqdrZvuQtGu!EcLi2GS+f{AmsUorm#rNYibMCK9Wt8l6+iNd ziZA5?E{}J=9?UvJwz_G#g9PhzP=+UIH+h$?Xe@A0(Y&&bwU}7k;aa;Q_miJUIL`%? zJ_I7Vaj+|tH>4X{KeaMl{b((GkkWE6VY>lyF(PbwI_KvO(D>fr%~=0YF~@pJN$etJ zq~;|quI3dP7n`uZf4_fYmv{kCZI`bA0012${M`zd;}xB!73lZD$e^h|nU$pXO@%EK z-;uC2xWv{I5)ueD`3Z@nif46g|11E9nZEBN>p+IM$o$S}>!`XCeP+rR6@E`Ec9}2i zc&?{VF*pD?Xwf^#P&PU!DRc0;Xyr4PZP|B%gry(M%~ov`L|K@d?|B#>Xe#I^pS*dj zsU|L%xV-D7?OrzADWrJ%j8b4{ZLU1FmQ|~g(pOY~sVu;}{!EMAFX7e9C$IPHJZyhi z++4NkEv?~kc+fhjuj|o{q~x)GO;?xzY8Fwe5M;Jrr)F&`(wRU+eOJG{X*t-af0)zR zf8lu&5xbUjjN_r=)cnh#IGC|v;(N*BlYQ`FRM11vj7g%yVhR`Pb=bzl8I)*$`bP!J zs|V3c+O@{QoYQbjMT6Z>(tVGMCv(fR*}Bc&*5iqX**_iPJ*+G;Bd4w~j2KCZ*YfDt z2)FW}iWL=0DM5w8CiMZ!3cdV5ULmJ)5MaV{Wciwc)dRVfmhP{Jo>juy04De9Uh$O3 zz2Vgt0z&Ndyi|t~Q*ALyr}nvW7ZUXufxTIE{zakAI^}j}dl11XH6CkF^rsTK@}Gc3 z)-yLuh>GMDLyJ(Y_Ohy7s-|BSst5n<8z%+`?PpW|;3;q`q{?D@(4C&^q)y|VJYZe< zmviSl`ox+UnH-u9m#B`-#2Of9&Hc_bXSO1d{q3;O(hu8&f;pv>P6d%Eu4QtBwTunlS_OXLVk*=B6c@+Kkq za>Qm0W%~egngU`AvqmPU;x2aM>H-vI&bCeTsD!#f0*7_P$I3_3ag_D=i+tU8YJ*`H z{UsaGu`Q;tjI~Z;A^D(SxFdH9oi!8-ccx2x4ms$-?<3Mfuf)z;Jzfer15KFeo8Q=J z*6j>zTy^2KVU~UCF?qUjv3EQW7NnFZ)I%XU>BdPu6 z7jysLtJ$~0so$gG?&QQA2^F<8Yh>itq*8q9GCcUtp8}4KbuSR$;8hX|Fy<0ILia}fSwJAQ1h@{ zGTmQbbi@M2o}m^+e~yffzGQ1(gVDf1K?!0snOLen^Asnq`0T%gn{mK<`0 z2av|s_d10fPoqM>FDSWC+(d5=MH~4>^S+%}$e!X&Cd{4JSozw2x4j`2+h7^eIU?r&If(?#m3DyeFdN|u@v1}D*-jSS8VRI<{(XHh{$WAYB zl~R4j^x%2TEbXI%$CV53qXm11`6puN$0m{BwB6Z;$G5_t6B5nRO${~-*0@Vx3yb0@ zdy8{jylr4Fn^VgI(#5-_geKdY#bB{kJJje+f`4m78k~tvJbh2UF3>lt;=2u%8gPGG 
zw0KIeio6X|{=EKT$zjz&k^K@TKb!xrWz2`OQ`fUX_yVr-+G4h6*tRAjL~!x$Qws&V z{(AI|e#!!tsN_eEf$b~;pENRF;L6T-G6M74tAVzJp^7$?*{rOnOy%%;Ck$65fU@3d z+wv0Cqq$xl>hAmCYaZDvH5ZphJBZbb{x#?5luqqu%B}$@?l=!GOfC4d<~;O3%c7VuY z!E*bdos7k#f+H-WL=TpT>k5*K!JBFz>K*!`nP)CN@4lhso0N0mH#g-eV1C>n(>OHY znhpn_2wYB-UDEqt?MT+Gt7$HzgW*|V>ReEYdoFlA`c!Fppby_`HfL`eSdKD(3j*Vn;QQWuCf&Se85(bCz2 z+|j$$9xdYT$PXRW2$wh=As#qcksd^|fd*N-v^GAzYjKA;zrdpgv+2!TT~%c$mGp8bu}D|9Y3cgMDTOg<6ofi;VRLtH9lS z5p(9i$uq7QbO?5EXIa+w+S>76LY7^X*#)r`8bia(fn2bbCDyw+j5oKzNqUV0i(m2_ zssB)PD!(t`I3HO z;cI_o3}N1Wcg7TX6L4UlXiW19dz;G`!$v8x(-rS)iRmP%GsmgLO!CI~MX8^P?B5NHOXQRV#AdS#Gf8}?icNBbj zXwausPGosRAFX=BKkupH%_D*c%sPkMT!^)idbRB=I25cgdRQQD_pEgPti_t?z2-7C zv!{ltY`(ztx07t0-(MQM=Yqk>Ye(Qpxrt1oS1_Dk z={1e8H$)C+8o7h>w|Qg=|1z1z+YCl9$59@!_3wFEA#zkaN3D-$KWuu2{6Z2B@%dTo zAv@SDIezi2C_r9~oKEVi+B3vfCUt+R6N`^pX^?asbjfJ+;x6okitk zQ4Od2Y;@~DTs!A!Yj@5(J|F>_tnk95&37JrP%5ooqbIzIeTwdEe*j%8IU)Oa#`QEx z1Xv-8=q|LOUhO1nKU`;e0$PD4X)+D%d*Ov4Vf02{kdxnCF+?`FL2m> z8jRx}>hB0LR*iDFUevVZkZtaazRL{&bK!UFR9Z5aX~cxjibj>>9qF$atbvaU7pzuI z+wT!9t+ko*Y>ULFYWfFpzfcm92~Og3(;LSdx1k#2_6vuzHRHQ}$lY~TlkQk5W7H7o z)MJ|o%E5<){n~F1-JNRwWNZ5z26JWi;<&(GTQolk7w^5AUu zWO=6zB-T4Q6F1K{!lmv%i5@qJGvG#(_7MXSse2`|6KdX-QE{c!MCCjP<5U zr7Sr$p|Qf?lnqytpExcuoM`)HXX82LS~^x5uDPFM_0+GQ}(2&{X{+)k5nz1j}GzUuvq?A^ftSp^l&*ZKL-5tzbg zqCc_INw^*LO7F12Fh8Y3H_WB>!1?A&ljyx%FOkxzix{zKu;_ix<}54oiflVVkt2f@ z%pQ<%+-$VeVU#4rfAP1o;rsf9fY!+o9upy0D61`{+?KtiL-}awcLQc^^;e)0o6HE6 zK5FCgCKuC(bGf%yfD`z~TXezo`HsR+gGle$0wRNJYEx^Q|E7!&+J&^>e2U6Uj7Ch| zGGx_Oep1y|aj>mcA>Cbz5!_2(GOGGoAhr%U&y&4{oh7UD(p;qo$Fqt-80%)z*_&uX z*=6N#$fZ^lOh1_B4|i28sdVWVW{4Jb%y3Fc&<=Lx?*`M0OBNWWokWi$dfoGEjz@40 zHadaxxZVaB>#+QbVz)hc_#sDgV6e%S?+R&IeWjdHf(4RYc&7_CnVb>}Bhx+Wf^k?4 z_Dc~aIqrvSl14=TFcnf=3>B-6$_G`XaQ+%W8)2-`7qvp1_QP@rk@=*yiX^Ex+#HaH zgHZy7xV)^*BShIcF7&ssW&{+@?+~!q@dhaoCuE9PZ{IL^ntX50T#Uw%9|d$9bI{VN zATCD?7f?xg{4~IHqI+8(itmG=T9Jz%-=Pc)7Pi&}@NWA_ug}ZZ?c_-&Tc8FoW=H75 z#)79T&bY=rUB9yot3M&XDjUqKeZhzeD&?~@NY238uabT|mFE1T_h{~5 
zwNXqY-ZC^M57_Rj7_J2D5>K7nS1xn#>^OklEwHuSf;LU`Zzr@X=9Q8SZ07}*vH2hb zE=BBQh?w+OrQl?6W;Z}@gw7|h45bz#r4^}^70AHk9fmdR@Ym$)3?175AO!6Je}~0@ zNAc^Wrv1E?Jw?02;k7#w=X8jMw&T0499&6IBLhZ=MGSPm;7px}cCO>C?=_R0bm0~=hNooi7{6F_omkdgo^DHdqJe6 zGR^#WhskbSCfqGAX{v{@lXnMfSi6d5@fDRjtDBnA6pNZ{ z`9&O@LZYhZgRJHhW+FMb2?X|{wipDg`av~|N`!UAz6$_jF3>dMpoZmt@D<*-su)qz zgk;J?5&*CxE$n2%IGd$2I08T36EKme$==O9ETe2T7DB>i8!Rp1<2BjT+mwZQEvJ+iKi64IA5yZ8f&-8{4-2xBaTW*Ux$0Ay_^PSR)q46!QE2|oTCJ^uRe)f9felCJ6!`gtaY1oC;Cj88yIOG_&B+FgV1 z^`7YR>Z-L3$Le2dzIp&-ReKHp!!uYtE#TOPxf{!`$;s8#~5B|S&~!+&fBF6IjwkV~tx zx-&o==noJk4Ty4_A;Td3`8)BB7N8ltD}T+Y|6khT-bHv6m?ixQ%kY0#6#cb|5aZN`XoGzsz?9LP=-ZFCy0e0~&Qu z0M{WqN&km`45a-h(6jUSe`PWM9&?^QiIJ(PYb9z;)1ON}i2x3tihHuw-ad-p`oHu5 zc}3Iz|7R2I1j}T6aJXDXb_>0Z`}+HrS+TFz?KKxab)eqxkzTh$CCZPS_#2qrg6R`q1yR>*nm)<+y z|0yf^=CgH~*<5Ohl0TzkH?9}zRl%w$@8+M!w&N2dkTt!x`9Q5F77-H6ymMxpdc_L8ETWI5Wi|Kp$TBQX%J z+IKwbOrMUkpliKW%%zs&xlzt#-$URt(4CW&s%|%q;`)zwK;aPwhIXq9mZa&^)6)pp z*j5kZ{igvnx?b~-?e zi+)T=!E`RcZb1rXLAkFw=MJ@E1P=mT#I{fTL*hHIfLiCSPp4*5gJFMfBpJjN#v^Z^ zr9qB=uC1G#D>JOgpGALsg$DkL~-D=P7W6BoRb$5gO$HQ~h4{7p81U#x9Md)j2S^-g+aEB#S%4I`i-ce_g+l{Me z3Vh$hgtO#6S!#wJOUF+0bghrqWCuPdV*jTfYH8l5I9d-cn_J)XL1~e<=q2hn9(<6L zvAO0|s4@UFoV&9I*&tD6-6WncH7-xQUv>erI{6oW?5dc+| z$73-Hb1Q25_zUPk(Ovc(OBF=pJxC<(8``T^F=)O2W0^dI$e+5o_5%>|sr{gAi-@sw z!bg9^^6({gY9{{A{UHF#F;`EQ_#d>rM?B~KfZfz^P!kdYk(zs3g#|n)^WQuDWo*l; z!*<^P$E)xB9{50~>~-e z!^`5fximyb?Q`Xy4@+yV!xU~|3T;m~d5)xSJgv7|e%yvhOuHWtS!TMmJ;j1sB}T6TFmAF=|M%TaMumjC;a0yg>V& zrSFHmCkE6MaxAPmR%J@69Ck?4oGMid2yDqzX|=!Mhz(U(JPkR{uczR8*^Sc8XU(!O z;C3SW=p)a-ae+<^IwPrgySBS$-JqjKay)WX^z!z)rGqKAwP56xtaSxCr($`o z#@xdx7%EOz?n0L7s^W=xy{;+XdpWsmH^VyfR22*n{o2NT^j}JW;6+Qx6SKdKMzIbO z8cG0yQb9rETh33S!qVwnp9VX)$y(>xLWXZ=sA#a-iNZgIE`rYAnVs#yRs}v8Ot6SnUf`&{RHeD+0-SI#57o!}cR^WDUn+f@k7YkSXDM zAQ-z*_jTvEOfMY)UkqHjMj;32h9{M^2i<%y7FIC<3zcDv1`XJj_RFLcdD^o{XBE*p z!~A5&@N!qEuAH^g!t=2c^48i}*JoZuLou~fDPxMev9H&I+yEiTz5UTkA&Ih+jux6% z8&O%c?o#`5GUp-l_kqevN348xsh0i9&-Z9XDh4t194efF) 
zMA*_{vTMx~Nh~nkYfSy2N9s-@I;Fxg`2O7Fvn<+!HK-Drmlq%Av zJvA@o1)`Cs^RxCI@jlzF(7h1IhH3MVGG8P5o|tv8{Z+dHSzjw1rQL;VivC%{p|O)2 zwZSXSejFvIrzR#&~pgt>4jrW&J34gg)fmuS*A`cO5Ul~L<>Ztn$WuiRtsltRcb zcR}Vwd&V$zTPHmmVlfu>P0g#ekCs8Pes2bg9Dkx- z^7OBiTdmLsr{Rn5vNxY1gwAYKyLA+(o>SOQ3L4AD#s<#e<26MhXut8OG|jRYupDyc zreecjWQ5BrSt~RE@*;N)AJ*&ytCRdMw%e=3VPj0fMd9EYjc3F3ZQDo~jutqV$pOs# z!1hG2+!kfCpW6%0Ka7teg*)D1RLeb5Jm-x)N~uKjJdpx?3on3E55n7xw=NN9hN+}v zYkc7k|3YF+Pl(d31KGzoLwRS0Sj=`hH|Ei;q15&sVm!l;?Q_M>%xjBEf%SW|ryCKn z*=8>jX|b6MW|jgsVu0d^_6yBNt+Pgz0st)-^iPm%qM$|3Q+~TBc$xccUBZcL;|r-7 zoAX1%CGKVXi)nKGDEmshwU!GaV(Ju?PPD}kpfET*Bjfb$P-?wbUS-3>xg@p2n z1hcirW|UD`(}Ut#G(4pg+XSDg|8VkkbgaxGV+QW#{Ji6rX z;^7s6)tn8aDho}2Ay#9`+Jh7O3dD9VA3l}6-eS4rNOIr^+6pS)N;(zk27KSnOcKpn zQEJdnKaEF3%g&$(8PSMZFuo(|Fk)k)KB|9(`NYZLQXtzevSZ%=LI;_s9?)*r9&u5= z;`EW266Sk>_@#C+(?aAuS3;lqUl!^N7?Z6EJyqo2Bg2MBMP8!wFaRIJuvomb2qcve z)Ud}mRpzl2WYBkI7|MsKEE11;L+26WS$!TC%D+eSeB1?FlzPU_J%&hqy!!id8}h#`D+C=S6Oz0Nw;5Nf@(XGO|hkk9d0YD*a$=~!ZR8yr&-cl zJUVQ{CWn(ysp<_rbBH6~WuL6+&>!HZ9x8g)?V-!!03vrVFz)Y{rRJDZTZvLlHk-M~ z41{bDcT3d+ADDvhsSGcI`D6aM3xG2ww_i^z+hkpLXf1FAX8K|c=}h#}zvep&F-nop zwy44B>s{Q)* z&AwtnF-DAi_hj8YNB~FiG;ulYomVn*i*{r)fz_tm>_Q4%yJCZ{>zzV_GdOFu^o6Y) z2J{L%iR66|`!&SzyjUy2*Q!42OnWisVw9#UI%Zq}i7Hyh=8ASHhB;xj!&(#8GYo~> z5oYB&!tKS zW2lR^>~f3DUh4zD$dj&;%B+U0R79x3teHox2G>@;s$XA&Cvg~HDszdqy-ye{ppddN zxSHNCAMWi9havUx$vb59^pISH?aYYM?dGpp;daeNG>2U2rxhMk=V0D7i1VqIag##L zG9t_8t=1w`yjX0iYa|kVfZ`1T2Ok&C1Wz=)?~0PIkv1twsT~4*59GkAVes+fb0fSU zEWc@j4U0t45NjYQkj10is@~NbAIC1Sab96CKEXz|dcXvk5?zX`8s3@njp7w%s%Pmu zk8tp&P#{Yutx$9X+k1xWv`BrAH@&S3N}lclM)ER0%nH3>X_9r?q)k4q7^XGHXX>nz zKu;Fb?g*CL?{qAEN9i{*Hvr}>={2IQt={#LqcIX+;Uw#&KgpaA0YhN;CRoKsW3Wz>XzmyhKeCOP&4<6e~E7^Qm!-FNcJv|~c)f=5B{ z`{2x2SJtwq{^0Qey5pVoz71-YarLX~#-qIVuBDqdegmXb20g~@=c-jhpQs0k;pnz! 
z9M2kYhSR$5&6HT5dMoDznR_%r*=b_Qj15~qGLp1Z9kA&W)XUlt8GbS@;vy{BxK6S*4%+Uqi(@l-dn1?(ks zy3Vp=!KBn^27Jm@6ZfSL@V;NeF(4`1ozU0$?Q9N!Y9$fiU<|96c~~>RV&9`OwowPY zlo*GpAdwP&Qlk?5gX7 zBe>f}if6eksaro6I@ABWMv{m;v7Mydn&%*FbP)m!c`xHl5MvheKVvsXjY8j!KN_8e$4# zX7~Ed5YLCf)`eOdBv^8xw=(qNS2`gtB#ZT1V_0CwZPDJ=(CzvDQZqHOl6^F$;#Dtq ziI3OuG_Y+$CU*5$3dxMZ(k6(@IpvDg^k}Q14CXAi^vN8FR>~*!vfL$o)|}Rm`$t(1 za?HSQOs z$v3e6xi7o@wtB|SgwR2D;mNE5H+%CWfUuLRSbA!EPKv=xfzY1%k;2to7d)4+r12n` z!mPZ@XSNyBQ#G=orFn<c;aRf%DwIN+w8-k~C_92HBBgqIP*YR&6&WW{Tz)K$lAKa&GbH*qErN zXLsH%>NDW#~+u47XK6Q;bPVz}haNmKQVWMX5| za3Tp}_)Z{u!M(vZ8Wfu9<8)qHHHrD1@SO*C`$s~~l?kkB@`(O`rJq}cZTMP&f#s%n z7_)civjD}Oi1=I6PY^;^Mu#CC|A+UAsZ?E1e@S0?Qim~|fsXws@?VhD`g_o!ivlx-<6dKH z!!ZNQTigjE<=;?tdBCr9MRtGnFL-eM22_yYq6bp?XMT%VlZ6|PD(hc44MgDdYLMI| zzmX_80{H3HmV!b-p1)wh^6y{Wk`JhmyEp%Y7=fSFQh{TatbhP(PyPfDKZm?qarg{D z+*=F(J{JM(VSjt}$IzfTGr4W->|m;-TX8+S{=7jsn2!)aBsNc^5?>tagv{KH+&-OZ$5)+`rMSuZBQ?%5@}f)bNNh%#N50%j4EFa-8=GI@6~O{0SCUKtaSh^~iyR zYDAj}Oh7;Yz2*@j{2}=~@g*y|BIk#%;*J|vmD3P8@zZ^W81JA^u))v}&Rili%fPtM z9Yo{s8jtzu4kh0++I5o~{b|ct8(609x~T*YurdYfw#~yKIqdJ1aS{SKggbRqhq7l^ zUMsk|u@!YbV0S-1n{~O#fj!3iH3#;(OWaYZr8iJ$o&=#t@+|-y0>zR(%@a+3e&w46 zM)Cj-BZi}iv}i#owUP819bHK^%#J#nWcZsxiGmH5SMpO+$@I3U0WxfDK;`hvhGb|{ zZadd=g)n%q@e2s`Wb9ibtY$-7@ZG8hTq;|8u+QmWry-k|##Gb4Wo_#z@9 zyb0|0SME5SzQHogYWNyHwFwItlZ?eHXFDc#uukt-sLpVlk{0nIwIb#kYkmzYX1uLX zTxmT(VPSQi#Vz%+%DPQhFs71E(hZ_#>3tl}I<^ojjZSQxH}Ip?^rxa)sC_*>Z)e2O zN^ILfGyLAgM&12| z!Dk=m2!sh|Q8o@tMsAF3)G|psE3pK`u)!_qpw^UpF=?%ElYPz054Q~;Ss?+=;#uae zuwixTM$QorivnTae&GK-*S`EO4A#z7mvN?ODNuwJJL*<1uR@+BS++!SKeaIFYH~jw z)Ci;4`bX%p;!lU9K%QVI>&+9_2(Ts&crqM+PIc|F<|B0D>Oxk5d0x8kz=e97_fw)U zA`X}G;gYF-6iWGeJN2>o;fk`a7Sa~V%Ar;w2?vIBW!PM7G#&EOTJP{OvsoR!{#xJd>f!9_$4e0zH>^x3xBQ%5^U^Jpd zV~^Skm~S_KMa?GXsFY2;qIaUWLVj-_z40?!U}h{Ipn_nT^Z6 z7i94~qRn1^Ix}XphVc|Kupg%3L2yWJ(AREpX|*_M`WYHQj%KKahf*Bbg*7ClHxo!O zV^Wv)(|UZpIXX=Ff@#i1>@h&U@@j~7Ei7B#zvtN%QE@KE>In42{3`((lYdN=)@X_! 
z22*qP{<@3Rz)FM4IjyH@jr7|c`?n%i$vC8hVh+{Pt_9My=Z-HItqMO+y2 zZ)%QYSTf%JRXqSA{!EWM_Bx63r5J8(UPU7{H8W|nf}j^bljF%HCHN;)YBS_LZ3NDM zP<>n2$BDimovx6Fd#hPD00#@mFd1y39F(fHuAfA=yQK{Wu+Gruh>M-7?~H6*Mp)E_ za<1(v3;k+nqQ&!r^aJtB%0Y^LCgYo-RT`Hd(|tr!<9?=<{p{Jx0N3|T_R3=c>LJOl zn7V^~8cK_)=A4$n{L!^~d6wf?Qrn)>`M#3sd>(hasjf%E$!R>j-4OF#lW#0-P-U*-4K~J@;}^&wRpgkLW|!impbz;=DB+>0!v8&!e2-`#2xFe=0y6Uf{#->VC(b z@6diBsR_t`uzdL1M#043rp6A{9MR{MXugnYZ2xb@YJw3cEe+89sL`8i2VekqOTt47 zOS^1xytTdb?p|BR^S}+!=Tg%>QDL;{L|5ZNi^w{@p}GRQ4NDL zSJF|}M{39BG~iaY(^69jFfwZOuS8i3bohRoLY=LK4F-LFHjZ#L26plb3U(vRvta8U zbNLqgO_QIlVoZA9<{=B|Fzmmb2lK5z>}8(e2erlvn04`UxAKA)$(42!`I8b-84~8h zV20cvxu-HF<8;QO>9fG@6u=dib5TS^1u#O{Kyoezve8r(PGa9@kKD}SBB)Q}Q(gEJ z$zG$}C0#4*XWFEiwD>5%Do#APKOADzrG~^!x)$ANsx3IFB}klp@23fBMO89%JJi#x zv3#+1bokfMc4$Is<&!luu+9%(!ybkv;fw5XqSrOmMPO#3-{VYHHhe^2v-|LxQllEN zRB3#MQep11-OZ-V=XS*2Y;9d&znhk;8Az|?Q?vPy5m2_KlGD}(#!`J5c5{_6NVi5j zEE-^Nx*TjWR80ryiDr69CGRu(Tj%1xufYEW%{3R5kNMu{xS<9PX(oFL!Eb({*O+ZH zY}{1ml0+>sN4`dwJp7^9V}WEpiZRo9TS{l&CxGE*n1sp5w`$x(FtFBy=!H9zKc8Z( zUhm!u81F^UkZZS}*vQueFFF`r1<+{XIB_2JtMA?)2pDomN=pq@7j@>nvOWM-Shfw9 z^JNAAZc`hv2(G>Kc>m<2_=kbH{WS;b3US4YDzAI1H3H96AJ{xJx}5zH$WaopA3;4N z>YjBKg)uG)jo6lb_j)r-RK10OFaSX7c%=#wsRApn9G;2qW{*NbrK%%(^FZ~(!B#>xSfSu9_vKqfd_ubv488ltP_Zdy|xqe zmQvtD%TJ|42HWZ1qeu$qICXu9+{xHo;H!*|^td*v45H{#Xz`wc#ut+!I9wOp$B*a< zy*?#)@?q96n&>w&x~W16?Gg!cTsgN^t*5%$RgU{_R%Dhxtc|aQIx~3~xTxb9S@DHj znuFA#I1#t-nj_wpa)t^hB^quHz=RS*3Z0K-Dz8y2%KcBIF%0sRcto8=+{2@s)18*h z%HpN-d;Y*7Pkof}h}TIFbzUiA*G*-7mMFzroUyBw;Pm6Nk&EGcdyU3CK?u}VUJs1X zh~VEv2W7Hfj{vFg9$lPwEb%CXrNuFcMBl<9Y2WE@Y@D}unNqDbjJ0~~dAjNIj%Boy z^PVKyL3WD&%x23OITGZASI|)m35&0Gmyu^Sz%*e_AmV!?e9mpbC!K*Inw9r^Hn>Q< zgcD3mD(rK#%=6A`lOz!V_~xW-+h^r>7be8zsjdgT!lIZXoAa+mZxuqy3E!~~Pw_-J zu%PI-jJ*`6NdhCZ9HLajzJL0K_Sb>BHdXeW9Q~>0mX=jTpO}~b{XHN3>ir1|{0qFVH^`r{AK)I_RT*r${wWEn# zhnAGZ>vW5~9BQeF!mH@^p><-$S}OT0Zv0nVAfEL{?^6eY@5JhseWCZyT;jfen~<1e zJ5b!6*lJi!{;kjbtNO=`1z0kn2}AR-MQVK_Tje_m6sli3Z!X 
z`l67!|LR2exqfB2T~<3+C%BEbSC^rmW1eH#J-5ln60s04)?j$tZ$;C%hRxiCg5|~j z9kk+Cd5%y^dHyxDENYw(9!AuWA)OD5J)Ct$`ez;E1uR*E1AiX+BcT>jy|D}fYHW04 zyusg@&%X&a1QNWA-l#b{8&62KhfGOa$P^%)K0c0ffJU{wrlZo%MyYpvyL#N$pt7Si<22csDB!t*@cB)lPxFqw~Pg1gfK-Gk1~&V(q3w?olBH~ROld%&u)*1cO8mj7)O zHTh-KskKG`n4sK?H2ty8mJw}P(*N@Icc!rAsY2WAY!JzUN29@I^1%x9pKuc_5a<)Sx)&2Q$cC3yIcx&WOvy{mrY~WzvFN@Mwi{utu?U<_Q>GoJRNK{fAzqp8&V+@Lv>>k2#gSmXa(`0EU z6UE!On`pUy`yn$31fA$6vbKoLbrfACk)b52BPkQoM*fl_!>^-~aw+`82S9q^$= z`$aOP5Q%SiM3n)7P@*^af|Dxpw;P6%MIb<{M7E z;;e^7BbMz_OJpe|ZDW708cKK6y!^XMd^_zO&52f{2hyQlM_>yIE0IEq=4AQOVBar| z`Bm^M-NNB^pAUE9Fu(^mYX)hS+UBtQL3W-JhLIUMk_Pk^S??<7Kf#UrIV~c z{ATxqDtL#rc@PGb*b2=lVokHKWcA(pz|!!ZLGxjx~Kr9~2Z$*IrTqyjGbE&XFw=pr$!$2DMh7 zvhrB&Tsn0c@*|z>C0pbK5)08s_M}faZX0@2^wGj9&tAjV&4?`80AXQrrC%BDkZFPU zPwdb0eMR;9aZu4ZwBYK^Y2dvE=e#GIsn|&SR2{b|RF8FTyr3|s=MBLG z2{DnwVrDj8&de3U5L{fnVxR$FUb!yCsshofRKfPz6OmBZ8s{0D!qkx26Fc)&XO@}r zx0!_b)tD{5U5w}YllEeJ(q3+E)U#NW@>a532d8MZzprQ#SZ86csYI`8$(8J3w-A_l zH#m|fp33+U*eKj1y+}J6r>|R(4a&tActYn7DUc=-@HqmF>Bt z=OHeqiwBIhsznsOa*vZ{e@JAd>DF-6<~1i@bXiKV;f_E&NR6>J-TpRWu2nhn^iGno zy=vF8PiJ&&ls(bPB6Y^YWe5{pQaW9ao9Jd#cw=PLOnNe8Xg18A)fxkO%_P@shFfch zDF zx`5l>MrHf&i{E`;^*=5&?v11KO{|XV#H(nBR@`C>85CR%i~w=4)ckdGM-rE1ZfYEN z91~-TXd!yHzR^af!z^vs9eifa=0dTg$`2>ZJ4NdLpOKX7FFoWdJMAO$>*qUJ?3 zk(oaO)stBCkwi)G<52!H)DDINx%s1nwmi=Z5xS^s-$T@V&UDC^LCv7UaHYcbTCly0 z)xgibyQzp_%_ASsMP-C8Onn5danety9PE|r%yC2U7D+g|;43%P&N*HnixX@`CHi;+ zGCe*LFjSqxy}}0V1l#HF>p96H;EZG&@zKhz0IN{UJ!S(00Rtb|h2C`Y7))a-)T z$1`pt;}gpcwRD!!zERCsvj-YHOVxjzqVw9}`~p#jkxD{~s;%3C_Z_RN=7mkuqA-;O z?PCpf@Wh!LxB|%N6$T-K0_hc&^q!yhrMr{cjNCobFPp>vMATuK8hl+;abTJ+i<_&a zs=97)z~Sk!jql=>;lJtfYP1q7*3YBCc2!g|9ZX0$V+9=+jfb+-p~j26rOW3_LLvE0 znwxQ-lemDUW0iXtzL2u`X(4c6@BvwqZxMo}q{$C#IbF&p7xPwviFH%!rQnP8B4eqK zZQkcTW_k-s{faPNW~glU{w+u^B@+V&Nhn2=(%xS{oMn6{pR;m^@rN?o!p2qhqUrwd z(r0MNg0@18eInZ`fV5@XL#RGp*hHG^g!2m?!h%FmuT?mfJgX+tF-SwX$hBU>P?ZiJJ!q- zWM_diZ24Li`mGnj>x%BA^O3vLtGWl2{LPfuX$wmHu}G1{!d?8g9^2gMT3sUdMR(zL 
zCUpz;z_3pZ!}|@_8%%F`a~ez*FvTh)wO|9>m+6yJe-&>oefphsiS?f3vD-^`Eza!pw-H&xy(muo zcqnO4z85#D=#86W_o;Ye(EB8#RI{d;e+@^@wycwFdA?Zm%W04kbTcjVxKV}`bzeMI znDp4FeDE>Z)(Kx^u(3Xdnla}51UYG~E0oT1Gm2)SOy!VOTnP!0(dBVcGCP;DmUtIw zj)M>ea&Gh0^b3{>BC#B2S41Ca5LiQT$5Tw0#Zngt8i$^dDG9U&u|+yLS5} z1Hwmq^c)Zn@3Jnx1ryt_3tDF&-O}N2zjJxoPG9^EhxnrdF4PTa7 zfb@(?HXU*M=(OTK_7D?U9lt=l-O#hlx^6=RupqttLJau9@%37B zT)+0YOCh~H`@`eR!%U|8UG$>$%d2RFT(PW7^jdxTA|(Wvnf^nD6e%qL4sx(uEyXI2(RyAa$#7rjmA)rE$m~tn`qLtKFkF8_Rep}O!@RQ0Kgzgg3)#S z>84rp#8me)inE%gT$ydyGk`j|65~NUG83h^a8K zw`@RbY;mr=!NBcI?4}d%eJU1u?>ja*?z*^$CLx^G_V2Xbw?{4=wohU)GicdxO zZjvQe{8A~Y94-!!1?9E=%>9tjn?{vv+*ubAXztd!z{E9}mzWKdG*sNSO;^YUZBUBL zgO&~S!$Q3|5~FLzjOVbniA{2kdrh`y)27kKgbo5lcGs}xv^;|mO+L|?1h&GCAXDvC z**NY-DX3rqqvMF`S%UL9oobryJhr={epL;F{X~_;mgR*3MS#C#L3s?Lf$W;If3x-V zIBPq_WWiP4q0UN)=85NlC7e;$cM=JTZg?{$G>-dr(vr3-79_OJN&z?b@1gj2r;su% zL-|c3r6lR652UN5hsJLK9p<RRNKOSf@v=}>F@rEf_+QmfKZBBJDf61 zsN8A)h9fX5dlot{@ebWc&|1g0{?+-5pkPTkjCUQvU*YMlO*=+psgQgo8-vd*61syX zUC%d_H|IGl^!N-CLPa}Gx_+rvb^KzI>4hqi_^(!!%QjH1zYbDduc?}5xb-nVlVB?Sswv9jYgd<(Tf z;;{^b>Sse*N-`UPljq+1L9G%vpOunfg}B6!$BOnK1=R)xzq4XD)Vq|g7jpP^7sATl zo`x4U?IGOwRre?c#b(!7vnaP{or)3*KuGfrS=$4r&O6Ub#=1$0q%hFWlbOI3x(#GF zj@fSThN0MJFE$C0g4X-{i$q)Gy6ghRePGaxoindo!&Z1)Av~dAv!0`AEH>8BPUpi- zY6{6QS`)ujqnV_~pf^!SycBWdVJz=5SduU3uYHqB+KkoZvSbbIDj+H}r4Mg;4J{7& zw$C`~t0^ax4HG%+`0A&iWLi{phJK5`ci;=-aQ?g5ggcf0=*7?7rG-b9OZzKhQTd0x zF;A+qS!QruVKP8S+k9%GBU67vMHyLCq(`-lP3FhVv^3&Z+ykYW<1k{GzJ5)eK7R0e zuf`ZAM-FBWkKd&-f#}aR%P!kGOxReg)Ll;Bun9|ct)%6;t|kY`=cl!e=_)Vv5FxreaeSNbzU_I(=05!m`WIs|S{%Bp;HdLFRZP3L!yc zkmO`0SySCLa;CCYxZb+hN^^{D7jiuyVMGbXoh~nZV-?5v<#68akc^-Fp9h^_>j`opvKaL4U zWROap$V<-!`qHO=R~xS0AZ1}*L_HC4^yPky9ARsIRyG>Ofp4S(%=cC4Nl z_^5@5M*kL~etm#DuQw>|sN-4>w!Mee%}0*OP;YtIqBNtA3vwBWEhh7Yu(^Nn-j99c z=vy=x`qhp^YWseESimV%@=QGPpfi8C=>^AK*tc5DlOXIg7UY{1xLIwbgJKm8 z`MRVjkC%k#@kM9`7*D;<^#E~ZWVKgm%pp`1eD*yMVRrggtX)?xK=nwRF{|Y#DFwCM z*akQ$tdt{0quf#kI;59!tdAp$k!gY5R*H?kgU1ZHtc!`Ty(54P%k|ACVY9}OtP{P? 
z-v+c{H=WeIr-x*qz%4IrZ;ptzyf;9C#hv&X)d#Nv#(jSi8-_|($KNwI4QruT7-R7k zVQXzK)C5%1`3myHO2cdSt>%vQor3oK>b-4{+c|nr@XycyPz53taX*RT`J^0X85zxR z(XDn-#S=a}(Wf`%DOL;jo!vuM{}gZoTjGt!_WbyT&q`&?Y9}BTAg=~YsQy6DqfaTnJg<>ZArZoYeLuCmyXyr@sR!tBoFuh);zGd<$TYob3@B1M1m7oJ2T_1ve z!#luv!OTc)Y{{PEiWRf}gQXH5#6oFT-)FkJn3wIQ!2ZaqcH!lv<9CcW^h753YmCWIL*xvBn0@+djE{YuLk_W8VZ67-!a61 z1{baADgeirX;MIGn<*NOH8eI%V7@HX>>WbtdzM+1!s22M9WP+K+VM()XS8t1`JlA6qjz@fjbipugB54#0?r>MTqg&lJq)$?McT3jErbYHY`v*1{n57PVU*VyIm3~YqLSi7&B6+ z{NAiS*UU1g;aLF)D9QdwldQ*dV`R84L#{DN_xS*&v(~_dRd?{SpF|HoMa(^9qg~HW zvo~hA#Fc_KPcJCMB_ulUTh98}8d_jw941rkoGe*qvJDwB%oG*-woa=U7Q9o?n`E*b z_LMxIGTlo;pT`no@VvWB#$cf_#OkHYrp3X3h%t5#Apa-A(@V zB3q)uYT>pO81B~M$dD6~GX{23=?FR!?f28eb{};rJW$Qp-|*H4KcA&eJfipSVb?0V zIGKaD82_~yzRMBs90T22Jopvct6m9Tbx5$KDqtsxAWUkVlN8pbzDYn5UFhLSY(0iJ zEZH|fO*-sG1S`jX1+OMoO$peSZ?*`CRcnP)t=pJpQ_~aS$n1Wis)Lt8mAjI)WDhMU zpxb)!tXOkK|1{O5pz92c#oTJ>)TwZ9m7};U_QGJ+sz49F*IDrTX9Lt6+RfOofC?8!i zGUqI!c6oLR7YS@Z7b$JYL-?db80IMsG#2KKp)+GVNj+-6PiUR8*420mFkweCivnhn znIaPu{Zm=%;0x?#h+y4ot+hs|rhjuqQ{*e;T|?-)-cAGCMjH7-@R}pv6r#w*hy}ml zQyJbcqq-HW2!{j8aZ~+JGFvvC)+Y6Y04gTM!8An^dU6yoWK{1Nzc+i{=K4;%feWz@ ze9?J8?bWIQ)`XT9=FT#Malnp(=wMmZF{tr9chGXevXi5)Ap(J$~{&iAD4XAbU=Ud+vKC5|&HnhiWIyGlRYd+*?1GXv(D4Cnyxd-8kxXD5Ju*Vs?Bc|(= z_%X^B3U{Ut4F9F4^dJVH-kT&4#h%i8y5Rs0&W6tIaXT}%BA87SqJ?rH<0YmEOj}%l zVt=g*O3Ei*V3t3|&p23FKb8@0rNxsT5U>ETPe=&A@wneSepcb_?l(^Frszjy7^S9T zB)j5g8|vp3CET5c9?KkEF=;>|p@|Y`@01vwJZJrZ>5EmM&=r2svC^4;$~$|P6c3uE z$4LoBbNfI?datSd=8I;|verZb5~q|PvC6$8WVmrf;-JYgsKW#7>S%cBe@LEZ2&u&_^s9Plv9?`_m{fx6rh@Er;Dv7V0hzw-Uzh^N(PCkXvMwrF)Rs zz41i_RP7p5V4vjTLOmKCC`S8yh%vr!=IWL3iB5!mVkVaN_y`htwiuuR^%42m6ty0& z=r#x5#)|z3cxRoA<0J*Wr7G(xrw-8+BHZ;jCF7d@4|jm4+q}fG`2)97414?+;?q1g zxu&8$RkqALuaDTeHT5}tE$CG`YqXNMJ}~CB<_@@M!=_LWNOl)-{8%1v*q6Z0KF@o< z`4_!4J8*dxy74}>(EfmN;8oM<#YiRQ!pl-kW}ZiJUp7xjaz=Yc8^%J$xhC2u5>>&< zq3)W6&B%A*(d5#sVVn}7W#&ynn-&BA;Sb&~{&+1&S-3!~%FHm_V-6C_)Me%#KD(t= zG>0$s=`YZbZEU*;@08*sGTD~5Ne({1%baldxp2Nh*0R-Ynaf732~AvQoAb16F(7u$ 
zCbgy1;1u-$F0$ndXXU5KULuqX%)zYW)R45HRqc#+N)UuTFp711)n{0{Ot&_0BS-PZ z20K&_(oq9Ks2OiHcucux*+DaX|)a3iuGdmm>Gozh~SzwIk#ZY{r=fvVNRO7U3DS9Gx0)6k2iTqLr)TM6+?>ilF#*xzRrRoR#GyqY>Qi?9Z(fuJEw_-BH_LAUv7 zE%5qLlbt7Ir*QG~jb_H}En> zDIDfBZdC$W4Rx{8sS>j12tsG`1!WXW;4=LhdbR5`YN`>h$!0G zE%+h#z!$UsW9%Kn>+GVo-A2udjmB!+B#mvmvDwD9ZQD*`+iq;zwi;`%>UsD3ef!7$ zonz%#Yu6%~irBM@L z_lDN2nYOZd16|(;k9;yKniLmc{rRV_rMbZDqRf|dJBV4SswB+Ashn_{O4idx4Syq` zRLlB8=T4YF5-Wm!_2a9Bs?VTxhO!rpH5PgltoAon(QbF_J!(}ig>n5Vb~L#Tfy3`# zSWZYcJtRqAGa*zDD6y2^UcU3nXl2l3aQR2TQyJfuHB$M;3=hki6KrZ3c4pp7H5Dz~ zg~nTSX$=(e`!(Vdq#sEX{GgDM5N$jUrzK3}S#K6ob$ZfC;8A@qY5I7r{m{B3q#@Cb z^s^f^DIuMBI*l>~L<-lciOYadp+|*ZMsA-_67__QUFg~Dpy5Plc!`QG-IUMD1~rel z`-?i{@ETPun=X#=T}9_}mk?{adwNDMUn=7Q3PJ=5`d`7PLymNCJIxgrUsdhO=k**H z808(8OyXuf0?t>tFFNZ&Le`)4>c+LCK9FhmUBq@yLX4PRwcLjbGC$4vx}zp>W0i&F zCqboa;#a1+ODLr=xx5CUch%k)ptwmN`#2K~+-z#oI?6^;LyMd<$TanRK99IJvgE%h zN2k)3cfSs{DA_-qnSYImRTjDF=Zh^2=+W_^JOybct4WN}uWV}A zj?BW}5gAa_;{QmA(51jNkj{U>+BCIH-K{u9PsWMo5ND0zyt!Um86;`d$M>WIjeF1J zucQRuRk?*zNg}3aK|?iDW3d(H_%RzPbgMlzJKm)>h_q3rGZmOxqERaA%_QLsT(cq6v|hr#EB}O5lcj9dz{g7qCO|TyVAvp z7(BjfmHbqgT>*+!#<#OTcOf%4a(7cIW^+#jCSOj=!xFXIu)hfk99(#6>$dQW;YCvn zP()~nj?2Vqn~^rsdpx1!2*(s&+mg_Fu)-vMdfFr%U!&Oq+;wjVIjHKMX`$qk^kCn6 zPs5&RwAQ0$TW-SN;xE`@Fy3&mSulucX;ErYpsO5S!6q0zy;0t3J~;PEOzgNtuY;#G z|AZ?gYv6cT&fxpHs9i;M{@DmNoK?9V?9J@}7e}Lau@FYLd*%ZwMc2|{38F14!ME@6Ulp9x9q9B?V z5Aua0R41hwBi(q>>SS0*=PMQa9O@MnVCWMqKgM_+6CP!Xx~hb?7n`vUL8cpzVO5W1 zwW3ULboI9FitMH7h-Otn!MY)Pa0o`hLs}vd{h!LNvy7MywZoucY&KnmpO*wLi5<^y zOe3JG>is^J5Mu2YQHjhSPjvWYm48aL_w;z;Aq~!k!%pu~S)9nC<3yo+R^8{xR?pa` z@C1mM-BdtMLkue&mQCVXN~C&Iat^<9pbO~GYZ-Th{eYv@>8;nJ-qtt?A|#tux5X8; zppij$4>+W%*Ii6Qj-~{AT02-Q=qO2BD?cK~xc(3Xz|B$Cz22{kVj$RY!&eK|8Nd84 z>Vdg5LzFc91|Pb~HfUT2+CMghLKnR;8feJ{Z|>6QM6C7Ws?_uj+JNT+`+->FK0oiH zZ4mp1ko-dqUA4w9KVM~Bd~&3M+}1vt1@fk{!S_v3O&9?1?7hIjEk8iQm^Z@(Io`#n zWLsh=Vm5qH2E+&Q2s1$4y~?y{e5|DUol0~7_n}_hVqNQ!xzVq{w-$(s5`0=bg@{(p(?I&?`4ww?X z{uax^QLd4%8Eq20&9oU)o@j?FO=UYQTEz(7&XlV4--3Js1E}&aCZofx)|D;cHWoz@ 
z&mbqL6Ml)ns867ytkw1ud!?Ux6ZCJKtVtbnKw$oUj!pwm30K$S&sb8R4E`$*`ldO@ zQW=C*aA14as1rMPaTgq5YU%jAq;p}a90Nm>cW9p9+rM`KEc?8hUJ0#a7=1DS;8`jM zOussDggS*~eQ;+xIyTUq|4I#59?%|rFSh4XJ*I!V(VUkTBa`!BEzv@NK_&k8x6%1Q z1mqmTX7k~AeY<9lM22g^;{cscK%nxEP3Tl2>U6*85DpG~paZpWV4*Nvdk@PxJn%ov zp|eoPD|t6;sT`LLZo78d1}$fIB(){boHWUd68x&1*qkoe%nr+pz-mNPGV>- z=r{aZKT0GW9ya>JxroQ{OQBE*%5QhQsDYz=Wa6ZRTIcSCk&-GM-M5y}3$iea$W4noS0NL1pR19-qGohK#!PE!rYpD}akbuAe>zLP0sEQ<-xkU*uqz!V zr4I5HHT%VPKX3)T1qcsBb5Sg7LTEM|RWY*hB--Z~peKKJ6%%rZ4qCm=izYWOL0C5& z_r*#r(1qh}&%j|O{6jJVKJQS@0>PEuV3?S-MBH<8=fmvM(4g)zV)0!+;&>zM{4N08 zluM8=c+q>sV-ZJj$%~=(Vl@pbu2{}!!NjjI^q3rv4r81!9cg(J1>{%bUW6nST@mB1 zU=vP?JJ0fp+G0v(h{*2x5gN<2V9qza6(zATDgr4na;XxwcH`s z(=nmdI5&9ok;w>7JxCW?K=hFQ>NiXqAUNXLL3~o;`?0Fs&+1-)Q5ADSsaCEfNGwK; z^aYFqdaZ;vdF@Z6@;kE&uHl7*iu_TOd1~sySXSI!5)?SRZUNLWi7*oaUuk_MF><~u66^TjCO0N;M;&e9eVjtRp1Up*bNL{z z^QFmmA#VR%I8fVsT5e$vF({?+ChX{KhN`l-dRXegocD1$n==@)6sn~YdEEUCZ(r6% zGz0VSnX}zzeanwp%QIhg6E_N2c1^8+R)0sNrF7`|7tFk){omCzCF*h=U!$S|8P&3uwNgR+^67*1wU?kEPeN0yG!;M`VpGy{UD4MUoR--kWz5d5#!|TYHyWO-lGy{O}ItE zhRO@gNZ6j1$hiJyn8tVNm4Fdt_%1bG{?@NOlr|w&Wf#sQ$h2%IhMSYE$Z3rVehSLi z1E+blFW${-EH%=DLqcOvTt|JQJ&t7d$*}gi@vHx{>Aw?nGTv1m7s01J?Le~*ulm(0 z_}!5%PG2i)IYR&~+-C@mJjlL(Hb-Xr>&`f&)78h&cD{MQh_fz~XUAQoVTZse*>0

A&J%ve3-YNg_!D99AC%SVAUW&%-C=(X!#Q zw9HiV@?N#mbYtOCzQp_o93ddQN3B2sIk@-z1ltW#!#t+Lp2}{W`p1bG#YQwDP)P~{ ze6{N-cX=5iE&BG7oP6-3cB)KJP7i^6W0r!0nX%%_7|7=SCIjz8cgluj*|21h) z_)h?g2(l?Z$}(!||7h#KGI@fA3-Tgl3-~)&Vm5t;W9;exq5qoZ|9Dm1-|wLL`cE>= zKR~n4JIKf$riJ?_XwCuw$egS}DUyGP@c%a>5NLkkGlu(z2*2JzvuSPUkAHyXU+tA0lMG zL*HM9m>>UglJp*P{VSssqF-D4j8mU*4#gW9lHVEQ`6knGSg>e`8TL$u?^1pGOLQ zgya=BG(kzN0TM}z6Wr-kpHb5?JQ#G&@dZT=&t6Qncfy+6`Zfa+OEIjnu^j=?1oNXI zzI7VAjK%K;kI33kCf$1blikM3QUu41%>IOh4LDgY0Pp93(pWSlPnDoJY~LD#s(yyf zxUIt@X5win5=JE7t1;WY&lh*5IY%Q;)OnK!WW*NeKYhm`A22?D4R%u<$BPX>lE?ct2|}f>t(J5NMB!N zeKI1FGFc3WeZhd;KC324BzeNeS#Vkz0evObrQwJlCw2E;jXxs~RJL=6C)7Rmz6JRs zK9qVc4y*+$#iJN7WQIw6DOtSCMrVmwC&G7z_wd~t`xWlu7Z?4)y_7Y;) z?s??KcM~Kk&4OcY#$I4@A1rV8Dg5+_a1h%7Z(?|kODwdSMd0I#*Bh&`5#V(b(_hb| zOIX^TBb-e77ru4(z|HWlwN1;`pS=O7wnD%64W$Si{f;{5OrB7u$+GRC+WH@57sjkb z-#VtD-xq)u8n{-Rn?yCM92#~vWU9cIMhPM1e0rA$X&i{Tu?pXxg>|eR^Tin|UG75; z$lM;ko87F--=vh~62e-XTk>|jxsoxIkp1Z+e_k!x-v4H|X~CP{A@g$*aPUUFug--+ z;Tdlr!F_$UwrSm|~2B_iHu=hscdKy?V62AB8(=Q6H7}R!9nU6@!>@ zI;DuXI0h@c`JC2Km3zOU!JLJf0i4A^xSS|OVO}Y0F@H5|l;}AI7NXjVEkt_#_0TsKY5+|j6xVz96GAGq?oBodNl`s`gX6AT9I5m8_re^CDd26 zn#mC+jj|g1h*+^uPinLoOe?pug=CqeZQhl zMxS%Sc--aw>ejmxE3aTuYHPLRC?eA0IN;D#!iV>rbTU>Ndd{S@s5UqL?$?EqlIGmy z2+SRt>p+4@QsDdc#TfrVOo1sL|0SlIm_qK`MJRh#h18yQJVzi&H>Pdt7Ng4-Wcj9x zDZ#W|ZM@K{gc#-VS^UQjMWj?)8wuxWXOP=Scbx5yk)Lv{&8a`}^C%JwCx14=-`;l0 zu9-uPh?thdUnppe8E|&mf7|||{#iy`vv6%nz7RTSyXLoCI2(;yMMJ>-&OSXp&wTN+ z&iR8Py~jyX@@{FsT$-oioY1rDvD0N0dt$n+<^^dVP-X%6xO^0y@rqwND)6%eikG`3 z!uR|n;C?PoQPhiU1+dx*dyKc1gYk^Q=HR#H2MJYsuBqqN} zt30DqErJ24J`$4IuMH*ZO|V^)f>1@UbtuQm0r@9TQkkD|A_6{hE0KI}mhL8t>fe#y zD#S6nK3j>bc;r$NkdZ-W=B0&-f@)4X>DmxEAe?~0cT*%m3IEQjrlzhMQhsl${Dtcr zg`3bD_0LYza07G?DcRIB=-v-?i|@a6LR@G_P;LjzpPjtg9UOk6;N$p}b$Q{fu(B$> zRTfR=o;ncFTG+>+WYFCiu4xT%dvtK&z~TTdl5qo*#ejLWx>#3rD*6kj?#$lzT*YS8 z-GK=ox1Cr%?TA>8PLXvgAvZ%Cn4Kh0uV#MqRA4=8b%(cRzMXu@pE=i89|N*CKaj9; zBAgC}Q9R>Yy13HLuQB6tJvHam=YC>Pb=@398X;AJkhG9w+0F->S?fFzw{W4i?h{)~ 
zPYC!;W^&OUE*vGVX!XjXyAeulSvE^TZAsHEmetpZz|Xq<=FhAB4Z?YL8R2-SkV37k zi_rR2PwlL%SJ26jl)+0N@Z1HHZO}7h)^%z~IXQ?a@GQ*l*FnCnUK*JbQwN$XkSb@u zsx-B8zqaGoxomIk6ycCtU!_S~aES5GCohNToQ_VyM~J=qJq#Ln2Ia*hoiI22FUnu3 zJqq|d^e?{ZuKXT2K za(s$sRkEx@sEA|TMQ_KhL6_O?56363up5johv9aD9am9{iA$H$Cu1t)6pXs?r>9w# zbiER*i&uPUOt?1}YGl;}OO09{eWSTWG)no9@rZ9gS9A+MYgN_(D| zr2Cp7Bz`Th6Z3Y#f$8N+eO?RxGUaP-=yRA6%7p6ql^;oys^QiXpY0Vq;@l#yY~oeX zQ1Sxv;?gk=Xvv=%roikB{PgVS9qNAe06YIo0k7)7dv^xOngkTmTrT#DibAKQJ(8zI z91&fM7(xRqsyTnylBcOI9vUAnHbnvC{f3#oCEqHvv0Rbmt{m)TNl}^R$`kJb12~#g z+l;gC^0%PiBPD1w>>6SGP$2XxL%vf6YmR>A!TK6v0Tuqy{hykKbRngdkQ z@wKAE>aqSq==dqFY1im;UZe^~S7d`lXSX=c zI6e&lT*AkG^T8m^p^jJ;-f;W^m_1)*^+}TM@!*r@tkDK!&NGRC`UT%==&dF*lKIm& z^z{$~{{t~^MX~K(BWVl&)hu_KO@czF z&@sgJPeJY<#5*}cedK_ zUzX%AKpej%`_q`~!HACHA#X~<4tu&m&PUbtzDzkSK5K!u$2XOm#Y?0}swZ_RN?WL1 zIf<4YD;{h{)|gZ??=g2;Vp7btezPeC)WpmG>%=n8QG1o;IZLhiAq&M5t2fLlz>&*o zh^+)(QZ&&4lG@m~yFu;ZLZe-04d#60G&dW(#@iLvzEaiS17n5{4Kx#K&AExWG{bo#R@YPf->VeFiC6(8s&A^Tci8b|*E4&UVib15R29L*jm07@f{-+Ww zjm=M=@)H>-JU+@hrWT}p^i-?p$Wq+q zFnmoZJ3d@)RJKorx(mEIy?OG9R?TZcL8QVg+QP8colq7!*1hU^U<~}rA-!iB-j!sR zE!4$Rx!Fh0q%{;0?(;`T*IFt9Q5sa=6y0`D7)0XFrC=Mu9u#VhjRm1N;Fav2-*ZyF zujs!kQ;)oBSixiE^d^(80ZdaNz6wGQxpov@^EA+xGP_W@x0Dl z{5>v@650?0KeEf2s(k0JdT=7IXBHV1bIGN(nfBSniTF1eQC)R)3Mm4e>_ zDUhkeAsR8D1j!9;r6Aj~G&a9HG_{P6A|OjOw2*!iw41v21<{9)a6lSpazC z3(hos@_&C|CmiduuTs@7H${6Zy_c)Q02mG*Dc$EHluUMpSLN%KjxDm=uorOKT_6C~ zGx2H+wcCgGeRtCtE;ulVuOHy_lEOqBzb7AG5Uw+S_a>GDI=ouXi#|s`3!`~BipAhQ zYz$#~rSQUEd?{!1Dxxjsp_g8X{1w7Ty+B1OP>1okYb5}>E=fY$QwJE+@hR(V6jjE_ zsT4(qPyi;S?L*l9{m2as&I87pw^KZI@d(|1__Er30R1lvrMVz}%E?T`L(J}?!BpFR z)PkmNBCuGQx)c{16kQbsX|CQ+<2B*zZUF_`0c|6ffdc3SMEJtrOE?`DPINxIxk^`e zLV};w-w$5=QQf$i>xff@)Ea576RJ^}!kI^nlsl4P6(^F^bTS;s zv|C72xHca%|D8>h%%*U^X{O2#EA~oT$Wa~Esqnn#iHJ}b5TOvw$E@{h1+ENK_*i-p z@Nr`eHGfnIM{iWIYSfw5?gNu`FtBsiplr-gj>iDQ{`XMS?BU}BPEB%5j-Sn@=l#+o zVVrc9sC?qh!idtV^{LW^iePSf|M&}{)Hg)^EfNAu&GHf7{dxCCd}1neqEU?bw2?4K zS?->g0RGx`;;YswWh1x4`n0}F?{aYHiG%Xuc@miF`N;g{)T~CC%)MMDqu-IkTx#v# 
zJVy!aUU_6B2!72i!j&oW+{L>>tsV4(==LO&Ux!3gLaWGn8uv-0o|FGfRk-kOhsuu5 z>`}i(mP`?qln$<%DI8sYR%0iFwib9zMrDVm^Wp`p0hU(+zo|Z)5)$8?v+2)UY*6nB-btCwXD?28zqNm9)~qNyKUZ9%3q|u2da;N?9t;o9k0V=5Dbk* zz1QvHI-oYt~C~n%JD> zpMSt6cV)~%TN@kmlF8mVo)=TJ@{2J~50R3BRc*fiTb0xs!C{!-i5J*7>yO=S9&jeB zDe&V7uj{C&txJvZPRavWmlF}QkC{ArxCvGRF@bE<2ugJmz-udX>6UxGwM)zwl+# zX z-33Ee09-5~P*K$nzl?{zG0h~4M7JqGmOMdO>3AB%Vh*ie3l6EoDp*|2X@$0a$~iAz zZGSE#i0BcSN3o8O6JvId?H+b@kyXh!4`Z`pD~zdb(zmeWs)}UeB?{xMJeK1caZUwl zID!rxk$SGO*vX9Q)=$*m|lhnDpSw8%=KGcCmGDSGcQp2K}=sF;}!qPzvmFu)JuVm7jqbfGDxdk znqwZ_ymkRKcrl8doS4CzsAaqRwh-Q%{};wTbzB#D7j}CrI~FYG2@h)HTg})nm|g<1 zdL&;qlXR9=#mD+!0={#!27YvkAVJaNHnATs)r7oGQ63Z__ znoOswc?!#Os@|i&KJP7k$`jaGF426B(VT3td60zSL|CKfLIx2;3wTbSdHc#Q)k^$gqHKFMbmTziv=enXC{3EV~7 z0{cC_JnH2ZZmk7*alEkC;1>IX9C7tFDOiC{8fQ&1) zl4JQ(^|~Wo)s;)vbMv+wTOjMRLgAS}rXoD_0o`6EQXSU7a9!C81ANEF2purhk=BX6 zzEj&~6A;0@0G;Msxjgk0YDi;P))3K2)=62?QP1jRkVI*oSWHy3*gGbM;CQ?u+j6E1V3w8CS#mhg2WkR{sX`X zokoy|=b4Z?hAt=YL{k9Ie*X>AiOZ$TG5Rf5O|f=;-$@XRH>pIvewHK*;t)%Tk>5tQ%q;&wx_=KsEdbEXM zwOxh+w_{+wOQq3S`+JWn)3r)UFzYC~G2>#oZd- zDij?RH(u*hDtA2tq~C-o7m4lX50)Z&8Tq%|vlXx`)O}v5TxwavEWa$R5-nKf+6+o* zYIC|$ODn3_QvyzhYA@w2g$Q%4uJd6k7vfdP0*(?HdZ@t(Ra?5_zM8R2su_B_Rg@#m1#HPUx;X^-^a9P| z1^*`@7(%@(kAu0LjX7wZrps1dcGk^z=v^}8ftylGBcD-Qce!jb8~H=b`v~bSi=TY2 z4#xtEVmte!PfL@r?EzQ?@Vdk@ZQ_lXp2ipDj|r(QHCIY{r*+fxag7uomk^!~cm@5e z(=>tndM}CexHbRX4%@kGS-o&I19H2lG7a39fFP_&MAe-IMw@n_njc*8M%vHAimK z`_oeX8(FX!X);b8N~uYqQzYy|UwJv+H0B{xHXlxTzo$u^t|aD39kbyrRoKbH)EYjP z)#A+bG&?g_)-2{5x)Wa{5^dq8-5TU*?gqV>6%1{lM5Zphd^gItS2emDY%kVLe^BBS zi5(Bte|@s|pS%>7UN6$v%>(wh)WRhsG+bdtpikf1z2tte5}>mQ7#g05*)6tcib{jfhGG z+B&!t;#FVJ1E3V4bx9G$Y~Y$7e=Z{KF`HZ#dyNJB?B9&%zR`(#I{j;0E(Vb@3k7-N%Bg-vZTCr!5Cx!B#EFHaEW1nM?viQq{j9{Jtd%_M&t7hEK;DX9%Crm z{N`&HeeHd%XKuh}DU&mqno|wD7D!6||6$5ffQ=;6^8G;B)(J`1=hv=uff=O?{!tJ& zZpa$z1M4hoJmn-M*GE(XNw=NTE^prW5IrT^Ev@pf33@Um#j;Bgp0=09Yg||<5%IP$ z_d^?q(3%ExS8rq%+n;s*O=9*EDpUrMm?@nY_3w=CoHlX*TiXnE_@W~UU0J&AxRLYf 
zDjG*o?vzfu9jvrAoH7dz`+VOXAf*@$2u`~h)x-Z)umXXRVjT=wflk0HHju!MY zw2dvO+tfq8BS-d!LbDq&{hJsM+c9=6H=4ExJ!swMm#La+ zls^TZ5SA3DC>k{B-{4zGmK&`l+{jdze;MKWz_o*{{y=Fofzj%bYv8&amkgqWM;hD1 zL38y>?5vb0)AByIj+mC0w>cmWTC1NIThb|d5);T42Irc?$(V@_K64VJ}N-Wcf-Ag|OU$#a&uIvq#j`_m_hkrHp+A0s0mTWj3Aa}|ifykldDT7A;p_ung8h#ioq9$1V9UqH@PT z)ZtcPXcKN;hx%(oM~cOp2E$pR_;Yt_ZhvJa!!kSz$29J|^1XOLUS9Vl zBefp3#@v!|LPnXjiMmtH;B&hf>hE|f;a44M6ocWW5Az?OQySM|ST%FPo(eyu$2}aY za;KrK`Pt{?d}M&?UIM_cv{x!g*BuQysX;w-77NWE@bI)bsQ)Q-;mmDN#(Bkjkts}c z<}_~8(=SStq_fa;Qkj5yJnW|z@q`&Q)*kw!$DEmfkF#|6z)Utf;#;%g!H%u*{Vbh+ zEs5_$g(U{-M_s81WE$(L)7@d!l0tqy6kNSXN zghaDmf(=S`x{~#WB(yQyzxU=tWIBC*!9aTlNvt*Ow8~ zP6uK77f0rF84NNC#XzJA9{NCGo)oC}{JTuH?g3q`p)m00J2x2kZ9K0`gsI{^)!w~F z{_B8qVGkqpJ7`@XsDS5=wKU(l4rFv(KhlvEHb&%XIT7^N+)jmcl%G3%p95-Fc&1De z;HPi?QoPt+SOREbnL2G0?U+5}OKAieLAscq@L54n#vRm|;Lg?UPyt*&%`GH)+{!T8 zp7M0hQISAJk%4%>weoYe&yH<`ZL#yPTp1pDY@bGVL9^j| zM95l?0D|>@WAA2nfgar^VXyt2ISWdAvVzJDm~b?pK$3#O%K!cPr2~5O^fmnKpJFiL zfYS3x2n-OE|N80o>b?KGelvj{y-)z}{xa6T#!Y(X1Ah%n1pB8L*GZs9uV{Jh|7W28 z8S($34M}tFkSYGZS1?3(Q-CPJH?cWJ-TxHhh2jfELs#GL%zx-i@vsI%XbI>Gnd@t`61FPR@@IG!J{}K3* z{qLecUof%m%5P&naiQQb-O;4FqTe2Zih1E3tQUCoR~<94kL_sE0uKBvODlS)5I1_J zPCrStuJ3t3dv+LD3cD^9anD&t)ikX_-HoOrb^Dlaxm{gTub%M2Ch@!BrH4y5++V~& zZH69iJrQ8g;K_T~sO+U|1urZ(qjw>Naaj-M#dV6L98u1mStk^&2i>nOEoNW^!AG2e z=8$38c%C7=9}az?AkL~Cb=z=y&AOau5-6FuPQ{nUlx(8Y_u`ctW;no;FIMHZf?fi1 z)83o`VI_u4yw61uJgyNDg2nZ_lehryUFF!dkc>9RE<^f;J>uP;eA!&Aq`|Mp*V9;CML0`+Z9%8Xxl6`*s3~xRmz%O$RMufwVun2Tq69{{%n_Ki;DS z?}+Y3@)S0iceN?`R7`&hnLwc-+147`)^ntP8mbw~pazPaRfJQ0DTHQYH{of>ar(pj zA}`<8+)Z=?lk}8+={;xa?@x3bJWrf^Oq@sFxlgv3Ocaf_^#lUs2=GtH{JONQ;Y3y> zCOo0U%Ug3~x!N3Rl0`ZT1Q?hGAs)5At@mgbd4Ey2qPg~LTV+RluYT#KkoFr#x>RG4A24SgoL_!RreIoQNkF=p)j-Kwl(x&R4{;jpabe5chK*lri^PZx&&F zEu9p<2c|QzKDN8fI6;OlpGc!0f5Wz4#o!Tk)FF*3G=>12!$X6AD!vZZoFrhNf{~s; zeI(mYFk$YQK^1ed8c5yNQ!9~@wc-oD#*`4BWQIp9A?xR@m%Izj zSe3nwyx(bwgj!r?*}5(qOiD;h#N2cUkjs&J$OX}YO;9vt+O>z&^lBzJjT24A^b7FW 
zzB|5XE42-Gl$8Jl(*-{Z>6QN#<8!TRsjUQ%G}F6_>Ge4YdsUZoeJtfzKDp*o8JA({ z%kddMs8z*2*_Cf2*9p&_jqj3CfhIGTTf*bFw#$d2izU!)npYHLyas8!mj#^|$8Ytx zX0H7TUkU+16FqfPJC|{NfD={ z^XtL}1*u*qEt<@$2P6drwC#umJ2QSU&G^raSgzcAxrX?UPzczJj?aYXL3AS;jO&fB z=v7t^FhNlk0^hhi@H4%PaRXa#`wvI*sLQ5*9%o)+g91UT@-G9ejziD3UFM^X-O|a- z9B{Icx0sp?RxZRRUg`J0H|{Sq_qJU=2p0~Lu&NCklnBg;wlV2+HWAu%HsEZ8hGlZ` z2X71l^_qimIMlC8;Eu5v0oLO;E|e@#BA7Lr-+T&~igNIm1qP!4*)VsJo{1rYnC{hf z59TKfXufQw7=-ODz%tG2^u*mB?_;QZtB2;4yn~z9;N(AD*r&(K)*Ax2D8#4VdqgG~ z`dn@#-?*pIwSQ)&LLp>aljiz)h7T}}v^|u%D}y+#Dfg)0L@he<(L7l2)1%DP-1ux& z75$oK>cL_6V8fb;+o?pfa$1a8c^oxZ*hhYkrF`)RNqXv?Sfs|215>AX(HWqA+WIWa z4wM6T4^T9RpM%}4QP$P*BI5*4MIN-BxwBDmzRQa<*olbuSsvDiED}31B(Gzc@fz>U zAVpe5oAm(k;MyN!9i&2}6DovYqQXT_lMaU@zjm+ZUAoXQVz-u7$y5HYGt1-^Hkkx; zi7crlCH&~av;H|k1?}|PPa!Hv!B^s_3?cWE3CRpUN{qdC*z&VOei4(^77m_PJU-Hq;M}5_81p3iRFb9 z=6F8X9osS2T%u6>_)aw+#3n1?t}XPeG6op~r$)u-iXg^<)^`}d;URSf51QA=1DV~$ zOT6W5WGEMU@d&EoenQ*p4>iL zDt{Zf50M9$!*`putNi-nX?S9Zo}VKz7Wwd(b&ky;WzlS2WC8*ir9kXufrwusZtviFZtG^?(bZD_gq9)}T<0DEw zwb)&zYJP{){1mysC@?w_gOO%4=ELJUPutZlKC2VsCR9aG447#BIAk_K;nxgceYpnc zSjND6eCyZVJxI#azrYYZ`Wl1MfuS!1bcL|}CW0C|dX*o^cP-z{raQB7)_rTWL|O}$Me}F(hC7z5h)mHTm1S;z-(W4*BYx7G;Bv<^bw#eR zya2Jd0`NHf5vJJyBGAJir?cLSKq`$vWSO=fo?&j^gw$zd(#1-Q56WqOrWk!FZYstO zhu|4dl~5)4_|YyjY|pQ85`aqG(?OOccFQRGeEpGDWKLL}kyUe5-Z{aTd?=u6-q>a< zSOhR_l%R$&=fAKKX0xxq+=LX=DJ)+Bfh+L*X@@Lm)W9)|ghTamlprp%%LRN6EVtHN z@Jmn6`IM@tz77rz-Ndk>SZTY+xnI&5T{|`S9GCv*d8xQI;@C_C!ocq{Nn1KuDw`=~ zbKiWt$=B6zDkB4v$~UNa*I3?eymi~7p6f6?5JL%dK48_<%wldRGoA%L&d=H+z zSAHz6)JRmm@Ir}_hL3wq%za%T-Z};TzG+2@%HX_i&=)~%J+JykMFCOm@dpk;6{@F) z2(USFs8)YkwMc-2Alu8lbF#~Y08WctGneD;Km5hdyLQktoPE(%lnwT%43fQvxl7%jVW!8L_i#gQzet{v2 z@#@YUao;zrELh?868t+PS3zO!!m$Q`8H0}exShfG(o{(W1PEDJP?Iqd@30=Ummu)PTGEmG*DlEQ4!66;#_K9w0{pa&9Vi2CfS;N6+ zSgs;e1|}PK)Pv)3Qjn4}qxg#W@C+92ABIR49<3rm`5r|sNu*U941VI{(u>v*Fj1$K zRMyiq^>c=ag-LN((^^B>TLmuCP%eyDGU*x%qSHxQvZB39)7ioJU4lP7-Z@jmW-iOX1iG}&1?vrwb?rQal-6!YDB)k>FrgEPfUlY%B+t69AcA5q~xHhHV?Z{miDA`WiPyP^4)tz?fbuS0x 
z#2OIOONUW1%AQMBdZQ980aso+*yY9DQt(*eZJVQi8&PbsLfC-4|Gj% zi3|-95-zptEkSTcp3Ro8@_=60aWHUCY>E08R@~Hrz3AL%i8c6)#*GEuV8j|~CNTC1 zH!Cz&^I<||6;>H~f926o$@PRukK91|BiBT9 ze-2Z=l1Lo8kL?w6ERsijO>h@2g_TI(=}acN%E|c2J)+=Iiom8sWi1u;q1t@KsLuxV zETeGwDffce+M@nsW^%k|;UiMU*zEC;$yx}JGEqB~6qlCnXz{Ojl>8BP848YJm!127 z;pQ4$EGN%K#7h>PvKfduzpH8b$OHmP&oHp4ZVP3BQggwdouO3naf;=iaCnWR*u)$M zKYE!7H}v`PiM2YV@=VXSK0eMYXO8SlG#_;0{aT!bgbvENNRqqieA4(_T;B`dq*El( zKED@{#W8NkOv$TEV!>y6B|vJ2$Qi-VeS0Ds9hVSLpU?Mz=ihHrIUo){$jDWr_r0!3 zUbHP`Rg#%WZwh*+-ad}B(zCDFjCB>egujFfeXCG?_Ee=md{8=|jq;xNR+(mI@rN?U z*2(-dR=}|VN*ZNTG%OJ@UCZ$eSDh+DvPO{DVWSJx<{plUU61mJNXQU zxPDC{tKu{g1U`=De)F_l;IJNnM5FxI*@Le&ad!;p!ZXP@@?WT6=h;i*l9D}Fd!sex z%B<`0Q=&IZJ#5m(fb@)vsa;q8A3qG0*oaXUzOCo}@^}eMhLvu}HW9R%RR&^)4{yag zQMds&ScRsgP-t)ng7gpP7gz*YF~HVY@k#X?sJYO;8jwXND}qhNOfAN@W22JzE(3~! zPtwOQLK<)+(<|FDDN}otRD{I%y2#&nRb}{y+BKDy*)hi53k6_Z2)? zfFQx$HMqOGyE_DTCpf{~-QC?S5Zv9}xhq@#Wbb{>eYnr}ZSqaNURBjSyQ^x9s;2lp z_wpg=?#Q1!MfEOaY6kwj>2^Iw>CHY8f}$Df6`fW5XAudUdvk0lI~#gY>p_nuf0q~z zqh|7RX#QSGUez6@FN+h1ot-Zb#XDAp?uRy5U7)e+%c|zeseY8(qAPF28-(Or;d3II zx*ek0-;?uJ?-01Ia3nDz`MO-DeQwwC00^v1N$s>(yGFoI#Syq@a@d+e4p-;UD#zew z?}v8xDr4T@kkwn4jFo&gfH6A`OdlMLjkn(-w?Ol*cXK0jqrBIiguHZ(l@-;9qhqsF zo%5!?9RdJOe6eRYM&PJl!XvKF(ihpL@@%=Um)ZU0B>kfuMw3| z8*_L)1r;XB4WE<1qbWAaJKEmn=`T<(x|Vm%yrb89;fgrE%_Y)GS$Yt&aS~6Yq6hsL zKkJOpj5*8w=2_h1wy1s(RHpCY?#~`-)+b=3vg4^ZV$mHc$kw=9fjZp*I(KL5XO~zo zQk!oAiqW4?!bwez?1n3Bw?#`d&S6flw%(R!dSGzyoXlg%hAPvYe7%h!UNovKES?X( zd)0{G~s#i$J zJN=Jbp|MBiGpzMJl`2VgPZL`VZ`=`f35jl0^pD753;T)YtJMHsx`wvNVEe@b=ay&; zhm>VllM*?pQPbmMwUt~6vf_+_wttLhyJ$}7R_*zka1tw;)~`E3W66+mhsu7?rDQ6_ zMgY+{ivf&|ec5NW4#F7vY$`}4Dh3<%9yxa`#+sIPbvfggEw_jhB&lzU!aeya5QPpk-V$FY54M>YlIuyNzDdN zKrSnqoE(kHCGm2G zBCM$pq*1ls#L%^I-SmfS&jZQ6NyAA2dtH7GR#627C5IIjwO;NA@TA z5|9dMBB@nR0$*M?2y!SwECc~4jTlmQ8s79cxOTmjZz<(OTk#Sjx4C&0lO_6L?P}U= z&?~PG$kz{MOsAWY$xT)&w)hSeF<{_fdPY}E`OIUhv}5S1nNZ5xN}ee~#7Np2!cv3J zZtcFNMQ2b(?BMyFWoX>ZYcEul2ei4|Aj)dq-{aNV-nl6aH7+R;S2S%fO9^RT`Y?PP 
z8C9T!@bmkit%PAAJ2Y=9Z_$Z>4NF=mGc^{P;5hcW)7GZhBoLjIe7fSQECnhYS z2BQ)xA+h4U?ralMHy>XoxoFupcP2T`7s2s&CTP6Fo!isnWlXd2ZqiQeIe!aMO zXX6K}h_bGFjijPsgciGyMgi>H03q_p{(!g&jJhXefU7CM1<*n%h{m!x1nm z=JvX%E%ZeNzb$qbSom$y#QVim0n)E;Gj312(h1mNk3z=tB(JxSH%PhV&9vnsG;PdF z228<^!DNG3IVBZVXLQZ*gmeU%-daThX>&?xi(p}kX$T!;B6EIpL5fvBlWr*|_0<71 znM`1~s2_gqcK?tiDyUbp<^N;&HKbyFp;y<4O98zkp|HVZ^cWEip$p(pyTEfzB6np~ zyR))jgeZTa5^3C6!3?)Splyy6VKf|4AK-DHJ8N^wyHX$@TPfZquUOMcwVTA`Ze|R3 zQxewUVnU0f`uR-Ag5Ra_n@d6MPqoU*uA(+QI&) zcy?9>{QJ?VpGrP4#Y2{md#fYtgo18Z@E=}vh8whWjw7{}Dv5VB$p>^%M#hV$G!AZu zGW3jH=|c6Cx#3z9Y5+>rM`1HworXJhLRi|yq4V#7YIAeSTE41DK1WCEAai4M^;9Ka zxP~8Q2xN`IXZDE+F^|oHugrlP11=GYkkCRMIf$k6leKw6*5&akYGJ9b9QRo<`yFvDcj4saiUoqBjcIpg05 zm_{D6u>lWX?Qt-e7(PIuz6>@`=D`j|mJ+95aj2?OaP;R`h>_wzKe z8gKfaNSb;08-b$IYpCa+WET*8X^kex=5{u!ah;}(9l-5SwdHX*A~F!s{ktT19uFi$ z{_#+*4p=w(Ph`)P0^|iu;xAc#$L@GQZ-l%EW?vp+DGB~Y=KcoMaK*d`YWp2=aQ=fK zJ`(bLHT85KLi=BZ^j|XYL=y3QUC?Wei1;^j=k*NCXVtcI8HD~zG~tZ?cNxORl^R0* z|HcnHUZA9N7PQi<1pW=qP3Qra!p(eH_U6CeXnO)(oa1t-AHW7f|5RwN68Of=d~VX_ z-)}0oK~V~C=JL(|F4g{@MX!{BZ#e4?_gH>e`OlaCueJ`E!CiE)Px<#O97O`>^ZELd z8vnns!QYq4|35wdnz;XedZPY6emyJ;S~2rkW%v_bR|P^*sw-`bPN#3gBSQLWCixb} ztwC?`_ z9&|u4XY&y2+Hz8}ZEoaV(|nXxOGxq0#hZWt5=bnPAZhnQ_7J)zEGJ+X${=SDDpyk} zd>JcVPsX(^5w;_}zNCXv^1Ir}LCQmuXe?f#|09ocPJ^eWxMJ zt^Z7knv{-`HP#ER1dkDNE@y;q?pLo``Qi+{qWlOgIF@9ERLF*6zU)*v&>e2fF)hDTBX`ecE61v%Ie>{Nn41}LDYE~?jZDxPEAGKY|07kWQd)bj zoKtGofxnqF1yQSi|C$@|x|0m@x&_OneH{4wS-r&FQ^zfmzV*3%-^3zr*GQ7i*}j=| zZEF44@T|7mMe*I<%(F6$6^Hsai@hkq$5l?cH&X2=;hB=(%6I!-z6_Zn%qpR*tzy-E zs6S$tS7H|iQef={N)un~Q3Bjxau9TPUOzwRE@qO`xa+`KGN!ICJ0lf#HAB6HKQ^;u zVg7x?c7*}~Zf;XD=yRhh7RBYoJR+t0CuBK-;sUO@b>qv6IB{_X1>$NUM@ul~s_gK% zMv}Uo9<)PS)XdAuiu_a&x^9kuA%4{@BeKWk^%G6;BBE=Utm*v)VO$8t`l`N;{ zIM8fC4TIYBH0%V*Hq_R};#hsKpg#@B3LGezf@y5#gByH}BPAQ+GuTKD!d=%9z#Ug~ zM4d(zPUFH!>SGEyW;-WpC&Rh_v7eaQf~mu&;r*aDdQ4k4Jv=P2`8CO}MN9o$bLp*h z$%_9#kN}M{nFU1A7Uo*f1TixDiJYM5DH-4H;16*kj+mH<3 z=Q8pHAB!oLeNjDwkYx&UiYKLdcue|4B{EzCKbTCr4G0f+e6L9W6zG4F>RxpWsXE-& 
zCWvoA0<>eB0Gs}lwyN^aY-bzlZ9ZZS3^*fFOJd~2#&7u#^e`L^2=n#1l@rS2@Ras` z#XG3!HZ0FSOJ5E-vg=>k68{wAjl*8I)+;@#xP!2bscLqSh^fFG`{dThn*p(wJI5Rv zsr%TsNEePZZ4WesVTCc=7YCg`m$GF#N+TY+3k3Q z&-Jat0pg*CP8U1l`1k{)>b(%DSD z>kz*V>?_irhj>vlRYY|Xv`iw)y$#1p!wov1^^Hn^f+rvPD?(cY{QPs<#TPOfr%7|T z%P1MTR$TYi)4uB9^@EobCvN|-%U7(N7Z!QCrYX?H61pt-hNgeu2rU4X2ZMLRlI3} zH2lE806HlZZiyEAj;Z0Z!i5)EmV`P(IHpp2APw&zi7r?DXUuo;ALV>kN98&o)^(~` zI}T*p{^tY%AFhxG^wEf`&f#}XI~wy zm;`E24z)Bddu!`}7}+b^@_67SW0o}2mZLZP&vh}_l9)nVi>&iwWtqsE6+~zC^XHvH zcMMj{7sF&SDG9kRl!z(ePVoVq-#B*i)Fk7kDc^RDs;DoiE-bZ7H%f^mCp&#JXMq<` z??dCL+T}Z1N(z;-gOMiUK8}gYd!p<<%8`J=GHfD?$}C~r4x`VND5`F8;W`>GH8&CD z$P&;m5=mo5z-9#TU~bg8Y`Ut`txZilhxY)}lx?GM$BGCQUaqGU6K^Cu%G8NZ9?JgR z)n)?beuftFmUHaTV>&*y(oq=k<}_&rvbTCy4e>fNI=~Ai8kF+#mW5eeE7ER>UONlPdjY58^NNC%U1|l4fwf>(uR+ zL4ux~zndEZ=1U#vZRD%Y6?%w1emF_>MenV2rL=MMq_lr^kSdc)iwKCbB9O61yQI^y43JK>EK;0F9v7HGp#N%-)M56Q%O&> zfK8Cd3gP%D*&qOSrTc8+*~!%9p@!PIlx+6^oIAI58!sb6l|H`(t?ii_qmN3>Q8SEk z85)~@hTS?yCS!;&&+P>tQ~|5Vk+%8AWLiuF#&wVWbw`t5u4!|hB&J>!i;|l`!=K>Q zpOIt7cWCQ@&hKt}1P^mBAIENR-rvuh(vsSN3{@qpe{IEtY8eD4k&@3=&RZZeY2)Ay zqSrD5y~(L+vm6d-GYz=W9J7osH|!k6o6ap#xHnKnIi~^j>Dy>(yGSlzby<*VZCHiD zQzE};sC6*j@*MBZu&64sQDMvDegX*khjk2EIc8>vKLX+^&%Z8IM}6BcH{-cUq-#Cb zQIQw*h|Uvj;A~mM(>razZR&oEQp%xi-pngrsMXPEB&WF}{*uEzP4DQ# zCpoo%rzZl5j3!9!u?vPUr9AB$TS4wza4ySuVnpWpN-J*aYZ5heHVhf_=V`J9BNB1d zJ2pdzPs4kl0xmxW=%D0JJETioDOEiNdcJXtTGntV9ngXnuZr^vdv)c)G^(gTc(XwP zs7nRZE2P9S5$cxI)zI8+FH(c%(8v9J;Np4*(A>W9Tz}qsQV7CaZdCkxVIGWtxIANI7=tU~$a0065afC&rNb>(UxX69W+kWtQi4@iYG_Vg+MH>oPH zB3&5>>hmhAl4Ac|FZ6J)QutzZ2BZ=oQ91(>FoDBkF0XzmHS5Ry3I=Y9c)->4Td%Zu zV5&kjt6L8^LY+v*AndxHP$qUlx98GkB16|S({ql}?_(QD0J~9+zsH3A{gD0h*&ZFF z>|{|x-z4GR=>y@l5@6ONjgb!RUjZ`k&pj%jkFzWg@A&T=iWk_}w>JU@DujCf%!d3N z!ux~(n63H0{nQzW@!0zxxiT3U8EaFBmf!!f9FwNrF|IyXx_aK4F0_ZKc zncQ-#{f7k2Bmm4d4b#dq|s`nj9Ueu46l4h+A>h~QFnJ^+0X6m^n-g28++&9V28MGa4b1YTo zgTZSUPFCS-Y|qWhNmCi6KIf(V5OiacI%2Myr~6a-L*R-~9Y2U3YNW9Q+1S`vcy?R& z_a|jf2}joq>Rr?#|9t)=H~7GsSgrjjIy!#c_pL)J28aLAJa}Td1J6a0rIYNDIl>{r 
z2S;9tskWnUH>nb{sla<>>~L0)(JHap_gm(BEn`%k^DJnVEtlcCE1gP>wGOj(FI2R= zw+cx0W8VwdysaY^@9hekva9@F6!tyd1+%yGCjGI$ulrP|(}$JRS-{MNmGvvmEwCFFX_X``=cN0>|k2$ zvQxhqHf2(r1-|d1H`p5Q=(_=N^OUsMBPUWF86Z0a(#i5gw|=nXMb6md?MR&(GymxB z&XTJWvwK-@{`R&r4>fIB-mvto1}aSX@wdwEGD|TanfZJQwiO5Nt5?;6 z?B1hk0M26r=!xZCNcGBy0@lNX+~WLfr2(JDXQe;C3o2gViO~wizWj}ty|JlF;RXA# zsk>D~wBd&DwJl=erd~bEqw<;Y;|NT5gUu!q6FCU$b{~K=qsf|lgRn+#vrD%^6Od&w zWn-?+0$DheX|>vQ1+`fq@%F}CJvgYs24c}>U|w!A&wddHC!rYFth*w}e>D4Z!Hf8{ z)wW}{mg|vdT3{ixnoK!&M9SQ1UniSD3WN4=7sf}c!OjOisM&NI9Uut$;9z(CaPawK zzmQ3P-zX55gm`B(N{9K?Yz$^kw9@{&d{4RZZRWy$x5q*@Wj*#zC^E*FUOZlv@UoYBp`a7bV?I$xUoIh)NcBtT3M zCn_5s4zbm>79lMGXrUXN18K>-Y@|w>Y!?_)iFLtqp$6t}bc~fcy@uOu$HJP%TkNRN zh3v`4evi*O4{7 zKRlFIXLv4p#|L~dwSE%Gs#>)T_TAjB>A5r7F5jTjJ1e;a-MO^mAer&%y4B3Qme}J6 z-MPf^qRSl4b~6~@MJvuNw=*wf0(}h>2F8az_pTw0 zBq4hzAB0v&E+kNW<`Ics$TXyJDST*xawC^2a=R%>@%O7S*LG&v84m^)*?#%hE7^Gi zBe0iPw-2Q#9wDf@qT|Ou!tZ?cX3L1G`wF#r%cWaxASkA7h|6yhP)*CO%Wx1{RjKV7 zLbfJegyy~#kvAloV?{laCRak<`TfXNe#gQp&F4YEk&Vo(oX4|YkUr1Qk>bl<@m|&j zg+AJi(AH8T6rwGU<-r-y-?WdJ_w@KdA)(rr_XnfasDdVrc%P*>BDm5tJ!`A8B@1W25KaPTwv5NeOD z&MG!6z>bz=LlR{-7yrSjus{%brcT&>Uu$)ODI&+2_duQTMB@ame)aT+CW>8C z3np1v?oQw8U0uV0YtkV}-i^ftdtJ(>QN_SGfgx-B|0a^H07(sZdi9S@~=Qx`H>36?K-zPN<|TtyWMOH zA|h^e*CJ&H;jaUog&FkwNC^k?FolB%5>$|K1nP7^vBkB}r!3jF4xMG>J4=TUao7|u zc#}(gx~v>vSK#;OC{s$i+6Uh%;`e>rtvYHNxHF~ByXVoaxP#J}#LFUJ&SeczmxM<9 zv8cn9E(5sV`T57}d~hFiyBAB&dcW)lKk_?k(%BI59EXJlo2Uw@jV0<^)R|YP?zVd5?sQ7xnPWP zU#B}|XU1R&5y89z$YL$f%7gISGdYNJlHUo*>t3~$!~%zrp5&k1kkDQYJ_(X(5OK}9 z-$8N3Q<9`l2B|qS8ipr_XS@b?*XYRp=t-`f$7WUvmB7p#A&2nUDf_&{kJtOg^7I)e zulxaF=s9e~<#1LRO6m*zSHf5r;tj`gxx}_3JM7YQpB)xaGc2Jq7N6REgR?k0)A02a zS2|~mJ_)S=X0Fl>O10QeH(l$e)Qol*iDzK(+hm$GqV92*2jF(A?5yQ^W$;$4)V(RE zZ>KBf`~OEl7HLm7nmR~IeS+u;AWH>=$u;A4?yxnA5S-6_eSLlRiVk7cqUy46kd1~D zfxre!ThJYd_V}fRcs?gxOI$5{a>WpY{92`Ic|)?KMGPZ2~gtQZS+Gn3*r7T5RM_;&@c(Q6~fiH<^Yjqw^#_RKkLvBXaXL$T0y9 zRElLCzJM+A6_d9GlnMik4Y!Gq4BkaY4woHox+n1vf=qdl1QF#FBAcA%-SxaB`Avlf 
zmLXs-cG$3|NgDJzNfeAZW~?obsb4=+qFb8I>7g(kNmDTq?MIlMUbto*xH-6OMjPw1 zvt+FFg2M}ZD_C*MfUb|k1j{kf?Q0Nsh6K}Dnh!kd8YY}%)fq#W022CowQ^i(~~g7?eW$aan{^???WX=o?ZQQ{3bz7WJl0oYiAM(&1(w`j!^n!E$YCbw!*<3+!NgF~N^GfPdaiy?w8HAt`E!et#Mz zi?r%42d>p^ku?2}-tt zw`qZl-?yw;ihECbG1M##98g4+Ff5wmDBvXo`;A4x4dM+*){k$n2h&DbR3P!9eojI-#S>-8s0+O~{UKuk5XfZ!DMX z9G^%vX*bW`-s(Etfg}#iczC0Q@~|#Pd)Zv6ckb>=#`S939_E8OD4?zziew=d-pDtU zTN3ShE3=b*_pS+Hr@6Z0yN@!jKX}17P^e|w!AxGM_}4!es53%2k!9u8o-xmujV7BN3SNKD zD!9qfOihC&*DG!N_%>!Yr$8YB3PIrRX|cjVrRatulQAMFMAYcwb?^`aV1 zk83@apC%5r_Gf2I1O1tl?K~1Aqw5*JgKbB6tGP*aGBFpszm{8=m85byka)zl4!OJu z+oOR{vcGuFO64xI>?2hI_JgoDcVncgpAn=dKmHO$R?3AZT61yi5%|7MOv0>!*pV`o z1dUMO$?>WU3$T(UR}Bkr@Lht68rmHeZnMqa`O-EnvDjhp*YR5s@AV@$w$?u}608J& z4T%P~JrcpJ?SyhQEo_u=thBs(G10c^LRG;T`(<1QV@F>!?fsSoYUd`7x3_KYl}oa$ ztnXLpVTlPnumQpU26K?h8b-qH3Kft zeN9#DO^1B!fjBA&!K`wJ_UI%!zTR@B@htg3+%A>T__aUc2@2FFsIAdI`fi8 z^VP>8POqU7YKbH&{kaJhF?Na=Md zqjQs?haWs^-T4eh1+JWBU`>m71vgf=B!jZq{A+KzH3~v-Cr8$~(|1IuBxW#SYTW7X zEJyDr>niH<>x*RB*oux%M_#|@y0JDEHjAqyY?1AbzPTr_Me=neom{j@ug^Z4`36T_ zWvybX-hb}iZnEN77w25^d`4gG!E!O{!I)p)obsxehB(ShvQU`as*&1T)_bX6kwTJs zPe~8ylOGY?Ib;8%(P*)W8__(A@!hh)VWgSU>aU^+V5Tav!(dk_C6}5A)KJfN$2Y_f zLz1~sd!$C20X0|qVJe)I)fow#Ksr0#KsNy{HgOoFI%@%PoSl}j14O{2Qkitz*aMi9 z{oX(Bm9-AqEi`Pb1z8wl8xqT)$wNkHb)xrnc6j~p!ts`mR^=oaygTV< zRQOLa(DP0CNX>MLx{@Sv?xr6q1oca*fY-LrKtfMK4~#wHO1PJQ zPVc_2Ivc4Tm{$n$g%qnWswaRkh_4oV%$BPU1NJb5>E>D5AhhDDABe9rvOS}$a!4z5 z#PUd}0Qg^A(uh*@=Ea2yL;I$OaizPLZ0qgzgOj3j9ik77lLs%xxuj=(PMRv3%i^$l zWFJ^2dr ztX_Hgu4dYPve1AOS`~-k^E48di*Yn7l5R#&%LmwFSS#6V&P}>l&b#3wHXIl0H6kLK zk4p>Mi~Z8ri4v^cEkRa11{u1VNy+%lsur(#70a-g^nCKfWy3UemCH#gmg`e@-I8e7 zH(EtvLGr@O)63{<+NzL?lDcBjWcG2XztXVUjNX#hKC|(OlWou}w~SaI$J;CAzBdS7 zq5N^T1x8UU)c~8r?>dqZRTDu~)bGTMB8>Bw42IS+MQlGOQgF!COQWHQs*#Onng;q1 zpbzUZhRmDNP=sY2D+wai%&4#uB@oWQ3ai*S+D}N=CiZ76Zg)}OaQlTZx)G08sXNH` zmp@#gP43WwzB)e>wY*FB$^o~nB%?Dh-&58%GAzDXbd$j=yu9fz%KO zWJKEi?tv)&xJmYO=Q&R3u2NDXEOG+nNrl-tv_Z=jL(5zbaCVqg=U^v+7Sjb%(o4L9 
zfSg)EUJY7<`_Q|WUIAehlwzD1CI44sk7K#>GsJf?-y)tm+-Rkr6)}U{1afzFA=lG% zC=FEW;EKP#FR8!Mv2)nL@&&cIbUH-B%I%GI;~~{_XBDSP-+uQ%p=)uccS%cT#zmLV z%Zn-3n^6e`PbO%n$+kk}3U?_8_fOI8-1d zx$uXoYJJpgRx9n92;&lou$~r{Pu$E(X1=$iEl>GSjceT5?o4is!GxHDFky*~%%9gMggSaEO{4Dm<>~?mW&qS?q1Kn3{E6 zzi<4pmKHIBg88of1%V^u2`t=%HtLrH{}|Qm&RPCq1*Ylmz7T>ADD=6s7Gj13|`iquj8y4 zapQ(cSn=2%5iGVDD0)xwvifamWjm%^bp2O1Sh@rohwaAR(s;-ZhnH4Aa#eQ&O@}txbY80+_kB z;ywtrKAn{73Pm=hJ6Jb$jUF(WJ`)fQlp~mFw6tNq}SQp2E_H1RrzYhytrR6plPD98Q!-1xEM)9!Jqkowv zusGVtHXqe=n1lCWI(|82!KTGmcei=*+x+nn2dh#0c+Bm6UF!Cqi7qM}VD3IaQmZ<5 znV(0i5eHF-LQaUl=#>kstpBotLLuPC7s3jYV}|Zn)|jE~e4f0a@zJGZ(s9NjZaH1s zu;kytnUB`N$PL!@p42uI=55dKtgmn*B?ep1Bj=_nb@mBd=%#VJGwo=t`g-a>6*?z| zF$wiuk8tMFpP`bUW%Y-D2SS8-2s^&Y3xfUzMg7Uu^%_N5J7{B?Mz#Mx+{#K2NBd72 z-B01P>4EH3i#+l@sQ(Q1Mu1H3pLE}!GISXJB+rT~O#uG#%YFlmLgf4Y<_!PBVSq9L z8M;Yj8HE2Z#vh`f6o&m5J_1R`2hxD)HF$;oq4OW2kji4d{qHbLd_eTau*oOl*RTF9 zhjb1d#D9k|4*)_xqxRr9|Au}*fSh52|HH+y^Kd_LpM4m%KN#5ml;GQ$@K;rh(m_VoDi5nI(k}cbcr}lgfq>7 z^~H@kK;!(z6i)^sh^BJOI%;EQKX?}p5Z%rLYz(M52OWRSFwZS;T^-|=IqJ-MPrDyy z;aQXd!pPMQ0S~`nb9Fy)!Mca;ycX8!9wJNgBA{}Z|1Zi7Q*F{0-b_T+eTV3a`yWOA z&pBHBDU;f>j@-(VYe4bif_&h7Fnt&~`@S%f?=MWXDHzDkXZEgztX5y^!*!j!S?Fk} zYURol`n71Z#eRNsh0Nxo=wmmvwLmj@{?|;%Kr>l_njsoCnn!b9WgXXg+ZedHe~$dM zm^*%A!wa%j^NG~ogM;Z=6lKHo^1W|-M9Lw{a5o~0sZR~`O0(I~L%keqh*nbX!HFK* zyG4Fr(`+finMdIBjSPB&FfaLeKR;-eSmpmKF`^V>x_EdJEV9EQPF~a?}__hLec+?n_8&$bH5#3v=Udyu!1Z}vR*`GF6jE7 z9bNwT6z5TaA5inbSeZrGTkH~=d8|1&ypYUU_sM!I!l6*n%mW1_Jg__0jLJ%gv^lm= zA~SOp8Jy}XXHdod&*du(vZ}=)GY6x}x0B0v-Oq0gBHu2>zI|t`bR$zjTj%;kx&q`k z^L_@-IT!@PPh68iJI6S+{Pjb&i@qddr6SaPrt37gJyarydM;QqXe9$X)s ze4asCM>F}054D+;?wWTk~D(Mt5AX(qA zB|33^G7)c70(3?9>@>gLp*x;X2kKU>X1JZtgcUXzyvZ*s{&M%**0lWB*XpkVNuF=O z#H@%b&X_ly|AqwfgiSR>7W14f=@zF?{Jc9!?|#0fT;8@(`--2_mP}vm-c0g(9@sc# zSBhPy*K;`{V2aY&buw=!d+035_KVi+r<}epkaR%?-f20e((q!Yd$P0s*i_+Atl*Wt zIx-jRqVt{0^8wjFbqyN(0(w!gVwtP+_A{aS!-@@nc72aJ_(!zRFmR%y5GK7zJ0Q`F zfnkP_+<>;M(T1__ialgYWn9ncQf9J5fc>nWJ9e|Nmbz=)8M1eah52^|LKATRHl4Gs 
z5hF*CNJuqkrZP)%{se3v&jEN+e&hI54TZ|?w3$!xe156fZO}f>59frAZzjC?aw~OL z-dxtz#;nzsUM(uqsz=@id&@V-CXw+F_V`va$r18Oh^r@M_r?3cCw$)SifhS}QK&Wy z&TXi9)@Byl6D0A{vtD-@@74by%i->Jj&E%pzcdcuMrxzzi5-ZgzP`U7nvd4AUgpu! zc71uai!)oW;`xSzFL3CtIi91RUsq&HW4@UHqVO>`ct0&jy$bABySzuCXbIG$qjHl( z=6pLD$gXL@6GJAXl@`={#YFbSnO)VH779F@>TZJw{X+QLak*y-JSj9JW+ILl*Ug1w zJsFcS3(a3)(wqA_<@ik2M|P)IX)qeC$xa?Ng9v03>{`3s4{4binPDaOuIC7SI68ehrsRb+uWx; z-HgP04H_j+=#)$HEG7=7N9X2fHU-=qf9j~m^z3!(^(QT5(w|@~vN0avG!@V2Nkz8A zv@0k5fkU^;4CRDi{}~TVH${q!Nv!45%d_=WqGHZEd5I>A(sG%!kg50SaC;!`oNv8Q znEd^p#l?R(3K~CahRj?R;%bQ%n9?L-M(_yahqX=uSK+`{q5|L0&$Z`;d+0!&;H?Me zbweylwr=~ZN~=+md_@v{0K{?EhSiX{rKF^0*tJ18sXMX0H^Z{2RkQoFO(TbhZ_Q+5 z5LPf9E&&x3)E5tv)*?9U1fnX=aFqc%hLQK9Rrz5tbFC$bWgkx zS~`bY{z+Wl`LoU_@3-f^q`(V!QLsLZLkh04^UyJ`O@}#2%dSGsY3&m`6rkNr#Xu=z zDYbtqStyRRX#!LmE&I+h5=(`M!ZFH!F$qe_3{px%KZgAhhZf20UH}(LW@D@?l=Qh| zo~|#=RXx~ldpzpnIHPY_+*d`+>)Tgqj#p2_qU^l>_6MZXQ_hfLU%`&v1ttuOi_~A| zpK!;|WvQ6mbVbLe?pOyi@v)r`Ic)n8aw#zLPC34Ga_Sio-Zy)mi^!#B2Do8P-hIqS zr!Xh%`YgglXydEq*}#1g8TqOb#%cEA71F}KCew&0a8NVMPUCSQwIBA{4siSZj)+v0z@M5kp=?h67cY357hew|!pSfh)YyD_tsY2IplLe%9eFXBE z;uwxczL)0_N-Nfm@)GmDkKPN|xo8d4?Q(yvyokZuUK3t&nntx1k6<=BL43t0ky)aU z?$_?TZ1<1ZYGiW8-I>kN-e#wBuO6WBuWsiy?B!oqh5U*}+%&JuxN4EiW2bJvlXq2$ zMj&Y%tvvJa0P}QnOMlM0#CC0@6Kmj+3c($wa*L`xN`gwdaE=h7PjC{2&vkdg4k)5? 
zdXlfkSqtH6ooz6W;6zkX&zna}GKK43xp*vTzd`IOJ|{Upn7S?~AnmhMxEva%ln52r z)28%bw@d#=aokwA7hg<{9r=*#jX02=^+w6fE!_zjE5hA>**}-mc~=8vxMukUv2SBs z&PwK(=}Ut559)Su(JR^#cLRd4r;8Yl(>Zh{&6Tlf52N?z!_>MNN?PhGE9aLtu@F>X z-gqcYpJV_jG?!B6Txv z^vCYzSMF=}r5$0udm1a7pgx~(^{A=hLUP!t(m%^_+S8R^UXYi`dy?fWHxoy=udhhq zGR4lE*o?l@a(m-l7F2xm%_XTAb_pJ`iAvD5^FCxa*|RI}@ThJM^yK$lRT}72(IHSE z(QpBb@x@32TLcC0bvvLteqj0rMs~m})y*FrI$#mx4IpZ2diaJ(*B+hrd_=r;20c2& zUG+ErJMIAbsrG~*lDEf#4V*vhl_YMD2jTYI=8*Ts_S-a0DJlOfb^p_wRfqe@;=!14 z6HaYsvQfywol@W&lIT;2JfLC|`^An!PXV&hz=c-q$m|=!+E1tKT#I*|hZ+u8-36q6 z9gb_dK)3j>!G=Qe#6M2V0$p_tiP)RpJjb@5o}-edqlFnZ%W}P$_tZC0FPmPT-@}*+ z9-tQmnj-cxQLgTP9UbX?@}{HV0HLVnH@=?Z&$!F7sp=4GqXST07AP93txgN|>vz1s zD1KIF^6$Rm{@&v~BgO&Rlz$&qe6lWD{F}Q*{j;(%m!vrpN21-0u z=gn{b^%WSg32-Fb@V=yN1F3n-v#xy#PG561er>81h`@~p7;P+1!Emw9Qz}!tWQP@t zae+bo7Q|8jh_?19;y<(G`+THDv{Pkzg*GdfspCq>E>!zvCzx9=`p85tx!$^L z8U@sVI|{!1g$s(3P`IeYvEG0?Xa3RD&^z^Sd7p9))Xnc%ukn^Yo!f(f?8( z&Shd1yD>f~Qt_b8-5Oo7v*tpfoDz0?z*hME7^Xza4h&cK9$!3SjDH7S1X%mKF6wZy z5gLXih-PN}p%P|q0$lSL-jhsYah`Xw3nJpmbUG7fM|_W#_y{L+k#!V!MFRUQnQcB&Xp_$9sl2G11foBZ1HNW<-Q9NUozt3+$3mf|40#Fl z*yz7+3n-A?m0tdM^reR0C(#M{0MYCaRAL~z=}>g zS8(EU2YSILnh=qrckzv$#hHeWizF~Z^%Xg!M{H?69*untw==z6N$**euiaCUforao z1>;uge(9Jbovu<_1r!aN!5!&?)2P+oYa#LfY3{n;nrgPS2Bb)@h9AjZ_iXb3J?*gGWL23|@79d1v(iG`LN(dmAbH4NGJ@@+u?*46_nf=VXYwi8c zTJQ7Bn(!Pdp@o2)vj?cl3e^Yg`yroAZ|UY9b!EE0@U4>GCQo

>G3)#xB)5=vRr zSHRk`KnDYQ4;T2%Sxh!815(cmJT1tT?07SBH203m6Vb z_%4hRB=3s|b+XQbWFNd&ytjaP=6zT}w}Q&FO7ZlL9C=|rI5fy2EJ#M#vT;7UU%Zx5)ZNA$8D;$7ql&9q>FZ#bsTP$hCw{b^ zR?o1j_MnY13&2=@)vVv~0(_zh+1Mwz%pW2eRNdHSeI=;uK9DL3xhE&cBt>IXXv_dF zx~&M?GS1`VQe<}R9n%5nnb6wXU#O$aH0XVAw?4g764G`82^QN=e!O#*rL2bUNW8rg zInu4zFGzNp=MmJ#_`aYZHaZJl4O1 z1zy8>Vj%!8{IG_p$^sOEEMbw6RrBddg&9>}T!!Kcrzy79ZmZg--kw%?E%lw@Hm7Rv zQ6Eb*(&g~vOH*JFoa^ouM*h<2BY#6}Gxb9g2V4CraR63w)!H0ti}HKYuG1gz6H~Wo z?ZqH!549bmBav?Q8_Y46Xb?5$W{n8rw1$(>;}d(F-2$J@qPS%(ias0%@q57%(Gt4b zklF4x4|l4PFk@}$HZyZ2H;p#lfa7NGkej0!O`!WJW#f+p6!IVv$eJOSrf-3qCwcsX z^IfA2c8Lu4$xQ6#p#kxdEQcZu#wL*Xd?^Bf=Lv#OkCaOdnb=;G+UiyvkSivYYLEEK zoZ$r$d-SF7TIvT^14oHM;h)W8@o~t8Uh)h7pAHGS!+keCC>H(d`}^LKXM6irBr=)&C{M2{lhMz#EWw4WUA8r9T< zF!73)*y+b2ZIo^YYuFV%RVUG_Up~b9bP0td^B$nyyYrO%QwVO#f{D{|k!QPdH*5|2 z)3hy@Wz>7Hp=i!Xt1zp#B5!s1Kbf@?d8!&8T;;I!zufN1#w|DHZU{!Wm>-N^)S{Xd z?u-tLxAJN6_oTOj8RM*HxIR(LRp|8cGi?j;OOt?GyoCnpxe;rmY^tJod(oRptDtA% z)Xz^}1v|OU%6d1?)v+DW!q_Ui+D)gT52<%8EW`7qdFw=!{^NwTbVvE`!A zDd7g|V%(RvKR3iI-{7VS_mt5oEG!e>OO1ca+oQ;)O>VF&R7NH@_JOJzx$@m)!hULD z+>FLNzARzf?1%k3#O$C&2J_xBRMu~)MMmS!(ZlmxO08co(!EQo-m0%wtDTFdDt_>v zea-}*)8fL*>NxrZSywm31?YEFHY6y*&>$6mzc_vlbFreF!C<*)luPf2CI9_=(3So(j3xKEmy*qO8%q1f2E>uFZe; zA<@f4r{lQFceC96sqlv?Hz=;D(rgLkuY9Ef5N~<0sqh6FxBzAL`oU#%T@6P$U1vJ3 zBqP#YY-4@$)RGa^LM}-M%@lK+3!8BmGzRp`)xE^kUrCYxNANkO(Nb>|HVS5O2Pfs^ z3)+l!@&%u^tEE@1JXikfZbpWhjF=JvW`n<0i;}39oohU9Dmk3M9Bb z0*swz11C8Mxay6>s)9FOya6sP3z2>oPD)EXkdh@(eotsPVsO8wB3@Vx%?+n1$yhdu zmwvE0sAPbh3ijl{PbnD2VnpLF9jh<_50#4K6W=mC^JKMDKCTt6hO+3Dtsg!!U1a@O zPb5;wR6YtY=5bov<5JNTTu4`*PO2vYY=T}qNflA46`P%#r6CdHt6T1gYTEEiHMM}) zQ8wJH_f;LYw#FGd5a-CXU3h8}wzEm{_Dfm>b*IseTQWbe`o8ax(B<2c-FtO}^_`DX zb{^3qaOH9B@DPvsW612qB0pG>|&()tHVx<2&q9ngLw@PqTL5jBCk zt+ErfeXb@8;wf;tGyujQyp0mKAu$iNr${_qy<^qL0;6SPh``s$97pAo29Sf-pHNF6 zHvGW41=l~TvPG6*nIkwOp@n9`LZEG!45azDY6lpkp6G?!y&aof^9LO z`}C~3=DL3CUX5wXme><8{u%1yE@$Gc&#T6_V?)3JEhJCLzDO<2Q*}snOZ6>b%#~j+ zZ91eY0f{oV)~6ZfNO&ju9mIZVBKQuJ=Pvb`05JKH9xkm%G%(UkaVx_uDrX+) 
z^yFe%e7B1Qo=~25SFo=DuZ6q<3kn(S=sUxSTw+cjThP);8HeEQBePGeFNJwm#bVtq z2vvh*bJapT6k34`;6xt&^{T#>NRXIL|Bypj4EZ}B<^>#-HkrhxqtA|ay@8@5#)tNe zA!4XrvpHd=F|$N?&FC(vL)PTcg5BWt5vN5xsR^*@cHjPOTT%Y4m-iDzq_xSM96N7j zkx$X2o3IB%dCC`W1TcZ&Qh)ZMEcNT#Y_bBZ3i>N?6(6Jtgy|aXW3F0_G^>KN9uP;PTxC>cD94n-x>D`d$r24=ueH7;m}52E=&$%c zYj?4MG0|wWy^FBtDm5dO#FNJ1O}}paf*y(*lQ5mcMKY^#lD)4C4B|C;jc5s)z}u41 zicFMAWm!Ctl8vx#FV`~6N3w)!YwjJ6RPiIn3*#{zvX2EdR%T32 zE2ou_14kuY$uD(CJ-B7=%pgt`MII%s8(~3`EsA7{$!)ulV@Ez*cF*sd+^vneqMlPx zh$-PMg`^hi4uqyM)Ycrcos^_WX20AU8vRfwe7Ucret)9$&g-`n;|hXq?-z#j17{F} zlXrRN(?a7+fb$Vr1IY0&F1Jt*9=Z%E9jBRjJ^4G&`=-=;R5xJp?x{in6QDVEOtK>Y zdS~cO>UW76_#P1ozFeDJS~Jxnjj2)Uvv`b^MA1tN}Zia zD$3lzA9OGrduCy>96fKAiSpCxrQDH8i+PDLCP40kwD?z5bW3JonPws~lp~Ki^c*>D z)h8)A%B{fN)BM@kMjG^Le}l*`T=Y+G@-~Mzz%ptj#aMq=`(Zl(?P{v){`3K`dXi## zxUFhC1!Q(|ukwNi~f(T(K!sbFb*JMxDMx23TO1 zsdf-O10rc4&>lA=@9YQR&L;sCM4y;HV;#cOe`=T{V-Q_}3a!S?$?4F$cR}dLlXzF8 zUua`Cvz!20Sn09@e!Q&y`ly{j_3<(C?ryIyhGlS5=@g1QT5)OHO*~tC3)}U;>tCIf z%rK8Wo>E|mE?>t>evu^+YG5N)+YRpX9ehTeE#AIDZI!E{IW=MSMX&laaauCXJfgts zHZNME_}$W7OQ-5O){)jt#~?UJ2J+J4OMc)!@6n<*TgOAcWM5}^92XjOoi(p!MBQ5L zIA2V+koJ3-t4qWX3s?QUr}r9iPbT|O>V^pH^iH!(_LI6*S)aF}OM8%S4u0YyOM?bf ztqh&D-{V&ksRnAj#;?Ep3F8lx9|H0oA4Tj>HlZ@Fag zC(A=D*?^Wv;1S*Tgu%-n9Gk5J{Hz35sCU2u6;R(+jFM~V5Lp*|6T%{URobxO8O3VHX##;~}|G zlV=Ptj`i%Bx{N!&j_zbCCL^#5BRx#ces=g;z%7CK*1Wd%(c^5fP6oHFX`vSQ%c&GI zpLU?Ch9z-?dZHPZz^_~HturBhcA`~j;%srP1L&FU^qc1(3|lc?L^H$gCvCb$ebpU; z)95yjo7)C8br{Qi#tV-_P-LthawGShf}{o}Pd$WH>Adgi2)v-wIA6FP%FJBL>~e83 zAmI_@Mh_sH-g_6vIa;(P2U~EOE(hUs4up;Rx^5$xq9E{l%HWt%j{u5CqR)hWj@AIt zIYOM->FJVV3~Da!wM8}D4t@dluzON=uS%y7Tn(6e4v$%03Tf}$N$cQaQQTs zQi{RrRR`?7=_eJi%~5}KVB+V;My8s!=J@#CVl#ehsAkI8-kBTB(V=uHcag!m>eY1H&pE#)qePaadxhRrUmK3J`swj?O&Drp_`J86 zRIHiGV`oYuxd6i!I3ntklv1EPcTXa%-8DIZe0Fkz!g)I^0`UeZsBr7HL|x`e@L6{S z@w~LOtql}Dw_eg-RXbg1U`QsD>s9Ak`HJ}qxn+>J&(LGuuTH1oEzR#|imKC*EeI`q z)%oE)nDfN5=eFnW;*4@w8w2aJbtLtaJ6r)!Vm;JmNRoC?4)GwomeKzD(QI^Z-@xT^ zr4DVa!#DxADXsc7HGJ5$0LQi&k!&)xx7_%-!9?n=PBd-gckV>BUs7vh_dPv$G{HxB 
ziNz;+eU|YSTNwaS($1da94t=0T!;!4zDYmh*DYyQ7L8xo*cn&?`mSBOZ9cppLDOY` z^nEAVF89~@#*!RLSJdvi06LIQN%Q+?6S@x86P3Cy8-3A4Y<&?MI(HN(%oV1pKSK)g zAL6m&!PGPdb$TmnI;~Y~sMcspxKS#m^SG`hXZOl`ai9-3`CK!dy!R)s*ny=k6Ar4d zbFq+=!KxqiM++5bd+HXw)fZ1Go+6&3KulKv6`xYxk=LN9l=nzAvE1rQU{=Q;gB&DN zepTBN4YWhm4zqiRN)TS5sN+h01T>#Camt1`viqFi`iN1sKpi_g`Hzc?%|ga;^lg_Q zFT&j{y3V}3)}ohR+#AI7LY>yQq2EMZzh${s&SK^z&QP9*q_w8aD&eNO0-?hYq(Sak zFDj()8&~V__pkfSwn(xgBd2JWAOWM}xVBNM8qf04zvRwqKgmYnnw82&amQHxiC_OM zgYlmco#s&oc*CPJi5M}FSn@!fC z?fUrpyZBoZzXm5@aPN}%C+2^l`dckmz6L;-FYqGspSXWq<9>{#`*!$G|9^_V1|TZ^ zXov5gxDkXfwU#5%Piyx70FX^_4dAIyBg*)nxXY+8VbU8wEx8+7YB#PQb+C?dosv!D F{{Zr_pEm#i literal 0 HcmV?d00001 
diff --git a/docs/images/aws-ec2-new-user-csv.png b/docs/images/aws-ec2-new-user-csv.png new file mode 100644 index 0000000000000000000000000000000000000000..5ecea6746e5f238b6d133b28082772f6d2e5c42f GIT binary patch literal 77993 zcmeFZWl&hlvM7u@1lQp1?!n#N-QC?GxVyU(+}#PD;O_43&PVpSXP@NW{r-JFUe&v+ zR#C&u>Yka_>F$A0S!oeiC`>2-003AqQ9*eC0FVR#0Kg;&u#X-Z^~FN~0CZL}0RdSt z0RcQ&dmCdjOCtaP)xbnIa7ARPI_L2*n#K=PP0IdyTHBlfHrB*LLm>F* z0pT%Gh3Z(D;ccB9(7IuPA*z88y8)cSWDEm3D=JWUN3!qVsd(HGtP9#>wBm2qPv6&j zC2u2d00C-+s#%$*NRfNy0eQ=w1Sj$Ux+U=)Hy27EKnxJ50V!eS;Cl!x7JPuqs`Sob zEgQzRO>IJSX#p;XpaS`S z6`^B=>_J?6kK2CdF?4@V6w7^h@5gdbqjk;i9twdMe|ew${O$n>8~Vl=L?$i(>E zz+SaT&9-6>OV}##skgnt3jW8}jby(Wr#I#=IPg|`^}}5UNM<1mFx9}m1ajoUNf3K{ z)v~G~4YMR#gR~RhKlg;3%0>Cf?L}dE$tkKgzZQ8aX4n+e^x;b8Rzx=p#3Nvz6m*ea zTl!W#;-*GI0!Gnbx#wl|gK%gNrU3T5#`eG^rGLpr1cIq}znI87op%(T`wZsIg!BxH zqe{edHQufp>C5YIEM?qS-61j?>4@-dH3Fri{Q$l7!cFD&ph2+ovT z7Zk=10Ulsd^cHLr4+4Zcvz0yYWyzEt5SbVFts8B~TK?_ER?P-dAPWu;(33BQHsob_ zT(@Hu?K|F$j?XtN8MTe3HO#s-Li7kiHe}VW@H;Ly?p4)Y`Rx930f-Me`OkQ*L3mCT zr(LE%5k97>2IUBIFcx1E1s!soCelnPcfJKH64!IMFXMK+Z4O2lWElj}SJC;Wux9xU z*S}9_0$76kheVO2*ImEepG@e7D5BH@s$<1Q4++=hxA;=IQ!>PHtD|9Pfabnw%pY_y zz6~a&*Fr#nAnQT%MdMv&W73Jzm%Jp_8h`Uy))$~X@0w$HS-#4?rh7?#Eg4$A;$hzu zxL|HZvi8I6mAa6^16U8l+MsE6gMGh^oOD`$U`%^$CD(4~io4k-qG0vCilAZ%->@^wpz&WP}h`$|w7UU~Y8r7@cE`jiD%0|0w4A30;9ozbzhl&3CK88AgYsxW_RQO^}?mP}UFGz%Ffh`cX;dvad zaRG>;AISvpKsV3=fXD{e7kEx^Ja2K}8eLjZAhQh!HZbY0K(a6+-JrG@Gk)ngkoCTB z7wBJrtGYSAs|<9T&;fhX9z0C^B97?`udVfM~1ls zUC1kv^SK0o16+wuC09ch`Uc(|uEQ@VN9+KrKH{q!5i(^M8gWpZ$hZ6(xg;`?8JYwh zb5;t##IOr${D;PMspl6I_w{C(7m3Vv>AP@N4li6VW$;xdsmJuQlkeF&8~)(etnNs7_sATu?vZI&nCG zaK;Jlv)d}LTVlid42l*g(U&=()w|k%yD?xJ?#l6nM;p@StIJ^UX8fhwL-+&d1I~-c z3zT0dp7;db0(?n;D?dwa#)RkrNd$s&$PYogJeJ8=bU{giJtT{e)9>C}pRuts;a6EW zI9qvJfgK+mRSs|_U?-_#RYm2A1g50rnaINx#acz&1=8}1i_!Au^IeLg^TzY4^15Vr zc)NypjbjYxOmY}bOvnsNOb+x?jEU&N7>*d-=}74I=(P<_j5G8J=tAi+801nAQ=w9= z>2K+OGRCK(q*|p2q%x+`GVmB?>Gsrw)S%bNs>!R3sGikD#OT%1EykP(NaH8RFAp1( zt18IT(i9_llvI{!5tg2) 
z5x*SF>E9OhO#LZLBy2Ft5LXaskiyVeNS+kU1Vl7DL z3O8Icsy0kKx|)!lgcj?P%tNzI{;t6%gfEz@xtU22o)@TJtDnEcN=#0STgYFSJaRKa zGV+{=m0;2&Zgacp?tE;4Qaj?D=$NRSs8ecQ$~22PE5?k#Oxr-v!0n{$q;V^G3%*RZ z4AXeJK38ugCZI$po-e&!R#a|Wy(jb&lG=`1r^3Dh!3y6h?2i4E4;v7hHWM+EPm510 z%=+6|byhWwQWgJserJJq%p38m889etS`Vy0r~quASI~WgE}=p`On&hI)qwN>=m0PY zKgk=(ED2)~MUjW(d8*zIs-IEmx2e}@&nYUYS59T(a99*2MY_r$(+P8P2YBDJ} zr=9Q45Z6(fj&s42MM6aCNb^biuhY;5M*ENR=4HZQ3lkX5t!m zGH+(@eqO#F6rUzQYS5RpZ&R3{jP^nc^>yG&8s|e5o zai@$RreZ6n&Y=B5^WqlZD5(B@!#Z-6)Mb2v$_yn|cBgVEh)j7WZWVw0}7iXznNJ7BJi?l^eIy_ufw#%{@{sVpif*}<(>~W zo9h@e5h5bUQ9Ia=sfY282PIpRFZpF^-fA*+N_FEneK^pZa~_)a4}qWeG6FJUk(Om< z_Mvu+cf5HH-LCZ3=GwOuzAH=?gI!l#VM&K)a63Pl@bUJP@%#5K5oG1{2|=5bn7EG} zWmb^yQFF_;Ya*&%J!KrWJjvHgwKG_%NiMp!IJoV*-Cir9XrhQvcq;`d!D&}_O(+*C zD>=pP>pL@-a?m&8`EtBh)U>_9amdhJdtRh4x(B{@~h&s5E7qIGCH z`g;=QHF_h#Kv7zE`qCXeflCRE5uOo_mNb*hk*t-(Q~CYv`|FQ);>WVfrrq7+t6GxLPeK=i6!s437I!2qt9=RU&(Te`~vF9KiK0LXL!s>d_umcY}*ig@5+^Hyr z`Q3$`ZIqyd@`PhWSHPHTr5(<#I$?gGXNlPaISm_D+xhsbZOi{#gC5+Y?sr-Uqq z8eVO(&kAtVQQKpJXksczte;$#q7pI(ol)E~uFEf4dB5FM-jL^K-E!?Ut@BWI6Hai5 zQmS$Ua3;_=vRg8|I0^2brPq%PwU_u$%F%Pz+}S-{GC*qF@p=^9-JM#9wb#GT_!SgP z7|tX2DYp1)nx)h)-nAG{dkR!1L*%$v<{JLs2PQ%5s82`}wUU*6wslCbl)EPK0VB@~l*jaW= z>*eFQ(H(rzqa}daM?nab|9#TNz-Hjwn<`s08|JP4wQdF3tn^%B*zrQ80po|{`bnY9 zHwW$Y+kGJ)y0?c0x;nNRruHxG3|9^>^U3S$Dk}5y>*$4_M*F4@P$fC$07-*Q`h18S z;VBOo#OQCbV2mToCEI^E{^%OMD#x*GInnw|SB$9waL=A~@2UCX45ao|t5*;~VbWj! z6Y)hHs=V41tT_MkFANO^Wvxs>9v9n<7>Wyv%HXfQda-5N_DM8y`^m*saE z8f*KnT=vfu6O>7GE-D$C$rNE#qBUE6TG~kplid3cN=30-t#8zyZ?9S9kH4`-VhUR8 z*+?;Wwt5wRD}DT)`Ms^@ennkUWA;p<-mZbsF^2<{vlusm%k#bD-p*ydk5o&htu33! 
z{}H%BjI}ap7l88dx@5!c58?JRo%JE#@^E?U$&fyE;tj87c`Q;QvcW%=0zw7 zBf%%TpvuSu5!~;(Kgfn2(lJJRrIYkm2aJE5wG)SI1MG`cj;@@30d60CDF=f3I>*1+ zt45G4)YiX8#75*)_)^GdR5^4v{3;Kx$Rr0PJGS61wi|ksz+sji5R^)yWYOguD;;Uw zu%`BE=`Yx)OQ>SNg+#CL^)NuK?NKe9Oah5gxvb|Dt-_3@lx4K>r*r5X=G`@%%4h#f z!Ax#8v}U$ehGyqh;ueeM@zdt|X&wRdYN{ zycD_w)dV4!RPZm{1$Z;;5ufL&Sn8!vN2m4w&vNTIWviUf}kp-JXucN(GNnH?A>( zHPYcgby&d*rZ0XMRI>gd*7s$v-A`fm@v>M7N)Qa^r{yELDNttpt(n>)4PE+(yNFHcUl+{kWBRt^ftz&Y7?vCJu4O?9d4H_T`( zzMTRu`mYP$MUF~;9e2CS5%dYlCH zrRD;NS_U}6!{xQY2O_IGK7Rznm!Zl5rt*aj0dUI++)1^@gE#?P6lHOP9>yibN8b{z z6@(rFUjpA1n2)8ppbP^f4qu9b62TVH66p|r{Tit2zy>rXa&WmM zBMOkyu#D3VK-Z|yu@c29*6)~_>pXZn zjeej+ykPCTK$f6E-GC2Y*=&&${7ELj_wYzWff#(9`R!zB6oboOS&=aczuF6(3SB*e zmtdp-v-k>ZPTPWi2}Tv>%u$Ga@kAURIgQb5$GFC(48I*r(&O21wd1rCYQA>`{DPtr zn2le86bGRt2$x5DiHR+_FRH@FANwLEb2xiA8e7g9sOLwYa7h^dX&R!A=bB043x){y zPm1v;-^j3?d=!lgwvf;F?Dr044zGLGyTcn!J4id}yEbTK@DYf$C`o8~2#@$2WOst? zVtLB7{H3a`qD8WI<(e&?k^K2vgoS{+ZYaV^7|aq*(N>d~i)pj!(e=fSskclwUaoXMMj}XySCiR=AFG276c_c__rP|2w-D;OAS)9b>6>> zK$;^RcC)z(hkgk&9RGpFnk_+F$1|=&@3eW>PncY8G1PEgrK}a+q30amrq_6Br_i72 zfA6XBb9skz0hjkvF;17)Rdd_p<1AXeN^J+OPI9}`A!%pVV~QQ949Kcn|V(k?}BH0w$pOn3ms4X`a7{1R|3 zT`)BdjG@n0!Be>uCD3VnHM#Y&iZgPGz~;!tLANm>Jm6it+Y{;sqBlY}5J706cbbx) zl0c7rxkA1Cw+A0L&Fw~AkvwU<6LQ4aBp-Mc@r@Bk4&vf3T$rpZnj|*gCGZN z2T+P6jrI20sMZWQ>fY6jE%6`=k5Tu7Su7o zLZW5Nve%Ks{gKqrV=-{fx&w~NlHR7-tn6BiK1E)i-8vNF^H5RHdZ~VE0w(<0FA&r# z9@Ez1x?_2hxp3l|&87alfVBUqUAi+~Ju%6J48Mb{eLh;Ys zZr;j#))D7jiqg}arQTW@EzDTAQfJFMnv*W+ZZj{5xNWE*(DP_6)OyJ@w9B-#l^KuU zo*fQUMr=0ME6TJjj&To*%j>;8d5M4l=zz=09P|M;>;WE}Je`~h9i47fFybt4fNg0F zx7)^_)cQbp<= z1_tVnFQ^^dtR3}SsjVFd|Apk=cm$0c4D8Kp9nEa4@qXde)3f@W4m z)(#&_<7T2``SRB^|6}Ao3;hjJ^*@mG^sEfOgZ?)38|bg4aLCx38GTUc7cIEyztH}V zzW@6E3+*pL{YJQdapkYx54LbaeWCrE#oSO8ZOGaH0K5QVf_#dufG3%dp2$K^_dY3p zL`3+2KmnZgqCg=8C3qCU5ToC|hCxx{kZnMZv=R)_H22bMd2OsiqadIN0`dh!;?3LZ z#KMa<0~7K4^713b#Xz>p+^)o@W{ENQeeQZPWLTY5lHnR}DlKcv{#IIPF9d`x>I?GE zZ?^={yjyD2@IQ}!K=Bgt1|wntLB;_5)5{wRF_EiCq$w#0M8x}#Z!qHWKSF+V{yz$g 
z9+t2~b2;3>Y0EYZL7dZF#j>=%ggAQ|h2~QSAfn&2z0(f_GG`I0p*}-hTk>)pT;p&q zh7LPBS^G*|vae%^@Z(QPCnk08jwZ)uXIFVe2M1j&GuTHgWTyoN#H)!){uJIKf83C|AbIBlx<56j9>N7gC8Ep?v!l0aNv4 za8caDdfFE8g4k~>)9-P3q1p~@Y}rh{!_1++>Nq@H6z44>y07yyLgzglKNe5ao{%F1 ziYA+1vllqiY1B^O_GP8i3DYjgpJL-n2{a-W8yo8fjYiYGzK-kX=eOiyYfJa?@*-O( zj-uIO5Bl+>#UD-;N(_yR@M~-1n9r2>O-#rp5D&@=)rrii3Dq51&JnjGIDptxaX^`A zR;Cp$w)`5k8Z4yloVj+FJXnR^ua1s--fm3AhrOq{zJ}riAi%Z1XEK}(-_6rqcNFGb0T@|1BKWV zXNHJw<={wn1?BTo6AZ|SiG`LwK|)Su$W&hGL^g*RN9!w3TDBUtM|@Hy-E7zmj>)v3 za<7YFdA=JVeAw|Byfj}&brxWY;}qLriUy4Cm6Hr2SsDe8A0RWWA|_)Qe3=|h_1`Qy4fWI<#D=RhnkpON;%Rr=;*=&&uS%cVTHBQds#;-%pC$Pz&o0EFsyi` z!=7f72LtEuAQS!bR_2A~_k?gyUK9a{rL|e$OpQ4Qw=btd&gI(o;A8t}+H4d#(v&wx zt0)L}Ra0%AP!e6LP)h2e>7B0i5@h;5&$NxCYDp5Gy1Aqb0pN=CD%UfkbU7$zJ)Jz4Kc> zG-d#pYTlz15Roht$cl%zCbIKpb$PsDXcb0e5`L{h1NV}k>Wlp2!t)@cL>T{i%kVP2 z$EJGn7*XOvN@_p~C=dQ!Ij4y{Nh9qOkcB2kd_sWd=Vb(c(5``RnR&sKYixN}w%n_G zBem3+S$?oQV-ClX@*|q`#`@!F#1GUp7ch6l`<^k%v*DGyF{t1tbX_BVY2M1%)28P5_@RaO1Q9#0jMs34Y@KSKFa_Cq|% zDdMD(jQ~&ebcXA80^6r7!IT$EKPzQXB>RDg=G;Ia_v9-2zWRKwF`p`Nl1TA3pvw_j zHlBMZ2X3<)n1vWvK~k;%GM6U(Mb30)&-n)1mIv(SG}JkE(|J(S24}tc$K)dN3PjWW zLHP4Iu5Xr0qrijGRdzGQ-d1epf(ZsX(NVBaBwAk@HC!M&= z3vAh4Rt*V6glXY!hYhdI%34t@GtQND$2wXi(tIqtD5$EYuF0MC_ezDv;jc>m7J1Tw z0w8F)LDc%cIQ6$@lC^^@X=?d4$#1T{Gz*b*Xj8f}1@X&7l;kbm47YBp*6~y@m9AGv z{%70GSCP#$)Yo`h6>#xs%{6W*%v!RB$VZCoA&hC@56E{!T7uEWcMf&FJJ=c(`DVTV zju>BHtjsmqv7O|)gKGfy)L6e zxC|W1RTHUpBkO#Mmc${>zXl7jN`#osAj?&x>s_wAt7E*nZ8990Dgck`zdjL3$P3n= zhx;`xWr*G$u?j7h2)#LZHR-^xBd{QWDqJG>}2p$!ub2MnhG`KNzB{R;(Tp1zeXu5gkWb<{<*wHP&E&; z`A&zq*AVH~lMJyrQxN8p06^AOoNtaC+HKdVQud1RT4FiZlpgJG%kkQCxG$|u9KJ~ zzJgJw0R`V{I9H9hsHW4HHl2enyjZs|#F+-)$w8riJ;3G zMBkf>F0m*ceKd=mJZLL=uq!Qg%KpBuSD-y461fyPkt01hAAi-rHFAQuNHlH`{Hc(j z%iL+EY#xAlloy*inkUj>v2h=pwye>%b^;IPdc41>7<;b=S$dy9II-#meTKWYUrsm{ z05T!K7mY9>Vxeo>P0IahVK8I905mx{X{yQ!qV)De{^n>GekvxTvy?wVQ7NSs%9HCc zyJU)gCpa2?+`wO|KP3~IHRIy8lFU+3?Qt11+S?uqQxcxQ+NysRAK4*x$`C1YV@sYI 
zOC;L@>H21d|BQaO)WP+`Li15et}HPT)S!All5#PMEPRu)+X4#LW#;R=iXN=aEavrN~Oc5q@a^)k}7JF@{ien z1d%&9*YY*OV3~`zI#iksI6RUmehtlEJ;bX!?HbHyZ7=hz_V~m~3!Cp=&VS~jzgjV@ zsUimNy9?rZA9@^oabzM{nTB=94xxw>@2nR=(fpDgwcT+rSbaBuR_(TkTo210oL$82 zYZ4^c?Y}5t8~&EBfbZdDHr<$i7`TH*-TO&`WaTSZ9Qml~3wT!Cu^dxHY8nUyG+;Db z;q>#iiZXgQc6fid=HKU5DKtprBym8L-dmR9~XD zwpJQw*CWp_eW~59*~(ya_?@IV@<>DD*P0%8Z2HRPmSH4)2&2_$8g`$_5>Hj5o ziw-z7NGyQkG(DrhHZwB^Hw(x=vY4S|thr?kgX3sV!eN!~lp#i;_Hj0x8A`+15@atzm4Si~Zg%2OMs+?HYb>-|5?{l% z!5rQ}#?@SIBy&33%oKHY!5-o9+S^8MdYeO#A(S{(g)>0QOcse+VnL3fJR>z%Mfc(W9!`Sdhpm6 zYhGz&JX&}qtFj1L<XQaadT$5CxPz=eg|U2e3v@ay;t%E$e0W@3SxW`K%Z-sBf2Q+(e$9a< zpGDC3>QF~zDd!>ULO_N)G&w<~Nybkv^?)^B0-KXiIrDyT$t-IJUFh%*R?_9|XeE1O z2vW9N`8~EPAp$8?ByXQ9o-e|>w(BuV=$v=^2`Qo28QvR4Gw!>W`S!IfZ$=d7<9d$n zly9eM*yzLZYlW1Z(1Xs+6&EyZ)DHkRe{J6%l#e%!L8eQUpSV?IFhAY$IV^8S?tlGB z9;VPa-`gRL9*~KY7t>~fcE$-ZLmq^!jn*IV;avMkay-m&)~xowd_xK}J}dgRh<3h? zY()UGV6N?Q_ygA?#%`3Wgc|2cSOZmK9kt13*7LK?3>bDEW+*TPxCqjAHLaRWloht) zA+lefhIFbpCvGqRml#!V>5OAYO!-XcLd6%Uiu8U*JUk%e4p@cc&EjKAr6BS!DnvYskDa8kIl zzBj{kfnhuwZMw&tUb{9)FNrn%5fAUK9j>epXVwP6SM{Fe1UsNh&ijoBCrn)c>o(>o zWu~S-0{M@un>omj21oP6t?S63P{sq_AeuuKb?*}{%ek8>#ZgHNVi_@#{FJI{38I_T;A z)2K6fv)D)IgbLB@LbjXLjnmd2p}vB=yGthktR6yWbo>pNR3w?*ZXR8-C0jD>di~|I+r(A%9t;|TU;{am7DS% z_I#Y;H#~r>xsY1S$ek4iF*gT9&q>ulg&J$pv%o&{7~3a21PX1|Y~JT;<!6#fMym``fBF)cg{^`2-6|E(bfy&=2YU_rw)`=HL0@G) zn6CMmx&-OKw!74fSCy!Bod@~8v8IC9h^vHUL4;#tmM1+Zh7UQD{A%~7!9 zf#hj64ZFFz43n^ro_7 zD^_RyVXDpjMmQ{~o9a7hMkGQ4@_hCGM!xih!5LL#^SdX zc}nGM=ZsMXMo`}9d6E~_iXlq~bEH7gL(6-^IGzs&LuHQu$cGP)8;5EM?d(BXWNr&P zlk^GrH$?(~drVHf#t&KD4OqE59vWn^e;gP^yI}#D>G9dwF+PILr5Os= zVR348sls3BOiX6;op`5&kHjUErcxl<~khW|X|~ zQ%t-DF+iPRl*nj+3!+5bGguKa%tRTnWCFxhS?S=Y(C&Ap6X_Dr$O_IwbAfV#lQWrF4;W@O_xrPW`UlsahzK7z@bk6>~Zt~BTn*yh5h!Gl^N zv24WTmsnr}b)HU2h=_<2|CW>d7`Q+HWR@!DT_Y(MhS7@58IjxlW-mebE4h~ckz6~d zl$z*JI-M%MgsZp{A@9n#b`42;Q5rEwpX-6VG>8NZyxYpDfgq5a*`yTdASn`Z1DWJkE@9G zze-=?*}RFAh~i!7Nx$W0eqokHh1}WSw;&8HRjw$d&ak3G534A0Pft(VDl#l3*AU;E 
zh5MDWs>)kLem5Zr@_q#0l4tOm`?ACg)8itu9?=LZZc;&$O)kzyBp?j);Y!YMdS|TTQgoKG%N=>1)i&?3o@F6@->i?r+AYC_m z1pzxTgi1WMYvx z2kH+=Oz`?ZAMu&+uGkoV(-0L=p)S@{yi>+#d#L3zQyEG~NeJE}2w|xezuUZz_#fi__>IzB z{Eyh-Z|O4n`XRtZd6*?2e{AY+Rwm#AIg%x2x8@c74f01rmgE=rNlN|1{|5P^@xKfB zUkdy$1wJUCdr@$7Sw5ZOVhY>IdBb^^!Ffc^9{mqm%bQASYfy1aU*FH=S})|n1X-!E zcU$d_nFve*YQ< zTYR@Qm=*6uk=!eqlZP~+C156W1!rX_FBHuC{2#~nZzo7W3doEl!u9;C-ijRQTPZ;P zJS8OUK#3_+^m|e9UsI5YfXqzM94-D;1TqD2#1Yw?;%KUEf{5}j;Vs4Td;XfO! zhnSCX?f|hr$`SuTCX4aQUSXK0vc&yuB!6%Ce)_PuI|3=lf96{LMv(Zw)BoR0eBYkn zT5+WrAp@K!ZMJWTc3zQBCDs?TvsYvpzn#ziEvCN&x0~6I;Z#;$x}aZ#bt_oF;^KLj zO|wNaM@?>*gJ(sd3p=R(APT(loPR&=xYda2pM@>~%8%h#R$P=PDz{8qME@z2KZtU0 zsx(3M^m^5R2*eI#c6NI_?tkjgM^7b* zAH$*SQl>Nd{Tm0QT5>H{tt?z|rNp3tQP*MfH)n_FL$6F-n-$9!uVwyn7sQW0gVgo3 zJ&!j<*>Uu3`&(xJXvmI1CbS5()J3+q8qPXaWr(5Pja)Jr?)v0hY5%k(y5nh{-I9a~ z8IX|j*e<*fl?uEyLCbq>Z?fxUk~lXn?XUgEm5SylLME^WPn8GkvL&S+B~D@=)eBC? zxT`O1s}<*7X*bB)LY$wjl%uddM%~-lEoh{;pQ}oCyc24=-dMF4M82wrvu?*#rioL9 z{4<{_!TcClcdeZDBUGF}MVv&maFJ|yYNNVSr-uMz49mI=uCfi4y%0+$WQQvl8?~ilkpw8$YPB6|dE$moE9tX#&AN?F)9`)hGL9 zl15zFzBcei0qb%&DZ7S7VhV#;YvHHs-Q1w9P2bXAZbK6ExK6+fm%>aVLh|FVO>|14<+IeCSfUl~a_sbfot)t}8*QY91wnd{|n>r3}) zroDpmoZdE4>=^TH_0wyv^Vay8TX02z0qfs;8lODYm<@<;JnZxAMzYp!0l+aADQK&t zVE8&myP4-ng@1Tq@0pqyP$EGB9#6cM;-kKWWb5Ki^HxLv9e44xLZ4zRJ;#!RGbh1) z`*;=nQ}y{kq*>}kj`Xf0QaOFD^fTgDJJ#=zi8R?(H6dczLAdAERoLtfrYvcdS|wI} z@DYu|Vh$`|U6mm{!5y7_AtZbY&3o)C9t&S6B&YCH8h06ePK{pYPNcmqjgi;CJahd2yC*NT*h=3rd0MxWlWq8ksaBb!`EzKJsbJf&=tle%LlPZc-F zH%HcP%WooK=cWYnQix;-P01Q2A(osYOHAA=NXJNHaGxzR}yN#<<+NKNX$WQipmD(+whZ! 
zex9dCys*TW&mWrjZ>N^%%bSXsYdGE};0hh^IBJRkne8$=aE4dBfwswR z(>owzcpSFWag=L!T*EfMp-mO46_g!S(OdNXCIh8jrno9z1&zN(u6 zYEs4z!GXXphP!9qlaEv%9MEZ}4`CQy#~^$h4;kQWu(6{qTj*7N%tP2+P&=cwqOh!w z{gfLl@-^;Rt2-{WGcL;lHOnj{X(LlClK$JpkpB{Jzc8sBN%jOx@cEjlx4mwP75F)H z+D0sxE{b_G>B3PJ8V^U3#nEag%Kk{-YBHEZ8r=4Pl@q4VoS7l-#BUM%3g77y+E86y z4x;;HB5tMqU-B0c3gd*g29}IX;@FGvPgq_m-mR9_)+)9e&b^)TGc(x099z7IT2ro1 zRv&`Rj!y#9ozb#@;IJ+W< z%r`vyBMtKJ4+5 zYn*Wr#y_)?`s)c3)gd5CBbDb}Cb|2hX$My&c!b;Sc%+AJ7+w4mK2ziX49yT_3N>1` zK|i{&FXbAzp{){=Bd^m^Ew%2&bD$f>TnaMemGUtIt2g*S?pK~iqj=2g-G*A#7R8rm zJ5mTgg*kp)=owU8 zD?{Ng)#*((F_@ftPnpd%)N$rrg>&US7)VExAEBjV_uD}+zZxSZ06_=@J^>#((<2EPi$7DEJ=>p3X6g|FVC|M^UUJ$(GhGZZjVV|0d7 z?czBIqgK>KBe?#s*r4Y1%S59wP2=e@;EZ`Vcx%LWVD!-YE5_>g4T3K%X82pnt zjaGH-;E2LzB>DVM5-#ptYRN?e8!e+D`JK0gmOa)6(7ZHU*{UoyKcW|V*D7Mj80=`; zZKDoii;~EwP4f&Hinq&WMAN$UdILArIt%W(QRn5Siir|!+fsbZ$Gxt>kg?MHSQ?p ziqhM4f=Y8ur(4n9@*X=4=`THLr&JBE)BnjW=JX(s}(RgbxAr*-%-y{1;CRilDD7zhj+NrLQ zw<*l~Y44uC&Hx%+hL$g~uuc*A4DL8+E!Qo@#gfr*B^vc9RRjTJdVVu1dySzVE04a# z4Cy5m(Vuo!W7*Iue^+2HUn2xFlu1&UAXQU3TJT0#qH8)ON#9<&!HNTP`HZ=u$*{_x z>*5ZAes6312IMDuU=%{56VT zaH=rOA<5k%AK~4=&;BlF>Uxftav^krOTGPMx;&)<=A&qAo9!r`IrV$JgNRQWK;xvA z!d<4RNpnJxoIthG6@8RtYYd#RKZb!h48+Fin^_5FKF3BT9-C}*0^bp4_|i{S>B=Y5 zKrj{qT~%8hOGYf#%^kJN2jiGMeSVwHr#%`yAm1t0wf=F8?nWVoT^rQa2fmT%A(9uV z4lt6=G?(#5UGkTm^t<|%JiSs-nW;a4C#!=a4m`-C{}di={ryw$+{S&pU9Gypd2#uBEiD*BKa$N%=RtF%W73T}ps!-Q=_Pgm{bnr)RoO!{!Niiyq|xvWOIt;W zYHRK5VhGg(hf1n^OQVjt%-Gw-w)vUz|NCh$ryMay;9L0|%q_(z$Vk1wFiwU&4R(jE ze0Xc8@GHZHVC{U=^8d6+yNMrB+it^N$$bOShCakdgW{mqqB*jBx_ayx(gnmnoew^= zy;})ic5m&2-b8G)?j$2bZWHse2s zi@du;ALw_>UDSWS1Nd*x{(0vK5n)Ez05hG}>im@XG?3_meO;OR{B00 z&3PLH&B=V0pf&C{eKd$ob8(`O+HTgvLX>GaYN?GS^U}8DKbn=>qe#ljwAdY^nME7O zBeNuS!JwW&~ymA3;U(D!KLT+TgO`#%b ztkO&48^m1#+{b@R`E|?%{~#v&#)bW$F7MXKw-gp{7}W3VT%MV$AvFdh`b!CkLs#;e zMiNQM^&mdj>=?LXFX-3K88^D#ICBx%VPcd~q8!gwpB5`OH`@ym(VsVbVh(1Q!t$m< z*Wam6DF+%9rc%C+i$wNJ`4<6QMODS#u^@!slNW33LL1G!wG*ar8&T-Pq1EA=K9U-U 
zz07`7@xNqROJ_l${r^aN%b+;E=vy=i34|m-(BK3Q?rtFj2u^T^Ft`owk_2~mcXt__ zV1p0N;I0FM4>ri-_rLGH54Ya?^s4&9>8kFouHAk1-e;e+*2eOq7|0-Rk7DtnU<+q4 zg!8Lz5YLBZ7j}_@UT6l_RiBo2+H-;-a+f+ecG;Va2~>2cg!cupg$@V!Z#ah^v z48cS7*!fl2Vn;A^l%g=Zn3T?Cf2gK->!SUO~0zlAS{qp}Z5B}bPYSk*wi0wo2 z_V52?qJTFS|NUaWlV9&EpW`F|>Xe0VAl%%EgST5^wO%*F;HiV^aB2p^@o}O^U9 zbGr59YCT&7yU!%&=)JXWv|btdVC!s|)xi-+#H?Kk{r+5OOKTUK@FBeV>(@s6&oqRn z$yA)Ra0?s=(U^3(#u9kyjU!I_~pliCT zBu8GrVufwf`4s5a;^>&;FebRGo!`)wXkUiRH5PpR!+NGvXn&F)9S`8F|f5*{KsP*F=-mNM;5%7&32QE zRW*$;-#WW3;7B7!@e=!suG-a0dC1nfFwcE$Tb@PzeH`Dxb$X%>YXe!jRq0{)U{Z)k zzK`%fWcQhwE&}8s%TL%qm<(=iM-z1*4vSIYNlyIf;P6%Sg&!-YL{joP#(cyBA#lT} zPol?uK74f5y{{QAiusX-q|>Jl;Yw{od#j3D46!^`bjDbAz0&ysXC)`!KMmZGoaK>< znUXZcCe`3f7c#4Z!VczTvMD*p_zAdhqjitG`b@IR;v1TG+!1HeqZQySB!&#*A}MDL zY~*R3LqWq&-u+4X{%lX%V)d;Y&IL$g?ZKeOa>0<>gCDG@|2KRW&<5yCx?@i~n=g4X z(vNG56G;Fv^*MPtt`YDs*e!+g>(WOKOf^erAwsQ`wy?9|;z)EWIf^JOa6xowR>k}87|}gbk)L+(0K1V!~X6>c(1QQ!68Cn zLFVQla%k>ilj9d?W|_|tet8C}wLFxSXV2z?*sfar@?Cw zsN4AD-ME>PnAzsU<8o;8%Zl&(^oSRp(Zs=H9Nz%PR!!Djic&|5B`?3Tx2E{~FtcpC z%P9h4+A7uZHi7qMC-F9u@7eU|+jtzSatl@W2yEz+@TRU;88#B8)NM%1vvYad%q(fu z7-V|En3+h0uS`A4d?NWk)za*n{h(Tr1xM7DlX`tawv1u6BAa-;Ybc`R_?rZQ#wa>aluhEUQ)?k1<9vS84%ij3QO@293Zdh^L zcF||8#O={~AfqaF;f;BX>lGD^DZWLBNF$f3$eeeo7l_c&7o*Q-PddYfLZjA-gru6NRpf_G!Wj_I=?U=#|eaI3rAZT_OBbq+qvJDc3XIJ6Bx=9g;u*U zqJ>~HY$}I{C0lEHvf^;6IstddH(x+S=u>Gs_=kPqTZ}^TwFh)oZDHbM-+%x5l zh|s7VF&~wmlNz-6dA@$RI}xhYbiwS2;f0wW?DD+_?BVWkX;UnGl#CR(d{vxot{ zplaJ#(DLT=<=3EP5>Yvw%yCHRIt$n)ixL;RNr=n5&JgL{0|orv~l?oIgl?*su%m&`(6D6=dhT> zGt1y@HPCmJj$46}%@SqzL_yL$UNFgI4k#jYp-4}?Ve!F$j0?Yu3_}W;PW9xlPTcA>?4?AsQ)0#8f_;9on3GsEiTV1;kuKf7Uo{|P>y@#}HBJ9fxm;my znk{aJnY=!9MnO%$w;5YZE?EpiPZ3kd_?yNhPyTIE4r@`nTI8xX#Fm} zDu5EWEQRC6CuaO+14s7;i_z!Ur4tOU?sn=6S0EvUqa<0Z?9A71pbU;f-K9mcc2q2Rf9vbRA1`O6lImzhuEgZnFHv?|sBj(H|0 zYhf;>&knRGwnOdH(j(zbo#o{Y-*hMVipS|}NU=V?J+`~}Abz?}?F?mi~>LA;(i&r5Re(%vN`#mMiyr zzVEZrkXtc(8?U+~$rC;Fa(rfaK7dbNsHN4WM&G;XHDlNGZQ^)rYFiR09|QLygCzN- 
zp}LRz`&rC_749K$60q1f%VW5~t_{b0z2RA*Fdf#L?TJYpBq^7Ud@*7ozyz(r8}}LJ z5ukTos#%8~YVO#BAq#{ewwO2t6zb3n1B?O+eWN>$f!xk9p*tUK@}$nZMJW0*#}U!5 zMaet&TZjFF@ttB!#MhI~aaWfPdr}!4?*&%uedvP+cuQ&@xtKN(J>6wkeb zC-9YP(Qrr5bYrPmK3K9f$c)}Q*qm#9@$^w-y|O)_-vRV6!E ztabykNG5I@l-3kQQ2w`wo1$NLr%=1wQLn+7!RW=SAmvogkgN{3?IsjKpwB>}2D*F| zCGC?xv3m`7oF-Fat*#MGqjd&I*8BG6ligVhwc8lY!h-gU#`3{3*27-2zRDT zsN>FDKu`%ewq1@yQ-bz847d0~$sQI!DpgjDSR0VRA@{R#k00JP30HDzNHo-~?#G{B zpE{c#ABN^tRi}uYR>-a0_mtb29}C0*8e2o9Y?QKb^j0vPWvVpdtXo2z_1s`;?6!42 zn%$M~rdPM?Cvvn-=9itNP1+&1Ol$^F2n2iA*)|Ap)rOVZR6rrbj;;_qR--uNRpW(+ zD*Et}z(%(FJvN$YpA-$9A3p{tsI*-_7J>X|6H{5V5^P*2T#rSJ(taCTr)0NlkU=Z4 z?**9S1LU?$1>L_f6cZ&47c~f%UbFn`u_>(L!al8s=F_?sfbLI6)y;W1Sdn#i4xD-8 zm#u;Y@QRk$GdJh~Og;`O&Q}(O5csUIE6G?zN)R&fY0{sQ_f0A}4?kUsR{AXBZx~O{ zWnC^B%SI@AdF-00O%r?5&_O&X+`bcjd@B4J=L9xwbDjEDtv4dD4tYeW-wkQ7NHxAC zSS%yLk|6)bauVGafuC)(G<`9-_2{W}eSzu`a};*Eg|wGv5<+h?h38+v>uRhe31Fhj z`sHnMuoV7Cb05JewPdoMTBrTPAEGRnd2d~O1yI!kulAD5mTFZ%Yoq$XFROXGHQz6T z>Sf&KO-e7^Gmoya?`g9-RIMfV-Im;L4huX|+U`HnA@1LwUXUIM#s!z`$A{q4$Gj5) z4M~V!d-AvXG#(+qESq@egguLZyogRxk*!bi>6E4YtDpL1Fb|-eXTQ3N*7#h&NgZE{ zYfsis9!RVhLFJyW^UcY-1su|b0+d;rt1fawR5Gi0xW9M(irxIK7v;a;)5vRYR2e#; zKPk@NB|)oZD~wg{GM*?@5IEYs_>{gAZ2Z5q0LZ}gWL8@@QDXA6M=O7D!N`xP?YbG@ ze<5u;X`ApzbF<>`d`te-tn(PxPQ-x$g%FxTBA(POVGgt^3VtIVZ@m`m))^o#Fnsh zn;HV9hq8-~@6g(l5s&F_aVA?{x7AUfI(c62dqULjhT?5Jt#ETaRlOzWdA)WI zWMh@R&UwRx>#{;}bkzzi^lSG`PqMBtSiAXqn+Av7i|LzN)_g7h#^tKESCXf{p)LJHj?8ub~W><{pz<>TT_l7aI#+ypEK-gWPCzZf2+VxAqIK= zwT0eu%v(uK>;hYUiFOYZf&ily*N+xO949d(mr?5@<<1ObG)2g1{&Qw3RO@53wFzNW zpN)I%diy@@Y#gpMhLB$=jcvqd#^i`3T%EY3!+))az4PDBH5&n;*$>Zyet<#k(o<|V zgxL|K5lS%0d`+m(9;t=lX;RWAKQMRi{1gy z9<|8I6~tAotxApR*amE}vG;feCVbnGn}m7^a9GbzuTr%^fefJxQ!6GBAg`&$lmFuI z+XSQbyEc~LUrgiMHEjvib~iH^ISk7)XPzT;RCx*Qvx6MZIntNzw3T1IWBjPWyELjkH5MRVPq4yJj&ODB8{x{~s;Afo-x)W6xWMw+t!;VMjV7sEo@bY&GSn~fz_s`M2gG_*`KYSvt7T6|BQ z3)zM$py+FKa03P>@mWX&Yl86cBGGY;h+qn2%WmKN87rFiP3ThkDaK=-uB#OZYDdZJ 
zTd4IIKo{27E8&l&HZ?Kv@xGX4El_ACau{~FKh5OrSlPDJ){||6gt&;L0QOATIWa~u59!yFpvti?9qk}1czWSRRtx4&ab)0@dh zvZAzFizTYIwO3xT=R)TlVtl$~N;xCCd(%5Y65Oo8NyUYqY0|eeRK07I-H`e327@Y} z#4g&IQO`I(s6B82Gyp(g)nm7L(Kj8*$7!|YOjmJ^mtPFmVpXqfkUPXa=0$Qg#^>3Z zQSb^#BHQ4q5ougIR@t~&i}uP523=NjE#ses%yVC6QovX+Y5P~&j1EV>VXyG0R8e#p zIiDDs^qH7n?mMs`_2QA!oI&+#9LD*S{cJf)^2LT?YxYr0 zTF_os#Ip)?Ms=*L^n+`Wiq>BP5uGXbN7vb8u=Ta+G15s>#nu*jTT(MuN|JcTv(l*+ zOZ=NPjcbTmS2*T;kJJ5VWVGe7>ZHi)%?X?jL1uR>iDf?6sATh&=r<&ZLjF~`wOt)1 zpFXgWvcR?3^+AKQqp>?}VFUvycy7}rN=!n0z?s*#gkXHP|1Gej3H@o{QOd@&JKPAccYZ_?113jC)vF&DtPg`%A zyH9xoOzGchTUyxIu)7&E=M$$`-xY0uO6I|?kb#wcO8<}hfE=_cA=CKePr(2cUbIx z9>R}{n{k%h>cCH8@SSv7NAuzX3z6lSzILNxfro?om(6epUC|_p#h?B3Z8Z22@!;46 zjY4FL>oaG$THHZoA2!wjqO@X;}}XP7d8OT8a{BZdT98?J$g6v%ux>J0tJo6QUCk%=dS#x6QS>;}96)m6&e@VBS0ogHY;E zK4hV8DyN0s1nAaiFRtaZ0qqAXyKn>M_#{U@7L#&U0Ucv*S`DWU)7O&&1(ZZ86%Nam za!HPl9=VU$aIBRCc}8h;7<;^Ux?(ra+ z{W?pl;@$^kt}>+CTif0DQJ%=-Zp9hP$1DyH;MQUPv&3uRX)-yp+C=VTea2j?YG_fs z*iR?D5iAppt74drV;ecOaC%2Q zG!wNEIIPJq@R=>gBXcZ4Aqi+Vu?PV4e+z*w|bQ+jc;aZn&iP@oBIP4&AJr6cG~E-B^4TP2x!Q$djY6n^5DKp@#~OTIz`V)Kx92W zUWKP+wQZTGNi^JUFtQQkqbf?RtDbBX8u1uzFnfw|5V!@T7HrH&wO@GP{GEcX&$>mg zmzGkSzEd<5780L>PZVLZ^sV}+pB;j#qRC4}@Wku&KGG`onmq8l9wsR5#0Z({FNiD}QR{rHOE%j$c)o zCnfwT1dhHcBer*rPt&27cuGzSejI7|tCsq$E;nuKz@*0S#?pyRDzbB2XRA!nPo_F5 zO+m-X6dnx%GL>o}Dqqy#+0OmD9qEK*M&mEKsdjdRF-D7fS;u+i)V8o5EyWw?k}8k* zc$E_E4oW2!(!W>4q+MxX%_x)Yq%A3R)$RgH!1k{+3g|Zzz2rVZKMG;Q?ypc2a+!5f zQhS*UPhG@vzA2)%cP1zrSI#dhvQRZ{_#k;-4C%}iirNg_Z`#c$UHl<9h*dl*(!hnx z`%w3YZt{H?TtLr0!TD-;h7L}d+tjkscs!{~;==Qw?_uxmj%pPQ#U9WiSoL^t8CoI& z82|;_j&@+SBy6d`f3qSj+<1o9)^x?7!_I@J4k}gFZM=Q9@P1M2V~J>%$FTytjiLhc zpj)jkt(fqL+mpwT1=ue-6Lve7NllAT7YM$@$kNVeGD51TlUBwnU)|kyW*;{cSOD*n z9i{ejIbKQV`_RWC6VsSw&^_g#ul72o6MOS8{$jMA1GSREAUqRoATQSg@6XR7Xlaub z5q{|q_tX3HJf#+by?|ogqf$ej17=lKIAqH|oi}{;zbdCQl2f~P?_$X5<5{1a`{}{e zIZ-&bw)4Xf!+UHm=Jzlg|8!R)hjp#za4M@&XXrqW%&R&|Bd=1Y4)>{ao|$sBJwGP4 z8uIb%7c3AVGbK-Ccz@N!oL>};1x}upS9{0d&|A|Q%nLstwwWB520gfp#?7e;)fcE9 
z3b#}b*f@OAK89BaEZgy47iK};tTY`K;elMZ3e&KVDkn(J4(lt!zaoa?M`IsmT0W^? z6P$a=VE?`5-A6~LNqb%;?{>sxL4^M&E*46zw@%^cmF@(&^-elIAeEOsu5Xfbpu^5#6ou#x={SC_P9Xmw`qk<)q$ z#@uJaYC<=BcyBn+M@`E>ZrF7d#Ore?o{Blq0R0@B8AwD;2gq#CJk-i)pS2x5)B>H+ z+<*9FnwezCer1~46Z@IB&$e$@-}rMHWzX6}ZR?{f*MM^UPp;6AZfN*UB`F%h1CF%8Y-MYI$SC5O zPl=uO!x{&9h4f4WOe+jY!T~+<9cR|D%aa*Nu{sP^uT?r*50(1w4Cgi`wEdQ871@q5 z1AhYVL%yr~ZORiPkJ;v(6}^dm@mZRZ>9S)}u&mOZy)@97ZN%E~^qv%Mu zL5xEq)A=tKsE^YD&V_-^eQ+!dw8p>!qN$}ATV8I4jjsbq+eOA{OBZZjAc=k zeMSpcK{p5wly9jUHm{&eV-&Brp z{JKHQa}W_;q?eV$n}M;GL)=yuwKie7_58yH&z#|kbW6sPp9I$$!0?$>6N@g-`h@3KuO zwNi3+o78l7s7lFzK4-zX6Q)37hx8fS>~xYmmOPc}^c5 zIcArmS<^#h-p9RL0!B^3NA3@E79Bi(g56UeS@z;#ZXjD;eRcoxV1m+d=7Qf@eDQxKvF?v1-<6rS z+ycnutHQwT14;L_sba=UzWr;@p$EL%nO(--mFjwUc3b7u#z-NR?Sv9c5459Xd>972z;z7aXcFTv+ras zA;(#KqO31eKVH7g>+`y7W=)#^dXbwsO@L@*bjmX_^AFNA;CC)$ZNf6JUEoCjqV}*Y z*YA@D5(*B~A{BcJNDJelGNDZJxg(g^HY4ih!K@ZZ4AwNQOib1spDdV#bLwp-jJztU zGr)e#9@gDe3y=>Ftx9GDa@93{!MDW_A7ihP6Y-|Bela%x##^MZ2obX-#ZrkebD`WR zLB3H6&2nDK6P9bUW=l%5)En9UqHGEqc6^q+tK1lMD4t2uuYXt>_~j|Mtq}U2V{BQ& zf9V5w#u94?5XTVE1ZS?)m!fyxj{q-PE)!<{Sf(jH| zW>uwLhxiPCM(&d-$)u?;@#?lw>VosS7#hgOfOK-shVOQdM5C%-Z2T>}m#W2!fn`kj zkjGVXvQ=#kIS5gqk%%*V+MtMTNcYRYm~`-XLhq_OGoU{hh)WUl@rD+Tm#TX zH~F3Vbc1vM$~4z~AFg>?+%DhiDmp}U>KIAR{Js$>Q9Lf1 zSEQ?5>G;zb-6WiQ#oDp?u~B7uZOXj{7q7{qj6v_lF^nK&5fL;uKl(85|ZetR!zo= zFM$7cC37y(|6}3kbEu1UeflJ=MP9s8XxvWz5@5hv=M?ewEx~ot#41sK~(ne&Cof>7~&zd}YJQdJe* zTN>jwJeN{chk@r|dhitSs3HA4i3y?I80967gU?J%0r+#(_EvHc?ftuFlqqYQZP)#t+te^MuB^Zjx^tBZa!sF%`%5`W(bURwWOBZ7Telk~MrX+e- zC{uLKNc4ff>LeO~_xC$`%!#g>S{WlEK0dQ8$^pI##X!zP>W8S?_PPpM)siQtQd4xQ z!p`j(SFb7pxw;Hhk16R9B0E@DO-wl*MVYdYPq~L%QCbTvQ?|pBDEJ_Kyo!- z9R?wCBya1~Xjxy+WgCfiQi^L9&6b_Vl%>)=(J>X&n6WN=&#R+0S(RHxF~$^w#BgZy z@LJn^)H`1;LLiCVcs-)7=OIVm_viBUTQ_ZBneWSf!PcMxi6yFhqHwwJspL>ayAxeW zAAMxz==3ol+!6TmOPBulpEflk8Wz+4?dBMUUCRdInFfGfm-$UnXlCgj*g6(HM~RQm zAf{TP1l?DqoIWQ5hRGv%Ni@QblUVK(JI?Wr*5vr~|3RJpE0|LMv$iPBEi`%_JIX%8 z`5bi|)R1X7&Btj;kRF+w*RMITYzfR&Fg+vF#LZRE`8k>X2k7>7=f4|w%AIunx43L4 
z-9K#EPC8kS=f&XvaqNV>kp7Zb4$G@E4ft;q8~J929#uhd_pA)hEeyNCIlj(NS$oLaJ7zji1jZ?nf>%T zX4%lDhC-;=;_w#|U7hrBr?sT;YEx|331b6Cu+vDVFw)i>&d7ui&;9 zouXri_zYWY)%_(e?ZCPu*?>|*xd5+7x%_#mhAm_K>g@qfD0mb;IolB#I+j~LTBL=_ zh5O7R7NCFruntV@CvWK#QbRo2wP0R1z?96o21<%RUVSs|8N z1pFd{x>(7JQU+5v_b%He-uxGU(Itnvnc>OT$THsqcEe%Ey4LS5KR27UmU+)>% z{6qoaON!Dw%=DtIIJXFb{ZytU8fHHhX(t^H>Agq8ee`n0z> zxnXNsleBhRV+fSF6l_g;CU%b&jY$!VC6*a1*;U=02Q>c$zKJEg+;pp%Z8~f(q_DP{ zj+fP{_80)1!V-quUE<2e)#QmUaE<*QJ{2j1Ie1+dEIV~H->%PyZIc=1XG(-$C!VGi zGAi8l9rOTXywObs4z!v@_(9z^eLpC84uT&7g z{|Ct^;ampH;@zPoJ)725VD z`co#c-RBdMdAF2SM)E(~rL@@M6F*JHiq)Ox(um1wOXi5^X$w~z<3S_O?Y{Du4^WkQ zH+QwjaQxs630bJF3{sbjFsb`F&vfl4RhaF1)q!Bpl^KqdnyN&3HZ~*2d#aj%V$Ko^+t5Wf9 zZWWSi5#7j68bu?zW)9A=G^-Rbf{nMD#1rf=xZluo_!@nA=c(8$Ce7n-K)R}!#J5GZ$&uC>c@KX>{18Jef7Bc z^~-4qP_=a@hNx^+b7lt!w=joP4LGcs@HX~9*3ltc}u?EA>EUyG%Xt& zIyY1FyFV|PngFx^v>SM2<87DHn~f*b%Of3Ho-jxduP@Z;{=FWi`V&mSmLSPUJ2d@J z9-?25p&)7*0@J)U_MT_kfAZxz%4qsninrS0OA?Vq`pVD^Ht3?`-L{@R@A?_v!(OUU ziVbi%Z^X?qAAKe+7o+e9QXun%r>_;MW%#ZbyFCi$l+*3)dj zV?h8dZa$3@%ZRQXD0&^}|1^Q_4$Zzv8>-WtqtW$ac~ic}CZQIW^w>geBu~HHcjQ07 zKU^PNNDGhC)?OBClh%*^kv4e{utwF2D;jyZWhU5Z&_MbVJ*;Zhdh(C6?Q3F97M0Jf z+@nlIB$O)Nu2!UT5Ci$Uvcx;(L2f z$evFx_c%Cg$Z*)Ms8DcLQZ#`fbK7jkKLo)pIg_|VREqa8ANB}rl{px&L&eNLE093pf8LadF3jX|Q8ah_7K-PuUG7w2gcfGgOQQ;Ynsv#o77SZz;pt ztZ&AO1>4;5IesMFZ656g`fkzZdrdRO9L>Uni2lWas{3JZvCr|a{1VkluLy9nn?Y{E zyW*nof;POz{ayS(M4nDQtGl1^XQFZL7z77|NJM9MGU9WgXcIYJ1c=0-w?{j+j$EyL zjr_!q;1y6Jb>vROt;2?7{oCzZ4+@mU7FA*6tKS$MC$E|A&NzfwX0CDOf_@U~wf^Eg z$YN*z0zr>_Sd&~o!@W6&@dyA0LOX4tE{V<|chZU-nLpzz3kEN3(<_If6R9InGWMx6 zi}LOrm<_QppX*n6d(RC*vFin1rE3ffHm$Z-a#tS`llXiaS(MU7jlI11yiw7JHNC20 zk`Dg9*xk0LK|B>1>0 zx>=Nvy2y~k;XMV`vgjhi#Z(RG2vDMQbrAG(3pMZMtWx>I?uDlMB3#c~$!E(-Vr_qi z?=_2y$(ZJh-nZIJ-o#exMhx^n9=D-Qij|ezP!0s|SGxGlk}hp_%r%&&(Q$!dT?fAH zt~5#AS@iAnq)J0*tMe!c0-Y2!D1S+0q&CLGdv`$U0Brbk8q2%>)#4g%g6H=KiGN7S zeE?xwi1WNvZzQLDR}+z5xM37JQ`N6`kxLO+8|UN4eZdrPiLRE5)4Td)+bh*wcn|~Y z&KG(YiX>^fp4{m?E|(xe`gSn~Zea{8ox1qzUy@*BVrh#5L4+X?3mi=Cjj^R9DYfB- 
zKJdDZbT?e|eagc4Gxbkpk(6X>yoY}jleOQ^Uy`YbNqw1inq+8Hisxa5h50E>0nf_9rfvE z?<7U4l@57pEzRz85D>V|3e@Ag3ZHgy{_3GmuQIJ=>hZdj>LJ3P;SJH;1xIFd(vqP zd@dXg;3B3~r^`Iz=f^pU=HE^JQopu8Q!I;;h1Xy+#lZL9xlypeAO~hGcDN1h2Ojr^ zSCR#06X#){Iq6LKd)u^am-(GuFLW93$(3T7=c~p#>ZiISWVgP|FZxb(+k}RS))fp< zc>fV3h&SzOmM`_Nm*B9$BJJL288PhKrDDJJnlsuU;rv{+tGfnWZZKs#{GUiuN|2qknGPJOTN)5i}RP=u&SJ>1HGD-O1lA z?}&O|4P1f|`zs;&-3dv$*JQkI@6yny&%z%!oR=>N{s| z4tq|b_^R9s`_0*U&L)=d@1$ej+6;0Ml0(M#M@M?9Yyh9ntR>w@Ei4z>J1M8;w@KsL5aIm#t0~hJ)U$y@fcEzG(}c&w$JfpkVcTTyv70}4 z4|8%#m_Va`;S%}lxLIP1&ygudD+0rAwOdL`BQ?GEPyab^xP`o#Y(LTz0BWNl1s8U7G;M`$k*CfVc#FWZd5d2fsv7FR!B#Y z(y@m9;ODO4cxYkyF5lRyY3 z8@`v--g{(<_z9)`#K@0AQBRwkx^0kqmxq4gO3{_Yl?8L0PyW6%66Nf$1Wql{+?`{> zX4`aFh2ZULzn@u>RkfVAMv)gKJ8h778A)5_ChCl0koEDBnBm>nI4=kt|P3MB(n*Da85~M5$)ux|G#%R^^M{ zO(Y52*dJiWNA%>YM4($F)kssj5ph_p-eNdBKQ6@pA87D}?d}4HvKe~th5%HQZ62&KQYz>MVa9`<#d|`APpgJpg zU>O_|hm4V$=ntugLLD78hE3lY$K@qKWXJjC^pPA2rS#gC!8;Nq9USxrtU(!%RK~6a zQ~YJD+>Abftq{SIt8PK2Yq9=FV=KHHVqBwFPfV}$G%4cR9b#Df+%et_9Jvw8g<`}; z8MPj?cl7q?9R2_=(%`6k+jFF&h9u$xcWI3}D$w%IyUF;!uOi2^qh31ls%yFnD*a2SE}?EZ7^PjB z%Ksy~Ky1Q4!&)VjY%D5Gs(+o``tGDDzU5zfwaq^vRo=}Jk%N@Uk%(M>Ayj$BGLl<5 z%)@Y}W@ks1u@sb7$$paUl0;pBuE(kzt_Z1u$a4nozg9o;?q!y`{LQQ;rk9{!M2Pt= zubrfBl0*hcHzPfXG1_$+DYukgLH5w{r-0IyO<5#qyw1TR2>=bP>ms{~gtz11)+@OlhAqzV$;A)XU zS_)*5&>?w>yQefHlUV(;mgBIQ-N_F!OKQJPJMMiXbijmKny9OvndWz5(ex79UaI-M z-JMGK_!Dq1IP+EI>lZTgt-&`g`URe~p5X+D5|&W*23j9M_dH}s;Jo80&MT8;$c@pg zqrk{}8lgtu7t*1p5B^WYpgYQ=8~w1z#h}7iZvT?^R8TY~&y{P83Nqo>OG$lsPjyg* z9euSEr*dNpjt6#=z8c!2y zf64uhrm-~K6O&i9R=YsIFC$q|&BdtCZw>da1=g;*BE*BrsxD(%^-?e{P-gFpg{tT7 z#GGntCZ*8DWY^3uA4*{U+T^x<`twQ&tv)stD!YQDU)~_)kbHxpbVj?5A8aXigIp!2 ztpr~~lzMjVe+9w-M|_f9H6h;GwjeaMJ}FLe0k@3bAu^pfC5FLfDR}HerJ#O8FH0s{ zl5dFAjM{s<(#FK8;*D@dsh4C)CKZ#X2)^HBhxYdwm{|tNmef9yQaED)Z^qom_&t9s zI(N%)%gu2UaQ3P8Q2dc%*R=#Qr=(Oqabm6%LDg-0!<)FQK9CA8cCXRm{Pc?ZI8((m z+buUQ4M?>DcKy*&JJBe)R1G5%Zy-rxeS&Gj%vU&Eey0370I{84T}!qH@?D&nm^TMr z^-YnjeYU+}BIso8PwO(EWS#jO=3L)*7=+fsq3t3&7 
zvAkHo3Z#Tg@NGB_o>-n;N#viR1X(`3zc9E!zjZa1)$(^2;Xf3-BP=gR59`O@vl8+~ zlFKGegx)2{lz$A8)P28RmC=w4F}1a9XvC})dkAvVRqMV5&?ndzM{oS?L|bOdN;n|B zwbCcm;?_3R%Pp#B;C`$Z>AbCJrF<~E77OCK?|q%}4_EP@z1(R)@wrl5yBQmlP2SRF zeAn6g#T!pe_uEz!U03Rw5j&mZIaD$s*Pgx!%>>h5twN4D&evJ)n~a`6`rmvgGzEag z%DOz4Kl>*-jlbaX_s6|s4*y0$1Tms%W;#|26YL<}7Q7}kGW#%*)1S`$Iou%Fkju$Z zCXNv7;vdaTN7SQwLW>rF$vwLoXcosz5`8>k!K*%ixqov<__|Tqt|uH!2O`dm_iSYt z7t0Ql7rgSDZvGJR$nQ>N6eBd&e1q?3923zdf~w6yhrU2w?Lu26SL5sqWG-ab%k){= zK!j%hQ)Ld!EsfCy!U`a4jyDOsn<{Rhqibss!gHigfo4;r3Q4GG z-|(GF0*@)3CPcnaBy)1cq&eatEpmuJo&=i>xHXZew;Ci(OCBZLXQ+bl%L&i99J11${M2S#Q}Iz7hlL~#=i3}epp@Q1DdoEPlnfQlkkiB`+_OD9prGYL;AST8WCW@vk4b%EgdX<84}$1yF5Q zXNq?BRNrQ+1TjsC64Gizb&;*cu*`_K4_#%5e#JD~f=N7o5i;)vL^o%&#-_%kD&h*; z!pw>EYyDrDDjg9XrDU9FzC|7`1V>}5cZ9w^o|UEKokF8CEtoT$eLL{0lM~11+4rK$c_ew5#Cl7>CS;)4-?jWje40|EB0ukJNqmW z{i(lK+g$9TwhGmD74{94mRKl8bqesDmIJx#WN=NikY{YWRC(A~0 z0-foyz>#w3#wX$!p`y27_~h^d!;z+KwauZ;W6K!KrPoNA@%ABll-Q5sCEe-kk2Ria zh}Q*&N~r;D;Ghf@Aop4bnLcr}Rs@@&9Jur0EF?UtyC~%Q-2`qP#`}r551jp(Bx$qi zW&pgdq6~(+;|GBaKKs0)2 zh)4~|&}AxgQ^Y2tl-Z@0HjS?Mho(&i1D7lAo9lj4Y&VP+8s#(FTlo4aep?eyZ+A!S zrP|JmE4$EyY)E`EbxGw=b>~-YRxM`~ZGj0Mk9=xCDFc1KeNR%o`W&$~CMNr?Qb1R< zS5u#s2vDv`ecX(m=Ul3%aIolKLkmEXONmyn0n$CMHFNHbJx;vi&RuZM5S?sI0EOPG z)`s9Vp-!E37}~0Ri(#FNG6-2Dji#)$ka_{nr^yPZpZtAlXG{R=Sop5ZX4poAQTv

5BUyk@{wH8hARqJ$~BShHK@)osWI`=y))kV^Q9p8CXGl_CM2-@ zFW;a=%XRs~;E^Pl!?Wj5sD*5(lkqtG1M7Px)aV#hNO_}0v@4lZj%qNqR)fxmdwGb4 zK%uu~O03ifw-EAn)4z#je=JDX^lMwIg>vGNHU6n=TkG%`A@RR*qJ>3+QuKS{ur>FB z{ZfzARBlZTdPaXiay9~D?QG!8$DK?=cCOacV0AMxV$C$eEcF-|8PCD$^w$rg~b!^+VlNsB#ZQHhO>twCu0VQJY6#Pg~te)&$5JHzsI%eynLqlWl!hy+#N+}dI; znq(~%DAKZ4u~-Yw()xH*AB7d~9lZ#(Bf@YF$YGIUp#p3)ZF}c(VhjL&bnFWvVu)SW zW<2vSex%%6%yZl>fjpitT6Y;IW4^i38J+Rf*KNFV4rp+BTbb=dFIlYhDJ5Tn$2SJKm`63Oh7b$V4 ziFer`FxZi{a9uuVY5f7p!4ta(Is$9Fm4}}qvl+&&5e3_M8HW`>NHR23dZbB>l&F~Z1$23Iaul^#Ak<>9qH0s0HjY=#) zU<^6)i1v$Yt08J(uARY)6Rc(+Sgr+8ZvX{kQseKi5!+omhDm)Hk+td=sXD&Cf+!Q0 z)Z>-ue1acBi?J2=S&dE2+xw9_#po8Kl3GFyC6&&3@9|pqHpB#x^jFx&n!*{2#!$vc za|(MO_6aazfg=Q!tl2`?EcD!pq`FHoeHfkn7SeuFR^88~Y!Enz;-76lW)kYQJ`8fv z_A+0z=x^cId25T1*T>d6l$$LRqI$lef;Y3)$AMYbwb>@>xDZ(qdtVqF5mEkRAwn?}=fUEf>IJ{E zcmDN|W?|O6{Z_xb#6Q4ZcO^7FQsH>olGJWET3pYNtQVN5@_^g3pp-K|5yrhu5YOGc zQ{0xE1rB3mjyp!U%qz*%m>c%WS+g06!ny(zTih03!sX8ppfXj}1e9f5yOR!*pLp9FfEKeoD23D3SAg`S9j+PPG`rsf^-mJJJwHx! z@O^NJi8UofNaxtXd^C0+F}D*F1|NB?#4Yr|o^Tdyq8rJ?MB0>nMw$rkniaO>3ado+ zFz=+KBiu9MXn9yUjxO#2TSQ!PU{PL35A*w@r@BjTnyGV(O7uH}1r(Qfp!A}t3Dl#s zE=v9uwEOshu^cx$mHroq>0IpOw zpKJPiUo5p#EkUaaaM)2~>*qJNZ>nsrX>&|5lcM~na@_qJf{cP2fwdKw{alNuSiCp4 zKe%nlcck(OZWXW$!KUeJ{YU#BJ(`~xEH)(lo-;J5!bN|Z&MvmjI^j496;4-zWmKXk z!qxHB_B3jkOzkOB9QO0}XR&nGvP4hBZlp_gSL7oNi3pDD-a0MGs%O27LeMUir*XXG z+8}7ovyzKl+nH0&h*U<(VSv#P5Fl{%wp&v-S{Fd4lO9|^*22OLA>fAj6|1Q+3mZ&1 zCCo8dsDa%**iRS#YLWkd8^`rQksWTbr;7*|#ho21RoNR|BtQ$3+XtP$St6e&CDJy-Q)smy8P0a=< z`K&$47?U$q2OsBL=5nv%OklK}f0!1vz}iwHf5`CUGDuhdN#9x(@vP8cQO%Mvn~E34 zK5wsRLcEHZZ!rK&6Chr}!J59?y-ZET} z2Bgl63`eLb8sjeek`pOaQaG68pgLTc~gi4}Mw9OE*QZ2+Q%lI_o%q1j`OesyC1|dBqh`IwO6~zjP#`m#}B`bKLb}g9w6bft{E? 
z_t+SrX9Sny7$8_`Ba9|1ErOfI(LspYv|zIA>mQOLpw2ebh@6;*U0+d4s<{45;nspE z%suprOZvnHGL!uHq-OG}Ns54NIyfF-mXlIfGt;XDgJN@CC%))0Sz8YE;U4Bz% zm%9N0>o)o)Jf|*rIu51K=F*2|K#T9_tvtyRf z@<`G~n+yShdiQM|wt6{I-TCT_2Zg{3zE`aFYF_PbV9!(cKr9qPFf^>dUhl!aj4)8Q zLX^wZ_t?REgO&tT)!`?G))+a$M3U(jwG$<^p&}IU)DKWqVUK{ZW4wDjU(PVx>YK5# zIW+!C=4OBfd!b*gEy!QL$ zc3d=35)0p6L|Pcj02MqSb)13(a48=2IO>4`{Qff~Ghq-8r#wDF=#dCNh&j~BY$gy) zp}J|kIz3=Rh37JqJC8+$Hf%$n4ngORj-4j^mM6>sVN1pFs04s>Rd!q2#DyTs5OUk{YG5p}6V@+NXerQ;*r@qwri^ z1O&V&K&$OdWN}B&+IZPW!2)7z-;hE{d`R&Yd*^l>jqhjp#YKRBVTUB$rvA+9vg!} z4fWxChsu%+>XHuPkd_r32ZISc@m}-B5BuE^APnsLT)_j>nx?~HrWQ^4lpHWcoyMZQ z0*%TWS|+5^D27*(_)$1Yekq5kZv+je>QNYaTV7QeJRuB$AzvOzmnJg9tS#ME^Mq> z!SqrKMBAOmSPuLMf51SVD2-u|lg50Lbv=vp5i7zxcrW5>>5mePnjfrzE6QfiFvjG! z!eb6EMa39U)GcmbtYjpv37#InmHf`ud+l2NF?6(9G<C5ZR@Qpwf2l$OE-+ad+KkWh$1E5(FD3ipv_E987nso35;}>kh95EMpHhjTV;bWgHZD$lWit7P2C0A<2$ReEAP6j zXj@JqK)A%}H`RTe@UTa)$FNvdp2D=lW4}AUpO*)>twSA+?}1u~!*%v)fXjydDzD2F zkD!5)?_FvT)pm8Hma6+LoC!9pb?Hc|` zfe?3IP1&TC3K}ot6mb9@gEV}SFasockPuh>26u@qsbULhM(W(eEI<4rVtwz)vD^xa zX|?gLpqYd6SzcK#@p(++uP;EZR1Z=Qr>qf(Jm6+f1D{xTEw7r+k<5leo*XPewOaX- z(j)cbm~7%zAqy_Hc8Ula3&taTI&mp6tS$bJh7l#&DZ3TG=ytKIx^GwdCR2QEejwcI z41LH|YHnoJlP!cE55%GwifGG%>mxQpQQSz>K*S4vnixO``(g%(&PfZ5)LE^H`iS$5zplgqb2D%nv(NZp zDwp}@sPc^e8x;c*gOgClCm6XQ$qYAd^<7^jPlpDx3^yNjZx)-GBP1ucW?d@sLlJ|?JM?dS_L~Z6xg-SQvVMX{awV%1=w8XWwi7g$Ujg1AI&B49{<%F z`?e*Pe+B11ihSIBwQ`rJ3aPd{_k)9y`r~$$SS^Lno3}p zEm4B#QpxUVd9@>4m!7*JP6tr36^+-}`(_cgv~bFFk4l4HVX`H_*9J}fpH;yNegzRe zAPR&B1}NPT*Z0*uvhFP?M(&|UYv~iChq!NRyLyj+-5%7?QksQ#M0m_!Mq=50fSYlh zZ7hu$g+pHKk9!SG`P5*X`~iG-0WFLBe|Grk6mja!p>~4pQyaS|tI{;6V)*9>QCoLTt}~tsNxQUxIJ_gxSQCq-9+7cGH%+8#EZa{S2ch~(clE4Edv*eN*)pf-5C6zLa z#Qs%@u`AYEtWU{64BVZK`J<65=jtVInIp!ajt+U$iyO|94UOP6*#1>-FR3_~JD$KJ zUwB-QHbC-22SjM5zP_;U3we?Lmu6jlByxL`a;^w^;e0m#cMSTr)ipD>njZ`&NlcsLcJaO1G_#GNePSLkuSv* z2w3WPc#EUJKr`zAdLj;ZqEy$=6qk|_}#@bn}zv{2>_E^F|={Stgm?Jz4NX{vCyu0Ju3`DFn?zCDCTG590XSx6vY;5z5<#{tS=I7>6a>IRk= 
z8x0fQVgxBCbD>47CF)=vB%(^*!bA=j;qh~74VUjCZN_~ObVrdlE(o=NHRp= z#sVG&&J#X86&26YfwUkbUqT-y8M)?1P{ll85$y3U+Gcz`1-}6~TIzO-h3$NT_yEqsuC$mGUl9uN(ncU zUAZx>5_(#SPEG8lSsblMy~LD!^eI`JS0BcjbSSAkL(acom1oSh6ZMl&!mdo9fjWOd z{ExoP1XM0g@fgEs&wyxWkg?x6Hr^3^Sk+|-(@u_V=9mWGP?%h%lR6Dbj}hyr{z-RB zUw}xH|L|WL9ik3Bki}?Gzi<{b`D)wW5U8?GrV&54$ja3+hOC*~7*Q=m1>z&yLu9@1 zJh2yWhbS0Hi}(4{`M%E;eWvLqw(LVxGDpZJ8~Pe#N(ss>V2c&QP0Ra{R@53_KalP$ zVk*`MtR()L%}b!4Rs8~}1OWu`Hh9PW|0vJErho6VbYc&@b~3A5>nzSd1J5jYsRB^GjmEN8GOYL;CX|&A z$6Fy61gN^B-Qo~Kg(h8mK}9KMlC@VE7TCyxK@FmIIqG@v*x{rM7%4;OP@ehE2th z7k)hyZeCf2k+XW8`Qu;S(P>OQdcXF^>CXWRb)3keM_q5te892_cmW$y4^E+0*w3Lz zmLC6L<$+AR-4t?Rs~y6QTcqM$J$WRPZnroz(b6<0+>P17*7*``XJZh5mk>I!K*)sy zSGbve=idge8uz_X6@d4lY3a|w|jH(P{E5JwFXBn49LcPOj65Nn%~z!B6H zY}X{^nB!_l)jQ8%bkxGo@__w~#|iwYeLJEbX)y*t2CVjJq|G2Qd%hOJ}6ab_-L zkA&HVc$^TE?a{X$YmUW;aLd9&Vn1g)ki)W8^rC5rV;Ej46RP0i5TUFwBMBdU+Z?H> zFf)AYstOdL;LNrB_TofY0eSI@;o9tMNCn?q>81twp8-Muh9n+lh{oe4T|wczP)I!L z#a~5`xeBt2XZtS!g(Ysxg}Wf6Q>$@`(AaM51eU_|w)|QG^cd4>@VLHz^P*}Mhe?Ri zwkx?P7}B9Fn9Dil?b8*>w8Uf;N{La`rD3cSgJfcjwVM$1#36|D#RtbPRxYuPpQrfi zV25)_hIMRuFP_)hT)6C{LL#Ryq)mQObm41M^!p;gj#qu*N#i2Y?17bumVLujep!$t9n!b%yRg8A#&$tu*@QJ8yjgA3(Te=pB-1@K)sDR?c&$TK-ig_mW32Pd?< zeq$z8%{lb?--`?Y5;(9mmp&$OFfD}qh_Mc~LGUcQ5m4XNO{K~xZ{*uH-Tuod(}wSR z7_!Nh`FN<_Ra~N7dSsczGp$CYO2-gWP0!H<&-eG{%PAgz!`rf-JfVr}j-zg-1Ejihc(r=xNCrQX7A!R3d&S-SM=WMc6<_~S5vmPHdIpP9lp6W3XDh}4v!)z^r^&Vw#-IytBp{^5~$v68Fh8YZykjMok5SH@> z!h^qz{0nsk{Bfp{Od5usHySKigyy%42C_|(z#TIhq8+NELx32`dJR{p&5wzz-9AM~B zPe0+D)85p9PZ5Ps7;Q|@#>lK1HGNZtqB+EK-##bowIcJT$-kDo+Mgq7o6rv;3sySG zG!Wk9W4vmHC)p=9*yjBsjWsbMr`C!dE;QNo;eI-2%ph-vqOp%%9zAc!r<`52FZH+* zg}ES%h(oRtT<}kV1mUah-*1)we)QwK2K{*GE4&hw%92OAJ3f*~r6-w{^s;Kx&=fTX z`2?~ZULKj=t)k%mP8Rg|XC^veh=796i$|Ju&RI(<>g7N^&$yno>DkUdEFx(bgP4QV zcdrr2ed7Vl^1tYpD;`X7lTXY_pUR&Hj6}PGOZxhz@_XvV4bzmFXZ`{j^kX-4NCloM z?QCx*-&Ideq^p^UzbA@ptYFmcBermNT=e&{GYLEjb!9*ANUHxARiL-;qq4^l>mx8W z6dKjvtw2Rpjt^Fc7B`g7OvUfQvB6a>FNx~8h8=Wg2IuS`{5Y1Qic71nB 
z7GWvQZ-{nqDo;<`ozIdoYG7$w5BL?FZm(cU{A^&E9NxbgCG(uW{TB;BL)|T9MT1)c zBT+o@FT$zNItBLHUSUj@XK+AlLHL-;yL)u#n@H^xbs9r^tAq&I&wA=w5alK2PJo7}W;7(I)4G>mw@xwH|~Zk5fST&a~SSTl3;XOzP*{K9yfI$*_e zoao47lQ_@oz&1Kem{ye#-n0M1MrjG$e=+;Hw(PQ2ytrl1NnIB+qGS*E)OsB8M`{B? z`|a0no}5PB07+)T5ojN1;@t8y|Gkju-gY{Jdm#zYC6UE-W6>nE2O;He?Pq04rT+l! zf!1oKjLd4y8k3h?5@!qF6mLF!7N+kOs-NW%h^XhSzA{$0A}RGKnM*@-s4=`g4U;xFTbtQ%qne^+kWxba5H*ph$CwyS+6w;>q^-j<3V(hhT z;>yl4<8uT#V`m?pnq}`V6-g9=kw(*#@Cpg&hmmedUUX1yfoksR<`#S%n1$O zG?u{Q8^U$xk)1-_es5$>dg=exL~ckw=Q6-}JEq0{wPpn0*U0oo3ygyN1;Y-gyO;>b zLsvGtFXNjO@IZl7FD86>gDoLWh~FpoG% z#vs@w{J*!&FN6uu_4%HdR$lkM87kGpC6_{G?(#gEIl0CiZ|Jy|O=M&@#yrlfGrfN( z{w2JOlfPDFu5+pT`0!Zs8Ucb+f)OPq3nXZ^LJY|M{zpm>_(*iYW8H(5bsCoPd8o74 zkDrLb1{KNl-CyJpdnL8dx7I9VreJZOptCE~ODr++hLjoI_J_&BA%SwCPpL%VeN#X6 zIsoP9Ub=g@nDCGJ5JDktK4q9Os2;hxTF0T7f!X4+Xi$wbima_QX$8sert~Yv-NtP` zG8X!Mbo>4$?F7ow934{F=ep8{z=cxPcFTj$?7M3|`vFQzH;0+AQv#kkRd^g13Ciey ze+Ax>MJ#HX!Tt1b+RQ~Bu1WgJYI_y!bZU?hH4bx9Nu)Q*@`@m61!Z?(vesGDj3?fl_X~tCBwsB?h(Tp;#)8Oypc}Gc0ZGV&Sv)N8 zE&073Ka@C~6pXp1oU_dhP(vw4fSx*8QQf5S7L{&qY>p8d9((4`;!1IDHEk;|37+2_ z!cAl&R|!4Z4tNpS7At1}6vZwK$L4+Vy(8~GXW6o1{pZFjO48*<%Jm0wz0)QmT(r7q zXBO8^2t_;g-dmRq{i`^jCMedXEy!s;ZD35B0sreKtEpRHm|gW3rXlL z(n$Xe^j*U50wYq_f8zYt1oGjb^RYGI;h$}O&141l%Fb)F^7Vz?d=H=>Q#JVS*)ReO zq;>OMJ)K*MG%;zN^mK!u1t$j8U=Yp@C>YH1vs)SUyNA$h9zt&{F^LaR} zcDS#bz6^lo1)50NbZm1BxJnJwumcj1p_S^)VMrSnUfE_nTWJHLP%7`PC<4`x^GPd} zBuGBkrt&9v%(3MXG{Y#(|1zkE^QHzL<~i$LEKQJiG3UL5A0DDZjUVTYI`o}8mRIBS zUg6FFO}JK>TLB2iIxK$_;2lDeZgD8vMPJ!nAQhQ4R(l;L3;U)9a2f(XUTz88C~CBS zLhN_|YH;{$Rr+>`tPcifpNw|mI0l+sw#gA^GWs5FuM?042mXrg)7K&2Z^kbn;{wZ2 z3c6odeKu5dDm{vCsqXqov42UHa_aM{F916Z0kuYu?%;?maq1-?23zfgeF1)vKPYk`Su z>~MR~*{oodX|y9$t2gKx^ihI>g?Bxom8;WHpJnpX^V2H=K$pT) z&RFjZ_9d1>p(`u zb-iOIwI4&#Uvf3`dsyf~u~XHodvZ%@V4?jp7CF&{u+%>458Mp_+5;cnTqVE&mY`0&XZz! 
zR>~6C2_2p64klFV_c1~f%B)~tdqEp;OLb^MdG$g_ASdDsAcE2JK%NFsHY%%n+_ z=H=4YnFeSQKL=z3Nj@6^yb2%jo(q=0v(K5q6NK(TD)&E6%E^hjejZ&GUKkMEF0dV8 zoA&`SeTVs=V_>Z$v^u`R97h?&6h_h|4j4Rw(4b%bZUOPECv7$o$K1;5w|Mtaon|50 zXfAL5>>7LvH>qQ2jNZcadGwf8UHT~)t68xo&-)$LygvG;2T(_=9p)p{>8xg-{;9R( zr?6w^C*N8IMUhOWW6a#mCeL@EATd_f5`>op`IpTgvD>dG%Rp{-MWuGl%O@}ShoVo1 zf@w+@F*IbZDf481?;HO66$s${t#O;kJMSQ$_dKVqKzQUqQKdtNWjzmM!t&yXlM%Id1@HBv)P7e%m}3onl{*1EK@=AukAfyu%qpx|8tfiy9WYH6pv0lUOZ|iLmamI~rqgMfZFw z)bT*X`f=Kh#<~Zct21Xuo5pzLHg8ywGnHDbM(!({Yt;1*(lpX6{+ow-mG*aVeZy&Y z5Hyy$3%Z}X8!iDeaZyK8(l*;fUaYv<())t76-O<9dp&H*kBo?}2kpnCS|8OV#q5W> zQn7EnhvaUnifT*0>may#%yH z0iCa9bF_l*_ImPVK4R)l))DHo}&;% zJHYV-^GMMcY%`$STgK4Be$_i`!fC3_ywmSs6@FQu`Nsz%(SWVcLOn>L1*gfBePx6` zenYmu7fr9QKu2LoP(Kc+Qc02bz+_m7(1^6{U-lb$*K$XB<@QaGiqj_7=e}OLt3C?4 z2jQj>S_4Pb-Nvfw%?!%_*d~OP4+kBKv}1{C$2sZ__e9jBfj<82`=OmppkLIM;5&bt z_={Xr{4=;znkD=v%MVx>2#Z4g@^qP2L$Std5iZyU2P`nI(|;UFWKNPzHI>OS#jnLu z5jW;E7bHg+|Hn3?X<4CnH_tPXRV!xtRT-hx5HrPn=Eptx@!5hT0p@OHIlUvNx#Z{N z*6P$TV59;fb7B6EGm98vXAiA{ce*SIt(7#K+>uwOp~Kbl5E!WltB+@@ZQh|1N#Cv? 
zj^$GGGpA=B0}u5(WcB^&A4zM?Gj&f;@Db$!I~SHKn-bdkM1C1JCkeM!Y7+!DP3jJf zS7>~xjf9&|tw9v|Am#vR*e_jDS}z9z+V*@tyr;C7YzUqiUCqh5Qi^GEWd#xK-?~{I#8W8@n$=qSzuP^=gKj#B5sF|A;&aiD?ZN=GS5yeLpD^)SA^Q z@-gz_qPbmZ`Yjlac>vjXw>jmYO&yZ+vRK1?0B;v`=4vIs{!AZnB84-LjllAZI|Jjv z#YA`tksyC>j{s@yEcUT6!?raWLL-}Tf&c3S%^!QHI|_e%K8>zInE&oRp~L245Gl!i z2I#UQi$5xzu&-=m5f9VO#tE%@RsP4vEG*gOC83plC-Kof*%pxU?8GnoS;4Xqr4g&Q z(n%fN%9War(Wc1w-YKEStAt+_SyDLY(_3)ds&Qn=AMI)e{+?4~B>vHKWbu{-n0TMTDU@~!aLy~)-;%+< zuBHp{gB57+=td{ThvRyog5cJ$q_Ksw(ra*T7BNFvrtuz3hk55xta-HUeJfB~CpNyG zxxFD)eUgsYh|rK8=}odMN{R_~nRQf2M=o(x-*-!R*T4)z^TU2a3-}1p&da?t;yBT3brZ$`rxR!QEF1M(o2C1PLhB zVE#o@UF$11^tD-#WYJbSr&9Eu6C3Mp<1qp~ITZRe(8%M6(>{hs7`~O$kyx0Ar6Gf+BFy+|3su6MK8YbyN1M6a35{jmk|Ye*Hg~W!&}>@LqOoKhNcsb(K8_EVbcNWCGim3hiXExaPU`Pp#GGIBbr!XH@g%J^!vG_(8F zW&Xg1m#4OF`6c^1mN6c3c7Cn~8f1q<<_%-*s2lMQyW!6qZR?AVO_}9!jLJFd0r7i{ z>)2jw^A>B&OcI1 zaQH=zPRhd>hvV;vb^ad6^U{-rCl4~6@C{qBz+=LpP|n*~lme$eLXbVD|ekG+*JoGh0F4 zHm(MCLQao_(#J&U%&HSBz^Fe%D?)Odq0iR}bt%sg0L&$9Bg)7>*63W;f$Q>B*~vXIz6vu)u0pos^4A077UmWHi3`;11Qr%gWsuRn zeG0-id&}IhkK%a)M8ggBfbR&c2=%VNJOE24&vyeyj~je?bf+UJt?w{u?aSB{xdeYx zNeWebG|668g5MfkOtl z`7zK`CHN*=lp13b!k*2wjJ2cK@@N6s`R(MA&j~$KmMWm+eVd>$L|$yc78S3tV0|U9} zwlo*HGu>@S><8hBTrVxgT1&W}VHoTlZreokWdUE79x(_V&O$`kjCBGVOi;TEK&AG8I68W4p zNh?qC<+o@0+f89xOjvWeE(Ol#HqM&O>l<|uz-Bg~VHL8Txi86b_cH$-Q(=Y{=BFaI zavq?pqBK5=jw!T2|GkdCpm;NFAAL$;d*_%FNWKHVH!qn&wapOdXo|J)w-kMyEQ_pW zpNXxhfkvet)4P>#KBf|1Ww8K*uth5ql2-mQeooI^;KgBP)lLJ>C(|G*#k?avB6@N^q{B??AF#TzE4x$q|-5F~n=mPv*tqK4nL z<)M6xsnu}UjwV+W0~f9ETox;5XV>_ipJUjMX{jE&I?8^f;xh;Hu?g;Ec zJuQ+LWsPU2T-UMclu+z6X%`l#te>jd1RIJ7?54BCi2lyI7_J>z?1a9UwqIg@qJR2s z@^m&|fd9dyHMjaXWjpc{Jqmis`Hc8uIuCy$AN}F9CE9Q7753`wQn@on|0QP@xGJX3I-#{Lf{HKMx@XN>eT!V8h z7#D%ZItmYXW>)@dqj!N5?#tmY6?s%dpcejbOj>7gFm2KnqNU^SA*sN8K;n?m7wrVW43E!GE` z(#*6o3s!>#09^e`Ldq!$TDC^bEjs*qTiCx_U(uC7q{809lF;IkU2DbB#(jZG{X17_|!7J&UegxleVKXmft_){DqlRcUqe5u8hMLvhocFssD7< zV%YN^Mt1j_{dqsx9ZH_VD$FrSo?AW7yWRuK2x)vC6_WSKOk$8&sQgX4J 
z776c7jF#j^r_t$u*@56q>=Z>>D13OE`Zp&Ya7SJrf3j6alYC!B0VW`~}p))r7^r}O1DV3MO z0nw8Vg9>@F;PPJ{4g`p)IbM8^UBs-U3A^*S0jPI-_JzYFoUaqzDN1ClRW7ix(!|>` zu?uJ9*m5p^i8f%kcS65J8wbJsB$Yl(4dq<1yH2{-pGKG5Te(Fo%-%f5@iM;|yyry1 zM1IFi@kQg~>3;vt4GOK)1&kV+;~Sc@1sxoWPfkwW4oMn=D&R`OOPWoTEjWX>&*5aK zzG8_el0-OpMX;Q1d${%q7)xunb2{u?dOn0ZpXQrqr+Ch*gNWVqU?*qsur8m5ii%Gm z4mB0&COY5P`oWET4UD)~-*^VSf_53-LW(x^Vqv%LdZILAXpC*H$|K>SSzMf$bAGO@ ztludDXm-tsPmrLGCqb)TaVTq(T&NI1`h{yq@j%(jM72Pfdyg=4_iitNIHG(%kNCTz z{q=a5(4vGQWo;2fg$_JOnl&_+@uacz*Wd&q%z2G~+EGA`-r$7u`})C^Q+$F{ta*)g z0~_~i1IDB6>#FRk)Qaot5}};O)l_)Cvxrio(}n3XM)-o0>MWdMOItv{rUK>ll7$hb za=l%KNCSgpygA3wDt95ezLfB5(^zb)-ulJ^5ZnqVik(C{{O@TowcVs3R}1!U$%tah zl`J@&9h8t9scjP% z%2pvaQU7$vRENHATIC-Hx!N8DD#C*#R}@ONT>!Z^?GtTgv+r$@xmJ3##R~QB>c1U6 zx_3chEW=xs8%;UV$>hoZ@JtXI%ynDC_v2NNa8Q5*ha_R1nde+H$ShDcKnrDXGEf; zVw@s1mU70qBw-|pC^z(3mL^fom~8%4F_!=8YH-fP!rFL}ZS3V2a4LSq7D6cGq2|q>T&3D3tba9GxVfzMvN4%gY8;1AGcqC ztGsg#hGwsb5>`{?0I)mJF$h`jP#Z!H^yG~8Fv&oMapLFOs?VcLvA%KKjDXCpy-NOy1 zpCYsNb?Uq4uF2t>y`(tva%HMo>dzU8O++^oE6FAA&phh2-`*Aa4LkZc04>(DPf{a&jD|7QO3BC!JZ`(<;mN%%|PN z%DT_T$QQ(PiTHB4%8LCR2p?F&_MONApbZ%^luNkR>FN|O66fzp6N8K~F{mQwtQeK82)CD}g}QhHVCer_JUKrS$z>2f8! 
zNMb6&X=bwnwAJV_vtpoN7D6DjA57W1(OjT}luvlQSdOh_x(q5`@L`x-(Mh|geL*1>q6ok>3t?v4jL4Y3#qBIWaBALKbp!ln!%|+*Rflay+YNQ%d}m2ShOYrzwm1 zH>XXGJ>cu6hYd%}A_NriWO?2d{ZaT^oaA>;qD=0K*dl|}y~`a5OSqDel7@4DFcPkC z^xEMHobrQbP_|XY@64#qVe4*7j;IH<+A3V(t1X(Z^m5oL?T#QlN@YFL@+_lXCf^@= zUsXd#Y4PJ~9e1O1Edq(oEroB>HZEMDX>Q%(UBsmv=<>nHa{w+N#teCQss_+|8v|Nc z+_8VgjybP?2c=E^N{({#m}l$X@(cdTO<=S7KGxP~ggIloUsuZWZY#=r^eeyjuYFwgpc%FHpE&ToQ#Bg%$ zV)7&Hp&&s%-E9@l@?~5vjdNj6Blgqi_oUA7ft?DLClJlMqu>W_@5!TDPW-cwnz|DE zu9mG3&T4tY5BX8#Rs83bCgAEsq-k?=bRqFf4=aC_UHjPw5Tm6F95V9mXoDeEsdtPC z6A`KU2{Uffx?A~z?~c^8_5QJ*p+b#C!Ou>jxZIuTwPW+Vh#b+vYYjNz1LPPSB?gLV zvBZ3s55m2gI1KV3{;P9q^QOOa)1h}tb(|}Hm^r}4hkZ}&o@TFCtu%_j zRf`=gz&khKB<@6rY$PO`Zje&F1Hcd92vFi^RUneS{HWE7T39))zKFPPtE-dqd)CM& z@w8qk9LkM!3_6qQsPXRbD2F5erH4a($wOA& z%UQ)FU}d4-FzoqWV`VbhV$ecto!}qYEb#6m^(wiGH7PC0fExX*S&@oQZc@P_2wwLkQTLu8Y*HTfoD0Cm#lXR@m%x|84?gkCG{oghv4-SesH12J4dO zGIZM5ay(l2=eEb?h8|ho%T?U1ZCvAG;n+4 zxOl2s_KdAgKzL%F^#8-&TSmpbEd9a>2@nVbcMIP^E}VldDmU{+gSOc_5nJ%3U(> zBAZe*M`cN>4#)2Iej+G&R>l}};o^q_zd$q?`DT8&?GAHpO7E_aqiiz!u|04#^22v0 zTRZ)l{TdeSwRgi^5=0ch#%c|DFRT^`K11agAzC(GSW;TWiBV!b9FomnDE6TwFaqnJ8tGTg5pQlu2Goh3TUg^y^l`R?micrT;u9B zdm6J3zo9)j3E!XMpGjFi>7ME7VPhTuzx8UlUKLR2(%~RqIbK!y2)!2yrKRbTu~asd zAJ28^1U`d5^wzAC5jyGlM1_Y0=x%-**<8JY1BXqF=ba@k(9)iq5oEJVwX__qxp7YH zDS}A{S829nR*?DxoVq*R4sze~O)}T~e54@!QwE<@rSCKRG^6 zi=G#eW>03hLpqI{vn@Ej!?AqYvF^+4%HqlMoa6bOWUJB$gL||3BsD(M(aGsF$GteD z6mVHQEGcm^9gf4F!v%ypX)-(m8%eUXsoAtMfRi zx>j*aWfeUQZPY-LobAnAa&8|hl|g-Rej#RJ<5vFNk?MunF&MYL{* zC%j+1OKA%EbP0~yW`@LIQW$n;k34mlNfL3Zln_YV_^a@FN=Osd{7TV6pn*ffH7aIT zpFeZ#97?Q!RO+uOmJadfx&||+A|xLRqB-dNXk|uAhN|anq?6HAUl-F2m3d320DI=w z#i;G3bDp;u)uuh;Cv%2QeJEx-kUS+kyqX3!4gpEDL(ec4NQEJ<2!I|$Zq(8}rR%vS zZL>}F?)6NJwz(|q{EMJ=Y5Wl$^3jdLNBIW5+|)zOH~G~ zV&-eoyJk8soU|v_b5o79(_hxTKg4G;eM^2Vb09Sz^?7m7T8uITkzd~rBt1jmaS#V) z4Mrq?f^0qe$k4t_YhJ*%6>=U(Tx=QTv}c6@m(y1pKU_1$=35|6>H4zRw*tL^e!@JY zM)29JJM0hy-LL-DU(95{2e6CEX-uz2YR8N(dW&pvjzpz%1+Dh|l^R~b9#NFQTcB<) zSNMbk$C%WhcI6$dVtgZP-rQr 
zOh9X?mFAl^I&#|PsC3DQwzpg(mYmFr-AqDRZGgvy#}Q4uoNTn6heBewanmC%RaOpX zV(LMhky*7IfHDNy8ghdMxV4~vNe%|=E6SXy3%9&_G(qiDuSW7}qDh%3D6%jCE)o&c zd*pUFi$9@dKHBqrD1H2d3`g(V`Zg`!A;Aj$7Y+3U0}=bZN(dxVS4$-yHcw1f%6C2- ztEY!0E~Wi80wIFME4c?IY^|?x43zmtIG!VLAgBFQ!!@1~O?hvO7Cawrlj4HJ3XdO6w7DAJK%+pB{$H2ueg0{tnhX4<*xg*=GD0Tst*2@IwUVn|r_E0pfYs2Zl68F_> z2X^lJrVNQi+m@A>F$)|im{ibnBH(5_2mjaAAwoRa#87qvR7*7fTzaBxe*v0c>6*5| zY>1J16CnO-CEocpNRBruqo{I&pe5Y0MblQd3^H2~i@teCJhWTsX<$;z$X@!cc(Gck zYmsKB1b>qAm7NFb@qkK-y|q*R92UqYVE3A=@#y0P5;q1VO90S8LcOG7{F}6*9k8*Y zgwz~bW+4QUdwUsP?dTJ8+EcG<7)hyqX)(CtM33q;I=}I zuvhe^#Qud@RTP)EbSI5a(v~7N!W!v?L|J@x+sL~ljn&_G0a(#iSg}x1qbOTpc}Q0! zcM_24#)?(5;r9aHZ)3{egSyPhUB-c2vz~QWOeg#2MN09#tviK&xz%!WZ3>5h`CX)F zdd9{yYj^}XvwHzt6AKi2(zTu!61RR(j0MyHv=-w#iz{2&T_2?L?<+-9DKRAKP;Rh4 zCN36(V-05bELL|OSD+4+%gW@DgF1orxaF0nA+kiU_4*Lk1`d~{eI66 zWVXqY9pMN8mnw zmtU`)A^7}ww6E)A+sdE90Hm(PYmH3=$CkUR|@2wK=jgd_y%8g{sN|}~;Iq~UvN>8+s zxZwJrQwY}`Z*T??l*0KXjM=>9>9z<|+dAPIm&I@lF7jCLGcTbgqEh`e0Ad=0P413x z_~j>WV(zX-8&`{t7ByknI_#VAyxPAg?5!ur?soNtq1_41w(*9}d(FjBuW^07>k)|Z zR*J@(<_nh0!F*KUuPD&5;9hQykeb*F=fdZd8^z@xX{tpD3SISSU)_GK5iu=h%sV$b zp4)NcbX+{nSs=||>ir1C=jjAd7^ASqsaFqN#W#3AZ!yqzxATOXH{B9w_r*!Z#|pfS-M

zweaF7ggq&V6^ZTzjyl0Tp!6 zW)OQBQ+rrVk`W|BPJfGi);9UQ30szTdd6kkE5MVR+>9laQzqU!wej~ zb5#tv@|JifmMr{UrS?D*5ZPW2QdgSc=X^I2^BmLw6VjFkl{{@639PJnY& z7FCd^bh?`;?EXOA@R)ICSynsc7MH0!)@gd)952n#M50(VyFukcZNlH&BetU(U$yB^ z61q{e)(q$rgJ8HQWB$c=t7lU)^z9bFcw4wYkA5`pIEA1|ZD+<}OBo)ivv(>G=8K!s zvZ@!4vS**GVKSpQ@cl=%8bfFJT7X~~aXtc(kM=TGVXI{5&lbHR?Ji^PuUk#2=*pU! z4KwARMaD@K>aN}<53|#kqWe{`T@2(`9N^65SBXwP0Q|U(>+&!8UDaOUHK*YzA>?_(1kD{3nUvbe31NwjkY669Vj2E%@-p|maXMp@%@ z&h(Z|!zQ71+3hTEvQ=HyZp*HxoN1S-$h-9T5R8|gfcBGAm}sQuPC^0FO|!O6ommU)-0?g90cbf3*Qw$bYCkvaXNJ?nBo7WDF5RY(9GlM%-mJ{J(l-F)B)S>+Re@?_x%%fiTsjg^Pe>CG{RH% zc64?)VG&}aQ!zD|_;mTcB=-!FFOP+>ji2|~Y9zNr>_?(%hj-+<{P+djq1K&?j7wA8 zMBTp-wG!OOwJS<=*N(FbqRbe*%Kv^|GF)={V>jiKv`o_}Mt9D|EBUhaMd zvFi=}H5NP%Ba9Mhk13Y%^2pY?j47RB)7X8uNu_q@cYtrwsG^OTRGiOqMB_3LkI;e~FIu|{ZhM2Xy78lXKf1A5uI$p|a$%F3kViJqsnBw^_oxsC)| z%FK-i{Fve_dC^61heacfh?fm{2+qn7bJfW4bzEvf-ct{c$5?)!5h$;9|I+oTO2XZ8 zs|)k0Pi~30I(3vL3iP4L!QgF9g)rBSj}fo0%^D^(!KqmMfttv~>&`Wem?ZEkPHNLU z9d*yi1EUy#P0c0f&O#iIrq$(*rK13$G8i@IHxM>Ku^e_D$q?}qnLYF8zciZgUF1hE zUk@*iFDrN*qtWcyMeZMm1GQy>}-P}TzqTcCy=a2`|F)o#pW&An_935#|x^?fJcGl)p??2uq z**8-1FxARD4_EU$T-huuzhKNKAsJ=|wdMtq+}Gk9R_dY4Ppbgy(kB=flPvJfKo5y2 zt;6l5&!vgVW}FD7dI%R>w`maUTHRi%2>JXrBi`$Wy&CwC5hVh1)N_WKKOriTdDZ}W zi-JVr$P#>Y6Rb*Gg|Pq zO*F3b2#nh-eGG<048I=GAF$(kpPQ`ckiPDUewMt`KOHExWg8}Gh?V3R*(#Mw!XY?s z*4r`qT-mY;8r|*^!mo|S<(;XCU9P>*PkVH&e?2u4Z)3tda;IqH#_d(y!J+K4?bjI8 zVWELujnW5y3`kWoal8LMMpvnJ+E)MT&S#(t^W0m_UCeGUaS@o0rl-e3lhsn+>vdv} zgP}{IDfWONg9q=mB+=?Q@};mNN4iDYFI3yM7q7Yl&2ecQ#ol$Kkw$Ia%3X%5+E<3l z=y`XO>a+uqHbYVhm>==loTfqy);snoo=3)q%mV1>kYWsej)5wiWPOFki+P?hr**`^ z=-#YXC7SU<&q9oKxV=2@7EeYk9NXiD<6iLgW{0izFw*|&y54tKimh%zr)#XLaL=vU z%XdU-Rk=5=sPe%UicSn1|78Dwv^}I(%LyGtQ_QA-O%(0g*Xstg5mdWB?P;2=py9ao z6sKgin^Z7I;x;5b4rm#wuvEX(^ z@6SI(m7~l!v^-B#s65tpbvE7@Sczu2F=jRKmF^M2he_?qU^}Yk{K&$NPg&|-^2Qot zOZ+7o`zz@xFAm|oT@jnzg8lEm{*Kj9846z!crfp}8YmB=To{T1W=)$4zK5k=b_9ADFfkeB!O*T2X8`->11eW79dwBXkY|03tV z8iKnvde4w!e0bFN>t&e#*%0j5ZNB{~&$L2jAn+d}{`GP90)#XLme)N4*FPG*WSTi% 
zlO@76Nnj%W#le4c&CvJ?Me_f#`~PP5A3FJeoigjQ=WGLxzm(0Re9?I$`eMZXr%b*V z`M2(=fI4w01OnP&7Gx+~%9c?1MITa|kU81^v9_|q-W7Z4x}1y#K%jn4^DpaI5ne-gwT@o5Y$9zqn^UNWUeSAe`q z)MzcP>$ESfVZn)UYOOq7^dDqWAVat%mxT`jSAsfSxHeqZBSeTyp(I`t!*GDD1f}|* z&_9~I7&m($grM` z6~giG@D%@Hjs+Nz?c+%lqBU}xn>o_CTwrHQRf1w-=+iS6v%%L<-$PVLYHDI{0je~w z3HbTDAan@c7yWY^%RYU3*eK8Cc}X#nL=CN{r$?K6d0F2Z8D&K^1u-Qcv1~WfnRlJH zv9Up`Azwi{(rz&1BxVjq zH#=1fWBnDE{Lj^%EdYaP|5aX6rtNHK)%Rf&`r&pj3)^fc8t>=H*^tyL+A{HfGWQBH zqR785cxwC?|NhOH_$RTf`M0ycGzHVM72I;PKPqsiKOk7~oA>kmI6iFdSQ;Mj=pWS) z^}A}ffeLx z8Sj+a0kX>U8H}B2Xgx_Nq4peHA9gHRg>0U+)Rxm!2$KJ>E(Cs}+kbuS5P#w^I*EvZ z5$gB6N)}m2%*HmT80`5tpJlb(f%1*b27;fTf3zM~kAz?#5wtGm+{nBVZN}#fy?T&5 z;c6KWEzReTu;wck3GA#{-zeD#3@5Z)CGoEQ2-OMt(gTuXrTaluWB;f1z9Ig?Cn>96 zOgkQr^IN4N-`C4?5>#LF#9|Ca66rU#w}aW&yx$WN%HR%Aw2-?crnD#v4L6wzuPDr+ zNE9I$Jl~cv?UHoj-V*T?`313|;i(RtwVpGDE_?+zI=P7YR^V1lwIymw!9DP{!&>7- z8*VuNi4J|R7y^dv-WQM&_F(e3Gju-P0cj*ilcW`=XL!D=yr;0DF3Ftiiu83^Z3v$6 z3q=Q%sF`k+KHPf`5;S{Bt9d-oLWa&w^rhe8ASK1Va=$0eS0R8qScl3qn*;RGtA2!; zWpF=~pSczvT-qlvJSveYp1X#GJJQ4%CZF5to17yWF2lz6dH6u{tpOchQ08YhFT|+o zNl;=KSI*<<`HxD93~(){g%ha*SyoT{$)2IcSH7wyKfIOu?*f-F6}C)rgA++z8!0Nt z>yRqn*dNN~`iLiaKL0r2TjCL$pB%u@t4LPHviA}sRo}XgJ+Y zno<1r>GiLh8^lX%?2nQ8`s*VeH$A40DmaZp8yNV)v(%|R`CMXZTN(6EQ0$Aj4utPZ{)(L*juBPytzT&buh&9!GETBNo)@6VG~Gkw2Y z+1M=h6|>a6AI~Gz4SaeL&d%CS`|^=E&JOo5=NMm!rO5Q(aJDr}QL&nTgfG7aZ0BG~ zW5-2PUg(DGO)R=U)}bXgWN3HEOVL;m_fOR&8ZwP18fe-mkCrP#M`4eOg~Gpw3Ku8!t&x@_f*Moifif?ofK%VUu!Ir993uj5Sd*#4w*I zZTaJbmqxwzZQT%Gz8pUbG_}#2pHhw-mJ78&xJofG{m>^>WbS)=^kELvPAMFvE-UIA ziT1mVNI?SM7?Vg-z~;BRuTnKInz)5n`9%~T*&Z;In1(Ure9noJX>Q@G+-5Nr7y!_? 
z5;B9sZ`3xlN|2ZMSs|IprMt-|8yV1$K3_--ze_WdBx7~QtxKjE$X&F{4e=m7Uv4~J z?1)}%{E;YqKJY97CzbLPg&}kap-Qv*xegkXDp?lrnwVUF4g~ngO7ga+K?iY92>~H> zceVbhxEu)EJ74Om*zE(p?g&UR1e~NJt9bSFuej{L`y|;5?>MY;63J-o9J%}Z#ii0D z2nYpvElsf{lc+u;5$g`rO?p}yVY69>DddT6bv-{ZPeRz)*|pyt0E^{w0!_3-FsP&q zu$8l<8yO3Ry)I(isUV;m*pq&gN%@crk@pq}B3zbTQv32Cq;vS7J#tAxnE7$Y9xs03 zeHt2%965P+xKsm;qwzW|FEeNkwk1gGllTha>XAG0e~%ZRFXtRcOs#b!N4~`&R9k z0m|uR=sTBCJ8uZ&4jjO6W)g#GxU#^Usg|3M36@_bx4tAMD`uD%X-Jvc^iSVyH}m+| z5M_3~{3GtyG>X)m(QZ&{2sbOyjYr&h>%zPWi~HD;F0B{~Ptb;qhl6MLTS#PIy8NNc zRVU@Mxj&qjLXWEK(i{7|XHeD&tE8H0yWJD=Xwp!xb5G;j{@#~Sf%;LaHv zMkNS~{>SSeMNG)vk<11nFps{?W)02Z0~5 zAN{@NQ`JzL)0*HT6m5aX3;~BPD_otab=+Es@w=lafhHi|npIH8)z^_uOc&grdy`uWIjc9DkMlLs zK38dQZXoL*$0t@&tlW^Yg$_Nk;`51<9!aHWV05>nIHe2paY_F8TiObxJfv@HtIB$^ zlNZ@{9XZAN%S_aQuuKDmz8X-=?B`2m(iS#Tv$K&kdP$@J*>Wv9n}Ew6+A~C7X3~V# z=*JKIvL4WrZXMGsD!v}`0_O0KHsCv^#Z`8SvIYqJzEWj(r~#~>^f;qFca04pbd?XL zlAsA|RQQ+qX&EhCt%~!2RxaE*X&;OfW``i+p36q2z} zRq~+86JbAxyvT*Kjng3a&Gf_ILz^f+oV5-vf6N(~M+IK_*UC5dGE?7}mkB5h{IP@>7BS8AYe2`ZJK zMoDgI@e=I=tDQiauKDRK{{lV2TF3nq&|DE=0bDcInTao#YfI@?e4?R*kY14mq8%Z) z5?ugEHSEX3#*2-#|Hw5m8cXXyVZ| zMMyj?lr%&q88Z+9xrSW`F&PC;YKMN+pPhk&sc%*=D)%=PuA) z4!YRHNjF8tbg0l+ZynqG(Vm~j)laFJtbg=eV0n`{ZsYcK=N*uPh$J;1Y8_jL(Q*t? 
z*;#f58>DP82hkZXuNdR>8A>gFhv!GL5AVZWohMW!?{WEN?m+ypv1S#IY>}Z744&Er zv&r%K7c(}tf{t|i)dsG$R7TjW=!~%OJvj*`3G`UPd~nv%LV!0P{6yHs<m#n=FT` z)2y4PYVTC-tB9#63D&ySFeit3d$XpLGtI-H8}~Ece$irMbw~?A)I4$@rV6E`qixf* zV6=_h^kmYI4$UUnPIG>9k~{Y6&uZUs-1&T|o|+u_+30UH&cp#* zPG!QHEAN$+kr`;PnvYGlKIWFl5^*^{3Pjazp?ZY!xa(bB)c{hgtd!K()iFz^%n`^b zWdxO>D`sX+&ByV07VWk;?nJ1@mX%Q}7j0R#wxBp%cuPn~OwlXkszy`E(dH$qRQY&& z$9}^_(BS2Hc-V-Kf6Lm1y|S{h0oaUa4mJ)ShqjHcR|F{I(d%`>snDZ^mU$DeplS4r zCA&$sK_MU@*!b)^*7t6QMn=AWFve&7nlgzSRMb!W+CtTmZwIgmvCqN-L#Zg%(7Ao% zt|Z0C8hY74vPMN_VzoTn%ExNQ?{>TrPN&nlZ9_OA^H1^k8$jZcB_6ky#Tf*-p?UzlX7hN5d7ixAEj-?>t zEL!#xeuV(KU>H%^aOVG+!^!qPdm(aaTA3Q-PtoIxAMxYm3;pRcmY;vv^wKe4ikNhzKmAsmEa9M5 z`H_nYJ0~XxvXig!9|8ntuX<5l(n)IvTU%T9m%kMH2M2{nVL0SJvO^p=NX#-xkdi(= zJUG_9+spYw0wC-iIFE!D=gA=b2Wt)PTnO2oF8|7&^$(1Kr91G+AEv;tmQVx!Pp#$E z!Kom$WS03q1g7BFIvkwr888;E#r{*@+121A6BUg`W$2$$L8vIN$r2-mLyTGfAkb_9 z0~m%JW%ViTKPH(d$X=*QfFHK}?{4OA!3Ojq>kE}s=eOYhkt69Bs>pESXaC@-f{VmR zyMq-CB%FBv$kEq#V5+3qNXq_Tj9x*)N`Xb$8^7!MM~)bgz*K#;7FP}Wqd1bm8A&wo z4lurEEc@q#1H~?c%r}-{MPYC{h1G5RTSFa`fuPXgY z+JmK(7kcZSo)QZ`ZmF1!`L6gv#Wkoe7&(2aR_k~!%7~_EFvF_gceB&Kn%y+)VN=R8 zy)=tD8q-wF{tC+>OHsgyRdf(Fz_A<{_gmuf)exes$CL}-YMozPDf~TBx8=HBR0^mU zCsY<{~A@4OLmLT^R~c#Wd@@y9_SkmnPyCM;H8B5S9)Pppoaw1604(NyYmor;NH3*)AS9TajW3g>N?!mvcf!1cCEK@d5bEPKGoC23baUzbF6u=a=stk?738i}swb z8^A+gt{n`{kVb(MQi_(X4y_SJG$D(2nD2hO2#_@T`M^wwN~*{rfpD}92VFyUUTWC@ zLqf29+di~T=S#$ts#(}m2NU_Xt~(OGG|&zn)c`MZ?{}vhlhD{0;L+fS|FVdd>2@Cf z8$%f9M{oV_4Dc4fa|ShN`1LX5zb4@aSf)_azgla(VH1^Kl)`1SZVi^Su6k2(N;F^2} zxedGD0-=blLYRs-BC0-7&i&PrGof>3Q^_5HTzrcSQ!HOZSgJvv37e1XQ1oF#e9R>h zYvR|54zo6CTh5`)tU^VgTR?xekW{5WpR}kpBYwmXsZTQ;cXK{1he+L=v3^GYH3wp5 zBsW|&BQVt9*_gg{@#Z|8IK1Ud{+AI5K&FbF2WA>SaN6MdhW%&}(z`>QWT%f{|2Aip zKT$Q>phSGppwx2+Rm48lT{JqAr0LPl=ft!^b5d71NnXvphChojd&8-(iW@y#Bw!nJ zVQihw`eAxr#6%-TE+OD6PdkdON-MMDIE{DbF2#sy8*~+~A8_kCgc2h0OvkF&!Pu+|!B*ll63b2a%?9qqqa;=ST1aJ8dY&TE7nyRwW(KR zQI1Z`dLRIZZGV~ntNuyhtXL7Qw@;h}Ev{F4FP@iOdzQ=5`O9fOTY`PlQv>NBx1n8@xv 
zBhy^9kJG!5%~G}If2*ND0L+3e^R_8z9M01ZzV6yFoHKG)ybv`ZhC zch>YVV?f2EACCv`Ey6v7DXP9%CODm^g z<8IHg6UW*E5}Oq)`Z0H&UEYG;X)kvQgXOls%-BqX-0IN7`91O>cj5Y;yBBn}$BD0d zzRt%>VVb?>`rf1d3K=(fyEc%9>!gn7EDgWS$x-@FdYmKd1=+ahr`q&+h*rbx*z42p zjLE1E%y!tSqUmC{ra@=gO#&6_v%OZkh0~|7=AmjPx7M=Z$+H)bkWpk{Q~Q>DnZK@y z;~^I_(q`*YSx$34_7_8ZnIp)@y>6N6qXtGf^6*59^k*}=tl3YXV}%f z-m3Arb++dBgRcu|5>`A!`ZP@b#))siDwUjX*3~EZr}uA1LqGwsTAO*BY#~y;OS}u} zoyUWQ@`tp59fcb8mNUd}peZ{|B6PoCH@`(QN*Y2!{F?Vg`t!GDj7PW09J~5=m7G;Z z=LhfEM#c1>X4vgL`pqyAw}My+IztF%KS#-_yd9w;Cdx%*dsa$!@PnoYKfsHyTRxXu zfvpZLf#jG`=R-Kyo)rD;bDd3@V?wv&`DGj60v|`sKO}Z>)yy4p^LCuN)!;sTlXLL= z#wN4Y7ES!^)0cxN+jH-w8kw>hwYl)~fZ}Zj(d@H6ZSGT?3Sg|aD zALljlBiz>+z5b$C`Vo4qmrM6#C733b&$Z@5<0SEJ3#l>>h!9(#Balb|O&2F%(dtio)04g=py zPisQbuh(~d;>dN)FOp$3gosn7sCE~N=kO_rvXv@ z+j6%JT@xsLIO$rPd4JJr{tkooM^CR$OD&V%0)W$wd~RR%Ri`zPu10D*B>Py8cznI? z;W_6^Vc^epPgPIF>$>1aTJ?TTd_h72p4x+!;!l&EKvh6QG=#UTeh}abq*PLIDfGR; zHj1>!S)v2mm?FMr;ilxK!X;xoQ2v{g*63`Tem}FhNQxa+TrH zyeCtMw=M*M&{{L1N#8na`9{qa9hyIc0xW~y_qQywn~&)_ut_^7U`e53OmxkKvN_>Yokn6ZfMh%x`Y?J zEYxtfx#J?SenLZfEYpw6*oXGwFeprxKJNh-@rgDG@Z+lUAe~IEN6s>%=iaA0+V8~U zo6RQsFjxvWX|J##IL#4=dZ?LwBH+<4{iJeAFD<%{Azb!udoCa+yt>Ng{--gFCx^ zydf3a?EZV4YlUftP*9rdQQ>ZU&n+8EG3;TIBQLY|^nSu^0>mxS_ald6jUo))gLVQX z)iPsB#0GZUi&;O9BNTUnHT*>kb$&Uyw@G#}FestodU}jsnY}qwN1-P#<}OYCZIAQXulE&9@Ut^5c@T1rz z;e7_Fs1|tJNvA!;W`1mJfo{28_d7ki7F^T>8H|ZvVIFHdoTScIYn;o^R~2neHJZ2r z4m=)%SNHKILzgSSm9btR4N9=R(rAp?d8k3ig7bnrqe|IbeQPI!PY1*8VQKv3(T1T> z*zAUeho~bn*Z`DT^kdkFo-K7^71UTh?!~^jEnoju8}D;k^jOvwhi2|ZA;!3Rxi6Kk z72b^1MJyD^pBs_H4m7fFvMJVABQM(!Kv?l(f3wnD;|y*s)~OylS9P*S3)=T}JYDH= zigDOb_`)-yJ{_(3EAR`ls&-tZ6>@3e{J(uV3PXrFE2yD>6P>mx79~>c7``vhD=SwZ z7+^K!IpfM6c1}ZiT-&G1wyv6d>nZt`9RY9r1(XsxJ_B!2H3`1DUohM1QmVDD2LRI=4-` z8@)nARAptlJbt|4tFCkFEw<#^!Mx=hHOpfMAA!BhQ!4bb71ssFQ=z~bq@!PYTh5~Y z&zr^}O6$d1Bw&+moT{5=WY0~QiMx@eN&BInDuO`t@bech4KG@Fw1!RRZHx3yYso_> zzOdtf&ZW$C-vtbF)D$?3EJtzv4*4vN36!ds;}~vI!FYT9q96b*eCBax;m*_!e!u6# 
zH_=||YG^(@HJr4@<6icJA%ppA;w6B)Wozkki|{potLeM5?rVC!Nl~vSDLV7YqX?ZY1%pnxyx~j(Y zV7HMnD_e!>r`X*L(IQTv@m#!iV7c(rLoZpQ4ym)9Z{h2PRU|zxe%?;MxL_)&Sl2f zjuE7INog*hRFdQ)bV94TmMTEBXwFsj9~tIXwL@BS8a`NBhJetiJ*@X;_%+MOS=|O; z`BHc5lY7)qzefrT^3oNNqEwqMVJx7gMSauB5_z_bAyR%SlGNjUPwwL{f;1()YfNL9 zeN1I6-u!Bk>fF4f-3C)pCwkKOHpQPsDRZ%{J!{9eXK@yC!V%xT#|7A_*8pRg8lAL) zYnN;!dM=q7Lx?spaOA{jeU5#lSWEx(4#p+`C9N+ft6`gG`y-v$G=OfQ$}PU*zB~uz zEPd5!o_8z7p?YSXh0EY-PksLOeSOww$oKBTiD?Xf|mibPjlp>3LP zZ5@P0EZ$-PTGaZt3F$_d7K0w!@FI-KEacxwQ`l&pkKI;y&mCqir3AMNyO3S>OV)_K(Rq?>=4+ z4+sl=b?$u>pto?U7Wbs%43y!f&-P_*xen8gz!)rnHZ9%yG6}tq@pPb-Q^=|;vW{fb zko-O@vfD1Q*S@27wRp!BpI_zyHdNt_k6xz#9*<(p9!TOw{R-&J_5rEP3;>cbvlpAs z`TAfCN%E<(C(OZV+j93^Bc6^N=WzoJ#w{Ol_weGuayQE?OJA5J>inn8RyY^l22J2^y}xz!J{=|jL&r^ zGq_BNL%cF&Wg*JA6!rj!#iIlb$*aJo6&&2S{-1GSlk#p`<}6*~ICPmN3ayD2yO+RX z?K0SE9sF=B4n(_-H3=_6Leoj?@`pV*TdUc(CbDJRkrWSxtiS&d#tc z29?b|nqIQ5%8`uNDQVNSaI8hA#$ajCk*3|H^SjHxpK2SBAH!Ty)E(0Q#+gGB6YFu8 zRD&~rPkSUsu)5$2t`y({_N5=!eGuCy>Uy3yTS=n18jh8Z_u}>`j=)&+!uI0B45|)( z>;1S{_3o*j9s<|;jUDA=TO3LIjx2*DzR1k9grK?Bde$Cl0*xOU?TgbxZU%U0poy<> zpY3^b)XvB%O=p^`YIGPm1;x|%0};e_5vp{l+VU%b|JAwQa3`s92%@tG5xm6iMErJBTso6-lHKo(>3f5~@lz)GMwW_! 
zXKH}Y*>!Pc;n13ivNYyh%vW0a>#dW#$B%LWg4jnN4Fc3bC$hi6&^ccqi|ZIeMYH=Yl`!kvn) zz`G8AQIm2;&7xB@$aA{bRld{)RPwi=Uv$H{dM1jfotRfq^_OuZU z*SbVM8m!~Oc>?u3{#`c_2-%vx>CrvNu1AN$CTb0SNh_{*r0Sjjq^SctZc61NLkNhhvq# zn@whZuBsxKA_aPvJ?nMc=^=d?zP7?ajKKCI^UCth7IS|7lus z_}w~sz%7i62>d5i&%yFEu`uUBvha^IXh1nX511 zVITy9U;4#RIIH|%?iG5;sPAtxh-v%i&}Y+a)9vGb{|Xe4+k&ut*Gm3G(Rpk8W^21P z+ontK9ZalP&Di{_wR7`_yCe>x+jx{SmD5A&pbanEDrYL6*FVjS>Va_2vGg!xY@+8myc~{a5EG&qv&mK1=L~D^tsUOr&>DM9=S@-LXTafSOxzVe z@jI1PIvvvChKaJ6Y(aaJ8y%iNovAJIgALzXbV@V_l@v?Shy_Oi!z@14Fa$L&!DPGHp1~-Rk)LriXj@Vu1kd5eHf| zj0&Lp=E4MTbFnRQWf_6xspxWNA49zrFNeoE9j%U}!DNU|SY)K2ay{3C@twcIulY}& z+AiQiKiblb%V@v+O?}*4`cmUkc1<1@xHrqQ0!ssL)UQE=+1k7-^EI!v8*cFM?qw;I zSYPe+K8q^nT3Y=2+;##Cj;Ne-vb$Y=W6xwAl#Y_$u=Uiz5w{I}0t{c`B&pFha)v9l zVyDA^c4*@$ZhE{g*Jo*TIxeN5#b?G{rmT6VRV&z;R)M|bX7>d)=~$p8!Kwyu=vg+L{fxDd z#9&Vs`$wW{249_a5$fubX8NBEq9M>~=Z!=YG64{X-%lJeX=oFW;{l{ZEd&(6lyL_V z5Q@W@Jg-NsMJa7D3;2Q^{WdE^g8qb`zI1Ul?(JF5lO7b$!usbE3q7F4h&XcPhmcJGRu8f!?5_6}QO zL**}X4us8>riqtZznN{?!LCpRJmBsfpXb!w+2PmXi#hTuEXggw?hDWD$L>6C`%O%b zn=C&~Jh|6p^gUUjC1BS^4z=g!H6O~kDcjxum2ld9<@CrMs$MB#aJ}MDDCQfm@j636 z_qgdOb=xy3Jr1Jjr7S=q)3XE8V5eSkFg^ip=&wV>V1Pz`BKYQR#3<6XSiJ}-5Lj)a7{F2YLkI<2I2&)a z1xt%5Mr}wF9n6vOJN>*x^a3H|njA!ZlUdF!BsFhIW}Vn6C#CAl_D2Ro5WUxL_L$7q zY9bq^pjzh}p$5QCZpRCNq1o!-nQlhYvR<8@@Vm2I+P^xZ9sWhB{{jgOuChf%L7>{x zyZ{*6hlkCHLf?XFP?1^Geg^^Fv=|IiE|auF`maza3L$tVBKJc~8YsZH)e9)Rz5F_g zi2*&&8fNg{c`(8EFSt-PaO9j)UhxGNnxUQaRLXXL0YQ6)IbzxwlecQ7YtVngHrqmA z+)2OXT}mAoG`U3t<4y=HbYPSTQ>5ELh;m$Dou^wps&<{>!*8{L)qDY}Aa&G|*$Sox0xU=}U{21UR=N8bxY z1vte4$VQA~zI_6}-4F`>*Tgy?RC^T-9!SY@Fzkffwy)s;i~9cc5KI9JzfF`e~*qrw;J_YlqI||E_F|enI{K9GVm05x2#_$d>O+GaUGw z66y;@&H$eC-Twa&k@{aE(pK@Y(3*So3hhwhlb|xXTmUjPSX}+Ko~r3D;-b_ENw=&8 zLz?Mi4m`h+g5T5f7lH+@=r*6qmq^xJlA$n3O(Xs-qThL{zfms9c7HHfNPU(T`09VO z{taB3zksqVjVO7)5zya2@LxE62pD!9W=Q)lpzy!L_W`+tV7T|^f^1a$zozqlVEdS& zFNe#lVWEDblK&d=?*Sr0z#x@~5jUgcZ`Jwl^y_23R_puJ`|oK7^Ayo2AjA`!tXU82 z{&hjOvGb<6dE1AR?(caP(R>jYkrkql+rILs+Rozz4mz^U+56 
zOPrWO{xR)XhRh7_{zQPh^IOSJ-~x4Ccy4;!fy+m!AJ0|cOMX|HUzDb8$72J(uWl~* zJe*f(@XkyAi)(=z6!8|^@KgBBFpiYO8e7Vg8n4mha)3!?@tbADPG6jfQKFQX6VaPv z@qA-#?C23*M3dG`37Ls{lJ(@b0YRa1d%jteFdrdRhGyO`bn#OO?;k8gagfJ+TY|eK zAP12z_ab>LUc=cF1FQp?I-)pTup`xuhZ4bes}07#3(k_P9!o@ag8{mw50Ub*S}|_E zhXt2nn54srBAknEaVOZn=2eRxOw%$mS{$Zb@L^QEuhRAN(5HOjs(Y_f$|^$1euASR z!_-2S-%yx$G z$Gv%M^LTB3zHcTwp7EZzc4DACLpH`vgc%Q}SuXK^z-6+Da8rTg_Q*V2oXFmoF|VyG zq4uQ=DC=)+j+iqR8y#P#8d}Q#m~F*H`&_1mpnp^6m$Mq=V$XKRwMC~raD~#Pe0j8mZ;E7AGJhu=j6j7dlkRY7Cih z>tXQ&Z^il~1aBsR3MXw!H~SkV>CsOJbqL!1^S~HDxfRxBIUp$5DAa!F`2+FCYO3SP z4b>m{G+7X+%`gzjz^F8N)nuaHzCMLER~zMGdBV~9UQCB`OO_=X{0~>$MFx*8yzg{w zkmo?(qLzKAcUiOoqTH(BlpXhmYX$5zDE?l++4(Rec-<#f&(oF}ogg>sFGoRaJ2LMo zkAGAST32#6`mn?0?H&u4c^$BRHlzi}H#UJU!l%7^J)lcH3R{K85LBS!U8Z4x#4=v8r8{v!m`M zin2TVn65yqX?DY3y*ikvOE7|!cM!*w?fk7R_XtvX0zELOzliPDeeY>?eXdmc`}U9U?>F|@3pWKCOpzq!V|@p70G|DPM2$`-D9CD061~+)Gus;pLIca`nI&yxNaBX&lh(lMC;! zH@nkMry;0O#=l6odU{&@By~#_y;|exG?yPn>b@HeqfXEX+b07&xftWVVUEvY&=kCl z_}ftFTL(C$VHnU;864K1z3cUmpu_u)Y#&(9Dc^TzF=;-WuZa-VLtkjDn4Bs@?5Jid zE9K-Zf%<)%PYGG)T+d9-8S@$+KNcacA!ip+8gm7=O4egm(HN*ko-3xW&jvU!W~Kvr zgIEdt5kgs5lhod$6nzl;f__V2mL{$EnM}fpinZPnH=8_R1}AIkrc3P2&$1|l$|B7+ z!o_9-_K+AIm?E>3yq^m)>K+H*{=d4eGpwm>Yg0m11f&}&3epr%sz?_EY0^6gp+khw zrG;W4!qB9b&>)q$9y`J-& zwReUE=c2G}N77yK1eYfR6<_d)^>(MX>YfQ2_n$Ky4%{cfk+!O}oj)pg3#>ZNFWp>b zZIbr7)d8~-P3@Rt%>A8)n$h{8db{6`-gJuuLu#2CAaG!-rU&OyUY|C0a_hb{(iK=)YLmz9p@S84b|bwZoO_w+0+TZq7i z*~-i9Dnf-jE;@F5<2`iNc#g|#SpG6jR0O(!0yHMs^(48JGVY=uv_0+7LnSV6E605O zly-lEf@@{*9z1dXNe+^^@07NE@chu(vuWtiPDSI1fW*qx*sKc%Ol&s5hch}ACQpR1 z1KtJoLaO9PgAE)^S%0pDQbzNl=V{H%C8HEVBo?^^(=6Lrb-F_uY%uJ0wW$J_b=Jz` zaxw>NoJbBh5nY`Wjnk~uXcUyf=?7aUkbN9r>>O(iCinD>u$hf&^cSC3fG2~GCQ5K0 zF)J>n*chIaCy!k4rYoVA)csccF;c6-Uz2X^dmbcc^h|etjHYfGy`7&LeN7rCA}ba| zdp^zZQp{6e=RNbAM-0l}5%B%`y;Gr8It#pCFUE@Pd{v|X#RAJMD$o~M=o@daSv&WC zRbLT-F4qL@zV&v-cJN-;@>60v6u&bYKu&LN;$AvYEpaWV;wz|K39pQO_pKlFC0Tr= zwZNxi{)kY@-PsVPt^74Ob-_c)Ti=C{1-w2uLcLf53V9v}oh;*C|H0p$l37jz;sAm>MtyrRYkbFUm<=mwwP$W@iB 
z(}QnGp{urC+o^X|tXMm9Ib2XOhgL4_g|w@*Iq^Pvmz-1i5uWLxD~Rddo*ifxg9o;1 zEd4ZkbP>@a=*^-UGm0^Yhz91f2noH3aH%A@Hzr<&rHKaPrumzv)nIuo0!KhLC&7mo zE9_wqHQuEq2(8^0h2pyg=U`>D{?Wz3Hd#rxXx!3K91{~gnM6X9y-Er~HzF$1J(9Py zt_WFEOGem+L8ea3Y{9U;%^hs8XusrunD*>(v_Z|()D7APMAnvb#U%Ry+Ek@HI%ia> zJHk|MO|Ayeu6lgDp70x8&tZBvZZ^B;RQek?<^r0%3Y9=Vn1QzGVivk^cFA@2g*Ec+ zmeN-H9pi#xO8JA$6m?V4{AS)4ar+Z{bWWi|z7*nTuf58HFolv|<5IBQN!Cw`*LID% z6`rZ)003*{ck)TyL1|*;!6TQ_l&wDl{zlN!Q}A+hKyB2e>_ zWGmmHBp1ExM^=)cC^Pvy2$T~$Khr}(Ldg|IL_&EM4>-Vd`eoGc9r`*rIVbZ776e%uDeRvLLRCf=OBrZnAv+jW#B#xf4_e#JTM1#x|@#H!~~!A`KIZcMbDZ)A zFCM@r)m#*bhSl)&L8_PA#C@x)jAdkY#o&#zVxKvQ$Zk0999Y_s%}Ml@ zPPQ(L^6~xlC%0TX%2)5=c-?&`EesrEQC7lY0C~*{w*&G-!{pR*yrWN(wjV2Uiw2KG z*)nGCl_d1e(Kwj7c(Lz^IW3Z_n{*OyyZt7)m%AV1U-($AssPQ|z>9pz@Zc)&C0MqEUwlEyhGc4^>PAO`y#PJ#jo2yL306Ik?Vn85FaiwMJ z11a7hJ5+nJv9a4X{#dRrBuLox0*_ zM>Dgn0+L|IlQm!{aWNFTrrvDkrGkQ1sKKA*eHN{DOWd@Zn|gvjMO6)@cH{GRGgSGy z_w&*5;-7vA$}rOV#-)pk+<{(3;gXqKRBwNf`)6HTqCFjz096FsgbOXD)9$U33|~Sg zwrQweXtg88hp?G5=>*qNMpBYmPOSQT%vX+8|Y~Z+=3arDeL->$&V6HT9gFyU=SXcHZ%+8_$#pk1>Jz@N9;X;|4#D5)=FGn=x+RqpCkiwD+c& zCKojGk$0U#Fw-SiX?HCGZ~U`oTk);N7Sy-<=C9(uMQ%-48U!k>Y)fqu?C3V|c zGf=YLS0r_nZ_OR({pL{a1KR-GKzD;-Pb3Y zeZ)lcZ64#Oq-AwU#V5#L^nRVKln<#(cnFITVA2j@x@)eU1 z`J1Ox#-C)D^`S?Jz8@-CxJO4vOShxb`Q5AV3GWT|OU=dnCW2i81!cSqC(UHU{ZFzq zqFq?WEv!ncg+dj=KOMzuoqVRrd%MlKZ zEH_J&m5Y9r%HLWAhqI%uLJfCI4K{ndPCF73!0;F`l z_1aIiR=L?jbdu z?s_wZT}bV}O(85gDq&&zaa9HaKmGcDE(DR0pj-n%Adm%e685V~uANX}Iv^0Wc$suv z+qF8G=2w#mHyzR2bY^n0N^<{u;J;h7!UQ6GS?X{8E%}q%Ke|WsT)E2>5qi+f>t|%`F4}${(1Ox>CMM_Kw2nehX2na+D3gUOmtnhLw5D*rpg{Y|F z7g13nMF(3`3o8>KAobv6cSsd9xdxZ1Nz;^8zr8HSI3jMdQ4Mg66g(Xk8fhdnWHe-C zMI&G;wfH5)DN$r1+v6MB&XxpH1#h{+6lZbhC_~Rbj+j00pis3SC_O;V5emjZ-BnfSLSwm)pLBvA$TmftaXN|jo9CaK zeX{q_cfdgP;rg>49nCzasULST6a3R@4|= z!do>>?wZ?%=`#Xdk--EXAOiJg=z=f{e1zeJ$QDJDN8w=_9|l79P~!Ta=th7bQ>4PjFH0?fwx z+QeP6OwYCE08iR3irCj#WsNiuu$AgR=lsFWM}TB~&^QV>LbV86f~y7fBl$`#kpguf zT&t)a)-+F{Gt4+WfY%##{x!z`>p={z_g59o*7qM?Dp|Hgb^V00`Bkw^Ly5@vXGH+& 
zTPwesXTtPoXy6zIT#tgBK`P{L0fI|1F|TDYXhg4<+yDD9!_L%GVHX>l4I7 zF){2V+nZF$pe37|ez|VqAC^wUV1m(6_D{2}6fpM9(a#0KVo6oIAvWd$VfmlQuh$sL{MM?+3noHZ!6}^z-U6CA3c~OHcB6Nb{e+OqB#gez+S>}jA3u9 zQ~F)=m;*$2dcI}23L0B28#oOcq*zg;TxjY6NPDh#9yPUqLhit?K`2jpg|9^IAwI z#?NVOAS=kguo#NWhTD(FvuVRH74$}6P2Bj{5s8MvHa|KKT9yO>O-yVp@ca+0#UlXg z$8bt!JroQWngOhEEYWo?4wDpf>05HWX_@b;p(x`eV1ear^(Ob0=`HoWbY%5Lkb7J7 zioF%p#-FfH?n;gbXfqghi=ovW{_{S1#(DFJHRHWqpf@b5=MyKkp8FtUo&>!dodVs* zrrDorv$eEIpBXMTtOWc8QVjZtw43-{w(}jd|b@TNB7F?G#lmayc)5kpN2wEJ~`#4n)BCGC|0+ z2u#JFVj6U)2V@CIatneFi5HT{M;f$FpHT|LVhf53LOuXQ5pJvp+zxxrKQj-y(GTGY zix0G>hj&12sK<;6)W;7UD!>kjUo3=+*hdO2AtZ^&SqhRRq>{*U1pX%AEuV=BX9c!c zNHPzv6o?1%o3L8GmLlvOk_SSUe@Nb!BizQQfUjg|v=Nx(AqkRYg?C?5s3hkYk_5kV z(f}t%jEU?QN`FmNyf4L=Gn%8FBRXOIP5{A#KY;+-S6|Cx1-069QA;Qrh`J5Og~$+W zxg}v-tk)BGh1MA~R4{4|+(@@mV`@&>i0Hw|gPa}CAfzX>ShzaPI4ydFeP;{D9|B1l zJ=2qBq|N-1rY?&^fvD`?=5HZsXa;u+8aY^RG+6gt>a5Kmu-3CSeTj8R^Njz@@eIm^ zAhh3pr^tSV3l|R@GgziSdq}5meeiy3$S%^2hfh!!+BU#-ICMMl+Wjf=iT8=%P4W%K zKb%NWCr=Sv71z%)WqQCLT*nmgE4{GVFZ7X9o`-KO1SCgNL_W zs2$Yl*-7n)U>bggK3-i)iA?mDyb>FAq{^3eNe|JC!jclq!o@<@lGuW&f|>$=f}jv! 
zM94JGh{-IE<;;xAxYX>(AkCDFDT3vM)q{zG>3~_+=*%?Bkc26m8Jp#68cI4$x()L^ z^H0{qbo6xVG|_a{bVe3I;~f3oy0AK|21N}ejWP9$hNw7$dZy*LGf{cs)Wp?Mqe^vE zdsW8;q6N~*RE^yF$=bSFYZFJ)NF!QfOH*9q(B;9UpUa|44a=uXp3A8%S2i=7J01I1 zDH-(qS{Pid+;?1F+$>z*xpnR79AWHm93dPD4m(Gmb6|gx51I_4k2|MSWLrjLCTk_G zhVlk>#JtiYMo2~s=a?ZXU@Krw@i7wCP}_oCT5P;_Dtn!Id3XtXwRyQdQ9O^n@x1xJ zwY|AM3qsdIAHfDe?ZGxePe9#3Wk5^7=Ae4fw33i9?2#qWsnFi(rcqTgoKa@cuF>$3 z_A%D$7}rQOjc9!hC~Y_QJEESEp8;pKXU42^s>?J)-ND;A*n!@e-+4#5Lup6pAeScB zl{O@wCl4f_k`hQ1`BEkYE`=`bEK^wYtr)a;N=h)bcf=|YI*~g0IFWqxWPE5ubsS-| zZd_xOe0)7AGX*o=HC2#dlloIjSe#faUwb>7B(fmbu->q6hm)L|oUmA=ICbo9jAHCH z88^wSMcVd$-NWV761{%RCD|!iHCeCxdpX-Y&iog4WOl|Tk|qIXRcEbx*?Y)Urd7D+ z^UZ}u>o20;NTmzqcPoBWn${kO|AeNur`M};s6w_TwvKq_hRa@X?SN{ z9xhNe(OXXQAyXy8BpWCTDF<&eFo(tmPYV_mBH)XYST3zEboTgnjgB104q3m&X2@jU z%|HCSem^QXPu=C*t~vMZ^JNj@Bx2O3nP#dbvf~(`E9EjLUZQAaabq7KFXBKWJVE!M zjUuPxs-(|im!u zZ$})ShL&|lra{b2`Ro}XBW*-ud*VMAANT{ZVixO{xrO&}#_?e2bSMZSKYyjy)7|za z_FR;tBwEZK{&V_q;`34I&dgh3g@%uYLc_O)DT00iSl$Is?Z>BJyo0Quta#K_g}FnR zJ<~lO!DIIugN=pG9pwS#nG%TGsvBJS$SeVu7c*g@-U^Yxz7>+3f_`yWvr;pU$&>6V z>H~TKrA}=W^_!Qh&)kvRkw>(ZlTCrf>b(6Z!Fn z=9`v;CcoC^x@*^G{m<%iiw=|5K!n7Y*X);US3+|^bC1&Ns|C_~NlwBFf$B@8a)r~5`F7kKYtMxz?bGLMg7usfObJFF-3)-&+t|zet!~N2qBrj=gr2gVLMOC4 z>nq2>`B(?&d)i0TqwM7^gd2pkpp;K3z6!n-0SnFvjtiC#=ML+QJDbDZq528eyW583 zN9;FLX;isHio_{_^Cz|k?w#8)l@-hbM)6sc*+syK_j!hWHg;z5&uX9Xtlg}Nx9)q- z)6Vm^p4e$ZT3GDJtVqn1xm2E1ofN_9fscXriBIz9itCpB%a8f#`FSXq=z1S?zxaro zThJ{na-cgKptxLMp|!gBOlu6RHm|(67FH*$CR|m?3pb-Q$R%lQ4uPC4nKj`y5J$SJniAby+#Rt#jq^y zFYWE3ha^=dovOI0%+7V&IL?{>Lir_7#9C!mJ9acrcsG;roCvq0U0{mV5AwAO===Z}YnbIUKCjh}P=MMcxb zi)j5SZGqYrX^qQwAEJl|dQ()~3F+>4<}RwLE(>*)yONGESzJk(UJiP?b7gT}m$Q@L z2f-QQEM{(#zp`~02pHWxE;KECmNy(OZ%xr1k}H#GF+(Z{bUHP4?5Lj|q@tCpF3?9S z_9_6U6xCg=8+L`IA3bup5W8AC(N9C+tJ!jgnTZ!?ofR&z#~a2nGL|3jwH*B}lMl-= zX4#7bd;GF)d)G^OGCR=yiO(hP>()~Y{DRAgPko=o=d{tf+X64$!Hc4{9vjWw6{n2e zzFu2Bp;x^+q8R-&q#%U@Gqy&yLzg~uxl*}sAC2z~YiJhbmolSHS87ez6SA9U#kOUR 
zx|{ch;=W8DPfbh>Ty<=ne4Q*ej&F;po11ECi;J6B#fanmvqu=RJPW{-p=SNQWKKx5 zM=W2M?{eTwqrS^_PB={fMsF$!tlG|W@R&+))PNqja~{34-&{a60(APskdG|BiSpeG+`Kh)sumj8&4xmfp>g z$)?vhpvi1|*nrUz-}0?lxk=4g(Iv?l#reR+zzMusZyjPS_so3F-DVLu7C(nZH%d1# ziQ^I_mtTca&t0%!Gwrj>udio`s6#&;NqfZ3+;QpHPBUoUh8ZWXE4mZInQcW-LNJB* z!Ep`j|WvfdFB$mcJljG`-Ek ziS1O_iE;Bc;{LukS78s@A-a7xcgj}Z#C4EII?H~pm-dXqN@+YY;OWdnU`z+1% zgEy{+mnuoB6na3@M^Kz?Y?cD6vZhXgGc33`0X}#ny>e_oJyx33LPD}f}Yo% zEr<7!EsU>v@OKCg@BjjD){lqX4uyB+OEZWAfj2B|oDc~y$*SR_vfd% zOpCG_YF5(C$^)Az+RsuQ72WnO!<&Xn*R6w>apByrX8Mq91m3Wyf!_uvcW|!4!B|NU z?L(@glOzcT^e3oBo-(n=`{Yv$*N03eE;`A>c7YDRRFAKn^MQ7bzg2?31T2Vb_i2!% zigyeika3YY7rzy=npBTGjJ_)&sjz*8QJh@z__7~?@(ebPiNhO0yt6I@}j#*{FQO+^m{L>};0q5ZsK@Bf3TP$0E z3$vB0ou$>KoxIJmb?Usean={}vsxh5DCa;oP7Rg3*E91mK!KlqOl{P4p=LplO^8OH zq?RNMhYsmYponOWI|^?B--oQviqrJbTT`h>es8K&YsQ|LhPk1R-M;sF=b99HFs!8Z z@_acp*}R!>!}n8&Vu!Y1w1N6(88&40Y|w1?k4=FjpCy4n#@*R?+;qqoP18CvcoRJy z497L1Q09_Pv2QjLU;6nDI{lUBpRY^gVANql;*=dXu`3$1%_t*IWt674lOj^8lkQXW zxO2Y>SIu?xcyCL7n;Kj>nUL{Mm9rf9KGRgFcA-aKA=4(&Wn(W|sJs2c4fK;fMq*)g zLT=(`rEBYD#D?;B=I_oOgv%-Gx~ns@ZFh=WGu6YQ3JA`&-W&_cH@^UChfQ-@%OB^U z%YmB`57FcD0aK28;hT4d4VZ^MAvIN>L%vRy;1w`J+^{=HH9&R|Ydr<+BhNG7e)Rl6 zF{?l)M1(@t#2{1+rO#8^8L^(U8G(yh|!L?=kIVe3xXPTfvwU(`{8 z=VYfu0jVFLfyAQdr0LA@*RY9@v#_Qz2MA=T$3$B3dUZ9QNba=f%zj6A=ZYhSZHhaO^_WJN8J^Co zWvt$;`CiXaKU#-hr{>BPk>&HkFj!r2k%W)mVa$KiNhIC+2wC1`TLRGSsUmvcs-Dg^ zU_}nKFpNhmbRE7K?vfo@u}mCk{}la|oOBnsaqJO#%=*G2)6f@tyw8-2#qWNq@^I`Y z($5NFrX~|2y*h45bHj+&iRC@oHFOo>h5zZC;$aB-19?@Oc{ zYh8ZoR@dQPwfn1&tEZ6B)k@g3`pfXP!k9AjEIjM1BgicVY`jc~n$0JU_NE}wUb8Ja4vBv zY66sw7(xN#H4eV)p_H1iNc`Iuh2#0-@%T#4U;}^Vq-)Yd#962Y!CN*NK5R*WpEOf1 ze$f$oh3HyYTw!>R+>eeHj_(IH`=eXVd#HPv`?i==NKq*D=qZ>6$j`()R1adEUkX&~ zMatFNrG6+rRBE?*MT->fkQM{)yQ52d!)BLpjpROcWZl8EV%e6E(%F{3T!`K62-?ZOApbob2+?@LS3L7 zb+^5Vgnf%Jo|?eq%#~qm5S-FucHVv%Bu%Zf9BI0&QPqj;GH^-kFlfHES02m`eDu=# zxw^-@L@0z{f=fDavv8a2ni6{oz^^(x)Z;H3c(D2(3V9^0YCNQ 
z5BCn-9e&>aZa?mZ>c!xblqbz4`y`}7Y>G^I9CbV<#QoID)R9?TZeCkrhokMvGPuv)BHWF4yW)kt$8oB&&au217rEZeFWp`@$2y~mC%y`}`=|=r zL|p<@`!nXIwMg=iZVDJ21jv7cpJw4N@5xR~Z?rv!2Ud9goz; zY_~V7Ds(MR36D!E8-2Wl$UuRZKr1R74S}{CfS#PaoSloEobT1J6Rhq)?HG-BJEmSV z`oV<0zT=!Q$?{+2Zt8syGIA~CJxp6^0RaK$Sg5Ewsmsao7};7g7#Q0cnlQLo+x>ZN|xmjD;IP$phll+5%=lA3`~swlKq>N@2^%KMGH3*D|ImoYZDvC-(v_cvoLe<{e$6ub^UwD zzp-lko0Xl5`|q58>-i@qALCyZ{LP~Oa@RjvfBQ=ShL7=Iz88RDW4&_)0uloHA||Zj z27I;->-F>g6Y^^D?99}R(}mkKjoH;PGwzj2yqY|jid_6XNrmBEy10N4<=t0otj0;1 z1f@MsED4&`5&M88N-k69%!+sQBX{aiyCqvEn{~KTAa>Zk`|$PMOEC5D(K72%Aa`n! zx>9FKgz2jv2wENxIF%4EjN;#3^Fm@KWXxyn2?5W{r@BHRtl0n(OF9C z#2MNDlKT&KP=ij$|18%A8aTPj^LTGB=t76bKnSp5zT8P2a0*V$$%%N#NVYv(1=y}= z+N8~$&&f$+KiAkhc6ypBK#X%?U!QBt1M=nLJhl%js67fyZcTGqc9Jbt+I}t}3@tIU zrqgUk`7HX;yEu%yJ1pSW@$x9aFGmD(18etY4AT5|L#tY|9(ETcJNvx$AKdX(f;jmL-^Cy?v&iH4W@82<#4owt}ej=qb>qt6J__?kvE&=3RZA% zu(Wq|b+!3sbMnp2^~2EHV`}E)A;f?5Wlt5c{$p9Z*(CW6fY2u*ACcc5Bl|Vqag+Gy zmu(tLy$s6Z`7->v&1orEz02EmY5{|w){hYc#p*s;-Q;7d5So}a*Lj2YxgWj7iiT1`> zMvo&S2hoOwT_40}YZdQ~aKZ&Y)Pc#{`NM(6%e0SZ~kq0DwftXKVAg5ie&l0tlOiry2^!-LK2((0tVZOGL6=N%x58sP^+dUcr z2@bK1YVi= z6GfQG)s+*D&?|Kb)4$c|`bWHxFJY9p!LD0u{vtdu`-3hSkd*;y%`(F zdn10P&qhpEmNq%z=Re}q{{%UX)N`LFRt|@=F9E$Gf)B3PL$gQo&-o>ZX+B%do#Spu zcX70e%EK)6{rR)I=Nk0|Sf$yj<1Z7+q5!tf65&VuZktGKaAl#YhA%t)g(0+sZ4s^q zn9Tf26uUeI@%Sq=xt}kqe1r83P(h<)m}9BOCDy!2uFsNV$trL-+z6K+uHXzh@*$a- zv;`jPG0(Q$QPCBG61x)cvhKFY@SkytV(T05U-3nd4?HXGGTu8)z`O#JUOg36B%NTt zZnCU*Yw*zc9{AK5GH>|Ylk*9fqKV*!tkKDt@lyXiMfrb6vU716%F>v<8vO-sn4<4r zKk3z#Csg@q7|hc1<->42Wwe^KFKduT@3K<>|3;@8n8SKOTU)BVsBv?C9-OfA6~p84 zNV7-~@YW2=2)K%336M1$3BK9ydmOs&W+>7A`Y@U(dm3mxTZ3pyN5xO7?4L-ANTS)I zC=nKo#{*?xn6a-_)9DvFBxpII*|5pG7Rjhb5Pa2cBmR=^;6$sN+lti@dDe6uT7uyl zac%AGSK04&mXjV0*C1FTdLpNGkr;kf{#Pi4J@>VZMS;Ob%Z);LinEv*zfCBU8rP%_36P8 zHG!KOy_V%#^ue})`t30!m;DLbLgl9MifIo%(zpXSN8lkoVU=UK=|DwuCO=iOEo&ik)9e@FA4FuAcilD*#P%~ zQhu6)JJSP{X;&B0tX^h?aa)zLXQ@hxUS?Ic2I|9oZ-(n|MxZ`VcA4@A{foi&*!7R8 zhb22^99~Qz!RvW~rnzYr*z9~g_9^L46`SeCE?61C#>@K#rG~)s@4?Bqhx$TwL}^w< 
zW{Q@w&-&03j(5B89i~nEYlDL7GS@qMlybsM%UI7c$j{?YTAvb!A=cW6!yzpt%1wKea^fvkY9DE*9$lSSt{(Wt`*`fgV1ry$RB_ zB{v$oJEL18BucDQO6#z=l}?TOH0p#LL?@777k%HB7o|{6T}HoZ#PWLy{+eaoK0S>l zSm&WtaGe;LleB1#IF3gp^j&HUN!t&r1$+qPp>39R`JC4h(l0AfhYaRjdVl?Cikyl|7^Tkx(pR zsec7{*QLwiL)#V>7(;8wqBXl(PiSGX&CD9YiEyXY8?^R$UV1*qctXI6V7T{=%ZbnD ztGeB(j%7C8sF60=-O!GbTzw+l-MM_a(dHUjKS0zu5$e3++|sb|%w|xZRH~ z8E+2=1XK+r-ukFarus&u-N8`6St0r=kV7WKeE7SX(e-fjTa_bEbq5T;GzSk!3a+!B zo`ApIzn8dOlX}YEv9Z^za5^yP_0$|rhUX^)Q#~0myxCj^W0IPH$wqGpT~la}b^F{r z1*&r$BLpqhRJcyHMFa)%GMTNw%-)Ta4wo3-Y%xGFx9f6;6AGf7@>mO0-MQaY4yH{n z6OKZ54|som=q_V&c+sQ?GAta+tcD&E>iRW@@L@jqF#cF~84~r*AUd2@JK}feH0@@^ z2Ib-K|END8x*n0I^Kq^_ZckZ+EEbt1#J?7*d3jN22b-{A!O&~50#cjD?qqx0GpWPn$TKksDCyTX+_`&m@r1N=t@z{c8^z>>^^Fa5u(jpmlR>S}s z+Uy%(Z;N|r%^dA`t$Z|7DZsaW_vkWqtX`?hhe-Qqmf@kQ%&|B1;ZI8VjUeu3OeS$K zY|V85$AGbKQ2aB{V(3;OGMD(p=d<}#LAxVGN4b5{=g%cQ87Zy-+=Rw@A#5$znpvkF zMLad*n-6J&77fyA?}Xbsex+tJk^|UMK+8wf9J!=%7vK%Ga=jM(6!3<$tVz$uZ`qFp zl?Y779jz2|!Q=W-z@qbOY2+!f#GaZP{3br5L_T*g-iR_PwAS%akIR8g7usvIM0taE z&t{gnjpJwgWsCkrhm73o_nV>M#G!cRi=)Rk%BA}~^ei41Jjh3@Uhk?QQUqtDUo3Fd z@05n`w64O?wBd}G8dpJP>k?S^W3Ps%%$?2jgwCKR5vQPVZdR4ybd1NNdk2(b$YsxgPy6eTM50_I(tdQz=Zmuq3_S2z zLD7cPb)FyZq!NH<;vY__Gx$QZIdtVH$=@~a`g{d$hX5Dp!7_!qy%PrUW6#v#*CUGH zg>@8I-h??ZpC7Ei3N?xT9T6qgr)udelJNLOD-6~EYEfsK*13R&hL4)EhH}pKkT9rN z*>={a_fj{;%a`|c{7=tQVDmj{i!Wgc;5cjxL~qT#>g{Z>>y$p>rI?$8z7QPo#nNu( z-);!Z1CSZ%MZ9gd+h0)ToZklTZ-N~05lzY~vL>`Uni;+Jqqi#oLqmMq-ULFeN@-91 zI>GLG^g^3N-h_M3&X|Wmjpvlr6%yKu=}Y+EHu%-)6zBNx;P34fi}0U-^;!^uGaD+W zu}`*UTX|a%k~H?^<&bcYqg--)UR*fNgVW{U;T@}kT?#g*bX@^IeFay>Jk?5qRZCFT zAH-I9DYkj{^p{ovhBv=_BQ3J}q~Gvm!W8_}0_~ncn}=sFC;R8SQR^0_Demc;B7h%w||dz;E?@j0i4JoI9_^R;8z_r2N_MM8_0ZnH+x#dkYEO&B%de zYr33;KvHzYWTz?^EPfIMTGF#0$o+!sZG^_1Cand=0ek3K5W|+R>(_}5-%=D7aFCPW z!P9O~mz~WF2j9eBxV*Ot_RNUtj<(43!dOQV2RD z1ZSp+K_9{zUUZB?p7Y?!ID{Rb4+(IC>4nE3vKwKc+UA>jaQhgvF-NB8=VmG1Dk+|w zCNDr%z2FLSLsnO0kBctVj);h0$<~J>!rI&i9^d^DHQ%|t?7&vgQX_dcwHfiqeN-0j 
z&qUwM;04K>O=I^C0;;bbj`-zuA@4Ao-~O``J}feJI5>dE{FE1H3O7J_#mycOj1!6U zXO4(dh7W>iDr62)VY%@yy{Wf8uiFe;3{cwpe41N!g~-jQW#u1RgSjV}e<__-puI?N z>q14|*T60z2A<-Jc;cA(IYGzP2*K4LxPSx(JLtRU70s`;K)SsnuHET|jTy@*?0Kv4 zLT?SyoyL!-SEfNK?5aVfkY4Hu(r_UmKfh4)2#v9mycSYQ19ewxw>b^|8@WdZbMNHwK~XRbLYKRKD+&ygBv)R`-}631=f7 z7x*WC2bS}IIbHf1E?iG6iC-Q{VH3>yU15xhaP+hs!aH+O(z=Y@RHo(D=|O-dpyFz; z5PwFUZo_BQF9vISRW;ouG|5}tu?O{_&h2JTv5^xDq<*Jaf9CiC%94^G@9IkbZF)ih zZ?WK_7Cb}LbmTr0^Z^;Pib|;3!Bc@ZlY0JuWi+c1XwKJawTy?5f6qVPB&0BEPoh| zT;3N*{*z`jfZi-*ih~+on4xE<)5KSgUINi{I z7WbMHoR;2(*3-J!!K$sbw&hGVogY?rE+yAoKl?ABwnKfdKHAmqUe$_9dkN_?@%t`c zm8a`71ywSt-8cmhF2|0`h7D`&H&~yD@`?GhX`gw+Gj}%TE5=Jc7<8_&b9_xZeL@Fw zUl9pZ35*>?-gbw?{x}F)^8k5&z3a*8dX+hE#k(Q{Fy39x;uHGZd@FmVam-8D?50s} z+}(G^(9^Wk@UnOA#8{~oXJq&QTK#R)H9)uDmUg3m=`|!TJdK6JWZ4G!uDgB(vFoGg+eThIwh*vH4NqADcPgVTq{3TtNGk&WO?QEfE+ zY8a90ToX?N4u6ajt%z34dSAwue$HkYBznb3sE~qQKf)@^N&~yB0Dn|UP7Y;uL`(|> z#qMkm{Oxw!(lBXBwsILKdH}60Ckyutw`D*F)zoO}wI3c`<>n`nVlAHxw%jg~Fq473 z9XbdoC^DVI^k^vlz<93*$=vL1{4ny@Qku^f?(+e^ErPViLDK>9A7K`rhSKG>P$Y!} zJ!YP%`5jo^WeU$DV->U%m=Sw>3^&*{`5jR0*!5wYW{kIi^d!6xnTYCE$CLPj&08KM z-}P|)H@?5ed*L^R2o*b?>(5#LLZKh%X8{S&9=i+_Uv`*1R-%Zal@4|~p%sy1$?hvW zAMD3Ind_|&JOFClZwWxc91N7oZ=*|4fm26Jksm06eQWpBp@%ZKdsPz6`d z7oc!lHU^-^c^$)Lfd^Fa_$6?DV__(YVEiO;=Qs|bGLfN+`s~Ye`#fK~{^%^(#`f-G zidGKgzdT;G*8&JXJ@29KnV4-2T)bnk9y(@ea-&x{3zD)Fq(gZ`4aJ~&w|(E8<`7*@ z_Go~j;!;AAJr1m>V2O~9Df+H`s%FLe!#6JoE(9HefadW99l;CQ6LrC8;#@avwk9;K zSq+kv6IVjUgG1bPQ@fu{RAG(zSO7E=C-#n0mi;GBc=jQXT0hC*g(1v$U(sp_XE@<% z!zFH#IEzlm<}-mZ!INb?qf3rGfH#Q%nlkU_?E`Px(zS7$cWozRa^J7TE!h4>&1*6s zuVy#C_UDNEUXfG%x7AGp72a`TtCVO*|3r0M*)QqMm#!5ZA=m*9Jx87^STvIo(yEqp ztBr(_6zky?dI+MkAta^TCV|^NYQ$oV9b=>MmpY;)-xnWx)?M$Iov)9s6URiJ;YCkG ztJg>VM{dXfnUZxw8&)6_sz%jQeR22+F;}%4DoN1UQfY-QKv9V4@}|Y~nQM1R(2y@o{j6LRXJ>7jor%rifigF zjCz(H*rONZM329<>(&6fpwrdjX5X{M^4Pm6Tu+*1%~lE=)$h7&u%nQI(u`d`EZ*K6 zlYt}x_-M}+T&A1$^@SV{0K}Nc`Kv6!H1PEpsUmKU6u4$YzCpQNXV>-M-cY;k}vrz>??3WpZmWqffYk^_uNBDPOBM29PhB*Gzsy?@aBLfw*;V+9)Zn z5PfUDgJLt>#^r|1O 
z0xRKP{rBGs)yPqE{){KC#vbeJmF=0(3-kuD9O{TCK+ znFVq<0e&WxWmxfm?cm&SH%qh#OUu>4=2*9;lfz~i?a<)R`%Ja%yF*RxY#n-9yH)5; zHHt#O*$gELvEf|~11+-NL|TN-BuVMrp0|3N*5wKHLh$VGqCRYu3Gu5VBDMWb_=XM9 zMuWR-X+AgM-Nf+LRxy6NYrn+7O?oqDxQjMl0)!tUuhVi-J}|1)=^W$;<2jztp#ue> z$!(C)YIF2NIFD>zFqyj(kGUUd2=0b1U)i33vUeGLoWHZ?zr{ugUB_7hV3;uwm#xUHxhi>CeM`LlAu^dh1XdlrrR*)`i zY}~f>P{$ZrK_s&Wl4v7GZPB?36Eq+=!S{}s+N3-?v67nvHlR0ifhNsV>hoxfU6BpC zOC@?nQi89XfC;oOi)6#Kk-mkseA@L5Gk>GHqu?nfqJ$qUK`i{b=Y6#HBSt-v8rRJ5 z(a=#A<0LewM-C)BDb*f0yktO`u#{?(Ux54Hr z}@ z&}cv|aaeL_rA&!knLOp%CN~nna_aRc=PMFf4#{>|C7Pb!S<-B)+XkfT=B9+k-n&Sp zo07gX?A#)lP&Kd`X+p63c}RBNHLD<4o{%SUNo+Vkh~$|QfWL7uX`&|>&-j^PCuon> zvgzEChI1Sol~}ig=Z$`k6N-aj!RYreW}$s$L${Vmb>Rv4K>rf0)w{T==xTsaof9K5 ze({+9g=m1k9=#3+vxq!gD9KYfh@%EF`&w5qa!T$b9W)VqG0ueoAtOxSh)#a8+Y3eS zk|*{B{-j^77+`L)5m?`_pk%;MpD?wRpr_3Dt0Ma2W1|knSJ#plf^TS>(At|V3@VW3 z5d|fN0FxZ7z(>rnHT?n=_pU>OlJ3)hnq&~DHgNn>9B}O3dKph~b1=j?18$B*cOkR< z5I|>OCxo>Y!_jMK&3^5Aar*OBaroDgCZXk1_sk<=f6FOn>PzV!&W5*3?B7q#TPlSr z4z{s)j^wYM+-EV_)`&4C5npFNrXx0XfExLTOgo z_{eu@9$Lf~sGABVwIUK5hGJ)XhhUVI{1n}+8HA@U{N7(Dt1iLs&{zQ;L1;TJ%;P_` zCW56g_Q&J(SEqnx+c9>wIfQbjvh4<2cOIM+;+U@=?Es^9`B`XEf+Mrc_eu%_&p;zWXg;(S7)n9P@xwuX(WyBP%-+kr{Ov23ApD zU2CK)g@5(CO~S5ivhVwzH__36UY};)`k21rF-=W$>(dy&e(~&B7ui@TIR}|&P)gP72 zC1#v5JjchqR?@-QGcN$eOLhur$|CX%EBEcBXjB3##IGoK zx=n=$=Pp2)V;>JQE{#r>nd}X8g3$_^;jdWvxImV)zsA*070Sm@W7HLj!6Gj~Fb`Tm zfA)9LLBBEn<3Q;zueUPm9!D53pWBtZDzkDYMJJaLDJXT5pBt> z?@PLi1^pzsWMpxeMZ%zD+P6{=(?4_Qf1BG{25w_cG@&G4y}H38B-q8Qt^?&;C(!~> z*OGM)KVLCKOS6Y5W{Fmk&!0e2rb>3*DsWpIy^sBe-hXZi{(+I|i}x6S7^toc>HKHN z6s%744V4(+#aynX3f{Qs=J3;J)}sypej{+>7f zMcVTfEUTcf5Ej3f`Tt{hAn-HtEfuPSE*P`6f3f|6QK9`-K|b0kiMH3}-!A!k94vkN zZD7Yuz1`m%|4sV;Ywuw}IsQMx|5srC-~7c@Vtyet2ma1%?qCcAF+-zp_ZKY7{#p= z^wx~3{yLd-E(c~*Nk)@x^8`1AvA#0jdSumMP!tMaNg?13zZnbp$8lD86_K~ zKj!)Zm=cTQ^<-=b(`PDJUhT9dhNvQ)GG2$Vz{Oq=<_qUgBe21hT1Up?<`zA+cALjN z&9B+n?Slh|zwWi@RH^naFJsFWtOpn5K0iN8+tG1yVy363kBpA`x3qA2d3kM_1J`9N zl;F-2LiE{O>B*}q_-D!yox92Y#=fmS^F>Q$^7Yc>+6x>wFbV@I?tOiuu`2-;+On_T 
zir+wO#(LoYo?_N^K-$_t=vG{CYHWG@>8h%4aCSb|ZhZxUivhWVmHu+qRw`85-H(?4WSMrK zWaw;sFrN?5$M8-RX48nFQ%Lb7O@K2bCnpz)$!Gp^|ZK0jw;S~A8lt($~>L#gm^$fu(Yw337eU6_U`qW@{jdo z>k34W@Qd&suP@O-r*)ueJ)cH39e^iMwPJ8E5|dcc?)mkVwy?9h#D`m2HidLNaewTl zg7>fCq)S7l7bN{N)wg8N43tmbwKiimbYHKYA7;n8XMG6=n=o`}8_j)m7rtqK zk?U_-^Wy4Q2&vK2d2%}`VN*3{auH_urBuE3-LzS~a#I7&=s{S=SFbfd52R(zCgFa5@OFX-h~`ptwDVCM%+{Elh3vUhkG<~R9 zSEeIsu3~xQtNa7f`wizZ)~$N?;eI$rN7|}Zo?QQ+Oj%zuMnFGK?=0K=+zp-0-)>f{ zje&G16dP_Om>=DgfA}8Ozd1PEB;UBo9tYSM_?Vb9jWV}Yt2sEZfPjD`QO9sl&nbr4 z%Q0*C=WWH7cz7+lLh`| zsn!tG*jl#=a;Nt~VCi!fhoGLPn0%M zInEVL2+$3Dr!EHXWvO*Nhp}qG0ZSy`+m^kHeR>JSdd|Not0e($#4GxdE^2o$_*P?h z$f=j|n1yTKEwA&Z21UC-jb3_go(x^#MI&!J2G{c$zG zS$2>uVeX#ttx@%q75GH8h}U-hKKkYc?sGZnk*)i_4WCKn!ZPOop$$r7&{7$%t`Uu z7HPK{SN8&VFEFiHDdeO`8_m%}oGY5sq8N%WiG0VnJt znHZ9FFRS<-g6GU{?ggY5Ry3iz8ee>>#PsW6Pp}uX8WI9K{=2OHjY`^l^{4$m?EUpu zT}!hz3?~rWU4sU9cM0z9?(Xg$Y~k(@2oT)e-66QUySu$B``+g}+56mMeE-1n+hmO% zP4}$os;jQ5>Z#uJa38$Q_T!#OxDCOnJfu0RoVBDQC+CB?x%se?a5|cXf56U9`X;yb z!otE^mOv^w5p#8*Q^2j`>$lC#*M>OzjoSTsdqPGn9n3YpXYHcCYhc%!8?D)IZODhR zY>kPR(%iYO@D)s?l?PG>=oPG9l&+%%E^FXpxp1hIW*QF{cdY_dbK1u3`!$bi_nV}B znkBOh+7WfIhovITlEvWW+6QgobpE_aeiZDFk%e!fwo8*8GzIA{odf`alq#$JW*YiN zRmE-5j3_R!lJC6ERNU;<5P^E66gGc=5H;x5XGxH$^3>$VN^X<$Qz!X~()AQ1tTX?!JJ_Jbr*UI<)Svbs6ro`ZA>TDztW2=Oj881oo|F2e2{_O% z_qsIw+`@D1X{eeyy^i;s$J_zdvj8*Ven6sBllmSD?9A8_VU7{{D_$~Ut*t>>(3DK& zm{0bHYe){G{>}8=?5)B~-|d+`szGE~=Y%4i5OP>7#!rH0C(zp-Z>g%IJyR^wM_-du zp*Wltt`f7dzG*m9kH$r9=O&V|H5}nl2>46=8L*I3f+Ig&B$2iSUY;lAnV;Y|y`2(3;`RmVY*o`B9K@vh zjMe7JQ^;yFn?TwuL9)A#K2&L}d270g3awbAY=6^WaG=s~9|He5^U(|yJ$!GI21#Ka z_vgqcGZm?@Z8zB@nz;?0gCw_XC&KrxJqIcU=<7dZx55dMZa}x4O?~~&Q!;g3@1JFs z5&sRYK-iK>HM~@}-cSfadRL}4j*E*6hn9BBGt^C)BwvR;O!CnEq8uk+!*95P&ZJbc zKF{Seccfb>pXVy$_$dB?*X630WT$CHL{5(WWhN2fcA;5zeik35cNFI8*$h(Slj<2~ z;w*j?WX*>?QZRBkE&dQg2tYY8LAFl{r3kHYnvMabUKNsrxhQ;U0mPoRG%LgyBVBr+ zL0^diFPC7x?zin~F{7_|- z=|AZ!u;uH+;KK{%Elu{9OddW16e$X`mP$n^%?oB0zvAbJ4ZZwPWGlx6#;VDkQDnh$ 
z)8EhLvAv3yrOdTzH+S10s2c-YJy^)D!mHg0VVEIT=%ZL`wTOHR+P1;G2dY(hrF(KU zoOCSAV{p|Sm7-n2^C zMfFC|{I$p{r81X=5g&})?i$7@vr8XPh@{de=w68AsslK?UEMsxr!L^a!`SW>Qkeg$ z4%*$zEwPjEAUX)sb=zil^24Xy*su8{R`!u&{yx1N`o2o2e+lw}S1QwDQZuuSKc4tTBk0Qxw1gYFCN%Djpy&e#{{1M$nffK__fd^Ds`XxN`}YA z%BI9h*Wa12QTRaD)bRtw<*|Eh)Ix3Y$P6?(c-3yr09&&OkBhUjX!GT%rsWB#O&|~@ zbA>f(3l3j=teF#>xThgaA^&1bN4oUUCcgRtDuZJoiX zXk8}a;)=e4BFP;+Or5`G$|p9#9?!HCHtwqO;iJz{FW8M4s)@RN>?sV{INGDuB*J5} zmg1a10%lSHpGr&=K;5BNb+Ycmm4ibLifoy^gG*pb33Qz|C=#h|85jA!@t4p26X`C5 zeTayXJU+-+M2LG93?8NG19y-OZU=rv48d@QpJ}()WM8_pwL-H0;CF_R*|QYt{G?Ys z*35QPVZ;aGH&^Rt5+{42w*+-`bkGWf3k=?Cb^W1^FQ;PaC1SPlJ4-wNB2euSqjlLL(pmhL3$Qnjq| zQM9li!mBMKsm(zkFC(hSTd_%O-pkn3Q%_Os?lJ?!Z--XG?nJOSbMMDWGXfbfWCa9@ zw7m)VL=TQ4wD5c7!5!vHI;8M;63qJ)^@(ouDtr#53qH=;*9MnM@y{`8OC4byarLd~2PwIZOuTDXpZG zcM3skAHqG(==VFa8^g8HMJY{l2DQhq_NeHN1;Z2#bI##^1aAoxIb%gjr~w?7@HvNE zo|A_izT1uD-8bt`jFwcdddkc4twK$REj2#FLYIQZUU%I&tLasS60(k2qo8W{RKE)A z`tC8WCm9=zUh8$JJEpu9Tzhp5Cf_hx!Ur{pwc{^%zoeMx)elYmKvu zT_SHHC$nBakhXby_C?fPVKSHN~UBzwLP2FgIdaNDbzwT0~ z_ey8QnE1wAAXR1dW_;O&kjZHt!4->L1H~nq=rv>aRFt`ZdLK=Zy&G%`fUhL~nBKk| zSdxU5a9Xl(y=pSOWJCg=TmuY@xyLED-Ebv>x~pZj3d=54B#PkZrnj+~svJeRrL54K zrsHVv$a6+8;&DGth?MnJM+g7l38v{#=VHT$a23LF?BXFutXGekR{FyB2Z|w=i}F)T zY0to&^Q5og4hh4@?q<$6B-ii&mTr^Kr?AjJZt0Q)9#z>J<*x+l3{Rl@Oe3?q$`SrWmIKx;kv?v==-eP;RwlnG+tX|?1OdNk zG2ruaxd2Dtu9S(#oAE5U!jAO^3uhf9l7EfW7u?9NS_bOJ=$~>tRpHuK<9}4puz;5& zXA2$=)w@jslg!|QihAR!YJ5>p?aD=4pEN4gz^wnRiUm1W2*A8RsNWqfygK#V zY^^o`x?D0}KoRM~6VqX1J3G=CpF@@}v@*0l^cg zZ{TUL@O58>ogKRe1f`Au2a7waV8buIs#W$nh2(&?<@yA7h4Rg0IcMT0f~y@8Is-Xgr_7pxB>6B8lDQ?e2B1|uge_V*76jvIUlW0z4%KolqyH3P{o9709s>p$rtFxy-`Kfx_ulJ1Vt-0{@~0^R3FvbY^z%|Bh~=4g|MW&|@(KWU(+&6=ALO~B2^UfG~?cfN4As@E+g!=N{D1+`j5qmu9 z0Q8W+e>A^(Q|iszRPM`Z7PUvB|vMd}}y# zvv$ILV}BB5{ia&v+)VsK*_HcYFcXq7ldJ^!^@s=g{_ZsNLo^YD)T!M)obbASp1tU? 
z0yx<6-aAUcQ{x}01-Y6}X^*Nez@nOyrm`jZC8C4fy4M4Y3CgdPY;)QCqt!#o@Bu>} z<*p15Th?U~*^Gv4dOM9RRhyx}CL$N~8<@$Rw0mW{ktFY83Ev!>01Cib7uVKoo2M&m zM@uTB1%lv{zL62Ans#78M0?^KJ{f~j>B08IFnLhOZ^N=6L_mjQewaF#6wPSw^3BxR z)~%!r!e639Ha#oY$-4eQ8gb+3dvJ0ChL$zj(!@Lw4Gm14#k`2Wn%C6OGy-oHnr${K z6{vb@lUgfUvU}e@z2mITA1nnilP3-c8$(p zSq~?ODkt2opFf<1KH8#c&AkUF@fj;OWnA)LZ}f!R%375=5N`ESsg{%Hbpbg=O8HUs zQ74Na4sR2^YaG`e7OIgOdVz_j%wIKevVE;Uj?#(q^N|MkLJ4vtMQojf_wY*KcO8Sw zntGH&T8?I{D1m&-EvYiBF2T%A7A16)?P5Xo07) z%5UuyWqkeLF-VHH;eT_HE-1iq1zYXQ<|ycuHg7^*7xD44T<>6K5N>Wt?QboG7(yqK z;(On2s8k{VOE}JbfPZvF)gw2yICnaOclSb)Po^Bd-j-U0(8Ps2@HJrWl>bntRm>F7a zyMlR_(|Z5x)>gLt_-CBiC0eaQ6 zK!=~4;t`vgsvcWxoh3R)b=+`k@HjtB=33{O7^sIlIOpxKW7*4}GWIS}$^R!8{8zZ- zX9&f;-oemnsrr6EQABW@c)QFvWFE%oMm&F5JpSc4{&vYh<44siOPOrc5)g()xZy#rP|25T1UO3>@W7~Zs1OJ ze9jeQBJe)Zd4~j=*2Tz`AS#&k`cCL9?z_VvhLtUa0ys)y>0DT{{lQLqbCG z18J`lG}zzNu{vBsuFvY*6%F@wd#O-)S{UyFBkjM8P} z6Q&7`n;0QUkBiEcrk{4iUhOGSi<)V_{N~dC&vXo*4CsvXZbTsv9eI09;KF~Nf1AL! zjb`n-(-bYK?cdwor66w5($Y!*J5{DsHdh~6rOSq=C=?iG+@0Z7--{IcE!bZ`!2%uE zDChr`EIdI>2~}sVb>Zbx0m|UiQSl0qtSg!coK?7Kp1@{tvwi%;j#@S_Nubr{fo4&s z;jT;?N&?E_fSTg<`0zjuv(2?=A6XObH($%UdI0p(DzPn5?*HC}9|(&Y0SObv`HLI$ zwXgUGN+x@$PhmO->zLEvL0!71NAv< zb0J>}w<#qoFS*)|S-h3Zcyoqt5wc|4A01ovQXx+`hD>8lG0!~)n-@wmTc{Lc%lZ217H??Pq*_Ft?8PTG%1lA~m&X77zt{tSlSkR1Er9>~Nc?9&3k)yF@YvHu)!LJM5mYMA=R|F`i!U(ElL`2SP&f25aDD_i`A&sZu!fYA*&q**Mc z>xXB=!v6?mV`lKE#zgve7R*U}ncgH$7;%&emdE3! zr}O6-B;)NKD!Q}}>~fq_0Z-!EudH58#X^Ilo1z6f1-`A)DdU-16s2-V`Wp&W5y+Cb zlMM^3C`bESRSmR_BZb7dOWc2%u36eneT-R|acBy=8c4G$=Sf^lhyb|kCfxWZR#rBj zewLF*3s#*+a*dOb&J5x7Nz3t#V(Cq$Pu@ERWc^B`z4L9xg7cm52!;`u+2~U(L(Xgf zuzy+4MtPv&TP1g&ll&NhLEf296)fW7`w@jYP;dBb>ENl8TI$6SGO0ftYc4FAV89_U zg`j9eSYnCq*P)W#{Z&9kp(Y1U!}S5tWLD{@lablS#1;rIZ=MnOHRa~lT+geF1m6#? 
zx)0CI$!#!P;}V zG=hS-N$2~b)m^AaYLM6mVpLKX)n&oZZM89)m@>uI>tzs2^ZAb2{bNNbR|Kmey58nO zD3NGQRB3Q8hQnpX?Sk>0;1CcTR0R9 zI8}OUL_%chcu?J)rn=o7XJLrn3&Wd8`@EusuhB86M3b{8u>`zfw>r#Rj`$wpf&LIRM26vV1JroZhfyfh7e zh)E4S2d2QTfaw5=>2ru(p`j@S+Ng8hQruP(7LjB__Dk%mgaQ9AhJ6qADgkob&$kLgBeY>VnLN~zBWac!KAp3Af>%@)>f)>$&Eu|G{)g}d9Ll&UEz+p zt5H<~ylZDNB1rn-KIJf!!W{;SasyZj{SQR&3}Yvh@*1fQ3TC6=zl3?ULSCBIu3`RO zR3^#rwG}!LJ5RK58F8^3bV-z1G_<2x=>6_xz2u>*vQe!g%<*!j)8)cpsC!eFcVOo6 zSm;gBZMUp$q0$Z!olch`_X`(;&5@`C2dJ)^AB3i-;C?xUeEBXs8^VZezHJM8n7Id3 zhamTboVa!HL}zVPL(lpulsS}VmEP2GjNzPt>WiOa9?>s;E7jIl;skl40tOlJCz+62 z%y06boH<|3V7&8H-eyQ_dT(Z*^zabFQY8y=O&j@~QpF#(OPW#)IZf;xmSm)SJ>z{s zNTD6~rG#1#S!%^aFAhs447CGdw0S<4c>1bF9kW=aGz`nx;j~toVL!1>=b%@|RPIYk zd1^-up>z#)pwJVw<_m)kFU=U-d$?O0PbDuFrm9KlrU!S-jSt|I2>Hnb-OatFhKBx} z5_zH^y9RPy|L_tnC>x>lEtA!H&?_$>?V0_Cvnyd{+s0>r>HJS8OSRa5J*k04h>-0l zB*lxvXwhCu)!>AB2rA!SqM1Zwv|TqynHyAdAr3BgUwi$;)mRK;;;QIfXmS-Zkfzu_ z5soc|{R-oqwO;s?79)qG=g4-_^w#hKTcwjsSa*i}F>*<}v}70j{Q@tg&aKsQ)*wBU>UUvD_GyOqb$K0;fQOV z+MXD}Yo|JumC6;|iCPEpFpX1?+-dR{WlLs=Sme!d5$CW!3#Zx`WHPbU@p(jfqeWA( z#bSUM3;!bz3OuzoF&{c&R|woxB>mHc`KQf4p_hLSNa)=TUBr*D!8=V5?y4!q`?f?(k%_B31#Jj&{)CdHs44i5uhz4(w~cAcZvNfaZJW9#-O4$zMLV z;KYa=*cc+eZr0cX?Q3v|jnTu*MdyI#k?e2%b?rZ}aoe+OV)|qA!X}>jYP^q_cG+r| zNMvxfY|>WV#H|6a007)KE z0-<~esTD}@g2SWYq{wneN$}(IeL}xhwVrkL*e7aj;6Z+$N&yv2-;)Z~C(2e%>44AZ zdk96INUcq~Z+3YS*{Ta$WpF+OraToV`ShyX4&yP1AR@cBqt^fh?OUR`lE%yHGc&c7 z%S(Cnhl-0h{f7x@;9bLFmB>wP7F5PqCMn@P<@B-;+99T7n1zH%?24rf^^)9;demN- zWw=Zy3Ssgd_Iy4e&YJaxrlky>Djsj)xaO|!fP>2sr4uD=Z|HOt8f3cHR2}_HdW+F* z%vs`AB4GxEe;KhBU>s(Gp@J^qpRP-=e-rIyJy~H;t^>-=YKhzp7*$g0QbmdSXjqu% z+A!y4Hf3PEGqo9?{1GrIjV+C7k&KSjoD|_L(&)YPHmewNx*^T_apVEs~phozRef72R1{w@&OcVf*0z z>~gZ!f)H#x9b<2SuhQC%pxLL$n~dQ(Z0f#y#s04yYeFf_H^^z$CGP^IKl>#|l8-Dv z*a7R&u#rjnQ#Un;R+6+G!g=^xTHkO4I|;L4_;Ju?6GHNL#n=yNZ=<8N%m=+%yt=Z$ z1l0(#b)~gMU==mTEghUYUL=Fw%$Hp-ZQ3|wc>V2xbA9Jp*zi7s-F{-X=~`AV;bmKR zRTdj$v(n0pdo9fD!NWvH<-MIk5km+!2s)k*XJ#NwV>DbeGNlLy0KC%VA^UEXh 
zVy(G2d#fWcI;}=oscllF1xeIO2O>?`3dWq|uFk(qY(2_`!DD@mkvQs4c@P`toof{1 z;m!=#xo+IE$#a(1R8)X&L|{p;j4VSnxfF*Rbaok^!LZ4a*b`EZXjJc@{=J^Hz>rvE z2|!J>6l4e!wK++X`zXKXj&2@3{(3X}EftNi}67%QH9lK{#Z)b{?UXo9}3M1S3} zg>TaBR2B zg(Hq+Z)bR8T7hqU*K~X?5JlwHj|M)pL4Tz`*t*=?*mS$-ihbzdp(rqEdA9gPQ6FDT|D@xYiaqULmtQRP4%hFzB3p3+5Vhkr*wH<0y0c5r$k z55|3suRQmZ!ZOtP1!T?{s^nJT5u8-1$ok7uBAP7k38hQ;$e0ch(c3xK{gA(nN5b_4 zT){~D*DFFq6H!n=QJAX`@sP@>ewv+^6_nCwz+E3W1f}D&hORGj`v}OLmgd+M$#Fx@ z=e6!0fng(>l&e4KiN){eW9^wFh3ge~Q#S9|d>L*PUc0X(^aS6F_C#9VR=km1wyZFi zIGVp0ZjL*4scSY3+RQMM@-cwFBMFanc8JD=La(tW+yj=W-8Z(h`3R|*mlrJPQ}aGs z;8)*#BOuvyZKW+}>BqJh8m3`+F(1^wEP&<@<*g6F*KvozF+_&D4~I_$y8K&JkzJ3U zJ(GIqb}K*r!PFHib{5I~I4X^C1|n;=Sbh~)6WDZUL9hJL;07d1J{sooS0(@J=8j6- z3OIUheRjdS=JqoIwv=@bzN1GJDb3xOF4a?CdT2)+3{@r&_Y<6j zn++fL=6|V;J5l%D9wVvRzo&4ZX+Vq?jR|=**nJxJ;slFV?IW_90hz8HCGNW;In@ea zs7S5~?J!d?EJsp#`nHGkj}ro9lW>v#;)8%Cv7JmHj`d#OFhp+oi$*#vi5Se!BpeZ? zTvW5}GaG+YJPw zs^n2&*Ihv#H>$ko0Q$p`M9lRH>7f^cXi^7ubT1BB{7>;5l#4!fh4BjIkM8lq0}k(@ zn01JfCQ$-%VHx_Eye5t29mY*ad3$<~r3{cY4qr78(n5ESVZYL=n^2Tf>eqU83H6|= zj10FSve>htxBi-_t)VAT?66iFFN;bJIm8SQ*#sr-+3S-Y~`N*`Qmb01Wm} z$(h8I&o1uoY4(evpIl7x^9g$BPiIDC1BdxM`K2^RN0BS6!anNCS6o_{g+9{(Hum)=ezyY4`m?Ifj0u6dF(U@iN^XVx zFE{a@;eMyT8*$=S{}Tw<@&9hfxyY>)|KnZ#@mP-mEUvvPppN}#0QL7F>ih_t z+_4kTP5Q6E^zUHn|L@X)lYgXxPXF(%N_w8awOQE?BmZCS`}YcQ<@k5~tPSFUTY*4a zXt2!&tqqX=Gs^qVA{S(UNBqk&+Cbd@?D=0~Hc~(`un$w_zm@&>7Ou*w-3 z?DFkv>gWGDJO4JS9zm)79gO9l^#lK#l(G8;RECyrV0FrWoju1MnjUeE{rOv6Zs$3b z+#?KQ#}l+C({)aReEe31)X8dke^tu|dD+fQ*k1 z`dqvB3W@3)nyBAupq_u7nKA3_^$MCg(o8$8*~X_s1$<^#m4q3IK1Yl`94x2#O7pBe zeq`Z1xo>E#gvz>$`6TB0X_8@5?4^LWs|@;w(170E9dWW^Bx#fE<7B3r!3q&>HRq3X zBg2Tq^11zeAmR0idL_YdCA>#-*O|NF&Tu~A*G1>j;N)xB_4aiMfu1*BBeXE97Sgc0 zIc?U0+t1DL2RIIVSs&~PSzm}-j-EM{(Zs>L`qt0t+4p^HjZ}9BEZ4kep>WfG6~^;l z15a}4<2{3>nEwdk#n*?D5kzuNQjrRgtizGV>xG*wC@T4+Kz*DBa^}ajFRb^(4p`~VRO!S8{+D4bPkGR+R z7Jq5E*%}D#Sc|(AP-*QJL39Y!ZcZSDS`z{uFYgKMEg-`c=Lu;`pu1w}41V~6-L*es z&%K!9KpUB*xavWYN_ik}gS#XUIX@W9!g|fQv!X{G7bt&C4m6IY>8GLVh_YY(l44kQ 
z0ANDu*kbuoxIct$dxOo4KAn{cNmB%mmA)q6bu}=k40An@Q#DQRy2Vdm3S&Y&+#N(_ zJ5Z3aJE(96j~hX@Ki+@gm$pmpTtY)fqb3)S300+*oKWneh==>c4xWSoimtv}NUGo0 z{KZIIyA@Pa&+1(_UkUID-FjrX30jixwj2LByXUIW+F}`8bhO*BExhujj~!}MjGoet z-K6aSR=`VJE~XiM!s>dUIe&ZO`(EC_T99dFjWsHI1PtRo^{J1+kp=2-nrpTvtnO{5 zU!tRj;r-M7BwGOn$jWu4Q$JD0DH6!ZdZ1H&`CHe+H1Gzk;=5Q5s_ne3(K5BmVNDAS zHwfab!^0GI_RhvdrwYZJ6RCATDh>w0;30XONuj8!lAsxF zpKZ3jNj{-EvnNb-HkNTQSyah$DPfH%?XO2pCRt znr%BO$>>dw#2(Bvr5nIJQRtned3D^p2|Xy4so$WlP1+({P*n8x#Pa!W7HV8r=g?LI zA2?RwywChy_gh1~6;7v4=?J%K(izTg!R!Pi#otlt$;!HegRCull`3kAfEKKV6}s5b zH!}l5hbi0D5fK8LV) zU-I;=QH)wVb--6Pm`Hj}$yNxGb?#ive63_=`~+$%*DhGmyB6Kv2W-%}*sO4%X>Xx2 zS(^ow9B@w9)`^ZBnf8hp7A%q(bh||u^k#x<`kFaO`3zZrTPk<&4qWPscaYbl zQQg6n5C6llDLu)H#|sxP1dh@3Dw}I(xSj70QlAj40jgiitDj?io8hM4e~BzVpP0A4 zRh(C<1i$z|m~y+-;G=WGBe#e9&`@6Ng`0Xsb%zL;5X2;FOS@}cgIIK#~m z{6Nj0pe{+RfhmCPv2H0AXXNK}wp=Ll_L2IV`-R>x=FOGpGPGVrB#I z0@0g+u390fS51)cFXC@=#wj?-uq(LXhtq|6LdlFjNc!~xwd&Q2_ySkDSJkM$(u@7F z=ue<`+bJ+Oe0g8W=o!_~vGCJhG@?!>NLjzIqmblHICV#XqA>m55Bh_a1Pdyqmi#M- zjW-g9A-I4ocWCdAn>1_2(n&Nt0UeLHPhC?;48ljWJtqn%7=}kH?6qzC_K(qT1gLvw z{VS$*PgzfIlBh3sOGF*exNBM8Y-Kf@>TbSv=IA{xe9@lDM>vCQ!m_#Y=jCDhyjZxa z2;k;T(+s^iU5;H>wg>RvS5voAcqb%io5Xh9$tBl7ZRZ)r(w>HgMs(^;P=BEf7Z5NR z1NbRjPpw#ZtE+nme71J}sv9NkXxx!th>6SqrbrZ=Lrn$75Wh8(qpiK0F~S$xcu<7= zfeZ3oXLaLo%raEvsoj^|WHeOBb%*FMzsP~(=T!d@V71-Z8gSO7A$Pt4=Wn)cgDGqp zE3EDkXA*Ple=#T)DODceCd;CaV=UUgfNaK{R^e zR)?HMtfz2Y@`FlJzzN+9!N^@SyjaC>E}#GD);8)db>0_CZ=Zt*2+mI{rC^{EJio5T z*UU0JPVg{X zo@FTA-U_L$0Gd&~@ePK<33d;O!}g4>#hXNO07qb$i6Zf7x}iGWa}oh zp4?ih-z|s6%sY6fyWV=y7oUTj_%MNA!zLHbsYK&D-*KNl6ZoTgXW)9uKOw6^F9w$oI-vrT$Z+5r?KyFyDX=$=6Cos2uk$ zL89t?qt%T28ixD@oOe9B=i2hljQhLI9>rt}CFP0^@{je?Zu|jyc!9RvPhD#dHv{pI z?hK$zPGy(pAzVXTiSSHoyne6y#`nWaZg=Op`r)6t&Tv>vJbOiXBPxze zW_Ko?B;rW|Q?AXWz+8)`g|%)Zv_05g5TBXr<9715v2uN&IU=_s`Lx1dGmd=X^+hB= z3qT@hJF3Qw;c4EiIXi~3gmN^vdN z%Qxb}*p`q{2n(MHyP>Y6^T+PKk?S!S!Kf9BOeAzS5w#z8h6#)MJt#^)F4H5AjR!9kgeWQwqvR9J4Gm2kG7 z+SIa71b(Bjs|RIZ=>BYKN9VNa;MGBEW?p$*tdRmVWhZy#G0c))NCeH8l$&s(jbU#R 
z3iI;@?Mj2;ER*f`$TS&oOP!Nj>(0tBwW&!c1S#k4BNj&_rR`POkjzV436n0hDtD46 z@{LVjp$_HvO1EXp2Sx{WFSs^(<5LkVs6wYVJEaqM$n=S!F2cLxh9NN$nDbacPQ7ko zfE__0W*dAv39+0XmhB5fo~;73FRCD@v5{0aIBqyLuoKNPv9E2JVCYfWt94&g3huIR zGUD~FyTOzOh%7NE5 zfz)z!P>B5E*FCtJnlYr?l64&%Z@MC@AO~zKaSWu6!@#u6XzZtXYlLK0t?!J)!yOk` z>?b1fdGYu#$YgMmeawzLvbW+rkM7cLsO^5hgz}oNHdAHM^jJrD7e*jp<$zj@x9vmX z+ON7~f=j&%@9kGcmP#yKwC$j3xaH%saL2>xi-s1Aq zVx4EFyFo!fwAIUR}j7J z=&Kr3khTJ!n_INU0#WB)K$kCcBL70+o;Nj~@(={6TXY{H31k8FS(XKR{(ITpQ@ssU z^7s$|&1qh2QmIZuGt98f&lm)qxT-O20l`Fsj$q*>M)L$V175m>%Aj2bsKP|s+1NtY7%(#LCW)K3ytNb^lQ7Mh2;8Lk&5sB{0fYu>*=uX8($k;dtcq&zWFz< zJ#xFu%gZ!%vrqyrRiJoWWfX|Y|Do0^68W{%mo5mt4TgB1nqT%kjiq|NK|*KOBR|f# z@u!foMe8%x6RTB#u-q`%t7s%heOnlQRH7Jx)FgZlA`2ubLSi4{59$%F96YYgq&42a zD*bs{7WKX5VFudds$sKwR5G#zcef3%BnLvei`!V_n?pn1JHpML=be=0%vO97CQrSN zPYd8fkagK8$QPLrKg`|b!ernE2%un9&Ih4cQYayU(kfgOJu_*LQ}O1Qi@kjf(_g38 zx=U+e7(u25-##l|b6$CWSE|aR&>aNJsl&&J8y!DZ7!!(udG~zJ@%f;VwZ0%2hM2+c z+2kdqt<}82`qcbP=Fh6pMZQ{-wGZ}Q*f=HXFAOfJ!CrjtO z8VNMC@XqW6b^#b%m(99&^5{W!w{6D&KXRJFVFwFeNbaA%iCLrtZRNH(@1jFKk%&}Z zH`^qVz0{yc_48)=m%av~l=|kb;Ze`jG|R+u`|DYvoD*a1MR1y69nS5G+}JW$k4Ok1 zD+^XC8Ku0<{!1=fhJFuOH0$i9!^DJ)Gw#G))U6;o&D7d+uweutWP#NclslsSTG+#s zflyu9eFMxBr;Z}}F8kBPN|oY+oJ;fbGCtzvDPcyUB%CG|e3q@l$S==sZT8s)M9l^- z05eus>yhZ889fP zFR?KF@(8Z>#^#*~AZuS|hnWmRW{z<$5fBvByTg~L@^V(FL#Cunqf#_~xSF5axlOg5 z&rEi1(eR+?38Y3Z2~BiNoP`GbsK=xH4mL7rbriy&2?ckIJF=P)s}U7!sd4zdzE7DK zIgLp5i1il6E489jvLWjy<$V1rGA^v@Io>VwuS~92z)l{=H=*(#Ph!SOrd`LABuOR| z!|5G5M9DREie%ei1xpT%rYxO3i57^6{_>r6vDbAnMgfcDQD?Nmw{N^Hcs0T5;2M5U zH)Tr;BTccC=J;uCR`>(KJrhq25I4KKj3V8O%!JN`IRq&IE(=SI%#4GVQ= z8;fhFre}`?c)h`fsf;IwvIMu z%Td?Xar-De5GE{KijNI{ChOY9H-(ZzKOH=q{e zP|k9qEBYMad6D%OyPQ_RU-$0Aylzr$49t7lBE_69&aOtjW4YQ+e|_z=f4Q*N%d!6= z2{lzetOoK9=@j?wbr#PvEQSBRd%5X-G!XN~N|ozHzZm8HD63zqzoTS-#K)ks_r;U- zk|$#!1FTT~`m!Tcu(nN7p~|K%BF91>K4oFFzJD0m%aDw20>@UKkJ=~Oc(GjIM2b4b z#XOZF`7F_=72?~~_QzA$NBlP;X}raEJLNpey3&}5UkaUcM+?NK+s=gT$y=v1<+QVW zB3RRuEKeTmNJ8M|$q@o3hZ3;}eRbY&=cwGsvNE4dv8fXq9BEjSYfF(J9g`6Fh7Hth 
zT#6YbhGgFyDqZ$8FS5Bs_ZFdJJJiXOhSmoLzUaR*w0W5#%;-cB22hws02D$Vh}){1 zj)Y+G*yQ1V;8G_x)!*UAB8kp|=-)lhrDQv-=Prd1U!#}Vb`;MwkhMRnNN=25FE2DU z?89Zw%=h|_Zl{oU(K=5WZ_pX;b#GtRrR?X|wqoXyj&Hf6C>D;&S~* zj}y0h%uoH}ea*X7?Bt?*HTPIi;){J}?%zv5flyETc4^jYFSni4#ZY&g+KDludS=A9 zV|Y>N@u+Vuw^anD{#-=g2!HzVJ~RSZg>>aNg25odmh2I9g9p?+NZ%{b2F85(gcz{;bv^%)*EZrKA8Jxq|hpI`{{3O&XiiOiN2X8EQs3 ze2q4RS!W&X@??*!&NBUmt#iTIi`-JWWXbprBz^?1*CyDu7Gg~0cuvd3%rQ}0sGz3i z1!y00aqO%5Z`iP}SS>O){f3#aG?biCb;G65!xe_u=)^^@cd64j_uD-G3G?_qW}T+% zW>*WNnz?;ke@j6;2`UACRUqN90RHoE=khhFU|7`+3_ekwR?hgX5@m-{0}C+($5n}i ztSH%>Mn%pqdkaKDmnVQ2PXgIt!xo3JfzP>J(~5Y2_SI0?(e-M9b&b&)$>S7$)1s(U z9<7zJPt{ZMM4V7NTz!1<+P+Ifyvr`Bu;Fe&8@mTHjyS-iuv@a!f`Qp+(s%O3BYomnZQBuLjC$*QP z_xChKIn?r}uo4Nbf;D&B8Yw*X9oZ)l8yo-dDF9dBolZ&WbkY=Er#z&klC#&i2tQiYNr8-p|9?!FW7^hJ3IpmDWvaLK2Dobiz&%Luoz(4C$#KgHEE6;UGoY8)S{7i_?|83S& zh>vA(%H0oHL?r`aXg5`Yz2{D$@|eeJHPc_W7@?ptbHSrbo4BM`r)_3la_I`PbT!TY z<;9Ale~*Bc1Z-c!qDx^K@64wT4`XduYUxfVStSoc+I<-Gc)ro&gk7Pcc^t~+iN(td z0~RV-7llH)|C)-85cmOlnpVGsK*s5npzjwKrK^Rd#;15Xcz5;c`1b*N$J`sU7@H0+ zxKi=k4XW&C^!*ehO{>=dnVj*I=NGNE9R@EJY zkN38KHRTB&EQhRcnbG)-dG=33^pu|a3{bI)6Z8IM$}Ul+bO@gNoky?p)=ohlw2^?c z?^$$A_cnc{p}SXW&aJa57xZr?7~r^^u{21gqZ^f58z z=^kHt9XApI69fAm?`fh+4${e58g^#XF3);m8XH19H^b_r_WrW$CrRa5RnLVnD#IO8 zb5(Ac33qI9`>PRy;c*8J6S{X0EalAtuam%u%0)GmpFJyVDD*rmU&naa7jS|Pvu5^_ z*cg|SSU>d`%2{^CcbuGvW!8RH&PQcNj(M0C{h3~Q##^B4}ICv?=)Any1mGwSVcSbYxE3labj_BKHwvGbjdDlVTUd2 z%%y}sY?*R&zu)=(!Cd79%fwRP_;62p1 zy050_d92Kjo1kfWBHsgYX`u*>8am${tVgkcOsfQjR~yaFE4!_9Q;(f@2|L4W=x9t1 z*kjb%TCCg>ZaL(#Jia~J2TjzffC$-%UMW0;>US+2XU~{Sy$*?YX=rza8HDv z_7^W?Nq?u##d~D5%1tqcAwM8y?Jv8eC5z9Ly(^638gq3uJtBieAUB2Gld(hm7GZdH zQ4d{*b!e^Q7se5uW2_ORm4O#~b#yRIt{W};U(u-i_NEI`cM`Zq9T$~^T8@-x^Zo#b zcneak%M*&>m*W=;0YNe70=1lCjUMQi#ESce_R?IB(iaUqIRQcg}P4HDFs zwv-6Q?i-BKJlNUVdZ(m33n^#?MBAd?JI~stsZkOZ6dy$;(AC9gN=5*pKmfImOkCtM zwo}F7Evr{6Ux?`UW$#PXX z-*v7S$6)D1>BhO0L{Deg9Ebk)P^LKWN6#u#ao((Ra-GTd=c+uoVuR_TgE>2F7V7z8 
zyPD2J9VJSSFycj*wL<@1BCpMt6T@&;=S-#y&AJLshf{%v4=(Dlf{I~lzJkrtX$Ls5^>efqB)^R z#nT(1&BS#wg3hnuA*VjgaK%&|D_y0#PvK#%GmBi9CJlcgUy>u*&z>x2+_4srpwz2@ zsgNkn3va4JLY{>aPae$8eHTQiJ7}Fkw7&U>XIbf)5-u&MmX``?Qdv4Y6EF5C_{hUL zLHaj=h?pAGSVolY#VtBv?TsGl7fZc7@h&QqC+5oLu{0{*epBFF-a(}^)4(DX8sMLF z8`Me@<9w_=<TpO>ueJaBN>SZIJzek$qhL5>b>)Ckv@MxT!s_h&0m*9r(%wM$ z#TB;mM1#tXKS@B*T^PU=*g!8ydPpE*-fI~UCE-<#KN`NJqb}aS_rCMI%AJzPS5lVy z1y90=c}E>)F5c47_#Zg-zaUx+iSLB`7||%{^ZpIB`3uNpEDnh0V$56B*7$Yj-=SR? z;sCf5Shhj$Z-BPnF2h8AqN%1aOQ8Q5@8k;!04!<$7*70WJQMBD$BC}K4*v+%`d~~0 zK(Aqh#-sn1rSP{=G7$ZIEN4|g^;?gAyM!eIV6}WF==6Tg)xQnVyO#j)Snm*a*8iV7 z*8zeCVMe2BDE=>e)^DLdNAbJ{%=+=# zN>dtO%U1MWsWU;+?e=&U+Uq(RzL~d>_1PqKh)<<1R zfVXx{!^_U^n zM46|7-!FlWX$#Kq&+-iId0v;R`OVJw$L?UtWKxhShRD;M6wbo2XO!_xx5z7{ioME>KPt33|Mc;m3xVCM)*X-Hfx zF}_liHO;GvcNWb>;cJb&ZCKe-NQnz`@x^q=TEv3+EH6`$9me8r;&D zLi2ozS?R`yR7D`6eOH-??m#}dsnv0dJGg#u5SSUWi)ZWXrC7WDaB6lje|rOO>e9M$ z)`3i)g|K<%%fm#6v>SrRAeKav}xGV$2vQf8M+1YGX*x`V7RWdIOsS#vM_RmC0rp3 zA3n}kSrgd%2S%o(5FboQn21s*;}pSPqe4Y}CnoIIO76+Kwy1P|*ws{KTZD#`%Yxx0 zwE_Wm!y_+#cd)cYGxlUi5DxB`kHb#|hc~1SV>^XRtMM8tW@17b9WR(IH}PS{rQU4Nu60mE}%u^LOJFKHfVG^ zdj&3$cyfTvdv;(#bY&KokHG0_-@bhgknwrsC`m&Jlf&2QP1kq}=`krqK(R-`M3S3+ ze*fgJqiX-*@xGBKq52~|ijhv|kEIGy!-fqObU)%fF5eBHU2UT-vr3SE@w;~(Ub`56 zil|iO_n&iK#tXFa?QD8I04WF^lM%caiM#!{f_Hz;3?YNOZ#GU9fr7>y((!oFpYnp9 zAeX}A=v<|ht}vbzZIarZNq4SytCDNiVMe3{v0)SYcrhyIoX29wgwR&*mOebzMNFIw zU z2R27+0-~TjNml0@p_?2ncoNyx$)S&&cHgzO(0<0l8rnocZ2N>1!EKMZ3~Qhs*RR+NvG+`Jyqn)d0Ubinu`Q-g^B2mF4t+}>P9C^;2iIyig{Y+ zbh3sJQ-N)uA^3@o4oky!3K5ka5)z%RFHwrUJ^|&EO_%0A3~R#9F|Vy9sgKVhpC=nU zsH|lwNCz0dct>myqA6!qAGOeTd#l`623u&^3S}Q{h_Kkpu60uH$=s{A;_#~KB8opT zg1=%buK6@_{*p239^Uaas0S-mpv&wxg4`l_ZD~Q>4Ty9`@uB?~?(n_hIDs3l4bFH{ zOWe#4jN(s@oYt+v*o*{Q#nw6JSZtWpXUy1QctVSwQ&+9vU9bsiaM-iZA`Rd*Eu2r< z2fZxEFBGsU--aqo-sbvcf%OM%Gu4}zmsg$Mw4FuHDfPEGc}(dLtZ@VS`w5s~I_AB0 zgc+vm&hH^DBC1}T4+Y{CBKzRdy>M1&^mTLM4Xs&l7`HuZP6vbGvfp_tUykLX z6@4>5L>Ok}H>i=!CEsx~lw?jg|h99tkz-I?8pJdi$=)(xXbdtH68XqdwDj 
zWMaVLgKKkRWem9rI6qVK?r}D1OV7=cywzZ(sU@v#0{d9j;)2N0ohy7%Ud$@DrsIfi zingLXidqPWGKu6_)&@bz8O)7jOb8BHbV#67b2GuD+~uLKgSoHSZ?4r4q#&a~s3BQ&{2XfNJz0J=N(-z<5tR_=-!c%jA zz_n>I2@z}8=6CM<0%;V7Jy#nT*3iX~HNpw8f%GgYHrzWVy0*p)C#)VG`_i*d&mWJf^Q@40w}u>tubv zzisn0(C3rF)u6b4LJ z_wslnGFVvSlzpMW3M->{aMiJdv-UATH$_Ajsr{GxV_`-JLx{B`sM6+79V99xdm~D~ zE`yuqLA!BkSH&_NTA6?orI0u5pvZ!`+Yb*>KF{_fLhXJVoHH*qDYM2V=pXHEXu)S- z3PXW}cM54=9bn(~3wZsVep7;KK`7qLOw8El{)(3>tM`&x%S0L%l_k!Xk_zqM+hyIU zsoJ(}|4zpt=6M)ug7;)1&_D;|N*h`&zp{J-#xdQ1TiYXgzMTuP{c43!HYUZ_==yEr z6UPU_sUVGS$#vF@+tL1ERxM$z{kB^W)O9xfZ1mM(Na0v(2Ct5{TPULz!Z&-S6hJ7bQSTtIq9o_;Zu50Ja_2 zx;iW2QKsGju0IT+D|~T-4k%6lYXlGFdv3O7OpH!R_57vJH$J4$Brua7A z8?=)Ps4V&VLPPzEjyJ=I*B! z0yB<__Xy2SkNs$2ph-W}BSKZj5HJyXq@gB^@uuT!)? z?nc0g%C`yS`&&zZ#jt+j5;LQvJ1B)DVr&+{MX z37hCj?oJ`c_a#EfDi8|``cc8~ziCHhj6nHhDrGf-)h&Ncoim6%VGoH+Syaq;f)l2e zv#MmCK~WwcA9oyYxl=%30!TvW`+(4;n~x-7U44D-A~`l!arJWvaU07$WX=HG zc#qcC*U7SIyF)@B%~mc(s)wd$ceB%^s3`Bq$jD?&^HS1*?#_V;VftsHcfdlQj(dHD z<9QVJt2{G3p0z4!-k=Bs$+FvnD@_*cg2W~S2SCFi{DlS`QxhPM=SY#~k1j86vs{Fy z0}cywVT09u8aCcjE*5u<`bX%vB;&?6*NrkbQ#_pz({N6_&%_@c%8lujarREE+7t+l z!DSlXvFJfdO5}F$aSJ-m_8%LpTI-!Z0M}<&5|xa%Dz<9)X_>S$lB|!rtuyX-5y`Eq z0^AbEsz)}pfZ`87^%)VMKyDB$uF%1=>dZ4Fh`QDm@2&-sw_OBv%M;i=HOr{IKyN;+ z%`HA+8CEtZ{1t=N3M`em3%u`%Ehx;Z#M$kxWYrsDsv=qsD|O=rp705)bsd!b6>ZV0 z6&fRBhYtgO`4#JZZs&`6M&n;r-h}Ga;;rH|Dc2I$7#D`j8UC<+=8>%LImZ==)PK5@ zF}=y}aviHb>+tjkT}* zXft?lyfs4o!(jQPas<5FgQ)iIRQOY3d7Ejj-!6H_5Wm~eR59mzLuVFvVi9j;C!VRtXok0mm2#oCzCbo&j3eQC$5yAl?uIp=fb_JtLe$e$;;Egs&oGwG!UZn>Qn3; z&mYEpD4;QPLg&9SPa5|Em#Wru0-`8VY@iny{%nCq0%)g2$_0M=r!(u{&0cRqit$W7 z@Kg>LBmn^dEcDsXrz8mg@DVU#2_AIFyyiX9Gmk;HPk(sP1b^~xsMN2vGI*{&78Ddn z3;C0-g=^JYXFf2+QvUHRfGQaVL-EE-wWW`Hhlj2sZU_K_mgZ;1zuI;De;PIqpd&vO zd7Hf|lfMS}AFmk#e38Q_?*ANyJ01$KZOwYqhVuS7$Tt!2m|pE1@gHq@9(q7XY6-d% zRmyL5YJT%XY6Bh*n|BEPbH7HEe>w`58_Y5O@z1?f01k~`s>Z)`xxbWV20g&2lK@mX$+=@kOZ+aPWp6g#E^EOj% zFBFY8tA8^heH9{bHB_cIW* z@b1&mU(326u>E2Rl}7(TljQC;e$+xuckI|(`t+ztoun-Y*OM%MTVWr2ymfS?b%@+c 
zE#$~rtPj&XZ$?S;%k70+{p!-k6OW}u@hi6y4pnQgTvV#*;;=TM7iB<^jbC);SpiPP zFR{eW`$ZWOAcNyOJ*%&Bln}dH6TlBc0mYt!dRti_gRwutLs8p24Zt3o-FaSHc^@}$ z!&DZU+Xxa2Z(Urt8`~novq3?brnXVz3Qc@8g=-sLOiPw8Z)~nL&S|q&moriFr`feP z5@gF^)En&&Oy#`|esicWcmW*OuwH`{f9;%MBJ0(uT9JwwJcqL+(rCe06PKzVOpP5$|ilCDG zKhCR;D^T`|ACdeQ_k%WJ{8chWlZQ83#U-9UCCY64S=Q%p{dJ#pJH zpJLh6`JK-k=d~BJI7ukU`}RFg0i^)OvZR{C?)yCI3NT00>o~&->DZ3W&W`(@*3vrA z({L=7%e%T-G%g19_%;X-izmuYqh5wCy4TB`O{WkUM@nDYg{n^l#h6Q1j6|umkCQ#_ z^VXYHXA9KSFLt+l^_wtbA912^k)`9)rJjQ_hraR*(q~Wa4UQB>(=9g~i={lg%Bu%o zK(2|l?hzOee#braHNwHlIeofd=Kjp~pyp0v@J>@~pf8w{*yhq7$o3(>yiub;h63zO z5B_xD9q}RpkZx%0b2H5#svg*Ka8~q{^Zkvz+=`WHX#&U77SWrdsjJYD^o?slBd*oo zi>$o{kWzKNW_-vT|BscYJ_Q^IJtTfImdwqM4QiEdF7C3$b(`^ zm3#GCFt73OjQ~Ne_U2vQ_k#94B>u*_K$O^p$5$Z8`)Bj{5fxzFL3Q0-0Z3DcFv*U+ z0EHy~xs6x;rv#+QN*n z2;i5sdvp~kFyV?qV2kvJ?jI5^=aPAFXT!q2mN(jdb(4DSB7~k656=a}sp4&Ug?vv9 z>FCTN=cB1-QauLy=gmld^i-1fPq$h&pSaO6^8-HbPpY6Bq3$QKO&rKB3D%bO7a7`U{J$WN-jR(2&Z$t)R3tOMLLO#;d54>M=RI;#!QqlDkltj zb`9iB`pZ5sIwIH)y5oxT4Fq}Nq=p!_0y8+nG}$xy*ObiFru$lrOvu*XS!pYV)gG0&)e*a7k+2iH%mkOKSam6DoTBB8Zj4}at;y*^{QSY!z2rm zdH*GKl&2v0&ZO{G*0J22>|>V=ACgnO2t@vmnuN#a&T{Ud9XFu!n`;_%rUTytPvdOM zBU?2D!%Z|r^jmv2H$@Ky6MgDyi|k?Q-B4~W3>f`W`kaEV`NOogi$i=i_kCLDcDpjm zbq_*V9%8?|=`NdF)Npx6;aN(Wj1zSI&l2>wxHDDnHy^%n>!Ru$HyFt6> zmlgVrE?_M;WlA|wpwFPs@M)WNvRN%UH{pwt@=-M%w|x@8QP3S|S-F_*PFX*ccThN# zHX=;=J2S~od<5W((`K*2^iLt^P5v3d(Tu%h)kA(nH0k{?3w$E26(NMKYOUao}-rbU#Gn zM^|^fFK{fHXB<8TSR5iZm>lRxW|vl{S>?`9i@;r7`5>XF(X>Mo8j-DM!6?vEOnh#2 z0P9dq-ZG?{9BM9)?rEG0z;~CTV#-PFc5RqsFr14xT=T?h#0Zf-^EAUQGUz4#m())J z_r?UYqGaz9xAh+Rfs2#}q%JSKWgKUP*1nhht|9XWyj$j4`mc%mhu|ZT5f|TXxB3 zTX-4Zu((bxy}Swuy-IVzJFCg87kMR)IdOx;eVt>0PjaDF(tGYNbfp=Zv0m6Hl9JLH z@ntSz&vAEDZ)wYKa!kslO@Q7TNubA=TNs=x^@j#?X4~khB5S_7*5+^xK^iXRcU`2# ziY0RsrYW9|^saQ*`x<{IX?u`g^#PYsR;XNqxJ~-OWKk-QU{L?D{FNM<`Q|j#57l+E zG{lJZs8HU)Pb11LgvW2;(Vx9qsF! 
z08u2jauA?SsZNv*P8G&CGZk9HF9;ReY9%XQ->C%VY(rbpp|_xDtI>&KLe6z6U`i-n zUdgb$P-5=9VX28(_Rc6cKfkT`?al4#JQo8BS;WUn=Mk_IT@?Uv-Fx1FVjve?B_@4W z=Co!C(M@V!~)pex~@@yN=5!u?ML@%zFR@eVEPPe zF>i$m-}4Lu&LPNcKzBgX(em=e0S)fW0-p^!5(xXZLf*yedrAZTc$W!amEFBTd?knO zB&9&O{ueVZ)!jXz8$fDPawcxh51gtdPb=ds*_o?@S4`H9w66(;x9%@b*X^w|7Jdu0 zU8vLV;zPs_-&Vxl7b#?y=9hB7h^VhbGRdY$NnEff;sMo$FIuysCY=w9SW1eY7$*9? z;ki<-m5=f<+3Dkk?r#Q=%Lba(>>&TGCyzISr0R#mcYy+r6ziD7{+c^RP%^@xo0S1s z_arqRYTKG9B~J)*U-tJN<4wNIsRne90m@Xd2hwl=fEI?3y-J*IAyV!hm1xP}$JNu` zj2H!sko>sD5EiWi5cq*HN#y}ucr|zfAJ2yA3faS*mz2xO!KHB&VpLRTm+48(VvUk? zMa}80V}DU+mxd1On*xPsveY?+es`l$YqJAjC9^7WY4Bp;huFW3T?Xi%W{UuG72@AA zf!qUEUlZuP5zp-?NOL_0q`zYB;~jM0Gi%iT zu3k;Y>C}~Quqy;)P&@bq@`euc$&LjDDU}x-Ac=ZV{=tJiUH$Q zV8T@XNUGn+pKjM*w4(xep9M9Eu$;01UW3Rw2gE!~U+vcx8a##%_>Z6k64b&{ozp_` zcv|QLyZg2s6WE6-tsrMY0-toBpGXSNs7N}6Fk?R@R(-&;ajU%@w_d6|J2_Xx$@la| zRiP-48C`MEa{?oFCSLn|=tRwX$c@6L&-AcxafqzN#D|PU-FNYVK;@ zxU7!@ots6+&m>>5bJ;XYdG-xf8ULD^Kg3-|6yOlIUvQPT1PAmhv-c%5iv`K^D0`zq zaX^Ta)bmauqOc1oXhB6NMx3_Pr0cWO-B&DXGT;1sT-O!M@IGR=K&=|AB5u+s?di7F zMZargA)D7`)aS;)PaL|y0e3&@1!c6n(%w`fB+{|J$f%%mxO+^HTGJ2-as_vQf7c8R7Tu ztSEI3uwMBoim-1wc9mkU!(yM22%HVDGfiTCc%(G?fv@xno^L+yXi&I`86@njA@nhveQSC%ZTa^iU)&>QGGCYsG(qZHn8_?m%Ozz_e^;5e3#+s$e~^6USj0 zWhkOB)`lQJ3b_73u`dK(z?;?lVq(gqmoFid;*_P|7IC3*ArGUpY1D{6UktYGGr`T1 z#4;=+#&~4P{P-+|Kzl%l)|XLZwnx|sT4ZB?Sgzcrhr>o@bnU9_4`K3pYLNIt9ysZ6 z6V|hVf`MA>K}=}zn}ISasYSel!(Abc+ngXC(E?3K>UE~PXsMc_A_i1^i*KQ<_KHcU zw-8@kEW4V=;mpSu*PP9D-u0Cgy$PpOltlUH1bqvkXsq{=9WN6Hn>Ni=l-Lcz37(5t zSTTE0+w&yiezwaL&PK3c#X#MUKc*rf&;Ctw@Ft@Cc?M&DS9$rtmThhxA&!!f04bb^saW((efTRi8UCQ|$VOgutinMifSV=aM;>?SQTe%z& z!aCt2oN7^$@(R}DIVB?m3K|oxn&U}l0PKM6w?n8AR3RDTdedqy#XJRVQAXw0(|$F8?Ogfy&Qvs4%)G``J4c5Uo#>ce@dV#PE?Zy}Z`Qlf?^9!KIT z7Fe+tD}?j zu6qaN-q-RM4!F2KL@}Kj_HL5yA8Y})Xu>nUvC|l-)T_>{;C}VCWl<=0T-fkfG{$}q z=*<^&^bI-Ao@?5At9IhDmQiqddrS1{$0h8_xs-~GCD8?qr&5MY3TT8%iQ)_&GkvD9 zL1jFFBzxP5880i-ZHlB?NbR(KFm~_w1Q&H`a1Tzh-w@QCR*-6hgIMkk*KIa4j;cuT02?uBv8$UYMPxN^tvOWO%aDhw)$%`3Lse@Mpd2!xr@8I 
za(LzETz<%q-*?f!h!aB*IfoPQ9LyTa?!fzC+lmD4jr;^Jy2dL7KdBbCFeV$kc$j_G ze-IQT{rR>B@sR-%wUPW}lO(gn7?r%EMSh!x1mhwK=<&K4SgU(-9|8m%wi7g2&{!(P zRCqgDgOlsUnLS*7Hk#)!6tR-L()B==0&7RW!mcNrMigO+n%?5@kQqZyprx2DvfNG0 zHxDZvCDK*M>cD;0xRrp0{USm(JvQ3$O7NOp?4ynyCLHs;n$(of1sAe5u(%f_4G>W~ zNa8!dk2*XcGpTQNx*qkzfcwkZz@wV)5z)zCkuwU5dj|9j?gf<*AZ?1sP_OcxdV1m0 zdwC5;p0^V(gqh?5b{DVe{X8)rQtuT}LZyFTjD@ROZ09ermKV0`kXqp0-zf0Y^h|Y_ zq3NQ+Pk~xY)#Y)3t9+Tpt8+C0ZgrgC**XqQ5B3W~TSzj{|MK$m&RHy5Uy9>02cC|O zO!}Gcqo4*0iAppql!tsRTcan!05uP92XjHU97#55Z0DE5!oa7Xoa<4l_#`|1C_!AY z)$?=AZwH)1l}}S2%-QZKTd5U}@s@G&>6I1QzP2aH9=ygtlKLJlppgs zN1PJPgi=iVcP*Xe(I#W;GDbzZ%pXx5a6fPW>-9=?CbqB2PTu-O4QY=VQHv)c`JEIB z%r{;^^a_Ay)Eeg#oIdai3|izd??d+>n2Z+iHsZWL{{U%%enVw#Gfn%x)o}R< zW^zm7*Np#~eoJ&<3cnRPi5^e`VCDob%gjqIsh&@cKbqlUssoAL-wO%9jR{$Fh0qQZ zlvDHNGR2yA>d!5Qt;yrL&%D( z>p!VIY9TTprxOS+e$30AOC*gL_V`zt$Po2TZ4{JTZyt9tuAhf#)QrwDoqbA7 zyMb?=GH?SXr#phlaGPUl!Mp|Y=p9H#iJ=Rd9=qh%8uoNlx5-;#)*a#&F|Sk;Mhw{wQR0d|nK?Qu?>J`{ zxtlOpZJ-bLi1u7|ZxU+MI{j@PizDI^b=V5anXlM(<4QB4lt*8x$pRjogHL6wC(`&vNwQ_nF;y}i+BdWwITyp;LRh0F#4q={eR%K(Dv3u(^)YzfHfB2Y9Y!Y^z1 zZKCtOGuwUXX;2MIV|~1V{W&mXXWL}sQK9J?g$Yl6Au z@E*A~E`~IAlo6+co%TZcc6RAL6HwY6*zb#Mn3Iw|MowvmQp!|r&-Iz-{FpLGcAdg^ zI>Zrsk&v@N&ZNm{K@b5QXDcO^rp8W%JE>hWAf2eHAP1KBE{y_L8c%>qsi85^w(!v2 zqd4MN=hwJpsIA?v1sl2#9t$=8xiJmt#0+~jf+EFIo@o$*^m5Q|ym*P`0(*ESwoVH@ zMQ(52`s@NjPkSZ&yND)H%%lzy1~{{OPyVL6M(UZbOR!Qo*HPIp zBEE^Qi@tF$APV}`Y^v52zW?$)okT#njzFerA3EhZ$A&x7y||K&b;?-grPDK~AH_?P zZ(?a?)K!%f!;SWDIsK>9us%Ydx$Ad0iv2D&2$IOtglK&m&M!Mn)jeh3o;vN)zaTty z0SuOmXm z?3NLAg%;3o4aFTLWNQv0Q4alOPAoy%?Y@G*`m-}wfZHU^%_Z)JW~A_}Kw%<6QedUj z9p4S}k_-W%#MDNoeb$r#g9Z}ohflW;!p@uwpk}Hn!4r57N6RYn=O-y)ySoH^?^JEj=RoedUESix2Lk#+Gs!=XS#z5HMvSaH#$47WowW3mr z8`?P7x>htY6<44kJ;U|&AfWM77B66vov(;_z(XkJJe!k+Xgc8J;8I%8pUq*B2FR!! 
zZVB8!VugPlHHu2ZA1*TX*_bD}Us%esR29$8(~vMLZpn2;dF{~IUlQ=$Tn27{T?vew zXXtlC%XCO~h+mSYNXFgx9!^n6{ixS@juJIaQwaS~nE0UqT1N_=XC;&419=*=>8Rbl z2$0+2j1#Qfw#9#Pgrx#-8fr|F0`%C9A+UIc2jue8el^;nSjbr$duaL*ruAbEhUtyS zGsQK96K(<0YDe<~e80c-X_!&E3xWcJkc5Ut*i`;l*6tn{)Luk=_eY4k6TywL_48Q? zmUR}8m_B%KeC&q12^q9)`LLEBgKjqmQw4>Ey!hC6@DW|XN?j9S$BJhe%r9Y>tKi%y zdmGme)g;`i;Zv~;&0iwV^Z7YugbJ8CS+i4)T-+}lSgEvHLwj-fE;iA)RZ~iOOp0$e z(v;dF%tRFbop;XG3b=A;trQj`zz4%##>#`RjH8*j`~Tb}8scXn7@YQ51~{03f? zD(?1G7*fl6&-d^qngTgXPQ9G^ov&M;@h{<#uVQvcl+xpEp=BufH$$~mKK&?`z&;-j zl4g04_wgk@vW|ZgX1zh22+-t3RKDF)UOqFILh~??U@EC8#NY2sS;uhz^=eDHw}hJxpjc-ak|b^*9EUZC?h9qX`G%Uo*-M$~@o&wr>#KXsx; z5H`k`CWnwQLL*@D^<9MVtjbyxZf4_m;70W;F2o$_P0GWKg_UqO3C5OLd`ix)L4`KA zEU<^Bm^q}08Y`SSqz`6dOW&WZ6ccMJ8K~k=U}3|?#}_q6Epe>zy+v3im=ds-gKDDa zz?+m!sI$vXeTLIC1J+FoFfjBjtyIHcQTIL>d0%?esQcP{WUW5dmZd=%d2lv$c1_I)V=)eQmAPUFuK(XfN(yZFUDmSj z(oQGo9dbP>2-f=Hfxz3X!EDdWdyV6nwrdf#7#^KZ`uh=>R_bbty(Z6%ZWekb>Wbj? z4G#I9TiIpb3AE91qi>IOch>orEtpGMOd6nQN5oaG14+13bgsQA&5e&TxJ0tdZ;YZL z!0sUY(1W#!CSECTt@Jr1CigV{58q(_REgLudI$~v+~s+B>|n0;4WI_;9D-c8Tue%- z@mZ8oWbompHRBcYw(7VrCN{AD{a>t?khDJ^*IKxivHa9^*HH-9m!V~@XC)aMb;b)s z&~S}=vr30n61nIx9Lm1#Y6V$`D5iys{HYE9P5bs6#C68bvIyKh00aN7FaP$VUH~G| zLu-*z){%3~o=Eq7+Os_6ei;Qyti13sOX@baf= zlCk0W_u>BQ1sZR)BtT1bwnsJ#0D}HU6TcciCR*2a5{BysNo=(OtThMA_&6_GgLhCz4+If~%*TUPoj9F@wK);JxJcvsWT~c8ve6SJq9) z0FpVL0jYcbx4|tFfha>XNnj)w5B%45(tft%2EYFJ-zIUL=`%o8w3r-M|3Aw3-^_mc zvz-;UcXR3gFeiV!RR{T#STO;+rgZ;>SnH0&fObw+-`Bs2w}W}BI?y^A7=EH8gvDgC z5U6aN6@*EvLphB85{p$ng>77CWs!#Ab{C%^xn!v_pH`7~2muu`v;R(@vS}EbR(s_F z>6o%OIwY@@Peg~di1CM6{R$%VSKmQ`M|+*Gp9hQia}Dy@6-}lmY6>Vw1$A`LL&tuE zkSsLKeR>s${kV%qulHVdax$`k5}p{-p0w_yskXVkE7i(^?7>ri4ROnyc3RLQOG2LI zoDo_3mf@4#TMU|V+Z^Itb!W6$8+8TNTkopTO8*n;kU{G%a#@$qwB|FY%ai2hyuYW@ zeU&W`fU575A+|IDE71!SSoK5xNXK@fGli4{-|Zf{uvQ($1#L`Jq)Yb~tgfzvD0(ZP zT_aq24rhy{MbVt@?oZXt6Xwr($gIv+BQE#*L6sl0na*Lk=Iz~44f&}$5Oa;W&E1fp zH=Wio7y~fX8`YQ_kX6dpN9y4XY=rD!LQuQ6wz{TU1D5J6Z_MMLQ|@+kI-)@nZzP%Q 
zWfOgO>+O$ArG{WP(|I48ohg(N0@WQto{LHcyPBET_y^~V_Ei+Z6rzw3>OLVBnjGA7 z;J+^%u+nku{%~A0oogAHQzId2CScxd-`bLp4-q%p=|s@>*58WXyWl*0-~OGpAuLQs zZ`nf66r18+z+8W6j9^0hSxPqE=6Lht}3fpa>2%Y5gX=mLRr~CVR19E>|Y5-5LK>^kr zo2ZyIYa$Ogen#mauY0e~z28{hE_PE?QUhjF^(@~$^1=NAHA*tVdW60M}15&i29ZR;$Bd^;{JcTBM zzgZ)@u(M_k2q#`YL~z;TJlW`v#H~(YBn)h^$x%-ma%OW;IMR?JsD^{$$fCp zrFq}}KB_pTV$&Z8B_*R6S)*gWm8Vs%5^XpuaOb}Esy30t<;UJj$f@SO>QM=Koe8=_ z-^o+!fL@}nuRMiOpW#z*UnYQ!?-d{`5N?Y%_lA>r`UuDE6~7kX&^_BY_s==Dm%@LK zNP@+s)>5A!gGUJ4nXhn$6AZ%;c#9GiUNE2&D9#P9AzX^g2#)O%9PJ5kuUVB-Q}c=S zL-Sy>L$UIrc{den)e~y8wI78&f884rq!Mj%vGKHCcB4$kC&_Kwi&PaUGyH?3EcOm2 zF1ij%1oLvo9wXwDNbVQaOi7FSpi&W9X-dn1{4#xH`KXW^MXkm!#ZIN2SCyE?br>N; zQ9Y_E_-vWvC+UKYy=44k;=4o!S)y;vxx5>B3bEhU8KH_A$Yo0Irn3m>{V9g^+k|Ie za!zO~lq*tdz}yr^XlfnDWARC4bCqW_+_-j@qG@~&#z= z0yw2K2b}42H59XnQm!fZn*_?gR_S9(?pSpsALC{`Y1HHr z0(G6lPw$j2R;4L(D3L=PDTLvVE)Rok~up zGT1sRvf|<;b=8p>l)aZ*8yqH;1HSIgmb&|5ckne;{!vb0f_Zz-R~t8jWiLY(m2&WQ zcl^Sd<9Nr5T!OChou`$DAkHd2?NP2ajO+C&Q(}NwWJ)Dy+OrX!%Z4&fT0pa?M_>FT z0A3sR2$zPeJN!+)l)pjn!`gF0Vd=7OgZ-&_R_p4fX@&RWLbSMPO5Rq#aB?yCnu1-7 zwDH8Gq_3_`_)#D4M-;2^8(s`Ilre$9S#@*eNn5U5bF<3ZNyU$P3Y{lJJjf-0qL;w_OUVt#GHT*d~s6q7`Yn)=SpL zC=}(%EDP&)@Ou1iIb7qckt3U|XBy(&G6xLl6Ze=hgsJ!_2`%p;)~zJ7HoP2}bM_SA zF=PH{FQn~k5uS<|A)ebpcJ)f6(Ig537TJ3#-WWdCUbYp+^1}eXO3W-)cUnhj5y_*~ zPRX*0C-%ElzPPc3geww)QXM_0||ScZuh!pB-^X z0!6na-tZG}JH2COluNhKX^2sa+g=+8H~p`it!@$^B0Gn6SkJ3DPUO_=u!{TzNaU4t z559<6Z8%MeLzvx|i6qt~^7MUb|DxPy3{C}#yl)Mn?tzopXZFdggP<{K&FguSPJYH@ z{g@NZY!X!`F<-h*Qg^3YIR`bBr~Z(T-~X0hX4Y0*ElH^EqPH!`WIxa5vRS{12pw4A z2h``XTwyIFd`ME=!`U~4ciHQxj#6=`p`S@gH7g!CGPS81;s3hvUPX^iIK@ zEEoef`neCT!Ef0C+PH|iCM=GN#FD)9M$3$&^dYHS4Vz0%3NK!YAm9Oxk3>Z~KF=b` zPaCoIExRpq4A0$D_8OA1^`+VCy3FL>N&yX0-$h!?XB7Q|ERy90FF`&Kr|XJPdV918 zJ)mMWG~rI1u{kiXrgEr)9p6cvX30uKSnkOENaC9I`nj};`+WUXWNhtyJ>xxa8rFcO zoS090NabWAy~oCzFEw_Ry=9TxZ2)~5`w`vUpdQGKLiQ-1tI0>#+a}DU3x@EWXFtTE zq{KoD-aUIb6mhYcx+EL~3;D_SuFWicPl5PUmPDP8j9H&NfSAan=24{*@XQ?WCZ*sz 
zhaa}rs-aW{sw>5U0Hy3HqDcE*X^CId!uVS5{c;g(`oX{``x0nkmW*RsIoJU@@3Ze$8pN#Pn%YVx zOXb`5jjS4eY)1KXaN~(@J&qW5A?H0#mx)XFUCjNNv~_P8T=uQ14OFs_YV@U*t8c>E zKkihui(m6x?i{TuY|Asx&L3e<9-!nW=F^kE`}XBr(TN`vd&WPunml?mItb{9hT2hZ^D~C4C zxsWAZ%D!<;=QsOWIK)=HLG$#-y}7zt^`GjZ6%UZS?+4t!b+llUV_qpdojtDiC_p=P zB39Bao(}Cjk1n+RSFm7redv+8UYK-0vpP~FPQ9Svj{TJ(=|+)Ku2`aG-~9_4aj~X; z4_rA*R$p0|^m8Bm0J~QhyJw6D zfB-cNo>6x;QN<>)g>DEK-eUtP!-&&++_`a!M4Z$9je|R}y2%Wd&t4g=OqkcAWw#ajfX3(V~e z?^REvoJdo`E(C0+R2c%~Zok>3Z{lrG*wtr3x_y3>x`VXm_U_wBdEEp*4wtB}wjuqF zJP%m#4iCm7ARmi=H!k$>5x;hjG1Hw)_o0Dt$jf_%HD{vSmO0SQOSlc3_C;s0@EZjH8TV+?&;SwxKO=^DRyM>je*_(8AJ$N`E>GT;F z;d^D!mEe)U^AM36BIXXlo>F3tKW*xqVEc44@)A8cFj-txO zUh%rhr#Z3N_xtrA8$%$SyZf%=B-b3kCmO$M3BgVH<>RU zp)9AB99oQH7gjpF$G#%J@1x#NUR1s*mqf%L3f>I% zMB2*tA?A(kmzzRMPz7bJ3{4zL@BY2a_Dqw(y~YoBgC~9{Hpb3@E62SI6OVSJsVvND zgUKRZCwOI{xn`?vJ+g-|gvVfcAI&c3XQp<1$H+01VB6R77^1pobwFENTcAvcIungd zFb_8T{%{SGf}9m~zjBb`c{nu7k*`^Us|3;y!Hx^E@yAfttps^-5&chbg!&Srlc)s8 zbW1i?^3e`wkKo3XP79vW-d4cej!BK@yalmzfo=GzcWh$Ka~EA>Y=M|0P_U%? zo)F$(MCffyBLNx`>a(ULmKYVFzJcNAbaBny=>q3j)pWP@HU=`<$oG||CT#TMK)|ch zoUaY&{i5NLw)xV4ybGn{G=qw@mfwNHxZ!7;n@H_q!=Wa>WbMMsX@HK-X6|K0cKgJZ zc}mL%g(rpKac~F@>5{N>rIANLFKB#g=;?Aq`LE{S@gcBqQK>`Y`2c-tT)f~2mNxpI zmgF*0aw3Zl?BpH`QYjh-$MKQ`NJPcre>sr(|mzinRY89oH_8NAGw zJ^8sUs#!;LhgkK_fuV)*&goSRAnYKL@>iND4r2kh%_7jixMvv{$D>Vl-WS)u^;=)Ig+-1uC>|j_8*xbSnRYR~ zL%dA^tY&M92?~y`n~>C74zX3a@gLpqI`B;N@Wii21T9x+!|%gg&3znnF^~hm&CiGz+><-UXny7Bn_Ga zhm!zNG&F7ML_D_#oHA=I|IR1;@~2`<7CUs|j<1J8I)Nf>U8li|%5SvJq) zqa;~JGQUT3<|8!3vJ%n@BK9Q2I9O9!$zd&kk;G1v>GS+S)h0A&L3??XfOI%BWx@4u z;*N=p_y=j>0W;u=EUWuy3DqDwnMu;FqNY;F=We@X-(>H!r`mjqO#N4=yfhMFijB_t zj@%zNj*>bC$^{(X9J#$z6JrC}?3VOhUSiJH_#>BZj`lycyB{b);{!J_+`@O9`#Vn! 
za=ZcwQ-r(i~d&;#z(~l zZm({@!_AOjIn5Ro@VX#ueL<*apO<;f2D7TVlnDJZdp(m9=gq`L^tRJ7MDmn^H*s=i zV)PbRM3Dawh)bA@3ASq9MJ#5T;BnM2ki(`6ETLUK-Yk|>);)@;>{=p-y=kN7)*ohBPOAu(dD;ZXDTc)4 zj6PY*ugax+Qe0awYu|5Zm=N7^m6HujR8+D5;3?yTlYO7kjyJzN^#zU5fulaUUnIO9JM&qM&U;n ze+YQ8L-_BF81z@gc>G0UnNz<%&kV3ru)h-6K9Z5s(e?)=M6$b>;z?5VuiEq4DE~H) zHblQni)cG6xaLLPLqU)ReE@%>fdD;z3M!YI`b~Ba+TVi!qBVH!D;MA^eVFfX@Wec@ zadw{@WvKhQ48ex5q_178@i=x$dFV$rzTwOJ8)R-i0l2kEW7l1sPrO&aSo>bstb z&>r{ZuQhe7yozXwo_<@L`?B~HH|Ot}nY>0D4sf%xVe(j?TLSGm{n;NXju z;lD`%9TOi*N#?#24-8gvTAoGs_j3JYIh^8bKW5>duf&hFIkatYkuoCYthp6Pb<&9j zc{c5W1%5^-y2cL}V@#Un(f@+XG%Hyfc5~-`ll7tr?W`M$2`SC$mfI5#{F1cpC-=t# zF4-uWcBK2TN8FLPYW#w_9K5Z5INPM%_+%Kelb;_SecJt4uAjhEgs}_eb&+0ktr0;i z*WLK$dsQn8%FXc-R5IF;?RbqjI!B!bH}P_rNMA?a~?pC_d?)>;AAGJH{blWlVAI~7Yi*%=)R8W+_29z5Or$o@7&JWZs6 zG0R6Q5E|V~12ZTuWFVCsntEw`O)M3@3%OI4s1&BAGKbQa)r==IF>y3Mg61DI-FLb7 zI8#5z??%uAzwg}`Twdrj#|bEz^?o|N1VqH8xGvsQIab^-ac*bR#iwk#RXj6$Q=K^D zjSz&{Ux|ABQI#Hk#dg2By>_)it-wnP?9XQRh-2?uNT>iJB8xkE!hlVB+A){hJ*cM7 zAXL!*Yzp31=dYC&jw1$+F@16!1p72IrODd9>12~4Za2{L0BoM8R znYOxty(3a*6!0!Xm%T4>^%G9D5Z7uN@;K**s*BGtHN~lf*+eqqu<5MENh}?j?8zS{^a`z-#LnK66F36o6A~p;b3NWi5|!aw zySQvb8|?BiBgQ|J_t*biS$0kcP#!^48l6591B~F-W)sp;$~v`bGd73UE&!wk)lzt+ zRV%od^(ZUyOsTL^zyG5_7AokZy$gqKH6EVf8Z3}cTsEgO2YN<>)&Bo zz)}rXW>m#UDecV0Lmg#NBk{eZGX}PQHyimeAQ)DN5*!?C@L_%OwK0>Z)Hk!TpV&xk zyECfnEzwT?bu;Y8->%gGs^CNz>>?~8X`II>$U$UcgZkscg4BA>qLNeV!HoIow}hE` z+@lU`t|_*D>5R)9oDfg}v_Vsf)2yee&vS`*)yzR7fU$e$-@GFjrF%mACan! zjp+o*kT}tYVkujwvE*4SdC? 
zdA2lLP5yQAO<~>KZV0lLTo+!|TBVRzk*-2FK8P+;lh#pX#a$lhyy(rZWT5dG5bHq* zSw_@9*IvNeEJ7Jw@S)XlYCUfSWV|Nh`K%OfDfvfS^uD}+jS+PkVIgc{be?fVOUV2= zB3i0X?9MKfAF&SC6DGc7pg}27qdc}8nV4HknRwu6QQ-~6$4NUk2ezkX zn{EihxP!%vSU!vvpvXYI#je(6RyT^}-N{6=L@SU5-eFl!}UcK>*hEj}vw?kxvw)c;t0!72c7^;7xHq@CF z9*Mn{r*0o&0C)ODVU$nVc7y4&X=242*B6(}713^;7244rqeweS$I$WaA7R zk}l;P(#8e{{EU%Rd?N!4nRlt*=eWWsx_ONG7FdD#+l*qLLurlFxbu?E4MlT-xda;5 zUemq{pwX)TJ-i`Ky^VG4gbgGiU?OQ|@rg@3s{AW)b)V;UTs{#r;036N`{5-Et2%h= z^*95?j61sphWC1d&)dB1g9n?DkKCF=%mM0O@G3zgYw{jIJ;VjA*!fjEon2d=(tjN3 zajA*6o2laPMP_K*%9dun!{UOvM=FBnBAuQAf8#V!6U*y9F!;(Op#XJl$tGJJDFXER zN5{1j5|j7DuW^Yd!V;}W@jQ>LT=;IWW!j5};*KGfl@wteAv$>IlNL8A*aMBh28g93 zSH8>53K`j(Q5KR|39el4k(17l8FTO`XXfc?_IZwX@hK0O;ozr*`f1X{WSQK!F)zTC8R5gXs8sP-{2;g z2-et>ceLYsLKu+HBbar>lhU|Pgd_wum-O9PWL-fGFjdq-zSNOACMe$wBbe_^hD@zC zv$h$gprIj3xNI&yF(M$O#-@4npyjsGt#yaWAt_ZMYWtBqi_B~wWsvE33SAJ4?Ph<_ zxNEnY8mjiE;1pzI*n^XeEjI*}B+8WqX5eRnngni#y06vC3|`0h#xr?t9{)KmDsd>g zCmzyGhQ8cfsmB1w_f%Wudj)kaDZeaUn%vgQdrsdLr|E{orl}hP7S@0WVvB| zr;8hz?eiXuzj9}tmBh>EH7fZ0RSKtJ!De0_Y3_=kH-m*Sa90^iI;Wla?j;mQKoi^L z1@`M`ZI9qt1eMV13IG>EH!^Y>JhIl))4GQXo{lSczZpew=hSZbOhR5{-(sVNY1|(l zCmJ8wP> zM(&2#va3~4WJ|;afYQO-XIZ^quOxg6nI;YpWRc-26B|xoxDl$hmt)T)&;5R+CuFP( z5rs!5w8Qo)Y}4G5!b>nscR1gX-Zi=qZEsIT6YJ(BvciD56yd#+jL7hG1>-4;5udD& z7TI(_Tu2=fOM?&Ncg)5$7Vfh%jmGRXm!c(Z4TwOXq>#|#D>P@81CSR6GxNex?+{nw?l-MD@75K4md|Pd& zMKGUuz`RJ8Kn)?}g%-wTQ6Jf0+n1I#yma3~cE9vhg*lZHb0Y}wI?Ab(qMHU+nlxx7 zU9;6eK0eN%`C-|Dy1d5Q+FsRgnLkJ!Gl^nree=L=TY1+D1@LejY4mW19YAhnO;&Ud zJ-v)28d#2@$6*G+6i^^auopBCrRyUvEuuJbiy5-;4?)1Q|Y=cCifQYsL2sOZ^hLSCwagj%=hxY8wH~0+3ONi5gr$i_E%{I zH?KR+8dSxY5_ck#PoSu$BS&&vo2fH$=|%0L_5wRX8aM2vE1;mxo=Oe*m7FVoB|onBXwg3_tE*v2TEq&E zPK1SnEF48fmPjJ=qSJNf{YiRne-+h#@~q+laQ(51(wJ?gSEn}RYq-9oNNqL-6n7-9 z^eGBD28W0{izUfqqxu;mdRp;7-Cg=O65`q+Gna$=--Sr<(N-+~X^>csK7wgN(B-a+oIO-=hYsGaahy2B($b0!k+3_Er(QAskhTw(S|mYgq2`|saeQ9cJRQb<7d$aUj7cH<80y(LqODoVLGqiDsc9op)>~h<1@Wb(5O#224eTQNeuAgsH 
zFQ5r23E$PX8Mm2;nh=^pL-9`nZiml6@4aAzK_MVqykx<@4dDhZYKpdTE7U;y#ao|XA*Bfu8J&dis^M*^QiB;X*RHzwtXmc zJXu#r5SlACTTQg->>)BG7_x})%smjp(OMGG9GQF4G|u~MIQXjEd2Xtt?px+viYGF^ zz{j!4@WJu~AKdPn>-$xRYZ zGe>#)$cBnNGzk1&SRuQZ6nb6$E=&7nC#xCmrIB!w3|`W?~0TuYMD$2yCdoX%cmXw)8LguWGswi_v@)8 zT0_!~gPX2JG%AISYFAx&!Q-U1oeXv(3px8sK+>s+-X?Y!#JVc+}6dkD$xzCQh0kc*9*N(l0322GlJ8BI-Rp#*>QY4f4XHmp0X z5;$FgEL!6i-$-8afre@CitGA6U#8U_q^>!?usCBR5l21@T(hxyjCyGPyxtxHQwkyO ztz4PmoLM%CKU5txk z*2Q9|g>)&{fgJ7`dzzJH=7cWu9uQtwgMg`7HR%6#?nnr$vQS)^HY#Yb?uuzZH;tvA zm|yxpEYM(qhw7D567rJ}Y(rguGrZz7FcnzCDr?c#a-qW!nliJYMk9iZxp37;&N?T9 z@dJfBz7|Ev6DOZt)_Bk@{h;ovY<qE9`U8P$Cq8E3EoFk85f&ik`5 zO3>{;9Bu&O(e8-=9QWd=vFv;;{ASOHQH@ET4eVXDadTl*&KAsaVfzNRCh9{w5QVNi zA}sNstNLtsaYp5x^=5-F%SNsGfotCl0*R$m%lOinD2^jOfy&!h6nYG}@qY2gQ0CYRP*G(_ea_|{)2jtbmEbkPkT47yiVPViU!bf{M= zF0&j`bioY`QoEAaMYUKb&GV`g+DFv)rU#x322=aVrG#Q76kl`@hUPig-~6C!8^?z? zqf@=XgUw}tl8O#uRtg~fBU?A_BT)+P8EArcI?dGQTCsu_EYk;PaFV;ujl5MpB3pL+ zVlsKCqxuS68z{5>%cHW*skl_&v}~hYHPrWhT`l)6i(5-}BC9bJAPR-KJ2062)FLsn z>#mn3-E_Ka{3SJ)GRtn}R{eA9%lpY@^E}nW(CA`aTWUm1{!E_KEl2jck9huU5Wq6L(RYL46ZB$Q|f|S|GkxZR|Tgd{Qrb3wh zMg{M#5YPS?0yaX^?q5!&f_L0FUET--wMbs+F=u8iV&BC(WvXVlrqSdY#}PoNV=#GX zRt*nZlRZa;n`xl}Hfw#)dzTh|(rVXilDy7*1vQ)o&tipYZ<2g(&NvtHd6jv!IZ#gJ z7bEFbBI5crX4CQ)ulj!)PXFSUTag20o*%%-Bq05JN8jJ+_BfIMNC#JlG;{xT-~S!) zT+k=5+NozW^gr>jeg4swMjhZ-kGga7e;?$p0qdc@IJT?bsmQ)MtNtRd{~N*kE6S{f zU!2hl80-7b*U)}3$j#BpGsyoVYo1?>=!-fgW{yA$_n)t6gV!f0*QvJ4{m(D{|0d`E zP0qhr=obl}|NmFZfyJrd*T(%<+eY>~xOS%p#^F>}@&}zxs}W0HrA}L}STyczSA2Z@ zLiO3dwQpE`|1VDj^7{ef|9rhmV%a4n5I=wZY`*M#CAKZIKb%xWYInOYB~HoYbcFQs z@;aI=2w%AR_rW+h|G|=XgR*`8>jPfL2S!0bv2k`5oBGYOmS89&19NhEy0f=8SLlMB z^1nMgzA%EDr8chtJURFuC$6%Dw@)|{kl#b7j6BxQKZ18o58kqr+a9XI8(~R;C$qh? 
z@wBb@t~KXegy%b8aBFO;cj>pxhqs zMd;ui!hPh;{eDtSwNkEu|TLw{Moe?2cX{C1lRl>QU_KjBuJ%(t{-SRSiT zAyUq60Uh`bhRKnoO1bvOCA zn^`0pgrIKO~7_BG=_Co7;^!wR-8$m#rE8EG1Roj zp$##0m>?Zwa|c>FaK$*p_t4^oW3w2kvC2dg2Y|W{6G@q(Xul-ng7AmXK90IB9Jrk{jRet8)TY>*8DJ z59@wemHmcKwFnG^Yvn07c-o{%P8V)RdybHl5(awlyk)*GL1gx7Z65^mQ$4B8hgz~Jx` zc_J&7-umZ*79khJqs*oWkaTh|z8dGLlQ?7djbuDp&!LEJk1VZi;h{-Mk&F?!lw8fc_SHPCsLLM@bB^G7(k1Oy$4$N6;hzC#lXzQdjdg=*_j)O|b-;o0Ssvrz7n_s&!l&+nJ%Z+0t zdb;|Q?_yAtM`$oaqWygSZj^cqmD5jRP>*I8|69yZ_HIECtB9nq;29nF87HhIO*jRdK+e<FJ|G8b!+eYyGL}VK`ih<)(D+3XtMOI{xlI5-r z{DFe^i;-mIYMoKZnroJ-DOOKm6gjPx!s0zbr(coN+23nWo9a++`?>*jYGdM9X#&c9 zaODd3Z|)p5Vsl?EocmvR*=!657Q%H&oyxG za?J_w_=h--I)JLz1=(*lvMJPAZU} zX`&Wd6yf^3#1ZGq9qFL4D~x%5EKjwHP*Y-FP%85t`2|G;1d@Rv{3UjZm`krUwwDzB zR+J(hiwf;8GYaFMPsR15DYQCD2-41PqMl_<<${8Oz<(xH4B83(e9una@ZcMzXilrX zE4;@mEfU@&!-RqViAo*GrL!0~1srU~wQ<87$Q%sI3s=XamW_C`sZK%9pe@zJdns*R zMRm`jlwDtVv+SwoafL?usy`W!s#Z!5&4L?jfhnI;2>}je-A+4ncWz@FxS(!@_K!<* z+i#bwdK$Z?lGh^h+vAO9jGst-LJE$TJ4i6*%Z$WwuLg0rVi=V;a%sQ1g#5$e>}^gL zpbVIlVmj?eHsAee2W^$v;H(xtovKL8IRfMF5Wib;u#yv|$R(_2ZF=))kJj;;@I=J~ zro@_a0~$8b8u&D2s>)|tKVwg{zY3*24(AP6RJjN7Y^QQq3YL3sb#52GB7gOA{mt1o zWdiz*xngXD{ohW21%hclg*T^E#YGfLF}J-2B62{i)M8X$NW{I+JqJhP6$a({R$yZr z=q_D4pD@p{5s#_DQ{Jb1K)Jx&H5Z?&-BMjRE5J1KM^yc?^7AK!DqAF2^;xu1e*b*f zz_c7+Mt_GK3=m_0xQg$SMEzh=8=PPkZsakY=q_)QUC7W4AtK%Eo{BgbMIYb3Swt3Y zsC)^%qTLTXS$Gi(TU_vW9q`%YL!tMBrQ$RfSUqvqSAA_8>+O8RxbnUabI|j6tcPCY zC!-JwAC_WE?jLC+lr3T9U51M}j}lU43gvqzw&krrdG2ui^GCjlDbq(KcH3Cb5~}*W zmb^BioASJCTA=Z@B~|2KYZ0_dxc{MQI`1}zzE9dD%^>ZKXQqXG@ys^T!V32kT zz~01#X|f+4yd22gIM}maw}BkmeLm=RYZo!{(2BNucDeV@H=+Vs#N?Gr9bh2|!d(jA zqq(6o8gJZB#(JOe{{$K!)@>4fhQPg(3Z3!`>V-Fw4-wif{ptuUYPjPze^9@7=6kQ1 zP4*pE`Sh2LEz>Mf@ivQ+qK=~+;&CTWGW=WwJ9E&G-79^l{YU|j(cGA79%_Y&q`SoOn-)Xa*~6Xop<5lj zWbM=xLLDaRps`~(;D8+%A&Nu8&H=l!p6GnmE!tP*c-P|4oX(xADsZjkVkx$oXe%(2eRlNc3X%Yd42CqCaqZTOSmR z!X9b_k@Pi2w}RhEm6zt0W?iB@gBjy%uVvBE98UJfW+_h1toTsGpTE?uSCdITC9Kax zw}9S>y<-lhZ&b>vjVC0>aq$A$+8zb2mUq}2EKyKDEs-igCk92+D3cR&rFn=~^0GbP 
z5I>rM0}p>}PaUT&cd&@?d7fX*ES_SHV2orPdc~qz1Fr|+E2f>RR5e+Jxm?%+dIUPY zyE0EGG_P7elKX|j{n&J8drQD@GN_^(qNMy>O|;&F$l5$QI1L7KJ4wLgn0k0ZKJ|{o z@o3^bPABmTg>HL!GT83+1qTQB$mT zO_6s|D_2!E(-Qv7G_J>z<=S;Y%d&xR5UKt_QQaVXhnhT}qZOHLd?}N+%#~P|e-rQN zMg_{l1GoHc{4arnMsVdn)@q<3x-I~bI4?-d)Es;gJH%RXvDKRywI`bw;e5Jfzn8az z6xK(qyGojAxh6=QZJC0NsFxHw0|n^1@H``QqGdS4y?i$^-wQb+1A;&7@g}3dQl#68>Um z8p(vPd++SzR7zdZ4nhl~t^z?_8*E;6Zro@-G?7~>ri7~=bQWP$3r)o0p&PR)fJqFQ zWMXX(7cyM)gWuX6zD3c?0ku-jZk_(Rio|_#DOv;s0}aLcaK&WiNYcfLN{IDN;{>GO zXfj_;dL2kWVhV`~`j8^Jd(rdW%p7+70JB&N9Vi%c9{)HC@gWL=|2H)~ z;i!AT;|EG*3%#I`wR4HYUiOo-d&%pb7Z`Lu#_};n6F6gD9)l&4iZAsoEpKHt>vy0$ z80U4NSHh(##@U(2dah8HR^9@s4#!XTwW1ahlqE0(3~1`2m82ExfnAGXp(kFw-|OJD ziWWZwe&%gvYU9CB+I^Un z(PXtn^O+iQE(`iL{VnFyM+0gEuY*DYGyJD~$Se4C?lqU)LAHPbx{=ZHzORD9jo%9S z=)iGLT?`|iU>dKgN@)oHg+PduS9$=9WbX=G=p~(Sh`O;vIR#0m{sp)v1q2=3E%A3F z;>D_vcp3vrarw9aQs;o7ia}*frE%+%wGgOBwAff7s7aH3$dVqg(gG;>ZJf{s2nEGW zlxK{3{I9;Km!aUwgIhoPQ{#(k37TIq zI1QmXdz_l6#BS(gvxs^r;k{o*t9VJ58a(1+C*-B-v3O7AYo1n<6}z`CTcoTk?Zb$d zst7%TWIuv!)smxvL#A=&hY^VYn)48X~%eA#Z z+Fj+w){YrGZ|V^Cu35@>sdW=LgiTksG_J@g$(SfnxH_CScMeL;pNS7Dym#?k?xqk9 zEwn)0Yvb39Vp`Y|=deJzbAw}MVaX{khko2}#&f$n%4veGOQ@^{ zMIu}-Q7STp%)@JSn2~X z)OtS2NdKmtnKA}W#$6l495}481_35NsRhAXC+=JiDIQyxFWc*6`|Jl>?R4G#{>PF? 
zSJH1Y_KHH^*_rN~GBEBtA8DbH*N6EvRX5i6_h<>wAed|P z-xGq{jU@jNi&?wVw*99k)$9bUnQ(Zp-PSs0bAJ>(6b#ng*Bv7ECH;`8_a5?x>lH9R z?6au)Yw0(`P`zMwtr48vE!@uCcbJT}jqvUm6M8~^wuxy;;fMc*g#RAZ@~foaw8qS$ zmhksq|9cIjiOn}jMc>*QR@?ob_x!D%^H-t5_tWO9!tox=Mz8k2-s11$NPkHO38FuO z{^vo~{Qe=KBf?})^0)c_o5IjPlFeUIFTDSD=r6 z2J2vdyXW7|TR{QCHi^)*#QiH4`f6gzzHotvQq}Rz%ac&3{KoSG+P7)wem%)Fhn7On zGr9--==@il@3P8U8w`KLhw#d&B0%cuLHy!7-Roc`_YsZuQr_U8Gtmfj< zw@+_z{@!l2#o!6S{NOYld?aY1qRK0Dx;py{E>)6BN|!c*NZU0;4bay(A1PkBtW zG!LvnDYwMd82irbk@kw1S$II}4h0s%TfRyF;nAT%n*`{YzGqB<0$DsK^yGdM?{U!95EgHXwiFMW_0g;Id(x7_FxHX zw=4(l+~r+h+pO%bEcz(Q=1=XA$lc`?g2&Q!_ zha&^S-pZg=NoHmc+PRJ$c6J9(KHUfy%kUp4!CX5mb2zMMdHl5g5Zd2>>Z~BqVxsH* zN}7Bb`gS|G^3M|ZWEp1}(cZU&4)uc#d#azrBly9bF)WX|?Z|O{Y@;;6jL z(7^p%ce+MRzy$M63VkPQJrhS5T2bO78{fluK%!X!#n3-Kv_Y+~Ib2%Mh(uIW$s=Dm zmbK7-;-hLu#L>xMIJ&0SJTy%0Y`ej+5>q#~S}U(n)({f|$;eMPkN7r~n`>j%@)wbU z^~7QrUelJ!3`3L6IH~7=xSA6w*q;6>hj7e`qn&Y-Efd(~E)D(#?xGkOuoBm;(qw{? z+qi)5HFOH@5NEVG*~$YRwJJ*CU)@HJ3OIOJI1kOQ$K<{>B(Qp?1%vAs$L2o+YLy4? zVS#RI5L8{N~4Z*0z1tPSzs%S#hkcEza-bTTHn_0~&PLO}^>ppI>!2P#2w%kdMiw@t(B z(fO|TDi%w_Ygif>{J1-dAM!7P8&r49-4SQO9QnPNX7R=Wyj;QR*~jAntO&7~MEsrn zZ20g15~3(7MIJD;BpLd>f zxpxJgH$9~L9TmP!0-As<20m<>fx_m<<%hSi=JZKddnsVP{o5L(*LY$C3oj2$T-Xe1 zw{o*J7MBBS+u_j=(Z*NafEMvR)9&!hK!*pobIoPnr8uy|xvB~ixxMthOClaKs6~;* z9c#LaUg)+DCzT8BKu|}Ro#>&;fbKCuhv<6Lez_sN{jX*6`>$oHhA$-Qx%?jhB_WxP zoO1wS`~eV6>kIpM4Vr9y57E$yB#GV(%E*s|_wrF|e%YA`aCw62vYMMv{yFJn^aoeC zBiocb;Y#NT9I@Brq-c)WOWEh{Wn!3SPTo!IDUfDp58@=^NMqB840q zM4puTVwxv7M(2Y)s<5U89H{6PN^a~6GIuN(R5|F|5Q7JS8V@Zklkwnb-v8_n0Pe`t7 z?Bp2d4`kRqS20T)%67yaCk8EBa7i@wH56`PuuTRC1+JR2@m(l+^zKkBGA{?~%7WZL z4nvm@<9BFb*=R=VaK+-bS7%ZpI}#tU?v=5c`M9dRCzRNCaG=|wo%nSm-(>*wMjC{< zsM4sGpqlbAi9r=B1-a4TCewD~XM`;J-*^jMm13E3AKsXdz+iC@Ui)^EIMfl4BzAp0 zK1{J<<6BT#!1xMWv`*;AKxsWebC@!x9m~H#jBwc8!Srblx#e4p52`Pq<_EPwcW)qk zPhS$!xlWu<8nkpFe?a~%73G(nxX!IZWxmzx?Q|h<5F4MX)63p!EGVS-0(GRTyb(blP6gj_v&fszAKoC82&5^P5dQ9DY!8q-x*xVLWct{q8V7mmPGBTe8xwR 
z6Jr9np9pF1fGHXI^=2@qD;%R1kIrcxi+xMYn{Tk3)&*4RY}Fh88HSdJX}%?@YKK`H zei|7uBU^f__rjU@TR{E3AHV~Uq}kXN6*Fv8#)f_ZyVX>MfGiR!G%*68zs_0X^0NO?YJB%kI2tpeaSnVB-2hA4&t><6l zm9K-wyEMZT9vkZsgM*^}pT=>`KK844@>|Lgj>LYxpaCg~1l1*UA~#G`(*byz5203& zNQ`#A>3;Ay9f&}a=j2Lc25O1;qu+=ExiZo`_EjSVgr%W-JtpMSI)Gx24-DIPq)c>R zQHKg*llzd136-zvDuU7q(SNEmWY_HD?WgkJOT!6COM_Yo@YJ#i6BNl-*UFiGd@IXk z%PC)xD7SYVrkPgWH|!fzG3=czoKny$Bt<9(C7=RSa}Q%Ih+v4jwp7Xq^j=69RYV96 z`Z8XN4zH}BTFS^24^Q#uYEo7?$sy)SOv77|Ynpk<0suT=^X4_w1t~_9`qfW2ci_bN zvE4;edXbi=gt5A^hLMf1=6P`n$`t~y>L$|FmLi^>7_+;mdD#l#e{Q7v3u47Zooiqx zC#%gYg<%?KPIfYhKcTVD%BON^$q*pc!W5L0{3)aW;-GcC-Hr75O*^M^7=KVe^4j%2^6_r+jp4tqT+6W7HN|8urw>?_1@r#X$om6bwwkx)iifyA}RBYR} zZQD+TH~XA#?_KBI_HXSz-F6@D`)X^hHP)JA4)or~bMQ2VGSH_0o$?)W#D*tAk0zo~ zoZ#2$NNXPK;>y5xv;h^r6FV`%%z;q_)Nl5Z`%fY#mC)Z~AS8bnG1e8P$!XI?M1Loq zN(QjuS#VnTxkFHMM1KM27usMc&FLQL>>lA z&ni$SglC=Muz1y4rR`6JHjpJ_V|9HCqE5HYjtMe}AR0&r83vcw3oTAeljGSM87YyL zQRkT+2K0`zfc1=K&`NKy3Kw#%eJaU91yHQh_n_U8&_`#9V(ZSotYm;70s!EL&l1%i zHI(^`67FF_fEFF%7|4aZtG*|T!0>dOu`-53TmejozVec}6r^ue`2P{-8B3yy)RaT-Pa2y#s5jWWWcDy_#%Lqbvr~&`53Jqd8`I z*J0No66;~)-ee5X)#&4^bc)1Lm*rwSY;Ua-aIxx^jpXAf|~+`ojn8CAv2!P*$;`_O3F`^}wH|br>YX`djsuHTmL% zpoTSz`OkIApR{dGJ6kY4bMe2I@^yq8l~H;Q2qo_kYjnv6&Sx!-eSo_WXuE;YsVEOv zKI0!wFB4k?%I^Sy7jY!`qXpYH-Z%zD$GI!f)o%CeC=}_+naT~SSr;ND$I|P;lsNb5 z%JVv&K(E|4O&lv#zG7m8m^qX&dqnGmp9B<*P?5pr)7NC!XKSSEd`&^+gD?Qb=_eJ+ zBJlx^u`3snh)-i~ha$OWL(YGe6f_%09XX58&;M z#a{$(-q#Q43Hi4;9fa~i&=qRc9EsLcRI$%%qfb$4jnib)(KB$UH;SCq@oG+pC`3x+Rl_qh<`E#vlAe7$jn6zf|6^_~vX`zQ|4 z#t1eiS}#Y20N*KhBSP*s@Z^7TQK2q3TL^HRN7|c_K8o_=;Bpcq%p-Y330bPa)xStu z%5tqd>W+J{CwUK+!Su9+>V6hA=^d^HOiO~}fwbD&R}JffxlP8{W-IAea7;Bf) z$V~}|8`?k-(UItftwH4l(1I}InwWN99Ne^%o@+Qh6b(PQZFX4ItPjr;%lDHv&hqZg zJt~xHA5!ywTfbuMObkTdDD%y|K*|X=Xp;9W>`|Usk*yn;A-y-ZJNZRA>4={P4u;^C z&M^)>I4i+87EZ~x_YB(PqO1>=5e?nxdZr_tY4TlWsl7uDS!(vY0ZmWbIC-PXC)tsh z`iSvDbR*;{pip0(5dq?0fPg{kO5)7NE21PaLjDDL4^9I?-?OIthWUa2V|b6h4)F1) z1G0bt$T1JMKjOL*Qu|U&bs#|vRnyyY_BQo8j7@uRaMjcsEmV$#V-ek7lp8FRV}9}- 
zo!m=S^)AB2%<)O^WjXkJ8dnL?rPuIw6tzO&s#XxlahHE1RWCCj*%; zTj*lr?ENGiU<0@;1x9>sBADY+FkoN;DL#a^p{^se-lAhb>?=cDKzHiSH~BoppjRC( zll^T%RQ93MWBlRO@QTZcMHtj~g>Go{0a24I5|lgj`SmrCEJx!VrwWaBnT`e!X6EnY{+U}nH z*@E~*ADoITrpSg3AqXg%4gF%*>jz4lu?c~GvS2yVB24g{@IG+ip|_czR@Y7J#&nSU z8fLU5G8n|5>(t>6YUZ&>*r8GIEuJ+EBGN?p^67pKeDpExU}mx1V!6e<{4Q^JzOrR3 z&nPUKkG5@@r_o_GIC);Lgp|YXqA{4Dl~5FrR`A`_z0F3BbmZ&sCo@Br4LV{Q8NN3z zBXZ@WvZ2xNp_#e{XJ#$!-11bFv%6tpsRtw;p$@5U7&?x+u;tCb@MN3cFe{%9Q0+86 zD<%^MonJ+l5Wy&a*pzoIE{>zO=LZbaoq(dw5o@{4VDWX23T(?#jk3DS5YiII!~|>g zfH;IEQoSC68Y~MkS)?NhA4tBbSdN1vP0%-~%u1Tq(G~n&)OfhDpvZB59ES*o z1pk0DW2GM1IZu3fj`dZ(v95EUV|I~uxUBXd7BEmpr0Jre=N`_vLCG0FV_{(TnQl|N z`{~f*c2!jBqKM+r^Lea$&nxJI)UCeaA+Kpw@cY{SCXl&rK1Gy@%8-!N9m_u+dVEBU z`yqwaIJ7MT>+B$Kck057%eoG+GKG1_EYn)IZh&iY>}buaLlyZGjPXvfRewKG9 z=$L3j*$47G*MM@muuO?yhkm-{EdQ0n+P%{bTci1{K33w%R0@+C;=W`acG~cZ~Vb&==anOKvmkOazh(CVYLBA-; zs16~bBb-9X$a`}6Pa`f8;%JJk4wcY?zz-~4V?Hiw%LM1e)w zLa6~k4bq^Qx}Kl~$C`5j<`}fNPO~|&*Ciua&z+#XHeB+hN34w@PVz9@dE&3oAHhg2 z1l_#Q?z1+%7H*Y0()uUr7TjSDj7OcInh%9okTErwo|~pvvq5LeVsH+H^Jh-616I`q ztGBIa5Cj&2fD#8?J}mP-*jotoLvhuT?bfD;cn?1JG8A+5pRN4G^irhO2n$&XL7CSS zXQu<@D57suoLCFaB1W<|6%6CnSs}htc1ML%Z znCMv>eVUumh+y%Bw|8J%IG0cToUwzkEO)o4G^ik7G;j zxRveJi%1JyDyQ~m&y(4&Db06hh8A&%TP?S=A)QsVC=*o^Lt_JIV4J$Y__Uu-_!!TK z_CvW0xkt=%<*DnJKW?^x%*H5I%rfYmiseAuNM|H1n04}hteer)SToJ?qt<-ug*Z2< z_TksDwk@TUmTj z9UIG_N4byo2(wIQOIUM}h&q}pYu;`sQzrbi6~Wf(M7e1KIdLFF_RB>oZfL8?Ps7~? 
zn|>w1=ZI5(6Csx@koJ>ZT+*vi#HNFv#X%OIM5TZFA%LmP*bKTz{OjQk^W<@F@IdzB zkoYb0a zYm=jg2`p)_W3e?iSg)LIwfGW|?GDFlk;~j%Y5R%H#$2PGaZKr#CEbvOK5|e9aKjc` z2je28dt%n+d9PPNbg%22_S`r|h|wKj}!^basm zh|o&b#pd91m-*Jq1W-{VujNh+D>7P6-!6^as1N%t;8?jz8eXA&!jqicFLG z9SWzG=UVm@DN0dsWyG3|GfSIM++%?FgaSLy^iq=>V}rG{uv8U71vWEY$L(d;(6nLS zlS*m}DP4T<$XKu$HT3|9Eb7A&AD%!9J<3H(ou5hU8DcIkvE>n0M*u~3AiH^)xE45q zKZ=U~60_Q?-g(CWXyZw59gq4~X=%?|z+=UPkpA}PAW#qDQ!FpU#ji~C^Ln$Wliv#r zJ8Umzl=TdEy!)Ik!E1#PJ!l=%HQr>9nxee**>p7IlE|baGr&!#KyJZTadz$p7Ul(U zayzID5bGsc9?CWD5k)?PPM6g0+C^rNv5LLT6mY)j{yGK9xZUBE&eF!;3As4Yeu{A< zT_%^nREzCUYdtWJLJ8FXejs~hNh(wQ0OLNJt>%g*Ua~F~*^seuQ z+r>4Tl%P91$rW=PVV@$0=3rOqoJhj?Q4~r?Lb>v8TI^<4_Q4NJxtZvZy-2qJ``#_c$S$PjKF1-*uV=9Im|*C zr%sO(0n*z3tF^uNP_>PrDQT z7y!`U`&A^_bt$!lPB8Tt_6Vaito(0Vrc)Sr=9vb6cm6Gk$!fn0uN$*vwc~h#J$cDN z48L%dZB<%V{m9+nv9+K4Ef*O_c9DRaFw$Dx3|i@2-gJGR?yU}dxz{354VwqVq|-G6 z54jSM<$PehNb`aMMH1I2-^5$9V610$gUQwGO3D#6UUr8g4nE)L zKvt9sx4H|U)26R&2g`9>Y>d4iyjc|9=Iqq8%}dat3D`mo8*X4ti*RvC1Nxlt=qB{J z<6=mzU~GE}g=c2rP;X5PhU?HYIK#Ovjy_`J@9**^jKw7H6hEXK1Cr3*D~qS6yisII zdbX~ds)uxwzcLESRe(e0Chl&Zf3SJXQJI~PhQdZ)4#3`Xe;;iCvI<2UsmX|d@I0@| zDU+sF2O!Q(O6C=g;1OO>yYZ_Xp)QhIM(C`>OKse!H)Cyp$W$|JWa$PE_b7GF?14Ne z0#3|=BF@Z~KC@5Zn9f_j*dzH~vR=@v9n1(( zDle!bFzw9)G!N`Dhd$ybnN@5MWCdstjdbblwdk=Wpw;v!IdWikA^c4{>q(Ggr?Wek ztrC2!_B8_iWW^yg|)+kRX0stHD=@+(&{uY&xOVX^Jd3=M(^f@10@pAljPO#kjV6`A6dQH6>Sz9$)1FY zo9&pXJ4y*hy?38>d%)v+T{*qp`xxUJG`Z_SunTLy+ZF4i_V9sv6##wKTJXxzXvX>n zH?YMj#)l|b5?e3)gtX2{j!m|;c`NeBQ?!W4krLADDiZAtSkG=D?G4us`5|Qh%QLaV&_|rV3Ka20&aVSPxkHmvk5w)rFm7j$P z+}OF*E&DjiUX7X8vq@()xD~+jWic|Q>{&_q(wla%d=NLW_L7Wt z_fK8`x~HGH`z*F?7nAE}6MX*No!pP59E{7( zR|+nv*`|qk=ob{zvpZ1tWGoN?j>avqC;Sk8yWAr@Fn%>ASe-}FP{WRdf&t_B#%OwO z1%BYd><_%>J+`lHrsbT-&Oq?~eUo^3>mUv<7F%p;GV0Os(PV&l=%QNU9JOtv0A}oq zQ#!{ZY!)muCe-N>3#gs98?(1xDoWq;aw+MZ5H$mUgLq`}PaM%f_1i2(S5t*jPZk}@ zuOroD!{a1%ly{;bTK0Zu!m(P?Tc|_MVcW+hX$7C!Y?@GscsESJ|25cc%zv)YTLckVirFt#;okDPX z?iPRJ;=u*NF3w&tuzeX{Dvrx~u4cv@oMIwxF1K 
zt^k%r$ViSSM=hvoh+z>rT*JH8sgUr(ro{IZzMNG2?1w2);r0CDqx;lGlx#Bg+&tXb zMG+HNd%-u5To$pcyc@7Yeo$+s$(zh?JaV7_nf5CXr-6sO;Ri@Z%Z6`6dKXD~4^Ws4 z66F`i^H|g(YEybzyZ)d&a*!qu2SIM~03BHig*mvlCBr?) z45D__@iWq7885G`#m&fYeAigU#M}*1fj4shqDec$hB~pxa-xULfgj8^YDX@TCgs3> za%Li@%9+|MK@V?wg9K<^$E`fTxQ0AcwkFdEAY+)R-&nhFv8_6NOPQrQ zCg5B-P@vX$b>T`(BjV{Z=-TT<%*t6JibQV#AI_5OVZOi-fqh;svcdMWuA4d>pkp7n zce({frvD_p(-X-(A^r)o>M|mpQVE@k0d+gczv`=%(l}GsaXT7J}H=>LSnlhXV0X%M(CK?winC)U#bT&cC? zIbQQ`g@COR!l~sa_7N)Psdqn`nFdoi9i8wfN%g`8Fy+soASZ1JiCQ#97CFU~qVv^B zrTP48@c(Sgt#5w~#{1^-MfKn5dSak0QK)*tM;aa*wCCQjk4$k$I-;v|kVU6Yr(zOe zBIo&Kb+_aT#3WmZsZ?@n(<}ts-;mgy?8)v=)8O~Ywf&gco!$&+&$=*C`bh|RK8^y7 z4z>QV)Thd(;ODpF;dA}@j~SY{KtVjF3xYw7GbBBuVav5}_=g; zLnpu2gK>bubF+gWAT7>c1SB%QnGzwiM6SB6Ij4F_y#z2i%YtU8{GF2WbR-r_+>OWu zE8}8GE;Uk(-TNpE<;?5QVMG=P|?s3|aSb!h#m z&LMWUzlwu>xMjHmhU(edQ=Av#$^ov$0Mqf!FNqR|>#Vk&k`J(GboofStx<%WBr3dk zO4StPHe2ik-~q1j|9mfuzXmS)f7vnp+o)1oJBZ}6(Lyr~Af_(xd_qDP>8Dh&v2`fw ziNrMOQ3EuYv4k`nBZZV7{;oo9zYM9O|;sXl%?aYe0 z{_f)cup+K0(U`i|1~F&)Efyjn&>;epRV;J#l3$qr4MuX&I4AW+^mD-9(KA+2Efp-5 zJ8&^fZZ<7v6v4cG!0%{b;R_LJX&PVu8}K@or0uT3yyv0qT9DSMr5{A3n`}sl>I?>& zRt3TO&6JSm^WVcMp`1LKvCF}S5g?uBwvrH0l?Zh{kpW+=t7)ysqUKq1zVhP3A^RiZ zmiN${&o7Cr)reE02n@2$v&B>cPAYABM-ufhRyF)10?5l0z5S~ary;Mah3|bMhsYBx znT=N2&k>4jCx;8^9_?D*qUNCx=cW?D5lUn4ZJM7^&bQe2Wz$gYA6*X9pO zh@Kws0f?v_>>qB37RmR4@@&Y;uZIq=RTUy^7Pt4}zCU%#^t%mBSKOFwnaj7{HgZNw zH$tF`JGlG?p%QnaXX}6#C}iR{yMjHPGYd}X)eN>L0dVPz^l0r9Wu}x^fhDf*#drb_ zF#T#cL^#=70N?dAah$jZSRGFJwo{Uo$L=KW%Ai)cSHD&Uuk){#)QNG-D3+o;Rs*ju zB-BmvPa}5(7xvOZN(;1e!aU)K!W{Mp9wBO-dghZ*ZFbqHBUQgKHh*KjCut*~&y!lh zJtD!lPkDbkpj{97aIXZixJVd5*TD{R{*}BTs8R~p7j^hTvBqdfh9@Rx=+5Kj4;C7n z4Jj7D(XG1%^^g^Y3bPwiUyJcb`XYG6>u-VKY!ivN$_^(ANU;OG=G5WKMqc)ulrAEY zt(ZjcmLBI0l|pXd_G(wkB3sU+T)pt+pu9Bn*hh>CU|uxrUrW4ta{%rkgPDTu8Nvo+ zUNKQy9Bg;3VGsw&f){P7rX9J=Z>~dNqQk&a9tmkWuol}o*m}E?4=6@-4#KIu*rQKC z!#fI~+x-E!?jitvqUt5^VN3mYzw!7!?A8|*8VI0`9jV`rj^OH3q9+tvT+={dE}Dt& z@o`Q-k3>De317KFcT>xQ=1LRB#3wV^U7MsM;h(F8CoG9MI!*~mSXj(K%E*Q(PNj-> 
zNa&BEVF0=V{JhYFQTsnX1we{TDDnBf+XQx(O2|;6C=Zq)0U1&o2^VE_d|O)NQqc(Gn%S z_}w*-q{KCk9l=5@%p1HUkX|zeM*RGYeXl#=<>*NhsszXDq;Vh=a^LpXIPcHfyy7@< zxqPv4_A1>DCXz+4GzqDP8lt6FNn!M73uIABk#zp*8R~2b1rxA1WftH8Pndpk`yurm z0}PI2UE>R!;a4unT0X5FB#_L_bzu)y<4|pBO`DL}k&JE2n)$ve6@h6w{H+@e{*P0M z{&Uz`G7#*>-(AZtP+B-&z=7Wom}ADd;=36C(QiOTob?P2;Ds@7h8#YSehWWtt)DsALxX>@|CN?$iWVJt3D#pmmLh-Su_5jP$j!aS&%F z!m9`Dvn^*q@|bFP66W!$lHptw!YgF1s*=3E|5asY2m~#~+$F!s(@G_1hcZ|!;)#nR zIfETTBjY=Xh;>*AfubHpDqiQ<77yVeGc!5jAtPh)i2sdXsTrC4Jhq$}HIwKH;P2T27xIi1bC6q^OIq- zD0zmu;mlr1{RH7Wz;XI1L}oPa3;ragVK+$yDhhk(mr!2XanMFatU(QF4Blqcua2aw zNniJM?=h@ob#unr0o%ae&qsPfE3vkl?P>eISKt}Av6hGMD`hjS$Ex&+%8Yb=3E$9d zr=||%u$TX(9wdjp+*?u&`Z82I&hMe{OQr5$Dp(Y-O)FiCf=4cwAPrS?aSPXQsGn9` zLo;rq2_f;FqTZp(D~tX|mECkCf|JvfKgbMngJAO+RDiJStT%P)Xl)f61vb9tyof+@ zMZ6>CQ^r3VQxEtJN^AB55&w_Ef0r=n7Co*c*SK7HR4dEaSRW+j>CMfqHnPpO4 z*R#65f;RG}8b5|pOCc$|X%O56^rNVY6L=EoCI5M~VG%Ka+MXy>ViO^Gn85Fb4xWJI z?90xgvE=W^!mm*alQUpHc{dPL>kQ6ogxZvqA*7WV7DUR0<(C(a(46p^VKu7Se<}M; zZMKT5pK~EfSkbH&3H;C@!NM{Z2XzO=6c#qEZJ0%+>u9BslgHgtL&Nk>kE2vdJe*df zW>qMUk^_TM#38JiMr@pGvp2;$DJnDRs~>&6xGik*?HtLNrwBKo=*d%r_FrDug(N*Z zaYG)R4MWD4SGl5;7(LbNirZ4evT5108hnENMhm-Q!i<(QNEHKk3>Z3D zs@6#8^cE|doCqrLT)05Vic3jWTr_0*^YF?>@ZI2*d%WXe#-yOVsA_cTbLxrE{}_S+F&t4MK)ZmC1Eo|WO{>|pc(L> z@rjK^!eQ!RAU?Yn-N?d4*IK|f5EP+R&MKx7q%!5=0?r!1zumK2Rvymh-&FlOe?jJ?gp*Qd7*%3%GlVfzx8C;R9b{TK=o4Dtbb7< z+7Yh*RFt5_1+p^1UNM!Y$L4e&Vmt~`#dM=^GWQ;6b~vc2KhJ%K&Hp~KIU^#uf?yhr zc7DE7i&^Z^9>AOsXUAi8ZfO%-RkkQrBDe|t19(4ft8***_yurb9MzD-q6Tkz7$Y@9 z#(}?jml9OXpyuh{kFB!)iNAzYp;HNha!vbVPk|s#c~4>yWd4~2ZT&)`Z>;fuBaoEJ zPz^jts=}IJ#Tv1(*{l`w`e>n()64anC@fbQ5NdFkxlFX;jkUli=QB3(zFz45T=SWc z{e#GVo>i?)KT<{IkW38g;15T))hOMiw;j020%^_tN3i7O1S+D|yV{H1$o{CKd8TSY zhTZp%Bc%7G3iu)$*(SgdHvaFC@xM7o7Bc+}zG}V#*8PMBqkjwNNZf zk}uwt>9ed$I)=1cs_O+U4xs@gjPX$7S?#9JG}4#6LB}t9!FOg^xB+2y`P6+Fo3LKQ zoB3ow_=>xyUBbw(N`_klvmCHSPUoqyaU`8hYs0wE@xYFwb=e&h09JL3TfSL3qVC@m z(a~NP`Aq-C>;zP*VVVWdn+ok}rv5>#b-6#uS(LW*<)>TdElrW_A|!5jFoH 
z4k!Vi0i5OS?DhZoD}BU)Bk>6|4U>OCRiatYGtPn0<41FfLzNbNk)Z1Mg4VS4G>HE| zY+c@kKJJt2#Jv%p(G2X7E}udD9L~Ru9%h699yWUhY{Egv;tY|xYBjZ129_@6yw{0>7n)bkZVjCa||Zf=}h! zsIUbXDjKQ#N`{KbM?LU~NPvaIJfhStcp{)e>VtC!eI<52aL6lp`k!4a3LD;3U0 zZ*MN;s-{fX+AA^nAZe4X7rE4U*MHpGzh#GNL^#I|8!wDI@GvfS%b0CZzO=h@VOT0r zf2lmGON~L0?P6R~=sT8^t29fAMh|_w@z(|miK}QDbDZa}Cwbe9-lM3FKsQ4aRFzbkOPZb_Lz z7a(?8VcR2kQ8x5DpV1_D5-S*!t1KV(qula{n>FS?(7c));wj;=QzXiII-)0j6!N*4 zJ(o8C*i$t3pRLTsdH$P;#AKYGEo{~89n(yuYmR;Yb5IKv5B@Q}5GJjmFuwxhLt@h( zYlrOaaH(1c(rZti`s(Yo3q4B>*z3T5cF2}FX;=8Z?s)sC)!!nqdVJY6HAov9=q&RV zY;JH;eCHEtLZziZ2&hPxMZ)%Ip#A>;}$*z={v4jU%yw6;@0WvEZ#NeWW5`-r6?G(yPU`#l{v!5V#Rit-E`5yP7 zXLNwmDXUsFeZ|l7AhRDfFz237zVKu*Ty#kN?L=mi$Y~Gx20PaoY8W)qs^@8aWTeOr zrMod&#BPV;*A)piRBf<@>RZ`3M=NmZm`qYtRxTP|R>($&HS= zJPjtjsNU{&RK{wmaBCuqiA$YMJn$77K6O|l#kPTk4y^a_b7YxRv$0s_(T*pBTI;sQ z#b4g9F)7a-zI@>>6c^%G;*7yK%EQl9=ycCnL%B`)Udum)wX}JD1gvUaAJoT2Sk!PP z*yJAE&Gv0bERB$2E_egJXgxmU$m&hh_bUN_j^rt~CxM%Xm%v#EM72>dmAxO1BraxupBO!=zS`M8?F<&myy1G# zkCRtWQq9vRA7RO*L?wF~KaX#OIP-{V;B6c+$5T^$@DyEC`Hbfr6$MGaFOrcO=FN3N zg)XBAQ~Y~8tBoXFFDm47q*zanw%qZ7tAfPnfWd1exgSN z5R1E02X^p&qDFf3Yp)v|`I~H{k+Bz-HcLe+8IMKqaqN^hND-C~&Pus5MxpQOk+@*o zv%<3d$y~YDD8;VtQ0z;2oCG0Gfu2J2H5KjehR8cOPlwqF5b>0AdJ zOXT5tBZ$M9o@Ozra?#!$N>CB>vyIcD^>{C#{68X?SmeAxH!UW2<{pt$7TG0Z(o;im zWrMm02azY3`s<}T?;$Uhd7)ktc3kB+fMsaJTi!)(!Tnw5R%Hj8y#=kf8F0A$BZ7$H z)(FK}}Ko6xBkWX??U>wTI~N%BIg>$oBl z*lg73V%-**iQy+E^gv#0o%5B|8)?RW6$ zg11r*!%4hhvvi^cXlN~#0TXuR$4^icvM-`bS4&8CnnVI*!S!_H6WX*23=r=k|c+Et(lqbMw1*>OVNhxTo(D+T@mAMbWlJ zQmw;cqvCJJ-2+}ia zA0LM|14-I`0JC~D*Q$)cWaT%R)G(16e~1TKK`g{+{igBy%3o8+%oJ~ncmQX`q`W9Y zso+}ggy8?<4|sc-#-@otTSfGCHSA-v(JNm39hklN2c1o7bkU9s;j8C-aoVmE9VI`J5X0t=E0R+$$h!y*R9 zH1%XHc%h;gQOoa(V&@4qi+6`d^Wlr3=(d_tm@nMEV(QB?9`OQ=*V}9rA4&fro8b(O zLLd*=t^*^TNS1t85H>BL6R0SvX5X>y6n`oZOP*PvSzf!LFu)J_*=}XJlbwaHg)JHR zgCiw_P+1hVK~8Nn?M@}G2J&>zEC5;+>G9P{PHT;b{8*vkeTnu*HI(kmL?(AGCoJPz zV}r`lREuH*ZXTA~^Hza8(Y4`EZrBpPEl*<5Q~4SR2Mt|VP)~7mFD?oy+49J$lr7)c 
z!tt$LcjWwI0aX{yir6#+2!54#zlR8>d0Ew<_w}hSZ~Pk10Vevd%lo5(Gf*6F{u1 ztNZlaG$fL=eJ`tNx{4F;X>$MVwSj_l>ivF4;F%lnp8S>8XEU^ynYj*L3G6*KDN@AE zJne0%8iR(+S?*}wKl7}mJc?y$NtVBA0(QIUCOX;JCbIUN12v@J5%)t5t()um@hwnH zyB#Z*a3+C6Tb^`tTt@Hb+WYUiOx1}66t0e|1|4-$SDDxcss=q5HxLahs@R7z>XI0= zIjfx8M*IG-|HclVK?YNWa^TIHbXy5k?gZ5_>c`b4Opsw=v)T+Sloy9UJ#;(e4)nUb z<36dA-C;nQfuKp5!RAwXa!|1bjLd$V)b7UUXoKkFAUBzD^ME>aLp>;}Cbh%lf`zWb;ucx6 zpgAe-{C2BPt<#2qz@-ei8mcJ1gDk)d??n#Po#8~c3lyf?mb_5GxCr>h15Wxb7tuG! zlJoi^?wYyKMzxj&pNc{el-f%sT?2Ry0QpZ@$#)YN$bU1{3ub(u9!;n&N6fmdt|x#}UX7iA&DfPsyq=P7Dbb{M4yLI$5CG zzB#D4l`ZxRP`K^bI205hM!t8wy>SPsq!|tE9^jjDRCT%W(XXO7U>Z)dXvKL`Ut9={ zvIt5E9F-(@R<$3&2rP1$05fFY(V)JqgL{c2h|vis8$Lc{B>QPt#;*-NCvbLIH~Qsq zrB;Z3TpE`$Y-58#f2-N=oB7W5QtTjJHzbUSt4v0dZ)OGVD^y_J*qUR%EHaCA8jDy1 z`bh+Rsw-03%S+}(226#rfd7VN0gD~6UCBb+_gdtZ`#ycgjkI}C?ur1E+lk&@6u>sW zjsRuj5ALu$3KeP2Mc-KVVeos;1O?-fb&uLh!_u3UTlpJnvrDztUBXD(n3aAfbwDO` zO8CM|q#DW#kM%{7Kt2;P8p3<$YH{IS#>Vo!yT(m8r$Yc*h)uc3U6w2#371ptRS1d= zH@~v46&p+eQznTiy>mhU>gNx^OrVP6d z%$8-BLRwrvVr-J?m9AMFzn?7#4-WXL-VuMl%9#7DS_74!LXZS!E?iFnzpv10kQ%~M z;Vo$X$ZqBVW4KpDe3pnr7Dp8HO~)Rg7MlojMH)P59*DD8m-^b!_oq5TTjPTd}PiA@x?0KZQ}^=lQdnetODca)<7@bQrfnH(M8o6;- zDP08KoYa9&AmJQ2k-X9;lu#P`!oNI`GtPyJsDGA8GXwGfSwQD|ok)g$6=0Rs@jyVQ z@+CK~|E>7!%nEbpBdlO>B=9e!;=SGF^Jgm+=wqM4Rm}sKBs9pv+0e*`9!pc6|7$WI z-*KV9^QMlCOFT(%U8G z0M>tTL-Z2arKK?S_4OF6);J>3c-%!M$y-pQkS4m`Z_I1!>kRgJ)*4CEJKkUr^`#$}OEACnu7(GXXd zQQyvO8Hqhzx^=6+LAqqk->?eL^*ItuSMnaa0-~T)X?0n|Fdz9~;Xz5p8$^0l@NHSd zV%$u$YamK!if0+ZFt^rs^Y2QjR^(r3A1wF8)xQh%pMWZpiF80e4gVI0XR6W{9LubO5WJe2plJU&^jzj9h6WIKNz{nY(A-H8EV_peThXXu*?5}1cUu+P>kSi zU-3VY|ECz)F_fvMoVt<^0?*>so@`f>cxDsTmUR>Ro!xQsU6L)_Kgr}5}$>yeXFPjbvdDQSXZz^4+Vcl_m zxMspM+aP4!udP^c$ed@AcNiS58PX`_G3ZbS8LV5-2O{VbuLO2sU!HDsVQAM~FF&i% ze`%HZMgK(ZD=qb)&BWyfY*@qp@bQB~otL(~yE}HmwXP`bQ(dvUa#js9OJhzfdVP{i zH?<7hHx+dqYXaGz<=#JnL177K`7gz_G@yxn8IDe#ZkIxcuuEmE%R8cMVL@ef310RH zMJt~Sd#-}bV;Glw?aqYGC!lK_9_Yd14cofsev3osl&%=a2sJ@{F$#9TAHAs{{;lwz 
zyRlc%o@}mHdY2!K@H-}#fyr*YwjB&EJBcK*V(rG1O0zcf2KhKP7utJ{knE5x0(7n$lx{GWNl5~ zNoF|O5HAjynOxwIjCH+4S`f6D5#9?-N&+Fh8ETO&w^S#&h;W~%3Y zG+9ID!EK?s7+lT0p6h(r?X|ELJhF7Pb%6D#}8w1HQdIO_U)ai3a#ovBf zWPYl81;JVSfHpt(pda+K^kxjWeV>%o_r6YJV`hN#nqX<4WkS=R?w$PA^yKNfiBGz` z$k}h>P&xTT5A8eiy`S61#HHOoy43utehS~{a{GSG()6rg7h&MJ*OdR~5yAc22rAT3 zs=(rlzGsE**Ow+WQa;e2+gU1*e=F+AT`^EL+DMj3O_;J1f>mQ@7WrmYEm3^*05v=vV4HK;g$RL3Z&r=D8RPEIBPOgaTU zEpY3ICh4+h>$lk$))xA2TlunOv$UniRgkOAJfTsL=@L!Cxdj^Yx+Z_@fT?q@UC&3a z(+{>@iUlhDbqBCEPxHj*>3uepHoKlCfJm2;D#KeWeroLBVwYZho*-uDC zgtdI}f_T95Iynb(0pEQ2d-uT)%6>rC=hGE+e)(SUcLU}N@|PAnEV+p8L(~_4%UC<#8?@0H-8?iuwG4$eF&=8+cFmWgiqr1@c_UcJ8CNebg$!Ca)QqOulBw& zD6VA-H^|@tLV{axfiu|s&;Hd_-Me>p_3CeZd#%;I(sun=6E4OAjb1M}T*>w<4664d0+X zSxHHoIO+&wnT&RSdqc;XTNg)0H6Y;-RHJgecPd1ZFaC14kD}(h9cFUZ9h&E5Dw4J8j%!lX zTFu0&!{#^9)w0WfC`fluAQZW{(Ot59=VPB>f|^}7((w?wb!}@cl!jYs%vheqX}cdn z^vbb6>eb7^;ku7abg269lL5vjWBP_RS1e=W9uBYbIRkxx*3t=sRE8ZJ@t+Q=!cjN$ z{Zudn(3qrPV-BYe4pRZ{y&=w1!-aH#_3NK`pxHF(N=Wt2WLmF&Lpre% z9bJChedagMKK4nU(^>>>*lP!1v1ai2=zK21;^l@P)GiYGfthrE+MwANJK){6yHHXK zvS!snaCpDl0~toLDEg=mmLL8>y#6*F+#d;S3|jEfwYuIc)8ikA0%g#xW?5u@Qo9~L zNNM`m=8$57dA)130jDD<2!kKB&^TPb znoPcSz_`WGVVu9M6U2(n* zZD1*>V>;rS?cbBdtaxn+GG%v?KL*XiLSkjLtqPF`H|ukBM$RN5Uc`c4wB!Cy4GsC< zJd}kjnIA@Vy=r^w=yaY;Y}a zr?~6Xj}028u>*eXWBK)y7X5zctW?0=_m^-JG`P}$921QwwyBt+=adHg(Lp?YHVct!iu|ijNpIg4mLjD}H#JIs1`UwZt#iOZnS;&X?#NhdQ z#Z$Z28nunT!;L=Ukbc1Es8r_D&<`k(y_lko=o{IkX)M4fo_Hk6mk1qdc)3{P1xO-n z=!TEvmpD}P&Hu!ywQFa+nWs`~qt|#Il*NOyMqC3th=$CHU zC)O!c?t5|+sxilogH`ey#CP!vXq4wQg*!wXTLUsDguWhC8!o0c!#CBPFH~{wYX6t?5worTt9b{A+{QMsR_ym3i9i(zGhBxx7>!9pX`ap&qBG zE;FWwn-Sfd`#GA6=6Bi`?#M-F;-`WS8gOWPB$p=WcI9pnd-ZJdiR>UQKm#8-UUpIW zdPo1FMkUCsCyzx=g?p=FHc|s!fHy0#t3_!~q+D8EMF2yDG`6>JnhncILjC&Vp}j^o z@xsi0e*NNlfz!J4JtN6BnZg9CtkUL3Av|G)@oz?!Z6^Nv{cKQOpG<8hMG{|g6*;lX z6nB1x`L}HON-=A;F6Ilmpp$a4% z#Q#>)VRg4f0X^ZXMRz{V5W!2&lO~g}SW1m<@aGkQX;i;_r^LxuYIU0kEEB`B(r)Bw z1_B$e`AA7Ib<87J!@+cmTVWW^A-#II^s<`O#mlwr)(pej6^(MFCupgcQ%NoC47RW= 
zlkl;^fzPe{>g5bQg{z~=AbFtflz!}|y+Q@t3gRjBAy3*}COubIb*7_aKgUe5`A2y? zWZ0XjBw4c7eC>tDat6NP}+G| zQtJXfT9u6(R@CEnoRgo2(;1A9;1%fWh~Wpeo-{id&EmBCS0q(j=Qpc+L`6(4Hy_iT zkBh$9Z}p&22CNH`#y8NR6m{yBb*FCCD~(P`m5_B>ZG29=-#x>{FebCyw=I85RDj zDzLfZy|4I|17WFr)BvZNKYqa+{-`?Q%_L{mX@n*@UcQfZ9j{+|5@B_olK9_~-FB()!u{~LGtw#!t^i)@|_Z&6O4Mn{e^L%6p!DV{Os^ zKr)K1-w$l#IdNy*84DEI7$Z*X*XETqHpa@AQ*HA3uSO{ij>4m61Z3Kl$xl&V5jFj(ggPofjQHS2`(<`&J|Zg>j% z-S7DEW2Y)jr3h8L0-j$|kZ!RO4@Ti6zBQs?VXpX7HrAI7&F7S@1ZE>zoQ`hII6s!S z%B7c2WTd48Yu9v_tfvMRjB3Er+D$-Jv0@M?u-Zn3`j>xV=&iGe4Op-%8MG|b;PE}2nyh?pkfR`4@KvKN z6Lk%-&#T zY}jRc2X5u$6(OLpvfaJ~*6dzgOiK=c$YYoJUI*9T3z0Bm&eKSEm(6aoLKmEynQA*g zm#*_!*%Ps)W)(h2tjXk8iw4xQ1sOGR&~D#LNr=xEbnA7+ngU!3sT=F# zdsK_~5s$UZQfKGjRlq&c@MF@$5L%QWK$0uq62d+%4mmui4{mbXkWI!eHW&z( zDIBeDs|K7+lM+mOM_;IlmsRRQwS0}Bnu5ReJ{)83x9%Aw6lj1V2KWCs{x4@B(>4~~a zy#;q>^}b$^JLhV)Uk~jwou+^SJ>U;e#r-3?b^iP+^$?&?Cd*i|6aHK4#D`qVGI_(Z zj-flxx0Npp6`*Hdsyix2w&G5fF&)RJI;K^U7t28|PNccn@2?Z@6ap#Ly86JVq8n?? z%>Mz87l5Y_WUa=04j~$0VAb)I?q(2HDe>HvpGxD}Jm@3~*uTcKeE5rh-{6(q_%BLF za5n{zq73^)wveZ{F#V*>s1c=ibS~HoV(+AsO&)w0K|P!C#{}mVpWC3Eez@yi z0T>cT#YepWLgR~6SI66|*?sHto6Iu3pT-+voYHKM-=E6XetL=-lT7+Xb~r9i!jfDd zz;6HXi$Q{VJ400Q3l@bYUCfBPm`E9;!4bS1=(M*DZEw1I-0P_JL|A;S007237uR^a z4~hHcV*ipWAHf!9G;WJLda(7=$L^k*rtwxJnm3u-`MEZ%yK==mnsR*BgB;-I+Te}l z^Y_hYtbP0QH#;aJ-JYGYzhto~dk5JsyL1N+Ki_5xS(A?QAzt_qm%a4nQuZPu_>K=q zcp6|RSO`A~QrY3zYINzO^2cW%UN{GPC-klto7w`#xM_?K&7l&rJF{nrJW;zq^tD0l z7K=nDV;liGKH7ICYOnAJJNHp;)MLp|C%2Sg#ctGWgo(8b9+bJN9HU8M`-ysCoo;Do z&*1_;@Jrur>5;8Wef_*oe%aV2>VOzSsG!}kxk5j#DuwS_ zJ`(v?Mv$|L`?YXW*~t;%YNK}h1d(uI%)QH-Qdd~M%l2OO4_*g6mE>%?kP^kHxa%px z@6-cG={Q?bhD~+G(@gA16VueI6b?ai-e_Z;Btb|nS*p>bCww8HDALpp7PLuq-1%p> zVI^Kpv0Cj4mAcyu%$RX_<_X+vnd6z1LEl7q6?>Uco#x;qyYX(*it+~GJ2RGl_Sptd zK#hft!}8;Om#a=W9p04Zyo1#XH#dq-+94bUt?%M2ne~`{K|VjIKlh-GLci%9 zEpjko|3|Y8twXjJ0DkMW0#5cSW6iD|JU`nP@NVX64duE3a)7ZTA*c%@A|Xb)m^M_) zNG*OzUI%vFFK4ehZG>a&M(5Jd25BuvfVUBgz1C4i4XIwSd?@wFk(Sxa|H)+|9{*tH?HYIjGlr6!_<`Y$oZZ%|A9R_l6p=!#Q9-{$TL#xU3Y+ 
zrKdf~K1D@XZBe|=ZZY6)E8gEZyds;Q_gNvR0TsJ5HV|(TD|~1&_ybply~k9q-yHki zmRk05ouj{Z3O%gc_+Q*Iddw! z=AH_RTmY*(SF;|zi#k#x=erZ^41w0wi7sH zp(1gyUMlpaq_hx`)YVdLTkKKS0l&bODLyA&=*s?U2TF|M1gG1~gQ2X?GMlJ9=5`;m zB|U{|gqu+|@9|2&5v$~90~22IPW@1Veha$_k_7$OFU|g=-CO4izQtmTX9{jp?|L}b z>s}80z+K#r_VV1nA&(H!M^sC{Hy)7ql2BH_Irh{=sbP#@WOQjO=j;hy$E z{soOR?Y$SK+}brQG6zPWJ6!dJs}3g-X|giG_ueqUb11lQX?y5-sm6+5&)qS{>8JrR z9$JlBu*7?X&Ch@E-c=mAAWNJ?bTuR4p_M221e6BH{mv^}NKl1E8-N>7QVk!)U(>6` zN6r@od(OE3CL!~!G%(Db{Sfa!^5CSqw3cZ8=?Wb8wg-9nVC@&SaOCxzQOEV(yLizA z!Cdmge2T@_lqJ%*huMcUfOJ1i59<%tm}=POVGNi=)3|3#QNnf&JP z1TBv|j)=zEf1dMg24DT2&SYR#qrQ?yzx?o$M>z@Btn6-}e89BFeR3`eIY_qiFt}+8 zn~~3rao_7jy~nlI4A8;~9&-Ft-Lznz-%w^a+|Yt7fly zBBV(C-6JWh@}s3ppo73>?}4?U81WXcMjtGM8JEs_lvW4Wa=3u6-BOV3AkbP}-7JU3 zLaupdk=^>UUB3$2U--0_3{I+zhGR;qJCf`Im3K9i-jK}M&WM0o8?@F9R$Y|<-5;~= zXcFxAK3V)$amZbGu}>s0sJoW@Tg(DOMgdk-)bHX(vHv}`Q@}8d6X=Ig1W`RH!mw;x z2`E3xK4QK(gYtT}>EJjT)e*_RzY@#y)z9VFvigS63^VzYS*`wf+WMQIGRpm7Kwhd{&#LT_Drc3Y^9py()0H72GLjsQi5aOr zGn=~(9eEp#X?%`Z`#{%vkjbS*=J11xqfgGuESjLrwnVUMby9Cx>sb8yPntuCt-Vw| zGMNS@3Ec)hvvATS1&8-}M+yOD>FR-<-#yPP=%J?J_?OaM-xDTrs>^-#3ZoaR&R%k^ zNulN$54H^{1m1Au8>hVpbN@g>3XJO%z}9J&b1HjaR=I8)c6|;bWXE^L+$jxB(i*_+ z-KV;aq;IZXbCO=;A$CknC|TX>>+srJ%7?r>Zmd+6km(GeH)cZn-$G+*qpk5yZ7ho@+V^ic1m%JRVdXsbV@WT|R|Y|MX*<=ldrO3^e)Z8;r7L$R zOxJU*m8g5#Y%B9fOMQU3nJw+2k5J)qQ}ozJ_D z3v1g8sY5+q`^QBl;amT>K({onzA@kN(^Dv(+pxO-lBBzdNJX1pwN{ z&g(Rt;*rM6egnge%e+ft;!E4a6MpoSUs>(`u zQ-$}5mUU(i{ms#Z!?l&GQ+3g1-!GThL*}F~gpw|B9UxgM(ED%$=DS?(_wrYrm%2u; zw46~w*bNk_=9uWSS!!0hGQlxT5%9-LNX1aE`GSeQ1#7wJ`&C!r#EyI<9 zEH;YkC|6WN=?i>@os3iTUI&frxoyfR@-EE_8v6^RnuiPyEyGCo&Ijk)&c-w~uxj3+-SCl9$7$Plhh` z(^)6XqX|BqrMb~Zw*@r-@f*F%Ez>5HKA4@F$t`sPxoYK`%2ajRL0fAh)Q5#sL!w0IKlpT1NYGv@^;+f_VaxdrAlQ*AR zs?Ld&xH9x5ylW;yQ2g>ad*FAK@Spcb6nCypMde;O>~aKrAudTkHt6%SMRE!uidQHI!KOBl1SM@0MGY z^7Ca>{%5-Lg!Q>C+RAK)4aniP@p#(Yy4v``UwXvIo0H%_W@j z8ww|tg<0oGxNx$BPQ9><1OqRwOyMqWlB7>MZ+rLbqE=6_#)WDS@s+h12WMt*(4zXG zZk@BiAByDTmS5N+kZEpf9c@-`>EKsPEo5?nDvnaxI9>aA>fpQb%>h6$hY-iA;^#b3 
zFiF86#%Y=&ACidMb*s%;aB^NnDZVzowhL)3Zj?>QT#yZ$1>uuuVothzmV0X02UN;# zQsC-rFhYmpf%w&^gi^=zJu?8k!W;RPC{X6t9FrRxC=eE8a%EXf<0KM3wiwhfH)7SK z@6nE?>M7$mPX33Z)k}tZdnzp)4QG1ypai`Adfp9;Q6Fw*h+$zUHm;6j&-N#N$|t+RN6&Y5mN}zx-@9a>;52 zmU|cbVLNrIGdaj$`R!7x37=*0yKH{iQnk8DA*YNoq@kTQHVh>80Nlv+4{*Yd!%18B za596UNwcJOA#RNE7iGOQmdK;3RT4qv=J7!l6AgI0mxEfdDe-PL*D{`w*pv2V@jU?38u+7c0p?)>LE3z~?$-60l1V6PGbk@RWCm7~*?0+rI zF@IgYZhy-x#qNjTx+C%>Gujct`_Ac>uRhGhv2;neIA`(8_N_yg=J`PSAwGVLbWtfm zg>v))#4WLS-BB;1IC*G>h5SeoEul7hnqp&e3i`yi(txUAc|5HXJM5OB;b<>A9Pi-? z0}l8%41h++i2p@lV-Zb^xj?b|?`{7}VNYXU$1%{j5BjsSJ7H0U9ES(<+ zV^`(pBN4I>vv2v`a}f0)#dUUgeDR|>81Adhp4kay0VbzQc=_PW-&m!DlZBFL?%k=} z+Q1H^mXpa(n}2oQ0F(w$L~R~^Ye|LMruYT1^g+CefjbB*VD&ic>Wc6<|7wycGe_UX6#s2 z8ESz|3T>iwshMxgn49o6OS$)0H1Vn%QttNMDLQnN?IJl|Y1rU`CTnqgQ3!dm4!AsY zRnI7E(*{u%^%W3*oCd$dmodl@4_#*X|gO53dyLhEZm^YbcLmp9H!*S-tFm*uP<7QdO? z&{loWa(XQ|kv$-dCAN^tWdAtwDcoBwYolzyc(RTcDaj31bB+@toOQVL?b^Ma8JwM= zxbD_c;riR~r~-*~%mLz&*9cD}+FghFOlDciw$|aCcU!^COo#r|$GX5@yZ4)zVcW){oW3lE26!b@ed9 z8Gc_Yfq+4T$$@Ka-$VCrC+YvRX8g-v`kx{NZCA03x0*Q@^WWF^BVv6eUjB^!SNs2? zRRAhF2kx$T$WX<`pw*UYD literal 0 HcmV?d00001 
diff --git a/docs/images/aws-ec2-new-user.png b/docs/images/aws-ec2-new-user.png new file mode 100644 index 0000000000000000000000000000000000000000..86651f3eff6c93ee1349b9e4788dcfb850068379 GIT binary patch literal 112857 zcmdqHW0+vcvMyY7%UVP6aWAKtc19*JOBWQAOHXm4FuTlp2u?-GXMY#HZvh1SqUK_0$F<- zV>3%5007mXBsXwHl<#%UQ!YC-H zhytLHU??J>z(i`Y!U%DNx9|d6Pu^P`Up!4yCut^S|9V>6oB_5sCBs4?1Q-Dku+T*6 z*uEjyIysUTA^iM zw}&Ne6@u?=udqTG_uo$On|J#B#*K$ybyz>rb&PBlx(rhd>`Np^DVhv%C{Qh{8rrZx zrZq%A-H+1~dLb9>CwCZ)?IowE-u&^?Q!&$~u%-`RIIFY7 z3KB4y4%E@V)4jZrW80>X(Ed%@PGiv;087r}6*l)9iWeuxMF zGvW_mI|L9QyjiUrLGP=kjDRToz@Odd!`AYj_qJ*_kV4sT1c06bvGk$uYg4)%3+Vj> z_c}hmuw~S?n>MlPHi?lY|}eoTk%FsrP?{D3aE5y077PeC`ZI8e|&;GgdJKq_SoEjnsclYXVq; z2ZTnGWz^k$KAlhNhbp4h1FB=k#SDwq6}0%$xKlI5^Qxm`YJlc_YAhXhF@FvvXVgMK zfuQI?3&arI{}HA-fNSa*^7n|9+`J_`41SPE@j_c5Uc;++e&a$AML)7> z;K6R7WdN~lFm41cZ~|{h;2K?eaUip82zIa^{y?%YqurpknDc%axsdg~aMu{zz*XH` z{VIdqCJeydzNirXwg^1J!R&N zoZw0VDtQ{R(Dw-La2~;(7 zR@t#}K+%Jw`mzSKdN&3hwg+t^TsgV|Q$U4}w-5^mg{Bc8dQ@!rMWq5Q%KB&P|M z5lRAG1zGblr^S!SA`z8C$A#_kS!d!fgr$iNku5?m`n`8?aB;H`Hdr~iTKQXn9bX(( zj`5~pXK3S8#pOwaW`D@DP(~<9w2HY4r56+zqZcd{xD?0aPvuwTcggVacMbC!#~Lu0 zeVu=#GVWNAWTVE8!;$XRkl-hSR_~^ zE>BU*shzB@skSn5Fpe;wHncFtHVj!ASe{rBTCQ6;TlQE#+ucEX8xiZ^)Ygh0*_jLCZ@NDsPc_w=qdFOohdvAGndEtYs zhCGH2gxH6!ha88vg-C}Kh0aFyq-rK2q1z`(q*0{4*G{D>?;th2(7{&IW7cn0deWGkg^1{1hm4fe_d8*SK}#F z30@U+7JA2il75&0g94}bzy^Q{!S;CtKSk;iD-^&K6c5r2{ul%u1SS(C`y^W+WBy6? 
z(?j|yO>dlLB0A$C?JoT-RV8gowM6Z_&a{q1jZ+m(6;4A!ZKfQnsi0BAlCP#?OMRYm z{PibnHDeQp-rc71x^vTo6<2vyg;w51b4UJ%_S+Be+JNFdkr4c7u;`WOt4xy2{4Dh> z%q$m96%P7ljF$aonAXv@O9!v>!2`78#qDSZ7w0P5oGrcfz5VE#EGn)!=f_K=E!3v7 zJn$5;P_a7l0`h^obo9ZofwTN2nQ+*mM5ZgNORasLJ%eM1(IaN1m~^SE`-R7en~&q- zi~_@}7u)RCk#?B%qX z^xSmsZh?-%>iyf+Q5)ngQ`0nNsByCUmBYal%KPyfsI-V)4DJ-7OkDhX$p3luTsGHf$uBLfEypE9ags=J+KYHI3o?>trcx(y7Qc*JR zNz@2A$X`6dr6digY)<{=;{twym(5|!nwoi?q@N6gOosr$^YD~=KHu+bVa`X2iJ?UA zTNEz?<({w%oKy&Ror6#h{)u1el-!`?c!V7*rDK$lhtz}&jSHYn&rtPs0)r{nIFsD>i*5Q=wRIxN)wV;XKq3sypNnC(e8dH_i zf@$ke-BYpiLK~q`5tSarW<9o1X^CV>Woc|N*(ubX;BN9@-MjJPf%x=O{ar&;okwG9 z!=>Y^cB1matj*{x04^c=E$cPQ1>cm<)V<{9dXe}+j19kxxAIE$&2d^Oh-XSrXA9a`Hl7PVzdqT zBlR=#N&4yz%oR+MPu#l%R}t3|j|uA(%NfI)ZI}7hjm7@{NcEKc!*x^aGe!wn68U=q zS;7?W#WTwz$L`&z;wt(fy~rHW+)~%6*G0Nr7G_4#M5Xsw=3Zvmd*_44S^LF%cg!?C zH8f^KW(0cjd?I__CxXD{uC;)VjctaBYE$akYt~$*n$| zE+lbrO=BIi%}S44564)=K*Ho(u#NzM+;vfPy?FSshaGH~=Lr66G}F?-^8OxbaAJAl znWC%W+sJ0>_m%gQ1=$ZghfQ02G~LA0oZ{4~oPk`4bdDUB zOz%#@N0%A(qr>eb0W)%pyfu$@uQyDP8jt)QKOY}2EF{|Nzvlf43#Sd2Q2G>G0yNE1 z>sRhSh2Y_IrYJb#)7*N!~5D9v?OHXzS-DWc1G{zYLWb?~Gd+Xsy#E0SY zxq+dMy@sWoyPfIQ;e9D(YfD9CX=w|i2!5<@?ifv)a}kg{#H7!M#1Vn|m`Q^1J{!h3 z(plJz`^i)D-5E&DU#nLbQDG)PAD;9&9!*|tmfq;) z0BGNaqF0i2w74m{WVCdkw8?zhjMEg=9R5V|H0X2*lLqqyqd1i%t&=r_MW?=Bozdo~ z4y`G!NvTnxLB&bdInfEp>Cjov5wucg18hC#+;rW|dI>NFH=9a3Qad4$^$ID6N0D5| zjW2&I^{d0Tw|kkOO*aiebJ*6@Vfn;XJ#fLA5i7SNsvXUVWtC5qFPZDnV}0&(P2cY?UqB)y3!2Z(FJG0^MXbWP#T!r#kvjyVJ3pN3$Bbx6vOY= z9j6$6&cGb&{gJG{F=#w~*-jd|2XG`&IktYm4ctEVUJeB1zbLrVt45R}(l&5N!cO8; z^j^elR5|=O@*$6)$RYVN>nHGC;UbmsrJs z2bod9|0GbY?L{quLJFB$xvb{`y~2#Oly$6e!a3{_>+udw1t%a&IE$AZy_vn0soA-e zw8f%%>Y}-R&IkRgk~hX6`%pVp1(~$RBjd?mhUeR;%81Ki)gm7YKb0;~HBl%Q4Z=Hb zA;COHB+eqPH%YH0oAHyEx_se}{iza-89PQQ#=4qsc0D({H^h(wp~cl#7b_`Arj7WU zK41J~yVUt3b(9moFu}9t0_Qq^Zt*61FY^Y_@6E+wr-4VS8`qe?8tHJNIjj?eFcyCa zD_M_A^l=}y`zb8E+!TL@QiTqVRdCqCEUVKrArC*3lAq#83{S31d`Q;e$dMDMnD6NJ z+7VNl8dyCYm-0*bZqaW((@>ytsY6>P)gszqZ6{Qqz4Ox*_=`4Lba8F``}jn;OY>Fu 
zrh+-6xl!QN#Y?sPW!@S1I=LPUez?SG^)YuRI zDF>aft^1=o^ds-!s*0~cA4dz&GAMoy=v{;=0Ne2O?)=u_ml;rBS{{JtHGoqBe10oJ zAd0%Ps~12*8Jb*R8eiy80Jq$r{WNO=h;zUdaaK3z5qxq&j9t-MVd!D-Rqz9$r8t^v z>Tp2Ph}CE)F{~%olcA!bI+xw|uHA7!GA@n@_yc7l`aqVP3vtG{uCP!SPIQbwbh zie0MNQc3gl)9^KtZ^GY#8ieaf9rvBS-P7E=UB)Uwu& z)Zo^rxUh$3dcV>QRF+*P;^MX$^4zu)NH#x#mv-0`cWHN55PWP`PG{*cBZipi$H5o4 z4BZZONDr@CBn-EH3C$)Y-Un=+xQCoDzcNYH^~RhWFyvtHxSc6Jp7;v(F$0;XNCiu- zjag9L(&Myac#U)nUWa?)emNz(>jVEpTod*QxyyDe)59(zz7W_b*dfo{_%U^-ZU3O$ zDd+9t!EbQA8al1|IMOJ}XA909 zf+ot9s}T3@i8L~L5v$pbd523K@i3IE$G7cj$7Ltd{NxJAjj9urLs)_w51}Otmrs9# zg)4m|t|A~9_bwrGvT!mMSI!os=f{|ML!1CV2T{j&$0EgzDaJcNHTCKn6~149s*%Ya ziu1(r_1;Kb*E){|u+T+Cl-!D_b7M>mnki{vA2Hn$Pb@8O11 z1*16cu2o*ENt`&`TT{P4wi zU0%1%Z7(ki==CbK9r!va?M^4;on0?ICZPj!*^|Ffda*Dv_D8|7Lv7vn6UHp5~>c`^uBKHu%=wXkV((uWkXTCgPUIBYUFFWRT zW3I@abl!=%lI+sY{ECFeh~y`cC!^wyg4G8M7XCB=i1GYUr^V zIA=csM`!=oquZ(M+K9P8*;?2=5fSiEQP6s?{%is!_8$-m?v;#fYjNGTyw6%bcg^8Z ze_KXAf^YxPnV_DO>_S15H5dV zt5%bIGn&#`d4_&Ahux0-Egd5R{A#hje`CoS9M=W^+^z8Tc`RYpy6FgpCq#$a8}y;{ zA*h|sZSD^4eyr04C-fthO_h0`>D{o<<$huL?xr!u30WlJjn~avS-?8-s!Q?5TxY4b zR%XjL?1%4{Yx|lrE*Wm~?@9P=Xra(c=q|K+DRlH}^z@aPFTdU#j#Wl&cD5?Yv@Oo? 
zPm0Uyy*>F!fB_hQ%gP+|0k-V{o}E0MoQfQs9#k;nE$@MC=?(YVre4+hK=|c8uud7I zd9HJ|bUyLv*%xykr!6&p*Aqa^6jdEnze{r(*jUl&8QSO@(YadL{w^^90C2l<{(iMG za?~SmwX(E!;B@67`qvE3-|v5P(-RT=Yl@=<50UD3Spp#&dn1BxbS!iXM7&T01O(jn zhQ^%o!lM5}{=3CPWa{W>%Slh~;^IQ*!c1plZ$i(=!NEb#z(mi)MEiRNt%IAjqn<0R zwFB|L7x~XR!bT1T_GY$@W;WIYf2^ygZ{y_1LqzlkqyK&WEvJ#I*`J)O9sWnH-wM+I zF+$Hs$3Xv2WR7OW|Ap+2k$;o@ORs;kKYc2=l#vS(7e-nWPs{le%bL-e^{FU|dv@UUp<6rFRlEc*Rc!Qb_ACIJfcq8BoKUYLS~?y&qw!Ij_lD z_)C%M{UmB>`*;~eDp_oA^?|#Y#U?lul3ss5L1;#K1M4aLa>vn_wbAQ|M}MzzyXie6 z`0VAc>ik8w5-p$yb;R5ERNe8MyJ+G1k`f3u?=i8m;8$ z#mc{)j$H2%;Ze}hr5?UnuVZw$J0|c>WPI!Eol?Q7JOchlz@>AYA?MGE7)_>*wsXGJ z0~qPQ0JYx0@~)7la($-j;*CPO-}|@yFqW%g3Wt~9`ecyY?5weX+}|*Nygi>< zJlv&B!oS}$-`bdyN+INdaO5}u28i;)f8`ZSGux76dvPE|qag*(Uc#+`}qa|sY^!i`kI`f+6JG+d>-QI za--mYf%W=o0l3RBCn%tU=k@;nTVWW}KrJ?+^Z6#ZSHuAu5kyh=;VkNjYN7+pN8x=O z(KG!2?Q;JX=(-zX-XbFQwgjpRmx#q|R`~VP+lQ(DHVut#V&(u*hH|pZLG0w6fKmYt zkJI0H^2hP%1!+;3rxyN0JPO&CSC>vWm)$A)$=k{nPY_@GYks|=X!thYf6+FJK(>lj z5M+n7LL)E7N9Ml3h;~yOuld))?)r<)&dRTXb-?{GA&?z{ZwIziui*E|$zz%9AJ9OF zMGSm#Nc}xMcm`rIh3tHVIin1!(eIutuqyUd5=Q;~gM|BOai+!A0cmmy2;WG7B=~+3 z=nYwuoUcc5xm-%V{73zHI6%D>@^@}GH^<&uB}U`PYKvk}P3XU3!>>gwTZKxfPdWA_ z@&(*jKQF>g-{DEBvdgz$<6Yg*K)ZmxHFJy6L1g%_T7@v(7Ls^WoD(A{Wza97BOh3< z_5~YQp!nMmtJGc*d@U+fdoFvuh>!XZgE82|lzPFiZZNydq(m@rbH;>k=Waru!M59n zo0#6XYd}r(yV8%Ch6mq3eyI(D33V6220PseBZqJ`JHN8P?O#{QI{muh;dJUIzxq;> z4~}q#EMj>xFO}lyx6=DFoOA~e%G#h33clQ&=$J@KBJ2R~XTcxt`5(p$x7ZnQdETrH zVQ`xIVm@3wlI(O~+DP)H2jvU1OQJ^0Jbd!f9cd@+_KSdh5wsb85xn~MKQ{LYl)2s= zFLjg|5;9qjUu{c_S@LG{0Mm;}&zV$gZFS`Iy*>%bk?wLpUx_U<(gei~*^=)?6C|V)DShPy==Cl7j5c;{F5f>VSJjUM& zINl)HN0+Mjhu*chK+lw?)v<%P2`6=(RH-s02y_bdv$o2>V$)dFQI`wc3p_)aT`a~Y z5&$9`9&Q*NzIq(jU&1H`-iyNdh-+WbX0w}NC=zH9i@{s$0f{gce@#-g+|mbwq}*!7a8{1;J;zE#ga~aix<1H?1BM za;ndQ^e|W~5S6$(0di4F4i5`W@dq=uW%lS zvC)H#mkEd8vesfSH;hg6xof;4(IK6c;Q3UrEJm*cK%e>mlIh~#-qenKwWRh=T~A3y z(iHR4FWq@uc2MPZf@xo4NlC_7Z*fPv8RH%F*V4ySFrf+c#{W=9(feXs+h)>-d2OyedTS;8+T|_hyNbH@ww~7F3+D@=k593?$BQ~X+1nOc 
ziV&!p(;k@NsY$KZZFB5+MrJZ%B?|E9nUEU=oEX8sUMUw@E>fKfknTM20%8&0O_yVb;rD%alcmc`9NW$MiWx? zrFng(kI(ES+Ph2o5?OCrt2X=SvTe%+h>rfArxFMO8muZxT+TK5-YY3IcnQ9Oit-HUtXd1Pdn#e;;T0qFZ?y=|bu*bj)T4-VY# z{h3-KrYohS5AY27yCA@|TrOAzNf|tv!Mt#M@_~i%UBP;QS*G#e`*XLXe!X_uuEsk#gJNe6w=1wY$CE;108mZfa%oeDnf11l_$&3+}Q zE>GA0g4XQsu14ncIYNmFVTF3t30A&nqK#aW<4xbNh?5hJ!K_`XwB{K`> zCI%E=GARtVtCvhfLW-!Y%9$?gFINWX+)Cto#;Uec@q{0A|G*H9-zl@#Ke_rRrzSDEJzS7iz8r&AQ>Gq{@o z_wg~G?%^Ztf%-I`fvx27Se&1oPdh-7g`CFYpThF3si>+lGWIUxy=~ahlE{LD`8<@k zp06vv>%)-HKZhk_{m*R}OPs_UEtw(0IP|g1V&ae`IBcsR24O>- z*jx1|Y3E$gBX(oP_Ho+u6wx_7X&^Rd_Z1_ww$1^`*JO2V?hO|1Rh6ILOE58MJSe5$knBM5o;z30<6$mvTe(QbK@z zcGwwFvO?)v!@1Ae!FMZv?QY@XC>x`4N!ab>3gHcoe}6&q3pj6#CwMAgsJm)T6GwcC z-`SZioqCX#G(&x}KpxK^VmmoU$-PPCjKa3Z3_xr2+POu@oG5E! z%HXA}Sq!r6uPTCdt=aLd&-Oh@u)e zc6KKB@?`$2_g1R*hjOluo+whTdFy$=^9<}*lVkI#51)7dQ{XVDGH!-ZM_v)VglK%un63%cuFox3 zaOioNwI&r}qv_Fp%5}j9JNG$q*Hu-ZXsB`$S}*2zA|-84baq zxWw@eP&77x!-~1#gl7&sn%cuRlSUWi_ASEa^sNi4uw2f-;!D^)Q8tZy#NmD6 zX4%5#*hmXa;{%s~u|0FU!@R*A^_t{jE1m*A(-7n4gdIo}%hwq7WIPkK5vQ{>%Hw~^ zMrx(CE-bzk;tu|MqLoU1*!NV|Swy3WM=m7s!)FA##8q)W5OMMK|K?!6{aH`^a@ zQlc}FP)D5arA?k@6yE#c+cRnz)g@oX2gZyy0$TZ6_@E@%D_o+?RtQ|7qg?HDN=4mFjU9iE^B_n9@y1KS@tLBHTyDFXVfuW`9}8o7Dr_F7^KTj8HzO+lbxrIVUDUYYGs^nRI)}=s9u0< zb|*|P$EK$cNl}}bMOX)9jm|(B-woC~DV-AKYiN_(7m@dlL=#ZOS#RqTXF55!-@*1` z#^84F4GfE7JCl+=EB6eR6yb8{Vp6juhk8vEO`oxKNyRByaC-hsOZkBb>Z|BMF#-84E z6A0dM(d8{w6_+cKp~X5$%{<`Gj6F?%Y<6-dx-PL!rURZrm)&Rf;TgATd6b)qANsh) zGN6(HFA-m|j^`Hw-9t8&<)I&)d+*!n54~h|E7mh(K@cnUr>MGvYh6I8q{=mGv?O^k?}-Yn_pbeW=#(Cjz@}5x>v)dLboJgvzni1 zwU9CrSW8DKK!SFl3mG(V&20$^Xj;(8}eQ`**sO;C$q7`zj!5ety5czaD}m%I40ZI`_HDR$#M% zfJ<#g)~v;@2XBUpvKDnK#5!+q?aVhA9Mj%)pIvbAG+XdhB6V}33spk%MO}?`_~&2S z6kxMR5GlTFaUVhubZE;3%olV-f{*mr`)up8m>)HaM@dgzS>ic}B(!a@wWjfi4q=PB z;>Mt_5&fTJY&R#jJg&EU1opnGs6K1A^qC{b55wU}nzckLKDOx2hB1T8cvK)>_r%`O z�y|+0G$|O(AIDJ{|rVF2fwulrEa0`oS=(-d5ydtgVNt*Bq%qT}q=WuRo_l6N>WlJneWE73=rEZ~m^I-i7CRDRGwU8T?K$3Yw)AT!YqH zD#3h8<%j$Ce$FT{ufODJD1Y2-X3=aDl%jt1asIlm=lUe&=&H{9ebXkF* 
z#a1^9T*$*n1Y+u|1(#U90{UFaqgfeop(n^+Q@TOAmOFhuj&H#)yV2!k?j{M=$1lQf zP;XO*^HkD0H7dK6`B}PPJa_;uwVN|$4%OC+jwCDb@_Ms(p}YhRP9$9nwMc~kCtGyg z)h|ON9g9u)@3@rV4^iPbSEU(S!tUEPV4;F z9m`$Mrr3?Qnguaw9`e1)P$Ey?IU9ds59MUagxptP>(+9Dv0WW+e4y<{Z{~_pD3q#Q zYO41-6}wp!Adzq(#?gO;WFqPGlod8hpu;Fm%n;iWymLa6=AwypWkrNeq|k(^+Uz>+ zZ;P^5p-on$cp`rPv>rY^+tzEp>)~$y=BD2fmjL>gtRet%b+j*RT1N&AfA!^VYqrNd zv2QgT;tx*dVJZWKU|7~Kp!am0JKEwbF~)LahRI@#=zXo5qVKG;@u?zx;Ws1jtg2b+ zcUG>k-`3j_La0rm3lzHVj?c~{J29;HELR0Azc1u>v~it-5vPx;e^14x|M z#qq!aB3((GOUo^+C#p)}GS7euD<%KpslI<3g3%SG^J2IOYQsUtiU&kRVKCXS{K#%k z#}#eMay8ta%jLACkOuE>89j+VNZ$E~*>U)$rhD6FN z+?weqI*SXmYzG8Mv2WvY^Q~xLnFWvqOev8$>S^d21&Bu#^id-vI^TFu9;VUC>tSo7 zXfJpTYA8i0kS-d`Ks46k$;cFaZg|WhjAoEBM8B;pz9luVR#i2B^|KQ=IwG?YUDhIv zmk0Tm9b=z*n!%)!j*`!+<}+da3T+Fzzs=vb__c+-BB}8!c~YYWrl=|pV|BJkoP1o~ z)U#|9LjjFmk?2b7a@YC!sqx@gB7E~cH7&LJwRt|d){q8m4Suec+b$rCdy$Do2Ihys zpQ-yl%7XC7fOjhA@CswpD~lF|wyrTKh+iC{(Ne(SjQ-lokA+R6JR0c4rTDgC;|oDS z!=N{LNdR4&^^9CyTKeBb4brijoboUDB~E6dJJ-0-3k;Z7zQn*^7r}Rs_wR(dPYYOw zRm%5%6V4_E7l0tr1lICj5z9~gyl+Zw8R}FX34b4mx{e zO|XUflvBu3oBPE8fTXE(U{rFh%9Lp8EPKOVt_oHM^gyoPzMRCYeg880+KJy1(a;>5 z6!2J~G%e1B8FyQW6U;iV{F?K(gzxVx+cn5(hluzHo_8TA!;H*k%Rnbmg1^ST13?T; zaS&>Us@qK9;n_il!~{uK^x3RcbzJ$54|7d38rN{(3!1^GGj?c7?Z0mzPa?U^0Bm&H z-MF>!cIFF^->L8T+p3^m^#7Ve2PBi_gJ5A73GG}tByik z#Mj9IX?)iwrfsV!JVIC`YN?n0Sr`=7$@4z(=K=Vy1>AXVKd>?gMiJ_FXJ;EydKg%=W;?OUS(BtTI|;T?b`L1#ns~F#i>*KPxs3V!o(^4MXV` z`v1%Tj{z_vF)?u$d>yPZ`>zSFKZVo0TJiGPEWr%}{l8QB14w?a1GaKO!}3p9`UOk;b~@O)Ej9Chv=wap zZ!TDdO?A`%=nGh6zc&rbxVOo#f7F6S{I?y=VmBrQ|Iy`5Q-Ax(EW=w?k?}uy{4~Mu zEn6ty%mw|AQ6^UpNmoR?@7yIh{hv0&|F`0QY?MBftfI;?5bO13KWdfA?ZpZW3L2XF zWoaKDpNJcrk$>9Bx!gbtr4TJ1Pjr=9ZDd~7Tb)|k9hu595WoKt0I963oGrH78+@W& z7)c-}JqYQPmgD`~&ES7cv>=kZibCjex!x0oOg`P|#qq1sOfM4P(-doVcI1m9y1MzBkA(*|`G zi^X&A@a=!1@r6v3`a==@Fp#bh`V^;*A1Ge*gWVs29#5Ay7_Ioep0xkqc#7iuN_udU zza8F}127A1Wd$9e)#E&qt9xUjhg&Q2L{IKmls`%v{|v%;NvtV`Z{ z%BsweqN~3($6d#ZU?b<{V5`pwUtprC+Be&2)*-UA)*(2gO(V!j@(KAxK}CQYpV~)8 zNtMCmFSRdzQb_J+oued63KIh$r(j{jnOOvED=t`# 
zba+aVGjSdygRv&JwG$9Gjk&TlB=wK%#v+q}V3Vo%_~2io6JxYV_tQgW4otSUSib_# zHD@M^0bOqH}^yYOuPQfo`Y;rJ~|a%{0Q~#Q|N2 zK5#DDL7Ls20@@;O5UXrr(qInu>E&*P+)7hgsJvopP7I{glE}ui2E9II1%DlinvlGs zDkM{99;e-ZzOuv6si4P4b%lr!NtlJKxRxI_+Sx5gIPGC>vB<&34x+@RP2&$5h^VQiU52G-_4v)(_51N$iMa+e%-{t~*Dp=YoCDw~mR zD(fGrXmR;#w#ZJ}3aO;x$jWN8-|63hlfRGjcK{4td!l*qLO5PE$+dUFlAp4WN-XU0 z^D>0gg`j-qXe(?aK@Wkaa03F`(et#kX%2^{BGXMhZZy{{P7+K~$x)y1Aus-7E^-ToX% zu%jbN-*mR7s-J}F<;Ze$&tN>^3Hp)3J+{01@=%J?5p;NBEZ|46e?T3wCJt`olG3es zMoPpx5UwH>ID1QTcb-322Y*IL#tZ25FGX8tdm*Dznq1D?5;$30I%~xci8Wz2H^uA{ zox&syuW!Q^@(lxhrNbsQxlBY(`{ac5F^O6vHpsiQn*NE@bri)=_UQX&u~NZ!RHxJ7 zZzGvwzp@*;_Fed*xBYEX|H6JQBTW%dcI(u2u=;x z)?ty%@(~vu*@l@E5+oW+vybvnvMROIBe;R>y{0Z8J`+Xl{La~pSrDXC-ke?niLo5m!no!XJD^pIRC1v`RW+41TDsZQP z$#wxHv8kq6HJLe-zBDJVvpa@?t3chbq#!*jke=}1De}bferN9ZJD4a9G>t{$P#(AD$lc;tAR_QD_ zSxO3L;fQ-VlNvnECyJ<}L(-*Q>s$>fDY_i+x}+8nQF+Hx`KZnbqYy0Ru)z8jx}ID9 z$p@wSab#}j)3tI**N&QzlD3?1TF<>VIIA^>e{2b0k^Ry67R<{JyWmw0e5|{%!uM~y z+K%<-W(V=|Q)+T8=_oq*-VA`o)Tj-Zs&%@A`tjpeH@TrBrpfJS*eBW08YnT4-h)0v z4rb%@RNoF4AhI7>KiNm8aslQKEX7=(1xZa)ogJ#uVn z#OL~~N@NPJ7UPR_uc=m`=(My}v@KD+wI^Y9`~2s+!%YHWZe}KpSo`Q1^>DLA_+m@N zG?gvrZVuHMp%c>_z|jz0%J2l@e6<;!m>DmHMZ;FK-7DwW1=Q}X+Y8O%aS+#|Iqc$L7Fv5`|z}F+qP}nwrzXbwry+LwryL} zoVL5C`|H`=XTN9n-CsogapH~>b?2$NvMMX{$}Bb#@zd}TS`4VeLP?~rs1#&EVj@*` z&nr`V{u94k+iDWBHghZ7?B27#GR3x2uRJtng*0e=Lc9gzCLgRu)|NzH{>1P; znr{8`0XLrwQAy7|Xu?D@Tk1F`0vl93UW#f!*kI$J3OF9m&ZL^eaLNmKriDcSq%p~m z{&=gzYUv!5YLL{LpjJZckrI&RfMEc#Pc4pz8utYE|- z!QBJ$nGrkPGt3~F7VhD)2KYCFqOsN=g1T+4d6YhRJmIioD0@_lNYN@k;B5sU2!p1?_AAoUP^kEF`JvP)b6cR*P3Hi@!oU*@ znISUc^8K9AZx0PNG(9%mLu3c9X^Zs&7N6Y(aF;s~Om8@-GRh?gz?K{KqkO7lhN{dY z`qTv>2yaPiG`|8lgEu-zbo?A0s0SpGM!JDPBnvmg6+-)n6q{|X5{hBRWHbWq5F}xv zak;3G*QL3`i-?l&KI=(6X^qK*RC+BgPnsqgK?_{^bmQDlF ze>90pXQ79WLd@i2b*WGAbV6y6A`NQ#n^A4puCBAzXuC-ICYO(am9xoydTX|If3rAE zof@xivLVdX~XEL4a_4~NPo4~N7Sg!QbD=tyS zUZH|EpTF(;u&LJrWA}XSQyWhX$z{AtdiP-O6!W0NL?+juBli2~?jsYJJ$!lgyi>K_ zdSyYKLa)?L3|_;_{5(-XJfxeVmDZ_gA-)-^DrQ)1cOq-Hjp?hBZv(ksz>(@v!NySh 
za7z(?+n#-}6rR)xpVBIyc8}-ll|K%(s}1~kY-FpJ?=08Gi_PY0F~^o8S%}sR1$Zp`bjlj+qmbN{v zRwfutw+?)v@QWd6^w^Y^g|uz-Nd1%07_R{AoB3KAud=4@X+Xt;e>d&KPTMMK<(FwB zT3Bj~a1^rl>P2ot;|u@FzaSs%HIw1Bl)<1B*R?Xs_O+@Lkoq#+Y)3szY?E!^a1>Qb zes}+^FQcpEFv0bRfms#hv*tO>TuW=#lW$Wf2HIPmSHvMM6N@(gnf;8)5MdDdqXf}= zkcry&H)9Y8IT51`o^h%yr?nn^_Qm%@c=*TeJzTT{HON*|?PC5sVhHs%q*OVN}V#7iE z^Lul>t<_}{WNyn(!)uIx9a8*51Nf`S1tIOUQ}r8ft{G`X9L&Q%0#8Qb0-+)h|1fVfS5|@8I?Ms*3?)<`6{M za|S>J&(EjMEEbdAmCgFIJKU&rGMU&cHk+9=l@*Pl6l2>LAT+kG!XQkg(;+Elwd3&BHsG$ zh1t!qDL3-6@p^nP>75sP;5fSizQSd)V)1^sKhOM{7Hly#q&Pfb2J1l(t{spt!B9HI zf&_ZPVYvscUnb#OrOsC<8)18^;yz&ua(SZ%^%E-l^NTcsvqFXea} zmNj|jE`}^kLJqN+q3#Gn`edHb@bL&Na}m_BnIadZNcw%oaK4*-W&!dwUDyrHZQ<4S z|Tl<{7@$6>j`v=Gngc{mSpWFD0O5^Xr?Fz z`C6nMzbmTDf_Id2_XckJ!4a8DONJ@OT;slb1yLdmXuYI7E|!byR#a2^$hXIvGL($_ z*BODLCvk5JiBUyht#f*fKr~oYI9`o`DDUewIZh%U=`l4{d-?H|jjhFA%kBN-LC2#` zPBxy-v6Y`Q8qDYn5uD&@1?6h71&2s#0wSq4i?Q9P3gbbQYwgIJb#B0*C=MBcT5@M;H%av&9N{#@NVxxAC2k4FsuaHUk?$0GaGgt56E;Gp8yvqQ9 z%g5&cfV67mnZHGO*aY z=L--v8P1~Pm(p3C?7%)7XL>iApjqvCEgKrxsFDf10=ICd1(EE68=B46XMn~zfJgiC z5`Zoe5QHpib5Q=w8&iZhqGty6uIPI)cYMDRixIf`#P8(9?lGjV3>Osh)|}8i5I%lP za933&suA^$z^psnjC0Jci-blYkrA7DI0`sN&J*jwVrI45BLzMHsfQQqU9kIn$0QK! 
z6|P4n_t5Il-#o9uD(IPd!&}P{hWVa_;GJh4}NVl}H&v8!c`v>RP`- zhW!~ncA#$eGgSqK!%xL;<;ixUP)$+Di@|a%I3*Px<@K#sX zY#&)t6%73&fCVKs>Pl5 zVMj~X&M?nS(07CzJ+c1fF@;w*U3UJdsjeu!hFGIJP0I$v!QaN6df7LUVcR*Pxj^=0 z=V&v*;UOOgGkXVM_kry!&c{sV8tDoSGOy%~7s4y0@gG4|dAIbdd4qYSl)9dRS5#s( z12yFzACDqEVp7~dza%vqG__hj+)`O)P|rktO4E7lqNSh1{^eEa9T3htj4C%>zuXOH zCr6?s=w!+1>)cO`@Zl8x`jyYWt8q)B>+ou~y@z7n#fJ|}%$>#(CRu7CyywUS z!x&MRHd^Oi>zy1^nGlf}g@nMW6TeKzf0Wk=3TeyWxpOmM<`jXC6@0ROrUCgW-k;Vd zl9+tA@5FdbatoG`=U655c_SUP*$6IT{!LuhKOs-y0W)Jk^_tgN0VRvCS~p4P0%jWH z)gHAOzMAsNNm%4yfo+we`UlvxO`em$`qPK}(y7>M3CI)>>VkM2>_qtN$VdaZL}a7R zD;?_bEzpR?1!D>QeRjkF;uu0u&G0R3K!IcN&f9as#1iRa1}E?gdn^6c79ooAUpeaK zuqf70^L63W!frldMjMBZ${G6aj6be|nx|275@2x<#8qW9LJVxMp^6v>7R9?1r__t~ z#1n&@)*|glJOOlkJ1A7L9(AY(0RsfNxK3&k9|QZ-t!Us8IRMZa z80+|M#I!q$2%z9^N`}U)OH*indrGLHfuv3gB`p_sjLkrg)EK`~Qc;YScO$R6+7jW- z?x5Oi0ERZ$tG(~izxT2dXW}61a#OrLj}|^&pxJa1EtPUPL30G_L`NWd`s}YZlW`u< zQ%Fn~+R2k;aSG0JJcOuCkg}VqQs#0;0e8NF%vY+tl1NV=$r@vi2%L)5jmgpzCshd9 z$7EyIs+7+ zggSCxhIjK9&7-@s4efM0H{gZ#QejWplIpE+ZpEPYR)MighMkStnDs4pg zm?V+ShfV{(sGX*cs{eMMW$;%|y57oO3iMleMR}NhOBd%F*h)+SxyP8jB3`cEfto6| zIw?_iVQ*`T_Y{JtsXncar{U~C#dnxuyJyYbW^HRLOf>t}9`{?^u|nSMBoK)6WTl_V zP7WEb^c9+%Q0c~tzFmZZQjt*+_ILa|^Z-i=EMshTT!Bhsv4Lm%J5l21SN)L_m!h2M zKrgoiw$M-?LnR&RKLO76)v5Z6}wObpo@a|_CtCPTSzmU~otcLMzV zS-(7_fw1-nQqYk19lR%0@D=PF+HL$PlBj}@k0$D`zdhI+eX;$*&tkdm6BHnw@s%S; ztCJ7zWDR2({cg|lsI60#ES7zMcvld31y#FUVot=-RsT^XR*)Ne5x=%q;$3C+W z(Z%x-qI}r0F$SjyLrVyF=DLu)jPNmrCljIyeYcp5CF&tD^>S-0p~a zUv}@nz~bliGD1wnnt?f>g6Yww{+_#*)1LIp6gCFSNlNUsE)Uihi;D1FvS_|sHjt) z+^X*6hw=&PGjfjSSGsG9e~K@~>YQtfAjJN|pu2S5!-x=A91^?MQLYctRIu*N-fU+u zb6rQ85hDflWPj@1-1F<~(OY68J=n;Xtz2;jzy8~lkdVj%4Et3&>$&O>o8eeKV-3qU zU*F<M=I9e7^!|^f|%rB37$WwJ`4FB9|TA`u@qeN-hc|;nDtenfe47&ZW;e>yd_oVS~+v zLIkyOhw@S5NLCvY6A@oS>V&&{w6mVOA1*_pj!FpuNfW_I8z8ubTJn%D;h(+D))`4D z;N|zAYIA|TS98rIidR?nA4g5{eo9J0ZyBjGbvkIpv3GTzOWTM_rj~lPj7Lailz-I% zP{mBq82wd^&_P zS^Xh!uhlKWw1*fsUX`|_*5~DT zo{`lR&-pD|!|hsJmkBEmm2QFA&~c-(97Ml=Z3`daPntXuD#y{O9uTYBv&f2zmhmpW 
z{-RJ!n-(6goC5q32PFLhcXADNm{>H0Yy$`bbc%54Wc;L*cDr1SNNg>yao;X-SDOns zQ;U7#wOw?T+`}+kpCht1QrE6vn^KG8s`=B5{gJ+d(KdGk4vmp`_zsQNx)R$3>}s!jLMeEh$Km0<=e5XI z???9TXe3@9-@xis%kTZgQO<|j-BD42T%)<6>Inq{OH!!Y<*m-cg|fX5i#V%^o~UYc zxkEWqJ5qeyo~|}F%%5?RET4rf&L-3XqO=keE5ow8q;ice{ zvQg(%Wrp5cg+`UKE-WPcTb~1i9eFc`@2Or?6(t>dcP@U)Ym~tc093VVbFZ z#cs~|?TjTPh%Sfx>ADJ%(ql>D?ewKAW0=!dP!0(=TwzP7U>WjZ2k0YRC{xvr&bz-* zcAAXDo>J{Enn<;E%tD*H!QY8U-a^D@fxE5S4Amx?dlZis%@N-K6G1FwWhH1Uv^NgG z<9R>Kt5HrC9tzs#aU|VFIZ2mQ0xBMStfWC$_LaaB;HN_|brCCYl^sH71SdfCmD)Qx zwH?Y~FkBsKx3$!=dT|yZ_vQIFNy_M^k(E#&A|CCC(l&lxa4Kt@lra|9>Ii;a{faw{ zzpKWiFE=X1VIy8|@6(Jbyy~)p@YM0dyt|I}RR&U3ja6!!4y8hc1e3FcIVLmPN@B@k zOjMoT2(p~g?A7o03=%}YZwQo5CFgoDh)!)*ZzO5(04Lr*x$koe(`>-X8NI4CGMLH&YMyBXh9W8`B+;#3giLc3U=GBF=1Bn)9Ol zl~$0q43YHIQ1psXL^e`;a;(TP<_RyV0P4jA#L%kD*6=et^a2WVtxdewjxikB* z5NO#v*iRLGf<^`+4 zUUg|^ticMzocWG{k8}!Z8U4jCj@5K#opnz(hZpHIP4n|$=qvQYN*|!b?Xq8o`ow;0d`wYw;3ERm1Pk=+8T$-X!NgyleWyTF?xz9@0-<8l&&7 z5q-wtR8ltzD)@I^l*{*Kmt(M_#|bQ!q=~BuTS|n^t&9(9|}*7$v;hB-&ZJ2r@^1=xKg!StdouK>hS z$B$`rLXOY}*o%yx1P-m;^6i_cLhB00@z_}SbT9VivZ;?p4LDCc7?`BF>8L>zNqd;F z5hnH#B%hw2#+^894g`bdMighYl){hC3c{`!d{B7QzG^RpN+ds8#(9++O0OkLRtX2W zxM1nwt6b_PV#)u!Q>|UB73SjjtNw$3yI`IwwP4T>*hA`vbclHHTzXu(u4}|$xwP*q zqX1{Km!b_`Vs7iQY_}}ZdCWKAS?B?m^D)q_Cm)Lw?lj(j!?CHgP`;Ew(*p>&AMDy& zU~{)gsdHn>Y{4O5?jZU8zwYVPbdVd0?=aZb{A9wHh>NL=T^$Ip&xfCdgP_+6NU=zI|rV-)L-H%pz5niJ+#cU^69cqoY}&Dr&tTU6D@ee2)GDgF$-Wg29km}PQJ*xWI9=dXHt;qMT`<$Gue|4Fe z_*M=_VJa<)5D|`E3o|yVV2?gM0GfOi5WmepF?tznqgqG*lt`x83P|$e$B7^?Nkcfj zD$l^98}#`pDGf{M)5GZnYH&IK0?yiIcN?q{rr*N?ns`bQErAGQa3h@)OMkRy(f-h= zcfwue%?F)hiZ(jx9Y|(m@{a9}uA4wkp3Spc(Gw~)$KvxnNt#)%QgSP~d!_8`Hm8L| zYxwvtF4`FdG zS=pAf8Co)haA>EtCZQnf+C86UYqifb9Mm@n6x z7my+*{LmiT`a*GsWY$#IZ-oNu0nKixzTdCNl*{2RO9dlWG`+4g(swc#gk%++#>VPn zo-44icMlJN!Nw|Efe^GJ4#52Ggi-62bt3<^u7q;>_5{i4DB4Av}hqh@gCvy}(X z+33378^AQ&UT6-K|2n$41oD&kRjl(H%Qf63ZXiB7&Xz;o^ zJ1}Wf7;(r&4{f(}qO??%94T?M&MuFjvY>Ondl{ibLdbFRjcSsFl_`sK 
z1h>tWIs;(`C)7AQCmU8Qf~i!LcSin+xKG+mrR76(YMJB$Eg#azy<19DzT6ZL#?anV zpeV=4cbp$I)H$9hTeKB8%~DroazMj^f|vm`fBN|EgM~GZ+gvGEkRvE8%-}>OQ^v#9 zU*4_{S^OImkbj80$vL~O|6stLK?Bejn*D|l8$A$@@MSB?Q%fR2aVd%4geR2`1m@It zk7H6qyc_#9&mG0vjg)T$G?!n83TCKAAVH+|3mZAy!19AaB@m}iEcVbZ~6`?@Ait2syIF@ZUN7u&em?>_}(7fyX%=q))^-89^EjM(0Uf$=f;2 z8Bu2r-}=RaV*hfoaC86R6<^<@v?TpG&&W#wUm)BcW7v1)i5QKzf}?YOJA1p|Q;>o= zwoKz^L6kS@?_}prbOI!k%N+=&@@P$$lSEj7J=v(`^WKzt11TRKZzKO}W~K8$|4=AF z_Z;Vz5zH6M5F#QXM$xhjsF2SgcQ?NVOc@CPg&Q=AUxhnBSqZ2WomAcoytVaB|C`U> zD#<*A@)w>Vib(4Y5vK?Z5X<90LW|v&Ja5?butlWs!SU!{K*nb^J|4!(w;LlSkl~vUl>KIlJj$~p2NdMl%hUxTQ z$qj$7>)$Srx9%OZ2;0?A)oZt~18I_|jX0LA})fuH9OY1nf)pBnam%*r2h zv3}`B(o~4je|P*(qNBg3=ocIKp-M;t``-}yi}n4FkIJ+DBJ@&Z!j%3c(BBA>e_nWq z`jYQVBeb6V{~_SoA7(f!mh69IQ2qa%oMHUY-3C|_hyRCw^?&ee&6?H!znHn-Ar_hb z5Xa4M#`hNy0d#N`6B8W>$!djzHM8=b4;QgdB#Zbn1BH@YM-?+hD~n1^4^ujC33yfr zxL7dC*GMo_3fUF;iU?bfFCxxICuEC#$5UP^~Oc1yac%yP~%s1k+m&J875Chc=dvrk>|x&MrH7;!Ry6o7>6ZKom03|S#I+_Y15_lyYpmDd$;1I zOl>7cU#szdPmg89_lgq8pN{GLU8MR}p{jzt!>*);XFvE@bvah_?=G#MV{hq8Hds_+ z8sdKNf%y_`MqAA4n^|XgZ&xr#OR0`xo&tF%x%8dKRVX8!*&eE zd~Zk`Y}b00oP-0UREjutQB@m9`)>qX_d@*mBK2PZ+V&1e@1|HBG>O%*QsDVBp&Dr7 z$2EFVQPViyCKG&tT!(DHdYsjfGTK_gp1mQ9?E>{iI{DQRzN!EAqsMSKEfFK4tRA))5+`w2XYz(A zJQZ&;zTJ(U__M07rgf+uTG?*#ot=D&Imy5^uOnda1ZK3mTu5LTRT?rg)@N)3fuzZc zU66FDuf|$w-c$`scKRxIWISl0Rfr*(rc}O-la56;!D4=2hdd8AHk&E@aMf^LF2wTr zKlJF2x^wb>>6%L(QY*wmAphefjPXkT@JYTeIx{2s=uTJ{21znlH+VEO2s6W~9peDs z^Au$-6LKy0xm33x^^T~77@vQ zMB(bhWa3a&nSl!x2=jG1WCVl0*%A_c(^c!RpIdENfsNFhxr|s48q?q>YoJ=DB8Dpa z8qlzrQDX*y6n=!Jp>$*~l0lGXUC!Jvd=|D+XckH<_}-6{MSXCIX3_(@CE@Dz^q>~$ zh7OS7_NT=435N7`FT7FN+%O1z*>NeY*tx!m1jSk(PFQ?q#k+@1fXJsc1X77%aAtJC z0YvmRx9aSsBnI1WJ4wNd^2U8lx$zGR9;co4N9^*Kor~&GncZ2&o`?;f?9j054Pi3l zf~pmuo+9D-i2qrX=xhDRlZF3EYH=yRYDIwK^Vhc4$p!?T4(LfEfOAI$5bs^50YgA! 
zSrzWoGT$&F4uF@kI7LU;Bcov0NA&-WA#lBj%RFY~OI}+wM^~#bZ|(y28x9#oGK3hw zNC<&*91NWWGAD9OE}Uv>AEaCzBNJrihlu*u22cpkS%no6N;jCwcewkjSrK^`%l{!# zXiqeUaXCmK>s2Bu6CSYcyP5iv>+^XC*X-9ZaiLVyojDNythoazY8+>G%ZUktLS z(!Sv-7`OE`BKIqZawsBHUpV9>;VYHY1~~Bpt440cFxjQvKpJ}3264m2M*vGk3dforw9t-5<`xB^Ld1}g z;uA+G>|&3kfy{1nDSu0LtAe7i%2mikQz@a%i!zX!s3JC-*w}dpBmB}KjC?qz4?2bA3igytyY%A<~4=eu>X7D;M-rerQ#>7s#go%v9!!op zLJxpX>v!8thnpVVfP_}=wsR*^O9Zq+GB0^$R!M;3GNod`s0a^-X;8mRR^{%#s8#OY ztek%??DA$1NmcaVs>$jH)9dD_zgmO<2ZwFAUzqX2?83X z5YLSuIjwvm0ZBIz94%t;T|p=$q4*~WA9gl|7gH(Mpkrf3Y)6|^Mt8Vn?^=G52Wh*s z%(asWR{WHQUaUoq+(Dy*&*iY{93D&E4ez*-Oj1bz*kk_7T={d#|4QUQ`;`9qENTA6 zwnpdwk=65ON8$Hn+(%@#hxNsCFrCn^XE1Xo=D6GRUkR0=zXT>SJ-+-cAWERl!lEsR z#O)Tg7J($y33;Vx{h<;TOjtj@&nRntm<6)7akKJO$2yA(L6>n1iNQE{mmn#e!(Gp}i>TOdTwTq1_&^h;)ghekI6+6abnRC>2YNF-F~Z76N4IC6mK4|MhPDIXP^2#5#@oW*(0%2OlY zcFjgNr;`-+>~n~Pr8WItemlXnrm&Si;HW_ST{4z?upVi41@a0@;vPl}l&GJhz=JkZfgCmjMPli)NWraP+TPS1IRJI)3>yJEbPPt9(hZt;A@IaC z?x-I*oX@3I!{wXwdf+XfaQx|o4Tbv& z-#J^m9ciAR$aV3jjj?&qsAgP7ur(-5YYh7sLWnla1-ke3^Gkk?Tvp93F0TcL=9?)E zB^-lYk(SJzc)oU=bzHTOj&#)!>L1>}gpFnZ+-<6$w=h5+)k8B9r%@t7#C`i)<3A?0 zpOQeVB=Sl2YsHPPV|Kd8#Z^sN(|CihUSKtTTYsVAUvb<4#c< zG%B=kbb8DMCE6wUn*{%m=A9eRrWNJY1Lp?|L|pF>Ngh(6un|&d1DqVgcjnK!$HmjV z4R51T_!U*Mhm91?OSO21SM?hAhN8U#x_ySD?r+N0IxvYfyH|z@X1+0q#n+Hm~M#{9ge;u2;uLW*7hbE0cEMQlKc%de-Pv^ zCA)izC3vAiKFJs4R6|19$l&?Zi2wjFjGE)z5-XAn?9T1{?&bc35j6X~U4=GF@j?Y< z)vruYkoDQfyv&cv_H$Y_)%;vv@%$)SKuBoM>t$w~1QUHI;X4-qj^GHXetKuxAF=-4 z@(RJVKeR5Hiq*O8aFZUWF-!R&E}t40^^&eWWUi>eus5ZrtPrEBeebG2(xD-YUj^*Y#GDLlzD zyw`7}Jin3qqhi7mX--cx{O>)a9N-1QysY7QHGhj8x{nwf?2BKx8&Pae^HiBfb6uW< z6RL22#{XSm{(9Dy1jMlf=kS^)HClj%?Cz_3wmIaa2{Rm`Sd|ZVk&_Faw2e3B7Z1Y~ z5kWmPD<)X8XOfn49gt#DR0ayz*O>2V1{X2$P|ryMqgz1TJj^p4n+cNsKBwryGD&fV zz_=MiFwHH6EA4_3XC^B^;n|x659&3jI=Q@J?d z30TL}b92N{S?^;19Hg2;447@wP1aQW0ZQ`0D_ ze>{3^wUJX{l0vdR@5DU0{rDX%u@iJ{Et8&)RDP;HZ6$x!bYQs{mMDw?w35w)$m;-7 zxJ+>T`llBNKNY7Y4>4+G0}?QyfiI;h^)m`1wrE_~DOJ&qbyXJ5X~huE|3K}RLW<=n 
zVF+%9ddT8MB)O^Wr%SXP{GdQ-*f(OJQ*wcef1x$YJ7)vlvkbIM`#EehndWZ&yP0iR z+5^)F2zx=bh}(XW9r$$UidY}GfSD`8i*4T;F;Fk|F_jxf^urXgk+O;1?Sor($x@{- z=Y>T%{#BnF0j3 z@)Tads3MHXdc^IkHa9n}Ljaf8blnO}2DS@|H$jR4zmd?v5%H20e8L&d=1=@D~% zRx&%!_=h^ByrTB^`@?d3 zPH*ACuj?0mFX;n<^vk8CG@A7RN;peu$dRp4HsZ5dkvn8z`wf*q>)EQEJyfu{i(a%F z!&6L%T$8MnEXLhTJ5nB0CdqVg0C_j>F&Z&dMyHkne9%FG_cK(TtIqj=*>>_U}R2l^Ly1%xpRsLZiuU(`621 z`1-XKy&pm-h+r#tLPEbY!}S*GB2-cA1~Q(c81Co%M$92DD~Zi?t3EXE>3G)aAnVHt#Xs;MFAUj8D;ZZN3OE-;|Sj|+E(GF&BuJ*Rf;01wvFO&LN-6kT`00Fc( zChhEmn{IT82VEamrCgKHE=L?R;;Luz^1-jWp7~5Zu0B8DKJWNG0|9_QciWD0oU;4W z^n6hCd|yaHU~$gI5B>>Telucy5r?m>1qLQ~XQ)Toc^E*c)D>}eG0hdw$OTazJd2|p z#p!rzU=u`3;i+miI~t~qDiHyX4+euoRZKw1f<7_u0{1i z^xUJ|q+ABo)lu83;`%+?^~{_GLqO-#wpUnqxPNSHtmVBtG~W2c#8-Ub&Ixp;`45Qg zo8W)o_D{A+Jg=lzn($+f43YA`tqze&dh|d8>c#}ec)2K~YT8=PjyxU@7y?*c$O-|^ zD(foQ__^vH>84ExOX_o9!pWlsrW~fA9jcWd-T0M~%r-q`i-$b{c*5E~@+|8fdF^n( z-0+UfnXN|uvKfC>WAUf7o*7Ld+#tykjr;r>dr=LI^jAyp zqM{<;&-Y_KlO|4$`RRB;At46qRr+Isf2kjiOz!}c=u5|FYIqDT%3DtuFl`3Gp&@O$ z7s7~`0 zIqHneH`G#Fkrjc!y;w!#Bis~J&md8mJ|~F6rsODVlu>anq;xO10m`2DhhbfGTpo~x z15ti8m8d4G=6&KxZwPDjRR}T-$>% z&G>{d#Vw{^mK(WdJr9o5M_MqF<0cg|WZ`eBx;K3e+lZ`aje~XqpKV2KVZ5lQlSu75 zQS5lO;_gozchhO>D0dS*wkX|iq;V`=)dx&= zZqOO&*rB#qHA0tj-%WaVL|t)o2stZ;l&&9`Vsk)sPP)C~r#;4ZjMQTs5jkwp1Cb4c zH$y+&ewZ$duoplGeasFCbq9CkQd4vlTq_@riGkjv}0+v)={g z=5j&5RizVMHmEGyfGRAR6zMP=UmMS-p4&7>+q_aOlAlJwAx}u%G*$M~XduCqQZU_e$VQXY0(56$!u8 zo93ee3H3av9{z1*!-6DTb)gPdoT$@{y$!q%TUvi;cas(8t@MJ?vp7_oEIj6NNJ_(- za7OJz6rc-yh5yc6_PE{8t6Sg^5d*q?-YPV9e4cPzFIN3otd`j;?f+?i*asv0_^m%+ zp$!$-4W&K3sJ4n;X8Q)-_!~{|?XaE|;++v(-7zjjmu>OA>d5_9331lAQjUscxu&oD zaW33oI1$XPJ+>=WoE|A(b8;$`3eikfzaw;8wbR?>>so*#apk~BYn zVJ-GIQ;5jqrVAO+$UIc2;?A$@IG{}Cx4jOb7cX?9i;mJOQv7d+Ym(bV zJV+;Ksn2N8)B!4o1q`T-5 zDdxo92fvW#c7ZyLyh^2pVjuU)&`I&8khOIY2;2JpM109Xlzd!l}ObS#ohi@jsu$qZKMcB^;}6 zJk=qguRuf^+(J6c55;vG-30@ z8W0-!x&cA4moD==0EE;Ekyj*ygFj}t($2$>)*2T46?=?UJHXnhQ`|QFRrT1JOlYFs z!acK?8oeIg^*$i%Ms<+0=MhGg#u 
z=_wrG7Ear5m_L_t-k0ZMGN<|TPMx$$)6uL~X?0;OA;Uv0q*z(2B~b5DQ#zBQCwmoJ z>alQpz%%O`>KGXWE9DmJZDJKgrUbAVDR$+O`%~jP>3q=H<4qg z!Sc-&%H_sxTy?PC5l}nm_e+YLt3}4+iXuO_gzc>>_#Jc0FYV)iA&sSofPx!y4KVJ^ zsHS97n%rG&Ys4lxH9UL~orbgbZjH|1^&o2fbtN~cFL^npo{v@_(~=53Iy5-6T(9VY zmit5_XnYK*naTJ-wOn<72+X`~;@E?Rs%EHM#P`}R;7T0PxVUF!YlP(z5eLaSb;^Yw zZG*p7lJ3_}xcUpc`Oizox31cvq#>vdxrBz}&}){)-lYI2on*dFod63|zLlFki3zO}%0btxPw!Le6mr5CzO3Ldtx;gVO1(I$dl#cb&C8pJ+ zf%}CHe|xTPzp7``D#qlDx6~|0;mi7%WUXs8fLk>ux1KKC*3@%O-k&bi8IK{ZP%$zp z+8pwl44XUq-fE_dDE`B=^_P|1T~ye-kwkC>`G6dX6g{}d6D_oNMr2nA3xujE_-&%#k!euJh7(x{1p!ByI^9L5+HG`+;{w_Y0ys;3bP{;xlLOKPd zgB5N=IioO!9=a2y+{wnxV7N~_A|pmZY2_=3*T$f%sPR)U3XchNERzx*n*l#WVL;W3Ga_E9!nfc%|S1PaENlWji$Kog?hGazMEjhBC zU-qZDbhPDb2=((L!I@H&FHk^}DEY_@YCv#Pc{eXI#Z}E9Q=;vNffA+Zm~)PY>{E~? z!X+2*9PELfuP-kwGM>XdO-X1V*bl#%V@qkUQ8Ur>npw8Nwlh(TpS--FMmd_%OuubM zlxAc@{03Ugtb95=0f(bH#Gs=*gQC6oCt$Dxy#ViLK{f*+V1Fk89yJ(g)_pq&RXK>A!K+56d@%DKj_w#GBlFVeV7>VvgaEJ{l&t*CY3lDS4in*=D zUY05@H0>cu>Tf?}gbwBo77I)sWATjgasZMhMOyBG4>vjrZ5-c|+cRj=4xLjX<%p8o z*#&F4!(u0Z&96_0a9I6qxGk@Uj~l6K=*Rq?lR!bw$RmDJL@zu{s9w6r6MImaL<7&l zqMK=Zj1|IXtxnfoHFBTN%YNieC(3hYRjrK|MV1A+sRMS?wcNQ@cm4|FZ+cK3VqwcY z92GvYZ0BV(nN-T4`tzyDtV&XCBv#d&NAro0g#mY=gy;A+i{o}kjWPW6xVY#2=(fashO$&xPCJ~CO&;J+&nmWdKb_zV zCNhTeHMkqw7md(q*LRbl5%*Hzn3i1JSW#Nx;IBRu_# zfi%a9UV=fsFaMI@Nmll=R+~(+oB6q!yYY}NH=iDrm+=x`{M#wO=2cR<0zoX<;LVLO z%JyfeN{yM>&1C|d$Z%+@o^EXCYn?UUknT~twihB*k@V8>+AsHG{^)hEPZqiFA#p#~ zegpw)lFd$xm}EC~Y=yP5UF_d3l}*?r9sf!>*!$&fYu8tIRnzzXarTu#aW+faK|&z7 z6D+{u4#C~s9fG?AcXxM(puyeU-QC^YA-H~Z`jK z-ltR$II|IS*EX|=M@s~%a-k!~Fc)h@*vlD6rz^B)2+E^1FSp*5|_zI7$S1eSRV>SQ)99Ffn(HrccfM$$L=zzN8kqErNq65QH zqULi`XmI$Vr4f)i!Z70Gmf*z4YQR=kdaI$Vb-5=aSC7l3mbaa!!D_`UrF5nl3?&~^ z!Lb^a+9l>U6ze%zqgk}jCXv^^W9EzxrNSt#n=uf5#V;U!^WbRTu;Zq+%ONaR47-jP zLTU7Dz@LFj4VIUmkIvC+d`QOW!rF!k(|SDg<9PE5bn4prnY)b8oDu_2o z*19{okeR-gn1~FwaG7F>S;^$(r9R>(o_ugi>#QSs7k~f(5i!CW$t?d&9xr}5St^|) z`1;x|IY6P*B{U3C&kopi&;?i=TS~M<>K_1Wq7m{rNDsBc-4S#1zIQ{;vIA_BmJ^5Y 
z!QrGjO)&RVSU9-`(YL4GA^G*{b>B&MowX&y4*erB*5zY_E+y9j>@@KQotT+)J5Rj4 z0S4VC=G=zMQTh|~@>q@FA0h{rV7SiaBo1$Q%7(bj<1x^wZB=3DS| z=RF5E`cCw6Pb-9sp>C+=QncgO!spD(o;1A=8@s|5on68&vK})bkz)ti*L6C*;u-jt zAGF+J?AVzG?3TzZ_jH=KI|IzLR|A|Kz}u&h&wx;m%P+TB`5p8#J!-CDrBgg3pZ8sVX_SRHu@n572{)ZgcoTzOz?J z&y6)?{#9E&4qR(iPTqNb02W1lA5TVIbM?BhG(Y`=3!6n%bwX}-Mb*dM#&c~^&F#B{ zsghO-HzwtExeC=*Cn6DRb7nE?f<&d}A0|Ap+LD zUC*a1D$>43v>v0?1|YHA5J4q4GjSjiUz#p8&`(a*K{{)t3Uuz(sx&jF!<3I~v3yv3D)iHxCi ztz1N`A!2DLPso3^JY(kr#YtJ^YHmvBoMoD2{X}ZFGLK&3fr(5a)w50G2B{%^`sHhy zqO#_zP5^~e*z|<#yfxOX{--6$5Ueo#kJ&yrKMz*E8yK9#Wq64dbsR@ZE7*%JYwgmL zx;Gqt5q3tkv1Rm)*5SzvmABQaSNtYyvn6-J#tIoK`DtLS2I)H#EDNc;3DhA>SXRwD6B zd(&dQIPeeG)}RZf&pf5RM9d7FpMO2a4g-jGU#QSX!(ifiK^A_|zaPaw+z8*&2njs7 zSs>RW0r}vm#}V%S^^j%D6Ym4z0PUh0jh~Iz zoimgm=yQf<6+p~&0~9iqzjhmf)J%uN27q*V=HrUF`!a~A#M5Z4PQN?9fVn0Ps=;=a z2P&+`1CQf?o515UE12}~Sqqvi@2EqtLpwotH&!o=0nKedk^g;DL-%Z-fL9JMJRHBL5RH@6AX%Hzaw(y*=uo% z3%cVq&`f8#5$addacM!fCN_oEy~ZxR#<$q2Z3tsMZCe-R6b zLCpdUfQ`E1PCOoMAO&VJN5$#8|W=LE{T!`RBxwLj{c*$XY{c-sLYf=>MGv+Z<^qQB$ z{0ytp+W8_7IU137SifUmcAB7D^eUQ9dVrTU3NAnY=9Y>BsLytmGDXh>h|}N!5|I2$ zm!KS%d(^dkQ7K{fKP`8Kqc{j;+ySRU+2D<{XnOroK^|3Y*#Kt@T7`7;=S|n#%8!>V!KPyv5k2UpmTYBl;v~Ax%U!M+(~mFa%Ywci zqRRVeK|uSF;x&`Q`?gylnG4~ETlvrte4ZWh72&`S-l4>{E7EHzPnW`d#o7ZJ^@fypih`bi06LUAj0f#NcgNj>@!kqT=V z9k55&J`k{}fk$;DO%%3R*rJBIjYRd#l@!Xw=d-=CbH&hZzMt*i?~jZ#1S9TLlwfaP zKt`K>uk3_JoV*fJl4l86$K!tYY|#t${X1>n%KnwY$MolqNZD~sRZAgcID6Q;Qfvs9 zp?mlWTw-G;#9-m8MCrm`ALm?77fZbx`^WR6K?*_}I{dh9!_YS5^LCP^r=#oz&L3NV zr5-kqv|`n$D27yK4iT5eKTC(X^KKakm~PY9VDQe2?>;Wx=%qGnmfqoPzAh@VO}+;h zjJlmxQ?r=}A%GDe%h9>}N!%IBoH6+L^%LsFSLK9#E%Nk;2W2KwUzg9nyu=*MWb#m` z_-bapG&QtHM-Fd5uGyv=N#_T!?xiT|6ilAmp)6M#8b$&3h)Hc`46@aFS}6T`S9uJo zTdC&5MX?@fQ1vL=L?+DW<3FI1j&;0VR#~*a%z|l2BRSJzH*|#qoJSUtvUU}wbne>4 zcg~BLJO9ORO3GfcO5U=XLv+814IQ&09mw@CR~_CsT3g1gn=e5t?TMQ=G~*reC(t2u zpy^{@4JlrAVu$1O-5rmF!;%>=xl3a{M2mI?y{`F8a3?fLew|+;ZI6UQNfihu5SBE$ zEOoL}Ki`cz9C5V3!ZJ)HI;y+HNLP6zB7RvuO=1;jzMFV3UZx7|+sxmE-&#q5&vY_{ 
z)NDI{bdhwH0ftqsYPRzqRXGT}DSUZ&c|p3mj@IAV35}i(VK!dHA9A&?B|GNnQvng2 z{AX{dsumOMF=fRe%)QkO5?)L!;*`;kDW}*ic3cz3-);7)eoV;`F;jY6OtTNC3?UDm zw}KIlnJm1IWcT6OdV^oCZnxZB0rfwejv`$97lK#N?b;{T8R`k$oq>De&56a`-O65~ zlFouz@7{uQch-#SU%nQg-HLPGdWo1GHK4F>c-JikRiTE96R>~YhPxVpGCWnUg|EsX zlHT6_;q}rn`qCQ}OA|Y=L%MEzu$o^6V_o=~H57GfjLDqgRXkWz(-r&f&B&YM9y2`O zN=1XK-bE2%E&XS-gm1J5I&3r)^L{2vI)=+@kbiJ<)E7!fR(XhypDL^_Z4MaFy?XlT z-6}T0q*{}@Dff%kf{}qku{`;Jjl;$J{e~~+BdoK|a4fQ=YEka)FW=L~%VHHN?ZO2c z!<9d@3k|a|#qZDgHK+OT9PcZYO(JF+jEN?5@M=Z$_fwWnf8A2%;HYWDT5K{!Hyf7^ zLq)G;esDW*|LUgKtk4eJbNyBfWDhAhrNqnF`CbXO)|H-mysFx(x}&VvbF9E>sV|Z} zJTqI3mvJ_iN{t&kP_1FLxif8*AsoFdGcg@#LvanCVf8#oh2VC31^&6OTiqaDoS=Hi zi#l*L)_`}8d+uUtU-{`IdDf$)9Iq20n7-A%SGjW}JNwb^9--#=;(`$~e20Ji0AGu( z;plet^zH^XxVC3rD?y$tm=N^AEEmSrf$3?jMAEEuZx)RO+D5(@qjgssw|3d;&)S3>25Qh3sc|wk?7r zCL|C50NH}&(S}&nzxfv%QwYYs!Xg^|+*x}coLLGRAe|02rmY|zoSP|gDb@nk!rdWH zjK)GPx719g8%m_wP73Kg{PIV%%$K(_TuPUn@U~^Pe4Ly@xJD&gO|lELcxsi#7HGWQ z1&V;;h;&TTpiEXG-CWq@U$!UQboFVRX)bEXgSV`Lk})WrCFK8%Wi5!^-A(A%_{DG% z-cW9TL@jH7bz#&L5pP|w9p|J%tq%Jq&Y3BXjKD8+hc<#7qVpp;!z^8+nL*8?e(*;f zUiRQ4dK}rdF*fOm4oNiw%{<{_c z(2%oJ_CDO(Nh4AkHFp?a_m6_{BVu0L?qNBqjVb(|!Eb^6=Q9%-;Q)_cglJ??K03Xe zvXLa(!T`3_)EvF9VDWysq%zU!Oo1d*3iZ!-|1$uaAI}F2zLSOYqEEa8`T1Lpl{%(= zj?JS!r6x4G&T~jPYit?iU`$m^kZO^9@|o6;XH0dHmzRnjIw?t@3&`$9LxCx zJe#5IgntL2|05UR!^RMi)gmXKX&beoNjNTJ1C*(U2(1Btm#Q)=FAFj+=hIO%9U;W3 zOvFsT5uUJ3m);g)7=04`muQAdijtK$pSD|h(qiiF!s&hWs&QpcBIn!!PI#vb@<5_? 
z7?TGc{bxJXln3aX0} z2L8W^a3UE>-GP5#((?oz*BkQen1OOZw&K>HWb6rdi9Dv3C*#t|`RwJOh*};c=pm1p zZt5U7#2i`yATr{HY#4?zk0=Vi-iQ`C&bWD6g4BXgV#s(uFUWZ-_hxpC+e@hy`3X>y zS#q~Fg@e3r(Dgh>C=ibmqXrQcnc{cw4kxQ0w!dnBEx@uKg1}kiZ_~391n#iBUehN` z>Ml2kb!_=CJhlTnwi#S9{>e^x88^1EAjuvCMny&+Qafp!H=$SIEuBC_fx(}!t{8Mk z-)gsJOm-_|uL=?YpordqUB^m!msk$me1vz}i)1TEteUq)m2O8)VZj;x2Itrv4XiY} zHSN>J^3oXae^uBrTF}H*K#t{sxzB)KYHK_sP9X;2bx?XU%p{zZ|KX*`5GVsY92q0a zT^vVm)MRUC2)*XTBs(T^Wnm!)S>st>BJRN+m#MULB8LVKLlrX||5@GXz~HD*0;{CE zAW?Z|$t29$61b+}UwCdEsDc|+u6_r;XM7EKLu&WJaU$>J@AS(TB6Cx$ueE!L}x zby)^`NOmn?sn{!JzdJcz`UH*%m#*{{kNIY^(9}zLnIa5!2@ znZK{|>o~L8j6zq)C>6-cY1}L1zHoetoi!eUuHW9xVIX59u=s}Xt^W?dZHtdqvKoP8 zqE+!z&#kPk?5CJ4{KMa9N+KH}gd1FhLLL_M<8yy2gzQgQ-D%cUcPu(YxZWI+sgM zBO|!Jl6iv{HG@|zQ{|DC@~7q%>8$YZk!467vywc*KDz7S|0W5`a((%W&StWL;&>#M z-`&Jo6`o470V%vGgzt*-uS`{Vtr;rQ{gHHfl=BmnyFW(g(Ph?j6HkXB7{>maSoweH z$#zVjiQGaWACM+)up*+Oy~`AJ*(oWod5x6a|6Z+!jd&KiNIMH_sChJu_69s zXsHWtWU ztU|*Pz#sbOT^#g|ldmi*cJPNCjCZx9-B-m6=2^%r6xAwv8DsOT7>Z$^uvFc7*_Sl( zZ<^Vkc;lYs^T%gtEaqhyud1hL?YltZ7M5nC;{PPCZWQ4ISyzg-u%xW+Sg#zWXy*;^7{I~w^+?HKya)JqRmUu$p89}0x zKPHM4b(V+bFD8?pF1ku83$RKtB9-!VrW6?IuY?n#kSIpxK7J6qBG;tg@3jI+`7x^~4R_)s z_|&6PW_f1ky#|ulFPshGBtB(qGXKavw%9o(x);xD@WtpteDi|Mljv=ls+;L8*5MXo zr+_oK zPe=7J%3KNqSR|3-r!92DLK{I7447FtlFxg)S3}}GeR0MIrMW7J$?&0c7&jyjslvUl z94PVcw*r5L1WhkwXc0D{;Ex+X7bz|)h>XOMMI@1laSKhBj1ZJ(x$U^ehtwl=<+Q#( zyu75g#Ppqf7fNbQmy1VI4*HABxy}?ZOowOj$MH~x^hbwwr>lAp3s^i=l9Qep=NHRybPNYlepud zpmb065gJ-X2CsazIl9^Xi=0s}fJ%#Ta$}8m>r{uL4;Y3fG`$u3HaNf|bW2Pb0?v?uJC7b0=dGp&N2P3;ew;N4AiN0cxP~JCA&49RM$$~efZ+F5A>%YyocX8l5 zSbXL2#vKth5bvUADkN`yxqHHSa$4TWScPm}`!Ti~;?^JEjhbLP_~}9_b6`9dWzR_K z2uS#UmSKG6L}{`;4Yl~5nC_F4)0o7rtod_KM`y@p2Zc-s0nbqIW0!t3)-k%P0zY&Y z@?~=+??uhBPW>^ht_{)_N;gc^Md4S4*`qG(Z(~$K@w0GgZz9h+qaQ~yxIe#WBdczW z{$PL#>kowjXvk|m^XXMG$bKo&Pv(yPeky$_uB>x)AcOI8%>rO6e(@vJwkWY}3QtPw z^6(Xeq6>oj9CqH$>94Vjf{YZ^V8!O+&S{{YRc#Hvm(y4Hz?#Bke>gSOFf;Tl{NGl~ zN)ZvrwJbiev!TTi=h;$E!r_(sxz1;EC0sF>)(#g4%&Z_Boj^pxk&zy)c7O*Di}1%U zg?!k 
zu>!&%9XMqjX!g0F>`Xz?grgJ`MOBNKw0??N&9lCpQWb=yZ+@IBOh}8(#AvJMPv(u) z)bEoTj>WjIL^C2JpuY0qg02sD1)uD^$)E07V@J3|CYlpgWr9{zCDyy>TRtfWv+!J^@U0fxAx%sePWCr-xC4-aTrqAgq42rx`* zvS|2o*A0*gEQ1@c^;qOX-ftB}HslV7K$gyLCue`9wbUe*V>Sdxqyyctj(CC03ou~E znOO|R&&7G`aH)yxHjK_4+t<8=(y5_YM-n?IZ|qw>tHODHu(JSqCLoVYmA2dk>@_!p zT?DUhU2EO7r&Uq>$!NBa;RY7}0xNpGt8VcAZXyE_-Vx*w1Qi`EQ^HG>|s3C+d5=RTF>Mc2usx z9GQ+u^ml9IWfthsJrHDsJfb^sVC*4la&qpx%R_jmA-j}9*Ru^4z_2GS2Iop+LnnjQ z;uVFpVtBG&%m`Jba13qa6-~d0SJdiTbqt)#3I*qBbq*pgX0wD++7Ef(n_Tqq^09^T zhSaU42X6AN50A*D$SL=v)J_TXH>?DvyuD3wZm3YacW<87ag%Sv{cV^jyts_$?oXkhfhMj4dU(fno7N~r z**|_!+8(t}CXL02gs`@b{0_{#&-SfBn?owmXhF*3*d1&H*`%AMHR@9dmev*&x`OWL z0TxeH4<(MTUI1UqRO)b(W>}N9RN+oXKOQf+SC$TZgz&{Q#Oq)(aEiP=z4q|8DkKXS z1G%vCshBAOe2wezel(>s7wn$duL`g`a8B$))Ph}~%+=8KO$eu$%Ga>MhwuxjblKz( z3lzC0h)To~0Iv#!Q`SsVPGH95Hmk&r_ujNp592oqYQ#X;f8 z!xO{D5H^=Gs6p#Z(^i7ZbZbmrg021SQ&m9CZ5!Ysk1`RfkW@p1_);x|0T6@_9xN`2 zK`~Tgul}9q^*5mZpB&u=HOOC{>M$FI>ZH!nJ>iU)I;gyF1NhulZ4&L5uN*8A9gij= z^cg%`M~;Z496I%h+KaZ9dd5?s4ZGUpd6a{(RaA0$thI4Tv2=i!xSAKRkT+YPBLhme zeoZVi6oTb{I691Zx_%A2ZD7zfMjiA!9MeTzK!wFfsLdZ=a+D?Eez>x?k^ru?YikAZB#UB?Ej1rCdeYW@15eIWgK|T^4oka>8?(O0 zO$cEUYw0-UVNu&rnl*Cyy}ILdM<*0)^`xRW^2ghzsu1FTI8$XXz_SE_ z!1fJTNe%=JE6=vpNJBMb+2yuRXJEAshqZBWfIh#lykLhBW4~aR+Zch6%{##dB2?T1 zePwd~!xN#fWkKwEOo?jtOB&Muq|W|^AclZ>p!`94XPzFKxJASt#I59wsVP7qd31C8bt3ie`bkbI7q)G%<=l-~O z&e@$deM9l8vd1qYAb)J=Z_uIvn6j%~XgaUBkp9XhH{wh!7?;*D0N%pD4u`a^;FGNu zRkD_7iWnd$U?fE&;>>S{&3wv{CT#$FcV`#DR(!F zz8SE7Q2mre_7s$tM{+%i&V(x(T7{`>^!N0)S;38~e#pkAduxW@Wa>XYl@WjtN?B&C zpyD5z_}j>N;Ce@-VgCGSXJm$SKnp4yfqhufwn+EiH^^UfMI7(fm#2B08lA|1C?+0V zR3u}O%+}8}0jJLYux&#=+@x8OVjwPM%cjs7t0pF?)vAZ{Uh&#cfY`ErG{E|*T0uT@S|6XuMwO*4!IiXcN0*fc6D|{+XB#$S|f#!Od z@!KYfLws7ddG}*Sek|;~rde;arSvv7$7Fs6P1(-_{f~0LGj_elBs;8M*pF4;mOeP? 
z@MwR&zOqPpTvv4S&H7%}U?wBoNT9K#|Mmm(jm;iHv#G41G7*GL^NE_uO6-?e@RpL; zkkhhdyPPP*gi;3wHImvIbi4(niFE{3gG15VdhQmkQ7+XH#Po_+Lb8E`gFU+L z`+D5w5WDvNeB1*8{^{p&2kb}3-@B$pfH&Vx*!b!`Bav3)N9V*Qur6Vu;qY+gw$eNu zBwv2lV{gBR?tad5O9J`wM8@2>y0hfiuKv{2uxp+84@|U?$d~!!(_13FMMNw(H5>>$ zJa`b{?kuVEueJjZ#{z}7SkF>)KKH9ZUFg|Xrnj^bU8)>ceIBU?0;Y1P|L7f%(alrl zxhmNEbcP)BlWlkY~%I!li<*xY#ITdTXDw^sS%@0VS2pZQNp%|#PX&vVSX0VaVm z@+7OZ%C^@Suf)RV(#<&hWye0p&z}CM(wN>~`mHjl+Ep}S{u9;VaipP1*4={od`^9F zcoeK@qmgVM$pOlu$A9A-J`v0xNPD_Vd5XzQ0zKaTW)M41np>yl2poA8zLLCsEOfh> zMx1U~a;&B{(5h>)e{$7zXX$$&m=R`1{MM>L%%OMOeP=_VEBbZo1KRT|Z*q;x9=Mnp z*8IOto{m}RjjN}w&*l?6*wq``R->U@2!(ni1hz9bodL+i~b7;xAyg z|B739VV%l}CFe5}%z@7dPOivvd)mbpp>5{&qRy;+N8Pq(k*`i~@2**_VS+PWkekQs zJJ$x?FS`dZCA4bgac13_*Mh#kWauf_R=Icva$|FagK3l^y=7aIbC+OfHFat^hwY1K za*p>jD7oe>V2j?D6GfWtV&x?Rhm&RUzV`6^=-k!Jjk`CBDqbI&Vw)5 zh5KM)QoG(~rqK6#mR(*hSLRx{aZN;1btF@`ClTGij!4(`85u9x z7$dLy-~%J@tk3b?Cb!v6oO0mFhpAZbq=`!4x`UcGGG%oZt|;(wioeW9WFhTZ^TOXZ zU8NeV{64LoksyJVc_3MiGMyPd!SJ9jzpQ_Uw%t%HZP6$ymH~b*NkM-c($>&M95gM# zYj^lukQu%w5-X&i5UpSDZtdM0H#U!SB`@|U6$${dLg%(!G}}=NDIla+S?cshmN}fx%4DfkLQQ$W8bHX zTz%Sq!RI{7P^3&Z_Uv5UjO>_ohdxy8(9t}b4lOB#7`$#W7e`|$8hZS@+KbY_r#cxZXM5nl+c<6;279TVX(^T5^UNm*aW?bHj>>SNs| zE$0EPk2ruo;qdEE{FXqX!KH%X0!GZiip1~Ytb1;hKa1GHkgV% zGF=GWxq?amUKozhcKAdXH%x=A~X%IUnW_<9VK%kY^0N{)Bbl64hBh{ zG_<36P!N>zHHJTJ`QT>>XMkQk$~g)w^4;+k~uxHc7mor^I-;Qd_Bh?KlO-2sm%T zJA1gXNbst$?@32jeNE1lb*__iRBqMdFa*zdt9C5Q3%u*uG1(fPTlhpxxKbQ@&Kg2t{5g3%~j%B7LhTbUmL&bq5N7n5AvLw-^ZIx3g% z^QhiFv{+*Ky@@q^_AloSOWh=BX@LLKV<(3~=)0X+?< zzMQup)NKpD+7=YYmm9NWHCtZ}4wk^#-L3amfo7EydE9QN>)YL)WRaLIS>+PRtQW6= zkgL|3y3t|wDFNAo)X&#iM`Jk%oFP~3ezRvXn)6`rFh6bCNZ3&~f74nv(0MZXVepGK zxoAP@>hA&`8`OCcPlg1ddwoJI%_}^VDLt@|sgpOwX=1?Q?-9KX^3w)b1q63E96tz?5ovp`B}hB_$g419j~nTp z6zn zi;lOW$5&sHHz!DVR;57RdE5p1Cx;;4%I^WU1+J!ZStVcAH!>SgyEiH_S(ciaw$xe< z7I{fsUl4E~wn@|+?lei0m>SNi_lib-Uz$OXj03#70aJ30&NhlOcTxG0Rg|t}yG$G$ zThu5D=P~iqZC$ON&tj!tcKSS=&Xe(rDm7E83K>taJkTB7n~@#eWkM#hrliS!m`R 
zl=Vp;diP9{lF!0XQ#AY1-;%seWW{x2a_2{;iSb$`bUk}uI)TuZoI_vF!8YY8L#-)wm$6)oT~^ z{Z%J5=&@y4+dW|?7bm{?TAhc;g2LM3?MvDG;TrlHG=thHw5i0b;{3#eMf}@|ITU@? ze_J4)Mnl!zk7T^k?wA^Hm@o=QOFK5k+@4f!m>S|~^J2MS^W_jbPQMvJ6GEUk4(|&& zi{BgD9Tql20YD9gMmoDIh+yIdDXU5j(1k$~@pC>pr}RqqU__?$BM|Ij1Rr}SV3 z%KEqAO#GFhrr`NJf5dns8|D~J#=Xt{vFd;Pk45VQSGeeoZPc_}@tiQW?@dgIUl`aW&<>xZ@a`mCS zz7tsU*1Q6c&~z+nstC(aHC8Ff`l73&ziW4|T-%L|h$>TH0g$4u6fmASwYskLXb46n zBj`Bbev$;3@;&@dy#AM5Hqe35q<%;f61C>h5X@!PgI^`-M!)IR7ut%AXWaQ|u4h)o zsg9=x1_~=5sG-hC5vjKFL)tZA;N$Rlr~R+jUK7XzX2$FKT{FEYovoEpc&V?A!+sP? zJg4M`c}}>TYWSa|fqy1Jj&Jp#=ci7z!2GGG zx5~J`Ad?nbq42*#5Y$n?vC$zTM*pQI|Jjs(9?Cd=u}+-#!!Z9!u~EnS#b`mmPWd}! z#rYTO+Ew!m*Vso@F;QP}LJeKGxCL zvXVp~;=XT&ivU_WDxIhxi&VzHO|Gw*WAg4O6Jm z(6+mB&1mZmd;-6XbaG>u3-y2cr(XXZllS+JIRTAM zUl{3O*$=FAoXh-bgKux$=&)^68*X`bd&0LmGAp(q=HA-YHleo zp#}oI0P|QB^6_2Wk$xlV`!o{_lR5naCSfJCXP9+QW*{b(-|mo!wY!X<}j%sxawmGh1k3# ze_xSFL(>q>*R8KJ?`%^O>LcHzU+fPmRWvprwX^U_(OZ>ed=N57S zgyIiTmkA^x==QFmL-3cr)dk7AWT+KP(50?eC*ooV`E{7tRx=@WvJ=MytKwR^^?vM9;K&c~ltc-M@!&(Yyzojwb1tyx` zZ>2|{jU;z__+DRCGv`SVr}9Qv7Hfl2gGC$+}G4PQ}HJ z@_t^kXq%Ltw0-(YUtj!OLY5tmLoAOvxY$ujQ7-PTtglZ7t592qSaT2KkSi$mN_@@8jV$zdCsxHm!%VUK65bKox)+zml^CGGnjP-Khp-2u)FKt6buvYeTS^ zcVQ11D=W@+@bTlxM|F<)P&}~aJ&Q4+A6qpc(}Ti6k}+epwPPHWiVlz14paLPjgdMk z@W|H{r-3)s{&;q9$&X-)?U3jHG;KRm1Eus^sSS*PJ%Z5q8-CS->N{jR5n>2sd?Y%t9#giOGScS<,`rt;dRa2JS&19T__N z&LeeB_T)3Gk;+iCy2g<6FGkY&N?hhZQU;1`#FgL@P5>b5D&ey5q{mVEYHFGJO<&3; z9s%sO2l}~6dI#FjFxhNxO*F3i7J)k z!!lqZ47zPuJO+E*v8pO72Ou}4;dw+dF#T{v`jKTDCmd>d5{pbnmR%uSDzhoy7!pus zHxQf4?Ca!T+7p*&hwZ3Iq_SVnQQGKgdAO%TlUk{fkBg{wtRc^h{K8EZojmHd7Ukl~ z@tJxN<`H4}U!kn4bD+QZhlWvOd<{~RGmWzU!S}g01xm0g@v1>z4|F18J-|cto-|7 zM0*qYSZiDN)Z~{VlsR0=F3e5a6;e{ixwv5#1J~Ja@Xz)QRiwrJ{K8hBNBdtrg~e!F zdDOiyJ1wUGNm911`H_vE>&}g)-V+L@+;rAkHu9UzyywKM{UH!`Y%$lfRe(yG!~PA- zV_*H;@cWMO?*qMo0?N2D5#j|8k#HMUt(!mftq-2BeSkB`h3|0Uum^@Rf3!3-BiA+t z0ViPdumKF?Y8Fag;{1bN+Wr6ubjA;Rt{&D}Zt}=J{H-BHm>h_DP;W4K&8OkdN2)s}{R1z;?vS0FGfB<75hm=$daCcW`g!fBDSFfSXEF9p7Is`d 
z>#nr#@{s#{Y@XDBSSl>*Xmab-vWYdL3Bha4U1NR5{3GnMlYZ!s@ zDE~61mWUIPYiFgJ)|N>f<^H)0q z@dQD%9r9ClQ7PprA*G48nk*51~ zr=FrB3OLk$A$FR$S|YJahrCMt;C5ln;UM#9z$UH9RU8BxD5b33!jZ`J4xY^CKxI-} zJsST2n|wuxbX<{6#F8bbyy+vIV7?l~SlSl0QSg3xUB^}VRkSQ43y^|4nJ_49+rf11-Zkp_X{9_H z$ac)z9dswGN^nN=W(yDQjD6vrBGfFeDRN$G%b_WZuLMBZNJ!F!JR&vi(=wgW@p)y# zwg_{D7(}cZR1K9tKQio)$cunA@!{m7Y8X4nm=|zpg;^SpH!}q=|I?%84g$nCqiJ~t z-yDiwuF5)oPxr{TGI^n{CllYn+_fp71b}`A>*yUWHsgrtuAZhnD`qKn^(9Kf`Lht5 zi7BS<8s@7$s5yx?dk{588(VJk1fq{0RNfP}|6vpP6jx;T7+`0%c=?>jAK9Q^Me{m2 ziaS^*Q*ikJG_O%cjUe?~d^4LEF1ckxF#(8>vWoe!*YWv+w&xVti5Pd_ZlKK$#ZG&l z&Z5Y!Pr;!BO64||+ISAk-F%s=oQGh~*J@^w=?RvE--Yn6N!W3q;yWM2G8hgzEh=VX zt4?{rz5zHEQ>5HT4zTr1S2j`$#+|k^;Ibif7nBbd_^0(oq|jyF6IRt+?8K5uH)!`O zTxA;LW2AR~9U!j7h_}}gaNrDZ7G{8~Y9;67aSSug^WenR$YmZIRj0lu55>CaVJ~i> z1?&>u=4Ip`3K~^LYgX9u9D)We*}BNzrr4t@6QbG?=^^Aa5SCfM&@jPFImiBUXGugd z7G!I9-&!=(>pGm^ouK;-o01dp(gfke|JXy^`$(md5<}YGTriWL8f~(U#QZ~J4MPK% zl%$klemrQJ z;njSK18`|v3$9wA7wQv#_}4#77&533kbL-_ML2TmH2ZkE(ryzr3np`PrzX_&UJ5H1 z>XDK3AocEXpQz$!DVbQmh6ItAJ~^HA%THDIn5z`{p{#<@ zd}ayRN7pt@PwCwtMkX&Vw5^s>pL}8IjnG(?X2~E9_f5m>)M5kT)vvC$$e~@-_ghG> zkBR-pOQm41VwxmRyK!k8`jZT43AlRCUTH~`U&G3Ol5d<8tmLuYR3F4b1#lO%-_q8k z*Z<>iIMR6cwGY%c(FpZjMbw7hiJdGpLoe5d&Kp6d>_f%%>D+im)LVee;!7D4Z*l0c zy)#n^&{=vHsx-{WVFc)!lQ5HowX8)N>i~y=!cg5TO@^0|pbMb8b*DqNNa8O$)h z0H8!($Jom~Wph+P!suhw{@B~vz{Z;(E=~N2(;A(U7CQg>|EPQC?@Y3HeYlg3{lp#H?%1|%r(@f;t&Z)a zJGO0G9UD*3;WsmL=A1M0e$F58{#dJ4RqeI+T{o`lM!e898I;>>1bQ}gaq!VBpq?0G zMVXi5BMm;K=qNu)wZ>P6Tjt;#NR|V7`-tLAc}U9L#fWQOLN}dggJ8tbLQIddmiq2% zF>(v>hi|%#D9z7-d&~`xz5*&anTW<_dNVSir0;%rB=|xX+K(zv3WsSecUX_r{Qml> zb3W^5fNBXbP`E{xddAfHNr@V(a&Yt2Np_A$r;61m+HidHGRDZ)BVOA}1qyI6HQiEq zgiO0Fc{l)=SWhlpie1IZTrcGcJ$?2>Pu!Fe*&Ts(ijnP&;~_azhwmoYn23hNKbG?@ zE-NQ5ud_?gL9ui=J~ijFq0-zlCZ;Xqy?Rw9$)OQ+apCPOE;$RklYWW|OKK6~Zn4R^ z*=vR9P=4_K1WRcnp^WU3O(XhEk~90gJnFkSUawt8n|UBp``90jTeBAQ`bRr;T*|K~ zUrSZ?o(O5>`v!(!W8&>8$``Am2Z~2d9E_}YiMJl=XRgl)`%>tR#F|d z<>oUKC6=c1`Ygal;P!*5)yVrnV#>EzwHZ{%eWO!X?_ZHgkKS>za00~6QhB+CB$^(& 
zWBjg?X&~W*pu2wKZ9O#vkLMQ{n_?8zj8X_2>r`=j;g?R!tKkNIOBDMh>1X$1S5z;U zy%I#n_2S&d_RRui^R(oX;5L+fF~^j-C_^gSvT#TJeW(#j@$8&g(nlYY_7{@%{tea| z@+*lQSD^A2O`bQu1kTAAZD*d#lE{TycB%snEh^WOr1@6YNPk)O7obU0xpn4&6c=Aq zvdx*4idcBlp9aQPAG97_#P_7Lc@;TtYFL3?+be7myTy((p8D4}Ui~0i(|xk4Q-jFZ zcg2vE_wm86PmU?(Y-c(zn0SRW>AjAH;I@d7n~P8kMd0!e#-I-mJvn>K2;LhVSBE`h zZt;tU%kBvm74S_7`QC_PTv*FFJ)CWCZqk>*`P7Qf0&GkDLFUmt$1SW?Js~?B+Ca7j zAOlak@h8(Z?Zyz$F1 zjPA=WoapfxD38oHYWFa1@vv~+TmRyPO6?=Rc4wgYt}mYQjdO$O$$Fl3X6vTc#9tH6 zj_klVbxQ2Cs>;W^*GD2hb=^JMEyk@DH-JB1y?kF_c+d$vT1kQOB>M!NbaHYYO6Zgk zy_rICk5osEdOz%kzrg4+q56o(N!uhg?gd1K?Mjary^H3nO_qvBEfrLq;i-tJY*$?}jqxq(>-ljT zWK=cQ%~lQw?79C6b=TX#j@s?(Udp)T zc(krEZOkpKcEF$5ez{YlQG9BfOgx{InQHlJZ{uV#0|P-Nh4EF*+`=Xnn{G{V;rsX> zzwQwMm<=$sPG=l_(^+HYQh%T&uO5#5Tv>--Q8J}+&GqaPDoH!J2-4;L43v`+I%^h_ z;n!@~m_adn4yYmxX86Fg7WKF*TVw(8aj0jgH-`=+dbmrSaE^-DZS9sWn;yydpU8S* zaZrMm3BqEKBU~U?cfv_qaQ$Aj_+Pj1p?2(dPtIZW=#eek+oyfc6<_9WW44K;*w<;n zXj(ItHlSNU3W7h)S~29`3HDbQK0I&b# zW5q|S2sqjYH%^R?$BEz(*3yU;m63)dctgkE?f}f8)gDT=cdlV*2Q}L!-K}NXd%!MG zL4I!XFglvK>b3)AaX;Cl{^h)JlKGc2ojqT`AL@qoa&52$8JON7_L5r>6KY zmp11+$BDnttq;&l612FZ&Sjy#ZPtl3vSw8AA2LHZ%1MH>%p*vTxLchT!59Id=if6A?bHCxud!1d0^G^_`$)1R#Rmt`IT9-{-GM50N>Hg#CC?XO^*yT2T5`M_=B{}PNp|Fpk% z!6t~mFaA9`se{&ip$htojHW=o=tC>{5OcZ+ewm`s22F5rKfqhyBYyh(iGMtP!3x^s z8y(jcjkNZsU-G|p^uH#Qu73qnhiWlJAaxD;51;>dnOXEFSi-75hG6}FMduIaE}O7h zaG1xDqJ{WBt{{!y^5X;M(MTnKE24j`;Q8N{CTpV!xH z3RR2bFoh#|0rj6xXc`Md#q!G^kNY*X7q*^o4pPI`r>iszu=I5Soo~ z6&(rn>^kxRQkuDHQx`{b4cCk|H7U(_|J-1^3h1kavnsOjyRBz13(4BISKHd{%GrfK zxC1onOOBA>shD2P*v+n3kcD@fqlelo4m^6`X`k97Ozzbepw~VAS;3Jlzg=5jNAG5+!VHsTAVOX)0QTVq`5q&Qo zR&#kb|0R`8iTtnEqvuxXYlff?U?8--?STW{xkp;v9gw=+k?FKgwpZTf57?cUADNzdU&1(0?V3!#i&yDeZ zB=^ce)kOXH)r9E*5C7;%3~cmUgGi8#YH@mWlZ%_3K$Q*{d{32+j=Uya~T{2)~lb#aA0|!4_Nv z1aeTxne;srY}IxTVP*32hR_mil#_2}@gOH!1>@w2IK0F{$;|5??qeY%O4nXNiv`Jg z%d?>sfqrxk2J_`nra48h^ZC?4hYH$gBJU^ukhrCZ zye}syitQP9Fs8ZG$FWJ4ds9)w{EwI z_x`HG*-BR6(2F%gZiNHQ!zFt_@)jCZqo#8o^&I|?(=PB2u4CdnTn@*BO36i&Jp@B; 
zpU8L&x{^A-6RE~8@AdjV62akV;&_kvDxzYL+%~HCGJF$h!&HSZ|M;25q#YI)Tg1VA z=OaCp{z><}>k^i+h$X&6!1=FG@PE`DCn!i~))F8Fbj@xF`7wD>2FajYs%Fre;paf; zY4HwjQ}*;n0`SjrP?2P2yCraI4a$M!ymrw@xh4Gm@0BpzY@2vFQB8xkrm&1;G~kB| z7I3&$0)o)+%O8-BY@n{Q45O}|k9Y)nfhbUDFU)2+-4~tC_ZfXEK+v-C{Cw4`8TIP!tqIsUQORr6+tu} z>INQ~>XjxaRJf1-vsFdsV}JUnPdaP@Zj!uGkj$2v{y|u0ngrvhUrsw5FVZV*;8NoK zGSyj|^u4vX2;EM6B^^d@mM{`KVy+W1Q$)n|_@EII)5P)Tt@tMJ38B_5#75bMA;k); zO0Kw&=oP`*=8)ISuEDP)0m~fsiO!a@lSDu(mKa?{<+Qyi6ovz8_}0~jf#Pe{e$7Ay zU$teOamfK8Ee8p&;}97o-0iJX#rxiB25`apV^OO>+4xl($!@>C+IJv z5mn*y7!RL?f9mPo(0uU|C`!Fr4{Q`^M?7G zrFa0>_(7o;C|zFBeo;aB>&|vJtp$-a&C6&Jc9SGcdohyxDe7h9pYGNLGUyq=Ar*&$ z^`{YXDMb}QUu&)}3T#lLP2H}EzF^?im?8Jt0>nFyGX-AZgeiovp^qSZRORzdmODCo z>lIS=wGSvgqVkT@u0W7tw#wIyYc;ifx{k|QCtwt3a06td*?CBHDQa{g!}VzQflSUQ`uho3aQLHI_^ zN4v-9y$U)a?r3g~@1aIRl|Dbt>In}RbhBui6rAz$LaB!P48WjaB{zPGy+p|x3|;NS zin!4zEHA@g zTk>&xr)O>uiBhQ$r^t)7sKPXSDf>}+KUk8oH3Q%1|(Kop+@YM^fvPj0lp-<=5q_6$O(0Sq~}^ zQ2kVoQ@bcU%|nx0zbqvENr{@^_-wfywUXOq+|-D|??lMBV2Gs3+4Q}#t8l*UvAi%; zYoSQy88Y6aa_L_&jGvmv3$Dh-391dF5sSPy!!ZIS;;;^^Y#BrfKWGzq9df$)#U(o- zkCr%wxDtgl=zFEJ%4@zUgrOuKGV$j!_@N4eB8bKizLh4r21`C1^(DCr(}=(#SXw+G zCU4Xg49Qaut97HGPh!|^v0h2&Mk>M-$r>0yb5StBLgbsX5@mjPHOB@j$t#{O6UhJe zwfx&6`8U+hE`DTInSkO3_*J1|${I{f?c3qm=x&i^By8V4TwcTTP!<8}o+J!w>V+Sz zDL#+K&ynZ58H2cxVCb&_;1A9zikIwhyv9D;z(bS`DyA`*6I4(8b?)eR1eU>ibQDwe zh+bYZ{z)oiny-D{G+s;WD4RtgQB2Di6A`!@nefe+17_2y`)p(E@rvxi91}>rSKz~c zAKUZOq*RM=O(oZdj;0YLG_Q3%YViN+cqTf?-oxsXCQ0iU>5`+ zk-Q!Is~BT^WBtbvF5lk>5x3;E!@Su__Y%d-D9UCLHI4yo$F0fC<&jqxo{+Uol^EaT z@WXK{ig%V)dSP=xL#L>OoD~{6D{q2Qeloub(<90o?obL(Z`WG}Hc$z-EC!^fV{T*h zxUP!RWEOeyEJQ+d?Tr&+oLNDGrubM!%%S6KpaUY5-F;MYJf-NLT|NxjA~j z3EZ-Xp0)51Ks7-9>=6lB#Sp`b;nA{N^VB)%5TwGxZcg)mD>CDusRz! zbbSi!&25}>kuFQLt8}!1P+cD1n`Wx2It_jimv)#j&Oh~0w~n}9a9rC}ZruoOnBU5) z+b<1G?0m_<&=masLuRu{T8iFOu7s;;3=*fb)oouhn8?*u^5VD^z_o@rHO1gtbD-T+ z{@OWexy*Q8F*uXn`bSsw;_oFl7+2P!@zST|#UO6c3AUH6Lv?%|P@ji5hFf*Dvj}cW zicI@1FNcnxDaq6sikoPb*0rikgXjX|U?HL!OP(yY-yS|cGPOaqkSK#y$%-9?-z*Nk z%di=3V7ya*`yr2cU

z@yjIn2qm~MiQ5=Cvj5Ro^Ib@qx=dj6%MA?Uw5zdbV3P%* zc-T`+_TXFM0CPvkldR=8W5xOKm#y4$gUD@2zpT*Cq0vVrBr9F$v6SQ4xxR4--(sM% z9?AB`XK?na7C*THgx!Hk!K5tr&jvHPH?4;3a2)=|i=mF2-&uj@=Tp{9uie>T0V+1cgv=Q>ixU8($8o3DD z0PrWIG3lGy<9a*%*$iZnsLJhA>2Wz@j#Mb8poNd2E*Y#qHBAC`oN@VvY#LA ztT%o^JP6JEB8uSygia0H@0{40y_{h_GBp%}pas9v)^blk9f;~&%~tfqe{enYHotZE zQVe$HCewK0F4hY$-nf^+=!^Fa4<#}bQJCOzXxanZmGwDeE)MEw`}tqIfQweAw} zk45pQNDjPSQkllzOj)y6?8Ha(SK&P|_{cD9&|+_scZFW_;qT#Y)3%Q#fIJ)dJ?}B6 zTJ$+p8m6Vs@IAVRj&337Drj;A0Gbp|S0OVj9>9K%278mb#-~PIffnL3wjR_RpRmVA z)b)3F`N2u2#-8y4tje`S(43jX>t0K|PdtQ&13bqLATyNpWP{^0(KZ$_F!ba2f%)(w z>b1n+QckB95N2ci6#w1ECBj7251s!zw4fe%ZA`UnMf&L?ecRiYI4E>{&fL z7!Ud>{NUa@KK&kyEhGOZX2C~ao^T0Z>DGF+4)Dt{<|?Zv-18i9 z=+`%=;LaRVhLarABqru6vs1mJ$5{guB1I{K-bfp$uDCF8&sh?=ycm&5mq4woJX*9v z=6{LB&PP_P>`tSmN;XW6d5@nfrr~Fu3@c9JQOHQc?B2yk{ukbse4IA5_9)bnef1q9 zIqPJC-d`M6j(Xvb+wo3^EuR22l|d7`4?9L%b^C!)4S4FPhZ52O8ODm)0DtqyMnWr3 zZf#B%wG8e9Hk9-~;QiF%E+IChtxNiXfq_Vs(p+&2ibHOFW?L@D}Y7|x+E zj|o*(6(O4Fyy9ajnWXAewKHYiycgig;!8ADDTe(AQjh8i2g{*TtZUeIX;xNKL;|Yr zqViO(_bh0=3L(a_t4>+67FSDjv!wjXP{kC;K-E{$=3uZRuKN|C)i;P5JnhK?hKJTf zxx<+|>E3cWI7X$wNFbKEQ{AWGxPD7u_gic#g_?j~6q$9Eshrf1e9qz*bQy29(}g)V zu{!^h`l4T?ITmy5utWbu^8DKZ__YQ#&({F0fs&JlPAJX4wMuoQDME`x`dDCXdl86} z4lUvgD&Q{okprfl7`V&uaw{rOLvL>wRHd3kxZK>_CPjlOEhb85N5gm%{uns$&6OQm!(JbhVz zF9EjzEQjBtoE4&@vWyt}VtTck_Z7E;lJV9%!D&faj#!XZowL^KVjTWY4Em>4a82NU);n&hV{@LHk*cM) zz~zmS5Ts0Y1_FnM%LOqfFDXWsqggJ!gHYl3Yn_7hroF};eip3v{`w{J-6abyGD#*( zc2=H~2kWM23Gj%D)VPiN!mm(df7yMx2IA)3XUX1S1nc7j*H3UxNCO2|VyZGtEWG6g zBKE!5z)6MM2j>cA^A=x&i+~FcJA~~%-B892=?qScC>auBCUHk1>6F5@T>4g;d(MD7C!5qZRIR$%MO0jOY$oc4f zP;=a2hPF0$f;=`^ZNJK#$&dx&rOd_r<8yZ!jg56ATmw;-gT&ch)y9BA{K*k zs^{Q=C`Fe%^_yY$9QSaTLst6On$wpz%9=6$5;fEWbD8 zeX=Y8Pk_3C<$itHIkkySvaYzET@~ht7S!?rafgnFA_E8u^(yMkDUl=u5gm_y(#WYv z{BlQ)BankvQx(sa)~zGdT}iH+#s~p2GYQ@-v8WjG)dYwRG8M4^%mtB&mt5+25rAYztbw2xLK6Itmr$mMyuzabW0)?jdVI|Vp zm|Xoh7_njZ1Nzm-&rSW)CDe=Wmf*uy-ImBt)oyqdiDsFCJ)IQh4*}8d{;65){hgSW 
zO{o3~T6Q$uRW46a&jCDufrZF;QlCoa1XY?i&H9>hzCzTh&y!=|Ue~k%=p$iGISs{jx zZ0>IwyP-J}VP*_&9(ZBoAKoz~q$#8ph1M#{Ek&lE!U;ef(MBW8wmgebIg*}~-J*mc z`$cy8=}9r~>JgDTu%OLF>>TEZd@>{FOtRJ&2Q$m%!-@#Vy{X05=A zDid(^laQ8#@H2>uT47k7TW_DUJ6sbSdOGTi=&Y9TNUrV7Vh_l}@z^qAkvTt^TRS3c zc?KP72Csu=oV4l+A-fAkF_};FX9u<3wXHlyiZn zm;0bqPeEVPj~(U)6_=-RQNG1MBpB8*Mih6cKN$vD8&ye`9qM;@_>h4Jb=5|!=961% z^*YMp{v^ohp?E?&TIsO&PW}&!C?yjmIl{hR@tkLW&Q z{A}~1g8;J5z*b^S>{+^W!T!Vv>?D%@uE+@+G%!ET>xCWJs22%S;vD!eAdVhWVHxS^!KTU%N}30+b>N;}hy6k#+>h(|snlO<;?K_#T89e9hv*)u&Gis(in zA<42t&WKo)m5^8o@mtD|^WcW$_yQT9BpQGKk?WedK<0h=Z`AUyP%`%yve_A)U4?bg z9mPcn>*Scr{1x;@*ltlI5=x6Sfd7b+EQS@!gD9fxyYB3UHDm7!H2?=K_&2n|kE97R z-=NMt!8K>5K-~0F=Sh1fO~^ec1FKjO)`)j! zidx;@dJQY{LN{n4qI!P(-n$m)N$5{ev3*`_nDeIa64jdZz+X%Q7P<-7BG2=jE}kOY z1)-g!kx)wG;7YVBq=4kvwCOKAfvYp|;p9b%n*n-e(WKZqVHC#f1%|tSiJBY+-bJ#w z89BoRIJ<-oq0*~&A<3{84xc>!AF}k(M&B6*x5v)fqzE`HU$!8_H!7+XE=fz9qgfEp z^1Eum_Qoich~NkEscRLBdR#q7(J0)bj4oJgm`<9B94{KF3B!*g1ZOSjg3hGW8PF;V z*tDiH{=mk&Hf1^Jg#w#KosVJ9$-ye)6Yxoh-oHh2o?b-zn{8U<3#@QSh*((A=;#EI ze*MD={(bS$MQ)YJ%2rFJ>#N#N(6CNjG@gZhbgc?n$$^sh@S%HaN}y9}?STlAL848B z+=>Y@vl(cl`@@BYl-7G;XPT=mWS;-Y@undU8x_`u+1p~0pCl$y&)N!d;$hqNvro&gWKDg}jm?Y|d5tDy^@#6*Pf}AJu z25tX%?|)zTyO4jNx^2Y!F#qR5KTwt!594LJf5vP7z2O_sA2i{Gc#GiwalZgrpRlk1 z?@MFke^N{zY`p77QA<6SVs+eqzJFBu!M6YZeGBBBmHR$+(Cz`LR5<>Cn=Zv-#2C#( zeG9ST;-qcpMa#_G#2ql1(*`9`EQPpkYY9%~2s!fO2SoIE8E|I1ujh;lT4fcmb7iW509v1&`jzk{(D*! 
zj?6w!*uAQgMC419vGHE&dcT*5U}r zRNB0NP&>Hn)6PL-udZoT&@x$WGy8%*VBF-nro97?Jbj>Vfd#SV zfVpvuOVsmAxQTId{lOcY@S=RS)`1;96nR2E%tJdWB`H6RUbp0sC5z(K4hn{1nJ zK?YRL&N*w6Rfn4oE}+|{eYGO%#QOr$nG z_%76xzV&r1As(+CK1)!zuBVJB@5jfV^!C7hdI~nS(1v7MQMrs@3^If~H1VUMy+@l$ z&D0?K$gO^1&s$AULGfp;<8y>lD^|Ql2;X{S+bfe{JSkdo zdZiLOxuCyt7et1MfD!1|xBeC^Mm8njmx?lZ7HKwnzZ4+4E#FV&rNn|@3n5de_#_|x z3NTo9KHvrGM1%62)uCc3TmG@*h%-X_2^Tp{E7PEx7-i=@0ny4d0#6{8-CYUKi04St1Bjq3|WH5$||eEoXPiPS&H7xZ^C#Qq%>3 z@TD3(wNV$vlOC3*q~tN>6>;(vE1hTXDJPMVN#&SPy@H$ER?a!ui91W61onJ&?MGRR zRj**W+I!3-QS_*Mz&L5dk%M#oeT@QcmM{-fjAS@WX~^l4r4vj1c~kA{X%<&s|1#!A zt8-v@c(_^n0zq{o23TcCd;h{d9*-@&DsywSbwfU@3B}L_8a?rVImd#Yul98DZc-T& zANmxy@aWm=D_+nVQr`@S4%^{nKeJA&K^FCK@vq_5NS(eygrDA=2H+_J+`(1X{zsb; zDmTrvoKe9u)C_y*52rEEgc+AE1hA~?c-Jt7pHt&09B^zpg)C;wBAIIKCm@$oh&nq{ z>~MJC{c9#>;VVbun}6dkH}imCVacxmU4t*FBe(YppL>(`^lw|CtmH;Nz@78UCsbVx z)KBEpXwmSlMm-5SY0W3zk4K{B$>6|PrW`-tR?rjMC89Gs`bW;!km+IeBI}2A^&iWS z8@FXv`pw#iLC+0*_B4~7&d`R;CKgL=JYJ!GYu51rQ`Z}e*g8?%`uky^*3GnfY@&gs`P#4UFeg?d|j2wHS+HtQ8xbLcJ>sqSISZ>{~V z@2<1~=(2%7vv9|q15Gobd%{Z8bfyVLrw|#P(u8YCE@7j|5HpVCNl4K2PeXt1Aqw@p zF^mI1Bj8ei`1u0aA-Wor;+!ZUh_5`MOp03{{= z9K|1TVl{=B>A{=Txd}m`g_R`BDRlk06Vai_ohhXYtt^I6|(c51RSNKxM^x+iO|Svje1`mf62X_zx@wC=$C6KuMC|a4M<;+ zXe830UV^HADuxca zvtFBOV17Ok@MHnDxVXVJy681}3kHc&1WAo%s~KuC1><@kgETBgJ7`(VwP#4ywP&+= zTV@b5k6SGePOA?)mrXTUQcD!vs`i^F^LJqC1cXYG_G9q)PTvBYtd{4P*3cJvT@}=+4z7{-Igyf-|w%Rv6~Zh}Dm(XTaye zCR3V^)ET5~AK2RNOM7Ed5#py#{(>l8jNV--g$qzRT#v1YR?6XDF~t@+-B6 zpheRR%bANjS1$Sf+pIJhb#NTa@5Q28(x4)E5%3W4EJdb;)72o% z&jS{j;xUR-8?ujuQnL~mLs9cyd1$?#SB zNG%aO{e;I{EUFI6T7v1nj1FmnA6R)L^0?GJdvap+Sd$6LdEqQ3cq?gb;HuBK1dz|e zjB*JyD>DPm-kI^U9U7%5k@E$S7>uyEyS#I2V6~< zSAM{P&=sPkz6Z%Df*r^1XEqY^vSQU;d)5u=Aq!ok8#0@Ex+0fV3P;cX4&iHldRGJJ z`CJ6OOw{3Yd|DfcQ8(-n%5 z-l`qZ&u_B%ZxuxNW$;9N4bE979dxTU#ok5@Sc4~Y@)gl}7lxn>;gr(HCRXM7)<$Wi zGG<#~I?~5VBId<|z_L9Q_lc;o_OP!i1(9`>^GV+f*TKn>^paSLJyhzgrL)_}^1qkL z6)N~NgquAtHrfh$GaVCIF^g!JYn*O%+`u9=rEaLv`DbRKjaQv9T1v#>^r59jFlwL( 
ztc&Xb!0-_f-P|7a>14d8D2U!r`=fy^ymzUhNNltF2@t6<#8wwM`_4Y*>s(j2U)2wC zKN8KwV>Dp-@D;isz0AguGArFg4nGk0ul_ShT7hUj^Rnlh(9USz$0Q5tZo#+>Y+*Ay zy$wuF#ptPzX?0U8Y^2taV%0g-8cCl}>J7ibsk!{YS`<0HCVenth-=@)H)D%4AEGbWw%a?3yaAgUI?tMWM1G5bZVd{CdQ;5|0_e+avrpY!^><~zn zJp#*(%!WDICGz#p?b)9>AdWc1wO+lP8X*iE4SfozY{~NPc`qkWJ6D)i11^&MR;!an#H#`$_14K#GYS6J~=8=L9(sq#}YnXXo#=cGw zLS}T@UiV|f4+|lL$1jCscK9_Z>fAg`&aXQn z76nTrrj_33#7-qWrXV~9!Y@j6%a8byC`aCmi#C*?1&!O1-J$9$7(lsCmG1l4j24Nyd=pv@! z-_1rohRSVelIn92LbcQ@F_ENxoyH@@dWBA^h`s<2!;L<=~ zm>cf6I^Qu5-6Aty9r-|NYXXzx>iSAX? zoWQ2u!q6I`iv|10GuO*;6xOmJ89tfRBfRDn4Mn~DD2UP*P1(((m^@!-x7K>;fkak1 z>Aiwu%SS?2wfiVNF~ilG*q@lfg^P^z;$u{$xA^er=iy9ZQu9o&a8Y<26xue8FbZTk zaUO-TWPGPvkhEWi(E-_Vy%VYr(d6F-4>po2Z?ZNsesrYYW_F7AP0dDuoyp?(g-_le z$-e)(wAGBQe<6CxK}I`{73@>|yP3mBfcnv;!>s=ac`su+yx0t?PEh)5{3dR_2yzJU zh=31fl!%*_BIL#ySrCd;f$}$9;~px?4NQDCE>U(lAe(qs$<08UEdh{EnO7brj4UyX zEqEv}tNolcEFvUAhrLuYr^7JQS^hOD2m`z!Z&^eY>Jr}K$1TfA;4;}1Li`<8N4OlZ z#VMA1#q{16NsJguV?Ot0r(zEa{+xU^(foIyg!vC$fS5a1d{0xk_e^YtEJ?q7W|j=s zFN@?KM|=Pa-Zb8zWU18rCH@T-viNk{md_<^Hvnfn(Q%W=+&cUCi|{wqDRd8ICA*Lco4m zRr+KRvH;h5*hnid6k-nkS~N8$ncZDkh)u45VTD+-Y~csrLC3Z0WApHuF9hvO@nji6 z_+VjgS$DQ5=FSW=>tt05-jq(vkp3W%0^$Vb)q|M12i$JH&{bbc(IaAXO_9;3iBa_| zK{mz1iM|$ZtvLQ;3FY2}HGCAA7-A+ekRID*gXd6PipiMK2lFGaxVu(UM! 
zJ=IJ?PCH}oHK!O5`&m|B_3X7+%pFX5lMq*Y1)R@{W@iMrpXWtM1P2nTm`#SiF~59_ zi?DTNj+O(JmyzoNF7dqn5cq7p*+DEgET=ap`5AG@7a_8Mtn^Jr9~_VU#T{{Thm$7<+S*2#ad8w8SErHWJcODBMYP-6Chgy3 z!i<1HosCK~$uKP!BJe@BY+@R@HDwMOwB}(-1fVgu_@($XuL23onQ{%>b) zB4B`Ib*I3F$HFViO$85p_@>ZPOy08tgrlIil(QtXE3HhZQuC)^xm-8!f**xYrVg>c zYOnUhbAOdfbmyl^176Fxd{Ff?VQxJ0tQLLgsRl=W?WWDh%}x`-hip+r0pSZ%75Cio zZ&nUmrEJ|;_l=e$!C4F1kGdFQ`Xkj}lz9Pk2O{i9#GN&-jK3w;R3$Tw!ZKsMz%8j2 z3ONFQ9ftxiP~fkHH%J_0v@LO?2?F1hTJH?xO&>Khr<;<`OgtvsUkSRdE(*s86saJC%;FHvI!!XPLz>KcMAUnSa7od-`2*Kb8 zq2fYAzT**-Acz>pDM^Z>Hp^z?2x>RWf`U?hsVCe6&)_90&W76OUo;g~QN%K7p(`1e zZ&yvqV*`{*I8f&0&!;Q{PQ<^SyXJE%?jhL{HQ8K5nB8%PV;inUiW6?3kBn5VWR~q2ifPaMMW?yR9dy4j+(llk8~0J}!1iLwg~Uj^z#9z=H*FSA@4+?0;D% z5ssUQygrTyzv0|+Ju$0Hla|w1Z$|uT9`TaNx*Oug4XR4T)^8b&fxUXmP81qNB29zf zx3Pc%oQ6PF4EU`7s$o^&%&O%?MUfMph&`ZELoCy$Q6b%T{lADyy)KtLQgqwZpzua! zimYi!u^cUkuU#xqSw)q&%O&%WW3%OZ3vFf0i)g2O@WDWos|>JAv?&5FEx4F2Wj&}C z#vwn+GXx?)f5JygAV^9hT|GHX8+`~v-etLUFRZBaLPBewwpT$YO64}gBn1O^LAd;) zve{U?BExPKCI#1_XWmvW>t#gRDrI{=^G;@oeYVV&=B zG5BEvq>?GtMbyJQRWU-^tHUd9&VBJcYFN)V<0tgu0(tplW^67B^4= zx!AZ_o5{%_MGd8Js(!BUdzp`v`K`mm=?eGhT&6=<#+P2DrDC{~3jaY+GY@D-g_i6{ z5C(+hvL+Jm4}~Dg-ye5q(YL!Wjx7o4|H27h-UgbkCxl)n&qfUj*M991@LEDLJ zDz^79^oCI?znE(Vyrx&m^;3k|dGr@Td-bO`WMl+C{I9Ze^Qc+7s_79NiGcEM?@P7RWdhY17*5-t5^);+akiwgi|dY&2w$!!3PCSnRMi zyg!d%69O4DF-T}HL5uIsBs9!75;+9y=3;A@!=cvVVzZfb1nGmO=i5EO@FUCww$rDiR{2vX2fFsDm)Ssjjv3Mt7F(9#b&* zBE`rgzRND_NWXp*24>0KvE=#i7g# z9ZPovBTI-Vt5rSb)reI;FNFr!8leLEXAoyDCjz41QmM9*f{^kIn~;v41m#L~>CQO{ zQFOg2MkGYAUg_9d+zIVSIszIfX7;vkuh@_h6(g)69VDRaXG{;}{+kTiMwH~2Mg$0k zXpbwq2|_i&z&J!mlh;9n$-__xRvrrwg(2ZoC$i`6l{g48AngWR5dqAzjx^=ml;XsR zii^XTMmZ~z!dK(72?Y5GMFhhLv&2ahxEV{ml+Ixt3tdC5-jEVigLry5sc73}oE9SP zId#+&xEF|p5#oiyNP52^vj(9OtzvBA?H+&45?@F1Mga{^Lnp3`%O)g}y~_1kl2``F zIk(WBqwpD+W(rC`sB$-n$8c@Ds_m+5#XIA@!BaiHvdv;EFY7OfyW*}LA?wBbrpr?# z4`8NHZK_}ycy&RXn^1ZMXEaA~=^J*;OwlzH^irrU&2*tMdn3|a(%#s2(|N8h($>O` zQ8>}F&YWX!(`8Ui$);dYPgN>Bb!=E*ti|U>~PF7~j{Sd-EX#1Q3cTzosWfKP?FY}!XT 
z^lVb#Gvp}nobg>i)Q6X6(g|G9Nv@cIyIxsjPJqTnnDBTES6q5>hO1`bpsM`}WkUe5 zCt~9HIDO%_I1iB4C$4O;Hj_PTl}=<>N~(^J81na*=Q<*WplmD$*>o636*nt0JALwG zw8*LYSyk%-8LMTv@01&%M4#V6Hr{hO9Q`B9S05hf1;8N#W`~`QZQHhO=gYJ9S`YSK@9*#5tfOXC-F3Uh zb&fIiLG}h~h&*oN5z`8`5#^={@zpr;NXe2S(-#gmLjd^3yF`b%1;MERgIK|Ma72`? zZHPnphmQFyKcKG|UjDBs**}&%&+Zp~SF+2AKgOdP_Z9OK>O=NoTc!~Q<1&2~;XhgtBF;HPdaM0-7~uSX)cMB5 zXFihn%GnVr(*g%XGmwuzYW6cc_kM`QS~%ZRL!)O(<5o-5aP#<>Kxr;HF+=p$<5>f( zbewKLIvR248H+diD3rDST@$JOB z&Y1y#@dmCnLS;md-ggG^?Da=?S~6#phfl0xu?_wl%@xp}G|Xf&#G(>`!j)?igfSHC z5RlU=IG9vYmy86l-~QL-FiT>*P!qZiXgavFJC|+{VNem&E>#nGl`A&hB;*m(lApIl z2vYhbI#Y0El?k6%bU1fSpeU#bs-F_}ksbs}H=$53DWZQ^=p7-lyKQPJrD3@CIzXFe zm$hNHPaykNHoJgY{{4d32I5Nexj422AdJxz9gKyPMOBMR5ijqKWNQqsT#4Iu?(s2v zh~-WvaEmPnYCmwDN{2Wd3IV`ksCWmo9(gwKgvc*inp^eFW(8}yNl#g_sn`Nq>&TqEw6|t*ll5{8{R_U zFS5Ym7M`#7b@L`ea!k-$82mL-gADrbUT2o^Oth$i_Arylm3tVQj7YYi^NILxi_RX? zhsw4y@tU}p_IaMY^m&KY>6L zae0XaUnoWvr1QT-eM`l|3mb_z(pm`(3QbU>*^-L$Zreppz@E2;>YwgITx_+JEX`|tIjNhgdGx*> z#<^X@49_TlkbX4)U(Mvo&3i<$-Ya_@hRE87Q<|3Chx665!EA9~&$gR%gn2Wh76#BP zAq+W0RylFZIH?Gy0$WU6q-?qM*8uC090T(Y}HrI{EM=4^3^z(Agkz0Q(<3Y5J25h|dS+Q~2& zBejt@D~wqXCKoVU94l6^6F#3HOuc3^?EmYD{pFMl<{ z+Y}K|c<`m}W5R&g)ZzoFC`N2GO9;QIRX8us_B!JB5aCILb3H47Z27>zlAOlAxWnTh zf^M3|CI>tTMXvxpl>w!Y&uYde&PMCR_S7H5esRVb=PTbqu%?dFRVOq0a~|(E!tQF& zc05(_H?zXJDIT*DuiF9@Qdm-z4Flq%NhZTVLnqRgtlH*4-;fHx3pInQ@P^0TGej}) zGq5&0s(M8R(2FG>q2MbGT?W+Yk*&kVR;cc8WWO7(P1|2Q_C(%n$s#j1qVT@0{8W(F zaPyY6N0GI{purpjR{aF4gQQm!q#<}Xx?;8-?_)FNG`JwFA>sqyNeq5X;&vEdN0Ag- zu@^y_2u?6`-ZmZ3TVX9VTQPmBZ1?MUf$L_Oa_N=T48LLCSGtq@!77oe-2U1$s#Shmj*M!-LTNJz9|$%?^pzObUgx#>SlszUrwEt4 zcN`ZhTu;B`oCZ1fOWd(!c#V~ymi*kw_x?gvFHhyK{mvuaN+75QF`GMWPZ+$;NP}Vg zMgF^Ums)oq>+|qsGbNb~J@H%%qMDjmtE;Q$+Tb$vKf8{+KO$T=V#?8Y%gW`6O*@|I zeoaoE&uOIj6NNqw@R>s!t$}dp)Dp+hS~2Ll%ndgg%zTAgrZZ#x@L`hK;wjVVQsl~68CXWo6f>bPi^ z8c{z?(a)UinSt+$D9TSc7fUEGa=Dlz{MQ79b@I;)ow70Rm75R>n_< zgx1T5L>M{g+|(0^Kvh6Mh&Ny?ppY7mKp~8+xfOUkf15{D8j6+oVOg#hx3{8@-4S6z 
zndfWK;DL^*XeQi2O4>alyeP0Io`DFYDDp9lr^vHge5kw95jsRjJ#!XJ^eSk)axLT* z7uyI(&tbE;k-epRMtFm5IsxB>f(OQt_uw5=Bkw2Hzd?`!oMZOa85WUMj z8b&{&dq6ZmXBLlvE~J}w_Ranri!Fn6(?sTKn1}?-Z0^Y45*i8GjrH27f>|+3)_8d` zw(?!g7L;l%zq7he$K!5Q0NzE_tYpnE{d5-_{7>`eR+fcZ`hOPc7-M_i)T{meY&eVejOb?roMF)X5b2SPn^vtAW+J3O0J zRQkqv-^v=tifb40!lH>+bv8NOm%a?0c(!-0;lG4`-&Kh#=}A)j@HzO7i$S+As$D2r zdxcI4iPRanl%th?P(c^;Rq%_~&2#wwYZvJ$@7+rMbb4p}Vw-q}+b7TkBK56ab=- zfEJY*2=dl$fyJ(dcKT-3C*INSb5ZY3qT;TbF*t0J5aJ@~ z=Of>l5b0$9!PQx(@aOx&$FqfBiZ>;Jo9)@Iq#sy{`hu`s1?DWU^W>|uUEi_s*p~c^ zvX!aYS`MkJ6sv$;w)l3-mNkaLeBMbJt@UGI`OD+aKE&$ty`ZP^!?|s0qX111zt+GY zb@GQ15=--qJBolPWe?4s%|+2aKaKzGKV$QwvnN2Cez5&$k)~mF%G&0W@mqmOOg934 zfCftUX}_c%4bo9VkIcSjJfj%@S9JHk;D=9`EQctkdocD6qm;{9B%6j?-GT}*RJ864 zOhYC*sDsbxI{43k4gbQ>*d+J^QTKcQ%b7o_#*bCtvka^ZW8C8ZyRiQQvGF7569!&@ z{P&YNW1nXW#-v%`6aN>m_aASe&ujnl^G^fY|J?ZV+RZb^l~Lszep@m>$Aj^;@%_es zXAJm6s1N?W1F3S~Yi8od2hZa_*4H>F8|l z3C{fx6#aN|!yy<+*^#PZPC=L$werXNOsUWS9yi>*cS~S;rL4@J+|HD#ozr;L7xH8; zq_Q$B=y6IeXl$GoRIaCCzem)1YKuh@Dt=$^4~G?kEwgD{ucMT()q5I!eHi|4y=OBT zx$#6WbpKUt(GJG$Dx%j5Nx*4Hc@DQ-YNIxM`m0MTdh z?j0o~d?hl!Oigs+wPZIa4v;-PY0`&z;+Fe#XR1+z>L$FB_EYtf!}k} z%e>Lu*7&7!Tck=la%n4xcCcK}_ND~6oMucAA^;vD{Ti#NLOVoaEh4s#1@BELJ8{H@ zHgi4Xq24PpF%np#A><{(Sc~A9c?cLVShdsVkVs`PD2aqDC$7ap6@~N~!|IrZ_a>Q#}j+U|$g*W`XO=M3EPHj+P z&K9!iPSlam-d*!s)4Mr4oNpR&uqspi3P5m(^uK$g@J9gb7J_1>nmWY4^n|!n!3*vM ztAN7|dO1G}81E7Th~*JUR@+(tJe&}=1A93Gc6yIoiG;Mll`p7aM`bf5#` z>=--vfi_8)i>-u$^>aciN?3F7);aC_+Y^I?1_mnOB&~Yzf(MQgp|Y!ym*;Qv6ZK3P zIv$(qqHx1jEj`Plftu6e@hbzmQY;=zziQ&oAMx!LAh%+8oK=xqKiDU$OP# z^C?K>5(_j-F%Z~?%DF^pUay(4)cZ3i{KMY&CmcP`d- zKK^gY`CpSnr?=>4B{bn)VNhT-I1WA{v>}#6vokU6`(pb#x(?;^)iOJh!0Y_>+fjJq z=E)p7-B@I2M+aXF=EA!S0AjP{S?F;j6_;*@qZpil#i@82a&7}49Q*b7B`<;c;kig% z`k2JZ6DSFs%ur2(qxnU4;CkTulpp_YKf*2IEM?-izA|iQ1y(3C>5-4$PyvPDgV5wJ z7Jzn@aEv=%ZZl*--SeQEmu`aH^cZ!$QCb(i#*v=!GPg73Uvd+mCrM9paS&#RdG_{l$e8`Yx0klb2!HFD><*Kx0 zjEu3v|7OzvwRGCyBmHaaH76S;5vE}!qM+~#jc_;_kb9f9Q{%7CHIWgZ`xjXCy(U^V 
zigt^TWh6vpygdPisc9!`xPtGhG$N+^-bms>UAB>Q%*%MGD-|egxj*BeE>ZVtBCRe!`Go9L5&MTKdnrVMglh4C zcT4PQ7Rxp!=L#piZCO!p%G*oX;){UBk;q(iv)fvUFNNK1yu&9kt4m#&hePDGonKv# z@EbDMjwd0EEWd>TqM~G2yKMilKl#tWIWn*_-qFQt3C?q9BLRarr!!<_fb%=#vJVyG zRq%!&id$8GCAx4H&sR>1!cc6Jq3*SONgmG%bsrKLT3xO4q0$uK ziVym&Ld@Qz}(6Hyerw%AEK!7YZIJ!(W#zv!7IWvWYc751%v< zfW^Xz;v}n$oKYs%QHs!5ow5S)ecX|Ce(U0FW^BVxRdws2nHFVntVbVn};oLX1Yu@%e;dR1gSA#A;A zS-@VIv5|VTL(YuO!?-;Q8%0y<(^m?q_}gY`>Hdi*8C4}pKf`9uiM+)dDSB!(q++Fa z24&<#)i)W53wIZ&hX`H#4D7`x#zdCeWz;c*B7(JBr?d*Y={L4|UC4kB#C8UcX4o+r zu>8_v;;?pO(3{x^0+~7LNh9}1{%hN6Li)9wBLW(4)9Rq&%4FQA49Qpnp|W8~mOP&g zmhz4iC*?<|Nxqjl%)un6S_@op*%H|ZL5RG|Pp9VmPNnAIU%jjvB%sb}078U5>dKC9 zd$DUYCNWPbVb=Xf>6uNTB?z5%s&GvTfL^89`NO`Lv!awUN4b1i_Pu-p;6_T@I}TBy z!xP-IaznPf&I*_Pz8et6`s_pZJFPH*^KE*ZV{6&|=X5kkozQ4JjqR-4#I0S(&5{{) z1}+WuFJeSuuRdb)_F*avOR4Wc={pFVbh4gnDU~l4A!@~ZlnS<1I!=}3wVWMm0>DWs zY}MxnxZTHxm=l2Z%PbK-)OK#A!ZK2{uYd zC{Aq5xT8B-(y2~$E~>)9I6_&kLRe5Ct~exq_Hob_0N08VmU`qZub|*Z3B_q?myrfl zQWeh?{sT<;ju6vaXoNO7Ir%FaTZ5;ev5yb$=$JF1x9xZ!-z9i!hfeebRFZxp+sv?| z3ksZ@IyqjBZ^l0c@4pVLqxjw3IdE`r(pXMC7zKY>Y&aM&sk<`BzD`~Y&q{-xd@cVW zXtLHQCbV;R=V`HCQ%ccCnVS+Hh}*og|655%&m@PpX}F|{Do$@~6f2N_#7rE*0%Lj% zqu1Gn$**b%dRJ8#!63SXZuzRVxTNcWV9%=tm~dsfupw@{uMorFPVLIS7Np!~RiGuvXUA*dmI`%7NS4hU{EiY?|jjZEg=n zfvZ)-7t@V+c)R`r_YM1Db}7<(HfaQxN~N`Lj>vs!tzIq5=Cwp1V9c6TBrG^vTU!Ej zYV2IgdE`{6E8PK~%Px92?5rhodFxd9Z`!h7t~+C~2&WuEy80QB#5w)reO(Zcvcl;F zqU#QI9te92uzen%Rv&buzrK+8p^2+KA8Z1HgAKdL%If#)XG#><+^0s?CmY0^Y1>` z>RlB#?(>O$4HJkhzn^tqM12EtDK?%Wo%vqzi|keRZa`m52PdOBzqEJg?L&0*zHJa0 zRXG~tf(?77H6!*HAC#pleiCZ?YArBd4)nJUWKc4TGUgYAdaI@A*;ar8WMy6X?5Wy7 z_ju>=kKv3r^%@tp=154vN%giuq(ZWq{R=I94tECNRvdE~O}HgIsrq866_xsN3?66F zA{Yf>JoAZnIQ3QsG#qDgGfdH0ElULsLqdPiTY_{p{j;ud_1As^uLctkr0FrldKO@B zOV|#ikUZ7R>NfcIZ70O^1!1D{1bE&>b}*Htp~vjhiP$ufelYfC4})VTzQ&^)%U)TI zd6^e`UO9b^?+yMl^Zu_SPV_Wi~@ptIeQzsDRoxw_s z-c#9N^1NE--tVTQ+f_5cosuh(TSIS)NWZX;3~80??aoiWW@Gvad>pf4Wf>JhvP_r6 zoG~xBTd?#A*NRLO4;+q}DlPmDX1-SV;R+Flf7)HOC#P@k_66sN*ZdN1dY8~bgm|2r 
z9n@Ek8PRaZg`~8`w}-F#;~6@U4-E_JffcLa9M8!K?@PAmg|iOV-#xJX(upn)_&zY> z;^H3P9yVaZ37th^UCx#TX3ZnQQu^!qG!7UVD1jA0?W+(40k|(G^O9Sb*GzaAk)kWu{n7>qZNQsyMshQ3@rNho*1xxtuy2MKLK87Z3~6 z^o7$ozFr1=SxQ2?pmj|JR&E~p9Jit zi{XQ_1SVSR`LmW*%07ub5G7qtg<(~U_J{uegVYx;W5S2-qii_7K)mQZ&uzRn@O>#W0WvLuD`q@Iw9Q!cja8IS`+cQ zoX;zostwV-Nap6&5u}&!N5? zQOalB6Yf_=CIdo$fiJD14oa>?Bsr>W7EG#6KH@|mk@3A_cbCR+JCSm6AGV4Am{1u~ zZaF&1i|UV03#|UG->g@AO+RWI5AbJpfp_*oq1B-!qGLhZ*fVR2fD4y1@RY>6rd;Wv zzJTVi`2>ILTR1`7uXXjJtlB7}miiX{Hq%aO15fb2Q16fa03oysEx3U}1P&!c6i!5S zUN$t0iLGZp;oe6R;}69(T#}l@@7T$_RbQ49T^g0x{TSgvP{PMowRRL8;*kE}&3kU$ z!;_~sMr=sUYU%sh@gv(tkkZ@Zt1yAMo4PzD?-L}jYCn;~iUEuUv;6+idf9bCHEk0F zydh24}WG9EHR+KDx!~SB?VA)L3XKy6?0{v#URtHf&#FR;bz&2>{A%oBJHTG z0>DS~g-S;cn39PZs`_SD`PUam%U)udL?n4C*^#egCqI@P`eTLMLt9cDmWSZV+I)~r zAC2120tZfDQG-N|)5r>`^Rw4(vuzJXVE@hn+IRT5oQ(ZsC)^p{(KAxopUvMkD%VNCO% zekQEX@Sl!P3B#~{Qx2~KB}{cA*iH~3779c8u9K@wcLJWFB|$I3PH@-OmRRclar{u$CR^(oWN1zuCQgji*!a47h;tC>0a6Ty z9yX3x%?hlGgg$na*d)%IF2^7%ncf&}F@drax}FYO`t7*&EfpI{=9je;>${Sr5n(-> zJ^Y&qPE$-#?{+5}X6mBQQWNFHq5uU#RQ4@1RP=|`{qAo9D4>8Oj`3G^3cgTNo+3(Y*Gn?TD+cM!^i} z3;0cxRo(2LU@np)^UECC(DI3(QkEw&qik7lun8Y-IM>;Qe!!PeZd_)6Q< zBjb}PlHg%ia{Jmx{OE677JqI~Nqgbt^YBj0a0q}0bB%q^2@swe6D6vt4^cmq%^s+n8Lnw{0dz_DcH~mGWd*;MpD+2x@Xbqh)X%sq;r{M>F_>WjZyB2nEMI{r zYq*Qc!cJ<8RjBXJN#v3+ZJc5zkq9X= z+`A)$DXF++VGD`e*8~%%+E|>bsWMvC3}5P^t!-2A09}7sxEotQoq$8yG4g(W7eNRT z9@FdPWc*_t>D2km9>1AC=Pi43P7=daXBk7Wh9aV7T#&LWiMTs_H($FT23DypAM6|; z90TWoDvozX`b%->=UrA9)$noLvG$nr9=)wCN_U`&e*uto3naDROSxR zADxMvbAx&vVaZ4)ga+7c#zK^CPjmvE5M*vF_HE4@9^junsaDSG36^rLf0&%De@%$h z&AtrW+_dzOwj5~&PbH8^EITDpo!z^w<}qo+jgA$p)YE8B>UQUl0mN5JpItSo@gE{X zLj=DLgK*slKpb|h|5FK~=o9<=xLH*IW@^`q$m|iEns~Nfijjqxa$bHGMsR2wdBTF+ zCR}#;f~RI4OTzL+?kB`Uz;Dq<0E8{9lCn09U;ivt%(T#lZ8Olx=T!ak`^Fbb<^HI@4?Rze2R`#I; z1D~QDF%x`Qz>)ET8#hgUmW7?pqAWDSV3&YL^`V8TcIgt1dZc&(b~A|kw?j26)5Vfw za>`n(9$V6HnUi6(u7H@-H{P8U8t)I`jkE$~#|V93OYe1ELgkKF;{CWUSh zVa(q{zooB`?Z4mE+)}Q26Y5jxi{6&umTd74-D4{z{~Ab(`cCfeHSefBrNjC@GYk|X 
zf0Wn8AYMMDD{l3S*3##Iij(t;#Yc&OBo%ngrNDErluuL|vYV@l+`ngTdbPhQg@ydC(>@j5qvVwS$reblS|Ut4 zq)w4>anbWLXJZ&1Wi!n@VPLXYmp$-Tiw2V6RbF_d;?dq*L*zyF+fMx|3ibDO!}uij zzdSXhH_wp}48?_o1HFy{<60~QMoz~j7m{dZ6hG4etsZ~|PHw%eF`l~7qJZEX6N-6m zOTv+QH{g&g++`7K5ro(p&2O#-gsXLayrqTx1oY`9h429%X}QF4lgb2Ba)bv4H#O4x z0B5;Du-`aSD;}nugck4il*|wDCtob?a6~pli2(DMjW;nvC1ksH7e;#5c@>7@ae9-_ zL!izaV?ko8Z8~)LTxM~AC73n>oV6$gUxl`qoQa#YNBT``1gqr@N?MTam0aW>qWp_w z3vx=gJWIW=t1+(X4B13Lx|o>Wp+6F^!V*i^6q3&Z{O&trz_*i3i12_gWV48{qJpd# z48|-vP08_^9k5oAdJoA}#Q0QX)8A~iL)FZ*k5;A;@em@fnEE@_bh?^Z+Dy;~K+}X)JO=hK311X>(Z_a*(yqLOD#K}Fx5|a91b=-VGhL(##5^dq%k^AzY9*Sc;5WlKL)zJ4Lcpyw2C(`G zgKTq+&miKephZp8$gsgU6eh{m%^rg+al^+z0CzE#NEc2SP1K z?Jc0j_4bZKOX)sk0XHJ8gwjVYViHp%7!9e2wi4>S9heQwX*VBXXS<&IO+;noStsv&_;#uQB=Q3 z?7^w_EamEJ)=ZALKf81ef4|MpGkzXE*gd8x;&!HWEWc0r8SZD?_ z0oTKZ6R}<1ysxp(WwA#h;3VG0CXi*FI)Rmv$r0@AGT`tfNsSno9Sygdq%x!?VoLTe zQgCZ8&xm#nk@@!bZPZ@oypS(rHPnm2kK&0w$bvlv5ASAiMjH(<<=WqOAHJ&$4%3L7 zGblwq&NyN)=JC;*;`hlNVKVa#*ahb-dOYecy$l1bxoj}0D+jt0(n=~`9;E2=iZTdr zS09jDPduWmx}>H|&z79)LpXRdYGU0zYHk91ve`QRgpV5}yQ#Y_SJ3_Xt__o>00)6mdFRq>PHKL#lN zvamBCofL#9C@k!X!izr_L4tqV-`{VTy?f4fHGC>P`?`X#vLAlig2tWsvL@)eRHAZeARH#AN~CGXY(43#-3C@I`Hxk$<9`s*?n zDHv}Z?gdH{uI(FV(y=0mZW!iLC41K_Wx=nx*-`&W>>107W6_MsM#*$MH6<6UDa5|! zNydUgInHy#b9qy%q)$kWl8QnZg2tbbIk(vb>jyM0+u>cItr6;P-z5L`)M@7=pi3E@ z1>2FsouX4(nVt-_9{Vv%p!%;ctdmx#v&ZGTG{O%#U~2)c+b;BzRHlEMymM#}|D{o* z@1EwbB%dSTSw;XRbqc*AYzN7WKoNA>`j@AY%+0eYsX#Vn*$fLL#87|2gu+EB=c3Z! 
z8kiUt3NCLEAAG#S>wRX~i@>?`0s({`R^<!yQt&V##FA*PX8{hKV}&*-rwVmFNAnQc zoV9Q#_mtL;fie~AW4rU3d&>`0K+f~Dfk9Mkku>fBk?}3iYgPGs_J6CF&3B?sDWmfa z4r?YNi!&*sUg1odmhbKZdE~VH6QVQ$Q!!D8Y{Bk2=PD`)u37}=OLF}$I zz-XEHL7AvkdW{m1*2S7hSWh2K;w!wa!TBJbUUiva2XTMVb~JIFW7JUwgasty#4E-q zelG$LQ?PXzhKS6jrWhx1l&J|TykvjdD*X?p!LLPX$0P_r7iB);3KP@Thk%e5+{6Km zP4i7~5#fLT`&FaK*COCVCa4P<@7-S%ulJc9qjNc>AK&H2na_W$eS?N$O~>*_wk==d^% z+Y`;U!8@_x{P)UeOaaAv447_X{{Hd}m`#d5l*Y!!hE3}&`FQW(;4>`MYx45u@IUJ2 ze-7*{L5D|1wl+5>e~L<{tE7E$L8S6B{I8vVTP6Q&9lv>zPs(YYMbF9_8qkSHNMpvh zi1NRib(z>N{mK8iz7N7Yq1S!#zdZA^iTTR`pF#A>(`Z@$opk%pXZ)M+X+-^F1VQms z{y$RI)lvSz_mmwO8vTRB`|~z_T7RUZtC-wr{{OE4`W{qCO|+j~t3foU_W0}kTPw&A z*ioZH+vs8cKNPTKY@HbB|J#L^IX}Di@-uGdPKPPzdnf)SPaV_->bKQESTJ#_cQ7$J z6N7_ld2arXzwdhgjmV|)&-_79r6H#11G@%xF6@FiI0D3@IP%)f21eR_W%hYEC12<< zwmfh2PdMP?1cdabt+*)TvTyKHc~@awC>6A#bh?-jq4BMvQh`-|tuSc|=%j{3prRe_ zn>ix0TCDsW6)w@ks6BLg)xy`;^eunREG-?CE{x2V!vGZBim3Q7zHUV3#bL@u@070A zwJ%3JEz;k}6v%IVeW724IamkytvJN2=D|MXd1&E2wCRs||EB^Pl|XB2YxRwcK(w@0 zL|e!yDFyBA88R|6v1wd8baycbA5KQE8#TH8vLz?h(6DXQxEhS5P2k#z5rqr#5_Ja6 z4kbF`WM`LJuD*#w+-EeE(U^qa?>nWs;--lnvs}buaiN0~5wjyU>!zu76gf5B({J4{ zE6*9L;iKa55CkFpu-6%?ByTDRC8&?Syu2*Ab8vR)%i+~2J4wls{85J##}Q7sKN={sU1amg-Vj4()Kydm{HO{?_8p z%28>q!E3brZ_6II3@%SDt>RGp1K)nnsv9V&I~AQ|QsL$daQUsc z#;m%`oSOw$JFmK;P_m8xo8{W9L=u;jjDJ&6RRwT!<3ym-1xG|k(O?Hc04l>60b!iT zq|zlSMKl?o03h189|McWkPuf!0a{<)r{BOh(3le7Ab9cC1p5p7UG<0)XeuFec)@Cb zq~e-ixDumNgEgT=C4XIAC1Vg5ev_zz&=ON?-DSc>2Im5p`l8IA^HL7n>?NZ<0_o7d z;QD67=tc>{^l=Gfi7!=Swa_^aY*%a8{nT|;3a6W=9zYxkQ^%qQ#g%fr9Qv^7YapwY zCvH_#uD`_K#r$9ygD(3+x-#b*haNzk18POh2uAcH#Fz>|TPwM#rg{cBm7QANKZWd2 zdt+FfN(JK}el6I`???%#(`!e?>$B+-C?b{nIP^dUsGEOvfi@YsVR_vtM z#p$PjRVvjI=UJgyWwD#Jz@p~nz*paUD(Zn}Pn4ed(%fa*uQ$0NJF*|maDR(i`V*=`P_PXq$m)%>%+%RBIs(#iMpQ)3yWGe&7RqlD z1%zI2%Gpp2j&Q|T3dZDspRh0mAWGeFa?CiOnra=Bft~mtY|H27iqJ_u7@9}kJYrtv z?WL4v;|fNp@ZYoPB_J3`!Pn)NS)UDf(=h6}G1}aQE1nB6w#;1P&x%Ofn z7*#NA^)nSyaEAaf5EMZUUJdKpeFh*y{;nLKYX2br>QC|=7>;LfAOMGmb50--e#bx(_#avS9>P50*SL|5J!s$}VRD=D+ZETkL`>nE 
zaiR$w;6v}+FZKDc+9I7va@^qg0del&;hEqi-TT^L*7TO&e7JKe-!IXPnDm>z)%Wz# zk=3W%$doN<0ihJ7N%=V4Hzmd*#m&jxhld{96F~3n8>o-e4g;?hRnZ*@Ly+bf!F+b? zHi3@=z_ z06voRHwh01=7#Z$L3qModA6)ivk0x61J3U+Tbfl7O?~DN&=6v(ucA2a_C#NmRQyng zr$;^Mkc0}#d-blaGSuQ?lfoiYjP6>k6M26=$M}=o157U12D9hzr!NX06K~xV+@nPF zP{V*PNCvyB0=>V7d80POw+bmhL`#d_g6kP9ULPbi34?Q_NRHfXB=spIUYrJmZVuVi zO*`&Qq86tMV1gi~U7-Ps-Gwamy`?tGl9Oer&@0x_m zrPa+`^5mUpK4>JREFZR!4zsvVz~c$rhoyl)b!V!Bt=T^bSQ7W-XDc+=^h*^z2<;HmBa; z%HZvWY?1BV#R#7M;&hzuEya?m&5`|s|>&rL4( zw@;^(E0_5;G2@xv8)>ZzP7f+X53SF@gv#{wo&J9!BIrJ%k2Uj?oEWo56?;Z5~{tMvRh z8GiOh-LEjKLWq-fn35S?&i25%k>yn%u%O&%V&mVD@t&j@Hay8AYF;LCR0WeNjpB#at)>a^}&4r{cbgBtk+lMbtr;@m+@N zM!xG;>qs-|(47--l37VW5RDHRF>?0LD6yJMsx;2z44~SWpT!JEps?!&49)HJkBHJ;W<=#;xJQ!?X&p!$`5Xx{8vc8?U zI-07Ek{xK^Gwxj5qUWJ3qrYCts+IL|AXe?425HVmM;pZgDHg*Ijylo+oq!?g%Jca( z{IG$gjjoq86CaMcsZ4R_Pq7owZ*!U?0|JQb zfj2?zL#S%uzey~33&cdm%xA<{K?pMh>kDy&>)9@?s(yMt`yb`6(c$r_76(wJ3yf8w)iR zszh^SaB_TdT^vJH#ySO&GYl51Gjm+|%IJ*SIrMkmk)%wzrKO3Zi9qE%qH=aLevyr! zDe_4r`zxO9kA5NoKx$-0o(}EngtU#s$iSnE?u zR>Jx}wYtfqPpxh;dwn>=)&xOk5w6q7IL%9zj#JFf&bbt6!{@s2d^ef51r~$&gzWTD z6iT4EpRpq}<>q4b!9EqkytuNmy762mzh(Zm?c4G#&&CpvU^mq=HvCyQ(URAnV%^7D zBgfqPr8ez+0>`20$%!&y*qXG3+bY`()`G#GXyrK#5Mi*eu<&4tEJjlU+V9BqC8C1= z@fa)khp-lw(HI{fu|Xp?beHa3(&VUrQ^)lQz_?f5-xt+NVROrksNeS&5!ruKsdIRL z%?oHCmA8d;4bE+>cCuxqBq!q(mr2+UuPPy=s;Y+7ZT%UvPYpY zTB5>t;~|49yZ530CC`nt&Gs|Ef)UJotQgk>Nt`-25xoWHMMs2RvI6`+s@7{!x6!n5 zNqjy6J}WwUzuXsVet#ytfngH9N}{YX8@-Kij{!;~Gj8S3c=&9aez7KYvw|%B-yQwh`Z>_Y1deH zrC{J^`yJYmAlF=HIrp+poZDgQ_hxis#l+3I4{fO%ZN-@4Bxci)7{a=nhY_;GB{Isy zw1j|`W7))We2?K=B(SHofGrW55mPQT|Xq%K~X*dv4)P zo3-RKAr~B8lp+#^hM4wv9ano@@p&GhtECidU1}9`fAD-BqcogoO!wtZKQ3ifxL5h4 z@j?Qy(rg+WZj3P8m*;@O6Y8$8l_>VfsWN(;c+4wGC$I`zm&|P&7@6X6FM-^Hv9%|v zpPbHuRahP1SZYwMVyA437D2R&#ily~aj!d}n0Ju(Lt~~e^sPwTqO_njlg&!Y**TJ- zG;EH=O9*t1<5iE=X~_36b}8Dvd5a$e#a2Pgx0>RlC-*N?t6hQTbzC*?@z0m)sY$|z z&_QU0Oz^O_cBesn4JswN7}x|KYiDNQws?EnO4F5$cH3UY#a0|Hxqc5eaAn2>MSK$6 z_r->f$+bb2$i?SdUjC8(>J&ss~D3h}mZL5OknZ@$fKHZ(eA9J8z 
zdMT}ks>T7SthSFsG#6e~HA4N1dUb2b$Uns@fDo9{JKCbWDG_q1NJ&-Z9DcUr2@+MD zR89F6Zv7=2>}=#u$|cf*&{tSk3dMsYN%QDZT8L&IM23$!o`x}s8R{t?2dE0FsuZ!c z3G$5S_HqaL()9#5URmAMsX6=u#6H(g3FLcfG`Hh)%tbZsl@4Tdlh*QBe(@6J|!?3jr1f>KxF(FY_H9|O1j`%MWZF4K0y??Q8KU0kBf4<73{{1D- ziPwkqd~wKc3MP>}F5hLBCS^^azQ3iUu-}7LUYEanf0TspPGT>##yyALF!J9im?xkC zEsVjyKnRnM7!{WS8d{D`ai=b5>u#`!AA*Oe z#RQxJb2Q!LyS^;%|L2JQMTsx61k56n_T=&2`@FeX9X{_m0x3dKKrKyxG57F;lQ!Y} z0xWfhb3B)g?`3#=F;jJr+1J@sK`+_QRn@c3);y{(uu9RHTs>a)MAhY4Xik=CvDm`?B~_ zI}Q~817`h^l#n2H1P$-<2DcfpuIq82-c6a9NGPf)V)I8gwcgHaxo(F$eeqyFCc?Hl zT4)-_TVnH#ek|;E417K~Q7Lgm9@WnuGpM%nalBZ8+|S3BVz2V^?V%>aNX7 z4q40K_QUeZ&wmg;kTnmp@mS(TECm8{X(utHYfKhLxKdfwk7le#)GbL{3j8$B;n>?y z11iUERgWqkAPCDBL}XZs5`np;dfl6yaaEjIQKFaihW7Iv>xU(micP^WyW`?x6CI@1 zQP`WSpG343A%}`G+lGloH0~%M-DW_)pC3w#58_NB+X8WDRvcyt+JXH6OA}1e^6o-F3Hmw%&9% z?@tjH^1M;4?TOJ3U%jy7hqSAV4{6-v_WJI9tcdI(Z0^As-7u$iBMnwkh?pLXjK_Ql zm3+L`)t7aRRilDwvEwu95{BFjo&C_?wo8ZIFmB3CQ3~D_yYue*yKT~bMQ)ztZ2~LO z`|olUzs`#%AOT(%SaivL^N5JwmfGdw_kuQei1}n~T7)4!VhceWg|%ge6M@3g=OS0X z6H(mD^jGiP-qxkz?wWGn?iZvtxBB6sK$%EFZNsLnmxjAj- zLomG#0*MH&PjH`8aPg&OrP;)Vpd+*ZGJ|J$K#JBu(fd4bBode=yA2m)mGOQ4Kv;}%awp@Xy3`%DyB8~Al&xASC-Qtd_72th#yml?7 z+5OKcvYHG5UL?WLco}$}Icm2jkOM^k4-QKmRKsAI#iM2rQ8sk+Iyw<}aVp%mj$D!T zke&!x;KSw@RoOetyJj~E^&FXp3?c~mj4CUAi_(6GiAi(yf^(TCQzFupHMY#ymo;eU znxCMGbh16^nnSPnb^rvKXTIB@y>tvZgbY=bqH+1kjF(#EkRZJ4|0FzdvizCnIhTPTbqAEpRwGjO zJD0u3Gr9A3-BSq$EQkm+XO+q)U~a3kX-ojGRdR(hk^}bvS#20v7dfNWI7T9o3F3X( zJYulXGmVQTllK8PC3t|r*Sac*dF*D4!a?lbk#C`6bj+r^-Xn!XMHg&?*eS3exY%_n zA;?pqU}*X`D+s4bukBcqNr^bf_AW0dWGUCdm9O5d9b0ee8E^CJ9qpg+=-D>^vE)cL z0&?S{5OldW@-V-nYp=n0yU%>BncTHif3&gr)>n2Oh#NTrLqsCd2YQiH>Hhm=XOWIt zMOf_iZg`K>@PZL0V;tTmC88;K6i)9pkt3uws*HQ+MCQc@Iep$E5YneXzzTx8t$nQwxV4)K+8x~K^uvDZpx1f!V*0v$~G+~zOwZ&MwDNV3xgz%p;%k5Ysu)X zJ~l+MZ0Zx&H`1Ug_f^O;O?Me;!~JM-t<_i%c@xN9%CvPGxt2laZ;iw{fKhd$gT)4i zmt&KkwFoOLpm7VYnBSB%gA@JP)ss}B3P42(4kg|cL( zW_I1hyH*!R<^@`#Z5>KnALzD_C!8qk07Ft5o0?VTKf{lHrk&a>qKn=| 
zZ^jubTt%(RdJap}x$^J~Km;9Wy>dL7m?_4lIwAlIhr_Mu(z!1mFGW569moBI+p~h% zD!@P{{P2Y#ZqapJ#!pR3Tbr)`;AW>gsEwsX)VX>i8EWG*IH%aavDpy)uV{up=6x0x z=z+GdZGKJZV@-ih`NzE-c)-&78TitmGz|9mdUFEBQ*yA3`KtCVwx>%h2!?GjAV*e{ z09q4A1WYJb7OY9EHLrLho&?Q?292s9grFOla9t`|AOtM4IOogq{5C7cjZmuq&LOlE z?B@ch^$3b2%{Yzrj?RE zC|dR#2r2;(Soyy`t}}KDgm*wUQ2)nwe|^NN0fi5SUnnr?{m%>jYCOZ#C+g7)Ui$m} zfX(n4Ado_#)>Acx|Il~`2dr<*_|4|G0e_wwTJ{EvSh(Ioqqi@2_^yDc>mUydGQ*T~;24$gVw6&!3>T00h` z+v!jw0T);lSfU@kNbnSiZ&N;MZfPlIRf;gyrKg`9`(IrIEeP~QsOr1MP8a=zLjiWQ z*xdnVUg;CHJSp0}_KzQHa@D2JxbU~jO>r%VaU2mw4 zhsMAVZOAcg^5U%g$FefI#M$C656P9~1}TTj^#oEIJzey0v4FeM6u>1(*RTb^`uk9Q zX?3am=&;9Pb+6W2SA@WY!zxXl#6eo|=His{ce1(`I%d_4Vtktf&WeyT9BfeyYQBhN= zK%Q4Eg?cW;aaDHR8^=W)SEKt9mAei?fM19eHWQuVhlb3sE!yo(pOQ=^!b_LN1N|Qs z+nZdhY|aQ`?s|{$bK|alrjLVibwS5_Pr*l@=GDGJwP}{PZm9d`G}Y4kl^0lLi#Xc& z?zy3>eYr2(fHgLoN-4g{mM8=su`#s;lPN$&L5Or zW~2Ww=X$&M-3Mg2@W!o9`z2ebGt#ZL_ITjbpd!9d*9c|ycsau4a+2A_61K*1F2~%c zB3R7-0H6E&I_BIyMT_(*z5!N61~&=IX8dKWq*tKr+%IpLzsG8zcT+|Ce= ztQ1K>hRx3dm0e7{n2oB2Ntle^9M;`_a4v{cy#jE1ei(al2N$<8KH{ zS3IjtRI6T?{OFhINaDKpln1IhlhA1{ zBsON0nu2m#Y-W`K!I*R;s?(-|TaRKS)q}|57r3A#V_wE;G!9WPDbZG&oF`0 zui`V3k(BAK(W4V-rPbWDE*IXoWX#P`<7}CsSUrDW_lU zD{<=xsh{>(0Z$~82PP9nP&;I(S^7e?xU`S?fXpTCD7jxg$dqYtLY$b^aj0%eGE2Lp zu@M%F7<{*tYe`2r5!lU*Wa{01%P?qPL2%O4H$*>wbt6&s)N9;&{S6~=PRww0>{H`@ zuKqnF9jlw-ueCM+1lj#=BdprxP}Re`u?XV5a;MSGP!bluZ>y`%E71VpqU`G!Oz+O3 zd>QMZOh6Zv{dv!t{rMenn|T}u(b3ofbb9Jn9}-2s1J!<&X2I%t;Hy_~hV^B-+l*G^ z*4oL_<6H3a^OxdKC}YZ^o$m5_VJ}O_sbY!3KYGYCKa1h9S9U(&qksp%NJ_#m4aI(T zbmE&m{_fQ=U!F9eVEoR+{9z+r#p3n}1Du(HjF^iHxe!-*pt-%0O@s2zx2O(ZhGgDmI6lp?C-02=fq2bWs= zFE0`@mS-X3;Ym(+5}*PIqkDCR;7-mdfbp!+Q-g+OsJ?A%EL{8;>_HT3bLxJU@VCcLWa{lJNvV&&_tMTz=w+vI zUiDV@YVVX1{#~zIco;Nr1&bN3uZ>mW5>)l?4|$*=-mkkmX_+;Fjv#OH6-^@eZIdsw z_O%@j`9|Xr2T6HW4|K4fY#>WsX7y}Ypdz1pkk@cDbf$6=j_(v6@@u!%lnN=+9V>4Vxj1IfkWrL0ujuX4wRLZkfpmE)s45-(lUiKB+J*OM^*30mr zR!z2IB;=@Iuyhr9kk@MtogKsx8gBGdfa%w5P+as>Ja_+~wu4W$UHVw8$q_GpHnb_O zpsN=)p0RK4aSZ{pKA^%fr*AXM>4Ho*$QP9)&2IGwz`rPcx5l|YXegwjLBCpJmrzr} 
zQn$faDNP14m|9YgyKGiGPLXJ>(ncSpUT2VA7#9Ayj&+<)ShCeKglffLweX>w5OFiS zQTlOQu=|DILa=-!&COD+)oE8o0;1aOlsRwj!v%eBxE-;HDkxouNs-0pT&RJ(=*OYF zmx89$hYSPx^4X~zL>QbCj;Er_C{#Z$xg`k=1F;jd@(qPsDT3L=x!e;aT-(Ul?C|_O zuZnjZsE%{baEhC`-y5xTV($A|JWri7huMB(6s9xKsRG$4hGw5f*Q`up%R(>CDA>dz zqHylx&XkKGy*OT>3UAyha5VqRAP)QUT10Mgh97I2UasyorOq_ZGmYls$1p5kEgwX% z@)HIk+}37Gm{}N5vS#rGWn~efy$?DE;w;_hUp%!5wD+vP0ZTth5F*sEYbdB02@Y1^ zWF5G<2HTe}@O6t%O7^63f`q;n?rAyY5yY)w30d?xOBK5$0P#w{^f=EXE*FSvB8;``|%VQz-)!V`F=j|b-4 zIkwG1#By;-3u@Cy1G^Kh+v@~JHFH5E06v}GE!R`tZ-A<%DFDIw5+9v!Gmp#dG*l<$@XK0kY7oXe=S&3xD$JGk zs`ni_kIogJDepP!q}}&O{m*Cga)>DX9zI!sZ&7UMI+63fvjO(q7I@wp9*HWY?U-#^ z)|Al)yeyW(Rl1{_`wd^-uRTJY3~U5^3X{wNFLw)cfVVwAL~$Ap=Jvnn+(C%U0N+Oo zWEozn+WipcK=KG6K<83IeUhRU1T7AO1r)6koZK^AiEMU}h-;;~_I zi-a|lmL7Tnwd2?@hF(9>R9=IfhI!lxHabGz{kzY7%S&b@J>6cku}y^L>l;`jJN^f|^Hy(;V?$ zG;Vf5@5GBj{5{u)25u%xXYd=ICRh^`B?$?w;4gK+Z;a{SDP0W&+h6=~i-!8N+DT(( zcLatMv1?FboGzZqF@m}RZl;dI8zq}lt{nHNXR~?hrB6}Q;8YJcHpeb53DyP)LW*nS zi#&eUvS2I^WEM0;%KJrlH>wlAHpO7?hG*`cI(G92a+93%M;7ct}$R*mB$cwr|{s2V^kW>9|8nq(Cuyb47x1Y{u*WW`x zYIfQNZLN>JQ9JGo(UIHumU(?~U+Jg~A?l5J%)|9MM6Zy_%&pPly`lLI=lNp}1?`Gv zxhsWH%`2^mb_l^Uug}|v&`?zo@qQ8pc8uzaOAS$wi%X6TqlhT;g`wcGQj7u;J_Zbh zjSqMLylF=)+gJ?+AB?%1aIC1fXZmDePJHtFA&&#fl4qT=q4ECH*N3KYjg)%ifJVC_ zU#6KmeyCPZjSsXp$5UZG&M9`wI>jt(bn;IlN>qt?5s0g}cL=l!p1jt{DAVqvXO>p( zs5>R4;Z~DLTHEDR2LOP$$y@l_$)`-wL-btA{nA|S6av1b)&A0whEL!Q1cOrImX_}) zr*%6ObNU>QhX>;W`4rqDuY`x1^2Nd@*YknBWYdq!G8?Y*$}$(j<e{x+;cv<;5O;+(g2wC{i2ekbQK#5!P_i9b1)G}}oiWbtNO=FCkzc&i4)t1M#FEL$gy+mo;o5pr(MdN<|>?0jB+v48$^ex6a;rbqY%qG!^K-=teiu~ z)zTEvx!iUyhJoD2l?5*M;-M&-OUEy-?tCW%V0fMYB+aLOT8|X(Pg~5igV43f6TxY2 z5DbXlWGXzTbM)^m^MEvc`!P#XQ7^3<(dGm4qU(JvuK$Qd<2l@ZoI(YnWX;*H%A%NtwpyhiWvm#rif8rP(%?`Mepj6XWrAmt@hnCKg?~6T0-BADYN01 zS%hL7h(q1vM-zCy)z^|%K;gSL&Qq!GgGI1fPM2rrPs%+Ak0@+Oy_y=br0_pRd2cQJ zbHIl=I;odMf1hYCR+QV9=#Vam^A(qD<7YV-aZji(gm)dX=OEe&1 zJTf}bzR{qXv`%;dZynV^=mcZ9z0$WK28sthnm9&=G@!j8wowyX(?(N%AxUYQwAV#cjN)nFf)&!SbMRJX 
zhaKPg$9g`(rx}S%CJvXns34Is8!^Ni8P~(v&`H|ifhA2HlIWIppOe4b6u>%5BAHpP z6OGM#oz5-&m@ueo9{Y5o9=cI+mA0s>^!Y0K948>hHTvTW7tjqcWN7LGAq#`RZ7dWQXOsBCPLdNDQhJA`yn>W^Mnwhf{qeB~%j9YeA@#&xavx zQ_BRI((I!ZL)J6=Ri$sNe1-Iai1@^f9N)Shv5bX;Bz ze!=}4qZb+rBJ%72@7c@$eZ>2711xnQRR}qou9o}fyI*AMIxH*`k|V^qhsEzR z#UE=RRs92E1Fm;x{_X>iL1+vFaVSXgTGE(|Ds_upT%hrI=8$^`^lSfBQ1ws9b6|GRJN zG-&!n+cZE`ChZ?QlSTzLPA z!UD~1g2nwL`VYgtJ_!zNWaY^Gv(fy%MW@QoVON zm-;v4wQ~k8su(pFQpi8-{ogeXi+BE;ivGgq1+^6l7S{%x9mINbEyTyB0oxjDTGP7=E^CXfLK>}Z?{(yqH7igp^@(q~y)J^I|f z4J@zaO%~){bc!b!N8Aaj4_#4jw?uzA6+aHj>e`^mB?cGQy0Kb8z`~#&wc$nVU$=Al zO|J(CQv59AS*F{DL#tZWS#8wcOrP<-0LWb*e394wYkEPI3y2RpaK@a#sq+Cka`Tzj ztGk+&c&7v(+0>;u-G|YEd@j1Jh;h$4eO{??pThz$u~bmC)nOt9&;d8!;esgsu!vGU zBBtzznRu`8*UV(vhFEpqLMV@RZNZ0tfB*?1rh(3hE@riK$jY?|o~T56dSD3FOi^h& z0B2~uZ{M4l7zMF`z*>I9&awz?w&S3=?b1$J$BC+<))o92Uq9R~Z$I4LxYV=;h= z%iOzfiS|$|ggU|06t`e?_~JBvF*)(D>ND;*xiHvVF$TI)t=y4svTQiDAF`+x)j}}1 z`pu>Kf|M%zyMhX1pAXSf(GEKWFW=)mcv8HGKkePcn7L)YG|RL$^1_Wl!s*g@qR(7= z-U=!i!q)f!<8U=StgEa&VC{6XBG}*xiAG#Zyo|^*wY4IqXXHp-tihubZNt4#2r5mUHdfGEY2e9hrVB8RbA|Tm=1Ca=`1-Z1>@9jn1vm zc>fG<1Be$hf*hlCQt7avRZj(e@4Sx6;h>%A4XCj!eyQ5*YB)V@-tsU;r@jY)Y5B5% zj3G|)vmx=O4sz1EpO>fWlk8v1Vdo6(*;zND(cx_Q#htwZoO6+X|4?%iO)xV0{jMUmN^d>^$*+L9oZNH+g*J34z z{Lsx@Fg7^Pn2cfo+W&#ZdThxblAh?e$KVpSY>ikDDK$1R@lEdN$A7W7`xTT?_{qRp zDZ4D_;LJc?6=qJOR9>6TL%sC8%gk~h6ik+ICb!w0H@Py7C>%DqXDyh~N>|XfT>~yK z6(u1q5edwy90I}vPTpdMbej^ltjO4V!bZNqVt*sN3#xC>jil$BQjFGfk z+{TOU(1Wv5A%-P`cGM9&A~- zEw@yB9REpV(wYsyzH==6@r-n!JJ|jC!gJckvfBn31+BX77bh$X_AgGj^e;|Wy<-)1 ztN@HjO}ZXft!9Z6QIkJ#S&WAkv0{cMnn|YcJ5<_$rw|4E?q~q@0on-M$YNKMm2S_G zgJ<@j=R{O%ImVIu`FLu(D`couw`XYXqaPJQ1*>9kT@sZ#r{pO}yi(9i6GRcC7q+-> zBQV^eILwB~ZAvW9TqR{)WEMp|n!`d6V=m=J6X%-N_wPh>JBZ_0y(7Kst;vV5LZ#qj zMP6{V?i@NrRYS8AGN02N96DY3H(%6ZmTUxvFpoIBy&o1S1|!+^HA+@nHogv-#We_n zs%O<3C?o6FczYSUy&)`anZ8_14MPd9z zlJICbN-x-mz68r8+I+z2XWW&uV+s>S29$8T%}4dq17_f6bK7^p>Lk4$mvQ$N&zpv{ zPd4x!5lfd`A^<209^CdFytFGw%-tnVC7M!>K(NUddlaK%SqUN{?trx$2|E&G*mj^C|IHa>wU~r*6bLK;0446;b#iEMX*} 
z8D*2AyI<0(L@*XCM(xzJ(<_i=lD;i!6BK7dKPiL*{|ZEui8_ z`aK~wgIY&74{_joOh!0vt}Cc%TI@j*FBCDpY;0{UbUyc<3pb|7o^e_QK$`w?pyhno zX-R+Vp4}R#$Cs6MW%3^-@KK+bh{Rq%aG#8czaD9&lWhh(0*!j_HJxgAZ#p}wIy7FR z1N;LK!S2WGn0HIy@bN7aK2lM;g%E%{=!kD3h7YP2K?qJ)RK+!HssiF!g*`Ki&^4kO zh9{^2C`1CgnRNB_NYZm@3LbaRe1r}u?0!QxWezAS_93#(+!Zy~bT&o&WE>yC4G6N< zxL9drPRg_PN*-Gv2z_$gGQJOG+@#V%=dgr-+ukpU&Dw&yFC?2^%X}a7`wuTH{)fSC z=hHL2C)fl+S|%dUF*y69IWNk_%DD~nJNd__29<}ZyZwv2-GhsDzVnaXnL?$Wy`|qP zTSE0TqP7UW4K)>3l{do9p!Y7uNEu3fj?t@(wJRS#q*SLJQCHecG;C<@uc{i>({)$a|Z@v-~5#y>AwySI*f=i!9X~x9(l$+LY>u z^YY1DfWehJOmO1h-6sPB2@h|u&%TeX@ZGTnC?OZQJ0>DSIcr25fWmvZ_l%y!CU4*2 ze7|`3z(XnQM0T^)Vy^5hx`-xY75%DpYFWr$Mk zyu-*mgLc&DR#CAk*2l~zM$;=nuTOT{Fqh@GZC{B{X+6EF@8=b;TYNqgSo-TopdA8w z0_5E@iA!LQU?vx0;e(wu?LUF4iFDqtGB|&+y=be)K>rczV|f?p-JAL&85%lviZ4>`*0p40@T_3)^)}H*mH9)%@z*&)4GPkKm`BKE zX7nT7U0BlRJ!j_g_T!f_)c>69Kc@Vl5y&Q z!f|WnN$xl~ANdBj2o&_H#cf%#@Lpx@B2v!S@yXm5rq$$+fF&gZJFC9)7#w@|H3sGB zS;Ipmzs|;t%OJehYPs1xz_&Up5IQw@Id0#RNYyN7OH%nJ-iW}bW1B3>HkHO-=V_*G z@YW#W634H6czrDamDj640-TDe6Vw$K56TU)(Hx55$P*UxrYvRLFKLU0YO}?BZ}48t zv1y|~VR47{;|ut!cx|(fUt$39h0Rs)5@3VSgA~ya2^|5UJUlvDRNI=)aA&XfBk1;?-M4;}!!tdxn7NLZO84VzcIrIW<%Mvy;pq`r zUOEMbMvb=(%4lEvO4o1tz~;*d;*Cx^Ie=CDB1h}K#0~;$hvP#@-8ONw@*VEb6PMJV zQQ{W|9Qx7&}LKbjG%s4`sVS< zw)k<1!KO&=stDJC`c?rk_&3W0mNn=YYqh-QZz-xdrm+ zo$W(R99eCWs@8C9%Q_WHZAVNx{9Es*l$8s5_ej-D;M*RKFAJE@FEm2Rn>_B^eQ7pB zeIh;&86JbovVJ2{@>-_7bVAEruECC!D=-*~a{t0}Lzy@TUczMJitU-h!WP}4H%6U6 zOc^qu^Nf5V4V~hFPPdqDFzrAe`&IQRg$Z?cOiskcfF3rF2m8{D_(lj!N*gGj=Ix2p z!DnD`XzXgl4vN9ew$bfi2gTfW&|F`5XkKq?n~Zg*#q1f1J-J+zEaMj`4x(ThJaF`t zSP;l-X@%~T@(b_YQtHnSLLRAhn{MMcaKxN#Bb(=YKfeF+nF$1ue&9eftz{R9S?Kgy zvEJle6iW=uXG?kY3Mh-RUMq#PMu-G2nl<`0F>ASgmHRf^4Qbni3ei(vxwcjZalmbG zIMmdx_I zU5YO}4-`YwS%L7Qij@_I`;9owDyRF4$e}HJuV{=acA`lhTw|=pn`4z=r)|2B$8xmP zn775c@;76LP?}1->9%iy2;>LP$uHhY{|EH4=V7^UAnH$P?@1gRn>3^TJ;SDUSKDHtpP~3QA=1stYqV8G%sD?R(-MmO-Ap8|{KL1) z3(xPKiO2GYc@^XoFw$AEFnC*6l0=4uyM{Z1mlrq-mT8nmVch5_?~*q$YgJ;wQyV-; 
z&#VK$*=h8X2?0H11qKU@yAlIL6DXfNmKrwt=wGA1mC$%dhrTC0UoUvcufM5+m3*nUu;wt+^B}=Z6Q(sqe~35v6KKWMELx&jR?f#Y@xR+Oy!&dXJV@*5 zcJvA*KG0|8I^aVD0;jgi z3`6aHl;VgO7Iy8eJ=tH(9|HN@Q#D`gZrkng^r%_eO49hQBRElXU|7~+R0}10d2zqQ zf1^?Na~_AE*8}=}`fn~SIJA=uzb05rMPv9YMfNHUi$y%&7sKqs+3D%v0f`REuY4Gr z-&W1mc`h{9Yby|hdxjc#`^V4+lx{@RVp%&;*v~=W)34Lth(o%jOwEQW*|1EDGgyT) zk+3(naPfYrT3Fn$$6_)JMmEq*Flm-PN+jn0ixLfN;%%s(`e6` z@nMh=9wEOpj**vP*N#r8d2X3_wa~R<>HDnf2ljj(1;xxUuuL{Bt#s8&Xpj6-I}7Xi zq=q-WW_vm2kJiD`O-p&pkRJZ3h;1*CQ?@Cd83`$2BAxR}ZBKGXHTbO~FNKY=2*?VG z>@La|=DbklA1ZPnY4xhM7TF&2WuK%g?Urz)ss(hZzchV?)-Xb-0u1_)9b=FmW0*V4 zY2f7TJyJ~!>N#Ysm?n7GHg{kK;@@_(>b$gH@x!=1-WUEDbv^57TiyP~`U{`P>odUs z*;Nb&2L~S-6tCc`h{yaZD5&{$=kLt_xz!Lrh5Zz zrzwt>al1Fs!Gr1ChB|hqKkgk3P{4mMNaSQ;W7uA$xz{Z{jcFJ#FhG7pG<+HAcev#c zUr!MB>+!UimxPTEgcMXB+qfV)#$7$@$W#C&;$__XDnz{@IE0VEFc+Uy*$&QF`^wh* zS&HC$y9tbHyM8~w>P9;KPF1Mu_01asa7htC<&;&o$5!wJY3-4I) z`d%iz$4z5s<5hP!tj9tL5)cN16qKrnIS@)m(5dLuLxkMOKSiil`+^v*ETx=ZwtkjW z(bf3oC!;fvQY)){xf3-Jx~|5?5fhW2LLbzkqNlsL;hVMUhxzZcB=-rcmisi+EL;DvSy8+fL4BgwjO zE%s1%do1QNO2iWI2rDPf{0FHGP1O078AQG@5;RDmGqwiYGH2>!6?&?WWjNggUXuT0 zidvY#A$3I3Fg}Y`zWN2b#vTIJw~5h%YmrO_0j7Bw!tCWgt=92xYYOv(tMv_1B%))+ zKM4DMp7`}E_%i?2^o0NU`X{i0M)(=AoSUH`{SQ)uh<^amD&()b{K8>C-aI%8$eR;S zO_x#q!T|sABlzGmf?rC;UnJ^J^@7M4NSVW=6_|?tgBqew6ny)?tiL}fF=?lO!~iQB zt<-;O3jew<7;!7qZ`S?K)zH{KT`DNnQ1}Ozu%I`1|7a<{uND}9#u6$h0Q&Qwv3|5r z`}~Ep_SXjY%ZGqrdLXaAgJJq2tP0dI90z7Uq5thS_H5AFLzvTeI8JPJbi)$=YqLNH zG!xP!W7J6S@1^s1w+5670+pT8uSx1+|6uroD6rAj!1#ZplbyDDaAZ+GWJr=>hx=v^(SC|i5>UAc=P`eJ2q}v>6R8>x->1l zNN-fs0h0jb<8Rdw#+Ngd4GN7YeYR5lqzqSmY(wDsWHda2no8PKQHf_n<_ z(WMdAYQd$*Dm(9*_vjk@XeNO@g#ZFx&GMntKChBqP(gt`$CHi-@%MBKc)@hv`ovKu zbL`3u3kwShDXfeng0EyTy~!uO1pQS{?cfzdI6PG)U*Htt|Bp;^;1dcKKN;F^qrNQ_ zq29(0*V}YowEB#(sJQ1r0D1f=Nxh*Mr9mbO{_#6lQHk2hb(Dn6V9z&*{ct!n2$xNX zeN(gytWO%KOVtfOW7;FXnG0zGW7@M&VwjRftSriw17%yri5>^_3`#O1T^mfe4h%NsH?$5uqI+(PeX z)EZCEhEKjOM}VD5&qv?CU04bW3T#8;YHOd_#`Ig>4_*)Loe`b 
zKW0Ns0~H{}nQnD9($NMVHQZ%~@!>lV?fBDotOlNO(Z;2doYadQEh$I;C@f;;}%~-O71B0zPEw&BBq=Umx z+m}^xA9{bxx+z#IAdt1g3=Zg4K`Zr__-D4)u@AHxkUxPY@FExmQ*(hBx7Te_ykmgIt>MbvHs6*ob00TT-v}PEfo~c zzhXup_)*iQJiCgBTOeap8u_niMl7?LdQ<^6XMvgw<>v{*a?$f$9%c4omaOjcTPuTd z8j*mX;WiRNj`1+{$)0ExemHD8g?DFzYks-s>wNU#aqLE*hW$Qr-$VtTPo&f`+LYF! zED%TH@#*g_zlv3Yjn3;)ARZLJkEB(Mo%rr&IK3MgR{JW0vnf5w3Bz2Ep`4O_&M%Ey zHxl!g-eNZ{VNptUzmfx(i8rHLd}8Fq7hhJ_W;FUxI((Bms4}gD0Ht7+#6z>%S6BgK zyvWBBP9teX$Z+oN1vX2s9%6_N9_O!ABNCkGwlJ%rer)U3&*e>W8|yKHLamjAp`7a6 zf}C_n&^zn+FHwmcn^aDvtF=jfXm!f*Eultv5zW$92tgS~LNfB6?EH3EEj4<9{KHk7 zau0~6`vYBzxHsXMeVSH+g1TlnuccqCi^2ec6r8G1)+}}-x%X7SPE{{ z-VdYeM9*d{zyg;~tDDDJ;@T(Y)H{-h1w*4= z)j{0v~(Osaz!Ui8x`kBxZ}P{gQfSv4}2v_hCQKW@hl zJ6(&W{SxyEd=+=9LREtACy!>k`?w{9v78Gz0_yS*QkA~sTOU4mazP(=!Y1ql~)h! zl3tX5Clt^h=knJOc{O1tuc?rjnXR3!F<@@L{SBkm$(d{xS#7KyZ;ttRg{ME<+GC+p zDF`CDX;w}No2nq9hsd}9;UfHpza$c1m;u88Skvt$pnS6UD#*yG-&v$T( z;h9?Ym)K8S)1V*ft<8eILo7H5z^;q}%q;Ex6~<4`oIpW)U`a={kWVo5oFc+wpG5$! zATIXlKG`oYd+DaH!(0%a%o`5**yjKAcAim9Y+WB0P>M*Et^y)OK{{MIDj-F20Vxt% z1f&<~gd!j0D)l_~`32ti7u2|;R*7Fy`NLnu$U_Z7YC-p}uRnl)$5nRE7@S#xIp z_J5C+y=_ax=8KB$y;a|y^;OBOotsn<-ohVH&|-Y3A)Go=XDwkzv8!Gc5@opH3k(OF zc)2oriluwMywN3rh7?yaM!1O%Zxg{$q3LbJh=^WP7p^=Ck2iVtBYaf}sW6StT4dm> z?l%wi23V{Z>%CXB4((c{66p}iFw#ZcK=6ZO!@bIE{k_{$*n_H1WV_H={65{e&BGEC z;WApz)zj@Uc0JoBrHqBul0jJ$*~DD+pr??9cjB*rk*Wa8DLWbBZ2QM1d(AiPi}RlA zgF?bKUgPLUU#eyqtKiMdJ^Pyuhu4%i5={Z1C6ah6>s*UF@*fKPuD4-4_Em30)-ELo zD^UdGSC}~68?JguHdO5QP``40-(ep$Lv`WzOw#;IP`@5Z!bh*x$@hpicPHtt5P}*# z@gh$wGM3%{p$E_*+m>+16tfdTDJHo0(%FIdTv8A2R}Sxkgs1adkp)hQ*z_@;n5So) z4VaS`rQLDuLHee-Gwxr=>2umtSrx7r;%keYp1Lw%h8s{(Y_?-*;`Md<>7af`*u<(r zPyaHwW=e#-VMDsJaIghTp$d>z^!)S5bmJj2HIeMjgl*j}!R}Y!menV9HiJs9I;1v0 z#C^?O8G5aMe7^+<41@cfQZAA@AY^%s1z5n!pJ(9r<j=rs@dHK7tMbgm{JPhvo-rT8;&M21W^>p{g!ZiJZKO}+tY&0*ZY`8i`*3OJ zMK>2#_ij)+WdKf(-RXZ&dCNOJ_E3;855;IN zGk(cQn<^>YSl;p8_S$D<0&7Y!nfWq`epIToR1c%8E=!MYQou2cuOY21L>n@$4lYE!H9w%&TO2gwD@h7cIZw{7O z#%w>w)Lacc;2ZIDKBYAn!DabZI`1Z5la5V@92jtYpZ87OhP$uaIXXA}_+#CsT6w<~ 
zVk`DU7EZZzTA}(@S;T7~B3(pi?h>}J-rH6rCtHDe%sd2c5~M4+ZzG;-k=vmty0!g> zs;^-3s&D@rsgU{ptmn_Y!awRKhaS`bNovHM2Anli1;;3-R1S4?Q;VLX=Aj;rcotzQ zg=H}r+Ir6qhHvs>mvnhY<(+0NK6OxXgn=KH zl5p@B9jVq8IbQ+3td++Q#V6g|sf7*Pa0oat&);gd^w`};67 zM~%uwKp}uQ-?$xD7`c)KY|P$%@3vDiZlRT(qSw*HJsFLvcYh~ytJH)3?A}wtmJL4m zqp^@d&!tx_I~lcLvW2|C-9O?Hdi!3WxKX{=R$U$fRJ31(5IJSc;KiOI>Y2NU*g=-5 z1`@Fs9<~IX_icQsu9sPcC-fkdP~0xe$XC+z!qc!gRL$D!B_Li(j|nc#ZP99>KGd7n z=J@33eSwYAbRh00))lR3YFOR%lJ_^$v%X~NE1%-7Yij(j6#}5o8nj9|mL?51zFu0fD)m7FSn>`CN_!2mr9*O=) zR1{u4e&_Z(XCLYTsn+HF_Jz&95p(_T9Gh6Q%Wf=j%lNimXi{Nyc4z%fOC}+wd6fS? zh+p15Oq(BvU{WqOIy5lqIK4PNnFd0fiyJanvCvI%qjKGeH#ur6-KLKpy<`@e>xum# zDcf2U>@~^3VM&oZL!{VcX<(RFyJMgduAr< zK1zx8oJK7jO;!xBBS$kCUF)%|kK@1hulKZx|4_rTR|aFZ|+lO!Zs z$PlGHY)hdNpE!XvVm{C52l1cggooEYlMFOO)CPE0s-GbummaXL)ScZz8M4gyEeJV` zZd8lufGMwAs3lC1<0XFDpNL{02?A2wYNe0ch0Y`+*cDik9NKk`<#`1|fSB;zZH8s=q`<$4;o z4e+n4&rUDs3ol{1|FEDfik39%f>S_4zhM$;IS$&`bXgI83PC(kQ-rW(udPAd3N3c` z;2{dfM(zxfloAlG9x#ULXo4tCgU=z$b9=)HAW&FB0K)sU;qm_4sQHq)Z!{50@^{ZN zYyx|lH-5?P!f|6yjHjJUr%lmQt04kb6-F1qV~tPs$RWrr?2V^K-^i>^S2=N#hq;|- z-AfHo@iTS*f0pXi3?qmH z?1mib!DOG^4CD*Cnw~&ZzHQ;3LR2#$5&3T{8DEE+>Aml|FLK z`_^D^tryrd0~vQ{u;o0|evs)loJ>oxU#mY(08+CXL3YF-u^h%_FTs+P-V=O&&5HbJ zCAWK1oS(O}CvMoSY90++Tr@)91XsV=^MMervD)I_T(Rv^%)w z7x~l3q(6@@FPS95*@PIg@1>!ClF3$296BFmu^hbtTR7UzU|M_Vzp@ zXAtFAxOfZIUltc>B@HanO==vJ7HK^l1EjF)z_rW$5^dQq20Iw+5m))Qm@q8}UB#V+ z>Lr^u0WII(W(lMP+u2r44@eLwj#Cr8;D;bw(G~Yi z;d!=472a`yDqd$?g0>#`JI3J$>io@Yv}zif&Yoc6#lA7b`W`2g)vRzq3$m^>!Kh!o zkwZymoBkzIqPs1iJQvymTbQrJE&YVaw==+=hBqXc@m%Y#gG6QD7=T{9C z{Yw$9`7Hk`Vk1zBzx7h>Ux)v~DkA4tCBof;_hPKS;{23265?^=f-qcI?=Gbf&S^ma zt@7;Oz|GHH0m^3YpU~siDG&XlaXf(CEH#z(!>=p+oW?mRBKX$O<8<66s6%{G8FaC@&DzRDBLWWul`bU|MH>008Z1wxWwCa^i$sO8w;Dn zxfdbdM0>Gx|J4ThjO$V!9<2A^KN_WRx01)*ntzcSnoOKE56 Date: Mon, 30 Jul 2018 01:56:01 -0400 Subject: [PATCH 30/91] Update PPA for dnscrypt-proxy to 'bionic' (#1039) --- roles/dns_encryption/tasks/ubuntu.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/roles/dns_encryption/tasks/ubuntu.yml b/roles/dns_encryption/tasks/ubuntu.yml index 5485f682..0050a58e 100644 --- a/roles/dns_encryption/tasks/ubuntu.yml +++ b/roles/dns_encryption/tasks/ubuntu.yml @@ -2,7 +2,7 @@ - name: Add the repository apt_repository: state: present - codename: artful + codename: bionic repo: ppa:shevchuk/dnscrypt-proxy register: result until: result|succeeded From b88f697b286d196bfb8699ce1947b1a4e883a45e Mon Sep 17 00:00:00 2001 From: Quentin Moss Date: Mon, 30 Jul 2018 06:01:03 -0700 Subject: [PATCH 31/91] Update troubleshooting docs to include iOS reconnection loop (#1042) * Update troubleshooting docs to include iOS reconnection loop * nits --- docs/troubleshooting.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/docs/troubleshooting.md b/docs/troubleshooting.md index c16ed9fb..26084eb5 100644 --- a/docs/troubleshooting.md +++ b/docs/troubleshooting.md @@ -18,6 +18,7 @@ * [I can't get my router to connect to the Algo server](#i-cant-get-my-router-to-connect-to-the-algo-server) * [I can't get Network Manager to connect to the Algo server](#i-cant-get-network-manager-to-connect-to-the-algo-server) * [Various websites appear to be offline through the VPN](#various-websites-appear-to-be-offline-through-the-vpn) + * [Devices appear to be stuck in reconnection loop](#devices-appear-to-be-stuck-in-reconnection-loop) * ["Error 809" or IKE_AUTH requests that never make it to the server](#error-809-or-ike_auth-requests-that-never-make-it-to-the-server) * [I have a problem not covered here](#i-have-a-problem-not-covered-here) 
@@ -213,6 +214,17 @@ $ sudo ifconfig wlan0 mtu 1438 You can also set the `max_mss` variable to a new value in config.cfg, and then redeploy your server rather than reconfigure the current one in-place. +### Clients appear stuck in a reconnection loop + +If you're using 'Connect on Demand' on iOS and your client device appears stuck in a reconnection loop after switching from WiFi to LTE or vice versa, you may want to try disabling DoS protection in strongSwan. + +The configuration value can be found in `/etc/strongswan.d/charon.conf`. After making the change you must reload or restart ipsec. + +Example command: +``` +sed -i -e 's/#*.dos_protection = yes/dos_protection = no/' /etc/strongswan.d/charon.conf && ipsec restart +``` + ### "Error 809" or IKE_AUTH requests that never make it to the server On Windows, this issue may manifest with an error message that says "The network connection between your computer and the VPN server could not be established because the remote server is not responding... This is Error 809." On other operating systems, you may try to debug the issue by capturing packets with tcpdump and notice that, while IKE_SA_INIT request and responses are exchanged between the client and server, IKE_AUTH requests never make it to the server. From 3ddd0ac30f211fcf0ba33b60e58cd158a4fe07dc Mon Sep 17 00:00:00 2001 From: Fabian Foerg Date: Mon, 30 Jul 2018 06:01:49 -0700 Subject: [PATCH 32/91] Run dnsmasq as the dnsmasq user (#1029) * Run dnsmasq as the dnsmasq user There is a task that checks whether the dnsmasq user exists. However, dnsmasq is configured to run as user "nobody" instead. This change lets dnsmasq run as user "dnsmasq". * remove dnsmasq user task --- roles/dns_adblocking/tasks/main.yml | 3 --- roles/dns_adblocking/templates/dnsmasq.conf.j2 | 2 +- 2 files changed, 1 insertion(+), 4 deletions(-) diff --git a/roles/dns_adblocking/tasks/main.yml b/roles/dns_adblocking/tasks/main.yml index ded3f798..a68abeed 100644 
--- a/roles/dns_adblocking/tasks/main.yml +++ b/roles/dns_adblocking/tasks/main.yml @@ -8,9 +8,6 @@ - name: Dnsmasq installed package: name=dnsmasq - - name: Ensure that the dnsmasq user exist - user: name=dnsmasq groups=nogroup append=yes state=present - - name: The dnsmasq directory created file: dest=/var/lib/dnsmasq state=directory mode=0755 owner=dnsmasq group=nogroup diff --git a/roles/dns_adblocking/templates/dnsmasq.conf.j2 b/roles/dns_adblocking/templates/dnsmasq.conf.j2 index 501f7568..135aeb18 100644 --- a/roles/dns_adblocking/templates/dnsmasq.conf.j2 +++ b/roles/dns_adblocking/templates/dnsmasq.conf.j2 @@ -103,7 +103,7 @@ server={{ host }} # If you want dnsmasq to change uid and gid to something other # than the default, edit the following lines. -user=nobody +user=dnsmasq group=nogroup # If you want dnsmasq to listen for DHCP and DNS requests only on From e0c317a9588af7b9bf6e846b669b3b3eeb2e034b Mon Sep 17 00:00:00 2001 From: Quentin Moss Date: Mon, 30 Jul 2018 07:28:14 -0700 Subject: [PATCH 33/91] Update documentation link (#1043) --- docs/troubleshooting.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/troubleshooting.md b/docs/troubleshooting.md index 26084eb5..632696d9 100644 --- a/docs/troubleshooting.md +++ b/docs/troubleshooting.md 
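Review bot: `user=dnsmasq` in dnsmasq.conf.j2 now depends on an account that this role no longer guarantees, because the same commit removes the `Ensure that the dnsmasq user exist` task from roles/dns_adblocking/tasks/main.yml. If the package does not create a `dnsmasq` user on every supported target (not visible from this patch), both the remaining `file: dest=/var/lib/dnsmasq ... owner=dnsmasq group=nogroup` task and the daemon's privilege drop would fail. Either keep a user task such as `user: name=dnsmasq system=yes state=present`, or add a comment above `user=dnsmasq` stating that the account is provided by the package. `group=nogroup` is unchanged, so the process still shares its group with other unprivileged services; the rest of the template lies outside the hunk.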
@@ -18,7 +18,7 @@ * [I can't get my router to connect to the Algo server](#i-cant-get-my-router-to-connect-to-the-algo-server) * [I can't get Network Manager to connect to the Algo server](#i-cant-get-network-manager-to-connect-to-the-algo-server) * [Various websites appear to be offline through the VPN](#various-websites-appear-to-be-offline-through-the-vpn) - * [Devices appear to be stuck in reconnection loop](#devices-appear-to-be-stuck-in-reconnection-loop) + * [Clients appear stuck in a reconnection loop](#clients-appear-stuck-in-a-reconnection-loop) * ["Error 809" or IKE_AUTH requests that never make it to the server](#error-809-or-ike_auth-requests-that-never-make-it-to-the-server) * [I have a problem not covered here](#i-have-a-problem-not-covered-here) From b86ebe20d7900a9a8898e5173a42ccb4dc7ee422 Mon Sep 17 00:00:00 2001 From: David Myers Date: Wed, 8 Aug 2018 00:25:33 -0400 Subject: [PATCH 34/91] Prevent DNS rebinding (#1049) --- .../dns_adblocking/templates/dnsmasq.conf.j2 | 1 + roles/dns_encryption/tasks/main.yml | 7 +++ .../templates/dnscrypt-proxy.toml.j2 | 2 +- .../templates/ip-blacklist.txt.j2 | 44 +++++++++++++++++++ 4 files changed, 53 insertions(+), 1 deletion(-) create mode 100644 roles/dns_encryption/templates/ip-blacklist.txt.j2 diff --git a/roles/dns_adblocking/templates/dnsmasq.conf.j2 b/roles/dns_adblocking/templates/dnsmasq.conf.j2 index 135aeb18..0e6e72f5 100644 --- a/roles/dns_adblocking/templates/dnsmasq.conf.j2 +++ b/roles/dns_adblocking/templates/dnsmasq.conf.j2 @@ -94,6 +94,7 @@ server={{ local_service_ip }}#5353 {% for host in dns_servers.ipv4 %} server={{ host }} {% endfor %} +stop-dns-rebind {% endif %} # and this sets the source (ie local) address used to talk to diff --git a/roles/dns_encryption/tasks/main.yml b/roles/dns_encryption/tasks/main.yml index 49c8d6e8..5740703c 100644 --- a/roles/dns_encryption/tasks/main.yml +++ b/roles/dns_encryption/tasks/main.yml 
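Review bot: `stop-dns-rebind` is added just before `{% endif %}` in dnsmasq.conf.j2, so it is rendered only in the branch that forwards to `dns_servers.ipv4`. In the other branch (presumably the `server={{ local_service_ip }}#5353` forwarder shown in the hunk header) dnsmasq performs no rebinding check of its own and relies entirely on the upstream resolver's blacklist. Moving the line below `{% endif %}` would keep the check active in both configurations as a second layer. The opening `{% if %}` is outside the hunk, so the branch condition is inferred.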
@@ -7,6 +7,13 @@ include_tasks: freebsd.yml when: ansible_distribution == 'FreeBSD' +- name: dnscrypt-proxy ip-blacklist configured + template: + src: ip-blacklist.txt.j2 + dest: "{{ config_prefix|default('/') }}etc/dnscrypt-proxy/ip-blacklist.txt" + notify: + - restart dnscrypt-proxy + - name: dnscrypt-proxy configured template: src: dnscrypt-proxy.toml.j2 diff --git a/roles/dns_encryption/templates/dnscrypt-proxy.toml.j2 b/roles/dns_encryption/templates/dnscrypt-proxy.toml.j2 index 22e9cfc5..f99aeda0 100644 --- a/roles/dns_encryption/templates/dnscrypt-proxy.toml.j2 +++ b/roles/dns_encryption/templates/dnscrypt-proxy.toml.j2 @@ -343,7 +343,7 @@ cache_neg_max_ttl = 600 ## Path to the file of blocking rules (absolute, or relative to the same directory as the executable file) - # blacklist_file = 'ip-blacklist.txt' + blacklist_file = 'ip-blacklist.txt' ## Optional path to a file logging blocked queries diff --git a/roles/dns_encryption/templates/ip-blacklist.txt.j2 b/roles/dns_encryption/templates/ip-blacklist.txt.j2 new file mode 100644 index 00000000..d2189ff2 --- /dev/null +++ b/roles/dns_encryption/templates/ip-blacklist.txt.j2 @@ -0,0 +1,44 @@ +0.0.0.0 +10.* +127.* +169.254.* +172.16.* +172.17.* +172.18.* +172.19.* +172.20.* +172.21.* +172.22.* +172.23.* +172.24.* +172.25.* +172.26.* +172.27.* +172.28.* +172.29.* +172.30.* +172.31.* +192.168.* +::ffff:0.0.0.0 +::ffff:10.* +::ffff:127.* +::ffff:169.254.* +::ffff:172.16.* +::ffff:172.17.* +::ffff:172.18.* +::ffff:172.19.* +::ffff:172.20.* +::ffff:172.21.* +::ffff:172.22.* +::ffff:172.23.* +::ffff:172.24.* +::ffff:172.25.* +::ffff:172.26.* +::ffff:172.27.* +::ffff:172.28.* +::ffff:172.29.* +::ffff:172.30.* +::ffff:172.31.* +::ffff:192.168.* +fd00::* +fe80::* From 53d1113881e6b951cb5162ba987c5f583d918f9b Mon Sep 17 00:00:00 2001 
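Review bot: `blacklist_file = 'ip-blacklist.txt'` is a relative path, and the template's own comment above it says relative paths are resolved against the directory of the executable, whereas the new task in roles/dns_encryption/tasks/main.yml writes the list to `etc/dnscrypt-proxy/ip-blacklist.txt` under `config_prefix`. If the resolver looks in a different directory, the rebinding filter is either not loaded or the service fails at start; which of the two happens cannot be told from this hunk. Templating the absolute path removes the dependency on the working directory: `blacklist_file = '{{ config_prefix|default('/') }}etc/dnscrypt-proxy/ip-blacklist.txt'`.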
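Review bot: The IPv6 entries at the end of the new ip-blacklist.txt.j2 look narrower than the ranges they stand for. If patterns are matched as textual prefixes, as the `10.*` style suggests, `fd00::*` covers only addresses that begin with `fd00::`, so a unique-local address such as the project's own `fd9d:bc11:4020::/48` default in config.cfg would not be filtered. The IPv6 loopback also has no entry, although `127.*` and `::ffff:127.*` do. Consider adding `::1` and widening the unique-local entry to the whole prefix, in whatever pattern form dnscrypt-proxy accepts for it.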
From: Jack Ivanov <17044561+jackivanov@users.noreply.github.com> Date: Wed, 8 Aug 2018 07:25:59 +0300 Subject: [PATCH 35/91] Split up unattended upgrades (#1041) --- roles/common/templates/50unattended-upgrades.j2 | 3 --- .../files/50-dnscrypt-proxy-unattended-upgrades | 4 ++++ roles/dns_encryption/tasks/ubuntu.yml | 10 +++++++++- roles/wireguard/files/50-wireguard-unattended-upgrades | 4 ++++ roles/wireguard/tasks/main.yml | 8 ++++++++ 5 files changed, 25 insertions(+), 4 deletions(-) create mode 100644 roles/dns_encryption/files/50-dnscrypt-proxy-unattended-upgrades create mode 100644 roles/wireguard/files/50-wireguard-unattended-upgrades diff --git a/roles/common/templates/50unattended-upgrades.j2 b/roles/common/templates/50unattended-upgrades.j2 index a902c7ad..0c55b702 100644 --- a/roles/common/templates/50unattended-upgrades.j2 +++ b/roles/common/templates/50unattended-upgrades.j2 @@ -2,9 +2,6 @@ Unattended-Upgrade::Allowed-Origins { "${distro_id}:${distro_codename}-security"; "${distro_id}:${distro_codename}-updates"; -{% if wireguard_enabled %} - "LP-PPA-wireguard-wireguard:${distro_codename}"; -{% endif %} // "${distro_id}:${distro_codename}-proposed"; // "${distro_id}:${distro_codename}-backports"; }; diff --git a/roles/dns_encryption/files/50-dnscrypt-proxy-unattended-upgrades b/roles/dns_encryption/files/50-dnscrypt-proxy-unattended-upgrades new file mode 100644 index 00000000..632bb318 --- /dev/null +++ b/roles/dns_encryption/files/50-dnscrypt-proxy-unattended-upgrades @@ -0,0 +1,4 @@ +// Automatically upgrade packages from these (origin:archive) pairs +Unattended-Upgrade::Allowed-Origins { + "LP-PPA-shevchuk-dnscrypt-proxy:${distro_codename}"; +}; diff --git a/roles/dns_encryption/tasks/ubuntu.yml b/roles/dns_encryption/tasks/ubuntu.yml index 0050a58e..f42d0a90 100644 --- a/roles/dns_encryption/tasks/ubuntu.yml +++ b/roles/dns_encryption/tasks/ubuntu.yml 
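Review bot: Listing `LP-PPA-shevchuk-dnscrypt-proxy:${distro_codename}` as an allowed origin means every package published to that PPA is installed unattended, so the server's integrity then depends on that PPA account as well as on the distribution archive. The file says nothing about this trust decision. A comment would make it visible to operators who audit the apt configuration, e.g. `// Third-party PPA: packages from this origin are installed automatically; remove this entry to upgrade dnscrypt-proxy manually.` The same applies to the wireguard origin file added later in this commit, although that origin was already allowed before the split.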
@@ -8,13 +8,21 @@ until: result|succeeded retries: 10 delay: 3 - + - name: Install dnscrypt-proxy apt: name: dnscrypt-proxy state: latest update_cache: true +- name: Configure unattended-upgrades + copy: + src: 50-dnscrypt-proxy-unattended-upgrades + dest: /etc/apt/apt.conf.d/50-dnscrypt-proxy-unattended-upgrades + owner: root + group: root + mode: 0644 + - block: - name: Ubuntu | Unbound profile for apparmor configured copy: diff --git a/roles/wireguard/files/50-wireguard-unattended-upgrades b/roles/wireguard/files/50-wireguard-unattended-upgrades new file mode 100644 index 00000000..b1ffc97d --- /dev/null +++ b/roles/wireguard/files/50-wireguard-unattended-upgrades @@ -0,0 +1,4 @@ +// Automatically upgrade packages from these (origin:archive) pairs +Unattended-Upgrade::Allowed-Origins { + "LP-PPA-wireguard-wireguard:${distro_codename}"; +}; diff --git a/roles/wireguard/tasks/main.yml b/roles/wireguard/tasks/main.yml index 4b70a3a2..df5b832e 100644 --- a/roles/wireguard/tasks/main.yml +++ b/roles/wireguard/tasks/main.yml @@ -14,6 +14,14 @@ state: present update_cache: true +- name: Configure unattended-upgrades + copy: + src: 50-wireguard-unattended-upgrades + dest: /etc/apt/apt.conf.d/50-wireguard-unattended-upgrades + owner: root + group: root + mode: 0644 + - name: Ensure the required directories exist file: dest: "{{ wireguard_config_path }}/{{ item }}" From a57a0adf5e1d0aeeea366c4c6ba4c7c5c60f3a45 Mon Sep 17 00:00:00 2001 From: Josh Dimarsky <24758845+yehoshuadimarsky@users.noreply.github.com> Date: Fri, 24 Aug 2018 04:42:59 -0400 Subject: [PATCH 36/91] Fixed broken link; clarified example docker command (#1064) --- docs/Docker.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/Docker.md b/docs/Docker.md index fba31193..65f363b9 100644 --- a/docs/Docker.md +++ b/docs/Docker.md 
@@ -4,7 +4,7 @@ While it is not possible to run your Algo server from within a Docker container, ## Limitations -1. [Advanced](ADVANCED.md) installations are not currently supported; you must use the interactive `algo` script. +1. [Advanced](deploy-from-ansible.md) installations are not currently supported; you must use the interactive `algo` script. 2. This has not yet been tested with user namespacing enabled. 3. If you're running this on Windows, take care when editing files under `configs/` to ensure that line endings are set appropriately for Unix systems. @@ -13,7 +13,7 @@ While it is not possible to run your Algo server from within a Docker container, 1. Install [Docker](https://www.docker.com/community-edition#/download) -- setup and configuration is not covered here 2. Create a local directory to hold your VPN configs (e.g. `C:\Users\trailofbits\Documents\VPNs\`) 3. Create a local copy of [config.cfg](https://github.com/trailofbits/algo/blob/master/config.cfg), with required modifications (e.g. `C:\Users\trailofbits\Documents\VPNs\config.cfg`) -4. Run the Docker container, mounting your configurations appropriately: +4. Run the Docker container, mounting your configurations appropriately (assuming the container is named `trailofbits/algo` with a tag `latest`): - From Windows: ```powershell C:\Users\trailofbits> docker run --cap-drop=all -it \ 
@@ -61,7 +61,7 @@ Docker themselves provide a concept of [Content Trust](https://docs.docker.com/e ## Future Improvements 1. Even though we're taking care to drop all capabilities to minimize the impact of running as root, we can probably include not only a `seccomp` profile, but also AppArmor and/or SELinux profiles as well. -2. The Docker image doesn't natively support [advanced](ADVANCED.md) Algo deployments, which is useful for scripting. This can be done by launching an interactive shell and running the commands yourself. +2. The Docker image doesn't natively support [advanced](deploy-from-ansible.md) Algo deployments, which is useful for scripting. This can be done by launching an interactive shell and running the commands yourself. 3. The way configuration is passed into and out of the container is a bit kludgy. Hopefully future improvements in Docker volumes will make this a bit easier to handle. ## Advanced Usage From e8947f318b197cc8e7c3dfeb7a1289f2593f3b6c Mon Sep 17 00:00:00 2001 
From: Jack Ivanov <17044561+jackivanov@users.noreply.github.com> Date: Mon, 27 Aug 2018 17:05:45 +0300 Subject: [PATCH 37/91] Large refactor to support Ansible 2.5 (#976) * Refactoring, booleans declaration and update users fix * Make server_name more FQDN compatible * Rename variables * Define the default value for store_cakey * Skip a prompt about the SSH user if deploying to localhost * Disable reboot for non-cloud deployments * Enable EC2 volume encryption by default * Add default server value (localhost) for the local installation Delete empty files * Add default region to aws_region_facts * Update docs * EC2 credentials fix * Warnings fix * Update deploy-from-ansible.md * Fix a typo * Remove lightsail from the docs * Disable EC2 encryption by default * rename droplet to server * Disable dependencies * Disable tls_cipher_suite * Convert wifi-exclude to a string. Update-users fix * SSH access congrats fix * 16.04 > 18.04 * Dont ask for the credentials if specified in the environment vars * GCE server name fix --- .travis.yml | 5 +- algo | 641 +----------------- ansible.cfg | 1 + cloud.yml | 49 ++ config.cfg | 21 +- deploy.yml | 98 --- docs/cloud-do.md | 6 +- docs/cloud-vultr.md | 8 + docs/deploy-from-ansible.md | 223 +++--- docs/deploy-to-freebsd.md | 4 +- docs/index.md | 1 + input.yml | 137 ++++ library/digital_ocean_tag.py | 217 ------ library/ec2_ami_copy.py | 216 ------ library/gce_region_facts.py | 139 ++++ library/lightsail_region_facts.py | 102 +++ main.yml | 9 + playbooks/cloud-post.yml | 45 ++ playbooks/cloud-pre.yml | 13 + playbooks/common.yml | 15 - playbooks/facts/FreeBSD.yml | 10 - playbooks/facts/main.yml | 44 -- playbooks/freebsd.yml | 9 - playbooks/local.yml | 31 - playbooks/local_ssh.yml | 12 - playbooks/post.yml | 16 - playbooks/ubuntu.yml | 14 - requirements.txt | 2 +- roles/client/tasks/main.yml | 2 +- roles/cloud-azure/defaults/main.yml | 214 ++++++ roles/cloud-azure/handlers/main.yml | 0 roles/cloud-azure/tasks/main.yml | 26 +- 
roles/cloud-azure/tasks/prompts.yml | 70 ++ roles/cloud-digitalocean/handlers/main.yml | 0 roles/cloud-digitalocean/tasks/main.yml | 66 +- roles/cloud-digitalocean/tasks/prompts.yml | 46 ++ .../templates/20-ipv6.cfg.j2 | 6 - roles/cloud-ec2/defaults/main.yml | 3 +- roles/cloud-ec2/handlers/main.yml | 0 roles/cloud-ec2/tasks/cloudformation.yml | 6 +- roles/cloud-ec2/tasks/encrypt_image.yml | 44 +- roles/cloud-ec2/tasks/main.yml | 74 +- roles/cloud-ec2/tasks/prompts.yml | 55 ++ roles/cloud-gce/handlers/main.yml | 0 roles/cloud-gce/tasks/main.yml | 53 +- roles/cloud-gce/tasks/prompts.yml | 67 ++ roles/cloud-lightsail/tasks/main.yml | 18 +- roles/cloud-lightsail/tasks/prompts.yml | 60 ++ roles/cloud-openstack/tasks/main.yml | 12 +- roles/cloud-scaleway/defaults/main.yml | 4 + roles/cloud-scaleway/tasks/main.yml | 25 +- roles/cloud-scaleway/tasks/prompts.yml | 34 + roles/cloud-vultr/tasks/main.yml | 36 + roles/cloud-vultr/tasks/prompts.yml | 56 ++ roles/common/tasks/facts.yml | 26 + roles/common/tasks/freebsd.yml | 18 +- roles/common/tasks/main.yml | 34 +- roles/common/tasks/ubuntu.yml | 106 +-- roles/dns_adblocking/meta/main.yml | 7 - roles/dns_adblocking/tasks/main.yml | 5 - .../dns_adblocking/templates/dnsmasq.conf.j2 | 2 +- roles/dns_encryption/defaults/main.yml | 4 +- roles/dns_encryption/handlers/main.yml | 7 + roles/dns_encryption/meta/main.yml | 4 - roles/dns_encryption/tasks/ubuntu.yml | 2 +- .../templates/dnscrypt-proxy.toml.j2 | 2 +- roles/local/handlers/main.yml | 0 roles/local/tasks/main.yml | 36 +- roles/local/tasks/prompts.yml | 44 ++ roles/ssh_tunneling/meta/main.yml | 4 - roles/ssh_tunneling/tasks/main.yml | 22 +- roles/vpn/defaults/main.yml | 32 + roles/vpn/meta/main.yml | 3 +- roles/vpn/tasks/client_configs.yml | 13 +- roles/vpn/tasks/freebsd.yml | 114 ---- roles/vpn/tasks/main.yml | 26 +- roles/vpn/tasks/openssl.yml | 18 +- roles/vpn/templates/client_ipsec.conf.j2 | 2 +- roles/vpn/templates/ipsec.conf.j2 | 4 +- roles/vpn/templates/mobileconfig.j2 | 
10 +- roles/vpn/templates/rules.v4.j2 | 2 +- roles/vpn/templates/rules.v6.j2 | 2 +- roles/wireguard/defaults/main.yml | 24 - roles/wireguard/meta/main.yml | 3 - roles/wireguard/tasks/keys.yml | 3 +- roles/wireguard/tasks/main.yml | 2 +- server.yml | 65 ++ tests/local-deploy.sh | 7 +- tests/update-users.sh | 11 +- users.yml | 76 ++- 90 files changed, 1774 insertions(+), 2031 deletions(-) create mode 100644 cloud.yml delete mode 100644 deploy.yml create mode 100644 docs/cloud-vultr.md create mode 100644 input.yml delete mode 100644 library/digital_ocean_tag.py delete mode 100644 library/ec2_ami_copy.py create mode 100644 library/gce_region_facts.py create mode 100644 library/lightsail_region_facts.py create mode 100644 main.yml create mode 100644 playbooks/cloud-post.yml create mode 100644 playbooks/cloud-pre.yml delete mode 100644 playbooks/common.yml delete mode 100644 playbooks/facts/FreeBSD.yml delete mode 100644 playbooks/facts/main.yml delete mode 100644 playbooks/freebsd.yml delete mode 100644 playbooks/local.yml delete mode 100644 playbooks/local_ssh.yml delete mode 100644 playbooks/post.yml delete mode 100644 playbooks/ubuntu.yml create mode 100644 roles/cloud-azure/defaults/main.yml delete mode 100644 roles/cloud-azure/handlers/main.yml create mode 100644 roles/cloud-azure/tasks/prompts.yml delete mode 100644 roles/cloud-digitalocean/handlers/main.yml create mode 100644 roles/cloud-digitalocean/tasks/prompts.yml delete mode 100644 roles/cloud-digitalocean/templates/20-ipv6.cfg.j2 delete mode 100644 roles/cloud-ec2/handlers/main.yml create mode 100644 roles/cloud-ec2/tasks/prompts.yml delete mode 100644 roles/cloud-gce/handlers/main.yml create mode 100644 roles/cloud-gce/tasks/prompts.yml create mode 100644 roles/cloud-lightsail/tasks/prompts.yml create mode 100644 roles/cloud-scaleway/defaults/main.yml create mode 100644 roles/cloud-scaleway/tasks/prompts.yml create mode 100644 roles/cloud-vultr/tasks/main.yml create mode 100644 
roles/cloud-vultr/tasks/prompts.yml create mode 100644 roles/common/tasks/facts.yml delete mode 100644 roles/dns_adblocking/meta/main.yml delete mode 100644 roles/dns_encryption/meta/main.yml delete mode 100644 roles/local/handlers/main.yml create mode 100644 roles/local/tasks/prompts.yml delete mode 100644 roles/ssh_tunneling/meta/main.yml delete mode 100644 roles/vpn/tasks/freebsd.yml delete mode 100644 roles/wireguard/defaults/main.yml delete mode 100644 roles/wireguard/meta/main.yml create mode 100644 server.yml diff --git a/.travis.yml b/.travis.yml index 9d91089e..47a58a95 100644 --- a/.travis.yml +++ b/.travis.yml @@ -42,7 +42,6 @@ before_cache: - sudo chown $USER. $HOME/lxc/cache.tar env: - - LXC_NAME=ubuntu1804 LXC_DISTRO=ubuntu LXC_RELEASE=18.04 - LXC_NAME=docker LXC_DISTRO=ubuntu LXC_RELEASE=18.04 before_install: @@ -67,8 +66,8 @@ install: script: # - awesome_bot --allow-dupe --skip-save-results *.md docs/*.md --white-list paypal.com,do.co,microsoft.com,https://github.com/trailofbits/algo/archive/master.zip,https://github.com/trailofbits/algo/issues/new # - shellcheck algo -# - ansible-lint deploy.yml users.yml deploy_client.yml - - ansible-playbook deploy.yml --syntax-check +# - ansible-lint main.yml users.yml deploy_client.yml + - ansible-playbook main.yml --syntax-check - ./tests/local-deploy.sh - ./tests/update-users.sh diff --git a/algo b/algo index 3c17a7d8..07a2875c 100755 --- a/algo +++ b/algo 
@@ -14,642 +14,9 @@ then fi fi -SKIP_TAGS="_null encrypted" -ADDITIONAL_PROMPT="[pasted values will not be displayed]" - -additional_roles () { - -read -p " -Do you want macOS/iOS clients to enable \"VPN On Demand\" when connected to cellular networks? -[y/N]: " -r OnDemandEnabled_Cellular -OnDemandEnabled_Cellular=${OnDemandEnabled_Cellular:-n} -if [[ "$OnDemandEnabled_Cellular" =~ ^(y|Y)$ ]]; then EXTRA_VARS+=" OnDemandEnabled_Cellular=Y"; fi - -read -p " -Do you want macOS/iOS clients to enable \"VPN On Demand\" when connected to Wi-Fi? -[y/N]: " -r OnDemandEnabled_WIFI -OnDemandEnabled_WIFI=${OnDemandEnabled_WIFI:-n} -if [[ "$OnDemandEnabled_WIFI" =~ ^(y|Y)$ ]]; then EXTRA_VARS+=" OnDemandEnabled_WIFI=Y"; fi - -if [[ "$OnDemandEnabled_WIFI" =~ ^(y|Y)$ ]]; then - read -p " -List the names of trusted Wi-Fi networks (if any) that macOS/iOS clients exclude from using the VPN (e.g., your home network. Comma-separated value, e.g., HomeNet,OfficeWifi,AlgoWiFi) -: " -r OnDemandEnabled_WIFI_EXCLUDE - OnDemandEnabled_WIFI_EXCLUDE=${OnDemandEnabled_WIFI_EXCLUDE:-_null} - EXTRA_VARS+=" OnDemandEnabled_WIFI_EXCLUDE=\"$OnDemandEnabled_WIFI_EXCLUDE\"" -fi - -read -p " -Do you want to install a DNS resolver on this VPN server, to block ads while surfing? -[y/N]: " -r dns_enabled -dns_enabled=${dns_enabled:-n} -if [[ "$dns_enabled" =~ ^(y|Y)$ ]]; then ROLES+=" dns"; EXTRA_VARS+=" local_dns=true"; fi - -read -p " -Do you want each user to have their own account for SSH tunneling? -[y/N]: " -r ssh_tunneling_enabled -ssh_tunneling_enabled=${ssh_tunneling_enabled:-n} -if [[ "$ssh_tunneling_enabled" =~ ^(y|Y)$ ]]; then ROLES+=" ssh_tunneling"; fi - -read -p " -Do you want the VPN to support Windows 10 or Linux Desktop clients? (enables compatible ciphers and key exchange, less secure) -[y/N]: " -r Win10_Enabled -Win10_Enabled=${Win10_Enabled:-n} -if [[ "$Win10_Enabled" =~ ^(y|Y)$ ]]; then EXTRA_VARS+=" Win10_Enabled=Y"; fi - -read -p " -Do you want to retain the CA key? 
(required to add users in the future, but less secure) -[y/N]: " -r Store_CAKEY -Store_CAKEY=${Store_CAKEY:-N} -if [[ "$Store_CAKEY" =~ ^(n|N)$ ]]; then EXTRA_VARS+=" Store_CAKEY=N"; fi - -} - -deploy () { - - ansible-playbook deploy.yml -t "${ROLES// /,}" -e "${EXTRA_VARS}" --skip-tags "${SKIP_TAGS// /,}" - -} - -azure () { - read -p " -Enter your azure secret id (https://github.com/trailofbits/algo/blob/master/docs/cloud-azure.md) -You can skip this step if you want to use your defaults credentials from ~/.azure/credentials -$ADDITIONAL_PROMPT -[...]: " -rs azure_secret - - read -p " - -Enter your azure tenant id (https://github.com/trailofbits/algo/blob/master/docs/cloud-azure.md) -You can skip this step if you want to use your defaults credentials from ~/.azure/credentials -$ADDITIONAL_PROMPT -[...]: " -rs azure_tenant - - read -p " - -Enter your azure client id (application id) (https://github.com/trailofbits/algo/blob/master/docs/cloud-azure.md) -You can skip this step if you want to use your defaults credentials from ~/.azure/credentials -$ADDITIONAL_PROMPT -[...]: " -rs azure_client_id - - read -p " - -Enter your azure subscription id (https://github.com/trailofbits/algo/blob/master/docs/cloud-azure.md) -You can skip this step if you want to use your defaults credentials from ~/.azure/credentials -$ADDITIONAL_PROMPT -[...]: " -rs azure_subscription_id - - read -p " - -Name the vpn server: -[algo]: " -r azure_server_name - azure_server_name=${azure_server_name:-algo} - - read -p " - - What region should the server be located in? (https://azure.microsoft.com/en-us/regions/) - 1. East US (Virginia) - 2. East US 2 (Virginia) - 3. Central US (Iowa) - 4. North Central US (Illinois) - 5. South Central US (Texas) - 6. West Central US (Wyoming) - 7. West US (California) - 8. West US 2 (Washington) - 9. Canada East (Quebec City) - 10. Canada Central (Toronto) - 11. Brazil South (Sao Paulo State) - 12. North Europe (Ireland) - 13. West Europe (Netherlands) - 14. 
France Central (Paris) - 15. France South (Marseille) - 16. UK West (Cardiff) - 17. UK South (London) - 18. Germany Central (Frankfurt) - 19. Germany Northeast (Magdeburg) - 20. Southeast Asia (Singapore) - 21. East Asia (Hong Kong) - 22. Australia East (New South Wales) - 23. Australia Southeast (Victoria) - 24. Australia Central (Canberra) - 25. Australia Central 2 (Canberra) - 26. Central India (Pune) - 27. West India (Mumbai) - 28. South India (Chennai) - 29. Japan East (Tokyo, Saitama) - 30. Japan West (Osaka) - 31. Korea Central (Seoul) - 32. Korea South (Busan) - -Enter the number of your desired region: -[1]: " -r azure_region - azure_region=${azure_region:-1} - - case "$azure_region" in - 1) region="eastus" ;; - 2) region="eastus2" ;; - 3) region="centralus" ;; - 4) region="northcentralus" ;; - 5) region="southcentralus" ;; - 6) region="westcentralus" ;; - 7) region="westus" ;; - 8) region="westus2" ;; - 9) region="canadaeast" ;; - 10) region="canadacentral" ;; - 11) region="brazilsouth" ;; - 12) region="northeurope" ;; - 13) region="westeurope" ;; - 14) region="francecentral" ;; - 15) region="francesouth" ;; - 16) region="ukwest" ;; - 17) region="uksouth" ;; - 18) region="germanycentral" ;; - 19) region="germanynortheast" ;; - 20) region="southeastasia" ;; - 21) region="eastasia" ;; - 22) region="australiaeast" ;; - 23) region="australiasoutheast" ;; - 24) region="australiacentral" ;; - 25) region="australiacentral2" ;; - 26) region="centralindia" ;; - 27) region="westindia" ;; - 28) region="southindia" ;; - 29) region="japaneast" ;; - 30) region="japanwest" ;; - 31) region="koreacentral" ;; - 32) region="koreasouth" ;; - esac - - ROLES="azure vpn cloud" - EXTRA_VARS="azure_secret=$azure_secret azure_tenant=$azure_tenant azure_client_id=$azure_client_id azure_subscription_id=$azure_subscription_id azure_server_name=$azure_server_name ssh_public_key=$ssh_public_key region=$region" -} - -digitalocean () { - read -p " -Enter your API token. 
The token must have read and write permissions (https://cloud.digitalocean.com/settings/api/tokens): -$ADDITIONAL_PROMPT -: " -rs do_access_token - - read -p " - -Name the vpn server: -[algo.local]: " -r do_server_name - do_server_name=${do_server_name:-algo.local} - - read -p " - - What region should the server be located in? - 1. Amsterdam (Datacenter 2) - 2. Amsterdam (Datacenter 3) - 3. Frankfurt - 4. London - 5. New York (Datacenter 1) - 6. New York (Datacenter 2) - 7. New York (Datacenter 3) - 8. San Francisco (Datacenter 1) - 9. San Francisco (Datacenter 2) - 10. Singapore - 11. Toronto - 12. Bangalore - -Enter the number of your desired region: -[7]: " -r region - region=${region:-7} - - case "$region" in - 1) do_region="ams2" ;; - 2) do_region="ams3" ;; - 3) do_region="fra1" ;; - 4) do_region="lon1" ;; - 5) do_region="nyc1" ;; - 6) do_region="nyc2" ;; - 7) do_region="nyc3" ;; - 8) do_region="sfo1" ;; - 9) do_region="sfo2" ;; - 10) do_region="sgp1" ;; - 11) do_region="tor1" ;; - 12) do_region="blr1" ;; - esac - -ROLES="digitalocean vpn cloud" -EXTRA_VARS="do_access_token=$do_access_token do_server_name=$do_server_name do_region=$do_region" -} - -ec2 () { - read -p " -Enter your aws_access_key (http://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html) -Note: Make sure to use an IAM user with an acceptable policy attached (see https://github.com/trailofbits/algo/blob/master/docs/deploy-from-ansible.md). -$ADDITIONAL_PROMPT -[AKIA...]: " -rs aws_access_key - - read -p " - -Enter your aws_secret_key (http://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html) -$ADDITIONAL_PROMPT -[ABCD...]: " -rs aws_secret_key - -read -p " - -Name the vpn server: -[algo]: " -r aws_server_name - aws_server_name=${aws_server_name:-algo} - - read -p " - - What region should the server be located in? - 1. us-east-1 US East (N. Virginia) - 2. us-east-2 US East (Ohio) - 3. us-west-1 US West (N. California) - 4. us-west-2 US West (Oregon) - 5. 
ca-central-1 Canada (Central) - 6. eu-central-1 EU (Frankfurt) - 7. eu-west-1 EU (Ireland) - 8. eu-west-2 EU (London) - 9. eu-west-3 EU (Paris) - 10. ap-northeast-1 Asia Pacific (Tokyo) - 11. ap-northeast-2 Asia Pacific (Seoul) - 12. ap-northeast-3 Asia Pacific (Osaka-Local) - 13. ap-southeast-1 Asia Pacific (Singapore) - 14. ap-southeast-2 Asia Pacific (Sydney) - 15. ap-south-1 Asia Pacific (Mumbai) - 16. sa-east-1 South America (São Paulo) - -Enter the number of your desired region: -[1]: " -r aws_region - aws_region=${aws_region:-1} - - case "$aws_region" in - 1) region="us-east-1" ;; - 2) region="us-east-2" ;; - 3) region="us-west-1" ;; - 4) region="us-west-2" ;; - 5) region="ca-central-1" ;; - 6) region="eu-central-1" ;; - 7) region="eu-west-1" ;; - 8) region="eu-west-2" ;; - 9) region="eu-west-3" ;; - 10) region="ap-northeast-1" ;; - 11) region="ap-northeast-2" ;; - 12) region="ap-northeast-3";; - 13) region="ap-southeast-1" ;; - 14) region="ap-southeast-2" ;; - 15) region="ap-south-1" ;; - 16) region="sa-east-1" ;; - esac - - ROLES="ec2 vpn cloud" - EXTRA_VARS="aws_access_key=$aws_access_key aws_secret_key=$aws_secret_key aws_server_name=$aws_server_name region=$region" -} - -lightsail () { -read -p " -Enter your aws_access_key (http://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html) -Note: Make sure to use an IAM user with an acceptable policy attached (see https://github.com/trailofbits/algo/blob/master/docs/deploy-from-ansible.md). -$ADDITIONAL_PROMPT -[AKIA...]: " -rs aws_access_key - -read -p " - -Enter your aws_secret_key (http://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html) -$ADDITIONAL_PROMPT -[ABCD...]: " -rs aws_secret_key - -read -p " - -Name the vpn server: -[algo.local]: " -r algo_server_name - algo_server_name=${algo_server_name:-algo.local} - - read -p " - - What region should the server be located in? - 1. us-east-1 US East (N. Virginia) - 2. us-east-2 US East (Ohio) - 3. us-west-1 US West (N. 
California) - 4. us-west-2 US West (Oregon) - 5. ap-south-1 Asia Pacific (Mumbai) - 6. ap-northeast-2 Asia Pacific (Seoul) - 7. ap-southeast-1 Asia Pacific (Singapore) - 8. ap-southeast-2 Asia Pacific (Sydney) - 9. ap-northeast-1 Asia Pacific (Tokyo) - 10. eu-central-1 EU (Frankfurt) - 11. eu-west-1 EU (Ireland) - 12. eu-west-2 EU (London) - -Enter the number of your desired region: -[1]: " -r algo_region -algo_region=${algo_region:-1} - - case "$algo_region" in - 1) region="us-east-1" ;; - 2) region="us-east-2" ;; - 3) region="us-west-1" ;; - 4) region="us-west-2" ;; - 5) region="ap-south-1" ;; - 6) region="ap-northeast-2" ;; - 7) region="ap-southeast-1" ;; - 8) region="ap-southeast-2" ;; - 9) region="ap-northeast-1" ;; - 10) region="eu-central-1" ;; - 11) region="eu-west-1" ;; - 12) region="eu-west-2";; - esac - - ROLES="lightsail vpn cloud" - EXTRA_VARS="aws_access_key=$aws_access_key aws_secret_key=$aws_secret_key algo_server_name=$algo_server_name region=$region" -} - -scaleway () { -read -p " -Enter your auth token (https://www.scaleway.com/docs/generate-an-api-token/) -$ADDITIONAL_PROMPT -[...]: " -rs scaleway_auth_token - -read -p " - -Enter your organization name (https://cloud.scaleway.com/#/billing) -$ADDITIONAL_PROMPT -[...]: " -rs scaleway_organization - -read -p " - -Name the vpn server: -[algo.local]: " -r algo_server_name - algo_server_name=${algo_server_name:-algo.local} - - read -p " - - What region should the server be located in? - 1. par1 Paris - 2. 
ams1 Amsterdam -Enter the number of your desired region: -[1]: " -r algo_region -algo_region=${algo_region:-1} - - case "$algo_region" in - 1) region="par1" ;; - 2) region="ams1" ;; - esac - - ROLES="scaleway vpn cloud" - EXTRA_VARS="scaleway_auth_token=$scaleway_auth_token scaleway_organization=\"$scaleway_organization\" algo_server_name=$algo_server_name algo_region=$region" -} - -openstack () { -read -p " -Enter the local path to your credentials OpenStack RC file (Can be downloaded from the OpenStack dashboard->Compute->API Access) -[...]: " -r os_rc - -read -p " - -Name the vpn server: -[algo.local]: " -r algo_server_name - algo_server_name=${algo_server_name:-algo.local} - - ROLES="openstack vpn cloud" - EXTRA_VARS="algo_server_name=$algo_server_name" - source $os_rc -} - -gce () { - read -p " -Enter the local path to your credentials JSON file (https://support.google.com/cloud/answer/6158849?hl=en&ref_topic=6262490#serviceaccounts): -: " -r credentials_file - - read -p " - -Name the vpn server: -[algo]: " -r server_name - server_name=${server_name:-algo} - - read -p " - - What zone should the server be located in? - 1. Eastern Canada (Montreal A) - 2. Eastern Canada (Montreal B) - 3. Eastern Canada (Montreal C) - 4. Central US (Iowa A) - 5. Central US (Iowa B) - 6. Central US (Iowa C) - 7. Central US (Iowa F) - 8. Western US (Oregon A) - 9. Western US (Oregon B) - 10. Western US (Oregon C) - 11. Eastern US (Northern Virginia A) - 12. Eastern US (Northern Virginia B) - 13. Eastern US (Northern Virginia C) - 14. Eastern US (South Carolina B) - 15. Eastern US (South Carolina C) - 16. Eastern US (South Carolina D) - 17. South America East (São Paulo A) - 18. South America East (São Paulo B) - 19. South America East (São Paulo C) - 20. Northern Europe (Hamina A) - 21. Northern Europe (Hamina B) - 22. Northern Europe (Hamina C) - 23. Western Europe (Belgium B) - 24. Western Europe (Belgium C) - 25. Western Europe (Belgium D) - 26. Western Europe (London A) - 27. 
Western Europe (London B) - 28. Western Europe (London C) - 29. Western Europe (Frankfurt A) - 30. Western Europe (Frankfurt B) - 31. Western Europe (Frankfurt C) - 32. Western Europe (Netherlands A) - 33. Western Europe (Netherlands B) - 34. Western Europe (Netherlands C) - 35. South Asia (Mumbai A) - 36. South Asia (Mumbai B) - 37. South Asia (Mumbai C) - 38. Southeast Asia (Singapore A) - 39. Southeast Asia (Singapore B) - 40. Southeast Asia (Singapore C) - 41. East Asia (Taiwan A) - 42. East Asia (Taiwan B) - 43. East Asia (Taiwan C) - 44. Northeast Asia (Tokyo A) - 45. Northeast Asia (Tokyo B) - 46. Northeast Asia (Tokyo C) - 47. Australia (Sydney A) - 48. Australia (Sydney B) - 49. Australia (Sydney C) - -Please choose the number of your zone. Press enter for default (#20) zone. -[20]: " -r region - region=${region:-20} - - case "$region" in - 1) zone="northamerica-northeast1-a" ;; - 2) zone="northamerica-northeast1-b" ;; - 3) zone="northamerica-northeast1-c" ;; - 4) zone="us-central1-a" ;; - 5) zone="us-central1-b" ;; - 6) zone="us-central1-c" ;; - 7) zone="us-central1-f" ;; - 8) zone="us-west1-a" ;; - 9) zone="us-west1-b" ;; - 10) zone="us-west1-c" ;; - 11) zone="us-east4-a" ;; - 12) zone="us-east4-b" ;; - 13) zone="us-east4-c" ;; - 14) zone="us-east1-b" ;; - 15) zone="us-east1-c" ;; - 16) zone="us-east1-d" ;; - 17) zone="southamerica-east1-a" ;; - 18) zone="southamerica-east1-b" ;; - 19) zone="southamerica-east1-c" ;; - 20) zone="europe-north1-a" ;; - 21) zone="europe-north1-b" ;; - 22) zone="europe-north1-c" ;; - 23) zone="europe-west1-b" ;; - 24) zone="europe-west1-c" ;; - 25) zone="europe-west1-d" ;; - 26) zone="europe-west2-a" ;; - 27) zone="europe-west2-b" ;; - 28) zone="europe-west2-c" ;; - 29) zone="europe-west3-a" ;; - 30) zone="europe-west3-b" ;; - 31) zone="europe-west3-c" ;; - 32) zone="europe-west4-a" ;; - 33) zone="europe-west4-b" ;; - 34) zone="europe-west4-c" ;; - 35) zone="asia-south1-a" ;; - 36) zone="asia-south1-b" ;; - 37) 
zone="asia-south1-c" ;; - 38) zone="asia-southeast1-a" ;; - 39) zone="asia-southeast1-b" ;; - 40) zone="asia-southeast1-c" ;; - 41) zone="asia-east1-a" ;; - 42) zone="asia-east1-b" ;; - 43) zone="asia-east1-c" ;; - 44) zone="asia-northeast1-a" ;; - 45) zone="asia-northeast1-b" ;; - 46) zone="asia-northeast1-c" ;; - 47) zone="australia-southeast1-a" ;; - 48) zone="australia-southeast1-b" ;; - 49) zone="australia-southeast1-c" ;; - esac - - ROLES="gce vpn cloud" - EXTRA_VARS="credentials_file=$credentials_file gce_server_name=$server_name ssh_public_key=$ssh_public_key zone=$zone max_mss=1316" -} - -non_cloud () { - read -p " -Enter the IP address of your server: (or use localhost for local installation) -[localhost]: " -r server_ip - server_ip=${server_ip:-localhost} - - read -p " - -What user should we use to login on the server? (note: passwordless login required, or ignore if you're deploying to localhost) -[root]: " -r server_user - server_user=${server_user:-root} - -if [ "x${server_ip}" = "xlocalhost" ]; then - myip="" -else - myip=${server_ip} -fi - - read -p " - -Enter the public IP address of your server: (IMPORTANT! This IP is used to verify the certificate) -[$myip]: " -r IP_subject - IP_subject=${IP_subject:-$myip} - -if [ "x${IP_subject}" = "x" ]; then - echo "no server IP given. exiting." - exit 1 -fi - - ROLES="local vpn" - EXTRA_VARS="server_ip=$server_ip server_user=$server_user IP_subject_alt_name=$IP_subject" - SKIP_TAGS+=" cloud update-alternatives" - - read -p " - -Was this server deployed by Algo previously? -[y/N]: " -r Deployed_By_Algo -Deployed_By_Algo=${Deployed_By_Algo:-n} -if [[ "$Deployed_By_Algo" =~ ^(y|Y)$ ]]; then EXTRA_VARS+=" Deployed_By_Algo=Y"; fi - -} - -algo_provisioning () { - echo -n " - What provider would you like to use? - 1. DigitalOcean - 2. Amazon EC2 - 3. Microsoft Azure - 4. Google Compute Engine - 5. Scaleway - 6. OpenStack (DreamCompute optimised) - 7. 
Install to existing Ubuntu 16.04 server (Advanced) - -Enter the number of your desired provider -: " - - read -r N - - case "$N" in - 1) digitalocean; ;; - 2) ec2; ;; - 3) azure; ;; - 4) gce; ;; - 5) scaleway; ;; - 6) openstack; ;; - 7) non_cloud; ;; - *) exit 1 ;; - esac - - additional_roles - deploy -} - -user_management () { - - read -p " -Enter the IP address of your server: (or use localhost for local installation) -: " -r server_ip - - read -p " -What user should we use to login on the server? (note: passwordless login required, or ignore if you're deploying to localhost) -[root]: " -r server_user - server_user=${server_user:-root} - -read -p " -Do you want each user to have their own account for SSH tunneling? -[y/N]: " -r ssh_tunneling_enabled -ssh_tunneling_enabled=${ssh_tunneling_enabled:-n} - -if [ "x${server_ip}" = "xlocalhost" ]; then - myip="" -else - myip=${server_ip} -fi - -read -p " - -Enter the public IP address of your server: (IMPORTANT! This IP is used to verify the certificate) -[$myip]: " -r IP_subject -IP_subject=${IP_subject:-$myip} - -if [ "x${IP_subject}" = "x" ]; then -echo "no server IP given. exiting." -exit 1 -fi - - read -p " -Enter the password for the private CA key: -$ADDITIONAL_PROMPT -: " -rs easyrsa_CA_password - -ansible-playbook users.yml -e "server_ip=$server_ip server_user=$server_user ssh_tunneling_enabled=$ssh_tunneling_enabled IP_subject_alt_name=$IP_subject easyrsa_CA_password=$easyrsa_CA_password" -t update-users --skip-tags common -} - case "$1" in - update-users) user_management ;; - *) algo_provisioning ;; + update-users) PLAYBOOK=users.yml; ARGS="${@:2} -t update-users";; + *) PLAYBOOK=main.yml; ARGS=${@} ;; esac + +ansible-playbook ${PLAYBOOK} ${ARGS} diff --git a/ansible.cfg b/ansible.cfg index c4d18d19..aef40841 100644 --- a/ansible.cfg +++ b/ansible.cfg 
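Review bot: The new dispatcher at the end of `algo` flattens the caller's arguments into a string and then expands it unquoted, so an argument that contains spaces or glob characters (an `-e` value with a space in it, for instance) is split or expanded again before ansible-playbook receives it. `${@:2}` is already a bash-only expansion, so an array keeps every argument intact: `update-users) PLAYBOOK=users.yml; ARGS=("${@:2}" -t update-users) ;;`, `*) PLAYBOOK=main.yml; ARGS=("$@") ;;` and `ansible-playbook "${PLAYBOOK}" "${ARGS[@]}"`. The script's opening lines are outside this hunk, so confirm the shebang selects bash.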
@@ -4,6 +4,7 @@ pipelining = True retry_files_enabled = False host_key_checking = False timeout = 60 +stdout_callback = full_skip [paramiko_connection] record_host_keys = False diff --git a/cloud.yml b/cloud.yml new file mode 100644 index 00000000..3a4e299f --- /dev/null +++ b/cloud.yml @@ -0,0 +1,49 @@ +--- +- name: Provision the server + hosts: localhost + tags: algo + vars_files: + - config.cfg + + pre_tasks: + - block: + - name: Local pre-tasks + import_tasks: playbooks/cloud-pre.yml + tags: always + rescue: + - debug: var=fail_hint + tags: always + - fail: + tags: always + + roles: + - role: cloud-digitalocean + when: algo_provider == "digitalocean" + - role: cloud-ec2 + when: algo_provider == "ec2" + - role: cloud-vultr + when: algo_provider == "vultr" + - role: cloud-gce + when: algo_provider == "gce" + - role: cloud-azure + when: algo_provider == "azure" + - role: cloud-lightsail + when: algo_provider == "lightsail" + - role: cloud-scaleway + when: algo_provider == "scaleway" + - role: cloud-openstack + when: algo_provider == "openstack" + - role: local + when: algo_provider == "local" + + post_tasks: + - block: + - name: Local post-tasks + import_tasks: playbooks/cloud-post.yml + become: false + tags: cloud + rescue: + - debug: var=fail_hint + tags: always + - fail: + tags: always diff --git a/config.cfg b/config.cfg index a8fa915a..b5bbb9ca 100644 --- a/config.cfg +++ b/config.cfg @@ -10,8 +10,8 @@ users: ### Advanced users only below this line ### -# If True re-init all existing certificates. (True or False) -easyrsa_reinit_existent: False +# If True re-init all existing certificates. Boolean +keys_clean_all: False vpn_network: 10.19.48.0/24 vpn_network_ipv6: 'fd9d:bc11:4020::/48' 
@@ -28,9 +28,6 @@ wireguard_port: 51820 # - https://serverfault.com/questions/601143/ssh-not-working-over-ipsec-tunnel-strongswan #max_mss: 1316 -server_name: "{{ ansible_ssh_host }}" -IP_subject_alt_name: "{{ ansible_ssh_host }}" - # StrongSwan log level # https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration strongswan_log_level: 2 @@ -64,7 +61,7 @@ VPN_PayloadIdentifier: "{{ 800000 | random | to_uuid | upper }}" CA_PayloadIdentifier: "{{ 700000 | random | to_uuid | upper }}" # Block traffic between connected clients -BetweenClients_DROP: Y +BetweenClients_DROP: true congrats: common: | @@ -75,9 +72,9 @@ congrats: "# and ensure that all your traffic passes through the VPN. #" "# Local DNS resolver {{ local_service_ip }} #" p12_pass: | - "# The p12 and SSH keys password for new users is {{ easyrsa_p12_export_password }} #" + "# The p12 and SSH keys password for new users is {{ p12_export_password }} #" ca_key_pass: | - "# The CA key password is {{ easyrsa_CA_password }} #" + "# The CA key password is {{ CA_password }} #" ssh_access: | "# Shell access: ssh -i {{ ansible_ssh_private_key_file|default(omit) }} {{ ansible_ssh_user|default(omit) }}@{{ ansible_ssh_host|default(omit) }} #" @@ -98,6 +95,7 @@ cloud_providers: size: s-1vcpu-1gb image: "ubuntu-18-04-x64" ec2: + encrypted: false size: t2.micro image: name: "ubuntu-bionic-18.04" @@ -115,9 +113,16 @@ cloud_providers: openstack: flavor_ram: ">=512" image: Ubuntu-18.04 + vultr: + os: Ubuntu 18.04 x64 + size: 1024 MB RAM,25 GB SSD,1.00 TB BW local: fail_hint: - Sorry, but something went wrong! - Please check the troubleshooting guide. - https://trailofbits.github.io/algo/troubleshooting.html + +booleans_map: + Y: true + y: true diff --git a/deploy.yml b/deploy.yml deleted file mode 100644 index 532820c7..00000000 --- a/deploy.yml +++ /dev/null 
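Review bot: The `encrypted: false` line added under `cloud_providers.ec2` in the `@@ -98,6 +95,7 @@` hunk makes an unencrypted EBS boot volume the default, and the docs/deploy-from-ansible.md hunk in this commit changes the same option from "enabled by default" to "Default: false". If the flip is deliberate, a comment on the line should say why. Otherwise keep encryption at rest on with `encrypted: true`, since the instance disk presumably holds the VPN server's keys and user configuration. The role that reads this value is not visible in this hunk, so confirm that nothing else overrides it.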
@@ -1,98 +0,0 @@ -- name: Configure the server - hosts: localhost - tags: algo - vars_files: - - config.cfg - - pre_tasks: - - block: - - name: Local pre-tasks - include_tasks: playbooks/local.yml - tags: [ 'always' ] - - - name: Local pre-tasks - include_tasks: playbooks/local_ssh.yml - become: false - when: Deployed_By_Algo is defined and Deployed_By_Algo == "Y" - tags: [ 'local' ] - rescue: - - debug: var=fail_hint - tags: always - - fail: - tags: always - - roles: - - { role: cloud-digitalocean, tags: ['digitalocean'] } - - { role: cloud-ec2, tags: ['ec2'] } - - { role: cloud-gce, tags: ['gce'] } - - { role: cloud-azure, tags: ['azure'] } - - { role: cloud-scaleway, tags: ['scaleway'] } - - { role: cloud-openstack, tags: ['openstack'] } - - { role: local, tags: ['local'] } - - post_tasks: - - block: - - name: Local post-tasks - include_tasks: playbooks/post.yml - become: false - tags: [ 'cloud' ] - rescue: - - debug: var=fail_hint - tags: always - - fail: - tags: always - -- name: Configure the server and install required software - hosts: vpn-host - gather_facts: false - tags: algo - become: true - vars_files: - - config.cfg - - pre_tasks: - - block: - - name: Common pre-tasks - include_tasks: playbooks/common.yml - tags: [ 'digitalocean', 'ec2', 'gce', 'azure', 'lightsail', 'scaleway', 'openstack', 'local', 'pre' ] - rescue: - - debug: var=fail_hint - tags: always - - fail: - tags: always - - roles: - - { role: dns_adblocking, tags: [ 'dns', 'adblock' ] } - - { role: ssh_tunneling, tags: [ 'ssh_tunneling' ] } - - { role: wireguard, tags: [ 'vpn', 'wireguard' ], when: wireguard_enabled } - - { role: vpn, tags: [ 'vpn' ] } - - post_tasks: - - block: - - debug: - msg: - - "{{ congrats.common.split('\n') }}" - - " {{ congrats.p12_pass }}" - - " {% if Store_CAKEY is defined and Store_CAKEY == 'N' %}{% else %}{{ congrats.ca_key_pass }}{% endif %}" - - " {% if cloud_deployment is defined %}{{ congrats.ssh_access }}{% endif %}" - tags: always - - - name: Save the CA 
key password - local_action: > - shell echo "{{ easyrsa_CA_password }}" > /tmp/ca_password - become: no - tags: tests - - - name: Delete the CA key - local_action: - module: file - path: "configs/{{ IP_subject_alt_name }}/pki/private/cakey.pem" - state: absent - become: no - tags: always - when: Store_CAKEY is defined and Store_CAKEY == "N" - rescue: - - debug: var=fail_hint - tags: always - - fail: - tags: always diff --git a/docs/cloud-do.md b/docs/cloud-do.md index b8f84681..675754a9 100644 --- a/docs/cloud-do.md +++ b/docs/cloud-do.md @@ -78,10 +78,10 @@ You will then be asked the remainder of the setup questions. ## Using DigitalOcean with Algo (via Ansible) -If you are using Ansible to deploy to DigitalOcean, you will need to pass the API Token to Ansible as `do_access_token`. +If you are using Ansible to deploy to DigitalOcean, you will need to pass the API Token to Ansible as `do_token`. For example, - ansible-playbook deploy.yml -t digitalocean,vpn,cloud -e 'do_access_token=my_secret_token do_server_name=algo.local do_region=ams2 + ansible-playbook deploy.yml -e 'provider=digitalocean do_token=my_secret_token' -Where "my_secret_token" is your API Token. +Where "my_secret_token" is your API Token. For more references see [deploy-from-ansible](deploy-from-ansible.md) diff --git a/docs/cloud-vultr.md b/docs/cloud-vultr.md new file mode 100644 index 00000000..3448e773 --- /dev/null +++ b/docs/cloud-vultr.md @@ -0,0 +1,8 @@ +### Configuration file + +You need to create a configuration file in INI format with your api key (https://my.vultr.com/settings/#settingsapi) + +``` +[default] +key = +``` diff --git a/docs/deploy-from-ansible.md b/docs/deploy-from-ansible.md index f7bcf6da..f3566c7f 100644 --- a/docs/deploy-from-ansible.md +++ b/docs/deploy-from-ansible.md 
@@ -11,74 +11,81 @@ You can deploy Algo non-interactively by running the Ansible playbooks directly Here is a full example for DigitalOcean: ```shell -ansible-playbook deploy.yml -t digitalocean,vpn,cloud -e 'do_access_token=my_secret_token do_server_name=algo.local do_region=ams2' +ansible-playbook main.yml -e "provider=digitalocean + server_name=algo + ondemand_cellular=false + ondemand_wifi=false + local_dns=true + ssh_tunneling=true + windows=false + store_cakey=true + region=ams3 + do_token=token" ``` +See below for more information about providers and extra variables + +### Variables + +- `provider` - (Required) The provider to use. See possible values below +- `server_name` - (Required) Server name. Default: algo +- `ondemand_cellular` (Optional) VPN On Demand when connected to cellular networks. Default: false +- `ondemand_wifi` - (Optional. See `ondemand_wifi_exclude`) VPN On Demand when connected to WiFi networks. Default: false +- `ondemand_wifi_exclude` (Required if `ondemand_wifi` set) - WiFi networks to exclude from using the VPN. Comma-separated values +- `local_dns` - (Optional) Enable a DNS resolver. Default: false +- `ssh_tunneling` - (Optional) Enable SSH tunneling for each user. Default: false +- `windows` - (Optional) Enables compatible ciphers and key exchange to support Windows clietns, less secure. Default: false +- `store_cakey` - (Optional) Whether or not keep the CA key (required to add users in the future, but less secure). 
Default: false + +If any of those unspecified ansible will ask the user to input + ### Ansible roles -Required tags: - -- cloud +Roles can be activated by specifying an extra variable `provider` Cloud roles: -- role: cloud-digitalocean, tags: digitalocean -- role: cloud-ec2, tags: ec2 -- role: cloud-gce, tags: gce +- role: cloud-digitalocean, provider: digitalocean +- role: cloud-ec2, provider: ec2 +- role: cloud-vultr, provider: vultr +- role: cloud-gce, provider: gce +- role: cloud-azure, provider: azure +- role: cloud-scaleway, provider: scaleway +- role: cloud-openstack, provider: openstack Server roles: -- role: vpn, tags: vpn -- role: dns_adblocking, tags: dns, adblock -- role: security, tags: security -- role: ssh_tunneling, tags: ssh_tunneling +- role: vpn +- role: dns_adblocking +- role: dns_encryption +- role: ssh_tunneling +- role: wireguard Note: The `vpn` role generates Apple profiles with On-Demand Wifi and Cellular if you pass the following variables: -- OnDemandEnabled_WIFI=Y -- OnDemandEnabled_WIFI_EXCLUDE=HomeNet -- OnDemandEnabled_Cellular=Y +- ondemand_wifi: true +- ondemand_wifi_exclude: HomeNet,OfficeWifi +- ondemand_cellular: true ### Local Installation -Required tags: - -- local +- role: local, provider: local Required variables: -- server_ip -- server_user -- IP_subject_alt_name +- server - IP address of your server +- ca_password - Password for the private CA key -Note that by default, the iptables rules on your existing server will be overwritten. If you don't want to overwrite the iptables rules, you can use the `--skip-tags iptables` flag, for example: - -```shell -ansible-playbook deploy.yml -t local,vpn --skip-tags iptables -e 'server_ip=172.217.2.238 server_user=algo IP_subject_alt_name=172.217.2.238' -``` +Note that by default, the iptables rules on your existing server will be overwritten. If you don't want to overwrite the iptables rules, you can use the `--skip-tags iptables` flag. 
### Digital Ocean Required variables: -- do_access_token -- do_server_name -- do_region +- do_token +- region -Possible options for `do_region`: - -- ams2 -- ams3 -- fra1 -- lon1 -- nyc1 -- nyc2 -- nyc3 -- sfo1 -- sfo2 -- sgp1 -- tor1 -- blr1 +Possible options can be gathered calling to https://api.digitalocean.com/v2/regions ### Amazon EC2 @@ -86,27 +93,13 @@ Required variables: - aws_access_key - aws_secret_key -- aws_server_name - region -Possible options for `region`: +Possible options can be gathered via cli `aws ec2 describe-regions` -- us-east-1 -- us-east-2 -- us-west-1 -- us-west-2 -- ap-south-1 -- ap-northeast-2 -- ap-southeast-1 -- ap-southeast-2 -- ap-northeast-1 -- eu-central-1 -- eu-west-1 -- eu-west-2 +Additional variables: -Additional tags: - -- [encrypted](https://aws.amazon.com/blogs/aws/new-encrypted-ebs-boot-volumes/) (enabled by default) +- [encrypted](https://aws.amazon.com/blogs/aws/new-encrypted-ebs-boot-volumes/) - Encrypted EBS boot volume. Boolean (Default: false) #### Minimum required IAM permissions for deployment: 
@@ -178,46 +171,76 @@ Additional tags: Required variables: -- credentials_file -- gce_server_name -- ssh_public_key -- zone +- gce_credentials_file +- [region](https://cloud.google.com/compute/docs/regions-zones/) -Possible options for `zone`: +### Vultr -- us-west1-a -- us-west1-b -- us-west1-c -- us-central1-a -- us-central1-b -- us-central1-c -- us-central1-f -- us-east4-a -- us-east4-b -- us-east4-c -- us-east1-b -- us-east1-c -- us-east1-d -- europe-north1-a -- europe-north1-b -- europe-north1-c -- europe-west1-b -- europe-west1-c -- europe-west1-d -- europe-west2-a -- europe-west2-b -- europe-west2-c -- europe-west3-a -- europe-west3-b -- europe-west3-c -- asia-southeast1-a -- asia-southeast1-b -- asia-east1-a -- asia-east1-b -- asia-east1-c -- asia-northeast1-a -- asia-northeast1-b -- asia-northeast1-c -- australia-southeast1-a -- australia-southeast1-b -- australia-southeast1-c +Required variables: + +- [vultr_config](https://github.com/trailofbits/algo/docs/cloud-vultr.md) +- [region](https://api.vultr.com/v1/regions/list) + +### Azure + +Required variables: + +- azure_secret +- azure_tenant +- azure_client_id +- azure_subscription_id +- [region](https://azure.microsoft.com/en-us/global-infrastructure/regions/) + +### Lightsail + +Required variables: + +- aws_access_key +- aws_secret_key +- region + +Possible options can be gathered via cli `aws lightsail get-regions` + +### Scaleway + +Required variables: + +- [scaleway_token](https://www.scaleway.com/docs/generate-an-api-token/) +- [scaleway_org](https://cloud.scaleway.com/#/billing) +- region + +Possible regions: + +- ams1 +- par1 + +### OpenStack + +You need to source the rc file prior to run Algo. 
Download it from the OpenStack dashboard->Compute->API Access and source it in the shell (eg: source /tmp/dhc-openrc.sh) + + +### Local + +Required variables: + +- server - IP or hostname to access the server via SSH +- endpoint - Public IP address of your server +- ssh_user + + +### Update users + +Playbook: + +``` +users.yml +``` + +Required variables: + +- server - IP or hostname to access the server via SSH +- ca_password - Password to access the CA key + +Tags required: + +- update-users diff --git a/docs/deploy-to-freebsd.md b/docs/deploy-to-freebsd.md index 71440cc5..a0c04d4c 100644 --- a/docs/deploy-to-freebsd.md +++ b/docs/deploy-to-freebsd.md @@ -26,5 +26,7 @@ device crypto ## Installation ```shell -ansible-playbook deploy.yml -t local,vpn -e "server_ip=$server_ip server_user=$server_user IP_subject_alt_name=$server_ip Store_CAKEY=N" --skip-tags cloud +ansible-playbook main.yml -e "provider=local" ``` + +And follow the instructions diff --git a/docs/index.md b/docs/index.md index 47705b7a..84f07185 100644 --- a/docs/index.md +++ b/docs/index.md @@ -12,6 +12,7 @@ * Cloud setup - Configure [Azure](cloud-azure.md) - Configure [DigitalOcean](cloud-do.md) + - Configure [Vultr](cloud-vultr.md) * Advanced Deployment - Deploy to your own [FreeBSD](deploy-to-freebsd.md) server - Deploy to your own [Ubuntu 18.04](deploy-to-ubuntu.md) server diff --git a/input.yml b/input.yml new file mode 100644 index 00000000..aeb53192 --- /dev/null +++ b/input.yml 
@@ -0,0 +1,137 @@ +--- +- name: Ask user for the input + hosts: localhost + tags: algo + vars: + defaults: + server_name: algo + ondemand_cellular: false + ondemand_wifi: false + local_dns: false + ssh_tunneling: false + windows: false + store_cakey: false + providers_map: + - { name: DigitalOcean, alias: digitalocean } + - { name: Amazon EC2, alias: ec2 } + - { name: Vultr, alias: vultr } + - { name: Microsoft Azure, alias: azure } + - { name: Google Compute Engine, alias: gce } + - { name: Scaleway, alias: scaleway} + - { name: OpenStack (DreamCompute optimised), alias: openstack } + - { name: Install to existing Ubuntu 18.04 server (Advanced), alias: local } + vars_files: + - config.cfg + + tasks: + - pause: + prompt: | + What provider would you like to use? + {% for p in providers_map %} + {{ loop.index }}. {{ p['name']}} + {% endfor %} + + Enter the number of your desired provider + register: _algo_provider + when: provider is undefined + + - name: Set facts based on the input + set_fact: + algo_provider: "{{ provider | default(providers_map[_algo_provider.user_input|default(omit)|int - 1]['alias']) }}" + + - pause: + prompt: | + Name the vpn server + [algo] + register: _algo_server_name + when: + - server_name is undefined + - algo_provider != "local" + + - pause: + prompt: | + Do you want macOS/iOS clients to enable "VPN On Demand" when connected to cellular networks? + [y/N] + register: _ondemand_cellular + when: ondemand_cellular is undefined + + - pause: + prompt: | + Do you want macOS/iOS clients to enable "VPN On Demand" when connected to Wi-Fi? + [y/N] + register: _ondemand_wifi + when: ondemand_wifi is undefined + + - pause: + prompt: | + List the names of trusted Wi-Fi networks (if any) that macOS/iOS clients exclude from using the VPN + (e.g., your home network. 
Comma-separated value, e.g., HomeNet,OfficeWifi,AlgoWiFi) + register: _ondemand_wifi_exclude + when: + - ondemand_wifi_exclude is undefined + - (ondemand_wifi|default(false)|bool) or + (booleans_map[_ondemand_wifi.user_input|default(omit)]|default(false)) + + - pause: + prompt: | + Do you want to install a DNS resolver on this VPN server, to block ads while surfing? + [y/N] + register: _local_dns + when: local_dns is undefined + + - pause: + prompt: | + Do you want each user to have their own account for SSH tunneling? + [y/N] + register: _ssh_tunneling + when: ssh_tunneling is undefined + + - pause: + prompt: | + Do you want the VPN to support Windows 10 or Linux Desktop clients? (enables compatible ciphers and key exchange, less secure) + [y/N] + register: _windows + when: windows is undefined + + - pause: + prompt: | + Do you want to retain the CA key? (required to add users in the future, but less secure) + [y/N] + register: _store_cakey + when: store_cakey is undefined + + - name: Set facts based on the input + set_fact: + algo_server_name: >- + {% if server_name is defined %}{% set _server = server_name %} + {%- elif _algo_server_name.user_input is defined and _algo_server_name.user_input != "" %}{% set _server = _algo_server_name.user_input %} + {%- else %}{% set _server = defaults['server_name'] %}{% endif -%} + {{ _server | regex_replace('(?!\.)(\W|_)', '-') }} + algo_ondemand_cellular: >- + {% if ondemand_cellular is defined %}{{ ondemand_cellular | bool }} + {%- elif _ondemand_cellular.user_input is defined and _ondemand_cellular.user_input != "" %}{{ booleans_map[_ondemand_cellular.user_input] | default(defaults['ondemand_cellular']) }} + {%- else %}false{% endif %} + algo_ondemand_wifi: >- + {% if ondemand_wifi is defined %}{{ ondemand_wifi | bool }} + {%- elif _ondemand_wifi.user_input is defined and _ondemand_wifi.user_input != "" %}{{ booleans_map[_ondemand_wifi.user_input] | default(defaults['ondemand_wifi']) }} + {%- else %}false{% endif %} + 
algo_ondemand_wifi_exclude: >- + {% if ondemand_wifi_exclude is defined %}{{ ondemand_wifi_exclude }} + {%- elif _ondemand_wifi_exclude.user_input is defined and _ondemand_wifi_exclude.user_input != "" %}{{ _ondemand_wifi_exclude.user_input }} + {%- else %}_null{% endif %} + algo_local_dns: >- + {% if local_dns is defined %}{{ local_dns | bool }} + {%- elif _local_dns.user_input is defined and _local_dns.user_input != "" %}{{ booleans_map[_local_dns.user_input] | default(defaults['local_dns']) }} + {%- else %}false{% endif %} + algo_ssh_tunneling: >- + {% if ssh_tunneling is defined %}{{ ssh_tunneling | bool }} + {%- elif _ssh_tunneling.user_input is defined and _ssh_tunneling.user_input != "" %}{{ booleans_map[_ssh_tunneling.user_input] | default(defaults['ssh_tunneling']) }} + {%- else %}false{% endif %} + algo_windows: >- + {% if windows is defined %}{{ windows | bool }} + {%- elif _windows.user_input is defined and _windows.user_input != "" %}{{ booleans_map[_windows.user_input] | default(defaults['windows']) }} + {%- else %}false{% endif %} + algo_store_cakey: >- + {% if store_cakey is defined %}{{ store_cakey | bool }} + {%- elif _store_cakey.user_input is defined and _store_cakey.user_input != "" %}{{ booleans_map[_store_cakey.user_input] | default(defaults['store_cakey']) }} + {%- else %}false{% endif %} diff --git a/library/digital_ocean_tag.py b/library/digital_ocean_tag.py deleted file mode 100644 index 30a31852..00000000 --- a/library/digital_ocean_tag.py +++ /dev/null 
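Review bot: In the first `set_fact` task, `providers_map[_algo_provider.user_input|default(omit)|int - 1]['alias']` accepts any answer at the provider prompt without validating it. An empty or non-numeric reply becomes `0 - 1`, and index -1 selects the last entry, `local`, so a typo silently picks the install-to-existing-server path that the removed `algo` script rejected with `*) exit 1`. A number above the list length fails with an index error rather than a readable message. A guard task ahead of the `set_fact` would close this, for example `- fail: msg="Invalid provider number"` with `when: provider is undefined and (_algo_provider.user_input|int < 1 or _algo_provider.user_input|int > providers_map|length)`.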
@@ -1,217 +0,0 @@ -#!/usr/bin/python -# -*- coding: utf-8 -*- - -# Copyright: Ansible Project -# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) - -from __future__ import absolute_import, division, print_function -__metaclass__ = type - - -ANSIBLE_METADATA = {'metadata_version': '1.1', - 'status': ['preview'], - 'supported_by': 'community'} - - -DOCUMENTATION = ''' ---- -module: digital_ocean_tag -short_description: Create and remove tag(s) to DigitalOcean resource. -description: - - Create and remove tag(s) to DigitalOcean resource. -author: "Victor Volle (@kontrafiktion)" -version_added: "2.2" -options: - name: - description: - - The name of the tag. The supported characters for names include - alphanumeric characters, dashes, and underscores. - required: true - resource_id: - description: - - The ID of the resource to operate on. - - The data type of resource_id is changed from integer to string, from version 2.5. - aliases: ['droplet_id'] - resource_type: - description: - - The type of resource to operate on. Currently, only tagging of - droplets is supported. - default: droplet - choices: ['droplet'] - state: - description: - - Whether the tag should be present or absent on the resource. - default: present - choices: ['present', 'absent'] - api_token: - description: - - DigitalOcean api token. - -notes: - - Two environment variables can be used, DO_API_KEY and DO_API_TOKEN. - They both refer to the v2 token. - - As of Ansible 2.0, Version 2 of the DigitalOcean API is used. 
- -requirements: - - "python >= 2.6" -''' - - -EXAMPLES = ''' -- name: create a tag - digital_ocean_tag: - name: production - state: present - -- name: tag a resource; creating the tag if it does not exists - digital_ocean_tag: - name: "{{ item }}" - resource_id: "73333005" - state: present - with_items: - - staging - - dbserver - -- name: untag a resource - digital_ocean_tag: - name: staging - resource_id: "73333005" - state: absent - -# Deleting a tag also untags all the resources that have previously been -# tagged with it -- name: remove a tag - digital_ocean_tag: - name: dbserver - state: absent -''' - - -RETURN = ''' -data: - description: a DigitalOcean Tag resource - returned: success and no resource constraint - type: dict - sample: { - "tag": { - "name": "awesome", - "resources": { - "droplets": { - "count": 0, - "last_tagged": null - } - } - } - } -''' - -from traceback import format_exc -from ansible.module_utils.basic import AnsibleModule -from ansible.module_utils.digital_ocean import DigitalOceanHelper -from ansible.module_utils._text import to_native - - -def core(module): - state = module.params['state'] - name = module.params['name'] - resource_id = module.params['resource_id'] - resource_type = module.params['resource_type'] - - rest = DigitalOceanHelper(module) - - # Check if api_token is valid or not - response = rest.get('account') - if response.status_code == 401: - module.fail_json(msg='Failed to login using api_token, please verify ' - 'validity of api_token') - if state == 'present': - response = rest.get('tags/{0}'.format(name)) - status_code = response.status_code - resp_json = response.json - changed = False - if status_code == 200 and resp_json['tag']['name'] == name: - changed = False - else: - # Ensure Tag exists - response = rest.post("tags", data={'name': name}) - status_code = response.status_code - resp_json = response.json - if status_code == 201: - changed = True - elif status_code == 422: - changed = False - else: - 
module.exit_json(changed=False, data=resp_json) - - if resource_id is None: - # No resource defined, we're done. - module.exit_json(changed=changed, data=resp_json) - else: - # Check if resource is already tagged or not - found = False - url = "{0}?tag_name={1}".format(resource_type, name) - if resource_type == 'droplet': - url = "droplets?tag_name={0}".format(name) - response = rest.get(url) - status_code = response.status_code - resp_json = response.json - if status_code == 200: - for resource in resp_json['droplets']: - if not found and resource['id'] == int(resource_id): - found = True - break - if not found: - # If resource is not tagged, tag a resource - url = "tags/{0}/resources".format(name) - payload = { - 'resources': [{ - 'resource_id': resource_id, - 'resource_type': resource_type}]} - response = rest.post(url, data=payload) - if response.status_code == 204: - module.exit_json(changed=True) - else: - module.fail_json(msg="error tagging resource '{0}': {1}".format(resource_id, response.json["message"])) - else: - # Already tagged resource - module.exit_json(changed=False) - else: - # Unable to find resource specified by user - module.fail_json(msg=resp_json['message']) - - elif state == 'absent': - if resource_id: - url = "tags/{0}/resources".format(name) - payload = { - 'resources': [{ - 'resource_id': resource_id, - 'resource_type': resource_type}]} - response = rest.delete(url, data=payload) - else: - url = "tags/{0}".format(name) - response = rest.delete(url) - if response.status_code == 204: - module.exit_json(changed=True) - else: - module.exit_json(changed=False, data=response.json) - - -def main(): - module = AnsibleModule( - argument_spec=dict( - name=dict(type='str', required=True), - resource_id=dict(aliases=['droplet_id'], type='str'), - resource_type=dict(choices=['droplet'], default='droplet'), - state=dict(choices=['present', 'absent'], default='present'), - api_token=dict(aliases=['API_TOKEN'], no_log=True), - ) - ) - - try: - 
core(module) - except Exception as e: - module.fail_json(msg=to_native(e), exception=format_exc()) - - -if __name__ == '__main__': - main() diff --git a/library/ec2_ami_copy.py b/library/ec2_ami_copy.py deleted file mode 100644 index 629a48c6..00000000 --- a/library/ec2_ami_copy.py +++ /dev/null 
@@ -1,216 +0,0 @@ -#!/usr/bin/python -# -*- coding: utf-8 -*- -# This file is part of Ansible -# -# Ansible is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# Ansible is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with Ansible. If not, see . - -ANSIBLE_METADATA = {'status': ['preview'], - 'supported_by': 'community', - 'version': '1.1'} - -DOCUMENTATION = ''' ---- -module: ec2_ami_copy -short_description: copies AMI between AWS regions, return new image id -description: - - Copies AMI from a source region to a destination region. This module has a dependency on python-boto >= 2.5 -version_added: "2.0" -options: - source_region: - description: - - the source region that AMI should be copied from - required: true - source_image_id: - description: - - the id of the image in source region that should be copied - required: true - name: - description: - - The name of the new image to copy - required: true - default: null - description: - description: - - An optional human-readable string describing the contents and purpose of the new AMI. - required: false - default: null - encrypted: - description: - - Whether or not to encrypt the target image - required: false - default: null - version_added: "2.2" - kms_key_id: - description: - - KMS key id used to encrypt image. If not specified, uses default EBS Customer Master Key (CMK) for your account. - required: false - default: null - version_added: "2.2" - wait: - description: - - wait for the copied AMI to be in state 'available' before returning. 
- required: false - default: false - tags: - description: - - a hash/dictionary of tags to add to the new copied AMI; '{"key":"value"}' and '{"key":"value","key":"value"}' - required: false - default: null - -author: Amir Moulavi , Tim C -extends_documentation_fragment: - - aws - - ec2 -''' - -EXAMPLES = ''' -# Basic AMI Copy -- ec2_ami_copy: - source_region: us-east-1 - region: eu-west-1 - source_image_id: ami-xxxxxxx - -# AMI copy wait until available -- ec2_ami_copy: - source_region: us-east-1 - region: eu-west-1 - source_image_id: ami-xxxxxxx - wait: yes - register: image_id - -# Named AMI copy -- ec2_ami_copy: - source_region: us-east-1 - region: eu-west-1 - source_image_id: ami-xxxxxxx - name: My-Awesome-AMI - description: latest patch - -# Tagged AMI copy -- ec2_ami_copy: - source_region: us-east-1 - region: eu-west-1 - source_image_id: ami-xxxxxxx - tags: - Name: My-Super-AMI - Patch: 1.2.3 - -# Encrypted AMI copy -- ec2_ami_copy: - source_region: us-east-1 - region: eu-west-1 - source_image_id: ami-xxxxxxx - encrypted: yes - -# Encrypted AMI copy with specified key -- ec2_ami_copy: - source_region: us-east-1 - region: eu-west-1 - source_image_id: ami-xxxxxxx - encrypted: yes - kms_key_id: arn:aws:kms:us-east-1:XXXXXXXXXXXX:key/746de6ea-50a4-4bcb-8fbc-e3b29f2d367b -''' - -from ansible.module_utils.basic import AnsibleModule -from ansible.module_utils.ec2 import (boto3_conn, ec2_argument_spec, get_aws_connection_info) - -try: - import boto - import boto.ec2 - HAS_BOTO = True -except ImportError: - HAS_BOTO = False - -try: - import boto3 - from botocore.exceptions import ClientError, NoCredentialsError, NoRegionError - HAS_BOTO3 = True -except ImportError: - HAS_BOTO3 = False - - - -def copy_image(ec2, module): - """ - Copies an AMI - - module : AnsibleModule object - ec2: ec2 connection object - """ - - tags = module.params.get('tags') - - params = {'SourceRegion': module.params.get('source_region'), - 'SourceImageId': module.params.get('source_image_id'), - 
'Name': module.params.get('name'), - 'Description': module.params.get('description'), - 'Encrypted': module.params.get('encrypted'), -# 'KmsKeyId': module.params.get('kms_key_id') - } - if module.params.get('kms_key_id'): - params['KmsKeyId'] = module.params.get('kms_key_id') - - try: - image_id = ec2.copy_image(**params)['ImageId'] - if module.params.get('wait'): - ec2.get_waiter('image_available').wait(ImageIds=[image_id]) - if module.params.get('tags'): - ec2.create_tags( - Resources=[image_id], - Tags=[{'Key' : k, 'Value': v} for k,v in module.params.get('tags').items()] - ) - - module.exit_json(changed=True, image_id=image_id) - except ClientError as ce: - module.fail_json(msg=ce) - except NoCredentialsError: - module.fail_json(msg="Unable to locate AWS credentials") - except Exception as e: - module.fail_json(msg=str(e)) - - -def main(): - argument_spec = ec2_argument_spec() - argument_spec.update(dict( - source_region=dict(required=True), - source_image_id=dict(required=True), - name=dict(required=True), - description=dict(default=''), - encrypted=dict(type='bool', required=False), - kms_key_id=dict(type='str', required=False), - wait=dict(type='bool', default=False, required=False), - tags=dict(type='dict'))) - - module = AnsibleModule(argument_spec=argument_spec) - - if not HAS_BOTO: - module.fail_json(msg='boto required for this module') - # TODO: Check botocore version - region, ec2_url, aws_connect_params = get_aws_connection_info(module, boto3=True) - - if HAS_BOTO3: - - try: - ec2 = boto3_conn(module, conn_type='client', resource='ec2', region=region, endpoint=ec2_url, - **aws_connect_params) - except NoRegionError: - module.fail_json(msg='AWS Region is required') - else: - module.fail_json(msg='boto3 required for this module') - - copy_image(ec2, module) - - -if __name__ == '__main__': - main() diff --git a/library/gce_region_facts.py b/library/gce_region_facts.py new file mode 100644 index 00000000..65acfb63 --- /dev/null 
+++ b/library/gce_region_facts.py 
@@ -0,0 +1,139 @@ +#!/usr/bin/python +# Copyright 2013 Google Inc. +# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +from __future__ import absolute_import, division, print_function +__metaclass__ = type + + +ANSIBLE_METADATA = {'metadata_version': '1.1', + 'status': ['preview'], + 'supported_by': 'community'} + + +DOCUMENTATION = ''' +--- +module: gce_region_facts +version_added: "5.3" +short_description: Gather facts about GCE regions. +description: + - Gather facts about GCE regions. +options: + service_account_email: + version_added: "1.6" + description: + - service account email + required: false + default: null + aliases: [] + pem_file: + version_added: "1.6" + description: + - path to the pem file associated with the service account email + This option is deprecated. Use 'credentials_file'. + required: false + default: null + aliases: [] + credentials_file: + version_added: "2.1.0" + description: + - path to the JSON file associated with the service account email + required: false + default: null + aliases: [] + project_id: + version_added: "1.6" + description: + - your GCE project ID + required: false + default: null + aliases: [] + requirements: + - "python >= 2.6" + - "apache-libcloud >= 0.13.3, >= 0.17.0 if using JSON credentials" +author: "Jack Ivanov (@jackivanov)" +''' + +EXAMPLES = ''' +# Gather facts about all regions +- gce_region_facts: +''' + +RETURN = ''' +regions: + returned: on success + description: > + Each element consists of a dict with all the information related + to that region. 
+ type: list + sample: "[{ + "name": "asia-east1", + "status": "UP", + "zones": [ + { + "name": "asia-east1-a", + "status": "UP" + }, + { + "name": "asia-east1-b", + "status": "UP" + }, + { + "name": "asia-east1-c", + "status": "UP" + } + ] + }]" +''' +try: + from libcloud.compute.types import Provider + from libcloud.compute.providers import get_driver + from libcloud.common.google import GoogleBaseError, QuotaExceededError, ResourceExistsError, ResourceNotFoundError + _ = Provider.GCE + HAS_LIBCLOUD = True +except ImportError: + HAS_LIBCLOUD = False + +from ansible.module_utils.basic import AnsibleModule +from ansible.module_utils.gce import gce_connect, unexpected_error_msg + + +def main(): + module = AnsibleModule( + argument_spec=dict( + service_account_email=dict(), + pem_file=dict(type='path'), + credentials_file=dict(type='path'), + project_id=dict(), + ) + ) + + if not HAS_LIBCLOUD: + module.fail_json(msg='libcloud with GCE support (0.17.0+) required for this module') + + gce = gce_connect(module) + + changed = False + gce_regions = [] + + try: + regions = gce.ex_list_regions() + for r in regions: + gce_region = {} + gce_region['name'] = r.name + gce_region['status'] = r.status + gce_region['zones'] = [] + for z in r.zones: + gce_zone = {} + gce_zone['name'] = z.name + gce_zone['status'] = z.status + gce_region['zones'].append(gce_zone) + gce_regions.append(gce_region) + json_output = { 'regions': gce_regions } + module.exit_json(changed=False, results=json_output) + except ResourceNotFoundError: + pass + + +if __name__ == '__main__': + main() diff --git a/library/lightsail_region_facts.py b/library/lightsail_region_facts.py new file mode 100644 index 00000000..8da4c00c --- /dev/null +++ b/library/lightsail_region_facts.py 
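Review bot: The `except ResourceNotFoundError: pass` at the end of `main()` in gce_region_facts.py lets the module finish without calling `exit_json` or `fail_json`, and any other error raised by `gce.ex_list_regions()` escapes as a raw traceback. Report the failure instead, e.g. `except Exception as e:` followed by `module.fail_json(msg=unexpected_error_msg(e), changed=False)`, which also puts the already-imported `unexpected_error_msg` to use. The RETURN block documents a top-level `regions` key while the code returns the list nested under `results`, so one of the two should change. The local `changed = False` is never read and can go.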
@@ -0,0 +1,102 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- +# Copyright: Ansible Project +# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +from __future__ import absolute_import, division, print_function +__metaclass__ = type + + +ANSIBLE_METADATA = {'metadata_version': '1.1', + 'status': ['preview'], + 'supported_by': 'community'} + +DOCUMENTATION = ''' +--- +module: lightsail_region_facts +short_description: Gather facts about AWS Lightsail regions. +description: + - Gather facts about AWS Lightsail regions. +version_added: "2.5.3" +author: "Jack Ivanov (@jackivanov)" +options: +requirements: + - "python >= 2.6" + - boto3 + +extends_documentation_fragment: + - aws + - ec2 +''' + + +EXAMPLES = ''' +# Gather facts about all regions +- lightsail_region_facts: +''' + +RETURN = ''' +regions: + returned: on success + description: > + Each element consists of a dict with all the information related + to that region. + type: list + sample: "[{ + "availabilityZones": [], + "continentCode": "NA", + "description": "This region is recommended to serve users in the eastern United States", + "displayName": "Virginia", + "name": "us-east-1" + }]" +''' + +import time +import traceback + +try: + import botocore + HAS_BOTOCORE = True +except ImportError: + HAS_BOTOCORE = False + +try: + import boto3 +except ImportError: + # will be caught by imported HAS_BOTO3 + pass + +from ansible.module_utils.basic import AnsibleModule +from ansible.module_utils.ec2 import (ec2_argument_spec, get_aws_connection_info, boto3_conn, + HAS_BOTO3, camel_dict_to_snake_dict) + +def main(): + argument_spec = ec2_argument_spec() + module = AnsibleModule(argument_spec=argument_spec) + + if not HAS_BOTO3: + module.fail_json(msg='Python module "boto3" is missing, please install it') + + if not HAS_BOTOCORE: + module.fail_json(msg='Python module "botocore" is missing, please install it') + + try: + region, ec2_url, aws_connect_kwargs = 
get_aws_connection_info(module, boto3=True) + + client = None + try: + client = boto3_conn(module, conn_type='client', resource='lightsail', + region=region, endpoint=ec2_url, **aws_connect_kwargs) + except (botocore.exceptions.ClientError, botocore.exceptions.ValidationError) as e: + module.fail_json(msg='Failed while connecting to the lightsail service: %s' % e, exception=traceback.format_exc()) + + response = client.get_regions( + includeAvailabilityZones=False + ) + module.exit_json(changed=False, results=response) + except (botocore.exceptions.ClientError, Exception) as e: + module.fail_json(msg=str(e), exception=traceback.format_exc()) + + +if __name__ == '__main__': + main() diff --git a/main.yml b/main.yml new file mode 100644 index 00000000..faf4c2d1 --- /dev/null +++ b/main.yml @@ -0,0 +1,9 @@ +--- +- name: Include prompts playbook + import_playbook: input.yml + +- name: Include cloud provisioning playbook + import_playbook: cloud.yml + +- name: Include server configuration playbook + import_playbook: server.yml diff --git a/playbooks/cloud-post.yml b/playbooks/cloud-post.yml new file mode 100644 index 00000000..283ed60a --- /dev/null +++ b/playbooks/cloud-post.yml 
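Review bot: In `main()` of lightsail_region_facts.py the outer handler `except (botocore.exceptions.ClientError, Exception) as e` is the same as catching `Exception`, so the tuple only hides that every error is handled identically; write `except Exception as e:` or narrow it to the botocore errors you expect. The RETURN block documents `regions`, but the module returns the whole `get_regions` response under `results`, so the documented shape and the actual one differ. `time` and `camel_dict_to_snake_dict` are imported and never used in this file.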
@@ -0,0 +1,45 @@
+---
+- name: Set subjectAltName as afact
+ set_fact:
+ IP_subject_alt_name: "{% if algo_provider == 'local' %}{{ IP_subject_alt_name }}{% else %}{{ cloud_instance_ip }}{% endif %}"
+
+- name: Add the server to an inventory group
+ add_host:
+ name: "{% if cloud_instance_ip == 'localhost' %}localhost{% else %}{{ cloud_instance_ip }}{% endif %}"
+ groups: vpn-host
+ ansible_connection: "{% if cloud_instance_ip == 'localhost' %}local{% else %}ssh{% endif %}"
+ ansible_ssh_user: "{{ ansible_ssh_user }}"
+ ansible_python_interpreter: "/usr/bin/python2.7"
+ algo_provider: "{{ algo_provider }}"
+ algo_server_name: "{{ algo_server_name }}"
+ algo_ondemand_cellular: "{{ algo_ondemand_cellular }}"
+ algo_ondemand_wifi: "{{ algo_ondemand_wifi }}"
+ algo_ondemand_wifi_exclude: "{{ algo_ondemand_wifi_exclude }}"
+ algo_local_dns: "{{ algo_local_dns }}"
+ algo_ssh_tunneling: "{{ algo_ssh_tunneling }}"
+ algo_windows: "{{ algo_windows }}"
+ algo_store_cakey: "{{ algo_store_cakey }}"
+ IP_subject_alt_name: "{{ IP_subject_alt_name }}"
+
+- name: Additional variables for the server
+ add_host:
+ name: "{% if cloud_instance_ip == 'localhost' %}localhost{% else %}{{ cloud_instance_ip }}{% endif %}"
+ ansible_ssh_private_key_file: "{{ SSH_keys.private }}"
+ when: algo_provider != 'local'
+
+- name: Wait until SSH becomes ready...
+ wait_for:
+ port: 22
+ host: "{{ cloud_instance_ip }}"
+ search_regex: "OpenSSH"
+ delay: 10
+ timeout: 320
+ state: present
+ when: cloud_instance_ip != "localhost"
+
+- debug:
+ var: IP_subject_alt_name
+
+- name: A short pause, in order to be sure the instance is ready
+ pause:
+ seconds: 20
diff --git a/playbooks/cloud-pre.yml b/playbooks/cloud-pre.yml
new file mode 100644
index 00000000..da08b357
--- /dev/null
+++ b/playbooks/cloud-pre.yml
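Review bot: The unnamed `debug: var: IP_subject_alt_name` task between the SSH wait and the final pause in cloud-post.yml looks like a development leftover; drop it, or give it a name and a `verbosity:` level so it only prints when asked for. In both `add_host` tasks the `name:` template returns `localhost` when `cloud_instance_ip` is `localhost` and the variable itself otherwise, which is simply `name: "{{ cloud_instance_ip }}"`. The first task name has a typo, `afact` for `a fact`.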
@@ -0,0 +1,13 @@
+---
+- name: Generate the SSH private key
+ openssl_privatekey:
+ path: "{{ SSH_keys.private }}"
+ size: 2048
+ mode: "0600"
+ type: RSA
+
+- name: Generate the SSH public key
+ openssl_publickey:
+ path: "{{ SSH_keys.public }}"
+ privatekey_path: "{{ SSH_keys.private }}"
+ format: OpenSSH
diff --git a/playbooks/common.yml b/playbooks/common.yml
deleted file mode 100644
index e0aea2bb..00000000
--- a/playbooks/common.yml
+++ /dev/null
@@ -1,15 +0,0 @@
----
-
-- name: Check the system
- raw: uname -a
- register: OS
-
-- name: Ubuntu pre-tasks
- include_tasks: ubuntu.yml
- when: '"Ubuntu" in OS.stdout or "Linux" in OS.stdout'
-
-- name: FreeBSD pre-tasks
- include_tasks: freebsd.yml
- when: '"FreeBSD" in OS.stdout'
-
-- include_tasks: facts/main.yml
diff --git a/playbooks/facts/FreeBSD.yml b/playbooks/facts/FreeBSD.yml
deleted file mode 100644
index 0d025fc0..00000000
--- a/playbooks/facts/FreeBSD.yml
+++ /dev/null
@@ -1,10 +0,0 @@
----
-
-- set_fact:
- config_prefix: "/usr/local/"
- root_group: wheel
- ssh_service_name: sshd
- apparmor_enabled: false
- strongswan_additional_plugins:
- - kernel-pfroute
- - kernel-pfkey
diff --git a/playbooks/facts/main.yml b/playbooks/facts/main.yml
deleted file mode 100644
index a03e7810..00000000
--- a/playbooks/facts/main.yml
+++ /dev/null
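Review bot: The key produced by `Generate the SSH private key` in cloud-pre.yml is written without a passphrase, so `mode: "0600"` is the only protection for the file at `SSH_keys.private`; a comment stating that this is deliberate for unattended deployment, and that the containing directory must not be readable by other users, would help the next reader. `size: 2048` is hard-coded; taking it from a variable with 2048 as the default would let it be raised without editing the playbook, for example `size: "{{ ssh_key_size | default(2048) }}"`, where `ssh_key_size` is a name made up for this note.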
@@ -1,44 +0,0 @@ ---- - -- name: Gather Facts - setup: - -- name: Ensure the algo ssh key exist on the server - authorized_key: - user: "{{ ansible_ssh_user }}" - state: present - key: "{{ lookup('file', '{{ SSH_keys.public }}') }}" - tags: [ 'cloud' ] - -- name: Check if IPv6 configured - set_fact: - ipv6_support: "{% if ansible_default_ipv6['gateway'] is defined %}true{% else %}false{% endif %}" - -- name: Set facts if the deployment in a cloud - set_fact: - cloud_deployment: true - tags: ['cloud'] - -- name: Generate password for the CA key - local_action: - module: shell - openssl rand -hex 16 - become: no - register: CA_password - -- name: Generate p12 export password - local_action: - module: shell - openssl rand 8 | python -c 'import sys,string; chars=string.ascii_letters + string.digits + "_@"; print "".join([chars[ord(c) % 64] for c in list(sys.stdin.read())])' - become: no - register: p12_export_password_generated - when: p12_export_password is not defined - -- name: Define password facts - set_fact: - easyrsa_p12_export_password: "{{ p12_export_password|default(p12_export_password_generated.stdout) }}" - easyrsa_CA_password: "{{ CA_password.stdout }}" - -- name: Define the commonName - set_fact: - IP_subject_alt_name: "{{ IP_subject_alt_name }}" diff --git a/playbooks/freebsd.yml b/playbooks/freebsd.yml deleted file mode 100644 index 316c92ac..00000000 --- a/playbooks/freebsd.yml +++ /dev/null @@ -1,9 +0,0 @@ ---- - -- name: FreeBSD / HardenedBSD | Install prerequisites - raw: sleep 10 && env ASSUME_ALWAYS_YES=YES sudo pkg install -y python27 - -- name: FreeBSD / HardenedBSD | Configure defaults - raw: sudo ln -sf /usr/local/bin/python2.7 /usr/bin/python2.7 - -- include_tasks: facts/FreeBSD.yml diff --git a/playbooks/local.yml b/playbooks/local.yml deleted file mode 100644 index 98a15774..00000000 --- a/playbooks/local.yml +++ /dev/null 
@@ -1,31 +0,0 @@ ---- - -- name: Generate the SSH private key - shell: > - echo -e 'n' | - ssh-keygen -b 2048 -C {{ SSH_keys.comment }} - -t rsa -f {{ SSH_keys.private }} -q -N "" - args: - creates: "{{ SSH_keys.private }}" - -- name: Generate the SSH public key - shell: > - echo `ssh-keygen -y -f {{ SSH_keys.private }}` {{ SSH_keys.comment }} - > {{ SSH_keys.public }} - changed_when: false - -- name: Change mode for the SSH private key - file: - path: "{{ SSH_keys.private }}" - mode: 0600 - -- name: Ensure the dynamic inventory exists - blockinfile: - dest: configs/inventory.dynamic - marker: "# {mark} ALGO MANAGED BLOCK" - create: true - block: | - [algo:children] - {% for group in cloud_providers.keys() %} - {{ group }} - {% endfor %} diff --git a/playbooks/local_ssh.yml b/playbooks/local_ssh.yml deleted file mode 100644 index b2b30b77..00000000 --- a/playbooks/local_ssh.yml +++ /dev/null @@ -1,12 +0,0 @@ ---- - -- name: Ensure the local ssh directory is exist - file: - path: ~/.ssh/ - state: directory - -- name: Copy the algo ssh key to the local ssh directory - copy: - src: "{{ SSH_keys.private }}" - dest: ~/.ssh/algo.pem - mode: '0600' diff --git a/playbooks/post.yml b/playbooks/post.yml deleted file mode 100644 index e594b973..00000000 --- a/playbooks/post.yml +++ /dev/null @@ -1,16 +0,0 @@ ---- - -- name: Wait until SSH becomes ready... - wait_for: - port: 22 - host: "{{ cloud_instance_ip }}" - search_regex: "OpenSSH" - delay: 10 - timeout: 320 - state: present - -- name: A short pause, in order to be sure the instance is ready - pause: - seconds: 20 - -- include_tasks: local_ssh.yml diff --git a/playbooks/ubuntu.yml b/playbooks/ubuntu.yml deleted file mode 100644 index bf7ac5b5..00000000 --- a/playbooks/ubuntu.yml +++ /dev/null 
@@ -1,14 +0,0 @@ ---- - -- name: Ubuntu | Install prerequisites - raw: "{{ item }}" - with_items: - - sleep 10 - - apt-get update -qq - - apt-get install -qq -y python2.7 sudo - become: true - -- name: Ubuntu | Configure defaults - raw: sudo update-alternatives --install /usr/bin/python python /usr/bin/python2.7 1 - tags: - - update-alternatives diff --git a/requirements.txt b/requirements.txt index dae2ab65..f2580658 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,6 +1,6 @@ setuptools>=11.3 SecretStorage < 3 -ansible[azure]==2.4.3 +ansible[azure]==2.5.2 dopy==0.3.5 boto>=2.5 boto3 diff --git a/roles/client/tasks/main.yml b/roles/client/tasks/main.yml index 0a3eedce..60fafed2 100644 --- a/roles/client/tasks/main.yml +++ b/roles/client/tasks/main.yml @@ -2,7 +2,7 @@ setup: - name: Include system based facts and tasks - include_tasks: systems/main.yml + import_tasks: systems/main.yml - name: Install prerequisites package: name="{{ item }}" state=present diff --git a/roles/cloud-azure/defaults/main.yml b/roles/cloud-azure/defaults/main.yml new file mode 100644 index 00000000..9170a157 --- /dev/null +++ b/roles/cloud-azure/defaults/main.yml 
@@ -0,0 +1,214 @@ +--- +azure_regions: > + [ + { + "displayName": "East Asia", + "latitude": "22.267", + "longitude": "114.188", + "name": "eastasia", + "subscriptionId": null + }, + { + "displayName": "Southeast Asia", + "latitude": "1.283", + "longitude": "103.833", + "name": "southeastasia", + "subscriptionId": null + }, + { + "displayName": "Central US", + "latitude": "41.5908", + "longitude": "-93.6208", + "name": "centralus", + "subscriptionId": null + }, + { + "displayName": "East US", + "latitude": "37.3719", + "longitude": "-79.8164", + "name": "eastus", + "subscriptionId": null + }, + { + "displayName": "East US 2", + "latitude": "36.6681", + "longitude": "-78.3889", + "name": "eastus2", + "subscriptionId": null + }, + { + "displayName": "West US", + "latitude": "37.783", + "longitude": "-122.417", + "name": "westus", + "subscriptionId": null + }, + { + "displayName": "North Central US", + "latitude": "41.8819", + "longitude": "-87.6278", + "name": "northcentralus", + "subscriptionId": null + }, + { + "displayName": "South Central US", + "latitude": "29.4167", + "longitude": "-98.5", + "name": "southcentralus", + "subscriptionId": null + }, + { + "displayName": "North Europe", + "latitude": "53.3478", + "longitude": "-6.2597", + "name": "northeurope", + "subscriptionId": null + }, + { + "displayName": "West Europe", + "latitude": "52.3667", + "longitude": "4.9", + "name": "westeurope", + "subscriptionId": null + }, + { + "displayName": "Japan West", + "latitude": "34.6939", + "longitude": "135.5022", + "name": "japanwest", + "subscriptionId": null + }, + { + "displayName": "Japan East", + "latitude": "35.68", + "longitude": "139.77", + "name": "japaneast", + "subscriptionId": null + }, + { + "displayName": "Brazil South", + "latitude": "-23.55", + "longitude": "-46.633", + "name": "brazilsouth", + "subscriptionId": null + }, + { + "displayName": "Australia East", + "latitude": "-33.86", + "longitude": "151.2094", + "name": "australiaeast", + 
"subscriptionId": null + }, + { + "displayName": "Australia Southeast", + "latitude": "-37.8136", + "longitude": "144.9631", + "name": "australiasoutheast", + "subscriptionId": null + }, + { + "displayName": "South India", + "latitude": "12.9822", + "longitude": "80.1636", + "name": "southindia", + "subscriptionId": null + }, + { + "displayName": "Central India", + "latitude": "18.5822", + "longitude": "73.9197", + "name": "centralindia", + "subscriptionId": null + }, + { + "displayName": "West India", + "latitude": "19.088", + "longitude": "72.868", + "name": "westindia", + "subscriptionId": null + }, + { + "displayName": "Canada Central", + "latitude": "43.653", + "longitude": "-79.383", + "name": "canadacentral", + "subscriptionId": null + }, + { + "displayName": "Canada East", + "latitude": "46.817", + "longitude": "-71.217", + "name": "canadaeast", + "subscriptionId": null + }, + { + "displayName": "UK South", + "latitude": "50.941", + "longitude": "-0.799", + "name": "uksouth", + "subscriptionId": null + }, + { + "displayName": "UK West", + "latitude": "53.427", + "longitude": "-3.084", + "name": "ukwest", + "subscriptionId": null + }, + { + "displayName": "West Central US", + "latitude": "40.890", + "longitude": "-110.234", + "name": "westcentralus", + "subscriptionId": null + }, + { + "displayName": "West US 2", + "latitude": "47.233", + "longitude": "-119.852", + "name": "westus2", + "subscriptionId": null + }, + { + "displayName": "Korea Central", + "latitude": "37.5665", + "longitude": "126.9780", + "name": "koreacentral", + "subscriptionId": null + }, + { + "displayName": "Korea South", + "latitude": "35.1796", + "longitude": "129.0756", + "name": "koreasouth", + "subscriptionId": null + }, + { + "displayName": "France Central", + "latitude": "46.3772", + "longitude": "2.3730", + "name": "francecentral", + "subscriptionId": null + }, + { + "displayName": "France South", + "latitude": "43.8345", + "longitude": "2.1972", + "name": "francesouth", + 
"subscriptionId": null + }, + { + "displayName": "Australia Central", + "latitude": "-35.3075", + "longitude": "149.1244", + "name": "australiacentral", + "subscriptionId": null + }, + { + "displayName": "Australia Central 2", + "latitude": "-35.3075", + "longitude": "149.1244", + "name": "australiacentral2", + "subscriptionId": null + } + ] diff --git a/roles/cloud-azure/handlers/main.yml b/roles/cloud-azure/handlers/main.yml deleted file mode 100644 index e69de29b..00000000 diff --git a/roles/cloud-azure/tasks/main.yml b/roles/cloud-azure/tasks/main.yml index 6a6e9de4..682fcb3c 100644 --- a/roles/cloud-azure/tasks/main.yml +++ b/roles/cloud-azure/tasks/main.yml @@ -1,5 +1,8 @@ --- - block: + - name: Include prompts + import_tasks: prompts.yml + - set_fact: resource_group: "Algo_{{ region }}" secret: "{{ azure_secret | default(lookup('env','AZURE_SECRET'), true) }}" @@ -116,31 +119,10 @@ subnet_name: algo_subnet security_group_name: AlgoSecGroup - - name: Add the instance to an inventory group - add_host: - name: "{{ ip_address }}" - groups: vpn-host - ansible_ssh_user: ubuntu - ansible_python_interpreter: "/usr/bin/python2.7" - ansible_ssh_private_key_file: "{{ SSH_keys.private }}" - cloud_provider: azure - - set_fact: cloud_instance_ip: "{{ ip_address }}" + ansible_ssh_user: ubuntu - - name: Ensure the group azure exists in the dynamic inventory file - lineinfile: - state: present - dest: configs/inventory.dynamic - line: '[azure]' - - - name: Populate the dynamic inventory - lineinfile: - state: present - dest: configs/inventory.dynamic - insertafter: '\[azure\]' - regexp: "^{{ cloud_instance_ip }}.*" - line: "{{ cloud_instance_ip }}" rescue: - debug: var=fail_hint tags: always diff --git a/roles/cloud-azure/tasks/prompts.yml b/roles/cloud-azure/tasks/prompts.yml new file mode 100644 index 00000000..aadffd61 --- /dev/null +++ b/roles/cloud-azure/tasks/prompts.yml 
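Review bot: Right after the new `import_tasks: prompts.yml` in roles/cloud-azure/tasks/main.yml, the unchanged `set_fact` shown as context assigns `secret` again from `azure_secret` or `AZURE_SECRET` only, which would appear to replace the value prompts.yml builds from `_azure_secret.user_input`; the same may hold for the other credentials, whose lines fall outside the hunk. If the prompted values are meant to win, drop those keys from this `set_fact` and keep only `resource_group`. `resource_group: "Algo_{{ region }}"` also still reads `region`, while the prompt registers `_algo_region` and nothing visible converts it, so an interactive run with `region` undefined looks likely to fail at this line. The block continues outside the hunk.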
@@ -0,0 +1,70 @@ +--- +- pause: + prompt: | + Enter your azure secret id (https://github.com/trailofbits/algo/blob/master/docs/cloud-azure.md) + You can skip this step if you want to use your defaults credentials from ~/.azure/credentials + echo: false + register: _azure_secret + when: + - azure_secret is undefined + - lookup('env','AZURE_SECRET')|length <= 0 + +- pause: + prompt: | + Enter your azure tenant id (https://github.com/trailofbits/algo/blob/master/docs/cloud-azure.md) + You can skip this step if you want to use your defaults credentials from ~/.azure/credentials + echo: false + register: _azure_tenant + when: + - azure_tenant is undefined + - lookup('env','AZURE_TENANT')|length <= 0 + +- pause: + prompt: | + Enter your azure client id (application id) (https://github.com/trailofbits/algo/blob/master/docs/cloud-azure.md) + You can skip this step if you want to use your defaults credentials from ~/.azure/credentials + echo: false + register: _azure_client_id + when: + - azure_client_id is undefined + - lookup('env','AZURE_CLIENT_ID')|length <= 0 + +- pause: + prompt: | + Enter your azure subscription id (https://github.com/trailofbits/algo/blob/master/docs/cloud-azure.md) + You can skip this step if you want to use your defaults credentials from ~/.azure/credentials + echo: false + register: _azure_subscription_id + when: + - azure_subscription_id is undefined + - lookup('env','AZURE_SUBSCRIPTION_ID')|length <= 0 + +- set_fact: + secret: "{{ azure_secret | default(_azure_secret.user_input|default(None)) | default(lookup('env','AZURE_SECRET'), true) }}" + tenant: "{{ azure_tenant | default(_azure_tenant.user_input|default(None)) | default(lookup('env','AZURE_TENANT'), true) }}" + client_id: "{{ azure_client_id | default(_azure_client_id.user_input|default(None)) | default(lookup('env','AZURE_CLIENT_ID'), true) }}" + subscription_id: "{{ azure_subscription_id | default(_azure_subscription_id.user_input|default(None)) | 
default(lookup('env','AZURE_SUBSCRIPTION_ID'), true) }}" + +- block: + - name: Set facts about the regions + set_fact: + aws_regions: "{{ azure_regions | sort(attribute='region_name') }}" + + - name: Set the default region + set_fact: + default_region: >- + {% for r in aws_regions %} + {%- if r['region_name'] == "us-east-1" %}{{ loop.index }}{% endif %} + {%- endfor %} + + - pause: + prompt: | + What region should the server be located in? + {% for r in aws_regions %} + {{ loop.index }}. {{ r['region_name'] }} + {% endfor %} + + Enter the number of your desired region + [{{ default_region }}] + register: _algo_region + when: region is undefined diff --git a/roles/cloud-digitalocean/handlers/main.yml b/roles/cloud-digitalocean/handlers/main.yml deleted file mode 100644 index e69de29b..00000000 diff --git a/roles/cloud-digitalocean/tasks/main.yml b/roles/cloud-digitalocean/tasks/main.yml index f4932998..aca66b7b 100644 --- a/roles/cloud-digitalocean/tasks/main.yml +++ b/roles/cloud-digitalocean/tasks/main.yml @@ -1,7 +1,13 @@ - block: - - name: Set the DigitalOcean Access Token fact + - name: Include prompts + import_tasks: prompts.yml + + - name: Set additional facts set_fact: - do_token: "{{ do_access_token | default(lookup('env','DO_API_TOKEN'), true) }}" + algo_do_region: >- + {% if region is defined %}{{ region }} + {%- elif _algo_region.user_input is defined and _algo_region.user_input != "" %}{{ do_regions[_algo_region.user_input | int -1 ]['slug'] }} + {%- else %}{{ do_regions[default_region | int - 1]['slug'] }}{% endif %} public_key: "{{ lookup('file', '{{ SSH_keys.public }}') }}" - block: @@ -9,7 +15,7 @@ digital_ocean: state: absent command: ssh - api_token: "{{ do_token }}" + api_token: "{{ algo_do_token }}" name: "{{ SSH_keys.comment }}" register: ssh_keys until: ssh_keys.changed != true 
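Review bot: The region block at the end of roles/cloud-azure/tasks/prompts.yml reads like the EC2 version with only the source variable swapped: it sorts `azure_regions` by `region_name`, compares against `"us-east-1"` and prints `r['region_name']`, but the entries added in roles/cloud-azure/defaults/main.yml carry `name` and `displayName` and no `region_name`. As written the sort is likely to fail, and at best `default_region` comes out empty and the menu lists no names. Use the keys that exist, e.g. `sort(attribute='name')`, `r['name'] == "eastus"` and `{{ loop.index }}. {{ r['name'] }}`, and store the list under an Azure-specific fact name rather than `aws_regions`.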
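Review bot: `algo_do_region` in roles/cloud-digitalocean/tasks/main.yml indexes `do_regions` with `_algo_region.user_input | int - 1` without checking the answer: a non-numeric reply becomes 0, so the index is -1 and the last region in the list is chosen silently, while a number beyond the list ends in a template error. The `default_region | int - 1` branch behaves the same way if `default_region` is empty because `nyc3` is missing from the returned list. Validate the reply before use, for instance with an `assert` task requiring it to be empty or an integer between 1 and `do_regions | length`. The `algo_region` expression added in roles/cloud-ec2/tasks/main.yml has the same shape and needs the same check.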
@@ -21,7 +27,7 @@ digital_ocean: state: absent command: ssh - api_token: "{{ do_token }}" + api_token: "{{ algo_do_token }}" name: "{{ SSH_keys.comment }}" register: ssh_keys ignore_errors: yes @@ -36,7 +42,7 @@ state: present command: ssh ssh_pub_key: "{{ public_key }}" - api_token: "{{ do_token }}" + api_token: "{{ algo_do_token }}" name: "{{ SSH_keys.comment }}" register: do_ssh_key 
@@ -44,69 +50,33 @@ digital_ocean: state: present command: droplet - name: "{{ do_server_name }}" - region_id: "{{ do_region }}" + name: "{{ algo_server_name }}" + region_id: "{{ algo_do_region }}" size_id: "{{ cloud_providers.digitalocean.size }}" image_id: "{{ cloud_providers.digitalocean.image }}" ssh_key_ids: "{{ do_ssh_key.ssh_key.id }}" unique_name: yes - api_token: "{{ do_token }}" + api_token: "{{ algo_do_token }}" ipv6: yes register: do - - name: Add the droplet to an inventory group - add_host: - name: "{{ do.droplet.ip_address }}" - groups: vpn-host - ansible_ssh_user: root - ansible_python_interpreter: "/usr/bin/python2.7" - ansible_ssh_private_key_file: "{{ SSH_keys.private }}" - do_access_token: "{{ do_token }}" - do_droplet_id: "{{ do.droplet.id }}" - cloud_provider: digitalocean - - set_fact: cloud_instance_ip: "{{ do.droplet.ip_address }}" + ansible_ssh_user: root - name: Tag the droplet digital_ocean_tag: name: "Environment:Algo" resource_id: "{{ do.droplet.id }}" - api_token: "{{ do_token }}" + api_token: "{{ algo_do_token }}" state: present - - name: Get droplets - uri: - url: "https://api.digitalocean.com/v2/droplets?tag_name=Environment:Algo" - method: GET - status_code: 200 - headers: - Content-Type: "application/json" - Authorization: "Bearer {{ do_token }}" - register: do_droplets - - - name: Ensure the group digitalocean exists in the dynamic inventory file - lineinfile: - state: present - dest: configs/inventory.dynamic - line: '[digitalocean]' - - - name: Populate the dynamic inventory - lineinfile: - state: present - dest: configs/inventory.dynamic - insertafter: '\[digitalocean\]' - regexp: "^{{ item.networks.v4[0].ip_address }}.*" - line: "{{ item.networks.v4[0].ip_address }}" - with_items: - - "{{ do_droplets.json.droplets }}" - - block: - name: "Delete the new Algo SSH key" digital_ocean: state: absent command: ssh - api_token: "{{ do_token }}" + api_token: "{{ algo_do_token }}" name: "{{ SSH_keys.comment }}" register: ssh_keys 
until: ssh_keys.changed != true @@ -118,7 +88,7 @@ digital_ocean: state: absent command: ssh - api_token: "{{ do_token }}" + api_token: "{{ algo_do_token }}" name: "{{ SSH_keys.comment }}" register: ssh_keys ignore_errors: yes diff --git a/roles/cloud-digitalocean/tasks/prompts.yml b/roles/cloud-digitalocean/tasks/prompts.yml new file mode 100644 index 00000000..f2804ca8 --- /dev/null +++ b/roles/cloud-digitalocean/tasks/prompts.yml @@ -0,0 +1,46 @@ +--- +- pause: + prompt: | + Enter your API token. The token must have read and write permissions (https://cloud.digitalocean.com/settings/api/tokens): + echo: false + register: _do_token + when: + - do_token is undefined + - lookup('env','DO_API_TOKEN')|length <= 0 + +- name: Set the token as a fact + set_fact: + algo_do_token: "{{ do_token | default(_do_token.user_input|default(None)) | default(lookup('env','DO_API_TOKEN'), true) }}" + +- name: Get regions + uri: + url: https://api.digitalocean.com/v2/regions + method: GET + status_code: 200 + headers: + Content-Type: "application/json" + Authorization: "Bearer {{ algo_do_token }}" + register: _do_regions + +- name: Set facts about thre regions + set_fact: + do_regions: "{{ _do_regions.json.regions | sort(attribute='slug') }}" + +- name: Set default region + set_fact: + default_region: >- + {% for r in do_regions %} + {%- if r['slug'] == "nyc3" %}{{ loop.index }}{% endif %} + {%- endfor %} + +- pause: + prompt: | + What region should the server be located in? + {% for r in do_regions %} + {{ loop.index }}. {{ r['slug'] }} {{ r['name'] }} + {% endfor %} + + Enter the number of your desired region + [{{ default_region }}] + register: _algo_region + when: region is undefined diff --git a/roles/cloud-digitalocean/templates/20-ipv6.cfg.j2 b/roles/cloud-digitalocean/templates/20-ipv6.cfg.j2 deleted file mode 100644 index 7db27bbb..00000000 --- a/roles/cloud-digitalocean/templates/20-ipv6.cfg.j2 +++ /dev/null 
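Review bot: `Set the token as a fact` and `Get regions` in roles/cloud-digitalocean/tasks/prompts.yml both carry the API token in clear, in the `set_fact` result and in the `Authorization` header passed to `uri`, and either can end up in console output or logs when the playbook runs with increased verbosity. Add `no_log: true` to those two tasks; the `pause` already uses `echo: false`, so this keeps the handling consistent. Because `no_log` also hides the error text, a wrong token will fail at `Get regions` without explanation, so a short `fail` message pointing at the token is worth adding. The task name `Set facts about thre regions` has a typo.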
@@ -1,6 +0,0 @@ -iface eth0 inet6 static - address {{ item.ip_address }} - netmask {{ item.netmask }} - gateway {{ item.gateway }} - autoconf 0 - dns-nameservers 2001:4860:4860::8844 2001:4860:4860::8888 diff --git a/roles/cloud-ec2/defaults/main.yml b/roles/cloud-ec2/defaults/main.yml index 045fe455..8060eb72 100644 --- a/roles/cloud-ec2/defaults/main.yml +++ b/roles/cloud-ec2/defaults/main.yml @@ -1,5 +1,6 @@ --- - +ami_search_encrypted: omit +encrypted: "{{ cloud_providers.ec2.encrypted }}" ec2_vpc_nets: cidr_block: 172.16.0.0/16 subnet_cidr: 172.16.254.0/23 diff --git a/roles/cloud-ec2/handlers/main.yml b/roles/cloud-ec2/handlers/main.yml deleted file mode 100644 index e69de29b..00000000 diff --git a/roles/cloud-ec2/tasks/cloudformation.yml b/roles/cloud-ec2/tasks/cloudformation.yml index 7c6fe374..27977203 100644 --- a/roles/cloud-ec2/tasks/cloudformation.yml +++ b/roles/cloud-ec2/tasks/cloudformation.yml @@ -1,11 +1,11 @@ --- - name: Deploy the template cloudformation: - aws_access_key: "{{ aws_access_key | default(lookup('env','AWS_ACCESS_KEY_ID'), true)}}" - aws_secret_key: "{{ aws_secret_key | default(lookup('env','AWS_SECRET_ACCESS_KEY'), true)}}" + aws_access_key: "{{ access_key }}" + aws_secret_key: "{{ secret_key }}" stack_name: "{{ stack_name }}" state: "present" - region: "{{ region }}" + region: "{{ algo_region }}" template: roles/cloud-ec2/files/stack.yml template_parameters: InstanceTypeParameter: "{{ cloud_providers.ec2.size }}" diff --git a/roles/cloud-ec2/tasks/encrypt_image.yml b/roles/cloud-ec2/tasks/encrypt_image.yml index 11779ea4..967e274d 100644 --- a/roles/cloud-ec2/tasks/encrypt_image.yml +++ b/roles/cloud-ec2/tasks/encrypt_image.yml 
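Review bot: `ami_search_encrypted: omit` in roles/cloud-ec2/defaults/main.yml sets the literal string `omit`, not Ansible's `{{ omit }}` placeholder, and it seems to exist only so that `ami_search_encrypted.image_id is defined` in tasks/main.yml has something to evaluate before encrypt_image.yml registers a result. Say so in a comment above it, e.g. `# placeholder until encrypt_image.yml registers ami_search_encrypted`, or use an empty mapping `{}` so the value is not mistaken for the special variable.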
@@ -1,37 +1,27 @@ +--- - name: Check if the encrypted image already exist - ec2_ami_find: - aws_access_key: "{{ aws_access_key | default(lookup('env','AWS_ACCESS_KEY_ID'), true)}}" - aws_secret_key: "{{ aws_secret_key | default(lookup('env','AWS_SECRET_ACCESS_KEY'), true)}}" - owner: self - sort: creationDate - sort_order: descending - sort_end: 1 - state: available - ami_tags: - Algo: "encrypted" - region: "{{ region }}" + ec2_ami_facts: + aws_access_key: "{{ access_key }}" + aws_secret_key: "{{ secret_key }}" + owners: self + region: "{{ algo_region }}" + filters: + state: available + "tag:Algo": encrypted register: search_crypt -- set_fact: - ami_image: "{{ search_crypt.results[0].ami_id }}" - when: search_crypt.results - - name: Copy to an encrypted image ec2_ami_copy: - aws_access_key: "{{ aws_access_key | default(lookup('env','AWS_ACCESS_KEY_ID'), true)}}" - aws_secret_key: "{{ aws_secret_key | default(lookup('env','AWS_SECRET_ACCESS_KEY'), true)}}" + aws_access_key: "{{ access_key }}" + aws_secret_key: "{{ secret_key }}" encrypted: yes name: algo kms_key_id: "{{ kms_key_id | default(omit) }}" - region: "{{ region }}" - source_image_id: "{{ ami_image }}" - source_region: "{{ region }}" + region: "{{ algo_region }}" + source_image_id: "{{ (ami_search.images | sort(attribute='creation_date') | last)['image_id'] }}" + source_region: "{{ algo_region }}" + wait: true tags: Algo: "encrypted" - wait: true - register: enc_image - when: not search_crypt.results - -- set_fact: - ami_image: "{{ enc_image.image_id }}" - when: not search_crypt.results + register: ami_search_encrypted + when: search_crypt.images|length|int == 0 diff --git a/roles/cloud-ec2/tasks/main.yml b/roles/cloud-ec2/tasks/main.yml index 0e820b84..64dbfcd4 100644 --- a/roles/cloud-ec2/tasks/main.yml +++ b/roles/cloud-ec2/tasks/main.yml 
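Review bot: `Copy to an encrypted image` in encrypt_image.yml runs only when no image tagged `Algo: encrypted` exists, so once a copy has been made every later deployment reuses it however old it is, and the newer official AMI found in `ami_search` is ignored. Unless packages are upgraded later in the play, new servers would start from an outdated base image. Record the source image id as an extra tag on the copy and compare it with the newest `ami_search` result in the `when:` condition, so a fresh encrypted copy is made when the official image changes.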
@@ -1,66 +1,40 @@ - block: + - name: Include prompts + import_tasks: prompts.yml + - set_fact: - access_key: "{{ aws_access_key | default(lookup('env','AWS_ACCESS_KEY_ID'), true) }}" - secret_key: "{{ aws_secret_key | default(lookup('env','AWS_SECRET_ACCESS_KEY'), true) }}" - stack_name: "{{ aws_server_name | replace('.', '-') }}" + algo_region: >- + {% if region is defined %}{{ region }} + {%- elif _algo_region.user_input is defined and _algo_region.user_input != "" %}{{ aws_regions[_algo_region.user_input | int -1 ]['region_name'] }} + {%- else %}{{ aws_regions[default_region | int - 1]['region_name'] }}{% endif %} + stack_name: "{{ algo_server_name | replace('.', '-') }}" - name: Locate official AMI for region - ec2_ami_find: + ec2_ami_facts: aws_access_key: "{{ access_key }}" aws_secret_key: "{{ secret_key }}" - name: "ubuntu/images/hvm-ssd/{{ cloud_providers.ec2.image.name }}-amd64-server-*" - owner: "{{ cloud_providers.ec2.image.owner }}" - sort: creationDate - sort_order: descending - sort_end: 1 - region: "{{ region }}" + owners: "{{ cloud_providers.ec2.image.owner }}" + region: "{{ algo_region }}" + filters: + name: "ubuntu/images/hvm-ssd/{{ cloud_providers.ec2.image.name }}-amd64-server-*" register: ami_search - - set_fact: - ami_image: "{{ ami_search.results[0].ami_id }}" + - import_tasks: encrypt_image.yml + when: encrypted - - include_tasks: encrypt_image.yml - tags: [encrypted] + - name: Set the ami id as a fact + set_fact: + ami_image: >- + {% if ami_search_encrypted.image_id is defined %}{{ ami_search_encrypted.image_id }} + {%- elif search_crypt.images is defined and search_crypt.images|length >= 1 %}{{ (search_crypt.images | sort(attribute='creation_date') | last)['image_id'] }} + {%- else %}{{ (ami_search.images | sort(attribute='creation_date') | last)['image_id'] }}{% endif %} - - include_tasks: cloudformation.yml - - - name: Add new instance to host group - add_host: - hostname: "{{ stack.stack_outputs.ElasticIP }}" - groupname: vpn-host - 
ansible_ssh_user: ubuntu - ansible_python_interpreter: "/usr/bin/python2.7" - ansible_ssh_private_key_file: "{{ SSH_keys.private }}" - cloud_provider: ec2 + - name: Deploy the stack + import_tasks: cloudformation.yml - set_fact: cloud_instance_ip: "{{ stack.stack_outputs.ElasticIP }}" - - - name: Get EC2 instances - ec2_instance_facts: - aws_access_key: "{{ access_key }}" - aws_secret_key: "{{ secret_key }}" - region: "{{ region }}" - filters: - instance-state-name: running - "tag:Environment": Algo - register: algo_instances - - - name: Ensure the group ec2 exists in the dynamic inventory file - lineinfile: - state: present - dest: configs/inventory.dynamic - line: '[ec2]' - - - name: Populate the dynamic inventory - lineinfile: - state: present - dest: configs/inventory.dynamic - insertafter: '\[ec2\]' - regexp: "^{{ item.public_ip_address }}.*" - line: "{{ item.public_ip_address }}" - with_items: - - "{{ algo_instances.instances }}" + ansible_ssh_user: ubuntu rescue: - debug: var=fail_hint tags: always diff --git a/roles/cloud-ec2/tasks/prompts.yml b/roles/cloud-ec2/tasks/prompts.yml new file mode 100644 index 00000000..2993f694 --- /dev/null +++ b/roles/cloud-ec2/tasks/prompts.yml 
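Review bot: The new `algo_region` fact indexes `aws_regions[_algo_region.user_input | int -1 ]` without checking the answer. A reply of `0` or any non-numeric text (which `int` turns into 0) becomes index -1 and, as far as I can tell, silently selects the last region, while a number past the end of the list fails with an undefined-variable error. A guard task before the `set_fact` would make the failure explicit, e.g. a `fail` with `when: _algo_region.user_input | default('') != '' and (_algo_region.user_input | int < 1 or _algo_region.user_input | int > aws_regions | length)`. The same unchecked index appears in the region facts of the cloud-gce, cloud-lightsail, cloud-scaleway and cloud-vultr prompts files in this patch. The `rescue` part of this block continues past the hunk.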
@@ -0,0 +1,55 @@ +--- +- pause: + prompt: | + Enter your aws_access_key (http://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html) + Note: Make sure to use an IAM user with an acceptable policy attached (see https://github.com/trailofbits/algo/blob/master/docs/deploy-from-ansible.md) + echo: false + register: _aws_access_key + when: + - aws_access_key is undefined + - lookup('env','AWS_ACCESS_KEY_ID')|length <= 0 + +- pause: + prompt: | + Enter your aws_secret_key (http://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html) + echo: false + register: _aws_secret_key + when: + - aws_secret_key is undefined + - lookup('env','AWS_SECRET_ACCESS_KEY')|length <= 0 + +- set_fact: + access_key: "{{ aws_access_key | default(_aws_access_key.user_input|default(None)) | default(lookup('env','AWS_ACCESS_KEY_ID'), true) }}" + secret_key: "{{ aws_secret_key | default(_aws_secret_key.user_input|default(None)) | default(lookup('env','AWS_SECRET_ACCESS_KEY'), true) }}" + +- block: + - name: Get regions + aws_region_facts: + aws_access_key: "{{ access_key }}" + aws_secret_key: "{{ secret_key }}" + region: us-east-1 + register: _aws_regions + + - name: Set facts about the regions + set_fact: + aws_regions: "{{ _aws_regions.regions | sort(attribute='region_name') }}" + + - name: Set the default region + set_fact: + default_region: >- + {% for r in aws_regions %} + {%- if r['region_name'] == "us-east-1" %}{{ loop.index }}{% endif %} + {%- endfor %} + + - pause: + prompt: | + What region should the server be located in? + (https://docs.aws.amazon.com/general/latest/gr/rande.html#ec2_region) + {% for r in aws_regions %} + {{ loop.index }}. {{ r['region_name'] }} + {% endfor %} + + Enter the number of your desired region + [{{ default_region }}] + register: _algo_region + when: region is undefined diff --git a/roles/cloud-gce/handlers/main.yml b/roles/cloud-gce/handlers/main.yml deleted file mode 100644 index e69de29b..00000000 
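Review bot: The `set_fact` that builds `access_key` and `secret_key` has no `no_log: true`, so although both prompts use `echo: false`, the resolved secret can still show up in verbose (`-v`) task output or in a logging callback. Adding `no_log: true` to that task keeps the intent of the hidden prompt. The same applies to the matching `set_fact` in roles/cloud-lightsail/tasks/prompts.yml, to `algo_scaleway_token` in roles/cloud-scaleway/tasks/prompts.yml, to `credentials_file_lookup` in roles/cloud-gce/tasks/prompts.yml (it holds the service-account JSON), and to the registered `CA_password` and `p12_password_generated` results in roles/common/tasks/facts.yml.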
diff --git a/roles/cloud-gce/tasks/main.yml b/roles/cloud-gce/tasks/main.yml index 24a825cf..8dad0a08 100644 --- a/roles/cloud-gce/tasks/main.yml +++ b/roles/cloud-gce/tasks/main.yml 
@@ -1,68 +1,37 @@ - block: - - set_fact: - credentials_file_path: "{{ credentials_file | default(lookup('env','GCE_CREDENTIALS_FILE_PATH'), true) }}" - ssh_public_key_lookup: "{{ lookup('file', '{{ SSH_keys.public }}') }}" - - - set_fact: - credentials_file_lookup: "{{ lookup('file', '{{ credentials_file_path }}') }}" - - - set_fact: - service_account_email: "{{ credentials_file_lookup.client_email | default(lookup('env','GCE_EMAIL')) }}" - project_id: "{{ credentials_file_lookup.project_id | default(lookup('env','GCE_PROJECT')) }}" - server_name: "{{ gce_server_name | replace('_', '-') }}" + - name: Include prompts + import_tasks: prompts.yml - name: Network configured gce_net: - name: "algo-net-{{ server_name }}" - fwname: "algo-net-{{ server_name }}-fw" + name: "algo-net-{{ algo_server_name }}" + fwname: "algo-net-{{ algo_server_name }}-fw" allowed: "udp:500,4500,{{ wireguard_port }};tcp:22" state: "present" mode: auto src_range: 0.0.0.0/0 - service_account_email: "{{ credentials_file_lookup.client_email }}" - credentials_file: "{{ credentials_file }}" - project_id: "{{ credentials_file_lookup.project_id }}" + service_account_email: "{{ service_account_email }}" + credentials_file: "{{ credentials_file_path }}" + project_id: "{{ project_id }}" - name: "Creating a new instance..." 
gce: - instance_names: "{{ server_name }}" - zone: "{{ zone }}" + instance_names: "{{ algo_server_name }}" + zone: "{{ algo_region }}" machine_type: "{{ cloud_providers.gce.size }}" image: "{{ cloud_providers.gce.image }}" service_account_email: "{{ service_account_email }}" credentials_file: "{{ credentials_file_path }}" project_id: "{{ project_id }}" metadata: '{"ssh-keys":"ubuntu:{{ ssh_public_key_lookup }}"}' - network: "algo-net-{{ server_name }}" + network: "algo-net-{{ algo_server_name }}" tags: - "environment-algo" register: google_vm - - name: Add the instance to an inventory group - add_host: - name: "{{ google_vm.instance_data[0].public_ip }}" - groups: vpn-host - ansible_ssh_user: ubuntu - ansible_python_interpreter: "/usr/bin/python2.7" - ansible_ssh_private_key_file: "{{ SSH_keys.private }}" - cloud_provider: gce - - set_fact: cloud_instance_ip: "{{ google_vm.instance_data[0].public_ip }}" - - - name: Ensure the group gce exists in the dynamic inventory file - lineinfile: - state: present - dest: configs/inventory.dynamic - line: '[gce]' - - - name: Populate the dynamic inventory - lineinfile: - state: present - dest: configs/inventory.dynamic - insertafter: '\[gce\]' - regexp: "^{{ google_vm.instance_data[0].public_ip }}.*" - line: "{{ google_vm.instance_data[0].public_ip }}" + ansible_ssh_user: ubuntu rescue: - debug: var=fail_hint tags: always diff --git a/roles/cloud-gce/tasks/prompts.yml b/roles/cloud-gce/tasks/prompts.yml new file mode 100644 index 00000000..b054cc9e --- /dev/null +++ b/roles/cloud-gce/tasks/prompts.yml 
@@ -0,0 +1,67 @@ +--- +- pause: + prompt: | + Enter the local path to your credentials JSON file + (https://support.google.com/cloud/answer/6158849?hl=en&ref_topic=6262490#serviceaccounts) + register: _gce_credentials_file + when: + - gce_credentials_file is undefined + - lookup('env','GCE_CREDENTIALS_FILE_PATH')|length <= 0 + +- set_fact: + credentials_file_path: "{{ gce_credentials_file | default(_gce_credentials_file.user_input|default(None)) | default(lookup('env','GCE_CREDENTIALS_FILE_PATH'), true) }}" + ssh_public_key_lookup: "{{ lookup('file', '{{ SSH_keys.public }}') }}" + +- set_fact: + credentials_file_lookup: "{{ lookup('file', '{{ credentials_file_path }}') }}" + +- set_fact: + service_account_email: "{{ credentials_file_lookup.client_email | default(lookup('env','GCE_EMAIL')) }}" + project_id: "{{ credentials_file_lookup.project_id | default(lookup('env','GCE_PROJECT')) }}" + +- block: + - name: Get regions + gce_region_facts: + service_account_email: "{{ credentials_file_lookup.client_email }}" + credentials_file: "{{ credentials_file_path }}" + project_id: "{{ credentials_file_lookup.project_id }}" + register: _gce_regions + + - name: Set facts about the regions + set_fact: + gce_regions: >- + [{%- for region in _gce_regions.results.regions | sort(attribute='name') -%} + {% if region.status == "UP" %} + {% for zone in region.zones | sort(attribute='name') %} + {% if zone.status == "UP" %} + '{{ zone.name }}' + {% endif %}{% if not loop.last %},{% endif %} + {% endfor %} + {% endif %}{% if not loop.last %},{% endif %} + {%- endfor -%}] + + - name: Set facts about the default region + set_fact: + default_region: >- + {% for region in gce_regions %} + {%- if region == "us-east1-b" %}{{ loop.index }}{% endif %} + {%- endfor %} + + - pause: + prompt: | + What region should the server be located in? + (https://cloud.google.com/compute/docs/regions-zones/) + {% for r in gce_regions %} + {{ loop.index }}. 
{{ r }} + {% endfor %} + + Enter the number of your desired region + [{{ default_region }}] + register: _gce_region + when: region is undefined + +- set_fact: + algo_region: >- + {% if region is defined %}{{ region }} + {%- elif _gce_region.user_input is defined and _gce_region.user_input != "" %}{{ gce_regions[_gce_region.user_input | int -1 ] }} + {%- else %}{{ gce_regions[default_region | int - 1] }}{% endif %} diff --git a/roles/cloud-lightsail/tasks/main.yml b/roles/cloud-lightsail/tasks/main.yml index 31f73e6f..29342af9 100644 --- a/roles/cloud-lightsail/tasks/main.yml +++ b/roles/cloud-lightsail/tasks/main.yml @@ -1,8 +1,6 @@ - block: - - set_fact: - access_key: "{{ aws_access_key | default(lookup('env','AWS_ACCESS_KEY_ID'), true) }}" - secret_key: "{{ aws_secret_key | default(lookup('env','AWS_SECRET_ACCESS_KEY'), true) }}" - region: "{{ algo_region | default(lookup('env','AWS_DEFAULT_REGION'), true) }}" + - name: Include prompts + import_tasks: prompts.yml - name: Create an instance lightsail: @@ -10,8 +8,8 @@ aws_secret_key: "{{ secret_key }}" name: "{{ algo_server_name }}" state: present - region: "{{ region }}" - zone: "{{ region }}a" + region: "{{ algo_region }}" + zone: "{{ algo_region }}a" blueprint_id: "{{ cloud_providers.lightsail.image }}" bundle_id: "{{ cloud_providers.lightsail.size }}" wait_timeout: 300 @@ -37,15 +35,7 @@ - set_fact: cloud_instance_ip: "{{ algo_instance['instance']['public_ip_address'] }}" - - - name: Add new instance to host group - add_host: - hostname: "{{ cloud_instance_ip }}" - groupname: vpn-host ansible_ssh_user: ubuntu - ansible_python_interpreter: "/usr/bin/python2.7" - ansible_ssh_private_key_file: "{{ SSH_keys.private }}" - cloud_provider: lightsail rescue: - debug: var=fail_hint diff --git a/roles/cloud-lightsail/tasks/prompts.yml b/roles/cloud-lightsail/tasks/prompts.yml new file mode 100644 index 00000000..26d50a57 --- /dev/null +++ b/roles/cloud-lightsail/tasks/prompts.yml 
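Review bot: In the `gce_regions` template the separator `{% if not loop.last %},{% endif %}` sits outside the `status == "UP"` checks, so a zone or region that is not UP still contributes a comma and the rendered text can contain `,,`. Whether Ansible still converts that text into a list is not visible here; if it does not, `gce_regions` stays a string, and the numbered prompt and `gce_regions[... | int - 1]` would then walk characters instead of zone names. Filtering first and letting Jinja build the list avoids hand-placed separators, for example `selectattr('status', 'equalto', 'UP')` on regions and on each region's zones followed by `map(attribute='name') | list`.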
@@ -0,0 +1,60 @@ +--- +- pause: + prompt: | + Enter your aws_access_key (http://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html) + Note: Make sure to use an IAM user with an acceptable policy attached (see https://github.com/trailofbits/algo/blob/master/docs/deploy-from-ansible.md) + echo: false + register: _aws_access_key + when: + - aws_access_key is undefined + - lookup('env','AWS_ACCESS_KEY_ID')|length <= 0 + +- pause: + prompt: | + Enter your aws_secret_key (http://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html) + echo: false + register: _aws_secret_key + when: + - aws_secret_key is undefined + - lookup('env','AWS_SECRET_ACCESS_KEY')|length <= 0 + +- set_fact: + access_key: "{{ aws_access_key | default(_aws_access_key.user_input|default(None)) | default(lookup('env','AWS_ACCESS_KEY_ID'), true) }}" + secret_key: "{{ aws_secret_key | default(_aws_secret_key.user_input|default(None)) | default(lookup('env','AWS_SECRET_ACCESS_KEY'), true) }}" + +- block: + - name: Get regions + lightsail_region_facts: + aws_access_key: "{{ access_key }}" + aws_secret_key: "{{ secret_key }}" + register: _lightsail_regions + + - name: Set facts about thre regions + set_fact: + lightsail_regions: "{{ _lightsail_regions.results.regions | sort(attribute='name') }}" + + - name: Set the default region + set_fact: + default_region: >- + {% for r in lightsail_regions %} + {%- if r['name'] == "eu-west-1" %}{{ loop.index }}{% endif %} + {%- endfor %} + + - pause: + prompt: | + What region should the server be located in? + (https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/) + {% for r in lightsail_regions %} + {{ loop.index }}. 
{{ r['name'] }} {{ r['displayName'] }} + {% endfor %} + + Enter the number of your desired region + [{{ default_region }}] + register: _algo_region + when: region is undefined + +- set_fact: + algo_region: >- + {% if region is defined %}{{ region }} + {%- elif _algo_region.user_input is defined and _algo_region.user_input != "" %}{{ lightsail_regions[_algo_region.user_input | int -1 ]['name'] }} + {%- else %}{{ lightsail_regions[default_region | int - 1]['name'] }}{% endif %} diff --git a/roles/cloud-openstack/tasks/main.yml b/roles/cloud-openstack/tasks/main.yml index d470e89e..8fb1e6b0 100644 --- a/roles/cloud-openstack/tasks/main.yml +++ b/roles/cloud-openstack/tasks/main.yml @@ -1,4 +1,8 @@ --- +- fail: + msg: "OpenStack credentials are not set. Download it from the OpenStack dashboard->Compute->API Access and source it in the shell (eg: source /tmp/dhc-openrc.sh)" + when: lookup('env', 'OS_AUTH_URL') == "" + - block: - name: Security group created os_security_group: @@ -70,15 +74,7 @@ - set_fact: cloud_instance_ip: "{{ os_server['openstack']['public_v4'] }}" - - - name: Add new instance to host group - add_host: - hostname: "{{ cloud_instance_ip }}" - groupname: vpn-host ansible_ssh_user: ubuntu - ansible_python_interpreter: "/usr/bin/python2.7" - ansible_ssh_private_key_file: "{{ SSH_keys.private }}" - cloud_provider: openstack rescue: - debug: var=fail_hint diff --git a/roles/cloud-scaleway/defaults/main.yml b/roles/cloud-scaleway/defaults/main.yml new file mode 100644 index 00000000..00c1dc10 --- /dev/null +++ b/roles/cloud-scaleway/defaults/main.yml @@ -0,0 +1,4 @@ +--- +scaleway_regions: + - alias: par1 + - alias: ams1 diff --git a/roles/cloud-scaleway/tasks/main.yml b/roles/cloud-scaleway/tasks/main.yml index 1bc939b8..9242fb3a 100644 --- a/roles/cloud-scaleway/tasks/main.yml +++ b/roles/cloud-scaleway/tasks/main.yml 
@@ -1,11 +1,14 @@ - block: + - name: Include prompts + import_tasks: prompts.yml + - name: Check if server exists uri: url: "https://cp-{{ algo_region }}.scaleway.com/servers" method: GET headers: Content-Type: 'application/json' - X-Auth-Token: "{{ scaleway_auth_token }}" + X-Auth-Token: "{{ algo_scaleway_token }}" status_code: 200 register: scaleway_servers @@ -24,7 +27,7 @@ method: GET headers: Content-Type: 'application/json' - X-Auth-Token: "{{ scaleway_auth_token }}" + X-Auth-Token: "{{ algo_scaleway_token }}" status_code: 200 register: scaleway_organizations @@ -32,7 +35,7 @@ set_fact: organization_id: "{{ item.id }}" no_log: true - when: scaleway_organization == item.name + when: algo_scaleway_org == item.name with_items: "{{ scaleway_organizations.json.organizations }}" - name: Get total count of images @@ -41,7 +44,7 @@ method: GET headers: Content-Type: 'application/json' - X-Auth-Token: "{{ scaleway_auth_token }}" + X-Auth-Token: "{{ algo_scaleway_token }}" status_code: 200 register: scaleway_pages @@ -68,7 +71,7 @@ method: POST headers: Content-Type: 'application/json' - X-Auth-Token: "{{ scaleway_auth_token }}" + X-Auth-Token: "{{ algo_scaleway_token }}" body: organization: "{{ organization_id }}" name: "{{ algo_server_name }}" @@ -94,7 +97,7 @@ method: POST headers: Content-Type: application/json - X-Auth-Token: "{{ scaleway_auth_token }}" + X-Auth-Token: "{{ algo_scaleway_token }}" body: action: poweron status_code: 202 @@ -108,7 +111,7 @@ method: GET headers: Content-Type: 'application/json' - X-Auth-Token: "{{ scaleway_auth_token }}" + X-Auth-Token: "{{ algo_scaleway_token }}" status_code: 200 until: - algo_instance.json.server.state is defined 
@@ -119,15 +122,7 @@ - set_fact: cloud_instance_ip: "{{ algo_instance['json']['server']['public_ip']['address'] }}" - - - name: Add new instance to host group - add_host: - hostname: "{{ cloud_instance_ip }}" - groupname: vpn-host ansible_ssh_user: root - ansible_python_interpreter: "/usr/bin/python2.7" - ansible_ssh_private_key_file: "{{ SSH_keys.private }}" - cloud_provider: scaleway rescue: - debug: var=fail_hint diff --git a/roles/cloud-scaleway/tasks/prompts.yml b/roles/cloud-scaleway/tasks/prompts.yml new file mode 100644 index 00000000..22c3f1aa --- /dev/null +++ b/roles/cloud-scaleway/tasks/prompts.yml @@ -0,0 +1,34 @@ +--- +- pause: + prompt: | + Enter your auth token (https://www.scaleway.com/docs/generate-an-api-token/) + echo: false + register: _scaleway_token + when: scaleway_token is undefined + +- pause: + prompt: | + Enter your organization name (https://cloud.scaleway.com/#/billing) + register: _scaleway_org + when: scaleway_org is undefined + +- pause: + prompt: | + What region should the server be located in? + {% for r in scaleway_regions %} + {{ loop.index }}. {{ r['alias'] }} + {% endfor %} + + Enter the number of your desired region + [{{ scaleway_regions.0.alias }}] + register: _algo_region + when: region is undefined + +- name: Set scaleway facts + set_fact: + algo_scaleway_token: "{{ scaleway_token | default(_scaleway_token.user_input) }}" + algo_scaleway_org: "{{ scaleway_org | default(_scaleway_org.user_input|default(omit)) }}" + algo_region: >- + {% if region is defined %}{{ region }} + {%- elif _algo_region.user_input is defined and _algo_region.user_input != "" %}{{ scaleway_regions[_algo_region.user_input | int -1 ]['alias'] }} + {%- else %}{{ scaleway_regions.0.alias }}{% endif %} diff --git a/roles/cloud-vultr/tasks/main.yml b/roles/cloud-vultr/tasks/main.yml new file mode 100644 index 00000000..78e514d0 --- /dev/null +++ b/roles/cloud-vultr/tasks/main.yml 
@@ -0,0 +1,36 @@ +- block: + - name: Include prompts + import_tasks: prompts.yml + + - name: Upload the SSH key + vr_ssh_key: + name: "{{ SSH_keys.comment }}" + ssh_key: "{{ lookup('file', '{{ SSH_keys.public }}') }}" + register: ssh_key + + - name: Creating a server + vr_server: + name: "{{ algo_server_name }}" + hostname: "{{ algo_server_name }}" + os: "{{ cloud_providers.vultr.os }}" + plan: "{{ cloud_providers.vultr.size }}" + region: "{{ algo_vultr_region }}" + state: started + tag: Environment:Algo + ssh_key: "{{ ssh_key.vultr_ssh_key.name }}" + ipv6_enabled: true + auto_backup_enabled: false + notify_activate: false + register: vultr_server + + - set_fact: + cloud_instance_ip: "{{ vultr_server.vultr_server.v4_main_ip }}" + ansible_ssh_user: root + + environment: + VULTR_API_CONFIG: "{{ algo_vultr_config }}" + rescue: + - debug: var=fail_hint + tags: always + - fail: + tags: always diff --git a/roles/cloud-vultr/tasks/prompts.yml b/roles/cloud-vultr/tasks/prompts.yml new file mode 100644 index 00000000..84e0cfd9 --- /dev/null +++ b/roles/cloud-vultr/tasks/prompts.yml 
@@ -0,0 +1,56 @@ +--- +- pause: + prompt: | + Enter the local path to your configuration INI file + (https://github.com/trailofbits/algo/docs/cloud-vultr.md): + register: _vultr_config + when: vultr_config is undefined + +- name: Set the token as a fact + set_fact: + algo_vultr_config: "{{ vultr_config | default(_vultr_config.user_input) | default(lookup('env','VULTR_API_CONFIG'), true) }}" + +- name: Get regions + uri: + url: https://api.vultr.com/v1/regions/list + method: GET + status_code: 200 + register: _vultr_regions + +- name: Format regions + set_fact: + regions: >- + [ {% for k, v in _vultr_regions.json.items() %} + {{ v }}{% if not loop.last %},{% endif %} + {% endfor %} ] + +- name: Set regions as a fact + set_fact: + vultr_regions: "{{ regions | sort(attribute='country') }}" + +- name: Set default region + set_fact: + default_region: >- + {% for r in vultr_regions %} + {%- if r['DCID'] == "1" %}{{ loop.index }}{% endif %} + {%- endfor %} + +- pause: + prompt: | + What region should the server be located in? + (https://www.vultr.com/locations/): + {% for r in vultr_regions %} + {{ loop.index }}. {{ r['name'] }} + {% endfor %} + + Enter the number of your desired region + [{{ default_region }}] + register: _algo_region + when: region is undefined + +- name: Set the desired region as a fact + set_fact: + algo_vultr_region: >- + {% if region is defined %}{{ region }} + {%- elif _algo_region.user_input is defined and _algo_region.user_input != "" %}{{ vultr_regions[_algo_region.user_input | int -1 ]['name'] }} + {%- else %}{{ vultr_regions[default_region | int - 1]['name'] }}{% endif %} diff --git a/roles/common/tasks/facts.yml b/roles/common/tasks/facts.yml new file mode 100644 index 00000000..8182cf20 --- /dev/null +++ b/roles/common/tasks/facts.yml 
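Review bot: The first `pause` is guarded only by `when: vultr_config is undefined`, so a user who exported `VULTR_API_CONFIG` is still prompted, unlike the AWS prompts in this patch, which also test the environment. Adding `- lookup('env','VULTR_API_CONFIG')|length <= 0` to the `when` list would match them. The task name `Set the token as a fact` is misleading because the value is the path to an INI file, and the help URL `https://github.com/trailofbits/algo/docs/cloud-vultr.md` lacks the `blob/master` segment that the EC2 prompt's link uses.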
@@ -0,0 +1,26 @@ +--- +- block: + - name: Generate password for the CA key + local_action: + module: shell + openssl rand -hex 16 + register: CA_password + + - name: Generate p12 export password + local_action: + module: shell + openssl rand 8 | python -c 'import sys,string; chars=string.ascii_letters + string.digits + "_@"; print "".join([chars[ord(c) % 64] for c in list(sys.stdin.read())])' + register: p12_password_generated + when: p12_password is not defined + tags: update-users + become: false + +- name: Define facts + set_fact: + p12_export_password: "{{ p12_password|default(p12_password_generated.stdout) }}" + tags: update-users + +- set_fact: + CA_password: "{{ CA_password.stdout }}" + IP_subject_alt_name: "{{ IP_subject_alt_name }}" + ipv6_support: "{% if ansible_default_ipv6['gateway'] is defined %}true{% else %}false{% endif %}" diff --git a/roles/common/tasks/freebsd.yml b/roles/common/tasks/freebsd.yml index 67d247d8..dc52931c 100644 --- a/roles/common/tasks/freebsd.yml +++ b/roles/common/tasks/freebsd.yml @@ -1,6 +1,13 @@ --- - - set_fact: + config_prefix: "/usr/local/" + root_group: wheel + ssh_service_name: sshd + apparmor_enabled: false + strongswan_additional_plugins: + - kernel-pfroute + - kernel-pfkey + ansible_python_interpreter: /usr/local/bin/python2.7 tools: - git - subversion @@ -17,6 +24,15 @@ tags: - always +- setup: + +- name: Install tools + package: name="{{ item }}" state=present + with_items: + - "{{ tools|default([]) }}" + tags: + - always + - name: Loopback included into the rc config blockinfile: dest: /etc/rc.conf diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index 5b6aa438..73e6783f 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml 
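Review bot: The `Generate p12 export password` task draws only 8 random bytes and maps each onto a 64-character alphabet, which gives about 48 bits for a password that protects the exported client key offline. It also relies on a Python 2 `print` statement in whatever `python` the control machine provides. Ansible's password lookup can produce the value without the shell pipeline, e.g. `p12_export_password: "{{ p12_password | default(lookup('password', '/dev/null length=16 chars=ascii_letters,digits')) }}"`. If the short length is deliberate because users type it on a phone, a comment saying so would help the next reader.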
@@ -1,26 +1,26 @@ --- - block: - - include_tasks: ubuntu.yml - when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu' + - name: Check the system + raw: uname -a + register: OS - - include_tasks: freebsd.yml - when: ansible_distribution == 'FreeBSD' + - include_tasks: ubuntu.yml + when: '"Ubuntu" in OS.stdout or "Linux" in OS.stdout' - - name: Install tools - package: name="{{ item }}" state=present - with_items: - - "{{ tools|default([]) }}" - tags: - - always + - include_tasks: freebsd.yml + when: '"FreeBSD" in OS.stdout' - - name: Sysctl tuning - sysctl: name="{{ item.item }}" value="{{ item.value }}" - with_items: - - "{{ sysctl|default([]) }}" - tags: - - always + - name: Gather additional facts + import_tasks: facts.yml - - meta: flush_handlers + - name: Sysctl tuning + sysctl: name="{{ item.item }}" value="{{ item.value }}" + with_items: + - "{{ sysctl|default([]) }}" + tags: + - always + + - meta: flush_handlers rescue: - debug: var=fail_hint tags: always diff --git a/roles/common/tasks/ubuntu.yml b/roles/common/tasks/ubuntu.yml index f2799ab0..fee3af42 100644 --- a/roles/common/tasks/ubuntu.yml +++ b/roles/common/tasks/ubuntu.yml 
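Review bot: The new condition `"Ubuntu" in OS.stdout or "Linux" in OS.stdout` matches every Linux host, so ubuntu.yml, which begins with `apt`, now also runs on distributions that the old `ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'` test excluded. A host that matches neither condition runs no OS tasks at all before facts.yml. Because facts are not gathered yet at this point, a `raw` read of `/etc/os-release` would keep the early check specific, and a `fail` task for unsupported systems would give a clear message instead of a later `apt` error. The `rescue` part of this block continues beyond the hunk.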
@@ -1,52 +1,69 @@ --- +- block: + - name: Ubuntu | Install prerequisites + apt: + name: "{{ item }}" + update_cache: true + with_items: + - python2.7 + - sudo + + - name: Ubuntu | Configure defaults + alternatives: + name: python + link: /usr/bin/python + path: /usr/bin/python2.7 + priority: 1 + tags: + - update-alternatives + vars: + ansible_python_interpreter: /usr/bin/python3 + +- name: Gather facts + setup: + - name: Cloud only tasks block: - - name: Install software updates - apt: - update_cache: true - install_recommends: true - upgrade: dist + - name: Install software updates + apt: + update_cache: true + install_recommends: true + upgrade: dist - - name: Upgrade the ca certificates - apt: - name: ca-certificates - state: latest + - name: Check if reboot is required + shell: > + if [[ -e /var/run/reboot-required ]]; then echo "required"; else echo "no"; fi + args: + executable: /bin/bash + register: reboot_required - - name: Check if reboot is required - shell: > - if [[ -e /var/run/reboot-required ]]; then echo "required"; else echo "no"; fi - args: - executable: /bin/bash - register: reboot_required + - name: Reboot + shell: sleep 2 && shutdown -r now "Ansible updates triggered" + async: 1 + poll: 0 + when: reboot_required is defined and reboot_required.stdout == 'required' + ignore_errors: true - - name: Reboot - shell: sleep 2 && shutdown -r now "Ansible updates triggered" - async: 1 - poll: 0 - when: reboot_required is defined and reboot_required.stdout == 'required' - ignore_errors: true + - name: Wait until SSH becomes ready... + local_action: + module: wait_for + port: 22 + host: "{{ inventory_hostname }}" + search_regex: OpenSSH + delay: 10 + timeout: 320 + when: reboot_required is defined and reboot_required.stdout == 'required' + become: false + when: algo_provider != "local" - - name: Wait until SSH becomes ready... 
- local_action: - module: wait_for - port: 22 - host: "{{ inventory_hostname }}" - search_regex: OpenSSH - delay: 10 - timeout: 320 - when: reboot_required is defined and reboot_required.stdout == 'required' - become: false +- name: Include unatteded upgrades configuration + import_tasks: unattended-upgrades.yml - - name: Include unatteded upgrades configuration - include_tasks: unattended-upgrades.yml - - - name: Disable MOTD on login and SSHD - replace: dest="{{ item.file }}" regexp="{{ item.regexp }}" replace="{{ item.line }}" - with_items: - - { regexp: '^session.*optional.*pam_motd.so.*', line: '# MOTD DISABLED', file: '/etc/pam.d/login' } - - { regexp: '^session.*optional.*pam_motd.so.*', line: '# MOTD DISABLED', file: '/etc/pam.d/sshd' } - tags: - - cloud +- name: Disable MOTD on login and SSHD + replace: dest="{{ item.file }}" regexp="{{ item.regexp }}" replace="{{ item.line }}" + with_items: + - { regexp: '^session.*optional.*pam_motd.so.*', line: '# MOTD DISABLED', file: '/etc/pam.d/login' } + - { regexp: '^session.*optional.*pam_motd.so.*', line: '# MOTD DISABLED', file: '/etc/pam.d/sshd' } - name: Loopback for services configured template: @@ -101,3 +118,10 @@ value: 1 tags: - always + +- name: Install tools + package: name="{{ item }}" state=present + with_items: + - "{{ tools|default([]) }}" + tags: + - always diff --git a/roles/dns_adblocking/meta/main.yml b/roles/dns_adblocking/meta/main.yml deleted file mode 100644 index 5543bcab..00000000 --- a/roles/dns_adblocking/meta/main.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- - -dependencies: - - { role: common, tags: common } - - role: dns_encryption - tags: dns_encryption - when: dns_encryption == true diff --git a/roles/dns_adblocking/tasks/main.yml b/roles/dns_adblocking/tasks/main.yml index a68abeed..b276d355 100644 --- a/roles/dns_adblocking/tasks/main.yml +++ b/roles/dns_adblocking/tasks/main.yml 
@@ -1,10 +1,5 @@ --- - block: - - - name: The DNS tag is defined - set_fact: - local_dns: true - - name: Dnsmasq installed package: name=dnsmasq diff --git a/roles/dns_adblocking/templates/dnsmasq.conf.j2 b/roles/dns_adblocking/templates/dnsmasq.conf.j2 index 0e6e72f5..c52b6b9c 100644 --- a/roles/dns_adblocking/templates/dnsmasq.conf.j2 +++ b/roles/dns_adblocking/templates/dnsmasq.conf.j2 @@ -88,7 +88,7 @@ no-resolv # You can control how dnsmasq talks to a server: this forces # queries to 10.1.2.3 to be routed via eth1 # server=10.1.2.3@eth1 -{% if dns_encryption|default(false)|bool == true %} +{% if dns_encryption %} server={{ local_service_ip }}#5353 {% else %} {% for host in dns_servers.ipv4 %} diff --git a/roles/dns_encryption/defaults/main.yml b/roles/dns_encryption/defaults/main.yml index df031a90..5997f58a 100644 --- a/roles/dns_encryption/defaults/main.yml +++ b/roles/dns_encryption/defaults/main.yml @@ -1,7 +1,9 @@ --- -listen_port: "{% if local_dns|d(false)|bool == true %}5353{% else %}53{% endif %}" +algo_local_dns: false +listen_port: "{% if algo_local_dns %}5353{% else %}53{% endif %}" # the version used if the latest unavailable (in case of Github API rate limited) dnscrypt_proxy_version: 2.0.10 apparmor_enabled: true dns_encryption: true dns_encryption_provider: "*" +ipv6_support: false diff --git a/roles/dns_encryption/handlers/main.yml b/roles/dns_encryption/handlers/main.yml index 7947ef11..fe677147 100644 --- a/roles/dns_encryption/handlers/main.yml +++ b/roles/dns_encryption/handlers/main.yml @@ -8,3 +8,10 @@ name: dnscrypt-proxy state: restarted daemon_reload: true + when: ansible_distribution == 'Ubuntu' + +- name: restart dnscrypt-proxy + service: + name: dnscrypt-proxy + state: restarted + when: ansible_distribution == 'FreeBSD' diff --git a/roles/dns_encryption/meta/main.yml b/roles/dns_encryption/meta/main.yml deleted file mode 100644 index 9119c109..00000000 --- a/roles/dns_encryption/meta/main.yml +++ /dev/null 
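Review bot: Replacing `dns_encryption|default(false)|bool == true` with a bare `{% if dns_encryption %}` makes the test depend on the variable's type. A value passed as `-e dns_encryption=false` arrives as the non-empty string `false`, which is truthy, so dnsmasq would be pointed at `{{ local_service_ip }}#5353` even though encryption was switched off. Keeping the cast, `{% if dns_encryption | bool %}`, preserves the simplification without that trap. The new `listen_port` default in roles/dns_encryption/defaults/main.yml has the same shape with `{% if algo_local_dns %}` and would benefit from `| bool` as well.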
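Review bot: The added FreeBSD handler is named `restart dnscrypt-proxy`, and the handler just above it, which now gets `when: ansible_distribution == 'Ubuntu'`, may carry the same name (its `name:` line is outside the hunk). Ansible keeps only the last handler defined under a given name, so in that case a notification on Ubuntu would reach the FreeBSD variant, be skipped by its `when`, and leave dnscrypt-proxy running with the old configuration. Distinct names tied to a shared topic avoid this: name the handlers individually, e.g. `restart dnscrypt-proxy (FreeBSD)`, and add `listen: restart dnscrypt-proxy` to both.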
@@ -1,4 +0,0 @@ ---- -dependencies: - - role: common - tags: common diff --git a/roles/dns_encryption/tasks/ubuntu.yml b/roles/dns_encryption/tasks/ubuntu.yml index f42d0a90..13ba1709 100644 --- a/roles/dns_encryption/tasks/ubuntu.yml +++ b/roles/dns_encryption/tasks/ubuntu.yml @@ -5,7 +5,7 @@ codename: bionic repo: ppa:shevchuk/dnscrypt-proxy register: result - until: result|succeeded + until: result is succeeded retries: 10 delay: 3 diff --git a/roles/dns_encryption/templates/dnscrypt-proxy.toml.j2 b/roles/dns_encryption/templates/dnscrypt-proxy.toml.j2 index f99aeda0..18a8bebb 100644 --- a/roles/dns_encryption/templates/dnscrypt-proxy.toml.j2 +++ b/roles/dns_encryption/templates/dnscrypt-proxy.toml.j2 @@ -134,7 +134,7 @@ tls_disable_session_tickets = true ## Keep tls_cipher_suite empty if you have issues fetching sources or ## connecting to some DoH servers. Google and Cloudflare are fine with it. -tls_cipher_suite = [49195] +# tls_cipher_suite = [49195] ## Fallback resolver diff --git a/roles/local/handlers/main.yml b/roles/local/handlers/main.yml deleted file mode 100644 index e69de29b..00000000 diff --git a/roles/local/tasks/main.yml b/roles/local/tasks/main.yml index 555baa45..5803cff9 100644 --- a/roles/local/tasks/main.yml +++ b/roles/local/tasks/main.yml 
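Review bot: Commenting out `tls_cipher_suite = [49195]` removes the pin to a single ECDHE-ECDSA AES-128-GCM suite and leaves suite selection to dnscrypt-proxy's defaults, but neither the template nor the commit says why. A one-line comment above it would stop a later editor from re-enabling the pin blindly. If the reason is the one the surrounding text already mentions, something like `## Left unset on purpose: pinning a single suite caused problems fetching sources` would do.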
@@ -1,40 +1,8 @@ --- - block: - - name: Add the instance to an inventory group - add_host: - name: "{{ server_ip }}" - groups: vpn-host - ansible_ssh_user: "{{ server_user }}" - ansible_python_interpreter: "/usr/bin/python2.7" - cloud_provider: local - when: server_ip != "localhost" + - name: Include prompts + import_tasks: prompts.yml - - name: Add the instance to an inventory group - add_host: - name: "{{ server_ip }}" - groups: vpn-host - ansible_ssh_user: "{{ server_user }}" - ansible_python_interpreter: "/usr/bin/python2.7" - ansible_connection: local - cloud_provider: local - when: server_ip == "localhost" - - - set_fact: - cloud_instance_ip: "{{ server_ip }}" - - - name: Ensure the group local exists in the dynamic inventory file - lineinfile: - state: present - dest: configs/inventory.dynamic - line: '[local]' - - - name: Populate the dynamic inventory - lineinfile: - state: present - dest: configs/inventory.dynamic - insertafter: '\[local\]' - regexp: "^{{ server_ip }}.*" - line: "{{ server_ip }}" rescue: - debug: var=fail_hint tags: always diff --git a/roles/local/tasks/prompts.yml b/roles/local/tasks/prompts.yml new file mode 100644 index 00000000..1f5edc2e --- /dev/null +++ b/roles/local/tasks/prompts.yml 
@@ -0,0 +1,44 @@ +--- +- pause: + prompt: | + Enter the IP address of your server: (or use localhost for local installation): + [localhost] + register: _algo_server + when: server is undefined + +- name: Set the facts + set_fact: + cloud_instance_ip: >- + {% if server is defined %}{{ server }} + {%- elif _algo_server.user_input is defined and _algo_server.user_input != "" %}{{ _algo_server.user_input }} + {%- else %}localhost{% endif %} + +- pause: + prompt: | + What user should we use to login on the server? (note: passwordless login required, or ignore if you're deploying to localhost) + [root] + register: _algo_ssh_user + when: + - ssh_user is undefined + - cloud_instance_ip != "localhost" + +- name: Set the facts + set_fact: + ansible_ssh_user: >- + {% if ssh_user is defined %}{{ ssh_user }} + {%- elif _algo_ssh_user.user_input is defined and _algo_ssh_user.user_input != "" %}{{ _algo_ssh_user.user_input }} + {%- else %}root{% endif %} + +- pause: + prompt: | + Enter the public IP address of your server: (IMPORTANT! This IP is used to verify the certificate) + [{{ cloud_instance_ip }}] + register: _endpoint + when: endpoint is undefined + +- name: Set the facts + set_fact: + IP_subject_alt_name: >- + {% if endpoint is defined %}{{ endpoint }} + {%- elif _endpoint.user_input is defined and _endpoint.user_input != "" %}{{ _endpoint.user_input }} + {%- else %}{{ cloud_instance_ip }}{% endif %} diff --git a/roles/ssh_tunneling/meta/main.yml b/roles/ssh_tunneling/meta/main.yml deleted file mode 100644 index e985f927..00000000 --- a/roles/ssh_tunneling/meta/main.yml +++ /dev/null @@ -1,4 +0,0 @@ ---- - -dependencies: - - { role: common, tags: common } diff --git a/roles/ssh_tunneling/tasks/main.yml b/roles/ssh_tunneling/tasks/main.yml index 8a1d4965..860a329d 100644 --- a/roles/ssh_tunneling/tasks/main.yml +++ b/roles/ssh_tunneling/tasks/main.yml 
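Review bot: The endpoint prompt in prompts.yml stores whatever is typed into `IP_subject_alt_name` without checking it, and that value is later used in file paths under `configs/` and inside `shell:` commands elsewhere in this patch (the `ssh-keyscan {{ IP_subject_alt_name }}` task and the openssl tasks). A check right after the last `set_fact` would reject anything that is not an address before it reaches those tasks: `- assert: { that: "IP_subject_alt_name is match('^[0-9A-Fa-f:.]+$')" }`. The same applies to `cloud_instance_ip`, if only addresses and `localhost` are meant to be accepted there. The three `set_fact` tasks all carry the name "Set the facts"; distinct names would make a failed run easier to read.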
@@ -36,11 +36,12 @@ ssh_key_type: ecdsa ssh_key_bits: 256 ssh_key_comment: '{{ item }}@{{ IP_subject_alt_name }}' - ssh_key_passphrase: "{{ easyrsa_p12_export_password }}" + ssh_key_passphrase: "{{ p12_export_password }}" update_password: on_create state: present append: yes with_items: "{{ users }}" + tags: update-users - name: The authorized keys file created file: @@ -50,6 +51,7 @@ group: "{{ item }}" state: link with_items: "{{ users }}" + tags: update-users - name: Generate SSH fingerprints shell: ssh-keyscan {{ IP_subject_alt_name }} 2>/dev/null @@ -60,12 +62,9 @@ src: '/var/jail/{{ item }}/.ssh/id_ecdsa' dest: configs/{{ IP_subject_alt_name }}/{{ item }}.ssh.pem flat: yes + mode: "0600" with_items: "{{ users }}" - - - name: Change mode for SSH private keys - local_action: file path=configs/{{ IP_subject_alt_name }}/{{ item }}.ssh.pem mode=0600 - with_items: "{{ users }}" - become: false + tags: update-users - name: Fetch the known_hosts file local_action: @@ -80,15 +79,15 @@ src: ssh_config.j2 dest: configs/{{ IP_subject_alt_name }}/{{ item }}.ssh_config mode: 0600 - become: no - with_items: - - "{{ users }}" + become: false + tags: update-users + with_items: "{{ users }}" - name: SSH | Get active system users shell: > getent group algo | cut -f4 -d: | sed "s/,/\n/g" register: valid_users - when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y" + tags: update-users - name: SSH | Delete non-existing users user: @@ -96,8 +95,9 @@ state: absent remove: yes force: yes - when: item not in users and ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y" + when: item not in users with_items: "{{ valid_users.stdout_lines | default('null') }}" + tags: update-users rescue: - debug: var=fail_hint tags: always diff --git a/roles/vpn/defaults/main.yml b/roles/vpn/defaults/main.yml index f969fb29..51b06bf8 100644 --- a/roles/vpn/defaults/main.yml +++ b/roles/vpn/defaults/main.yml 
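Review bot: In the `@@ -60,12 +62,9 @@` hunk the separate "Change mode for SSH private keys" task is replaced by `mode: "0600"` on the `fetch` task, but as far as I know `fetch` does not document a `mode` option, so the fetched `{{ item }}.ssh.pem` private keys may be left with umask-default permissions on the control machine. Unless the option is confirmed to take effect on the Ansible version this refactor targets, the follow-up step should stay, now tagged for user updates: `local_action: file path=configs/{{ IP_subject_alt_name }}/{{ item }}.ssh.pem mode=0600` with `become: false` and `tags: update-users`. The enclosing block starts and ends outside this hunk.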
@@ -1,5 +1,37 @@ --- +BetweenClients_DROP: true +wireguard_config_path: "configs/{{ IP_subject_alt_name }}/wireguard/" +wireguard_interface: wg0 +wireguard_network_ipv4: + subnet: 10.19.49.0 + prefix: 24 + gateway: 10.19.49.1 + clients_range: 10.19.49 + clients_start: 100 +wireguard_network_ipv6: + subnet: 'fd9d:bc11:4021::' + prefix: 48 + gateway: 'fd9d:bc11:4021::1' + clients_range: 'fd9d:bc11:4021::' + clients_start: 100 +wireguard_vpn_network: "{{ wireguard_network_ipv4['subnet'] }}/{{ wireguard_network_ipv4['prefix'] }}" +wireguard_vpn_network_ipv6: "{{ wireguard_network_ipv6['subnet'] }}/{{ wireguard_network_ipv6['prefix'] }}" +keys_clean_all: false +wireguard_dns_servers: >- + {% if local_dns|default(false)|bool or dns_encryption|default(false)|bool == true %} + {{ local_service_ip }} + {% else %} + {% for host in dns_servers.ipv4 %}{{ host }}{% if not loop.last %},{% endif %}{% endfor %}{% if ipv6_support %},{% for host in dns_servers.ipv6 %}{{ host }}{% if not loop.last %},{% endif %}{% endfor %}{% endif %} + {% endif %} + +algo_ondemand_cellular: false +algo_ondemand_wifi: false +algo_ondemand_wifi_exclude: '_null' +algo_windows: false +algo_store_cakey: false +algo_local_dns: false ipv6_support: false +dns_encryption: true domain: false subjectAltName_IP: "IP:{{ IP_subject_alt_name }}" openssl_bin: openssl diff --git a/roles/vpn/meta/main.yml b/roles/vpn/meta/main.yml index 5543bcab..5f86e875 100644 --- a/roles/vpn/meta/main.yml +++ b/roles/vpn/meta/main.yml @@ -1,7 +1,6 @@ --- dependencies: - - { role: common, tags: common } - role: dns_encryption tags: dns_encryption - when: dns_encryption == true + when: dns_encryption diff --git a/roles/vpn/tasks/client_configs.yml b/roles/vpn/tasks/client_configs.yml index 52dff83c..827bef76 100644 --- a/roles/vpn/tasks/client_configs.yml +++ b/roles/vpn/tasks/client_configs.yml 
@@ -37,23 +37,12 @@ with_items: - "{{ users }}" -- name: Create the windows check file - file: - state: touch - path: configs/{{ IP_subject_alt_name }}/.supports_windows - when: Win10_Enabled is defined and Win10_Enabled == "Y" - -- name: Check if the windows check file exists - stat: - path: configs/{{ IP_subject_alt_name }}/.supports_windows - register: supports_windows - - name: Build the windows client powershell script template: src: client_windows.ps1.j2 dest: configs/{{ IP_subject_alt_name }}/windows_{{ item.0 }}.ps1 mode: 0600 - when: Win10_Enabled is defined and Win10_Enabled == "Y" or supports_windows.stat.exists == true + when: algo_windows with_together: - "{{ users }}" - "{{ PayloadContent.results }}" diff --git a/roles/vpn/tasks/freebsd.yml b/roles/vpn/tasks/freebsd.yml deleted file mode 100644 index 43cfbf63..00000000 --- a/roles/vpn/tasks/freebsd.yml +++ /dev/null 
@@ -1,114 +0,0 @@ ---- - -- name: FreeBSD / HardenedBSD | Get the existing kernel parameters - command: sysctl -b kern.conftxt - register: kern_conftxt - when: rebuild_kernel is defined and rebuild_kernel == "true" - -- name: FreeBSD / HardenedBSD | Set the rebuild_needed fact - set_fact: - rebuild_needed: true - when: item not in kern_conftxt.stdout and rebuild_kernel is defined and rebuild_kernel == "true" - with_items: - - "IPSEC" - - "IPSEC_NAT_T" - - "crypto" - -- name: FreeBSD / HardenedBSD | Make the kernel config - shell: sysctl -b kern.conftxt > /tmp/IPSEC - when: rebuild_needed is defined and rebuild_needed == true - -- name: FreeBSD / HardenedBSD | Ensure the all options are enabled - lineinfile: - dest: /tmp/IPSEC - line: "{{ item }}" - insertbefore: BOF - with_items: - - "options IPSEC" - - "options IPSEC_NAT_T" - - "device crypto" - when: rebuild_needed is defined and rebuild_needed == true - -- name: HardenedBSD | Determine the sources - set_fact: - sources_repo: https://github.com/HardenedBSD/hardenedBSD.git - sources_version: "hardened/{{ ansible_distribution_release.split('.')[0] }}-stable/master" - when: "'Hardened' in ansible_distribution_version" - -- name: FreeBSD | Determine the sources - set_fact: - sources_repo: https://github.com/freebsd/freebsd.git - sources_version: "stable/{{ ansible_distribution_major_version }}" - when: "'Hardened' not in ansible_distribution_version" - -- name: FreeBSD / HardenedBSD | Increase the git postBuffer size - git_config: - name: http.postBuffer - scope: global - value: 1048576000 - -- block: - - name: FreeBSD / HardenedBSD | Fetching the sources... - git: - repo: "{{ sources_repo }}" - dest: /usr/krnl_src - version: "{{ sources_version }}" - accept_hostkey: true - async: 1000 - poll: 0 - register: fetching_sources - - - name: FreeBSD / HardenedBSD | Fetching the sources... 
- async_status: jid={{ fetching_sources.ansible_job_id }} - when: rebuild_needed is defined and rebuild_needed == true - register: result - until: result.finished - retries: 600 - delay: 30 - rescue: - - debug: var=fetching_sources - - - fail: - msg: "Something went wrong. Check the debug output above." - -- block: - - name: FreeBSD / HardenedBSD | The kernel is being built... - shell: > - mv /tmp/IPSEC /usr/krnl_src/sys/{{ ansible_architecture }}/conf && - make buildkernel KERNCONF=IPSEC && - make installkernel KERNCONF=IPSEC - args: - chdir: /usr/krnl_src - executable: /usr/local/bin/bash - when: rebuild_needed is defined and rebuild_needed == true - async: 1000 - poll: 0 - register: building_kernel - - - name: FreeBSD / HardenedBSD | The kernel is being built... - async_status: jid={{ building_kernel.ansible_job_id }} - when: rebuild_needed is defined and rebuild_needed == true - register: result - until: result.finished - retries: 600 - delay: 30 - rescue: - - debug: var=building_kernel - - - fail: - msg: "Something went wrong. Check the debug output above." - -- name: FreeBSD / HardenedBSD | Reboot - shell: sleep 2 && shutdown -r now - args: - executable: /usr/local/bin/bash - when: rebuild_needed is defined and rebuild_needed == true - async: 1 - poll: 0 - ignore_errors: true - -- name: FreeBSD / HardenedBSD | Enable strongswan - lineinfile: - dest: /etc/rc.conf - regexp: ^strongswan_enable= - line: 'strongswan_enable="YES"' diff --git a/roles/vpn/tasks/main.yml b/roles/vpn/tasks/main.yml index 003c4761..de3a9f1d 100644 --- a/roles/vpn/tasks/main.yml +++ b/roles/vpn/tasks/main.yml @@ -1,5 +1,11 @@ --- - block: + - name: Include WireGuard role + include_role: + name: wireguard + tags: wireguard + when: wireguard_enabled and ansible_distribution == 'Ubuntu' + - name: Ensure that the strongswan group exist group: name=strongswan state=present 
@@ -9,25 +15,25 @@ - include_tasks: ubuntu.yml when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu' - - include_tasks: freebsd.yml - when: ansible_distribution == 'FreeBSD' - - name: Install strongSwan package: name=strongswan state=present - - include_tasks: ipsec_configuration.yml - - include_tasks: openssl.yml + - import_tasks: ipsec_configuration.yml + - import_tasks: openssl.yml tags: update-users - - include_tasks: distribute_keys.yml - - include_tasks: client_configs.yml + - import_tasks: distribute_keys.yml + - import_tasks: client_configs.yml delegate_to: localhost become: no tags: update-users - - meta: flush_handlers - - name: strongSwan started - service: name=strongswan state=started + service: + name: strongswan + state: started + enabled: true + + - meta: flush_handlers rescue: - debug: var=fail_hint tags: always diff --git a/roles/vpn/tasks/openssl.yml b/roles/vpn/tasks/openssl.yml index af19ae2b..acd966c6 100644 --- a/roles/vpn/tasks/openssl.yml +++ b/roles/vpn/tasks/openssl.yml @@ -9,7 +9,7 @@ file: dest: configs/{{ IP_subject_alt_name }}/pki state: absent - when: easyrsa_reinit_existent|bool == True + when: keys_clean_all|bool == True - name: Ensure the pki directories exist file: @@ -49,7 +49,7 @@ -keyout private/cakey.pem -out cacert.pem -x509 -days 3650 -batch - -passout pass:"{{ easyrsa_CA_password }}" && + -passout pass:"{{ CA_password }}" && touch {{ IP_subject_alt_name }}_ca_generated args: chdir: "configs/{{ IP_subject_alt_name }}/pki/" 
@@ -75,14 +75,14 @@ -config <(cat openssl.cnf <(printf "[basic_exts]\nsubjectAltName={{ subjectAltName }}")) -keyout private/{{ IP_subject_alt_name }}.key -out reqs/{{ IP_subject_alt_name }}.req -nodes - -passin pass:"{{ easyrsa_CA_password }}" + -passin pass:"{{ CA_password }}" -subj "/CN={{ IP_subject_alt_name }}" -batch && {{ openssl_bin }} ca -utf8 -in reqs/{{ IP_subject_alt_name }}.req -out certs/{{ IP_subject_alt_name }}.crt -config <(cat openssl.cnf <(printf "[basic_exts]\nsubjectAltName={{ subjectAltName }}")) -days 3650 -batch - -passin pass:"{{ easyrsa_CA_password }}" + -passin pass:"{{ CA_password }}" -subj "/CN={{ IP_subject_alt_name }}" && touch certs/{{ IP_subject_alt_name }}_crt_generated args: @@ -97,14 +97,14 @@ -config <(cat openssl.cnf <(printf "[basic_exts]\nsubjectAltName=DNS:{{ item }}")) -keyout private/{{ item }}.key -out reqs/{{ item }}.req -nodes - -passin pass:"{{ easyrsa_CA_password }}" + -passin pass:"{{ CA_password }}" -subj "/CN={{ item }}" -batch && {{ openssl_bin }} ca -utf8 -in reqs/{{ item }}.req -out certs/{{ item }}.crt -config <(cat openssl.cnf <(printf "[basic_exts]\nsubjectAltName=DNS:{{ item }}")) -days 3650 -batch - -passin pass:"{{ easyrsa_CA_password }}" + -passin pass:"{{ CA_password }}" -subj "/CN={{ item }}" && touch certs/{{ item }}_crt_generated args: @@ -121,7 +121,7 @@ -export -name {{ item }} -out private/{{ item }}.p12 - -passout pass:"{{ easyrsa_p12_export_password }}" + -passout pass:"{{ p12_export_password }}" args: chdir: "configs/{{ IP_subject_alt_name }}/pki/" executable: bash @@ -150,7 +150,7 @@ shell: > {{ openssl_bin }} ca -gencrl -config <(cat openssl.cnf <(printf "[basic_exts]\nsubjectAltName=DNS:{{ item }}")) - -passin pass:"{{ easyrsa_CA_password }}" + -passin pass:"{{ CA_password }}" -revoke certs/{{ item }}.crt -out crl/{{ item }}.crt register: gencrl 
@@ -165,7 +165,7 @@ shell: > {{ openssl_bin }} ca -gencrl -config <(cat openssl.cnf <(printf "[basic_exts]\nsubjectAltName=DNS:{{ IP_subject_alt_name }}")) - -passin pass:"{{ easyrsa_CA_password }}" + -passin pass:"{{ CA_password }}" -out crl/algo.root.pem when: - gencrl is defined diff --git a/roles/vpn/templates/client_ipsec.conf.j2 b/roles/vpn/templates/client_ipsec.conf.j2 index 7fde04ab..a45d8e3d 100644 --- a/roles/vpn/templates/client_ipsec.conf.j2 +++ b/roles/vpn/templates/client_ipsec.conf.j2 @@ -6,7 +6,7 @@ conn ikev2-{{ IP_subject_alt_name }} compress=no dpddelay=35s -{% if Win10_Enabled is defined and Win10_Enabled == "Y" %} +{% if algo_windows %} ike={{ ciphers.compat.ike }} esp={{ ciphers.compat.esp }} {% else %} diff --git a/roles/vpn/templates/ipsec.conf.j2 b/roles/vpn/templates/ipsec.conf.j2 index e98bb3c1..086e18af 100644 --- a/roles/vpn/templates/ipsec.conf.j2 +++ b/roles/vpn/templates/ipsec.conf.j2 @@ -10,7 +10,7 @@ conn %default compress=yes dpddelay=35s -{% if Win10_Enabled is defined and Win10_Enabled == "Y" %} +{% if algo_windows %} ike={{ ciphers.compat.ike }} esp={{ ciphers.compat.esp }} {% else %} @@ -28,7 +28,7 @@ conn %default right=%any rightauth=pubkey rightsourceip={{ vpn_network }},{{ vpn_network_ipv6 }} -{% if local_dns|d(false)|bool == true or dns_encryption|d(false)|bool == true %} +{% if algo_local_dns or dns_encryption %} rightdns={{ local_service_ip }} {% else %} rightdns={% for host in dns_servers.ipv4 %}{{ host }}{% if not loop.last %},{% endif %}{% endfor %}{% if ipv6_support %},{% for host in dns_servers.ipv6 %}{{ host }}{% if not loop.last %},{% endif %}{% endfor %}{% endif %} diff --git a/roles/vpn/templates/mobileconfig.j2 b/roles/vpn/templates/mobileconfig.j2 index 9a342b4b..44fbcbda 100644 --- a/roles/vpn/templates/mobileconfig.j2 +++ b/roles/vpn/templates/mobileconfig.j2 
@@ -7,13 +7,13 @@ IKEv2 -{% if (OnDemandEnabled_WIFI is defined and OnDemandEnabled_WIFI == 'Y') or (OnDemandEnabled_Cellular is defined and OnDemandEnabled_Cellular == 'Y') %} +{% if algo_ondemand_wifi or algo_ondemand_cellular %} OnDemandEnabled 1 OnDemandRules -{% if OnDemandEnabled_WIFI_EXCLUDE is defined and OnDemandEnabled_WIFI_EXCLUDE != '_null' %} -{% set WIFI_EXCLUDE_LIST = OnDemandEnabled_WIFI_EXCLUDE.split(',') %} +{% if algo_ondemand_wifi_exclude != '_null' %} +{% set WIFI_EXCLUDE_LIST = (algo_ondemand_wifi_exclude|string).split(',') %} Action Disconnect @@ -30,7 +30,7 @@ {% endif %} Action -{% if OnDemandEnabled_WIFI is defined and OnDemandEnabled_WIFI == 'Y' %} +{% if algo_ondemand_wifi %} Connect {% else %} Disconnect @@ -42,7 +42,7 @@ Action -{% if OnDemandEnabled_Cellular is defined and OnDemandEnabled_Cellular == 'Y' %} +{% if algo_ondemand_cellular %} Connect {% else %} Disconnect diff --git a/roles/vpn/templates/rules.v4.j2 b/roles/vpn/templates/rules.v4.j2 index 820589f3..49c34e2f 100644 --- a/roles/vpn/templates/rules.v4.j2 +++ b/roles/vpn/templates/rules.v4.j2 @@ -70,7 +70,7 @@ COMMIT -A INPUT -d {{ local_service_ip }} -p udp --dport 53 -j ACCEPT # Drop traffic between VPN clients -{% if BetweenClients_DROP is defined and BetweenClients_DROP == "Y" %} +{% if BetweenClients_DROP %} {% set BetweenClientsPolicy = "DROP" %} {% endif %} -A FORWARD -s {{ vpn_network }}{% if wireguard_enabled %},{{ wireguard_vpn_network }}{% endif %} -d {{ vpn_network }}{% if wireguard_enabled %},{{ wireguard_vpn_network }}{% endif %} -j {{ BetweenClientsPolicy | default("ACCEPT") }} diff --git a/roles/vpn/templates/rules.v6.j2 b/roles/vpn/templates/rules.v6.j2 index 4f00c309..a6d853f2 100644 --- a/roles/vpn/templates/rules.v6.j2 +++ b/roles/vpn/templates/rules.v6.j2 
@@ -85,7 +85,7 @@ COMMIT -A INPUT -d fcaa::1 -p udp --dport 53 -j ACCEPT # Drop traffic between VPN clients -{% if BetweenClients_DROP is defined and BetweenClients_DROP == "Y" %} +{% if BetweenClients_DROP %} {% set BetweenClientsPolicy = "DROP" %} {% endif %} -A FORWARD -s {{ vpn_network_ipv6 }}{% if wireguard_enabled %},{{ wireguard_vpn_network_ipv6 }}{% endif %} -d {{ vpn_network_ipv6 }}{% if wireguard_enabled %},{{ wireguard_vpn_network_ipv6 }}{% endif %} -j {{ BetweenClientsPolicy | default("ACCEPT") }} diff --git a/roles/wireguard/defaults/main.yml b/roles/wireguard/defaults/main.yml deleted file mode 100644 index 0559c50b..00000000 --- a/roles/wireguard/defaults/main.yml +++ /dev/null @@ -1,24 +0,0 @@ ---- -wireguard_config_path: "configs/{{ IP_subject_alt_name }}/wireguard/" -wireguard_interface: wg0 -wireguard_network_ipv4: - subnet: 10.19.49.0 - prefix: 24 - gateway: 10.19.49.1 - clients_range: 10.19.49 - clients_start: 100 -wireguard_network_ipv6: - subnet: 'fd9d:bc11:4021::' - prefix: 48 - gateway: 'fd9d:bc11:4021::1' - clients_range: 'fd9d:bc11:4021::' - clients_start: 100 -wireguard_vpn_network: "{{ wireguard_network_ipv4['subnet'] }}/{{ wireguard_network_ipv4['prefix'] }}" -wireguard_vpn_network_ipv6: "{{ wireguard_network_ipv6['subnet'] }}/{{ wireguard_network_ipv6['prefix'] }}" -easyrsa_reinit_existent: false -wireguard_dns_servers: >- - {% if local_dns|default(false)|bool or dns_encryption|default(false)|bool == true %} - {{ local_service_ip }} - {% else %} - {% for host in dns_servers.ipv4 %}{{ host }}{% if not loop.last %},{% endif %}{% endfor %}{% if ipv6_support %},{% for host in dns_servers.ipv6 %}{{ host }}{% if not loop.last %},{% endif %}{% endfor %}{% endif %} - {% endif %} diff --git a/roles/wireguard/meta/main.yml b/roles/wireguard/meta/main.yml deleted file mode 100644 index a766ccc1..00000000 --- a/roles/wireguard/meta/main.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -dependencies: - - { role: common, tags: common } 
diff --git a/roles/wireguard/tasks/keys.yml b/roles/wireguard/tasks/keys.yml index 322f974f..b38ab1fb 100644 --- a/roles/wireguard/tasks/keys.yml +++ b/roles/wireguard/tasks/keys.yml @@ -3,7 +3,7 @@ file: dest: "/etc/wireguard/private_{{ item }}.lock" state: absent - when: easyrsa_reinit_existent|bool == True + when: keys_clean_all|bool == True with_items: - "{{ users }}" - "{{ IP_subject_alt_name }}" @@ -13,7 +13,6 @@ register: wg_genkey args: creates: "/etc/wireguard/private_{{ item }}.lock" - executable: bash with_items: - "{{ users }}" - "{{ IP_subject_alt_name }}" diff --git a/roles/wireguard/tasks/main.yml b/roles/wireguard/tasks/main.yml index df5b832e..232d080c 100644 --- a/roles/wireguard/tasks/main.yml +++ b/roles/wireguard/tasks/main.yml @@ -4,7 +4,7 @@ repo: ppa:wireguard/wireguard state: present register: result - until: result|succeeded + until: result is succeeded retries: 10 delay: 3 diff --git a/server.yml b/server.yml new file mode 100644 index 00000000..c71b5be1 --- /dev/null +++ b/server.yml 
@@ -0,0 +1,65 @@ +--- +- name: Configure the server and install required software + hosts: vpn-host + gather_facts: false + tags: algo + become: true + vars_files: + - config.cfg + + roles: + - role: common + - role: dns_adblocking + when: algo_local_dns + tags: dns_adblocking + - role: ssh_tunneling + when: algo_ssh_tunneling + tags: ssh_tunneling + - role: vpn + tags: vpn + + post_tasks: + - block: + - name: Delete the CA key + local_action: + module: file + path: "configs/{{ IP_subject_alt_name }}/pki/private/cakey.pem" + state: absent + become: false + when: not algo_store_cakey + + - name: Dump the configuration + local_action: + module: copy + dest: "configs/{{ IP_subject_alt_name }}/config.yml" + content: | + server: {{ 'localhost' if inventory_hostname == 'localhost' else inventory_hostname }} + server_user: {{ ansible_ssh_user }} + {% if algo_provider != "local" %} + ansible_ssh_private_key_file: {{ ansible_ssh_private_key_file|default(SSH_keys.private) }} + {% endif %} + algo_provider: {{ algo_provider }} + algo_server_name: {{ algo_server_name }} + algo_ondemand_cellular: {{ algo_ondemand_cellular }} + algo_ondemand_wifi: {{ algo_ondemand_wifi }} + algo_ondemand_wifi_exclude: {{ algo_ondemand_wifi_exclude }} + algo_local_dns: {{ algo_local_dns }} + algo_ssh_tunneling: {{ algo_ssh_tunneling }} + algo_windows: {{ algo_windows }} + algo_store_cakey: {{ algo_store_cakey }} + IP_subject_alt_name: {{ IP_subject_alt_name }} + {% if tests|default(false)|bool %}ca_password: {{ CA_password }}{% endif %} + become: false + + - debug: + msg: + - "{{ congrats.common.split('\n') }}" + - " {{ congrats.p12_pass }}" + - " {% if algo_store_cakey %}{{ congrats.ca_key_pass }}{% endif %}" + - " {% if algo_provider != 'local' %}{{ congrats.ssh_access }}{% endif %}" + tags: always + rescue: + - debug: var=fail_hint + tags: always + - fail: + tags: always diff --git a/tests/local-deploy.sh b/tests/local-deploy.sh index b586aaac..fc7d038e 100755 --- a/tests/local-deploy.sh 
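Review bot: The "Dump the configuration" task writes `configs/{{ IP_subject_alt_name }}/config.yml` through `copy` with no `mode`, so the file gets umask-default permissions although it records the SSH private key path and, when `tests` is set, the CA password in clear text. Adding `mode: "0600"` to that `local_action` brings it in line with the other client files this patch writes under `configs/` with mode 0600. The "Delete the CA key" task above it only unlinks `cakey.pem`; a short comment such as `# unlinks the file only; the key material is not overwritten on disk` would set the right expectation for operators who leave `algo_store_cakey` off.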
+++ b/tests/local-deploy.sh @@ -2,12 +2,11 @@ set -ex -DEPLOY_ARGS="server_ip=$LXC_IP server_user=ubuntu IP_subject_alt_name=$LXC_IP local_dns=true dns_over_https=true apparmor_enabled=false install_headers=false" -touch /tmp/ca_password +DEPLOY_ARGS="provider=local server=$LXC_IP ssh_user=ubuntu endpoint=$LXC_IP apparmor_enabled=false ondemand_cellular=true ondemand_wifi=true ondemand_wifi_exclude=test local_dns=true ssh_tunneling=true windows=true store_cakey=true install_headers=false tests=true" if [ "${LXC_NAME}" == "docker" ] then - docker run -it -v /tmp/ca_password:/tmp/ca_password -v $(pwd)/config.cfg:/algo/config.cfg -v ~/.ssh:/root/.ssh -v $(pwd)/configs:/algo/configs -e "DEPLOY_ARGS=${DEPLOY_ARGS}" travis/algo /bin/sh -c "chown -R 0:0 /root/.ssh && source env/bin/activate && ansible-playbook deploy.yml -t cloud,local,vpn,dns,ssh_tunneling,security,tests,dns_over_https -e \"${DEPLOY_ARGS}\" --skip-tags apparmor" + docker run -it -v $(pwd)/config.cfg:/algo/config.cfg -v ~/.ssh:/root/.ssh -v $(pwd)/configs:/algo/configs -e "DEPLOY_ARGS=${DEPLOY_ARGS}" travis/algo /bin/sh -c "chown -R 0:0 /root/.ssh && source env/bin/activate && ansible-playbook main.yml -e \"${DEPLOY_ARGS}\" --skip-tags apparmor" else - ansible-playbook deploy.yml -t cloud,local,vpn,dns,dns_over_https,ssh_tunneling,tests -e "${DEPLOY_ARGS}" --skip-tags apparmor + ansible-playbook main.yml -e "${DEPLOY_ARGS}" --skip-tags apparmor fi diff --git a/tests/update-users.sh b/tests/update-users.sh index bea5a8cb..ba40bb33 100755 --- a/tests/update-users.sh +++ b/tests/update-users.sh 
@@ -2,16 +2,13 @@ set -ex -CAPW=`cat /tmp/ca_password` -USER_ARGS="server_ip=$LXC_IP server_user=ubuntu ssh_tunneling_enabled=y IP_subject=$LXC_IP easyrsa_CA_password=$CAPW apparmor_enabled=false install_headers=false" - -sed -i 's/- jack$/- jack_test/' config.cfg +USER_ARGS="{ 'server': '$LXC_IP', 'users': ['user1', 'user2'] }" if [ "${LXC_NAME}" == "docker" ] then - docker run -it -v $(pwd)/config.cfg:/algo/config.cfg -v ~/.ssh:/root/.ssh -v $(pwd)/configs:/algo/configs -e "USER_ARGS=${USER_ARGS}" travis/algo /bin/sh -c "chown -R 0:0 /root/.ssh && source env/bin/activate && ansible-playbook users.yml -e \"${USER_ARGS}\" -t update-users --skip-tags common" + docker run -it -v $(pwd)/config.cfg:/algo/config.cfg -v ~/.ssh:/root/.ssh -v $(pwd)/configs:/algo/configs -e "USER_ARGS=${USER_ARGS}" travis/algo /bin/sh -c "chown -R 0:0 /root/.ssh && source env/bin/activate && ansible-playbook users.yml -e \"${USER_ARGS}\" -t update-users" else - ansible-playbook users.yml -e "${USER_ARGS}" -t update-users --skip-tags common + ansible-playbook users.yml -e "${USER_ARGS}" -t update-users fi if sudo openssl crl -inform pem -noout -text -in configs/$LXC_IP/pki/crl/jack.crt | grep CRL @@ -22,7 +19,7 @@ if sudo openssl crl -inform pem -noout -text -in configs/$LXC_IP/pki/crl/jack.cr exit 1 fi -if sudo openssl x509 -inform pem -noout -text -in configs/$LXC_IP/pki/certs/jack_test.crt | grep CN=jack_test +if sudo openssl x509 -inform pem -noout -text -in configs/$LXC_IP/pki/certs/user1.crt | grep CN=user1 then echo "The new user exists" else diff --git a/users.yml b/users.yml index f60cbb3b..36f162f5 100644 --- a/users.yml +++ b/users.yml @@ -1,5 +1,4 @@ --- - - hosts: localhost gather_facts: False tags: always 
@@ -8,27 +7,43 @@ tasks: - block: + - pause: + prompt: "Enter the IP address of your server: (or use localhost for local installation)" + register: _server + when: server is undefined + + - name: Set facts based on the input + set_fact: + algo_server: >- + {% if server is defined %}{{ server }} + {%- elif _server.user_input is defined and _server.user_input != "" %}{{ _server.user_input }} + {%- else %}omit{% endif %} + + - name: Import host specific variables + include_vars: + file: "configs/{{ algo_server }}/config.yml" + + - pause: + prompt: Enter the password for the private CA key + echo: false + register: _ca_password + when: ca_password is undefined + + - name: Set facts based on the input + set_fact: + CA_password: >- + {% if ca_password is defined %}{{ ca_password }} + {%- elif _ca_password.user_input is defined and _ca_password.user_input != "" %}{{ _ca_password.user_input }} + {%- else %}omit{% endif %} + - name: Add the server to the vpn-host group add_host: - hostname: "{{ server_ip }}" - groupname: vpn-host - ansible_ssh_user: "{{ server_user }}" + name: "{{ algo_server }}" + groups: vpn-host + ansible_ssh_user: "{{ server_user|default('root') }}" + ansible_connection: "{% if algo_server == 'localhost' %}local{% else %}ssh{% endif %}" ansible_python_interpreter: "/usr/bin/python2.7" - ssh_tunneling_enabled: "{{ ssh_tunneling_enabled }}" - easyrsa_CA_password: "{{ easyrsa_CA_password }}" - IP_subject: "{{ IP_subject_alt_name }}" - ansible_ssh_private_key_file: "{{ SSH_keys.private }}" - - - name: Wait until SSH becomes ready... - local_action: - module: wait_for - port: 22 - host: "{{ server_ip }}" - search_regex: "OpenSSH" - delay: 10 - timeout: 320 - state: present - become: false + CA_password: "{{ CA_password }}" rescue: - debug: var=fail_hint tags: always 
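Review bot: In both new `set_fact` tasks the fallback branch `{%- else %}omit{% endif %}` produces the literal string `omit`, not Ansible's omit placeholder, so an empty answer makes `include_vars` look for `configs/omit/config.yml` and sets `CA_password` to the word `omit`. Failing early is clearer: drop the `else` branch and add `- assert: { that: "algo_server|length > 0", msg: "server is required" }` after the first `set_fact`, with the same check for `CA_password`. The CA password prompt already uses `echo: false`, but the value is then attached to the host through `add_host`; `no_log: true` on that task would keep it out of verbose task output.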
@@ -41,22 +56,17 @@ become: true vars_files: - config.cfg - - pre_tasks: - - block: - - name: Common pre-tasks - include_tasks: playbooks/common.yml - tags: always - rescue: - - debug: var=fail_hint - tags: always - - fail: - tags: always + - "configs/{{ inventory_hostname }}/config.yml" roles: - - { role: ssh_tunneling, tags: always, when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y" } - - { role: wireguard, tags: [ 'vpn', 'wireguard' ], when: wireguard_enabled } - - { role: vpn } + - role: common + - role: ssh_tunneling + when: algo_ssh_tunneling + - role: wireguard + tags: [ 'vpn', 'wireguard' ] + when: wireguard_enabled + - role: vpn + tags: vpn post_tasks: - block: From 36c871c4f1ceb83ab41a9158b1977b1964484e7b Mon Sep 17 00:00:00 2001 From: Jack Ivanov <17044561+jackivanov@users.noreply.github.com> Date: Mon, 27 Aug 2018 17:28:02 +0300 Subject: [PATCH 38/91] Update CHANGELOG.md --- CHANGELOG.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 897352b7..8b6969fb 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,10 @@ +## 27 Aug 2018 +### Changed +- Large refactor to support Ansible 2.5. [Details](https://github.com/trailofbits/algo/pull/976) + +### How to upgrade +- Follow the [instructions](https://github.com/trailofbits/algo#deploy-the-algo-server) from scratch + ## 04 Jun 2018 ### Changed - Switched to [new cipher suite](https://github.com/trailofbits/algo/issues/981) From 701995ebb72d321f0557f180da650648e4f8d310 Mon Sep 17 00:00:00 2001 From: Jack Ivanov <17044561+jackivanov@users.noreply.github.com> Date: Mon, 27 Aug 2018 17:29:16 +0300 Subject: [PATCH 39/91] Update CHANGELOG.md --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8b6969fb..63a4a450 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,6 +1,7 @@ ## 27 Aug 2018 ### Changed - Large refactor to support Ansible 2.5. [Details](https://github.com/trailofbits/algo/pull/976) +- Add a new cloud provider - Vultr ### How to upgrade - Follow the [instructions](https://github.com/trailofbits/algo#deploy-the-algo-server) from scratch From 511086db8ef4b82c1887a28dcde718f41f17d715 Mon Sep 17 00:00:00 2001 From: Jack Ivanov <17044561+jackivanov@users.noreply.github.com> Date: Mon, 27 Aug 2018 19:00:32 +0300 Subject: [PATCH 40/91] Update CHANGELOG.md --- CHANGELOG.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 63a4a450..8fb954fd 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,8 +3,9 @@ - Large refactor to support Ansible 2.5. [Details](https://github.com/trailofbits/algo/pull/976) - Add a new cloud provider - Vultr -### How to upgrade +### Upgrade notes - Follow the [instructions](https://github.com/trailofbits/algo#deploy-the-algo-server) from scratch +- You can't update users on your old servers with the new code. Use the old code before this release or rebuild the server from scratch ## 04 Jun 2018 ### Changed From 5f9a3d5eb5d1cc133c7b7d08ebd43c970efc9677 Mon Sep 17 00:00:00 2001 From: Jack Ivanov <17044561+jackivanov@users.noreply.github.com> Date: Mon, 27 Aug 2018 19:01:59 +0300 Subject: [PATCH 41/91] Update CHANGELOG.md --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8fb954fd..b0b7c7c9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,7 +4,7 @@ - Add a new cloud provider - Vultr ### Upgrade notes -- Follow the [instructions](https://github.com/trailofbits/algo#deploy-the-algo-server) from scratch +- If any problems encountered follow the [instructions](https://github.com/trailofbits/algo#deploy-the-algo-server) from scratch - You can't update users on your old servers with the new code. Use the old code before this release or rebuild the server from scratch ## 04 Jun 2018 
From 635e7ff1af271ef91749a96e05b8f8a258c57106 Mon Sep 17 00:00:00 2001 From: Jack Ivanov <17044561+jackivanov@users.noreply.github.com> Date: Mon, 27 Aug 2018 20:23:51 +0300 Subject: [PATCH 42/91] Update README.md --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 8f5ca043..176f9acc 100644 --- a/README.md +++ b/README.md @@ -14,7 +14,7 @@ Algo VPN is a set of Ansible scripts that simplify the setup of a personal IPSEC * Blocks ads with a local DNS resolver (optional) * Sets up limited SSH users for tunneling traffic (optional) * Based on current versions of Ubuntu and strongSwan -* Installs to DigitalOcean, Amazon Lightsail, Amazon EC2, Microsoft Azure, Google Compute Engine, Scaleway, OpenStack or your own Ubuntu 18.04 LTS server +* Installs to DigitalOcean, Amazon EC2, Vultr, Microsoft Azure, Google Compute Engine, Scaleway, OpenStack or your own Ubuntu 18.04 LTS server ## Anti-features 
@@ -29,7 +29,7 @@ Algo VPN is a set of Ansible scripts that simplify the setup of a personal IPSEC The easiest way to get an Algo server running is to let it set up a _new_ virtual machine in the cloud for you. -1. **Setup an account on a cloud hosting provider.** Algo supports [DigitalOcean](https://m.do.co/c/4d7f4ff9cfe4) (most user friendly), [Amazon Lightsail](https://aws.amazon.com/lightsail/), [Amazon EC2](https://aws.amazon.com/), [Microsoft Azure](https://azure.microsoft.com/), [Google Compute Engine](https://cloud.google.com/compute/), [Scaleway](https://www.scaleway.com/) and [OpenStack](https://www.openstack.org/). +1. **Setup an account on a cloud hosting provider.** Algo supports [DigitalOcean](https://m.do.co/c/4d7f4ff9cfe4) (most user friendly), [Amazon EC2](https://aws.amazon.com/), [Vultr](https://www.vultr.com/), [Microsoft Azure](https://azure.microsoft.com/), [Google Compute Engine](https://cloud.google.com/compute/), [Scaleway](https://www.scaleway.com/) and [DreamCompute](https://www.dreamhost.com/cloud/computing/) or an OpenStack based cloud hosting. 2. **[Download Algo](https://github.com/trailofbits/algo/archive/master.zip).** Unzip it in a convenient location on your local machine. From 6d3bb1cf2baadb4b552beaa9e726216d7ea56d54 Mon Sep 17 00:00:00 2001 From: TC1977 <37350377+TC1977@users.noreply.github.com> Date: Tue, 28 Aug 2018 10:03:43 -0400 Subject: [PATCH 43/91] Update minimum required IAM changes for deployment (#1080) Ansible2.5 allows Algo to directly ask AWS for the region list, rather than have it hardcoded and updated manually. Updated the documented minimum required permissions to include "DescribeRegions". --- docs/deploy-from-ansible.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/deploy-from-ansible.md b/docs/deploy-from-ansible.md index f3566c7f..946c045b 100644 --- a/docs/deploy-from-ansible.md +++ b/docs/deploy-from-ansible.md 
@@ -113,6 +113,7 @@ Additional variables: "Action": [ "ec2:DescribeImages", "ec2:DescribeKeyPairs", + "ec2:DescribeRegions", "ec2:ImportKeyPair" ], "Resource": [ From 3144458ac7b99372a301f2a178010c2fcdf37396 Mon Sep 17 00:00:00 2001 From: TC1977 <37350377+TC1977@users.noreply.github.com> Date: Tue, 28 Aug 2018 10:05:01 -0400 Subject: [PATCH 44/91] Update cloud-amazon-ec2.md (#1081) --- docs/cloud-amazon-ec2.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/docs/cloud-amazon-ec2.md b/docs/cloud-amazon-ec2.md index 63831d55..36c51359 100644 --- a/docs/cloud-amazon-ec2.md +++ b/docs/cloud-amazon-ec2.md @@ -112,3 +112,6 @@ Enter the number of your desired region: ``` You will then be asked the remainder of the standard Algo setup questions. + +## Cleanup +If you've installed Algo onto EC2 multiple times, your AWS account may become cluttered with unused or deleted resources e.g. instances, VPCs, subnets, etc. This may cause future installs to fail. The easiest way to clean up after you're done with a server is to go to "CloudFormation" from the console and delete the CloudFormation stack associated with that server. Please note that unless you've enabled termination protection on your instance, deleting the stack this way will delete your instance without warning, so be sure you are deleting the correct stack. From f63bc1ef970266ec57b1d5a0806ca1dba2c175d4 Mon Sep 17 00:00:00 2001 From: Jack Ivanov <17044561+jackivanov@users.noreply.github.com> Date: Tue, 28 Aug 2018 17:12:20 +0300 Subject: [PATCH 45/91] Update CHANGELOG.md --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index b0b7c7c9..e7f566a4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -6,6 +6,7 @@ ### Upgrade notes - If any problems encountered follow the [instructions](https://github.com/trailofbits/algo#deploy-the-algo-server) from scratch - You can't update users on your old servers with the new code. Use the old code before this release or rebuild the server from scratch +- Update AWS IAM permissions for your user as per [issue](https://github.com/trailofbits/algo/issues/1079#issuecomment-416577599) ## 04 Jun 2018 ### Changed From ee3cb979f770e92899627b70c013a6d8a90a33a8 Mon Sep 17 00:00:00 2001 From: David Myers Date: Tue, 28 Aug 2018 10:25:40 -0400 Subject: [PATCH 46/91] Document how to use WireGuard on Ubuntu clients (#1071) --- README.md | 1 + docs/client-linux-wireguard.md | 48 ++++++++++++++++++++++++++++++++++ 2 files changed, 49 insertions(+) create mode 100644 docs/client-linux-wireguard.md diff --git a/README.md b/README.md index 176f9acc..26440fd3 100644 --- a/README.md +++ b/README.md @@ -190,6 +190,7 @@ After this process completes, the Algo VPN server will contains only the users l * Client setup - Setup [Android](docs/client-android.md) clients - Setup [Generic/Linux](docs/client-linux.md) clients with Ansible + - Setup Ubuntu clients to use [WireGuard](docs/client-linux-wireguard.md) * Cloud setup - Configure [Amazon EC2](docs/cloud-amazon-ec2.md) - Configure [Azure](docs/cloud-azure.md) diff --git a/docs/client-linux-wireguard.md b/docs/client-linux-wireguard.md new file mode 100644 index 00000000..123ab76e --- /dev/null +++ b/docs/client-linux-wireguard.md 
@@ -0,0 +1,48 @@ +# Using Ubuntu Server as a Client with WireGuard + +## Install WireGuard + +To connect to your Algo VPN using [WireGuard](https://www.wireguard.com) from an Ubuntu Server 16.04 (Xenial) or 18.04 (Bionic) client, first install WireGuard on the client: + +``` +# Add the WireGuard repository: +sudo add-apt-repository ppa:wireguard/wireguard +# Update the list of available packages (not necessary on Bionic): +sudo apt update +# Install the tools and kernel module: +sudo apt install wireguard +``` + +(For installation on other Linux distributions, see the [Installation](https://www.wireguard.com/install/) page on the WireGuard site.) + +## Locate the Config File + +The Algo-generated config files for WireGuard are named `configs//wireguard/.conf` on the system where you ran `./algo`. One file was generated for each of the users you added to `config.cfg` before you ran `./algo`. Each Linux and Android client you connect to your Algo VPN must use a different WireGuard config file. Choose one of these files and copy it to your Linux client. + +If your client is running Bionic (or another Linux that uses `systemd-resolved` for DNS) you should first edit the config file. Comment out the line that begins with `DNS =` and replace it with: +``` +PostUp = systemd-resolve -i %i --set-dns=172.16.0.1 --set-domain=~. +``` +Use the IP address shown on the `DNS =` line (for most, this will be `172.16.0.1`). If the `DNS =` line contains multiple IP addresses, use multiple `--set-dns=` options. 
+ +## Configure WireGuard + +Finally, install the config file on your client as `/etc/wireguard/wg0.conf` and start WireGuard: + +``` +# Install the config file to the WireGuard configuration directory on your +# Bionic or Xenial client: +sudo install -o root -g root -m 600 .conf /etc/wireguard/wg0.conf +# Start the WireGuard VPN: +sudo systemctl start wg-quick@wg0 +# Check that it started properly: +sudo systemctl status wg-quick@wg0 +# Verify the connection to the Algo VPN: +sudo wg +# See that your client is using the IP address of your Algo VPN: +curl ipv4.icanhazip.com +# Optionally configure the connection to come up at boot time: +sudo systemctl enable wg-quick@wg0 +``` + +(If your Linux distribution does not use `systemd`, you can bring up WireGuard with `sudo wg-quick up wg0`). \ No newline at end of file From e860b78d804fc77b4c87359de17f0df7555219f3 Mon Sep 17 00:00:00 2001 From: Jack Ivanov <17044561+jackivanov@users.noreply.github.com> Date: Wed, 29 Aug 2018 16:05:07 +0300 Subject: [PATCH 47/91] Scaleway authentication fix (#1088) --- roles/cloud-scaleway/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/cloud-scaleway/tasks/main.yml b/roles/cloud-scaleway/tasks/main.yml index 9242fb3a..ecf52e95 100644 --- a/roles/cloud-scaleway/tasks/main.yml +++ b/roles/cloud-scaleway/tasks/main.yml @@ -54,7 +54,7 @@ method: GET headers: Content-Type: 'application/json' - X-Auth-Token: "{{ scaleway_auth_token }}" + X-Auth-Token: "{{ algo_scaleway_token }}" status_code: 200 register: scaleway_images with_sequence: start=1 end={{ ((scaleway_pages.x_total_count|int / 100)| round )|int }} From fb1c0f6a5e692fb2dde905d1ea3c8b44dc10874e Mon Sep 17 00:00:00 2001 From: Jack Ivanov <17044561+jackivanov@users.noreply.github.com> Date: Thu, 30 Aug 2018 15:36:35 +0300 Subject: [PATCH 48/91] Create a symlink if deploying to localhost (#1078) --- server.yml | 8 ++++++++ 1 file changed, 8 insertions(+) 
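Review bot: In the `roles/cloud-scaleway/tasks/main.yml` hunk the `X-Auth-Token` header now carries `algo_scaleway_token`, and the trailing task keys visible here (`status_code`, `register`, `with_sequence`) include no `no_log: true`. The task begins above the hunk, so it may already be set there; if it is not, the token can be printed with the module arguments at high verbosity, once per loop item. Adding `no_log: true` to this `uri` task would keep the API token out of console output and saved logs.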
diff --git a/server.yml b/server.yml index c71b5be1..459dd63d 100644 --- a/server.yml +++ b/server.yml @@ -51,6 +51,14 @@ {% if tests|default(false)|bool %}ca_password: {{ CA_password }}{% endif %} become: false + - name: Create a symlink if deploying to localhost + file: + src: "{{ IP_subject_alt_name }}" + dest: configs/localhost + state: link + force: true + when: inventory_hostname == 'localhost' + - debug: msg: - "{{ congrats.common.split('\n') }}" From 687bab9e5478fd0c0aa7dddb488e3c7a10ef3350 Mon Sep 17 00:00:00 2001 From: Jack Ivanov <17044561+jackivanov@users.noreply.github.com> Date: Thu, 30 Aug 2018 16:25:59 +0300 Subject: [PATCH 49/91] Update troubleshooting.md Fixes #744 --- docs/troubleshooting.md | 25 +++++++++++++++++++++++-- 1 file changed, 23 insertions(+), 2 deletions(-) diff --git a/docs/troubleshooting.md b/docs/troubleshooting.md index 632696d9..e6717b7a 100644 --- a/docs/troubleshooting.md +++ b/docs/troubleshooting.md 
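Review bot: The new "Create a symlink if deploying to localhost" task in the `server.yml` hunk has no `become: false`, unlike the task just above it. If the enclosing play escalates privileges (its header is outside the hunk), `configs/localhost` is created as root inside the operator's working tree. `dest: configs/localhost` is also a relative path and `force: true` replaces whatever already sits there, so the outcome depends on the module's working directory. Consider adding `become: false` and an anchored destination such as `dest: "{{ playbook_dir }}/configs/localhost"`.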
@@ -8,8 +8,9 @@ * [Error: "ansible-playbook: command not found"](#error-ansible-playbook-command-not-found) * [Bad owner or permissions on .ssh](#bad-owner-or-permissions-on-ssh) * [The region you want is not available](#the-region-you-want-is-not-available) - * [AWS: SSH permission denied with an ECDSA key](#aws-ssh-permission-denied-with-an-ecdsa-key) - * [AWS: "Deploy the template" fails with CREATE_FAILED](#aws-deploy-the-template-fails-with-create_failed) + * [AWS: SSH permission denied with an ECDSA key](#aws-ssh-permission-denied-with-an-ecdsa-key) + * [AWS: "Deploy the template" fails with CREATE_FAILED](#aws-deploy-the-template-fails-with-create_failed) + * [DigitalOcean: error tagging resource 'xxxxxxxx': param is missing or the value is empty: resources](#digitalocean-error-tagging-resource) * [Connection Problems](#connection-problems) * [I'm blocked or get CAPTCHAs when I access certain websites](#im-blocked-or-get-captchas-when-i-access-certain-websites) * [I want to change the list of trusted Wifi networks on my Apple device](#i-want-to-change-the-list-of-trusted-wifi-networks-on-my-apple-device) 
@@ -163,6 +164,26 @@ Algo builds a [Cloudformation](https://aws.amazon.com/cloudformation/) template In many cases, failed deployments are the result of [service limits](http://docs.aws.amazon.com/general/latest/gr/aws_service_limits.html) being reached, such as "CREATE_FAILED AWS::EC2::VPC VPC The maximum number of VPCs has been reached." In these cases, you must either [delete the VPCs from previous deployments](https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/working-with-vpcs.html#VPC_Deleting), or [contact AWS support](https://console.aws.amazon.com/support/home?region=us-east-1#/case/create?issueType=service-limit-increase&limitType=service-code-direct-connect) to increase the limits on your account. +### DigitalOcean: error tagging resource + +You tried to deploy to Algo to DigitalOcean and you received an error like this one: + +``` +TASK [cloud-digitalocean : Tag the droplet] ************************************ +failed: [localhost] (item=staging) => {"failed": true, "item": "staging", "msg": "error tagging resource '73204383': param is missing or the value is empty: resources"} +failed: [localhost] (item=dbserver) => {"failed": true, "item": "dbserver", "msg": "error tagging resource '73204383': param is missing or the value is empty: resources"} +``` + +The error is caused because Digital Ocean changed its API to treat the tag argument as a string instead of a number. + +1. Download [doctl](https://github.com/digitalocean/doctl) +2. Run `doctl auth init`; it will ask you for your token which you can get (or generate) on the API tab at DigitalOcean +3. Once you are authorized on DO, you can run `doctl compute tag list` to see the list of tags +4. Run `doctl compute tag delete enivronment:algo --force` to delete the environment:algo tag +5. Finally run `doctl compute tag list` to make sure that the tag has been deleted +6. 
Run algo as directed + + ## Connection Problems Look here if you deployed an Algo server but now have a problem connecting to it with a client. From 0188b2ff64544458585f2871fe96f3bc87dd1618 Mon Sep 17 00:00:00 2001 From: Jack Ivanov <17044561+jackivanov@users.noreply.github.com> Date: Thu, 30 Aug 2018 16:40:01 +0300 Subject: [PATCH 50/91] Update deploy-to-ubuntu.md --- docs/deploy-to-ubuntu.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/deploy-to-ubuntu.md b/docs/deploy-to-ubuntu.md index 36956a30..6d6db62b 100644 --- a/docs/deploy-to-ubuntu.md +++ b/docs/deploy-to-ubuntu.md @@ -8,7 +8,7 @@ tl;dr: ```shell sudo apt-get install software-properties-common && sudo apt-add-repository ppa:ansible/ansible -sudo apt-get update && sudo apt-get install ansible python-pip build-essential python-dev +sudo apt-get update && sudo apt-get install ansible python-pip build-essential python-dev libssl-dev libffi-dev pip install virtualenv pip install --upgrade pip git clone https://github.com/trailofbits/algo From 002c4ef198aa0fea78ba8355dceec5a7e70411ba Mon Sep 17 00:00:00 2001 From: Jack Ivanov <17044561+jackivanov@users.noreply.github.com> Date: Fri, 31 Aug 2018 08:40:22 +0300 Subject: [PATCH 51/91] Update ISSUE_TEMPLATE.md --- .github/ISSUE_TEMPLATE.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/.github/ISSUE_TEMPLATE.md b/.github/ISSUE_TEMPLATE.md index e94593d3..7a8982df 100644 --- a/.github/ISSUE_TEMPLATE.md +++ b/.github/ISSUE_TEMPLATE.md @@ -1,6 +1,6 @@ ### OS / Environment (where do you run Algo on) ``` @@ -9,7 +9,8 @@ PUT THE OUTPUT HERE ### Cloud Provider (where do you deploy Algo to) ``` @@ -29,7 +30,7 @@ PUT THE OUTPUT HERE 3. ### Full log - + ``` PUT THE OUTPUT HERE From d9634eca8a3c9454c7c6e044b788f988054b16db Mon Sep 17 00:00:00 2001 
From: Mike Myers Date: Sun, 2 Sep 2018 03:32:51 -0700 Subject: [PATCH 52/91] Update screenshot of AWS EC2 minimum permissions with ec2:DescribeRegions (#1095) --- docs/images/aws-ec2-new-policy.png | Bin 82947 -> 87193 bytes 1 file changed, 0 insertions(+), 0 deletions(-) 
diff --git a/docs/images/aws-ec2-new-policy.png b/docs/images/aws-ec2-new-policy.png index 47d7f283a681a3cf4b6fe716852f21764ea16843..691512e7f96eccaef4b4955a69aad174fa64efea 100644 GIT binary patch delta 81219 zcmeFZRa9L~vo=a_f&~cf?oM!bhoHedSa5>F4DRmk?!n#N-QC^Y4(}&>=l%Y1#yMl` zJ(IflbMnSZR#_LlZBMu)xWDNe-Y6z3Q{qp6`@uBs$l_xNM@enZ6!(8W|Cji^GeMrZ z|LXFeBKZNB3VEFY>WHebe~$F8mf+tCfIZfKjs9;L6~_l<(<>`uV}Cl_#SB$pM-~{< zfW;cO$oTkhYE{KbyF2aY3cXGb2oEJRH&;SFR1km4f-2VsP(atF!WH|dSA1&kR_P%RZk_bs!~MI7&vTF{Y92;_L?fx&x&PShA^Jll|9H3579tvs$7icPZx3b`LY!om)0 z_aa!Rv-UmY1Y0}U3Lc@2T+a!obXJQ2^*VRQ@wJ`ZV(g6k;xbKyC&5m#J!!EXlQ6G+ zf8Q)=x}dqU(@XlK$IHHUHa3y9ZTRePdRdAiLnwss-Z^&gphuE@eI~lrG>>vhH`ZcX z>yVRQHp*?XA*0UUmd>DZ>}>W%rIrL<(t3*N5#xt#a!{Vb|J?uo*nxq6O^zt0Tu!Fi zY6|pZz@DsLz};|fdwp_;8oEeTwO6wCtTS++@+-Oic%}vQ00}wWEB7MRE~}VChNFW+ z=M|XCR0BhIn$)=Yb$B{=DE2{J4!cU}%C8PE*X-JK`aHSRkizJ`t@TKXA5T9Kf!dQr z@8xCg0sJ?EcXxdEs~|#x)%qakukeR+U7JS5(rAJO2{_hN|8x&s*^Fty7KZo-y&gbM zZkI)W^Y8}yKp{o$rzN7RtLxSM1$N^4zR%-M@m!`w@orRlcAuQ&F56}XF3b(}T#0`I z3H5S$*X5kWJ7I4)Gp3ojGnV}@u@@e~x$F-4U95(sEkuSl&xX=_C;1UyqqItO%vOim# z@Y%6)Mch0)drrRw`6Sr(t}I#0;qg{^{#wjvAis<2qxeFaHhSc@-wM*Bs92d5d7-2u zFTrCsLZ1>Z-Po^in^|6EQs??ymo6bnoB<3kbN0j-=9gp3;k0WGgv1ouCGR=3((e23 zY5b#@AxCd``h%>%V;@)TFZ2q784M>4s$4SkLgTyj7PdGBMW4+sQbnYRd8l4oMcGA6 zx0?>v`_mNCUv6bt&;hR+3H-8&>}ayGVG6$?SlSNAMhf-+wO9?f3FgPTTL zRJJzDW}x@!mp&FL^K{eYKv<+bSE_2D!LTkVGLC?M>IAUQRL_-SF@sdZFD;tQ@;!!eUPVF<3w*626u_% zV_VAu5*qCpMO}C}8{8*tHxD;M(pBg>bn>OAVXwVB<*%W8f*AVr{ynjH{z4y@trAZ5 zgpZRl$t;4w-(^VX^;cXB$fd1)p4wD(;%a+~_x5ksQdm?PYo*j~L~)!Z2?XXRHEf-$ z!&^>ELBP%%k+135)GW&cWn0BJZTve(3 z=_8!b?@OsOn_x9I@Tr{B-s#A4y+e)ijTYbJ$RbT^%XvI{o(@6twu3i+2DaQ;tMu+Y z6v(Wj_PGiUS=KYKXGRy%^1f0vrKHPglAd5EDJsq3#42_a^zyML`TqS@t}H%afa{;0 zCBFeKO?sstg^qO%D-myEtE4rYAyM2Z%6sz&&s1s}Xp`+H30iyqXg()|8#wZ zOW15M6t+gPuyTZ`d2*dPT(QenH5)N-UiVdU5gg>UpaT!Cv73)$GFKkMNqN0c>AZf5#2Zqc!^@!ZoTt|yX(()&#z)+f^02ydM0S8FXpTU zrxL`|TRyIR)oBY_qo2ZwkW&AQmlSNKmENhd1Z}#CTjOpbr1@hmy`C2oR{Jba_YI5b zZh1*OXu-b$(8yy0HediFtUS2=Um&=1$>$gZEWHFp524( 
z=}g91+`gpk))0V0%T=8%8ltQ{)bEB=%OuD+8ii5lNQgtpmL6xXMfER9_v0!) z&mrP)2Gv)=M17)HS#Z|V#n)nh)))=daL`@N2c)j|@b*%R(e1IMjD@A2(4cgh0)>-= zoi5iA;7pnDDht9uk~H@*7-9I{ve`(G)S^RwAfv6APj^)SG+x-fdb4Su(*&j1YC@TF z^^7it4Gm!h2Pfd=cyh!cK93l`tq`mf!@F+JDN;QT*{ z0TP=6wMpFybyy}-08{N`aMCNV78r@|5n7n)oAa@tsw&gg(O+jP|2%z0`9ky!F@n{e zY}K{3^fNCHDV|!yrq<=BG8XOdw=iW!I7h1KfPwqXh{D#H+45p@``(cS!fqcIXF$Y0 zjX=@WZM;IGSg2DHxZW18U7HYgB*FnRg7zv%Mx{da~0tuo)>ECj6kNeRpx07cQE|Z@9l-(Yl+VICB6;P<- zL(|w%JCCFOnJmC4;dm+}uL-|7e@u1Z4X-SJL%l+yiBm~Gcs|ypdAtPbZD~#jE-l}qY);xg@iiJpYvdJq__LDxz9k@XWD5$a-RaTTC%4q?k5>jls} zC}rYao>Iamk|&*vcf}?_I!QYFt_j@d;F|BYB-H9NnK&asR&tEU;Q)751Wmc_j-9Rb zZ#}s9ZFI2LhdCqrhl=Pw-5d2CgFXeOj6b0w+rz>}<{4gd5+&P1 z3wkB2UZMo;nCvIOjs*B#CCLr#$TuVc3>8#WktaXC3ecseZ|sm7egVlOMXJmUMz{0nfZ#bv`nq(Yfo9=kv*eifwIuVCqSsvJ~fx>wG*t-G1L zZUS+p6}l}h_MG$gPKRMT=rE;yeD!I`}4Mn)q4MjI>rOWa)L-U)` zBmHYkkqpFcbUvW8YXg^$_+asiW|IT%+$MTNAWpA{k+0}Fi4l20X5|u18}^;FcW%=`n+Zhciy^er zhZarz{9?w&o2i9y>)tvtSPmpxi8tVoPG-^aUfILR##=rfQSD zXCXvO|AGvr)lp^K z7*qcJ-l6eS;B}^Awd=|KZUv>3xfZ?t+Gs*~dmJYGT&XsHH)4!&)ydC7P~}r7g&1i< z%!P;yrxoLVa{_0$Tc10(or*B7T&dD)3P684{wz zq@2-ALONmoTwGt{ie`GY)+Ohf6=AEm|CYLrI}hGM{)*z?=Cn$YpF6MYL%j7VD())s z(|(}HFxCD2eFkgG!Y33Ub&IqK8MX0c2h|6)D5#vT>1AKJiJJG-l1pE4a)8B0#s311 ze+jRv@^L(8y_@_rYh=mz4^!E9bV>!W^3p2?Zg zPO6;XcUEWnOW~IaOD6+UmRBx$y!HK-c>6shtES!_6XeP9d-+9lyAr>bou6p?!4VrM z|H^aa^)pw2CFQ&El7tX7$(~r2WG(T9$L|`nt=Qs28e#cs)aoTz{AAoN**a2$)K3kd z%T?tFXINiMey>m6TPw&pJwj%B1ef*K7e|*#@GFvT{N`rEJlw{g;B5}Sc6EQ@Kt7xn zZ?c8C5S`gyFDdYaz~fRadE!t9%`KYvbi?C|#ew1qsHXEzh}wdwGH+-4xXP3JNM)KR z9P7OKir5(&Opup%oyM>N*s)a2Jg> z{&a~;d>gJk_OM?Xb#JmR_P0fDuLWipU%O-g47BghW&-HqKX7%$YOkY)D4%Toqtrs{ zaJWPfO!AIbgj{45-5OrN(OO?=ECDuX_@fDslhP4MS5?A{G`)-*aH@yhua-@cl$u&v zTN~4H06*}b%HwjOu z-lP#C8Z6ND->?W19mMez5Dk<8tb1LAsW~$kw!3!IK81A~sx9&sjgGG3?rjZBlZ1%ooPL=AdXLD^tSYns z3G}kg6=p9Ft;)@DdUiKXFi+Z}ei5ZUgSW^p^&Z{IBr3%NdsZk|h@sz*yCZWXGImTZrzHZOrW$#q%{Vx+r)=VIog6;ck_ zD#L(5AtK&IEp@8|ku;_6N%K9yI{Gz=&PSb#9`ecGz506K4*$ZR!rk(5L>?|Z-nULgzUOpdM-5Fz83a(%(CCC`b5 
z`khp+Du;$Ob1>g(O~e~k*Vl+?ATE?lWE%H^RVOkRS1nBRAS*W?>e%~g{RY}1L5W`q zc7v-37S*lM80fcZGSSsG|5(M<1b0TWLT;lv5yT2;HPw-Fxg~K#rh1*_%XJC3B1h=p zdZCILmRYid3!?4M1gu;$61}=hVr5&rt}_c$T8SvJ94wA8V^`WxGSOW53EZ`eE;RLJ zyp4z3T;`eh%jU$E(at13ey3?oxnxVpq7RMBgFoE-S>z1&a@68?V&iv9t}{j8uq4Os ztg#0~ODEX=WOL=Ujb&5(1m?{|=g65DSjgiJ2kJg)DUEZ%mlWXvMn6SBqQW5WOjKe= z?gJ6@!GcxRGRgZwV+t`CH&6h2OlVZ)qc_utdR4_->=i6MXo*QN4M- z8^JP%2j_yBR!!#NfkZGkT)bZg&kjFQC5ynV4C5NXs%4j9p&G@ zh!Bj4$*L1g7S(l(*Ya97xZKiX}u5t7g}YXR0~1}!&oWeCW~ zV=shGc_8#llV&b95P}Ms31pkYp4u;G#OXySJE12^RGynZuq;A6$m43aH@*O>>pElj zvQ!O|LDb#~Zd0MGh#YKmM5XFN&C8{U%dL0iosl?6*^y|$8fL&W46GLwJ-meR7G(+I z^T3ZGiSi^0Z(FFk4%Idq0Sy-e>&qeZPmIL)LcJ^?mN;GEeIMoL(ie04f9fGH-bZ8D zi!!VGp>n8JTDr0nVKcMRuAl%mEVlauC2!7L(+v%B!p;p5{|FAm-eGuOm&k|1(e@== z@%lXD(ofAM%91I~2*;9;tZ7wUKf5kJBWkJuF7*z?M_y$=tM_q0lt?kJAbaRpu3hOq zoH{@dFInj=0;u}qU|Zdid8BB0ce!EYEw5B?aZX2@ zX1w@2qM=bdl*{H%87jZ>UW^-aw1Ds*?a8=6WF)U5E8`c zxy_zuUlH%Q4+oI;A>aw`4|k!k_7l!v1j4k9W16BNM3V<1Dh%ZKio<+fsCv-*&CdI- z1TSvL;eTDLo56ktSB<4bB(;!2+ssq!sq5Mt(q;V4Wk$bQv;5KsMdgT4MwZ*YCgwYx z+*#`nnZ*iV{3Za}V!Jo~!9Yr9l)x;<=dE(1z?+(0R_a}TWO;N>-c1V$JBzYTldv-O z#n}_E&94Bd%$4Akqh2iKFc7o)@QaJnPCZDj#D}@D0WI2b(Q|j;_dhJgjp5npS}(Ka z*q{5_y^@bdJNF3U9Sk)D;oF+8X$H|J}jA$jfkMPbSpEP=Ua@y^-bt5`SqE zGu0aJx+=6)7BRWU393N-5$6GEF{Yu&k)LJX154wE?T@WPN6meJ76z`rlY8ypKaeTd zGFQJBxkdiL!T!T7n22><(XFlLs*p|`XJNs*$=S>GxrJS1j>=boSof_c6#|g!1n;@w6p;*Q`NzM?CQ_a{Hes|6fN@50Y+X>*hB* z$-hLvf6pdE6Z)N{ru)XB@b?9gw|O^hIs0r1@}J#+pirQ{n>HR+B`oIerd7guH!b!5 zOZ|cOKL1A(_#f&I{7)zFKh*!9_|Lzb|9@`*lzT{TtQ8vVh+!%jE5)0m{C?E*M!>`} zH=ErP)!Qig_<*<1So_{leE>Y4hlPdHTj_SDnR8H+rtKAMwSIMP^;v&W1kTNt}CoP{X`h8IZ2c@lLX1q*Cr~1;d>i7AxHS1jXqY8sPR&kkh7O zEno14%Wk|h8%N;bWF?lV_1^g5!HO*V>t3FQy*VK*Svxb+dtcdeg%U9D1u$}V!#B453W&fGHIC7O zas;mf&;$sLf%BC`?}(Bw`){xA#z@QMHecVu?=edaeXatGe+&NJ3v%%8%hK}A=?VO! 
z3SoVM;M@u3=5UDJtwYyOfwsEb$a6KIrNvm$9+4w3b?RT6ceIPDKOzMjTx0zQ0) z+uMRHw!3kHtw(snF-Z;AyqxoVgOQ|#C@49=-G>)&Lmc;RO!fEuGo4; zSf25zB0sQmb+usE?E1EoBz6;lrGKn0nwx{Yf0zF7*nYV=mbj<9#!-0Y@XNYZH!wXQ z+1!0XW-~-+39;SN(SthE(!6o_6Y5jp|X!m#|hPoq`;mUA(X$s9}w0R^e<9gN7 zk8+50M91%i6`3<=$aYdnp^6cSN`-<#CHgN|{#$=mjI1!7W}wI^jGY)L5X7 zkIk|)_I@GnWN0770oLq}{ES_hsJ7ii93+U^e65(tSw5?4xb8a6Fsp@ql{<4LhTB7| zxJ8g-x+#`kdAn#~krq#Z+tRS6oWwcia`uR&MjJ_xlmH(8_Jq@pg}_(((N#jHS}Vu< zz(NofYqciZrq&eBwTrfwUrsw2HfNDeMP+)EXCvJP0n1PM0Pk8OgFf}9N1m$VG^-O^ z>kp$hy0B6WUz9|_f^t6u9;}VY4dVLm7;*<)h1{Uy2Z_+xGp5(^+o`Um?9Imb`U)ZN zd2k-f?n38EV`b3Rw1w6>zqYXBh^e$J!N9aV@I1(Vw^*z?Ak2(6Yp`>&#;lz#OFZN9 zJ?BOIMCb@$1XlD$IFF9$sVmQdnmeP!u39lB3Jp)jE=xjzL)TOvNT}o;ytR*>aZ&^P^%S#Kp75(&1=ZndvXxeA8%emQ|<<%=)@ zc4JdY8Rzsj=06UfXBci#!4^uIw~WO+a!G4LnsKSs6T_*`rMHj>qFAuK2nD-4zDc}v z+q7V9WlJ)kEp#6y2kR_=aL5lcU#<7BMsaw&KJVNJh#p(bpRnN|!5eL`zAZAMc&;vR zeWL9YlpmTxIy}~3iDbhE;*qEU~iw@3a_N(buwqGJpOfs$n(@zK_395-` ztd&fiTK#d@j!OpI1-p3Ny}}x>zG~EF z>?WXp%?Gz_NnvxgHs=0%yEu{lK457R{$h=(-+MYKZ>%Xi-GL&mYW+QJ(a*rsFj=RV zP~GLMXTzSOwJKi`7;kiKA+oon(-}uRtk#zK^n=rbax-1-kGEY04GcH0p!+MW<`9zK z`EUD^qIu_dQku*}%jp)jM&IelrT#VU2FwAMg;~UxUO1mN+4JiQffhd*8;3j2<0b;B zTl8C8p(Q`0sPhyDUWs&`J4m^W+<@LkgXt1qpz%g%-8e^W7A=Zweii#9EiB?$iz_B5 zMzJpErDC;ZyfUs5@&WSpq@^IdTxF;gV|-N?VNiVnNvgy1#MW;~n^<2(9-;D3&O=ltaTq+o+uHhQmqf1U8VgdFfv}>CVtdR@Erhc?U z0itMjt&EM6SjlJBr)A9L4DRXaJ`x8OcHq(LRr+N%6#n9H?DEeNzQOQcdX;CFQrY_Y zWrER?sfM1~^UiaZt!pqq#%vY#<*+=r#d}#2t^2i&x5=U#KfX7AdAO)=FVf4nJjIPK zap;q8a!{h*B^iH8845B5>vvh-!Pf=yz>>AXe7e#nZvh{@hG4;CT2l?wME|4V}V* z(2c-Cy?Y(VhqT_LBZVl&yHmU%2Z8URd)2e&+U#d^he*G#NGjQ9ZB6E0FNDvJ2S21dk6+HJ4K`DPvKbMY=AWQ8_{c3U^ zJ|qct5%70si=fV{qHyjBb1Y6fX)4xHLkRiNGI5X?>K0^W z#-H2EsoY0Y`$EYG>#Pi%ymgTi5X`F05Zm@gB=242gRSovwTA{7&aDwm_3}*Fat?8( zQHjL{Vf8ud>nX7ulem|fIiq45*#R=l6;L=UH`E5$}VrcuhSDhiEwp7UbrUJ>s=HjghUeuJ7;@L)MRWrY5RWIyyl8;^e*cGyC z^^}z)vIrqX7ic7)D*>hmM`dgUhuETXn>nH{8p0`ZQVvmZOC15pu3FP{ptBT4(dP^G zNon4GqSQ|q57iCDU!}^SN%&rG+%4{vJ4Q`??lT&bRU9~8%v5N#sDr{#83s)vN7F88|_73*z@~4N+APa 
zqVl|o%G(?x1Ev#ARpK*gHW&7N)YUmeQ~KLC((8!GMjp**L^~ualYOg|m{B5;eOcka zCAYOMw-KPCNr^{we6qB8t6v6N)8ecHobI_^wWUv;|FQc00$ofpRYs#iYaGd}&1y|sIzyr0A_Vovpn zHouKJSZ=mW4Qnb|^Xg$5pQR~=f~QQO>KoB!rZtekQ_aC6(jHUZ>*Fd;H_nMH0MAre z6f1F&x@S^%wvW7?AM7{i!hpBtFmM-dv*lH45E<-QA$Ti#rF=v}XJ_a2#mt}c4ug}6 zcYgK3r_LF&T7zoM+?^9H{)F7a!My!SEIQ+h)Pjy5su8|?9V;~XQ9EYnZD?N^l#LoM zh2PE8VknmlqK84MwqCC)Rv66^S_UpgcV3p+$&nj%QnVbd7WXmJLJ0U&vy~E~-5E&2 zt;`4KNZ)&Kv{o*{Tx>ocPY`|V`$s5!C$r9oe5eeaxq}r>A&74BC7ziQcbu`ksJhVK z;cA$&MORd1xnSd~U}ku0Qjz0mCN!+6iO`njFW0+ExLuwHHk(=T46E@MU;Q?ZV!2{) zt}sy%lVzZm)XSo|rhjb2*Kc;;(b|Uc^2^L-bQb;o>Hs;H8#UHpCs#dP;%Yzw&iaP* zaKDPy+WBu3n;T2jE`|7Am?R%ZF$=3IXZYP$TD;=*0}1sT>Px6Hg=mQyJOW4+G#vM3 z^R2t42ocO`JF75s$hxVyLc0}t@Nohdl*dH@iLJX--7E`*&)BhUS=m+b9i3vh!F=E)u6Oma|04q@ncqdaHiacYE9--y1%_paXUC@Uls`?j55&3=JZY& zpa(-LjbhNdQ}Tk6Y4y|?OOyV?S3hM9bWq}Eli!nK-~nF z^1KB-N_jNbRoCO*yi*Yc!#e`}F;xX*rxG8R@g%a;CM+Md2=)exneQYRaq5g6iV;6Q zB&%A?m1`3H5a)C>|FPM3>j{-q%|O$TaKFTwf{J24qWOA*!k(1JC9(Kd=Fz^Y>j3tp zv{Hu!gAVV-_eVXvml5g~8(8ChjD=^SX{g2uS&p&_P76>of8pw-r%-;%y%3kajGfD8 zdvh~ko_j+sRgv9b`)NrosQe+Rp#=O#Fn2j$VHWp;1Z^4FVl}JvP+qv<39s?DR8e$- zqe-M^Xn1Mr}ZhS2^ zWnP#J(3S>rx_b|oWKD`8{pt`OF`WKY2ltPc7OGHtMr%pJ^&k&w`MCCe)OE|oP-c?S zv05EyU-MC>%@)DEQzOBdHd&c=K>k1&q~}+|;U*(F7P_5ye)H;mpI^k-q|tDU7eCh) zQ3EVK`Her;tY;2(?f57LH0X-=WonzVd;-u&!djyuC^cH9)(v{XO;$5GV4msf<84qc zjP+ws4dD9e(nCa}+@TMjl%wU$;E6r2B99{7M-fL^R0>wgpps@v0uicN-GeUCh=@H9 z<8*j~clA09J2yR>m*QtH!PXWb-Z|2UKjzgZ@L)+-Alls;Va)*9%b=!Z)@nXp@Ct-f^WP zUWz&4vrL`}j}^R@S=JXpIClZoJQGbic*b?i9hqN3wABdqy{(3+N~xZTVz(PHyfKkv zIvnw_$lh9o4H%5FX&}eg(;xv{g__F5H;C0{cV^t$?F=hd zfREJYf~>-v&&Mg|wkNbAn+=X;`e1+^Iq?ThsYlxZGkrpj4vM>&XvB+4&TF>(;q(=| zcw5#eZYtEB*ssb3552FvB3+4Tg-bPj>MNT5D5jT7h)u^z!Y49cZgOyHPUnV#FymSV zeAG5t)J+Ozex3oeqNC)00EF_r;F8omu{M`GsJJkrjW{G zB|MYqR{Gv>U{qI>xJRaVhQgHnzOILv_6X?cp-5pMEK(Ly{f_FD?tw(_Qzs~cZV)&h zAz@t3@59H3JmxpckV12z-I^nC#<9&&U7X*{!vIUYd3Mo>5v&v9s{zK%cPe5JcftIa z7GuMUyRKD^nuh&?oHWb8D<{Ne%;t{4WuQnFeJ#`VYc|jHZh1&)E_9zZNKan(cnIjC 
z|NJ5vBBlWxnO_DpU_)*ZLa|s}fLMK!z8r%311qZM19echy+g0Q^r32w_r2Drvwm9T z31|q1xE`D6L0N5WeMdZKCSwH>_suKRFzX`s_CNMDH@%mAGZ)RBkHc=FDP}MvVyYEv z9tL%ma8+}LkT-MNdjTB26!Ke-p>V%H)cH5%vvF(wfM=x1BS;+{YVf9cyjM)Szeioz zYjRQY&96~5FA)<`J>5LNEB-`WYPJ=|YoH^D>lt~On3(9zUD<1dDps$0<5gT`39Zj8 zh=ie*nAoq}(4lMx#Q{NgUb6cEcI^W-T^6#As&qghzmR93 zz^PuYg27jvdh$qX6E;u$2jF`e{!8GC8?ZqwQb0wAcYcwtBeEUmqZW?!B{pVRveuHr z_o67%WYAP?fM|3Tlh;EO>xBqU(xG#rl*(+pd^ok@JCY#J&Xm+!Tt;=_d{P#gXg>$VsqJYL}JQvbDX?b$Nxf#cJBi^}Z{uG=u%WCmT1 zO_^v`#Bf($Ut2h6D}jNoO|jNTcJF^bk_HY+6U7ZvqlsWNJhM-hWHv~6D@G$(n%xZ9 z63LIa_et2^#X7n`tRyGpzi%aFL?P?SxRaLF`zKq7v6w6&C=U?zRJv$QGbT+vSzjs3 z7IM`S^sgbR+Vxy!kDiyzKwEHq@iXQi?E@zM;1e>c!P5d}tR!K5U;cm={<;)1DEt>E zplD&E{fDo<12exM-Z6NMU!D1XM7e)q{6>GV5=KR|qtt&a;d`43{$IW>u=4kx|1Ado ziS-vq|Ap~O*Yr652f2Xu&Iwq3_?WK$U*PXQMv4u5=OSVYYuU^HZMT0a&<^^J{nPSq zDE?iX!SomBz%+xl7yCy<_ul3kK+rDO0zu&x^mn-u*5&6EYn(w>EG>oo&kPby^Y6$jPM^99TVESh}(DB z5W{)$hyP}90DREreTj^`B8mTla6=4#m;av+{4ci${tu1*mk0QN=>O0AcmLna`0on+ zga7-#UxIc6%4u_^Xq)?XJ(8TFq4*Lq6h^Tu8yQJa?;J&cr05v6R#Syzg@>^24NDls zNyB{Ix7*TrTY?W99F**CB#?n+StS6+#O4)V^CsX1kUeVy&H$upv|@G(LXGo7m5 z*0J0}Y${bBT!?l&{c4ILhxb5U-%U0)_p}#b|6C!FZiy2ut0FEr_Jw!kDfZW|Y4TJ_ zLA5|8zk4d#xF-BzKR3|0$DKZf0>0{Pz+yOs2PJyXl3M43wEKsu)$}m zH!zZZR~53WRBh$PLncJ9!OVtMA@>_&%X3HlE{&}WLeN+YluL1S-D@P$2iFF6ENrI!yZdw zt@cppbqre=&=6Z5K0bkXZs$0IAKxSU{n|m866r*{O7)E_+oR6<;5ZOm$e`ZsSgyyI zW%N+4*yhlh$mj<~lIx!Cm00kHaOh!;7KkPXi;Ok2VIXuXje>&9<$KX0yJn`fNQs2OwDF$)&#T+lG}W8ZK8dd?5%^a*+p0u4fR8Q%}V^;U-uD zg(}|ad_VA8tyq5GoKZ+EOMeoV9`|hICbv1)1qKhc4Tmof3% z`&OgE)_Kwx-1DmDuYDHpycG%vBh}FUGd9r7=n88U9RgF#Tk0g|SRH12LY*eWqf1Bh zzB}QrmY?Wml&0)XK}_T+kI1)*Xm06di0>7+BtcVprQ@Bda~oX5$G%^kT1`J4s?@OL zWU(PDrD3K6bX}Wjk_|3loh9YOHj)#A+}76hCd3~15>Whg3} zo3~>HBeY$kH?W4XN^MnbE8#v{*f+;wG6}&Zxg*-Ebx1ld$l=_P@|H}qqp3w!P1$Qn z{#}$o7ZIW6WHtd#KbFCIY6-Cq0t$Z0b~AqkOpDFeuss8-SozUTJoitA7+tfTwfpb}8O%^wztQcevIHB1B%AwLf*<5uEeF=8_Q1@BK7YYyy@A==gq}W&==&wQN;h^}xqE z&8+Ri&kr)nDIfwyDO`G=^MFSFwRA*09#lRY2_$W)-5)ttg=dp1)Q$a88e~YL=OoBb 
zap`uA_oY^;jJmzt;F11Td2V4todynYuMc`TIql9*zUxp1=7by5TiDkr=>XsXx?9R< z7QP@cO)ob$gp-BGniBOzD!0LL+pzSGI__{A&(?xlwRBBv_Egb)j0sl!$E{RPJQoUA zTUxF$>(35Ec8^#?T4Kh2ZkZ+LDm)#+l_5^G(Mh|3X02d*i`xb=Olsc{-JJykoK)ww zk_JrgKIww7?sAd}A`=Eq)?*;R8Y?wj?X`+z8q0h9WY3s{@QVv^TuGR4)7NMQQziDO zeW%6q@JJFoe#245yPkn>KhNO=Awzrj1@s1Q5(DbayTyZfLJdssa`q7c&JT7J+CK1I zTvj3eZ=n=4DXgGeibWl3%uxArr6OLuVJyer8nM-CGzi9}ixZsPFnfVfZBejTG^d?V zwu!n~%o26%Txw7YdV>yv$Udoku18cj*gMhbJUNEjsTb=q71-1!7H_BrNfG$!qiMLJ z5)xrjQR3ji{DC%K5@eFS<~NwaOP!9Gxio+C%@4ybeJ%$ZC9?CskfzY0Zkr%P!?8ol zEb}YPZov;eM7vlc<E)qp9$^idseG zdRoWU)+?IQ_nQ^lb7)h`N0jW*!aFJ4C`(b?<9Q+=wq<=^lQn|n;zSLu&AS8Bq@h&C zI<_6rvt7EW6Ig(1*vTj&Mt462W6Zutr(>q$f~!^j^0;^rZDF=Ti}!ml4lp$k zH8bY=AO$L$5louHJi5j3flvW8+yVB|DZ%82j&VyxRx4;GbB%-_KO-8~S_yyO$`n~7 zx5Vq!P~6>GFXco&Qib#tzuWUa(g%shGWo2o6GXT~4m|^C+6#emD8yQUq*N(fj64!Q zcGPe_fT;B3b>_Ds+HQJ8EO}&6`-NhMw}#q&l2{fS35|Ky34Z}Ayr>HaitxWb$v?1& zff$H&Q#(WKZ!5KxpKnqf)1Ar+ub`?a>~Za(K7}n8B4ssvl^O@AULl zvXmgTf*{o5bJ>&~bIB5ew{uvq2&{x8!8%M?uy#^<+0MehOlTib&@;eQW2kd-F=_i79oe&7=I@SK7Vr7*9Zz zA2|)s-x z)V#bcG{zeZO4}p+j7H33+BQsrHe+~O_rpN?%o`RjeAGrjW&U7uxdewGBCqavTUV~v zjhiV8Z@9KEZGN7v+f|kjCzslEcLw6z`pxaC!bG~60xI!qD-0hF0ikwFR3ixT>-W<4 zdx9R5H=d~~n>~)IdOh?o2}|V^v=UCr>779*rsvS_{ z8TTRmWA4N-GTi1&*;lZo{<(dHtz2365QS0g1fuBJ6z_> znKN_Vuj;G&$6L2*S3y1W?q1!?f4!bX=C9F>eOxx2n1piS6__P{VR1O;o*rsu}4H0PU?M%M@Wc*505f~bLW9Sub+oWm2Ant@vg}ze)gZLL{Pb~ zGS-mJ#0*8O{%inrN1Ld>e_4XKk*8ofnUDK;{qlV@33@CyhiLgJTR-OU+^LAX!VV8E ztSc*sT{y|aU!l`R6_d^s{1P4TCSG#X9SmSnicO^@=#%I%C2Wf7l$R!r82r`NmQh?z z+m7I(yOCcT=$e-&k>6cFalwoeamJf7nhvkq{^IrOx}FB0z6q3nC|V0#WP8~ZZ$M0G zgicvppw-&FP*dil71{{=wk%K=$^Mew8JPe%_4DH=OAV~*xt(u0(yFcTv``-ikQ$G~ z9!74t&mF&@Kp7Uo5f?%(O7{P{v%Wp^Kd5%6k6JXDo6FZ_V!l0QTM!(QSw^4H{kiAD zHKY6awb6(M;1G*L3_o5O+i)C`dMW5%*PIrA6tC*;qRl6qCZmqh{N+urWAr(D_Jl9B z2|anL6;;YS(BE$#c{e<5sx9lqAhF#VWIuB86~?I9b63&qi59-~3%sQWCx`KDt88`D zDbS>|8GL}ybgxVs5GVqayBTk2TrisZEwChh^4jDFmV7a&PL=9{ZDznj6x}?vI%}mk z+2C-&k&1~6juc6$UvYg3$FhV&T3*JqW$P;Osh?`)q{unV>KhxsRhw*|ZtKbTMf7(q 
zbmPllecp)B^;r!_V_6$Wm?*1tA)uYp9h(G(Uy@JS>S{}VW!~OL%xGq&lso${ie(&X z8`8r9_HEs3N}-rwK2cS=EZ=W*Zj^JI5$rd56pCx4w%S(jlbG;Zh)H;O;nv)+g7~i> zz8{BnW1S_`;CV`~>0_@twdd+Hc(g4VtVy(qgdtZ}oXzP%lbC0>xy^{M3CyL0KdK$d zhL~Cs>r;{z_MQFcebIh~{S?seyH{cMM!tLkly~xHxw&lFisO;-_N%a~b<7LxS%<{B zm5Cw9M7u)v-cmw;R8Nb13j&KS;ZfAAvBpDfl`^)v%(s8g+D`D1Sd2OGfXelac9jg- z8RZF@A?gUJdx|5F3aaCbTRc6;R)LcbJ3{ zg`q0}AiIUe%9L776Ks}IySdPGPx=G^r{eApLW!S5%1OSt&^h=`3e4w>eOBg+r70Y@ zSJFf}1QNn6@`AX&O-73>E^L&AP#Wt={n!g9HXtaGF1vYBPa)tofYC%@zJ(4xQc!&nV-41deUXjf3=P<5w){N?$Q_Apg}W|W_N`@yH*dsO6=&oe z(-D)x#vRW-y6wjACZBNV67Su-*RrQ3T7G~yl;>ovj<-+XSA2dl=G*2mijAts{MHQe z;%UCNzMLnH;S!pCk(@D63m6`~c%9e;l4zZ1&`S-oATQlWN3&!JwJnpv;ZVU`%RsnI zY_ap2Ju8ofEtm5|SUh3{jV^u89XTq@HJ4Pp9Y@U2mMFkDR;h-aAdT42su}NG%`ly| z^_=mbHmJX8yEV#&2;WpVVa&qt(%AlSFc+ea5pMlnYo(|{LJ%4(2oT%O&D|$$cUMZcISsWylO0|5)r)P_A`;XXgIP58E@8 zxpF;9oW?RqyVp`~Kv6)m-W@M#wLnhN-W%{*m=-U7?&CxnUYRd|YIai)QHIQy4zfF7qYHaTZ)QPY`itgV{;|&|)Y)B%I zsg6ocIB*ozkgPH_HtNY}A&?d%@4qC_C^Z{VmTFDGLw-;E#e2x@<7tW%{G}yH6uvj} zE-TxDufelVV!im<%b`<3)Zbc=6M%^h<;m41UCT@-o&sg(ndtmp_!E$2ZK#YKCPrT_ zA;(@3SpPf^z%{efb$F$@o-eg&R+_IM9n9UGQPRx>8wYN1V?sSdQ(>4H!BP6w%Kvkk7!P!tm&-AiS#_e=W3)`5Dfq;v0phTzu({_S#91f&Yd$N2E zhE}_~c}!b$+ki;?M4M?o`#Z|sE*Z>TlP)Ku^71HwsGLcZLShjg3;#5<%1rG_$463K z>Rh7xBP7PfI_H}o&-095I2}&9aa~T@OeXjrqYPX}(D#kDk}u3Bt?`=!Iyb;<{Dmq8c`uPqG2G*E(MbAyzb}v#DCRgO4=82^3 z7l(uz++<-Z^VJh=X>n#)2t}bS0(0r5H;~CaBfat6i>*4T;q$cNqRKT;S4<-jJ6^w< zscjXn@JafK&25|b=+`8BYi4o>@EPOU++E(|kI|F!L4pha>RidZv0_^-p!h|F7R%k- z6>xnP9c*+-Tzw)Q@oMBv%4)y-*xYU?eOqc5JUgE7{iRrW$=)8lTmc7FJ;Rv>wx75d zdC7gwC$^9(-B!k!D$D>Sxfbpl63^+4P2aUGZ?wJ^$5vpE#IcqAZwaZ1@?2+5V zh1V8ehtA<7S(xvP@KdH&PY)*$@J!81L!YdgmopY@$j=@o0X33=jjO(c|k6!T(Y!b zLG-mXmNmXJb~=Kb;7g7BydZ0Cea^Y27E;D($4Ei=G$!8L6;dA);x|xsd!|b?X*Z^X|$ANWJ^w~8asqs@yTSC2~XW89D4V3w|qSDvD7U9eim@qqOYfO-O_Df-=) znvC$*a&aNWG^Tim4_EO-*-fN76D1pmgfs_|Mzk##k6P{mqKlOnDGX{+!b{~eO#RDq z{h3EFy1Am_wu5zVPN2qKm@D9C*6N2Du6J&eI+pbJa9E4@A( z^2%(f%XQ%>USjqLkjPS7x2sM_hsI1yq22^tG)>U_rQ*O7rYJ^8jmC%-6jyHs5DO1r9{wwR@gSt)Fce 
z!ryF@dQB%1s`5G`XsqLM#zmK!Ankal%}&S=ELBE*z8B=wZ}2d~t542Y&|uH=b?!6Y zq4iD&L2MXnQg>@qJLJn)sBbZCyDM^WlBDhix%rIo5Jv?la7V8NZj0U|wmt<8x;sAP za*1@;7cpL5{VJ=n0K~vPJzS*uS5MO_+4SB(mK!FNV8?H=@EXQINyMu?pW1}nXe6_I zU38jlS`jvXhPZte_hTK1*j=EQs4Pnto7-i$*c&4nzk7gmXkC$bZ*2+U));t72$?h5 zK?Uh}!=1d}6fXJ>yFQaWvYNgu;$H~=7SmJ}n7d2P(>mCZVrU)bKiQW&h2*zNzj$TG3F4v{WS$u%kf2Yoqq%)Py}k4qXSy$%RS? z(R4?~g6|s-$gk6)SYR-mxS4pNg4vKMYAdA+8`54s96eWMa zzoI(c1}XW5C{*{kd)#ZgCwmliMMQ8M`5L|D3S>c#l=Q31m0@CjOVsDrqq{HPoPT#6 zS58�kLZS3o!<|cb$~uDnP!d=z;L5&=mN=_{wU0 zyXC#qkgkyS0pI1uDx_gYwygb|?z^Aja}1m?=J~IN$gfF}f#N;}EsI5pVK5CK5zwpZ zXJnL{M4Qjf%K3J$a+o-4{%-c{QX$do?L$P`jdcOsX8Pll>=rJ3%apz&hHo4Ms%her z0P~3Qen?7}M0`3t>#8YX+s=s7A;kK46FQwo=h}{+B&pSA55L>%DoUetWcu+ELYg>1 z>=2dD^<2-wTL-^i2%W2T8W;cJ1DVSJA+D?Vuo)LkJ&J0~3quB-(+jIK$*F|=*b1Xz zgw|LYo;)Im!z8GCsZ{b|8HnrNPbd{dpirRKMXnci@zcX-dHq1JIO%V~<+?@n*HA;= zwiw&P-wQrfV)9fhL$Z<6E6tfyms|Nm&4IquHsJ>IZO!Jc!*q?*k*JaI+goMyKA~4c z;&Uqo;-RXwk5D_2;S?(Bcamrch@hO%9a!;Z@o3c51!%xloGB% zGQ?^XXGhF*Cly`Nj77CTLI}p{EZM76Zct=49?1_zi$Z-W zY_c8A{&gJukjb~!h{G9?idYZv5FX$7BbdX`gVWqrT!8Uc!ul|njl?j8%ouMuEVNPQ z>Rs~7nF_0XhkgvcvrWrSWlV7epn{=4X>uDg>#%zuXd!gxvOrF5~yI_9ypdTVPT z(Nt}5!LIaP^rc|u>3GE{=^A+Tbt@Q^%aB~T+5d1;xDyo-EAL7&uU1>o^f)3>+$kxc zw`fQUrpdrAul!=(^q@`_PAQXy8(u+OK7!yFu}{s*nR0R1oUzsOz<9X=TyVr=$7eiD z+;y!;F**V(b?Pq?D^GhDg{jS#s&&@0A%~5{ZhLYbWfXG>I7>ovU2R-3 z_1?-6(Ct6!08x{97FQO)+vH0AWl49oxJxo3z`xjMux>$d;P^72DtVCAX2LGm{d?MH zqtdfl3=~(eHkEqJC%v8(8*Y^mKmvCGzQMO%Zw8dwuB*p!l}@tdD9kawHE>QNelWUP zlP+IGXL3?ee_Ij0*Q(+fQPG2{=5r|T%bJXu%YnR^+Y`8%93dD$e;9X1-@)Z27O?b6 zCrI+!q9+pZ&ZG=Ke-mw~?nSewYnnh@wG}$Xp%ODKPk1SrZ<1lrMLWD6W2XirE@(? 
z-=kff&9iE~oy-TI>PrYorumt4BKsl}v>v%!+kU#!N7FsazGzm-%#~dPD&(-IMM5ic zyAjBUwnn6+YJG;Yr*adP4S&5rYi zwdK5~kE&viP>JbHx;EnFm=2XvP*CYkA?dPIA4mS;r$z42)xEFLsc5j&3*K5%(3;`z zS~f?o=JdpXC~lR^+@YEeYHZpYn?!r>J)ih8G;i3qw1&pE zEoWr(#5>Ca!wPD=!fk0rTd+G)E=F1*s(YWMB6wr{*QRlun7kEjCbH%>IomO3=Nw>MWgjZg* zlGqdhk7aPItC1qU1GT?Cy5rJNIHJi2({rHsEHX?dYBSGeslhp&2C1HR9o9N&CtRw} zKnVB?ZWfoj{XWe*9P#@NEM6!os}KMBOhYYkOTLSHBVn99~;_mgYT&(^u19ZDK3`(#A|@_C6(R z$7J*;rzB7hQS^5Ucz6%5a?fIA%;~hwspns7OTt-=!Q%Vkfdti|npVp zg+q#-`cV2w_O{$f2*ozJt@MyN`=Hu|<3ZgKb^6sHXuyoyp5%c(_jrkk$(Zo3-TMA( ztnz`%Ws&0MN}Y)qhN{KT?hWQj{kvWdIR!G@+FydbDjhRBsX#;^-Wuwo10Z#T*!NyRV^h&~z)9gS9=`r%EQqOut({cRh<;Vk?Sba9M+Iqz{EdF`{~nxQ@=?}}w-aRrsfq5Gku zu~+REdmfwnRM}CG#?{|z0=<{5sx!3(Cd7L|X&!NSA34`d!`kpr{(SC!j_Ee0H2 z%^%Fu?*Zc3P*u^qf_%~=PKM!Cb53?^)^*aua;aE)nv^%q40rNd| z@u}-zd|ABpVI%ciWB05ubJL7cdL9GnEsm+`h}p;HHEGmCRveX3#iBa^VdN--!B@sg zDD4677}-4)&ybJ}#8OudwRHt~q^3`Oab{1k2c$JDyBlZg0BYq9}8MK9|(JUl$k7yXDr z0aW(%K@kiE)Z;vPD%mB#lrKs)#)V>5b)`~rS9u>)ob;C@noLnsYkZXq!ZR|SWl+Cj zVTWw>Y1J2Z`n?zr=nC7Fg{HOh_Va+9n`Cr2M>GOs<|KgK9D#;r@p+Wn`)0Qs1 zg_cO_+Z=RBT!3%un~h^0qOoez4AJO@t)%jLhfQ19C|+m2EYM}(XOmu2LGNuaWP0a1 z5_Ps{X7;r0*wf0mL=w|PS2HYl;JBk}5@2j<=lpv(rhoVnWlUj7>iJ66E-=k!bw-WH z;fQrcvAgu0S=yT2L)2AEGdUD>Xgj42CvN?U&+1dou8OCOl-jolD6J>Yi*gidl^(Vb z#=0YAgyhBrK$<~gU)o_?0>y5*lbWvN%)WxIGb(Bon?r*+a|Pn@%dL`}d9CWfV!fF8 zCM3^Bt5x?(nyDTAG$fM1E<62xeb!8xF1@Yy{Te+JCaC$NV73(27U4a~R8jsyWQ#86 z#mwn2#^vuNjG5lfl)C(&Y~j+T*GfMpPAwdsSZ8q<0Hyt;LlWcWS%!;e-U~BaCo4MiW52M$>k<1i`z`!5Lud^xLmO+G`BAE5qxfIoiljX;h6DraYm|K}w5AphUd z|NDc1zXCytoxY!1c*PcMHrMzW&aCt8=2ar^U5%Gck z`7q%6d)s~ z5QDKK|3yir38+NhOa37VgWq2t{foq87LYGD63xH@$3N84%Ye^Q*qw1-k0t6KgMmzA z+hb!2euueX{Vq_9!kgg?uqv-s`(VBy(wsAPF$>Fuq48MNe`$MLTxGXHZPrd$z@4+-P^fDx519Kj{wcJvl zq+t5uXd>hs_QcyL#K{)o^bZC5^Wnq!BnQx`9^w}wqTiekbRGJIWG3EdBaHRA>bibW zmGxFXYxS4!kLx}?@0CUwTJ@Y$*i70->*E?-KuLW>v!n`zeAcbF>{gm?WO-3;F*MuC zT%e?fenWgv6?))TYCM3dArtL8d=FE9wWC?vZjRS3%h*eTVF{Wb){Q3nhuK7+u>odZ zd4Muj2KZ+jAhl`MpCwA^{-Al^{3CE)z2Kz%Ky&1l;#qG6vs;=Hu(U*$Ak*kp2r@Ni 
z-t~c5LngXjd(jk&*ad~>;hEg19(i`tN$@Yh;sdQE=DWl4O9hDhMT`~99&cL*m?o$= z{Ber-5d^s|@%x^~be+tA`-}^|fDf|pd*=2U$;a^;H&_028GOE9YUPQZY7WCDy79XA zNnN@{!sfQlFZ6OrDWxDoF;mt_#@U=!hlY{qQahG}eRwLi_{7~_g~YMhfBv>6#_p;~ z()>p2TG+fw&AJapc=7#MDfEk5NHWZP1ZHLVRwzFw(;(z!g;t*-Kt}ftck!w^^P3p_ zZT-Dmh&!TOPzxX}T-I6ejX8f-fVHdLGeXo{@$Fi=TK^7w^72rZZqer*&C}#B=6M+> zAAo%S-c@MCTQ%e!t$Mtg$EP!E+CFYpq_pit zC((tcw`(T<6$7_9BTlFRYx(g`W^{Z@RX(OAj+ObTbusLB5vsD`mGxw)2I>> zBHi8+%zc|VHu*E}?N+7QP1)zm=1m(=PnS6uxPNB<}2fj#piRruJjUdrs73ayrm(Rfq$6*!1JTY zH&4PFVU?_?J3ht$nDdo%Ta#njw}q^{M}#hF{)2mqCz|KjYh;;g2tC~UPt}V3?~S=R zR5Xy`+r90um)^+pTU(&mWyCV9kp>3`zl$mMxx{Jl*=$N7Il>ytv~71eaJ?+bm`O!X zShvR;9VmKUU+V_GtuwnhEOWIL1E{qZyw*2YPP#V=LMx-DIG0jg6xPVh6} znwY_rD_p{qw|~(uqN^PrnY@pMi(!Ypn!jA|;qD%+kKzsl>Gtisnxm*3C+=2)&P1ve;EmClKQ+5i@ksCzbZ7L*NcZ1{q^-VFz`zl!kR0LWotc#dzir=kZ%=9e|i^XB>AqoZh$B5KW2b8uK1} z@w69?Ri}~^`xZ*PgR=hOkaUKorNHdMfC}do8F5z!Du^{+Tut0Tf1VTUQMm;OVA;x5 zgqoRgZRl47Hanugbgn?+%d5urlLmM~DaDN*=zr|3Ea`i+v)sMfVC*?@F0mE_05CYpm`BNPt z+XIpn4aO60ZEyoDJbD=C+jN3t0wchyI{mZuh>?^Om%myyTO(rP)kl}REFOE0F4TFP5qVZ@T2D z)SzMNv)0TZD>YhC;9`9aqazlzwqAHd%;#nX>kpy2bV<5}i8QuZkN@=>teBq0f<@tl z5Vtv8FWYdfEg4(Z!BzE&%oW7V-E9V{B1=7IVlSR&9}QKXeoUTZA=#47?X!^^l9p6W zDO0)4*Ky}$Y|%0x)-bFARo#TVS?&AF*+GO^N8sB7;p;sw(5Za`(F+R}=^?su=O`YO z;(Y+q#xJ-QK(9aAT;#=j1~o-AZ+qWbQoFEYuqUbS;Vne>jNXh~yH!{3SgSEX(*BtT zM_BtY%`5sV!cyD3zI0^sKQyKNT~kyqVGjZC*Ts%Hb_M%Zdc3%^)YT?z%hFd+MGM@B zyPlVwZa*o^m+FX(e%T#?(*&8Yt%an5C?#BThqa3{PSItR)$SkGfS_N|FlBK?0b^+{ zK|Q{1!B}@o{c2ZBg2-l*g4e#o6wW@PfeM{9dL7>M>?Ju{8`cu_VLATfVa2?YUK4<~ zP{}MkyQlaK{`PcAIQ6Cc=tH$YP_g7IQ*#T-`alpY2F;6qYoFK6w?t=6(00ix~ zTYV*5pocB_EP|yoA6)QdB3m8-_N)|yz4`#WCBq7off&?9+0kRmR9624i+Y*2W4~FS zi^Uv*>y085o+F>k;y+Op@I7-CDzV?~NZlp}Wj`Y2>8?|xA7C)G9KI12W!g^dp-JiLTG{mfvoD@Vkc7Y@WqI8q=Oej&FFTrQs(|w-7GKRiTgoB?+ zzFa8vK)6xF$gN@AVLx72?$Q<3_jYC!L}_7kUrWqpt@Iz zH|%Q9Tmd~4Fn*`4+@P;>PhyY4aZh#al3jJ}5Cn8|2+mdEtzQ;bBTlK^K0i-#x!v+I z%B?+)SaOAopxML%D;*$H^i2WRmDip-0$-R_Lsk=C6WTD|6h&MWse6Hchzubpc44_^ 
zv3mxHFgmtqBvf{tn&me)yM2yBR4!(|3tHO98BG>^j|80);q^-6v77>@Uv@9uO4o3V z(C9v^n#;Q40b*ujSyDzZlD+1nuXuRcPiG#$Zk&>b=;MmgPZqQo(_unYt?g95z=NXi z;{8(Zam{A@gwk~lLkZOZi~-gWZ3lmEX2iZh*%}jQ`4Hpa-I@1>iEE7tgFca}HN6U( zc4U#F*YZBLxPpavS8iAcy|{Ay6pA>5ct1@wT>lTs0z#P!&&p5rJv2RA(w9u#doI6$ zS37dtgO%At6^n7l7F#NXlINIRnW;;MmbZxdi|hE-|M=yJQ6&qe&zVb zn-68#g+6G8GQiCxh@|*h{rEfRvnTl@VH%ZDgn-w7X#@Cy(ZL;)ccL_&8v~ zf~K)lL<8Q)&frokU=-;GAev?6MO&Po^TPl!;vQ!UiARXy{lr0x&^xp zW1hzu#gSts^q`D4_JphnKa8=+jtX|n=J&Fx0;wEF%bfNQl%J0?m-C32aaR~WBV)q2 zE{gArC!jl7G|Kep_MGa z;;A`UdC`Bx=S;95OYuLt_b1s*Z_fRJpED4RKqSVJgGzqx9I;a%J)TJc=v(H`<{M6h z`T&fptZ;q%K{by15PI5QMX((7lRm186}ObJ;}4KIaX71}RacRJ1wEc0%b-D;*3?jc zmjJ$hfB2r^q>6Y7w_eT5F#P4S{zZ%$Dk#%oIkbVox4#eiT`)%p-`$zB8F|uwP4PbU zmm5WJM#``MKt%9C_7F3r&$#Mh#s6yxMZoVv*kiGGQrzEZ$@`L?SD%;)6QtM?kcnAQ zyc|vzv)rF<;pAI?%(`xLf#>GtHso5!1^=~druKV2o71L!Ua9c6k9iNKjhsO3+Kumd zG9mufqW8r5C+Yicj(j8h{xCxC@!!AG+RTl25XSQVfAs(UVBjx8{`aT;znU5Np9k{) zm=53{;_%LxCXP6Vi>{!cAeyqTGyhD;@x7XmjV6U#y$c-AR_zM}q5g}d>s=rBJ+`{i z1ZMt&QT*{s2jV-Yak6^2{^ww$>1M0FpUm&l@^Ad-54o}O{Sf9NLPn49U$Wmo=S9LR zeY@EkLKE8VP*iI?)u(oTyih$bILIFWk29Vv1Y_G$mD59cAl4E+`WJ5V$AaTbP*%BZ zQFo?dV$e+vCn|%PiphBxS7OQ00bYLzohR@PB_1FdT@v0%)F0KvqoSjC&&}1#Fv2|? 
zusPh*jjI3d+?XOaLS6++Bm73OqxznT|>;&i}*OcO>KEyONHc_DuqysgfLlSM0qe5_zR%wq?@g zyxw=eAznrjo3`2Sk8J79oT%Vj4DXnCV*avAk$hl(=(6B>-oxO$<2n_Stw!;{Lq|xI zsmat-b)}UIY}?zbtDrqRW3SCWEHlw~&nK(w5@gOA!Hn`R*QZ{HfyWaHKxyH0&`n`B z92%;cIDcF3SI7T^2Jak9CV3}Q@>p>U4RIfH0n2fPYFL6}Dr~h14g`n3B7>g51ATO# z8o5#GA5t`q@~+2@2IVdgnexBdReYvI_D4=Wb(VHN4od%c*v{^-*hWyC|MTo+iQY4G^rM-F ztG({Av9V|Aa2%+?HJaWWu*b~OCFa18IkDd_yExa-R=G@9|1@q)2Jb?tUUDZUCU(AP z3Y7CZ7sgh}zrWq<$NpV(jL%=l!18T~Hm~aYF3mp|ME?42ZNWKZ=(qQNCv8>mmosHu zjbqNI*g^Pr#U#2$%>F8Ll;{DGjJ5B?%@_My;(z`TYR=J)QRF!{nEqN>!Aa>`-~Z&E z2kp+Wl_dh`5~-+uyMiViQux;M>2LFCWbzTanl449_`O@1*rlxXu^Gv-{V5sh9R{&p z8mE7bv5nec_$*FyW}Kz_nxg(jKW(Vw%_r}KYdX>)jXZcm=D!IT=X)oB6VdG;PEAiw z#icRCD=opRhO1QOZgwsRkUmpy|FS=}e)KVCAkl085R7Qn5-wKw9}HdB`Q!ac0WN{& z&2-l$j!FouZ0Z&BhRZNGzEFbyI2o^ek<2!C-elab=$26h1*GrIVTWsBjr_30MX>t5 zRtT}-0=M8?wMLX|hO;02RsX$J;155c^1cA;<*V6R8+SM!Z+I&9h#_8J2PG-cvD~ja z-s-OEwEYrZZHQEPCr3gBd4c6zUC8qf)_8)0)H6V#^-Gwr($gbuY-~srNr>q#))?zr z#7w#$92_)QZGcu)SC3o_Nm^OaE!LU_R8-Kt|3_x!yoM}awmMR(pR!v zX{voR-j>LE{QDr^AuS@lyA%~~UHZQn^@rj5!#%6#k^X}G2T>oOrla3o>-*r!FQ4f! zGUtv)knQ2B%I8??jGG~HQ#pcTpNn(rfzIftsEq33c#a<1DPRGpvJO`bzwhXI#voB()%H<)0 zk}AyDZEbBBZO>$|=$jklPi;PHBJo89xUO@w{gcF4RzrQsDUaJYN=-%pc^%$}<+#EQ zo{FDo({%?kLb>-8Gd*_iM=9;?C731f$-dkucE@Z9fAEni-Tv5;iB>87agUG1I@=oK@7rjEWqD3zA#M){a zHIpq5DfEPlFE#XNmHn0hbwdi0AjBi5v^W?=9NFuYy#bX=M>WYh>q*hdREF6 zxk8Z*Qmm-f=d%Ij*2=EEGo&}-;4qUzMegF8;Y(z)=5siiya*b2jj570sglBfqe~rv zp2+$VM5z_jqg*~)hPA9iE>Dl$cz$G&%sY(H5!n^fkgc2mID3}D9I~>RT%l|;{(ct+ zfkOBkxO1m$*xc8Xr=UPps9fQ-h=-T%k}u~|$$Ot!DWQJgVuXMwkSpHt6)@h;gq?h) zJ+QYJ_uJaVC?sej>;lz4Iw_dlo30j`!%ded_}YfbHO)a;U&UmMY~ydPU~i4*4r3?X zuQhM=>G9qepes@Js-VZ2shO13Bq$x0AsaSnz{hry> zl##}$2xR^NilGOQ*5}U(^LCY&2b=z(Zte-R^oiXuFz9!;dW6DQrz@?T2KO zqKc1OM6#({bnz6*(WhkeaZf-u(9p7~D56Y*OjVPN0o#B-d|@)R*X7!rK}d%)oZ}so z@X`5CyJLLbp*}-`#zDx7;RQ34+=48nP?wPk`*ip+{6=}s9ebsV{aJRoIvu$}u_Rb> zoYU7U0<9f6s`)BN+oygd4EMo%6<8N7F5Ez9>GwNi-i*_n_aYaJPf(TPW6Fz(7CxS! 
z*1!QU@dRIJ1P-y9gE=xx%;A$%sy_wd$QXU+9vjmVwk4n(Vr{5bPT zZN~bf4CPi=kO@=6{%l%v5r-N%nyK_0bg=TIB_9)L=zHmC1!R+6I8m4 zp|Z9#@x>{kBcYynBY(NxxraS@CNZd~$bT2toI@!%y91jKedP$)d+1TQZ3mkzx71720E3(QA zdcV{G;yBsf?oh~fqYXpW4H(-8xihkEzf?!;pe&tGouvi4iDYp@Op7U8 zpK!{xjlkQ*kEmFAz#}1h;0uQVd9;3&?j)&Y@>1q@F`GVqgWvb;mivXjnh{7{O7|PN zFV-m*o1n_^=%{McgK(mS$uF@wJgi>ss~k5L+q)D(WV@=KfE(iS-&*Phw?Bw6$F4xG zWPVBX-x5vU;4;K-k;8!<$lz{Y&hY4lMh2pHFfnQ=r-_y@?TF5~S=t z-NDVq=w#0Z$mVra7y)em;rUu^oXyiFh_;in&fjnepP%eXC|H@h^*&%$*e^0;a5&RP zKZf;Z_x`9b8nv@SVa+lxunpxH*cD^(SOHwI3xE~>UP{IFqw0j=DXQD>vJCH|(=P$` zqSA?NPMEuWHv(NlY=Qys{kL`_742@?=$ouP8?-@tiyh4{L zRq>qGmIbh~SW!5Sku8cPg^~rn;$yc(nV%Tgs{zeAL&!M4s=2C-$2?n%V}26dWoWDo zNJJc5C+OV`OqjIa7tTfVdOHB#EP(YFS6SnK<8jHPAm~;mM!4%gY{qofvaU>Ymqc#A zsjltX@#YEe1r9C<|8D#+Lr{5mf9npBlfkw`RPx3ulfN2%d%&wJ@2!W)4b2@UB-@r2 zfk@dauzhed->Oq%axUp|`85>oI1HTD!;2h}l)o0(E@6?P2vhcr!2&de4b_os6w4SN zuPEjBHcFc2#dwb&9>JC^suB!G6_G}=t^yy}*uKHTiDDdLnoF;yf)6Zu1yzO+6QJ?t zx(7CQ#||H2hVFBMa|_e-b+ER5yUCrCC!se z&2G;F!T@gyJ^L(Pc?c-XVIse>;1sHQbW>OQP!B2X*z9+V^lLI!F?U)a6h0pDr-^^5 z6(2cBxTblYW&yKU6;42u%9|P`ES^(YfFLlM(Ti4iBfqfE*e#VD$b5%yeZEf z5}OdpXbFE7a<)ogl-hAUy@^dbDM1syygWaB_N z)bvTzu8Spg2t8-j2`p2xFDyBfFqpp_FQ*EMhQ^l;dO+({&gF*=igzRFi&h@tZ3x$XP&C*6 z;o-+C#i_atp{{%m?y2K5=2rnz)p|?sAE#;onLEFmONp-j%4m-fe{D#maZ8I= z3uO}VVm`_HtYW3PtazV)7zTebi!&;-{<_a<(?S(p4Z3E&7DCDUBFlH(-R+pH0B8<& zjja*?vWhl<6FO6#u?=>= zz9;Azm2In_6&YoI5_RVN-ksfL8Q`Ow5`0z3FTRhyAK&UweO}$^_bET1tGAvu zh`wfcX~%DxuAzZo;j%uC6s(K2OeV%#6|0Gh{uD?u?ys@Wlq4>8-6pG{E-s}vFDfB< zJX+_q^>Z5}95-XgDWcoWKmtFw#pwD5G0Lq6Mv3Kv(KMson=3SqWrt5|Klll`T-K;@Ii*rttW4wZ=&`i3-oCa!*d_ z8>x9q#^biS?lUSqsngf>kVBUUY>HA#jA&iZ4m4LC#Yzpsn}pxr@%E9!_;4TXg$4eI z%uN&-p9vy72ObJ;b-EAX*fL>nIO$Q$m9p9zr(K_#S>RmqOd`@9JFoLLFY1#%nH4CX zE3%X;KJ}X)e!iD$QNFxjHaRh;F*Wfgv`@aA)jP_+QmAewKXO#@RXMPfUR|}2w@)6z zfX9_~Y<*iEMv*Tl)mWWwcAH31x-yr6D-Yw4AMPUJ`xpKOC)hEXs0?O2?OPO=w?7k^ z=7s?&%RQaSO(o6wgZ=mb*)!vt!mVb8E`>V&KJn{G~}N7v~Y= 
zj7A#ZdeEI{4l$?XdOey^Qkh0{asTY!&t3L-bVT5;U;bl?YX8f4=idhacu|Qo*NLP=1&(#t1E2;%Pty}F;Mfn9@?z8HV&zu zVTjegy!BeIfBiV-Y4nl$DDXJQ@MqOdMuQu0_NgIbF_@}XO6{T(P-vu&$>jA(CDzQD z7D<=de$HQ|!uLR>p(ghZ;K4hs@5>Z=vtpAg@LAKz)7joFVgFDQ$uSoA*6N!rUmQhD z+v>dv!y^^yZ<*-xSe#e)o7fM zk`mdk$fu1~r5>gjXr-FyjLZnH`KB+jTqYP_Yb#`{h7v7A*w?{~n-tLPI(6};AN>m__Z?gd-o9Z2>UU_nA&{zQlCU-sG49JCg9y@oox z^3M&zN#Wz2`3Cbxkd;WOeD`VF;Pn0S2bAbJ^#=^Yp`-AxI6^Un??Yc2SCI9bodbD7 zNwI|2P1O4!KHK+V(>C@SmL;)wEZXdoul?z=+2WA@pZ7}x1jxRBy!}u7eZ1k18<6D} zk&}O7u-`K!i|-KepxA`@;zOo~MM%q$THCR~l={`+IyE!GbNVIM z?Zh0wckGQYCot8U?S(%zw}WEg{`*Rc@8l0a{PwtrT3IF0E2o`AXDl5^yWa@FtFYa} zeZIbu)>ES?tTU4ximWkVdoP-#cYBb=py}zBy>*9dk0^l-`z^KV#oCV`RFi_Wyp6ol z&PzhIpz&&x3H{)_j{zd`z)3PvsrDekBOHyNDBy5YhoDbf=)=5F{$K9vB^EG%jcuy3=iDm-VyYy6

Ch+R0DT~@A(zDT81Y4& zZ+)o4`MJwS{o`q-zN&m6=B6-mqi7TbgMFYzHw|)CblqkEb4AS8?AAQRzWT02ILhH- zZ~YK_5N{AEk-5;VdDzU5YjAkrjLBWipPln)u$Ks%$lw7U@8LR_s4zI7YZC=HsLNAS zebDHQsHt{4Qs+l{4r_g}w0x%BdNZ)v8dMoGx3)KNj9I*c6^y6hf~)-+%*L+wgdJNq z*h&LaTxu&iN6MW!M{Y2}(!={H$pATwa)@-aBysaWZETeWO@qIDVu$4lKplXyg!}UC#)+qaQ$P zRS2S!l>j)M4-!yYAyJ2@?=!<24=;b}jYAT*f4NTCveNCaN1~IjNqVZYNWAZUqwcJ| zdn)?c&fR@fPTcJl*i0K?mh<}XQTjZr_Y12T0$HEEP;dES1wcmx`;1P$(Nv%Qi=h|8 zfK8bQUg1}aBXV7F#QTf${X2nBbxP+PP|+Q;{)^4|2L~$HR2yf&J(7sPxmiSdeHoSh z`&GFuck+v(1jr=H3O5r%GD*nqr#>I=yFE(O8Sse+|5T@Gm-s#)o`k_Po62~=OIo^dzKDIs>E*u$U;#h)Rbe@QJR51; zSMtrXD1_o_&x%?>xY;fldx+~E}Vaz(Ap;Bg`W1Q(?<*aGu4Q62^iewrpf*BXIP{#p?8==Dd|GSYKv9oG_7eqCf=({ZL}F&4(!y%Z2kS0X zeE1IjDSD~QCS#EF&GoEkoX+8;IXMQVX(~Gth%6j+c?dAy^>k;@h`kQ40fbjTZTUKB zUwA)Uj2js<7cAr5Lq9gc0Y3QiQr6iq6L?$h)~9f@wSt#u4Wa9&8aIKhaZ1cKZkR$m zf)3#tmOYuO`hU0gs0iCjz1!_fUWOo*p)1QCTe8;mxdZs{+`N!0iW3XjN3 zyjP6t+2Svzj0c*C-LIj6j5zH^diMcm>0CvvFvZePEzt#aSBE!(<(*s{mVIYEd>?dKV{*=toLhFkwDRx>^_1Ekdz9#cv%mz>$l99NpYYG2V- zZ{;HyKUj;XCf=`*!)2r{1q${y!DpB?78XOLspWB&wKaT)b_8$iTl1l1MBFiA`*&f1 zsS)XQh1z_WNe;xvPp=YdV&a^|cmWeMStWyc^xz80o@VYpT7t{MpFLJaaO#Q7U^PPr zc7~Itq!AvzLxG{xZEjyfqu|s*8Cc>3_{MEA?B6U_-UOZWN|T9OZ9}TY3BSziDr2N2 z8bb?XU9&-_ZG$K8sH5o)s3661HZPEPU9j{^KJXW#I`zCWnw7swH%u~WDDMvxyhZ%Z ziB+8vkf?uKc%4ulyI(+)v*a%XRwfD)O!RQbt|(Cz_? 
zOA8+c-Mnx`%xcb`aa76(k2@ygn%*YB;pQFFzA&rla(s)uPRz?*La_?}-Gz!nt`wXS}T+1vRx;WyzM}%l+`4qgAXSkx-LLMM;i-6%7!g+N2xzGK2p0 zfANV-2qXeQ<*urp_Mg#lLfIc&j9q$Ow{ksGpDA#zUyAKY5H+TP%*d3tucBBmK{c1b znx3(G@6qdwW4I-wYa00Kl5j6ZXgH^Mg;^+*!aBfU)q=*%4=b*8IjpeF&9yYXi^%%C z%-UpF>>~@Py)bUgdwiDHS@~YhXQJn`K!_6?S^Ao)&0kA1;%0Ve^a8h z{cr3;d^)_zzaEf*xPIiv@^yEIc=I+U`7msHf0eKEDCAh=19s4!TM71wf7VodFk=IT zL_l=KZPPnU$7Ol@o`eRVb*|HK1scy%2@o4o)7$!K_2n^wyBkJ3_+yS%Q(D z%-c1t7zVeC@B^JeT^CEaKGU(Anm&7&6n{Oh zbwe;XFoXV@)D3;#uIT-~RI>2w{l>vHJFK1g;rw7O=m94X7l$2;ro({f--&%E=Xp5I z-GCGf4==B-{E?pZy&7&B2Dp#+nnvF)NtjidOCRBGe*W48dOR$3t~{us?Yqr&JroUhE}fee zULuP*^&c=UA_al#&mv_BS%uiwW#Y-$Gx45z3adp*NY$50y1%H|>$tRVoauEwUjUeB zg2HXJZW`f#=acHawI0mRFDUrG6%_!8ld%)52braDGTLb9v@W7>{Y@BGv_ioQzGm;rU4ChN8q7Vdbo|Xn=4xUpPJ|Q&o%Ggje}BI z%8}jvt~-qe!BsQdcv*a3%e2O9*Rl3udxr}Af5!>zeE}-S zBKyu=r}fxek|M$KSZgaNW-RQfPwqPn@H^pJHxrL;kA+E4j=#s@pZ+^GyqA%l4x5`A znjvn_Kl7`2`J=jnGX;l6*cG$lK%%dliHcgy%95SZoB8xYr zsoE(+{Z`T>*L<|x?bWJdC)(ugj%kg<-$X?J8*to@APtA0e9cJwcXivQ^LK4vK$@oO zjH+}F^<1LZfj!aO8X3vDa2vk3PEL-@AA#B*iZhuT>|vVw9D!n#BRnQ)!(nqCdm_!- zb9ma+EQQfPERW}MXQUWy_W&jATdvOQBi7Rwa4I<^H<`z!|I~z$0whEr#fq`LvILt4 zcM0bC%HBe8(-V-OmrP`~uu$L%!UboSm&`!yW-q1|kjqDKZkr+Sx`zmYA!rMaR^poh zJtXT>m|jZ8{|>d6kqjtN#5A^XP=9DBIwDTxu19*jIqrHPS@`6xu)uh<_!E^sXhQdM z)=PBs`{tVkGYUF7)w)3&1B5bu#d4n9NfHv^G#YZ{&E4VM*&sN~|Fl2Yu)l>r2NaI< z{CAHJBoquVD_mAiuFhR8-6ow0=%5{K@VAP*=1E7vMEu61xGbtZI)Voeps^23Y5Yh@^cI%rf8e&S}>JL9KsYCNvNniogfgqTFc~ z#nmee8N25wmyqx=$v)?)^)S5l+x}#||7lal)nUd9+JbqvPs(^P&u`2gq%_%nL;(*^ z)0>|d(xImwS0VUX8-p<*i~rNK6kvc>(jjDyfe?>3_j~pXozz?C_aePY&ljZ|{;@o65Q0ar!@7 zz&rtJP^a{Cuw^RH-t4#UripK?v7Zvv0xX@2P9)n$C{K?W{KPr?a_%PG#+WMP|Jq*h z5u~&2V9KUECjX~`p=6b?kV;{*NY+aEMfk6WfUfphKwbOfemr0K@&6O2)c+Qs(M`Mq zWaMDg9NKIQmy=hL+R^_DB3kc$2N9@kBlQ4kxmbJ9pVtdJ$^O%zO}_>G`}LbBVk%VY z?FnnO*%9f<%m5v$I%` z*)cxOd83LGT>#5{zVwY$ns&ZVk@krB=cc$?9Ddfr!Q#RLm0~HwFU<^tTgl(TcY9QP zMuI`>SSuYQ5+rv}7}#dP<#)j)mrJjHz~%SA&8Oeus@(C%I3CPdFDpq|u=USLT-%4& 
zUDf%O4w?FySN6u;=G7IN%B}=VyiMB&w#qajB_+iz8<+t0)M=jS8ie==U&pDmrt+Z6 zoSi=4>J%seZ@ThUI?%7lO0mlhnEs_gCP7pPlETzC!L|bptt)rTZ$omKN1g1S;+{i% z<}$mra+XZY=L3(n0rAm;um$7ig#J}~2vQf@9}mj|{9amx^oz=?2V+sU7R14L{+ddF zeN~iuakb{Rrt_GWm5yY%Z;JO)NYC2b7$>WqihEJEZJkC8RY)IL3LUB#|HNhruvVTa z1;v_vH5X3Q!f)SdrG8*r%QU5*)ut`%8N`7mgEd`SgS}?ce!ZSk>}G?Tm`1*K#lzID zM=hR|mLOm+=y19^F`qmKRo38q5U{Ve+qF%c<`)WMf1cV8&9gE`B2dcp(HwFK2{YuX zf%m2>A^EcHq#cRDgBPokV*UfgCBnhW8a~7`0ERM(Yk9acI8(P7&JT76=28})D_e8{ z?#?eM=fE)ks{58AvA!~zrsu~k_ZjTxC0s4aQcD!Dvm{3J`j4xa#Q-}5}Bn!<4Y)Cli)Q1Q{3SdO!w`jsqgoGGA1<8sw1oUNv}#*0_;b-RrZ)~X1~ z9c`A}Jz^q?$aJAe3iugmDSrY{;v;uEK{1Sr;OpDI9(tNT#9T#rtpl&J6xhh3G>5cPPPIV6WrojIvShvr>Odp=6 z7PF43T%E(e6E-PUHNi7_s1`dM_k3Vw(#oq8G?E)2hKjO(rRT{z^WKAZ( zPxxNOMMX%Q&UM$P`EO`VRlZ8aq=+Y6r>a2rj0>soECoWvWkD`K(Y~A1uf{ zkPsKoH~DI|WkT`z!Ia44I?(1@8$|t`ixD(_ReDhNA|6NV?Y&^SykcU-K+`N+0o|_J zw0QG^jGMv}GAF$6uf(*e`bQp|-(`Q$eSNVap658wB?|EgNJcrF5wt0eB!8!9T-bVm zqV;n;694RgTpYFy(|!56UzY`MKg1z(I?{`0Ue3OW03%lJN(fD3i960PP2i@Q@^f-- zKB9Ku5C#oXB6Z~wtk~Kxk!g1v0T5059?shNxvAcyXvl)5s+CtM-IBwn51LN*pD&e7zeHUAQyG z!_T08OfH;+m@z`fiyW#D>4{1f=cY>9O$F<$W`kk_2g9L9V#g1`aRaj%{XlC}K(=Po zJuX{;zstViCTCt-34Ve^5>pbcg~zYL3Yb98i{@Mw@wZCx2}Im!>nb_iYNa%_r(@WD@Op{4>F3VX9m6#GA+K#5EaC2Lc$Bm2~t%%g^07e6Y1^)s-{PZ!oJpL z7>PmIPGxg`PS^;?x^dkgM}~UwaIuu(b!(-=EAjCYIb`LIjD;Tsz>{r#G$G})rC-7W zMHYmA>7)K94*#oCXNowM+leS^DK6j1+^H{nIC)=5iD~VUxf)OL*&%eYzKxG9_@~}Y zSr2J}>8cMY4NfUZ@S~Pt%?`SFx5!zrZ~}_iawH6J&3{ zU5{o*Qd3PA)aanf1zPIiNx?^Wf6z*9DrFI{!6tF@i(4-#HpCOXuf|lD{DWBO_4{ zeT?*kYdr(Q1fJ_+)X{Qc1N#ye%Y?5Ioqwg6<6kI?+T$}4KqGks(7x&*u@)D4!!6>4 zyp&*HDcBrFsovo6sXx)pdekb@8tf~T*K?{LY@i~0zadyOcpD|0ujeL>@MVLq`!_+y z%G#sL)xFBYILj-bWnNS;HR4P2%2P$&oQ1XHW68D(h?uqB1`C2Z+Y%X>BM+}Wj#7E? zLL?}>7e7p)T5d52vPU*3VUil&=r6{h+%fkrx^*U&2g~TetBg&SekqZR->`Zu!oISU zlM_ktfk%GN4ry_*qI%tMv7uUUi{d>da}jSLkMQsbBJJ_LMQw>_u~oIgYc_k^_a%1< zGx{nOz=uzf48}@msGgt5?) 
z3ukv2p3qAu(0L8j^vKQfwmzMEK_;{o@*X@0;!N9ZIm6YkCBcHHH76F;&nMc|FDJtG z)p+F9*D*_-R-)}cB+gPyOQ?-tz+0UZ!Y*~$0a(7dWG?jyNlOo!QAls7NE5XiP0;+BPHXd} zonOR%!JU7}GIb-jNDSgGgYTx+lvP1D7}FLdTP{nCCp7Fen9|JA*P-auNg8AYl!IaS z@O_YK%{$_IA`*s5VvG4my6p|`(6o-|%ZR-;{&0p_5Lwu0Y5T_6 z^{jAZOH3Ei+}Xu>wnsi8!LOZ_`o_#R5rRa7gyR2bVdB9$-fAl;yeRNxbdlqoqYWt^jBLqDX66T z@-}2mEULg#KR?c3ocw{lnj@}~0VmG{eeqR&748G@m>kZK=m>}2I^^)@iA+PYXh+)n z&ifqn_t`t4LXJa#TceoM_rXu4t|=x?h=*VqUbmg}ii}#+5H_^1OikAP!CAr?(GiRh zJz>)8p5J!PU1NMFPrFUhotyS6F4zve&-dHkeTg*A*=tf}m76cAi{vf-?w}O%5~Jcuw=XTPHhBwwHPoSGMPv64Pd%UQzk?OENVW!25m<1o6#YVsI5uP zgV&$l30+stmByst4tz=0I^wNpQhihP;yO)nN108_F>ncE(8zOIF(f@W^ghQcLOkU% z#W6a(0Di>@+gK}w{4GY@5ZmtdKYK+yWx(Ux2-%n!s?uTmf4(4NT}fGNoUoT2)twAB z&b*kzw*#K_NENiZ98jZ@0+MALvS0M47g17y7v%RJTXg+IF_muIvSedxc54m9&EI|; zNWLPV75I?O84l9vmUB_zU&C}F^1&l*E=tPyEq}EPeJ>4FPPtM|yK?XIc|`_q06n1) z$FNn!+Z_V0qbeHaosXxQCSTz6Rjz9B;mCdH5sjR|?$xyvvO;&B=59 z_cd@mo6T&@mAqLGWr1JI2PW>LH0L?GEqM5gU+LZuqcAM(J$xz2FZuOVoq9KR`w=V@ z3-_zhFfAYV4)5Rca+(CR#c-NrI5=B!yRTv+0#NA1$`L$;=bsYL>hYFY`xPhNrL6(f zH9E9pNO%q)GUMUY39f)-HJ)dm825T^o|G-2Lhq{(E!s1|n8Ut%1GUg!3XRxAPeI%+*XD+CaZ@gIjM&8`|mEq{7s+QrCc#YAgv= zIfx^)0=j|7@VjlRFDub#ngj#zt_?q#^AI&eUPVyAYjVQ1aAd^>hRL3%GJV- zR;sx!_8}%tZLF4@_xCTi)XYGK<7wwO^_Y`^Dw zSLxiMPB!WPFP)xJS}FPakTv1mQn1mMxX=pko%R?Du97y z%$;@AZ^h7W$|`BC%eHtVw#mA~=|qnmKx|{%kjM%5Lh`jHEffvy*$gjObtPcd@Pehi zz;VB~jfDG5)(PzyBO#B@P@vu7z|Qx|3NRbiZ=rnrtXfS8mk>jQ>@gOm7-nA==mnE} z3HIHvCSB@w2-Q33c`g3?oBPU?nNAO@Cqd?TnQWo2)jDMDJJQ@FjNh3r@^NG+S%1xj zYKV5QJ<4jep=CTqf18S&`10PZ>AtICQwpsHGho(+ZOM@euGBg;pG~#YH=Tan{+qt+1M&3k7e@VOpmB8(4_zI$RAT@x7D0{^YYF z8lnai=Zgs;LY{S8i1){`7$#Y5)aI2 zN=;DP3-erdNzY+_O7rpS&s#E21y!}xJ1erEq)8=T*`b64g2)uwz0qrEGV<-P)@Y?!b>Le&$#z4SYY&hoq>lLHofvs1b zoRZUE_-6M|uWc5nFPHE}t3f*zM@L_b$i3lIcx(&0&1CHTi)>7&J}I?)LNYvanAc`c z%!PJz7KQ}M5ghF2i}PWLG7>?+jyg_r;K! 
zy@?qy711nCFR}do%ltb8lv!4@M1KC>-slS)q8>T-x6gyK)|5lDu(8W%Sn{r={@?*D zSz%f&u^o(`WP?faBUZ@Xmgy7+D58dcx=p-mF%-{2q#hdU!i^5hRo6K@Va@j{H1XWV zZqe9$qv9)M6O#!1!amq@^-PSCYtRJ=A2ry~au!}i2_IENN?RlNze@a=s87GGx^&RS zOB0ihYq1rh7!87Uk4a&xu3dP{3`g$+KtAjTyu0M^EEAS|ct zv*cT&ykoF*W~XNl7W^~6kyl>>WVt610}Jxr^XhBX1OQ~*3Z3Npv(+d3kj;?V1?>zo zf0s~Y&WnTcj@SToZ|dh~Z6z~g44k>^O?>_dLVW}bahnRVcW9MqO|4fy#J|f@9+zd4 zd7?RAthW`WwU$ABU4Y@p9;lb3G&b3ebLR(`?56UMNhJ& zy3crAl6-rlKr!B89FYSx^^f^~uJHmB^`yLh3->y1q4mf6c2ZH$-{K*QR>ItW&EoNc zvs>Z{a*3+klXtGf-QM1=SJw!FGR8@7rfDp$|HQJrjiKONimn~$ta>qnXPzY1u3<-q;+ zhVEtm+u$PzVx`;T$iJ06Sqv`KTUqoc>MD(N)>+wAkVY8hINPW|8+6^;FZ9lhhH|5^U z;s$)M*^^CQx5sb0=6p)8=nFO$+`l6AjIn3#qsWe8nb24O0?JL6m70InO*?YrM{t_l zyodl%-N$z?DrC3>

D={Gle6tl2-Z-hqSzq0kpj(3r;W5{fQp4CkHfKAdB6$9%sJ z3Pi{*=JKS!;ena)rmy`but3OL_V0L8Ok|U;Cc1k18Akz3gU(PVP zIDr4$(MNUDiJLYsqS{2B3!7DgLl z_>_ovFO)D!QlMzJky-`ZVEEC)4-ph-(siqW2v33tz>yrkCi}Xsp>v=NJ{zSTSmb5N zMNdvZpPHz)lkKUi9$)y?!-p!v0{(rc3p>~QdQCPFH^2Kv#;S2A`wT*>SFS>&!16G} z=~|n8DE+S!ds-obeAvqRL;dGN1uCkmERqw^&)x;`N%jS14fmVMZj=ur7x6_xW7krH zRj~Ek)9RUVJdDwO`~p3|BE#{z$a>|SQkPu5GH&ykob)^B)S7acONoxA`fU6 zRs2_JaY?K(UHLtTFW%E};XZ6a@im>c6P$}gpItLpb}AzkwYGd~C29)%)f7ZV;7F!G zt^k=O<`{hQPGiNhJ?P`<_Z(b+egZ(8>4L>OWQ}c4q(?vH1m8>nB05%KTftv!GjjcS z^ytY4niLPdp8ab_@}6wU(;!@qw>+!VDVrf&N+!f)@f`( z27FHR$(klh(l@`H!1hm#DLkyDU7dNS-Ee-UJV|>>r+(3IDi6c7tJq!-AsWg!6e$s2 z%WRjNw2tG;oa<2+WS(=zFD-%tbOywH$4kKn9~(r0O@@9hSpr8Cjr70Pd<=f0bl}d$ zU^K1FezCL}v*9)ytc)c!k4ov)HsSAUb!WRdA^kfJS zbxHP-^`}%qH!xGk`y|CQ&i}LEu=b!3FJCL&Vv2&f1mHO7}(7Wajw1;Y0FM58~;UiwNq^y!@8!7z@g*5 zM0bTTzKT_Au!?hB#^Z$JKr;MC1if+WnTAlOXDS zZUmgSbfIrF-{uMj<@YHf$JFS(?8uHNkm4g4%^=+WvDu-lL*jO&ijb$-gcfdK*TZ(y zW%y%$`tW|v*4?x?gw77WUXs zTtq-lfqNxy-gjKt#^+$bL@9my@zol$PctMxd@hIdlJDe)@WaDd#=ZMn3au~_j7Hb4 ziL4@VuZM=TKvRuw>g&KX|Gft!a}_w#;5<8eyB%r>EE3Ve@-OO$ zOs)e_%vv?UbWWTX&M87_8qve$^E$;#@<5Z06Gq&B^-P2JOY8_`j~18zI1c;CbbjQ0=>e&T?MXU{ArP^7fYf z&Yo4xhSTjMS#I|wUupD-IK5xYKf}MKYEr#suih#kc*2?**Z4CwBA+amlOQ%WmhjXZ zKAnIX7++;{eS6cR-I3Q;-e;;Pz}{MeZqWa;`zw>6YeJW}mJen5X;&*5-pk9u)GyU4 z7^^n!glS{ci6{(79+gbH>$6ja1gBiO<*>~~^fUPI4`WZz=+I$({JB`ZDnUQb2@JS&AvjH%ng&_CEZabOPyE^Q;>pii5Y&uOhI|OGu{I33 zlm7G3#MN;!xjWBzL_d{H(qD%V=9S&aM=10 z0iaBKkUrYj9Z$f?3~%jif-8*Cx*Mn|3!6-LM=!2|{{x%!U=Xk&xL)$GS+b>cDx)XPYo%`R{mgq`h{ud-g`YYfL)G$w)$K{Hwaf)E0^|K zPg2Bu6>IvU)O(w3mH)vWBWqPyPSKb|M0t;sOXElx!uXYd#Ym<7OoaqInz*1EvDQq5 z;h2;?WgzJ5NV#X_8qTjDx>?4I@)3K7kkI6?Qhxy;!#IrH-6h{R_`9SV%26jmPIfGb zpK9V^=x8owwu5>fNktU^jt=ZPQbK89mYtB_31PuD&Ckgf^bfg(%UL zb>PI*S(&b#&~CZ>EDK(U@H%iHHRpPZX3#gu+faAJ2X%RHE=!&O@S#LktS`An7JSh1 zUP>Gk5+O}HdOPUKf#uM7H*b>&2llE|?73Rz`Qig!UBrn|*fc>GorgmnZ}<-=^y&zG zb6I#hzgL)v5_Tro1#t^0uJqk6v&9+*B>;qXeR|Y zDtw0~ETf;mJsmm({41T?b4%T26S$gbbKbF6Ki|h1Z4O$0+mLTHOo 
zRuE2%l=g?g4l(@$%-b{niQht`+1Zfrp8@T>wV?x(qMHMIJ{zH_?8-@?#7+OqIb!)+#J@=$D_qP+0%8XwaUg}LRtrUGX&xcd$~^AB9- z{mi`?U6!5okgidXw=pZ~Y#DFJxHIL5m_;ZnC8RJgQTf0&oL4=T3dK5)q#Pk_FG-vc zxzsUv>h?>!S25(Nw0wPL`tgPHh632GbkrP)$XDd~! zZVaoT(a_0;>=X?Zl;m %vtSZ-@@$#yaQ?+w4KL?PXy~#9Vy2kgxR~jf$19<{hvW zR>RzMQ?>6*;ueTC2_$^Vf4Xb!J+^^__8||4E$E=QCsO4GhX=i0R{{_d4 zB6QS$1Rlj>E5qqAPdqc*Iw%iP^K9GK(V8LVQV?Tu4>pG4Cusi-d6~d8`A}qTNv}93 zAksPX`0Z!8nQ*?(i`ZN=J2Qh%M8R8^9KGIQ2wk@xm5wv?{7>XUkJEN{O_Xal`f3xk zoJg~2)j!#5E(*&Ud2Q6}EVXKlN}%N-wrnIU3@ZhH~;SgV&=O>l+cm*j$- z5WHV`2>fkaC*m6c%vwh^LDY%BS_D zUY0P?27BD_>`T4`Uxm)N^|Pvh=&B{a;i978f$d6AuyZyhK-^q>re6?Iy9CLR`9mLKq=PWUv2KoM_AP5uM11M|9cpL|5Phw z($5>X6W*8_7_z){DG!4T(e6URX}Kk^uIB46S00MfmpY<%mx!d?$OnZ%}pKL=sJyOLa?ZW4n!4w9z`204Ob@I5#)!ce&HIZUftE?PdQCCOpJf2gz1F8pw3x z(NsY<9*rI-uKCb{aw|U}Qu2g1q@6xibPpnS)z+A!0*=K^H+g@Ei)DSPJmW_H&s?-g zu|^lyh#?4v-y@1e=RA|qd4tMC7}A`IXY8^}aImdwy!OyuK+hlXUkzhq$gFze872z) zw1F6i8D02c$BeeKcRmwl;cfx)hx?MFlp$a5J2_}oj7*Nj?a8UW5eA39UvpdvB2jTw zY7MGtK~Mew`aQuc8z^Ot&%v;)ZHCF|i>dOld8qp6%52Df)C>9-#`wNjq@d25z!a*o z24<}b$tZ`&RE86^>e#@I+5Io!o~uB-1*g)U)$u^P%NPiDenJN`Doi*Ux1+`UIqews z&b1Tt<`pk^qZx+6NZJ+mSMB5neCFP$Kli_42Y=oSonLMFa{MU{DV2#B}IMWBtorv?F6)fXEk*ex&nuJNZFzhJZnZfMfGP-IaAf_%(0BqonjeS!fY&c=IA{o@a494}LC!LV9r)$1j5dv7aOaiJc#x!>m}(0pzAS5CkFYm0b-Lby3aBxDS&(C7?zzo^ zvd`nT)-;7;;6$Po&$w+Uw;u@aixMNB9v!CcdfZ9WOB9-(`ZYj;<>tt9>nGr$WcH>0hMlgl_-P zS(^c$QGkd_X3B(&z)vS{edkZigc7pnp;i$b{_{d#F<87w z5p_t%75bHt4CboJ^A(}Von>+|QRr0o3d;<{X#l@zu{}s|>B3V;lND8192*QV|7z#R zp#dQKe3HF@M23_m+flsMl_7R7EVguAFkPr47>zdXrmWW+SkxYi1L0NB3y+CMtG&928gfnX$e! 
zKw{ml)SJ-IDuIp{!|*7yZ~xsVdck97+Y+e1(31he#ZN%IEmEgaKaNYdot_Z)yspR9 zZ6jM)L=h12E#NL@`#8t}^1m2RdCdUdwY)i?n9c<&k=yk7%AYQ)`Jr40jVt4%lmA8g zu=&zZOc>4`D4bD{a6Hpy1f4(hUnM=VYsruJB)xNj!HLM_@E6{I`L_#zSg!{Uv9_}2 z*t$t*@}(e{j0dDE+r9->@;{`cZ9C>*>9ZuuS$+r^SvY+-%+ASD3|QZ)=An+KHbK18 z61OGxAb)T9RK5UN3~WXRGm0#M;C#dTO$ zcC@G<3D9ye!&66oW%0)kX5TL=_-vWr>WqnLpKNdoKln0hae_jk1Ci~6wQoeSKkj#; z&()r6?_-ZTmu&dOgBFKiEe3zOy%Ov!|Eh61aN_;UbZX18Yx4}MaXaV%GdQ))en@sQ zeB~qm|6-dk64;K?s;Pzk*BYGTDTs*{#Cby-~M&u#bEfj6URHZp-uQ) z>x&_!U?Y>vm4)Lc8lA$HP*G01pD=x2v0TCx0fiJMZ-7=Mh&^hoz^#o;bD%3kY~#b}b|Ie*Ci(4hPgT9`D}BwVHH@ zH2UlJ4vIcKue3GXFl#*voi$`6UHVI9Vc<-NiFv~_mj~hoknivTUZQd%I~l{NjPP=~ zV_QS$G`V4QmB+CL!gG8(ji+r}?oZ^#uT~0K7}z+>w+ZTFEt0>Qkql3ut_E<^Vc5N(whs8p#QVtqZf$Odep}}XuF5IMw_4HCxawu zn%a{<2a0EcSD$v+8K!o4P6q$8t7UO)qQHVGr^wCnSGn1Ln=;&js%lb*%W>J4Z z(VZ>d+_x>UX$=TIf$xjY}c zYpOqs5$KqwKK{&l zCNXU|_&RPnOqDHUs_r$ke){v-3u8WICv6WR)-4+Gj>zPE-2MhjyVH!#GAW7;c4ry8 z_hwFt?|~8B2G|T8vpS!6VB;YRj}dI^IDChWc&MJjPphIa2dWH<%^OH;+b+k)aljcp z76pumc#}DC9PO6y+voOU2>z>^?8J`uQCmY{|2Kug62W z!i4n0Q$xPd#)|~fI?)O9IuVVFKIPb#xzQYx%v7>(VBvaZ4R&HRw$~hfB1c;~oy9vu z0?`21>`zW;kmZq=ZUa!EE?aZ`{123r^X2Q}8=Ag#z@x9+=1@X&k{4D8I`MOd0!R0k z&y7$a+kZPkdi^BhVU9<=d@>%sYu`ZOF0H|M*q83xNP8?icA0~ydS?1uX{y_ri z0!MKU9evGg8E#2V^*liJv?r*4)nK04tdhteOB0nk%kC9wJeN2@$bc<>R8$tqU1Tus z^d(;tk7$VUwSP>Itgg15X}I4lct~DR?_go`j$%u6p}q-h-w((4%V*CczNWYEsVEk{ zz($k}(T44q6ocR7k&L3)S+v5;01W*1Q!T6dO0K^k7X$`*em6^@BI^bqj6{3n>U zr6<=XU-*)-_y2Pv@AlGdRAQ8ID@exNqdEY@YFqj>Fj71e!1ONHr}2L*TUW%AlpK;* z)$zZ?khI?N$tkcp^q4x&+#^Aa{+l8E(Lh0wA0{A1;{bX+lQHW5z-B#|J7f@Aza^>< zW&Q6%|2jY>KWL@91DS5{wM2#(7=?pmDnNr}$No^`@Ly1l;3XLF8&ul~LowW@2y&Q6 zfBnzy-^~_25l@W+cbJpX;m?Dr#=mdSz_Y{X=UIt`VBOtOqqJhAmmgBo2cKc9oMNFrnzqM4_9fHfI!ep$Rf%Czi6fnlx*`Ys-N3W&A$)idY~bo+##EH zEU_#UUR;ICd|i}Km(}qPLtKs?!$q9Q7KKUT#^_4^DyQ z@#&p@E|WXkrV!BJBc(3N+BE(WeE5`=$_yf?#(=$1fZVmYbzW#v4ml!xi>^8H*C^O# zVykzmf;)tJo5iJD+AJen?Y43B^+>_f<@)nVaKawwG)=Wc-?MHd^R~MK7)na^2=#3b zSP;0=AZPSoxyzA}W*W&CjO)1ts@z>6{6iJ{ESicDy>7N!HHK@<26pR$IVg-LIU(** 
z&H(uA*=Zj`raN4$**~56z~9M$9(rgt(5zXAAlMa1^w(peKA;M*xmgseW|>e(5mqlu z0QJ(|)hQds6ltBb5eNT@veN_;eSiC-P|U6ig?9DC*FBCP9&V(}1|}Wgf9kfPo@zGN z%20VT)RYgZ4!41Y@oPaDNFY>Wym+=-kN-0B_ZJ%Tv2YNwBu~KEzH{Aw zu`R%twT}OZ@W=ZjxxiOmcw=4ob15@sgvxFAkwlyj%ExVmOsztEkW>hPfi*(ISL;8X zyhI+S8?A>`ms09UoT_%Pr4-YmTC(iy9FsuK<6GfJ=a*ibll)RJuJdzZfARDkJ#-ik z6Wn(T3T0G$;prLOv*1dLZI47;2%j}7a=(>FdMl}N>-TzuJ-pEilVTka1TFwY_I~=p zEj*6ota&oh=730s3qT(`P204>0b>M)`cM7rM7;LA3OVL-G>QY!U)_&|F=GFrenE_m zBNm%p7wUFbC<}XmULx1rKEB9YF)k#dew4twDhInmqou1K530Ih+;H12avo|XBVM31sIeKCZp zY=lx%@8nBN4xZ&judMhuHDh-v%)_K=zLw5_Re{jZPJ-VJ?z40bFLXdT$2|wr>;*}E zdh4&5vFe@z?Y33YoOK>-^fDn~g%9R)ve_P4A+-*USYy3**6^nBpp!lZ6BNYf{C#%u zj<|Jvo(6z~TyU8u%wa;TUF4SbzO-L%C#chTV>W{-KVO7bkk@5xbDHlN2L2ymXBkx2 zwk7I>pd0t#?iM6K2=0UgcXtVH!CANy+}&M*ySqEV-8H!Lc5=?Sx9{uM{i^sy71Um9 zPZ{$Y-yEaHmML^QJka0KRpCo1B~k!RX>8hsETLd25MOZH6U9xL zgx$mBM9rX~u~&)zd-k%SzFkP#<_}Ng#;EJN&2Ih_4xgSbs96sRyUOA0?~3Hky1_Gq zX;fdSX8PCg=~GXu^wi)Z44@CCLli#yxnE0G^8<=U;A2nix^M z{^IbiMfufKE>>FlX29JU<@6W6?$vu#!cUb>>fhZ!LyZ7;0>BINX;fq-DYC9yaPi0RKb6v?tzI= zrIhhp)kf+j2Pu6TMF(4SbjSaTBw=)MPp%W>@2{TI(zh}S9{MEpDfQ0XSjsLu(T z(AUQ=Z!W+EFaiY41P<@>Cz{KGft@;gG=oxQ-TBYF57E)O+Q$X9P>Awr{+SU?;a;Sy zaM!_l33aa5^K^HJh6Q+x!_0SbNg(Zl&r_c5kaLez0b_@6PJyrDL zQ6OozY!_+&=U*|eIOglT=?5o+tP^n|#TgoaEy|(dht};T_c;vBIMOdia=BVANk#U; z!R?I)W*DGDkZRg;(iTr)3)nom|3u3t8HWciC;7xc zJiKMPXGC+Xb{|eBO%L&9HsYD%o`+eLFz-gLS4nrX;MiT3m6%MFctQiHc7ZEGy)mMI zjzw%Fv5MLJ)V2V_uwbRNQx-I{MBhD}s}3Jar@1W!!QA!h$1#Z?Aq{M6vzM|40jT2F zdzT@b2-2Os(Lmc=;vE03sNzQqHPT&RLXZNv@hY73CrNStjeq=fPaya6n`xNRHSDj0 z(kqm8FK*MHxjU3=@Sl7##;1C>#=W)M(~0=rB-w{&md?+-)P|Wk`Dw)^dIhF@cw8Js za=(`IP*;ttFd2S?%CgIAYK#zKl)xIhBb$P3Y`OcDvRf8R-}fil$O&mjQ3e=b2yctZ zTZymyBtKD$R5Lvlzs>UCJA=3vhoE@~`14K7WYg#sczQI+2oY)^x=%<{r}Dm$PpydV z_SkMblW|1#=ZQ(>#?w6k@!Z73&^6?@LaBeCxy-g501^4NN4djF>=#_xDQ@fMk)5xx z%dPdZ3}ZS)nk$=WD69+u(hK!xhZ=spa9g%j5Aq3L_Zc*r44yZ9&w5FB;~D+5aw5e< zoi3xp>0`Ly)>8z>=pF>dn+2`jMGed?@;GdqY(1;=_YvN#-i<1hc>IqH~S>^Odtuds`(0PVC2RJ=zV|L_bUP_Fw$i_ 
zcou)%LS*fAfZ*7#3eY9eHv`oX;{)2^_v|r>X#?c4ATSqRhC!E*Cf=a_C%# zGw*E*yK)8rf#xd`kXs+Rdu)M$d3SzSW)d9iesYxeBF28iq3F3CW_1wk0I=e_wyGeYZT+?}CAA`I@@I8EuI&@0 zNnk2zq8(k4=e`QXyV{mww7wiomPRbh23k`Us5Z2On8`M7ty;D zB#LACk#wK1H>abOK457ghM%}5473qNFETfOOBuztj$JHsV;F^zz8j(9y-uJCChRX4 zPXvMkv*mS5>4g@(d`vVY)@7<}WgTVx5-g^8urZIj_3Qq6Pwz;GxqJ~QBVj^H*j0pC zW2yR|O>St5>0$(_B!YN9S4XS%kUN(d~Q!8;0a zGV17Sis^DpjJu0fIEyCMYf7s^k>}aDvxA+RaYoPY95pzIf5Ol+90<*MMYq|t(k_*t zggt%*#oCQe`>H>wfmX+uHbljEI+-q<&8;oGrIFRGj_=VirK57OUy5w6%o+VjIho$v zZ*lMSjrhH{f?{*@ms3ba+e`oO>X2?eQ1fG&N-uHFmg>T7LRtV$ZEC)Vpn4&|TFgTN0gE4)f^PWCiH=2lnA09d_M3dq z?D$aUYHyfK5P*A<$I#WxFzekT_{teG6m|-KD}K>TZXvrBF*4QC!@l<ix6k-V^)| zDp1bXP-)&~K0vI_9@<S^<67%Le}cc62OJ?r+BxcL^!$2S!OT6%ow}MhBu&zI zWE?-~b*Xm_{*FgBo6reE16P#fuZvUyyjS%p^`Mxxs8*58gvbV@I;VD2Ma+fgD$z@G zYa{E>hJ5yfl}gP>Ce-1YO2p1#Sy1z~mR1?k0BBIXy3nH70K))NDCzmF487%)H&`k1 zqo3iI*j#eRnyL>%!qr{*Ir;=Ov-wRhEnd>~RlPgNasd9$f(thr>&?+pkbwZI%r{o- zWlqP$|M2ag9+e|K=xHfz^O^40=I+f055!xiP5Fe#*zmCQnKk8T(uZcK-oFg_OK7ia zCcw4JXGRy+o}d38D8z-p2+l;_f?hw{Z;WNSM(`dl$TVO1Lt?nB9raqv?RgnG_nq10 zjn@Hq6yJux9|eK@H_?jNyQ#D=Dm^pRcSETJ!eU?1uxmEy>xU z0a%9|=_l{zUJ=J*(xUzGvK$qgRj;}C;3D0>vx#R6;D2?h?uO&|H@ez;4WSVz0|ZZQ z^5w$B-bX6nB}3+o-jJ=8(D(zdgxbv@Esfgp=EB}}sw2N1jTJ7ED5{iDWGwtn79H}h zlnlaaY;eN5*RLmIfEi52SQS3Y{0A9(@_tn{eFHySr$zS9AlhbjZIB6q1|d>oEznr8 zTCd})9`HfZztiSMt^#YZcg*{bvcO9abwgZZU&&Zc?pbcxD*P`;|1gR4uHm=8eW5hi zcakksgzg^3xnHym4KWMm?E3m4!0ism^OwDJ+EzGvz=W*t`%LqPzX_T5hM$#y!aapT zPm5Fl?11w~?b9Wgq zo@(K#k&Bfi3&U@t40`O7+v`R`l&s^2eW;JN)(+jvmUbDmq!z7t33-*;j+dJFZ7Ow* z`Qrri3l&iSU`Co|DXj+^+c<9sy=GU_A+yrOxIYj~Vp58NEI? z)Ka;ux3l7=y~VH#$QElzq2BqRXtWUxzA3hTN|ft=F!_8hDBSAhO_>-Xn=hnNcmG%K7x?@Wy-j7fefy zN@}M&pVd*k3BYS$-P2uBI%iBWB3LsUz+Qq8IhX?~tf``Qj5{jL@JO*KT}CEsH-xwb zs{|(d>nJ{~i5ZpD}1Ke{&PlB#-PQEj8GP~+8xYx`~7v|eL{wPxJ3h2;Gr%6M|c*;616hK#oHKb*;;t0?xU{uc0jIR)uEzr;>-8FWjvGyS3ZCDcVWAh&Npo4JSJj! 
zSQs)_REsFfmB?LEr6?UBZXJvekgSlzm?11A+trn(M@p@vDIp zLFC)`N9;#;6lhVbVViJ)al-@sA#K#>d63$$jUlFqT0@(d{^-nx9H7_xq{SJPs$m(k zdAe<-h)l&9{CAe=7V`Jz2&ts^)w0te_y@uZ=aO^sZM<|@&)x(x;1+VfKwBw+xJ>>p zj$&N+Uoc$owtO^?CjS!Ml7Uv*8A>PC3Nl}vV{p-aIOzC2UTW(TkEtjj4paj>MiE>% z$-x1WQ_oM)!K^~6&(H}2^P%B~8vLx!hnqtz!dH z?$e_DJm6B1&vvEbtHp{fat9wqdAf!*%0#H%51S5MiAk8DcibM2+9986ESC6)(^yCWnBpPNSas=d5s^BI50xh1)@6 zuiFeYW3d4qx^YJD*6Nvo0WcL&G?{;_98b$mH?7`Xt2px?9SHp& z2^}g;=^XHHL^t?$ z=;2l5xNN}F(hk0!2cwJY*W4)*tNI;PLGJU+>B&}DU?v3OkW!}QX1*rfk?w%Z7s>`u zTLxk$AnWynprrtF+(w#-ynNl0={D+!`$er;S?9lV*N+W22kyj$s@yWT2#orVl5thUC9 z7#-+Mz!u1x)|FSr4K~lAq2OuZbD5MK=mnqK^_Vni*#I6_v zR?{|-tk<(6B9CsB1|?fV>kLLKYgW`k%htNBgFyUbGa)vl>zxR=R_7Fei;}RGWOlIo zjr0JAFO%=b)Slyxz54Nv9-=8cO|0?PDdQ*ed{A%OUBZN;!A?Uslq`>Y^Orn5T z+=^tVtsIo`Q|Fxx_`aILLGIs_eCVQ1MZglFtQ>JPtcMk6yi!eOZ-%Hj?CcV7dj7GU z`K2J$1(pG3vqhA7s|~<# zS?I@gbAD59&V}K$X?7X6Nh~rvk&3$gDRU$rKTcyie;n;YI2Nt*cqxFw*`t&UHHqzCWor7?43)PE+;fJ!nV=`aJ9B_dt%#Bn7puF6b~qqetdOq!}h|2IbjtaEk=8A80BCZM{CAk7Ul4zvl`;q9 zzF^W-J`OE#0cz zR_L}^0-G`$cVb&ym$$Slr8{clQ{$(mUgoCIq)Oqt=}FJOGCj=*@2*3@jMK9(BH!eu z3x3$rx6SQR#bfw5SzBzT)4UoZwqvj>$FpSF&0>zL=`Vu}9F{)No|6nO{A@bo7w2iE z%FP@x@DW4@chBe+0M;>p)}l%hw*CNFA-A7QR{vsw@f@4SS*V&K1^j&P;a%q5@EU)- zM>IFcjirmpGE|_W?K_5DwzP=d3QrxTx!kg~`+%*+!2!cjsby?2m%Mb~Lc>RM)zMVf z@vPlovM5f%j$OLDY-9kRN8;244=awc!ln{DJ70e?(O-rmSU2-MZjY;!BxSV?!R=EWY?6L$T=%M+No+AqsJ_*WGpnwlY1b(z zQID_f+DIt_`Lpy+cbPx!2|cw`CQ>NDr)e{ z_O@nGo>V?CdPTrdlS)OSX=C_-xlM{qBd`l#$Qi%6V){ZCnhrX_1zD113zbdd^^Xk{ z=hpAfC!;(j)9%3|3B^~TE6H6ZT`LHct#+%YVGg9I%R+tbqxJf6tQpI-Up z#S0l%4sg7eMY{54SfL6KoxLYb;II@Lx>T#S$cJW0KkUv8sCc^YXKW)gynLb|cWlPZ zT-~s3L4|Yq*6{i{IHoX=lM8cpkfoY{GjKK*s={D9>m&=ryy!-xS8bfCI}JvN?WO+h z3~R8Yr6i>fJKTGSoH3|%B=#naQ^1AizxZ>whfg(}jC39@1x&`rIdMz46f^HleJ@3- zMhBB@-vSxoIk$?eA<9tK+FyeO_x+To7%su$+1V=B3?i7Cje7m{oIZLigpY4j)A#+Q zj1kw|`debtkIu0smPPZz1o-cx?Tb#t#*J*tSgJ`bz1M;_%T`pfsz5XThmLPkP&nDR0J zQH+u6e&a4>`7f#33U$w{D!%S`1tFc{{u;UXMpc{aK!5y 
zX}HJ;9nK-Ead`+cLm1phK!$pMA5Cb9?9VZm)noJZXgeHbI>=D_rIW5gN}U_=nOh?($wPwF>D?(_MYzJO}!wMYg|@6&_dhYwu$ z{+0&EKjG>ctDL?aOi^#0%xVH%P#2WsKiUQ%*pH~d_+nfi^5>jbILV;|6uMgS*RwCt zCKDS)MO~4$R-n!%=E|!asKUvA5qIg`w~j8xf1^Z}e#5Q~;`dNqd<`QuFl{k+f%I_v zPu?0Jk$PoVWE$Qpa25mV$1ZTPvAH!4DOsB@#}r}>PzN&GQwlegbHu9rh;YKRbq3)j z-nC^s-Hr9bq$w@yoqzK9!Zt0bPmQrjVoQ=4p3QRi1mjk_pg(2YexT7$dNF>9;1^0B z(twWq`JldIQc{w|YJQZ-noqMsw zp!9i&s|BKv5E@y9#&I0?82rsWTF0@0K1TjM_4x5ygobm2<6N=o!rN#KU-DGZD{7ZF zGD8ey+|Kr4iFmt~XUh3}Fm21_@~$73rMWx-^NwuTdCsmk>KxyfjrXlfVFI%v@*92C zT+k!P`B&X}u4DcnAbW7NW2wUEa}rtme`4GQY<=~GmNy7bj-le> zx~Keb+uHaqgzr%s5i(dKYTH1J6f8sC7&K*(iyrqO9yw9)O6=z;!=#tiq1Dehr#Wfx6(qssaTK%kms%Kvod{R8NbZ1CHh^Fc=D_FO`6pa zfC{_(WGE5-`H|-9?+=R2N#F2hYq!zL_MpxB!Tx5zj+PCjE#XUA|WIKpb>nK(I-Q|NPT&(JWHHH zbLn}KlQBNF6bR46>gRDbY(hyR#Gmw=i?Q|Psuw2YwyHb*6au3-emz)~QFrgSF6;pz z3HX^VKG8K5-LA6kZv0m^2nEe5;q^J3<;aqFuSis*fA2`d0vXFvm4E>0d-UkPDIYW< zMDUL(nxu&g)H))l8DcLCm$*Ob9KSYk`;yf?gh+4p8wj~?6p_Exo8qpuN{Ii$0Lg!w zbCF9CODe=W9(MYnZ+{o)_+3ThF9fR&2iEf1Vnv&X9%v1VtNxrq38w&m_*jz+YY)B5 z)N^*w{Gc2_s^fLH;hf-*x;Yvyu^WCb-=AzXBm<*=7ps*%?Q#KO-|02-BE_#O0)7Zj z1r(jQ`(%8$;xZ6+Ih!2931?_1(nNs5Eg3_7XRhh*4}^mHFKUTtpU{dnv|uR5eiOrw_@vWRVd@9t*L4tkFW=DOqT}z- zb+%apglbGs1$VxmP9!4lOc4n>*1oolRYUng@Ty0X=8P!$CmFB%WO=fV9^Dgsk-Q_? 
zNeHU@rG)f6Vo$*}fSQ5sl+8M2nT4786=s;asF|A=DT!za5c@Un-b7LS-V7;;qqf}& zd!)uM+p3Yty(43F7tn?sar*uC>JT7WpOgqE-z|)*sD9tDI`q|=+-8?M5OEMVa;9tL za)5R)YE*(M$Gw*`BOX%V!4aWf4&mAxlDpS_rANUg{^ z=;B6zZ>c|30QsUe%5j42@Rhb?>l!b$T${h4G)-zw64X$cMW9B)-g~j3AY@$?)d{cG z4-UBgsiWRbPG19dqv&J;#lEkgAG0nIxSxPn2~yXJS}M>5Bsg5#L0c6~5@muyJ(ssi@GA;WO)xE*(lt#k+u=6gV$k@gbx?Mu7U z(t{6-jTk3P15W%PW7pseUY5k~yG4I%ck&9TAEVk7$^9m0=o{Ca7!8;At+@E;F_SdQ zNe3Stg-=&J`k9sAtpJUpo2KH4JCay~#eUkTO<`x9s!I5Yb7C1gPx z;V;{c2&`;8XcRi?(XQA}oWpFHGI^hSDhSM+hL7@FuYc$Y zf=d#uw!m4Rrq|s)r@gEU_U!$c*}$s+u-5I$iX77wA=p}vPDB`9f95$_>NiWtb`}i0 z)9Z|Nqw8I;IlR%t-m6`{UIlfgZ!sQy(ckOa!Gb-(T zKTr0UPs@X6F^7;=Qvb0FldW8PGpC6%+2_D8nJXXDESc{^_si%2@c%%2MzSAUbglD# z?!&tHfm`js-plEtj`Cc5@({vQV{fCc-rY0CJ^sMy)-$jY`6G^~a70470!c}1fY^` znG*z9MoC<}!ax2NklYB%HCCMvRrr{l$HD(ld1#){zeEZ9Es zJfr;u$?w}E3N9+6eYfSIn_;(z#2U4CXXbXCRIO-C?2L?P5dXdFVi8A|-j2DCcc*kB zNo>v$(chrFJ0_o=crLt;1b*|AX?p)J_iAO~%U|D6*i!_)IK^c+0mi%_MJGgrL(q5( z09Sc$akhJiW^*htE!@(r?rO+NCBXBZur`=Ucfk#|*En62zofTg!nr2)L~OYPqEY&{ zmY1^qJ@mhUzHzQH582Kp_GDFs>z1fh2+dhNIohD1t%r=nSV*>+j!UiApW{>L9D!E2 zi}f!B$sU1Y4`40NWnTBgISu{cxz6()KJ|xNdY1%~a!-pfJ@7h$@)(!b-k3Ug`{jeM z{#XCwEzF+*HJwU7Ar6=Mww=FScm1X1=`fHCjSRp2d0woOPy=z5{)D+6&8h7mSC(oE zB@oL)M9m91)u=J;VL_>!|A7!#HDk$z@2eeo;p3|vq=?pF)6#|Bt1A=K7o}Nkb=xOb zi_!FRzSy+~pmtV=UvtDBU194M=aqksN|f9|5G3!I;nfc0V#|4nxmFq{2zYrUSGhj% zqtWLn;&aE6ZQ8wn=UuE}f}H|QZ>HN*ctpz=G{;ykOBzlDu3W!eg^>g%*r%m;uPwXz z6Q9U#O+QzpJ;MwWX?we0DP&6A@6S9s%KdHf?rDQ>x}K6Xk1&ihe-R@n*nTllh>g!o zTmXF*@A(;s>-Oy$q*fou`D4K&JA4kiTcG|4RNKNI!bG7yhTkr=KU@67Rvq zKJN0L;P1nnk&R#3G{2IgR%Uo+Sni^!e&OF1U%PC0<3_d1SV|b6>l!bVOD%MDjVYy7 z)Sw!eC|QR^tK2x43aRJ6slO-$;*moEb3gZ8lN3<%|77v~TjHbRVLsu4U7nUv3vEVz z5PhMC&-#@gZRD6pHOvD>`xxPI5tF+H05kv}NB84_7v2uIf1JnsS!UM+6 zih#;!W3pk*%-yuF5CU!Ngab-apr-{XlN zj}wmC;w3yb=D#3dyzyTU5co|2EgY6$cl5M1Ud7^ zF9tnO*viN8Lbtw6Xmi;(+OqErcmH<&M0yfiT?o@Csap+H*A{-bKjfZKMwZOf%Z0Mz zQav>QQ-UH+Lpm1M_Rc>nmb~Kj%i%#hM$r_H643qOi?o`TCm^|b7q|a%c zyrptpv8^SEP6h|*B`(Io>M+KAk8%kASyGSNsN20OHre3ac8ixT*b2prUi|sFQKRi- 
z2|eR2Y9Ej1ua1T-tQze5b6NpLD=Jj&Gn=e0y zm^acs-bTa&SBPKSiUmlJ4r9W7-}2Y~le?a&G9_=UkfC^*rXO#j4mbFX|IALQ43%iq z^87ed35Aa>&12Iu*c0XV2DW!>8LJ62m=_fH)=Q5Y&mO21F62Dq4tyM~e4g5DCu$=F z%^B6CizrnWu|Er)`D3F*5Yuzf_ZV`k&j4L;S`rl6yhLB~uXqVb%(PEbPN7#9QdsE6 zwBRgCK4x}}NWY_20Skd{0}NmB^NAhP+48SR*mf|A0@|cD&ycI*m;@>=z65e4olE*YJJ~ZCT$%^}1z)@_;TY3j zz2Xv<5Ef8)=5N2i`@yG%-)RwOW8q6kyZ4?Up0(~AP=eT$k3b>*dHtEvOD3ESv_q4P7Bj7w#Yp%fk!Y_q&w6{B@bNV#}zm(P# zHSQfjrZdshx_+)nYCO!#hGOS;;_`Q9n3$VfKbM;d9-u`>nOXxRM1wi|%U60^RIKT} zsm)%r_VV2Z3EcQnzeI*EQz1U?G6uA{!+qZUp8fvxrM;pB!he5gLi_=xv)dhZ`9en; z2Lkwg6l*6XHc5O#*R^K3jAJH!(y%?lgfW5S6T<~TXz~e(-?0oe1?}`+MQ0|+l3;;){l;%E30cX0V7lHIuROFU z-27ZBGe3}xE7)*VPJx7;k!$@3Xx*Q3Izu+uT=v8w^SmIrQSzu9QWti_OJs+By)Qjk z*hnOhJkT&0)9EB&-SbNlcT`eG{f=GavLVxGKB#&bqp<1j*%}Z%VGhIT)PkJ3oZuEx z9X|HfP&bih3EIXb!(|FVtwqWL9sJn2n~{<4CX2xre45o0;ACR1vP%vIs8tU|cF2{x z^qIIcb$s&)fX49nGd7gx@D(vt+(W+9%YyM*b?yTC#HHY7DJ&IQ5l1{Vl7e0-k)P~b zKaZ;BxnZV^<6CyNq)ZC9gG%wVyFLa;ay9NWp;vPMIezYuLEbMM&4}qqq=ePrV7InH zgrv+0$64Fzm z87sp>106z3I)JtUvDaIFyqwNEY009K%KqBOiyfM%pZ}_W`zMQ*=uoyRtp4e{sbOi~ z)(VJ5*&*G52JF08Z;fXD<;QpC{X$)k!22yzR#X_~UBM z1imE+-WSD7dt5;y`M^v|v={b)JB@(2bqt5VkgTfP0E|>>3>G_vO8^54b`Y+!b6Da; zvDfp7iQ5z5nW6jZ+fQm|Zl9Q77K*RmqW&2S8FgIWpf&tO7_!7bLl`DVXBrMk4V|Ls=>!Lf;1 zR>-not9D9^PBL#AL2da~@kgqtOkH&vv0Lb82=YeH?%t#Y6Jy{Z2}x zjhE8iwWjv%;IB9tOqWuyz9u>b|-RP)?6SgJn0yDPlQ>0^g80 zXm?px;aI;76qd(SnWg`LKqwPPp}rD58&-^9ukG)Htu)v!2T0MQ@}X}1`xq7x9EYLV z=$8ZF?OK7e+78w8?6(Pv>#Sm$BwagwA+y3+M3ym(E8%(!|g0XzLV~ z3=8dMStZ_8o7!tDP8>;E`13&`!dVkk$BV18REp~Cnx~2fJ44F49TOmoH(XjB}kqha)6d zo5n-tOPc;xvdIk^U#)_5)P5Ha-=pvf{07%DjLtG}bGjOyg5OnXC*g1MVj1nc z{Qywd;MGmaqDh}ifDY+y5s9+2Jw8U$n?1A;T z)^DaImma)9MS&F7Sd5}OgsNYwl*8E24#$A+mg&Jl3XLBM4uu3Z$T#C!?dNludKUYm zNZxdL{CM?g)d}Oyv8=CG+UzX)Q0|@-bf@zqrPpQ6{8Pml=AyMF8YPdi+ z6wo!olx1OxCvm7kJ8gVYbU;Jo)1;BiVDBV7QA`|aRLR_#gkLd+OR0gWxF^cfaR&y_ zFgTt;=x?+=E*mtA$bWY%JAqALqG@Uxb3)rge;r#oS~Qqfq~Y%JDj^6G0@lP*Ak3u6 zk)Y@lvHtaNYWOq&$K*$7(#cwwHLg#p#W2tB*D4f$5d|r(V+}hl$H%DwQ=_1E0E5W{ 
z4{o0J76D?^s5%zk^Jz_@9@o%F0QgL+SN6iV0TR7BB4m48i6D@uXlU4Os2{l^jh#k< z5~~P)GGDmYv{xiQBNYyWDyFDe{@q9ofz+#YSQ1y*M#a7!Wn4o-0rAggExIP#{#O&Z zGt`XSl|E8~QIkUC#Imf6-*wLa`gunVX#x}yp$&JHqy6)kucgat6|$C3mLZEYN0%4S zJQ2v>jYA&Im@x2^TBXdCXWb27!xOQB`|tQ7y;eJTm{%^#1I474MN=$PGE=e^E>0ed zdiVvqP(>M1&CAyITTVgQ`NZApP&1F{pj5O~K-Ne~cUEpY8(<8uraocF0GvcPt|u2q z{ao!eT*Wr)ZL2~<006N|rG5CZU2R9}`<_V1yN&NOEoyU1KTf4hXbb%)xG4GiuWOZ5 z${JrwRGmX?2wil3kK@n^XgOYd`(r#^`aLdiQETpL;dAV@SVOT7^Nv$@^^Wq$SRGZj zGAu}JYtJSyIcjycW+hp98TjrW78bZfIkwPAcTayB!B^!T7lZS=&1VJxS)XH=e%BzY ztQEW=KO+ifTmL!cp5H;hvLX4Gq6D+l(2l&Cb-w0`RjwA3_%EiBgOUTJ!arZYb9hpN zyrzLt)=^YaG2MAt&YpmJOSk4Z*MZeyW{8feHDU>RcxS^?#1W9w2pY9ek8FMCB(miG zmE%aVDfw{1*Y`RA+E`};xngy9q=2dM%Qql)BX0hB2OC zN(<~cL%!a?*NS^JxN5qqmr+MLX0tmV*-4SfXzNIMm$9*r5)G?sqs_=l=7Tzn_F0x? z_^LEP9pb+i6>$9r2!(?Oi1}sTu5==Phhps=YDuc%%%(#8bVANt3#mQCE~xqJ;EYcL$NHbItBWb1tV1y2s-2riH`6<$kEk_?s76(TMxV`sL# zyF{$kfC0j}zGU`=y}g@G$#8bi7TWzNnwlMPd&Pv3e&D-VPL!>?Z^S7H_UG=1P#+GC zTgo_2I(AWc+7!Pv9FH;nh+j)Q4h{IzvkpAay`OmS(R2m#(B`0~_dxCtyNO&F0_surd0IB@@R@1;l8@kDt)vwv zA1MarqeYd4w8}a+xaIj-VrH{b7&ZZ@@hnX*P1Ix#uE#dhrD|SPs2uz0!C3%ez4a`i zO3XJyzA%4>aHpx%uzG^sIPOIUHEGK}?UmV=9eNI+DcWJ#;q1MFiNmN1;dkEQRfpyW zZrb=ZN^~|p{#?cfG>w9q?5i0>(T{P>(4{Jl^Og#jJl>S1(Z%43+G!3=6aK1vVs_3| zVse|~T8g0y6d~>wDK!v?>52ekj@J|CSL`zWV_sR$F%Rz~zt&5|a>9wJ+C%gx_3<+G z{Y87|V-`4tY68oCDw(%CO&6aJmJSJPSwOgQNiJv^!9iP_yX!E0KktnbZGhzi3 zfIK3P-Sul$DU|+v7|yyjeyB((+RfREU^)fWn7F}MMNA`tTbI}=D z7?$^ri4zSb*okU&FI0?fFPPoQPm~|Q?xEPSj7z@anJJGsuP5UM7#?rHRZO)q(42aBiGTD6tfxYnusW)&*mJSk~TO8b_!D zYO088nvSFkQtCyRm|C|~6W#WsyJCp*Oi)XRTHqX4!o>G-1+C&TiKrMw@5Sb_D1Yg? zkE342uaZ(YW7Fn)n3IRFAX&<~ki{{GEXdb&eT}VU()Og3l~d;}=U*xjX5-bPzMSv? 
zxjm%LWwN;PELf_C$BE)>nSjdKdJdHUR!2h7*6WD+LHv#eY$A5r$}o`)^(1<19pH%K zmm(AY;~__g;4FYI(;k1ICmldo(~DtIcG#J^zFwC_tcQ1ecJWqVu) z;ra)`n%UASF`n+>hbRET_hZT7%S0*c>V5)E13Rj*-EetIo8|@Y=-^W zz*=0|yBV@Ys*ofr$Wy_wMys^-dexIjF+1f{Z91>jk~yu9raTw?E=iAe=G;jyW&5On zwqty-AfIKGN;7(-%sI3u#w`X{Hvi@#iwDxAqov4B-d$4K(r(1rJp{NL%FMEwaPQXX zHZf^y7am;cWkc4Z)g*??F)7v$5e^e7Yq#q#mARqutQwmQ?$CD(z_~3>97+nlIB%(f9lTWjwnSvEo}Mf7A*vuaBGrXrmB@bAQz2G#Qf%M|FGnxXKM(hM*!pxpt{r`F;QCv6m-Q$mwX z?3*O*tcF4AUiUK#;HP8`z`-C`QrLZ1w^iDUthAQ06CC4ISKWe&dNbr{oLdW$W=-P2 z0TX)GBp9I0?v51#m-tgX*hY)6CF^O26g89ojx=kG}Y%~+4|D=c~tt-Fk! z{n)^y4X-PK#*p&5+p`t395khoHR0W$9j&Eo^!s90jt&>7D6Mpo*?V^rxBEBb=Jl^f z)T@K)SnAa>XbuUy8L;ApB?226h<IeKDq*yui1o&c}{t zu9Lpbo266=Uot=_X^!M3`Msm-3bwzr9Rlx6&)42p6%##m6n{C6Qv7>^IGBm1tP)2I zx!}&h9%?*giJamSeoJX#(V7!^;ugK0wVvMpvg83d6VFFsTD^^yj_v0W_-tsZ2csBk zg_0d)@pAeyky|I#AIBbtV_|N>`u(0@vv_&Tu!l*_{;K^P;^b;4D-$lRWD#IK?{Y3^ z^nh8|31oVRtczeW54lt@lKRX_xE@IZ@S*@WQ@`9eGhVJIW4aU3}H$IXd?pH1|^AEce`QH2) z6p*lxtv?W7d&QzpXmG0oM_~k^manr!)exrRzI#BuF6`VD{AZ|?r+rdq)B{n74Ir@* zl=$S~-}6e<8|0$#^jAjRuZHB9{VYthZbB+utUKU6W^PJHl*+7A&e)&f%d%M=kP5CY zhhA;G*CMiB9nne^xwRNMh>~bVET$y~Uh9>kY^yH3Eo}hWkK7Tz1h{$ZE_~t`siZ46 zI{uD3I6HW4%+&RuX7Ig$EiJGpk}w`rq`#(OAKU+P+(18a|ccL}~pTUCBc3{6DRIcQl+|)UMt|l;|QviyERvjS`}FMh^x-f(T-S zS1&(~Y1ZvJKVXLS8Rr5e%({ngS4*7SQ1}BzB4NkTt$kI!Cf% z5L4r-Z1bo$sXTZOUq!=BkeVB-$XeZK`Dx)PwSm@aUT!!Go-*c#)O=z+bo?oCL@va_>{AjOdH|35$>5GcqXXZM2zu$A4n9zb zO;e7^mwV3hFQ@!g<~RjdHpiyV#R@&{N^6hNGC4rB1hXJS0?{kP7cqy+tVU8RfX9ZC z=sv^mVWE$ZPYxt+w1KFL zhpnv)7-J9p*d0LKPF|Q8cX+bq!dt4G6iQqXCPdI74)cjhOpw2HDP;!+e{xpUe@mgcqQ@73ApTX;M z`6x(dLOZsgCL#lTx~6bJCM@ZK|HD#GBf^CHd<0XW_K45HDH3xh(u5=;2{Rc?^{mXw zBR(?5WfXxn>rn;Yj+}Yj$UM?k$Dp1Up|Eq9A1Y0k_p!4#Hn1)U2@2Q}`_JZNY7mOuPq8Di_ z8CJ_mrL%SY6-Lars}`IxC4~Eu`#nh1x#D+SUYC&|rW0SSW2gPcPo@WRttmW~#&q}f*VBT86S0v; z5#NRhYQ#0#%l0mBVD{c0{07?n#d6Y|@>}QhOY#sz+w$Wbzg2h@nA5sz`SAtC8qEFn zUcqCICE}2dU%sxOa?NDzmlJP1y)_-E61n7%dy>O_K&%m$Gzjo81xL1031=K@V-`j) zB61%0Y18I~Rd%8N=eOz;%Z2&&`8}ft@_n}!L7-_ly^qlggmEJ1mChlT?AbFnbY53a 
zfui0|S|*$wx8(C`XSzBZhCt#Ri4+`pIVbBfN@U z&O*@dWmfTcl0@#fz0_z7cfFXeTc3mg13W(Gjp(ne?cmn?+|M4+L z?UNtOYc#s5m*iAi%q46qMaZQfn|1kHyGw@*>`1v({v&)8Nw1IRNoLNS4#6yJj>cZSNunNNujY5r=Nr? zHW5E9&jnT$Gs^9s@8Xm`_(zP%D0nNL-EO_Bs*@-7M+-a=IQ*!!Ittn5)k8pwTI}`6 zkrNa}kJ?9FoWEUIZoi-ZnpWHkZFa;C{^1a_fUwS@mJB*Y^1gx3jI;UnRnWJ3dWt|Nn~vIM^DHsD_RKzVMw2J-yYp7J|W00zCX zWZ)wgRsDsMVfKbpXx%pV>3Qu~=d)nll7a`sH`Jpy8j^oK$ReFm5k5Ua)vh@Pe<*+R z1E+&Ax!&?uCZoeHTl-rp9{v~#1YFC-ra0eUCI)grxOAq7f20*#G{+9Nf>TGVEFka! z*O5kh_C2V6>ZQ~EKHie3sxf;x#H)2HXtr+xBv277VNZ;Nju>A~P)c^>4BB-^al-`* zk6sD2)3Dn6SrO_9EXTlM#Agk3_bzmLx?44b?S6sBBwZX{cRx_51*c6+Ve=0Q3i zRY($41pTGhZ2?9Rpjjt}Le5`S^Qu?mB%hQRE(^V@C+7a8J?oiBx|5_!7GAo!y>9qZ ztRUZ~Cw#A1=wphz`-^F2{7_^ih#U_&`KN)W*ZoJqB@jUpwle-xqmFoKcOMsx#~DAQ z`ZC{2(}cWQA{I=O(HS{<{l5T`HlXs^9OJz6hf{v~!Mjs%-Ql3&N3Dl<5Snc+kV2x` ztB>pu|Dw7v4+<`ZnzzJWOU1I5qMnurlx>Xcm@+K!9pP*HNKbaw5xzWoLOoEm`igbW z)dlvK^Ew?1N!DVQ(myV;Lgcsjpy&Mj7{Jk~40Q#*v+Yv<9lW4-#Qo5Jv@zw=OApsn z-0zF0i&M4hAOFM|y_W4g!f_tYw%dkZb=9qv6@-5EB3KN%{%n=IV9k!WSN?`vzTJwU z9M12b?1(GtCh)U;XxPy}7Kvn*--{Xyq}Psw>({JeBt?Y+P9VW9&0RdW1k_0)yUc{kCOCWf@G=H^S6Jl6$P z7vBZYJ@g{aovQhj<5!v>Q+l~k1Qu<3E!z%41OMhhBhnHc8oTrDQDF}rS)1_7EXR(U z|Bj_lA&8a1*HnT+OD|G!)>x z4Hm)k3}5H!Llgb1TMod$DRIyMf3s~>EBkPvlA@>a_ury~!lD%pNHddEy=GuBeMfft zV?4#b==2%+{Z7xNgU?Z1>J!w(<@OZ)@y{1eINbKEl5hX!Qb)a`Z;iR5*Zy$>e>hI?ImasEPHasU?%SlA}sH; z3I(TK715X7HxnjFzx9yT4x?gXU%_oqV=N|VqWqFJxI+i`Z>-1%6sV69lH z{{#s2WRzG))d{O*mXkT+4ffU&u6AM!U0+D3d>qG@7vYj8%H~v;t{Y!kXrYAm~YoJ{nAa9 zFe9ibnBQP7R<8BE%*XPr+|^_pG(<~bn=~}1`__=euI^f|>KfVCknTJR#OXF=9*Q34ID$jgIkIve&Pi&NH=^Qujll#v8t8Am5Ru~ezbkus( ze0Ci6S_KJ$90Dq;F(yqWu|3`ty3w61wQEpHy5q4##Kyj+tY=c+mL_K5nhvNl{P43c z!y>qc8x1c_rY|)p@*DUAYH%feGf-IjAhoZhp3Pyc)5cW1D3m7bdI|dc#2pkP6Dzp& zU^)CztL4#TExDG|y^9*9rY}3$6Hdy;} z*L>s!BjAbM&gLY)g2kSRVzErt9$prch<$p#A8KnY(@ODww&-ASr$9X=tlrwZ)5ZiJ zH7KYxp^!;`c&AjMxQ1EIqV$5y)6Q}FJr~eOM78aO@`J|D-`)tM-VD8tvOZp<>6)_? 
z{_8BX=cg$7hG%^8pg|{J>C98J2%cJ6syy6O|32aUqbJ&xmFeZhcV7HCmqCG*xBk>d zUNsX7epElB4T$?#4V`W0D90}q)jCoRG4?m-5S*t#AwH2FcVnaxWMm`33K|2LF$lQPFu3lC~cmI^w z_GR>r?;0J{yDy#@6VRW{lDn+Pe)A_X@uaO_WW4Iw0#j3_rvfInDKC;5o~hlN>+ovDiID=nXGx< z83}RtMA5(AR=ifg`+)ZrB6HpNKE?BHU+Fqi-(~VNe9fbVi2DK;yk4JNrk@7Z{d@&g21y1S6oHcqR!scqr=QGLuPx-gFl?s%N6D?YgfKd z^K&r*qns zbz?54fVYbQCynj{jVBoEZ#Bf+*MU3qFOAcQNbW)p=*xti@Ww6XSS^`eq3eT`z1-xqZZ*i;pIh*3M zeNi&9qUNZGDD_Aoq6=YYC~B;!LFzS-Z_Z+o%JTXMc-&*(!!z=Dd3TB%d%0lX=f*;; zjj&Fb+8XJ@y`DViX%bvLlFC^oYUCsFFHZrZQ`^O<^lyAO(B8-vZTfpCPnG_2ZNQRjet!O= znUeJW(pCawO?dicPSre&vqZT z(k-t(=_aLj8#`OQ5@l~fX+A(tEo742irku{k6yne4+Qv2!oiGv9EiidNEp`BL*uFt zvFQMfqd?e+$41&JcZiyxd#L)v%*^NTTa_E`jyQTXe@v8TZW3_Ir7R44b6I}yz9^H3VMh}{_2bZN zgKt&rm-Rt){QRAX&pI^1Mk0#Ni6MONmgSCwWJaxdET%ps_rgu+v^uGwCk=6u92^sG z=}yt%r3-U$(jn|13LGo`=qWsl&!Qp9KNd9@UQnA9YTG{o5e(cH*{;)no$`f)Pp;qDIU zpe}=QSAVR|N}EvbRWWofMjTB)73`8U&(*WmLqQ;vQic!Ycdi)&&iAdjX2T>mPEZ=$ zUUedrSQxnX-1(R92+r5Uhc@&TVwWBX0nKR#s~ziZHHZ*a!h_g}@fYu11lKR7ogvE& ztX>pq&@!5|)gyFWqj(|}W1gu^rLBc{)K~U*UyX#FW}NaEAE24&*HBVvZH(=>oG@=;I@5vHgxWXJoFR2O5xlTCdk8j%6&0zbR-OU2cxScjif?ja8y=IIo+4SgSZ{h}0CtE|Z^R(qv?L@l9up~e|G z>N&<^ycBOEk|B1{VvnFm-`4sG&BJHzqtkcDPO8NznXxYnw0Mf?5vKU);wgS)l(6Fk zdxM)Go-SYZ{cBpFAA|7+^P3O1A`;F{4(L7^1+XD@{3Ov)w?_vK z?k6TD##gGeXcvRpbaYmA;|q6PBlDYVi-W zhuLSo5rI|VTK5Z5u3Lprl|xh)qkhKl>qM~#-uYup@$K{aJ?>Ag+B&045@${!c?xBK z3v)`Qh~XD^>h2tv%cO=0g!TimJ0*wTt_1c8D(8pf3?j#e2Q@Ym?s`PSfhR`zkN)N_ z0%s(ulG#MX!OW7lqR1#|(K1FTLNrVI#86&;G`(ks5CvN@r^UeWA711nZ*CSsn^Y)i zeL(D2C9@P8$x=?AFj+F7oEYTm-Q%^w4i_ZzYEQ?)Zs6JmX&heN{oS zT?Spep0?6kvBpN)mzxp;=MZp!1-X^%5-3Y`AxSxvE*C1PgXI5vgQ6*+y4Q^ColRQ! 
zd#+avbiW_huDxEbhAVP=5$P*yf`QQ9zz_}NhKrqVC&$?*D5tUme$&xayDL^tGUTuh~*#R7Ie167HSv5MV; zp`0xx{5JpxNfXJWhZf!Q>lW-Cu1$74+(FOXAD;&&e@}g?V6FI}xl+;qq6kp3*yvP0 zE?`g2e|;nwHCD*`+MQ&qtowE0ZtYzAA#>T67kiLOdu)S^0aE-%f0cnR%ds+!>zGE- z#d6Dq8W0G4>7A$g&(tJVKvY*>jD}fW_D{{x-@+SNgAL-NwMjLtVuqVV*K?;o)mtJ( z-qucO9MeSjfzldmnVEh6@!&PRHJVB@}c^ug7=-(BTs;YS4a8QF6_db8OD>o2bb}j2T&K zntj4aoT3&s3qP9iRG1bYNbYm&tHbJs8TcHQc@+y(8_6oMyER2tHfcdw+999Us{D?@w0A>m*cRz(bfcY)8BYrnG^i5zpIV`gX%oD;(-W6- zHDEwHmSdBFboPL37DgDVvQu&5>t6dxM3Grs)l&@mHYzv9w zh;Flf9rTVV1@OM43M@4hxZz~Cpz#heg9#6IO5l60tzS=bV@bUI#ElqkR}wyhbAMM3 zfg@FW$|u)NqAMeV6DmeN&+OuZ0TQ|hz+ZSvL{(WjOaO~_h_|#>?15}uO-Dz|d^L9Q zq_}sv(Q?MkMd=U71G8b%Ns* z4A$%Qq=%)41m;gwT4Ojwj~TI<2#@e@%)oH*upE_13b^XmLjt7vX5&>|kxc1a8ygpw z+@H?~o1q>XaliR*7HqMHq}IvxoTCeZTzmc88$nu`$a7vVWtCz_2=@f}O;_~LvJ*v& zCWVC8-aCGQ*8gabDFi)}$(oa=x9D!Ji-w*YW&p!bsAxDgeM zixk7ub?d$Gs(}lyU%xQ8KaUSE#&)G9Cg%CmisOC;ebUjV8O$ zPvH2oo~FOA=4=5LFYh%odllMYID9 z49duekK>lwlTlE=9p0e~p3q*`>bc1WOzGUH#abn=X8kKIlK=rDodpnhVpV5B7;=gM z&8xxQhm8hK@gg32*$W=Z(*y_V{cAVfYj8HG8JS1Qhh0juEiII-G^L!1@nhLIO8mZ3 zA4<1#iNXy?<)16-njL%hBE{QFnpp=_%~NCa;g4PY%Bl3bsaove#~XHI##kL!i4V9O z6#*$4|M6bkmm8w*3xh-MAuj5lv-QB!ysL7aqxJ$v zBEgHmdO4-E$28|o_*>@%<6~P8uox7$F?Li2qrg!gJJ|xAfWX({(AKiEb zm1L83@EOq_tb6AbPVIkzz1=0cH|&F&ioC4>HQ%>BH7q{Om!GgvtpXnk+afDwzn*dz ztKX}%Un&1J1R%FOART;5%C|m@I>Z+jGgwJUF026yfZ1fv3At+irMNv~5^h8pB$lYZ z_wcl`kNe)P1pAdV1GaZF9hoEzx08H6dj1nSbL;nDTsLQN0M~B z5@JF5E1hj4B5&Y@HwHuoIoBO*Tw(>krNo*2sa$WIoRgB5gH;_fvF|QCMBJwDz#lER zDuRmd@^<{EvNeCb6uyC4{S5Uc7;>>IC-NbWEzX(xXQ#^_Zj&K(Bfr*m+5h!hfvo>`v2SR|Et*xdaLHq;e3pw78Ddb6qILj LsX1@Oib?XK~ delta 76939 zcmc$`WpG|evMp*cTFlH07Bg5Zi3&WpJ3 zzBqC34@D^UuG*QEm6^3FSJjtN4B;OFK^!VCEB+A{2lm5<4<98ZL=-=K0KNbHM+*)4 z`-!E0!+ABa0X7I%oIf@f2wPk`wlwgAEPwCA2f+`LBA=CAK~BtcJ?KHW!3KmPyPU)>Vr!A zzyUC&v8M(wCBXH{Ia9 zYXoqf9&^g-;P(}OReQ}>hJ>y8r9MJ%zkBxlU7;>;0t!$SniYZjQ6xIgdznx*b8~8& zmC<0iSHRtDx{27`={#cK`KB+^boBG(>9Q+L8DYTpOvfj>xwnhBsLK#yIm6MS>}jW; z=P3_c$F@%Q?n(m&M}78G)YRQM`FcISdhw4tp5V(h*@MM$W469II0zL+o#yGKFV$Bc 
z)G|7~JqG;K#Q(GsuQYgxGW~u}KOpV-wm$2+*DsJObN|Va@DnIsuhS@-(`8XZDjPqasf!0C{7q!UIHU7_{viEPVv z1L#8*EKQLc z7zOG27z7@h^Fy@Lxu0geMRr+PgtGm~WWADjnq21xOjA=wn8U1A${sWtfu5Hdk4#6j z5`mtOC?VB5l|$`-Z_JMoH*s_ih<|sY52&sZFv^F6?QAAOh`Ly6YHEiM$G{sW^lW;I zuG3_TahB0MNmj9=R{%G(I7(D*Lm|`>c>VV?7#C~J`tRHzt=_AQi|PCxy4+ECPiSv1 z)7P;-qKvwMzj@woH|!!6%=#jJ2GI%G!GAEt2F@puPf;ZL4Gj%r>pmPHs?t!xW<2}} zM~X4^lTb=z0jg%pC*6I2N1dr$q?TN2@TKfcJw?GVQTuhCpO& z^vDZj|Ea-BkiF3#Q5wG}x4W`ktzL~e8qQWCx3-pJdEWjJP`^ifAMBIti+)_7$!Z&9 zOiLQcF5M(Ry`lccyJ!qw8uYV3oH3WuH!u&yS^ybNyHa~B=74{#73$>lbR=d?w1g|n z?)~=1`BeEg@u9KJTuQQfJo~Bifalp`?*Mga+EK=8kNn(+xNr2B!s2oweb<{<98cKA zUy+|&Z9~>?hLDq)zcEZRYR@zSXtHguU`Q)<#PW{V*oW8>BOYiDV{V>C(5`HPX03uv zEdbi~Q}Z{@5P}#6rpX@5%n~ISd(GdPyJEp8r`R!qKLKNz zq%e0vg>Pdn7+Z>}4SkbCL&$obS0GRKr^bDb^BG_d&&QQt7(t0&!u#tC?aOim0P_7G zMwGmVH>Y2Xy*$W?s%P`n`)I{N{FWPI0I@4^0Twjhyshi*w)xAgos_U&!Oshi8fDMV z>fp03?8BzxDOjVK4QNo2R_CYvv{Gtc9R|1sH>ss@?l4f!tuGK=%-$vpJ$ArdQ%CY! zurvx?w#%_cQmB_U{da4T=6+%ZMXDRzQF}g)YdzeRars!ebV7&RX%&f$Cvzi@1LLxa zb@_E~hdAZUhX0&D6{)OY$Fo#+b2^wAl1D?pU9<{w-mvm{sh+Q&I`8AjE{miNWuW6_ ze`2y+;9Xq9C|d4a7;?*f$J(uA)j1^c+hRPcHW51EH?dK)GzsoV7k=#su5*U?w3~w^ z7(?5a;B{W#+f3<6xVxKI;6uM_BTVm>N?gJS4Hq{}#OVkTt&WN$E23!@j>llB{HW1H zH?}uE)YnI#wBcp6PkXFv$zV1S0?UYGAzY+|!z@}ukFJ-q(jsw3oQlh)fbveT+7h7B~1!FYTL(xWQDi?7?y);}M$|_EUw%Z2x^#Al=2}+&kd}1PrH^(Yp04y2Bodj)bh1~K-a^{j z)9i!T=nvR9*CTk@bpArAR;*-&4y~Np9n?S9pQb|ai2O4TtU4?OIhpr#3H@tHPTmcA51&b@mi8+9?8$LWO(hS^_e^GeElX4K*B16ZTJ>?t?B zJiCEI-h&L^87@#RUo6+1<^B8)m*6b1+InBB&by5b&Q?TP%z>uY>JvG_-z8ox6iD-d z5Ga3wa-X5^eXO#Z< zF>~}4t9mKrYRyZ4y2AmcQ#X%|q|;LV zZdqvN^p$h%fFjQwk@YGc%)VOJd+QBOo!5)V4`)898FO9mDYRYvV(&}3h1|hNEz?(5 zxd&S9%6!8CHL1(Z26*a;?KO=s>eY7p+Xrsm`#X~%2D=$6&qwBRk0Gfpy#XL13ee<8 zin5|es62DM48@@0f5d;9;0$SeV*~SVsq@h;>mTH8CzN`xR#vM(-~AjWe_sff0kl7mfJ>K)ASY9Fi*c_#zDl z!bW2Sc0LRkOR9)V>VL6-tT9)x0VA}{Gk!rZK9;fv-n)A_y(mOc_WCP$C!$<6FCnv! 
zn+>j=>0XSQ$IlG-o8wC&^jnBdD%UrdX3*G#Q zLx;(}qxImQ-KH786SJsbJQGh2_(<+qE+ zTk3}q$SLgV)xI~h;%|6Q(g9~HvF+pCue|nUqHq(t;xlX60`8A-Gc*xTpm*unUqyFa z>JZ=VyRR=$b+2l^$HK9ip9NWTX@kcdkhT$5WSP}gRmtEUVVs?XJUx5W|R< z3$;=8H}+yAWLo#1(@N8ui)7GiAn6xLa{N7!Ait34$%pR*5|4_=J(h(#To?j}^BzLS z;3=YTBX{-6yCc+gu+=WfFW)_HGSE^M4(SY!=%AgX+5ZIZcDB&U#hS9eaiOc#29@*+ zFoLVz3>O5U=w8~lV^X7sDtwA}^(#BC^#fDy_hL3pSto!4cZ>lE;0s4K^r0taHKgBl9gqsup+yHACx15ezY5(Z#Jm zKdG%UOk?~pS#=%eisMYNJUW&WpXVuBRx-3iCD;HTWEFZ~{6lAhcCr zXMM$F%)~a(`}T*P1o$%FSt7jwIMO83;sWK)pdNjuKsxW^5ne`P+_g+LINO(Lb;^ZI zbsj02`3}O<1fc*AkAUDORc$Ea`KL|@9BT_7xPjO@Kd%q`dhdK&4etRrBT4p;SLoXO zjqvF=9Xl*4+;bi87$#%k1K0N?>p>IZy1crV)*>%I%`=I+0DaD&9QqajNq0on#(w?w*8bKI475mD8C_!*IRBnt|BV#V1cd+#%C{ zwRbt#mk!wf;5ZG-5jeD5O_qxYDr^>W`>^@YtfJFWDfAix5LyNTL_3So_K%C?@};M{ z3V_4Zry_E1t#t5Pr8l%_LfsdlAKv|gl5(Wo_m*u>qIhFyO`(HU92t@1#8m9;s#i*~ zoH@^kYek`8A0MWpA-n5;g2w7^k4DR5?~fp&P9dI2%M-G<+p|Pv`MG& zw-6F`JQ0!s_o)TwZz>PFae-9uhrxm}+==r0^jC7q61p;zdKoq`q_M`{-m?jF@VHb-6iI-NkXBoMP-{sC*=MY6v}Hdl=(%YR_zO z>{mLroU`GXejC#fwTf;%y>vP)tQS7#t@ye{-v>}G+<#&;7jT+K)n*su_4Ds1hoaiR z$cC|J=XPi2Wqb7v+(}eue{=7-;l!{U(`GZW+2GZdi8m+4-@4laL&R?2Jz=9Ojr;vpoXKyT-@G@lKwbE zg3D3r%YzNAeARWw?#2lY8=0^XfMh!gkDjv;b}&IGj`+?UpCr%{$REunu9}4ijKvNW zpaqiON>&F(q{B5U4NnGgqi9k(R^87qdY{kb$Gin~r#x+8_pw_@wB|K+H#P)&7Ak*C zXt*{$pM$>DsuRW4lt2H~RlUWF6+kb0S_7A5X7=oYpS8-&`Vlx1fonRR?F~bH`V8VG z_8BJY!=jqs#@QYM6p!)JCc$1Ru)qy#hq2Yy-G|OmLSDY7xrj znpO$A}2#wyBKJ2ZRw*$S!~-Y)HoiuN$MZ%~9s_y7`3`qb9q{CnsGe_Hee z{}bHG_JpNM$V|wyvaC1|U6s9%;{K6b^pO*|z#_r$46jqEoziVbUG>w7A>u&r__kxm z7f%gsy^z3-1uZ!%S(S9Pu|pQ=9FBaxSMM!)qTx2xjC8^FBMv<=(`0bnj_j3E=hFLp*$6mz*Gd>6^~0a z_{ujb+Eo$yXSkG(y6*goYwA5LrCl|TJMLLul4io*UN<{Gl}lL!x_v71SJda2|5~n^ zAFc}bb!>Xbbu|3u6zs_0Dj1iEz0a=Xvt$A%cTbe#DY=r}`Sq&Jg~Vzj%+HU?y%#lQu=WPyONDfg{%7pY71QkR}u|< zf%Vb4x+YwHYd7UTk;DWvbn!_>s>{>#83Ec6W$>xp=1)GvwSo_nj^OTW(?m&-Q{%dn ztG0>+=h8gJ{9;QON6a6+xeFs?m(a97Iv7O{I(2RUkN4tTfdO3^aciGn0u0d-V}FF# zDFqLH!DtYF59%#Jb&Z%|Y-?!`yIJqC*Vv8tu%sfId~8Ebe%KVR~I*Y)%9&po(F+Y 
zfF9RBCO-$F_v6lCR1d1w#cn^H=ix4#?a?=QZ&OBRMA@JMdmeXo8q#OhSy8H1DmE?NWX{GV5SEcKJU_%KxZW#@Oamu`WToP#V+Wg8tOz(M82`h1I+^Jig1>Krlyp zMs~gy#EaTZP@+Y)G~Y9}dVO&eh9z;#y6RQ$*N&5NdCYV@Tb@U&1NRNGGYqh%=0XE8 zpM_$L3lvvDXrNCIiymLxe&(Q@46!cAQ{9;_z zo=`jm#B}rcmKbG|k~E_-*Hc?gNj-*gX?*1`GmDf2y+1nqtcRYSDA$!p-Im?4%=WUf z)HP6a{S1w_gdLI2>^r_mc$GCpRq9sBMR&(zzKg@nS8kCXMUcTkA~*q))e~Q#5s>hg zh0+#o_$h41RcmhL31;i`MXc;TUG-B>55V_3t;Br2>A!+-wO+~#W}Zl+{v*}Cx>-XHQ*cDxOq5@?MC)wMPzUo7IIA38jMME?aEK(q8C349O}E zJaQ`gBLcO(^Pzj503WZjalc#B4|~|L7QWy!{G%9~Z^#T}_}vYCLacZ9!L=Vm3dr73 zn17kMq%o~-9%}~7*v@UM$LT-JT?eEWd`LoxmZSk+D<=@P&OSEMx6$JXA04HQm088$ zQ<(3S5GWP7!R!=iOTi&4Nq%{{y+Q^0@CKa-*!Pj07>!a(cgBdZlb zmd>CCHc+yf*3|gDiSY4F&4|qws&Z+miLJjW206OHD?=D=>5}O-6^rbVi-a*e zz%nTj+H4icBA>x^(kVRXX(m8E^*?A9D6%U&f}vY zzCoALiifNH-2<`qQB*zt@G35H*Ry<#9Ea`T2WD1lkz2*Q_OkC-c$ARsQ`yMnDp{sy z&(<(Srh^OG1cVN)_Fu)e1~MByt7yM`-;b{y_(xH^sq;7A(S)gyU0%)98Vorx#iItT zpF%gjB_X2UPO@iE( z#J>x*J++h3NN}02Rz3f~YHYDIrAQ^Y7&BfCW-VD5X9JHSYoT0sppaWFOz-eD$M@^T znT?z%Z(TZxwYi0k*wtn){8k|_UFms>Xt{ImMd1zr*_m=L{^TF^mmZOu=uz6Ml_z18Fu!)+gH z<@KhD*ESeJ>X~^p#ll-y_t7TIy_L%}^g{j!?KJJ~C0ZhAX_{DNZq^!^ltfivO$opFl_c7Yy&G%{8Pn_2tDian*A3 zooru@@@-U)T`2)>m)t3LQ7>`DP2?k<$Gi?w{6pLXM`buK!@oxShoaIO$Q1JQ0ng&e z0;cJIC*uGgm=zY#Ikm~vS~E_f{}lY&T0cI(-K)qX_nQ8jr2T_o3jO{39)?x?pNz$y zivIs;5B%>6@X_(~Y->hrQFUs=}JKlq5~RC#D2~CTM2LLSeePJrftH@YLCCBXYdr z^Ou5ve{oQXu{$b>pKdAV&aJPkWuMKL;Bf{|3Y)dNgBRStd)t7@fdtT~C}aK#$SMgR zV{Bisgh0O3#x1J~UqRat>2e`mRmiB2^|h7*ej{k^=T_X7qPzXZ3hl1^)cm4+5MCUp zuKClclsf8mH{{Tv{XAv|>O0ZnDnV;E^le2&lGyM*W1OSsK3Sd3>hd8 z9Ti|&tbC<((R(Db3+@4hiTJ>J9f~?3mNK<6Xgo)nWKoa9NP}ifiRi5A_r{wZ>S=JLuB47zkEI zUD(gV1yE574u^s*05_mtfI6FrpEiQIkf=yI<{Qm8nR7Lm!y+~EwzhJ;_f}+};}tj1 zNEoe(YMe|M73lxUGs%J4t%q0{E-%}&^lh< zd{jkL4c0qYpmC-P+MX?Ja(!)@T7DGPmBj4_o#j$wd#H#5y_+omj{6OMWLL*Pk6F>a z{G(Z=qk3FJ-6{?$XphRfgY_eD=QP^yRWO0@`W7+j{!6;OMbxAu*QnGMQ+0%OPXF{yfjyfDFWxGTr5JtM!`@mgzYn9W#? 
z``U8ErA!pVF+MAw%zc@D!1!Cbg@;xq^Tp!yYLcx?<44dCp-h11A-p*~wN-*lb%OET zZU)o5#j7Vf@ils+9bo^u9W#O!1QpcwLej=a*uR$!Ge{rf#D}NJ3xrAz3(4L(;e|$a zSHlYj5|O)O)}65+y)JVo)4@ks7*P-iTCHfDp7?gtpB9J9S@PaG0uL};DcqkFN*fQa ziktXrE%C?A7&Q@bg5Sn&!u>1r@jstrY_~YldiN>7dLRW_Pm41-D!sj6M7>l&4&;^1 ziB5o&UwEt#YbRn<130bD7dPUWRiFG5IIdScoJiaHVm^uh|+*mE(yb3+{tgosP zccO`Nct*M|Nr=z*ZUQ(E0=XSAPHWClPE*x#RPOb$rXE+n?hIEM=rxk&Tn&T(_30(< zS|_$UlVP|fKEL3Ne%*#yfm&=+slSDv84Pa@(DO>4myY4rWVNCd*d>Q;rA9}OZ`nA| zM}0~xW_C+@({-xlpw>M;j?OWSV7Px4$NlPw9PjV{duvC-UKZJ}5=jnWi#|@U5JB54 zXXv;t=&xK9gHnsp`q2az-sVVFMQy_HmnNH-9IUWTdigGD@2l@Lf>js8X=2Qtr-VTz z(Ck-bpF1VAPWWkmX0SqCvxq2fPaAK^Yw#drGmu*V)q~yJzf_Jty2H2rqir_pIebpX zx>iN5;Q`hAm4?;p9cW7=Ryc!qgO!I;gw~R5keE_H4|DJ27ki6iO}xRGi8HJ<^!*>P z+GKA}qzt-*ep6&=9#0QFfh{tzh_f1bfc9}X!|j+O>lbGGCq$-wq6oN_NsP2V;nknv zZpR4Co72ZV=8MXDIQl3{LD|$ufH90VW{<&OhE3q9FmN7%vq(e2{EZRyebg;W};2lMBs4Kev- zG7-~4lLN(_sV)09tT{24kLy8Z7z;Qb;l+N;T4dv$MV`G1le;8sGsJv}E*nRAxgol_ zVj2AgAl#kJ2A|KnL5n%gM^kW^Ex_Y1O%6UrFU5SrN#J+vfXlEjmpl~7Wc_AJPeABj z#je|;rTB3AQG8D&BwXrqX%*4XSi<&mBnE#Y3-+Sz0b$6-op`mgQk!!F8RqjA!-gn} zUp<4OC8e=O2v3D0hM85nJ!1qeP8qGZCYG-WV6AB|u|$-fU+L0Y3efgkwcJT`4Z)xx>!l!(g$_2yS=~iU~;%t2Q!cB*@ zj4`@pePpM>-2wgy7y8a{hM$;N3R83dS?(CZBfT7KDd3~1lv+7NWLKds@Tn`zWh;C@Rw(~Mx1nqgJtI%F@QZLu~9DOY4- zit1VuB>X3olLVxbc9DlCg|n?XG9yU~X08x{>`a(TD}lVU;V9_d#Y#9QiI?~d`D6#Q zl$NOY@uh;ewqK!7F-{MgfVptDE~XIv&B?5$OMXiRl!79|*b=FrX=-RKfK>}=-RaIC zML~J<;tzIS=ARetC->)m;*TSn`hpu%c+HGT*;VS;&5T`qfFU{TKqXhy#XRm>Js#%D0OR9oALk5(2)*zi`CkmYjnZ@AW~}x4ay(1&!$yS~ z`*s@WhH*#XC=Hy>2Wa}P=8k8JC2%iyy5G5RaAXK-zDaGWwL-hW{;r*^)W>;?bq})W z%pm?gzbVcRn7v|dCN2;iAUs)fe7oi4HRB74HWyj4OzPst;;2Y<+&ws|!1pZ_ZRpk= zoJ{P;#+f?*r7keyz_JbRbZxYax6pl8PoOE_`L|=NK5U@T1$O5LvMp;k+6j>IQg*kH zlFDo$1qA(!$0N*jjzL z#B%-0rWAfEo#bpjxEloP(Wz0_ST6Nxz*lk{(sziaG$jf5=Q-YFL@6(=lvxlQfX!Ba zEyn2hgUkI@w0v(=`bO+SX+rzVOMdKi%1c_xKu5)viNV+$!Og z8`#_Ls93S>Xo}sqK}(34pfa}8BTLu{ac@$#3O3cfuVx-DQ{DBXEXMy5@DzE(JWhop zR;OYjr588)117BeZ$2xJ4H{i!cMdLxIPC6Amj#&M%L#c`?eYyp`XugbBBpB}OAyM^ 
z2sqfv5;nkADOABP9I5_(T%>U}|yFuU0r1f=KbmdS6(p#o2NQg>ph}c^ECM z1Jqeg!QUQxWb39cU0hxD?KTlsu_-7#O}5s1?}bu~@!F|sU>~7IfZ(^~MSo4WH)Zrf z3I`M+c_;~4l`z1PT+F%)K9CEk{4^8@19y8R^Fs@2M}>KDq|o>!-a&((9~iIR;2hZ4 zNIGtTeusZRs+YilU^btRzU7h@*H(}rA^hHjgl0^3JiK111QqVFp~laD*ZuG99Y{(S zDa{H`mXib#Ld;r|k=cEc5^w{ERQ|-sm(}rVc7Do}6(ps%eVA)dc*s4aa{5`1@3#!D zf$hs6itJUdT6m}A@X-_={JCo&v;4xcrKQP=)80Ye1j=6Ep z?+;=<3KNvyCmB6r!^3Nt%CpTyM{sDeo2+pLHsq za;ce|ShQR}Fg_k0@a+hkb6TRMf>F?8flvW_=L!JP=JKBG>ZG;6y(t`SZLr$jDPx>D z9ttJ8Tq_$YjQJgmcS54a1j>%A>}v|!=$dVp(=bx7v; z(4&sPc0@|kmkPXIgH@__sFyY~G#!B|geN}~hSZ{p5J4dNJ;kx@7Sx2kHw9Fu>`JoO zCZ@vkRCbx;NMe%i=N%vQQ-3FSXFg{&hpx-+be9^(m-5=W%{;Q}58nLt&21wuXjYLj zvy1ZV-v$#5~N6qMI%Yd(r=}qe*6@iUzNbkgD*bTgE-7!L3K2q2(*ys-Y);QP% zL+0w+B&FSiLS>Bw7y0$63v*=kDDmFA?ixrGCt2pWI47q<9f@$BUv`pk|arNQpo&_2KMyS`Fpvh~SBo;+>tHfrt9M0Vlu}EY*GX2fo zj77C@NN=J1Tr;e+j&J93NBR`1C_qd6=5Y4Q{!lXR_lA4%GX8l`ou#^fLVsAyi8Min zf)`(gP016&^~&Ii)*QHjJ=7$MgXMA5t=fSrOmi>LvEy01%DbMhwQ8q^H<3@wU&xx&20)E;jkQ z1!UCZMC|1`FP3l%N1fwxSUU$~v^S{0+eN7j8V4mCvd4kicvC|k%P^p3hL4*A2NU4I zNHy)mfUwhOoIwfiCQcjs-F(fIYH6n8Brkfhe9GmMa^L;r8T__Sz1nGp=Ny@*Ej%`+ z*wblsOSDvRjp8Nl>o96jMC8}&K)_mvYmQa>8owN*Y@__wGuC8SvECy(30v}8gq0Mr*kPdC0 z11{b**~$!1D6h`Z@ov;|kB{9uLlXzHmU)xrF1XfoQE#i4M*AO{a2`-gL_Z!;KTmKH z6}_AB@?^nzYJVjE>cyeM+*+-~LR#>cg zgH&EMK03{E-afZTVkxX9{w~)MaJcnjJWQUq=Ri9>1EGIvIT>r?T`7pR;7UN7=6_%) z(yMHcCE~yZdmI`W6Q}3kh~NEX?`kE!)M6nP>|mf((;`PN;wbJfX$k|D@k>0(h%Z#XhI{sFIX~Z zFs=(S-2F-F;OWG(y*ss9o@AS^^poIkU?Yn%i|}oBnQz*(UYl?8Sg!N=b9N%C#k`VX zPUYSb3gzP^P*RD{Rd`A@g6)C%z}|+MK)n4OkIy2P|MjdnyTgw)LiX^c#CDRpSXt!m z;zrQ~QG1x)s9af|o!dEkJUC6$g%$0X$cnZ2<|9Nu>+wPmga-s9Vai`cY#L%a)7}=9 zSTuxq7+!erFADNR9l3C5CiuN?5hT_HFG#?2Ni1zuJ^$ms3g!O*_F6C(gYD&c3;3v2 zfr9psIrBdS$(5sTj)OPRrM12}s4Zdmodo?=v}}R{rL$Rq;JvfJ^)+0*du~Bp=A9E! 
z!=ZFT^Z@H7U?^v*nqMvbGAn|YX7blcweg0s5%c^!0z4x}jKR>iIQvtYmvDNp3CHoM z)K*gO9E7*{zIiw0DNdaU-XyF9eLk2g{dhDJfAfv|-=o8k@o^a`p6VY6{V)84J7`&A zu4%XFU%TBu43Z^=s=wJGhDk`7@t5+zAGrMhrpm7J|5N+_>E^(Hs`Een`TynDfq%{W z|C@3C4`>7Y-!uImwgLX~g#XdO+7(R|clP#Cl98=s%iaC_8w&p&0VRweJRehzQh8;u zQUCP6Kd;C9!$})Z^y~4oB&&J;ij+Tg+VW$+JydTDE+p;`I{Ob@|L9~z-qrJGsQ&xe z?*vq|2d>^!xd+iV^k0au-{0R{Q&l{P`scX+;9q`+iSjp4x)rr+(5)S&f0x7m%mr0; zwzSmF|3z*I7YN2#sT+v>)!)+HZ(s5$|1G#N0j>4F$em65P4vyS`Ea`ZXG{WJs=oy< ze+gUtPr1GpvcKs!3tho9-v6|OKJ9P8*5v(X|0!3Hjk2r9i;a;;mf&ybH6m;e%G^nbd*!k6E7P5-xM;9?N&{;18d?=)KYOX9GqiOZgBdT?J8 zxRKOUQA`F_a9>0l4_qlqN8U?+`cHb?*CIIPYTE%5tHn&e9-v1Wk2^kuw>~nXv@d0p zrWtmal9D`I`|XMurCK2B$|^pIH!Uh$Sm;Y)Ou0V!gEnnK`K%jr>nyFB;qLJ40&Low*R8$Ggh9Pr%gI--d7`Sw zvl&>no%p%gJ=1E1zLxD| zD*`_m2jC|haK-c7@;U1z6(=|Z!W=YN?~qo?=LUx+}hxAwF2(3_mFmVwZv$*PJO6R#OLom>3UJ3 z*BHIk7q8J%ON)@5_oI^ZXlWB-TTbnEr#s?Y7k2HYOd&p3TaCoJxQ3%Gd@U)FdtRCG zR?+zfw7vbglywZKc4DUGJww9SKI`g^Hw=9R5F;QHpXef1BGP$s4;!%w<>0`kb1sGw z9f9)qBPTPC%TD!&O9|H%(V8<+EEfzfes3u`@rotgyR!o_{B%6+Gb+yKSXzk@Ip3#_ zxm%tu7WMba2~K_^#Y>p){*qZ!&$r`olb#Ey$y1R*>kS>jMZcahyiHCN%koUxmg|hM z=3d5^l6mA*#;!G1GnCXQV>@{Hh&sv7GJryUUL}q3op#52g;jg#=sLShrwdB5n2qQ0 zn)@k`MY4m;254sE5h0OLouGqRIAnf1BFJf5SRKl}gFyM6eEr+jO7rvJq}EDX8k^0& zpKJ?1@*=?2d%R&eNVE|+43D&}B+(RiR6IFccumS9SboTIC}OBkr!qOcfS!ae`)Vw`1k0sIFF1NtIG{A@SFoS?Zq`=0caqGM#9*~Yh>7jK z1d2=d53ddnw(*;1jnDZN$6fM${Eh!@Uy+cJukBmp3CM@IUujhtl4*7=^hX{+UU6wf#23A_e%Mv2M28tqsq z2r^cma`KX9)Fmu7cD6yNlVsevF`kg0sQjM7MzEc0JEK zV=c40WKpNHR*_x}-%@oMgR$tu zW%%N>0*hXXMmV+e`Gl`?Z^kpuBF7cfB7Nm)`PZd8Qb64d0WiqmK(_;i*1P9oYOuJc zUY1cQ7k*ir6D^vife>z^NsCB(FMTXxvf?6UJ)MYO%5Zsar;yqyd*} zaCTX*E~|Q!W^dD<01J~tKV7ec?CRo_7O0_x?hJ6x>SHLl%5@9T=(+tY@^c;&(xM%v zc0aQWk(KU_0*osaI!uWb)*}+-m>1Q*Qmx4-g=z?$SVR;yxaAiWswPWJ$UP{pmL-MA zCs0plr(;C(?%H?HT+Xo5&(-g5BG+E%XcyR7q*kMJHaCnYTi4aNp@cFEnZSX@E?@um+XX@^Pxw7AnO4jc!K#UiWnKduG%_o$E^8OG3%Fm_+>W`#t)c z?AIiwZ%b57`KJSZzzY=&eM!7o+b0j0$e>^%LkIAu7D{4=H?%|1xcYOJQQZ!Z1AYt^ zQ$SYCGLQJE_wdGn3FPa3*v~Po9+^DO^^d0n$004hFRU?{$(7~Cf_*x@HHW?)>Ioue 
zsTQUMAuCG@b<=x==YW0R4I!qIUJBzv-fIreiund^De>u?uZg1{nTBo0vcXb(AOFV& zlVnSD(y`E{n^gh-@F1pc&-JO~!8)xAjWU2KhhnO)AC2K7EbN&7xiZ?ech;6VD)J*(-m;#%n2f{6~4K!YaBylwxzeb?~3v+i`GWUY2<0!vM z91Hb{j1N2nR>wZmnj(-KpE&u`t^8~*m*li>@9UBUESmYUpr$nWsY0}pVyg@eK}B>e zZ0|It282viduz1M5{gj+LraHx49^(s$7 zF`3lRq+nKI#Zd=3?MlarkBU|mX*5OOAUpDZNuvbphcp!JB8?`0o{*>&!V5_YW;4k@ zX4YOw6{`(#;GqxB7ebj0JQgLdTC32ov7DXEBDzLPoXCh0#g*-@^g_~(EKO6Wp*1Y( z$cSV$WHQ}WC3(tQdJd2ra*fKxU1fA zF-Z5QT~pvhn$UWW;L}o}ezQ(0CQ@AF#V+i|@%Wl#QrXsG_@-sxNQ*&O8Py-f_%35h zw{Z&r_{l-Il_r9$^qSKOr}#`PgqBj z*)jMvB$aL7NQdwe+?}a3Eli0an;{3uuur8sVjhonMTeY8(EeUKbJ$dx_)`uP>- z>&w9-QVDToB)%NVuEPmuhJOQECC%%HhS<^&CcelXl#dQ4KhA-n3f#oEd;B_du)$u) z+@TjH^*TN0ACkF0dd^4Ry`v34NaiPUfemeGy=KTEB?)M+LIhd(w4j)G^$?iP3}kgD zalAMsH;y3>SmBi5Qg^2@e$*q;n|>DXiUNAFzjTGGDX!RXHYr%{%*!HNkrgrra!l`k z8EuAcPDCdaum%Gk&-~=pA8?#x2-){PNGD&jr^)g~WWMIzg?Waig5WZ3Y)(6G@o}AKO&G^tCQ*lQut%TETZr;b1ccY9CdIfV`8~kx z0FxQ)lu*Z4F(=t$NuTp%aMK0tKkX>lG^0NsQ$$f|dT;UeXw{={g-e2aOQi%TcV80< z6`czoC(1e(tEW-Yw%*C;_W6<}rA+owOrU8@_|AAROnZn2^Qfn2JmEZD{X8gq_Tzh2 zXh{zaV{*Y={4w;JI#C#MEiU#mRp_(?AHbIWPKc~GJ>9aE^lZ`FYCj@u<~o=TaHpR% ziSBYGj`;ZTb$DXgAo{^b+k$yEv~~%6cA>CJsEC4cvGv)BANvW*PlbX)_h&9BlzIOK z7qtdcnnTzE7$cV}s%YJh%P(eNE@D1N0pHa}v=Hu0c(h(G-_&+aOdOS6Ua%XPA_B4R z^8^qz(6N5p<{hyWV|s^Nnk5I~gN1K9rNE!Hg|N0{T)^KtZRm(f^~@TM9m#(M&Mp8e zD;u(X2`9+}=K>a+p>Unim;5yD-2+2*JOad}%8HJ`%5_6ESlD7Zq@%v2X_ztN#TFB| z>;iPXj+H%_K)F9%MAfF%RPDZ-exOXhc@h3+9{0yqnn;ZRejF&TRjRwudM+68epWPot zHg|S+48N|CsU*v4i}<|L@6l$A)gCVUsCOKPfcd@rmPRf`K>hu=zZx&xf(y{;IDR@R z9miqAq7+f~F!+59nN#=Wo>FxI482O-Wu@D&X1nk7$t2mG_YQ+OBxf;t#S8Rm$Cb#g=K08r{r&BGFb<7HIn3RI4@e=uJPsFsz zI3v32;}><(8#)&A3C07JUT=W~RCb{T2K*a&KUI&?km_^nXh1qY@;pKRPU|tiD)U~i zSsi(=YTV#`QX8gR^#^-LAEgvzd&dt`OIhbqZ+)^mXecWNZe?DZy_L!8U33-8njTe1 zVilNSDkE3NoDOZLi$anHjPI6oixufZw(uJ{%DKPxkF_TstXcQN)RqEAu_d(@v!T3@ z2oVq-8&rW}ye{#Mk&v#|BaIWUT(T|O@~aN&jxV9+ymji7%Fu3_8$#O1Mntirggpi+ zo6&OcB84Hl;rGa!db=eCGI z*^}8hrnWQy(6o|J4>%ZqoG_+JVuq}>m}{S!Ld~t%t=X|>g2Mt6q;8KO?=1J8 
z)bPCou)UVuppNV)s2V=*ZPrjZEl-PuFmXxR7`}j2XwfFQIEeurMQn<L@;7!Jhd~+^j_W&X;2B3qvn_tf8ur+r^A5_eznDp{N$}g z8x+_$`Oe`ai?)*ED(_iNk>x$}QQpB=3oqP-h}l}bc8p)aNP?phd%e$WiGT| zLd5PVXJ}1FJP&8pa46(dWxV*9&hy1pmGdvORg{N(sD%lEr3LA>8o2ZyyokYFJs}^z zDHP{9h*q)?wCPlj9*_(AhlLDP1swVMpri`T3fX7ruE_lq)E~16WX)q#@pYf1KgVWX z{$ynJ=_Xy^TWV{^9IW#$H9^@J+0~qls}?ujbPDPOk&2;CGgr|RTDG*2sMZG@h>`L& z5dFkyU@7Rpo*x`m^yCi*`}g;IxI_(EIYU+U@@k1Ok;V4XXDbeeIzoi^kQcmxgJRkwj?GO6tc$^Im7%C&uCX zo)Fz=Nn-E&JG)kjVKca`OLC267oTC(sBZ}%U1cx;&f~3`TerncJKuvj>$f&OuvkC? zhF}gsDPByNDhZ5yxbbDomcH5vx|A!lomZwgC$AEo9&AXvO~6&kE=c7HgF5&1O|1@p zY7=GqGk^a!&umx2%ZXY|>65z!9nB!SsOnN$lWg(C&fp28X^ws#beRt@_LUu+pT$n`xrsp5>~fY@>+gB14?%f? z%UDXk(T3MgnecT%GPAkkeYYUrW%3?U%8^T`4%LfDThXr7+-ajcBPj zIi@ZVL&Wc_;v&%pZwD@X&ac`PQRNm82-=s1#f+~MK(Q66u-^ORszp!oQ?x?Xi+Q3XK=LzZuYF!QZL|1KuRlAjO$2O2KM0(lND)QqPFOO5$XZiX<^{7A^rl8YAQ5zBEWF1P;+PxKH1Oz# zjH0?6W7zg4FrL`B>-!hpi0t#x__|TvXcE>cA^oq^QP-c6Yx;cMb_Z0wOI(#CGYWq6 zHRqv_$i_5Aac1Fu@VT?Wm83E&whgHLIaNu=8NqRr)xw}Bimq{z94aJ{8MVNIjbmqQ zZ_G2O)5xNN6>(QHjoY)=(&*>YuMG%Lyi4wVhh@5=<#r*D8^Oi8r@yVo zM5h%8zqMGyP`>Q2B$X1SmuP6Y;40l8sO9K~G8CZLRpMl- zpGRbR6MUkkEW@EM#tjXN^_x{S!H+KziJ6xv+3l&~-nq2B=Z2_T#Z3sZyiu6N&88m- z<0=?0Ef=sRMtcOTQUo}&vD4fH-5$Y7&@a~&vp6~3y2XofebUtZm|6Ss5i@GmKi$9J zH`ND8Nx94rZKQJ_ZLW*D?56>;kM4VsyDdtaBlCX2ms&0oKDuci-ncUzPH8gx_QxU$upmZYD>A@>eedU+;PH{RQFXr^J`k7xz>7UnljqmEB ztgdT!%o;BL<(1tTqVZt+sDI_C@?MkPQBMc$_~((pb3Gn^0;9wrbw579$=;>TVwKUo zhrw*nR_Hopl!r@&vxcoYUY!nXiN7TM^z9-(8Gt|5>;J{O+rq ztI=u5@g5+fl$5!oB8&|vuKcW(9-9wNtspMJzr0*Yv3454m^rcEjj=Q6eV#NdR^?X6O#nBXXH2`K;tJ z(I=@cI?LvRPbS*9^<`?zG3qLeR~>dTh0B|F*s+}1Oic#tDH_XwxDWHS(ZMlWK9n~B zw3MaAbit=^mDFY(;_J9cMv?q%))0Xfn@)KYeq)?I)u}Is9y*39f~kH zis^|W9DBtTyIhJqQcbpFe7>hiwK_7`7y4r*P?RC{&QXTC^9Nq=h3c#XXZ8>BR zzbq!Y-9-k#?_p&GGk|dhS3$;Tx%VGj+AP^-Bt#NMs=>nWy6rd>C`G0vCK| zO!=MF@{vQAh&fJ-@+Bmi6Im>q5Q%aJ_%s#Hw4OQ&)MVk}XW^ z?7r}$!yxf)T-{|=CWn9X9txyaL5*A!b+>JMH%?#ku5uI{Us9WGzZDjUKfEBYwXJ!`M&W0CzL4vP`kGlf<&-a6 z*iKLVf-z`Rn)&7AK;J};5@X_=g;`^pI@oREoS}3{GKbs{Gq|sbDF7qRxwaP?5)5+l 
z6##Y1>w04AV+#)j$pz&RIHG;hOf%v#?RZoJ-_1d0C#;XYr*gnoT4r;km=#s z^qg~b9lIdfP;A(~tW-o%vO2CSe*Z*uD_ggRTBdEX>dlKu)x$^srBIod=-`QS99L5f z3YOSDAKMv=Bw00UllQQXR6MA>3mY|*TEJXy0M038J$D#tq+avvg1kuFwrpIhqbi+! zH>NZBEbDB&Gd*ss*igX2G~M3quBq#fsL-ztbwP{4vQ~u5he@#=}N%0QgN8PbBx5+ZoAa3I2VRD{S380V} zc&ij&r5?5I_{jt|dZ}gVTSR6I=UYm1U@v_3P#a*O?eUvCPmWQP^0>)jU`vDSob!?{ zH7zNvo_Cx%7Zge%qE%8tjzlfptSRTCOV%9HnthM*BxCUzDCBW^Fu!W3ym;BxZZQ@! zx^NV#hvBB4sno~oUw>s7GQiBN4lup4z+;r;wrmY2{ph&D-L*!+D>b!}_RRu^MI^`c znxTd$QYCt7y-KXmLea8sG79&&tQs06!Z9e)uw7sEbg|;b`fdV1FrTQ z!_LB;q!t@xT3v|fTxo)kG*7j2{NS4Y7-R17On$YfSi&BhTG@Xy;B%B=%Adl(zD&b( zt6s5eGrw(Ou%I>vT`;tBTiZjgtjayV&{E`a?)ZhAnEr^zem%|oqNM9bRm*xwIizMU zbkmbdO@Fou?iM^}Xsli|I6!UJIT@?TwDj@1Cso7!?Z{AsSoB3IQ}#_)73xU8Xc;!< zAyi=$9vrpc`iz9~`s2h%fW%4UY>}|9_9A1cPMm&5G(2ykvIXZ)pWS78UPrU{qV==s zGTP-$uN|*nO4_SNX7VELui?Dt7Qs z{Woq!gH$U%sIX`nY?bz?-Ngy4xaRf+W?&Dk(QWOrylR$tq)kaGqK7@;#FWr*`gF9R zg(ivL;&W{nrE@$WHkAgBg+0Fo6A+>t{n_mp&x0L@H*2Jp-4WPI(HnowHA(uqT6%*2 zbVE$amqK)yR(SV%GDSq7qH4(Zr@@%7eJ|=S}wD8 z9h%Y+6DzqRTDykMeQRnqSB-Ikiy4S9L#+KNu1KxQB>Xn!suM0G<^Ar1*5q!9&Zy7o zbNjRdpe`ipfG?qauA2LF{LGHTX~&{b4Btcb1>f*`M-DiA_3j6C z+q1Y7n#fL3bIi2}zBSx^e(Qnla7z`JyE6eC-k^HuPA)*%-;1hVQt0m3k20rt5%v^# zbH>;xPmO-_T=^PdjRAoXkH_v=wROn_tQZWuCOdDx z1P^2ldR76DaaXVt&ZRtS6^kje1%=PUbq(+e?ewI|^}mtsvCXvbTt4~AWxJBAa$Bni zYKzH=UoG%POkL)fcce~WYMz+uFPt>ClqdkbR|73FYELC^GV}6JWW7%IHcC7O z4pGg|8!lm?T5Xk(NSY0wq)TdZY?akcEh0>ZXV$qEPszW@4M!hkWEEcfpg41|%NN%q z=~>)1GM&C@%)ORUw>4xthjP>>th+tp3=v$9~>Sy;hi zd#%1-UDcrxOvz*OkR(40RxkXeM1a|5iJG-8PjeUr?dj{udBgT{_4TCY);-Vtkc$W) zS>l~8LDG@lt!4D+DjzTZ(yQ(`)#@zyR4u=-e9D@iV`ccX+bBG9V!3YT@TC=Yy(D5W zb`RH8*}h)fHs6o2W*DMi=GMkb|#(+?JQt<`0$-bSJHC{%Y!S?c;cDr z^rU@Xcu9@*ThcAp<69H6#EGgEZ;K%yW+&~fZIr9IX-e?uDW*OnN&aFc9UI|l=DU0a zg+fY5!GIB+tU38kJ}~zm2eL3wLX%|KY69im8D?fK4=8SBLK<02F6EtK@xhyY3-<(s zI7^ucw*5vLqLlW{lf{lCU&r}3C%*E{2)0%!H9OdV3ygl@v4F(5EubrYn>E7<96Dpc zl*G;Jnfj|Y7nN;L)rp&`Z2!(rPKZ4NjK-Z2pWi67`TNp*8_4yJv)ERH^~~2=a`#6L zne;Ig<1*q9Hf%$NYA%9y?wm$HeC4tL%(LnS^5$^B}M~b3_oYRz=9;=y3Y^5K9 
z-c)dh03WXgBM>Wj*aFK^Tsox&*H7DTRmU}DJ9)i<*X(yNzMT%BXyV0QEhx+-so&@~ zbhfZFFYMU=%F;DKk;p#t@|mS>=L)mBR@%lvsA9qZw-8{7*2)sx&r-A!kv_LVNIn;| zQbF0=&73HY(!i{m0;#ZpQ@b$z4l8}lGIT)Vt8O%hMbPv7bKPEu#n8Q66$G_zpQFyK zrO4na(_r#qE3u%QuOH&Bi>c<~2U8cO6MPO?xE_dp>D~uo2lWnjdCl%RtfZA!>@-W( zx|U8_NE!hAoM$x_Pg@4gx-0UuloG{Pf0$OfA=3RiBeSo#{$ktFjb=JSjpoCnw9rqM zm_Z&h?6r#zk1iN7@u-_I5Ta>{&}#m{tC?IRMySPPQ4pe@e;jF2Fm`QIHuF)ml!Rc& zAOAhRu@HXRXc_ukNq`LeJ`09yr2d-eST&Y5JMtAw*uTf8M5Hw96@$DlNPnDs1ye-> zhIvyw5IZjRpIZ(=kJec-P8R+61BWNX*VtFV57S!`dqkgJ|2{?yAONGqS_~5NVu7z+3=efBV*Skzmhr2m7?To{BdG2KAucOamkMjIeN zq0nfGll}+YZ>Im>i3a`y@Ba$Zo+b8Ot|gcI`zG(v&S za(^u_dN&8~pPfzdAoep(_qR5E!+2UuEhrC69 zlt&dDZwhsmwk5b=eV=R`-M@;o!+wo3PA!6Q7aSUT!q&V9uZsEMgD<1u@ND&=n;3b? zOVLPbN1-uC47vsvH#_LR2Ifgv^FVZ ze$I^b5AA(=AOQ)|{f1UmSSnT%3GL9?JQbRZu)tmcTDfJHAxd|0yP%A0Rox zPtKW9{P((}_{szI5j4fkVSZkuQPrLHKlaAZV34L29VyO3*Lp+sJwtgP_f0<^d>o0M zJgPFAVt2FOb^S>8#@$lVQ;{&2SdDa2qixNL^m9Hee`pIUK@}H(;1|W>ryiJkeYoCW z)+oljE;+2sW}E+}UEP(ConFp7zWkEu+U<;48qoa6m4O7PBV1yI1@*pJArcs~K3sNv zmHT#BqF%bL#*)DTZx(8LMl61FX0na93F>}jbdFy-f1{AlaBU?YD#Co78lz6&Hz(52 zOmt#E(xy(8k7sHLgeBFN*IiAaV)1^;a+XZlQ#vyRJ7wE>HnUiKY~RJ_u&xgeoDOr5 za=3~s^V#kYn(By9pvBq`Oy#Y+sxex+D05gs;%+#)*HQ_9L^9sjrL9k71SS`!-A&QG zB~2eDQd2`xlme^mF`X2%l(ZL`=4PpGOtdorw2h~phfJ~uYA!C0xGoNfv6Wrx8OO304xwd5PpcA{ww z+|b|kqYVtKVT;Xkoq-~YwwuUw+HCE*nT*A-gd-riKpTOG>lBuY!Go$B2zi1#uIHId z%Dk#+cqQeK`^s5q^fe!zuTdnrP(_O^5QNA1VT1I_Pa~Lh^>mEu{dV8PYw8S0iYqQ8 zZTbXhda!5DGd2wtjBD*BU)_Cq8SVYLHJupBHADm67yNe>%4N3kQ)LJTfn&zT=#D3^ zn9<7cY$r6@j58gKVi2OVfib*g0UvU-N2wA`BQQIs2$De zpU>_KZwJswx9U(VTG+?OKTr!0w>%u9f5!C-Xu@&Q?sM79hjH$WV@2aWj?3Fu53fZt z)d0|-M#xG4vM`qAZ{@Ad5WGjoWSL`f7F!~_ZVRP!Sr@gvD#`x4<+NJu0xb81*<6>J zirHJj$2Ha{r)^~_vX^LeLM$>C&#e5HQ+doO-TQZV#&ADy{921rAu20}Itf`elqaS| z=V|oxQo1vs8fIB9CovzLdq(J0qfN!-I1>J%8u(i=34ES}H$$HK!Vah7s0^SxM=J0a+uvSFxz$?z4<@S^rh=e34$%gx>H`*L# zp$8CIXu><_?*xLW`ezdKV4sKJcEOCPj#;nE106INW6JxVc|>l^I|E;?sG>}QdSetUlTVQsuz+P;cYlQ)e5ysjN8BF!;3I56}_lRB1B&$bPC%R7=P>6CG 
zL3mQm!XxOW^oP-TVLUg4QuTOYWx!7CK3S`S-czgl81iN>IigYUI_~d6$rK1Go(5|S z`tW-pt`XHwnW;Zysd#o9Z;anqcJzMx5wnBO$6^E9!fwVP{%IbNhdu2-7|~I&VTdS= zZGZVnEH+@SO47F7_SpjoA0J;-6gRZGw8=YG<4Z_83Ga?;t@|%vqQ?>HVN2B zi8~f;wnNXgVqrC~NKbegaU0s&d=0r+uut}Uhv%jrlVy$~tTo+)cDf#?aebEJmemM0 zLX)Cr(}^Sm3$HzJj~e&ngeknt4T|8;ZU$#Ekdc|>3VX=?| zr=v;HRkp+uT$x4+<@w)*iIE{_siLXm_hx+?A0Pp*JGFJII7+1pwO?T@b0zdIcOQ(j zxHw(6#On}XoX(^;{t%S zGK|#aMwj?K`3!@mV@Kf}f8drzOh7Vo#(DN~n}xb|JtFgK&9zVF18=|#+DON&cHa-# zi1#zG=9W6wmOJYz(NY={T;hG6Iz#5_QdGkp;3$TJoe5I$v-Wl9tnj!+edXl)b~6n7 z8sE~=KH6uP*_G-ox*QbmMknbp;wh1Ae6?V@gl6Q%u%eg|I|>960U_j(AzFEOpR*N z^>KZ<=6v*|iSd}LmWXfFLJ3;Yo$)wgbNDRtfNIrGkuHPn$L+x z;rRekK_f8I&toWv@XmZyF{5E~c1JE$`bn2rm%96hb(*O z=f}{Tv!iwS-WuV~!)X)-r-Zu3rtd2<0Q#}Cz*M~Qc(`hK)f{ZuYIbbdYQCS9dM@2% zgFfQ@&p5QNi#|A-O;_>3e3FhObzGl#-Aw>`D;2V>7d+m`1HcHzeBaQ*3s-h}V{yK2vxex|mA{d^4gK z9hvw)b|;|_;>@1p6H|W{a)t=xNVa`En6^yel$h=x>sS(q#ICWK4Khr3*o z{Js8Wl4@fpS+G;uE+a+!uIjrSz#4j7DadKlCyN}MO=_h;l7P$20lU)^!k>%B%Ua)0 zl&0xOe}Q03K;iHNgMbsI8y~b!rhxtU3X7-C^Zd|Je+c!4U#m79J+Tbtq+f3ujg;q` zDwJkuXXADLmEXHY)cl*Lce=XMt4jd?$BQn~v!miAYdMmUhIieV6aDl7gMOo?hg^eh zP7o}8UvE(#lyt`zL0aN^7ynY|E30eqt(1NxySFeoPo@dZt6aP;Mtdj{K{q&{SeZkk>4xRw(ti^HmLP`1jhR9ABgdy`@O`Z z;-vy3ektu)+WmBZPtk`;nE1x`g{)w@hEMRU0XyO&594%f-B~}-ukqJeba@m&ubBq8;68DVBHF~0ewXa+@T1pMSbWW>0JsSW9gSh&Hb_WJEY4c^y)rxs!tZjJ{_zFs`<#lz53VC%_e8RT& zKY)-jdSCNN`SD;5ZUX+zkW~hL^DaoWyaFLDQ3(FmSkpAMxM%^{&!2Ly8kO~_X?~>0 z!4hQQ1e;pR1aQ_%Cv*5bKSg7`rzU$caWxCET%P_BFfJG6ztYT8!Kg>qB1?w}M@Acs zYWZ`Ego;6Ky3Xwt6aZuGsME<>r6Jb zK_sIegeT*uJi*Op!uksuDu2h^+`<1nL93C2tx%%2o&TjP;CD$*;q&ZnHoOF{{B_OPCW-8$^Fxe{@n&Ty#e+2DPste-~WO9S0i5%2b%mTg+;-Bix$*;tzv*movSeK zXV~9)0^Oue=QR^>T#Akl`EP6a>w~8u;%*sj`T4uY$qZtc$4ydRJ~cHpiGWL&FTBsU zgy$C*%`G@)|HAQf1$DC4Aj^IGKfVOm3BjjY?2~<3lRsu15GrYqr{Eai3-dpKz~6qz zs`@X4%7E-2N&+FY5(iNt&m{RDMt)s+W4ZA@aQ=5O{{>qf)Ji62Xutl=G$?Y7^&-MS8<^OMzfB9cl;-7Yyvb~7)3=JL2K2+BK8T?T&==zDc zM=PzZLr9MQ1q5P?y668e55PZ(_#-)@pgdUd7fS&+oDPHAdG3eZJv|G|n*+413Za(u 
zTOS&oaQ`ICi5Dzn(G|d}fcz6UQ5y1UFSiT?`T(r;VPfX(^CILfe0q6uVwxgs2vRb;rmSDqxGB7q-k_bARwM|ya6Iy{Di-e(>LLXzF&)E+l+WwTzPy)dVS;>WBu?vrb2pxK9e3ta z|L4vSqHR*Y#@`ae)co8&ZF1L44{Tce)mQUkqv^y1c`pXrPF(j77rD!ZJnMgow+$8s zM2?@`S97Usli7zifg`T`RRxObrUwR9`KxAN{pRrXe-61-_g^4IQ}_5AR_}jmh&JGV zz%S<2E3M|Zba__~bV96JHl8K73ut|Y`$Mze20(-CxuUF^A77o0pyR4w^R<=7Yc-JQXBaKI7HHG7x2R_4=mOD7p;YGAz=v-ZdmHx3kg`m`_AABt~# z_*ER*crGr+8oFkx%*DI5(XSmUE|=)mmHX$f)u(nbrSqygJHdamc*^oR>GJ_Tw~}i< z`U;wwcW5fYej%koasRMK=!y7d-7=ai!0Rs}m?i^jsv2-889Bk-u{u(j?sF%H{ku?9 zQG+Genhz`(n_qRmRU>QEiq){)do3cZk{dFFVb!+rxNgkVlA&57gm zPm%h?_A2*Z0?^#+DD9E~T+A0tbPs${rfU={S&%;h{}!)rF{GbTA7Tvmxse4p(?h>3 zyd-`vnYk2f#lKlU(@*uZH67Bb`=i#K;Df5L>wN(#Q}c(`ktc|~{G0R}=5pw|TksIv z7qn;h0*D%~`{K{^LVuR&s@EV}sOq(XB{IhR5ii{Vz{bnodlj}#&I_-Ki&bSf)Zp%XVS39W&~HB7wlB` zYxZlmas#T}yiQSx@cW3*RUHp9fM4Oo^cEVtPrNwOj&L9sD`B33Zw|0?x*1LL$CAB%I6~ z+o0@dLmD6~hTEt75x5(sz8$r(o%u+)e}0`|w}q*;=-i-va(f?54%zNfE@PPV7k7F%<4T;6;hy|JLe{-B#X*ut9Hc6q5*R7VNd zc_=r3{b|Q?zc6uQbf5NVs%sStv95N_eI|qMHksl|Ysv$g zsIs5zhcOH{H& z&7ipAR^O}F`htoEZvvzk!XdmjCBLUq2tDjrB(n&qonXRR(LdefsVJmvHF86?!(5x& zYXUQhU*r;tbkpJ$#jt7Tw3qlW#cH?X=&a8JnF~_O4aA;=VKXnseh>|Eg8A& z*`a3Qjf+I3+g123GG6e{gRP#qORg;)4S0AD)qsEw+dQNV4MwZxY@yg(!=1XsEG-fj zV&MU$AWFrcxwP@MkV)cC-BeWf2e^ZHF*>@BTWh-Xhu`|@NZG}y?W>>nTth|l&qO~` z^aH}J)8pN4oDd2>R3%eAys|Rhy=zrxOi|5MGEEMk3;|jbvlE`6>$uy$s_zi(vR(_^ z3V^Q}HuNj-)}il+nEP2@w91lpH`7vBojE3GpVaQ_+c{HxIYu8&t6LGI-<;X#sBs-N z7A(S4W-!QDL|5q|9Qzi&uawNfpmsRD^911Rl(_aClMCo(&PqM0PwFOaY9yya&qcz& z$eH4aBDArlA)@(}MkEp)K)9$U*}x}#r=gdt*_p&5`#4%7e*E{7x+;O!b^~W&(pRv- z0w)$qof@)~j|pr?xpgJO!@Z}7(W*khH2&O*^;66`%=;XfiP&%$DM6p*&1GwW#q5x6 z-MbYl{)#xSv(46WQTPahAYlZAI{m3YZOay7`h!`H1+qn^PoOVEzR7GxM5%#_3F%*)J_R`u>(ddSc51+M zGfYz47$Fz19#0Ruc7Bm>0fQa^Qgm6rmTpZxH!9|ugP}cK36V}UxEn}{Or|g~=QUL9;VDwV|Ok&dFbl>!6xeQvd%>~Y~ zA4;*BBe?vp#ai3Jula73hUx_$FJNvH4{1)jdqIyQZ=TQ{1r?SUvl;klF~p#t>Pmho z9F$OmZSaw@XMgN@Xt>xUWfJOsAt)wRcP9rDeSZTS?~3s~Wo>d*zufgZkuoM~I7-Lu z&ahS#*m2*4^Lwp+lE~=%?E#VP{&>-v-g7>ibF%PQ!*E9iTk`Q7$@al`Mtb=g3C2*B 
zam?e*BQ?J&y-E!pbPhnD*hZqrkuso2)|fJ!G?Kt}Mcu^ME24BQ>U%GAcuJv2nAv5y zwTWUfVN|AX`;TOaiOK8i;^hUp@-ICtCdpt0>AP49iqr>aYxfR0+jw~SZz@lE6BPs| zoQRYe({>Ob9igtVtsKn+l2+eBpD53_1%*rgSFvHkkXWwIsz8R+eIoq zcZ|LtDRs~MK1KZVV+0%#nLSz}=?1Hs{VP6$a1&=MC?~?_UX@|YM5y@!o5CXJSI+0^ zoT&#qk&c;lW);_VgvT1uD+2v=9-Uf`@K^@qNqV@Qg{ko*~?1Ex0#(!30qW&5e6JQ=@uF1HRe1%+zcGZL3`EH^&>cd}8G^whg7N67N3l_{tu-920FVX8CVZS%K!vr4}o{uUY*qZ(p$|J~F!`yxvY~w*L zOPWklDrfs<=MkpeBoPd6Vp9`>EZN}=@zcxz%eysGgS6v%b+Qq;K(%RJLwk)FI#Qpn z@&KtKOF)Us4P+E8h1bZVU3@Cy%13p>8QPZgfD`V&mu8<_NrBZzwEE`SMS%rnc?w^5 z>6ALkTY{F8;@uBRNI7FHm5dqpI!UvwU*h*>Q+d(6Y@T7dz8Q3T)v7)&${a6b!UQ99 zm4my=%F2QRFPLhaf*F-H8+!HVH#u0}0>y{3Fm8qE4^cap(7%mc7`BbdpK;6bhxJVk zccd){Yxf=Qp#!!z=DQXj()25y9oOzZdu*FJdwi^gkw~G#xc*wctP6zRi4BCeJmR=j ziqaofhc!@O!FH9+@H72Xg_f{zuiy!z=kPjl&bb$Q;DkV&VvsP{#I6g<`7Na(5s zL8uEKxZV1AVM0xOYah?zE3rk)4DN2YOxc{8MFUfO67_(#NWHhKQ@Fgax@P5_-3Zt+C!P z>mRs)*RF>3+&!yeF2yZBzDZ1A;O7X*w>2xT-II{}T|%@6lb9XlPylWrz<6sOZ8o8R&!(-omU}yoT ze4mPSK-(T5iJNl!acfsd`wg`22))wS>a}{`sw^ILt=2yq=#$WtT{QxP#C%Zku_kDC zaKn#*QwA?Cjb_tcqsMV&R@`!_U%qp5GK80#QLvb)c!S=G8Jg68CCadZt|Gy<7v*qLihPs|4wtW;{9DV?2WInMTTTC+s9c&hl( zQ4_%7-)K&3XKGicwXX=JY`Iy z%av99^L^a*YF`MuJY&rp=Zlm5Y>9FURSU*etf4&bFMpSOVBXs^(7K!@KQ%fIx>xSn zgzV{=&Sv;7UjiawZL&Ym*oF880_tK&Fv|ShaRL$i?!*+nMo@!*^-h`Z@kVObV;6>~ z3|>fj7bV@nH&w*X=iClY=Jex?a}DqDh?R z7%|k!Tu<_2z{{JSX{YTTOD%nSf_J`FLGdhnS35Jri-AWMk#t<{NG^-iG9R`>1V6Ro zay|W6-vuvn*DjLKbkW!E9YAnanbi%u=Xpg`{OQXuQ>?wZ2Y1DFv)I@^D(%LjCiqcI zX;CbyEy2sJ>8&3Lp_?LWlr*=`JT>0>I1WO`%`Hn58Q`%Q5c;g!50?PZX{@GlN52m$ z6zd%``%>TxGpmpN6t@`tYn&e;kvi9x3MYmrHImUA(U!Sh35q7?-sGDoG@rc@-`x5_ z2l0v5n(MpH;-n_^(k1WB{v@VW{NO^B3abtJ=`(=Pp>S2m1nZl`z!kH3o8%yX{=cH7 z2I#-Gc%D?(r{?^8Wv_@zHWiawV{8xiZr!UbRTYbDNKE1sFE~b9vTbpR z9XjbA+JHJWglfuBggn(7qwtOYo)I2)aD}SP?gpLlIiloQ4|=c^cGxiWfJxbDPYie`efj0ByhT!9^x z1KEq44n$5tas570*{RPCUs)#&kCjRL=Vxrdx`lKW2c}4O%Te>FlR_#kL#^;H2<2<& 
zAPfyvmZa>26-MUAjRflr?p>@6kXaK^YYV%Z>qBz(nRaaJo2?|b!OY4B{F=CpiuLV$p=s_flXZSDBF)hQsUbUxU|UJ8ZAVyu(f`!b2q2Xa+H@D90O)l}S0l6I0nUYw=5^huqTJra?q~%0ia3mDM8r!z@!Hk%n z<>Z3Iw~p#7CdFgx;s#=gk%P7XAGX|E9e-+6>Waf;9vWq_nXRC$J2vZk0*<9otO~N= z9`E_4jl7nRYCb+ChIklLH|SG~az7WYlrfz*mkjmTr-f81a?xcLhM=rr!5IJEZRqsN zYsm=#x!CxIL{p&N-^liLcLccTOMMeKfg^)WzlPTxm|P-d$6K+#{r8f%Hhlyg4eO!z z|8uIrAo|a8jpz@%^v!jLbuh1SM+p`FGQLZ^e?8zx@2U99*}8(@r$74%BiWSGC{l0Y z%&o-o_frsL(EXKRxC;NWt7PyICz=~`^Z2>{whv3fJe}kBDBpLkgRTMm=|?Ijf-YXT z1PVjM>$HD9&-2;k1D2&UEZM=H3y38|b=$6>j6>EehU8w99&Dy5q)^mN%)ItA=9SpzSSK*DbC# z@qzyfje`Kh5$-r}P>s4{RZ_*jytWZ~+G}+?GnIC}&W=6I)oXr4m*E%`l&D9bRSv-`Sgj0qZQI^W7}9JwoH^J z*^f!`c~F{>Gxb$H0}B|gOXZfD_fVNx?5A*x+|AOiV`lX!KgVhM(lK}4kE9)%@E3*0 zHUl#{-)U66C@E*Fo{vvk8F18MTei@2!#Y^W>V1DI{5@MDTm9OeM6+6@A7S}9D_Fa9 z^8cagtD~ygy0=wOLb{Re6p-%j21)7e?%dK1(%sVC-QC^Y-AKoG)O+vy`~G2^F*tjj zy<*P!%xA{J_8vuCbav?J39ePxDV&`lsmS{VID{dNI|#F|eWK^Y%tR{@w>B4vLkbz# zlJsv$$`z4R4>jCZyL@+3_nsMQ*+DeJxIE;~73JhZV>JO`bwn6Jzo@+CCLCYj(E0<2bqO+&CL|KOU zPtufAe}{;RO8p?ne*meeVRz0mrp=~{(=##Icl=E5M>Lu1k7ow-7O?IDx;8_fxe#p= z>vS}l99v9J8k&Q{$kFwb@lXrHJFx~Ow5Rm?yozV_XC4HKTsF$>=(o4W6*p> zm{}wJh>t0TI(UCg@UyL^BKbow5L->^7bl=ZoJ>vi3_vDaT{x+*621*ybGuZ?>m=So zh`cT6H~WUBPug)Pr;|X5+RuexyAvIi6g-8+od3wM%I0ODS7ze>Lda{Wo3vTBE#JAC zBk;voDXy{YCK(Wy-1l%96C1QsCZcvJq%;z8{F3{t>PU(y?e#w$v`oaC?sm&sBUZW? z#fi-=udl3ZEQy}y|GeB_cXCMy@ez&M7-dfbk=-{~#|rLYyw_i|Gw}Y-e8y#&jR|as z3@%;0kBCQ#kk;?!p@C_tVX7X3n1bIeu)imLKy`4~ln2)g0`9rZk;w%xW6Q9a*cDWjc-~ zwdy{d>n*Cx<#NTF?0nFhn8MTE4K&#`3}R}9-gAWSJ?o6hOn6}EzLSY~;t_;@z!}b24n8cqnh_qFnptO((MH0-4bSO69xD(qhaIB?xy4Q{2oi^imTi(wNJ*wwkC=d$ieT{mXa4ol=ZkcS@1jxb3 zk3YKJA7a)d2gXb|75q|Dp0`(y6FdFU_u0P%K>Moaa;U9VW%g`gXZxSsZC8U*&n2s? zW1btjhC2*Sz!%zM$Eazj3Hy|RafdTeUiTi6#roY#Qk7EJV!6Q?YMBYJ-NmB7<8s8> zXkn3OvzwBw=0~RvRBhg;`If9HX0^6{V5+eX+maEPN7n4nxEP8|M} z?>0rY8NrE*+8(M$M5&$DXKK+wO|faHNYojaFgpi=AFvpm*=s4CNDGrp0l z22pS@w7UFR4ac7S2R)!5+=xbW>Y>B? 
zHzoAusl zPcu;UFSgtu_?U}ywo4t$-i z8}=uK?||_W+f{h79ehXaVTe-NVAlxKN@Wm}A(>d?kM#hr1aAnNLbP-CO z-tfR1^l8oGsVae1sA@7mZ+|#;zSfS+QQxxDn_>Vm*b}w34*Vvn#3A7}iAaJ%uTka; zx>LOcAPxlhsSEBJO7`@N;CAG5xUCbF`W<+qME|4xGEN}J_gYU>nuTak0 zh#<+MW!D0TT*+7+5i0bLv^h2^bR%e!Xz(8W#}*R8*qr8F$ByU-JwC>{^L(nJH`J-8 zcTs{8*d^j;yK-o$SWkAcE+6yREK4s1?$^fFf*ly#bRAXj^v!t!FHOK|Q05&)USkZL%=xDtmh>I<=Gv-M=LiC!w{n1PSp8xCf0BSoq`x06 zCnLCZvfnbrqUIMDM#U2ag@n_*(b?EIZ|gLoTCE#xaoclu(cvCVYa{1AiMNL85N*z6 z$r?W5XGf6Jln)Gvt#p-=Wz_v-$QVb&^Gf)X-Gom%4NEj5>;0sA5q}BKAD@ulYiE|@ znbRsxBD4&6Wugp_-tW@UBK~B*zrljl9&7ecQOuQLZYv*LfIylw%2FJt6h*OJO ze|f(kN94CJ!UW32QG@;bzDZ(zJQEN&H8kMI9Ez(kfZ<+@4Skk%&K3sH10!^gaqiMR-*cb+Q1Al_1 z|Gcu^?pR0+hkQzQZ{!@NQ*>hpwic6`l+qSg)j+`I8e)js=|6-b+K&7?JHl6!?g;;s zH2^L>nh5CbbzttReJo)KTR!5@fH$zf!@ECTb-;FaGHv4FTHyV&KA`-Ab4t+cxbmAW z;muB2`7T&8-QwTCPZm2UUgSo)Xk17s*md%*zJv4#29sWzYp8wE&Y>zZ-?5KePJ}IDqoc zaCt%C9(Non|8vh=0ID800@vfOxL2fM29psr2v-^qUg+rPh>Ng24(qrQIUR~@SeJuo zxpxKsh4KExqjBqEAsyFy70c_Z(Z3t+@KQ|PL&(Ud}a-h-~C{mQb~ z?=jPmeWyFNH&50JXn<(|W@cs=%XVX#xw*nClzpohoWQoGOS=K@M9&qovjAe&mJcl! 
z{_=l$7w2z&FIFbF%8K-+zMfO*syG}T}SmZUXPu6wvGNz{>R%fg7!=i`2CM<=it|EOdZnE zjg!cCoMd=j6$ATg43jh^8(u6}H{xobH(V9xJoG2Nj_&FbpRRCM81ye?gNFI=@BH7& zfHE-LWcJ@fuusn>ikvRJ>V~9&Zj_ti>+xgN<3_=AZ;hXY@%fYL_qYC1=C{Q~cJ1(j zYi(T=h;3iLX(P@Bott=cY=O9fwq2MOO!w=Z^=$)`e+^-~BB+G(r7+V;qe4rcW!Ysf zwVsVHuE%_@1GLp+Y3!yaVK=~QBSy*d^U( z@4&nvziT|RSSgNeA)PPx>&cD`bu1X$wdvZ9hshs5V2lLBNscUhA$;9N+>U1fWCG<5 zYw|M{$i(v-6AG24PUsm$$XKq#QysDbTnOb_j^}C|Q!NW;;})tNsVrDLlICJ93QUt{ za_GN!d^z0Vm_i&2VfOh`Ia*5jn|48MtGQeZwqteN#*j{7)wyMJJjRgT(W*8y4{%H4 zWIr8fEXeb|fXuyvARy1j0~}-Ckj+WOJmW7vA9{T-3Pu#EE$NEM95}zYh?JrC4;Swm z#BqVWe7n-*M!PU zB$uQ%QMx$L`&)N@=l@PSfBoYsqqGv^{oW|sL~o$krlnv;w1QQHl5ii_OyG_F%CzU) z@BEa7AxS~W1i&23duHFijC)9f3vu8pOTGz3v{43@w2n*fhZMXg@LX64*{zXR`;oyOAntDZ8LOUsCv!eq4md>tdhpC4lbAB+?P1lLMHTDqJhGPim9 z7l-gBF>s?SW!-A?j~O{kw~if}b-Cg8HsVb(eDV1h!+VmaY&Ug1Njm5u&8T; zt;-=HGR5D&+@jEcx?t?j@q9<~_<2y)GC1!9c(UtyuE9I(NoTn);K?;Kzlnb+6S96D zMtku*LSVd^gG74wOT^cmgXMH2g7=X2TiZw2G32$Q$9xu72Op#yD~I#28QZ(+-Bd#X z5@*TZsK!DtLkQ?v6y0;wkg~Ri$>MMlj;Gm`K?hM+7OHw(U68JoT1{j}xej_LmY;wh z;KZ=PP8G>v@!0oq)5iV|gJWonWRKUF+A zq#CGWV}Mwu8@>E*RNoHUw6Yw(e$^rhXKgf|$pB@5^mW{lVR%kNp2MDmwsV|{47W|z za2i2(TV%)b3xd1S-u$&VQ zq2BfP618yWx}uy%Qp#O-M%Mu@(YTJE5?~D^5VHiTi64K{NRl#dKk3_C$uby%A)z{b zbh*TLn8i$q*#G7${EM$0foXU=Clq%{w(xM!e|H3&&n)xoC`E!@5od&lF`GVtOk|k#t z(m`^Rh0%7Jws2UAJ}sr4_R^R%1%1Edb2Uljk~OLoP%@!p)6%CCaX-&!QO9JTLK@HF zm@{P1Q~lQc>O$|Z>*|BgaTGmH_dV6e2m0l;A+vg9n{p-U*&p`Ft=xjH^xGUk+qL}a zL3$>9k;_vv zH}9%{7{rz(=dPRBkvJ}KQscPd7#dJS3edUqj?~*9W@y0e;4_*;?MG2I=8GhhH(?Ys z_FD3aA5H+RLFxu%W@wHn3I0$m7T3y~D=@8MTN5?TFo63sy8uG#BaZLUva^!x3r=Cx z&nSXALf#S0k6V3@I>YS2oe@K_WG1Zz9vfFP1k*cdXg+H{WyP3Bg~pUb9zBefL%#3Z z(fzdQ^BbNzr|^X3OM-}@sCpKTXXH&ob0-#lAotlR{dcwZPo9a*KRUWNaOH33}GpO3nPH<8YlIH%GO4q#soJQ zZ-IoZ6QO)l`JC+;sxZzv5>sN+&y`^6&kA8FfmOR;HnH^EDEP$EgH1q3G0iL0v<0i5?vq6A`$<}l9d>8P z8q8!88Z-^9CcGb5omI~)YNq+gOz7{cr~}5&Tp;AYMy@ak5#>m)uq5}qJuhADU8ZI3 z7=9Zd-bbQ#v*dv5g0cgnTxr~FWhJF`-2*mvw{3h!k2If6#~1yTXpufHRhFxQqNxBv 
zN?_U?CL|IMb+KKU8)Zw2$BTqQJV=t0exIE=1Uuf|Y03)8)nvc0pWL2>&Y1Voltb-Rap5ip_@QjBz zFILcF9*QN)tj2H*R#z%CXTX5SgfDg3`sb_F0wb z*n?C?Xf8!4Fo_viV@Ol!SAnN1*7PG(N1h~H=~@QHjR)e(iq?d~k*ocSiW{^n@M}`! zv`8%42V@IGx-=-!{vRB6{V>&`=%yJJ?Q(+I@N z%oS#z$?iY~m{|$zgK!gPpMvrr&;q&g5c3JW(uVySY8P%+p@IwDy_;)r>@sy?@^3=u z;>SOcnrP1nF6+Hir^56OA4{P%+>65G_lM#(%@lxf3<}pPiMEaM<35l#63hJVrq*=BCm?+teS5wbeib%vV?440Dh}wzy>~`2s zd&{sqJGes2x|FeUj!>KSzInMa<<4KX@*`^0@ihXHL{M5Nn{%b);aOICi1G?cqimC$jF zh6d=l(5rD5`1UbJZefPR`w~~o)ZU@X5>v455%Gp2PCyfA!F}i^CNe*MhJ5`+$28-# z4e6Wn#2n$Te6(K_qs|TKR@{(;LO2Jq&$ zt&I1We{_}*Se~BxD_$%Yi~3WUx8+dt-+0hCl(>U7rWneN72vNqK zbH0#oE?aFGfH7tV!5mn_M*SkkP%5%Y?C(NR=!lXZ^y`2&lW~Pq%SWTf`BsA-EYqeI zM|=0oSy})L@lZ#qbT=E%+UWMffX=x@Og^A~p~Dh39l*(qxpQ!(<4y-Q^DAWiaRH(b zzSS~&`B+rxig>#{vqh?M`#^Y-6`U%|f_2~u>MQ$tQsSlkPpnQ-Vzo;(N86nisLSzz z=EfX@N$VQLS`ykn+&~5xQu(vP{`ZmFbJ7ra-WZs7Xw`Og*fKX}xB4qIug9=GK)Feo z&ZD0mMp~NR)5l;{Q@!OT1of9^0)4TEA0I+kcF$gTQ)SI+-82Hve-Nuqd7comUd-Fb zhjGi|v zGMqIrVGRN}Ep0z&Ja3L1+pQi&qNdR^;mMue&dO@(F_)umE#Ex9%jLABuM(}c0jun` z3HTFXZ6^U0I@EVhIR-ggX3vj9f@l;A`ePpibKC?oj@ZRwQW;zv&>{e()jo`UP?4MZ zqH7FwXN_XiIVOK3^xm~G3>zzrJzB&mCKOPKrlS`%b?r?hGJAq_*z#BSHB zO!tOO{r7S01oEs-A&n_Hy2ENb!qagq`R)Ej8mrPVob?jW0R;NTVU;rk=d+rXpSyBc zZVUR9RCV{`6&IS8=KBHpWgqdp(kOae=`{zRMvLn)<~E9nysMf+&6Ogx6ZZo%c>T^F zBw`d@2*wQPYMXgs%$mkvAd@im(g7I%pp`@4wa~p<>Nm5VmNmq*x4PJfQO>T0L zL;d>ITTnhKwT3i*(3rQ^+5PJs%Yeuh(qwqOE5v6cDP22_Kn<(NR3SnM>L5|n7-o7%}d4}TT$%iYh4a4z+lr*l|-I@ z(14W(^tT&pyqmZWq~`E~&K1APQCNwT9KYh5Di08krXf~7>CsSmS1>7(5y2Tn}o>z>wSF%!c8)r z*1lr^EV_Y1`ju123YQb4J2YIzQ{-pUjdk?XxlqHZd~(c|_@GL3!_+8@1`4s~0=68? 
zrQI)Pf;X`&W-f~}!3M$S3 zj2ryD120(H^FJjmoXNaL&)%+%OKFaFhXbvk}U_e&Lzj&G4$1y zm5@b*yH#3RroZ1zNg;m0J@{I696~JB+oz`4%L`HKQ6I%%$HwU9_9x@U597&l$#Gkg z0UL{%y3;-go3LotTvDduz73 zJipPs>Bk=9E0X1M@cTs|DzD|c>=EWc;R0qE<{q;iP5*{(3Qy>cZYlD{S@29VD5_v= za56esjuh{+ZwH{r6OvhiQQ5y3A%34Q1vbkamJbCcg)AdA!JO=>nl+gLtZ=+_dVc5i zTn*JpU^kb|z4<;yYAyV-_#_u;1tIF0urr$9oY=UD@AWKRce(5hDG%k)H|A3^MHZ%_ zb46ve$w7*XU%7T&pAB7e0F*i0rF94%kz1Mv?)?}B9H9X!St1W@N0>{XZ&w4pRyS#W zPDmvlY2^8CjT~`nwL|$Q07W55`iC|W`9m8Ot=gH6{-%wZL(MgMWR=zYBv51Nq4z=> z*|mIq13F)!aq=1+Ph3&ewl!z|(kTrhb16gLJD=<-$NS%_Bcap12C7^i;Ld3eNZM&S z)qdFCL+|1t|MaES?6B$Uv<@!VWjMBolrv#t-@=_Yz&d;s6!`(;YDX-&Z9g}}_Y^vD zIu>QXfj89Xg6%dWsQS~1KXwYNE0Rj(8;vyFjMm}-k+Qm6Ez+ciOG1p;0(4!>#~z2; zWl=^H)<7@l8)&0vx~pbB0ra6 zy&ql(2U7gH%;oFNbOxM3Y3L4iBXPjtv{IREXyQ!qE-Q6Vpc`i9A zd$U9|r9Hl4Os>S&XaHUrtn2QA$cJRCudRSpI|uPx$dwVUpR@ zb!Yd`$tMXy*NS-Kp)EId{@d3QM&%PQfg0iHLa`1?xd~AiKHfC2tF-%Bm*HW|GzLiL z_7;cT4`7R zbWTK|1V z8*-T&Gz9QiZp0J<+3zw{nBt-b76^J;``^KMl|f%vLq&AtIfm?4<)ATIUB)qBnBe=m z%@7IC92_0OH&>Eu{01@kEz^u*eqkZMgA{Diii2~!0mF1wk};@@0$J146rje zOhAfNn@Vd~`MEZOU@X!LoKv<13QGsuo2S&6h@qpGYk7Yb4O&5gafMb*8*R3hMNaV8 z3PQ}klhSVgy)EtIuu{TJnQ$OQ>8sZlKCx%T>T*e>puqwoWk64%_-DU*ozhF7hi3R7 zp~d?q3^N{54N%}a^*BbwU4c2@uV*cOb*rurXU#A}jYXhFnlE)t~`u4D^6&&qNAes#R?uXY> z*c&@PmnJt}`L>D|!WT^vY>6_s2_i_tYKH{5waFkcD548(Jh82ZK-)!|2IvXf-LL?K z*zXXP_3_`O8$Fzs=p~^~1$!#&M5VFk2QpSA?c0jnsjy6_7Oiui z@h9Ex?W|L!*=aQ46(y14WWSKO!UDAlw@45KLa6Xe8&&{SnDCnjK#PpbA%mz*mX*R$ z44dCkLPPuzAt4@?agq(4iE(4_%m7bZo7(#$dWW<{CEh%2$kFrypRstl&^SfkWX3wg zJgYI%hpx4jYJD`Lf7V4!=sVPHUGTd0P94ie3i*7%njOz1lF-GlDX-pR3EmLBiaDGR zn=OEP+)z81$dXB`zDYgKhxUo$V2YvvBQb&)Dx&9%*ON78bA6{x*O3@NC^+}6zFO7A z8dvxDv~$h4xAM{1;DXqT#^X~fQFpf$7#!-()rAMdYPYxkhGG=AMJ@Ww`fBwrHFbq2 z{Va-}7O`p3X}y;v`Psx6SL`^gtO03P{!7D8nBA;1f_~Um zXugkWIZ#~d#e}17$fqXs=#7VLt)SvazON=mx32#9LM}4U0Bek%D^jXvkvF|`zFa*HDpqWYz^KWQ?TQq*)&eKx z5zRBs9p$ATD6bt&3pH2gO7-=fhukM5MA&%PZyY--^K|tdqjQn>rqYX0*3_3?@wN)~ z_J|PdO2LR`j4YebB@t6Y^|P^$k4&7kc*o#u?k8}CUvT{O%qQuMjboDA=f#H!F?tgl 
zKRY^)$^FKQM)s1HcmfjpB!3a0eD4SaeoUU&f1(8X@Bq6qQq~@iTOLg{BoE%l`ACMf94l$cl9HHjvX;IGFh>DP3Ax-PrB%!w_T+;e`7VvThsKFx8FX(-rJ zVoA^Oc#o}BRh!k@gi)cnMk9_3z?xK>*y5rO89_rLTVKTRV!6R%UxF$L-S52Tp0(Gk zA!M0o$9k26`#=~I)FC^y5V^=ia7m)U*!?KRdGmxMYouqSZZvR=W4x6jUg<+A^lhV{ zG5Ib6x=e}%tbII;)SO{(!-C(xD}?uZg*@gZOdTOtrKZ2!eHtK^s!7j2d~!)CYYbiN z)tUcHwz2IfxKoT1&tO&BDn4+JAa%m#?a2ND1yr-tY?(-htqF`@XPR&|ZGA!NoJnX+ zs=_JgUcShb&7YB-B6|+|s%!GWTt*pL14hYOf2Rmh;2ph4mq%@yh2vC99VbczcXWVl zD3rqxfV`>$DIGM5TYU3a-*v4DQZpm`(+KQ zYeN}ogr#Z=QZ-u>;#8|I`YB?1(0uM1Q8m>|ZV?@t-GU*0vn~?~irsE}hwaB`Xj;<7 zWmdEBP2ph~ZOT#~+YwH1R6~9_PdJ>ZD!?WheO|FVofG0H+^*UBj1`D79_y&wCz^Y~mU6yDYK70EeyZXz(`p971g;KhDkNu8cSScO$b0MvyDHpl56beWu1 zgF2<6q?+_yZJtgC$?WQBJvpe~UkMkJ@YxTQa!O`pQU4sAld@g-0iioP>oIRcw?2jy zpIL7U<#?hd3Tk3GcbB&+L`sQb8qw_Sryy)P+H`k*((}}Lbs3RZvE>o{zX6g`F)yfg>cM3pV5of(sR?*oJsi^UjA%lPzs;9xA1e!inFSfSHT(B7QWXgp2a{Q0H07)(_3D1cAoP|YN9REh zM;tAJb_sOrTdH~w*rX|cr?L5j_5()CfK{~918bLB^}E8DUIjawN=HhuduLOoe6{Kq-yN=hO+ksq{jBhm%0k%NcLzZd;wwRx+F%Qs9zCrlIHkW!R&hCHGZ1GMTot z^JSn($>H(TLO&{6S>#tAUv$2Im$o-RdGfZAtSUZAue_CY#^Q;dToQ>nWdYuJjZe8r z!cWsW7MeaoInS2!*#Eu@UWWq0TRMtO;e`?dJ|#FtPwm-t(<*rq(J#yXJrkd{&F4Uf^$8E&VjtnB$!itx5KDw|yDY<@ zD%J*^Cm~Abp(+(!UvWqx`w8=HX?c&eUOTvJ_55=kZ^si&nP__dsId zZ;S9RX!3iYgzr$`>QCiAXKk2VqV80jq$lIVb&Rn=cG*~~E)SHn?&W*bhQ_&L@>5cR z>nPvEE+-b#wIrtS6~YAmLRsEf5R}zKTgeudEG~aqx%1OLI@B%7ydlL43*1z<4IRZd zI;l@_!Rj}LJTT>9_`&}$lHIu-zzRIZlHctF*emi0MJvqp&7Mx)9ML(1Yok?N@BmA% z6qU_YFX9R_wYNiFGT^!2uotQza{7wgR6NcLz|#YV0d`<;svy`i_*^d;q1Qv&lK(u3 zm3zfm{aSRYhB3^_&^fr&qcDVk!;`Yuofc*iSzjuCyuy3f3IW;yd!&@G*V*^BcwsyW zm+wj?H~Hg^0L2R9>uG?8kU1>5hZz;K1pv?F!)bL;^zA0}A8Q2;E5<)&f5B9U? 
zB=m_!bM41W)331C*mJfh^jB;w7IY$7TI8xE=nBUduyIDf3;DGQ)1^mZeA_*84Lqgs z8n&3Mj^lnQjZc3;tAgt6i!n?Xt8y*aE8xD5gRS1PkpEGqa~czcqGR!(2*HjOVju~N zRsD_>>D7YA0{X`M$$sM2sf1e7i>(;~cO2RWRW(T9g1y+sgp5o!!pHJp3o;6Fb9Dck zy(N|RbA0uJV}Z43OpMXqMvHMR@sGVES@1G-a0?b>%u=GUj`Ln=3@{V5Vs0EA2_P?$ z7Z>80BSbr?5k1vp!TNYeNL!zZeHP`C3Ucr>EkF8L4HGV9lA5Z7*LOA(Z~Sz39;1pb zt4c+gpvcNCyJgu6vtf;jxV$wZ_Ml+&y!(`RMEbv8Uwa7=9ZH*F-RMlJ3O_F~ZUQ^5 z(WttAMa74`PeKUQa-tIH-H!krUP<|1H|_&Hu6S^ri_wttn`9Pevd9=wDDM@IIkJ^g zwn0}5nAE)M8=XX^i(DTGu;PNVaIJSH((Jx0HoJv3by!Rxfw`BID|vB^BttN@5sXV_j(h<%P7oEv|GaPl z2gi_<#GWxpKA^xGCi-0BQWO}53OCcRGICht$!6BKGpweSFnExd+2AFuMY@q_-a(W_ z`7ep^_nO$ z3rvY#Z=u9SiPQV#Y(wgl_4eaG&(Wzvmc!O``7svd0m|UN z&7x0=OEi^XXc-5VSCtx(O9yw}K8B{Y_j4*2hRPAh-S!H}@qPWb8NrhGo2liHa)yy- z3rwI`9%PNRV+geKOL}2Xx3z7d+yC`JV0hkj>3wH=I?-kN_efgs@}j46?ytsM3NWa| zf?fvzJ={$QqC$kt=fZG%cg!CMjaG%nAhkb(IG2Cf3+-|Q?apUyf`LIyx_7pYEEGno zA7EIA`u|5twC4+bPuvMzEX84i-KyTQMa|k7PHqaYAWbl*1ivgLvY<;exBq00@3D+h z_eEF0;+FxwBj;v77c7t+wkU(Ah+mWb&4R%uZ=_RByJ*B~I4@$rYADK8Qf##VWKcF5IyYxDUu@fVnW z4qQtJzrc=ksFd1UeU!{+pS^%(v?dU{AexPARTWIL?xc#Ii7U}M%K$xb-BC!uAv$3F zGAEkYxcJ_t?x;6fYMw3(XKNZ3Bko_;M!@?G@@W9L((6YiW=#=~?CiNv`xI2D+q7sr zz>Ngk3x4~LXW*_}gmlh})*~K`FoHu~2(=rnVN`a>a!Ly(eub{fY!Ed{6Czs(2xwV*c~m9nMa6Wy<4`j~ird5%xmR z@IAh-LR-u-wh3J?k34qn#Mw>M00}VM#`F8^`Z78>-LX$Oc@8ZEy zJMYE@!6JBss0hKpXI>9g;Qo0xZAg28j3!u77Nj^jY)EilK|%t8jw56|bW$Z8-+a0g z>v9{l!*$TI! zIVrmt#AZe(G!$sRbFpMUU?=$|BW~LuiF=%uF~?`Eo)}_jH{2jMlhv=5NX{qUoURs}e)QJZ%qmSg1BFN8y{G>Wdfy4? 
zvOsfek!%`Lal+j@3gZco91F;t;HB8-A&DJVTDg|f%xV;YqV zYvjZ$1-!Evw$}kOxnC5ycdPjZ>+s`~Rf;K^X-)My9vSWCV4lIel6q)Yx?6Gzlpya+ zn)>qdK7EWruC9j;B6H~gugit$Pa$rFWhqpP$8)&*>R#nmhcyCn@R&0_W_(Hyn}O2w=biZVJeD0Zo9oJ-2(*-rUH_^z zuSmZ)RSofafP;Ep9y(SK1D8c_6U5t=^Lm{we@hu=i^b{BQm0V1v*AODEXr+#?;Mb1 z=qUFI8<*T!fQPr@1~9n|D;~_A6ACz_{PiMtlvdx8*E*2 z?m~=2%Z6;UG0}{aQm^2vpp4aj0_0Rbdo`}IR7npE3XMW>9rliNIgvRe!Z_%}uKe%l z|HN-+ysbPcfJ=GYhGrdF@vTDA3c@IhtKZSSVLGt-~K+;=Zw#OixFG)gL z`Q{*pU38#;w%c-}Hh~keon|RdrHv!p4$WdgbR5`GsTP2e9S2mt*B)iGcOg@`%Ng`u zRn>iQv!|Mmr8VS-`Qgfk73=48cMnW8Pip8JeuHSVCm5`T96yUkYraC+v3YOWH8gOy zaC%O5uQ57V4yTo$)Xg5}_;6^{J>wkjcT^4j$F2XT+LZaGdajHKBNF&*z5;Zmv;%3u zHA^RVbHKB*iU~5F)6S`g?vE-*_0i`0<+)nZCxWt+eui`HtWTsqP&OtEcgH&`KFwd$EWN2VvNeZe_51U5?X6YTk*S#kuPa8RtN=$e9BwmFBPd5T~1|Ubi>4T*KcO zAudX>8cDgRtNEh3vwoX0;IAjWg$NS66#wtp@0E}GM{x;6rNgg-7^E{^Z-LiaM5=ka zu$aFu#K;@iZ-39qx`n>@EqJ&h6A~Jhe|Q?z9h&m$oWMv@hQKmQJ6ZFluBfw$;6*xt zF|jQ3c_~(y)s4&o2YN;|foFAg=Z$gQ>fEHqO;v7UwX( z31K0COq*JmC2n8N9=VMc#f3=yHVSr&;L zb#HcX_zoLgee3*|%i|yl_k(Izb_u!+qsG-f(+bH&d%l}<xV1Y0l;7A=+QKXSLPG z(Simnh+%1op=h--ew;D{C0L#^Sdhj&0k0uspYL}djB{1AFLkk(I)jc$obAooHC;o% z*KTjLA9HuMUForm09ek3^BnmpN2_liRXA`OtXcxHMIzQyr55^EJ(c*kgW_;stjyP1 zan$NsyWCbb((;kgc`=RDwGtyPB3gVWv-`y6SA(sBi=dlc#=HrB$!MuIzq3no`Cx~K z6Cp5+o|{*t@~`V9%=pejr8|7zG0b>Zv5-TeKEBEk_$>am1p z<-Y{#@8~WXZiVocJrvuMv-UU~P{uI1hIs|^t8KWZsucd)f>3a96lrK8uZhgv3lJuM zIw%*=7_*MY!@}ZNR(#OF%fpE;Lih}F?LRE0!!RR%I!tyhlj3_272IzehFLa99A6#> z&yHohkKC5aW1(m97(-0Xe7jr$z^VI1UQBe^XO%!PDaLEhkP)zXuHW$Z57r?hksj-i z7t(FsPrvmZXJDj`{l|sHc;`vb?(2p~L%RIPWQp+wbdd20@lj8+dvn&!2)0+#N7pJB z6za_eSuUz9$~HMt^gREiU_cfQ269>T2CwT4c~K_-z7724BSeyRFp$8fT_t-p?B`S7 zjVKrOKYm61ec#c+BpWu@`P(FRzi7vRpO#AG|F|f0;Elg^A|bw{-I{@Zx!QjV^#?V3 zAqIdjdPF^q9t^|3DEc>L_FLLqg+bEBwbdyffcTaTNN(+qWofu%3hnY&?D^O7y!GdW zhoq~*Mno};o9f!v7W)VF{tGCHpx@>;;K{8pu_wk>p?xcD9*CtaLlmdc!zM*mZ*@#X zaY~rqm8T8$f9m~U#?Q9TCYm>)V}v*m zq8;8l=xJqNWuX!5`t0>r4I_Z75wXL^cHHsgX>+*1!m&3?Bs#D#E=VBMYEwQ<=&Q)I 
zz<1?I$$l_>FU&+BE0qLAbel0TGldoTVL^<`0L#VXcZ{#h7dCU8QVq5kRd`<*PgE|QDaYU$jMuKrA@@Zhy9hts#M);m!UnT=-*^Wvi&3XO2J zP9cab^G+L+Hy3!?-#l`#vMmY{F|IDyjfI1kTx*BbC++mZP72EYA9@e^{RZMK_w6P`eG2xHQ6dM2O|7k67Pw z(K|I&{dYIXJ_t>5sf?T!VekCB541>v74(H~urAX`iAd;^lm%zX-qEtvE)DfLy`)7z zf;xO`pCFjO(w_PI+gZ$ph4mo>^H+K)j^1q9?nsroi$N&zMrBYqeLMM18HIitlSsk+aelJWJ%|d~ zh)}meqg481x@FMYmm>gcxs?NuX|8 z+x9KMI>o+wf!`SyN}&6^X+84E49;;Y5oLynM2;ajN&oJosI{K&h%4Ym4qqFE%D{Dp?oXV0K2WqoD4mE53)y@JHK~e6QcA{ z0>PD0EJaKeT%jOCDiF6MFJySZ9qKdf&L&ll-cz3CsiFOBl6nM}@{~ih#W&zA_fh-{ z9!nhhwItPU<;wv=eH-ac%D@U^-%XX9TptMILln1|``hz(T0Lz+u3(7dq<*ic>>7!e zc}hMUZ+$k%iM|7K!`)1L9Q_b)h3pV-2&6!by-_DUHDPpce&J9{> z0e8`#3;j-)I)_8H&7JELsFq%sNF!N-wjub;a|R+ZY(TO4(t|F*IYs80pG{u(Xn`lo z=G2`<>sRvX9x9T2(#z&7QMdA`W5_48#*6um_`_F6>m@lL)( zc57O4h`+k&)GW`X$6-Oy`&2i_tTehJqGHy@w8i6(ui>9M?e1-zuo{3bE_$a!`}r5R z5rcGvE%IG5NijARoK$ah{vTau8CGT2t!+V&?(S}+LApaq1SF&prMvs4ySr1mrMskS z(cRr8T^sT7dH4J64I%yV30&TJ#_b)opKXLjxx>EE^!hby4~Pvk;B3QOKl31w0Yc+3kNN(v&Nvka zlOxv?%3mC0^i}a~@=*vv8}MR+!{{@?G$ryI17mM``t~iuc0ID22rl~sP6{QQ*Xi#F z_Liy1qRGr(TjS&B*f9-h`sV7jif;^3r%iOKP_wCHM(Vgg$2AGFX;cy0U%95Myg5kM z_HvsCW3y5{S%p<216q$8JS(r=RJFAsVu$_0WCuWTDm?;ly@_CA+bZQ|WXX>q=$zWN z-|EA*J`d>7ZXc~@s71q59V-67bg7-CdX&WiIo2|D$8fP>5<&Z(R~jeOrh0s9h9L<| zJIx%L4NV||ggy)#`EK7qX1ZQuu8>(J7d9Y zz~c!Cn{VkFmFZq*qoKMW&0b#mM&(@CqcHM;(Q6yWSvi!SSLrY%X3G)=$$1Z{>eJ_5 z&0mIKMKK1qRRkKVXC)p9w&kFsd)NiUOxxGfDA6MdqJ~`Vsli3a>4cWn7osD(fS1@* z+o6z7OmJu|)P(1hn!}?as$N}&pV~np9Z=>$y^U0*I=dZR`B10v3@NqU5je(`u!DW^ zr4|ve!_$Sg3s}q9V0dIxv=`6`aSL^6GYz|WMc+fZ9MQmhma?da3!_Cn=)sCo=0_*N zxI>Pc)4bmPK}*FKw&QIPO$7Nc+D-S(NysVW!Hs5m#a*fL1?R0*FW+ya9DHnJIf@x z3y{8s&%eFS4ikCJuM(R3fS>E=fh zWQCjeGfS^mrtQ@*rZw2IrOS+F3HQDwEF7U+$xFF{7N|$1MAn%7s$dh# zP;ic%LcdAZR{5npn*FS!<;yx6NUG1U>HYKFr~A2IWV)QIiu?Uzm095z{9zT$K8K!Q zwLn!@Ap%B_^usS3!dJgnE}DH=A_v!JxNjR31LUN|$e-rFcYe26KpL-*8`U=x<9R@Q z_!wA5g|#T_oiQ7SD!JY?^vgt4 zBx%RQB1%VKrmPk*K`vtG9VAAr(^wav0^Hl+*h)gXZ9`O?+)y`Yp}bh^l5!!@l=nCZ=73I@zbNblcYY%w8l@b&~;Os 
zY|;eploxG}_loAkyPxGLmj)~~^qf!>e|-uMVSt=+e{X>4I7XoDN*M-a@mN9x5T4>v z(F$CvCO)4)Dp!zVhHfEy||8+vnOg#2bGlw$pW1)07=Y?~TQf|EW^}H8}lUyQ9#I#(= z8aU<*=hc~>aucwmfa-6MEijiG?cL=D0*Trh7aUg+pE6cl34+=+ZsBa>KnSUqxP!9^ zcl`ppyJlH9VZvDcE5!!8F-x7Gl2sYQ;dWO^rcsy#%Xiw*dKV05uQuKa2GhgeXPsht zG{Z*mlPPA$VRUFg4%Jegd=08=ye`s%GSi~0;dK*r`^MTi3WO?!zt;AJ;xD7UYZ~nm zPL)F6q|!ACQs#}*f7ym=`-uMVwG(>}8bh99! zgN?y<`2iWFxv!^3Qgaa8B?DmWK@Un3HvL=_vxrxx^SmIn%_zBHHN*NdN|ly-JjGQI zR*4654s>?`oGznUXj`DJ<;16sx`S5-c<!#H}6e4NY?&5J+#tbE>> z%&GDFAjl+e=S=)j=Dc&4 z>-Ls)(@T91AJ8l<=f1)=q{;;+)3|LcpUAOw7khj0mP7E{6S2YQmMgjW44b74-J%;( zLF;q%Z`?r7pGj1e^7&6y$aSh#K_pR|%N;EDc}Kvk9zsG}C+3`|Tt9AdHen6LLHv-& za{&4Z#kBkjxi24K-`?UtmrrCwTWJpf z_>eFV-k#t9J{Nt5%=H$3D%)k$y@4P|5RU#HzZlH#oqbe&EM$;mI0>(G0{yQMJ8*C; zzcCV3JHvrN-_3f_1QnvQUk1BWOn7NIvNZq=2t?i{n&x7zpKR1BM7L_&pnm#1v^PU? zpdWGeyk<_Qb5K;m7^c4UwyhtJf7ZFnb~Gr-!1x7e>m9+;#&qzHOMYtN3=OYj{Nu03 z{MMvWk6vV(KJY18hOa8RE`1d}+&s^>+f?$`8+(ZEja=D5u$~eg_Wg3uMFjX%F3pmt#s(LvW9jWf4YboYhw9pr+YNUGmgOu>5Lp`m^(#VpyY( z^2}MYuZvjB%2ZS`FNBZ16Gj8u@a89FE*0qdWR3H;JJ!H^jA{;uy4}*N}rZHThl;LyamtKHKg4wLqt9q=rV+fZVt- zi*J8|=gIOT{IKT8_(qSf4thuUMyBq8_|nh7@xds{ zP(~UT>A*DT(52G^XP$GcR@-y#P(SIi@t}!pu7;1wbTkh%7SW|@z62QBbjUI+6|fJ4 zCB8Tr45tVQgB#TV<~HSc2!`x)846JaVG6;Pd`_?HA=AF-=~<9moqYXEH_AN2u~{?= zD758MQc7X{3z5=SFW+!C1u9o@M&lfbeyUY}-%9tcT}_OV>sHio&BE^X;Punjb6pE_ zk|i#lIKlk2Z0GG%L$iywO;f4`d1zX8X)wOaLkEn&>sb(wD33EF&eK(3ULgL(6kdKf z^xgZj6;>Zpt7P1R>QKv%0!0PsE=aZw??y@9W4{ZlZ0!gwXw0Oa```jWZmw7l?z*z9 zo563)3gZGNoSku`M}IjSy&YJRi@xhH0y!0*xfVN{21VcfV&?py!6+Ak+xo@ohz{Hd zVSwkjYHea{&+~5~?hyE~9_CW;w?4iN;*O#Dr}^(_bEdF|(UI8K#4Y!HKWw`A zm!jbjz(0r($Phif#vD#YF#GtiJ6vSt-4o>84oNlESv|Agobf_NXKU1Ymm3WK_E(=5 zWTmqL%{27TR-woBPl#!SgS4$46M?jhUxv)2-9+9ZLdiXzR+;VnfwXC$pgbe zT<_gju<3uW{5gbsY$NcVIT9)1&#RZNh<4ev$V!!9g6Xpkn%Q0d`VM*ZG=RP%5hc26 zFk<;^Gt=s5RhBmTHUsxKq9eX6!&Y`pHvOl>b+zIPZ{`Fh6ZGdpah9;gDdeSYu zy*t%X?H``T*|&{qM)c(QLA-e^wB;>3njXIv)X*!)9&<=UJMd$MDB5}f`(8^2_V&=( z&TulzB+H$cY-7fxtpoBX8tD5`9oS2a68!{N`?1{yjRl@6J^YTnW$_cig?=P5ecLFU 
zXX2)zV#Jmj1<06TGru0dv#|fY1bg8;<>^`a;dWZ;E7tZ5ymW}T7zn~$*YOe_-*bQA z{1%f9ldhQ=%_CtIQKT~>#PHHU+l0b3NL{tqpD@nKqr4ImE+hUg z$(JNGE2kt_N16#jWHpIZW3n_UI&%I!%J)PN2%huUzG-xPh?&#*p@+|>{ffztIo3uh zpxX}j*4vbUF5lIkA$N_IkW`6l`Qyji7VP2V4N60yOZ)r;5jJ)4bK68R`qnI|J?!&mQ{eo(DZ09)tV z?$|(9lnO^&aPs}gBnttOiD`ZN`NuoOP!`HJQktA><1PLPj6gqJZ`kCW5W}Q|%tvvb zJI{JEK~5*{%v^Q6IiMyEOOp!?h(4KUpPG|4ffpAfua?JxJRCeGxh-=Nb}5@icwe_I zb&14E!}!>3WXkuR_HN=XBX^S6VB64r{4N+F`**Ivo1o_gK?N-kZ&lX3JMC!XphsO8 z$)bbs5%-$5i8@(6l0T^<3{NWhd$Mvuk`nqjN^a$)2~j3*mjE;%eKk0zsA`G{E<+DL zO>d}A9{p@`#t_uVswpv_dtu&ChJJ3P=Oi>z^~HQY9q|-A&3bsl-2U-@(>WbmDYl{j z06!D29_9)Ln~vuv?t9{MUqF#yuC|qaV%yjN_fV3Pw0Nc-E<2!kkJ@~A=r5rI{)6bE zPt^W{=(7HU=>8Bo$)c06eed^}twG8yNL$F^=Yd+(5>keIcM@#FsmEJI&pkrk;eZsh z@@gjR5!}!0aOF}pWVb!7m2nVX2@ri= z;RW*Da~ThVIMu`PDz~!Dl{r?=S#Wp8wJ3h&j3nH62&fcg``zl_SijR+xNc#-`er-f z7;g3r8%4$V8YYm1AZB!c zaAbQivxK+}}6+O%p8Khx~O@JH>G4DjxwJseGqPiAJas7FFviE#QIY3=ONGaoSpb_v zoGvt%Ygk|X0a8?Pr1mJ40KZ^N7SAL`!~U)>soRK|MkLdIoIAiBe#1lWFaKG-Kud+Y zL5i|0n_+W^#_m_KhHsbQ(5e+Lj-<-Cy9#}SS8?e#(T5zNajoiR7_is$3=C0`c=I}ymy;Uzh%Xu!2{@S^gS&c%(QwCq)tg!>Xflln@UEG+QBiIOIZxK zk@oIdY7d>;&x!~f>i1iGC!9iTEXp1iSHWA zH6#m$SZ;Dky)Vy0DEkfaK)a|L{{`}VISMcXl0U^~@$DHUm7}+xoS}gl9dpiP;2;-X zFD(W{nB%FrwbMhc-Vy#B^35B4OwU7Z(oO0$1IXYRt)r`Hpi@Ue;YRiXJA6Y|xz&{K z{p-}uJx;p6_lagx&p;8(`<^6raI!8-7rmzAh1$6Z!g;5@iv;vI>8@p{o-4Yyde6Md z@EA-pUDA_B!6tR8ba@)8JFkHLGg_~~j%!1RaBy~sNs*BQV@~BcUFuQNRa|{W76GxM zOeHnlO9QG5p5xxY-p_DvUyPb|c9;x(NS82T&e5BY9?9`y%FZfE-SLw1;N)KsKAa-# zG8E`T3I5OpIwRjG+VhLdGP8pq?qY<;`u$12ueD|#cP*)N?OKTvxu(!{ZNK2Xi{E$; zl5ih%c4D0{^;W1?ZxCI%jCG_tLAX?Ke5=Y3a!?v}A(cw?eE*?*8$w;3 z8vNa`hYjhrwHWGe#K((~T}5&+pn`(Rc#ogY$|5<#3*my7h>rqUD@@wt)%$fL7}i$V zP8cOC7bdv;IqzX}3Q1$EI?whFcp!|+voTs*mGllzFiN{eNu&nS{Me6WZFvPk)5$r9 z3B3Z8EoACBt+6BqQ)5f5(4%V6831;e*@F2{#G38 z$xa5zq$6H?638B3^PpwI*E%!hnvGh34+i3>i7YB2@IV*3E{C{U}WZkbUeK8Gf;O21$E6Yr%pWxS_Qd zSRDa9m)&L8bz8bD{$~`wyc3H8_)n*0yApyf3_r&r(UpW?*CBoT^p_Wg+tuxTQF%G& zuONXRV5}pliO3Wo2L9w*C!?sYT2&yZrD2Bf%&yDZDE5t`v#{QjW^ud=kIG5R0891X 
z35tc@`LQjUi3-&me3UB$YP(bhSS+^haYrpnQI^Tu-OHa0xpnwS60Gv;5W*Q+6z*2j z*Hz+u%2i-9fC9wsY``m1=iLGMNp;+U$CzrHNtV)ovBAB}QOxj+g-*rgXmHJrriiZ7 z8^|S0P38x!B@I#L4@`RUQCmEhH*73)nSRn+UNn=0L_Htnu+5-tHAe}} z4)I10jesUcm?{=Ty9rgF@DDaFEx_N78z>Xt)FiFKiOD{D1#h6dJs5qodQ^OV$?N7_SJTJBw{$16_hFY0fM3KN_VMEg(?U&yl&MQD>#K0aa(Z=!nIVSx z#(mTg?nDbxGCguuW&pNbU+cUChBuM)h~aT>MkqNx@U0w?y!Py%rR}##sfS#t_Jn~V zvFXfxkZsk6{4s;U01Yv;EN@n7;fI*dKjjX*;>YzBGs(*=@;E;=p?2Zrb0j2MP zX(+Kd9xRrA=21C2B%xzDWLcoN3@Ocsru{<}1)s@cllHxrMX&{hlcExl8&oofS=Xqs zih5IeCC|%jY$IWsDSYd<_X?$)LsO{B4zIhrM^M6AL~n>Tb?@C%#s%t3>IO5_{iH$jAc;)Zlb`)GP1Q6a zSrwFQtJP#{C%-1#{2kRwKDt`o{7qFI*qFp4!jq^TFv$JmH304zz6d2NjBTn!lo@S< zA(<>vjRsMP|Lx4x$LxkoZ8}Y4eb|}DNas_KO(hg^;rsdB8Usw+@;$^` z6G`UEO-Vzd6lf);!&KTu#*n^1tB0g`z>ela9eYZbP2#}E;l)ii-+?J`@=9$>Fucp5 z=L4Z5Nt+gemgT}Q9vrvYo>hg|gr!xnAsO@LBTc}8$gVvP7h!S3=0AJQz%p}t>Kj}) z)H<$a=r|1Dw9ZV0JW%d<#nBqL0#@Yi2k4|U8geW@7s%SEwQ&!fV*z9XVAn{F>j+g% zci;;12t%I1CY199C5}NPBmHKHSY!^-CM}SfM@W6*OBWFblWwa5Oqg>ioYt$30W#7% zomhizp&}<0)mq6S-rDp&q`A-~1HF^vMj*%{hcJ8btIz~~<2WZ-hh3Nisd{TdQDm4a zVdN{8k9eWKP{8XOfQ1WEGmW&Z912>hQ@L{`I0?2r)nZMNW1 zQQueE&3nDx3j2UL#Pc>Bw!7^}aZl%xRi zJ2Lk=M`}|)nA)pKHp)=4f{m`eMvHM2mn~P0lnmoXNpiGU9e%REZWEY&ese)Rz+pIy z0=e)yf60kTP2CNyY*%To6Q%9#Hi8l{p7S&gUWx|;#&DyOk+ElWT8&>J^j$ACwMF1t zZ6>mzR%Z&B-oyawv7Z@uA}v&$NqBug7ZVqH7)eXx;HE2Mmw=SN=WXK<`GF#Is8>U{ z)uDP{^-K&0rch4D8~L> zUKL3j$3$2SA%W-NY8B{NLjPNZ(^pM|qfG_{HXiomiLQp8xG+y z-_T~w-J>QKG~+@b895z)gjaXLDRo3`5cveoQ}+k&uV5# z=1(RF5Jf%s{98qb4gNs#oVIc+62M1f4Y6VRh4i=IIvs(8`68bBtCVy5o!cVnnDF^S z`nnI_f3d=6O9%!HJmX2|o$sT=S^olpP^ICntiXj=L4hBFcw|!W-am^6y+b?-P__#9 zU-REg4k6%Gnp3O#{5GZa&v^4${MDIRUyHZ*(XH8c!LdhA10T2zy6UyEUFoksuUirx zPN1Q#Ud0x0Vp+2VTe5XuU{*1!wN^2gtUfi>u#dZal*(;y6Lb6Z zl7;RM8S$AfH2k54z&5g}8TXF$mUkE$_D`Mc&MJ2(#S$D?tQsH*8Db$eB*R|;nW?RT zTPrEN=H4EnNm|eB)CcUG=RnWCE#*hZ3(L)LfSB={TdKhMNrhN7@hNldTs%{zA%tRe zN!@g(?IwIUBNB1jlN-W07R9U^Q-k-8*>o3)Y!&laUToSMf!<}5x#_%C_~Ouxfvt_r zK>hR|D*%cDn*=SUO>X(gCDlBh-!kp880Eftl`dVsA(Ve~2VWCqLoQS5eYp5Vl<`uN 
z*uho)4O(j9oDI_-2^}?`3TN8{V#m59w=4%<1yuT>uC<>3&Cnv#q6P#X%vGt*!lMng zvNqV%J-Y5|^cu}?cCAUev@?=aYxcm{2dYcJZ?ZLXW#?$*R$89YI&m&D2<|YvYGk{U zPyg<#-#-)Pwdk{A^EJfqwkhK4;im_B+@UCZ<8QS@b2TGHqV4>!ig`e)0DSY&!m?#W zUl1Ku>8c4*C>~gc&-YMw(aq-^B-w};Uv%!U(D6e;3%HU3r{=!cIsP$C2@vxbw=Q1* z?fQ=3HZPAv(6#b2rg`^J{kQVN2W&*tBe!ai35H>bK|M-pucXm4MlL3mZXt&oEa*Up zYVQvQ&ENF>^ImDGn(a3;K(>19BwEgnJV)}LSs_(NnA3$-`srS?-;taT_d2rkAr^F4 zRr_rpP1Qpka!o&-p_{G%IN&gH)wq~U9zJ_?QjY%O*H{ifU*D=b z3}7r)K+f=t{)D?E!G5~1g5E=crrWcyJ&{|Zlv#mviMYt`+Ct6`MX2jD`Xyl$@mDJ{ zMuHnbZrJ~a9zuS3riaU3$yI|bYyCeH15^)C4!8idq1trhJrmYOv!^@S&hrq6>m5sK zJ7(yWWE6NM`b7z!=vQ1jd!};L-uQ~wifNhP@A8heY-4V#N?mi0*j*h-o5qjP?ALi)$ z&5Z36(;TskMdsz)!IS(*bf)cro#;k6onqU%PwN_y4#pM_xmP!rR-2spng~A?$J1bs zztr=LD;X;?;MNiz-#qk;ihdW27MeZ-+Kg9F>vX&~uie@786`AvFD@1|*fvV@tRJc4 z#yu}(8MAe71`G!=O8t@uyAfi)(ky!7%|bHa$du#XV3>c0(F?^BF;f}?_)p9R&kid7 zL~n@|A^bkQBOB*HVpRu&4i7@#v*mW4QnMz+<%D%3w_UIu81;fvx-(MWgFO!Szp_{xb*!5gxot<>Ghsn!s9InA;_^f+LN6U35ZM@b^~#_>E0|CTPs zQa2fo;k?Xmz-+Z1Q93B?7_-$WCA}WbrOPdNJaWxSMOo+q?_2iY46j}3y1AiLl}zi> z@r5EjI9H7mz9L5NhreZI6!5HRRL?YJ1O$=W*NVA<@Eo?!d1m0(vA(g?1nh}dGm4#kNHZjz{;!H!yvdZ`YFY^8~E0)bRE zeMLJdm3Zx??%DWLXU$9~7KIKf&U*)H-oHs=Ou{KL+dXncrrtP9)g}yDvPTNeM_YHu zd5#W7GRR>pU+@&!NlWCw>`xh$3{;}1jaS*(mqb3(7;N#DW*HI8kcAYXRaDuCmmfxa z#`BozV%l0>LV+Hpzf)e|frjq6r8gh6zavbY3b@-TVYSgL2%{>V3Vz~yw7=w@oA34h za9=VT-Jemw_k;K^5LqH9CS}DOp%X7yH$Bd2_qnw5LN4U1gNytOb1yO<0?zi8Q24H0 z8d|O2iQkAs-SpXOiB#rNqjlYKXv^Gte(CrRM|5>+2QVx^l(I-f42V^qr8BrIh{CKY zQP%Qwj%mGHbM?t?JN-fE4MFLy`AEmYqK>~6c<8-8U7V;4BSIDWkXc%(NU=e4X^q%# zP?bZ8rb!I#spkL&=u6x{;$w{yroEo6PT?Y)Zu_JIOD{(DE;IA!7s^PEmIPNP-z1eU z2gHYfyo&U0^Og2ybM@G2jGZNwy5b-Rv8*f7f zrH86meu~r)Xo+B3$%HPL@h_h^>JW$*`hytpDj4NKQ3#E^PhG9>;>ZMTga8IK3)c{6WR_Aj|&85F=>K6HYg3vvyZ0IWi$_ zTtf;^nOqNU+XH?wx3->o3{>4KIrtSqI_CpqmDW7U9cnuDvnHLVvzDXbDjaQPx$9JTsZ{6@jmpAK!+D zbon;REM&;d{gO6cGOp9Or9*$H6B}1bzZ_ypyCeu?9LZ7P-?En$oAXZ=ig#PdeQs!i zcz>$Aogrs^SFv~fDk{Ix3Y)srLNrIDLo6^mG1gy6RCw$}SGq921qb{K>!kq~L*6aq 
z?m@eZYMQbYPG=Ovu~&3T#`21E#imXucJ)>h5r+=2R5Q^u!_~q&&P<~_QJa|NJT%9g z`Nz+pNm;{S>m{;#QK1FcVT@2vxEA zSV|sE6yH`XB{<_3-wbnY2f-j&PIi0-vXQ34)(gtAvN;f+Q7P*j3T$NZqogj?xjP8L zrm!g}NWpB0&q#Xp(1P>5S-|tsYaQC@8zuMB7RSyQ`94$%Xo+Iyb!N!_hK{5{JO?T? zQfR3wUv~kyPad3z4KeFIC6|4+@7Qa>Tx2|%+O4U6{9)(VkkId!Q?fI-$ns#c1RlTl zud^E|kEzO|38Ur`GmC;sKGTEeP?irc-t`(8x2E*}V~EP!dDNu@8)YF8e({Q`L@Ybb zxsW2j3Uv(~7NPH$<3fxh&_uGCH+XadjoM_m!$WJy zMU-8NctyS(HJ^Rxoy)hD18Ep>z^OYL2knksio( zyF}O-JQ>A4|Kk3VF88{YSp|3DK{POl3V8p_WXrd(vLDnDb~cptr|2c#SFu3>SXAkk zjb|t`Xy$&5x)f#tES%hu`417p^ci>Xl1b_Ed3F&@=apLGe?*#oXkbEK_@5M{gk_nDs&02#X?m5S*7p5r%Q3>;9L_tqM-bqQo!GHjubR z$6#f9D{kk~I~4LX-BDjL|Kz+lpo8=6${ta_@@uNN{^o1Tiwo&#w95M-0B)RX8 zHX91a+OK$Gs$SoSzJ|8|^%Yj#DKPIc`xwZclog1YJsv-a&xeR|GNgDgAG4(koXm{) z%Kli>S00~e-jNyb)6-@ECsQA-$c+G?sB4>`HJf~#(v7Eu+4+DNO8C6d`*ng1W@>_A zx@}NJeG)I$X7B|pWIe~u8@_a;d4mq|<+vN3j9VRwiPLbhCQAVVb0xprU&;^`6zY#J zazuHa4}vb%M5K969MVOV?$8KE$2W_@IJ2NYx>pQwH2b&Of?|5K@TyhiYsw zS)$xrYJ5X8)0pc3iCgN<*$s?`n(0U!Y9jq`R-aZ2Zu^md{kx#~MqOi4q$5AZq!U3OOjG~E z@o!9#!Jyp3Wx<2O0_gwnLzVcvML*#eCE`&-)*nPj`+^8B=M35=^EUR+yZyFB&M=zX z0iHpuK&UgOuWCc}tto%yhuL;!4nmqjmvP#9OWa4y)LopX9HAo$7d zzPvD?Y-ljw=niV*5szf+tw9`e^7rg~uNn5HSfZZqjMj;j+9bvTGNGp>eIcKM!$K*L zuvn1(8aVcoOnt8spvISH&J$wOGXItna%xG?|6OD?u7Ov3D(U_h_nmev%oHt4-zb$Z ztB<)pLF_`NWFv~B>AMce=p#1B2nXWn4>M_XM;_I2$_RB5x77Kznv{fm-*%~nMi-zP zN8gBjT%Ng9gf~Ms^sHVIbQ7JC5Eq(NWHpTkRCQ4W(>g$^ zZNhwZxc?JHx8z5AtQv+l7&F~kq>0f1^gccn$U*ddWF(=WfJCFk{WO6jfm_C*ouR?n zBAo^oEr+MubG4KGyy>#c+6@`w^Pgf_Ic^FRRJ7z#-B}7s#dvF#@nJiQj)q% zp0EA|S#%*+Bq`WVW$S=Y=b$PN)9(y)BMEBuLgTh#NIPxjgPkxWfRRM8sXiBy+@fF}T6c&)}Fw0ZIM4bPsU!fNx;-1A&`!p;0!`^}&II6=ISX z&-b<2Egw%!#lA9&LV(MYh#*iV*U2-$EWmdqty4YtL4G& z$(C_1b)**b%*WEPCW@r}1e%`+HIp=sP2qs<+2cS(;-$hY5}4#Ul#j^pi3M*ERpct3a8pZ>9;XahF*7bZ() zK$ba}iz4n&EIU;ylXoSaUrf3rs%sa@YOh>T7-Pw7_Ui^K66wVpRqt^U56WAfEvm$n zb=cn;UZbqMu3jxQndVci{>hKwO9!WezwXG;C@XznXXHf9U>%N95+ctrrCe09{^J8n z52o=Jyk-~s?=b*=SLJ7{U=thSh-MBhW|reO=8!~vaysP&LNe4&FWzE$EiV}xT8*h( 
zW~r_%<3#nIZ((ma%HE`5{A~p*iq61;%rDAnGt#lipIUEuihXQ*P7gbD#!y}CxU|#` znztEV8sPMBE&0zly@G54mpN)iy$4cQ!CuNV8>S6`%6*>Qzq>|I4UF{m1{# zNV(^dBa5#@k5@#wvAekd^Q>Xbx7?|<_nf|ZD|COV(x9|#{fL0i>j<%}?ws2QXD;zi zwLQLrpGNWxQ?wKz4NcFld_uD~5O_1G>Nh7polh)=Vu2|;B9hq!5nu9p+TwHO_m7#r;*SC8W z9krN+fInkPoc-!a9m%1DoVsp)G1N0-{g<76hFr1q)HkEPX6sg@#i=6?1rfK!olkIq zlJOMXZSRa<8#k!@1T8;LZ`z8%icou)842~>*5Q~yg$j+5lEy%WiguQ00Bl(CWf20; zi+AX`KRY#D8f;@?Vr3oCy`8xF`{U$P88G2`7q}U0Of#pw2x&6uyr(u+H&=O>O0`0Q zZrR9BwLOT57!>|2My00NGq_4v=+SB(Ut)O2-5+`zdOPPrj9kE!^2N8+m}-2`Ap!3KP@9qzehqv zU5Jg&ENot6B4md!{5h!tmhzV5)!SRsfZ!k1li9I83-*DLXrR z@6Zsz{(in@dTJ^`bp`8*CG^bb+!x<(iDFg1Y_eWGxBvHqBc6h|esU?Eq#p4HUx)op zEJuEs^6!+9^_;<1XXeAr;amOlo3Ha6g&{ zEv+WKA&iHobidp5CG#ow4ao0fio?ct#M1LH>8&d$hhH%D*ra zUGr4Ccw6<>ta+`Z3KM2~9IED@ zP{vfU07fcgYUs>2RnKTuUxyMqRcn1bScgwv9!7CBW-7&bs0`%zXn{-q15(M0FxSMd z{X(PO6snb`^0sLX5Lu-H6*xr>Dw+4!RE~K~Fn(RhBs#jyR(=J_P$%1C>W404m{+4Fg>AM<+C1E+W3 z`K>}spUa!-I0q%Rk6sKT@f>8rf`8*13_RS@i7c1iW5G8BUPShwobP0G(;@dcT<e`E*xwd?KPk6EBK`DYfoceVX)t!9CDuq1!xmW&iJXHUw6I6WIA*#F-6^~Oaj-jbW-U zl-vb@k4jVNQ~kE0l3Ozi`Z$g&B%^07d;6-CXTXPTzPp4Nqu?JpQp~!MInZ*)0)E;1 zlUZ(avh4|YU8h)|Zw9I>TaS?)WN&5A19C3#R65a_(W=7*sQxT~wh4%Y1-T)Uy&MEM z`KBM(+H`cDUAz`jk`0F+cqZ<^JH38+Fz_lO2_L=vYEBT(#bHsB%ZO}qK{FSsClv;` zz~2o*W-o{@U72UPhh4Z3<1wUi2OzA)*22uCBXHW6b^#*H$D-@?XfrkK>f#R?p_&rI z?N3u3vr55ajU0}bWc{Wyeu_jj;Rge=L3)ify2lmgp7Yh(9ZP2O;9>I$b`Z(61ftDD zVVG72Lq*L!TA_-eHIZ&X^=aKUjz&P`vXzQOTd8**=qR3s#|77FEyt{7M%lt0CVuWA zTV-UdStF$^_gvrg^MZ)d{A*;lp2GsS*F{QY2oj(@2YhX?;lJJtdD{m60VweO2wP+H zxh}@DY-d#DFC3r*mJjc+@I(IeCrkY$Fmh6v( zmwy>I|D;^jW8)tlWbJ>tpgfARV;b$K@RN^AeMDDQ8RjyzSp3Gu-|BuRSXD_g@NG`; zsY2|we*03WgPbz3HmR+3ZkA_mc6^OprmVacFYCbP^7^Q{HN3DNwm8i~G?UYQvZG|C z-mdw&g>dmoyn(VhjR*QXNS5=HQfSEt0ccp);1P@Sa|PtvrG@5gk^2fKNPD6}^ol?h zDEq9IJ>-5&0FUVM8WCo^(12}#<#6{iS`DBh_LSx?4tos@X+8}llcF*!9e3X7AA8=z z{&l>NNx&}a!;yb|LR{Z#^bIeqHcD0vnkMeyyycsDe7F;_cR5*UkFfhu_Qwfmx+uib zG!qxM810N%9hhnss~Rb+Y!#jy)LWxdRF) z<11ODKe#y;=%~4&;QV!8R(^HL_pxWH{^9g)?h#Sr9`aIPjqmK-v1|H^S?9=;d34-C 
zi(@VhV?5({zrgud971(^)Z-x_^z4yUmFn?gl<*$G{r%*5h{uyids@_-yM2p0j=)k2 zq9LzmbnN5_d+wD+N4lAH`gGz}CG{1sv~n;TPGoP_zUZ_VHqICml=iF5lQmrza7wEg z5qNNB_`#vP(qn*IVeS%H^Wj$)Ot}oR)5zp`^|FN3jn;vy00IHz@=qd+P;0$SmAJ}3 zmdDc)mZ=^o?}+X4a0esMO|xjHC0oS&R1G~rLQUP<;p%LFaUDwF+SB3!xN5oLtJ7du zwyqk?fA$V3M_GC}Hg8J`+w|FsCMhFlmg_xw7MmTb*x#x!G`9A$XBJ$Fz{7LuFmav` zO$AR*9%pq?M!8rmN7Ppd(y7Sni_d#bSF9IUtYnf7^w! z<3uE2kl1aZy}zp_EWQf@YLaOll-yS|nH$32A9Q_9uf=B!in|))wM!t*cvv?+b$N3- z5Rff^FL^M@`17mU2F}^I`)h-r2qD~WS*q7NrPJGWkp=XWuV$3YYP)1#HT5+sn<@Z_ zLH(z5ICe9nAO7i(dJODlNk?fYntV&L*w5DxtN7#t$4j?LFH?)tk3LL)0`hVxK?b zNJ+n2i*TtfGu65w(Qv;jH@w2qw4$}ouL8* zwGl26r7RHkGq9~$vD@lC$rBvYByoC1cXt}lwJ1Jnbyz#+07eFRBjsWs-f(iTq#C4P z74|J>O(T6S4ERdi$-gY9B>l3T$A8pzdJ#IEqo zW_nxhS}NA6UkA0~r-4y44;-yhG)o_i@Jv5xufVqE+>xeL%vwO4fj^r9twNoO+c%?2xZE zO5nppA%)s=i+oJ$ucSn`{->0y42!Dmx`3oeC@mle(vs3rl7ggkOM{~zIn;0f=@>)= zk&p)IP(T`#R1^UThmsCqXoi&c5X19)->>(&-uXFmoqON0*Shy!Yp$c6hPw3_9?ABo z?Za$x$B&Y4i|frs?oo%{^&4||Q`)?>zoHJEcYH!^+%gL*$HruNjfP(rd(rg(O&++Z zR3s1|F&{&T+g#&*2kzTa8T*DQ`6vipwa8RjE3NqeZP={XWBu#T>v|eK60E74GBgH! z$}`*MQD5voWPwinEwD4c$~>`q0|S3Fl!GC8Fj9B>U`_q0Mzh$`w)$3BuV=2%uMubD zPYxZ^$LqtY5MFe7&u0Y$NXl`A6P@P7pv*DK;9% zsZ}MlmdwJ-k|D0Ic_w`aIOs+zuPbh9{3xX_V<_dlI`&L>`4dnsqCP#kwK(JuiNS6#yp@h_FgL{%dTI{rc4U?|ee6~1>QJogH6O)Z zmh!}6BX*S2TO@v3_oGP>GEH(jzGB(IgdDct=40K~DFRvRBZz&HCKYUj2Mxc;Tb-eI zp!KzRaN5a%776h1M+)RQo27hS6oEf74!k<2UxJHtd--6S4Qkb&z&&iD7Y584B*y7j z@t@{8eyD#nhZx<#oRn?=HV(9|j-NEUcWBXX+NOesFqqOD6j&o%{I+OgTxJmgg7doR_WigE?_%MRqC-^%|hbo-x*wPN&V_zx$u>K81++8 zgCOk4q%~tzV#-i>vWuZUSfo(?3WcS;T6xuBTlIRDG)`m9K1cQ*(U=(Tdzlg2l#+b} zDn+!T49{h zI_cGu5&{1XiNIU`?jwW^{HcVtA5}3H?hN^*Ir-j=m%BdeDc^-qo8lsl=}3{L*7#hc zy(E9T+G#s~_1dGa4FFyeH|lEblqWU1odXr0GJ>*MsV5))5fx6NF@eH@RK>Uif*nf$ z3X46F+^*+%*F>O282rm+#&EpkF&8G!fpyKZYv(kM1*ng}3=C@e^YJ@JFLOhlRJ2oQ zu383BwK;}Dfub=B{?g&LPTu|$(3Fj}Y8AX4Qk&A%m`j5tl6A&}_j$p{fx0sl?&-?) 
z`8&2s3nRkuEslbN1HU(BQP0+=6zWmqHYPQQFeIivHgig{T$gxzL&43HNV5RWuj9$m zwVHJTx3?byCU*e2(8Ockep>47h$hN_D<}S zuZIg+9>&%*r`BBAYV#Pn^u{>DCR%Oq<6-GatFKTE)e$gFpUDg#FJhUmjpjOZe4_oL zes%;=;j)qI)9($nOe@X?gyuEYlfSY(3@I?ur-f{;K^G}chOT300YMt z>#(#}>1r;`XIb*n+adh@QPyn{Bif?fl68X#;d_gI%HPSWViGb1s%5`kPcCxCF>^(l z>$A)PbpUOSIgaRZ0Id5Z1AsdRUCr{D=B-p4;JN$R6MwM-#njfs2InAAp1NB%?;Jnb z$W#7-Qker``>*w5gnrtRk+)`7)fXwLpYU&)p?l@`v}VDSL6n1-wg|c^mp3Zcu`)7c zVT9+FFXp+{GJ8LDZq=aT{rgJ*3De|D1c-_X&QoA`dWHA8$iJ=#iqa`gYq0!75shSB zkU#cDSu0IcvGFn1&PEBdqEH!}O%#4qAgB$PWDJmFpQHmZdMd&Njd{)5*6T=#=Ick3*ow0hIvf4iSD)Uc9;E za%{;+a}2ZNo85o>Vt74(EBzvhpq9yXyh8Ty;TXxn{wjPE4e(uefTcZ!kebqu05Vjf z(3Mo0&c{o*loblAURu-Ae)LItKH$3xh5(A;^$7}+mU1jSx9U3mR*d-)iHy>KeT&`| zMf0t+SlA@at@m1f1u3^R&eTSbopgp|GBFji5QZILI@;H7|8m$}P`MK#E*0!<$l8rC z2z;m@!PSB$6`>VECL5s&Tp-#)^3J{kt&7|lrTLR4+G;o=zUed{y<5ii;kUJl6|RS4 z&1VZIJ_3N3e%!8HABxJmt`Dj5ln1>cUr_X3@3z(-J=ecUt3h>;*>F32yjy{4pRZUz zWk+gPtQJ?nzg8z3R~km!_3^XsZFF9L^38vSLT`;KQ zzWgE)((ll`yL6o*n_YbY=-?$~!r2ev5j>MgRRlOuoNtRP_^!JeFw!4Q6eZ^hF*EuXG?}qz-@rv!AQUbpG zi!W;2SRyw1d?A+3ii53Ym8XOh(e@{99yoUn!dNlkuB-XQVNtHqE%B4obj`nikfuDw z^MPHP%gbru`wZ8noA<-oB4|vg3^p13$ohL`2))iAL;tP@JcE!KDLQw0qAr-|_vC}@ za{&ldBjsRHmB}zx0lTBoNa+>~k#_>>zJpX9m~}$$WHW z=Y~t(8U*%5lrKRfc~IufwZn~W?c!b~d1w34T8t5Q5T?@*I6kQOb8N|j0Z{Y3P1yz8 zFzC?p*3yS+`xF-6>x$Z&InznF{zhs%TP#$wZ~7Btc6jSgZw%CI7@jt+$y+3NE7~3A zEO}N&_+#;(+|HxAg%?iBwbE4jRg2IaNSZy^cm_Mx2l~}T%^98w{NJoOK7F3*>9h{r z2GpEfq$?6!(P!BjBSV)BcQtua;#2lG9L9NBpR!r>o~Ybdv^~;YRg<%-Q4id_RBJf* z&u*I92*`y<%!OG6Du%UZ8d$sPotG3`jxkV)Uix_>xjc3Y8MqCmI6`vFvwegWw=wS2 zx3ElK@&YcSBX?I|7$fay1l^$F_w~tqwj(WU4w0fnNTg`{C|=oZE4=MAaD1|Z;AwYd5#qUBwlrHpW1Sr;h)wC)xJ1ohN zlYbcn%t9hYix0=y92(LDT4{2rPc^zKK3zQMgEJaRmmw!C>uJD_pI=y%Nu%r_l`1^I zPs@+qi8#nWWPJa#yFf_gMtE7PLcng+QSw^Kmk+XMicD_sx9E%QaR9fcM{9c@THDL= zO|F2S!ok6E*+)(Qco`R$;p(LlcFWvJP&RLPGAYa8GtA)3W*Xi8baZA@fG!0L3&e+Y zDvNiGyQM@*EC)X~2@7OXQ7=p^rshtiU{d1sj z&ty(sMvpXQ=HCVT$a~g(z?@RHZ`?q3Ts$_ih7 zlm3sDqC4_D2pdYo#>yI|6)zA#0gy1JN{+5| 
z-Hx4--I_9Up?Y?nk4IBZ0-pIV@;d%8qYAH*@o3dfey#LeF}1JvyHuPu@<^qpweQf^ zfYK()gVO}41lTy=PiQ{NclPM0KB$=8HJWXVyb9Y(|bK**ua%n+T?HokEe> z^yX^@QjezD&0jRkHtq~7zFICM(eaz&lR9YI?3~sBG}8%RUrbUPGne)1r2hYNdUx(t z3D_$r+2u`KKQ?5eG}gm?g*p~S%-cBCm^W_Ef85d}Gjak#0I^!UJn;RCP2-{F128I| z!NknewDpVpl{(2WGk_F z5=pOL#>gXP#{<*2W2TGrOZV3~eUd&TnBB|}xMGz{(-lEc%_d>?DD8kCvO@+Fd`c;7 z<>O!H96M*p8{PAAmCV8yi6w&zX0JtQuzYr8t66eL{12q)y^huTzs92je=P2+2a9zC zwi!CyzrsldiR|rnS(S%|{?KPgFlZ!D=w7i}c{sCo&Rv;ijDM5D0hVF`Ctlw+{-Bl? z%&l#YDZOdk`eU=yJmZ+`fF4-`a0rs@ck_iF@4=Uk{``Qjn_R9TL?e-%&j(zJU5|^R zkBT5wW>Jyq!RB^fB|A@du+~^sUnIm`WHPCDe0JR6X-y2gD@b}z+DWRwu8>k1A~@uT;}cstfC`?3u^84bJJa>5Io!Pf&?Ec&c36P zH@wJgOZKrD$6l0ikKsSFp~6~rm8M#nN^Fef>A35+A!{A>cZ~k;XM4E5luA?NTPc(< z`0p~B0>OEuwH>zO2)0O3;5+PsoCagjP8DoHC(0wD^lfZyo*=j2%M$-&xUp@rpQNg#UVPp<5D#p1Z?=l8*B z6(R#>LBI`@e<3_w=I3S4P^WMNS>iWP%X%z!-kF?+Wi-MOHB$dDNH>kP_)ok`nHLy9 z-7I#%v)HrcpK(PmCrEZi5V$iMI;RHheGu=Y_*7^TJ>eYEV(|2{D(9$0E@%e)IuIm2 jy#IR0hyTNvYsZ+$M})*KoSOI;;73_OUA{#2QQ&_7{<_iD From 91a9dfd9830f600f89c90f42bb9d89e64cbe5e89 Mon Sep 17 00:00:00 2001 From: Jack Ivanov <17044561+jackivanov@users.noreply.github.com> Date: Sun, 2 Sep 2018 21:52:59 +0300 Subject: [PATCH 53/91] invoke dns encryption from main playbook instead of meta-dependencies (#1097) --- roles/vpn/meta/main.yml | 5 ----- server.yml | 3 +++ 2 files changed, 3 insertions(+), 5 deletions(-) diff --git a/roles/vpn/meta/main.yml b/roles/vpn/meta/main.yml index 5f86e875..ed97d539 100644 --- a/roles/vpn/meta/main.yml +++ b/roles/vpn/meta/main.yml @@ -1,6 +1 @@ --- - -dependencies: - - role: dns_encryption - tags: dns_encryption - when: dns_encryption diff --git a/server.yml b/server.yml index 459dd63d..e7e4ad2a 100644 --- a/server.yml +++ b/server.yml @@ -9,6 +9,9 @@ roles: - role: common + - role: dns_encryption + when: dns_encryption + tags: dns_encryption - role: dns_adblocking when: algo_local_dns tags: dns_adblocking From cbe57991db8236a1f3b6cef890a33b875ea6ed3c Mon Sep 17 00:00:00 2001 
From: Jack Ivanov <17044561+jackivanov@users.noreply.github.com> Date: Sun, 2 Sep 2018 21:54:06 +0300 Subject: [PATCH 54/91] Update docs (#1089) --- docs/client-macos-wireguard.md | 33 ++++++++++++ docs/faq.md | 5 ++ docs/troubleshooting.md | 91 +++++++++++++++++++++++++++++++++- 3 files changed, 127 insertions(+), 2 deletions(-) create mode 100644 docs/client-macos-wireguard.md
diff --git a/docs/client-macos-wireguard.md b/docs/client-macos-wireguard.md
new file mode 100644
index 00000000..0d1db781
--- /dev/null
+++ b/docs/client-macos-wireguard.md
@@ -0,0 +1,33 @@
+# Using MacOS as a Client with WireGuard
+
+## Install WireGuard
+
+To connect to your Algo VPN using [WireGuard](https://www.wireguard.com) from MacOS
+
+```
+# Install the wireguard-go userspace driver
+brew install wireguard-tools
+```
+
+## Locate the Config File
+
+The Algo-generated config files for WireGuard are named `configs//wireguard/.conf` on the system where you ran `./algo`. One file was generated for each of the users you added to `config.cfg` before you ran `./algo`. Each Linux and Android client you connect to your Algo VPN must use a different WireGuard config file. Choose one of these files and copy it to your device.
+
+## Configure WireGuard
+
+Finally, install the config file on your client as `/usr/local/etc/wireguard/wg0.conf` and start WireGuard:
+
+```
+# Install the config file to the WireGuard configuration directory on your MacOS device
+mkdir /usr/local/etc/wireguard/
+cp .conf /usr/local/etc/wireguard/wg0.conf
+
+# Start the WireGuard VPN:
+sudo wg-quick up wg0
+
+# Verify the connection to the Algo VPN:
+wg
+
+# See that your client is using the IP address of your Algo VPN:
+curl ipv4.icanhazip.com
+```
diff --git a/docs/faq.md b/docs/faq.md
index b55a911e..00b44f83 100644
--- a/docs/faq.md
+++ b/docs/faq.md
@@ -10,6 +10,7 @@ * [Where did the name "Algo" come from?](#where-did-the-name-algo-come-from) * [Can DNS filtering be disabled?](#can-dns-filtering-be-disabled) * [Wasn't IPSEC backdoored by the US government?](#wasnt-ipsec-backdoored-by-the-us-government) +* [What inbound ports are used?](#what-inbound-ports-are-used) ## Has Algo been audited? @@ -70,3 +71,7 @@ No. > It's interesting that the bug was fixed without an advisory (oh to be a fly on the wall on ICB that day; Theo had a, um, a, "way" with his dev team). On the other hand, we don't know what releases of OpenBSD actually had the bug right now. > > It seems vanishingly unlikely that there could have been anything deliberate about this series of changes. You are unlikely to find anyone who will impugn Angelos. Meanwhile, the diffs tell exactly the opposite of the story that Greg Perry told. + +## What inbound ports are used? + +You should only need 22/TCP, 500/UDP, and 4500/UDP. diff --git a/docs/troubleshooting.md b/docs/troubleshooting.md index e6717b7a..53bacb11 100644 --- a/docs/troubleshooting.md +++ b/docs/troubleshooting.md 
@@ -6,11 +6,15 @@ * [Error: "fatal error: 'openssl/opensslv.h' file not found"](#error-fatal-error-opensslopensslvh-file-not-found) * [Error: "TypeError: must be str, not bytes"](#error-typeerror-must-be-str-not-bytes) * [Error: "ansible-playbook: command not found"](#error-ansible-playbook-command-not-found) + * [Error: "Could not fetch URL ... TLSV1_ALERT_PROTOCOL_VERSION](#could-not-fetch-url--tlsv1_alert_protocol_version) * [Bad owner or permissions on .ssh](#bad-owner-or-permissions-on-ssh) * [The region you want is not available](#the-region-you-want-is-not-available) * [AWS: SSH permission denied with an ECDSA key](#aws-ssh-permission-denied-with-an-ecdsa-key) * [AWS: "Deploy the template" fails with CREATE_FAILED](#aws-deploy-the-template-fails-with-create_failed) + * [AWS: not authorized to perform: cloudformation:UpdateStack](#aws-not-authorized-to-perform-cloudformationupdatestack) * [DigitalOcean: error tagging resource 'xxxxxxxx': param is missing or the value is empty: resources](#digitalocean-error-tagging-resource) + * [Windows: The value of parameter linuxConfiguration.ssh.publicKeys.keyData is invalid](#windows-the-value-of-parameter-linuxconfigurationsshpublickeyskeydata-is-invalid) + * [Docker: Failed to connect to the host via ssh](#docker-failed-to-connect-to-the-host-via-ssh) * [Connection Problems](#connection-problems) * [I'm blocked or get CAPTCHAs when I access certain websites](#im-blocked-or-get-captchas-when-i-access-certain-websites) * [I want to change the list of trusted Wifi networks on my Apple device](#i-want-to-change-the-list-of-trusted-wifi-networks-on-my-apple-device) 
@@ -21,6 +25,7 @@ * [Various websites appear to be offline through the VPN](#various-websites-appear-to-be-offline-through-the-vpn) * [Clients appear stuck in a reconnection loop](#clients-appear-stuck-in-a-reconnection-loop) * ["Error 809" or IKE_AUTH requests that never make it to the server](#error-809-or-ike_auth-requests-that-never-make-it-to-the-server) + * [Windows: Parameter is incorrect](#windows-parameter-is-incorrect) * [I have a problem not covered here](#i-have-a-problem-not-covered-here) ## Installation Problems @@ -150,7 +155,7 @@ In order to fix this issue, delete the `algo.pem` and `algo.pem.pub` keys from y ### AWS: "Deploy the template fails" with CREATE_FAILED -You tried to deploy to Algo to AWS and you received an error like this one: +You tried to deploy Algo to AWS and you received an error like this one: ``` TASK [cloud-ec2 : Make a cloudformation template] ****************************** @@ -166,7 +171,7 @@ In many cases, failed deployments are the result of [service limits](http://docs ### DigitalOcean: error tagging resource -You tried to deploy to Algo to DigitalOcean and you received an error like this one: +You tried to deploy Algo to DigitalOcean and you received an error like this one: ``` TASK [cloud-digitalocean : Tag the droplet] ************************************ 
@@ -183,6 +188,65 @@ The error is caused because Digital Ocean changed its API to treat the tag argum 5. Finally run `doctl compute tag list` to make sure that the tag has been deleted 6. Run algo as directed +### Windows: The value of parameter linuxConfiguration.ssh.publicKeys.keyData is invalid + +You tried to deploy Algo from Windows and you received an error like this one: + +``` +TASK [cloud-azure : Create an instance]. +fatal: [localhost]: FAILED! => {"changed": false, +"msg": "Error creating or updating virtual machine AlgoVPN - Azure Error: +InvalidParameter\n +Message: The value of parameter linuxConfiguration.ssh.publicKeys.keyData is invalid.\n +Target: linuxConfiguration.ssh.publicKeys.keyData"} +``` + +This is related to [the chmod issue](https://github.com/Microsoft/WSL/issues/81) inside /mnt directory which is NTFS. The fix is to place Algo outside of /mnt directory. + +### Could not fetch URL ... TLSV1_ALERT_PROTOCOL_VERSION + +You tried to install Algo and you received an error like this one: + +``` +Could not fetch URL https://pypi.python.org/simple/secretstorage/: There was a problem confirming the ssl certificate: [SSL: TLSV1_ALERT_PROTOCOL_VERSION] tlsv1 alert protocol version (_ssl.c:590) - skipping + Could not find a version that satisfies the requirement SecretStorage<3 (from -r requirements.txt (line 2)) (from versions: ) +No matching distribution found for SecretStorage<3 (from -r requirements.txt (line 2)) +``` + +It's time to upgrade your python + +`brew upgrade python2` + +You can also download python 2.7.x from python.org + +### Docker: Failed to connect to the host via ssh + +You tried to deploy Algo from Docker and you received an error like this one: + +``` +Failed to connect to the host via ssh: +Warning: Permanently added 'xxx.xxx.xxx.xxx' (ECDSA) to the list of known hosts.\r\n +Control socket connect(/root/.ansible/cp/6d9d22e981): Connection refused\r\n +Failed to connect to new control master\r\n +``` + +You need to add the 
following to the ansible.cfg in repo root: + +``` +[ssh_connection] +control_path_dir=/dev/shm/ansible_control_path +``` + +### AWS: not authorized to perform: cloudformation:UpdateStack + +You tried to deploy Algo to AWS and you received an error like this one: + +``` +TASK [cloud-ec2 : Deploy the template] ***************************************** +fatal: [localhost]: FAILED! => {"changed": false, "failed": true, "msg": "User: arn:aws:iam::082851645362:user/algo is not authorized to perform: cloudformation:UpdateStack on resource: arn:aws:cloudformation:us-east-1:082851645362:stack/algo/*"} +``` + +This error indicates you already have Algo deployed to Cloudformation. Need to [delete it](cloud-amazon-ec2.md#cleanup) first, then re-deploy. ## Connection Problems 
@@ -278,6 +342,29 @@ Then rerun the dependency installation explicitly using python 2.7 python2.7 -m virtualenv --python=`which python2.7` env && source env/bin/activate && python2.7 -m pip install -U pip && python2.7 -m pip install -r requirements.txt ``` +### Windows: Parameter is incorrect + +The problem may happen if you recently moved to a new server, where you have Algo VPN. + +1. Clear the Networking caches: + - Run CDM (click windows start menu, type 'cmd', right click on 'Command Prompt' and select "Run as Administrator"). + - Type the commands below: + ``` + netsh int ip reset + netsh int ipv6 reset + netsh winsock reset + ``` + +3. Restart your computer +4. Reset Device Manager adaptors: + - Open Device Manager + - Find Network Adapters + - Uninstall WAN Miniport drivers (IKEv2, IP, IPv6, etc) + - Click Action > Scan for hardware changes + - The adapters you just uninstalled should come back + +The VPN connection should work again + ## I have a problem not covered here If you have an issue that you cannot solve with the guidance here, [join our Gitter](https://gitter.im/trailofbits/algo) and ask for help. If you think you found a new issue in Algo, [file an issue](https://github.com/trailofbits/algo/issues/new). From 244a698531837b04c79a46f56118a0110c1f45d1 Mon Sep 17 00:00:00 2001 From: in-in Date: Sun, 2 Sep 2018 22:22:24 +0300 Subject: [PATCH 55/91] improve readability (#1085) --- docs/client-linux-wireguard.md | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/docs/client-linux-wireguard.md b/docs/client-linux-wireguard.md index 123ab76e..3430959c 100644 --- a/docs/client-linux-wireguard.md +++ b/docs/client-linux-wireguard.md 
@@ -4,11 +4,13 @@ To connect to your Algo VPN using [WireGuard](https://www.wireguard.com) from an Ubuntu Server 16.04 (Xenial) or 18.04 (Bionic) client, first install WireGuard on the client: -``` +```shell # Add the WireGuard repository: sudo add-apt-repository ppa:wireguard/wireguard + # Update the list of available packages (not necessary on Bionic): sudo apt update + # Install the tools and kernel module: sudo apt install wireguard ``` @@ -29,20 +31,25 @@ Use the IP address shown on the `DNS =` line (for most, this will be `172.16.0.1 Finally, install the config file on your client as `/etc/wireguard/wg0.conf` and start WireGuard: -``` +```shell # Install the config file to the WireGuard configuration directory on your # Bionic or Xenial client: sudo install -o root -g root -m 600 .conf /etc/wireguard/wg0.conf + # Start the WireGuard VPN: sudo systemctl start wg-quick@wg0 + # Check that it started properly: sudo systemctl status wg-quick@wg0 + # Verify the connection to the Algo VPN: sudo wg + # See that your client is using the IP address of your Algo VPN: curl ipv4.icanhazip.com + # Optionally configure the connection to come up at boot time: sudo systemctl enable wg-quick@wg0 ``` -(If your Linux distribution does not use `systemd`, you can bring up WireGuard with `sudo wg-quick up wg0`). \ No newline at end of file +(If your Linux distribution does not use `systemd`, you can bring up WireGuard with `sudo wg-quick up wg0`). From d95df710a55d664400ee2802fd5d4b2322ac1340 Mon Sep 17 00:00:00 2001 From: David Myers Date: Sun, 2 Sep 2018 15:26:06 -0400 Subject: [PATCH 56/91] Add an unattended reboot option (#1082) --- config.cfg | 9 +++++++++ roles/common/tasks/unattended-upgrades.yml | 8 ++++++++ roles/common/templates/60unattended-reboot.j2 | 2 ++ 3 files changed, 19 insertions(+) create mode 100644 roles/common/templates/60unattended-reboot.j2 diff --git a/config.cfg b/config.cfg index b5bbb9ca..6156031a 100644 --- a/config.cfg +++ b/config.cfg 
@@ -56,6 +56,15 @@ dns_servers: # IP address for the local dns resolver local_service_ip: 172.16.0.1 +# Your Algo server will automatically install security updates. Some updates +# require a reboot to take effect but your Algo server will not reboot itself +# automatically unless you change 'enabled' below from 'false' to 'true', in +# which case a reboot will take place if necessary at the time specified (as +# HH:MM) in the time zone of your Algo server. The default time zone is UTC. +unattended_reboot: + enabled: false + time: 06:00 + pkcs12_PayloadCertificateUUID: "{{ 900000 | random | to_uuid | upper }}" VPN_PayloadIdentifier: "{{ 800000 | random | to_uuid | upper }}" CA_PayloadIdentifier: "{{ 700000 | random | to_uuid | upper }}" diff --git a/roles/common/tasks/unattended-upgrades.yml b/roles/common/tasks/unattended-upgrades.yml index 378c16e3..d0beae0a 100644 --- a/roles/common/tasks/unattended-upgrades.yml +++ b/roles/common/tasks/unattended-upgrades.yml @@ -19,3 +19,11 @@ owner: root group: root mode: 0644 + +- name: Unattended reboots configured + template: + src: 60unattended-reboot.j2 + dest: /etc/apt/apt.conf.d/60unattended-reboot + owner: root + group: root + mode: 0644 diff --git a/roles/common/templates/60unattended-reboot.j2 b/roles/common/templates/60unattended-reboot.j2 new file mode 100644 index 00000000..6af49126 --- /dev/null +++ b/roles/common/templates/60unattended-reboot.j2 @@ -0,0 +1,2 @@ +Unattended-Upgrade::Automatic-Reboot "{{ unattended_reboot.enabled|lower }}"; +Unattended-Upgrade::Automatic-Reboot-Time "{{ unattended_reboot.time }}"; From 4c70b71df509bbbc0ac7c6824a6ea57d84e65e33 Mon Sep 17 00:00:00 2001 
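Review bot: In the config.cfg hunk, `time: 06:00` is an unquoted scalar; the default happens to stay a string, but a value without a leading zero such as `22:00` is likely to be read as a base-60 integer by the YAML 1.1 parser Ansible uses, and `60unattended-reboot.j2` would then render `Automatic-Reboot-Time "1320"` rather than a clock time. Quote the default, `time: "06:00"`, and add a comment line above it such as `# Keep the quotes: an unquoted HH:MM may be parsed as a number.` A reboot time that is not rendered as HH:MM may not be honoured, which would leave kernel and library security updates installed but not active until someone reboots by hand.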
From: TC1977 <37350377+TC1977@users.noreply.github.com> Date: Thu, 6 Sep 2018 14:04:23 -0400 Subject: [PATCH 57/91] Fix spacing in congrats message (#1104) The spacing of several lines in the congrats message has been off. Here's the congrats output with this fix: ``` ok: [54.85.244.8] => { "msg": [ [ "\"# Congratulations! #\"", "\"# Your Algo server is running. #\"", "\"# Config files and certificates are in the ./configs/ directory. #\"", "\"# Go to https://whoer.net/ after connecting #\"", "\"# and ensure that all your traffic passes through the VPN. #\"", "\"# Local DNS resolver 172.16.0.1 #\"", "" ], " \"# The p12 and SSH keys password for new users is CR2qzRcA #\"\n", " \"# The CA key password is ed0fd57e7d355af08d12ccdbfd3f5931 #\"\n", " \"# Shell access: ssh -i configs/algo.pem ubuntu@54.85.244.8 #\"\n" ] } ``` --- config.cfg | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/config.cfg b/config.cfg index 6156031a..f9722514 100644 --- a/config.cfg +++ b/config.cfg @@ -79,11 +79,11 @@ congrats: "# Config files and certificates are in the ./configs/ directory. #" "# Go to https://whoer.net/ after connecting #" "# and ensure that all your traffic passes through the VPN. #" - "# Local DNS resolver {{ local_service_ip }} #" + "# Local DNS resolver {{ local_service_ip }} #" p12_pass: | - "# The p12 and SSH keys password for new users is {{ p12_export_password }} #" + "# The p12 and SSH keys password for new users is {{ p12_export_password }} #" ca_key_pass: | - "# The CA key password is {{ CA_password }} #" + "# The CA key password is {{ CA_password }} #" ssh_access: | "# Shell access: ssh -i {{ ansible_ssh_private_key_file|default(omit) }} {{ ansible_ssh_user|default(omit) }}@{{ ansible_ssh_host|default(omit) }} #" From 76a8fe35db0448366a777c285cb0620747de4e32 Mon Sep 17 00:00:00 2001 
From: TC1977 <37350377+TC1977@users.noreply.github.com> Date: Fri, 7 Sep 2018 06:04:20 -0400 Subject: [PATCH 58/91] Document AWS disk encryption flag in config.cfg (#1102) This is to better document the "encryption" flag for those who are interested in full disk encryption on AWS. Recently on running the script, I also found the minimum permissions documented at https://github.com/trailofbits/algo/blob/master/docs/deploy-from-ansible.md weren't enough; "ec2:CopyImage" is also required. Not sure if you'd rather have this documented in the AWS docs instead, and not sure if you want "ec2:CopyImage" added to the default minimum required permissions. I can do either if you'd prefer. --- config.cfg | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/config.cfg b/config.cfg index f9722514..c838a640 100644 --- a/config.cfg +++ b/config.cfg @@ -103,6 +103,12 @@ cloud_providers: digitalocean: size: s-1vcpu-1gb image: "ubuntu-18-04-x64" + # Change the encrypted flag to "true" to enable AWS volume encryption, for encryption of data at rest. + # Warning: the Algo script will take approximately 6 minutes longer to complete. + # Also note that the documented AWS minimum permissions aren't sufficient. + # You will have to edit the AWS user policy documented at + # https://github.com/trailofbits/algo/blob/master/docs/cloud-amazon-ec2.md to also allow "ec2:CopyImage". + # See https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-edit.html ec2: encrypted: false size: t2.micro From 65b02396253d0eadd48af570f9e9086cc4637a62 Mon Sep 17 00:00:00 2001 From: David Myers Date: Fri, 7 Sep 2018 10:25:57 -0400 Subject: [PATCH 59/91] Display the invocation environment to aid debugging (#1108) --- algo-showenv.sh | 84 +++++++++++++++++++++++++++++++++++++++++ playbooks/cloud-pre.yml | 15 ++++++++ 2 files changed, 99 insertions(+) create mode 100755 algo-showenv.sh diff --git a/algo-showenv.sh b/algo-showenv.sh new file mode 100755 index 00000000..6085c407 --- /dev/null 
+++ b/algo-showenv.sh 
@@ -0,0 +1,84 @@
+#!/bin/bash
+#
+# Print information about Algo's invocation environment to aid in debugging.
+# This is normally called from Ansible right before a deployment gets underway.
+
+# Skip printing this header if we're just testing with no arguments.
+if [[ $# -gt 0 ]]; then
+ echo ""
+ echo "--> Please include the following block of text when reporting issues:"
+ echo ""
+fi
+
+if [[ ! -f ./algo ]]; then
+ echo "This should be run from the top level Algo directory"
+fi
+
+# Determine the operating system.
+case "$(uname -s)" in
+ Linux)
+ OS="Linux ($(uname -r) $(uname -v))"
+ if [[ -f /etc/os-release ]]; then
+ # shellcheck disable=SC1091
+ # I hope this isn't dangerous.
+ . /etc/os-release
+ if [[ ${PRETTY_NAME} ]]; then
+ OS="${PRETTY_NAME}"
+ elif [[ ${NAME} ]]; then
+ OS="${NAME} ${VERSION}"
+ fi
+ fi
+ STAT="stat -c %y"
+ ;;
+ Darwin)
+ OS="$(sw_vers -productName) $(sw_vers -productVersion)"
+ STAT="stat -f %Sm"
+ ;;
+ *)
+ OS="Unknown"
+ ;;
+esac
+
+# Determine if virtualization is being used with Linux.
+VIRTUALIZED=""
+if [[ -x $(command -v systemd-detect-virt) ]]; then
+ DETECT_VIRT="$(systemd-detect-virt)"
+ if [[ ${DETECT_VIRT} != "none" ]]; then
+ VIRTUALIZED=" (Virtualized: ${DETECT_VIRT})"
+ fi
+fi
+
+echo "Algo running on: ${OS}${VIRTUALIZED}"
+
+# Determine the currentness of the Algo software.
+if [[ -d .git && -x $(command -v git) ]]; then
+ ORIGIN="$(git remote get-url origin)"
+ COMMIT="$(git log --max-count=1 --oneline --no-decorate --no-color)"
+ if [[ ${ORIGIN} == "https://github.com/trailofbits/algo.git" ]]; then
+ SOURCE="clone"
+ else
+ SOURCE="fork"
+ fi
+ echo "Created from git ${SOURCE}. Last commit: ${COMMIT}"
+elif [[ -f LICENSE && ${STAT} ]]; then
+ CREATED="$(${STAT} LICENSE)"
+ echo "ZIP file created: ${CREATED}"
+fi
+
+# The Python version might be useful to know.
+if [[ -x ./env/bin/python ]]; then
+ ./env/bin/python --version 2>&1
+elif [[ -f ./algo ]]; then
+ echo "env/bin/python not found: has 'python -m virtualenv ...' been run?"
+fi
+
+# Just print out all command line arguments, which are expected
+# to be Ansible variables.
+if [[ $# -gt 0 ]]; then
+ echo "Runtime variables:"
+ for VALUE in "$@"; do
+ echo " ${VALUE}"
+ done
+fi
+
+exit 0
diff --git a/playbooks/cloud-pre.yml b/playbooks/cloud-pre.yml
index da08b357..b40f6c85 100644
--- a/playbooks/cloud-pre.yml
+++ b/playbooks/cloud-pre.yml
@@ -1,4 +1,19 @@
 ---
+- name: Display the invocation environment
+ local_action:
+ module: shell
+ ./algo-showenv.sh \
+ 'algo_provider "{{ algo_provider }}"' \
+ 'algo_ondemand_cellular "{{ algo_ondemand_cellular }}"' \
+ 'algo_ondemand_wifi "{{ algo_ondemand_wifi }}"' \
+ 'algo_ondemand_wifi_exclude "{{ algo_ondemand_wifi_exclude }}"' \
+ 'algo_local_dns "{{ algo_local_dns }}"' \
+ 'algo_ssh_tunneling "{{ algo_ssh_tunneling }}"' \
+ 'algo_windows "{{ algo_windows }}"' \
+ 'wireguard_enabled "{{ wireguard_enabled }}"' \
+ 'dns_encryption "{{ dns_encryption }}"' \
+ > /dev/tty
+
 - name: Generate the SSH private key
 openssl_privatekey:
 path: "{{ SSH_keys.private }}"
From 57fb2ec3470f64be8785e4c7d77dc460b25b8db4 Mon Sep 17 00:00:00 2001 From: ctrlaltreboot <1124760+ctrlaltreboot@users.noreply.github.com> Date: Sat, 8 Sep 2018 23:38:49 +1000 Subject: [PATCH 60/91] Update client-windows.md (#1099) Correct command would be ```powershell -ExecutionPolicy ByPass -File C:\path\to\windows_USER.ps1 Add``` --- docs/client-windows.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/client-windows.md b/docs/client-windows.md
index 6e071cf1..91dfd9c4 100644
--- a/docs/client-windows.md
+++ b/docs/client-windows.md
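Review bot: In algo-showenv.sh, `. /etc/os-release` in the Linux branch runs that file as shell code inside the script's own process, which is what the "I hope this isn't dangerous" comment leaves open. On a standard system the file is root-owned, so the exposure is limited to whoever can already write it, but sourcing also lets it overwrite any variable the script uses later, since the file defines `NAME`, `VERSION` and similar names. Confining the read to a subshell keeps the lookup and drops the side effects: `DISTRO="$(. /etc/os-release; printf '%s' "${PRETTY_NAME:-${NAME:+${NAME} ${VERSION}}}")"` followed by `[[ ${DISTRO} ]] && OS="${DISTRO}"`. The comment should then say why the file is trusted rather than express a hope, e.g. `# /etc/os-release is sourced in a subshell so it cannot change this script's variables.`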
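Review bot: In playbooks/cloud-pre.yml, the nine arguments passed to `./algo-showenv.sh` embed Jinja2 values inside hand-written single quotes, so a value that itself contains `'` (a Wi-Fi network name in `algo_ondemand_wifi_exclude` is the likely case) ends the quoted word early and the rest of the value is parsed by the local shell. Let Ansible do the quoting with the `quote` filter, e.g. `{{ ('algo_ondemand_wifi_exclude "' ~ algo_ondemand_wifi_exclude ~ '"') | quote }} \`, and apply the same form to the other eight lines. Separately, `> /dev/tty` will likely make this task fail when the playbook runs without a controlling terminal (CI, cron, a container started without a TTY); registering the output and printing it with a `debug` task would avoid that dependency.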
@@ -8,7 +8,7 @@ To install automatically, use the generated user Powershell script. 2. Open Powershell as Administrator. 3. Run the following command: ```powershell -powershell -ExecutionPolicy ByPass -File C:\path\to\windows_USER.ps1 -Add +powershell -ExecutionPolicy ByPass -File C:\path\to\windows_USER.ps1 Add ``` 4. The command has help information available. To view its full help, run this from Powershell: ```powershell From df4b3f620290f6b762e0a67501b5b9984f6950c2 Mon Sep 17 00:00:00 2001 From: TC1977 <37350377+TC1977@users.noreply.github.com> Date: Sat, 8 Sep 2018 09:39:53 -0400 Subject: [PATCH 61/91] Update Win10 client docs for non-admin accounts (#1093) * Update client-windows.md Allows non-admin accounts to use the VPN as per #983 and #994. Fix was also documented here https://www.bountysource.com/issues/49259904-windows-10-powershell-and-priv-nonpriv-account-issues * Update client-windows.md --- docs/client-windows.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/client-windows.md b/docs/client-windows.md index 91dfd9c4..77ba3c6f 100644 --- a/docs/client-windows.md +++ b/docs/client-windows.md @@ -1,6 +1,6 @@ # Windows client manual setup -## Automatic installtion +## Automatic installation To install automatically, use the generated user Powershell script. 
@@ -27,6 +27,8 @@ Set-ExecutionPolicy Unrestricted -Scope CurrentUser 4. In the same window, run the necessary commands to install the certificates and create the VPN configuration. Note the lines at the top defining the VPN address, USER.p12 file location, and CA certificate location - change those lines to the IP address of your Algo server and the location you saved those two files. Also note that it will prompt for the "User p12 password", which is printed at the end of a successful Algo deployment. +If you have more than one account on your Windows 10 machine (e.g. one with administrator privileges and one without) and would like to have the VPN connection available to all users, then insert the line `AllUserConnection = $true` after `$EncryptionLevel = "Required"`. + ```powershell $VpnServerAddress = "1.2.3.4" $UserP12Path = "$Home\Downloads\USER.p12" From 5e7f134005fb371347dcb1c86d5932fec45ae820 Mon Sep 17 00:00:00 2001 From: Jack Ivanov <17044561+jackivanov@users.noreply.github.com> Date: Fri, 14 Sep 2018 16:09:46 +0300 Subject: [PATCH 62/91] Update issue templates (#1114) * Update issue templates * Delete ISSUE_TEMPLATE.md --- .github/ISSUE_TEMPLATE.md | 37 ----------------------- .github/ISSUE_TEMPLATE/bug_report.md | 32 ++++++++++++++++++++ .github/ISSUE_TEMPLATE/feature_request.md | 17 +++++++++++ 3 files changed, 49 insertions(+), 37 deletions(-) delete mode 100644 .github/ISSUE_TEMPLATE.md create mode 100644 .github/ISSUE_TEMPLATE/bug_report.md create mode 100644 .github/ISSUE_TEMPLATE/feature_request.md diff --git a/.github/ISSUE_TEMPLATE.md b/.github/ISSUE_TEMPLATE.md deleted file mode 100644 index 7a8982df..00000000 --- a/.github/ISSUE_TEMPLATE.md +++ /dev/null 
@@ -1,37 +0,0 @@ -### OS / Environment (where do you run Algo on) - - -``` -PUT THE OUTPUT HERE -``` - -### Cloud Provider (where do you deploy Algo to) - - -``` -PUT THE OUTPUT HERE -``` - -### Summary of the problem - - - - -### Steps to reproduce the behavior - - -1. Do this.. -2. Do that.. -3. - -### Full log - - -``` -PUT THE OUTPUT HERE -``` diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md new file mode 100644 index 00000000..cd9b4c6a --- /dev/null +++ b/.github/ISSUE_TEMPLATE/bug_report.md @@ -0,0 +1,32 @@ +--- +name: Bug report +about: Create a report to help us improve + +--- + +**Describe the bug** + +A clear and concise description of what the bug is. + +**To Reproduce** + +Steps to reproduce the behavior: +1. Do this.. +2. Do that.. +3. .. + +**Expected behavior** + +A clear and concise description of what you expected to happen. + +**Additional context** + +Add any other context about the problem here. + +**Full log** + + + +``` +PUT THE OUTPUT HERE +``` diff --git a/.github/ISSUE_TEMPLATE/feature_request.md b/.github/ISSUE_TEMPLATE/feature_request.md new file mode 100644 index 00000000..066b2d92 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/feature_request.md @@ -0,0 +1,17 @@ +--- +name: Feature request +about: Suggest an idea for this project + +--- + +**Is your feature request related to a problem? Please describe.** +A clear and concise description of what the problem is. Ex. I'm always frustrated when [...] + +**Describe the solution you'd like** +A clear and concise description of what you want to happen. + +**Describe alternatives you've considered** +A clear and concise description of any alternative solutions or features you've considered. + +**Additional context** +Add any other context or screenshots about the feature request here. From 4e5103986c154dc3f13c22c30d8f2a3cff03b686 Mon Sep 17 00:00:00 2001 
From: Jack Ivanov <17044561+jackivanov@users.noreply.github.com> Date: Fri, 14 Sep 2018 16:22:27 +0300 Subject: [PATCH 63/91] Create PULL_REQUEST_TEMPLATE.md --- PULL_REQUEST_TEMPLATE.md | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 PULL_REQUEST_TEMPLATE.md diff --git a/PULL_REQUEST_TEMPLATE.md b/PULL_REQUEST_TEMPLATE.md new file mode 100644 index 00000000..74118487 --- /dev/null +++ b/PULL_REQUEST_TEMPLATE.md @@ -0,0 +1,29 @@ + + +## Description + + +## Motivation and Context + + + +## How Has This Been Tested? + + + + +## Types of changes + +- [ ] Bug fix (non-breaking change which fixes an issue) +- [ ] New feature (non-breaking change which adds functionality) +- [ ] Breaking change (fix or feature that would cause existing functionality to not work as expected) + +## Checklist: + + +- [ ] I have read the **CONTRIBUTING** document. +- [ ] My code follows the code style of this project. +- [ ] My change requires a change to the documentation. +- [ ] I have updated the documentation accordingly. +- [ ] I have added tests to cover my changes. +- [ ] All new and existing tests passed. From 4a42fbea35167de1b139dad95405189f3b3e8e69 Mon Sep 17 00:00:00 2001 From: Jack Ivanov <17044561+jackivanov@users.noreply.github.com> Date: Mon, 17 Sep 2018 03:19:29 +0300 Subject: [PATCH 64/91] Move to the ARM deployment schema (#1107) --- CHANGELOG.md | 4 + config.cfg | 6 +- roles/cloud-azure/defaults/main.yml | 2 +- roles/cloud-azure/files/deployment.json | 209 ++++++++++++++++++++++++ roles/cloud-azure/tasks/main.yml | 135 +++------------ roles/cloud-azure/tasks/prompts.yml | 10 +- 6 files changed, 245 insertions(+), 121 deletions(-) create mode 100644 roles/cloud-azure/files/deployment.json diff --git a/CHANGELOG.md b/CHANGELOG.md index e7f566a4..417b757d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,3 +1,7 @@ +## 7 Sep 2018 +### Changed +- Azure: Deployment via Azure Resource Manager + ## 27 Aug 2018 ### Changed - Large refactor to support Ansible 2.5. [Details](https://github.com/trailofbits/algo/pull/976) diff --git a/config.cfg b/config.cfg index c838a640..0967d260 100644 --- a/config.cfg +++ b/config.cfg @@ -95,11 +95,7 @@ SSH_keys: cloud_providers: azure: size: Basic_A0 - image: - offer: UbuntuServer - publisher: Canonical - sku: '18.04-LTS' - version: latest + image: 18.04-LTS digitalocean: size: s-1vcpu-1gb image: "ubuntu-18-04-x64" diff --git a/roles/cloud-azure/defaults/main.yml b/roles/cloud-azure/defaults/main.yml index 9170a157..cd5301d2 100644 --- a/roles/cloud-azure/defaults/main.yml +++ b/roles/cloud-azure/defaults/main.yml @@ -1,5 +1,5 @@ --- -azure_regions: > +_azure_regions: > [ { "displayName": "East Asia", diff --git a/roles/cloud-azure/files/deployment.json b/roles/cloud-azure/files/deployment.json new file mode 100644 index 00000000..646ea8a1 --- /dev/null +++ b/roles/cloud-azure/files/deployment.json 
@@ -0,0 +1,209 @@ +{ + "$schema": "http://schema.management.azure.com/schemas/2014-04-01-preview/deploymentTemplate.json", + "contentVersion": "1.0.0.0", + "parameters": { + "AlgoServerName": { + "type": "string" + }, + "sshKeyData": { + "type": "string" + }, + "location": { + "type": "string" + }, + "WireGuardPort": { + "type": "int" + }, + "vmSize": { + "type": "string" + }, + "imageReferenceSku": { + "type": "string" + } + }, + "variables": { + "vnetID": "[resourceId('Microsoft.Network/virtualNetworks', parameters('AlgoServerName'))]", + "subnet1Ref": "[concat(variables('vnetID'),'/subnets/', parameters('AlgoServerName'))]" + }, + "resources": [ + { + "apiVersion": "2015-06-15", + "type": "Microsoft.Network/networkSecurityGroups", + "name": "[parameters('AlgoServerName')]", + "location": "[parameters('location')]", + "properties": { + "securityRules": [ + { + "name": "AllowSSH", + "properties": { + "description": "Locks inbound down to ssh default port 22.", + "protocol": "Tcp", + "sourcePortRange": "*", + "destinationPortRange": "22", + "sourceAddressPrefix": "*", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": 100, + "direction": "Inbound" + } + }, + { + "name": "AllowIPSEC500", + "properties": { + "description": "Allow UDP to port 500", + "protocol": "Udp", + "sourcePortRange": "*", + "destinationPortRange": "500", + "sourceAddressPrefix": "*", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": 110, + "direction": "Inbound" + } + }, + { + "name": "AllowIPSEC4500", + "properties": { + "description": "Allow UDP to port 4500", + "protocol": "Udp", + "sourcePortRange": "*", + "destinationPortRange": "4500", + "sourceAddressPrefix": "*", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": 120, + "direction": "Inbound" + } + }, + { + "name": "AllowWireGuard", + "properties": { + "description": "Locks inbound down to ssh default port 22.", + "protocol": "Udp", + "sourcePortRange": "*", + 
"destinationPortRange": "[parameters('WireGuardPort')]", + "sourceAddressPrefix": "*", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": 130, + "direction": "Inbound" + } + } + ] + } + }, + { + "apiVersion": "2015-06-15", + "type": "Microsoft.Network/publicIPAddresses", + "name": "[parameters('AlgoServerName')]", + "location": "[parameters('location')]", + "properties": { + "publicIPAllocationMethod": "Static" + } + }, + { + "apiVersion": "2015-06-15", + "type": "Microsoft.Network/virtualNetworks", + "name": "[parameters('AlgoServerName')]", + "location": "[parameters('location')]", + "properties": { + "addressSpace": { + "addressPrefixes": [ + "10.10.0.0/16" + ] + }, + "subnets": [ + { + "name": "[parameters('AlgoServerName')]", + "properties": { + "addressPrefix": "10.10.0.0/24" + } + } + ] + } + }, + { + "apiVersion": "2015-06-15", + "type": "Microsoft.Network/networkInterfaces", + "name": "[parameters('AlgoServerName')]", + "location": "[parameters('location')]", + "dependsOn": [ + "[concat('Microsoft.Network/networkSecurityGroups/', parameters('AlgoServerName'))]", + "[concat('Microsoft.Network/publicIPAddresses/', parameters('AlgoServerName'))]", + "[concat('Microsoft.Network/virtualNetworks/', parameters('AlgoServerName'))]" + ], + "properties": { + "networkSecurityGroup": { + "id": "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('AlgoServerName'))]" + }, + "ipConfigurations": [ + { + "name": "ipconfig1", + "properties": { + "privateIPAllocationMethod": "Dynamic", + "publicIPAddress": { + "id": "[resourceId('Microsoft.Network/publicIPAddresses', parameters('AlgoServerName'))]" + }, + "subnet": { + "id": "[variables('subnet1Ref')]" + } + } + } + ] + } + }, + { + "apiVersion": "2016-04-30-preview", + "type": "Microsoft.Compute/virtualMachines", + "name": "[parameters('AlgoServerName')]", + "location": "[parameters('location')]", + "dependsOn": [ + "[concat('Microsoft.Network/networkInterfaces/', 
parameters('AlgoServerName'))]" + ], + "properties": { + "hardwareProfile": { + "vmSize": "[parameters('vmSize')]" + }, + "osProfile": { + "computerName": "[parameters('AlgoServerName')]", + "adminUsername": "ubuntu", + "linuxConfiguration": { + "disablePasswordAuthentication": true, + "ssh": { + "publicKeys": [ + { + "path": "/home/ubuntu/.ssh/authorized_keys", + "keyData": "[parameters('sshKeyData')]" + } + ] + } + } + }, + "storageProfile": { + "imageReference": { + "publisher": "Canonical", + "offer": "UbuntuServer", + "sku": "[parameters('imageReferenceSku')]", + "version": "latest" + }, + "osDisk": { + "createOption": "FromImage" + } + }, + "networkProfile": { + "networkInterfaces": [ + { + "id": "[resourceId('Microsoft.Network/networkInterfaces', parameters('AlgoServerName'))]" + } + ] + } + } + } + ], + "outputs": { + "publicIPAddresses": { + "type": "string", + "value": "[reference(resourceId('Microsoft.Network/publicIPAddresses',parameters('AlgoServerName')),providers('Microsoft.Network', 'publicIPAddresses').apiVersions[0]).ipAddress]", + } + } +} diff --git a/roles/cloud-azure/tasks/main.yml b/roles/cloud-azure/tasks/main.yml index 682fcb3c..27e2defc 100644 --- a/roles/cloud-azure/tasks/main.yml +++ b/roles/cloud-azure/tasks/main.yml 
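Review bot: The `outputs.publicIPAddresses` object ends with a trailing comma after its `"value": "[reference(...).ipAddress]",` line, which strict JSON parsers reject. Whether the `lookup('file', 'deployment.json')` path tolerates it depends on how Ansible converts the string, so dropping the comma is the safe form. The `AllowWireGuard` rule carries the SSH rule's description (`"Locks inbound down to ssh default port 22."`) and should read something like `"Allow UDP to the WireGuard port"`. The `AllowSSH` rule describes itself as locking inbound down while `"sourceAddressPrefix": "*"` leaves port 22 reachable from any address; if that is intended the description should say so, otherwise a template parameter for the allowed source range would let operators narrow it.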
@@ -4,123 +4,38 @@ import_tasks: prompts.yml - set_fact: - resource_group: "Algo_{{ region }}" - secret: "{{ azure_secret | default(lookup('env','AZURE_SECRET'), true) }}" - tenant: "{{ azure_tenant | default(lookup('env','AZURE_TENANT'), true) }}" - client_id: "{{ azure_client_id | default(lookup('env','AZURE_CLIENT_ID'), true) }}" - subscription_id: "{{ azure_subscription_id | default(lookup('env','AZURE_SUBSCRIPTION_ID'), true) }}" + algo_region: >- + {% if region is defined %}{{ region }} + {%- elif _algo_region.user_input is defined and _algo_region.user_input != "" %}{{ azure_regions[_algo_region.user_input | int -1 ]['name'] }} + {%- else %}{{ azure_regions[default_region | int - 1]['name'] }}{% endif %} - - name: Create a resource group - azure_rm_resourcegroup: + - name: Create AlgoVPN Server + azure_rm_deployment: + state: present + deployment_name: "AlgoVPN-{{ algo_server_name }}" + template: "{{ lookup('file', 'deployment.json') }}" secret: "{{ secret }}" tenant: "{{ tenant }}" client_id: "{{ client_id }}" subscription_id: "{{ subscription_id }}" - name: "{{ resource_group }}" - location: "{{ region }}" - tags: - Environment: Algo - - - name: Create a virtual network - azure_rm_virtualnetwork: - secret: "{{ secret }}" - tenant: "{{ tenant }}" - client_id: "{{ client_id }}" - subscription_id: "{{ subscription_id }}" - resource_group: "{{ resource_group }}" - name: algo_net - address_prefixes: "10.10.0.0/16" - tags: - Environment: Algo - - - name: Create a security group - azure_rm_securitygroup: - secret: "{{ secret }}" - tenant: "{{ tenant }}" - client_id: "{{ client_id }}" - subscription_id: "{{ subscription_id }}" - resource_group: "{{ resource_group }}" - name: AlgoSecGroup - purge_rules: yes - rules: - - name: AllowSSH - protocol: Tcp - destination_port_range: 22 - access: Allow - priority: 100 - direction: Inbound - - name: AllowIPSEC500 - protocol: Udp - destination_port_range: 500 - access: Allow - priority: 110 - direction: Inbound - - name: 
AllowIPSEC4500 - protocol: Udp - destination_port_range: 4500 - access: Allow - priority: 120 - direction: Inbound - - name: AllowWireGuard - protocol: Udp - destination_port_range: "{{ wireguard_port }}" - access: Allow - priority: 130 - direction: Inbound - - - name: Create a subnet - azure_rm_subnet: - secret: "{{ secret }}" - tenant: "{{ tenant }}" - client_id: "{{ client_id }}" - subscription_id: "{{ subscription_id }}" - resource_group: "{{ resource_group }}" - name: algo_subnet - address_prefix: "10.10.0.0/24" - virtual_network: algo_net - security_group_name: AlgoSecGroup - tags: - Environment: Algo - - - name: Create an instance - azure_rm_virtualmachine: - secret: "{{ secret }}" - tenant: "{{ tenant }}" - client_id: "{{ client_id }}" - subscription_id: "{{ subscription_id }}" - resource_group: "{{ resource_group }}" - admin_username: ubuntu - virtual_network: algo_net - name: "{{ azure_server_name }}" - ssh_password_enabled: false - vm_size: "{{ cloud_providers.azure.size }}" - tags: - Environment: Algo - ssh_public_keys: - - { path: "/home/ubuntu/.ssh/authorized_keys", key_data: "{{ lookup('file', '{{ SSH_keys.public }}') }}" } - image: "{{ cloud_providers.azure.image }}" - register: azure_rm_virtualmachine - - # To-do: Add error handling - if vm_size requested is not available, can we fall back to another, ideally with a prompt? 
+ resource_group_name: "AlgoVPN-{{ algo_server_name }}" + parameters: + AlgoServerName: + value: "{{ algo_server_name }}" + sshKeyData: + value: "{{ lookup('file', '{{ SSH_keys.public }}') }}" + location: + value: "{{ algo_region }}" + WireGuardPort: + value: "{{ wireguard_port }}" + vmSize: + value: "{{ cloud_providers.azure.size }}" + imageReferenceSku: + value: "{{ cloud_providers.azure.image }}" + register: azure_rm_deployment - set_fact: - ip_address: "{{ azure_rm_virtualmachine.ansible_facts.azure_vm.properties.networkProfile.networkInterfaces[0].properties.ipConfigurations[0].properties.publicIPAddress.properties.ipAddress }}" - networkinterface_name: "{{ azure_rm_virtualmachine.ansible_facts.azure_vm.properties.networkProfile.networkInterfaces[0].name }}" - - - name: Ensure the network interface includes all required parameters - azure_rm_networkinterface: - secret: "{{ secret }}" - tenant: "{{ tenant }}" - client_id: "{{ client_id }}" - subscription_id: "{{ subscription_id }}" - name: "{{ networkinterface_name }}" - resource_group: "{{ resource_group }}" - virtual_network_name: algo_net - subnet_name: algo_subnet - security_group_name: AlgoSecGroup - - - set_fact: - cloud_instance_ip: "{{ ip_address }}" + cloud_instance_ip: "{{ azure_rm_deployment.deployment.outputs.publicIPAddresses.value }}" ansible_ssh_user: ubuntu rescue: diff --git a/roles/cloud-azure/tasks/prompts.yml b/roles/cloud-azure/tasks/prompts.yml index aadffd61..28d42521 100644 --- a/roles/cloud-azure/tasks/prompts.yml +++ b/roles/cloud-azure/tasks/prompts.yml 
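Review bot: The `algo_region` expression indexes `azure_regions[_algo_region.user_input | int -1 ]['name']` without validating the prompt answer: Jinja's `int` filter yields 0 for non-numeric text, so the index becomes -1 and the last region in the list is chosen silently, and an out-of-range number would only fail at templating time. A preceding `assert` that the input lies between 1 and `azure_regions | length` makes the failure explicit. Separately, `lookup('file', '{{ SSH_keys.public }}')` nests a template inside an expression; `lookup('file', SSH_keys.public)` is the supported form. The hunk also removes the `set_fact` that defined `secret`, `tenant`, `client_id` and `subscription_id` while the new `azure_rm_deployment` task still reads them, so they are presumably set in prompts.yml now, which is worth confirming since that part of the file is outside this hunk.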
@@ -48,20 +48,20 @@ - block: - name: Set facts about the regions set_fact: - aws_regions: "{{ azure_regions | sort(attribute='region_name') }}" + azure_regions: "{{ _azure_regions|from_json | sort(attribute='name') }}" - name: Set the default region set_fact: default_region: >- - {% for r in aws_regions %} - {%- if r['region_name'] == "us-east-1" %}{{ loop.index }}{% endif %} + {% for r in azure_regions %} + {%- if r['name'] == "eastus" %}{{ loop.index }}{% endif %} {%- endfor %} - pause: prompt: | What region should the server be located in? - {% for r in aws_regions %} - {{ loop.index }}. {{ r['region_name'] }} + {% for r in azure_regions %} + {{ loop.index }}. {{ r['displayName'] }} {% endfor %} Enter the number of your desired region From 14234344ebe5d5d687faebbc6fd0c99e520fa4a0 Mon Sep 17 00:00:00 2001 From: James Date: Tue, 18 Sep 2018 02:43:41 -0500 Subject: [PATCH 65/91] Use gateway ip address for wireguard interface (#1115) --- roles/wireguard/templates/server.conf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/wireguard/templates/server.conf.j2 b/roles/wireguard/templates/server.conf.j2 index 17b388fc..d9468de4 100644 --- a/roles/wireguard/templates/server.conf.j2 +++ b/roles/wireguard/templates/server.conf.j2 @@ -1,5 +1,5 @@ [Interface] -Address = {{ wireguard_network_ipv4['subnet'] }}/{{ wireguard_network_ipv4['prefix'] }}{% if ipv6_support %},{{ wireguard_network_ipv6['gateway'] }}/{{ wireguard_network_ipv6['prefix'] }} +Address = {{ wireguard_network_ipv4['gateway'] }}/{{ wireguard_network_ipv4['prefix'] }}{% if ipv6_support %},{{ wireguard_network_ipv6['gateway'] }}/{{ wireguard_network_ipv6['prefix'] }} {% endif %} ListenPort = {{ wireguard_port }} From 8f090a36f8a619b6293719f1624c8d11a4cb4c61 Mon Sep 17 00:00:00 2001 
From: Mike Myers <30631532+mike-myers-tob@users.noreply.github.com> Date: Tue, 18 Sep 2018 00:47:07 -0700 Subject: [PATCH 66/91] Fix minor typos in Amazon EC2 setup documentation. (#1116) --- docs/cloud-amazon-ec2.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/cloud-amazon-ec2.md b/docs/cloud-amazon-ec2.md index 36c51359..1e81988f 100644 --- a/docs/cloud-amazon-ec2.md +++ b/docs/cloud-amazon-ec2.md @@ -6,7 +6,7 @@ Creating an Amazon AWS account requires giving Amazon a phone number that can re ### Select an EC2 plan -The cheapest EC2 plan you can choose is the "Free Plan" a.k.a. the "AWS Free Tier." It is only available to new AWS customers, it has limits on usage, and is converts to standard pricing after 12 months (the "introductory period"). After you exceed the usage limits, after the 12 month period, or if you are an existing AWS customer, then you will pay standard pay-as-you-go service prices. +The cheapest EC2 plan you can choose is the "Free Plan" a.k.a. the "AWS Free Tier." It is only available to new AWS customers, it has limits on usage, and it converts to standard pricing after 12 months (the "introductory period"). After you exceed the usage limits, after the 12 month period, or if you are an existing AWS customer, then you will pay standard pay-as-you-go service prices. *Note*: Your Algo instance will not stop working when you hit the bandwidth limit, you will just start accumulating service charges on your AWS account. 
@@ -22,7 +22,7 @@ Here, you have the policy editor. Switch to the JSON tab and copy-paste over the ### Set up an AWS user -In the AWS console, find the users (“Identiy and Access Management”, a.k.a. IAM users) menu: click Services > IAM. +In the AWS console, find the users (“Identity and Access Management”, a.k.a. IAM users) menu: click Services > IAM. Activate multi-factor authentication (MFA) on your root account. The simplest choice is the mobile app "Google Authenticator." A hardware U2F token is ideal (less prone to a phishing attack), but a TOTP authenticator like this is good enough. From eb2224cde1ea7c739315af1824a9b373fa24be81 Mon Sep 17 00:00:00 2001 From: Jack Ivanov <17044561+jackivanov@users.noreply.github.com> Date: Fri, 21 Sep 2018 20:05:11 +0300 Subject: [PATCH 67/91] install generic linux headers (#1124) --- roles/common/defaults/main.yml | 2 ++ roles/common/tasks/ubuntu.yml | 11 ++++++++++- 2 files changed, 12 insertions(+), 1 deletion(-) create mode 100644 roles/common/defaults/main.yml diff --git a/roles/common/defaults/main.yml b/roles/common/defaults/main.yml new file mode 100644 index 00000000..f358d3e1 --- /dev/null +++ b/roles/common/defaults/main.yml @@ -0,0 +1,2 @@ +--- +install_headers: true diff --git a/roles/common/tasks/ubuntu.yml b/roles/common/tasks/ubuntu.yml index fee3af42..9c6e6a5b 100644 --- a/roles/common/tasks/ubuntu.yml +++ b/roles/common/tasks/ubuntu.yml @@ -108,7 +108,7 @@ - coreutils - iptables-persistent - cgroup-tools - - "openssl{% if install_headers|default(true)|bool %},linux-headers-{{ ansible_kernel }}{% endif %}" + - openssl sysctl: - item: net.ipv4.ip_forward value: 1 @@ -125,3 +125,12 @@ - "{{ tools|default([]) }}" tags: - always + +- name: Install headers + apt: + name: "{{ item }}" + state: present + when: install_headers + with_items: + - linux-headers-generic + - "linux-headers-{{ ansible_kernel }}" From aa318bff18834f348d7b90df245bc56f5568c06d Mon Sep 17 00:00:00 2001 
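Review bot: `when: install_headers` in the new "Install headers" task drops the `|default(true)|bool` coercion that the removed inline expression had, so a value supplied as a string (for example through extra vars) is no longer converted explicitly; `when: install_headers | bool` keeps the earlier behaviour. The same bare-variable form appears in the roles/cloud-gce/tasks/main.yml hunk later in this series (`when: cloud_providers.gce.external_static_ip`), which would also hit an undefined-variable error for a config.cfg written before that key existed; `when: cloud_providers.gce.external_static_ip | default(false) | bool` covers both cases. The `apt` task can also take the two package names as a list in `name:` instead of looping with `with_items`.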
From: Jack Ivanov <17044561+jackivanov@users.noreply.github.com> Date: Fri, 21 Sep 2018 20:08:00 +0300 Subject: [PATCH 68/91] Update PULL_REQUEST_TEMPLATE.md --- PULL_REQUEST_TEMPLATE.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/PULL_REQUEST_TEMPLATE.md b/PULL_REQUEST_TEMPLATE.md index 74118487..03a88d72 100644 --- a/PULL_REQUEST_TEMPLATE.md +++ b/PULL_REQUEST_TEMPLATE.md @@ -14,16 +14,16 @@ ## Types of changes -- [ ] Bug fix (non-breaking change which fixes an issue) -- [ ] New feature (non-breaking change which adds functionality) -- [ ] Breaking change (fix or feature that would cause existing functionality to not work as expected) +- [] Bug fix (non-breaking change which fixes an issue) +- [] New feature (non-breaking change which adds functionality) +- [] Breaking change (fix or feature that would cause existing functionality to not work as expected) ## Checklist: -- [ ] I have read the **CONTRIBUTING** document. -- [ ] My code follows the code style of this project. -- [ ] My change requires a change to the documentation. -- [ ] I have updated the documentation accordingly. -- [ ] I have added tests to cover my changes. -- [ ] All new and existing tests passed. +- [] I have read the **CONTRIBUTING** document. +- [] My code follows the code style of this project. +- [] My change requires a change to the documentation. +- [] I have updated the documentation accordingly. +- [] I have added tests to cover my changes. +- [] All new and existing tests passed. From 810358f1cc47eb11fbb506b7fd5d98b0904e4040 Mon Sep 17 00:00:00 2001 From: Gio d'Amelio Date: Fri, 21 Sep 2018 22:34:47 -0700 Subject: [PATCH 69/91] Update algo-showenv.sh to use `/usr/bin/env` in it's hashbang (#1126) Should allow better cross platform compatibility --- algo-showenv.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/algo-showenv.sh b/algo-showenv.sh index 6085c407..41a6ff06 100755 --- a/algo-showenv.sh +++ b/algo-showenv.sh 
@@ -1,4 +1,4 @@ -#!/bin/bash +#!/usr/bin/env bash # # Print information about Algo's invocation environment to aid in debugging. # This is normally called from Ansible right before a deployment gets underway. From 6c0753e3b89991e7ce0832bb297fd8d0eaf70c81 Mon Sep 17 00:00:00 2001 From: Jack Ivanov <17044561+jackivanov@users.noreply.github.com> Date: Thu, 27 Sep 2018 11:18:00 +0300 Subject: [PATCH 70/91] GCE: Static external ip (optional) (#1125) --- config.cfg | 9 +++++---- roles/cloud-gce/tasks/main.yml | 17 +++++++++++++++++ 2 files changed, 22 insertions(+), 4 deletions(-) diff --git a/config.cfg b/config.cfg index 0967d260..fe6bbfd1 100644 --- a/config.cfg +++ b/config.cfg @@ -83,7 +83,7 @@ congrats: p12_pass: | "# The p12 and SSH keys password for new users is {{ p12_export_password }} #" ca_key_pass: | - "# The CA key password is {{ CA_password }} #" + "# The CA key password is {{ CA_password }} #" ssh_access: | "# Shell access: ssh -i {{ ansible_ssh_private_key_file|default(omit) }} {{ ansible_ssh_user|default(omit) }}@{{ ansible_ssh_host|default(omit) }} #" @@ -101,9 +101,9 @@ cloud_providers: image: "ubuntu-18-04-x64" # Change the encrypted flag to "true" to enable AWS volume encryption, for encryption of data at rest. # Warning: the Algo script will take approximately 6 minutes longer to complete. - # Also note that the documented AWS minimum permissions aren't sufficient. - # You will have to edit the AWS user policy documented at - # https://github.com/trailofbits/algo/blob/master/docs/cloud-amazon-ec2.md to also allow "ec2:CopyImage". + # Also note that the documented AWS minimum permissions aren't sufficient. + # You will have to edit the AWS user policy documented at + # https://github.com/trailofbits/algo/blob/master/docs/cloud-amazon-ec2.md to also allow "ec2:CopyImage". # See https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-edit.html ec2: encrypted: false 
@@ -114,6 +114,7 @@ cloud_providers: gce: size: f1-micro image: ubuntu-1804 + external_static_ip: false lightsail: size: nano_1_0 image: ubuntu_16_04 diff --git a/roles/cloud-gce/tasks/main.yml b/roles/cloud-gce/tasks/main.yml index 8dad0a08..8af6ff87 100644 --- a/roles/cloud-gce/tasks/main.yml +++ b/roles/cloud-gce/tasks/main.yml @@ -14,10 +14,27 @@ credentials_file: "{{ credentials_file_path }}" project_id: "{{ project_id }}" + - block: + - name: External IP allocated + gce_eip: + service_account_email: "{{ service_account_email }}" + credentials_file: "{{ credentials_file_path }}" + project_id: "{{ project_id }}" + name: "{{ algo_server_name }}" + region: "{{ algo_region.split('-')[0:2] | join('-') }}" + state: present + register: gce_eip + + - name: Set External IP as a fact + set_fact: + external_ip: "{{ gce_eip.address }}" + when: cloud_providers.gce.external_static_ip + - name: "Creating a new instance..." gce: instance_names: "{{ algo_server_name }}" zone: "{{ algo_region }}" + external_ip: "{{ external_ip | default('ephemeral') }}" machine_type: "{{ cloud_providers.gce.size }}" image: "{{ cloud_providers.gce.image }}" service_account_email: "{{ service_account_email }}" From dbd68aa97d81e3286264344c112744554e2bd5b3 Mon Sep 17 00:00:00 2001 
From: Jack Ivanov <17044561+jackivanov@users.noreply.github.com> Date: Thu, 27 Sep 2018 11:18:12 +0300 Subject: [PATCH 71/91] WireGuard BSD (#1083) * WireGuard BSD * Remove unneeded config option * Enable PersistentKeepalive for NAT and Firewall Traversal Persistence * Install dnscrypt-proxy from repositories --- cloud.yml | 2 +- input.yml | 2 +- roles/common/tasks/facts.yml | 4 ++ .../dns_encryption/files/rc.dnscrypt-proxy.sh | 38 ------------- roles/dns_encryption/tasks/freebsd.yml | 55 +++---------------- .../templates/dnscrypt-proxy.toml.j2 | 2 +- roles/vpn/tasks/main.yml | 6 -- roles/wireguard/files/wireguard.sh | 40 ++++++++++++++ roles/wireguard/handlers/main.yml | 2 +- roles/wireguard/tasks/freebsd.yml | 16 ++++++ roles/wireguard/tasks/keys.yml | 6 +- roles/wireguard/tasks/main.yml | 42 ++++---------- roles/wireguard/tasks/ubuntu.yml | 32 +++++++++++ roles/wireguard/templates/client.conf.j2 | 1 + roles/wireguard/templates/server.conf.j2 | 1 - server.yml | 4 ++ 16 files changed, 123 insertions(+), 130 deletions(-) delete mode 100644 roles/dns_encryption/files/rc.dnscrypt-proxy.sh create mode 100644 roles/wireguard/files/wireguard.sh create mode 100644 roles/wireguard/tasks/freebsd.yml create mode 100644 roles/wireguard/tasks/ubuntu.yml diff --git a/cloud.yml b/cloud.yml index 3a4e299f..671c7765 100644 --- a/cloud.yml +++ b/cloud.yml @@ -1,7 +1,7 @@ --- - name: Provision the server hosts: localhost - tags: algo + tags: always vars_files: - config.cfg diff --git a/input.yml b/input.yml index aeb53192..18534518 100644 --- a/input.yml +++ b/input.yml @@ -1,7 +1,7 @@ --- - name: Ask user for the input hosts: localhost - tags: algo + tags: always vars: defaults: server_name: algo diff --git a/roles/common/tasks/facts.yml b/roles/common/tasks/facts.yml index 8182cf20..29ee3f55 100644 --- a/roles/common/tasks/facts.yml +++ b/roles/common/tasks/facts.yml 
@@ -23,4 +23,8 @@ - set_fact: CA_password: "{{ CA_password.stdout }}" IP_subject_alt_name: "{{ IP_subject_alt_name }}" + +- name: Set IPv6 support as a fact + set_fact: ipv6_support: "{% if ansible_default_ipv6['gateway'] is defined %}true{% else %}false{% endif %}" + tags: always diff --git a/roles/dns_encryption/files/rc.dnscrypt-proxy.sh b/roles/dns_encryption/files/rc.dnscrypt-proxy.sh deleted file mode 100644 index da35d896..00000000 --- a/roles/dns_encryption/files/rc.dnscrypt-proxy.sh +++ /dev/null @@ -1,38 +0,0 @@ -#!/bin/sh - -# PROVIDE: dnscrypt-proxy -# REQUIRE: LOGIN -# BEFORE: securelevel -# KEYWORD: shutdown - -# Add the following lines to /etc/rc.conf to enable `dnscrypt-proxy': -# -# dnscrypt_proxy_enable="YES" -# dnscrypt_proxy_flags="" -# -# See rsync(1) for rsyncd_flags -# - -. /etc/rc.subr - -name="dnscrypt-proxy" -rcvar=dnscrypt_proxy_enable -load_rc_config "$name" -pidfile="/var/run/$name.pid" -start_cmd=dnscrypt_proxy_start -stop_postcmd=dnscrypt_proxy_stop - -: ${dnscrypt_proxy_enable="NO"} -: ${dnscrypt_proxy_flags="-config /usr/local/etc/dnscrypt-proxy/dnscrypt-proxy.toml"} - -dnscrypt_proxy_start() { - echo "Starting dnscrypt-proxy..." - touch ${pidfile} - /usr/sbin/daemon -cS -T dnscrypt-proxy -p ${pidfile} /usr/dnscrypt-proxy/freebsd-amd64/dnscrypt-proxy ${dnscrypt_proxy_flags} -} - -dnscrypt_proxy_stop() { - [ -f ${pidfile} ] && rm ${pidfile} -} - -run_rc_command "$1" diff --git a/roles/dns_encryption/tasks/freebsd.yml b/roles/dns_encryption/tasks/freebsd.yml index 30e0186c..bdada6fe 100644 --- a/roles/dns_encryption/tasks/freebsd.yml +++ b/roles/dns_encryption/tasks/freebsd.yml 
@@ -1,51 +1,10 @@ --- -- name: FreeBSD | Ensure that the required directories exist - file: - path: "{{ item }}" - state: directory - with_items: - - "{{ config_prefix|default('/') }}etc/dnscrypt-proxy/" - - /usr/dnscrypt-proxy/ - -- name: Required tools installed +- name: Install dnscrypt-proxy package: - name: gtar + name: dnscrypt-proxy2 -- name: FreeBSD | Retrive the latest versions - uri: - url: https://api.github.com/repos/jedisct1/dnscrypt-proxy/releases/latest - register: dnscrypt_proxy_latest - ignore_errors: true - -- name: FreeBSD | Set default dnscrypt-proxy assets - set_fact: - dnscrypt_proxy_latest: - json: - assets: - - name: "dnscrypt-proxy-freebsd_amd64-{{ dnscrypt_proxy_version }}.tar.gz" - browser_download_url: "https://github.com/jedisct1/dnscrypt-proxy/releases/download/{{ dnscrypt_proxy_version }}/dnscrypt-proxy-freebsd_amd64-{{ dnscrypt_proxy_version }}.tar.gz" - when: dnscrypt_proxy_latest.failed - -- name: FreeBSD | Download the latest archive - get_url: - url: "{{ item['browser_download_url'] }}" - dest: "/tmp/dnscrypt-proxy-freebsd_amd64-{{ dnscrypt_proxy_version }}.tar.gz" - mode: '0755' - force: true - with_items: "{{ dnscrypt_proxy_latest['json']['assets'] }}" - no_log: true - when: '"freebsd_amd64" in item.name and not item.name.endswith("minisig")' - notify: restart dnscrypt-proxy - -- name: FreeBSD | Extract the latest archive - unarchive: - remote_src: true - src: /tmp/dnscrypt-proxy-freebsd_amd64-{{ dnscrypt_proxy_version }}.tar.gz - dest: /usr/dnscrypt-proxy - -- name: FreeBSD | Configure rc script - copy: - src: rc.dnscrypt-proxy.sh - dest: /usr/local/etc/rc.d/dnscrypt-proxy - mode: "0755" - notify: restart dnscrypt-proxy +- name: Enable mac_portacl + lineinfile: + path: /etc/rc.conf + line: 'dnscrypt_proxy_mac_portacl_enable="YES"' + when: listen_port|int == 53 diff --git a/roles/dns_encryption/templates/dnscrypt-proxy.toml.j2 b/roles/dns_encryption/templates/dnscrypt-proxy.toml.j2 index 18a8bebb..aba1919e 100644 
--- a/roles/dns_encryption/templates/dnscrypt-proxy.toml.j2 +++ b/roles/dns_encryption/templates/dnscrypt-proxy.toml.j2 @@ -151,7 +151,7 @@ tls_disable_session_tickets = true ## People in China may need to use 114.114.114.114:53 here. ## Other popular options include 8.8.8.8 and 1.1.1.1. -fallback_resolver = '127.0.0.53:53' +fallback_resolver = '{% if ansible_distribution == "FreeBSD" %}{{ ansible_dns.nameservers.0 }}:53{% else %}127.0.0.53:53{% endif %}' ## Never try to use the system DNS settings; unconditionally use the diff --git a/roles/vpn/tasks/main.yml b/roles/vpn/tasks/main.yml index de3a9f1d..2a7a90b2 100644 --- a/roles/vpn/tasks/main.yml +++ b/roles/vpn/tasks/main.yml @@ -1,11 +1,5 @@ --- - block: - - name: Include WireGuard role - include_role: - name: wireguard - tags: wireguard - when: wireguard_enabled and ansible_distribution == 'Ubuntu' - - name: Ensure that the strongswan group exist group: name=strongswan state=present diff --git a/roles/wireguard/files/wireguard.sh b/roles/wireguard/files/wireguard.sh new file mode 100644 index 00000000..efcde0e3 --- /dev/null +++ b/roles/wireguard/files/wireguard.sh @@ -0,0 +1,40 @@ +#!/bin/sh + +# PROVIDE: wireguard +# REQUIRE: LOGIN +# BEFORE: securelevel +# KEYWORD: shutdown + +. /etc/rc.subr + +name="wg" +rcvar=wg_enable + +command="/usr/local/bin/wg-quick" +start_cmd=wg_up +stop_cmd=wg_down +status_cmd=wg_status +pidfile="/var/run/$name.pid" +load_rc_config "$name" + +: ${wg_enable="NO"} +: ${wg_interface="wg0"} + +wg_up() { + echo "Starting WireGuard..." + /usr/sbin/daemon -cS -p ${pidfile} ${command} up ${wg_interface} +} + +wg_down() { + echo "Stopping WireGuard..." + ${command} down ${wg_interface} +} + +wg_status () { + not_running () { + echo "WireGuard is not running on $wg_interface" && exit 1 + } + /usr/local/bin/wg show wg0 && echo "WireGuard is running on $wg_interface" || not_running +} + +run_rc_command "$1" 
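Review bot: On FreeBSD the new `fallback_resolver` value is built as `{{ ansible_dns.nameservers.0 }}:53`, which produces an invalid host:port when the first nameserver is an IPv6 address (that needs `[addr]:53`) and fails to render when the host reports no nameservers. It also makes the bootstrap resolver whatever plaintext resolver the host was handed at provisioning, which deserves a one-line comment above the setting because the rest of this file is about encrypted DNS. Selecting an IPv4 entry explicitly, e.g. `{{ ansible_dns.nameservers | ipv4 | first }}:53` (the `ipv4` filter needs netaddr on the control host), or exposing the fallback as a config.cfg option would avoid the formatting problem.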
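Review bot: `wg_status` in the new roles/wireguard/files/wireguard.sh queries a hard-coded interface, `/usr/local/bin/wg show wg0`, while its messages and `wg_up`/`wg_down` use `${wg_interface}`, so the reported status is wrong whenever `wg_interface` is overridden in rc.conf. The line should read `/usr/local/bin/wg show "${wg_interface}" && echo "WireGuard is running on $wg_interface" || not_running`, and the unquoted `${pidfile}` and `${wg_interface}` expansions in `wg_up` and `wg_down` should be quoted as well. The `a && b || not_running` chain also runs `not_running` if the `echo` itself fails; an `if`/`else` states the intent more clearly. `wg-quick up` presumably returns once the interface is configured, so the pidfile written by `daemon -p` may not track a long-lived process, which is worth confirming on a FreeBSD host.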
diff --git a/roles/wireguard/handlers/main.yml b/roles/wireguard/handlers/main.yml index 1063f5e6..d13ee31c 100644 --- a/roles/wireguard/handlers/main.yml +++ b/roles/wireguard/handlers/main.yml @@ -1,5 +1,5 @@ --- - name: restart wireguard service: - name: "wg-quick@{{ wireguard_interface }}" + name: "{{ service_name }}" state: restarted diff --git a/roles/wireguard/tasks/freebsd.yml b/roles/wireguard/tasks/freebsd.yml new file mode 100644 index 00000000..63e7b48c --- /dev/null +++ b/roles/wireguard/tasks/freebsd.yml @@ -0,0 +1,16 @@ +--- +- name: BSD | WireGuard installed + package: + name: wireguard + state: present + +- set_fact: + service_name: wireguard + tags: always + +- name: BSD | Configure rc script + copy: + src: wireguard.sh + dest: /usr/local/etc/rc.d/wireguard + mode: "0755" + notify: restart wireguard diff --git a/roles/wireguard/tasks/keys.yml b/roles/wireguard/tasks/keys.yml index b38ab1fb..33434081 100644 --- a/roles/wireguard/tasks/keys.yml +++ b/roles/wireguard/tasks/keys.yml @@ -1,7 +1,7 @@ --- - name: Delete the lock files file: - dest: "/etc/wireguard/private_{{ item }}.lock" + dest: "{{ config_prefix|default('/') }}etc/wireguard/private_{{ item }}.lock" state: absent when: keys_clean_all|bool == True with_items: @@ -12,7 +12,7 @@ command: wg genkey register: wg_genkey args: - creates: "/etc/wireguard/private_{{ item }}.lock" + creates: "{{ config_prefix|default('/') }}etc/wireguard/private_{{ item }}.lock" with_items: - "{{ users }}" - "{{ IP_subject_alt_name }}" @@ -31,7 +31,7 @@ - name: Touch the lock file file: - dest: "/etc/wireguard/private_{{ item }}.lock" + dest: "{{ config_prefix|default('/') }}etc/wireguard/private_{{ item }}.lock" state: touch with_items: - "{{ users }}" diff --git a/roles/wireguard/tasks/main.yml b/roles/wireguard/tasks/main.yml index 232d080c..3621754c 100644 --- a/roles/wireguard/tasks/main.yml +++ b/roles/wireguard/tasks/main.yml 
@@ -1,27 +1,4 @@ --- -- name: WireGuard repository configured - apt_repository: - repo: ppa:wireguard/wireguard - state: present - register: result - until: result is succeeded - retries: 10 - delay: 3 - -- name: WireGuard installed - apt: - name: wireguard - state: present - update_cache: true - -- name: Configure unattended-upgrades - copy: - src: 50-wireguard-unattended-upgrades - dest: /etc/apt/apt.conf.d/50-wireguard-unattended-upgrades - owner: root - group: root - mode: 0644 - - name: Ensure the required directories exist file: dest: "{{ wireguard_config_path }}/{{ item }}" @@ -33,6 +10,16 @@ delegate_to: localhost become: false +- name: Include tasks for Ubuntu + include_tasks: ubuntu.yml + when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu' + tags: always + +- name: Include tasks for FreeBSD + include_tasks: freebsd.yml + when: ansible_distribution == 'FreeBSD' + tags: always + - name: Generate keys import_tasks: keys.yml tags: update-users @@ -40,16 +27,11 @@ - name: WireGuard configured template: src: server.conf.j2 - dest: "/etc/wireguard/{{ wireguard_interface }}.conf" + dest: "{{ config_prefix|default('/') }}etc/wireguard/{{ wireguard_interface }}.conf" mode: "0600" notify: restart wireguard tags: update-users -- name: WireGuard reload-module-on-update - file: - dest: /etc/wireguard/.reload-module-on-update - state: touch - - name: WireGuard users config generated template: src: client.conf.j2 @@ -62,7 +44,7 @@ - name: WireGuard enabled and started service: - name: "wg-quick@{{ wireguard_interface }}" + name: "{{ service_name }}" state: started enabled: true diff --git a/roles/wireguard/tasks/ubuntu.yml b/roles/wireguard/tasks/ubuntu.yml new file mode 100644 index 00000000..c75b8a7b --- /dev/null +++ b/roles/wireguard/tasks/ubuntu.yml 
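Review bot: "Include tasks for Ubuntu" also matches `ansible_distribution == 'Debian'`, but ubuntu.yml, added in the same commit, configures `ppa:wireguard/wireguard`; a Launchpad PPA would presumably not resolve for a Debian codename, so the first task there is likely to fail on Debian hosts. Either restrict the condition to Ubuntu or give Debian its own repository task. `service_name` is now set only inside the two included files, so on any other distribution the "WireGuard enabled and started" task and the `restart wireguard` handler run into an undefined variable. A `fail` task with a clear "unsupported distribution" message ahead of the includes would be easier to diagnose than that error.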
@@ -0,0 +1,32 @@ +--- +- name: WireGuard repository configured + apt_repository: + repo: ppa:wireguard/wireguard + state: present + register: result + until: result is succeeded + retries: 10 + delay: 3 + +- name: WireGuard installed + apt: + name: wireguard + state: present + update_cache: true + +- name: WireGuard reload-module-on-update + file: + dest: /etc/wireguard/.reload-module-on-update + state: touch + +- name: Configure unattended-upgrades + copy: + src: 50-wireguard-unattended-upgrades + dest: /etc/apt/apt.conf.d/50-wireguard-unattended-upgrades + owner: root + group: root + mode: 0644 + +- set_fact: + service_name: "wg-quick@{{ wireguard_interface }}" + tags: always diff --git a/roles/wireguard/templates/client.conf.j2 b/roles/wireguard/templates/client.conf.j2 index f75f0f43..6432e0ad 100644 --- a/roles/wireguard/templates/client.conf.j2 +++ b/roles/wireguard/templates/client.conf.j2 @@ -9,3 +9,4 @@ DNS = {{ wireguard_dns_servers }} PublicKey = {{ lookup('file', wireguard_config_path + '/public/' + IP_subject_alt_name) }} AllowedIPs = 0.0.0.0/0, ::/0 Endpoint = {{ IP_subject_alt_name }}:{{ wireguard_port }} +PersistentKeepalive = 25 diff --git a/roles/wireguard/templates/server.conf.j2 b/roles/wireguard/templates/server.conf.j2 index d9468de4..adda0bed 100644 --- a/roles/wireguard/templates/server.conf.j2 +++ b/roles/wireguard/templates/server.conf.j2 @@ -5,7 +5,6 @@ Address = {{ wireguard_network_ipv4['gateway'] }}/{{ wireguard_network_ipv4['pre ListenPort = {{ wireguard_port }} PrivateKey = {{ lookup('file', wireguard_config_path + '/private/' + IP_subject_alt_name) }} SaveConfig = false -Table = off {% for u in users %} diff --git a/server.yml b/server.yml index e7e4ad2a..4f8ad7cd 100644 --- a/server.yml +++ b/server.yml @@ -9,6 +9,7 @@ roles: - role: common + tags: common - role: dns_encryption when: dns_encryption tags: dns_encryption 
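Review bot: In the `Configure unattended-upgrades` task of the new `ubuntu.yml`, `mode: 0644` is an unquoted number, while the other file tasks touched by this commit quote theirs (`mode: "0755"` in `freebsd.yml`, `mode: "0600"` in `main.yml`). An unquoted mode relies on the YAML parser reading the leading zero as octal; `mode: "0644"` states the permission unambiguously and matches the rest of the role.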
@@ -18,6 +19,9 @@ - role: ssh_tunneling when: algo_ssh_tunneling tags: ssh_tunneling + - role: wireguard + when: wireguard_enabled + tags: wireguard - role: vpn tags: vpn From 144258668271b7088f9242793f569b639a55d882 Mon Sep 17 00:00:00 2001 From: Jack Ivanov <17044561+jackivanov@users.noreply.github.com> Date: Sun, 30 Sep 2018 05:25:02 +0300 Subject: [PATCH 72/91] WireGuard: Generate QR codes (#1129) * WireGuard: Generate QR codes * Update client-android.md --- docs/client-android.md | 3 +-- requirements.txt | 1 + roles/wireguard/tasks/main.yml | 14 ++++++++++++++ 3 files changed, 16 insertions(+), 2 deletions(-) diff --git a/docs/client-android.md b/docs/client-android.md index 1e98f6d7..553b5071 100644 --- a/docs/client-android.md +++ b/docs/client-android.md @@ -3,5 +3,4 @@ ## Installation via profiles 1. [Install the WireGuard VPN Client](https://play.google.com/store/apps/details?id=com.wireguard.android). -2. Copy `wireguard/{username}.conf` to your phone's internal storage. -3. Open the WireGuard app and add a connection using your AlgoVPN configuration file. +2. Open QR code `configs//wireguard/.png` and scan it in the WireGuard app diff --git a/requirements.txt b/requirements.txt index f2580658..4d40c39b 100644 --- a/requirements.txt +++ b/requirements.txt @@ -10,3 +10,4 @@ pyopenssl jinja2==2.8 shade pycrypto +segno diff --git a/roles/wireguard/tasks/main.yml b/roles/wireguard/tasks/main.yml index 3621754c..dacedb56 100644 --- a/roles/wireguard/tasks/main.yml +++ b/roles/wireguard/tasks/main.yml @@ -42,6 +42,20 @@ delegate_to: localhost become: false +- name: Generate QR codes + shell: > + umask 077; + which segno && + segno --scale=5 --output={{ item.1 }}.png \ + "{{ lookup('template', 'client.conf.j2') }}" || true + changed_when: false + with_indexed_items: "{{ users }}" + delegate_to: localhost + become: false + args: + chdir: "{{ wireguard_config_path }}" + executable: bash + - name: WireGuard enabled and started service: name: "{{ service_name }}" 
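Review bot: The `Generate QR codes` task renders `client.conf.j2`, which contains the user's `PrivateKey`, straight into the `segno` command line, so the key is visible in the control machine's process list while the command runs and in Ansible's task output. The trailing `|| true` also hides any failure. The rendered config and the user name are interpolated into a bash string without escaping, so a `$`, backtick or quote in either would be interpreted by the shell. At minimum add `no_log: true` to the task and pass both values through the `quote` filter: `--output={{ item.1 | quote }}.png` and `{{ lookup('template', 'client.conf.j2') | quote }}` in place of the double-quoted form.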
From d7dcaeb575e9f0c5bd852b8fe2e378e7bdff4db2 Mon Sep 17 00:00:00 2001 From: Jack Ivanov <17044561+jackivanov@users.noreply.github.com> Date: Thu, 4 Oct 2018 14:36:54 +0300 Subject: [PATCH 73/91] Update troubleshooting.md Fixes #1118 --- docs/troubleshooting.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/troubleshooting.md b/docs/troubleshooting.md index 53bacb11..90c14a5e 100644 --- a/docs/troubleshooting.md +++ b/docs/troubleshooting.md @@ -1,5 +1,7 @@ # Troubleshooting +First of all, check [this](https://github.com/trailofbits/algo#features) and ensure that you are deploying to the supported ubuntu version. + * [Installation Problems](#installation-problems) * [Error: "You have not agreed to the Xcode license agreements"](#error-you-have-not-agreed-to-the-xcode-license-agreements) * [Error: checking whether the C compiler works... no](#error-checking-whether-the-c-compiler-works-no) From d90ba3d11a18bd0edfd5fc2c678420e234f55330 Mon Sep 17 00:00:00 2001 From: David Myers Date: Thu, 4 Oct 2018 18:12:48 -0400 Subject: [PATCH 74/91] Allow more flexible DNSCrypt configuration (#1120) * Allow more flexible DNSCrypt configuration * Correct permissions on files changed in #1120 I'm not sure why using BBEdit over SMB makes every file executable. * Put the public resolvers cache file in /tmp. --- config.cfg | 20 +++++++++++++++---- roles/dns_encryption/defaults/main.yml | 6 +++++- .../templates/dnscrypt-proxy.toml.j2 | 8 ++++++-- 3 files changed, 27 insertions(+), 7 deletions(-) diff --git a/config.cfg b/config.cfg index fe6bbfd1..f1721e5e 100644 --- a/config.cfg +++ b/config.cfg 
@@ -38,13 +38,25 @@ adblock_lists: - "https://www.malwaredomainlist.com/hostslist/hosts.txt" - "https://hosts-file.net/ad_servers.txt" -# Enable DNS encryption. Use dns_encryption_provider to specify the provider. If false dns_servers should be specified +# Enable DNS encryption. +# If 'false', 'dns_servers' should be specified below. dns_encryption: true -# Possible values: google, cloudflare -dns_encryption_provider: cloudflare +# DNS servers which will be used if 'dns_encryption' is 'true'. Multiple +# providers may be specified, but avoid mixing providers that filter results +# (like Cisco) with those that don't (like Cloudflare) or you could get +# inconsistent results. The list of available public providers can be found +# here: +# https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v2/public-resolvers.md +dnscrypt_servers: + ipv4: + - cloudflare +# - google + ipv6: + - cloudflare-ipv6 -# DNS servers which will be used if dns_encryption disabled +# DNS servers which will be used if 'dns_encryption' is 'false'. +# The default is to use Cloudflare. dns_servers: ipv4: - 1.1.1.1 diff --git a/roles/dns_encryption/defaults/main.yml b/roles/dns_encryption/defaults/main.yml index 5997f58a..1869e6a2 100644 --- a/roles/dns_encryption/defaults/main.yml +++ b/roles/dns_encryption/defaults/main.yml @@ -5,5 +5,9 @@ listen_port: "{% if algo_local_dns %}5353{% else %}53{% endif %}" dnscrypt_proxy_version: 2.0.10 apparmor_enabled: true dns_encryption: true -dns_encryption_provider: "*" ipv6_support: false +dnscrypt_servers: + ipv4: + - cloudflare + ipv6: + - cloudflare-ipv6 diff --git a/roles/dns_encryption/templates/dnscrypt-proxy.toml.j2 b/roles/dns_encryption/templates/dnscrypt-proxy.toml.j2 index aba1919e..d954ff8b 100644 --- a/roles/dns_encryption/templates/dnscrypt-proxy.toml.j2 +++ b/roles/dns_encryption/templates/dnscrypt-proxy.toml.j2 
@@ -27,7 +27,11 @@ ## The proxy will automatically pick the fastest, working servers from the list. ## Remove the leading # first to enable this; lines starting with # are ignored. -server_names = ['{{ dns_encryption_provider }}'{% if ipv6_support and dns_encryption_provider == "cloudflare" %}, '{{ dns_encryption_provider }}-ipv6' {% endif %} ] +{# Allow either list to be empty. Output nothing if both are empty. #} +{% set servers = [] %} +{% if dnscrypt_servers.ipv4 %}{% set servers = dnscrypt_servers.ipv4 %}{% endif %} +{% if ipv6_support and dnscrypt_servers.ipv6 %}{% set servers = servers + dnscrypt_servers.ipv6 %}{% endif %} +{% if servers %}server_names = ['{{ servers | join("', '") }}']{% endif %} ## List of local addresses and ports to listen to. Can be IPv4 and/or IPv6. @@ -446,7 +450,7 @@ cache_neg_max_ttl = 600 [sources.'public-resolvers'] urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md'] - cache_file = 'public-resolvers.md' + cache_file = '/tmp/public-resolvers.md' minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3' refresh_delay = 72 prefix = '' From cd3fbe5e47f8798f8a3acac675342bbf4acc2f6b Mon Sep 17 00:00:00 2001 From: David Myers Date: Fri, 5 Oct 2018 10:29:09 -0400 Subject: [PATCH 75/91] Add WireGuard port to FAQ (#1141) --- docs/faq.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/faq.md b/docs/faq.md index 00b44f83..db11965d 100644 --- a/docs/faq.md +++ b/docs/faq.md @@ -74,4 +74,4 @@ No. ## What inbound ports are used? -You should only need 22/TCP, 500/UDP, and 4500/UDP. +You should only need 22/TCP, 500/UDP, 4500/UDP, and 51820/UDP opened on any firewall that sits between your clients and your Algo server. From bcba9055474ea99ead92786729266f1b3d186e19 Mon Sep 17 00:00:00 2001 
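Review bot: When `dnscrypt_servers.ipv4` is empty and the IPv6 list is empty or `ipv6_support` is off, the new template emits no `server_names` line at all. As I read the comment directly above it, the proxy then picks servers automatically from the whole resolver list, which would send DNS queries to providers the operator never selected. Consider failing the play with an `assert` that the combined list is not empty, or at least state the fallback in the Jinja comment instead of "Output nothing if both are empty".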
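Review bot: `cache_file = '/tmp/public-resolvers.md'` puts the daemon's resolver-list cache at a fixed name in a world-writable directory, where any local account can pre-create the file or place a symlink at that path before the proxy writes it. The list is signature-checked against `minisign_key`, so the exposure is presumably file clobbering and loss of the cache rather than a tampered list. A directory owned by the proxy's service user is the safer home, e.g. `cache_file = '<SERVICE_OWNED_CACHE_DIR>/public-resolvers.md'` (placeholder path), with that directory created by the role.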
From: Jack Ivanov <17044561+jackivanov@users.noreply.github.com> Date: Mon, 8 Oct 2018 03:33:55 +0300 Subject: [PATCH 76/91] ssh tunneling fixes (#1127) --- roles/ssh_tunneling/tasks/main.yml | 41 +++++++++----------------- roles/vpn/defaults/main.yml | 1 + roles/vpn/tasks/main.yml | 10 +++---- roles/vpn/tasks/openssl.yml | 27 +++++++++++++++-- roles/vpn/templates/strongswan.conf.j2 | 2 +- server.yml | 6 ++-- users.yml | 4 +-- 7 files changed, 50 insertions(+), 41 deletions(-) diff --git a/roles/ssh_tunneling/tasks/main.yml b/roles/ssh_tunneling/tasks/main.yml index 860a329d..259464b4 100644 --- a/roles/ssh_tunneling/tasks/main.yml +++ b/roles/ssh_tunneling/tasks/main.yml @@ -31,25 +31,20 @@ groups: algo home: '/var/jail/{{ item }}' createhome: yes - generate_ssh_key: yes + generate_ssh_key: false shell: /bin/false - ssh_key_type: ecdsa - ssh_key_bits: 256 - ssh_key_comment: '{{ item }}@{{ IP_subject_alt_name }}' - ssh_key_passphrase: "{{ p12_export_password }}" - update_password: on_create state: present append: yes with_items: "{{ users }}" tags: update-users - name: The authorized keys file created - file: - src: '/var/jail/{{ item }}/.ssh/id_ecdsa.pub' - dest: '/var/jail/{{ item }}/.ssh/authorized_keys' - owner: "{{ item }}" - group: "{{ item }}" - state: link + authorized_key: + user: "{{ item }}" + key: "{{ lookup('file', 'configs/' + IP_subject_alt_name + '/pki/public/' + item + '.pub') }}" + state: present + manage_dir: true + exclusive: true with_items: "{{ users }}" tags: update-users @@ -57,15 +52,6 @@ shell: ssh-keyscan {{ IP_subject_alt_name }} 2>/dev/null register: ssh_fingerprints - - name: Fetch users SSH private keys - fetch: - src: '/var/jail/{{ item }}/.ssh/id_ecdsa' - dest: configs/{{ IP_subject_alt_name }}/{{ item }}.ssh.pem - flat: yes - mode: "0600" - with_items: "{{ users }}" - tags: update-users - - name: Fetch the known_hosts file local_action: module: template 
@@ -83,20 +69,21 @@ tags: update-users with_items: "{{ users }}" - - name: SSH | Get active system users - shell: > - getent group algo | cut -f4 -d: | sed "s/,/\n/g" - register: valid_users + - name: Get active users + getent: + database: group + key: algo + split: ':' tags: update-users - - name: SSH | Delete non-existing users + - name: Delete non-existing users user: name: "{{ item }}" state: absent remove: yes force: yes when: item not in users - with_items: "{{ valid_users.stdout_lines | default('null') }}" + with_items: "{{ getent_group['algo'][2].split(',') }}" tags: update-users rescue: - debug: var=fail_hint diff --git a/roles/vpn/defaults/main.yml b/roles/vpn/defaults/main.yml index 51b06bf8..a7e3ea0f 100644 --- a/roles/vpn/defaults/main.yml +++ b/roles/vpn/defaults/main.yml @@ -34,6 +34,7 @@ ipv6_support: false dns_encryption: true domain: false subjectAltName_IP: "IP:{{ IP_subject_alt_name }}" +subjectAltName_USER: "{% if '@' in item %}email:{{ item }}{% else %}DNS:{{ item }}{% endif %}" openssl_bin: openssl strongswan_enabled_plugins: - aes diff --git a/roles/vpn/tasks/main.yml b/roles/vpn/tasks/main.yml index 2a7a90b2..27be701a 100644 --- a/roles/vpn/tasks/main.yml +++ b/roles/vpn/tasks/main.yml @@ -1,10 +1,10 @@ --- - block: - - name: Ensure that the strongswan group exist - group: name=strongswan state=present - - - name: Ensure that the strongswan user exist - user: name=strongswan group=strongswan state=present + - name: Include WireGuard role + include_role: + name: wireguard + tags: wireguard + when: wireguard_enabled and ansible_distribution == 'Ubuntu' - include_tasks: ubuntu.yml when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu' diff --git a/roles/vpn/tasks/openssl.yml b/roles/vpn/tasks/openssl.yml index acd966c6..a8175977 100644 --- a/roles/vpn/tasks/openssl.yml +++ b/roles/vpn/tasks/openssl.yml 
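Review bot: In `Delete non-existing users` the loop is now `getent_group['algo'][2].split(',')`, which yields a single empty string when the `algo` group has no members, and the removed `default('null')` guard has no replacement. `item not in users` is true for `''`, so the `user` module would be called with an empty name and the block would fall into `rescue`. Filtering blanks keeps the task safe: `when: item | length > 0 and item not in users`. Because this task deletes every group member not listed in `users` with `remove: yes` and `force: yes`, a comment warning that no other account may be added to the `algo` group would also be worth adding.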
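Review bot: The `Include WireGuard role` task added at the top of the block in `roles/vpn/tasks/main.yml` appears to run the role a second time, because `server.yml` in this same commit still lists `role: wireguard` before `role: vpn`. Its condition requires `ansible_distribution == 'Ubuntu'`, whereas the role itself carries Debian and FreeBSD task files, so the two entry points disagree about where WireGuard is deployed. The hunk also drops the tasks that created the `strongswan` group and user while `strongswan.conf.j2` keeps `user = strongswan`; if the account is expected to come from the package, a comment saying so would prevent a later regression.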
@@ -16,12 +16,14 @@ dest: "configs/{{ IP_subject_alt_name }}/pki/{{ item }}" state: directory recurse: yes + mode: '0700' with_items: - ecparams - certs - crl - newcerts - private + - public - reqs - name: Ensure the files exist @@ -42,6 +44,7 @@ - name: Build the CA pair shell: > + umask 077; {{ openssl_bin }} ecparam -name secp384r1 -out ecparams/secp384r1.pem && {{ openssl_bin }} req -utf8 -new -newkey ec:ecparams/secp384r1.pem @@ -70,6 +73,7 @@ - name: Build the server pair shell: > + umask 077; {{ openssl_bin }} req -utf8 -new -newkey ec:ecparams/secp384r1.pem -config <(cat openssl.cnf <(printf "[basic_exts]\nsubjectAltName={{ subjectAltName }}")) @@ -92,9 +96,10 @@ - name: Build the client's pair shell: > + umask 077; {{ openssl_bin }} req -utf8 -new -newkey ec:ecparams/secp384r1.pem - -config <(cat openssl.cnf <(printf "[basic_exts]\nsubjectAltName=DNS:{{ item }}")) + -config <(cat openssl.cnf <(printf "[basic_exts]\nsubjectAltName={{ subjectAltName_USER }}")) -keyout private/{{ item }}.key -out reqs/{{ item }}.req -nodes -passin pass:"{{ CA_password }}" @@ -102,7 +107,7 @@ {{ openssl_bin }} ca -utf8 -in reqs/{{ item }}.req -out certs/{{ item }}.crt - -config <(cat openssl.cnf <(printf "[basic_exts]\nsubjectAltName=DNS:{{ item }}")) + -config <(cat openssl.cnf <(printf "[basic_exts]\nsubjectAltName={{ subjectAltName_USER }}")) -days 3650 -batch -passin pass:"{{ CA_password }}" -subj "/CN={{ item }}" && 
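Review bot: In `Build the client's pair` the value of `subjectAltName_USER`, which is built from the user name, is expanded inside the format string of `printf "[basic_exts]\nsubjectAltName=..."` in a bash task. A `%`, backslash, quote or `$(` in a user name is then interpreted by printf or the shell instead of being written literally. Keep the format constant and pass the value as a quoted argument: `printf '[basic_exts]\nsubjectAltName=%s' {{ subjectAltName_USER | quote }}`. The same construct appears in the `ca` call of the following hunk and in `Revoke non-existing users` (`@@ -149,7 +170,7 @@`); the task bodies start and end outside these hunks.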
@@ -113,8 +118,24 @@ executable: bash with_items: "{{ users }}" + - name: Create links for the private keys + file: + src: "pki/private/{{ item }}.key" + dest: "configs/{{ IP_subject_alt_name }}/{{ item }}.ssh.pem" + state: link + force: true + with_items: "{{ users }}" + + - name: Build openssh public keys + openssl_publickey: + path: "configs/{{ IP_subject_alt_name }}/pki/public/{{ item }}.pub" + privatekey_path: "configs/{{ IP_subject_alt_name }}/pki/private/{{ item }}.key" + format: OpenSSH + with_items: "{{ users }}" + - name: Build the client's p12 shell: > + umask 077; {{ openssl_bin }} pkcs12 -in certs/{{ item }}.crt -inkey private/{{ item }}.key @@ -149,7 +170,7 @@ - name: Revoke non-existing users shell: > {{ openssl_bin }} ca -gencrl - -config <(cat openssl.cnf <(printf "[basic_exts]\nsubjectAltName=DNS:{{ item }}")) + -config <(cat openssl.cnf <(printf "[basic_exts]\nsubjectAltName={{ subjectAltName_USER }}")) -passin pass:"{{ CA_password }}" -revoke certs/{{ item }}.crt -out crl/{{ item }}.crt diff --git a/roles/vpn/templates/strongswan.conf.j2 b/roles/vpn/templates/strongswan.conf.j2 index b658ac08..7fcf9ef4 100644 --- a/roles/vpn/templates/strongswan.conf.j2 +++ b/roles/vpn/templates/strongswan.conf.j2 @@ -10,7 +10,7 @@ charon { include strongswan.d/charon/*.conf } user = strongswan - group = strongswan + group = nogroup {% if ansible_distribution == 'FreeBSD' %} filelog { /var/log/charon.log { diff --git a/server.yml b/server.yml index 4f8ad7cd..b6e8340b 100644 --- a/server.yml +++ b/server.yml @@ -16,14 +16,14 @@ - role: dns_adblocking when: algo_local_dns tags: dns_adblocking - - role: ssh_tunneling - when: algo_ssh_tunneling - tags: ssh_tunneling - role: wireguard when: wireguard_enabled tags: wireguard - role: vpn tags: vpn + - role: ssh_tunneling + when: algo_ssh_tunneling + tags: ssh_tunneling post_tasks: - block: diff --git a/users.yml b/users.yml index 36f162f5..bb934946 100644 --- a/users.yml +++ b/users.yml 
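Review bot: `Create links for the private keys` and `Build openssh public keys` make each user's SSH tunnel key the same EC key as their VPN client certificate key. That key is written by `openssl req ... -nodes`, i.e. without a passphrase, whereas the `ssh_key_passphrase` removed from `roles/ssh_tunneling` protected the old SSH key. One leaked `.ssh.pem` therefore exposes both the SSH account and the IKEv2 identity, and the key at rest is protected only by file permissions. If sharing the key is intended, say so in a comment on the task and in the user docs; otherwise generate a separate SSH key. `{{ item }}.ssh.pem` is also a relative symlink into `pki/private/`, so copying only the link to a client yields a dangling file.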
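Review bot: `group = nogroup` in `strongswan.conf.j2` makes charon drop to a group that is typically shared with other unprivileged services, so anything it creates as group-readable becomes readable by them too; the dedicated `strongswan` group it replaces kept that separation. If the change is needed because the `strongswan` group is no longer created (the tasks doing so are removed in `roles/vpn/tasks/main.yml`), a template comment explaining it would help. Keeping a dedicated group created by the role would be the tighter option.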
@@ -60,13 +60,13 @@ roles: - role: common - - role: ssh_tunneling - when: algo_ssh_tunneling - role: wireguard tags: [ 'vpn', 'wireguard' ] when: wireguard_enabled - role: vpn tags: vpn + - role: ssh_tunneling + when: algo_ssh_tunneling post_tasks: - block: From efc8dc7620bc8692c8bd27f3b79fa8cd18d1bdaf Mon Sep 17 00:00:00 2001 From: Jack Ivanov <17044561+jackivanov@users.noreply.github.com> Date: Sun, 14 Oct 2018 10:22:45 +0300 Subject: [PATCH 77/91] add tags for the wireguard qr code task. variables fix (#1147) --- roles/vpn/tasks/openssl.yml | 2 ++ roles/wireguard/tasks/main.yml | 3 +++ 2 files changed, 5 insertions(+) diff --git a/roles/vpn/tasks/openssl.yml b/roles/vpn/tasks/openssl.yml index a8175977..3a286be7 100644 --- a/roles/vpn/tasks/openssl.yml +++ b/roles/vpn/tasks/openssl.yml @@ -196,6 +196,8 @@ executable: bash delegate_to: localhost become: no + vars: + ansible_python_interpreter: "{{ ansible_playbook_python }}" - name: Copy the CRL to the vpn server copy: diff --git a/roles/wireguard/tasks/main.yml b/roles/wireguard/tasks/main.yml index dacedb56..f52183d0 100644 --- a/roles/wireguard/tasks/main.yml +++ b/roles/wireguard/tasks/main.yml @@ -52,6 +52,9 @@ with_indexed_items: "{{ users }}" delegate_to: localhost become: false + tags: update-users + vars: + ansible_python_interpreter: "{{ ansible_playbook_python }}" args: chdir: "{{ wireguard_config_path }}" executable: bash From fbc7b29456dcc13e7d7e1c5323f72b9652ad3abb Mon Sep 17 00:00:00 2001 From: Jack Ivanov <17044561+jackivanov@users.noreply.github.com> Date: Mon, 22 Oct 2018 23:49:09 +0300 Subject: [PATCH 78/91] WireGuard update-users fix (#1154) --- roles/wireguard/defaults/main.yml | 3 +++ roles/wireguard/tasks/main.yml | 13 ++++++++++++- roles/wireguard/templates/client.conf.j2 | 4 +--- roles/wireguard/templates/server.conf.j2 | 9 +++------ 4 files changed, 19 insertions(+), 10 deletions(-) create mode 100644 roles/wireguard/defaults/main.yml 
diff --git a/roles/wireguard/defaults/main.yml b/roles/wireguard/defaults/main.yml new file mode 100644 index 00000000..51ef2279 --- /dev/null +++ b/roles/wireguard/defaults/main.yml @@ -0,0 +1,3 @@ +--- +wireguard_client_ip: "{{ wireguard_network_ipv4['clients_range'] }}.{{ wireguard_network_ipv4['clients_start'] + item.0 + 1 }}/32{% if ipv6_support %},{{ wireguard_network_ipv6['clients_range'] }}{{ wireguard_network_ipv6['clients_start'] + item.0 + 1 }}/{{ wireguard_network_ipv6['prefix'] }}{% endif %}" +wireguard_server_ip: "{{ wireguard_network_ipv4['gateway'] }}/{{ wireguard_network_ipv4['prefix'] }}{% if ipv6_support %},{{ wireguard_network_ipv6['gateway'] }}/{{ wireguard_network_ipv6['prefix'] }}{% endif %}" diff --git a/roles/wireguard/tasks/main.yml b/roles/wireguard/tasks/main.yml index f52183d0..369f88c7 100644 --- a/roles/wireguard/tasks/main.yml +++ b/roles/wireguard/tasks/main.yml @@ -7,6 +7,7 @@ with_items: - private - public + - ip delegate_to: localhost become: false @@ -24,6 +25,16 @@ import_tasks: keys.yml tags: update-users +- name: Dump IP addresses + copy: + dest: "{{ wireguard_config_path }}/ip/{{ item.1 }}" + content: "{{ wireguard_client_ip }}" + force: false + with_indexed_items: "{{ users }}" + tags: update-users + become: false + delegate_to: localhost + - name: WireGuard configured template: src: server.conf.j2 @@ -38,9 +49,9 @@ dest: "{{ wireguard_config_path }}/{{ item.1 }}.conf" mode: "0600" with_indexed_items: "{{ users }}" + become: false tags: update-users delegate_to: localhost - become: false - name: Generate QR codes shell: > diff --git a/roles/wireguard/templates/client.conf.j2 b/roles/wireguard/templates/client.conf.j2 index 6432e0ad..d7645be7 100644 --- a/roles/wireguard/templates/client.conf.j2 +++ b/roles/wireguard/templates/client.conf.j2 
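Review bot: `Dump IP addresses` derives each address from the user's position in `users` (`item.0 + 1` in `wireguard_client_ip`) but, with `force: false`, never rewrites an existing file. After a user is removed from the list, a newly added user can be given an index whose address is already stored for someone else. Constructed example: `[a, b, c]` followed by `[b, c, d]` leaves `c` on offset 3 and assigns offset 3 to `d` as well. Two peers with the same `AllowedIPs` cannot both be routed, so allocate the lowest offset not present in the existing `ip/` files, or add a task that fails when the stored addresses are not unique.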
@@ -1,8 +1,6 @@ [Interface] PrivateKey = {{ lookup('file', wireguard_config_path + '/private/' + item.1) }} -Address = {{ wireguard_network_ipv4['clients_range'] }}.{{ wireguard_network_ipv4['clients_start'] + item.0 + 1 }}/32{% if ipv6_support %},{{ wireguard_network_ipv6['clients_range'] }}{{ wireguard_network_ipv6['clients_start'] + item.0 + 1 }}/{{ wireguard_network_ipv6['prefix'] }} -{% endif %} - +Address = {{ lookup('file', wireguard_config_path + '/ip/' + item.1) }} DNS = {{ wireguard_dns_servers }} [Peer] diff --git a/roles/wireguard/templates/server.conf.j2 b/roles/wireguard/templates/server.conf.j2 index adda0bed..a2307d87 100644 --- a/roles/wireguard/templates/server.conf.j2 +++ b/roles/wireguard/templates/server.conf.j2 @@ -1,16 +1,13 @@ [Interface] -Address = {{ wireguard_network_ipv4['gateway'] }}/{{ wireguard_network_ipv4['prefix'] }}{% if ipv6_support %},{{ wireguard_network_ipv6['gateway'] }}/{{ wireguard_network_ipv6['prefix'] }} -{% endif %} - +Address = {{ wireguard_server_ip }} ListenPort = {{ wireguard_port }} PrivateKey = {{ lookup('file', wireguard_config_path + '/private/' + IP_subject_alt_name) }} SaveConfig = false -{% for u in users %} +{% for u in users|sort %} [Peer] # {{ u }} PublicKey = {{ lookup('file', wireguard_config_path + '/public/' + u) }} -AllowedIPs = {{ wireguard_network_ipv4['clients_range'] }}.{{ wireguard_network_ipv4['clients_start'] + loop.index }}/32{% if ipv6_support %},{{ wireguard_network_ipv6['clients_range'] }}{{ wireguard_network_ipv6['clients_start'] + loop.index }}/128 -{% endif %} +AllowedIPs = {{ lookup('file', wireguard_config_path + '/ip/' + u) }} {% endfor %} From 3468d27e615f8532f550518043ce4539ebd9d09e Mon Sep 17 00:00:00 2001 
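Review bot: The server's per-peer `AllowedIPs` now comes from the same `ip/<user>` file as the client `Address`, and `wireguard_client_ip` writes the IPv6 part with `/{{ wireguard_network_ipv6['prefix'] }}` where the removed server line used `/128`. Unless that prefix is 128, every peer is allowed the whole IPv6 client network on the server, so the peers' allowed ranges overlap and a peer is no longer limited to its own source address. Store the bare host address and append the mask in each template, or write `/128` in `wireguard_client_ip`.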
From: Jack Ivanov <17044561+jackivanov@users.noreply.github.com> Date: Mon, 22 Oct 2018 23:49:18 +0300 Subject: [PATCH 79/91] Lightsail back (#1157) --- CHANGELOG.md | 4 ++++ README.md | 2 +- config.cfg | 2 +- input.yml | 1 + roles/cloud-lightsail/tasks/prompts.yml | 4 ++-- 5 files changed, 9 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 417b757d..27bd579d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,7 @@ +## 20 Oct 2018 +### Added +- AWS Lightsail + ## 7 Sep 2018 ### Changed - Azure: Deployment via Azure Resource Manager diff --git a/README.md b/README.md index 26440fd3..ccd21c4d 100644 --- a/README.md +++ b/README.md @@ -14,7 +14,7 @@ Algo VPN is a set of Ansible scripts that simplify the setup of a personal IPSEC * Blocks ads with a local DNS resolver (optional) * Sets up limited SSH users for tunneling traffic (optional) * Based on current versions of Ubuntu and strongSwan -* Installs to DigitalOcean, Amazon EC2, Vultr, Microsoft Azure, Google Compute Engine, Scaleway, OpenStack or your own Ubuntu 18.04 LTS server +* Installs to DigitalOcean, Amazon Lightsail, Amazon EC2, Vultr, Microsoft Azure, Google Compute Engine, Scaleway, OpenStack or your own Ubuntu 18.04 LTS server ## Anti-features diff --git a/config.cfg b/config.cfg index f1721e5e..03f439e9 100644 --- a/config.cfg +++ b/config.cfg @@ -129,7 +129,7 @@ cloud_providers: external_static_ip: false lightsail: size: nano_1_0 - image: ubuntu_16_04 + image: ubuntu_18_04 scaleway: size: START1-S image: Ubuntu Bionic Beaver diff --git a/input.yml b/input.yml index 18534518..f24ab2ba 100644 --- a/input.yml +++ b/input.yml @@ -13,6 +13,7 @@ store_cakey: false providers_map: - { name: DigitalOcean, alias: digitalocean } + - { name: Amazon Lightsail, alias: lightsail } - { name: Amazon EC2, alias: ec2 } - { name: Vultr, alias: vultr } - { name: Microsoft Azure, alias: azure } 
diff --git a/roles/cloud-lightsail/tasks/prompts.yml b/roles/cloud-lightsail/tasks/prompts.yml index 26d50a57..de6a02d9 100644 --- a/roles/cloud-lightsail/tasks/prompts.yml +++ b/roles/cloud-lightsail/tasks/prompts.yml @@ -37,7 +37,7 @@ set_fact: default_region: >- {% for r in lightsail_regions %} - {%- if r['name'] == "eu-west-1" %}{{ loop.index }}{% endif %} + {%- if r['name'] == "us-east-1" %}{{ loop.index }}{% endif %} {%- endfor %} - pause: @@ -45,7 +45,7 @@ What region should the server be located in? (https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/) {% for r in lightsail_regions %} - {{ loop.index }}. {{ r['name'] }} {{ r['displayName'] }} + {{ (loop.index|string + '.').ljust(3) }} {{ r['name'].ljust(20) }} {{ r['displayName'] }} {% endfor %} Enter the number of your desired region From 54a91447bf9e873c7bbd7066d5f5ba8dae2d6064 Mon Sep 17 00:00:00 2001 From: Bruno Tavares Date: Sun, 28 Oct 2018 03:35:43 -0300 Subject: [PATCH 80/91] Add documentation on how to setup GCE accounts (#1164) * Add documentation on how to setup GCE accounts This commit adds the steps needed to create a credential with the needed access on Google Cloud Platform to be able to successfully create a new algo VPN. Related to: - https://github.com/trailofbits/algo/issues/682 - https://github.com/trailofbits/algo/issues/658 * Adds links on main README to GCP * Adds link to Ansible documentation * Update cloud-gce.md --- README.md | 1 + docs/cloud-gce.md | 41 +++++++++++++++++++++++++++++++++++++++++ 2 files changed, 42 insertions(+) create mode 100644 docs/cloud-gce.md diff --git a/README.md b/README.md index ccd21c4d..68b2648d 100644 --- a/README.md +++ b/README.md 
@@ -195,6 +195,7 @@ After this process completes, the Algo VPN server will contains only the users l - Configure [Amazon EC2](docs/cloud-amazon-ec2.md) - Configure [Azure](docs/cloud-azure.md) - Configure [DigitalOcean](docs/cloud-do.md) + - Configure [Google Cloud Platform](docs/cloud-gce.md) * Advanced Deployment - Deploy to your own [FreeBSD](docs/deploy-to-freebsd.md) server - Deploy to your own [Ubuntu 18.04](docs/deploy-to-ubuntu.md) server diff --git a/docs/cloud-gce.md b/docs/cloud-gce.md new file mode 100644 index 00000000..fe43c43a --- /dev/null +++ b/docs/cloud-gce.md 
@@ -0,0 +1,41 @@ +# Google Cloud Platform setup + +Follow the [installation instructions](https://cloud.google.com/sdk/) to have the CLI commands to interact with Google. + +After creating an account and installing, login in on your account using `gcloud init` + +### Creating a project + +The recommendation on GCP is to group resources on **Projets**, so we will create one project to put our VPN server and service account restricted to it. + +```bash +## Create the project to group the resources +### You might need to change it to have a global unique project id +PROJECT_ID=${USER}-algo-vpn +BILLING_ID="$(gcloud beta billing accounts list --format="value(ACCOUNT_ID)")" + +gcloud projects create ${PROJECT_ID} --name algo-vpn --set-as-default +gcloud beta billing projects link ${PROJECT_ID} --billing-account ${BILLING_ID} + +## Create an account that have access to the VPN +gcloud iam service-accounts create algo-vpn --display-name "Algo VPN" +gcloud iam service-accounts keys create configs/gce.json \ + --iam-account algo-vpn@${PROJECT_ID}.iam.gserviceaccount.com +gcloud projects add-iam-policy-binding ${PROJECT_ID} \ + --member serviceAccount:algo-vpn@${PROJECT_ID}.iam.gserviceaccount.com \ + --role roles/compute.admin +gcloud projects add-iam-policy-binding ${PROJECT_ID} \ + --member serviceAccount:algo-vpn@${PROJECT_ID}.iam.gserviceaccount.com \ + --role roles/iam.serviceAccountUser + +## Enable the services +gcloud services enable compute.googleapis.com + +./algo -e "provider=gce" -e "gce_credentials_file=$(pwd)/configs/gce.json" + +``` + +**Attention:** take care of the `configs/gce.json` file, which contains the credentials to manage your Google Cloud account, including create and delete servers on this project. + + +There are more advanced arguments available for deploynment [using ansible](deploy-from-ansible.md) From 465cbeb7e09fbb5acece73d2e0b7265b8134a536 Mon Sep 17 00:00:00 2001 
From: Aleksander Date: Tue, 30 Oct 2018 07:59:50 +0100 Subject: [PATCH 81/91] Update StrongSwan setup docs (#1181) --- README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 68b2648d..282de737 100644 --- a/README.md +++ b/README.md @@ -132,11 +132,13 @@ One common use case is to let your server access your local LAN without going th conn lan-passthrough leftsubnet=192.168.1.1/24 # Replace with your LAN subnet - rightsubnet=192.168.1.1/24 # Replac with your LAND subnet + rightsubnet=192.168.1.1/24 # Replace with your LAN subnet authby=never # No authentication necessary type=pass # passthrough auto=route # no need to ipsec up lan-passthrough +To configure the connection to come up at boot time replace `auto=add` with `auto=start`. + ### Other Devices Depending on the platform, you may need one or multiple of the following files. From 399d47233a8548e9576cb7e2726de52d6a1c1164 Mon Sep 17 00:00:00 2001 From: Jack Ivanov <17044561+jackivanov@users.noreply.github.com> Date: Thu, 1 Nov 2018 20:59:14 +0100 Subject: [PATCH 82/91] add region (#1182) --- roles/cloud-lightsail/tasks/prompts.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/cloud-lightsail/tasks/prompts.yml b/roles/cloud-lightsail/tasks/prompts.yml index de6a02d9..ff3d23e3 100644 --- a/roles/cloud-lightsail/tasks/prompts.yml +++ b/roles/cloud-lightsail/tasks/prompts.yml @@ -27,6 +27,7 @@ lightsail_region_facts: aws_access_key: "{{ access_key }}" aws_secret_key: "{{ secret_key }}" + region: us-east-1 register: _lightsail_regions - name: Set facts about thre regions From 30446d03632327e345823ebaa2a101990b6f7f03 Mon Sep 17 00:00:00 2001 
From: datew0 <44378542+datew0@users.noreply.github.com> Date: Fri, 2 Nov 2018 14:38:54 +0300 Subject: [PATCH 83/91] Set disk size depending on server plan (#1159) Scaleway`s START1-XS does not start with a disk size of 50GB. --- roles/cloud-scaleway/tasks/image_facts.yml | 1 + roles/cloud-scaleway/tasks/main.yml | 9 +++++++++ 2 files changed, 10 insertions(+) diff --git a/roles/cloud-scaleway/tasks/image_facts.yml b/roles/cloud-scaleway/tasks/image_facts.yml index 1faa3d33..41269845 100644 --- a/roles/cloud-scaleway/tasks/image_facts.yml +++ b/roles/cloud-scaleway/tasks/image_facts.yml @@ -6,4 +6,5 @@ when: - cloud_providers.scaleway.image == item.name - cloud_providers.scaleway.arch == item.arch + - server_disk_size == item.root_volume.size with_items: "{{ outer_item['json']['images'] }}" diff --git a/roles/cloud-scaleway/tasks/main.yml b/roles/cloud-scaleway/tasks/main.yml index ecf52e95..87ec1d7f 100644 --- a/roles/cloud-scaleway/tasks/main.yml +++ b/roles/cloud-scaleway/tasks/main.yml @@ -2,6 +2,15 @@ - name: Include prompts import_tasks: prompts.yml + - name: Set disk size + set_fact: + server_disk_size: 50000000000 + + - name: Check server size + set_fact: + server_disk_size: 25000000000 + when: cloud_providers.scaleway.size == "START1-XS" + - name: Check if server exists uri: url: "https://cp-{{ algo_region }}.scaleway.com/servers" From 2b2d90a8a9d265baf67020c88163ca29f6c8acea Mon Sep 17 00:00:00 2001 From: zuccs Date: Tue, 6 Nov 2018 02:35:01 +1100 Subject: [PATCH 84/91] Fix typo (#1165) --- roles/cloud-lightsail/tasks/prompts.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/cloud-lightsail/tasks/prompts.yml b/roles/cloud-lightsail/tasks/prompts.yml index ff3d23e3..1c98c5ac 100644 --- a/roles/cloud-lightsail/tasks/prompts.yml +++ b/roles/cloud-lightsail/tasks/prompts.yml 
@@ -30,7 +30,7 @@ region: us-east-1 register: _lightsail_regions - - name: Set facts about thre regions + - name: Set facts about the regions set_fact: lightsail_regions: "{{ _lightsail_regions.results.regions | sort(attribute='name') }}" From a53dec6349d99111db8348664f8765b831b9bda7 Mon Sep 17 00:00:00 2001 From: Jack Ivanov <17044561+jackivanov@users.noreply.github.com> Date: Tue, 6 Nov 2018 07:03:44 +0100 Subject: [PATCH 85/91] Closes #1189 --- docs/troubleshooting.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/troubleshooting.md b/docs/troubleshooting.md index 90c14a5e..6b1fc09e 100644 --- a/docs/troubleshooting.md +++ b/docs/troubleshooting.md @@ -349,7 +349,7 @@ python2.7 -m virtualenv --python=`which python2.7` env && source env/bin/activat The problem may happen if you recently moved to a new server, where you have Algo VPN. 1. Clear the Networking caches: - - Run CDM (click windows start menu, type 'cmd', right click on 'Command Prompt' and select "Run as Administrator"). + - Run CMD (click windows start menu, type 'cmd', right click on 'Command Prompt' and select "Run as Administrator"). - Type the commands below: ``` netsh int ip reset From a76642c4d5c29f12efa9183cad465f1704a45a2d Mon Sep 17 00:00:00 2001 From: TC1977 <37350377+TC1977@users.noreply.github.com> Date: Mon, 12 Nov 2018 04:21:54 -0500 Subject: [PATCH 86/91] Update mobileconfig.j2 (#1197) Adds "Algo VPN" to the organization in the "Profiles" menu of "General Settings". (The type still shows up as "Unknown" in the "VPN" menu, because that seems to be governed by the "VPNSubType" string, which must be empty according to the [developer reference](https://developer.apple.com/enterprise/documentation/Configuration-Profile-Reference.pdf) Maybe this can help clear the way for #1101. --- roles/vpn/templates/mobileconfig.j2 | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/roles/vpn/templates/mobileconfig.j2 b/roles/vpn/templates/mobileconfig.j2 index 44fbcbda..54614fd4 100644 --- a/roles/vpn/templates/mobileconfig.j2 +++ b/roles/vpn/templates/mobileconfig.j2 @@ -178,6 +178,8 @@ {{ IP_subject_alt_name }} IKEv2 PayloadIdentifier donut.local.{{ 500000 | random | to_uuid | upper }} + PayloadOrganization + Algo VPN PayloadRemovalDisallowed PayloadType From 75685e202b884c2d873cdc35ea1ebfbecdf78af9 Mon Sep 17 00:00:00 2001 From: TC1977 <37350377+TC1977@users.noreply.github.com> Date: Mon, 12 Nov 2018 08:01:37 -0500 Subject: [PATCH 87/91] Troubleshooting.md updates (#1195) * Troubleshooting.md updates Adds solutions to #1067 to the troubleshooting faq. Also moves a couple of answers to correspond to the headers. * Change to Algo, strongly rec Ubuntu 18.04 --- docs/troubleshooting.md | 62 ++++++++++++++++++++++++++--------------- 1 file changed, 40 insertions(+), 22 deletions(-) diff --git a/docs/troubleshooting.md b/docs/troubleshooting.md index 6b1fc09e..6e910218 100644 --- a/docs/troubleshooting.md +++ b/docs/troubleshooting.md 
@@ -17,6 +17,7 @@ First of all, check [this](https://github.com/trailofbits/algo#features) and ens * [DigitalOcean: error tagging resource 'xxxxxxxx': param is missing or the value is empty: resources](#digitalocean-error-tagging-resource) * [Windows: The value of parameter linuxConfiguration.ssh.publicKeys.keyData is invalid](#windows-the-value-of-parameter-linuxconfigurationsshpublickeyskeydata-is-invalid) * [Docker: Failed to connect to the host via ssh](#docker-failed-to-connect-to-the-host-via-ssh) + * [Wireguard: Unable to find 'configs/...' in expected paths](#wireguard-unable-to-find-configs-in-expected-paths) * [Connection Problems](#connection-problems) * [I'm blocked or get CAPTCHAs when I access certain websites](#im-blocked-or-get-captchas-when-i-access-certain-websites) * [I want to change the list of trusted Wifi networks on my Apple device](#i-want-to-change-the-list-of-trusted-wifi-networks-on-my-apple-device) 
@@ -123,6 +124,22 @@ You tried to install Algo and you see an error that reads "ansible-playbook: com You did not finish step 4 in the installation instructions, "[Install Algo's remaining dependencies](https://github.com/trailofbits/algo#deploy-the-algo-server)." Algo depends on [Ansible](https://github.com/ansible/ansible), an automation framework, and this error indicates that you do not have Ansible installed. Ansible is installed by `pip` when you run `python -m pip install -r requirements.txt`. You must complete the installation instructions to run the Algo server deployment process. +### Could not fetch URL ... TLSV1_ALERT_PROTOCOL_VERSION + +You tried to install Algo and you received an error like this one: + +``` +Could not fetch URL https://pypi.python.org/simple/secretstorage/: There was a problem confirming the ssl certificate: [SSL: TLSV1_ALERT_PROTOCOL_VERSION] tlsv1 alert protocol version (_ssl.c:590) - skipping + Could not find a version that satisfies the requirement SecretStorage<3 (from -r requirements.txt (line 2)) (from versions: ) +No matching distribution found for SecretStorage<3 (from -r requirements.txt (line 2)) +``` + +It's time to upgrade your python. + +`brew upgrade python2` + +You can also download python 2.7.x from python.org. + ### Bad owner or permissions on .ssh You tried to run Algo and it quickly exits with an error about a bad owner or permissions: 
@@ -171,6 +188,17 @@ Algo builds a [Cloudformation](https://aws.amazon.com/cloudformation/) template In many cases, failed deployments are the result of [service limits](http://docs.aws.amazon.com/general/latest/gr/aws_service_limits.html) being reached, such as "CREATE_FAILED AWS::EC2::VPC VPC The maximum number of VPCs has been reached." In these cases, you must either [delete the VPCs from previous deployments](https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/working-with-vpcs.html#VPC_Deleting), or [contact AWS support](https://console.aws.amazon.com/support/home?region=us-east-1#/case/create?issueType=service-limit-increase&limitType=service-code-direct-connect) to increase the limits on your account. +### AWS: not authorized to perform: cloudformation:UpdateStack + +You tried to deploy Algo to AWS and you received an error like this one: + +``` +TASK [cloud-ec2 : Deploy the template] ***************************************** +fatal: [localhost]: FAILED! => {"changed": false, "failed": true, "msg": "User: arn:aws:iam::082851645362:user/algo is not authorized to perform: cloudformation:UpdateStack on resource: arn:aws:cloudformation:us-east-1:082851645362:stack/algo/*"} +``` + +This error indicates you already have Algo deployed to Cloudformation. Need to [delete it](cloud-amazon-ec2.md#cleanup) first, then re-deploy. + ### DigitalOcean: error tagging resource You tried to deploy Algo to DigitalOcean and you received an error like this one: 
@@ -205,22 +233,6 @@ Target: linuxConfiguration.ssh.publicKeys.keyData"} This is related to [the chmod issue](https://github.com/Microsoft/WSL/issues/81) inside /mnt directory which is NTFS. The fix is to place Algo outside of /mnt directory. -### Could not fetch URL ... TLSV1_ALERT_PROTOCOL_VERSION - -You tried to install Algo and you received an error like this one: - -``` -Could not fetch URL https://pypi.python.org/simple/secretstorage/: There was a problem confirming the ssl certificate: [SSL: TLSV1_ALERT_PROTOCOL_VERSION] tlsv1 alert protocol version (_ssl.c:590) - skipping - Could not find a version that satisfies the requirement SecretStorage<3 (from -r requirements.txt (line 2)) (from versions: ) -No matching distribution found for SecretStorage<3 (from -r requirements.txt (line 2)) -``` - -It's time to upgrade your python - -`brew upgrade python2` - -You can also download python 2.7.x from python.org - ### Docker: Failed to connect to the host via ssh You tried to deploy Algo from Docker and you received an error like this one: 
@@ -239,16 +251,22 @@ You need to add the following to the ansible.cfg in repo root: control_path_dir=/dev/shm/ansible_control_path ``` -### AWS: not authorized to perform: cloudformation:UpdateStack +### Wireguard: Unable to find 'configs/...' in expected paths -You tried to deploy Algo to AWS and you received an error like this one: +You tried to run Algo and you received an error like this one: ``` -TASK [cloud-ec2 : Deploy the template] ***************************************** -fatal: [localhost]: FAILED! => {"changed": false, "failed": true, "msg": "User: arn:aws:iam::082851645362:user/algo is not authorized to perform: cloudformation:UpdateStack on resource: arn:aws:cloudformation:us-east-1:082851645362:stack/algo/*"} -``` +TASK [wireguard : Generate public keys] ******************************************************************************** +[WARNING]: Unable to find 'configs/xxx.xxx.xxx.xxx/wireguard//private/dan' in expected paths. -This error indicates you already have Algo deployed to Cloudformation. Need to [delete it](cloud-amazon-ec2.md#cleanup) first, then re-deploy. +fatal: [localhost]: FAILED! => {"msg": "An unhandled exception occurred while running the lookup plugin 'file'. Error was a , original message: could not locate file in lookup: configs/xxx.xxx.xxx.xxx/wireguard//private/dan"} +``` +This error is usually hit when using the local install option on a server that isn't Ubuntu 18.04. You should upgrade your server to Ubuntu 18.04. If this doesn't work, try removing `*.lock` files at /etc/wireguard/ as follows: + +```ssh +sudo rm -rf /etc/wireguard/*.lock +``` +Then immediately re-run `./algo`. ## Connection Problems From 66d30e3005b6f92079c0b8db15edeceef29ce0ec Mon Sep 17 00:00:00 2001 
From: Jack Ivanov <17044561+jackivanov@users.noreply.github.com> Date: Mon, 12 Nov 2018 18:03:31 +0100 Subject: [PATCH 88/91] WireGuard update-users fix (#1183) --- roles/vpn/defaults/main.yml | 4 +- roles/wireguard/defaults/main.yml | 2 +- roles/wireguard/tasks/main.yml | 90 +++++++++++++----------- roles/wireguard/templates/client.conf.j2 | 2 +- roles/wireguard/templates/server.conf.j2 | 8 ++- 5 files changed, 58 insertions(+), 48 deletions(-) diff --git a/roles/vpn/defaults/main.yml b/roles/vpn/defaults/main.yml index a7e3ea0f..8e044f29 100644 --- a/roles/vpn/defaults/main.yml +++ b/roles/vpn/defaults/main.yml @@ -7,13 +7,13 @@ wireguard_network_ipv4: prefix: 24 gateway: 10.19.49.1 clients_range: 10.19.49 - clients_start: 100 + clients_start: 2 wireguard_network_ipv6: subnet: 'fd9d:bc11:4021::' prefix: 48 gateway: 'fd9d:bc11:4021::1' clients_range: 'fd9d:bc11:4021::' - clients_start: 100 + clients_start: 2 wireguard_vpn_network: "{{ wireguard_network_ipv4['subnet'] }}/{{ wireguard_network_ipv4['prefix'] }}" wireguard_vpn_network_ipv6: "{{ wireguard_network_ipv6['subnet'] }}/{{ wireguard_network_ipv6['prefix'] }}" keys_clean_all: false diff --git a/roles/wireguard/defaults/main.yml b/roles/wireguard/defaults/main.yml index 51ef2279..90da64f5 100644 --- a/roles/wireguard/defaults/main.yml +++ b/roles/wireguard/defaults/main.yml 
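Review bot: Lowering `clients_start` from 100 to 2 in roles/vpn/defaults/main.yml renumbers every peer, and nothing visible in this patch migrates existing deployments. Addresses were previously persisted per user under `ip/` (written with `force: false`), and the later hunks replace that with an address computed from the user's position in index.txt. As far as the visible hunks show, the first update-users run on an existing server would give each peer a new AllowedIPs entry, so client configs handed out earlier stop matching until they are re-imported. A comment on both keys would make the coupling explicit: `# offset added to a user's position in index.txt; changing it renumbers all peers`. An upgrade note in the docs would help as well.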
@@ -1,3 +1,3 @@ --- -wireguard_client_ip: "{{ wireguard_network_ipv4['clients_range'] }}.{{ wireguard_network_ipv4['clients_start'] + item.0 + 1 }}/32{% if ipv6_support %},{{ wireguard_network_ipv6['clients_range'] }}{{ wireguard_network_ipv6['clients_start'] + item.0 + 1 }}/{{ wireguard_network_ipv6['prefix'] }}{% endif %}" +wireguard_client_ip: "{{ wireguard_network_ipv4['clients_range'] }}.{{ wireguard_network_ipv4['clients_start'] + index|int + 1 }}/{{ wireguard_network_ipv4['prefix'] }}{% if ipv6_support %},{{ wireguard_network_ipv6['clients_range'] }}{{ wireguard_network_ipv6['clients_start'] + index|int + 1 }}/{{ wireguard_network_ipv6['prefix'] }}{% endif %}" wireguard_server_ip: "{{ wireguard_network_ipv4['gateway'] }}/{{ wireguard_network_ipv4['prefix'] }}{% if ipv6_support %},{{ wireguard_network_ipv6['gateway'] }}/{{ wireguard_network_ipv6['prefix'] }}{% endif %}" diff --git a/roles/wireguard/tasks/main.yml b/roles/wireguard/tasks/main.yml index 369f88c7..fa184fdc 100644 --- a/roles/wireguard/tasks/main.yml +++ b/roles/wireguard/tasks/main.yml @@ -7,7 +7,6 @@ with_items: - private - public - - ip delegate_to: localhost become: false 
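Review bot: Nothing bounds the last IPv4 octet that `wireguard_client_ip` builds as `clients_start + index|int + 1` appended to `clients_range`. `index` is a position in index.txt, which the lineinfile task in tasks/main.yml only appends to, so names of removed users appear to keep their slot. With `clients_start: 2` and a /24, the octet passes 254 once the file holds a bit more than 250 entries, and the rendered address is invalid. The AllowedIPs expression in server.conf.j2 has the same problem. A guard before rendering would catch it, for example `- assert: {that: "wireguard_network_ipv4['clients_start'] + wireguard_users | length < 255"}`. The variable also relies on the caller setting `index` through task `vars`, which deserves a one-line comment above it.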
@@ -25,50 +24,57 @@ import_tasks: keys.yml tags: update-users -- name: Dump IP addresses - copy: - dest: "{{ wireguard_config_path }}/ip/{{ item.1 }}" - content: "{{ wireguard_client_ip }}" - force: false - with_indexed_items: "{{ users }}" - tags: update-users - become: false - delegate_to: localhost +- block: + - block: + - name: WireGuard user list updated + lineinfile: + dest: "{{ wireguard_config_path }}/index.txt" + create: true + mode: "0600" + insertafter: EOF + line: "{{ item }}" + register: lineinfile + with_items: "{{ users }}" -- name: WireGuard configured - template: - src: server.conf.j2 - dest: "{{ config_prefix|default('/') }}etc/wireguard/{{ wireguard_interface }}.conf" - mode: "0600" - notify: restart wireguard + - set_fact: + wireguard_users: "{{ (lookup('file', wireguard_config_path + 'index.txt')).split('\n') }}" + + - name: WireGuard users config generated + template: + src: client.conf.j2 + dest: "{{ wireguard_config_path }}/{{ item.1 }}.conf" + mode: "0600" + with_indexed_items: "{{ wireguard_users }}" + when: item.1 in users + vars: + index: "{{ item.0 }}" + + - name: Generate QR codes + shell: > + umask 077; + which segno && + segno --scale=5 --output={{ item.1 }}.png \ + "{{ lookup('template', 'client.conf.j2') }}" || true + changed_when: false + with_indexed_items: "{{ wireguard_users }}" + when: item.1 in users + vars: + index: "{{ item.0 }}" + ansible_python_interpreter: "{{ ansible_playbook_python }}" + args: + chdir: "{{ wireguard_config_path }}" + executable: bash + become: false + delegate_to: localhost + + - name: WireGuard configured + template: + src: server.conf.j2 + dest: "{{ config_prefix|default('/') }}etc/wireguard/{{ wireguard_interface }}.conf" + mode: "0600" + notify: restart wireguard tags: update-users -- name: WireGuard users config generated - template: - src: client.conf.j2 - dest: "{{ wireguard_config_path }}/{{ item.1 }}.conf" - mode: "0600" - with_indexed_items: "{{ users }}" - become: false - tags: update-users 
- delegate_to: localhost - -- name: Generate QR codes - shell: > - umask 077; - which segno && - segno --scale=5 --output={{ item.1 }}.png \ - "{{ lookup('template', 'client.conf.j2') }}" || true - changed_when: false - with_indexed_items: "{{ users }}" - delegate_to: localhost - become: false - tags: update-users - vars: - ansible_python_interpreter: "{{ ansible_playbook_python }}" - args: - chdir: "{{ wireguard_config_path }}" - executable: bash - name: WireGuard enabled and started service: diff --git a/roles/wireguard/templates/client.conf.j2 b/roles/wireguard/templates/client.conf.j2 index d7645be7..05bdea00 100644 --- a/roles/wireguard/templates/client.conf.j2 +++ b/roles/wireguard/templates/client.conf.j2 @@ -1,6 +1,6 @@ [Interface] PrivateKey = {{ lookup('file', wireguard_config_path + '/private/' + item.1) }} -Address = {{ lookup('file', wireguard_config_path + '/ip/' + item.1) }} +Address = {{ wireguard_client_ip }} DNS = {{ wireguard_dns_servers }} [Peer] diff --git a/roles/wireguard/templates/server.conf.j2 b/roles/wireguard/templates/server.conf.j2 index a2307d87..eb77f13a 100644 --- a/roles/wireguard/templates/server.conf.j2 +++ b/roles/wireguard/templates/server.conf.j2 @@ -4,10 +4,14 @@ ListenPort = {{ wireguard_port }} PrivateKey = {{ lookup('file', wireguard_config_path + '/private/' + IP_subject_alt_name) }} SaveConfig = false -{% for u in users|sort %} +{% for u in wireguard_users %} +{% if u in users %} +{% set index = loop.index %} [Peer] # {{ u }} PublicKey = {{ lookup('file', wireguard_config_path + '/public/' + u) }} -AllowedIPs = {{ lookup('file', wireguard_config_path + '/ip/' + u) }} +AllowedIPs = {{ wireguard_network_ipv4['clients_range'] }}.{{ wireguard_network_ipv4['clients_start'] + index }}/32{% if ipv6_support %},{{ wireguard_network_ipv6['clients_range'] }}{{ wireguard_network_ipv6['clients_start'] + index }}/128{% endif %} + +{% endif %} {% endfor %} From affadd401d1a28ef3199e993441d687632b5e272 Mon Sep 17 00:00:00 2001 
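Review bot: The "Generate QR codes" task puts the rendered client.conf.j2, which contains the peer's `PrivateKey`, on the segno command line. The key is therefore visible in the process list on the control host and, presumably, in Ansible's verbose output. Adding `no_log: true` to that task keeps it out of Ansible's output; the argv exposure remains unless segno is fed some other way. The user name is also interpolated unquoted into the shell line, and `--output={{ item.1 | quote }}.png` is the cheap fix. Separately, the set_fact lookup builds its path as `wireguard_config_path + 'index.txt'` while lineinfile writes `{{ wireguard_config_path }}/index.txt`; the two agree only if the variable ends in a slash, so both should use the same form.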
From: jxn Date: Tue, 13 Nov 2018 23:57:55 -0600 Subject: [PATCH 89/91] fix typos in docker documentation and shell-script text (#1202) --- algo-docker.sh | 2 +- docs/Docker.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/algo-docker.sh b/algo-docker.sh index da458034..858f6204 100644 --- a/algo-docker.sh +++ b/algo-docker.sh @@ -11,7 +11,7 @@ usage() { retcode="${1:-0}" echo "To run algo from Docker:" echo "" - echo "docker run --cap-drop ALL -it -v :"${DATA_DIR}" trailofbits/algo:latest" + echo "docker run --cap-drop=all -it -v :"${DATA_DIR}" trailofbits/algo:latest" echo "" exit ${retcode} } diff --git a/docs/Docker.md b/docs/Docker.md index 65f363b9..2efd5e32 100644 --- a/docs/Docker.md +++ b/docs/Docker.md @@ -22,7 +22,7 @@ While it is not possible to run your Algo server from within a Docker container, ``` - From Linux: ```bash - $ docker run --cap-drop-all -it \ + $ docker run --cap-drop=all -it \ -v /home/trailofbits/Documents/VPNs:/data \ trailofbits/algo:latest ``` From 1c16554b41eb45608da76a6c70c99d0be568b34b Mon Sep 17 00:00:00 2001 From: Jack Ivanov <17044561+jackivanov@users.noreply.github.com> Date: Thu, 15 Nov 2018 10:22:11 +0100 Subject: [PATCH 90/91] Rename Docker.md to deploy-from-docker.md --- docs/{Docker.md => deploy-from-docker.md} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename docs/{Docker.md => deploy-from-docker.md} (100%) diff --git a/docs/Docker.md b/docs/deploy-from-docker.md similarity index 100% rename from docs/Docker.md rename to docs/deploy-from-docker.md From d8b318b59a5629e260d4d811785c11f744756826 Mon Sep 17 00:00:00 2001 From: David Myers Date: Fri, 16 Nov 2018 01:22:57 -0500 Subject: [PATCH 91/91] Detect when running in Docker (#1204) --- algo-showenv.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/algo-showenv.sh b/algo-showenv.sh index 41a6ff06..4793be9f 100755 --- a/algo-showenv.sh +++ b/algo-showenv.sh 
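Review bot: In the changed echo line of algo-docker.sh, the inner double quotes around `${DATA_DIR}` close and reopen the string instead of printing quotes. The variable is therefore expanded unquoted (ShellCheck SC2027) and the usage text shows the path without quotes. If the quotes are meant to appear in the output, escape them as `\"${DATA_DIR}\"`; otherwise drop them and keep the expansion inside the one string. `exit ${retcode}` two lines below should also be `exit "${retcode}"`. usage() opens above the hunk, so only this part of its body is visible.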
@@ -46,6 +46,8 @@ if [[ -x $(command -v systemd-detect-virt) ]]; then if [[ ${DETECT_VIRT} != "none" ]]; then VIRTUALIZED=" (Virtualized: ${DETECT_VIRT})" fi +elif [[ -f /.dockerenv ]]; then + VIRTUALIZED=" (Virtualized: docker)" fi echo "Algo running on: ${OS}${VIRTUALIZED}"
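Review bot: The new `/.dockerenv` branch is reached only when systemd-detect-virt is not executable, and it recognises Docker alone. The file is a Docker convention, so other container runtimes would still print no virtualization hint. Since this output is presumably pasted into bug reports, the limitation should be stated next to the test: `# Fallback when systemd-detect-virt is missing; /.dockerenv is created by Docker only`. The enclosing `if` starts above the hunk.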

AO}d74{dH&{4R(!>>;|o5t>*(OF5%iqw-s5z#9FD8ssaxGI2;kAF zdnY&`c2&Rq4=w*MqABxD_g)(jMJDlC%hQ$94rYYZEuY@cd%h^E7^C1j?w*P0Mb$WH zjI}vYP{~QsQ)OsdLhT`_sEjL)mu8I@W4K1o24amNuZ7 zsi_q4zgWK_{Hw)*-F04Ol6N(Bg#Jg`S#I}pw4r-0ieYPup=!4?!b}?g-H>Mt=A;SF zo^PRKpB{E0jq+7=uJmx0yMs?YI@y`AYq^AiuixG3Jmv51xX@!8!f`fTWTvsM;g1W2xh&XTvH`-Gy z=8$Mi{QE!$QcJ9TuJ4j!!z&yYkBh}U{MH*&l(hoJVN2-3Yj+s5S3+YyR}dMh;$10o z5*O*g%}g~2=}^|kN{rUm0;i09xQTXC+<6jrkaAW?-sLS@ zz=3~)+AAIFU%7H4OeQ5d&sYrZwLoCyziPavyKK4>!e4P$>`cws=dec||G+iED_B@- z%{5)4@Zb7}frFz;Llb*XX761B#rN}JrGVzRRU$q%HphzMqb7a??@?6npm_v#|BJmW+3&X)ofdKUL_q||JXl`41*|LDuf9=n_} zC?>^3omnzMHjj;4o`9hS#1zsKUGieOt%n&9p9uy=>iEA!Dki80VW*!f5)J9f6O#qz zXW$klAR<6J%k9hCFeThs%N$#;UQ}o_9b&nxF|XL-NYnTD$5((!4HmGXdW+xlj=ZGX z6Z|i25J}m^LJJ8`28xGe6ND8}utV7^;3nlXZ&P(&J zNJvB=X}kXIYo+>s%k*0xdm{w`#du^RjXo^HKfU}5hW%>Cxd;Q#8P|5VTp$t%TWb42 zJWJCRQ&>-cV(-6X0}{ZC0HCYEK|(c1nC>~y5&JJf{AuSALxbcu;eT0WVo#2*L02np z9gL@~KoY0X$00@0Xm?0Qbxc~=lcNm_cT77u3bqhL9hyyX!9>QK^9U;E!o~J;E!x;{qy;UOF zo`rEy0{92%I{#875YPfc z(vR_tu8eiR`P7Dq;75~<5vjeV3D%XmBIk^%T?C&oBPf4SJrVO0io%QT3k?}xm)Tpqib8%dKVog}YF+y)s3&{Og7?xNxmA{dq{wDuyD0{l%l118$T!xcsZbpO$9>8i=;%u?1DE zqu{Os_NVJ91fj1uv!* z?yu$Ff-HZMKy+agOA}KCS18Jo3c@QZ2pw5;gZf0fyG7Nj|6E{kW?(m$q7liZJZ)cV zu6CaPB>ownB?057B-LK^>mg!e2kCCw;3{MPZH?=fexR0zENwFju;cHxeBK7EVv6LY zdsS8Uj3&xFryfnTzkJK)R_2&ClIe~Ngb;Wl7U)ahQK>t$M)5 z{h3dEZVb2p{UAsmq1~c;Io7K3u=W~8?aVIZg!6+4Aa$kN!1_vk4o^DjrKVQE?cxQw>W2Q%$oKYP;TE`WT(8|xKQA^-(=a#Ab{v=b|$9)-u z(OTtV6IzY9;v%EG*fnd^Ngj!y?(M6vl*816^Mn8zVYC!2i0&B&i|Y>suQXVQ|J}_UK}G z5+Xj>gfc^yPkGw291bs;4d4XW)WT^E+J^~PfS6@&H2n> zfM-k8nR4VL<~xN9l5Hx^y4N)2KDy5opk3N^p;;2JF7*Ub)i9evDUjXve70cbcSAgB zaw{HOA=wO3@vC^o*4eK4LHKON?V~}z5n!*!ww0G$+t;cyzF7Q*!5=Hst=MG6$mlaN z=g%wkrP0P2)LQXCaz?$j(ryz(QS7=zh5Ey^JMxXXkpGhY`mOf7gxSD(N3Y112p7DOA_ zSLSJ{TNHW4-IoEx_A~JanRRVvkfKHv#f-W>lYN7EI!(fH*&`zqcuX2_pspS_k-GN08oqGxL3^RYFW(aX;FN}n(H z43Rpt+zP@X&ULYOf^qC%(P=v4FfZAF6;UcIltFY2EEhW87;bc+RrKXbvB5wsJ(>bg zP9kV~V?{-hW{kqSN2aZi75g~obc@fZi=>2mQnp4)#c9l=P1vCci*`BM;QPq*%mF3q 
z*QjLAKJkUTRLc*?3hGwF+rfKHk=b|&&h+@;j8CwY68d(fhQ|Ch-gEZ{ zV(O&FGw6xiw1VtCJFiA-)gL<<*xGQ~clM*2PM;t#t^G0EAm14}i$g5c6d@PmpKGpJMvP?N!=Hfu=GoMakQ4W-^RTH=N13^2<9 z=9x`Olmi+jl!kkDRN1lgk-m?3#p9$K1!;Exo+e~cM2*F-a<=g_Mc0UF)VoxjHF{mK zOjq6QdfO-y;)6!5qQEzb9_Q;x_PW%T4h6<5F~F__Ld%(}hF@T`L)O*88$(c!{f+}) z1Kzo64(14)++SgRYLO3;kq{zzTmIhj-EswCx=Lo!z+8yq1^&JBo57&Zb(aqRzxe*Z zglB|8Rnhd3kfzzkEo(Zsekw~gxPlC0RmwMOF#%a@yLI%Zsh~j0fvIJT4$neG1ALN9 z)F=xCT7&acud?T}?FTzCfNS2n$HXHY&POs#Xonu@Zhg~1IP!1^!1pZ$6f&euG?iB+ zumnPUhGnY9#od>PY(#@C3;*H zD3u4THTPe9EdBZx8Aby!=OJo{?lgs~?M4~_Y57`)k9UbhM#*!poHr&s16iY6(d0F@ zjxX46Vw2lkj~G5{@}upg@opyv#`PrOcbPB%0Wx_nKy$KE-(+}q_{?z3Te3!H#098EvwVLZ>&5N!Hf5VZMt}$l7qj4e8Q>1GQfJ?u{8d*$w8sa%TG|%}E!H*HRQEGS? zx7IUJwkc^e*5xKfHwl$w#iAXne?xQiZs!wkC^hVJ&Lz568*~gev3zaF(}MH6%?>kcTgJYsXm?I*@vDA1Q)TEFHz zh$rL*rmUZ3Wec@0Tz1xt+Y%PSe{kJ&Dd^sStnz%Y`SJ8TI1jNP zD2Is`#TnZnwvUVOcbChY6KcCLGGl5+O;@DK?a$cqn-dsiUZ3*-eMK<3v})mb;l zrc$`?tY645_Lchja8`nIJK!@y=~gPb`;D2WjXt6pkpT?YhISqR%U2?`e$s1n_E+0>{B(A+5k-_S;wJPmdn}l`~nf zR{K9;LvD_dK66A=@bb~{_Q2fb`qwT<9hL#s*fCO~q?3jtyOJD1mtvm~**@XS<+@IK zG~@)d>!q=FZ4VkYxO5X8uif9kS;? 
z8a<@Cn-wLY0z$O)&!8#ey1A#t6k1usBWq~?2=lmK_EGZ5n_ROOE_tiSO?kJquY#w$ z*M;`Gih=r5FR=sB8wYSUbNs`<3hUi-@?B}!a8gJLmI92f>YNE%R)r%}KThU3O%2{7 zBKlP*zG((K@ss*CA9b-yW8TWUk$F{@CHaUJKc$7MHh)*4xQ)4(R8DX|2WPZq#<5)m zB{pS1Q>w=Grvn>LQRb`iz?FOr{Ck8je`YfH{4Ifl9d3(^KEnG2wKbCdc+_V-Le$Sf zMw-Iqq+-5jY}BC|d=9!ua^Wo{UU=oLhUrr%K4LKD+;BvjT7WIB_a?c~-24Q}i7i^+ z!-uC^C1rh-(7Ll1!|KtK;1Uhb+fol7@%BX_;a()^r>&hV)ui~@=*^R$06nt zv$x_GGa#w^erL7-00`+yXy=enBmRj89u%-S+K?RI5ByV@2RKeV$&Ug}ud{_n#AjJ# zXGJ2yj;#u#j7O}FJEEN{{O7w4o`XuJ?SZ+xq?&qE^@!Q+-sERO5MM1As;J)?K@{nr zd4kHlZwuC2myh>f#0vPTE)XBdXx$qi6ay z-%I8jeA8gO}s>26i<+gYDsV8G@$ z6lHk&zijYyE=W2lPm{|H#QER;JKIbLtQeuBHWcKf>=b8o))oY+nB3rIl}g$^vl9$w zZka!yjqX+AG^O12nGa54mgUFS{qI?N9=}fL8bHv4pOO6LUgm5@XQ#DnC*A%fM)WrQ zQ=n?@IC64i{P+a)Y+f+7{%r3iR1*03I)BdDFjh43zxFv2kRC%H^|cEJB7Nc?fgBGe zYlRnQ%HTH(Kj2h&zx|fxbGpOyDyaHxZgt`-E#HDqkw-d)F4qk=Y$kIwzGIneJ1Kav zSS(VUGz|t9(-1dlW9W)hqapFFuVI@ri{ggxgv>kkNfrmirB4n1{U_V-;NN)sI|1Vk zG}qBD2dxX>qmG_lQ9J5fGQ30i;qZHpxRP}S>}d1TG9Zp0i4U?-!C|dr%rle3O7O!P zPm!@^s0MRA$$v^cWpgKmrVfwsv5C6VV^UYs|EaRQ_Tf0MobVNKmetEQ1bgkL4!Hgf?aGgd~On@I0vleXCJskOb{8b=a)2 z!cnV_(|xoqe8Iaigg|Uy7xMwg(lnHf8Pj7V%`rcN4P#q6{5pFBFy3FN>4#tr+MBAj zjtqTt@Y!f^Bi**KlU_yH^;o~fBu?ZV}&!nYsEaAXyd;4Edm1t?Q5U08J8&K)67#={w#svzLCfDQz%^SuTg;aA;6yl z8L~pKS5wb&+1@#m0bFqH*<)RTUGNt5S{p5@w&L=xbV(p^|Uh%~~ zsTtv`;q}Mb*0|6L)X2-s=BCt1Rnse)kQN3_k>&gwi{=W{YioUHzVTW;i{niAOVA9P zu^kJC*Z((m)3Fn0ED7?&$;NJix`V=`;`o6jN^tG(DUZ9<&_O-3Z(@jbD#l7wy3hoZ z8`O40ZZS6cf1|h93$_12Z#n-bdJ`+Th&c8YMehhvYDd^ZjJyukA{P-i;(8Kc97{jn zD*>(tNw*_H$i};ch*!`6^V5x6m9WFEj1Jln97Rt-u(}Fk83Zbl{1PLrjL^QaepieY zV!5nAg7%>|KI~wwXEu|u30Cz;?3%q?3nk{wYkI7MX|0bx^Tv}Nym*vLaswU>9&A{& zR_@zB-+i;2af&qmhKZzXat{?uPm^HCN?`VV!Ts{2`j_V7H2{d(Y0z(7`yMGGrSY#y6NAkAzbKr2)u<7-@8f{I&%5?LC?ld{-61Lg z(?dn_lr>?*%*1MzG=BGy_Y+v}P*oYSMkT$rk9c$!9RPdZh7obrH8E`z&d79Y!)(F? 
z4yvCHj&P|xowX>#kJa<*>>LEl?3LX7JCS zQ9;<`b!hWzg`;UDuyM#Ldf4*8BCZ@3$liG6LLFy-cNWide0lHs(YUl`YlA#bUVFcs zfBG}MZSsd+6xVxbe}iEnWMPD^80DaVP;`3l6k4O9UcK~v_-tds`2f}f&nKMbmw}&w zi(J80a!(^4D{^edEWlg(-o+bzT8BZYlfO9=uVC*j_7B~}qTWRvbpl{nH!jM&K;KL| zUXP=x*5d1@0WYp1yTAOZ-Yz__Pi4@)VcG1}*W!O!Jd$nw!b_f(sn{cFuQr#87<2H! zbSZ5$=;4dkM8>`3W2&>?s{!XY#NGnS??%=IuD8Xx=6VhNP!~S|fgr+Ede?#z8q+6T zQP}xz3$q{o<3~Rzap+W8yFBfn@BYiYFD%(a*YE#-0XqKMX`ig`OLe%D67rnAJFyqV zM;2F`g&z1f#zLH$R=wD@Ra5@~x&a#36*Iqkf(6?Lh1e!BAJg2j{{`r5mILf*l>AH? zj9q|kIQZt_H~)#R(N>ByIB?-!RQOCnn?uP=2>Q3>e!})3EFsEGa@net@YXN~bHaxv zGR>*HVOG1W;-ZxWa23A*-NYgC&i?{*{>(+_L8%IfIb27^DV3;Q7gs0~Elzn?k}wb} zU~8*EQ5M*0?p@Rnn@@N@M*RyWUo#63TXj}pES zfsJa{UKf4e2L*G<7a(z${V$TcSsB(PO2DW%ArBrxKCq}CB6#*Y>uzPKT+4fO_%6K5 z@*2r7Thsr7gh}LFe_^qsqE%AzA99b zt*EAZYe<&GaXt_{pbGQpcN){qjgX`c>*a^fJ9{72FE(9D+EYuaJ6(1in))-!k5zz4 z@+0bKQXrs6XZ+j8uEG-Y?A#FWr#Swpp+KVVTOHZwy=&@hht`7lZfR7#`@gx}%`a{T zfpmsyove+_j4NTWuDfqvDt=k$AedsC4B%xVkzy zD9f0aEz!P>5b`f{$BC9(OL#M^jD$@4j8n)!FSfu5?uwm^g9OpQPt@u&@O38?+D^%y zA1NmvDzp+fm9RU9pfOcfVE5$tf|pQWYrM57<{O!0obim5Or8 zNd(jGMD5w!=`AlxIvoA;;K0i(5mxPeUZ+BWixm?tn-N;WPqn`}>T5V{}jMs zZC}NGk;MK>UzR4v)+?VrGy-6WAMyl}$RAph9jR@Zq{$apK`^Fm*$sm2XDuI^2Xw)`g95ku>dcPn((B%87oJ z%FtP!Meu#Oo<7++EGHxvbqOn8Q!1UNIg0;_`5k3XqDN+}^vJKrf@*fRM)h7kK&+u_ zetywf(-8bDO{f1QW{>0cfsvjnJ3zvxCG!Vk;3JJ-)I(g}S2VL;A)_Qo&{xVY1b1Kz zqp>_Br!P<{*P)ZIW$*25N;pju?sSd>xKAB-?;ax*co)bB?KuXMT|PKEN!pN%UUDrV zycW+a20iL9pDSW!d@ba3^150nKZ1E?m3#m#n1m*y)Cm`B3sUXFI9^=Wz9Leh-FlStyFs|rI3va4; zj?Gw`BUlKeva<$^xg1@*jrj#IM`$5uKu9*GRt#3TU^u_KLeCOHfA2Br1aqMU zA(k1vC^-z>WuSFk2F007bVl=fw7{2|82m{F|BLqGh?U*9S@D;A@vfxd5~2C*;|aT3 z>B1?)ksu8rlpJ3Ma{iY%)gLk^K8e!?^4TO6mIbT|t;oID1$nWNY~?JW6r`BUFP3XR z3dmd>Q&2G+b1acuM->+YGyVcYULY`R)qeJ|47L2|EU$>~4w=eq-aBcctlpYg!|{6~ zb`sJp6n_dhdWTfWtjX7FkKNbT&nsdhpg;O?hS4Sfn$W`Y4vbpucJaT(?dU>>cb|mD zln>EKYeu}ynFXX_3gnbOc6gj))q}HRiF+9yawmn zm7AaW1F_nChQRScfiATgC|vT=GR<>3CmWL+gRV`W`xMErU8l_Kaw;Lw4C4X?C$_iu<9UjN*c{vOL6xsk06kbvf&(UUD# 
zFp)o9b+!d6hY@`!4M@qLAi)T5g=mP`n)cE;=Rq_)G?rmILsrurzC%Al`$A(I&ib1W zPJyQ){6d5n#E!A1?GT!02!q0FH&G|E?wdSx=u2s=Hk(dCk`f0!7$ffC0vA(d8GCtz2x^LeKm&#)r8I)OxPn!4*}V|~+3F2TIl?oWc$2x=8e1eS1%VQfeI3jW zIPW=o*(aam0k|l?jqvOphZ@`^xb+05cqBmFGgMuCPyvD-XaEj2MpW}WNd z2Xk)jR$N^a?!NHLS|ZtTsp?iTxHf%Kie`l8I@Mt$*(;twJA&qIgs$OK* znLk6MvA&8D)N#_=*Y}wEZQ=0WLo(g)4U|+iQ5T&R`&ihWebh7FkS=ZJpd!{HNy-2+ zxe106=OipusT3_1!HtySWVt!^=5XK1vk1JfKt0HDEaD?#@qOW%GntyYJ50r);!zJ$ z=cj!*MFMP>`48A>UNmT9EsDk_-gO!E0mXo)0djK7;7{6g#G@T9AE5@4gKVaLWMK=m zld+~?5BAcrp+*q4w~Xw%(f0C)2YNrYjFOzl1HyfpBdt%>2kRE%n9-f%C9L`yu@4*k zIxLy!DS?qjXXlq`t!mt&!-|K|*N_BoCopZJLN-=-^yIR6d=9!3kJY4V7&Dsf|$NiUm zX0Q(bgElcF$aKV;KX&$df4C@LrLu)aq$ugav@=2hco(-R49))ME{~lsqdp1&oqHfw zb49WR+R0wK`c3{IH%*`!=!JOcO-?F7g53!3fti2GKfF!z@T}Dp#iTeDF%xH;Q+LHV zeOzq>@dCzMx0>^3D4FocZv=|@3-%TN>>qrZ#9g}QPQ?upL_SgdV_SP61WuGZ3IuWC z+W>ucdPKh@>U+L)SMmFmJDY%?2O73|vYQ&P zk7V83{8ya%^)+xjA4Bd2tnD_2nywqy_{Wkc$m=#Sd7SCD>_FD+JXSs{CwX}FibA6O zf4JY|g)s<$?zd)KVMcPaWvof(LfF1HHi+dx)92voq0*M@K`oz32>BOwv>BIYcg)vC zL64O>tx`5A19Gx4KM#i(<;Q{6&t3Oxmb%rF!V7v7+~G!^`-o=d><2b`z7Z&xKXh_? 
zYCRz3%RWG3)TbbVuf&IC1@n+-&v_8MpJx@;By)~-_^TT=^=KLV$UN`hN?E$2-ixk<#-ynr`+_F7J|-@VI} zXxiZ`JbQwzkFh0@EcZQK)f1$>)g*9q`|=(oy?Du%?vLk=2mK$lCG!9xj8YuK|De3YZ|!T?qz0wr>UxHum;HjWrsBWAd#5 zf2n@FM6in+TE4(Dod>qs`{J4zK(g)# z=Ns$H%cHh{GZ{bjZA6z-3_wI}*W(~X?MowK{ScLryDkr?_6TGsx$pF#8o5Tpi& zsf)_U#j}e_)ZZ$`Y8Y_;sO~t7wpszPfN+hv zDeT=tEDVQh95ntZVjT6)=P^Zy6-8n+^oI&U=mDwVx=(8DNc+~%kK`bg6QmP1wb6!5 z#3NIN7W20!%AV^m@cRQRa{JGKjZ`F9Me0=%zu0$d2S;Wyb-pPuLt5V?{dOs(kPD>3 zy(r`JOY_gR7yfS(UTf&qndJOry>VOW8C9>_ii*|*Ls`=DV}Zc)dfG1kr>Nx z6l00*7zoq=u`bb?tk{$jt(?o#eX31H9E$rc)EdC~+_d!2y=@Y}d39lmJ4Vd544878#vVyGDg=jc7*`%a{DS zhg<7i)@-$ctc;^o<{gZ;2e0T3X7!7De zG_h`ORx}uQ$_s2>$rGl%Z>4B+bsvU}M$pOwQtFKiH5iC>4In;*!PstJRtvjGFipst_utWzCe{frB}C=`WtX|YgU{mJjr zZ*UejXs=pBk!$G^+XH|OUe%c?RD?3j8axW#?KA;94Cv7WA>Lg=l`H5;t4SY~v9P@i zLDpb0+rg59v>NQLa*te`xvMrhB+Ft)WtXE9HQ!%=FfQp5k?|R^DqDY=zIGQ1CDkkK zgRGqg#4>X?EiuFxhCgVU)T|X^aIQjD4Gozfa?4$A?k&FGJQ`!7m3dawXNcmD;k9JB z@VCH$>U+Kh|x*0!jCL}$*aKi>Tt`x zv^?M|{am&fJCs$#RZZ{@cdX%-5;35UQwbMso1N!%`Q6(4AQp2q!bGb=Jqs*{fiix@ z}f(9IcW;F}fh_(FZs~tkaA+>L(9}_ZV~&N9+IG>z%+ho z6)%)Y44d#R2~LDhdbKB8td`-sXg{B5@kh}U6U+KQJJHlG;gFN(*AndeiW@v}?jjxQ zPpVa!$&alC^8>CzViNC$@lqSSXILgGpXdK%hDj|*0T@kCbEtk}`;Sw(AC()wTJ_l1 zmfj=i`mpSSc=-1^{KW9l$xI2psLmt`I_E)ATW*h(c431)Er8PRvaniyKVmsq%m)ml zY)U>&wA_Ub=E5^_OS~F4R5S5WACL=JtOH;BN>ihRez#bEJx&8QnV5zCYv;y9y$d)!Dg|aHkF8Y$`S?vy@AN=Zm}cXyX` z3J6F^2}nyExzb6+ z0K@#?g4vRS(PK7s-3&F{K1~4X1Es!pEtEf#{#ReoA_BRUMHtg;4DdBQv&dq|vR*nA zS*cVn2!jHG1(yA!f2^_ng^s+qp4Amd#d9CEbM1|C=io`}l|xQzlN=tlh~+8|Y2N&r zko)w3$j8=_>%6Eh;=Sn#&SuO~-S^x+eVn^Sif_xNy&%zI1wO z718$}`7Z72X~w^b`m^6T6G&S&&+UPR{QCvHvW3D2`eG}0H0L_|Kc9A75vW1&w1Yt5 zbq|)2^|%!*8$Q}S?(cix4x_ADgu^WPwdmVvggs@K`4)i{<1=DZfneWK8Il?Hy5<$& zh~&)F_u&W)(5%O#S%<=a-Jl|oOSH`^5aIX|Gd;)a@ynchO-93Q^udA&4Ie&kqpOyhI==c zmXpato)51Bxc%0<#A&YbTTKC7_;nr$tLSivIs;@b)sH^rt6%08Eor?^v8T+3Pg6>$ zK^7Y6m|s-&)12F+Cm9mL+pd9~B8+t#Jg8A5+E@;o`(BDJIo{yFVk!j)Wppdba4Nr$ zKOQ&QdUOGBG+jj1^#Q*qh^tyXkp52e+#xRilIUYsLnD#7m!uWD5H5h&FnU0wBL`M5 
zS)_Uw+Xv-_LcdFdlgXc1O#PVGAVcnD4XY~N^o?j(3bpS$Fwy#B6+7of6KQ=}#blg8 z;$0O7EH-tjkk7G~&Umw08)G?8HG} zx=?WOo-ULuJv&A_Ng8++qBO2bNxD7%Dx2DhJ>tAaZU0ch<4-ML*Dj_-tk;%7)@nJo zWKpt#ha)te`5r{s=Dhcj^g5*i?aw$PtjDiWTrnU8He`2cUIaImpK@v4Mm8GLm=hUW zV#}cP1HXTFAo=8jsk{(|1O9JVAb9xm>(Q;MfZ0e(pzL|dV1P8H>N%s`TlgM0;;vDa ze}^&m_Gk$%voTrnFxt4CNw>v{B!`hc=H$KpX$-43SBtAV)tcUn{|k>-?DPeP=_x6hK-x4v0#Fk{w|f9!)&%7;D09yVW+gTrJdlF7tyI0P zJ1oMKDLz{xO=bXDmwA6Iwet(nm#=JxdkU+r6j?V|15IW3%L+uTZ};xRry@nUnbQ1N z_c$^D`=Fs9*@{IImC-*<>oR@8hPq6UOB6Gb|>AIR!pby~-cC zULss(r6C-oUmGs3OX0^}i8w)kuH#yV5y(K9GHn;1OT6IAyws!oa}Yz`Xa^v)Q4Y>K zR)Mmm)VzH-J*dF37?NrI16P4R&!uwC0sPfsK&Ic~lQaB?B6X9<$F_Ac!I9%v9E%hsaVUKuViMI1co5e~XWc zH~Cqr-8=J>Zkw?(^g*68a@1#R)eB)(WQWwh3yXY9Z`XBnqlS-ZTnQmIhDbM!Xj1a_ z0?il1M+PW&N|+}Df34-$ZA_z;)lV11g(B29PUzn(QZI+csR*ohghWzLQ=cE6>7?un z1!7r+?2H<-#6}F~?aT>n7Z$+%j~7%;%AW}qemFR|Tc7<%{n0&8f2WhCtz-GiTSq^G z*F+968-4itvBO{wS&TFW>RQsCPYdQaTf4s1etUYQWfxZ@ZF2;y*hgbt(7`?7^zg{- z#)J|izcP5Z6(k1^A}GF{#$w1X)nT)@8lJUD7(4SmMCfslxM;{mE=^@|FfS= zr3L;%rjN=8K;<(n)l6!))q>YN*74m-Oo$Nja-cCM;F*C!@|uUaojcuy}n<$OwdmqvgG(shQPpb)NqC#a?+^b&}8$Ot*?L-z$Np* z`apk8kzT#0j_cj!k;eX3{zO?;&9aQeQKwjTuD2p3H62CV&+K7rF4?NFsusC)=F6gd zGSb>CKBJI=Z2HJE(zH*^`9R?$(%1Ga*wV6=)SKe88!XFFab|owi#r{Qp54~dGdWbJ ziwl#kHA5ujswjC9*|k(A`K4nw_Sr9>X;6tFS*PRq1nF3?1{JM?5}o5Xxzv~9fJAE? 
zOdT3Y_#W3kov1eWiq^xgXpQ5+l?Y!lf^4Wil$xF}^M$tiN1L z@&tSd>iwh47tmxht;>P|ApSq=kZb?~I!CJ6zYpN!A_dW!Ls(!Mc_zR+s(`5?r!|&hS!i`t=jr%87>##=FKtuCD z*ha&LX4l+M@m{9A!?w*EVC}jUva6svwaEQNFg1oQEw6!Qw{gx`+`V#(sP<;zM}$wR zUE+g;G(!I0vGp8?W9gKJrzS(|HD`8n!eY9}>g13GtJ(ZgCpL%2i=tm6(IiVRlGP>E zIcu$g!tWN*wJt5tC--=}q=)_}v|SwxB2FEQ;%|<{2UDDU1gq;&JNA^|hby~;EZ`Rk4V{$d8502xO*t?@iosjgLv zWX*2lXhyCwn6H@6YhXvy>${OTrUF`%{T}PoVdN_gbm~6XY1jMx+S8dwM`OEbjp;#t z_nULcr%ieR-3TeO+w}T6jUD1)Nb5nmNZ7nbapZ+GAgIoMtH@qMQ9ZoaHH6vDp8NDr zuLArgHGP+ZKKiEzWw)!4PP0A>qd?!f>=RwcG-sZpuO4rfY?wN3Y+cmFj_;bOF;lyEX6DiuV0^8rr}23@^l@KFa$ekN zqPUh&(9}-NMEPef9Xq>Z$`wnG8=LnuIkce6jPLp>ig?egDZEW$r5Q85cy^jWU0IbXoZO?kA&z}=y z-7r47^Yr#6%BeA7A^w`?WpcF2ng}4G&7%J}zPzxqz{gUm6B&NVL2;n#M?%b`_&7+m zrr#Y z04Mq!5|mXR^fM4FW9d0CyWVt)IXw(AC18m-s5FN<@ebwn>**vZ0|Q8{Ur;Lie#hX? zA*_iF?El(iUbCdo6U9VqMNmJPRVcN8pgwEYD13}_DJLiAuYm!=t*!6c8R_YSz;gC| zJ2=qDq(P8zvRKuz<2{Dn`yk0U)cKuf@fgie2;>sNHxfCD)3krqBI^$#&}8M>qB9wi z+PNg#qHwgTNMU7qmU;EPU(e0--=kkd5XrOjnF& z=LcUG%NN?sm`Ze)1~;A*L9y$Dg!z6asI+#)>ydmoY2|Sn?0TKGjcq%&DejS32f_iy zjJDNR47R-(%#BxyXbiZ;AR$~Pg?q*OwY(tyeqtuN=&y0YSjA}Fv{+Jwg|YnYV&Y}y ztL&T|WZni378Y)(5J;T3_;M0Y_~u3q#4!I{>ZVRu3u;-+bm;Ubkg=M7yjqZJiL;u6 z2|j|WlEKXgo))N5oR8X6PJqt$RB)S2@+8_T*{JvJ$VW=GN-G7YudYzprGRqWB3IR{ z>vL+i{6_fTu2fPz{iYwVxC^|^O<4GmlwXq~qZ~fHOk!>H1%F&>_kI8ag7Z!FE}lB;mY5ou}@>if7UxeA&#!F8J_9XV{? 
z+)|@De7`1e_2sj9M1`IdtA1=QoZKEDIA?1t+j~;B?F)X_0k--@AF#4z57kxnQU)V5 z_XJHWL-ZKWjZci!{;xq|EnIQC=W z|9~RA%V=ann8d?nTaw3&>Ucss8D%IH?fL4eA3A4ReD=&H%P0E8lLVhBoi`L|F`)*2 zG6RX*rL@aegmq7JsSX`f-KHsiqZOqsG1zuD-u_oPg1mvt?UcON3KaZ-xH@LL?{Bza zL$&^1`H}w=P`7>7dI~anO3@iAwT4i%X&@TQetV#(saq%NLsWIFcX-{`pN?+km2>v0 zwymWf^M`knX!$(x>=$#bn?WkJKJZDCH#w?9zniqu%JPm(yws;fl&4;zdUx*>c)u)C zE<=(S-gG6(=V{F;vTDXMepZfU3tdow%?rc2V?+B$p*k0G ztjJ|?edHw#c8rT)Ljfvty5-4E$=2_f9|of~N-AaDjv+DO4j~8ADkHe-R`G6%odP_X zL;A8R@Tcj;;unq~_SfqXYRcMSjJXj9iV15bZL?9Xaw>~sx;jVJ`8L*j=Qw35DvL?7 zt^%GfcY!T2g}n&HUu{LRxLwBDOF(tbP3O%-GiT!URKTx%a7W>?+)Bz(B}0V6gZieo z*xc&n(2TRwO=}|8Pd`eA_4Iin7O`-*{4pt!*tXZadQPd7*E-Nvvw9u(CyX>^EQSoINzGi&Cib zmi_5Dd$aY_P*Y_7`*0#bzPWbTGJ%pAhV6?ZKzsECCHL`l*^jdW0r~Fnx|@Tm$y;Qt zYv@zJqQK#iTi1kvb;r=1O?={Zvs)f6a}x7tFW|@smq?T0_1=JQ)Zs0=8ujhT2+=i? z&%3dsNWVLgwy$xMJ}%8ZxPaMaWHWyM_=K^2&b%|N_6%!>jEUscN}99T`R%_k#4gTl zGww6dqs*VfzaF>xvuEi0x__-60^E2oRdA`ycbnps+jz!Szd!DR{~^QbJ~Va&oRhG> z(Ao9^AQ3{(brNGnIT)^}CRRQM8-F_lmO7ODU5?Y8b<8kt?V|PO91)uX4U8`m8k!$n z&kp;TmtX$*qc$ zQI)BorI$0S;8f(*D{eg&?tS9%h_SJ~>@KP}Py4w~byY(2stP9JQ~nd>O9i&`S!8{` zYA>s)u8S2h)SYoW1;U!@{bvukkqMb3Hk#?KuYg3wSK-yEv^UB=^V+QSG4Hm!j52Bn zn8Op#e)BtjA<4X1vN-UBIp_<`0T4)Tk1=-|X)NO&j{3Yb?L>;?Wn=>`bx3El>7xP+ zRn9=l)-_$SFB*HARIC(zlf!!tCUKoXWbdEUQHP1sBboHSO|^7N0S`h|i4@2Z!`m2ccav;v@DuHIuFo z;fnUr#<`1H8I$>#-v#gZpibw{Y`Wzhfmg^0j-@Um$3rn7W~(B* z`ZN(obBg5k74R3Q>@HB*Lip}x&lfWuE7g|{3NX!~e}fO-mzX0bB@YtXOetLE}W;LGq9g0B#iO?|rylugpRLwpl=y7LGvxmRRg%k$D! 
zc5nChn$I@W#KaBITa?!ch>&?DV1t>xr~`5qA_=KlvYsNEDmaI7TFI-_&Ta@o%kGo4 zGfkb9)2s?X7zolu3%mJKNT~r{PoP!ZnUv`2hm11{i|7byy{@X2)b8QZfsKP!4d=*f zkH*7Q*u@Xb^?xI;?N2>JjGeNJfHO0~%o?Di5_f{378jUwY!pjR9#3_C2Krf_E9Voz ztV{K@f-_6lnm3CXo%p(A_@OI27OHq38-|){;rHKb6F2*}=j)s>z26wUrgWXVEi~0d zBcD4bdI2{bLQ9-F9-(}4wg28)u9au=W!0w3EBjy)>Fhg+$j*05E8!fqx#`{aKArNXlYcxLAe>dp77OPx zQi^1M1aX{nN9XpJEP*{Wo?dUj6?w@o#V>-wbq?P3EX`Q%F1@<6-hiBITOimmiD|)W zjFw;;h$ns|H(W;egSdR$)qg#lgA%ne~U07B2@$I(sK68WhK0?shA8|SO&>OAJtUdlkb*_aT;>Msi zMWU}T4a{WAtFOCi4srm{&2^Ww-!715c$h1NrcBaGFDK7p`0v=Y1}}9%wBj#$DFzLV zJdk0))|i)_KSKMJ&?nC+g60SV*&VTDGQ5V!G3M)%Hs@bC5tEesbq}Ndj3!@|?%hC+ zzrWNTOZ`Pz5`8t91DD@9>9(@6NZ_kTC9dcSCyY%^rHNZ6d6_H&m>sPaiq$mblFk|9 z-zkdiB}R(jZfXrL2bSc+dVfUb7E8WR$1;k%Bq&DO+40`BF*8>;2uv9kXrt|Q3TG2% z$BJr>&oq=X7%`Vn%~#$!vXx;c@8Hm|%a&;vyAfo*k%_UEuv|jo{(V^9zh~n8Iu-`2 ze8M2LT(n{2?Zp-jf2DU?cf`v#E3Y4`DrkAeDMI~sA%^o0USFD+gHE-n@QtnYyJ;D z*d>rK%NQ?LMMn*z--PB_#Z2RR#pGw4DKf*1M>!g6|?-4G>~kr-m&*w8eXnPUHCJ@0*CNJGa5E^ z#(~Uj>_Gl8(mYI~4`x5S)zs=n3*dfDBQRQ8Rs6)1-!llr?y?DSEuPV5EdzD^VjfKc zH&$Z}J2@DF>(hFg^Kc>Gr-3_Z8jX^WAleAXLbjR zVvT3B##(igp}P>OP~>T;B0ao6n+i$qCtC4^{(HAjwqJJu@AS3Sf8o?uB;?DT*C;;D zNqDtyKxtt2{zVw?o%Z=^!evH%jqf%F2FU)5wVZj0>UbQsg=nw_-t?)~wWkG(K{i&J zSp$UFo8ZdIsYJIP*n#tbFR{!-Pj7m;n9B$AEjPa{lbZ!J5f+@H;naO@NoQ;mlz6YI z!#n%KY7n)?Dmf`Vih+|v=)@pdTiK`I4n$4L8IZIdu86+j3SLve4c)gq`&6x{=RT`Y zJ3&97-}TC#OyQe8RA1nl7H7pdRy0`|qANIZXJjx5@(Ij1UY8m2S=}9> z!qEF?r9)?n>Bs;s;p=A`VN5ya>3rZ;B^>_%hZ(iAW(a6bT2g;$^aCmT{Eq zc-OKS@ zVg|~NG4XY{!EJP(k#)6DN7JH6F7h?3*(WSCGnH3iNzzW5{AcwqLfVgoM2%=<$%l4<6y>9ya12np6=OsZ^5DWUz%9wM(@wdgpOwBr#V_%|cSY63IoG?oJ5qMS1I9 z*aEDG{T5|Jv%~&2p@gzOc^m2cjcy{&Yq(kujgesxA!?Yp!gv+>l^>yGBZ;L!SzOQK z@=daBy?*`zu=2)Fp3VA7`P+BDVdZ9qUA-%Z5{S@!p>s#tzvUCd?Be@s^o=-}p`^dt zL043qL0P}ti#~dG>~m*d%AaY7I9NXLmJ_97Jt<|GEX;_TIU(LPoBIkM^x6Sy{(}xL z*v^QP?(IKiGgsg3xZ#)2jwZ_&B#n$q{gEAU-Q$c{?*(XzN(G<7GzPgx5)q6^N)tla z5aKzL>fNDAAMhCdnxC&ru?O=C205!!^-rn=D2nmZw>@JC=MEy7F=qvgZk+Yc`P-?yTz76HcYGN46)ff%A_KoX{o^PBFqa%G)ad{8kgbY)8;Af0= 
zagT$3Bh~3AMjN#T%=(e5pM=f!i(y}~l(0#i3ZC=S!-)CSD}93jc;olfc6c#7TXefu zf!*1&Vq{3>2e_zdewO7k&Tonwop5nGFADblMd4KKmgn2V!~90`etq;v-i)3lcaJBK3H452jvydm;?|AP;C*I$RdqD3*AJs{O!5zD03w4=t6p%^Aq0fDNp)5hhTSC&BWp4B(;O@v$%a`7f zso+Fpe8u06Q_>rVFvG7Xwz0_n}(1iid)#>j%%GlD9pP7t4<%2>oq@oZUu|tXa!e zpw2bL)<}%24k$WfR-U<-gCfe=+g{)?Yw&|)y${FJ%0>VBBCpHR3HS6vPAxOcz_n$N zO=EyhL*%OZ17km6MBCo6IP}XX1|?M`9}!X zG(_@g^o630A$TVRX54;GQNc9FKeQnXGB@23o+s|Fc%iv#ip$~T8um^V-SZ?u-}ri$ z8)?5o+4~<@$p%X?oy!?y0#p``JjcA z9JLN_wa1Rp^hx{8zovsXB-k^I(kVUaoDKNXVrf|!Q7A2s#8pCha%*t+#(?BJrkqlV z`LJHtmWYqbF4l(SCw|W1OqjqJWZF!XU~sE@v+wJP)*}qMjGzz2VZFMf7@pg~jmQ9GDz-|I? z3s$bkE7P9RLwS<-;7#t96zlU!`M(+?%2OW$p9qmTWH|IaToUl<$) zRv?%uF%ehKu;3$2Ezn7Ua^r#)v&2%<`UG1Fq7Q(^IC?;ir) zcC^hJeO{JiOzBAtb^gBgQo}NibfMFFZm7M0UR46`0MvzcHF8zeNqEg~4f#*;SawDe zLev^IXTtd?*T&&wvr0v8Rx(>(s|o5Y(dd3^T4_E7iGSWMLQ(QrWD&gTI{LLFC!dL! z^lYDBK0xGAp)IKXKi%3>zG^lzF$vTBIlMb{YAj6^n9pZ-T$5|YwspGACu_CG^5`12 zzQMjc^|1Ni%MDv*Lv+Wyu|3DXWT$5w{4-sVhkjXdI1-Yo#fZSNE6GQuV@Z?rhAzPY z#n8rM3T{kWch;N?*pIHPFaYq-Z`8y0f1KyMPet&sFD!2VfQURq4S1F`(~sa`IFx_z zWU}(Qj`}OZJlvje z%o=Kb9leYz_=s*H2=Gf1p*yv=_PM6^0!005B0zGke>Noq1GZcJvLMlK5uG}z!3o2= z+;6-08gDhH$F}s}y$|B)4(L)hfA@+G-7;ci)L~E5HDp+oI8m(`UaWt|a7S_Z;t8^{ zbx3Yg!YE7FY?-~fSOeSIAdXL57FCv%8}D?|^EG3>`40)Jfk#03_I<6$r4oFn=bx%c z(}nFi#Ag?zVeten#B|6(+*67JJG;18=IZF=H;{&@KS*IF=XZpq^P7c~k=d15HS4;V z=$=5p1;A7x584wgH4&%WX^eP&NS7B$(<$vm&U1Vw`3dggNUODl!I1YSLKfdlI-Kn% zebhcD3x+ibD@^n>r2BnSn#{a=Vn8#qY%_AEIi&tSVXz^$9Rb*zi(i^!nY#IW4uy?E zZ)XT^JItb01*KXdz6zdkflq|t7ILgf?4MHKg;Pgx4|;#rae0;cUW#3X*2%*TG#Fb5OgLWd#LqB_-i$|CtRq_M!ssCz>oYoPQ2E_geyo0Zt{>+bI7n z2;AWmy${jfOL$@4KgEEDq(ca70scf<|MBchp+5+2A+}+Y=wAlFG?fL*#_6CpJvIe{(G5DafDpvW10}?$+)`A)KZA3NT^6i3W$gz zsHkX2LJ*%JQAHuZi8U2O5aSE45rj4$d^fp1_*$lp)66UW{j_(uf^2O_g@-{4F@Yjt zql-3hup!#JIAQd{fkW4VA@_o~M97#nLo6CBTZ_@EW=L;@6c#_1;9ZJvK@_RHKw z--3eFi`H_m{h~naTLcxXcovz?2kDg|a^7Alh5lrWL+63d*~ClHc2XI-&=eid~ybF4l>x6s*kJb{PRU;u?1X6UsjYCID8FK z*6XQGgJ^$2r&C!QG_);?<{6CptGvq7;eai|O$qf10Z%2L=qQc@2#S{wF544?LlF_I 
zCA;es@o!6j>jBwrqGD@jqE7Mu;uykSSEmfR z<}n5dZ}t7kaO5?&S~jp7Hb^j|NH|e70ulGzZar&idkVOM6u%)q>KD8awucb9RGs%& zfJOOPXc$)_Eqt*KOcHU*bD2)JpxG-6RUvES_FN_Cdfy(2GR`&*VX9#aO6AB77;F5P z)&a4B3JQxM&uF-Le>j^q3R6LA1l7Wcj~x|jC}{Ji^`v3`&aZ`mr45nyuDy8F!}30o zoKX)A^9j`uRw$Mbn1jtI!BqO1RBu-1w`wHJaM`oK{JMIbbHn(W@>V*!dM&`UEquk+ ziUJ5A=$E~cB?Q?F#@V88^?>`hi=J`Wd}K*~Yv=C^%k2HYj;-f9NS`N0D@P+o^93{q zP;R!CHW@H|i47}(c!m=Bd_>aGRO9cF8k-sA|2>enKC=4!4M%$-^X)kszRvAK_(mN} z&=fr!59ntRPy*5#J%|T*5MX5*JjBuhaZf!(k&Rr=&0ECB6#Nt=QD_gwZ*uuv(5 zN&xvZ_;4@S5{UQ~BrhTl6rryac%1=*1eoO(G$*87Aeh3J@m>gfths=U+|P~v@K>0; z;5EHGgX+V*=8WLJ{%FvF_K18UA)G|M5~$xp5(!--pqN7{3B5+)t^;557%8z=V2cFB zb8$;SxS>>q)bq3zU~dsU;kyDtawU&&8lwUgNl|GcFvvo_iY-7k<*Oi{QiMV~XCqnRT-VX?x8WW@Uc58Gc~%WVU_+Ivw;AQObL{e=^OKG=Fo z%%n)aH|Pqr^V@L#m<4Df?M{uE1w|u*CkHoDRye(&zTjfP>NLZ&@DbLn-50(PD3a)z z-c(~9ruS408EkR{<$$&TOK~IfFE`+kL-oc(bygB*ZH7U$UbSgUEK6Evd}mH)(60EQ z0}eZd4lA5ExDXh@(gRt;y8Y`zcU!~uk?!2Q0(zhA0^LSJw-bOKkCBf&kNB_RuP_1O zgi_OlONgc4+`qEtWll>Rkw+n^h5Zn5$Y-C4#}ttvK0vV!J0JAj!NtSNLR@F(=4lsf z2X}sQRzJd@hMS>_*N{*m75*is#7Y&ZBH1qPDV$zVQi4&iSm0I?n?IFbliwpRAlNf1 zXclM8Xr9Y_W=?5RYJOyxYDUT!!FvmLp0@SRFI2)KGI! 
zb6Ox=AgN5z%&GrbTUTpq>SPvaOk-kghGP=CJhU{qEWFgPe7fYdoYHaynAzOv*uP3n zr{mK`=WOM=<@Dxa=CtC{bD(vCvB!3TbizOE9DB-!og^DF9YLFLNv_DUj>t&TPFM}) z3F?S>p+krej~K}|N07&o$C%<}AgH0T`*dl!@zSa6edg`yE#%$i?e<9iH1^8<8t~fo z>h>h?x%TrB>^JB=*v8L4ps%6RKa0U;qj*!d5|h&JktWir(A?^!QdZKRQDoArQS*}Y zGt}#v)JQaqYAXhowp;igQO(HBKrlHlVbnR-Wf-CC;O-pkeBPPgc|*QMZb$AQlOofT zG9sHN3nH76;7|A}StbD?fhOf5T~Mf61YR^HA&}BHYLoCefhy@Zfo$w#Vt7<-0)DJ+ zLUW94Vm&b<86(~;MSy;j>O)&dlt?5`XFH2HGC$a;-l$-QgN%xdpy+E+%J}U#`S?o` zPNI2>l-=FBr|YRTTK%|dl5>(;l76{WIqN+3yd)bE8$%Ou6Tgd^i}sz&9n>o0>X+v8 z&4or=NnuqIsRFs(isDMM+5^$a&vXuS`c;lqNVY__5%*l@LU^Ef3|YuoLb^h_5rDFb z+U#0<)taxD1>J?daqnbrmf#TJ>3wiP5W;W+J|PcL1|-S_UkXZwX@}*8A%?-pzmmU` z&y%whQx|*5T&5ZRpq-4#xJ$c9e@RtOo6;!NJZrFMAl2m7K-YlRmeic7#BM2Q*0vF- z>)OyyL>j=WKW%{b*q;#>vgK#y)4$uyc1WrY?(`XV&%p z0(ldy;j!JNX=1CJp zM$1`Am&w3O|LXD0Sww4a3lP0d;Wjl*Yl#-Guva}ALaDa*eI1Ps$%oOCQjDUQ(Tr(< z>s|}jNk>CRy;J3N`!V)2`RBuj+=s_A%XOMo4$I4F{x_dPeBv0iP1Y(s5hX8p5UxHG}i{0`8+{^W)9P^|T; zEvCh%y}9nz^-(`reQw!d`Vs`65c87toaIJfAz&th3_F#Eo zKR6%n0Dnt;k9v@~yn%FwloF8eEyYv8v%zP^KEZay^yS!Lx%Oanygk%7;e2!75Py$V zMUg_0O(0L0;y-_6z31Aw8CO}sIA9Q+MV?*kIq^A9cgVuZD4MMHoygqHta$Cd^E&N3 zf9;K(CZK`Eip-3}NS;gKPSH&ks2+SDeEac1_EZ6E*}r_BpPrwGhKa8CMe~o3xV{13 z(k27B1%SlmfC{eF#b?-}W43wc#aQaiC?%Ir$Q}B>9F%>Z%MBS9g5T!xS7?O zJDXn{!5e%gDXD92V6j{7Q|#lKs2WQ6`4XZpM5uUGRNE*KapdIy7w$bq@GFLSaerxV z7cC^QGVxT!U1fHz8{jl&@eBDEe<4eid5zyd+yLdz$LO;5WvUwwY4M7aa}stFZJ!Q> z7iD<5nBAWu7?SEJ90+bJF^O3tu4tZ_H&=zLd0)={gg6LJ z7iBhg|M@FRmmZ(N!}CJR(sy~o@$$wD%`vGmi3TI20$;aNOV^(2$x$L&x#|LKtYWXC z=ajs8T(N6|S=wB9!Vb9eBfu$|{db9colgO8v0 zR&VH4pRO?a05u6%!QhOYvEA^cFKv!Q&X@Pbw}v%T%koRgtP&o0vri69cnH=rY_3pcJ9z1Ae5=h%`sc zl1#VRU(BMcWIBI1|L7UJuEe)#JJZEwEWuU>dEm-^@YZ>C1=9@F?H55(o(VESAiMgG zuB7>k!Srb#Y|oCeUy6Oaq$Q?wynLv<#cJA;+XBrB;aKV<_+$}_7V8+ZB$YL-n>~Y7 zzj08D$?mWLy(PXywOP4I-9^DQ(FNJ%z}3(hqFR3)axLe~V$B1v2pWr*O|2KDmypPQ ziJZfyLZR;=kiVJw(dFOYyF}PwkcOx;YH#7RbZoEnZ63gco!b@NiSEL>A|NJ^%yaLx zHv2gKZI6%V9K&cQ+hLr)3<`*dhQ!J6X2w zcAt{6@~6S9!H&L%H7yzK`3vbrhb9*1TyAup5`ri`?~l?42e-um3SIe*jvN6mU}wwW 
zU1STxi$2^f{5@O`z7Na${ceZ+oARYOz02sj;nHpE;CVtQN738>iWT1n79~h^=;sdhRrn_sVg!ef z>gYsqf}bilDZVV7O|LCkKT{HDIuz`D#9rIT=JCM4?judw#@hzl18p--QyZB7Y%6I(0sEA z5*aWcQ8(s8VNwn}{-)XSq!~#mjY6YV(RYqfWyxO7KG8hs8h(#`e*>?M8e^1$X5Bh<-r6|phw)L(A8VX_pcki(Le}S%@enA_$2P7$=C)9?Aiyd}Z9rU0 z9EMGc_{v{MIL8%*yMX6Q+Hb>Q_TZzXR4BJMRjNJXz(mc|P{-!b2iyUYd>#rbsl7a3 zPD!$8CfM-%5G3EB$scQ=nk>VD%9{N)+g-fLpXj^9AH=Xb8;_F)6{BTVXAWno&yDW1 zMi|Oe@*$!M_#rvKd(au6JpTkNk%iHK4T)2B+Qh18&@rcoIF(kK;!2E2u1>s5*5}Gm z6snr*>h;+cSDhMKIr$+SkRoe6Xf@MRpnjoGS0UXd)&+17F3{U9b_f5UixFE`{UQ5f zveK>fGGas7ipk2QgJ3y%U2k<}w(VA7Yo>ZcSRUTR&WC+L`TAFn`eDgQgg+f0NX#n8 z2_b=?EfE-H!|CM{D3LsEE;y|}Y#4|~Ztz|jfDrl&bXkJk19psnf(Ua*tX>3m6lw)( zUwAQ|_KGF~lq_;321XoDTvxnH>@6_Zz=;#=r}*{l)TpM3KfEwT9zk9TBeH~Ea)4#O z_YjP+Zk^^5{Fz-Qc1%b|)XO)Fk(X_nxOJ)Th*GUm8iXf^vtjGbI?mnB>XI7B!E-WG z!aXVP;6X&fXe4P&@j%!Fs99Ju=>vGulw(5ec>Ovh4fAECC9dTfK;35jsA9imUt6#0 z*!i&V)a-D^Xh~no;3j3Q{Io(C>8)1lS5mdPuQDRI$OMTNNtGh5?VMQpnowNE9&iw% zqEuu|rZZJL)W6E5tkO>+R!P}J*n*ox8p)jZT-a`DZ{4s(u*`7gF&|QCGs4q&v`sXc zwchI4>&NQw>eSshBQkxT>4&N-E)wzZI!ySkI|-#)AE3&+>`Hp{daDTEwyLMI3|Wvu zEsf$43fxAnN4jK2SF968+dqVVB_-YlZ5(@s9h#9`7^eVDfpKs@xy@e;r@} zGgp@mky@RwroLvt?ZosM>l(g_@W%UaN%k}XFGgAw@e94lcCIkQDIz%+S})k9$Xu73 zy3upIQ|ngrb@LK5zFG;J)_5M-mLFICJPXG%>jZX#4jV6Bq7L}L*4Y#w+-nYiAQgn{ z6a=$@2z!b10!M^fmrfQvP`Ucp|=%BiJy2DG^ALfG`W)AaKJf&5I?@KS@3H>>nMm zSAeFS$r*GXC0*dN<+*+bdO*tf%=M2teNM@z;qM0z6Pro0#Fl+0JF|5~om zE>Wy-U#ZjP9sRXnholH}-vdod6^l*UCDwKZdpUhxE4H!3Iqi=1)(6fJjweb@CQ)YK zNBLxr2DRpptzFA@6qQa2G$DsD(C1E_Qva}FQd)Gr?6v_g{n1|hU zB(Qpm8a3U>E<@LZ4#Q@kgYr;T(1W-334V{yb!*4d(>z9_dVLpxeoCjyF-3RJQ=fSlqqoDHjm?(v(%^N;9@XPSz;RMq z*m6AA$mN5t1j8O(faymPMURRv2B2C18xe$M3vx#gEtRm207glWs1%CN08-NnYZUi7 z^j98rDQvn>U0$Pt%ABGKxD~2d$X#5R0923Q?zGmC#I5KpbO=WHy^ah*GQ_DrU${@u z?#R=&mBWNPiZ{J)Vy+aY%%h+Rkr@)jan$j+gma-!q1~;}?d}(qkk7;R!)V1aW`+kH zv>PVejwIHc8LX@3r1c4$nOtbCn5|~5FYa0%r;pT+kq|HtQ_xAD7sFV?`B6_%auUB4 zx)-vU@|q%yt;Z3l?R zS~_#j;nR9qLODd}lRv%z(OFXdGN$1VG`r5uAAxUO!GG`~tKbe&Gw% z=knPYx6DRjG?U%CM{$GV`1CcN-__^Js3qAq(> z00H53 
z=l=a_YwB!B=x%ERaN>67BmOr8_wVRjh>aBk(eKb zkdTnq(Zq~fNkr_w=)ZsQ5nDJr+jBE8xVgE}yRp#QIhr#tadB}mFfubRGt>QspmXv7 zI2*dt0h~zwL*x%SBBoBpj+XY$mUaNbf6+BGvU73fBPRYAqd%Yjtkcxp@-I#Rr~iue zTR?_?%`h<0Gcx>1`!_1@zec$gEZt3QG(;?IO#x27dGK?waPa;c{(sH<#qn>Lntx%k zG5rtBzs>v?lb7LN0{l&&|7h#qqrcU~55vpwr|S7(VBy3PKtKdRBt?W&+(FOQp$t$} z-=VJTBy0lrUOKq^sg&X}5+Z*)E!urwsRoqMtDqOP^| zfZ|dLg2E{HgQ4bvK>YW$B|tEGH5a}T?2myz=LC@q;>N)P{to=FIRFkQhPc(v-rl$F z2bYmBBJi1NS!q@q1%kyIjGfnD)-&iAh*S3W(#{9q{cr`tlvti#tRKT0^s;(&dVP)l z6oHc&KU6$gvTq|ynI(qogpQ8RRS8CRP)iF&aa@19{tp;Frlp0I^tO{22Eh*JtItM&mvhm+z@XmlC|!x2&|9 z?^rQ8VRX&>oBvn-(kFIE@o@|jLat-F!s^(O?oquv-4yo zyyXV7RrJQcybJ%+rrfgph3U$go3->PsG;QL#i=)B^un9?j(N946|QDw?&U)%#^Yt}vD>DT}4W^2c%GsrS##<#`OnhNeQdht|`A$CDbA>GEo?y7M2rSRsq% zv;%!cPBizEHxmm6RwY`3dS9}Aj?hF@ZSLLN079`wFDqkLEzL>KV1+~HeKZYf)2Qdb zgNQcFU+f^s6a}5PnBLbXG>@B9*8Z95s$kczbPR2&Y(6k+>+6X|k%Mob^xhilC;HtXkcNlFAk)sjR&FK|ao^@%clJLrWbwmiP7 zbcL`+7VfHs25b&L?kOiizE^X`Wod;_8$eR9dv&5M&G^wYB=ucyy+e>+`|g4Ozc=K8 zJOf+>_^N4pWykYLT1|F-Lv4IXmBqCiw28&72-V5W%*sB*GpRXg(#b*Gpd?-cXt{qO zKtr}^*05qce;|sfNGzC?bX&a%>Lj2Q6YkrhnRJ`%?1|87s^ zN13?p$MvVz1dJor;uLD3pPXp%GM-IWvvIrGl#s?x$u{Adr08>XK8~0t*6ptcG#xLq z6jM&PVqKolY|bGI)pVlIuh{GIimSrcC#h~^9s>xzehtk}b09J1=nUY#16M5B#0i^J zHg9J=jXeyamfy~zXwTK}@hzR*<4W~2D($?!XwIB3K$|WJHoO=-WOBQ>aW`E?kYIUV z*xIPa$nFjes-3Cn43pa!?#jjsH=T+V?WvpE4b`}F1j|MGdKlZf3LnX1=5-QIfNaWu z&LuLGDI&9Gsl2|A5Vhh|Bg?`i^k)E~mdJIVvm{eq?)M-EX0~dIq0l07FnwQ4E!O>k zsO!_%tul^WsJAww*M^l_Z>cbj`EdCOMwvweK~NJhvHxpVE*x@@o_b zA9<<>g>Y8k%pivtTM@4xWkO>W11-hVY!?(N1|L5L+`Z39v^GxSa03cJs@v{5OYlAL z1PVWcaoq3ZJv47GV)2PSjM5%O$!5O$;17M*L?}>w(~@c#3zRkou3vKi?*Yqf9atNB zcW$@ky5HV50il~=p$_^5TEt6JiWlXXo?A}ey5AaIsqgpjran(ok7=+>wkjBpUNls3uGi|F zEnB*0?DvSc0$xPfcypfvn&#+#c&O8FwGb?B6-`k$+|-wOs`4w^1HpXd&=(bQShj|1 zA{9HPKsx7y#Y*@sFbT!_hwk4KCUW|}rwvS(E9%a7ZNVUuJQ&SP(8%hBKnZXlGz_nW z5>DRz!a94j!P;0!F0{EBR8KL~lJ_&g{eX#mI~Oa#eVc`ohqox~ zo~77{Mo$2`bPU@&aYgn-z2Kya`F{I}Z`7gfEXFukXIfdp&jyzBsuE_Y9MY>_<0|~n 
zvw!}Mo;N%t{`Hn??&24OkR!>R2WOo*TXAO*-fF(}b^YN?jSGo;N5zP%nG)*)gBMOk z%(~Cw^tjVU>BvX!8m-;7zFBxS?FaH=QTHcx^}E5wEqMk?0nG8N-}kzKR#&>sMz_Bi zB|ucrceb8u^e} zcbD&+ zI^X5>oc9j;`9`$)nC?Lw4dUhMisS{@LTzp8&kcU?-BSOepdF-%y;WG4k_i`&krrk} zun7}NIM^MSn7!&J$5P?pKYRDBq5^J(3d_!#PI8cyj(=Xn-hnhe5uaQ(CG>;}Kaz%j zZdh_tiaI~X7lk0W}484+1Rat-q*MjtXyL=^I{2Uv6&}XpQQS@jBCA zV_F0N{WK%Q*n&@=oge3b7%vkzKV5i}E>`Osic?YuUiSjFD=&=cWGkSuMQF%afU%*l z8+s4)kn`#-LKo@?b#e+NL`FT35pT~h@bJxUUy`ABRvN#e+;PB|5Nrn4@URATG|*0C z@xvut84PeEhNiSe8!hVxzu%}Jg7pv$1)aV(;hk1yze2*_-gL`fp@@Rzm4}$rPNLqucO&B)qDoQ$k-XiVRkL09jR;sG_E_?h=dX4r9rVQ?17lD^W1T-A-&!++#!xDGE_D3W*+t6r7lzo|BmHZ2TV8;BKNjmgjKJVuA2eI%uliP5=0Q|b z9>Jd>SjBezeW9h}^?~b5*P2MJ>y&{{d3>HC01fi??CwCfo=C<0&eh#KcBA?!#6~5s zP~Nk5R|=+kO@lQC06OasX0Dj;6E8M9 zAj-dvK=^Z0SI2L+UXN|=W1jmiOzv9kj`a}CI#k{jABLg-tcyJ%m1u{_>t1UKaX!(- zo(xNyl7XxS{N~mX4!wE9*YD;-GaNZBpa5CM{f+Jk38R0UP zV&fgO4hU?uFM#KMitf#c3P`8d!v%-Ki9}yHM9QwZr|G^N6Np%l;3|D-7*#Oo9$wlp zGG>cny}UVlv~@SW(CKV!h^G>aes!#_*MI5iQXfOwz+?2a_kS~1khOj1STv}Fv%lA9 zWD>LuLE!L?7GCWUH?pEuQf45&yLEJCswt8?Mh5QV)EHd!+w*E7t=c|4jlz%IfWifD zitL(0Lu0e!7tFx(Wl#ys3+8x$5kz@n+G2MH1l0j0WPXUy85h`(m9Kc(dDvKuRI(?Z zYSOnP$*a=7yyTNvY*aE?g`FxkG}I(hEAhW*ZJ7Im|B)A?mO_Je(3NQssaGEu)ExaH z(mK7@R1 z>&PGG$B_9D=3vF(xISjf#~FTcQELBA%mRiJ<2A4rLZ=Q0p&w>A_NZH}V=ZF{ z3yIwTZ`AstU|LSX3{DQMLPBC2oDoonE&RHsZx*DA!)u*9dZ<$c$lSYi2JgUGK9VP6 zX&-tBx0Rl$2Fcg_wky<$g#M{T?i?s@xk-fa^V;ot)aaz>(8-DDKWNb(6c3l(IzE`T^F1*e^}7r+R~MH)S-hGUe_(p5tFs_#7y9}3m3eGJA2qt*A=~>#o(!zVy~u@` z>EO#RTK1dQaLlwGV3C$8BdQ75> z$6GzmYevh!sHNT3G}JDwl~#=8Zi>$YTcTR&DzP9Mdb~9fBBFmt{=VkMBefp8VsS)We#1BE=Z?P z-v+{t!LF6lafNOZ{~0HI#9xRV-Dffj|{ zs_GLet?Xw=&;~E;tDd?Y2iB>wnkM5f?yYxK2fjQt`ro_{xvy%pG2ZD2dNWu;^3>i8 zSTENQG#48!6ut9YWku?N+MV>4;GS?E3LagxK+@}>CYR%~Lwl_kdIt8z`GF-H3Xb(L zSp5&oJi^w;77-_b0J@8vn~9ZON*@E0t*^YGCWfwmZ&w1Mx(vy|QFN!+EXZC1WO2<=vZE&lR}I?!w*F?0d53{3`HG+C<6UPV zAuxm11h2Q8Tzc)^BBI}OI$YhbfysWuM3RA!jb(MlpXCPmk^suF3unhG(sGhFtRj1g z39hi~WvfEyYcd@Za1J$9+R(LXa2+&!>tnX1Jfr)xY4--p(w 
zs?Hi3j6Q8f#LL^@UFqbB!HM>!;aBsCV*M&L$1@lT2fA|RJ+)WY7J{d+p16eZIJD&7XyC5C=I_&W73)0mQ1%t0jZfOg?v$B|*P z$?2jmibX`ybVN|htuc5yoY-Mry;)W@l`2&z!lm&TpR4l#_i&82i2~DJvVG9D6JX=i zN!zEW-O!U%r3UV!dv-WxLdJ5fFo-J1>X zlXb)1ZV-!T%D$7HBQ6w2`W8t!Wj25BM6jiQZ`#55;^P$7ilwCe>UC2hF`m3%Dr8q| z;j`{%!r@9D)3i7d({=Ds$Il`Px-)ia zUx2F%BvQHTPkgWz6zM9uTH95VIV8&Z6Rmc0l@V{&4rUS>UHEm%9g)U^ctP*iT-{zf z$W|QIrLJRWBOB%C=7ttVUO0&hk`rK=oxo!jJL4leyZo-w?|vmr`CjLk6R0PRPY;;0 z%q|s!d6~~>3o2Kx9iQNa4lcjO6{B#3l-IBe9Et*lDaI@x2N^)#iCyuZPV~;OuwaD? z?spo>;4RIWW$rr4!dG9HlBNceQvjpZ@+mbskqAQ-zw2TeciTMU#-n@D*PMS-SY`xohf-6ii#fajG8v4cQ;fF1-uR;w+qw1A^pplz>gDY|t%XxH zxP9Qrch-T1FAoDkcZ~Sx1m{hMcX!+5w-cQ0L>TDg&NK^aqE=|0cZ>ZT>prp+M5{GIcyB_2b38X6J(VVrlg<03RB; zYU8;R)w|6AAD%PP-|pF1!$ra64tb}>qTTck77g2q?i|eU9`eb*fi&u*%%1S?AiL(k+E)D+l;Y(8oZlF zK4q+3`ShqfdyLd!3r_3#O57sYai>lM(->lbb)!akMa^!U%?3h>lJe zcd@hVt(}j6)j0ng`oNuZN!)iw#WdxPA)nIo-C~)HgO?`JhT^+Kka|i1@Uaqkqd}CZ zFh~DLaW&(qq!{Si8rv_7u<aurK!dK zAbDpMz@rn9*4hkP106QRLQvKr2kFIoQaRb{MxIDm-QoOU2xBuYQW-)@5C+F&h zAF=KX+xGj5*!-0XG(Ntw?LSb6I9Ln29*nwv0OBdc&H9i-2%*NN1JU%Pwn&M=k9c zMMCrxm*{CuQcU{A*?9Ns#!(`W=&vii>&}@fy{;`6G4joof(Srs$vui#qtVx|y!SG& z9`?H#S2z~G6mV1OFF3Bh^*I<$L*d~>SbGeaU!2+^l^R>x*y3DXd!XdFf7Lh>@Zm^LSe&8);*PG*W)qaVz&o- zi_wMk0)aIxe!Esl_55HO_G$`ylHJfd(FK=EN{`{SDd9PL2F)yhZ;~o|6o*0+V&?;R!Uyhn5 zv9Kt~Pts^ITS>WTFYF-`Um30(JzjZQ1+Z4Fw)6WK+ZCLqnu4w(vXO@SrFwx=cavnC zs{$s;5JMI(4u`P~Fm0>SJZU%TS+rNf7gyr0db6eMib*BGk5n#9nQYs6bfwx&t#8kF zIHP!Bq{h#Ovi}2b2PQ$S7#^l=<+5)SsY`Kh7ZvBkA4iP45D|!#AQ2ow6djrWj_X z=41!y;JgP(*hB zwIQ>=)nMM&u<3tyu<*l)FfHwhABn7p-W8QrUwBk&UX2Td{Y+(nx)sQ}A2YiXiiQ&+ zmtVc(_tz!DA1sM<%U;@Q>{>fQ+?XFHf5UKbJ%GVxagYtLoX?SZhDGU>;2EJYt_C}Z z+J0LtRVDa3B}@3M)#G#Dgab)lYMfQ9aT*&?c5Oy)G8 zOt4z!&w@0if%H~!kP6+bRzA%Ic)qEV1`9YOJ5pcCfNg^o{6U=!+uH$Y?UNft5lvka zrb=_YSwwXYnYP(vn|;JTJFgci0ow3NbR0Sx10}+IO%niN0`S+NH?6$}wWO5Pd*rGT ztrmkK>)JE)OpA$sJm-Vp1;ffZ_luohf%SJ^OT2iETH;FKRCDllg*}KQGbM? 
z*dI>x=aCEg0`^7e9ESH_?6Y?OL~ zQUqaA_h2UfL(JbD@LGo6i|+gA)WCl(pG zzx-48OBe=mR-0i||D==~@d>j~4T&`}?=Ro}510Q(cM-De|A)=6ugm#HMX8`e$VQH9 z?syvqB_Hpk>wLZpqc@bWw%0*Sipvu?XDxbFxe2qb1)0c`(_hIF7A6_IF$7!H?keo_ z;Aq~5_V>NCpMv?_mIn_G4jz}TS;WY2b#Msy{Wsq0`pjy@0;5%atip|k&`nu@yCKXy z0cQkl7Tft^lNTMsfCJWNQN*z~I$EwU0 z@YD0SJUy-W)VQ$V=By{m>c^#pKD!PC;|hzBp=v^d_#7`mL(7)I@^>8y2CQlbLZ(_; zTE@-+Ht(%r($DA9%1dH!&}mk543lk>UnoE35l+Czxunto86ID_wXGMAGk8&dCrxW&QndAAlsQ2%TVI?5}zdM;% zZa-Hm40eU9_#r?@DA-or)cLgfOs}`mnfeYuZ;cN)Qr2QAhgxYVhqa4!y%IuBY-@7} zo4N@8>1)dI6GM+Xny&+akgCG@rYF*l<%>rx)Eb{iV(O_%hzZgTLa?Eq3bNGURzxu$ zn8b5#9 z$(8|1-uV{vnDez563G?1DqhCI@KzvdkV?fyrsSVz`GqQ|$1Vw$;JBK+hpwgR7iRsm z9$Il%@MI1>>Z#xHnOEzYYVumV}mjur)f&;6U3@xgX4l(+zG;$3i#N*cZRm45GPw zaJA%ZTtc(-G3hyI1kc9=s*Vi`*J=cnCOi(qM zWTHZU(^EJ)xp^;j(?mMrstYZEIFmcuAe~^Y8*Og$tIl-2aV@mcym-;~{euxwoPQVm~GU5J0RP3~lyx=T> zClaDGJHU3j!AW|~b(VyV2r|@IDJp5=>rzWkuiv%c+;^uz`04(Ws8sOUFAlmsRs&NM zApB$xLAx1aiGMR_w>^8wyo!53Tef`efbw)#NfF5kk%n5qaBYUL-VVf>nO zdVSgXtjJ*t{lzMx`8=r3^4v9HCb)t_LH-y$E4<4qp|KG9j2p(-3o>nE(QXj>KmJ0zkX3Zs=>EP$T(vAQxJwbjbHXa`BV_)qg%z8G} z4T-VU)zxP{-AWa)NYqN&9a@-DFe)aBAB+Bw&Ent)uxZ!H} z1$8O1m*8Hp&Cm+64cqIb9K+7n98J6gF)z^<(BN;GdFqLrMB6Mrpl0A zLoS8ww2|%D6%rN)=XYwKSciX(z|yMB4Fd24%g(5)<7aUk|Rk?N8^P8bsmo zpc{uigt*$3tVyTHuzj|f0r3PPnk=LBU%T8{;aknsF{0>JC|9jbcKB@K6U!X_J^u{& z1qL~Ds^~jXSq|tXvnHHK+Mn>`WLB}oJeP=0J!nRr&f*J4jl|AcYXi01f$uz6g=*_p zwSzYT#mhHRnrU_eH?7L=tY8dIo>MN!rcWs;?Q)vTr&D;J2yQq?xhO?OwEM z1%}WKMQ8lX{I#Jrwp1gm|81~3lq-2L9DT}upNwW}M;Sr(_s4*;6|T_b*6{gGPLmOq z+uC*9Yw;)OJDz1;;`3q+AqU=gW5Jex+ky+c0B@kXh`KtkOSco?I?CyU9DJvppC|t$ zEKy~niNH{^lLDz#fuOBaRc4>9C>X08ez2Vtko!{qFovQoCT{F|&tGidPb*-y=^;Em8nH0Aw?33_LYyR%DymG8o zim*v5ZF=-mx1_!H@<0uAvVzb_lt;-kB^vvkTtu?)aEjy6Oag5_nC^e=xV)@y^{883 zTPgE?ruqIV0;JE8_#bq$QGpWOwMolsO@2#J&|n!fkwe=mnGhwGK!3bBDEq>&5TlvA zclK$JJ1j{*iq+1x7B2RayLM1V1kc9ix~$_SFYS^_--ZHA1CG4Nx-NQL%f=KYBJTax z3^w=()Wm>On4X+(GhnJ~Nm-VO9_kj4So^&l?IY9Fc&6Cpyln7%q`XON$kZs5SWy+ 
z(7CDi=6~$e5$G)FBAaJv?>u*}F>B#L6L~l;*n!@D?ln(q7(UZBbYa8Oc~9E;(vrGcD85EBb{K(H5%J~Ey>T58e2tgC5)h*!>I zn;W+M+$nG&R9bBNSJ=D}ETE^iDFpzvr`STlNbls1r2V+Nf2PNyEE#2~8L2D_B6;8X z$d%(LQ_$>(HZUf$UN&Ey{@^jrMC&nG?GWu+3_ChL945!>v0-x*ni4jMM!CmARv=HD zJBu-odgXbPVuP2*jpiFy6KQo(l(PLJ5MY} zsl|(Ru0kt}^;Ij#kQ#7>c;a(`e9KTt`oJ<0IJxv~k4fg$UUf&YKN>$ksdSc!@AWde zy44ojj5GD`nInVRK@8iuk{jW!bFs|6%V>p?SbKr*PjKEvJv6$HT;mA&X8w_->_=EtWrHaOxgA2if*9`7(Ka2)FKkRV$qTNOYHgGLg$QT zDe}NyP841CLt2{nI(MHQt|yVWx4*NC6`7vvFuON1y$-gdXCi!BNFD6pQN4(*nwBFi z{z__&P!>EAZl%E(hZm$u3*xuc$Xk+wKjhO|eg@v^K@Q*W|Fm00!}1fL!HKy-tI={;aTka;STD6JYPYrc*t!^?~Z zk~$tD({F|5ixh(a2=Pwn!%MP)&MgAJMM?HnA?;Z>NWt$4-_z4mG;sZWGJa(ha<|z` z&ge(n{+^U{&SL#txj1#H@@OJtihv$pP30c(YfIC?>>}ctHmlt9fSXT2xx9T@Yf40E zi^oOSr;WYC_vV6d z@2v^e&WjH>Wi1@_&XhFU3wi*}dfok{;E?&!w(aDXw1>?94lXDJd?ga;D9elL&1YLU z5mx08E>9xuP!btSHBM89w}<1Y{~UvgEbJ6!YM7={%7@j*@6n4~AXH@TWvk0XGH7mkm=V^x*m?s*LQ&7r*Uc)m+e1^4 zEA#`{?0JY_cCM_fP|>N;N+(c{>_^0w1Y`!tzezEiq6z!kl%i(|u)@w1$-M_hEnCppi%RM(G&10N zogHm?@^d+v@ZSm!0k`4=Su;}Zp>3uFc#Pj2yfkdy#m34@5DPQ=7X`Y~1^M#wB5qOA zwrp*L#N@pgN;N_a1V?vm`jUUo7I@+|kUrZwIf=HrfufU>Lx$lLjXIdT)goys+x%m{ zA?#{}9R90r*^Tkfe-0g+TrP-@W{Tev5@y0Je_HIjz1$svg@yGA3L22w9r*$(SZG3h zE59$dh5%oyVuMRdOA8e{yS<%V^C99d=ZpANccYA&u*%UZV=xG2ryc zBc-O+)}HBUG%&Uh|4mg%4Y0TOLonT4bu-d+dwu}yrp)>ILGEG~F$vI47#LetgNdO0 z9;3g#1ekd|BZ9y#8~&o$VTh?cVz!8{+E6o`xa%nLp%91JUs1}>;6KsIf3JxmCkQ^j zf+c4N>c4gNzrITWv!ws$641r79q_7uEvo;1{R1XL%~A0b-l|)cKs}glF2B+G{qMH3 ze8_))QHtG2daHBqK9p#I$>Dk+r1HONdiQ|^OzEaTz449z@U60^{}9)nm{tF-i6RTk z8qbn)6#V5r{%ehygBe}*(^j9)|4rBaC7KkNO@9-(|94TvRxtf;zW$-?Uo}C%nS$G9 z{TTUgEzDX1^U}(Xbh>Y+96VG4Xu8oQKmNvH|2_7zbl?T>|4+q#nE(H8O+})4B?PtY zBisQ~Oj6qW1uk(O&q&CxASASc4|G^XG;gTbF^~FWWa&I)^jiMGA|FeTq(u_p& z!uB~>haHibU&1lVsmtXIcy(d;x`&k4-bdPulEh-oH?SMA)DM7>v+yWq$+YP}_UwpJ;T3OWM}r7Qa57X#hkLp9_7ZoIMFr#v#P(JEi9 zx&#BZf6InXQJof)Aad-0@;FU3s?nm9jN4#JOOB-N)1P2Q<+jB8E;~E>`z`p|v4$Mw zI=ZXBwl)9vQnxix{5`9LM|JeN2iJN>w3FSe>TyP~XCsbw6>H0gX{yQOGNU7Ad}DL~ 
zqB}na1!Ok1azOFR@e3Ay>RrgLo2Ih7mQc2GnM-Dk$;XTo6()iBkJHtFL!P!O zCPB54zIh$&F!e7d8`#@*c!wws2f-JfTwZ(`=GBrx2CarZRDlGZe>9gx0Z6a;Z;Tn0 zEZFRR&|hm;GuklkXu?sd#C$EKPnQll8AU%)ZGLAHkYAd*mWzvnyS#_|yboL;&d??a zB4WnaP9<#Ad%Qt(xt-XaNhZG5yxS8!c;ea~>M(!ZsFUK3vD7SybiA{ABmmS5xLijw zmSELskT-J`17q3=uh!)&!$dZ8X|zFz4W~rsxbkR zcQJTbVt_6_Fa+Oxj)eWQtDiH~Ii2MYoMdA(T1X!VU}MWoNiauS4CbV$RE-yU2N%07 zWi-UJjYgj>jRr6~n-tF9o#`BThhjZUgb$M|l4-!0*N68R-$w+C%LNje+U@`%?Yr`_ zJQ^~A@)QRE&lkx^N$5wH_Ztl4tMOS^;;0;M4efY-pv-w)U_M29i%a$@AnPHG)Z_j} zV}Tw=D!qZO`|Eo_hT7Jqz3JJpyc)nH4HoxS%AT6^lhYGkLEul_>z}$O+L`b2M}VVe zTa0X6c#Fl_FgP4;dBuPkdo92c;#tPhic}J>RqRc{HOJ|@@m;CFOc|K)gM*)+bK;%W zUpPij=Ls)hycMRL3HVS~&7Z?pQ>W~9RH^#eE2BtSbK;FWgB*=i)~8C+{@zITh5HP~ z1KDZL7RGC)b1j@S)=m~HfA(AeA@Jn9Amsek)2<$q*)OwxL<|gA+DjsN7+3K_7TBg6 z6$E~#Vv!JY^q*^;4P;g%l2&*KQX}SlBMDaX!5P%+kI=+T+G+t1*z-78tqAT}6AN9$ z-w}nRRXL_!R^SGZcS3nQQKpDtttvt9*sQ+Y#Y|IRd47h8%NPMMHZ@*AsvPG#(7izr zvJharLH+JRd$3zpv0wSYc>oKgwOkTi%NV);i$IwKjZ#%)a2^$s;xt9ZMHLr zg_n7jtcZ{timuNM<a9}%% z=VwI75g?P8rFZb7XMCNRhRSBTjF)@?w=~vIw|s}Hr0oE@_8Dr)={fHJ4qEOobZ!hj zzX1_fgFQ>O_3C+g;g1!&fMRNGoouKazUS7k-%1EC<&3{oplrsE{_nd0!X3J+OkB^E;OVKwBIa)Ftd=Xdq-BS*H~<)v2ehVD#m>JPpRSDeJZ%5pR%g+2|M`Px^)AYW`)It{JI~W@|qB zpMJFC{CC@m$^RVq$u<7=#w&n}=*oaY6kZ~_!Z+Rw z0}FMd8Jagt_CKXhJ~k~#{NBAS5D*sbZExOOG5;&z0n4WTAq_#lXbz{!_RZ)2gkL^# zU{vW!@gGqB-@o{6Me_R#sA2JQ8SKC1X869#_&i-kfA;`NTsAB#xAvrqN6BZVZ zbLk^uo_L_zO`*QxM-Pw?*;PNT_)#_?-MiT%H#oPxLT>a`WYbo2X{=oHqlHnwSX?vj z!wUMz@&ySSFsw()+L~sA}K3$=UpsO@5dc3OHe$nNQcd0jFs15eIQiT8ruQI+>YIm&N9C7$cjS85c z=={*?x@_H_@a<@fU`w@3aiS=!h>)dw?jt_FX1UQHb>z$e{A6f zA&{nLiVP+?jK|W;6IFW|ONU5gy**j8RiyCOv5we6TR>7Rv1Cu=5jAzTI1Oc zetrIj{RTbo1$eIio z-;EEq*@BH(!mCs)K=X;R9oI`^Dn;Ibx7b;rSHUVOQTg@O_kHNyEOk;19t)(@c*wNZtjEsk5HPv<>%Mq!f^wSD-qDh{7l zc|H45A8Y|k6Scfb@A)oOm1JTXVwE@KG1)ILC+1<|mC6b=cyaIdH|D|A>J)dWhGUpF zAyu@9p;C_Z=TukLedPxpwHG+0i3{}?H|0GXB@5lhTE*mLwR=~U8`q-C#w>jaT?z9( zw>3bsYpZM5Y9IdE+S>WexsUhNOA^yJ5C6d-feKWU16$M8M_7D*gq}b|p@S8&;P0{U zjtkW;I0c=ZVv@;0MXd0jT69S&4w#(%ebh-Glz&DLLS++w5azcZ7FR{Wwo 
zt~`QAe?&Wy)}YIo!!*0`1M`)nAS%=P!AJumUt*DHuRW5Z`rAX@Y7)t1NHG6TvgzK3 z>A9pMgR%rHt)3Uwurao2OkIb#27L1p18%;7_C0{Db z&9)9k>Eu}aP7S>IJp<>i$5h&uo5c3ca-5Xms&#~ADP*9TiU`ecqq<{{lHOvW6H zr#jS{jxG;*kW}~OSm%a)b)J!T;51UXVw>dt%V^IqACpZY!DGTiSKd53yqKMIqr$Cz z-_qUVmuaJZs{sp#h=HaHpjcY5g#?>Zna8Rl&!|=nk{ErkL+5Acz8RMc&D;6HK397Z z^CCi(h37|E@D9c@s6%Jpx&rP#&SPexeFp#V zk`wj*4-f|xxA#Z$R~OdWk%`5e!`Ld_A=K$+p$y!)hDe}B>@8bK1RqqxtTtI0)`+{Ob^lsF9L3HTf{9#Qk_DJ+bxOz>W z3xym1L|F91%r|A5noSe&5aHP+?gnvSOAsW7)WeMHDIPc^F*Ff$v$y+GO5A({YM}+z zv6QW&{#h=jE=@Z_d-EZS4QI9`@Bnm73z_6-se=-jCYnAu z%83$2kZ9DOHP$5iGZOxr{vG+KyZ9VF#gqvV(N~DXD|o3(5zZlf?Kaq|zWW1xIDOQ< zhH=f{@{o>$NitY6e#s!=ch?U~3||Z(UwAC2{Fu6{9oG~V^bocT`zJNniCRz5l6Vd9 z+E8x{Cf7TaASc_JKrZHM@_IV~9~BDq6;pYBmV4sIVgQx#E^8x+FB%Q&t-C>)GGjdj z=aQT3xV3`r#CyNhM?JjAcIFprZc(BefbT~&sy}{uw7EGcHuZ-p^R_5}J(tw!oMjq* zV84Rx2xiNg800hce$|BvbJVenQj~X}vG(D6<`Qhk&C8~91K0!wj%k#XmvL$ndw!j< zYt-U*AFs!~`|{O_+Nm$e|5btCljtUvpNsXTKYMpNZkxIC@RMXZ7lafVah3iidRch% zI=RgkR~yJ2x_xSp((5D<*Vpm|FLv6x?Xu3a$e&f8lR8alr#!iHs%^9v2kHk|M4;-g z@;yi7l2|RE16js;eCy#aMA~3*;-`lc#W**2)Xblkx)-(BazYI}JS~|=?`kP3wQ<;J z(kPMaGymXkuEjg0NX6@SIrAzTo^ zn}Dg>O=@0#3Zc~rzS3ZJG=)5#^)30+|}C+$i=}Uew3y zW;;NYS0CI@GE;9Et4xa%Pwip%7mDNBWW!w^GaxVq0UUl+Vw~&C2j%^A{Asfq8i#So zLm0~DI(aAggs4vV)jOo7-Ny3Slg=G`7ahlA$A=#pK#$}X6agH*>3~<;^AwZ9<&gcIBH$ILH~uFZoHwk4hS;ibg$NyEoTB@HG^`A2G^AYU3@H{A!?|O_@1; zycgy=jS$leEp!(Y+k0Ia=%8=rHEK>)UN&E7pG`D&o{^MsT`Ynh-n{eGqcl&;ovAN9I6K7_G7LNyq=$`mJ$S$y5-$7qF?9i?h z(N#Zr@7AoTx#EcD5Yx8IYU1772y-k7nhfa{NoAx-S^-WQ`#Zs zGPI1IJr9e)={}sjuv1UafT2}3(S1;&$U{irIo_4sMfoA~m$H6D*6>=MGf4|=77vO9 z#PnDHizbdjyvid+b3K{_DgaJnZySGK@_|A%a-j6%T(q}ax;;%rWXxx2*(g`J0lTmp zDl!o-stGcnTA4+OPuHAXu_r-!dgGSlKCMKdV9(8be@M-YLvu4afNE0=v|{6WHq3FC zEq`k^H85_%u^w&dB4M5Q)E2gxWgn?{J8NbqNWt=g813y~IjeQ1GGd_q$g}YB$S`L6 z$8mU!*@NmPwI@~)HeTmz(bXeCgrY`K` zoS3^XYhFDnNf<~@Q)sikv6OeFmyhBN>r9X7cgQ922G%?H%uYzSP7pdZw9mLsNxwKn zseJzPRLR)+YryYmEzhI>YTNP*SHnBgigvogV)5~*F!U<89f-5^^5>-@e*O2&Md7Xu zzq+9+pZQsgceKkGj={eS0XZKc-(=ectc{I6mDOxkh$RIgo 
z?owy>ilPHEEmEG_rp&W2cvz|PQT3V5Q0+H9+n9wsuqYF~q@hN6ybcd)McBx*P*>&*GwRx{2u>4&+u^OJ|3UNbCGdGFbY95)u47s^td z@=UTs?6~Mz0D1B4tl_D=*hN{|3GwVOWD%BQ053H!veJoFN=aBzlfcvJ*460bF-ispQ`Jm8uhTiyI zI`g;-F?HzB-^S86csE0f_0HVq)+|1~YY0(ZO>Teg^BTu&6h{q`=~&rhnm9hncGNmW zE#r&_AY}WhiXa$qj##V`xK+Gw@M@5A>>==#&QTKK1YfA=*XFQJz07x({TTNvKAdMs zPteq1QXe}A-mUs{7t4}!#BwW+7C)R4xnADB-dR&7y$VVP6xuCwtU~;BXT$NydJ$BU zChhMpZu#Q^6d#ZSL1(-1g~%As<4JO$qP->XXHpcc6^LoztmA+pWuixUw7=?e#{r)U zMIf>_ghLC=A}_%vNfbt{Ub0c}2c?U9<&jR`k;Gm(zB9%;W=|Sn*J+9!CtuqVXHk6VJ4la&JPND9`|9M?8R>S~8KW)G&gSF&Ot2FqWjQkvCj*9Tbs zPD7ocGH49$hVB=Ya}bgR=m2@?KX$4-&NvlX4u0Tl84mU^k&Z;UKS$rL`^4=e$qeiT z{02!>uSrdP;;DOLI6HA8ZKV7senRXSd^0w~TUz9yn-!iL*KieKpShYdmH3Kz?XHi$ zw)k3`;8|@qZsbZp=XG`oWJC~rS7XHj)Jz+jur2X|42-(!JChQN;Vq<%wEiKaGkHY{ z*cDIvt56$24FqmH6J((eaR42Z9HSqO zRJ0+B55YCZQ)c@uXVCj@2uZ|)#<*JgFwEMddYTq;K6ZToX?B zC&Uu-BXl*O{=L%JcvL@rNOGqcY&0MuWKEs3n++hMQ$5P*we9+$<3Qc}I^|{@WN5R= z&b>@msWq8g>0iDKA&-GEKBu>Y4&;Kw*{784W z9QaMy`ISLf%mvWfX3Dj-*RLycCg#GR+N$NPkABvC>sD9a*fTzkw$}K=;O@+#4}3FS z*pn~}RWv9j_M&2R^D;Qi$aQ1X7l}PR{PxnXsHdd*>N-KnS9GJoB5iZSK9R+MNzVRG zsIJ2uov#)(e^D-=tTR4$MM$peiE*(7!W8a3>U5dN3+gLhG7b;62$R$z?-OOc-VJMB zUnDhG9OmooO=SJF8 zWjO9k9pF~G)srU08-IM6ZWpYAW6i|M!NCDL;yo1}H|BOs!9DK2JF_`+qh^97ekH)z zK2*|N^K7AptqY9&dD8BZb&iNfL)DG@fwM-M9p;A@ql-}ohN#SLb$bo7&@!X;(SEDL z$?(IIbiWI<)&2`SiI`W!_4$V*bS3uAFOsPQ0cz6{(KV+Mv(3tMY3?*C>D_Vg6YfI3 z;Q$K7VTWD5W;DOz?YN+2^&jzv%b{YfFXS%L!tSZcb2gV3U9hXPzcT0b6Q(}VxgqZw zSmcL)Af`A_my>_>iQ>Bvs=jk~T%r|+-B0d_8?ip7b@-m(m$iyD2N(-pOvkIYza`;t zENMN-H%?&9yksBkNHkG>Xt7S_li_028F<{)cF}lxqN0G+`93hQiOkn~z6E!v`Ca+g z!$A$G?4+&!pJc;Y$Ro;l+KEZ&)J1D)}wTqMdnoZlv#|c%)iG ztuLay4d|z%$-Y37sgrs^zpOApm8nyP7uB{}B%tXrke?O@DU}jMf|% zK08~tc-GV9j_@ode7vGrEbElKU)E|JEmC4VD9#Y0H|m*phIfLA-xPS!pol(PRWs|m z-1i01^8``Gu$^d@6QEPy5qu-U@}z*_q|WTSZvSBpQ{0RNnkhJMD|l>(R;uzpt8?e_ zr^80SlSkq3?7uclA+b&Jp**WesJT?YBJ5P~ykBo3#h7GXm846FPJc2fUa8C3&UFqWRdJC@U$F!ka&mF#Q0_-0wKE_ojHOqCM83Z`Ad0qr=a@P`M4HlD-7}FT 
zRoa_Ubq?<_JhU4AokHrGIi?+TrJ`)s74>+i>5@mLDox(BY-IY7_b+qKQr~Z{g!obQRxO(vQ#~e(ja~?!haUPCbTscL- z%fiDHPLswgDcK=>6_W`j5_=%AK#yt6j6IX!)yB@|ss*FJ`!H%YdV39Tjq|+yQM*MCN`L1R?c=mW-I2NKX7Q` z2VE3Iif-=%M+PgIkZApV+If1=@~9lI+r+pSYpe9epf6CuQ?;}%a&?gn3wU$SxCjXB z!d8Hpho{fBd8*0r+d*Rm{kb*R5M8{ z9SkskG?vEB{tUP^G+vs2oH!DuybnSm{FXOQI=u?LL;dJB$Q-GC*+2K#d^5Uk)zSKR z^OPxnOLgF`k$Y=0M|F5)mU)#`D%O1VT5H()V*g+_amrLU$S+Y&G4?y-=)R2GvaMA; zx`PJAIxHiOSJ-2h9x0-xc=;*btKBOfc3p>3#;I{r63DlNk#8U zk|a-i@jH4lsGLRb@@fYEQr-P_)Xg2|MZyI*XjkCl&@oW3w}Z}l%5)k$XLIu(Y% zf~tk=#G6hARRh5%Z{=h&g+;yi)J2o)&=Qxc1y) zv!RTUIGh&7uwrFS>N5UO1@{}aT=gJb9LnM^&l-RA&|U_N%`R=*rX_{?b+8GgNR)Yx z-q8eoJfkPHQC2)q9)wlDZ0)R@kuz$-7a_TLU0l(Cmu!(4yK+hHm7qeAZvk`& z&f%bjWU;_NWJCINKuu{`xRV6eNa&j4XZCt{B{t+A%1+Ox*85up$VStYW)1NTkD`s%JVz8t5npO_}?#{!Ubr})<79k!J*;tuRL}{IF zonl-}Qn(68U%?J5mdB)ukFE`0(Qu{#Kv}hFE>$#2+Oq=(F6*a=h-ijy3W&8UN1YDW zT%h^#*q)g3I{3c;yz5z(R7A~4;!2{lGxR{uhDW`M1O!^qnM)zIt6Jjhv6mguW`!B# z9~O<%m(@Df){s+<02i`pZloC2k}@}d^I_;D?jQ1yV> zDN*(Ogn(jX=o@wC1vmcX8igF-@|BI3@#EZ_Z1*X>f5)CL>W!=DQj|DuEpX!3>BER= zt`-KHmEV}#+GO#5%{-Smf+!w+{McoN;&SXTv(Du>5i93-WWz~dW}@NMV9lkn-8o!O z$)dICxJQSHE5X8PH(V0(wyM6CYC3WtsX7DtWTFJSENDmg6L3-9v!POcwYF1t{! 
zulrl8Ejq+3uGG>MYLp7*Xoi~d%w5&E7tux!SofY!Bs*ZqdS3Bu-tPgqI@n^Iw`wa>z)>YzlSU zSMc#@;CHTJy=>LRo>2D*rxFeNVkwzw>DG37U>MD0NPa6dUw0eCcm+?43bvh$7PFlD z`FlpE9={VCQ81v^#uR?CX6|^&EXyfYoQ|Cv2xRl*Wb=Bz z=&BO+nUQ=w$B_Rq{04DKF1Ng3s|8xu!k#pN%uwITG6th)S@G%Sc9RK`dCHhzv9+>i z%DY@tRQXrgG>a=JHq@@;`k^5{SJ`a8c{thtQ{ndPxTG83z0(;Jw^)_e2*0-M!}t(& ze@GRjR=;dsS0@FO8m@hGf?`A|aLGuagH36ozE3S|t&jbCO0FAv*h!-X7dbxZ$*HMY zY%opf^}SeyST|liE^gAZFwKqVNQ&lRy<&J{Cpy*Pp97YZ;-$eTsqx>5;_x%-inzOO zX>q-oycm(Z)U`COdnCIvg$$T|*cP&E%&j_Uqr^^lt@dkEdPbbn1#G2e^+XoVwdnmH zhUiu*KMz%;UoMi8@c?yy-eYb_an?H{_wDV1T)0G{pcEFB3RniLwF5179h4i6!jGI= z7!<=YrfOGWo8u;&#nR3klnubwx|hWso=*i=>4vf zCa(hZ;SqdMrqflVD}grx@E3XC5BmO7I!gFKvHS_hyAn{$-nT0?nJ=z(xTpvIDlQd}^2UJxkxV!W7)Zr;OB$9mXyI#A36%6(!vkwI=XkC0t zpak}P^(L7JI(ezcQy=bZ)My{w!!C}r&xGl|hyMA{N<^Y^bbgDm9S>+QI%Nfx6WgAr znbdlmdDZWms38`VTB=3eT%KL`={T45Gly8jG|0PV9)Chd{rQ9k+KeVZT?RguRDg<< z)OSv&Dj#wi>tx2l&P;fhHC#_g%iQe5@8h2d;EY6*i;tqMSm(BflDA1&8?N?tRouP! z-6KyHr6Zc6CcJH|5YOp3biR0T=RXr436)RdN&5ACC@K zL0S8sO_!VCbjs9CW;5dGn9MAAwg4Z-L8d0Fx__bp=F3CnK04)ouP>$tM$Y%it|9G> z@vT^bGP>JBoEEpk!%9rn*N^`@FQCZ$@%kS-wPcGhm1mC6&XW2xUrqk(SeUcBdVPjw}|s2lD^c9$a-jcoh9O7`}Z{G z;`u2Z+(%Fi-}+@5R=5e75y^x*LH+f2TuoI9nP}JNdou3~#pD-%hyA?iu0vwpR!mts zZlkKf8B&n)`Z3RGat-d;A1gJv?lTG3L((3RmMV}J0~IicjRbGzlGf~Q?p+Xd-IIz@ z0xxX%RBw&5EywGsJ>$-?*xIc!pB4YeD*Q4&u8>xUN8pJLtQ!mZS%FEzOO^+{M-Ne% z+c&Otn%UZBuTS^~kZZTkl*sM*?X5G5NS(KrC4pvlu<&~?(EJkXVX!jppl6<(R5tm_ z%O8BVcU}!f^IF|*EnhdU+sm_|ro^BN?%bpdWbBilZ}-)Xgr4)`ZwZ!+jvQt^c`Jhr zN-ePvrZVE7jhs(^XgIZ#c81kQm=q>9$R_$gKas`HKxB%bp9_A(!W}t(l5kzfz1|q! 
z!(OcEh&3)k;qdiKulzzUBf5C}zFNx-X8^gL^u=d7S5jdqG~jy#L*@RFPuG5{|A&e1 zx>=tX<_Ld3*EotMBi3KfciD2ug@bPxhG`8lxSb0om{&nYzo#$3E8kURpeNw}kpMdC zNTB4yWQBtkg~ajAUc_kmzFI*;O3H8!i`B_lKviV$)MJ#6_IbuPQ3&%Ju@DK|?ZHKH zEMY>Svm|mSED>`sguriV;?KprgJ2P07}}&D*GVAU8m7N3P8Sj7=E5sd8r z)t~RW3}|2xk{qIHV*foppGd&t6Kq5gEA(#>{FA{Vbfvk+rN0>*aNU7e;PDZn5lY7U zA0mwYBf|g7r^xw-5&s9z8HCX!#`oMKsVx!3_2z}U$9`elxxsen1A z;>ii#^}yYP@44`fU!^{1=r*-RUtVH9=sm5YC9ETPtC0+7RqUDP-yzoneg^}$?tk64 zpYtWfgTX|D8y#?M$72Ih(A$qtk zW_J|F+`n=XR(1XXHthfot0bnwiJOmorg;47r3Ql)iNtOq=PSeX^v805(cN-IJ4MO; zR~+0^VJESsH5XhAK8%1L6~o(xy<+zh+vUs+XXgsP@P|9UJZCl~&( zgZb%{TKo%6G$mYi$J)-Q)K_bB+06K#PdQvCYd8>?)l4iNUtY}RP_)W8<8-tnkf)tQ zsx_I}af}nk4F+;L3ecB-iA#Cm)9SG#80x=>w>!}?9i<%0DYOv&xKwGhV<#qG+Af`v zPx72oi4#Ntl>{YpsXEIRyt5IgrL3zqNT0o?yd1#v48yM^*H3%)KEF>Dq449@&lQ2F z@3rJIqY*Z|(U-msLXKj|c@{LK^2ol)n-WPiLbifedNv`{~ zRG!~mOs?HASZd;%wiDas<&C~la1f5Dw068(+4x!>Ws!B)_vL4*n%bIb`s2oP1xt(C z^L>Bv)6dc+?z;n4<{WI+W8LE-jcR9VnQ=hzNpwZ6Pi!6MRQ67%f@^D9sywqin{#<9 zI3-n+d0Ei(G6SW=1`UHve3}vXY8Tvpz$7@UtLvaTVU8$D10TF=<(XJqB|P8Dqm$A% z5Ug52`s;H9_!OfZKhj{sR z0>YtpEQoK+-cvN#xIPo@zlcb-GW{w^Hhy}xdAzXG%3ZM&5OAbotJH~7VqW8O1JXyd&0bBGsDLs?AsS1WEBehcoMO?NiCg<@w| zrj~JvJ#`|I!NtKet|VL@x!SQwP(6x#Cl(LiG};YnHxXDtqlI`5FQQj%1k(abX|O!r#Gm2r}vHl~N;^Byj%kDA-&C`0OS)7@e< zo}JwJ?FDJ=3?nXONASAgIhNzde3n_g$b~*~KQtZs%N&1PEi653-jN1JA)>9baJ%o8 z|92r1{vr=(eyb=EtuVEK=zF1^VE-tWk%%-yTrXj*HqmqY%*+%s z#EhT3_u2cNwN}-4|J^G6Q0Y~TdRjfx{Y>}MgE~+pe>)%4eJ_!Whg$K9gD73>^<>1C zK`yCf#wpNmpL_x}JL|r=G{$hzKv*q`J`zgnLuYfsZs!KIW|}!~$NkL;4*kBdA7%(+ z8)+syuGYPBNz1d1i+Chka}j76k#5*oL6~Mfdf`RDTr(JJld>w^M34 z3BrLO(gEmM0!La87~1w}!Qzj(^t$Few33cJvir2F-Ux1$o2X^jXC7HHBP6>69Va*0 z%2q;+l;^tGxdP+v6?l8^@y6jw{gtm&<>fd|XKUi7t?X9!Z24^B`r>?=uhC{`wcVSW zrTfaWWahOZe|ycger0a|t7{SzHbfZ<+r|ujR+qb(r9#Vlz^QA0;?cg#g~>Ja z+cd4029(82!vuR(!=TSAM^ZJ&`CXs3_u6{#w6#Oze+(RPR)ojc(06FkOD}K2e+tv- zB{QKgzf!#D&au2-I|-hl!jq>_^uw(4@GZnH!}5Gixf&hZtkLO-U-QKpqXx;r86p`VD0-tdLmBeiWr*L5&<&=A_hhzrGal0&4Y6ohw4V)b>$}G!9deM 
zJi?{)(BWK5I-x>QhM!MhP2IN7{1~dHc66b4feE}Z?E7CtD}Sgi_Cxh!ut3lw!|aSXak8pgJH(7e>Uk;h=Piqyxf`} zX$^-7BHtXUDD>F3I*72B2D6`-{SQMNATQ!Yve?eALD26{9Xe@LAr>8E>M_oNrV>z? zedK{s#{$nbX!b&RJF#57`&)i_s_+@jcscSWxfIEEo>-7dRauT-6jm81lTekA>b!mv zAtiFP{bgxdVpj5j(7ZrG=ms`YXg)OMh_N#i*~l+X*SSA|6{s17dYi}Wy<>M@%taol zwFIk%p_H}RAB-q}4wtncZ&R)Kl6|b8G1CCb0iLLJVM|`g>zKic%{u$jZ-h7dM9OP0 z5WmL$@0hn6In3uaJ))~BRyi!IcWvMTO#tr zq6pUr4w;zKd1XZd?0Aupc{R09B_qKGpo929Ds#E><a)#|42X1j2WqA*(H~@RywfBq#ROdzAk`Zw&qq5iU?b zBDh?I#{Na=pg*8HnhFFohD=z{#s4mXUy#qsCTc>gwhXwDkx>#G&j8@>U!etSb7CkyO z+lK@sd^hNNyT5pfe=V)-*b&yh!O?d(sQZpcnbn1a{*J|bK)S0%_zOt=*N-4zzpGnH zMGocf>Lz}l2E_lfY1n>;!A_HVJ!>m2wP@wuV!`;2JibKa?_u_krAe-Yt`9mh4KIa} zvMH;^sJZAjR~$)6Nx3!C>c-87FT}dsKRD=AHV?aqaA2n8p#D36kYu-4^oVo~$ZP^x z!Q`F1s77S`@>vXbtVLz*SPE_tv^C>Cc(P@~O8}kf&*ci4@28Cg!3{7<#1M!)Y8CbW zI}q5rJ^Kv9!3l$t>yqdyIAKsY`tKDw<=Q9YQI{AL!#I-Ir!Z=oUv6hLZWlZ&P~c_T z|M~fYDiipdoWg+Je#GMkCH|OHFVPL4RI_UnMeF-B0kJM7nlQhzYQ)}C_2p-NNsFU| zZWMMKSbfsMo|+N_i%(WR24_lwFE|3M$^nlCm-puTb@$$6uYr#Jg2KTIT{U!cI*1!< zOpslXQ9b0U?%1Vwq)t{JKRrLn7*3`?MyjR z&_eY>F)d~6&YIB?-KzoChjy_TQ0ko-bPeFwO&cnd-V!}3H8^)X2+)T_{HRLfUydaF zBCNnU@ED{wu!x&q_?v~&gH3^~orj!xp2U6+sH9I1{#+%LU6NxS?iO!HbeK$iZ; zD71Gk(Jj8h%c{o)I3Er_`f_s(+P;(JTo)LHI8_mBG6ANa7{n^CVcUrb)QKi)fK>ty zWB^0J-S4=?q#QBebC&I3nZ+-4Rx&t6EPWAc_*K82nu|iV(iMf6rQWA{T33q%!aqA~ z3A`|2;i7+_-FA&D`g6P~whR2zm}^@I)zv9n`kayQ`;;vlN$kv1Q4bvv!-Fj3bTq;c zV40~sXsmlohK5Fjo}X=MZstU_jGm!55I?Fl)qW888HUQcMXo(IBs5LyEHxbJlSd2Y z{oiE?MG7)%2o_apblB)G8!*^qHJm)d?2`L_$1=*`JX%=&{Mo>p#5r$AYu(!o=@nklch^xr0 zx4xe7w>}AV(i7_!Ad8Yg5_R#!&$4O`#xIWUZyDCjZ(TD|xwy8v$DE(<o^ok?qY?0 zZ0fnZpVMF$*upEA(TjE4iZB;7YL7AqgmIzKVEQk1>-Hh>lRRCAMppt*xF~kvPPpaPKEvIi zly5ZSct7{|P22@7sRP%Zdln3AvVoM&E`>c=8dw>~<%K;=qiy^bGm&Nn8DDVgET6gj!si6M|O*wzc`D7^>Dxr-2Wpei7> zMIAxREuJrFNY6y|?2V(#+aF88OF!2R?k?5s)#GFlTKqVeB#i%qyW6!vJqXpFsfgTk zL5wq_63(iB8uj$TgW=Gw0igB22M)fSsJ7VNbQp8e>I5kXD3SE?DxQVwK`mjzs4g$!@w;A? 
zA7>v4Ir%!j@K+@iM1_97O<7bozHuXdK%TmAoIi1Uyh-&a<2iMBMr;a>BYofvb?X%$ z(~65s8-bI*Kl36V@C;YL;o!it*ccBdgJw% zJ4+Q8)MyWu(q5sLMkFd|#`YCv8$KAg$0%RgT}net_hNl<05m^*)LXu$9!u5!5pSiF zi8a?UlbXBeczBWWN9)#BzPCDiR!v{)r?Fg-Ur#qBOje!Aid z;r<%AaNFSvhZ9gvjkYKIibQeNO+Y23c|Wua6jMibd#on_?IL~R^*I$Cm~V5|q5W$_ z+8wl>gcqF}c&PkTuj9te8RZ>PUXaIE30D5`#=6m;D*+dx8Ow9ewsUs&+i>X=F(wRiwi7D7~K;$@VbQkj@H zCX&l*z?=W<`8V~&gBVe1 zqcx9_KqUk?mJ}ed9P>4d^|chfcWq~^ih+X3PG0MYTUh!}cm!*$Hm!3<28Ax}f1Rk% zSDzVAXsda7TQuxtNU0-=Ywt&$XT=w_Qm{E_WVQJuw+&lN1V`wY`+H!#hbO#ORzgI3 z#~~}25?ewR`(~>qr74ydi}+GKtY%|AsZ%9UWvf2lv&n|vTXF)w6;YP9FH#eA)Vz$~ z0At(_9?f|%V;hM9^gld>%^Gbd#}CX)YiewSYPABGC7O-Ij*gIgm3F>&yB}5!Q~6gH zE*KNr^zztS1fIpfN+SsY5>BP%m*vr$n%~PCVY!RUUXBVyE8}Xq2az})T`Wf!MO}vl z%C(XUBT<^lesb$CKNC+W*jGEKQ?6H(#!8pOqE?ijI!474xL{IXVmsgA;LVz=vi-%C!+aF}Ldqj>6)#N8#1(x1)d#64v94}^0(O+(f4OXO@O{QZ zUvhLKP&{~_gC5-w1rNH>P=<3|sDhdW`M`l>I|%wL#x+}~Gh$jpK6dxK2Av~!kv(^H z_i6xdpy#+TOC(9%cYk`k*?V{e2KR;I%1BJD-+%HkV0h1&7u%>^ZYfVp-TNU?0Dj@+ zYY;^3PK7a}C9*p7q&kfAMqv3eF8NUEc!^NvJ+sbJc$oDqhG?pA*D5shq^pbht&rtn zmM^wr5si8f-bv82))FM`zN?fchni82^sD0+)1x=AVY=v;8l)$H+FiHqJ;rWnnFQw2 zS|QWmfQ^sKRs$)}pzse;Z{4K7`aD=~KVFWaqc{z&Uy9;dMeHi=fdCBBGcL{LRN)h$ zTI(eawO@On4N$YCL4aV!HMF_`bMn8i01EQmxsu{hLxP;E3HU8c@QQDdgV`eS#$r7u zPnK@Et6fPWZ<#xFBW0$jM=T)+U?gjQnu;7%b_|~iYp2@N06sH(BRn-#VV5p7pE}_u z%j6J-5>~wmsO3-5QqCGpdR`9RexyzXve?52J;>b(sPxwrunpy^wtM9lVl~- zU8V6$|3mt>^qh9lM6sqV{6M|@a@cQVX?!Jx6-Z0!RX=I&ads)1&F?fuszu|Ky7|bh zq9k%)hn^m6eod1a93V~DI{kjsur?w{_1;UioCRSm^}AnTH? zd1QZw-S#df$sH-r+Rn%SV6g6PGTjA6pIsja{RAD?N(Aqr8rLoU= zzy=JP1x#@xL{3a#Pbp8LZZJqQFpCpUR5Bh|RnB}ahi_-i6pEwPxLu>wz``zcVQb{f zIjonz=1Q{0Xog3=n|`wFnYajwp=f