From efcca74d67a2cb11ed3b4ee0e6dae8b7e1a5e759 Mon Sep 17 00:00:00 2001 From: Zoey Date: Tue, 10 Oct 2023 19:33:30 +0200 Subject: [PATCH] fix security headers and sockets Signed-off-by: Zoey --- Dockerfile | 2 +- backend/internal/nginx.js | 62 ------------------ backend/templates/_hsts.conf | 12 +--- backend/templates/_listen.conf | 2 +- backend/templates/certbot-request.conf | 18 ----- backend/templates/default.conf | 2 - .../app-images/logo-text-vertical-grey.png | Bin 10424 -> 15580 bytes .../nginx/conf/conf.d/include/default.conf | 2 - .../local/nginx/conf/conf.d/include/hsts.conf | 8 +++ .../nginx/conf/conf.d/no-server-name.conf | 2 - rootfs/usr/local/nginx/conf/nginx.conf | 6 +- 11 files changed, 16 insertions(+), 100 deletions(-) delete mode 100644 backend/templates/certbot-request.conf create mode 100644 rootfs/usr/local/nginx/conf/conf.d/include/hsts.conf diff --git a/Dockerfile b/Dockerfile index d935eba3..69f68082 100644 --- a/Dockerfile +++ b/Dockerfile @@ -53,7 +53,7 @@ RUN apk add --no-cache ca-certificates git build-base && \ sed -i "s|CAPTCHA_TEMPLATE_PATH=.*|CAPTCHA_TEMPLATE_PATH=/data/etc/crowdsec/captcha.html|g" /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf -FROM zoeyvid/nginx-quic:205 +FROM zoeyvid/nginx-quic:206 SHELL ["/bin/ash", "-eo", "pipefail", "-c"] COPY rootfs / RUN apk add --no-cache ca-certificates tzdata tini \ diff --git a/backend/internal/nginx.js b/backend/internal/nginx.js index fa6299f5..8c7970f9 100644 --- a/backend/internal/nginx.js +++ b/backend/internal/nginx.js 
@@ -271,55 +271,6 @@ const internalNginx = { }); }, - /** - * This generates a temporary nginx config listening on port 80 for the domain names listed - * in the certificate setup. It allows the certbot acme challenge to be requested by certbot - * when requesting a certificate without having a hostname set up already. - * - * @param {Object} certificate - * @returns {Promise} - */ - generateLetsEncryptRequestConfig: (certificate) => { - if (config.debug()) { - logger.info('Generating certbot Request Config:', certificate); - } - - const renderEngine = utils.getRenderEngine(); - - return new Promise((resolve, reject) => { - let template = null; - let filename = '/usr/local/nginx/conf/conf.d/certbot_' + certificate.id + '.conf'; - - try { - template = fs.readFileSync(__dirname + '/../templates/certbot-request.conf', {encoding: 'utf8'}); - } catch (err) { - reject(new error.ConfigurationError(err.message)); - return; - } - - certificate.ipv6 = internalNginx.ipv6Enabled(); - - renderEngine - .parseAndRender(template, certificate) - .then((config_text) => { - fs.writeFileSync(filename, config_text, {encoding: 'utf8'}); - - if (config.debug()) { - logger.success('Wrote config:', filename, config_text); - } - - resolve(true); - }) - .catch((err) => { - if (config.debug()) { - logger.warn('Could not write ' + filename + ':', err.message); - } - - reject(new error.ConfigurationError(err.message)); - }); - }); - }, - /** * A simple wrapper around unlinkSync that writes to the logger * 
@@ -343,19 +294,6 @@ const internalNginx = { return host_type.replace(new RegExp('-', 'g'), '_'); }, - /** - * This removes the temporary nginx config file generated by `generateLetsEncryptRequestConfig` - * - * @param {Object} certificate - * @returns {Promise} - */ - deleteLetsEncryptRequestConfig: (certificate) => { - const config_file = '/usr/local/nginx/conf/conf.d/letsencrypt_' + certificate.id + '.conf'; - return new Promise((resolve/*, reject*/) => { - internalNginx.deleteFile(config_file); - resolve(); - }); - }, /** * @param {String} host_type diff --git a/backend/templates/_hsts.conf b/backend/templates/_hsts.conf index 18b4f450..82664d0f 100644 --- a/backend/templates/_hsts.conf +++ b/backend/templates/_hsts.conf @@ -1,17 +1,7 @@ {% if certificate and certificate_id > 0 -%} {% if ssl_forced == 1 or ssl_forced == true %} {% if hsts_enabled == 1 or hsts_enabled == true %} - add_header X-XSS-Protection "0" always; - add_header X-Frame-Options "SAMEORIGIN" always; - add_header X-Content-Type-Options "nosniff" always; - add_header Referrer-Policy "strict-origin-when-cross-origin" always; - add_header Content-Security-Policy "default-src https: 'unsafe-inline' 'unsafe-eval'; upgrade-insecure-requests" always; - - add_header Expect-CT "enforce; max-age=86400" always; - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; - - add_header Cross-Origin-Embedder-Policy-Report-Only "require-corp; report-to='default'" always; - add_header Cross-Origin-Opener-Policy-Report-Only "same-origin-allow-popups; report-to='default'" always; + include conf.d/include/hsts.conf; {% endif %} {% endif %} {% endif %} diff --git a/backend/templates/_listen.conf b/backend/templates/_listen.conf index 858615a1..2b5973e5 100644 --- a/backend/templates/_listen.conf +++ b/backend/templates/_listen.conf @@ -1,4 +1,4 @@ - listen unix:/run/nginx.sock; + listen unix:/run/nginx-{{ id }}.sock; listen 80; listen [::]:80; 
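Review bot: The new `include conf.d/include/hsts.conf;` line in `_hsts.conf` is still wrapped in the `ssl_forced` and `hsts_enabled` checks, so any non-HSTS headers in that file are sent only for hosts with HSTS switched on. The removed block mixed `X-Frame-Options`, `X-Content-Type-Options`, `Referrer-Policy` and a CSP into the same toggle, and the new include file is not visible in this part of the patch, so whether it still does should be confirmed. nginx also stops inheriting `add_header` in any `server` or `location` level that declares its own, so a custom location with its own `add_header` would silently lose these headers. A comment above the include would record that, for example `# add_header is not inherited by blocks that set their own; include hsts.conf there as well`.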
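Review bot: The socket path in `listen unix:/run/nginx-{{ id }}.sock;` depends on `id` alone, and nothing in this template shows that `id` is always set or is unique across the kinds of host that render it. The nginx.js context in this same patch works with a `host_type` string, which suggests ids may come from separate per-type sequences; two hosts of different types with the same id would then share one socket, and a render without `id` would produce `/run/nginx-.sock`. If each socket is meant to address exactly one host, the type should be part of the path, e.g. `listen unix:/run/nginx-<host-type>-{{ id }}.sock;` (placeholder for whatever type variable the render context provides). Each host now also leaves its own socket file under `/run`, so cleanup when a host is deleted or nginx exits uncleanly is worth checking, since a stale socket file makes the next bind fail.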
diff --git a/backend/templates/certbot-request.conf b/backend/templates/certbot-request.conf deleted file mode 100644 index 54533691..00000000 --- a/backend/templates/certbot-request.conf +++ /dev/null @@ -1,18 +0,0 @@ -{% include "_header_comment.conf" %} - -server { - listen unix:/run/nginx.sock; - - listen 80; - listen [::]:80; - - server_name {{ domain_names | join: " " }}; - - include conf.d/include/acme-challenge.conf; - include conf.d/include/block-exploits.conf; - - location / { - include conf.d/include/acme-challenge.conf; - return 404; - } -} diff --git a/backend/templates/default.conf b/backend/templates/default.conf index 88806d06..fde8bc5a 100644 --- a/backend/templates/default.conf +++ b/backend/templates/default.conf @@ -2,8 +2,6 @@ # Default Site # ------------------------------------------------------------ server { - listen unix:/run/nginx.sock default_server; - listen 80 default_server; listen [::]:80 default_server; 
diff --git a/frontend/app-images/logo-text-vertical-grey.png b/frontend/app-images/logo-text-vertical-grey.png index df90ece667fd5af156bb23b4528aced748a42baf..4676ee810b31e415d8255072e984465a93ea7db7 100644 GIT binary patch literal 15580 zcmV<2JR`%2P)Px#1ZP1_K>z@;j|==^1poj532;bRa{vGi!vFvd!vV){sAK>DJaI`xK~#9!?3@Ky zR9O_q+3qSkSj7njrrr!ws92P>1}kBA71maBoele$1L{)kKOk`cehu-#pMB)`&SEso{d?a z!ev@Bc^_KRcqd6Z&*A`{hDzmwErV~Fk;O9K#0Bl|^Cf zkB{_a{&>`nReji>X?FyGBl{gv9r0zv9`4WbyAmjF13@kix!k}0g|_}(m**^BaHX(? z`-`)0c>)9 zum{wP5Q090G8sa}-|NDJlXN3ROz?4i+~xlD&)GVB&2DSU;tsNJ;ih9YS0nHSTX%xz z6TDxyrwdkEGPy#?3VIY~xjm+xE^{-@7lqV@3&*MF33xDy`xG4v$9$Qu9`a+&FB;%c zczqbpt_h()hth{qU<{+c5JFXHLj`HZkzW0cepK6RAD4&kllVJr{Zg0bAje%|{f_&I zJQYK)`f^bi{PCyAbedYg$^J*tsfxyxZ0bNsJc+kMYy;;c%RH) z3H@+~Cm^>Q8wx$9kv#T(*vBzBvb+Jdl~$VLJ;4^v1X;Wa`(}O|WD403!Fg0aj|wu* zqmI?iqbzs_1Ijc{XvfzV4D+cuFqi+lew4hGHdMGuA1bPKg4dzyUyJZwpZ&T3u}R}C z+ozYwrj%0@3taEp|6gP4h1?EM#2gGo?rBiOu7*N)uw`=qH)iZKY%JQWB$KDcK)7tl z;2*_6*o>dQYfYtmVH^K>*feIs%Ho~8$u+l)gi*q zn}SEHHz902zPBNGIsk|!Kw{U)<$zLZrSepjR65Y8P_zRVpZoUzhk?`fobUQP6tm=z z$6ATdFG2wu@D7m22C|=H#kS3aefo843h$sfmA4lA_EC@~=0le3MSzG#3#P&A=Th$( z<_XotCg2Sy%zUeUo*)k9P@QfDkI+FIEIxtvRDH1MCu5kX#DK+~*5AvjmP?& z!@KOfPAXlZl}aTlihAxoz26Hx%jHohcIyiHoEezm2cVE$=Kzl2@ioDW*Vzwp&REj< zo3TBcVMyciA=&q-JNs)%bgz)5>LftwcsN2wqPIfJ|;i_}Ln{d~&T^-Wdb;k^3ZngRNWgI6TN> z%)?Co5drHFG|)oub_8FAfv_72@cScNi6+hSgdj#6P430{ky`>I_<94Xc;QQFIU&l&6l4S6HuqE@NEm2${{p%av zmb5m_5e!4CPr|kS5~>u}_Z`M?(S+JJrLJ^OUpt!Wge_Y%uH|)F1aCm_SmAFmj--U( z(;Oge=?Ge`lFC0p$hm0wwFn&WHE3u_eXdq}gd|<3kXqvlGDq2 zio4ue>`_RH*cPXyqv$Lz#Wg(%GyOFz@>(_hxfRP>KXrLIlUp6b8AHRiW%9FeFa8>? 
z`L&j40hksGt{C1FF4N8vN|lQg&(N8#S|IX3;8W1%=bG?ydNar22qT1SZJ21THbi)W zF60^tJJ5zwmoX6HY6b|$Rrd1Y0k`>*V({^4qmjsmYrW*D2>gatqOeyB{h*RJ5^k_& zn#;N^%q?RqTwLC5evea}h^PPez;j|;9#Ng4JWZ#$b1g-jYp z0C>&Ir0XlYp!1e(QA_2sH4+JhZQPTMjzdj;L?x4XswLguuMrL|s&t=fy^gC1#F&3%u_4lYb*SpU40GG-Czx5x$YOg5Z_LpNqkA_G2dV>@w!G3o9AhFRWl(zqp)XySS1GS5~p0Vl9UlKIPjDix7G^ zYHmZz7EW0(yD#ADSlw*i5aV2STkQnSi&&}qXhMX`5PBXKaYlp=x(47hd|impt{Et{ zt9wX5CzsJSZZpW`*VHokcD+n7rPRxd0Tk5;u?n;Q250){QpTcVD9iP33xHNB27n_7 z+!kIhWxbJcs>kxsv;7jV{fqd2*uPRa=o$5m;XXQb*a~y?@RRnlVzl)p(D9BzV1feH zUVPmj4$Gc!{@nb}U7tUHJDqr~qc>~C;4PNhfKct_wjX#{0g_mSAtQW-dfEu13& z^m6${tmb2|iubK?b9=VYjkwF7Dq+nZTFO}Xq;8n)Aus^&U({wzE@;%VgI-l zMFFurPjRyTyY>&@^RTKS%+pX4HrG%c`n^FFsxejvf$g*xV6oN!-JOPR!0J5C~DY;*MD^^~bjt+}1vZ7T*sueP>CxMYZ+tQEv0$ z8uJY}+b0rE1tw^U0^+|f42YR~+Be=K+b81T|CFs8jpN&CD?&o_s*nt$Dy&3b69Tk! z6~n=LT8zN!!J~{&z{!L>4-r89@h4nxd(3oz;Z>f@{v2)n5{jHh=uXhT6}&?<{MmRP z=d|_T2Oj09-m#h|db#49O6kv_^Sy1 zRPVJ=6c`7^0da6DAmRGS{&DH}dc@g&k?kT{y8T1>z$XpW!F_bf&{YV$*iaK{!Au9O zG6Z!CcrzAr+aaGLZiJrW@(9{}Kg)6UX3bVsO_MDD!{GI^grGz4+CK>1DXmNj8fs8w z8EeMIGUh^svv&uCNLTYEj758K&9A%ewxAJwVL&V@4o(KfLvdi7r8sb7Q8C*8Nxy_% zhl8@7Xo*?=kghz0rL7K~saJ>YGpNF}G;m$D19%hgL0~;2M(8XHLjTcW?-3a7jnG+g z{CuxHk8P^n#)7j;e;xYSd$oF6vxG!HmLj-O<6PTsD_t;U*U;c)zX~2D1(k3xRIuji z(cZUS>JlzO==Jb1^UGNaeKG5glrt7un}T<$C;+n`1K?Eucx|zN{EzwlW2c`9jACTD zWVMXRpKNToE>{NjQz?h1m})s7`$aLfY|MPD-Um6>bmwLa9=js+ ztx(K1+m5k8mBk{CjQ=(GOPO%}BX=kG+Z1=S1a|sJRyULSN;_J(#}Fba!8P8FTeP>e z{pz6tdqsD#twtiPxAxoFJ*ozEl{=7J?KTt2yS-t=_AUKd*V&X4{sp&Lk6mRh3d5fM z%vJU~w&I=$-XEa{qHYcV)R};UD<}M8lXv!7+p|T$KU^Yv;zCKkxU$ND*6OO^ps5N5 zwEE_mt{efzszG2;`r1gD>?#yWZKS=)qu64khL)e_~Pk5K`S; zV^u1a!-ejzI153@@6rv|`*_IZ80jJFiS7^coeYN4T7ab>mDBWnUmkc8$zIfuc z8Z-YC27(#094`0ak`o?mvcC%x_PH|PP*)}?V0n^Dd?8eMNkA=;fznGsF7SH55k?=f zx1&GV-aZg^w(n2A>o|<$x{im-ZgaF)%te)Vd83naRDVjy0!E@72y)xUqe&q45KulLz@vAi#wzSP>7)Z$eaxI$O2kJE-o#cK%#C0N@JsAsqMA*!OsXHIqx~=jM3O zRHh^@sfp!~(iLob#rqz1)glBwPe`1-yTO^|^C>I#?N@8(2~$i9M8T$c9vvYo=oZ_g 
zckk4}Qdf1TaBS5e!Im>JPT5f=%T5E&?#w{&_1f>sBuBfl$!QMPevv05x$eElcdmY9 zM~D8f4WVyuqTL+^!NJZUaI))kWg+{+h54=#&$~2S$HnW!dBUi}`GQC*1^~&EtRwl} z(d4H-8|>SAB5?V75-VE=8|4UI8Xemr!8>)eqz|d9>_Kc*av;?T0xHE7PKXF{jLl%3ZXaG!7dDv?JBkH?&xpd-Y(Dy{TA(LA3%P5 zbqwV4mY>b1*1tyg_AYqge*L34RMfOQeq=?SU@ghvuf_5vl5CT$x5XoH8hRXR(|-Z{ zVRZ^~MuI0#kVVEsV^mLwYTomH2NT7yO0e1W}b zmZPm(afj|QW_bc0wf3UNsa$^B^}zQm)=Sy0On=Pqv;&2U{(0LRe$?gy;kw#f0fNT>*dmFt#YqwR ze+#@%J$R+U4mIAz)^d4|#!S2H(b`h&y$00YX3Tg5Pu&xEGlDlDcp5rpw;jPNae8*A zc^)-QH=knBw*I@j6Fh?5--YG5uOlP;z^klpF!NOy1jGsc>)!xAhqnUqh3iZ?f;FEV zV@18xX!*ib1JUv?(suu!2agu7w^n+u1PFS-``RA;6*2f_W{>#OAoj*3Q%U$Zvuaux10u#in^4;TkD&J zR`00tC2OC>Y)?S=CUk`VE_iFT!j2h###-4!-cZFq04k~zewImU9Bxn#{>Qt6rzdLb z*7EDHfV+elzfm179Aa1~ZsYRTTn`*(@Y-j)GDhrwm6?h`aP6CpvN{BhfcxJQcmxXt z!YF&LFmhuaGqRmaLzSN^T<4!pMP1J2ueERS`VWG?a;+zjYHy>ZQXWfh<<^7uc^oPw zBZ;cJlGGq{8hkl||6T}|yweZ_46u9{tJ9opYcQ zbMD?w-e2$R5TK&lx9uJ74F0RmVQ`eU3=lZv3!>!?KX?5=h`-a9%BShk~mV9|~af#w~} zpa(eaU$h+zUvwBlzGZv>hq)^e`Wh&pEuV@^%VB@s_LufKkJbHhs2Il<^?u)t9lsix zvVZru&2?Xdq>!}01lZU!8aByV82IzoeZDNa+8tD-IZ6%E&9#Ci;Y?-mei1`l`Wn)T}r_y}HWOXKdbWbme%lXwh(pg**C4U?%y3}b!T z7=nD-!}N?`^ebc!0nO6tDp3d!hR!C}c|;X67G)Q*Hu#5%(+{pun2x1b!Q(JF>pW zmdP6cS%2Kt%R{J_bz#B*y5ZvG8eiFRrI&1g&dckiKYTdFf9?6qw!_0R+KfM!)@F)5 z6+t8PW=g>TNN+uz?CAO?>s~}d91JDFsFXQCa2w#aFR0-^4Mnkm!5Ylofz*>YG%3Wxm$&s{qMvj_#X4PYDbBwu4yt6bH>*SrJI8N+eb1~tk2%0k&uX)CLdL{;8T7bJl+rJ61dFYwe+Bs zn?uE2)FHxg#!ztGx~1|=Ze&8xnfoKHS=Fy(1usK{&xqvzyNL&cy$@M=lJ(=YVnPjdN51iz+6 zCiAE5|1SgIVHWIqeIwd=`oSM&e9_t2)9)CcF=_9lteRad9Xvuuu?Q4$&O$zi?*M;_ z^C*J%$L}6Fn@8X>NA%v}MI%sh-c;_%h{ZlY)`VgS`6LcqnZB z6c%}NpondU9QHke=iU=|+D+&zSBHuQ8-hjgXz3LwyWR=BDfnT{!8@gOJo_f2?Y|5I zVLiV0FYV*?5@1&TIpC*2dizS7G&C&&n03VVd>K;H|+DoZ0ABbqU_Te4cD2t}w zpNyBqyE!ZSw?!Y%2>1LzJ%jZY%yNGZ@ZR#kJC0eE-bzsR9O&G!vm{dzgj_+=?{LnZ zB81xb0Z1Nyr^L#sCChP60 zmJhy4US_TO1-v1}qn|DHKKLf!E1QC!!G0@n#(x34wNg=GReJk4tsasEJ!z}A-yS^b zp9J6i&j;Ue_Fb($K@ll(PT$VtzB_0J>z$Tu^^U4usi-nncn@$Eccvtsmo1fFZqK+4 z^fXkGkeH(bNp18P@@Exy2;Q#tc7P{$uILfGq!+evV+g|jQ@|&^GJzzz&L?qRYssC# 
zufG%{i}Z9BcT?GK2hU=^(}IgT4T4uXz}MI=DZ&~LXfi$6mQ?7m1`J{G* zfEYgPPE5;QBem&hOP}?9K@OIAkai566^ltF6+z0_Z<12RZv>A!cZnTlk_6WKkU*^9dJHhZ%ZHkLhJHljhfU>12J;lx86C#Rz(NGw5o3ukl$9I-iyLD*58W z6{01B3%LvKdPoz?|C}E$U307+t^@jQ6)Rr{Q33G~IW!s83`<(PHlY5HW)+^otsb`N zi^yRq=G8+JVfAZ?u+%p;HoQg5-0f=jWW^TG?U2a>1P&yFXTd7|2Ln#U>eG3gx>V0a z)^x#XJA$vM3-~&O` zeG!6Q@e6R2hKAmAgpW(4A-1S%%f%4;J(Z}NIv--~973*Q` zz>N?&B-s-ATEYYxxC8vp?41QzTUpb``E1=?*fxO>AVER`1gQkAd(-x%yDc>;Kv`V3 zo0=gBNpK5LdAF=fyS~)zZK(h)Rq9?MSSjS5?|(u=Vcm=_=XvJ2ccuC}Gxx~M{H0|t zE611aQjRO@$Q)NnvL>!2im{qf{P$i2enTgCY}<@DgFkItD~M}dD_BR?JD)c%>V6)0 z(a#2N9t4FCw1+G*X_nw_eK)de8Zi+7yF2({03S=e{jQh843c!6UXr#|=aZhKm&iFp z^m7{#n!)G%Ebs{NL^-bXT8^}QaLAoBYt?v-2R!|>YFs&E0zcsnc+Xx39&lms_%`D@ zr}Ma+Y3p%tQ-%(de*k#%xa#2WJYbJSYE?cw|9GQ^XPeHm2Y3KaHv_+=_ernS4^CGh z3Jf!dWL@9%-y1wu@+5b3IR(E*HLTRy0@0)se0i{X{F)mSdanoHB^5%qY~AYH5$c)t zQs<`DMWSoX0FQe1-yJ+1wCm(GvDgN^W-~J-+Tz$@%@&@I&@+^Qgm2u0Eew8_)RH>f0wyD>Gzgpq= zKERuWfqEE1Kdp?p&HP(%2>Nh})w28}I%-}F7;@!WbV!SgqzR}&|vhxHx< z#5ct>{Cn)xdyZ(*4~#Wv2WRX+s87-k%5b?Pl09Vc8%E*49H$=wkHZ>3&u!CS-(KjI zo1QtUbg^=rW~fY}F|F9k$CW>)7+1C#lcBu__|d%t{J#8`9y+Gxy{{{DqAg3z^=|NZ zlNp(RyPQQz)jE_xO(ta!{z2mcU4$S2WzLzXaj$KLUJNEc5AcRC;o;_4q7heK3w-#u zDqdW3b3>s( zm1O^3^%6ds3Of)(v14Z$)OzOz?Av`p8ELjg1jP#xO_37^b`GkxI1@8MAY*1)=-2^tY8zo#1fpzv(vPl?zVcmV_>> ze#6MekI(kVwlDU|3CFqnSAg9J>pH0`@y=~Pc>lb3U|x8hSjCf}{aH9#pGhqvA2dU! zLp`xvs+zFoMCQ0MW9FDLCT(~zlR8{ORs|OIj_usOke43X5pVzg?j(D%Bi@cw$?T1% z()g!aOB`pAcg2>dh`Dbcfa{`#BE##VwAM)15<`sJC?fZK(3GJQ;qZJzxNua{JmKb+ z=_WBCv-*<}$&)uR0k&!XC5qOeNW$VT9>v}{w)x&!N$6X%8{0S?_4FchXvYGsz%%D$ zfmd$uI8wf699uofb7vlL(@iRcCQ>-)V@5R zfUF!+0`LXB3;Z5{-v;oz671VyyAH{mENQ5vDiP3zS%9`BTic>sZ=&y9Bi^ggR(vV? 
z+3-5cow(05P8DXgzUoH7cZW~l_3h0;qH{=@-f&~AU~IiW@Wh|~XZ%)DNytY%kF zWQQz~vS->#aXY6Pw(0(50R`&;yp@7q)my=DzXN_-g8jCwiJWKagINzi;BNw?K+d<^ z(SAcnr)F%A6J0`RR}IfcFFskN+}X)L92VnLR6PiuK&%0N)|CnoT-w7Bj^< zB5Fr4+n%NFxQ_-SF>-)OuF=y$?P{ z7)E8knxlGxhsWQ>3EpRPmH%_WU-EbAI6}d*xC9>0)Ua%ukMy^zu4UOM5A?J3u9W=x zzBskgiu=$~-1qQ^f`ZzSnxoaDid)c9oE#pB7ULs|n2kQa3_KQe>65KOn!XJl;h*5Y ztsVFBw5RVm@LK_X>k5}=iIjgIAP>c1&CyoCZ-G(hkO5<`g}aQ&@Fx9#DEOwJu5bMJ z+Z0o%H+g(D+K$%1?o0q9;5XE=x!bGR+}CPZ{9n{Eg9V!?A^c6NHnHje==w0RDiFWY(1xA5`a^~JHUrroyZM|mOd+e z!X2<;>=Yqyh*Zax4$5m^5m3nVF7P}+(G{1n}&uA(1Z2l~#DDzp?o=#$4lOn^BA;Qtw0!hC~{R2zfW(WV6^`w;g2 zw6$czgi@x|w}8Rv9h2jsW>yK)m{>;{SqMRbaDK{_F#F_9cz-P#Sv(Z7)GGdQx|qZJ zf75gLL`UWDcwWYuWC!Kx1fKGCqH`u$gpSrL{EBdhQ&8M1z}L%I4;)+Mpt>3>Xlsi8 zmO4bF@K$TI>j?-66g9?pNQg{&AC>jIG0pR30`Wg{GKKCncQ#F$L_>q7Ms%>y!pqMM zb29FAv}Y>e-PTPjP>Nbsq2`+ zA$i6(T$VGh(lbtu&)odOWqe|mm*8z%Oex* zc#6anfzrm5{nHx;1=kqPdA13+ZcWjm^$7C~fQ>u%t^*r9p$+r8=z3GI=t9d>QFGH& z*J^E$+xRX8DomhTfZsgTtpMN~j}3G*L;rE`Y%##kH-rCPy8x@VOJV??F?;zBf)}Zc zUvvjQ>-!CD%1Ggud=l+UD_xU63+JUA2k;Jfd5;Nz|Az3t=xRJa{UQLj#q$&txCwSL zUkUKa8wvKx@&vxZH=3LOj74u0A|~+QTT$-Z<_O{3))>>B`|Z~5-X9?(xOs!plPgth zZig_?9{p>s!+T7ie>wASOcbm>>dn7QMFYP1N$~DJ37&oePTM7s!%nFb@NWkHF>F&v z1<_0>I-BUWWbu6KXwf{oMMJ`Q$;ILJNf!azco#mk6cWcv2XH{|1P<`3TZw$t*9i`) znF)M3C&VJZcWckmMO;I?=y83xt2<8SR^d|Sc&j=5L-bESy>m}~N4dETD$Y9_rn-;p zYKXSJejGxS^*i-RZ`K)Db8L!Y4JiU6I zXP3ZQV4t!E3%iz1@USlMX(W-afFZo|RJDmb`Qjw|EMfRlvd2uKiMY5tVG)w>MjH4O`go z{_g?5gY5?J^L{7rFbaO+cfnIH-#8mRY-U$z5$4x^GIN8!CRp=?`Fkvr$R1e0PYOnO zuSWH2M|bey_HU4Qeg+Ne*YGVbigl0&MmS_XFT0lohN(`wA zN}+dyA0%qW9=-+(y!m9o-8QBb7M2fw#b!Hw&9+H__g7c4I31h2CV;hR4Y1qV+jxc> z-f@l-`xD@k@r_S6{uuZwfZqe~pN`j<)CHtb(`4Y?@oa+ca!b*UCFw9R64+ zKl$}AyX2z??d?6F^HQ+QTXZXypI({ZpqQD!&9RbFNz#A9py8jUT@=b>3oGtbOX;u>MaQ1Q4lczX9DRn}XcdVsUrV(#y0C?>#tU%tfe_Z7=}=r${tj3c6;16L)BTlD^NqW4pf8v|F9OTtCWdAoSVRQL!x zWt#};u;t7_XNUs{l%1dfm>OW?sWd^~BUCeAxMnfy#aRT&k!V?xM@k0fHm@I{+4sS; z^{F4vd^_;n*=sFj{JWkilU3Z8F}m0X;LFp76-2Jj_iGXMvZ4t4 
z+Zru0|-o3XQiWcy&AU-nzc+^c@r6Hr|`|h*VcLxo02Ih_k*f_RPyK6laCxd1VdC z7pbf@0>u;G_EMF!d5+HDt_Hzva(==f1!q zkvKss{o$4iNlEWhPSZKk_ge*wJUXd~pr*$dR==%YIG6HAxGxiA7W8ZU; z56*=?T>b!Mzhb0J1NL|B^y!V8dU(ME0M{T5x(?P%z1#$SOc|h;p&F*VAZu)?UoP_H z`@;G!N`bbxAEBKCi_nX`cH(&(MUX^ingAX~gO|5nKVVX=&NpqHE--V}4S$6_K~CKF zMUqOut4HBNB|rO-11!Z8dr$a0B=Kj^cLl4%{;{jtk(H`Vf|N!e~1S>)gTfL(2K_Aai6RF4tz>(999k5xz%PZWw#9W$_C z3KA;ikpA3?h2B}zy|?596triKE+O!C0{BERrW85xnp9N7c& zdj-n(a22~AtNS(7_ThaW{vExK-z`*adrzEws1%@~wQ-nV%B6Gx?m$#q}>(t&kqw@!@d9g37|Ak}UOCb+kc1h%26E6+LVa+zJPkP(6!3uK1 zQ^_2}k!x2rjoCU+=NP;*l};JV8haVDf)ix|9?e=nqWi;Gp(NgFAz6wOw=CCms^{KP z;F(tm=yMew3j4oF|Mj3=SBnt|EKO(?p9NXr> z%M$@SrVDsC>mN$utU{SZ-1yoIQQ8uftIB+@%J7(E#(jH zc2V*63$vCZbN0vqp}M`wrE3BJyt)f~6srsT9pK?@v8>QTv8?%vQmhu*1Y1b@!g_BS zG$d2SX6Unz!XmD;N~pe61@FhA?z`Xt9O0gcWrv=Jr{_mnE*u(TJ&%eX_l5P|?EN^4 zx4{IM1F!$;5W+tU;L}JNz*Fb|u7j6vjAAVaj_fznDwq}A=jHdx(eIa5s~+Da$`oTe zCp#p}I{b}O#%(z_p)H0Lx<87&AUV3J948_TDFp# zq>8khJ2d?N*{Opf06`!CfT|gM>C@p!n~OmL5?lhBkdGeBZixNc6Gz+!`}aRjwY;00000000000Fb%bHwT#6fgp}Q+qP}nwr$(CZQHhO+qP|6|4G_pGU@HT_VwQ(pgn!(4av}x&D9w1F{*GtK}v1uHttgq`1+)GIj6X zJ(#QdusfZ?zL_rS4f25hdWb&i{uST>Efb9WF60dc6vDZqTgq6nOMsTj(BFtoYlI z#>~l+gk6CNmVOjK>bL>_jFq28dlm8fh1U@QZxNH=d7#O6DcMFb(br-Fowfv7=t=nm zy{cBhZ^UmE(O_o}uK4aIR{S0Gm6F|`70$`Y`dnrb{8QY&cjMR(&`IHK@aVIUfi3SK z57}hkHpaCCp3V>o$k?;jv_;tsp4v1xo5OAtiuK!t0cdLiJeP}j z-V^m(vvKe?c6b{+?sp3t$`T`O3=trkMEwEQz~h2}>B+GIh}EcmE1q@G1@~Pc(^!3ASMeef#<;w z4MpU`%s z6d0#3Bd%7#^JK^yo?!7H`15QfDZ$e!mp0+mCJE0Q&@+?Z-_SAQB66QA?C9!c@EaA2 z=qM_^s8nX;c5K2_<++?J|4bW7hk_-}O0Qli;cB zvLaL2PqZ_{o8SR75xu4Sgiqf=uM^9DS_e;CCK)f1D4R@z??-UBC`?jwB8z`N3 zSM+;2qAY-a!B>jVTO`_PZUX!@0X~77T!sWMFP{`^!G<=_Tf>iHu?q&V3SJI=7uWmU z;KkOykNtg9*Rc@QXEoS{gVLlBL0~o$nY%NhkL(7%ohrfetRC8I&m=dmOGhN0RhHj9 zXmZ#EJ{9Eap8_6bNqHHQ`M&`EByFjBIR$(48Y^_3(eYu7gfXQ5acY{9mL2rT<*nZ|^ z51L|Nuz!VNIFPv8kfl6-6Q|l2A;kKk+Xj@c;3%ugTN+@MerYRf7eZ(;T#+q z$P9SgM-e_VYIm=j*SVf1^C2~C3GRdu?fxL}J%!WXvILOX;O;f8AfBv|AFpWQTlp+Y 
zxpp2W2>rR@*fI+4d}?nNU)%tH&jL^NMY(QtUP>2Ab-K~_M|xc7T$GcEm(zQw74Y@y z)$_~SLAwP-u0JX-$Kdmb&z&(uc`_AveOJ?R7pt_y$V5sQxr+E{Y`l-&y?e)G#qxEm zA!H0>CZs?4N&l+I+n{tgugk}yrM;Iz_Cro;f$c*4wq)N^oJ(Fx@Xq!3UJiKYa=<&6 q1KznD@XkfAZxmURut@r!ynX<~w;h83lm|}$0000Px#1ZP1_K>z@;j|==^1poj532;bRa{vGi!vFvd!vV){sAK>DC{0O3K~#9!?A--; zQ|BJX@mzP`hSStivq(KH#jOK|yA*A);?8h}m3pZQR(x~EKr$w(pC~S)%*}@CGTv?>PhXTiR{Xel>m0 zx6N(40RIAJIDHND3!R*}ygmv}JHV5GPPu&)5AgdDBJ=qF54PW_zjmAJ&9VeJm8Ho5 zE;!TUf&P2L_vMd~56+(;KTtYF5n}wA$2&SKdD2rx0B0rrJa}-*Gpw)TNZtT>8pCPPb zp45KcnJPD5YqQ3i06%Tt2qn`cJ7NbNsVr4y3~fByA8B_=TZl07g5>oJCi2i#%MX=P z@pOfy2&15fyArd!Ht+;^t;*eJ0s5U;=cfVx6`F~P5Ya`z9|C;3%y>uc4qA(bBbjES z^p6#@Jw$HFBUjrLxr=TA>7h^xfR|JQPeA9pjryCV>K45hx{8QT0R9P(qfr3*b#$E?=yz=EB!-$z&M0$=qxSQFS{ z4KSj7m(=Fvs{YRfq4KqY=#%7I3Z}{b{t{j)0RMqVV5nSug8+P05Fg7=p3-)bS+o}8 z&UN1jWoH~zbW$P&ehaUCUvZkYEs6m8SscPq`A#X7M9C^0djq-^I*tfCd*`r6;qqts!Sd_+qHfyHDr^>ZXQYx8J#+t@$6q}WC$Z3yT>tM+UAEUez!1NkT-gP0D#znshMr66^H z7pbJ!rYn5ZKwgd-2z^$L!f*6L%TUU0u!Qb6nMDu8I`oPjHJTWmZ8Ph=UnICXr{7Pv@6f)AcY3!>XGV3{_CU zcs+QP_F#K1)q!_W*a3G3BEkB}iN^;rr*hPxlgb0R>ncL?P?aNz>;_9+9#~AduE(wf z-*6(`vze85repG?Ul#iFzC!_@tx^vnc0q=jZYea=R|&lr;KP8OgQ!YjwsaLUKX<&0 zipB%J<~?}IA1=?z>#or7z}40t@IBpi;0V})T}4&aNy@RDF^V{i*h0OD%<1S&+Yzxah_y54_sZ>R@v%a^Ckg)T&>^<@bpUfUhXeuxg5Dy zU#^eKMBEBATdt2}bm`T)K^JyQ>-@-s4`qZWjVC{_xfkHujeQMMha_DZy8 zX4+H>e*-&rSHo=Ra)b@#PL@$|9l+<}Fs^Wrg0w+iRN~`DYPm1v2!Q9jtklnmiX4a1 z<3`KqzQvSMAP0zy#(j%v2cFaqrAO9N=}ebYIuj@ePiGKb58iw~skzCZpSsy5>eB_pc+UjKpVp6JRgjPu)N%^oaU~A=$Q3(Q!k)XZ z#F|~k4&04ZmEkW%>d@K4c}`qmr~=7Z4e%v^pNy|)?ExPn1kS&fkMN}8A@1y=uM>CK zPRbQ~`m+*m{|amsdX62wA}=puN_Tcw=E?1E+MT=IWI8Jl&!@*0Gx!CdnaE%~Z#3>t zj~h>TblGkxoot@So$H*;&UH$zf_^nHiEh20MEhIE(*|W+h)KX-z7ufh^i6-dalbv6 z^Q;e7tR75xIsJe=00ptU=RLXN=gm1yj)F=G{q9zs>2|&8s)Xpg9hL8K=J3@k9j<}&Mb zW@+`>(Due{*zqPqxToTolqa6Y9ygt0FESYC9alOYc1xfWb`f++9?hL?lfa$plFZHk z`%;HQx()D??Gm}Iers5yM+~7D(>N(}r)3r*9{=2}0Cw+TCocE-01o(EVNM%>doUio zG{={((w?mLmdu+!nZxaKB7CLF_$zBP880rh&?4ZI7JvRY&XK#k3akF*67Km7H?DMy 
zJ1ZIEUeoG*FRJldGr;#L9N>N}r@Nd^xjE3TcdXf-dN#D*QbPOCp2k-6MPn;=TH?&9 z-MzU|Zy)ZGV{>jt!$6k)PG{QQFpxfN97x+5wWGBS1L%`R@3TuyLrC3Z@{@}W%l}kq zt>_Xt_M}Uc4*!IGBs=95%U$S@$j%2QvCjk6aIv1TY_)p~C3?qFvUltvlY+l=rxl&Q z-GWZs@TaTy+HhqmKdxLQ2euDVBHuZN?<>jk|9h#%uR!yijLIVUQ?6C7tSMV3B@U-$ z>0>z+Cc1L@qvfnD#DfY#s|CM?dWmW|3i`YM=D%Xe+)w{uRr;Oy1vp-H?L+@XyBk^3 zK}#$4tz|1Noyx_q5)oOT6fdAyenoRauV4PM{5+pVz>Gy}93X;eCJz8l8xD}C;}zqH(+ zO273i*TlH;(AB2<0wz&Lg&_*c7X~jzv(T?ZKVW>**tRLK(-9fBPi#xyT3FJy1}!nm zyBL5Q;iJvQ1Kw8; zuQYrQem@2gW;~Vs*S%a5_X_x}QYuZ55-yq)n(b+*iKq?+pqrrsmGNz{`nRIb8rKZZ zx23)xeQ7xYGd_)8BD)&lFGh5RpY<+L<>_9rZ#DdvM(FP#dI`^d1pIfXndm1N01rZU z>j3_`z$#z;OM!PVg5UNd;qL)_i0CICK>s6J40!HG!1IkZf*=19p1m#b*tWNzGuXzT zebAOl^8HDZtNh9c-B}0z{AJXPl^yobYNBfe&j7y^@P8J)!2x(%z-PW1J`nI;^qtKJ zx}wOW6E2Z@_##wso&O29=wF?6ic+7qUQH>kk(wCq7)tUnarl$>+tI0eZP~+1I5xhA zLpZgvnGyWn(q{lKQUcwNO7Ht{nr*UjO^O@$3ivIhiBgH^|2P2O8t})2z_S{)$Dv&- z>;SfATN@4M4m(D%D~c34>lQ~RoOKJpEW^*bU=_CDV4Eb`&?S|Nl}E8Sx5yXhJ|+Z@ zS)O$|yDiY$vl}=3xT14T9Il}wI&OQr(&3xh&#p8V=;V(D!k3kO=gw*3U704)jX#D5 zd_`o?3G}nNixt>o(Q`dKz;SrjmThg&n_E|ZEKB-NFr~Z`#6A+9_pzm+}@-9|eHu4m~j6Sz3nNLnM00=|jBpS{;6>oQjHstZyMSJf~& zVNG;Kcag>1%Cp@krL@GK%FcLlnhYt^L}K-x!J`{OSHM3)V?;mG0q}okHEJ6J^z!Wu zyR!B5MsVrxO~7&d7+POHm@?iQN%8+4NNe94$-c5(z|J|x^7y?CKjV{OnR`DOnn}CH zY@yv_x3X=$)>5)Ej@C#cO#}Ywt$?g*E~TniHPbQMKe8(hC7Lf}qzMOjiZOT<{5ri= zIe&=a!`#lw<2kOrgX{8hH#g`%D*e4sK#!w!^+us!eOLfODDBr!!v33xUKZr$j$ufe~F1)DXYu^y78q{7maRd?oDTGaT?b7mA645E&8XZ z4hBxkc0uR!2Fpm*Qb9Q`y6fV>6YW^2N`VvtC(T^B_?TTuK|9cQ^u$)Mrj@m+>j@%MzH0uu{()a1`O|*63`lY4} zA87DB`)>iSeiQIO{wG?k2RDM(0-o{c2IZm2ZxDW$5&WXJ3BDY?V*u|1c>1Z~0X!Bx zLsScRZb;B^;SXmBVWSJ5j)ggQb$oO$NG99HN#^EFXJzRD6{Dp z+C6?d56|z+c^JSq(WCFgHvY>o+i6emcGG}=_Q)@byWl`{*qYIC34bWJwG#YAy9}W7 z_qQ{A?W#MJ69#uBZKe%r*2%SHX)T-9YHvMQK16pLbFXT^@pt(_a$HNNU}}FaEpB?` zszc|mq09Akq-QQ&2zSJ|iE1%$xb_l0#28%ny5XOLY2Duku{686+_nLkZ1?zWv}^R1 zk%pfE@Oyhgw$gz~pU{>88ML(7s>LP&&*dw#@ZCD$vMP@8*UTNVuC&CmllBL+pJ1jZ z%b6yf2d+3#!vL;>#|+2eodYXPYegk%25U=Vf@?M7aVgaT!@FP*GhDsr4U)6mjvgGY 
zk>_y3BYzPk12l)&_p@A~1J98+=N{Pv^A}IjgQnBlifS>^-y7C7{k`Ehejmx>Go(Xb z|L-864`OSZPU2ELBDi>EGFu~yW^3Cf(aymeBMd)d|HMze`y6}oVXY(BNbBj;zwrdq zIF83T_pDNtl8TE0bYHw^@5n-o?qa=V@Q@O(W9v(ZWvdx zW?-%00X!K|WqdRc;N9FgwU0NK;{qjgxAeALFOL=iR)+>hiQ?m&kF*^)DBQ`L0 zeW=r1>ep}rjk29V;~nRi2z(CUbzi*r@aN{Kq%5F!1$w;n-*_BZksjPQ%yL{~*G5|$ zJ(iWkjwFDiLFMT6;q?Js-OiKCam4mqfA}U4w&x79T>HRcdO7ZU!z`ac55!Y+@Tk`C zh!Da8@UMX^z3Bul(LaSH1f&5xP6rP7igWRao-qdvKVwjnNh?NRrURVDI?U!XF?fCX z%GMR|sczPKWMOzaR+`kUyd*kAk6s7xFP~oFY&6S_;k{kxnd|%7?1qcD2Vx#u*AItB z8UN@}+*E>xwRUqH`5giIdZ(*WMNW_Wv6n%t?pBxV#3UU%@#y$IWM0M`KT z08n^Q@J&eHiJq;Md$ zhaJoD4AMTdT2P){Zvsx*OvYaQ4}b@F`n$t$YPJt%`~a5XvKV{y$y{~t$(}KlzMdUv zHD&22tR=>o++O{2z!&Mjsq~%?m3`|z#^?b>*DAm_ym&y7b_?!JTPfr6$Ku#~m=hID zR^ay^aHVM@sWf$DITnE0!S@DyUx4e+&b9Gm0M}LZWQ`KwuB4Jn@OK@U%I8C-4oD<* zKp1=KI-dhPmtB7X4(q187Cct(*qiT9X_ix1l6MTlYF_sWWR6dN7zc1ll}AycZ`>xs z&sf?vE^(sUd>UpkiGppX^9z7!z-!C>vr2M(scgSH!we@)q{|{B_XH|$MTOJQ&9eBC(0jX&kAQKsW_^SwlsNIt>A$^pWmkEzVGn@+Q}ENhL11N z<12CY&V`@t01xFdalnzXo(o zYc!UUWh*JMc?QEwH$IHx_<+t*Jfc}#t3(R#nh|FB8S#BL?TPKVffh86WMk}S(J=8O z(|~_|M4rWE%6M?nr0cG%*1i*aV}w@i{40ymMel+bT8;ny@r z8D<*i>hESaWKojT@KUPt2Iwy6zdHEMQr&&(M(D_B0SJ|q=Z|p)eC>ux;oB9f_DgzX zVR#9tyhm$Q{%e^YT&O(1<)5jVg}I7qIdF!qYm$%A**Rl)_ZW)zi>L4&85GeqogzL+ zSL)x7U)M(*(xJ!nSVuA4H=4#3I1hF>XR)=FzG}@wmS_$lK0SQlY`}-`$Te1u0RMUe zz|&EYFuVh)yn?j+D!v-@%cz^^H3wk3BC09eA4dtwH9B-u4CFr>z_&xBFB1PIEHHJc zslscK2GJXY*W))tDX#%vgeo4s^akL+Hhe#@=e{-Y`ra_S@dDt7_8Gxz0B?w%iW-YB z-XQ#RBlvGj7XJAjmn_<-``Wce{POM6jKaC{S=h#xREr*pCd#$g7pRk~Y=ItxJ^5^Y z8?ROlB$aXt#_ozhHW8-F3z zF{?OLs(W|=%j6$spvSH_c0Z@xDeYqL^I@6-IZY6L8p5F-o>yZl!l)a3??0*JZjsO2 zMqxW1H&j%I1F(at15d;re!6e`mQCJC_CoIkbgY7X&=OQ=aJV!U90wPPU`Hp_1%M;KSt-Y`Zrb9J}8{{f(X`y`rXP&=n2#*zmlw z%u@7!9GQM`{?Q&W-_^K1_gNEb_@4JI26X9VHT)c+9+pE1ue&-m?k^J=49xJ$hzCa| z2(QCOD0|OTiSGMm?O6A=0Otg^=ac2h74W?j5df|peuxJ>>m<{hYb2R}p{d>PMQ?DN z@0ir&^83kYfG5CHP4MfLNs0RRb+sH4(aUNW^)#xN^>7Mo*r)IJ=jxNM0NbSD_1*vP zEIZxmTodX(g+~@_lKiH@mo3q?fG5Bc;BQ?N+x_G}0qR`Gq~D-9fG+_&)dqf@GATv> 
z{%)2*=XhwLx-=QE+5rCQ+Xz3R2Ka+N5S{?f_YLy-iO~C@8;H)M9|*s<2KYIK@V~Sf zf8$5O>q|n7>ImEyeT|6k_2A7jK6}q>+ZWsTQ1|xL!cUf`8Nf%@^l;(gp&nGwQ$ZI2 zf4(X_Um=?QgSX?IlN$m#8Bvu2ljwSfMB3;PO_A<^_o@E4eWPDWlKwM45D$(PLg#n% z0vq-2|JH2d4x-(PH>NY`7( z)48r`EVE-W7v&m>J7S_J*~bVSZB!=lCu|I!LkoP%LEV9UQ4ik3YUrL$;y&&ogYi+v zU}Y0`X7w0qL~Qf z$A}>W@LrhZ1Ko*@@}lS6<=hcxd+w8ZR&0-jEjucfa96~3>^i_NiS2dp=fw3;1G+A5 z!`}r%4=rZy##J?V$bBO=#H0!X1bL7#wyCU}BvMoZ`6N}~Sk;RAlAOFP{i|QGH%g`=FCtZQ#`R^%jhk%6SpsaIy94iRt*n@_I(`@+s%Fe}itRVUG5qFC#|WBcvzlhuhja6B0*HrS(J3w3B;aqZ zaE^OEPDV7&ok~IlpEY{~wW@&bs(42Lf07=*WUvQ&@`0@UD+^n0=f5p!Zxb8(2H;%=o?3jw9$PHtXZy>h8kYC8ap;(OA@Kk9! zX%o)Q;K|Zo4&K0R9X#)538&}jQv zK%c{-SA^fEg*wiyxbt_uQ-V9NzeH4#Qv?rBnEf;d|2^jTM2-`g$|xDG7?>Z5Z8xB6 z*o%+M8=wfz>#0x!I6?q_0wQj>CtYpkqTT)vOZKe}T(~dAVk`g>%C?wAPc7!_!36_6 zU6m}-0A7zRh=1BHf{waI({|jwx^v_v9$PSe0oXVB6I$3}1@&nZss|TrjKj?02@dne z&vuMnFbiuJU{}}CS@w}_M5Z>d4gWoW7a^_+`a~T(Zgx-*;PtEZU;+H0+M%9wtCcH# z_MSBZa1HR5y4SlFr#gn$0-n_+{6_(+4h?KF zvEj=bBO0PebpJKrSEGN5-lhTY_UKd%@cPDA*>7m=`p#$XTJ8Ed!+$$|=W3C_0QTNm zz<-L|L~ru|{CL2t3nl}8kRUwYa-sKPM{XQ&ON8LRvb3fz8aJd{4M);b@w{r$@spqk zKNN_r+s@Y>mL}8;k8S)p!0*CN-N)6#-$a2Tqk(JUe+}rJLaTbb>ftW|ysPM!G64S$ z7J#_C{?)=0{%!|uj`)-Dd-pW8w!i|AQL$HViE{=`o6^Vi|492Ka`wo6Huta|fE!Js z2jXdhvmLPu4$HMi-PUkI;3v>|9M4~~i(ucnMR8jPZQyoK*hZfLKWk_Oco|x}d*r4n z-wqD5m?#1KS!49k4l^j&VJb~0FVmpXv%juSR}jBj)VIPrJZ$F< z*N9Dm7l4L$P8~SOZ9ysU^|wG_me1nBb@)>qS0v1FjH{1-Y90XZg|6z*2LrvYg5lO? zrn|LSuKPJ})tH)i@J^|lqq?rejS%Z;A%6>$-7FezHHpSJ&Y(#SOTNS*oVQt9U|^=t$nE4& zpppXIsmhP-zJvwfgK9S)t>gcsYO(4ARg17hRr6KX)vY6R3qY=NDc!VNKu4To2-|cX zT900-vp_$F*R`H8I`B9j+~ejQdmQK9SD=|kAZi|109;hf!v+;~2oJm99k=bEL+mm9 zB&gd!eunZ;;mg-2==x=+r~_ZiqSu8fW9I<6GkWE-^}@Pk3;^~;M8;tOD2eO4es)BM z^}jKzzQzEs5BgdVU+zLG&kkR!TgCM$XpQH`yv6|XU(mnNyXar&Pp|WSJf7@7xbZP0 zszb_!u&x?8<^dTk>^i%CGGD}8BbzgeyB@PCUwM5O}oC`{ia6pQ*GiRcFoe4qY%087ybv<}@vq)z}o8x1i_{d5a} z1xi=RTuANPk<@M0kgB;3Ua*`NVKmQee^u6*2kj3s1NFe`l2BGgs4z# ze?rC(od>_@8b|k~$#lp$oL1UQVZ#~?p$Xy;7A9TFt@TS`>-c79oM}g>5wB%);Q=^?Sfr#Tf_D`uFy`f2<8Sf8A9VMf@!LF3=dz? 
zm_|XmmN?C!DBm@!mMIecAu^Aj?>KC~x)aXBpV7~9q3+3&C{{8<)3f0KHcbz1)D-;r zgeD`h#x@?}A~Fxt87G~hCIDF_1bL4QQ|uR93ThlQKx7`jobj!A{vVTE zR&+G~KVcr`VIJmT9_I1C_RWGvZWxHdNtv0MnTbSYqGM(j(e)SHzdi=PYJCtTFXMF@ z`ODwRs5QiZ0@&dzCTF4vQD)LhHuTdx4xE=cIhNo#9s z+Yu!+H8r)RqoboC<=SgF_xA1EZHaRto1C1)r%Z8FlX>1&bNpq>wQtRPwnh1hySuv& zr;9-f z_4W1b&1jEDoAwtED-%2n!1KWO_V(VC{1QFDD|mn|6MR=!*8>7x3NLPKY&@#q1tMYf zRDs~9Yc|86Qt&+7^Dr+5ui#-tflt8M%Ag7ciRYsX{rvfJk0*EqZ$T6bp7+D%_*n{` z1B^{~am*jQf=4ATmJI%~1Uwv)gn3`^G3tUc)@*Bl;Nz!HpZ+Z)q8$GI_U+qFF!Ba( zEl}_mc$nwqSYBR^F=aK!7L6^z%%Jd)dG{^@^h8P>52JqdfJeLG+3Vi5hj+w_Zl+6`9oF>nC`}_Nk3LM-zYi?Pao13oy zz8CnOo}N1)f?r=T!9CvKZI-fZ@T|=Q-E>UAiyCZ8Sm1f1_=D#TS2lQbO#tay*5Tpd z{a)aaQY{kv@87@oXI0cC=bs4kWr06iCV28LVuDPkFl;<320XtG12h6&Fz@#VZ@V?q z*q77JcXV{zE*m_4cvPXj0bPxBT48w7ZM{<7m91P(qctp7{! z2=lJs**Zft!1GXVa|~pkfg5W}*)CHv!4&jBg}|e2_Xz5}NRl@)@OCk!4Djfm zB1ixp4In7b^{RnS>F24TY?y-A1s>tPIPiSmofJIMl@dp)Ab7hL@kR>2sj2A%g`YD& zzFY+Oh)ND#x^h=V@K9~>=)M#_-t7$DhWn7f=Kw)N-KjEo$hBLo3p~PoXy6g-nTzh-_tMwZ%FqkV8Jm&PFfk(JcX{6)6;BE5C zew0BnjC8DFfso`2o^#K(FW@lny}iAsbG}Caqca(6^K$S6MgZVRdeR>}fZV_e92r1f zUhjOw&LAAyl}NeCbM@BYv!KJU-Mnt_@ZeCubIHMbz&I$)Frwc@(#a1zFK_Xq`ee9Q z@X0dZSAQUHIUDss_uv8E4(_hibH5jO3*>(XkC2-zYfDSZT?XE5BL&agVL<0l*1L73 zY%{)={h78Sg#fdA_N1~&qi4zIpwgau-d_^%a_H&Z;F+xP0xy$%@yfzC&wS$XOHYLH z!oQD~Kdb!j<9Pxn#eo+*-