From 64cfc91a70e7dfb070025cef630f8b7df6c6c0cf Mon Sep 17 00:00:00 2001 
From: Germain GUEUTIER Date: Tue, 5 Nov 2024 15:22:12 +0100 Subject: [PATCH] init --- .github/workflows/ci.yaml | 171 +++++++++++++ .github/workflows/release.yaml | 145 +++++++++++ .gitignore | 1 + Dockerfile | 94 +++++++ LICENSE | 21 ++ README.md | 19 +- chart/.gitignore | 2 + chart/.helmignore | 26 ++ chart/Chart.yaml | 6 + chart/templates/NOTES.txt | 8 + chart/templates/_helpers.tpl | 294 ++++++++++++++++++++++ chart/templates/cert-manager.yaml | 55 ++++ chart/templates/client/cert-manager.yaml | 35 +++ chart/templates/client/deployment.yaml | 120 +++++++++ chart/templates/client/networkpolicy.yaml | 36 +++ chart/templates/client/pdb.yaml | 34 +++ chart/templates/server/cert-manager.yaml | 40 +++ chart/templates/server/deployment.yaml | 140 +++++++++++ chart/templates/server/gateway.yaml | 80 ++++++ chart/templates/server/ingress.yaml | 61 +++++ chart/templates/server/istio.yaml | 93 +++++++ chart/templates/server/networkpolicy.yaml | 65 +++++ chart/templates/server/pdb.yaml | 33 +++ chart/templates/server/role.yaml | 55 ++++ chart/templates/server/service.yaml | 56 +++++ chart/templates/server/tls-secrets.yaml | 83 ++++++ chart/templates/serviceaccount.yaml | 43 ++++ chart/values.yaml | 294 ++++++++++++++++++++++ demo/.env | 8 + demo/README.md | 76 ++++++ demo/docker-compose.yaml | 116 +++++++++ demo/files/gitguardian/nginx.conf | 48 ++++ demo/files/vcs/nginx.conf | 24 ++ docs/assets/ggbridge.drawio.png | Bin 0 -> 97066 bytes docs/assets/ggbridge_demo.drawio.png | Bin 0 -> 101193 bytes go.mod | 3 + main.go | 123 +++++++++ 37 files changed, 2507 insertions(+), 1 deletion(-) create mode 100644 .github/workflows/ci.yaml create mode 100644 .github/workflows/release.yaml create mode 100644 .gitignore create mode 100644 Dockerfile create mode 100644 LICENSE create mode 100644 chart/.gitignore create mode 100644 chart/.helmignore create mode 100644 chart/Chart.yaml create mode 100644 chart/templates/NOTES.txt create mode 100644 chart/templates/_helpers.tpl create mode 
100644 chart/templates/cert-manager.yaml create mode 100644 chart/templates/client/cert-manager.yaml create mode 100644 chart/templates/client/deployment.yaml create mode 100644 chart/templates/client/networkpolicy.yaml create mode 100644 chart/templates/client/pdb.yaml create mode 100644 chart/templates/server/cert-manager.yaml create mode 100644 chart/templates/server/deployment.yaml create mode 100644 chart/templates/server/gateway.yaml create mode 100644 chart/templates/server/ingress.yaml create mode 100644 chart/templates/server/istio.yaml create mode 100644 chart/templates/server/networkpolicy.yaml create mode 100644 chart/templates/server/pdb.yaml create mode 100644 chart/templates/server/role.yaml create mode 100644 chart/templates/server/service.yaml create mode 100644 chart/templates/server/tls-secrets.yaml create mode 100644 chart/templates/serviceaccount.yaml create mode 100644 chart/values.yaml create mode 100644 demo/.env create mode 100644 demo/README.md create mode 100644 demo/docker-compose.yaml create mode 100644 demo/files/gitguardian/nginx.conf create mode 100644 demo/files/vcs/nginx.conf create mode 100644 docs/assets/ggbridge.drawio.png create mode 100644 docs/assets/ggbridge_demo.drawio.png create mode 100644 go.mod create mode 100644 main.go diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml new file mode 100644 index 0000000..986f282 --- /dev/null +++ b/.github/workflows/ci.yaml 
@@ -0,0 +1,171 @@
+name: CI
+
+on:
+ pull_request:
+ push:
+ branches:
+ - '*'
+ tags-ignore:
+ - '*'
+ paths-ignore:
+ - 'demo/**'
+ - 'docs/**'
+ - 'LICENSE'
+ - 'README.md'
+ workflow_dispatch:
+
+env:
+ DAGGER_VERSION: "0.13.7"
+ DOCKER_REGISTRY: ${{ vars.DOCKER_REGISTRY }}
+ DOCKER_REPOSITORY: ${{ vars.DOCKER_REPOSITORY }}
+ DOCKER_REGISTRY_USERNAME: ${{ vars.DOCKER_REGISTRY_USERNAME }}
+ DOCKER_REGISTRY_PASSWORD: ${{ secrets.DOCKER_REGISTRY_PASSWORD }}
+ GH_DOCKER_REPOSITORY: ${{ vars.GH_DOCKER_REPOSITORY }}
+ GH_HELM_REPOSITORY: ${{ vars.GH_HELM_REPOSITORY }}
+
+jobs:
+ docker-unstable:
+ if: github.ref == 'refs/heads/init' && github.event_name == 'push'
+
+ name: Push Docker image
+ runs-on: ubuntu-latest
+
+ strategy:
+ matrix:
+ target: ["debug", "prod"]
+
+ permissions:
+ contents: read
+ packages: write
+ attestations: write
+ id-token: write
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Set short SHA
+ id: sha
+ run: echo "short_sha=${GITHUB_SHA::7}" >> $GITHUB_ENV
+
+ - name: Set image tag
+ id: tag
+ run: |
+ if [ "${{ github.ref }}" == "refs/heads/init" ]; then
+ if [[ "${{ matrix.target }}" == "debug" ]]; then
+ echo "tag=unstable-debug" >> $GITHUB_ENV
+ else
+ echo "tag=unstable" >> $GITHUB_ENV
+ fi
+ else
+ if [[ "${{ matrix.target }}" == "debug" ]]; then
+ echo "tag=build-${{ env.short_sha }}-debug" >> $GITHUB_ENV
+ else
+ echo "tag=build-${{ env.short_sha }}" >> $GITHUB_ENV
+ fi
+ fi
+
+ - name: Publish Docker image to Github
+ uses: dagger/dagger-for-github@v6
+ env:
+ GH_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
+ with:
+ version: ${{ env.DAGGER_VERSION }}
+ engine-stop: false
+ module: github.com/opopops/daggerverse/docker@v1.0.0
+ verb: call
+ args: |
+ --registry=ghcr.io \
+ --username=${{ github.actor }} \
+ --password=env:GH_REGISTRY_PASSWORD \
+ build \
+ --context=. \
+ --target=${{ matrix.target }} \
+ --platform=linux/amd64,linux/arm64 \
+ publish \
+ --image=ghcr.io/${GH_DOCKER_REPOSITORY}:${{ env.tag }} \
+
+ - name: Copy Docker image to Docker Hub
+ uses: dagger/dagger-for-github@v6
+ env:
+ COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+ COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+ DOCKER_REGISTRY_PASSWORD: ${{ secrets.DOCKER_REGISTRY_PASSWORD }}
+ GH_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
+ with:
+ version: ${{ env.DAGGER_VERSION }}
+ engine-stop: false
+ module: github.com/opopops/daggerverse/crane@v1.0.0
+ verb: call
+ args: |
+ with-registry-auth \
+ --address=ghcr.io \
+ --username=${{ github.actor }} \
+ --secret=env:GH_REGISTRY_PASSWORD \
+ with-registry-auth \
+ --address=$DOCKER_REGISTRY \
+ --username=$DOCKER_REGISTRY_USERNAME \
+ --secret=env:DOCKER_REGISTRY_PASSWORD \
+ copy \
+ --source=ghcr.io/${GH_DOCKER_REPOSITORY}:${{ env.tag }} \
+ --target=${DOCKER_REGISTRY}/${DOCKER_REPOSITORY}:${{ env.tag }} \
+
+ - name: Scan Docker image
+ uses: dagger/dagger-for-github@v6
+ env:
+ GH_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
+ with:
+ version: ${{ env.DAGGER_VERSION }}
+ module: github.com/opopops/daggerverse/grype@v1.0.0
+ verb: call
+ args: |
+ with-registry-auth \
+ --address=ghcr.io \
+ --username=${{ github.actor }} \
+ --secret=env:GH_REGISTRY_PASSWORD \
+ scan \
+ --source=ghcr.io/${GH_DOCKER_REPOSITORY}:${{ env.tag }} \
+
+ helm-unstable:
+ if: github.ref == 'refs/heads/init' && github.event_name == 'push'
+ name: Push Helm Chart
+ runs-on: ubuntu-latest
+
+ permissions:
+ contents: read
+ packages: write
+ attestations: write
+ id-token: write
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Lint
+ uses: dagger/dagger-for-github@v6
+ with:
+ version: ${{ env.DAGGER_VERSION }}
+ engine-stop: false
+ module: github.com/purpleclay/daggerverse/helm-oci@v0.4.0
+ verb: call
+ args: |
+ lint \
+ --dir chart \
+ --strict \
+
+ - name: Publish Helm chart
+ uses: dagger/dagger-for-github@v6
+ env:
+ GH_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
+ with:
+ version: ${{ env.DAGGER_VERSION }}
+ module: github.com/purpleclay/daggerverse/helm-oci@v0.4.0
+ verb: call
+ args: |
+ package-push \
+ --dir chart \
+ --version="0.0.0" \
+ --appVersion="unstable" \
+ --registry=ghcr.io/${GH_HELM_REPOSITORY} \
+ --username=${{ github.actor }} \
+ --password=env:GH_REGISTRY_PASSWORD \
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
new file mode 100644
index 0000000..f0435c3
--- /dev/null
+++ b/.github/workflows/release.yaml
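Review bot: Every step that handles registry credentials runs third-party code referenced by a mutable tag: `actions/checkout@v4`, `dagger/dagger-for-github@v6`, and the Dagger modules `github.com/opopops/daggerverse/docker@v1.0.0`, `crane@v1.0.0`, `grype@v1.0.0` and `github.com/purpleclay/daggerverse/helm-oci@v0.4.0`. The upstream owner can move these tags, so pinning each to a full commit SHA would fix what code receives the secrets; the same references recur in release.yaml. `DOCKER_REGISTRY_PASSWORD` is set in the workflow-level `env:`, which exposes it to every step of both jobs although only the "Copy Docker image to Docker Hub" step uses it and already declares it. That copy step (here and in release.yaml) also receives `COSIGN_PASSWORD` and `COSIGN_PRIVATE_KEY` although its `args` contain no signing call. Dropping the workflow-level secret and the two unused cosign variables, and removing `attestations: write` / `id-token: write` where no visible step consumes them, would narrow what a compromised module can reach.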
@@ -0,0 +1,145 @@
+name: Release
+
+on:
+ push:
+ tags:
+ - 'v*'
+
+env:
+ DAGGER_VERSION: "0.13.7"
+ DOCKER_REGISTRY: ${{ vars.DOCKER_REGISTRY }}
+ DOCKER_REPOSITORY: ${{ vars.DOCKER_REPOSITORY }}
+ DOCKER_REGISTRY_USERNAME: ${{ vars.DOCKER_REGISTRY_USERNAME }}
+ GH_DOCKER_REPOSITORY: ${{ vars.GH_DOCKER_REPOSITORY }}
+ GH_HELM_REPOSITORY: ${{ vars.GH_HELM_REPOSITORY }}
+
+jobs:
+ docker:
+ if: startsWith(github.event.ref, 'refs/tags/v')
+
+ name: Release Docker image
+ runs-on: ubuntu-latest
+
+ strategy:
+ matrix:
+ target: ["debug", "prod"]
+
+ permissions:
+ contents: read
+ packages: write
+ attestations: write
+ id-token: write
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Publish Docker image to GitHub
+ uses: dagger/dagger-for-github@v6
+ env:
+ COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+ COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+ GH_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
+ with:
+ version: ${{ env.DAGGER_VERSION }}
+ engine-stop: false
+ module: github.com/opopops/daggerverse/docker@v1.0.0
+ verb: call
+ args: |
+ --registry=ghcr.io \
+ --username=${{ github.actor }} \
+ --password=env:GH_REGISTRY_PASSWORD \
+ build \
+ --context=. \
+ --target=${{ matrix.target }} \
+ --platform=linux/amd64,linux/arm64 \
+ publish \
+ --image=ghcr.io/${GH_DOCKER_REPOSITORY}:${{ github.ref_name }} \
+ sign \
+ --password=env:COSIGN_PASSWORD \
+ --private-key=env:COSIGN_PRIVATE_KEY \
+
+ - name: Copy Docker image to Docker Hub
+ uses: dagger/dagger-for-github@v6
+ env:
+ COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+ COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+ DOCKER_REGISTRY_PASSWORD: ${{ secrets.DOCKER_REGISTRY_PASSWORD }}
+ GH_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
+ with:
+ version: ${{ env.DAGGER_VERSION }}
+ engine-stop: false
+ module: github.com/opopops/daggerverse/crane@v1.0.0
+ verb: call
+ args: |
+ with-registry-auth \
+ --address=ghcr.io \
+ --username=${{ github.actor }} \
+ --secret=env:GH_REGISTRY_PASSWORD \
+ with-registry-auth \
+ --address=$DOCKER_REGISTRY \
+ --username=$DOCKER_REGISTRY_USERNAME \
+ --secret=env:DOCKER_REGISTRY_PASSWORD \
+ copy \
+ --source=ghcr.io/${GH_DOCKER_REPOSITORY}:${{ github.ref_name }} \
+ --target=${DOCKER_REGISTRY}/${DOCKER_REPOSITORY}:${{ github.ref_name }} \
+
+ - name: Scan Docker image
+ uses: dagger/dagger-for-github@v6
+ env:
+ GH_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
+ with:
+ version: ${{ env.DAGGER_VERSION }}
+ module: github.com/opopops/daggerverse/grype@v1.0.0
+ verb: call
+ args: |
+ with-registry-auth \
+ --address=ghcr.io \
+ --username=${{ github.actor }} \
+ --secret=env:GH_REGISTRY_PASSWORD \
+ scan \
+ --source=ghcr.io/${GH_DOCKER_REPOSITORY}:${{ github.ref_name }} \
+ --fail-on=high \
+
+
+ helm:
+ name: Push Helm Chart
+ runs-on: ubuntu-latest
+
+ permissions:
+ contents: read
+ packages: write
+ attestations: write
+ id-token: write
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Lint
+ uses: dagger/dagger-for-github@v6
+ with:
+ version: ${{ env.DAGGER_VERSION }}
+ engine-stop: false
+ module: github.com/purpleclay/daggerverse/helm-oci@v0.4.0
+ verb: call
+ args: |
+ lint \
+ --dir chart \
+ --strict \
+
+ - name: Publish Helm chart
+ uses: dagger/dagger-for-github@v6
+ env:
+ GH_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
+ with:
+ version: ${{ env.DAGGER_VERSION }}
+ module: github.com/purpleclay/daggerverse/helm-oci@v0.4.0
+ verb: call
+ args: |
+ package-push \
+ --dir chart \
+ --appVersion="${{ github.ref_name }}" \
+ --registry=ghcr.io/${GH_HELM_REPOSITORY} \
+ --username=${{ github.actor }} \
+ --password=env:GH_REGISTRY_PASSWORD \
\ No newline at end of file
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..f81e5d7
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.local/
\ No newline at end of file
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..9f05b04
--- /dev/null
+++ b/Dockerfile
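Review bot: The "Scan Docker image" step with `--fail-on=high` is the last step of the `docker` job, after the image has already been published and signed on ghcr.io and copied to Docker Hub. A failing scan therefore turns the job red but leaves the signed release tag available in both registries. Building to a staging tag or digest, scanning it, and only then publishing, signing and copying would make the scan an actual release gate. The cosign signature is created against the ghcr.io reference before the `copy`; whether it follows the image to `${DOCKER_REGISTRY}/${DOCKER_REPOSITORY}` is not visible here and should be verified, otherwise Docker Hub consumers cannot verify the release. The Helm chart pushed by the `helm` job is not signed at all in the visible steps.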
@@ -0,0 +1,94 @@
+# syntax=docker/dockerfile:1
+
+ARG REGISTRY="cgr.dev"
+
+### Base
+FROM --platform=$BUILDPLATFORM ${REGISTRY}/chainguard/wolfi-base:latest AS base
+
+LABEL org.opencontainers.image.authors="GitGuardian SRE Team "
+
+ARG TARGETOS
+ARG TARGETARCH
+ARG TARGETVARIANT
+
+RUN apk add --no-cache \
+ curl
+
+### WSTunnel
+FROM base AS wstunnel
+
+ARG WSTUNNEL_VERSION="10.1.5"
+ENV WSTUNNEL_VERSION=$WSTUNNEL_VERSION
+RUN curl -fsSL https://github.com/erebe/wstunnel/releases/download/v${WSTUNNEL_VERSION}/wstunnel_${WSTUNNEL_VERSION}_${TARGETOS}_${TARGETARCH}.tar.gz | \
+ tar xvzf - -C /usr/bin wstunnel && \
+ chmod 755 /usr/bin/wstunnel
+USER 65532
+
+FROM base AS builder
+
+RUN apk add --no-cache \
+ bash \
+ git \
+ go
+
+
+### Build
+FROM builder AS build
+
+WORKDIR /build
+COPY go.mod .
+COPY main.go .
+RUN CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} \
+ go build -o ggbridge -ldflags "-w" .
+
+
+### Dev
+FROM builder AS dev
+
+RUN apk add --no-cache \
+ nano \
+ openssl \
+ vim
+
+COPY --link --from=wstunnel --chmod=755 /usr/bin/wstunnel /usr/bin/wstunnel
+
+
+### Debug
+FROM base AS debug
+
+LABEL org.opencontainers.image.description="ggbridge - connect your on-prem VCS with the GitGuardian Platform"
+
+RUN apk add --no-cache \
+ bash \
+ curl \
+ nginx-mainline \
+ openssl
+
+RUN install -d -m 755 -o 65532 -g 65532 \
+ /var/lib/nginx \
+ /var/lib/nginx/html \
+ /var/lib/nginx/logs && \
+ install -d -m 777 -o 65532 -g 65532 \
+ /var/lib/nginx/tmp \
+ /var/run
+
+COPY --link --from=wstunnel --chmod=755 /usr/bin/wstunnel /usr/bin/wstunnel
+COPY --link --from=build --chmod=755 /build/ggbridge /usr/bin/ggbridge
+
+USER 65532
+
+ENTRYPOINT []
+CMD ["/bin/sh", "-l"]
+
+
+### Prod
+FROM ${REGISTRY}/chainguard/glibc-dynamic:latest AS prod
+
+LABEL org.opencontainers.image.authors="GitGuardian SRE Team "
+LABEL org.opencontainers.image.description="ggbridge - connect your on-prem VCS with the GitGuardian Platform"
+
+COPY --link --from=wstunnel --chmod=755 /usr/bin/wstunnel /usr/bin/wstunnel
+COPY --link --from=build --chmod=755 /build/ggbridge /usr/bin/ggbridge
+
+ENTRYPOINT ["/usr/bin/ggbridge"]
+CMD ["client"]
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..189412c
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2024 Germain
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/README.md b/README.md
index b77e343..ddb1ab1 100644
--- a/README.md
+++ b/README.md
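Review bot: The `wstunnel` stage pipes the `curl -fsSL https://github.com/erebe/wstunnel/releases/download/...` archive straight into `tar` and installs the binary without checking a digest, so both the debug and prod images trust whatever that URL serves at build time. Downloading to a file and verifying it before unpacking would close this, e.g. `echo "${WSTUNNEL_SHA256}  /tmp/wstunnel.tar.gz" | sha256sum -c -`, where `WSTUNNEL_SHA256` is a placeholder for a per-architecture build arg (the digests are not on this page). The base images `chainguard/wolfi-base:latest` and `chainguard/glibc-dynamic:latest` are also unpinned; referencing them by digest would make rebuilds reproducible and auditable. In the debug stage, `install -d -m 777` on `/var/lib/nginx/tmp` and `/var/run` looks broader than needed, since both are already owned by 65532. Unless the image must run under arbitrary UIDs, `-m 755` should suffice.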
@@ -1 +1,18 @@ -# ggbridge \ No newline at end of file +# ggbridge: connect your on-prem VCS with the GitGuardian Platform + +**ggbridge** is a tool designed to facilitate secure connections between the GitGuardian SaaS platform and your on-premise Version Control Systems (VCS) that are not exposed to the public internet. By acting as a secure bridge, GGBridge enables GitGuardian to access repositories located in isolated environments, ensuring that your sensitive code data remains protected while taking advantage of GitGuardian’s powerful scanning capabilities. + +With ggbirdge, organizations can maintain their internal infrastructure and security protocols without sacrificing the ability to integrate with GitGuardian’s monitoring and alerting features. + +## How it Works + +![ggbridge](./docs/assets/ggbridge.drawio.png) + +**ggbridge** is composed of two main parts: + +- **Server**: Installed on the GitGuardian's network. +- **Client**: Installed on the customer’s private network. + +The client component connects to the server using the WebSocket protocol to establish a secure, mutually authenticated (mTLS) tunnel between the customer’s network and the GitGuardian SaaS platform. This ensures both ends are securely authenticated. + +Once the tunnel is established, a proxy server is deployed on the GitGuardian side, which allows secure access to the client’s on-prem VCS through the tunnel. This proxy connection enables GitGuardian to scan and monitor your repositories without requiring your VCS to be publicly accessible. diff --git a/chart/.gitignore b/chart/.gitignore new file mode 100644 index 0000000..aee4987 --- /dev/null +++ b/chart/.gitignore @@ -0,0 +1,2 @@ +values-local*.yaml +values-local*.yml diff --git a/chart/.helmignore b/chart/.helmignore new file mode 100644 index 0000000..671084a --- /dev/null +++ b/chart/.helmignore 
@@ -0,0 +1,26 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ + +values-local.yaml +values-local.yml diff --git a/chart/Chart.yaml b/chart/Chart.yaml new file mode 100644 index 0000000..390f126 --- /dev/null +++ b/chart/Chart.yaml @@ -0,0 +1,6 @@ +apiVersion: v2 +name: ggbridge +description: A Helm chart for installing ggbridge +type: application +version: 0.0.0 +appVersion: "v0.0.0" diff --git a/chart/templates/NOTES.txt b/chart/templates/NOTES.txt new file mode 100644 index 0000000..e5322b4 --- /dev/null +++ b/chart/templates/NOTES.txt @@ -0,0 +1,8 @@ +Thank you for installing GitGuardian ggbridge. + +Your release is named {{ .Release.Name }}. + +To learn more about the release, try: + + $ helm status {{ .Release.Name }} + $ helm get all {{ .Release.Name }} diff --git a/chart/templates/_helpers.tpl b/chart/templates/_helpers.tpl new file mode 100644 index 0000000..d40edaf --- /dev/null +++ b/chart/templates/_helpers.tpl 
@@ -0,0 +1,294 @@ +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "ggbridge.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Expand the name of the chart. +*/}} +{{- define "ggbridge.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "ggbridge.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create a default fully qualified client name. +{{ include "ggbridge.client.name" . }} +*/}} +{{- define "ggbridge.client.fullname" -}} +{{- printf "%s-client" (include "ggbridge.fullname" .) | trunc 63 | trimSuffix "-" }} +{{- end -}} + +{{/* +Create a default fully qualified server name. +{{ include "ggbridge.server.name" ( dict "name" "server_name" context $ ) }} +*/}} +{{- define "ggbridge.server.fullname" -}} +{{- printf "%s-server" (include "ggbridge.fullname" .) | trunc 63 | trimSuffix "-" }} +{{- end -}} + +{{/* +Common labels +*/}} +{{- define "ggbridge.labels" -}} +helm.sh/chart: {{ include "ggbridge.chart" . }} +{{ include "ggbridge.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- with .Values.commonLabels }} +{{ tpl (toYaml .) 
$ }} +{{- end -}} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "ggbridge.selectorLabels" -}} +app.kubernetes.io/name: {{ include "ggbridge.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Client labels +{{ include "ggbridge.client.labels" . }} +*/}} +{{- define "ggbridge.client.labels" -}} +{{ include "ggbridge.client.selectorLabels" . }} +{{- with .Values.client.labels }} +{{ tpl (toYaml .) $ }} +{{- end }} +{{- end }} + +{{/* +Client selector labels +{{ include "ggbridge.client.selectorLabels" . }} +*/}} +{{- define "ggbridge.client.selectorLabels" -}} +app.kubernetes.io/component: client +{{- end }} + +{{/* +Server labels +{{ include "ggbridge.server.labels" . }} +*/}} +{{- define "ggbridge.server.labels" -}} +{{ include "ggbridge.server.selectorLabels" . }} +{{- with .Values.server.labels }} +{{ tpl (toYaml .) $ }} +{{- end }} +{{- end }} + +{{/* +Server selector labels +{{ include "ggbridge.server.selectorLabels" . }} +*/}} +{{- define "ggbridge.server.selectorLabels" -}} +app.kubernetes.io/component: server +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "ggbridge.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "ggbridge.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} + +{{/* +Return the proper image name. +If image tag and digest are not defined, termination fallbacks to chart appVersion. 
+{{ include "ggbridge.image" }} +*/}} +{{- define "ggbridge.image" -}} +{{- $registryName := .Values.image.registry -}} +{{- $repositoryName := .Values.image.repository -}} +{{- $separator := ":" -}} +{{- $termination := .Values.image.tag | toString -}} + +{{- if not .Values.image.tag }} + {{- if .Chart }} + {{- $termination = .Chart.AppVersion | toString -}} + {{- end -}} +{{- end -}} +{{- if .Values.image.digest }} + {{- $separator = "@" -}} + {{- $termination = .Values.image.digest | toString -}} +{{- end -}} +{{- if $registryName }} + {{- printf "%s/%s%s%s" $registryName $repositoryName $separator $termination -}} +{{- else -}} + {{- printf "%s%s%s" $repositoryName $separator $termination -}} +{{- end -}} +{{- end -}} + +{{/* +Returns client pod affinity. +{{ include "ggbridge.client.affinity" $ }} +*/}} +{{- define "ggbridge.client.affinity" -}} +{{- $hostnames := list -}} +{{- range $index, $values := .Values.client.hosts -}} + {{- $hostnames = append $hostnames $values.hostname -}} +{{- end -}} +podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 1 + podAffinityTerm: + labelSelector: + matchExpressions: + - key: app.kubernetes.io/component + operator: In + values: + - client + - key: hostname + operator: In + values: {{ $hostnames | uniq | toYaml | nindent 16 }} + topologyKey: "kubernetes.io/hostname" + - weight: 100 + podAffinityTerm: + labelSelector: + matchExpressions: + - key: app.kubernetes.io/component + operator: In + values: + - client + - key: hostname + operator: In + values: {{ $hostnames | uniq | toYaml | nindent 16 }} + topologyKey: "topology.kubernetes.io/zone" +{{- end -}} + +{{/* +Returns server pod affinity. 
+{{ include "ggbridge.server.affinity" $ }} +*/}} +{{- define "ggbridge.server.affinity" -}} +{{- $hostnames := list -}} +{{- range $index, $values := .Values.server.hosts -}} + {{- $hostnames = append $hostnames $values.hostname -}} +{{- end -}} +podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 1 + podAffinityTerm: + labelSelector: + matchExpressions: + - key: app.kubernetes.io/component + operator: In + values: + - server + - key: hostname + operator: In + values: {{ $hostnames | uniq | toYaml | nindent 16 }} + topologyKey: "kubernetes.io/hostname" + - weight: 100 + podAffinityTerm: + labelSelector: + matchExpressions: + - key: app.kubernetes.io/component + operator: In + values: + - server + - key: hostname + operator: In + values: {{ $hostnames | uniq | toYaml | nindent 16 }} + topologyKey: "topology.kubernetes.io/zone" +{{- end -}} + +{{/* +Returns ingress annotations +{{ include "ggbridge.server.ingressAnnotations" ( dict "fullname" . "context" $ ) }} +*/}} +{{- define "ggbridge.server.ingressAnnotations" -}} +{{- $context := .context -}} +{{- $fullname := .fullname -}} +{{- $annotations := dict -}} +{{- if $context.Values.server.tls.enabled -}} + {{- if eq $context.Values.server.ingress.controller "traefik" -}} + {{- $_ := set $annotations "traefik.ingress.kubernetes.io/router.entrypoints" "websecure" -}} + {{- $_ := set $annotations "traefik.ingress.kubernetes.io/service.serversscheme" "http" -}} + {{- $_ := set $annotations "traefik.ingress.kubernetes.io/router.tls.options" (printf "%s-%s@kubernetescrd" $context.Release.Namespace $fullname ) -}} + {{- else if eq $context.Values.server.ingress.controller "nginx" -}} + {{- $_ := set $annotations "nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream" "false" -}} + {{- $_ := set $annotations "nginx.ingress.kubernetes.io/backend-protocol" "HTTP" -}} + {{- if eq $context.Values.server.tls.mode "mutual" -}} + {{- $_ := set $annotations 
"nginx.ingress.kubernetes.io/auth-tls-secret" (printf "%s/%s-crt" $context.Release.Namespace $fullname) -}} + {{- $_ := set $annotations "nginx.ingress.kubernetes.io/auth-tls-verify-client" "on" -}} + {{- $_ := set $annotations "nginx.ingress.kubernetes.io/auth-tls-verify-depth" "1" -}} + {{- end -}} + {{- end -}} +{{- end -}} +{{- $annotations = include "ggbridge.tplvalues.merge" ( dict "values" ( list $context.Values.server.ingress.annotations $annotations $context.Values.commonAnnotations ) "context" $context ) | fromYaml -}} +{{ include "ggbridge.tplvalues.render" ( dict "value" $annotations "context" $context) }} +{{- end -}} + +{{/* +Renders a value that contains template perhaps with scope if the scope is present. +Usage: +{{ include "ggbridge.tplvalues.render" ( dict "value" .Values.path.to.the.Value "context" $ ) }} +{{ include "ggbridge.tplvalues.render" ( dict "value" .Values.path.to.the.Value "context" $ "scope" $app ) }} +*/}} +{{- define "ggbridge.tplvalues.render" -}} +{{- $value := typeIs "string" .value | ternary .value (.value | toYaml) }} +{{- if contains "{{" (toJson .value) }} + {{- if .scope }} + {{- tpl (cat "{{- with $.RelativeScope -}}" $value "{{- end }}") (merge (dict "RelativeScope" .scope) .context) }} + {{- else }} + {{- tpl $value .context }} + {{- end }} +{{- else }} + {{- $value }} +{{- end }} +{{- end -}} + +{{/* +Merge a list of values that contains template after rendering them. +Merge precedence is consistent with http://masterminds.github.io/sprig/dicts.html#merge-mustmerge +Usage: +{{ include "ggbridge.tplvalues.merge" ( dict "values" (list .Values.path.to.the.Value1 .Values.path.to.the.Value2) "context" $ ) }} +*/}} +{{- define "ggbridge.tplvalues.merge" -}} +{{- $dst := dict -}} +{{- range .values -}} +{{- $dst = include "ggbridge.tplvalues.render" (dict "value" . 
"context" $.context "scope" $.scope) | fromYaml | merge $dst -}} +{{- end -}} +{{ $dst | toYaml }} +{{- end -}} + +{{/* +Merge a list of values that contains template after rendering them. +Merge precedence is consistent with https://masterminds.github.io/sprig/dicts.html#mergeoverwrite-mustmergeoverwrite +Usage: +{{ include "ggbridge.tplvalues.merge-overwrite" ( dict "values" (list .Values.path.to.the.Value1 .Values.path.to.the.Value2) "context" $ ) }} +*/}} +{{- define "ggbridge.tplvalues.merge-overwrite" -}} +{{- $dst := dict -}} +{{- range .values -}} +{{- $dst = include "ggbridge.tplvalues.render" (dict "value" . "context" $.context "scope" $.scope) | fromYaml | mergeOverwrite $dst -}} +{{- end -}} +{{ $dst | toYaml }} +{{- end -}} diff --git a/chart/templates/cert-manager.yaml b/chart/templates/cert-manager.yaml new file mode 100644 index 0000000..fa5b4a7 --- /dev/null +++ b/chart/templates/cert-manager.yaml 
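Review bot: In `ggbridge.server.ingressAnnotations`, the merge list puts `$context.Values.server.ingress.annotations` ahead of the computed `$annotations`, and `ggbridge.tplvalues.merge` folds with sprig `merge`, which keeps keys already present in the destination. A user-supplied `nginx.ingress.kubernetes.io/auth-tls-verify-client` or `auth-tls-secret` annotation therefore silently wins over the values this helper sets for `tls.mode: mutual`. If the mTLS annotations are meant to be authoritative, list the computed dict first: `( list $annotations $context.Values.server.ingress.annotations $context.Values.commonAnnotations )`. If the override is intentional, the helper's header comment should say so. The usage comments above `ggbridge.client.fullname` and `ggbridge.server.fullname` name `ggbridge.client.name` / `ggbridge.server.name`, which this file does not define, and should be corrected to the real template names.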
@@ -0,0 +1,55 @@
+{{- if .Values.server.tls.certManager.enabled -}}
+ {{- $fullname := include "ggbridge.fullname" . -}}
+ {{- $namespace := ternary (default .Release.namespace .Values.server.istio.gateway.namespace) .Release.namespace .Values.server.istio.enabled -}}
+ {{- if eq .Values.server.tls.certManager.issuer "selfSigned" }}
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: {{ printf "%s-selfsigned" $fullname }}
+ namespace: {{ $namespace }}
+ labels:
+ {{- include "ggbridge.labels" $ | nindent 4 }}
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "ggbridge.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" . ) | nindent 4 }}
+ {{- end }}
+spec:
+ selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: {{ printf "%s-ca" $fullname }}
+ namespace: {{ $namespace }}
+ labels:
+ {{- include "ggbridge.labels" $ | nindent 4 }}
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "ggbridge.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+spec:
+ isCA: true
+ commonName: {{ printf "%s-ca" $fullname }}
+ secretName: {{ printf "%s-ca" $fullname }}
+ duration: 87600h # 10 years
+ privateKey:
+ algorithm: RSA
+ size: 2048
+ issuerRef:
+ name: {{ printf "%s-selfsigned" $fullname }}
+ kind: Issuer
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: {{ printf "%s-ca" $fullname }}
+ namespace: {{ $namespace }}
+ labels:
+ {{- include "ggbridge.labels" $ | nindent 4 }}
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "ggbridge.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+spec:
+ ca:
+ secretName: {{ printf "%s-ca" $fullname }}
+ {{- end }}
+{{- end }}
diff --git a/chart/templates/client/cert-manager.yaml b/chart/templates/client/cert-manager.yaml
new file mode 100644
index 0000000..27e3da0
--- /dev/null
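Review bot: `$namespace` is built from `.Release.namespace` (lower-case n), here and again in chart/templates/client/cert-manager.yaml. Helm's built-in is `.Release.Namespace`, so the lower-case lookup most likely resolves to empty and the `namespace:` fields of the Issuers and Certificate render blank unless Istio is enabled and `server.istio.gateway.namespace` is set. The line should read `{{- $namespace := ternary (default .Release.Namespace .Values.server.istio.gateway.namespace) .Release.Namespace .Values.server.istio.enabled -}}`. Separately, the self-signed CA is a 2048-bit RSA key valid for `87600h` with no `renewBefore` or rotation settings. Since this CA anchors the mTLS tunnel, a stronger key (`size: 4096` or ECDSA) and a documented rotation path are worth considering.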
+++ b/chart/templates/client/cert-manager.yaml
@@ -0,0 +1,35 @@
+{{- if .Values.server.tls.certManager.enabled -}}
+{{- $fullname := include "ggbridge.fullname" . -}}
+{{- $namespace := ternary (default .Release.namespace .Values.server.istio.gateway.namespace) .Release.namespace .Values.server.istio.enabled -}}
+ {{- with .Values.client -}}
+ {{- $clientFullname := include "ggbridge.client.fullname" $ -}}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: {{ printf "%s-crt" $clientFullname }}
+ namespace: {{ $namespace }}
+ labels:
+ {{- include "ggbridge.labels" $ | nindent 4 }}
+ {{- include "ggbridge.client.labels" $ | nindent 4 }}
+ {{- if $.Values.commonAnnotations }}
+ annotations: {{- include "ggbridge.tplvalues.render" ( dict "value" $.Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+spec:
+ secretName: {{ printf "%s-crt" $clientFullname }}
+ duration: 17520h # 2 years
+ privateKey:
+ algorithm: RSA
+ size: 2048
+ commonName: {{ $clientFullname }}
+ usages:
+ - client auth
+ issuerRef:
+ {{- if eq $.Values.server.tls.certManager.issuer "selfSigned" }}
+ name: {{ printf "%s-ca" $fullname }}
+ {{- else }}
+ name: {{ $.Values.server.tls.certManager.issuer }}
+ {{- end }}
+ kind: Issuer
+ {{- end }}
+{{- end }}
diff --git a/chart/templates/client/deployment.yaml b/chart/templates/client/deployment.yaml
new file mode 100644
index 0000000..fd1c8d7
--- /dev/null
+++ b/chart/templates/client/deployment.yaml
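Review bot: The client Certificate is rendered only when `.Values.server.tls.certManager.enabled` is true, and it is placed in `$namespace`, which is derived from the server's Istio gateway settings. The client Deployment in chart/templates/client/deployment.yaml, however, mounts `<clientFullname>-crt` from `$.Release.Namespace` whenever `client.tls.enabled` is set and no `existingSecret` is given. With Istio enabled and a gateway namespace different from the release namespace, or with client TLS enabled but the server-side certManager switch off, the pod would reference a Secret that does not exist in its namespace. Gating this template on client-side values and using `namespace: {{ $.Release.Namespace }}` would make the two agree. The deployment hunk is cut off on this page, so confirm against the full file. The two-year client certificate also sets no `renewBefore`; stating the intended renewal window explicitly would make expiry behaviour predictable.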
@@ -0,0 +1,120 @@ +{{- range $index, $host := .Values.client.hosts -}} + {{- with $host -}} + {{- $fullname := include "ggbridge.fullname" $ }} + {{- $clientFullname := include "ggbridge.client.fullname" $ }} + {{- $indexClientFullname := printf "%s-%d" $clientFullname ($index | int) }} +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ $indexClientFullname }} + namespace: {{ $.Release.Namespace }} + labels: + {{- include "ggbridge.labels" $ | nindent 4 }} + {{- include "ggbridge.client.labels" $ | nindent 4 }} + {{- if $.Values.commonAnnotations }} + annotations: {{- include "ggbridge.tplvalues.render" ( dict "value" $.Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + replicas: {{ $.Values.client.replicas }} + {{- with $.Values.client.updateStrategy }} + strategy: + {{- toYaml . | nindent 4 }} + {{- end }} + selector: + matchLabels: + {{- include "ggbridge.selectorLabels" $ | nindent 6 }} + {{- include "ggbridge.client.selectorLabels" $ | nindent 6 }} + hostname: {{ .hostname }} + template: + metadata: + {{- with $.Values.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "ggbridge.labels" $ | nindent 8 }} + {{- include "ggbridge.client.labels" $ | nindent 8 }} + {{- with $.Values.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + hostname: {{ .hostname }} + spec: + {{- with $.Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . 
| nindent 8 }} + {{- end }} + serviceAccountName: {{ include "ggbridge.serviceAccountName" $ }} + {{- if $.Values.podSecurityContext.enabled }} + securityContext: + {{- toYaml (omit $.Values.podSecurityContext "enabled") | nindent 8 }} + {{- end }} + containers: + - name: {{ $.Chart.Name }} + {{- if $.Values.containerSecurityContext.enabled }} + securityContext: + {{- toYaml (omit $.Values.containerSecurityContext "enabled") | nindent 12 }} + {{- end }} + image: {{ include "ggbridge.image" $ }} + imagePullPolicy: {{ $.Values.image.pullPolicy }} + command: ["ggbridge"] + args: ["client"] + env: + - name: SERVER_ADDRESS + value: {{ .hostname }} + - name: TLS_ENABLED + value: {{ $.Values.client.tls.enabled | quote }} + {{- with $.Values.client.dnsResolver }} + - name: DNS_RESOLVER + value: {{ . | quote }} + {{- end }} + {{- with $.Values.client.connectionMinIdle }} + - name: CONNECTION_MIN_IDLE + value: {{ . | quote }} + {{- end }} + {{- with $.Values.logLevel }} + - name: LOG_LEVEL + value: {{ . | quote }} + {{- end }} + {{- if $.Values.client.tls.enabled }} + volumeMounts: + - name: tls-secret + mountPath: /etc/ggbridge/certs + readOnly: true + {{- end }} + resources: + {{- toYaml $.Values.resources | nindent 12 }} + {{- if $.Values.client.tls.enabled }} + volumes: + - name: tls-secret + secret: + {{- if (get (default dict $.Values.client.tls) "existingSecret") }} + secretName: {{ $.Values.client.tls.existingSecret }} + items: + - key: {{ default "tls.crt" $.Values.client.tls.existingSecretKeys.crt }} + path: client.crt + - key: {{ default "tls.key" $.Values.client.tls.existingSecretKeys.key }} + path: client.key + {{- else}} + secretName: {{ printf "%s-crt" $clientFullname }} + items: + - key: tls.crt + path: client.crt + - key: tls.key + path: client.key + {{- end }} + defaultMode: 420 + {{- end }} + {{- with $.Values.nodeSelector }} + nodeSelector: + {{- toYaml . 
| nindent 8 }} + {{- end }} + {{- $affinity := include "ggbridge.tplvalues.merge" ( dict "values" ( list $.Values.affinity (include "ggbridge.client.affinity" $) ) "context" $ ) }} + affinity: {{- include "ggbridge.tplvalues.render" ( dict "value" $affinity "context" $) | nindent 8 }} + {{- with $.Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + + {{- end }} +{{- end }} diff --git a/chart/templates/client/networkpolicy.yaml b/chart/templates/client/networkpolicy.yaml new file mode 100644 index 0000000..a4b3885 --- /dev/null +++ b/chart/templates/client/networkpolicy.yaml @@ -0,0 +1,36 @@ +{{- if and .Values.client.hosts .Values.client.networkPolicy.enabled }} +{{- $clientFullname := include "ggbridge.client.fullname" . }} +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ $clientFullname }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "ggbridge.labels" . | nindent 4 }} + {{- include "ggbridge.client.labels" . | nindent 4 }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "ggbridge.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" . ) | nindent 4 }} + {{- end }} +spec: + podSelector: + matchLabels: + {{- include "ggbridge.selectorLabels" . | nindent 6 }} + {{- include "ggbridge.client.selectorLabels" . | nindent 6 }} + policyTypes: + - Ingress + - Egress + egress: + - ports: + # Allow dns resolution + - port: 53 + protocol: UDP + - port: 53 + protocol: TCP + - port: 443 + protocol: TCP + {{- if .Values.client.networkPolicy.extraEgress }} + {{- include "ggbridge.tplvalues.render" ( dict "value" .Values.client.networkPolicy.extraEgress "context" . ) | nindent 4 }} + {{- end }} + ingress: [] +{{- end }} diff --git a/chart/templates/client/pdb.yaml b/chart/templates/client/pdb.yaml new file mode 100644 index 0000000..926309c --- /dev/null +++ b/chart/templates/client/pdb.yaml 
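Review bot: The `tls-secret` volume uses `defaultMode: 420` (octal 0644), which leaves `client.key` readable by every user inside the container. A private key should get an owner/group-only mode, for example `defaultMode: 288` (0440), which the `fsGroup` from `podSecurityContext` can still read if the chart defaults are kept. The server Deployment template mounts `server.key` with the same mode. `value: {{ .hostname }}` under `SERVER_ADDRESS` is also unquoted, so `value: {{ .hostname | quote }}` would match the other env entries.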
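Review bot: The egress rule in the NetworkPolicy lists 53/UDP, 53/TCP and 443/TCP under one `- ports:` entry with no `to:` clause, so client pods may reach any destination on those ports, including arbitrary external DNS resolvers. DNS could be split into its own rule with a `to:` selector for the cluster DNS pods, leaving 443 for the bridge endpoint; `client.networkPolicy.extraEgress` already covers deployments that need more. Port 443 is also hard-coded, so a server reachable on another port would presumably be blocked, although the address format the client accepts is not visible here.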
@@ -0,0 +1,34 @@ +{{- if and .enabled $.Values.client.pdb.create }} + {{- range $index, $host := .Values.client.hosts -}} + {{- with $host -}} + {{- $fullname := include "ggbridge.fullname" $ }} + {{- $clientFullname := include "ggbridge.client.fullname" $ }} + {{- $indexClientFullname := printf "%s-%d" $clientFullname ($index | int) }} +--- +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ $indexClientFullname }} + namespace: {{ $.Release.Namespace }} + labels: + {{- include "ggbridge.labels" $ | nindent 4 }} + {{- include "ggbridge.client.labels" $ | nindent 4 }} + hostname: {{ .hostname }} + {{- if $.Values.commonAnnotations }} + annotations: {{- include "ggbridge.tplvalues.render" ( dict "value" $.Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + {{- if $.Values.client.pdb.minAvailable }} + minAvailable: {{ $.Values.client.pdb.minAvailable }} + {{- end }} + {{- if or $.Values.client.pdb.maxUnavailable ( not $.Values.client.pdb.minAvailable ) }} + maxUnavailable: {{ $.Values.client.pdb.maxUnavailable | default 1 }} + {{- end }} + selector: + matchLabels: + {{- include "ggbridge.selectorLabels" $ | nindent 6 }} + {{- include "ggbridge.client.selectorLabels" $ | nindent 6 }} + hostname: {{ .hostname }} + {{- end }} + {{- end }} +{{- end }} diff --git a/chart/templates/server/cert-manager.yaml b/chart/templates/server/cert-manager.yaml new file mode 100644 index 0000000..cea5eea --- /dev/null +++ b/chart/templates/server/cert-manager.yaml 
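Review bot: The guard `{{- if and .enabled $.Values.client.pdb.create }}` reads `.enabled` from the root context, which has no such key, so the condition is always false and no client PodDisruptionBudget is ever rendered. Presumably the intent was `{{- if and .Values.client.hosts .Values.client.pdb.create }}`, matching the guard used in client/networkpolicy.yaml.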
@@ -0,0 +1,40 @@ +{{- if .Values.server.tls.certManager.enabled -}} + {{- $fullname := include "ggbridge.fullname" . -}} + {{- $serverFullname := include "ggbridge.server.fullname" . }} + {{- $namespace := ternary (default .Release.namespace .Values.server.istio.gateway.namespace) .Release.namespace .Values.server.istio.enabled -}} + {{- range $index, $host := .Values.server.hosts -}} + {{- with $host }} +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: {{ printf "%s-%d-crt" $serverFullname ($index | int) }} + namespace: {{ $namespace }} + labels: + {{- include "ggbridge.labels" $ | nindent 4 }} + {{- include "ggbridge.server.labels" $ | nindent 4 }} + {{- if $.Values.commonAnnotations }} + annotations: {{- include "ggbridge.tplvalues.render" ( dict "value" $.Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + secretName: {{ printf "%s-%d-crt" $serverFullname ($index | int) }} + duration: 17520h # 2 years + privateKey: + algorithm: RSA + size: 2048 + commonName: {{ .hostname }} + dnsNames: + - {{ .hostname }} + usages: + - server auth + issuerRef: + {{- if eq $.Values.server.tls.certManager.issuer "selfSigned" }} + name: {{ printf "%s-ca" $fullname }} + {{- else }} + name: {{ $.Values.server.tls.certManager.issuer }} + {{- end }} + kind: Issuer + + {{- end }} + {{- end }} +{{- end }} diff --git a/chart/templates/server/deployment.yaml b/chart/templates/server/deployment.yaml new file mode 100644 index 0000000..06d2ef8 --- /dev/null +++ b/chart/templates/server/deployment.yaml 
@@ -0,0 +1,140 @@ +{{- range $index, $host := .Values.server.hosts -}} + {{- with $host -}} + {{- $fullname := include "ggbridge.fullname" $ }} + {{- $serverFullname := include "ggbridge.server.fullname" $ }} + {{- $indexServerFullname := printf "%s-%d" $serverFullname ($index | int) }} +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ $indexServerFullname }} + namespace: {{ $.Release.Namespace }} + labels: + {{- include "ggbridge.labels" $ | nindent 4 }} + {{- include "ggbridge.server.labels" $ | nindent 4 }} + {{- if $.Values.commonAnnotations }} + annotations: {{- include "ggbridge.tplvalues.render" ( dict "value" $.Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + replicas: 1 + strategy: + type: RollingUpdate + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + selector: + matchLabels: + {{- include "ggbridge.selectorLabels" $ | nindent 6 }} + {{- include "ggbridge.server.selectorLabels" $ | nindent 6 }} + hostname: {{ .hostname }} + template: + metadata: + {{- with $.Values.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "ggbridge.labels" $ | nindent 8 }} + {{- include "ggbridge.server.labels" $ | nindent 8 }} + hostname: {{ .hostname }} + {{- with $.Values.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- with $.Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . 
| nindent 8 }} + {{- end }} + serviceAccountName: {{ include "ggbridge.serviceAccountName" $ }} + {{- if $.Values.podSecurityContext.enabled }} + securityContext: + {{- toYaml (omit $.Values.podSecurityContext "enabled") | nindent 8 }} + {{- end }} + containers: + - name: ggbridge + {{- if $.Values.containerSecurityContext.enabled }} + securityContext: + {{- toYaml (omit $.Values.containerSecurityContext "enabled") | nindent 12 }} + {{- end }} + image: {{ include "ggbridge.image" $ }} + imagePullPolicy: {{ $.Values.image.pullPolicy }} + command: ["ggbridge"] + args: ["server"] + env: + - name: SERVER_ADDRESS + value: {{ printf "0.0.0.0:%d" ($.Values.server.services.external.ports.ws.containerPort | int) }} + {{- if and ($.Values.server.tls.enabled) (not $.Values.server.ingress.enabled) (not $.Values.server.gateway.enabled) (not $.Values.server.istio.enabled) }} + - name: TLS_ENABLED + value: "true" + {{- end }} + {{- with $.Values.logLevel }} + - name: LOG_LEVEL + value: {{ . | quote }} + {{- end }} + ports: + - name: ws + containerPort: {{ $.Values.server.services.external.ports.ws.containerPort }} + protocol: TCP + - name: socks + containerPort: {{ $.Values.server.services.proxy.ports.socks.containerPort }} + protocol: TCP + # readinessProbe: + # tcpSocket: + # port: {{ $.Values.server.services.external.ports.ws.containerPort }} + # initialDelaySeconds: 5 + # periodSeconds: 10 + # livenessProbe: + # tcpSocket: + # port: {{ $.Values.server.services.external.ports.ws.containerPort }} + # initialDelaySeconds: 5 + # periodSeconds: 10 + {{- if $.Values.server.tls.enabled }} + {{- if or (eq $.Values.server.tls.mode "passthrough") (and (not $.Values.server.ingress.enabled) (not $.Values.server.gateway.enabled) (not $.Values.server.istio.enabled)) }} + volumeMounts: + - name: tls-secret + mountPath: /etc/ggbridge/certs + readOnly: true + {{- end }} + {{- end }} + resources: + {{- toYaml $.Values.resources | nindent 12 }} + {{- if $.Values.server.tls.enabled }} + {{- if 
or (eq $.Values.server.tls.mode "passthrough") (and (not $.Values.server.ingress.enabled) (not $.Values.server.gateway.enabled) (not $.Values.server.istio.enabled)) }} + volumes: + - name: tls-secret + secret: + {{- if (get (default dict .tls) "existingSecret") }} + secretName: {{ .tls.existingSecret }} + items: + - key: {{ default "ca.crt" .tls.existingSecretKeys.caCrt }} + path: ca.crt + - key: {{ default "tls.crt" .tls.existingSecretKeys.crt }} + path: server.crt + - key: {{ default "tls.key" .tls.existingSecretKeys.key }} + path: server.key + {{- else}} + secretName: {{ printf "%s-crt" $indexServerFullname }} + items: + - key: ca.crt + path: ca.crt + - key: tls.crt + path: server.crt + - key: tls.key + path: server.key + {{- end }} + defaultMode: 420 + {{- end }} + {{- end }} + {{- with $.Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- $affinity := include "ggbridge.tplvalues.merge" ( dict "values" ( list $.Values.affinity (include "ggbridge.server.affinity" $) ) "context" $ ) }} + affinity: {{- include "ggbridge.tplvalues.render" ( dict "value" $affinity "context" $) | nindent 8 }} + {{- with $.Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + + {{- end }} +{{- end }} diff --git a/chart/templates/server/gateway.yaml b/chart/templates/server/gateway.yaml new file mode 100644 index 0000000..008c5fb --- /dev/null +++ b/chart/templates/server/gateway.yaml 
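Review bot: `TLS_ENABLED` is set only when ingress, gateway and istio are all disabled, yet the `tls-secret` volume is also mounted when `server.tls.mode` is `passthrough`. In passthrough mode the front proxy does not terminate TLS, so the pod would receive TLS traffic with certificates mounted but, as far as this template shows, TLS not switched on. Guarding the env var with the same `or (eq $.Values.server.tls.mode "passthrough") (and (not ...) ...)` expression used for `volumeMounts` would keep the two in step. Both probes are commented out as well, so with `maxUnavailable: 0` a rollout treats the new pod as ready before the listener is confirmed up.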
@@ -0,0 +1,80 @@ +{{- if .Values.server.gateway.enabled }} + {{- range $index, $host := .Values.server.hosts -}} + {{- with $host -}} + {{- $fullname := include "ggbridge.fullname" $ }} + {{- $serverFullname := include "ggbridge.server.fullname" $ }} + {{- $indexServerFullname := printf "%s-%d" $serverFullname ($index | int) }} + +{{- if $.Values.server.gateway.gateway.create }} +--- +apiVersion: gateway.networking.k8s.io/v1 +kind: Gateway +metadata: + name: {{ $indexServerFullname }} + namespace: {{ $.Release.Namespace }} + labels: + {{- include "ggbridge.labels" $ | nindent 4 }} + {{- include "ggbridge.server.labels" $ | nindent 4 }} + {{- if or $.Values.commonAnnotations $.Values.server.gateway.annotations }} + {{- $annotations := include "ggbridge.tplvalues.merge" ( dict "values" ( list $.Values.server.gateway.annotations $.Values.commonAnnotations ) "context" $ ) }} + annotations: {{- include "ggbridge.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} + {{- end }} +spec: + gatewayClassName: {{ $.Values.server.gateway.gateway.className | quote }} + listeners: + - hostname: {{ .hostname | quote }} + allowedRoutes: + namespaces: + from: Same + {{- if $.Values.server.tls.enabled }} + name: https + port: {{ $.Values.server.gateway.gateway.ports.https }} + protocol: HTTPS + tls: + mode: Terminate + certificateRefs: + {{- if (get (default dict .tls) "existingSecret") }} + - name: {{ .tls.existingSecret }} + {{- else }} + - name: {{ printf "%s-crt" $serverFullname }} + {{- end }} + options: + gateway.istio.io/tls-terminate-mode: MUTUAL + {{- else }} + name: http + port: {{ $.Values.server.gateway.gateway.ports.http }} + protocol: HTTP + {{- end }} +{{- end }} +--- +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + name: {{ $indexServerFullname }} + namespace: {{ $.Release.Namespace }} + labels: + {{- include "ggbridge.labels" $ | nindent 4 }} + {{- include "ggbridge.server.labels" $ | nindent 4 }} + {{- if or 
$.Values.commonAnnotations $.Values.server.gateway.annotations }} + {{- $annotations := include "ggbridge.tplvalues.merge" ( dict "values" ( list $.Values.server.gateway.annotations $.Values.commonAnnotations ) "context" $ ) }} + annotations: {{- include "ggbridge.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} + {{- end }} +spec: + {{- if $.Values.server.gateway.gateway.create }} + parentRefs: + - name: {{ $fullname }} + namespace: {{ $.Release.Namespace }} + sectionName: {{ ternary "https" "http" $.Values.server.tls.enabled }} + {{- else }} + parentRefs: {{ toYaml $.Values.server.gateway.parentRefs | nindent 4 }} + {{- end }} + hostnames: + - {{ .hostname }} + rules: + - backendRefs: + - name: {{ $fullname }} + port: {{ $.Values.server.services.external.ports.ws.port }} + + {{- end }} + {{- end }} +{{- end }} diff --git a/chart/templates/server/ingress.yaml b/chart/templates/server/ingress.yaml new file mode 100644 index 0000000..e3ba659 --- /dev/null +++ b/chart/templates/server/ingress.yaml 
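Review bot: Client-certificate verification on the HTTPS listener depends on `gateway.istio.io/tls-terminate-mode: MUTUAL`, an Istio-specific option, while `gatewayClassName` is taken from values. With another Gateway implementation the listener would likely just terminate TLS and forward unauthenticated traffic, so a comment such as `# MUTUAL is honoured by Istio only; other gateway classes terminate TLS without client auth` belongs next to the option. The names also do not line up: the Gateway is `$indexServerFullname` but `parentRefs` and `backendRefs` use `$fullname`, and `certificateRefs` uses `printf "%s-crt" $serverFullname` where the other templates create `printf "%s-crt" $indexServerFullname`.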
@@ -0,0 +1,61 @@ +{{- if .Values.server.ingress.enabled }} + {{- range $index, $host := .Values.server.hosts -}} + {{- with $host -}} + {{- $fullname := include "ggbridge.fullname" $ }} + {{- $serverFullname := include "ggbridge.server.fullname" $ }} + {{- $indexServerFullname := printf "%s-%d" $serverFullname ($index | int) }} + +{{- if and (eq $.Values.server.ingress.controller "traefik") $.Values.server.tls.enabled }} +--- +apiVersion: traefik.io/v1alpha1 +kind: TLSOption +metadata: + name: {{ $indexServerFullname }} + namespace: {{ $.Release.Namespace }} + labels: + {{- include "ggbridge.labels" $ | nindent 4 }} + {{- include "ggbridge.server.labels" $ | nindent 4 }} +spec: + clientAuth: + secretNames: + - {{ printf "%s-crt" $serverFullname }} + clientAuthType: RequireAndVerifyClientCert + minVersion: VersionTLS12 +{{- end }} +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $indexServerFullname }} + namespace: {{ $.Release.Namespace }} + labels: + {{- include "ggbridge.labels" $ | nindent 4 }} + {{- include "ggbridge.server.labels" $ | nindent 4 }} + annotations: {{ include "ggbridge.server.ingressAnnotations" (dict "fullname" $fullname "context" $) | nindent 4 }} +spec: + ingressClassName: {{ $.Values.server.ingress.className | quote }} + rules: + - host: {{ .hostname | quote }} + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: {{ $fullname }} + port: + number: {{ $.Values.server.services.external.ports.ws.port }} + {{- if $.Values.server.tls.enabled }} + tls: + - hosts: + - {{ .hostname | quote }} + {{- if (get (default dict .tls) "existingSecret") }} + secretName: {{ .tls.existingSecret }} + {{- else }} + secretName: {{ printf "%s-crt" $serverFullname }} + {{- end }} + {{- end }} + + {{- end }} + {{- end }} +{{- end }} diff --git a/chart/templates/server/istio.yaml b/chart/templates/server/istio.yaml new file mode 100644 index 0000000..3f81f1f --- /dev/null +++ b/chart/templates/server/istio.yaml 
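Review bot: The Traefik `TLSOption` points `clientAuth.secretNames` at `printf "%s-crt" $serverFullname`, but server/cert-manager.yaml and server/tls-secrets.yaml name the certificate Secrets per host (`printf "%s-crt" $indexServerFullname`), so the CA bundle that `RequireAndVerifyClientCert` relies on would not be found. The same un-indexed name is used for `tls.secretName`, and the backend `service.name` is `$fullname` although service.yaml creates `$indexServerFullname`. For controllers other than Traefik no client-auth object is rendered here, so mutual TLS then depends entirely on the `ggbridge.server.ingressAnnotations` helper, which is outside this hunk.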
@@ -0,0 +1,93 @@ +{{- if .Values.server.istio.enabled }} + {{- range $index, $host := .Values.server.hosts -}} + {{- with $host -}} + {{- $fullname := include "ggbridge.fullname" $ }} + {{- $serverFullname := include "ggbridge.server.fullname" $ }} + {{- $indexServerFullname := printf "%s-%d" $serverFullname ($index | int) }} + +{{- if $.Values.server.istio.gateway.create }} +--- +apiVersion: networking.istio.io/v1 +kind: Gateway +metadata: + name: {{ $indexServerFullname }} + namespace: {{ default $.Release.Namespace $.Values.server.istio.gateway.namespace }} + labels: + {{- include "ggbridge.labels" $ | nindent 4 }} + {{- include "ggbridge.server.labels" $ | nindent 4 }} + {{- if or $.Values.commonAnnotations $.Values.server.istio.annotations }} + {{- $annotations := include "ggbridge.tplvalues.merge" ( dict "values" ( list $.Values.server.istio.annotations $.Values.commonAnnotations ) "context" $ ) }} + annotations: {{- include "ggbridge.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} + {{- end }} +spec: + selector: {{ toYaml $.Values.server.istio.gateway.selector | nindent 4 }} + servers: + {{- if $.Values.server.tls.enabled }} + - port: + number: {{ $.Values.server.istio.gateway.ports.https }} + name: https + protocol: HTTPS + tls: + mode: {{ upper $.Values.server.tls.mode }} + minProtocolVersion: {{ $.Values.server.istio.gateway.tls.minProtocolVersion }} + {{- if ne $.Values.server.tls.mode "passthrough" }} + {{- if (get (default dict .tls) "existingSecret") }} + credentialName: {{ .tls.existingSecret }} + {{- else }} + credentialName: {{ printf "%s-crt" $indexServerFullname }} + {{- end }} + {{- end }} + {{- else }} + - port: + number: {{ $.Values.server.istio.gateway.ports.http }} + name: http + protocol: HTTP + {{- end }} + hosts: + - {{ .hostname | quote }} +{{- end }} +--- +apiVersion: networking.istio.io/v1 +kind: VirtualService +metadata: + name: {{ $indexServerFullname }} + namespace: {{ $.Release.Namespace }} + labels: + {{- 
include "ggbridge.labels" $ | nindent 4 }} + {{- include "ggbridge.server.labels" $ | nindent 4 }} + hostname: {{ .hostname }} + {{- if or $.Values.commonAnnotations $.Values.server.istio.annotations }} + {{- $annotations := include "ggbridge.tplvalues.merge" ( dict "values" ( list $.Values.server.istio.annotations $.Values.commonAnnotations ) "context" $ ) }} + annotations: {{- include "ggbridge.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} + {{- end }} +spec: + hosts: + - {{ .hostname | quote }} + {{- if $.Values.server.istio.gateway.create }} + gateways: + - {{ printf "%s/%s" (default $.Release.Namespace $.Values.server.istio.gateway.namespace) $indexServerFullname }} + {{- else }} + gateways: {{ toYaml $.Values.server.istio.gateways | nindent 4 }} + {{- end }} + tls: + - match: + - port: {{ $.Values.server.istio.gateway.ports.https }} + sniHosts: + - {{ .hostname | quote }} + route: + - destination: + host: {{ $indexServerFullname }} + port: + number: {{ $.Values.server.services.external.ports.ws.port }} + http: + - match: + - uri: + prefix: "/" + route: + - destination: + host: {{ $indexServerFullname }} + port: + number: {{ $.Values.server.services.external.ports.ws.port }} + {{- end }} + {{- end }} +{{- end }} diff --git a/chart/templates/server/networkpolicy.yaml b/chart/templates/server/networkpolicy.yaml new file mode 100644 index 0000000..3041b40 --- /dev/null +++ b/chart/templates/server/networkpolicy.yaml 
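Review bot: The VirtualService renders both a `tls:` route (SNI match) and an `http:` route unconditionally, although a `tls` route only applies to passthrough traffic and the Gateway above is either HTTPS with `mode: {{ upper $.Values.server.tls.mode }}` or plain HTTP. The blocks should be gated, for example `{{- if eq $.Values.server.tls.mode "passthrough" }}` around `tls:` and `{{- else }}` before `http:`. The Gateway mode is also copied verbatim from values, so a value that maps to Istio's `SIMPLE` would terminate TLS without requiring a client certificate; a comment or a check limiting the value to the modes the chart intends to support would make that explicit.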
@@ -0,0 +1,65 @@ +{{- if and .Values.server.hosts .Values.server.networkPolicy.enabled }} + {{- $fullname := include "ggbridge.server.fullname" . }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ $fullname }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "ggbridge.labels" . | nindent 4 }} + {{- include "ggbridge.server.labels" . | nindent 4 }} + {{- if $.Values.commonAnnotations }} + annotations: {{- include "ggbridge.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + podSelector: + matchLabels: + {{- include "ggbridge.selectorLabels" $ | nindent 6 }} + {{- include "ggbridge.server.selectorLabels" $ | nindent 6 }} + policyTypes: + - Ingress + - Egress + egress: + - ports: + # Allow dns resolution + - port: 53 + protocol: UDP + - port: 53 + protocol: TCP + {{- if .Values.server.networkPolicy.extraEgress }} + {{- include "ggbridge.tplvalues.render" ( dict "value" .Values.server.networkPolicy.extraEgress "context" $ ) | nindent 4 }} + {{- end }} + ingress: + - ports: + # Allow external ws port + - port: {{ $.Values.server.services.external.ports.ws.containerPort }} + protocol: TCP + - ports: + # Allow proxy socks port + - port: {{ $.Values.server.services.proxy.ports.socks.containerPort }} + protocol: TCP + {{- if not .Values.server.networkPolicy.allowExternal }} + from: + - podSelector: + matchLabels: + {{- include "ggbridge.selectorLabels" . | nindent 14 }} + {{- include "ggbridge.client.selectorLabels" . 
| nindent 14 }} + {{- if .Values.server.networkPolicy.ingressNSMatchLabels }} + - namespaceSelector: + matchLabels: + {{- range $key, $value := .Values.server.networkPolicy.ingressNSMatchLabels }} + {{ $key | quote }}: {{ $value | quote }} + {{- end }} + {{- if .Values.server.networkPolicy.ingressNSPodMatchLabels }} + podSelector: + matchLabels: + {{- range $key, $value := .Values.server.networkPolicy.ingressNSPodMatchLabels }} + {{ $key | quote }}: {{ $value | quote }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.server.networkPolicy.extraIngress }} + {{- include "ggbridge.tplvalues.render" ( dict "value" .Values.server.networkPolicy.extraIngress "context" . ) | nindent 4 }} + {{- end }} +{{- end }} diff --git a/chart/templates/server/pdb.yaml b/chart/templates/server/pdb.yaml new file mode 100644 index 0000000..9caf7a4 --- /dev/null +++ b/chart/templates/server/pdb.yaml 
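Review bot: The first ingress rule (ws container port) has no `from:` clause, so the tunnel port is reachable from every pod and namespace regardless of `server.networkPolicy.allowExternal`; as far as the collapsed layout shows, that flag only scopes the SOCKS rule. When TLS is terminated at an ingress or gateway, server/deployment.yaml starts the pod without `TLS_ENABLED`, so in-cluster callers could reach the ws port without any client-certificate check. Limiting the ws rule to the ingress controller or gateway pods through a values-driven selector would close that path.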
@@ -0,0 +1,33 @@ +{{- range $index, $host := .Values.server.hosts -}} + {{- with $host -}} + {{- $fullname := include "ggbridge.fullname" $ }} + {{- $serverFullname := include "ggbridge.server.fullname" $ }} + {{- $indexServerFullname := printf "%s-%d" $serverFullname ($index | int) }} +--- +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ $indexServerFullname }} + namespace: {{ $.Release.Namespace }} + labels: + {{- include "ggbridge.labels" $ | nindent 4 }} + {{- include "ggbridge.server.labels" $ | nindent 4 }} + hostname: {{ .hostname }} + {{- if $.Values.commonAnnotations }} + annotations: {{- include "ggbridge.tplvalues.render" ( dict "value" $.Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + {{- if $.Values.server.pdb.minAvailable }} + minAvailable: {{ $.Values.server.pdb.minAvailable }} + {{- end }} + {{- if or $.Values.server.pdb.maxUnavailable ( not $.Values.server.pdb.minAvailable ) }} + maxUnavailable: {{ $.Values.server.pdb.maxUnavailable | default 1 }} + {{- end }} + selector: + matchLabels: + {{- include "ggbridge.selectorLabels" $ | nindent 6 }} + {{- include "ggbridge.server.selectorLabels" $ | nindent 6 }} + hostname: {{ .hostname }} + + {{- end }} +{{- end }} diff --git a/chart/templates/server/role.yaml b/chart/templates/server/role.yaml new file mode 100644 index 0000000..23e27a1 --- /dev/null +++ b/chart/templates/server/role.yaml 
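Review bot: This PodDisruptionBudget is rendered for every host with no enable flag, unlike client/pdb.yaml, which checks `client.pdb.create`, and the server Deployment hard-codes `replicas: 1`. With a single replica, `server.pdb.minAvailable: 1` blocks node drains, and the default `maxUnavailable: 1` protects nothing. Gating the template on a create flag in the same way as the client would let operators opt out.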
@@ -0,0 +1,55 @@ +{{- if .Values.server.hosts }} + {{- $fullname := include "ggbridge.fullname" . }} + {{- if .Values.server.rbac.certManager.create }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ printf "%s-cert-manager" $fullname }} + namespace: {{ .Release.Namespace }} +rules: + - apiGroups: + - '' + resources: + - 'secrets' + verbs: + - 'get' + - 'list' + - 'watch' + - apiGroups: + - 'cert-manager.io' + resources: + - 'certificates' + verbs: + - 'get' + - 'list' + - 'watch' + - 'create' + - apiGroups: + - 'cert-manager.io' + resources: + - 'issuers' + verbs: + - 'get' + - 'list' + - 'watch' + - 'create' + {{- if .Values.server.rbac.certManager.subjects }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ printf "%s-cert-manager" $fullname }} + namespace: {{ .Release.Namespace }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ printf "%s-cert-manager" $fullname }} +{{- with .Values.server.rbac.certManager.subjects }} +subjects: + {{- toYaml . | nindent 2 }} +{{- end }} + + {{- end }} + {{- end }} +{{- end }} diff --git a/chart/templates/server/service.yaml b/chart/templates/server/service.yaml new file mode 100644 index 0000000..a2137e0 --- /dev/null +++ b/chart/templates/server/service.yaml 
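Review bot: The first rule grants `get`, `list` and `watch` on every Secret in the release namespace to whatever `server.rbac.certManager.subjects` lists, which includes the CA and certificate private keys this chart stores there. If those subjects only need to manage Certificates and Issuers, the `secrets` rule can be dropped, or narrowed with `resourceNames` to the Secrets they must read. The nested `if` and `with` on `subjects` are redundant; one `with` is enough.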
@@ -0,0 +1,56 @@ +{{- $fullname := include "ggbridge.fullname" $ }} +{{- $serverFullname := include "ggbridge.server.fullname" $ }} +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ default (printf "%s-proxy" $serverFullname) .Values.server.services.proxy.name }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "ggbridge.labels" $ | nindent 4 }} + {{- include "ggbridge.server.labels" $ | nindent 4 }} + {{- if or .Values.commonAnnotations .Values.server.services.proxy.annotations }} + {{- $annotations := include "ggbridge.tplvalues.merge" ( dict "values" ( list .Values.server.services.proxy.annotations .Values.commonAnnotations ) "context" . ) }} + annotations: {{- include "ggbridge.tplvalues.render" $annotations | nindent 4 }} + {{- end }} +spec: + type: {{ .Values.server.services.proxy.type }} + ports: + - port: {{ .Values.server.services.proxy.ports.socks.port }} + targetPort: socks + protocol: TCP + name: socks + selector: + {{- include "ggbridge.selectorLabels" . | nindent 4 }} + {{- include "ggbridge.server.selectorLabels" . 
| nindent 4 }} + +{{- range $index, $host := .Values.server.hosts -}} + {{- with $host -}} + {{- $indexServerFullname := printf "%s-%d" $serverFullname ($index | int) }} +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ $indexServerFullname }} + namespace: {{ $.Release.Namespace }} + labels: + {{- include "ggbridge.labels" $ | nindent 4 }} + {{- include "ggbridge.server.labels" $ | nindent 4 }} + {{- if or $.Values.commonAnnotations $.Values.server.services.external.annotations }} + {{- $annotations := include "ggbridge.tplvalues.merge" ( dict "values" ( list $.Values.server.services.external.annotations $.Values.commonAnnotations ) "context" $ ) }} + annotations: {{- include "ggbridge.tplvalues.render" $annotations | nindent 4 }} + {{- end }} +spec: + type: {{ $.Values.server.services.external.type }} + ports: + - port: {{ $.Values.server.services.external.ports.ws.port }} + targetPort: ws + protocol: TCP + name: ws + selector: + {{- include "ggbridge.selectorLabels" $ | nindent 4 }} + {{- include "ggbridge.server.selectorLabels" $ | nindent 4 }} + hostname: {{ .hostname }} + + {{- end }} +{{- end }} diff --git a/chart/templates/server/tls-secrets.yaml b/chart/templates/server/tls-secrets.yaml new file mode 100644 index 0000000..afb3793 --- /dev/null +++ b/chart/templates/server/tls-secrets.yaml 
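Review bot: Both Services call `include "ggbridge.tplvalues.render" $annotations` with the merged value directly, whereas every other template passes `( dict "value" $annotations "context" $ )`; unless the helper (not visible here) accepts both shapes, the annotations will not render. The proxy Service selector has no `hostname` label, so SOCKS connections are balanced across the server pods of all hosts. Its `type` comes from values, so a comment should state that the SOCKS port is not meant to be exposed outside the cluster unless the proxy authenticates callers, which this hunk does not show.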
@@ -0,0 +1,83 @@ +{{- if and (.Values.server.tls.enabled) (not .Values.server.tls.certManager.enabled) -}} + {{- $fullname := include "ggbridge.fullname" . }} + {{- $serverFullname := include "ggbridge.server.fullname" . }} + {{- $clientFullname := include "ggbridge.client.fullname" . }} + {{- $releaseNamespace := $.Release.Namespace }} + {{- $clusterDomain := $.Values.clusterDomain }} + {{- $ca := dict }} + {{- $clientCert := dict }} + {{- if .Values.server.tls.autoGenerated }} + {{- $caSecret := (get (lookup "v1" "Secret" $releaseNamespace (printf "%s-ca" $fullname)) "data" | default dict) }} + {{- if $caSecret }} + {{- $ca = buildCustomCert (get $caSecret "tls.crt") (get $caSecret "tls.key") }} + {{- else }} + {{- $ca = genCA $fullname 3650 }} + {{- end }} + {{- $clientCert = genSignedCert $clientFullname nil nil 365 $ca }} + {{- $namespace := ternary (default .Release.namespace .Values.server.istio.gateway.namespace) .Release.namespace .Values.server.istio.enabled -}} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ printf "%s-ca" $fullname }} + namespace: {{ $namespace }} + labels: + {{- include "ggbridge.labels" . | nindent 4 }} + {{- if $.Values.commonAnnotations }} + annotations: {{- include "ggbridge.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" . ) | nindent 4 }} + {{- end }} +type: kubernetes.io/tls +data: + tls.crt: {{ $ca.Cert | b64enc }} + tls.key: {{ $ca.Key | b64enc }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ printf "%s-crt" $clientFullname }} + namespace: {{ .Release.namespace }} + labels: + {{- include "ggbridge.labels" $ | nindent 4 }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "ggbridge.tplvalues.render" ( dict "value" $.Values.commonAnnotations "context" . 
) | nindent 4 }} + {{- end }} +type: kubernetes.io/tls +data: + tls.crt: {{ $clientCert.Cert | b64enc }} + tls.key: {{ $clientCert.Key | b64enc }} + {{- end }} + + {{- range $index, $host := .Values.server.hosts -}} + {{- $tls := default dict $host.tls -}} + {{- if not (get $tls "existingSecret") }} + {{- $indexServerFullname := printf "%s-%d" $serverFullname ($index | int) }} + {{- $namespace := ternary (default $.Release.namespace $.Values.server.istio.gateway.namespace) $.Release.namespace $.Values.server.istio.enabled -}} + {{- $cert := dict }} + {{- if $.Values.server.tls.autoGenerated }} + {{- $altNames := list (printf "*.%s.%s.svc.%s" $fullname $releaseNamespace $clusterDomain) $fullname }} + {{- $cert = genSignedCert $fullname nil $altNames 365 $ca }} + {{- else }} + {{- $ca = dict "Cert" $host.tls.caCrt }} + {{- $cert = dict "Cert" $host.tls.crt "Key" $host.tls.key }} + {{- end }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ printf "%s-crt" $indexServerFullname }} + namespace: {{ $namespace }} + labels: + {{- include "ggbridge.labels" $ | nindent 4 }} + {{- include "ggbridge.server.labels" $ | nindent 4 }} + {{- if $.Values.commonAnnotations }} + annotations: {{- include "ggbridge.tplvalues.render" ( dict "value" $.Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +type: kubernetes.io/tls +data: + ca.crt: {{ $ca.Cert | b64enc }} + tls.crt: {{ $cert.Cert | b64enc }} + tls.key: {{ $cert.Key | b64enc }} + {{- end }} + {{- end }} + +{{- end }} diff --git a/chart/templates/serviceaccount.yaml b/chart/templates/serviceaccount.yaml new file mode 100644 index 0000000..6d3bd81 --- /dev/null +++ b/chart/templates/serviceaccount.yaml 
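Review bot: The auto-generated server certificate comes from `genSignedCert $fullname nil $altNames 365 $ca`, whose names are `$fullname` and a `*.<fullname>.<namespace>.svc.<clusterDomain>` wildcard but never `$host.hostname`, so a client that verifies the name it connects to would reject it; the hostname should be added to `$altNames`. The CA is looked up in `$releaseNamespace` but written to `$namespace`, so with a separate Istio gateway namespace the lookup misses and a new CA is generated on every upgrade. Client and server certificates are also regenerated on each render with a 365-day lifetime and nothing renews them in between. In the non-auto branch `$host.tls.caCrt` is dereferenced although `$host.tls` may be unset; the already-defaulted `$tls` should be used instead.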
@@ -0,0 +1,43 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "ggbridge.serviceAccountName" . }}
+ labels:
+ {{- include "ggbridge.labels" . | nindent 4 }}
+ {{- if or .Values.commonAnnotations .Values.serviceAccount.annotations }}
+ {{- $annotations := include "ggbridge.tplvalues.merge" ( dict "values" ( list .Values.serviceAccount.annotations .Values.commonAnnotations ) "context" . ) }}
+ annotations: {{- include "ggbridge.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
+ {{- end }}
+automountServiceAccountToken: {{ .Values.serviceAccount.automount }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ labels:
+ {{- include "ggbridge.labels" . | nindent 4 }}
+ name: {{ include "ggbridge.fullname" . }}
+rules:
+ - apiGroups:
+ - ''
+ resources:
+ - 'configmpas'
+ - 'secrets'
+ verbs:
+ - 'get'
+ - 'list'
+ - 'watch'
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ include "ggbridge.fullname" . }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ include "ggbridge.fullname" . }}
+subjects:
+- kind: ServiceAccount
+ name: {{ include "ggbridge.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+{{- end }}
diff --git a/chart/values.yaml b/chart/values.yaml
new file mode 100644
index 0000000..3e0e02b
--- /dev/null
+++ b/chart/values.yaml
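Review bot: The Role lists `'configmpas'`, which matches no resource type, so the only effective rule lets the service account `get`, `list` and `watch` every Secret in the namespace. With `server.tls.autoGenerated` on, the TLS secrets template can place the `<fullname>-ca` Secret, including the CA private key in `tls.key`, in that same namespace, so any pod running under this account could read the signing key. Correct the spelling to `- 'configmaps'` and, if the workload only needs its own certificate Secrets, narrow the rule with `resourceNames` and drop the verbs it does not use. If the pods need no Kubernetes API access at all (not visible from this hunk), the Role and RoleBinding can be removed and `automountServiceAccountToken` defaulted to `false`.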
@@ -0,0 +1,294 @@
+# Default values for ggbridge.
+
+# -- Override the default chart name
+nameOverride: ""
+# -- Override the default fully qualified app name
+fullnameOverride: ""
+
+# -- Kubernetes cluster domain
+clusterDomain: cluster.local
+
+# -- Add labels to all the deployed resources
+commonLabels: {}
+# -- Add annotations to all the deployed resources
+commonAnnotations: {}
+
+# This sets the container image more information can be found here: https://kubernetes.io/docs/concepts/containers/images/
+image:
+ # -- Image registry
+ registry: ghcr.io
+ # -- Image repository
+ repository: gitguardian/ggbridge
+ # -- Image tag
+ tag: ""
+ # -- Image digest in the way sha256:aa....
+ digest: ""
+
+ # -- Image pull policy
+ pullPolicy: IfNotPresent
+ # -- Image pull secrets
+ pullSecrets: []
+
+serviceAccount:
+ # -- Specifies whether a service account should be created
+ create: true
+ # @ignored
+ automount: true
+ # -- Annotations to add to the service account
+ annotations: {}
+ # -- The name of the service account to use
+ name: ""
+
+# -- This is for setting Kubernetes Annotations to a Pod
+podAnnotations: {}
+# -- This is for setting Kubernetes Labels to a Pod
+podLabels: {}
+
+podSecurityContext:
+ # -- Enable Pod security Context in deployments
+ enabled: true
+ # @ignored
+ fsGroupChangePolicy: Always
+ # @ignored
+ sysctls: []
+ # @ignored
+ supplementalGroups: []
+ # @ignored
+ fsGroup: 65532
+
+containerSecurityContext:
+ # -- Enable Container security Context in deployments
+ enabled: true
+ # @ignored
+ seLinuxOptions: {}
+ # @ignored
+ runAsUser: 65532
+ # @ignored
+ runAsGroup: 65532
+ # @ignored
+ runAsNonRoot: true
+ # @ignored
+ privileged: false
+ # @ignored
+ readOnlyRootFilesystem: true
+ # @ignored
+ allowPrivilegeEscalation: false
+ # @ignored
+ capabilities:
+ drop: ["ALL"]
+ # @ignored
+ seccompProfile:
+ type: "RuntimeDefault"
+
+# -- Set container requests and limits
+resources:
+ requests:
+ cpu: 100m
+ memory: 128Mi
+ limits: {}
+
+# -- Node labels for pod assignment
+nodeSelector: {}
+# -- Affinity for pod assignment
+affinity: {}
+# -- Tolerations for pod assignment
+tolerations: []
+
+# -- Set log level
+logLevel: INFO
+
+server:
+ # -- Services parameters
+ services:
+ # -- External service
+ external:
+ annotations: {}
+ # -- Kubernetes Service type
+ type: ClusterIP
+ ports:
+ # -- WebSocket service port
+ ws:
+ port: 8000
+ containerPort: 8000
+ # -- Internal proxy service
+ proxy:
+ # --- override the default service name
+ name: ""
+ annotations: {}
+ # -- Kubernetes Service type
+ type: ClusterIP
+ ports:
+ socks:
+ port: 1080
+ containerPort: 1080
+
+ # -- Pod Disruption Budget parameters
+ pdb:
+ # -- Enable/disable a Pod Disruption Budget creation
+ create: true
+ # -- Minimum number of pods that must still be available after the eviction
+ minAvailable: 1
+ # -- Max number of pods that can be unavailable after the eviction
+ maxUnavailable: ""
+
+ # -- Network Policy parameters
+ networkPolicy:
+ # -- Specifies whether a NetworkPolicy should be created
+ enabled: true
+ # -- When true, server will accept connections from any source
+ allowExternal: true
+ # -- Add extra ingress rules to the NetworkPolicy
+ extraIngress: []
+ # -- Add extra egress rules to the NetworkPolicy
+ extraEgress: []
+ # -- Labels to match to allow traffic to the proxy server from other namespaces
+ ingressNSMatchLabels: {}
+ # -- Pod labels to match to allow traffic to the proxy server from other namespaces
+ ingressNSPodMatchLabels: {}
+
+ # -- RBAC parameters
+ rbac:
+ # -- CertManager role
+ certManager:
+ # -- Whether to create & use certManager RBAC resources or not
+ create: false
+ # -- Grants certManager permissions to the sepcfied subjects
+ subjects: []
+ # - kind: ServiceAccount
+ # name: gim
+ # namespace: gim
+
+ # -- Configure the ingress resources that allows you to connect to the server
+ ingress:
+ # -- Enable server exposure using Kubernetes Ingress API
+ enabled: false
+ # -- Specify the ingress controller
+ controller: ""
+ # -- Set the ingerss ClassName
+ className: ""
+ # -- Set ingress annotations
+ annotations: {}
+
+ # -- Configure the gateway resources that allows you to connect to the server
+ gateway:
+ # -- Enable server exposure using Kubernetes Gateway API
+ enabled: false
+ gateway:
+ # -- Specifies whether a Gateway resource should be created alongside the routing resource (HTTPRoute)
+ create: true
+ # -- Set the gatewayClassName
+ className: ""
+ # -- Specify Gateway ports number
+ ports:
+ http: 80
+ https: 443
+ # -- Specify the existing gateway resources
+ parentRefs: []
+ # -- Set gateway annotations
+ annotations: {}
+
+ # -- Configure the istio resources that allows you to connect to the server
+ istio:
+ # -- Enable server exposure using Istio ingress
+ enabled: false
+ gateway:
+ # -- Specifies whether an Istio Gateway resource should be created alongside the Virtual Service
+ create: true
+ # -- Specify the gateway namespace
+ namespace: ""
+ # -- Set Istio Gateway selector
+ selector:
+ istio: ingress
+ # -- Specify Istio Gateway ports number
+ ports:
+ http: 80
+ https: 443
+ # -- Specify Gateway TLS options
+ tls:
+ # -- Set the exising TLS secret
+ credentialName: ""
+ minProtocolVersion: TLSV1_2
+ # -- Specify the existing gateway resources for Virtual Service
+ gateways: []
+ # -- Set Istio annotations
+ annotations: {}
+
+ tls:
+ # -- Enable TLS traffic support
+ enabled: false
+ # -- TLS mode (can be "passthrough" or "mutual")
+ mode: mutual
+ # -- Generate automatically self-signed TLS certificates
+ autoGenerated: false
+ certManager:
+ # -- Manage certifcates with cert-manager
+ enabled: false
+ # -- Cert-manager issuer
+ issuer: selfSigned
+
+ hosts: []
+ # - hostname: server.com
+ # tls:
+ # # -- Name of an existing secret that contains the certificates
+ # existingSecret: ""
+ # existingSecretKeys:
+ # # -- Existing secret key storing the Certificate Authority
+ # caCrt: ""
+ # # -- Existing secret key storing the server certificate
+ # crt: ""
+ # # -- Existing secret key storing the server certificate key
+ # key: ""
+ # # -- CA certificate in PEM format
+ # caCrt: ""
+ # # -- Server certificate in PEM format
+ # crt: ""
+ # # -- Server certificate key in PEM format
+ # key: ""
+
+client:
+ # -- Number of pods of the deployment
+ replicas: 1
+ updateStrategy:
+ # -- Customize updateStrategy of Deployment or DaemonSet
+ type: RollingUpdate
+ rollingUpdate:
+ maxUnavailable: 0
+ maxSurge: 1
+
+ # -- Pod Disruption Budget configuration
+ pdb:
+ # -- Enable/disable a Pod Disruption Budget creation
+ create: true
+ # -- Minimum number of pods that must still be available after the eviction
+ minAvailable: 1
+ # -- Max number of pods that can be unavailable after the eviction
+ maxUnavailable: ""
+
+ # -- Network Policy configuration
+ networkPolicy:
+ # -- Specifies whether a NetworkPolicy should be created
+ enabled: true
+ # -- Add extra egress rules to the NetworkPolicy
+ extraEgress: []
+
+ dnsResolver: ""
+ connectionMinIdle: 0
+
+ tls:
+ # -- Enable TLS traffic support
+ enabled: false
+ # -- Name of an existing secret that contains the certificates
+ existingSecret: ""
+ existingSecretKeys:
+ # -- Existing secret key storing the client certificate
+ crt: ""
+ # -- Existing secret key storing the client certificate key
+ key: ""
+ # -- Client certificate in PEM format
+ crt: ""
+ # -- Client certificate key in PEM format
+ key: ""
+
+ # -- List of server hosts to connect to
+ hosts: []
+ # - hostname: server.com
diff --git a/demo/.env b/demo/.env
new file mode 100644
index 0000000..5a28190
--- /dev/null
+++ b/demo/.env
@@ -0,0 +1,8 @@
+COMPOSE_PROJECT_NAME=ggbridge
+COMPOSE_FILE=docker-compose.yaml
+
+GGBRIDGE_IMAGE=ghcr.io/gitguardian/ggbridge:unstable
+GGBRIDGE_DEBUG_IMAGE=ghcr.io/gitguardian/ggbridge:unstable-debug
+
+PUBLIC_NETWORK_SUBNET=10.19.85.0/24
+PUBLIC_NETWORK_GATEWAY=10.19.85.1
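Review bot: `server.tls.enabled` and `client.tls.enabled` both default to `false`, so a default install would presumably run the tunnel without TLS even though `mode: mutual` reads as if mutual TLS were already in effect; the templates that consume these values are outside this hunk, so confirm there. At minimum the doc comment should say so, e.g. `# -- Enable TLS traffic support (off by default: the tunnel is neither encrypted nor mutually authenticated until enabled)`. The inline `crt`/`key` values put private keys into Helm values and therefore into release storage, so their comments could point users to `existingSecret` as the preferred path. `serviceAccount.automount: true` is tagged `# @ignored`, which presumably keeps it out of the generated docs although it mounts an API token into the pods.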
diff --git a/demo/README.md b/demo/README.md
new file mode 100644
index 0000000..b8209e7
--- /dev/null
+++ b/demo/README.md
@@ -0,0 +1,76 @@
+# ggbridge demo
+
+![ggbridge demo](../docs/assets/ggbridge_demo.drawio.png)
+
+Here is a demo built with [Docker Compose](https://docs.docker.com/compose/) to simulate the deployment of a **ggbridge** tunnel between a client’s network and the GitGuardian platform. The ggbridge proxy allows the GitGuardian platform to securely access the client’s Version Control Systems without requiring direct exposure of the client’s internal services to the internet.
+
+By using this demo, you can observe how the **ggbridge** proxy facilitates secure access to VCS repositories, demonstrating its potential for managing secure connections in real-world scenarios. The demo includes all necessary components to simulate the client network and proxy behavior, offering an easy-to-use example for testing and learning.
+
+## Requirements
+
+To run this demo, you need to have the following installed on your host:
+
+- [Docker](https://docs.docker.com/engine/install/)
+- [Docker Compose](https://docs.docker.com/compose/install/) >= 2.26.0
+
+Make sure both tools are installed and properly configured before proceeding with the demo setup.
+
+## Run the demo
+
+- Start the demo
+
+```shell
+cd demo
+docker-compose up -d
+```
+
+- Check that the following containers are running
+
+```shell
+docker-compose ps
+```
+
+expected output:
+
+```shell
+NAME IMAGE COMMAND SERVICE CREATED STATUS PORTS
+ggbridge-client-1 gitguardian/ggbridge:latest "/usr/bin/ggbridge c…" client 2 seconds ago Up 1 second
+ggbridge-developer-1 gitguardian/ggbridge:latest-debug "sleep infinity" developer 2 seconds ago Up 1 second
+ggbridge-gitguardian-1 gitguardian/ggbridge:latest-debug "/usr/sbin/nginx -c …" gitguardian 2 seconds ago Up 1 second 10.19.85.1:80->80/tcp
+ggbridge-server-1 gitguardian/ggbridge:latest "/usr/bin/ggbridge s…" server 2 seconds ago Up 1 second
+ggbridge-vcs-1 gitguardian/ggbridge:latest-debug "/usr/sbin/nginx -c …" vcs 2 seconds ago Up 1 second
+```
+
+- Try to make an HTTP request to the client’s VCS from GitGuardian
+
+```shell
+docker-compose exec gitguardian \
+ curl http://vcs.client.internal
+```
+
+expected output:
+
+```shell
+curl: (6) Could not resolve host: vcs.client.internal
+```
+
+We cannot reach the VCS from GitGuardian because they are on two separate networks.
+
+- Now, Let's try making an HTTP request to the client’s VCS server from GitGuardian using the **ggbridge** proxy
+
+```shell
+docker-compose exec gitguardian \
+ curl --proxy socks5h://proxy.gitguardian.internal http://vcs.client.internal
+```
+
+Et voilà! The request is now routed through the **ggbirdge** proxy and the internal VCS DNS name is resolved by the proxy. You should have the following JSON response for the VCS server:
+
+```json
+{"message": "Welcome to the VCS server", "code": 200}
+```
+
+- Stop the demo
+
+```shell
+docker-compose down
+```
diff --git a/demo/docker-compose.yaml b/demo/docker-compose.yaml
new file mode 100644
index 0000000..6a9898f
--- /dev/null
+++ b/demo/docker-compose.yaml
@@ -0,0 +1,116 @@
+networks:
+ public:
+ driver: bridge
+ driver_opts:
+ com.docker.network.bridge.enable_ip_masquerade: "true"
+ com.docker.network.bridge.host_binding_ipv4: "${PUBLIC_NETWORK_GATEWAY}"
+ ipam:
+ config:
+ - subnet: ${PUBLIC_NETWORK_SUBNET}
+ gateway: ${PUBLIC_NETWORK_GATEWAY}
+
+ gitguardian:
+ driver: bridge
+
+ client:
+ driver: bridge
+
+services:
+
+### GitGuadian network
+#######################################
+
+ # GitGuardian Internal Monitoring (GIM)
+ gitguardian:
+ image: ${GGBRIDGE_DEBUG_IMAGE}
+ entrypoint:
+ - /usr/sbin/nginx
+ command:
+ - -c
+ - /etc/nginx/nginx.conf
+ - -g
+ - daemon off;
+ volumes:
+ - ./files/gitguardian/nginx.conf:/etc/nginx/nginx.conf:ro
+ ports:
+ - name: gitguardian
+ target: 80
+ host_ip: ${PUBLIC_NETWORK_GATEWAY}
+ published: 80
+ app_protocol: http
+ mode: host
+ networks:
+ gitguardian:
+ public:
+ aliases:
+ # GIM public API endpoint (used by ggshield)
+ - api.gitguardian.public
+ # GIM dashboard endpoint
+ - dashboard.gitguardian.public
+ # GIM incoming webhooks endpoint
+ - receiver.gitguardian.public
+
+ # ggbridge server
+ server:
+ image: ${GGBRIDGE_IMAGE}
+ command: server
+ environment:
+ SERVER_ADDRESS: 0.0.0.0:80
+ LOG_LEVEL: DEBUG
+ networks:
+ gitguardian:
+ aliases:
+ - proxy.gitguardian.internal
+ public:
+ aliases:
+ # GitGuardian tunnel endpoint
+ - tunnel.gitguardian.public
+
+### Client network
+#######################################
+
+ # ggbridge client
+ client:
+ image: ${GGBRIDGE_IMAGE}
+ environment:
+ SERVER_ADDRESS: tunnel.gitguardian.public:80
+ LOG_LEVEL: DEBUG
+ networks:
+ - client
+ - public
+ depends_on:
+ - server
+
+ # Version Control System server
+ vcs:
+ image: ${GGBRIDGE_DEBUG_IMAGE}
+ entrypoint:
+ - /usr/sbin/nginx
+ command:
+ - -c
+ - /etc/nginx/nginx.conf
+ - -g
+ - daemon off;
+ volumes:
+ - ./files/vcs/nginx.conf:/etc/nginx/nginx.conf:ro
+ networks:
+ client:
+ aliases:
+ - vcs.client.internal
+ extra_hosts:
+ # GIM incoming webhooks endpoint
+ receiver.gitguardian.public: "${PUBLIC_NETWORK_GATEWAY}"
+
+ # Developer host
+ developer:
+ image: ${GGBRIDGE_DEBUG_IMAGE}
+ command:
+ - sleep
+ - infinity
+ networks:
+ - client
+ extra_hosts:
+ # GIM public API endpoint (used by ggshield)
+ api.gitguardian.public: "${PUBLIC_NETWORK_GATEWAY}"
+ # GIM dashboard endpoint
+ dashboard.gitguardian.public: "${PUBLIC_NETWORK_GATEWAY}"
diff --git a/demo/files/gitguardian/nginx.conf b/demo/files/gitguardian/nginx.conf
new file mode 100644
index 0000000..e93ef42
--- /dev/null
+++ b/demo/files/gitguardian/nginx.conf
@@ -0,0 +1,48 @@
+user nginx;
+worker_processes 1;
+
+error_log stderr notice;
+
+pid /var/run/nginx.pid;
+
+events {
+ worker_connections 1024;
+}
+
+http {
+ server {
+ listen 80;
+ server_name dashboard.gitguardian.public;
+
+ access_log /dev/stdout;
+
+ location / {
+ return 200 '{"message": "Welcome to the GitGuardian Dashboard", "code": 200}';
+ add_header Content-Type application/json;
+ }
+ }
+
+ server {
+ listen 80;
+ server_name api.gitguardian.public;
+
+ access_log /dev/stdout;
+
+ location / {
+ return 200 '{"message": "Welcome to the GitGuardian API", "code": 200}';
+ add_header Content-Type application/json;
+ }
+ }
+
+ server {
+ listen 80;
+ server_name receiver.gitguardian.public;
+
+ access_log /dev/stdout;
+
+ location / {
+ return 200 '{"message": "Welcome to the GitGuardian Receiver", "code": 200}';
+ add_header Content-Type application/json;
+ }
+ }
+}
diff --git a/demo/files/vcs/nginx.conf b/demo/files/vcs/nginx.conf
new file mode 100644
index 0000000..b57fe71
--- /dev/null
+++ b/demo/files/vcs/nginx.conf
@@ -0,0 +1,24 @@
+user nginx;
+worker_processes 1;
+
+error_log stderr notice;
+
+pid /var/run/nginx.pid;
+
+events {
+ worker_connections 1024;
+}
+
+http {
+ server {
+ listen 80;
+ server_name vcs.client.internal;
+
+ access_log /dev/stdout;
+
+ location / {
+ return 200 '{"message": "Welcome to the VCS server", "code": 200}';
+ add_header Content-Type application/json;
+ }
+ }
+}
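Review bot: In docker-compose.yaml the `server` and `client` services meet on `tunnel.gitguardian.public:80` with no TLS setting visible and `LOG_LEVEL: DEBUG`, which suits a local demo but is also the file people will copy from. A short comment above the client's `SERVER_ADDRESS`, such as `# demo only: tunnel runs in plaintext on port 80, enable TLS for any real deployment`, would make that explicit. `depends_on: - server` only orders container start, so if the client does not retry a refused connection (not visible here) a `healthcheck` on `server` with `condition: service_healthy` would be needed.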
diff --git a/docs/assets/ggbridge.drawio.png b/docs/assets/ggbridge.drawio.png new file mode 100644 index 0000000000000000000000000000000000000000..79f3bea2040cb5691a86fefcaf024db9b49f0041 GIT binary patch literal 97066 zcmeEv2OyPgA2*_u%8W!P8QC10V`Vf*C=uBl`{39slrl0(LRP6zl$AY8MukK6US;pS zeb?cf(s-V?_j%uEyx;ddDd)cK`@YtH|Nj5$JiZss%N^KvWFHn5)`2sprIoR;cFkj9 z;c(&a1}zoC=gxv(*a&4gDXf<@)WcXknvD(KXVwG1<`tYNqyv zHV6~A<@REDcsT?(xCOS?fY8@9H{5RL-fq!@+ZY(yY&Y?tnjkU^T#}#@)DPqodKvc(*4Bv%!pm9v0Q0V&aTh3YaWv-7q^7149J5x9uidINaRU z#Om8deYmBip+1_H=pJ=#Y~T*xK4t_rN3Rb3j1^e;H@%}8RDRe}RO@9E16#lhC~o5B z<`>$Y4C=;dLlc-WdT2q+f-Q7052IItFxEAIJ8Zwd)wGi;+xv*wO&d5Ibhm?OJ8xqi zvT!_QXpZ7Y%s!&W0gUtSzx!o3Y`zG@f6^VG+!oX7n%kjwSI)#%&Q8|`@SY`@@_9pB z2e^&d_EQL3CkzAI!0jvz3{e!~22$r>Y+`GuVx_B(>cau>7icrKwJ=BDHiBE)s-WLR zJ-&6l%|P6I;M!bQ&(Qn=9ARR+EjapMX(+Lf0+Qa~A*f7fK7i!lDOI)tqa+{_U31OpF* zpI?ec7SK*=`woWPfcQ#T8QPdw7=qcOcEiLH21WsrEQR=Tg<3Cq&%xphG2(~e(XUk9 zBJ}UG)>j6TGX&bn*2W1?4BaEY5SlH};>^Q^zIOO391x)`r319@4!MBvqaV~o3nc7I z-zZM`6{ZExpn3lH=a16=--!m~2Y&p4^$ZPw+@rY(ZewcsmP7Ey# zFb|$N4 zhe1f5#!*ryFX)w06McEzt;G@|%sezqG(P8UC9d*HhBE;6EG|ChCa#I?$VW_K}-WKqs4EPKM z4R}$s{oczGEiJ9Ov|{QQ@Ag{U|H!-ptu{}*@)qaVKEDKrUon&Cg{?*FopMG@^^8OQ&~&3jfOR7}2$G{2z0p&?wFh3--52{CC#NNKoHUe>*h%4kOSLV3g(#U4n_nz65A6m>$3(0T`-pZUX!b%zdEbzC5zMr#o2Y ztJCu#K8w?z^ z)5C&D>ROrn)+^tt#ch-gv~4d1gPEb$`*l@3e}O~x=R#ZCTIW}I`R8647Y8>Fp$ovB>H`>AcJtBT_#Sn%zU=ROvg8oBXF+py$JpP_5hJpS5 zIj-1`fHa0+ziilkIqf2MMgi0LAF)9HiNF32k$OQ)J`bbAF~0dusmEx7e-4xU2pIn@ z;r6!qLk+!+iJ-%XZ~WuG15EoBpW;WT1rx%3mqXwc_+Rvoe}>8ao7vmn@{f0VwZE6F z{ks#h|2_DSdrRJag{yw~cKS;SC%Cwrk-=TA-YVZ7HJr1}dSLrlIOU0s0A z_+zsFe>~s6&2~GzNwkFhHvs!z#)$rWqM_a99fF6ke!m&={kHl0Wn1@KQ6i|kSApxB zp=!3in55sZRKJT)?obYJJ6m%TOHiYWsVzrIF*rhCfJzNXn*j5PE-ki1B^toJA1il3 z)wdNY%CK+*?^zk6jvk;YpAj5-cAy&XcRTx1^b1}GVW*iMs4KpJDFg=ZV%pI4rhwic z;eo0Mwnb_3EsgW<=M}f0(|@OE`b)*(uh%A`sDhp}z{9`Im!o5rKNmCmQc8t^STM?O zhm!n~Uf8K5F?#CnQIcpa@{PQKww)dohTTjow$3&DW~uwXs$u_H1&X2ss#qRV{f;h@ zM_6s2wlFerL{+p)Z4D@iX+^OjdJ59thFuO04jjgYj=Husb_m<;?1QX>6+0*?wcSd$ 
z%Gz0(!*vZ1z~Jz3p^}oaTp);%-I20jHvtc`Z&_n@ln87W-*Z@@s^b3=#8n7mJ~7r3_?SHMAMS~jOaL~50`~sb0wC6ADW8U9LM}2j|xNPl! z0tJE7ztYP)Ch;9#|GAFaw!!{$bq?_2w}<({HE310gJr%rYdd)clZpR(bk5Ik`tNA- zkJmZ+29_KsrGd}~1|6+)P}e}O7}*%2j^6?0!Op{nQZ%Rrc3^oCsM8N`c6MDOaBTvP0HAal>PQ+me8i4`>zjb? z>_8?1G+S8MSpt>1bqCmMv#stC?BEO_j}SliU#Q8x@Y@%jxdm}$uGe1vm-q_ zn*Sc&L<`goZ6!I;y|&Xm5CXeS@}?91K>m{Dr>y;3j$2e zw!z!-rM?`3+k)!;Ts_9a_icd5%m1V4!?;sB)flGj?_m|RE&glc%O9hGf8QVfSBJs2 z8U2S;#$Os~{zvE&A3xx2ltn@7AbwtS3IM|>f4Gty<*Wlo6ja7yic-;;5`Lk7G30jW z{?9I6$DA|Xq5XbPdSBtGf4?yC)F~Oh9j8%uo>RpXCSoGt9rtATQGfm-N1PkQH#=B| z4^t7g!**escB-Pk*Q5Gb&H%NDox16V6QDaliLXROMOi=Um~Rh@{)zfw$1Y=(`_5g) zwEZ$*^&hE`?|Ffr7j2gQJT(Fiihjd>{Jgy2n9>$QVg~)6P$WO%=i7_;Z!qN6v8r!Q zFMnqOf8n6kZ?N!Ad=--$`EQuLe-v9o_`c_{?>OwgZyk9d-w*je$<`Ppzr#MNfI2c0 za3Fq5M0arap9?OaJoFtF5*#_*K6Uz+d+ywV0DVHU58B!KnZ^8Ru^?tQF^cUkg{?3Q zxr3CbZ{x865jwD&wl=7c8+<9xcSiKjr>e?d8h4>^&>hYWKZYbb^wmF*bYRA)N$()t z1v@=+6uJIJ!u=z}kr#7%1rzxEZxHln5b}4Dx5HWee=viFX80cueEv6_6LbX2C-}XM z{t-+TLO-(8C&yHC{XJ^@M=bdwIx+D7x-Q@s`Uflbt>fFj@s(tlZ#?<>~p`%ayZOO=ixukrntLD zXM_lHz3YrojobTq{DTJruRp-|@%ZuQ1MyUFqC>7w$m`>DIN$&1;Gb?7l_kO^{^5s$ zflg^Mj+7}wMgmv*`=2r4?X7{UI-Ky)}H^LcxI=m=N3L}u^lhWw$o z@63Ok195O-GxWzv)8TNOm5A$-VLET*|C4D*7f$?SJ;YW@U|LF2NbC0-hnkgAip%#KgX&uIo`-ay|M{pY@}Eq@*ST}oPx|VK15>za+h>sV zBLPt)qCwNglUlk2i6q?E*vKN5lauRj%QO@6@wmx?-tP$+urGxJDvyb`hPEQc@u%RF zE%Q5M(d0hgc=<55o^-s1xXH&8qVo+ZS)-acR@kAem(MTSeYkh>`sWW}OoAzjv0^9)%kFromnF*dAu6}tC61UDuhJW-aDx>^_EnzBRz4@>uv0{ zjfj%2W-XTk-ENCl1qx#WX#^&azhBH7DD?FM`v`Ffuz(?cb4$Xm^yAmF-(wo*f=Ynp(A`uiuLq z2Ix#|nkm1kG;`3njQ(_9uUleG$uxGYY{c<(zz@~P_9&6|3oO)s+C z?~=|t&3uw9be^wGRHCOZ%7%Aaj`eSHb94KS>1c_i7-j-;c)6{vti)Z-w@*}hyxZ>( z>rJgf=ic|BtmOkF3};&ci{00Sn^Lr6KiOJiKU95j#mJQ{9`qv?B8RlT$8lA-T4+A| z{rj$*yA0cY6c;fMPSTMd1zWvpa7{E^{xpM*a- zyE554S%0kS%$d7x=^tI2UtYCdp81U1ozb^e;4gx5-&h1cj-uG|2}Z@3s5te@DOw6AmX69mq3hynQ`e`p5)$hAWA7#^p3{~K zq?QD9v0j-oY3~h;i&4Tc4{UFED%X(UeMxyi*l*>w-sizVSh#?B3m1EMZJ~=pRRn}d zp<;v%t%|Jd00X`hyPmGS#ej5|aOU_m^aL8OA3bPAHV-de=XYKhi|DcpCXS1tc)A$% 
zXigPDHvf+DzN(V;LkVosa(76zQUi=E$+9!gvyO1s!~v{QA&4H@T$hGfS|>^dTz1>K zZH?(E&r~vH>!-acn<83Ryx)oQ@=MLQ$rt+LGHy0rVP0<2eP#Fr1g8MiLgttgE;XcR z=8~+%F3$yt&fvcfre6w~%s%|L>^-Qz&wMPn({62w!{IMB2 zT@|#~ZYRVzv%I!8A)XJ^S}G}#2tiIVk5vR7^{;y@m%u!7vP*n(4M7ccCQD08M;$Pgpb)B_L&U?sTENHr^a zqOQ!|eI^hgOtB^PM4sj+=#*jurtD0%_qmEmf>RVP(`|KQb#i(nDTOgl&_7kk-I8-e zoqBROA@;l#4c>(3u015K<;R`a3SiyJr1Q6_b$nbM9UZ-9C-O#LN|&t;AY+5hM+-Bs zj=-wIJ>Az=81@Ps;6hwXmx-U_YPqYMrT1WqYO>m$hv8bLaWRiR%`J)Ws|JZ%_epyNsk_Bwr869I zzXrHZ7i{#IHwtGOn94?S2V>5CWbH0+Lbxt=I=n;4L+C|uO)P73`O8-3$qa~ zM%QBShTNAwhv8PV`8&&5yG`{-a*2vPljY1R>`_!`P<+69QfVTmk<))UlwG6Ao{~H{ zNh8}bJuZd-i+a^fc7rP@~}^|;+C9a_ciP$lg^ zDN#P9VuN=iwqq^aO5(uS=+p_UmNV~?rAkE+DI+chZ@Oq@Bnh|K8SI&Y;kAnU7t=&t zlwy^V9W5*sVSF~9$Q?{fV8|Fg5t791@qIi*NP(v^*xJ~#ZK#7U)(JbeL^xQ+Mk-9N zjiwYcR$gZkb5UFm=hipJ8)19Zk>S2D*1GpJQz$&m3Uz9 zl7Msg*I6qfT&9if3^+$Z_I)0-o_m0RJ6XmyJ(S#46(vN<_7K+n@%Tvb`htcPfq)rR zR)N#37tJK_f|!QW{&8y#-!+1|R-bk9nR4-T&n^hoXqaY=x?lwP63V0rBht6MV7jZgLy|D>|zeR5(fcQapKS6ogB zS;XUYXjNCYl;djN6O$V4YwLEdv(*A7!m4{PJeq{s=y}R}>)Xc9gi#_0nw_D4NA#wd z#-kZvs!M@0WiM-v5Cf7cPUX~YE#l`Yo22Ku~oG@N7Hb$Z$ zMLlEpcw1)1e1>&@Iqsu*HvEc?&8|WhruUCvlEuBHx30Uiitsy6-Lm5*oOy`dyg`sS^MRAz}k(l3k%!9NC&ScFlzLlUMwv22kDPA zJlngXuavWE&%q~-2eh@dXA291?K={p^}4zD(dC|3rwhWlzn)%8wfHp1-#>rYy6e5~ z({o|6FRo->$g$EL>&UHV69syuKR&1E{vE!Q3DWk;kj z^K9QmIRlwy zT5%u#`1Bz~R}sUdqcJoyx}`UtUc=&WzNwb`H8cyO2TWZ^JN1^0X(P@_sxQoGrzZnlK0-dl9P4h+hVOxnIdnNOF`kbKXQqwL z{S2Nsn=;JdQlOSQ*6_}1djS-vA@oQY5$GWlA8Hr7Gwu;Btmc-B^6n3$fj;Q6lwT4p zb3fmvrI7s5EpiAKz4V-uVCe$h3QXJFmP3LqE-vm0Oo3yM=bn$|{7Ly4#?ks5E+LEx zCD4!cZEBwawMKy({&b!!Tj+dphY<@O(RNo%DB*h>LSMhF4|oExyrHMYmWwaVi#_Wa zzC;Uk=5=2gPB4Iu+Ko2J1kpgJYEKb9HSWpob~nq?69G22{J`5XXA)M5NUn%&yVYZZ zitjAn8>DX8&yp8JI=!N*2u`Iq+?;tT)}9Qat}=g$*X(r%X~m)jCY(0Lv%3T1Wc=e! 
z-#H$?0$mkyUlZiFXtOxIOFZv6(Hi4P=aUD%LVGxK9od7nHI4xKq%k%{8DKoyvP?RzDa$E z<)Q>|Ppt;3D973|KiEeF1rdS(_SR)Br!su!q!%FILIr;IlU>o4RFIJyisI{JLC}T6 z-OtQ2;p0U4(4?t6>Y{V<4B%dR?fdS}3p5A-Vshw2^= zOoCwidNHnlp@oWhYs!=YsSHhXdFxCHp?iq zAHutf1||WxflYCtc#f^|L7GmA`4xAIYgEX@ae%5}q zz#8|z^(8%hwxOO%A%&L;ItyGXSz}}7Jcr3ZF}Ia)WP*Hz*X!$hUF)GCxT@;#;@Li!68b7ifUv0yO681!?(n2Y2 zlZA_n`2GodV!S#?X2}Y{KFGAD8*=NH@4v^a^u}>;8P0*fwlbRHxIW+fx_0acpJ`9S zGZn_FH9-7$!hshm7X(ZjD%tkcwpYn`2Z?XAxNf$YrBLb~J$%?$gG?uU6SyRI05(Ee zqc|y!Y<*=y%5UD{Flz!JZ<^7(x7Y|SOwHF?v zn@4k&=seh9QIu~4Sm(iX+O$jj!Hdt7%WemBb05(KTOLoV6&66V2#ayrooUuw&RM*M zv(JGh7uXmw2bjWbPhhR4fT}fM?$e-k&eV2!ggf2!c&-yaONQ7}*y}eG&lzZ@~ zFxj4i)Ld>L#@Y*nn7`kmHJxFk>4h0NJ+%x}9l?FeqAHww2{2_wzkL&5^bG*!g~;Ei z+G(z=uHoztNeI_2autdJHumBkb6R&~l&POdQr+Y3S0*Yd20;P2vms21=hGCO-)*jp zaw7J7e@@e{2+0U z8urwmkdl((a$j?dR1gjGrzM*(uYSN+3cN-0+~s8768!zLvU4Mi1WkH46c#y&As6+f zcT=daOCDr8d`iLddn+7W7(v{4+RbD zGWU`)9wua`f~L)VY7-#8Ct^E9r2OGoLTy4eps%@eN~@OpvSB1FVl!SYB4+B9kMlm) zg;Ud&GPus3ltqf1kiz-7^mc#ew)e>4r`=f=k-1_Nc(Q@izU1sz4ogmn4uy`We!NhYplf?g|`#y@!_f4uQGm zTOHu+@iXgA zQLYQEFeBX?1PpU4vx-TwUJPBWd(^EuK=7UE>nzJ+)q7)neX(0W%bD*dsK2_j$D=;7 z7i9MPhm9UTbePLh-VebAVKhAU@#e>KoDo(I{7HQU>#6(5n1dOWkfMuH-uoh^W_BMq z5+3a6cbUIUx}8l)ak}&QCDz%ar{*a*G>tbbWw29O#7}(~c2azHfkp=M_~1~QQK-`g z6=bTr>TIOCp}Uh!ToHhr__6aXJB6pN z?K3!+3K)r1K6)PK@Jx)VlA@tjKbwcpsSlu~LAk9hoe03x}F9sr9al)+ja1LRb&IdEqX> z8y*RAD%Vt6Z13(A2mB|oSOjTx=a90*HJgetq9%UT3ILtXV!sN2t}fl1^%+XRAI~An z3oM-dPm&Bz4|KDq2zckZZHUf(7>>xw_U#MFQVU%=c`-ueyyOQxdjJIYg*F?Ypz}1N z>Larb=kBHF#9n&KE~EsPp;zlx$pl6G1!|5#5K%VW}Y`S~eWsA|JImONBL`a7(ptMMJJXL^q@rm4-DwaneXJE<8 zb3g{;xYH$&rgBQjk+T()2fMBU>CIlqNyvF3Vc5k7T{mlfnRzHfUwn=R;?P~B)R58Y z;ub-m$eGv3Y*SiVY9TaUwGIvxrPtxKz6wllyVe@-WZySQtg?qG2U>AY%@ zSlJYaIOJQ34^1Gw_xO$7CYi6Y8+>zP-7$hjLa92=b?#vZgUY^~!+M7b`w!x%n(itS zLG+y*qEvr9b&Y?Z1~S+g!>QiNX`1RmLuJturGaROSD+$&6#O7DVKG){QSGmM?=j&xu$)4d)Sp^>Z960(<`m`w?Z%*DTZ zf6C=%+iadIXJ%Koal)Y)OK~kfx1z^)0~(iNDqI}`yTN~--fHxxzZE7JwN~<~Ua7kB 
zq{pesC41p9GL$v!3?%hNA>X6{TxOpdA4NFN>lf3>Ms78T+}aW;PXnYZ)nHY`W7=G5 zd5Ji&J&Nu|2cwH$En}T|`IMaH9%WotTWP41cHr_w6T{c*nv@G~%lE~z*}gHx;oqmf z5tl9XTzNFa<>kz=it_h~O&d?PwpV1r;epcnb6QN8>G_KIVGfMX**QnOx0B@BvuK41 ztkNMTS7T#iuhQH>(NhB_nbq$=bIZ-r9os>8YtddQMDxKR^tg;)xWm1ioScTLbT?!X zyXSfAm?nhDVrvErl}+N+W_?U(;D*g1ZtQeM^IJk@P1?R3;m*d3fCs^h&NaePd+IkLbo6B4+%Q?dD=t*@jwE)$c^f%$$n!Zlj04+}33(?mi_5U!{w*Qj8 z4^?T;^3mD%j>(~`p9CcrVw~M8E(qPcZ7tIZWSc`G+p_cac(T#^D5jfv+y#EDCHr^j z58cb8o2pk7kD%t^=eWU@a=TZp>YV<2tkS_87Wkzyx7G3N>gQsmMTZYoFk=Tsx-`zX zewam0v6H*?+Nm$ybka6JvcuF~c@rN>o_mi>4u;-*#!yjW0l#uU9;1S`QG;NhsR+(L zU=5GD2k?IKMIOT(V#K}hkeG&;NV1ZJ-bJ?b82~pw(AAL94~LcaahdPe(DznmRg9I2 ztbR|bUq?D{LdjJ_Drz(SbUc(SE3i86yiHt;S7h!bYJ%C?!*?f{N7Nf%0dLrM#YmEh z#?050MuOXNJi?Tn*Xo)&hrF7%-r;vha8C|-Sxv#Z_w$$pHpX<2> z$nD7woW;Ditk?owKIgrGGEsd~!a&D_%CPum#Ng>?Nkhw62r9W@w?i+zSYt`5jA9r$ z`Szqe<;!A#>`2S#vRR)a6eGBuO0?fUL#;hGwS{UE_F8D6bo4@MMy5r3ljF?M(#hdQ zS|OV!(^&$>wI!cq>q2UzcsjJ6fZ)ORw0ey5f`VdxW;gSq(^H>pn~`DmY;ww>Gq6x) zz|`F_%}Hu$aq47NRnM~b?N85RAsFIyAdJ)NMi z7NWGT<6xOq1484FEIpUAC;yBfdHk_+{DHpwUlIXm+nKW)$VGEFQ&h@pDnGw@ZOUol?-)tQ9_QNVuOoPPz)($OG8(qM4i%w8lSTvHQl(gvCZ1!!;vd%W5xC_l+57qcYgCgJK3?onQv3K=J}nk_vJA=#WwMeVq+G^s zwdZkF#Av*%y^bswb>DznkcNQ!z_#(=%{|~VBjG;(+`0I1VnRY>UrW(+o@Q!~6du)V z<58+p116w-P?bsbX&VUe$rYjV_s$6Eu;a`;YK{$vao=aps_bzs!3UO+Wzw4y{$9sv zM14AzU{~PSxJ5?R1M6I>^Si&PMv*uOQbe(*n8Y$}MQc71tr)%1)z=^mMP@7_MtSz_=8->dqB7?5aR|!CDX&@y|AD2Ky8N2#zV>LRhOSx2!yvT z2CksfrWnWbv7`%ad>upf+ec);bFby6k%FeiWEG5|ez^qN?> zDxOd5_k<-1mqAJ!hKC2Gux8)4streLA)F^#cN5Z>uh^QO@pWz@&~X$m6QIK5r=Vkg zzDx-nsv3q3iBQnHZ!E)XhiYG6oXXA`)vtk;3E+vauFX!GS4G2KV6EEjRvm>AL-{%M zQaSlmn_(kZ1mkJe&DaZJAd4l9lY-2{(`42Wf5peh$aoa;@)TP3>A0~|p8FD%&m^|Y zZXTa_(}XO--%sxU9OUPBR{B0M-el3LW!xyDUFbsw+^PCQ zC@XBm=wLyk+I%r6FUcaqwLG^7vTc#vX(hDTN&Q)f6d6OiD zv1KSdWzM0PLnn0(9s1;j|Co%rbykyuw}taTZMhI)K(IHOA!Hl*O%K76VTdH|!eeQZ z_f@BgwK3{;OuqbBAcR-Ia`O1wH4*VT2Tk0m#5Jopq@AlM$+Yj_!&S+}>+77pxASPz zXB|dgXlcZ4sO}wcO*nqxnKDBZ)TL>RDpvC`lZdEjhmZEG$J`8$lrV79jo^#7ImjxU 
zu{y#wTGI6K_wGGoK%N~!aPS~Mznrvm2O09=L%IwPV9Rd;JT6>#mnj+^3ciD@Ofp(MHRVCj0@cIt_A^R#7@;#qnSst*v;=X5i_0_f!p!Ic7D6GMQsZ-A~AmLS`0C zWEUBfV(X+EW531^Ib7KLDn3bFEIcyrPpe+(PM_S;!57u&op2!@NNWc!_J;f8q3k2{ zSS^~8J?9#_-`*G{!}vGY#8v`0~C~L?PJLuk7v7-AL`*)(`MM; zuIJP`+c2v2wb;v(TE0Z9O5?C*F9ZJ`#fY06ILCwWaFeBCXBuGG=2xY5*wdZ?{FYmh zOTN+l3-Ha2W2 z$_%2^Zr|g%Bdh8rNz!hrADc3FV*J~mH6M8BPe8rhY%VQj=shHvSC>?8{tCK)%7`9$ z-MCgC$uQI!Johu`Os2sqS}z5ikn>p)eyxgrUbvyB?!65c$-Aa@zyvi^zeM^OsB77RefPPb;-RQKb6^gFGM{(2h6JtL3Iggg* z*;^H;4HhrYthQ-8kyPss`U%uNdlMiXd(E8=tA26MkmEG>qQ}IoC0e}og0~2((A8ri zG@5zwfT(6fr-NsmbP4YXOdgqKWJSp~T_LWfGAJQXd`WxX=uXU~7(Th{pN0dOj&Dp; z+lmjlr*0m-)3&ZttP}C^_^xY3EuZQXC;JsE{5@PqPhV(spFE!MtahxcflnAk^-3C? z^Xwz+llk;V+&65>tY)WStLyVpkA zpQTIQ;ZGSVuU3n+KB=Szol(n_h?%lLDAc268#Io!E#ywV`&>DgC?a_sRlVlPOJucn zv`t6d>PXGUV`zEV0)ZpW(6QbqtoLzVB~tcty4m>Q!@Y>?uoXa1tIIg=o^s@lI`VPs z;AQl{_Lu_rjus+Ra_e$&*b;bRqt-| z*>CL+KFPX+6IH)HFI^|^>D~XG7NRv z81XTq20Tsc$p&ImN9bmQzrhOQ897u>60#&#WQ#1%!|vENhT$6=z)qS{?(l|Ij=i{> zZX})Ow>7VlYLZG4CHN-Jv*V5eBA0{}QDVmv=#g3boNMj2{__}Vx+Hux-9?f)bs5d( zt*V4U#^B+&F0I-RrzSfDt|xy%U91k^u;q}sY-o?4nmkg^u+4U7aI$3DG}vOoz$l$V&0#uAv&u8Nw9<}D9*SbmM>JLNBAX=c=E zADJLGePZC7=wMNmu7!He<{&n!q2Iis)+(!F4P}ljrqmNqzg4lY4wELsVmHM}8A7KnuNxDmvEF;6cbukq+&PkP9ECFo$ z-c^)sKOWqQn_OF^@h-c{oT{;SdmCR6=Y--UQZkOb2(FI0LWC@>r|QC9?xj-0)e_4k zqOv=Br@7|Xj59tF1;PxHyj3ksM}>d71-8rfsxmG$zM5AItsHXlgczD#gMB1!0yec6 zJ;Fv%V;x?&K66}q*roUL_#Q{cHGvJmw`J2Q*7(phk+@RM&w?CBPzlpf(ub*==EdTN z{Zbf#E}6$IXm_*ZIN}iEbYC5w_HsKBAKZv*sou~|;7oq$y$Po~n4MCp9)aa)tmjLD zii)#LWrcE@)S^9}f`oK)l`PU%MZy|qlSa3_O+jK$0OpsJmhQ^8AD6PVwSB;DR{Icp zZEY>pqMcte*M_0a2}Gu+P>CT>oVMOVF^x8ey>REb)J!g~7p2dEs(WK9 z(sx3*mS-9e?exypEjFetZjatu^bCLY2L+~%o$a{ZlZCV~G+I6Z{;zY{sfaSxV6!+B z6jaw|T`1@|_<0aUAJ4c{YsaxzCangm58`vEcAa@~PyJB>;RCu5|Ad9!+5vBz<6tAs z-~vEe9*Ig{ML=L5T|=*JEbjq1yo-@ByY>*$ z+y-?seb))aPKS*T=gK+Offam5n{@1sjzJuN3^VZEZ#{lnoYj)(50G+&ui zR+nmb;+QFR$S4$i<#cEEFypzXyCv+t&VfEL&RJ1vbV%_;GOx1@0_UAm$X{HD(>mqY z`exEIJV!06V}?TSewqK1q`{5X^TBTCo#+i-DSaNvlw1~OCw5+7Ua-)%$RmWhus!B{ 
zyusrmVRh$Ye1ezEhlf(t<$^hOln2jsz=*Ee(c^5=TV=!*fx;)*3o1FZ;_jlvACrmZ zQH8i5JyHisZr4C^;XLF z*jwZ?JNKq&-0Z}stG02h&E~j4E%?-Jyhs^2x(rAN*5g+;SDqhoQkDn=c>z>?1gP7& z1(G%-oCQ-jAme`n6h%^f0(CIb0II)`X?lt6$}4<;(@TO>Pj%W_Hp7U^+>mDljm!S0 zXG2kmLN1VkBo*H5xlR}dFkH1f+mrh!ILred`D}nRNOkd^{fBj4Dx^Ryaz|h0r-D*u z^VW1ckoHl9OfTJKId){`{b#1!B5diqrgQy%5@P&gI z6&^eUh09BG^@?e(%Qmx}AYHiY=39r+rs}oG!D#VoG^5Qa6|+cjLQYQ3sz?FCShoer zN8oq*+pG(|86v(8f11*%}qqWQvQfbi27I&Phh#MRs{ zDgTL2Q!th7gM3vWL8C=I1w{>Y#YS=>is7!q#4mWo@s&6DJ>4YfByJxy=fv> zY_#qqS$*L6VC*$nP}zCm>Dfc{=R-`d?>_Jb8;e>bXCKI-5s?8R$f2WIrPL(M1_fX zo~BYeYp?4rf{5b?&)l^OY4XQ33yFQN%OP8zS89tEVc*eBh%zFvSf10;VqR{#u;j=S zCU$U*QHsgTEID*Qy*Lb(@jTyv}%nN-^;DX%_ zIkq_U-n)=wPDuX^T<_k2E4C$1LtLzkXT2f?+wBym7Zzl7bRPN!56lMPDc64-Vp~{T z6xi&}vEJ3&+iN0JeKIi3?`eFQ#w1x>mq2Q2D@kDOISRt^l4e@3pzN@d9hq*;-0~0B z_vq<)hF6Z}q+at?k%%XD^1CSa5+}5}`t$ls67!WOC;Eu|D_b_l&(S)sv*4vYL;KMl; z<&Q2?i$bA&tmPGD$JS&8-B+9l+%=Fm2y4N`NzH`b$=+dKsnE6(;2T+YiA^~#U;6YR z5=r&}OrLknx!_@tFSmZKHb%1Yz@vnQ?kB>!1fiXvd=L9n zd26`-M#(P16D0F)by>3tE^ynM_pKFvl7>136BII|YKs?IZgtNdxy_;DG7tfiZz+77 zsGX|gNlDs{KJ0T?NfGIG*4}3NZKpI;yRVO9tlBI8N|+Tt4iNjF*q6tlICwpOGzuvM|mcMF`W%#^J5L;j2tWn2}$qp%~$sg z_aOTNnUft#hf-&cg;{O5G6U0gqsLW}u`K`zzdY5Jz=tb-HLh!4ewFd0e3!CAskq|a zr4>j0nf#+Y!^0-hT>YTxbF%4b1-HwF(QK=?n?ErX=^gdO^LeYEy`+J}^erX^`Qv%b zym>5r@@=%(Ud=oMji?-&bc)N!ae0T$mo_-F#S80&lHSvrhHpOVGF`sG+FYAAH)7RL(R{PnAI_~fdF7pY?T(xzUQ z^v3GEn>l1OIwjYhC0#6_C2_}VIn{NUld;gh{jIE=Tx47lpJ{{7V$C3@kJCB#ic0I) z-mzs;<|{d5VvZ?<4?0w+v|YJNpWIL~6Grq)acY?Q7Y>umU(34985L3&6Co;NcI>j1 zlcS4MZ@tp=qZ{VBmtWEe3-4xa8ZSedErb_#A;+y>ns(r^ytS8-HeEe>Q;Cn)%j2rTFsY~ z1?&B%6mvgoY095)oh7@TkRU)r^qoOH3Q%P^6A(-R_4k$9>c8du>`83oj;WMA!W#M5j7`8@` zaW?JKxq(HcLabI9Jj0>c$PNH(k5rh)JAx7r9F^Uq~dw zvH4scdhS?`)dbf2(33%gUE|m9%FI5%$?iDY*r@S9rttGq2_iQ3>FM_*YEXaIMfvin!%0{;UUS;(=t#%=q0FYg&5s_O)M!sr=!#Hb+&{7|0`mx0dZ*S%ekggQeqY*0Q@ z+d6arCMm-Dsgq=EPAlUf4OQVB+l0P%kBX~??kc6B%Gq_n5O#HLEr;Bjhn!>YLw!39 ztBzD`;tyRt>u|~$KW8?dl0Ii5QJt`JCGbuBi%6w{i*~r5&*gE!eX6zKOKpX*(3@7+u2y0#H%+?_`W&J65|&&stq7m}F0`?NJO?sP<> 
zsA!>lolvnTgF=ijv{R}1l+}8lovWD>BVvJA#2mRhuqR##xam$6fFk?DIuKJ0< z(Dqifb>ISP%Yi~fg-WQ*+CX(Aw?QRQ2qZSNI>P+jd+Yp}Ott;*GA>+tC?WGUS)pLn zgEdGYD*>exGje65R?Q9&jt85|gW5~hb(2E^OS>GG2c(8=LKRrDPM$qTsB#f{ z@^wr@p(HVKc8MvIDms0CsW`%vkY=TLm3#TR=aTtKLcHqjjO=^%a%aL4krSRPc%jl= zeGU=tdfrOkh?Z&@X7>qr_n>dLmb(+N=7bpO$Je9ULYc(GmzBF{x$`3o8|UZg-m`pc zMI3c-voau5SS((+PS5QmH4YjvFwiR#am zExwtg8%BKesEKK&QmK=Z3l--^S+Gjw=gC{25eX&jkT$X;yMe+{m3GRqr_#`CPYPTS z*YQS%i)tz{wEzVLYt_%sU3_b(DON^tj`txZ(0KKmNP0?YOF?Lh|}GMI^u zy5rqxM$!wf9S86j)B9VCGt+WKJk=ZibUvk-!G$>ku2kfYUN6lw zdhPTgbKkRpd*kC#4vYp708nEktG7hLuI-bk@s|{CasnvJaR&yFOUcHm(Fzeei1u#>dP{52lhf><@P|K6o$S0<} zwX!I#%j$9YnXBR4@P?@ArIgzr!cuxFyjiC@6^na5h9agG-gzG{W1(Y)r=F<`yq)6- zNeJv)Y0QwV6iB?hCt6s{%k8&7SDY0AzGv6d2s|JOeDxjYV$9Wzp=l5 zF1J5FA|)lIwac!)snc=jU049~>A!vK3rt~hpM-Z zYwG*s$CVb8PKkjiAq~=OgoKEa3P_hA(%m2;9TSw6mPSIlMu)%{-E4$(j2b=oUf-YZ z_wjrD{@&T{&bjB_*Xz7q&)|DU0}H&7@Y*gajxb%WBR=U{KytoPrRHvZK4{ zsXcCvuNZ1QfWMugjp}HL>N5~mI7^;q<q2zF)ve5v34gXAtwQW0XvSlg9e z`+?rS?g9lcd(!j+L#A?RSUNrcquvzR&wUn#+DI=LkIo5fx4Es-y`{wvQ z+}i8aI7||QVzG%M@Q()_5mn;{lU~OZ%v8bi zrEj{z(HQxz%i33o*U`!4W*2D2q0e&BS7`a*C4Xgsz{5$L6P6Q58gjlp!gt?F1mMsE zIFK=abWCi|(Tv3z@2iut7g`gyv%-O;bp(S6NV<_!g25H9g^zJ29=#K8!a#Z(6PeeX zCRnY2-_kpr z53TYY-c)9;{}6zgd@{jRW@pu7Rc<>D<4&pv(AF^zMF$i~BuXna_QTY4Cz^AopO_Xa zA0TvwzAR6dc`_En`r-Px68ES$pxIO0-7>nVkp6cz z9G1JTg@h`;krPi%?&Du$S9e_h0|CidllL3rnb5GvEli3;fDi1fjo4I9d<=teh@es3 zlSLnf7Hj9%dds}Hlhc3Oi_RD$;W#)ruQspL1X{nKbRD{nD`2ra<{J;@=R~*7P7Bd1 z0DIhJv;UsV{Co1c+iJLfy$43&O))(v3DN6dy=4YPbwO^bH6R%w6qbc~j_?u*kShiL z(MHdaj}8S3MPyZ$f20;j{aN3IH{sH3;T(et=%MS~e}tTPc9q{Af#ZIMR!Xh4O7W$C zRnow_YE$9@$WY?HUB8`_S=+Nh5134PR#TqbqW+pTd?;D=!{5MfX@!TYhHj{+^kv(% z-P3QoFxBBj&xN)&lZTR-6XQY zd5`!tTDx3OZP+rexh1_7pgz+}*-Kdai-OQWCr`@1gyz2N8Q@sBnK{%+Ih$1ZFjmCR zZ%o?NPbS+pjpCEfk9vPN|5+pUlZ|CSO`F$VSM83tv)|ghJ{ zBsrN*Jrfe{7@%x1+4Q=h+VR14wViBddDu!0VVdQHG}!rK#Yg7ygP#%XhqsOBMk6kz z!3u3IvTK|Wp9exjreS)1acMSreMa$}Q&3eNdO*~TZMr+Ern@}XGuXhwjE}w}i?=X+ 
z=PntFutK3jmG~+;xgyu0&%A-$72hSI_o7veoQ`p=>^N=hU!Ym*uRi&_f3)<1tfrto zF{CY=uv}TuY}Md3nJ54phZ?qpL1QK&A^UXeOoXviX{#393|K^ zfS~QVjs-U?D25aY{-O%H|Lj9thD1oBop`E0(2sjL>&z_U&O`>8dcc-LcX*m!kv(mP zD2QA(J#7wbTENs1l%!RUi|#?Ne;_3PWlE4t~B{#0xBRR@>wf7?(n9Hww{ zE#bE&tZoEL$kh42TQD8a*J+BMRp&|-C+Z3L?0nFP&(wS(TQSG16rF9dHP+zFzVKe* z5X0|rd?v3hGtP{JXZox&0E7X80D_=TvnXuDv~*j97t$BM(e=V|9_4pnkQFcCd;N@d z=z_>=syJ!)*=?OKd*+@Dxn6~_LSG?E&rcWJ1aOiGmebUqibuD+D?;9BDUl8&l6aEL zZyF7Ag7!_?O;>*WbKi)Bqz9Kw=2H>ZwDU^S2?R4`Pg8Wj+7f`H#VSEmx(=-hwRoHY z-~6xyC!_Eado1r*MiUhzbVQJAVY!qjPJ}PZOiBjI!YfQKxvZ-4F6ts@lJ>bY5XXgo&Lq9mj3s=({0}WM=A< zwd0NOtU^LDCU8=@o5z1t+J*afq1g#?nUr!fs@=wtE+WQ%``x%U)$s7yq{L`T$(Yr< zm$v3a;|CESlCxcSlHj$pT2gxf73a8&c=;)R;#m6+OaKS`+cFMe!P(*vL-;e#UHuw| zX%@b@wy>|!$wD@lTnhnu4=kVVq{ZHRAn4UdiyeCsZH^gZAR->f_$w&pG#^`sIO(3W z(;L}avk`RdXH;cTnH4ji6ZgJaglg97K6u3>-u`8$I-{99D)4#lYPb){0p>T{mUodwjBM&6qqDXzJRuRpwEfVopo;Dm zrNPlEyK7xCZqfDGP?p8dzob2LR7-6rndg=x#ZsgK@tRKk8BK311#9;mFRn}$O}Y<) z!K3TNdgK%gk*4c`!DO7n?b3M=*cJ?Aca=T+dv#m@*184R)p)fN5(3l!F1;)UOw)}F zCI;1lj_Y5C%7{A~?h`RJZHMEU-xWv2r)Ry(wNkw{E!EW*4uTA4N!utheis**lf8Ic z=eQ8jR_|0#;oW4Z!UXom+nFv?PZ|K9A)}3ggY^%O5r0_RZgKfWifnbxudXbyX`(Zg zo)7qcKn0ZDMPf%?5MKK~%PK9=vopWcF@ z#)z;uB(K|8c*4~3#R$o2KZH5i_5M%OX!{GcUiFLhm!z|4&n!)-pkyIWR|YaGcMIlfh;rQ zt-ri>>@d2Vi_H?ApAL{|0%iJ?z0Ec6>+ZGK60ke?tF{;~UL=TQzLt^#PY-(<%}mc0M{ANE-94n|D^$bDjU<#8clu-lo34}TZ#~Giypetm01wf zp6{4*nHK0<92g}roZ+w3akicDVE5Q4rp*`58{P7jHqafbZ7U?Y;U`ld8GoiH%v=;r#t#w>* zRVgb}OBnuS{g+!w(5{r^i_=vr7a3gu`nVDCSct__K%cq^8379d%yux~jlN@W{T&uLCC@IjH+YVE$6X7ArNVPa*O^$|{6{ghUpxU>_k$;p zaHG3MA9HX17Q1<`^aReFo{61b;;kHd@{P7lM|0^FDCYL>Qdkz4cl=J&zuw~nI(cTF zmra}8d;G=SC*J%32jRSZij4Cyja5k^=w1Ufamp<%|p;43y6 z5kW{{N{-r|#n+HM6)ZQp*QJLNkh>D&6LejmE;G8Ko2&a6chhPr?+o*&KR$dWbFukc zzh&3U|9ISjeOvF>{D&{T-@-6eE`y{e0e;VhGn+rDBfySv8Im^T7gr;rRDumCyP2RR zq9zRU$Nf~;qV)1C=lt?Y{@_fbA4m#1E7M^ro#<7#Yw^w_m1%D}8f8$KLy@ z^D@@(+mEk)`z0YcxJbFs`GKWr*(vj>`s2!d1Rp@E+!zjD3W>)(z%JxlKapv?u|sOn zt=gS_>)oUy0H~QPjJ-}+2((%fWekxpa6MWe%9 
zizMV~+fHWY+=OYSUSM`uhY~|QIyhb4)!FDKv>f76Kz94-&d}|9$y4-V$bQBu9r@V2 zqwYkt%ti3H&B)fF_gpJ0`7dHrhgYab!7rgFE|Zo6o7W)%Z{3 zRg8D?%RT-g?Jcnwzht&P8o_{duZGr__|D0Nbf$iTEo4v5SZKd<)>B}rVX5H>Poi>- zQne4!%$6LTgYzULu+%8g9dULiO_uMxCV1%B^n|5=0@of_dXa0sH^uravO}g}$(erl zmzOD&Ckjt*rpqz6Iq01X%@%!%vMW0hD$#CkC_BBJ~JkE!`W_q&L=$gsjfvfM{qBR`kH z-ZgNncg<@z9s0$OHi&RDpo;Nfam8fb=49Auu8GPmP(REkI;by}k)l6KmMED&bop1N zK(@*>>A_(n>MlIu@{9wBSvHm{GZY_=&7S)JSQ7%zUFq|>tL4=!P$JLw?gfUBZ^&;D zG1ARjwiR`b8+v6U#jR*NY14+LCD+fySoGxCF5NuUGoydvjrCc=_CaRM{^bv~w;s@cpSHi(F0geUqJI^|0v6pWQ7z({Ec( zYD{x)rh-CVOcZ7;FHx|!e?7OxpjQG*W*Xe+AX!rQSb_(2K5c%jlc4);6+tSZ)yzB5 z#!X9qND+?&y&SJ^c3fi^ggSX~G$*Eu-jd|7<$Q2O1xN($rd&8;KyC9a*e=2con?sC zAg4-EM^DhpL~hGRcdoCoqh9TDH37Rq$HGH`H=|wQsS|hjiQT=I@!hvCOSYop@jx)y zhin@N&VvcJySauHCiGYP%`*+=AzQZ?WUJO`-F&6TI7f@Dg#;-`CPDyqL3<`) zU%FFf3@~tNP@+;}kG>jgwtD=a`P{ZPH0!=rZ}ZsJ(_Ep7$Ej?CAt_8SKs4@rN= zHdCY6KQ0`TYx|N#$3}|gX2xzDwT7V?{Pl7hWLup=_Qn{+9J)rdvK|w)p(nG9rS=qH^jA{K%hhmw-wwMHd;w#$k$+fES< zGu5|5r_3|qzw-xkG|u8U{BJ|`u2wRe_r)YJQzmD6o#iWgUYwSfWfg)R*M1)+uN`I1 zmqH}`C0ttL4AUA6B_tP@&pbZoY1YdkTp;T^jEQM?@^~BJ1twkGM zIR+s~2PX&ZvW!WedkzNP*u?|~n2G?fkDWj#Xm9cO2Ib!gDDx=D*wptS8F-YTblTwy zP17(Tjo!U)&HGvD^{dtQ*o8cL#pz{j3Fzx&8%)K&k+gZ;np1PXX@9jmx?1Smw?}ih zzl5ZJc8yDQgxEPW7rDkpewb>IPsj~CL*o89ZL{5xRh|H1#NkGBdicUZMGD~w-z6!_ zd&cL=;i$sL>yo;(cys<^KEzQ!&uofb!CE3BVmfb*H`*tSYfq>?XvqYc?zRHNHR*B1Av;%rlm!hvWF9_z`188o~hN@>Ot%N+w3_`;k=5u|!l<6@k*e`E5;LP%HW87uCU0!A?k2CktqXQS{ ze$iqLw+WLJ6Dr0B#8#-01Lvt&Swcw*Ivpwc|8{-Q+d9T@K|-foNP$kZoDwjJaGfm4 zJNsU&FSKEIUG2!X?}!!rC~6zU28Dd?%vZ}p7mf=#jVan2+>mtg_o75TKKjanv-UZJ zf|epONIgqgkvQ}{$p)!nMneA5)?TQN`RzQG3q0L4X}Ocg`a?eJKYblS71Ae$=1fS1$xU4MH>p(|_qxK-9z4&b;q(ZX2gUqkiuEtehR zzG=GGQfxV5HMI{UhE{m>=jXQ&imx3P$4{;xwX0cR<%w_d8{!1Z74Z4PPLVw!^Ihrn zfRD#@K%x4t-K!L_c||LZGi34`*?M2pPfwV1#3dj|lI_r}a@fvp?1H&`;D2@TVWRlm zq~c4#AAv_3rfhoqom}slKEJ!R&N-?aq;uIn2~<=G@9N{E!*N>^GE6h{o6^Y=y8PmE zx=fM0ytfw4$zmIN(`q7ohG%%}S&?$_L-@u)=HdlOwKucxAu$2zEnYPY%Tf)&lE2JEo 
zzx6E_0)YGYp!^vEy?UMEZBV&+c`n#X5C5atM?-VZU{l9Ey|+ihV~Yyuu98tx?NyqY9*axD9D=)A@g{`Seq%yHp% z6wf~M01#xRRx0*mw1j_^=R!3-Ab#77%P319LaS3?*|#z7yp4Ep-gZyN*{a8N*OcCr ziL=4t$pm^D)P~uMbcKWDwhGRcr&$(1&FFgr`B!kHPL{CSdAv z7E`;`%ZuX~$sH0SnM#zA&GdA&v;BMjOuL(?#E~WVU46-H&_~z=gSf);%GGMy^=6s; zmw7LK%}G>xvl*zT2V3$4iBBUXk4czJ8BK>OtT*(?HM3c7{DXd8)F)R|RN3rIs7f?@ zL`yoYhFek`q4$Rr%V3Ksa{Q*IKVXz$>^V8yQI~f>pf^0aOtoq~8@1AIJ07cXhJnd1 zZT)$3)l~3Xr$HJS_W)$DkyPCz$F`0y8Gy|REr0t(eD^Qus(i(p!bS=VwQ4Mj|3HeF zDHj@T?02yCU5H-zh&?9jB=nvaDfo8}@VzGf46wVAL|u7nnA!IEavd~vr_B#7e|*zN z1Q6Lh0!>PNC#_J0w71vc6quUm)2es)DHp@%8wCy=E8oyr@cmy|<$=OiCT@gUvd&9# zEfd8ebF%Y{eq>BN3$vi?jttRCpDV{2{~E?l_KF<$+3f>FV&yj2qqDX&89*@HQ&ch* z(Ha*LiqDQ4{8q^7dU3@jD0s)gKujrXI_tUfP0PIk%gdq0O-VBe6Yq7^7~ewa6cg8V zBce;vn>%iFe7y;1o2Ap2`I>Ek0fLyhcMnTZe!8}}Uv@PNb7b@=G5C&Gvffu4O0@&| zhuD)~)o_#>$L6nFM+OTzfSF-Mii>*46vMajRSg9BE;7(N!C(Z9{oQI|fZ8p_874_@Qz`W~vZj!*y1*O}NL zCITL#+g)Td6csctvrvGzriCCOME8e6t2c)8UKLaJ-=YM_!{R1e@`NGYPD{6zXqom> zt|sxD0y#XKG9r*JwI(k$g_0tLJ+%@AFIRRhi1rP&lKfhA&L=L` zr>$p{QmRDUx3|(R&nX={TN@p`(9(zyj>cvYn?Rd{MX%vhhU$2b4Rqef|L!n&$KC&Y z>y>-cwlFmQ@HVO<%y@AjXI^mYra=!V&e!dNKrK7WZ zByQx{kka1eq~7}*pG0%#=eJ7R9#?5IX%W|Mrb8z$RvP!~ zSIY+ZpZ9#66xxbplbn_jTWix7^rKz(7o>5ycTb{4_Ub+w=xsies+N>m3?O?tRTilQ zMt6VpDzvb2+4$P}|F8g1>DULnYftq$Ds8h;xMUp89k+uH_a@GcY7lTMhT{4GakRS7 zX|>=^wsJ^V->mdrkI=cxWg-0)7D|t510@N#ua71Nvm{834SVG#zD#;n;aTdr*LgEB zfy2Y4B|}O#SrKkPGZ4;)Me@gA>ZCpEY(W>KdK@n36lsM>ov-#G+!O=M(dGcgG|Z|^ zB}*Aol32BJ<}}12Uw``0Oc8u0wml;02aQ|E4O|zOO^LZf0B-PuJxTlZBEWpl)s$Ub z`9Lu@G&(tLTzX}7r82OK<42ImF;knH?9Xn>CqwZzq9t#IX1}&T(P2iz5_O->Y6&pg z^jfm^-GlT1>h$QbHKic?Cn}o6r@C_A+~(3^fATGA#>9L^l2i`(l>5_Y-`Mbe!V%#KJ&r-!0R==>l-X*MC@=oAVnsd z^S3oz!7smW5uNdPdvFRy?vh`U^Rnmnx#OHjCOamnXv6eYHS5uF5TF!b^93TpLlQnV z{x!{o+NDrbezp%Sy2X5v2O#}o#zgSj#vL>)n`hkxNPq&zUsRgHjzn`UZNv*OzD%gh z^h-X&s)q}SPhEd&q%L%c75Q98B*rEJ5(d(lc6b?am3~# zmUJjH73|`?+(Wneiwx5Jr`B#cQT1Du&$#k^=4bu>%7%@OK}TQiS-%d*G6BQWuHyw_ zdp!2$Q<+bF(96#W59JVFUZEky|`&oe~>* 
zQA+7y*<0YUoBa4xs2nSvPDyuy)YAlaTxWQM6gf?n(A-F40`B{KlrhOT5i?)~S(XCJKhwlQ0 zPX)Z9Qe$43t%@zdZC{wSJurHjWjImz-g?Q|_hFp1b&hv!6jy+Tc(+)2c#(xrfeG=W zsEe*}GRxawtD3Frly|EcfmX5!Q~s-XvV@DhauL3cMjao-@Fhb7PSsC0))nhhX=N)l zG^*d-^O9{{FBydUo>B1&rqdX zR?0=5-EC*zOVcg?0{-(y|F?%>FpcI!eUTwuo5Lb)lFc`P!fw13<88&qsoeddyVSkZ zrwc}LXbrfb$1}zVniH1Zvxkn>L-1|yZBmjp*#0`w`j#!qw>%X+fpI)$(767Cg^cg@ z#(D4cEU$|YJ2;*XcE%nN+j;d)y9pNEE}GrxoinS*W)HvMKkclBuJZ<2v4;8y1)OyW z;KM46U6*};gL(4xsDQ>$hhE()TM>#5*PHj^D;4i&3!&5}Cc2tn&ZBVItY-NMy)u0Y zfG#AC^uDsZPk;1`zxl5=FV>I7^NE8>&%gssn0D>w>dNB|Y1ha2c6viy#hh7j(|s~w zA{q$D(Spvh&ncADkHJX;duJTU0_B;n>s+{qc5$c=l*qTmrD_e@*!x2-wmU;f7UWM8 z<;N_r9i3bjHY2ncRc4!7qf3S7We8(dt3TSxjkjtL_``>?OcBu&eCu@vwwE0 zyy3GChHm-UPH?pxtIyIAe%pT)a*J(hYZcf#D0VqV`Wn zUL1Ju8fzg7Wjus6G3R)Ks2)yV@#DgM&BZ~0gB5hkJgDoST%Q>NygTk%Sr@QFU`!vy zCE!-Y7ur+hMqjiep9uPT2f4%Q9D?hGOV4KMI94uPDlB&+ayA2xMZGt$0wY%)ea=@w zO=c4ZferO%V8AaROaLB^F@WYGRhv<6&%Z>)O0!B8NPN^S{ZxSp8rThV9QdmdEO{J2 zjH9_!_`bl>)Zp~8?3~u-(cz8Z*96b*SF|V0M+AY`fY3-@riE6fKh3w?f&=8Hb^I^i zO5sPui86`{8fV$e6&CLH1Urz#yG(%XJaO5!CH?G~c{-o@71+91pLBW}w-b)8WZ9%- zz3a<4NYmYGX7chkVhzfBs#iju z=nH$m80S~#^83@?9;zO(6Zp2oh=Jzm+sy#5PGxMEx)m~ee{fZ_b+s*U>9UteoqS$QU?!4RQzJa_07 zTDmAV3o7?*2@oeq4nWpPJ1$5(lU#dsvMa(ABw+gSnGRg4Fwbhs6{#EVwpa(>ady7d ztuCuIMW>U*9Eq^IoeZLvwni-v7pP?Lca#@o4Cm$Ou) z)Mwm&)2mCTvQbufi;lz-AraihulOpAs&I76-x2N~4S#p19geEAccE4PsE-<&2*m7> z&9uDt8`1hwx|r=X6i(nD;QT|UT3LULDPU7OIQgjoh$yP$IUr6!hcm~8pfl(ze_wM0 zP?d*lpJe7@V#bmqqWd}p3y^KXh$}cNE{6Xt{cC>7md(#@ufIcV5hm9sI||?K+9q}) zyQ0>gp!bROnvw5p5T*VB;?*_+pX|yT2@o>klw_pCNFSKupOPY-Hrx22#cDrkPkZAq zh!-lfkMLAcL7}D3R~!1%{I8nRa--0y;Ky^zP0v*tiQ6MXxOPIl33FJtM7G2HXLhWT zF#jEKmovXSb}t>Tb-r?Pj1aI;3L&Q)?_utLD9S=U|$-OkbU*4qK6b^Tu==a(k~~tz((*p7IVrUbO5B#?A>M z3_skOOjo`k-cFYJTpPYpd1>|;>b2wgPd?%xR!)A@S9uFjZp;{6hjt!%T#d~4KMwe5 zx|iftZBYAhxwN9K_d6M^*Uge6?f!;uthzvgAK5M{gpV;P+poUd`(u9qmmvqr#O`)# zz#f%@XpPh3goUcEDyO|#8unU%iqV5lV$g-WwcLGow5jUeo^ z_TjymjD)C*bg|I)ZY{Z|ifC=6Cv>T2jcbcBeqbXYi=r1_JhC_K5Q`pT~1fL0I{z|pral9{wsBBwyz2i{-i>|A-^3LnTY 
ze6&T)mlboeYLTVX`pvTqf#@N+B5bin@ZHJo0& zva-G#?sXf|)f`nPesOEjEGC%hGwg&cCapPjh z3I*)A%mIBtlREmjL4R5d_+kFia2R(=gVbH8GFPOs%EE&-#hzYC#x)^knDwE4Ou0VJ zYs=iBcrVF5Bz7lysEqdjb^0pXNn1FnkOgkSju4dkUFo&R#Ppi)oIa~)bERnEXI}B% zoSTT?Qi(E)5*QzR`vf!_UK2xI6C_4cC8YIYww}$eOD3Ea9Kp0LAprLr59u1@-}(KB z()sc@FJf`Z;n5P^-TeL#iUVO(5rB$YhJJx;V06E9f=sn5v#ZyPXH&3JmFoSwA zm;AX@3KbnwcK=N=k|=-h`&rsq+8T*g(;IG?+li2d!?Zy#((B}d)Ns>J9^DG#;FTV= zmCaErcUS?HG8sA~*_0(3@M2@OwY4>=XBZ%XSAX^uv854CdW{&b`B&Py)~40rrJ#9O zC!X<>bz}C3cj`78_eDgULdc3x5i_IZl!?P@MCW!*o9C9H-(NjHB+vHq z^N65*V11H;PYF1*K{TPBaN&b-*}X zY=N_tPS+(z{VKQ0W|?5B{wxaMDSlcB|MM+ruWYTC=-~I!Z1c zhbcfIA@QlHj*t@VMvlM?FutK!h059fVill~Lsj>_kHqN7cAlk$R?ad_L|m*2Eg}_l zfGZqVkZrZ5Lt$E1cfmm4Ch!->icBS`boSxM zg4+j-m?c`K*T@XM^#I=d5>XX}S>L6j*knhIE(Ysq<$?nnR`z4A21%Bi#d}#Ol!z^8 zYVWTBl&d-~(07gvWLSe(^Ch3{qwA>bjwOpTbJouIFFsHM6IKG$M*RRtiMS^s?9A^{Zz?jDTzqL5ttwD2Vg@^Rz&cuuRvyQ#wImRS)wsBC zfiF4<+o(md@}Ho)VX?A)85CxH!3Biz%&n9X=?j-jL`-axkN-(dD*=u>rtY4OO*&|8 z$0O^5tCcB$52*%Qjgua!K!u!JoEqH+VF*rl7vp}@Y-cOvlLgpQi;gLgwwJL}K^Oj$LlsH!59@4XTr1t2DoaPU4%ZTrW%;Zf~vtAG6FQX}$

=~w2P8;QKfyaL0EsZO=6xa%$9@9Z z{Lp7mzx@hi{xed4wxxA1k%DCuU~AccshdCCN=B{bu(87*o_A|cY8Jl)T#!KX{n&OG zc&5=IQT}YJ*>dzU*A3crj)oX~vjwDAWD)#^8_oWVv$jH8xch#n{;tpd+{}k=(6sO9!k0Y5!UHHMws^H6ABt8$wm$fBdHFSslnW_@xZE*My3Y$2M64R-_yX zfRAAUlfye|(3eY=e@T38aA-YUsB5iZuD%5g)%iN9u!!d}k{x}9pApF~T(Pz8S(*MKmbE%>m{)j~kW>)6kL>6tm; z=plcoCdlJaQ&jKyz0kAJA3e9r#b5F*IEBk>5BVV`OYc76*tsgT@R&}e-&%5qRdEvu zYc^qgbGY(P8Ht6xo{Go`q($@`H(AI=C)9(UwW~uK<4)K=bTDf!$}_dP}7Md;fQDil%#c6$R+BB01-OvO!K~n%tE)M1-pa-@6D6 zEz(;~&2n=78g~0`JW^D$B7--)eNL{+n;H!UObTNLiN058GsbGP-3c0^-}{|eEZxD% zss*}VQUchEu~HH}YxBLMdvg(u%zxA|8+aOzw&oPIi$uwS)@)u6H)eFg0O2YQnp?mw zvg;<~&-ul)Qp)K?{rUS2N+!q;D=8{QMks;D&T3Ps;p)-U#_G>7kAsZ_C30is43f=*M-j{60dw0Ce~(`yypT*{YSVWaO%tPee< zZ*-cg;Vy4EdRg;f6bJCE5|l=XP__X|Z2o|ZMvAl-KPij*4Yy@d_)vAOstW7>61`Ok zXftYlEx$~m>-66Vhf{A@4s{Im1&%|W9GDMMv`)|-!)U6ZFrV4nOvCNsF9~<1Kf}{S zm253@zOa0*dt?jOC30?p-D|e;ZDgsD+I)&5Rfv4Me^M&qn|wrK+PzTbRc%?mUa+;m zD!|5em-@1}xOm+ZFy`)#A@rP>%7yu32eo)%_qUVa?Mu<)M~d4F@f%v6Dsk5IY`5cK z7U$mYn0^b3RJmOgQmiR9yVoISnYGG&b%u0mko^3I^Krd!gGW!<@potg_q~iu{!^q^ zY!?BP&SURKfAUE#8Kpk9=04WS>l6v@h4U-EQT~mDKa)EmudFQ+Fxek7@#lP;+Fz%(| z8c@9}SLdPT(VC?EufrF9q!SUX|}3vYA%!RlgZf z7m2G_v;%I*Ls7d>;^W|EsR*Me|;^bc3 z28|z7Qyo>y&Q$LQNu>SmQ(sqU;lm7Xe>xIPqX#9H8py8r%+R!FI@k@NN19}oO`N2S-5!LehV=Q7<)vqxiV zY@!DnTf0r@Xgd&~D^drO1)Q!NR=9W7^z7ok2-m)DYNa?UPEvIF>Lb~$!v2wAC4PLuz}|a2A7o+P*Gxr= z-vx>XQ;L^xBbtU3!1EzGqqO|uHSh~gU;giNcSmlYt2Gz%kn+);bKY%?c7ZuN4nE-Z zHoZw6{Q2JIMb0Q24vcDK{|qKF&b-g@RrY1Yht_87FQku3y9`g7J6?h=o8|0@jJS`? 
zn7Y7wWbowMcvZl4Ll|3b;-?~)YJzkbd;92X`lsRIX>ao27CafHtzSGfbtZXAcya%1 zEw$KiAb^*{8AS^J|K#eqz5{=hAcBaAT~qTrvPr>iN7MlD9X7F)!@K_H=_#)8_CK}c zM_;3Xfng#42I>O?Uyl05(o^)S$;JD|5>Xt)10O=$-5dX{N`zbv;M^%Hr^uQPOcx87 z55f@!b@ulH;kSlL|9$O1VZ!e9&#=h<|H6L-zJ;r*;~|-PC+~#%fL%F8@D_19oM?E$ zV}Q2O7(A7uI-oBmb7u!))WSb+Vk z|1)x}Wd653ho1;@#oz(87XvB=Wv61>d8!fI-c$aBU~^ytf|Soc8vMJukuq>~ez&5g zRl0v$&ScgU^q~J1zwRq8Omqf5-Z>V%P7%)Fzy}K6(l1nKWcneJ3 zcun1-R|9AL-Txu$JHWAi+px{7vW0}AjBLtYl}&aiJ3`3F%43(EkyQ3Wj~PO?Y-N-c z*?aH3x9@uTzwiI}-tRk(jw46$xPSNW9@lkV=XIW4Y0Phn329q1=0CSjuk9n)x1-Bj z?aLCf?8mA^_SQz5Cj5DbvBY(hIe{)}cd1AD~-@S1mQA9F5!=T#=7BJ!RKm`DA1_pF|buv!<^-*NmB?fUCaI~Og<5m+} zy?p{wuvYzf^x(Ki-(qo+y*%czeuowZv`g<U{>Kelr$M+y_;YW{a&ztPnF60QHic4V4BpXCbuky_UVqAxm&a5Rh@HBv+1AZ2c}7~lRyK+C<)IP|7L{0Eh&xRWHYQEXJamF6_?mD$>rnWIheMq80URkx@G?K>13QGvR;qd>}%?0V~p+MrzH|+3JCi*L3}D%#LGM_c{Y?IkJm+WqUi1Q7=?m@2S?`P zHD2x~X1zau5+B8?Ru1N zBth|W9tX4k{rJo2aJk?7p{Kt%@+amJ?BxOosZ=NvZ4TH=pEdV=(T{rj)`aQjN4>cj zOj*9+scsCpOj?c16pLZopnDZyy{cDg8y9D5Vi=}3&mAzRHmRb~87wM5+?Q`0IbyRU z=C&3FEEH^Tb*cTyJK>L+x=p#{>EPHdaoptb43BvV5}7;wj~Dmbp1cIz+)Z#4nTA(# z9}v(7u2_GL533&vU$3{tS0(37c-4h4`mRXzV%i^@l|~q|L4`o>%w6hSqbJ{>qWd6v zkP?>8E%5NRs>v|Ut35+Rd)1wN{&zW6jvqIxxmCu%?0ICM-(Uunk3oT7^FQID$e_TnqEx7U=8TL2%IdE^Zj`o9rg-BS5h;Ic%G{aANC1 zjsuqeAfcN0CJt2pKhD1>oK6d9tdGYqxs0=#l9eoANjy~i>~#daSUl&&t+Zse4YY#` zZ>693Lz!zrm`@SU#Q&KLoKVnpNKwdU5F*_;OhgDdKlZ|Bz*M7~rIH1brV#T~Sh-dh ze`x!TW8QRzu*EIWKa=b$60Mr=($Izco z3PMW^{K&lI&K|KI%d)78QwB9zaN8{r^8b zWCO3MpZ5e&fXini7qkM1{%G6s+XCAAK$K zRT6wa+x)>t%wZGb3hrcAjoZ;TnO9X(EpI19Q`jb#@=kRI(YreuO0bHy1h24-#Wi(? 
z5UF0}9rjBgc!7HLY(H@a5;}66t(o~mg~^|oGgIMNQpYPr+bT>0R>8mC^Fn}1!t8m6 z3k?l(quuTKgR;fEAxYXNO1A4zs}s$X+>dgtVBR&TZ12=NxP$AuwoWUO!PZfIm(I;+ z{>b$#vCGnCT9D8qV}3hWlw<1z&bEa24rhr8LmD$%o`^F}x34VJ<$Mf97_3A|E)RjeBV-@UFTO}%b84*r^tM^VY?P9+1P0_h4z|#WnQ8KX zAW`bNjt)kEpsc9dIh;9O9r12P%`M`xVyyRbFC7bG*8jXz+KG2t=NbXdSnE%c zQ16UU0U|#NES<02J0hRz&t7z=g9)|8_C5a2WN#jg{Mt)M2o`J%{{Kz!2pu)kjWAS6 zI%riJ9VY$rpbC;PmN#5sDwIo%GuOo`L12xSJnKc+6o$1*BHI#{kOW?Jlu8UZ>Zzsx# z=c%fbqt)uJTo1K{###8>J)7$DFCwGf=LA=C?xG~$-X7J6K{Bpwq$0>3qoL&Ds@`}f zcxJI?-NM@kIR7{N@+SrAY`dD5Ju`(XaD8MYB4y1&_dz0mUE!i?nbh0gHz8yAL+`@= zrZeLdS_|XEf^^>ey1Kn=oe&nH?x0Co_pb#EKBcO3<+zQ1 zu&*T+V!peD)Xxm(AlKyQQ1z5BC;9FbcBTnt7=*OH|HX zA@mfqk3AeeK_@9ZcSm{9-^XM^_FF8b=@n#wkW6-6!@|4)PlaKceXAdhVI(Q{UPnJ3 zJ{>$&z@_RdrPu#SiHCl_;r}U!v*Y_UoWnf$5={K?Z+8B_S=Uuiku)H7No*q~{3n-r zHHG(Zi5#Y&{72N1oI3u(AsJJ z{fc-TgEo91;Vq+wYfP{#xL;&^BfkQp_YW+3jD|7%6wrAeJ5oo=3vhUDEL@`-dF7ZXS=@y56v-s&2QY@_zOuK-Qsy?mp}N*YZ&+Za!$rC5656+ z;e@=nW%2P{lGu-2`tdf9CM*kHT#EcB@g@c6=J;B}!`=vV?rydJ^8kZlqUhC4oBhyf z>yKF^ytWVLC9xD06*IKZI_6W7=h%TykW$m<9NJkEk{C--_y^K}B1qPCr=#EYHLL*i zcEKQnHRmarX@nMvj36suVCz$(3CZ*=W7^X3A0t0~!ip880#}(_;eM~%-}lc6Sx()S z_VW((Fl^6%BIrm9P`d$fD7NZLS8q}@r~+oO!u=K#{YxgUpewnK>7wKq@CBxC)-9$4 z=`$-Y?<=9*@_PsB>yfau`mO$MSu%V|_+;rQZ3(+;6Gd75@d`rahFMqghC5jc**wuXHG-Wexu~bmi-3~yi|+fe8p-IVpI9M7UWm() zokycC9s8dUq*q}S^^@6;lNA34a!J}KKZZ;@anb4#y(bos=-~GyS3Y(ih6qLk4z3^k9O3_i;X(*F;6O9Qs8C%fLXQ z7IqtsIW_Y6COOc#a!AE80*I@IhT8TGiW6x9`V*mf624hhJ@zji3qQ~p4j|Pl^JFh9 zEG*dS9OvC0)ouKXh{#;?N24(KrebOAm7zy+;a4Uh-mixMJJRcTZ}JrpH%8+OEISe2n$%y^PnjXG2BYk{o)4uKB_p(jf?sqqa>QLlOZuCXr9FB+C{^xM*PEJ}di(LC&P=wd)TwhKXwJt<`AB}`HhesTc;%id#vZhBI5Ta0^5QSv)7 zDZOFv@^T2Am-{Y(`)Q*uCiVvSaWF#rX{RJz?dcw!a?`L5sW=OM!DzujhJY{v?SYda1fCtg)enSH8zefPH{fk)6WU(cL!Pf&dM z5Fn=x%$UkOYO%bSlz$+b6<|W5_yq(g)~oj!0MiS3jYskXWXH4gzA~L{C!f<$qMegg z%f=%X|78BfZy?`ySpHJRbmtD0SyLF_y~Nq#KdSd586+H5OZuM-mqJ(R8Q>5J%j6Uk zXd2U12?S-Q#C~E0GFjqqCYt5+3~+#YwDNzns_4(+KgG|q!~rZ|u}M*h<8Qh!<^kz6 z3WD#sqSEKX@$XL`6 
zw1@WbkvcyqBHL^;Pr={;L#M}OcHuF`-h%^1Z<8{Sh+Baqj1fg0qOHZ>5d&`C=TmQZ zP>$10dKE9yzecus>@EdVu6-lAW7GEo9C;$pjzZ|j*zr4`px|Y|2vRmljuqszGF0lp zo#;tk^-^|DTQvx!_yP4nSa=gfW-$U85WCZv`3OSa?27;d80tb2GMHg;kB_<|!`i-F@XA`L{*A z58=*9AuEuPpi5DodAtYt`XnU#e9!jsYtKO48ZzG>Ir%l#eI;5OMd-RHAQhy!%rDtb z*e`?skiBH>R4B&=yuvAXCPCEOI1H}G#k|otVG3GxI-fNg)B1{dx719P>Z`1KZ$*2L zrzui!>X%+b=gSmCxvy6>efgaxKp|W3$#w?xwWvv*nlH`CNH2D$hvQo$vwbvnpQU16 zVt>ItQt7<-gav0Sb6da*8GVTpd9)4r)V%pEJ=N<1L#++R>y_&@SgSKHg2380{wXeH zZ}DcLQwN_i?U?&KJ&5^TX-^OmqTmP{h~7WgoDS!rJU9QC152>h0$@0TdVjZDoeUYn=$Z zOGLvMt+ceXasw~0{1PTL#QD2B@dYCf(zC>0%mkC2P?m!)%XfH#&-iggofmvTk=_(2 zvKd^2Mt#kk*cm^HBHvK+2)gj1RQc32+K*_$Ez-tsu`ZDakmb(eQT`qYGC4mx6_J`g zZL?r&=>Ymx96`uvrJLE>NCnHijs=n0xf^n4JI7QUIy8Rm1Q+-GqFnaku#kfnD_Z@q z@xs*Mo@coyd{_FbJWh1>9QKl4fHPL4enC7&@;57dX!G0a_fS*BFJT2m3C z7YUuQ_u;G~23uiVgApJY%x&!Aw4dhuv59b{0(?Lf?gdkm_)!emN~h#;+eszBO%XXU zu%P|*11PXN#kW;dfBAT880-1K8zdm$$WHc2t$GD6Mdi8}0ZwaEiai3AzWpAz5_u_OnMb|oom%irtml*?CGCv=f1yiyVJfezTEmzSZpw^RC`y`%X(kBIZ@g#QtK$e zmyRa;y!xoQBy>FXpUFwm`a3zu6S~<)C?qO|ePt{ZvFERG1~>h@Ov3r`_<8)DF@x_9 zK0T^*eNORkeh3jdx73?6Pxj>mNoE(SsERe>@cj~tM52auMs|^&l-ZAj&nJ|Llt{{4 z$~>KK5^iml<`pkDr_gAjQ+K-=C_MkX852wCe%XSW_ln(zktl@P>2)48I@~#GNFIM$ zL0;`+$A39Cv{TaQ^ZmO~N8pPPn~U{g8i^bB!-)s;Ox*2A;_$^fM#lD^pb;(KR@MP2 zxnYsJb>8~4q-`b&ii&)r7Us#4o1o}%GX_6Ph8v<7VBbi4jJfrgx1CSwhaCB8mdHP) z+~wk~xoF1l?K{JTpM-x?CPFq z6_#sumuTc7iu5gt@HRV=sGXN{87YoB#TXL z*No8BX}zZog#5^=t&UY(FIP?G{(Y=OyoMT(=KHt=;YE5umfcq7mVp6e!oSj$sGFLU0G zhYO8avFLGL&^eM2x}Qe!Wyiygzs0JyuV*=~**N&WTmbuEnd&BKX-ER_a8jRhL}itI zu`!Q@h>HmRsj@Bva}BG%GdYX5B!PW2tWaOWJ!4KQWlQ*WhNHgCZ}u$`MoC-2$X3Hx z{*E0Fxsm>SV|&5RL~@fIdwm&*5zI022_1cv&zYkqZA;2_V!1oV6uZsF!*MK~dlG}v z$HEo&N>7>_!Y&Yc6FMwgB5hOh%j>U463%1<>^xd)xOl;Wb>jz?4S!RA%|haT!)_xR zrqS6M^&L5sB<1_>{ed!G2Lm}zVZHC8qyE}RuhmaNsG0)N?KdXI!)3#}cFStK2TDD7 zud|(&cG#AZ%xXAG&=s%BmrTO0@Yq2))_;9W$sxPBf_F%8z_CR85GnXPUU6`~$ySvI z{qrZ+(bT2A?C8H`(q_S^V$SzjpjvX(CS0c4%y9n0B>Aq9X}2uK`^9wAe~Q7RY*@e* 
zEf9%GN@#bK_o5;THph}o)?)lw(6f(%bdBeVQ0B-@jde=3fN@p&kSpGdEm(gyEqZKa zFEvl`anO03x;8yJ!F1cl03(7jAM8Of_{VN-Lv)TrItckS^YHnSml1j~lih_3iP8Co z>2pXOa}Vfy%VnxlM{b&-mpc?1ZY(`tWuT>gf(4`~DCT?(GWeY+Q%#hpr$7yLp4D;b zJz$u}VWK4tc55$l#|09IYOR|A9C{}5Z07n9}ov9{sa7bN3kT7GGg5+E;P zy-tN<1Mmx8KhWD13;7?&L1q7+oN&g-W8jvCJ&6=fD`CiyNtBCmHIzh?)p}DWD4--- zZ<%{J5z6#qao*9rpU}^Nn9H-(K#hH{YhQeij_q>BfO+Bn4_1}qaty;M%eOa=t461< zt&9;Ra;UMddE37nLJ;}9i%jU5WJ4D?nN0sYAd`j(!Ai{Kz5oRnFKOOvazK_MVVcqK z62$NLJn)ShTe{2tW}_beL8XjTU%a|QzN@;S+4cN=7LTadC_6gkX9WPnhw0vtxF&=* z^4asf_Qq%$OpOj|S@zmH8LxYu;!t)ha2r3HzRE~J@!I;~E#_Od2op+eUE1s5WrlO~ zlEDb+&`VCxIaH+(7Y3tWephb5ALGA7&M2Ac2Z=Mz0*RbU>~-h+hsSKjd7Pro71(q_ zmTxwPzm56gt*`p&vZ&VEM32iRJ-)Ls;EU$~9cZzg`zxbCZjuK$(c{OYj~+b&%6c@P z^?-@?XYDS}8q+@(p8V4`Drf8Rs%|`hRb%6`?`u#6~Xe_U87ha^{`V*Jmcvt~X zT@-tcF*IW?tJM8OA*-)A`0$J%{x2bc}kKeQ)AA@LZB% z9`HGNDp|Td5|A@gdiO~PPSwtlxe8(*yGqLOYP_JG6$>UYy<}LW9fY=oM;8&~=f{iG z@+6EQ2>D8$w5DZ+9yIv&7Xz?{Wu51mFFMZ*^TX)3_+p$u*sv$LcjdMUgVa#4edvZJ zm|w2-Gn#GpJuffZUR^+Vv0hy2r*oR;`5{3R)-Jr-{{8jz>4Eo}xF_GT*!ZWR1>z6{oyhmO3|LYlclrN%J6}b!DDHN=`~08H zWnH(3LfTB$CY%{lJd&z(!AtZ}b*d77LSy8!ED`3jO@GlVjWKWeH$$qCH@%kR!Hwq0 zuCA^*o3r!GxIZd0-m6F9v3KV2PQK3Ya2ixmLR1^Uc#V8F!p*cr6jnWdk2M%r1ARda ze(f%|4xZP4Kpe(}CC&Tj-|a=yQzrCn>^Fg%Brj=<;Yhd4d>o?IbM{J=A^t8fN0;4+t#;ohk zXZ``H^k(;`Z!SGwpp5&=I44GdIdD-+*vvTFxE8{wBI1W?spabv?w()#D& z;ZpgFiIT%wv5Ha1aJYV=SabdGj!;L!>CZ~J4T1Et{hL0Y{!qmv zEZbFQGWO*T$8L+bHJ?B4O1A1hVoDs^xe>-7gt=aI?pSU(qkBxb8#&^R{G2NDfoA*s z$FHv<#?&QSCyOV!^6aOw>7S2bCH%{;szE#m9oTl{ z?N@w7_7q5hFp2+>i_QGWfarIm6zE9^xz${L&Qsmu*C zFv1=*K=m*IqT*|i5)qj#*GG4nXMf-@{qym8%dcNs8A`*(PE3$4;JqO74)wasF=YHc zf+MMxt;ZP+!Y09?IXoy<$dw2W@?FvRIb0d?8u@pkR9}3OunoTfx5U(^k_JW%CR`rBZx}CsGF1q2In`K^>_qLRPd5~82Rcxx}2`6mEGHpo|+ZIYc!}D z-Y0&l^ZPdrN?gZB&2-?HXC;HvR(0#6?WLRWQ0m<}`mU^Xmbl7&YgEl~a5cHDi~Nv8 z$Bfy*7J-j@f;2Z^$ic5szQgYqsq~Q9;A1b1!xRTM$PEu;uTC{I0V+Tp#}mCxIQT3L z?O8R}zf6!gi%Jd8;`lP11VkFrhb-leKY#SMe(-PULmj=M?rh@Qs-eb4Ro%dvw1wz# zE#tRMb`3_+KI^}T{|KPJW2+20=bnI!uM=?@>feBemTj1eO-STkst#Y<7WH91iSoXh 
z4B?0Om#10iJ9_|XGu5kxH?Z$3)LEkE^ZHJNa{Rk2w-9Ecg}?;a>athH&71B*O*faS zr_*xKhrKk8D)9QweuO#8&irSWzqlZug1Du@$o6h8msL~N>+YDks89X0b|;C)8FA|^ z4>Sn8w-=d9#E8B$zv{N`F`FQ%9*ANo=DhuCi(tT(So6-0;XfAXTDz>+Gdz0#Y!D_! zqE6rHU+rRYBS7`QY ztTS_gUEY`RLPvVp1h#?mLLN9H`eimL|PS?SA=pKd7NroKTa0*kxn$dq%N+&;)vm_3oC01 z4aFBmN~hq~y3V_uye%-qgDIaUr!}X5VF^0=w-rcWMxrE1ZJ3^qJJHf;W2rRS4<8br z++G&2HLC3^PM=(-nuaUMnd+#MvU<@UV z6EI(|5>)C5im82E1_3#nNR&{xyyER~x zu7c&dqUQL(r;pn>G`CH~^Yn~P@2eHk<|sX4Ai54I;j!{87CN}32;TD;*C^b9TH*g> z5Qqo=a*yOuV>V&m)M0xmC@I|o>Xp9?&>0yq?fI)$SeEDnZG(UOkl}n(h(iE6eXGTP z3M|^MZ0w8220VXiVKLPb#awUOWH##P=olOlau>)5EyH`I^$uH`eN89*R1bToOC&~F zvFy-AFISQrpPIjfALCp7B}}Bxph_HaJ2Iyh{&7x0JM;)(>np26CHDcge~UySGedy5 zGZk->R}Xkw7${OI&(^UO7f^4w8z7Z7VFAl<8~aq+Xq^v;POPva(^~m7 zvA|byRY}>W&_${J;+q<5tveTFCS>4mH5rBEH@-1AxwK}>F9;EY9?(hdXNy%6dW2@Y z0(0y_>ONE|uIc0(g~KpN=M$ZXb@B{Cpvn=qP_cW82GT#)IIj*-p({SMp3ryv`qcm{pnac$MMXMOH3>~f+_pbG+Fj_) zq3#e}=G4y7xn%6M`ytLic=o-PL$@NUX-}4h74))tpP#y2q~-r%PEqiekNRtKbMpZB zOyQ$Y&XYwmeGxlW29AwXa&<-3(3(A(R^!BP3bsaQC)=+<<0K5?11op=p_sSrGv>DR zITK+U-5Yj4 zcz13VDPh4hcf7ayUEjVsAi?e%fq7>e!CoZo1$Ynv!56OrPs@S$idG@5+GrrM(DXmG zlxq^`6gT7N7k;)?dwxoSE^~f)T;ee5(jTXY8|tq5@eE#j`F4j`cvdq1Qzhc$hNX0# z+QT_IPNOOs15F2LLz;%Q*;ruuy})kt+q5?q(H6z&UXPYqoHxIRUmP8Y_=a@H%Zb={ z5E!D>hxDq+?rgPovx%-`;DC1q3{AtCd^__jIDT4mZ`N_PL$hejsf5SM` zLZ13RVl17Ic>EBK`z$nM6cQElV$?KP=`?Mj1(snn#9I1oPIEy7W`0;M7HSRfX`3^ z!KJhDsb0WhqoeAU69k`IN-36b8wpNZ_A_ZE3rEctTeVNntO%k2{r z?J=d=+L?FCDl#9tR0)r7J+f>z!JKEK~bOa;3Tmj-gT3amG(vcXUjfJR-P7Ltb{Hv3sQC7 z%RSsusacu4rKn$hR;D)+qcM}c_TnD#_yET_HUyWj7l@-8&ny^b=1!M#@~42f-!y2M z{G5eaPil2vu4j9F25L)fY532VhRb-6o?D847?pAKqpyT5XesDNlU;UFL)D}p78yek zeeH_=Jw4jdhIO1I7CJNBZQdI*ta9T(#I@nRsinG8(3zN+lFVIm0KO{E_L~`fZ27r` z9o3;s{+`=#$hN@Bkvlu9AGjSyVyrgzA*%xOwcdB9{}atLn?RGF$F`=$xn1i$GJHa%7o4XZTzTQ)W~D?PSITQAePEx zM|HG>0G^fd**((-^>O+=MTYz)*;4)cT2@-ZFSbxAu0Nw(T^4@V%QQJr6ZS$!z|^N8 z2L4w=p;;cFsl6?A{JjUE>RUi8hmr_E*nF4b(Clo(SItwus(-UAt1NHYQb(-MA_Nv+Z9@dATOVw)1~2zFY!B%gxi{vL@jNQL0Tq4=LFdZ7A)5yYDx-5p 
zt`=9(M0b2?!a+FU2ZN>aSS>>jy3>`ngAs%eGQ0tixrhnMxH%~Wu7@JB)i(v5NGKUv zn=fMKFsL#W*xAcS^!GS@5e|^(Pj~VXTg}Xx*Sw(mUayrXHw5pJ(d2qMp~cBfmJh-x?4b1Ot%if{O}GT{J^ z1-FBy@8IP`1(W28+zA;JGRjMJO{u4Ht@DE@<-ZKVix5IImn#JZMq}X012vcE&fTsf z2ZRFP26d1GeaKM#^kac5^^?k@vYPn}^Dq;w6#iahL*hN8O$P0w%-_HZ4jXX_FQ?j_ zld}lRE>sT|K(&=@h5gtTAQZ9rQbYB*Oh%#zkL?G0)#1CJ+U|KDYR`_A!%59O41y$m z&OD=$omo6mmW1NZ&2EVn;n5t<;$R8kw)vzb-MsOPaeX$>KA=STE38W?plPslcS0S$ z%{F0$?HBvY!xC1FPUhVg+fV1P*G&n<`e(ILiqt3GEkY!uk}OM5?rCYLi zZ&15=4rQWbSXh+1BfrC!7r*q_$d!CCTww2JJByuaqo1p265HRWT%#O6Nh9 zoGmhGGI$U3*X}^rdo5mQD(cCdwfJ<9w!rfG1a(%}$}KPzzsEP#DuF?06Z0evg?u*O z*W`5K(RgRaV7mP&rn!9A1C|l?@y9mE<3z;KH6deF*8=-CgNfZ0lKyI^ZhxC!6=TTV zLWek<7$UtW4+{bH+@g)gs)&s%W3Ap_eTv@%c$p80vKs2e;!3L`yVr@bV`|JSWbdNJ zhH^du?So|+bxkUYjFq!I?R7wD_jnaDnqtPM zw%?)j9Wi??_FX?fkT+fG`t^F5?*ak>+uDs`7)IZnPf?fERxfK)$B?NjIBCA7U`aGM z0AfgclkdnzyVlnO{%qq+ReI(^cPUmJwhs5)WS865gcxVcF9=-SqUM&EkR+&ZtK?}> z8aMz?tv*~!M z*yB}|ZL(S&GQSZVYoV4gjADz?Bdgv#3JV`$T4NPj9tEa}M?G)eK#QXwrgDMPHcQS7 z^=`$ZO@UCTfuUPCA?hc}t{*x@qL5twVx3{;uYdnawX z%-mD&JZ1X5RhaV@VU_G(ZA_WuScIk#r|K7K;xyccdsKX+H(LPzrPGb&kxA;MC^tI9Chdl=B(gTijBr+`sTKZ!=W7AL+H(C^lW-*(IKz*Du?_3{)2M z`rqblc|wK{NA^*jgErS18a7s~6|K-c#I2QjGERO_k$OC58M-0n9_-(^C&|q6q+ZRb zn9oRWp|VIrZn?8E>k`n^+@Qp$%x`UGr$ zTE8H}bG>mNZzQuN)fOx$n@2?^j#*21%^Zlnm+*QyWAj*-QE5WZS{XGa*YTFU0}X~; zl=`WJhOO`~_?e__XPOJ*ygb`jqY~cPA6J?u37odo$&{&XzdA+k1c=U53zPGGR1N-b zXJvDM)*@}sbN2rhxk4}idM~jUA0It@q`QV+TcTfE#(ui>t{RPX4oj()sG|F;x5w>5 z5a+bnf%xctQBz`Fx4&gwHLQAt`AkL8h)%U;|4rABBi;r#$3K9Sxvmj>oBKHT7w$m#blIf4sioK0h z3-DmAcpTI}*8x62d+OMJGaPhhu7KkH+g6R{5li#pQv$b@w{Lw}xW?q=?|spmOJ0^4 zV*kOH6FqVNQ`qdk6oO#&&?yZ9)~?sU?;O(vG%2;6{>HY!-D?0y`oHrzt?66CbIXF- ze2jfsAGgN3UFWfo=ig! 
z-Mt+t@?%WGV^8>pW*n_8njuW$N|8N&9r6nZ2qTTWQ~E;Z)vptHD1)mkAXnp`~;NY z=7+7@BmYm2Fq@d38noONAa<=sT>1@T#ohS@Z3ldTsmK6=Hpu<-Fzft$95biv6SB{z+!8k2I#*9$XZu^ z$kEeW{rycm@?BTP(T-v$WW;%I_gVkn8*OCnZ>xd(8^OYSG3NzRXg7WGV>=yq##h52 zz`uePLIPT+IHz6##$heVjcRzZ>Cc%+tj5`AnMr}rBZ>)#)^`xi#~utbb{X|puV#5| z@;l|O!h;7~nqbEp@-8bY>)(#%KKI>Qe_GuoqZ=n#)%A96p7c?*zcR@ip9g(0S+YN} z%Ma?^dY@@EnA5Kq#m{N=lJ81Rb~hTKNe$%hiFhFU{G@fi_oi~s`QEU--Zy7<;1Qa1 zkD~dj&>%|-#A8_iHTc}t3{;Xtsh~Hk^Y9GmvBn2(QK!J)jmJNRh>jO@aDza2lw<Z|?vRA0-OO*x-pFVAQdtI{{;WAiY`g&(|SQnb9UEX|I_ygEZ8nDn` zZQeVMW_h65?6TM`8;;v_aow*yl!~KgD*%`1a!XS<-9srp$0F$SyYmsSnU7ewge`cC zp4XyT)pVlSId4c~!5<_UZ)%pCT*L6>iPA{2N?Wmm_fDqOYntBC*R6Tq#Ji+5)(5K_ zin>{(H5jXO@nyX>BD?}U@?<4$iMlMkCv4;~C@*MB64ND^0Z(})0B6jh0ZhsB{=iZ{ zX%x`PlK>?)8uZ%+1d;=Pu@=PG(q!LUR^kMZZePjZ-U;yc^+T57)NPq-PxvrkH(dIq zC-;#S!7g+#-y%8vz@a+>%S!``GG7A^M-)eVF4I*_1|*!g|`RyIa7MT;6K9UTY2(eHq; zpLO;Gg-JnXvezci$wmwrt~LtY)~vzAc!<4$0K)MW^z7%%IS{jmIM<7w0q2%AJ#u3w z_4c!FnO*|FNUT6TCcjsLd@R)51`2m1zp1LYn&fH#?8^+-32hBh50l_61_2I-p9%Ty zv+%EFxV5#V)33{nc*KOOXTK>Md4wLBR1bR%+lL~?w=T^Lu`gk}J7bLq>T8fV2Fo~* zW&*oC8n*WSM+cAN4G*r+>)qFFuUlNdJ?UrHoBhFgZRAmiLvRQ5hjXY&vfvkFoP2F& z(0X;*XayREmEaxSsCY4}Y2=VQ88i?`-yA_7y|7?4tJwF1HX4t#(TYeJdm<@Np8nO9 z=c)Agv;9UM4@&LF^H}KAsm1$BZ*m=9PrSY~sUiQP9-x*Vt`EE_U02OPTwn_ts`^1-KzF2KcAr)bhSC|yng5UejGtN)rp}gT8T8ooCKsWQ#N_kfu(M@+} zJfNfU@;&!b%K4%sz3gf(&dV>yVmPoSO1V|wKfT?s_FT3)Z+U{}8Ea#DmYPqS zyZ*7B|SP0c827}ZCtr~}X5=kP@ z;4bUc#PAP63ADp#kd9&?|J~3jS^Hsh9lzRE4~k=({e4q${GPe5vM)t9 zi;Lb;TH`d*o|>AT-H0+Hw~2Pb?+iMqFS_ZyV{=*+a{fv9xOQImgJWk}meAV3)1DVW zD9O|hTPG9OCfGEPtSAPXib=AdX8I?TMz;QuX7oZo`0jO)5tEok$~Ya}zxsZXJ+PT( zc<^otOr*AZt&8i+ms5O;Dfe5ycF>Ql4i;H*1z_n*uth!$zutYYouJh_!z}OPw`r)eHXC&%f8nD zLc`%fAA%TwW)YfR-2x&Kk{A#M`L#LS{E+fBH=+Vd{AlAORdt6*g|vgD(+6&H?P479 zedwgnaCuVU%YkB;H?!4K@Wp{Y;>;#JEBnaZJ|D|NrbNcR<<)}?H{^?`XRa-A1thK- zj1=@-`L!pB#Wua-RJEqe&A(>sebhS$DFF-+F*QH$NH_7t?PI_ECLun9p))?N6~IyX^?)rhc|=encS<3a1n z`!EKX6{JfOGECZZDN^KJ=U`1B9*yai9!U+L+q2K)?`jIY`~@9FSq=4*B|#X02eMg0 
z@4kOAs($?CvwVvL3X7B>g4ZSZ1-==+CuQ3hgQzpx(^EHyEN0+<__Zwwm+9eVGvmVr zF zF6~e)Z<$id2WQ~)~vl&Mu-7xkMV3zIajJ>0KVJPHCsxL1l z22qn5!FXrI%su5X)$aa}MSc`yQ_>N_cxhjk4 zt4Z|PO-oRoT=IK2n2Z zyr?&)i6glyFk(Ec{W)5*|7s21x?a zZxHf(%jtNe=Pwx>$Fw2|F5FnTe>eHJAYs+I=q-$UbWHSv=X64LiG_3Y&GiB#T@gP? zlL|;ENMlE&k4cYO9{9d>A11&_eDjke*xP@UnGll#>)Qgamx@(NZLIUNfr3v;M)-4k zlVEW(_ARwdgQQI6PP1?!^$pTCoT_SXIlO>Tp#8-^ZLv)VmoSl5(QinTu{tjrqMKJkmEtUG60l5fr7ddDiP*Cy|a z8uK)}LMm}jvucO1FM>IQfxPzSjT>3!h@(5DCa-A%26*%eQpn%x=4YsKVsD1KY~w5L zyLPRjy!|7GEgVRQh_tRR#@_HfKwNyAX4T#3ZC+`%+G-ZPs}Vk}Qj;&}gRnkMvUg2r<19nPyL-?E0oue+lu zn>Mr2k~|lf<=o5qIc}|-ZSzq)9SJ8z$X|0lsIJcR{uw%+ZaO;D{dxJk=b2V>80o1L zNK_yM#6zxx+=!#npE$n&pJY!|m=<$fo__~bB652cHLXcnc zOTcj^mpo|}Bs2P0Wy+2xqV#s2@OzACF8*T;skuLXn$u@W-EMWfag|mf4ZEG$$y%m4 zV+9|?_Y?$5GRBO0a@0@yzY+9}r%urPGXUK+sZ@sP(yaM-g;e4apVf}6tmaZH{7nWy z+gP7V`girXR!WNbqo zd3zZ}3vwm2P#deg`x)xTyd1|bC?(mwK}f#G{q-BSl%AGq*Kbtp@jNkRD8kJu?pV*; zC)UGrP;8vkWY1&2{6eU-TeCISTs~4sI}>+1{zyLI&O4GZgkeWg?X~BkwQQE1H|MFX zweuq`E}oYvqt5)YANKsf_%*X`(Hdds!L}spAF?%4!4dA3dz4pRncgxu`mWqdHJezt z&AT&*fBF(X*B&G0jsE)$|A)OdafiBn-+&Pr6~@qRH@0j^mN3YYHL_)23aKPf*>|#p z?4cM-D%tlX`%)--vP5=b?8_jM_nLZop6B;`-~Zr!k7EvpGV__weShxzy07It&r1wl zSETXbn>5b=ih`7b*gDcQk@QI0YMO3>s*Fa^!CfhQu78C^x+LYptp_nIO%DsczE|I8 z8XBy)9{s|0(bu3iFd*Q=MnSS_f|e6^l|FScpUu^yQF*GaSl2tjTip`Xz2hsxiVBys zp!KnvYu57#Q1;P2!X`1U0jc1h>FuR$vdj_kdmu0M66MG$a1dqnlt)h;+}NzB%Y|Yb z-ssoP$Sri_tJ?VMypby#JNWsZx6d^$#%uPHXCD80HN|4ASgCBkb~F98X!)#l_d&s1 zj5n5(K$ALN0V6h5&R3}tAL#G&He0{K&~afT>)hDTW7k~|oLki=v&}_m^!?YIb|!kY zy5w)JR-~cu!>_U9TXSD4ZxD=JHrq$f@1aBr)tz01*J)|vr99rAzul{3`z|Qy?484o zR&|>p;4eqv=K+3t>W-Nk?cq(u_qoRgGC?saSw|Y;f~P=)GICrRPUz`v3Z|U~a@$jo z?D_zpk6{twz0i;l)xjq{H6&_WbONTvh1Q)*j$cn+sQ=_Sc(;{;1(&sI|Jv>Z)5h!j z-#UEfd8DLFAqe8s&AR&V^)oe0A0ln!sK8sEk=u5D>YX7^HjR(YVh5g98vEBBEY^Hw zQL3Yx&OU?psprQDli!ikD>o;;;J)Gfq0bQ;O5Ul=QMa-?R*mAq`8h2N-lwLx((8tJ z@|sN82MllvxC$Ai7XI6Xe3Yj}bSBF5@=VXzzuL30^UX4;Ed2oy>up~G;fLlG{>L5=InaZ^2BdiU!YfFOi_>G_oW?vrOV6q$Vyfn_7Es&!qC 
zRX=Xk+8P1-D?5})+7ti_Cxr$5Y`y_TAwZ=DX9sFsrVqSKqmf&P#{PGj8P#mCsP`_Y z)PFh#F;i%XhX%uA*BiCeBZqx48p%Wo9y_7Vq!a_RU1>joCixU9^%M=OZkr2ls>Y!9 zT20{F7TWale+Q63Y$Fbk^^nPL&SI zGHZakIFq^$p$?Cx*N<)clVbN$2qCM&NpsdQXlxJ#;k|MstHPAm{%*1)6me9p{De23 zgT%P73$Z4(8w9Sbkko-zS2u0IZ%tF!gP7$tD@oTuXCNA19UO%8i3_l3V^x8v&Suqj=F1$*o`a{n{Cn{Zq9=?R|GJ=Kfr9i zbpO6~o8;hvV(1ALhz_5^otxHxjF`@(->Mq`ablZ)G(0+d?p6=_-2schmJk5hTOIrQDBojzhAnVYbQ+-{9xkA8LrQx}Q&TgOsa)zB zr|IM=8R>$M!yI;|K&y_Ke*?Lwb5JR(Uk1pNm8e6$f{$=fNLTs{RSPAvUPt z3l7ToA7GiiCdC|*oIv9Aa*Z`;Fe$R91@J@GZGO#*#qQXyy${ICjNXk+2)vs^%xc^nAbs-kq-S{k?Vufa z8ax*%@>T+wJh`Cw{|4ldFS%H=WH6tFn9KS&;|N5jXY9`UV>qbBbRVq*672%CMmL6N z!F#*Obq6v(84s6~N?+0LUc4#mJ|XJQ#&H74LKGRS{0OuIxi$B`*yOdsPWWs|Brk~T zpP*6xK6dm{lJhbM6kevmgU<1l=#xd(olgPqrL%Hs&-Z3uc0TVlNKdKs%BnR;P%cX^ zFbUs|DSUI$?;wso$Q5C>D6F1kR+`3$y{C3!RypvQuuZ0vZ&nV3H>aYHm5y)aL(fpN z7zhKnsKvfCTlzvgHgWvOcxqt#*mgZRQ-(4fpDztJQ6zP^l>hmi;8j8rQK!ip(9GGU z^2FxGS47`$d?~TPJ-ZmAG}qHgt@@VNuviKI0>YQuvg9<#prtx=$M^MCqkGpD1U3Do zEF4H886V<$HPaX!*&GfuF!n#{Nc9e)Z2#`Fq_F3@>?UE5Xci`FU_poHINe1wN2TE5 zeZ)V!?Vek*E7M^8ZRI*Tcv_bQLl^wR5n@9q-4IuVvE`NK(g=h{fRb#vlc5c+B%>Kk zBsqo*M;ff8$%@@xeOc*$^rAi8tZ9F$|$n=?Z9JK5BiZ$i?fy?&#He-Fdq)TooYI8WIQaGawu)+ z(`3qMBbt05$GAdk`nXKD$NTaW#voU@*%T=_1or&=U8#vT^<`OGp}!R z;IxLn#xX+ z^#JoBmUO|3M8r=*_mIQe?%rWYr_JCsdPok0m3$A9kufDgIA_}glAlT)zIoWAUY=|r zAn?=#BleoSfO(R5N6}Hdq1yG6Bpf1%_>Wh6EsUh)k1(eZcT=ty&Le_0B=PzOy-Oxe zkY}p~=H#D*7QqwmKJer=_C1s*Y7&>{+o8HhS$dPU8(ErW8n`&5UYtUec%T!rV<&(s zFm5oYHtZeZIQxJD_i%%hRSbDOT#_t^w_g96GV#u%7P3TY0Vxhtm$kfOIwwxhQ{Tdl z2WLWYpPbyOv5FE;jFNw^)l1%OzFUw*hxhbPqPVQtYfbV%r@)e6Vh=&OMAniNX4ql^T2@~!_ST|G4i%8BOA0zjbPLTT`G=vXT?X4gz z+Ql1k3iugh)$%^~+f3S1$)D;_^nv|()TSD;epdxgdT&O2W}HBgDK9avFjujJvJ{)Z zS5@lgJrUkR2J2gd-E+&vH@hKM;+ctP-B^w?^4LK-M-#-(0{h}s6ph!7~DtfUO6DGEnNFcMpXiK4SXAj~1G7FuV09l>?fj)=H`xL%R zX^fk`x~_Y^ij3b_?3vPN@?)6?!KWjiz|D=_Qp4un$;d1|yQk+6Pio9Btn1h_Thow*R-W@~mjay<+ce4^wvHchHp zgKoV>L(^`gpuG(X>zKo1v~007!)f!%jGOi#2?ePXcsF%SY=-eJq=_D0vrYGJ864C+ z- 
zdKW}&vy0Ns%-xGhqJ{70J?Ga26MU==#7E?JQhV31HVwzty!tEvoo`uWl-Qn2a2PX} z3%YnypwRC3bvCx^vZ&pd3+<&iNSQkd=t(r`xRmG+oE?zs5A45!gPAToCQNBAXC}Vyw3Rgxuh1hQHMo3zr=QbPz4Z^|H1C6SK`nK~KM^l2!;RY48BPrR;YXxkkJpRNEELR>CMvjAu;P+R(jX{P zTg^3UWHVt;*$Rilw82=BQ6|yC*2Rzv`@p$hletZ>p2SY1YGB2&NQ^T@p_+5IH#(~T z;-%AWKS(~iKHiaGI5|3`ptb(Sm2flLX9=Gq)anre#OHmN~&Of#NaqiRmwwup)d#w-R>uyE^`RslD zovT-RpWDi7Z#6G^;M&9ds@ZNdto<; z)R5+O8$Z6Ue}wo(0KA3>&}cqWe?$P&(TH8rPqQd7v|1Uf_uX40h`Hz7)k!NBHJe#D{pgg(;_xz}em1 z1h4!M9ajqLA#;Jv*8-+hm=pF=2QOeOAZyKQ;Qri1d{iGv}+u8aBvSIBIxmf}b z;WmBUJwOkCFfI0z@>r=SKj*S$=_GJDE*$K~$=Eq6caK^0_x1jl4mX!`7)3ule9EwP z*hgZCm+v#~d_WFFt;9c?`L7FTia5k zw+-nzx!%Te3pr0#mLRtN2#%O;`2~3!sP@JT_-}iH0F}0>+!R!8oK$*o>jk0`n+AVZ zdfTqqhy+OotwD+GV^^x&OW*+&x~$*$J|4)F4l$kx6pLqGN zkQ~syz7Fc&nzYD{FM*;%2HSf;3wWs*&gcN`+1W3#e9?rWaXRkvw`(K^d`~WW!A+

MsV^uD~IcW6bdm7B9Z>Av5-FAi4V0Tx54*&iHznuOXd5=ZcHG^dS zfc&^iZ#5u^?r}rXkF*Dk)Gm8wnWJ~Pp-^6_r()ep`Mu^Tsb8h^x*apAOgdvmRq*Fx`Uu7Z(d6T%>9wNy6!B^a13f70Jfv za0-%aO|ON5W*u2c=g8U}9M4?un`mg>tLjqC;?1&9Q2G-JL3$(000uwf^Ej9!NOfvj zDa&JES*^FxB1zchDtnWl{k@G@P4?kM12O{1mKz&^5Mt~ayx7MZA~*^w@e!}%M+8j)%%i7gUS|nzcwLZ zRs0SXlWy_BDm-GbIi2!787+5^p^VM}RtivVXN8MsNh9&`XNl}WhcYx@^p=m?g}M=Z z5;O@1t-B^f&KEzQc=$B)imsv5US`|&j*!I(HJ$@lnf9H_)3|p+h4((_5!>-lZiIRd zrC|q`F$bXaqMyv{Vp;2Aauxfv$W+vItv*Ou!cm(Rk z!h+rr4;RT4lc4ll%YKWYst39ISKWBHM-gF-P*{v?Cf-aN(cDG4J(0&$H3w2NU3FwW zM?~g(azYHF2?rE{ub+l|<(`Eyp+uS1Zy;Tq(U~Ch8r2%#BI6({e@SL)-rfO?D>za| z2rZhMnliffptPDr5eE{|t@VDQd7Ntb%xP&b?>)6%`#Kih1s6#VKD}bjNsJ-(<~l6T zUpE5zqQe|ipuP8oLlSA?Gf(7rZBPcZ?sd~22^@mN)bPp3`F?uCQ<~L}EtkJ2^FB?d z(@cIao1e%asQYNbh_#WOS3{kGf-=&7Jr2Fv^I2w5aPg1>NiO06b58??t=yd(XG=Tn z!iu8_fZh&{)Ar3@79AJAyb)eQ*h2BV?4<9BiQ^O_51cX1bd8_$eb3p{7!&qbj6c!h0gR)44flmMZ2ej|w8luZ zV4Vcn=Euac+cciFfCYQK*Y#~K--ChJJD6%kep{RrLSbs^N+Bu3UJETE8f1rjwJDX4 zF>#BZx97F%#EAtzh(7xMxf)X9n;N!X7ITT=D6<5iwZ ze=m&5)sd@tSvGRk;#fvNUv|HKuBo`9fJX{dMBIWb_=uH8j}yQ01rL2o&-{FC)9taV zK%}*B084~UMmbv8mh&mfNm;2uxZp>%y5)!yt9`%SoZN#-MfOa4423ccUO6h?Ejf`% z>LOZD`L0dBOrb6x8w<^`ikjX0#AN()V~KkWXL)aC*i#HZwTR{Jyuwz1j8k0K=jh(ejW1NND~XB+36;};d<#YihQi`mo|7-t}}n0e3E zd2yVwf4*YeB%lTQ&arGE`~o?Rjyv~gUZIW}xR}C5%HX>O#e*7!UWwaGsr!b#a*5Z& zL`g3+Y(~;BnchewC#G5!dJOa19l8a42jv7PRjl2!NF!-D7CgREb_}mSAMQwCJ_@J$ z5K$c!Q9dR8HKD#j2^4nNteYfkS3(mc2de`esl7B!erGRHt)1nmm zH79Rc{?<}{LXC)*Yxh?l3ZJ`1xrr)Q1Qz$b@H)6j_X>?_A*f7WomZRNK7DPeG;e(H zQAXM2lz=8%Wc#+XJF4Y+_%M-}y4x7OB)Dx4xreA^l5os^ zmeQ>dIQPPA?6Lht4o|dVQ~Z~}QSIK!b&7fm3`>gtUcE=5>vs)oV#j^o7$Vf<=j>5= z$GyF{w&V?$2rct6VTcS&4_~~@%&kWpY&$B4TIOZD#?qpn#C1(2gHxqNLt3e&VOeXn zK>m`7PVLsasNGGvi+S>URqs#|){&OBU#}FF+>T(KjjsN#j4Hcdn|KPNH=%LEeIJ*? 
zc=mvkR7CacsjOqOo2*|=Q{2uSsX^j%2YjYnl!hJWdf3^I*qSx&9$KX;2%oY+IzzSF zl;7{+guZBalO6V0F}07~^I^(|bMh{?N|rM&Bb*R7gKjvxj&ldfybE9KA@bn=qNsB~ za<-+98gL#YvQ2PeYzRMJw*4arfOi3lY`9(`TQ}V@QHsmLjsk9pkpOj^3pi zPqo)WI}FQ2n(V*2eKy^kg<{W4gQ7hWV}-$R5M8guGOv2sMy#B3Qhu_JVY?1F3h3`dc?hoR%pV_fKFXY@M8cE6EYT4%nV zhBAfrd%aMY?M}}b4&jrztBgE%21LTU2tV6}vs~lSyS_oXvM{{>A*~ zn0Uq0%KA^arrY~Rydu%c18z#{as$f}xUjqVR07BpnJp6eIk@2t;cwJnWs-l#dnjcXTuwLn7v zwOJk{2E3Kfk!#PCjLO#ac$WxW=KBv;gqnYO^&r6}lKJz*lRpFYdbbZZmT<4`a zTjbS6c6nRtIQmyiw=YKw=v9U^jSh71^QxsWWpWz~i9|-+bY3V}G%4JsEVF3dWd?{ zuj7K(?i*#oaM?3e$L(zAUkSczXm;)#ZJdb>uIs9|7?vV@NtY@)|3qTo+1;T7UYKhx%chKkIZ%Q2(_pm9FM} z&Tg-^h?dVq?Y`O@)4P-_x&0VT$Ll6E{PWUmHT%!PrXN!3tfG7l^bTHrSYd0%;Q8%Lebv}%8m(md zt9A(@hP+-sXX5Q|X2|#DvKV|3iRp!!)OZB0`?wHcB>GJaU;`~MH_{uzr z(?y<-T`iuR&f)m;^@uyLRedm0#U0J0QFnRJdbny9ito!b6ck5o5QP(8k5q)4VlJkM zbf{~0H8wT*zGGi{GjhG%OetbR-EF?{U==?LXAg2Zl?A0+`=qJ(E(c5GHIdf!D7kIg zO@^oUU)08JPg=XHHMrn6(yULpeiByGw0p~975Ez?2R})?39hsa>jCrLo4$GonXYE3 zmBOauGA$nE`g~7gMxUn7qpI!S%G+-Djh}LLJAhiwWY$aeRLmCa{_rt3YRaURHPTKx zY02N4*~N77AgVk4XV~J>Jx^H`jJ?EG>m!Q$=%4XUQQx{lmSR5!#yZPDoOIx(RWei|4awqe+g^>9-TKNhdx~j-xwM47dzo;^uK{+X;iK@l6czp{-UuXfvP#NP# z;%lR{b}C94?ChaZ8!dN(8Anu`9t&^I#pIt2&ffEum;Rz7TPV*HUfq!ruI%gYK|a;? 
z?Gt)+;hoOW?hq`aehrfn>GmFt(u<2mp|akC%VFoVilYg4b1vNb-%yn^a`ZQ9zsVWQ zP#!bdWc2Z`#3|qT%>O|suW^aS)lRvbBhu?~OpA%C0?O`=T%3AQi@O&-l@ndst$lmG z5{dp2Egw8wZk+a-nzmq~+$`8-Oeu0YW52NwUh0Q!@U{-)g$kbx*Tqqw8#>|2(SX=jq^qk~S-WYJJ(MS`iO) z?)AMG%wnXl^vt(bRP~*=`d^XwYbA^kEh6D6T=LanWh2)wM|_OFp|W6i@;JWqy7A!$ zZjtIf9YcYHFC_5;yn}h@ft+8v=mo)>!nJfSJ)l4NG;K_h9a~|pB=eM)2RBn(IKM~$2gvnEUo|O1=PFnbOgVb#?9j#BiJO7s@>V;Olm?<1bbTp!bM57`~7P;-UF81wk^@VKF;^bO-~0=71PZdk35v(6TLj1=)ZWOaQDum<0vPCLUk{* zhRwYs&*KdZ3a8FTcU@|4LLGIq;3HHN(0!Q7=`T~aqMUzN?mUEiECXOZ%rF!2RzKYc!mbeK6JrYOEi*IhR1uKxt*vTpK1 zfnM;shu<@<6OCWRQdGm#3f~dYM|EmH@lbi8PdUnjpeBzJUIaC^C zqi7e{?SkW&pZdA6&sB0?$K;QOjjUYxJ#-;J)w>CWaqP+xhz2z*-phyR<`a_2&I705 z^h~xe5e0g>TyA1{o;kQe^_8iG9R-a~{;0Sft0V8#;Ejckv2UxVTpu0topN63nRJ?Z zGL0&_8LvN)E548;%xgShQx>&-Fy~zw81U*xCbK^mS%qq8=2H(4D}``GdRvp8n43N+ zid7(d_wUy&8bU310!>_mQu+|3I8pFkYWeH+NAc8@+O@IGBhR?T_d6oNb_`Dx)NX9+ zmyA}MY6!3>qe|>wS$=<5JlVE&jm9D8u0+MvvK)W;xd=DsZ{sgDq9QOx=m+m_79>ht zyV|>;7l9gknsHHlWkG~+rW0P?8iW)ZodA#MDPo&VUzFY)w{lf=`4?P=2%TAkB(=># zL7<1$n&~3y827j2q!*r?Ogz_>-*R+kT~h6xVX|BFycutt*C(4R;wpZjz_jJEVEEpw z9Q9&Ei(M_<$5pvYa*A%s%qH-p=U69*{~j)SOavU{vdC4^BHAmd+eg2Q8e2d&FXSRc zKl@s80;*=+I#!Z;V&CC;q-gX)eHN3GLLvX2egpN7gj2EX^0{C4gPQu5dHZ+`?%wqx zzs3}WzD8cA+?FVaa<~~cNK@o>Q3XKwO61tDe;-gQ+{9(S*7pNReHU+}(uZdns58ZJ zO;uJ}Zu5~c0)pykUQGO{oIhi?CrZ$zBd2jE7zzdSI+aVmd*~c=A3~XB7yj7N_bRxg z_!70D@5fZ*Rb-j4{?b1&Jy1%9pZMAM0T`u}_lGmee+~p+Ea6C^wz}xmPD)9{(>I{E zfDU$18M@B_8wX9^&*N0~JL=$Ot+0m!lYvHOBi|kRf-|E=}SR>~- zlm_ZQJ1o}sqigirr}jq&4hbx5OGjCCOO#y+seB#zWvAoR<6vUT4`nI?tF}>As|X5A z4QCK{(R{tEccf|kxt@jBq7?U%!Ogcc`E@VuV9WgM+6FDiNtqXDRYYUKmIi-*#+Ays z9~~(!?UT+1yyplhfmmmEo~a-XTn}%$yX2%sJgw%hpKi+^T!UW zF8#H9#v+ImFak$@ZDgNNWJ*RS0)w^TCy5+vI`#0m$`k8gi~x#>r;oQ{+OT~oDke+* zL!T20bw<<6oqK%O(`mrVMm`j6)hTejK&j>P{p%GDBgTmXr+*uUJU9Wi&Zu9#MA(=Y z0Z}Y98<5E080am0UN*OXmLr(#!>F-_z}4V{UFia2%r|vi$)~>#E^ktL_~^Gs7k};O z2pSS~pnK5G;|!FT<0;H@JlqHSKG=kNEHrNBMyyox_@1QLRsZ$YF$GvRrv9y&1TTUa 
zK>_8Xi!DAT96skM^k3Xp(R!dx0Vnj+kDNL|QiuQAx6Xbw(g!nc=fxbIibua#$^A8Xutv-sN$xId+c`2XF#WaxTNL-gU6+Nd z!v1*=5!_Q172z`8r0(kA>U;|t{Kw;sKp}EI8}U{wKW)OMd>?@A*b4h15OcXdRNgYUVC+@gJ`m zcr=kR0rHq?ep7mitG_HI2Rm44HPS}8&S3Lss&kdo+9dis!2rd5qA_%B`uDxRN2kg4LGpr9o7J8oTd&G@4pVyxWe;v~x+3py)ClZ>v_0zwjR85XK`?K@sIR6VKYM(eA z{eRtLoiu5Wv9?BMh}S`%oWE=&P^3hCiW|=OJwM{6@%!mA`aGbW7F^YIMSPd~V@e@N z0(`5-`|Z^`grOmBkno4>th%LHEiBEN-*{IO{rCKNYar4~_VYDPS-$*z*RNP2ax)Y) zXaYJHgVls)77%}~DdSC(KgG|NTCx*_Z=+H+7Dm@)zqs)GLq2MC?3zq13@Nt1|DB-d z9bJ>qjOBYCLL~2@ggqDaz;&0;Agukf_GZBE!I_W*&8W=p`atuWG)e5Q|6_jSJ;F{l zG$5E3a{S<*uZ78v^L{cVo73T_1QkdA`+dK+gPhD^*9YZ06GMKlMi;pLdG~gRH_rt< zz?2G~y7SAcQo97a0uC+V!MZ|;-**Q;iREOLpIrZX!3_0cNdvX@*q$J=fYDRCz3sET3k12}2&$@1>1!!zYcQHyD>I_;4jo z0VA%a=037AAv@Zy)mx#OBLL*fSYQ&WK$46=rtASxqP*uj&Q<3>jblmv0=;}x%kKqq430)RFNdOvMXOKNb@}+Oyb_l@KA(;_7fWiMDM~y*)@=g{= zz3Jz)?nCR{7^jgMW@Dyrb1QB^OHfHR1SES_hvKZeyL**5pVQK?O7A{&M(P1HGrkro z@o&!l0Pyt(*b?+l4yF-<7}6_wFG6L6p>f3xq9HPdhsp!}mq+^qQWdbo`GLjoI)l15L_lewheE5{ zWXTI99#H`(e_(gg7#&)+0xgSpT9C48qx*%LaPG`)uMTH zebW@gNpfW0&V@hbBz2+s$HJGZ%Pf0??Uru0U2tc`t&VLOx7vINX_O`Ti5|O|?CRVH z&)#PGf?~ZOlgCD+By>B)32zoCib+0^n;WgIB{0MRzswDlZSDQTl$5aq5-FfAv{A!z z$|Thq)gwK*K#aJ(D`|qf8y?|qS*Ey+k=z=%t&taNH(2-*fckxJOq6N@*$;@PV)--z zMt9e7*NtqRC2AwNW?lIHKB^JgV#SA6evPg$%@TRr{ zk3QT{@BpT?i5T0S92f4BbrV|^pm*jH=sVpc4QMGW{ktz3B_CV}q@ud^z zf~nE0uts%mM8im}UuU1Z%bW?mclY^mQfKHb)+_GmJYNlU=IV=)4}Y!u0>r%#35&4f zIlnHVfsh$^fxeqO**9l;9Dmc~uv>2Z0~=oF{6JC?gI>3Rm*+J=2ZT(wPnqD)_*`aw z=Xd``AUgMLLL+;A&Z~#N&+MPfV*rC~EI39xKX0H^*AMQz$K`lD`2k|j8{~~#Md6n? 
zQ>yV;{~M>Omy45syBHUUlY?DlIf=b!5WQV)W}8eSuE$U-$B3(`F|4|bx?r^79Zg)N}IBy+naaGf!|7Omgd}eY%4#wohJgkZCfy$hLl2g&d2dTr`fzPt$i+O9U@b59U}I3`0$H)_Jk*J{lu?}_^2@hh)$FY^EUDgkOQ9_Io$4_6?z%$ zOuVnR2TJm;uJz+H)*g9fJl1QTJ558?eX82{we3)5n_*@5;rz#Pdxhg5QZfuNv%Q zM@URHgy#`-%MzPU7412`R6GdQBSbj;{p+U)r>9RFdkUvPb+zM&K^_Spl~3geO&2L?_Sik@!iwt{-h6-1zg5x913O@MAaiK0ROECV zyVcT`uo359ZUtP~2r+P@d`k~Y+ZeP{oO|4wy1GMhS5hj0<2(BP7`|@4esi7uN*=i$ z2k-Z4m0v#puOl8Eae;I!i2#YzcNon%vJ#h~X!Ht+FKv8<*;z^KE=p7jz)o9IRWUka z20X8xn09SR%wsQw3z%ObSz%1QHzXnSgnw5a@_Y%T3-_O)7vnkmge3NEM9s-pkG2%B z{IfL9B8jt0I*(9C`5?P>2>-njFLOgZQLEQY@{VNWp9Sho8Y(CAC}4)0?P(96R_La+ zbB4WAw-(|3XOBUK%u-qX!0*l_&-L?JZQb*A(=q9iti(DEInnhl^Q@79mook z|Mu3==5owJatarag#R(8BQb1I&5hz#jsH=io0Js_hb#NLNrH3m`^Bt;Ak7p#qqI`= z9NteXTPIc6>Utw^TY>`1!v$|nZL;{+n}ZPPDw$3<0)a`{_KZn>vNIQ!ESk26-c;>nmoozol>fvYKLiWyBtj3AJBOC*tL<0f%0FArH&cdce_eXj{Y)9`R?rzT81e(sZvplK`S3>fyuQhjtM8GSi z>y8nBp7h_3ye=EggLd)4h2#IY34aaPdk(US&pm?%FaEQj2^*U5Dk7xV|NnvgnMUAA z=ch?2*7s zKIVGuKfopQDshR^vJP9-x>l1_^`;fh`V{}Ov}9&bXVWvxwinL^e62j;XqRl2Vz7%XT$qnL zx0Puz|G&G%l*L?4Q(7)CTtYSc_27!f?uJjh_y%M(KI8yS?9XHPW5(7gPH6QCJgZ-^ z*APg01r{Z3(&fL`MBXDk!i_tw&h+4;q3dOlrt6XDtk~tDoRWU`XAePdbjQ1r@)q*H zckXyv(x#+n@-3#Xk{sxvx)%}K{~MTUxAjJcqo0Be$PEAi;DV;q2TK^;HN z2@a}hUh>hu!-hY*OA|r3NvxC%?{%6i{qIAUsV0 zmAWueJ!G@h1PnF)<*M~31cGegoxyW?pFckS@967p5(eh=Op5tY(L2`b3Q|?4ALV_T z=^hA7`&sb~3tC6t<>BMh5EMTlkbrw~O(X_^_ynRzpKP`+0krI;X|*e`A?XGSECTy+ zRto=}I`i`+@9FTLq|TrE=3P*>O6%b<^M*>{v6*~`8m#1KwsW7e;>2%&2vZNJC%@5r5pdpaM3Vi7 zCt!ltAjZ$Q&$5!G^Cs;lzscL;XXf{M8F7|`wAlZ72_az*?7J9x*~hG@=M|NWJ~yeI z**$h^yU9(879SZIdG5|YzK#vfKAIWr1;}$?0w3cB<%_j!HXp`@jq!JZM2bOD9|&l5 z(7uWW{gsc9Xdty&qv<0stOwsd%<9cGF}l;=8^^7EX$17Pr%RYFIHZf$UTX|kgTzqQ zio4<>3u+8VjyKA^2Fd^L{rNC+f@!LK@P+)M)E%tT{y68(ceP%dEVvC0$a?5bobsiA z3B8HeK-NzDJpITP^eEPL83r-p=MJC;v7cM@9c1OTY&OQb_km-s9qd}%4IJ&G*zgq( zlL!_wMZ|!pVX7?I1xVO^L%MMMcdL;ih~*yduxsyoWjnl~K0R?dVRdU^kc~$#SEm{0`*54deZ_~Fz7{A7T5q)2 zFF%El*+j{x`ooK7UWLi2MU_Lle^JDADa5|V$?+J8T=v*LuCvHCQk zH@?+TT2e$^Rwm6KKbp7Svl8IDrbOM@T|`vm!s 
z6DbW#r-g5)_YDpKt#dQ%v}opffhl8i>OjEg@=%!uWVK%7>Pcmjr99A(RM7&>qLWhY z<&B#lTgMJUUzci~Zb|=lih=|c_IhjR#i=RI&u*l4%3})KVer}n)NNnu3+B@p`5&+t zd7<%uHpLRwd4d8zQee?M1rmQzAjAJg-eo1b3}kaDIhHi#XER8P0g z@|)H0#=#DlejFYg90_XtA3%|gT~M%_$4MR(gJOaLoA*Jz;tg&?!Oc|g+5a3)G6xBE zeE-~Z((|vS!%F^n`;Gmrrw@pYYwov(@3G>9oK4mq{NF`O*kH#AhBYt#880q6TNzHJ zis`Z?(b3vijXh3st=`Ie7AwgAe&{TuwIA=RdzeCX73@^4`rM@0ZnZFgn~|~8U$2$A)d)~yg#FW`z7F}4|M&3r7DSv- z@724z`j-C7T8Ob&0jKU+4~Gw1&+GB-i}8ve2VpUsP#pDNpU;>X&eHwPa~1bcY1nrR zB=63gN7-nlEf|P)CVg_|{qG`+knu*HP0Z*t$dA#vJ0kb<=Xah8gk3cpEhTGC;`Dbv zdd2D7?7h5cXN-31@1*Yf7lj@g^A8f>oF73inyzvCbd6>tDb$ImupGuPK#7ADCK`tLlzrH>Fi?UVzGMgM&q1djrMSbxeE|DO31 zG2ntj!)7YWS02V*z?h7&#G(*hu-za&VNqJZK$GGQ;!$^!s5W( zBhVzs4X2ql?nsuWGUs@hZCjJrFF9OlZh172g`z#lJ|E8TI-j~FGEMXMllird>Ox2x z8XC~7tg^YL)tR^7&9}5D1&4*{)=o}NvV-n<2w&kD)JiB(Zu`p0z2K0LXiymGJhM8+ z8}g2o;NyLa6UZvU&qHq!jjwE1vvhOKYL_myOR{4iFZOfg(P4+FiI*Gd6koOuk3Kay zbfc3$SXnvBvP314zD)UP3zvc7HM;>DR@JAxxFQ8F^7(!i78ca0Q<*id4G2rTE(6wd zn79M+Z70Y(PeTv2HARGf4Gv=8h zLbp4iH_pqQD(HLi#-Qj`74YN;-p@xk3e%yA2bCplsG|ZGBa0hSDYE!nRtP1zCSMx6k=Qd>yO86o1?~{gGelh$$o^Yim`a} zW=a6%=?}o$>#c=i7dyefB?!j!gW^R5RJSzUloIP2MkR9+L zTfK=7Xq6<;xG~2=?303Xn~v49ggR&;G`PZdt@Nl0v@&`9U;$Sn78HlRS`kklXTF0T zLrAW*u$=?Hh~T0AfLg^T zHvx>WbB+u8W%Dx>w`iR+_GGRv}cJwp=HdEFQAvQeUTAlRRYr( zS?QC#Ktsu4=oO(*=JDRVfwqG{)@#fq1HP=&m-aHN*+H!`r~djfK^wOsGjlT*4so+@Q=zhFvFU-6#-`{Q&pe zG%?txTZj9L~?b6yGA$Vy`wZVK+OHB(hoyKu(EU z6Nu!_NoU{q+Z?9VM_eeu_YPsnmpy=_Hw|5jbVu$>%0MHf%h2B|DYF?AhoeCHC}WCKOz{QJ{&Z=oVOB3FC z!g_R(oSIQb^Pbb!hjF0hC2*$D8q}%QU{zbkx_)5K`7w!~# za5w{>@v}7<2e-pa+Z(CMm5Ky5MJg+5sl%eSU(&zS$+Kc9p@|O@{$z+0?3_K^FvK(E z8wNL@QIiuOE_LU@BwiMZ@#&^9(%c8E!I`|%hve%ZIwiyoxQ`4)Q!6Ag?sD-mp=|U} z3$4MWGMHsM2gxApYd!b0TsWa-mnG?r;F-avsUB|Ai<6CRA z;^kulZa9{hg~fVHVn*}>=nI$QT4%2#P_^ouA|t)Z>_Z+0qGE6Qk^0U=7sVz)B{o&Q z3kYwq)muIT(9BD`1}SNwT*EhqOAj_gb1j*k46HDb=t|~`tM)Fv7}HTJUnVs_Ia0R z{-4gyJ)Y_PkK;2OL!FHYby#x=iKHYkLk+nf)hUh)>6av-T<6j@b7xyoR;Nr#QLaZW zxrN2(bVR4vA(~q*V;h>5(D^tz|D5yRZ-4KxeIMV?=a2XM`F_1#Z(=T1=eg!7dnWck 
z0G<%9(b>^yxb|z|4_4foZxM?$_NPMwfN)r2<@L+OUgtO8VIRF~>9q4Wto-J^B_=@hjZR%J=~-2tk53qu zZ&sL*A0Ku3!W~*0w~xQu4S~qjIN)rKXS>A>c-t4C;1dX0Vg6W#s?UOuF__Z8x(5%- zN|DhnX)VDvKcC+NCy^JxlD=J}#G4T-$tmR^V$IPk4tNM(WXptXr^rY_2UyE7(ddc< z1X3P&MQ3ViW#F<1XW=HU26V~du}V#zd4!`dl!TE0>56$S3VI$!CAO9*{RD71a}Z}U zjZxwB3<&Q*)`?5G8Fb8qX4csn_EO&PCGYMF^WLcsltp_G@IpkBUL7q|-3InhcShla z9NZJ+j=$Ab!H>0a{=7xN)i;8|VW*Q{DARA%0+k%R=*>xa&x`#I8N}eUu}t_?VAmk5 zk3EV{7WaRW*7-BEd=$%GmFmsk{s8D>=reh(tD7X?G%FnlS_fF;(ZbFV?Afp^Yif~R z@zDz6DNwJJ>bliO9;KtM8}2>I@A}2Q8{edVWxG=zJ@PoW)F?;mp}}wyTPcXwYww0@ zsuDzct5EhgP9p{xjmHsFtD+0II=m80AiO0DNzH*Xs;aZ zK;*NXqQ!P58DNwm0q>>N%p>?E;O^EqN$>GXNi&J=2%pEj;oVjuKwBDe5+9l-4>w@@ zrjv$wx9BG2FVv$L`chWFJ}mH4^XC;uEe)0N$oU;oYR$O{o|LY59Q2?*qXIX?2VVC8 zGU)Xmy~A`OPkX)FA_{r7TI0k_D)adX^LH=0vfc|059TdDLHVxklM1YbR-U^*+IftI zMdv6>Ls?gg*ty1iqkd=AeO?IPjD=iisE++~vAP4kZ--N1v>j;1%1aO+m#*A;AJX^40x1Id@joHYz?^I^$~)(cNT~Hc3T8as z=U#p|+)uafSIzqGP(}uctr2r+Mg4~$?oz2_Qm_X$kwV~Xd!0G4)|Mn?HEbY!W1mFn z?D{Qtd?l;Yw8`_?&6yWlky>|eAgY~5#lKEnaDDdL;N?^dIvtC#GUi3N{`O#;8TL@jApT zaT$A375kMgkR18QPbZA;3Y)0v;U#vca_lJV>i8pwDplt|!NXUg4 znc^^wqp$|{k{3(>jOJR}+as(wtcEl_2nLsb(OKC{{#k9UjHc{*&Qeh2L=hfSRJSdG zwm+rQlv;8A<5swWhbuiV_YM0ndq$FCO(;NJ)$&RBT&T!PU2eICQ2Mf8#L!FJ!>*PV zAQd?Wks<&{vw^p>_=}4hjJr&U@)79LOhH=01gI-#5^&cnv|A`baLBM$Hp@ik5nUI$ zL;#NMZ5e7x9&Gt?%f2_7r)9E(&KeFqI(a?!(U3sIzf%|O(7hJr8Qj}3dfVC=M^Sqg z?iuVKWvS6RP3j#PxfDVoAFWJ{()A5byw_KjUB1$Ye~*6y+>NJV-YQH;x>KjnIhpB% zcWi3&WMzq>QzR&jC|zTVo7&XL>aLK%0H}c>E*zyPLR3-;59=LKO%IJd$r4ls=j~!9 zHPY6b6m$UkP7GF#%P47 z0=ZN$tk0| zMs1%)8}^kXBmaf;y$Hhz2*z42fIJb~O^?Sy5Zk z*HG>8)I$Hj_*(x!HEedp4>FNMJ$VEQhjm#1?l|*U;M_6V8K#(zv+4fc88?7MaxIi6 z{r4(nQzu_BPx8bgN-Y7@(jxn%IE=+qVZ;*ia9M&fVWPl)$9jXy-2q4m9@=#tqf0Cu zqnpTE=@}avlSN@3R+)yC7(?51C3iTApFA@#=>NX?p=h8#(E)m)FvXw^aLa`!zhI1x z$Z|)v;KSqJbNq?5a%~*XGC6xrC{>Rx8{Oyz=75FNru+6>IGP7ir|75NRmC;^s z1L5mr5&gkzdSb0T!KW2^&C2}enmd@Cxgl{K^*&Cax5Gl3;}q4Eb*^l;+O2Z>jvLX} zCBFSo(ggF5hw+*-l4+*R@Ji{@;OEo>vy0=gs7c>ZMI@0bcY~)PBa^4@d)Y4iF*9jv 
zVB+NZREc;1V4B!$9o{!yNrGs$;9|<)c6)SRT)v}7+ZYuCl?t%-ndv`C`-X-Zts!X( z`YHzK{-=fB^(K{t-ZvX##&64e4QzRJ-RlFN6L`yT?sXDNa)UELZvk1fH5{I`k-~!} zWh#8@q*TcQXva2N0lkhQ^?6b(o1!6xHI*N)qvPywFOFF0R$Xq5L;da0(MH?{g==Cs z_s`(J!5E2)&Oa^r$vFSP`YX`wA0dYs1`a`R&QMA>d`N>2xoBV|3_jAmw@w zGB#TLUtKdLz4JV+9T1**Dz(WGZfUeJY#kx)Y{c%sXb4*WU?)1n|#RyQ}g4LU8LO$Pqk(&B57Olm7r+AiMyBeLtmt tPkaF6BjvA0YUQxHUH?lr|L;Fr*^)9aMmCX<{TE* zt|crioKyI_L5o1;S_=4sjXWnWg_YAv^#Kd(tiO}2j+3pMxs{C>79&i0`x_%4k0k=> z#0ZmNSYDPmZ692V7!NHilc- zIU$gij4&zi`?Q^tnGN_0n!*27)WQFBz<<0v7kK$E2(p5&lJ@pCX4+;ZN>-qEIewTR z7fb*&vnVNOD4${ElLp^ytgOwzA9*vlH3E7>+R_nW3tHrOVLV)0|3IUY`dLzyTt_IXlmxT-NX+y!DJbEBta+82PTc) z2Jpkq7!1C(J*r?QIMI(=nQpgf%9yFETdJEPIIR`5_)Lu*T=ndK*&C)$TQ_+}V|z_TCJU|G!r98y42kY-yU7WG zuyL}o|Gp89u(LCRqiKom(b&-u;rjh;<_H_~>d^PtgN1+BJJg{5!%f- zT9`TgfiYn~tI7f8gV~;6-*@!gTXOSTcm5z=ux(Pi7~43bX(VsuB=2nO2=u8P*ru~) zPOb+QRCaQ-*GhFI9u(#pw9-QE}u_2CM1CTQEi!{!J(Cybatw{QL4R*Jm*;J1yj ziJ6Tm0%_&6Z4BT*Tp?921?+>96;NAeesO~nBs@~aHdYpp?fBt#N%RF1gp(7(7Bhg9 zG2Gf>Yu*?cK?}o9fkHQ#8Y3;Yq!ya)4}v8iAjKyK^bz_BMukGcX>aCe1$f`g5!wwa zJB#lm3|fvE#)$lRGKTI^KnNISh_x|7zyonG)ZqF}$HRoTY$pH_JJdT2BR&{u*(sR6 zM^yetEQmIpJ6P}sZu?vGtg)jLMoYqNjFCvIZKVpD(W(;Sh2K)8KdS5P#r&XLw-pjv z-=b-Z^_z+jaBzn3!qx>&k<$ z9`HNBu9)lKn+0?q_`B7S38ul)$q8r)@QfVzxWJKIa2qS2Sh#@YFmnWE8uI|S`t=zw zz}EH)7~4V`2Hi0bqwT%{e%&4niGW)p`2lW1cW>{AaC7IfuyV3MtInT|^7Uyhw4Do~@OsDFjiZ9L>PS8Jldu6|gWVd&q2V8DD-WMt&L4vZZ=| z)QqNP=Elxj+qpfdpJ*;LHbwUiZbK`ZoeaAr+P`j-pvS<}fKC5u?!KCJPT)N7@uE!> zTB`wl2C1~a7*}8vA;R1oiE*nSM*4kg0e9|L&aXf7KT@4&9kD~4R2{8cjGZ8N?EftH z&+PLLwp>n5h=&J~jep7LI~n?q!eF$C7DCI&R|^e8H|(&`C%|mBSo}K+eFEKxVa&hP zLSuaLZ;sD5_y=v>A8>1cB6f7wL8GIsAG**FE(i{8{gi>W4C;LQ7qny0ubo(pkq>6d zZzg1V0<`}?S0O$Vn1I07D;SIh11;Oz`|B1N?Fj$(TVx?L-+yxewi~_~V!poxef`qQ z{XIlN`>Ed%35_QI459tqHU_d`zhxW#M|vL3jXU)GZ-X1iO8$a~e=(NW>DEEM(D!cN zmQMSFIAV)Qf8CD$29Dt4rQuJs%%4FWG>H4^>3l_TAjta5 zI14YN3Lq7{6UF^U!z{dL&uNE#!uK12mF-Z)4ovY!JNl{}z5_8($khY^0?*%tQS6;fY(O9m9e?>=wQR>^K->1r zz7GR|=Ixb#-)w5-@*OVvqifje=libz;{7qUxBAm|<|nfU`}JMx-wz-E+ECQC`ujZ~ 
z?&q;69xh%!*!K_;tx*4B1c|mfoR}0d+UlG@`vm`6047=$|3pE3RR>zqp#I>iP=9Uy zQ!#{zF*8siVBftj$jl2a*F;# zP@xdWWNrbzUqywOFy22075*4P#!&2c1Bc(8k&!>GjOqMeSn}^p_AhMEH@N!m`wssQ zxfjAX+88e3!*Ilo2rw_kpZMo+$&V4>e{4|jXOY|g%Ag?c&qBA`=JS6HMZZJl-*Tq_ zI{z%O`91#rh15cf@^=It(V;3#+~UVli{F#5+%7--<0uhiEPr7K{x8nBvzm|h$4EBD zB76l9GG;DjHV9BigSqm(t@s6d{TCR89|B5zn9{PHM&Tb9P{K^;Cy@SMdD(!X=&BCz z?YpXt?|jccNr_?j=PPG@r_~(I;AWsO(eeMBYM|AB;_dt{bqPVLTc&2V2=K?%3KVYhq05@=Opx|p9o=t%K|WBN2vt)3p;Duth4R1Y z=B?EIzperWWe|Ul-+h7yZGh1DTbPd@lpJia)ec<6*dUzz}h zW(e{A4jOMa?4X{N?N-&l6w=zv2@aL?Lz`-hwBJ5JU~c6G6}0Xo?vK@AKU9`M$PQha z4gzQ}DfAdJR<;&k#Wq$zwaVFovl`H84;fGs2h=Ij1r)tXp{M&J3i}fiF+gQ(4}&2l z?8HxqiJ{w0TAo0o#QzK}f2_IwftKGS=ihgArKM&0cT^{1ik(5V%-1v-I51=i)k5yL zCMy8_`#azv;st%9Q>L0ot+4KNAm3+usw}{*f63(drjN>uOO>L8zB1x^@k0ihi#_pe8-JIo}g72Ylv-a4IO7a|2!ZR_qV` zfVA7M0N|Y`=g_XyPB?*X`ZF}|@5aA>x&M#xdv>VMAEKL>hTon1`B!;cS0p$hhCbNl zk z14?3AA6ew-d^#y1oDM3cH*lsIl;$;$-(S! zj|9;+XQxUKqlQv>{1 z1}@;;>0)OKI7CS(z(IzGOU52@oQ=)JLrnsg6$dBac=<})Wd?>j{hRL0t;O9_qg*c- zi_6P~Yv_AhTU))%W8S$|nBkR)CIf!ZpUIZlK`Ja9voy950-Urj8<%of3q5sE9b)QN-<)e3 zm4@z;1&>q&RXx((-ofa+JRSmKV%M~WhK8s+cNo&>u+JY13JQuE7%&izHJo%J+<97;=skg`{-i*{!gCctCogykfCHk==Y$sl9WpU)E84FgsEBasQi~ zd}?UX*YyBj+;u?-+k>^dmNELWvG)4T>4W1@l^Y96N5njwqUqf>Kd+2FeP@RhA8(F_ zz0U6T<=#woNi{6@c;q%eMAebvvu;&gv{9_@`+14auD6IvdaCD17L|xgb4uX!BK%!3 z^1eones_0UZsiv}YVVJ)yjCbrUFy_FhA&oBZhkqxn~3V>tV_t^?x6K3rIIm{sZlDT z;2^O=-r_7|68Xw-;R{GuqtHERfyHps4cJDlZ7k;P#!QUa@Z znke9M3*zntd86Uy;pZy9_-Yljo!Zn-_CP(@;6LZrL*q5)-|N`Kd4+tbD@v!-#WsRk zbfJNMVY;xNJXL$S_^$8fmxZ_I5u+1xbrcskKCQg*(2XguBwyQfw&x@4R1yS~*O#X!H>SXV*Ryg;G8qELmb>fdP{wzO565t# z)H~avuc;e4yyMn_B*6dm89?L{ZQ}K3aTruD;scpMX0oEZk$t_v>nEL24Pz|{NT)BY zBD2@Q_6Dc*U1H@ASw|jWC0*^Ae*D(6DqIsRRFNAyWc{_s3Y9QHlmzQ>AP{XY?q#gB zxWhu%5fy84yNRi%rm{~3d*Iu^S;(iT)dB4);pYX zRvkzDww@Tjcx^pBZ*uF!NZ7<1(qRT+9)*r-=b(*`?1;wb&*G+Q#3-NIuJrcqM^dd^ z@m8#@gF`9&8`i88iAkm~mo|?VA*VPAI*x9<3;cZUORdl8{<*!JtA-ce+eG0iR7C)> 
zoEEa4f)Pad+2U(t>!|fSwPm;Md8`(UBBBxJ*xXo*Z};v-JPQ5Pp5lqLP>nI$+VL;T?+`dy#(=4iwaxXMbrH?YBQ7w>ifQgTW{)YDb54OKR)t2zstoedx?hd2IJy?_zrfo%Gdx(U&jdc8u#i zxhOoz%*@<$i{F}KoR|`e!qDyZQJR+g=>R!RAoG0Hd3Eiv6%MMG*GAMm|tCE~k zFXI&R*+i0BvCXB<3z@zjK76=h7|L(`R->(|C`&sx=Xt0DqQAmm;L)_z8L?FZ#}|y5 zDV*n@UeC_v;1`@=AA8gBVAoApZ&p(@y}U-Vcy>#tfoqbUwxpzFKpO>z4sEIHtjpUD zT-!OLX^%L>{j6 zI1-17)tT_MlnC{9;My%7 z3fRB`SffuGD;|y_cVP z&X(VoDbPH^fAPAL2GlIevxy$AP z7OC-jKh2b?n77=Dg{xzyQN_=QDPP}%&F{Vbk?Kg@k~A$zw3AI=nY-}%#aNa$%IrB3 zeDOK2r4DTaF6pq@VCLk8L(EAj&U;-BGM&jQ8_mkCI7f+pkoj!0!~4c_#L?@6fi!vx zZv^2<11E5(*ey9uZEh6wbiEoKjyx3y_O5{vQD)qo%benM?xA(ixG-`|=dJtnlg<&K z*PiwsezsqMXpdxqc6X_3?!Lo3v^QwmCX*Fo*&eiz!*vVol0Hs#zgbgza$M3-r^hO2LbKV0Bja`JYFW zYci=MCtCQfIo7P3yb%l!!_wmE%dC6Uu~qiR1_huh;2} zfsaf%b9VN+HThDX$suy`dpB#2PM&t3%C9$l9(E*IqeX4JMX>)m;4Q?Td-~o!SS3PE^)Wrct+DUZTqRSaMUgJj=(O4fT*CD>yl#~iYKV{MUI zdxtrVI?k}@4ZWbB$cm@76qUos9GL{ZWF)m12StEdyJu)@thK-x(fmvM${f|(0ac2& zGY8j2JU&`Rl5@0j1(FDQUN9=Nx0a_8E~C(Qx0qP->!36y9rLhH=!~-sQZG2vKXuWL z5ycy5|EYd+uq49STvL2~f?hY@7^wz1hpO9l^a7-he_kD15Ko`U%gAK7`4prE?B&;gpr#+}5yV%ELnG>@%4qq9kz0)z`!X(k45vE# zV9elA0sJVPm-=C8edn`D=rc!^#lpB)FIGi^8SC3{hvvf<7lC!n%G*U&K-*~) z<~&yryw+}pYJadWRnT^F(?DaqeHgn-)$Q|AXHwgvqr_ZV5A{0CT5+{DSc^!|94UH_XKJ-oE!7sE65AS{u=b!Iger zSMf~gKq5AgihLu3iOX&znPWO0z3}FHxwEoj>3MbIUD@`rH`|)2UVI7b!|OWnDt;vV z6g$bL$HBe6_3QOxaors>rvm3fUfyMq6)QVr?{Ouc)@tZUr(wb{3{HgQYTer5%o!8j zS#$jOs9Qk<=^_vwbh z@!l%IV_@DbiB!!=8G_~u0#75S=7ma{b)vkfy=C)Bm!7+sEgoJZUDC>4UztT%#a5y+ zvqs(_DqCKaZK)Pb5t8CDle6|glO$_%KK9xqv-`CX@K?h4%`4BWu>$&a9%sla__@RC zGINVMdoQGG_HdwDx`!MpHIuQav@M%SBGW%MCmgjG?ldH_XBK3lx$JsLxH^sczUF!O z^Du|_=>Fywwl$MC_mpD`{T+@OQ-|H(D=`4q$4BszQ_Wh4D&}O!l(REwO=8uL#S4!1 zJ`_{Qk)D{H+`MIK8jKsq&W>GOo!qN6a55rnpTnIy1YdHMbn+Aybq`ubbMt8SDF7Fx z2e>FVo*o%@16&z$9V;RsK%^}H@Nh_Y%6S5c^o&6EQnj#n`0a4pcsTMsa5y;exv~}j zD~tzu3h3EA1j9>)JOx`sGB*b6Iv|Z$c9Ia$((+EvSRrReimd5!JfE6ye=lg(Naoz= zpI_9Iov){&*Pih3)!GMk4wP%ZcVS5#2g=wx@KB%50OM_Go{!@L_t zsR3K1{qPi=de=x^(cH7Wc)IJ(ydIPjZ6S*7r9DOLXVoHkhr(9-OHFA+4j-mw!XE6F 
z@6wHZi#g&vVskB&pZf*=s|IRpiL{3r-? z>h9E(Q&=Dqn!*M9SQ@D9IONne0U*s>%m}ZGb#CRT1#FOh_idLrUqKCCmrhumA|k|t zp%zvjJ>2V3FbP{XiREZxfq+Td^LeKdKYIN(F;HUy9IjNOp>aN#b zvqa6c`aGb5@>**#YHvjRo704$=h`XZsKEta0HZ}puWRpiEqXDTy|%tvMT{Y!P~4=u3@0#5Q!7xHtrW3;||V#r&@7_ zZQSkyJB4RKR{8wB^}x;RFZ+E|2|np;2X{o70e%%`f6D;H;|g)JW8PLjizq_E%L=mK zEx>enWs_4AMF+s!!s^)idXqBhKL_zf1P8x(6{ne4%DY%7C@W@iBRr>VB8ZnYB_FPJ z`t6pz%fp5lRbh>%=T~D_+qS~}!sZlAEjX;Ktm4*)nnQO_Qw|q7ymuS9l@mGK{5HoR zVe$kHCtoyvYhqTl=2bT;W($sn*D3Mw55(EH)HWO0a~l8+lGAB~N|dq2ZvKeXVa+R9nTCSMas`D3oo#Y z!Xr=j$2pH&yM{f4zt8@Y=c}Zf#6)BdyysL-r+nh&{Ag$O2nXVc5hf6!)0Bh)SB4B& zbWhEi;`A*Xr1fbfk7gGu$OYasNOx;D;0f_y*Y;_b_Tp}h3*?bro&#YL(a!k`$w6Cz z3P$5M^?6We#puZi8iT8D7n3&H64LtESZSVHkb5LkS&egQY0+WdWJgX_cB~C4;1t5^ zi3+m_>gxt=T;SEkqjUN^OstPlduLvyQEOQY^9F+`#)(Ihl#y?1Uf^|o}NeXRRr@r$wd`4O46n7l<%s%j#FXV zt&)5x_gH$Q&!pE5Z_N`n5~sudoWgG%canU6{-D=*dY2qqAHq{3c7{^TZoyuRxdA0N~0>Ac2K#+$`EnV;KKHif@?&OAggdG}x zOYHX9z)D@%;#pZ#l+EqUE>z7UMgdu>Bi+d~&pDReTcV$~zIoqwEw=e2v_DaTAgG-~ z0)?68_^^XGb=Ebp`3e6Z9*OiG$Imy0M$z4rva27630`){fMSNe$A=pDSmv;E7=CLCm4w90J z%8q0QGQ=LvEv_o330`pG4R!iloW&3|BjaspnbFvXc#;!th~q-CWQ47~kwf1X_fBt2 z{Jzg(yy=lgs3;5MK|{HKH?8d2o+0jSQTgPMD7Z<1Snol_?5!y78UxnellrdVM?SPD z)51jc9mDGssY(vUlN_#(q-l%RXiLg)9q08ES56kyrS)-|;ul|hnjxQHP~xQKjjZZ}M*Vo7(G{1dt~vib)N__^X+Qu~-)=OyH|VCrTuTmh0rj+wCr9SSY4%MWPPeI!G&lp}#t-+=1KN>bK4Mm)h5 z&tT`sj8YpfU+KFBAd8rG;WP`17oW;`k3;|9gXoKA%>6glB47*M5s9Y-)QHL5$?(?} z5^k_jcrra>Z@4%n1`%)I7M84-_8w>x$PQrZOc}Gv#E9baPO}m7@>;!SIIXC7E@$?6 zz+$z-*`nfsGjn@ryi}j0i(%0=JGcl65YsA##V=@s(2o%E{Eel_&T;#P@@WFKU!_an0$i)XijP0jD0 zO=@(Qz8y#%Gh4aYH<|5p$!LEeLYtZ*$oJ}8KZsZOYpZtV7>pLQi5K*~tTM;0rSJU` zj+g&2keH@*UiYEillB8wy2u`}4G<)g;JHpiY^TFxF?pcJrSnV+9;t*6s?R^}48 z??{^dWDDM6IKQ=_=W~ySwK?D;j4ANwlDr(dM)y+g^ZF7pQNu5VGkpaIMZ2%c>*OV$ z3f*@2VqGF`9*C>4<=+){y{gu(63@q2pGfDFX3>^heAOzpnRt4b>{1Mi-hlR6B_*TK zi8CmE>w6`<$VEF46~Fz3I+}{Px>Vrg@CfUOlF7Z*Gf*@ca9+jZ<`ea&0aP2pJ%0T7 z^{CD|)IP^r`PuFQ=C+DwPblgvZTVBMiSiN4IQAVZq$845X$A})mz>)Zr^|~5Iv$?a zJ|?2|8t48i 
z*@`tB$S{aMw?0}>riKgZy{ZW}D!*^aB;t-fjnC?BNA0U-q*_jZ9i5wsJ}vyrE<0Q^L2yg-zRh;57%G73B3{tu+5w>n7z0l;}l3=`JE#1%L@z@ z`!bQeqBR_#>D^o8umJEy$>Z!o>&~-gLo*#&+R2ttoK*7p$AlegX-LQ|_nB(a+LS%G zPWn>nozTX}s?bu~qfz#goJ%<DGYw^~grM|2yv4@md`5dB(;hBstqh5`OK&zmqp?k$yD92xc$;OGnvV1cck?bIA_ge%-JjEi*si9PrZ8& z+c44-+REaxkN`U37!NCd( z`8i*D*_iq(K6WFwsLutAU2pl*g`GEPJI~(3_$K>mVQj0YvNxF9ysqKnjq-zl^V!^5Lp`2TX51oa>X;FrQw( z@tPo0cg>>HGchDpxm{@7dW=4&7f1yA}-s!;eR zd#zlW3QyV*Ej8!NxgS%qAR8^}Ocd*XAMHZ6l-$B<4Pt}W&w_{VBKw3dLff+aQN@*d z)}&x>dDHaHT}6*Z_Zu3b4+2lJfRLD5gjmjpW#{wHCui18%2L$jw=}{W4TLy$gQpvI z-R#EH0(|RlyVw6qwgX=KcarUx#Ji0mKtuNq*4thCDl*@`$clA-`|*wbUDvT>%axfU z-h&wASGr=p0Al^5mGu8}0x`;@I*vA;D==3U_Sq;(6h_KX5y?j+U%q-(Q9{Dc)YMeL z-2C1;50~5KoKGO9& zl1Wq$^xD_#=X06T@z3ZSt@7W+=e26T_Thd?V#;Tb8GZf8Ov!yL-U1|s#G{{wQz`-H zVx%_s-~#aRgeI?CzTA*!Tr*O=hejj7@WyDQ|Z;JSrfy8{OWnp$ia9^isEGP34#MtP?g}s-U`nMd=0?=koZXe+BTt`U=Mb z%YpjAa24qs42Pt@O>8BxNo{HRT_-D5OWK#w8yDi3lij2$KFx@@uMP%kQs%XS2v(&~8{WJ28<={puTSQVqOx+e zrhV5x+~;$eP+eL98RP2RgpG%^_31#?)cIW?s1;DG_`H06RQXl5F062=++YykRxRpd zuJ4_1aOgd5c-K-OmH>2a;TrCvPv7*u1kN%Ymho=?t2q8{01s#Sy3Y0)RICo|U0Q2R z61fYnk3h|m43pdjdEGcLv7p$DK>njzR%AM3kYf-W9v)jy?Rh2{)NU-T0XR;}U9oBs z?8g`C;YLX-gO#u^86Oqk(!+v!b@gfEr+|!lxieZ?arM$5V0T#aLAHY01-AQ1mv)LN z3jvPa_2KRt7ku1_3f*)D=o+5f44g>fF%D?Yy>J0!%$Y!n@!VVY4N6KJr8tggc^Yqx zfm`oOoUMgjrfxdIPWgT*ySU3?lB7LJ#8oQ+Cr<#bJ_s_HTAeiRBL^6>>5m^zOu(^U z?635#ybeMI#fvrTk)B^xhl$rduk>%_LLWaq;XZLYuwAY;Teskj-TRUN`v54|}C3Mx)en}xlO zp`vqDyD~QqGZ#f1=9OBW>Q3+R0d+TbFLq>JEEDti7zI3r2QByo8GEd4#!|y*P8ovi zR&I<=tJl3qVA5BjgN+2g8Du})jTEfj5xOx7ZbOd3exK5J*p%;Q52)|weYlrnUE9$8 zuHvJ>fUdO{*OH2A}4VzN<LWX#i!Mk=Io;GG6jJohNJDtN7CgZ;|lvcnx;>h;BA5s z)NKD^(<>-xi21CNUVU;%4K&2jOVIqya#N#4L zjJI;a@}BmxC)psfJ0{U!huN=O*w@5?{5%#Kbw&K(EQjw5W zAq17yUBy^Y(xo6|?zy`mj@+{^Z(ni@4s?^1OnE8DiK46UT%LN6Q?2Pc(_4(1?b(Z^ zyEdpt)Z}Rxyg++v&>1U~|53BGl34G0^yr1qbs&Q;;yBOaP7mQ?k+p+tsBF%W6CoaM zhb1mwqKH{4Uua~{6qgZuw(D`=rB)7Nt;4$r*R|5+!u8V(1J8kiE8>g0b`Mc+N 
zaZceXo0EC~%3(;?SQ>7m)?eCBI3n&RD3hi2FmdP@7ww4il=zG+lY2qNCeZIA^Yt{^ZGm-E!6gOpVde^*N}5{mwz^1sam_Wp!3LHzoydrY1BAJ$UQ!G>hKtj(7k-? zmDRjJGCLQb@9Q+o~KZt%0c|iZ4#fQUC*k?g0N)0{qyFTzL_^*=Ne97Gnib8rN%o>@vUkIt z*iY(p_2p#%2H1$Py;0Z#93(X~8{el`H|~p$QL@ro-5ImTBCu(-T!V!JPv!2o5k)@nPyAQk+8$op~Q~ z^`11wHxo@)d4zR&!~HYldG)*x>?LL|;UXz!Wo2!>=~DY8{a8{vG0rg)?b3cqS+TzN zdBIqF1qg>GpX?R+GOgG?>E<0Y2+Ac`3w@_&BE$Ct*&slIz61_`CS-VdkAwz2D-Fkl zQE(KF&DDuJu0oO$fdUd`^i0$N)X9hJH{~U#L{0j_y{a3F9{A&WuuSY4({EEt5%<0x z7$BlXJbB9Gi!%#$kK~253jGq_ERcwsS>t~6ir#7uY4YK{6<#E}u9&i(JQAEmbaS}A z?3G%PR`q_{Ps`J1Z`|K_8hQt&pcoLqEm(B#!z24aDGNTb4JlXcD6icY5?K`XrAMYX zxTX~5z=;MFue!gUhxc7fnEt9niR#s!N^)cG<|93qC9X^gU8dFl>};TuMECp&9?krQiul?cRNm8#X9maY=2^OE zt6&afl!PX=#!2$e1TG(>ttsUS5(|vI0Q_4j}V$&TII;ukPS$L*S zZWk$DfEeMr5d8VRFAcFKkb~*A5b8LwdN-V#M7u62OI0n%!}}`xP(|~+M)IR7_Z)jq zDaqaH3@7~su?a8p`nUC~%KW1y~PlP@5p?qQmSa3#AS2=9qUV40CuMr$a{xjWFmHt2`@ro*Iku0F-hx5Ww8`l^X8iT1jjsNL1<@uRiyT6%Rz%ti4Kzt)+ zbhc2XGmSc5GU&i-ywfVQU37j2=&uyWMNc1^S7^9Nc!N!6e$f2Nu|A;VPS=GT(!{v| zU|aEcvS+)UIaD&pCGSRVk`h&hM*z2?mNgvEL2U&^A=f1a0aL%!6om&a|+sKeD1Cfj^a|NVgBm19Ol z{?*Qk2>gxJ;YhZt`|v2~g4i#KkPp2k;lo-Ho@$)TF5)i#7}L`c_>Q7?aDdUzVK`f_ zHGK0>{%3Mm&y-G8E4LilRcY{;>hO14(FM$J`F`dW zB7>)-OZIiobnn>R9dnYfgQm%Va@|H#L>B+Zf6y$ zGSb9@^QOdF2lCg8e+z2?{3Kz;Afa~Qs73kV=h?DiwQQsfbmsfwHJ!a;&+^@u6}v1{ z%hkIiXxnq0oi&WS5NL&Je9~%K;ZX5bycd0QdkDr~5+(1dj(81X?Pf0oOZ#gwPnkC# zHnWAGL`Zl5Wr4zt*b-#`W5pAjUk~B zQ5_4)A)B!5z(Bd5cp5e78$U+E=af`^AAObFdNZWrxO=#6yEQRx zZ=^CFz7xKe%^BKin%+fTpQ3m4>70-9(rArSS_!jYjYA#~ut}q)JTOtfrDaIk@G>O3 zlmiW82KM7fQj9F?NSEr~FAN=SZq<*(&*(jalcgUuiG158CnerZRYYAx9ahQE`*4pw z$OWuK2>Nu!I#H4>F^cW-S@+^Z4c^N+IK;@v_~4FfUSGl$Mvg|3PoQp4j4wKklMG*v zp+{Oo=q(;E;CMW8FS6SC;Ye|&=fM1yiP!Sser$|oN48wnT=s$LHYta?bmsJJbd1t* z@a9otI5*rs0v2^>4{p`?1nMyxYzyDtlOl==#qu&*lJ~z$6JX#;I4}#~%=%68u)VkU z^_+_g+w3~bQy{pkOv68XzbU2$I$QxN&Ka70g(K#i=+= zB{IjqvluVAs_f@yUXJu`UGG+CU{2W8xvTTi{Ef?nZ>8yc#o{KW!Gc5jeQ9Rc)RNt6 zd-SHxwhxPYzh$Xq%bt^)tmwmqyk`xYli5oo&schH<-VVFh+}JAx=dN>5-9H|mUuAo 
zlip*?+xqhd7VWsq)gmXyM%*nA>V5(&t8flNGly0p7nRf?7oK46USx>JWhQX^LCHWm z2TNy4jdmmYphSvtNSo7w20PZsuMJ!xzJ7@E?FIx^ zc(V>R(`AY14-94!&F>R*)>+R#;8)~GX6g~xK^5nDo#KL*+7l}-P&>AUGtfsoACBW6 zz8^p6qSx-dCr#D|*CSejz~O|`Gi8fsW2-OFbOzq^3_{?$n6B3MtC5IA>SI5*-)%Z6 zPbx-cW0J~AX4)w~fkirfd!QZr@%Y*H8hY$D`92&QveaWA`C+g(&)K64n74_}f{ib) z&6O#c6lf+$S#X|!oy^zSf|KP`9|+tUso<=B-u)_fuPB!46zv=d_0CIr`s2Z^vFO?sRCO2yYRuZZQ;T*HvwfbV=eJ~_ zpCNU@Pvc^YbgxCu(b>g>8)Qor#mQY+IHZ<6j~^t8x}Qs;oXxC?Ns5U{tL0WyRgEHj z9UUEwvT;Q)he(TKB`Wz&yrc^Tl_(vYRLm5|jy+sYymd=2HCkR)_QC$J+FBW5`vJd3 zSQX}oS~3Ywh`T{Q5qExaShzD3R7g$5bxKpwL+w?JTG{DilL=#|mp&M7Cc1xK%m5Wi zB}TKI{v!EYaeUS4LE)N-$;!9mS)iB4vEtVC`YEp5oD+xLX&{s7mf$zfK&ailQvSKQ ztS3E#`)rTbRx4a3N_7XL~A$?8?5w4%4W ze7>k=`^dX5y$cEl>s#f=hLeicHe2M}8t5Dz9oX6e2K?(z=fvKHczibTR&#o)Q(rm1 z@TsAsL4VQB_u3*~-u#+=itnTQVP0jW`zEhN>h01e?mk7h;r?RG=*E&N=>>f+CXhT4 z!ygG+6D^QFEQpA7hjT-lLtBY!!-}FCU@lbosB?$nhFME5onA>naFp*?33r{WE;5eq zWZLCZp=$Z6ZMKtU@|vIT!G`D#pK;NY7cZy!+l5bVsmmic;vmql^ge8N3h~95H1XsT zkwostj0G;M8sIt&t>6B$oKu4a0~ZUb_LMYoflVf($F{x8{b04#go=#@9Ho-L5m%B3 zlsM!(aZM$}Bi*vl@%~D;F1&tg6K)a|5#FepJ*zhx>dv<+L^{Wd;}$>Sz9=rhIzl6(3f$5&FRI3`X+~OeCNjvR$lZNe<5)-ETfZag>12+ zjH+7@+%0m@FH1b6;{lBeHN~g1ICtYE9O|s&%%4+05Wf&QmdL-qr?M8WSX&+wgVB}W}8i-#U8JB{_s2Q_2w&n^zt7|$QX zpIHg^$Vm5dh^y;|i$`yDo?1je2J)tOVliy{4+?4L! zBSZ!GUrP?`Ia1 z2iaQI6^v9fgs6xJN;U`|c(}U~?8A@YkiVDMvs!A(_2o3EpstOMWxem(N+GXxE0QaI z!#T_3;odvOrG^(bkC(`$Z@h2rsgt8!UNsyQC3UsAG4+n8uq(M~>!b!2K@pP#JE#D{ z*U0GBKWgB0tpBcJx8v&Udz<^>X&V+Mfp2CX2F^3T)n6 zC-+>4Qdx>lT8or$dQyU-iOuS~_T09lp-(x~^i-YL4SZ-DuCw?*V^C&$6|p#INSE4w z*W@f!)cf;V3kHqs8q;rrd;~*twB&CYx-s^*Ou?KDC#`%cb`f%-%HK|Uoxlxs>29P@ z&?&yfCN9R#F8%2BwUOQr(=k5cOf;N_R5}#Hb7KcyIyNd^7+pJXPJl%NXYYl} zw9N<(;m^ys(Tgu)ZaJN6rEdN*YFqz0XGPTkclV2&7IxN=X(9jPud|gc2pSY)y?vV> zeZcRUPGi90=DezRh|%~dIM=P(L-2U|^J4{xys4gNt`A;UkbhiFc=~}MCZ27NKr>U! 
zISC0GhjF0-X+CXbdl8d&!RuA2JP&j#LvgRjvAR0L9ZbzmpKB&MeX_h|x+?Ucl!Tv# z?OPQboJ%r|vWoASlbh%!qUmS7%x_8b*86;{P|y!Ey~p?>UMw`^VQ8P1YN@#NXmfDQ zqffaVeKv8nu~`00wkMTHu6PqftxU_KMA@2e54~Hg?E_l5>joCCck_evN1jb=pNIm) zxJhx8^;~1BvNgI@j4v>Fc|UxW+FHYq>WG{l5mHYGUdMW%vq?x0o{<*QEPH+bHKwJ^ zhT=u5M=JxY7UXM1HI+(wL%b>R6c(c1s!{DeF5txE@wh&^Rc=O@^km`Heh`>f zh_vd;yL|%Dr>_NqvY?X75uA~0jE7m6)?D2$4$H2pl6c~u#Hlqgh^YmLkKd$M0Z^U& z_U+q_Grhtu8XD%}d5cj&@7J^H{nx5R&CJYLBg+;>o3eyOJmcq7`#c$NIHv#p>X&D;S}KG-vsXdL>eP5! z%8l#S$yDqXKb$A~Y>wqM&($d8zb#%HhaZCM5dNvEfFTDOAO=sZ{)$>4m zQIL|9lrCuykY?%bkdkiclJ1i3ZlpUUm+tQFZdhvRc=!8z@BIgR@6ODfIp=fE+{qyh z4#({-g5q2q!Y6JvW}>vAo$$4GkCs_#W*`D|K|b|h%g2%FXyOJT+ois3@|=mPMi2j4 zATguH^ZSrgE}bJ0NV^OH9tZ>A73N~z-+KWu7(HBE<>U!&*NdD4dUg3y)v_d8gV!aq zY$?ckTY*A0zs1gW6z};(s=Yy{eusY7d+5PA7=q*IBSZMwLF5YfWP7P*S+NqtZlcwu zqk8~ApUAoHDx&KJRZabF9@pDz91JsGtRyl${Y-IGQ8g-Neh3dNEjdw^f~pWC^M$Vf>kYSVJ`wHa`z3xtD^FbN3g^}L{oqkv>EJu`z0 z-wF$vXSzQW?mzW&yQSO!u;H{wmM$tx1$@o6$b^zbQU8GVdp#^KRNual@*1`FkkKBf z><(me3^QBC=#P^XHB2yc(GETw`gRJIO#h39h5Z;#!6oYd5yXH!tgbk8rJolqCpC_9 zlbUM5VE>dX+9{v&Em%X(f#ryJiS#)(%9%Dn69#3VXh zucU&-ro`@Y$gP_HOWB*xe02kCER)_44Cx3V4GznBS?BZBk}T~Kv3mOw0IL_Z*Y^WHErNa4G3}oUyxIk8zp+louuttvsg<35M0(CN!&EAeA{HpS;-Se`}Xn;;d3W zN~?(@VC18{v(2ElmuO7Zrf$7AK5Uj@Y8Eve&!B~Y@pCvFL`3|Al+aRNCL`?G`sl3z z1Wm7g2B=NL-EHxrbhrS@3Vo5$`0&w8jdGqic4#F!6+pJeMtor(o>%iw(7Cv#I<8+a zkrm&RyC0Q-&4VB+JFZ?>c6$7jaOE(h+4~DlNp-ZVc*HrXubKxTuc5((H zxmE>*OJ=jYwW7JhGJ+L6+g#p1c26}A_C*~=<+)ufEVqc&-n&q|S}y2yu(9YORx=+< z7)ms0rbpGM-X^JkLUhNf5jyvPy%LS*+1(QHLnL^eoqZz?|TEP z$Nx--@=?HQPyEltw`qScZ3YZ26TnR!?&h^#{w`JlFx=7!cgJ%w@>zVefS#j#mtR;& zC&O1h_n)-H{D}r#8{HC!@FoCR)REVhr#bef2ZKhEy`pSyW#RL1=61!iRo9)!V@D0E z|9m%Ha=;0)H9*t={Ki%173*OgbT#kQ;O+BAfLN$}1Oh+=4+q&k|06L-e4dro(vypW z!^!xN-ER*6;>oA7ifPg&G3!-|?jtj|=JW@@0X!ntKoha&g%A~&&KlatAYhzd5pq6; zHvqwAVRkb>+DZhTTqfvS1Tp9*Q_CUw!_ABW-~d0~9I?8bYxfbZf4Cpl1yYWDw~I#d zO17sEJ)f5X*CvY%B9)zJW#CnqjHa+yR07eQ0w9{_u-OS?qWN|`A&?0F;nnl`a)8xr zoDk}N5B%(rsXPg|jDN)gKP&V)+J9Q6oFwbIO94spf_^hB=!VZ*8^DT)KSEE6@bv7u 
z;KHr}3Zs0UaUY&JO+!VkZw8l(;H5=h9YpEdD$3hfz6DMQZk2XqZ%t>n_DZ!%yZdv- z0t*L6JHhA)F_sEx{dP>GS?yZF^Z3-?4l-Wcxs$FR#x}m(&Ndl}qjK2pMTCN}|H|LL zRF(s3-$*&!i1BD|iNnOvc0V zva9ETa~`>hOEB)DBQozPuk&dPpv=jDozHdwjWiwz`fueoc~6l>%8XAS0Lvj8?VBxnLkfY;1%uVHzBbLp zA76FYuq<37pBkYU^{4X`0-ujOF6ZU@h;T+>VPVPQ+Fl`%l}*@6ni%ekKTwZsWU!Y5@_! zK2HF(xdJ$_LB___-1134{IY8>b0V7m6+uFdMu3LiUH#ZShE9O$7W%m1{Um2isQ=*u z0a{uCfG#x#*lX)2F1(zJz5v5JafEMKRF6g1s{PR0QVETJu^2|g$}UGg;=eq4(j|dS zQl=Z{l?T4X6EHa?k&INt*>PQE&o%YJn;yUG2=TNQZ(Skrx!=BE!f4oM zd~a70OwSIx4(#lh^}HVn1Qok=z9gw2+%W01Ah723ke63%y7I$PisHjEYL}2rJNbnK z4hBM3v@bq|cpA3{5Be7ePYQd2!g!Sg47y=W{<3Qwm;ETo<$&8vie%Y*SPYpw)6@wz z^PS4AcnU*7)L;gZ;RrGsU<2#^LO7&l|8y{Q?)usbklp682{8#7;pk;R<;!mM*|;j-IB~2?7PRf;CNRoHXaMg8)@6~hdn9{GIlBHM1SO$B zCb?7&CIaUC9&pgIK8PUnivoiicIuN-+|yu?1PoIQ{!h|j$c ze|C*ve=E1@coC&^o47R{;rY~Hwk@es`+qJxPYc6{_z{x-@Sa{ z-*Ta)icZ76FNt z0-NA>VrLF3CLa1BAL=-_ke%&74J!=!fxMMc>aI*_pn5U068kbD=AM*VVa5_zgLP&+ z@rO&;P4hE3opLMHdXs>seFB%Lb7$N;!|2#K978nT+Yqzh5fH;9;2z@kQf_Zs&XpE0 z9B_r9)UmN z`x%<*LvqwFOr9YpoZ;?gh3C?MNTfM6O(Uxy6mv)2H|pT$Jk|kCQ0Xz9OJ2=EcJJKzdjoANlHp8DdBpEPC)b5uav;#$e5UzZ_pQ8rooy9 zpF2~;gm-RFP_x}XCoQGlssZK`ckf?<#tLz$`xH$fIRb52HDjE#c*JPp=Vsz3W7BJN%Y*g?Q^Pe`ZN0Ki}a&)t2pAP;DQHF|%KV2_z zBR`7`;^|P?ORFeoU)EN#Q{P4^T)OmUYg39Kl{@%J7JQ9sw(xKBDPDSd z5B$qN{Hha|(@$S*{-B)JTP_TtT_+7y<8H*{Ox7wl3bA2JSHy+M_)3S_P%Tz`B_b!j z+j^VS{Z`tI^442JG=1{cGP2958&g7}paem5W^~Jpiepx?#eHX>RA1mZCNpPjXsGfz zS_-I$h)dMuJLvlul$d<@aVDqIAc?Pk2reKT1Sxt@mjy&4_DCO9Nc@9OCasP z%t*A2!E#zXcq02)z1YM1j_JPT*9qtq<<2ui)yow07Cg4=2Lfr-(nxn6A!1SfM@uJp5W}lmy{)|NuYa=u_mma-DmZJj zz6tZrk~?g?#8(Bjn%j64tBYqQS2tTFx)s*Fb<@xD-Nlb@*(z0>hBw?$S5(nfCIlT{ z8E*%NTHEJ~T3mh+Ux+e48+OBC$lAu3o#EI>RYU^WghCADU^ISsE{z5zJ1dD!QxicB zRdM5G%Y>XVS33a~PKzL^E}BCj&N1{dE;hE%p+YDC4i284-dlT=g_eN$Yq*&=X_p_q zLm#&K;?=3U3w7RoLGgfsq2e!YA^(<~9J_kU_^dC?m%$5?rY&IRsdtE|;c=T6NSI%g zR9^(XaeeyeQcoKb8%JtBR76EVCC{q7?bz1?9~3AP-NJBsc(Lwh z&V9zLQ}+V<*e`}RyttQrF2UJ%9pSh=R@c~K+1~AR|M}3rFXdN{zlE?E)7cNxji}EO+!<7` zQHnPJ2Z49F0~2tYW^Hz$`yB;>wH$Qz!*K; 
z9^gSmNh!?AI$q{!Bqa2g&Xm~4KcI)IRrcSHa&4VZkGws83Xq(kJV|oCV@+IAnwN3r z<$6p^EnSJbsd$*@&8^0sKblfiPZts|e4kqfID_7s{ul<|=5Y$;RRQtYxAWbQtU_!Z zyia_@>?$+ne{wvIrpU0WHHFY$lh?JqA)@S9keeN(^Q~@ob*SQ)hG!2B9i4ItT9pt} zJGDLNAKZx%Dp1?NbpYSNBu6wzZqYk0zys1c;=Lz{9_4-=V9HXLpK69s^qmcfx9 z5sba^GpBg6aI3o4ZIhb;aCjF528udF2kcy8?2*o4eRcQ{ z)V7fqd@o3~D8XlD{;XGI*R7O?qutt7}?8HYvZ47MT`A z8GqJF6T3S6>+K~@UI)1k;*vzE4Y^+Gm^UiZC`IG`b53O4-C0{2Kw4~og_Uf!;QCn^ zJDh^X8IjMnLUnY*QKATOKxEXKI~s=J97(S{VTeXKrcjDCq54Ln=pWmrOH>v^1qkvP zGCa&|rcB9qMPpAcTX4k;&yvIMVzX0|XlkC4p3`@`8fLHN?7cDekdx2oRvyB8oU5&u z4H%ETwi2+?$&LRj7?tLRX_ra7f{U5hT6tLewB^9X^ZVgg&fyvqP+;G)f3;S$Q{Xo9 z_-0Wl%bgwfb<5x{CLtkZjs4}-JiOk}K=wpJZ$1|y(kG?L2O_3+jdj;EbMv{}8WZ8R z-d;+4ZtpP9i=p2~^9AA0Twb}-NtRBJlKhv+l1^U2(ttkMoRwWvu)e{-yoLQm@*!;r z%!Llo1gaqMFe@>4L?X}#Jo7Mb(67%~8Mj||uS;s(UpVluuCNkIl(f!wQ14v|J<3!^ zff@6##MBVH{1BeENSb&BKLrQGDBhuVOv0iwr#iWVxyDZ!ers8EX2ISwnM}CRm*}oQ z*FH6C$9(=sUG&^yk+*8MATr%(rr>6I`mIE*J}%$PcyL;8VQ5usq+l%wcQ6NRs~Dn? z5fMA}nLm!XBa;z7wPZTiP3C_mT9qec)uiX9I>cJnCCD+}ie-ySg7g%2!ur$A2=~?O z#lqh32ruxj_m%+i?GHCMyES>Zp)18&=g~2!PHa)J-U1$UR|1BTXb2? 
zN57T)r1}|^$;B9rNyk||i|T4&fm^Kn3xLme{kz<==EgXRKLtuF+QOZ#)66Qn9|=~RdiNvRQYX=)ZH?8K5V+{up~R=6rhF zw}ldh-Q82*{adVrkeG?q+#EC8VVz*C7Ue(Veo%~*G&c>Fy;-dmGg@YTy^k_M0q_t; zBqNI@5tT!u#K?O_XinBntylJb`I`+e?qA1>DFbIuG5-sE~-V8Jww66TK4)Ld9Tq^tB7 z=me9LG(R(A8vE~`7ZX%e$e71-rAkn}scbK-v#FgT6r;1Sxr(|yOq)`U&b!=8|_R*K*G_QoPVjP7SdDGz2o%Vd91_NuR?@zWJNAa=n`rz zYYU+(uh-#&jO1GC)hoEcocel8)qa8Su!GIBKOPQteTqz6^Q;^G*CQkT9;SX-M*r+K z&dE5FE2@$r!xOWqTvtbGVlbhO_P}JMW@oxhilPKxRfuY-Hop1*{DYsmJwd&31`Ndi z=8TV+I|lbFJoZA(^wi%!HxPIX#-nYJ0aH*siv-%R>ZZc%_7;gdTTaa5Ae>b7DAG5= zX`wj4J>zjllw@i9g@L8U{%V>HZ8%2aeAp42L8o2qQQ#)`UrSD?Cx=@CgLaE_p*O!u zgUy=+aZ6Q4g!`5OKBsd;>)Y#7gPxpQn0v(dZ7Kvsa zf)^IO|27c-Qq3wx?VS^^m%VGicf&&h^>P|&fNYTT^yf@7Ciovi5eK9{x^N}Vu9TG7 z=%jD6xG93iU(Kwa^q>|F_G>K;`<`Le+LsSZsuxa*Um*Wxz)L_a5E+o0NiNd!6luS| zg?GDog}EB8Lz7;r-MTu^)H3MBQ4d(8$6r%nk}C75yY=ed|aDf6Qz8%wpCeg3ZxvEXrQZx3?F6I)yvq$o@aIKm$8kfqZP<|06;9l}XpslTVEa{IC8P^C~XV z!!k|Q{SCQ93;gG~!7fcyEV1tN{EtAR)CO->f}<27tLr2Y>;B#VPXq3*lm+Gm0c z<1glst>12usrHS~7?N+US%~G5bm$Xzah3L@u}$9eMoi{g`yB2>mLx#Cs_1689(H+F z%U99bQ`b@2s*u)#XiqNle|$H)GFNkVj%)1dhbJN*(PEUC`DndtJQS5@rgslgvxn0m za`Ec@Ky7h@?XgD%&#=*O(FRr%%1&gKx4qz~!0IdJgZ>&x0}k}xG_L2;ce-STNb(tD zTf^d0kb1)=%BB2&>#m*1yWDp7X2~TIg7_ZkD%*hi*Xb6gy&s60CuGM(Yl{;*klr}Y zWQWE@cbys4_SD;?Pj0X5sXQ;dE^`G&PYrJE6Q?UzWtfg*Os@is);0d@FbW%Eo_-t7 zLS-rcp9KIkVH$PkHfbh^TXtaZpWz$YD(RCXxeOg%Hy*Xewaa|qORo6{J*6e-cnT9u zV2m$22`T6(9vfd6 zx=I;h-J4;vhty{l0EIBME)ZQk!9+6>yBl-Cy7lcvZUxrHiE*XI*^tLt)t}PM z!((%s2R`h|U*^hU3BEKqef6e`8mpWL32FmEHCplR*Wu-dADo)rJaD0Mv$}-_e|Nw8{V+4-teP)H0&3 zvXM{}9330Y|1_`TWImf?lLcXOwG}a6EG%1T(CA9@1-r26ZSTv^l7O70ZScRzzCNEQ zAfklEq(4Dp4*q5>4YY zC#!4EpoAX37Cq4%dzqVHsp5L)649ZTyAp_9b6%zLqjSQ zT#Umg__Rx9No?`evr|%N7FKV=da1vbU85;LQm9ZR)L`6gqP1Et#b9e*PUF!A&p4q; zfq|kAS72@jk!(xAcSJLOD0P}{JW#z_RY8;f9fZXCdKSGqPv9~1EH<)xLUKT_)L{s9 zr<$!goYkGTT_qRM`$A2vkQwXuVyosPkj*ave#!2J$Md+H@=v}uweY;WtFq) zWGN8JOTetvcoqk??O3Nh)&b!Xys!BAJzib!3wiQCYeuctb*8+54ra@F+uDqOQOOO7 z7!v|aKs8uARYzsg(Z*=poFylq7iaSjQP@Vf>9(ggE1m^{Ejq^Dm}2ZH{tQ>qFVJ1C 
z=em7PtBq*T`hfSiI($D8u80%GbypM0zk3W~psUTmgwAwiQPo?jCVzw;8+W)w_$c`M z2N;hpkPHvA6XbjT$e*p$l+#VW7mB(|HI@4^c&{`eef>3Z_h~77xBZn9=&~xsgr2Xz zJ?h-~u-;7hDc6a!Yqr_s@jYF+ayxJTsQgRrdAa51GFZWR69?Sg@L=-r1)uwzNXYcJ zIz$CmZ&td$_3Ga<*8%mByBqvcs}uM)_?gvdBJu^k%;g?sdX&*91hjw2{w6`Z z_MPW#A7$Kha7=2diqT?^RCFDG9;>L#7*Fpqn{0c`P*Jdny#F9V31U>LJe*asIi1n5 zIdx2wwyGQ%nqj#bD71E1V^8K42yl9hmeVrnzY8~>e>QP=^(_5Sjz?uS@pZUPVVz!q z?{`sPpmDZ-q3DZcyveYc-k`^4ahYsO-YI3h1mw9DYYEO%CbBK;0?nOeR>$S=d9!IV zZqY0c6+#Kex7^7Wps5XT=jnW2TMCK=T+TB-xtWxfKN!KIcE+oqLp9q!Q=D11uiuj& zds%a)UJg-0dy-O8DA_H4sIHy9Z7NcELo3gtbe>@Kq-j(H-sJmRAN;PDkJxGe^Z{b# zDWE{?c_rqy*F2E;YoTD`3~gw&O5k_PhMtEi?!)V~%iP`ze6(bMd;Q#oL5W_gRpQ7& zl;?}iQo}1XRaWxLE%^6|Luw18d%VpA@|sbzSZ|>gPxLmi?&d3@>S_Hfr+@&$I%=bp z;~_65l?yWzLdO;pf{CT03xQM2r>*1?v}3&~(}Y|L*j{55jBW`W^bAbbX%d+(1^60IO9DWjhL zyu}v`z3yt*PM__;v$poWAHr3vl$C4 zWc{5bg$)$Eg{_roTdQSU_mwOJ#JUUo}bsuENqG!RtBJhDc5flv1 zi%b5ZF=Wc>t1l~x70|-~j{Kk5OH~C2oEa5Q=II6rQYG42SXpTCizYJEiw@pu%;9f| z`2KtdM$PeDLc-(OluB%W`>|orl&7RpU!?1?;B{Jmg2#RzU9Ptb z&XZuv9*L!gciS{go`IZT%L~608(W1V_TS1Jq4{6?dg+!Z6UE`C;WjRmhrqGv){>N% zJ-)OSR9D(R^Wd-CJoy@mp|hVk!NL~$41n%tRb~~kpdcKtM)`^>F%pd^ESX&O$K!DE z)l1SeJ{!s`uUh)FMo1LM2cj+vhJwZtiqTM!x?9l(b`m+M4f{_gW^z{=a$oVDz#ll@}gz zwvYejIdfXCg(?)b1wC7Xc_`tB60t8C3an23b{6sJr+x?bU<4 z-C0Bq@Z_N%R(#|$>-f0exvZt~m`#a#shzRvU;T~_zBu*8&}cM3E>v(=8ADkSxcOA7 z#*{t3Hm2pW)py{rT_eF$(v03{%sSZhX|Ov8i6=whY`IP$)SdP4Wn0o}z2&n4=$5ol z&QoNpsNwt`x#RU7u5j#U4l66s7%m*`+>w`f{Jfxl( z9j?t;QCCoq6zP)>jsc2_UaXl`TzotRE^cs1Hp4)&jE}@S3g}bEXQk{h+r~8l?;lE6 z&jlx?K{0+_9&}`*!SL#G%?r<2QPD;xQ6ReMHs=Tb-?5Jn^-7^=v*2R2_SfHZ%Z=^G zDCgeq)`*YuML~IsWeepZ{Q+11oRO2us^l|BW+Ai@_}m&5{0miDGX`L@@yvk}X0*Xs z`oggdwLGLWj#eEnaWIp1NLL*QT*yecxNe;8ZA(ycP{u(x*J1piAPqDZr<4uL4!jvb zg-4&ZwOYA6|4E3x?1psky?9QGy&P2blkY#W*DI)mp`-sdC=cTWvnCZYBHR8LB{R|5 zLyAQM12-Emsq8&cXT8qcnF4k!4f~!OL8jzrQzkk7Qzx_}K7W8NC2j5+kld^pJKBsW zD5%mI0a8B${sG%&(dLm@T;$qPr^9K|aVF#jep?S#5J>Y~*m!ssZ#Jr8KA9Y4E%O;z zcSrQmKH%byTnFe448%(my|CRqzSX@|r@gTR_y!4QzUelqp#)!-kf^-?OZr)^7sE2l 
zXa<|ja;=Dor^Bn8!gW8>+zyMxt5yv#)_@A&$&=J|*NaQCMV~{iBnDSBxi9nm^OMizu!vu=vkRnS(Oys@Va6v$|g{tUY}XkZEv0k9y(E+U$Uu`w)9V+VnV zp6mM{WNgV`K%kTPb~rcXdR!yHavlk@$r0y>YxwQ7{;nFhx99%yq`9fy0{^?sD&8tj z#a;Id$dU0$dz_C&LJr!E8x1kNl zXY`+z*ygQ>5G58fe^JGQbg&6mcg~0b>m>)|XvR3KoYZJfVyl-EORDNq*g! zIo5r_d_%1biK9ZZ{I>5}_Ag!Hu)z~#qv-#wb!LBdH!*DUb{YGseOBIP@r4xlIb}oL zv#e)pEFrSF-hFT0D)=y;+%IlC<-S|SK9(=50#{XJw z()|LP6^xZi9qo?&vjnqGm4gzpvl_F4U&NDArCO>eANmM<1Pr!kXRRX{Mk)2h-{I1Q z;e-l9|5*R%_sw(5&U4qki@SEglbXFdUHWX>&i*MqWyyXajyUZB2tefGqlT50TdV#@-4Wifl@iFh{IiD}e5l`ueDSs|seONB)7JQKDW|10-r4`OOP2(UB{i>Z3J4aXNEHp0nA++n4kO z1~vMzy!EVdW$%=)x2}-C_cnbKN9fmftwbm7>Q9qR?=FTn59YFJmFLn+5Zc>7(D0;6 zJB_yjdi6Ri=%}GS#|K;?9L5JF6aL*oV^2FS%sbf*2-Nyf-D!2dZ%j|V4fI97Pb z%J(OR|0Zr{A^3|MHYBZWMOlEA0_kB3Z~xhZ9c`e7fz%n>zv*iyrOL!I?sdc%xz2|z=w@z19=N`bp z<#p@HQ|VY3t>VaHUU#Md%|yukMUg;TX;?;@|%|H%s9#_@1)FXS}Ns7=$et%BqS^e7RxZs%g*b@rY;0 zoGqFhb#^)RL@`I~A+fi6bbZKX_npIbC168+RBY@^;^hKx*M#wgQb<&D1fyj~=ef?x zRE3tspU~LwjgUvrz7z6XJ1VN~Hw}KoAmn`+2xl0v43gb8!^MyxB?&LGO=2T9G?W%+ zRZ?D5ISl(RRT!zy1~EeAPZ$_7p;BEW>aYg_PMb{&E5e^nUUFw}3hi##EWvMPyY_Jv zXXofpzDfTnDAH?)R+4PsP&=KZ|f?M;@84Rn}Ojz$61j- zXav@_E2|T@Mw=r>-!2}q@ObH*==~ciNVTXHVpT2*QW(nqZY}?%-5>6%EC?Z~@Q&ZVK^}ch

uB;BUZNpJ+ELt_hpztKS46#g@>9O=nu3DeZ z!2X$ljk@E{ie*uI?W*q9)2T#6)*s+_6xf$N*6C%PX7sY3c{pwK&8AFAN(^$~!-1A3 z@z$6~!O4HQ*XB)eEONc>FKhz&QU1g?Mf|~I<85Q}Z;pT?2HrJB`NB5gqe!@uL)BTm zap9Jh>Z8|Rdl3xnnur!=etz8wKIfG$c>amddkS*RFp)$hGwJosEtcQyV9~@VEV=A1N>P6O${nr_^2{vRXb|S7 z3=r|RhgzK9A(-54R%iah4)Ug$e7uFzFqv=qz|VCO69;#KMi=L1OP| z!M>qFLW~nda(i|+M1N+Lchl~z;Pqq6|8Tk{GR;Vd;d+(S^p*t(X^8;q50Y^O&~Qmw zswk8J@|mI`R>DU2*QC zS-2)wiQjx7)5}gmXPlqwyS?r1FR!&YDmxj`!2C_H(WWF3urJ{f6BKPzNnzFbt#!E_ z@(IO0#UFAq>v5Kvl9{r=vme#`LyZ#uUZdXF=I1dO=V879#grYbF4-@It;(c*ME$H~ z#9MD}=X7;c{no_lzsyLn_sSWt{(gF0ZIpycCzN3#i5F5NGYC&3mVPCW3=Jg3~Z} zlBMlS(`%fvpuyr&3+88dqsJVm4shMfx>@!4VtQVKib9VZLj<7-daxxol5Ym@fIQX!q`;h^=v(;O| zrNfH!RVb;UG_J}>ICf~aUynqW%6e+tc(>}5soZhi&%H2<0_VMnj;+}vM`B2B)iTs| zK>Jtc9K1x&bb)8w{-JO(p)TE&yNhB15Ab2O3lbD;R~CGo7CfcZs7mFno4{sT(i!>n zQqdPy+L*W)KF=ndP0c{4<(1<8wpA!lcOt%gaGoY(GDq4-*wB<08#Xgd8B0iavb^U1-s_QUwI>c5t`}5PPOJSQhq zu&uT#3H!Q85Ykp;u6bPf8n_rA0;=mX_$N?w3qIku4@gXNf`?mL z8%N&Q*wy}6I8Z}IQR>QlL-5D}ATRz7iN_S=J>a9v%N3}ly4}?wD&OTVb?ECu1f*!; zxXJDk^J8R6pozeQ^WG$Pjmce1wH1 zD>bBt4cb$G4>s#U_%x22W@#|tvgm_J5KXK8IdND)DoSGXuWI#A#!{$nC#fh-GxiqT za6yP_Q^^wp0ou`v zY|;~L+B3G42Db%V*nbsje%d|U^H2^97=O{jx(lLj5V!lKyNldt*hi23!@^r!sA}z3 z4W;2$e?ZEmN^#h{9{($S+&1gN$yH<580TQX;FzG3TILin;dyUS!8W)~o^3%)X#%Ld z5t~h4nwjP#%Mo~wotKM_^)90WBbdtPEl=P>U5(_v@*l@k1r(0$)pGI3FLY}!7ejbA z`1eWEvIQgSe?kUZnQB@Iy-*LvPy50rKmiMS-l%SbrzLtF=F~h+Bq2QPW#lw8=mc-8 z5%Oot+dWcMhO@=7_dp4+w!2o6jJW%zVX{~ozCy>upeo{%v^6?9Ryp~Jn18^xykC^1 z@bIKGq>62M{NV1xXKooJcimP$w$P;6HOM@cHmDvD(RjVhENYI?is6DjVyk>BFf$4E z&vK%o8rYFu<^Ju)3`eWBDSji+WY1y-|75a|z3Rz?mb*GR^VTNrY1b5Q@gR(8@0?_| z;BauMxI}P&D@xhUpY=#=Nc+FF#ukI-3%+>@=mtM^P`wib;3;mVkkK@{W-hL= zO46JaiD$NCf@ikK<1K#}KFdZcYp^3L`8(pDXD&n(#DpD?*cbDo>MZ_sZb>wK| zncTf&`*@dKTc)tenenjCdkiKZ7zWCR5*Kgh#A|ov= z{sIQ?Ovb(-pp1p*=X3q`+VqzF!iEl{VEcfJ%41Vf4u7Y+Hz|VXiz$pyyK7xEdE!sA zydh}uwK*}8qN+AU`ie2vYgY`**?-@WzyF{}`yIg~AYhibf^A5RP+GQ|9r(U4`?-9& z)~b+f4Lq-(`~NI}w-S-DnVi({@&SyHV(g>uyMGl%T_2F}k_WZYDUh(nx{ z_MW*d!PEdo(4ZNM&HMOr1FcxZ8K7A>y~6 
zUKr3Ap%1);=*~?$jfbp9}G$Ua4#xo!JAp`a-(efK5Q&FNj~sfL6&A0_csU{6)+*7Cu+>fjL9{; zc=*_J?QOMyh{sJkde{w&t^45qQVqyXVtCU zkPsLM!Q3`!C9~2jBwKD^XR|ZP4pg?C)5J??Ml zc1(nDhN#ZX>VI8*Cn^k5l2ILjftE$FSh$&V`#KB{(z7C>T}Yd^(XChRDGFGwbAT1@64wm*mGQR4ofR6*-?llr*@33 z4{*RQ1^ic!`1V$K5R1)?O@crr&ls@%pZE34#ds;f4UQFcvZ;#u38yqkzThUumMHD_ zevx)nu!_4A&I_f*#{Rl7d}exlH%BSP3i8{CIwA>&PK@?_spvcN&A8$7vmWwr=_+il z-=h8&&R#KHZ#X67+b^cpNN!mUQEg%(7!n|YVRKyOejZEIJxBAbuKc#>V_x8z2S^RhIRx+!CXZ-#=b+0U}k znT{VZX-`+&!yY*99c>B}wgmwmc3j`%4dhLWojVBdN%h>vdQ#C}!xR;ROTQ7}6Dz8^ zHB6i`(CA$!3)Pt=V)R}voFGD0l9LAc)eI|ShAgM*m8w?Y;uFGxp5twNY0>)%cnUm= z1NM6zq(wyQ-!01}&@)>GI=#aSE0<#WLxja_ZiDTHhNr?e{bsHBmnC`X2I*j#0lfNU zOv=&J!GNqA#3oGE27GZA76e%DeZ8idP!tj#{%A@)ymkFHo{Px5@D0>A@HBLz3xP8r^pI+r^I9!h}=6XuzbDk!Ca1Vv8Gf9~zjik)k?`hjW8j zGSFa2z~B;u-tr zv2?lgsV>TYiuN_>-!Uu(CsRdu7*<*#w9*Ee+Nm^1!OVo?p(?wg^UyO|qgQxnidR^e z9B_!s199gv&sAw+8gT+V68dMhF-jC)!Z$}tn1tpD4XbN!yB9Qt7PjE(w0#?ibQpD> zo14Gwv$woAR%c7KzbX*Y2xs{D<&E!))xHdF`6f`cc+as=*ZZM$Qa7^5yZG6(2_#6~ zI*s{mMJ=J<0nT5hOg_A37|U!?j&ox~Y{4`~yUDN~NeC+;E6iL8Cv16n$A2nX>dgsH zhxz$2j-LsQLkIP1()DSDx=MsPN$gbIhx$s^Ig(Pv-q>J2ejMN$b`oHvsx80$bU9;L zU1y-LPYpfZi2+rBBhBM1ku!kMB6)#@A~_-ei{D=S>!-i zv}taZ9fo}m*Q|}5sF{guL`a5I^Q8fq*qhW+(0jKSrC)uLTcCoON@!uxMQX1~2zDkuX zMF;idxwZG2A%z#GcsV)ofrwg*J3=a~ORv~+89}>?8q6xQ-+YF111HC$NQcv`1Oh65|F^XqP>c6uNKhpUm^~QT6@-IixIlOz;kRMs zL-~0wpD%hWEpIL-ll#^h*xDj-B^1go6hBPZGE%v7PJh`_Uv_2m$PZXeE(;um8b1td z!TY8bpLtiS*2m!KH-Efpfvlz9HlLm1NrAK@xr(YNCOG~u7@F~JzIo@SaPt1c*NgW% z>kPg>>@C|qjc6BQ3Y-(AmrKtKcXxjcR42^)}x-ma%Njs&`pbjxJ^v6QfJ) zdj9K8h9S(eJHPN*9i10)BDhGmU;)tOC>k55{~a6lxrR0J@aK;}abDl#yv-~wjV1xD zVzL&Z1U+9i(|QTAWkSQDTc3uY-H3(wuhf6t#Y#BbnxHKF4EjzFZBL68P!c4q7bg2m z`xJqi)oJLt+Ut{zRNBbLeKti#Kmk{h>m1{`O#R!W5y7}(6C4~|`0U%A8G!4q zdNoeY#r4d%@lMnM6+g4MI6){OrEEDYl#GG$-P&4|4e=gPhTCvP-AzejU070hnVs>}d%Zqc2> z{<(lxhUaynpW+`7t7pH=SiyhP_%3%cK+r`XT_hv!^v?a4bD)|)A)fsSDFsEIMx*WB zfZ0ZW{W>?cKc!~x9YzmNlLS|xpU(9*47A}Qr0)H7kKhCB*4l}a%wqQhocL^hX6HZl 
z$~`ome*8$az0dvUiHGgmhk^on!v~L~xOSMD;pS=21U^&=c{dMh)7wl{=CL;9izsO{ ziDszfDVQ=bA&ZW&t=`;YcISE{*41HyUYv>!%RC5b2oJ~CTI0BTxA2meGU`1%=l#ld z{w(d2VXBg`JIwRAT8-JbtVmULsv=v(%+iYbR4Z-yfayI_zj{&PKM4@yv6`ohrh*X^ z6n8w7b3WcLdkjOd?{R8<*AT(cUvTxY|+&6vi6%il>56ytMm zAN`qMs5miSDN-{R<=n}={<6I{za#r23yBzVeHQ#o@+|u z;-DPZVc!NN6NDEY3%g{9K5rTlRLqizcvC;RIi(|nn8X2;^}0?AosBo&*I_!V8)oNQwQzbt|8g+wl@iH@Mn`?Ph~VVk@(t2Hs6MN&#gR%y&P zr1*H_X~FcUV{CW9@nRu96d9bHgjt?O;N#E#pl(U@DI8ezW&H{^VcD|wxc1WNS%G*- zx)f80>5aE0*!g1TnNmDYOT^{(A-WkoR5oq9Hm>2skF{aaZFhnMyu&Oz>gJvXBRHir z8*B1A%XUez^55$fk1~XLoyV@Zcj)o#|BxX0>80@9Prqz8So`;`GTg3W4_~$&J;b*nveVCE#?o~RNonQK-Ka5hEo_0NGhx7U6iaZM-Tdri z@5Xj$3LlQ70(kQ=@$(|RD{HZ+hF0dt;Mj!dFDV+zcYYdQ6e>qG~;CkBY zB5;J2*Vzn9ZJi?=XIQc`DMlo&3*o&Ouje(X^wMlfewy3biK2$Kn8kqKPFFaOQ)uZ5L1eww4U; zlm&M(gF8>3AoFtNnef06tzP>y#RB#e@YY)do$JTKVsB+%DrPE0^&i-(xbt5~5VbWy znCAp=PQIF#DHN_ic~{e&=;%j#yF=kH@m65yfgX;o4V|Oo9A^crx=eyRvUM=q!@p#Fyvs zL6YWYL&!mgRWOshW8;n4{ z@z0rJYlo%;L7zQE691xmYmKb%_%<$eZpv=Wa1<{0bC5h+0BQ6xeO?A3HeOz0IXSuTsHlTS=R04YD#9h~@6_}EJ`}FL z`~{sQ?c_!;&_;dMW6mbQ976MWDB_FA){{n(J10^Q)>Rx;2u$#0G zegO^wS3sDEYSf-=s-K7hSvxwJ06L(_#*^u@K!BP(`+J}bhk9nF8PDpKml?z zc_0cGC+ciUeCHlMAXRJgKb{Ut`-5yB7)S(-XkGUiW=oju7*sgMYzYjp0ovU_V_47X z6U%9)@6PYxRUnW>%c>kL3ksq303Q|0;;c#NFieT)42avQKDq?FS=pVv@f;+d9yo5i z)N`uKd{E^yZFq%4;Hj7XyL9^uXnKj4WTn^cl97^rD2fG4S#MGaOB>PLS4cljqfdn(``=L4JKTb1k^HLu1)qy2A)^EUq2L>g~qAgOtDL|?by}?6FBYbxo33SHv0&Rz1gVtmC6kRXQUSlL@ z`L31iQq_#SYy)V+;aS_>PoaRdixFr$>0AQuOx?eo_*&#Spa%;XI0Iq^g));h&hLRF z#R8B9YBlkm#+|4GbX|VHiN_})=>SA@;S5sH!mL!sW?cLuF3a_y0us)`*VFH1E(&35 zDzS9hL`0to1A+Kj^QPS;5PQ=q(4YsTf@DBE_$SD*3IbhfK=#Jyvr$ygUumo92lxzq zfUw>OWe9i#b)_w$ou{+`_Np^kfDvHMVgcLGXSL-lVQa#T(bD%194E4Y|HVI|3uF%K zkNThY_{>@01m@o)kv?Gp6f`%KXVy8KoSAI-XIwU0Yh4%na}@CIa&UYJrLf@yl8Ef| zBxES@Go9c6&X{XpucF4sItBBhyOR{VkF1Pm!&>vR`|jB`_mknuSs*5?RdfP~gPw&X zws^Nk(-azhFIH8#1mWfc^Wh5(xhA^-mf;c;qZfFyKG|E;lRA69@NqO#%vFB+d7&1wRs+z?x(!&B*fRb0A8*aTjrat$`bDt&TCl7tAS6@j1Hmf#3 zv$s8Q0A}@&UkenDXPc%?-e)Bw?%^vpMy? 
znt2IxHg7-4h(I-8$NYomMI~&2g*9hGtrAXpnponWGIszcRn6T^!U% z8=(NGD$m^2(;nOe!e;zX)JCX~WqV=u>l6m116t>XV9*6TWC+|y4DaZ8oZdu(lr~ab zsz=$yiiC=kb0d|exd+!q=Ir7WsXAQqa)hwyY@g_X^UPOD#S~OCAE|M=xqrhuBG#T? zwFi9?fD?Liljjd1u+l9t;g#47*8IN-;9$vGNN)F31~wO^gU3o`8`v^?44@BGZllyi zM~}Yiz7@F-*U3}Wh=Mv^o`4ws9(Y|Y&~!Oj%Y8rSnX&N6;uFy|$k?k&z`+KV3gd7V zh67R6f3?vozd>XJ5omkY^mb!4h0d^Ur_OLi{|c3<4|9B>?S^;_sURwI6>p4kva{-2 zVH2Q0)teQe%pcDJ>?09qAguX3ucY!xRg0$j8_+!J(cCXa{p68!N*qm=%D9s zVGiFJ`WRLE6;^X(c0+nNG(Q_TT~EabWVR<-d)Fj%XTG=K?}6<@2*mR!3|3A3cb?dG zJ=DG6s-;P^t;!;^Rz9LxUd6tqyT|p3CUiyG6@a(pxoqmPvLGM_O5a*i^6re|~d5FhU z1Di>O){f4`Ni8XABMK#s&j6#p4aHqHw!GUYW8<7A&i!=}VJdCsMr5^w@7+>GPmU)= zYF9??EZ8niYcBJS*TG4iOg2x6JsttgPd*3|%g+{J3z%yTUcYGc+BT%vTW&l6TdeuX z?tB-2n`cs(*~LeQ*|OMeHl?0UbA~1N7mqAm)&iWp~cKg0C1`y5*!Lz$V$ce8nuco2%k1Z!&$YRjYw+5%WnA| zxnwo)z%u<;7<_H;1?z*Ncvv>3_dSIjK~dF{O~dt+D^qwAe6}xr-MvCfa6EZ#(XpoH z!wY7P61}S9p!u~2B9s^EagL|n%Kcm$T!dWJ1|UZD4M&1#(}GrVDF#_k(ELYd8;E3N z9}PQ%vcyMSZ^-nWcr7eJ6uKIMOEg%rxNt30vh9BEnqfWUNd2lo9y&VUx+6K@&Ko>hnC z6V(SQN|oGLcaG zqm{mrgX{3A6Tw}%P>rpld%(DV{i$r&nG(#w-i62OVWYsZZ+9rnW4>|)%`k=?l~a<& zN>ETwo!hl1PJ3$DAfUb#aoAnXl;QOe829NoY{>*ymLZ_6QXG~DeayeF0IcwRg#xu? 
zcg5zCLWK4cw|LUs+t~X-d$(28M6U+jlm&#Udk z!ARko7C+zsMt;gr=^)QBDR4@TT@noc`H|Ovn-Pu841~s$XLSX3!H+KLvJ8S4H`5Y( zU-c;s24jUuhw+1FyHPzZ>L3P9OZyo$h&N680WaFgnEBn>2ha=j50%va^+^KwK;jKC zp-EP7r7zBxryHdh_qa4OIY8oHifQT2RiBW$yaSh}=iD7VA^JC650i74&wB_!TbJH` znpzY94>*k~$jiEF0|NLt$*VMKMD5I14oRwOI!_Wb3v^rq!r1WMEv(l8)E&<)iURO~ zw}##e)rSdyHV-Dt{JJwsu7!x)$Ouk(Q?_N2)JI)kFx&mPr{-4tAJh}@wdkYw`m09R zAJ>_gtc#XU9N<{>Ex&Fb3=s$OKs1aokIED?{1_MKs`mmg7BZul!H*PH z@TM-Z2X()%e5kAOQUMRHTjcP*ii5nBg@Sout%xz{toqnk74XGWz`Y=8!_E9b8Pnm^ z|Hh*^1AKFReEzUCJ7zHBMe_tQ@BVXXHCd8>#AtwPm5;N>0Inm5w4Vz2#_0Vp{ai-O zm%bPHMecta7(6J)3VjZo29+R^+ev$i9R>F{*06?vbhBqKaGBw@*;Q8#DJk|lOpudy zCUg*s1hYn&%XGdm6YLuNw1}C>`VFEV?>vgAx1V4O2?-U~f#3?KYt|l?f)FBbF-u!p zd**|=j{@_ufd~+F26<*{YEae5Rx$of( zlsTh{O)n(4-w|Pnl74s&`+)^}%8dCMQc%AL0v-7Bb26B|x`!WZOx_Pe8R)TUqmAX0 zCZEWG9^;zg%(&WD)-X{KlUljxegg2$hpul^UKnH3x=x4m%0^s+ZWv=g6 zOX@5YTpoDTcqqmCZ>lB8-Ng~U-N|hzpbe!Fl4ruKWEz71ne5=4QPSBEx{kS6y{l)= zYyC|^tjlC+pk3dhI#-)O)f{+RM6o2tNd1$=z8471^Xu>hDY#Z66C z(cg)n>)eJ71PQ)oCI-}{fhT$2PDHC~f;pA%UGAZEwb1pjcgRu6{3iRw(}P#%t1NzP zmh5~>s7VP35++N<@w+F`o<(2FMUm$nixj8d@61{UyG1@k<^tCfvKQ2S(^})@JwBgwhYbyark=i@_#mDcQ01d&OOzQ zeNAlo%(bv;6W{q?^XK}P2ZXr6GHL@H!4-)*fsYgT&B%HuXWnNuW`;3R_VgE&TO^hc zJjzclnPzQIO>YKfaWwD@aBkkY*9?4DVN^9B2(}w8Bm*u$G{!5p8-TqO4g?h8XTXaR z&sT8u0I`lUpvS!ij5AZ{I@>PO_`9357J&U+ykwMKw7tEZ#jMc}pMXHS#TlSr0i(O9 zAfRM7*2{{sZttQLFpUmlfZ~G=1pcDQ{N2nD^pK`Z?~YDQpawsk1YpGaC4p>MJVHyE zyZ~-~IS>R`>P@2pZl=qRIzTa>1Dxaa66fh3-wmn98vP|y6S+fy^0=7ZY`ms)gtR}J z6RWGd+IdzQb$s99kCWePy4e#3KP_$MF+CEy=4fkQ`ZZDOc}uz|fS zI#FeRJs^4QcC4;9h3)1cE(w3d-Z5q1`v9Q(u>NBU#CfN2)i?GuvEQ)wC}}<7eDKwP zOMWI>A$wiQF^)Qreio5t(a#V*-pImKs)(X^ZT}qqn)_;>9!mxbhvnNazZ)bB(Z@iV z@A?g5t%an8K;T8||M1`fZ1g|rShogp@i0!D$Hp)L&$F-1Ki}ZFo})e4Nc~J+DfvfH z^7Vf+66G~(G(JyG`v`jR2l{9`YSOvMWG}zDyTp#nO=AsiLjB?bI8(b54y70+`6I7` zI;T?LVX5xc3D4}WB1#oETS;W10iSEZco~pQz;M_{D(o$^WmND1nYft0JJa=mFZx2u zA`_+a;Z6>qk1tY>0kE3GooQMSn(_RB%-om-uC1&YhB@1u5+_PR#5Dce5S3(#xa(3U z**(Vz2;MC^u>BXwv7>CBnD@UG7xO&hd{AP-R!FRoJr1Y;;Bp>`@B8L-U~(m@@c4nN 
zy(a#ditKHaGaN5$V<>qk=&k>P<)sZ|WGTj9%`}MrDKUw{ z2>kIuv;+n3bUl*JO^L<<&V{bODG0Kly!quZGKM4KK*nH%eeyL3-nb&+Ko-7sS9adM z)JpIDw?f-MyqkAEQ_4`2+2ULRna5ukE?S-Cac|*pAomQ5CR69v5nK$q{VHGQJ+0`i zkuT3RJ3bl^EZG}@m`ZLn69&};2_pn8D&8CY0Pd+b{|vix8=)m(QCYR8(D$SGB- z_uM1((Qp0wvSi)^R`A{&xXOD5JtGq8m^@7}{*-S&AKlmeUW*A0)Cpi1<)R-QB~*esp6za}(7OB{t~pP!ML(<7;=x*#I=;s)g}F-Sx=E zFO)cA(%nE&AqeafIbdGA^u>F9u!@m|IjytHw#E@e|FHT^zWhe-%d=odDb%p;%eZX} z6K@njL)avCXX0WUc7o;mS?k#Q)j!J><~!tP-Qprb#|h~ateWkro^{5LbE!LUh&Yj% zUv|bW&V4CulwTjr69O?c2+uS1afPGz(&$2Tyb-~PL`bUimS__z=qVuccW(W{4=|REhNSbyG2;qn(q*%UWF2^pzL+@T z$?l60=_Xye<3l1xn2dgBVib4u?tx4!qZ=Z{@u%yTk>5SH+(yotiRu2d9-Y8DJKr=3 z{B<@iTST(O3fXv$9dJx~S&{g6xoVgl91{fE3hTa`Wwkl!_ddK{b90WS5C}PMGnV&F;oQ?knCcw5Sai2M zeMYzoP7ki~UlGDeSR7OI4?UVgiKr6HSFB7X9r}JBgLr^8pug3_QzBF91Y2AJQ$fli zBK-qc&(9;+_}T5S6Ip`deg7cZum~aBrjY^~hT@M4%1mpV=r{g+`x20Ex9FK3u3M!g z=F+11^M$h!mQqkIRBXPF`#iJg+f+%j(ygP!+g=yyaw@cS9Vww+W%LsrN_hN&V-;5S z0>E*;e&c!jq3ew&zWa*$^61yWYOcc0l$Kanc%U1x zwz2y_sO1VKWQz&Jw)6S7RPBOtB~I5K*Y-9>LO113uKe{te%S8WjaaJK`@(tV!xdVc zSpkM{==UGVwlZ3CZdbfzzrjU74R@vAbma-&I(LqI3;X{c>wOA{rNY;fE zocszTgeszlZcI5Kgj8}2Dy$w`%lP-U2`Zn|^~(nLl>cfY**okBJJB`~Dz45qquPfbNjmV9L{3X1%<|WUvW%?;DA~n! 
z{(>!jDR1O=8`ee7Z1R!yn@d$+EVW#tdO|ne z+SUWifns$W{xX;Jj}izsCfiu%$kXUHYi$8vmfrLJ|vSlhK?cM zlq|Vkilr7%FDxaU?u%pPo#dR1QesyfalWD^SP6_?6EZ~ne!#JMCc&{k)zlqMH@Rq) zp)I3q!$r;MBlb6MF5eNN4+*Ib9gtE%3Bpz%4eLI#w;$a?^rngK0qvD90aY(YR3q+2 zT4|h&lMotJBOX8G*c;EAl^{n!ifA9adUV?l4n^r;&pbHKgmLjqa&~r}X9ZqpOWXJx zLpr-mm2t*33Hg-?>hR?T6oo(#lOhb3>GwU{qa8_rdw((?e#p^5O{K^=e8NcOAk5H^ zAM==hSc_WsYaAbLIr~`ESG@dE-M6}(!fff-A6a5T$@G-bb%o7)KaZ&QY~T~vL`vkR z9eiBI9_A9!x7-JU1D3`t6F!BcW5oYhmN+FE6W$|r;+xvD9(x7gjoz1Jo|Rl#Y+ z)mhuG#QY?uWV*o7d!7ZiNe%MZN>ive8au#N{DSkN0cXJPWFkgmzxm@hBK)3{IkAP~ zh#q^68b`aucjMHM2*Y{gH9{x8PnybG5|hPGi$0R)8ka59W;a_sBbm&XvCDl%MMYUl z`slRoL|Lxe!GLq{HOVZo(y90Z&W5_6pPST0t69c=3v!8PrXs?<$oo{5`ixB-ymTFO znrE4=IUg2-jt8GzWX`3`Es#z zJMU1^pA41g_4?;o?fV>?%J>MHDqggF^g>E4nK~5tX33qrxbWDTjQeE6rG#QLwG z(r<${uN(ySjr;SRoZ?EjtjQ3vzDVek+6s>JbP-fC_LH<`2dSmE=^>G~O*M}0zxYic z#*qhk1>uDdpNVRqxprw@Sl)}(=Hgp$R*R7jx^2YwsTVU^pH^oBdrc}AY4i? z#NZnm_GiFGqoU6IXWI=&k_Q~)&ptlLh z!bRd16|pcS>TBT)O}IFI_l)(rbhR%U_~~0{^$Q^)?CTwfpIMuKx_i1H(v2eyh%su9XlfkxX);_0TGkO`}kJ9Sp*2b)Fdlv>DQ?ZJK)V*vu)7C^>jVp zchVZ3&n;+r!7>LPp?geo@NExMLM=YZzpd6D*1o1QW`ElF z`lb@SV|F;VR(241*3@K=$PKX>u~_Qw!-P~Owb{QmxeCSD#iTnw#Ay>U ze{?_7t7QM!K_!;)fvJ27UlQBzHl8Ff2)Mi>O=i6B23-dlh_ zSarkl{tVgJ`1L#4xY#L0QCBiXZ&kXy2%gp5UqL{cwyrmY(H%ohrUErfKFL(!K8)0h zGz~C&C4w#1=))i4b#zS^{TI$b6syNi{XwFVQcPLA-JtV>h4E>9bw)6m$5Ent$f$$qKtd0 zmVYAe$SkJatZLaNI6MEj%~*XgOf69nHYrrw+2z_*sWwJQg?o}QcO1^UuF`APCw*OM zSVB#;r2AuYcEmy1-L+IIhVsic%_;?0gBNSH7>ipzgmz~ zpBNYB?a|3&YpKn_O20RD@9fhnEV#$8P(iGG&Jo`?On zbQitj$=s{u$ev`!A+--fK5@q?rj zN{BCOmd7Si&^j~V#U07be6i&}WU(}vKYz-M^XKkur5$xC^H-GhJ0B8tFjJY2vCAy_ zEVNu}%7vU6`&i}^bdXX(IA^$GzvH$=!#+*b+O=^u@{vSZf73uG$cPjpUJ+B;kd=|p z-L97Ge0wo}9Bdg!#4y#Oz;JeMxv44K)5XA#y$c}yXBuulpBfP_dq-5e6W1Gp@UN>xV$O;YGr&ag(ivP^JW&tgtOdQp6Ft|1` z`&y7Xw;G}Xsh)V@be2A#qU=Qj9|ZJ9P-9M)rzD|yQrepJsoYP3RfJlVt~(9{JGxz# zQvS_<#KObRRL0MDF3qa8z2vxmR|U|Rq`L?>wLkw8NBh@d{n$|X`gXRRWTqagE z-#Dnskq*AFNXWT)RT_5WfE6LDaPM#54H~RfmK(^tZ;--q3Mbz=?AWBFC-c8UX(OMy 
z4OZjzD-(JX`Vl@SUlK+1m3#l5di}3wGAjP+tIASS|GNQ1yM5u0vnF1HIP4*%nTi<4&Po!UG zdR=7O8xNP~yu~+_uQ^lzxOmPLb4}$=+p-$`D?*mRG`G|%S7BJ<+CB#ldu^*?0_Mi@ z%4}uE0{PtE8j*`V_)A~8{IeW3@*DZ^xXhuH-zw?W@rXl|Mz!S0X^iv;x~;sWjm`IB zSlAKx0Z6)S+j%6B@Vs~GtTw-s%g>>izcWcQxWgl5E9d-?b7xby4Sg(YflEw?}LbrhmV zT?jv~l8TX$sHgMq^Pj02ps;DkZ0zP2YwqMH*0VjxHc*` zioDQpK(f`y#`=v2Ymv-^VTX6xWB5H}}|7pkIErPQf^ zj`k%gA{J8RleGP9(p}VW+8Vryn>f%cp7|Ve53~i$Lxa9x(nqR2`lC^WqDf7^FyZ)U zrDl_YS&7?4h)80NgY;h_`)!=L5by_Mj^-+l{BrlxpaQ~5ea^8|^1g4}u`H)khOH1N zp_>!g+=ClCdx#R3OUXdI-E3(m%Q-C1=nrapx3E-TnOB&R4TsZLQPYp$-aU!WdN9f7 z)P~eL0gwURHuFBx0G8Hc-HofP;E5>Kj`M1!3xjZnI}Qef%Z>rzp3@{9O4))YuSTb7 z?~rRdLp1-+XuM`CM*1^RUV-F#Fo;h~<$wzwCY_Vb>1p*C)0cSR;ZXO}(F{1y@Y49C zlY9jPXu<#(oiEjpLm*u%z}m71p6p9ku1O1`o4RN3UK;;HB?1@>D93pM9)pRdzfKM6 zhM68ILdO-@?KBkO1nDVCpm;iMvT0{417t`B6MkGJC@wHJ1fH5fv$`JvQ_~8+P8Iy{ z$Yy*FkIYApkFvyNs?MD{nWA@!`;cyqbWe0w!K6#Z!#o7rQF*y!S74 zP0aWlwAec_rMv{-Id}vA4jKZ$Et|jnWFgKJDifM}WVVILCj;1O@DwI>EfL^$+yp)< z&6g7-Bx?fmyg|b11d|e)-B135Qj=vtp;0mV`2yf3)G|q{AuDXAti-*`g$$+f;$zg+ zcZh>bjkL1= zGVc%-Rz0S#Ho6}xmnkd4$r=*eX_bao(=(>HFe$uFkVQvt;s0K}!1PTM)D*qV4ekKq z4@*$yIZc=}izMCr{EJ$@<(KRoc(}MZihCCL`1sAghiuhF1i^Q;Ck~Qf2ImogERW{s z{<>=d^5&&PqTyr@nVbI=YOzOw5wLz4r|S4Pjz!rSH{vwF%c8=aL1wGL~1pkAG!TUhAX+!JHE)1tu z)|PJSu3hw>`*^y@e4TBe@DGc98q}4*9l=P|+xj^uY{1_c-nrUFQZm6z9IDrUxQ6{Njq4Fy zVqA<*Z8BU*QhIA6Y=>m_y{#!-tS|CqKI}jpKI=UvXrsYU@HPM$EMR$1o#6$a`79^Z zAbqBkz;D2^?XHYIB@Un{(8#)f_z1ku?)deH4;jj|jW6cvE7dWJzG#{!!#xhOOR!t> zlP7gQVcwwq^W}}WF2`IvF3~{IH2jgOs!q`{ucgW@h1H{PB1#)P34CvWo)ksKsA?YJ zvR0E5pX6{6e8LjZDb0GO%nxF0TT;jgegp|}Kj}{o2B3chFWBJ#OY&SjPkHhG&mpsV zk#xmBPIb-L=IQPwEwUxNVB~4i<2vLu+>i=fVTMYozt={uhDB>}p&(mPD}7q0TLp*< zV#a9S>rLn71eUXD`8%b?Idn<9DR~+{k;CUSW_9g++mVIdM9NKtio)=-mfpd~qPGD~ zrk(%*H$79@iMQ2es>-sKHkel48gLwk)2Xhy=7_ z{YA_9w$Yc(%qlfyzvzzp_2@(74a5! 
z(Z5*W9|3b#>o6nmKJej1zj$FYG@6t=4cZYA#2#(;@ilammst^sg7qOY^^02dVa+jT9^r+EN9Bd(whcxIbDFcA8o zx~C79*ukr&ade7>aIvI$^uG?Ail9^g{K0tZR0H%DoJ7(dOX*z2Z2C>@0p&QR@eERh8kl7zy-j)U;EbI2TXXQ{7Q}N zC-(;gLS!UfuAq%gBVO_csybgC8;y5CYcaq_R(N>*zNPrrMdE528tK*m!(@AeCs$M|Ax5O-PU7zHF%{2G9w|F>e`e$0mb?QoTZpU_7 z{M@je40MM*tWSQFAXBh(=$RD`_5Z8z^@@0x8Ux&5_0@dkE&87oUqjSm2Ci^F9UFhM zzZDVSjUO;bG2k36#15OG4j|{b!XqeSIv3xRoEEOs3}WB$!p?Q=lG|Wge=o3&`emS< zMS)8gK>1{;UZM-}WBHoQ?0bdR0Vgwf7QuTM_)z;ns{R%|Xg0jnz)NU?8VN;sHe$wlBAU|dGy)ZW~{;5D*ihtkHc zs_Tv?79F&+Oq}m_{ll^0V@YA4X|~94$Nw22Rxm=&cb(VAo&jKtS1hgiP<T~n_FuXah#6N#IKO`%!N0S81t%|X7T66_7otBv<0SS!NxQ!{Sszhdn}m4J)E8_%^x$3od5d%@DzzcZ;id??m~Di-}fIMNJfMP z1(JRkLY}uG2GvF}=1xZH)C*H=zh`Copv-IIb2#(>J^e)r*l~JOrp`TCO8(EvmajGS zc-$T8-Zay+ze1&$8-iD25TE+D@N3U9(R5YJH7DYrJu3_VD(}8x78t$X&7!TA4dG{GLCMT|(aj@9%g~J5 zwYeky;q`Z77^(aU-PPJ8V}b;7&-TwgxN-tBAE3PI`_y-KF~u=g;t$H^*S=!kpf6>7`;EO5Hl$hl_IH9a8wCv&B0nih)nRj6#Um44v$|C$B^G(p z;n^pc%*9khKHns>(9WI4EYY?sp+~bKq`Mvom+hfTRg`R90<8!$%rQcxsU~BBSu%PS zZtx~dEnI2lv3XNsnM?o4HAamJAzFDE&dkhN{vJhJIG^`FN@~r z=Bb%tmLN|`9@%wpx3g?P#BXU#Wmxz6vGiVO(H(2*D=Qi$<_z< zC#u=4i~ibqUJ5ujZovG$f68CC-oqvn3%oyb?_9hB0HwIN^uN12I6{tDeF}K2a;P*n zn5Tvoegt+$1{SSamlw$|lZKEcEo@Y$n3FDG>DBtn>i^cHd3*~;zuNnaE6*enoRUJV zsH8-IfnExOf~lcyDqxPYU;{O(migAOpGZfLPILLYZ%ro!9nNheA|g`I(jr}0Sdg5E zg?GJq^M>rsoyas%=N5~B)igZ6-yEX1T>m&dSMqmy_0cypC>6|7(Ms<;=Mr+4zf!1@ z2TY?xSb;16Eg869eK?|rZ2%`vgawQg>)B0K^U2H0e@H)@&GC6v;P-dmXD%3T7a*F< z0T?OuVyBp|;Ua<~v-v*-SR*qz3V`>#5@FGoE-qfwx97$qRx7)Y98o8+VXka(&x{gJ^Y;jd%?3()0h{n?}Fud7H8eD!xw}! 
zGbL3&*jprrL=8YSlR))VuG?~#50ILQ`|x4zcfRn*bcuKt^_hgm zCEyRDr^pjdLz|m$s=}gfShc(*pq2?}*aZjboEdgsB$|v>IU9hC%nt+B`g6ELE-*zs zd#~r3u_*Lx5=>4{K>Ev7UXQKsFrQ zGOV%-o`L%=F0@5?O)ks-0uOi#>XmSDi71~w5R8)JIjaHqJnp><0JM5>d2wC~8aRAE zy8n26NQEzU3KZ-yZGt)X;_v?Q+F%|LD9w6jKa`&XfHNsVmhU39+=D}3t@fscfubeO zQ|g@jxjd4wTiu{w>!}PVtiio)g9ECyl*_rbVQ;&L&FgEXy=b|g7G{fq(x>ZY{wRvf zz>C*_p@2ubbZ@@pCKWB+NcX0lfQTf(etoId-aY2`w=+s1+XI-bV&3;)isypv0nn&7 z+F9kjevZHkteX#=`*O zLq9@u^3W~PKhj}md$z_o%dj)MmJb!Um4TN4X&Y^0d|ZJ|ewUN;<5S{C5JiHI@gYp& zQ9=875S+WLGz6-o5g(Og-9Bbp-HqTBe?;DfOF*uebl&&v{N*;ijhC+thsW{MLzVII z?Gh-;S4zZx6AsOgs{d+SH@IC3@SD$#J>Hm<8P$LqLREkg8OFxJ;Zu~jg9hNT*Xn2~ z>YvJI=iLHL31Bm6?^y-)O)pJ9*@6N%YcOwKGK?j^KREILUua$CzN#@Y3P3y*n)l9#wVjvVwB6J^-{`rO9@UoF@cN*5^9B)n`wd1FMa5sy zIUT2CY2m#Cd-BY?&%ft7(BTXz7;d(98*RfA1|fxqKe!y*+~ zU!DSx2G3qJr-WkN|6}V-z@dEK_Hl+R2_tLvHA^HZvQNxJBnCzHtQA?ajeVc&qeOOt zjASkQ9wCKfgvyq(jC~pV^1G+c=lg!&_kaA4!_kqN<$3Psd9M39&+EL-Yr-&b9V5Or z;lC=rPFG2XOo*h@n-P3pj!`>`D3(OOHAOZ^Woz6ulm?wo_}sx4~sC zXS?+CDeBS=zMPHtr#Hp$9-Vb`WQy}xRWVJIizz-oSklfKN$v?@raAOl{N`u=<_nfL zR=w`_)-ULB)}{Mlnn*R*31zQleho@Go}NRpU^@-#09VeENq>#l?kHyRn0>bmxj9Zg zaxm7lHL9o3_N?Cn_ctBmcUy~aiHzbWya|*)5exD1&!>ALJkOIGL)P!KjtJ6Y8P$D( z=1t-brwz@*lmlFajeL9ghbT~e-L*MAXh7p=8~#PzU3M!TcWK*GC}yJC$@m-?2YQwW zU4Sm4LtH1C_Ea6!Sp>f)J|^#B2|wdo&Iuu3*2KXu<3_!gyX%KY)IQrma6kvGi$31ON@U(Gzag{Yn$-8+f5YUO{8c zDw(npT=xq!Xav;)+dUuQh>mNy72XNzTpe%MkJkn4&M#$jWM^m1DC@WH@# z<bs>9a<HG<3IW7sBVJ413LgFZ$yG*mW)`ba`L^4Tz9kN4Y4*5AzRAYFt{D%`hIC7OrwHom6UAlpqNVm!29GRBOc1^QoE_YRvdba`RVnV;rs+BNMe04ZaStM<{JS z7W%+PM=|PDdP+7Z+Q_$HSEIt#ogCu|e~HAoY|Rgb1rnhB6+grXl_r;fxbLcJ%^Chu zwK8{P@uV05c}RaSC(whr7gB#eSh*`yAMu;7FAEp_plcGz4IOlZ*R`{4=hpECeZ%sq zvqqj&Scf+6r%`aiRVdZKcxT?tcI;D8Wa1ez<@;nc0tSp3?cm*-HIYR@GiQkv%!s{; z9>|ZaY}78rIf}LT?QVRrp-R6_ENV2$vz_%8v{LiR#4}vEMPp5_RmJ<75a3ja`%K4j z&aPmhn~^sA2IL}GM!%a$AqwC=oV~V=yL8?M;+hC+OnmFG-XN zg)vkzR7PPvpyM|HMZGlbBj!To9?jx?#mG3?q_h6U^@P^@jB1_2*eYD+1nAZGVt~sV zva^yG|0R2>e+f@OROyH^sS`9e@QX;q9Cd{NG`H->`-FGxoWBk7{%l; 
z4yi%AQa5|5b!MMTa}D0%6^Y=&o2`Mn)h+atXrR>l6C7ViBzp|XkdIcmhdwkwnkBWD zXcjB1EvffgTI+@|G`6j{gBm~gbuh>KWA8m?t!PRcnmShEo1lRU5dgu4h^fFSvAVk> zUc;ke`{zpMQZyjhv@m?eLue9ocYkkX|7wH;Tm>$({ai?Q!a2vG>w`?9@&=kPViG~$ z+MVsPG;`y6Ly2*D7lDCD&Tqs--u){~x^Jj1dq2!AIwa~rR0zC)Gjom4W!Id`xwFNa z25Bb;TeG=-%7z^iuoSGx1~L8B`7}lB2C8*2;0t3FmHD1;6*GjZct?z8zW-uicI{C^ zLJ{2`0b7cPTP84Ao~o^Td);i|0ficO5xe!TO_4HImgS+yy$Z6B8%RDrh2!xQ*l^c! zfz3FZ$80ClSc6O9zHE?#5V=rjx5u2JwC8V>x@DP(;kW*r^Pe0OgoMvRYq8npS|OBJ z+IgC|gfBBb*#_-v{#R6MvyBVI^0JaiE}`-1UQY2t+;QTAmY~e6pwlq(Tl^-N zuVseQ#Qe!5?F6wpiwq>*7IgXdfo^ibPTsc3gYMO9&aZ`UZihIVwZ^EczALL3pBL#h zdahJ^{GxEEYqZ~+b4i6fz&ICy_}Mz8iCk6D%VwITtZTjSS(@y&+HKNCrbnZ?^yh}% zx#B^b17AP=!8%4FA?(S6(S!Kz`46o0BTf9*Do;TqF;xkgbT*$tvbY5QXys`>rhqSM zj5o0o^J-FOq7z`<_YHslTrjK(>>zwO*N%Ctn+wK6dK|1?VA-zO#wyH!r>(i(#gBzH zLKJMbYg-_!+S-#a`@rh+%OdvQx2od9R84w#lx{bFB*y9f-)XFkE*XG!_%EO9%Xwv-qNd;R&Q@SPXJGDWZYGp~Ge zvf9Vb{X7&ha4~P<8aib;*)(rPA09ED#ic;00#w^M^u-j_9GUw9ykmhaTk0;3t z!*tOyr{?ssuoHW#vuDD!La?gn3Wev(ASnOnx4(Wh4XcK$Q%H-X&AnvVOD%h8dE&il zRmMZ&hWn0xv;u3bd4|8E`?yRvqy?aUE|L)RH+Eq0eZwa{=(9w| zCXKHY!Ow8EDKW zjP)~`VL0hyZNGEFh4nLYoMp^LldOAAXmiE$m}s`{_fs|dDz3fni3Zb6eb8K-yvEb+ zhzsNnsK}Bz4W(6>=AMjFa}FOe_)74Ny_uMnh!>KYj4b3UMT{(CYb!e)_j5e00@Ex( zyuDBGz5T-n{H5jX%uCYXXXt6j-NX$;eDtr^G|Oo$#JoSN_(5?(7GZ364uRxT6XLxN zsRS##83v~1@{`X&-QqWF9gbgrFVEj!N9=)DdaAt4q6Ma!2Fm?h;DaZ=czmm5A@*;G zIx-*!764C`R+}JY7}FoUOqo`#t^kkC#Kw)CSFVzmJ=2-Az^g(FxLN|iQIxNa z$Dmf8o|&WzlTFM4GpP^bd?{(c2+s(*P-}Eh-&ss>@X8-XcD{S=*(}7nTQNtEvAEh+ z#=xvlGvun1qjDnU`%v(=##;8MqY?Gd*91Rx*U)LlDxehKl z6!3MTuP5^n2=4j;u^80i?$Z~e5oCyFU2cS|hI+_LOM&+O>yNcVkU<%W{frKV_ycmm z#=1oCinr3I%X17@ow+l4XocgzH@@FpcXni+5<+GzTlHV`rG)VO>Av;r!W4VcSk$Bz z3vqgG)B1B7R+ZzqhCCG_aDLR&j{0ma&L`JUL8O%_7q`Qu?G1;xpS6BIIl)eYXl_1o zyt61yC?%Xb8ATvh`4a9=egZbP9ogjMX+lW?8dRRt8)DtyjXs$=3IbfD_wC=#$JMqZ zE!rbIHc2tj+nGtgE$C*RdgN~~nQ} z=SH8^>_dPZu2+hT&WP9>pz2ZzI;gObndK0+x6yX|Ns%6gT^b7k^ z>JMIXe+BVa9nf$o;iMi&p2vvoQ|M)4RoCJ=+$m#Fj{X*b#=px2JQmX6yr$evRW2oy 
zo3B2Pu}74@4aZHsd-$yBaO2ZP8wH~n=Akp_HcSHPNDm-E_;Ug_p4PQ&+y4YT7&<`o z{apVLG>!cRB*NV=ronydTEKUG1o(9r+Xdhqo_iomspyzkP0xKzACNZ!V7ZxSiANjB+4)O$duo^MbGoE24U&eFMoT@Ey=r?W+^PCxNWjbJT)cVifsQP)1!~ zyf?aPaRgW)VZc;s6X1{|4M?IFfYH(h&4u6c*84MJ6`TSrbb1PI zKEreP@2sRq-mB^XyqXl~M@qrr#LiuLko5ebg{f(+ixhw*FUTpVaB<`Xi_-V1;J~e2 zMBa7cIbeh?WC-*!-3RTP1NMO5*_lRd4Qi%@1OYkLT@}RymJduHClzMB&V%;89>|r{K3yz{z)r zL9}ZH=1%x6rGn75K)EDLnAt?sA@*b@GyfQV%%MJB*B&**cl(H}ueN}Qy%U)(+n-|nR0=POw*vD?rjxo7!<-( zYE*2XjR&ybQi`hSV5RZ0%g;IvruYwJ1(P#rfDh9G56PclW2-y<%L1?O1D>Z=*nfLT z+pPt#sgLdpSTsCIR`7ISwOAb~&moay@zF**wG$|v3QZO8Y(5Hw$)g=d8QbZvCn9LC zpozf8O7*-!E1*eD7S=#}=$(gq6(pYYk-4O`Bp^Z@22`%K-#(;=aNF>00tbxpv%}Wm zdv#7_3pVg%+BEeyJL^bnt*rr``p@H@>tNI1)@r+nRlT@Fso0xXsj;5c0-^uf zb?e8Qx+0v<6xSHU5XAlvW_3FVA`sp7!`&nw7md47fEvhF(H<2-F${7U@2g-Zp=G9j zX-vd0)6MQx0lCU z(0sINkrqbX{uFFWU0LIj#;8r`G^u@W%k^g+67&`F%`m_>YXKnxcLIdH(K}uwsb5gL z4+;AB5l4W6D;E51awcTAJB*A{=~#nLtbjU$Kg@NqrL-$b7yT|nw{=IDKyrwkC8L7Q znH03yL=Q3o!ZC$g!9yz)a>}UdJ@93c1o!8iADmMfnb8lFs?J+mnQw=!S38XuMYI6u z`?bjY+Kq9WdFE7DwKsW)EMesd5 zre!5UXVJ$(LQ{YQH~v6dX_AXj`MPD{#P>j{vYFhBj-OD;3W=r1r9e}gfuoyI>?ISH zFY(xk$<-^{njo=p0WfoBr;auMP*FX2GqJ}6YdLVf45xw!yi)jF+(2uk+p{+-_$1}+ zT+lPKTGwv#Gq{oP6Sv8TlP#w}>Bz}Ezx}{N$;Ye@%ZSbRr6VATfp^ia1%5FsG8?W^B?P?}P17xS zn(fk>tl){SI(fEHh~KoAot<4A&c{*u_2CJiJ!3@KpluGI01$_d9_c1?)B$To2Dw`j z#1|q?)$~apz9-8T0K3e3i+Ap)GVOsIJF(c{)${&kvzz0l!#3*&c0Yw*%DCp8UDsV4 z!R-8~eW5`2q95yITXFtN+-T295hR5k8IYs^1()ps4C$u-o zTibLQNXhndUB(WdQ>I3pm;(p!yJ1n(`=woY^KB)~ysL1$KsqL@%t}K`=yg2J_Pd8e z&y%A0%K?odF&h=;sg)lMr)yOphck0&uQ{Aa!A1(`CgPFca_2U^p>JF0g79AZa5 zm+==@piosDPN|BVfma#VsqpnPhAr{KDQ>#TL_v4xs@8?>{6B6NYiO;llxrw+?~+wf z10EB9x-BR$Gdz-PNw&M*B(2RHV3;1N`QegOlo9Xg<-EEam$YX!blmZYUpxa(ha&Mp zeUm*ro0{~Yz>=c}P}_EZsEIlCbqhm(|1MsL3lhc~%bv#W+*O~Z0W64L2Jywn7oO_2 zdzE@BOZ^#$c98uvRasxX@3j9=n=d3Ss_!1rxhKeZ ze|@s|>r=f9HfSYGb&@_PylM=Eo8mVvXq{(Ei+7d_LQ{DiLt zPwcNJ(EJ7g9WpF$;>Qk4ccagm_P#S=DnZ_(@BGJ84E5sdX zKVewF>%YA&4|w~^GA{Vr8agxjIG|Bv1YBd`aaTMS*i2+*M*(9qd^JKL&3ZBX;`1UQ 
z;+m8BHr7;?P2)=i)UeU}aS9>P&r`3td{xpht6LMR_$eooo;HFa6!vPHYwukC_Ov9S z#8^U_!rvR?*=mubsQaV0&#ac^m9Y+MYK;`DaGs$6lxIXPcg{Nky7t$J&nskXp}5HD_&p?`Gj7#wd>d&jY7KtN+Z2tOtmkr zBrz2BVZx&zUC83+XcCHHIu>1B)I58Q*ME4BdV7BH(VBy^?{ADIzNz9=n{!A0ihe%X z!wugnnXTz1e3z(Vj;1SvP2lU*d5jf^bu~RHkRZ2s4{SQ$207m>L%|-1_B%{#j*rx~ zCpCUDzN|6?cv)2P;m+ZdN{aW%Lg&NFdnbnTWcfxH3N;Q~Hc-s$cg ze}V;~S^LB4=gM&$SlQoaulhgK`)VOv0w7Iwv}AUr=^CBu_e zAFni0yWSTEHZ%1@CEBEr6dH~X4MCDToejvQgCWZs1jPQ6WwB}}qZb1$X&0Y4e7@s* z;Jql!D6DgSSmK3YxsDM|#7h~y->*WgHRoOW`**n`<*Bu|D#`Z>#~BI3DGNItVuYi; zplVYq%UIOJ^Lu@f-zr4&uoIkbb6MN@0e^9(_ZxTkB;U6!y3#5+^1H1&<-uW6_&!rt z$rtSX{sgOXQ{=was$}X(gJ5+=i%{ytlS1fS$%B|PtCJniankqRRhV+XGS-I$6#}-d zA)3(@`q^VX`6`Kq{~O?^NBkh{G>N}0%75tPMw9Ey^ZFovjaOpfEryKtP!r(LCQhw3 ze@MXXW(9{lwndP_d(Zr`7+To5wz{>SQF;Cxh!u(a*|H0U;z>II5nO^CYzFCJgPzPCQcQ z8OcF5aq(%)p&qk6NRsRSbf@Th~DmjJ&TL*534DFfXgpT3O%-R94GY8)2X1)n% zfe^}{P`7m4j*(ISHLvDi6)1ZI@_BwReAptGJ=H|s*03v#5vQdhF=l)5<>~W@Ug_)W zUMu@_KFIQyQ!-B!s_eo3E#0a7z5h%w?@Tt?&}zp{Z!V6}YSMF76~OBqCT=}CF36i! 
zCb_a%I5Vux#J}?*cA_6iq^y&eFpOt9sKah{C4fxfLoY=DxZbN2SE4h2-Nk$A6=*bl zdPoV_fIwJ9l_50~O$|=(<>f*aNfZ6snb!nBqLd7Z?;k-{Bm&~02lUR#ZIOpx3rH{# zm~$TrVK67l%-gGCw2M-H8^6PvYr&AniP+2vON!u{dyS=n1aUmGw=Ta;dHzl$K&kanQPJa>{4(+G|Rr~x|amACS9SZ3;tdVp$eX}TK^kkGlSGI761BUo4DP=9BQ<2C&Q7!?#L{?kSc7^PA#RF~Bkv6rT?T)ehIfNsI%(zQ!0o zVX(^Xqu}z7+Em~&V$k5TdJ$y(42Ad3rUrw^cCRteZ%Z^1r6nDHKs9o_W*@AIXs!-e zU~v*7Wc|9iv$?jfKGd)mstG}j0b$z(rLez3J5#He;yfiJhRau~>#0xrqVw-$ya?GTGYt`{Ogs?WHjxV5gG; z%Dmb!EaC+KMGyiG<4)0ho&gJ+0Os#*0z_{SHxKL=lVF!-ega_%Zix&`f~YFq117tc zfY&IzHuaXW_>Z3QdPE$zf`OEFrm~+w5>rS}(n1CBvK*^(&o9tPy^ScJ1fE6L=Iomq z-1-5;ecgEgcpYir`-=fNEAAF8e4dm^SJ!P2O3Gg=0RP{+pzMDhFjEb`Kc(ua9xTcF z0W4zov(8$p~?fmCn|ChW;6#h@nZ*5A~T_OOG~AOoujR%ql01UlnoHwMQG5J1v& z0P3M+yAB9`ENC_0p9F9MRRY(*ibFR!L1CO+%T_adEp!TT;m+&l&f^Vto(iF{z+1`q zX&+d9@yh7G_@9I3?$U=SnAb8j28HehamVnf33?Gg)RG(lBY`)SAt93>I+;El0=CFv zp=Cng%Dx|kVxWN!(zs@0qEstu`C9#fv+{4iQc3iwfV)V-mTa43jucPP9zC-;+gB3Q zYTXX`pez6RaZi!}@7$mC(2&S5Aawdz?>T35T4@&jLdD;Exb=1`we6+ON#J*@Q@wlt z9lN(v0(ij-z|NHH-M3QRo>{!&Cn;$CgTe%eyL84FtQP$U&SWZlc=geG&mzJiNJL|3 zIfJ5bU@QUP&A!{V-e|S1q&ajOzkj`LbgBrAMyJVa`I78uOs}DxEP;77ao$Q&&{w-v zvz3HRZAhkGUi2ZlgIGl2??wfR{R!{DSBg}!2e_IL&aQq|z{XqBgpxLOn%CbJo?#~x zTXIDhNI{=W)Z;X{kTnYtO(vusr*$ntCE`2aLirr`nJ?zUNgcd2UV57z03K(6?S_fQ9sX<}N3Fc;2`do{nL6SF&L(RK70XtEaE$dkOx9ZXt z`Ug2ps=6p2_20`NtvvLxmYQY5lVWYJsI=>fKIZ;}YFxKqTT9?Uf!p+Z?K1-3X{TMB zq1s}%qgt4TBlV8~nOF$eDTz~D?{(Q1J68FH1qc`iHPqGv)@6A)w01$9(EIZI@6f<& z{bGdiKDxmGwEJUuY^N9{8XKA>EjZN!hxMv)c3$Y@-Ja42u^CiPeA>!|XqF*xk2Had z6GSM9%V!!f_14_7VEwRuJq};ao$f)AvCCq4#fi{*MMLtL2C!mwV6hNjGZlq4_tb>A zJ^``~49Z+Sdw&?q>&2SXK(hQ6Nk>MkgP6VZbldE-!Q>xAMcb(Krk$#>+ED`nF;WcH-v5yMA*qLg`E_%;XnX6Wx2CL|s2VpAonJ zTKPP*;%Q)V$YT&>eth$~qD(^>hqYwy-9+GR`7UqwI88_QC0&A7VeDq;lwoPmA=^m{^e{hmj~{B zpTr0l&cu4_4D#&^A>CsT^^KVpfRKon5xoR)P9Z5e)B<+h;&3BOK9cGnzH8X)!0H5# zc>VDhn}m99#V1->a}orv?=AggZR%&X-#hj`zlm5Ff4UF0VgIF(>X7>ZSl**>ayE%A zL0U^`%O(@4in@%{1bpMBG#gg=DQcJUua*Oo5*o+aJbvA3AQTtG7g4Jetwjc^o0M%c 
z#k_yR^Dq7XlZ?Ls$vCKBweVkSi~uN4k3%hc*%`9(dXnpdG$r5HQUM&3N_555mad71 zG>>T>ve<lDBX)0$plMs1lNK zFs`-ZqNFPSd-?;+aL6yz?mbO{fKeraoXJ%(#5(pL(Z}{X+fYg-XUPU%z;KYYF`vG| zJ{nibx&oLaFr1t#6&IbgCc+kNoiSm^$R}V+7AvFjN zp!U;0AX8S(A7Gg4CCWt;V>w#ivUm{9UV*lb;C5JEYK|DYjm!b_pOnskm5~6{z3(n)HyTy6Ioc)5CNazfB!v2`3zfSeGhf;m)S==B&_gJ(A;~OYGt3Qc zs^r}Di;7L5;u6H)nq9CH+J)wvDJG+!W{C5DG17@@<#$6Mhp`CS@n7kws$I{5XExZYWS`tumE6ch;{6Z$J-)4z%FIP~95j%w zta_A_3^DstvU6xTQE!@ zJ}OvfQS^RMvsECR4C&S=2MRM-1P(k;I2Gvkbx`d5G+CT)h*uhZyFTyXUpQf`@ z%)LmyUHzk8z#xGInF(y!vB#L~~Xd+sTjbew|Oo zj>l`8^fuJKS1dD;r`wc2PaU*KkCvh+0)^g*1>Tx3hl>f^)ZXl9##en)OJe|Dp>8 zeZ{@Yt>yZo2N3DF0onpw_sp!s-8USYIAtLRqm+?EsUOY$wXZL`1}w+wtZ~$ylXcJn z*z8W^)=YPz4j4Ow4+?hup~)903@VcDpM`#Z&R#|FW|w6D3zWw$LOi$$Jb;(hAyHySv)>)QcDL8*9#d+~vNq2Iv!tfixks)_+wv6EY(j|JC5cX;P?RU@<5oJI!f% zc#{R6hH;+yDWbEFvMbN~egKnYqfK-HOnwfAAiS%Kf_erTWxZ?xIHQ0~7<4j7f*d~f zB{20Uo13nD;`>dB@{w4^MH{r{dNrs)k_M100HyzDq0<`nT(1v&mPU~(X9tN3v}NFa z_68yjf<$FkonOuciL2>eN%dB7HBr~!z2By^lrToPSjH!@%69(iaWgW#dZ7Ka>ycbmfd=vYH@WBE?nS{a!2`i4&H{@@Z^9lCK+~3(T#)QqJsr>2 zOnfaShh5tD%25rZOqA`A{RYZrBxuZ{9R0U@;%wsGHzt*7kz_QE${oA|x~@a7;%}v2 zxfvfiDP*ALyJlSsMzh3BXzU6>66dn?GURj-CF{3*xT&XO5mcEY1vi=f4wh?&7r{J+ z&JAPWr}`T(1$VG~cV>}U&7kBZF_a7V0-3oyPLS-|8oSWJo<3312tED9K)(y~{@!=PF z6eyu4frG%!jRSq81#laD)wvJq+rKi|143u0NN%feg90r9Fs(>`t}X_ZKR&8Rb^@E9 z;f_mOoCl-;xxXurBAqFHtk@Me^z&&xM`>+*_nXIJJ3}CSKd$I^LMCQZz0jLT7VkFf zEwB|ox=(T7c8#2+OJ~oT>eaZ?mx2E(tZe9*sBfnjZcqTx4l1qQXVtR0n`gi}Itihz zY|zG(6$x_zLzX`~p;7Q%C7+cy4m5e&oy>Z;96;WPnAN)6v0)Hg0q1q+R~`6GJJUvn z3~-%Pkb~l)Yy&~2M4ygP4o@Ih_}b*>Io2B7T6Jm}z{jw;#+kHkUjJLfRq>;s-#r)t z(g{ppHH?MqzuW+Rtj0%#O>0@__kS_!!?CKubZKWr-?iL*;{j=(m7g-()&Qoi{{vG8 z+lQ2&$c40U>zi4F&v@j5vP307iCtR<-%8E=my8`vr_3c=fR(cG9upm;>s5}Z>u+=p zn3rN!?Ut+1m|+Y`JSjL$3a({FNf&FTcEf#@{Uc!WoYLB#tx{t0zT3CJDi=uGsbk&* z?w5Y6YyN$~NPSku)RnL39{y`;@7?5#k&Ck0uE>+!Pm;uf=Z9C}7kQrbXvErjEdntZ zqPg`;w4T}tmm(r)v?;WtkKu{m7H_G?iz`74f#;m-PRE-6x6v%#qWH8X#e~N z(K?m>7tx~VD;d{~fmNo+L?t^H#&63C@IL22Q__`3crDsPQZWb73PwN`vYm!5bSs!} 
zf3aaMo{VPXdjTrGIzZxc2hKC-qKDS1O}=D z?(8hGwLrgxh|gZ5xZ^xm@`-j%AjlsYy4 zVsm?ih7;<0az}=rMiCn78UVXr`N<zhuAKhA ztMw7RM__0WJ01Dgos6qauU>!F7?n1ufZ0>RcJq384BiUdVB}FO5Zoxk@&vbvxX|{{xUl-g}mjsVn4>ES9f~Ooq z9!hEiSlIHv)E(AGQfm;TtfwjHlt2-^M!&5HCqj0ND-4mOboOzR>YXp&p##sImSR3% z!7pRn4|BQldxCR8@nwJ9fWp}ER>IpgE^->bE9kvUz1h@iE4^obWV`lCgT3vn0H?oA z%qo;D!qq-kI&?XMXr9D;Z|E?3`K+@_4X9z06+OSEO)ekoo5N=3BouCPbo@sPa5^4{ z^v^C#i}6RJ6$PidMn)IoulUngvgiWP=~niijshF_u)r~xwORJH++Dc~CZQzwfNGfC0CKt0Z(E`_Xt5EZa&hC3gEkUxTOFcn;iz(7s)z z)8vBtaWwL?ilDXNjya>66Ou76#+_-s%QA53L^B*0?Y47;5wt6uAu~FRevHOnrr_ZBDJ4CbL zfq)FW(`p_0n4Bd21Nxs5!SK*WKoBbEv>H?*_vnIOwv-@H$GtG$%dXt9d(b>do2eWC z!>)`!8{Rzsk?EV_hLV+%&-`8d+x_M&3r@}-AZ_nZG06uiqSz-7x@BU#XuPiEn~b!^ z4)m7Vp6C=NteUtUCj^d;>g7n@yUf~*=&T{Z&O84SkIy ztibztv?O*0wR#mhh+9h73Rp6Zz6R$!njaiY%nCzyW63z-b!<}rriXG&UZY}T=KqeY zCJl9x_`r+w0IePcHkD+tRP)UKTZ7d9z{gtfc+M(Y#Ph~7JeVTOOQ;u&p$FJ8QSb@+ zdwvhsc8*4z#(em>{m3>=)5apdDQ@_CuL54%Jd_&f8_28UnT?%oC{is8s@$2JR|9zR z8C3;h8u-y0Rg>!zd9l25`QOOctfr#D_+znl9-s{;OiQ~_>Mc9kJpjGNek??jy0);S z7P*S~uzm8f#1EUZsQ6WrnEhRv^;ME87zS~m1>ztFy;*nR+`klwDNufwgHjj1SpX`A zbnT*|xl3~hhQ5__5S?fqp;0WA9lYL4{ySb7WZPRaNT;q}E*v^QH83f5Of{X*e6oI( z#)sws+JQy|{`$WBaX8fLF$bR+lpl_HNY);EiUDl_->5v{NqncF@s1J8v2bM4bV*Kc zbInegQqEv?9jE5wy|CG|JmRGc@Z33;zv%EZ@jg<$7IXn5lB;n?OH#<{9_X^qY8a^{ z#SgDi+)NF8Mg~g8n>4xmDnMUyWabHqF>|X)pV3%V;n8q8F+|`O{S00)7Mt-0Kl{{< znbGnWZ^TL+mVN06{`9ppw3y9>Ga-Y*D-YCi`EhD_6B>)~>88W4-ldW8@&8m4_@ygPXWlMlx=AhfS zT7-bXcNzJDH#5lK(Gi!qC@lqpd1NcuAgV|%233T5u_;KZ=C+Y)XJ?GJACV~TrB9*Q z37?ZLVkbYcXYZA_6+g<1D|g@ zM#SQZ^!0Y{+(hQMMJ`8F(J162SSF)3uV6oOCxnc_-_G32+Ve7CIf^JS1V@rI6dXw4_&B+kz93 z^UhAW1!8@&{Gn^C5>hX3CAfbHL#f5DOd`FCCKa4WtF^{X4q8t91&<=-1NKP;qH+O( z+BpkT-OEV>Mw%yGj<}hZgtFGnIoaW?<*WVRxZ6mrQ_H`^zuzPs)i>d(yLhu9BU5{O z@SS(JZ@+&Wj?1}J8#lm%#2v&Xh$aKsJUNgoFj9zm#*hv!2?p6MgT=;N^RUtb`tFEN zL;1832Kc$2>^paZuByDaaJ(z4?(o@6?Cor@5EvyCyB$Rg8-qi zTJqIrtbT2}&l`J2zNe3*g1>P7=R3$9!PNkQS}7H}3+R2_AKtx<7XBA*pX2N2=X&w^ zj#}y)BQuxr7O7IsR*|a`sm858D*PG)_VaVOt`Do<+Zkv3xc9*O+?N@O 
zv4f$3%c%D(#U|UV4+n8&b|0T3w^vT?Q6=(<2H!AeGe({)4W0TO?lbvfj!spiXdwF; zki7LaA#_A^3HZw{yJTZKLj#X0r&A0**q?-kUtSs-_+!&4ax?u(u~}oX@J&HxP5Kvn z+bgN>9vXZUdMW$yq+y3{>}t{%!j6D!CIxjC&>DQfc*6d3hM|{8wJNIH3`CaF^MrQW zv7h3}n}gg2wFo8gdvDM&Z*mTn!+th+nQi?tp(sudTB%;QrDEPrLz>;=5o!(4mGs??WkO-W%Qm)cDO0XaL zPUW86e$Y%6C^+dlE|76Ipwv?68QB=cgC9Q2DRNm2-I5G-->-Tc+Kp9uyT_Rgx<0GP zQlE7IbYouacpD3`#`7FKNlfzhr-GdPAAL_-37hO-3^wQxop^^cDEu3b9X@wL;=ASB z`xn3%9;GU`F8IwXi9#0t(id;i)htNr?m~%?7c$`oS_`Q$A1@3Ow4-Y?be1_&3jI&= zHaaHw3ax7UU$?$mR@BLxJKcreF9NV*XTs(D%=v+&r$dgP-s;Vz-ec~@MTU6uZ5d&C z!&yzD5^Y;Qy)3U$pnA*t@WOEos`ZgZ#uj`*t?##;(kU~UFcvBdX z`iZWj{U=8A-O4kZkyju9tth(@n zzl9yavBUmTf`xXR9;d7kV$Q;>Hb_HwQRtoxJTPUXS1Z1^{N^VH3;U6YqcHql;AFW` zQA*kVtFy#K`Nt`@RrX6J1LfYeHW^f<;U7=jev0xby_^57%J-YF!jr8!ywjlS?}=A9 z#(FwuTe4O)=NSpkM*@&HL9POhUsy=1Um^Ct`lRPu<1Et_*A<8}u@9mv!!z#WT%s zw%)tgnyn&gq0}TK8muBzo$(Iik3?2^4@#y`B}TnRjhq~t5%4&{=Eh?^@705wFG?*% zOEbP1hczEA(ifr%H)OEKv!!N_R#m!k6i&Fr4PV#gx=j?E^R%BejpF9Y|O`{K)NgLGeOVA~h6I!K2x)wCDAVS}tU4!Y4oW@RE zlZSs}m$WDroO|$6R#kG@Og?3#KGaFh3#gl1pVP%t7z;XAEUy#O4TNP$Av<6@X?EEqmz1)e8IT9c;>6h z7HFCGHMdNipb*iSz4hpNd-Z&lwD-%)6MEE0`~j_SqW~!+$b;|nyGPo=$!LWmLNt-( zN*`KKa%a(rAr|n!fX%g?$#`sw=K%Tfit2+SkX_JUr3TpyjRt82=bzkuNqQU)wc1K? 
zJGLiF61RYyrqSmLc1M@cEKt;+d1nyS2y&oCRDw6i{zgN|N+y4_>%0S-ZwRHj4%sB@ z10>VnkLY;7y}xU5|2z+hChmnlo`SsWN9%EVR#`ye@p&Gdg>siM#=mLC-{Xu>`J2LR zcha;ufy1yAdOJ)D0-c9(Puw3_5G%4NNSWr}pKF=mvUl(}M=l`oX6S4rA5Zy9kd)vphGQqjfMv{*w^7TR28kAl z@YV)9wg0{c1`$l=2YCx!xqvLV2z~lht1={9YEdEC?Q@DPj45wU-K_%W$t}v%W_j}+ z;F_|oNcBhllP>8|;&(bb{C-bN7fuvTE*@c;Zf-sk<^D;JXb#W1AP6ck0R1~eug0mQ zCSN8_Si#2hOqjGxonq2g$3IAQJetUq{JTQ1_q3h$McJ6t2nvQ&UQ(j=5Hw&Nq>^$j z8kNwxuM!%rJW~H|9+yLX>Hbu%VN%8&c|f!K-x9bwNxiZ3jC550+_3+olWoS3SBRs3 ztKuyQ9h=-Fh3pu^tG~h<@DPT6VMZ_Rb>!71u>ErpOkTp8u)JMD^f`&5RaIOXuAuHS z9|+Z=1MK>Lu!9yhZcq4TaoJf`cN4+dGookz-PSJYwmrwmk8?4eA?2<8-hhvLdz6th z<~}Gdu;qIZXg0~Ps{i(!?cBL~Ui9z#Lf6iRIG5G6@BtfvgZ;H1pdaHX>T5C&xKqAL zy||>UCUPpV()LEGh`GAZKaV8%lN%0m^ti8`ot>nPT;-3B_K*POq5{6%N^wvG7)=m* zaGmi-YldOgj~^Xar-`SfKMUzP98D`Qa;yi=N~;NDp! z_w~{wjq(en92Wn=rnr@_KWiC$U)a(v;R5dU#UoMO4Qb5(gC1yPLJO*2iP0$+PRzJk zK1CgUMlEG@9^aHZ`-KuzWF(a2OG({4B6;w@g(^T_>infIQ^@kST9Rk{{^t;dtrK9k z2!YCaH`cZBwhwq--bV_1CeWnjZ>Sm@J-V{U@7c=1bJ36?!>`4tEaqnur@#e=1jY;n zPwXrWY*bJ2#n+$h$}u2?zCvDLid`S{euY{8n`pU7lGFGTv!(=yyuq8M_{I4%`NV`~ zmw;@J?csr}YcYeU99q*&_)1YNKoP7UXnNAl8-41L>e%&FnrnC|`}ag!nbu74wsu)j z1HZI_Hp7J!U;mfUU8M=OIV+t~DlA`a;qZJyhW8H~T-GI6+byK9(&unFkfnngk}^63 zkf^6N`N2&QJ|nCYAJ$Bq8^}z4yl6c3(fKUQT{}DADVXFZVi`y}%@AY_c!dT_J zUnG}FuKPDpJ7E4Yh^IXzJXS`YJ-Qt5 zGs`RRv_K-2OwQ)V!>aAYhgAVx*A_W%eG0oxMl|{Yx}xXj6|B?Ff&!=eF{j7sn!!p5 z$Z1kUI3*;32?Ldi7`-iq0WD#dsF zMg1wX^PCbD7%!tYOXA;e{7={fO%}9bNX-`?_Ba}WGv3eLYH*t)+(-X;+%m6QYySE4 zNRVZ#e@)c!`hVVKZ2@V4FUWAUA_zp=mEA+sqNVV=I8p>^5@-|6@&)cR|6D{;U;zTp zT`+(XSm`*jY}0xQ4*Xr>5~j8w6kGS(bmIqlb!XRV+zjeGel?K<&}|8nPo7U?yz^Jl z1E22|&9d#?6!Adz-|Yk_-f7pEeC}>DJpOy5oj^k>G-H+Djg~MRT_ngfux~1!fd`-F>S*lKBck&^YxhmGZNPc)0L_*hlJM;y zIsGQ;pMUQcfnGuav-He!r1xHn4GCgUq03VIRGt~XNn@=S2zIUEP7n*9;m|_;8N!b6 zzpFHL735{*nDxI1(2apyYF+nJS!>P~&%jSF|E3(}lwlGC_sw1PsK(2C zCZ}J`9uQ=*|AOow{*WgJcl}&SN)1@Hg2;L=YVo5fO-`wS-hLL+p-`ej)aY`l?%-E( z0SZ*KLh9rVilb7b|4HMwzEwY`UP5cF9PxLz`b#ey!uem_h{=h`0dENpl^K3ED4=G+ 
zx)eovMF4->FJD#IjQIcDN5V;D5EK_{LtSH?Jp{GCiqDNjNiAWb%7;`zbe&55Si$_? z==#t0L<+NlsJ@s6;VBS*o#4_HFFm^XBR4`8~fs;CkT`pbJQmnGUeJ^qr2Go4#-8)$6$AeKu)rx$1+KV#e67dg=~eg=dR13zrT0Sw04IY|W+X zXb}`u+D4wKo0CZKOmLHLyK%wba&@k(++TeeF43)7WA;PI%vHyMpG>MiEA-5IhK<5G zp8h@uX(-${mrjb|(F$5%qb-|HjD8oD+7Qc7F7G|bLDOwCXFl18YC@gxZ@1J?F;W_j z(%u~{;M!~i$sWq;hJ5lq;$j3(QfQCLEPW&ve-n3G7KZWwy*a9bBI8v`eakeCT!xb`$F8?KITwkBk`YkfZxh~iqcpcGJ*yJ zGv&p+3ERw9SXO#%joiWSA8Y1MS&Iamr;PvdghwizMEl^+aQ1a?_PW6LPr~}#zketC535?C|NR3FI?vP`x)B@Dd*6UX8I$2 z`1hd7?aHnzw+oZ6|B~CU^T%jkc%qBGu$JB}yFfEJpYgOoGi~mmTw{oLgp(4QaWIGO zb+S?At+V5+9>eQ>Hk#Q}0pvSutaJbA8C0m(;U=<|q(z>!pGrTTaleQ`rQ59XjLX2( z=afdFr_g87j5*=^mSzYGUb+)|pZhv)@cj3m43R&z7yj=k z#8&?Qv&KJq$p07C=tL8re|V&ubjae=L4E6Y(E@RXtNn2vi3=`?jd;HS;`lS)5$whQ zw&^5)zXm<>f2F=kQopJ-zE|Y^d?W)~eQ5a5$un&~(}sL19`}1?lqGalhQ00mS%v$@ zd|=ZpV($81SN9ozd%S<@WUSrtU0MliC2icnn5V9@>uFY+>nnY~CfB?&ny}jU3S4bl z!dm)sXXrj!@GESD0e^cb2`m-_;1%gwI{DMGdcXU)O^#g1%>tFAJVR_ z=CIC9RVljvw&LH7GK)vdsVzY6g6xK1@T(60^sAef7gewMg7d9U;Jq)S&sV;et=tgr_0ND*D)!)<&rCeE9Z6Z!7?L-$VK5XT3s@GvL*p@9^JG9hPjex@fd0NKR=i*PqLIU0gC`pU} zh+7NobzK$sCuXkvl}If|e?_ONw)o#$f;6%B4Jgg! 
zOK$>cr=iIA2hf=eAZ5#|@6?Qg)cxx#}b0PBH*J!nYaH;>T-1b0~dpdgt`vv|`5|^G9NqBGC4-(a!u+c|xcwt9!*Pq7hnxcAVG|g5n&=zoJ1; z@*;B;^74p_2*@X3E8UA(@7p9^mhZp>b@N?sb^A}d1soN^T+?448}+?7uGIH@-Mm(b z3i4-OfXq%CbVjjdcX>3uK%dqR)D*XCGPnuY6E|h1fV8cStME#jAlt`W2krS6+8h?dGbq*3ahp%e0D;i;o>I704dCbL+3 z&mX8dndS>uhrB@}+NoZU)jhsSfeaUY9GBO3W-SmTsgE;dHMB7GWk&cxLHDlL9))ry z(xbHq_=V>{wOPKkL8czBtk2RdQT=2od!1O?Pub_C&X+hmF=tiTq13uw4cMhp(&_>U zOLlSpYohqa8(>VS0e9NhOn$YaUto{^2<0>FOtd$5VpJ}}@YDolMz|x-sYVUoD}`ca z<^@#jeE16wMS-YLyE4}-ANSRMLWIoQiRj>(8+<*uLN1-H zRtCThQa^s~4sB45Wu-RsEdkRU3rQe}my%*djJ2WL+jmgJ#{S-9`rVK6i!-gHU+%RW z<`0;T+(vVjnD%uAfI{L(cK>q!XT3;nKHrZ|j{|g<-S~SB@NLLWkgyjIUsSayZp9Zn z26zk5m2P8ZQnenTuTN#4DoVSUx}|*_HZt?=t)4HECOS~```__}F(r49GL7$fG<;y1^=^}+h1YYIm(F`lSgb--!6dFYGx6CQeO)pE zmz4b9XTM2Z!Zs&v0+ff{*>Q)flbv0t+`9NV`V2{ZZ-&^yJmaffuPFWdc0)VOiOGt2 zI`@_iy-8Y9Tj@9$lF(uto#_>G!@I+vif;2Z|M}{0wx$H9lr zc4R)Ob+UGj!l*c%u3(yb6Jo7vIfH3j1A}o)+j2+a z2+DN5TH3Ph*W&(>`4MgpgDH;^YcJX2+rbH)_ykkse>XeY|KoOO`L&DKhOYyjsRbV` znayT$S9~pu_sdjyJz1Ii_PJ&^q4(d;!=EPbWX(KI>Ci(N`u{p5Y(YfBR>fcJk$>JY z^1fy#tmjBQbl>^E`tL8t9^8Y}8k%>^rnH@Q3x-`2x-WZedK-TqY`&1Ut z4K0V7=`JzNYyagYe={L|#~_t^{8L&ImGB336B=_2>7Vv+7(Ty0D{S~K_JXv4@ic3} zaw!ArylPrYz~&t{LCy(6-;DN;qXGV)2&2NJfA?z-!^C?X5W2-d6r6=<_^rylC^>QX zY3DtY%2XEd@9qmcfHe2hwzlc(bd#TKaBBAsLbmh`7#duId?D=edr3KMWb|-@zgQ@g zuuXEuQlV*1WBJRDw^x?XACEVjV$?37Lp^NtqV%JU9x6N?=haG72p+}dQNq$%K{Edck)DFUUJ!yd)dUj+ONHPay7Fy8 zR$$0ieR2^Z8an{XOIp{_b11kwXG^eL)rG;iJps!l%ZISwU(YnlOFDm7SsW|vO9xUt zqE{{@ZL|ByRd<5sDls#)SD8=(VpaxBh6e&w^AQyoe?N&I|#ws1m& zd~5X);M;iv2hboFt$4oFF;Q5_jOOxZTrd##O`ufB6*3n|6$#NGGJ0V(0Eza~{qOh@ zPF!xX*SIWX{rg4upl>&`{5+_l>a<23kkYdD{muktRtT=dGS2(xoR{jkKyPE{#e&AhB%B!uqO~3fdh|%^hQ`;t)Kw4@-Xm~- z#*`x!J7F#yGb6D`aZFFB@YdSy*(3Q}i=S;~;6e3xcZ_;9S41x7hxJv!EIb4v#Uc5r zDz$ANVaC%BV(F_co&ercO{|4vd4yf)dYH`nc50C_Sb#RL}&6nCHvudKSa zkTmvB`~s&T{KJ3EZ{Y{s$fwjho{^L(WV*_)8TD{xsHMSn5rYOf(L*4hWCqhjWbJLC z_V3NNNSU{H?4AKij z8w@WqWt;Nq?1QC<`h;*+VO%pFiUnk~oNVwlbGC-Kv;?wToaE!WYB6b<6JK7%hgGDi 
z(m*Aa3n0A8tm@7Og7=m>>7ea(GOaFNbL3}^U#IHB;_1_wpiqsF$t_5JNfdcYmmheS zG!-1VjdvHb%j~ee06R|}QUJr3K=ww84_F6WOXoiMuAN(y{kz7=QaM+0CMVbJRlfaL z&K*rG(tFBWu5{!idhQAc=448j@&&n=HqG_k*XPx@IX?&p-gQir=euC&k=NVH!j@p7 z`QqAYmwmGF6@fq2G~mmRbUujUbUdc^HP1ch7h9kQ6i?x9n?U3gj?SNX znx@dIwa3GPxAf$F@(-q6afD(+B9`3Jixoe7B0Tq$=@W`0f1xH^M9qF2XJ4A+@TY7= z!-x9Uz_iTd`t904UP;DDSs0HFyH@)zZ}+CF zJt5jknqlp$HOs6S5*}obkBPJ$Ec_(s`0NQh*^4R=s&mJDgfVULqxx{m`;W=!3|Nr{uGm-B-yZ-N@PIPzhtpZi`! zDofBx@6BZKcLQP2zJS2hx8_7rhBeGNC4`$MB^+<*fj}r@?2F_kSkY0s(5HmbvUUA* zT|mt<7!??|x)|>G9DbL=oWoE515gRA+RVJj>H?8(FPcQ?Y)kUAt(YDACVlDf&R+Y@ z^{DuZHh6}PS+CWkH*fc|mpDsBQo2}l6?i*Q;S|ZbYF{f%%&rOJ*DX`NftNo?x4|^} z-dxg~We#d?Wr>h z*#{OC9)|Pl?0BBB9A5KeMN7}~uA^oA^IvSDsz8(8H&!7|e@(58wY9Xn;%csmwrFy~PEk$-TAi87D(Rspu!kRS1q-53P z&3<>}LJ*QEkjF#yEo=#(M|$dBov($MMD!;_Zsp%c=V9KM@p(d!GaUk0Yx*0bM+jtD zHJbfFN7e92EG9krYCH9{vlsY#_8p!j48kV-EGnzIOn;J?D~;o(rX5)db>q>-P=J(d z#R&GMilRL_>QoF)|pQ*>PNWmfGJ>I7HX!EM9uz*Mh->tL~wvrV9X>jSWO4XEsod zMoDOp6@5y7Rq1TeJrH&0$c;idwJQ%h~4UB3A*%FoGPY_Wo|)|fL4G`dxj&% zb0wm|5frOu$EIp`$eVlx^^n&94^IRTOGZ0Oqv+*LhFq_{&V?!^vZgOhKH60GhI*#& z=l2XdLf?t=$A{$Yl0JPX-M$nt5VriAp%a&?eKba%p1r_%)drghc$o_-c?*k;{Mbwf zX3-rO-AbX2m84>oyG2IClA50!jx{c?_P1Gp+fKwW$mhqgbsZ0NzsR{W=bDuoo}Idp zPlbJ_L+v~VE3r0>H?cFUzfo+VC3!5B^__qRPVL4b;avGG(p}|BHw!Dq=Q>CD^lyy6 zH(n$y^>GhT^xm@?{G4hScw;2o-{6XWR36z{oZNREBHC^}o& z*2Rm=cNb2BBk65eoG#*Fp41@zvf-_Y8Q;bn$Vmr9K7KN@X?|7Yt`43>7lKt6hqu1v z{(R1s>boGdk4=7!;S&C(B9qo>&|ad$k3cw}QSY#%IM0RqD%1Kx!oFJ#Bd_YM-^x=S zT^sZm%EfR$;fILC*!sYEROg;RQ1x&#*f9;3l`#37q>|UgtwE?-aIHgZ&bN($x=e|= zr=#UT!#-idjE8{l%A)Xxb*F9-45|kBC@o65%`Ed|B7Ntt@Jvl0`siU$;<))v!|;d$ zqB*j~#fQ;GU)c};q>QZk&ONnQTCVU^y7^?EDUq;KW+UAOVB?4Md9sjjZA`F?q! zBaRBZ;YkYiKQo-Ai50lJJLd7x zhvW0=m3@T{=otG{N(}XmLwf8~ca{nss?|?R>?gL-E({MJ;^b7$dX^L?WaBWBab`

}GK;WE9zwwJaW>*b}}zpAA84FVeTD5Q2kB4^Y z3Y}xp3_oT$*1&Q`PGbFJMOArq8H%2~z2N+-i?^sX)|%H76B1V7%!wH6qZK1zodz2V zMJWrckom97hc_+Er|8M=gcb#!VRx@2dYw2|(V(c^tIen5A8fqIo{L!NhV1voABlZCm2g?zNj0Xz)V7gW1^?va(|DO zb@Of|wWu%K-5aL8lr*M4yBytTOIoc zYPDhiQCL_QpOjJkGHXk$srlzNAE{=QYit27y%uZ_Iy;lXWMY55UY(ZDu@qU&Hjof@ zVU)VIF4~Y(l&p~!vx^s_C2u~sGJJfwer<7Fr~6v*&mj`Y-RE42+;Y-ON_fb(Z=cQ2 z-)mU)O-M=}O5(90qsDr$LgH3p`1qBAb`Mkm&DdpZqDTJ^!3huF+K@9!TXeK{cG&FR zP2SzVcp_`KaPmaMWGQlc3UGTvsl!UFdMZ@3tcUXbSq9j|6XbLsnp(U&!iN0v{XvYL zRYvPkarn4D^$w5*35->B_uONMD~f;d;l5k4!*zmIfWX*%Uo~gn>U5FhnXl*SUAEG~ z83PP<>?6h%m^D3wJ`D%Yuq`aT@y(Xr@AgK#W~n^{Ro7R0QDFpiZZuH0V_AHBqTc-G zk*f34wr;cq6M`Fu9A`P2nR`CKt77ASbF8N=C;K|hmFKA8&5Zf4mt`8OMy%4Cjeq5@ z>T@NW5Fw1T^UzT%Dxs#s<4>e7qM!0O`MkPv*vCbu)CjpvvlM^TRce=>;>~8+?Ky4p ztE2ZyU13|B``UXp>FM_&`E$vR*9nu;k{1fsI@(NCRo1(j@t1R7HRx7T4lDoid6Hu} zgF`M8EsoKfXir7nrl>^H7)Y;V1gsJbo^!7C5;WL5t