From 8de55516a363b2b49c11f5d165e809ef8c60842b Mon Sep 17 00:00:00 2001
From: Min RK <benjaminrk@gmail.com>
Date: Wed, 18 Sep 2024 10:28:53 +0200
Subject: [PATCH 1/2] add kbatch to user image

---
 .../jupyterhub/images/user/requirements.txt                      | 1 +
 1 file changed, 1 insertion(+)

diff --git a/gfts-track-reconstruction/jupyterhub/images/user/requirements.txt b/gfts-track-reconstruction/jupyterhub/images/user/requirements.txt
index 62138f7..53b3d6d 100644
--- a/gfts-track-reconstruction/jupyterhub/images/user/requirements.txt
+++ b/gfts-track-reconstruction/jupyterhub/images/user/requirements.txt
@@ -6,6 +6,7 @@ gh-scoped-creds
 isort
 jupyter-keepalive
 jupyterhub==4.1.6
+kbatch @ git+https://github.com/kbatch-dev/kbatch#subdirectory=kbatch
 # git+https://github.com/iaocea/pangeo-fish#egg=pangeo-fish
 #git+https://github.com/iaocea/xarray-regridding#egg=xarray-regridding
 xarray-healpy @ git+https://github.com/iaocea/xarray-regridding.git@0ffca6058f4008f4f22f076e2d60787fcf32ac82

From da01a637e6be699fcfd74a78425ea6101943062a Mon Sep 17 00:00:00 2001
From: Min RK <benjaminrk@gmail.com>
Date: Fri, 20 Sep 2024 12:44:30 +0200
Subject: [PATCH 2/2] deploy kbatch

---
 .pre-commit-config.yaml                       |   2 +-
 .../jupyterhub/gfts-hub/Chart.lock            |   7 +-
 .../jupyterhub/gfts-hub/Chart.yaml            |   5 +
 .../gfts-hub/templates/kbatch-rbac.yaml       |  31 +++++
 .../jupyterhub/gfts-hub/values.yaml           | 112 ++++++++++++++++++
 .../jupyterhub/secrets/config.yaml            | Bin 3395 -> 3621 bytes
 6 files changed, 154 insertions(+), 3 deletions(-)
 create mode 100644 gfts-track-reconstruction/jupyterhub/gfts-hub/templates/kbatch-rbac.yaml

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index e67cf16..3aaee28 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -38,7 +38,7 @@ repos:
     hooks:
       - id: chartpress
         # run in subdirectory
-        entry: bash -c 'cd gfts-track-reconstruction/jupyterhub && "$@"' --
+        entry: bash -c 'cd gfts-track-reconstruction/jupyterhub && chartpress --reset'
 
   # Autoformat and linting, misc. details
   - repo: https://github.com/pre-commit/pre-commit-hooks
diff --git a/gfts-track-reconstruction/jupyterhub/gfts-hub/Chart.lock b/gfts-track-reconstruction/jupyterhub/gfts-hub/Chart.lock
index 33b1b43..891fb2b 100644
--- a/gfts-track-reconstruction/jupyterhub/gfts-hub/Chart.lock
+++ b/gfts-track-reconstruction/jupyterhub/gfts-hub/Chart.lock
@@ -5,6 +5,9 @@ dependencies:
 - name: dask-gateway
   repository: https://helm.dask.org/
   version: 2024.1.0
+- name: kbatch-proxy
+  repository: https://kbatch-dev.github.io/helm-chart
+  version: 0.4.2
 - name: ingress-nginx
   repository: https://kubernetes.github.io/ingress-nginx
   version: 4.9.1
@@ -14,5 +17,5 @@ dependencies:
 - name: grafana
   repository: https://grafana.github.io/helm-charts
   version: 7.0.14
-digest: sha256:f65f939aed209d2ebec4ea4534deef0d14d8b99ee1c5ee20ddee11d0a7115b20
-generated: "2024-04-03T14:18:11.909303+02:00"
+digest: sha256:537e964a33edb2d34d66718427bc2b0716efc7c299330414696b1e80eb3f91ac
+generated: "2024-09-04T14:58:24.438886+02:00"
diff --git a/gfts-track-reconstruction/jupyterhub/gfts-hub/Chart.yaml b/gfts-track-reconstruction/jupyterhub/gfts-hub/Chart.yaml
index a515cc3..c8eb9a8 100644
--- a/gfts-track-reconstruction/jupyterhub/gfts-hub/Chart.yaml
+++ b/gfts-track-reconstruction/jupyterhub/gfts-hub/Chart.yaml
@@ -14,6 +14,11 @@ dependencies:
     version: "2024.1.0"
     repository: https://helm.dask.org/
 
+  # kbatch
+  - name: kbatch-proxy
+    version: "0.4.2"
+    repository: https://kbatch-dev.github.io/helm-chart
+
   # ingress
   - name: ingress-nginx
     version: "4.9.1"
diff --git a/gfts-track-reconstruction/jupyterhub/gfts-hub/templates/kbatch-rbac.yaml b/gfts-track-reconstruction/jupyterhub/gfts-hub/templates/kbatch-rbac.yaml
new file mode 100644
index 0000000..f264f23
--- /dev/null
+++ b/gfts-track-reconstruction/jupyterhub/gfts-hub/templates/kbatch-rbac.yaml
@@ -0,0 +1,31 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: kbatch-role
+rules:
+  - apiGroups: ["batch"]
+    resources: ["jobs"]
+    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+
+  - apiGroups: [""]
+    resources: ["namespaces"]
+    verbs: ["create", "get", "list", "delete"]
+
+  - apiGroups: [""]
+    resources: ["pods", "pods/log", "configmaps"]
+    verbs: ["get", "watch", "list", "create", "delete", "patch"]
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: kbatch
+subjects:
+  - kind: User
+    name: system:serviceaccount:{{ .Release.Namespace }}:kbatch-proxy
+    apiGroup: rbac.authorization.k8s.io
+roleRef:
+  kind: ClusterRole
+  name: kbatch-role
+  apiGroup: rbac.authorization.k8s.io
diff --git a/gfts-track-reconstruction/jupyterhub/gfts-hub/values.yaml b/gfts-track-reconstruction/jupyterhub/gfts-hub/values.yaml
index d1ee534..8d5550a 100644
--- a/gfts-track-reconstruction/jupyterhub/gfts-hub/values.yaml
+++ b/gfts-track-reconstruction/jupyterhub/gfts-hub/values.yaml
@@ -30,6 +30,16 @@ jupyterhub:
       name: "c63eqfuv.c1.gra9.container-registry.ovh.net/gfts/jupyterhub-user"
       tag: "set-by-chartpress"
       pullPolicy: Always
+    networkPolicy:
+      egress:
+        # allow access to kbatch-proxy
+        - to:
+            - podSelector:
+                matchLabels:
+                  app.kubernetes.io/name: kbatch-proxy
+          ports:
+            - protocol: TCP
+              port: 80
     memory:
       limit: 24G
       guarantee: 8G
@@ -43,6 +53,7 @@ jupyterhub:
       CULL_INTERVAL: "120"
       GH_SCOPED_CREDS_CLIENT_ID: Iv1.f4a7db20c671f599
       GH_SCOPED_CREDS_APP_URL: https://github.com/apps/gfts-jupyterhub
+      KBATCH_URL: http://kbatch-proxy
       AWS_ENDPOINT_URL_S3: "https://s3.gra.perf.cloud.ovh.net"
       AWS_DEFAULT_REGION: gra
       # JUPYTER_FS_BUCKETS: destine-gfts-data-lake,gfts-reference-data,gfts-ifremer
@@ -186,6 +197,11 @@ jupyterhub:
           
         c.KubeSpawner.pre_spawn_hook = load_creds
     loadRoles:
+      server:
+        scopes:
+          - access:servers!server
+          - users:activity!user
+          - access:services!service=kbatch
       management:
         scopes:
           - admin-ui
@@ -197,6 +213,13 @@ jupyterhub:
         users:
           - annefou
           - minrk
+      kbatch-users:
+        scopes:
+          - "access:services!service=kbatch"
+        users:
+          - minrk
+    services:
+      kbatch-proxy: {}
 
   scheduling:
     userScheduler:
@@ -314,3 +337,92 @@ dask-gateway:
 
         # shutdown idle clusters after one hour
         c.ClusterConfig.idle_timeout = 3600
+
+kbatch-proxy:
+  fullnameOverride: kbatch-proxy
+  image:
+    repository: ghcr.io/minrk/kbatch-proxy
+    tag: "gfts"
+    pullPolicy: Always
+  app:
+    # jupyterhub_service_prefix: /services/kbatch-proxy
+    # cannot use internal ip
+    # pending https://github.com/kbatch-dev/helm-chart/pull/6
+    jupyterhub_api_url: https://gfts.minrk.net/hub/api/
+    extra_env:
+      JUPYTERHUB_SERVICE_NAME: kbatch
+      KBATCH_JOB_TEMPLATE_FILE: /srv/job_template.yaml
+      KBATCH_PROFILE_FILE: /srv/profiles.yaml
+    extraFiles:
+      job_template:
+        mountPath: /srv/job_template.yaml
+        data:
+          apiVersion: batch/v1
+          kind: Job
+          metadata:
+            labels:
+              app.kubernetes.io/managed-by: kbatch
+          spec:
+            template:
+              metadata:
+                labels:
+                  app.kubernetes.io/managed-by: kbatch
+              spec:
+                affinity:
+                  nodeAffinity:
+                    requiredDuringSchedulingIgnoredDuringExecution:
+                      nodeSelectorTerms:
+                        - matchExpressions:
+                            - key: hub.jupyter.org/node-purpose
+                              operator: In
+                              values:
+                                - user
+      profiles:
+        mountPath: /srv/profiles.yaml
+        data:
+          default:
+            resources:
+              requests:
+                cpu: "2"
+                memory: "8G"
+              limits:
+                cpu: "2"
+                memory: "8G"
+          big60:
+            resources:
+              requests:
+                cpu: "7"
+                memory: "60G"
+              limits:
+                cpu: "8"
+                memory: "60G"
+          big120:
+            resources:
+              requests:
+                cpu: "14"
+                memory: "120G"
+              limits:
+                cpu: "15"
+                memory: "120G"
+          big240:
+            resources:
+              requests:
+                cpu: "29"
+                memory: "240G"
+              limits:
+                cpu: "30"
+                memory: "240G"
+          huge:
+            resources:
+              requests:
+                cpu: "59"
+                memory: "480G"
+              limits:
+                cpu: "60"
+                memory: "480G"
+            node_affinity_required:
+              - matchExpressions:
+                  - key: gfts.destination-earth.eu/size
+                    operator: In
+                    values:
+                      - big512
diff --git a/gfts-track-reconstruction/jupyterhub/secrets/config.yaml b/gfts-track-reconstruction/jupyterhub/secrets/config.yaml
index 671b8bd66565c2986c9c90d57ee31ef85dbec76c..b04233e22819aa98519fb95d07d804153d945d14 100644
GIT binary patch
literal 3621
zcmV+=4%+bmM@dveQdv+`0PEH=vGaRDO3BD%t|z1t=g5Hy`mw73><=(R;9yV`S;Bns
z<aTx96+7Ym=>s?nWiRl`j)ecp^96RG^{fn^Y#fA|6!0WKV>x{`1jR-Stp-X4+PcB6
zwAZVIYfF!13VI4BIDb%iyAD?E+>^4%9E&c(%>+KsQJIM0#HJ51BD6SivFId3z*37H
zg>a=EsXI#7U~*f;4;(@wL%I-whlUnS86Hz>lqbs|_jkv2RaU*&dM4lg$Z(|QqZsJ`
zE(N?d#y$wG%)*<Q>!Ku;Woms$W>Z?M?$q_y*6(Qj`qmKu)o|)J_L%S2QNL=wp!DYV
z%ZhvM_(jFG;0e=(TtM$Jct0DnXQ9@e7a?~GkM*B~W^vk;f!IR6N1nK7rbtH2b)I;w
z0lY825G@1{!<TCd_oq*LXp=!h3E1Ydb1~Tvd(M_EwHo1dg0%qp$r1^7kIVT-dhp;G
zZtr_iOdmPqaAc=HilgO0CgYojMI1Ljrt0e=MKjJ%^jMNsCee4B<hmv!0MfCnm|n`%
z>s&=FhoTh<3+W#d<x#fqB5B)~PQ+Cn(Mk}I3w$5`a9#rySb1E+(}oG9R7>tC6x(!{
z*OpTcJNSN9n6}aZ7W7;bC1i@`n~e><vpLfirY3lS)e1MTcKh_#AkA}(?Yc3lYQtch
zC*cdDjg{^=G;yz5WoEILD1b1{C4^3yjBW<6x+rtD`-axs=7wkLdh@HE!!ymcy)%h9
zUggig&foUdUBy^a*Ku}wl{JtH#Y&ZZ=mZ-Kmd8f_tUrB5(CV5NqrytI+XGIAa!+6#
zs&(8~-xVQFM^!)>gIfd%rsz?TB;(e6Zr|znG*a$sXbw-7-gkoGX@}F790n@Wo&ZIl
zlT*(NAr21K@jvgbRdM>o1d`2TuvOGu%dDlqE+79UcU0yG#DL_M8xg3@UjTfbCeP+}
z?%Lpzr9bGN{@pzu+>JlQflKeM=)jPj<v8qnr3<ft@%l|$h?cqxur(yGt49E%xqC-?
zg+3;nCpVlRbsIz%QnPKggz^&1J=j;H_ByAH9-a*NI(D##b52?J`xoIAVgU<!z)6n6
zs5`-Ch!6ctJ*|op-aPEMBDg1bDih9z7p0G*se=dM7QweCGcJ~Hr!*KLJv((r7tbgy
zu?uqtmw7S4V<{}!Y!2F6UEA^Rgq_nPURz|ieWpA!F7iAvtAvV=nk1rm*JO=Z@K@`C
zn1JkNHtSV){h<v5<`jUhQ>{2?ELKillYADJ-eZl}S8-A>9jncB2DFt^3;OeUEt*}&
zj_M65l02dQQGS*yl-6uZao3sK2D9w~lxj5d$d7G>1&&w*S;iVYYw;SXkpggJH{?ef
z4Q7`{dx8iO+=v?Kc@%=KfC1Gj1Af=o?`Q9L9l4eQDxGdaj#KcZ5<8=YwR6e*L5pIg
zq*^2ElPB0eMnb&ecn1Pf%bbK(UA*Sb^Z>X;o@9F;Q&{lGhsKL9Ff29tf6CUyZV)=`
z&!asN&PnB(VPAGqxC>aN>Chr#=k(wWh3g@It;8`MQW^upy=gUM^`U52Ig}%^Xq#nI
z9*5%|gi(W*%vQgv0BztlwU=f}qUmH2AnXu9eaocM!`oBO9+9W_ko_7LS#_&@`He^!
zI^u!ZXm)%YyOC#G!qip)Zs;JSaD}0ZblGZ}P_qmuz$kRA(;t~s8IB3$u<?0q3L(HP
zE1Pu8{AR?al(@6ZHSkMlo$UIC(rgvDVqy0s{KCDhkaDqi!k2V$o};)XtvzZvB&Qf(
zDFj034;Y1d(Tz^R#F+g}t4)RTZo`S1me`=|HJ2n|l#chSK4^OiI*P^u0Y04Om;)hG
zn&<>cXQs!J83PL8$~xic-%!iUgEkY17N*KCFq_rK9>y`-L-CV#dwe^*XIz9J@B=ax
z0(N>nhtC}`?C1Zf13bgf^T6rBq!hg5e;-f#1}_{sS3WY{r}TJ+LriHk>rWkZ(<tI!
z=a~|k<!JihIl|3}FCe6?Oh$dT9~cHAM1Mw<pt4<F=*r6o`Up8KQxZ_>rZa^{e*c3a
z*g4D4$Vu0C|GznZYMq}nC%ne6Nj$I{dnkX_?D%_)&3$BeH-g^G3O--iV}r>Z1~%F1
z&v2aA5IMk0`5z19{i;l7^^i}}e1}=#wR0gRKTyP+v8oaebaJWlRz0j+{|cp!qee6{
z=HD*r7~pgcXQoqD1FAU$jv{C-|F!tRBJ^uB_7;FE8povB(w&3t*Un_WdY3D@nx^nZ
znM%aSJ(Q&c-a+`2=Mq%03OVx{QL1`b-{h<OJvRr%7N}bTEbX=ED|>_+d0~z6K1*S8
z+c-Su_^8iEN$ma1px&*x9ZXGfpgYJi_uW3CYVamhdJr7{ru3W)dmb-udvW6@FsBos
zjUJ<x^yg^@ZaR?Z<Smi1GCFc3!A2We?Ve)v<cr-GvWDj2Tk=dBn-hPR#BD?TYO2)B
zxPfg|d^0tmB?iDA2^<PF?ig$gFLh!kl0&jGSN%H_ihz%cTG0=;&JRYv{Ziae%GWm#
zsIN(xNazchj;-AP<BE>B!CTD`8z*Um7xRQxs4Al6!$>B2!J1pLW5q=`?t9J;8y*iN
z4`+*iWNO(<tqw`D#+YhYSGGUD`%~LZjA(GEbzh=Q{^Ud9M6aV$bHM73YRbxMI-jtH
ze*nzhmA-b+PJPmo3t6Yt;ZwM(UXAX#o_GE1v?M!BnXW%L&yb3D0Qtq}6<A%AbyVVL
z?>gUgr~C8)Tc%vsBYPMCg=^?@)gm~(Y@+=>#_O<$@wK1IN<~XyDxd40swBl}m@}bV
zBb&z<nS`c$W??uI#+AgD0zz81`4Z4wqoyra%37{d6ZgYczqZSQ+ei??sPt%*_yH(G
zP=vA$jTu6#KVz|&Qx-(>_l~N3dBSPt+nXe91c$32S(Vib#(17QqCA<8!KJ_8r_cMT
z6Gis%$#o`*#qj>ji8I?mt^$CPIK~ZzQhxxA6R5rft8RObsoZg8Pn!`Clyg2SR!vEd
z3wyaSv`i1I+uX37Z526QKw5rDGS)?<MW4*0qEGKCfQtwn!a?q$IETnKTZ`Kt&>u=_
zhlQlO#m1}Z+o&IZzs-$SkDfKvF^3`cD_<Q|n4FB-D3_<5Io4U|j`h)WR77~oveYno
zxQa;aRmc{m6NVjOTmm%g4Sn1(YY(Q8VvO`fROfzUuUBc;j?j6mF7gVs%VLW%2|x1q
zy4<gzZvKIOC?-%2D8%`%8t6bF!C&AkK5>i%GZ7@N_^#CwZXXif>{r*{%8L@ff-_VX
zR*4UfLP=V!<ZgpoF*@eGpyw*a83vMlg%K2d@1D?gGMgfg0G)(Gyk}tN?qy|wGI61n
zIj(um4O<ox2=BO^FpIe6Tkiim_qwzJ>VLt5+(mA?2}tH0U@hPW)&-CI=HO0X%It_z
zl=2nHrT|+nRB7crzdFj)wQ8LbF&_k#gHYtqHOXY`6^XQj%|bd^CE67=c>tUg7fkn{
z6&_98+=ho9dicN9uoFOaJr!v;K@6x`NEtkQtb$iA$8mwhkQciR-T{8*-rM67e@?k*
z<3!)U-kPKB?na%N;2CkynWwq&x6!YRTr{Pl1fG(6d^D>#Ltx%8ux@F%R5UEbB#O%$
zJ<~`1Nh-T%Q>{Df$QCX1xg>2L7k1mSiRjd9G2kQSKnoH~q8(j|5V0uPqY$D~K+!$T
z2AP}K*YlL=)weO9qGO>1O$BoeUwA9C#=j|Rlyu9PuLQDqns6Aq`sW9sK^$9Mbd|oF
z5p!abZu7m1J52trXV4q;>k>X-9`b8*4zJeb3XV@Uneiy1f1nMMxOC4X+D}O*<{1h2
zDEZl{Kx~W5bbKg~A|RmfLFj5HNfweY>Dk|(IZ#7;cNlBg(?sD*inZ0v8{IV|Nb=>U
zoH&)@vqV4o`|lb~pksJLal$ZF7Q|luAZ1x4a!U^uW#5J9HhA2Kxd1gUki4YEWUjW7
z;qBnR1MJCNu9E@AEw^(pl)3R9Jb$TQ)y->e=z1+~Ym{Egv~EL;L~Cj4SeKO%K7}7p
z!)%0%c4;JbC8$Gy^*k(+;UY*|vdAAlECwT6O?p&MN^F@U6lO5o2dV2`@NZso;B)U(
z5An1Fp>18-mZ-rQ_g~Mi5w?6(ZG-4)xoX=5g#<tNI<JP%Hmp1@Py%oM8<J<+-=W>v
zDaSR_{_BdOONLKfAgUQ-LB3by-AOj@=yka23<%}Plwl6+{t&;IFq-L${5EVv0bG@_
z04z8u@L`z%$zO)vxo(h*lba0duqm#4c(VZJA@{VX`wIua*;jD_y>vTNRjg(}gk=1m
zqyg|o*)w9LcoSb#P4lkaq>oS>&{-*Sp!-lF+_}tAw_Y-56<_nZHNNAEBJ7cl&a~D(
zn5`8$IJu%tz4BvD%A9hHh4WBJ@sOE+58s_%LMI%Qr}K&<8%{3`S0nguOlEp(9l(x1
z#l&)l9|&Tj>m-CrbSb2r5P>_r&@?B8Zowm<Ow!>6QhcM~%iS5NG{vj1<SEY7UtrE?
zvwjIy?bgM&iQQfZ5+oX`OtQVPC~M-u*_wN)(Kg7aSJ+fZkw_Jz0xcAT)5C8PN#LT$
zK%i#lwG1K;ki66>2lKrT#0*O{tl-(LY<a0oT9P1t>1Vvxw^cY<Pt@>nUw$V^w<r<`
zV4$2;f}3_T!EqWh&5scObKN!U(4)F7e7*pb@J6H8^;v;G_m&&Qz$Tzs!zsxv2-m-c
rBNwL(-3d0{v{}>`0?GxG!<WlY&NT*u;<{hz5-80IvJsWzSi|n<-rE3V

literal 3395
zcmV-J4ZQLIM@dveQdv+`0DP&8jb{ysjpuYqd^(H2bIMzlK0sef*JrLU2=r4fqB3O+
z!c#$sWVh9@&k0Wl7*vb2PF`~aZ@1AG(3`wUA9=^((04;Y%yo*A+PwX({$hylCnQV(
zW^`ohMk|_sZY`+B_qXtv@OFcJl?VB;wF;|qV*4vrb9dL@%a7N`;Gy?XlN#L4+$sV`
zO-t&#Y&vf8O4TIob_j1XPZA>uF=x~xovw7Xg0{<=7KxdAyh}wO<_u3@?D(1jUcn8>
zKH^uWBFFEPf;tP>qGaB3K_kqrHuDt%=>IV7gcus4yS~j-s4K2bAfL`)E{^TY5#;y0
zN;tWb?kZL%#|&LyNlujGF~CM^#<`Z%uGEJyde|?8r$aLPd)}RTt~bpFDJ}S*Rxa}|
zKB5goH4a_#(zR}rcNSLBsT}Gop{#j-Wcvbqjg_`_CZcL;1*({MuEKWDbXOi#d{R77
zV$7H&5n*L#2ezq2((fq2^ADr7wYZ~`rWO#5<RgjS7HRAs2rZ*s-7{2+UXy@IqE-^c
zE9X-I5|{mFEn3}m%0Y%LkLhb_#`ceGKoS)^d@JW;fw?oAsQ;wX&i*fRSdpdskmduL
z%~I)JhR6_R-U)><@cPc9(0I3wK7H0iku<n@LdTICdJHH&8n{9wH+duwm?VyFQgdV{
zkvU8;2}ej1IM-xm)A5I6MQe^l@RGfY5{<aFmpV-p_J=8#&;nb>B$z*J0wEIS<Y1g;
z<FK71l($<jN8QJ-;86Ca2h^xGPHRjrGmY#q!G;-?^eRW89gJrsV5yvHuuulOGW>=X
zVEzK}U~39>^|KGrV!DBX&n~LeA6T!nTU$TV=Al$;ui@|-cld^6vK!L2OGZKat&uRp
z{8n5+>9q7Pa=$EFdwF)tK8((6yXtl`a{MGG$0g|TLr<XnTTUasvQ-6xYmgttn#z-X
zBNHp711rbn{gPyy(?2<d6>aJQ#oG51PSfgwDCwM}^Bw)E<nA_$-Zi=apr5N-_mvAj
z8IEdM!*$qG1u@UPSl|yGcRW0^ZK8DAndy%9g0gr(i;2Sx@tC1`Nk5>3g?D;1jLt>#
z2cTy%oZA<W5Q<-0XJ+m{6mA|vLyP)>%8}{$r;s4R`Yf;n<ZgUpUNNs$ZFy+lms%dE
zoZ*ETg5)b;(^4g5SoN{G8-hixsLINbwahu-hKwv>yUBxg=+&2P(_n~ngR~*Nx1z(f
z?NrTP1+R3qw4P{5#Dd54<y*Fp5-GV0JfPnRW`A2+(FN}A4fafZ-&e^!YPL7(INE-I
z1P0#+vR$w9zyB%HLu5MNR~$b<PVYthv;fKIS+Q%$LJ~p+0}P29pbV4zWg<*L#G%TG
z9y&*lMkgYi8wZH;DD3sPwTuUIsl1rPUrJIF_JUQe_x~a3;YG@8hN{T$6m^Z2+GBl0
z5zAfhxKL7xE(&M58pDq9=nnRXwkKliMqhI_iFbFl>Ufd|bc`;D1maZw%{aMxNA%o{
zhDBn_q_RAGWyXZsBzh-;f`^RsrG_-YR9pAJ%Xb?1`10}je*e1?Fd!u29a4TWl1!!@
z(1i{xW6lF7;J)lU0X<ijl&ywzpYV?i$M(1_;!YtG=g#L{Q;4-S9K-2eetu3+w@O>`
z#f_2tNCoeZFQ;10bb9hl!R;D3F!+yY(C@-gCIkHx!f<=}Cu{eXLgCw#ogpAhEDKPY
zEWNtVA>32~&=bp!5n5{neAkG(_m{SLAP1dWbc=8*uhWDb5%C*I`dHKai<@=DQA&Hq
z4+G&(q0!rqb)<_B#b!-F;qY9X;7+gHo+$puAiUufViyrzG&+q-LV{QBaRzvm9`_sL
zaE<Xe*~aFlZo6wp$*$OD$TbW;kFg<ZRuAT<>5>~+Wrk?YA0LgXp7R2(MxYy}X(;xP
zz@-Z9#lvSK(*eax9H3%K(zc1Y{@JcR&yiKK)z3U&5Z)~?>zXV_svu*fco>}=FgUJ?
zT9i&g-?H!j&^Jha=_-O5hKjex0Coz4k3YhkkpXBT-EVC>=Yfo7mNnA2F5VW}<6~U1
zJG3yiXA{QD8q9=<W^oYJ{}ytaMU~+{VQi$lz|1w2yPlFo=;DMUO!h$D^0GQR+^Gvl
zDzz7C=UGph#2L5^)ZjSKl^~MC*iDH;Zyj5uE$hb}6JQxE)@6cEM9y6eL#|q5Ruv|W
z>3v^Y2I(X{5nKvmK&&FXLkE%wDjLCOdA}ras=dnz<@wrBRIUd)_KsaDSQlhO6!J!o
zFcXc><ix&>?(CZe<h@>@#1A``_OaL;RKq8<+J(;^RKUjKg=ThRd9FUh-8zK$$l2fB
z&`OXqx|lTscA2xLx6_dGh^j233*U?=1_f&ErH!dHKKS0C2}dhwUtWr2wK3N;Os%D9
zhtEpomdyy%CcgrrTbxLRVVdKZYDbDtN6t1$4k^;XVw4!KK4>-j=XR)N(JMjWZ6=(v
z&o`n+5r<$yZYMKKX#^TCA!UV)YL`F|`83tPX^KW|1@3V@&ai#xHd^GrQqLY+lmTKR
ziwWZ=h^1opxzu+wR?g}01F(XUx;8v5szc;Y-Z(m@cuLX>-g^rQr6i^z8qhcom!3O_
zNeR#KOfMyW>@QB{lhg()_w7+!N-F)-&hw2tRV;=s2@}dG%{K{7Hn<mS8rI^|-C0Z|
zeCO9#vfwAxBh6AX|Kr30%M*T};Gsut3_PX3gJ<(Mk_eaEdZCZG5u#mjbE7^fAjd~Z
z?bsYD$m9NUoRGi(!`4&GqBw8_+FbEg;aOlX{rKsFj8!bh!L63Yt4bYPWD2GKG=hn3
zu;6ckG!gehcvf83Mz<`m{r!?!fkN#if;{H3c?~KVM;u3}@(c`+q^ntJzcRw=6TlkT
z7TVnPqpoIoKlKhoQEF5lG5b*)l1k{GWqcvt&0^nCA7+ihf~hMF|FWvsh}+{m5yNCA
zUh_Z#nCu0zg`P)jD<)XSuPLc=ZRi~5xz)HrHg_Gl<l=*28zBg?1YPT~9#z_2FU;SL
zcy_|EENDCet(Sfsa6wQn%|kXzw8M8CriTcF>8Wti&$Z>LUU_YU`2rvE{f}%4aFkmG
zxu$M9CT21v?n<iB9opQYpKn$`Wg)^5bc!ombgtLiJ!3zXBQMwPBrjUHK#F}9*9)Pf
zU*LlX4{oSHaaWg#hE#ZtYKiv|FxENV4xq{;ueLci!w-1%?RoyX<Y^s$@RF0x_2K+W
zc{ckRQLdkUgYTYII=;s^<tx%gXfQ8(3yEJRN#4J<|7#jE<DdJJ!H0p92&!Q~_)`iS
zVL=&aeutkG5QYygDb`QZAQ<)2Bb`3%M3Y_TeYe8xx5<kHDmCkFV3psKU3Ddr;0T~s
zN$27d0LTp1csNj;CjBOc0V3OtQkJu4&(1>Gy+64hvDh%WP5$RS2r!T@Be2ugvh*<X
zs0eD(-7@GrjDn$_dc2EjGnod$tHi3mbBwA-+X?zW(O0ZrzQDcXd6PZrLZWSSEC`O|
zEMTX$PoUyCr!=E2iW4Q4Sy-~nGY9Dpz;&hVo?OJC#q$Dg;tPg5k(fVpHe`~Rs5nNp
zx)S-5CyZ~|;rn{ydC3H&FrijhM$|LmGrE2Jp)S}h(n?H&^73DfXu*~4AhUg$nmT9j
zf3M_d%V9JHXecQJA@1+(hhPPl_hLRJ&Y)llMUolT>ygTbnEtj220CGkc#fQk2t*$k
z#jV@JJL^33nEfEVt;;DqakneTAX%>u+I*dKw2wjxDFJVX$I#mJH{yBRiZzj8NpV(4
zM=Eo?bUXE%#XhZWS5}%>JM-Vt>xah!4L>|MOFn$!pDN`ZNN#!(72(-nF&S+~_!u`G
zDt$NR;ZJM|cW<Rnd2G_gk8QZlTmBQWDPFjZm>kEWzUjdp$d?QVp`d?RGGbpIMi6se
z$Up`0=f7g9+nFhw!nJKLII-qSfNYvmhFhGNCVdLZ8yZ4Aw6|D>gsq_Fuol%a2`@CP
zzMaQ-N&iNM!EoEtoos;G?Cl12`cU+59duK*7nS=VwMPaYv0g=>fjQfFxyj1ijFd}5
zC5XMRm_^Pz!r|IKDGlzb)dpTv@n2jlW?#|O#(g+FkOU;&9t`S~9#H+L#IT{O)hl_Y
z3ysv!o83QvSWvg2<Bp?Nds{SI1{af9aj0bCH&EdG1|p{rRUNJp*QKvrfL~|;#VJMn
z(x0#qBrQSw{h<X-XF@hDIEk`MzULVJBVXGeb;blL7YBSAQRf^x1As9&fzSRl!o!TD
zsly)b{|riF%5O&^Cm&XPFCv1MN_*{n8fovCn;3<t_CUh-h6Dh&)zu3*ILA|N>(X$u
z#%#Mym=^y*;?5@Vy`Zmn@f5ExXy>3#4)om%zsN#Yo6V*3tUPG$yS~g5<n#{-e~I^>
zWvyoODm7KQ>#i8FgAbnF6BDVnU+MKdVm0~R*&bp`%n`?3^CI-lX~N(c`E642^D8xw
ZaMwnD8<{rj>-VGySO(||l87%HCTDP@jvN30