From f91b08bdec4562b845e80c4012d9c12b2e2ab17f Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Tue, 26 Dec 2023 05:28:26 +0100 Subject: [PATCH 001/288] enable DOH/DOQ using Let's Encrypt certs out of the box --- conf/AdGuardHome.yaml | 14 +++++++------- scripts/install | 6 ++++++ scripts/restore | 5 +++++ scripts/upgrade | 6 ++++++ 4 files changed, 24 insertions(+), 7 deletions(-) diff --git a/conf/AdGuardHome.yaml b/conf/AdGuardHome.yaml index a37ec830..aab71845 100644 --- a/conf/AdGuardHome.yaml +++ b/conf/AdGuardHome.yaml @@ -72,20 +72,20 @@ dns: resolve_clients: true local_ptr_upstreams: [] tls: - enabled: false - server_name: "" + enabled: __DNS_OVER_HTTPS__ + server_name: "__DOMAIN__" force_https: false port_https: 443 - port_dns_over_tls: 853 - port_dns_over_quic: 784 + port_dns_over_tls: __ADGUARD_DOT_PORT__ + port_dns_over_quic: __ADGUARD_DOQ_PORT__ port_dnscrypt: 0 dnscrypt_config_file: "" - allow_unencrypted_doh: __DNS_OVER_HTTPS__ + allow_unencrypted_doh: false strict_sni_check: false certificate_chain: "" private_key: "" - certificate_path: "" - private_key_path: "" + certificate_path: "/etc/yunohost/certs/__DOMAIN__/cert.pem" + private_key_path: "/etc/yunohost/certs/__DOMAIN__/key.pem" filters: - enabled: true url: https://adguardteam.github.io/AdGuardSDNSFilter/Filters/filter.txt diff --git a/scripts/install b/scripts/install index 5c2e176f..7acca718 100644 --- a/scripts/install +++ b/scripts/install @@ -54,6 +54,12 @@ ynh_add_nginx_config #================================================= # SPECIFIC SETUP +#================================================= + +# adding the adguardhome dedicated user to the 'ssl-cert' group to permit the +# use of the Let's Encrypt certs for DOT/DOQ +usermod -a -G "ssl-cert" "$app" + #================================================= # ADD A CONFIGURATION #================================================= diff --git a/scripts/restore b/scripts/restore index 6070641d..99660ff0 100644 --- a/scripts/restore 
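Review bot: `port_https: 443` is left unchanged in the `tls:` block while `enabled:` becomes the `__DNS_OVER_HTTPS__` placeholder, so once the option is true AdGuard Home is asked to open its own HTTPS listener on 443. On a YunoHost host that port is presumably already held by nginx, so the listener would either fail to bind or end up outside the reverse proxy's TLS and access rules. Consider giving it a dedicated, non-exposed port through its own placeholder, declared alongside the other ports.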
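Review bot: `usermod -a -G ssl-cert "$app"` runs unconditionally, so the service account joins the group that can read certificate private keys even when DNS-over-HTTPS stays disabled; the same line is added in the scripts/restore and scripts/upgrade hunks. Group membership is host-wide, so it presumably covers the key of every domain under /etc/yunohost/certs, not only `__DOMAIN__`. Consider guarding it with the option, e.g. `if [ "$dns_over_https" == "true" ]; then usermod -a -G ssl-cert "$app"; fi` (the value format may differ in restore and upgrade). The comment could also say that the membership should be dropped again when the option is turned off or the app is removed. The surrounding script sections start and end outside the hunk.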
+++ b/scripts/restore @@ -13,6 +13,11 @@ source /usr/share/yunohost/helpers #================================================= # RESTORE THE APP MAIN DIR #================================================= + +# adding the adguardhome dedicated user to the 'ssl-cert' group to permit the +# use of the Let's Encrypt certs for DOT/DOQ +usermod -a -G "ssl-cert" "$app" + ynh_script_progression --message="Restoring the app main directory..." --weight=1 ynh_restore_file --origin_path="$install_dir" diff --git a/scripts/upgrade b/scripts/upgrade index d036e39a..80709508 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -80,6 +80,12 @@ yunohost service add $app --description="Ads & trackers blocking DNS server" --n #================================================= # SPECIFIC UPGRADE +#================================================= + +# adding the adguardhome dedicated user to the 'ssl-cert' group to permit the +# use of the Let's Encrypt certs for DOT/DOQ +usermod -a -G "ssl-cert" "$app" + #================================================= # UPDATE A CONFIG FILE #================================================= From 93acc5640c68eb953d46c21cbf4fe8f816dbc80f Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Tue, 26 Dec 2023 05:35:37 +0100 Subject: [PATCH 002/288] typo --- conf/AdGuardHome.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/conf/AdGuardHome.yaml b/conf/AdGuardHome.yaml index aab71845..e1d99541 100644 --- a/conf/AdGuardHome.yaml +++ b/conf/AdGuardHome.yaml @@ -84,7 +84,7 @@ tls: strict_sni_check: false certificate_chain: "" private_key: "" - certificate_path: "/etc/yunohost/certs/__DOMAIN__/cert.pem" + certificate_path: "/etc/yunohost/certs/__DOMAIN__/crt.pem" private_key_path: "/etc/yunohost/certs/__DOMAIN__/key.pem" filters: - enabled: true From 48e1d682033d14c757a3bfc61837694955270d1f Mon Sep 17 00:00:00 2001 
From: OniriCorpe Date: Tue, 26 Dec 2023 05:44:56 +0100 Subject: [PATCH 003/288] fix args declaration --- scripts/install | 14 ++++++++------ scripts/upgrade | 4 ++-- 2 files changed, 10 insertions(+), 8 deletions(-) diff --git a/scripts/install b/scripts/install index 7acca718..04182a63 100644 --- a/scripts/install +++ b/scripts/install @@ -17,18 +17,20 @@ ynh_script_progression --message="Storing installation settings..." --weight=2 if [ "$dns_over_https" == "1" ]; then dns_over_https="true" - # DNS over TLS - adguard_DoT_port=853 - ynh_app_setting_set --app="$app" --key=adguard_DoT_port --value=$adguard_DoT_port ynh_exec_warn_less yunohost firewall allow --no-upnp UDP $adguard_DoT_port ynh_exec_warn_less yunohost firewall allow --no-upnp TCP $adguard_DoT_port - # DNS over QUIC - adguard_DoQ_port=784 - ynh_app_setting_set --app="$app" --key=adguard_DoQ_port --value=$adguard_DoQ_port ynh_exec_warn_less yunohost firewall allow --no-upnp UDP $adguard_DoQ_port else dns_over_https="false" fi + +# DNS over TLS +adguard_DoT_port=853 +ynh_app_setting_set --app="$app" --key=adguard_DoT_port --value=$adguard_DoT_port +# DNS over QUIC +adguard_DoQ_port=784 +ynh_app_setting_set --app="$app" --key=adguard_DoQ_port --value=$adguard_DoQ_port + ynh_app_setting_set --app="$app" --key=dns_over_https --value=$dns_over_https #================================================= diff --git a/scripts/upgrade b/scripts/upgrade index 80709508..a9bd237d 100644 --- a/scripts/upgrade +++ b/scripts/upgrade 
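Review bot: The `yunohost firewall allow` calls kept inside the `if` now read `$adguard_DoT_port` and `$adguard_DoQ_port` before they are assigned, because the two assignment blocks moved below `fi`. With the variables empty and unquoted, the commands run with the port argument missing, so the rules are not created (or the script aborts, if unset variables are fatal here). Move the assignments above the `if` and quote the arguments, e.g. `yunohost firewall allow --no-upnp TCP "$adguard_DoT_port"`, so an empty value is passed explicitly instead of vanishing.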
@@ -34,12 +34,12 @@ then dns_over_https="true" ynh_app_setting_set --app="$app" --key=dns_over_https --value=$dns_over_https # DNS over TLS - adguard_DoT_port=853 + adguard_DoT_port=853 ynh_app_setting_set --app=$app --key=adguard_DoT_port --value=$adguard_DoT_port ynh_exec_warn_less yunohost firewall allow --no-upnp UDP $adguard_DoT_port ynh_exec_warn_less yunohost firewall allow --no-upnp TCP $adguard_DoT_port # DNS over QUIC - adguard_DoQ_port=784 + adguard_DoQ_port=784 ynh_app_setting_set --app="$app" --key=adguard_DoQ_port --value=$adguard_DoQ_port ynh_exec_warn_less yunohost firewall allow --no-upnp UDP $adguard_DoQ_port elif [ -z "$dns_over_https" ] || [ "$dns_over_https" == "0" ]; From e23e23a54bfdbb7253aadfe8909d7852763aa5dd Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Tue, 26 Dec 2023 05:50:15 +0100 Subject: [PATCH 004/288] removal of unnecessary quotes --- scripts/install | 2 +- scripts/restore | 2 +- scripts/upgrade | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/scripts/install b/scripts/install index 04182a63..55f73343 100644 --- a/scripts/install +++ b/scripts/install @@ -60,7 +60,7 @@ ynh_add_nginx_config # adding the adguardhome dedicated user to the 'ssl-cert' group to permit the # use of the Let's Encrypt certs for DOT/DOQ -usermod -a -G "ssl-cert" "$app" +usermod -a -G ssl-cert "$app" #================================================= # ADD A CONFIGURATION diff --git a/scripts/restore b/scripts/restore index 99660ff0..a71b20b1 100644 --- a/scripts/restore +++ b/scripts/restore @@ -16,7 +16,7 @@ source /usr/share/yunohost/helpers # adding the adguardhome dedicated user to the 'ssl-cert' group to permit the # use of the Let's Encrypt certs for DOT/DOQ -usermod -a -G "ssl-cert" "$app" +usermod -a -G ssl-cert "$app" ynh_script_progression --message="Restoring the app main directory..." --weight=1 diff --git a/scripts/upgrade b/scripts/upgrade index a9bd237d..93beadd8 100644 --- a/scripts/upgrade +++ b/scripts/upgrade 
@@ -84,7 +84,7 @@ yunohost service add $app --description="Ads & trackers blocking DNS server" --n # adding the adguardhome dedicated user to the 'ssl-cert' group to permit the # use of the Let's Encrypt certs for DOT/DOQ -usermod -a -G "ssl-cert" "$app" +usermod -a -G ssl-cert "$app" #================================================= # UPDATE A CONFIG FILE From 0aa41375cb4fe689798f7ad47a28f7ad6a2c8dba Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Tue, 26 Dec 2023 05:55:30 +0100 Subject: [PATCH 005/288] am dumdum --- scripts/install | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/scripts/install b/scripts/install index 55f73343..addd8bfa 100644 --- a/scripts/install +++ b/scripts/install @@ -14,6 +14,13 @@ source /usr/share/yunohost/helpers #================================================= ynh_script_progression --message="Storing installation settings..." --weight=2 +# DNS over TLS +adguard_DoT_port=853 +ynh_app_setting_set --app="$app" --key=adguard_DoT_port --value=$adguard_DoT_port +# DNS over QUIC +adguard_DoQ_port=784 +ynh_app_setting_set --app="$app" --key=adguard_DoQ_port --value=$adguard_DoQ_port + if [ "$dns_over_https" == "1" ]; then dns_over_https="true" @@ -24,13 +31,6 @@ else dns_over_https="false" fi -# DNS over TLS -adguard_DoT_port=853 -ynh_app_setting_set --app="$app" --key=adguard_DoT_port --value=$adguard_DoT_port -# DNS over QUIC -adguard_DoQ_port=784 -ynh_app_setting_set --app="$app" --key=adguard_DoQ_port --value=$adguard_DoQ_port - ynh_app_setting_set --app="$app" --key=dns_over_https --value=$dns_over_https #================================================= From 41f9785fba5af1b635a7af693cdbff0aa9c44a49 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Tue, 26 Dec 2023 16:47:09 +0100 Subject: [PATCH 006/288] uncapitalize dot & doq vars --- scripts/install | 14 +++++++------- scripts/upgrade | 14 +++++++------- 2 files changed, 14 insertions(+), 14 deletions(-) 
diff --git a/scripts/install b/scripts/install index addd8bfa..f9d10f6d 100644 --- a/scripts/install +++ b/scripts/install @@ -15,18 +15,18 @@ source /usr/share/yunohost/helpers ynh_script_progression --message="Storing installation settings..." --weight=2 # DNS over TLS -adguard_DoT_port=853 -ynh_app_setting_set --app="$app" --key=adguard_DoT_port --value=$adguard_DoT_port +adguard_dot_port=853 +ynh_app_setting_set --app="$app" --key=adguard_dot_port --value=$adguard_dot_port # DNS over QUIC -adguard_DoQ_port=784 -ynh_app_setting_set --app="$app" --key=adguard_DoQ_port --value=$adguard_DoQ_port +adguard_doq_port=784 +ynh_app_setting_set --app="$app" --key=adguard_doq_port --value=$adguard_doq_port if [ "$dns_over_https" == "1" ]; then dns_over_https="true" - ynh_exec_warn_less yunohost firewall allow --no-upnp UDP $adguard_DoT_port - ynh_exec_warn_less yunohost firewall allow --no-upnp TCP $adguard_DoT_port - ynh_exec_warn_less yunohost firewall allow --no-upnp UDP $adguard_DoQ_port + ynh_exec_warn_less yunohost firewall allow --no-upnp UDP $adguard_dot_port + ynh_exec_warn_less yunohost firewall allow --no-upnp TCP $adguard_dot_port + ynh_exec_warn_less yunohost firewall allow --no-upnp UDP $adguard_doq_port else dns_over_https="false" fi diff --git a/scripts/upgrade b/scripts/upgrade index 93beadd8..9b8d0e51 100644 --- a/scripts/upgrade +++ b/scripts/upgrade 
@@ -34,14 +34,14 @@ then dns_over_https="true" ynh_app_setting_set --app="$app" --key=dns_over_https --value=$dns_over_https # DNS over TLS - adguard_DoT_port=853 - ynh_app_setting_set --app=$app --key=adguard_DoT_port --value=$adguard_DoT_port - ynh_exec_warn_less yunohost firewall allow --no-upnp UDP $adguard_DoT_port - ynh_exec_warn_less yunohost firewall allow --no-upnp TCP $adguard_DoT_port + adguard_dot_port=853 + ynh_app_setting_set --app=$app --key=adguard_dot_port --value=$adguard_dot_port + ynh_exec_warn_less yunohost firewall allow --no-upnp UDP $adguard_dot_port + ynh_exec_warn_less yunohost firewall allow --no-upnp TCP $adguard_dot_port # DNS over QUIC - adguard_DoQ_port=784 - ynh_app_setting_set --app="$app" --key=adguard_DoQ_port --value=$adguard_DoQ_port - ynh_exec_warn_less yunohost firewall allow --no-upnp UDP $adguard_DoQ_port + adguard_doq_port=784 + ynh_app_setting_set --app="$app" --key=adguard_doq_port --value=$adguard_doq_port + ynh_exec_warn_less yunohost firewall allow --no-upnp UDP $adguard_doq_port elif [ -z "$dns_over_https" ] || [ "$dns_over_https" == "0" ]; then dns_over_https="false" From 5b8e6276e06bec49f040f2c3549959af82ebf411 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Tue, 26 Dec 2023 16:54:42 +0100 Subject: [PATCH 007/288] rework dot and doq ports attributions --- scripts/upgrade | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/scripts/upgrade b/scripts/upgrade index 9b8d0e51..fbac0c39 100644 --- a/scripts/upgrade +++ b/scripts/upgrade 
@@ -29,18 +29,22 @@ ynh_systemd_action --service_name="$app" --action="stop" #================================================= ynh_script_progression --message="Ensuring downward compatibility..." --weight=1 -if [ -n "$dns_over_https" ] && [ "$dns_over_https" == "1" ]; +if [ -z "$adguard_dot_port" ] || [ -z "$adguard_doq_port" ]; then - dns_over_https="true" - ynh_app_setting_set --app="$app" --key=dns_over_https --value=$dns_over_https # DNS over TLS adguard_dot_port=853 ynh_app_setting_set --app=$app --key=adguard_dot_port --value=$adguard_dot_port - ynh_exec_warn_less yunohost firewall allow --no-upnp UDP $adguard_dot_port - ynh_exec_warn_less yunohost firewall allow --no-upnp TCP $adguard_dot_port # DNS over QUIC adguard_doq_port=784 ynh_app_setting_set --app="$app" --key=adguard_doq_port --value=$adguard_doq_port +fi + +if [ -n "$dns_over_https" ] && [ "$dns_over_https" == "1" ]; +then + dns_over_https="true" + ynh_app_setting_set --app="$app" --key=dns_over_https --value=$dns_over_https + ynh_exec_warn_less yunohost firewall allow --no-upnp UDP $adguard_dot_port + ynh_exec_warn_less yunohost firewall allow --no-upnp TCP $adguard_dot_port ynh_exec_warn_less yunohost firewall allow --no-upnp UDP $adguard_doq_port elif [ -z "$dns_over_https" ] || [ "$dns_over_https" == "0" ]; then From 54aef3496ac50eea93b5111ba30e061e41c63c9e Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Tue, 26 Dec 2023 16:57:05 +0100 Subject: [PATCH 008/288] use ynh_find_port to attribute properly dot and doq ports --- scripts/install | 4 ++-- scripts/upgrade | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/scripts/install b/scripts/install index f9d10f6d..ddbe8f0b 100644 --- a/scripts/install +++ b/scripts/install 
@@ -15,10 +15,10 @@ source /usr/share/yunohost/helpers ynh_script_progression --message="Storing installation settings..." --weight=2 # DNS over TLS -adguard_dot_port=853 +adguard_dot_port=ynh_find_port --port=853 ynh_app_setting_set --app="$app" --key=adguard_dot_port --value=$adguard_dot_port # DNS over QUIC -adguard_doq_port=784 +adguard_doq_port=ynh_find_port --port=784 ynh_app_setting_set --app="$app" --key=adguard_doq_port --value=$adguard_doq_port if [ "$dns_over_https" == "1" ]; diff --git a/scripts/upgrade b/scripts/upgrade index fbac0c39..9b61ecc6 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -32,10 +32,10 @@ ynh_script_progression --message="Ensuring downward compatibility..." --weight=1 if [ -z "$adguard_dot_port" ] || [ -z "$adguard_doq_port" ]; then # DNS over TLS - adguard_dot_port=853 + adguard_dot_port=ynh_find_port --port=853 ynh_app_setting_set --app=$app --key=adguard_dot_port --value=$adguard_dot_port # DNS over QUIC - adguard_doq_port=784 + adguard_doq_port=ynh_find_port --port=784 ynh_app_setting_set --app="$app" --key=adguard_doq_port --value=$adguard_doq_port fi From bf81f58546fcba7000446adeb68e1dd96962788f Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Tue, 26 Dec 2023 17:23:28 +0100 Subject: [PATCH 009/288] user ressources in manifest to declare dot and doq ports --- conf/AdGuardHome.yaml | 4 ++-- manifest.toml | 4 ++++ scripts/install | 10 ---------- scripts/upgrade | 13 ------------- 4 files changed, 6 insertions(+), 25 deletions(-) diff --git a/conf/AdGuardHome.yaml b/conf/AdGuardHome.yaml index e1d99541..81a6641d 100644 --- a/conf/AdGuardHome.yaml +++ b/conf/AdGuardHome.yaml @@ -76,8 +76,8 @@ tls: server_name: "__DOMAIN__" force_https: false port_https: 443 - port_dns_over_tls: __ADGUARD_DOT_PORT__ - port_dns_over_quic: __ADGUARD_DOQ_PORT__ + port_dns_over_tls: __PORT_DNS_OVER_HTTP__ + port_dns_over_quic: __PORT_DNS_OVER_QUIC__ port_dnscrypt: 0 dnscrypt_config_file: "" allow_unencrypted_doh: false 
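Review bot: `adguard_dot_port=ynh_find_port --port=853` does not call the helper: the shell treats it as a one-off environment assignment and then tries to run `--port=853` as a command. The variable is never set in the script, so the following `ynh_app_setting_set` stores an empty value. The DoQ line and both lines in the scripts/upgrade hunk have the same form. Use command substitution instead: `adguard_dot_port=$(ynh_find_port --port=853)` and `adguard_doq_port=$(ynh_find_port --port=784)`.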
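Review bot: `port_dns_over_tls` is filled from `__PORT_DNS_OVER_HTTP__`, a name that says HTTP for what the key and the 853 default in manifest.toml show to be the DNS-over-TLS listener. The mismatch makes firewall and proxy rules easy to misread, since DoH itself is served through a different port. Naming the resource `dns_over_tls` would give `port_dns_over_tls: __PORT_DNS_OVER_TLS__` here.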
diff --git a/manifest.toml b/manifest.toml index b2ecffd1..ab0746c8 100644 --- a/manifest.toml +++ b/manifest.toml @@ -67,6 +67,10 @@ autoupdate.strategy = "latest_github_release" [resources.ports] adguard.default = 53 adguard.exposed = "Both" +dns_over_http.default = 853 +dns_over_http.exposed = "Both" +dns_over_quic.default = 784 +dns_over_quic.exposed = "TCP" [resources.system_user] diff --git a/scripts/install b/scripts/install index ddbe8f0b..5bb6fb05 100644 --- a/scripts/install +++ b/scripts/install @@ -14,19 +14,9 @@ source /usr/share/yunohost/helpers #================================================= ynh_script_progression --message="Storing installation settings..." --weight=2 -# DNS over TLS -adguard_dot_port=ynh_find_port --port=853 -ynh_app_setting_set --app="$app" --key=adguard_dot_port --value=$adguard_dot_port -# DNS over QUIC -adguard_doq_port=ynh_find_port --port=784 -ynh_app_setting_set --app="$app" --key=adguard_doq_port --value=$adguard_doq_port - if [ "$dns_over_https" == "1" ]; then dns_over_https="true" - ynh_exec_warn_less yunohost firewall allow --no-upnp UDP $adguard_dot_port - ynh_exec_warn_less yunohost firewall allow --no-upnp TCP $adguard_dot_port - ynh_exec_warn_less yunohost firewall allow --no-upnp UDP $adguard_doq_port else dns_over_https="false" fi diff --git a/scripts/upgrade b/scripts/upgrade index 9b61ecc6..3e9a2c89 100644 --- a/scripts/upgrade +++ b/scripts/upgrade 
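Review bot: `dns_over_http.exposed` and `dns_over_quic.exposed` tie the firewall openings to port provisioning, independent of the `dns_over_https` install answer, while the same commit deletes the conditional `yunohost firewall allow` calls from scripts/install. As written, a user who declines the option presumably still ends up with 853 and 784 open. Either leave these two ports unexposed in the manifest and open them from the scripts only when the option is true, or close them explicitly on install, upgrade and restore when it is false.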
@@ -29,23 +29,10 @@ ynh_systemd_action --service_name="$app" --action="stop" #================================================= ynh_script_progression --message="Ensuring downward compatibility..." --weight=1 -if [ -z "$adguard_dot_port" ] || [ -z "$adguard_doq_port" ]; -then - # DNS over TLS - adguard_dot_port=ynh_find_port --port=853 - ynh_app_setting_set --app=$app --key=adguard_dot_port --value=$adguard_dot_port - # DNS over QUIC - adguard_doq_port=ynh_find_port --port=784 - ynh_app_setting_set --app="$app" --key=adguard_doq_port --value=$adguard_doq_port -fi - if [ -n "$dns_over_https" ] && [ "$dns_over_https" == "1" ]; then dns_over_https="true" ynh_app_setting_set --app="$app" --key=dns_over_https --value=$dns_over_https - ynh_exec_warn_less yunohost firewall allow --no-upnp UDP $adguard_dot_port - ynh_exec_warn_less yunohost firewall allow --no-upnp TCP $adguard_dot_port - ynh_exec_warn_less yunohost firewall allow --no-upnp UDP $adguard_doq_port elif [ -z "$dns_over_https" ] || [ "$dns_over_https" == "0" ]; then dns_over_https="false" From 6caf6dffdb8aa21cebfb389fe9e7fecdddf861c2 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Tue, 26 Dec 2023 17:37:08 +0100 Subject: [PATCH 010/288] fix quic protocol --- manifest.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifest.toml b/manifest.toml index ab0746c8..91817172 100644 --- a/manifest.toml +++ b/manifest.toml @@ -70,7 +70,7 @@ adguard.exposed = "Both" dns_over_http.default = 853 dns_over_http.exposed = "Both" dns_over_quic.default = 784 -dns_over_quic.exposed = "TCP" +dns_over_quic.exposed = "UDP" [resources.system_user] From 985606161571d7d5b25cde299978a5ece1d070c7 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Tue, 26 Dec 2023 17:49:51 +0100 Subject: [PATCH 011/288] add dot and doq port at service addition --- scripts/install | 2 +- scripts/restore | 2 +- scripts/upgrade | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) 
diff --git a/scripts/install b/scripts/install index 5bb6fb05..f50e59f8 100644 --- a/scripts/install +++ b/scripts/install @@ -117,7 +117,7 @@ ynh_script_progression --message="Configuring a systemd service..." --weight=1 # Create a dedicated systemd config ynh_add_systemd_config -yunohost service add $app --description="Ads & trackers blocking DNS server" --needs_exposed_ports $port_adguard +yunohost service add $app --description="Ads & trackers blocking DNS server" --needs_exposed_ports $port_adguard $port_dns_over_http $port_dns_over_quic #================================================= # START SYSTEMD SERVICE diff --git a/scripts/restore b/scripts/restore index a71b20b1..eccf9ef3 100644 --- a/scripts/restore +++ b/scripts/restore @@ -43,7 +43,7 @@ ynh_restore_file --origin_path="/etc/nginx/conf.d/$domain.d/$app.conf" ynh_restore_file --origin_path="/etc/systemd/system/$app.service" systemctl enable "$app.service" --quiet -yunohost service add $app --description="Ads & trackers blocking DNS server" --needs_exposed_ports $port_adguard +yunohost service add $app --description="Ads & trackers blocking DNS server" --needs_exposed_ports $port_adguard $port_dns_over_http $port_dns_over_quic #================================================= # START SYSTEMD SERVICE diff --git a/scripts/upgrade b/scripts/upgrade index 3e9a2c89..49447c99 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -67,7 +67,7 @@ ynh_add_nginx_config # Create a dedicated systemd config ynh_add_systemd_config -yunohost service add $app --description="Ads & trackers blocking DNS server" --needs_exposed_ports $port_adguard +yunohost service add $app --description="Ads & trackers blocking DNS server" --needs_exposed_ports $port_adguard $port_dns_over_http $port_dns_over_quic #================================================= # SPECIFIC UPGRADE From 3bb6d476378e8f56a40710a485d338f7df4fad44 Mon Sep 17 00:00:00 2001 
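Review bot: `--needs_exposed_ports` now lists `$port_dns_over_http` and `$port_dns_over_quic` unconditionally, in this hunk and in the matching scripts/restore and scripts/upgrade hunks. When DoH/DoQ is disabled those ports are meant to stay closed, yet the service is declared as needing them reachable, which presumably makes diagnostics report them as a problem and invites opening them. Build the list from the option instead, passing only `"$port_adguard"` when `dns_over_https` is false, and quote the variables.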
From: OniriCorpe Date: Tue, 26 Dec 2023 18:15:15 +0100 Subject: [PATCH 012/288] DoH and DoQ disabled by default; see #135 --- manifest.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifest.toml b/manifest.toml index 91817172..365e5341 100644 --- a/manifest.toml +++ b/manifest.toml @@ -46,7 +46,7 @@ type = "password" [install.dns_over_https] ask.en = "Should DNS-over-HTTPS be enabled? (If so, anyone who knows your adguard address can make a doh request to https://adguardomain.tld/dns-query)" -default = true +default = false type = "boolean" [resources] From e12323f72e4d311e2f713e5908829015db25a9e1 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Tue, 26 Dec 2023 18:25:58 +0100 Subject: [PATCH 013/288] trying to fix the weird bug where the main port is 443 --- manifest.toml | 1 + 1 file changed, 1 insertion(+) diff --git a/manifest.toml b/manifest.toml index 365e5341..b62a6d13 100644 --- a/manifest.toml +++ b/manifest.toml @@ -71,6 +71,7 @@ dns_over_http.default = 853 dns_over_http.exposed = "Both" dns_over_quic.default = 784 dns_over_quic.exposed = "UDP" +main.default = 13120 [resources.system_user] From 6f551cf865d5cb57e085791ddf7ac2f80bf68519 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Tue, 26 Dec 2023 20:22:10 +0100 Subject: [PATCH 014/288] fix bind for dns_over_https --- config_panel.toml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/config_panel.toml b/config_panel.toml index c8db66c9..7e9540da 100644 --- a/config_panel.toml +++ b/config_panel.toml @@ -4,9 +4,9 @@ version = "1.0" name = "AdguardHome configuration" services = ["__APP__"] - [main.options.dns_over_https] - ask = "Enable DNS-over-HTTPS" - type = "boolean" - yes = "true" - no = "false" - bind = "allow_unencrypted_doh:__INSTALL_DIR__/AdGuardHome.yaml" +[main.options.dns_over_https] +ask = "Enable DNS-over-HTTPS" +bind = "tls>enabled:__INSTALL_DIR__/AdGuardHome.yaml" +no = "false" +type = "boolean" +yes = "true" 
From 0319cb3e382529bd6e4e6146630b0de6898a7eed Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Tue, 26 Dec 2023 21:00:04 +0100 Subject: [PATCH 015/288] fix 'tls: port_https' --- conf/AdGuardHome.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/conf/AdGuardHome.yaml b/conf/AdGuardHome.yaml index 81a6641d..b88b3198 100644 --- a/conf/AdGuardHome.yaml +++ b/conf/AdGuardHome.yaml @@ -75,7 +75,7 @@ tls: enabled: __DNS_OVER_HTTPS__ server_name: "__DOMAIN__" force_https: false - port_https: 443 + port_https: __PORT_DNS_OVER_HTTP__ port_dns_over_tls: __PORT_DNS_OVER_HTTP__ port_dns_over_quic: __PORT_DNS_OVER_QUIC__ port_dnscrypt: 0 From d784bb90cf6d286bd6ba382f8576b9c8c3fc7f74 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Tue, 26 Dec 2023 21:02:15 +0100 Subject: [PATCH 016/288] puting __PORT_DNS_OVER_HTTP__ for /dns-query --- conf/nginx.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/conf/nginx.conf b/conf/nginx.conf index c07fbf25..d0944ea6 100644 --- a/conf/nginx.conf +++ b/conf/nginx.conf @@ -27,7 +27,7 @@ location /dns-query { proxy_http_version 1.1; proxy_read_timeout 6s; proxy_connect_timeout 6s; - proxy_pass http://127.0.0.1:__PORT__/dns-query; + proxy_pass http://127.0.0.1:__PORT_DNS_OVER_HTTP__/dns-query; } # disabling the API point of the built-in updater (which can break the installation) From 9f55785a1211a5e0b518ccd4d0325ed38845d615 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Tue, 26 Dec 2023 21:07:37 +0100 Subject: [PATCH 017/288] replacing __PORT_DNS_OVER_HTTP__ by __PORT__ for port_https and /dns-query --- conf/AdGuardHome.yaml | 2 +- conf/nginx.conf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/conf/AdGuardHome.yaml b/conf/AdGuardHome.yaml index b88b3198..5ec1cd22 100644 --- a/conf/AdGuardHome.yaml +++ b/conf/AdGuardHome.yaml 
@@ -75,7 +75,7 @@ tls: enabled: __DNS_OVER_HTTPS__ server_name: "__DOMAIN__" force_https: false - port_https: __PORT_DNS_OVER_HTTP__ + port_https: __PORT__ port_dns_over_tls: __PORT_DNS_OVER_HTTP__ port_dns_over_quic: __PORT_DNS_OVER_QUIC__ port_dnscrypt: 0 diff --git a/conf/nginx.conf b/conf/nginx.conf index d0944ea6..c07fbf25 100644 --- a/conf/nginx.conf +++ b/conf/nginx.conf @@ -27,7 +27,7 @@ location /dns-query { proxy_http_version 1.1; proxy_read_timeout 6s; proxy_connect_timeout 6s; - proxy_pass http://127.0.0.1:__PORT_DNS_OVER_HTTP__/dns-query; + proxy_pass http://127.0.0.1:__PORT__/dns-query; } # disabling the API point of the built-in updater (which can break the installation) From 6a5f073fb361b2ea6f13a900f80a8fef615005c8 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Tue, 26 Dec 2023 21:36:51 +0100 Subject: [PATCH 018/288] trying with a new different port --- conf/AdGuardHome.yaml | 2 +- conf/nginx.conf | 2 +- manifest.toml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/conf/AdGuardHome.yaml b/conf/AdGuardHome.yaml index 5ec1cd22..8ef33aa4 100644 --- a/conf/AdGuardHome.yaml +++ b/conf/AdGuardHome.yaml @@ -75,7 +75,7 @@ tls: enabled: __DNS_OVER_HTTPS__ server_name: "__DOMAIN__" force_https: false - port_https: __PORT__ + port_https: __PORT_INTERNAL_HTTPS__ port_dns_over_tls: __PORT_DNS_OVER_HTTP__ port_dns_over_quic: __PORT_DNS_OVER_QUIC__ port_dnscrypt: 0 diff --git a/conf/nginx.conf b/conf/nginx.conf index c07fbf25..03a8ef7e 100644 --- a/conf/nginx.conf +++ b/conf/nginx.conf @@ -27,7 +27,7 @@ location /dns-query { proxy_http_version 1.1; proxy_read_timeout 6s; proxy_connect_timeout 6s; - proxy_pass http://127.0.0.1:__PORT__/dns-query; + proxy_pass http://127.0.0.1:__PORT_INTERNAL_HTTPS__/dns-query; } # disabling the API point of the built-in updater (which can break the installation) diff --git a/manifest.toml b/manifest.toml index b62a6d13..d08f098f 100644 --- a/manifest.toml +++ b/manifest.toml 
@@ -71,7 +71,7 @@ dns_over_http.default = 853 dns_over_http.exposed = "Both" dns_over_quic.default = 784 dns_over_quic.exposed = "UDP" -main.default = 13120 +internal_https.default = 13120 [resources.system_user] From d038c903d3c8f3ecaeb8cbad47beee0c1194890c Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Tue, 26 Dec 2023 21:42:40 +0100 Subject: [PATCH 019/288] add quic mention --- manifest.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifest.toml b/manifest.toml index d08f098f..c567065b 100644 --- a/manifest.toml +++ b/manifest.toml @@ -45,7 +45,7 @@ type = "user" type = "password" [install.dns_over_https] -ask.en = "Should DNS-over-HTTPS be enabled? (If so, anyone who knows your adguard address can make a doh request to https://adguardomain.tld/dns-query)" +ask.en = "Should DNS-over-HTTPS/QUIC be enabled? (If so, anyone who knows your adguard address can make a doh request to https://adguardomain.tld/dns-query)" default = false type = "boolean" From cbd3ad057e409ca0d89746648bda414222006129 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Tue, 26 Dec 2023 21:54:15 +0100 Subject: [PATCH 020/288] set https and proxy_ssl_session_reuse on to avoid unnecessary CPU consumption --- conf/nginx.conf | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/conf/nginx.conf b/conf/nginx.conf index 03a8ef7e..9b255cb4 100644 --- a/conf/nginx.conf +++ b/conf/nginx.conf @@ -27,7 +27,8 @@ location /dns-query { proxy_http_version 1.1; proxy_read_timeout 6s; proxy_connect_timeout 6s; - proxy_pass http://127.0.0.1:__PORT_INTERNAL_HTTPS__/dns-query; + proxy_ssl_session_reuse on; + proxy_pass https://127.0.0.1:__PORT_INTERNAL_HTTPS__/dns-query; } # disabling the API point of the built-in updater (which can break the installation) From c9c017af09178bd46f3da14fa77ac54b063d3ce5 Mon Sep 17 00:00:00 2001 
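Review bot: `proxy_pass https://127.0.0.1:__PORT_INTERNAL_HTTPS__/dns-query;` switches the upstream to TLS, but nginx does not verify upstream certificates unless `proxy_ssl_verify on;` is set, so the encryption adds no authentication of the backend. The certificate configured for AdGuard Home is issued for `__DOMAIN__`, not 127.0.0.1, so verification would also need `proxy_ssl_name __DOMAIN__;` and a `proxy_ssl_trusted_certificate` pointing at the CA bundle. If verification is deliberately skipped because the hop is loopback-only, a comment saying so would help. The location block starts outside the hunk.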
From: OniriCorpe Date: Tue, 26 Dec 2023 22:17:18 +0100 Subject: [PATCH 021/288] open or close DoH/DoQ ports according to the selected choice in the config panel --- config_panel.toml | 2 +- scripts/config | 38 ++++++++++++++++++++++++++++++++++++++ 2 files changed, 39 insertions(+), 1 deletion(-) create mode 100644 scripts/config diff --git a/config_panel.toml b/config_panel.toml index 7e9540da..ce27c170 100644 --- a/config_panel.toml +++ b/config_panel.toml @@ -5,7 +5,7 @@ name = "AdguardHome configuration" services = ["__APP__"] [main.options.dns_over_https] -ask = "Enable DNS-over-HTTPS" +ask = "Enable DNS-over-HTTPS/QUIC" bind = "tls>enabled:__INSTALL_DIR__/AdGuardHome.yaml" no = "false" type = "boolean" diff --git a/scripts/config b/scripts/config new file mode 100644 index 00000000..7141bdbe --- /dev/null +++ b/scripts/config 
@@ -0,0 +1,38 @@ +#!/bin/bash + +#================================================= +# GENERIC STARTING +#================================================= +# IMPORT GENERIC HELPERS +#================================================= + +source _common.sh +source /usr/share/yunohost/helpers + +ynh_abort_if_errors + +#================================================= +# CUSTOM THINGS +#================================================= + +ynh_app_config_apply() { + _ynh_app_config_apply + + if [ "$dns_over_https" == "true" ]; then + ynh_script_progression --message="Opening DoH and DoQ ports..." + # if DNS over HTTPS/QUIC is activated, open the associated ports + ynh_exec_warn_less yunohost firewall allow --no-upnp TCP "$port_dns_over_http" + ynh_exec_warn_less yunohost firewall allow --no-upnp TCP "$port_dns_over_quic" + yunohost firewall reload + elif [ "$dns_over_https" == "false" ]; then + # else if false, close them + ynh_script_progression --message="Closing DoH and DoQ ports..." + ynh_exec_warn_less yunohost firewall disallow --no-upnp TCP "$port_dns_over_http" + ynh_exec_warn_less yunohost firewall disallow --no-upnp TCP "$port_dns_over_quic" + yunohost firewall reload + else + # else, throw error + ynh_print_warn --message="The variable 'dns_over_https' should be 'true' or 'false' but isn't, please report this." + fi + +} \ No newline at end of file From acd0d6f4a8c614928c0b5420718fa2b5af708be1 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Tue, 26 Dec 2023 22:21:33 +0100 Subject: [PATCH 022/288] fix TCP/UDP opening/closing --- scripts/config | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/scripts/config b/scripts/config index 7141bdbe..5f585f82 100644 --- a/scripts/config +++ b/scripts/config 
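Review bot: The new file ends at the closing brace of `ynh_app_config_apply` with nothing that dispatches the requested action, so the override that opens and closes the ports is defined but, as far as this file shows, never invoked. YunoHost config scripts normally finish with `ynh_app_config_run $1`; add it after the function, together with the missing final newline. In the last branch an unexpected `dns_over_https` value only prints a warning after `_ynh_app_config_apply` has already written the setting, leaving the firewall state unchanged; `ynh_die` would make that failure visible.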
@@ -22,13 +22,15 @@ ynh_app_config_apply() { ynh_script_progression --message="Opening DoH and DoQ ports..." # if DNS over HTTPS/QUIC is activated, open the associated ports ynh_exec_warn_less yunohost firewall allow --no-upnp TCP "$port_dns_over_http" - ynh_exec_warn_less yunohost firewall allow --no-upnp TCP "$port_dns_over_quic" + ynh_exec_warn_less yunohost firewall allow --no-upnp UDP "$port_dns_over_http" + ynh_exec_warn_less yunohost firewall allow --no-upnp UDP "$port_dns_over_quic" yunohost firewall reload elif [ "$dns_over_https" == "false" ]; then # else if false, close them ynh_script_progression --message="Closing DoH and DoQ ports..." ynh_exec_warn_less yunohost firewall disallow --no-upnp TCP "$port_dns_over_http" - ynh_exec_warn_less yunohost firewall disallow --no-upnp TCP "$port_dns_over_quic" + ynh_exec_warn_less yunohost firewall disallow --no-upnp UDP "$port_dns_over_http" + ynh_exec_warn_less yunohost firewall disallow --no-upnp UDP "$port_dns_over_quic" yunohost firewall reload else # else, throw error From d99bc8893d32d55877efd780863f97da29c95442 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Tue, 26 Dec 2023 22:25:48 +0100 Subject: [PATCH 023/288] close DoH/DoQ ports if needed --- scripts/install | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/scripts/install b/scripts/install index f50e59f8..915cf06a 100644 --- a/scripts/install +++ b/scripts/install 
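Review bot: `yunohost firewall allow --no-upnp UDP "$port_dns_over_http"` opens UDP on the port that conf/AdGuardHome.yaml assigns to `port_dns_over_tls`, and DNS-over-TLS is a TCP service; DoQ has its own UDP port on the next line. Unless something else is meant to listen there, the UDP rule only widens the firewall. Dropping the UDP allow/disallow pair for `$port_dns_over_http`, and setting `dns_over_http.exposed = "TCP"` in manifest.toml, keeps the exposed surface to what is actually served. The function body starts outside the hunk.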
@@ -17,8 +17,15 @@ ynh_script_progression --message="Storing installation settings..." --weight=2 if [ "$dns_over_https" == "1" ]; then dns_over_https="true" + # no need to open the ports, as they were opened at the 'Provisioning ports' step else dns_over_https="false" + # if dns_over_https is false, we need to close ports, + # as they were opened at the 'Provisioning ports' step + ynh_exec_warn_less yunohost firewall disallow --no-upnp TCP "$port_dns_over_http" + ynh_exec_warn_less yunohost firewall disallow --no-upnp UDP "$port_dns_over_http" + ynh_exec_warn_less yunohost firewall disallow --no-upnp UDP "$port_dns_over_quic" + ynh_exec_warn_less yunohost firewall reload fi ynh_app_setting_set --app="$app" --key=dns_over_https --value=$dns_over_https From 516a83a9e64e52a6c89e09c3d5051bf4db6e5609 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Tue, 26 Dec 2023 22:28:34 +0100 Subject: [PATCH 024/288] asking user if DoH/DoQ is activated --- .github/ISSUE_TEMPLATE.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/.github/ISSUE_TEMPLATE.md b/.github/ISSUE_TEMPLATE.md index 2729a6b2..a2742d31 100755 --- a/.github/ISSUE_TEMPLATE.md +++ b/.github/ISSUE_TEMPLATE.md @@ -5,13 +5,15 @@ about: When creating a bug report, please use the following template to provide --- **How to post a meaningful bug report** + 1. *Read this whole template first.* 2. *Determine if you are on the right place:* - *If you were performing an action on the app from the webadmin or the CLI (install, update, backup, restore, change_url...), you are on the right place!* - *Otherwise, the issue may be due to the app itself. Refer to its documentation or repository for help.* - *When in doubt, post here and we will figure it out together.* 3. *Delete the italic comments as you write over them below, and remove this guide.* ---- + +--- ### Describe the bug 
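Review bot: According to the added comments, the ports are opened at the 'Provisioning ports' step and then closed here when the user declined, which is a fail-open sequence. If one of the `disallow` calls fails, or the script stops before this block, the ports stay reachable. It would be more robust to leave them closed at provisioning and call `yunohost firewall allow` only in the `"1"` branch; whether the ports resource can be declared unexposed should be checked against the packaging documentation. The same pattern is repeated in the restore and upgrade hunks of the later "handle closing unnecessary ports" commit.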
@@ -26,13 +28,16 @@ about: When creating a bug report, please use the following template to provide - If yes, please explain: - Using, or trying to install package version/branch: - If upgrading, current package version: *can be found in the admin, or with `yunohost app info $app_id`* +- Is DNS over HTTP or DNS over QUIC activated?: *no / yes* ### Steps to reproduce - *If you performed a command from the CLI, the command itself is enough. For example:* + ```sh sudo yunohost app install the_app ``` + - *If you used the webadmin, please perform the equivalent command from the CLI first.* - *If the error occurs in your browser, explain what you did:* 1. *Go to '...'* @@ -47,6 +52,7 @@ about: When creating a bug report, please use the following template to provide ### Logs *When an operation fails, YunoHost provides a simple way to share the logs.* + - *In the webadmin, the error message contains a link to the relevant log page. On that page, you will be able to 'Share with Yunopaste'. If you missed it, the logs of previous operations are also available under Tools > Logs.* - *In command line, the command to share the logs is displayed at the end of the operation and looks like `yunohost log display [log name] --share`. If you missed it, you can find the log ID of a previous operation using `yunohost log list`.* From 0475073364c749147781671dda1fca2e2ac89c05 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Tue, 26 Dec 2023 22:51:43 +0100 Subject: [PATCH 025/288] bump schema_version & better default config --- conf/AdGuardHome.yaml | 178 +++++++++++++++++++++++++++--------------- 1 file changed, 116 insertions(+), 62 deletions(-) diff --git a/conf/AdGuardHome.yaml b/conf/AdGuardHome.yaml index 8ef33aa4..ff65a253 100644 --- a/conf/AdGuardHome.yaml +++ b/conf/AdGuardHome.yaml 
@@ -1,76 +1,78 @@ -bind_host: 0.0.0.0 -bind_port: __PORT__ -beta_bind_port: 0 +http: + pprof: + port: 6060 + enabled: false + address: 0.0.0.0:__PORT__ + session_ttl: 720h users: -- name: __ADMIN__ - password: __PASSWORD__ + - name: __ADMIN__ + password: __PASSWORD__ auth_attempts: 5 block_auth_min: 15 http_proxy: "" language: "" -rlimit_nofile: 0 -debug_pprof: false -web_session_ttl: 720 +theme: auto dns: bind_hosts: __IPV4_ADDR__ __IPV6_ADDR__ port: __PORT_ADGUARD__ - statistics_interval: 1 - querylog_enabled: true - querylog_file_enabled: true - querylog_interval: 90 - querylog_size_memory: 1000 anonymize_client_ip: false - protection_enabled: true - blocking_mode: default - blocking_ipv4: "" - blocking_ipv6: "" - blocked_response_ttl: 10 - parental_block_host: family-block.dns.adguard.com - safebrowsing_block_host: standard-block.dns.adguard.com ratelimit: 20 + ratelimit_subnet_len_ipv4: 24 + ratelimit_subnet_len_ipv6: 56 ratelimit_whitelist: [] refuse_any: true upstream_dns: - - https://dns10.quad9.net/dns-query + - https://dns10.quad9.net/dns-query + - https://dns.mullvad.net/dns-query + - https://dns-unfiltered.adguard.com/dns-query upstream_dns_file: "" bootstrap_dns: - 9.9.9.10 - 149.112.112.10 + - 194.242.2.2 - 2620:fe::10 - 2620:fe::fe:10 - all_servers: false + - 2a07:e340::2 + fallback_dns: [] + all_servers: true fastest_addr: false + fastest_timeout: 1s allowed_clients: [] disallowed_clients: [] blocked_hosts: - - version.bind - - id.server - - hostname.bind - cache_size: 4194304 - cache_ttl_min: 0 - cache_ttl_max: 0 + - version.bind + - id.server + - hostname.bind + trusted_proxies: + - 127.0.0.0/8 + - ::1/128 + cache_size: 41943040 + cache_ttl_min: 10800 + cache_ttl_max: 86400 + cache_optimistic: true bogus_nxdomain: [] aaaa_disabled: false enable_dnssec: false - edns_client_subnet: false + edns_client_subnet: + custom_ip: "" + enabled: false + use_custom: false max_goroutines: 300 + handle_ddr: true ipset: [] - filtering_enabled: true - 
filters_update_interval: 24 - parental_enabled: false - safesearch_enabled: false - safebrowsing_enabled: false - safebrowsing_cache_size: 1048576 - safesearch_cache_size: 1048576 - parental_cache_size: 1048576 - cache_time: 30 - rewrites: [] - blocked_services: [] - local_domain_name: lan - resolve_clients: true + ipset_file: "" + bootstrap_prefer_ipv6: true + upstream_timeout: 10s + private_networks: [] + use_private_ptr_resolvers: false local_ptr_upstreams: [] + use_dns64: false + dns64_prefixes: [] + serve_http3: true + use_http3_upstreams: true + serve_plain_dns: true tls: enabled: __DNS_OVER_HTTPS__ server_name: "__DOMAIN__" 
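Review bot: `all_servers: true` together with the two added upstreams means, as far as I know, that every query is sent in parallel to three third-party resolvers, so three operators see the full query stream. Keeping `all_servers: false` avoids sending each query to all of them while still leaving several upstreams configured. Separately, `cache_ttl_min: 10800` overrides record TTLs with a three-hour floor, so a changed or withdrawn record keeps being served from cache. A much smaller floor, or a comment next to it explaining the trade-off, would be worth adding.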
@@ -80,30 +82,41 @@ tls: port_dns_over_quic: __PORT_DNS_OVER_QUIC__ port_dnscrypt: 0 dnscrypt_config_file: "" - allow_unencrypted_doh: false - strict_sni_check: false + allow_unencrypted_doh: true certificate_chain: "" private_key: "" certificate_path: "/etc/yunohost/certs/__DOMAIN__/crt.pem" private_key_path: "/etc/yunohost/certs/__DOMAIN__/key.pem" + strict_sni_check: false +querylog: + ignored: [] + interval: 24h + size_memory: 1000 + enabled: true + file_enabled: true +statistics: + ignored: [] + interval: 720h + enabled: true filters: -- enabled: true - url: https://adguardteam.github.io/AdGuardSDNSFilter/Filters/filter.txt - name: AdGuard DNS filter - id: 1 -- enabled: false - url: https://adaway.org/hosts.txt - name: AdAway Default Blocklist - id: 2 -- enabled: false - url: https://www.malwaredomainlist.com/hostslist/hosts.txt - name: MalwareDomainList.com Hosts List - id: 4 + - enabled: true + url: https://adguardteam.github.io/AdGuardSDNSFilter/Filters/filter.txt + name: AdGuard DNS filter + id: 1 + - enabled: false + url: https://adaway.org/hosts.txt + name: AdAway Default Blocklist + id: 2 + - enabled: false + url: https://www.malwaredomainlist.com/hostslist/hosts.txt + name: MalwareDomainList.com Hosts List + id: 3 whitelist_filters: [] user_rules: [] dhcp: enabled: false interface_name: "" + local_domain_name: lan dhcpv4: gateway_ip: "" subnet_mask: "" 
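Review bot: `allow_unencrypted_doh: true` makes the web listener answer DoH over plain HTTP, and the first hunk of this file binds that listener to `0.0.0.0:__PORT__`. That combination is only safe if the port is reachable solely through the local reverse proxy that `trusted_proxies` suggests; otherwise DNS queries and the admin login can cross the network unencrypted. Binding to loopback, `address: 127.0.0.1:__PORT__`, would enforce that assumption in the config itself instead of relying on the firewall, assuming nothing else needs direct access.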
@@ -117,13 +130,54 @@ dhcp: lease_duration: 86400 ra_slaac_only: false ra_allow_slaac: false -clients: [] +filtering: + blocking_ipv4: "" + blocking_ipv6: "" + blocked_services: + schedule: + time_zone: Local + ids: [] + protection_disabled_until: null + safe_search: + enabled: false + bing: false + duckduckgo: false + google: false + pixabay: false + yandex: false + youtube: false + blocking_mode: refused + parental_block_host: family-block.dns.adguard.com + safebrowsing_block_host: standard-block.dns.adguard.com + rewrites: [] + safebrowsing_cache_size: 1048576 + safesearch_cache_size: 1048576 + parental_cache_size: 1048576 + cache_time: 30 + filters_update_interval: 12 + blocked_response_ttl: 10 + filtering_enabled: true + parental_enabled: false + safebrowsing_enabled: true + protection_enabled: true +clients: + runtime_sources: + whois: true + arp: true + rdns: true + dhcp: true + hosts: true + persistent: [] log: - compress: false - localtime: false + file: "" max_backups: 0 max_size: 100 max_age: 3 - file: "" -verbose: false -schema_version: 10 \ No newline at end of file + compress: false + local_time: false + verbose: false +os: + group: "__APP__" + user: "__APP__" + rlimit_nofile: 0 +schema_version: 27 \ No newline at end of file From 8aa3f1508b7a41a2a9a24b1facc0171828863d0b Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Tue, 26 Dec 2023 23:14:07 +0100 Subject: [PATCH 026/288] handle closing unnecessary ports at restore and upgrade --- scripts/restore | 14 ++++++++++++++ scripts/upgrade | 7 +++++++ 2 files changed, 21 insertions(+) diff --git a/scripts/restore b/scripts/restore index eccf9ef3..4a2edb76 100644 --- a/scripts/restore +++ b/scripts/restore 
@@ -10,6 +10,20 @@ source ../settings/scripts/_common.sh source /usr/share/yunohost/helpers +#================================================= +# CLOSE UNNECESSARY PORTS +# no need to open the ports, as they were opened at the 'Provisioning ports' step +#================================================= + +if [ "$dns_over_https" == "false" ]; then + # if dns_over_https is false, we need to close ports, + # as they were opened at the 'Provisioning ports' step + ynh_exec_warn_less yunohost firewall disallow --no-upnp TCP "$port_dns_over_http" + ynh_exec_warn_less yunohost firewall disallow --no-upnp UDP "$port_dns_over_http" + ynh_exec_warn_less yunohost firewall disallow --no-upnp UDP "$port_dns_over_quic" + ynh_exec_warn_less yunohost firewall reload +fi + #================================================= # RESTORE THE APP MAIN DIR #================================================= diff --git a/scripts/upgrade b/scripts/upgrade index 49447c99..df9debd8 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -33,10 +33,17 @@ if [ -n "$dns_over_https" ] && [ "$dns_over_https" == "1" ]; then dns_over_https="true" ynh_app_setting_set --app="$app" --key=dns_over_https --value=$dns_over_https + # no need to open the ports, as they were opened at the 'Provisioning ports' step elif [ -z "$dns_over_https" ] || [ "$dns_over_https" == "0" ]; then dns_over_https="false" ynh_app_setting_set --app="$app" --key=dns_over_https --value=$dns_over_https + # if dns_over_https is false, we need to close ports, + # as they were opened at the 'Provisioning ports' step + ynh_exec_warn_less yunohost firewall disallow --no-upnp TCP "$port_dns_over_http" + ynh_exec_warn_less yunohost firewall disallow --no-upnp UDP "$port_dns_over_http" + ynh_exec_warn_less yunohost firewall disallow --no-upnp UDP "$port_dns_over_quic" + ynh_exec_warn_less yunohost firewall reload fi #================================================= From f198af5425f37ec0a1c48d220a82fff7be927c3a Mon Sep 17 00:00:00 2001 
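Review bot: The restore check closes the ports only when `$dns_over_https` is exactly `"false"`, while the upgrade script in this same commit still has to convert the legacy values `"1"` and `"0"`. A backup taken before that conversion would restore with `"0"` or an empty value and skip this block, leaving the ports opened at provisioning reachable. Normalising the legacy values first and then testing for the enabled case, `if [ "$dns_over_https" != "true" ]; then`, makes closed the default.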
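Review bot: In the upgrade hunk the `disallow` calls sit inside the legacy-conversion `elif`, so they run only when the stored value is empty or `"0"`. Once the setting has been migrated to `"false"`, neither branch matches on later upgrades. If provisioning re-opens the ports as the comment says, they then stay open with the feature disabled. Moving the firewall block out of the conversion into its own `if [ "$dns_over_https" == "false" ]; then` after it would cover both cases.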
From: OniriCorpe Date: Tue, 26 Dec 2023 23:35:34 +0100 Subject: [PATCH 027/288] use a custom setter in place of ynh_app_config_apply --- config_panel.toml | 1 - scripts/config | 10 ++++++---- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/config_panel.toml b/config_panel.toml index ce27c170..506d655c 100644 --- a/config_panel.toml +++ b/config_panel.toml @@ -6,7 +6,6 @@ services = ["__APP__"] [main.options.dns_over_https] ask = "Enable DNS-over-HTTPS/QUIC" -bind = "tls>enabled:__INSTALL_DIR__/AdGuardHome.yaml" no = "false" type = "boolean" yes = "true" diff --git a/scripts/config b/scripts/config index 5f585f82..e3eacfb5 100644 --- a/scripts/config +++ b/scripts/config @@ -12,11 +12,10 @@ source /usr/share/yunohost/helpers ynh_abort_if_errors #================================================= -# CUSTOM THINGS +# SPECIFIC SETTERS #================================================= -ynh_app_config_apply() { - _ynh_app_config_apply +set__dns_over_https() { if [ "$dns_over_https" == "true" ]; then ynh_script_progression --message="Opening DoH and DoQ ports..." @@ -37,4 +36,7 @@ ynh_app_config_apply() { ynh_print_warn --message="The variable 'dns_over_https' should be 'true' or 'false' but isn't, please report this." fi -} \ No newline at end of file + # save the new setting + ynh_app_setting_set "$app" prices "$dns_over_https" +} + From 7bfab1e0b3517ebae3068021a0db57554d79fd71 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Tue, 26 Dec 2023 23:40:45 +0100 Subject: [PATCH 028/288] fix SC2086 --- scripts/change_url | 4 ++-- scripts/install | 12 ++++++------ scripts/restore | 6 +++--- scripts/upgrade | 10 +++++----- 4 files changed, 16 insertions(+), 16 deletions(-) diff --git a/scripts/change_url b/scripts/change_url index 5c25374f..d63b767d 100644 --- a/scripts/change_url +++ b/scripts/change_url 
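Review bot: The new setter stores the value under the key `prices` (`ynh_app_setting_set "$app" prices "$dns_over_https"`), so the `dns_over_https` setting read by install, restore and upgrade never changes and the firewall state can drift from what those scripts assume. It should be `ynh_app_setting_set --app="$app" --key=dns_over_https --value="$dns_over_https"`. The save also runs after the `else` branch, so an invalid value is persisted too; returning early there would avoid that. `set__dns_over_https` is only partly visible across these two hunks.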
@@ -16,7 +16,7 @@ source /usr/share/yunohost/helpers #================================================= ynh_script_progression --message="Stopping a systemd service..." --weight=1 -ynh_systemd_action --service_name=$app --action="stop" --log_path="systemd" +ynh_systemd_action --service_name="$app" --action="stop" --log_path="systemd" #================================================= # MODIFY URL IN NGINX CONF @@ -32,7 +32,7 @@ ynh_change_url_nginx_config #================================================= ynh_script_progression --message="Starting a systemd service..." --weight=1 -ynh_systemd_action --service_name=$app --action="start" --log_path="systemd" +ynh_systemd_action --service_name="$app" --action="start" --log_path="systemd" #================================================= # END OF SCRIPT diff --git a/scripts/install b/scripts/install index 915cf06a..d1cbe89a 100644 --- a/scripts/install +++ b/scripts/install @@ -28,7 +28,7 @@ else ynh_exec_warn_less yunohost firewall reload fi -ynh_app_setting_set --app="$app" --key=dns_over_https --value=$dns_over_https +ynh_app_setting_set --app="$app" --key=dns_over_https --value="$dns_over_https" #================================================= # DOWNLOAD, CHECK AND UNPACK SOURCE @@ -36,12 +36,12 @@ ynh_app_setting_set --app="$app" --key=dns_over_https --value=$dns_over_https ynh_script_progression --message="Setting up source files..." --weight=4 # Download, check integrity, uncompress and patch the source from app.src -ynh_setup_source --dest_dir=$install_dir +ynh_setup_source --dest_dir="$install_dir " chmod -R o-rwx "$install_dir" -chown -R $app:$app "$install_dir" +chown -R "$app:$app" "$install_dir" -setcap 'CAP_NET_BIND_SERVICE=+eip CAP_NET_RAW=+eip' $install_dir/AdGuardHome +setcap 'CAP_NET_BIND_SERVICE=+eip CAP_NET_RAW=+eip' "$install_dir/AdGuardHome" #================================================= # NGINX CONFIGURATION 
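Review bot: The quoting fix in the install hunk introduces a trailing space inside the quotes, `--dest_dir="$install_dir "`. The sources would then be unpacked into a directory whose name ends with a space, while the following `chmod`, `chown` and `setcap` lines act on `"$install_dir"` without it. It should read `ynh_setup_source --dest_dir="$install_dir"`. The upgrade hunk of this commit has the same line.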
@@ -114,7 +114,7 @@ ynh_app_setting_set --app="$app" --key=password --value="$password" ynh_add_config --template="../conf/AdGuardHome.yaml" --destination="$install_dir/AdGuardHome.yaml" chmod 600 "$install_dir/AdGuardHome.yaml" -chown -R $app:$app "$install_dir/AdGuardHome.yaml" +chown -R "$app:$app" "$install_dir/AdGuardHome.yaml" #================================================= # SETUP SYSTEMD @@ -124,7 +124,7 @@ ynh_script_progression --message="Configuring a systemd service..." --weight=1 # Create a dedicated systemd config ynh_add_systemd_config -yunohost service add $app --description="Ads & trackers blocking DNS server" --needs_exposed_ports $port_adguard $port_dns_over_http $port_dns_over_quic +yunohost service add "$app" --description="Ads & trackers blocking DNS server" --needs_exposed_ports "$port_adguard" "$port_dns_over_http" "$port_dns_over_quic" #================================================= # START SYSTEMD SERVICE diff --git a/scripts/restore b/scripts/restore index 4a2edb76..1d292df6 100644 --- a/scripts/restore +++ b/scripts/restore @@ -39,9 +39,9 @@ ynh_restore_file --origin_path="$install_dir" # this will be treated as a security issue. chmod 750 "$install_dir" chmod -R o-rwx "$install_dir" -chown -R $app:$app "$install_dir" +chown -R "$app:$app" "$install_dir" -setcap 'CAP_NET_BIND_SERVICE=+eip CAP_NET_RAW=+eip' $install_dir/AdGuardHome +setcap 'CAP_NET_BIND_SERVICE=+eip CAP_NET_RAW=+eip' "$install_dir/AdGuardHome" ynh_restore_file --origin_path="/etc/dnsmasq.d/$app" 
@@ -57,7 +57,7 @@ ynh_restore_file --origin_path="/etc/nginx/conf.d/$domain.d/$app.conf" ynh_restore_file --origin_path="/etc/systemd/system/$app.service" systemctl enable "$app.service" --quiet -yunohost service add $app --description="Ads & trackers blocking DNS server" --needs_exposed_ports $port_adguard $port_dns_over_http $port_dns_over_quic +yunohost service add "$app" --description="Ads & trackers blocking DNS server" --needs_exposed_ports "$port_adguard" "$port_dns_over_http" "$port_dns_over_quic" #================================================= # START SYSTEMD SERVICE diff --git a/scripts/upgrade b/scripts/upgrade index df9debd8..1061e28b 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -55,13 +55,13 @@ then ynh_script_progression --message="Upgrading source files..." --weight=1 # Download, check integrity, uncompress and patch the source from app.src - ynh_setup_source --dest_dir=$install_dir + ynh_setup_source --dest_dir="$install_dir " fi chmod -R o-rwx "$install_dir" -chown -R $app:$app "$install_dir" +chown -R "$app:$app" "$install_dir" -setcap 'CAP_NET_BIND_SERVICE=+eip CAP_NET_RAW=+eip' $install_dir/AdGuardHome +setcap 'CAP_NET_BIND_SERVICE=+eip CAP_NET_RAW=+eip' "$install_dir/AdGuardHome" #================================================= # NGINX CONFIGURATION @@ -74,7 +74,7 @@ ynh_add_nginx_config # Create a dedicated systemd config ynh_add_systemd_config -yunohost service add $app --description="Ads & trackers blocking DNS server" --needs_exposed_ports $port_adguard $port_dns_over_http $port_dns_over_quic +yunohost service add "$app" --description="Ads & trackers blocking DNS server" --needs_exposed_ports "$port_adguard" "$port_dns_over_http" "$port_dns_over_quic" #================================================= # SPECIFIC UPGRADE 
@@ -156,7 +156,7 @@ if need_file_update: " chmod 600 "$install_dir/AdGuardHome.yaml" -chown -R $app:$app "$install_dir/AdGuardHome.yaml" +chown -R "$app:$app" "$install_dir/AdGuardHome.yaml" #================================================= # START SYSTEMD SERVICE From 0c6de738af94850800c655bfd1c5dcb120b01c46 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Tue, 26 Dec 2023 23:48:41 +0100 Subject: [PATCH 029/288] restore the bind --- config_panel.toml | 1 + 1 file changed, 1 insertion(+) diff --git a/config_panel.toml b/config_panel.toml index 506d655c..a3c79424 100644 --- a/config_panel.toml +++ b/config_panel.toml @@ -9,3 +9,4 @@ ask = "Enable DNS-over-HTTPS/QUIC" no = "false" type = "boolean" yes = "true" +bind = "tls>enabled:__INSTALL_DIR__/AdGuardHome.yaml" From 0c0266156c3c1cfdd427f29b2981fcfcb4650866 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Wed, 27 Dec 2023 00:08:06 +0100 Subject: [PATCH 030/288] Update scripts/config Co-authored-by: Alexandre Aubin <4533074+alexAubin@users.noreply.github.com> --- scripts/config | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/config b/scripts/config index e3eacfb5..1348ef7a 100644 --- a/scripts/config +++ b/scripts/config @@ -37,6 +37,6 @@ set__dns_over_https() { fi # save the new setting - ynh_app_setting_set "$app" prices "$dns_over_https" + ynh_app_setting_set "$app" dns_over_https "$dns_over_https" } From 74d16e44d368a2cacf43015938fb4ef72c66aafd Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Wed, 27 Dec 2023 00:08:17 +0100 Subject: [PATCH 031/288] Update scripts/config Co-authored-by: Alexandre Aubin <4533074+alexAubin@users.noreply.github.com> --- scripts/config | 1 + 1 file changed, 1 insertion(+) diff --git a/scripts/config b/scripts/config index 1348ef7a..98b6342a 100644 --- a/scripts/config +++ b/scripts/config @@ -40,3 +40,4 @@ set__dns_over_https() { ynh_app_setting_set "$app" dns_over_https "$dns_over_https" } +ynh_app_config_run $1 
From e8f7f5036950fc9d057b59fac019fc2f07100a91 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Wed, 27 Dec 2023 00:17:16 +0100 Subject: [PATCH 032/288] exposing port 53 on the Internet should be a deliberate choice, see #135 --- config_panel.toml | 8 +++++++- scripts/config | 37 ++++++++++++++++++++++++++++++------- scripts/install | 22 +++++++++++++++++----- scripts/restore | 10 +++++++--- scripts/upgrade | 24 +++++++++++++++++------- 5 files changed, 78 insertions(+), 23 deletions(-) diff --git a/config_panel.toml b/config_panel.toml index a3c79424..d6582a58 100644 --- a/config_panel.toml +++ b/config_panel.toml @@ -4,8 +4,14 @@ version = "1.0" name = "AdguardHome configuration" services = ["__APP__"] +[main.options.open_port_53] +ask = "Open port 53 to the Internet?" +no = "false" +type = "boolean" +yes = "true" + [main.options.dns_over_https] -ask = "Enable DNS-over-HTTPS/QUIC" +ask = "Enable DNS-over-HTTPS/QUIC?" no = "false" type = "boolean" yes = "true" diff --git a/scripts/config b/scripts/config index e3eacfb5..4f2af333 100644 --- a/scripts/config +++ b/scripts/config 
@@ -15,21 +15,40 @@ ynh_abort_if_errors # SPECIFIC SETTERS #================================================= +set__open_port_53() { + + if [ "$open_port_53" == "true" ]; then + ynh_script_progression --message="Opening port 53..." + # if the user would expose port 53 to the Internet, open it + ynh_exec_warn_less yunohost firewall allow Both "$port_adguard" + yunohost firewall reload + elif [ "$open_port_53" == "false" ]; then + # else if false, close it + ynh_script_progression --message="Closing port 53..." + ynh_exec_warn_less yunohost firewall disallow Both "$port_adguard" + yunohost firewall reload + else + # else, throw error + ynh_print_warn --message="The variable 'open_port_53' should be 'true' or 'false' but isn't, please report this." + fi + + # save the new setting + ynh_app_setting_set "$app" --key=open_port_53 --value="$open_port_53" +} + set__dns_over_https() { if [ "$dns_over_https" == "true" ]; then ynh_script_progression --message="Opening DoH and DoQ ports..." # if DNS over HTTPS/QUIC is activated, open the associated ports - ynh_exec_warn_less yunohost firewall allow --no-upnp TCP "$port_dns_over_http" - ynh_exec_warn_less yunohost firewall allow --no-upnp UDP "$port_dns_over_http" - ynh_exec_warn_less yunohost firewall allow --no-upnp UDP "$port_dns_over_quic" + ynh_exec_warn_less yunohost firewall allow Both "$port_dns_over_http" + ynh_exec_warn_less yunohost firewall allow UDP "$port_dns_over_quic" yunohost firewall reload elif [ "$dns_over_https" == "false" ]; then # else if false, close them ynh_script_progression --message="Closing DoH and DoQ ports..." 
- ynh_exec_warn_less yunohost firewall disallow --no-upnp TCP "$port_dns_over_http" - ynh_exec_warn_less yunohost firewall disallow --no-upnp UDP "$port_dns_over_http" - ynh_exec_warn_less yunohost firewall disallow --no-upnp UDP "$port_dns_over_quic" + ynh_exec_warn_less yunohost firewall disallow Both "$port_dns_over_http" + ynh_exec_warn_less yunohost firewall disallow UDP "$port_dns_over_quic" yunohost firewall reload else # else, throw error @@ -37,6 +56,10 @@ set__dns_over_https() { fi # save the new setting - ynh_app_setting_set "$app" prices "$dns_over_https" + ynh_app_setting_set "$app" --key=dns_over_https --value="$dns_over_https" } +#================================================= +# GENERIC FINALIZATION +#================================================= +ynh_app_config_run $1 diff --git a/scripts/install b/scripts/install index d1cbe89a..51965370 100644 --- a/scripts/install +++ b/scripts/install 
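Review bot: Both setters now end with `ynh_app_setting_set "$app" --key=... --value=...`, mixing a positional first argument with named options. As far as I know the helper's argument parser switches to positional mode when the first argument has no leading dash, in which case the literal `--key=open_port_53` would be used as the key; this should be checked. The fully named form used in the install script, `ynh_app_setting_set --app="$app" --key=open_port_53 --value="$open_port_53"`, avoids the question. The hunk also drops `--no-upnp` from every `firewall allow`/`disallow` call without a mention in the commit message; if that is intended, a comment saying so would help.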
@@ -14,22 +14,34 @@ source /usr/share/yunohost/helpers #================================================= ynh_script_progression --message="Storing installation settings..." --weight=2 -if [ "$dns_over_https" == "1" ]; -then +if [ "$dns_over_https" == "1" ]; then dns_over_https="true" # no need to open the ports, as they were opened at the 'Provisioning ports' step else dns_over_https="false" # if dns_over_https is false, we need to close ports, # as they were opened at the 'Provisioning ports' step - ynh_exec_warn_less yunohost firewall disallow --no-upnp TCP "$port_dns_over_http" - ynh_exec_warn_less yunohost firewall disallow --no-upnp UDP "$port_dns_over_http" - ynh_exec_warn_less yunohost firewall disallow --no-upnp UDP "$port_dns_over_quic" + ynh_exec_warn_less yunohost firewall disallow Both "$port_dns_over_http" + ynh_exec_warn_less yunohost firewall disallow UDP "$port_dns_over_quic" ynh_exec_warn_less yunohost firewall reload fi ynh_app_setting_set --app="$app" --key=dns_over_https --value="$dns_over_https" +if [ "$open_port_53" == "1" ]; then + open_port_53="true" + # no need to open th port, as it were opened at the 'Provisioning ports' step +else + open_port_53="false" + # if open_port_53 is false, we need to close port, + # as it were opened at the 'Provisioning ports' step + ynh_exec_warn_less yunohost firewall disallow Both "$port_dns_over_http" + ynh_exec_warn_less yunohost firewall reload +fi + +ynh_app_setting_set --app="$app" --key=open_port_53 --value="$open_port_53" + + #================================================= # DOWNLOAD, CHECK AND UNPACK SOURCE #================================================= diff --git a/scripts/restore b/scripts/restore index 1d292df6..84bdd3f6 100644 --- a/scripts/restore +++ b/scripts/restore 
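Review bot: The new `open_port_53` block closes the wrong port: its `else` branch runs `yunohost firewall disallow Both "$port_dns_over_http"`, which looks copied from the block above. Port 53 therefore stays exposed when the user answers no, and the encrypted-DNS port is closed even when that feature is enabled. The line should target the plain DNS port, `ynh_exec_warn_less yunohost firewall disallow Both "$port_adguard"`, as the config-panel setter in this commit does. The restore and upgrade hunks of this commit contain the same line and need the same fix.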
@@ -18,9 +18,13 @@ source /usr/share/yunohost/helpers if [ "$dns_over_https" == "false" ]; then # if dns_over_https is false, we need to close ports, # as they were opened at the 'Provisioning ports' step - ynh_exec_warn_less yunohost firewall disallow --no-upnp TCP "$port_dns_over_http" - ynh_exec_warn_less yunohost firewall disallow --no-upnp UDP "$port_dns_over_http" - ynh_exec_warn_less yunohost firewall disallow --no-upnp UDP "$port_dns_over_quic" + ynh_exec_warn_less yunohost firewall disallow Both "$port_dns_over_http" + ynh_exec_warn_less yunohost firewall disallow UDP "$port_dns_over_quic" + ynh_exec_warn_less yunohost firewall reload +fi + +if [ "$open_port_53" == "false" ]; then + ynh_exec_warn_less yunohost firewall disallow Both "$port_dns_over_http" ynh_exec_warn_less yunohost firewall reload fi diff --git a/scripts/upgrade b/scripts/upgrade index 1061e28b..412e9261 100644 --- a/scripts/upgrade +++ b/scripts/upgrade 
@@ -29,23 +29,33 @@ ynh_systemd_action --service_name="$app" --action="stop" #================================================= ynh_script_progression --message="Ensuring downward compatibility..." --weight=1 -if [ -n "$dns_over_https" ] && [ "$dns_over_https" == "1" ]; -then +if [ -n "$dns_over_https" ] && [ "$dns_over_https" == "1" ]; then dns_over_https="true" ynh_app_setting_set --app="$app" --key=dns_over_https --value=$dns_over_https # no need to open the ports, as they were opened at the 'Provisioning ports' step -elif [ -z "$dns_over_https" ] || [ "$dns_over_https" == "0" ]; -then +elif [ -z "$dns_over_https" ] || [ "$dns_over_https" == "0" ]; then dns_over_https="false" ynh_app_setting_set --app="$app" --key=dns_over_https --value=$dns_over_https # if dns_over_https is false, we need to close ports, # as they were opened at the 'Provisioning ports' step - ynh_exec_warn_less yunohost firewall disallow --no-upnp TCP "$port_dns_over_http" - ynh_exec_warn_less yunohost firewall disallow --no-upnp UDP "$port_dns_over_http" - ynh_exec_warn_less yunohost firewall disallow --no-upnp UDP "$port_dns_over_quic" + ynh_exec_warn_less yunohost firewall disallow Both "$port_dns_over_http" + ynh_exec_warn_less yunohost firewall disallow UDP "$port_dns_over_quic" + ynh_exec_warn_less yunohost firewall reload +fi + +if [ -n "$open_port_53" ] && [ "$open_port_53" == "1" ]; then + open_port_53="true" + # no need to open th port, as it were opened at the 'Provisioning ports' step +elif [ -z "$open_port_53" ] || [ "$open_port_53" == "0" ]; then + open_port_53="false" + # if open_port_53 is false, we need to close port, + # as it were opened at the 'Provisioning ports' step + ynh_exec_warn_less yunohost firewall disallow Both "$port_dns_over_http" ynh_exec_warn_less yunohost firewall reload fi +ynh_app_setting_set --app="$app" --key=open_port_53 --value="$open_port_53" + #================================================= # DOWNLOAD, CHECK AND UNPACK SOURCE 
#================================================= From 4e867eab91e595463189f6b64b47616618c606fb Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Wed, 27 Dec 2023 00:20:29 +0100 Subject: [PATCH 033/288] fix --- scripts/config | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/scripts/config b/scripts/config index 13e73c57..7509bb38 100644 --- a/scripts/config +++ b/scripts/config @@ -56,16 +56,11 @@ set__dns_over_https() { fi # save the new setting -<<<<<<< HEAD ynh_app_setting_set "$app" --key=dns_over_https --value="$dns_over_https" } - + #================================================= # GENERIC FINALIZATION #================================================= -======= - ynh_app_setting_set "$app" dns_over_https "$dns_over_https" -} ->>>>>>> 74d16e44d368a2cacf43015938fb4ef72c66aafd ynh_app_config_run $1 From 587cdce928870989b3e5ae4bc5a7640af7ae8a82 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Wed, 27 Dec 2023 00:20:42 +0100 Subject: [PATCH 034/288] quoting --- scripts/config | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/config b/scripts/config index 7509bb38..54504d75 100644 --- a/scripts/config +++ b/scripts/config @@ -63,4 +63,4 @@ set__dns_over_https() { # GENERIC FINALIZATION #================================================= -ynh_app_config_run $1 +ynh_app_config_run "$1" From fa2ef95f385b86433a155e895b1826bd540f7d8e Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Wed, 27 Dec 2023 00:26:18 +0100 Subject: [PATCH 035/288] asking to expose port 53 at installation --- config_panel.toml | 2 +- manifest.toml | 5 +++++ 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/config_panel.toml b/config_panel.toml index d6582a58..7c4829a7 100644 --- a/config_panel.toml +++ b/config_panel.toml 
@@ -5,7 +5,7 @@ name = "AdguardHome configuration" services = ["__APP__"] [main.options.open_port_53] -ask = "Open port 53 to the Internet?" +ask = "Expose port 53 to the Internet?" no = "false" type = "boolean" yes = "true" diff --git a/manifest.toml b/manifest.toml index c567065b..3a3c8b55 100644 --- a/manifest.toml +++ b/manifest.toml @@ -44,6 +44,11 @@ type = "user" [install.password] type = "password" +[install.open_port_53] +ask.en = "Expose port 53 to the Internet? (If so, anyone who knows your server's IP can make a DNS request to it)" +default = false +type = "boolean" + [install.dns_over_https] ask.en = "Should DNS-over-HTTPS/QUIC be enabled? (If so, anyone who knows your adguard address can make a doh request to https://adguardomain.tld/dns-query)" default = false From 9682d3bc415c1399c4b1a6d61570f9c7746b04fb Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Wed, 27 Dec 2023 00:31:05 +0100 Subject: [PATCH 036/288] typo --- scripts/install | 2 +- scripts/upgrade | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/install b/scripts/install index 51965370..dfcd0b2f 100644 --- a/scripts/install +++ b/scripts/install @@ -48,7 +48,7 @@ ynh_app_setting_set --app="$app" --key=open_port_53 --value="$open_port_53" ynh_script_progression --message="Setting up source files..." --weight=4 # Download, check integrity, uncompress and patch the source from app.src -ynh_setup_source --dest_dir="$install_dir " +ynh_setup_source --dest_dir="$install_dir" chmod -R o-rwx "$install_dir" chown -R "$app:$app" "$install_dir" diff --git a/scripts/upgrade b/scripts/upgrade index 412e9261..30961f26 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -65,7 +65,7 @@ then ynh_script_progression --message="Upgrading source files..." --weight=1 # Download, check integrity, uncompress and patch the source from app.src - ynh_setup_source --dest_dir="$install_dir " + ynh_setup_source --dest_dir="$install_dir" fi chmod -R o-rwx "$install_dir" 
From a1ed293caa522e57a6ce383ef9ba67f5bf2b8251 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Wed, 27 Dec 2023 00:40:32 +0100 Subject: [PATCH 037/288] warns about amplification attacks --- manifest.toml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/manifest.toml b/manifest.toml index 3a3c8b55..35351ff3 100644 --- a/manifest.toml +++ b/manifest.toml @@ -45,12 +45,14 @@ type = "user" type = "password" [install.open_port_53] -ask.en = "Expose port 53 to the Internet? (If so, anyone who knows your server's IP can make a DNS request to it)" +ask.en = "Expose port 53 to the Internet?" +help.en = "If so, anyone who knows your server's IP can make a DNS request to it. It may be used to perform amplification attacks: https://en.wikipedia.org/wiki/Denial-of-service_attack#Amplification" default = false type = "boolean" [install.dns_over_https] -ask.en = "Should DNS-over-HTTPS/QUIC be enabled? (If so, anyone who knows your adguard address can make a doh request to https://adguardomain.tld/dns-query)" +ask.en = "Should DNS-over-HTTPS/QUIC be enabled?" +help.en = "If so, anyone who knows your adguard address can make a doh request to https://adguardomain.tld/dns-query" default = false type = "boolean" From f47ae330919189c3dfaeaaf68c10d346df0ccd92 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Wed, 27 Dec 2023 01:10:26 +0100 Subject: [PATCH 038/288] tell the ynh core that port 53 is mandatory for DNS --- manifest.toml | 1 + 1 file changed, 1 insertion(+) diff --git a/manifest.toml b/manifest.toml index 35351ff3..97e60527 100644 --- a/manifest.toml +++ b/manifest.toml @@ -74,6 +74,7 @@ autoupdate.strategy = "latest_github_release" [resources.ports] adguard.default = 53 adguard.exposed = "Both" +adguard.fixed = true dns_over_http.default = 853 dns_over_http.exposed = "Both" dns_over_quic.default = 784 From fced44bdb10e3d3d9e34db02c1cf394ddd49cd42 Mon Sep 17 00:00:00 2001 
From: OniriCorpe Date: Wed, 27 Dec 2023 01:20:28 +0100 Subject: [PATCH 039/288] fix unbound var --- scripts/upgrade | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/scripts/upgrade b/scripts/upgrade index 30961f26..fbc964e2 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -29,6 +29,7 @@ ynh_systemd_action --service_name="$app" --action="stop" #================================================= ynh_script_progression --message="Ensuring downward compatibility..." --weight=1 +ynh_app_setting_get --app="$app" --key=dns_over_https if [ -n "$dns_over_https" ] && [ "$dns_over_https" == "1" ]; then dns_over_https="true" ynh_app_setting_set --app="$app" --key=dns_over_https --value=$dns_over_https @@ -43,19 +44,20 @@ elif [ -z "$dns_over_https" ] || [ "$dns_over_https" == "0" ]; then ynh_exec_warn_less yunohost firewall reload fi +ynh_app_setting_get --app="$app" --key=open_port_53 if [ -n "$open_port_53" ] && [ "$open_port_53" == "1" ]; then open_port_53="true" + ynh_app_setting_set --app="$app" --key=open_port_53 --value="$open_port_53" # no need to open th port, as it were opened at the 'Provisioning ports' step elif [ -z "$open_port_53" ] || [ "$open_port_53" == "0" ]; then open_port_53="false" + ynh_app_setting_set --app="$app" --key=open_port_53 --value="$open_port_53" # if open_port_53 is false, we need to close port, # as it were opened at the 'Provisioning ports' step ynh_exec_warn_less yunohost firewall disallow Both "$port_dns_over_http" ynh_exec_warn_less yunohost firewall reload fi -ynh_app_setting_set --app="$app" --key=open_port_53 --value="$open_port_53" - #================================================= # DOWNLOAD, CHECK AND UNPACK SOURCE #================================================= From d5b68fded1e9d2e85c07d717d27afc65c3946ea8 Mon Sep 17 00:00:00 2001 
From: OniriCorpe Date: Wed, 27 Dec 2023 01:28:11 +0100 Subject: [PATCH 040/288] properly fix unbound vars --- scripts/upgrade | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/scripts/upgrade b/scripts/upgrade index fbc964e2..5fb98202 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -29,12 +29,11 @@ ynh_systemd_action --service_name="$app" --action="stop" #================================================= ynh_script_progression --message="Ensuring downward compatibility..." --weight=1 -ynh_app_setting_get --app="$app" --key=dns_over_https -if [ -n "$dns_over_https" ] && [ "$dns_over_https" == "1" ]; then +if [ -n "${dns_over_https:-}" ] && [ "${dns_over_https:-}" == "1" ]; then dns_over_https="true" ynh_app_setting_set --app="$app" --key=dns_over_https --value=$dns_over_https # no need to open the ports, as they were opened at the 'Provisioning ports' step -elif [ -z "$dns_over_https" ] || [ "$dns_over_https" == "0" ]; then +elif [ -z "${dns_over_https:-}" ] || [ "${dns_over_https:-}" == "0" ]; then dns_over_https="false" ynh_app_setting_set --app="$app" --key=dns_over_https --value=$dns_over_https # if dns_over_https is false, we need to close ports, @@ -44,12 +43,11 @@ elif [ -z "$dns_over_https" ] || [ "$dns_over_https" == "0" ]; then ynh_exec_warn_less yunohost firewall reload fi -ynh_app_setting_get --app="$app" --key=open_port_53 -if [ -n "$open_port_53" ] && [ "$open_port_53" == "1" ]; then +if [ -n "${open_port_53:-}" ] && [ "${open_port_53:-}" == "1" ]; then open_port_53="true" ynh_app_setting_set --app="$app" --key=open_port_53 --value="$open_port_53" # no need to open th port, as it were opened at the 'Provisioning ports' step -elif [ -z "$open_port_53" ] || [ "$open_port_53" == "0" ]; then +elif [ -z "${open_port_53:-}" ] || [ "${open_port_53:-}" == "0" ]; then open_port_53="false" ynh_app_setting_set --app="$app" --key=open_port_53 --value="$open_port_53" # if open_port_53 is false, we need to close port, 
From 55a11a72757cbaa7fe06600e223129ead0977431 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Wed, 27 Dec 2023 01:35:02 +0100 Subject: [PATCH 041/288] removed unnecessary relative path --- scripts/install | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/install b/scripts/install index dfcd0b2f..b72c0eee 100644 --- a/scripts/install +++ b/scripts/install @@ -123,7 +123,7 @@ password=$(python3 -c "import bcrypt; print(bcrypt.hashpw(b\"$password\", bcrypt ynh_app_setting_set --app="$app" --key=password --value="$password" # Main config File -ynh_add_config --template="../conf/AdGuardHome.yaml" --destination="$install_dir/AdGuardHome.yaml" +ynh_add_config --template="AdGuardHome.yaml" --destination="$install_dir/AdGuardHome.yaml" chmod 600 "$install_dir/AdGuardHome.yaml" chown -R "$app:$app" "$install_dir/AdGuardHome.yaml" From 556b2458ef39fdb2014a53a666da07a97b635908 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Wed, 27 Dec 2023 02:32:52 +0100 Subject: [PATCH 042/288] fill the 'tls:' section at upgrade --- scripts/upgrade | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/scripts/upgrade b/scripts/upgrade index 5fb98202..2652ce0d 100644 --- a/scripts/upgrade +++ b/scripts/upgrade 
@@ -43,6 +43,26 @@ elif [ -z "${dns_over_https:-}" ] || [ "${dns_over_https:-}" == "0" ]; then ynh_exec_warn_less yunohost firewall reload fi +# fill the 'tls:' section of the AGH configuration if necessary +if grep -q "certificate_path: \"\"" "$install_dir/AdGuardHome.yaml" || grep -q "private_key_path: \"\"" "$install_dir/AdGuardHome.yaml" || grep -q "server_name: \"\"" "$install_dir/AdGuardHome.yaml"; then + ynh_replace_string --match_string="enabled: \"\"" --replace_string="enabled: \"$dns_over_https\"" --target_file="$install_dir/AdGuardHome.yaml" + # using sed magic because of the line break :/ + sed --in-place "/tls:$/{n;s/enabled: false/enabled: $dns_over_https/}" "$install_dir/AdGuardHome.yaml" + ynh_replace_string --match_string="server_name: \"\"" --replace_string="server_name: \"$domain\"" --target_file="$install_dir/AdGuardHome.yaml" + ynh_replace_string --match_string="allow_unencrypted_doh: false" --replace_string="allow_unencrypted_doh: true" --target_file="$install_dir/AdGuardHome.yaml" + ynh_replace_string --match_string="certificate_path: \"\"" --replace_string="certificate_path: \"/etc/yunohost/certs/$domain/crt.pem\"" --target_file="$install_dir/AdGuardHome.yaml" + ynh_replace_string --match_string="private_key_path: \"\"" --replace_string="private_key_path: \"/etc/yunohost/certs/$domain/key.pem\"" --target_file="$install_dir/AdGuardHome.yaml" +fi + +# check if one of 'port_https:', 'port_dns_over_tls:' or 'port_dns_over_quic:' uses the default setting +if grep -q "port_https: \"443\"" "$install_dir/AdGuardHome.yaml" || grep -q "port_dns_over_tls: \"853\"" "$install_dir/AdGuardHome.yaml" || grep -q "port_dns_over_quic: \"784\"" "$install_dir/AdGuardHome.yaml"; then + # if so: mandatory replacement for them + # (because the final user can't easily know the ports used by the package) + ynh_replace_string --match_string="port_https: \"443\"" --replace_string="port_https: \"$port_internal_https\"" --target_file="$install_dir/AdGuardHome.yaml" + 
ynh_replace_string --match_string="port_dns_over_tls: \"853\"" --replace_string="port_dns_over_tls: \"$port_dns_over_http\"" --target_file="$install_dir/AdGuardHome.yaml" + ynh_replace_string --match_string="port_dns_over_quic: \"784\"" --replace_string="port_dns_over_quic: \"$port_dns_over_quic\"" --target_file="$install_dir/AdGuardHome.yaml" +fi + if [ -n "${open_port_53:-}" ] && [ "${open_port_53:-}" == "1" ]; then open_port_53="true" ynh_app_setting_set --app="$app" --key=open_port_53 --value="$open_port_53" From f65fc16f3f8c6bec7665cb46f4d9696155743d2f Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Wed, 27 Dec 2023 03:26:04 +0100 Subject: [PATCH 043/288] hardcode port 53 (mandatory but conflicting with dnsmasq and the core) --- conf/AdGuardHome.yaml | 2 +- manifest.toml | 3 --- scripts/config | 4 ++-- scripts/install | 8 +++----- scripts/restore | 9 +++++---- scripts/upgrade | 11 ++++++----- 6 files changed, 17 insertions(+), 20 deletions(-) diff --git a/conf/AdGuardHome.yaml b/conf/AdGuardHome.yaml index ff65a253..c0d20769 100644 --- a/conf/AdGuardHome.yaml +++ b/conf/AdGuardHome.yaml @@ -16,7 +16,7 @@ dns: bind_hosts: __IPV4_ADDR__ __IPV6_ADDR__ - port: __PORT_ADGUARD__ + port: 53 anonymize_client_ip: false ratelimit: 20 ratelimit_subnet_len_ipv4: 24 diff --git a/manifest.toml b/manifest.toml index 97e60527..fc0ba0ad 100644 --- a/manifest.toml +++ b/manifest.toml @@ -72,9 +72,6 @@ autoupdate.asset.armhf = "^AdGuardHome_linux_armv7.tar.gz$" autoupdate.strategy = "latest_github_release" [resources.ports] -adguard.default = 53 -adguard.exposed = "Both" -adguard.fixed = true dns_over_http.default = 853 dns_over_http.exposed = "Both" dns_over_quic.default = 784 diff --git a/scripts/config b/scripts/config index 54504d75..8d4ed165 100644 --- a/scripts/config +++ b/scripts/config 
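Review bot: In the `tls:` fill-in block added at `@@ -43,6 +43,26 @@`, the rewrite of `allow_unencrypted_doh: false` to `allow_unencrypted_doh: true` runs whenever any of the three fields is empty, independently of `$dns_over_https`. An admin who declined DoH still ends up with AdGuard Home accepting DoH over plain HTTP; whether that listener is reachable depends on the nginx configuration, which is not visible here. Guarding that one call with `if [ "$dns_over_https" == "true" ]; then … fi` keeps the file consistent with the stored setting. The port check below also greps for quoted values such as `port_https: \"443\"`, which would not match a config that stores the ports as bare integers, so confirm against a real AdGuardHome.yaml.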
@@ -20,12 +20,12 @@ set__open_port_53() { if [ "$open_port_53" == "true" ]; then ynh_script_progression --message="Opening port 53..." # if the user would expose port 53 to the Internet, open it - ynh_exec_warn_less yunohost firewall allow Both "$port_adguard" + ynh_exec_warn_less yunohost firewall allow Both 53 yunohost firewall reload elif [ "$open_port_53" == "false" ]; then # else if false, close it ynh_script_progression --message="Closing port 53..." - ynh_exec_warn_less yunohost firewall disallow Both "$port_adguard" + ynh_exec_warn_less yunohost firewall disallow Both 53 yunohost firewall reload else # else, throw error diff --git a/scripts/install b/scripts/install index b72c0eee..73c1fef4 100644 --- a/scripts/install +++ b/scripts/install @@ -30,13 +30,11 @@ ynh_app_setting_set --app="$app" --key=dns_over_https --value="$dns_over_https" if [ "$open_port_53" == "1" ]; then open_port_53="true" - # no need to open th port, as it were opened at the 'Provisioning ports' step + # if open_port_53 is true, we need to open port 53 + ynh_exec_warn_less yunohost firewall allow Both 53 + ynh_exec_warn_less yunohost firewall reload else open_port_53="false" - # if open_port_53 is false, we need to close port, - # as it were opened at the 'Provisioning ports' step - ynh_exec_warn_less yunohost firewall disallow Both "$port_dns_over_http" - ynh_exec_warn_less yunohost firewall reload fi ynh_app_setting_set --app="$app" --key=open_port_53 --value="$open_port_53" diff --git a/scripts/restore b/scripts/restore index 84bdd3f6..5f060619 100644 --- a/scripts/restore +++ b/scripts/restore 
@@ -11,8 +11,8 @@ source ../settings/scripts/_common.sh source /usr/share/yunohost/helpers #================================================= -# CLOSE UNNECESSARY PORTS -# no need to open the ports, as they were opened at the 'Provisioning ports' step +# PROCESS OPENING/CLOSING PORTS +# no need to open the DoH/DoQ ports, as they were opened at the 'Provisioning ports' step #================================================= if [ "$dns_over_https" == "false" ]; then @@ -23,8 +23,9 @@ if [ "$dns_over_https" == "false" ]; then ynh_exec_warn_less yunohost firewall reload fi -if [ "$open_port_53" == "false" ]; then - ynh_exec_warn_less yunohost firewall disallow Both "$port_dns_over_http" +if [ "$open_port_53" == "true" ]; then + # if open_port_53 is true, we need to open port 53 + ynh_exec_warn_less yunohost firewall allow Both 53 ynh_exec_warn_less yunohost firewall reload fi diff --git a/scripts/upgrade b/scripts/upgrade index 2652ce0d..f25f6010 100644 --- a/scripts/upgrade +++ b/scripts/upgrade 
@@ -66,16 +66,17 @@ fi if [ -n "${open_port_53:-}" ] && [ "${open_port_53:-}" == "1" ]; then open_port_53="true" ynh_app_setting_set --app="$app" --key=open_port_53 --value="$open_port_53" - # no need to open th port, as it were opened at the 'Provisioning ports' step + # if open_port_53 is true, we need to open port 53 + ynh_exec_warn_less yunohost firewall allow Both 53 + ynh_exec_warn_less yunohost firewall reload elif [ -z "${open_port_53:-}" ] || [ "${open_port_53:-}" == "0" ]; then open_port_53="false" ynh_app_setting_set --app="$app" --key=open_port_53 --value="$open_port_53" - # if open_port_53 is false, we need to close port, - # as it were opened at the 'Provisioning ports' step - ynh_exec_warn_less yunohost firewall disallow Both "$port_dns_over_http" - ynh_exec_warn_less yunohost firewall reload fi +# remove setting no longer required +ynh_app_setting_delete --app="$app" --key="$port_adguard" + #================================================= # DOWNLOAD, CHECK AND UNPACK SOURCE #================================================= From 0c9c1b007a71b2dfe3e51d98e87786626a587923 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Wed, 27 Dec 2023 03:38:12 +0100 Subject: [PATCH 044/288] add comment about all those 'ynh_replace_string' --- scripts/upgrade | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/scripts/upgrade b/scripts/upgrade index f25f6010..609521e5 100644 --- a/scripts/upgrade +++ b/scripts/upgrade 
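Review bot: In the scripts/upgrade hunk at `@@ -66,16 +66,17 @@`, the `open_port_53` false branch no longer closes anything. An existing install whose port 53 was opened by the earlier port provisioning keeps it open unless the core closes it when the `adguard` entry disappears from the manifest, which is not visible here. If the core does not, add `ynh_exec_warn_less yunohost firewall disallow Both 53` followed by the `reload` to that branch, so that upgraded servers match the new closed-by-default behaviour. Also, `ynh_app_setting_delete --app="$app" --key="$port_adguard"` passes the port value where the setting name is expected; it should read `--key=port_adguard`.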
@@ -43,6 +43,11 @@ elif [ -z "${dns_over_https:-}" ] || [ "${dns_over_https:-}" == "0" ]; then ynh_exec_warn_less yunohost firewall reload fi +# about all those 'ynh_replace_string': +# AGH modifies by itself the config file when an user modifies it using the front-end +# so if we're using 'ynh_add_config' to process the config file, each +# regeneration of the config would break the user's changes :/ (yeah ik...) + # fill the 'tls:' section of the AGH configuration if necessary if grep -q "certificate_path: \"\"" "$install_dir/AdGuardHome.yaml" || grep -q "private_key_path: \"\"" "$install_dir/AdGuardHome.yaml" || grep -q "server_name: \"\"" "$install_dir/AdGuardHome.yaml"; then ynh_replace_string --match_string="enabled: \"\"" --replace_string="enabled: \"$dns_over_https\"" --target_file="$install_dir/AdGuardHome.yaml" From e66c485156fa9f419e38b22cf6572893ed087565 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Wed, 27 Dec 2023 03:40:28 +0100 Subject: [PATCH 045/288] fixes for port_adguard --- scripts/install | 2 +- scripts/restore | 2 +- scripts/upgrade | 6 +++--- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/scripts/install b/scripts/install index 73c1fef4..1edb3e60 100644 --- a/scripts/install +++ b/scripts/install @@ -134,7 +134,7 @@ ynh_script_progression --message="Configuring a systemd service..." --weight=1 # Create a dedicated systemd config ynh_add_systemd_config -yunohost service add "$app" --description="Ads & trackers blocking DNS server" --needs_exposed_ports "$port_adguard" "$port_dns_over_http" "$port_dns_over_quic" +yunohost service add "$app" --description="Ads & trackers blocking DNS server" --needs_exposed_ports "$port_dns_over_http" "$port_dns_over_quic" #================================================= # START SYSTEMD SERVICE diff --git a/scripts/restore b/scripts/restore index 5f060619..c342dbca 100644 --- a/scripts/restore +++ b/scripts/restore 
@@ -62,7 +62,7 @@ ynh_restore_file --origin_path="/etc/nginx/conf.d/$domain.d/$app.conf" ynh_restore_file --origin_path="/etc/systemd/system/$app.service" systemctl enable "$app.service" --quiet -yunohost service add "$app" --description="Ads & trackers blocking DNS server" --needs_exposed_ports "$port_adguard" "$port_dns_over_http" "$port_dns_over_quic" +yunohost service add "$app" --description="Ads & trackers blocking DNS server" --needs_exposed_ports "$port_dns_over_http" "$port_dns_over_quic" #================================================= # START SYSTEMD SERVICE diff --git a/scripts/upgrade b/scripts/upgrade index 609521e5..409a065e 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -110,7 +110,7 @@ ynh_add_nginx_config # Create a dedicated systemd config ynh_add_systemd_config -yunohost service add "$app" --description="Ads & trackers blocking DNS server" --needs_exposed_ports "$port_adguard" "$port_dns_over_http" "$port_dns_over_quic" +yunohost service add "$app" --description="Ads & trackers blocking DNS server" --needs_exposed_ports "$port_dns_over_http" "$port_dns_over_quic" #================================================= # SPECIFIC UPGRADE @@ -182,8 +182,8 @@ if \"0.0.0.0\" in conf_file[\"dns\"][\"bind_hosts\"]: conf_file[\"dns\"][\"bind_hosts\"].append(\"$ipv6_addr\") need_file_update = True -if conf_file[\"dns\"][\"port\"] != $port_adguard: - conf_file[\"dns\"][\"port\"] = $port_adguard +if conf_file[\"dns\"][\"port\"] != 53: + conf_file[\"dns\"][\"port\"] = 53 need_file_update = True if need_file_update: From b2e05f1dd887364af294427b99eb154907e858f8 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Wed, 27 Dec 2023 04:04:52 +0100 Subject: [PATCH 046/288] fix ynh_app_setting_delete key --- scripts/upgrade | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/upgrade b/scripts/upgrade index 409a065e..911fbfaa 100644 --- a/scripts/upgrade +++ b/scripts/upgrade 
@@ -80,7 +80,7 @@ elif [ -z "${open_port_53:-}" ] || [ "${open_port_53:-}" == "0" ]; then fi # remove setting no longer required -ynh_app_setting_delete --app="$app" --key="$port_adguard" +ynh_app_setting_delete --app="$app" --key=port_adguard #================================================= # DOWNLOAD, CHECK AND UNPACK SOURCE From 37183691565f3eaea0f810e3dd763b4a0d040e42 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Wed, 27 Dec 2023 04:15:24 +0100 Subject: [PATCH 047/288] better comment --- scripts/upgrade | 1 + 1 file changed, 1 insertion(+) diff --git a/scripts/upgrade b/scripts/upgrade index 911fbfaa..f29221dd 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -47,6 +47,7 @@ fi # AGH modifies by itself the config file when an user modifies it using the front-end # so if we're using 'ynh_add_config' to process the config file, each # regeneration of the config would break the user's changes :/ (yeah ik...) +# maybe one day use python3 -c "import yaml" in placeof this shit, but not today # fill the 'tls:' section of the AGH configuration if necessary if grep -q "certificate_path: \"\"" "$install_dir/AdGuardHome.yaml" || grep -q "private_key_path: \"\"" "$install_dir/AdGuardHome.yaml" || grep -q "server_name: \"\"" "$install_dir/AdGuardHome.yaml"; then From 0806bc5a2c58a7716300562744abab4c7da65044 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Wed, 27 Dec 2023 04:17:35 +0100 Subject: [PATCH 048/288] typo & better phrasing --- scripts/upgrade | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/upgrade b/scripts/upgrade index f29221dd..b1131302 100644 --- a/scripts/upgrade +++ b/scripts/upgrade 
@@ -47,7 +47,7 @@ fi # AGH modifies by itself the config file when an user modifies it using the front-end # so if we're using 'ynh_add_config' to process the config file, each # regeneration of the config would break the user's changes :/ (yeah ik...) -# maybe one day use python3 -c "import yaml" in placeof this shit, but not today +# maybe one day we'll use python3 -c "import yaml" in place of this shit, but not today # fill the 'tls:' section of the AGH configuration if necessary if grep -q "certificate_path: \"\"" "$install_dir/AdGuardHome.yaml" || grep -q "private_key_path: \"\"" "$install_dir/AdGuardHome.yaml" || grep -q "server_name: \"\"" "$install_dir/AdGuardHome.yaml"; then From a951205bf791c3aed3897d7ca2931f5d8993ea6f Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Wed, 27 Dec 2023 04:29:52 +0100 Subject: [PATCH 049/288] fix name --- config_panel.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config_panel.toml b/config_panel.toml index 7c4829a7..cbf2d875 100644 --- a/config_panel.toml +++ b/config_panel.toml @@ -1,7 +1,7 @@ version = "1.0" [main] -name = "AdguardHome configuration" +name = "AdGuard Home configuration" services = ["__APP__"] [main.options.open_port_53] From ac4a27a368ef87692b7af81739c7d55d86f85b7c Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Wed, 27 Dec 2023 04:36:43 +0100 Subject: [PATCH 050/288] bump version and add a display warning at this upgrade --- doc/PRE_UPGRADE.d/0.107.43~ynh4 | 8 ++++++++ manifest.toml | 2 +- 2 files changed, 9 insertions(+), 1 deletion(-) create mode 100644 doc/PRE_UPGRADE.d/0.107.43~ynh4 diff --git a/doc/PRE_UPGRADE.d/0.107.43~ynh4 b/doc/PRE_UPGRADE.d/0.107.43~ynh4 new file mode 100644 index 00000000..ec88101f --- /dev/null +++ b/doc/PRE_UPGRADE.d/0.107.43~ynh4 
@@ -0,0 +1,8 @@ +From this 0.107.43~ynh4 version, some things have changed: +- port 53 is no longer exposed on the Internet by default, it's now a deliberate choice +- it is now possible to use DoH and DoQ with Let's Encrypt certificates out of the box, but this is also disabled by default for the same reason. + +To activate either of these features, please use the config panel: +Applications → AdGuard Home → AdGuard Home configuration +- Expose port 53 to the Internet? +- Enable DNS-over-HTTPS/QUIC? \ No newline at end of file diff --git a/manifest.toml b/manifest.toml index fc0ba0ad..10aeb27a 100644 --- a/manifest.toml +++ b/manifest.toml @@ -5,7 +5,7 @@ description.fr = "Serveur DNS, bloqueur de publicités et trackers" id = "adguardhome" name = "AdGuard Home" -version = "0.107.43~ynh3" +version = "0.107.43~ynh4" maintainers = ["ddataa"] From 4c21a0eaa6bf22c2a6dfbd6c698428806b0bfdee Mon Sep 17 00:00:00 2001 From: yunohost-bot Date: Wed, 27 Dec 2023 03:36:48 +0000 Subject: [PATCH 051/288] Auto-update README --- README.md | 2 +- README_fr.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 97e6a428..b6a6ec72 100644 --- a/README.md +++ b/README.md @@ -21,7 +21,7 @@ AdGuard Home is a network-wide software for blocking ads & tracking. After you s It operates as a DNS server that re-routes tracking domains to a "black hole", thus preventing your devices from connecting to those servers. It's based on software we use for our public AdGuard DNS servers -- both share a lot of common code. -**Shipped version:** 0.107.43~ynh3 +**Shipped version:** 0.107.43~ynh4 ## Screenshots diff --git a/README_fr.md b/README_fr.md index a0af80eb..bd63fbd9 100644 --- a/README_fr.md +++ b/README_fr.md 
@@ -21,7 +21,7 @@ AdGuard Home est un logiciel à l'échelle du réseau pour bloquer les publicit Il fonctionne comme un serveur DNS qui redirige les domaines de pistage vers un "trou noir", empêchant ainsi vos appareils de se connecter à ces serveurs. Il est basé sur un logiciel que nous utilisons pour nos serveurs DNS publics AdGuard - les deux partagent beaucoup de code commun. -**Version incluse :** 0.107.43~ynh3 +**Version incluse :** 0.107.43~ynh4 ## Captures d’écran From 8e746e8bfba4da84ff1a462cf735056e4ad3e01e Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Wed, 27 Dec 2023 04:57:11 +0100 Subject: [PATCH 052/288] fix ynh_replace_string --- scripts/upgrade | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/scripts/upgrade b/scripts/upgrade index b1131302..04bda13a 100644 --- a/scripts/upgrade +++ b/scripts/upgrade 
@@ -54,19 +54,19 @@ if grep -q "certificate_path: \"\"" "$install_dir/AdGuardHome.yaml" || grep -q " ynh_replace_string --match_string="enabled: \"\"" --replace_string="enabled: \"$dns_over_https\"" --target_file="$install_dir/AdGuardHome.yaml" # using sed magic because of the line break :/ sed --in-place "/tls:$/{n;s/enabled: false/enabled: $dns_over_https/}" "$install_dir/AdGuardHome.yaml" - ynh_replace_string --match_string="server_name: \"\"" --replace_string="server_name: \"$domain\"" --target_file="$install_dir/AdGuardHome.yaml" + ynh_replace_string --match_string="server_name: \"\"" --replace_string="server_name: $domain" --target_file="$install_dir/AdGuardHome.yaml" ynh_replace_string --match_string="allow_unencrypted_doh: false" --replace_string="allow_unencrypted_doh: true" --target_file="$install_dir/AdGuardHome.yaml" - ynh_replace_string --match_string="certificate_path: \"\"" --replace_string="certificate_path: \"/etc/yunohost/certs/$domain/crt.pem\"" --target_file="$install_dir/AdGuardHome.yaml" - ynh_replace_string --match_string="private_key_path: \"\"" --replace_string="private_key_path: \"/etc/yunohost/certs/$domain/key.pem\"" --target_file="$install_dir/AdGuardHome.yaml" + ynh_replace_string --match_string="certificate_path: \"\"" --replace_string="certificate_path: /etc/yunohost/certs/$domain/crt.pem" --target_file="$install_dir/AdGuardHome.yaml" + ynh_replace_string --match_string="private_key_path: \"\"" --replace_string="private_key_path: /etc/yunohost/certs/$domain/key.pem" --target_file="$install_dir/AdGuardHome.yaml" fi # check if one of 'port_https:', 'port_dns_over_tls:' or 'port_dns_over_quic:' uses the default setting if grep -q "port_https: \"443\"" "$install_dir/AdGuardHome.yaml" || grep -q "port_dns_over_tls: \"853\"" "$install_dir/AdGuardHome.yaml" || grep -q "port_dns_over_quic: \"784\"" "$install_dir/AdGuardHome.yaml"; then # if so: mandatory replacement for them # (because the final user can't easily know the ports used by the 
package) - ynh_replace_string --match_string="port_https: \"443\"" --replace_string="port_https: \"$port_internal_https\"" --target_file="$install_dir/AdGuardHome.yaml" - ynh_replace_string --match_string="port_dns_over_tls: \"853\"" --replace_string="port_dns_over_tls: \"$port_dns_over_http\"" --target_file="$install_dir/AdGuardHome.yaml" - ynh_replace_string --match_string="port_dns_over_quic: \"784\"" --replace_string="port_dns_over_quic: \"$port_dns_over_quic\"" --target_file="$install_dir/AdGuardHome.yaml" + ynh_replace_string --match_string="port_https: 443" --replace_string="port_https: $port_internal_https" --target_file="$install_dir/AdGuardHome.yaml" + ynh_replace_string --match_string="port_dns_over_tls: 853" --replace_string="port_dns_over_tls: $port_dns_over_http" --target_file="$install_dir/AdGuardHome.yaml" + ynh_replace_string --match_string="port_dns_over_quic: 784" --replace_string="port_dns_over_quic: $port_dns_over_quic" --target_file="$install_dir/AdGuardHome.yaml" fi if [ -n "${open_port_53:-}" ] && [ "${open_port_53:-}" == "1" ]; then From ac4223c5d6b7bbd06c17b32d5f575c78194513e0 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Wed, 27 Dec 2023 05:01:03 +0100 Subject: [PATCH 053/288] fix grep --- scripts/upgrade | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/upgrade b/scripts/upgrade index 04bda13a..471623b6 100644 --- a/scripts/upgrade +++ b/scripts/upgrade 
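Review bot: The three port replacements at the end of the hunk at `@@ -54,19 +54,19 @@` use unanchored patterns. `port_https: 443` would also match the start of a user-chosen value (a constructed example: 4430) and rewrite only its prefix, assuming `ynh_replace_string` hands the pattern to sed as a regular expression. Anchoring each pattern at end of line avoids that, e.g. `--match_string="port_dns_over_tls: 853$"`. The guarding `grep -q` still looks for the quoted forms in this commit, and picks up the same prefix issue once it is unquoted in the following `@@ -61,7 +61,7 @@` hunk.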
@@ -61,7 +61,7 @@ if grep -q "certificate_path: \"\"" "$install_dir/AdGuardHome.yaml" || grep -q " fi # check if one of 'port_https:', 'port_dns_over_tls:' or 'port_dns_over_quic:' uses the default setting -if grep -q "port_https: \"443\"" "$install_dir/AdGuardHome.yaml" || grep -q "port_dns_over_tls: \"853\"" "$install_dir/AdGuardHome.yaml" || grep -q "port_dns_over_quic: \"784\"" "$install_dir/AdGuardHome.yaml"; then +if grep -q "port_https: 443" "$install_dir/AdGuardHome.yaml" || grep -q "port_dns_over_tls: 853" "$install_dir/AdGuardHome.yaml" || grep -q "port_dns_over_quic: 784" "$install_dir/AdGuardHome.yaml"; then # if so: mandatory replacement for them # (because the final user can't easily know the ports used by the package) ynh_replace_string --match_string="port_https: 443" --replace_string="port_https: $port_internal_https" --target_file="$install_dir/AdGuardHome.yaml" From 8734f31e98685150bf6906245f2bac6d1c4313ec Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Wed, 27 Dec 2023 06:01:21 +0100 Subject: [PATCH 054/288] add docs --- doc/ADMIN.md | 44 +++++++++++++++++++++++++++++++++ doc/PRE_UPGRADE.d/0.107.43~ynh4 | 7 +++++- 2 files changed, 50 insertions(+), 1 deletion(-) create mode 100644 doc/ADMIN.md diff --git a/doc/ADMIN.md b/doc/ADMIN.md new file mode 100644 index 00000000..71af9788 --- /dev/null +++ b/doc/ADMIN.md 
@@ -0,0 +1,44 @@ +# Admin notebook of YunoHost's AdGuard Home + +You want to be sure to understand the config settings? You're at the right place! ^w^ + +## Expose port 53 to the Internet? + +This setting is **disabled** by default. + +You need to know that anyone who knows your server's IP can make a DNS request to it. It may be used to perform [amplification attacks](https://en.wikipedia.org/wiki/Denial-of-service_attack#Amplification)! + +To use AdGuard Home in your domestic network, you don't need to activate this. +You simply have to use your local IP adress (like `192.168.0.1` or so) as DNS IP for your IT hardware at home + +Warning: you should not have public IPs of the config file if the port 53 is not exposed on Internet (else: AGH crashes) +You can remove them in your config file `/var/www/adguardhome/AdGuardHome.yaml` in the `dns: bind_hosts:` section +Any IP that doesn't start with the folowing are public ones: + +- `10.` +- `169.` +- `172.` +- `192.168.` +- `fdxx:` (where the `x` can be any hexadecimal character) +- `fe80:` + +So, any other IP should be a public one. + +Restart AdGuard Home after applying the needed edits: +`yunohost service restart adguardhome` + +## Enable DNS over HTTP and DNS over QUIC? + +This setting is **disabled** by default. + +You need to know that anyone who knows your AdGuard Home domain-name can make a DNS request to it. It may be used to perform [amplification attacks](https://en.wikipedia.org/wiki/Denial-of-service_attack#Amplification)! + +It's really important to use the configuration panel to deactivate this setting, and **NOT** the built-in setting in the AdGuardHome interface. +This is because YunoHost needs to perform actions such as automatically opening or closing the server's ports, which cannot be done without going through the configuration panel. 
+ +If you host your machine at home, for using DoH or DoQ, you have to open the following ports on your router: + +- `853` in TCP & UDP (for DNS over HTTP) +- `784` in UDP (for DNS over QUIC) + +Then you can use `https://adguard.example.com/dns-query` (where `adguard.example.com` is the domain-name associated to your AdGuard Home) as a DoH or DoQ DNS server for your devices. ^w^ diff --git a/doc/PRE_UPGRADE.d/0.107.43~ynh4 b/doc/PRE_UPGRADE.d/0.107.43~ynh4 index ec88101f..dc521a0d 100644 --- a/doc/PRE_UPGRADE.d/0.107.43~ynh4 +++ b/doc/PRE_UPGRADE.d/0.107.43~ynh4 @@ -5,4 +5,9 @@ From this 0.107.43~ynh4 version, some things have changed: To activate either of these features, please use the config panel: Applications → AdGuard Home → AdGuard Home configuration - Expose port 53 to the Internet? -- Enable DNS-over-HTTPS/QUIC? \ No newline at end of file +- Enable DNS-over-HTTPS/QUIC? + +This update is at risk of crashing AdGuard Home + +If any trouble or question, please refer to [the package's admin docs](https://github.com/YunoHost-Apps/adguardhome_ynh/blob/master/doc/ADMIN.md)! ^w^ +If needed and a similar issue does not already exist, please [open an issue on the GitHub's package page](https://github.com/YunoHost-Apps/adguardhome_ynh/issues)! From 77c7cedc79784bb4ce969012cad1d5a8278dc47c Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Wed, 27 Dec 2023 06:02:37 +0100 Subject: [PATCH 055/288] better phrasing --- doc/PRE_UPGRADE.d/0.107.43~ynh4 | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/doc/PRE_UPGRADE.d/0.107.43~ynh4 b/doc/PRE_UPGRADE.d/0.107.43~ynh4 index dc521a0d..f875c5ce 100644 --- a/doc/PRE_UPGRADE.d/0.107.43~ynh4 +++ b/doc/PRE_UPGRADE.d/0.107.43~ynh4 
@@ -7,7 +7,6 @@ Applications → AdGuard Home → AdGuard Home configuration - Expose port 53 to the Internet? - Enable DNS-over-HTTPS/QUIC? -This update is at risk of crashing AdGuard Home - +This update is at risk of crashing AdGuard Home, so: If any trouble or question, please refer to [the package's admin docs](https://github.com/YunoHost-Apps/adguardhome_ynh/blob/master/doc/ADMIN.md)! ^w^ If needed and a similar issue does not already exist, please [open an issue on the GitHub's package page](https://github.com/YunoHost-Apps/adguardhome_ynh/issues)! From 2c8322ce7c830f8c4508db92c49b22c5ebb75929 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Wed, 27 Dec 2023 06:24:32 +0100 Subject: [PATCH 056/288] if the IP is public and the user doesn't want to expose port 53, skip it --- scripts/_common.sh | 15 +++++++++++++++ scripts/install | 18 ++++++++++++++---- scripts/upgrade | 10 ++++++++++ 3 files changed, 39 insertions(+), 4 deletions(-) diff --git a/scripts/_common.sh b/scripts/_common.sh index 944a65ef..d44411c2 100644 --- a/scripts/_common.sh +++ b/scripts/_common.sh @@ -8,6 +8,21 @@ # PERSONAL HELPERS #================================================= +is_public_ip(){ + local IP + IP="$1" + if [[ "$IP" =~ ^10.*|^169.*|^172.*|^192.168.* ]] ; then + # private ipv4 + returns false + elif [[ "$IP" =~ ^fd*|^fe80:* ]] ; then + # private ipv6 + returns false + else + # public ip + returns true + fi +} + #================================================= # EXPERIMENTAL HELPERS #================================================= diff --git a/scripts/install b/scripts/install index 1edb3e60..57afc3b5 100644 --- a/scripts/install +++ b/scripts/install 
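Review bot: The prefix tests in the new `is_public_ip` classify many routable addresses as private, so a public address can still reach `bind_hosts` while port 53 exposure is switched off. In `^10.*|^169.*|^172.*|^192.168.*` the dots are unescaped and the ranges too wide: `104.x`, all of `169.x` and all of `172.x` match, although only 10/8, 169.254/16, 172.16/12 and 192.168/16 are non-routable, and `^fd*` matches any string that starts with `f`. Patterns such as `[[ "$IP" =~ ^(10\.|169\.254\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.) ]]` and `[[ "$IP" =~ ^(f[cd][0-9a-fA-F]{2}:|fe[89abAB][0-9a-fA-F]:) ]]` cover the intended ranges. The later `_common.sh` hunks that add `fc` and the range comment carry the same patterns forward, and `returns false` / `returns true` are not shell commands, so as written every branch ends with a non-zero status.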
@@ -103,8 +103,13 @@ ipv4_addr="" for i in $(seq "$(echo "$ipv4_route_output" | wc -w)" -1 1); do ip=$(echo "$ipv4_route_output" | awk "{print \$$i}") if ynh_validate_ip4 --ip_address="$ip"; then - ipv4_addr="- $ip" - break + if is_public_ip "$ip" && [ "$open_port_53" == "false" ] ; then + # if the IP is public and the user doesn't want to expose port 53, skip it + break + else + ipv4_addr="- $ip" + break + fi fi done @@ -112,8 +117,13 @@ ipv6_addr="" for i in $(seq "$(echo "$ipv6_route_output" | wc -w)" -1 1); do ip=$(echo "$ipv6_route_output" | awk "{print \$$i}") if ynh_validate_ip6 --ip_address="$ip"; then - ipv6_addr="- $ip" - break + if is_public_ip "$ip" && [ "$open_port_53" == "false" ] ; then + # if the IP is public and the user doesn't want to expose port 53, skip it + break + else + ipv6_addr="- $ip" + break + fi fi done diff --git a/scripts/upgrade b/scripts/upgrade index 471623b6..4fd0bed9 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -154,8 +154,13 @@ ipv4_addr="" for i in $(seq "$(echo "$ipv4_route_output" | wc -w)" -1 1); do ip=$(echo "$ipv4_route_output" | awk "{print \$$i}") if ynh_validate_ip4 --ip_address="$ip"; then + if is_public_ip "$ip" && [ "$open_port_53" == "false" ] ; then + # if the IP is public and the user doesn't want to expose port 53, skip it + break + else ipv4_addr="$ip" break + fi fi done @@ -163,8 +168,13 @@ ipv6_addr="" for i in $(seq "$(echo "$ipv6_route_output" | wc -w)" -1 1); do ip=$(echo "$ipv6_route_output" | awk "{print \$$i}") if ynh_validate_ip6 --ip_address="$ip"; then + if is_public_ip "$ip" && [ "$open_port_53" == "false" ] ; then + # if the IP is public and the user doesn't want to expose port 53, skip it + break + else ipv6_addr="$ip" break + fi fi done From ce7daa396a957411bc86982784d9a5732c83cadb Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Wed, 27 Dec 2023 06:28:26 +0100 Subject: [PATCH 057/288] add "fc" private ipv6 --- scripts/_common.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/scripts/_common.sh b/scripts/_common.sh index d44411c2..59724155 100644 --- a/scripts/_common.sh +++ b/scripts/_common.sh @@ -14,7 +14,7 @@ is_public_ip(){ if [[ "$IP" =~ ^10.*|^169.*|^172.*|^192.168.* ]] ; then # private ipv4 returns false - elif [[ "$IP" =~ ^fd*|^fe80:* ]] ; then + elif [[ "$IP" =~ ^fc*|^fd*|^fe80:* ]] ; then # private ipv6 returns false else From 58a0d7594ea1fb9efbdc3bd7989e39cf52a18cad Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Wed, 27 Dec 2023 06:29:51 +0100 Subject: [PATCH 058/288] typo --- scripts/_common.sh | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/scripts/_common.sh b/scripts/_common.sh index 59724155..3d26a9ce 100644 --- a/scripts/_common.sh +++ b/scripts/_common.sh @@ -12,14 +12,14 @@ is_public_ip(){ local IP IP="$1" if [[ "$IP" =~ ^10.*|^169.*|^172.*|^192.168.* ]] ; then - # private ipv4 - returns false + # private ipv4, so false + return 1 elif [[ "$IP" =~ ^fc*|^fd*|^fe80:* ]] ; then - # private ipv6 - returns false + # private ipv6, so false + return 1 else - # public ip - returns true + # public ip, so true + return 0 fi } From e622a2193d775e30924b28a59222f1323c3c020f Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Wed, 27 Dec 2023 06:33:05 +0100 Subject: [PATCH 059/288] small refactor --- scripts/_common.sh | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/scripts/_common.sh b/scripts/_common.sh index 3d26a9ce..03af121b 100644 --- a/scripts/_common.sh +++ b/scripts/_common.sh @@ -9,8 +9,7 @@ #================================================= is_public_ip(){ - local IP - IP="$1" + local IP="$1" if [[ "$IP" =~ ^10.*|^169.*|^172.*|^192.168.* ]] ; then # private ipv4, so false return 1 From 32d9aec8875ac41cf007779dd1c7bbf47155f04b Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Wed, 27 Dec 2023 06:36:39 +0100 Subject: [PATCH 060/288] add comment to is_public_ip() --- scripts/_common.sh | 3 +++ 1 file changed, 3 insertions(+) 
diff --git a/scripts/_common.sh b/scripts/_common.sh index 03af121b..dcfb7b9c 100644 --- a/scripts/_common.sh +++ b/scripts/_common.sh @@ -9,7 +9,10 @@ #================================================= is_public_ip(){ +# used to discriminate publics IPs over private IPs + local IP="$1" + if [[ "$IP" =~ ^10.*|^169.*|^172.*|^192.168.* ]] ; then # private ipv4, so false return 1 From 5bdc4b920326f5df88c4f6e322eb827871f2494e Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Wed, 27 Dec 2023 06:36:59 +0100 Subject: [PATCH 061/288] typo --- scripts/_common.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/_common.sh b/scripts/_common.sh index dcfb7b9c..31144002 100644 --- a/scripts/_common.sh +++ b/scripts/_common.sh @@ -9,7 +9,7 @@ #================================================= is_public_ip(){ -# used to discriminate publics IPs over private IPs +# used to discriminate publics IPs over privates IPs local IP="$1" From a5f428541198f5d3abef522563888ce927316433 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Wed, 27 Dec 2023 06:49:32 +0100 Subject: [PATCH 062/288] replace two 'for loops' in install & upgrade scripts by process_ips() --- scripts/_common.sh | 21 +++++++++++++++++++++ scripts/install | 31 +++---------------------------- scripts/upgrade | 33 ++++----------------------------- 3 files changed, 28 insertions(+), 57 deletions(-) diff --git a/scripts/_common.sh b/scripts/_common.sh index 31144002..35e2f718 100644 --- a/scripts/_common.sh +++ b/scripts/_common.sh 
@@ -25,6 +25,27 @@ is_public_ip(){ fi } +process_ips(){ +# used to process the IPs to put them in the AGH's config file + + local ips="$1" + + for i in $(seq "$(echo "$ips" | wc -w)" -1 1); do + ip=$(echo "$ips" | awk "{print \$$i}") + if ynh_validate_ip4 --ip_address="$ip"; then + if is_public_ip "$ip" && [ "$open_port_53" == "false" ] ; then + # if the IP is public and the user doesn't want to expose port 53, skip it + break + else + ips="- $ip" + break + fi + fi + done + + return "$ips" +} + #================================================= # EXPERIMENTAL HELPERS #================================================= diff --git a/scripts/install b/scripts/install index 57afc3b5..0dfa1b89 100644 --- a/scripts/install +++ b/scripts/install 
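Review bot: `process_ips` reuses `ips` as both its input and its result, so whenever no address is accepted the variable still holds the whole `ip route` line: that happens on the `break` for a public address with port 53 closed, and for every IPv6 line, because only `ynh_validate_ip4` is called. The "skip it" branch therefore does not yield an empty value, and the callers' `$(process_ips …)` also needs the result on stdout, which `return "$ips"` cannot provide. A result variable that starts empty, a `ynh_validate_ip6` check next to the IPv4 one, and a test for `"true"` instead of `"false"` (so an unset or unexpected `open_port_53` keeps public addresses out) cover these cases; the rewritten function is below.

```shell
process_ips(){
# used to process the IPs to put them in the AGH's config file

    local words="$1"
    local ip result=""

    for i in $(seq "$(echo "$words" | wc -w)" -1 1); do
        ip=$(echo "$words" | awk "{print \$$i}")
        if ynh_validate_ip4 --ip_address="$ip" || ynh_validate_ip6 --ip_address="$ip"; then
            # keep the address unless it is public and port 53 is not explicitly exposed
            if ! is_public_ip "$ip" || [ "$open_port_53" == "true" ]; then
                result="- $ip"
            fi
            break
        fi
    done

    # callers capture stdout; an empty string means "nothing to bind"
    echo "$result"
}
```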
@@ -97,35 +97,10 @@ systemctl restart dnsmasq ynh_store_file_checksum --file="/etc/dnsmasq.d/$app" ipv4_route_output=$(echo "$(ip -4 route get 1.2.3.4 2> /dev/null)" | head -n1 | head -n1) -ipv6_route_output=$(echo "$(ip -6 route get ::1.2.3.4 2> /dev/null)" | head -n1) +ipv4_addr=$(process_ips "$ipv4_route_output") -ipv4_addr="" -for i in $(seq "$(echo "$ipv4_route_output" | wc -w)" -1 1); do - ip=$(echo "$ipv4_route_output" | awk "{print \$$i}") - if ynh_validate_ip4 --ip_address="$ip"; then - if is_public_ip "$ip" && [ "$open_port_53" == "false" ] ; then - # if the IP is public and the user doesn't want to expose port 53, skip it - break - else - ipv4_addr="- $ip" - break - fi - fi -done - -ipv6_addr="" -for i in $(seq "$(echo "$ipv6_route_output" | wc -w)" -1 1); do - ip=$(echo "$ipv6_route_output" | awk "{print \$$i}") - if ynh_validate_ip6 --ip_address="$ip"; then - if is_public_ip "$ip" && [ "$open_port_53" == "false" ] ; then - # if the IP is public and the user doesn't want to expose port 53, skip it - break - else - ipv6_addr="- $ip" - break - fi - fi -done +ipv6_route_output=$(echo "$(ip -6 route get ::1.2.3.4 2> /dev/null)" | head -n1) +ipv6_addr=$(process_ips "$ipv6_route_output") password=$(python3 -c "import bcrypt; print(bcrypt.hashpw(b\"$password\", bcrypt.gensalt(rounds=10)).decode())") ynh_app_setting_set --app="$app" --key=password --value="$password" diff --git a/scripts/upgrade b/scripts/upgrade index 4fd0bed9..e35f7525 100644 --- a/scripts/upgrade +++ b/scripts/upgrade 
@@ -147,36 +147,11 @@ systemctl restart dnsmasq ynh_store_file_checksum --file="/etc/dnsmasq.d/$app" -ipv4_route_output=$(echo "$(ip -4 route get 1.2.3.4 2> /dev/null)" | head -n1) -ipv6_route_output=$(echo "$(ip -6 route get ::1.2.3.4 2> /dev/null)" | head -n1) +ipv4_route_output=$(echo "$(ip -4 route get 1.2.3.4 2> /dev/null)" | head -n1 | head -n1) +ipv4_addr=$(process_ips "$ipv4_route_output") -ipv4_addr="" -for i in $(seq "$(echo "$ipv4_route_output" | wc -w)" -1 1); do - ip=$(echo "$ipv4_route_output" | awk "{print \$$i}") - if ynh_validate_ip4 --ip_address="$ip"; then - if is_public_ip "$ip" && [ "$open_port_53" == "false" ] ; then - # if the IP is public and the user doesn't want to expose port 53, skip it - break - else - ipv4_addr="$ip" - break - fi - fi -done - -ipv6_addr="" -for i in $(seq "$(echo "$ipv6_route_output" | wc -w)" -1 1); do - ip=$(echo "$ipv6_route_output" | awk "{print \$$i}") - if ynh_validate_ip6 --ip_address="$ip"; then - if is_public_ip "$ip" && [ "$open_port_53" == "false" ] ; then - # if the IP is public and the user doesn't want to expose port 53, skip it - break - else - ipv6_addr="$ip" - break - fi - fi -done +ipv6_route_output=$(echo "$(ip -6 route get ::1.2.3.4 2> /dev/null)" | head -n1) +ipv6_addr=$(process_ips "$ipv6_route_output") # Reset the bind_hosts if the current ip is 0.0.0.0 python3 -c "import yaml From a31a7b0ad1dc08e06e4ea30ea78a0858176c299a Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Wed, 27 Dec 2023 06:50:37 +0100 Subject: [PATCH 063/288] add comment --- scripts/upgrade | 2 ++ 1 file changed, 2 insertions(+) diff --git a/scripts/upgrade b/scripts/upgrade index e35f7525..555b7ba9 100644 --- a/scripts/upgrade +++ b/scripts/upgrade 
@@ -147,9 +147,11 @@ systemctl restart dnsmasq ynh_store_file_checksum --file="/etc/dnsmasq.d/$app" +# get IPv4 for the AGH config file ipv4_route_output=$(echo "$(ip -4 route get 1.2.3.4 2> /dev/null)" | head -n1 | head -n1) ipv4_addr=$(process_ips "$ipv4_route_output") +# get IPv6 for the AGH config file ipv6_route_output=$(echo "$(ip -6 route get ::1.2.3.4 2> /dev/null)" | head -n1) ipv6_addr=$(process_ips "$ipv6_route_output") From 335b5d564588a21c45a43347390b249c4ba7863c Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Wed, 27 Dec 2023 06:50:56 +0100 Subject: [PATCH 064/288] add comment --- scripts/install | 2 ++ 1 file changed, 2 insertions(+) diff --git a/scripts/install b/scripts/install index 0dfa1b89..4e4eaf06 100644 --- a/scripts/install +++ b/scripts/install @@ -96,9 +96,11 @@ systemctl restart dnsmasq ynh_store_file_checksum --file="/etc/dnsmasq.d/$app" +# get IPv4 for the AGH config file ipv4_route_output=$(echo "$(ip -4 route get 1.2.3.4 2> /dev/null)" | head -n1 | head -n1) ipv4_addr=$(process_ips "$ipv4_route_output") +# get IPv6 for the AGH config file ipv6_route_output=$(echo "$(ip -6 route get ::1.2.3.4 2> /dev/null)" | head -n1) ipv6_addr=$(process_ips "$ipv6_route_output") From 9bb37f2f357c2af6ac5ee23e8846afc65a02f4c6 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Wed, 27 Dec 2023 06:54:34 +0100 Subject: [PATCH 065/288] process IPs and regen conf when set__open_port_53() --- scripts/config | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) diff --git a/scripts/config b/scripts/config index 8d4ed165..b9498027 100644 --- a/scripts/config +++ b/scripts/config 
@@ -32,6 +32,39 @@ set__open_port_53() { ynh_print_warn --message="The variable 'open_port_53' should be 'true' or 'false' but isn't, please report this." fi + # regenerate config, needed to add or delete public IPs following the user's choice + # get IPv4 for the AGH config file + ipv4_route_output=$(echo "$(ip -4 route get 1.2.3.4 2> /dev/null)" | head -n1 | head -n1) + ipv4_addr=$(process_ips "$ipv4_route_output") + + # get IPv6 for the AGH config file + ipv6_route_output=$(echo "$(ip -6 route get ::1.2.3.4 2> /dev/null)" | head -n1) + ipv6_addr=$(process_ips "$ipv6_route_output") + + # Reset the bind_hosts if the current ip is 0.0.0.0 +python3 -c "import yaml +with open(\"$install_dir/AdGuardHome.yaml\", 'r') as file: + conf_file = yaml.safe_load(file) + +need_file_update = False + +if \"0.0.0.0\" in conf_file[\"dns\"][\"bind_hosts\"]: + conf_file[\"dns\"][\"bind_hosts\"] = [] + if \"$ipv4_addr\": + conf_file[\"dns\"][\"bind_hosts\"].append(\"$ipv4_addr\") + if \"$ipv6_addr\": + conf_file[\"dns\"][\"bind_hosts\"].append(\"$ipv6_addr\") + need_file_update = True + +if conf_file[\"dns\"][\"port\"] != 53: + conf_file[\"dns\"][\"port\"] = 53 + need_file_update = True + +if need_file_update: + with open(\"$install_dir/AdGuardHome.yaml\", 'w') as file: + yaml.dump(conf_file, file) +" + # save the new setting ynh_app_setting_set "$app" --key=open_port_53 --value="$open_port_53" } From 06ed843bc5721dc7daba02466cc91743533171aa Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Wed, 27 Dec 2023 07:00:43 +0100 Subject: [PATCH 066/288] mention that public IPs should be automatically removed --- doc/ADMIN.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/doc/ADMIN.md b/doc/ADMIN.md index 71af9788..53e6c13e 100644 --- a/doc/ADMIN.md +++ b/doc/ADMIN.md 
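Review bot: The new `python3 -c "…"` block in `set__open_port_53` builds Python source by pasting `$install_dir`, `$ipv4_addr` and `$ipv6_addr` into string literals, so any quote, backslash or newline in those values changes the program rather than the data. The values come from app settings and from parsed `ip route` output, which makes this mainly a robustness concern, but handing them over through the environment and keeping the script in single quotes removes the whole class of problem. The same block is moved into `update_config` in the later `_common.sh` hunk and is built the same way there. `set__open_port_53` starts before this hunk.

```shell
    # … unchanged: ipv4_addr / ipv6_addr lookup via process_ips …
    AGH_CONF="$install_dir/AdGuardHome.yaml" AGH_IPV4="$ipv4_addr" AGH_IPV6="$ipv6_addr" python3 -c '
import os
import yaml

conf_path = os.environ["AGH_CONF"]
with open(conf_path, "r") as file:
    conf_file = yaml.safe_load(file)

need_file_update = False

if "0.0.0.0" in conf_file["dns"]["bind_hosts"]:
    conf_file["dns"]["bind_hosts"] = [
        ip for ip in (os.environ["AGH_IPV4"], os.environ["AGH_IPV6"]) if ip
    ]
    need_file_update = True

if conf_file["dns"]["port"] != 53:
    conf_file["dns"]["port"] = 53
    need_file_update = True

if need_file_update:
    with open(conf_path, "w") as file:
        yaml.dump(conf_file, file)
'
    # … unchanged: ynh_app_setting_set for open_port_53 …
```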
@@ -9,10 +9,11 @@ This setting is **disabled** by default. You need to know that anyone who knows your server's IP can make a DNS request to it. It may be used to perform [amplification attacks](https://en.wikipedia.org/wiki/Denial-of-service_attack#Amplification)! To use AdGuard Home in your domestic network, you don't need to activate this. -You simply have to use your local IP adress (like `192.168.0.1` or so) as DNS IP for your IT hardware at home +You simply have to use your local IP adress (like `192.168.0.1` or so) as DNS IP for your IT hardware at home. Warning: you should not have public IPs of the config file if the port 53 is not exposed on Internet (else: AGH crashes) -You can remove them in your config file `/var/www/adguardhome/AdGuardHome.yaml` in the `dns: bind_hosts:` section +They should be automatically removed when upgrading this package or when modifiying this port 53 exposure setting, but it's in the docs just in case. +You can remove them in your config file `/var/www/adguardhome/AdGuardHome.yaml` in the `dns: bind_hosts:` section. Any IP that doesn't start with the folowing are public ones: - `10.` From 28d4679ce595fbee79d7ce1d862b4b2fd0b64c1a Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Wed, 27 Dec 2023 07:01:50 +0100 Subject: [PATCH 067/288] typo --- scripts/_common.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/_common.sh b/scripts/_common.sh index 35e2f718..6a512e1f 100644 --- a/scripts/_common.sh +++ b/scripts/_common.sh @@ -43,7 +43,7 @@ process_ips(){ fi done - return "$ips" + echo "$ips" } #================================================= From f0b6d46a851093de0d3b81bbb940d83eb3e11d44 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Wed, 27 Dec 2023 07:06:06 +0100 Subject: [PATCH 068/288] adding myself as second maintainer --- manifest.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifest.toml b/manifest.toml index 10aeb27a..e0688c9d 100644 --- a/manifest.toml 
+++ b/manifest.toml @@ -7,7 +7,7 @@ name = "AdGuard Home" version = "0.107.43~ynh4" -maintainers = ["ddataa"] +maintainers = ["ddataa", "OniriCorpe"] [upstream] admindoc = "https://github.com/AdguardTeam/AdGuardHome/wiki" From d7bfbddc2f048bfa4abf1dbf2b00f2f484ab8d42 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Wed, 27 Dec 2023 07:18:17 +0100 Subject: [PATCH 069/288] moving the python script to a function in personal helpers --- scripts/_common.sh | 28 ++++++++++++++++++++++++++++ scripts/config | 25 ++----------------------- scripts/upgrade | 25 ++----------------------- 3 files changed, 32 insertions(+), 46 deletions(-) diff --git a/scripts/_common.sh b/scripts/_common.sh index 6a512e1f..57b7c709 100644 --- a/scripts/_common.sh +++ b/scripts/_common.sh @@ -46,6 +46,34 @@ process_ips(){ echo "$ips" } +update_config(){ +# used to update the IP adresses in the AGHconfig file + +# Reset the bind_hosts if the current ip is 0.0.0.0 +python3 -c "import yaml +with open(\"$install_dir/AdGuardHome.yaml\", 'r') as file: + conf_file = yaml.safe_load(file) + +need_file_update = False + +if \"0.0.0.0\" in conf_file[\"dns\"][\"bind_hosts\"]: + conf_file[\"dns\"][\"bind_hosts\"] = [] + if \"$ipv4_addr\": + conf_file[\"dns\"][\"bind_hosts\"].append(\"$ipv4_addr\") + if \"$ipv6_addr\": + conf_file[\"dns\"][\"bind_hosts\"].append(\"$ipv6_addr\") + need_file_update = True + +if conf_file[\"dns\"][\"port\"] != 53: + conf_file[\"dns\"][\"port\"] = 53 + need_file_update = True + +if need_file_update: + with open(\"$install_dir/AdGuardHome.yaml\", 'w') as file: + yaml.dump(conf_file, file) +" +} + #================================================= # EXPERIMENTAL HELPERS #================================================= diff --git a/scripts/config b/scripts/config index b9498027..a5c77f6e 100644 --- a/scripts/config +++ b/scripts/config 
@@ -41,29 +41,8 @@ set__open_port_53() { ipv6_route_output=$(echo "$(ip -6 route get ::1.2.3.4 2> /dev/null)" | head -n1) ipv6_addr=$(process_ips "$ipv6_route_output") - # Reset the bind_hosts if the current ip is 0.0.0.0 -python3 -c "import yaml -with open(\"$install_dir/AdGuardHome.yaml\", 'r') as file: - conf_file = yaml.safe_load(file) - -need_file_update = False - -if \"0.0.0.0\" in conf_file[\"dns\"][\"bind_hosts\"]: - conf_file[\"dns\"][\"bind_hosts\"] = [] - if \"$ipv4_addr\": - conf_file[\"dns\"][\"bind_hosts\"].append(\"$ipv4_addr\") - if \"$ipv6_addr\": - conf_file[\"dns\"][\"bind_hosts\"].append(\"$ipv6_addr\") - need_file_update = True - -if conf_file[\"dns\"][\"port\"] != 53: - conf_file[\"dns\"][\"port\"] = 53 - need_file_update = True - -if need_file_update: - with open(\"$install_dir/AdGuardHome.yaml\", 'w') as file: - yaml.dump(conf_file, file) -" + # update the IP adresses in the AGH config file + update_config # save the new setting ynh_app_setting_set "$app" --key=open_port_53 --value="$open_port_53" diff --git a/scripts/upgrade b/scripts/upgrade index 555b7ba9..41c1a14a 100644 --- a/scripts/upgrade +++ b/scripts/upgrade 
@@ -155,29 +155,8 @@ ipv4_addr=$(process_ips "$ipv4_route_output") ipv6_route_output=$(echo "$(ip -6 route get ::1.2.3.4 2> /dev/null)" | head -n1) ipv6_addr=$(process_ips "$ipv6_route_output") -# Reset the bind_hosts if the current ip is 0.0.0.0 -python3 -c "import yaml -with open(\"$install_dir/AdGuardHome.yaml\", 'r') as file: - conf_file = yaml.safe_load(file) - -need_file_update = False - -if \"0.0.0.0\" in conf_file[\"dns\"][\"bind_hosts\"]: - conf_file[\"dns\"][\"bind_hosts\"] = [] - if \"$ipv4_addr\": - conf_file[\"dns\"][\"bind_hosts\"].append(\"$ipv4_addr\") - if \"$ipv6_addr\": - conf_file[\"dns\"][\"bind_hosts\"].append(\"$ipv6_addr\") - need_file_update = True - -if conf_file[\"dns\"][\"port\"] != 53: - conf_file[\"dns\"][\"port\"] = 53 - need_file_update = True - -if need_file_update: - with open(\"$install_dir/AdGuardHome.yaml\", 'w') as file: - yaml.dump(conf_file, file) -" +# update the IP adresses in the AGH config file +update_config chmod 600 "$install_dir/AdGuardHome.yaml" chown -R "$app:$app" "$install_dir/AdGuardHome.yaml" From f57edf01d5d852b85b9a8c8a52e58fe489f3fa1a Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Wed, 27 Dec 2023 07:19:00 +0100 Subject: [PATCH 070/288] the python code to kepp the port 53 is now useless as it's now hardcoded --- scripts/_common.sh | 4 ---- 1 file changed, 4 deletions(-) diff --git a/scripts/_common.sh b/scripts/_common.sh index 57b7c709..e140ef35 100644 --- a/scripts/_common.sh +++ b/scripts/_common.sh @@ -63,10 +63,6 @@ if \"0.0.0.0\" in conf_file[\"dns\"][\"bind_hosts\"]: if \"$ipv6_addr\": conf_file[\"dns\"][\"bind_hosts\"].append(\"$ipv6_addr\") need_file_update = True - -if conf_file[\"dns\"][\"port\"] != 53: - conf_file[\"dns\"][\"port\"] = 53 - need_file_update = True if need_file_update: with open(\"$install_dir/AdGuardHome.yaml\", 'w') as file: From 09287bf21794a084a822a22179299e999f55249e Mon Sep 17 00:00:00 2001 
From: OniriCorpe Date: Wed, 27 Dec 2023 07:22:52 +0100 Subject: [PATCH 071/288] update IPs each time the function update_config is called --- scripts/_common.sh | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/scripts/_common.sh b/scripts/_common.sh index e140ef35..645cad79 100644 --- a/scripts/_common.sh +++ b/scripts/_common.sh @@ -56,13 +56,13 @@ with open(\"$install_dir/AdGuardHome.yaml\", 'r') as file: need_file_update = False -if \"0.0.0.0\" in conf_file[\"dns\"][\"bind_hosts\"]: - conf_file[\"dns\"][\"bind_hosts\"] = [] - if \"$ipv4_addr\": - conf_file[\"dns\"][\"bind_hosts\"].append(\"$ipv4_addr\") - if \"$ipv6_addr\": - conf_file[\"dns\"][\"bind_hosts\"].append(\"$ipv6_addr\") - need_file_update = True +conf_file[\"dns\"][\"bind_hosts\"] = [] +if \"$ipv4_addr\": + conf_file[\"dns\"][\"bind_hosts\"].append(\"$ipv4_addr\") + need_file_update = True +if \"$ipv6_addr\": + conf_file[\"dns\"][\"bind_hosts\"].append(\"$ipv6_addr\") + need_file_update = True if need_file_update: with open(\"$install_dir/AdGuardHome.yaml\", 'w') as file: From 271cd9428ac50ffbd1ac2a4776c270219bb044dc Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Wed, 27 Dec 2023 07:25:48 +0100 Subject: [PATCH 072/288] update IPs on restore --- scripts/restore | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/scripts/restore b/scripts/restore index c342dbca..e4abd84e 100644 --- a/scripts/restore +++ b/scripts/restore 
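Review bot: After this change `bind_hosts` is emptied unconditionally, but `need_file_update` is only set when one of the two addresses is non-empty, so when both lookups come back empty the file is never rewritten and the previous entries stay in place. That is the case the series is aiming at: port 53 exposure is off and the host only has public addresses, so the old public entries would keep being bound. Setting `need_file_update = True` right after `conf_file["dns"]["bind_hosts"] = []`, or dropping the flag, makes the reset take effect; what AdGuard Home should listen on when the list ends up empty is worth deciding explicitly. The surrounding `update_config` function starts and ends outside the hunk.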
@@ -41,6 +41,21 @@ ynh_script_progression --message="Restoring the app main directory..." --weight= ynh_restore_file --origin_path="$install_dir" +# we need to update IP adresses in case the backup is restored in a different +# environment, else AGH will try to bind port 53 on non-existent IPs and crash + +# get IPv4 for the AGH config file +ipv4_route_output=$(echo "$(ip -4 route get 1.2.3.4 2> /dev/null)" | head -n1 | head -n1) +ipv4_addr=$(process_ips "$ipv4_route_output") + +# get IPv6 for the AGH config file +ipv6_route_output=$(echo "$(ip -6 route get ::1.2.3.4 2> /dev/null)" | head -n1) +ipv6_addr=$(process_ips "$ipv6_route_output") + +# update the IP adresses in the AGH config file +update_config + + # this will be treated as a security issue. chmod 750 "$install_dir" chmod -R o-rwx "$install_dir" From a090eb78199a38643bd92c755a97a97d858e891b Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Wed, 27 Dec 2023 07:29:11 +0100 Subject: [PATCH 073/288] remove irrelevant comment --- scripts/_common.sh | 1 - 1 file changed, 1 deletion(-) diff --git a/scripts/_common.sh b/scripts/_common.sh index 645cad79..57ee3089 100644 --- a/scripts/_common.sh +++ b/scripts/_common.sh @@ -49,7 +49,6 @@ process_ips(){ update_config(){ # used to update the IP adresses in the AGHconfig file -# Reset the bind_hosts if the current ip is 0.0.0.0 python3 -c "import yaml with open(\"$install_dir/AdGuardHome.yaml\", 'r') as file: conf_file = yaml.safe_load(file) From f4a305decb6fe238348bafbffb9c4646e9bf2bf1 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Wed, 27 Dec 2023 19:18:27 +0100 Subject: [PATCH 074/288] remove dash before IP --- scripts/_common.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/_common.sh b/scripts/_common.sh index 57ee3089..d63b5a3e 100644 --- a/scripts/_common.sh +++ b/scripts/_common.sh 
@@ -37,7 +37,7 @@ process_ips(){ # if the IP is public and the user doesn't want to expose port 53, skip it break else - ips="- $ip" + ips="$ip" break fi fi From 5d35c035597fe746110e16f2774c78d7e9b4118a Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Wed, 27 Dec 2023 19:23:21 +0100 Subject: [PATCH 075/288] better comments --- scripts/_common.sh | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/scripts/_common.sh b/scripts/_common.sh index d63b5a3e..901985c0 100644 --- a/scripts/_common.sh +++ b/scripts/_common.sh @@ -10,17 +10,19 @@ is_public_ip(){ # used to discriminate publics IPs over privates IPs +# private IPv4 start with: 10.; 169.; 172. or 192.168. +# private IPv6 start with: fc; fd or fe80: local IP="$1" if [[ "$IP" =~ ^10.*|^169.*|^172.*|^192.168.* ]] ; then - # private ipv4, so false + # private IPv4, so false return 1 elif [[ "$IP" =~ ^fc*|^fd*|^fe80:* ]] ; then - # private ipv6, so false + # private IPv6, so false return 1 else - # public ip, so true + # public IP, so true return 0 fi } @@ -32,9 +34,10 @@ process_ips(){ for i in $(seq "$(echo "$ips" | wc -w)" -1 1); do ip=$(echo "$ips" | awk "{print \$$i}") + # check if the so-called IP really is one if ynh_validate_ip4 --ip_address="$ip"; then + # if the IP is public and the user doesn't want to expose port 53, skip it if is_public_ip "$ip" && [ "$open_port_53" == "false" ] ; then - # if the IP is public and the user doesn't want to expose port 53, skip it break else ips="$ip" From d4a231c203cfe3e51e4b69e019ee901d51f07077 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Wed, 27 Dec 2023 19:24:42 +0100 Subject: [PATCH 076/288] add line break --- scripts/backup | 1 + 1 file changed, 1 insertion(+) diff --git a/scripts/backup b/scripts/backup index 250b80ff..fdbe58e9 100644 --- a/scripts/backup +++ b/scripts/backup 
@@ -13,6 +13,7 @@ source /usr/share/yunohost/helpers #================================================= # DECLARE DATA AND CONF FILES TO BACKUP #================================================= + ynh_print_info --message="Declaring files to be backed up..." #================================================= From 9e24b6163764feb211dfa7a46a9815bc0e926c03 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Wed, 27 Dec 2023 19:40:24 +0100 Subject: [PATCH 077/288] refactor commands to get IPs --- scripts/config | 6 ++---- scripts/install | 7 ++----- scripts/restore | 6 ++---- scripts/upgrade | 6 ++---- 4 files changed, 8 insertions(+), 17 deletions(-) diff --git a/scripts/config b/scripts/config index a5c77f6e..f18214fa 100644 --- a/scripts/config +++ b/scripts/config @@ -34,12 +34,10 @@ set__open_port_53() { # regenerate config, needed to add or delete public IPs following the user's choice # get IPv4 for the AGH config file - ipv4_route_output=$(echo "$(ip -4 route get 1.2.3.4 2> /dev/null)" | head -n1 | head -n1) - ipv4_addr=$(process_ips "$ipv4_route_output") + ipv4_addr=$(process_ips "$(ip -4 route get 1.2.3.4 2> /dev/null | head -n1 | head -n1)") # get IPv6 for the AGH config file - ipv6_route_output=$(echo "$(ip -6 route get ::1.2.3.4 2> /dev/null)" | head -n1) - ipv6_addr=$(process_ips "$ipv6_route_output") + ipv6_addr=$(process_ips "$(ip -6 route get ::1.2.3.4 2> /dev/null | head -n1)") # update the IP adresses in the AGH config file update_config diff --git a/scripts/install b/scripts/install index 4e4eaf06..9797faa3 100644 --- a/scripts/install +++ b/scripts/install @@ -39,7 +39,6 @@ fi ynh_app_setting_set --app="$app" --key=open_port_53 --value="$open_port_53" - #================================================= # DOWNLOAD, CHECK AND UNPACK SOURCE #================================================= 
@@ -97,12 +96,10 @@ systemctl restart dnsmasq ynh_store_file_checksum --file="/etc/dnsmasq.d/$app" # get IPv4 for the AGH config file -ipv4_route_output=$(echo "$(ip -4 route get 1.2.3.4 2> /dev/null)" | head -n1 | head -n1) -ipv4_addr=$(process_ips "$ipv4_route_output") +ipv4_addr=$(process_ips "$(ip -4 route get 1.2.3.4 2> /dev/null | head -n1 | head -n1)") # get IPv6 for the AGH config file -ipv6_route_output=$(echo "$(ip -6 route get ::1.2.3.4 2> /dev/null)" | head -n1) -ipv6_addr=$(process_ips "$ipv6_route_output") +ipv6_addr=$(process_ips "$(ip -6 route get ::1.2.3.4 2> /dev/null | head -n1)") password=$(python3 -c "import bcrypt; print(bcrypt.hashpw(b\"$password\", bcrypt.gensalt(rounds=10)).decode())") ynh_app_setting_set --app="$app" --key=password --value="$password" diff --git a/scripts/restore b/scripts/restore index e4abd84e..d028225a 100644 --- a/scripts/restore +++ b/scripts/restore @@ -45,12 +45,10 @@ ynh_restore_file --origin_path="$install_dir" # environment, else AGH will try to bind port 53 on non-existent IPs and crash # get IPv4 for the AGH config file -ipv4_route_output=$(echo "$(ip -4 route get 1.2.3.4 2> /dev/null)" | head -n1 | head -n1) -ipv4_addr=$(process_ips "$ipv4_route_output") +ipv4_addr=$(process_ips "$(ip -4 route get 1.2.3.4 2> /dev/null | head -n1 | head -n1)") # get IPv6 for the AGH config file -ipv6_route_output=$(echo "$(ip -6 route get ::1.2.3.4 2> /dev/null)" | head -n1) -ipv6_addr=$(process_ips "$ipv6_route_output") +ipv6_addr=$(process_ips "$(ip -6 route get ::1.2.3.4 2> /dev/null | head -n1)") # update the IP adresses in the AGH config file update_config diff --git a/scripts/upgrade b/scripts/upgrade index 41c1a14a..e9b0afec 100644 --- a/scripts/upgrade +++ b/scripts/upgrade 
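Review bot: The context line `password=$(python3 -c "import bcrypt; print(bcrypt.hashpw(b\"$password\", …` in this install hunk pastes the admin password into Python source. A password containing `"` or a non-ASCII character breaks the hash step, a backslash sequence silently hashes a different password, and the clear text sits in the process arguments while the command runs. Feeding it on stdin avoids all three: `password=$(printf '%s' "$password" | python3 -c 'import bcrypt, sys; print(bcrypt.hashpw(sys.stdin.buffer.read(), bcrypt.gensalt(rounds=10)).decode())')`. The line is not changed by this commit, but it sits directly under the lines that are.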
@@ -148,12 +148,10 @@ systemctl restart dnsmasq ynh_store_file_checksum --file="/etc/dnsmasq.d/$app" # get IPv4 for the AGH config file -ipv4_route_output=$(echo "$(ip -4 route get 1.2.3.4 2> /dev/null)" | head -n1 | head -n1) -ipv4_addr=$(process_ips "$ipv4_route_output") +ipv4_addr=$(process_ips "$(ip -4 route get 1.2.3.4 2> /dev/null | head -n1 | head -n1)") # get IPv6 for the AGH config file -ipv6_route_output=$(echo "$(ip -6 route get ::1.2.3.4 2> /dev/null)" | head -n1) -ipv6_addr=$(process_ips "$ipv6_route_output") +ipv6_addr=$(process_ips "$(ip -6 route get ::1.2.3.4 2> /dev/null | head -n1)") # update the IP adresses in the AGH config file update_config From c8785c3e018372c0bb8590f19ace805da0853fb6 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Wed, 27 Dec 2023 19:45:20 +0100 Subject: [PATCH 078/288] better placment --- scripts/upgrade | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/scripts/upgrade b/scripts/upgrade index e9b0afec..915c4ab7 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -29,6 +29,17 @@ ynh_systemd_action --service_name="$app" --action="stop" #================================================= ynh_script_progression --message="Ensuring downward compatibility..." --weight=1 +if [ -n "${open_port_53:-}" ] && [ "${open_port_53:-}" == "1" ]; then + open_port_53="true" + ynh_app_setting_set --app="$app" --key=open_port_53 --value="$open_port_53" + # if open_port_53 is true, we need to open port 53 + ynh_exec_warn_less yunohost firewall allow Both 53 + ynh_exec_warn_less yunohost firewall reload +elif [ -z "${open_port_53:-}" ] || [ "${open_port_53:-}" == "0" ]; then + open_port_53="false" + ynh_app_setting_set --app="$app" --key=open_port_53 --value="$open_port_53" +fi + if [ -n "${dns_over_https:-}" ] && [ "${dns_over_https:-}" == "1" ]; then dns_over_https="true" ynh_app_setting_set --app="$app" --key=dns_over_https --value=$dns_over_https 
@@ -69,17 +80,6 @@ if grep -q "port_https: 443" "$install_dir/AdGuardHome.yaml" || grep -q "port_dn ynh_replace_string --match_string="port_dns_over_quic: 784" --replace_string="port_dns_over_quic: $port_dns_over_quic" --target_file="$install_dir/AdGuardHome.yaml" fi -if [ -n "${open_port_53:-}" ] && [ "${open_port_53:-}" == "1" ]; then - open_port_53="true" - ynh_app_setting_set --app="$app" --key=open_port_53 --value="$open_port_53" - # if open_port_53 is true, we need to open port 53 - ynh_exec_warn_less yunohost firewall allow Both 53 - ynh_exec_warn_less yunohost firewall reload -elif [ -z "${open_port_53:-}" ] || [ "${open_port_53:-}" == "0" ]; then - open_port_53="false" - ynh_app_setting_set --app="$app" --key=open_port_53 --value="$open_port_53" -fi - # remove setting no longer required ynh_app_setting_delete --app="$app" --key=port_adguard From ac6df8b7081e5c31f952454e0f4fe6ad477b273c Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Wed, 27 Dec 2023 19:50:05 +0100 Subject: [PATCH 079/288] better if --- scripts/install | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/install b/scripts/install index 9797faa3..fa98bfc4 100644 --- a/scripts/install +++ b/scripts/install @@ -14,7 +14,7 @@ source /usr/share/yunohost/helpers #================================================= ynh_script_progression --message="Storing installation settings..." --weight=2 -if [ "$dns_over_https" == "1" ]; then +if "$dns_over_https"; then dns_over_https="true" # no need to open the ports, as they were opened at the 'Provisioning ports' step else @@ -28,7 +28,7 @@ fi ynh_app_setting_set --app="$app" --key=dns_over_https --value="$dns_over_https" -if [ "$open_port_53" == "1" ]; then +if "$open_port_53"; then open_port_53="true" # if open_port_53 is true, we need to open port 53 ynh_exec_warn_less yunohost firewall allow Both 53 From 95f8a53d877c7d0a4b6d5e8324f83546e8bc6a65 Mon Sep 17 00:00:00 2001 
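Review bot: `if "$dns_over_https"; then` and `if "$open_port_53"; then` in scripts/install execute the variable's value as a command instead of testing it. The lines they replace compared against `"1"`; with that value the shell looks for a command named `1`, fails, and takes the `else` branch, so the admin's choice would be ignored, and any other value would be run as a command by the install script. An explicit string test such as `if [ "$dns_over_https" == "1" ] || [ "$dns_over_https" == "true" ]; then` (adjusted to whichever values the installer really passes) keeps this a pure comparison. The unquoted `if $dns_over_https; then` form introduced by the later "fix ip" commit has the same problem.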
From: OniriCorpe Date: Wed, 27 Dec 2023 19:56:29 +0100 Subject: [PATCH 080/288] Better user information about ports opening / closing --- scripts/config | 16 ++++++++-------- scripts/install | 4 ++++ 2 files changed, 12 insertions(+), 8 deletions(-) diff --git a/scripts/config b/scripts/config index f18214fa..a2d552d7 100644 --- a/scripts/config +++ b/scripts/config @@ -18,15 +18,15 @@ ynh_abort_if_errors set__open_port_53() { if [ "$open_port_53" == "true" ]; then - ynh_script_progression --message="Opening port 53..." + ynh_print_info --message="Opening port 53..." # if the user would expose port 53 to the Internet, open it ynh_exec_warn_less yunohost firewall allow Both 53 - yunohost firewall reload + ynh_exec_warn_less yunohost firewall reload elif [ "$open_port_53" == "false" ]; then # else if false, close it - ynh_script_progression --message="Closing port 53..." + ynh_print_info --message="Closing port 53..." ynh_exec_warn_less yunohost firewall disallow Both 53 - yunohost firewall reload + ynh_exec_warn_less yunohost firewall reload else # else, throw error ynh_print_warn --message="The variable 'open_port_53' should be 'true' or 'false' but isn't, please report this." 
@@ -49,17 +49,17 @@ set__open_port_53() { set__dns_over_https() { if [ "$dns_over_https" == "true" ]; then - ynh_script_progression --message="Opening DoH and DoQ ports..." + ynh_print_info --message="Opening DoH and DoQ ports..." # if DNS over HTTPS/QUIC is activated, open the associated ports ynh_exec_warn_less yunohost firewall allow Both "$port_dns_over_http" ynh_exec_warn_less yunohost firewall allow UDP "$port_dns_over_quic" - yunohost firewall reload + ynh_exec_warn_less yunohost firewall reload elif [ "$dns_over_https" == "false" ]; then # else if false, close them - ynh_script_progression --message="Closing DoH and DoQ ports..." + ynh_print_info --message="Closing DoH and DoQ ports..." ynh_exec_warn_less yunohost firewall disallow Both "$port_dns_over_http" ynh_exec_warn_less yunohost firewall disallow UDP "$port_dns_over_quic" - yunohost firewall reload + ynh_exec_warn_less yunohost firewall reload else # else, throw error ynh_print_warn --message="The variable 'dns_over_https' should be 'true' or 'false' but isn't, please report this." diff --git a/scripts/install b/scripts/install index fa98bfc4..faf9a6ac 100644 --- a/scripts/install +++ b/scripts/install @@ -17,10 +17,12 @@ ynh_script_progression --message="Storing installation settings..." --weight=2 if "$dns_over_https"; then dns_over_https="true" # no need to open the ports, as they were opened at the 'Provisioning ports' step + ynh_print_info --message="DoH and DoQ ports are already closed." else dns_over_https="false" # if dns_over_https is false, we need to close ports, # as they were opened at the 'Provisioning ports' step + ynh_print_info --message="Closing DoH and DoQ ports..." ynh_exec_warn_less yunohost firewall disallow Both "$port_dns_over_http" ynh_exec_warn_less yunohost firewall disallow UDP "$port_dns_over_quic" ynh_exec_warn_less yunohost firewall reload 
@@ -31,10 +33,12 @@ ynh_app_setting_set --app="$app" --key=dns_over_https --value="$dns_over_https" if "$open_port_53"; then open_port_53="true" # if open_port_53 is true, we need to open port 53 + ynh_print_info --message="Opening port 53..." ynh_exec_warn_less yunohost firewall allow Both 53 ynh_exec_warn_less yunohost firewall reload else open_port_53="false" + ynh_print_info --message="Port 53 is already closed." fi ynh_app_setting_set --app="$app" --key=open_port_53 --value="$open_port_53" From 7e74ca5827c50886a38a92d29129dc4e5085c86d Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Wed, 27 Dec 2023 20:09:25 +0100 Subject: [PATCH 081/288] better docs --- doc/ADMIN.md | 15 +++++++++------ doc/PRE_UPGRADE.d/0.107.43~ynh4 | 3 +++ 2 files changed, 12 insertions(+), 6 deletions(-) diff --git a/doc/ADMIN.md b/doc/ADMIN.md index 53e6c13e..0e6ce97b 100644 --- a/doc/ADMIN.md +++ b/doc/ADMIN.md 
@@ -8,10 +8,13 @@ This setting is **disabled** by default. You need to know that anyone who knows your server's IP can make a DNS request to it. It may be used to perform [amplification attacks](https://en.wikipedia.org/wiki/Denial-of-service_attack#Amplification)! -To use AdGuard Home in your domestic network, you don't need to activate this. -You simply have to use your local IP adress (like `192.168.0.1` or so) as DNS IP for your IT hardware at home. +To use AdGuard Home in your home network, you don't need to activate this setting. +You simply have to use the private IP adress of your server (like `192.168.0.1` or so) as DNS IP for your IT hardware at home. +The right IP to use are shown in the "Setup Guide" page of your AdGuard Home instance. -Warning: you should not have public IPs of the config file if the port 53 is not exposed on Internet (else: AGH crashes) +If you would expose the port 53 on Internet, you'll be able to use the public IP of your server (the same as in your domain name DNS settings) on any device outside your home network. + +**Warning:** you should not have public IPs of the config file if the port 53 is **not exposed** on Internet (else: AGH crashes) They should be automatically removed when upgrading this package or when modifiying this port 53 exposure setting, but it's in the docs just in case. You can remove them in your config file `/var/www/adguardhome/AdGuardHome.yaml` in the `dns: bind_hosts:` section. Any IP that doesn't start with the folowing are public ones: 
@@ -20,13 +23,13 @@ Any IP that doesn't start with the folowing are public ones: - `169.` - `172.` - `192.168.` +- `fcxx:` (where the `x` can be any hexadecimal character) - `fdxx:` (where the `x` can be any hexadecimal character) - `fe80:` So, any other IP should be a public one. -Restart AdGuard Home after applying the needed edits: -`yunohost service restart adguardhome` +Restart AdGuard Home after applying the needed edits: `yunohost service restart adguardhome` ## Enable DNS over HTTP and DNS over QUIC? @@ -35,7 +38,7 @@ This setting is **disabled** by default. You need to know that anyone who knows your AdGuard Home domain-name can make a DNS request to it. It may be used to perform [amplification attacks](https://en.wikipedia.org/wiki/Denial-of-service_attack#Amplification)! It's really important to use the configuration panel to deactivate this setting, and **NOT** the built-in setting in the AdGuardHome interface. -This is because YunoHost needs to perform actions such as automatically opening or closing the server's ports, which cannot be done without going through the configuration panel. +This is because YunoHost needs to perform actions such as automatically opening or closing the server's ports and refresh the IP to provide to AdGuard Home, which cannot be done without going through the configuration panel. If you host your machine at home, for using DoH or DoQ, you have to open the following ports on your router: diff --git a/doc/PRE_UPGRADE.d/0.107.43~ynh4 b/doc/PRE_UPGRADE.d/0.107.43~ynh4 index f875c5ce..ca9c1730 100644 --- a/doc/PRE_UPGRADE.d/0.107.43~ynh4 +++ b/doc/PRE_UPGRADE.d/0.107.43~ynh4 
@@ -7,6 +7,9 @@ Applications → AdGuard Home → AdGuard Home configuration - Expose port 53 to the Internet? - Enable DNS-over-HTTPS/QUIC? +It's really important to use the configuration panel to activate or deactivate the DNS-over-HTTPS/QUIC setting, and **NOT** the built-in setting in the AdGuardHome interface. +This is because YunoHost needs to perform actions such as automatically opening or closing the server's ports and refresh the IP to provide to AdGuard Home, which cannot be done without going through the configuration panel. + This update is at risk of crashing AdGuard Home, so: If any trouble or question, please refer to [the package's admin docs](https://github.com/YunoHost-Apps/adguardhome_ynh/blob/master/doc/ADMIN.md)! ^w^ If needed and a similar issue does not already exist, please [open an issue on the GitHub's package page](https://github.com/YunoHost-Apps/adguardhome_ynh/issues)! From b95d192aa6a321a7c529722513aea6769385d2a7 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Wed, 27 Dec 2023 22:30:57 +0100 Subject: [PATCH 082/288] mopved all the code to create a dnsmask config with the network interface to personal helpers --- scripts/_common.sh | 25 +++++++++++++++++++++++++ scripts/install | 23 ++--------------------- scripts/restore | 5 ++++- scripts/upgrade | 22 ++-------------------- 4 files changed, 33 insertions(+), 42 deletions(-) diff --git a/scripts/_common.sh b/scripts/_common.sh index 901985c0..687315fa 100644 --- a/scripts/_common.sh +++ b/scripts/_common.sh 
@@ -8,6 +8,31 @@ # PERSONAL HELPERS #================================================= +configure_network_interface_dnsmasq(){ +# used to put the network interface in a dedicated dnsmasq config + + ipv4_interface=$(echo "$(ip -4 route get 1.2.3.4 2> /dev/null)" | head -n1 | grep -oP '(?<=dev )\w+' || true) + ipv6_interface=$(echo "$(ip -6 route get ::1.2.3.4 2> /dev/null)" | head -n1 | grep -oP '(?<=dev )\w+' || true) + + if [ -z "$ipv4_interface" ] && [ -z "$ipv6_interface" ]; then + ynh_die --message="Impossible to find the main network interface, please report this issue." + elif [ "$ipv4_interface" != "$ipv6_interface" ]; then + if [ -z "$ipv4_interface" ]; then + echo -e "bind-interfaces\nexcept-interface=$ipv6_interface" > "/etc/dnsmasq.d/$app" + elif [ -z "$ipv6_interface" ]; then + echo -e "bind-interfaces\nexcept-interface=$ipv4_interface" > "/etc/dnsmasq.d/$app" + else + echo -e "bind-interfaces\nexcept-interface=$ipv4_interface, $ipv6_interface" > "/etc/dnsmasq.d/$app" + fi + else + echo -e "bind-interfaces\nexcept-interface=$ipv4_interface" > "/etc/dnsmasq.d/$app" + fi + + systemctl restart dnsmasq + + ynh_store_file_checksum --file="/etc/dnsmasq.d/$app" +} + is_public_ip(){ # used to discriminate publics IPs over privates IPs # private IPv4 start with: 10.; 169.; 172. or 192.168. diff --git a/scripts/install b/scripts/install index faf9a6ac..ff98f435 100644 --- a/scripts/install +++ b/scripts/install 
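Review bot: `grep -oP '(?<=dev )\w+'` stops at the first character that is not a letter, digit or underscore, so an interface named like `br-lan` or `eth0.100` (constructed examples) would be written to the drop-in as `br` or `eth0` and dnsmasq would keep listening on the real one; `'(?<=dev )\S+'` captures the whole name. When the two address families resolve to different interfaces the file gets `except-interface=$ipv4_interface, $ipv6_interface`; as far as I know dnsmasq documents this option as taking one name and being repeated, so two separate `except-interface=` lines are the safer form. The drop-in is also written and dnsmasq restarted without a syntax check, and running `dnsmasq --test` before `systemctl restart dnsmasq` would catch a bad file before local name resolution is affected.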
@@ -77,27 +77,8 @@ usermod -a -G ssl-cert "$app" #================================================= ynh_script_progression --message="Adding a configuration file..." --weight=1 -# echo the ip route command to prevent a crash if the server doesn't have any ipv4/6 -ipv4_interface=$(echo "$(ip -4 route get 1.2.3.4 2> /dev/null)" | head -n1 | grep -oP '(?<=dev )\w+' || true) -ipv6_interface=$(echo "$(ip -6 route get ::1.2.3.4 2> /dev/null)" | head -n1 | grep -oP '(?<=dev )\w+' || true) - -if [ -z "$ipv4_interface" ] && [ -z "$ipv6_interface" ]; then - ynh_die --message="Impossible to find the main network interface, please report this issue." -elif [ "$ipv4_interface" != "$ipv6_interface" ]; then - if [ -z "$ipv4_interface" ]; then - echo -e "bind-interface\nexcept-interface=$ipv6_interface" > "/etc/dnsmasq.d/$app" - elif [ -z "$ipv6_interface" ]; then - echo -e "bind-interfaces\nexcept-interface=$ipv4_interface" > "/etc/dnsmasq.d/$app" - else - echo -e "bind-interfaces\nexcept-interface=$ipv4_interface, $ipv6_interface" > "/etc/dnsmasq.d/$app" - fi -else - echo -e "bind-interfaces\nexcept-interface=$ipv4_interface" > "/etc/dnsmasq.d/$app" -fi - -systemctl restart dnsmasq - -ynh_store_file_checksum --file="/etc/dnsmasq.d/$app" +# put the network interface in a dedicated dnsmasq config +configure_network_interface_dnsmasq # get IPv4 for the AGH config file ipv4_addr=$(process_ips "$(ip -4 route get 1.2.3.4 2> /dev/null | head -n1 | head -n1)") diff --git a/scripts/restore b/scripts/restore index d028225a..2909ab7c 100644 --- a/scripts/restore +++ b/scripts/restore 
@@ -41,9 +41,12 @@ ynh_script_progression --message="Restoring the app main directory..." --weight= ynh_restore_file --origin_path="$install_dir" -# we need to update IP adresses in case the backup is restored in a different +# we need to refresh IP adresses in case the backup is restored in a different # environment, else AGH will try to bind port 53 on non-existent IPs and crash +# put the network interface in a dedicated dnsmasq config +configure_network_interface_dnsmasq + # get IPv4 for the AGH config file ipv4_addr=$(process_ips "$(ip -4 route get 1.2.3.4 2> /dev/null | head -n1 | head -n1)") diff --git a/scripts/upgrade b/scripts/upgrade index 915c4ab7..4532929f 100644 --- a/scripts/upgrade +++ b/scripts/upgrade 
@@ -126,26 +126,8 @@ usermod -a -G ssl-cert "$app" #================================================= ynh_script_progression --message="Updating a configuration file..." --weight=1 -ipv4_interface=$(echo "$(ip -4 route get 1.2.3.4 2> /dev/null)" | head -n1 | grep -oP '(?<=dev )\w+' || true) -ipv6_interface=$(echo "$(ip -6 route get ::1.2.3.4 2> /dev/null)" | head -n1 | grep -oP '(?<=dev )\w+' || true) - -if [ -z "$ipv4_interface" ] && [ -z "$ipv6_interface" ]; then - ynh_die --message="Impossible to find the main network interface, please report this issue." -elif [ "$ipv4_interface" != "$ipv6_interface" ]; then - if [ -z "$ipv4_interface" ]; then - echo -e "bind-interfaces\nexcept-interface=$ipv6_interface" > "/etc/dnsmasq.d/$app" - elif [ -z "$ipv6_interface" ]; then - echo -e "bind-interfaces\nexcept-interface=$ipv4_interface" > "/etc/dnsmasq.d/$app" - else - echo -e "bind-interfaces\nexcept-interface=$ipv4_interface, $ipv6_interface" > "/etc/dnsmasq.d/$app" - fi -else - echo -e "bind-interfaces\nexcept-interface=$ipv4_interface" > "/etc/dnsmasq.d/$app" -fi - -systemctl restart dnsmasq - -ynh_store_file_checksum --file="/etc/dnsmasq.d/$app" +# put the network interface in a dedicated dnsmasq config +configure_network_interface_dnsmasq # get IPv4 for the AGH config file ipv4_addr=$(process_ips "$(ip -4 route get 1.2.3.4 2> /dev/null | head -n1 | head -n1)") From fdc0d03874097633335aa16de1fa593b615a2e7d Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Wed, 27 Dec 2023 22:41:08 +0100 Subject: [PATCH 083/288] put back the comment note about echo & add comment --- scripts/_common.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/scripts/_common.sh b/scripts/_common.sh index 687315fa..c00ce42b 100644 --- a/scripts/_common.sh +++ b/scripts/_common.sh 
@@ -11,6 +11,8 @@ configure_network_interface_dnsmasq(){ # used to put the network interface in a dedicated dnsmasq config + # get the network interface name for IPv4 and IPv6 + # note: echo the IP route command to prevent a crash if the server doesn't have any IPv4/6 ipv4_interface=$(echo "$(ip -4 route get 1.2.3.4 2> /dev/null)" | head -n1 | grep -oP '(?<=dev )\w+' || true) ipv6_interface=$(echo "$(ip -6 route get ::1.2.3.4 2> /dev/null)" | head -n1 | grep -oP '(?<=dev )\w+' || true) From 8aef567a04ae4c3151e01a8b79839fea0a9b62a0 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Wed, 27 Dec 2023 22:44:43 +0100 Subject: [PATCH 084/288] simplify "source _common.sh" path --- scripts/backup | 2 +- scripts/restore | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/backup b/scripts/backup index fdbe58e9..198193b8 100644 --- a/scripts/backup +++ b/scripts/backup @@ -7,7 +7,7 @@ #================================================= # Keep this path for calling _common.sh inside the execution's context of backup and restore scripts -source ../settings/scripts/_common.sh +source _common.sh source /usr/share/yunohost/helpers #================================================= diff --git a/scripts/restore b/scripts/restore index 2909ab7c..50c91de7 100644 --- a/scripts/restore +++ b/scripts/restore @@ -7,7 +7,7 @@ #================================================= # Keep this path for calling _common.sh inside the execution's context of backup and restore scripts -source ../settings/scripts/_common.sh +source _common.sh source /usr/share/yunohost/helpers #================================================= From b91377589466ea214d70a14d1fed11382a909e37 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Wed, 27 Dec 2023 22:48:49 +0100 Subject: [PATCH 085/288] backup & restore AGH dnsmasq config is now irrelevant (as it's regenerated at restore) --- scripts/backup | 1 - scripts/restore | 2 -- 2 files changed, 3 deletions(-) 
diff --git a/scripts/backup b/scripts/backup index 198193b8..98ea8cfd 100644 --- a/scripts/backup +++ b/scripts/backup @@ -38,7 +38,6 @@ ynh_backup --src_path="/etc/systemd/system/$app.service" # BACKUP VARIOUS FILES #================================================= -ynh_backup --src_path="/etc/dnsmasq.d/$app" #================================================= # END OF SCRIPT diff --git a/scripts/restore b/scripts/restore index 50c91de7..81b98ba4 100644 --- a/scripts/restore +++ b/scripts/restore @@ -64,8 +64,6 @@ chown -R "$app:$app" "$install_dir" setcap 'CAP_NET_BIND_SERVICE=+eip CAP_NET_RAW=+eip' "$install_dir/AdGuardHome" -ynh_restore_file --origin_path="/etc/dnsmasq.d/$app" - systemctl restart dnsmasq #================================================= From aeab6379ab1955cf212150c54f080e8e8d19975b Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Wed, 27 Dec 2023 22:51:09 +0100 Subject: [PATCH 086/288] rename "update_config()" into more explicit "update_agh_config()" --- scripts/_common.sh | 2 +- scripts/config | 2 +- scripts/restore | 2 +- scripts/upgrade | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/scripts/_common.sh b/scripts/_common.sh index c00ce42b..d34d7812 100644 --- a/scripts/_common.sh +++ b/scripts/_common.sh @@ -76,7 +76,7 @@ process_ips(){ echo "$ips" } -update_config(){ +update_agh_config(){ # used to update the IP adresses in the AGHconfig file python3 -c "import yaml diff --git a/scripts/config b/scripts/config index a2d552d7..35e4c170 100644 --- a/scripts/config +++ b/scripts/config @@ -40,7 +40,7 @@ set__open_port_53() { ipv6_addr=$(process_ips "$(ip -6 route get ::1.2.3.4 2> /dev/null | head -n1)") # update the IP adresses in the AGH config file - update_config + update_agh_config # save the new setting ynh_app_setting_set "$app" --key=open_port_53 --value="$open_port_53" diff --git a/scripts/restore b/scripts/restore index 81b98ba4..a490f9c6 100644 --- a/scripts/restore +++ b/scripts/restore 
@@ -54,7 +54,7 @@ ipv4_addr=$(process_ips "$(ip -4 route get 1.2.3.4 2> /dev/null | head -n1 | hea ipv6_addr=$(process_ips "$(ip -6 route get ::1.2.3.4 2> /dev/null | head -n1)") # update the IP adresses in the AGH config file -update_config +update_agh_config # this will be treated as a security issue. diff --git a/scripts/upgrade b/scripts/upgrade index 4532929f..62c6c2e4 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -136,7 +136,7 @@ ipv4_addr=$(process_ips "$(ip -4 route get 1.2.3.4 2> /dev/null | head -n1 | hea ipv6_addr=$(process_ips "$(ip -6 route get ::1.2.3.4 2> /dev/null | head -n1)") # update the IP adresses in the AGH config file -update_config +update_agh_config chmod 600 "$install_dir/AdGuardHome.yaml" chown -R "$app:$app" "$install_dir/AdGuardHome.yaml" From bb235a2392115c189d444fe0fa85c3a43cf1247e Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Wed, 27 Dec 2023 22:52:58 +0100 Subject: [PATCH 087/288] Remove the dedicated dnsmasq config for AdGuardHome --- scripts/remove | 3 +++ 1 file changed, 3 insertions(+) diff --git a/scripts/remove b/scripts/remove index e21957ad..f2cfcb05 100644 --- a/scripts/remove +++ b/scripts/remove @@ -22,6 +22,9 @@ then yunohost service remove "$app" fi +# Remove the dedicated dnsmasq config for AdGuardHome +ynh_secure_remove --file="/etc/dnsmasq.d/$app" + # Remove the dedicated systemd config ynh_remove_systemd_config From c512e9599e2ecc44938dc651e20e7b2820338344 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Wed, 27 Dec 2023 23:03:45 +0100 Subject: [PATCH 088/288] add progression message for system configurations removal --- scripts/remove | 2 ++ 1 file changed, 2 insertions(+) diff --git a/scripts/remove b/scripts/remove index f2cfcb05..9cf2b067 100644 --- a/scripts/remove +++ b/scripts/remove 
@@ -22,6 +22,8 @@ then yunohost service remove "$app" fi +ynh_script_progression --message="Removing system configurations related to $app..." --weight=1 + # Remove the dedicated dnsmasq config for AdGuardHome ynh_secure_remove --file="/etc/dnsmasq.d/$app" From a55c98a99460dadbfe7a95d61fe6e6657f089157 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Wed, 27 Dec 2023 23:04:34 +0100 Subject: [PATCH 089/288] dnsmask config removal put at the end --- scripts/remove | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/scripts/remove b/scripts/remove index 9cf2b067..e696f0f8 100644 --- a/scripts/remove +++ b/scripts/remove @@ -24,15 +24,17 @@ fi ynh_script_progression --message="Removing system configurations related to $app..." --weight=1 -# Remove the dedicated dnsmasq config for AdGuardHome -ynh_secure_remove --file="/etc/dnsmasq.d/$app" - # Remove the dedicated systemd config ynh_remove_systemd_config # Remove the dedicated NGINX config ynh_remove_nginx_config +# Remove other various files specific to the app... + +# Remove the dedicated dnsmasq config for AdGuardHome +ynh_secure_remove --file="/etc/dnsmasq.d/$app" + #================================================= # END OF SCRIPT #================================================= From 5790f18a1af7686f5a76b54fb63c271e12cd8620 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Wed, 27 Dec 2023 23:25:14 +0100 Subject: [PATCH 090/288] fix IP indenting --- conf/AdGuardHome.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/conf/AdGuardHome.yaml b/conf/AdGuardHome.yaml index c0d20769..3ddeeeea 100644 --- a/conf/AdGuardHome.yaml +++ b/conf/AdGuardHome.yaml @@ -14,8 +14,8 @@ language: "" theme: auto dns: bind_hosts: - __IPV4_ADDR__ - __IPV6_ADDR__ + __IPV4_ADDR__ + __IPV6_ADDR__ port: 53 anonymize_client_ip: false ratelimit: 20 From 490e207587f774707ff86e10eb27048457352fb2 Mon Sep 17 00:00:00 2001 
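Review bot: Removing `/etc/dnsmasq.d/$app` is now the last action before the END OF SCRIPT banner in scripts/remove, and no dnsmasq restart is visible after it. The running dnsmasq therefore presumably keeps the `bind-interfaces`/`except-interface` settings from the deleted drop-in until something else restarts it. Adding `systemctl restart dnsmasq` right after the `ynh_secure_remove` call would return the host resolver to its pre-install listening behaviour. The rest of the script is outside the hunk, so confirm that the restart is not already done there.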
From: OniriCorpe Date: Wed, 27 Dec 2023 23:41:50 +0100 Subject: [PATCH 091/288] fix ip --- scripts/install | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/scripts/install b/scripts/install index ff98f435..c8cd330d 100644 --- a/scripts/install +++ b/scripts/install @@ -14,7 +14,7 @@ source /usr/share/yunohost/helpers #================================================= ynh_script_progression --message="Storing installation settings..." --weight=2 -if "$dns_over_https"; then +if $dns_over_https; then dns_over_https="true" # no need to open the ports, as they were opened at the 'Provisioning ports' step ynh_print_info --message="DoH and DoQ ports are already closed." @@ -30,7 +30,7 @@ fi ynh_app_setting_set --app="$app" --key=dns_over_https --value="$dns_over_https" -if "$open_port_53"; then +if $open_port_53; then open_port_53="true" # if open_port_53 is true, we need to open port 53 ynh_print_info --message="Opening port 53..." @@ -80,11 +80,11 @@ ynh_script_progression --message="Adding a configuration file..." --weight=1 # put the network interface in a dedicated dnsmasq config configure_network_interface_dnsmasq -# get IPv4 for the AGH config file -ipv4_addr=$(process_ips "$(ip -4 route get 1.2.3.4 2> /dev/null | head -n1 | head -n1)") +# get IPv4 for the AGH config file (with a starting "- ") +ipv4_addr=$(echo "- " "$(process_ips "$(ip -4 route get 1.2.3.4 2> /dev/null | head -n1 | head -n1)")") -# get IPv6 for the AGH config file -ipv6_addr=$(process_ips "$(ip -6 route get ::1.2.3.4 2> /dev/null | head -n1)") +# get IPv6 for the AGH config file (with a starting "- ") +ipv6_addr=$(echo "- " "$(process_ips "$(ip -6 route get ::1.2.3.4 2> /dev/null | head -n1)")") password=$(python3 -c "import bcrypt; print(bcrypt.hashpw(b\"$password\", bcrypt.gensalt(rounds=10)).decode())") ynh_app_setting_set --app="$app" --key=password --value="$password" From 6223ab706b827cb75863f45ac2a489f04c4bfb22 Mon Sep 17 00:00:00 2001 
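Review bot: In the `@@ -80,11 +80,11 @@` hunk, `echo "- " "$(process_ips ...)"` prepends the list marker unconditionally. On a host without IPv6 (or without IPv4) `process_ips` appears to return an empty string, so the template receives a bare `- `, which YAML reads as a null entry under `bind_hosts`. Add the marker only when an address was found: `ipv6_addr=$(process_ips "$(ip -6 route get ::1.2.3.4 2> /dev/null | head -n1)")` followed by `if [ -n "$ipv6_addr" ]; then ipv6_addr="- $ipv6_addr"; fi`, and the same for IPv4.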
From: OniriCorpe Date: Wed, 27 Dec 2023 23:46:42 +0100 Subject: [PATCH 092/288] Revert "simplify "source _common.sh" path" This reverts commit 8aef567a04ae4c3151e01a8b79839fea0a9b62a0. --- scripts/backup | 2 +- scripts/restore | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/backup b/scripts/backup index 98ea8cfd..342c5a0d 100644 --- a/scripts/backup +++ b/scripts/backup @@ -7,7 +7,7 @@ #================================================= # Keep this path for calling _common.sh inside the execution's context of backup and restore scripts -source _common.sh +source ../settings/scripts/_common.sh source /usr/share/yunohost/helpers #================================================= diff --git a/scripts/restore b/scripts/restore index a490f9c6..9773c8ea 100644 --- a/scripts/restore +++ b/scripts/restore @@ -7,7 +7,7 @@ #================================================= # Keep this path for calling _common.sh inside the execution's context of backup and restore scripts -source _common.sh +source ../settings/scripts/_common.sh source /usr/share/yunohost/helpers #================================================= From 64109eec8242161a77f958351d83ec1965b73e30 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Wed, 27 Dec 2023 23:56:26 +0100 Subject: [PATCH 093/288] add shellcheck config --- .shellcheckrc | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 .shellcheckrc diff --git a/.shellcheckrc b/.shellcheckrc new file mode 100644 index 00000000..9321071d --- /dev/null +++ b/.shellcheckrc @@ -0,0 +1,15 @@ +# ~/.shellcheckrc + +# follow source _common.sh +external-sources=true + +# disable common errors with yunohost scripting: + +# Not following: (error message here) +disable=SC1091 + +# foo appears unused. Verify it or export it. +disable=SC2034 + +# var is referenced but not assigned. +disable=SC2154 From b74820b443e02366150e3530b21218f799c13ef8 Mon Sep 17 00:00:00 2001 
From: OniriCorpe Date: Thu, 28 Dec 2023 00:05:40 +0100 Subject: [PATCH 094/288] shellcheck: ignore SC2005 --- scripts/_common.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/scripts/_common.sh b/scripts/_common.sh index d34d7812..87d70eda 100644 --- a/scripts/_common.sh +++ b/scripts/_common.sh @@ -13,7 +13,9 @@ configure_network_interface_dnsmasq(){ # get the network interface name for IPv4 and IPv6 # note: echo the IP route command to prevent a crash if the server doesn't have any IPv4/6 + # shellcheck disable=SC2005 ipv4_interface=$(echo "$(ip -4 route get 1.2.3.4 2> /dev/null)" | head -n1 | grep -oP '(?<=dev )\w+' || true) + # shellcheck disable=SC2005 ipv6_interface=$(echo "$(ip -6 route get ::1.2.3.4 2> /dev/null)" | head -n1 | grep -oP '(?<=dev )\w+' || true) if [ -z "$ipv4_interface" ] && [ -z "$ipv6_interface" ]; then From 4b780131dc13ecba0882c2a754cb8443b7b5a6e8 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Thu, 28 Dec 2023 00:11:48 +0100 Subject: [PATCH 095/288] debug --- scripts/install | 3 +++ 1 file changed, 3 insertions(+) diff --git a/scripts/install b/scripts/install index c8cd330d..3d2cb9d7 100644 --- a/scripts/install +++ b/scripts/install @@ -118,3 +118,6 @@ ynh_systemd_action --service_name="$app" --action="restart" --log_path=systemd #================================================= ynh_script_progression --message="Installation of $app completed" --last + +# temporarily cat the AGH config for debug purposes +cat "$install_dir/AdGuardHome.yaml" From a9e36a82ec6cbefa5651e43be954f6da4987fb8c Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Thu, 28 Dec 2023 00:43:30 +0100 Subject: [PATCH 096/288] debug --- scripts/install | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/install b/scripts/install index 3d2cb9d7..4bca14c3 100644 --- a/scripts/install +++ b/scripts/install 
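Review bot: The added `cat "$install_dir/AdGuardHome.yaml"` writes the whole AdGuard Home configuration into the install output. The script computes a bcrypt hash of the admin password earlier on, so the dump presumably carries that hash into logs that may later be shared for support. The follow-up commit narrows this to `head -n 30` of a hard-coded `/var/www/adguardhome` path, which may still include the credentials block and no longer follows `$install_dir`. If the debug output is needed, print only the section under investigation, for example `grep -A3 'bind_hosts:' "$install_dir/AdGuardHome.yaml"`, and remove it before merging.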
@@ -120,4 +120,4 @@ ynh_systemd_action --service_name="$app" --action="restart" --log_path=systemd ynh_script_progression --message="Installation of $app completed" --last # temporarily cat the AGH config for debug purposes -cat "$install_dir/AdGuardHome.yaml" +ynh_print_info --message="$(head -n 30 /var/www/adguardhome/AdGuardHome.yaml)" \ No newline at end of file From 1d5e520b73eaecd3d1e13cc69adb55bf45992499 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Thu, 28 Dec 2023 00:52:42 +0100 Subject: [PATCH 097/288] rework process_ips() --- scripts/_common.sh | 10 ++++++++-- scripts/install | 8 ++++---- 2 files changed, 12 insertions(+), 6 deletions(-) diff --git a/scripts/_common.sh b/scripts/_common.sh index 87d70eda..f67a2cac 100644 --- a/scripts/_common.sh +++ b/scripts/_common.sh @@ -60,6 +60,7 @@ process_ips(){ # used to process the IPs to put them in the AGH's config file local ips="$1" + if [ "$2" == "install" ]; then local install=true; fi for i in $(seq "$(echo "$ips" | wc -w)" -1 1); do ip=$(echo "$ips" | awk "{print \$$i}") @@ -69,8 +70,13 @@ process_ips(){ if is_public_ip "$ip" && [ "$open_port_53" == "false" ] ; then break else - ips="$ip" - break + if $install; then + ips="- $ip" + break + else + ips="$ip" + break + fi fi fi done diff --git a/scripts/install b/scripts/install index 4bca14c3..daed02f0 100644 --- a/scripts/install +++ b/scripts/install 
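Review bot: In `process_ips`, `install` is assigned only when `$2` equals "install", yet `if $install; then` runs for every caller. With `install` unset the test expands to an empty command, which succeeds, so the config, restore and upgrade callers that pass a single argument would also get the `- ` prefix, or the function aborts on the unset `$2` if nounset is active in the calling script. Default the argument explicitly with `local install="${2:-}"` and test it with `if [ "$install" == "install" ]; then`. The rest of `process_ips` lies outside the two hunks.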
@@ -80,11 +80,11 @@ ynh_script_progression --message="Adding a configuration file..." --weight=1 # put the network interface in a dedicated dnsmasq config configure_network_interface_dnsmasq -# get IPv4 for the AGH config file (with a starting "- ") -ipv4_addr=$(echo "- " "$(process_ips "$(ip -4 route get 1.2.3.4 2> /dev/null | head -n1 | head -n1)")") +# get IPv4 for the AGH config file (special argument "install" at the end to get a starting "- " by IP) +ipv4_addr=$(echo "- " "$(process_ips "$(ip -4 route get 1.2.3.4 2> /dev/null | head -n1 | head -n1)" install)") -# get IPv6 for the AGH config file (with a starting "- ") -ipv6_addr=$(echo "- " "$(process_ips "$(ip -6 route get ::1.2.3.4 2> /dev/null | head -n1)")") +# get IPv6 for the AGH config file (special argument "install" at the end to get a starting "- " by IP) +ipv6_addr=$(echo "- " "$(process_ips "$(ip -6 route get ::1.2.3.4 2> /dev/null | head -n1)" install)") password=$(python3 -c "import bcrypt; print(bcrypt.hashpw(b\"$password\", bcrypt.gensalt(rounds=10)).decode())") ynh_app_setting_set --app="$app" --key=password --value="$password" From 6b3e8a81b5bea4e5abc63675d3dcd8cc7deb5f31 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Thu, 28 Dec 2023 00:57:00 +0100 Subject: [PATCH 098/288] add comment --- scripts/_common.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/scripts/_common.sh b/scripts/_common.sh index f67a2cac..ad50a203 100644 --- a/scripts/_common.sh +++ b/scripts/_common.sh @@ -70,6 +70,7 @@ process_ips(){ if is_public_ip "$ip" && [ "$open_port_53" == "false" ] ; then break else + # special case for installation, as a dash is required before an IP if $install; then ips="- $ip" break From 176f3149d4f265b63495de56fa65b7921247dd2c Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Thu, 28 Dec 2023 00:58:05 +0100 Subject: [PATCH 099/288] typo --- scripts/_common.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
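Review bot: The context line `password=$(python3 -c "import bcrypt; print(bcrypt.hashpw(b\"$password\", ...` pastes the admin password into Python source text, so a password containing `"` or `\` breaks or alters the snippet, a non-ASCII one is rejected inside a bytes literal, and the clear-text password sits in the python3 command line where other local users can read it from the process list. Passing it on stdin fixes all three: `password=$(printf '%s' "$password" | python3 -c 'import bcrypt, sys; print(bcrypt.hashpw(sys.stdin.buffer.read(), bcrypt.gensalt(rounds=10)).decode())')`. The same line appears as context in the install hunks of PATCH 102, 114 and 116.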
diff --git a/scripts/_common.sh b/scripts/_common.sh index ad50a203..1254d74f 100644 --- a/scripts/_common.sh +++ b/scripts/_common.sh @@ -57,7 +57,7 @@ is_public_ip(){ } process_ips(){ -# used to process the IPs to put them in the AGH's config file +# used to process the IPs to put in the AGH's config file local ips="$1" if [ "$2" == "install" ]; then local install=true; fi From 8dcf8646218bb1379fd85af6da1cafa7cc8bb5ee Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Thu, 28 Dec 2023 01:00:14 +0100 Subject: [PATCH 100/288] fix if --- scripts/install | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/install b/scripts/install index daed02f0..6c4714f3 100644 --- a/scripts/install +++ b/scripts/install @@ -14,7 +14,7 @@ source /usr/share/yunohost/helpers #================================================= ynh_script_progression --message="Storing installation settings..." --weight=2 -if $dns_over_https; then +if [ "$dns_over_https" == "0" ]; then dns_over_https="true" # no need to open the ports, as they were opened at the 'Provisioning ports' step ynh_print_info --message="DoH and DoQ ports are already closed." @@ -30,7 +30,7 @@ fi ynh_app_setting_set --app="$app" --key=dns_over_https --value="$dns_over_https" -if $open_port_53; then +if [ "$open_port_53" == "0" ]; then open_port_53="true" # if open_port_53 is true, we need to open port 53 ynh_print_info --message="Opening port 53..." From 1a86052659f57883350ea0b68a54fbc40d2de55a Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Thu, 28 Dec 2023 01:05:04 +0100 Subject: [PATCH 101/288] better test if --- scripts/install | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/install b/scripts/install index 6c4714f3..0a56e8e6 100644 --- a/scripts/install +++ b/scripts/install 
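Review bot: Both rewritten conditions, `[ "$dns_over_https" == "0" ]` here and `[ "$open_port_53" == "0" ]` in the second hunk, enable the feature when the answer is 0; if these install questions are ordinary booleans, 1 normally means yes and the branches are inverted, which for `open_port_53` would open port 53 when the admin declined. The series keeps switching between `== "0"`, `= true` and `== 0` (PATCH 101 and 111), and tests.toml in PATCH 106 puts `# false by default` above `args.open_port_53 = 1`, so the intended encoding deserves one explicit comment above each test, for example `# install args arrive as 1 (yes) / 0 (no)` once confirmed. The message `DoH and DoQ ports are already closed.` in the first branch also contradicts the comment above it, which says the ports were opened.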
@@ -14,7 +14,7 @@ source /usr/share/yunohost/helpers #================================================= ynh_script_progression --message="Storing installation settings..." --weight=2 -if [ "$dns_over_https" == "0" ]; then +if [ "$dns_over_https" = true ]; then dns_over_https="true" # no need to open the ports, as they were opened at the 'Provisioning ports' step ynh_print_info --message="DoH and DoQ ports are already closed." @@ -30,7 +30,7 @@ fi ynh_app_setting_set --app="$app" --key=dns_over_https --value="$dns_over_https" -if [ "$open_port_53" == "0" ]; then +if [ "$open_port_53" = true ]; then open_port_53="true" # if open_port_53 is true, we need to open port 53 ynh_print_info --message="Opening port 53..." From 2e5a03320f367a380703dc664a83c993b09b18ff Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Thu, 28 Dec 2023 01:09:39 +0100 Subject: [PATCH 102/288] Revert "rework process_ips()" This reverts commit 1d5e520b73eaecd3d1e13cc69adb55bf45992499. --- scripts/_common.sh | 11 ++--------- scripts/install | 8 ++++---- 2 files changed, 6 insertions(+), 13 deletions(-) diff --git a/scripts/_common.sh b/scripts/_common.sh index 1254d74f..965f6088 100644 --- a/scripts/_common.sh +++ b/scripts/_common.sh @@ -60,7 +60,6 @@ process_ips(){ # used to process the IPs to put in the AGH's config file local ips="$1" - if [ "$2" == "install" ]; then local install=true; fi for i in $(seq "$(echo "$ips" | wc -w)" -1 1); do ip=$(echo "$ips" | awk "{print \$$i}") @@ -70,14 +69,8 @@ process_ips(){ if is_public_ip "$ip" && [ "$open_port_53" == "false" ] ; then break else - # special case for installation, as a dash is required before an IP - if $install; then - ips="- $ip" - break - else - ips="$ip" - break - fi + ips="$ip" + break fi fi done diff --git a/scripts/install b/scripts/install index 0a56e8e6..aed57035 100644 --- a/scripts/install +++ b/scripts/install 
@@ -80,11 +80,11 @@ ynh_script_progression --message="Adding a configuration file..." --weight=1 # put the network interface in a dedicated dnsmasq config configure_network_interface_dnsmasq -# get IPv4 for the AGH config file (special argument "install" at the end to get a starting "- " by IP) -ipv4_addr=$(echo "- " "$(process_ips "$(ip -4 route get 1.2.3.4 2> /dev/null | head -n1 | head -n1)" install)") +# get IPv4 for the AGH config file (with a starting "- ") +ipv4_addr=$(echo "- " "$(process_ips "$(ip -4 route get 1.2.3.4 2> /dev/null | head -n1 | head -n1)")") -# get IPv6 for the AGH config file (special argument "install" at the end to get a starting "- " by IP) -ipv6_addr=$(echo "- " "$(process_ips "$(ip -6 route get ::1.2.3.4 2> /dev/null | head -n1)" install)") +# get IPv6 for the AGH config file (with a starting "- ") +ipv6_addr=$(echo "- " "$(process_ips "$(ip -6 route get ::1.2.3.4 2> /dev/null | head -n1)")") password=$(python3 -c "import bcrypt; print(bcrypt.hashpw(b\"$password\", bcrypt.gensalt(rounds=10)).decode())") ynh_app_setting_set --app="$app" --key=password --value="$password" From 22a3d330ed44e449b0a4f8810b01622b9ac81b5e Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Thu, 28 Dec 2023 01:18:07 +0100 Subject: [PATCH 103/288] fix IP validation for IPv6 --- scripts/_common.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/_common.sh b/scripts/_common.sh index 965f6088..c93d0aec 100644 --- a/scripts/_common.sh +++ b/scripts/_common.sh @@ -64,7 +64,7 @@ process_ips(){ for i in $(seq "$(echo "$ips" | wc -w)" -1 1); do ip=$(echo "$ips" | awk "{print \$$i}") # check if the so-called IP really is one - if ynh_validate_ip4 --ip_address="$ip"; then + if ynh_validate_ip4 --ip_address="$ip" || ynh_validate_ip6 --ip_address="$ip"; then # if the IP is public and the user doesn't want to expose port 53, skip it if is_public_ip "$ip" && [ "$open_port_53" == "false" ] ; then break 
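Review bot: With `ynh_validate_ip6` added to the check, IPv6 addresses now reach `is_public_ip`, whose body is outside this hunk; if that helper only knows the IPv4 private ranges, a global IPv6 address could be treated as not public and be written to `bind_hosts` although `open_port_53` is false, which the admin docs in this series say must not happen. Please confirm it classifies only ULA and link-local addresses as non-public and record that at the call, e.g. `# is_public_ip must handle IPv6 too (non-public: fc00::/7, fe80::/10)`. process_ips starts and ends outside the hunk.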
From 664b0cdc3adcb477fa8626a15dbbfdcb28ad7a89 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Thu, 28 Dec 2023 02:54:35 +0100 Subject: [PATCH 104/288] replace ynh_replace_string by ynh_write_var_in_file --- scripts/upgrade | 20 +++++++++----------- 1 file changed, 9 insertions(+), 11 deletions(-) diff --git a/scripts/upgrade b/scripts/upgrade index 62c6c2e4..e95385ea 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -54,7 +54,7 @@ elif [ -z "${dns_over_https:-}" ] || [ "${dns_over_https:-}" == "0" ]; then ynh_exec_warn_less yunohost firewall reload fi -# about all those 'ynh_replace_string': +# about all those 'ynh_write_var_in_file': # AGH modifies by itself the config file when an user modifies it using the front-end # so if we're using 'ynh_add_config' to process the config file, each # regeneration of the config would break the user's changes :/ (yeah ik...) 
@@ -62,22 +62,20 @@ fi # fill the 'tls:' section of the AGH configuration if necessary if grep -q "certificate_path: \"\"" "$install_dir/AdGuardHome.yaml" || grep -q "private_key_path: \"\"" "$install_dir/AdGuardHome.yaml" || grep -q "server_name: \"\"" "$install_dir/AdGuardHome.yaml"; then - ynh_replace_string --match_string="enabled: \"\"" --replace_string="enabled: \"$dns_over_https\"" --target_file="$install_dir/AdGuardHome.yaml" - # using sed magic because of the line break :/ - sed --in-place "/tls:$/{n;s/enabled: false/enabled: $dns_over_https/}" "$install_dir/AdGuardHome.yaml" - ynh_replace_string --match_string="server_name: \"\"" --replace_string="server_name: $domain" --target_file="$install_dir/AdGuardHome.yaml" - ynh_replace_string --match_string="allow_unencrypted_doh: false" --replace_string="allow_unencrypted_doh: true" --target_file="$install_dir/AdGuardHome.yaml" - ynh_replace_string --match_string="certificate_path: \"\"" --replace_string="certificate_path: /etc/yunohost/certs/$domain/crt.pem" --target_file="$install_dir/AdGuardHome.yaml" - ynh_replace_string --match_string="private_key_path: \"\"" --replace_string="private_key_path: /etc/yunohost/certs/$domain/key.pem" --target_file="$install_dir/AdGuardHome.yaml" + ynh_write_var_in_file --file="$install_dir/AdGuardHome.yaml" --key="tls>enabled" --value="$dns_over_https" + ynh_write_var_in_file --file="$install_dir/AdGuardHome.yaml" --key="server_name" --value="$domain" + ynh_write_var_in_file --file="$install_dir/AdGuardHome.yaml" --key="allow_unencrypted_doh" --value="true" + ynh_write_var_in_file --file="$install_dir/AdGuardHome.yaml" --key="certificate_path" --value="/etc/yunohost/certs/$domain/crt.pem" + ynh_write_var_in_file --file="$install_dir/AdGuardHome.yaml" --key="private_key_path" --value="/etc/yunohost/certs/$domain/key.pem" fi # check if one of 'port_https:', 'port_dns_over_tls:' or 'port_dns_over_quic:' uses the default setting if grep -q "port_https: 443" 
"$install_dir/AdGuardHome.yaml" || grep -q "port_dns_over_tls: 853" "$install_dir/AdGuardHome.yaml" || grep -q "port_dns_over_quic: 784" "$install_dir/AdGuardHome.yaml"; then # if so: mandatory replacement for them # (because the final user can't easily know the ports used by the package) - ynh_replace_string --match_string="port_https: 443" --replace_string="port_https: $port_internal_https" --target_file="$install_dir/AdGuardHome.yaml" - ynh_replace_string --match_string="port_dns_over_tls: 853" --replace_string="port_dns_over_tls: $port_dns_over_http" --target_file="$install_dir/AdGuardHome.yaml" - ynh_replace_string --match_string="port_dns_over_quic: 784" --replace_string="port_dns_over_quic: $port_dns_over_quic" --target_file="$install_dir/AdGuardHome.yaml" + ynh_write_var_in_file --file="$install_dir/AdGuardHome.yaml" --key="port_https" --value="$port_internal_https" + ynh_write_var_in_file --file="$install_dir/AdGuardHome.yaml" --key="port_dns_over_tls" --value="$port_dns_over_http" + ynh_write_var_in_file --file="$install_dir/AdGuardHome.yaml" --key="port_dns_over_quic" --value="$port_dns_over_quic" fi # remove setting no longer required From 6577bd22bbf57a75e4499cc98d62e83277d6c49f Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Thu, 28 Dec 2023 03:09:21 +0100 Subject: [PATCH 105/288] set "all_users" as the new [install.init_main_permission] --- manifest.toml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/manifest.toml b/manifest.toml index e0688c9d..3727c65a 100644 --- a/manifest.toml +++ b/manifest.toml @@ -35,8 +35,9 @@ default = "/adguard" type = "path" [install.init_main_permission] -default = "visitors" +default = "all_users" type = "group" +help.en = "Even by restricting access to users only, the AdGuard Home API will be available (ex. for a mobile app use)." [install.admin] type = "user" From be36cfb279552bc093fb6046394ffad7516c5e0c Mon Sep 17 00:00:00 2001 
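Review bot: `--key="tls>enabled"` is unlikely to do what the removed `sed` did: as far as I know the `parent>key` form is only understood by the config panel's `bind` syntax, while `ynh_write_var_in_file` takes the preceding line through `--after`, so this call may change nothing or hit another `enabled:` key in the file, and DoT/DoQ would stay off without any error. Worth testing instead: `ynh_write_var_in_file --file="$install_dir/AdGuardHome.yaml" --key="enabled" --value="$dns_over_https" --after="tls:"`. The hunk also keeps writing `allow_unencrypted_doh` as `true`, which lets AdGuard Home answer DoH over plain HTTP; if that is not required by the reverse-proxy setup, `--value="false"` is the safer upgrade value.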
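Review bot: The new `help.en` text says the API stays reachable when the main permission is restricted, but not what protects it in that case, so an admin choosing `all_users` may assume the YunoHost login covers everything. If the API is guarded only by AdGuard Home's own credentials (not visible in this hunk), the help should say so, e.g. `help.en = "Even when access is restricted to users, the AdGuard Home API stays reachable without the YunoHost login (e.g. for a mobile app) and is protected only by the AdGuard Home password."`.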
From: OniriCorpe Date: Thu, 28 Dec 2023 03:15:30 +0100 Subject: [PATCH 106/288] implementing CI tests for "open_port_53" and "dns_over_https" --- tests.toml | 29 +++++++++++++++++++++++++---- 1 file changed, 25 insertions(+), 4 deletions(-) diff --git a/tests.toml b/tests.toml index 00d74697..240f6263 100644 --- a/tests.toml +++ b/tests.toml @@ -2,8 +2,29 @@ test_format = 1.0 [default] - # ------------------------------- - # Default args to use for install - # ------------------------------- +# ------------------------------- +# Default args to use for install +# ------------------------------- - args.dns_over_https=1 \ No newline at end of file +# false by default +args.open_port_53 = 1 +args.dns_over_https = 1 + +# ------------------------------- +# additional tests suite +# ------------------------------- + +[open_port_53] +only = ["install.root"] +args.open_port_53 = 0 +args.dns_over_https = 1 + +[open_doh_doq_ports] +only = ["install.root"] +args.open_port_53 = 1 +args.dns_over_https = 0 + +[open_both_port_53_and_doh_doq_ports] +only = ["install.root"] +args.open_port_53 = 0 +args.dns_over_https = 0 From 1862a22c6793675833137c20c832005d1d39b476 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Thu, 28 Dec 2023 03:18:09 +0100 Subject: [PATCH 107/288] debug upgrade --- scripts/upgrade | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/scripts/upgrade b/scripts/upgrade index e95385ea..81c756f0 100644 --- a/scripts/upgrade +++ b/scripts/upgrade 
@@ -29,22 +29,22 @@ ynh_systemd_action --service_name="$app" --action="stop" #================================================= ynh_script_progression --message="Ensuring downward compatibility..." --weight=1 -if [ -n "${open_port_53:-}" ] && [ "${open_port_53:-}" == "1" ]; then +if [ -z "${open_port_53:-}" ] && [ "${open_port_53:-}" = true ]; then open_port_53="true" ynh_app_setting_set --app="$app" --key=open_port_53 --value="$open_port_53" # if open_port_53 is true, we need to open port 53 ynh_exec_warn_less yunohost firewall allow Both 53 ynh_exec_warn_less yunohost firewall reload -elif [ -z "${open_port_53:-}" ] || [ "${open_port_53:-}" == "0" ]; then +elif [ -n "${open_port_53:-}" ] || [ "${open_port_53:-}" = false ]; then open_port_53="false" ynh_app_setting_set --app="$app" --key=open_port_53 --value="$open_port_53" fi -if [ -n "${dns_over_https:-}" ] && [ "${dns_over_https:-}" == "1" ]; then +if [ -z "${dns_over_https:-}" ] && [ "${dns_over_https:-}" = true ]; then dns_over_https="true" ynh_app_setting_set --app="$app" --key=dns_over_https --value=$dns_over_https # no need to open the ports, as they were opened at the 'Provisioning ports' step -elif [ -z "${dns_over_https:-}" ] || [ "${dns_over_https:-}" == "0" ]; then +elif [ -n "${dns_over_https:-}" ] || [ "${dns_over_https:-}" = false ]; then dns_over_https="false" ynh_app_setting_set --app="$app" --key=dns_over_https --value=$dns_over_https # if dns_over_https is false, we need to close ports, @@ -151,3 +151,6 @@ ynh_systemd_action --service_name="$app" --action="restart" --log_path="systemd" #================================================= ynh_script_progression --message="Upgrade of $app completed" --last + +# temporarily show the AGH config for debug purposes +ynh_print_info --message="$(head -n 30 /var/www/adguardhome/AdGuardHome.yaml)" \ No newline at end of file From 34eee2028a46202cd3b047c340409e4bf776055d Mon Sep 17 00:00:00 2001 
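Review bot: The four rewritten tests in the downward-compatibility block cannot work as written: `[ -z "${open_port_53:-}" ] && [ "${open_port_53:-}" = true ]` is never true, and `[ -n "${open_port_53:-}" ] || ...` is true for every stored value, so an existing `true` or `1` is overwritten with `false`, while an unset setting matches neither branch and stays unset. The same pair is used for `dns_over_https`, where the `elif` branch goes on to close the ports. Testing the accepted values directly keeps the old and new encodings working: `if [ "${open_port_53:-}" = "1" ] || [ "${open_port_53:-}" = "true" ]; then` followed by a plain `else`, and likewise for `dns_over_https`.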
From: OniriCorpe Date: Thu, 28 Dec 2023 03:58:18 +0100 Subject: [PATCH 108/288] fix the "there's no valid IP at all for this configuration" bug where the whole route where echoed --- scripts/_common.sh | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/scripts/_common.sh b/scripts/_common.sh index c93d0aec..2f17b73c 100644 --- a/scripts/_common.sh +++ b/scripts/_common.sh @@ -60,6 +60,7 @@ process_ips(){ # used to process the IPs to put in the AGH's config file local ips="$1" + local processed_ips for i in $(seq "$(echo "$ips" | wc -w)" -1 1); do ip=$(echo "$ips" | awk "{print \$$i}") @@ -69,13 +70,13 @@ process_ips(){ if is_public_ip "$ip" && [ "$open_port_53" == "false" ] ; then break else - ips="$ip" + processed_ips="$ip" break fi fi done - echo "$ips" + echo "$processed_ips" } update_agh_config(){ From c4bf95489f60782c627ec9d36a51fdbb2b85d523 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Thu, 28 Dec 2023 04:01:22 +0100 Subject: [PATCH 109/288] fix: processed_ips can be empty --- scripts/_common.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/_common.sh b/scripts/_common.sh index 2f17b73c..001d3f70 100644 --- a/scripts/_common.sh +++ b/scripts/_common.sh @@ -76,7 +76,7 @@ process_ips(){ fi done - echo "$processed_ips" + echo "${processed_ips:-}" } update_agh_config(){ From 8c1f2e0c8562fe67b0cef49968b44bc27f1cd46b Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Thu, 28 Dec 2023 04:02:14 +0100 Subject: [PATCH 110/288] better docs --- doc/ADMIN.md | 2 +- doc/PRE_UPGRADE.d/0.107.43~ynh4 | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/doc/ADMIN.md b/doc/ADMIN.md index 0e6ce97b..73c2a912 100644 --- a/doc/ADMIN.md +++ b/doc/ADMIN.md 
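Review bot: The `break` under the comment `# if the IP is public and the user doesn't want to expose port 53, skip it` ends the loop instead of skipping, so with the new `processed_ips` a public address met first makes process_ips return an empty string even when a private address comes later in the list. `continue` matches the comment. `ip` and `i` are also assigned without `local`, unlike `ips` and `processed_ips`, so they leak into the calling script; `local ip i` next to the new declaration would contain them. The function starts outside the hunk.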
@@ -15,7 +15,7 @@ The right IP to use are shown in the "Setup Guide" page of your AdGuard Home ins If you would expose the port 53 on Internet, you'll be able to use the public IP of your server (the same as in your domain name DNS settings) on any device outside your home network. **Warning:** you should not have public IPs of the config file if the port 53 is **not exposed** on Internet (else: AGH crashes) -They should be automatically removed when upgrading this package or when modifiying this port 53 exposure setting, but it's in the docs just in case. +Please note: They should be automatically removed when upgrading this package or when modifiying this port 53 exposure setting, but it's in the docs just in case. You can remove them in your config file `/var/www/adguardhome/AdGuardHome.yaml` in the `dns: bind_hosts:` section. Any IP that doesn't start with the folowing are public ones: diff --git a/doc/PRE_UPGRADE.d/0.107.43~ynh4 b/doc/PRE_UPGRADE.d/0.107.43~ynh4 index ca9c1730..727cee39 100644 --- a/doc/PRE_UPGRADE.d/0.107.43~ynh4 +++ b/doc/PRE_UPGRADE.d/0.107.43~ynh4 
@@ -11,5 +11,5 @@ It's really important to use the configuration panel to activate or deactivate t This is because YunoHost needs to perform actions such as automatically opening or closing the server's ports and refresh the IP to provide to AdGuard Home, which cannot be done without going through the configuration panel. This update is at risk of crashing AdGuard Home, so: -If any trouble or question, please refer to [the package's admin docs](https://github.com/YunoHost-Apps/adguardhome_ynh/blob/master/doc/ADMIN.md)! ^w^ -If needed and a similar issue does not already exist, please [open an issue on the GitHub's package page](https://github.com/YunoHost-Apps/adguardhome_ynh/issues)! +- If any trouble or question, please refer to [the package's admin docs](https://github.com/YunoHost-Apps/adguardhome_ynh/blob/master/doc/ADMIN.md)! In any case, we recommend reading it! ^w^ +- If needed and a similar issue does not already exist, please [open an issue on the GitHub's package page](https://github.com/YunoHost-Apps/adguardhome_ynh/issues)! From 8f0906e85b57308c186bf1b305fc85e4a0b8315e Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Thu, 28 Dec 2023 04:24:40 +0100 Subject: [PATCH 111/288] fix --- scripts/install | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/install b/scripts/install index aed57035..4a7f715b 100644 --- a/scripts/install +++ b/scripts/install @@ -14,7 +14,7 @@ source /usr/share/yunohost/helpers #================================================= ynh_script_progression --message="Storing installation settings..." --weight=2 -if [ "$dns_over_https" = true ]; then +if [[ $dns_over_https == 0 ]]; then dns_over_https="true" # no need to open the ports, as they were opened at the 'Provisioning ports' step ynh_print_info --message="DoH and DoQ ports are already closed." 
@@ -30,7 +30,7 @@ fi ynh_app_setting_set --app="$app" --key=dns_over_https --value="$dns_over_https" -if [ "$open_port_53" = true ]; then +if [[ $open_port_53 == 0 ]]; then open_port_53="true" # if open_port_53 is true, we need to open port 53 ynh_print_info --message="Opening port 53..." From cd382bed1cb719c0ddaebd53aa34ab0e395a4700 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Thu, 28 Dec 2023 05:17:39 +0100 Subject: [PATCH 112/288] better message --- scripts/install | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/install b/scripts/install index 4a7f715b..54023857 100644 --- a/scripts/install +++ b/scripts/install @@ -17,7 +17,7 @@ ynh_script_progression --message="Storing installation settings..." --weight=2 if [[ $dns_over_https == 0 ]]; then dns_over_https="true" # no need to open the ports, as they were opened at the 'Provisioning ports' step - ynh_print_info --message="DoH and DoQ ports are already closed." + ynh_print_info --message="DoH and DoQ ports have already been opened at port provision step." else dns_over_https="false" # if dns_over_https is false, we need to close ports, From f4f916a8b29d084f9db841aba3eb5ba9d199c3ea Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Thu, 28 Dec 2023 05:54:28 +0100 Subject: [PATCH 113/288] new function: get_network_interface() --- scripts/_common.sh | 18 ++++++++++++------ scripts/install | 6 +++++- scripts/restore | 6 +++++- scripts/upgrade | 3 --- 4 files changed, 22 insertions(+), 11 deletions(-) diff --git a/scripts/_common.sh b/scripts/_common.sh index 001d3f70..e0e38409 100644 --- a/scripts/_common.sh +++ b/scripts/_common.sh 
@@ -8,15 +8,21 @@ # PERSONAL HELPERS #================================================= -configure_network_interface_dnsmasq(){ -# used to put the network interface in a dedicated dnsmasq config +get_network_interface(){ +# get the network interface name for IPv4 and IPv6 + + local IPvx="$1" - # get the network interface name for IPv4 and IPv6 # note: echo the IP route command to prevent a crash if the server doesn't have any IPv4/6 # shellcheck disable=SC2005 - ipv4_interface=$(echo "$(ip -4 route get 1.2.3.4 2> /dev/null)" | head -n1 | grep -oP '(?<=dev )\w+' || true) - # shellcheck disable=SC2005 - ipv6_interface=$(echo "$(ip -6 route get ::1.2.3.4 2> /dev/null)" | head -n1 | grep -oP '(?<=dev )\w+' || true) + echo ipv4_interface="$(echo "$(ip -"$IPvx" route get 1.2.3.4 2> /dev/null)" | head -n1 | grep -oP '(?<=dev )\w+' || true)" +} + +configure_network_interface_dnsmasq(){ +# used to put the network interface in a dedicated dnsmasq config + + local ipv4_interface="$1" + local ipv6_interface="$2" if [ -z "$ipv4_interface" ] && [ -z "$ipv6_interface" ]; then ynh_die --message="Impossible to find the main network interface, please report this issue." diff --git a/scripts/install b/scripts/install index 54023857..cd17771c 100644 --- a/scripts/install +++ b/scripts/install @@ -77,8 +77,12 @@ usermod -a -G ssl-cert "$app" #================================================= ynh_script_progression --message="Adding a configuration file..." --weight=1 +# get the name of the network interface in IPv4 and IPv6 +ipv4_interface="$(get_network_interface 4)" +ipv6_interface="$(get_network_interface 6)" + # put the network interface in a dedicated dnsmasq config -configure_network_interface_dnsmasq +configure_network_interface_dnsmasq "$ipv4_interface" "$ipv6_interface" # get IPv4 for the AGH config file (with a starting "- ") ipv4_addr=$(echo "- " "$(process_ips "$(ip -4 route get 1.2.3.4 2> /dev/null | head -n1 | head -n1)")") 
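Review bot: get_network_interface prints the literal text `ipv4_interface=` in front of the name (`echo ipv4_interface="$(...)"`), so the callers in install and restore receive `ipv4_interface=<name>` and the `-z` checks in configure_network_interface_dnsmasq can no longer detect a missing interface. It also always queries `1.2.3.4`, which is not a valid destination for `ip -6`. PATCH 115 later in this series reworks the function; as committed here, the `echo` should print only the command substitution and the destination should depend on `$IPvx`.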
diff --git a/scripts/restore b/scripts/restore index 9773c8ea..18e5cba8 100644 --- a/scripts/restore +++ b/scripts/restore @@ -44,8 +44,12 @@ ynh_restore_file --origin_path="$install_dir" # we need to refresh IP adresses in case the backup is restored in a different # environment, else AGH will try to bind port 53 on non-existent IPs and crash +# get the name of the network interface in IPv4 and IPv6 +ipv4_interface="$(get_network_interface 4)" +ipv6_interface="$(get_network_interface 6)" + # put the network interface in a dedicated dnsmasq config -configure_network_interface_dnsmasq +configure_network_interface_dnsmasq "$ipv4_interface" "$ipv6_interface" # get IPv4 for the AGH config file ipv4_addr=$(process_ips "$(ip -4 route get 1.2.3.4 2> /dev/null | head -n1 | head -n1)") diff --git a/scripts/upgrade b/scripts/upgrade index 81c756f0..3706d5b2 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -124,9 +124,6 @@ usermod -a -G ssl-cert "$app" #================================================= ynh_script_progression --message="Updating a configuration file..." --weight=1 -# put the network interface in a dedicated dnsmasq config -configure_network_interface_dnsmasq - # get IPv4 for the AGH config file ipv4_addr=$(process_ips "$(ip -4 route get 1.2.3.4 2> /dev/null | head -n1 | head -n1)") From 952f48f41ac45de7416b5a9a5ef2be99047582e2 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Thu, 28 Dec 2023 06:16:48 +0100 Subject: [PATCH 114/288] edit the 'ip' commands because we need the IP without route too (they may be private IPs) --- scripts/config | 10 ++++++++-- scripts/install | 5 +++-- scripts/restore | 5 +++-- scripts/upgrade | 9 +++++++-- 4 files changed, 21 insertions(+), 8 deletions(-) diff --git a/scripts/config b/scripts/config index 35e4c170..a9b878ac 100644 --- a/scripts/config +++ b/scripts/config 
@@ -33,11 +33,17 @@ set__open_port_53() { fi # regenerate config, needed to add or delete public IPs following the user's choice + + # get the name of the network interface in IPv4 and IPv6 + ipv4_interface="$(get_network_interface 4)" + ipv6_interface="$(get_network_interface 6)" + # get IPv4 for the AGH config file - ipv4_addr=$(process_ips "$(ip -4 route get 1.2.3.4 2> /dev/null | head -n1 | head -n1)") + ipv4_addr=$(process_ips "$(ip -4 address show "$ipv4_interface" 2> /dev/null | grep inet)") # get IPv6 for the AGH config file - ipv6_addr=$(process_ips "$(ip -6 route get ::1.2.3.4 2> /dev/null | head -n1)") + # the 'sed' is used to get rid of the network prefix ('/64' for example) + ipv6_addr=$(process_ips "$(ip -6 address show "$ipv6_interface" 2> /dev/null | grep inet | sed 's&/.*&&')") # update the IP adresses in the AGH config file update_agh_config diff --git a/scripts/install b/scripts/install index cd17771c..3fb19956 100644 --- a/scripts/install +++ b/scripts/install @@ -85,10 +85,11 @@ ipv6_interface="$(get_network_interface 6)" configure_network_interface_dnsmasq "$ipv4_interface" "$ipv6_interface" # get IPv4 for the AGH config file (with a starting "- ") -ipv4_addr=$(echo "- " "$(process_ips "$(ip -4 route get 1.2.3.4 2> /dev/null | head -n1 | head -n1)")") +ipv4_addr=$(echo "- " "$(process_ips "$(ip -4 address show "$ipv4_interface" 2> /dev/null | grep inet)")") # get IPv6 for the AGH config file (with a starting "- ") -ipv6_addr=$(echo "- " "$(process_ips "$(ip -6 route get ::1.2.3.4 2> /dev/null | head -n1)")") +# the 'sed' is used to get rid of the network prefix ('/64' for example) +ipv6_addr=$(echo "- " "$(process_ips "$(ip -6 address show "$ipv6_interface" 2> /dev/null | grep inet | sed 's&/.*&&')")") password=$(python3 -c "import bcrypt; print(bcrypt.hashpw(b\"$password\", bcrypt.gensalt(rounds=10)).decode())") ynh_app_setting_set --app="$app" --key=password --value="$password" 
diff --git a/scripts/restore b/scripts/restore index 18e5cba8..961a8451 100644 --- a/scripts/restore +++ b/scripts/restore @@ -52,10 +52,11 @@ ipv6_interface="$(get_network_interface 6)" configure_network_interface_dnsmasq "$ipv4_interface" "$ipv6_interface" # get IPv4 for the AGH config file -ipv4_addr=$(process_ips "$(ip -4 route get 1.2.3.4 2> /dev/null | head -n1 | head -n1)") +ipv4_addr=$(process_ips "$(ip -4 address show "$ipv4_interface" 2> /dev/null | grep inet)") # get IPv6 for the AGH config file -ipv6_addr=$(process_ips "$(ip -6 route get ::1.2.3.4 2> /dev/null | head -n1)") +# the 'sed' is used to get rid of the network prefix ('/64' for example) +ipv6_addr=$(process_ips "$(ip -6 address show "$ipv6_interface" 2> /dev/null | grep inet | sed 's&/.*&&')") # update the IP adresses in the AGH config file update_agh_config diff --git a/scripts/upgrade b/scripts/upgrade index 3706d5b2..4f420654 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -124,11 +124,16 @@ usermod -a -G ssl-cert "$app" #================================================= ynh_script_progression --message="Updating a configuration file..." --weight=1 +# get the name of the network interface in IPv4 and IPv6 +ipv4_interface="$(get_network_interface 4)" +ipv6_interface="$(get_network_interface 6)" + # get IPv4 for the AGH config file -ipv4_addr=$(process_ips "$(ip -4 route get 1.2.3.4 2> /dev/null | head -n1 | head -n1)") +ipv4_addr=$(process_ips "$(ip -4 address show "$ipv4_interface" 2> /dev/null | grep inet)") # get IPv6 for the AGH config file -ipv6_addr=$(process_ips "$(ip -6 route get ::1.2.3.4 2> /dev/null | head -n1)") +# the 'sed' is used to get rid of the network prefix ('/64' for example) +ipv6_addr=$(process_ips "$(ip -6 address show "$ipv6_interface" 2> /dev/null | grep inet | sed 's&/.*&&')") # update the IP adresses in the AGH config file update_agh_config From 7c5ce0d152b9e17d37d787b032b4b8284da677f5 Mon Sep 17 00:00:00 2001 
From: OniriCorpe Date: Thu, 28 Dec 2023 06:24:34 +0100 Subject: [PATCH 115/288] fix --- scripts/_common.sh | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/scripts/_common.sh b/scripts/_common.sh index e0e38409..8f10e9aa 100644 --- a/scripts/_common.sh +++ b/scripts/_common.sh @@ -14,8 +14,13 @@ get_network_interface(){ local IPvx="$1" # note: echo the IP route command to prevent a crash if the server doesn't have any IPv4/6 - # shellcheck disable=SC2005 - echo ipv4_interface="$(echo "$(ip -"$IPvx" route get 1.2.3.4 2> /dev/null)" | head -n1 | grep -oP '(?<=dev )\w+' || true)" + if [[ "$IPvx" = "4" ]]; then + # shellcheck disable=SC2005 + echo "$(echo "$(ip -4 route get 1.2.3.4 2> /dev/null)" | head -n1 | grep -oP '(?<=dev )\w+' || true)" + else + # shellcheck disable=SC2005 + echo "$(echo "$(ip -6 route get ::1.2.3.4 2> /dev/null)" | head -n1 | grep -oP '(?<=dev )\w+' || true)" + fi } configure_network_interface_dnsmasq(){ From 584d0ce893261852c05419fd85642a1b2a39d3a6 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Thu, 28 Dec 2023 06:43:36 +0100 Subject: [PATCH 116/288] trying to better handle ip processing at install --- scripts/_common.sh | 10 ++++++++-- scripts/install | 10 ++++++---- 2 files changed, 14 insertions(+), 6 deletions(-) diff --git a/scripts/_common.sh b/scripts/_common.sh index 8f10e9aa..989b54f8 100644 --- a/scripts/_common.sh +++ b/scripts/_common.sh @@ -81,8 +81,14 @@ process_ips(){ if is_public_ip "$ip" && [ "$open_port_53" == "false" ] ; then break else - processed_ips="$ip" - break + if [[ $is_install = true ]]; then + # to get a dash before each IP + processed_ips="- $ip" + break + else + processed_ips="$ip" + break + fi fi fi done diff --git a/scripts/install b/scripts/install index 3fb19956..7715119c 100644 --- a/scripts/install +++ b/scripts/install 
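Review bot: process_ips now reads `$is_install`, a variable that only the install script sets, so the output format depends on hidden caller state and the bare `$is_install` is unset for the config, restore and upgrade callers. Passing it as an optional argument keeps the contract visible: `local is_install="${2:-false}"` at the top and a second argument `true` from install. Both arms of the new `if` end in `break`, which can be written once after the `fi`. The function starts and ends outside the hunk.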
@@ -84,12 +84,14 @@ ipv6_interface="$(get_network_interface 6)" # put the network interface in a dedicated dnsmasq config configure_network_interface_dnsmasq "$ipv4_interface" "$ipv6_interface" -# get IPv4 for the AGH config file (with a starting "- ") -ipv4_addr=$(echo "- " "$(process_ips "$(ip -4 address show "$ipv4_interface" 2> /dev/null | grep inet)")") +# to warn process_ips that we're doing an installation (to get a dash before each IP) +is_install=true +# get IPv4 for the AGH config file +ipv4_addr=$(process_ips "$(ip -4 address show "$ipv4_interface" 2> /dev/null | grep inet)") -# get IPv6 for the AGH config file (with a starting "- ") +# get IPv6 for the AGH config file # the 'sed' is used to get rid of the network prefix ('/64' for example) -ipv6_addr=$(echo "- " "$(process_ips "$(ip -6 address show "$ipv6_interface" 2> /dev/null | grep inet | sed 's&/.*&&')")") +ipv6_addr=$(process_ips "$(ip -6 address show "$ipv6_interface" 2> /dev/null | grep inet | sed 's&/.*&&')") password=$(python3 -c "import bcrypt; print(bcrypt.hashpw(b\"$password\", bcrypt.gensalt(rounds=10)).decode())") ynh_app_setting_set --app="$app" --key=password --value="$password" From 2153dfe5217c08219218de0cbc879cb785a3ed3b Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Thu, 28 Dec 2023 06:45:25 +0100 Subject: [PATCH 117/288] fix --- scripts/_common.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/_common.sh b/scripts/_common.sh index 989b54f8..e054775c 100644 --- a/scripts/_common.sh +++ b/scripts/_common.sh @@ -81,7 +81,7 @@ process_ips(){ if is_public_ip "$ip" && [ "$open_port_53" == "false" ] ; then break else - if [[ $is_install = true ]]; then + if [[ "${is_install:-}" = true ]]; then # to get a dash before each IP processed_ips="- $ip" break From fd75e1c9e5eea6201d2ba062c9caebef153b4cb5 Mon Sep 17 00:00:00 2001 
From: OniriCorpe Date: Thu, 28 Dec 2023 06:53:47 +0100 Subject: [PATCH 118/288] better phrasing --- scripts/install | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/install b/scripts/install index 7715119c..20eea4f9 100644 --- a/scripts/install +++ b/scripts/install @@ -17,7 +17,7 @@ ynh_script_progression --message="Storing installation settings..." --weight=2 if [[ $dns_over_https == 0 ]]; then dns_over_https="true" # no need to open the ports, as they were opened at the 'Provisioning ports' step - ynh_print_info --message="DoH and DoQ ports have already been opened at port provision step." + ynh_print_info --message="DoH and DoQ ports are open." else dns_over_https="false" # if dns_over_https is false, we need to close ports, From 4c6de3701cb9edb4578d39786bfe66a8c9dfa6f9 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Thu, 28 Dec 2023 07:03:57 +0100 Subject: [PATCH 119/288] fix ipv4 getting --- scripts/config | 4 ++-- scripts/install | 3 ++- scripts/restore | 3 ++- scripts/upgrade | 3 ++- 4 files changed, 8 insertions(+), 5 deletions(-) diff --git a/scripts/config b/scripts/config index a9b878ac..5bddc71f 100644 --- a/scripts/config +++ b/scripts/config @@ -38,8 +38,8 @@ set__open_port_53() { ipv4_interface="$(get_network_interface 4)" ipv6_interface="$(get_network_interface 6)" - # get IPv4 for the AGH config file - ipv4_addr=$(process_ips "$(ip -4 address show "$ipv4_interface" 2> /dev/null | grep inet)") + # the 'sed' is used to get rid of the network prefix ('/24' for example) and the router IP + ipv4_addr=$(process_ips "$(ip -4 address show "$ipv4_interface" 2> /dev/null | grep inet | sed 's&/.*&&')") # get IPv6 for the AGH config file # the 'sed' is used to get rid of the network prefix ('/64' for example) diff --git a/scripts/install b/scripts/install index 20eea4f9..746c949d 100644 --- a/scripts/install +++ b/scripts/install 
@@ -87,7 +87,8 @@ configure_network_interface_dnsmasq "$ipv4_interface" "$ipv6_interface" # to warn process_ips that we're doing an installation (to get a dash before each IP) is_install=true # get IPv4 for the AGH config file -ipv4_addr=$(process_ips "$(ip -4 address show "$ipv4_interface" 2> /dev/null | grep inet)") +# the 'sed' is used to get rid of the network prefix ('/24' for example) and the router IP +ipv4_addr=$(process_ips "$(ip -4 address show "$ipv4_interface" 2> /dev/null | grep inet | sed 's&/.*&&')") # get IPv6 for the AGH config file # the 'sed' is used to get rid of the network prefix ('/64' for example) diff --git a/scripts/restore b/scripts/restore index 961a8451..322612cc 100644 --- a/scripts/restore +++ b/scripts/restore @@ -52,7 +52,8 @@ ipv6_interface="$(get_network_interface 6)" configure_network_interface_dnsmasq "$ipv4_interface" "$ipv6_interface" # get IPv4 for the AGH config file -ipv4_addr=$(process_ips "$(ip -4 address show "$ipv4_interface" 2> /dev/null | grep inet)") +# the 'sed' is used to get rid of the network prefix ('/24' for example) and the router IP +ipv4_addr=$(process_ips "$(ip -4 address show "$ipv4_interface" 2> /dev/null | grep inet | sed 's&/.*&&')") # get IPv6 for the AGH config file # the 'sed' is used to get rid of the network prefix ('/64' for example) diff --git a/scripts/upgrade b/scripts/upgrade index 4f420654..8fb3e769 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -129,7 +129,8 @@ ipv4_interface="$(get_network_interface 4)" ipv6_interface="$(get_network_interface 6)" # get IPv4 for the AGH config file -ipv4_addr=$(process_ips "$(ip -4 address show "$ipv4_interface" 2> /dev/null | grep inet)") +# the 'sed' is used to get rid of the network prefix ('/24' for example) and the router IP +ipv4_addr=$(process_ips "$(ip -4 address show "$ipv4_interface" 2> /dev/null | grep inet | sed 's&/.*&&')") # get IPv6 for the AGH config file # the 'sed' is used to get rid of the network prefix ('/64' for example) 
From 27f111ef66fffb8e39e9eb6aec86f7076ded5d3d Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Thu, 28 Dec 2023 07:15:42 +0100 Subject: [PATCH 120/288] rework process_ips() to effectively get multiple IP if needed --- scripts/_common.sh | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) diff --git a/scripts/_common.sh b/scripts/_common.sh index e054775c..fe0c1724 100644 --- a/scripts/_common.sh +++ b/scripts/_common.sh @@ -71,23 +71,19 @@ process_ips(){ # used to process the IPs to put in the AGH's config file local ips="$1" - local processed_ips + local processed_ips="" for i in $(seq "$(echo "$ips" | wc -w)" -1 1); do ip=$(echo "$ips" | awk "{print \$$i}") # check if the so-called IP really is one if ynh_validate_ip4 --ip_address="$ip" || ynh_validate_ip6 --ip_address="$ip"; then # if the IP is public and the user doesn't want to expose port 53, skip it - if is_public_ip "$ip" && [ "$open_port_53" == "false" ] ; then - break - else + if ! is_public_ip "$ip" && ! [ "$open_port_53" == "false" ] ; then if [[ "${is_install:-}" = true ]]; then # to get a dash before each IP - processed_ips="- $ip" - break + processed_ips+="- $ip " else - processed_ips="$ip" - break + processed_ips+="$ip " fi fi fi From 6e86686cf32c8aae9e2995e139ea5933d2b10a17 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Thu, 28 Dec 2023 07:29:07 +0100 Subject: [PATCH 121/288] fix --- scripts/_common.sh | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/scripts/_common.sh b/scripts/_common.sh index fe0c1724..2e95dd29 100644 --- a/scripts/_common.sh +++ b/scripts/_common.sh 
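Review bot: The rewritten test in process_ips, `if ! is_public_ip "$ip" && ! [ "$open_port_53" == "false" ]`, is not the negation of the old skip condition. It requires the address to be non-public and port 53 to be open at the same time. A private address is therefore dropped whenever `open_port_53` is "false", and a public address is never added even when the user chose to expose port 53, so `processed_ips` can come back empty. The negation of "public and closed" is `if ! { is_public_ip "$ip" && [ "$open_port_53" == "false" ]; }; then`. The end of the loop and of the function lie outside this hunk.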
@@ -77,8 +77,10 @@ process_ips(){ ip=$(echo "$ips" | awk "{print \$$i}") # check if the so-called IP really is one if ynh_validate_ip4 --ip_address="$ip" || ynh_validate_ip6 --ip_address="$ip"; then - # if the IP is public and the user doesn't want to expose port 53, skip it - if ! is_public_ip "$ip" && ! [ "$open_port_53" == "false" ] ; then + # don't process if the IP is public and the port 53 closed + if is_public_ip "$ip" && [ "$open_port_53" == "false" ] ; then + exit 1 + else if [[ "${is_install:-}" = true ]]; then # to get a dash before each IP processed_ips+="- $ip " From fd9db7c7b6a71c3ce8c0936e0941f826b5e79148 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Thu, 28 Dec 2023 07:37:53 +0100 Subject: [PATCH 122/288] fix --- scripts/_common.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/_common.sh b/scripts/_common.sh index 2e95dd29..92020420 100644 --- a/scripts/_common.sh +++ b/scripts/_common.sh @@ -83,9 +83,9 @@ process_ips(){ else if [[ "${is_install:-}" = true ]]; then # to get a dash before each IP - processed_ips+="- $ip " + processed_ips+=" - $ip" else - processed_ips+="$ip " + processed_ips+=" $ip" fi fi fi From 4350238f8ca3a3755ef66abcf44875fd88131aba Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Thu, 28 Dec 2023 07:42:18 +0100 Subject: [PATCH 123/288] real fix lol --- scripts/_common.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/_common.sh b/scripts/_common.sh index 92020420..db0afffb 100644 --- a/scripts/_common.sh +++ b/scripts/_common.sh @@ -83,9 +83,9 @@ process_ips(){ else if [[ "${is_install:-}" = true ]]; then # to get a dash before each IP - processed_ips+=" - $ip" + processed_ips+="- $ip\n" else - processed_ips+=" $ip" + processed_ips+="$ip\n" fi fi fi From 7053fbdc69a8368233c984afba41dab27d84bb89 Mon Sep 17 00:00:00 2001 
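Review bot: In the first hunk on this line (`@@ -77,8 +77,10`), `exit 1` is used to skip a public address while port 53 is closed, but the callers on this page run process_ips inside `$(…)`, so it ends that subshell before the function's final `echo`. Every address collected before the public one is discarded, and the caller's assignment returns status 1, which would abort the whole script if it runs with errexit (not visible here). One public address on the interface thus turns "do not expose this address" into "bind nothing or fail". Replacing `exit 1` with `continue` skips only that address and keeps the filter. The rest of process_ips is outside the hunk.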
From: OniriCorpe Date: Thu, 28 Dec 2023 07:53:35 +0100 Subject: [PATCH 124/288] sigh --- scripts/_common.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/_common.sh b/scripts/_common.sh index db0afffb..e547a511 100644 --- a/scripts/_common.sh +++ b/scripts/_common.sh @@ -83,9 +83,9 @@ process_ips(){ else if [[ "${is_install:-}" = true ]]; then # to get a dash before each IP - processed_ips+="- $ip\n" + processed_ips+=$'- 192.168.42.80\n' else - processed_ips+="$ip\n" + processed_ips+=$'$ip\n' fi fi fi From 75a1fb4cdff3481693b39846cd604b101319e22f Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Thu, 28 Dec 2023 08:01:41 +0100 Subject: [PATCH 125/288] sigh --- scripts/_common.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/_common.sh b/scripts/_common.sh index e547a511..4c22953c 100644 --- a/scripts/_common.sh +++ b/scripts/_common.sh @@ -83,9 +83,9 @@ process_ips(){ else if [[ "${is_install:-}" = true ]]; then # to get a dash before each IP - processed_ips+=$'- 192.168.42.80\n' + processed_ips+=$(printf "$processed_ips\n%s" "- $ip") else - processed_ips+=$'$ip\n' + pprocessed_ips+=$(printf "$processed_ips\n%s" "$ip") fi fi fi From 2423ba05c0b7d6467d3519ebfc4ffe50e929ad99 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Thu, 28 Dec 2023 08:14:42 +0100 Subject: [PATCH 126/288] trying a thing --- scripts/_common.sh | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/scripts/_common.sh b/scripts/_common.sh index 4c22953c..1afcf61d 100644 --- a/scripts/_common.sh +++ b/scripts/_common.sh @@ -81,6 +81,10 @@ process_ips(){ if is_public_ip "$ip" && [ "$open_port_53" == "false" ] ; then exit 1 else + after_first_pass=true + if [ $after_first_pass = true ]; then + processed_ips+=$(printf "$processed_ips\n%s" "/n") + fi if [[ "${is_install:-}" = true ]]; then # to get a dash before each IP processed_ips+=$(printf "$processed_ips\n%s" "- $ip") From bc0a88718052bb5f65cf6b9678a56eaa90e554bc Mon Sep 17 00:00:00 2001 
From: OniriCorpe Date: Thu, 28 Dec 2023 08:17:23 +0100 Subject: [PATCH 127/288] fix --- scripts/_common.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/_common.sh b/scripts/_common.sh index 1afcf61d..62e6cb32 100644 --- a/scripts/_common.sh +++ b/scripts/_common.sh @@ -81,10 +81,10 @@ process_ips(){ if is_public_ip "$ip" && [ "$open_port_53" == "false" ] ; then exit 1 else - after_first_pass=true - if [ $after_first_pass = true ]; then + if [ "${after_first_pass:-}" = true ]; then processed_ips+=$(printf "$processed_ips\n%s" "/n") fi + after_first_pass=true if [[ "${is_install:-}" = true ]]; then # to get a dash before each IP processed_ips+=$(printf "$processed_ips\n%s" "- $ip") From 87c31e7082a1a4ca70139edf4d638e91fa446240 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Thu, 28 Dec 2023 08:25:47 +0100 Subject: [PATCH 128/288] try a fix --- scripts/_common.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/_common.sh b/scripts/_common.sh index 62e6cb32..c66bd0eb 100644 --- a/scripts/_common.sh +++ b/scripts/_common.sh @@ -78,7 +78,7 @@ process_ips(){ # check if the so-called IP really is one if ynh_validate_ip4 --ip_address="$ip" || ynh_validate_ip6 --ip_address="$ip"; then # don't process if the IP is public and the port 53 closed - if is_public_ip "$ip" && [ "$open_port_53" == "false" ] ; then + if [ "$(is_public_ip "$ip")" == 0 ] && [ "$open_port_53" == "false" ] ; then exit 1 else if [ "${after_first_pass:-}" = true ]; then From 68cfa98d49bc16779e459715497c6f32608d2aee Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Sat, 30 Dec 2023 23:07:52 +0100 Subject: [PATCH 129/288] use the same IP config updating in mechanism for all scripts --- conf/AdGuardHome.yaml | 4 +--- scripts/_common.sh | 33 ++++++++++----------------------- scripts/config | 2 +- scripts/install | 5 +++-- scripts/restore | 2 +- scripts/upgrade | 2 +- 6 files changed, 17 insertions(+), 31 deletions(-) 
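Review bot: In the last hunk on this line (`@@ -78,7 +78,7`), `[ "$(is_public_ip "$ip")" == 0 ]` compares what is_public_ip prints with the string `0`, not its exit status. The body of is_public_ip is outside the hunk. If it reports its result through `return` and prints nothing, this test is never true and the public-address filter never fires, so a public address is added to `bind_hosts` even with `open_port_53` set to "false", which would expose the resolver. The previous form, `if is_public_ip "$ip" && [ "$open_port_53" == "false" ] ; then`, tests the exit status directly; if it misbehaved, the fix belongs in is_public_ip's return value.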
diff --git a/conf/AdGuardHome.yaml b/conf/AdGuardHome.yaml index 3ddeeeea..df12248a 100644 --- a/conf/AdGuardHome.yaml +++ b/conf/AdGuardHome.yaml @@ -13,9 +13,7 @@ http_proxy: "" language: "" theme: auto dns: - bind_hosts: - __IPV4_ADDR__ - __IPV6_ADDR__ + bind_hosts: [] port: 53 anonymize_client_ip: false ratelimit: 20 diff --git a/scripts/_common.sh b/scripts/_common.sh index c66bd0eb..9977d64f 100644 --- a/scripts/_common.sh +++ b/scripts/_common.sh @@ -81,16 +81,7 @@ process_ips(){ if [ "$(is_public_ip "$ip")" == 0 ] && [ "$open_port_53" == "false" ] ; then exit 1 else - if [ "${after_first_pass:-}" = true ]; then - processed_ips+=$(printf "$processed_ips\n%s" "/n") - fi - after_first_pass=true - if [[ "${is_install:-}" = true ]]; then - # to get a dash before each IP - processed_ips+=$(printf "$processed_ips\n%s" "- $ip") - else - pprocessed_ips+=$(printf "$processed_ips\n%s" "$ip") - fi + processed_ips+=$(printf "$processed_ips\n%s" "$ip") fi fi done @@ -98,26 +89,22 @@ process_ips(){ echo "${processed_ips:-}" } -update_agh_config(){ +update_agh_ip_config(){ # used to update the IP adresses in the AGHconfig file python3 -c "import yaml with open(\"$install_dir/AdGuardHome.yaml\", 'r') as file: conf_file = yaml.safe_load(file) -need_file_update = False - conf_file[\"dns\"][\"bind_hosts\"] = [] -if \"$ipv4_addr\": - conf_file[\"dns\"][\"bind_hosts\"].append(\"$ipv4_addr\") - need_file_update = True -if \"$ipv6_addr\": - conf_file[\"dns\"][\"bind_hosts\"].append(\"$ipv6_addr\") - need_file_update = True - -if need_file_update: - with open(\"$install_dir/AdGuardHome.yaml\", 'w') as file: - yaml.dump(conf_file, file) + +for ip in \"$ipv4_addr\": + conf_file[\"dns\"][\"bind_hosts\"].append(\"ip\") +for ip in \"$ipv6_addr\": + conf_file[\"dns\"][\"bind_hosts\"].append(\"ip\") + +with open(\"$install_dir/AdGuardHome.yaml\", 'w') as file: + yaml.dump(conf_file, file) " } diff --git a/scripts/config b/scripts/config index 5bddc71f..233efc3f 100644 --- a/scripts/config 
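Review bot: In the second scripts/_common.sh hunk (`@@ -98,26 +89,22`), the new loops in update_agh_ip_config iterate over a string, so `ip` is one character at a time. `.append(\"ip\")` then appends the literal text `ip` rather than the variable, and `bind_hosts` ends up as a list of `ip` strings instead of addresses. The function also builds its Python program by expanding `$install_dir`, `$ipv4_addr` and `$ipv6_addr` inside the source text, so a quote or backslash in any of them changes the code that runs. Passing the values as arguments and splitting them on whitespace addresses both, as sketched below.

```shell
update_agh_ip_config(){
    # … unchanged: leading comment …
    python3 - "$install_dir/AdGuardHome.yaml" "$ipv4_addr" "$ipv6_addr" <<'EOF'
import sys
import yaml

path, ipv4, ipv6 = sys.argv[1:4]
with open(path, 'r') as file:
    conf_file = yaml.safe_load(file)

# one entry per whitespace-separated address, IPv4 first
conf_file["dns"]["bind_hosts"] = ipv4.split() + ipv6.split()

with open(path, 'w') as file:
    yaml.dump(conf_file, file)
EOF
}
```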
+++ b/scripts/config @@ -46,7 +46,7 @@ set__open_port_53() { ipv6_addr=$(process_ips "$(ip -6 address show "$ipv6_interface" 2> /dev/null | grep inet | sed 's&/.*&&')") # update the IP adresses in the AGH config file - update_agh_config + update_agh_ip_config # save the new setting ynh_app_setting_set "$app" --key=open_port_53 --value="$open_port_53" diff --git a/scripts/install b/scripts/install index 746c949d..4e7a2244 100644 --- a/scripts/install +++ b/scripts/install @@ -84,8 +84,6 @@ ipv6_interface="$(get_network_interface 6)" # put the network interface in a dedicated dnsmasq config configure_network_interface_dnsmasq "$ipv4_interface" "$ipv6_interface" -# to warn process_ips that we're doing an installation (to get a dash before each IP) -is_install=true # get IPv4 for the AGH config file # the 'sed' is used to get rid of the network prefix ('/24' for example) and the router IP ipv4_addr=$(process_ips "$(ip -4 address show "$ipv4_interface" 2> /dev/null | grep inet | sed 's&/.*&&')") @@ -94,6 +92,9 @@ ipv4_addr=$(process_ips "$(ip -4 address show "$ipv4_interface" 2> /dev/null | g # the 'sed' is used to get rid of the network prefix ('/64' for example) ipv6_addr=$(process_ips "$(ip -6 address show "$ipv6_interface" 2> /dev/null | grep inet | sed 's&/.*&&')") +# update the IP adresses in the AGH config file +update_agh_ip_config + password=$(python3 -c "import bcrypt; print(bcrypt.hashpw(b\"$password\", bcrypt.gensalt(rounds=10)).decode())") ynh_app_setting_set --app="$app" --key=password --value="$password" diff --git a/scripts/restore b/scripts/restore index 322612cc..ab4d976c 100644 --- a/scripts/restore +++ b/scripts/restore 
@@ -60,7 +60,7 @@ ipv4_addr=$(process_ips "$(ip -4 address show "$ipv4_interface" 2> /dev/null | g ipv6_addr=$(process_ips "$(ip -6 address show "$ipv6_interface" 2> /dev/null | grep inet | sed 's&/.*&&')") # update the IP adresses in the AGH config file -update_agh_config +update_agh_ip_config # this will be treated as a security issue. diff --git a/scripts/upgrade b/scripts/upgrade index 8fb3e769..e16e59e7 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -137,7 +137,7 @@ ipv4_addr=$(process_ips "$(ip -4 address show "$ipv4_interface" 2> /dev/null | g ipv6_addr=$(process_ips "$(ip -6 address show "$ipv6_interface" 2> /dev/null | grep inet | sed 's&/.*&&')") # update the IP adresses in the AGH config file -update_agh_config +update_agh_ip_config chmod 600 "$install_dir/AdGuardHome.yaml" chown -R "$app:$app" "$install_dir/AdGuardHome.yaml" From ccce10f7286694099cd2bd4738f5f7b688b49adb Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Sat, 30 Dec 2023 23:17:15 +0100 Subject: [PATCH 130/288] we no more need break lines --- scripts/_common.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/_common.sh b/scripts/_common.sh index 9977d64f..548fc669 100644 --- a/scripts/_common.sh +++ b/scripts/_common.sh @@ -81,7 +81,7 @@ process_ips(){ if [ "$(is_public_ip "$ip")" == 0 ] && [ "$open_port_53" == "false" ] ; then exit 1 else - processed_ips+=$(printf "$processed_ips\n%s" "$ip") + processed_ips+="$ip " fi fi done From 815c087270f688089ac252ccfb72fc04d43e10da Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Sat, 30 Dec 2023 23:28:09 +0100 Subject: [PATCH 131/288] put the config file at the start, before we use it --- scripts/install | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/scripts/install b/scripts/install index 4e7a2244..803c090c 100644 --- a/scripts/install +++ b/scripts/install 
@@ -77,6 +77,9 @@ usermod -a -G ssl-cert "$app" #================================================= ynh_script_progression --message="Adding a configuration file..." --weight=1 +# Main config File +ynh_add_config --template="AdGuardHome.yaml" --destination="$install_dir/AdGuardHome.yaml" + # get the name of the network interface in IPv4 and IPv6 ipv4_interface="$(get_network_interface 4)" ipv6_interface="$(get_network_interface 6)" @@ -98,9 +101,6 @@ update_agh_ip_config password=$(python3 -c "import bcrypt; print(bcrypt.hashpw(b\"$password\", bcrypt.gensalt(rounds=10)).decode())") ynh_app_setting_set --app="$app" --key=password --value="$password" -# Main config File -ynh_add_config --template="AdGuardHome.yaml" --destination="$install_dir/AdGuardHome.yaml" - chmod 600 "$install_dir/AdGuardHome.yaml" chown -R "$app:$app" "$install_dir/AdGuardHome.yaml" From a46953854d862c5c1e1c00bf7b01a988311d36bb Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Sat, 30 Dec 2023 23:34:00 +0100 Subject: [PATCH 132/288] fix --- scripts/_common.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/_common.sh b/scripts/_common.sh index 548fc669..d2021746 100644 --- a/scripts/_common.sh +++ b/scripts/_common.sh @@ -99,9 +99,9 @@ with open(\"$install_dir/AdGuardHome.yaml\", 'r') as file: conf_file[\"dns\"][\"bind_hosts\"] = [] for ip in \"$ipv4_addr\": - conf_file[\"dns\"][\"bind_hosts\"].append(\"ip\") + conf_file[\"dns\"][\"bind_hosts\"].append(ip) for ip in \"$ipv6_addr\": - conf_file[\"dns\"][\"bind_hosts\"].append(\"ip\") + conf_file[\"dns\"][\"bind_hosts\"].append(ip) with open(\"$install_dir/AdGuardHome.yaml\", 'w') as file: yaml.dump(conf_file, file) From 0e4cd18bee3491b9e94d7318eb7b012c9d77e6ff Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Sat, 30 Dec 2023 23:38:00 +0100 Subject: [PATCH 133/288] fix dnsmask config after AGH removal --- scripts/remove | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/scripts/remove b/scripts/remove index e696f0f8..49d32d7a 100644 --- a/scripts/remove +++ b/scripts/remove @@ -35,6 +35,8 @@ ynh_remove_nginx_config # Remove the dedicated dnsmasq config for AdGuardHome ynh_secure_remove --file="/etc/dnsmasq.d/$app" +systemctl restart dnsmasq + #================================================= # END OF SCRIPT #================================================= From 12e407f08b0a0ff3b367120853ccc4898473bc7d Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Sat, 30 Dec 2023 23:38:57 +0100 Subject: [PATCH 134/288] check if the port 53 has really been released from dnsmasq --- scripts/_common.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/scripts/_common.sh b/scripts/_common.sh index d2021746..fd881976 100644 --- a/scripts/_common.sh +++ b/scripts/_common.sh @@ -46,6 +46,8 @@ configure_network_interface_dnsmasq(){ systemctl restart dnsmasq ynh_store_file_checksum --file="/etc/dnsmasq.d/$app" + + ynh_port_available --port=53 || ynh_die --message="Port 53 is needs to be available for this app" } is_public_ip(){ From 3c60a815d79edbd34861d8b24275e6c87022613f Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Sat, 30 Dec 2023 23:44:35 +0100 Subject: [PATCH 135/288] use split() to split $ipvx_addr variables --- scripts/_common.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/_common.sh b/scripts/_common.sh index fd881976..7cdc2314 100644 --- a/scripts/_common.sh +++ b/scripts/_common.sh @@ -100,9 +100,9 @@ with open(\"$install_dir/AdGuardHome.yaml\", 'r') as file: conf_file[\"dns\"][\"bind_hosts\"] = [] -for ip in \"$ipv4_addr\": +for ip in \"$ipv4_addr\".split(): conf_file[\"dns\"][\"bind_hosts\"].append(ip) -for ip in \"$ipv6_addr\": +for ip in \"$ipv6_addr\".split(): conf_file[\"dns\"][\"bind_hosts\"].append(ip) with open(\"$install_dir/AdGuardHome.yaml\", 'w') as file: From 0c040d97f789e44e93761f5d7be72850570533fe Mon Sep 17 00:00:00 2001 
From: OniriCorpe Date: Sat, 30 Dec 2023 23:47:08 +0100 Subject: [PATCH 136/288] neh --- scripts/install | 2 -- 1 file changed, 2 deletions(-) diff --git a/scripts/install b/scripts/install index 803c090c..6bd5520e 100644 --- a/scripts/install +++ b/scripts/install @@ -41,8 +41,6 @@ else ynh_print_info --message="Port 53 is already closed." fi -ynh_app_setting_set --app="$app" --key=open_port_53 --value="$open_port_53" - #================================================= # DOWNLOAD, CHECK AND UNPACK SOURCE #================================================= From 61e690a5ef37c0d92bcce143388825d994fa3b8c Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Sat, 30 Dec 2023 23:47:40 +0100 Subject: [PATCH 137/288] am dumb lmao --- scripts/install | 2 ++ 1 file changed, 2 insertions(+) diff --git a/scripts/install b/scripts/install index 6bd5520e..803c090c 100644 --- a/scripts/install +++ b/scripts/install @@ -41,6 +41,8 @@ else ynh_print_info --message="Port 53 is already closed." fi +ynh_app_setting_set --app="$app" --key=open_port_53 --value="$open_port_53" + #================================================= # DOWNLOAD, CHECK AND UNPACK SOURCE #================================================= From 1edb6757fff6af48a1c8b3e94f498a8bbcd0be3d Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Sat, 30 Dec 2023 23:47:59 +0100 Subject: [PATCH 138/288] neh2 --- scripts/_common.sh | 2 -- 1 file changed, 2 deletions(-) diff --git a/scripts/_common.sh b/scripts/_common.sh index 7cdc2314..058bdc2b 100644 --- a/scripts/_common.sh +++ b/scripts/_common.sh @@ -46,8 +46,6 @@ configure_network_interface_dnsmasq(){ systemctl restart dnsmasq ynh_store_file_checksum --file="/etc/dnsmasq.d/$app" - - ynh_port_available --port=53 || ynh_die --message="Port 53 is needs to be available for this app" } is_public_ip(){ From 3e04b8a607a307969dca08fc977663b1a90b8bff Mon Sep 17 00:00:00 2001 
From: OniriCorpe Date: Sat, 30 Dec 2023 23:53:53 +0100 Subject: [PATCH 139/288] add comments to update_agh_ip_config() --- scripts/_common.sh | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/scripts/_common.sh b/scripts/_common.sh index 058bdc2b..00e1d334 100644 --- a/scripts/_common.sh +++ b/scripts/_common.sh @@ -92,17 +92,21 @@ process_ips(){ update_agh_ip_config(){ # used to update the IP adresses in the AGHconfig file +# use python's yaml and open the AGH config file python3 -c "import yaml with open(\"$install_dir/AdGuardHome.yaml\", 'r') as file: conf_file = yaml.safe_load(file) +# reset the IPs in the AGH config file conf_file[\"dns\"][\"bind_hosts\"] = [] +# add each IPv4 and IPv6 in the AGH config file for ip in \"$ipv4_addr\".split(): conf_file[\"dns\"][\"bind_hosts\"].append(ip) for ip in \"$ipv6_addr\".split(): conf_file[\"dns\"][\"bind_hosts\"].append(ip) +# save the config file with open(\"$install_dir/AdGuardHome.yaml\", 'w') as file: yaml.dump(conf_file, file) " From 558f6209e6f5d7deb4c5f796a41bc88e9b06c1c6 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Sat, 30 Dec 2023 23:58:33 +0100 Subject: [PATCH 140/288] fix password in the config file --- scripts/install | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/scripts/install b/scripts/install index 803c090c..4a2cb0c6 100644 --- a/scripts/install +++ b/scripts/install @@ -77,6 +77,10 @@ usermod -a -G ssl-cert "$app" #================================================= ynh_script_progression --message="Adding a configuration file..." --weight=1 +# user's password encryption +password=$(python3 -c "import bcrypt; print(bcrypt.hashpw(b\"$password\", bcrypt.gensalt(rounds=10)).decode())") +ynh_app_setting_set --app="$app" --key=password --value="$password" + # Main config File ynh_add_config --template="AdGuardHome.yaml" --destination="$install_dir/AdGuardHome.yaml" 
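Review bot: In the scripts/install hunk (`@@ -77,6 +77,10`), the moved `password=$(python3 -c "… b\"$password\" …")` line splices the admin password into Python source. A password containing `"` or `\` changes the program that runs instead of being hashed as data, and the plaintext is part of the `python3` command line for as long as it runs. Feeding it on stdin keeps it out of both: `password=$(printf '%s' "$password" | python3 -c 'import sys, bcrypt; print(bcrypt.hashpw(sys.stdin.buffer.read(), bcrypt.gensalt(rounds=10)).decode())')`. The new comment would also be more accurate as `# hash the user's password with bcrypt`, since bcrypt is a one-way hash and not encryption.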
@@ -98,9 +102,6 @@ ipv6_addr=$(process_ips "$(ip -6 address show "$ipv6_interface" 2> /dev/null | g # update the IP adresses in the AGH config file update_agh_ip_config -password=$(python3 -c "import bcrypt; print(bcrypt.hashpw(b\"$password\", bcrypt.gensalt(rounds=10)).decode())") -ynh_app_setting_set --app="$app" --key=password --value="$password" - chmod 600 "$install_dir/AdGuardHome.yaml" chown -R "$app:$app" "$install_dir/AdGuardHome.yaml" From 3887e14886fd0a92d18f5a8b7dfea48b2c47ddd6 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Sat, 30 Dec 2023 23:59:23 +0100 Subject: [PATCH 141/288] no longer needed --- check_process | 28 ---------------------------- 1 file changed, 28 deletions(-) delete mode 100644 check_process diff --git a/check_process b/check_process deleted file mode 100644 index 75a77b0a..00000000 --- a/check_process +++ /dev/null @@ -1,28 +0,0 @@ -;; Test complet - ; Manifest - domain="domain.tld" - path="/path" - admin="john" - password="1Strong-Password" - dns_over_https=1 - ; Checks - pkg_linter=1 - setup_sub_dir=1 - setup_root=1 - setup_nourl=0 - setup_private=1 - setup_public=1 - upgrade=1 - upgrade=1 from_commit=c57900238fe703377b39d2dc54027e4b5303e9e6 - # 0.107.8~ynh1 - upgrade=1 from_commit=66d2a70352aa1337f0f7fcef20a91efaf557b0ec - backup_restore=1 - multi_instance=0 - change_url=1 -;;; Options -Email= -Notification=none -;;; Upgrade options - ; commit=c57900238fe703377b39d2dc54027e4b5303e9e6 - name=0.107.2, 5 JAN 22 - manifest_arg=domain=DOMAIN&path=PATH&admin=USER&is_public=1&password=pass& \ No newline at end of file From 4c3dab8147f0343218382b510a53ce5ae2dfdf5e Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Sun, 31 Dec 2023 00:03:30 +0100 Subject: [PATCH 142/288] add help text --- config_panel.toml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/config_panel.toml b/config_panel.toml index cbf2d875..bf73e737 100644 --- a/config_panel.toml +++ b/config_panel.toml 
@@ -9,6 +9,7 @@ ask = "Expose port 53 to the Internet?" no = "false" type = "boolean" yes = "true" +help = "If so, anyone who knows your server's IP can make a DNS request to it. It may be used to perform amplification attacks: https://en.wikipedia.org/wiki/Denial-of-service_attack#Amplification" [main.options.dns_over_https] ask = "Enable DNS-over-HTTPS/QUIC?" @@ -16,3 +17,4 @@ no = "false" type = "boolean" yes = "true" bind = "tls>enabled:__INSTALL_DIR__/AdGuardHome.yaml" +help = "If so, anyone who knows your adguard address can make a doh request to https://adguardomain.tld/dns-query" From ff6ef61ce14978f2ec60ed3a921fbfd4a427e4a2 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Sun, 31 Dec 2023 00:04:47 +0100 Subject: [PATCH 143/288] increase ram usage to have some margin --- manifest.toml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/manifest.toml b/manifest.toml index 3727c65a..9d7f989a 100644 --- a/manifest.toml +++ b/manifest.toml @@ -21,8 +21,8 @@ architectures = "all" disk = "50M" ldap = false multi_instance = false -ram.build = "50M" -ram.runtime = "50M" +ram.build = "200M" +ram.runtime = "200M" sso = false yunohost = ">= 11.2" From 00936aea855461874d106e1289ec68c7b851d46d Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Sun, 31 Dec 2023 00:28:51 +0100 Subject: [PATCH 144/288] debug prints no longer needed --- scripts/install | 3 --- scripts/upgrade | 3 --- 2 files changed, 6 deletions(-) diff --git a/scripts/install b/scripts/install index 4a2cb0c6..a1d950cf 100644 --- a/scripts/install +++ b/scripts/install @@ -128,6 +128,3 @@ ynh_systemd_action --service_name="$app" --action="restart" --log_path=systemd #================================================= ynh_script_progression --message="Installation of $app completed" --last - -# temporarily cat the AGH config for debug purposes -ynh_print_info --message="$(head -n 30 /var/www/adguardhome/AdGuardHome.yaml)" \ No newline at end of file 
diff --git a/scripts/upgrade b/scripts/upgrade index e16e59e7..8dd07661 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -154,6 +154,3 @@ ynh_systemd_action --service_name="$app" --action="restart" --log_path="systemd" #================================================= ynh_script_progression --message="Upgrade of $app completed" --last - -# temporarily show the AGH config for debug purposes -ynh_print_info --message="$(head -n 30 /var/www/adguardhome/AdGuardHome.yaml)" \ No newline at end of file From 56b9a133acada900a862d75f1cc8a3d8e12014ca Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Sun, 31 Dec 2023 00:34:41 +0100 Subject: [PATCH 145/288] put opening/closing ports info messages in upgrade script too --- scripts/install | 2 +- scripts/upgrade | 8 ++++++-- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/scripts/install b/scripts/install index a1d950cf..16112f60 100644 --- a/scripts/install +++ b/scripts/install @@ -38,7 +38,7 @@ if [[ $open_port_53 == 0 ]]; then ynh_exec_warn_less yunohost firewall reload else open_port_53="false" - ynh_print_info --message="Port 53 is already closed." + ynh_print_info --message="Port 53 is closed." fi ynh_app_setting_set --app="$app" --key=open_port_53 --value="$open_port_53" diff --git a/scripts/upgrade b/scripts/upgrade index 8dd07661..c4c7516f 100644 --- a/scripts/upgrade +++ b/scripts/upgrade 
@@ -33,22 +33,26 @@ if [ -z "${open_port_53:-}" ] && [ "${open_port_53:-}" = true ]; then open_port_53="true" ynh_app_setting_set --app="$app" --key=open_port_53 --value="$open_port_53" # if open_port_53 is true, we need to open port 53 + ynh_print_info --message="Opening port 53..." ynh_exec_warn_less yunohost firewall allow Both 53 ynh_exec_warn_less yunohost firewall reload elif [ -n "${open_port_53:-}" ] || [ "${open_port_53:-}" = false ]; then open_port_53="false" ynh_app_setting_set --app="$app" --key=open_port_53 --value="$open_port_53" + ynh_print_info --message="Port 53 is closed." fi if [ -z "${dns_over_https:-}" ] && [ "${dns_over_https:-}" = true ]; then dns_over_https="true" ynh_app_setting_set --app="$app" --key=dns_over_https --value=$dns_over_https - # no need to open the ports, as they were opened at the 'Provisioning ports' step + # no need to open the ports, as they were opened at the 'Provisioning ports' step + ynh_print_info --message="DoH and DoQ ports are open." elif [ -n "${dns_over_https:-}" ] || [ "${dns_over_https:-}" = false ]; then dns_over_https="false" ynh_app_setting_set --app="$app" --key=dns_over_https --value=$dns_over_https - # if dns_over_https is false, we need to close ports, + # if dns_over_https is false, we need to close ports, # as they were opened at the 'Provisioning ports' step + ynh_print_info --message="Closing DoH and DoQ ports..." ynh_exec_warn_less yunohost firewall disallow Both "$port_dns_over_http" ynh_exec_warn_less yunohost firewall disallow UDP "$port_dns_over_quic" ynh_exec_warn_less yunohost firewall reload From 29cd1df5c320a3fd00ed91ecf261259baf23b961 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Sun, 31 Dec 2023 00:45:36 +0100 Subject: [PATCH 146/288] add 2 ynh_print_info --- scripts/config | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/scripts/config b/scripts/config index 233efc3f..ee054a1f 100644 --- a/scripts/config +++ b/scripts/config 
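Review bot: The new "Opening port 53..." and "DoH and DoQ ports are open." messages sit in branches that can never run. Their guard, `[ -z "${open_port_53:-}" ] && [ "${open_port_53:-}" = true ]` (and the same shape for `dns_over_https`), needs the value to be both empty and `true`. The `elif [ -n … ] || [ … = false ]` branches match any non-empty value, so a stored "true" is overwritten with "false" on upgrade. For port 53 the script then reports "Port 53 is closed." with no `firewall disallow` call in this hunk, and for DoH/DoQ the ports really are closed, so the message and the stored setting can disagree with the firewall. If the aim is to default an unset setting, a plain `if [ "${open_port_53:-}" = true ]; then … else … fi` expresses it; the intended default is not visible here and should be confirmed.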
@@ -34,6 +34,8 @@ set__open_port_53() { # regenerate config, needed to add or delete public IPs following the user's choice + ynh_print_info --message="Obtaining IP addresses for the AGH config file..." + # get the name of the network interface in IPv4 and IPv6 ipv4_interface="$(get_network_interface 4)" ipv6_interface="$(get_network_interface 6)" @@ -45,6 +47,8 @@ set__open_port_53() { # the 'sed' is used to get rid of the network prefix ('/64' for example) ipv6_addr=$(process_ips "$(ip -6 address show "$ipv6_interface" 2> /dev/null | grep inet | sed 's&/.*&&')") + ynh_print_info --message="Updating the AGH config file..." + # update the IP adresses in the AGH config file update_agh_ip_config @@ -74,7 +78,7 @@ set__dns_over_https() { # save the new setting ynh_app_setting_set "$app" --key=dns_over_https --value="$dns_over_https" } - + #================================================= # GENERIC FINALIZATION #================================================= From dee489790dd64db2b19a6dc96518fd0ba43ba934 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Sun, 31 Dec 2023 00:56:29 +0100 Subject: [PATCH 147/288] debug ip --- scripts/upgrade | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/scripts/upgrade b/scripts/upgrade index c4c7516f..c922ee3e 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -140,6 +140,10 @@ ipv4_addr=$(process_ips "$(ip -4 address show "$ipv4_interface" 2> /dev/null | g # the 'sed' is used to get rid of the network prefix ('/64' for example) ipv6_addr=$(process_ips "$(ip -6 address show "$ipv6_interface" 2> /dev/null | grep inet | sed 's&/.*&&')") +# debug +ynh_print_info --message="IPv4: $ipv4_addr" +ynh_print_info --message="IPv6: $ipv6_addr" + # update the IP adresses in the AGH config file update_agh_ip_config From 82d0ea33921280bfb40f63f5c88ee97ada93f224 Mon Sep 17 00:00:00 2001 
From: OniriCorpe Date: Sun, 31 Dec 2023 01:04:35 +0100 Subject: [PATCH 148/288] add docs link in config panel --- config_panel.toml | 1 + 1 file changed, 1 insertion(+) diff --git a/config_panel.toml b/config_panel.toml index bf73e737..1f1c069e 100644 --- a/config_panel.toml +++ b/config_panel.toml @@ -2,6 +2,7 @@ version = "1.0" [main] name = "AdGuard Home configuration" +help = "If any trouble or question, please refer to [the package's admin docs](https://github.com/YunoHost-Apps/adguardhome_ynh/blob/master/doc/ADMIN.md)!" services = ["__APP__"] [main.options.open_port_53] From a7ddbdeae2ff7f974c0aac04a10b0a090877f8d7 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Sun, 31 Dec 2023 01:07:48 +0100 Subject: [PATCH 149/288] fix if or --- scripts/_common.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/_common.sh b/scripts/_common.sh index 00e1d334..6cdfb30a 100644 --- a/scripts/_common.sh +++ b/scripts/_common.sh @@ -76,7 +76,7 @@ process_ips(){ for i in $(seq "$(echo "$ips" | wc -w)" -1 1); do ip=$(echo "$ips" | awk "{print \$$i}") # check if the so-called IP really is one - if ynh_validate_ip4 --ip_address="$ip" || ynh_validate_ip6 --ip_address="$ip"; then + if [[ $(ynh_validate_ip4 --ip_address="$ip") || $(ynh_validate_ip6 --ip_address="$ip") ]] ; then # don't process if the IP is public and the port 53 closed if [ "$(is_public_ip "$ip")" == 0 ] && [ "$open_port_53" == "false" ] ; then exit 1 From 4181ed6204487961ac611a7f7d7c44686e600c5c Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Sun, 31 Dec 2023 01:19:22 +0100 Subject: [PATCH 150/288] fixes --- config_panel.toml | 2 +- scripts/_common.sh | 6 +++++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/config_panel.toml b/config_panel.toml index 1f1c069e..cb9f4d2c 100644 --- a/config_panel.toml +++ b/config_panel.toml 
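Review bot: In the `scripts/_common.sh` hunk, the new test `[[ $(ynh_validate_ip4 --ip_address="$ip") || $(ynh_validate_ip6 --ip_address="$ip") ]]` checks whether the helpers print anything, not whether they succeed, so the exit status of both validators is discarded. If the helpers report validity through their return code, as the replaced form assumed, every candidate is rejected and `process_ips` returns no address. The later hunks that rewrite this line as `[ "$(...)" ] || [ "$(...)" ]` and as `[[ "$(...)" == 0 ]]` have the same problem, since they also test captured output. Keep the exit-status form: `if ynh_validate_ip4 --ip_address="$ip" || ynh_validate_ip6 --ip_address="$ip"; then`. `process_ips` starts and ends outside the hunk.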
@@ -2,7 +2,7 @@ version = "1.0" [main] name = "AdGuard Home configuration" -help = "If any trouble or question, please refer to [the package's admin docs](https://github.com/YunoHost-Apps/adguardhome_ynh/blob/master/doc/ADMIN.md)!" +help = "If any trouble or question, please refer to the admin documentation right below!" services = ["__APP__"] [main.options.open_port_53] diff --git a/scripts/_common.sh b/scripts/_common.sh index 6cdfb30a..91a78bb9 100644 --- a/scripts/_common.sh +++ b/scripts/_common.sh @@ -76,7 +76,7 @@ process_ips(){ for i in $(seq "$(echo "$ips" | wc -w)" -1 1); do ip=$(echo "$ips" | awk "{print \$$i}") # check if the so-called IP really is one - if [[ $(ynh_validate_ip4 --ip_address="$ip") || $(ynh_validate_ip6 --ip_address="$ip") ]] ; then + if [ "$(ynh_validate_ip4 --ip_address="$ip")" ] || [ "$(ynh_validate_ip6 --ip_address="$ip")" ] ; then # don't process if the IP is public and the port 53 closed if [ "$(is_public_ip "$ip")" == 0 ] && [ "$open_port_53" == "false" ] ; then exit 1 @@ -92,6 +92,10 @@ process_ips(){ update_agh_ip_config(){ # used to update the IP adresses in the AGHconfig file +if [ -z "${ipv4_addr:-}" ] && [ -z "${ipv6_addr:-}" ]; then + ynh_die --message="At leat one IP adress is required to run AdGuard Home. Please report this error." +fi + # use python's yaml and open the AGH config file python3 -c "import yaml with open(\"$install_dir/AdGuardHome.yaml\", 'r') as file: From 799b5b22e8566275549dada8e827423bebf0b4a2 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Sun, 31 Dec 2023 01:24:22 +0100 Subject: [PATCH 151/288] try a fix --- scripts/_common.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/_common.sh b/scripts/_common.sh index 91a78bb9..2e555bbd 100644 --- a/scripts/_common.sh +++ b/scripts/_common.sh 
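Review bot: The `ynh_die` message added at the top of `update_agh_ip_config` has two typos in user-facing text ("leat", "adress"); it should read `ynh_die --message="At least one IP address is required to run AdGuard Home. Please report this error."`. In the context just below, `$install_dir` is expanded by the shell into the source text of the `python3 -c` program, so a path containing a quote or backslash would change the Python code rather than just the file name. Passing the path through the environment or `sys.argv` keeps data out of the code string. The function body continues outside the hunk, so the YAML loader it uses cannot be checked from here.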
@@ -79,7 +79,7 @@ process_ips(){ if [ "$(ynh_validate_ip4 --ip_address="$ip")" ] || [ "$(ynh_validate_ip6 --ip_address="$ip")" ] ; then # don't process if the IP is public and the port 53 closed if [ "$(is_public_ip "$ip")" == 0 ] && [ "$open_port_53" == "false" ] ; then - exit 1 + processed_ips+="" else processed_ips+="$ip " fi From 1c198b3f425fb1ccf37ccebdd4725d2d0743dbd6 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Sun, 31 Dec 2023 01:25:00 +0100 Subject: [PATCH 152/288] comment --- scripts/_common.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/scripts/_common.sh b/scripts/_common.sh index 2e555bbd..cac75a2e 100644 --- a/scripts/_common.sh +++ b/scripts/_common.sh @@ -79,6 +79,7 @@ process_ips(){ if [ "$(ynh_validate_ip4 --ip_address="$ip")" ] || [ "$(ynh_validate_ip6 --ip_address="$ip")" ] ; then # don't process if the IP is public and the port 53 closed if [ "$(is_public_ip "$ip")" == 0 ] && [ "$open_port_53" == "false" ] ; then + # don't add this IP processed_ips+="" else processed_ips+="$ip " From 29c6b0a04b6b68310d84233a034b7c0c400601f3 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Sun, 31 Dec 2023 01:27:17 +0100 Subject: [PATCH 153/288] use no-op command --- scripts/_common.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/_common.sh b/scripts/_common.sh index cac75a2e..4596ed0e 100644 --- a/scripts/_common.sh +++ b/scripts/_common.sh @@ -79,8 +79,8 @@ process_ips(){ if [ "$(ynh_validate_ip4 --ip_address="$ip")" ] || [ "$(ynh_validate_ip6 --ip_address="$ip")" ] ; then # don't process if the IP is public and the port 53 closed if [ "$(is_public_ip "$ip")" == 0 ] && [ "$open_port_53" == "false" ] ; then - # don't add this IP - processed_ips+="" + # don't add this IP (do nothing) + : else processed_ips+="$ip " fi From 5bec155503cd7cad882ceb5683ba969117a29999 Mon Sep 17 00:00:00 2001 
From: OniriCorpe Date: Sun, 31 Dec 2023 01:28:39 +0100 Subject: [PATCH 154/288] comment --- scripts/_common.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/scripts/_common.sh b/scripts/_common.sh index 4596ed0e..65403100 100644 --- a/scripts/_common.sh +++ b/scripts/_common.sh @@ -82,6 +82,7 @@ process_ips(){ # don't add this IP (do nothing) : else + # add this IP and a space as IP delimiter processed_ips+="$ip " fi fi From 515b371a7dbdbb0709c17267f53ea96e2bc162fe Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Sun, 31 Dec 2023 02:04:04 +0100 Subject: [PATCH 155/288] fix process_ips() --- scripts/_common.sh | 27 +++++++++++++++------------ 1 file changed, 15 insertions(+), 12 deletions(-) diff --git a/scripts/_common.sh b/scripts/_common.sh index 65403100..05a14779 100644 --- a/scripts/_common.sh +++ b/scripts/_common.sh @@ -73,19 +73,22 @@ process_ips(){ local ips="$1" local processed_ips="" - for i in $(seq "$(echo "$ips" | wc -w)" -1 1); do - ip=$(echo "$ips" | awk "{print \$$i}") - # check if the so-called IP really is one - if [ "$(ynh_validate_ip4 --ip_address="$ip")" ] || [ "$(ynh_validate_ip6 --ip_address="$ip")" ] ; then - # don't process if the IP is public and the port 53 closed - if [ "$(is_public_ip "$ip")" == 0 ] && [ "$open_port_53" == "false" ] ; then - # don't add this IP (do nothing) - : - else - # add this IP and a space as IP delimiter - processed_ips+="$ip " - fi + # remove the 'inet6' and 'inet' from the IP + ips="$(echo "$ips" | sed "s/inet6//g ; s/inet//g")" + + # for each IP + for ip in $ips; do + # check if the so-called IP really is one + if [ "$(ynh_validate_ip4 --ip_address="$ip")" ] || [ "$(ynh_validate_ip6 --ip_address="$ip")" ] ; then + # don't process if the IP is public and the port 53 closed + if [ "$(is_public_ip "$ip")" == 0 ] && [ "$open_port_53" == "false" ] ; then + # don't add this IP (do nothing) + : + else + # add this IP and a space as IP delimiter + processed_ips+="$ip " fi + fi done echo "${processed_ips:-}" 
From 546bcb26fd518bf280dab11a5007b7d9387bfdbe Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Sun, 31 Dec 2023 02:17:08 +0100 Subject: [PATCH 156/288] fix --- scripts/_common.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/scripts/_common.sh b/scripts/_common.sh index 05a14779..31ea5da6 100644 --- a/scripts/_common.sh +++ b/scripts/_common.sh @@ -73,15 +73,15 @@ process_ips(){ local ips="$1" local processed_ips="" - # remove the 'inet6' and 'inet' from the IP + # remove the 'inet6' and 'inet' from the IP addresses string ips="$(echo "$ips" | sed "s/inet6//g ; s/inet//g")" # for each IP for ip in $ips; do # check if the so-called IP really is one - if [ "$(ynh_validate_ip4 --ip_address="$ip")" ] || [ "$(ynh_validate_ip6 --ip_address="$ip")" ] ; then + if [[ "$(ynh_validate_ip4 --ip_address="$ip")" == 0 ]] || [[ "$(ynh_validate_ip6 --ip_address="$ip")" == 0 ]]; then # don't process if the IP is public and the port 53 closed - if [ "$(is_public_ip "$ip")" == 0 ] && [ "$open_port_53" == "false" ] ; then + if [ "$(is_public_ip "$ip")" == 0 ] && [ "$open_port_53" == "false" ]; then # don't add this IP (do nothing) : else From a4f840ff076c79b023fc2412cc1f7542fb350869 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Sun, 31 Dec 2023 03:02:14 +0100 Subject: [PATCH 157/288] sigh --- scripts/_common.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/_common.sh b/scripts/_common.sh index 31ea5da6..9fd49221 100644 --- a/scripts/_common.sh +++ b/scripts/_common.sh 
@@ -79,7 +79,7 @@ process_ips(){ # for each IP for ip in $ips; do # check if the so-called IP really is one - if [[ "$(ynh_validate_ip4 --ip_address="$ip")" == 0 ]] || [[ "$(ynh_validate_ip6 --ip_address="$ip")" == 0 ]]; then + if [[ "$(ynh_validate_ip4 --ip_address="$ip")" == 0 || "$(ynh_validate_ip6 --ip_address="$ip")" == 0 ]]; then # don't process if the IP is public and the port 53 closed if [ "$(is_public_ip "$ip")" == 0 ] && [ "$open_port_53" == "false" ]; then # don't add this IP (do nothing) From fa246d0b36b348ae70a784b470805378c7f26146 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Sun, 31 Dec 2023 03:11:29 +0100 Subject: [PATCH 158/288] idk sigh --- scripts/_common.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/_common.sh b/scripts/_common.sh index 9fd49221..b66497be 100644 --- a/scripts/_common.sh +++ b/scripts/_common.sh @@ -79,7 +79,7 @@ process_ips(){ # for each IP for ip in $ips; do # check if the so-called IP really is one - if [[ "$(ynh_validate_ip4 --ip_address="$ip")" == 0 || "$(ynh_validate_ip6 --ip_address="$ip")" == 0 ]]; then + if [[ $(ynh_validate_ip4 --ip_address="$ip") == 0 || $(ynh_validate_ip6 --ip_address="$ip") == 0 ]]; then # don't process if the IP is public and the port 53 closed if [ "$(is_public_ip "$ip")" == 0 ] && [ "$open_port_53" == "false" ]; then # don't add this IP (do nothing) From 5f9bdc4a63f80499abedbc956a89b5589499b72a Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Sun, 31 Dec 2023 03:37:10 +0100 Subject: [PATCH 159/288] debug --- scripts/_common.sh | 3 +++ 1 file changed, 3 insertions(+) diff --git a/scripts/_common.sh b/scripts/_common.sh index b66497be..b81b4c23 100644 --- a/scripts/_common.sh +++ b/scripts/_common.sh 
@@ -81,10 +81,13 @@ process_ips(){ # check if the so-called IP really is one if [[ $(ynh_validate_ip4 --ip_address="$ip") == 0 || $(ynh_validate_ip6 --ip_address="$ip") == 0 ]]; then # don't process if the IP is public and the port 53 closed + echo "IP validated: $ip" if [ "$(is_public_ip "$ip")" == 0 ] && [ "$open_port_53" == "false" ]; then # don't add this IP (do nothing) + echo "don't add" : else + echo "add" # add this IP and a space as IP delimiter processed_ips+="$ip " fi From 06e61b08de52817917bd70710130f2b57bfffb50 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Sun, 31 Dec 2023 03:44:57 +0100 Subject: [PATCH 160/288] humpft --- scripts/_common.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/_common.sh b/scripts/_common.sh index b81b4c23..9467def8 100644 --- a/scripts/_common.sh +++ b/scripts/_common.sh @@ -79,7 +79,7 @@ process_ips(){ # for each IP for ip in $ips; do # check if the so-called IP really is one - if [[ $(ynh_validate_ip4 --ip_address="$ip") == 0 || $(ynh_validate_ip6 --ip_address="$ip") == 0 ]]; then + if ynh_validate_ip4 --ip_address="$ip" || ynh_validate_ip6 --ip_address="$ip"; then # don't process if the IP is public and the port 53 closed echo "IP validated: $ip" if [ "$(is_public_ip "$ip")" == 0 ] && [ "$open_port_53" == "false" ]; then From fab6dcce386b127fd930c36a7bc82a89bdff34ab Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Sun, 31 Dec 2023 03:48:46 +0100 Subject: [PATCH 161/288] fix and remove debug echo --- scripts/_common.sh | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/scripts/_common.sh b/scripts/_common.sh index 9467def8..906d2bac 100644 --- a/scripts/_common.sh +++ b/scripts/_common.sh 
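Review bot: The three `echo` debug lines added inside `process_ips` write to stdout, which is the function's return channel: it ends with `echo "${processed_ips:-}"` and callers capture it with `$(process_ips ...)`. While these lines are present, "IP validated: ...", "add" and "don't add" become part of `ipv4_addr` and `ipv6_addr` and are handed on to `update_agh_ip_config`. Send diagnostics to stderr instead, for example `echo "IP validated: $ip" >&2`. The function starts and ends outside the hunk.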
@@ -81,13 +81,10 @@ process_ips(){ # check if the so-called IP really is one if ynh_validate_ip4 --ip_address="$ip" || ynh_validate_ip6 --ip_address="$ip"; then # don't process if the IP is public and the port 53 closed - echo "IP validated: $ip" - if [ "$(is_public_ip "$ip")" == 0 ] && [ "$open_port_53" == "false" ]; then + if is_public_ip "$ip" && [ "$open_port_53" == "false" ]; then # don't add this IP (do nothing) - echo "don't add" : else - echo "add" # add this IP and a space as IP delimiter processed_ips+="$ip " fi From 2d8e14ae608ce6455915ccedeef10aad0bee59fe Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Sun, 31 Dec 2023 04:17:54 +0100 Subject: [PATCH 162/288] we can't use IPv6 LLA for DNS --- scripts/_common.sh | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/scripts/_common.sh b/scripts/_common.sh index 906d2bac..c29356c4 100644 --- a/scripts/_common.sh +++ b/scripts/_common.sh @@ -80,13 +80,17 @@ process_ips(){ for ip in $ips; do # check if the so-called IP really is one if ynh_validate_ip4 --ip_address="$ip" || ynh_validate_ip6 --ip_address="$ip"; then - # don't process if the IP is public and the port 53 closed - if is_public_ip "$ip" && [ "$open_port_53" == "false" ]; then - # don't add this IP (do nothing) - : - else - # add this IP and a space as IP delimiter - processed_ips+="$ip " + # we can't use IPv6 LLA for DNS: https://github.com/AdguardTeam/AdGuardHome/issues/2926#issuecomment-1284489380 + # if we try to bind port 53 on a fe80:: address, AGH crashes + if ! [[ "$ip" =~ ^fe80:* ]]; then + # don't process if the IP is public and the port 53 closed + if is_public_ip "$ip" && [ "$open_port_53" == "false" ]; then + # don't add this IP (do nothing) + : + else + # add this IP and a space as IP delimiter + processed_ips+="$ip " + fi fi fi done From b5a1c3955401b510fc8bde8387dc9a54ae2ca42c Mon Sep 17 00:00:00 2001 
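Review bot: In the link-local filter added by the second hunk on this line, `^fe80:*` is a regular expression under `=~`, so `:*` means "zero or more colons" and the test reduces to "starts with fe80". `if ! [[ "$ip" =~ ^fe80: ]]; then` states what the comment describes. The match is also case-sensitive and covers only the `fe80` prefix, whereas the link-local range is `fe80::/10`; that is probably enough for addresses printed by `ip`, but a short comment saying so would help. The nested no-op branch (`:`) could be removed by negating the inner condition, which would also drop one indentation level.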
From: OniriCorpe Date: Sun, 31 Dec 2023 04:24:31 +0100 Subject: [PATCH 163/288] warn about IPv6 LLA --- doc/ADMIN.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/doc/ADMIN.md b/doc/ADMIN.md index 73c2a912..1a6cf6eb 100644 --- a/doc/ADMIN.md +++ b/doc/ADMIN.md @@ -25,7 +25,8 @@ Any IP that doesn't start with the folowing are public ones: - `192.168.` - `fcxx:` (where the `x` can be any hexadecimal character) - `fdxx:` (where the `x` can be any hexadecimal character) -- `fe80:` + +**Warning:** IPv6 starting with `fe80:` (IPv6 LLA) can't be used for DNS purposes, if you try to put one in the AGH config, it won't work. So, any other IP should be a public one. From 1828efa42652ad44fda51f98855d4a8b39f42dbc Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Sun, 31 Dec 2023 04:48:18 +0100 Subject: [PATCH 164/288] update the AGH config when enabling or disabling DoH --- scripts/config | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/scripts/config b/scripts/config index ee054a1f..41ed02cf 100644 --- a/scripts/config +++ b/scripts/config @@ -47,9 +47,8 @@ set__open_port_53() { # the 'sed' is used to get rid of the network prefix ('/64' for example) ipv6_addr=$(process_ips "$(ip -6 address show "$ipv6_interface" 2> /dev/null | grep inet | sed 's&/.*&&')") - ynh_print_info --message="Updating the AGH config file..." - # update the IP adresses in the AGH config file + ynh_print_info --message="Updating the AGH config file..." update_agh_ip_config # save the new setting 
@@ -75,6 +74,10 @@ set__dns_over_https() { ynh_print_warn --message="The variable 'dns_over_https' should be 'true' or 'false' but isn't, please report this." fi + # update the value in the AGH config file + ynh_print_info --message="Updating the AGH config file..." + ynh_write_var_in_file --file="$install_dir/AdGuardHome.yaml" --key="tls>enabled" --value="$dns_over_https" + # save the new setting ynh_app_setting_set "$app" --key=dns_over_https --value="$dns_over_https" } From 39c1bc93877bcdc9f67a581ca017d90ebe72598a Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Sun, 31 Dec 2023 04:49:28 +0100 Subject: [PATCH 165/288] no i don't need to, i'm tired x) --- scripts/config | 4 ---- 1 file changed, 4 deletions(-) diff --git a/scripts/config b/scripts/config index 41ed02cf..d8a52b4d 100644 --- a/scripts/config +++ b/scripts/config @@ -74,10 +74,6 @@ set__dns_over_https() { ynh_print_warn --message="The variable 'dns_over_https' should be 'true' or 'false' but isn't, please report this." fi - # update the value in the AGH config file - ynh_print_info --message="Updating the AGH config file..." - ynh_write_var_in_file --file="$install_dir/AdGuardHome.yaml" --key="tls>enabled" --value="$dns_over_https" - # save the new setting ynh_app_setting_set "$app" --key=dns_over_https --value="$dns_over_https" } From bdbd7b759661ca25be2ac243e73c1f0e53fdc9f8 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Sun, 31 Dec 2023 22:04:19 +0100 Subject: [PATCH 166/288] debug --- scripts/config | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/config b/scripts/config index d8a52b4d..d54adc3d 100644 --- a/scripts/config +++ b/scripts/config @@ -52,7 +52,7 @@ set__open_port_53() { update_agh_ip_config # save the new setting - ynh_app_setting_set "$app" --key=open_port_53 --value="$open_port_53" + ynh_app_setting_set "$app" --key=open_port_53 --value="$open_port_53" --debug } set__dns_over_https() { From 98f1689437d3824463061cd3bb224e680163a95d Mon Sep 17 00:00:00 2001 
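Review bot: The added `ynh_write_var_in_file ... --value="$dns_over_https"` runs after an `else` branch that only warns when `dns_over_https` is neither `true` nor `false`, so an unexpected value is still written into `AdGuardHome.yaml` and then into the app settings. Either return after the warning or make it a hard failure, for example `ynh_die --message="The variable 'dns_over_https' should be 'true' or 'false' but isn't, please report this."`. The same write is re-added by the later `@@ -77,7 +77,10 @@` hunk in `scripts/config`, and `set__open_port_53` follows the same warn-and-continue pattern before regenerating the config. The body of `set__dns_over_https` starts outside the hunk.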
From: OniriCorpe Date: Sun, 31 Dec 2023 22:39:46 +0100 Subject: [PATCH 167/288] add the missing --app to ynh_app_setting_set --- scripts/config | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/config b/scripts/config index d54adc3d..5cf9cc83 100644 --- a/scripts/config +++ b/scripts/config @@ -52,7 +52,7 @@ set__open_port_53() { update_agh_ip_config # save the new setting - ynh_app_setting_set "$app" --key=open_port_53 --value="$open_port_53" --debug + ynh_app_setting_set --app="$app" --key=open_port_53 --value="$open_port_53" --debug } set__dns_over_https() { @@ -75,7 +75,7 @@ set__dns_over_https() { fi # save the new setting - ynh_app_setting_set "$app" --key=dns_over_https --value="$dns_over_https" + ynh_app_setting_set --app="$app" --key=dns_over_https --value="$dns_over_https" } #================================================= From 7c858689edd47e473f59b895d8daeaa6264498f0 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Sun, 31 Dec 2023 22:47:36 +0100 Subject: [PATCH 168/288] delete --debug --- scripts/config | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/config b/scripts/config index 5cf9cc83..6f5ffdf0 100644 --- a/scripts/config +++ b/scripts/config @@ -52,7 +52,7 @@ set__open_port_53() { update_agh_ip_config # save the new setting - ynh_app_setting_set --app="$app" --key=open_port_53 --value="$open_port_53" --debug + ynh_app_setting_set --app="$app" --key=open_port_53 --value="$open_port_53" } set__dns_over_https() { From 888ca46db889a8662ba05615b1eeca0d09e85bfa Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Sun, 31 Dec 2023 23:17:30 +0100 Subject: [PATCH 169/288] fix unbound variables --- scripts/config | 3 +++ 1 file changed, 3 insertions(+) diff --git a/scripts/config b/scripts/config index 6f5ffdf0..621c8813 100644 --- a/scripts/config +++ b/scripts/config 
@@ -57,6 +57,9 @@ set__open_port_53() { set__dns_over_https() { + ynh_app_setting_get --app="$app" --key=port_dns_over_http + ynh_app_setting_get --app="$app" --key=port_dns_over_quic + if [ "$dns_over_https" == "true" ]; then ynh_print_info --message="Opening DoH and DoQ ports..." # if DNS over HTTPS/QUIC is activated, open the associated ports From b38a6a44e689cdffdddf25f7b3daf28d7aaa06a4 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Sun, 31 Dec 2023 23:24:59 +0100 Subject: [PATCH 170/288] correctly assign vars --- scripts/config | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/config b/scripts/config index 621c8813..6aabb4d0 100644 --- a/scripts/config +++ b/scripts/config @@ -57,8 +57,8 @@ set__open_port_53() { set__dns_over_https() { - ynh_app_setting_get --app="$app" --key=port_dns_over_http - ynh_app_setting_get --app="$app" --key=port_dns_over_quic + port_dns_over_http=$(ynh_app_setting_get --app="$app" --key=port_dns_over_http) + port_dns_over_quic=$(ynh_app_setting_get --app="$app" --key=port_dns_over_quic) if [ "$dns_over_https" == "true" ]; then ynh_print_info --message="Opening DoH and DoQ ports..." From 6b190a3a94aed5c2a0cd7220235231b69e38f0a9 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Sun, 31 Dec 2023 23:33:02 +0100 Subject: [PATCH 171/288] save the new setting in the AGH config file --- scripts/config | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/scripts/config b/scripts/config index 6aabb4d0..69388e6a 100644 --- a/scripts/config +++ b/scripts/config 
@@ -77,7 +77,10 @@ set__dns_over_https() { ynh_print_warn --message="The variable 'dns_over_https' should be 'true' or 'false' but isn't, please report this." fi - # save the new setting + # save the new setting in the AGH config file + ynh_write_var_in_file --file="$install_dir/AdGuardHome.yaml" --key="tls>enabled" --value="$dns_over_https" + + # save the new setting in YNH ynh_app_setting_set --app="$app" --key=dns_over_https --value="$dns_over_https" } From 57fb93edaa33c5d1d1ff326fb9623c32081cc6b1 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Sun, 31 Dec 2023 23:43:02 +0100 Subject: [PATCH 172/288] delete unneccessary yunohost firewall reload --- scripts/config | 8 ++------ scripts/install | 4 +--- scripts/restore | 4 +--- scripts/upgrade | 4 +--- 4 files changed, 5 insertions(+), 15 deletions(-) diff --git a/scripts/config b/scripts/config index 69388e6a..d3258a82 100644 --- a/scripts/config +++ b/scripts/config @@ -21,12 +21,10 @@ set__open_port_53() { ynh_print_info --message="Opening port 53..." # if the user would expose port 53 to the Internet, open it ynh_exec_warn_less yunohost firewall allow Both 53 - ynh_exec_warn_less yunohost firewall reload elif [ "$open_port_53" == "false" ]; then # else if false, close it ynh_print_info --message="Closing port 53..." ynh_exec_warn_less yunohost firewall disallow Both 53 - ynh_exec_warn_less yunohost firewall reload else # else, throw error ynh_print_warn --message="The variable 'open_port_53' should be 'true' or 'false' but isn't, please report this." 
@@ -63,15 +61,13 @@ set__dns_over_https() { if [ "$dns_over_https" == "true" ]; then ynh_print_info --message="Opening DoH and DoQ ports..." # if DNS over HTTPS/QUIC is activated, open the associated ports - ynh_exec_warn_less yunohost firewall allow Both "$port_dns_over_http" + ynh_exec_warn_less yunohost firewall allow Both "$port_dns_over_http" --no-reload ynh_exec_warn_less yunohost firewall allow UDP "$port_dns_over_quic" - ynh_exec_warn_less yunohost firewall reload elif [ "$dns_over_https" == "false" ]; then # else if false, close them ynh_print_info --message="Closing DoH and DoQ ports..." - ynh_exec_warn_less yunohost firewall disallow Both "$port_dns_over_http" + ynh_exec_warn_less yunohost firewall disallow Both "$port_dns_over_http" --no-reload ynh_exec_warn_less yunohost firewall disallow UDP "$port_dns_over_quic" - ynh_exec_warn_less yunohost firewall reload else # else, throw error ynh_print_warn --message="The variable 'dns_over_https' should be 'true' or 'false' but isn't, please report this." diff --git a/scripts/install b/scripts/install index 16112f60..1b8e1175 100644 --- a/scripts/install +++ b/scripts/install @@ -23,9 +23,8 @@ else # if dns_over_https is false, we need to close ports, # as they were opened at the 'Provisioning ports' step ynh_print_info --message="Closing DoH and DoQ ports..." - ynh_exec_warn_less yunohost firewall disallow Both "$port_dns_over_http" + ynh_exec_warn_less yunohost firewall disallow Both "$port_dns_over_http" --no-reload ynh_exec_warn_less yunohost firewall disallow UDP "$port_dns_over_quic" - ynh_exec_warn_less yunohost firewall reload fi ynh_app_setting_set --app="$app" --key=dns_over_https --value="$dns_over_https" 
@@ -35,7 +34,6 @@ if [[ $open_port_53 == 0 ]]; then # if open_port_53 is true, we need to open port 53 ynh_print_info --message="Opening port 53..." ynh_exec_warn_less yunohost firewall allow Both 53 - ynh_exec_warn_less yunohost firewall reload else open_port_53="false" ynh_print_info --message="Port 53 is closed." diff --git a/scripts/restore b/scripts/restore index ab4d976c..b29b641a 100644 --- a/scripts/restore +++ b/scripts/restore @@ -18,15 +18,13 @@ source /usr/share/yunohost/helpers if [ "$dns_over_https" == "false" ]; then # if dns_over_https is false, we need to close ports, # as they were opened at the 'Provisioning ports' step - ynh_exec_warn_less yunohost firewall disallow Both "$port_dns_over_http" + ynh_exec_warn_less yunohost firewall disallow Both "$port_dns_over_http" --no-reload ynh_exec_warn_less yunohost firewall disallow UDP "$port_dns_over_quic" - ynh_exec_warn_less yunohost firewall reload fi if [ "$open_port_53" == "true" ]; then # if open_port_53 is true, we need to open port 53 ynh_exec_warn_less yunohost firewall allow Both 53 - ynh_exec_warn_less yunohost firewall reload fi #================================================= diff --git a/scripts/upgrade b/scripts/upgrade index c922ee3e..8dbfc8c6 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -35,7 +35,6 @@ if [ -z "${open_port_53:-}" ] && [ "${open_port_53:-}" = true ]; then # if open_port_53 is true, we need to open port 53 ynh_print_info --message="Opening port 53..." ynh_exec_warn_less yunohost firewall allow Both 53 - ynh_exec_warn_less yunohost firewall reload elif [ -n "${open_port_53:-}" ] || [ "${open_port_53:-}" = false ]; then open_port_53="false" ynh_app_setting_set --app="$app" --key=open_port_53 --value="$open_port_53" 
@@ -53,9 +52,8 @@ elif [ -n "${dns_over_https:-}" ] || [ "${dns_over_https:-}" = false ]; then # if dns_over_https is false, we need to close ports, # as they were opened at the 'Provisioning ports' step ynh_print_info --message="Closing DoH and DoQ ports..." - ynh_exec_warn_less yunohost firewall disallow Both "$port_dns_over_http" + ynh_exec_warn_less yunohost firewall disallow Both "$port_dns_over_http" --no-reload ynh_exec_warn_less yunohost firewall disallow UDP "$port_dns_over_quic" - ynh_exec_warn_less yunohost firewall reload fi # about all those 'ynh_write_var_in_file': From fe105c6e2bfa38993a99a4b960716de9c45bc2e4 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Sun, 31 Dec 2023 23:45:58 +0100 Subject: [PATCH 173/288] close ports while removing the package --- scripts/remove | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/scripts/remove b/scripts/remove index 49d32d7a..a2c1a8e1 100644 --- a/scripts/remove +++ b/scripts/remove @@ -15,6 +15,15 @@ source /usr/share/yunohost/helpers # REMOVE SERVICE INTEGRATION IN YUNOHOST #================================================= +# close ports +ynh_print_info --message="Closing port 53..." +ynh_exec_warn_less yunohost firewall disallow Both 53 +if [ "$dns_over_https" == "true" ]; then + ynh_print_info --message="Closing DoH and DoQ ports..." + ynh_exec_warn_less yunohost firewall disallow Both "$port_dns_over_http" --no-reload + ynh_exec_warn_less yunohost firewall disallow UDP "$port_dns_over_quic" +fi + # Remove the service from the list of services known by YunoHost (added from `yunohost service add`) if ynh_exec_warn_less yunohost service status "$app" >/dev/null then From 90c6a6ce6650376a586bbd5a36c7c14f9d95c709 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Mon, 1 Jan 2024 00:18:23 +0100 Subject: [PATCH 174/288] fix ynh_write_var_in_file --- scripts/config | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/config b/scripts/config index d3258a82..4c0f42f9 100644 
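Review bot: The block added to `scripts/remove` closes port 53 unconditionally, although the other scripts only open it when `open_port_53` is `true`. If the port was already allowed for another DNS service on the host, removing this app would take that rule away too. Guarding it the same way, `if [ "${open_port_53:-}" == "true" ]; then ... fi`, limits removal to rules this package created. The DoH/DoQ branch reads `$dns_over_https`, `$port_dns_over_http` and `$port_dns_over_quic`, and the hunk does not show where the remove script loads them. Confirm they are set there, since the config script needed explicit `ynh_app_setting_get` calls for the two ports.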
--- a/scripts/config +++ b/scripts/config @@ -74,7 +74,7 @@ set__dns_over_https() { fi # save the new setting in the AGH config file - ynh_write_var_in_file --file="$install_dir/AdGuardHome.yaml" --key="tls>enabled" --value="$dns_over_https" + ynh_write_var_in_file --file="$install_dir/AdGuardHome.yaml" --key="enabled" --after="tls" --value="$dns_over_https" # save the new setting in YNH ynh_app_setting_set --app="$app" --key=dns_over_https --value="$dns_over_https" From a3c8958f169137c9921d10f495efb6bf1613c47f Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Mon, 1 Jan 2024 00:39:15 +0100 Subject: [PATCH 175/288] fix ynh_write_var_in_file --- scripts/config | 2 +- scripts/upgrade | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/config b/scripts/config index 4c0f42f9..6bbfdca2 100644 --- a/scripts/config +++ b/scripts/config @@ -74,7 +74,7 @@ set__dns_over_https() { fi # save the new setting in the AGH config file - ynh_write_var_in_file --file="$install_dir/AdGuardHome.yaml" --key="enabled" --after="tls" --value="$dns_over_https" + ynh_write_var_in_file --file="$install_dir/AdGuardHome.yaml" --key="enabled" --after="tls:" --value="$dns_over_https" # save the new setting in YNH ynh_app_setting_set --app="$app" --key=dns_over_https --value="$dns_over_https" diff --git a/scripts/upgrade b/scripts/upgrade index 8dbfc8c6..5e8eba07 100644 --- a/scripts/upgrade +++ b/scripts/upgrade 
@@ -64,7 +64,7 @@ fi # fill the 'tls:' section of the AGH configuration if necessary if grep -q "certificate_path: \"\"" "$install_dir/AdGuardHome.yaml" || grep -q "private_key_path: \"\"" "$install_dir/AdGuardHome.yaml" || grep -q "server_name: \"\"" "$install_dir/AdGuardHome.yaml"; then - ynh_write_var_in_file --file="$install_dir/AdGuardHome.yaml" --key="tls>enabled" --value="$dns_over_https" + ynh_write_var_in_file --file="$install_dir/AdGuardHome.yaml" --key="enabled" --after="tls:" --value="$dns_over_https" ynh_write_var_in_file --file="$install_dir/AdGuardHome.yaml" --key="server_name" --value="$domain" ynh_write_var_in_file --file="$install_dir/AdGuardHome.yaml" --key="allow_unencrypted_doh" --value="true" ynh_write_var_in_file --file="$install_dir/AdGuardHome.yaml" --key="certificate_path" --value="/etc/yunohost/certs/$domain/crt.pem" From 786ec0f2b33a524356e1768ec075557380544f93 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Mon, 1 Jan 2024 01:18:06 +0100 Subject: [PATCH 176/288] remove debug ynh_print_info --- scripts/upgrade | 4 ---- 1 file changed, 4 deletions(-) diff --git a/scripts/upgrade b/scripts/upgrade index 5e8eba07..0400827c 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -138,10 +138,6 @@ ipv4_addr=$(process_ips "$(ip -4 address show "$ipv4_interface" 2> /dev/null | g # the 'sed' is used to get rid of the network prefix ('/64' for example) ipv6_addr=$(process_ips "$(ip -6 address show "$ipv6_interface" 2> /dev/null | grep inet | sed 's&/.*&&')") -# debug -ynh_print_info --message="IPv4: $ipv4_addr" -ynh_print_info --message="IPv6: $ipv6_addr" - # update the IP adresses in the AGH config file update_agh_ip_config From 7f32cd77c0b163558c2749f406662435ecf091ba Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Mon, 1 Jan 2024 03:54:33 +0100 Subject: [PATCH 177/288] add --needs_exposed_ports "53" --- scripts/install | 2 +- scripts/restore | 2 +- scripts/upgrade | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) 
diff --git a/scripts/install b/scripts/install index 1b8e1175..4e0fdbf2 100644 --- a/scripts/install +++ b/scripts/install @@ -111,7 +111,7 @@ ynh_script_progression --message="Configuring a systemd service..." --weight=1 # Create a dedicated systemd config ynh_add_systemd_config -yunohost service add "$app" --description="Ads & trackers blocking DNS server" --needs_exposed_ports "$port_dns_over_http" "$port_dns_over_quic" +yunohost service add "$app" --description="Ads & trackers blocking DNS server" --needs_exposed_ports "53" "$port_dns_over_http" "$port_dns_over_quic" #================================================= # START SYSTEMD SERVICE diff --git a/scripts/restore b/scripts/restore index b29b641a..8a43917e 100644 --- a/scripts/restore +++ b/scripts/restore @@ -80,7 +80,7 @@ ynh_restore_file --origin_path="/etc/nginx/conf.d/$domain.d/$app.conf" ynh_restore_file --origin_path="/etc/systemd/system/$app.service" systemctl enable "$app.service" --quiet -yunohost service add "$app" --description="Ads & trackers blocking DNS server" --needs_exposed_ports "$port_dns_over_http" "$port_dns_over_quic" +yunohost service add "$app" --description="Ads & trackers blocking DNS server" --needs_exposed_ports "53" "$port_dns_over_http" "$port_dns_over_quic" #================================================= # START SYSTEMD SERVICE diff --git a/scripts/upgrade b/scripts/upgrade index 0400827c..b2c80538 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -111,7 +111,7 @@ ynh_add_nginx_config # Create a dedicated systemd config ynh_add_systemd_config -yunohost service add "$app" --description="Ads & trackers blocking DNS server" --needs_exposed_ports "$port_dns_over_http" "$port_dns_over_quic" +yunohost service add "$app" --description="Ads & trackers blocking DNS server" --needs_exposed_ports "53" "$port_dns_over_http" "$port_dns_over_quic" #================================================= # SPECIFIC UPGRADE 
From 4ba23512692e05ae8de0f2b5709e6ad407107161 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Mon, 1 Jan 2024 04:06:53 +0100 Subject: [PATCH 178/288] declare needs_exposed_ports according to real user need --- scripts/config | 30 +++++++++++++++++++++++++----- scripts/install | 24 +++++++++++++++--------- scripts/restore | 14 +++++++++++--- scripts/upgrade | 24 ++++++++++++++++-------- 4 files changed, 67 insertions(+), 25 deletions(-) diff --git a/scripts/config b/scripts/config index 6bbfdca2..9830f797 100644 --- a/scripts/config +++ b/scripts/config @@ -15,19 +15,19 @@ ynh_abort_if_errors # SPECIFIC SETTERS #================================================= -set__open_port_53() { +set__expose_port_53() { - if [ "$open_port_53" == "true" ]; then + if [ "$expose_port_53" == "true" ]; then ynh_print_info --message="Opening port 53..." # if the user would expose port 53 to the Internet, open it ynh_exec_warn_less yunohost firewall allow Both 53 - elif [ "$open_port_53" == "false" ]; then + elif [ "$expose_port_53" == "false" ]; then # else if false, close it ynh_print_info --message="Closing port 53..." ynh_exec_warn_less yunohost firewall disallow Both 53 else # else, throw error - ynh_print_warn --message="The variable 'open_port_53' should be 'true' or 'false' but isn't, please report this." + ynh_print_warn --message="The variable 'expose_port_53' should be 'true' or 'false' but isn't, please report this." fi # regenerate config, needed to add or delete public IPs following the user's choice 
@@ -49,8 +49,18 @@ set__open_port_53() { ynh_print_info --message="Updating the AGH config file..." update_agh_ip_config + if [[ $dns_over_https == 0 ]] && [[ $expose_port_53 == 0 ]]; then + yunohost service add "$app" --description="Ads & trackers blocking DNS server" --needs_exposed_ports "53" "$port_dns_over_http" "$port_dns_over_quic" + elif [[ $dns_over_https == 0 ]]; then + yunohost service add "$app" --description="Ads & trackers blocking DNS server" --needs_exposed_ports "$port_dns_over_http" "$port_dns_over_quic" + elif [[ $expose_port_53 == 0 ]]; then + yunohost service add "$app" --description="Ads & trackers blocking DNS server" --needs_exposed_ports "53" + else + yunohost service add "$app" --description="Ads & trackers blocking DNS server" + fi + # save the new setting - ynh_app_setting_set --app="$app" --key=open_port_53 --value="$open_port_53" + ynh_app_setting_set --app="$app" --key=expose_port_53 --value="$expose_port_53" } set__dns_over_https() { @@ -73,6 +83,16 @@ set__dns_over_https() { ynh_print_warn --message="The variable 'dns_over_https' should be 'true' or 'false' but isn't, please report this." fi + if [[ $dns_over_https == 0 ]] && [[ $expose_port_53 == 0 ]]; then + yunohost service add "$app" --description="Ads & trackers blocking DNS server" --needs_exposed_ports "53" "$port_dns_over_http" "$port_dns_over_quic" + elif [[ $dns_over_https == 0 ]]; then + yunohost service add "$app" --description="Ads & trackers blocking DNS server" --needs_exposed_ports "$port_dns_over_http" "$port_dns_over_quic" + elif [[ $expose_port_53 == 0 ]]; then + yunohost service add "$app" --description="Ads & trackers blocking DNS server" --needs_exposed_ports "53" + else + yunohost service add "$app" --description="Ads & trackers blocking DNS server" + fi + # save the new setting in the AGH config file ynh_write_var_in_file --file="$install_dir/AdGuardHome.yaml" --key="enabled" --after="tls:" --value="$dns_over_https" 
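Review bot: The added tests `[[ $dns_over_https == 0 ]]` and `[[ $expose_port_53 == 0 ]]` compare against `0`, while the setters in this file treat both settings as the strings `true`/`false`. Inside the config script the final `else` therefore always runs and the service is registered with no `--needs_exposed_ports`. The comparison should match the stored form: `[ "$dns_over_https" == "true" ]` and `[ "$expose_port_53" == "true" ]`. The same block is added in the scripts/install, scripts/restore and scripts/upgrade hunks of this commit; in install it also runs after `expose_port_53` has already been rewritten to `"true"`/`"false"`. Both setter functions continue outside the hunks.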
diff --git a/scripts/install b/scripts/install index 4e0fdbf2..ca36abc4 100644 --- a/scripts/install +++ b/scripts/install @@ -29,17 +29,15 @@ fi ynh_app_setting_set --app="$app" --key=dns_over_https --value="$dns_over_https" -if [[ $open_port_53 == 0 ]]; then - open_port_53="true" - # if open_port_53 is true, we need to open port 53 - ynh_print_info --message="Opening port 53..." - ynh_exec_warn_less yunohost firewall allow Both 53 +ynh_print_info --message="Opening port 53..." +ynh_exec_warn_less yunohost firewall allow Both 53 +if [[ $expose_port_53 == 0 ]]; then + expose_port_53="true" else - open_port_53="false" - ynh_print_info --message="Port 53 is closed." + expose_port_53="false" fi -ynh_app_setting_set --app="$app" --key=open_port_53 --value="$open_port_53" +ynh_app_setting_set --app="$app" --key=expose_port_53 --value="$expose_port_53" #================================================= # DOWNLOAD, CHECK AND UNPACK SOURCE @@ -111,7 +109,15 @@ ynh_script_progression --message="Configuring a systemd service..." --weight=1 # Create a dedicated systemd config ynh_add_systemd_config -yunohost service add "$app" --description="Ads & trackers blocking DNS server" --needs_exposed_ports "53" "$port_dns_over_http" "$port_dns_over_quic" +if [[ $dns_over_https == 0 ]] && [[ $expose_port_53 == 0 ]]; then + yunohost service add "$app" --description="Ads & trackers blocking DNS server" --needs_exposed_ports "53" "$port_dns_over_http" "$port_dns_over_quic" +elif [[ $dns_over_https == 0 ]]; then + yunohost service add "$app" --description="Ads & trackers blocking DNS server" --needs_exposed_ports "$port_dns_over_http" "$port_dns_over_quic" +elif [[ $expose_port_53 == 0 ]]; then + yunohost service add "$app" --description="Ads & trackers blocking DNS server" --needs_exposed_ports "53" +else + yunohost service add "$app" --description="Ads & trackers blocking DNS server" +fi #================================================= # START SYSTEMD SERVICE 
diff --git a/scripts/restore b/scripts/restore index 8a43917e..eb40af5d 100644 --- a/scripts/restore +++ b/scripts/restore @@ -22,8 +22,8 @@ if [ "$dns_over_https" == "false" ]; then ynh_exec_warn_less yunohost firewall disallow UDP "$port_dns_over_quic" fi -if [ "$open_port_53" == "true" ]; then - # if open_port_53 is true, we need to open port 53 +if [ "$expose_port_53" == "true" ]; then + # if expose_port_53 is true, we need to open port 53 ynh_exec_warn_less yunohost firewall allow Both 53 fi @@ -80,7 +80,15 @@ ynh_restore_file --origin_path="/etc/nginx/conf.d/$domain.d/$app.conf" ynh_restore_file --origin_path="/etc/systemd/system/$app.service" systemctl enable "$app.service" --quiet -yunohost service add "$app" --description="Ads & trackers blocking DNS server" --needs_exposed_ports "53" "$port_dns_over_http" "$port_dns_over_quic" +if [[ $dns_over_https == 0 ]] && [[ $expose_port_53 == 0 ]]; then + yunohost service add "$app" --description="Ads & trackers blocking DNS server" --needs_exposed_ports "53" "$port_dns_over_http" "$port_dns_over_quic" +elif [[ $dns_over_https == 0 ]]; then + yunohost service add "$app" --description="Ads & trackers blocking DNS server" --needs_exposed_ports "$port_dns_over_http" "$port_dns_over_quic" +elif [[ $expose_port_53 == 0 ]]; then + yunohost service add "$app" --description="Ads & trackers blocking DNS server" --needs_exposed_ports "53" +else + yunohost service add "$app" --description="Ads & trackers blocking DNS server" +fi #================================================= # START SYSTEMD SERVICE diff --git a/scripts/upgrade b/scripts/upgrade index b2c80538..60d9665e 100644 --- a/scripts/upgrade +++ b/scripts/upgrade 
@@ -29,15 +29,15 @@ ynh_systemd_action --service_name="$app" --action="stop" #================================================= ynh_script_progression --message="Ensuring downward compatibility..." --weight=1 -if [ -z "${open_port_53:-}" ] && [ "${open_port_53:-}" = true ]; then - open_port_53="true" - ynh_app_setting_set --app="$app" --key=open_port_53 --value="$open_port_53" - # if open_port_53 is true, we need to open port 53 +if [ -z "${expose_port_53:-}" ] && [ "${expose_port_53:-}" = true ]; then + expose_port_53="true" + ynh_app_setting_set --app="$app" --key=expose_port_53 --value="$expose_port_53" + # if expose_port_53 is true, we need to open port 53 ynh_print_info --message="Opening port 53..." ynh_exec_warn_less yunohost firewall allow Both 53 -elif [ -n "${open_port_53:-}" ] || [ "${open_port_53:-}" = false ]; then - open_port_53="false" - ynh_app_setting_set --app="$app" --key=open_port_53 --value="$open_port_53" +elif [ -n "${expose_port_53:-}" ] || [ "${expose_port_53:-}" = false ]; then + expose_port_53="false" + ynh_app_setting_set --app="$app" --key=expose_port_53 --value="$expose_port_53" ynh_print_info --message="Port 53 is closed." fi 
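Review bot: The first test, `[ -z "${expose_port_53:-}" ] && [ "${expose_port_53:-}" = true ]`, can never be true because the value cannot be both empty and `true`. The `elif` with `-n ... ||` matches every non-empty value, so an existing `true` is overwritten with `false` on each upgrade. An unset value matches neither branch and stays unset, and since the key was renamed from `open_port_53`, nothing visible carries the admin's earlier choice over. I would default only when the setting is missing, e.g. `if [ -z "${expose_port_53:-}" ]; then expose_port_53="${open_port_53:-false}"; fi` (assuming the old setting is still loaded as a variable), then save it. The `dns_over_https` block shown in the later scripts/upgrade hunk uses the same pattern.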
@@ -111,7 +111,15 @@ ynh_add_nginx_config # Create a dedicated systemd config ynh_add_systemd_config -yunohost service add "$app" --description="Ads & trackers blocking DNS server" --needs_exposed_ports "53" "$port_dns_over_http" "$port_dns_over_quic" +if [[ $dns_over_https == 0 ]] && [[ $expose_port_53 == 0 ]]; then + yunohost service add "$app" --description="Ads & trackers blocking DNS server" --needs_exposed_ports "53" "$port_dns_over_http" "$port_dns_over_quic" +elif [[ $dns_over_https == 0 ]]; then + yunohost service add "$app" --description="Ads & trackers blocking DNS server" --needs_exposed_ports "$port_dns_over_http" "$port_dns_over_quic" +elif [[ $expose_port_53 == 0 ]]; then + yunohost service add "$app" --description="Ads & trackers blocking DNS server" --needs_exposed_ports "53" +else + yunohost service add "$app" --description="Ads & trackers blocking DNS server" +fi #================================================= # SPECIFIC UPGRADE From 06737daaa3463a104a60703ba0b53a59dfcde479 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Mon, 1 Jan 2024 04:09:11 +0100 Subject: [PATCH 179/288] declare needs_exposed_ports according to real user need --- scripts/config | 7 ++++--- scripts/install | 7 ++++--- scripts/restore | 7 ++++--- scripts/upgrade | 7 ++++--- 4 files changed, 16 insertions(+), 12 deletions(-) diff --git a/scripts/config b/scripts/config index 9830f797..16036148 100644 --- a/scripts/config +++ b/scripts/config 
@@ -83,11 +83,12 @@ set__dns_over_https() { ynh_print_warn --message="The variable 'dns_over_https' should be 'true' or 'false' but isn't, please report this." fi - if [[ $dns_over_https == 0 ]] && [[ $expose_port_53 == 0 ]]; then + # declare needs_exposed_ports according to real user need + if [ "$dns_over_https" == "true" ] && [ "$expose_port_53" == "true" ]; then yunohost service add "$app" --description="Ads & trackers blocking DNS server" --needs_exposed_ports "53" "$port_dns_over_http" "$port_dns_over_quic" - elif [[ $dns_over_https == 0 ]]; then + elif [ "$dns_over_https" == "true" ]; then yunohost service add "$app" --description="Ads & trackers blocking DNS server" --needs_exposed_ports "$port_dns_over_http" "$port_dns_over_quic" - elif [[ $expose_port_53 == 0 ]]; then + elif [ "$expose_port_53" == "true" ]; then yunohost service add "$app" --description="Ads & trackers blocking DNS server" --needs_exposed_ports "53" else yunohost service add "$app" --description="Ads & trackers blocking DNS server" diff --git a/scripts/install b/scripts/install index ca36abc4..6f28b8b2 100644 --- a/scripts/install +++ b/scripts/install 
@@ -109,11 +109,12 @@ ynh_script_progression --message="Configuring a systemd service..." --weight=1 # Create a dedicated systemd config ynh_add_systemd_config -if [[ $dns_over_https == 0 ]] && [[ $expose_port_53 == 0 ]]; then +# declare needs_exposed_ports according to real user need +if [ "$dns_over_https" == "true" ] && [ "$expose_port_53" == "true" ]; then yunohost service add "$app" --description="Ads & trackers blocking DNS server" --needs_exposed_ports "53" "$port_dns_over_http" "$port_dns_over_quic" -elif [[ $dns_over_https == 0 ]]; then +elif [ "$dns_over_https" == "true" ]; then yunohost service add "$app" --description="Ads & trackers blocking DNS server" --needs_exposed_ports "$port_dns_over_http" "$port_dns_over_quic" -elif [[ $expose_port_53 == 0 ]]; then +elif [ "$expose_port_53" == "true" ]; then yunohost service add "$app" --description="Ads & trackers blocking DNS server" --needs_exposed_ports "53" else yunohost service add "$app" --description="Ads & trackers blocking DNS server" diff --git a/scripts/restore b/scripts/restore index eb40af5d..c3a5e645 100644 --- a/scripts/restore +++ b/scripts/restore 
@@ -80,11 +80,12 @@ ynh_restore_file --origin_path="/etc/nginx/conf.d/$domain.d/$app.conf" ynh_restore_file --origin_path="/etc/systemd/system/$app.service" systemctl enable "$app.service" --quiet -if [[ $dns_over_https == 0 ]] && [[ $expose_port_53 == 0 ]]; then +# declare needs_exposed_ports according to real user need +if [ "$dns_over_https" == "true" ] && [ "$expose_port_53" == "true" ]; then yunohost service add "$app" --description="Ads & trackers blocking DNS server" --needs_exposed_ports "53" "$port_dns_over_http" "$port_dns_over_quic" -elif [[ $dns_over_https == 0 ]]; then +elif [ "$dns_over_https" == "true" ]; then yunohost service add "$app" --description="Ads & trackers blocking DNS server" --needs_exposed_ports "$port_dns_over_http" "$port_dns_over_quic" -elif [[ $expose_port_53 == 0 ]]; then +elif [ "$expose_port_53" == "true" ]; then yunohost service add "$app" --description="Ads & trackers blocking DNS server" --needs_exposed_ports "53" else yunohost service add "$app" --description="Ads & trackers blocking DNS server" diff --git a/scripts/upgrade b/scripts/upgrade index 60d9665e..c49cf153 100644 --- a/scripts/upgrade +++ b/scripts/upgrade 
@@ -111,11 +111,12 @@ ynh_add_nginx_config # Create a dedicated systemd config ynh_add_systemd_config -if [[ $dns_over_https == 0 ]] && [[ $expose_port_53 == 0 ]]; then +# declare needs_exposed_ports according to real user need +if [ "$dns_over_https" == "true" ] && [ "$expose_port_53" == "true" ]; then yunohost service add "$app" --description="Ads & trackers blocking DNS server" --needs_exposed_ports "53" "$port_dns_over_http" "$port_dns_over_quic" -elif [[ $dns_over_https == 0 ]]; then +elif [ "$dns_over_https" == "true" ]; then yunohost service add "$app" --description="Ads & trackers blocking DNS server" --needs_exposed_ports "$port_dns_over_http" "$port_dns_over_quic" -elif [[ $expose_port_53 == 0 ]]; then +elif [ "$expose_port_53" == "true" ]; then yunohost service add "$app" --description="Ads & trackers blocking DNS server" --needs_exposed_ports "53" else yunohost service add "$app" --description="Ads & trackers blocking DNS server" From b994dd48d1410eb9195633c23c14c374246a601b Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Mon, 1 Jan 2024 04:23:16 +0100 Subject: [PATCH 180/288] rework port 53 expose --- scripts/config | 13 ------------- scripts/install | 9 +++++++-- scripts/restore | 6 ++++-- scripts/upgrade | 11 +++++++---- 4 files changed, 18 insertions(+), 21 deletions(-) diff --git a/scripts/config b/scripts/config index 16036148..28795cdd 100644 --- a/scripts/config +++ b/scripts/config 
@@ -17,19 +17,6 @@ ynh_abort_if_errors set__expose_port_53() { - if [ "$expose_port_53" == "true" ]; then - ynh_print_info --message="Opening port 53..." - # if the user would expose port 53 to the Internet, open it - ynh_exec_warn_less yunohost firewall allow Both 53 - elif [ "$expose_port_53" == "false" ]; then - # else if false, close it - ynh_print_info --message="Closing port 53..." - ynh_exec_warn_less yunohost firewall disallow Both 53 - else - # else, throw error - ynh_print_warn --message="The variable 'expose_port_53' should be 'true' or 'false' but isn't, please report this." - fi - # regenerate config, needed to add or delete public IPs following the user's choice ynh_print_info --message="Obtaining IP addresses for the AGH config file..." diff --git a/scripts/install b/scripts/install index 6f28b8b2..a6fc925d 100644 --- a/scripts/install +++ b/scripts/install @@ -29,8 +29,13 @@ fi ynh_app_setting_set --app="$app" --key=dns_over_https --value="$dns_over_https" -ynh_print_info --message="Opening port 53..." -ynh_exec_warn_less yunohost firewall allow Both 53 + +# if the port 53 is not open, open it, it's mandatory to use AGH +if ! yunohost firewall list | grep -q " 53$"; then + ynh_print_info --message="Opening port 53..." + ynh_exec_warn_less yunohost firewall allow Both 53 +fi + if [[ $expose_port_53 == 0 ]]; then expose_port_53="true" else diff --git a/scripts/restore b/scripts/restore index c3a5e645..af315a0d 100644 --- a/scripts/restore +++ b/scripts/restore @@ -22,8 +22,10 @@ if [ "$dns_over_https" == "false" ]; then ynh_exec_warn_less yunohost firewall disallow UDP "$port_dns_over_quic" fi -if [ "$expose_port_53" == "true" ]; then - # if expose_port_53 is true, we need to open port 53 + +# if the port 53 is not open, open it, it's mandatory to use AGH +if ! yunohost firewall list | grep -q " 53$"; then + ynh_print_info --message="Opening port 53..." ynh_exec_warn_less yunohost firewall allow Both 53 fi 
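Review bot: In the scripts/install and scripts/restore hunks, port 53 is now opened in the firewall for TCP and UDP whatever `expose_port_53` says, and the setter no longer closes it. Keeping the resolver off the Internet therefore relies entirely on the bind addresses written by `update_agh_ip_config`; a comment next to the `firewall allow` call, e.g. `# exposure is enforced by bind_hosts, not by the firewall`, would make that dependency explicit. The guard `yunohost firewall list | grep -q " 53$"` only shows that some entry for 53 exists, so a host with 53 open for one protocol only would apparently skip the `allow Both` call; checking each protocol or calling `allow Both 53` unconditionally avoids that. When `expose_port_53` is `false`, consider adding `--no-upnp` to the allow call so the router is not asked to forward the port. The same guard is added in the scripts/upgrade hunk that follows.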
diff --git a/scripts/upgrade b/scripts/upgrade index c49cf153..0a3d6ed6 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -29,18 +29,21 @@ ynh_systemd_action --service_name="$app" --action="stop" #================================================= ynh_script_progression --message="Ensuring downward compatibility..." --weight=1 +# if the port 53 is not open, open it, it's mandatory to use AGH +if ! yunohost firewall list | grep -q " 53$"; then + ynh_print_info --message="Opening port 53..." + ynh_exec_warn_less yunohost firewall allow Both 53 +fi + if [ -z "${expose_port_53:-}" ] && [ "${expose_port_53:-}" = true ]; then expose_port_53="true" ynh_app_setting_set --app="$app" --key=expose_port_53 --value="$expose_port_53" - # if expose_port_53 is true, we need to open port 53 - ynh_print_info --message="Opening port 53..." - ynh_exec_warn_less yunohost firewall allow Both 53 elif [ -n "${expose_port_53:-}" ] || [ "${expose_port_53:-}" = false ]; then expose_port_53="false" ynh_app_setting_set --app="$app" --key=expose_port_53 --value="$expose_port_53" - ynh_print_info --message="Port 53 is closed." fi + if [ -z "${dns_over_https:-}" ] && [ "${dns_over_https:-}" = true ]; then dns_over_https="true" ynh_app_setting_set --app="$app" --key=dns_over_https --value=$dns_over_https From 10e581cb6eb1440cc8e47fb00fd8284481ebd36b Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Mon, 1 Jan 2024 04:24:37 +0100 Subject: [PATCH 181/288] fix --- scripts/config | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/scripts/config b/scripts/config index 28795cdd..f84f174e 100644 --- a/scripts/config +++ b/scripts/config 
@@ -36,11 +36,11 @@ set__expose_port_53() { ynh_print_info --message="Updating the AGH config file..." update_agh_ip_config - if [[ $dns_over_https == 0 ]] && [[ $expose_port_53 == 0 ]]; then + if [ "$dns_over_https" == "true" ] && [ "$expose_port_53" == "true" ]; then yunohost service add "$app" --description="Ads & trackers blocking DNS server" --needs_exposed_ports "53" "$port_dns_over_http" "$port_dns_over_quic" - elif [[ $dns_over_https == 0 ]]; then + elif [ "$dns_over_https" == "true" ]; then yunohost service add "$app" --description="Ads & trackers blocking DNS server" --needs_exposed_ports "$port_dns_over_http" "$port_dns_over_quic" - elif [[ $expose_port_53 == 0 ]]; then + elif [ "$expose_port_53" == "true" ]; then yunohost service add "$app" --description="Ads & trackers blocking DNS server" --needs_exposed_ports "53" else yunohost service add "$app" --description="Ads & trackers blocking DNS server" From 107a7f9c8b822b1eea686bd30cec2ff9ccf25be9 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Mon, 1 Jan 2024 05:39:44 +0100 Subject: [PATCH 182/288] add Allowlist section --- config_panel.toml | 4 ++-- doc/ADMIN.md | 43 +++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 45 insertions(+), 2 deletions(-) diff --git a/config_panel.toml b/config_panel.toml index cb9f4d2c..70705f82 100644 --- a/config_panel.toml +++ b/config_panel.toml @@ -10,7 +10,7 @@ ask = "Expose port 53 to the Internet?" no = "false" type = "boolean" yes = "true" -help = "If so, anyone who knows your server's IP can make a DNS request to it. It may be used to perform amplification attacks: https://en.wikipedia.org/wiki/Denial-of-service_attack#Amplification" +help = "If so, anyone who knows your server's IP can make a DNS request to it. It may be used to perform amplification attacks: https://en.wikipedia.org/wiki/Denial-of-service_attack#Amplification Read the admin doc to secure your server using allowlist." [main.options.dns_over_https] ask = "Enable DNS-over-HTTPS/QUIC?" 
@@ -18,4 +18,4 @@ no = "false" type = "boolean" yes = "true" bind = "tls>enabled:__INSTALL_DIR__/AdGuardHome.yaml" -help = "If so, anyone who knows your adguard address can make a doh request to https://adguardomain.tld/dns-query" +help = "If so, anyone who knows your adguard address can make a doh request to https://adguardomain.tld/dns-query It also may be used to perform amplification attacks. Read the admin doc to secure your server using allowlist." diff --git a/doc/ADMIN.md b/doc/ADMIN.md index 1a6cf6eb..186c2ac4 100644 --- a/doc/ADMIN.md +++ b/doc/ADMIN.md 
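Review bot: The new help text for `dns_over_https` says the endpoint "may be used to perform amplification attacks", which overstates the risk for DoH: it runs over HTTPS on TCP, where spoofing the source address is not practical. The realistic exposure is unauthorized use of the resolver, so I would word it as `Anyone who knows the address can use your server as a resolver; restrict it with the allowlist described in the admin doc.` In both help strings the new sentence follows the preceding URL with only a space, so a full stop or line break after the URL would keep a copied link from picking up the extra words.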
@@ -47,3 +47,46 @@ If you host your machine at home, for using DoH or DoQ, you have to open the fol - `784` in UDP (for DNS over QUIC) Then you can use `https://adguard.example.com/dns-query` (where `adguard.example.com` is the domain-name associated to your AdGuard Home) as a DoH or DoQ DNS server for your devices. ^w^ + +## Allowlist + +If your port 53 is exposed on Internet, you can secure your AdGuard Home server using allowlist to prevent unauthorized use. + +We've had YunoHost users surprised to see their instance receiving tens of thousands of requests per day, this was due to the public exposure of port 53 on Internet and the lack of securisation of their instance. + +The allowlist setting is located in your AdGuard Home interface: +Settings → DNS settings → Access settings → Allowed clients + +### Local network + +If you selfhost at home, you can simply paste this in your allowlist (it will allow any kind of private IP): + +```text +10.0.0.0/8 +172.16.0.0/12 +192.168.0.0/16 +fc00::/7 +fe80::/16 +``` + +Note: The slash `/` and the following number after the IP adresses represents the network mask, it's called the CIDR notation. If you want to learn about the CIDR notation, [you can read this article](https://whatismyipaddress.com/cidr). + +### Authorize some public IP addresses + +Then you need to add the authorized public IP addresses. + +For example, to authorize the IPv4 of your home internet connexion, open and paste the showed IP in the allowlist. + +If your ISP has assigned you an IPv6 range (ex. `2a01:d34d:b33f:1312::/64`), you can add it so that any device on your home network using an address in this range will be authorized. + +You can add any public IP you know you'll use. + +If you want to use your AGH instance on your smartphone, it gets more complex: you have to allow the IP ranges of your mobile operator. +It's not perfect but it still drastically reduces the chances of unauthorized use, while allowing you to use it with your smartphone. 
+Note: in case of connection on not authorized wifi networks with your smartphone, you will not be able to use your AdGuard Home instance. + +Using the connexion to allow, go to and click on "Autonomous Systems". +You can now copy all the IP adresses in the "routes" section, remove all quotation marks, commas and spaces, but keep one IP per line, then paste the result into your allowlist. +It should look like the list in the previous section. + +Note: maybe you'll need to do this step multiple times, as some Internet provider have multiple ASN numbers. So if one day your AdGuard Home refuses to reply, it might be because of this. From a2f9a6110dfcae2779edeef0596c6f1ef009455f Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Mon, 1 Jan 2024 05:42:13 +0100 Subject: [PATCH 183/288] bold notes --- doc/ADMIN.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/doc/ADMIN.md b/doc/ADMIN.md index 186c2ac4..79a2f945 100644 --- a/doc/ADMIN.md +++ b/doc/ADMIN.md @@ -15,7 +15,7 @@ The right IP to use are shown in the "Setup Guide" page of your AdGuard Home ins If you would expose the port 53 on Internet, you'll be able to use the public IP of your server (the same as in your domain name DNS settings) on any device outside your home network. **Warning:** you should not have public IPs of the config file if the port 53 is **not exposed** on Internet (else: AGH crashes) -Please note: They should be automatically removed when upgrading this package or when modifiying this port 53 exposure setting, but it's in the docs just in case. +**Please note:** They should be automatically removed when upgrading this package or when modifiying this port 53 exposure setting, but it's in the docs just in case. You can remove them in your config file `/var/www/adguardhome/AdGuardHome.yaml` in the `dns: bind_hosts:` section. Any IP that doesn't start with the folowing are public ones: 
@@ -69,7 +69,7 @@ fc00::/7 fe80::/16 ``` -Note: The slash `/` and the following number after the IP adresses represents the network mask, it's called the CIDR notation. If you want to learn about the CIDR notation, [you can read this article](https://whatismyipaddress.com/cidr). +**Note:** The slash `/` and the following number after the IP adresses represents the network mask, it's called the CIDR notation. If you want to learn about the CIDR notation, [you can read this article](https://whatismyipaddress.com/cidr). ### Authorize some public IP addresses @@ -83,10 +83,10 @@ You can add any public IP you know you'll use. If you want to use your AGH instance on your smartphone, it gets more complex: you have to allow the IP ranges of your mobile operator. It's not perfect but it still drastically reduces the chances of unauthorized use, while allowing you to use it with your smartphone. -Note: in case of connection on not authorized wifi networks with your smartphone, you will not be able to use your AdGuard Home instance. +**Note:** in case of connection on not authorized wifi networks with your smartphone, you will not be able to use your AdGuard Home instance. Using the connexion to allow, go to and click on "Autonomous Systems". You can now copy all the IP adresses in the "routes" section, remove all quotation marks, commas and spaces, but keep one IP per line, then paste the result into your allowlist. It should look like the list in the previous section. -Note: maybe you'll need to do this step multiple times, as some Internet provider have multiple ASN numbers. So if one day your AdGuard Home refuses to reply, it might be because of this. +**Note:** maybe you'll need to do this step multiple times, as some Internet provider have multiple ASN numbers. So if one day your AdGuard Home refuses to reply, it might be because of this. From faba92a3fb58fdb838de745deaf9e179376e65d5 Mon Sep 17 00:00:00 2001 
From: OniriCorpe Date: Mon, 1 Jan 2024 06:19:32 +0100 Subject: [PATCH 184/288] add mention of the iOS "Limit IP tracking" setting --- doc/ADMIN.md | 1 + 1 file changed, 1 insertion(+) diff --git a/doc/ADMIN.md b/doc/ADMIN.md index 79a2f945..22bcc678 100644 --- a/doc/ADMIN.md +++ b/doc/ADMIN.md @@ -86,6 +86,7 @@ It's not perfect but it still drastically reduces the chances of unauthorized us **Note:** in case of connection on not authorized wifi networks with your smartphone, you will not be able to use your AdGuard Home instance. Using the connexion to allow, go to and click on "Autonomous Systems". +**Note:** If you're using an iPhone, make sure that the ["Limit IP tracking" setting](https://support.apple.com/guide/iphone/iph499d287c2/ios) is disabled (otherwise you must authorize Akamai IP addresses using the same method). You can now copy all the IP adresses in the "routes" section, remove all quotation marks, commas and spaces, but keep one IP per line, then paste the result into your allowlist. It should look like the list in the previous section. From b4e939425f4136fc91b0e521c658a7aec423a408 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Mon, 1 Jan 2024 06:19:44 +0100 Subject: [PATCH 185/288] fix --- doc/ADMIN.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/ADMIN.md b/doc/ADMIN.md index 22bcc678..0a491837 100644 --- a/doc/ADMIN.md +++ b/doc/ADMIN.md 
@@ -86,7 +86,7 @@ It's not perfect but it still drastically reduces the chances of unauthorized us **Note:** in case of connection on not authorized wifi networks with your smartphone, you will not be able to use your AdGuard Home instance. Using the connexion to allow, go to and click on "Autonomous Systems". -**Note:** If you're using an iPhone, make sure that the ["Limit IP tracking" setting](https://support.apple.com/guide/iphone/iph499d287c2/ios) is disabled (otherwise you must authorize Akamai IP addresses using the same method). +**Note:** If you're using an iPhone, make sure that the ["Limit IP tracking" setting](https://support.apple.com/guide/iphone/iph499d287c2/ios) is disabled (otherwise you must authorize Akamai IP addresses using the same method). You can now copy all the IP adresses in the "routes" section, remove all quotation marks, commas and spaces, but keep one IP per line, then paste the result into your allowlist. It should look like the list in the previous section. From 2ebd81db62b313331810b676f1c9cd3ffccd9691 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Mon, 1 Jan 2024 07:17:52 +0100 Subject: [PATCH 186/288] add a command for a ready to use list --- doc/ADMIN.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/doc/ADMIN.md b/doc/ADMIN.md index 0a491837..30e7ad65 100644 --- a/doc/ADMIN.md +++ b/doc/ADMIN.md 
@@ -90,4 +90,11 @@ Using the connexion to allow, go to and click on "Autonomous You can now copy all the IP adresses in the "routes" section, remove all quotation marks, commas and spaces, but keep one IP per line, then paste the result into your allowlist. It should look like the list in the previous section. +You can use the following command to automatically give you a ready-to-use list: + +```bash +AS="$(curl -sL ip.guide | jq -s --indent 1 ".[].network.autonomous_system.asn")" | curl -sL ip.guide/AS"$AS" | jq -s --indent 1 ".[].routes" | +sed "/\[/d;/{/d;/]/d;/}/d;s/ \"//;s/\",//;s/\"//" +``` + **Note:** maybe you'll need to do this step multiple times, as some Internet provider have multiple ASN numbers. So if one day your AdGuard Home refuses to reply, it might be because of this. From 2d5c1eac452e005eea4d23e004d3a47ac37e5a91 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Mon, 1 Jan 2024 07:22:39 +0100 Subject: [PATCH 187/288] refactor --- doc/ADMIN.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/ADMIN.md b/doc/ADMIN.md index 30e7ad65..d63bf814 100644 --- a/doc/ADMIN.md +++ b/doc/ADMIN.md @@ -93,7 +93,7 @@ It should look like the list in the previous section. You can use the following command to automatically give you a ready-to-use list: ```bash -AS="$(curl -sL ip.guide | jq -s --indent 1 ".[].network.autonomous_system.asn")" | curl -sL ip.guide/AS"$AS" | jq -s --indent 1 ".[].routes" | +curl -sL ip.guide/AS"$(curl -sL ip.guide | jq -s --indent 1 ".[].network.autonomous_system.asn")" | jq -s --indent 1 ".[].routes" | sed "/\[/d;/{/d;/]/d;/}/d;s/ \"//;s/\",//;s/\"//" ``` From 389b903c668b3839cdaf010d94e2b31186af5a56 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Mon, 1 Jan 2024 07:23:31 +0100 Subject: [PATCH 188/288] del line break --- doc/ADMIN.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/doc/ADMIN.md b/doc/ADMIN.md index d63bf814..5ae052cb 100644 --- a/doc/ADMIN.md +++ b/doc/ADMIN.md 
@@ -93,8 +93,7 @@ It should look like the list in the previous section. You can use the following command to automatically give you a ready-to-use list: ```bash -curl -sL ip.guide/AS"$(curl -sL ip.guide | jq -s --indent 1 ".[].network.autonomous_system.asn")" | jq -s --indent 1 ".[].routes" | -sed "/\[/d;/{/d;/]/d;/}/d;s/ \"//;s/\",//;s/\"//" +curl -sL ip.guide/AS"$(curl -sL ip.guide | jq -s --indent 1 ".[].network.autonomous_system.asn")" | jq -s --indent 1 ".[].routes" | sed "/\[/d;/{/d;/]/d;/}/d;s/ \"//;s/\",//;s/\"//" ``` **Note:** maybe you'll need to do this step multiple times, as some Internet provider have multiple ASN numbers. So if one day your AdGuard Home refuses to reply, it might be because of this. From 6477aab4b3521394435f66fe5d29f4362b53890f Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Mon, 1 Jan 2024 07:44:54 +0100 Subject: [PATCH 189/288] better command --- doc/ADMIN.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/ADMIN.md b/doc/ADMIN.md index 5ae052cb..25fbb4b5 100644 --- a/doc/ADMIN.md +++ b/doc/ADMIN.md @@ -93,7 +93,7 @@ It should look like the list in the previous section. You can use the following command to automatically give you a ready-to-use list: ```bash -curl -sL ip.guide/AS"$(curl -sL ip.guide | jq -s --indent 1 ".[].network.autonomous_system.asn")" | jq -s --indent 1 ".[].routes" | sed "/\[/d;/{/d;/]/d;/}/d;s/ \"//;s/\",//;s/\"//" +curl -sL ip.guide/AS"$(curl -sL ip.guide | jq -s --indent 1 ".[].network.autonomous_system.asn")" | jq -s -j --indent 1 ".[].routes" | sed "/v4/d;/v6/d;/\],/d" | tr -d " [{]\",}" ``` **Note:** maybe you'll need to do this step multiple times, as some Internet provider have multiple ASN numbers. So if one day your AdGuard Home refuses to reply, it might be because of this. From a74b43b26854494798ef0682af7299a9de7601f7 Mon Sep 17 00:00:00 2001 
From: OniriCorpe Date: Mon, 1 Jan 2024 07:49:33 +0100 Subject: [PATCH 190/288] explain the command --- doc/ADMIN.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/doc/ADMIN.md b/doc/ADMIN.md index 25fbb4b5..17c920e1 100644 --- a/doc/ADMIN.md +++ b/doc/ADMIN.md @@ -96,4 +96,6 @@ You can use the following command to automatically give you a ready-to-use list: curl -sL ip.guide/AS"$(curl -sL ip.guide | jq -s --indent 1 ".[].network.autonomous_system.asn")" | jq -s -j --indent 1 ".[].routes" | sed "/v4/d;/v6/d;/\],/d" | tr -d " [{]\",}" ``` +The command asks your IP address to ip.guide, which returns the "Autonomous System" number, then the commands asks the IP ranges, then display it on your screen. + **Note:** maybe you'll need to do this step multiple times, as some Internet provider have multiple ASN numbers. So if one day your AdGuard Home refuses to reply, it might be because of this. From 01b97d3694c176d895db9e50e3c5630e8395b5d5 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Mon, 1 Jan 2024 19:14:30 +0100 Subject: [PATCH 191/288] simpler sed --- doc/ADMIN.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/ADMIN.md b/doc/ADMIN.md index 17c920e1..c5a5d3b8 100644 --- a/doc/ADMIN.md +++ b/doc/ADMIN.md @@ -93,7 +93,7 @@ It should look like the list in the previous section. You can use the following command to automatically give you a ready-to-use list: ```bash -curl -sL ip.guide/AS"$(curl -sL ip.guide | jq -s --indent 1 ".[].network.autonomous_system.asn")" | jq -s -j --indent 1 ".[].routes" | sed "/v4/d;/v6/d;/\],/d" | tr -d " [{]\",}" +curl -sL ip.guide/AS"$(curl -sL ip.guide | jq -s --indent 1 ".[].network.autonomous_system.asn")" | jq -s -j --indent 1 ".[].routes" | sed "/v.*:/d;/\],/d" | tr -d " [{]\",}" ``` The command asks your IP address to ip.guide, which returns the "Autonomous System" number, then the commands asks the IP ranges, then display it on your screen. 
From b704fb80627e814071727117a79785dfaada1f5f Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Mon, 1 Jan 2024 19:16:05 +0100 Subject: [PATCH 192/288] simpler tr --- doc/ADMIN.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/ADMIN.md b/doc/ADMIN.md index c5a5d3b8..67ee5e21 100644 --- a/doc/ADMIN.md +++ b/doc/ADMIN.md @@ -93,7 +93,7 @@ It should look like the list in the previous section. You can use the following command to automatically give you a ready-to-use list: ```bash -curl -sL ip.guide/AS"$(curl -sL ip.guide | jq -s --indent 1 ".[].network.autonomous_system.asn")" | jq -s -j --indent 1 ".[].routes" | sed "/v.*:/d;/\],/d" | tr -d " [{]\",}" +curl -sL ip.guide/AS"$(curl -sL ip.guide | jq -s --indent 1 ".[].network.autonomous_system.asn")" | jq -s -j --indent 1 ".[].routes" | sed "/v.*:/d;/\],/d" | tr -d " {]\",}" ``` The command asks your IP address to ip.guide, which returns the "Autonomous System" number, then the commands asks the IP ranges, then display it on your screen. From dc6923685f68a2e1c51f25027989a6125b0827f9 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Tue, 2 Jan 2024 17:54:04 +0100 Subject: [PATCH 193/288] simplify command --- doc/ADMIN.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/ADMIN.md b/doc/ADMIN.md index 67ee5e21..e45fa124 100644 --- a/doc/ADMIN.md +++ b/doc/ADMIN.md 
@@ -93,7 +93,7 @@ It should look like the list in the previous section. You can use the following command to automatically give you a ready-to-use list: ```bash -curl -sL ip.guide/AS"$(curl -sL ip.guide | jq -s --indent 1 ".[].network.autonomous_system.asn")" | jq -s -j --indent 1 ".[].routes" | sed "/v.*:/d;/\],/d" | tr -d " {]\",}" +curl -sL ip.guide/AS"$(curl -sL ip.guide | jq -s ".[].network.autonomous_system.asn")" | jq -s ".[].routes" | sed "/v.*:/d;/\],/d" | tr -d " {]\",}" ``` The command asks your IP address to ip.guide, which returns the "Autonomous System" number, then the commands asks the IP ranges, then display it on your screen. From 0c5575b331ca59a3b93c82e7ee40051a1b197e3e Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Tue, 2 Jan 2024 18:04:07 +0100 Subject: [PATCH 194/288] update about port 53 exposure --- config_panel.toml | 4 ++-- doc/ADMIN.md | 25 +++++++++++++++++++------ 2 files changed, 21 insertions(+), 8 deletions(-) diff --git a/config_panel.toml b/config_panel.toml index 70705f82..d9f67bc9 100644 --- a/config_panel.toml +++ b/config_panel.toml 
@@ -5,12 +5,12 @@ name = "AdGuard Home configuration" help = "If any trouble or question, please refer to the admin documentation right below!" services = ["__APP__"] -[main.options.open_port_53] +[main.options.expose_port_53] ask = "Expose port 53 to the Internet?" no = "false" type = "boolean" yes = "true" -help = "If so, anyone who knows your server's IP can make a DNS request to it. It may be used to perform amplification attacks: https://en.wikipedia.org/wiki/Denial-of-service_attack#Amplification Read the admin doc to secure your server using allowlist." +help = "If so, anyone who knows your server's IP can make a DNS request to it. It may be used to perform amplification attacks: https://en.wikipedia.org/wiki/Denial-of-service_attack#Amplification Please read the admin doc to understand that setting and to secure your server using allowlist." [main.options.dns_over_https] ask = "Enable DNS-over-HTTPS/QUIC?" diff --git a/doc/ADMIN.md b/doc/ADMIN.md index e45fa124..53addcd2 100644 --- a/doc/ADMIN.md +++ b/doc/ADMIN.md 
@@ -6,17 +6,30 @@ You want to be sure to understand the config settings? You're at the right place This setting is **disabled** by default. -You need to know that anyone who knows your server's IP can make a DNS request to it. It may be used to perform [amplification attacks](https://en.wikipedia.org/wiki/Denial-of-service_attack#Amplification)! +When disabled: -To use AdGuard Home in your home network, you don't need to activate this setting. +- YunoHost **will not** check if the port 53 is accessible on Internet and warns you if not (so no irrelevant warning) +- Public IP adresses **will not** be added to the AdGuard Home configuration + +When enabled: + +- YunoHost **will** check if the port 53 is accessible on Internet and warns you if not +- You need to **manually open port 53** on your touter if you self-host at home +- Public IP adresses **will** be added to the AdGuard Home configuration + +You need to know that if you expose your DNS server to Internet, anyone who knows your server's IP can make a DNS request to it. It *may be used* to perform [amplification attacks](https://en.wikipedia.org/wiki/Denial-of-service_attack#Amplification)! +This risk is greatly minimized by the rate limiting setting, which is set to 20 requests per second per client by default: +Settings → DNS settings → DNS server configuration → Rate limit + +To use AdGuard Home in your home network if your self-hosting at home, you **don't need** to activate this setting. You simply have to use the private IP adress of your server (like `192.168.0.1` or so) as DNS IP for your IT hardware at home. -The right IP to use are shown in the "Setup Guide" page of your AdGuard Home instance. +The right IP addresses to use are shown in the "Setup Guide" page of your AdGuard Home instance. If you would expose the port 53 on Internet, you'll be able to use the public IP of your server (the same as in your domain name DNS settings) on any device outside your home network. 
-**Warning:** you should not have public IPs of the config file if the port 53 is **not exposed** on Internet (else: AGH crashes) -**Please note:** They should be automatically removed when upgrading this package or when modifiying this port 53 exposure setting, but it's in the docs just in case. -You can remove them in your config file `/var/www/adguardhome/AdGuardHome.yaml` in the `dns: bind_hosts:` section. +**Warning:** you should not have public IPs in the config file if the port 53 is **not exposed** on Internet (else: AGH crashes) +**Please note:** They should be automatically removed when upgrading this package or when modifiying this port 53 exposure setting, but it's in the docs just in case. +You can remove them in your config file `/var/www/adguardhome/AdGuardHome.yaml` in the `dns: bind_hosts:` section. Any IP that doesn't start with the folowing are public ones: - `10.` From fb9671fa34b92a3529f15a5f1e0813d3d3948ee5 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Tue, 2 Jan 2024 18:05:14 +0100 Subject: [PATCH 195/288] typo --- doc/ADMIN.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/ADMIN.md b/doc/ADMIN.md index 53addcd2..2d387657 100644 --- a/doc/ADMIN.md +++ b/doc/ADMIN.md @@ -14,7 +14,7 @@ When disabled: When enabled: - YunoHost **will** check if the port 53 is accessible on Internet and warns you if not -- You need to **manually open port 53** on your touter if you self-host at home +- You need to **manually open port 53** of your router if you self-host at home - Public IP adresses **will** be added to the AdGuard Home configuration You need to know that if you expose your DNS server to Internet, anyone who knows your server's IP can make a DNS request to it. It *may be used* to perform [amplification attacks](https://en.wikipedia.org/wiki/Denial-of-service_attack#Amplification)! From 8ebedf813e5fe9c577fcf919afd619f817ea955b Mon Sep 17 00:00:00 2001 
From: OniriCorpe Date: Tue, 2 Jan 2024 18:10:12 +0100 Subject: [PATCH 196/288] add allowlist mention in the expose port 53 section --- doc/ADMIN.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/doc/ADMIN.md b/doc/ADMIN.md index 2d387657..8336cbeb 100644 --- a/doc/ADMIN.md +++ b/doc/ADMIN.md @@ -21,6 +21,8 @@ You need to know that if you expose your DNS server to Internet, anyone who know This risk is greatly minimized by the rate limiting setting, which is set to 20 requests per second per client by default: Settings → DNS settings → DNS server configuration → Rate limit +You can completely or almost completely reduce the risk of unauthorized use with the help of the [Allowlist section](#allowlist) further down in this documentation. + To use AdGuard Home in your home network if your self-hosting at home, you **don't need** to activate this setting. You simply have to use the private IP adress of your server (like `192.168.0.1` or so) as DNS IP for your IT hardware at home. The right IP addresses to use are shown in the "Setup Guide" page of your AdGuard Home instance. From 8fa54453a50953250cb17bd1adfeaaceafb886c3 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Wed, 3 Jan 2024 22:06:38 +0100 Subject: [PATCH 197/288] add mention of the use of the port 53 in the manifest --- manifest.toml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/manifest.toml b/manifest.toml index 9d7f989a..823c8423 100644 --- a/manifest.toml +++ b/manifest.toml @@ -78,6 +78,9 @@ dns_over_http.exposed = "Both" dns_over_quic.default = 784 dns_over_quic.exposed = "UDP" internal_https.default = 13120 +# AGH also uses port 53 but we can't put it here as dnsmasq uses it by default +# and the ynh core would assign us another port, however, on installation we +# edit dnsmasq's configuration to allow AGH to use port 53 on non-localhost IPs [resources.system_user] From c569b80b4a96adb099d033c81753f9270b1d31a1 Mon Sep 17 00:00:00 2001 
From: OniriCorpe Date: Wed, 3 Jan 2024 22:41:43 +0100 Subject: [PATCH 198/288] add a new password tool in the config panel --- config_panel.toml | 5 +++++ doc/PRE_UPGRADE.d/0.107.43~ynh4 | 2 ++ scripts/config | 10 ++++++++++ scripts/install | 2 ++ scripts/upgrade | 4 ++++ 5 files changed, 23 insertions(+) diff --git a/config_panel.toml b/config_panel.toml index d9f67bc9..6b7d9af0 100644 --- a/config_panel.toml +++ b/config_panel.toml @@ -19,3 +19,8 @@ type = "boolean" yes = "true" bind = "tls>enabled:__INSTALL_DIR__/AdGuardHome.yaml" help = "If so, anyone who knows your adguard address can make a doh request to https://adguardomain.tld/dns-query It also may be used to perform amplification attacks. Read the admin doc to secure your server using allowlist." + +[main.extra.new_password] +ask = "Set a new admin password" +type = "string" +help = "With this tool, you can easily change the password of your AdGuard Home. Just put the desired password in the text input." diff --git a/doc/PRE_UPGRADE.d/0.107.43~ynh4 b/doc/PRE_UPGRADE.d/0.107.43~ynh4 index 727cee39..ecddd6d7 100644 --- a/doc/PRE_UPGRADE.d/0.107.43~ynh4 +++ b/doc/PRE_UPGRADE.d/0.107.43~ynh4 
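Review bot: The new `[main.extra.new_password]` option is declared with `type = "string"`, so the admin password is typed and shown in clear text in the config panel. `type = "password"` would mask the input, as the manifest's `[install.password]` question already does. Since scripts/install and scripts/upgrade create a `new_password` app setting, it is also worth confirming that the typed value is never persisted under that key and that only the bcrypt hash is stored.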
@@ -10,6 +10,8 @@ Applications → AdGuard Home → AdGuard Home configuration It's really important to use the configuration panel to activate or deactivate the DNS-over-HTTPS/QUIC setting, and **NOT** the built-in setting in the AdGuardHome interface. This is because YunoHost needs to perform actions such as automatically opening or closing the server's ports and refresh the IP to provide to AdGuard Home, which cannot be done without going through the configuration panel. +A new password tool has been added in the config panel too, to make it easier to change the administration password of AdGuard Home + This update is at risk of crashing AdGuard Home, so: - If any trouble or question, please refer to [the package's admin docs](https://github.com/YunoHost-Apps/adguardhome_ynh/blob/master/doc/ADMIN.md)! In any case, we recommend reading it! ^w^ - If needed and a similar issue does not already exist, please [open an issue on the GitHub's package page](https://github.com/YunoHost-Apps/adguardhome_ynh/issues)! diff --git a/scripts/config b/scripts/config index f84f174e..e75daafd 100644 --- a/scripts/config +++ b/scripts/config @@ -88,6 +88,16 @@ set__dns_over_https() { ynh_app_setting_set --app="$app" --key=dns_over_https --value="$dns_over_https" } +set__new_password() { + + # user's password encryption + password=$(python3 -c "import bcrypt; print(bcrypt.hashpw(b\"$new_password\", bcrypt.gensalt(rounds=10)).decode())") + ynh_app_setting_set --app="$app" --key=password --value="$password" + + # save the new setting in the AGH config file + ynh_write_var_in_file --file="$install_dir/AdGuardHome.yaml" --key="password" --value="$password" +} + #================================================= # GENERIC FINALIZATION #================================================= diff --git a/scripts/install b/scripts/install index a6fc925d..5d73a8c4 100644 --- a/scripts/install +++ b/scripts/install 
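Review bot: In `set__new_password`, the shell expands `$new_password` inside the double-quoted `python3 -c` program, so the value is interpreted as Python source rather than data. A password containing `"`, a backslash or a non-ASCII character breaks the bytes literal or changes what the interpreter runs, and the clear-text password is visible in the process arguments while the command runs. Pass it as data instead, for example `password=$(printf '%s' "$new_password" | python3 -c 'import sys, bcrypt; print(bcrypt.hashpw(sys.stdin.buffer.read(), bcrypt.gensalt(rounds=10)).decode())')`. If the setter can be called with an empty `new_password`, it should return early so that the hash of an empty password is never written to AdGuardHome.yaml.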
@@ -44,6 +44,8 @@ fi ynh_app_setting_set --app="$app" --key=expose_port_53 --value="$expose_port_53" +ynh_app_setting_set --app="$app" --key=new_password --value="" + #================================================= # DOWNLOAD, CHECK AND UNPACK SOURCE #================================================= diff --git a/scripts/upgrade b/scripts/upgrade index 0a3d6ed6..be9d0a6b 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -86,6 +86,10 @@ fi # remove setting no longer required ynh_app_setting_delete --app="$app" --key=port_adguard +if [ -z "${new_password:-}" ]; then + ynh_app_setting_set --app="$app" --key=new_password --value="" +fi + #================================================= # DOWNLOAD, CHECK AND UNPACK SOURCE #================================================= From 7415cc436e4cb44602e1acc8aec716754488615e Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Wed, 3 Jan 2024 22:45:12 +0100 Subject: [PATCH 199/288] add ynh_print_info --- scripts/config | 3 +++ 1 file changed, 3 insertions(+) diff --git a/scripts/config b/scripts/config index e75daafd..2748778f 100644 --- a/scripts/config +++ b/scripts/config @@ -36,6 +36,8 @@ set__expose_port_53() { ynh_print_info --message="Updating the AGH config file..." update_agh_ip_config + # declare needs_exposed_ports according to real user need + ynh_print_info --message="Updating the YunoHost service for AdGuard Home..." if [ "$dns_over_https" == "true" ] && [ "$expose_port_53" == "true" ]; then yunohost service add "$app" --description="Ads & trackers blocking DNS server" --needs_exposed_ports "53" "$port_dns_over_http" "$port_dns_over_quic" elif [ "$dns_over_https" == "true" ]; then 
@@ -71,6 +73,7 @@ set__dns_over_https() { fi # declare needs_exposed_ports according to real user need + ynh_print_info --message="Updating the YunoHost service for AdGuard Home..." if [ "$dns_over_https" == "true" ] && [ "$expose_port_53" == "true" ]; then yunohost service add "$app" --description="Ads & trackers blocking DNS server" --needs_exposed_ports "53" "$port_dns_over_http" "$port_dns_over_quic" elif [ "$dns_over_https" == "true" ]; then From 6124db99921ccc4024e453f779fa844a9a5e674f Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Wed, 3 Jan 2024 23:02:17 +0100 Subject: [PATCH 200/288] rework opening/closing ports --- scripts/install | 42 ++++++++++++++++++++++++++++-------------- scripts/restore | 27 ++++++++++++++++++--------- scripts/upgrade | 34 ++++++++++++++++++++++++++++------ 3 files changed, 74 insertions(+), 29 deletions(-) diff --git a/scripts/install b/scripts/install index 5d73a8c4..d38cdf26 100644 --- a/scripts/install +++ b/scripts/install 
@@ -16,26 +16,12 @@ ynh_script_progression --message="Storing installation settings..." --weight=2 if [[ $dns_over_https == 0 ]]; then dns_over_https="true" - # no need to open the ports, as they were opened at the 'Provisioning ports' step - ynh_print_info --message="DoH and DoQ ports are open." else dns_over_https="false" - # if dns_over_https is false, we need to close ports, - # as they were opened at the 'Provisioning ports' step - ynh_print_info --message="Closing DoH and DoQ ports..." - ynh_exec_warn_less yunohost firewall disallow Both "$port_dns_over_http" --no-reload - ynh_exec_warn_less yunohost firewall disallow UDP "$port_dns_over_quic" fi ynh_app_setting_set --app="$app" --key=dns_over_https --value="$dns_over_https" - -# if the port 53 is not open, open it, it's mandatory to use AGH -if ! yunohost firewall list | grep -q " 53$"; then - ynh_print_info --message="Opening port 53..." - ynh_exec_warn_less yunohost firewall allow Both 53 -fi - if [[ $expose_port_53 == 0 ]]; then expose_port_53="true" else 
@@ -46,6 +32,34 @@ ynh_app_setting_set --app="$app" --key=expose_port_53 --value="$expose_port_53" ynh_app_setting_set --app="$app" --key=new_password --value="" +#================================================= +# PROCESS OPENING/CLOSING PORTS +#================================================= + +# if the port 53 is not open, open it, it's mandatory to use AGH +if ! yunohost firewall list | grep -q " 53$"; then + ynh_print_info --message="Opening port 53..." + ynh_exec_warn_less yunohost firewall allow Both 53 +fi + +if [ "${dns_over_https:-}" = true ]; then + # if DoH and DoQ are closed + if ! yunohost firewall list | grep -q " $port_dns_over_http$" && ! yunohost firewall list | grep -q " $port_dns_over_quic$"; then + ynh_print_info --message="Opening DoH and DoQ ports..." + ynh_exec_warn_less yunohost firewall allow Both "$port_dns_over_http" --no-reload + ynh_exec_warn_less yunohost firewall allow UDP "$port_dns_over_quic" + else + # no need to open the ports, as they were opened at the 'Provisioning ports' step + ynh_print_info --message="DoH and DoQ ports are open." + fi +else + # if dns_over_https is false, we need to close ports, + # as they were opened at the 'Provisioning ports' step + ynh_print_info --message="Closing DoH and DoQ ports..." + ynh_exec_warn_less yunohost firewall disallow Both "$port_dns_over_http" --no-reload + ynh_exec_warn_less yunohost firewall disallow UDP "$port_dns_over_quic" +fi + #================================================= # DOWNLOAD, CHECK AND UNPACK SOURCE #================================================= diff --git a/scripts/restore b/scripts/restore index af315a0d..84b28de7 100644 --- a/scripts/restore +++ b/scripts/restore 
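Review bot: The DoH/DoQ test `if ! yunohost firewall list | grep -q " $port_dns_over_http$" && ! yunohost firewall list | grep -q " $port_dns_over_quic$"` opens the ports only when both are closed. If just one is closed, the `else` branch prints "DoH and DoQ ports are open." and leaves that port closed. Check each port on its own, or join the two tests with `||`, assuming `yunohost firewall allow` is harmless on an already open port. This commit adds the same block to scripts/restore and scripts/upgrade, so the fix applies there too, and a shared function in scripts/_common.sh would keep the three copies from drifting. Port 53 is opened in the firewall whatever `expose_port_53` is set to, so I would add a comment such as `# port 53 stays open for LAN clients; public exposure is decided by the bind_hosts list only`, if that is indeed the intent.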
@@ -12,23 +12,32 @@ source /usr/share/yunohost/helpers #================================================= # PROCESS OPENING/CLOSING PORTS -# no need to open the DoH/DoQ ports, as they were opened at the 'Provisioning ports' step #================================================= -if [ "$dns_over_https" == "false" ]; then - # if dns_over_https is false, we need to close ports, - # as they were opened at the 'Provisioning ports' step - ynh_exec_warn_less yunohost firewall disallow Both "$port_dns_over_http" --no-reload - ynh_exec_warn_less yunohost firewall disallow UDP "$port_dns_over_quic" -fi - - # if the port 53 is not open, open it, it's mandatory to use AGH if ! yunohost firewall list | grep -q " 53$"; then ynh_print_info --message="Opening port 53..." ynh_exec_warn_less yunohost firewall allow Both 53 fi +if [ "${dns_over_https:-}" = true ]; then + # if DoH and DoQ are closed + if ! yunohost firewall list | grep -q " $port_dns_over_http$" && ! yunohost firewall list | grep -q " $port_dns_over_quic$"; then + ynh_print_info --message="Opening DoH and DoQ ports..." + ynh_exec_warn_less yunohost firewall allow Both "$port_dns_over_http" --no-reload + ynh_exec_warn_less yunohost firewall allow UDP "$port_dns_over_quic" + else + # no need to open the ports, as they were opened at the 'Provisioning ports' step + ynh_print_info --message="DoH and DoQ ports are open." + fi +else + # if dns_over_https is false, we need to close ports, + # as they were opened at the 'Provisioning ports' step + ynh_print_info --message="Closing DoH and DoQ ports..." + ynh_exec_warn_less yunohost firewall disallow Both "$port_dns_over_http" --no-reload + ynh_exec_warn_less yunohost firewall disallow UDP "$port_dns_over_quic" +fi + #================================================= # RESTORE THE APP MAIN DIR #================================================= diff --git a/scripts/upgrade b/scripts/upgrade index be9d0a6b..99941072 100644 --- a/scripts/upgrade +++ b/scripts/upgrade 
@@ -29,12 +29,6 @@ ynh_systemd_action --service_name="$app" --action="stop" #================================================= ynh_script_progression --message="Ensuring downward compatibility..." --weight=1 -# if the port 53 is not open, open it, it's mandatory to use AGH -if ! yunohost firewall list | grep -q " 53$"; then - ynh_print_info --message="Opening port 53..." - ynh_exec_warn_less yunohost firewall allow Both 53 -fi - if [ -z "${expose_port_53:-}" ] && [ "${expose_port_53:-}" = true ]; then expose_port_53="true" ynh_app_setting_set --app="$app" --key=expose_port_53 --value="$expose_port_53" 
@@ -90,6 +84,34 @@ if [ -z "${new_password:-}" ]; then ynh_app_setting_set --app="$app" --key=new_password --value="" fi +#================================================= +# PROCESS OPENING/CLOSING PORTS +#================================================= + +# if the port 53 is not open, open it, it's mandatory to use AGH +if ! yunohost firewall list | grep -q " 53$"; then + ynh_print_info --message="Opening port 53..." + ynh_exec_warn_less yunohost firewall allow Both 53 +fi + +if [ "${dns_over_https:-}" = true ]; then + # if DoH and DoQ are closed + if ! yunohost firewall list | grep -q " $port_dns_over_http$" && ! yunohost firewall list | grep -q " $port_dns_over_quic$"; then + ynh_print_info --message="Opening DoH and DoQ ports..." + ynh_exec_warn_less yunohost firewall allow Both "$port_dns_over_http" --no-reload + ynh_exec_warn_less yunohost firewall allow UDP "$port_dns_over_quic" + else + # no need to open the ports, as they were opened at the 'Provisioning ports' step + ynh_print_info --message="DoH and DoQ ports are open." + fi +else + # if dns_over_https is false, we need to close ports, + # as they were opened at the 'Provisioning ports' step + ynh_print_info --message="Closing DoH and DoQ ports..." + ynh_exec_warn_less yunohost firewall disallow Both "$port_dns_over_http" --no-reload + ynh_exec_warn_less yunohost firewall disallow UDP "$port_dns_over_quic" +fi + #================================================= # DOWNLOAD, CHECK AND UNPACK SOURCE #================================================= From 2a57997e297aca6709f4338a11120c803349c706 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Wed, 3 Jan 2024 23:22:11 +0100 Subject: [PATCH 201/288] fix --- scripts/upgrade | 8 -------- 1 file changed, 8 deletions(-) diff --git a/scripts/upgrade b/scripts/upgrade index 99941072..6e6d1008 100644 --- a/scripts/upgrade +++ b/scripts/upgrade 
@@ -37,20 +37,12 @@ elif [ -n "${expose_port_53:-}" ] || [ "${expose_port_53:-}" = false ]; then ynh_app_setting_set --app="$app" --key=expose_port_53 --value="$expose_port_53" fi - if [ -z "${dns_over_https:-}" ] && [ "${dns_over_https:-}" = true ]; then dns_over_https="true" ynh_app_setting_set --app="$app" --key=dns_over_https --value=$dns_over_https - # no need to open the ports, as they were opened at the 'Provisioning ports' step - ynh_print_info --message="DoH and DoQ ports are open." elif [ -n "${dns_over_https:-}" ] || [ "${dns_over_https:-}" = false ]; then dns_over_https="false" ynh_app_setting_set --app="$app" --key=dns_over_https --value=$dns_over_https - # if dns_over_https is false, we need to close ports, - # as they were opened at the 'Provisioning ports' step - ynh_print_info --message="Closing DoH and DoQ ports..." - ynh_exec_warn_less yunohost firewall disallow Both "$port_dns_over_http" --no-reload - ynh_exec_warn_less yunohost firewall disallow UDP "$port_dns_over_quic" fi # about all those 'ynh_write_var_in_file': From 75c6179a619eafd1b112dd4f034ba9ff69911a42 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Wed, 3 Jan 2024 23:23:30 +0100 Subject: [PATCH 202/288] fix unbound variable --- scripts/upgrade | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/upgrade b/scripts/upgrade index 6e6d1008..45122c97 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -29,7 +29,7 @@ ynh_systemd_action --service_name="$app" --action="stop" #================================================= ynh_script_progression --message="Ensuring downward compatibility..." --weight=1 -if [ -z "${expose_port_53:-}" ] && [ "${expose_port_53:-}" = true ]; then +if [ -z "${expose_port_53:-}" ] || [ "${expose_port_53:-}" = true ]; then expose_port_53="true" ynh_app_setting_set --app="$app" --key=expose_port_53 --value="$expose_port_53" elif [ -n "${expose_port_53:-}" ] || [ "${expose_port_53:-}" = false ]; then 
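Review bot: The `&&` to `||` fix is applied to the `expose_port_53` test only. The `dns_over_https` test a few lines further down, visible as context in the previous commit's hunk, still reads `if [ -z "${dns_over_https:-}" ] && [ "${dns_over_https:-}" = true ]`, which can never be true. A stored `dns_over_https=true` therefore falls through to the `elif [ -n ... ]` branch and is rewritten to `false` on upgrade, after which the port section closes the DoH/DoQ ports. With the new `||`, an unset `expose_port_53` now becomes `true`, while doc/ADMIN.md describes this setting as disabled by default; if exposure is not meant to be the upgrade default, the empty case should set `false`. In this hunk `elif [ -n "${expose_port_53:-}" ] || [ "${expose_port_53:-}" = false ]` is always taken once the first test fails, so a plain `else` says the same thing more clearly.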
From 68638296044bba77f36a9c74ac54dd10b1c3aaad Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Wed, 3 Jan 2024 23:34:17 +0100 Subject: [PATCH 203/288] if the DNS port is not 53, make sure it is --- scripts/upgrade | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/scripts/upgrade b/scripts/upgrade index 45122c97..a59d8c0e 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -45,6 +45,11 @@ elif [ -n "${dns_over_https:-}" ] || [ "${dns_over_https:-}" = false ]; then ynh_app_setting_set --app="$app" --key=dns_over_https --value=$dns_over_https fi +# if the DNS port is not 53, make sure it is +if ! [ "$(ynh_read_var_in_file --file="$install_dir/AdGuardHome.yaml" --key="port" --after="dns")" == "53" ]; then + ynh_write_var_in_file --file="$install_dir/AdGuardHome.yaml" --key="port" --after="dns" --value="53" +fi + # about all those 'ynh_write_var_in_file': # AGH modifies by itself the config file when an user modifies it using the front-end # so if we're using 'ynh_add_config' to process the config file, each From 7facbe28209ef83afa5acca92e498e2d9ff49878 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Wed, 3 Jan 2024 23:37:19 +0100 Subject: [PATCH 204/288] moved --- scripts/upgrade | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/scripts/upgrade b/scripts/upgrade index a59d8c0e..24a8fc4e 100644 --- a/scripts/upgrade +++ b/scripts/upgrade 
@@ -45,11 +45,6 @@ elif [ -n "${dns_over_https:-}" ] || [ "${dns_over_https:-}" = false ]; then ynh_app_setting_set --app="$app" --key=dns_over_https --value=$dns_over_https fi -# if the DNS port is not 53, make sure it is -if ! [ "$(ynh_read_var_in_file --file="$install_dir/AdGuardHome.yaml" --key="port" --after="dns")" == "53" ]; then - ynh_write_var_in_file --file="$install_dir/AdGuardHome.yaml" --key="port" --after="dns" --value="53" -fi - # about all those 'ynh_write_var_in_file': # AGH modifies by itself the config file when an user modifies it using the front-end # so if we're using 'ynh_add_config' to process the config file, each @@ -85,6 +80,11 @@ fi # PROCESS OPENING/CLOSING PORTS #================================================= +# if the DNS port in the AGH config is not 53, make sure it is... +if ! [ "$(ynh_read_var_in_file --file="$install_dir/AdGuardHome.yaml" --key="port" --after="dns")" == "53" ]; then + ynh_write_var_in_file --file="$install_dir/AdGuardHome.yaml" --key="port" --after="dns" --value="53" +fi + # if the port 53 is not open, open it, it's mandatory to use AGH if ! yunohost firewall list | grep -q " 53$"; then ynh_print_info --message="Opening port 53..." From 57474383ba4c05dddbda24ccb39d18c5059b1d11 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Wed, 3 Jan 2024 23:38:13 +0100 Subject: [PATCH 205/288] add ynh_print_info --- scripts/upgrade | 1 + 1 file changed, 1 insertion(+) diff --git a/scripts/upgrade b/scripts/upgrade index 24a8fc4e..f36eae8c 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -82,6 +82,7 @@ fi # if the DNS port in the AGH config is not 53, make sure it is... if ! [ "$(ynh_read_var_in_file --file="$install_dir/AdGuardHome.yaml" --key="port" --after="dns")" == "53" ]; then + ynh_print_info --message="Fixing port 53 in the AGH config file..." ynh_write_var_in_file --file="$install_dir/AdGuardHome.yaml" --key="port" --after="dns" --value="53" fi 
From 63dfc780d8ce2d394d144f6506ec02292128f85f Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Wed, 3 Jan 2024 23:40:16 +0100 Subject: [PATCH 206/288] fix --- manifest.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifest.toml b/manifest.toml index 823c8423..564b7b81 100644 --- a/manifest.toml +++ b/manifest.toml @@ -45,7 +45,7 @@ type = "user" [install.password] type = "password" -[install.open_port_53] +[install.expose_port_53] ask.en = "Expose port 53 to the Internet?" help.en = "If so, anyone who knows your server's IP can make a DNS request to it. It may be used to perform amplification attacks: https://en.wikipedia.org/wiki/Denial-of-service_attack#Amplification" default = false From 267b56ba87fec4930866d17d9ccb8157a09f05da Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Wed, 3 Jan 2024 23:44:47 +0100 Subject: [PATCH 207/288] test upgrade from past version --- tests.toml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/tests.toml b/tests.toml index 240f6263..2532af6b 100644 --- a/tests.toml +++ b/tests.toml @@ -10,6 +10,12 @@ test_format = 1.0 args.open_port_53 = 1 args.dns_over_https = 1 +# ------------------------------- +# Commits to test upgrade from +# ------------------------------- + +test_upgrade_from.c1b81566.name = "Upgrade from 0.107.43~ynh3" + # ------------------------------- # additional tests suite # ------------------------------- From d8ff1775012f32efdcafb5099f1b356dd39fc621 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Wed, 3 Jan 2024 23:57:05 +0100 Subject: [PATCH 208/288] fix --- scripts/_common.sh | 2 +- tests.toml | 10 +++++----- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/scripts/_common.sh b/scripts/_common.sh index c29356c4..a884fa8f 100644 --- a/scripts/_common.sh +++ b/scripts/_common.sh 
@@ -84,7 +84,7 @@ process_ips(){ # if we try to bind port 53 on a fe80:: address, AGH crashes if ! [[ "$ip" =~ ^fe80:* ]]; then # don't process if the IP is public and the port 53 closed - if is_public_ip "$ip" && [ "$open_port_53" == "false" ]; then + if is_public_ip "$ip" && [ "$expose_port_53" == "false" ]; then # don't add this IP (do nothing) : else diff --git a/tests.toml b/tests.toml index 2532af6b..5bb537b3 100644 --- a/tests.toml +++ b/tests.toml @@ -7,7 +7,7 @@ test_format = 1.0 # ------------------------------- # false by default -args.open_port_53 = 1 +args.expose_port_53 = 1 args.dns_over_https = 1 # ------------------------------- @@ -20,17 +20,17 @@ test_upgrade_from.c1b81566.name = "Upgrade from 0.107.43~ynh3" # additional tests suite # ------------------------------- -[open_port_53] +[expose_port_53] only = ["install.root"] -args.open_port_53 = 0 +args.expose_port_53 = 0 args.dns_over_https = 1 [open_doh_doq_ports] only = ["install.root"] -args.open_port_53 = 1 +args.expose_port_53 = 1 args.dns_over_https = 0 [open_both_port_53_and_doh_doq_ports] only = ["install.root"] -args.open_port_53 = 0 +args.expose_port_53 = 0 args.dns_over_https = 0 From f6f6e705fc2f485b97f36ddcff893198fb076c3e Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Wed, 3 Jan 2024 23:58:05 +0100 Subject: [PATCH 209/288] import needed settings --- scripts/config | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/scripts/config b/scripts/config index 2748778f..c61016e5 100644 --- a/scripts/config +++ b/scripts/config @@ -11,6 +11,10 @@ source /usr/share/yunohost/helpers ynh_abort_if_errors +# import needed settings +port_dns_over_http=$(ynh_app_setting_get --app="$app" --key=port_dns_over_http) +port_dns_over_quic=$(ynh_app_setting_get --app="$app" --key=port_dns_over_quic) + #================================================= # SPECIFIC SETTERS #================================================= 
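Review bot: The guard `[ "$expose_port_53" == "false" ]` skips a public IP only on the exact string `false`, so any other value (empty, `0`, `no`) falls into the `else` branch and the address is added. tests.toml in this same commit passes `args.expose_port_53 = 0` and `1`, so it is worth confirming the value is normalised to `true`/`false` before `process_ips` runs. Testing the permissive case instead makes the check fail closed: `if is_public_ip "$ip" && [ "${expose_port_53:-false}" != "true" ]; then`. `process_ips` starts and ends outside the hunk.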
@@ -54,9 +58,6 @@ set__expose_port_53() { set__dns_over_https() { - port_dns_over_http=$(ynh_app_setting_get --app="$app" --key=port_dns_over_http) - port_dns_over_quic=$(ynh_app_setting_get --app="$app" --key=port_dns_over_quic) - if [ "$dns_over_https" == "true" ]; then ynh_print_info --message="Opening DoH and DoQ ports..." # if DNS over HTTPS/QUIC is activated, open the associated ports From 14a7b866dec4f1349fccbb6ad7f9f96ad7621d14 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Thu, 4 Jan 2024 00:09:38 +0100 Subject: [PATCH 210/288] better phrasing --- doc/PRE_UPGRADE.d/0.107.43~ynh4 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/PRE_UPGRADE.d/0.107.43~ynh4 b/doc/PRE_UPGRADE.d/0.107.43~ynh4 index ecddd6d7..c5d15d3d 100644 --- a/doc/PRE_UPGRADE.d/0.107.43~ynh4 +++ b/doc/PRE_UPGRADE.d/0.107.43~ynh4 @@ -10,7 +10,7 @@ Applications → AdGuard Home → AdGuard Home configuration It's really important to use the configuration panel to activate or deactivate the DNS-over-HTTPS/QUIC setting, and **NOT** the built-in setting in the AdGuardHome interface. This is because YunoHost needs to perform actions such as automatically opening or closing the server's ports and refresh the IP to provide to AdGuard Home, which cannot be done without going through the configuration panel. -A new password tool has been added in the config panel too, to make it easier to change the administration password of AdGuard Home +Also, a new password tool has been added in the config panel too, to make it easier to change the administration password of AdGuard Home! ^w^ This update is at risk of crashing AdGuard Home, so: - If any trouble or question, please refer to [the package's admin docs](https://github.com/YunoHost-Apps/adguardhome_ynh/blob/master/doc/ADMIN.md)! In any case, we recommend reading it! ^w^ From aa2b4d02622863aa374391df767fd9da605d74d9 Mon Sep 17 00:00:00 2001 
From: OniriCorpe Date: Thu, 4 Jan 2024 00:09:47 +0100 Subject: [PATCH 211/288] add ynh_print_info --- scripts/config | 2 ++ 1 file changed, 2 insertions(+) diff --git a/scripts/config b/scripts/config index c61016e5..68514bb4 100644 --- a/scripts/config +++ b/scripts/config @@ -95,10 +95,12 @@ set__dns_over_https() { set__new_password() { # user's password encryption + ynh_print_info --message="Encrypting the new password..." password=$(python3 -c "import bcrypt; print(bcrypt.hashpw(b\"$new_password\", bcrypt.gensalt(rounds=10)).decode())") ynh_app_setting_set --app="$app" --key=password --value="$password" # save the new setting in the AGH config file + ynh_print_info --message="Saving the new password in the AGH configuration..." ynh_write_var_in_file --file="$install_dir/AdGuardHome.yaml" --key="password" --value="$password" } From eb54efb4da15e2a338f086c1e72fd5c4582407cb Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Thu, 4 Jan 2024 00:19:26 +0100 Subject: [PATCH 212/288] add ynh_script_progression for opening and closing port section --- scripts/install | 1 + scripts/restore | 1 + scripts/upgrade | 1 + 3 files changed, 3 insertions(+) diff --git a/scripts/install b/scripts/install index d38cdf26..0f502ba4 100644 --- a/scripts/install +++ b/scripts/install @@ -35,6 +35,7 @@ ynh_app_setting_set --app="$app" --key=new_password --value="" #================================================= # PROCESS OPENING/CLOSING PORTS #================================================= +ynh_script_progression --message="Process opening & closing ports..." --weight=2 # if the port 53 is not open, open it, it's mandatory to use AGH if ! yunohost firewall list | grep -q " 53$"; then diff --git a/scripts/restore b/scripts/restore index 84b28de7..8aa6a945 100644 --- a/scripts/restore +++ b/scripts/restore 
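Review bot: In `set__new_password`, `$new_password` is expanded inside the Python source handed to `python3 -c`, so a password containing `"` or `\` changes the program that runs. A non-ASCII password also makes the `b"..."` literal invalid, and the clear-text password sits in the process arguments while hashing. Pass it as data instead: `password=$(printf '%s' "$new_password" | python3 -c 'import sys, bcrypt; print(bcrypt.hashpw(sys.stdin.buffer.read(), bcrypt.gensalt(rounds=10)).decode())')`. `printf` is a bash builtin, so the secret does not appear in any argument list. The two added `ynh_print_info` lines do not echo the value and are fine as they are.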
@@ -13,6 +13,7 @@ source /usr/share/yunohost/helpers #================================================= # PROCESS OPENING/CLOSING PORTS #================================================= +ynh_script_progression --message="Process opening & closing ports..." --weight=2 # if the port 53 is not open, open it, it's mandatory to use AGH if ! yunohost firewall list | grep -q " 53$"; then diff --git a/scripts/upgrade b/scripts/upgrade index f36eae8c..ec6fbcaf 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -79,6 +79,7 @@ fi #================================================= # PROCESS OPENING/CLOSING PORTS #================================================= +ynh_script_progression --message="Process opening & closing ports..." --weight=2 # if the DNS port in the AGH config is not 53, make sure it is... if ! [ "$(ynh_read_var_in_file --file="$install_dir/AdGuardHome.yaml" --key="port" --after="dns")" == "53" ]; then From 5539d8bd9439d8456ecd779ba1a5d5501250f99d Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Thu, 4 Jan 2024 00:21:53 +0100 Subject: [PATCH 213/288] add sub category names --- config_panel.toml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/config_panel.toml b/config_panel.toml index 6b7d9af0..054965d3 100644 --- a/config_panel.toml +++ b/config_panel.toml @@ -5,6 +5,9 @@ name = "AdGuard Home configuration" help = "If any trouble or question, please refer to the admin documentation right below!" services = ["__APP__"] +[main.options] +name = "Configure AdGuard Home options" + [main.options.expose_port_53] ask = "Expose port 53 to the Internet?" no = "false" 
@@ -20,6 +23,9 @@ yes = "true" bind = "tls>enabled:__INSTALL_DIR__/AdGuardHome.yaml" help = "If so, anyone who knows your adguard address can make a doh request to https://adguardomain.tld/dns-query It also may be used to perform amplification attacks. Read the admin doc to secure your server using allowlist." +[main.extra] +name = "Extra tools" + [main.extra.new_password] ask = "Set a new admin password" type = "string" From fa0931a4c69ee745ef0533609000d60a4511e07a Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Thu, 4 Jan 2024 00:27:06 +0100 Subject: [PATCH 214/288] better placing and add ynh_script_progression --- scripts/remove | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/scripts/remove b/scripts/remove index a2c1a8e1..e1a28b59 100644 --- a/scripts/remove +++ b/scripts/remove @@ -10,10 +10,9 @@ source _common.sh source /usr/share/yunohost/helpers #================================================= -# STANDARD REMOVE -#================================================= -# REMOVE SERVICE INTEGRATION IN YUNOHOST +# PROCESS CLOSING PORTS #================================================= +ynh_script_progression --message="Process closing ports..." --weight=2 # close ports ynh_print_info --message="Closing port 53..." @@ -24,6 +23,12 @@ if [ "$dns_over_https" == "true" ]; then ynh_exec_warn_less yunohost firewall disallow UDP "$port_dns_over_quic" fi +#================================================= +# STANDARD REMOVE +#================================================= +# REMOVE SERVICE INTEGRATION IN YUNOHOST +#================================================= + # Remove the service from the list of services known by YunoHost (added from `yunohost service add`) if ynh_exec_warn_less yunohost service status "$app" >/dev/null then From d0e977fff30c220a2ececb3e714bdcd5faf9dc3e Mon Sep 17 00:00:00 2001 
From: OniriCorpe Date: Thu, 4 Jan 2024 02:05:28 +0100 Subject: [PATCH 215/288] better phrasing --- scripts/remove | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/remove b/scripts/remove index e1a28b59..9ac8f663 100644 --- a/scripts/remove +++ b/scripts/remove @@ -12,7 +12,7 @@ source /usr/share/yunohost/helpers #================================================= # PROCESS CLOSING PORTS #================================================= -ynh_script_progression --message="Process closing ports..." --weight=2 +ynh_script_progression --message="Closing ports..." --weight=2 # close ports ynh_print_info --message="Closing port 53..." From ddd7d35b1a9a3f966e33810b15154de5f661e2c5 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Sat, 6 Jan 2024 21:14:04 +0100 Subject: [PATCH 216/288] english as default --- conf/AdGuardHome.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/conf/AdGuardHome.yaml b/conf/AdGuardHome.yaml index df12248a..15f269f3 100644 --- a/conf/AdGuardHome.yaml +++ b/conf/AdGuardHome.yaml @@ -10,7 +10,7 @@ users: auth_attempts: 5 block_auth_min: 15 http_proxy: "" -language: "" +language: en theme: auto dns: bind_hosts: [] From 8934664aebe8a1443191f37949d26b8933c1dc65 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Sat, 6 Jan 2024 21:14:11 +0100 Subject: [PATCH 217/288] remove irrelevant if --- scripts/remove | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/scripts/remove b/scripts/remove index 9ac8f663..7a13716e 100644 --- a/scripts/remove +++ b/scripts/remove 
@@ -30,11 +30,8 @@ fi #================================================= # Remove the service from the list of services known by YunoHost (added from `yunohost service add`) -if ynh_exec_warn_less yunohost service status "$app" >/dev/null -then - ynh_script_progression --message="Removing $app service integration..." --weight=1 - yunohost service remove "$app" -fi +ynh_script_progression --message="Removing $app service integration..." --weight=1 +yunohost service remove "$app" ynh_script_progression --message="Removing system configurations related to $app..." --weight=1 From 0931db002805586cca424149d195ad03cd191fec Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Wed, 10 Jan 2024 00:40:51 +0100 Subject: [PATCH 218/288] remove DoQ port in app declaration, else diagnostics will cry because it can't test an UDP port --- scripts/config | 8 ++++---- scripts/install | 4 ++-- scripts/restore | 4 ++-- scripts/upgrade | 4 ++-- 4 files changed, 10 insertions(+), 10 deletions(-) diff --git a/scripts/config b/scripts/config index 68514bb4..88a53339 100644 --- a/scripts/config +++ b/scripts/config 
@@ -43,9 +43,9 @@ set__expose_port_53() { # declare needs_exposed_ports according to real user need ynh_print_info --message="Updating the YunoHost service for AdGuard Home..." if [ "$dns_over_https" == "true" ] && [ "$expose_port_53" == "true" ]; then - yunohost service add "$app" --description="Ads & trackers blocking DNS server" --needs_exposed_ports "53" "$port_dns_over_http" "$port_dns_over_quic" + yunohost service add "$app" --description="Ads & trackers blocking DNS server" --needs_exposed_ports "53" "$port_dns_over_http" elif [ "$dns_over_https" == "true" ]; then - yunohost service add "$app" --description="Ads & trackers blocking DNS server" --needs_exposed_ports "$port_dns_over_http" "$port_dns_over_quic" + yunohost service add "$app" --description="Ads & trackers blocking DNS server" --needs_exposed_ports "$port_dns_over_http" elif [ "$expose_port_53" == "true" ]; then yunohost service add "$app" --description="Ads & trackers blocking DNS server" --needs_exposed_ports "53" else 
@@ -76,9 +76,9 @@ set__dns_over_https() { # declare needs_exposed_ports according to real user need ynh_print_info --message="Updating the YunoHost service for AdGuard Home..." if [ "$dns_over_https" == "true" ] && [ "$expose_port_53" == "true" ]; then - yunohost service add "$app" --description="Ads & trackers blocking DNS server" --needs_exposed_ports "53" "$port_dns_over_http" "$port_dns_over_quic" + yunohost service add "$app" --description="Ads & trackers blocking DNS server" --needs_exposed_ports "53" "$port_dns_over_http" elif [ "$dns_over_https" == "true" ]; then - yunohost service add "$app" --description="Ads & trackers blocking DNS server" --needs_exposed_ports "$port_dns_over_http" "$port_dns_over_quic" + yunohost service add "$app" --description="Ads & trackers blocking DNS server" --needs_exposed_ports "$port_dns_over_http" elif [ "$expose_port_53" == "true" ]; then yunohost service add "$app" --description="Ads & trackers blocking DNS server" --needs_exposed_ports "53" else diff --git a/scripts/install b/scripts/install index 0f502ba4..2db443fa 100644 --- a/scripts/install +++ b/scripts/install 
@@ -133,9 +133,9 @@ ynh_add_systemd_config # declare needs_exposed_ports according to real user need if [ "$dns_over_https" == "true" ] && [ "$expose_port_53" == "true" ]; then - yunohost service add "$app" --description="Ads & trackers blocking DNS server" --needs_exposed_ports "53" "$port_dns_over_http" "$port_dns_over_quic" + yunohost service add "$app" --description="Ads & trackers blocking DNS server" --needs_exposed_ports "53" "$port_dns_over_http" elif [ "$dns_over_https" == "true" ]; then - yunohost service add "$app" --description="Ads & trackers blocking DNS server" --needs_exposed_ports "$port_dns_over_http" "$port_dns_over_quic" + yunohost service add "$app" --description="Ads & trackers blocking DNS server" --needs_exposed_ports "$port_dns_over_http" elif [ "$expose_port_53" == "true" ]; then yunohost service add "$app" --description="Ads & trackers blocking DNS server" --needs_exposed_ports "53" else diff --git a/scripts/restore b/scripts/restore index 8aa6a945..2486150f 100644 --- a/scripts/restore +++ b/scripts/restore @@ -94,9 +94,9 @@ systemctl enable "$app.service" --quiet # declare needs_exposed_ports according to real user need if [ "$dns_over_https" == "true" ] && [ "$expose_port_53" == "true" ]; then - yunohost service add "$app" --description="Ads & trackers blocking DNS server" --needs_exposed_ports "53" "$port_dns_over_http" "$port_dns_over_quic" + yunohost service add "$app" --description="Ads & trackers blocking DNS server" --needs_exposed_ports "53" "$port_dns_over_http" elif [ "$dns_over_https" == "true" ]; then - yunohost service add "$app" --description="Ads & trackers blocking DNS server" --needs_exposed_ports "$port_dns_over_http" "$port_dns_over_quic" + yunohost service add "$app" --description="Ads & trackers blocking DNS server" --needs_exposed_ports "$port_dns_over_http" elif [ "$expose_port_53" == "true" ]; then yunohost service add "$app" --description="Ads & trackers blocking DNS server" --needs_exposed_ports "53" else 
diff --git a/scripts/upgrade b/scripts/upgrade index ec6fbcaf..fb8b045e 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -141,9 +141,9 @@ ynh_add_systemd_config # declare needs_exposed_ports according to real user need if [ "$dns_over_https" == "true" ] && [ "$expose_port_53" == "true" ]; then - yunohost service add "$app" --description="Ads & trackers blocking DNS server" --needs_exposed_ports "53" "$port_dns_over_http" "$port_dns_over_quic" + yunohost service add "$app" --description="Ads & trackers blocking DNS server" --needs_exposed_ports "53" "$port_dns_over_http" elif [ "$dns_over_https" == "true" ]; then - yunohost service add "$app" --description="Ads & trackers blocking DNS server" --needs_exposed_ports "$port_dns_over_http" "$port_dns_over_quic" + yunohost service add "$app" --description="Ads & trackers blocking DNS server" --needs_exposed_ports "$port_dns_over_http" elif [ "$expose_port_53" == "true" ]; then yunohost service add "$app" --description="Ads & trackers blocking DNS server" --needs_exposed_ports "53" else From c7661d70060679d9bef68eb86e9603df8d4bd2e2 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Wed, 17 Jan 2024 03:58:01 +0100 Subject: [PATCH 219/288] add schema --- manifest.toml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/manifest.toml b/manifest.toml index 564b7b81..47fdfcc3 100644 --- a/manifest.toml +++ b/manifest.toml @@ -1,3 +1,5 @@ +#:schema https://raw.githubusercontent.com/YunoHost/apps/master/schemas/manifest.v2.schema.json + packaging_format = 2 description.en = "Network-wide ads & trackers blocking DNS server" @@ -83,6 +85,7 @@ internal_https.default = 13120 # edit dnsmasq's configuration to allow AGH to use port 53 on non-localhost IPs [resources.system_user] +allow_email = true [resources.install_dir] From 677846745ed6a1ffaea4d7313807967511cce432 Mon Sep 17 00:00:00 2001 
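Review bot: `allow_email = true` on `[resources.system_user]` is not mentioned by the commit message ("add schema") and widens what the app's system user is allowed to do. Nothing visible in this patch series shows AdGuard Home sending mail, so either drop the line or add a comment naming the feature that needs it, e.g. `# required by <feature>`. Keeping the schema line and the permission change in separate commits would make the grant easier to audit.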
From: OniriCorpe Date: Tue, 13 Feb 2024 00:23:49 +0100 Subject: [PATCH 220/288] start after nginx --- conf/systemd.service | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/conf/systemd.service b/conf/systemd.service index 02442d7c..571a1cfa 100644 --- a/conf/systemd.service +++ b/conf/systemd.service @@ -1,7 +1,7 @@ [Unit] Description=AdGuardHome: Network-level blocker ConditionFileIsExecutable=__INSTALL_DIR__/AdGuardHome -After=syslog.target network-online.target +After=syslog.target network-online.target nginx.service [Service] Type=simple From 5f6a941bee6689191f76dd2cf92908e8073baa8a Mon Sep 17 00:00:00 2001 From: yunohost-bot Date: Thu, 7 Mar 2024 20:22:53 +0000 Subject: [PATCH 221/288] Auto-update README --- README.md | 14 +++++++------- README_fr.md | 14 +++++++------- 2 files changed, 14 insertions(+), 14 deletions(-) diff --git a/README.md b/README.md index c8c625c5..dc26ac8b 100644 --- a/README.md +++ b/README.md @@ -29,12 +29,12 @@ It operates as a DNS server that re-routes tracking domains to a "black hole", t ## Documentation and resources -* Official app website: -* Official user documentation: -* Official admin documentation: -* Upstream app code repository: -* YunoHost Store: -* Report a bug: +- Official app website: +- Official user documentation: +- Official admin documentation: +- Upstream app code repository: +- YunoHost Store: +- Report a bug: ## Developer info @@ -48,4 +48,4 @@ or sudo yunohost app upgrade adguardhome -u https://github.com/YunoHost-Apps/adguardhome_ynh/tree/testing --debug ``` -**More info regarding app packaging:** \ No newline at end of file +**More info regarding app packaging:** diff --git a/README_fr.md b/README_fr.md index c107c63c..d0988585 100644 --- a/README_fr.md +++ b/README_fr.md 
@@ -29,12 +29,12 @@ Il fonctionne comme un serveur DNS qui redirige les domaines de pistage vers un ## Documentations et ressources -* Site officiel de l’app : -* Documentation officielle utilisateur : -* Documentation officielle de l’admin : -* Dépôt de code officiel de l’app : -* YunoHost Store: -* Signaler un bug : +- Site officiel de l’app : +- Documentation officielle utilisateur : +- Documentation officielle de l’admin : +- Dépôt de code officiel de l’app : +- YunoHost Store : +- Signaler un bug : ## Informations pour les développeurs @@ -48,4 +48,4 @@ ou sudo yunohost app upgrade adguardhome -u https://github.com/YunoHost-Apps/adguardhome_ynh/tree/testing --debug ``` -**Plus d’infos sur le packaging d’applications :** \ No newline at end of file +**Plus d’infos sur le packaging d’applications :** From 4ccbe686fc2efd748fed24d5ce25636869ac2466 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Sun, 12 May 2024 04:59:11 +0200 Subject: [PATCH 222/288] DoT seems to work with this config --- conf/nginx.conf | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/conf/nginx.conf b/conf/nginx.conf index 9b255cb4..c324581b 100644 --- a/conf/nginx.conf +++ b/conf/nginx.conf @@ -22,13 +22,9 @@ location __PATH__/ { location /dns-query { proxy_set_header Host $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_redirect off; - proxy_buffering on; - proxy_http_version 1.1; - proxy_read_timeout 6s; - proxy_connect_timeout 6s; - proxy_ssl_session_reuse on; - proxy_pass https://127.0.0.1:__PORT_INTERNAL_HTTPS__/dns-query; + proxy_set_header X-Real-IP $remote_addr; + proxy_bind 127.0.0.1; + proxy_pass http://127.0.0.1:__PORT_INTERNAL_HTTPS__/dns-query; } # disabling the API point of the built-in updater (which can break the installation) From 0903f45def19c2edf5c2598ee841ba8fe3f7cd67 Mon Sep 17 00:00:00 2001 
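Review bot: `X-Forwarded-For $proxy_add_x_forwarded_for` in `location /dns-query` appends the peer address to whatever the client sent, so the upstream still receives a client-chosen first entry. If AdGuard Home's client allowlist or per-client statistics read that header, the value can be forged. Since nginx is the only hop here, `proxy_set_header X-Forwarded-For $remote_addr;` next to the new `X-Real-IP` line gives the backend a single address it can trust. The switch to `proxy_pass http://` on `__PORT_INTERNAL_HTTPS__` also makes DoH depend on the backend accepting plain HTTP on that port (presumably via `allow_unencrypted_doh`), which deserves a comment. The removed 6s timeouts now fall back to nginx defaults, which should be a deliberate choice on a publicly reachable endpoint.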
From: yunohost-bot Date: Sun, 12 May 2024 02:59:17 +0000 Subject: [PATCH 223/288] Auto-update READMEs --- ALL_README.md | 8 ++++++++ README.md | 14 ++++++------- README_es.md | 51 +++++++++++++++++++++++++++++++++++++++++++++++ README_eu.md | 51 +++++++++++++++++++++++++++++++++++++++++++++++ README_fr.md | 32 ++++++++++++++--------------- README_gl.md | 51 +++++++++++++++++++++++++++++++++++++++++++++++ README_zh_Hans.md | 51 +++++++++++++++++++++++++++++++++++++++++++++++ 7 files changed, 235 insertions(+), 23 deletions(-) create mode 100644 ALL_README.md create mode 100644 README_es.md create mode 100644 README_eu.md create mode 100644 README_gl.md create mode 100644 README_zh_Hans.md diff --git a/ALL_README.md b/ALL_README.md new file mode 100644 index 00000000..8938aaec --- /dev/null +++ b/ALL_README.md @@ -0,0 +1,8 @@ +# All available README files by language + +- [Read the README in English](README.md) +- [Lee el README en español](README_es.md) +- [Irakurri README euskaraz](README_eu.md) +- [Lire le README en français](README_fr.md) +- [Le o README en galego](README_gl.md) +- [阅读中文(简体)的 README](README_zh_Hans.md) diff --git a/README.md b/README.md index dc26ac8b..fc77a574 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,5 @@ @@ -9,10 +9,10 @@ It shall NOT be edited by hand. [![Install AdGuard Home with YunoHost](https://install-app.yunohost.org/install-with-yunohost.svg)](https://install-app.yunohost.org/?app=adguardhome) -*[Lire ce readme en français.](./README_fr.md)* +*[Read this README in other languages.](./ALL_README.md)* -> *This package allows you to install AdGuard Home quickly and simply on a YunoHost server. -If you don't have YunoHost, please consult [the guide](https://yunohost.org/#/install) to learn how to install it.* +> *This package allows you to install AdGuard Home quickly and simply on a YunoHost server.* +> *If you don't have YunoHost, please consult [the guide](https://yunohost.org/install) to learn how to install it.* ## Overview 
@@ -38,11 +38,11 @@ It operates as a DNS server that re-routes tracking domains to a "black hole", t ## Developer info -Please send your pull request to the [testing branch](https://github.com/YunoHost-Apps/adguardhome_ynh/tree/testing). +Please send your pull request to the [`testing` branch](https://github.com/YunoHost-Apps/adguardhome_ynh/tree/testing). -To try the testing branch, please proceed like that. +To try the `testing` branch, please proceed like that: -``` bash +```bash sudo yunohost app install https://github.com/YunoHost-Apps/adguardhome_ynh/tree/testing --debug or sudo yunohost app upgrade adguardhome -u https://github.com/YunoHost-Apps/adguardhome_ynh/tree/testing --debug diff --git a/README_es.md b/README_es.md new file mode 100644 index 00000000..e7037ab2 --- /dev/null +++ b/README_es.md 
@@ -0,0 +1,51 @@ + + +# AdGuard Home para Yunohost + +[![Nivel de integración](https://dash.yunohost.org/integration/adguardhome.svg)](https://dash.yunohost.org/appci/app/adguardhome) ![Estado funcional](https://ci-apps.yunohost.org/ci/badges/adguardhome.status.svg) ![Estado En Mantención](https://ci-apps.yunohost.org/ci/badges/adguardhome.maintain.svg) + +[![Instalar AdGuard Home con Yunhost](https://install-app.yunohost.org/install-with-yunohost.svg)](https://install-app.yunohost.org/?app=adguardhome) + +*[Leer este README en otros idiomas.](./ALL_README.md)* + +> *Este paquete le permite instalarAdGuard Home rapidamente y simplement en un servidor YunoHost.* +> *Si no tiene YunoHost, visita [the guide](https://yunohost.org/install) para aprender como instalarla.* + +## Descripción general + +AdGuard Home is a network-wide software for blocking ads & tracking. After you set it up, it'll cover ALL your home devices, and you don't need any client-side software for that. + +It operates as a DNS server that re-routes tracking domains to a "black hole", thus preventing your devices from connecting to those servers. It's based on software we use for our public AdGuard DNS servers -- both share a lot of common code. 
+ + +**Versión actual:** 0.107.45~ynh1 + +## Capturas + +![Captura de AdGuard Home](./doc/screenshots/68747470733a2f2f63646e2e616467756172642e636f6d2f7075626c69632f416467756172642f436f6d6d6f6e2f616467756172645f686f6d652e676966.gif) + +## Documentaciones y recursos + +- Sitio web oficial: +- Documentación usuario oficial: +- Documentación administrador oficial: +- Repositorio del código fuente oficial de la aplicación : +- Catálogo YunoHost: +- Reportar un error: + +## Información para desarrolladores + +Por favor enviar sus correcciones a la [`branch testing`](https://github.com/YunoHost-Apps/adguardhome_ynh/tree/testing + +Para probar la rama `testing`, sigue asÍ: + +```bash +sudo yunohost app install https://github.com/YunoHost-Apps/adguardhome_ynh/tree/testing --debug +o +sudo yunohost app upgrade adguardhome -u https://github.com/YunoHost-Apps/adguardhome_ynh/tree/testing --debug +``` + +**Mas informaciones sobre el empaquetado de aplicaciones:** diff --git a/README_eu.md b/README_eu.md new file mode 100644 index 00000000..7a892370 --- /dev/null +++ b/README_eu.md 
@@ -0,0 +1,51 @@ + + +# AdGuard Home YunoHost-erako + +[![Integrazio maila](https://dash.yunohost.org/integration/adguardhome.svg)](https://dash.yunohost.org/appci/app/adguardhome) ![Funtzionamendu egoera](https://ci-apps.yunohost.org/ci/badges/adguardhome.status.svg) ![Mantentze egoera](https://ci-apps.yunohost.org/ci/badges/adguardhome.maintain.svg) + +[![Instalatu AdGuard Home YunoHost-ekin](https://install-app.yunohost.org/install-with-yunohost.svg)](https://install-app.yunohost.org/?app=adguardhome) + +*[Irakurri README hau beste hizkuntzatan.](./ALL_README.md)* + +> *Pakete honek AdGuard Home YunoHost zerbitzari batean azkar eta zailtasunik gabe instalatzea ahalbidetzen dizu.* +> *YunoHost ez baduzu, kontsultatu [gida](https://yunohost.org/install) nola instalatu ikasteko.* + +## Aurreikuspena + +AdGuard Home is a network-wide software for blocking ads & tracking. After you set it up, it'll cover ALL your home devices, and you don't need any client-side software for that. + +It operates as a DNS server that re-routes tracking domains to a "black hole", thus preventing your devices from connecting to those servers. It's based on software we use for our public AdGuard DNS servers -- both share a lot of common code. + + +**Paketatutako bertsioa:** 0.107.45~ynh1 + +## Pantaila-argazkiak + +![AdGuard Home(r)en pantaila-argazkia](./doc/screenshots/68747470733a2f2f63646e2e616467756172642e636f6d2f7075626c69632f416467756172642f436f6d6d6f6e2f616467756172645f686f6d652e676966.gif) + +## Dokumentazioa eta baliabideak + +- Aplikazioaren webgune ofiziala: +- Erabiltzaileen dokumentazio ofiziala: +- Administratzaileen dokumentazio ofiziala: +- Jatorrizko aplikazioaren kode-gordailua: +- YunoHost Denda: +- Eman errore baten berri: + +## Garatzaileentzako informazioa + +Bidali `pull request`a [`testing` abarrera](https://github.com/YunoHost-Apps/adguardhome_ynh/tree/testing). 
+ +`testing` abarra probatzeko, ondorengoa egin: + +```bash +sudo yunohost app install https://github.com/YunoHost-Apps/adguardhome_ynh/tree/testing --debug +edo +sudo yunohost app upgrade adguardhome -u https://github.com/YunoHost-Apps/adguardhome_ynh/tree/testing --debug +``` + +**Informazio gehiago aplikazioaren paketatzeari buruz:** diff --git a/README_fr.md b/README_fr.md index d0988585..803c35a5 100644 --- a/README_fr.md +++ b/README_fr.md @@ -1,6 +1,6 @@ # AdGuard Home pour YunoHost @@ -9,10 +9,10 @@ It shall NOT be edited by hand. [![Installer AdGuard Home avec YunoHost](https://install-app.yunohost.org/install-with-yunohost.svg)](https://install-app.yunohost.org/?app=adguardhome) -*[Read this readme in english.](./README.md)* +*[Lire le README dans d'autres langues.](./ALL_README.md)* -> *Ce package vous permet d’installer AdGuard Home rapidement et simplement sur un serveur YunoHost. -Si vous n’avez pas YunoHost, regardez [ici](https://yunohost.org/#/install) pour savoir comment l’installer et en profiter.* +> *Ce package vous permet d’installer AdGuard Home rapidement et simplement sur un serveur YunoHost.* +> *Si vous n’avez pas YunoHost, consultez [ce guide](https://yunohost.org/install) pour savoir comment l’installer et en profiter.* ## Vue d’ensemble @@ -21,7 +21,7 @@ AdGuard Home est un logiciel à l'échelle du réseau pour bloquer les publicit Il fonctionne comme un serveur DNS qui redirige les domaines de pistage vers un "trou noir", empêchant ainsi vos appareils de se connecter à ces serveurs. Il est basé sur un logiciel que nous utilisons pour nos serveurs DNS publics AdGuard - les deux partagent beaucoup de code commun. -**Version incluse :** 0.107.45~ynh1 +**Version incluse :** 0.107.45~ynh1 ## Captures d’écran 
@@ -29,23 +29,23 @@ Il fonctionne comme un serveur DNS qui redirige les domaines de pistage vers un ## Documentations et ressources -- Site officiel de l’app : -- Documentation officielle utilisateur : -- Documentation officielle de l’admin : -- Dépôt de code officiel de l’app : -- YunoHost Store : -- Signaler un bug : +- Site officiel de l’app : +- Documentation officielle utilisateur : +- Documentation officielle de l’admin : +- Dépôt de code officiel de l’app : +- YunoHost Store : +- Signaler un bug : ## Informations pour les développeurs -Merci de faire vos pull request sur la [branche testing](https://github.com/YunoHost-Apps/adguardhome_ynh/tree/testing). +Merci de faire vos pull request sur la [branche `testing`](https://github.com/YunoHost-Apps/adguardhome_ynh/tree/testing). -Pour essayer la branche testing, procédez comme suit. +Pour essayer la branche `testing`, procédez comme suit : -``` bash +```bash sudo yunohost app install https://github.com/YunoHost-Apps/adguardhome_ynh/tree/testing --debug ou sudo yunohost app upgrade adguardhome -u https://github.com/YunoHost-Apps/adguardhome_ynh/tree/testing --debug ``` -**Plus d’infos sur le packaging d’applications :** +**Plus d’infos sur le packaging d’applications :** diff --git a/README_gl.md b/README_gl.md new file mode 100644 index 00000000..9aaca8b6 --- /dev/null +++ b/README_gl.md 
@@ -0,0 +1,51 @@ + + +# AdGuard Home para YunoHost + +[![Nivel de integración](https://dash.yunohost.org/integration/adguardhome.svg)](https://dash.yunohost.org/appci/app/adguardhome) ![Estado de funcionamento](https://ci-apps.yunohost.org/ci/badges/adguardhome.status.svg) ![Estado de mantemento](https://ci-apps.yunohost.org/ci/badges/adguardhome.maintain.svg) + +[![Instalar AdGuard Home con YunoHost](https://install-app.yunohost.org/install-with-yunohost.svg)](https://install-app.yunohost.org/?app=adguardhome) + +*[Le este README en outros idiomas.](./ALL_README.md)* + +> *Este paquete permíteche instalar AdGuard Home de xeito rápido e doado nun servidor YunoHost.* +> *Se non usas YunoHost, le a [documentación](https://yunohost.org/install) para saber como instalalo.* + +## Vista xeral + +AdGuard Home is a network-wide software for blocking ads & tracking. After you set it up, it'll cover ALL your home devices, and you don't need any client-side software for that. + +It operates as a DNS server that re-routes tracking domains to a "black hole", thus preventing your devices from connecting to those servers. It's based on software we use for our public AdGuard DNS servers -- both share a lot of common code. + + +**Versión proporcionada:** 0.107.45~ynh1 + +## Capturas de pantalla + +![Captura de pantalla de AdGuard Home](./doc/screenshots/68747470733a2f2f63646e2e616467756172642e636f6d2f7075626c69632f416467756172642f436f6d6d6f6e2f616467756172645f686f6d652e676966.gif) + +## Documentación e recursos + +- Web oficial da app: +- Documentación oficial para usuarias: +- Documentación oficial para admin: +- Repositorio de orixe do código: +- Tenda YunoHost: +- Informar dun problema: + +## Info de desenvolvemento + +Envía a túa colaboración á [rama `testing`](https://github.com/YunoHost-Apps/adguardhome_ynh/tree/testing). 
+ +Para probar a rama `testing`, procede deste xeito: + +```bash +sudo yunohost app install https://github.com/YunoHost-Apps/adguardhome_ynh/tree/testing --debug +ou +sudo yunohost app upgrade adguardhome -u https://github.com/YunoHost-Apps/adguardhome_ynh/tree/testing --debug +``` + +**Máis info sobre o empaquetado da app:** diff --git a/README_zh_Hans.md b/README_zh_Hans.md new file mode 100644 index 00000000..8c9b67b9 --- /dev/null +++ b/README_zh_Hans.md 
@@ -0,0 +1,51 @@ + + +# YunoHost 上的 AdGuard Home + +[![集成程度](https://dash.yunohost.org/integration/adguardhome.svg)](https://dash.yunohost.org/appci/app/adguardhome) ![工作状态](https://ci-apps.yunohost.org/ci/badges/adguardhome.status.svg) ![维护状态](https://ci-apps.yunohost.org/ci/badges/adguardhome.maintain.svg) + +[![使用 YunoHost 安装 AdGuard Home](https://install-app.yunohost.org/install-with-yunohost.svg)](https://install-app.yunohost.org/?app=adguardhome) + +*[阅读此 README 的其它语言版本。](./ALL_README.md)* + +> *通过此软件包,您可以在 YunoHost 服务器上快速、简单地安装 AdGuard Home。* +> *如果您还没有 YunoHost,请参阅[指南](https://yunohost.org/install)了解如何安装它。* + +## 概况 + +AdGuard Home is a network-wide software for blocking ads & tracking. After you set it up, it'll cover ALL your home devices, and you don't need any client-side software for that. + +It operates as a DNS server that re-routes tracking domains to a "black hole", thus preventing your devices from connecting to those servers. It's based on software we use for our public AdGuard DNS servers -- both share a lot of common code. + + +**分发版本:** 0.107.45~ynh1 + +## 截图 + +![AdGuard Home 的截图](./doc/screenshots/68747470733a2f2f63646e2e616467756172642e636f6d2f7075626c69632f416467756172642f436f6d6d6f6e2f616467756172645f686f6d652e676966.gif) + +## 文档与资源 + +- 官方应用网站: +- 官方用户文档: +- 官方管理文档: +- 上游应用代码库: +- YunoHost 商店: +- 报告 bug: + +## 开发者信息 + +请向 [`testing` 分支](https://github.com/YunoHost-Apps/adguardhome_ynh/tree/testing) 发送拉取请求。 + +如要尝试 `testing` 分支,请这样操作: + +```bash +sudo yunohost app install https://github.com/YunoHost-Apps/adguardhome_ynh/tree/testing --debug +或 +sudo yunohost app upgrade adguardhome -u https://github.com/YunoHost-Apps/adguardhome_ynh/tree/testing --debug +``` + +**有关应用打包的更多信息:** From 048de5fb70fc218f1e77d9d74946ef810e93f6e4 Mon Sep 17 00:00:00 2001 
From: yunohost-bot Date: Sun, 12 May 2024 03:02:29 +0000 Subject: [PATCH 224/288] Auto-update READMEs --- README_es.md | 7 +++++-- README_zh_Hans.md | 7 +++++-- 2 files changed, 10 insertions(+), 4 deletions(-) diff --git a/README_es.md b/README_es.md index e7037ab2..f3d4bcb2 100644 --- a/README_es.md +++ b/README_es.md @@ -20,12 +20,15 @@ AdGuard Home is a network-wide software for blocking ads & tracking. After you s It operates as a DNS server that re-routes tracking domains to a "black hole", thus preventing your devices from connecting to those servers. It's based on software we use for our public AdGuard DNS servers -- both share a lot of common code. +**Important note**: This AdGuard Home package needs to disable Dnsmasq on the main network interface to allow AdGuard Home to listen DNS resquest using it. +However, Dnsmasq is not disabled and will continue to function as the *localhost DNS server*. -**Versión actual:** 0.107.45~ynh1 + +**Versión actual:** 0.107.48~ynh1 ## Capturas -![Captura de AdGuard Home](./doc/screenshots/68747470733a2f2f63646e2e616467756172642e636f6d2f7075626c69632f416467756172642f436f6d6d6f6e2f616467756172645f686f6d652e676966.gif) +![Captura de AdGuard Home](./doc/screenshots/demo.gif) ## Documentaciones y recursos diff --git a/README_zh_Hans.md b/README_zh_Hans.md index 8c9b67b9..3df4a719 100644 --- a/README_zh_Hans.md +++ b/README_zh_Hans.md 
@@ -20,12 +20,15 @@ AdGuard Home is a network-wide software for blocking ads & tracking. After you s It operates as a DNS server that re-routes tracking domains to a "black hole", thus preventing your devices from connecting to those servers. It's based on software we use for our public AdGuard DNS servers -- both share a lot of common code. +**Important note**: This AdGuard Home package needs to disable Dnsmasq on the main network interface to allow AdGuard Home to listen DNS resquest using it. +However, Dnsmasq is not disabled and will continue to function as the *localhost DNS server*. -**分发版本:** 0.107.45~ynh1 + +**分发版本:** 0.107.48~ynh1 ## 截图 -![AdGuard Home 的截图](./doc/screenshots/68747470733a2f2f63646e2e616467756172642e636f6d2f7075626c69632f416467756172642f436f6d6d6f6e2f616467756172645f686f6d652e676966.gif) +![AdGuard Home 的截图](./doc/screenshots/demo.gif) ## 文档与资源 From a80877672e7731ede20b9dd8a95850fcf63025ef Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Sun, 12 May 2024 05:08:48 +0200 Subject: [PATCH 225/288] fix proxy_pass port for DoT --- conf/nginx.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/conf/nginx.conf b/conf/nginx.conf index c324581b..d1ff5d0f 100644 --- a/conf/nginx.conf +++ b/conf/nginx.conf @@ -24,7 +24,7 @@ location /dns-query { proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Real-IP $remote_addr; proxy_bind 127.0.0.1; - proxy_pass http://127.0.0.1:__PORT_INTERNAL_HTTPS__/dns-query; + proxy_pass http://127.0.0.1:__PORT__/dns-query; } # disabling the API point of the built-in updater (which can break the installation) From 9c5feb4112e67daf701a1ad6c5c83362e641d878 Mon Sep 17 00:00:00 2001 From: yunohost-bot Date: Sun, 12 May 2024 03:38:35 +0000 Subject: [PATCH 226/288] Auto-update READMEs --- README_es.md | 2 +- README_zh_Hans.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/README_es.md b/README_es.md index f3d4bcb2..d93500c0 100644 --- a/README_es.md 
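Review bot: In conf/nginx.conf, the new `proxy_pass http://127.0.0.1:__PORT__/dns-query;` line in `location /dns-query` forwards DoH to what looks like AdGuard Home's plain-HTTP listener, and nothing beside it records the two AdGuardHome.yaml settings this relies on. AdGuard Home answers DoH on an unencrypted listener only when `allow_unencrypted_doh` is true, and it honours the `X-Forwarded-For`/`X-Real-IP` headers set just above only when 127.0.0.1 is in `trusted_proxies`. Without the latter, every DoH client is seen as 127.0.0.1, which would defeat the per-client rate limit and the allowlist. I would add a comment above the line, for example `# plain-HTTP upstream: needs allow_unencrypted_doh: true and 127.0.0.1 in trusted_proxies (AdGuardHome.yaml)`, and check that the shipped conf/AdGuardHome.yaml agrees. The `location` block opens before this hunk, so its other directives are not visible here.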
+++ b/README_es.md @@ -24,7 +24,7 @@ It operates as a DNS server that re-routes tracking domains to a "black hole", t However, Dnsmasq is not disabled and will continue to function as the *localhost DNS server*. -**Versión actual:** 0.107.48~ynh1 +**Versión actual:** 0.107.48~ynh2 ## Capturas diff --git a/README_zh_Hans.md b/README_zh_Hans.md index 3df4a719..73ec042b 100644 --- a/README_zh_Hans.md +++ b/README_zh_Hans.md @@ -24,7 +24,7 @@ It operates as a DNS server that re-routes tracking domains to a "black hole", t However, Dnsmasq is not disabled and will continue to function as the *localhost DNS server*. -**分发版本:** 0.107.48~ynh1 +**分发版本:** 0.107.48~ynh2 ## 截图 From 08088676fcb14ba985b9d7a0daa0ee06c8b55ee2 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Mon, 13 May 2024 00:53:44 +0200 Subject: [PATCH 227/288] add kernel system config file for DoQ --- conf/10-adguardhome.conf | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 conf/10-adguardhome.conf diff --git a/conf/10-adguardhome.conf b/conf/10-adguardhome.conf new file mode 100644 index 00000000..c1f8e941 --- /dev/null +++ b/conf/10-adguardhome.conf @@ -0,0 +1,5 @@ +# This is a configuration file linked to the AdGuardHome YunoHost package + +# augment the packet buffer size for DNS over QUIC to work properly +net.core.rmem_max = 2500000 +net.core.wmem_max = 2500000 From 3d5dd45dfc328dbb6241b41c6f2e141ff02ed277 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Mon, 13 May 2024 01:00:22 +0200 Subject: [PATCH 228/288] edit scripts to handle the kernel config file for DoQ --- scripts/backup | 2 ++ scripts/install | 3 +++ scripts/remove | 3 +++ scripts/restore | 7 +++++++ scripts/upgrade | 5 ++++- 5 files changed, 19 insertions(+), 1 deletion(-) diff --git a/scripts/backup b/scripts/backup index 342c5a0d..93fbb01a 100644 --- a/scripts/backup +++ b/scripts/backup 
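Review bot: In the new conf/10-adguardhome.conf, the comment presents `net.core.rmem_max` and `net.core.wmem_max` as a DNS-over-QUIC tweak, but they are host-wide ceilings on socket buffer sizes for every process, not something scoped to AdGuard Home. Because the file assigns fixed values, it can also lower the limit on a host where an earlier-sorted sysctl.d file had raised it, and a later-sorted file can silently undo it. I would say so in the header, for example `# host-wide socket buffer ceilings (affect all processes); raised so QUIC/UDP buffers can be sized for DoQ`, and note where the 2500000 figure comes from.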
@@ -38,6 +38,8 @@ ynh_backup --src_path="/etc/systemd/system/$app.service" # BACKUP VARIOUS FILES #================================================= +# backup the kernel config file for DoQ +ynh_backup --src_path="/etc/sysctl.d/10-adguardhome.conf" #================================================= # END OF SCRIPT diff --git a/scripts/install b/scripts/install index 2db443fa..3b40a0d5 100644 --- a/scripts/install +++ b/scripts/install @@ -90,6 +90,9 @@ ynh_add_nginx_config # use of the Let's Encrypt certs for DOT/DOQ usermod -a -G ssl-cert "$app" +# adding a kernel config file for DoQ +ynh_add_config --template="10-adguardhome.conf" --destination="/etc/sysctl.d/10-adguardhome.conf" + #================================================= # ADD A CONFIGURATION #================================================= diff --git a/scripts/remove b/scripts/remove index 7a13716e..4eb7f429 100644 --- a/scripts/remove +++ b/scripts/remove @@ -43,6 +43,9 @@ ynh_remove_nginx_config # Remove other various files specific to the app... +# remove the kernel config file for DoQ +ynh_secure_remove --file="/etc/sysctl.d/10-adguardhome.conf" + # Remove the dedicated dnsmasq config for AdGuardHome ynh_secure_remove --file="/etc/dnsmasq.d/$app" diff --git a/scripts/restore b/scripts/restore index 2486150f..d32108c1 100644 --- a/scripts/restore +++ b/scripts/restore @@ -103,6 +103,13 @@ else yunohost service add "$app" --description="Ads & trackers blocking DNS server" fi +#================================================= +# RESTORE VARIOUS FILES +#================================================= + +# restore the kernel config file for DoQ +ynh_restore_file --origin_path="/etc/sysctl.d/10-adguardhome.conf" + #================================================= # START SYSTEMD SERVICE #================================================= diff --git a/scripts/upgrade b/scripts/upgrade index 4e3e3af3..5544f212 100644 --- a/scripts/upgrade +++ b/scripts/upgrade 
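Review bot: In scripts/install, the added `ynh_add_config --template="10-adguardhome.conf" --destination="/etc/sysctl.d/10-adguardhome.conf"` only writes the file; no `sysctl` call is visible in this hunk, so the larger buffers would not take effect until the next boot or a manual reload. The same applies to the scripts/restore hunk below it and to the matching line in scripts/upgrade, and the scripts/remove hunk deletes the file while the running kernel keeps the raised values. If nothing outside these hunks reloads it, add `sysctl -p "/etc/sysctl.d/10-adguardhome.conf"` after the file is written or restored. It is also worth confirming that the helper leaves the file owned by root and not writable by the `$app` user, since it is kernel configuration. Each of these hunks sits in the middle of a longer script.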
@@ -120,7 +120,7 @@ then ynh_script_progression --message="Upgrading source files..." --weight=1 # Download, check integrity, uncompress and patch the source from app.src - ynh_setup_source --dest_dir=$install_dir --full_replace=1 --keep="data AdGuardHome.yaml" + ynh_setup_source --dest_dir="$install_dir" --full_replace=1 --keep="data AdGuardHome.yaml" fi chmod -R o-rwx "$install_dir" @@ -158,6 +158,9 @@ fi # use of the Let's Encrypt certs for DOT/DOQ usermod -a -G ssl-cert "$app" +# adding a kernel config file for DoQ +ynh_add_config --template="10-adguardhome.conf" --destination="/etc/sysctl.d/10-adguardhome.conf" + #================================================= # UPDATE A CONFIG FILE #================================================= From 29514b0d99b7949184341b02969e100a49a94c72 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Mon, 13 May 2024 01:01:49 +0200 Subject: [PATCH 229/288] comment edit --- scripts/remove | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/scripts/remove b/scripts/remove index 4eb7f429..6e862be8 100644 --- a/scripts/remove +++ b/scripts/remove @@ -41,7 +41,9 @@ ynh_remove_systemd_config # Remove the dedicated NGINX config ynh_remove_nginx_config -# Remove other various files specific to the app... +#================================================= +# REMOVE VARIOUS FILES specific to the app... +#================================================= # remove the kernel config file for DoQ ynh_secure_remove --file="/etc/sysctl.d/10-adguardhome.conf" From 74da41ddd7929b849ed31dbd92ffdfb8024b23f7 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Mon, 13 May 2024 01:12:45 +0200 Subject: [PATCH 230/288] update docs --- doc/ADMIN.md | 22 +++++++++++++--------- doc/PRE_UPGRADE.d/0.107.43~ynh4 | 4 ++-- 2 files changed, 15 insertions(+), 11 deletions(-) diff --git a/doc/ADMIN.md b/doc/ADMIN.md index 8336cbeb..bba03622 100644 --- a/doc/ADMIN.md +++ b/doc/ADMIN.md 
@@ -14,8 +14,8 @@ When disabled: When enabled: - YunoHost **will** check if the port 53 is accessible on Internet and warns you if not -- You need to **manually open port 53** of your router if you self-host at home -- Public IP adresses **will** be added to the AdGuard Home configuration +- You need to **manually open port 53** of your router if you self-host at home! +- Public IP adresses **will** be added to the AdGuard Home configuration, so AGH will be able to bind to them You need to know that if you expose your DNS server to Internet, anyone who knows your server's IP can make a DNS request to it. It *may be used* to perform [amplification attacks](https://en.wikipedia.org/wiki/Denial-of-service_attack#Amplification)! This risk is greatly minimized by the rate limiting setting, which is set to 20 requests per second per client by default: 
@@ -24,15 +24,15 @@ Settings → DNS settings → DNS server configuration → Rate limit You can completely or almost completely reduce the risk of unauthorized use with the help of the [Allowlist section](#allowlist) further down in this documentation. To use AdGuard Home in your home network if your self-hosting at home, you **don't need** to activate this setting. -You simply have to use the private IP adress of your server (like `192.168.0.1` or so) as DNS IP for your IT hardware at home. -The right IP addresses to use are shown in the "Setup Guide" page of your AdGuard Home instance. +You simply have to use the private IP adress of your server (like `192.168.0.1` or so) as DNS IP for your IT devices at home. +The right IP addresses to use are shown at the top of the "Setup Guide" page of your AdGuard Home instance. If you would expose the port 53 on Internet, you'll be able to use the public IP of your server (the same as in your domain name DNS settings) on any device outside your home network. **Warning:** you should not have public IPs in the config file if the port 53 is **not exposed** on Internet (else: AGH crashes) **Please note:** They should be automatically removed when upgrading this package or when modifiying this port 53 exposure setting, but it's in the docs just in case. You can remove them in your config file `/var/www/adguardhome/AdGuardHome.yaml` in the `dns: bind_hosts:` section. -Any IP that doesn't start with the folowing are public ones: +Any IP **that doesn't start** with the folowing are public ones: - `10.` - `169.` 
@@ -41,13 +41,13 @@ Any IP that doesn't start with the folowing are public ones: - `fcxx:` (where the `x` can be any hexadecimal character) - `fdxx:` (where the `x` can be any hexadecimal character) -**Warning:** IPv6 starting with `fe80:` (IPv6 LLA) can't be used for DNS purposes, if you try to put one in the AGH config, it won't work. +**Warning:** IPv6 starting with `fe80:` (IPv6 LLA) CAN'T be used for DNS purposes, if you try to put one in the AGH config, it won't work and crash. So, any other IP should be a public one. Restart AdGuard Home after applying the needed edits: `yunohost service restart adguardhome` -## Enable DNS over HTTP and DNS over QUIC? +## Enable DNS over HTTP, DNS over TLS and DNS over QUIC? This setting is **disabled** by default. 
@@ -56,12 +56,16 @@ You need to know that anyone who knows your AdGuard Home domain-name can make a It's really important to use the configuration panel to deactivate this setting, and **NOT** the built-in setting in the AdGuardHome interface. This is because YunoHost needs to perform actions such as automatically opening or closing the server's ports and refresh the IP to provide to AdGuard Home, which cannot be done without going through the configuration panel. -If you host your machine at home, for using DoH or DoQ, you have to open the following ports on your router: +If you host your machine at home, for using DoH or DoQ, you have to open the following ports on your router by yourself: - `853` in TCP & UDP (for DNS over HTTP) - `784` in UDP (for DNS over QUIC) -Then you can use `https://adguard.example.com/dns-query` (where `adguard.example.com` is the domain-name associated to your AdGuard Home) as a DoH or DoQ DNS server for your devices. ^w^ +Then you can use the following adresses (where `adguard.example.com` is the domain-name associated to your AdGuard Home) as a DoH, DoT or DoQ DNS server for your devices: + +- DNS over HTTP: `https://adguard.example.com/dns-query` +- DNS over TLS: `tls://adguard.example.com:853` +- DNS over QUIC: `quic://adguard.emelyne.eu:784` ## Allowlist diff --git a/doc/PRE_UPGRADE.d/0.107.43~ynh4 b/doc/PRE_UPGRADE.d/0.107.43~ynh4 index c5d15d3d..9e8768da 100644 --- a/doc/PRE_UPGRADE.d/0.107.43~ynh4 +++ b/doc/PRE_UPGRADE.d/0.107.43~ynh4 
@@ -1,11 +1,11 @@ From this 0.107.43~ynh4 version, some things have changed: - port 53 is no longer exposed on the Internet by default, it's now a deliberate choice -- it is now possible to use DoH and DoQ with Let's Encrypt certificates out of the box, but this is also disabled by default for the same reason. +- it is now possible to use DNS over HTTP, DNS over TLS and DNS over QUIC, with the Let's Encrypt certificates generated by YunoHost, out of the box, but this is also disabled by default for the same reason. To activate either of these features, please use the config panel: Applications → AdGuard Home → AdGuard Home configuration - Expose port 53 to the Internet? -- Enable DNS-over-HTTPS/QUIC? +- Enable DNS-over-HTTPS/TLS/QUIC? It's really important to use the configuration panel to activate or deactivate the DNS-over-HTTPS/QUIC setting, and **NOT** the built-in setting in the AdGuardHome interface. This is because YunoHost needs to perform actions such as automatically opening or closing the server's ports and refresh the IP to provide to AdGuard Home, which cannot be done without going through the configuration panel. From 70884560ba8cd4c818b8af62cd3c76ddadc9daeb Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Mon, 13 May 2024 01:16:19 +0200 Subject: [PATCH 231/288] war that maybe the devices config will be to redo if the user already uses DoX --- doc/PRE_UPGRADE.d/0.107.43~ynh4 | 1 + 1 file changed, 1 insertion(+) diff --git a/doc/PRE_UPGRADE.d/0.107.43~ynh4 b/doc/PRE_UPGRADE.d/0.107.43~ynh4 index 9e8768da..7264ba2e 100644 --- a/doc/PRE_UPGRADE.d/0.107.43~ynh4 +++ b/doc/PRE_UPGRADE.d/0.107.43~ynh4 
@@ -13,5 +13,6 @@ This is because YunoHost needs to perform actions such as automatically opening Also, a new password tool has been added in the config panel too, to make it easier to change the administration password of AdGuard Home! ^w^ This update is at risk of crashing AdGuard Home, so: +- If you're already using DoH, DoT or DoQ with your AdGuard Home instance: the configuration of your devices may need to be redone, I'm sorry for that. - If any trouble or question, please refer to [the package's admin docs](https://github.com/YunoHost-Apps/adguardhome_ynh/blob/master/doc/ADMIN.md)! In any case, we recommend reading it! ^w^ - If needed and a similar issue does not already exist, please [open an issue on the GitHub's package page](https://github.com/YunoHost-Apps/adguardhome_ynh/issues)! From aaf7de72cc112c81a41a274c0f9de8c1f16c9e72 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Mon, 13 May 2024 01:16:29 +0200 Subject: [PATCH 232/288] wording --- config_panel.toml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config_panel.toml b/config_panel.toml index 054965d3..02f90ef6 100644 --- a/config_panel.toml +++ b/config_panel.toml 
@@ -16,12 +16,12 @@ yes = "true" help = "If so, anyone who knows your server's IP can make a DNS request to it. It may be used to perform amplification attacks: https://en.wikipedia.org/wiki/Denial-of-service_attack#Amplification Please read the admin doc to understand that setting and to secure your server using allowlist." [main.options.dns_over_https] -ask = "Enable DNS-over-HTTPS/QUIC?" +ask = "Enable DNS-over-HTTPS/TLS/QUIC?" no = "false" type = "boolean" yes = "true" bind = "tls>enabled:__INSTALL_DIR__/AdGuardHome.yaml" -help = "If so, anyone who knows your adguard address can make a doh request to https://adguardomain.tld/dns-query It also may be used to perform amplification attacks. Read the admin doc to secure your server using allowlist." +help = "If so, anyone who knows your adguard address can make a DoH request to https://adguardomain.tld/dns-query or using DoT or DoQ. It also may be used to perform amplification attacks. Read the admin doc to secure your server using allowlist." [main.extra] name = "Extra tools" From 157e0d8a75588e9f6f95359c7771528658bd3ac7 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Mon, 13 May 2024 01:29:12 +0200 Subject: [PATCH 233/288] bump version --- manifest.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifest.toml b/manifest.toml index f515dee4..8a9f0556 100644 --- a/manifest.toml +++ b/manifest.toml @@ -7,7 +7,7 @@ description.fr = "Serveur DNS, bloqueur de publicités et trackers" id = "adguardhome" name = "AdGuard Home" -version = "0.107.48~ynh2" +version = "0.107.48~ynh3" maintainers = [ "ddataa", "OniriCorpe" ] From 40fb7203c43caa865ba78610340bbfd3ef1ae547 Mon Sep 17 00:00:00 2001 From: yunohost-bot Date: Sun, 12 May 2024 23:29:19 +0000 Subject: [PATCH 234/288] Auto-update READMEs --- README.md | 2 +- README_es.md | 2 +- README_eu.md | 2 +- README_fr.md | 2 +- README_gl.md | 2 +- README_zh_Hans.md | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) 
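Review bot: In config_panel.toml, the reworded `help` string for `dns_over_https` still describes the risk as amplification, which is mainly a property of plain DNS over UDP on port 53; DoH and DoT run over TCP with a handshake, so spoofed-source reflection is not the main concern there. What this switch exposes is an encrypted resolver that anyone who knows the name can query, and the text should point at the allowlist for that reason. The example host `adguardomain.tld` is also misspelled. Something like `help = "If so, anyone who knows your AdGuard Home domain can use it as a DoH (https://adguard.example.tld/dns-query), DoT or DoQ resolver. Read the admin doc to restrict clients with the allowlist."` would be more accurate.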
diff --git a/README.md b/README.md index 359c8d6f..b3f5e50a 100644 --- a/README.md +++ b/README.md @@ -24,7 +24,7 @@ It operates as a DNS server that re-routes tracking domains to a "black hole", t However, Dnsmasq is not disabled and will continue to function as the *localhost DNS server*. -**Shipped version:** 0.107.48~ynh2 +**Shipped version:** 0.107.48~ynh3 ## Screenshots diff --git a/README_es.md b/README_es.md index d93500c0..d07da3ab 100644 --- a/README_es.md +++ b/README_es.md @@ -24,7 +24,7 @@ It operates as a DNS server that re-routes tracking domains to a "black hole", t However, Dnsmasq is not disabled and will continue to function as the *localhost DNS server*. -**Versión actual:** 0.107.48~ynh2 +**Versión actual:** 0.107.48~ynh3 ## Capturas diff --git a/README_eu.md b/README_eu.md index cfe8b6b8..de48a0f4 100644 --- a/README_eu.md +++ b/README_eu.md @@ -24,7 +24,7 @@ It operates as a DNS server that re-routes tracking domains to a "black hole", t However, Dnsmasq is not disabled and will continue to function as the *localhost DNS server*. -**Paketatutako bertsioa:** 0.107.48~ynh2 +**Paketatutako bertsioa:** 0.107.48~ynh3 ## Pantaila-argazkiak diff --git a/README_fr.md b/README_fr.md index a48126b8..1268f683 100644 --- a/README_fr.md +++ b/README_fr.md @@ -24,7 +24,7 @@ Il fonctionne comme un serveur DNS qui redirige les domaines de pistage vers un Cependant, Dnsmasq n'est pas désactivé et continuera à fonctionner en tant que *serveur DNS localhost*. -**Version incluse :** 0.107.48~ynh2 +**Version incluse :** 0.107.48~ynh3 ## Captures d’écran diff --git a/README_gl.md b/README_gl.md index d38bee32..5410886e 100644 --- a/README_gl.md +++ b/README_gl.md @@ -24,7 +24,7 @@ It operates as a DNS server that re-routes tracking domains to a "black hole", t However, Dnsmasq is not disabled and will continue to function as the *localhost DNS server*. -**Versión proporcionada:** 0.107.48~ynh2 +**Versión proporcionada:** 0.107.48~ynh3 ## Capturas de pantalla 
diff --git a/README_zh_Hans.md b/README_zh_Hans.md index 73ec042b..ed9c1272 100644 --- a/README_zh_Hans.md +++ b/README_zh_Hans.md @@ -24,7 +24,7 @@ It operates as a DNS server that re-routes tracking domains to a "black hole", t However, Dnsmasq is not disabled and will continue to function as the *localhost DNS server*. -**分发版本:** 0.107.48~ynh2 +**分发版本:** 0.107.48~ynh3 ## 截图 From d965a191a43ea98d6a530767eec5ea9eb5b0cce8 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Mon, 13 May 2024 01:36:12 +0200 Subject: [PATCH 235/288] rename the pre upgrade warning to the proper version name --- doc/PRE_UPGRADE.d/{0.107.43~ynh4 => 0.107.48~ynh3.md} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename doc/PRE_UPGRADE.d/{0.107.43~ynh4 => 0.107.48~ynh3.md} (100%) diff --git a/doc/PRE_UPGRADE.d/0.107.43~ynh4 b/doc/PRE_UPGRADE.d/0.107.48~ynh3.md similarity index 100% rename from doc/PRE_UPGRADE.d/0.107.43~ynh4 rename to doc/PRE_UPGRADE.d/0.107.48~ynh3.md From 00ca366b8574e5c9333f1ea68f3e07b5136c089d Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Mon, 13 May 2024 01:44:36 +0200 Subject: [PATCH 236/288] oops, forgot to bump the version number here too --- doc/PRE_UPGRADE.d/0.107.48~ynh3.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/doc/PRE_UPGRADE.d/0.107.48~ynh3.md b/doc/PRE_UPGRADE.d/0.107.48~ynh3.md index 7264ba2e..2ab67a20 100644 --- a/doc/PRE_UPGRADE.d/0.107.48~ynh3.md +++ b/doc/PRE_UPGRADE.d/0.107.48~ynh3.md 
@@ -1,9 +1,11 @@ -From this 0.107.43~ynh4 version, some things have changed: +From this 0.107.48~ynh3 version, some things have changed: + - port 53 is no longer exposed on the Internet by default, it's now a deliberate choice - it is now possible to use DNS over HTTP, DNS over TLS and DNS over QUIC, with the Let's Encrypt certificates generated by YunoHost, out of the box, but this is also disabled by default for the same reason. To activate either of these features, please use the config panel: Applications → AdGuard Home → AdGuard Home configuration + - Expose port 53 to the Internet? - Enable DNS-over-HTTPS/TLS/QUIC? @@ -13,6 +15,7 @@ This is because YunoHost needs to perform actions such as automatically opening Also, a new password tool has been added in the config panel too, to make it easier to change the administration password of AdGuard Home! ^w^ This update is at risk of crashing AdGuard Home, so: + - If you're already using DoH, DoT or DoQ with your AdGuard Home instance: the configuration of your devices may need to be redone, I'm sorry for that. - If any trouble or question, please refer to [the package's admin docs](https://github.com/YunoHost-Apps/adguardhome_ynh/blob/master/doc/ADMIN.md)! In any case, we recommend reading it! ^w^ - If needed and a similar issue does not already exist, please [open an issue on the GitHub's package page](https://github.com/YunoHost-Apps/adguardhome_ynh/issues)! From 21d71b65a498c51917e2056454932924e2727798 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Mon, 13 May 2024 01:45:31 +0200 Subject: [PATCH 237/288] wording --- doc/PRE_UPGRADE.d/0.107.48~ynh3.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/PRE_UPGRADE.d/0.107.48~ynh3.md b/doc/PRE_UPGRADE.d/0.107.48~ynh3.md index 2ab67a20..f2476612 100644 --- a/doc/PRE_UPGRADE.d/0.107.48~ynh3.md +++ b/doc/PRE_UPGRADE.d/0.107.48~ynh3.md 
@@ -3,7 +3,7 @@ From this 0.107.48~ynh3 version, some things have changed: - port 53 is no longer exposed on the Internet by default, it's now a deliberate choice - it is now possible to use DNS over HTTP, DNS over TLS and DNS over QUIC, with the Let's Encrypt certificates generated by YunoHost, out of the box, but this is also disabled by default for the same reason. -To activate either of these features, please use the config panel: +To activate either of these features, please use the config panel in the YunoHost webadmin: Applications → AdGuard Home → AdGuard Home configuration - Expose port 53 to the Internet? From d19c5d9fb2895ad97b75566a7d1ca8ec71e9fb50 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Mon, 13 May 2024 02:10:40 +0200 Subject: [PATCH 238/288] rename 'port_dns_over_http' in 'port_dns_over_tls' --- manifest.toml | 8 ++++---- scripts/config | 14 +++++++------- scripts/install | 10 +++++----- scripts/remove | 2 +- scripts/restore | 10 +++++----- scripts/upgrade | 12 ++++++------ 6 files changed, 28 insertions(+), 28 deletions(-) diff --git a/manifest.toml b/manifest.toml index 8a9f0556..bd9068fe 100644 --- a/manifest.toml +++ b/manifest.toml @@ -54,8 +54,8 @@ default = false type = "boolean" [install.dns_over_https] -ask.en = "Should DNS-over-HTTPS/QUIC be enabled?" -help.en = "If so, anyone who knows your adguard address can make a doh request to https://adguardomain.tld/dns-query" +ask.en = "Should DNS-over-HTTPS/TLS/QUIC be enabled?" +help.en = "If so, anyone who knows your adguard address can make a doh request to https://adguardomain.tld/dns-query or using DoT/DoQ" default = false type = "boolean" @@ -75,8 +75,8 @@ type = "boolean" autoupdate.strategy = "latest_github_release" [resources.ports] -dns_over_http.default = 853 -dns_over_http.exposed = "Both" +dns_over_tls.default = 853 +dns_over_tls.exposed = "Both" dns_over_quic.default = 784 dns_over_quic.exposed = "UDP" internal_https.default = 13120 
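Review bot: Renaming the `[resources.ports]` entry from `dns_over_http` to `dns_over_tls` also renames the setting the scripts read (`port_dns_over_http` becomes `port_dns_over_tls`), and no visible hunk of this commit carries the old value over for instances installed under the previous name. If YunoHost treats the renamed entry as a new port resource on upgrade (worth confirming), the port could be provisioned again while AdGuard Home still listens on 853 and end up different from the one clients were given. A comment above the entry such as `# renamed from dns_over_http; existing installs must keep their port`, together with an explicit migration step in scripts/upgrade, would make the intent checkable.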
diff --git a/scripts/config b/scripts/config index 88a53339..d5ca3b5a 100644 --- a/scripts/config +++ b/scripts/config @@ -12,7 +12,7 @@ source /usr/share/yunohost/helpers ynh_abort_if_errors # import needed settings -port_dns_over_http=$(ynh_app_setting_get --app="$app" --key=port_dns_over_http) +port_dns_over_tls=$(ynh_app_setting_get --app="$app" --key=port_dns_over_tls) port_dns_over_quic=$(ynh_app_setting_get --app="$app" --key=port_dns_over_quic) #================================================= @@ -43,9 +43,9 @@ set__expose_port_53() { # declare needs_exposed_ports according to real user need ynh_print_info --message="Updating the YunoHost service for AdGuard Home..." if [ "$dns_over_https" == "true" ] && [ "$expose_port_53" == "true" ]; then - yunohost service add "$app" --description="Ads & trackers blocking DNS server" --needs_exposed_ports "53" "$port_dns_over_http" + yunohost service add "$app" --description="Ads & trackers blocking DNS server" --needs_exposed_ports "53" "$port_dns_over_tls" elif [ "$dns_over_https" == "true" ]; then - yunohost service add "$app" --description="Ads & trackers blocking DNS server" --needs_exposed_ports "$port_dns_over_http" + yunohost service add "$app" --description="Ads & trackers blocking DNS server" --needs_exposed_ports "$port_dns_over_tls" elif [ "$expose_port_53" == "true" ]; then yunohost service add "$app" --description="Ads & trackers blocking DNS server" --needs_exposed_ports "53" else 
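Review bot: In `set__expose_port_53`, both `--needs_exposed_ports` calls for the enabled case declare only `$port_dns_over_tls`, while `set__dns_over_https` in the same file also opens `$port_dns_over_quic` in the firewall, so the QUIC port is opened but never declared to the service. If the omission is deliberate (for example because the exposure check only probes TCP, to be confirmed), say so in a comment; otherwise add it: `--needs_exposed_ports "53" "$port_dns_over_tls" "$port_dns_over_quic"`. The same branch block is repeated in `set__dns_over_https` and in scripts/install, scripts/restore and scripts/upgrade, so a small shared helper would keep the five copies from drifting apart. The if/else continues past the end of the hunk.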
@@ -61,12 +61,12 @@ set__dns_over_https() { if [ "$dns_over_https" == "true" ]; then ynh_print_info --message="Opening DoH and DoQ ports..." # if DNS over HTTPS/QUIC is activated, open the associated ports - ynh_exec_warn_less yunohost firewall allow Both "$port_dns_over_http" --no-reload + ynh_exec_warn_less yunohost firewall allow Both "$port_dns_over_tls" --no-reload ynh_exec_warn_less yunohost firewall allow UDP "$port_dns_over_quic" elif [ "$dns_over_https" == "false" ]; then # else if false, close them ynh_print_info --message="Closing DoH and DoQ ports..." - ynh_exec_warn_less yunohost firewall disallow Both "$port_dns_over_http" --no-reload + ynh_exec_warn_less yunohost firewall disallow Both "$port_dns_over_tls" --no-reload ynh_exec_warn_less yunohost firewall disallow UDP "$port_dns_over_quic" else # else, throw error @@ -76,9 +76,9 @@ set__dns_over_https() { # declare needs_exposed_ports according to real user need ynh_print_info --message="Updating the YunoHost service for AdGuard Home..." if [ "$dns_over_https" == "true" ] && [ "$expose_port_53" == "true" ]; then - yunohost service add "$app" --description="Ads & trackers blocking DNS server" --needs_exposed_ports "53" "$port_dns_over_http" + yunohost service add "$app" --description="Ads & trackers blocking DNS server" --needs_exposed_ports "53" "$port_dns_over_tls" elif [ "$dns_over_https" == "true" ]; then - yunohost service add "$app" --description="Ads & trackers blocking DNS server" --needs_exposed_ports "$port_dns_over_http" + yunohost service add "$app" --description="Ads & trackers blocking DNS server" --needs_exposed_ports "$port_dns_over_tls" elif [ "$expose_port_53" == "true" ]; then yunohost service add "$app" --description="Ads & trackers blocking DNS server" --needs_exposed_ports "53" else diff --git a/scripts/install b/scripts/install index 3b40a0d5..f678513b 100644 --- a/scripts/install +++ b/scripts/install 
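Review bot: The progress messages and the comment in `set__dns_over_https` still say DoH (`"Opening DoH and DoQ ports..."`, `# if DNS over HTTPS/QUIC is activated`) although the port being opened or closed is now named `port_dns_over_tls`; an admin reading the log would look for the wrong listener. Suggested wording: `"Opening DoT and DoQ ports..."`, `"Closing DoT and DoQ ports..."` and `# if DNS over HTTPS/TLS/QUIC is activated, open the DoT and DoQ ports`. The same messages appear in scripts/install, scripts/remove, scripts/restore and scripts/upgrade.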
@@ -45,9 +45,9 @@ fi if [ "${dns_over_https:-}" = true ]; then # if DoH and DoQ are closed - if ! yunohost firewall list | grep -q " $port_dns_over_http$" && ! yunohost firewall list | grep -q " $port_dns_over_quic$"; then + if ! yunohost firewall list | grep -q " $port_dns_over_tls$" && ! yunohost firewall list | grep -q " $port_dns_over_quic$"; then ynh_print_info --message="Opening DoH and DoQ ports..." - ynh_exec_warn_less yunohost firewall allow Both "$port_dns_over_http" --no-reload + ynh_exec_warn_less yunohost firewall allow Both "$port_dns_over_tls" --no-reload ynh_exec_warn_less yunohost firewall allow UDP "$port_dns_over_quic" else # no need to open the ports, as they were opened at the 'Provisioning ports' step @@ -57,7 +57,7 @@ else # if dns_over_https is false, we need to close ports, # as they were opened at the 'Provisioning ports' step ynh_print_info --message="Closing DoH and DoQ ports..." - ynh_exec_warn_less yunohost firewall disallow Both "$port_dns_over_http" --no-reload + ynh_exec_warn_less yunohost firewall disallow Both "$port_dns_over_tls" --no-reload ynh_exec_warn_less yunohost firewall disallow UDP "$port_dns_over_quic" fi 
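Review bot: The guard `if ! … grep -q " $port_dns_over_tls$" && ! … grep -q " $port_dns_over_quic$"` opens the ports only when both are missing from `yunohost firewall list`; with one already open and the other closed, the else branch runs and the closed port stays closed. Use `||` between the two tests, as patch 239/288 later does for scripts/upgrade; the identical condition in scripts/restore (`@@ -23,9 +23,9 @@`) needs the same change. The `grep` also matches the port number under any protocol heading of the listing, so a TCP-only rule would presumably satisfy the check for the UDP-only QUIC port, which is worth verifying against the real output.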
@@ -136,9 +136,9 @@ ynh_add_systemd_config # declare needs_exposed_ports according to real user need if [ "$dns_over_https" == "true" ] && [ "$expose_port_53" == "true" ]; then - yunohost service add "$app" --description="Ads & trackers blocking DNS server" --needs_exposed_ports "53" "$port_dns_over_http" + yunohost service add "$app" --description="Ads & trackers blocking DNS server" --needs_exposed_ports "53" "$port_dns_over_tls" elif [ "$dns_over_https" == "true" ]; then - yunohost service add "$app" --description="Ads & trackers blocking DNS server" --needs_exposed_ports "$port_dns_over_http" + yunohost service add "$app" --description="Ads & trackers blocking DNS server" --needs_exposed_ports "$port_dns_over_tls" elif [ "$expose_port_53" == "true" ]; then yunohost service add "$app" --description="Ads & trackers blocking DNS server" --needs_exposed_ports "53" else diff --git a/scripts/remove b/scripts/remove index 6e862be8..7cf714d1 100644 --- a/scripts/remove +++ b/scripts/remove @@ -19,7 +19,7 @@ ynh_print_info --message="Closing port 53..." ynh_exec_warn_less yunohost firewall disallow Both 53 if [ "$dns_over_https" == "true" ]; then ynh_print_info --message="Closing DoH and DoQ ports..." - ynh_exec_warn_less yunohost firewall disallow Both "$port_dns_over_http" --no-reload + ynh_exec_warn_less yunohost firewall disallow Both "$port_dns_over_tls" --no-reload ynh_exec_warn_less yunohost firewall disallow UDP "$port_dns_over_quic" fi diff --git a/scripts/restore b/scripts/restore index d32108c1..31cf549a 100644 --- a/scripts/restore +++ b/scripts/restore 
@@ -23,9 +23,9 @@ fi if [ "${dns_over_https:-}" = true ]; then # if DoH and DoQ are closed - if ! yunohost firewall list | grep -q " $port_dns_over_http$" && ! yunohost firewall list | grep -q " $port_dns_over_quic$"; then + if ! yunohost firewall list | grep -q " $port_dns_over_tls$" && ! yunohost firewall list | grep -q " $port_dns_over_quic$"; then ynh_print_info --message="Opening DoH and DoQ ports..." - ynh_exec_warn_less yunohost firewall allow Both "$port_dns_over_http" --no-reload + ynh_exec_warn_less yunohost firewall allow Both "$port_dns_over_tls" --no-reload ynh_exec_warn_less yunohost firewall allow UDP "$port_dns_over_quic" else # no need to open the ports, as they were opened at the 'Provisioning ports' step @@ -35,7 +35,7 @@ else # if dns_over_https is false, we need to close ports, # as they were opened at the 'Provisioning ports' step ynh_print_info --message="Closing DoH and DoQ ports..." - ynh_exec_warn_less yunohost firewall disallow Both "$port_dns_over_http" --no-reload + ynh_exec_warn_less yunohost firewall disallow Both "$port_dns_over_tls" --no-reload ynh_exec_warn_less yunohost firewall disallow UDP "$port_dns_over_quic" fi 
@@ -94,9 +94,9 @@ systemctl enable "$app.service" --quiet # declare needs_exposed_ports according to real user need if [ "$dns_over_https" == "true" ] && [ "$expose_port_53" == "true" ]; then - yunohost service add "$app" --description="Ads & trackers blocking DNS server" --needs_exposed_ports "53" "$port_dns_over_http" + yunohost service add "$app" --description="Ads & trackers blocking DNS server" --needs_exposed_ports "53" "$port_dns_over_tls" elif [ "$dns_over_https" == "true" ]; then - yunohost service add "$app" --description="Ads & trackers blocking DNS server" --needs_exposed_ports "$port_dns_over_http" + yunohost service add "$app" --description="Ads & trackers blocking DNS server" --needs_exposed_ports "$port_dns_over_tls" elif [ "$expose_port_53" == "true" ]; then yunohost service add "$app" --description="Ads & trackers blocking DNS server" --needs_exposed_ports "53" else diff --git a/scripts/upgrade b/scripts/upgrade index 5544f212..1a4e3264 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -65,7 +65,7 @@ if grep -q "port_https: 443" "$install_dir/AdGuardHome.yaml" || grep -q "port_dn # if so: mandatory replacement for them # (because the final user can't easily know the ports used by the package) ynh_write_var_in_file --file="$install_dir/AdGuardHome.yaml" --key="port_https" --value="$port_internal_https" - ynh_write_var_in_file --file="$install_dir/AdGuardHome.yaml" --key="port_dns_over_tls" --value="$port_dns_over_http" + ynh_write_var_in_file --file="$install_dir/AdGuardHome.yaml" --key="port_dns_over_tls" --value="$port_dns_over_tls" ynh_write_var_in_file --file="$install_dir/AdGuardHome.yaml" --key="port_dns_over_quic" --value="$port_dns_over_quic" fi 
@@ -95,9 +95,9 @@ fi if [ "${dns_over_https:-}" = true ]; then # if DoH and DoQ are closed - if ! yunohost firewall list | grep -q " $port_dns_over_http$" && ! yunohost firewall list | grep -q " $port_dns_over_quic$"; then + if ! yunohost firewall list | grep -q " $port_dns_over_tls$" && ! yunohost firewall list | grep -q " $port_dns_over_quic$"; then ynh_print_info --message="Opening DoH and DoQ ports..." - ynh_exec_warn_less yunohost firewall allow Both "$port_dns_over_http" --no-reload + ynh_exec_warn_less yunohost firewall allow Both "$port_dns_over_tls" --no-reload ynh_exec_warn_less yunohost firewall allow UDP "$port_dns_over_quic" else # no need to open the ports, as they were opened at the 'Provisioning ports' step @@ -107,7 +107,7 @@ else # if dns_over_https is false, we need to close ports, # as they were opened at the 'Provisioning ports' step ynh_print_info --message="Closing DoH and DoQ ports..." - ynh_exec_warn_less yunohost firewall disallow Both "$port_dns_over_http" --no-reload + ynh_exec_warn_less yunohost firewall disallow Both "$port_dns_over_tls" --no-reload ynh_exec_warn_less yunohost firewall disallow UDP "$port_dns_over_quic" fi 
@@ -141,9 +141,9 @@ ynh_add_systemd_config # declare needs_exposed_ports according to real user need if [ "$dns_over_https" == "true" ] && [ "$expose_port_53" == "true" ]; then - yunohost service add "$app" --description="Ads & trackers blocking DNS server" --needs_exposed_ports "53" "$port_dns_over_http" + yunohost service add "$app" --description="Ads & trackers blocking DNS server" --needs_exposed_ports "53" "$port_dns_over_tls" elif [ "$dns_over_https" == "true" ]; then - yunohost service add "$app" --description="Ads & trackers blocking DNS server" --needs_exposed_ports "$port_dns_over_http" + yunohost service add "$app" --description="Ads & trackers blocking DNS server" --needs_exposed_ports "$port_dns_over_tls" elif [ "$expose_port_53" == "true" ]; then yunohost service add "$app" --description="Ads & trackers blocking DNS server" --needs_exposed_ports "53" else From 7f37e22c060936df8037adc5bdcbd6940c83a08a Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Mon, 13 May 2024 02:14:38 +0200 Subject: [PATCH 239/288] use an OR in place of an AND to be sure to open ports if needed --- scripts/upgrade | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/upgrade b/scripts/upgrade index 1a4e3264..45829be5 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -95,7 +95,7 @@ fi if [ "${dns_over_https:-}" = true ]; then # if DoH and DoQ are closed - if ! yunohost firewall list | grep -q " $port_dns_over_tls$" && ! yunohost firewall list | grep -q " $port_dns_over_quic$"; then + if ! yunohost firewall list | grep -q " $port_dns_over_tls$" || ! yunohost firewall list | grep -q " $port_dns_over_quic$"; then ynh_print_info --message="Opening DoH and DoQ ports..." ynh_exec_warn_less yunohost firewall allow Both "$port_dns_over_tls" --no-reload ynh_exec_warn_less yunohost firewall allow UDP "$port_dns_over_quic" From 0bd9d8644cbd7157b68736627b1c0085c789dac5 Mon Sep 17 00:00:00 2001 
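Review bot: The comment above the changed condition, `# if DoH and DoQ are closed`, still describes the old `&&` test; after this change the branch runs when either port is missing. Suggested comment: `# if the DoT port or the DoQ port is not open yet`. The else branch of this block lies outside the hunk.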
From: OniriCorpe Date: Mon, 13 May 2024 02:18:17 +0200 Subject: [PATCH 240/288] fix a if condition --- scripts/upgrade | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/upgrade b/scripts/upgrade index 45829be5..963ec6d4 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -37,7 +37,7 @@ elif [ -n "${expose_port_53:-}" ] || [ "${expose_port_53:-}" = false ]; then ynh_app_setting_set --app="$app" --key=expose_port_53 --value="$expose_port_53" fi -if [ -z "${dns_over_https:-}" ] && [ "${dns_over_https:-}" = true ]; then +if [ -z "${dns_over_https:-}" ] || [ "${dns_over_https:-}" = true ]; then dns_over_https="true" ynh_app_setting_set --app="$app" --key=dns_over_https --value=$dns_over_https elif [ -n "${dns_over_https:-}" ] || [ "${dns_over_https:-}" = false ]; then From 8d5c864dbbab32a95149bdd8141e2a8f2f1fce2e Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Mon, 13 May 2024 02:25:38 +0200 Subject: [PATCH 241/288] fix conditions in the downward compatibility --- scripts/upgrade | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/scripts/upgrade b/scripts/upgrade index 963ec6d4..08ca4f1b 100644 --- a/scripts/upgrade +++ b/scripts/upgrade 
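Review bot: An unset `dns_over_https` now takes the first branch and is stored as `true`, so upgrading an instance that never recorded the setting switches the encrypted-DNS listeners on and, through the firewall block further down in scripts/upgrade, opens their ports. The pre-upgrade notice in this series states that the feature is off by default, so absence should be treated as off: enable only on `if [ "${dns_over_https:-}" = true ]; then` and let every other case store `false`. The `expose_port_53` block just above appears to follow the same pattern, with its first branch outside the hunk. Patch 241/288 later inverts both blocks.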
@@ -29,20 +29,22 @@ ynh_systemd_action --service_name="$app" --action="stop" #================================================= ynh_script_progression --message="Ensuring downward compatibility..." --weight=1 -if [ -z "${expose_port_53:-}" ] || [ "${expose_port_53:-}" = true ]; then - expose_port_53="true" - ynh_app_setting_set --app="$app" --key=expose_port_53 --value="$expose_port_53" -elif [ -n "${expose_port_53:-}" ] || [ "${expose_port_53:-}" = false ]; then +if [ -z "${expose_port_53:-}" ] || [ "${expose_port_53:-}" = false ]; then + # if 'expose_port_53' doesn't exist or is false expose_port_53="false" ynh_app_setting_set --app="$app" --key=expose_port_53 --value="$expose_port_53" +elif [ "${expose_port_53:-}" = true ]; then + expose_port_53="true" + ynh_app_setting_set --app="$app" --key=expose_port_53 --value="$expose_port_53" fi -if [ -z "${dns_over_https:-}" ] || [ "${dns_over_https:-}" = true ]; then - dns_over_https="true" - ynh_app_setting_set --app="$app" --key=dns_over_https --value=$dns_over_https -elif [ -n "${dns_over_https:-}" ] || [ "${dns_over_https:-}" = false ]; then +if [ -z "${dns_over_https:-}" ] || [ "${dns_over_https:-}" = false ]; then + # if 'dns_over_https' doesn't exist or is false dns_over_https="false" ynh_app_setting_set --app="$app" --key=dns_over_https --value=$dns_over_https +elif [ "${dns_over_https:-}" = true ]; then + dns_over_https="true" + ynh_app_setting_set --app="$app" --key=dns_over_https --value=$dns_over_https fi # about all those 'ynh_write_var_in_file': From 02014252d96214e9b405a5ca3e6852f9d31f8e04 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Mon, 13 May 2024 02:37:09 +0200 Subject: [PATCH 242/288] provide directly usable DoX addresses in admin docs --- doc/ADMIN.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/doc/ADMIN.md b/doc/ADMIN.md index bba03622..582d7c83 100644 --- a/doc/ADMIN.md +++ b/doc/ADMIN.md 
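Review bot: A stored value that is neither empty, `true` nor `false` (for instance `1` or `0`, if the setting was ever written in that form) matches neither branch of the two new `if`/`elif` blocks and is left unnormalised; the later `== "true"` tests then treat it as off without the setting being rewritten. Ending each block with a plain `else` that stores `false` makes the fallback explicit: `else dns_over_https="false"` followed by the same `ynh_app_setting_set` call. The `dns_over_https` calls also pass `--value=$dns_over_https` unquoted while the `expose_port_53` ones quote it; `--value="$dns_over_https"` keeps the two consistent.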
@@ -61,11 +61,11 @@ If you host your machine at home, for using DoH or DoQ, you have to open the fol - `853` in TCP & UDP (for DNS over HTTP) - `784` in UDP (for DNS over QUIC) -Then you can use the following adresses (where `adguard.example.com` is the domain-name associated to your AdGuard Home) as a DoH, DoT or DoQ DNS server for your devices: +Then you can use the following adresses as a DoH, DoT or DoQ DNS server for your devices: -- DNS over HTTP: `https://adguard.example.com/dns-query` -- DNS over TLS: `tls://adguard.example.com:853` -- DNS over QUIC: `quic://adguard.emelyne.eu:784` +- DNS over HTTP: `https://__DOMAIN__/dns-query` +- DNS over TLS: `tls://__DOMAIN__:__PORT_DNS_OVER_TLS__` +- DNS over QUIC: `quic://__DOMAIN__:__PORT_DNS_OVER_QUIC__` ## Allowlist From ea65742609baa04771a04ffac2e93024f16c9c09 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Mon, 13 May 2024 02:45:45 +0200 Subject: [PATCH 243/288] show the right ports for DoT & DoQ in the admin docs --- doc/ADMIN.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/ADMIN.md b/doc/ADMIN.md index 582d7c83..ec9ad933 100644 --- a/doc/ADMIN.md +++ b/doc/ADMIN.md @@ -58,8 +58,8 @@ This is because YunoHost needs to perform actions such as automatically opening If you host your machine at home, for using DoH or DoQ, you have to open the following ports on your router by yourself: -- `853` in TCP & UDP (for DNS over HTTP) -- `784` in UDP (for DNS over QUIC) +- `__PORT_DNS_OVER_TLS__` in TCP & UDP (for DNS over TLS) +- `__PORT_DNS_OVER_QUIC__` in UDP (for DNS over QUIC) Then you can use the following adresses as a DoH, DoT or DoQ DNS server for your devices: From 33566ed3f35e48a194918b9f35e1f2e848ec409b Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Mon, 13 May 2024 03:00:20 +0200 Subject: [PATCH 244/288] fix config file --- conf/AdGuardHome.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/conf/AdGuardHome.yaml b/conf/AdGuardHome.yaml index 7430fafd..c121c05e 100644 --- a/conf/AdGuardHome.yaml +++ b/conf/AdGuardHome.yaml @@ -76,7 +76,7 @@ tls: server_name: "__DOMAIN__" force_https: false port_https: __PORT_INTERNAL_HTTPS__ - port_dns_over_tls: __PORT_DNS_OVER_HTTP__ + port_dns_over_tls: __PORT_DNS_OVER_TLS__ port_dns_over_quic: __PORT_DNS_OVER_QUIC__ port_dnscrypt: 0 dnscrypt_config_file: "" From 74fcbc3d287e294b1461596646ed1f1492cc206a Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Wed, 15 May 2024 00:32:37 +0200 Subject: [PATCH 245/288] use fix ports for DoT and DoQ --- manifest.toml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/manifest.toml b/manifest.toml index bd9068fe..75596409 100644 --- a/manifest.toml +++ b/manifest.toml @@ -77,8 +77,10 @@ type = "boolean" [resources.ports] dns_over_tls.default = 853 dns_over_tls.exposed = "Both" +dns_over_tls.fixed = true dns_over_quic.default = 784 dns_over_quic.exposed = "UDP" +dns_over_tls.fixed = true internal_https.default = 13120 # AGH also uses port 53 but we can't put it here as dnsmasq uses it by default # and the ynh core would assign us another port, however, on installation we From 04e9b44db3ceb67d959972e08a825cb0dc047760 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Wed, 15 May 2024 00:36:41 +0200 Subject: [PATCH 246/288] comment for 'internal_https.default' --- manifest.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifest.toml b/manifest.toml index 75596409..77d67f34 100644 --- a/manifest.toml +++ b/manifest.toml 
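Review bot: The second added line repeats `dns_over_tls.fixed = true` below the `dns_over_quic` entries, so the QUIC port does not get `fixed` and the table defines the same key twice, which a strict TOML parser rejects. It should read `dns_over_quic.fixed = true`.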
@@ -81,7 +81,7 @@ dns_over_tls.fixed = true dns_over_quic.default = 784 dns_over_quic.exposed = "UDP" dns_over_tls.fixed = true -internal_https.default = 13120 +internal_https.default = 13120 # dummy port because the app settings requiring it # AGH also uses port 53 but we can't put it here as dnsmasq uses it by default # and the ynh core would assign us another port, however, on installation we # edit dnsmasq's configuration to allow AGH to use port 53 on non-localhost IPs From a2c07647539d1bab8a1f92ab04c981740de66a37 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Wed, 15 May 2024 00:45:49 +0200 Subject: [PATCH 247/288] better port fixes --- scripts/upgrade | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) diff --git a/scripts/upgrade b/scripts/upgrade index 08ca4f1b..7362a7a8 100644 --- a/scripts/upgrade +++ b/scripts/upgrade 
@@ -62,14 +62,10 @@ if grep -q "certificate_path: \"\"" "$install_dir/AdGuardHome.yaml" || grep -q " ynh_write_var_in_file --file="$install_dir/AdGuardHome.yaml" --key="private_key_path" --value="/etc/yunohost/certs/$domain/key.pem" fi -# check if one of 'port_https:', 'port_dns_over_tls:' or 'port_dns_over_quic:' uses the default setting -if grep -q "port_https: 443" "$install_dir/AdGuardHome.yaml" || grep -q "port_dns_over_tls: 853" "$install_dir/AdGuardHome.yaml" || grep -q "port_dns_over_quic: 784" "$install_dir/AdGuardHome.yaml"; then - # if so: mandatory replacement for them - # (because the final user can't easily know the ports used by the package) - ynh_write_var_in_file --file="$install_dir/AdGuardHome.yaml" --key="port_https" --value="$port_internal_https" - ynh_write_var_in_file --file="$install_dir/AdGuardHome.yaml" --key="port_dns_over_tls" --value="$port_dns_over_tls" - ynh_write_var_in_file --file="$install_dir/AdGuardHome.yaml" --key="port_dns_over_quic" --value="$port_dns_over_quic" -fi +# make sure that the ports configured for the app are those known by the package +ynh_write_var_in_file --file="$install_dir/AdGuardHome.yaml" --key="address" --after="http:" --value="127.0.0.1:$port" +ynh_write_var_in_file --file="$install_dir/AdGuardHome.yaml" --key="port_dns_over_tls" --value="$port_dns_over_tls" +ynh_write_var_in_file --file="$install_dir/AdGuardHome.yaml" --key="port_dns_over_quic" --value="$port_dns_over_quic" # remove setting no longer required ynh_app_setting_delete --app="$app" --key=port_adguard From eb08ef2a373b13a65676150a617f9949b80f1e40 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Wed, 15 May 2024 00:52:09 +0200 Subject: [PATCH 248/288] fix key duplication --- manifest.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifest.toml b/manifest.toml index 77d67f34..061c021c 100644 --- a/manifest.toml +++ b/manifest.toml 
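Review bot: The rewritten block no longer writes `port_https`, which the removed code set to `$port_internal_https` whenever the file still held `port_https: 443`; an instance upgraded from such a file would keep 443 in its `tls:` section, presumably colliding with the web server once TLS is enabled. Keep the line `ynh_write_var_in_file --file="$install_dir/AdGuardHome.yaml" --key="port_https" --value="$port_internal_https"` next to the two port writes. The three writes are now unconditional, so a port an admin changed by hand in AdGuardHome.yaml is reset on every upgrade; a comment stating that the package owns these keys would make that explicit.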
@@ -80,7 +80,7 @@ dns_over_tls.exposed = "Both" dns_over_tls.fixed = true dns_over_quic.default = 784 dns_over_quic.exposed = "UDP" -dns_over_tls.fixed = true +dns_over_quic.fixed = true internal_https.default = 13120 # dummy port because the app settings requiring it # AGH also uses port 53 but we can't put it here as dnsmasq uses it by default # and the ynh core would assign us another port, however, on installation we From 27607da0061334ce7b165a37e478c92fcb2c0f8a Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Thu, 16 May 2024 03:04:42 +0200 Subject: [PATCH 249/288] adding docs for Secure DNS profile creator on Apple devices --- doc/APPS.md | 33 ++++++++++++++++-- doc/screenshots/apps/DNS-profile-creator.jpeg | Bin 0 -> 435161 bytes 2 files changed, 31 insertions(+), 2 deletions(-) create mode 100644 doc/screenshots/apps/DNS-profile-creator.jpeg diff --git a/doc/APPS.md b/doc/APPS.md index cfb9bf03..4072a38c 100644 --- a/doc/APPS.md +++ b/doc/APPS.md @@ -11,7 +11,9 @@ To be completed by someone who uses an Android app [AdGuard Home Remote](https://apps.apple.com/app/id1543143740) by [RocketScience IT](https://rocketscience-it.nl/) is compatible with Mac, iPhone, iPad and Watch. It is free with an in-app purchase of 6€ or US$5 to unlock some features. No ads, no tracking. -You can easilly configure it: +This app is for monitoring or configuring your AGH instance, not to use your AGH as a DNS server on your Apple device. + +You can easilly configure this app: - Add Instance - Choose a display name 
@@ -20,4 +22,31 @@ You can easilly configure it: - Enter your AdGuard Home credentials in the "Authentication" fields - Test the connection, if a green check is showed up, you're alright -![A screenshot showing the previous instructions completed in the app](screenshots/apps/AGH-remote.PNG) +![A screenshot showing the previous instructions completed in the app](https://raw.githubusercontent.com/YunoHost-Apps/adguardhome_ynh/master/doc/screenshots/apps/AGH-remote.PNG) + +### Secure DNS profile creator + +To use your AGH instance as a DNS server on your Apple device, you can use [Secure DNS profile creator](https://dns.notjakob.com/index.html). + +To do so, you first need to activate the DNS over HTTP/TLS/QUIC functionnality using the YunoHost Webadmin. +If you're reading this you should already be in the right page: just click the "AdGuard Home configuration" option at the top of this text, toggle on "Activate DNS over HTTP/TLS/QUIC?" then "Save". +Else, open The YunoHost Webadmin and follow this path: `Applications -> AdGuard Home -> AdGuard Home configuration` + +Now, click the "Secure DNS profile creator" link above and fill the input fields. + +- Name of DNS provider: put an arbitrary name here, for example "AGH" +- Salect either DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT) +- For the primary DNS settings, you have to put trustworthy servers IPs, for example [the FDN ones](https://www.fdn.fr/actions/dns/) +- And finally the setting for your AdGuard Home server URL: + - If you selected DoH: put your domain name followed by `/dns-query`: `https://__DOMAIN__/dns-query` + - If you selected DoT: put your bare domain name: `__DOMAIN__` + +You can toggle the "Advanced" button to exclude the created profile to be used when you're on your domestic WiFi network or some other settings. 
+ +[Your configuration should look like this.](https://raw.githubusercontent.com/YunoHost-Apps/adguardhome_ynh/master/doc/screenshots/apps/DNS-profile-creator.jpeg) + +Now, click the "Add to profile" button to generate the profile file, validate the "Configuration successfully added to profile." message showed on screen, then click the "Download Profile" button and accept the download. + +And finaly, open the system settings, click the "Downloaded profile" and install it bu entering your device password and tapping the final "Install" button. + +Your device should now use your AdGuard Home instance as its DNS server. Congrats! 
diff --git a/doc/screenshots/apps/DNS-profile-creator.jpeg b/doc/screenshots/apps/DNS-profile-creator.jpeg new file mode 100644 index 0000000000000000000000000000000000000000..8c57da04d4d273995484748dfc6bf4a22bf3b958 GIT binary patch literal 435161 zcmeFa2V4~0vM<^s$qYeq7$pcwmMCddB#DTaK+>pyBmv0-3^Rxdf&@VU1to|GN*Kve zhKzuKTpC}UiSV12PpJd2_=0X!_+3XCocbdmr)4;=#!9jy(3g5SwR_viNKZQw6DdIm z`7aOPrPXfxMY6I92nq>{$Q+ZEJAOi4LsLupl#by!BV!X&v-4N3Ub}8>bHmoj+2xL_ zo4bd9KwwZXA|&*|!$(okk7Ht!pFK}WO?&Y&{Y~!Mym$Ep??054S5#J2*VNXvw6?W( zbbjvY9vm7T866v+n4Di&T>AEX`NzsCVe8lS&h8#@|KJb0Kz{y>Eb#Z=DEkMxctE=7 z85tQEng5`Rjz0Jg!g&~(j;bEwJ!8du%a>2`ryU{5iE8xu3r9~(0Z^Pd~bzin)P zZtQ<-od2=Wz((l6Ho%(?fj^wA%&h-$?mvA%n*qhrgf4C(jyx1?S0}QG)W0%8EQqiEETQuOwS) zKJ-?-_@zjTyXfPtAG<@`YYF$-wrv4waN#cdB4#}WuiOm9TcTN!Nc{I`eQbQ-)gjK2 zU+@_-(Tta|W{)MVuzd?Z>{N-miL@blEYHW7o3z2>4fyczw(u(?(N^1cIbu2~ zdy`U?TZ(<=TCY`9^Dh>+qgp*O4}siMA?v)Zcn!DCYD@b_PB!xlE1WrQ@W$LPbz|qO z8w1`TmO_D#8}9N`J~Ti-c)&{co_MQoaTp3i#E3bQUYD(e4wU1#5Cn0%&|FHGX#3mX*JQm#wOTd-M zMmI|S(7LjMIyE}a`-$>xD1(K^S<*zMpt*(X&}rG4l4wJsG7VsiC+aJp=!vfv)d|5d zxsvP~r~3;&)%6ZUzSc*5i4`4qfeFfnG)>Cy;TEmQyi%>1%42$33t1EBHf}ov%wE!* z22@X1PHP4gF(|ed)heI-xag$mPd3a}Xk9G>bJK*?KM5^-i?5t?Ku}yAT zF2_pYE}}`l?8~QK0L5qpFU3`($$T_mKC2ZPB><~{t>X&J!{=7MKt0PzXFkPhE5Syl zoA0&N#=SbkWfN(lAH4*R*3&OWR67olRp)!mly@vHFX-BtyG1Rhy4##6fL`hP!7LjK zw7cBw>We0}flk-=aT8 zuL~+~7;C^D8yJi@<8iH6NcZi!`m?3|A?oL)lcbVQJ0-|HeW37`TkU?|`3RJ^75vkl z4vfs>Z#bOMly=$Pp@&bSVY1DCjkiU{u%bFMv0v|JJcnz+LZdsS1~!)^BG?RPm_(w8 ztR-48R8d@m0mA+Is`=qM?Wlm7IIr}H@rTnW=iAw-(_rgP2=i9kta!a^xd>gOYvG0t z!-@etMoy2^X3u}@UF`U)M)@W!q11!)>!Gh zDDRp+m@V47{}8Il;0UqwEu1>isQBq?!{tV3q`au7Kl)o$ zdbO63bbE0_*E6;AT&6zHot=aMvIC_O=F$HMS}~h3f4qSX{}V><5vpF@X|**e%=9Ig zo#k;zk`b%dBhe^FwRR*c+>AOBslrSBAGp~T-LX?NyjoFJbGn_~NZ~^f!*NDuzR#yHKROqq z*W*Ew%P6mw1|^BD?;L(8mc&dpiCfy%{4%O)Rz8Svo~r%={}i{JutO#wp)?@5c#Z~; zxZG*Lfxi51Ih7r}AN-gFy_WEa2ISnh#5n2N3?WKYw`Dy4N|su*9`GsQ8lUwtxm?L+ zX*uh0df(I6h~>!KgJwqSjZQLO)~*5NCG`}Nl_1#W6MrB*Hl|}-tZ-;WL$v2y?1a?y 
zZ;IcHw54AqrSE4^*<$d5W<*(%nLUnpXGCEeCOn0{dxpb_ReZp&`h4NIU@OIbY&Hvj z@ubN*69Jj<#^DMLFk=Fcpy^?fqQsFENm_^}tyFcQiKhYzASl)(9PyT}7ubu{TI@@C z{qj!S&kN7K{`!phBKKVVaemHC$Rd2eXT5kqUvzhe^0?s)=@fBv-kA{nVBs2V0W0v= z*z&z5A5qi*j!zvI<;WC|8Vfb=50o=7$}97i9^{!YIWwHegc_g$%^<-`y{JRs0XT|= zA_7h3v9|rHfYL(rm=23b4_AuQF-2`LV4takT%%h)8lt^%T4JUM)s4ejV8^#w#!M-> z8WUu@g?*koVg54BX^d#j*M$nc9bq9~Y!1@9hbrMjDXq4`$|0qIT0J!dth8TW^+Bk& z9wc+p#A@d*#FofMWfR837X>515wIzOsP9NO&hgD%3w<(c<0&ba+-DaINbYyDNhzsZ zdTOj=-E@`i;3Ww`?SL{FFd(3@5M&0hoHv#{Q5WOF->B&8PDxI;Qt&63QMqzWA*i!WR&Z44g8@8gqO{j>h z?;oZ{3~PN7d~%u{KpEb<$r-GcG~Dqan~;hz9E3SRh{yIeZq3J=TT;?1G3z*Po7UPp z<#nIb&bHkW@znkGQc|(?WC3i0;WV_5lm7>rpDKcQHn-Vk5jLOy#EEA$ooT(wpTDn5 zQ%vEpsj!KVi+(d^lm z3DWLbjJQY#kS*R|kz_4URjg7T8yueM%%Kioh1P%S*~Q;tR$ckA@*%0cD!!Pzsra0N5zO-f97`}}k z^bd682kz>@oIo9tN);s5znkuKeY587vY^Z8#NTbmxS(4z5G{E+rz-PhrxiRm3vZP* z9zBm+Uzzt|AYUTNjRhO<5!lUK!erW;>#o(Ls`|Q0o`U)z&NbqWP_iB}wpg3#iA%gc z`JFLDs(g_#JJap3^?tpIA#NL5NWmO8cC-M??7aj&DyC1-#;a92!tU0}@p)+xy>Al391$D)aJt^8O&A@VRqZi5 z+9bVeHTH299JeQlXN_F5+CT@J>p)hSn{n_;oBiIlKybAbO9{>_Pr+m zPFsM?_vVw@BBUjYAIVEhEJ2uq+z9CSoOAlG>4hm`c4y+h{$FrAP|XbafU${koigvoruoAl~O z6}@M21~E>x=9QVa+aGVKqorRZpOjc7Mer49bW6p;dY4oc|H_X+jXdGvwgE*47VLOPF8 z>BwP2sN;x`&l$!eOCbx4k1|J=QQBCM(LD!pN!{1`7VR~&sVGm(`v_wJ2<@2#Q5Z#^J0%Ue{QJY zX^uYYoLCSBig4%kbXV-$LOo*w3KER1sCg@rD=G&h+mclgiYIN)LA&2g%4zsO;2j896;4v`# zB~eia*ls&9$H!GD0k)AEo|~=6%eS9SGNiIH;5`?D$;#J=SgmM`A{pwH2e%cso!5II zlO8bngo`X3vU-X8(`QTqb}k3I6@oqtTLvw__+LA-0x4>31IcdOiwKW>BGam@b zK$J~_vmC&zn@i(g5`y}yAtbi4BP&@RiH4SJ)sq_PGxT7xiJGxqR;so z-vo9;9TuXKTPArbj~j#MV#SsV{DO4GPH5WuNbr@R#f>gLn(*NrHH_ys8H2m@|8JHT^6Y2HQc?u z1Nsn4uCHb%Ej&6*OOr{@1HA#*D>iBzY%VP=4K9Md-5(2MXgF`2>*AuBlW$|F&GB(+ zbrf~`&2ogm@|UErLQNA7YLHS9M#1~r(B{o#_5x`)m#C}9B~9}^rH%tp%#kdgH7MfL z&P;JEB@R88B>^K=5-eoCR$B5Y{>*oA@fD8U;HX-2eb+KjC1j?KYhZ{hnENPn7eL8T zI~Jjp`7LxSi(VkH=2Dmj>|ABmmcIcn4JZ{Eq5&6m;*p{xQ8DT$ngxQ14}eh=VjH)> z4j)B#eIc4t+dM5P+Nab$_Pe=KJ;95+Nc`xG|?r$jd^loyZEx%W4-lM 
zyYQD#ya47rNV*@o>pl`r14`=hsmW~QG)g%*FwTlKEV%zgr!@F)BfE^1Sz9-anlph+i)`MXBM6rJ8eH_f~1T`s4dPn3S)J$g#F_#HTV zWd3@I2}(SHCcnfq^_OJOfOmPA7ASzA0iX$DCp+XLmYeFHPhPCfJAbUQE@D0<`Zk0k zKj$)wR56NzZg$ufO=L&)z*)$uL2C*JMwH5jC0T))QA(8(3Vt zYGf8DE^y6Ki-9S9@Lo^Nj;_nKZTe4jt-H^_3$0N@f~;?dQ>`N258ivocHgM%6<6Qi z!wLzGMxBAmZmNIKU)!H1jJ3ia!#DzC)S-`2;=>KPXiM*OoAnd)Dk9C&&C!|e%pclR>g!zJdG42F(_`(>pj*2Y5Sm7LqLp=U@&q{< zGm0Zh!O5>B@@T;A-eqcBY=prDO2a0`2kp5T8@UxC%Z*6b5^CsBEK|RGqQtD_{#ULO z%j>L*@pet<%KX+DL-W`3b`(?hYEx{Gjnc@|T&~5S(S!RIl*RykPg6<>N_N_#E_~#< zHT7siO=Z|)N12*OxNpglbIgVlX-5vmYS7IpFjuGu@-ihy9TLNQu_n63fb;d{&&uPH zlCyTt&z9PCEJr;p_tEvQP}csO4LJjn+e5rPW<+^c5$-oD9lt{ZIH&BtbOTCwbHy6P z)u0Y${lfK4dPHZt1h`%udCGF3|B#2Zh;gaQyRxa-$=U=2lHzdGFX7Z>ryyamI08Ha zhrik%F9Pj=Ohz5xTCLfG-w_SE^$+PjY&JXgXwqyqsa5Xf_#rWFH8{!^-F-L^LSoLR zW*yCjEPvSA{bf~`x=RgF@;-KZ%UoVC_|7Sr7fZ>O#V8!QnOBeBrGR{z7{Az4AQcu5 zwHVqa-LRow*bT=E)3(oL54?5c+365HXj%vR>Es@Mh#A+{@yC^QnIJc}*=$h3y zog+A?8RrO8%p7D2(gb-o-Jp4}GxZ~w0IApiw0`$PobG*<_|69@>tkgSjd5 zyNP^@8*mRz&GRpCOM55z(a~o5R1$~J-i=%i-qWm;a}ON%z*ftMkOgcEwqo@DBJu7W zOLn4wS)e@S%o~`imN}oyr!up>3tzSr9)%n|{46dm!VB~$;0^pv^OlqIJDx&P5s3WO zx*&{lYL4L-j7COnCqZlCzAV<3RK4p_`(zg!%8~BG#JM}!Yk>=!3{&Dtogs%Tb(+|V zMJ{C3CB!P4tzOsK!Sv#YC#>7O_!hD@d`qBQGwf4Pwi~v@dl&OnD|YXg)LuQcB-2)Q zER^?cg33kEmF7)b#E?(GCQ+R&wt1Z?Ib@@UZd!B+JU)9qLra}OYIm4+Uwvinf|V;b zhZ`8W(qksVVfXH}_d(yEPWi5U#Z-m;N;- z%e5{sW>l7EEV*R`hv^RL!S1l20nZ`{)s&br&|wTuL4{F=uDf2M6j5cy>7My7zIIdy z-E4e{wxzIutUX2px|$JF)V2xqc4IeI59XnpScV!w^Zl%qu#De{(O%n{{p`lDn@DBr zDeA(z?z$3v@a)ar3hH4Kw<~HAc*^@K29G*?7+>U6H50A9)gMX?kUua1TTVnMU!xRY zot2}r#Hm89N)2`A?yZjb+UBHMxdtEVdB;|Jd-RtaFTh1#x&iOQMm5MUz=hX>W<~I+ zX(2@()yXWy>qR*s%Sru0S5Mne?JqHJ?zJiJpB;^+0gkD#gHVtCTq;ZFT)0{rv_kf= zo?XGYGV}Rjdb7JdK#-;XiPJW&Ia?Et!V^iSiOlV2c5oV#B!FThw8snu_MVusFz+!A zNXiKbyd`(}^9}#Xj(Zm&;+}JfL}`=uV!?UbhCD1vW9?zpgN{kNmFrvQ&t})(;B`xr zrmV2tg@a+9LaZBxD651abS^5#8pt4`7ptQb^GAH_+g<%~X8TyErgPudoqDVy0jTCh zdD*#OGT$Be1E@fQGQps85&Osm4e?N!)l+#C^DZ9JFR@wqidjr7QonE!Mm!E#A0aT$ zjddpS5SP~luMoA`)8gOX@OWzcee`$$mTKX9{t 
zSlQb~T647EmxYwXeIB|yvR~N%iY?d~ZOTy?&}~p;Xrqb`E9^iv6zL>iuYXUtSL}6^ zy{5yoiz{?&GF3vIU>$*;dny8Z+#vdX`p3bmP@6|e8)BU&rK|nqH+;L3xlW$KG{IxA zYz9(fso`~XpO`xRzUcQJnyRZR6SLe(0+YAT3iHY2I#rP4qr{sqGcay+x9~RR01r+) z%_SmWnT3V*g=;ZNn|DH%Uq0!Qj&qm+b)%Vdvd1UTqbssUB8U^g^8$Fzu|z#1t*G>A zTg|5juX}7Vd?O`Qg!Mi>fChWZcdh*tx2Cf0fHNW!BEReg1fgz8Jhw17X5*FC=S}^x zL`TBNik6v(Vnv9d5o~gA{!8pI+R)!G4Ul?vwJ9}~kO{#vgm=*{^K!`ZdQQ6zTjt2o zsHydVFRz$l9Y_u9J3^hGkgDhaA54kz`E@PchI;>3KDWpFt32`!)BS+6p=5|@b9-(2 z>~-h2_B2y>+Yk3)Uhu+hPhW7mdWL?(0M?az|+ z)Q%Z1`8EqPe~qQ2(17S3By4Q^NeDRvZ!B(UUuD$Fc~)34{q!kkHCw$T`cUOQlf8Hp zi`8jpDG$2YsqrKvX0-A6vzCJZNAA+9Ocp(P*L$Oc`tJJ6H-5%l+)_uk&`YArI8k1x zuTVi(;wIri8&04kV0d7OAdZ_%?>eSdBzwDL;OJGwz0eK*#pjope{gng%)hrseda-R zW#OZnss@@qqP-}!aSs(T@1XjZ7N<7HmUlq$`oWb*LU`y{u7{yXGRhC;k|z&XZ|Y27 zZ%OVyQ-pVGisaJt z3YXrxatlT31niPhom?!I?MEE012IQU>|!A+J#`Ly=Us78@0ymdPq zGC?*SRFtxj%>3@}{yyY{3a=TtHur_xoZyp?pBf1}~QMj6w5x~D=yHO@DFUXD7g86&~$FluXacD08UgQ%aFd||E1Q_s)O|@hm zAJn_>^hxR<=4JzT>bSIuc6j|q-&aoB8l(ssfVZRg*@tAY6v4%{JTLn0Pg>9I9Ht|o zi$L$h3ngXdy*8f}rNi{7nb|olI8D$4do9imoCbumk#R&4={EH%tm0J^B!()R8ZP7V z>()R~ikJHMi}1mti4wOQdyfZ0XE872vgsQsluVd+ugM&w2`xb8s=_}M`QmuOGu6vz zGks=*I>i0t@k1q1A9#ZroDN*T42xc0BjDO$<-?bifSoTzatXZG_$ z6aSFVD3+abOHCLY18w}GOxDqm`Y&iww2WjVw=`zXg8{tH89yGcVA9&MYzVMSO$xC3gdvQSU%@(@iU> zTAO!w3zDpsF3o1^LPGHeK(c#Y&C8#%LCH6S>g&bI)x?s`mXbrqaHXhOkvMqi>&|sh z$*>>~O(Fy!8@Ot%7pkFYFG;Xx3Gd4(u1JzKsJejbW6^phB}7B`5ZP)zW2Iuo?tD$c z&%U2CvF02D+}*1tXIY9sX78>w!|^tvUY;$fR3XY+1Ag~L?bI3i%ANYQm{Vfj$$bl~ zxm>NOa;tB*FKL(fEJDcqi){y(2TFQOBweCN|9o*?n+3av{7K7T4sVr?QSDn%qQRYX zpPwcaR(>>Dv^Y#BJ!I~yHhpnJx=b}V=+vD%r=*{CNsqkNvT7XI5p{r@zuv$oxF&p` zMf8ouy1mfR$^248$2@%PgdD?;Iq34aECdvf3d6R*UawI9#0E|L*ys z_=PE<$XI%7^oEt${uCRVAD8D=S*#qxI&8dix9SrmksMx(SnX`}MZDaJ7q58cr8srt zajPW<^`=XLeb)4%khp*P{@Ox*!dqe%LAf2q^RC=MpKMv=xZ3N6`CfEr>(28Iu}2Dm zL2CE2&d<4JLk3~vI4YYVfp6D(z^+NBDhV2gJUm$Ob>)}6sAq=Y({I#XgRa9;Sub;) zk5r$ynku^ne+a)on~m zD7d&;zc5BVoZpESf!(=513+^sMhsW3G#`yJ@8|0ZBdsjOZf=~Wq};q}6=%$E&vZ$3 
z1)gy|I4v}MT5DHL|5I;$QK`8oe?Y*g>(@b>a%98<>|)uuezE}HLiEE1E#`*?>coqk z3mUH*JXt=4C4R(p2?E*!R7p#Xm0&2|#)lqp=hQpm4ZP@uK@HZg-&gH^ z+;&(d5vFb!4|42KR-eHi1zcioqz>RJd=jxBwBoS^0lFX-qym59wm$#h;-j4ESeBR* z*}C<~T4JfUEy7vRpdHo1m2P0xpCh64c6O&fa{6q1arP=#2hHfS`+KE(YrhWuhO?v? zk74KD=~UH{kzR-NA*7og7yI~y?RvNLB2ETTz$imJ%6{N)3j7Zx{{Quk zrVanSxAs561^z3ZqmBFne=vECbf|7LKibXxdksFNLQ_YvaJ_a^i%K6eG?;8DY~`3krO=- zJ_N%b!qI@#!~cg5==ODgU-z3YpuGH+gWuyL^|u`S){}o4ir@O+x4rzsVfZZv|38+4 zVtaJ678z2|xrESKyc7R^mHFoxjUwOU+xu_oUSbKY@WaSp%F9MMYQOEP>y29FW&xx! zqs&6*4m7uT#RmNb!C5=YUgY$~JK6NH;409+^4?faylK4~L3CQcL^x{8 zUh2!-3)N`rL{<&8sS0z1w4Ac{e_dpqhm3*Sp*ql8*GjPKJRq@p3&fY63*r|W;4C!%R%f9cl&DhT!Hx`t1qMBT-1dyKuZ z{u@xFa9)|jF@gRuk_{PGo*bi^i!W0`rqIVQFAG<){_g(;z?)dPf9V}ljCF$TpBRJh zveeLkfh6lLjh*UsZ~;Tcc8%IB2nC@609l2=OpdNpJ|Jh&0Amg3>)6MzCH?p4u_Z7! zL$y%y&!7wJuPKG{zq{stU9A3zUGtZ0#(#R(l=L)XA$mRpw$(6YMz^%|;oSo1bY1N) zQR+?+cH(pz9b@av>p4tWP0)$NHnf<=3%dFdElcmjRo|8ynj$PJ6js$%$2->?!Av44R3EsE{)y}(wHCIB zpM6qhx9iC91?R`_-CkFneK0nP6@%SooEV%9cvm@AF!Fe;*S>; z9S;uD4|ii&=)yYTCc(x0O6Z~48tQ_VJ8bjS_lDqhG$#^0=Z?e(6493i?WmbIo#FjL z6we=FK2uq{@zu3j%<$Mt7m>A!PdoHKs`wJehOwM5pACi%6(|ci^lPy}Z@@cPbvt+J zl&{d2k2Si+VI{t!5ir@s_-{$K;{<|_Ugdh536yMhK-p1}2>Q`MQb(pl<3RD|6UB-& zU!l><*}R7{YZ##&wM1J%f}W30;&DuKqPXTuMCUxb2#UW9-e|S6NH!j4=Fk-r>BQv0JVC>H3L=IcKZD-BY~33G zSQ#Du-*UGe#g%4}Q#>&wM*Ba47)$8~Q@d(^WUmF%fSXSeDZ=~!N(k|QYB-rjL0N+K zPNYm8-Ui*07{;z`p(#QmNq@rG{|-+6&mN-;d3c{FAEe8|C)t)dKf#(2rG=`~4Oz1) zj8q0$JZ1g!$usivn<52{8UQPmbg~7e&PO*awkG_KJKH2wAlMUlvspcA!N+^thW;$bXud72|jHFbB!+MK9ce;+U^y>l)gf+ zw!k;ElZ9jdqU`$00ya`-h}HFDg4<2&Q<9?h>yGWR9swmZ*>*QEWPZbgbQXIyO+b*> z?sJifp>ew<^bu+T$v_MvX(L4lFGt7_f`IPYr}N6CqNlv2j;jWVYKz-QWZ4ouclU{) z+_6}8ylgOZ73hH+KCArv{?`8Dx96eGAN%y>7}l^8D#~C?&{?rs{&T^uFiKgWZ%|hv@5NG9ANCH~iPeiLiRyNgA^LdF&Dy;_Kjg0W zv*C)g$x13cRxB`FY0q%Pdpq1%GwOS{YvfhmDC@YVXP8$`i`ZH}AX}H%g_j!-Y+|yf zt$VAhL-_8kp3IILO(Oab7&)>ySFuE9Wg5T-H$`$%%Jgo5$=lJ*p~qsJ3hXjoDj}z$ z1H%W!k{$^)VTM3ByUA`mL2v^^Cnk{KLy7^TgU$(Z?d9dnyhm?eoIee{Uw6LDQ^2Ds 
zQt39MM0PYkg&s8sqf<{zpz`B8G71r~Fo@D~N9W|z(Y+@-MV@MvZBHGH&4E1oJd4}q zg&pW%ZP0VMds>>a01@T&4e`X@!8w<||L3jkY%Um8d}a_XS4wYkWXSM?2#n zV4le%Se!ams1;+O^in^j@{G_?mtB(I zP9wuUB`kzE!-*!!7sY!xC~w9})#>JOl^|g2RdfPu{RsBpxcv9JgDbmO5ajff&`Eg+ z=AIkLAjkeoB!B!rl7tfOMG^-6+3R)Sbi}9=#A7y^{i6$TiFrQy?|rXIGPuTmbia~ z-lVdS)+Lt zhx521`r7!r=ljGP$AXgj7uwQ+;RLszdY7ts#NMVy1R8u8TtcNBRD-Z>$@Jq$Iy}*M zb;;hr)twny8$F0UdjG^3W=21jV)+eEn-LzV;mx1kg9cWvFPGS}PPZ-MvpKp+i&WMg zX`IALT2yT@skdNZW(4rX9adt6}x7_>PP~jkkH{Umi)y^~z_Ad(SM!CCBi? zXL2V61eSr3&6C_sxDu9A(ADHdulGN_OMG0z3cKEBx^p?2+0>WrD3~3~{@-^d+*n14 z0~3-99nj;FV9vX-5nOug?_Gcb27K$^*>_v&5gPDx7lc{EL14*`j-tPXOaB^n{AZ8R zf5|EBKPt=rg{kacBA&my=AW=a@=xrVzb@?65pNaPf`G9GwfBxypA{?Z%$$9UZd`q4 zuXv*LI!8XESfnn`X=oj~awfhF%8#uO_V+^PPjxZoKEGFgzxju6=Xd#Ub=zQ|x+1>? z6Q9KufO!aoYCzYOd49N6O&Vj5w_R?_^-w62;E$lYxS0~c_|(|)BMoR(T^S3>Feb*# z_e?qM$=E%{n~)D(hZY0K9Ha1CG=QU0nF2A8paD$}X}|)AX^OHz&~sZW^2uTBwjMEz2GH}-fG4?BVGsC$1X7;{+-C*TWI#mvw)H3!-vh3Ief>4RNoKL6 zDkTzK-lKnn;Pw%wb^wrB zzaQy0mwwCA?-BP~Fa1`PzYWT7v-@AlIf2_#J3rq=dKD8h*Y-k#QgSbjU6J6Yb3s{> zN=wNnFl04@#GB`+M~R8^J?uuOLPQphHmyZ&74*qBVcj+-{lUt3*r+iaJl7LR4%C5R*z&3miHKV?*-gly0kA7*Tn7yh$@_isHxqtK z!tdemTPOThjK8hJ|AmRXk-WQgZAxLQ?m#UWcI8^Zf6vkVJIKhtVrIqvjOKr=Lj6Cx z{$K6U`ua1KIH~Ja=8k6~h zVdG!bIpJ*wpQ;|^*mi}42Q6sl#JRl4T4MH}#9l!$Qd?5B)NHd3PxLH!`Pr)sZR~}o z@`kC}3wHXM!iznrt+4Wqwp1Nd{q8NWZpFoBFY^Si4c4`d2A3G>Px%8~q8EOs6|7-X zp}pOEOvW?SYB%EzEJST@xxjv#KU5}&xk-YZ5?x6#=whm@ikYw3jWgtMLLBTL2SZRz z?;AD1a~o&7+DA%a7EHTewJO~FjLP(Lf*JRsa;;2s8TOrs8zi;~+nxaG;qr{u(CH(k zLnT__>9=){-hD1x%82=h>2U}?JJO)>VcIQyrhL*7tdL{#R_KJuFXqxs`1EEQHp&r7 zOvy2SxBB$M%!y~70okmQsB!(VVe4P_Nq*G+Aw$;!#C=6%aaikx>+5gkrfnbW)vQ(c zLGn0{l|+!Ayoo&l$YBOx#AAZ3P=IVpd3PJ1)fUe?1s~*!DXel{ zCwYB{CIK0N_=~0fkLQ!^p3I!E=xyTp)YIkGoB4ootQ}jGMdk}@hnJ($al8f+tGtNn zc~XkIQfxu}M_%Z&e%2I3|CtkWp^vg5UrxwjR;T9r*Xv1QkVrUtAWVYDd@lS-he&w* z2ZxJghib9uGkMK77dhsI67vA`adqnv8c-Fzz7bARM^=llT!Pt&aMX_b3U3VTTA(rvyYfUp5MM)joFosaBvr#aMvZsmpb_ax-qQ#CQ&A<$-#^)K8Jmz 
ziuhJBJ!Mv4^v-UTyFO=fxqtZEA;V7G>8rcig(z_%SagFig}8bAtDYU6ifalM?Cdea z+(nlS2yOdRtZY@N(v2xKgLt_8UvCHePpaajM%Ur!?GBl!vWWWK2m7@yvid2!fff>B)PeD%mN zYqbuqU*B#qX0GtjAb!1qo3JqBF{VLci2qr8l0I2ELVpC8=7|1m;iO5lmH^%1^10GPNHRa%ak0u;Hf*9Uu^K-oaQ+GE3n{^)bVU5C}FxH@?*%>UAFV zD->@^fnTW@EH)5HG}uLKEX?HD-*3FmQfuJDa4Z6r6)Jy_M|rEq4}S47CACOTzkqB- zbaE1Nl=Vz0CGo%7W6Us$c{?j$nHG~K(J6!;gBG&KJ>tJhFaUehu>&Er^~=fpU`33y`Qr zIpXyzm+{~8{PW;?Isq7#%u(a`?vwpBCEv7JCic%WbIW(2bGXc=3{YB#JJl)B3hVv-RFrnb_wL9*OElx)8{^C|xq zA@NF<2S65hgMA}M6#?}X+7r#SYBC?2|48qKr<1QQf6CiI_uwLYhdrH_f1~hor|+uA z7m0=YGk>BY01o_#=~2N^!hZQwj|e(s;JN=#WBF|il{JfWYy~WF-*{}A_^UGs-Oe-T zB>rvnvnv10*lg?}pPxV;j*`+T`~fT!4VzN7qGao#{qf7q{)+jn7Zl!yb1{Y06urp?E7m=>HU^7xfPca9jp(Nx|pE(b%-e^Op^mb`4u<%*Vi6X|Ws*A)RIm(`0`S!cCd~&(o$HD3Jbs;VcLgN1o$PN} zOTU7E(b;Mve$smqjM@)pLYjf{_L(5q{yMltCw%kC#@))5qa#b!r1Kh;!!bOJD)6M! z46y)N@mz?QiAd@lZMIzLtXo&6Z_G?CZd@|s`k8r~zfb=plih&ECwOaUd)i}l(b~Hj ziaG(cm9_U{%{T_0{#mO5^CP1vy*dgu_a0YvF=rmiFO!$n-cMihL&@pdS??g!>P>A) z_NIDiae*_LL2(gi?TYJ}mAR`15+j=dinp078;6#YCl`bd7j}X#HA%U@#BFrv5*=6) z^Z)Ig`L9Xf^45l>I+>MD`O0<~kKfRM#&NdpVk{?)Q>{(JJ3G|Q!BCm9HTN}wS_)Pc z#IUUFPF8NLTTwU9eT?cGcX~Ljnb>(d37&gx{})Ms7}e)scw^}HbN*qkn+*>##jofk z64}3F&wN;}0a13B=-?Ufs<8*_KQ(m2u!?MJw#d<;xbW{*6?|*Wm_b|eCZ)2$$n#L{ zyBh++Lq+*@8Ci7@DOiNYy=ll&u0yGaV|9W1gS@=quMpCmZ|FRi>tiv>S1uC--WPOs zJ2*~Xz?w2hQsO=t z9<|1UxKK11KI)V_UGDukZYyhs(J2qDJ3>+gMe)Yh9Z_sTqrzB@HAx~X`|-P5ds@?G z51Db_)amvg5tiqN$kN2#MdhfU&C$_2PYR`PeSPa4C3b5oRm!s{MXr^OPvnGc72`0YnC?l{6$qa}d^vsGGJ8(CS@T}%8?C>kOebk&@ zXDOCqN2!N>6Na;5*GeAIfVX8|5AAK7ncsl!9#EnKpp&A_sVlN^4Wb@Hv(19NO5?^; zB&URnEqcTKLenO;-R^~%tlB2DGhtY-K%rAx%a31|Da#6f^9y?F#_*0)EN z6f-@|Qp`jbUo#l5hM&REWlnw{A=ejV3R2f&uTqV%0ga$j>!o+a(~~o+9THuY{xB9u z|7BXQBDmAu(A|W_4Z$xFA-gX?4u(^wZ7V>#=`vUEpw<@JtU75}IBw(_s5egfh_kK6 z_0Jd{Q9wWZ%KS@Eqqn`Kqr7{Id@pyDrcHNZN}~Yp>sKQDmDrMy)5hVy(g8BMP$0EhYwXg*jkY0sd(%=Q5&FKLOH9`o zlFhW~vDpmxYAVZOf}XV?l@qKuxFG*ac9#?1n6`kOg3p&Ew474NAu!Wf{t;p`5 zVeFrky`0_NRVT^Be@$@-I1!cykCPhw$sZimk1xt4}rC 
ztawv)K1x^?Q6B6QH4kvm041P33`*u_QzJ0!iV{x|EH6(^RwTOxC-)qozb;ae+J7>E zZvX9g8{{X+x)+N#@rfr8;R~a+c$mWrvC(I5yaV(1;B6j2Zn1?faoL`00JbRi;26%mmh5)`FF1O#3|2uM>9BE1tj3L?Gt zfb^13Vj#tN-o5wC`S#4L+22`f&OWo&{2_}Fl05Bx?sDDN^)U!8=1Ngu9UK=Wx~W>+*v(F&tF^WCveBdM4Tnj0nVUDxwu;E07Na5n)o(MED-h@a z;m8KfikhQuQa3&-sa!RkUE39$K9as6?chY15!kPzIjne37jvu~oWYJ}>U+2oVM5kf zn(0@pUUABSViI0$3c986&G^c_QY+#(|z5ykQ5leWq837li zo6ot2AxqodXReOD*$&J%{xFtUr2I*bU2@st$r1K*8jJia=Civ1l+Jg7GBPMbwacXP zuFh6O?w%S|sd@Xccj~q}_a0y8lP+dU1m_F!Z6p>~+TH-?VRqq!cJXiOPuM>@bKl6` zujJvBW#^B(Eb&oWhq~EB8FxT8gE+Gld92nW!*|n=@wwEowg;bH|Hj8MXYoxiOQlWR zg(!zw4D-n191z|?^481yUT6Ub4wP{=^{cNuClNO}#hjt*S0RyY6sY6tb^C z@ngJX@}T?~Auqalmza`8rPSyzGM%unryCoC4^Ce^8qNE|PU~((QkRxK6`V27{1v%+n*75dhFMF#iYoyxl_l`w+8o3 z{y>h@0D}SmZugN?6>zPE0p{H)Le}Pp(AB|O0DNN`AfsQVk9`mPw8DX`C@X*CV|b?c zk^Cp|IK&P5eMXTAVs!fwwUz=a(cfB;gwhU{oaxlM4=qj5b((6Bgt{=w!2a^4R+y1s zbiT}%`U^d%qEAaDt`+6=&o{AMuM=%L4t@JJ|L8Uc5lcUZU-tu@Q<-2Ts4Q|+bAy>b zkP!@}tQdryem*38OOYOXrt_I%)z>dgcumi=%%!uQtm|exS(_*S+O*=qQpZMW82j z3t>j8fNa}P{V@h0;Gf?>pT&$!<^dow1z(GqiTDHALTZDLdbr3OwxViL#zDVD6&3u4 zy>~w7RvHV^wJt1az-(z#eV9!{aG=E%|L=c4#rivx$>|An3vrFu{q;id&IP&zoIEoa zP@coLPSb?}rTN$-x%}H6e=-)exrP z``jpfih~#D3F)Uqg8~Q|gK3m;(>8^#CuB@4oj%>~R+?&4R(@&9qQuqQqUE(mu=j&D zOr*qWHkimnYDIH3lFrYg`st(L-R2^ySDAi;l%XBxvn%%a4M|lUD*mfG{3&!KfTB)1 znK_FagAbH05IiF0lrkV%@(FK0h6Gfclbl2PH$2!=l+U$ol0G{nLz) z*56nueR z)CIC^^)gP7DKy#cepb-5B$4X|G+(wMRGN9Fj#2fZ!BsCLY>7jP;82>@ys#gB z{QxMd%y6uk(16GsRp>Fz5IuHBEM$Oalp=A&F;0EX^4e0S@>Mg-4ROy>?sQ4LRiqTN zhi4hX3!ll_FT}a@swPZFudTmtWY=Ir2+}E9fCl+;??6t(H1 zRv;6VR1D`ov(|I7tY4Ba4@JWP!48L-w>xc=o-VjZm>Ip3(0+yp`V5)k}ocOYj_ZBjU!#d z?rE%BGh6cs3=s+c&Go;n>;*=SE|l4mc9H5fv!`+*b4l|GBL zlhv_32~W61u1k*$FAURlXq37?khC;0VE-TC=&{H=T_I37#{BIZ#?K+c0bgoYrmOkb zts1tR4rw+m#X?D$Cc)>&21OR*FTpxh18cy(*`oHVHNwYmO`2KTrB;Zrv+OTF7d|Tx z*gMR3Zg~sws~n*ZR3-JzOFL<)3U^8e&x~YIJlj3^j%5%ZbYKnuwn7jF4U^)=0r#~& zJYpx`EBF?9D3!ffyC{q~bU0*@$+ihgp4v>N*WjmcR7KNw&z+_Zdd;;AU#u=Y3Y{7k 
zwNz(3Ql%>X6ItB<{aQ`1f28&}wfqgFix^dmHy9_&Yw?*ASu?A;LZhx;Ebhqx@akNV z?+117F6jeN93HZFhh{4`gc%t&RV{DC}G)HFQdreJErVe#x>TdH^S+IB_Y>sbrQNnum^C5--nd6PfK zdaAo@o`mO>^8~*qIc8?RS&Fbf<6Ge6UbSY$5}a4hRggLZ<@4}WoFAAksw`l3)b=(} zrB^Ci(LUCx4tOOBY$qL57P8HUKE%)q&zJlJ{+QuKJTTMEg{NP%>jif1~t|7zI4wshH4w(H6I3ciAqW^0GB0PKJLzG7s zI;es!7(j_V{szc|guGlsg=3im>CiZ|D6;`shG|*9!^w4_K{GAMO#w2zUwf@>NL9z8 zw(_SAJE9ET*#Qm`(7J(@=w^Ow&Kq|{^4B8xH1oJ+)7Fz7e!XSsRAB)etmnVMyf&{dSAQvdM0xZ|8rV^+TM!R8gd{*qjm!(-S1Xv z#I5Z6q}^Sw`raTBG~=Cqw9fio-O#R4oukRyPOm`iBt8udMVT*_SltCeI%2$pX_7!n zVOB38_l*=WI$jh+D{kDLh-`ztw3VQ;5+$^5R`k?f9Ex`HcoK6Kx#m&oT$`xy&Hlp? z$R6jd0i_qIm&Z-}9RgfyG%_nIk}rhDSp0QfGp*I)fX?cEFXKb4!7OY%U>4DYiyGeK zx4l4h&wE=?MeP;tqn|itC;fz5xChH!e-gU3-ryxKD>$8;#p|s}HSo z-Zt~q{$@BX|K@S?%v*#9R__wb7}JRS+s!)*U*pID_fs|TZv|ntIqGM!C&iuA-Hv~4 z&f}V-nO-lnFaG91Wz^V2=OI^b`|{hJ!m`iBxkoMLV`_(eNJ11M17!akjT8c*AdU_TUJ~5+S$#3%$b==Uv`}E?uUH>t zne}JqJtH7wcL6#dwQeR*ZwD_(RkQBf=vi03Z}Fo5M_Z_GXM|wvaWODnU3Kb(*2U(r zknmX?m#epC>jpl6b6mdy@m_B0<5?EJN2mB9$1cP-sP6o&Zg%i1wbfa2(x)L=@*|bj zd%x?+h1KXdjOG?JiU5)`V+KU;NO)+ik_7hU`q^uv4*hCI{`aB;EazDt=zKGtdVQNC z1Jn3O_ku5?eOef$Oqy#JQl2)Ru~x_$SPTofS4Z&ewBC@gl6k{vpQ$XNhi{iJ2?+4} zG}-;hh3~tkm#4ImO1}mmwD(MObdV`g)&SyLX6Xm&+9}S|3|Er<-1JMd+zO|(r7y;+ zysFls%G1gEaf8Xk-pvt-E?+M|zdQ-X;KcYq2NbL(B*MA@sc;C%>!ju{E@+jqyt=q| zJHK=&>C#Ed%mg`ki)S_Fa9{KJ+y?9@o>}c$Cvru7INCgwKC4P%K%Vr*(UmVoUG0zOOciDq<;7m>yGOVdyl%&?| zKI+~K3=9scSf2eN9Xl~@IaZhO@jI6I_CmSV!EO(r9dJzB;|ofKyzvsmZ_p0A0Tr&x zQ_RWs-!spsy6JOlJ_1HpCai)hJRGOdZj2(ifdO0 zGk;;kN)fLJrIZg$xhf+?>DG%NQKNRA`!nAU(+mf>pn8`=!zG1D_)HG0$h@VFbB?`? zOlYvu86wQW`KxUwzT5G<|8h1WPqR7)kx09uup<+@jKs?Sh>|#LcK59T8xIi0W&wfY zCm<(>Z8YW`ZmK95^KI8J(T|x@ysumpp}G|LEZ4ht{CUyuRtQRO7W*0yW;y4#XZTt- zCAZ~bq}?oz7boC!G~EjEK!y1?S(@TEuoK8h4E*5l{rQUpm)@BnJ(;&HU8RS;Nrjl2 z4>7y@Hh4^kbUSU3H-Zy zpI1%`#UA?>C!GFTJgoO#U{9c-?hXsh6WE2lD{g-v3||oCEbC*mO(~CY>s93QofO9u ziZ%9DUw4SZn_1V7SV~v1?)LW6@eeffwtuAyG2ii`asPpIC~5orf!wdvr$=Md%P52< z!gwYST|)*{SFG)&J6GS^KlZgEU$wPKqsk=kH|1@kZ#Ss;wh9dT3NZ~ZP|S!~C%7VI zpO*&yTc;^! 
zG3#FVV1gTAPYV}`qo}zM_I2`d*9f#bzKfK*WOU}7(g8~gq^*lL(k?-1FilyKw8vt3 z>$$>r-P80dgUmDZYh+kU9s1OR0hH0F2^Vvd@mErYPsMB4*y8y4+KeI3REK<_Oat68 z5J6jkES^F3bFYjnm%CtWiTEc1*+u_0wzK~_HUfcUjoagA9>om1fr-?2-lgxEk4%@r z*Yn9hSG&JfIfqKS)qlpGly6g)(cjwxjFsu{zsIH!<)2Ii!H5&se&M(+8x;8Whv|PH zeIp9n-IO07QBXo{1kqSd1<)CMeh*Z~r`JvA2%}o9$rVxB2Orx7`h0PoyY*g`%~3z> zM%=H<#i`?O(E@WwK2$&+{Vp|}hzQqQGtv7*#oenOe3}`=!)xp#ePfnI=FP#%@5`6O zRsA`dFdWu^2OgBpAXE2svLvO4RT%P?bGN&BZ6{>TtQ>|UK;K@l#aM~n%Kz+Sm7POQ86DxvAZ*Axn39JGrHyw$1;n8@AcYW zsCcKr?kjZu>ZR4#3Z28NNI`4*d1|EBC(L7Os=ZmGp17K4sk<@UCL=sgCszz_0lz++c^K&j_m0+S4>d zn1ReQ)Ou(boF9dptFfs4OZ!UUie{Ec?5o(x2}60-4S|rrRlu;}gdew_n_gEvT}Gyq zQ38*ibJ{Uh7YpFNH!pNQG2tcT*LO%%kivX5L_WZ>tL%rG^p`sdSnA;}Js>i`01?Rz z6&%$P#8i%r*rrv)!YRH&P>wpX3KTuwYhCmrEiMFu4>SiviG={D(1;7At3qv7^g zq5CpcISGy$eeX%uYZYv@&yVY@ZydwS*bY)H$wCdfGE|$nKu2H-BHfaQ&3ZQGODm&a zLf&bgU(Bm)KD}`$9omcdcX7B2lzPgi5fNFhz$nyqFYtA39Q&DT=c!7F{}-3kFzlVg zmpr|NdQHX$xD!$c{e!?OMNOH>x7O;qpq%n<-1ZUnu zNGR1wvi%#Vw5;EN?7?O$)(+FmQO1MEzxL5t@|+X5zH$ZTUw%?xe|In{ZkeM~769+TB{O4IEOTXw^vIkbYop{fk4o#u*=^#S)}-1TqZ#=9pbY zHKIc*S?+f1VqL{h#?V<2M3?jzqO&q?^SQ$BPUaCkQqmnpfi4G?gOWg1az9yL?G>y# zSdhLgD`+kp`~Dv4N3Y@AnHK`|CG#;{iO~8ixszfYzTNt=Gq#F*RXEBYJ zcL`ARPh=51i11h;pvVJ1F+P%&_xh2wg^f_tyicMcXQ$p| zy4=Ng`48W@A58_)kO_iBoiTzOTAprAeM!c*siC!~@%hI2E5Ab*;;y`o=D1GO+xn>V z0EDXf%tO7PV5gIh87TwiCsP`q0G~;RZ~6W$v8n;zDdeL(W@Oho(-eKT=7=0GzpUZi zH=aED>a;nSd_p|x%k?Ao7Ui{uaVR@#W+BR%nt(?k$TH`wS8R{h1k{8TytFW#{&d?= zo$kcirLeEbcn|-@T@P|RUoqjBonkAdhwD1#02&-Fer*<-I>4r!jn7$rPW3bi*%vwM zV4!B_KJWafnVs{k#azrg7P7v-S`(CY8g+x3I}3*__p0=}j?;`nwrm#$>qVz@Uq?Qf>xrOW#^=CYr(-Kjgn5LH{e#;y>Z>zi+cTt#^F>nZ7JP%a}8g zhaULxnp9t{-ly?vwQSZ&Bf1fWtXo-wKsfRD{ix=A-(Zuf=xSiszcTJ|Lx0_W%)ila zSZ2OgpFik7b11v+uW-UBJCZc<8kVfosHW)t$@y-6@uNK-?lhSYy-A7Zhw%AuH^f-Q zEOg!aB#yWaYp6&QA{TtUUWjk$)fRfo($SIUBY5REOr)J-e4FyGG$8-8Aq@2(uSQxG z#ka&x7-!3n%jUha&3uBmZR{1dLhKska;+E&RA8_V9_gbyk~nTMJ}}vQZ@5EzAIfmM zu>QQ3NF0Pn9k zIokc**D|zP3i4MY#a}=Fs$U6h4a)*o*kjJu;VIXL1q~syj*(7sD^>VXC;SqE`jRfO 
zR+lu0Mr{+A3GNMa1E$m_KMmo$i%mM?wg*eFJx_fMQi814uT?y1I`FK5hfao3xtFQK zEXc3>A*uFxV}^F0nv%G0WZQ@zI0Uz%lc=MljM{^r&*o--c9SB<{AAt*n%^{k^X={k zUCx2oeI=ES`NdEqFNR-xqXL^6Zxev4p!yL@FXZJb{gBGASsQLv+Ctm-OG5Se&1W3f z8ubHm*S2Z8)M;=FydrSXA(YQ~s#(9&rwo4?{AyrvPZ>^A*cbw?h$eIJgrVgQyDrX+ z6)+>s?+WZ|%)zL#j_Yq`6*QEHq{*BzaTjZc_W|PD;{FBzw8cg?cuhB+DR2OKur)^2 zeX0r$3W^2u#{3ZmB`mQU>gmV)BNTRqL1vwF!+i{BA->wdh%eoB!aW#T`&eIY`LyZ# zuOBt<&b4y@Zsr7icWQpK=?Y-#_B&Mew~bW zluLmnsZS8p3N?q*sC=_PgiOviX1d9irMGam%XW#VWv%`r#^AXJh`vE;X3hye4CBBw zf*ade5#1y<&9hQ16e{V|{MS?2fN<{Ew*|jgLw0w*0EP`rqa@r#g1yhRfPL;NndP-0 zkM+bJuR3g!mnD7)sOyl<2WqcVC0Ek^mRY3T9a zh3x;aDxJaxVRZU$p*sR4i6lfng9zPPcFqYbwAQx0?{~-V?FY5an1oFjX%R7oW1>}{ zbS@a+dy9W(z6zsj^iy*GKycB(F=I8LnyZ49mDyZZoWUMml~f*F?CFXLx7T5Oi&?v{ zXSVbxFjM@)v4arwgI=T!vkOy%X~m8uT_0A(g`Rg_W`8N)>O~o)=bTxtbrW8U*n{6L zPBJD`^)I%kxT?IZ*AUBmmv^(CVJkgf7tg881a_O6=-jY{TPAA?DaH!L=0ozj<-D`z< zGA0*>(#d~&KCjr&y>j0Hq_VK@%n2wD#$V`*=$}d66d?7ht#L7)YYi)qJ@Ytm=+_+N zYlOb~lLLqMhl6_l6%mJyVzyzv$^s8h5ujdBAg^7|JWRS6F80MgzXeZuKf9NsupnT< zf9lxp?y2L)LSa1gTYad*8NQ2Vz4f9izpZ|UKFK{dy5jTf3$M-V*({#V$E7cNJH}O> z3{sa@*xU>vkZvKcuu_9&S6GBDdy1j46w@_KO2|h_!^c`9daH6*+`PaB>>GmXq1$B@ zl%wm|YNbK=9k5x_BK9|l(`yQ}+bDseBr|f-tBtJw2O^2ITT+xs4w|vxb$b5%tq-FA zc0bp3QUa(fbAKPMqZqE*1K@0Ty6N<#RB3;ztrYS^O;s*mk`x1~D1eV96=+cJQ2}OI z1q0^%pV%Yq+sy8Lxn|6mFrAAEIF>6y?J80g-BoRrc{jBDPD0v#2!B$Zr?)&m#rms5 zVMmP8%XsaD8GYV;g^UeR4JG@$D*KkyIXEPXkoOi#xPL;SZ1~-i?LLC8)Bh>VQ>_2k zJ0*WT(>eQkQrsGUpkb?l^^_1#MYu{?(uP>2PoP@FG^fGX(3_LYlSxxQJOlz$Pv2Wh zpeMh2-@E;M!X=$Ks^y0Q|$lRM4r<2WsheT;`axNF)uV`Wx5ect3z@*u{73lC2QC&= zYv5SPGQQM{xR^{-L}rs^!|WC;R^=;r&c|d}KspeGw-k2gEc&xJnO*-YANs?5SD#40RuD=sYoR1QqP#M* zOGr~71~1Ii(OnqRQzHI#3_jWJPd~`0+0jyhqKDypr3?)d#h*1E=dYS-|%NR&-6d&qMG z;WXXcn$x@Z5Rm)9;Q+#wldz_!#Ek1keg=0wVj4!pP%0RSwU#tVx>4%mft>(B6I z{2U589tPkucmPK65rR=z`!PEL_}JlpaYuGtg~dj}k$YW5lvJwGrz-)oScw(SW-;~vof~%p+|Fugb{I-8H4&WXe}{Ohj5qagBe@7B zl)3?w(2SEGM;g_?B1&v{zOHy5{E_ys{yr7JPuOg!`RSv^pHYfrTO83QsMyjbqqOpw 
z#_V1cPH&=zW6@w8LA$mxT_)7xiVUx&ycbOR%q7)*t2%;Rk+0K5ScFeIXz!<%=w4wp zPSjVS6?2SkjG5UKb50V~Ey?M4SY29uIqq8X$S&Z9oQcs76d@5Pl8kKhd0%M+fCBz* zigWQl_Q}!OI{Q7pM)~`h_*b4=-^HL!LAp0S)&uxks3UU}z9VJy2Z8~MBDzPIfj51w zS3-G^LYoY;T#@UHr_;Bp60R+T@X2jX9Q!4G)Sxd&Cjh|F-hiwWa_mkg&9fm{YTW5W z2gcO}L2)&g-aHg}^qYD8l+NlBUL4aXg>k_gaVlOFJ@0HQ?Zo|!Qm!WU^bo7ewL*5v z8bo_|1V_4y8S`nul%(dq2F0)-AFf#=1)F1H`O9lThV~^>Jyzo_a|v?aW3zRv6}nFn z&g!x-C*ZJpPWq*O)QvRxfwF=N>xPW%92YgH=fT06uiNIld}U!jhlIz#-kUG*yfUP% znm@TDdAuYAG4Mpz>8#sR?)EcxPBfa`eRT+*Q;VPp(O-~o4XcQ;lgy^JxkmFuN`;}1 zqi=jikxgYZXG^9+*|;m{X9!M9*w+F!1VgELrxi)=chd@0Ei`u~gtd1Qum?rBxq^D(JHIX9YnZ*1#@X~AqijbPw;3#_Q z51M6qkyn}BxZ>&7KaercJAAe&yGc@&9V8XuW07+YfX=IL{EL2THSnk7t^S% z%Wi@0g_mw5@nr(H*e8CcL(`aY0HFe`8ZOjIVmj>0+8J#l z$HyXxrhOZ%6A2RDmoGWAm!aJzttKrdIvoS}8a-J5`W2ynYH8(}>AS5%I(qm4>`29& z+`1-X8MlWsYe`aX|*{}BAazaKtRKsdCc6f#}< z&Q^-F`>C{ooS3F6GN<=i&7=H#>ZRoxc?1D)rkj>9u)1nU`eDr2`Ef)EhF!+(M9R7= zB`%M4>_i*U$GdQN)}7ARPbr{Qebgr^aZz>Fc9w@xd@IETZxawNcu_6r0|Xa>12k+( zf(nizTYEqA1U2(2g2%!saoAij_d0*pMu|kw2HS&+P}M!XIXqQ9Y2A*P>J6+Q)YY3Q z)Nfkkn(Iti{?*D&%lk2^^l~}^LUko#nvsI2QM?>7_7S@YRv>87yp9^KVL3( z9eh`BrCskC-SS}jWduEG5aWs%L)`B_Tk3`+o~-h*59A!5(35SuW07^x(!&02!_4rK zJ6$l7X|(wovj%2!JQUxS2VsT)_#|Nqfj;#IGQ0-cM<9ckihm%n`5=e>_02Fd+Jymp z>sRuir$mRE3D{r1VwQE#tkeqTwE{C-%P9pb97TuXIC{uJV|pG4NC!m*o_em5?q&yoq-<}qM)%-0{wf~CiW^|(ko z`#v00Y}%`jka?XTva5ZYV-dG5LUX5I0bN_dzSfN}z9;KhgSE;Sj~CSiU$^Q9`N??) z?zKQoKfM6!ce-xbeM)8_CR>#v^Ij6IzJU;d zDY_yx@C)4na7N)n(j-}F1}$URh3{FTnw{WwqaSSrBMYt(ntRahucI{zXuBng1+ct{3oCZvq|R%g$w=CgR2 zM`sFh#*41^g3wgpSCgSkZhfDoDjH%w3MbuG3KJsmV4gt3lT#-OWc+WHU3~c@H|yEb z;#z=tk5Kr;exh6*%Iy-Y53^QP=qf1!c8UQtvqkjaM7d}pE|Z!^99m%?KXblqTfj>v zO#1jRkt=CE7$l&!6}mDFc=l>ziAHJTLaiqp4M0T{``t@(@8Jf8W$Fiy8@R&{JyyPerOK zHsoxw#>vIhlN1y8QryOu>-jtB(1oU{sesRO;?$!3Seoj5OC5QjkK<6L)=X3gom z`IKzx`wVMp%vMupv!IWY%u7}0^83XV$N#z~c-uf)6*TP1Fxi%1{Aewt?{+J2YH>3P zsskrp>2rxE^<5k>Vr`S&`v5f+Xh)AvR~WP@g%d<-4QDqG`^No&fC@?I=7vfqr;e^! 
z`FTddkLN}TCyxHu_+p+W#Lv=#@&=RRf$jr@-8&j|^Dj=M)ntj{q_pkp@$2kt5?0q6 zrt)UbiLqNibOF9<=H((Z7SSbB7_@n+H& z3;ig++qQ}BX95)R5AF!_v$SEFA2A1TJ9mN8Oh5bwvTD95*D@Um=T(`e%EknfFE+QR z_4wumYPK1wK8hE*x%qshrCc*XSe4#5yyHoBXWrhN?WP@E2Jlt09TsXG=x~Xr-NE$U z90rcN+#g7Rtq^fqh>C0X-|ddjw)>38cNu;yvaw-}D&{_?CP_C}(}!R#!$=4M%z`-# zD^ZI219^lDkEt;CKbv+f!9#iScv-xzA=`HKVUJfDD}HQ_7**PrH!;il(G4T zp0|5%op+u*oHh7F3{>D&x0q|4tixYj)1SGr{k6H#h- z)I9mcs*2;V^E~XKy6RpDNr*Ur=C08d9nNY?@}6lwvCI}qpcPEj(_i^MwKIzJv6Ont zZhkl6K|nBa2_HIP_lj5>b3Wx(u9BjKE~w&{R@j!qLn_DLkWp$W9m>^j_CA02t{bYG zE1`8yz(O!(!%cWG=X2#1pA9lxUP98QHsw=7&YSFW8($z|*8NB&jhZ(X^#<&R%kG4J zt0)=E5q0sJ@81yHAkOSbrLz zwLeB7%+9~CRU}`_pF{AvNS+#+-*#6ONp^^7I)*@Kh^ZtvGJf$nx>XzIHrxO5+`<>Cuih)22B~Uk zG>bY}r#p-z#!KOhkwA)(>Ylf)Irq9nc=u;~Eau53^%SLwc4>)q7TLs5td*V-Zptd3 z`BYhF!6eo<2uMl1MXRuoa@+A?c(Uu9T2#G^<{Qc5Luc_O2A5(MpX!vqL{`8n9O;<~ zvuX^l9>Pwd71Mw9w-Dt!wU?CNI!!`gL(m6E-Qhb7gBHyv$;vhT>G57IQeu7rzt5_V zU1tx1pTRibqsNBVw#g~YIDQqM=gD3j+4Lj6l|}E~q@CCL<%gsMsWN!!mQ?AF)H%vW zDksezb>V7t-)?7R!R~vvHq%7w)6oT;JS&76`xT)o{I3`S2IL+Rk>&VT+80QxCR7D- zCbF#WIEnsh^K#7qjHj%$B`HXmgI(?yX7tIicPv{zbb&t*<}KnJv%%k;8HxYFS)g#Y zxU`f|TbeB9`pdB_`TD4Rs!4=$bXfDj2YT(7m5~_)(!GCK+a%hpZX$vOtnEVLi-1G= zgDIO)-(qKzw4Xz*_A@Eh7#Z+~Fac)Qlo-GqI7g~y5PIk9w>HZ-A3i{oO>~|wRa5>o z_dtd<=Ry|*EotzXi|{%1OpoxD$+(?n#2bR;)Gp?3xS> zQ=Noguj_Nqas4zUHrmJjV#-LN4fgzPfM;u9KLC9-Y7rhF#cjc55X8J#h;>?gR<0TS zAuoSmw(thw#tL0}7EYCeukrW+@azftee`kPpDk(>7XuZalFZ^cWdrDj^wTLjjoZHb zEOQu=wfj+DbTbj&j29R+;Pe7E79jm97?&y|Rzh?izZWw5-yIy9ST;z?FrrD-!WzIO62*7I*H?WhMGF zNo+3rM7bGHiHgT!#&e633U9e`1yFis04Qo`E_&1eOTAHmAsvvP!OY;$(iMFeH}??D zwmhEJsS3p+rH1X@LnkYu7+2$7>5!2EW-+n(E>_3#9Sfa)^I9R7x7)qkJowz=PG>w= zS}{1D577gt=4t8~$Ix9xB?`WL=xH3HXjM|Uf4(d>^xI8d1bb9je!U-_^s%V7_nfpWg!o}fF7dz4iQNPEzw7gNBT);*C;m2pV=BW zl-o!X>0o!7h|ZPpu$YDdB-G{zl44KhBDCTnV1jGf=91xZV{4_qtIFf}&KRI>_F4=1 zS@1OB-X%kNfwz$&Nb*_ZA$d0VcQ~3EYU?;GEA5X=H5+=pFB(3PQQO-ylz)TL>P|4CX`%J_NcoEv|U^xby7sI$*z- zg}t0Q#i9;6bVX_16iY^BJy2CDaeS?9M0RaSw!uYf3)$8X4a+jw| 
zG2tpT<))Q`wMr@%({~+1h$4SMsRxwz%|9^*;iNlCW9>5r?cG8s|VWDmR=s#wq+_1i|wKA{u$*1lVZzrs(IA zT1EY-1#5*oFXEN`Cn|9so z0r?tj05Yljba!WyuA@ci06GGBz-fd?;eU3VVjZeiK|Q6uA=BE7=eom_zJGG%au@iV zte(j8>+-o^7jgss1|u9G&sXb(0Wi@Y#yGh83vm8X49M(}v&gZ#vzuYH27ZFL91B-v zV^1%QadDG3Pf8@4lOYV?<-Qugd=DgH8Ic&;vt8;SG9L~w+~Dn?^{45sq_z^$rftda zT0tpP%6Sd<<7(1R&(aUao_QkQ4X`kdf~63^%%{;!z=VvzchU$fbP%OWo0a^5*m2?+ zqJuP0W@L+^c7rlACYX5~oHpLtySY?<;~V=Epl7N%+uINaa4T{VADzNiM%ne*uOBCUYcyA;COwZ(qi;u^!(33AJ!w* z9FW~s^e!mKfg8S23BCks$iMCaKph?je*}%0E+&BLH6fC4n0fm0*y2l+QJ!pJl8<>2>ZC+Ciq@rRy7)kv}HU3Fv7; zg%x^0C>a@4FKK0*N!KE+hPxGHn}{bRUC$PD)SnfQmbFLBe%D#uHVZn!_&XRoyK;M! zIVgF&_#M|U^U#1))bFXJG1Ol$(<``a^wnXo4Zpg#R_b!12kTh?hW1%`wQ1{KpQ?uV zdbFGB)r&ti0%UHjp57U~Bo1A-&#?iJ)iP*n4QJWoSd<%)L#(>k2%{19f5qLZ2fH7xX4r% zw|!!ab?YlYpQGFLszQ&UEXav(^0HzlM_tFF&WE!cy)mIHyhv+~UE%WgSxcqqui{Fe zZEn&;+rRLh_97R@3gRyI`q(S+%H_=dew!A>f*&PBz**sT$noa8FkuvoEI-_cmKk_> zZD2OhNio^-@*7E%+QCb)ml_|*X#@Lr`tQA14;!e}qdi2a8LP_J+vO?J7nD=KS|8Z3 z?tKPm1Hcz=TurpfU4K|E_|j;(Uh->*kHpQWt@3{6lJqvdiY_3xrVnOxh(swO7I3!q zqApQi2D*@}{dikFo;5^;#ee%@a?Jv@{vj3_L=ZsBP_e|{Ejm6#gNTI-E`VDg>CXJT zRMDO^l49~KbL2J$&iua*zIW+!=9@|_n=!D%s!D%{?xc?9R;w3G`QTecF~+j8U47N} zYtAXeWZZIMCAk3UXlOphuIv1&Ie>NwkB%u^Nc9%d3XoS&hTl?H?xrd%WD6{=`*=AD zi!qnb_TQ==-JrQ{wFY|3~BbUjSo6bWSp^ zO_!b1)m6Q=h=Zw9c)o*!Cie+1^Rez`re^yu-#3w+dDWgacPqaCwnbd&{;~Bz(q3=2 zXkcJwUll`jT)I?N^ z9|;K1%S3LI>>Lg7ohHb*?^%=JI^ZddCg$*1fY8&4t%^lV%Pvj=^_Yx}3AVQRsd&Z^ zx-k+wfM< z;rXB;ueP}d{QO@dgzgxwcpCnz0ye+N|BJ`;x6jq3;vyi-a9vK{ZeXbHKu3t1GeRvA z*QOBwFzsr=70npu+R`cB^RDQyc-5rO==vr;zrj3#1q5KWEM$WwP(5;~XCIY2p;ze8d}rWA)y@6K1C+SpH6^xaJ^}5SgyVC^J#N<4*9|zT zS-okgxNr{g{X%KXrJ2Wn#kWFC|0~&OHd}CPW7aVYcQ?Dfw86PtL8?x`(wdXS|WO3t6P6ia!0%A#rtT!1X=^AQZoEd>yJaapo7S zj(<||=)KID8=Lc|Wl;5H3-^Fxwzni7)o<<(M6#^ISEyODJ#6g9i7HX!*T36%PI|v* zJ491^FsJ?#SU>E?x_G9@Fy$5Csk5I`qI0{z=nrcv%zJk+&=qshi*@#%IV*zLUlUfg zmq`fD81LHW2OsOUuwD`=HP2t3W~tY36%^brj3;fjCJmW;d>Q(EaZGmSYnND5erA@e zrN#3@GCZbb?yoQ+rJUwEJAK+P%Ts)d?f{PAdm&yL}j_*oWI{_%D)zcPzI?2B(p 
ze%o6s@o`0TBi$rRF!}M9iug5T?bLnw^_LTK2l8F(C5P#XdBz`oQ;ci-RK=dN4f&7^ z-8@9Jqsbk4tJDZc`+vPK{@Y`<(h=&FR2z{zG$J z_`7NP2vd%_@Y5IwrbCBo^_)5Po+GlIlhlf&cgMPqKFuf^`Ow30P~U$C1lODG`H!~G zqQ!jcWtrPc<}2_E5WMPOsj=&&>WiA|Z-!Ez*V)y)nRy#%+Jx&1I=}R>RHZ=9bl6KQ zQ2J^~<$%)02ZMtJUyQZ4s+K;B9{3R$bTa6|68;96qY)P+$=f$SL^qv5@-B_NkU6ZR z$|bciG|Bl)&G5{PV7VM)zXAxqIdT>rTCYo9ooJmwa=A)M2b?Q-R{i&`;odv)h+BG% zD>!OSUA@rE>16r)^$lsK?C=Opb@`5tXL=lO^;Wnb`uaBgFD4Bv2*E~uijMVl)gI!4 zL%pT_H`aSixCI?_g4l+8%#cOD*G)b-FWxPqB8c0N#l_wY`?tZ9_Ae}j1NnP6e)5}p z%|YLQSeq$%UI|N=EA(~hxY5qQ=iay2lrG*Q=U|S^{{I3PW&Iy|5{inbK4jK=r9%7e zAzqO+4kCPdcG|JAD9uD>U_79JcWKCp?QPvWYE$fgF5-rF&6|$2ggJDGW zJ)sB*QI<*eC6k@VzVC+Y%ZwPqEIrrfd*8?LeDC{ye$R3Ij^q3LJ@@lGpFfo5V0zE> zeqZN#o#**lh?jxvdGw)w*Er)Wch**HHVT(9}y$(bI#(HfdS{&g+_e%%~O@- zp*x}QYz@H>D^ISq(V^BD$L z+9(tlK{BSE%Cy_e@CDuC2iZTSHtHYC?z}T!8v~<(MtY*7Z{Eh_=t~7O`-xwC_mL+S zc=^Z6?Jx9RzLvVzhCFyrof14B=plkX6ZW9)-m8n4iJL`gH*PU`_}U|V+DG2Ag`c=+ z@I@#zgw4ctTV@<{-73x#o_+VrZ=nE*n=)#uNeORz2U{3$d6beM!PPF$eDWP!t8AO+ zXL>7)1U-j*G@tU5t6gUWm-f*&DM>-%u7cu2qByBvCB(m=<~d+x7d~M#>i|P@GDw1&NM!3zg*L1h7*sh^rRt<8INtc1r4DJZdyn= znA2y_xnHdD*x&b!#JG71t{zcy^O|y)~~CI8A^Q4LV!oNr~ZEs!b z{YqrHA-b`GQr50fwx6RY)*zwvGarsxTKL+2ma{ZF6^kP}_n8Z|pax6Z?jFSj0al&%Ax^!5%J*_V z?OoIq8XNcT*viKrvoZbE|LmLe*eyMcd)%kGF2!axbXb@;LT8w4D?hh@Cn{}0XC-p8 zVzn4)kz2&}Is|)T%qzi{J~t_7dpiQab$$-(C5>JkE-yRzIaegPpJqC}(!0Rr%&jC_ zDvDncHkC`xHq8-eW6Ru0x`j$_gSk*zzFY*<%w!)8luIGrmoY}T-IeaiclVyT|NGR94Y28i6@ z1yis;&(KvR*v7*(t|nfT$8Cw-WM;0b>H95%@af5cAwrlCygW{)JeQ9zR5cXji(w}=ye&u*dvyugq zoiHf7JH7~%()#D7XsP-Ip|FhwKuO1_N$$Z2fN=B5dA{$62&agl`%Xe6*F7iF2zA7A zlBBJxH&U9~GlSJ~71$xfeX8YmH+(%2VT9S>*Qnh6X~=Ly`~#VTuV_L?Wwt(%%#e48 zEF?)H!y>~A-3$r_YZ!N4a<0nqaFpcfCQ_Sb|8UH6htn?kMH@;Q$gQ16L}14fDlt)l zlDn|VeNwKkFTsgih-`-lL?u@|V7=mcutGf<@CPEsh>M|O)KvdKK1OXEcE4v^@9Th8 z$i%`P%Mis;E!okw$G;3I2;7;whWquorASY{s!jS)6i-Ts6I4i01L;_X?!z#G_NiNt zjLs*(E@wPw*eW3UnGe9LVB`;J-=PF%Tmdzd1*HnG z-^&>6%;T|^M(!bxO7}ZQT3nTxuVvI*duObw>E1s#Ma0 zs>G=+2D-zH=MMxA(Q5z&W!kq1K0aN=H!wR2cvDO^Ds@&eyFGDZYQl3r5 
zjL6r{ClK0w^$4+V;vfXf*e&+8_nk&+ztQ)CMf&Koyt|n9CDb>~lkfeC>M`>BK&&f) zX+EOG^B6#!HXg@p3FE6q`FCOj#j2c;3hz6$QhN+)?{%0yJ>fhZ*mkHVGEch+#t8-U zsAl;1GD(xDRbtch32Bd?&DJRR)Nsz;)yhhT_2JCBj+4nR0NDa6{*fgJ2--Cn!j^WC z;D*>N{DBNSY6K&XkSFBZppWE9l(JgTj;OG_jMC&0-g^~PA)&iGfPb78w znu9J5`?TVEvvXazRa&arh88MQ4XZr0PJT+vcCS1F<6F8o2zA^)NEe0G{sj0*7bzzw zpHQ9&FEL+H?JzDUfW70hbeTJaE?~i`qwe;|@*0Gc6Tp9&&OHA$y z-=2$(K6ASF>RfeZBtlnT^-BC5MnQs1rfby=K+NBVDR8leDc^~-1sZle{7yXhyN9b*~etihIL zWWS+QNVRHn75uP0{-9LLJtxTYl6Tl)8C(tQ6MAz>b|a(%sI8F*c0`%8v)pB#Ql1~b z8Hw(keBvNmQqnWXy|HX0{stALg$;&DpdR8foMi^wG<;(>Sc-ka z{TplVmUlnxVqTWIq#>b_c(7jtz zYLwDe@uYnBhLo)Mt0izKO|ZRyL&Y?(eXa^yv^jknN6m}oE#5cOcPr&GzV_(t?e7{j zB^Y|-1!4|fG#?%j1PUON2UpWb{6@8y-9FOe6LX%6(bV@yWvt8ufMA>yAcd$?-mSfyV8iJG;rlRr(NGe07@!Gd|))C3G`^Z`Cq8 zVkdf=B>l-z;Wf!S_R#yHqFlR|^$6 zkZiTwyb{?5+!GpStR|y6 zeNYtwLuE3>tLYri#FZ})LUSjrt|c=1)Rrn-$bJ+yduC>H@QT;LEu6ZMzwsuR>eAcb z$J+X$ExAGdORznS+ggrWWa_N&sULcfdYW@A_I$z?`?QhTo#x&qYnGQ6#FyJoFw85s zJ7@9X&r~v3t0<-fpqS4Zik37apZCgs^C9u-KDq%j{}En(5QcID+yUJ{*!NV_1F+0d z6|0r?0oNf~u4;qbXK~FCemgVG^>3US17Q%hK`2pJsxoe_$v8T7@^zL`ab4V3V`TWl zWm8Pv9hcyK!n>^#G;ak0v=+=BKE4f*J%rmta7~Q%`N`Iv~CH` zbq|mOJy$wSkWqzGkXP|n1s}ORP)%%a)S<*^FiZ#aLo3W*l1~hjuN6J3KFW=ca&RVf zDX%io1hd`o(u69l3-aQ{lAXDzMfq@xDWe2w*BIyXaR;~vEq?Z z9Lm!2-5d3tsU`+;QwC?Iq05WFdQI@K*~lSK{O+Gt9Nfi0~!@}kE5*(mfy1QNjqlSTmG+z@L-Xp6=b zDU^54nt%T5r}f;gSuXLG%z4}IoP5(~?FEm7l{rEy;VnX_Rdohx2pI93A+O;*!Au}V z1BOR!1}qkyHy0#3%8+j1v!UEf2 z0U|V!*!$jZ^6$>rT>gIWGpH6ke+FP^8!;cTH8!6REy$ac`uo~o@rqN^_bir8v8eh- zH@a;7&kBx!aMpB-dYTxp*wKVKL7hY~*;y6F#Z~xsy>v)#f1>sl4sD~0`0;c)_?}%f zq!WBN!C<5g9uE8cD;Kreold?*3@)Z>;7%mlB-ECp->1r7F9mtNR8AXAbbM?`3KI{u z)t}UUG4}*L>@cJOfLKkpG4_G{EmgL{M*M9m7cKi#^r`|fCGUm^pT0yOC1uTeJpVFP z^YArJi(G;qBcCD>YH$t7O5wubnqr0S+=Nd|zMAaWn0gAA`dZ}wLYU246KaMO1WV9{ z@NU1;F~2jJ{5{>@*_;@@cyI8$YsPi6`HVP?`JT>&1)cJ!mwl{Gc5ZVlL^9w`xkqgtx|3DQ|COY<{iI^Sw~V z$o5qkE%=@#PP}E3+BjGm_R-cwjQyjQGhOm)mUkZG1-wn|{@B9V@!7TNJNMTWcPFQt zpLa2L4s=Egqy!65{z0Dx@;=V+5NLT;C7y3*Q7?+SrOdTzQq4a=A?4S~yHWIW2cC+M 
zr}fuA9hAMpzdMVxAlZXTsu{|OamGNwci+ty@AWH`7;l|Xdc^zSw9YTx`i9y;W$qNU zE1{auD?q0N^l|^UebM|g@%gV-HidJrxnR>ycF6B}WerJhxECZ9e2@8xP2dPg2Ju^S zlq~ldc?SP7se|?XS4w2(wW#YGRX4sOW(HpSs2#LDnfwFU48ULOFn=|rMG`A0D9^sQ z+MAe|85_C89{7CwJ?j)fSPtcZNHHb{WL)ibB$3)-H^+J`3#;KV)viw7C-8I`8rjaU zg8aaad}n`|%_3aU?b;Ev)Hd0;2;Id8#Yhiw$TKWUycNx$T^q!x?=ihatJysCdouMa z+ay|_el^j{`6UV+1=!-h3{Qwv~-pi!ueA5aRf_1u;|-dq>YJPKt)3dlcQJ(3V~ zOMKTp_wh*#FWHbE2rJY%6R($~^9|MCl;jN5cKm*}tLdYE=?&(K4VJB!(e zXZQO^C#-=kXL~8YuaQ&!(heR2xXV>3xF%AElB^-*VyiIhBg3SS*`85ot={T+iF#LO z`D}`hP;%&ux2-mAti^nmmGXYilL=VJNsVTFjub`c%ch>tpS*uTI17kmdy(u>U3Vg= zO<9cIVK_I=Rb6~y>1dPd1XD_5 zUlD;AKTL-Z1FoOx#-nbXiMX6_%4$=bgmJMvf)i!{m#UxzLtsMz1lMlF3sJwua|nND zR$HUTU2l$(pS&C!nXB3%$7z5A-WO2mt&YBDixPTN-rn8Bniq5&qlIx7L`u$stYIV# z+p|_U#Iqd@0}>-jg~C9oKrP+FIZ~e0fa>r`KSMmV7egzLiY$W@TiTQ5ZJ~qja<3=+ z^4mQh5xDDff8a*f9mc-fq1o4msTyPkoN4!3BMmXo@pA`5r}VFANz~=|g{5fcHvu&a zhohLyOte$hc^pHO2Iri0jO$ci#p|=j16*sa-|Xs~?wsh{Jb{*~r^IVW>U>ftDXw!H zt?#tTePa52CFI9l#9|?YDo?WyHr*jU1QtEu8g%Q0dyd{mg)jH26ZMzAFrDH~$)@r+!A@@N1H(Y;1oJTwl6?B-Ynt)nSmO)Fc3YG^?k~j( z6wU1#Y)~~EfV_De832`E28}~^jnsGnIgJUJ{)`+hz;l43Ap<$t_&90|4FA^@f)FM& zcbce;u!FI~Vbgu+<^V|qX+`<8qfi)hMz5eA@x-z#fI!M|537|v{rKMYABfomz;RAM zi5GUrZ^WBrj>xzjYPvXjMH*9#nzAC80wvl-f*FpXnT_US7I^d{q~)VzbY}X)Ayt;h z)WOYU2HzbXyLdeXaxL;E5Ws=Hq^gfn&mz8Dt80Am%w4*zAG^r?tbBY=$455^OQ?p-l)Hw6;QIbg-Xy(F(GVy?S~U zJQZ9K!ZloA1hwf{2#^p1loT~aS3EC0wFEb1UTzV}4(}W6bbbE7JMve=iGaj{bTWuV zA?ZjTK+qo|-EuvX?$eQ(LzEZbXmS1lM9XTE0-5x8vkxR_vT-*JJtJNPjU0&rC5eKe zM?)1;{2SeVJ{ET2vyz>;Ju-D>_hw6etb7al5Hy%wR^0-dL}87_T8#yQhU(NT1aD=3 zY~zZtawg>F-FCdgyZ>1DlAn4o)vfS7+u9sKp7K(IjeLwa=ZHVugyF0B1L0pcI|}^u zdF>3|GA};u1Xo^| z#Id&8(oySb%G16|B!KhK#R09#AAo7cPz1t6KKd&7%&DlZCE@|K9)yPvKsOZ%Ow}0H z=ExjMRAV;qD_>X(0Q|kE3n0yM=XOEBJO$f0MD5Yomi_zNwG4qpru|1Jha^rI0PkoA z;IRYv`d0XvMxG6o`wf1W_tvD}ioiR7*~VUm)&OeqLb z+YnT(oKENZD8I!j#v}QVMwR!)l6--5%U|wi_Cx?_mw19Vrvz-kkGvJgc=J6~+}Q-8 zcSN)vMfKlbGhvv81IF8-`dm0>e-1!fhulYe0a6!rs17}i8duT<;-C_)e-%0)#B^2jaa3z-yQJ&l}%ke 
zvI=IAje;P8TG(ixjPGaI0|+d-$>%7dI9rFPU1D0$B@=Z9vM?dyFd5!=Y6IRsMm}wy zK=g%n7$1@Gj?~;yAM!3}nNiqKP2!meo4)uDSAZkZIvtyLzFzi{ByMOvq1hd^nBC^d zOcuv=izLz%ZJtAcu6E(Zt{g#x zSot2wPAP1l#|yVz@l(;r4wS0goAQm6+Gp}}7rdi_Rmkw`xO(;&;yoL{u12YFlTVjZ z8Al!#AoNN19m=eKJ(#FO`(p#dZf@;olj9;*zN+Q|8g9 zk@s-f!Jt9J)I#NnupKRa))c_Cq~XTobERYX(v!9R;O=@MPcq2i7}$IkoCD*GiW;30 z&|q+x)GhHWT1!o|o|v9F6nVpW=sjf=9)^8&rI!A6$Q7mIi=8M(8KRifP7?}>fMc__ zR2MU$EzTb|%-C{Qk9>Y~dk21Ed_C2?+Zi2-3`Qm~3bgCqErEE!aF#&SSE`W#0Gpq~ zDG~}hFn~ZjRN9G!?*HbdzB0B2se~S_Oq`lWk+{KgFc@kJ(ivTVFqN0I$Us51flQMO zJj~ke=v+!PNWRu45*I4Tdcr}OE|5hJa1ZsUA~*g(JYhsJpQ`d>F@5|9R!E!PPua%7 zyRI*$Gcq1s>EM0rY496t60z);6{v|Jf&*v^z=@ORn5&;Bw|wM1es4t}n+8-3C@@BKVG&{e(zC+0h11EaT0( z_}W1A{T2?ZmCSB;AcAl*w89@EnF3DWl1E@ehnRw=KLZK=MBM>vazXO28;lL8i~@O} z8YbK!M!mPF6K&5A^mROKa6?OkP{Nlg#KC!n_q#Yap&mAXH~|+YZIRdcD3NgD`Mxa~ zg%)}0C7ir$IfvC&dMG>NCanC3dcHA)=mQqJgGfVC`st2WBGeF5^5GL}+hQ?>KgQPv zyP@Z7mOV9AQ9~kejH^$tzGpL_WIjkHcz`RkLPWG_$gQ-o*4QexCRrX zXFu6}A)71cFJyYAM@6Q`;QFFo^rOoIxAHxVs97cVNOM2g__^<-@<$-E*gOV~dt6@Vr1B2Bz9T>N)?NDan#j#!mi%*6Qc+$t_p|2h9H8(AHM(o({^`d_M34Jd^d`sdwTk#} zIlXN71F6-77NW}ZwrcaJGXz0VqA0$;sm`46&eCzR^x+Fj8@W4QXUjT~Q9TJv?VB%y z@Q3GKf8rwJsYBUJZjC3&f%v`_0jZ^A<9?r*m;kY~eTM!>9HN?cjycF zNsv<0G#K#Q?K1H}SBCasd@iHMC#Q_d0<-MBu*P34L~l zC1{OJM=LX*FWI`L9az3xxEAHH>^JAMs-!F~IFc2QSLx#Ce0DD7^?Zm5yWX`6uT2;V zEr5$y*+ZvGB@L#ZBJa7=6i5SyZ?`Yxjo=ZVI4kRhKt0Qb8cbdCjuCKoICoUe;i?i1 zNo8EFN>|Nr=DYC00kNceadrJE?~NsPKe}fn>hM+-fD9LjcMrJRFq{|lJa^VuWV7hq z!p+!LW&&4&4g`|;RMOiF4~z0y{SaX@g0AG5?~0P%w$HTdrI{3XBdsYQ$r=qQcl7fu zn9&J*sFpg$ei^YG_TxsZ3YUXWh`NryXkR-jdh9vsL3W#EPK3uGeTyV}0JpU)*~l-2 zlLnJdENbK9?-PqDhOccsYbtQH`tsV4UrETJukE>QW8HN{*DLmOJ$r*!hfDKcnW_SK7$rnzvswNk(_%ASTa5hKtuvt} zHDBZ+e}B30AW3O!+N=I*SBE8b^*x&#@OVj~9CsXHrH zczQ~2LE$Xyt(Tvl+_d%0mAFCubB@m!KZ%SwaMH}WU^uDbuE5=@DSa+xe@nZC(9NNh zZ{y-CH-7!gVmG75F3)SRMNFALAzgxG#QyYdNu1+yE!>MU zSZ)))c;fE)rt=I!9LG23`4&B-rKPt;>+4gNvmBj8Q+1`cx1aX(Jk=LjO72o%`A0L3 zrk`lnHY8ka^Mk0I}V zw%t%k={oNE^BUH$DC)*McdD7Ahq{s7zXb+p0Sb3x?obWbWPDf2rVbWkred%MZN}g@ 
zTm^59(m0F2SmF9IgW@i(ng5;?$rI{$lT-%^lJ76jF&eB$M`9R`yFH1lNwg~zdt1`x zDfM|;?bI|4=lHCmL2<*@*+qo}yd2g%Rzn6cc83_Y*xiO1Q*frM_GRL@CJ@~IT$f8v zFeF%^QHbmbn3gt=Vz9<>3Vj^fOdioJx<}6QahQfOIi6us*iS!qQ0#a+;9*#^%moWI zrUGKMO(kx)sWn|*C8fvTJBmLbyvl-3+#A^;*|qfBT7lE#cwYor4+~{IrJn+F zT~fp1z7ev$L`!-^hjZOh#mudXxULEdCG`(e#qf^NNY^5LG_k{CSYhjy>Gf9!ck5Dj ze~n(|(l(S+P5cajWI?`{21P@*pCv^7#m0jzbfX!ZG^EDlXO0mKsx3{k^1bO}H&nJ> z>wBJ!IUU6vK3(u+e!0d);yvq%CNUc?*__U@5(ZM}jJMu^&uK|p=PJIGpCy@HZ|Uyv zK8V(dzlJZ=oi2D9%&OV;WcaqGKwo&HIN1Pao93HCRBfx<4*NJ)t}v7J_LKF*)U=#* zvqLoRsk5*7^&dRFy7t#6W@tddD1|U5&oKY1xSf`rNEJd%zR*K~Snl}I0Z(O5Y4Pc# zSAL=p<>i__E~G8-(_+G@Nn(8)Rc3TQ(4}1`b&$GE^>eKBIhXSO>EX)|8h*w3*s)A- zC5|!3fJHQPR=W_f)9POxC0(+(o0Dzcn00i2QC#)*im!w9?_jU=`UTH_EDejD&qpBY zR<{$exfAbEviHqk`NxG$dhhev=Oy29XgokDwEX)6SOvq~fQFbEV}WSOkjCXGyFoRm zt5j*`rT28CyE)Fk=y1qFEy0{OeB^%0ry#jmau9I~3%HzD@AAY6|M6Z+=w_(I1LC|NbHH`x`cSlZXe`SZh@V|v6&YZi1Uv?654aAbS4 zq@}i7DUG@Ct@x*QBfsh2eLnJON>|j%4ceBH#>?wvyDk}vBoC)YM?*H%&f%Fl=Ge9Y zY5seV=m=TKTZm?PP^O>^NaFvb%@N+PU1ZoolPs+)_)kzJiSJtx-Rm6s;uP{D`#+G5 zqF?J0w0U^*SftHji3O;Z_%{6GF`s@M`?g%*BlW9=rk_{L(T%m`D%Z~e9mw+_Hev#v zZDBL*4w1HvuP;1{cz#APq0st1Z>v=mBQwXjC-oT~n~UNCMh{)n3ANZj%N1L^bgpla zi*LfR_3YfO10^{P$c)I>Grm_L_OD#U{>M_}{}l}Xuld=qGgx=M@+N+JJl|d8|Vo>;2xLOYD&l^S?djtQy%V!SdWFeXJw+!uo|p zB^t|i$mRmyKZH?ZT{{2$K92sM`Ua8%R4|9`GR37)!rd@?E@SV^bIDL}FNzjqNX!$c zRlqVFmzf-+8VamX{H9Q1=(j~{+5h3+{{y~tw8Z~45BvXvucJ#acCf>XV{pO=Fg6@W zGVfB@uikV7o4|5|+Qbb#x^fXhzKmxeM^plIPBs9bD%hK0B4JDFpTJ}Q=*G$xo&SgY z1?-=x@qgc%f5D^jFT6GV|Lb-QKt!G)OXD5ecFs&8U`>QspXomk`BzG(w0PEcl^mcY zfpdN&5$exB5N2|w(jr3}ef8*Dn)FeY&xIZRkRAvaFLDilIisAFF3CK$Uq$-MfYsr{ zvieQ(E`v402Ame@gX@Sx$^s?8GgOt31(_90mP7iJ8|g|=&zIRU{-f@3#DgXvWNUtr=l54IcZoNC2!9A2pCdeo z-=Ut03X-t1>Pt&dVcXA?josSVvDwCWdEuA{EMKVK#rp1zJ*bYhSUj{p?V{|*BUn3` zueHe%r1;jsSq-~sFI67|tO&fbYJWlkRY|%*-Hn%sG=83bY8yp}AWHP)x~w!Ls9prx zJihc?9W)6k={Wi!GLjPJ<1W|A>Zzc9d~nUoS;Ltw-NPa3g|cd_wnyO4AUSrergaG# zi4UdD1a8ZGO4Zv(;f5KtxgneamiqTECbT9>(2fV4B+~%%%`wYBx#lxDQtr_dv`Mz4 
zy9Yn$;+(ci%uOdX%8VP&r@hR%5hP4Dj2F-p_}X$d@!IFv7Z$Ohc&^nsz6N8qO&^jn zF<@aO*vlQO?#CyL4E77rF%2jRrA|1We7njfAc^0(XUwr)ZdkIx7~mt?!u@L9C+Q%$ zOLW}(u%Dq04319#a0{yK$SiqY3PB7t8s2Ne{66RqPhEDlli<6eccW<~%f)k|VBRsD zdUZo(^eq;~As)UsxRsN2;cUCwa?+0!$^vb$TpP0AX8d9~2j@dAbp~4)-?OLPr^LkV z#Y+eE0GD*nftY=|KJoMC(bh6G2n6}cb+>ve z4fT80m;`u-ae*r&dNMS-1K__zh!I$Ul@=yUW8TW;ouxJH;+&=l{?fVD%*c zo6j)=I{$+xu^#I--J9ET#-~xa_1Y+UW?zznqViUZ z2FnKChsCdB*$vz~14}I27-?i7->W66E?#YLaL$`> zy`n?+CB_wZQ~ak*eGNm>WUzWU!I6@z03K)mOmdbG$v0w8RW-01>3*30{J|M{4m+5% zzHq$cGK_CkmT2B?c@VacQjnlGymN`e3?d)nD%Z;M;`=3TF$_R~*uy82TcJ>e64z@Z z6;d$0&>Q83k&VrLA(onN&ehOnjS#!=5mbY@H~@dM8^P?AT0(xO@1esmj1BJih}I;c zU6Z1e&lBA>2hUU<;q6_R4)haR5mI(CSL7WHyxgC&3RbqWnZOY3R?<%_Z^i2fr3B9q zGAd`-#Y@NSRI84bgVkm`2*-&I3#uZ?*p5~wH}vx&HFkNE!oGqxQ+>nC=0D*T2j4N_ zD8}Lnb@K&GR3AWHS%}7){yv|m^D8#=O_#97{%_w%A28t`GpWHVMP~hh+^em9v}@VnSTCmYwh-2tJ2=gsm` zLK{REP;65hK!t_u$`b>?SvWAy za`3qdi^$orZ6hg?jYp~6WXpa98^z@tThi!r72kqocbCJTpU{@kjtyaRIjX0g)SGu@ z5${N6i`yfnDvoaPNq)%X{}oIw*&hc;hr<$pgQQIo)MeyLwfhdS&u(r^revWWgP1_} z#K-!p_i)$Q#+-E*oy}hoCPim8O09 zhr!o{j)I@rh3GNQ2}eRJUcB8i>H>~RYO%CUuy>P|QS0Vd2)$-PQ?c;G7Z6BN;QSf_ zljIA;j1uC>-fctTvrjJ#y)M4=+SSRhmaA8oGIAs%`@`pOmNTlV-+m!?a3xmF@SmGO*|O>WW&2Om+3 z8>?Dp0k6ZDIsp6H7uyK2)(Z5y;!;Py7bj4ab26zi;+!aa;gQPot5?x!l7yo6$*`Rm z0L|03z}Hs*DBy&moSs@k=XSNMh;i~rCYyMFI@$Ce2jRbpn*Y{cja8IbAn;mbgBm{% zZn&-vTx4u?t}L6J;)*8GS)*1v3u$pJtrY>A_j}#7cYixGJjZW9qh& zB=w8_(&d+4K(JSE|GrF#k7~WUk&UNty3V^BCmu@J)hn+k17!Ug0DYa#*?`ib_Y%gZ z?hnc11HNs~Fb2FGNqf^1u@coe&!Le*bjJ$t-^UTE13nN#7^NyDm9r$@ z{7EuYMp7Xnl`TP$pmO~cB?S9pe*IJkGMDc~<(p@n>MVBD*_b@^7B4XO+njd4^s~3e zu5Y(}bCLKhaFup*Zp!o}{HyQF2ceX^*3Q{^ED0;{*b$N>-b|6$L^|$tw4IU>6DK(P zW7|ioHq`R*1@naM?XDy9MN>#nM^Mur2yAm?aX5nlpH!d$6Cy=z1>!ye((q2kSQZZm z2XRC;2J%JtxNEDe-N&isKKV{;Mo1?la)aVa@>!8c8QDQ-_xP(C|R55 zhN)MHe1lJTS!?Z=1YfoZc^#E_Pj)n;qBNibY*7kmR``VT17ZH!50Ym@+K1}r)b7EV z)bzPSsiFvY8#jX+-{TTTZ`r*l(YxYQWuQ))Ln#hYL|!CnW52O3wh3|wO5m@I%TIb{ zS8o#f)r#{Q-Qs#WwZ8X4&>8Z;Q63dhFl<+jhqruFQ9qaAnxR>8{@mj8jynakg*-oP 
z0dOptXmD^xgO!+3kW({cJFs{7F=6>em!16eq=}X)w#uNpCJgKFtr(I98P-Vjawc6T zpAS*B;!ml{I%4vfqN_T1d19Lj_9FCa1TATH`6uupE#QcjE*QFq8+Hak~POFsArO2`7JN4w#)WB~Pi zRlSHJ@$7q2BvTuSVD-TqymMobjYJO+`MIf$3`Fp^s3$;y5@grsj?ASXUPsJ^inRsT zrlX|i?`B_{H{U^R8G$i4ycy1ncOY|A{M(-?)~< zMX6kYpLhE82hzv`U4x^6h0*a$FFcHZz_fcx2Lh#@n$Rm)2l>=j z%|s~nRuZZt`noOMr}2ahc%lzUpQOatz(P9ZI@uSk6*9W4erKCLEw<(2#d9X8hVOv0 z)r2bRYj>BMA8RYDWMhY=pzM8BBg%glcKUOY>XwzqD%Isop=<&Zorbk1NUY2)GUdviQ@MGimby5UmuE z8f12Zi3EHFt{&8_!9&c%|Hdw-6cKap4*N*4wfrujEFC;mOH7UZCCsa8SRQmfm(my{ zZh<&hWFL@!n;Ia)Y!w*ef40b4c1EUb67ds)RM2^r#e+jdt2rYl9mC|iGtIWxJNu{3 z`JPaD$2!6mNtVGvPq-w2qq%YRP0V!*zS)K6H@MpGE%wL1rU`{V1MYFCr3H|JzDONV z!?=(#|K%l!U%?hQp^Eb^LXSw$qZ8;iK;v$TpL$EK9kx$^?VWf>{Th90PA_SH5?Q#oh35{jPBBp8tU3c7@UY+Wk0nNEFd_ey_V z|D(yjc^h;7_x}4oHvrMETsJ(&`=|z$W0Vj;z_Y(cLwxuj+J7Y|c2s8oK*OWE{y_HZ z%>GT;7WL2A*MIrpU^RPUiV%%g+N5ADDy6QRL*>K63`vYUpF6p8bEw<`AW7N-P8IA6 zs=a=WXn?eGFGToS)|edViXybT=6qip049qot-_&=4kRcS+;zfpBJIM)H%Y=1+}>E- z&-K^Iw=s7h)HTOPeL@V04JXMXc$vuk1a8-{S<$g=z73P%$9~(Q-miLB#BqDYDiX9? 
zunAW}35@<>1I{tlE!!Ly{;_B9T8*>RMEltf)y$~5p;vMjV30_@ggi=dF0rj(62b62RVJ4RyXD{z6|669Df@D|sQEl= z%ul3_4kyh~D1HbapF!*-_@lyYp?n2|ZY?`tU2A%7#^VQkh2!-2V!Z3_QM3f@9(>+> zD`SBIYhuJDERMeN*qfl2Onw-@z8mXDbUWk7wD;&Tf|7#w@jO zJ3BHi@X+I%gD>Y6+=XAdURF`~we0#O+ROaWpVZ!Yfyf{Lu3Z5SCwwG2I+IlIBbkVN z>2Y-xw=Lk)GgBqCt|m;q-;1j3Ym#?>>+F4Bbgv~iQ8%trq5=9I6){I6hPNVa!cP^K zL{^bFk9oNFOdU9kL6LSPNJ)SL!*sxSfo?o|qZBc_Jq!99RbJ^jq{IN(hij$Xia$=f<-@E4!acbsvB&(tkv};&aHGQsFn)HzF%<`!7P$D` z-zK;-aV5^>bJx#hruHcA-Qi(((R_@U`T+T+db??8KLtjf!lfpn8PcA9KEbPmVxqL}|0&gZSQ zR&$s4FUrsLhKn-x0!Pb@A|Ha~<)hq%M%+GPYzSr3*N3F#-n4|Y2<+CPM_@#K*nFmk z-DtrOEa;xxWPU@AuU+=c_QcpMMjT9I20`M*RC9;#p%}YyKu%QlL1ZW{h&@LZ-W3(ZjhRbR&ynk zJE(_F$&6!9YY>EDL%KT_??Wp++l-mW_QWQ?#RLXQo^$zxr6$HDR!5q6+SNf@iFfTM zaz+Q@i(!^Qo-QDgbiWZ3+@&$}5>)!82anvTUiu&da8X4-b7zKhoVe4flywmgi|{G>X>fSZCtK0< zeC-`$89Z&0Tz7Bs7kQFT-ZEhN#%SRp^OsarnzOs~_O~^m;F!S*bL*R!(jm%$qfdCF zRK~(VR0lcOeW$cn>JQ@23MKDZ zC(_IHJ=q8MLTOeI&zec&XLm@BI(~!0uHa6@!0Y(RT^&Ti<|4@+u`|z7(a4=O$ab2j zvDH28G*%KER`WRIrc&yCA9@R8pFV~CVpLV%X3{5_$;yP6W20$O2OlaBmgn})EkKEY zQgZdfHyJ9wBmod6KRhf(&D}=r>OgT5@UjBRY0&RDiUD<_1no}=v>}M5KPYjq)idI>!9p&|AB}ANGeMTi4Qe! 
zc@(x&h&enTtTq@8T)5rP<3rS_@UlOUKpilG=0vqP1hr@H-Bd^*t;i24*9QVBy?#bJsnYd9(9J=FDM0jH1v!jeg7F==7&eV z8`lXolU+K~4qIcbbX*tA9SlQZH;(<*Bij zf43=ru8lQfA%J_%@q@+bUy?LoepaE9FTP(rsXUo07OY{5sUx{lelE+d^z1GU1)Qe1 zh19@xxlXN9vmLG+dlOybB@!8gkn} zOF#$KmBHUo1>}Myj;TnX(HMIaJpur2w!bk%SJWt6E!jGcNL}!ydqflozy@n*nv+N!8@`1TZReZ6CSjPaY!{+yG2 zyGg;u0;{y)4)#|cXdUo;9IHY;B^KD>?OIdoeuZa?y-OuD)1ECZ*6&h2M4(RtIKgWz zIhJnzQ|mN^okH_?O-3Egyi=pW9MQ>L86I143D#%tJ%ilVvrUl*e{@CIE$}brmkac_ zc-RBiBxsAq$V`h+CX1avM3v)mH$C9Ca6)+OO)51NPYRBlS4>5AoP22qFpyf>9thjkHNDA+YY^dAaYrm z610o3a%)tdI4ItXuHE}|@q36WAGHSN(l-g$r)0t$QOC(1Lyb_Ux{jQ&-$2yL~)dt*_NR8hq=)@Y;_Vl2FQqPoqq*7Uis`^|V* zodj*KPQxb6sal4dlg@mMuN`t9s1HX|OJ%565XOWDlu(VcWZMRuQ9{(LIztPg&t=xM zymRcf?*GBwdj~cBt^2>B2!bFWy+#B?nxKM;lz=E50SjFsBE3tMk|0QL0!kHvfTC3C z2uSEfM4GhFLO_rbNGKtY;{CYK{N}g!K4~ z%e7w)7*DbB(O@l%H#sFlla2-E?LTH^V74I%*reFPiQkz^!th&i5~4>iY66pzoW2kO?U zMI~MkPgA_f$B5E={ayJ;b3+E7OJ&w_aECCQVkrp*`f`bs}SzJ{MI%*VGnxyRo>=7=-|R$ayg$u}6jg`1G(cgWXgG!-Q| zwfo_yyO2C!d2#upfyAA~)lAnG6hH0ptLxMUw&BcD8nQP(45)$1boIJnRb z3o2l)Gu7wLTGEt60c+M<$8oyUK&0LG?x36R$$7=g+G>`%;0ll?pjo1^tyn@nNAQK( zq04sSM0juk)ulmD!z*&DRczOY!{y0=YAO9-e3%h-xGBRy7!IUppi6t8lq~x zFGV_y2a>Ec#7Z_YIVkrxNVftoUBVQ`=cu^FX+Mrzq)bR2nb0fVAG022JN`8fSpYtZ z7GMX1PSn;A4`J3|x-K+AYkKG83R+4$rqa3{8w1&Tds}A_Zc0q(13crsQ8}e&s%kzJ8?gJMeQgdkQSSk$tBy>Ih{O*e*L z)YppVT&(1@^Nv}K@c)(Gds3WMi}vI`2+S#6%U;SPSs;`XqIH?|dt%X#2$?NoqU3x< z{SGz-*EzY%w-#-5#~c6k?P$#OHk-621M(d_32@2OBI*AEVT4#*bpWG*vG-yR<+xhaT zM^!(!Oc6?bqnlVlDYy;$H3VewoAHL`ZMK;>gkg-KVX1Xnm1K6UYUrRVN6;2~{J{=0 zbq@Inj&%W(&w;^I5tlZA;+|RrsE`Vx4ZJQr@9Znps5YjNY>9n^{|@-btzC_;4Nld0 zc0)5o&cQoNSy1!(+PaB!ZP*Avp`&wtcQ!JzN8;a}(}(}PcI(eceY{9;B`OsXKYNiw zma`6>1+;H!uetkvjr8ReOG~XX?bQ>mwT<~eofhF6sj}9?c}04xjK1}V@0pzXrrB#I z5f>3TE2&;!wvYt)fDBK6$9SlwOH5P@LC_6k`~sjRm)LmY9C0vB@x{;bw9&WEK>`wjr~% zIGy%v)&j5ee0Zj~E?#@>=Yr6M0MgFJ9yPL1AH}yJWG^P_aO}WiQ6raslnC z?&{mrQsvmW@<`%?sYb*7svt^Q=(8d>)RiFp!CUdYd$+4ou)M!G!xq+0U$fKl$zPe| z?ZF))Ym#FEVY>NBpJrRq4;xa*f!sY*K!A6Nm`QDY3utX#(R{?Pp`4be*_9gt{(W6# 
zf^i;|4sojvjo%UzHSM$X1~w;K8QW3$>B~^mDZ>f-anbtm12yw+JSR9Xx1?c4EjLs9 z-pdTO`T}0a`9SI04gk*cO-z$d0*P4Uk{4j#3ZPRORlBePx4qi5(rfRpkRl<{8VTNH%1{{e}ia)BF*Y>@2i$B>{BjpKWP9S27g7p zRrazrxp?lU8rQ$8zs5l7bvoyH+eI!^Pmq%!pQ6}dH20d}Hz>I7(duxVruMWePqI+K`FGFd(QC91jA`;DwM^AFDr9HCn z7bN$;wWt2-0R`+jFS5X05HZ1(UzR8WYMkA{k3Y=|xu(hXw~Si6=doC!1En^>_#nA2 z9=#0lfmVWRcM_=rLCwM*>O#Z-BL=~%jlAlQ&t)e@7$JNXRRZ!$zQFY7@V*zoi(UZX z>Mi)6JdDkM!LiSQ9+tFei)kqxTgMtQSg0*K_BTZTE#SF<_`t6m()OXX>P~gCqk`p zk{$3*Y+Yeqg!oZwTU>;*h=`v1*!isNg$pl?>V?_9POG_Lk|YUeATV$w%QQnd$Vx;_ zAN5*bt@h{Gs4Tzqb4c6v{h3Pnxe`#o<~maD4-JRn^d84K`mxVADzdfSX`ty@9px%?VY=lHA36O36v|(RasQ-Z%0&&l{S12LzH{ zIoP}pMY#uDZiA+B3 zQ&*&1g!-gwu4SI7{(jxv9JnW(@Femq&{E!3z|J`bEaGK}&)sVga!-*cg~!T_LbRKo zo-fi*O(M9qizsox5uc5c@7lb|lMle3*m+OfnYon{ALrz?LnqwCtR{Fa9KsEVL;y24 z0plKU(t<1=9=*S*c15@4heLuyH0ZLH1{UxZVBvJTiD99NO-shx{;J6I^5-tC%*D$euulFx;{uI3HR4hY zU(6%M1vQJ^5c?HlqLdRk-#7)n*$O$9HQ(6T`s1rROMFYZLJp}RmSC!Qf}G4hHH=r4 zqh<{;7&+k^E}plK zblGX&-eOSeYa9l=W4M6ICf$AsmFXQxBFLKXhWM@&8meWE=v?4vj9=Xtuq@&oH|*Bo zyuto8q0tu|p{=|LeMlS!$W^#>^kTdh6-;I)f(zRs3y01l2p?_b)GFy&Osj>=YVwMc z`RA&)WiVi(WC=FrJ!}AZ#$SpIbyJ#(QZ=GCLnT;WJgTrge_lBilE~V9Iazmo9r|8f zf|3mf=Aiz4wa+qJ43xb9w}33~_mrsn^g}epZ}&~DIwGL({^P!v?-+uaK}TJf9YE~M zM;!;#wm$U0$VX3#FcY)A>{gv? 
zL{wl`nO^>&ejF>IHZ=15!q;}wRg4pVl$w^TyP?6oe@NyyrT>X!+{5ZznmeE4@k!0{v51?` zdYbVR7fl7;0C4)wf!pOhg+?H1y*erK(1|+m{zG%irqpviV>F+w)&_Gz;<#(T65Ph8 zuq`+PLM|m2jxMySm}*BRLs=AeP6r|GMOfB-(eGJyaZKZ$TQC}lm%`*}+lVeCmIgZU zRdL|~+ux3}m8!;N#uy{xo}tn&Ti9SLIj!^P&wE#>NtCV0L!iMb7TA%%kyN!&syI>7 z0&mpT_||ZIW+*TCKKH4uop$JqFCh>p^*WUqqe2KZV}(<#Iv;PdOj_NZquo%kylC>} zOR-rEY}@+1X|v8N?!?HXw+7%Ch#NEkauV+1HEZ8Vy+ZW&J^yxz;=0$>z&kcKYvBHH z%(>tt*Xsw>Kf|vi3XrU+r#wns71rS=TU9vx#sfB{=xJ{~H7s*YNFB+VdW&s69$~x= zM}LB|?s$#gnt;)+*92KyosZr?S(>S5^9(tPN`kvqX?CFe)CH;xCB045CP)m!xYhCA z(z(Ws=Wwmt%D+y|N$$%x54Kk|D5tNnOK%wBZmKh#sLmndE7Lo2{4=VSSx@Qxcyrq& zl08_GMA+E+K-!A;-!lkJ*{EFC%yY!#04hK|7 zynFYh71_cof95D{;OsYxvmU5G-(wvz&o#h~Y*Gxj*o}xF$e?GldH7!hn!29RqPgyP zwFafbRV4I^qE+Uu7E9vX;NVA$~L@ zL15nnQ&Q9giN+mmB9v0Nlg#~;_WTRh&y)lW408><8Vd(p0%;LB7o5KLY3=rjY7{V_ z+MvKL^9t7&-D*v`H~227Os{&v4ncE ztjvlS*B{@dKS3Q5F9`s&zMGea-5Eld9@s;T3d{jwn2zz0iVJ+p9B5eFzYgdqp+L;U z19_A(ja+7oJE)NC@FpH&VDEw?n?5D;sdv0}RGeY4erY``1TxM@Gh`CS-ito~&m0nZ zfNoE8fj|XdL^T`-WtHtMX$mE$u*-0Sz($0s^xb;#@WUF{;U6Rb%LeL-r&lqcc3Tly%RTmFsaxPOu8RhM! 
zyU3b_XK$~jfWO?ft5N)E8Tmx$5s{6|oy`Gp&+{$~hw6>9PfZ^D1)2M!2swS$9U`CN4U#CJ$ZJI=wQ&$b>N_%9?l1U)(i56(obMZzx*2 zE?k&^HCM2Ri3(zAaB-1!J-H(F$ma($iLMjE4LcL+NO=yEB5tA=Uob`}=9Z}isLadR zMbitUp?V!tc^EEX{hzFy_^xac3?ZZ-Sic8;@q-TlXq zIJ1)%!Hg3TjUTFd0MA}#@;!VN=4uRXu;XQ%|HFWv9+-#mhpdiHvS-7}R4fEd^-QrBSH0Jf{a}N@#E*>>f8=>eH+WG{xY>l!1K1WZlw70- zly5eagE)!{G#rx;y=8UkRALWYD3d<4RMJ9jEkc{hV@uJk>SvqvB7{~`av;vaUQ4|R zis`?wLRQIH4y1KA|E6MhcO03i*wY~L)$^&EI5Du>Uo~E%v449RqGW?)90F%$mF7bw|pQjFr zsMg`NlZu9(`NMr(L_WgpPJEk;6Q}nwPYt|axV;pkzp99gU&I;8Pfu#1bJ^N}-2dKswYN1*Kgsdo}yh<2|<^OTmpaqJrsHLT9*->&gfRF zurs7id|bAm!Nto7^eQlpJ9kinD_W8@eW49#5sh#P($b{>KR6D@LhBEc9$VyxSQd`6 z6w%LGJ-NWY@@)L&XJIoWi)zTSFcia^q=Xc58>>S_1Gev5+iS8`j&g~l(-3CR$_F4T zLQO`Z5sSM?@OUr)H$YItGLUbq{>xv2auzTlddtoAsY^M$mSSmF|2Pbnmn&$}KjG+C zqFf|qn!q=EFR1=p&bFRSM}14N_g#d9#3@v42X=_QZM?k322>Y zs8VVWkZ<5?w3>Gan)L^Dh$Z1y-h2t+C9|(lHQ>C+%}q_fWL_T7bK#7^u_8j03IGhr zO9gV3T%Poq$5-=5*Y6I*ymCoXxH{I$WsLZ!Xmx(I9h!gcKx(9-KycXk_=5+SY`JBQ-uYPLrl_a(Ei_yIN*zVDF zWD0Lvyk|Rub0fSY&X6FBgJHPLp1|fab2kQjU85Z9@-h<#yrf$Vr{)<3^y!wus;Gn1alH`qH%?b zISI`Q?-aR=3!V;2(P_}~VeL=aai4sAE0E{f2fA05*B{;73;(6X5)PMEBAEh1m^KM_ zs*uztzEM}U3DRehXc~po!j~j@LgGsojuv!K9oGkpNbs3qS8^7y8Z9^+1?LRChg+bU z`T$t(kRgTd45JDSuT!6Z_D>fmh#ai_pxIfhSEcebQwm{c=Yr(Q5jWFqKD#lDha#)9 zm;^%+GKV2*SMj!V|9(&!&ENNz{7GO^Xec?VT7|^DrOHMe)H>BJuPAGF1wFvBoQK3} z&r#UwLzggYGvk$w+kM+o)jt%G>dhJnyU2#2STv++{;!0?>@NjR=eJK*xit6 zqTsw56@P*dP(aF9xOyJZY3T_iw~c4hRvurZ zBU1h0tdx7@DHd9>SdpliWNZGuH7KH4ZL2vmN%nvrzdG-#cV+qgx&#aSo*CHz&(>=T zX|W#WarK2N!Z()PWlh&e9||rUFRLGwo-r3}izhQM z$oxX02KyEia3Wupa)+5V(${yyf&5FaW)f~NslWYWU(--%RT*q-k*_|1VZ3DW+ok?@ z4=XUbE02Q7?N4BUcbzk(tTm)))&*tWY0RpdX1(qv`0(;o^n0aQAtxbEz^Inmd*dKK zdwJeKulcoo*qwe^(d28YMorIm;)w)3@f__8N2frE?5v+z`Nio2=gTb?ZPzn>pzGrU z9=>#p$rf2fMW-7Fu6|~F zf#NAyLL?tEM3(ogKrLM#OD)d{y1kI(zpJ^4s`Eg)vLzBGBSzdF8?qK!o=xlr9kw&# zxmUV+^UsUO0KlF_>=31KEf-ObHCk}tn{V{|o?v0Gg6rlG43)xzuu5D|UBS(B>fp;Lzme6jldu>ta$ zFCKv3*}DWcloUd5e_ZFiJ2T%tTa?3dVIwS-dY@(!HMNDs2kK5N>Kn5?T=?+xqmOH} 
zuF&bER&Scap0F@<*a?WE*9!q;Z0KElQs6y)1AlMbmzC3njGv*c)5F0>@xz1);(&{@ zoV96Vlk}z4p+759KatA4BBFrbNoWlTl_#5j9D<*7di?p6&?6uZ$#nu8J_IsAKSQly zI|db&%E$GcoKQ2^EOJ+o7)b5d0h%_g+N3_UHIK_z9LVsqm|smR#x;Rnr(Iu(_eZcf1jpbi&_s^0DngUTfYbR zi2Dzg?BRcq+cuc)p4?F8UI^;K1SW@uxH&mt=1mVyx}OsCcV0G%3TNDwPJdZc0Sc=i zNj;niN?DSR4?W@bGy_#!5m59-!JwbsMZS{miO)JzexCXr%r94ebzCRLQ$qA>T#@uh zqgv=UY{#L}Pjw;u)h|oJW^!&_nKje4w-2AhE{l=MZ(PntN65@wgu7NHHu6C21&S3K z=HEMGM+^=IzODh}^ah9{^2Lp+&b%uRj9|M={&M%W#*AF(yhxXO#hLkAGUkGP`sk;A zvi@&g+kV)oW%=$!)`bm$jMS>RKL66oN^>>zc|R|0&!kH?&~9I+qir3^&P%8suulsE z`pKiI|4eFoc$lCrN!;uc@Xt@jL*DMplF;ToDe+JM@db^c(&BzDRAX30HgAQ@p7NiU zmGO9Q!169yXD&4Y;S2p%l0X*2Kxl}WCIDdC-C^86N!s4)nTtaA%da2_i(qs-iI*y3 zPV#_{8nplyFjfcv{c~Fe=wCtO-HRNd<{ycRz2-w7-GaMUR|(irj`y#^PjM$bU$tI2W=s~Dl;8P zhJ0~?>?A!yTX)~a zAh>exFp-*ugK=1U^B?sTt38{^iy|ApK_*RU8>`RM_iGJ%=D%MbymUUCSAWt!iD3)+ zD{$(D|H$3K5WRdR+D6kaC*4Jsm43iGM~T_M=I;rNX`~E-s%#?%oC6)e!Cr{(OY&bt z{RZieA0XLXbE3+ebISNG?l|V38$5%46)2NBjcEmPa7N4WytA;$HuVwg!H~Y3;@}xU z#g=T3uUWl1uLK?0-pee5qo6!gQ8Fjq&sK$KSJoC&*}>9)pYP+kThnvBt8ymo)=>;e z8Mx8KA~{-}@b*1Z3o69tAJwZWHw*wT9 z&$TVy=p5RSOKHksA5GoK!2yUezP1ZwVIb^m1iF@UO>x*+cAFVPGv$E&y>rUR8Y+zU zpbj(ej{6YzSv9rtCwPZ<(|P6!6%kUQj%E>JcyBXKRTfH<};tE#q~ z5L7PSoLbFYzjDW@MOjt)QozmmINJ%lanBCw)Usq>lBqv5enF~jDqk$i?saznpsSg> zE_Uh+!uzw@P|!RGHbI>Q;|vk;HKDo_Z5OD+$AIpqOI^Il4T!Z-`W1mrvcEwpQ8#t6 zIUehC$!fH#{|2260&WeBq(?!A4^r-k(6x?;%F;ImugZ$X`9>^$>1q;*Ee|{4v&aPZ zM55Bs4cR=A=wZS6wsg=ecXZ*$Fc#Mv^p~SkxlYGdas`{iF^fd0Mr=A}R?i*WyEvop ztwqQs!&{?Uq$xnhUwxx}gfWgfiab&8HDkUU)z@{eysy-?O*p}z&27`~Qg7qE*&e@J zcFDSNi_YS-K52~llvQFM8qNlcmhm6cA!cIBQqsX2TV>qH-q`nN0Y}%o&b-4WBIhn& z7SqP==9NC>u7Ttj|ABFc$WCl40T%&R^We6U04?KZVJdURqI7hAX*~AN+Xv7-534#C z6M;XVGP}ie!%wLiz?Wv%K)RD@uL}Bue~&f%=^*gbX_#wZq3{R3N=ny#w@}Jn^{JKC~QWg<9(tk%}g4ho}hE1<+2s zJ=qqZleN+x$StTT1jKTw{=hZJm{MEmxAZ7quD;Rx65&JLFV(&6Kp9D@3Y0rki}()D zi}~KLaE_Rck<;q7dOqJ^y^b>FvrnronM=~6ay<|Mh}Z1oN4TU$GB+JT0f$Id7aVd% 
zu!qWG6?6R3>1Tt*IG{6^Ail#=LN8m;?405Z;xLt*#fjN^agZskW3RX;spj`%h9&1XClA2Uqf9vfM3l%A7gVp+I!t-sG=v%{N+Hmy)$`|qj z^v=vRf+Q|;%X}%Mzv=*MJBAWmO`YJ~631nrG5xW6E z)p)wb-K{$``(DvI&L z$8^raHZ^`s1gK`LaAl~jJ*jSTUa=uKTvtsLai-h&fJA2_8}7HA2ZB~7D!cN_qg?g5 zDTPzQp8;PD2<)4E{%1nftQQD2%!{Z6lR0NG&@Ll$o4P6gDoppM6a;ygVlMO0v^j@#DG-h0Tyrg$vauOSV zwAQs)pNVB%g41jwSoY!k3z9LRdP+ZzE6PVZybqr)6c+D@k8AJoq?&4~kbL4n1SIi% zW=g9PZimo@gH>ZbV(M#K4Tdf`Wnpz!zeE+rW~hQJ!v`>Jz`BWe3F}&{Gf$yHHXz(o zVP{_Tiz5evA>If(J6S>%v&SXA+Ez(C11Q-DCfp~Us$0|DBYe`q;kvZW*@zn)&|osK zK}KX!r=X`>RT!fce}lODN-a^nqKzI_GoEX4j2aSOTkNZ!_J*rBP-21Q`UWDTdIcZY ziQuJPtZ0l-96r7A($?B?Q8y(FegmAr6=!`Ik`j3Kn9k-JnFmU}W3LNr8v(Px8SF}| z?OkkuW99LTy;eHOtp>{>>-BQ9Soyl9WsBvy`liI6!X6PvhJ(}1)m4{?E%-)EOdp)1 z2eTM|yplt$IMIyi^A%U-g}63p%$|VB=N?^*N%H8ML*xg%{kmrH{(XX0-0}DkX&`4=2fDM!%DhD`(@7YZDUM=`0s)@p-~S==0MmGPL%hMj8`=!=@CDLA#UTs z-b_yV>UHwZTpN~bN>;VPC$=psD#%L-lSq!JM6^EPR31B*7YpaozVW9HV?BrbX z_DVJ5hmNXtt79=jIdL=$zqdRbPZfWtJLC}(jGGo!=9tmYzgaZvJiH858Tn&+!MG26 zI{MiWB`7y=P^h(rEQK+H>s+mxgOYo{3wMMLCgeILE6sJ&e9mG?e-6!PK;jJGv$h+i zXNWx4cYT_T?)GrO&imMk;xY-{lp-oa&?DltC1_&Fh+jb7wo!RNL#=$S3e^4J!DbgHzwL^*G{yWk2DsW-yMBBNseK?y-vCUAi z)x3-%29j0LGth0?N5Lj`Cni=|?E>&)2)1!4C9%ke$cDRnTZ9Jpt#pc4K|Yg}GSPIY z`_uE^po=&uQDd6v^nPZyy)ukWA2M-~cLu)XKp)?^w6ep=ErfYxw{4lJM>H# z6ovqXVi(A-eJ4HybT|en6tSi%pe_>e1wMdY1a{I>`hcM1!O=JxEJCbZib>cX79sMQ zc*s8-{pnI(#c@VEZbsnp&HnNj>F%c`6&_?WA`;KL3{L>}LAd<0mFA!7o@;dbd@i2n z(oKbg2Ck&*A~OZ25d<&dd?ghS>GHP%)(bZ;0-}9heR+>p%h-T3wL)fQ%M6?pi`( zdw_UY4Cfyct_}_&>==yrb)2oMB`FnSIArP)xmP1}WGlKEJ$}GDsbtz4lD)7N=^B+gqk5GtMWHZO4Klesb3C=Bvjruo=m3+01L%{` z6l7gMmD79I%;TpTioecV<}9GjpE=Teh0Vb{yIETNjE*kN;`vcB0`~wpD<#|38>&-s zWf|;z!_U_17ciU4_4uhCL^1$lhbeDtR*=o`w}A-SQw(r0%skDrAhOsJp-?T_M_(Ed zlCHsz;Dd?UkS&QH0g6+gPgow=plp8Q+?l73lb`VyCFcL+Je5zZYKEW@kWXuozd`OQ zY(fu-CEe!7oIz$Dm#?3AC3PVSDmUC?A; zE=Q%^k40ahX_rK`W;7e~1+{eBs^Qg3mgRXCuD&hbdw#Jv#zy@RcZkx{@HUF?X z6V`lB#q;%`ljqv6pmiwQ=>KcT%Ks}oCiwT?nF0K-(f{lF|L)NFdpr9Jh0TjJ&Yy@W zy(peY?|_~Uu2(0w;Xr8nr>0CQB6v{}{NOyq8<0eZu#%;!+7i=gcdWh2#i}1do_Brg 
z`EX72`E$NdeH}D%T1yXFJxjb|`eXEljj`B{SCtI8tbtOlq*IIc%*K%np*6qqMaDgr z>+A1u=$+7PUw#1~$~U1GOc>h$4?`8wDfp-=kVZgO{RZ^_rJ<8MTXH~`{q7Ex3e8=>`fOCrYBoQV!?eeza}tf1CI;OiztA zc?Bo4qozV-I(qhg#(FMPj~Mxu=(^#@O3_;t(FWYvCgAYoaWZqw8}^{H$-Uu%w?n`k$mjX$ z#O2DiB=n$(ePh={+wTF^vme(#e|p+ilkA2~1yX5qZ5#=b#HjZdOU)sUB<0QI+|c>O z_HULdOy9hSY~ zb9RG#+fh%NU(a;BEa*0Qdwo$XpBvViKU3AZZ%jOoOw8|9LGlohhGS3M8KSS}JSyI& zz1h!3+0y`L@0*Xn>zvwE7H9T)CPjE#Coq%RMJ1JQxp3W&nUiEwJ-lKji9;6cd6f#ob;zp024jVHi^eL{JE4pnZ@Sfao4R2J~5^LrEfV zp*}tSw^IGZ*S|q90KO#vBBKhwkd_YthhjjTZZ)H@7@B2(Y|1YL0Vf>xQ zYf-JnWyHs;w{twsQCBC~^rsT-VOLFRA#-^XI zC!gf?ITYW2AUpurlwZ3IOCdt3OfC4+zd^><0L_`0ZZu*MK6Fz1voxDySbsrEZ>u~Z zm69b7cWUwr8Sp164TjkjTYNLgis$QnCXvM+_JQuFzO-A&v+a^(6zXb*rNy~(tlz%% zfk4XQIi%&KMKb3eMn0}iw^eI7%yzKz>iF4I(dK*NOU7bBb7lMl@e#&$Me|>5K#CNN z0CUu_p7DTp2n?kpynVsDE2s1N%7x8Z*{>_XPt4m7GXkx`<|eO=s`Bz|j}CH$mlb{N zpci=|0Qy5Yp}Ea1%WmYW7%=&3Y*2>&mWE|^78=ATo<3qif8TtXdVvDeCW5XlaRd2S zjs+{L+fFXrb0`-UPYwq^jp8+DyVf%*=6zfsQ`;}N5Ohk4`ZeP7I{6b;j20lbvd_tb zA%1G78rUR13FVNU!O^*aotGRS-Exaul6HnLi{a5ntr=Aax?yjj*$Lo)NdFdmet^nj6e024*!hBSL-Q1YFY-ZA}!OG zl%{}|iO3sy!&@a@ZWy(DX67MDR&K9zR@!Mg8ZRX!_N#BK_Z-8VaJt{(@kC$# z+jq}f?QyDOcd+eyZw>&oqQ~iVK>v=I4v^<`)^7klT&!rkah?5|buJmJyqUF3FaNd& zb_?f96D$5kCDpNhhD`NL~x@eY1+Rg?I=zz-!E3xIdyBbW4&iG0tG<+pFqz z1yK;zeU$e|yV)jo#QIiR@$$-H)93FJ9=2 zuTR(G%Q^%+I(L$dp7!L0a0r#IfbAOrT8P1vk{p;IK*`-7e0cig6Ff4uT_mKyRR*USvFbruYdnX^rrO@>*364Pix*?TH3Jp`Qh+ z2yv-5-?I<5*<%?&LYkl6T&@-q5`osq7fzyV>Nsu0aiG|t{ z%Xo?^+)%}BLb%>R66NqR-)g30fB0VHm*8s=U28m-IG*7i)sN5a)>d&cjBSW zLU^(2GGvG57#)XnJ=`~sV$|2xxcqD9pV4fyWIxz?pt%DDkEK~;*rz=c9|MeC>T%Y+ z3#V|5NriZ}lu#vb{C*QU<4Vcb`%Cy)H?cJqVH(*Ub(B)kTJFd8m+3LS~<|8 zODbXKW-eOZ)twP%Sps!xzezk$uIjEzgzTD;y?%r2MSzyCcTcAl{|Kv&ghTBB(MA(| z|LLE{h!4I}L0qKvssU%5{?7t7<*FIB7dN0W@FzeP9-1gHRA`K;VxKMk#KgNc)JG1{ zU^B_;LRJ&1`sL1?_&n(@H~qxGpP6HWzrAYF81>ZnxjH{iCt9{mvHl0jEK^#L_2S5- zYfoppewKc^TTohcU6ye&9CC&nhA+W5byv8CdG*{lSQ#^%;n0!MVR4%=<%(jKdH!X} zze0afM)>A2X5%DZtIv>(?uWhzjmJJYlpBB~!ewWA#IRX$k-4ybTsWd`(Z2Czc+i|Z 
z8bR6sq}kw_#jb~LOWDL797}QVQ%yok?gb_VH6*^(^;y#LcAnY?y01W?5X$CP#ZP{M zu$)-3j%`(X;#HW`d;ir;PiPv9heEF>!uJ3T_RZdh3a#ZQscD#fqs{+tt$>&DU8MTD5w!X^;a$nGy* zn5!jt&ZT#0o2Y=6v(0HJCXVwFW+s9(U&};$H5t`^(ClSymEo6rkSs9CUj(m@Hb!q< zr+loSmV=@}{aG)}O}fLs>UMB%B5|hRXcRn3{rvjEr7=+pJG@-2TE7M@A_Up$}<51i^d1*CpJFfcM zpj@wU=?gjlRJanxWvX!kmO&jtFpw_+t}`_-V8n&Q*t=Zw9i!fVyCh!2v8z|z3?z0y zeRQiz?bLzA+J)3gO-S!ff`of3=MrU#1JFWBFBtHuv041Ur(ir~fKDA31WND$aSb!n z5K`VM|BmzY>qkiG7q+T>bV*x`=<9%J(;hE~QGbhfA_(BkQKWaHu1aR5QkP???nJ!ay8VcP`U%d#y;Ekw2|+K zI{HCK+ql()vUpQwR~jfH6|UX$a166L*vU6m{O$z5@=W==?iGfmTel@d9{H! zJ#|CT#t$X;9x{gH|3ycL)Inwv-cVxvrCRkdhutFJhR^W2YnQ{y3>a>O0%5ELgW!*P zn8F_nr3?X(PVSzV+9EA)Du0fvSLsn+kNNaMfE?UPhFe z2pvI&z&z$rhYZhG!kfj%`_JTHZ$(lbXPvb_6FJcPjBXMss$@{MIe%w+@1A4G=l7{= zPNZJ5$JWX_Ime9z6H19Ak*3ntV)N>ls|f!jb8gc)v2W40(FS~~oXN~@o&<95uO+H; zPQ{w}IcOYm3|qS>0sdCbP>ylBcdn8i^b^VP-=X0!Pb;i@rICdx8UC0s}HVaePs zfr_Y$A3aoTP*-^3STwj_Ym$onmM5F4W@~Sa?i-^dt&D`vNVGK8H|L3gXjH2sR+d{t zjKZ{*s)VUu;WZ+eAs<5_KYrq;5_Zlxn>naNBp2}0mizSOx6nB5K(hh(w{K;rE02W=9t&NdPJ)tp-;cVdiM5kgptS3PIdUtD3C zT7C$70UJQnGrnl$U&`Hyg!4VV5@dXLkN(;TmXDsm^jQkUUS6;k(KOLj`=a&$=>(bf z1WpH{UM5EKp+aLG<&8Xssj>1KA9XY_;QIy$i*)2eExpyQPXbb#tHmisuvlP2tY?fM>!4@lBOoX2F9lh3-^%3Gj~356i@9ES zFM79QB?DC5C*+7!ai%3Vo0ZT*ob$g2VbDh@oYH&aX_tlq5e)St_^D7!Tuki6X^Afx zwGQIn?$GwEeh3(@NpssTB199hI7kn?RyO}Mt_|rBSd|;5e4^ZJw>Y=($;E4m`mK-F zR;&8If+&ERB_fL$jBnLKFA8W!m3t~4xvREcE)&1YA1>MOGc&~otWR#L`myt3u^!xM z9FJf@6Xi(;U7xIPR%@2&@)xCl6?`1v+>s_V5wvhw@J(vIr^_M;P%U{e&r2rw!((GC z#+U3aukStVJEtHN<&2KK)1{VT8zZJjvwq`8%{08@+A@@rTr==?rdZ}|7l*`(<22}5 zzfsJuD`QArnQeL0IH9zjI3S!E9(uy_7#`^t$31c*c461zN8u&SP91?Xjep1B`wJa`*O)(F2e6TVdE)*l0*EM{e-*#K$Q7!2@&@dqR?wI@I3dCoyH04`cG|b^8}e^ zo>%PyUnK&06D%Wt>FZ-Ki5?JTS>t-){MWiGY^U@EB3v*db6w(XcCo`qL9tN#r)$?Y zHNg34U9x8suN3K=6S~|a-A;<^|FAg&cZRY%t4kBdF^lX(+f|h>(#PaMH&uO85w-Zs z+z~G?vzbUko}+j>7de79?>kEVDii0_WBP05-Y7iwF`YF@CcfArUK3+q0U;cDA>G-59t1UFKUl zA&3&KJ{bx~(N9SvXMn#^hp$y*XWw9Fe})w&`b?=GtU>A)v6f46z8&6V4x+HTJ6Xy- 
zfwgBui#`9sFvqQu)sx1uLxX|9eSU$7p50sLZ2U222e@9R4<3Vh>H;(t8THpDP;7Yh z8}<11O)t2!+1YXzOT5XccoiJiQ)F|iHchwtb}v;&?B}pP1qjZggD6qOmo|--@!Vw} z0_q+bo#f{iJ7Kt3=}gy0WhCDsl1K(*>ydpnj-ZI$z1!oJ_e_5jCa_z}D&%!N?d8^! z3ojT)q6?wy9;&8z$G*;Bze0;vC8wWvOn$;fFD(EeZe3BNZ6gMbLZEfpA&fReNrL0} z-Mza_X4(@1S2>FO_Jn_mxPMoni{d_lmbo@ZfBrb{CQ!cP`|O#_km~oR!(wmJ-~ym3 z50}88RTbSQdF=xhBcJ<5==6L%d|gDNHzcDqXr#`)au<2S&Kj0L;t18m@pd8Nd7G!Y z<+NF^8K)biab;kxy*7N2$Z}43c*$lFo4O2T2m&;4VTZ9~#<0^x#RGN@XN+kTou4GD zUPo=joFxI0eK-@~H3o@L7a>X&0i4+MCF=^93dnF&)zrX!r|Grm!_U1T@zcNvrch$x zzg~6#TiGTQUp4p@=;`6DB}U;Kp)&!SecnN)ob9Hwndvu4s@7JJI%$tx_I7P4aBAQwMmRCvAq!CGd{IGIjL?m(X1&%Yn^gw_FH!-_~rBTVeSLZJbcMgDC83$ z`0hONC-U}OM)8ds?f%?56;>hMi_M45(Ni|aLj`Oz#)*&*J% zX(Dri&vd}^F3JFQ^C2vpIsmR`iz3q%Y=BR~l9e=jQh?~bJZni|k(>c22Ge@__t z&*jAjXb(>aYtWz;o_?@RO~s_)v(LB;SA5?-7YzwQvI1^e_N@RJQpIa!Voxc|o@BPJ za~Cg?g1@E%um2??G48Qa-*U&KVGModx?t*au+}J+YTTl_tFNBi zow9cSZw04+DCqx@?^0+fxe$+7svz+mm0Pk`jsOv8;q-kqw^vA*N8Ddc4Y^0#Ej(qP{4))6D^T|JIJvhS?f0_JP<*S(jm((0t`wD z>;J*to5w@_{``tQ8r@7(P_HQRKQCiQ{bbg$oHW57j6lEA8XdceK(c8&J5rfDB}Z`*SN$S7LF z?fP>`_V^_O!236DzUU$NAmshxZtiy>3MTQkIK0eCp<6}NZq^du$Nm|T%J8=r)c?c8 z`}bIh|8Fm-|M>g=)z2ta8Mm=I-Q~rYC>J!id`}`*GNa@_79ZL=D-uj`K=NSXFt76(c@5gW5#N1v0e-r#s^Z|4)c-+aGK+p6t_ zM7(N=MMu9vZ?dP7YheaNRoPuqL~{rB$UhVdt9U28n9ET-Yn0z;oNhj+TR|BN*G%Ak z*@e#1lCz(|2*7>ID~43@TIz)^fwq;&PmdfaIF4{{OI*`s0|14Dh-o>3Ldkwxu~d0k z{FqcBP|k5=y16$&*C)2tUcCGl-2}3QCXBae7py|D-p3Y9sJ*!(m?v*QTtz&_?iFJy zaV@Nhk%QCznH@>mwGq!TdtqYP-i5!~yp})d5OO%*E~7DuI*N!NI->RN47c$9!wRSE zM69L1UVi8Gda(Ab;g`>-DBMw?Ythzx2Y#2NwrzMM-NP+U`t^G%Mb18PsL1B+ZVqR- zQ)yaDs`*4h>~n?7L?wmB-U3Iqfp@`#F6H90ot!5VVeciln~uSc;y>m(&Lwa)Sc)gQ za+wd!I4TBQoC~bf5NvMU1{l?ybJ0{GpqkA&?$~kp6()2Z|LbCm_vy(Ng^rpIKM&r3 z;H{$x3|?z6b;JPbm>Z3c^a)2kQ8%!6f5P?AlDEO?Q^L|0Ax4QSvJ6WvRb8y6A%2QH*ICaAJyCn#cYXc)4_%G z5id!hv+Aviu{QL>TCVtL$ohsc)X=d;Bt>Y>dP6j^=0>IB)T5_J(b1(9!Ak(ev#Uu2 z)14&enZ833jCuy$cbv*eErTp%_^Z&G1b_}s@lI>-ak2$b6UdZm!NnQ~a&S1wPbMMn zXHt)9$MxCd^*FBN9+}=GEl-X{m3`N_PpO=HpulOu^aewUFcaL}L`iBEjn&_7-Z8T2 z_eFl<tz 
z+?ph!HyY4YeYUE{UVS>dNI=trb2CK;N<*sjq$qvoHA|h`*^S3!y`S$d*sRnlPdsd& zy5l68S9EycH0Bm&CJj}A3q@!FNK-pPfmEDt_=%+6nh_Y#|4;?XSnC~Hreg37SFhW* zUk_k+sb+^5G8?i*rwS9>B!ZepVdL~D5d0DpCuOvFObT;9AaTNcPF5h-qon`EC>F_A z)prE0Pc8JMDBxoZBJ}Yc`;n4^s@<9fex}F2pK@ln-rHWs*1YslZarqop%ZjZX{o6@pw$Xv^JfF^rVyhuWXrA~2C0u*d(7RAtwoS`S7 zcPp$!0=Y-e+$`p+`QZU{Gfqg278-%XD2-YvIfVG7rTtO$i@bZ9dG!vRIL%=&=w%OF zk{~(j+0GfJBaLc>aP4X~vYLf{7Vvr_-|6ZXuX-bG8 zUmI3ZTHaN(Q-#z1KD(pl^+@}e?y>Q>#0urW(G_He#7i9B1T(Ha=TS0;j=6*VWP|Ho zT(M!V;(4fFaE)%VNy;xVMq(}{gxCV)&n=^AZxKSPD7*=5(sKjGs--zI3FUCz^4M?| ztP-{-@*+RiCP`M9-^#c06VpeWpbbOleGKnr{ax|t z=L`((bR~35VNJLSfprsnGBKDM3aL$qcs@)D{nS%5X-Nv%d@#DcD6**UdoS5R^3`>6 z1jN!>WLA;FjUswTg6XIr+)yAv>#k?y9!s}1luadG$Xt_~(O*03Z9nsG=JmMwgfJ9G zlg4t>ITG$8wwPovA(CHTo!W0x+>of;c~eSk>>1~+%Oii$Z2%DyIws^<6hldWY^Me zZIMa)U?dmY5Mo>N+o;7OPfQMrnaRVkX&uFf5(`EfIPsH)5m)**+*IpqD_(whZkRoI zR_f%pUYv>&(BGOBmfJ@W>8S~{qZBwbzQF|TKYFDc#tRMjeBaVP`uE~g!5kx(NxA*? zZ!a^EKQ4In@qV>vN0Ow`>z~$UG=q-PWY^3iz7OwVtE@=Vw)-_gf>s;Mm$;ZDb032{ zo^=2=SkR6fGbY+lt8@gNB!n;yfia3lMY_WR>kIRqR|Q_j*-x0bK{rcJ(xr5ENZEdI zZ~JzduutK}5}{wj8EX1P=6vfN;3ZHCSFggNbOfGVQlW-->31x5Ba75+<{2|SDhpx& zSJAiLNWMY){uKq%dAXIc<%#&0j^2gFM>DFppknb-jWu6tAH(bBB2}=pLNkxT8Id{{ z!cAT zAvah+@$*<1{-)<7L%S0EEG)uv27SUcqHDW6Nxu|TO-fmUJ6n(7m4)GYp3)h#Zb<>5Yh07jC=theE< z=5ej)$QKdq3CG9RzE;0l=b!ND8BWfv-Ffte@cVkGNU&DuU@+vwGI|=qLHmKkLpjF{ zrg6s9PYt%7^PIvBF8dkoRmolMPCs;(!-w{NNzD5S(KfuBgkU5YBvAWv^E^hWZ<}pIn7q_`!2xlQ0K=@{IF_kG1>+|F*tHKfh znAFnmkHtK+qmPxMGBB@rv99o{#{!3B z#8c&ZyPSKBKuujMDVhp$)sS4c4mGRkn5zvBNe}PcTJyrZ&fQ6IujI;Eha|r%O%G+~ zjI8xuhb+-O)0W$I2|i8*!8^nnErq^xDza>RAV4N`XPt&qUXdKjm6gQR80d(L;h?Q(95bkVOLA3 z%=Gd5D$vYHlHT74b(w&*G+y)9?BK~0bT3)Tm|pv_cQNhrv`hS)a^5s1YcgSP8>pA} zmaGUj73H|3ew~i;Q;Va%Db{ZM!C{wr_QdZ8_n#e8rQgMEz{pZ?18OqG4aklEw3<3i zs$aR>PIn;Sb#@aHqED03O7QCOhE+I5R6+S@gA$w#8grVm)nY2QM{L7aM|`Gu%U_S1 zi?yJq*W?MD(tIaodPWAMrg(c~uz7{Y6_h^@4Y34?+~tf!g)~5>4yc z%(M_7izrU9rGnMAM@At;2?Z^E4F1LjAft#^c>Z?FZK*m;UrSL|!SkfXqPmY#ZGjpE z<)7B}wKfc{S4gt6e!1bpetyx)`0Yc!C#h%7HHY?@!ur*L$Io 
zR&y_t?#3&5NoZ`g6dq9|NeQ&{y}}8o;i7KCZ{mAVbC-4}P0nuc(-c*&3^q1DYsw6X zrOItXu>3Vd9hFhH63P2Hp{8HsFO9ys_uxLAb})JpLprrYiA4hGv$bwe$q%Hdkx=tX z+q9Ew+wSa@=JoC+{c{d8028y}xxPU@2B#;<;BRyj)2WpnF<31no5|%06@{v^m!=q> z8A@z9e(~x{{XqZiRGG^#4sQw_V=zeEHQ^y5qPK3CpL28e%@_E8qC*qf+#$Pw)lITO5tZOiv*SD+!C= zURkHO&h&U*PrZ1qb@BT>A#t)7FqCNG0!J>y3^Ddhf7aFgIIfu{U9YK-+cHqvjls8m zw;Tl9`U#Vk#m>*Utc#Ndgp0)=9#pC|rmPbQDktuL@Gvuyq=C|OgrV0g zB?9_X-=Md*<5#MKhSa+xXi*N+0IU>)zrp$PFFJ-MHCGt70!_{7qVR&HNlpCW3mjDH z$eFCo_I!AqUGGfPyCp$Bg5gFc$Xb|5%*1R`DEJrM_|*au^5##iOjcJv=hM-O=PtHZ zsw62x%~k1l*#BXb`2QZ*S>j)!g#VQ2Q~`Wj*KESr>elU{w^;4H#-U1V8&m3C77el1 z62x<0akowm{7AV;k}QRvN%cHOo7Nb)0Hsu--gvF@?Vt+Lk$YPaO)B_lfc*QkB49do z?e~RpmEsqCk1pt~J29-`#!$DvWbCw0FvfO{7&|SU3%EU5gLt9_FAB03&m>sRwaUBI zj@qbB_MiJD%Gqo&38B+E>xGBSjsP9G&gBtq>sDb|sX4vlM=T^ummXiZJlb;Tn{!wj zzp?j#NqEQ1DqQTTeWn-fIXzKgqYaE;A*{$zRy37GZU%qj_4lWG-z2LMF|@I1HUc#A zcfXo8^UW`q+KOnOFa9Smsn%~|U-n%>C&2meuGneSkw-)FyD@Jc2he5AIsNczPd|uq zpnH1xHuD%tSlGmyXxU#KGn5&b+ENRd*3jgf(=C-Fo&?&`3GJA@-<-7A66gfFLl_p` zAd*WtIrxFQ%TrYO;S6;+%vNQyr&n9cvb>qCEbOv+$8J|R{$IV4_@w=F#>x$1YaR`y2Jwco4 zMRtAj>mNj{MO>ePR8AcAuWT@7r=e^J>=kQ`*k`cGBYhH#LGN$YTqn+q#?!_nw(o&K zbr~Eo(ik}NnF!%W(7E7PM@+?w?07n(+Z`FVq9SSxhE{YXvQqZ<*G+>IHVUE}G@m|L zC$^n$`@Z<-8}6-*>pZ(-vyM`~kF%<^@%8%nRrRw~SAGbF#uhO!3X?}?5+WQ)Joo|| z!cuJixb<{Fx>zNC_TFPDN%9ZurFB_`IR&Qv`xL7o`QeaL1ony}jTg?RttYL6en-tsv#ra$!PLlbi^TjB)h+|uY?XcF`J~+YJv#*U+KiF(r=?%B|>c^Np+vP z-SaCZ#w^{*W(zrQOs4pB$-Rbp2crWZ&@cmrTf&hW&w->NsbUU||s3uY(D@8!dS zRIC%$3$b@d3UgTkdWp6p8CD%vj&Vq5OkGpV&heO$xa~R{vqk5>$!=+KaYrAcK5c7$ zmo?R~Piy`i>IEHDn~K7=^i{0+qF5H{viY2JaKzU$+%2tkFA6p2E2AmNb#xDJFzc>E zEUDM1ZxDk1=-JJ<&oKW_^p0oBM*7$*C2*%(rMkQ*Qd=`Va~Q?*nE6H6;WF+=Kl8HT zzcH}n19;&_$Szg9BNeVlOSV{gMaL&Eu?7GQLC7q9Yv?PA*c^uc*JTpydgD)%%2RJ2 zH17o1CVaPgbg7p^1?-D{*uP_H2^*}X@MgB^$P$>>74ZcI{kxgnWU?!UGrgo_Hb6S| zOp0>N!tLu5SZ2vkSWivf$5mnd-3f>h1K7^<%f?C~MpsGmd<2ImkUKH@lT45T(T{&h5!5=OxZ6CR z?yR1(4uDM=3NtMMnq>4Q#tnI(uNVwj7n+4qnS^Oxpw%%?TnG0`2$X#D!2^m4$?IeH zEG}Z=VdR`ZJFvx&bhDa=re3n6`P$eacFVKX-zGloSt)8kq 
z0C}fDQ&{NiQUr1)4^nB-vL!m*C%if>_R|e!{`wu}@Dvy98uW7{WAKYaKxn{QD8{7% z^SaRjxHx_{S``v862s8OMICEOH<*n_eNAvla5x>TBTP-U#LNG6mrT8g4>SYt(nq1BU*9rHI-#>p{D4we9IG1zJ@7JdgMSWyHs%j>gHKJLE)PcMPMAVV3a($CAL|?q(20h+DZB)(Vbbq&6 zTsf!8WN&WiX}#etw!D;8U65jnHpq|zXd^mY1V)`xRivm-(_Nx37iydAztp~UOmP~2 z%Da2;G)Rt!Bvx1AM>mjvz&2&n_vq)#3UK51D~W5Y^11@A65IVQFs+()eY^8i?%)uQ zZN|ikD-o{gaDaR-Of4qMG9c^-XZiR1hwtDWZ;mq5$sEDJAuh&KGDLs}3VF5yt6VG( zWNVTmaAfko9U+uWTUv1c`o?Tsj<4H%ahrL^^N+yn3Xa09PJ?m+*1{xRZ3`L;QJqKPoDoUa!yoXH$cIsTL#`~gua$N=F z)KaL8#XXGQc^SfW1DF9yDFI>+<#IvrQ$HX?T!pVC89r;08p`>B47C5z%^13D+8b27 zJ4$19em~hl@NTx;4K%kxb9Q;26tntX_c|OBYKKQFf~WDPwM+29tq28rq^$WVrkyq# z7e2pr6{<~fm?|wjE%H8I`Y8*2*^jYi2C+3TAet$}NK_@nOH@54>Il7k=rqk%O=}N% zu3@xjB(&s%JqqtU$NBUq9U=tLCmcru(gTcv1T|Wkw_4V)`QcKUD#yUL%<40DtKWnu zvoMRrAuq50ShwzSuuFnUCByocnvn-rBcd^DIDpd|N=Gk62kUHucL~mM*Cs{nFS^o0 z6fM)ExDLEl30_+!Wzt%{s?!p$0(E2_MH!*k|K*XS`kM4AU-@0xHeC5z2kUH4tfDdIT2&wg)p2`gl+ojD# z0LTh)hr8Bfr33FG0X;#P%{(Xb!4uj#jxwvR2b0>aha%uR+>qZdHC;xIF2z9h#4FKD zuL0?K8Hl^yJv9t@jE+52!)+;8nEp&i#mYtPMw)eMx3Z1y?9HOsU9*)4{F$>*_6J?a zPpkW;4<1;y)_=$d7(0DB;ZFN;S}<}Z8MEz(6GpC|0{i)6;o9~Njiu+af8Z5rB~1uN z%E~iVL3(?{ou%hrT^#gxkB8DlO(|_f(~g;MLhTtKu(U*au@*_lmWNH8aF3BD$fW<`q~Y)$`dCli#H90(<+Ys_S9yI3Df*+Yrh4x! 
zokxcGa59+-(Fu{DcoQ;P#Wlr+>jvN&vyCp;dkw?Y_gwF1Xg)|axE>ljc-?n~PIG~v zD^3Ncpd?(Hv@}!vN>?hmE&lV^Lf9Ag9ICo#kn6GpNwOj7DsUg!Emtx$E=+%L>)7d$ zXU8OS`DT!KuyGC)n!r_D?hB*Js%=5=hL{8Otyqb@9RXSrR9B+Ues6EHAmCzd(L-Y& zpQnpP1zA6mzO6rdkQF6wv})92)n8q5wJqakJSP7}zm4-K*TWV-hw0*Bx^rxwFGZgY zsSj$Gkpx@vV?+y$o0_ks&fQl^dOWU(zV=AqUUSUt*!kC7qdg4$#|fS!DQIh)O4~@2 zI`tFWA%-J;w)pJl=PSPjZ_l!&Da(oL+;4`G_*{@JCus`KP11vKPqMs!*N7{-$DsRF zlW@Bf_m$sM?KykD-olX;u3%q#mO$Gi$}#KSxrlBIN9pk?|M$+b8MpYI<*$VsM@eDt z9Ne#50T#LH)SM;-7o;dc33%`N7OrD0F{#Ero(GOD5pKtr-3*uvOI_j?>Ye zl|n|lXk_H&@TM4v3eOG20AIo+T$Lad+xzrr*t-R)+&bs@7B~Q8UAWO`iK5QgmA)A$ zo57m&LhXXWS|`VY)1jK7TojXF;N>eo%h+xxNwHD&~N$Yb$Sq6`_Y zDlsWSG$ugT69~ey_9IoSlKknaSmmHM3lld#Y@0NM+Sz4cEDvBbRyp7RppuUqYjg)_ zPBpj)SrPtx1mXybLx_>GK5A04zt3DP()}>R12jqEu6fg#;Dv?IlT9r03{*&G`KnPmuPV=w4o+pf1c*iY^|Rd zClq6k2$sNebue|NEhIS;rk012jIDb13FXuGf~KscU(ituw;EP0di&Y0>15K>_={Jm z3q_JRreN(hq8GKMNgMIQYF&%IIKMYaKKn_A&WDe4eO?+4aei{wdVUqPXuUQ;F~yo1L}8_e8OYLiH!-!;;YMtfUIV$Wlr93r4>ytTy5d?7O6ot_h%SR{AVwX+}BUUamNScQ+c+H0P65KB+g zlN|16j=aB`k^T1JN^SCl&;`*JIm3D}m8#fzHOslhxlPBq`jo}gtEou_^6NoH8fTh@ z{&bNZZ=FDlrP0on^~0|^=BU4#D^E3Vh&N(v-7BC|Oy#(EAfvH|J^~o?8RQwqjy@jv znPK$%;ZnG|AJOQ1j`{uHnta>2!6)HU9drR=|K;t0f5A%m(;irEP@HQ-wq&$l-U{E6 zs%VJF%bktzu^o7GD12CoB@Pi9E*A6W=H0jcCHoiML!rE-Q73lF+WfgcQrFTHcOW~? 
zUFJF}#~$lmC%@5hz2Y+elDuIfn902YP-pu=%-S|5mCc+THi$OJEShjR>PO9R`aLYO%jR&Fm0;X} zd`Y?GF~_0Zg8~L|-;sx?J9XGKm=0&;;XXxPg&_Z#*-YJG-=l5eAk1!a>7({q@cUqG zhB-)kkl!5QYtu=>aosez007SVviq)>`n6iX>*O#?A*C) zwMO!}7qGu?i{?b?43y~k~1oF)TmdqP^1nAY_Y6WxSLLZiD6@J3=S4q+_zCWY%=na2( z{~}}@O#S+{A?fqjh~ivzo4E{rjWh~`=`+q`=ByDW@|#j;XD=9-MzK^bO1&f4K!DYw z#ZO!XNT**Bt`beY5RUe>-B%r-YLa5vn1{jq3{H80?K&G$Q}B~k<2gVyD2y|dWmlv8ACDqOq%bw45)TjmA(vD zXLg}IKJ2AB$a^g_J!O8R^ziqeCzYs7+ejd^5p5e^Q#60Jtyr*G&R=h03KSCDdz5}u zV(R)n@K6LprfwGq-Vze8F02U#Hyr)))#@f6|DuCe#7!lXkod|(fZAq^`7VHInC8Q<~H$#hMkexNCJ04onjBu%cZ;NqK%^*LLoUMZzn-Okz3 ze7YcKLLcpT8u>ch5kE{jQI*u!df9qz{VT1D<9zg*kqZEkCT@chF_ z{+5wU(V0weppdh$NsBpb7{n1=J=GeRDIs4!wsn-RE6%_W?{10R=Lmo2`5 z=qp}~HwM*06zvG*)&N3|bWzjUCyu2c(7yhvlvE$v>x;jS8XZVoS}Jj&AW0kZ5)20wzj8O|)jSKYWut31J!`|kVFG^%6e0EiUq$iHv#zh;x7smm6jslCV3hvR z*`d*OO!z^l30O)4%w}AjMYUgUvm^{aE7uP39@(w=EoPqYP@lalFWxLS)radt;!{ zF!$l8-r#NwIY>{nL__FwU7+IwzVlCd5A5U{3MY=uEMhc3RLzF~#geo+nGLhKAjJ+O zS8iGOj!~tnEE9_56`LEmcjiHbw>1n*Bfw`yO>dB#Q)Kc#f-}y*w)a-psO_@L2Y+@K z9J^YoW1(HVaQvUQ=pNt%3E(|}oA(BbOb5%8)KPuB^oKN_A7Ssiyq@MuM%I2*{-OCP z=4}u z%q=KJ(yeO*#mGAwrCPc}h3z{9sj)mo_mejh?zrxFO)dET)1GsXkxCv;Uejg&gNH=d z0zb#e(Rs!7>RGuhCW>awphNladD{3{Os(@1ZuiL+j)uogl7Rbje+jHMmi9CLZTL`| zQf*P0FI8&*ra=MKO-LB+CsOb;>;{23W?@M6Kv}AK;O_dd8KT3LCs+zc6JRe&NL83f zny6HMTc}hKt>o#F$~IE_lbh43@s-#NnRW=rXT_prb=Ls5+T%8or;jlGW_;qk_E3$N zeph1S6xqmshnPdC#w6&R(zoZx^K?kPUc)7rx80wl%&M++INJBdR97Mw$$*^6$5k0N z!y+vG+9X&(8s;K=>&-*Ui}@ZyCZZl4VYZ>@Z*{G)PcNZEd=wn^?~ZKx9Efz+*VP49 z3{dLr{S;F+FF^m4RESq_8Sr3Pv=Iqb`T0T2?8(sf5iZ&5vm-M+4K9sGuIG!;4yRzo zpq@QiOag-$A&NjwHz)wK!zu~^e&_-+3!w;vnjX{oakUm3tYo8W6RguWj&m-Xh6@${R4 z7rGPndQhzm-gEmMoF^#Gq(n5(ZL`!9FPRfTRa+~3;tkXJ2~9MTVw2sn@dWUWKM;@q z!avA=Nm2c;KwAEv_B;Ny?*%~BqN_0u;Iirlt1j}qme3dFBS?{(DfT;en9?l%gsg*q zX+`&P$ZKB9;%7On3sY{Mfw6BS)S!{)o(>sq7g6|hfk*szIidtj$eSnu%Dy~s9GenI zra&95j?4)dd;=v&oFPS)fiM?MjQ~mk5C42!b{fHK<5y^tcE5pgQQpj-;F8*y(xC#QR*(TH5ei;iylLg?EA)$wD34r+971t zkfOY_4gmziKYnmQ62K@H8~yj&`uo%RdvE=H68{bme}~h*FQ32f#QzUv5FF5PN#gmR 
z&6PuN?_%f5y4IfaLeKm~FLc2D$VRkpIu}SsdBx9EHYBtoIGdiq72#0NYAYUkG0QZ8h<1o--FE%wGkqe*3FWRDLL=&pExs=ST6cXh{#Lt*bL!-I}tb^Pf9gP7GyGo+DAx7-`!|MHl-c1`VK3_pedTe3E z_x3njQRSc&RSstRyd~~-I#LA2vtFV}vQpj8y^cr_?QYgghsD1bU2H&Ad1BA1&Cgw( zw|-=EknMDOrQPn`2G^29@1$2O@Hk)4IR#fHU|V~<8Z_ri&bce&*}E|8qD9o@sb{5_ zt5~@3%o@=f8|O(jLv%(Fm`!V=8lX9P(gUe#^kF0J6*JGje~4t=Ao3k(xp+$@b$iuy=1dv;10K$v;ErR3ld~Uuj8e;wfx^q!;SWhtU>b zqauyJCVpv9nv~4AuOsxJYxr@s{2Bk6nj?Hq+%~ZWqPLGwG)R7P3DMaKm3V0A#>o8L zM(!$CNw-*e*+C_TC8t)Jzu0PR0-O^~Q73rh&Y*d)qL$gIYhta}XpfnmTL`+bQ9jEN z{fJgzr>$o}Vx{nDfRV;I?L5)b^C4NgXF(`2C#=X`rD3ouwroBZ-6JunNV^5={EKdH z-xHX$_xCgZP&Kv2faX$!xC$vB4KyPaXSCI-t)X3k36-A{+u? zdh9-BVTjdPLkre;Q(#sce7)h@9p$-&3+>ALCF65CWoYMa6MzQ39 zS6Gy>l0yrYfuNQ$4`W_K&=GFs&1`YKH!N~~7U{u%ar))=@YyeYY;wdl;(fyYdP%^X zRl;#Nd%wr-)Ez5}4A+=?lwUgAoYr(wA%#+B6xG;V8z)H|co zA=5tHZnbw;BX!&YfoBK`zllx&AQ>_&GdBQ)E7V3(K-Oi)Z<8nxuC^iVoZ(FuNmiw` z5peH(ll*D=I>u0?@2Kgx(R1_5{#(|G)VwAQu|OI(h*NeOO^%tUYDn6AR2h#yX$A)F6o{iRwi%f2-6?q+EJ^$*;a9fBc3PVXCQTVRz1ov_Gk zeotYNW?PcW<#VdvJW>~@FR)_{TWXBVXt4c&4P9|*%NIIv#r_d@Y6q$`HPBn7@1!mg zm!Bk#5s&92-#Zh1UD{t-#O9)G+rXQdgkH=&0Ab9eu?>8vAo#UAyW7?OtQxVByI}A{ z*KS9|G1vRmw;WDZJn#xynx{3|icx>PFi%{}@jALO6ws#4AaD9LbZy7W#+Cpj-Xx9U z<6Ei|xSUx6J{qVfY^I;83qQ3c^Sw0hSE=?|CaD^DE+oXm-9NdAOO9-%%+;r#t~Sb+ zElCj#juJe1UTI~d>5v+XkSBFx(-0>~*7JcyJ{v;vi~~Vc=|65P1)L!EcW&5wMN$(D}ZIY-N%o+ISW%vf}ORM~G{Y z7J9&w-BD^v4X9HNRwY5iqi)tEJz*w$KD0^ppRQBZs#C}1nAbJoLmr8_G zVb}c%C^ktGr{)y6e_2;0(r5K!lKlj=uW+-@Q#0r&uIM}jH|;w{2%$U{XV*G$&v)W3 zH_z?iCl`s^T%!(rS=g^d5BE!%XE4E_hwcc!hwpo7<(Kja_x_>#CC|!Ew&X`d9m|VA zk2VqU3nE6*$Cn22%oMcN*WjtuHCdwjNn;Xc%;G9uH^+XF%@y!=@ARXe2-dMBB&>6h zb^VQv)6B#Bprewnj2kSi+l(%m2}v1Bd2Jq^l_K&HV)0N{)znd?sypo+QgJQj=66Gm zX@zj!c3nq}*AqXIvSzlT4#mdAjmdI5af&r(=kUTCrDqX4ZqxPzNbEtf31{m#?vq^q1Z!vnPI0ly4=}SdvExn zd2y3#6u<1~Ne{nM_nyo=GYRBuhmFtA3$(g(NN~e-@#`74vb>(Bn)Z(JZ--}J3*fuh zAy+FWB04YXv!W}mpwG9AW2bRb^hkAuQ_c`h)$pI2>p21{ot63=-(nc2(zECfA_bXM z>6cV3%;sT?q`cYDC=bf1c{!c}7orXf<<^_TyJPwUnsL!b!+<$-y6$a5`8lDAyHBU$ 
z>%IF{boo`utc~V0+|9Ds9&ev>S9x83W_>%(Je;xn7hMdJk>ZDk-YFl1`!Sw)=yIY8 ze@uEu@7k$b*BO}4V6N$~z^_un8?@&(j^kRgg@#Al{rvceBctkN)!*V*@0?Js8s&C7 zNH7z%U(DB!DBy$WI1VT0cwHTtO)v{CupZ(61Z@G#we#0H(IleteBw1vw>yG-qUc zp2KNZ1y;$2)-S+c;w7KKSN}4REiK7Y2PZFWxCGOrm{C!Pa}=ROE3B|eo8u`~vAw#T z5}^dWMa3zdmm$d$B{15MgoKaCY$0^M$IIUQ*L%6H)A~B!!eqtA&_6lH`>>-x5}tW| ze=dQ8ayMH0*3vDDs-)ljXWy#cBwT+=$9>A?zBjIf4k2!8jxMqMPMqs{t5lmZCx4kc z*1+($nbUuZBIqAjoDBXaiX#6pcuLQ!sg27|H9r;^T&beeOvhm)lT+mO8LcMwqz!OEPsuu$<I@-33HwH|-P^tT+M z99uLbE2x?*d2O1F8V|RhE4j*bHAuX~o69bCJ**kCKU4_7cZ`T{mXyot8~wG|0G6r@)En059b${bpq3Q%MV zzbPQgh5;>zLlbs7cpL00ppgqzVO~ObnB#qdbb@Z+)&=+x`t_f5R-$bynq%3kcRB!+ z!V#3H#WzShgfogF%ZKp8CtNG3#4{oh4@9dJFTN~|vt_-N-=Av|!o z_fxKxI$vKKDV0SPq)yBUCh=QD(Fc7#ap93tSFcjvHyd^m3jx*fwWB&aVrI&A>^r70 zd(hZPfYI^!5M!*}RHaQfevP;WEIi0YG1rnd``XQYSBs9Xaj6a(L|@=F7QsrgJ^zIj zE4N9{rHw(V{IH%vPM|JoP#t-}GNLFMefRxj#mzEDW%W$CZ_9tvASgpg9-kD9y8OG8i5o!|d>5rm}q4-Ra>CGm@cceWp3&lfxkTPP*` z)&($paYxt<%I6$Ta6`^yNo-p?f+f@M+p)ysCi-Z%6tNH@7mUgy7MMoi$)g#626Vn- zbu?ES5%L2-3+W&&(ON;4{N65yGy6SM`QBB^P3A>c;#K0ncmblT>G)8ti0P=&O%9aw z*IHmA*YQtCM@c+-Tw)@{suNZ28P)*(ICuYZ&S3uQqQ2uH%#ct9kdnBg$01{{4D!k6 z{fA8IL~<>LpB5DKctCgfNaL^yOhpnV1Y!r{BcboKn_8dASLVO;<1s|RYT0Nm7$Q98 z{-d?5qB5ypW z3+WJJ3wfNyG}MBubc|_|bLL+=kMS1It$4_k$loP+IzgX(Cs9{Clu$r~Q`3RU%U4&H zJ+dN;KXI1dDpFxH_kp;D*qN7^c3s)^$Gq3>V`poM$UKyjBWj)zm$h-R4JO5stWyq` zex9m`q90qN>pOL=>k-pz_WhR~2o;yFo%tm$wU?*!y`=VQlNxqzt{Yd@b!o_`9omxV z;ogMlqIpM>;hfxfbr5$TOF@m*M-}bjt5xpiZYYJ&M@5&!fJ)MNB5~)z@FE72lK-_K z{X?puhWz$LBS;i_%ySa|5k=PVS2PZGkDRiyHPrh(2@2<2i)KhQE>zW%9*!UY2NKc< zt9p`Ldo-k;>#LsRx%g(Dq3WOmvQs#rV7+K&OK9aw>a>u&%(HhdMe%%7yNvXte&%_5 zL>H~gMGZ1m+xa!9c}m#I^;^!aP_3Utvgj!I&+oLpPt(lQ&;}@aRrlK0xcG9Z!1zmF zrrfzePR@O757Z9v$VbJpr4VO!=>@t>E4h`s+L;bN5?bQ)$$`Jpfh`yEM7wuPptTzF zyfY7|_J5|3Pq@Bb##JSR>vuDn=y|N~D>buAo$o%VpwsU00RhdLW6c;a*!DC=-7Gt^ zY`s}%+a1ShA*9`Fx0&0$uH(NYb>8@T!CtaZ^0g}wLOZVSDc0ATz_=Ql_aou%le@oI zN@6Zh`Yjd|BdT1{T&{L7WTJS#eE7qiHD_P3@1`*u{aHHr?03^ma!D>Lw{)21{wH(}3 
zyT7Nc_27f=w!B-cw2?Y@GvQSSyhxue5VCQUaJg+>pd-t5PCVUF;Z;qcLWtFmmMN_m z|5=T5bQ)(-oehrxE^@f(7_#dz-hvwO9L&7LQ}&rDyxlazzvzyE@>qEZ(1fMo5d2k| zu|NoBU9$k-ady#PATu9f+Ypi=ttAa|s08ePFGkD3uJrq$cvgvDIV08=F~f>a?&s9L zH13kD)ujU};=v~et4a(X4wqB~ot`$XpX@RhJQ-!Im88*p8(6!-Dt*hGG3AcyXdma# zeLVj4?PpKjr|)v@4x2c^v2uhuzxK{CdVwYe2V7DzkG~Y$j8rFoIU!!rR?fDd(`-V( zmiCG6MJ;7FEob@C+CeQLb6!1$rtaU01o~fYif0`i!VdUfJBI14Q5RRSK*p{sYr@c3 z^!M8&qfMx#`+pO4`hPpgK_|Jcd5-nbZd8v_L(W5XpWLG-+0JnuaJsV|~2B&nHrbZ&!I;w*O%) zNB<6gpN-fPxYQ}}5^@}@LpsH9UNP?VrH3UYZ!9KWOj=^8WBqj$qb`{ubo;MF1E3PY z`4jmEA3NSni(!)>i4-6SW_Uj=CL)`UWK9rWYt>;JwP=6wgrB&be`v&;JN<-h?JM`) z-&$UMCH}q8q7NWHDS%a2U{Mj4z)UTbydV2sydE(?Opv=o(|!xMFqpHSpcfz71=_7T zG3+rDKatk(ldTfR!F}nl6_S<+8*fi+DV({^5w=K?S63ep>%jC$4Ft>S_yNT5uZ~kvxnAu6iU8O33uy}6ALS~ALZVWu;lab zGo)IAoE0e?h+6HMC{?H1y_txpdaGX{l^{YJ$*in|JoiC=lSkeCvk%yjCsxXwCTRJ2 z6TeE}$&?pvu<1%3z_`bdy{!D1M(0(z;FnC!Xv>hf`^yFzP?Z5RH*)0yJd;qXO-OJd z5!KjF7e8g8qpAK_1VHUOz@aH?nqy?Q2h#2f;nuIo^mAu#!zz4MQBFUhBAf0QcS&mR z#^&=WN1_Eax+ZeYZomi>=w#2Si9oca`jKCx_|N(H|@<`~*Noan`}6Q~vum z@Zo?^IZM{QVqoMW68G^E-JNHX(`rkCzh4FX1iQ$BtVuaag5o)`%Kn3pm>1$zHiO2n z%Bq^0nSi$kwX8*#?LNwdk?P3jC^DqT!&k^ENDXuQ z7-Uu$x9CAuwed_I^_cna6Pz?>IZOb>6L z_e-F{Z%aAx#T|-XH3j12Qt-!IhyKQ*6HlwdIrnG-;p5`J$b>8 zbL*v;ptEkg95k`6_~q3bX@KA-NfI}>o=M0d`4ZW|C*g|0hdtz9rPDvA`h;(H)k+*d z`&Ihox0P;O7Mh8Q)JH}lybvkw3xiz;RHM5YhOa$|Y#is#Y9eY&_*FE23EST93KYEa z%B{`UQ;fcIV(()4H70CKcXM!}g+pr$5-S7(dOcSDg$|~yc zMj^*3LS1Mvk?+m(Uxm&TtBJP$pyr?nIs(u}T~6BAN}%SH_38d%klO^>ma26;W%&uKH~2GT7KZTO04vfOSH4|`=W z_O;12i)4^z8gu}++N9HioXNEX-pgmMnW-2L)M+1+e|jWz?8!Ce)l|&Z1S1X--C}_Q zBvVj5Vf^l+id6xOUURONJu@%eazN&)N8g?*!|I$cuqmP0s38G3F~%-_x@;{f;jDml1B;}; zM4$D~zH?OcmM{&F?THNQC8S~s7{*$hkzT^;dHA<`tQ))w*P3JGp4DGYdUH9eWhjQ3&IIT|+=Sn7Im`tD6etwjUC8PIKSoZh4z|G9zZicqpgwQp1Fz0t z9eUj`Km3zRDn%3DviTnbT2zc znRuj*vlmL>ZX3eTX9f9oPl^lD((6BU(=&-E^BNSQnPWFi3bQJeEd!upj6kp%qcA0) z)aF{R{S7i&#?0;0M*-~Q8$d{hnFJigz23oXQGjC);85-c!;TT(E}AL<`8Y@uDC9!S zQLO0ZC3J4^ggZTPFc!T<1B!F$Ys>>DZAX5C2;ua8$gUGi_csW!0XaCAO4diX79J|; 
ziT?(nNrlubeXy!E)B@=KFjC}!=1&M=A5aYeS~ZLBAUFnEHsV(c`6>O6dieHD5N!Cb zkNMZr{A+IhwS@i(NPor6zjmR&Hp{TBa-7jYTRsRk!AH2`TB6#$LXAP^ORID!U1 zwiB!0!XTZ1H0hN+v#i&J*FaJAH$UJ6!*9Ph;un5o4@6xZmrYr_)!G>MQ@Sy0jB+7E zPV2uE<$oDl0n$+aFSF|3`}cpz*y{i1-v8eJ_kY^8e=x54H{ZGK8Lg1cxdIi~v%H15 z(U#l&gc7`D9Bs(2IQ8f;PdjIg%IUytjh)7^SQumXd9!YEYVW% zEyQ#5am1vttcCJxgnO@QEZk*h|G@mmg4+dsFdtxcf$g4~kfgJs2oPLDJkc4?nNv9l zsBWp)_d2Wc4(g;})6}{gN-j?~CYxRS6^vZ&Uy!3}Wa4Av=5Sp3K)vbN>bve+$8;M$ zQ192G$uRR!x3{N%ZaQ8J-oV_uI=ufP4UkF=0lWefD~bU1Ite|-88aN@ z1QQWn<}91(ulO*4e}|b}s479CV_nO3sdu9zfO5`DPnodvmLl81R~{Wu{&_OF<-UvZ z4D0#gjK|+fD;^9ncd7ml%aA}@3u|&PgACq)a|~BJ{p@(l#WLucdXD&MZh(LHs6T)^ z;oD56OJy0>Qz}WE6~M6^{q=9=>EFZvl7TE|gwWSQQF)h1 z_sA2t#sDBlL-E1c3(h*{r>A@0=x_X5kB~N)(&m86!Q9Db0c#j=iXxQ(0MKSyj%{3B zlzmZsS}HnQ;1{t$^K`gQLBgReNtf)8LnI>VkP&)f!Q;%0!)nbdcUuxPlxt5rSV}O& zTD?35$J2)Z9cQkIxohOx3l3Hh{I=?J2;qB^qXDDi%YM_Es`iKy34a}_XOOwxRuDq9 z?nb7OLJRWf7aP+b@87fY-F;*rUW8r4Qh66hmSiQ$l@$b!B3yn2CHyS+=%KmY3q@g$ z#3v}@EAyg@J?JbDTz~lLy%>o=8MGI~4M~>CiFiO4n4k|K>i2;rCr*$sMk22AcshAa zov(kv6us&8;JL~XmSltbT$+H7(|aTM9wZ6qha~0R^W|!Y_7A+7kVo`ghVtuaNBW?iW~TY~qWDsE(!Rx`{%||y`aI{TUFU8PAa;9W{~9fK z$s4x(B|THG`Rcjj|J}&`&x*8v??XV^ii9!+fD@ahheCS#%|9?~Db{2#KDoSZx3epX z9p0bh0&tHa4TPl%KZT8H%b)${gPzN!G(HhA*{wn|n8`*UT=EUO?A;_<#!fZ8xKgq- zy?OU~p-+qLvVnBG)M9~|Dg()+8#*zE@e4L;lcdU^eN4wfJ-V)9}IU@sYUJv&yL#8-^{nVikYpbp`P&15A?6!A8lhSP@%BvF6-P^5zB}IZ>fc z)Sc&bG$P5)nhfO7rog?TSUw7X)ab=S54U3hNX<1SRGf|^MaHt)i+6Q$1Mk%Owd&F9 z`S6d~+TkMF!Uq+X2^Eo4BVzSjr`F}#JHZdPthXi7AX`oxrBP_H$6EMLRsd@C^Kv!f z$E80I9koEn5y&Ev>_A5YXlMg3&@8REO)NMFSD3s2h=ndE-l|J+UhZ2`Ut0Ude6o;{ z&N>Hk_%54)_jfMwBx~4e_DSv3Tj+$432y4(XLDoRi^Wgu+u@j~9P2t;HewJdc&HA2 z95`U?Av?e)v*S*hsY*YqOfS%Q&sij1l$1awXI!P=f$o zkO-L>FPmWUOf|lai|dYhDGZrydOtoL68Z(LEVu^c_bB`TrUDp3Tp1NGrbr}aiv?NL z-jkcO4Dj_8%?rUC$gkhnXRHD}HNgycUn6o+d1Y_6kaI`wu(T+>$9OA@JK4qv_&sPx zNxg@?T`%Dypw=@f0x%ZZ8-y#8k6dxZ$7T*68_T~b_IfugZQ$oi1()*=zF|RcMVgSU z4m1Fm>ubdbyG&5X0nDy0ULJ=tk3PFLJ8N8U#rFJ^A72YA_RCQwH^|c+B*4;$ybgN; 
zK92Te^JQK|i901Od`5h9v(+?e{6XiVX;@pW>b?n7PvPK&o~qpB%V z+w^R`Q3zR{%|E-!8k3&_~S2nc5wnDfMbk3cIyMJ()wA0JwmScqL9$ zk=%Oj+hnE6K*d@A(VPrgkD{Clt{{CR159t0Tk(%nH&i-L1-xIq(%fCusOk8gdUcVz zWD;$$Hy2$xCJ4lqw1H0p@%7IB&^n5<_}ID^siz6o#@_}5vjPa184wE`I{ zD$`XMvz(hhhClO~k{=L6%HTFsDe}z)a592hH8p1TXq`rA8}fXLGL@(3=g%}i&+YWK zWhkNtG2u>%q2(o-5d|=)rkl~@fIfJg!kvEC^P1A^HPljZ&4(QDd_>0y9gcEna4(*# zOXO3w#em9}L95z8(Jn=y*$3iNkrhAng>#YX0F(FV4lS)xem8Z}y=%YVEb;kJB}!f0 zXyX1fLp$mj|INYUUkxPdAr`b$^xeWKMuYEnY0q1%LI6O8;DoVzN)PSTDFYhC6O?9b z25QQTnyl43hv-mgF(F#vW#jZDf^!y-Q9s9kbhx@~r(C|THU7rWPb}w)o(LihY1zP< zD-0^EE$jtzQ0<|~db}+SBT_GYeyI&z*v>>t1cNk9rlvO%3cIV=uTtMW4(TD99f=$}pBm=xz z0wSNjzxmBQ!xn!g@0}?B!=k$h0HHZDCD;}NSD>}}$Ul*r@@}>gg2Wc*I-Iq+!E5!? z{^InrDAQ4wm0(U=O zpA6S@Bg9g9daYZnm=zntd=vu_o{29rPKUZopFB&(w+Yjl0hqE?ETq=03a4O;vrT|@ z&597q>Stz38qIW~8$4o$V+kh{5u+7@SA(sR#< zlP()8ztyztJ-Q&&4T4wDdm#iXK(%xM=L{bP=EQ6ZU5EhAk?zj__*tR!Q$t*q2JhF2 z?FBb*^KmxKb6z(Tzsvo@Cg^ZVUsc zb10y(UN>W5hW2^dAuj33l=GGk5ZcrioEk*QHG57caf%t}8dT1aWl`(<0OypHP2L6S z|2Ap1(Ne|ur*ORv$i&Z`B9BNI#Ubh9=WclE?93f192hY*AgLt3NjAJq=*f}n4mdv} z<%8QWd!39C56TnldN5;mAr#vUCYV?qXnP{oZGn7sSMvVeTRKCE@$$rvTqWqBJc*|&Af4tTEgChV47d_gM`C{P6(GC8%%>10YAF}0kv2G{CDUx z-}Sv2W47AUUjXNwN-xq+tdR0Eo5u_XO}5*K(4nn$ZNMSr;~#5Ps5sF1ACdC{(ZhD- zw0#U6M%R_VUm}-QSzKWYUZyy^#Y4ti+RyK8EWk>aqI2<$!W{7vdo*)C@lYc;)sth5AyTZ(p@>e!sl2i1{4* zhT^~|~9`m|Jm-3`d zK%35Udha|XeIj#ctS=C!x)AJX=92-Xufr5QQ=A-xVt&17V7jUaG2bqXF6352L?d`$ zx6R zEh1?dkmcu%HdY4u-~=#Zn}8Qu7|@${#$~4^je0jdQ{PqzNMT>HB~1y+u0h=p9YzRu zWH`81BT?rfVHu}9wv2W9I=f~w=fw8RDD#Na4VGr1574*s35P&P;UVN*85-@GtJg^8 zHY^Kv`{J$5S}F*7C-l(e4&l+elVB&g?LtyK8TFR>m^=W~B26XPTHRDYXnoP-!L!OU zZQ&AvCmHZ{z>yll1WK^lIxt3ea~%?iR`m3K=r@Ib_aXrB!*C@O=#VesDPR$*&i75# zWSgFw=}rQtq;FnS{*o^y_~-^bHkTfS@ZJ!?6gCvDGnT+da$S?GgYz)sJga%5IYuVj ztLn{7&rR4DbdQS$s8O-l-C~N;GLQ*J8j%aOx{e#w_eA4Mj`VHM-?8!&z3fgIIe%|0 zT_2n}2W&J4I$P0mq?5pdAJI;r#gp?WSHKhd^yAMaZ#4%jlC63UWfDuhBBppcv`_Kp z$bOiReBey$mD)x2`jTaHs0BftTa@E>5G!KcPf=99#Vpzf6pNl(_6+5bT53#MEc&k-e_I{-;t_dw9k*UBMyD 
zgpx~$2iQF0>bH)2kq-A`0@(7Etm}LT zGxnc{&0{B?M-BQ7rPR|-+5y4x3gjL%p`V0Egm6KxK24F%*f&SDX{Xw_KJ#UqQw!<= ze+XK4r#J;OULy{!SG}F|X!?2%R$E~{=!O!UKHb#t*a;}KW|>p`^uYs}&88cYuWEVC zbo2Fh|*~Y71pJv{^0RpOtf8~qeZ+S+4PBm%#WW~F{ zQqlAVb8g6hCj*tIFV&!Y&%ZqFTl^q_N*=3gH8g3V^G+~V$LwixCf-$Dy|yEc9pibvi>-EkC-M<<70k-_E#d+7k|nfocLut_sOu*` zg{}%kcOxe+bfJ0IAvka?$`X9}sN3X;9dm&q|4~Lt2|$8j0~T9<83MZqJ`^nCLIJ8* zt$OsO9gJ-tX}h2O+H_^cY5p71IU;d_Li@-B9R-{iqDQ#9EwOl_-(R;YLhrKF8QF~9 zBG6-RzzH#uJRC--xH+s~{L<&$4=?L0SnfNV{vv0NU1ixC!bUsNe>CvlQq+;dv3av$ zZFDd-*G|l_FhC6T#h5oB?|%eq;GnVelbACZgi?-kNJ8&JJ%Fwma%g*s!s}!tkXTRA zkkBFVJQr`4>Z8dmrt$^XIuXn3_0V|j^5<+Z)3-p4=3B9?0k4KC6z^0|%!}0Zy_J ziaveE9G<6(Y{_xX4>6^7a|m1;hD)q9g;AA6(GOpaal>5$WySzmDnjZY(00B3tAfwXE?>LJIH2c{lp1971NpLqoIMN!7G!j>*fS5K zgI0d8M^Q;W%p>8tv82xcxUr0j7KNkNuNQLgLlV%n;>GjHTKbdac_%tg>lzwQEdXt0 zPh;j*Al^jbVQ4<;)dH#9z6U}IBV1?gJ{@Q;j{9PK<7Z{a&??|)i5zGh53)!MxtQQ0 zii<@SZ|IBak_yAhoh&L=xy^k2*-i$R+Ei9*_He+X;a}~6D9TP3B`4w`3D+hJ0|Yaq zpZmDQfC68M!-F&#Tm21ztyO{EzY)}4Gwo%r;tG|1j;j7M*IF#_%NrbcL;`>RYm?)i z_UF!@9yyVD$|-LU7RZPE8LE#qHG8AZXHKbA#{v4)N=YS6tg{dUt$&OYQNY>N+9;=ibF#m2V_)4CI z1w(0Fl8}oM`s)oRn)1hRy?k00-#l3kpEt;P#>f9#%QivJU(4Za1pK9>_#$?BsaCJ` zt=EoOwc6Li#75o_O0LbsO3X3=X+Sn3Ms*=r)#8=v(opI_4!1T(E(Mwj6f=|U0@ZfE zZ*7Fluasz{k;P@l;$#O3`{dBrM~=X!^I$~Ll3`%H6{klN>3y|bzbn%_Qq1T#5qqOJ zv&M!3{ezeb&^%ixaYu>v#COSiU5ShSgRb;ptX^)z*DB^v4t>VKK~nH_z3IM-;zel` zd*%vM^b6f3Ro3#W!;UJ$q0rxXtcD#U`Y!w+4tDVKNc$YO5yz|Cz;0YFt+kwES>jg-DO83>uBV}m1oaq ztM;ki{8seAl|c4&{nN~E&|TkWUhm8V3dBA$%F+!^V0SVMuE!kZ`GMUGECY7*7g4us z5-rB{xIOmAukk56On;GyQHk=}FtK?bJ%1PQap)aPLU1dzor75s!Cl&x=QudU0*Te5 zR~tZv501b25e`!By{8XuMK?gGuXEbLBz8gtJ&FUN`TbCm7)2tZ$w-R)FG%g>Holln zG2SV2lyL61Z`%mBqoC(H92CTH>SocAdR5)~6wKs6N^9BYp_!HaKmL2K_%dYJOL;cs z6ca%7Vz?4aq6SDQ;sNfS9MM*P``cR|#C;Z03K|ebFJuK-4--yPIW&K7>3;O92i#O5k#|=P-u1R9$iL#ID@1 zftA+UoeGb(FPqISjADjq6$E4yT^6Q44t#q9B6F7&ccYIX6rD@Db~P|0dAmsVqvFY@ z$3aNKTDO0&NN<}sF}d;Fp?aB5NP6ECd%{2}nMIAV0z703vcntt5a1T9!$2{EDWbw2 z4qAScS=H8eOPBY()ZcP$u~5;Vo;b=!UAO%uyPglcg#&nQ%D{UGu@*<2&JmmiAQJ*z 
zsS@bfZI{J2x?|Mxa6QhEI!EZ8?-IkRPcLryZo2Ro`5g6;s$QHwbM3+_>~0h>Tbh=G zp3hcCv+H=DHo)s5%u+2KE=~CPhe%|#Gruw}dbq1LkD(tQBp4bc@6EBmj@Nx88gg{5 zM8Cc)wQgu4m&^QcuDzw;W;f>8n_2IB>AgocgE~sQY8vgK_yd zU_qjbXonurJ4dx7l%p1`Kpq;xvxT@`qcM1oP9Kg_gL%96tF2hKZ?F<612AginP#(M zB~L+z?I$8>FE^!JEzzC#^B!4mL^u^wB;k{D+z1yR!|QtdqYu=Ql^lX6>EDRvwJ&-Y z%mlI)8qRxfH3B2}4$V;ib+zpb`B;VHn&i@nbCb^%rfWR*fsIzL1!xpI^nmLs0AVjY zI1b_IE$Ha;WX49$du4tbKHfkOKz%wMJX?!1oyT@#XG7xCYZj#*pPLBLSLO19c5MH32pY(NDgOUr#ZDW#MQ7-LrCIk|VGS?ud7@ z<{i9jsu}LmDaSLcFWyVoeh67o=(s43y{(~S_lueMg zuI5}N@<*xXRH{ASc*%V}VVe(rRq*Ydl->l|25_?%Fl99D4cZOB^NZ8DyAF4?*j1eR zIbI)R^jCOUUmldW*(byNjLG`*beJ5$Y5~%xY6Kzwg~UV%ku1U@adw zEU$bHsmlYBZCq;0rey--TZ9IrUtIIl3H1qvcq^8ENz*4!Nj@Jg&=!tHJ)e1%MJXL( z?i^m(-=5{rlk+V2)zERIr^jYC4>VKw0I0J|a8}()QQ3fJT5po7L;f+f38~iMw(;__ zW&BDaLOQiO=Qaa6G-V6TX|O!{@hQSXQEy@Q_IzEn=_3!te2&D3E~@mli0*&$-ti^X z(muc?=vY0ekv*i)j~^?6p(p*j%O`H1?K=DD%V3l7!K?g4EYSNUouD7THxHCQUWF6h zIMfCoA>*uCv+gms)&e#cl`9RxmDl25yj$FC$epk;>M>CG<$W+Q^28D9^j%?Bm;cMt zjZ3T6?EDSHx{N+a(PKBSnO#IS1A2?(GaB7o6Hc8_W;Q#R^?dV7@ms@Nf~mDFjXT0X zl#hi!{tUmRLxcYWey)QZ8=AD@4py4K*_s+}$K+7K?^l!_$~|l>1${R^#QcUDRF_IJ z28Qms2QX(~H?^k7=x+7+`wC1tgY{mv71vsm!#8{xTdvG#90PaB;jPG$71aDXG)Zn1 zaVW}1tk_VdSW~TNZ>bLol*sXq6FG8KwI06o$*QY~{w!Y;)#uhey`0@%g_vL?WjE5E z)8$ZI6iZ>ZBlFsHsW)>L5ItNcVYUU`Px^Gsf)yu+MVmTdb(Y1cvYSiw5Vx)56YxQV zP>VJ(aPF$3z2ynxY@CCqlZw%q^aTQM`B}Q|p`HX38byx2#v>Tzx}$jnle$ zi60e8llJ6282cgf*(A7l3$0d1wBWSejARVm!9d~|{73fYJxSmu$HLaeAoEqB%iVow z56Xr>*Qgf{*;vHl*6`i_s>EU&$9Ax!8T#U&1OxO1otx+zr^Af*(dZH9YstXe8hPm4 zRQD+kmtptKU|+oC6LJa)B!?aMVaip(_pw%F9HAUY_vCWo{-n|21U!SU3STz&}%H>8V4Xesni#!?!jsxl`2h! 
z4)Vbx=mT>o*ZuVaf?;>tO!r+8lPe$d)kI4bjvFD44+UfqEvia9M2eILwD@28(=zBS%*g zTu2VUY!~;&8IVq+^H(W_^y6US&o;mTt%+WC?_!=IVJBb20`ybo{e8nvyE|YhEapE~ z;tVu#V084HGknQ1b6r1P-wJxFbn@N1q}mhi5+H^?8FYb1ix~dkhm@9hnWT7xkF@MI z8?*%S5kfr)r;u)wuPb$uTLgUZEN*R|T0ECNd2GwBMuR%Q-`e64WO-DY&H!Yd9xGZ> zBBUI(cLUJz6{qDP?t)VhbprA7IG^J?7`U*?+1Bv@P5YxMqSQ{QN5W<-loG+sVB|0q zX!`a-KrkV)ND;kjj^!cmEmT8YteuAx7s*>&M{qtpr*hQvwTYO%bzv)1ntB&lDRuCX zIo=0g6T;gXg2MBJn*b|4;%Nq#;0d#xGrfXG(8~2<7T3m=mcOexynMK&SnBCk;I3jO zS@XxS+)Q@>6c!C+3fsWM`bGw-hIrt|F}jFg@HMZvkk&St1|AxnD>XuwK{&7a9<`gyA@x5&DSldT=`>v&401=}&CxD!CSX{d zT6_oA&^s9Ys=tJIEZ^C%WO_-xv!2W_UJ{PXaer=3H933eL6lH&n z^I-g`G-=fn3fSwV{swWwd~hvda<_?`#Q|=s=cS^{eKHVJ`Wke#Ir;#irnd(&Sv>`9 zBH!dMJRR(_A=yR=7@6YsyY~i3@$5{kW-wDGE2{O%u-kw7&&@w#{mveLI;o`?;ZuCpRY)ET;?5y}+ zk8K&%g&Z&2jZScqCFdx-{sD>G6GBc-I0VOi@vl=}OV~00mxKQPJ;ypZE2EY~t8sZ` zd0)yb{;Y#oV961`gIlhEfZp83DIx*`;a7U%kjiP|C%i(ul5wztlDSms3{=x9|HB~H zf4(mt-yxPDLYgE)DBASiSqU<9K2g`KO^Tet7Sq_~am1mjyM4QN>q5rqxU>o}?`@j| zP{wVS0^0&NC8;FGi4=Gi+$jXCqWfvWL(5D($@ zY&wQIoH1S%aXI{g1N1+iV%wD_9PqIltp4(J0aOa+a(!5iee23uA0g2!r)^Eq`A6F6 zP#2)Nc=Q)J$gRz|mY8~lVnZVy^?SzrX~`H;6(&OLwT{9u$2{Sh*l$0&a(FAVqHBM| za9ei_nP!pRH{ISGnxQMVXk&I!CsSW6m8w06)1dKdD^d0VSOuTS-~E2a=On`f0@Ff2 zff#lMU^QsJ-yq_RzrS#^XINh>=kMP7*RB3~R)5W_zZTA4k%8~8DEgoGjlZ^uKU?fy zli~lO$>4$}T!k{MvXKy6uzMr31X@>t)Vbadcq5%$a?S#JeVC|Cf_;~)Czj>*S2!y3 zhnBrnvA0U`Ykt>uaT39f{l5COR3!u8<#h1vVKHKbb<7y9lK{N2&3BOWbmkZK1Z;b1 zK(O;(s)S@#FGVWlIRp8u(e2g-Z|%PI>7PYe3$in;;F0&&7>rI{WB&b@(cNE0cmF}; z;Qn6d>Yx4lKT$aAUubj(dR<><$>>OwKJ;`F8?COln1KImeWj#RwQGveSaG71(?5gj zva23G^wD91zYz#jltwkc5RIyzCrCXWj7wkS(8R&c!MH*W_msI_IJj-t{=tEzKM#*t zO0$%ZvE)SZBjCijUp zfz-)w{_s%Y@~0lecOmLmiq8NDHfZF%*2L6^OSbVj(G?o@?d2N>v5!-ZT|-}DXGD+a zwtAlqKQ1@a!b~W{n{-j)6t|iY1HOj$*?AP9T&NNpQ-O zsljs{UFDg)RJNEgQQW#c#GZZ6N2>B2vs4;rD*<#sPhgRlAJ#v{*NQ7-BggiH&Y)tb za`*Hq-Z=?y+fP*=NNtZb-+g*6BP{wt7hD7jldN(Cc;Dj}JSX!rkA14o59||BiD8Is zN<#>Py8i3LYPDzwAEnDtt#9SDI|-t{7a31tSt8}`V#u%qbED>|KyU9JbZt&AS8VnP 
zuL4B^yx86Kp@yZupv4PGsBOl~;!W|z2z_x`Ad)f|J#peE&m9bI5}_bgHCyPAS|OXafD@R=@v1>MIrAWhf0W~+aTjBZSPF|OL#h$q`_~@! z*myNfRbMW{(LMii=v4mS4vhz+Ov0I>BME0er%G1(y>+{PiBxJEJjcpYT^jlIW5F|puQeLFpQ;&q(MKMG{nz1M zR!=_S!IVrxQ+#o*y4XumCg#;MjDV{82#k^N6d%+rBn1VLA5-j1^B!bgitrh($*)q4 zzJIIte)|w}p0(570@nm$VL3vzPp$Aoup*u9%#D`XsTW9IDMsnS^%092{ndeRZEWPw zpWX2Pd-46!J3+Q4%JqhZ^}L_o;_$NX&U*hK7e6vn8ZXGv#m^|jn4x`*xzPIR6OWma zM>n6R8LYCbU6TB~ChB$jMfkfCsmvjUHGPiPZ3#mV7xbi3*W_cbCfkTD`oQTe!zYB> z%}VzrKV{2yY;5m1-CjV%%mRc(c$0fdo!kt6$c3MYZxTww1C&3jq%en7dN9WQ*BSf2 zIaL1>L+HQIj)!p-Jds0+iy{TJ5f$rH-NtuRDCl0$k zTIJqW8*LL(lyutiHDIKM}GMP~+_K_OjNJhxYe*j^|sX@l2^Z@0NqnwR|3w8BI94vyg+y?lAdu{PLE zCaE#S^2U2BOEnMRLO?4pbz;<*u)O}AqT&Sx@8z*qK>)z!92!FJ`UH5OQ%ac$_LJC2DoeUx*> z23-MPhi1Z=2vy4|Fz45RzmAkurBjDTCDTUaErvp|PDMM)ahfYFuHPH+5tXv*kl}RF z$7bfnt8kgRX}^_z_cbUtyhrPf2BHod{W>d1;nn`*@K9HYbYu9lA?8_dU185nT6)U~ z95U)Rh^eZoQtje8b-5`x`#J#Y+EM>-ZpT96{_T#HSG>UosCnBBEHQKn&zV&UGyg7$ z-4(mFDW{#PKFQ+Ru=7JAOZ;T&Gb#RC)9TA0;bp*_5u5Bs(KmbW)wF)3a)`^aAAL{{ zJ6HL+V<^j2B2rT#<=HjnxkA)_N2?@mze^0#Gb_|!;i%L-+%Ny3tJ&G&m-#`N{yZz+ zcOnh{1K*}e_A3oGaU}Mnmj>@#4-?UEd{wqb4W2vdV7Dn`A~X%6R8+yM;d6e9?rcrmgw?52_u@w|{fpQD}J#?!>A&@H)!B|u~ zBsr{bS0L!Dk7x|z=`GV!DMlXcJRfV7ZOk5?H<0bu1JP&Zcrts`^#sY75Kc6XX75s$ zz2p#FTrfJIZMY<5l+FOr`sAGQENC9>3ymp|Az*uGwmmyPzD>%;jZZ%H9xB7}b|1e) zys&G_q}yS2%~*S3p^(F)X%=05d!+#Up>YgZnx)hH)YK`&E>i3Ck>2ehu39tzevN1{ z=|sofg3A!fKHmP-cE(JaqH6dca6g@A=@}z~HHPW9me|Y(<}XmTUFfmk*j{0`bRyTS zOhcereC7o0P9_u`ja13tv;sfDuEtVN8jl+iwA)dkk zL5rSY+;ePx7}L^q zgi5BU>7R4W`NUZ5_y*U21QW31;+iyFo120V(%KcM1AtUZXV27n^Myhs8uVq7Up}RE zZQXa0(Rc{qi3F_C78>&Ii6P_ap8D2V{$&4P`fVzXRTSt<@J40G5l7H2zd`pqXpNLJ zG|Y(iFa4^=NKMB0MD!BtchQ9obXe@iC47dVyQ}%tD%n+Ic5q9{rn!XBVZxv zJ$>8z%PD(3X$BH|qPD97>)n(auv26Q0j}-agUC2KRUhR^=kL zD{H!1`g++*UOia~zW_fApFoT2SmHM>IZAff>WPn5ZMvk4_g+2Cm!kP2qBVSW-R~P7 zo<*`7tQlUpHE2zo7OFKEMD8u@+FA=Qd+552hw! 
z>su|l?P;6ncc0zb#x|Ys?vQS&s!V`q^OV+-tqUeSBDh6+KYuoJ8>f9=&Ofz300e_F z|JfdmkQ{DS+#PD@mn|!U&JPsK-SwdTf@$o2X~6ti+nNl*w29G*f$*0vONtv>=f&O` z^?6;e+%FV}a^GH#h@;Hjs5ob(FEWk>%aN=|x4={A8rh^LiIshPt<^2*Z!aE)<-BmF zGx_U-pU<(wcmjx$c&3PXZ*`Y2w?jF%03qeBtFDi<*OM;5`3{>YHn7k_(w$))U4p}W zR%>-;U^bf$O3&Pq(q{9~P!pZA*P;OH86Du`ub~(I7=HUwZ;uRDv`ZScUoSa%3?0`=x6K{R(jqkV|afOos1_JRBrK`S<+g_V>s4=^n?wTBX>^6%;YB3)LV2d1+sg2pe5Scc(7f%6z(yVb9+U#CbZf5=3d1+IWXBW&*1Qk+@x${5M+33e%Iwo8nr;HRQ_Am) z30u!vZ1HRHK030mSB1w2vM=TB11eEh5OXE*;y)n5-O^~=Jlqy9!N1IR8qLQ!9({|Sx z(Fi+NQ%T7*|Jwmua{wg2ONj$^ojir-5+xg(xsBBGxJiVRoNwIrc^&^T`SU>_vkcc*E^43C}j`Hibkv(Fy zUZGKn&UFpU*}93S%XhZJKvM8uREh6^4Ad_`(!-Wet)_*DIGyrk^$A7_<==ZYQ&Eo^ zUa=)oz7Uc83Cu+GB*){R6LPqZ^g#skLw+c~7k4a?vtIn@u#oMNcC4ISRNN?}DYdZ0 zP{SH%J5Rg$GQv#Vq%zfBN^P5+pT5St*ii8sbV?3=xFt(}=Diz4XWb)YUix0o;lBV* zR2X>*WseYx{8CiZIO(_~G+$?W{=(1)$#m!|`$Foo>ffNXmcm0GI^T%F1l(g>D`hfB2e3hbw#b?0* zgiVKK`PJ4yO9D3Z_l}4krxySf3?rx% zc6_b|kUIB9QjXq1{QCTck$~v}Z;Owi*R~Nf!SCtzbcx@fG!g(fgaQcZUpI>(`z!{1`Acu43P56(@R#rb@W*e7I7cD4E`6w6LCJ75&B^XRvG?9lO?~^mXcQF{ z0qLEfH0et3L6IgRB0`j6RHR0XGyx3>MWlm(fPxSe1W_Q;1SttU(u*|dO?pWvA&}x* z?sLu?zrD}9=e>8wKJT4-u76~h5tGGSbItOd-|wd^Rp1qA-pN<;vMl#2i&Hfve0lh2 zTtibEA-bL);QD$b=Z}*U0jPQY0)>V83KPG{`4WyTWlVJzvx5sRgZ>unf`|kBatoG4 zHTrxf+3j%meIv79x4c~3e9rvp)Q&jQn}fj+U9<;mBmqj7);m$$7pl3}NzOL&@&P78Wl#~r*o;{oLD(GBJRJP&eG5y_PAani$Q)PA(< zfx!YDt=5UdbZf@uOD zqIpn6KA<`#^zr5jMz;f0$%&z5pSf`2yfYfQ@<*b>ZNUP7WwM?GVa=(;qp9mSrk zId}(vq`9MyjdeXD`1|-AlbAhnhw`|M!kSEd7`-yfN5oc$OKkzU~J) zCUVK27Y0U+%km^#?emn3N-(}rA33}D%?K%jI5cEU@O<#h%*8K`BT&BMA!t`(Xw9S< z9D(DcSK)-+^tC8Hg(EiuGA=!Bmgl?tFoWUxrSho2tnA*IdQ-8iH=(-8Q{AgfGl-*< zK0*tIuRKm_)VRmRehUFt`SxA!>jciJ$~dv<=m~$Apj+wa=&cnl{!^)IuWlP3?@l{YRCmYHNVkW15b}TH{Tc*l z;V7U8;FAnyq_w3mCHrO%LLO@Qwd~vt%ZFQtm$~1gJZBtO^C0R$pOPt5Dl75|r4X>0 zzXj>>n`9fk;jv{TaqgCbL%}j9|Ex~aqrNj**1ZYb2lhmaJXS`G2oXD-hUcq&lY-Qj z;byl^U%pS&GL|(xlrPs}pt%OKM74m~bU8@ovuB9-CRQy!3puLn`s_FN_rZb1FGfb+ z2293gsQ@`x<$@o##+Qbkdk7-?>>Wl;OBz)#Uo)LEOmV&wdQ@C2K4m9i?GtgRZt^(e 
zZ2dGQV#H(VvHjv;g~h>6`KeBc(ogD3S;ljxNw2;7a3)3*%b6M{e@kPD5cz1_@Rq78 z&#L&EuqSQ?)LPj>%8xOcRU@+tzTHii5gLa@TySzv1*5$$hAa>|Onoa+7albE?gA%k&T|8BJQ~JrvT%#1G z>FgUK-YW6J44!SvU>rM*mmYQh9wh~Utv_55l|R{*diDZH?6cVWfekoz?PQ>rh`A4*`XUkg9D8a3C_0RkZ=CSp^k=-7LXrj88i?s>^<#3orjk|4ddHEC3esKPf}3c2GB^%N<1BFat9H7m?&8{{0E zJa_RCQ+%5n)5-=#+Ju&N6Cf;b_|OJxG{~g@7&wO1O@9i&%P$gOIgk>}Y8Z)W3fdHf zbebu2x=>sCM4<5EW8^No;@-Ki-y_D0zDk8=Aie3~`e%^Flx|{_Mmy;aOif z0MAOO#1htE78%9^2;Z1zCaEnm_U?kpmsBqNJa)}MQ^M=HCUyWgufYiu$0$FEvb$tA z()j+3<>!qOf=^8AZ{6Tei+eYQ3Owa)b}PphP(au_1vuOm4d#)ha{1BHW>e07IFs7GIaM=Ys2)-VTcvvaersg`arj)p zOTIkEoWvi$5_so?@fNRoRoH9SH)1`^b84tIR7ZV{5|uTe!U1uKrOjkvXb zhEg=~C}b)F!k6K|o2ES1n=tPYv>2 z3L2SK5y}r(&1$gq*w+~*%2BoPyUWJpHXEhpNEU3{5wjPueO=jqR;m(Q>qSTyq^d#=4lp#Vh zR;OA1N{30C;gRk7H|#A6N|t~Y3qY9dG#|UwEmCtyyDaIm5!12-ss`BNE|nj>&j1H- zHO|eLZ4^lZBm|eiLx%fpa_JNS>d_SpyDr>`Bs42ko-^u>5`N)vZgjM(Llo|V(@4L` zs|w@{n01pLO-(`DVPE_S3OcjUX1xi)v@YUq#2a;9&e-ru&*t3MOg~0{!miusav6Y6 zS=sB0lvmV}j=XYyR6SK$QxR>{DwH^PwNd=gJ<)-Ee=35}4L;1^qDl18%!n(Ey-RkP zgh+*g_n8RAA{P5rxSzPxkNHI7TdG=2x_)y#%s(Bup=0RJ_y$-6giqINMnQT;KdGwx zeQHt#FR8YPJT0lxl2LjnF?loTtQq$K;!jj2qYihL;y%sJ5-?7)nehZSR1Ll%lL!4P zhIok%1(Fi-cey@~eWc!q<&ikC&9jMEv!B8or)g8xW*|ocWWTwO=tY)L^-9_$>UBqN zNrG*7JM9zH-8G0nmetJdhURA6I`Q5p8PGYvwLh>GTw(GA)u?@s9WcEu4aii&R zUgM;Y!~5K*ncz^lR~h%Oj(?D4Di%9!T5vtKFT z^Rt$C1-2^Si3t(CDnf+b%zzClltTpIZI=umc+Gcxv^_Iz+qmbIDmfOi4X8?VfJaPh zBJ3z@v!2FGU%@sh2X-Tmb}yIDsQFyQe;rU-_tP1i^zv6tZkwD)vXv*0BnGtq(-{W; zPo#RM}SjHkl_dVxxm0Cv?vPC*w791|I0!-ng4Q*uV2F{@ZDh z{jYq6fA%?x=}M#BpznL%zK!+!16?=lJ4i>wzm6Eg4H;bQya0g>0i5XTzM?4~7tXw4 zOZdkRTWWB%{jM5z;Y}6RCl4gKx(kQ&Jh*GgV;c=ZdYheyk-z+H(NIpN{*bR&{CTVq zEEdCO+fG$OB4*CHS0J9N*<+O+oQuOfI2S)I*SYxSm}KhBpYC~&l1wCDjitIs=L7kJ z4~y@D)m1G|t}p~^1QR0EbUI~MPaIp#OPaWGiL*xMjX=I=;>&;vM%d#7 z#^Lr~pl0B9k440w7d1Wr{7eTt&Bo`&Ri?QlGspKSG1W;O9o}ZTNoLCyH%j`IwtwKh z=Q(u3)sOEzH|@o-TcwCi4O}{N@F)2#I=_>gd1)U0^+NcTbYhNY_M3K2ukK5^Y+Bq_ z2BHbfElM$|Uu1IaD5FhRM~vSBp6>SVqpm;XKJx;^{D!}XZJ+TAbiFExYW+2Recrmt 
z?01*w7j&3OFMGV_2HC{eSAP;1TyAq$n7?9c`Z62a8*<3z@foIUzz?ml8NV&mk0vU@ z7_!d+ifzvAm4CZ8sE!dxYkclelCgY;nTxbUa)0uQId_TS=}wk1?^7oVa-Ln&K4~KM z9WZz^1$0STN&c&lA9!L0C1Ew=(H?lD;?}JR;7w(VjxSax^`>iL?yC_q;Z&EqH(zGu zB)0-Y6Oe6rF1~2kJ}91GRsAJ+ZqMq`ptuO^PW`1!ZROC^atp;|}Y0eS$Z7|KY;)OM=6r4S{q@c7zU5!=NU zXs-HRC86TdR$k&y;O-Sy&3^Oh)-4}911+8ipMh~uZf&eF1O^agG4IYT+;A}Sl+x2M zZbREOy$jZ{JV`U9M9i#sxzAv^;o420IU_V$uj6+7^u0$844&p*pjU4uhP{<-^FBHi zsuSIh8!GR-#(~IR*6{a|V?L(4arzl3*x;`5LreXgWFrs{s_}aNcD|sa^7<1Euk!R` zcBdPQj$Koh4d*`Kvc9>_m@dNRCC&S{EJ=E=5AzGSNW5l~EeGHTcDCAG#qYBTxswhf z5|tC5FO!}TE{BWjJsI@m2IVAq2TCOYM)kN}lq}7XIR5-QQg4Rtf4R&myrQhX=ysGz ziA0FWlw9(FUncBUZIFor?rZ;pIVzw7z121e^}fOI%lPM0n7IEZ=~FyA6|1g*PoLci zqn;1EuPnPK_3si_2HA~Dk<%9ZwMnBQ{W_x=^t_{VedzbvZpubz{=40d3D zv>~R^pWVlAdknpX`Vku#qn9Xg)0vlcnjYGFd`bF7cw>_SNbFO=R6F3yPC#Uf)j`Y+ zY^epAQ5}cJ&XZu&^F!*pBSAIKO|_sbmBOMC!l=7A`~Uwlum2S@zeAAXO(C$*$}OoX z`b6gY#qZ_)gz#8i=-e+*wGg-=7{c;frR1*>N`B$DWH@xQ#T)CVBC~V2l_$;MFtDqE z{|X(Jv5EfdtSL6fF&usA4ATyE3b7_b%$r3t#>q`95o#~H=}Yuv^X}W$svokx_(oRl z>y#!)?ueNB0cN$;S@KPb^R`cp@&n^$(7k!D7j6)RwLlyQEeZLxD*>0jIU1@Gq=SkXb zGJ^`4H2_y*{`~e&U;P;yf9ArUb>q)E`Db7FvxokP8UDmbe`3NvG2x$>@J~$mzer5z zNma6QKQlBTO#%cM3kt;N&8`JCv1faN3y}bX#2ED*eF7&;Q^iyGsQQy=kMZTH<{~(0 zGfsd%V8*MF4=mGS0~JrQKwULc?F*Jne9e{-1?hVCf96Tp|5)q(3(oC-RPFhXt#$w7 z-~NxT`QPdDe>C3w?{shfjC=Vje)6Ajz5j04_-ozszuUe2Gw$af1=Z+SpgwO#J3=`} zN(SINTv&!Y#qtX2T(4^%?%NPCD)yMXzlGT4?eSutZJs4N0^t{kBJm*e(*y+tkQt3S ztcSgrJ^E!#$4$6!ur#S*JYfX=x~2Q+DAGTe|HiP zwk?51WmgQD4%D2>H*J5v@~~+5r#ME|W}*EB+xXGB$Lt9OScK|mC1QJT?#tH-FA3|5 z%_1UK4CUAWm&ROJ2<|kH>?H&Di=;#}U`}@UKL*YZ<)jU6z%UrApu1+JYcD z0=RPk!5wMJ8NPP~ySTzQ20*!`PLa$RUsv$^hLWJbUm%*QD~*$x5%mN;6$)lRU>Sgq z!ej!(87~@8-B^Jy8H%usP>u0aH!atUOS&0Y;bJR0YBTvryspa#Y5u!*=vdK+J^;sa zBLm+eb%}kSJRZ|mZEdL(BX@TB;RTN(fB_1m>9LFKE$E}@sVvy%TbVf&*IC;bf07VE zgWT$`d+nm40dri7y4!TLa$PvTi+J+N%`5>@9*xtQ90>p?o?2QF(KNXrW8!M)ys2^8 z(dYE>3f?|$7}f1#R&FqaX%TBec{Q!4(m2VZYcz#rHr-E&OD*-vTPli`dJ;KkEqqb= 
z;m?+{(4qkB4}k1Xm@FZz1`;#OC|{{?9XL*UaF+8&fQNir38@5qzY-4aSTSvyY+>F#?mBX>SgjF!-ak}WzmDGfvD@s7Wdmo_p*deaBrFl zs1adnvsB?RMk|CvzEIUZf5(zJAc?Q47n{e_VJ&db-d(`p8tJF07;9VI4#0GiG(z>G z>(2pxEn(;~r3Q55V{DTpn_q$9Z_WyUpoa63~(_&eKE~TAuoz|#{E<`rno+pzv-00h@Fuhd^&-02E4lAL{(?> z33flN(efC?@eNFc-Ryau)RtNSDo8w{hs^K0$fPyGomF;#q`GeHhsfSo`CyJ9pwP>9nT>@yyTciX%6YV;>ahN7UflLqk0-~m^_eXMz zA4>*GQO_P>@%8L5cJUIg0MWvV->|oO$n7A=lJsyS7m0bA@s?_i>Kn;$gPkY~k*jBa zdE4{6XP0E+94zyW?O|@|Zt*#`mk6(~^pB9Klzq=$VhX07{mT+Z@zZ6(rn*ovMrE z24G;J_KSGFRobasqgk2l>cE^qTae<2aaAG<-%8RO_V*~>p=}=$6XWXm8}zW?&@Yg= z1a?6%SZ{$0BhE+6`~r<|)#(e66kgjsOUsAbl6N1K7A?+4MYVliXAJ@t{KI!BYQ)AV zLNns1+aybk7GNMPx5jH96Dfb1Ln5hQ)bOmx6-{hB+6lj>4St3pp9Si*DzJBGqCNYb zg8pFuUy4G|!3MmLsbug0eO9D%Zw=a?WZ&=@5oK?l)o-sxJ8gZugtOk~yV_EE-WoH2 zE{prF_N4O&by}^-=Z6EZR~3aJKI-~>?>V#`v7$hu(q+GvY>u2j`Y`9P!&8ZraMtB$|p{yU3})P9OdJF>XcO# zB9@_h7Z1`6oXUJMO^DsW91M8JQB~oBvh$(Usyh%DI5%+wj6D2+E6bLCFB?gYp;{IM^PJekH)k>yZ#96+=KN{QaIs)HRnmHVo`)U?* z(tVIaUVU&RbL?tM*zw4u&o)dw2cqe{z*WS8x`94$)B%LVq0@w>jlDAy0J7|J?FJ*> z12p~Nx3nsD(Qw9O6+zWr#1OAcQXB|XI zVos4umuim!Wa@Pd8ZW}6VnCOJm^>r*QQ_xeYHt@PsHCn!c(+b%FM)ar)ehm(*Qebg zG61APT92E$Khe>ns^GKgqd_uJ(`9e$u&ZXBfw@l~4p_ZH3CLT-dHgJ3nT+Hk&P@ao z9Y2|U@VtFZE~;PFh(MBen%@QppS&yk+Q63qURP@*@)|HW9&a$7xBjc+;$_USFmvUYn)6Y;46|4hLRZ@Eg!%~lxwa_M+Lfs47^Ko)8#$7dfi_P z8V&tG6QG#SAmY&++nDePwxkg~Cwmpix79wvk~2|1M>;+>JveHhshj1-v@b_lqpF|) zZaeXsjB0oEBnwVrbcrF!%Q0Hj&^wkaIQMbXFs2hRWthfH z#T7^5i+x1gY9UXKTiGTNR&u6Q4k0E>05_EI>Vc$iqLgqVWOk^|5#_1Wk|i`)qvz)- z#XGM#M^z1ftO`BnA}zX15Fx=ng8`fDNLaaL6i&iJ5E6s%TZ2y52wpDOg6rQ;?YYH# z{x#0<==`w7o*yd>@uhaQi1tEv1MW)h;SSp~I&! 
zBZw)->VTr*MbhXpZ~B8D?^8Q?(^)DHW`0Lvi&K<`j~nPtF)fg&2T)DHbExmy0pg5| zAHP6xkI^)4Ac_X|G~`X{S(+|!D1;W2Lm@a4i?Hr4Eq%*cMfWPym2*m~-fAA6PS7i9 zz;lXGTuGuU*9Ao?!qvX|ovt@ZcOPPXcw<}iMgj_be8&>#l#+@TOck&xxB7WB1HML2QN#T2^CBWOK&RCEY=M>23>4hQHg-n5(XF{nII_ zjbdTLVc)O|LpS?(M4W7@`gh>35Q^(Afl^uizbyhJQe7mHEYJpkT?2kk109Rm+5ZLF zM_?C9&^w!G++*se0S(1MAvB?W5}@abk;j z9tI~8a0N#`0&F5ms!G1%KZkeSETfz0cLoW%=B3D)oSvn;cUdzKwFb6tABvuPKGK*3 zT{|{&{RY62bMJ<`da3iO;cAVy?wtsrcYdrySgKi|yixsN0Y%`FN(l@_N~UhSr=O=; z_V+}9d8s{la->KHEMxN$9gsYMcSpOiDnf>t7{@yK>V?cJGg?rPnySw=Un?|~Gy3ev zx3$;ICE`c*Vq~xjcg$>0Xon>lfCqM4Frg3@T@xx7?Ht8u78`jIsY)DsqqSD@zB+yCzAsf1e7R)8uHe>n zkBHZ0w?hC@$6a*26u{)&K`H=B9BXjEx5fpVg;b#mqk1Mz6Zs+;(%sWKom`Eg{C!2` z@LIzgaRs)fo=(asp<3MLa+(e@Hb1fo|8*b`tEu)xo4GsMtC=3u(SGu+XC z!K^RN67BS=lOkP^YYME0<4dH)x>8Sh%Fl#$AC0D_($PJb{MQzp~!bT zY8VkE;iOPd=l5ft^H}{s{BfKFqYEvB;tELGXke%jA7R~n;OCxNh`jC_>GEkb)CL4x z9%Q?Be_)OVEu)=MTFI#=zmw zYB`be;HQ!*o@LZ1o1l7MR3l6NRomyOB8L7OK%NLgyogm|Z~)$h6NoXYQSL@ws*j~3 zjB%9y0cntNso&Q<8Co?USy7p~qom)an02k_o`TF(oQtC=-KOiTOV)vwbEN(MyZ(qmt6L%umpU!?AAu3kI=D>f+F_Cc(6!;kI01$4yJXa<^Iwn^%|Z{UmD$NOoGtEH_+QY&~?aP|5FBcn$Za^vsp-}G4XdN zHa2gaSI-ZW@HTlnQKGF{U?_8PDpcz?t%@63^$XOf#OQ-hlGj~)TG zTKig-TP2m>%Y}|*O)U2`l&BXx0%f5wLw=E}#q4ai;=cWOpEu^71RmHcdT|9_3twcFj?aNs!%c;?dx$@ZQUo z&g0pu{TsINH@@+ImDk_lFn`C)R2A|yfWa({`t}GVUP1}XSxip~NH;fo5Rc{FUw;9f6$VmAibuzYzsLNpne)1<*9UxjyQ@X03v(aN;7G{cS*ph8>&EVWHhF9x4{BEweZw8 zj&0YJbh4UHWwQC}dy<({;$P?}mfr9+*bh9JMt=)&vF9P~K2_6HL$iM3bL6`jSL7)!?~Qy{ zkkrI3@zn3y6;mmkG>|0lz(S_VAv~-fJXNOg;kWS{y1C1yTgx2I#=nz^Tf5}v^kRkv zqyPI&0?F`NMUaNYtA)?s?-wRbjQp58a3hvU{PhVJ6Q}r{&06jQWW?$a6#;m&rPc7w zAeaJ#%zD*Wlz1*VS0`IX2TI1p>YJ>0SU0`#TzDRcjT4C}_8EwRWU5Dlyo|OoyB}ARKZ_%?K1^MZJz1LUWwq_6MB+KUeA&lgeeQ)*hzMiU;LjUhPDutwYm*6>Vdw}cpU zXaM{VoObo3WO;S0@M;#{Vd2O3oGrz|I#I9P@kBdxjG-k5C2V>le1~Pn zf#oUn@}&-Kl~XCdK*DFq%_s!`?ELN*NCbFldHAw40)%B*|L|8&@kV{&fwlJ~_|Ls- zN2wMyZ$62)Kis;+BvU`!#)>Sa>d+pOV5>tU6H7|zRJ9Jv8uUu&^3gZ_NhTG})lqM~ z8)U?h;oiplKDWR|pvSueAO|5qe}g)+0^!wlgu6O_T=C?xWDTvd$0iFlsUH(H7C5ew 
zsyp-?pr8CESv)pr=#If~pjZNmCR;EkcG?TsZ7Rffzifmjsw4}4@Gd#EUT{=xzZp0n zDws68seV{P-kD-&hiepz!OAaww@2L8-)gZlY6S#dP2TWOJ^|x53kj@{p;$&AnpaoL zZ(2l9Pp)3ub4JzrOO)^@e+l`sSG!e9l<)bSd#bh<2Lz$w=5l=gz(k)*3Iqu8m)`~J z6X>aUPfQf1#Q7OMkHU1R*Y6DNVsCltz}+lkL%}s6-B<4jqF=E|<(b!ld~Vg4BdhzB^(NwVLROoryI?%W# zdJ5VT7KJW3I~374E@#w_pFXu|(M>M1ZY}-RHJ)|3XI5(g;8WtKcfe&8^y3pJ0Gzq~ z2EzhNNCz|#g&1HfsyVu+aH^Yj7ze~*BeZf#Hi-pFDJBUuVYt*No@?bwT+9C2@B7t5 zQV*psb;K4&xZZw~rQ9@I`w&o)T-1nyOl40BAT6mtzNS%a(hVh&(1;lxOqU*+37vxl zWp%VzRR|@EZvA8>v=bZ-z%Z)+>uf~-wqb(*zzF_hD8Rpi5nzk|R*LE-z`*z4lRVex z_;6hzkB(9}w7t4RX19rh*HQ&RQqdM;kOQyiCy4|MkP)VHZ*VfK(3`jfic|M6ni1_Eg+7DdgBgIIt3p?HY3CMJ zfe_h9rwRW8M#E+^__xSlpyro318Y-aKmmF^E6+Y1NT3E%0isUt6_V0VAPFG{WG|oT z(t%UMVqQSnCXi@N**>txWQ4+_8%0q-qIlc7#(WRhyxaC6(+Q9}!0}XOLXrk7p+AE_ zD1$$(`_p%S#@(M;@n=Q(vl{=|EB@@We`1vXi3m!W(S$E%l;E9+L(R3eEu_kuYCIut z7jg~lM-pg}a`XqkEAjc@(p;oo+?%zpk$@ncs z%^E%#+R+dC*T4L~?Z40=*nvwxod6nxb_IOE622@w&Pr1qJPpfOEhz%slg|BdTsx#E zY+d%@jkdU zTK8C_C8t=}OgrwmF?uBNbM_Y2VF==6IU?R*m7Dh=z;RtHs&{f##l*Mm>s(4~a>zum z94&~Rw$mMq0~2>6)f`>ETPHLfIWPQZak+Q(B0A$CQ}%4arM(AuMQHiF93c_R`-T)*B_XeW}hkW&{ z8|?;mBg)$!mG!HRMkzdagA&wwcef~Sj3ato4HAao^hGd@B2D|tbYALe1r+P@twMZP zAp0fkRL2iY9d7SxwY#S#n=%dSt|70K^{n3`cF2k2-Z8I-HlK>>3VQ9dVj${dWdFIi zW&fiD`AJxU<7{ zp8LRNA@LLjY|>o}ctc0=IMkGMVwT?mN8K>rQ?y$iiX+!AId^bhGM8B|QyAb0<&sp&&vO8j;m2cSe zqgQJXK!vmg!lni&>I=F13tEukoH-m6`>d(}DU+WC1?%NPmG|ZE2Cgeg+;|stWZvH= z7$gFy(bz@rfJJEhloVoD%a9eRD@s4{@QP>f*qzHyPrPQUVJlZ^#D_w-ak9+{-66UV zzmN9krBf7|;E~rZyTY}mgoS5-3;-^C(MT<#RG4#Ov;iEJ4N z`|<3cK2f<)y(7k{BLxh872^;0&W$=4sn(rorH`DuPrZwSe*IEeTA9?hF8$2yMo!|l z<0U1;^UTkUKf7KoXGY3Ocg>7bwRVfBN4P$`=ou!RF97s1isdB_x;d zY4H|+s+`sf)oT;qQe#eMt<0xo>20}em_fAlI zn4^0C7IXWFassiRuK&l}s42SaifwIjj(YJces=4Sy8RwzC8MA_N~>m6Q=@xI3E?p^ z0-J*~QfUkdYZcC)%SOW<45u(KFh*o9iD-kYubHWze;DeYag(jl52DX+=% zx*P6zpQ0bUwAI{K{^aB0#q6=6UOvp{p*2b8+kVW%zDsZY1Fw!ZN=#ZR-1rhyYydvp zYqviiRv6%FjWH%2ez704Q_7Rd^7P!doX27IqDP6~7=3Yg%ryS+Qr~iV^2IHd0AmM& zsD?(5OR&~)x#2QcFpLj*euj!?a=#^5lX2twsPmZ4+0Wp8w}qdurXj?vnXR-GanLt 
z)Atu^x4+uF{U^SM*`r#}n>I!GRSquz(Qz7^1pj+|$m<6vcm7WMu@HR{{p|^WNW``R zX%Q#ee<|~!{|asWXGe%kBd8NJKT=v<^|-w?@seFer`-<)JM)(vp=!qCDOXLjcCdC8 z^c={2b}q-5TIrjE?_0<6;rE^?K4BjhPG}mcVYI*wqeRaW7j6KROR1Z=dGPmT0Eqs} zEB~e#4}JeL0WJy+Va;~~u#DqMvu^8ir4-lcHKmJv*^-`vGfL;$;-9|bw%I=p+Q--N zp)@IUss;snfwJ&cSFrG@3O)Tvh7Z$~-iCY8&dk|ztU1v%7!exg$1X^jyhJpL;IqqI zzWHpWLg5)A=nWSI3g8V_i%H)JcwwAC0M&*x_NC7vPrk=M;m)RwRiU|XTxS-1OPXw7 z{iTGSrz@`4vj-{v>5$dYD#pB}dSIWGdJ%ayjBG^Yi$I-3N>x;ZLDPH86uyf|of-P6 zoJhN7TDLjQT!@sJ-Wate$9?yE`Cy)8zRXefscK~XXgcSyxjQ^UJ6JQIHW_O_VMJ;h z3EY~q$Qga9tl2Q94w<@%4Fy^_yUD)4jOn<_yaL!ZrOumogOJ)aX+jHG%fd?tRVJd-MG`u)92SjIh}PQ1vmjGRm*2kAFw!WCWjoJt>JZb|LiyueKscRYR?%p= zyAIjTI*z9@nU3VG?vl6+zSr}uc|HEXx51m$YIAgVyl($0GXOOeL_a{p+!81G(JLCq zt!i}Mj9ez#NtU@er)mxdZ>oIq9_|8xeCKf~^k-A?VyrOP2WQ&U6i@AL!nWPWFl8HUX|^b7RD!((!1 z<@fJ97nwHEje(uXOH^@;+IFt6sjmDyLzhUeTeK5SzBv66KCnUX&P;L z+YDQUQbi3;@X@ns4E>3iDa=#Vl_zm03d_f5TR0_?Z|iWMnLOn%{c7~Xh5;9&6~>Qu z_k_BVl`rrO#wofxshI)&_cZm`NBygHW zq{1Jhru%Lj-YMgVmA|_z=?{7&`hdpP$n#rhc#Gykc5_sm$YAeFCdND zy&U^^ULsl}4KZUifWy}f=WkQa9+mbE)l}Q!ivoP|aQfv{f{2Dr7BeC_#GP7g?p{b+*c@7)6F>cShY4aw zo(#rsCg4SXfrj!TA=@dyhzQmnp;+H3LJj`{l?CM%&gO)OM;~3^vGNEPe*)J9y*1O^ z;tyYGfiHqb@MJs*7EFUlHz2~2&c7RRJ0{Gh@zD7F(`ui&rX23;ai*)@0c#FQG%n-y z38m->$@1rS-M4u+yNgC6&A@4paAX|S$bQ0(=0j@I__2ll@*rcLUq_@unxP3mN1UkV z7=vhG8i2cR%wi?!x2j zOukE{^0-*2OF2?cu)GpE&%7WJZau2D1u*L1kP*2SJKFyHtilg&UyLsd4%%AXkC$Nn zc_>AmAY!JepR#|LsziBb!9-T99om-TS2OPv_TbErdFGUUqpcXqugkFplS4N)_+j^@ zQ6e-v)duurW3`$j*90yjgd%N-{)0j($F;``Ms>+*{S41;en#D%;G&mV~@~8D-8Eim-Bbpv9}}DCwRltl}+Bt z@nb`Doo38x?#yIbH*1`IUsLtIKh2WcRW|NaD=4e~z&?FOPp4tB0$LYIJO57Jc0!v- zyT@NSQTn0%;**y@TdtDTX7MH1x=y8O+k|{n&!o^4qx(w_tvC0_xS~*Jf~@n%<6=bW zxyeEwFwqiogfgz{j3%8H8tki)%pGkN&6cP!d}Pqo^-$lk#=bmAh>CC%+-OmHY6nYT z2zX46ObGRjm~F_fUHO@Eo`509J1t({7Vcr5Hz9P#;lwBlv(;E`kAmJCEtl>5vQXwv z9tQ9;w)~t{>@mmj?${^*a4!C2svD$MUa|~Ddn8RyZ@IEvmEw|S%6p5=l-t=eg55|fRTKH#))$iAeX}a^zVl2CopR;K&B$)ytITb7N^4A1mt|=F2Oxu2 z9kj*tlOAHn%T#>u6rqQqM#itPRYw~2CU!A zG>+6`U;1rO&J4A%yc$O;ylV(E?sWF;G@V0WN 
zXReiflDm*)cUNw)_u*H~DZr*^9=!@Ifzqr~XzDTanvC3b47r(}?>8ByFAtC@A$8g| z?{Qy)oKFnd^?$>PMU`->id-2(bJVTMZTXY0111yCh!FZyJo!b+`Xtc`y{B{%Sd~SG z_R2wi_)_Mz2vV3GrT$%jB_X|juq^ZOqcZ1o36oG`+jC{kJm^T!`EKTs+F3G|{sujr zQDdm|6vsn()OckGX#pD8*m)Go+2Ssu%291Ezg*;C*W!15Q*I>==&1~!W;l^Rs8Gqv;I<3Z$=glwEHTl~ zj^0BMAQhMv5f4%!@~9{B)Vun~H3j);W8XOKgB{g@A}IzUhl5mrgUnMS@IOQuVE;}GS@a3hGN+YW|cetyE-UMWRhqG@m)!Wgc zDIwDWNG1}CBk_7)VCOrJG~UyfojPvZlf@>GUocUIM({+7Ozq9t*+<16n)vNU0=%bP zZtGujuB3Dko(^8RNfmsXLKJxFr$fAVSB)y z%L>?#veQqiO@lw1)W>lVaOVbU&@-dHReeZtVQ-^D9|g4#l4Dmt>ngW==rAc7Bi-5n z@ZyJo+XE9v8Mxa3Q%2k#OtcssMo&X2BZC7@No3XwT6P+XZA7sA*=FxDbYg;ig#w{E_aa~1$znSi%V7WpBOeiY@QvV@ENP-%q7yv#RwAPM z!!w(kPNGzsx^5&iX($hQo05qpg%S1>5_WVn3l#l0P6mkG{f4`Ch+pEM_u;@ekOksU z8kEESg7TJjOZLFaDO5St{F8?r`>GyQ+ug@a{iH(xp^1gFrc|k8_ge0*;^Wn)5Bc7T zPvC`X6y&c`GR)GwUiR&eXXu9-b)r52DCNsyl~q7GB2+ErF3eKpO7#n8bJLLL3*+aT zK}b8u{mBtsk4AtM_7vyyY@FA z$@hTA9Ry4dgl1h|_%H`;A1I#waW|q#@ZR@Wg2>Nm07Q4sGzYM&q_P&m)gi?utL@nd ztfQlyGaH;oTPqXwx3{EUu8y}g&dly6I$|~bk5U0a- zkAFPK+%u1B0a_m4tS}jh0xy$;>tn)*gS?H`zo3ujlwII zyq~T7f)7Y}rXi8^!2lw-7sfcY1gv&E2w?9HGTf5{J*ikTqu!O}Pi86vc^#pOND zWtG1`mIJzFPhwt0g3rz}Esw@|06DvIa1$nS^5g@35u_GQ4Re7qB6q+$jgkCMhVZbVk4kq2_~Jyk|K<=sk} zRSiV&r$5NHzXpt0Ui<=i;`e|D!yN=ntKPer)RRdNcQBBM80}_6d4LumaM+QhiNh4? 
zOeUAvQ~MF!r9f`;U8@Jr%|jNCtjo>sQ>DpdU=dFvG1DKrPwrcYAU*%TN3#Dr-vgZ4 zKc?lcGEYbReW|LPcK+{lhyS%CIrN`bA7R>2B1==sr$p?hTS}>VwDUCymKJ7t>PeTU zIqy}0wU6jBTYu}ed-N7q%{PdhDcfmVG?UUVJ&k;mvU#tI{Z^{)i1~M-ZiZfeW(}|y zY*Sjw3&!gd9$?pVpPo26_v#1e7sxjWP|JW$rF5^7rZ5p%%EX9wj>)7;&ntCLVBqM&8<LS5A(8 zW5uO;ma{em|2%IaIXZTm{V}b&3|IU8=hmvCimxfyr6pA+)xowHWF^R1u%2YYWG4)x!+504~Ci0r$N?4_h^BeEqaLe{B} zEretWGotKE2vMOZTTIrm&e$h}?7J~TvJEqqG0f8Q>As)iey;2K-OqL3$Mai`-|xA< zf6Q^rFvonh*L!)r&hvGi0aut)xoSdlo%@IqIL%N`N+j2F5lbiea-YI%t!SrSl;qih zXQJe#aIk5U6VZ&ULMblkTcC0YO|K{dH^ieMYHWo^jnE4t>>J6YC2Ttv{;@!>@{L^R zGsca#Oq;5UH2Ual`0f7kyI{h9^%l=Jy&1NLv^-8lJl&YV)=Y|;S~e_PoibmPtytRh zAnH8%+7~8I9B6^D0{x79<&*);0ipZ@zRYskmH*K@{;e%b!PhiQplBm^0+$zv)<*yM z$rPncyOMD}-H*r1RpJ&o8ZqcM8H~y0fT_aQ5iCGG>- z+48_t29IKJqyjbsS1Boe0?`C;h-9*BK)2v8Up(e;(kdGwkc5b1a5^zMVW)?6c?Vc> z;>FVYniC5uOJ=^^Z<^W?oJ20!9;aVsz0?Ui|tHMxBFUV23Fy_+CWZ z++k94`nzXDv(ncO?C!cNlrBjty81E8aF4G+68S!Pe_7){ThpAr+t*~imn#3Bm#+T` zU{15oqubzc>rfn633@)$wCyaOHB9lJc zD`xySNS}Kf$T7oeQE|vb%vJxYyL3P*pe`UZIRV&mU}Vw&KL_)R;b1!k%UXjha{c5& znaZ!5HE~-GPNA}m-{a5o*WRqt4;IaNBRam=$$OKvmN5W8V7kXcZx7PEG}K=QJQaRn zHfCmuvIB{IlQ_F~2z?8s%;*CHt&v_@6EFn|SLfK6K=unZaLI{3(R%+ zMkT8P{Fmx%+FmlYQ+5y;==l%A8ShJIA#rPF4N+SX>x#15k|}QHZKjoK1qsR5C{OG@ z)unuX5BP2TeBb>*ZYIavSWn_9qlF8 z_Z`(XlL5eT58)g%eJrQ8=UF%#TNv7oA&iDUKBrlK~(7)AT*Pd&cb$jGl24#!bN=EvhuLa^c7s>H$;tib9@fp_-R zbNVQkl5h6Yrxags>OHz5nXrez2&c+_M!qs*uJ&z;(zlNOkp!GH6Z);ZUQ{j!70&c zE*H0(B4#g(j^jUVl$EUNap-U1msKq^ZPFynJI2C5A-~oegM8e8l2NOzZEC>@OwrH9 z^oUc*^7~4USQnhJz@D9TWM|fPAwfgaX++>v;;GTlZ!&gPlC?&+Q?e;QqZZj>atY6F zktBY!z9B^_O2=z7$5c>3A$l?O5$Iri7)S@-+g=|LQ!PMD-KSB#z%DVxYsv;e zQf=Gz)X3PY`24aaXU;m^8Z~^bRl$UnZ@=$P^A~U#8az{wC|%toQmq3jFJ2KI#DV+{ zXL5cjur5TzcKT*x!Wn1m9GAygp9yK#rdZVp`ueZxmH%R}0n#Qi$#@NV7@Y6{@r|O2 zcsQB(zT+!@e<;#*U=jHBb}yI;MU~1$Qyw;4zOqo}%X7V_TUsdH?tZG%i!c6H z@4U+D6&+ug?Ieul7j+k5dxmEKLq2n*Xl0qyi%So5x@A(m@*BT(F5dsw*=YB|6o~FZ zZ?5SRxJ^+cu42tclzo53;h9feQ8Vd|Kc#!OAZ0*w{F_8&CIP5cf@q<82e1A7arFD@ 
zH6ys>3~Q^`S;kKi(l9|Xw!J{J$T}cpG8sG{OgLF=Mv}%ECn`N|d~cnw_sG}i<adszx%Id{db1Zzdle@3hLAXL^1wjcgV zWnF2II|Dy^Ny83k7(;~kJeN1Qs-*r@*lXGziDkMdC={N6$WPr9_^q z;jb*@R0Mz3BZe))#g9^Ci($RzRv9v1fBYQp%gF0;$V_nDv$16-`*myxg7B_X) zws_(|^s8Xvjaea8#-M6P;^oJQliO!=o?xkK5BxVFIy~&Iaf?s1FqfdWA6LEQ&m9 z3pTzX+jEMM6U+C0q`#s%$Kph<2$BWpRFiwsc?7%Qlr&fz6MFpwmR3SO<^uPnp>Ee2)BldCBp6)Z^HR6?FCKwBVu{ zL+?XVPRug>6?w8oYTxw`$;)|MKn>_2by~-O98FT5eL-?;S>mYF$6vja@Yqd8IC$MD z%&ibMs4LVsqH?PCx$a{%NM`+}~5(fX5()Mis-m|(C;0H{TfkI1aSrD*eich8s@qu81&`5^CR3;r} z0bp*zm5PwRv$g)eeM^4)&r2!(jtN)##CC7Wrw#DT<(cZweR9Vs-+#wVGOift-FpER z(N($P_3$Ie#xH*_w&_j?>{Ay(Zd{LLS!#3Zy3_p|8Zzt9E$PzL|EeEm1iJ2dSd zQPw=JcCLRwQN1aD7ZU$MR%HI$7Oel#pz7bnz<(8HK5;Xw_NJdF<2ayau)t1}?C1E)_JswbU%m0VZ zd0d&xh$1k~lEwzK&$WJpV<*s*l7IXR+K2u1Q*nRYtA7cOzk=b8~f{tAYFn^pe` zhQEU0uVDE5J;Z;7WdhYePg&5^hyiE~vj%(iM$!2<#;uUYnq{PQ)cDmbaCdk@wdrp! z+*H*zAVprkSOUBEaCyUjy>Va#a)B`{Q8WHLIs7xAp{8x1B+Sw7Vm&6xo4Rj&`#Np< zPIA`U)U#)gcrb4V-pNu43R#OuvUJFLZ&7vmRF%iS<~e`Y9`&aW=dah_--Ewo`TzcY z{9}Clqb&bF{{O%F=f7nz|5v{k|K9cgt(_y7OufBQ>M=s%c$2LGRm$v=&i(u-rZ znO`jX+1%ZPPRXd~0V>PP`CUI{EWZ@8n6$Fa0PT7IspYS1pb$INmF75YcHD2z{;HeJ zfHn_E`zFh^|6MDG{~yi^{I|{U|9Dpw$y|UX1oZ*{VP?rC=_=D)2YqVb$Dj`YnukH? 
zr@U=)mfNd@#OYI3JL(i#%$6obQ0cpVk!Y%gp5lQtCCQ4c2EbsDl^o9Scne+%gEz^k z@FD6+!Qra2I`Cl5OFC+Xpr-&45=*{M0q2K`5#2GHfNZh;*P$JG*E^~X*Y&^lvCPjN z?r`0%<0JD?+#!R7>srN=j8XJgxdgcTd;iX^Qe1CHJp0X=hOV9mRj#bL>0L9_@$LFA zp0*AAWg#C|&)jeLT9+~PSjWcXO+Hsk9H{>zs_l=ol$)44xq^a_cwy=J_&12lvm(CF z`&Occ;NAYio;ljxH}ro!?Xw!;qKl1J4A(Ja9Y>v#ysc2C>nfU;7kSrh7lN3#UK;fXO z1E?hUu_`}hyY0z1mOs>%rO5_~6cA8UZ|+;68ZcH)--)S>UhHqv;FG(INC)4uL%S%e zfQ2aWx!lv!`kI@!MT+pHa2O3*Ef0+w)G@(Mr=2aqicTAcp8L^V!2v9 zmnt5BW)syUK`ZZST5=1ukB?~(jHv<)poxPA?XHNP!jQplrtWx>YBoN6ik0zpuZ^vp zIh^#cm!*SaTl4(gqD#!66I|`j6o2TRToDeA(UqrYTp5!RxG0<%bD`0!=*}zIh>)U% z6gJDF$G;d|Vf`__V@5TGwdQ^;YPRLVOWX-VI zcX3R3m-f=qc#SKm20@WUtOpf?+qJMqx=G9(4PG%dmk+@`9c9`hs!Wwq>{S%IPp=@rIZi`TRinvs5VJ`uU(5xn`I$P`dZV7&qM8B6?Ju~N3#vDi1w*B^``G< z@Cb4)#L@cbufT4}ys$9|J}IJZiU#>fnw!A1dfCnLpVifttUZ@zrBnF?wA0eU*+3HV zw;(9z^OQ6IVeFu%)BrSP&s@&Wl(h1dtJ7ZDk;Y==={Nmit{F>raC4kjPJHGiJ}pz0 zo_AkA2L$dRqDsBo`ewlZ@fV&mmf0!n*$jb~Z-36RA9|5+aDwaCM%)~U zD=G-h4$ZttOhS5*r)smFDkt_;alKcO3P`Bi+~x$Vk6h+0*6seN&%>FkH>U*11FnrD z>LxDrHG}0@9T)M|SYE}$S55sN^+qY~-4^8oG}MXL1{k{YfLeYmtrLC)PPF#hKcD>k zH)wbK#&6KDbwDQ2?2$|3f#c1wv{MJ0?OMrP4&T;z?Q3eYeL|~p(=n4Wo|nMb1Zvz) zGDVSQuOw0V8`S2Zts!k*U|izx=|xh&fLBA{(L3)ruS4aY@8og)(u_OvZ`Oo|{tti8 z^|uln|G1hQ^pd408gdxbDcjaLj#TN>xg7Xa%~mQd1ekLrry7NIl8ztHHG1; zosbMZeW`2Nbl;Xa)q{Bln4;MRs8Wov-=HeiuJ|$t1|?ckP0VO4Z2tU_xLO;0JXH$I z9fy;dv9di)5d;%+A6m?EwjOiriAYjabtK|NVIm*V|= zLLM!vVci;UW`Y(zV$SsIEFVGwO+t$B=-jW!4s7g!$z*ANkZ02l=v%V8Z#O5W+M!wz zF|G0K=Au=B?Ai~3C0;z$gELWq8N$og!_%)aK! 
zo#2x#UtqgsJ4Xau#U@1;lRv>sLmlX8sLP?Uq*-7l+s!??TKUE|N6{=k#63r(2q~ew zkiukhyiOai?vngZtb25zQ7XcW(F1gwF*v=PPgBxKs>VKtdOI}3n#&U3Pfk9Yv#QF3 z!nRaI5+~$_&;Y{Zf!~Lu;G{7(yc{+r~C{p3%(Bz-^&$3dqIwef=9}-zEr6o;SP&|0uI}dXdDU(qXxD%SU_l#auMNyqcPgFTj z00&Z=8TvbiRZy}iHnEoT-dHT)6G1N~`_b$nzJPsSkB~-BzOq=;Q*jqb z$qJ2{KeVc&p)jGzqJ&cAkX5d_8{dua1q7d;x(BSA?sg-VhsmD9yPLqO-zpbm z!4`V*iMTSAv)Jp$)LDnm^#Wa{3nC^y+tV9IHDAqhjxcSPS5W1F@2a3q%$a_m-JmoU zuL<|1Jq^C)IqrW?2GUfQqRs}yglD-iaGXFD@j<VbcP&ssJk z5$rZFxrdiq{}X@*lp0)eZ0+Ek)r0;NeArz(jARM{_tuzO;hODpxs6x_wiZe8Ks||m ziiGEp{_B`K9hI8_KC*&2D8IY>2g)%d`-irX1 zPxlbx$rNQQEjgDRzRpnuwA@gZnTbnmpO86PF=F`{a<;}+Q8reuu82l(U1LO{=c_-d zOT2&|4Jv*W_SxKMJ!<1HIYleEql95iBPP|*Ie>fS249Q{1>}(t`|zEYXP6-jHg!MG z`Q(W;Ji60C@cF1wSy7am(3517VW}LJUEGF@WXSk7vcxMp3RyhoZQtCH89ct-8x-U( zKPyvpy>s!2&g7d^i(&*YyeQJaoyo^n#YF*L+xjrx;YE~>m(kecWv2*wvHNo$KNrW{ zAQSxE%d)}ZUFfrLPp%2-0_*xViTO5htSrwz|Lt?%{Ry34J{e)>0a zDa-&pTcB3~oJThyg99|~y>?BVXh3d2vCGOCQ!wN8th!c1GwmhV4Ov-jYsYD_e{<%% z=qpa0Qc@!>bKQ-q7iux64&nD?2sI2f>Ez#;@e+7eUMylieUy-|rq*@GH|3k)vAmqX zA@p@%9!$y=Y&uJJzC?egZ57DNLy2dcwzs^d=MZuK?CjP0RqDmFw?-77-DKqeuV0}u z&sxZi4iKzA0ZxTOrqX?`-#0Ky-_83?ZWO6gw(6445r=^C|Cf*eNUhF&X|~ ze#=RVAkV`A7|n$Yy9ruZ6rj(rf0=p%)`1p+yTir2p52~eVU*(1{G~lL`@V2!Yw*|i z_?_YGw!R@|;h)mQ@ie$?a}vHV-lb!sEZ5@9KI)fkd~A=)mpE;hi%+!!U4;aAFarU~ z4eZ`HQ3~+ZTZFqrRK6PmYSAICKJ?S9)Rf2DJ7&>D_-0bQ4Sfl>i|_~LwGqmIO%tVl z9t+wZQpx(XOn`mmls-T6%?hT;Z>`Uor@On~iCgn=AUn_tcc4v{gT3&13GT_>XFd)A ze$R)Dk79(TIL{Bq(NlpRD`xbglqhQ-DXQdH%4HXg*oXPUhiy~tAl}MX)lI86Eyr)G zCA^yGKcCYT4$cVyQ>c-Q2DxoMI*?$rTB8^Hbpgeb@jqT!=GOas#9*=k{e$i~=x3}x zF*CA;k6kT3zIQ@+Y-sZK)=;nHu{zp-7d;6$Zqst6t}s0V#!U$z4Vfh>TGm#kFI+ZC z#ojnqVHv{H6mpYw`;+1SL@|N?#lOw^&nmuD3x)`w%7I=77^TPC3nn}@gI~^#Oqu)p zoh(})tlA9NM0=`0<@~Nd_yKJfKJs3B?sP96+l~ky$5vJI3mcW;yqA3m(^P$d)W>m~ zsU@u~OkDDqBPgkl;X3TN;7+h8O_=m4I+-E18n9yDpEH?sXW!OpFF)m(=2_h9-GlKp z6=0cTDWmlIeNYB^w4d*2mEAP1#wvGINQH)NN_z+Y5?LeN2k0SE#623HD*59e?35P} zxvG9&g6x9K9@iwBH^g@3y78R5x2T_V7IR6d^G(t&Q7(aIT?Ad|%tj}u-%ir%d$8p_ 
zIVO4azUiAPmcyw>Ecm_;>IpoaHQF;C0o-XW+8`S%bF|(*y@|`uIL(>BRr2+)?F_b> zmBwqZP)HCU_DH;RR!hEKHDnX=^jFByoXh1L4X;Y2&wo`goiVyBDLzVc16&D4uvHQS zI0;U^J+|S;5O+4z%_^#_{ZQas9AXxA>t*PnVnaVj9m(dJ0Y0!aNlFr&v7#HK11=ZMdj){Z_ubJ+(;O<;N5SWS} zULISH9odN`Q<_(5(xtB&_MCA%BD04Wm^#B8(l#g6M9hr4kj%HzlN_86nf5xX6nVz2 zCf!Z1CE#{t0@Zd9QX@g|Cy9_NN2|qL@M53edul|NeXgk$e(WP$d1G}Q5_s{(Z9w-0 z09L3Xz?Q8RCJ)dy`H0vTp&@RcrY0%(A7l@HIR%}~`p7Nz^Zj!X#VKRF^jw zo2Rfu)Zu)uK2g8m3kLM4fD*2HOP$g!zzJcQ=7h&`LpM97k`uJ;o*g7rl-?NE$h2hP zP(qBx+~kFUj!}Eb4}b$^&>jQp#$~Pu9z_d&sP8z~wQ}VBki$)Qg#5TaTP{w)f0}Q9 z6ga=)(1*a+YhgdoygTxtmvIhes?7F|iO7?lL)v>u??>GqH8O3!9QeSujUcd5eM4>O z1q^YDHx85RQ$6yP*im8bqf;Hgp5=T-J8`J7(O0P{Eg`Kh)bC$)Nd8z3{Quzv{|l}8 z530#y|H*3df2vgc&yV$wnehJ!pZ`K@{`oWg3$6JN?$3V~t@*DyzW#>)`_Jct1_^eG z6@-+75Pyj)HEKqs+YRx#Sz14PSAPpL7JhkEF}Nc~c#J0f#Uc-2@=ju>UHV>T-6_YV z^kj(XtZCh-OtTzOu3nC@ZOFcKJ16{G>lN^Okk!ZLMm(}*-~>(f>u?YUP(WQ#*GQ2* z;oI}3E$!WJP_wi2zt6L};b!gZ94Qyxa7|47aC<9?nk-kY@%R_Qem@7G z)t67>(9hNVVi`I=VB#K@2AuhL5z1q#rwZGh47+KsOi3OAxp&NZqUL-DdqARfkNz3H ztb_BT9RqsU7kJ_AZ{VJ}2V78x-=IU~U`i)o_HhgHgfR>zT3`V>WhEw}Ogm_SU}4x) z(bVK1W3K7x`r4%Bl?n8fOR_!X+TZZ{5w;W|;?@9upmXzBsK$uOr;1ty^3FQNJ= z)Z%Y$i|q;^Jwj!N+Rpo}f0zePNn9hH{!p|kuJYC>$(#K}tPf83(~G^Nn&eSg<-ptyrx0I(9AMO1D@VHDi6SCt3IuydL@vy`$Q7N4k1z`hbxREXXW>@tUW z0OD?ZyYA~qsx*{Jt{M$$K8f2XE|{2Gelj@Q$NxzwCG+LX>BUKr#UqlU3qW_v>*ew) z42)w8CJr5NAgadPvakn*4K=wp zQWj&rT<06fyejqlUYFv}7Pd>GX?kpiVed(qWC_YAqU!uyBq_gZD(O{&U(Czms){I2 z;T?MM;rRONUTB3A4omoIxSPd<173jOhRfxqOt~{6=lB6R#?oZQIb+)8XfmLd zl(+X1O;lL;4NADlx+u%H3n6e&PtgqM*$in)ATBe>uX?)7xZ|sVzmM{ZWSKK*GwOA7 zPA3-CQXgsB`cSQ4ZMi4VZmP#9@XnlbW7U0@*bb}i!`u_G%=t#~Qp!zC31*eUPf;M6j1?Oe#&CC^njy^NIhh?q}B#v4!YvBsBltYg?_@bbm})h%Mod>I#K| zr7BZY1~7B#Z_P$_Lf(#6q&g|s$zB|4$VliBztDynVp>Uw9C2mFX`Vq;poAD5KqW<2 zo-qJBO)t2>VPG2Fp2Ht+nXxg4x8o;`n}u7bW_(mDNWbLxwRB$GypH|Lne=|J(*3$_XD(lU_ zP_bJ0wZ51qz|{qU!Ya@@&EFzbetS6{w4&A8XydcNY!O;TMjPHYOqJ2Wnhs`#v1K5#Je zaP?S7QU|N{6ddXZFkK2)3B5|sK}m;dRQp(2)h6xTus{d7b{QtqcctuLb<%T97g2lk 
z42FWYuHuL)Opwx#H@6wu7_vorM>da~>4>?rb-Q@}iTajBrv;ngJUm8tJj$orLs{jH zz6EQquk98qFVh$x96#i5;niD|qK zA#T>$X=Ti^VdI2$(z?!@l6i^G-Yb4F5bhdmR4x-u=LXh+LKfDDpyhWm_IHE(!9sDJwpV#1|}1r z?Y9y*tjsO68_r0epLYZ-4BiP$_5utU$>!rVbqqN>k8@Z@mA5h)JUV$PFO=rF-hB4Y z4ZX=)MDqgrre&aO_>0B(Ft&&0>66L5+l6O-gA_mkhr}1gP{yR>_Dx>eMUpw-zL^oH zY_@m)>ev>)wTe-j2q=OJ$wz=!TXb-VE~EK(%d||!Yecl}BsfS#ESW4g=E)u7WC-xB{R+|b+aD}0;*CyFbwZ9YSrB^l~Q8czzn z5?JEog}g{!vLbumar3}OorT@xGZA7gUbQ%lDg**jZWX1eiEJAX{eIB=WlYV?cTX;4 z-;Pb`I%esvK}7vZBtcIiw}z07U8j;1uMS^Gy!9o&*~!;rp*pH>$}=|Oyrfd2-c8;B z)0Ry~a0i4vnFYGwK&(6m-C66t7dvsc`tDD*Jq1HpN~ja%Z8=SqqK+%GYLDfb_RFuX zGX3nt(DT0kbJT(b<#>ECa41~&?l9T~61(>d+R)H2{P36CH)N{q1M%-YFPL}wpaRJ# zQA!o=^VbW0d{a+(E-4@X7Tm7MStc^?dVK5X;b76YAqgQ}d5)Xj(j5o6Q<2f#bzx1S z1o`)k@X4-ooniS@19ORFxI37WLf()O=q0n)K00e%Zq=J*OHW-C4dJ>5qOiBk360VK z(4OM0pXi1{1-!~XYbbLFBeT_YttejnP7L-2Tu zbB__44D!s$Ayl=#ag>1EVk`3?Hih1OQw0e676+-xAbJzR7Z^?jTkOPDNG9Ns-dQwBhq zd;lmP{D|^F6rf!O_BA0d(c}w&LeB+236zz__iI6}6Ar8={GlR+Q0C65f#@>dYR{k9 zVi&g@TvIwqnAP$@CSq$_=NZCPWPm91F&B@Z3D3X*DbF*EX-zrW$xSO#&P!Fo(;^X_ zASGAf`>{bD+ulunmxf0Q=P+|iC;;4gVazxh{Tp1h7Mzqt<%cMLH0IaQi1hUttbVRpd9xsUq5146t}rh)5xfvtS-(U)c!bXdUT!I(^E&Tt)`e$~l; zc&S{1!A7ULtU@X`JF16k_6u@ba-`EG$CLw8d^-pZMI)s8^V`qLftnV)m-p*6;*CVn zlnP^`!)lf9PFz_$@htA3lpIP=fN3y>rgY2j;OHk$ZmtN+PX`uxA&(4A)QM!>BJ1Mg zd&NOw=CIGOv0S3LHzFP`tgTK`C5K+@!>Pt-a1VSjV?Ki%rnQJ|EQl?n-*{3a1NN=y zhs^@UtdW3G>%hw~NQK1uPqnGHTGo*r4T)7SQZUGwXKlx)+y>vdS&|^TZxXU*<^)H%pD>kW7j_o z2l=RW4BF4x-#908-ndTftdP)=D%45XltguAEBb^%ImMxCs(_RqmEC@;E~HWM`HboD zgq}b;E=nw>d~M#Z!^arEN%)2Hi*0DGz8H*>B?Wk$Z1rpGNis$9v(=>`b=1s3VFo}Q zKL?PjN(NNV=<$yLFmeUZ+=@U~pu51yxt!W&B#Rca&tfOr5+7whZ))&(&{tDe9~L8h z7u%>Ea2byp1qz-6@NNtR&giUz?>tW5DWvg?Gp@%kWYUAjz&rh~nP_B9!P%6CVoADT z7?`R7`vw<)du6FlF!;)|G3{-$2ynHEJvP1!chM(t4_^9kr!%xS=r>3LAn1)7F&>~p z(DTu7(mu(ZQNN7tUkwMd?254MH0%E|Z@|3wJl}qLI0bc4;Zc~H;)>to09lLji+a=f zx~|aj8a>mC;WSoJbQw8}gK-X=_dbuhtPs}`+-3OmYK|a^gzP#wKdX9Z+nFRdtlTYh z$e|Y@tEQuI7O~7qo}je*Q<-4>x`*gFj6>fZCwkjdr(RaSaElzH`~l?XsQ9G5KC641 
zRWVAM^)M*Z5a4l0yA#y&J=MH~`O9#90nq%phxob-Hm7J}muvhz-M3lB&0#=>$fEE= z9exbndKtw-ap~aib1z=eL_{eelqX6r*zzCftOrObTuc2@;L4+;NMgT1FG71XD>{fv zS5Q*$9=l?Aqg?8Z`KqrBvf~Ep2Uf{AdNc3{($@}AM9l6K$!JH_hZ#8(aa4$QQ3G!=A5@>!(63?Lf71d`{7CbJ?#x~o4|2ifkD-(abOX3L@Z39+H9ID zI-_=YvQ;4}VHMdYiF_5={#5?>mm`+~5=V~x1bYv}=GKlA*hv}=b=Ab^4i1gh3}oQ6 zN48;3VzGg5t;aNv=^=fTYh_9FlZWr#=N|)sM5DXV6xnftA&95s`)`?IypP_1TaZ1BKJ)kH38S zsPj$oyx{|k3{zhi1}{O8HYTWkS}_mH_jVQ@Eq6(1w3qGp(a23ZSJh!1OK9{s0MM!$ zzYaU_{9B-KVEY_(j3$_(tZj{m^?7T&|v^dy)#V`xtNrM|tFlB{BP(i{-|(RFlusVzRZ1M#_h}DxDmPW|D+M^f;a`**qOQxYRb3Gcjf)C1mHQR@BtG$& zL5Ys>J_yldAPUn3snLeX)<=gSB6oV@_r6i9OsPc{6`UT-SnzxmL#H;=Y2!Mmy(<;&!l;jg@G~&z@%gv~CRw zhOrJgFqZ|v*w@Tp*_{Vom01XzrF((W=K{7_wI(VSQztKP+NF=LH3ZEe76=BWUoF&@ z_U>fQ@qQC2$Owp2g9^#mPW!`KRlq)Mc+-5MD~rs{9(XlD^X#|Zpp4f{`)iPVH1S&U zzBZf_J`PZi8R0dHXnyqF%_;Z!=!kNZB+ZEU-Tq0myNrL|BjngNpXUwUhl#zSxn8>f zdDNJe1C9o-0a8T2L3;L}T{J~L7?2juVWF2bnc)VGKz}(8UZ_*59*gVmVt7azg#GR$v~0OW@)!HL+&U~9$uC2E!(d?b(2iZ!#_R ze%4%^#ID$^ziPS^$>Xb+w3yD+k4uWqKG-A!PW04!Gz}s$as%uM7o35nnU1;E`S7y^ zJ>8XkiBCHHYCZk7(KVCEgkR#LTYhn0Xv&2&J9Gt68|y)&2~Q?p&kVdswSLQ83t77C z81NJ^jio5F($cshz`Mg%0Nco00mOj)DbLcKf#<0KJkM$1&BTXdKz`jk9ac#(#!Ez@ zy(~^LegOMLNXNd7*?SG^k*L?3QLk32%o^mSSxYBo2=^xB6CNKypGMCEK>pT~aWwgi z7yQ7=&5^Y$IZ+tcsZ)U^OOlk?>Bp7fdBIQ6sb;j{9eb&~gj)y4^j=Epk!Kf0fQnu; z3IIGw5^dm^XMlX7AHSZ@E`$qW?)IqpO&3SKw85;2&f1>CAL9M%8#Dk|MSul? zbFESQL+~i03H*S`LIv8uwTQMK$m|EjZtgy1y@yD$Wj&EDPbkZ`kttHz5iZVMjS>^R zj9Xfyw~Qv5%Wu%<5rC*#j`~4=55Ai_B~8v89`A5wACel@*8Fa*{{FsEZOxnF_NO4l zZWT@=>nE<d|%Rh~C^26x$9M zH;DuLf@W3dxT4vafOW60YD)Z&Ep!Q&9xg2z!KHsxS~3#iK|48$_C-X9>kNmw;~?yz z2B+p$WSS~-O-2@LnqSnZ8EX4*A1^<`w#p?L!Gx$q&sRxsRGZYO0!fY7g%H-SBid%( z7jsK8tVF8xQwF@3h%w>@1Ft$UTnjQ(VZcVaq2B-x!I#!lLzUpVbsBCN$WP5wyhCh0Y$=$a*q@lnxKaMkFi~#)Q zcQL@UaguhYrzL_D@%RdB(QlBQp7?V>k5ZO0PSt}3cc5e`LG%=Dao+k6b0d+rU2*d! 
zaeZ5oiIGQ+PMb>02=DU^=08bnwXwW%_-=$|gd#bZadd!m0Z2K8fpQ1N`dyQ*+K})H z-`mp;z5FVs16GSo9pf$VYOdB=Z%f(7$?xq#iBK!`@FQ%2jS4t>TQ;zAWok7tyR z5BFB*;ye%QF|UOihRRa)Vcow$BH#z+mLd{ynyM+Dk2`(T%`~WnFI&a*&B6`fm8)fh zJ17Nup)MHO+ZjL^b|B5w9ehc<(5qxy+3_{wa)(I*zq;6=B9QGy@_G&F$S=k*CaMT@ z4F~S>dQv6sp#6h&8wrH=u~pP1(v9?aI#;h|R7DWq zdt~;s^tPK%X?^%5q18v;E6H(S!1av_&|MUdCL(YB7H_>}^+lJ01 z9=@w#^YDzA`6F-@Irm~3)fB2|2EaoO?)VUgV8XVc?(jhz;{|-a09=cS1-q3&jELCw zup=!LWQVAKLD(0B-PLCiQlriPs0F0BJ+6Ak|oL`Jw7Y zF)h<-@7~@gXxoM)*|n`xYCJm3E-T)UJ-gmy>$D(lus$>p&6wsF>F^MLe zr0T1AqP#wah{XmryP&? z%o;N%K@r0ee>S#Ka4)pL%Eg1O>c^_bl{-Q@%k!UXLbH~|FWr9(tc*UKiXn`nzw#(% zHuO(5iiD?kGp&X%$bTMkd85cJt@))=(l;qS{OIBl^#ORRzPjr4Nps3Jz7#8Dh7a*O z)(MyY@wrNay+Ae`T)&m0I;-f@dbdOOsjmlf6r~l|>7nT*FfPh7YG-D)Zx&um+C0Lc zv3tiGd#;R-XSpep(*Nor-xawBKyS(h;;S|@^)X{e_b~Bu^Slwsd>}?!3ooX!ZCXFP zTj>1_AGgK&Jo`xC($yZIyb_VN_gvH#v%^IG^&CDA5bPuvr$YJsl5@n&1u1rqsf6oU z2s;(jKw<20Y$G>!;UfLPBgy?;s^#)no2a^5oKr$r$89|YLf}Z-o$qWaN-!VC&!hDGd zw*B<$R|y2){${X`a{98v=6W<Mf+lP$eV@z&vjNPuPYw8j?bV#rl42s@&B$(ON&C)OVcX=4V;x1A+#xCx4!G zra2?)Upn+uRp*#Ga`K)4v95Y&(?4zE(3Eb3pk4>(tBYFIUgs&}!@0z48ZZ4F?Oa$P zO&1M00gc){wom$2l{&G1JvEP8L26N9%i`7?T4z^Gf72RWH-cDHn{hH3>RAu4d$*Vk zq93Av058rq$?sMJMa7_f9OR3$LM_EJgy_s z=PGDNPMrB~-mpAWwiP4?FlkEL43LlT8I zjMVOdpC@{EJWk$cw}X#&Kn?^EgJ6+ma1{b0@=e>#f8prkknxxNk9_adri>bapc_Ym z&nze&jAI}?kHH{{6~^WnJiNxLWaSZia4Mm|F7Wg`WXaIFg)ErIRS1kq$o^rd;z}@p zUS6?BSMFWTd-4mp!EZn80b0yQO77tWH zNzA_IHtvKEh!NomB>*d^`MYUzq zjiavj3&isx|I{iqhkeT#irry6$TYXl{X=!syl>x13aDFpWP~$`wGHsD!@sBHDE|m` z@%z~QY|f{%t}cpCWv1%sdBS5Ctb|I)?LA#EMT4pZ)&C7LptwED-i+}Zi3}8t_oucT zHI+>VB|m&BdrLDX&lT{-v?a%&qi<0L@UinC1*aI!xwmQ!*2S*7P^m-b zKzpqO`&{5Oy*9;iPhdSzN6#)d1ikF2{kC?@R2yZ*H`Ce9(yw;tdD7zeTSk8_|2m2f z+U6Nl6$3=!zdCUu<9urhPa7#ey*>~+G`@*Z~g;$tQ6Tpyq$ zD43F!DJ%dsb9+shw>jC(%n3w!^jnX6B}D2;-2X=?VS~dDGslrjzEMpK)oiX>GZmHk z5(%U5HO)aWZogI_TtAo~rZ7zI)?+l##^EuH-tj=Z^`3*fZJt=pIZ6MhD@Mue$V~A( zaL&Suh`enqPMW|)U1oB3nP3_V2b%%8Wet#T*@gaDdbN`2qBRr*WCTo*0B{5sasi1y 
z3lERQ@+p}wr9C7AJwta#`Wl}4wkF|z*4{9--|uAz#WUChfXc>A;Fkz!N*@SzXxw6c zfEAjI=Zbqgz(O(VF*mRs-LM=Rnv*osP8H>R4_dXj2l@VqpQv5rY#FHCR`i?vFZegubDA$H^ig^E~_{*qJxJYng#C=y>nHR-RkIRGg?OUl~?JKsY^-k`z08$@%+*hy4Wcn@nwkLlp*8k-TH>|5V6_7sE! z#pjcD@y@KIfmpD+MFQFR9MQSZJFEz5WvR?ETae@SY0<>w(!IU>bgm`wK{1xW9@M9)fBFG%_A(DTCmbt#^K{18J_D z1#y7UP6o34(p@V&50-yac7ZUUcQ;u_AVj;(Kh_rj zzBGa4VkD)afMZ15E6u8HvqIJI+O}<0_ z3cu_3f3f%G;ZVPQ|L{nXJ^OAdqC(1AStiMzq|I(BA%r3s3}eZ@MNtu>D9SQq7sf6W zLUx83WoO1RhFN;f?{yu=bKlqZcirFTey-o|K92i&?*8aFnz791bNZa`^S!*5C?87P z45oRmgs2o*e#-6eP=&$Cub4|e^;2}~ZT$D%vgDEXJk+oldJY-_XWP1~sx;QyY}3|v zl`Ai)d`D)o@8ICo2Q*e#L~s_W$z#*Zkin0OoH{;wXuz}Fw%{lZ`e|eORTlv^HL4se zNWtJUM&?MK1^HH{H8O)IWFxO>>puDT5j|+RsYJ{nKczo|d7?(QjVNl=Ym4Ln*0^%3 z*9ogz^0@&xn&^2&GRY$u}wq5s5vc1dOD9Dga9$*;`7vw zMF4>rrtuNTR(_=II4xg|Ht|n-KSvNAYMP3cJ zkW@z2BwmUk;_Ul>K`OaF<+!OJyn8NhxR#vAL}2(?F4&!0S8#!F6840sg854T`PD%% ztWNW_#qTPvAEWl`#Z`|aT~4Ud$!J6NlK2_yK~xXqS<+lIlC{X~tbP4z==(|60huwi zTAd|-QDxmr@sNX?2g6QdqOeYwG0isgM_k*aCO#^HAe`Ku;PSz>hboO7_<7vvaS5xt z)Aet}M_^zSA5OhW0D)?6A06v}!*gQ^`V=36>zf3xA2pxC4eETvSgcmf@b#(fO(8M{ zC$2G7Gleh_m1x=>WH4aOZb$-;Z-y7+aDx*`X$49ED5i3y2!=8Za0`~MmSX#FIEU@6 ziXI>7k<`7w6u=L9-B(n5M>!a5{=`SKlqkGQ`wOIt;5!*cPt=X7>KM{zE}>^h_h(6s z_jw)wQ#X1M(u0`Ofs>-?;=Mv^QDpP5bZwn+;|kmBAFr8eo<8VZ^8S#XvG~c}FFq+u zvcM?;HC-Jbl)FxoC26@zFMKPma+C>wLCAuCG#2UI&NZ5#KE^Z#Fk*Bd!Go}m+biKz zjRkaB-ipfyo4brd-xOym5~v!`UmNq7xeYl zpKwNqNV1?{*Zz>9W}*ur#Ezld;1rqfYmv909>ZFPI4et)tQ`m@sh$U!t0xlkwa;Nd zXF4o?LZ28&Hm2}X&sd=kyL?Q#*6{egdFlaI!KjMX9jFOt)&e^20G6wPw~2s-Anizk zX`#7prXKmDruj8iHi*txqv0?OcBliNhVRF&(fcnB7Vi8RC7L-5xq! 
zKS$$qrC)W*zdm?}?;6xMo97nzW^DvRQk+1pAdX)_Z9>K7{e&2{635cUx6#`J2aoGi zZ1*nb5SwA6dQE`q-AeaXD&x|$99&t>m3Hp7z2=&%yE&-}JTqB>zhL<~ntnl&9QIRU zR2$4HlM2SWA5J#(SSf^JN5}lhm`N1n=-NsWQKc1KW`LPSg-@O8ulNdY-R{%#T4>$k_ZoD`q}UqP}{wz?s|NB&{m=Sv4VzVk0=Ny&yF7^ zM$7yG7cR!vy}*S}Uv2A4a_#0FSCKI7Xtk(wP+R0xdJW1Im!QL4L*!{q5>YRDJ*DMs z=60{>(8RY_?{NZ02|&~WgzTo{uvuVB{|n*(5|-UP!*hZ`qhM1LDB;uCNLa;*2s{qD zBs3?@+BU*3dkcU@j7}(n@12eocJ7AKzG7l`EJ8$0)cqeFos<4 z_Xc2N8lo2G;iq3)HjpAdu8!jScHJK9L)kKOfzqRmII*U$$10<*StvZk#E(nuVYvKcnd{>Gumx&bng1H zKZa;95YU><#~jw$V0;zhFzyAVnS}G-JlEiN4E#?hT3y1KK4w@T;~R=y>r&oI02?Xyn0kMK z&%H4>?Yaf@OuDS4)XSz>%Z&nJ9LPg~Ws50st&NAx^v7bBWJB!wp%kHOS7UA=eLmjp zHUQaHDQ2OUfL-}SJ%u!-KdtlkdQDj~NwOuuLbr}oef#mGX#P`O$^FWn4AfB6&BrdH zlAu=@jU}2+2AcPwJg`yyZWl{Cg6IXe#H)0*dosO~nO4^xORd1c2!?nWJswWZ1Ci}6 zTb<-|!6$Jz2RLA|a^9*9z2u};DW%?j<8sBW@N;YY4?XTy%Z;s>-UCZIe58FZ@fhw& z?Zkqd$)+GDAKsRh2lwzslR@8~i7~=e|B!Eyr`Iz?T!UHYg%=$-Nm(yNdEuHB8e&eTnW{_zGCar)WiEa=SJRj;fnm%$1D9((bC9tk^R#RYz z;l3nZpm>;wvneWicB4@CRQa8>_&o+gT4HoXSP8IDjcTciD{{w`UlblY=ds`_gv~Wp zh&@}NR_7tjV;`M|QzM~QzTd2tX_X?THRF>uE9DCYr@N>fa zA9uXEPxSG8z7JF(q#10XG1yy}_($K6{q(ZyJFId)2OOD`kYWr(!4~MzqrezShr(1q z$(VWGw!>(e@ew^Mm`l_;%;~Xm`>YCN+}iTs9;023R$Qq$jsF;CjppS= z8se}&{3vZvQmEHq;LdtX_kIiH`xA8~2uK)(aU4Q>Pk*8#3w;boej!@EG7V-$S!G^a z1Q+Q1bGgn}E>jwZvDwgQXqm!U98F-L1twg)5=D~+v`H^M`!35L8e>=ekB-h8x!ydz z6ro0IgsasjR^8tOEkw48&seM)0 zFIclq&^VngD4BNMSyEdbP0vT&QyN{H_G)CqI>APMPCFDWdw9KfzY+hH^Fe2*CPyS> z!psH|KmLcmg0)j+t#B3f2pZ)j@DXm5Gghoqn(At;%sd)zRO>qq?d(!qV+2lvW-x zdy^r(vkDr9E}*F!{1wN$#*jqp_I0RoI`phCQMI?;%iZZKT`WAC_`#b;?WYbe$uAl> z8ry5OOYveeE)J=_@Bi7qxNnT~IqD!ayf3^-LP~!79Y7h!(bG^~n9&L?4XWPKE<7ao z$lbeFhAnEp-12NDX>kgyhTRJ$ANJ3Mm-E9H z;L5=I>?svyM;xm1;?8uL*F&suW~`uN+3mTLNgie zummmfqwyECYg}2H+Dm`E{7_M?H+{%5peOz35m*2`61s8pXUb3i6GzVY+h-;foa&_C-E&-i_Xs@$br&{@X#pcVS0oc2B{VM-tfV7E z63ic1-A{EH^AwstkA9fhWBq7j!g8Z}R`~YWJAMC2F~5J#R{Kkq?84veUzm1*o_;;@?*tZ1jI}Sh z{-2YFV(DyGG5)Xdv|;-7n@{_fipqb*r}dWZ!k->2JJonyR0gf7De% zC?d7h?@c1d;-(U>paTE#oef;BV2o3D`NHh9d 
z*n9@!DM;Jae?cOk#7=B^9-ZHd4>jEYCt|+!Qe2f1u$!vpz;2w3qq!yh>2(MUbj4<# zqFl{)Wv667L4(B37}AuzR*wCGTo?x(J*DR~`Ar{&m?^=F&czQpvf5PuaFFxoH?nzp zV3a#RFoqFR6$2x}l_(ZK!6Soeg8HUTl4EfE0OM)81i0W73P5A%T>#=cJRZLw?EnVx zzr4k~0W8>mFVFAg`Tg|#eYgGIT)$(_@6i1FYx?Jn#{aHABfroaiEE(0VknJu zZ!|w__l`=P;4g-;?<6+7qB#A6$ZnBPj3&^t$-c}wllf1u%+P=DG5qJd1griAJ8MF@ z3g)$K7)EStg9WAldl$3A*B}7!Po?gl@AL-q?C$>MdKE}NSyz|Ul^s7ZowjFm z{O6&Igkt4=ZWaIA&GP>f(wu^ub1h0c8W;fbAhVxGKJz;Ek2l)ilzA22eA|O+a-;!Wwy^h7{Fo zFEkG3vR|7#Oymt7Dcd$MuX29<;=*|rnVU`l_XFCZPZRsFOH*qAwK_bn6csFIZT*Lt z!GU0Q%Ih?H@wPs_S^Z->I{k{*?Uxg$P1Lryf*(C zs&cyTGs`1D3M|)YV&_V3YS){M&f8~)yKy2qobC+}$^eR3+rygWy4J6#l(a>hJh{Gq zHxjZdF+88t7UbMA{U`>APrDMoWZO?Hoz-3~ClPxJ{Kb*Dt+Al5iA{!X5Mt8!_KZsl zF7j;0${PDvzi4nc`cheKI(}TX(H{BAY-aKj0`u>W#(c)yFWnJ(jjuojv zMB|;4<-%1*HtYFq`qPZ2;~wbORwbw0)ZhzVGU&*9*Kn8e@&m;VX+Gqu6gkv#@tdOW z9@S?Fae}cU5s8^z}Re(OLf`AfavqG~*3s-05d!O$sU@t7lYIET| zwk^Q4qdT3%Wk>05KP&fmxk<%cETSUT5uJ|LzsL~93}MIl$xamO8GxLNieX4n0>&>6 zJ`^vo&P$uj%teSkz9R4GEWyT{#d>iQlZd_9yDv#FxUbgXwX#@;8D4k~7hXXfo}vz6!C2?KQXtUni133o%NS)KXTy*^evS8yi64{*R* zlvo+9mRJEAJloa*k#wc1CarzZn{mh7M`^UEgc)+~;AujAu!r@6aFxx(+5IsM!$-Qt zcC2>l`l;%KVJ*wW-WAe&-D#e17*7M|LXR*9Pr5MW^}s=^9q5YD;?(SAR=`*;GmHju zXM}!lwobswiU$}gS7bWYaVe@u`2Q{AkC=7yoMCI zL1$4fkfTcu5mZT}HWA&rmT<#Cko5KmcHl@^UFwX&HQ`uUr!!Z0_F76)FCkzp3?|AF zzIQ*xX2g2I#<#83_MAwGe&F3Z(sD9CUZg{)IPztR8By~({Z%nT1|WI9R_4iO_yryL zIuK(6FB{MG2+1d$?(7f+Y(M~=p3a1C9*5HQeEJ2!FICZBJfu!qk|jw78Sk36H7sG{ zyn39DKA*}hLOy7wxNk5s1eDsncKLmiXe?kPPNw3cX#Abao_qt%Z(Z)bx)9v<=;V(} z1KV`>ADGd&HZ-J81;55?PjfFdt(V2)JkygrjOlgJJ!2apIEVp9s z+()WR8%k~Vdd&ftRxYgK4+9na}v+8(_T^PUoT{dQ8Mu!%m#6vOG^gx!ln)ykBX^7 zI_F~PYJSMOvg6W`oP{3ssxa5eycw_^^ThGjpLhQnhcrZY{9rOMnA3r}88yS!g|Pz?8xOi9+wqt)(`1hc*U2i!JVoEbV`18I)OtlP$oB>$*qnPiC?j5iabhGBD z7SwU(n3lEn>-7_u=gO-OT7pTL*Go{f$9!=iu(Dr}6+z%n?-;YbIm_wDZ3^!|w<8`A5iq8fxFZZ7HHb`vOB%Nfp zlDjD3i^p1`+=5)l?)~E}SYmxSHLgWQIa8xE(Q+(YyzEDE;^bXsqEIZAnJ@=<4uO*@ z`d*>CW~~|}4lmVMsuS-H+1}sBuPikuo#;ON3*z1z3gyx|Ldr~Mx5 
zoJ8ccRt0O72=5vs++vR&9Tl*%t2sV;MQ8B>E))5ba9Xv<5-(KhIvpo1mFe@Lmpj!} z$i6P^S>gVg&f5m8HQC&w!q^fRf3Iu+SHy*@xWm?A2Ryum8{nRU*pGVA^@O5Y1~HXU{KM zp7s5jdn3MI+5fiH4;f^x@A0$XM4a@MV!Q4oG9TM`z?b8u?mP-nv1_&(-mBH@rWK>~v;{ho!YL{_xl-{-zQhP?)2Umk8+ zI8M7!;whHXX%T`IX&KUrLmy=PxxU0TS%vdym7wBk7TS>Y|A7SMzn7!@FaH0Zb9&5+ zB~WL<*S+8XoVyH4pIsJ6u;{mctY80z@BT~1=f6-*F)zbL%o&$70izBRh@}hPfVqDS zyh6mTI2Iw244<_GzMB}aKSwA}))(h#B<%GQg#Tj>Ipntjq>tp}@R%YDBiaN)zxizw z49cM*idw?dYi{w$uqf5ImveF~*He|7&B;aMUpi{Yf;%ihB)Q9!3aZ6j#u=<5$g~Ar z(Jt|?qKk5BV{Yp*7MZp%>is$=k@|f!Rupl-bjT&VrS_@HgmtlcC7uKF;E71S40A8x zdN3~_G5YR8L9f`ps&%yt4TZD2ysT;8f;S)^9ptw7K1enP`IY$xSjIH= zdp4c6kcm=X4Qj2nBXhgYg9-n!4qB8J7kK3S(7R%mKMGY$y_D_F{XBE{=KSLQt}gHW z+R>^^WXuYVm`{UIh96*D`v6Hf|UYs!bVgNk-)$ zFzv}N-gWR5wZF+I7TKn^mGHWhd2C^Ph`~uS@G!#~5LFr}SxsP%ui<2Ls zDE82jwOEE|CzVR)(>~udrP3_~fm@^V(#H*{sgw+K}p}C7MN~t}Bo+O>OZxaj&aI4_&W3p%>KiLY(vFUetN|vP7o%xFY z-u9I#B|1q=mlx9oXGWwfHBG7X(Jb#60o@Em%vDyXDxW-o)CLKfc})`or()ANCt^)F zeb2BBiud7;Rs!0?g0c1jiNy%c{eo1@C7@=GQRsfTda_F>Zfo0xMW(KuLal}U+jRW< zUyw&wxFSt3Tds8+J;rxTdi_M5oMd{jp}MsIma>sYhHZYP%Fg`pq8O1(1j4IRvOo2Tmq-=))weW(bH;k#mUw zZNioTRz~&^Sm|vw44q#x`1EDgVJL_S_mX1ZqBOw=({O(4g}#vqGtOo5x74Q(xh3x# zFC>2rgwgoT877!$5I;Boq9+Y|T7DD7U;`ldBbKcwGJu+ob)SPu(ZFS=^b(Y)9220u zaD7*$@E4@(G{~TKx4|wn5yPHo&<0z|h4h>rv5ML}P8S_Q{gALh(F5B6oSy3(^hj_U zPRzX7D|U!1mfNPP#G6`L#~FMfIq~pQq9;!&<|h4h0|!s!AN;?Fx~p$ms?L)xVch-L zbk_~`q&mgi4(j2>jo$agVZIAqLu=O> z>CMbPSkFkmAr03f0MTlIVIub!w#=i!NK%`}mdwSdDn;Y=)>#mFuGbhTsZWYnL{IcN za6Y%d-N^)Qv+h6{udL;iGiBJ#_>4@hObTk+chhotZaOIxUDg||rs#f&QtDV>_Uk4Gvm)F=9&7mhHh=0FyYVj^H+PX0yO{uB#ZL6Z zf?@b1a zVSPyxlyh}5Y~6}cv11%KGl?=QGt;ve@GSDkMJXQ15>60p>|wg8{9pl|izZ%z^Nzb+ zr4VM+^T&&PGoTf@4%zRkstJ>#ED#HN%I%~XrDZxvp0F~{J88=7ntrv)eqLQ(sWj^{ z58bC2-8#?-gh-mzvkpDUC_*(}O)A%zdQ$X$eYSIH!?xB0w+h@|pC|@%(fEka<*m0D z-`!ApzbLDt@l1i)k^0eO9ZK0>$U~7s#}yU>u(=RYY&au06JM`xd_`7EHTiw46Ldw( z9R21pYamtQq7Hv>8=#NB`UR=|G?c!sX&j(#QWP(;HLj^?`59GO8OIupa)s}+bvRyk ze_~?l3FSF!IvAmdW~&~Rv(OGxm((ThcDZB6M5PeTun9rNdg)oxr8 
zL4ATVF?t!=WfUjU^X4p#K~u%7OeD*I()FrpgRmRhV=4SeZjfDR2D>O;e8rL+nqiP- zs6KY$r4vh?%PJ--EAWZ7Rc9wzDwRl2T^Y&@^vbvD>a!c`da8F^Le<+qPyX1lE+m!? zc4t^9QiQ}^fw$Knm_JrL^1VF4)I4lzYek^zc8b#0m0R8>#^Oi!`oRN$tBpnzR1#@T zN<+_hh+nKV%FAS#Bs6z(6;Z=?iA48&FZ+_Q|@WSd5wUcedaET%v%YnqquX>T6B5dGQpoj#cPCe zZQ||_f5vfV@8&j!O7CF2ezb@%HZ#Pt8ZA3fm2+({UfSu3j})e9Gg)&^ijDl~ZM#-= zj(Jj-K?{WmXd2Nj29Soop{CyewIeOB=}N%Fobk93q&&7$yymIX(MMZQ*4!5yrQ$NKTlN6_iOUbW)mH}Y1gvIL#qH?aC=Cws)a)w$$SPC z+rW!x-e{UqtUNg}UV6%eX}$Q6+>aEMNh4a)zPiPbe-QfrCk@^I@~`g#m3msnFo^3^ z78oNGehLV3aAIet8k9im9e^q~*&#F)K&$$5^PTyxK+*qFn{z;imv(tbhX;Wl=&%v2 z)6htBJuKrh*L_&Gd`@BzCdiOk#0k-S@(~+$VdCyz4ZAm_!*#6I`wq7I&&&7R&E8X4 zr%^P4aA~!HN3ZbSL7UW9HN-$y%f^j99@S~ZsKx0+f>=mPwL2;?p;-H|QW%V9h5UGe!LC6%e$g`B zTH;5RF`M)4z?4hw%U)x)QGfg#nmX}KX&m3HBQyg}Ge2wRAd>SQQm zxB>}3#}WWUF`~zC&0dlV!7$=_4$jqFTE=^>+c!-;=6mT#L9zo1+!;SB-ipMoJa9%vyjHqf`{p1W9#LXNdH2Vaq3asvMH-j|5+`^LLzq48huX zqR-|5O9;0q*wE|Pscoy2Ge=@2cHA6e4vYKrUf5SHc9eOcmzgmLnkGukil)=68F`~$ z-!9&sH`dCi`$4@DanCUkf^TpH%6ak=IxNUXB)LZO12{xd%Z;?*r#KsWa{rv>c~7q7 z#2vwz&C9ID1Rj2SN^hH3UMz-SRP1Z}yf#&u8rv`NL}jeLc8UCw6g1qlKbS>3;>EWa zeck&S{o><9<=h>A zlO;6PGO`;!A;skbu5rF93O1dC=2Ix29iUmyOv=NZE_3#KMr25K;+|A(*=g2 zTcy&i84o2>BEIq*;=q?h*eEW9r$K&WJr+`v51(AD8Wu~XMcQV(7qhn8a`8z)@xxt^ zGW1#nH-Da7qhZFnC_*VD4O6w32oc#r1WymAKr#liAk-jtKiS7l6w-IkLbnKG5PF^qV zQD)kWUEe**Jk+3yyiHQ-;1R_pXkALyJ5v=qcKTp%s=x#8xGc~vpgy&mYe|w?0s{6P zZxL%P)Zoe7FHQ+?O$p^^ckVrMy3O?fJV>=jKgtdsn>5BiV-RolD{^PJl8tUw_NFmC zdgO_UPHQ6XsXGCPo6AYz&`N9@^l^ZygHUxMt~KCD?Q+-NKfZwtROMq9%MeCfM z7pgUnSLHh8x%|?G%V0uz;t=DYrbqBne}mnB1LLDVroaEtl|XjDFCmpdVH7~Yf;1dd z7kx*Wi9P?f8OXnJQF#7}@bRyl5`R91{(trQ&lAS~H*??N|JbPRKUn8tzzumDWlk|r z^auP!3(GFmKYC05BmPRSG(iHA-SIJA- zqSxNjxPt8v?rluG5VP}F22&RJ`FMt;LN0Hep+D(Gw-~>?DiO}C|7O0lhd|&oG zB*OmDex!MQ8s$$8>zL?cEkgknecbLIp#8w60odh+v_lL^Eq<@X@8{z89syD8cf9zwi2i#mey_zJNBQqF_21H( z-)r%EEq>>nzjN^4^~nF2+AL5fj@W_ciB@tf8PI~|Yo(mL>@bPf&H6EMJd`r*PBo)o zFVHivE=%ZeA-`mM#CUtQ`n!^oULVIFWRA?io&R*S^4k^t 
zFR3-Z{?o4L|KFn7{FxZ@ufF~(2Er0ja@tD(j5w}(h&SJWd)66!c?VNIT@p74+;Db> z^Z$Tk(;obSyuJr8cut^)B2~OZ1{PH*Xdlq(-9f!5GLJ`<3%6m}X%|VXQJacB%R@qz z4tBgjX`|#5-%n4FgtW3|`&eK6ufGVRO2V|P2_v-{qRdDUp(WMTNnaBJR z;OC3K>qt<>%sHwO_>Eu9M{|fzVA3F`d#5Ic6H`YJj${<23ctkiT{U5kh3nzfMBA6r zl~bC6*49?xBLt~UCc<@@lV5$5ZO3y=6$*KInVg*+Lm(0<<`DL!I!EGmdobjaDNK0b zs%yWAif9l&W6l71>Y2SsPm$eKEJRQ{tBS z#m#JPIZGlLJF}gr7$c?NgW$M`-&sqk`nk!T`Diy)alDLFf>hit?G!J{)AC z>27Fjb2vm=ScbVK%8laE2Am(grmc#AesQu+hUB<%bARfgE{GLZVZfcsto-^O^HSo& zbyxG>J)P-h+Y+yu)%T1T;klY9z&$(7PBw;taeKnIu{aFHu`N7rYs3#X&e{~G>eAKyj-eQo><2aJYAo!`RMzjg>g#STc5LNfbhnIWl)ER}6NvVu2WvJ` z$0!~I%-*r4Abh>poLSfpT6OLVu0qOWRhWNc4;SSAriDI4z_NhiKJC}$B|M_{;jWZq zO;-PmUYk~u!2U&4%*CFUQuwMZ=x7eXIfL1*d#2_{g0N3e7JkZ^P;%kPC+JNs2*OOz zd9`QFye6fK!KPSz$m65FvdFA~#qq;&g##Afkec_0K0-Pb zTMX|N=e>rX=_}F6=DmhAC)(nlhZl{l!HGX6)EBnjMJu+tX?M0B*ig~eKa#QBhpI8O_*h#UorHkmU^rZj|m@HX@ek&1m}V2j~R()W;dqJ z@=dP`v*eo@ldnv2*&EUd+354Sn6ue?Vpr98BB##umvf*5+{Cn7&)SdbvUHB!(39H_ z*;{E_B{+2#Fc`erJ-p2AO$J)}^#$T;SibZ%Ni#EA6Gc#sA=x|}Z)#x&5QeQ&g5P_> z@m%WoF4}>;e6rRXjmP4nSWB zvqoCjLt|*tcsR?VM-C;=Jmb# zw^wTa;ZN}WNDWeNl2*%%q!i(bk(Eq}VTGfC^yw2nu1WaB_p$Qo2U3H(aS}J6nhf4A z=v9vHD=ohu(vDl0gCuB#mhlY7#ydoYSf!?lAyRoFE-dW6W>#2;%27-}64{Z0Q>+@ZY`MgG$GzaXH*8Wld}qVq z7Cwm?(bD7-hZ1xZ4sblxtV&82M_+j2B+l5=9&*Oy7^zLBU*U3&W)1s?9EH|R2)D7? z>RH$yH*fpVmg>db$$9D16MHkRx_BPg;_Q6_V=oH?VJ|q2Xqo9q)MA!-K*1VT4?J#- zo(;nACyyA5-jN$WQ+$4C2v7bguX#<`OyzL`>ka4AkRUUNu71G2A|eJDEPWW656BAl z6J+FyjE#SYk$HBADfY2q3sZsvE`zJm_Nz}$JUVu|o9~=O zmay6rvd`F5uuBWb}4b4;MI&D3KYfIPeNr$g$#l3j7 zs}O4~LKo>{mDJZcI_1hI5;^yXJ=;%antd5*MqF!e;EwG_@w=*w9NB3red@Y#iD~D2 zN?;$Wuzr9Cwh0~k+{WFFL~*nbijBM~lkAT=D5_Y|Re7q{8lR^H&3;_ zp|lzqv-e^!`?nJx!V^ccx%pzZx9QItPUq_Q(WGB)>DN^#z<4yF$rvdTPXtYWMw2|C zWt?Z{T4nkRqOdA`)M)Dp;?^pg0Mk=f7eADbWa?u+yNQeAjwIe#tA-QN(IaKLafYq@ZOG~@I>}J^W=Dh?rJMLWbP;? 
zxE2UXs*jCxq!CF^9FH8Xt@4968u!km6DRd9Vf($D2YgNaJx&yj zgutWa{l_ya2Mi^i!%O}aw)8kb*cvRg{S3fd17{@d{s>&0z2RW0+{tg8?73n1;e=6aQ3s^8Ss)T^B1^fpPihez%RJ z3Bz+r@%oiBY*X>Y>Yv%6PqNCHOxvgSk>pw?@7$F-R%Poxz;0f8$C@>5HpDwO@q_yl zj2WfkJ?+AGEgNSFT3o-V!%M=+=JcDx2dwhC4{%Iu4Am%cBY;7n(x9*@;1fM~Z?Bxx9U`=R44eTiJk;4sEG6FZivB%iiQYS8{et=~>;{ei-f;vz`x)h^bRC=0vUNBuE>m}l4s?Yq0TJwUbsXxne8SgPbZ2z70*n%^@<&`iH`UM*;nU8y1i;e)0VhDI)0!^xQg?J$Vhy|w2-rO z3DnNAf>J<+kys=;QJ97GsA7DeOAWB6to$3V8!_X=X1WU{g0l)J%vzlud=uQPXBMu_|7Tz|%zwo~+9mu$(TMS_QB2-5id!qNxbTM{W5mgAKMd|WjXBAn{n_uYR;dXX`dw)buZYZnJ!_j`l~FZPd( z2`5;V$XflURm^R;^3n6~u0(Tnp%;6wbq3=tQkJY! z4b>FD*^vE?$7}=a?WQ#*5((~K8XJXOmIo(HPJamO9PsprgCEe5SUP(oFWlFBnNqys zVElZUXjaqmgxe|MGhslGIGn(cr=6ob6?}_{_f^S%oAJpuzbaC)NR}D(A%U&u+prqo zW~~5vyfjZ_Fa2~U_|;rU>zr;*vHJLJk@cLK2(-3(K^O|qxb_dOt-zeH;pw;M(@Hw= z*aIPVYEt!XpL?C_*!Qtjd-N9g2LJ8!H!rZ$(DWV69wn)`-BTkz5q(B z`~+-Ug6WJyc(z;Zqa>FC-Czef4gFHyYX)X-QFUyzf}b$Ty?S>>1Q(RCiy~%o6Y#ww zIx37FGE~U9(lp53nEC4|r71eG>ZN981aT?lzRtTk92rE#l-KW3BSKzuD9dG1)CwGf zz&6`Ff9ynDMZ0+AH{W)NnC-d~`I$9-_BsGEmoZEt--7;yHFgszz%-BL$GS?wW~yQ; zFq|~yKE>OEI+L1iwGnv!Is4~2x2_v-j+|l2EFC#<3Vw=aOj#qqW7E}&WAM?-$O2Pz zh2fDpGl>kcK-12s$xOXU)>a&;fMJ3I)R|=!fThZ@scQyjT*2;*%m)RFkJ8QFac-A& zcu66|f7~oUxAw8tSOxc^1vb%~3&Fg^$*&DB-QP8)eXA2%l39;f{i^gr88ymb|2(`w zIk=y^TU5VjySTgZI{9K{ziW|#_iL??PN5&4=dZ>Wl`8n(rChE#?dm7O2iBkw8_incz2L^ob$ z^{3uNI9{@t!AaQI#JLwtldJ9&cS2`*gti##kjCxh08S(n{svwtIar0|q8$o6v(Gl} z#Sia&`{t@{BX-kiE7^M*s_9P~L>3%Qk|eidX?pAvuDg43WRyAEw|P?DhR&q!d75PB z61yXXHGnzRNN3F8VpkMLI8t8;b;z*Bgpnv>kac(*v;vm6#lz|Uc43b>roA_JA zR0oz%D+~MH&Q4yB=#ccW4(6j5)}h{w+bsm28pU&nzqk|U^Fhx?XiNI|e73sE=bOe` zg6ls9Rct4^SsD*pO(r)jieBPIiG_vel+&LEOS(=SCpqC_D_V{3A+_QTw;f)+k-2`k zMC;Z$#Vvu}SR7z1wMtsHX;eBK7|by2SNMrIXzOGl(_r1c{fMPTI%L1dibE+?!j!Xt zjg&vgR-V^ZwjMS<4a~>$o=5d zd64JM3iH#PzA<`}e-!pm82Hy;ZRrJ`ig}dI{J5K}sa{?ZFV+sS%54cSkC3%hnUg(c%-Z_BUVJbZD7efEjb_)70wT!%#8g`94)3z+u?_X>t$l>R|trQfU-K@E+0;A+R<;^P5_0!VWWWwj3o@8a${*e(9CQTeSNcorY&il&-$8BK 
zTK3n@(O%Xk(eHyWuBWzPx%?Fz4>>KrAZy)#Q!*B!gQmYm-Bt9OS&LoMlAg}saF^77 z6J}d~!>Hf*4o>8#pwZZ);(c(x>^(I~qf6u{N;qCAT0M)8ltB5esAh54pcnAc1oGcD zaf!XtW%uR|bQJsnt;nOL)tfWw?_oDhhL2It0$Q9av5FpK3_kKsHqVEKGqk%I(^F+W z)9A=rwX9S>-?;I5y)FaABaM^KlEh5|8w_t&7t2p8t%#F^Z74B$6vuY4knaj=&IoT} zn|RB?8%|EAK1lGL)crhHaUTaV4_fLdYN=}+i2MltgzfnSnJq@Z8QAB*?ZgeTf^tJ~ zStES#KeLB;_un3T6HCco_-O(|7=CYpC3wSm8Z-c_ATlE8HN|MGiM-R+GSMxZas1@v z>T@04?X13POVCOrYt)~P1r4i0-(jTfhh3@Kl)GHg>v6Cd-$^Dcl-}{8~{pCexhvmAh zrBm=X>pwDXA0m8X3H*vl^j(Wae;kgkGs7FktT|USB*dSJ9=PZ2aakY`uu=N^A0}8j z3?A-(XllH+<}&%icD%j6i+Zih<1@X-!X_CLNlZBS1DY2yeuW@6-Q z+v7b>%qBHt#Vzw9i=#j@96W>mtan99P`2@?$2{7Zxx9-3`h!{bhEz@^@!i}*`pk5+6~e8z2SPX~1_|>TlP6dV zifz%%{Ulz;oO+ya`wEY_yz>_xvkG^-Mn^B-|Ha&!Mzi^b{i2kj#;O`>ilU`8)jSJr zO+~3z6(wyArKzH3LX?_kiWU_uiW*Y$P%|;lW5t-5)sPq>B=X)UJ5f6~#0R3#jfFXCQ>D8Zd%=r;ugaXAh6R@5D)@Nq833O%Zw0}fb< zxCXZ>V`QBsK9LWQ-$>x0U76K&gvR+Z-3nNz%PUyXinbr^hlY`2`;lCJ%Rg`$n9j{e zlH5qSi_#e6`PMDCyp2&xipKrEnu?Lzx_)r7k{z&B?nVHEf*>$J_RJ?U5JWyDEb_CB~ds#m+Cw zQRMDK^{yH?1yqwaq%<~)RZdX+hsu{F(fTAY1h4@Bw2F`0?W9`qHgnbK5613FVcEqk z!#}S&q>dElvJJXQ@oGAaE0YGiuONy%fF$*6!NPt*#nz{2XU+MQ{|@Yr{s%ISLZ z4`w{8_;*+8%@;o-`v*)*lRKCZc` zXh0~wza*r;k|tY_#qUQ2$(gL%__aH_U`s8i)-)Z-U)9fD`>eOf6gW(4dg8rDqQI5u zb=XAqCbu9D=FN3c_8%e*7SF{;UTTAcgNG?7xQZ`$?FsRZVaTqc<2~Em%Ej1*$cS{UM(To zQ(9Ljdd+nN;M`65@)9Vy0T|&(IhTzN59wkPBwJ2aZ)!Y(pBH+?NtMy3UR9C5LlwNm zq54W~y=9vC0c!(b&6t+N<$an?hM8mM!8-0rAtzcYK_~isS^JOlw{zJO(s0PmzT7(e zNkm~oTa2b1Dm#bjf|n?w(E42RJeMNBjkvUTP@&a^O=kUiMjB*Ebd{1j>Wgmdfxd zNSv#roOIF~Jo9^Fq*H+b2zMRwl^&@;eP&6LgxTXax=buBN69b!1;{>1(H_j*R})?g z37KDtyPX`i;JFW>B|iXusCX=r#Ig-Odvqhnki-t}#bCiCI(?v%35V7FZ^6?u&7)u;a zL(Z>GQjZ5uFC9GF`-cjsbWRn6#4v7kWXbc46})NZUj>A9Q~0}bv1jDz!IV!fjLWNc zzXA?sw8?$QEHKpVR1#>w*Idb&UjW~@bUdhIR}-cl=#V)aQ*NzdMJ~>rf4>OiB#--} z`~5fd9%`%FxS{1&bj$YVGP+L8wRTZA401$v*D5(_HgAJt5WF>rSaxSmsFE3aY4h*x zYQpNy=LU1Wfw#LNZW>9Rqh81oSBeZ}VChOZ*95AC*F5T{9S{FN7dgMIjwxEo=9{;Eewq4ine(hsE>uS&&KvM-DsH(1)5m8-YcWDw zM5evjs^6%&Ap}YnjSbgIABBd!5qg~H?zz|^pGEjeT+%S5Z4sGIxupksRdtQ|4ty=L 
zAV`9wc1Y47{$kr-0PgcQ$k!vPQwRTi|9n;7SA#)@stWz$z*XRmrjcBNiuk6+;mT;K zh|pN~S4oZzpR;f3tT0W6*?@T9E+YaVD>i-q{#GnARm)-pv?i3n-XF!_|ePFbmVJoAmiRagRxJDfLpHj}T?2FrycMdRiFqiQP-lEn2`4 z_6ufJdfwPGWY~nPvO$r$h9?@ulk59dRFLIOy1-g>D}>K9*HI#%hb{jxEC%0gbqLY} zT_tPbEjzQOXy9*ATic4UdGK)Eq znN{yv`UB!Bdn+3B>#x!Q`tn0MoJN-z}JIYO#58X?uJLTWN1=_2v(_s(w2 zu~xaV9N2$*rBMft{RWQrgU7<|c_aOLp5SHQS1m$}ym$mHz6>x2sar09`7~6tB#E9F zx0sz&FnWe-n)^n;PrHl3K^n~|P9Y-rEOA&9- zt?+XwU`$l%wxgj4EqtzD^dR+t+xK)m=9nk02kTMPVZ%DPte*d+*Mg)3#0 zpobj&-}wyCZrZ2IX{$KCU{Db{gjfPplQ*y@fHKPI0|3L%fXQhP1-}tgW?}-&6pkIT zQ+d@i>2T#i`u4!(>vzfDzWia90SxWVUN6HLx9k+pKP$jlpuPY$pKh7{!pQp*M8PljUht%p= zTSUjBMm+}kg+|YFEhl!QQ(AX3uP_0XpJMP+POUY2A4??6IrnpzPpQP_44}Q`NW? zs_aanm~l(0@uaJ_c!b@!-^QbC$GjJvh@ziQ%;>j4aT;RFOX$Q7UL_=E*N0EQyhB6o z*Of{)8rWm~1}g)NP?fWd#6&H5GHWE}Vnl{$#@0>g?XANLgMbavZ z5!o$J3VV&-E!s#yr8_tBP{jCgI#fBVb%x;}%~172b(PZ=ut3 z;v0OTb7=0E<3_kvU)+=FZ(Aw8M%NS#ciN8tGtGMcLlv7Nov^(qlcTA%z|7{}`8`g( zfBA%g`+QjfQ}j9$t)ti!e>HY2Ip)_H`;d~M!YgNfDs?KxAa_8jxSIn)){SE=+-Mx@M+^$+cB+Wd&PjHR13F*n}sN7{IlUJ zt7y>!!(2Asb3}_ITX?X%O_^@?COY(#yFbk15h7h%)9fHHIT>P1oFh2mdQegiAp9_S zyj1qnvn>CK`<=sKgTYqGdFrW}4=Pi0u&wGpQOyerdEC{R2G5RV8}7n|fiIBJDac9m zCP_HYEDGbfY6Oe15=F-DT_F;`wy%iSakYc}`)CByPS>!=D{r)9@SFhbplB)M370n} zZ(Q5Vo7JN#y(OArDfa-i&>-0(dT#jR-yMY7)i=!|JjWg9E8l7QOAr_*WpYs-r!Tkip^84t@b@cv$PWG*VGYinput;)4|(!ay0s7pb?PN0~S4u2jeGL@9J7l zeKi(2_C_UE`37R|&E^seSL6;a}NWv;s*BrW9v@3n6%As9W*45VF1 z7$kc#H|f2KaER95RD#O50=KIvilS0iGq$XrpW6G3ANk|-hWN(>qFX`0Vqp?CJrgFBbxKoh;} zMO`J$^zy1!fZ2BwG7>AkJ`X~?^H@Dyx+y=bw1QOZl$XCUXegFqDmr7dJaWqC1wW&N z0q8HVR6pPkF{U52#J8I)X0x zUD?&Jz;mF?7F-CDHxFPHP^PPEzP;nJBIjvT2wZ+(D_hzieaaZ(T3L%Ybo$IU^2?0&_y-&JfnO%Kmiy{{^)O}g`ye6bpPPa(Qjgmk z5$#Ld&kG9YG9gt8mS-Od;Y72iD`+|PxI~GtL)sM z4rNOTQqA8`4+!0u_Ql{tnDlfLH-2P!5`3vU3$-~{9MoeaG3>l>jozS1d!Jl5ZbQi0Y360OxMlTpH|T5>vu=l z6dQ-AYqkPBIjw2Ib`!~q@(n!2$Mkd|nyo8h9pWu)i!MGM(C8A|1(AVUF<`M?@iuXg zdTrn;w&f=d*<~65uNDh&ZMulRy{pjdGbv$GWnS_rjkdylbrl4I$td=xPmI%g;v{kyGwVDO%uv^mKn2r1G#PxPD 
zFQd}p1hr13Hlb^5)zAIy^fM_C+pL78fr5M5pl1|7LeK3rLiKkh=NewOf6f^_J#7UT zY*}0!hvhbG77LS0dqONcKcr~J0x96g$eN+2w$Ki{o3`r4zdhyVn(G@3(i*g$$KHMi z*$Y(xbp_09I9l8MoeV)2bd@l9$Eh;FmsL?z!9U1X$F!Kp%G1YSCO;c1+sAeZvo_|F zHKv-)nyoyxW+H z^7Fn*eU!0l>+R}`57>hmnmZ4D{k6nL_dH~whjaUkzU^NQ7-tiAzAeCQy5k}!k}!Ou zC0dk2!kCV4u+G==sTlE7NDvE53V0w4*^_up3l;!eEQW0J(zRgjSBhmc!~592Ye_$U z1ikmzgr=MqwnzdF3Y~^HaF`RxDdXF6&3LVSims`Y1uNZh$y6i9c#Bbr|2pH%MFbSahlve{Mbb3f8w#>qLCg+xz`2jFX$0aX zx@wck^I>yQQHL+&l%HN?-R#>dFx5&sop>s>w^s%ltO1Gze52BB_#J@Wkm9G`w!{jM zDTlNUQ7uw4!jm;y-<+4Dsq};ZgGyP)>~ygIFr7LhnS?KlIR^3hAuC4?_akAOjZy9gd|sCz-|SxIEuLR>mtVt1)~iVP~+Dt5UR zqbsLUf9lab(qAb{K=$&AQz0jSCh9RtO}YYCJ7+k(QO7}qo29+vXe?oAYgD042z~nK z2sy|oPV=Wl%kLY^7XP|SEnn`E6t+PrNiMrMVUpnk#A)s~9;t{syf|~z{fde^>58c~ zZS1onGx`O1E$Te}h{8tV?6Tw&Ze3VYYnlHno6QkJH2D>+BMz;;U9s{`S|MJ=YA71eP&KKwZRQB=z^?kPuoH7@mAi0ifn*4!b&|odE!U?ER%pW3jI)#^h570&4=u#H~w$o)BhGS|37)r z|99!h|M})L2QI@ysuQENwCZpzb)tCd0a^efe}Vket@@&~wSdZ>g>wtRO&0h;WWv%F zV{C;D9cwBb*sE6+BHxGgQL$3e*1i6>9rl`@XAQOeCY=k=W=+$w|G`1Gz_WM9r%zTc ze&SB*(Qq2y`IL6A{JuW_WnE8DwQF-TvKzr+gYHV|O10TFn7kb~ci)fZ!w{8U+JB1C zu|&eI674=Lq9@I7_M#O)D zdl`&A2-`N6`Hcs7$BLW;;GFF2S@Zx(W~2rn!ZJOt1dSeLe>FEQLc@Vb{OA zXh{*hi<;NcOEi*qI3)4XQ}k=z*Y-zOXGCzm&xjI*HjsPx$NE{1>(d=bBKIAsIe3Il z-;2SYkJ5)df)v8p$@C-z*qsSUMK^Y$MVwmfr^w#)wc)!F8z=Mb(8ItkPZw@pN}kpS z_Auj=?WfhzRi8pC{uGMla0?jbGFwX=tymG=NGg78ZD?=|%r&>v!>*u7?@3_8wZe2^ zz@=D~Rqkre=kg1;T3?mfqDmiW#`d-Oa94zn1dU(G!{@SnC_*;DAS5xOr|p;n9@O6a z_Ra09jn+oDAEcagc}i1heTZCvFfaYFbMdX(LdVItdAo|}Dwtm=Pl#kLWfKb1zAR~8 z-!F3Km?|@&d1YA{Wdx7RxnU#~fMyz^F;Ba)>lE#9hvOi6^p~hB<@!QUTloYbm#FWu z{MCo;nx6|di5~JEWB(78<;4M(HB0`tNsg%kcl5QzY1aOC`9uH7t};+xn99~lXVU;B z*9tJ#;^j>$i8h#PrMp6*`d;&Ry`mvf+O{_BDE-FqziXZIFZkkKuppW^i(vFF1(n17IRrjNLPW!7Jp>H?_YMDXEEK=g z5gqGZxE6}&nwbPwi?y3Fk#CPH@BvELc{`JvKZb8`OPA73GAr#`>;-MotY!Ko-2L5A zyY$@SbON|cXQopoK+&Q52AfXeOLp_R->oReY}hjtN2#VhCH)^Aj+~m+P{l#BI(_fQ ziFZA;FF%5q2af^_Tp1ivf7F}h0(Q?uQLf|B`|Y-uG_c=~0%r#P*KzbX&1!gx7NIkw 
z)Dm+3dDj)Gb;sq7ZC7e{pOU#QYvJ0F>Q(Ax$-kc>UFhWT44!{x3{=TEKMI3H(7qDM>0Yzd zzZb$VGTs0}D=ml+N3d6;UJSUG2F-plqj$tvE=wb@&0O#(&}BE)3{2MZBwq%!``3pn z9Y6d=LuioTRo2^=wdZSlhKh#}vfN21cr))AeCgIdR6XJ}Oe>H!B%8AxZyhlMH@u5%Qulh& zTwH%5r>o1H9o18ev_S^sC-7N605BEQ3alu9 z2dQBgUoQ8Fd+|MOYZJP`Cnd97-irTiFiKYCpAoz|$>};bD0d%=Nm^cOb8Dg6N`NBH zfg#^&m0uX85f~WeGU8pu9wGFn-X23AN0*ih*C(EDe!g@5Z|S?sjoUCHLh)2vYFABJ zv%H}!LzU{>LhLmZ`0UOJfZD9Ime^R-SWsrNt^Wy4OdHPlh ze7J*Al2eG5E-`PJfCD9ZBbZ)(d}=8vBsG-_&lC$g$IOy=C*lDgOn_{#T{ z$rZDfh~Td#L3JfWWk4`?GYOCk8Y=F-?H07K7pWh4pM1F@VuU(cW&auY7bTe)-5R6V z$7!5CYHg#}1#2@NmtUFCvYzQ_QJ>x;>#t}+pEoDxXC9pSUwW6zt*$?2NyQ23>Z5MwbP93Sb)+ctI#oS+V$#lA0#BJmFs`<`!mbQ(F z%m#a07=V<%Q$XDl?EAn8r!FG zy$4d}ue=LvwHtuZ=rI}?qZ@uJFC^#zL+}AdAo(E!es-&5dyE7|Vcp_$t`lQd7(Qk` z@x81Wj)2r?_~0+>fa^;cdhqN3ETjn&BGP=Ti+HCcN`B$l{I}%f1XHe{-2!20m14kY; zDsbU79%5DtWQntuk3T>n`B_6OBb?O`1nIh$C2!dX>QU?H0D(AGahlyf6lT~pqAF%U z%5p_>unt{z_RdB;*7Yfm0i`EL;j_ylv{CMea&OA-A%+p1!`~V& z&Y@G}z-7RkcLL3oh9vqz5~eA`N(_Z8bwlmWYl+uCh2|w^p1PqxmC7io3zwv;*J`F; z#c>Ib-xX~;(q}XzT+3zSAtEsGGVP0MQ%$PhpVutJXU7PAiF&oUSaJ)@#Yz5^wipnb1IhW4^QtwjKp#F6}RY68T93&F$$Q!w1h*5`+z3!K~IMiULKPj;<8zyK-i=>+~iidqSuu|CF*bmxFWaB z6iof64Im8|K-;0~{eHw@KK(=WXqyc{#CleiI!*aEgTd1^StO>cEIv|$^!4U==Hy0$ z_tY=$@c0UpY|IL$-<-QG2hyVjO}8xL3U`aktmgm?f!DMB{*W?{HxwJ?a(lN7vGeVt zKyU&uUFov41*6m?mE@j(&DwWm_jj|xt_A-FG!d@nKR0$dMut;++145A1hRU&cN@Ar zmacuDqiDSX2z&6aL7pT%81)#LzR-ra)NU^CJR>LhzHO-K?l?0Lw|1PW9Dr-&R^n zOdoAvbeNlfz1X8i@@ztvz^)(~tF6q%?kx;;^2qP&K(}8nfwl3w z*_fkl<0T_GT=6}@NS>ccvk$o9oVi~vjy|G#)&QC@+0@ok{OpCdCouzPDb^Q)qhX3) zgXMw;8+*ds;N#vV7gVp;Eeu3NT`S`eTwsRp6?2}>K|F)Id{fG+uw^P7YeSB1vI2E_ zJ9$S*qx78$Pg`2w)LIh?96ryv`D)w~xRcO%_EeXOlaSE?53ysb#aWZhi0wYEUJV>W zb=8vgEQ0Q3*GXNixSt2Wat>gLo;?1|qVa++>+|=G!ofDn1w?Im!Og56evdnR^!qDb zYW%o?fscji^Q`=0br-+DCj}v>;ib^TAcfkA!9n4OT~wD*Lp^<9m&j_O*R-d+(aTw!}u}InSg+MmM5j-Zvomu-uE}+M$2#CBg9F zJm`eVn(DNU@D|4w(IV`(9>k5hqlx-y)pzH~`^bRguw=XApJXl~8}7Gt(-cMY4c5q| zKhsu)2~1ffRE|WNf^weh-hyP+Tw-n 
zGJ*D~`|HS;3>0_4m1XnOt=GJ2;-jp-*T=VQ>fD?Dc3%840TkER5NAJVVB7o$2^kO3 z@&n9VXm$`$0L6p3mAbk$+U|073SWTFY(ts|*b4`dBcv+b(mOgj-QyI%2b?SzASj_xCF?xpL-4^*G_Z6%}pTX%MG z`$oi6JhfN6k64CDDB5s?0c9vct*0*{N=Z9P2ro0mPb{;=cnz$}Z#U`=&baTb)fUV3 z?1y}e={!%_&BM)nB)i}lH)*+&KAY8*iaV@q147|bD0ck|W{4XrSe55zF2eftrD|Qg zQAS^4gsSFy=usjzu`^y7D;7eQ<@#Nso3~}{;4!~wdY$St*gWo*irGW8oU~Kj;w7Wv zH_Fx@yD}QSti1|Y`-Auk$wkz_DhoT@7`hYs6YzUx1}ssQ*97p|SF8KL_To29Sw2s% z>%C-e%6`7u^3#M~vWyu`qTIBFey*HWtqeq<_Z7`p!jF(`w)W8MT z9MlBIz#wTgrnBmu+%pb+vLJ->B<6Z`4hNux}BYTbzgn_ z^gKad(P$+j+zX(}Kb#^fV~Cl2eD~Ns#i4qau2ifZPG;@`Bc@YHwA*>$zj->GUr46# zJ}91kdg&jk`!}e(AQxI+PvCjSAzZ|tYt>6E=qi@w@Ra4A6GD}HQS)4mp8$TlE&#FP zm~ZU$^jFGJcekp{Wm^NeLcTDGi*7&TEN$^AzBrkk=5Njc>O5Shl9E4ewLAD_S{aIv zcCyb_XV%xKf-LZLn7WR5iS~5xXZq}qlYqLvJmXYgUKqLWCiu3WvKZyc8$1U9E_|YC^6DSNb^EoZ)&~e;6&0}o28U; z#Jxth8U(8;w|^+uY{k`Nde;EI#EXNcPgT+K2q{BS{a;9mQY-$L?c58pE& zm-I%KoWZU8I$be1Qc%A)S8!I;f-Me0-9+QNOh-iEQjD$IK?td)cMj1Q`gKQ1BMC7e z(h0&evst)vE&-toQEvTeyn&5JTIg&rj@@b_^yadSNZ8oK&V4T3H5*VE7Ky*=P$k<& zgGV-ajf5^;0uoQ(O>}|y$}{)Po6P!tbPrOEsNek|&`S|Xy66Yr8OXDNLar$oNPkkZ zIjz%XPi~}@1V4gU!QK*8zmf0at20|_R$^_XzK35==r_yn$jjMNef8cimz59b^CC=$ zX|NW)UlTV+-O4>Vt5Nxho`~O}!&?aLfSExMj~3T9m{H^D8OvnE`t*~-GHIXPE8Ri* zCmG+6xn*D{IGxqPJzwswKq_2sECEcfWrGXHzSWy@MS zD58=+Ld=!cc>+o&vNquN<27wU{v9v+?eERLn186kcBR2iHUhkwPc<)jm%x><$2g_a zp+n}ifE58KfKgyFn%IGCWZq87sVPNO`wCfy$hXYK;l~AuhF>htF@ipk@pxefyM0c6 zcRKay{gaIZ=sG0A`X&Nv3fc_dDvdBQnyZO%pm({g)7!fR`3_>x5LjLc574X2H(D`b zc{pczSINzwL-ua|ipQ`H@+0M{s0Y~v=pc9%r=rZ&I4@Qtc7$j(;tO|{fN^lCka+S!pZ@&KKUA{X z0(IRZ;S(@%e0C;d{|uLWx3uIBj|jid$zciGZN4;d=v|o2+(@fY~gY z*mr}Ny{}2hcx8F2TXCzZh(yFZH;~Wa;kQJ|4Tz3wj90w&ksS0F%`wbRuo4#S+6n*g zxH>saQ>VvX8)QWp05dl6;gw9U$i$Y}t-5sdwpZR0Tv8ui$o3v?xBZbuQiI9j?gq84 zC`VzcGJTxF9>!qo(O*=UHzYR%?uKX%xdeAY{=yt7ds*Z?2`q$byD_~6t9ch-Xf>wq zVfI8>Lfuw+-pI3has`EQg*^Zke~wz+}IIk16>^+^UMn)AFnyMw$CVAAOZR zw3(7p2-1?5nmWSIb%d1|N?d$IOocoR9)q)J3BYdQ*2BI#|I*00-pqKS%p!5;;G1@( z7C=)O-&o_U)$ zb=J*B37Jd50}!UGE_TY38C}+0e%u%DSBkpL(}wM>oPRexC~KYd_@YJU*EgExn6neg 
z${;)?aoCjd(DYvxo?Dz24fz%^bvYKnL+0_0*q#-b=CMVqexWmdmvUuu)obernG(#F z82O0!+pX*Hw#)aM?59T8U%uygORIP3n1KA&`pVXN4Q7dDp{h`-<9)v%=M9m&^@tky ziVgrs*X63EDT8fkw!cixVfE#cj5hL?JN+oX8U2=J&rPDV!dGqzSINWLFW~=p;{5rK zCr(QZZU)tTo|72)4G7zLaw7Hf{2OdURm|eR-IG$G{Ws>s4agGIO=N&K0l9nPmK)ex zzE411+T=}|ZMIN2_1h-<{CU5_o{UH%94cq!x4RzVwd6fPPWrq4ean{L4Y9~S2WZHS z<+%xaXG5es!4jFQq_U+EN&wU1X<^-s0F=y0+4w@hd&krsn7A ziihz33OjPI=(izRwzRk+vA!Lo+7{e-_k^e_06V@@F7ZaQ(F#6oamTrRJcjTQQ+hhp z;H&e|--#Y5f0>;} zd1#~Zzh~r4UK=Ba2w}YkZmO>|<>+L?3*Q4(Ts=FuG1#zuIt|)@W7TN+fuYCe=XaVIBNbbT_FO=TT{qY zIl~)Ay_a^98+2(#sU#-Aj>uEVMtxE$d{cpHADu-pk_HF_&jAo|6uR-|OpE}y&ZP{L zz-LszN4%%#|LGL=Uy``M|NJ+Oj3jje(1a%MTLC0Y|unjzf^1w6-kb_@WJ}h(l z2=-*p@fU1uKCGrGNOALjnZH=>=_)Whi@tt;F$;o_|}AK zXd-LpYnK9-I*(IN-OF<7H+8xX<5)E%Hl*auo5zlsf-FtaavQ6Yog#F%%OizG>BrzT z$`OiLpxA))Tta0{ZEms&?az-T@gbKP1ay{XhGw|xp2l6-77PDOcR}~IfhH^487&Ol|UfHudg! z$okN#)%8TVs_CGvq}K>E2^@Jc?Q=|!c=!b=7wa-5z z;!;W(=#%RcyX$3mh~G)wIpULmwP2A^`~%E}!{apVo^V>iqY%w-svsQ_uU|{gJ$!co zresSa4{6ga)kiAREcUr{EWV>Z-W0jw)@kC~W~Vvjx>1u>P5S-i-P>}`O9=)Ju5At; zX~WZk-$cO%PgW(a;+alJ5MD;uJ5 z7%r2r6Ia@BEOL;`8c47px|Ty**-M+OJfMU&`sR^KCPk9>e@q&oBbFTnC|Vkds2CzzRd?DN)*$py`K@4~Z<%L7*{ z^hH1P_}r*}_lIX6kxAi!-D@Gf#MZ+s3(-CP3bIC*W1im5e^6l9ON-AOB7RumLq-Y8 zOu`_67p#Yhn%?1o{e9|DYEOIE3t&tO;44kkm_)Q#dotOC=vkro#~y`hrCt-)a?TgX zhhW~V%<&LuOmLLK;=cq6Z-PAMIjSEWwRXzbKUBw(lYLx1gKpetD{H|KPxTo)XD>t1b1RwP->8qm1+XjM}KZjYztYzF zhw5{uyU6^Z$prW;%w$Zje*dAx;SsIn#&OUbN!+i*bcPHr zCxfQ@cUoes%IgNcj$>Opebm09DBsyB` z09jUzoHIpv*htkj=RVsOQ1gFukPicAEYu4XAF^I?@YrZ125E^RHX zHg%1IepvfmNSrUWL53f87hq(Wn35i&EQh>>S9L)PF*h`m^{Iku+}gl^X9aHj0C)q0tUBSI^3sD$eiB&z6j^T%2V7s6M{%Iap z#y1yVW%lr+{%e>`j1|?Ii`K$`1`AbZ93~GW%jJC zDrK&N!dErn;I5s92%h*`VW9)mQ{!OgAia@x5cLrxGT>{+JoF06g>HVWb`CirHX%e6 zxZbL^BlWIaT0{xgCvL@k<7%xcfwKgQ;3CF$XI5t}MI#+rey7Io`C07zq^DxjvHOC{ zSaAggez8U*BTeCn$K2zR;pK)G8RK5KJJW3M&k3WkEA3jG&xHLMM{eG|^$P6u)dP|p zR~q-I{psUShIYD^i44Lx{ze-UIKpe|!V#Ou9guMuEF3FfOV%mh=3PyeWP^K34ctd~ zGnd*p|2u3M1$3!S{lJuQSwH++MW|6Ew~ypgQE6?GWYaPY3P$a?jNsmuD^*fcJR0ty 
zeoEhWF0pMQLm0$A%=m%cs@UXuSom1=#9! z@7@5E5^9QNsXm|52UG3Gda2-*-y6UJWGFEfe_2CNXo}ye0kD@+_gK?8x~=L)WLI1R zq8JyKD$=tRh9tVR6k5-xvSoGO-2nTtOAIKVA1HykTdq`9HB3rlDk|fD)Ym7!icz@s z+E>MlzW8SAU5cX#fK^e6l5iCedTqdGV-;Nce0Dh8} zhv~nxZOArKb^ZZrp}>p|L}H5^@k#v4msMut`L4T;?hmKzC-YbzYn}l)z6Y-Io#@4i zBHaR)TKRcfW2{27$SYJ<|a3fJfhO@B1LBqHR-wi;KvGare9DK@Fjsqoy|d8#2O9@y8q-osuh1sDr$~I zdTN7oDBXyI$9t_i0y2l3E3N#kt7XJIN^2J24q}bO?e=1T)c$WLSVlt-kWzhykx;aE@kF9s*5o=+Z3|E_l5wLov8`->m8{o3pipsJ z8nBfc3@T@W5zU_1lOEeZ?0L&q=ufMA_FUP++rJuK>@8n-sJ$aj(+NES6Doi{;_>qS z2|#GQUl#0V*$DKzTP0*;+;keIf)$c3EO7oXCxtcxdEhl;$I+JUdy`pPb-1qCowdBo3I9I8DI+ zE^YuWF{LBuK#CD0N(*ofI=e10LgDp0I|L+8yJV}Et^)JZ_&%P0%Ljuy{y=lk+GWaT zOTLfyK8Zz^jZZ^&v%bfrTL2-t?HWgbI$>ex0})S>duHWqd~>S0K37W{Ec?6iG2eB8 zx^Fjv-b)-N?BAU(m0qoAs;G~^Dv6IZ8S}_xv&R7q!Unc5mcqSl0+_TVRSYF+p&vC~ z)218{v_5)5OyHeP0}4>hld#g)EjnF4p2wZ7c0V(t?>|FyCh|D9Z~*6QH{wQmmWNk* zQuT^`|6aoK&m5nS$eb_88VaBt>HA8Iq%NR!@)N>!Tl zPCyg{L_}1Y5S2~@M5UJi3P=|aP!wXLh(PEaLa!oCKtpfRA)$mo%I`eBbIzH0XU=)g z%(uQ-->h}MKUlcT4urj*eee6Z?yH0YD53wc6p2l7Eyt90<>9_L@-EQprkhSg+ss@4|+4_dc znVUsx{XOMFo$T~I_Ns-Q1;G$k+Sc_weS$a0?F_+tkq(eYqL#}cL3v?K8VKQIIGw!N zAZ-oC*UF0L13vp&nkip;2RS((CLc;itea?oaqO8sKCH53i08l@IJ|!7Ky+?O1m5MG z>wee`B)gWn=TQ{O&ok}`!Dsq`BdOSX)JnK%6xSF6#mx}j;XyR)$vwB{Hs9Z#oDfvK z9G!ryD`U!PYUhXGPF7^y42Wz{dD8HC_FQL2SxBj!Tns47)|Nf{be5-EnKHTyb z^;gCL_ZQZfU@3=u<7bq6!N)>;%c@`+kV7Q!R$(H0EzrMo4K!^}zLX$ZUdI^&d^Jn!go-E(g0iY-cR7VA&!0>ECy`; z?j-yLxz7lv@K^o}wjzGYCtKl<>zw&fIA4|`;8V@k-tj6@bXk`KzIhL8X$-GTTmNwsR%pOjkf&NX>}qDO_r(2dQg|(>2O>7vgN(B zmn?IR5-{UK{rT-q56k(D%!ip-&s8K$6Bf+G`nFgTYiWlYc3YdI#>qT|ZD^wB=En9J zEsZ@V?c31?7L)vt>Uj*UKdPm!zcZ%TZMQ{>#ZrvH5;(Xsoi-HV3Nj+PEtoo7{-I^$ zmD?};CRcZ4;EBTP1#IK1DpmObJ^1yX)L)tJ#@y&*8sr?lnDX+zQW>=J``J5zq`eDm zhhbAY?bU~5wUpf)+&-;lm>*hPVR7^|(`}bD2Ze7PU^nAOGknN;fCg#C5^VvP^Rn@P z5^Ms@c=-2G&oBbYUeAgOsxtCgkdy+Mw!`l|<=wmT@wD#_qj%5(^)-n4FU7At6t51S z*5p=ye`=oq&>zHttHY==GAi>cedXvpqTXsIP0^s<`I_JExt6Yv{KSZ+XFxY5^~FD9 zek=Kj<2I9qqL9Jbtp&EOW;2rOx6?^mVCQK?)-4+bZXa^tfqBt;>gD-}@#>3uaz-a> 
zodp`7aFs<492{=L-}vmSZn`aO6HRnPs-rg+XYS9ntGuV(sT`Th^J=i(97U4y(VF0cc`*B`iBP9-qY3+y4pbesZ$Aq z+(=n>TPxV%W+XD5+QY;8@y<4BvZT!ceTp2(a+Nl+_do7!jpPPRt`sVkpGikB=~Cse%-I^- z_*T-JH+q5z1@z!nduut|)wTVr&(w@nqwlMmygn&DVmhQ?!%-*lhhqq0HvhAlwZ*Pttk-M*w0o%G?VlF9RKS7w(&W*jhn!7rv-F~2WKJj9{g04(F zN>^%S;Ada^SfEQnr5x+DQE4SYSEglU`0~VyqqNn#sHDFj?nwf~34>bPW@TD-YMx#D z{YLt6-Hy zW7^WUYL#jRKF4IS2U7+HdTJeDY+Zy~?vz;|!FWw_`{`0$Q|N162i%Wif_$j;YOMq9 z*zl;uH4`&-V&Ke;nk$gr6c6i@TQ?$Tj+|@Ox3Sw@)%N0*V`nQPX0BH-SDPlhNa*1` zF~g^}As-6?;{$i#_fl6)c>+{odg!dLb;P8FuLCcrQnh%y{R-dIy9MWCRir=N>pC8W zi2UCWmj4sdVx$mlSn3xbej2eK%5|09ShN=LQCsxYdB3L|2fE%X__zgVSg4GvN(K+V z@>E95rpRrQ4d+G7L2~V+rB7M~0}EOxKH-{NN2 ze9Qe`OL|=jLhT$9_gBZ!*Ujeh+7oQ&lj4ejr!9w|=A39^@|2qZ3zku;!|0onkvUsK$$=YCq7qJXsZN(eP3}1FW zXMG$|8n}b_X||Duf5k+J{YH_^0C(c=K&i<}%&)F_YBb|rvkykz{7j`)_hsn^pV&+J zxcN9}Vy9birhIK(=hB>XW_NYDRz5bxlu$BsWYz*5`5UvczP5Ou%!ciyP2P?&!;LsR!aQ77_G5V|OMOKDMOnq4`GWkP3PXGTg77Nk+s{i01T9_n zow!~k62dtjrsEFMViI`n;HV$O(~4~Rocvf++Y~l^21Js)t^ZkiV1DI7M7!kLbx9gY zv;#h`c}9T9+B()GH-6`*mA#S_U+lf@HyMFT-d#cn%{kUK7vh)sQCyupBm1BcEYs4T z^7Fg=wyv=46<_%2VA1Il`1CJx;x#;mrfCj}G!;6Fmftl)*7l`f;R;h^fzFZ@)5Z1EvcX}(JN8!BPuQ9TD6j}7b1Lc;f<`?L7ua>N+%ejK~ zCl29mnmspPWflKi7fmSWZeu8S?#G~}i(Tf>tx%re+d+G{f{E0;li#L;Kf?Cws}{~I zZ)HMuuu>-0!^IUcHoFE*SXpToe=+Ri`USD;tlr7i75_p{7R1xy^?V1|#|ixo7b1@I z=cL*P#J@f8NKqp!Q0Y;vVOqYiD-Cw|MS+i983p?))6&TJCZi9+>TX6 zmIb&-AUsH;yHo#s)W3Yk|408u{s%0_3&75fDo-}U9dwwnx$(=r*!GYvk|pRLe|YTN zrbU?i_8pi5{P6q%jKG?47`roo<)E5?kcf3KMOYH@t~d#B)6$T;J8jO(A5^o}A$D&z%~L?0!Ye%V zh0^2piGGCOgeLtR5!efGE1gY0ewq^zKe<q?-KEr!x2$}TAl|{Vo^Zt zK`{qgZGZ6>XcwPWFI(sI%#df={UOvGWSQWPCTJ34KI$IWaP=2g#H22Dz0MK&WgCIy zhu~qrSRFa%;@@h<{T5!@Kp^0IxHp@%%nRh{2a}WSUG8jefKf)zQ;Gq7Rc&~z5ohe} z(dZj`1+O5MpZuTAnI(`F=Yn8-?gU}`)R4tPo>Ozr7zP_$62tP*>gXXTGbpT#QUskJ zN}ZI=-{Hr5)_R{V^PHrol(bTnXb#ssJhYd--AV6u%=EKbxUyJY+e|x|YKKnL;rH*F z`&O0gU)BEW?UHZU78A6u+0)RwCe&vIRW9)yHYY=@|9sffG;TOmVAcg)A?{#y6eZ>| zkMao5Q?C;1an9SF!cgId+1#UBA`jGc?kc<%>mtcUivI<93fy$}ahND&G#?^;S_rpa 
zTZ^fmS-Q-kSZY!&k;`TDrQ!CR>5~?X#U?2J__=8+Bpx5dTG!Fbsm!H_B=RF8xHj1we-@-gcp%%)R(JUzzYe4q-k>|t{4hf>gLMgPrd6Wc%8NjI4b3pLs70m_fY!snx+ z=cQ~L9jxBoDh+rAwh=FT9UP)2!e8pH+BcFM{4Gt>g=pt>UVpfr8^KT_-@v&m@?`s2 zEQA>Ny?5KZF0r?jr>5pjM3>ruyf8iZ2$)mh@a3 z@N%=riUEdT*jSUoTDmh~Ys$%lw{`2@IbJaXhCX>(kxGAwSit0bh}S8S%~SsV)xB`( zW5l$&NTU2t2u~&Cv9LPPbYURcNuYz@p@r$4^eU;_Xm3)Dem!KvYa`Eoe<=eeYx0qfk^tPQDUk)w3hqW&X$gO&U@D|nDKja0GBTQ?O#Upbw z&vWqO2}-C_?Hwm5t)CNNQS!TBp)~1rH9|aztg|!i&=+gYxbK+*5A*1LJ1ps=bh|*- z$7^6l9GA`aV?+7;-b(Ro)D}Im?3$R#*6lVVFV%H%1ntM)}=_ z42Y@3+d*{qcR9A<^8We@%N_M_Hmhhn*XXw=Qzj^1U?v;Z%IFt+QXy78-!O9vKRTbLR!V8a^`n@%)dj z5lPi=I{&8_no(G6AjER}RErForVQ%`{T5W3ujRQ;ZXPDE}Gwq(i$~i_d z`3sxu)GhW9T47A2BO-m!o_wXDybdYLx9=NkNL|zV=|H4~BdNpu)rmS#qFmdNWt(J9 z$?zpDKSirt8|5o-na4C2K6{EDDADXx<&Z7}JC58_Oi*Dgl-*1p`C3b$O+++TdWcvI zRx(s%J;0in^gZUbauTpJg2V$?O8XoDrzWAewNwME?;KIS&DqMF7}|9}I$PXDwZjFb z$XDqL1xsWf?5U1RwqvH9MUyVO*C+x*Jl(``DU%?={SLxU@dvm{zE z4Zh8FBFScpEHRJ7rnKFBcC$Rr8lyXxJ-w#zAni#CuZjls70oVp(P#HSE^?iHDMBV| zlAc{(A=6W$F;BABvrIZb1(FJ9o!% z{Z9VX1UDjjj#&ZF1Fk1-VY#NxmcP2z{prgEh??-|Dv}@O`WFOhORTrVV;uNhlqBLaDcJR;K8ioXgvNs&M*OOd#iGkYazm|S;6qamwOCb==ggF z?^&ONse=_Lj*{iTcU2xlTLqwB!(35xHvZ80+%I`EI`QZ^faA&_E&4K^HZq& z&Y`tZbF2mTCD#$vJV8HoW;A$XU8nq zX_}0`HOCC?Go(+?YvyM~(5p=s_O;xlDt{0CK|NK1%V=K}8~(UcwC{gsyU#q5Jw-oK z`1vfw6yom}*>HB=jNcvc+26U-c0GNu&>>Q|Fc3Ic`Mf0<5j(i@u#s7B-#NBdpXu4_ z)EFPaDy75Ay_#KvuQ0Lo&ojF@yi`mq`>uK}b^IaXyEbCs>mTrhXUi+`eXwbOK>8%R z3M22b8YA#K*J*#NH%e9{iMa>L*1Hq@s&Lmtqx7QS?~oegpXd>7i;lqY1eg=EAsm0a zHRxB7o#RVMy9q(aRiX9WKOtEEu?_5h=JBw9XaxDMqI{$&A7DW6`<04GqJ~wjz{;+d ze_lbcZOQJ(bxVIxQIJfTzmi}g=$(GXxpBPL|UU zMoX)%HXjC4UEh-<7~l$<*m1ub@pA2_JUk?#9c3i?>UbZ2ThNY~4ID+lqi4#x+Q#^c ztI^DltuFR3n*81psm|cV&Ljkwbq-+F$v(MB^!^IJDln{PZa>ns7H1rKq;`w&o;90{ zKtnnGt1a;~yrhuHa@GUu8j92w3~NHY3VTKco$MdxWlqQ(>5_kH+fiPN+$pys&m4r0 z55u!>QRmYZuU)2@e4nEJp7pg3Yp`A|h%#-2wM%ww+QM)j<}?2!8HCtH@Z zI-~fsK(7vTj7>%djQ6g8%6@P@WJh}Td+=Ky(E`eKBZ(j5Z-8Ik)6kB(4OJd{Nt_Tt zn2~g=;p)I8o&!ZzB70rvu_hig$e)|<1_W;x-BHh+(^yma@>*Zb8-|Z_wLt1(hZV{l 
za%4D{o}k)d7KveR@Cw#yydt}$WI}g8O77wB6HWxhCbJ5kXwo@^Z(Vz+6w$I!g=Fg4 zvn67neSJp!5e)0-1H+xdQqa^hE0#wFF|z}V_O^C<%HObAs};$1su7pyE?n(X>~0SX z1D;>csd8S&$d?Bju33FnsdlXvChSnR;AHQl1zqTUvh;8P{KU^iXyBdl+8ec(edMp4QRsXCel*#`Ab$DehFs7!KJEicM?Idfg1g{gN(yielJBv&3uVcj~jSo@>e&4mO(Gqa+tA8U84;ym9gRi7#)o=C8FUrE1m+|DeJBP3RMi z%b*&&L}50>yubj)atKzHM^4H#r1(QAEKOcSyC+^Qc#gJe%g3S@JMwi0L|zsY@H(dW zAH(Q2UG&$SgLZ0%{(^VWwh-u5`V|94K=+J+ix3j2vd6QD>E?&TwGCf4f+8&q2J2Z zb%dj&zHTaLrl0PvPy3t@el~15Cm1~CnIjjHj%eLr2Pi+BH8dS zDtE(cTF&yyRM#aRLHv0 zcYp_-biRYM#<65ihdocJIT`cK&p);n%OJK5I~BT2G<*)#phTIYLn*JfK2{M2J}~I& zcxQ?ZI7^!Cp=pZHEbGRy1-ZBjPckf$tAF;g*Nq~gVlJ45xZNsM!+`@O3 zD=J)L1i9G4y!XyEh2oaU@fvVS=mfxAI?%&*Pp%UUN!N);v(e9^BPL@W4^GZBT+Y_o z87hM@)z==k%(5X%6PaeS-4%o;JM=UOID%QW??j z;Vz=eUZ@va@rKr$uhW%w$&BB7p5mBvNCnN&V1I}dAnp;W@v2dK`A?x-tN8V?M`sco zohNiUX6Ym@O!}Q`pj+EDfyWdf^EorF+qpTtqwFEP)#Ub1JlRK=RAR#6$EatMi-KWz zyWE#9ixYeny_12!zow2t&q*`t@7IMXAMau|fHAE#37atAJdiq>B6jH;jhc}|rvPLj z_K?>>8?AS2{V>bOi}E5xQ~7fEDUdF0J0{BZ724r^T~(VoF$f|R!!&0`02>E(uNNQ z>9IN*c%J7lClte~hFoNYtCwZx--jPse&Yd7!FiohUE)&f zwvO7|QjWZ2Gv$5pTAtQF-pe+(7qQ<0bxQNTeDgRbUDEI&xVyJjU@+}C8wJs4J6qk1 zj*KP+bxljyJ?TFDIP%`nOFdfmHiN^SD6Os#d^5mDdAl`<-u|x8@PH3f8T3xj9Z{-t z!^q!v=k;FLfsRlfJZl@8$#9OeZXG+_CGqQhn$TSQL=)|W)P!2vb$bL!7!jxwiKn%! 
z8$)|++z;Vfu$C3IN_#h{>l@L|G|K^)UEtEj&FtJF+k(mY+ZhV~D2U$Tw&a=N(~=h| zdGMftLuF{_+|5nY!&65Nz%%4n6BpSOFZ*>~j*<9#S|IN0ujw@gVU^oi?=pU+6k4jc z@Cm1l`UhPmYLetv53)sS$1JSJb7MZnm=7(TnccX2>C!Pn>8X6$7UaXYdPGv(MSYqR zn|p8lmqhX%LPZ!sv&a`bPnk{eY6>@l^Cjk*ztK0rUGe!LwIZy=t>&{IatoY2Q#{WsBzVgmRCw z$E^20iVRp(S@qE3_{dTph)E<<|MiwowJ|M)ryWy=7|+ z{Reur_pF@IDrn-Zh&r8=lPi}E$%w8dG4kCp>IH;`FM6Ia$RBD3m$?iHyH(=wjv}=R z@<0%Cxk;*6vc*EZbA{RK&o|oy6cT?;nl1GQZ{ur%RioR-#$Zf*qQjdq>=MbUP=$Nf ze@jo6uJ%JhY)N-MSI^J~3+3B9BlrZl1V3dItKxyhbcFg^u2{AVya+u3l$QfkF1hx& ze852;>4{wS=1oynPe}d_d8(5)TwaWE1|GBA$(1M${}JB|`fVm1$4f?#Wv{+n5Oz_f zsLOw3NPbhfObO}-c+&|$AzF=2&~n3dk_i5z6`13bw$>AjeoFU4ZD7WHKTPd(K`8V&j9$RHEE{?eVF9)^%bNu;=okg#O^VN;x!*|Uj8Ko0v zpE9*C?B=_I{Zfj$(~I8{jspiq(B4lU!?@nO-g;o9J)rdJ&%DN5m)%ghq>7l8+<5CH z(%3M0$zw;}SKCAoHTLGePdk=;4JMy|5o&449nxhD5Pi9o90$Fl4l7cKm88MR`g2#Eh{yL>DJaw zJ)sUUP8!jaK3T1CmoC$G)Ur94W=e_*K8v_uEh{SyF%_v1qLo)8uL0vr;1%#+>5KN? zZ=U$yUDN)Dd)ogc-~W;C+25N>{$F~2{((g9|35#mkiY)lqM;Ojy@6AWSIXjM1^Ix= zOH~<Y?a{b>FmPy=rRIuKHjBj6?Fz3jYvWKmCYEMO3MSP#u z&b_SsxIV#Sk0fbXVz;zHa3k~dt^IDnns{g%HacqGAjZYk)R?~db^DA@RSi9TX|eFX zK(Nraz_5Qi9>x-^nMbVd%4QjRD#UZ!(L{hmGCEUT<950`LiHXkx2}~#wGz$JKhK`8 z-*&n8LgCvZ$d)NYC3YVs6nvV9!Sxx805qAg<)|yVqTf30q36DUk<47Jv)RRyznYm} z9Y$$BvA6zPz5i45|0{k${}I{b{3Fw#<&8sJOy~t-MMnVx&y|r^rhzNI8PtvY_1xQu zy6DejperHL&pGGFJqJNU#@OG}E%A!i6RS!yuJbaN)^`VSJG?srrWheyN2a+wxN<@P z?)N7q8?8WSY~e=*soWW5BT~Zeg1onUTBku*mX$e{9P-|MJWw`|FLtfhCF+*QaRtH9 z#w!r#o3rC<8F6G~oP`O|V{QsL&z#U$SyXZHnn*>YL;8-F^aGWhADYj8Bs2%Uv&>w@ z0QpIFbgl!F(D?7XDZ5?;!Q_eRnPC#g^gavrN8}j{r zLpn>`y%KjLuG!;5JN6aIwU!^<^ZNo*==PRZ7i_u%pk?@V{o!DByoK%1o~G4CVbP*F zCmVBqSiaV&T{M&X(2B6=aAl8!qIg!2*VCadE#6GAOM2Q2ol<)u^BJ48vtIPX<(oJ{ z(X6Ja{o2r|V?%29)cG@lS%c-Fj^o|aV)*oEJjZ-hQsJtGpoYw=YTwh!DaYlr%FdOZ zW#io1?tnanL3LE!P`rtWPd8;fR7tAer8ysw{(h@blRh_j`WQA^CTces#@GVLIg4`vcG-fU~=L)_&RT{BrMPp>6aT2eIx& zrl;RsX_o~#jNl(M4mK@jk(*Mcyuw7^f z^XXi=i+a6~Prt;?EEf9A4gP0okc>w3<66YK^d`T&wt=Q=?W^?hUZ+=M0mkfKsXYF0 zgVJFgF`~*z4;kfv%c}CW2_@aT2F|gL<~zkpcc$WxJ@QU5f)Fz^=o-ytmt%qj=Ais- 
z#s2GN{Mm0#0Ga$s=d@=<9nR1nP28h5W$3i&+ckn6I1FNbx8G$?6pfe25}wt&L%X8D9O`M0 zHN79;?eIumrUK2FWN_&g^&`lm2~`5xgF@gZR_lg2Isrr-E67gNp>onGun&__1>y_z zz$u8-CWa_sS5&#Z8HpoccX*d0x8Er}mVA1@wC>qU#Jn*nj>^#X7epc%w@t&y z8If)8F%MyfySM`?GmyEwc+a9rn50xUh>@&T>;;C%s$jEAJ>4}}yi}V4ue{>D9CP~p zT|+MhUacL|P@nNJScTWdef(E~&4>~p8y50EymK_U?cx5=i+d@qv;O-mq`4zB7TKcO zbUv7gI51~2^UGub6&VauDe^-oX$Y6fq8?^sJgU)ruc~8}y2%!@^49mapyL834bkUH zh&Aa}Xz#Q#UK7!Me-Ych`E(>+j?>^QOx)S0>VnFsx zk>voD{3j4=D2%VMMuAV84=tPNoYJSVnPDwwi?ecoWke5kgpsA$QfALLX^9#z-tS5VRcXu5e+4||B^Ze)mMwgEU>+^k)C(+}J7i zl%LH9y%rYOni@$b0n6~HS#KblJ1+SV6Zq%U+SB0VVqo`Y68M*2G^l@G%S?M!w^G&6 zSQ;@u&njn_Fy5Db*~PTbkNNYx9WWJXF}^VATg{Wv=j6oEueE#fW300D*4D)B+lHbk zk05J^ql-j8Tq*$=%S3pPX@){Cl7k2D<0abr1C?DpmZCKKo;NtMhotm4(n)ed4BtKq zeVDo{`0)n)ZtShZ_v3q-Aei<#m~cuE6@kqk7EaB~DdxEiepnM(h!`iGEl4cKotm-0 z0SKlp^;=WrkLA+@puOznJz)97AgYpn+GJd(9Y0v^+b7+6#4wHk9Dxdw!;@h(uIl6 zgGWNeAH4;~EejLU0z{J`POYAI`61NM7a~PsNCPBYlN$9K6lbAd5X=jDpRvAH9kn29 zbOp#^N>R!75@p`@@IM#jl&L*|W#GO##aTL45l%G0yUcFKQrXE5#+w-3O9lE7S4LSf zBc@D3z6Mx$iMlHwkpiCz_65SU2I*6MzWVCMO$0~40#Qe&(JQ;HNM@w78BtudxrlMz zuruozlr#9&`23x#_PkqLk*j(l*k1wfJ3N?6&X_#XaaKQk``FN4F9=+Tr$l+Y4$j{T zpcKtgA^L6A?9x}Tgz?*19BMa9?pim8zuHmxmJ=ixKS*y04)+EZ?j8}`4sc)O(L;A? 
zkkk>+0+;w0~ zJu|^LH&wYPKft)g#IMe&aq;JrUbiy-N(cr7TL6A|YBv!~9`4ftNR~eg<^g*sN0g+G z0C661=47c_;uV+qXX2@d0)f${sP+d-OJ;JtDvHZq8Sl22wdtgmg*d3ETu2;biyAxD zh3MvWj|;sElAhD8ZFi$&X4+?JB7A5`L!T~gNG-vM(thNu4h$tW5Kc|3L-!g(C`*(a z%|^i*gDEY?=m#md)qe0lk%XzR33gnr^rW3o_+`q|`< zX~y6&TX?azE#jnB1al}TPAx*AitA1M#N`m2Z_pdj!3Nv=+N~4v-^}fQeMok^5vZ7Z zW8qmgVrhmb>DT&IE(%pS9@n5bw{mI%p{QSgo#@2)RI(UL3i(~-O?sjWWg1Sq|AU|U zLWeIHN&(e!HXBx6m4qK(IEb3Zo3+DF8w&jTIoTo9)~5CKw^(I?G1H@0*Obb+WE<(P z2_xDtI4jo388+qD4Se{#*{QVZXXr)l9aBP0rBhW5aZ0Rk%v&UX&9~&tQ@Su1WCcA2 zC!UwvK+Fz2i@r=;!s-0%nq}pVRIqLB*xc|GHy1TH_qdO#_i;hjlGiJ5dpmI5s&LEE z4HhI@*CWH2y?Pn@j=iEQ*fHv~=4-|a#SDqJokV^A%!V~quZrZK!+eHe8Ru0uSV{ck z`{P@II~+}{!r6n>mtPbnx|;1<+CD;7evKM#JLGKJPZVt{ZG ztW<=1hDHb>S*`;avn^#NRQcmZ@6&Ea&5t*oW=>S`@ZKxC9*AQOs@^yxc~A%bf>c-4 z2jL{V8850EcJAiyUznj{$d6IBk|7{vvyjdad10~r$xWs&Xg zi7YRSF}YbFV%Su}d_h*P^`jb?o*mj%HiB+!M-TkvuW<%>e!_3&y~4&!-)~`iGYffc z8uG2(VNfE@KcRl#7v2XSx&<8Rj0yw%HJZ8Y2`IsL0mQ>Oc)UhuhDy2H+^U?gi9i7Nd1sR8XF?l7 z?Sjf1eZji z3j}Sm{z9FzbNZcRTGzDIE%U;`{D@_uGI}v-pZ57cdznWpL=3I^d~aX>(Zzez@?03~ge3YF5zKv0vXW(4d7+V^ zmgKXWg?3djivij2pVmFmUT;awDho8gXJ$O@pQ7#lAB7(L`;%no{}B(I!bVA*H-SBG zy7)sT6p`U(M7vEZ$XrcE?Do2eW?E+6G^yu)5SVh^G$ak|F%PZ{?|WFxQ7ifc`H!|D zf0Zy5lX_PD~8?Z+F z^rJ~K*zn45f8*zvmTt|7xk zVEK*4dQq<;pZ`ti4aB>Vp`U{v5dG$pUd+&umGg)$rQk<9fIaXFG0~*8j+JXgJ`eP3NjUYirl~HHedB9zAN$L18;UK- zUBYcS!Am41#8@DG2SpgMdWX08dHUOlFn;r$cv1=Nn(Hw+tOcOhzd)`RAXknx)VH8^ z)Lh{Nj&jf}_rPtaAVIt74CoZuw#cS)2^T`{bltL=R4$nw>gJS^%3pk}zQS1Uh= z5|-Y2W!lSg4$-dNI99Vh04O>-?WNLzsi|=5(9UYh(`3t<>Ns)ry|>|K=)=nV4zb@h$1SBK~#j5;vo&y3+V>MFP+afAd!&AG$k(7BY_<2uKj=gEPB4 zMwKKRG3J>P6b0{WH1}}TX#Tvo`rEiS+){l(=sJYH8&h$js1em^#&zXkOB#Cmrs2U7 z&15K3XHzky47qp-=ST5FQchRm^5TOHRpS~gzxrp-X;qKPiPuT8Tw=IeawCLO&=Q1U znUP=EgOsr1ZNQc02F`%%dxi@Zd>F@Vx*iE>nZ0XJZ$v!x_TkhYX97Ot;xHL(DeRBr zsHr#T`!L5tncU&LKEF0o7B)2Ov-1zCgZ#?2zjqHkrt!lDzJoCA(XV(s7$E2q9iC#9 z_jAT$Dg_>X?iVb(%jMm2M-takBYaXYF`DZGi3?%#G}9%9EIA^r@qB>mhrXI$9KxUj zx&GFHdW6nWM*pf`V0lw$nw$H~JM^Q$t-9(9xZc{i1DB=lW#$OYLHbEJq`@1P)WKi; 
z)d4r&2G+GLwlK9{+WV97+h)dBDVG93%F*w<_S5u9!N&9yI?#mf1&yy@Hb!t3a3Wm% z!&hSN?`ds)i%PZx9dULo^RIN$TP%~yw2a9E_M?X*ct)z>Haj5dKKRo^7&byeF!(&G zsY5Gfzt0pbDyiL8j6U^WVFQ4mL@nGIcQd%D zzaUlg6fUpRe?eyUL7cSIz6JG^A&K=5+oytOlQUa~Xf|iHpT*?L%`LvPugR!Scp>~? zeQ9#?iUiGgR*m}XcrzRaTxpW1F=QA~dl-4B5TFh zxk^vw)FjXV?obC(Sap+`q-Aqu{w#{`qUfrP6!IXu(1H zS-TL#zXm8ilV!lEaHft!*?np%NHg?z{jazA^YABP;?(A@?X;>;_M!*RL4#S`yEaI; z+2FI_=vaT3xfe~;5iqHC=_p&BdB}En=?T-#V{-}txYW+4{Qf7?olp(t?#BuP0W_0LAmLttTh11Mg9H8Ee3RDSF5 z#rEW9HF=~fhqsp$6Z-?jNA0wOi2#v%cSMbX&Ax%|+=mKc*3mCudwoKo2msbt5PDNP z%;sF1pi}IryiL<1&FLrfx?aoj>qdGH+$FihQu--bNM~EjFE~Mk_+?hcrCr5_P#Ki7 zo|&FsMSGy4%I;=+qUM303L96o!UxSdhvQ*L4S+O>zsX&PR+_a*F(*#_yx0aTz-9&f?3A$-RZlc@m~koOWsSMd$qsr zSk5iS7Xtx=5pFqYQ)D+6_q)=mpwN2a_gnQbkLLu|YBz#1g(Gx&rd;PM=}GWK9M2{V zNk_SE-;=@{$Cn>g3Op@y%K7Axj`mNpYXTifpmKEcQ^DK;ii# zn92Qu*xjCUA+s+N3h~=7xcfTnp>SH)63mfjQIQG1s5yFCzBPWh*E_3*Msf6&;P@(( z%(ZOrtPNA<*Gf4ywqoCwyPocwJed!p5gbYZ<0 zvs%7p<53v@OyPycZ02PMFbv{Ehfj`&O@eFR!tY#@jwo{JWK~M+7twHcdehU#Zdzp| zQS=CdGcv=%+mLiRvIrP6`ALv)*2iGo*fA+Y&&0!v?o|)xPx!(v$g~=-SOGa|ykGZE zN(pQ>1IE{&h=*F?qnksx8mwohJhyBoY;F0twksCYclqffV=I!saVX)fNDP>4C0XC7+2)4@r@(Oj+=>q z_2DXK2G*&EqxFG{Q@n}iwm9)uxaJF}!YtK=3=QZ7!g4II1XPhJ49*gIsKOfY7i9kcK#jSb=;boZM{q|+Ww9iYbO83{ zk;il6m-~>dA=s$glwvro21(wf$<9ODP<>n>=;}WpBW5Q6%7WZDGjl|1+0I4y3qt0| zpqh!y4N#s708HH-axn03&=zVKayAE5>a{6?KOn?Mcfn2ti~1CC1#91b;CW>;r-tWr zkEX_Ew(CsT`gi#On?u^>8QfJ2cDo(>{D%K0)8Sw-=WkklUn$1Z%kF;XG*z==x^%tw zIceZj28r2ClXg^P=bIwi%l$5Mn+iu;TY5vPoeoK`ZS`aI$O&7!K^=g+x0pO_lrMHb zXsg~BtcZIa56Lie*CSy4K$(ryvN;YgZ4R(BAj>+HRPIL#1D_D?3hEk$YrEb&65|lgqS3nd6c_?+ zjFY+7ZvvR>`TAUO+-^?ns^$2p+CzT0I?tJ>-N3)16O#kSCe7Ud*Y73uTQ(zc1ZTau zMYj8>+b^3razQiwhOCFW=FQtLJ$2hXc^92A=cvNS7EKreF67@i(>iVs0d0rpNTHui zcB$uB`XfVBrk+TcX!DB5BnY?vffQcufa46cS(e*nFIVw#NGrDg@_FDC7f3?<`<>~RvP_GB601AF-TpmSLb(CRe6s< z*dpJO^I2PZFJ*i*ncabE2E76RbAz0}An(N>kKnkQm_w~3VNk}}VMo$Hk4I+5x5Dx8&ZF;Km0Z&SRXXA9UjOQS216a&=(XhSS5OAI&^1@&M z58|11P{9H)vd5>`h05?nDLE7iXNeGGko6pDY^i+x7sPn=&rJ{A382aXQnQ^Zh>01i 
z1psLmIUCjHbwsWQQW>LsTF`FI7Ujp0oDtvNAH&{xX_ZKUhV^!(*Z$+l$!^|oU_`>dtq#2?;Ss<}=E6|TqyQ3Davd}y zpG(JAXFAZ)b<3Ne{2X7vsi1JOh@efAYjGy^A@br@&&#azMR~YuA9I=rsOUbR!5WIj zLJn1S7f@t&+PRJXJTMZJEuEh^8yi>3wA*za+5z~SLYKr_K&$Vt3WrmNo8*Z;cv>n0 zyvVhkE>n=0+!!%`ULl5EIcI5?TZh0umidLc46(`*?i zXrNmTUuQ{Af0_H}ZoRwz+!wTc?XupwP$BIU{6#J)NB^I>0Qt`ly>v zAexhgv^FiW3sVD%10mwVs42aCsG3iqXDbafiYRXW(Vs`Wzg|60f_DMT+=dKS@6ijU$WA%h3=&-NL!V zJ#-xL$>LtKm71{jt~>wnL7{@e$t_-X-g^;xbhW);lS9}iM$f@x;gxyqa(w=>uAUWf zaT7tVvhURsmkNvSSEbz6=ChvnC{%NT#4k%Mp8BT{&i`Z@**{V^1wS@oij$V@UeT92 z-*#T;q{z!FLDX=P8Tmerl42!Zm@#Ca@}V)($%mFwTKRUZJ@b$d3)!0yB;O|jap-Yj z$C2{%3wL(Gs!&m?R#@>5JHPv?eq5%|? zD!mgG1O)-52+{)j(nJJQinORmmm&xR2n0oXlOiZcQ9(dTM0$}(Z_-PohJ@Y|>VkxL z*1Pu}*7Z@>5Kea|`L-gDkR!~uhZm1oU0pZU!BD~`t5ck1Eg335E`_ytzJpfQnF zcDSS=*@WVp)j6K&X8g73o%9EexwUFKB6r*zE?(n25Qp%qEI3CITo42LdZIslkjEmJTQ zqFTFFG;7_KEP$uH7=a?OP;H1WRUQE4ydv*T8qTrkSMrwMc+C@iabHR(k(_&*dcE}8 z>7~ka)eL75{*Mn=#GaZCrp$ATzSdgS)&^Bw*gsN7FnqgKie=Q1=tEJPF9)wLCqY!~ z)0{nuo?x?pB|=9+qo^D@de7PYVO+KD(-3XiY@0}kn6Gq_x@#YZ8U-^kFXb+2DdDo4 z0*+_3q`=DJsw-lG&+gZ)jWr=BBRZjE>yx0sD5@A_n=XFGTft7OP83-?r7|&EP4GQ3 zj&ZLS6&$;=L}t`ANrZ)Vs$!SripgR6++rn}h@oTFB-U z$7?8i>Toq%tUqB4WUCE3QdQwfpchSc9>o#J{Q@^&Lw_jt_~$POO_KiX<1Z$f!qjq-K?g|ZXhVnk z1eum9xSkVea(NVX;XEfAcqCbjtDg++13XU488Og zM-(s3EH3JOh@KXC!1~~o@kgC^YWVwXE=RCg>_!RMfI>e!d=v1SGpJEOP#50?B+g8n z-Hnqlzslw`u8k}K<7{Cr0l4I`kuX=H;wHY%9mYp*q{IrT zGTawKaY!cq3Wciy^7}Q%AE{6P-Wtq8M8~;rRAloScxzO15v^?X1EuG0oSxC&e3a_e z&&PPHW{*z|+jrlXHpwDYUB3%m&`1X|p(DO) zu5$QmSc%W|I5b*=F);vu2m6x{5GkSRbQdsh7m>OaApE1PJv;YC)m3Y@&F-#uHf+!3 zo~n;v(~x(-UsFSZww(z?GQm7LcdP-HqjuMM%*fdp@&X^({7MZJ?t3g}zG%1Vzt{ji zZBpyFFc9@3JJB;sO=gQ|xH^}S@m+lU#!bhfHj$jfi+EG9cb4|1LXuImFMiNA%7GVj zKmw62!}~p?%=Z(|8&y=aE1NeG6*5!<%{$2Q{%&$mA5T|&udDS~gZ`JPwZ`+9x=}@` zjvX0US%<)wsBDOPl0K8F5JXPDxb7m|YCl+SRG~L`$;!VpB8b@5Es@C0Cn|;%1OF$b zQ>k&##mFQtWR-D8(&-Xh9K5Y^!V9~bJzG} zOi_K&+B;d<&q)M=gRI!MGJoL&Gl$3e61C!g>TCsiG$l;P&%xHoU%HBr7f9MO;n)*` z89tMWdF?9xRof9!@yaaKp6l8{b_6y+vVSAFbcHRqji3%QkUOVS_jUNOL99rPvs&A| 
zO)mBcjItB>ES~`q;3W5QKY}cmi;_xdVbHnM#qDjgbbp(=R9~^|6&uH9ObqG_^)yfi z6+z05PTs`25t2@Aaqzh_c3h#s+P8Y?c*n10-`YvPNLK^Ikwn`uJPq)mx&BDY440$* z+@?~rz{L-8+U%PsJMb zXzMmEjv2KxR;lqPPxFm?2${rvf#AIYu|Y(s{X$@ctZZX#0BST3gFXX}K7HA8CA}#n z$8#q>yn)Ah7#8dDw;^}Ho4!VZQW+nR;YfqQ#R1udhYD7LZ!W1grFPkiMeCf}313M; z)vVd_`+*r8*$CXg(V*3=6lPBNn7Uoqa69#|oaseIg2aZ{Va_$=RB{u@76U7mbtKK) z7B5nU6#i~*i)NK2&-F;HL@|!gA=J*#FCcg0c7mY2MZ!D1#p+;bqY6NpH)V#LK`9Wx)2OSb|f9fxyL^Rj{HcJ2$4sN^aG{aBgO5<4d zJ?-qMGNnFs+U=^G(TSu|z{GsPr(N!fmuu_uOt{&AkCdC^jqf$Xl}y)9R2}#xHE_0^ z-$l&d;J5HS8~R|xm|^D64%o|g)bU`Z^3Xdm9fn1dRt0*)X64m&NVYA*h2p-Ti5o#{ zaX=+GkU9z%P;hQgnqw2PZuvCz#LzCUO(a|B3*wTfW|7nfAudPBz)-mG|2l**^!FGQ zwfsN14*vf$6#p+ND(D8V_hmFLXap2}vZ34u3Jdf<0GzkI>ap|bM}Lre1Vy4%IB3L( zQtO>tC_4{kRBJVO9AZp1371XVFu(mEuY-i#cFfK>GG-v0_?DrRG9?eHp<@PNVEzCY=JecCN$!?`KAO#9QLjHn0*pP z0Vne@pQxPBaVu)%MmALy?DP*X;HUq-tiM<5@7VhLN&GuO{GCq!-hBR#+7qjXl-BL$ zpg;-`gO42ilrhgc7T-Ov1T^ZaB>1=h9{Z)o$q`LrWhCqik4YP%Ocidq8mW-lHx;=c z8k%@u6?^PNN3i@Snp3d9BDNk+0vG{=(riL=Kg7vy{pd;hW!@p3_opu)Mx#97@46Nn z@1u(_PUu69MlNs)ROSj+M<3BC{}BQ4|5J?T|9~X^S1!- z^^e=o)ad9&lmEk){T~*Udq+6vIzY_wRN72T_85 z4Br3DIuHNHhuQzyI%f-c8J=(BNb@^qdjCmM07PnX7aB5iX|#B3n~HcoFz1z*u z#4$#1AkWRRu_MOJY|fuK7faBeSGBvhlC|{9ywHHGx>m%=r)c%S!6aMCRdy|zQb4y9 zE#=p$AvmTcU2rX<#Okd$on$}}`b!q!>yOJf3cA!FsspqpwpcvwMV91P@zBwcUPWiF zO}F@oMmDccd=x{~Rw!+QY3_r{y;omXpXE&Tu$mH8!>;!)X^LFXmXZ?X^1OMeiQ(m` z(&QEq4y>9D^73;l?@N5Ra|Gq4&E82+SXNOx=nSsBs_`6iU1s6i*uy}J;9BaN&Q(xy z%IcF7Hht{Fye@ZAeO*M49Qs*D0AvTpwnB25SO|Y7&lSH)P=1hB!1{wjss_lPjf4G| zs4NN3R!9~jzT@kOeaWia=0ycrj)@o@a3=l>wtE$noYh8kcIBh6h2W?b{QT)sjyH(Z z5`w|*@bf_5noKflw7SJE?e~we;|JE;_or8@e0RPQL{pcBuS2^-G=e|Y_w#{tU5S_7 zU4^Y;Ro-DWF^jjeItH)||H|R!UJ+pjtO#hnKV;VNR)IGVS>Baa$AcqS4ap{N#g<+%{w%GfnY>ZysmV*iEp$3tJ)ULv`Hw7Wt_ zush}ZU|WgJ)HXM8fFaeymRvyXZxpMla^9U>bKN(gmT290_KQQW7h%8gW+v0;!kb+~ zW@4GSF5lT`NRhVR30(2NPj6AQ7vil~c>~)ia*N+avJ%VtZjfhbMG_YRx48s~% z-gB(0`^JM=hyUYu*LEla(hx6ovtZMJY7 zHKM`mzzv~<_7F9f=)HbkiXch$)jIq>PI#{vz9w?!=Gi^TK=Z_Z2dRJF$V-f`C6Kqi 
zI(_Bm_k5CA6MrSJ+?VRJ?zrzmf`llKY~0Ru?D>TQZNmDOaV)zfy7u%jQy-sQDZHv5nbgigh(m8ehw0oYO zakXZjCO>7FHjaDs01PZg*J7VRdod3GX5abqB|p4LVgbE-u%4ugNdC zJ?j6wnGJ%aceGvBEXDKi8#*>pX0Mu_u^*=Fp4~lrz))#R#D*#M^UNGa{825hGFvag zPP5rj3Gq%bAJ8YO10kQqMm9Ly2fd7zvR7>V=GeliV#K=_+P@@LHYAjZM^)2Kd+M5K z3bFjj|L6XNP-?QwkK1ziI+Uf5bc)h0_nz62dvrOQ9tkg=>36p?u#ld=TG?95*oyM> zd88?#uN|26oygm!VwjRvb+4u1RGPOg-$g*!lg*O2Xr^;)_I+m{Vyi6^Tiqe20NTecBIk7gCnJYFy;VD!@&=j6h-S6hS% zSHQ+*R9Fs zVJg4h6&$f#5vuZ$kBvpY6Noewp{ng>xu-r!sp58A9Zu z4_J6-VbMOWe6sVkpm!vm=Z`KK->;p0S0~W$;QnBVmprNM`(qm^PcC*l{^A6!(m>y& zFb&$_2LC{mTS5P2DQ7PC&zGO1i3u&O*t!<3_#G+k*16|1X?fGRAtno8_$~O2;9gL{ zkY^0DHUm9A4d$3$%fZWvRy}-OPpWHDFGv)gYSV(faU8=%q2?ct!q)adNQsW(b1FOF zOn~uC7#3Ju_O!g&l<@Tdd|Alx>FZ{-*yb1qCY3>*D>Qk&pQ5zlA-l=sU3^`~|le|GB;h zJ-*gD*lIa+G=~4NaQ#k@d@lqEGR~j6*0C1iziaQ7*m9n1eaKPE06vHD?RD7lL)8qj^!g8?iWmc2Hx^sd7n;Var|S10z-*s z6lsnfuxFXpCm08YYVzMVcbx5~TWwUXuPGnO5(|9Jp_J}<<&JV`ktQHZ*zh7e@i9<7 z=bO-Uhk8FHlt1<%?Sl& zBs(iXGxE2oCp-tHf4vnZ+pObLFh7gpgB4T3FaRJ=kK6Q{J;N4^OyXi|3a}&htr?|945`M zn~FtktaUDhQAVP@$erI18oIqwbAnQ^x;ygN>KZoQn>TMEi(&=L<{Ia93n{D6z zH*G0}+Y2eL=~+*!OT7br6ob5*%0Em}9V2O0Z%I2Nnc{UwyR2Vs<#KGEeZu?#JM;x< z{@w~{)L1L3aeqKV-SYOJ#_6XA0pg)WT01}D&dbY6s*T>jWDUb5jTy#*<+p>+ zAw?=l$mNsA(WjYcM&D2hBgpxJ5d-Ea6i(tsb)=fBplvDeeA#lxdATq4OUN;kJ4I@= zqB4kcA6XMvR#y5j*PJC>A9k~TTYAWNb=7e+GGd^KYg)bOu0ZBLw`bi>A0P>s9&tepERMD83P#- zE@-*l&KFBIhmu&^gJ2y33k|FHD|fd`H&>+6?g2%N5kFGpT{Pqe-5%cki5<8)IdWdv z0rv8x6FAGn<9png+8qKfjPvB5sgtCKq?DO=jD+Cs*;b0p;dPr;T{9JLtXjT~e0Qpg z(^`gLM2^uLT^D1!%=6}s+GjI1IelH;t7jpeMTCUd*bg3ajQ65AHnap{Ax2gYmMY? 
zrcQjP4=S2hIqGN`?1KIf*3`@MyZO9Dl>Y=V7*tWOeuRy&%1 z2JkOI^5d7T8Rs$%y=}Z#LHu%R`O0;4mI8=_M?~DJvzipXLAZW@NyAR)SW8)PH5*z% zjzI}X?-XvAmVElv@!`^IZG;;nz%*=hsTC)(((+)kap7aM9p8^jXXfW{LfCwYCn;$E zji1}>G>=(D)yoskf9N_tO?cy_N@Ht7Ox?KLfXY*=VG;{h%L?^WRvbbGmSy2Oqhqm1SbY!=p{%W<<7F5P4Tvwtm)sb>|9U!uALeU+7~fpW=#4#L-q$DzL=e#I z@a_Y@Z#Oxv-w)@xBmfDdp{z~79J3EkuHo*3!C{DO@d0J^@1d|dREH3aazMDm7RYEh zYJ5@LjWxMJdnsj8!+P~csgcQR*ZKOll%lA|)VXg|oyLsgj9_a0E=ZY~c(Y^n3FHGZ zWgo5nhWs2jDJkhxvQ#6cCD^HJ6Kw^3Bd0eX_0y|Jl=Vx?iD3E=ez1+hfUVj_Hz&M0 zvuY+upI=yP)DTOh;{BM(Iw7+G2?2+`ORee0(>=Dog@j@kYCQo&$ciu+)kk!g%mwz9f-T-b( zqQNnsq5_DSKe}Q*K;;3w3FyG{7*?wLaIOipt+b2*9}SN`wJ0G$7f2l)wr7cZy`?dq z4EOKXz3LJxfFbz)!%=Aw-^n+m)b6@7}MqY19^3h1=Vz*v-L;KmBY6)uiSO%Mvdr0#79fi z+&ph91`S>6=9VmcwF&pMnq?5Vy?w{Rq>_aW6` zoKYceIVbs$@j|$h;FHe5YU?X!sTDN4Z0l>_!pea6-Zu14CPg1oABZAk>e_xEO5G@V zy5ZoIbdmMPjjUo_F{~~bBn5T$6o6}<1BP9gKQs35ATQvet?p;LDwz^iTXtL(_ zx+KB`LPYz4Mb%isutqIf21v{Acr^Fja%i0PL(S#r@ATAXhgc(`1ohSl=-w7=n>&MK zX(T}am0bD9<*sSGRiN1jmTdG00}W)KA1mF|Fr5YB`nYFedMHYK}C z2TUqevs61rSZ0tkX^3G&O)zJ*Y7TkzwN2U^ktcT00hGM6(NkpP~sp0|w zX)_EL=G@T0mBj`nywApz$h9Fi{JWt`?)1B6=d2dgbpsBdj77^BT6Ae?J5J;JGqYUba92PAdl&OcUm)gv9I6Td)?hG)e;p$eP>@QpP|UST&5W3Bk_ z4U0FLfZ)Z1C=||P32sd7hix-rF*8QTC$RmX7>gYi`M^H+_A}wpU%H~Dz2i> zGO?`*yf=kQvkneCH9sm?L|Ken`~e|iN&*;Osd1D1w8x}VM<3vqLMV zE2=mJ;zSp)E&XM{y=GsMrF#{}yBlnYUiVK5%WrSHHcL}QfyD!p>IZunAJGaAbG*1- zw!|_*cDE+3HD9bWgx)o!HHf?rMZB(Y?-IEA;1GGo8NVU((j_Qt1MG;?w0{DY4d_Nu zH?Y*9FQ{@9C9D#CbPxf?mfurD@o55Q&A$YbIsSI_V*X)PGa8hv zNORf85W^5sJQIdrw{ufv(|RW;;xOwvbSnu8YPF!zTyLPJ|;6o#J{m1X$) zrkboKUh>k2iw#y>g$g0v3QHT15}$AHSEZVCEEem!9}3@O)qR-z&|H+Lv8@V^^wk%K z)I=j*s7J+qrRZA+EAqD2^A}Ukt;%)hUKnaocya)jHlCxN$TgOg0e8X<=I**tnJ$)`Ka;XR|A)y)`56fMGbld)ZZ7oBKt)5i=a5DqL6PZbGlxa?Wm=Lmj%66(6b?o$)aUo^4i7z(({C*4E;hG4wGX+>(INe){{BNLFd z({^N5h&MW;=ichMAYk;aA^*^V6L%ukyeEA$a%eAbTG^4Onxpmf>W!-qs_8Dn`ilL< zkv%ullt_;8N79qe9^$%OTPQX@!UxfcRt5h0G7FNro_w*OyH}sN(d_gYL`>_EF9;j) zBKUBiYOcfb9;)X}Jv;oSbv_>|e~B&|X&y-YxG4pLI?LVGG*9d4T4n-cZC^G{L#~0i 
zG_J;v$6hnJ{4a&Z*FOsl<;6zdVTuufMP|k0sSi`+!oAFyf2%VbR9sp}8 zbwmD&KjaMG#)gKjc9bB8@iA|{k$5tm&n+0djq1P6L;HPcKeqf0x+2by=8A$W&*o%# z4OlSZ1DO3#%2?L5)I#Cf6!Xdol4DD+Y{x~=+S+bP_j&Rb-L7c# zp;==&>3m}hQKYYL-7VD#Zx}bidjazX;teg&rbPI_kMuY)Ps&lGG_g6+OtQQJ#|{zLvsqoboV@TCegyAnUxI9AgR z0>UE-`VOvKHn{xwUcGY{^YwKES`A1e(X}2-9B;;_89F=KtF{PToB#Maf?s()9S1VH z=A9bBw}l_4H=sMRx390k_sB}rS59=3jSwK)v|$weoM|meMtXwn`iWvI=esoRLEg54 zbAfynINmj$E0D4lf4LlC+HhsG;c*t28GN&;4ff!+F;oMMf^BQKV*c&zBK~{TfdAh# z^UAN-W~q)ru37Ux>Ml8Xc~|b!>sPSzOFZ7mf4fPFu7gSIt|=UQlM4%@ii zmBSWHlxRhse3LE6d$MZ=VRXgV^S8BRQ$;f8y6!~=a;^oJ*gR(*e5l=dXdh%HDGTms#Fz-%@7<*tHTB``)%SR2d7kL$@y7Yr5;d--SMfb^-imJ?Me@8<~}v#?D7c*57h= zOboQkP94J0V!MkWs_!VeL{UTOf(I)vSD)>O-H=W5Txk(vLo5Dr2^QB71(XWcye9L~ zjkpHeID$qsCwWQzYt}a?XNYfdKe`#Tl9(Q9wF3i*xW&u5^HN}oCjqH3aYBTa=+|rK ze&6sSIac&KWA662yZ)vVT{}g}&*KrnMs9zj)l=*Rn>cc_$*+m{n6I!zlDU;U_56zoaBtQ(PGZtS zF*KlP=kkRfx{X&R*&onvmvdORIyBA>Rl>MYE`aT|ipm$~_2>t}Zr?1R%U9gkpOFVp zB-xwQ!)oq?4wGug>3AKhT3!Bj5T7au{#DbJbfqRV?G%f!WcW_Tc?jI}bBd|Vmn?@Qv$EKtq%9>JajQN~Qf&^D?d@gRJ!UfSVM+M(9rs;Csl zVSzbV6RxRqkml`x}{l^t;NkPfc#FGCZCK^zlU!Ud_p zBwkQl6Us7sn7`2u9=dzkA-%3l6&~!D1fm&{%!9vHy;osQQNi|A`ss$P&-sM1TM3Pp z;D@dl)euKWm;ye9E56bq8B$FOJY(mqe5W26F;(y!VS6=r>Z`w!WYPkC3Cd?1!u5rg z7{AOWw;R!Zb;@CL0Ve-7e&hZ%exLqd@vHQ-JB?jc=%kMrneNZH(W1DK{36s0-Eu#N zA=BL4pX|^|vDDH*5sZ#6E3?A|(!$OWak0srwPDk#vmf}Fy{^?QV3;2_qQGlR263ru zv#m0+7f7NF{QYklywsI#M*ESsfVf2U}<{Ff9Cyl3hLIEf6Mljs#il*X% z!k-C`lOz*?&-C42v#Gbz%d0vSi;tA9S3cB2UnAK}SN?`XDGK)Ja@gaLyQC)K zUm6TT<+om0&b+~I@wXJZDlxe}{d()O&WR8UX0{a0UI!44|NPjsJs>~1F`SjIJohew%w}c2`iSd6L<1l3n%A( zR=&Al9KeyUOmPY0qS+fm7b7nL9~_6}(g@A)P{Zo?gdf?Uc`4s=Nsz|3R9;v4b79>=Iqj@NH&M4ByYTU4 zJ3Z|C-6_mRfx~Y-CN)Ef1(gQY{#9wTPx^0|fLd#=t1;l&;S@!bXtSA^hs&ep1wd)6 z<@tqu-Bl6BpK{Qz$78PAjl3UVz*Zk&n){$+$Og6|uzBdS{(FR5G|@VL9RPMGWcRea53 zn{*Je7CQ8W!b-aH0w1J%Kf|`cKp~4SRSq9dDAtEwRK!0wrmw1f#@$zo@_S1Dl)CCH z`mEjb{cGLeH@j>v8^xCewj#ud5v@_Y-4^?8-e;x1>q0nkUayT~x(-1|`-;yWpy*#D z636Ny<A@cF)Hba>iSsp!w-n%E;w{N{h#n{ch%r6zp 
zLuP|fV3YTNA_90T?N7L%CejjVAMtb4ciSmXyi*q?~67mWKhS7pl@#Bl&U@zxq5H zVeeGr2BS?op%si^tpUPdZ0{b) zSU{hi-vQDOzb`m_?j+oF2 zoo`Qb!JW_bHBZMvV3@fzTu$l zAax=kTG3$b(uuD|K2q&-XXVOfcY3{3j2TKPd?eO5Jcip4Rca%hR}VHKeVKI#-I|A5 z>T%CzR50bEYVe{}734=(*O)@FXw6g1#R#=oti-?bHUEEbDd*l@YLPuuLW2#peMZzV zZKK^kR@eU_R_iZ_8viA1OW}!c1F}t}?q+vFw0b|LTH58~s1=|Hk(Kcr+5=6^$*T7#KAh9IvRun(V0S9)s zI4RQ9lyugtbcg&CDEUbR$+D_hb;g%LG`+|&xFWR=TB!u~K^)c1=Ewrdl|giOMajB4 z^%7lgS(QYY554T-euVyE{ZJHF^&XIQIh*2gi&e(iCtzP6fHscTi0*%(5}b zV;)EOmcw=d#P?7Iys4*;!RA6l3etPYiaLoOH4bvgZgX@9TU z-?8@hWAJzK_&eqPy&L?!hyG>d(fDReMih`GpF?0<8!y5f8b~RRJ8o4bFC@XQoMdob zI$>Y_%T94AnL3Ut%YMb>B61S&C|Ny9aYPz?krQKV`7nKpqw!5 zZAFOOHv7-NUZ(rLaZPk{iCF8Y6}F~ASTBO$?SD#*_}jwmFSV%thgrD&Z_4riE7!A& z=mMBMl+{T?90>EaBM58YOscK;g|xl-66xr$3~JZ`TUj86tcZ|pt&0e&grC$o2zcIj zyM#5H?%Y$l?W7-xp!{~Q`yd>JYTh_b#VqUohIIR2K=M3Xp5g+I7ID0;Rel)OitP26 zizPq3wdchIbEh+Z-O!r*4ng$(3nbJ$2PrwAfa9Xv9B6jz2>-=;f!jq&xj&|co=@e zUcf+VEnDV^ndGevyC$J{Z9iNE3Y^#yw>qLeAZ&SG4i*#M7J(KOlh?1S4KVcY{<}7U zRmIou7zYC>e|LU*3!Sh|5rDo(Ma_M%Gw*@E+1)Ez!dia{ajt8DKo}UPeX!Qdb}ZmJ z-yaFx)<7gvn-6eDAdV&xJO$IP*SUXSshcr$lhXtyMbDk`9%kTMEd0|M3wj6w-#{^S zVc9>Ou@ZvWfY4@JUeZQ*~@DmTquy6t0Liaz(sf_=HpTYhLU3|2*4=!?21_*Y0cnEu& z2lNtQgoH@yMMRAC;B(M=TB@g9O#YlrY5n~t-W&R40aTY^9Y{SyX8$xhXv0k?5z<~! 
z#nz}ogC05Y-ObBwj0%jcGNWoBQ2~O;2VE-K;YU2~7)7v|xwFLsK-)AdR}tApmpbf`&Q}N63y+i519?&ez|R{z6fxCT2uMyd!+tzY(;&hSf90^*e_`D)M+6{XxPJF6ocaw3P+3P zaD%c>Wb%Bnaq6IqUt*Kn@R=#_1Jvx67@a|NWvt-#nsFdBP4N(~3H77+0a~-d_wef| z9x7jJ>R5MKkDBqqBZSb#%$Z}X+1WEN$({aj4{HFG4}1|;YE8GBUh_+HQmB7pU3}tP z-yMAXaa^EMONSDwY`=`Vqfaz`Psbnca3a`r8}=jnP^uAx+@bMcH%bu_G)-!0N73%G z@pL$XrVz<4b?>TlA0#T#u=mj;+g5hb5y4jx31IKFlIe6K-}1II59vmaSCY*1Hjfzl z4#s7VZ4$(Kr9k&tBM#FK9rY^>Hq5%aZ@#Lji5A!B!yE17uzl6wq3{r45lB`HPq2I~ z5671-$499&qmB5782R!&Q-&8^TX8-BiL5f!S7+1TQW0Y$COdJmq$Y(mBYq4QavdMF z-x~uFeeVgcnR?bguDQR$w-t>%FPY z?N020VCJuKA-!q+#o7SKC0$!*$+pbA-s7oj*Pc~ic{whd=!9P0Tw=`e6MJvWFtram zgR%FZU#>&4BcAz`Xj(SA$NDaM;MPxWV=tefjFa=ZtHC%Brv8L;RVp`J^2eY1IJL@p z?xopFRUf%(Mjit{Rf{Zo{7Xcso!)UO@&ewF9(IP}K$2W}G{RF^{oL@?PIYh4WOf;2 zuHy$qZ=HyJ%^}5%3&S3Yf|K(#F`bVkM0=U9W%dZjTKna&Wi_fIrJ$!N-~cbTS0mH^ zOx-s>GC}TEigyUpC1G7-t$j2%x*p{&W>N$g{t!%`+2x!H8JIi7Hs6Psf1#WOtiB*E zNY()?$;Vk^7k1Dx&k~u>hUf|ZN)AzX?JnBAw|~7dyyFLmkFv9#s`#M9YH|5$IYc85 za|;p!9|ip@j9!{UiLt_TR1WF8)0(w*0yZj`V+Cgmof2wyylQlJ{La1&P?>KtY3ZCz zjB`EBoTQl>qw8lXc5AR`6mQ#yq6(fXvYCONpERs*e%+`|plvK8F~ngU(4hw^5%C zMii3YyYHR4!j=d9#!?5yFq;~@wBzSGa58xN(BwMw9V{<6$acCH<*&Zi!<$ObP1R9L z>eCmaii2K`lRr=(M$ZY(0(XJ2O4Em;$Iqe4znqFkz0&7M3bP>cs|ZlYBTr>^i^y@; zsPf!x#c^B()20Kn(MPKLw?;Of2Fs35-uQXGp|U3WzA)d(?xkh_V%Z7TI}t`eSLvx| zF`+{1yyYr8AUAZ)4L(u6)tAORk7?|dPw#SfIm37` z_HG&k7>gxfYWeeP%*FxF)$RsTZI+Ha&8jD;w+8(U5o2hE85kXNfR+;>Fg=PR`6^O6 z;Xy(N$7Ezv+(VwZ&=y~ZS7wWwxWp3RIzXI)UM*C*Dd0{sWvsROAN8tAsF|s>EJF~ zp_+_Er1M5{SD%o1cyK3f+rsV7YGUa(v>)_ zU%1RJzny$WR4o4U4c;oL@5Jy=WMzt$x2+nne`58uZz$EdOdFXRXJT zUw1kaj)8=qalaw7cUc1an{a1>`>Fgyt5qob^M#SU{kjyf^Vh|_PtkewB%awi`0C2J zUlzwXXIp&#;rH)}8cXXdR`Am>2iJaq7HGIk zO4iu1Ecm)9wf}g}AA~_3?!g@>e1Oud6+EIGX%Ce4f)2F@RTX!e_(i>WR%r2W8$w+! 
zisG)LC4hO%Dc-xF;x^vIZhhu9#;qxZy5l)cts@9doBVHXpHV(GAu*&R*3GNjjW2B@=Lo(BZn?eRT+I-~D|nlGJo+K z(wudi4zh1@WseVdfdTrC_+T#NHSor7&Jj>eog&?fZTfY?DQDPH>GbkWt3ENkE~sy| zu?Cl*C=3_-pdv*?hW0L+1zMHdn7Q=v>Be(MNNB8xb`Y7^eK2d@oC&oWR>&5bz;zUz zPt#w}s!X)enGzw_qQfiR-=_jTgqwo|^e0HcLGpqA?F764Cp9M3G820*dF* zm*-ham9WTEt&$vF&l~0^k0$BpM#fO#RMFs`My1AtCeZFNc4CDve|V+$nZ3}tu2~v6 z;Z>u@t=_gqWH8Zp{)XhCeyM^}BSq45!;saKw%Q*Naib&gIfb1$Y@mp3&49~!|KdA)um0?e)BH_yw`|0KJTyDQLC*8&~oGDqARF8kh){s@M!+tzuR;w+w;CbI zc(;yb6lV*u(m};i%S)WB`I=KU<&NfSI#8)@AwKkkxyojyn@U8qRSo;du4G?MLaX@- zh-Msb!KVy4r;mJ_0IY75MK|^XCuBu`u z5-II2_KZ_kl&?iNFZ_z$N_GGw=I#i_uHJ^pcq}rvGZ+<;|FYae| zoW8>rDzNp#h!t^n&KO93SQlTppL(Wcp-Y}Ggzr#`oi(r$SqZ<3Ja?RqrUZUs;{~#f zZ8&dScbY1Y>y8->Cve|8{)hrG^}C=pro2sem68U{l}XO(J~H>$AA71|xP;G!UN{jd z6GHY5F)X{yDBP%8ul~~FWQ5EMhXoP2@rSBc#0Zu7#On1xd@W1Whf3IErL zSbDy)BWxK!HKLym?g@y^I{5%r#=%8C`}P{C%7A!)SalBQ}MpBhf%{T za7GF}cqqf*QAglZa9rfO)qV%~eIf60Xbwm)S%mYc-6VFj)@6YhV5VJXg}0)w@><<% za3jZJ%qI`a){AQxwrYtZm`D+W`Z8+j#k3C{Rb%B6GI}nn6y9Y_?&23Nx7ngx+8PIyXl{V4hi9lbA1GAKoH$0F zO--H!sYUUV7WISfms5q4q;8X%I9nftXheXqbl5)&ZS(Al668My3b#D!8hr~gZHVA@90Yuf(4*O zFdYy&i;3EcvoZr5KO5w_7`h4IEbA0p7d%w?AiaFosraL4N*4g;QqiR-*t%>G$fKHR zEI*Ef%{!7{#|SO(dqdEQU_`7weg|6W{y`Ei{@y~pTBqPO5DkpG{SdBMo$$&<| zc^?Md-MVWrGtuSMskVRQ}oiUa1+h?NzT@*F#qB}{@hXHU@K zv(jcgcwMAEyG$TGb953Pzc!@xcNMd0G-v**bQwq-Jl0H*b89SfW> zPL0NaWnq;59`OdIxjV^3tRBfH7HkB3wuVjEdR@0Pl?XqFsBRWHOVp^m_JUxgTiy_nRMKg$&Trw_9muW; zEyOV*wTT@dV7AajgKtQze9$db8&hT9a%+We=agXoj0mC8sSdQiyrl0cX9dVC*gO3a z^>++EI}2J~th-kHiQJ#2m{X6JsL|YqI89D#1rN1^QhRj1@+)ACP8~G_UYI!T^vbo-CrbQECK9~a=^8@@p=rEM<(;a zVy44(o1YW!WgD-naXkZMESlOGkU5&xR#QxH*!FmuuW$U^twz#l0DF$Cw=%GTDA|4rXd&Q2 zHO>!TJ`33A806Y$|2OL1JE*C*T^kLeqEuyqLJgwy zCLo|71f)v|y+i0AARr>4mjppTAfX0QerNf9Gw1BR=gd3%`%am2{$m(Q*0a`np8LM; ztEkit_Gjq!>P$l?pt|Wm_XBV`l6{GVlnL~)JZ?4UKOt;9{{dwDpZyy3?@}553({4Z z5Vyb_EQLVvwita`6BQWWmfvz`>C#dgCiOQza(KeZX`@cuz{4Wj_z^G+(#36h#UNJF zs@LAQ3>PvuLaOi6czQXi4tF 
zAF6SIwTtIKmaV?G5RfY0tMgP@1r8w2UG{-MHJN3hPd@=b&mx%fIs-5C4{rC-HEr~Dz&U{650HwC?vEV0WA~gfarATRF9Bf-cc6OFY=uECHc~~Y zoq>KA=u1wNS@RLhV!gl-hfucXrbBCdw)Za}KNiw9UOd0{l1Uq4v7>Y6-M~wIz|4k{ zd(c4yN2zk0cbS(RD|KwG%=-4!PwXb$DiX#POArfX3v@x{kR!U3Ev#Kr)z7nCmacap zC~Z#$@2nP`G#jzrYB|OYr*DsqKb?EDu8w^7}Vy=*LN$%a)^WH*0 z#>)MfThDWqZl?A>I%U_eocjC|+7(0rM8OewT3#@l^YQlEJVVtW)mtSmo-nTPvRsvi z=?#Qx3J2g;YY#&L-3sPKAQauU@I@uKLU!P?M<1_eJC>`(fw*#nX}MISjrpLT!4gOu zOxVs@r0H?A2J!N3=8`zwS{l8+sjl`Nx0jy|^4Wq8hiKWXE=F{VsC1-9#Cw0!u4&ci zu)WrFB>jF+y!S-kVdbuq3?uJe#2=upypX^PNIF~7=wYgXhX9o`VSx)GF=d#ykyfc& zXjDH`QyZzz{pUiOkC9RbXurpfs!VRiW8WU~9on3?)C;;TVc7PQ`;HQ)ZS%{Ggci?< zkn3OoI_$>*#tJyv2tC$yRdyvOK&=qvQ8c@``y$^D?cBNb>dB&Kukpj|6RrA-`3L9% z>JwtwO3`Dt-0{WPVVy^gn)jo$K&3ZEYW=(~N(uw{caUvb1(ll+WY?4Kh%K0!UHH9L zSjw_2XHYRL=@T@d61r}dMecJYV#833fK5h8x2bxf%d5%B=~?}&IN#`Jk+N4LPv||N zfQ-Fu*lA_Kl1R8wj3G9D#ytMilyJRf>dWk>r@bkY`x20XiWUb7ED%QWiwD>A6j)w;3GU#F}r^rHkUL-S|r`S(Dh zO!@Ra$dw;%+p5@z})M|R*7nHCQsT_w_+!P^k;}w$E)IDz(x{SR%ICzTr zpe^!MGU3_l4VzQ{+I(tI)OX-BGzI9M0cM1Ge}o?xuO-B5T`DANT39MQD>w=^43#!S z`84aTT)siT@Gg5X9A6-H(T(49K`p_6NOv{Je>Lym*;ME z@b71@diu5f@Ga3HP+htV5XzN9_N0A-9%&<*;!(NY7CZc$S)ZtQ3kgyq&X-o!cK^it z1Tni1Ly6rI$SG1=HSw_fB{Em%TrtF5Bq@`YV9a)qGXdgD6KsPdNq;J;Kqb$lO z%BZhy#8t{6_*neTF2F<|c|v}TH^T5DIynP;&KZc^Or%EhJmu zV|34D%y6w-&`3*Iy%{0P40yclF>Io0(bUwkhxFD`?A}eYaWJo!n^PaE+9?9p&e=MC z|F)gh#6;ia15)R}*D%VAaIxHG*3TmfVL=3e;%qU5Mz`D)vz&PwCv2G$uXQVj4^%Ds zCJWI>wj*u#p;(@}Y3iqHwyI9nPj0=o*OQUVIms)7y}y|b`gIi=20ur=T_pW6|F?S8 z-ETEpQHk7hQz6VuuZ)A%NQ#|l^fR=iU&OW|(pTSSyygInVyW8R4C%Su{&?IA)B9Hx zF1V2n#DOrb<2N}X=XgWIYCeh`6_>1()L#GmeRO=04~<7 zh0JjfPtI6mQxoAcZVKIo)my)tnd@n})i})gzJ#MY9YkmWbMz=^J_*HjY?RE*p9MWB zd;5jOiJZ2TxPGQ5D2-wR07q%jdx}$KE4W3yxuw^-i8J`i{~Rz zYCeOfa~ulin_|!2x%xb)pY;axt_jn7By3R;IDjSQy7G;l*>PP>@I@BzcNR%*_78#` zPFFxUQD04nSX!6@7BKTm!DFX$@z`hu$qJ*Apv&_nk9$5n@iAQt9k$#9;nJz%K>M1r zgrYE8qJG-~Qbigj@DxD=)g$QB{Mkj_Y{F#f=z)>Dz&nYpVgAbon5BhC_AKOI2qQ*oTzv2A#D zd)}uW+tEbmIXVu@qgtlAN4Z-4gZ0bf)p|YUSise#`dlILD#LUzZeIO|eX>5;Dfb$3 
z&%yi!^QW+<84|kjOMZ})HTW5^CX)J}*5cogb3sk@X};|JGl-8FOm%1ETNvRPI5RW# zdM@kvJG&!td`X7<)hd6(vQ&SA*@I=t*rnjlhjji%=488(y7%tkCK@knu8Ty9jh;F~ z7bMfIbt#v$phc?ln{8%O3qB}W8V?ytBy_{s=s>sI*F7j~=395jCwfzDB`Po#bY0kK z(rh?AZ8MW}ersrE(&ael(@=xTvplimFiB8wBS!rP)P*DJ*eB!5TDA3!;HIyr8Y4d; zLoxPzgPS6cb(lgP}v9gZ+z}{PzC#X8C|~1r|RNjeZ7*!ZO|XDA&!OQRI!mY&ak5Y8_E?ctNn*n76wy zeehVdKIDEm^9|>n8Ou-2J?F%4wXfe;E(>-vs}58muMyB;kq7>g-)Gl$lpL!YPvx@u zSDm}@AmHF2o83;IY)N9V8RxtE!;582#&P;aSc=))hY%k2W!!>|A~Cpd5jLd<6w4Z2 zdbrfOwUr~|MqRD-$&ptof8&f|4!X!GB~z_gX{WN1?Dk_~U&9GB zH&wmhcD@xY`SITZDDC2{Nf8DIG2tK;9Z{9MK0G)AB0Wkq{IZ5qLpe1@Z%L)A2&7;8 z^n#^#4V($$e&%$65S&Lz$MioXY|)m+-{g@FTAY_kNgJtcLk)eWLeZ^@mR#3xj_K)OrxA`c>0RusqG3|DS7$M zJ|yc*C1fyVrEDn!QJ3eY7wr8V)2mSDyA3D}A~q5#pcOz;eZax9AUAzmCQ~F& zDRRjWB=J(X?xn%6I8cxSMI504k8I(mRZDmzAwye&%OG1f27fg z_0=iYfYV>Y)q;mmI~G)J`hFih%72xrODgGwNE1a8y2=cn_oft4m#yI6^m>GdI1Uf9yXe!`9=~)cM`eK=3LpIqR8Ok z@T(`3UWb^+qXZ8Wndv`Kyn!kX=QAY_nlf8ti_nM|W!a1ECjDk1+BdE;#1K8{=c%Gs zekcTrd*8a<5Nj;33mFohRriZt5VP{tmYYPm#Q@R4JkIA$djyZCC+s|H;s)XeE7XJg z1j?N(Xq9wnS2c`Vq2&{op^f@)w_GIQ-m@<`#s!bu%_dZ}1MZ{ECSKULv^2Wye7iKL zbodX5{XN6s;h!&dB#urPFZs^gxV6gHun{OWHtgD7e@~#XCvm1Pwdwuz-E>}31f_23`MFgL3qG)wLPvn0Q{b<;y=@6WV$;P0bCq${I2d3Kg z-HrRDr=L9N*~Kb+nGRLa0ZTSreeu0PcECVv|D-q1bdrmOpN$h`Ovx_6^t!4DDCjFi z6j^^4IvmF>FqTj}jSapwrp3!;+6lT_II6=4Wx^PpqdQLr?>$Y|~ zi$xOG7UOGIG<af=?#el7_Opp;Gl2v)sxmS*9UFXv#5sTL zx($@g0ecAmO8q&FIL58nbR_-;ViPc=xt(RuE0A>g-@YVja0z?{N&N1i*Z01hbykB;W4y>5Bj~UQPezzU&u3 z9oqf0dZNYk|3MYq{{_Vu@uC%Dj8a;c0>9Z4+3BGHcz-;`^z1q4ndYUDK`@YjK^PH{%Lu`FS?S z)&Hq$t_!?g&{s;103yz86Ble|W;7Kao98`}39P4)~7#UWLxjVI3-<(_V zR1TAUT(<~RqyGQ;H?8_hik;tJ_|?cQt?T(V9d-(>$@3pCGb*PTO2igTpB=VmB9;gA z&9gU?QFxkuC*O}gZ^)Win>1YP~=&5}y56nHewF0$hE3GNZ} zOXL6)dj>ENuCjuGGX%HT-VdwvfIPhJ!(mhyS>Q8LXem63kRe2giOIZcnHGNABxWVs zE|eXa&GF%X?VYKq36iE*{{+$pl%Z^c~`TIq85Y9_a#OF5@qMr7l||5!c7;6aEIX(8-S;NwD9(1ko&e|&dPARxPbQcY7T$vn6xBUR={|7RsY+YE$ZLJ zaMaq_`4wCDJbT76Yjtl)B3`NSV}cF{Q$p3I2vcwW+}msYsVHBQ=FKYhp}JwjajG5i 
zbBx|MfA&XV;{-%vy|~rOL22fMG9$12mUd?>GcfIp1`7ou2xu-FtG?pdskN_i`DL{& zaa^T$Ugm9zCHW`ofZjZXokR z555M!NADNCO0vP=DVyAnf4;!TKNuRQ7`gC{iAms870Tjh0e|nqG_H5k&fw;a)`^zb zc!OP$N9eBW*{7+hWH12}EmZC$=Mdf@gs`y^Np$)iPzg{krX&75BMb)UXTW~$ZLE!Y zo=DY2->nzG0Q2I&XWjs#RD-DtcGAG>prIb}{QFD#oxnn-qRUfXF_BuDB)L9O{)r0{ zHQ#J^N20nCB}c@eMGm$%PKR7+(O)X_?6jzvmWgzetZoTeBD}LBF*RsMmSH0187A5! zkzs+V+5BNMw{{s-+^j1JT6EQeh|LQHF4%LBbI1VvW~t5N-|-C6ObV=vNkX&<;UGjW z)E;&ue+5_#$m&r($QD5BtJS;b?7HjQMB*o|CBu>jvkvrn+O}^&dxKLZ$>;-Za#W7X zt91+SxvcWh9N$p3uNOe}o2(GKKXMNblE^;^4OI7Hq}-iWHx=U_%TqBAs|*bVq-H(I z%;*DSaw5LCO$^Plo*vh;8AdBDmuPtRwdx5`_mZsv0f72R&!p|a3vhH;IGw;LB(fgpBUO{R`n;JVKkCP-XKaF^0FuBg>3-IGKW`S6DCGyN2 zQs!Y7?ZmQ+pmj(>jMA@`f=BE|S9-5&pK<_#?6_LYfJye{g)WWwe2)OTFFndNzFb!` z?Bk3|fX{I40aOrl#Ez7%%`!r~b^a9o;tnO28vMYN1#A zC3sjZ9Ub@V7U^`-#Dm!@9S}rA=v~fH2(6oAO$Q93UK-l~_VWL7I z$FEI@W$ID00|Ph?5oiItY_U`&{K|K#ufO}gK^flt>em(e+RlJ_fIZHTq6T1~FMz3W zARu|q+re2=Y*1ev8UfNV3zT+pl!+ye%1WxMC+-1!prlJRe+=s+-F{TY>vA%HzDh;# zuG#R=-T^3n#64r(hv~T6yJoL+JsW>@(08(rV3nB95FT>DZU?j~lw1glzFzJ{-gbzR z`lU`QZkJj6gzMBe?AeYIl^CBf9rxboP;win82GN2HSopb^>#XFo}5FJ1BegIg!n^? 
zsLNhQPsHafGrvb@^EMZ2S5LIqpSZ^)iCgmxRo&Q*0apQ-nOXPt!Qddjd)ckAS3?Ki zy1}%J+y9PzO182a&RfgTY?Qdre%kEcyHxPU~6knl(dHuM-EzeSI2=;r3E?h$@JlLw~y+_YA#%+o0BsB=( zS~f>|urQE10n9Gh^zRebLi7us-jxo@`(+fEi#^edIzb0+ix%Q+Ytprv7-JyYbtsg4 zZ6I5ya@&SP;k)M+sEXfs$H<=-*RIVz`L!qTD~W@U*6q%ZPzO8zbgZfiH!~~XMB!du(?!0Ro`AGERA10tWTyk%=7jyYbs4Qr8{byVWP(x1X z4a9lK-YQ*XW~neS+!I*&GFHNS;r-&9clvfZqGcqx#qDVN`M$ytyyAt=<8SyyndaGt zxHuMXzY=97hGPg=E^{(m_c3Cy_i4s3=gnfjCrBs)8LyOKq-wY!YDJeyL65;V1(IE|FN4wj&{e$k#2` z@v1joiW{bUcI)pah`m`5;b?UZyh=91yGN(TO=K+PoC~;?YHr~;nXS|=un)|lf{Z98 zmea_?rR^|?qRaibs_goPJ}J|u);#}!nmS&WpsL8Q(}B{Y!fuz|z7w~@5=cSmT7|1} zi8|m5WM89_~1M>1JbIxoI?5YTnF^Q_$dsXQOIiJtKTbhO4cNoz)77KNaQ; z%ilXXFwfk~(NdfU(K4a;WI-us8U)MH2cgPt^uRZ3SRuqO%z2~{oTyh1jc74+ok**& zd!>Hi{hot1b5?KD0!!di(qTCDHlngu(xb??3I2@3CgWi`sX4M z9VLF7d*HHL{>$rLC)8tuc+!B#o?q}cbRkk-bjxGu{Fa}cCo@-T5YYna1=QW&t6TOIe1PS#%9aw?eEbv=GEW7;5CD+OW>>NB^a3Cawn_S)cxKLWab4)TGe-@?*#dyor4_nDI~4{G5%JZA}sZ`5@3QB2n)lvH?rquX083=YU^H% z3}|M_ZMaV>F6zeuY3o3FNWC`EDTH{)ay0f_GsfvPoQ*0lp=zy;zx>ASnXhV#nMGLB zy~M`HiN5Uo?716oBl@K1MUrR)!CHDjZ@j!TH-KyC-JSlt?R6b(XU3J0C@fRpV`APE z2Ul$)CHNnZTt7er^DIYcP&5gSZ%UELi)L@GX0nf2&NQ}lb6tF24W8rZ2e=EVWq1)^ zo1NiWlt;iXCnvOoVZF9Ta!+tNRi7MJ4ph3_OW!QJK40+jM7X@D>R0!>@mat@w1#0f zHH9J&sN4EuVvAx@QJIyMNLYd*97t#qM4A z`(*I8Z3t9-<97mx4m^UKTHb{P6%Q0-VDDeVBgP&zWi2s%OYk3}WomJ_5U^1b=LM6_ z%9sAc$mo9Ww)%p$Ma-g{<1F!qQCemmOTfW0o!R!ffRk1Hn*f*N{lQ-ziIV{M*F}DF zpi2(RpEN?{&Og~eFsEK}?bfs_GMR(b23GsJct7)0NcjUhNvt%K@Tg6RFuAb}Hx879 z3I%c!wAKE&95+81^bj_CIaGDkn5BZ%;Q8zN>m#+#>62~eE58SenQxeKo(ZpZS%t+j zeB>{_wl8Ks%GCcJpdoo@u@j+DEdeE$W0nGBS{k(Kt{LDc!*e`lKa_%dgVodqa2oSz zr+%=;ILcc>KCapHEg6H&$wm~d8zlg}G+=}qu_hc#(r<+0!|)N{_k!afd~=czshXaa!gF)Cd^;}eu}xA02g!a! ziWTsJagg<>5L-SQ-Pz!yy373oZ$>afa@%m$DP$oY3?!_GaNr-Ow2#+(*b<$v%#*u{ zc8VE}+6j2`e#8T=MeoZ_h*=iRH3GJ$QG7PL(=A#$M0z7wvW-Ypi(>sNkUgxbn+fU? 
znDp4)-?YX=V(rk8(~wN5gA8A%5-r1)j?>GDmE)JU3TIlaXt@w|~NBS zmByVjMrfttE`A^6=J9$K{*!RztP<_C6bAz)|?-(6HxPqn_MgusG1EMi3`D_TyY9 zuJ26_L^RjG{2ewayDefSuOqtBu+15GkF*-CYUu4|Y1!hE|B4*#6n%A%`HK#S{gnG$ zAc8ajjGO?f!SvkHc+JLwWXWvckDJd@q=ewbCkw6wIWy4DkQML?V5Hdtl27CWe$dG8 zfrs2?U=M#vg(kHCLk1rNkTVH0s^c|f>VFPk12CWYI}Q6Lv+2h_4)j_h?vXX|aX0Z7 zv`le_Dq8xvUo5(N{0Q%q;Ht>_12j1Yv%vS=efW(nTK;^U&c#O}43eJ5Ca0bNtnzKq z`Z#+c_n@6rZ_tkev6+{+>3Pcns@$7CVXUFub;?+c%Z#Lmp^Zl;Nc4 zV(1x+KC!+R#yb;e{9P*mZ*=6%62mQ0I%XI*;%Hu<0~n)kCiowY%m{V7Q=LyBsTiCv zvc4x(*N_O=P@5xSsb`f{{#<0lYg)QsF5A}BJ=huA5WKjYY8N8+6Cw!|jQX8}mMjU} zUtPiXC2zAnaDR77z*axIAN&wt$Nec;R03o|SJn>`w<<>YHmkTG4=>^YhEQAEbAQGs z@S3y)SbUrGf{=^)q|3=k%cs=5UKFxx{YZ3?88rB#jgh=zN)(2l^P2qJQ1JnLnSaLX zkM8?+9hFbfd)sXEJ~(G>$;sBAmrM725_RQOw){ZQ`7_rbKlk`vYgrbNg$^FnkswKx zwR4}i`CB?tSbtP}6(OaQ)y>GwBpJ(b_QD`M%Yvq#H|K!e?UAQnblUf_*|1T77nGJ8 zv9u4;$OU_*@;rWLb}OHb^G-|8=6-YaSoGoPrrjhK=) zK5{rJe&NLa9Ai(}LB_^Oq{XY#gtv+;zy&jBA@K0f<2p<}_0DK%=~h8qJmG%0W+dTN zi5Oe#6%mvmh=MqXCUX#A(U4136I#GQ#u5ORqOPf_{aJktkTQ(PP+$b7XrCp8c;(*p zp(SGBP-CSnk%nn`h&Sfw({N}@D4sLFb)flCEG5x!Zal;v*IzMDj_4Dd$jk#gulcHA z8aFtzbT7b^LavS60j<%6slueb?xPGk=b)BFw};ehpS^65x@h5~S%Ve5H(1@kuySIr zxjE$eYx9)XdtdRb)dUOV$P!?&!$3f5$=7*XjS+JwfIf-p#?dkM4FUWa{I-Z;aTY;;Q+#G9pUoV6d?c?^V)A6-+o?GETVfx zdQKwtz^#RG(`K8ZO=Tmcb)tn``O>!&wNrZD#mhy4#TuS37B8FiV!7z5lswX7(HE_%&29Sgvb+4}YOcJ8{r1e1%6FDB z``H}tgB1YLHA$WJb_=?vV&iKQMMBW;xJP0C$N=2#ob=r$klbDt%gi^;gR6*{v&(f2 z(Y@kH-8~|P&9TB)IsjZ^r6)KZ5Lio_DbkQ#fbu1Al&LfI?{V$xiZ{@@QB=ZygK{_G zC>ee?P>NQfWmK@9dJOJ1H+wX8`A+Ad^2Oa8w%!$q2-x-s4YOXrgK-jG3+oh7=~SP{ z(je9tolh=>e9egs-jWMdKhYZ6-zerIhEt$OqP{u;Z9GO33wR+Wk;A{01@|=t=M-iB z=qhx1Py&@77QJ}rG+x3DSEGLg@0gcjH-@+Wm9$z@gXVJqLd#y07#9Pv_ilHP^MX*z#Wtrjcfol#0XxKn z#X4y8*|Vm5U+J5mC$tRc@+{T&ACPq|j3yS{c8)llc^ZS)R=m@Mx-2x2PgU0* zpg@Q%K&(+sHy-Ij?aw^=2Q+r3WOwCk{$HEUCwYliyq=9Ke|iHX@~y!)?-R5=mkQsu zXfMG}a_5`RM?Ld%>-`~YI`G=|Ayu>9KCAFFRs*#pN#aZ!(a7Kah(k?F&K+%i3l2j% z5fVD#u@Ig*BDSX{dV+o>dh?}PkK`Anl^!ul?0jZh%Bh7vIe=BC-4HP$O7boCV$@Y% 
ziM6kDI$(LS{y`);ZYjgOrnz|qfI%a(_(DlBRS^%AF^8{3j{q<4!Zs=Tpv^U+NbK|k zTGD?a1Ee6K!~9KBiN$#~w`tShi{x`nOZcb(3S{0g`GDy=5K8h{Vcia1aN_(xGiK!2u<-ILwLaxU~0 z1b@e={{THuJa^&wUWc~;RR#VeP=lOL(F%l2tPuOcvgG7$y{(z<=_Rc8bDR-!aipCJ z1e5e1S5830H;&tqHD)bl7YyaOrC$zsgbQ?Ja}@sraw}6?+-MWVahjLeS0{mJX2_sP zrr(}$R@^*r=3|LCd_u@3U4&}uf$(*X5mv9Vm*eF(V^@Am>iFY2|B;w>;7W8`M<$q( zY+YYk)@O*+B*|Tnc*mSQ7{mrbAde&gg-T4`T6*-KhQ`ogMFsj!brP9zl9`B_;-(w1 zLJv3^=`QBz8gOqB{gP|lw9nfF_w2Q&Wlib>4#8Q^Y-U**CLb$K74|^DL{#_hS~NFY zzi>+7J?Ufq@Z29W#t_)GY*rxBL!E9U6A38J7Eu>07pe-Wscwq&1}oHW-X7{JoEMra z&;+Mi#{NrDzT9b!=ld!mmR(OrwUVMiPQFP*_b5OuNFvKVYD%{?TEsEu7X3pH$QHy@YRBcQ=hk`*W|I+%e!`zy(jhcPv%ij}L)8 zXAHTqejT%iovL26NiO@X;iaxI{6&F~nQ6#>270B#B0V?NQl-g)h_p}o|3n3!Ai zqjyeRrBMEp=9b3j z@A>Hu(>xFM1Y~~8B{q`%C<^4$x}~nilnqDjHcg)7q1`jfm(E=2T1VL7>wDe9=}I*8 z)}A%<`gE5`!}-r5A}TAl60I-HbcXfE`3eKTIQqa1SlGEG_hT~pACTd%^5%mU;2VR$ z!rGii9iPQ$ka^1ig#)>AY17lX$w-sMFyEyxS<~by*F_mnmf?ve_h~rrM35qSgyIlg z>Xqx~6`b7o)8#iWN9(fdXqhm5rwap$4Ow6=Ue1R;e)98Z3GU_$a6~!XD6-Z_@gSR% zI2)mSOYY`xQd=L#z4~N5C)%X`#eSLU1Gd9n)c(SK;HDUq><+6Xir7b{cx%44$&U9V zn@t1W?!gjBi7q%}%fqEsU$fAWhpnkcWt(|(Z8xN9oEzFDQcrqgKG69#j%C8NeDgN4 zB;Jk`%ot~U=sc@_;UxGy(SI+S!;NUR=}zMAI`82!-C}zDt3{U6f*^P0e&1zmK!U}w zW;>cEn2$c1_JFM3Z6g>zb3dIg(O3LRP_F!g+YIktkEpi0wlUCBgT-L9!W?pnmq0nh zH&kts2Yu`$HeLAJbs@qX>x7-66_VIv$_(+wFT07I#o-RK*MFZV(mo4(fCPvvSwj&- z)tLyqh7x+)=p-bDN*x5nw27 z^$ipNZfDaIQNaV=qlIV&QIf4x6Nk#LktLgairt#8DVFEy__FDaq8Itr3;*+x6;C

g)k+QFH@5%eDlv8VuA7Q`JjuJIIoUBn^b}G+J$*$su`FxSUIAmvcsSm!l6FlLkH?_(*X{|BX@A zL*DnSek@tm5r-MT(&VG;5{`HR0nsf30E!vIPp_kQxSN4TX$Mdj>$PENY4i(7#f~gN z(qnYAs`J$~jK_gjnvXqghW!eMKl#ukQ3~6bs?sRxB4Dt^!o>y(%B66k`ls-U$HWLA zuT}8K46jH9+7H@W8KABG7I63{lYl-;7V7r@wGiWd&8z>#b9}r^hL1?fS1~uHY)mHA zJpfUR#6H1RzB6|B@VlC5&?;aabjfV$sW<`PQOBNbmbWsq?-g=k zKA?|y5ol79dM9=&`3|v!L*^0b(F!8v_q>g61r(NuV%|kf`QoJ$7CD6Hz?}0^@o7a< zHLnJxea=dV6};pq@hPDHz;f;ZFe&~d@ztDWtsp4Pb1b~(|vuxoTT3BY%3(}VZ_7ui7|r}XWwW1 zZ91AEn*gs0Fm~F^{0AiN^aeOzS{9CFHK;^P9oE%7a{den6V{^Suw-q+rWbI@!DUQj zD)y@L=~qmEdhk6Bpz|-68v!;&F<vn+KS0+x7>_SsQU5O|veq=NX~@aa4n5m%*k2 zdfJ4EPTj?-2|VzgLi0>zJm=NMnHA0Mo5ZtUfvBZ+s^f&$$T{kLl4$McS*f|WxeddU zUo*?Y9@*P7>VR$NGffUX^Jz?mFoT(U)uP|xTsqy+n$&B0mPw8`M^ zw$p$;Pp|W?JFAg9+eTefEfj*ctA9;2zE*x8TXTA^UvYPrzhWi< zz}8;w1R;I`N0A;;uNF9HJv;qPF{g$xF6Td0PfKqrvEExqTUnk{dHnjQ%DMW(Qt!fJH$B zovtxHsQ(Jxjy{GSOqhyZ|Nbdnu%jaA`Jt8HMPZ!)Ft@rP4TmR z3b_W^V<0I6M{F$YIHtSP0)V|K*8;00w^?R~R}Z}mbr=Mn>MChJo;B&l*sJ@6l*SsY z#YX_IcEaT9{kj@*j_Rjwxw*+Zm8*?6*&zkZig933$Q2--S-ND2V$_gRX{bIGQUBmB zE5pNveN4QT5?&kDX|bOcS>vZw(kx*5WW+8$o5I|)$V(t&R`vA zC!PhBBD?2xAkUaSoeskKKT!7LsE&aL{E3Ng-`hRZ)Nw*O{4rK#R&a zeInn%>mO9Ue4ua^X~$)WHqLW)ZeNKCKCVKyL_ov*wE_Ewgeg?_P8%kdT!;L72ouL_m3C)A8${U(2Y=Gzy?w~LQnc;wcT5W zxI^OW;W&q|kQ%U_vbN?6ciycXf89UKW=ZD2xB$gZ^%Bk3rpZW-#oS2+Che1r@O$J0 z$}$h3Ix}Kv<*4Oq8$el?iKfT!?kR;)%_)2|wBc!Ux98`YWMpV3HZ4r_DV3?1RICe} z$653WIUfk2b3M?$*|X`E=oq7EBo69&$8ov|I<-w0g0jYqgloaL=a9Z8o)T_C)AM>l z=Ar18co1vb6i_Ort-XZZ`+2xhNW>mklN^T950deDV>usNaCOml#aF+Cd8CMTHo&6* z#tLl-9^sFE6D(YRkXl=m;fAB!eJlS^UxHE2?#0c-5Y17h0y@yy@7$mwfChCNyBDuP z-3GQ(r)^+6CDwOr^ZphU`?**-u2|5F2=G&Pe`n|#nfH`)@Pr1gy9Q+Td$n^WGFY8H zJe?M@{mJl)^Y;v7%&RV^Z3X!6GgEsOR08G;%3cBSp~7(HQL} z*-jPqQdF45&vU-eb zrMi(fmom^Sn9hZ;mo)UPNLgb~{)<)OyOm52&QiMfF^PL|cY=f-)%+|&O-$bfHbHhE z3==bRpC5T>_=;T!b`8?tdX%yBYfsQA-b-%dlb^{#`?stQv!{YqG32yG^-ZQ6mo$j% z#Oaulse&_(JHKwWyWfBJ_+8fRKr|_%3(BG;C;bsYoO$AA@j!UqXyyELdt7S>I1Ci@ zkzx$McQHh~wa^1%P^W&ueD9h{jril;8v{H34v1yIH_sI~Rj_-U_5Xm{9WYPH0VGO$ 
zurl#EoSlBPllfK*k8gZ_uJ?^FM~U~|B0cg8r?8HWs7)SHW&FtXot9r(-n|}8ArN0u zL?4j3W1}%zK-`XWzmVSRW9n_d%l>Hj6_7GJWuyCrDnRmydJY}qneEL9-WAB!L_Lfq zVPlR*+Jh83*cL~^z6TZ1wsKM}H^b^B{rZ*b&Tfn{<55oAF(rVfiaR7v)L7#F4c=)P zsWVXd5MQ~4=@2bhynsSs()`oMcpp8cB8O|L2kL*!0KLiz1~~D7+9wBBOio@p{L@2d zZq$N#fL#|LVWRy#6bi^dUMSYc#13ru5H-}m&Yq1p4#I_k2YUVRRMUfU=n zqTZ@vg%JmBBBNq1TQBk+_n$0vg2lRVDXGGo_L2z!o)r zO44V3(T?`RhV4IrZY?rB!E!h)MENW^rrS)xJHTtoQR@_A$QMo7cn}5vwzOc`NL_qN zK`q{L@{hb-ZKGbg)h6pknD7a|Y-Vgt8Z~u<2Zif~9*b)nx=%^;rCP+b6%*aNXB;cX z@#&Tqm#>@7=ULrUq5V2)-)Gx^U#EKGyb`#mW~9@NIo49Y!p6T}Rq4wtKY1}PHpD+v zZn#Fo-Gn$_>wsBP{@{M~XbjIMlF62w7}liC*K_)_N6 zM5`j15Ci^fc7LRF-N(%>3FrLS6t9<$-^XXa=~vY*$U!}&JH!o5e53u&vxlZ9!arN2 z#b6!Ku@~I~4XX{tEw>HDYioKED9&fxi_2XgXX!(u=z3#w$1EZaE4OmIJ4 zounUI!xo@Ny1V0g-rqN=!WcT#;mFaX+_%ko*>4S=6|7WOQ%&+|bSfnLsc<#(=%_DD zO{%a8c*;zX>&1%F!DPlxGYE)$!L7F7K|)bcXYsS}mzFEO5;@v(OL~qzmzS%RB$LOJ zb=dx!9q7OHKmL!N z&m}%;d`+3Nrh;A^o}QX+@fXLdoBcu8rOP%1&sQ&Pk{5NcpA~leYdGCbS5eb+DgS4**g^-OealF{EOdj&5l`uayy?N zokv($|BU5h;xyE{8@(!UWGGCs+W$WRgss_dZ>h!(d3_k`HD8mpv9L>Cq$^?d#D?cj z0gpFNKzjV2f9Y|vkkGe#TXJj=zJ|ukx;`FP^SM@#aI)!s9Fqlcf3ylGUs&;}$U~%) zf3kS{&2)&e^WV!ae`7!_jPj=VmG2oVuOAD!?^oU6)+jg~Y|A9<`Ghs!(3D?n@y+Du z|F{Z36ny`-mj)F0WO#n*rqR8@lHX;+Qb=(ZUUrq;bJqyzpw*(>!qdPX{*P<>|KYFy zov-gjOcT~ogsC&@I*}==Mg7Z~Pnt$b-9e~Rl*QBP3mvR_dcv$`-PLRLSJsnUgnX^^ zUrx*fS*Z;LdoiGI2cwagMc;5cGOu*hv%=|wb1uivecd!Z$E2p5KA2qyILW0=f@g}d zeusBM6vnQq8n5i^@P7cxqOdabWL&#Cnsf-Id7)OEPt*dg-{8;S+HGnwoC)X_+-aX{j~3wN@bk}u z1&kK4?CT3WFGRdHugH&17kGLr#pxL5rY?H*ix%?YkIgoXiJ{Y8qXeQ$^_a2**Oyx_ z-x8$7azn275_G^>HD=QbH4B|!*0rX~XcBB`?~-U*5f9(}nb;dqI4>1IKYb=RR>K}6 zAOm3{+AXf%k=o%JLV$ zZpf&`Oaqah5wT0#o!AJEz{lk37xjE;cdBMA?`A!XvtN-k7-5r3$dK7exGM;v{=GdM z(a;^|V-A{U1pp7G#Q9N71C@S$T1&@-q*|+ncMgqKPWscg2m6+qnn$KjZ`^F9Wjx=a zDluBRJk(B}zS-pxuOil&m>e7A%(%4hrcG@OB1+!+(S7{uf1~cr!=ViSx8V^bgpe)E z$XeMdM7AN>l0C^fMYd#%5Mw4}-$Dq5LXu^&@5U}#?8eTZl63}+VV2&j=b!g@p7%Ju z@AJp|{EpxIhd&(0ecbmw*LB_3_4%CV`8hwi@EN;aRYm4AX)Z}G1eFE3a&lLclWS42 
zc}nR$Io#=YZQEMSV(*?mmmX+32>GSdL{|A7;$1@s(i^Mubg$fU;o6CIVM~ggN{sA3 zQBE73G0A?1uo(}aicU(aJ%~P5bv^tvXX_H%wE}kfckRDP)*y5_c-GFHlDNpRiK%nE zCtg?QG8bDMFEWL+_}*Q*cHtbg3_&lQAg~xSxnlAiVx5$2jrEA7-(T6#g0hUjuTuiY z+c`Z;^s$<}v-&{IEj7E9rofTZDG($zFLdZw*MPTPhIRRXK%WTbb9c6$%v%9^@3pm6 zJw_d|{FiRSfDJ&#lLt_qu$ZyI`Ya?Q(Z-D-&dHS?>yt)zj;cf?PH4t_U|S4Ksd+)5BIPgY9UTvA+=QheYVCH0@?s12uA)=Gq#% z1a;pkISdGtvxql3roU4v{Lry)~8FeMs`L-p5KpK#P24?JlsBh`@^pt`hI&e z#*T4o3~f07G>JSJ&hT9Kj#+rzAOD`GwgRdPyfS~dg_0mn>Pqq)IjKw$k>yVnMj;+v>OlzTX&AE zpY>{a>SV<++lLDtJeQQLp^#D>YT7x(htT{7nCg}X3+SqfCpA7i{mAN0?x6T3>2AOA zB{Rm=P%7~#$3=ri4l};;e>770-;HSgcdmo|M-Q)bqCP>H2<=tbAAmnn{nj$eu^~$N z47=>`0Ls#iCEqc9rwCuWH2=mXT=1#N0_-X}qm{SP2#4nJIJ+-fRgMAt*lL>Z^U(bz~0!gXXL&m7sFxBC?)Jfm+dkk==d zR_Nc~-9FK}hjZ(`rsy+++%wEnAcpZ6C9J(lzS?k9v#%Bly?H36O<>(lSoVZ*>1`2n zJ!_j~RMQ0fkqGR@`*%ktfQ$ws;KhFfn+Mgh4>;6*AaWFaua@rcErHy#h|fS+W1ldD z;k#ke_hI|r*dm*)0_b+F|HH}WInd648gK-*9mo_aUD+fkfIhrv_OH$e3am#<$mdW4*9awK02^x{ z=%4QUOOG&7gInn#zr9^F0{BmfEWp2ylB*F4hcqU zL2YrPzaLSxf#V?kGDe7^jGuEnQ{{Et?pTd6=arbLk@JJmVnG@)N_bi%s8;WfRZ`iX zLZ}6Kv~{%}#NLa(JfEO!2Ac-eDp(%7Kd7lZ)2(Cv+_{^w1HE;BA=?C!2>nbMvgc0V z@3$nh1^vN}pBKv|{(Gr~pZb@7=90D7XJB1J5l5z-NpefZVNcF5sWARLeZ9*@{Qm5> zSEtx-VY6tT;hc(#Ou>LD?wXm~@bO$e9;+=AbF#rKbEYVd@l~Z>*mVGGRa^}xi+oe~ zrW{)*nL1Td!!#gcVhC&5$oWm-2qRw%rtcvlWrh(t2>C~?L-Jn@r%z^HO$rx=!=%sd z!4u&%Qc10_WxIK!&SpeTecV%pZ^vd|jM>E;CVIy(M2Sa9zka3=>F9;SOz$oKimS|A znC(8`aW`O9!jl!<+5IuU#HbUJ&)8?^dlm!;DZN6bJ$c-XWaFgG!2WMj1KDCx&fa|V z6wy}47SmYAQ;nps6;_?jgCM3Snr~L)B$95HDSj#{f*7hCC*+ZagrpM+Scgv8c7`r% z$bJ8H>_X*I(%zV-3gbSy5im>S-%BZ7A&NFe)@1u$#*?=47kE>MI{Dw*8SCC`c{?>F zz8Fz$?Em;0`#Y--dUA+-10g-E?zU8r{_xIcH@mPUZ_e{JOAL4+2R(&nexTTg()Yg} z?0Y=nz#7{TTc+Wm?aS`7A!W3<^nf0SEf}3%Mvi-Kdm(; z($yjpDSj%CwokW<+645oM2XH3kRiM;L)BSRG9655jR4SIQ?eui@HTDiEmaP-Z)t^@ z0qC$?39t|Yy!ifE2r>UTln;3}I2TurVnSZ1p6O?P%JD@GcdBYzCMIMzxd?B<*yhkm zO$E7irg9T0bcIetr21_zS`7ZE&+6GxnrEjx@Q;sW#W^VS(#|G5DKox4E#-c{%l^9E zhpB!xjqzVIO=u<{5*Sq4xILn%;nel>+RO5tGnoVYj61x(W#NAcPNCvJKx>6Bvo==f 
zF)!>_k@b4Q^wskGM&eS0TBIWuA4>GCCj1k`;WSB6rEkQvJJTfY+?_GNmetgQdWch} za`rK^0yZ@%-NL;1woSsEr|+l6rkTfs40ik}1wr2xCR;RgZeU0iWOsy%B({6u)oZ)SM$ve2GPY5%ZOTYhf{`uUTg z=}21)UN_QXM!VkccxycO%kqTuXLlcmZQv@Tm)Lvf;bso1@~rb6z4f&X5M54oi%nlG z;sCm_)o3XpKPJEWXBEzK_Cw{iY=!+Gp4zd!elu~`Z=-+onI;E`AIzYC*Ww>q{t=7y zC)zZ8*K!N93FX~WT3P&`f{vpEVg<=&W#>$A-(pXm(5U42qdOz#TpMP#E8DbhZBw)q z>F`gAMrR##{OCmQ7Fl0c-L^Q{zXE>?t7nk*$8U6E?j@2{7DmfE*kvafD74DI7u~6pAz{HvLE6M`yAzE6=>ua z`4y1Rp)D9e8TYG)m9e`%@ASCwpS~=a&I4Uh4#C(+@#e(U;*hA9`S=uC@1DKKgQE0l z8ew?p=lYh#t^7i6SOy}BAip#er^)SMtMn`G$8(2=Td*TVDOB30=j5RdnV?-rN53W9 z9y!!t>((nDes-wKGwz0Uy@#TX->*m8t`YW6E>`<$ZMN^z9ge`?=2u}Tv3XYj4GNgN z8)pwg&8Tl^m!=+mD@tLrx4-l_PEjU_<(V(vwR;c^z>m!)Hc z|3WM*eTn!ti*Du|X65q(JK-tULxvfD2>jpCPnZ`DJzZ#uZD)tZ?Nk__DZJH+A)k-C z>5BcX@ zPHg*62QxM2xtzVT=OJj5^cCKoYlt(N!iFE+uHWquT^vXV%4EBKn5+KPjr#F_Tw^$b zlqKzT(>R*&SJOYps46YKl5Dt&Z}L&zL2O3#g(W?$J4086qlVtbx7T=}*Q#UX%Zv6z zUc76()5$;6QMz<+qF&u|W#|k-XCljv;4-t|DC2oL)hU^yDulJ_Bl`EhcIs;jtfZ1Az=c=tLsePOfW@yWbkYydUwKC!KDOo#`XcRosL43?odT^p0p#Sm@ zZ8P7N!;MSV8?G!k%w7HM_U3Dvnlrzv69B69fJq426tFWf{g_jEy7>A6=lbjhBhM>w z_X7V+Ee4P)+1s8*fo}222{53VNzjxTD;izJB$za02M)?ObErj*`waN9BRF!F{-h+d zYhqi^F@`HS=(>)0J$F)3kIjgA`MBwY$cv?;2Bn|1W{mncQ|^s+Caf$)AJ-D@^})`2 zxA<}qC=xIE;X4?t(F^NckjGN|E50ntbJ??$9cEaqaujJj=Yz^TEIYDR(1nEjg+$WS z5tewRcOFMP4f0bf0u~E6i)BUl4bBrYu=(B~+n6m+LNak`wl~bv-6k;mTwMxEqx0Sr z?3VS{akCSd=<@YuDy8{-U69h&T>lkgwX8tR)pUmj@X04=UL(1wrv+P@xr^pzd##$w zu!Y^csu$J=2B8fMLQE{|A>fw&Po zYl^EGfuD(Hu|MvGP=3i^@PgLgEeyp+6>BaBJ+{eC2HxOOli6U*lp{5zNgEw!y@=^J z;B#L$Zm4{ISXXY>+RX;6>#)m?!P}#12ESx_sx*K8yWTpSCP%qW3Ot46nfTGr;G9|S zTcc&_|D(}`;piD_NHKQn2_ZT7hS~h|Y{OHr+Qce~;3cZ`&$H+0%Lwpfb(@uh-gbgx zsbA^M>|M$)3FrB7QR)Pv5QN*hTUeUF9;p;uw|Hvd%l%OHV+KQ38dl-J9=ns_?5__6 z>>o;~Xw6H;&cqvy)zKD>_44@ZZvvF|F@JUq+;AkX?uP}i{>Yq%gUTCclYPn zKEP}kL|fW3%u*F>*9Uq6RN|fc3uy%UrB2h>9JgpixR7VFX#_gCxL^iu%=0Gr zE8mcJ#q-Bnkkt_86=_sg&JCmpK`*7?+qrm+o3zPq^LjVScgtO#ZEHQkZlP0v5-q7A z&=%B57UGo?{czJuo=KtBlbk9%11C;$=vCfI?AGvQe0-iBUl~t(uC4?s>TuL&6yu8| 
zs4l7hYS}U#@t!BAI91Z@TJHxv@3z)KN;$O(^8m#Ss)Jm8aU^<_{eu_@4QKf+8FQh7EGbW4-4{mY5SER%`;rHA#%^ej-JI3M|k}cht^)AOB z76L29eB43G6QEN6@>p(BXI!evV1&S|GDuVQD^IDd)Xu zYp3P)Gj$;Nvq$)$sbJzTg23snxJ&4M^22cO>F8i!&*r7;#{+-8 zU_V1g+S5gDc)&mTY|;@bpSH^4Syt3Rv!rys*R!?@4tDd|546YiI2kYG6$jlDR)D8r zY8g9Bg=pXYLO9VheuP#O&(W~>r#USnyLr3M3W6h-=`VH@7y-|!B`l?jETx=cT0&pe9h&yOV{ zdB(TR;bh5Pr#yoo_7?GKqqEyW#1kMnqd4Myp8r7$2e;_r^<&QM{c%8<)sM-%lcL*} zTfJMzkO!ITmimNV+~Gw4R5T)(*0CUjr-c*7^m6<2u1&}yr+!S@{0R6VG|7;raxU_# zMb%+;pvbPTUl;N#rpm1Y9Rsb`M891}aTYdCAcX+#+aDwI^R&KXEjA<|sQ;vd6CzuD z_T~JWCY3eKJZb~Xg?+kgMZfO>0oA*cc!$P3nPpI0n{qS9=!vu!mw|K|xYHrab`eM6!jqVOj2Q>HkR zFY<{f!03K_`^I*6$i($XjQ=y`8wANP0tZ+ve$!{#a>XPy6u3uV2syHr)^(Pmok~4t z6XDx~_ol_2#SxtX!WpDef*KB!fILmwvmyDdm9<^I-H$0B&Hh{=-w>}kq6kj5n#;tcnPY+4L zP@kigUTX@2+JfiGJy4=M z_GRVg6c4ZEMP^bm<*x0e6qiA@>wD1>EIq&LuPC4RZm`_yNi?RW(7;ZKNGpr+VnMxSK)!(j2(J0=MLmW+2$2f`W)&5 zfMG_UXk94A;)HHER8!?->rFAJM_qk$L(OiH4^i+YS>LJCkXXRpH6u;*Up}C4c`l_> z#IUr>wC{f*JQWn95>m*Z-R~`z%l2`c=hDg)fuBL(dB#R`pDILpl*Wco&01dUg|Z@) zA_xJ8>bfYQ_<2>{yNTI{@rhiC);ZSej1(@w#dQq{Q>^Oe0fmrH~`xpJK^RZ=2VAbl&IqDrko(jhoWyrsb* zW5DfK1rf$p!cgrvz|yto8t~|1{)NRIwxB0w5<6A$ z!t-YiP=T}$Qln9>VT{B|(vUysw`JS*J9X3FWu-#&l{&B zRB&&>YpuJeuq902BEZ~6cO=GT)s;V*-sk>0$Z2>-?Ah0X7feK@5!yih@c{G;bOrRx zZ3l|w=QCD$?brm_`DP}Gl+DR>d)ALV^y#M=^P-<=K7Q9;LalD6a|d7}tiQq;CmdNi zR5ty)ev+$r{;TJiWbduQH{n(?Cq_wv`)Gi9yO@%sxPSHT#6+&-_vN4I#sfr|3{2?N zak}5erTgDxGwTb=Of!EqeDvS~17P5r-eCd)7N^iOro!coSc)>vGjecpp*8i`9 zgn>q2-~3W!L%E5Mu7f7fgde8$o;mwki>V^dMe_2M(g){BT?XaaDvS)_@Ynl5`{NS~ z?>>8wq^?s!vh3!uSXZqq^AoBlE@!qiba@$N1pzLFe2Ugv#7J=OQEGnssbEV}0{d1r z!2-&*Zku=?Yw)QtdaiG3KwBn4F9TcXmEx_>Fj1C5lHA$E5Qe&Q-t25f5j>tGd3V8- z0>0@5S8DIu*eWF(90WS^^8<=Mdf(c31;$8<>=2foKyWX&=vPhbdzQ*P#ujBlVZS>j-bA`ws*fekiT$usS(o0OdB!ZgzeBuFjig8utcm^vQ_vs9xhJcge|R5W zH}If-SUh@NK=E)^?n}fNa!cR;4>|?rCLeWHzYh?qjyxpu&@j#XlHhonopaDx#vGN= z3*vW}4H(`$5z;;}prIXIMUbasIJ8RmCV^0K!7}n0z<;vwQ~NEz04Ue_~%g z)@&vv?-xut_H}W}(n+((>Q_{rq!>wYKo*~LxOm3(T z9!FmD6U7CYUvuM@;__6YC8gv#Xw$v?3nt 
z+RUe%j4i0C>ab$Sf#BTHa}(h7^{0IXm52ce64VOXCE2W4pZi=w%C{Qh$6PNr>i;aN z9xQ}~eu0;S3=)(nTvAKu-bMO{nwO}+DpF_p%e-RRk<}*t8-}H2P(klZ{{_C;wqvh% zfoN20#99e-nKB%g3#c$*lJ$}K85$ZZVNtCsbIWSv(XqnZZexF;GV=IYfq1GNQ`&0c)fSM${tfu;t=Ry%YhU#Sp1rlBp0 z@jxvV!)vgeDbL|GfV;+=K`7%Z@}fR&Sn~{^{JlrB-Z*v^-0=XWihvA3W3owGF(@zjgCeEqHA zq0tHcl}7Z`Ux*;86X=re$wxPT#xJJO4Mzv_>ReFsM*iFh$Dk#6dH>w{5My^w_X~{nt&*Tb~FF{-*r&#o#af|5^ zMHqG2Jd$N?-s)NEH0ck4w+G6ETFQqVZxDD+97og>+yrFljx?KW#Zbu`xczj6_7$*NR~w4i;1vns+9Q9=}6e0PuKkk@-s zilvcSw%5(_&xz$dZ|`*ot3|?V7V+lnF^xEl-w?d~>VP+CITGgav95YZPOwAn_eKney6?;ep&RbA?Kaz9*A zpZ&>@`tmlPP-7(&3}iY@5;?J;06G&fBum>#bK5-8xU=J1SCfOC$L++x);323^sdM_&7wRGEoFChz({?P(zNB25r@l%s{k+u+c?xE0Qw+@5 zCW(919V6T>GvvRlvU1|*v=U3`<;Fjv)6O|o{J*oxRAHN};IcK+(9gRFeo~viaK(Ai z^RU`2d47Q^vYP&>=b_#dPkc*1QTXyFLUI*v%Da{XN9A;|AnRke6v^Lrdk@tQDlHb4 zLk(A&>QZqzl5A<9h1lK4%%3_L0E>HsCU#LXpFpP-mLCX1+OhWt4A%7*KG->Qb6rQ2 zxSEOUeP-PS2l}N0bb47E0o(HzB1|z(H_GpynfTtMnc~_UR&J+hH+y<2Ie8 zlyD602{5+cBrSHRIcF}run==qTt&o-K#ub~lRo5yw)(U4^t)a0TS$Rm$3<{ZaUi6Z zTAFeeSW$LkwN0*C{DnqeVsUO}zD#C^$1v{dAj@QU)HtT@UpPa8_mz1qWmJ1sggQ)& zs^m>{zYvY!MlD>{ZjrIlf2{JE5og6sWd^myOl{<2q#yl}>ih)c${m934?f$6nU?9I zm3BNIb6ebm@1sAXXRt&&0%|jtU`T@o=irp2)mr>eMe8r#8lYwQvlVKo(;P3$qRARgK&y*%d5#ddGqv&sq+t zr~p5E5&_VQ44)45+I{@9BLUJO%YI0EDX>vZyX)iueA26^} zI4&Mc7v*{jo;1}>XcHSDG7B5i6cT9Z{=p%)Bb6v}Y5o zXHX3#n^>|uf(d^Rt;9Y}?rqQ%ZyDcljWJ6OvzRsGxRIK9hlSxX_ZPqP9Ln0LY<`ch zSanTXM#Dqv5nY)!kTudPHyy?SZS*XLcpi`5%qk)&nBjlL`aJ0)T=_gEJI8b~!Rf?d zV2v9Zpia2|P(nlhpVaqr_#sMSjwuxd+FkXc*H~yQT%e?pfcK$wLCGn$G!#Ms)V4{c z{{_967C|efqhla40h_`=D+25}pJHe$lh0tsX=hObdU!N7dVhy{J{c1Pj=|~$O~U(d z+)zwA$MB!rFRakJ^>6;L7pXcjfmY9tggf*LJl;IN%C zh~6aa<&DC2{MSmjU{!NXTs|!J8%o`Z$_8RfU~#lMtjUhT0G7JQe3%i0kDXkY)la|_ zupSgdtFFxcMMtBq6=ZiUcR-BMb42dmP!^n1F zuE9K6dCft}x+O*sFq*g@EGJ4}C0tzLXFVs9Vy69Bk?uDNZ;FmSg7>n|jCJIkXyP0y znVxSi_2W7f!(;Fuk>mHzO)2%$m*JnFcr*E_A!07|15LU!4Ci2E5YrhV`}*pURni3h zd3pJ>Au-)Ce@!ioz-Q9CP#V(;f$Jv8jci8}u*FK+g|cj9D>l9NkJ1T=5|i4H>m*@k zG59;6Z2b`_j8G{b@5qN$nl)u4P} 
zyi-1M+5cemray}zwk1Zw>g)5s!!iOFjhDT5=tzj759oML3{B0F)CW&Epb3rEEkfru z4nmYDWAAe{D>QmO8OhM8FG_uPVlvwRUgTQPVd!Sm$_@ub4vf9UhA<5Oe88uCt;!S2 zV`&hfn+$LG{I))i$zhs*MTtTP{Kr?tp zZbQ_Vsp}*Fp`Z671W`jgF-Lw6X~7@pH{nyl9{=D9?g6#h6l!f*(|~hSgxLwxdnXv{ z!sJ1anG9A#Lj%CxEpGv_e}mGV)aLQO5UCVAn$`{0$PFX7F<3*+nANQ}97WPf-G{1j~IWq$2JPlX(eJGjqSt@CQb zGgC|tFDvoA^=fUZ$WxA#qF0hYM8XnshP0e=%v4Hkx;iWPY{o!y4`M@bcLA?E4;Kv$_FUJbuRFyH~gs zyfgLfIjsW26C>Q|H&N5pG^TG)fPa)99@CRW>U=l1@cV#O;CCRyHYPs6eStp9Lg&Qi z3v5n6ir-263t``>EBlhqW;35a_PXkED-&=3Jouom z;?482Pv?Bup7NuAI}=f)b1PH@8dF&b$#m(#WHUSo@x&F2Reipj;Hx=**-+rCdbFJt zorXZ_BqsZi!n@o8XVG5?eIvOobi%XlQ-WEVq}@|Fo3q+yoA_L(5`#CTkJL#a2wk!v zcn29Tgc`okys?3Rig~14IV+IW&}3I3x$^yVOj1U84y54J(snNd849CtvJ>B>CbS*I z@V`nk9KW4rYGES%N13PqOlmG7PE+$~ViYK8@#*_@)vM@JqaJ~i2h#p$jAUCAe2av` zU!ChWkv=TNkctTf}ekXzwwyXiOAoxVpwq2(!>O9CfB7PIrdH4V(-6Co87?m*Do~jw@tn`#{{#qxTRt{ ziF;tgK|fIScqO<>_E5-tB!69;mo`hdrGvmXm(~Ius&gDYI6fI7F$;%ebIP}BA zd#gxXps{)Def7LsswNH2{_6R2QIhaWG^QK~6&PM8HCXI96&>BoO!P6o7@nvXmY@PZpOWqv1qx5`-v1_pr!F&78BK~KT? 
z9g<9bHwX!NY$$4^L)>qlOr+??TzAazpnK8-m zk(mE6S9a?3_2ShueHAM!!8BtCN(Wy5A%+OD`-n#*mX+ihFTr-PvHPPtF3sk9dUB_G zA2+S*s9g7-v))6)N8nrUM5+0hrJQyKl34j%KYMK5`GA%SUbiWuPfxlw-P7QRr{DHG z94|PAx%-d1h3^J7$57*%^Jy72)~i2|C143cl{_63h%J}w>jlj5?Ij-Ut#bj4uSXHAX?PM-YcdlbsMZ98BhM z4yNX`(fUBfN1q(t4VIU@g-`EOHjkCyol)d4x7N%{Ow36-y3w~V z?NZekr96;SP@DYmL`V)Kh{ByhGqvtT5!pvj`w`4kyC%|;V%j_)&hn2@)JYo4(i-v> z!{xO;sv~o;lY0jBo*s`Xum8v}y1MUlQo_7hFlEq`Bn_qHp}|(X34I4%m4SQLF}I9@ zq~<&!`6#wjgm%nCjhox|nGN^|eYKEVn=7Tx4c`9onD5>&V2mhV?;DqNgYW>2Urlz1PvVl;n!+2MqkvzO0@))a}?+6jEO z4U9xjh)1m{^dhqnAf}6`K#tF_Cn!4b_HoSy|1xQ5ZK%&%2z5!OS!HxN@t>P%cT+zW zBb6*Y1Lmm?tV4B3Myp$qI(i;%C7Os?kk$C|5o}WGagG^> zHlRu0Gb&gBzxKNGNtfVw^ho{;JB`b9#+1fXvxJI8G1LjHPPW3FiyvZBe=A#b`%4kM z$}>YUK3%G=dG#inDBONm#EqM>X+-c}Vc=9$AdU4@eSTgh_ORjMAn0V91-j7CQYq}< za5W%-IGACblz~@RaaqVOb)5ESUOhS&jq`Snn6i`Yt&RxctDKk*yK;HhdUxLOOL1`S z%0ZGM)sie_4_XR2-*@&4Dm~NQnsc&z>H41fBCv`xobhS|{SUXhciP0FMZTkjndt@vR7Ur2;vC>f~z|{jDiP`mqeBdzdc68C<3d z3g+gf_Pigh+MIHp>upUbhJ--3l)+86sg)Ra`6Ne4Qu@dB8No?xL-qTtGe@yd*RevU zdO}nm*J|fISZq!U`2wm_74y(^`Y&V!`8`CY$NU;1$rw@$7wv{Tm?JWzjcKn*_n*M9=`h1rX;G1trbvd;c)2lc|EM%+5^TlL+ZtTbsa?~ev5pH~CX zzjl^cF+I6qH@{L$yd3ISa?fv9pz0sw7|x7ZbP6Gs?}~9h3S7nn&C<-iFj9kIv@8t> zN~58nAtz%Fdz834Z$Eb}&E~zoc$ylJRmRDHnB*Hu7ha=>4khr?n3PxENcH%)4Ufqx zwW*$Xk@+BkPN0wO8o4-GL;COwdM$`};V-L}4P`TWn8me-NuqkL1|PLKhS zC+HUeRMo$bJFN*Oqg%x-&2J)fPn~~|I`taDtu2nlqN;wyC=D@z9mx7-B&nu=VlqZ!Cx!O#s+vYijJ|DctgCjWpZjv| z+TH^Tp)Bg_@O4%sKTAT?9`oSJH@@^!NZ+U3A$uF}3K-r-{_xs2HChMH;#cfy6a;l0 zj=yCp=mD)|-^8vgPD}NTmRGoWs#I~l>EE<2czKT)=hi~Rbo@Kifljc$)?%K9U%7b+-4q9f}CTlNiIPPvu$BVhiv8}p>~bFoaK z-pt{?C45xq*JdQn6FsZRK7(7B4me-SUf<{hvh0Uj7lF&bl=|Ooq!7=$ca@NgVsNx6fgs(Qn(;$lq*Q74L2Bx zqof~xWNqY#@I}JR;Lv-CvAZ4yrc5sGh(^2`553?H_@7Wq{=H7joYQv!50M zIU1s|aIe65=8z-4!J=M{TeU12!h_2~%HQrkthrfKn|HS>3$}1gtPbgh5GJLgDWarY z+)!+uKug-_j_$bZ_T9c844;bPUE&B6;Yj`%F&Xx5UI^FFTZ6BNjxTHUx@Q+ zQ(IjvLA2FC`Lg?}@(su}sV^eo3(sJ0nyKqx{YfB{N4KA_$3c0vmu%`-HPvL_9`#bXG|nfRooKzo9S2 
z^`!~}byRwvk;Y<<@3)U!PKiWbnzd7JmMebC%47Fxyjs`aO}$1WHHQA1QGU8cAoM1L zVp;{r%vn&Koqu#1y(UFtUNxk?Lb9YiHlBYg4iKr!Wq6$~O+hThW?7n*rCT-Zd+7)J zp|d((o&rYFRrdi~huy(YxQX9?nNo8#+3z~`4bR!ZXLS_4FAa!?_?KM}E{I@-pw$1h z=m^7r59|l{z&?}w!Hk^%2B2r#_Gm0ZAky^r`3rH%%L4v@-enyi5_*ll{GyZ1bkm?HNz`| zqjxo6*T=S>uw=gy)%D`Kx!L~=V&?fjM1Wz)uRdfEUA7<=8;qPESp=P;mli96C6gy$mz@A*pEzo17-i`8Z5mz#%OREDm z)H(=z4Cyx^s~2|0=itNS&T8g@@&Cb&#)!H zg+c>ba`R6k2VorIc1bL~zNT^+XI9Vby*ZAi$Ek@EC1)oY30ow=w!&6_bF_&a~u4Tg<4MKRHpm(IyK%#QGxf5mX0$8`bFqTitL5favj< zT_pk#$8-|XZAi*41Z;QnnVJ45?@I3qiJabBqcZ~!$pYV#9uJn(IG>>-CxB@^{_nU) zA)eMJQUdT69y2cs#8XOtO9z9MQ1j$bg$VrCrwTp*OAe7F(OZT-N)4T|A!GWJ4lG3> zk_C=;rw-Caf4qqWJ|W!bpOtruBlMyJ+~-aB?YZxTb*@?uL#r{-v~#5Nm7Vad_Om*{ zN42W+FBiND9(6N3F1xk;WrX2=gIk130b3Tap8AsFMwUY80r8tcPmN?@$>I&~+6og1 zX`zYs!i9k2=PtM{dj(GJZdLYkX3NXJ7z68 zv?I61rpDCbOdGzMmZmQXmsiuCievWyUdIqjCHLo=QRfo9d$=W(eY&d1l z;$`j{y?%UXK9MiunGpW~H-)xfGw*R=d3W&!-d<}3z_;tf*G&%Q8p(J+fC1t(R90zqN1k8~8bLjAHXcjs;6)u- zxYH9NyBwt^)w!3GqV!(@{c8%KE!A7WK4&n&U5C|=}Y#qvpoJQ56 z654rEB85c=2rQC~hbQOWm~mY*diqf-MpR>iFMV}4{mrz>&vr-jdv#qh6gf;gLwcZj z*>i!Txegy!RW}~}?rS@I+9&Yom3x9XN^if=8vV}@U}?-u?FC!k+mf-Or$DY>bsf;)`*qlb7#ZR3TMa=}{?s9Mcg*4R7!RY|64rQS++-*n=s^~8% z9@qKdTO~CsHPrBWmVL4! 
zd5N_?oO0+D1Bw_mLgYd_L+;RC4fW8u4|bNkK@;p>!W_w(p_b0TfG<&GU{3Pe`z@Qw zmUcemh1-eQM_Xb_K{QU-Y1FXA0nmbh6L|Rp{R|3lHW7CK_unULhYQTFl#eYKv*2~m zcD~z__i(#!!i^qkdq^y4Y-(zGIrK#Oo7j`5d@azP)$xBWTK|tfy8mR_LGA}y;kPgl zG)Jgz9}%|~R*V~??!g`yyo`n~e2$TsQg(KHr% zqOL8l+sKO;co6+<^u%nIU56P#yxjsD{h}i4sfF7t98+R}-Zy`}P(gpS zJx@Q6abr(um!am+q&-k)5aMNiN|_|@@>QoQhnX)usn_`Xd{3$@g~LBNih-XWOY1~& z%Q+KDdQBr6tQVvVh7Cq%b);L)|Nbc+FUS^&QbBiwoTr~gs#CP_4Lztt&2xmE?kz!* zo9?)eao?K~(S8IvQ+rV5iMv5oDJrk zPaiBzyIx1Wi_i&TzXVN%Yrd^H9w8-CVlBLzF~8@|9h{(mZmYxefPwev@^(iP zEyTU_eoz&m8DPe^El<(##FcdCbGhfRcgRQKgW(;M2L$6v#Y>&S#UE_@9y`Y#JHxZN zdribId>p|+enK15JWDNWSDc}k;NPc)y_?p4YwMx+@4cNRTCtqGCnQ~FZgjBuzwlfE z)tmcVM8E|{JPZB{A)4(`Wc?qg8!zSlzBT4yF;H#fVMn)G@Be~@ZtvXT-M!TB$mMow z18OO!c?(OCwC(S-5pZz5(h9pD=PxE$f89VtO7s6>@4cd$YTtcPu+fP~6A+>lQ4x@i zw19;oLPQh0w^F|L8K_4AWcf7Mr!Dx2uSZO^qx>cAm!WBwZ}eVtv%NI zuXAzEIQ!yUFqD!xW_zFaDZi41J>&Ql)E_@-MOy0zCIWrzjwlWUXf6eiW0U1{22b$m z=kUEmUDLmn^6kWx(N}M&-xo*Yk(~h4MYeTzT%k?Dxq<6yfn!aiNx>@S{@wZxo4D_G zIMGn|M(`~T#0LQDMqZ!AtN_(8o(N<#Zx)!E#!(nM#u9Pm4;=#?OfY38Gh`rEs}kpj zp|ge%Bpc}*Lv=zFB?S1*UA3g5k=HZU;>y_C)O*{%)tBDKEHYg*pQrIK9zr$^DK9%I zVjB~Sm<)mF)*8LY7f~~GzU1zta|&O+J~IKV!e6mc0K@K|sJRpy)nAFN8Pa444Z&|( z&m&#m2F@1XC+wop`RL|}D<=;kNYTJ;O>mmIN_O%fsE}L;uMwIA?}_szIo2PhySan* zA4gyNhGSof{s2oHGSNQm=%kiIkN9EfqV}i1R*};a?x~CW!TCpW!pI3t=4+GF!nEj+$2{ zJTeJN8*emlyM)mcO}L4);6lA!ao>X7bwXi)PDI4K(j<9y9@1>_xpgD;qLc$L-TBZ2 z@(>dZdT=r>iOdU>M(UJD^dY(?tq^$$EJ$v9*flVq0MA)_FLz^na`B7Zf@kT?mtu)q zFgc)(;$6*Tp-cK@&&{?PvEgBF9Cnqg&#cKj?^G8zX=$DFHaMH~eAT6Q^($!Ac!SPr zMd3%d^m|cuCb;LnU<7F~jQR=vvS%S?PhLI*clTY?(n?w;0R!_LX0ifaBqRqRP4>wU zB%9}S0=RO%8{Nn?rVOW(fZtEl|m3&l0eM;y} z_5c3F*=*#jL@_Zo&(z8F0=q$Ms(TyDc}=N(^Ck$v^dE*0aWf~{ z`L4&XflH*_cqKNHUo0Qpjh^rX&LV_jO4UomGsTTxe3Hdi-Ttd&D z`iD;lj)SmeKgx{N{Shi(2h$WPXiH4 zhHRRT5F>({pyPY&AdRcZ-~djf7;%mKVU7Z0qK{xX zM2S3A>p$RIm!j|j0=n$sSM~kUYme-PC*hMVbe1JTgU<+(4{^?=_{j-Ex5W2L4{g3K zFHMzzyaa>`34gJ0P*M>s+Z#HOh#&fgfv3_)l!GI!YZe;bJ9GQmcjdOObFDH@c5W{4 
z9^9nWXt1N6167#a4q49|zBN?kXk1VODz%$Z9B&7trOvBT>RtBufXmt6m;?Xam*1jF z0m%S}gD|Wmt&)Vs^9`j5-x{Ce`#`HSG57O5hp6>$rb+$%$Uy%=5LA2ERjFQZ*-)J# zkbs}@ODV)%cevK2cZ(T4DI0+zJVr${s1TI$f*~%M5vAmxmOt`Hv2`Z*%gWgO+6{cEMqx=w|+()MZV&@sY39uAJ#faPVgp{I2X+{=8#dz3uiH(`OA zFWLH=Tk$*He_W^SUE8D96!JAr`@GT zJDvH=5&7nUW7=j2Bp#hV1fFM#A+qiV0m!Ts-!vDRT_!0O`hqma8S_ z*G+o;_iZNIHqXdlXBTF9RzKCS{!~pe(+{ckocj3ot>kbape&?YLx$#10||Za8kE*= z8xg7^Af%6rtpi7UR`cJYokRT*a$8}zfWukxRi-VIEF{nmIqxdem<;!vo8=gnC`oH$ ze_>&Fl$-o~6)^Iqy$390ekB+~#Ye{hbTRr!BQtE4#QPbr9+E`I7Oug@4sn2tp9SR} z8H8twm5KcnnYDfn>aTihS<%J+fpB)>-VGp{PEs5Ir0IzUK7?!Hyb3Np?9+_gAh%Iv z9cC!uihWIN-qVkw4~ovB%BaWYJ!*MWUM7+w`8J>}1RM99f9MoI+Z3_1hPrZ8aAnN6 zTvfQo^Chg8MOY8W#ObU$MD+YD4n4tJ=Sk=`QOk()`m7GqXzxdoBrb)ItVEGngVp0B z!CZCLfZO>5x>Z&frj=d1p^&Z&G2uRCA!ZZH>ymeqIhW;1Kl_-xmcuELf%(lK-XVs5)^FuLITFA=nIsyH>_^s3 z`X?q`B=mRGi>N$&{E?t@&{V<-go9<^;mj4l%CYSbP78n)RB7J)?m$|%Uzt`iaejNQ z_eQ(sl0!7=;SZm9)294l$lN#Z&-kVVnQsKhTx#MIotlYt7f0Ji9vxbCTjB)=I%!mq ztYFP#QZTvu2mKHDe4PO?`pM4-!#W}l;Xdipwp|<-{FK=$Z^{YelMwNcUYCPt5|FBd z=J|2Z`797%K+*CVU7}*pHLD`};S;gCxMenXKG}+<%h0r724T+xd3P5A9ysqlVkVU* zo8(G{<~>Dk#uCc9jfosH=9HJaU8?6!zuLYg|I(J;`xxp8yNR5JV9;+-F7WUM4nlbB zJk9*xum&UmgBdmNVGQ@BDBPkyi5!cmbrU!lMXd*l+rOSYA+%5Q8^HZwY*6#F!dKPX zdKNrcRk`e6?8?gW{j`2_^0n%fYV;TuNc)@2fPe!QTDP?%Ml`X};18aRaCzoit|iMK zIT}2g6)Sf=^@V*QjgI)Yb)QL=LN!5|tvVq<_8dY=Gs~`cm-9(V>f-r*iDHvXk;Hxrlp1WsV(^MOJ8Jpj`VpInBF3n&32R&tBs zkcQ5D?9-f9zA9P4ZdboLewb2{Pt5_t!7^6q%2!YsaCqp1RSV$H*nXFsG;e*GqFXNL zTAw_Aa3(f)mic1Uik zZS@6*uj+dBNPA$Lzybm<6rga}CMSB(z7d(`et$Z2?e3Tes($HKE$!S`+UMD0OMXLV zji+cLF8^_>*crE)za#jv*geOLzCI!J#9VXoxk6|Bb^_x8x(P_n{?M;d9}>~+@C(kU zv-FFws_dfmvee7(3GdXd=~iDd(PPd2iq`nMk!^s-#Yn%1JDW)h1$Bn=euEDOyp{C5 zgD(3>@eVl}n3)NTU$fhK<@p5+Pt5-cngv$t1aN82R3o4@{B{Sg*KCp8IsjG+B3Y#w z#6RqTUySVB_;f0RI{F({xkKeifW^!JbD^+H1k;vGLYUvF@9tCIScKb#xXwQ0)o;-M z))lIK(=FoUMfxKXZDC9cl*f_`#zVpoPC@L+d=qCddCrNq`A#M1*?V009r-JyI`pi( zM;b+)&dNx6M!rpIAUcF;+@9xPd-w-Wpnq2S*uQSXrWk*{;hEiTYB<9}hRfdezin_N 
zGOY%|L3!$TyODl@kR0LddJfL^bQV;$q^Jm^yVOdoqAe1V%`!U6G_Wfm=uDl+~;eWWxJGUd&C6q&d_xsHvdm`>uWQa z{>te=@O-O;vdMdimzYk;-+10P^!VPDlcWt&FmO<`pDq4ybG(o$)?X)A>_opj>h(ED z`OxH7!t7>@g^AnPsrQ|cXJ}Yik1ytUX`Tm68xEU7K%yc9fNFCHeP(3Og?P^O<9&X? z)S>G_Mt&z+mcLp&rmmQFJ{G&+jqZa@oWxfEOc5=4aykBczX1c0^XuV_maC`n!3-b7 zo_$EVD}WO~3ugr@RdC$W6tfMRrmGj3|N_l0PR96oAvTr8J zENozM+`!|vTm2WFmf>ig3E0~$WP`SYf*(H{yZW%#P@Yb7rdBheZ1`29!3=p7>ypu# zM7=H^^O2LJ2SolLpKdy>^N}}b+_r7xPwI7VDRm4(da$A$UAoO0%B@D2;p2e{ zP3nk6p=_og-lKt+r{b5V_htb1|+nK+CJJ2}xA8*5dr;wgkSy^5G%g{c}n; zQM&N!ZerX$8WY<*g#X3WYePR3%6IJO%Y#(VyH;{yi{dr4$8sNPwtyj6|85ZPK``y3 z#@$(KAo^inKX$>6o3=e@wHY)k`{mKET;o90Fxw-bVr=;(Ly~9tfi9qcUMrnHap_41 z4cJV@mZGEp1*K4g;aqK#1D;IUqJleo;_mVh-A7Ehu6wTHCpll$SUtCBv@_Es ztj(l#AQqu9^p)f^4M{P%%iHDkU%gxZC;c4!uf&YD>lg`rxLKZq2p|J#sb}4T4cWfy zC5;#~=m;LXkXPm1#1h)Dl`tAN=qzdun9&GQOzF&{z?4nl2Wkup%-+7SlCTqKI;$@r zo_vA!4amH3&4$^+Vl5M?6%~}bDG9Lay0Lr8{x@y4!71SX?O=P+=nxct5mM9wAyH2# z$!3aClFqd2UyP9+ntAcb=!dbE{i(P>^Ho416iheoVl*hC8)WVB| zN){u+0H{JF^)%VTVIIz*gSNRP^l0e8J?rrM9++v9HJl}Nuj;W&N>cUdA@Db)V_J@= zUaqCME$dHR2I262*Z@S2J%S_ZH}Phy-^`;&kKp}XhsXjcSyKW^xcrN*knFdRtS!Of zJ^%bks9`NN8X(`H>@&OOZA#}dL&4lgQO9JYDB)AI^g(PkuM;C%{g7SJGa6nUU%eAy zb7}-BPR1D#e8R&@WS3a`Vv0;SZFEVGSEh(FSSJk!JcNbbjXj+mVRXmzxtp}&D(A_k zGdCzb8@<+jax-bV~QmlYsYm-wUw9v=>U~KG_erX%i*r~8f;U0 z2AcNjqh;!!mh$eME)%gNQgqp<7yQHRj&`og0-^!FNhjk6qD z7ZLY|u%%SSdD?AQ?cDjzXHGsVxyvV=SEizlfr4%>15$PCNl+bCei)bvX58*pK+UTE z!%&RG(g#tM@y%GWWO$e@MT6dxAuu@G=01*--rUW%D>Kkt49o*-9LoR0P&9#K)R)|0 zM?MFUuc5XQloSd8z^JKHw;KgAX1lAlBBZJAy`~KoARo^C!_X!hhJo0T!{%L0wUKAw zt{IBr`;3GKnXg7akM8id?2xY|zXe(!U`w(s#l+7A8il9auM6*c63!_7t=cg~Z@IZK zC8hMd*W3#%lOsb`z3+TqBP3>)|0JXZ&g48nb=H@kuuA09dm!$bufNS$40;DC_XX-O zvjiCR7D2f@%d%NJAu#&&3jjmqKlnOi+law0Dae~BOOhp563}zVFydird>)vC9Cm%N z;w-dbfxoapvolV0V+|%cx_^`M>K}$K89FbZB!r28>}!7owe*F8&j98?dwAVcLT!_@ zTTMfe#0{YWjbGT;;kwL>t)Z7o$uD_NfU?m_0qVYMN+)Inv_R0*0ovqyAm?Gou61KAg zzm2D!I)2NyP3k`%EL)?k9Q!piNa3jx125{{VBUz5q2}dL5$`Qv^W9bzT6z|pxRz)Q 
z4QmiY=n(5;m-FU9AZN9<+zbzIrS#h0@2NQrufK*J>1dFCWSlaC3X}bxJd3sII2*{N z_J9eC9DtNDwL!*TPwLc=<4EioqUM3nQs~OrvnPDr4C-5W%^OP7>v&0NWuQsIbcVG;v;VZ*ZO#cq>t0)+Ju@I(WcfW+imEVyT| zv1BNV{Aju{8|FXsp_4t9=Z8suR2jf~bk`Anr^wJnDJOXVaq#)KyjXA5Plnx_pRHT8 z9$lQ{+Mf1YgRzWmNVcplL^mGucrg69E=^#fgkryH#S3r>31tM)%c$5)X?3Ee4~F$$FI3mgu%A+_j!-tkr@{s&#ymnPxa!xZ|x+(tm#$%*-7yr zKxU^uGmDIBdbC%Qv_TDC5hasaTV`nYP|`WjmXx>H?ftGJ-5R6F++n=7(z&L`NOm$l5Tk zOWS?$hE>EtMw=wii0+o1ICp-YTv~MG%%e6@jq_0^F4C2bA_gQy^E9$q(jSM$T{5_3 zww}W;1w%{4Wf*0CB@2HszL_C;E${N`uj+Q1v^d%=84A1ImY)?xzXQn){eMu2_Qd~7 z#{&H;SwR|*YlH&TaOdy!Op@#rFgm>j=(GS7sw50pkgh_;;8A8HN+yljycdP(i$<8+Ql3*yE6PSH+5ALD#vfiO$+=^) zh--ZOjN$kJ)07JEA;Us-sb~Njt7dq_rSbW0>B=)nFsean4@c4%!~*@uSLlcdgZG9c zS)QQG-xrv6Vs(?_vH$oWd7R+0_G7ZV;I zDKe5AsC?#hV_TruFGbG&!*EOKh!<9ZC0M|YZpKOhCySynk1jrDfV%Yj7Ne)h?(tF> zb5R{?qx4^TfVWK)H5e$Q;(wtwvQTm`^f8?JrWmymgF0qLulHq3wxyt^AhbHV$FVj- zRhEJR#NHu#*8yadl(px)aAq{(W^uPKUZ{|#UjGJw_bS`o{TSyt2DYS98cJ&iWnT`W z@qRL{i;g*w?E-&+8-Tzqi58D?+?%&rMV|K?SfNYs!!gFy?};u7;Dc9C{jvRhfXCem z8h2=F&>-hzQ}tZm-{lE)eb{flSno%8;ihIs`-fqNaR+7y;_}qu?k&9u=j$BGmT?+L zvnsZXODEAc>(cwqAUKkVGNutY!qB5@?SBf+9B(e6U8$pKrL9OD>dZ4Td@dC!O3qcn z412%R*!-uckn~#nQH_oGF79*jf@Gt>RDaH1Yg_tEI zsgjm}dMRWbP|Tk+JE2N7=ygBxIhV}51U>XB-U9DI10fmc-tMpFOA&1iND04qdNVg_ zRTpczv5UozQa_@(0BnWs--r2mKj|Na4>J7p2Gmy3zQ!rwn-WQSJ-~bH*sG!K11~t( z&$!F5FRI~Y+Ko|n+;=ClUEe1;D%|&(C~cyWvsgpkP!MGy3!C*4B+eEG-V;T+XJUICasz=@&5$ zWZRf)S2lTAi8Y77OgwuYu=q` zMj(U=q*(SA#p#c9jJ1lt=o;d;Z#zDfdgY`82@p03joFwzNpcsY@0 zcOt8kw+GjK)?LfuoZhuO_an~_me}(UIApvJ0D$qzj%+M|M#Q_ z-3^)aB^3=~UE<$OK;vI&Xi7%JrRS8S5e?;g2ev*ea#U+K3U#z0bCHvf-DqqW>R=0y z$~X(O;4}Z5Ovpv*zxe~lzq4l`5`26_eE`7ZX8>f#Kwtm>Mmh%5qPTK^=V69`#>rL3 z(8U_T2Rm?B-)R8I4JPP=k5uAgu?NGb{qO+l6#~FCE(X(Es<6ioD=BE8O9)hFiGJis zz>wDb9|nB~baOl_s`Fky0JT&HuvIxy+Tbdn>um`?I*9<%wi15u@rltT%w{SDx;|T$ z91o{oTn$iazyx{bc0XrVG44Dkz^vYBV=OoDZ#1ph-7{n;VD12TJ)B0Tqvk$mmc|Do zRW1D@7F60_+Y@}>j{O*SyDI$q!=+DpALH(u3sj?=<#_yG4P~ z(!~uQG3S{|C9ms^VDC4ar0UiJ*Bn9bwNWL&aD7ZT7d(e3la))8^9bHTP?P{=^gg3( 
zapwHhCf?n=7@#7^n?0e$Kie}8AD^6Cj`aLK#?7u$^Ol9xs64jgT~70{eWcPMptg2M z>H>s-toh@_h)m&LD9+non^;0MC7v?vy>US9O6)*mGCggLNgx zV;2L6U|JX&yB|2Z6G7z_qTlbE2hqIBfd{Mj6(pJnpm_1LYx__9p!4Bj_Fr%L=(r7b zB^2Gx<8qC;5WsGZ4=>GEMihCdSOh~Z0e)#ylw3;%m+9J~4z)u849KcyO%ritrU1tX9?PlSAU!E0S zrRl7LJYeSZE^x*DSvK!sLVV=POG10W6`_tTLb-yZfNx&IW;2;U@WbBo=qdmNmp|SlQz~60w2b> z?Zr#1PvqC1MLpcWhfVD z%qJ8xm5~WR;4s%rx(L=|#=q$!VWneN#(EhjIT0P1k(*M)iUc4-$S^1%;I6b1IbF@; z%KfND?Qdb@Q3D(OjxZdvXzp>So87MC3y2?+!hyLw&4IQ zz!IO#W2i7Pada88#V$v5c=8X!>p@^xw@}>h0dS7KZ}LAq@&>L6`2GFJY1r|BEbSUo z6wuhB-a%RYpVY$oug(ShuXL9GvxM;>u+V`h)wx6kWJezuiD~O6fE%#A;-|e7PuIa*|Ku|5o{`XW7I25Ux0Y-M(DaJh<4^tzTK zFzN03J=w~|dpz@tUviTv{zA=-mRhsi9idI2XR@}Zx1KMdZ!doKHS;=0&=O&Rv_zDA zL*)jCS8j>Bn3GJ-7t7kXzRf=mRefy*zaPrNOQwCJ589lo5kBpxJe>0j5!%uf3~r)4#q2OR}v z(y5umAHZBnl7JsLDN&TH^4cd>bTYFwLu%C)&&2vXKfguTK=)ebRq1o92{h2Tr@XC6 z>(x*elP;()e__z1CfaJ`6$0{o+C}YSs8pc-gr4}qcFbI0Mkw~O#_d8wvI%HDK8HuA15ukB#J)Cgd2-t{8y**? z{VC|0nbl`AaXo*B8{-M0{U z<E8&_~+brU*;_N&ghOH!c;ZP zm%y7A6#YJm48mssDcZx6tfolp%ylvAryaeLxwj*=-e2=QO8w)>dPIG}`f*jIJ6tJx zGJ37oQ{s2A)ZS>a_=qy!lmyUDo?=T94;~Tn^$%0J!&~ zHB|}-vT#n+Y6z@POhKLRg&}tWR6No0(B{(UPLb`vj<HZyx#oVZMu08wc!6B5%)EIv7FL7LlP$OF_8i<8p2M-u7JnGN{%n zBUbya<+?}tS@s{sbM?4;RE42~EniEnSX+}?EElSfU!iVNfi}IkK=`4IF*j4;njXJT zfO4OS(;v$&Dz^>>@PaG2Yke-5UjI zaBMu=U&~2Q+zDJ&!l08DL^k@-UC)+`}A#n zL5`g`@3jg-tyb^oz~t^cLUkS?Zf%Wq^1l}I3q!9$n zyGDVUX;T{bU-k?Z0h!C6-F=B-Ms4I|(m&*&G~#x|DiY*gzA%)#DW35?({iMN$cg=7 zrDtET?wjmGSm=%l1ia;L$n6%&os7T7fcvYEgdRWzH^^2IWrK@~sEu&N3cm775M}PS z@NbsXv69-R45d*Gj>6pHEThsI1A!%Rm@e=MfC`<59fO?oS+h?+)yg)BFpM4iUInnukhzs0?+)5)!>KmAqe`PI+e3F2Eq z=QtN_rW^5CQR+>KFd`!JoH2Rf^bhI-n6ubU2wh9%p(4AB=S{4^}^^JU82oA$@$m4gfHon9s!tIhw5o- ztFcK#e_zoy_A54ew!uHL#nY&{Kp?wI^o>=5pT%Wf+n)PNxz8{Ojs*Oc^U?Rn*~G~w z#3|YAwGZj)_av9K#}l4sE{I`%qEDcgG6ku|%|xEHrE05sR(NW+o0DZ%=Z4+q*+3c) zKeV|0Q13eCO~ENrX8A?gz@R1w<}6RiJ#hX4Qn@@I_yzlp@Z9?1VI z6NxKmpw52@4;SGjf5Qvg8WW#B?B+;MGdde(_AbKd#Fr#74S+C6(JLbWwqghA+(u?r 
zR#MfM-pO6RRj?qw>v-~gRuo0Bdk!12LioxX-^W)l#ax^g;5an&82E{ldg7;IM4ZX7pA+D- z=2QTWTiE&QbX|p~cG~Va6f^h_{~Pwhe45Tk$P9M_ND9K9t^AhO-)lZTaF&pn;Z?W_ zNUbi~*MaAvQ1qi<3gnq)s7tKLTG8< zBR}ljHXOr;UcFOx#q6@S@eS1l9>ygv0JzEX@4w84VP(c4S$+|?!>Y8c*m^44i{8>H z-LfmM;@lf!Mq{Z@%PIyNB*;oco zQ4_G>XK~-?EmMAq4m`!*fA`p@U1}-dKbqE~YpI^|5cUarSDFacHD}^(f#I19o2^SG z3j9nSGG~kf_h8Jx)8O3%Gwg40!0?CR`&$oZ)C(=PCC=TJkI*|Izpx@Ph;Lb@&ZM`$-6w~xWe@^$QmHj5R`}Iu!zb6~Pe94E+NP!C4$NeDWs3Cwj zOprQv=)@YCQt?&!Df^eWy3yvp+$1j%p26Zu__?(J>pAJu!&5gp7@MwbGBybVd`x5% z?Fuoz2|OO(c+RqAfh~1^wBFqDR5HJ8ov!u^h@XsQinG=Z5@AJLNP4Cacppl8XJs~ZzfZ3BN?ma#Ri{aMZVYuy|$0lo!D zLGNHgXBhwzQSE$AM6`wlPxCU~Ja&;^R?vOYJXo7|FAs+eyFCw!6@vaWS2J2?DYEW- z!JmD}cBp{v#W=rjmK*89L8^Ri?+$PX*Ux`B8TxqY>dLCi8hFBX9{Lt}-g?!Y{7~S9 z)vBF;-MHn`B-Qg%#(*mJ52-(N0jkm{{R%k&0&;wInJLx7eJ*7#x>i|@!nxegR7ZwV z%nn#Jy*&VU0nTGWQ`j6wJxZ>sWbv-eUE_2?A414AYjIh=I=&hb$%>r~QtghNQ<3J@hO{a;bye?^P`d;c>1DoFodg z*IQa)B#!uh7<8kKGVy&tFa8{A>=t|lW=Lg zXM2M+cCmUDeMbt0ea8e8O|bH)1(rSGgxhrT&ro;d}#3OU*(uf8>WLjC;orR#{wm+QCoJHG;?@rJYXu9=&j zU;XsV9EM0g%?t}#i?r7ZZZMB+gz*B5ad`M~eDf^-l;6u^sFuY|5!YlW?$9`0<01y2*!8myRDT#8XknEu<+-G{6+(v|*&+N=zww2lVJk#DZh zpO_tP0>dV8N;_%?OHUkaRLLYBL1^BnWyh0K08i^CV5k6#QW4><&+yE-t|H%Zot;nj zN$RZ&Nt!zQC9?RwFvXoy2%QlP+3ywcPR~`6xju%!z5xB_ebWa+?ar6Sb337%k*<7WiNf4=PYb%DHhn{b@SoFW~738T6&PdaWFCf2pRMqe0;v};J7w5XoZhL(b z^h| z$5N!IHvtLagAc>h#{qoP_nj?;d_SHmg}0x(q1Q|0S3OyY0O5hbthv_L~dvZ~g5u&7D>WlXE@Ipq)S zP$Fm2Hdp{5MA6#NQpup;`QI%MdWVNf_;HOfo@a7ujI5!#EbNTu(G6kYzpsrQ()kP5goEW3ey+S=k6+qLZYt&kaUo0yGl|~kKe2c-TiQK; z-=FRF4EYt{^jAf^L(3pMa{a9BM0=Z?+)mksEcgCq(fWSs{C*FEPk?U=WLys~j?*UC zpq1kCkIrVQ%_;m`t9Tk3o2e7(vKSwQVn0BKA+IF1)YP(kNbaeu*1l!LrOG6nf;zjx z+h}3))alTD*79bYqp)4<&|J9bdzXD7(w8s|bAoAehDs_gn#Z#9dgF8KfGFeWD(p+( z1E!TAASV&d3)bK$M%*Q8qQmx;M1q>SJI2R(T)Ne5e}dD4N&^X206D@QE|N|ZvkXi( z`lGO&X73L5;QiT!&fOe>lx`(Js0Gzt(0>|p%y*)Jhj_U*2+$6o z*bLb_xyd^CTcoV)h%o)(Jk5aog5V-Rn}Sr@R7Awd=J=BVHe)T)(H#~a3@GzCFdhyLvA)$+Q9|NerQcm@OdXC?ed!3A=B z7y(3a!9CeAN;@4)=!-hg6ndJWt~Wd%E1ml>%vAi9aWgLD3vowV*m|d>ZyeG%s;5J= 
zsrJlweh{1Z(f^&^PUfXsp_=mgMGyhNi$?B;pV%WJx_RfEfx45s|E^_uc^tXD|_C(ioKtkmnD7rz2dYkOthA_%~ zy4G)$(%N;q=`t$fcTCdCpD&aLXPDl21%l7|pMY5^MOz$DIYq)z*AP?Do;*{KX!Rag$ZOZ%~srla0cL6W+FM+RxF)xG6xcR3ik z9>6%#fa%BD_V~ZzHYN7G1BS++_C~&28Uxjvy?y7-9P{xoPTZwHsBGl)yrz|QH7$h0|vGxKK=^~Y+ z^$}(FM@_H6cfy02gZm1!ma8;8e7zkg;8m!TLi2#-8nHAs>XYt;0-Ws{;OD}4fWcwM zCvc5|8a65fqrsU~`I_scwJd@lm2I^SRmU-6Vu$!^Puyo@FKpM63TQ^c00iD@q{{{< zWYpAelw?a(4k_SrS0q~dLp!2cPcbIl?(0Qr>3_C>u1(`@)+MdW^gb=Y_@;QG>^$EO?;t*A>SVMJ zTyB_ur%d@INAOaA`<%SzL@|Kk6(T3n!(+wv;6!u|@-*VwkQU!+4LuAm?1p<-I*h8qM0tmP4VJ>GwSc;J$i53@hI>EPLbQNU{&qNfpm|5; zS?cK`stVC)G_0~t@#pjGR7Ms>qeE-Yv3;@9Q|3bxvYScx9&YpU;Z3SV4o>L{@pnwv zn-ei0CM6VUtg1Ziutl)4?t@0I)H{jYF=c;U0o?OmtqR62#5r1KojURMe0w%tDALW; zJPPj;Xm4@icD2d99U+5usM4s@>}f#gJfc82zAcj*=U?#yi>lThL67NpI^AiceX;{XX+Yp(C!cTT6iV_-}$SUrsl zL*g)r*5s4zYL7N8nV;~O_9Mn%K3czccXyfq%GgGxfS2p#rIV9)5d-o!I_%#jFjDhR zPS$ZyB{9iYPC8GI|+Xm9+H)S|R4|dtG(z!+Z68t)%_F7?ka#?+}2^J8f+Me=hEN zIom%-w5FL!JL*INbZH01yNVgb&?Wnq8Zrzc3=5wOe}Azk+EM$6d(4OT5WW?U4?^7= zsNmo?YDk;tqN}*1WVwb~|7v`3Q*1Ja;h8hwp3)d3r85Mv^xEQ?@yUzR%gI8BJCzhbNwdr^gUvnJ&SK0U*Rd3K6eU9Aj5^XJZ z-?~7Y{cL$w^7{mxqsJbD_5Sf~SVn6**+rPu67e|@5Whm|_zDVtHn{H!Z6`RXq0(xsNAiR#tWpF{ox68d zc&vRZuS9Aa#EtB*;TYU0R+1Qn84&il_=hCxlGww_o3rJAToJ48(>#q(_>WQ~i8XyWenII;opoj@7+`ybwVA;;zFKgRgrbkb_B*44Jqo_N-&w z{jcclrVhFvK5_0gkZq3RT0~@O9=rS=ds>mwbOO)E$&_p52Fy>_W*I7E!_ypEX!m59 zoXcz`t#fIQrz3CN|HH5@9~~pBxv?@z_MnLKznGD)W|D-|A+d+}8rZlH-M}{%vQaU6 zd{1f*4?jTDi9l6T3D25xu@Mslg)an-%ap{{r^!lRwqjYEOfY7+kVa9106pE)bUr5^ z3`Fo?`Lk(_HlQz7<@;Eqs}!Ud{92{-vA7p+2ff|$bV&|Tlwwh>z4d+V_n*a}aR>L$ z5xDn-e!1z?XW!Fi_1+4mpU{z8dfwTQm$mdAw~1z!v1R9_BOc%=nG_Ga?p zs|V@)E}m;OUAlHrGcP|J2jC#TH#SOl)zZkdZ5jN-b^LgBz(ZuiL1%auFRq7f}5U-7;Wq^z+*9(+w#>Y|UTX_jOY z;o8dbx>jaCF__nHRd!CdzB|9rFk(V}a7MOCcD#MEy@uOw50~7NLk{w-xK||RpCEs` zV*tW({$k95szyj?5a(VKwzPO7U9`_SP(4eT?QPmxuRV_vN&~&yiE8U0y;mEpP_d@J-B{8Q#BERXRj%0R{dg7z=8&euo~$ivVkb zU(&l~`43z`+&Y8}>t8O#l8>f&%YIMRrFP7l-#mhS6ILHh1tj1ZDhd3ph4~d@t!9F0 
zY#nEVhGdZ5B2Cp)muRvA&mQ72p~7c;k2B{C^U8U*%6-&U^>q$Bmb3NEVS&9|;%aX# z>cdyg!Is2sSBl8=ly;kVnC6+05odk>Kj*)R&It%Oby$ z&LAt3z5zMM=UD(He)aE_*|1UM5%&RP2^;Q%)5P0auXMO;aii_-_qX&dz|pJ;FpcCO z3}_&)3}nCOwZ~#ki7<;k?ocA3wg9NXB@i2M9AF8YE#Y3kwm`@_$Qw>+RhfL#Qctm= z%jdF}4DJ^$ORjX3?EF{vLy(GYKFT4D1utli^RtGwz?%xD*k zUqcDs2O_VS1E=(3#`{xXwVh!kZ`J*n)&e~-cDcB8sdNIM;(mLMBLKujcAlG@ZfWY6 zO1QKhmlv8>AJp=VKCZn#>bo}Z3jpTVGAni$ zR_9h!zI1%r2YB0l!(UG!>>W5dk?=hvaze$hNW$ajWSI`El{4HG%;+xT-fL>QLA=!#} ztH-B?{!u14R$RnX!(h2xc}sHnDQCUQ(usI%chhwGubs?$6mya^QFM}=ZAnOKIwO6r z-;GNschz`wq1xVq%({nSLC7cU{M8PE+BCtF;EBL^L18v zZ@K7w!kiU4$LX^FSE`h269E025@(w~kDpwF+qp{f=ZoA+aq}2U_$`1;+BM(Yo3qLX zhEY8I2h4O7NB!bp!G$w#ZlD*pnU5cw(c2Or;F@MxD~ly>5q@Ljr=D6?4v$WVgTh{p zpFeLB_c)R&wGMql7Z}p8r(83b50cKdD%Q7Y;=Xt9>*ck$C&9)H!eNLYK!f!&{ak$X zF|A8$^;Iq(moKBMc5Lb9Q#q>3dVItoCIGeRkw5dqNTQC|geucd$u4nA0YEJs;t!bA zZ3z)12f|frA-rtl;KLE*=6d424{eg(CuY^7q5XJ)#U#tFYBCj7`tADPASzcckT8ZRwfG6+U;A%02@XxD${YB>%7 zG}#|o=q`fD+@(~YxtY~~Bk*so%-5?odmwbk!-c~9M(Jky*N5w>1PWoly;o%jA!{@A?uHW$Q(7oLnTR%jRFW^1qrsyC9h>*4*7h?)vy?vfj zT2R$c#V_eZ_0rkPOc(MWXhn31`@(1pszTtJ}&N^4g9TlzNF{jy64U7o&ICV&LgJjf>g*$uI&u&pY7R{zcl8J*c!6%lbp3K;~m3@AbW-4z=i&U9_u2x z0GkHxUTU-sck^n*S9#nORG%ZYa86j42Qwt&x;vTtP@gDlx*tivpy`}|zr`~Ll|>v#O_?{(e(T;KbTj>94K ze$SZqdA`oq>-l^<+f%Yjd`yOm1cI!hsY;{tviSb}6Z#`*I{EDGVTdi`#=lR$J)omq9k{d(G=Jx`U=(N@&3Vb4ft>Fz z*>PwbmsmT=oO31T8~%5|i=#FnV_g?8F5=1c_GxCq7_*MbO$7+kHl zq0anEwT~Z7bhvtjy%Lf%VFWkNyeMo@9j%PY;3Kow(bcy6el+l)TDLD)f67t^zYDO=;%sRb z-8qu0o%mgh#+hei>nDN~9Ns5zG<^Q?$gjEU0rJ(e4k-Y^7u6OyQCfQWyY^AefTPBr zP~zm#IsEhN3T#}rPtnw8=N#6A7q63)F9;USCnPnsG?%}954dCePEv|`W`qR;C!5?g z%k;%f%2bIKoc8$v}zuT>%?skXENpXB(!U~CvI)Aj9&QZ1{` zsoR|<32_M#-Y*QBIsA`Z0GXUSd2j%lM4eaRdyUuj#<)`~nlX+pOW(JWeE))A<<~WY zhl!edq0yZPC$c>$?eQ*au;W|Zpq><^tk-Fl+4;wHXv1tSS1fXT$=Y4+;VPI`bFcnt zm=9rf31R(J^t}9dcgCKN5R4R-`t6MWX)(dLL)6?yx1E0@Ra?)BL#+a zTxITv5r&T{FIL2`VS1LnQ~V8A@@adod057UE+w!sZyUbX${ckURra~!GxYuSPHmTD z(}Sp1`lc?ncBJ&2gPZG9lQ*gN_=GqfMf^EdUR#QGrtv-=%C98H&i+(%egTy$)EZPx 
zp5xLLa1qCzrZ5bJsvD9`<|NcEkWRMI&oo$PjrkE9*O+g|d%%FoV-fq7R?#RFtX}yJ zr8zt>wNk6(=qxpOq?_-dg_511tH%p3d(RB_MBYdWg zBoiyXy|L8Hpf!>RoxW-Dy?%Zhkdnp0JP^7JTl4&2>SV!BG7f*2ap}jb?g{w8l8Ax} znpp%ZNO=jLC~XssF!yV3`$APRr$Tc-$&WsM#{PsTp5(I`ohMd9QjUJd;^lVx zsppH|iP)_x8^@^5>zWiRe_rE?B;-kd*-tX_kjQDaL3g3ix8~mwjLCtJMVyU3tACWt zsTuMcXO_aDyxs!cBJ(c|>4Pkto6qE!P}8I$`knGvAf`GizEfVXj&RxJ)SNTMqY&H+C)hIqAfc{X1lkts}LsFGooK zd&q~jiO{PU4yq|Rn{Xy&IYb0k6DQ5XD5)k2-|5{KUqPbDCp%4xI{HIHM6l#!*OM`q zHVVy>CA2CJ9%PvuNs#{S0qqG(wYcR;xknWlovvp0BIK6t)BL_p-qYDnC9ogzZ}rEa ztMYL3G(ob#&0zv@FWiHFf_Yjju8I5gQFF}Nhh)?M^Z|u`Vxw3>*4)vdsbn?XEManpIZ6#{!S?fjC{m6hJ8jZnQtM3$85elM?T{UQZ%H`9wDG6r62SXw{x=^)&b07GZN$mG}lO`i+6+3`LR|WsTh5M z=_FR{l|G12X!j=sp({Z`w$(*e(B(#W~LlRPO8Ff$a4I8V_9; zl;C@?Dlq-j3uY%yFp*m*Qd4BO?n_>y&#|R@Upjx4E%NdlZ1CJV-tg7luYjAR-wBVE zB$;*U&vgtZy%3%`t=?z1P5OOA9``iZYuMG6szT15!$ltA_wbP$N904ZdA1UXPtIJO z6j`tria8r?Ey0*EvbLMcbLc7q+O>Tf({Z{-35BVreJ^@A>$ipQlaTS7xXMOFTc6^4 zSFJ$M54v$9jsN93!kVMEVS&w+MkeMyL_kPM0-9>7v=;ZzXHZsSP1PU)zF@xAOGs^VM4g1GvQo( zgCLXR$cGa_?38EvPMbJqndq4_1JnS|c{Bfa>9@ytlpWu&J>;7=O!%1Ex&h(5C*O;T zDgEA(k#hZ;Xt4;kkqBM)oV&)TliW6=G%P|om*F5{Voq&Hmhy}~XZ{ot7#gexL8YCq zx8^qQR)er~m-TwJ37;Rht8k5eCyFwiznqYi zF0&UMjTLGWA}#&+3!+_nw#o19-L9STS6FG3<#>pUQ_ZWWFV3#ELg6|>RZ1<`M=9Zc z@+a%4g{fg6MZ+|tAGhT?BL&moRcx`z&LFaS{ zqRbn?tga&7swZwXEO1Mue6O?rwRte+`$R&MT8Xl~Z(tlzw}d|Eb*WG3phABBYUliG zyHNFCv@cZX2Xw2ZJ&C!Kr*8O@>%*A@0F5xpL_dL<>#7I5L_#%XX4~V5Byl*wo-brQ%L=S-; zkKJrV!}4peDT3ecUbadGK-fxHJGlDo_%_p}NR&*n0_#3yI`o)x>GQCDPq@vV&7|+$Igxm=NACm=oY2T zf`1HUUS{UN&t8>noPCdr>r~CaZKfO{?!YwvBiIdE@vb?d1$Vqrp7?>~d3J&8uMr=! 
zpxZwzQzwJ+5Yvi@%IlGYCUN~#6yNL%7a3cFZMD?5ce?5y7XpZ_ZAdi<6Ax1SV1ldZ zS0GrkiNpT;p7&7JqXsyhe2k23Tp={o?C0FUlKrjdE47X^H#+&&g%Q_Ni z9l2AkY{WaHZh`R9(zoHq)WX>VWm?g3hXDM6rAUF{oN z;#1@FL_U}b8KXn;+}B^K3wKDD2FNvj&YDsQp?s48w)EVPF8amFfe>-sx5(R~de6Go z3+!eEVt(F^&%?+?Gmgyqee&8%B?r&Jn5bH#K8_+8D=O0?*<-a50^g@SI%Y%yB@69; z_e)01H1e++h~Czeep9YvByo|vE^@l&5qz;0(_Fyuy)AcCONj?`kX}O z4S`78IO7L1kDmHZH#O^{^77#V?fdDsKerC)h^Bn_pkpVV4|%5ZDgM!*n*MB=v0i#R zkJnH0Mo%Xm(iD3|fQ1c{beg*PR0N8PjXWXS|zdn4DEf`h& z;&XppFX|%+F=tUrGH!2cpIB4c+dlWzw2Ql<;!THus>H#|*sEUYnCAOXu)kE-L@Fnt z7zyPudHhCAUn*bk24)bj=n?F)Aw3LqK?Yl zUJGJ+l8)4)^3jSE-J>RMkPVQZ>AwbTE-gUlPxc6XCXZ4K2h#2hC!B2Q;$EKETn`{j z3Ybh1mY!RG8ToW7BEb8L#Eqbg7(30CY{v0x5{y;khQdFl(6xg14ik;c6MKUSK*n+4uR8ApRKpC9iD=8i}eO-4OHN>=WCyqd{_P;)R(02NoViAUhpJhz255C^*W+NM!DW$T8;c} zbtwfm>9lSoSx8nN1JbkSJ-)UN$YKxRW1&hodrUYl5;lX3!<+;M4qL{ivc@&;H%Gms z8VUEV7^*FOQZeqv^U=@3V?)$&Btf&RA6)KsWh2*xZ=`Q@iIa+eGGd$rowMIi(3HJr-ui8U zO=wug$3wz^<#Z;;UPG`e0yK=stYcRA`C8I~W zT&iZv<_vby|9gXQ;0ez>@+al{w9no`BAsUL(KGDftpU8OQa@t(h1)xhv*Y)FmM1mZ z%AZXO)UfgMwk6f|16saVErTYdww72RPnS0&w~qRP-RI?U6CQ; zE5b5$8M8=6-yeZ(9(V5Of8vfkjH4;1x7G+Vkld5hWg!^*#=*I|1dgHBq@iSrgOU7( zUdXla5ju#h^O4~~orkmA4zc;^IlDWm7wwgG-U=-d|GpK)y54fo59Ga^v_;jO5T{M&v^6)x$h~M}ik`;SRybT>au^DEjsS-B! 
zv_5_P#%A{xcF--wre_P|JKcaK_IY-hLckOwN?k0X6~T!@%;^@!2eIE^5kK=Z#*g9b z>CMltjep{5ctdw{9|p_J8AlIpO7Zl%x=l>V{C-oZd#cOLO8|PN_IlWAS2OnxzO{S; z-GS$*`bky&VA@r_JdpUgP4&fMB%&^j5Y@kDVkX3JBvjpraufLd1_7R<&}=`Cm!ww| z4N~n2Y`mBO^QJax&ho*zl#f@A2{1*CA}${dTEzZH-+M>aKNaz?n(W2u1X&8YRKclD zQ{duRUAN#PrO(qFNP%OMI`zY@-n~kF^Xr#8xE#;nt5e)lX1SuSaXB!qz<*WJ^|m_^ zyAwb+rjv$KlUy#3!U(4mHruA{n-dFiwm+(^?-lqh9E5n^K#Kszzj9vHs{xbW8~x2R5o*z?_Q9q3$UF;%W| zBEEg$N{-2J?~|>?5Id|DXtDny{-*LHW4xR0t@@=q2Dz){Xqi2ID5(VX3PWC}4ayf_v-z?5?8UIie%CPg9n1E5>HX9I6c8T&zj-GvWVFU;qd_UCI#0nJagEj~ zH~8*1K+GUtSYI=a3@|HlkNV?U)Fp^K#jlj(rI7lKY20;>r!y;0^4xDOuu3Qq3Nn^r z5Mvk_IP$w8D(&>^s)Wa@oix4DAyn^wc>@y zl{dbUq{H4djlF!@S2-1s`sQq+rZV1E91`yNIFE}M9fR`uq)F&!ouF0T&o!Tq`Ih=r z>)qsHYNpnylim3oPH}%wRh?4iaye zPl+00F8+Z%nqMlB6Evl9nqQS{msT|ddruh`Qf0{YWz>80rLk@_ z*f;!{KJYs9NqkD~z{1r}k%az&M4N61EPZ}i5HQ=Hwbtaj0hw1Hefe%hC9gI}IJa;@ zFUUu>Rr3g+P;y1_`B3@g@`5V-FXwrqLN{rxsG9F>XWgW&5`q0(rVd`r-RJ+ea0f?- z_iGqcQ+_sZURTHI;j)BKe_Ef$z5>I1hC!~dlEm!C3oS=2BlPnBLBay1NfesV2Om2l zINGT5?hj8^$_m@6n4iEt_FH?j+o;vReBSQDt9#kfWo0JIDPP~#);=)(SmXQg4uRpy z666)6=S@?@+)~T5J%N1#V_S+ev#2R#{Sh@8a_a14M3XV*oj>h=`id;(i%_iNJ~Gd@ zsiw*It8|Z@uvaR>^^5Sa*`GFVOik^-10nwT7d?RgCl5X1pP{~1sIs&Dr^rKd&icn! 
zviV<+EsJGd8mPZ14ted{Yx!@vVqTADKsunt;#E=4C?kXLW4p}QVOk7&!5x55BCLUU z^9|OR41TMkOEHKwQBR;4c?IbvZbm7BWAGnQ9pZGtL?S^eMf1o;@W+w)0Yg0-Ex;NF zv9``iLnbqmO5Ii&uHNo9Bv%kWDRkYVAVm5r{YIVp1dCdKqPke}S-+X}?qxZs0>cuP zho~Ii=o2FaIwrcWvj{o-A;h{LFhSoVg{P4En5gL+(6(%sue= zE{(kRZw}Vhek*PxiiD~u-yim2Kfk`FsO#t|ZGFZ6z2-kk&HZVE4vgSA@-6qbPCU|B zHj3Ki4$r;&r`q4T&^8Uetv-?ID35&z9xgfmyt!@{JEg(vVs|JbRW?i+DIBnZ6{Mwq zA^q;WE*O6W>C=vZ2&(HlZMZki~|GqlGBb;{qv&z31d@A7Wd(eu2NfPK~+Kp9yiy zqg+NVKKR9A!5YNG72&8*b#)x=b%^}RnE3rV;?z3l!-ZR72Dc%6hz4zYs;tF1v1gj1 zx8yRs&zU^73|9$f56&c}?-h^}{pQPLv`MZDrdgN|=I06-k7$vqesCW@-MVAV%;8^( zoMdgSQGtPAVq^W7n_oxMruujzY$b5&dC8eg7V1hRaC0%(*{MMw z3+WcqwiG3*Bkqg&4LJLcFQ31e*hXFOK(FL{#jPN3hV)v%2GqESlt<+Gxfc)Zldit{ zrV?%)cjSJ?w>h1s2iJGH)LxO?xk5(Kyt~0hX1y{7<{~5YvZj+QCqKwo_Fhz#?J{WY zx6%;yRcAvzlAi_&oL1Qq_X;q!eQ}!U=m`$b@MA|o(5b8_lo|Kv@08Ctpp(y?MRWGg zbwxQRDtlj0cyQqIXOQPyv#J+H16mzojKjN^VuB%vBquhJfCJ`{bS zjcezO<-gSee?cft4jxEHEDvcqNtjQqM>)gW`{m7n?UhI`G9c!0pj2iqk!B(Z11x5% zWRY~CLTP18%QNQ*RKkB13 zKfm(m%FlZ6TjFrtP82x9oKPn8ALOuExRC$FW@ytu*}PqXO{|fu*D>LjlX29baxB_D zIYzV{A*g2W>Un+@eTwy^B{Uar=k*(g(lEu|9aB5$Wly@d)a<*AYAF?vIJK{x&4uYW z20(f~J?PddTFS$-l#ji>9NIT}L&)FuIcMqIB>PsHapza%gwo9r;ns2fS(Aq|iZOQ| zt8kJv$A6#4R?;eVV-$K-TXC>bjx$v;Q*toEmW4K_$$zLp9Ot^Xi)2hya5^EqwUmNv{#Knv;9yfi*v(`NLqoX zE$@r0nI|?s)L)+X0tVZy;53#!C#a54*$s!9v5?85nCmicrNh`XUYflC&eorf!b?jKrxV`1J38h@I!`TgpLTtU!)mr_^bl5rxR>ZNcj;Nzjf#iENPWR$ zQ1PWJ;zYsmUzlp6YG;5?_O~Z6C$(68snyvqgu&0W9=XU-oyK zA!v4Ht2AxWE zJx?PmQcOi|@x!ifWg&lRfh1XRzaBJjr5ncEkvIJcRqY z@C%pq!40>pbAINtoTn~dG>`uAqdCukagp75&yU=dKhd-f3Xl!{(*q4Ten|@-l5|AG zpULi&^V&YOPC8!kn$!PG+@Wp@q6*jH4qF`?H=QX`Dl1a>AYHa0YVhJ`Vh5k$V19cC1m0_+4DPa-R{scATVaO?-Hf}Kp~IV2OHgV74mKdt-0gy9_|*qP#n z{ua~*-~FvjPvG7{L^iSj{jY#PCh>iy*9U=XQRvD7w9Jp`N?#SX3D2GKPYBok1DL-J zy%8)vgW=UUE6gq(2u{52()}JW5O03bVJm0*U^s7GT2u_8%<;tj=P2EI$rS}W>k7!d zesI&?zid26$|_TrQ`OB9!C&wR{S8qw`9S;ASIV7n zwD%zIBz(Chx0sf4^}y;&WnxAUqsVPMc^48;6o=)aY7-4{lWIEo(-UTl5$brkGr`lW z5>&l_j*#q-e)I{fxc}sXMk1ztTE%%>?lE(%AGH5XZ4&gY@HwJppl4Q~hg 
zmo#1@;=8btq0|0;8Y7Cwpu#RZ8-q*3zOt`q9Aqmr!Bu|GykbPn(Zy{i-hVM|j)^HD z$L;ioS+3VLDz5{_!<}$7#tCQZcxGUO3Qfwo(F@@$^8tcdP0)=QMGIAit}+NJ`Qr+I zUPN&}sMsogSxjCw$$xq0_VZAUivfb1A(^@6#)*w)==t(fe}tt*MdJj@ZjI?Yo)AgK}IZlq77{fmj z39#`H)A(`K;TKGE9J-wkW1<0|;Ad?hhoY1(NQTo2{(>x2_+#ie7(HBa9UU=qoP3>F z-sw!B2t9QcmP(s2%9{6hoFA((Rd@75){YoRmOG8|P8&id9s&+l)0dI^4UCx=wl)@g zJ0O8YZTb_P`)z@z)VWE0nY7xXmeY~vZ(#j0t{h(mrr{St-Q26DMwOI{RLjO>Emx6C zq6Uqs)=05mSG{OsF$d?G82W-GUyb7I+@me7RYaSUk#lBdNF_x%v&J|6j45)AN6fFT zX+Bbi(XwWVO7+fjcwzEKy|}hJnQn2D4eXurnNveYC*)KaHQ=f!AM(AB6aMwy@s1Nq z`c3icO3$t^>^&_p>f(DSn@4m0gFJ=qe(i|f-E;)!2mS;6UK+XZJxY)CRj=U0p<6af zb+|$Eiw&thXn}aL(;;K~zHb=??wB>_@Z$~ZlYFa&P2p(=#@`swTBqy6BZ07*gxfI~ ze@Fj`*)l?`x8e`@x8b4Bw0S#WY&w!h4I5l41sNzs8_q*$=M_R7xeUv~bBn@M_x-Zf z!2T(QSsbie_!{vSe1{k8!GkME6Z#}(OOEVLZv+I-!6>XQk@cegYFk1(MA7+#&MZXy z&SAseXnk!xNj#dpu|$IB#E}OPHv7>-p{mPwUzM*Ji>%~tB>jN0c8jo%ZX<4qQH+-q zgQF>mR0raIlmZ2utPz}ItOb8=QD55fMaf^DlzN8t5%kInO;7I)R4M?t*1k=T!wK>? z)0L#Vc@L+X4IgbsrYwa`o_Pg9uK}69h`!ZScI4DnA1YkA_MO)=ifOUF^EwJqS5};HzimGNWL|#A+=Zz#6c8@aH{6wO%>NMJzT1!e8fG+*!{ZdRivDUbe+#64Yo;jB;UUGPJ4DQz2vAg5*TPD51$!7uJaKw;u5 z$IC*k>6G-JuOQU5YmOK6P47SsW%i7K)v*_hq{k(bX^;_kH7_;G+=liOy~B@QtChNs zdOGy><(LB36WbS&aF2aO=(?(u0o8hRA#&`NBnRJZ%Mc`RICrfj&XRp(_$>U#AKsTj zsk#kCyMH}z=@IgwUXg$V#9rm3#^6%_B&|z=`)ny}3sSPV#n2jNH2>kuDqX5;tvPFc zU!^}DcI`Dwls;`6zFi*Xz&L_E?mXb{K9?P>XjWKrs_|w@dXm_8w4CG$d{V!4{DJc! 
zBH`?fy=LS;| zwXAM@4t;lHma|k&#anStx{S9KGf~(!W-M9qK6%dUO3k|U8;9v}g0)zoKIFkQ@1k3yd;VV}nw~_WJa~qjOE5?Be{7x%djm3j^pZ4vtCY*Z0AvvB; zi?3$-3cXLV!wBUCcpJ&Nf`&#-IsKZ2AqnJTv!PfV-z?`bjSL%&q;7B&UCFq8(CWfu z{QG+DPoZF)d>ERRhFHiXkJG<`TJY^hG;fud|q> zF-ybOk2+{K&`5xKqAArs?D<0_j`dSKl%yAbxX<;!;Ro$dZ#_H#z*M9{1>=J`tPaV>K8xYRIp zwe^<5(<C5g z{g`OhzG}HyY*ERSbj9d#SPaDXg7l;H9_5}ijk!>SI#v!mnkJ-ZS`;ApdKv%B15ac6 zr4htxpW9nz1Rkxo-$D=V`A(x5XxrrCqhgrEjPTEZ@?mx8qc)8r?`q#Cv6JOW~ANj zlYJdDz=Q`TyDI%;?0M?V__kNnK$MZbtJ*tPEAQaJPuf3*5L@LL2#5ZIOBNSE7wQF& zr5Wy_TksInd9uO0L{-f00?>Y_o!IcPOf|d7D}9;exW4|2g}oynkh@?Z$vuHCk#^o# zt3IBs=nQ>MeJ)hJ2((nvrO}538G1%_h`;gjwcP1)s%+up!QcV*Caz&h8Qs<6yNbl5 zLTohxdHATyM^q$twCCZWA^arRR0t-X&;mFNCIl=M|!aJ9A zZwv7d9>2wUdT1Go+1MAXS|p)uFmZ2|Z-@>5KyFX=AE2e&Xp)PUB%h2`UFhwLMSEFY z=(LzHj!jZI@+cv>%+~;ALB?Fe{d!7LdiR@h?>l<4APNwQ)?GcRiXc;(XN1bjQ^dU= zyW9RkuG3@2_WQ9{8cjx53I$J&MuUuoq%sSOnLo-h0mV;reLTtmsX@mCG+OPOveFC1*tR`U`=*)XbDOih646FthgIEums(ecQ=wQ6HVmh7Ki3wr=w6nTAmO`;3%A%n?DcAXg z*n=$6DY8_Tadp@fHDFlns=^GkN@pSG5l6V9S-{;BLhou(6-SyR7@L>>URgdG87Y6w zUEuf4b-y${{Ue@@QzKEV;@i^km^fB>*((sXbW@<+eBNkG&^a65p(0&S*wkzn>BDN` zdN<6oE-E1HLF`wXmBi-w!M-h;6Gs^czCf`jDF;6A;^Bd zvOqRA1EX^v;7=FG=QtlXInt;&ca6{Q&!ORN+~L$@_c7}9E$hE=jiZ<&{?p#Fb6$k? 
zM-IQ$28#tQ(7)OADF;ldHPz2w?SMSX_z&fV#lc7V543=S%<~$wppQO>9yEM&i0{&_ z-1395d78-t$7arohA{NsZqER-VNJ9 zD3e=ykVE;b^%z#Nj5ulT*9wcO#dE8<+7sd*+Jq(N_<^2kmWTKZ!eGF7$A+R1^6fBq zBa$uf?u9qYJY-FkeEF%bwE6V$Yuz6n{As3#r0-diCzj!Ku9D6m9u4i)d!Q|D`F9@4 zjRpMv1UeD@Bnwl4ZY{R{<()kaqiuV1A97s8Q{{?U;Rm}-Krmffv=K&)LAPC|xKZ;WAdrxeN(TKp>_$+5n6o6FouI$C<8Fwtk4DI@-cG$)^xLFcS?QSrh9ho(^a!{YKlT0R}tO^olf z>l~!#7wAU>_QgQ1@2n#ConIZ|{1MV}|f#tRmWx;SJ$^M@@VYh&_`)Wro?U+aMT z{#^<>jJ_lzu1^ZzifyY@vA598k z>8srW7i)r9PAl{T2~57TuddCq)o--Xvcx@P=s+7I_(Oz3e!Pla>n7sc@l}`F`4Le& z0;;V0Q4@+uu6NLt(vzrs4ob2ZW4~7%c?o=W!#{@fSTJ57=pR9yuqE!6Zxm#Pbh9eh zgw7b;SSqsa3`Ia-zrAS z2okaTp_&GFrVEmR+JXr|d$n5*Crh^Z&IprB2>w&2XAMo*M;yeqOfndy$2Da58@&{$>Y1mln3PGJy)WBvwO7q6kOS$Z>s9&Xz$f0D^A*xKl_!UQg5{y#E41FfrB1ZK?u6F!F8jnra+H>V{%d^!?hP zc;{%=&RwpG^eMSR;~!|^ZFBXuhqN+_$p@jyJ#l43L}F_=v=Cyvp1fwN&W9nN`|O^OXHPx*;8Xqis{ds!=la13Wt+Ij{ zY;KtefFF9&$kK28ZJ!(#hPIKoDLyh(ZhR|-{Zl@%yczjC&?sk?rpmLo`mB>R_RKv- zrs(7Ez7lG=rd}Ne%_&6?)9J^ZDQCgR?i3YDAXnjHECh6u&mMU*tyyBKRoU$@Bq8jg zEc^M`V;d=$p#lSSg9;}BHxrw>Bw2OtS~X@b0n0n?O*6j)T15Qcy zmUlg8GT*8MfC;kOO&_pa_eivyhq2YA%yAMs-D zbJN@=r;n7r-#T+08qOY)k8W|OT9?-%w-EO!a(y$S9FZPtDL21Jay?UtWK>{SffMiP zKgY6>#Mit?W~L;+$TFE-Gv~6KCQ}v@&|Gfs9owy*gjv~dT_9CUU6=$}SjonaVd8&5 zP9jI~Ylf6Z`lR%|r@#-vqIRjsp?9`AtHWj8>$gR4-1n=>JsUJwb%-MfL~OD0VU2eL z4LO27*&H?U^c#C>os9wmx#If6>!(G-+0P+IWs-_YrvKbJsbw-TCLdRz z0SEu8Ma3owIVnK+@vPWKCBpXcQ}}eP4YCqh^B07AO0ykZf$5CF@-7QA4=VPUC^+lg zotjaIm8N88-m#YBW$Zb9I6kjUJ(*3{7bSGjo`YrQR&~%Ol}D9+Zw^oIxF!Q;zvlO$ zgEJ?<%7&$?k`#XqfwT?LVX!tyGk4n!kEw>oP3t82oQqOD!tVVSLb5C$!=m-U^tD0UTS{0;kro@}ZpM zNjx%VPa%5GLjBmJ6;CQHn^up#%e7dQLrQESjn%=(7mVAQlnJWe~J_^@yW7l=KM) zoA8!_{dtw~xc{Z2t-@;ZlQ);k2VvxMn`>>eV5$J0XD%v1-Kga~gg(C{+7tv`lx&EF zJBdYnm6;K33I>5r^y9cvlpJa1<18!!!J&pIa!?m)$kt1kZtqce^DDvrce2xmv_>}j zQw-#=5{JW@c*L*jc*z{TuLpjzYT(y_s$;JFxR>08AwIxFAgT~8FdnkZ+)~>|c6i73 z$`HH2gNiWwT8f3%6pyfrcDZWIUio*}^Sq0LR2WIQP5m;7sQ@?Z9ejtiC+Gf$8E;Re zxfkvkOZYfQ_plnne3O%6wia=wJS0J`%+*HiyY`oxXU5#V5HKhFeKJwk-{Ku3yN}CU 
zdRr@&RJYCTg{%$%Pgr>GA0=gXXls9Dpftv^QOgHvBMn8F#f;bwb8mtV3Us}exV^VR z5*lwtCgC|0oP&Ce`W#))*XYZ!+_hPJ(*062g|XhmtQe^97Z-5__ypWmG@2Pb9u-TS z!11G<`XjRbf-tD712%W?^E6$nw==ar^N`rFibRq<-cfLTM}9VFGdxhAdQz9LQAyF5 z)D51cA#M*#+gHZ$IOoJ{S;aeudf5G8=~MyhpU@ksI%zZZlHPtaO0m=_tL^Hm@2x>G zohsD9!sCnOF7DowB~m^D0j_S=s!yZ59Tqf~zc+J+yuo>jg4gbi_j;8+zzlUrbQ|tQ7tp#J^o2 zozEed!P%%5#7C+R)=$Z7e&;K=-+W|jJV-17+O2hTkDKgFQE3yzSHasP#BZf3ld?jS z5|kw`;6gdC&xWhSLAIQ8)#-gVDL5F{c3KFKUy>MGK9ezXM^#+D_`B=Goziuf zJCU|8XN#&n+sDXl*L=q2YIzP80+w9UIdTcf;5yluB-+e>FPi|uDe;e0^ic?lr(Nnhh71K zzWz+^!$R=Ev7+Uvi4*nbeN*S$8Gqe+@2GyIB5!>yUoZ7mki&9i1w*sR(c+)*j`W#q zI!gmZ)L(g?9Ur591!Zrj4k1d+5cRg&0(|)S9^Ve?I1cG+>XBI1gM_#)<6+c*IaPyT z!Y2El!*`$i>?%Iz&B-R=6dc-iONDfGMirbR>_7gRdfcbd;dS!HJpITlKkXful2W<1 zjfrDT%F#IcO@?JtCtoFdd+&{;#8Eak$d+C(E3u~&eGC-HCAec$ z!&yAPzwSLyo%gewDE8*A$JschUrcZRiT|uq{Zva#XoP_}577agfaW7*(~c97F$O`- zigoCQ#m?@Al@xh%+xHPcg!0(SWE-Pfyn#k_HM|m6A6#ns7I%F^`9k?0gS}o7d@Yw~ ze}jl@M<-hF#y=UY`uUR_bh{?ZP}=RTlkRs2%k$>n+exjVh%A3~0qV`K!%<&c39e4g zN0eEMcPLSz$;ivvweUpGPssvR&n_4})Vy%|Oj3TbDQ$`9PUW$ZRx`BECr1;qvaJXg zHf+Ko-5z)|rTl-`Um2JJ}bIn$D+_F1$^X zQI|~o*evy0&}T063XCjtJ*6&<^I^@g z>r2&{`Spo&sUce`nO3{dS5Zyz^Gh8i>Q_;QV|3t(opf+5{azs;fY`mfe!uPsO%m7= zb`X1$Qf@zL)QDluoEbrz53SCM0|Fohg*Sj&X^OS>?UxIRIMY>$K(U2J?SmjX@R zfuDjOIz#CZ$T9FaT3`T5vGLdN!%I&1*3j`caTg&M%XTxdg|_M#-!MXbA~>*|`4|pc zb{aj!K&=eHe`SAb!BNu$;Zs=mEVFj;s<2H*97-84{0;${uoexVsJWFx?=%DpvVHlt zi}f4er2pt&k)^}%&t&-je*ub6rN14RTiMi8FuK0XTrDjc)Q2}aG~iw+}-QoHx7+-&ON`};$RbdLebs#XdKmQWLK4D|Db+!*DO}LT;^QBQl632 zmd@F!AMIN@=Zgn5-~*e~Qb!1e%_939V*G1E;YTJ>0@KbuM&M5eO$08Q%sM z9Yln+t{{k7iO-PiLPNSmPnz0fn4V_Q5voN`o+iITt8!C1z(=-~+%}7j#WOdWPcU5TZhxB8miw$LHz^?U~@MxMkd~Pd=x;jwHCBo?6a3IUqt(PqDYH z9=+sd9VgF%ki3)j^{b!{L|K7hXOqgsv3egF13xJ>ck~xF^SxRlv4X{(rK^OG`f*Et ze)oNj6{(@iC{UjHOEhxi1hXLH>6c%SI2<#I;SG2>(rDXFZs4xXEPgzNx_tA&;7i(KhN`jc|Xsqe8x1_xUSKG(dzq z^#8-F5c+GltBcSQotc~1VuW(EhPOZFrVo@b9GQ395)CnjTD9Qunwx=s&3N^J`6fX8 z%SMo&fI3r*2cRDvv2o}H3~a{_0a(0c;0ffFIy0^y$g&#LY?CfHg{_tzbCYI9{`=n^ 
zku+%jZnz`AKq~llp<(F0pH%RWLl-%d8j%u$JV${#h_U=JRwF0<;{otZ4 zgAsVZ<+O?=&}k~~30Jhy=|aucl7f@NVz(|OLyHbCo3GuS^f#k3+fxMA1CGhC{PVb*Xpo@sM5;ra7X;Lw`WeTOrVAf!9?cnt zRolF{aQ)(l6vpJ{9tRV+v;bY#RbwdUwXP(PnB-4c>ip zyzV7BXa^8)!$OZD+i@Y6!*S8NXV!))OahpSpRfB=VW*XrF+WYkP&eKXgEdtd4nf20 z_!ZK4))ICG+Qqf%&Ad3|zNzZ#vyAL_kP6Wu+QKYp+@t7aHedAqLJj}{Qz>qjy9)@S zHh-+gJ;c`jh1|(D&V2h*(?u#JMvEIrrvH{P1%{AnQ{V}PqE`W*V7X^Qlk&(0)d%B| zA*l_-xMst~OUL`otKw?~hWP#)!S?9QD2#s(A8}c+XYz51 z<+^FJeB;Krr~S9bm-#i@!{%`>P#pdUD_SW0310XL<*FOs>L)kSywck|X8MnzJ|D)b z2?iYVk~M#()v=|h=jb*Wx;)u-5x=SZtjXMy?UkOVcMw}--p_sTiUWH!wJA# z?j=Wo_At{A+Uv53){MbdRs?wLMvDH1AH=$kwQg|R#$>Lur>xTq;|l7>rL}J})0nrb@mA{r~0)6LieZV;~lg0Cpt>pCcAh8vV}p0&p7|f@hkq zOn^7gP5$Q_(0_kFQGjG4A^v(hGu0E7JK&7{ZhYl_c`j+^gR8$i$0er9JvX3u!z z)5I?Rx_gRI8{$oxIJ;*J?grZVmJ>*pL=((p2z{X8MCpmVr9pnnTkc+Vt%)sj|3YAC zx8EuxruRjQ&n6h?uI6&|VI~<&;qE38F0eUky9MPRma}%v0Q$;u9Qc-c%Ftqt5cJTo z-9aiho^En+(T^4mZt}3v`fmhT0eC5Q<{T)m;*MDEKv(~?Q3hX$fxk7>+&{>SjLmK3=MYd?sT-U3^p>l#9GhdwKgz#C4;O*=XauVnbV^j!NpKGN^l^!g85Qf`@fKw z9LWCQBxZ?s_Q8N}T7t{504BSg?}y(?d2Y|Lyq2*e#pk=ve9bsCB;dd&9OMw4UYC_3 zp$;xfioz&&rA;T}fD9G?-LvUM4@8NbVlAV<@TSdnW|z*qP0=wf=_jVOp(K9HSX=qv zb~eX4+b6zVc&gg7b%@230?nS&^oSq}q)ZUKcPl9is4Z+;WKSiM| za!|QgmJI68Oz5hurRuW$P&EBm7k}=-FWT^VW7!3Lept6L#+ABGduIT5#)L18bZ5i< zg^ax7VK~YJ=?RQYk{XFC^sas^O-}7lg6L}=Ntg)z6}y;hJ0fWEp8o;?XN6m+1v;Q8 zk$)kR^*;YX3Jh=(C{A?W1EL=-vIi~ar!I|-oEuAGA znng@3|33HJX-3^=3;iXC3jYCL$Oxokm)v#TjXQEkx(%e`1?e)WN0{7TI zG-=UUV(7JtGL(ju-O4g3o%ue+2nnwyPDG&{lw;EFSgzWfOSRZ5R+^M*s<7@nQ(x_C zAFd)-{LjKu&e3QHh}3Y9TA5M+M%Dt0#$)Mtn`R>7fB<618+mL3t8GjyX`Meiq{c!q zbMRDnE{_OlXc-o=)7=Rpn}3Iiq8AcDNH<9l8dqC5+T01-Y$ggxli^v9n2<*k5=-~tEYZIzvGDd zIfu&G3gG+$+Cgros0XxCP?s#zCDD^@egN=pK8`0Ep`#i&Kr>)ELQ%O>!^Hs_t-4w@ z`7|N?ns)-}jLgfrSdPF0#0(>y`90-2Iq%>lNh6ld@ABYiC6an85V4rHd5&d9H5XxY zzgL?x!N3c2cO0YlurWEOkQPLfo`$pzgz#tPQWu37ubSb2@{-FD5MBOD&}{huP__Zm zEp$UnR;TGVd{2m8-lX#{M4U~7-n0N>)Xlb6V?&eBe@m-NXfRyqoy6L6$?=7E9{!kb zx{aQ;W7sx?h|9bNQ98@pT`sfa#@+cf1!|w9y$I$ilozq67dXdb`ggM4L*DKda(dZx 
zF^Ir+`+n>d;eeYaD#n-;y)6J%{Z&gpbxN3i`t8Zz+BYtOQ`}%QH5@x)GBeYC@JC(9 zB>eizE#Sm8x}q1LFL+O8#M6;lva3`U6aq|C|33i+qW>FvWQz_%nvf%jc@NR2scIy? zyv5SnH)1*bK7JqHRlPN4dqu&%h(S#bNW2H4XI@NA&!eTU7K{WY_?F+falqR-q$diEZZap>iui~A=|Y_!E%S-9znlEM zv85@YUwh{<+xN|W5r)1pQ2)|$b=ApktxJoAkyOtzmw8^+@2W9wQ)eq#cMdnMyXy6& zt-v?EZLR?G2UBx|vvAekCTObX`q+d#KN?51VCGz?+*yufc95nIGMw=YBgpC%W zwwxn}m*M@x?q^0c;NE^r77bCj4cX)E8qyQGY=ABPEmWG__`%xPp~z*o$H&c^ktbDf z@iD14R+IHJ1GJoX8fido1PWaHw2#H4Yh6Nx(aH*T&WeR&N;b=csCdHbM@bCYgr>D< z$UJc(THA18&UK~}#WPw~6?eC)}Oo%fOQzLdqAdP5mm`~CM3A^j>V~q zrEL~(O`s|q=_~8D;--3BgQ~R`jXatoYQNR`Io6Bqlij8h37$4|v^#eCXDlqH1$468^6}LB$a;N95IPDlJ8h?- z-Km%-1TZQ*JEr*axQ$lURi_8gA_*V=%*L<3j076X`y4eTbIkq$VkP@d+~Do%Wgw$xyoeC=$F?5j2jau_gXV=KvHw#&uf{-g2+U~Q3ICXQMzYyx>|I{u|71{Ra5B}+}pysMEg5Mf|E&Ciy%Sf z!7da-YS0&AP3A(3GK?IG*BknF>q((LTF%N!;NtS3v%vAG>JWjPSlr~G9#D~zw7_Z~^^hNmSKG0TrrHuPBI{|oQl$72zt3xF&uoGkrz~BvFeMkH z>%Yn}z9(X1w2c=Kr>FcY+m5onV?M8bcc^NqOz6^PzgPU!XW8h1M0|HOGMFUMgX7sB zA)sGR(?EZE-=0ek;UhRrK+C}!GAEP6H{_!}ghjk zwr;|Vnuk>vhE`4P#qkpiD%{W9Ni_7)n7;0M;u!XABgD5083Td`-)S<90XhX(_X8M= zOnEf6@yCO&(&mOZbXx6<;j)c2E}hRmhoAhymJNL6z)D$5`X@m6%@~S z>@ugt=pASt(vaLtx<;V=->XPz@ZjlaXZ7HI0joPx}>& zq1;{FLJh9C?`k*y+?*@-j<4hWb)lDZxsRL2NBpn8i67I8j{x#~-=F_rmR3v`aY=Lr zT&kGQT~Cg^ikJ=<=ronxh>>2%TYYE)ril%hg50S_*W(J?5{X`&$d+jz&vZ1XI9ob(4tTnsy~1wyG_}S8}L3IET;BdB|CuS<`NbHsQI(~yj@o{-Tzn(T->2GCopIKfV)%V;G zxpN{|;Bnx@k^}F}2aHEaVF!n}ojW<)WXIdk?-P6rIYqn2LDz$AHyDUmDM!GG(s-c$ zZN4*-Y;a50XOd&>J`NE>D-@F=wk~0(6@iXOZwd*~GdP30US}lLGJ#%{9sR+HaB@Ts z+1vj}HT}Zz$LkhK?CG%S;1t7z|4Mhmb|;K$-aoJNVnD6=Uu1(2M?Nn_)xRg9 z{{`0kKl?BAzcCg5Par zA0fyl)qx_3{D(M@w9kYSF7fH067Wry~}pZKd^81es+Jw}XUMaBgsRmuZeJBM;S| z57X|}#Q(bY55uo)!7p01mXO1U=sy78gZkd0M*J0?=XS@4{nOEsLF#y_vBbbzp7XtO zCm`DI7R=rAQQhEuJ}kVAE%hU+tD=4^0R?`E!RbB1vhb_Uj6XlgR}d#cnoL0H$F1>- zs^yAMPBM%;cxMo*F8BSL|9!E-Lz3-73smRyP)+O_UB0riF~O77cR(d|kA1isFbMTv z>_axoB$EYbye@CI8k>w} zk&svobtLOA?y+o#ry3+9C_q%T%BJ?@Tu`=}?mPyEPJ4@`i$kf3kRPIW2v zzieENoc1>OxL~*p#S7tPXD7QieAKoYplxvGHFRayN|$j|SvMBJ+y6-+TKwC^^fY;( 
za_&87Nd#vG^aEmTtQwqSz1HsNs2d^Y7V?c?0P$j>_Fyb2*u{fPbP2u3FT*AcAvHGl z&9A(J^``aQH0cYlV1rPXKD7KG)^1oWDVm$a?{+o})WoPp3s@;gZ(SdBIRr zCTq@Z+L$gj>+U`vu>)DLk>KpLovoANnNrAl$>*P@Yz&wOMJ5V?X9@y@T%=`7W&yd@ z+}hHu&hnx4)1)gxTc-@SArdmfAu51k=iQyHMO+5z_AgFu&iCAMviMf9@!Vc-g(WQK z%|yz?I=l_`3g{o`3b@imMwK=TbF4YEmH9SbSGIm)e9D**NNBN7K9D1Am^MXP4!_n{ zK#w1+P~I?*3V3x!+1$L`n`8nZnoZ1bXX675s`xkC4BQzjEKyX-4|3wQ2aR47n zHTg)kY=5{|H@afw|1(XCH|PDcW1iNqE?7ihZ9A4zCSo6;oC||q)Nvph9Va9ib|Kzf zkbq|1bv&ysvp=3tg^_;A^!(vfigZi8dqN5N#bZ9-1I9Id(0rg?cu+w~Um$tpNKMmz zBO^dJ=Or`qeM%*V*ehKno&tXt0xSPO>!Mm zK)B<17j1c3PWaC(8cTIoiueUS`^=|BvHQmgqyJd%DFO>E&*c#O&|nKC+iiEFq(`XA zPZXZdx?T*p(5K{ku1)h2(-P+9ewNe0b8<`}c>u{>&?Z*u^D}?vk=2%!v*}Sl(hVNv zk>U+Dh(8*&h3YR=7L1rf_Xej zE~0VhZ2ZKnxUV|R+cBQU2qNm7}CK;=SgB%I1=l+HG z-{=9TIiTDwg;XG!w>Mjg%5<(XxTSylVvLY^EApE8QEd2=-rst;9G5;sSKB-P`BQUn zApz?tcRhda_@u1NOa|l+$4flpc8k&)zd1j@;q4*S;SX!Sm8{=JAnSH_wpjXP&Rh`@ znP`}$O4CvlJE!lE-joJ&ec9C=&*vAUU*J!k7;fHP{L_|m+FxU#yLv$YTZ*gp32!*N zrb3X?kd+X;#MaK<-l9R8*eG3sF_6tnNxlW2R{!uFc_}0ra=iTo3|W@EUXC>b*@Rz^ z3ydFKq!nK!aDJsO=pV89R`gxH(sntMwQNL-I6ePNql)PENfD1 ze-#C#VYGb+)|YjRJN&KVQpw>6x_L z9xk#k!#mzb5u+Ma56O(Hv1}^Ml`aHDh7BanD!4ujy&mNE*jF;>2efa`{K_JR#cf_? 
zT>J-8!%1orNcGy^4)Jr82{)b1mR~nkp6s_UzVwqM6QjDRv}U@~dR8T_r{*9@A?HH| z1oVuKpak^B(h@czRmSp7M~RF4w>00kwDCZ}(>o0NOc*m8{*RM=#cS#f&;H@vT8TgI z_*=-}6!Sq}?x}m`BN>Amc_iiA<1aRaIyR1yZQm!BotdvW=w-hs-w+$bkQ8)kFOPEC zKXOCNnWX=|c_v3@1H0_8w~PF?gzpC$^@|zu(;L7WIGUfXQct{h*}|$sMVpfL%<`;; z9NpvmHFiBnZFSHj?X~u`1I{xf{laO|H@E{@8NNUAZSe2b&pKos8INQGmPXm)nH?yp zkZV4Cf)=-b11p>LJU_F;_{fajzcbJ39A4LhBmT%u$>x>@_e6bxpGQe15QaV(2zwPn zoPKb1KE2E4OzKxnz^rmpR0_C2Nndaa5!kc-b)y2 znan$1i5QEsnsO}*Uqpf1Y?gCbPpb__PEU(m1u?7OC!YrY^01(XUx34y@o}ju;x*@W z$fYKr^TMWv54Vv5Z8SG)|Bs0a@xRXH&Mo%||9t8JA%49_iH7WclEr$GY+Es${udYL zB0F__>E8u>cx%pEAVJ?o(W`OnhJ2OEM~nI;CZAmPm_8E)QttwwxNH8ZS2cyjW*bF?w~dsZjLvY1C7@ zV{A=j0F$zNbk6Ud=);$XKNy{{ADgaF=C^O13gJrswuJ2n%+TDxXBuA zGf$9cIJX29enT|S3T1#LYTINL+OAD}S#5A=N;5ZSmxva4)7Yp1foMvHoHMm`B7+eC z$+z$$xMxv5jn-TiJn*Sb>E#iftg!CfqlGU;9soKq2&Qea6OmwmrVN6V5*DUh@4X$h8;1Sl!NHC4Z zQ+Uc~^N4NFM#O9nw)uIB$dHn@aoOZ=zWBre^kqGav~P)Ks|>K(yq~!MaPbUjizYLQ z=qe^F-J#t>L44zgAHe=4?(Z3HtP)E)Z~%%@ylNwn`b+lN<^$(}%2#$><$ZFq=B5P9 z6yOH%5&yPouxi2T4^_#QemAId8zqwt7cy4Sc8Eh!H9Q4cNRQ3sc%$u|Z}l+`1Vy znPDq{>TXf_p;}xG=UA&bTGA_+p1tZ`;J_&3Xg&6NuXg}~^w!tCF@H|z+`W?ba$o($ z<4?kG?rlfpK&dXIyZZ~oxr)*%CgyDqW@G=p&AMY2&2PBZ0VZ@!esi1_v+YaEP!?R> zELxHtok_&>d{_KioDaY`>AZmHN<*cnyy3lW~RN|$-^s}hv7l&krXMU(HQkwaKR(B=D6@z zA0>*u3HQH?|9Fxp+EYK>vd6G9#(Pi;;>|9HZ?)lB8cJ-!y*em;w00_+(RDDs_m>e* z@{I4$mi&@@zgFqxEjO0m*({j>Lg(xfcwfA@y z;C3L8`hcP&GJ7G~j1zKv+Q{SGgw-N!N`p`st-yV^F@EBD^c_J7oUcW%4s#r5G)s2+ zcTUIEM%t$^#juvYUAeFQOP@9Ro$p-YEKp)PGh}N`?my5W)r5W2EnUnqnCUd_j4+6n zJb(ME<~LW1G4f^;_l(+3O;*9|nox5~EZkeCtKEvAXVBv~v&)_bErkSOTJbM6Z26oT zM)!p~K006aK3-Q3K_tHJyU~x#ec6AZ_ffni)_xSlOaDr=oO@_NZZ{kik2}z8xGSa) zW%Nr~7D=3(_%Y8zzCeJnP&vkQg{<&1N+rcC@8-^Up45OSKk}gDiOLhUU&AW4W9VZ3 zcXzuQvWp96tt_75MRc9g{l1vSeTAB>>+x=)oq*(E7>-yAuQk16G2nN=QIUjxv5|?y zYqZR+I0cf>$9|_~OOoQ_a&6PBg0CJ32mIs2&Sd~uNO+DuwI75C*VW2g*hOB)Sl|CK zevbLeuESjQQ#pg#XFqozLECK)&$WP~>z9IBdW060rDlgV6HdOM;9iJ*Aq5v*jPGhl5FN@Yq(^4ei>=Y z#s6G51!@1#GV%ooiWF4DBe=;Ww}(9(UT 
zx9um)SwD50tC6oi8yj?TD3oF2g#0=fwIb*@(64j>>*h$(d?g%$ilUy3pIOAWVoxKj z{J%|C|IRj(Sjb7F*7fLI@tqC!wmt4PFFnz8tHh*q-LKNx=8>jvlA+|!0}&$h@nv&7 ziX|Q-$6m|$ltS!VA2%ja`Vs|S_XaL8$Dq4^`27kL8Vam5%nlq#w|cs483B426DJjX zRoI!+F4exit7#$p(YqvjhuQo+0uJs|s<{_u_s1ByRh50?b|5uYKe(B~<)XnHKtOPQ z|EQ%J&Ek_1f4U*n4?wdj@?qUA>ZF!B>*U&eONEz$K)-W_wU;KD&~r3LS# z&Y!#Mwm$UnoSmCg0Ew_R2eY(N;1Le}jo;+-{1?KU226f2f;Mu(6QC+2{|x?kVwXp( zwTAh~JQCG|-Z9Ulx0%}>iQM17^T2=pXi^4n#UpciwAvE998XR81=iO633?w>EHX}xEq`{+J*u?}r5v6`njcLA5A6?)o42xaKmR~|lbI^^I zqtWYRFqfCNz3&gF|5Iu9S1S@c&%8veH&Rf=hc~2X+7v7Z(i; zfx6O|Xjx5$KBVMDjn`D@l2JD8b4bp zu|!-4{(vLxUxZ?}|NB4k8?{gvHPT008JA}Fhn@*axLdQ;b+$^}>$5fmcTdb#|Q^5xD%3%QDg)d|i zdOP4@U*6A|k)hxG3_oBE1Hfa~9dt-*Z8wa0fjjOdch5(+arm>GL%A;i6{EsIV=iL+ z9Sk)br(U7RPp+a_K28-Ic`${ZWAf5sX3o%=67UuAG8DiL2HSRs!HK~W(`s27_l7@4 zRY<3vvpbCRNru3R)XEoNF*dqn`-?d&u8K@tUjQe`RIw>?H1CD(df2w@U4Q$7(NV{2 zd1Ya;?|4wa4I{^L-`G#t%sU0Uj6rezda$$pg#><}BkoijUE^7Xd1=c~pz&Tpyyy!g8i5?v!L~ z`SqJ$3m%?d!U^VbL~f&4sa~TVKXEwXR;j1=MgAlUT_;B!BdLm8!S9Ld9W9q8T27EL zZ8%=l_59TDf-UV6c`6l>4kK(yC<6hpG13H8wYGcvND!>1)*v)p&D4Zqh;(g;Ft%ti zzStwDa+#KmPk9o0DMm+@QETC@Dq5iFd|aCq6;|{B_@jZe9gMoj*gwPKaO zYb!qYe5OGzxt(E6bMI`+H8RhpOt&)YjTME7Lz&SO*L}ncjDGW-?Eyz5uy_o0g>$3M zy76gTb}S`WKREbKx;l8g>t{vh!s!mVZ-#f+P+_yqC~?5aY|eAZIra4HYN=vuF;l3f zv_5nYsB#* zU$cRcR>C~Gx=RYzGPFtR4_xe0j|uphi!<(@$RgljWNgp5$J+OiN3SxTNuQK{!=ceH zStA;9{JV)+^0uv=zxlyXeRF-}Z4y4xJ-?>TA=+ZY`i)$9o3tQupkovPi}T8y^Sm)^AsphFy$3phvQjr3E{Xr-oE!$zyF54x z7Ar|hM(X=W?x^;kD2Nj5^Nd|$dq=X(-gP}H?Yza-wcMFlJ8zis)?}1BngZCPw$uz| zaLinfD5MUc{C+@x|JgtXst&%Q%a3MUIA4XUd)IxN@zA$i{ja5S&ox^)^58)XxsO$UK6jj!F*M8u#tQ7Wmm8UMGoD^O~TQTHt1C@^OdM|J+Xaa#>72x z4+-7TfR0x#tA0&jbqK1rbW$IWktCe`ZZtXAwnB~z#BBPIc~tF@t*14^Rq0PO zPG6sS5EOOiCd-oGeS0EN4RBmP)EES(!U;D#P5LI4n9DJ$JQdS@w1p*x-4DLGi1m1(>1Y+8 z#O%F%_+&_6Me-a}WCbc(vb)}G%Z)@V%^B@0bGcT2@2W`1dlPzQ(oiVt6ZBV5vaJiM z55HqXeFFAb+rNsDfA`r{<&BB5H8D-H4gtYNj`nMb?s^(}QFHfXv~&8a74j7u-Ri@- zHPb1M`;xGB+!dgDjydFPa;NX1kEAWB)VhBmm?$(Jv7&c+yapubGXq-m7J%ydF<#+j 
z1>T+T3)~jl=jh*Vday!tRT?+|a#GL#s4B5#>0$ND$bW`=mgv_cmmAy#S28K?J-`lH z<-~v{#@4)JJ;??uo@F5!J8!&PQP*ajS+fu}B7pr2NGrDFePSUc30%(h7zpaxjm5>r zL1wD(I1>HdW#tZu?}L=prLk+859#;rA4qOVOt;uhpm?akB=ut5$}(r6=H=xMz5pp< zj824Ah!*?U0e@Swtz|Rqtp{$AHS7KO-sIL@ZlRLP{lXqF`D5(nmwJD-=%A;KmtsAJ z`Uoy#Z&Do84*=0HRQnU;X#2o}xYFtTg3YfL&b8OrTjf&PT19z23w@j7KO(unu*)#H zhkg0%1px74Umr9$&V87$h!)p5b{j&IZw9g^DdbsyF_}yN*4_lzsj+~TuwcJp^3p$} z%0E?RAGxOP-24f#n0Am{conYF>eggL}hfD!>4nfA$bpjYq zT?<6hg0F#+A{s)IqLrYe$&GD+d~r^TZnzCn>1UjC_L-QFBA#$V`e{Ee1CC}C%HOO< zOq%#7dIPENQv4{UXv;o8sOcT46F#7Kjd<~i!ZNmZ(!b^ade$5>27&k9Xh7z_`pu1?>yhQBzc<1^)S%TixJptWn;)@|8CM?r`q{;Iihq9kk+sAL%=ULAqZ{o%u zs8f`3KHf;Wq5C^E;Ply?PbE3+A=>=imwkFV;L$=UsTc{#j1!**oFsx5&Lkrhf^S2l zTl#4QRWtA?(6!Ja`RVHoI3_kx0^|{X;Xd}WU6)ukQ?W@XE!T24IDeB_5W|C5S1!HJ z>2mF?`U!?mE${68efY-vvPtqpYqk_w6R3RxW#5-3iU(HZ6?gJ#)6TJT{K*c{H708< zq>{r(Fn!|4`ydMsritv(agKT8tj-HQCO$UrLD z=*sb2?Qj>~3`5xFaRJ!2&{~T&;9OVuYtidn&_^bB=-qxpwq*0J7NOY|-`~sEzYC_` zdm%FcS#Sacv=JZ$8+PV!QcZ)3*7z%hdEbtIAJyc%b`mao>e8$MvyKr}ejaY0e^Zi<@u03P91KL({XqI&HzE08zgyBy+v4fnxcbAUM(;+E zrDsh*nUo>fV(gbewAFf~fq;X{!%&?zwFB73El_HFYy_1*7{?B!knRVUP`J^(s{mOr zsRQ40fCM0Vlw)+Y0l-+znu}tVDyrVTcH>M{jXjUnodv#ADBnK-oG^;E9~5x|w1sz% z{I9MZxa?6HHDw+;c&&>hETup%^NRg9WYpiOlXX5wc$N&ctip>rrr9PHwh>s2k`*kmqxb>uMN2S6U*@f2u4&a4|%(vU>^pg0*{~ z9JdEd>kAKTlF+YxRk{d@oY$j0PDp=KdEJqmoJ4w;V|ge;7qVLNqp|Ly7j$s{LWDjK zI01g_Ag7D@Wu>XJ3*&i9(LCVt3Vdbo%fFfW;Y5OOD?QJulSQVhwQ4K z$Y0Qj?8g){HV2_M3qDWJQ?Cv0#rSeaXMU8;VdBE5#xI(*43zGaX4>ID z1|om5@Lu!`;Y4Nr*RQ2P1^k#x{n}jbr*#g>FYWOz0Bvu#W+(w0{TU(QJXLL+`DSij zKJB8x)b<-sJyCE>m?2%XCZaoU$?Nmq?aOyFH=TMkUCAxB`n@xOG2wIU6-h4x!@yzM zXKk3nB0Spg&hVWMzG{!!4gQc?t+!9*ZhJCx?(9?UZ|86bPbk@$$-Si|A)@T#Od>h0C*Fddt!Hez}}+I3pH#j@;>oHT4!Y* z7)FePW8o$7Fn%U8_+kM{1N~!AgU&efFNE|7vXjHJYOhaHD#@4Iw9@KZyfSer{wh8F zvk

g)k+QFH@5%eDlv8VuA7Q`JjuJIIoUBn^b}G+J$*$su`FxSUIAmvcsSm!l6FlLkH?_(*X{|BX@A zL*DnSek@tm5r-MT(&VG;5{`HR0nsf30E!vIPp_kQxSN4TX$Mdj>$PENY4i(7#f~gN z(qnYAs`J$~jK_gjnvXqghW!eMKl#ukQ3~6bs?sRxB4Dt^!o>y(%B66k`ls-U$HWLA zuT}8K46jH9+7H@W8KABG7I63{lYl-;7V7r@wGiWd&8z>#b9}r^hL1?fS1~uHY)mHA zJpfUR#6H1RzB6|B@VlC5&?;aabjfV$sW<`PQOBNbmbWsq?-g=k zKA?|y5ol79dM9=&`3|v!L*^0b(F!8v_q>g61r(NuV%|kf`QoJ$7CD6Hz?}0^@o7a< zHLnJxea=dV6};pq@hPDHz;f;ZFe&~d@ztDWtsp4Pb1b~(|vuxoTT3BY%3(}VZ_7ui7|r}XWwW1 zZ91AEn*gs0Fm~F^{0AiN^aeOzS{9CFHK;^P9oE%7a{den6V{^Suw-q+rWbI@!DUQj zD)y@L=~qmEdhk6Bpz|-68v!;&F<vn+KS0+x7>_SsQU5O|veq=NX~@aa4n5m%*k2 zdfJ4EPTj?-2|VzgLi0>zJm=NMnHA0Mo5ZtUfvBZ+s^f&$$T{kLl4$McS*f|WxeddU zUo*?Y9@*P7>VR$NGffUX^Jz?mFoT(U)uP|xTsqy+n$&B0mPw8`M^ zw$p$;Pp|W?JFAg9+eTefEfj*ctA9;2zE*x8TXTA^UvYPrzhWi< zz}8;w1R;I`N0A;;uNF9HJv;qPF{g$xF6Td0PfKqrvEExqTUnk{dHnjQ%DMW(Qt!fJH$B zovtxHsQ(Jxjy{GSOqhyZ|Nbdnu%jaA`Jt8HMPZ!)Ft@rP4TmR z3b_W^V<0I6M{F$YIHtSP0)V|K*8;00w^?R~R}Z}mbr=Mn>MChJo;B&l*sJ@6l*SsY z#YX_IcEaT9{kj@*j_Rjwxw*+Zm8*?6*&zkZig933$Q2--S-ND2V$_gRX{bIGQUBmB zE5pNveN4QT5?&kDX|bOcS>vZw(kx*5WW+8$o5I|)$V(t&R`vA zC!PhBBD?2xAkUaSoeskKKT!7LsE&aL{E3Ng-`hRZ)Nw*O{4rK#R&a zeInn%>mO9Ue4ua^X~$)WHqLW)ZeNKCKCVKyL_ov*wE_Ewgeg?_P8%kdT!;L72ouL_m3C)A8${U(2Y=Gzy?w~LQnc;wcT5W zxI^OW;W&q|kQ%U_vbN?6ciycXf89UKW=ZD2xB$gZ^%Bk3rpZW-#oS2+Che1r@O$J0 z$}$h3Ix}Kv<*4Oq8$el?iKfT!?kR;)%_)2|wBc!Ux98`YWMpV3HZ4r_DV3?1RICe} z$653WIUfk2b3M?$*|X`E=oq7EBo69&$8ov|I<-w0g0jYqgloaL=a9Z8o)T_C)AM>l z=Ar18co1vb6i_Ort-XZZ`+2xhNW>mklN^T950deDV>usNaCOml#aF+Cd8CMTHo&6* z#tLl-9^sFE6D(YRkXl=m;fAB!eJlS^UxHE2?#0c-5Y17h0y@yy@7$mwfChCNyBDuP z-3GQ(r)^+6CDwOr^ZphU`?**-u2|5F2=G&Pe`n|#nfH`)@Pr1gy9Q+Td$n^WGFY8H zJe?M@{mJl)^Y;v7%&RV^Z3X!6GgEsOR08G;%3cBSp~7(HQL} z*-jPqQdF45&vU-eb zrMi(fmom^Sn9hZ;mo)UPNLgb~{)<)OyOm52&QiMfF^PL|cY=f-)%+|&O-$bfHbHhE z3==bRpC5T>_=;T!b`8?tdX%yBYfsQA-b-%dlb^{#`?stQv!{YqG32yG^-ZQ6mo$j% z#Oaulse&_(JHKwWyWfBJ_+8fRKr|_%3(BG;C;bsYoO$AA@j!UqXyyELdt7S>I1Ci@ zkzx$McQHh~wa^1%P^W&ueD9h{jril;8v{H34v1yIH_sI~Rj_-U_5Xm{9WYPH0VGO$ 
zurl#EoSlBPllfK*k8gZ_uJ?^FM~U~|B0cg8r?8HWs7)SHW&FtXot9r(-n|}8ArN0u zL?4j3W1}%zK-`XWzmVSRW9n_d%l>Hj6_7GJWuyCrDnRmydJY}qneEL9-WAB!L_Lfq zVPlR*+Jh83*cL~^z6TZ1wsKM}H^b^B{rZ*b&Tfn{<55oAF(rVfiaR7v)L7#F4c=)P zsWVXd5MQ~4=@2bhynsSs()`oMcpp8cB8O|L2kL*!0KLiz1~~D7+9wBBOio@p{L@2d zZq$N#fL#|LVWRy#6bi^dUMSYc#13ru5H-}m&Yq1p4#I_k2YUVRRMUfU=n zqTZ@vg%JmBBBNq1TQBk+_n$0vg2lRVDXGGo_L2z!o)r zO44V3(T?`RhV4IrZY?rB!E!h)MENW^rrS)xJHTtoQR@_A$QMo7cn}5vwzOc`NL_qN zK`q{L@{hb-ZKGbg)h6pknD7a|Y-Vgt8Z~u<2Zif~9*b)nx=%^;rCP+b6%*aNXB;cX z@#&Tqm#>@7=ULrUq5V2)-)Gx^U#EKGyb`#mW~9@NIo49Y!p6T}Rq4wtKY1}PHpD+v zZn#Fo-Gn$_>wsBP{@{M~XbjIMlF62w7}liC*K_)_N6 zM5`j15Ci^fc7LRF-N(%>3FrLS6t9<$-^XXa=~vY*$U!}&JH!o5e53u&vxlZ9!arN2 z#b6!Ku@~I~4XX{tEw>HDYioKED9&fxi_2XgXX!(u=z3#w$1EZaE4OmIJ4 zounUI!xo@Ny1V0g-rqN=!WcT#;mFaX+_%ko*>4S=6|7WOQ%&+|bSfnLsc<#(=%_DD zO{%a8c*;zX>&1%F!DPlxGYE)$!L7F7K|)bcXYsS}mzFEO5;@v(OL~qzmzS%RB$LOJ zb=dx!9q7OHKmL!N z&m}%;d`+3Nrh;A^o}QX+@fXLdoBcu8rOP%1&sQ&Pk{5NcpA~leYdGCbS5eb+DgS4**g^-OealF{EOdj&5l`uayy?N zokv($|BU5h;xyE{8@(!UWGGCs+W$WRgss_dZ>h!(d3_k`HD8mpv9L>Cq$^?d#D?cj z0gpFNKzjV2f9Y|vkkGe#TXJj=zJ|ukx;`FP^SM@#aI)!s9Fqlcf3ylGUs&;}$U~%) zf3kS{&2)&e^WV!ae`7!_jPj=VmG2oVuOAD!?^oU6)+jg~Y|A9<`Ghs!(3D?n@y+Du z|F{Z36ny`-mj)F0WO#n*rqR8@lHX;+Qb=(ZUUrq;bJqyzpw*(>!qdPX{*P<>|KYFy zov-gjOcT~ogsC&@I*}==Mg7Z~Pnt$b-9e~Rl*QBP3mvR_dcv$`-PLRLSJsnUgnX^^ zUrx*fS*Z;LdoiGI2cwagMc;5cGOu*hv%=|wb1uivecd!Z$E2p5KA2qyILW0=f@g}d zeusBM6vnQq8n5i^@P7cxqOdabWL&#Cnsf-Id7)OEPt*dg-{8;S+HGnwoC)X_+-aX{j~3wN@bk}u z1&kK4?CT3WFGRdHugH&17kGLr#pxL5rY?H*ix%?YkIgoXiJ{Y8qXeQ$^_a2**Oyx_ z-x8$7azn275_G^>HD=QbH4B|!*0rX~XcBB`?~-U*5f9(}nb;dqI4>1IKYb=RR>K}6 zAOm3{+AXf%k=o%JLV$ zZpf&`Oaqah5wT0#o!AJEz{lk37xjE;cdBMA?`A!XvtN-k7-5r3$dK7exGM;v{=GdM z(a;^|V-A{U1pp7G#Q9N71C@S$T1&@-q*|+ncMgqKPWscg2m6+qnn$KjZ`^F9Wjx=a zDluBRJk(B}zS-pxuOil&m>e7A%(%4hrcG@OB1+!+(S7{uf1~cr!=ViSx8V^bgpe)E z$XeMdM7AN>l0C^fMYd#%5Mw4}-$Dq5LXu^&@5U}#?8eTZl63}+VV2&j=b!g@p7%Ju z@AJp|{EpxIhd&(0ecbmw*LB_3_4%CV`8hwi@EN;aRYm4AX)Z}G1eFE3a&lLclWS42 
zc}nR$Io#=YZQEMSV(*?mmmX+32>GSdL{|A7;$1@s(i^Mubg$fU;o6CIVM~ggN{sA3 zQBE73G0A?1uo(}aicU(aJ%~P5bv^tvXX_H%wE}kfckRDP)*y5_c-GFHlDNpRiK%nE zCtg?QG8bDMFEWL+_}*Q*cHtbg3_&lQAg~xSxnlAiVx5$2jrEA7-(T6#g0hUjuTuiY z+c`Z;^s$<}v-&{IEj7E9rofTZDG($zFLdZw*MPTPhIRRXK%WTbb9c6$%v%9^@3pm6 zJw_d|{FiRSfDJ&#lLt_qu$ZyI`Ya?Q(Z-D-&dHS?>yt)zj;cf?PH4t_U|S4Ksd+)5BIPgY9UTvA+=QheYVCH0@?s12uA)=Gq#% z1a;pkISdGtvxql3roU4v{Lry)~8FeMs`L-p5KpK#P24?JlsBh`@^pt`hI&e z#*T4o3~f07G>JSJ&hT9Kj#+rzAOD`GwgRdPyfS~dg_0mn>Pqq)IjKw$k>yVnMj;+v>OlzTX&AE zpY>{a>SV<++lLDtJeQQLp^#D>YT7x(htT{7nCg}X3+SqfCpA7i{mAN0?x6T3>2AOA zB{Rm=P%7~#$3=ri4l};;e>770-;HSgcdmo|M-Q)bqCP>H2<=tbAAmnn{nj$eu^~$N z47=>`0Ls#iCEqc9rwCuWH2=mXT=1#N0_-X}qm{SP2#4nJIJ+-fRgMAt*lL>Z^U(bz~0!gXXL&m7sFxBC?)Jfm+dkk==d zR_Nc~-9FK}hjZ(`rsy+++%wEnAcpZ6C9J(lzS?k9v#%Bly?H36O<>(lSoVZ*>1`2n zJ!_j~RMQ0fkqGR@`*%ktfQ$ws;KhFfn+Mgh4>;6*AaWFaua@rcErHy#h|fS+W1ldD z;k#ke_hI|r*dm*)0_b+F|HH}WInd648gK-*9mo_aUD+fkfIhrv_OH$e3am#<$mdW4*9awK02^x{ z=%4QUOOG&7gInn#zr9^F0{BmfEWp2ylB*F4hcqU zL2YrPzaLSxf#V?kGDe7^jGuEnQ{{Et?pTd6=arbLk@JJmVnG@)N_bi%s8;WfRZ`iX zLZ}6Kv~{%}#NLa(JfEO!2Ac-eDp(%7Kd7lZ)2(Cv+_{^w1HE;BA=?C!2>nbMvgc0V z@3$nh1^vN}pBKv|{(Gr~pZb@7=90D7XJB1J5l5z-NpefZVNcF5sWARLeZ9*@{Qm5> zSEtx-VY6tT;hc(#Ou>LD?wXm~@bO$e9;+=AbF#rKbEYVd@l~Z>*mVGGRa^}xi+oe~ zrW{)*nL1Td!!#gcVhC&5$oWm-2qRw%rtcvlWrh(t2>C~?L-Jn@r%z^HO$rx=!=%sd z!4u&%Qc10_WxIK!&SpeTecV%pZ^vd|jM>E;CVIy(M2Sa9zka3=>F9;SOz$oKimS|A znC(8`aW`O9!jl!<+5IuU#HbUJ&)8?^dlm!;DZN6bJ$c-XWaFgG!2WMj1KDCx&fa|V z6wy}47SmYAQ;nps6;_?jgCM3Snr~L)B$95HDSj#{f*7hCC*+ZagrpM+Scgv8c7`r% z$bJ8H>_X*I(%zV-3gbSy5im>S-%BZ7A&NFe)@1u$#*?=47kE>MI{Dw*8SCC`c{?>F zz8Fz$?Em;0`#Y--dUA+-10g-E?zU8r{_xIcH@mPUZ_e{JOAL4+2R(&nexTTg()Yg} z?0Y=nz#7{TTc+Wm?aS`7A!W3<^nf0SEf}3%Mvi-Kdm(; z($yjpDSj%CwokW<+645oM2XH3kRiM;L)BSRG9655jR4SIQ?eui@HTDiEmaP-Z)t^@ z0qC$?39t|Yy!ifE2r>UTln;3}I2TurVnSZ1p6O?P%JD@GcdBYzCMIMzxd?B<*yhkm zO$E7irg9T0bcIetr21_zS`7ZE&+6GxnrEjx@Q;sW#W^VS(#|G5DKox4E#-c{%l^9E zhpB!xjqzVIO=u<{5*Sq4xILn%;nel>+RO5tGnoVYj61x(W#NAcPNCvJKx>6Bvo==f 
zF)!>_k@b4Q^wskGM&eS0TBIWuA4>GCCj1k`;WSB6rEkQvJJTfY+?_GNmetgQdWch} za`rK^0yZ@%-NL;1woSsEr|+l6rkTfs40ik}1wr2xCR;RgZeU0iWOsy%B({6u)oZ)SM$ve2GPY5%ZOTYhf{`uUTg z=}21)UN_QXM!VkccxycO%kqTuXLlcmZQv@Tm)Lvf;bso1@~rb6z4f&X5M54oi%nlG z;sCm_)o3XpKPJEWXBEzK_Cw{iY=!+Gp4zd!elu~`Z=-+onI;E`AIzYC*Ww>q{t=7y zC)zZ8*K!N93FX~WT3P&`f{vpEVg<=&W#>$A-(pXm(5U42qdOz#TpMP#E8DbhZBw)q z>F`gAMrR##{OCmQ7Fl0c-L^Q{zXE>?t7nk*$8U6E?j@2{7DmfE*kvafD74DI7u~6pAz{HvLE6M`yAzE6=>ua z`4y1Rp)D9e8TYG)m9e`%@ASCwpS~=a&I4Uh4#C(+@#e(U;*hA9`S=uC@1DKKgQE0l z8ew?p=lYh#t^7i6SOy}BAip#er^)SMtMn`G$8(2=Td*TVDOB30=j5RdnV?-rN53W9 z9y!!t>((nDes-wKGwz0Uy@#TX->*m8t`YW6E>`<$ZMN^z9ge`?=2u}Tv3XYj4GNgN z8)pwg&8Tl^m!=+mD@tLrx4-l_PEjU_<(V(vwR;c^z>m!)Hc z|3WM*eTn!ti*Du|X65q(JK-tULxvfD2>jpCPnZ`DJzZ#uZD)tZ?Nk__DZJH+A)k-C z>5BcX@ zPHg*62QxM2xtzVT=OJj5^cCKoYlt(N!iFE+uHWquT^vXV%4EBKn5+KPjr#F_Tw^$b zlqKzT(>R*&SJOYps46YKl5Dt&Z}L&zL2O3#g(W?$J4086qlVtbx7T=}*Q#UX%Zv6z zUc76()5$;6QMz<+qF&u|W#|k-XCljv;4-t|DC2oL)hU^yDulJ_Bl`EhcIs;jtfZ1Az=c=tLsePOfW@yWbkYydUwKC!KDOo#`XcRosL43?odT^p0p#Sm@ zZ8P7N!;MSV8?G!k%w7HM_U3Dvnlrzv69B69fJq426tFWf{g_jEy7>A6=lbjhBhM>w z_X7V+Ee4P)+1s8*fo}222{53VNzjxTD;izJB$za02M)?ObErj*`waN9BRF!F{-h+d zYhqi^F@`HS=(>)0J$F)3kIjgA`MBwY$cv?;2Bn|1W{mncQ|^s+Caf$)AJ-D@^})`2 zxA<}qC=xIE;X4?t(F^NckjGN|E50ntbJ??$9cEaqaujJj=Yz^TEIYDR(1nEjg+$WS z5tewRcOFMP4f0bf0u~E6i)BUl4bBrYu=(B~+n6m+LNak`wl~bv-6k;mTwMxEqx0Sr z?3VS{akCSd=<@YuDy8{-U69h&T>lkgwX8tR)pUmj@X04=UL(1wrv+P@xr^pzd##$w zu!Y^csu$J=2B8fMLQE{|A>fw&Po zYl^EGfuD(Hu|MvGP=3i^@PgLgEeyp+6>BaBJ+{eC2HxOOli6U*lp{5zNgEw!y@=^J z;B#L$Zm4{ISXXY>+RX;6>#)m?!P}#12ESx_sx*K8yWTpSCP%qW3Ot46nfTGr;G9|S zTcc&_|D(}`;piD_NHKQn2_ZT7hS~h|Y{OHr+Qce~;3cZ`&$H+0%Lwpfb(@uh-gbgx zsbA^M>|M$)3FrB7QR)Pv5QN*hTUeUF9;p;uw|Hvd%l%OHV+KQ38dl-J9=ns_?5__6 z>>o;~Xw6H;&cqvy)zKD>_44@ZZvvF|F@JUq+;AkX?uP}i{>Yq%gUTCclYPn zKEP}kL|fW3%u*F>*9Uq6RN|fc3uy%UrB2h>9JgpixR7VFX#_gCxL^iu%=0Gr zE8mcJ#q-Bnkkt_86=_sg&JCmpK`*7?+qrm+o3zPq^LjVScgtO#ZEHQkZlP0v5-q7A z&=%B57UGo?{czJuo=KtBlbk9%11C;$=vCfI?AGvQe0-iBUl~t(uC4?s>TuL&6yu8| 
zs4l7hYS}U#@t!BAI91Z@TJHxv@3z)KN;$O(^8m#Ss)Jm8aU^<_{eu_@4QKf+8FQh7EGbW4-4{mY5SER%`;rHA#%^ej-JI3M|k}cht^)AOB z76L29eB43G6QEN6@>p(BXI!evV1&S|GDuVQD^IDd)Xu zYp3P)Gj$;Nvq$)$sbJzTg23snxJ&4M^22cO>F8i!&*r7;#{+-8 zU_V1g+S5gDc)&mTY|;@bpSH^4Syt3Rv!rys*R!?@4tDd|546YiI2kYG6$jlDR)D8r zY8g9Bg=pXYLO9VheuP#O&(W~>r#USnyLr3M3W6h-=`VH@7y-|!B`l?jETx=cT0&pe9h&yOV{ zdB(TR;bh5Pr#yoo_7?GKqqEyW#1kMnqd4Myp8r7$2e;_r^<&QM{c%8<)sM-%lcL*} zTfJMzkO!ITmimNV+~Gw4R5T)(*0CUjr-c*7^m6<2u1&}yr+!S@{0R6VG|7;raxU_# zMb%+;pvbPTUl;N#rpm1Y9Rsb`M891}aTYdCAcX+#+aDwI^R&KXEjA<|sQ;vd6CzuD z_T~JWCY3eKJZb~Xg?+kgMZfO>0oA*cc!$P3nPpI0n{qS9=!vu!mw|K|xYHrab`eM6!jqVOj2Q>HkR zFY<{f!03K_`^I*6$i($XjQ=y`8wANP0tZ+ve$!{#a>XPy6u3uV2syHr)^(Pmok~4t z6XDx~_ol_2#SxtX!WpDef*KB!fILmwvmyDdm9<^I-H$0B&Hh{=-w>}kq6kj5n#;tcnPY+4L zP@kigUTX@2+JfiGJy4=M z_GRVg6c4ZEMP^bm<*x0e6qiA@>wD1>EIq&LuPC4RZm`_yNi?RW(7;ZKNGpr+VnMxSK)!(j2(J0=MLmW+2$2f`W)&5 zfMG_UXk94A;)HHER8!?->rFAJM_qk$L(OiH4^i+YS>LJCkXXRpH6u;*Up}C4c`l_> z#IUr>wC{f*JQWn95>m*Z-R~`z%l2`c=hDg)fuBL(dB#R`pDILpl*Wco&01dUg|Z@) zA_xJ8>bfYQ_<2>{yNTI{@rhiC);ZSej1(@w#dQq{Q>^Oe0fmrH~`xpJK^RZ=2VAbl&IqDrko(jhoWyrsb* zW5DfK1rf$p!cgrvz|yto8t~|1{)NRIwxB0w5<6A$ z!t-YiP=T}$Qln9>VT{B|(vUysw`JS*J9X3FWu-#&l{&B zRB&&>YpuJeuq902BEZ~6cO=GT)s;V*-sk>0$Z2>-?Ah0X7feK@5!yih@c{G;bOrRx zZ3l|w=QCD$?brm_`DP}Gl+DR>d)ALV^y#M=^P-<=K7Q9;LalD6a|d7}tiQq;CmdNi zR5ty)ev+$r{;TJiWbduQH{n(?Cq_wv`)Gi9yO@%sxPSHT#6+&-_vN4I#sfr|3{2?N zak}5erTgDxGwTb=Of!EqeDvS~17P5r-eCd)7N^iOro!coSc)>vGjecpp*8i`9 zgn>q2-~3W!L%E5Mu7f7fgde8$o;mwki>V^dMe_2M(g){BT?XaaDvS)_@Ynl5`{NS~ z?>>8wq^?s!vh3!uSXZqq^AoBlE@!qiba@$N1pzLFe2Ugv#7J=OQEGnssbEV}0{d1r z!2-&*Zku=?Yw)QtdaiG3KwBn4F9TcXmEx_>Fj1C5lHA$E5Qe&Q-t25f5j>tGd3V8- z0>0@5S8DIu*eWF(90WS^^8<=Mdf(c31;$8<>=2foKyWX&=vPhbdzQ*P#ujBlVZS>j-bA`ws*fekiT$usS(o0OdB!ZgzeBuFjig8utcm^vQ_vs9xhJcge|R5W zH}If-SUh@NK=E)^?n}fNa!cR;4>|?rCLeWHzYh?qjyxpu&@j#XlHhonopaDx#vGN= z3*vW}4H(`$5z;;}prIXIMUbasIJ8RmCV^0K!7}n0z<;vwQ~NEz04Ue_~%g z)@&vv?-xut_H}W}(n+((>Q_{rq!>wYKo*~LxOm3(T z9!FmD6U7CYUvuM@;__6YC8gv#Xw$v?3nt 
z+RUe%j4i0C>ab$Sf#BTHa}(h7^{0IXm52ce64VOXCE2W4pZi=w%C{Qh$6PNr>i;aN z9xQ}~eu0;S3=)(nTvAKu-bMO{nwO}+DpF_p%e-RRk<}*t8-}H2P(klZ{{_C;wqvh% zfoN20#99e-nKB%g3#c$*lJ$}K85$ZZVNtCsbIWSv(XqnZZexF;GV=IYfq1GNQ`&0c)fSM${tfu;t=Ry%YhU#Sp1rlBp0 z@jxvV!)vgeDbL|GfV;+=K`7%Z@}fR&Sn~{^{JlrB-Z*v^-0=XWihvA3W3owGF(@zjgCeEqHA zq0tHcl}7Z`Ux*;86X=re$wxPT#xJJO4Mzv_>ReFsM*iFh$Dk#6dH>w{5My^w_X~{nt&*Tb~FF{-*r&#o#af|5^ zMHqG2Jd$N?-s)NEH0ck4w+G6ETFQqVZxDD+97og>+yrFljx?KW#Zbu`xczj6_7$*NR~w4i;1vns+9Q9=}6e0PuKkk@-s zilvcSw%5(_&xz$dZ|`*ot3|?V7V+lnF^xEl-w?d~>VP+CITGgav95YZPOwAn_eKney6?;ep&RbA?Kaz9*A zpZ&>@`tmlPP-7(&3}iY@5;?J;06G&fBum>#bK5-8xU=J1SCfOC$L++x);323^sdM_&7wRGEoFChz({?P(zNB25r@l%s{k+u+c?xE0Qw+@5 zCW(919V6T>GvvRlvU1|*v=U3`<;Fjv)6O|o{J*oxRAHN};IcK+(9gRFeo~viaK(Ai z^RU`2d47Q^vYP&>=b_#dPkc*1QTXyFLUI*v%Da{XN9A;|AnRke6v^Lrdk@tQDlHb4 zLk(A&>QZqzl5A<9h1lK4%%3_L0E>HsCU#LXpFpP-mLCX1+OhWt4A%7*KG->Qb6rQ2 zxSEOUeP-PS2l}N0bb47E0o(HzB1|z(H_GpynfTtMnc~_UR&J+hH+y<2Ie8 zlyD602{5+cBrSHRIcF}run==qTt&o-K#ub~lRo5yw)(U4^t)a0TS$Rm$3<{ZaUi6Z zTAFeeSW$LkwN0*C{DnqeVsUO}zD#C^$1v{dAj@QU)HtT@UpPa8_mz1qWmJ1sggQ)& zs^m>{zYvY!MlD>{ZjrIlf2{JE5og6sWd^myOl{<2q#yl}>ih)c${m934?f$6nU?9I zm3BNIb6ebm@1sAXXRt&&0%|jtU`T@o=irp2)mr>eMe8r#8lYwQvlVKo(;P3$qRARgK&y*%d5#ddGqv&sq+t zr~p5E5&_VQ44)45+I{@9BLUJO%YI0EDX>vZyX)iueA26^} zI4&Mc7v*{jo;1}>XcHSDG7B5i6cT9Z{=p%)Bb6v}Y5o zXHX3#n^>|uf(d^Rt;9Y}?rqQ%ZyDcljWJ6OvzRsGxRIK9hlSxX_ZPqP9Ln0LY<`ch zSanTXM#Dqv5nY)!kTudPHyy?SZS*XLcpi`5%qk)&nBjlL`aJ0)T=_gEJI8b~!Rf?d zV2v9Zpia2|P(nlhpVaqr_#sMSjwuxd+FkXc*H~yQT%e?pfcK$wLCGn$G!#Ms)V4{c z{{_967C|efqhla40h_`=D+25}pJHe$lh0tsX=hObdU!N7dVhy{J{c1Pj=|~$O~U(d z+)zwA$MB!rFRakJ^>6;L7pXcjfmY9tggf*LJl;IN%C zh~6aa<&DC2{MSmjU{!NXTs|!J8%o`Z$_8RfU~#lMtjUhT0G7JQe3%i0kDXkY)la|_ zupSgdtFFxcMMtBq6=ZiUcR-BMb42dmP!^n1F zuE9K6dCft}x+O*sFq*g@EGJ4}C0tzLXFVs9Vy69Bk?uDNZ;FmSg7>n|jCJIkXyP0y znVxSi_2W7f!(;Fuk>mHzO)2%$m*JnFcr*E_A!07|15LU!4Ci2E5YrhV`}*pURni3h zd3pJ>Au-)Ce@!ioz-Q9CP#V(;f$Jv8jci8}u*FK+g|cj9D>l9NkJ1T=5|i4H>m*@k zG59;6Z2b`_j8G{b@5qN$nl)u4P} 
zyi-1M+5cemray}zwk1Zw>g)5s!!iOFjhDT5=tzj759oML3{B0F)CW&Epb3rEEkfru z4nmYDWAAe{D>QmO8OhM8FG_uPVlvwRUgTQPVd!Sm$_@ub4vf9UhA<5Oe88uCt;!S2 zV`&hfn+$LG{I))i$zhs*MTtTP{Kr?tp zZbQ_Vsp}*Fp`Z671W`jgF-Lw6X~7@pH{nyl9{=D9?g6#h6l!f*(|~hSgxLwxdnXv{ z!sJ1anG9A#Lj%CxEpGv_e}mGV)aLQO5UCVAn$`{0$PFX7F<3*+nANQ}97WPf-G{1j~IWq$2JPlX(eJGjqSt@CQb zGgC|tFDvoA^=fUZ$WxA#qF0hYM8XnshP0e=%v4Hkx;iWPY{o!y4`M@bcLA?E4;Kv$_FUJbuRFyH~gs zyfgLfIjsW26C>Q|H&N5pG^TG)fPa)99@CRW>U=l1@cV#O;CCRyHYPs6eStp9Lg&Qi z3v5n6ir-263t``>EBlhqW;35a_PXkED-&=3Jouom z;?482Pv?Bup7NuAI}=f)b1PH@8dF&b$#m(#WHUSo@x&F2Reipj;Hx=**-+rCdbFJt zorXZ_BqsZi!n@o8XVG5?eIvOobi%XlQ-WEVq}@|Fo3q+yoA_L(5`#CTkJL#a2wk!v zcn29Tgc`okys?3Rig~14IV+IW&}3I3x$^yVOj1U84y54J(snNd849CtvJ>B>CbS*I z@V`nk9KW4rYGES%N13PqOlmG7PE+$~ViYK8@#*_@)vM@JqaJ~i2h#p$jAUCAe2av` zU!ChWkv=TNkctTf}ekXzwwyXiOAoxVpwq2(!>O9CfB7PIrdH4V(-6Co87?m*Do~jw@tn`#{{#qxTRt{ ziF;tgK|fIScqO<>_E5-tB!69;mo`hdrGvmXm(~Ius&gDYI6fI7F$;%ebIP}BA zd#gxXps{)Def7LsswNH2{_6R2QIhaWG^QK~6&PM8HCXI96&>BoO!P6o7@nvXmY@PZpOWqv1qx5`-v1_pr!F&78BK~KT? 
z9g<9bHwX!NY$$4^L)>qlOr+??TzAazpnK8-m zk(mE6S9a?3_2ShueHAM!!8BtCN(Wy5A%+OD`-n#*mX+ihFTr-PvHPPtF3sk9dUB_G zA2+S*s9g7-v))6)N8nrUM5+0hrJQyKl34j%KYMK5`GA%SUbiWuPfxlw-P7QRr{DHG z94|PAx%-d1h3^J7$57*%^Jy72)~i2|C143cl{_63h%J}w>jlj5?Ij-Ut#bj4uSXHAX?PM-YcdlbsMZ98BhM z4yNX`(fUBfN1q(t4VIU@g-`EOHjkCyol)d4x7N%{Ow36-y3w~V z?NZekr96;SP@DYmL`V)Kh{ByhGqvtT5!pvj`w`4kyC%|;V%j_)&hn2@)JYo4(i-v> z!{xO;sv~o;lY0jBo*s`Xum8v}y1MUlQo_7hFlEq`Bn_qHp}|(X34I4%m4SQLF}I9@ zq~<&!`6#wjgm%nCjhox|nGN^|eYKEVn=7Tx4c`9onD5>&V2mhV?;DqNgYW>2Urlz1PvVl;n!+2MqkvzO0@))a}?+6jEO z4U9xjh)1m{^dhqnAf}6`K#tF_Cn!4b_HoSy|1xQ5ZK%&%2z5!OS!HxN@t>P%cT+zW zBb6*Y1Lmm?tV4B3Myp$qI(i;%C7Os?kk$C|5o}WGagG^> zHlRu0Gb&gBzxKNGNtfVw^ho{;JB`b9#+1fXvxJI8G1LjHPPW3FiyvZBe=A#b`%4kM z$}>YUK3%G=dG#inDBONm#EqM>X+-c}Vc=9$AdU4@eSTgh_ORjMAn0V91-j7CQYq}< za5W%-IGACblz~@RaaqVOb)5ESUOhS&jq`Snn6i`Yt&RxctDKk*yK;HhdUxLOOL1`S z%0ZGM)sie_4_XR2-*@&4Dm~NQnsc&z>H41fBCv`xobhS|{SUXhciP0FMZTkjndt@vR7Ur2;vC>f~z|{jDiP`mqeBdzdc68C<3d z3g+gf_Pigh+MIHp>upUbhJ--3l)+86sg)Ra`6Ne4Qu@dB8No?xL-qTtGe@yd*RevU zdO}nm*J|fISZq!U`2wm_74y(^`Y&V!`8`CY$NU;1$rw@$7wv{Tm?JWzjcKn*_n*M9=`h1rX;G1trbvd;c)2lc|EM%+5^TlL+ZtTbsa?~ev5pH~CX zzjl^cF+I6qH@{L$yd3ISa?fv9pz0sw7|x7ZbP6Gs?}~9h3S7nn&C<-iFj9kIv@8t> zN~58nAtz%Fdz834Z$Eb}&E~zoc$ylJRmRDHnB*Hu7ha=>4khr?n3PxENcH%)4Ufqx zwW*$Xk@+BkPN0wO8o4-GL;COwdM$`};V-L}4P`TWn8me-NuqkL1|PLKhS zC+HUeRMo$bJFN*Oqg%x-&2J)fPn~~|I`taDtu2nlqN;wyC=D@z9mx7-B&nu=VlqZ!Cx!O#s+vYijJ|DctgCjWpZjv| z+TH^Tp)Bg_@O4%sKTAT?9`oSJH@@^!NZ+U3A$uF}3K-r-{_xs2HChMH;#cfy6a;l0 zj=yCp=mD)|-^8vgPD}NTmRGoWs#I~l>EE<2czKT)=hi~Rbo@Kifljc$)?%K9U%7b+-4q9f}CTlNiIPPvu$BVhiv8}p>~bFoaK z-pt{?C45xq*JdQn6FsZRK7(7B4me-SUf<{hvh0Uj7lF&bl=|Ooq!7=$ca@NgVsNx6fgs(Qn(;$lq*Q74L2Bx zqof~xWNqY#@I}JR;Lv-CvAZ4yrc5sGh(^2`553?H_@7Wq{=H7joYQv!50M zIU1s|aIe65=8z-4!J=M{TeU12!h_2~%HQrkthrfKn|HS>3$}1gtPbgh5GJLgDWarY z+)!+uKug-_j_$bZ_T9c844;bPUE&B6;Yj`%F&Xx5UI^FFTZ6BNjxTHUx@Q+ zQ(IjvLA2FC`Lg?}@(su}sV^eo3(sJ0nyKqx{YfB{N4KA_$3c0vmu%`-HPvL_9`#bXG|nfRooKzo9S2 
z^`!~}byRwvk;Y<<@3)U!PKiWbnzd7JmMebC%47Fxyjs`aO}$1WHHQA1QGU8cAoM1L zVp;{r%vn&Koqu#1y(UFtUNxk?Lb9YiHlBYg4iKr!Wq6$~O+hThW?7n*rCT-Zd+7)J zp|d((o&rYFRrdi~huy(YxQX9?nNo8#+3z~`4bR!ZXLS_4FAa!?_?KM}E{I@-pw$1h z=m^7r59|l{z&?}w!Hk^%2B2r#_Gm0ZAky^r`3rH%%L4v@-enyi5_*ll{GyZ1bkm?HNz`| zqjxo6*T=S>uw=gy)%D`Kx!L~=V&?fjM1Wz)uRdfEUA7<=8;qPESp=P;mli96C6gy$mz@A*pEzo17-i`8Z5mz#%OREDm z)H(=z4Cyx^s~2|0=itNS&T8g@@&Cb&#)!H zg+c>ba`R6k2VorIc1bL~zNT^+XI9Vby*ZAi$Ek@EC1)oY30ow=w!&6_bF_&a~u4Tg<4MKRHpm(IyK%#QGxf5mX0$8`bFqTitL5favj< zT_pk#$8-|XZAi*41Z;QnnVJ45?@I3qiJabBqcZ~!$pYV#9uJn(IG>>-CxB@^{_nU) zA)eMJQUdT69y2cs#8XOtO9z9MQ1j$bg$VrCrwTp*OAe7F(OZT-N)4T|A!GWJ4lG3> zk_C=;rw-Caf4qqWJ|W!bpOtruBlMyJ+~-aB?YZxTb*@?uL#r{-v~#5Nm7Vad_Om*{ zN42W+FBiND9(6N3F1xk;WrX2=gIk130b3Tap8AsFMwUY80r8tcPmN?@$>I&~+6og1 zX`zYs!i9k2=PtM{dj(GJZdLYkX3NXJ7z68 zv?I61rpDCbOdGzMmZmQXmsiuCievWyUdIqjCHLo=QRfo9d$=W(eY&d1l z;$`j{y?%UXK9MiunGpW~H-)xfGw*R=d3W&!-d<}3z_;tf*G&%Q8p(J+fC1t(R90zqN1k8~8bLjAHXcjs;6)u- zxYH9NyBwt^)w!3GqV!(@{c8%KE!A7WK4&n&U5C|=}Y#qvpoJQ56 z654rEB85c=2rQC~hbQOWm~mY*diqf-MpR>iFMV}4{mrz>&vr-jdv#qh6gf;gLwcZj z*>i!Txegy!RW}~}?rS@I+9&Yom3x9XN^if=8vV}@U}?-u?FC!k+mf-Or$DY>bsf;)`*qlb7#ZR3TMa=}{?s9Mcg*4R7!RY|64rQS++-*n=s^~8% z9@qKdTO~CsHPrBWmVL4! 
zd5N_?oO0+D1Bw_mLgYd_L+;RC4fW8u4|bNkK@;p>!W_w(p_b0TfG<&GU{3Pe`z@Qw zmUcemh1-eQM_Xb_K{QU-Y1FXA0nmbh6L|Rp{R|3lHW7CK_unULhYQTFl#eYKv*2~m zcD~z__i(#!!i^qkdq^y4Y-(zGIrK#Oo7j`5d@azP)$xBWTK|tfy8mR_LGA}y;kPgl zG)Jgz9}%|~R*V~??!g`yyo`n~e2$TsQg(KHr% zqOL8l+sKO;co6+<^u%nIU56P#yxjsD{h}i4sfF7t98+R}-Zy`}P(gpS zJx@Q6abr(um!am+q&-k)5aMNiN|_|@@>QoQhnX)usn_`Xd{3$@g~LBNih-XWOY1~& z%Q+KDdQBr6tQVvVh7Cq%b);L)|Nbc+FUS^&QbBiwoTr~gs#CP_4Lztt&2xmE?kz!* zo9?)eao?K~(S8IvQ+rV5iMv5oDJrk zPaiBzyIx1Wi_i&TzXVN%Yrd^H9w8-CVlBLzF~8@|9h{(mZmYxefPwev@^(iP zEyTU_eoz&m8DPe^El<(##FcdCbGhfRcgRQKgW(;M2L$6v#Y>&S#UE_@9y`Y#JHxZN zdribId>p|+enK15JWDNWSDc}k;NPc)y_?p4YwMx+@4cNRTCtqGCnQ~FZgjBuzwlfE z)tmcVM8E|{JPZB{A)4(`Wc?qg8!zSlzBT4yF;H#fVMn)G@Be~@ZtvXT-M!TB$mMow z18OO!c?(OCwC(S-5pZz5(h9pD=PxE$f89VtO7s6>@4cd$YTtcPu+fP~6A+>lQ4x@i zw19;oLPQh0w^F|L8K_4AWcf7Mr!Dx2uSZO^qx>cAm!WBwZ}eVtv%NI zuXAzEIQ!yUFqD!xW_zFaDZi41J>&Ql)E_@-MOy0zCIWrzjwlWUXf6eiW0U1{22b$m z=kUEmUDLmn^6kWx(N}M&-xo*Yk(~h4MYeTzT%k?Dxq<6yfn!aiNx>@S{@wZxo4D_G zIMGn|M(`~T#0LQDMqZ!AtN_(8o(N<#Zx)!E#!(nM#u9Pm4;=#?OfY38Gh`rEs}kpj zp|ge%Bpc}*Lv=zFB?S1*UA3g5k=HZU;>y_C)O*{%)tBDKEHYg*pQrIK9zr$^DK9%I zVjB~Sm<)mF)*8LY7f~~GzU1zta|&O+J~IKV!e6mc0K@K|sJRpy)nAFN8Pa444Z&|( z&m&#m2F@1XC+wop`RL|}D<=;kNYTJ;O>mmIN_O%fsE}L;uMwIA?}_szIo2PhySan* zA4gyNhGSof{s2oHGSNQm=%kiIkN9EfqV}i1R*};a?x~CW!TCpW!pI3t=4+GF!nEj+$2{ zJTeJN8*emlyM)mcO}L4);6lA!ao>X7bwXi)PDI4K(j<9y9@1>_xpgD;qLc$L-TBZ2 z@(>dZdT=r>iOdU>M(UJD^dY(?tq^$$EJ$v9*flVq0MA)_FLz^na`B7Zf@kT?mtu)q zFgc)(;$6*Tp-cK@&&{?PvEgBF9Cnqg&#cKj?^G8zX=$DFHaMH~eAT6Q^($!Ac!SPr zMd3%d^m|cuCb;LnU<7F~jQR=vvS%S?PhLI*clTY?(n?w;0R!_LX0ifaBqRqRP4>wU zB%9}S0=RO%8{Nn?rVOW(fZtEl|m3&l0eM;y} z_5c3F*=*#jL@_Zo&(z8F0=q$Ms(TyDc}=N(^Ck$v^dE*0aWf~{ z`L4&XflH*_cqKNHUo0Qpjh^rX&LV_jO4UomGsTTxe3Hdi-Ttd&D z`iD;lj)SmeKgx{N{Shi(2h$WPXiH4 zhHRRT5F>({pyPY&AdRcZ-~djf7;%mKVU7Z0qK{xX zM2S3A>p$RIm!j|j0=n$sSM~kUYme-PC*hMVbe1JTgU<+(4{^?=_{j-Ex5W2L4{g3K zFHMzzyaa>`34gJ0P*M>s+Z#HOh#&fgfv3_)l!GI!YZe;bJ9GQmcjdOObFDH@c5W{4 
z9^9nWXt1N6167#a4q49|zBN?kXk1VODz%$Z9B&7trOvBT>RtBufXmt6m;?Xam*1jF z0m%S}gD|Wmt&)Vs^9`j5-x{Ce`#`HSG57O5hp6>$rb+$%$Uy%=5LA2ERjFQZ*-)J# zkbs}@ODV)%cevK2cZ(T4DI0+zJVr${s1TI$f*~%M5vAmxmOt`Hv2`Z*%gWgO+6{cEMqx=w|+()MZV&@sY39uAJ#faPVgp{I2X+{=8#dz3uiH(`OA zFWLH=Tk$*He_W^SUE8D96!JAr`@GT zJDvH=5&7nUW7=j2Bp#hV1fFM#A+qiV0m!Ts-!vDRT_!0O`hqma8S_ z*G+o;_iZNIHqXdlXBTF9RzKCS{!~pe(+{ckocj3ot>kbape&?YLx$#10||Za8kE*= z8xg7^Af%6rtpi7UR`cJYokRT*a$8}zfWukxRi-VIEF{nmIqxdem<;!vo8=gnC`oH$ ze_>&Fl$-o~6)^Iqy$390ekB+~#Ye{hbTRr!BQtE4#QPbr9+E`I7Oug@4sn2tp9SR} z8H8twm5KcnnYDfn>aTihS<%J+fpB)>-VGp{PEs5Ir0IzUK7?!Hyb3Np?9+_gAh%Iv z9cC!uihWIN-qVkw4~ovB%BaWYJ!*MWUM7+w`8J>}1RM99f9MoI+Z3_1hPrZ8aAnN6 zTvfQo^Chg8MOY8W#ObU$MD+YD4n4tJ=Sk=`QOk()`m7GqXzxdoBrb)ItVEGngVp0B z!CZCLfZO>5x>Z&frj=d1p^&Z&G2uRCA!ZZH>ymeqIhW;1Kl_-xmcuELf%(lK-XVs5)^FuLITFA=nIsyH>_^s3 z`X?q`B=mRGi>N$&{E?t@&{V<-go9<^;mj4l%CYSbP78n)RB7J)?m$|%Uzt`iaejNQ z_eQ(sl0!7=;SZm9)294l$lN#Z&-kVVnQsKhTx#MIotlYt7f0Ji9vxbCTjB)=I%!mq ztYFP#QZTvu2mKHDe4PO?`pM4-!#W}l;Xdipwp|<-{FK=$Z^{YelMwNcUYCPt5|FBd z=J|2Z`797%K+*CVU7}*pHLD`};S;gCxMenXKG}+<%h0r724T+xd3P5A9ysqlVkVU* zo8(G{<~>Dk#uCc9jfosH=9HJaU8?6!zuLYg|I(J;`xxp8yNR5JV9;+-F7WUM4nlbB zJk9*xum&UmgBdmNVGQ@BDBPkyi5!cmbrU!lMXd*l+rOSYA+%5Q8^HZwY*6#F!dKPX zdKNrcRk`e6?8?gW{j`2_^0n%fYV;TuNc)@2fPe!QTDP?%Ml`X};18aRaCzoit|iMK zIT}2g6)Sf=^@V*QjgI)Yb)QL=LN!5|tvVq<_8dY=Gs~`cm-9(V>f-r*iDHvXk;Hxrlp1WsV(^MOJ8Jpj`VpInBF3n&32R&tBs zkcQ5D?9-f9zA9P4ZdboLewb2{Pt5_t!7^6q%2!YsaCqp1RSV$H*nXFsG;e*GqFXNL zTAw_Aa3(f)mic1Uik zZS@6*uj+dBNPA$Lzybm<6rga}CMSB(z7d(`et$Z2?e3Tes($HKE$!S`+UMD0OMXLV zji+cLF8^_>*crE)za#jv*geOLzCI!J#9VXoxk6|Bb^_x8x(P_n{?M;d9}>~+@C(kU zv-FFws_dfmvee7(3GdXd=~iDd(PPd2iq`nMk!^s-#Yn%1JDW)h1$Bn=euEDOyp{C5 zgD(3>@eVl}n3)NTU$fhK<@p5+Pt5-cngv$t1aN82R3o4@{B{Sg*KCp8IsjG+B3Y#w z#6RqTUySVB_;f0RI{F({xkKeifW^!JbD^+H1k;vGLYUvF@9tCIScKb#xXwQ0)o;-M z))lIK(=FoUMfxKXZDC9cl*f_`#zVpoPC@L+d=qCddCrNq`A#M1*?V009r-JyI`pi( zM;b+)&dNx6M!rpIAUcF;+@9xPd-w-Wpnq2S*uQSXrWk*{;hEiTYB<9}hRfdezin_N 
zGOY%|L3!$TyODl@kR0LddJfL^bQV;$q^Jm^yVOdoqAe1V%`!U6G_Wfm=uDl+~;eWWxJGUd&C6q&d_xsHvdm`>uWQa z{>te=@O-O;vdMdimzYk;-+10P^!VPDlcWt&FmO<`pDq4ybG(o$)?X)A>_opj>h(ED z`OxH7!t7>@g^AnPsrQ|cXJ}Yik1ytUX`Tm68xEU7K%yc9fNFCHeP(3Og?P^O<9&X? z)S>G_Mt&z+mcLp&rmmQFJ{G&+jqZa@oWxfEOc5=4aykBczX1c0^XuV_maC`n!3-b7 zo_$EVD}WO~3ugr@RdC$W6tfMRrmGj3|N_l0PR96oAvTr8J zENozM+`!|vTm2WFmf>ig3E0~$WP`SYf*(H{yZW%#P@Yb7rdBheZ1`29!3=p7>ypu# zM7=H^^O2LJ2SolLpKdy>^N}}b+_r7xPwI7VDRm4(da$A$UAoO0%B@D2;p2e{ zP3nk6p=_og-lKt+r{b5V_htb1|+nK+CJJ2}xA8*5dr;wgkSy^5G%g{c}n; zQM&N!ZerX$8WY<*g#X3WYePR3%6IJO%Y#(VyH;{yi{dr4$8sNPwtyj6|85ZPK``y3 z#@$(KAo^inKX$>6o3=e@wHY)k`{mKET;o90Fxw-bVr=;(Ly~9tfi9qcUMrnHap_41 z4cJV@mZGEp1*K4g;aqK#1D;IUqJleo;_mVh-A7Ehu6wTHCpll$SUtCBv@_Es ztj(l#AQqu9^p)f^4M{P%%iHDkU%gxZC;c4!uf&YD>lg`rxLKZq2p|J#sb}4T4cWfy zC5;#~=m;LXkXPm1#1h)Dl`tAN=qzdun9&GQOzF&{z?4nl2Wkup%-+7SlCTqKI;$@r zo_vA!4amH3&4$^+Vl5M?6%~}bDG9Lay0Lr8{x@y4!71SX?O=P+=nxct5mM9wAyH2# z$!3aClFqd2UyP9+ntAcb=!dbE{i(P>^Ho416iheoVl*hC8)WVB| zN){u+0H{JF^)%VTVIIz*gSNRP^l0e8J?rrM9++v9HJl}Nuj;W&N>cUdA@Db)V_J@= zUaqCME$dHR2I262*Z@S2J%S_ZH}Phy-^`;&kKp}XhsXjcSyKW^xcrN*knFdRtS!Of zJ^%bks9`NN8X(`H>@&OOZA#}dL&4lgQO9JYDB)AI^g(PkuM;C%{g7SJGa6nUU%eAy zb7}-BPR1D#e8R&@WS3a`Vv0;SZFEVGSEh(FSSJk!JcNbbjXj+mVRXmzxtp}&D(A_k zGdCzb8@<+jax-bV~QmlYsYm-wUw9v=>U~KG_erX%i*r~8f;U0 z2AcNjqh;!!mh$eME)%gNQgqp<7yQHRj&`og0-^!FNhjk6qD z7ZLY|u%%SSdD?AQ?cDjzXHGsVxyvV=SEizlfr4%>15$PCNl+bCei)bvX58*pK+UTE z!%&RG(g#tM@y%GWWO$e@MT6dxAuu@G=01*--rUW%D>Kkt49o*-9LoR0P&9#K)R)|0 zM?MFUuc5XQloSd8z^JKHw;KgAX1lAlBBZJAy`~KoARo^C!_X!hhJo0T!{%L0wUKAw zt{IBr`;3GKnXg7akM8id?2xY|zXe(!U`w(s#l+7A8il9auM6*c63!_7t=cg~Z@IZK zC8hMd*W3#%lOsb`z3+TqBP3>)|0JXZ&g48nb=H@kuuA09dm!$bufNS$40;DC_XX-O zvjiCR7D2f@%d%NJAu#&&3jjmqKlnOi+law0Dae~BOOhp563}zVFydird>)vC9Cm%N z;w-dbfxoapvolV0V+|%cx_^`M>K}$K89FbZB!r28>}!7owe*F8&j98?dwAVcLT!_@ zTTMfe#0{YWjbGT;;kwL>t)Z7o$uD_NfU?m_0qVYMN+)Inv_R0*0ovqyAm?Gou61KAg zzm2D!I)2NyP3k`%EL)?k9Q!piNa3jx125{{VBUz5q2}dL5$`Qv^W9bzT6z|pxRz)Q 
z4QmiY=n(5;m-FU9AZN9<+zbzIrS#h0@2NQrufK*J>1dFCWSlaC3X}bxJd3sII2*{N z_J9eC9DtNDwL!*TPwLc=<4EioqUM3nQs~OrvnPDr4C-5W%^OP7>v&0NWuQsIbcVG;v;VZ*ZO#cq>t0)+Ju@I(WcfW+imEVyT| zv1BNV{Aju{8|FXsp_4t9=Z8suR2jf~bk`Anr^wJnDJOXVaq#)KyjXA5Plnx_pRHT8 z9$lQ{+Mf1YgRzWmNVcplL^mGucrg69E=^#fgkryH#S3r>31tM)%c$5)X?3Ee4~F$$FI3mgu%A+_j!-tkr@{s&#ymnPxa!xZ|x+(tm#$%*-7yr zKxU^uGmDIBdbC%Qv_TDC5hasaTV`nYP|`WjmXx>H?ftGJ-5R6F++n=7(z&L`NOm$l5Tk zOWS?$hE>EtMw=wii0+o1ICp-YTv~MG%%e6@jq_0^F4C2bA_gQy^E9$q(jSM$T{5_3 zww}W;1w%{4Wf*0CB@2HszL_C;E${N`uj+Q1v^d%=84A1ImY)?xzXQn){eMu2_Qd~7 z#{&H;SwR|*YlH&TaOdy!Op@#rFgm>j=(GS7sw50pkgh_;;8A8HN+yljycdP(i$<8+Ql3*yE6PSH+5ALD#vfiO$+=^) zh--ZOjN$kJ)07JEA;Us-sb~Njt7dq_rSbW0>B=)nFsean4@c4%!~*@uSLlcdgZG9c zS)QQG-xrv6Vs(?_vH$oWd7R+0_G7ZV;I zDKe5AsC?#hV_TruFGbG&!*EOKh!<9ZC0M|YZpKOhCySynk1jrDfV%Yj7Ne)h?(tF> zb5R{?qx4^TfVWK)H5e$Q;(wtwvQTm`^f8?JrWmymgF0qLulHq3wxyt^AhbHV$FVj- zRhEJR#NHu#*8yadl(px)aAq{(W^uPKUZ{|#UjGJw_bS`o{TSyt2DYS98cJ&iWnT`W z@qRL{i;g*w?E-&+8-Tzqi58D?+?%&rMV|K?SfNYs!!gFy?};u7;Dc9C{jvRhfXCem z8h2=F&>-hzQ}tZm-{lE)eb{flSno%8;ihIs`-fqNaR+7y;_}qu?k&9u=j$BGmT?+L zvnsZXODEAc>(cwqAUKkVGNutY!qB5@?SBf+9B(e6U8$pKrL9OD>dZ4Td@dC!O3qcn z412%R*!-uckn~#nQH_oGF79*jf@Gt>RDaH1Yg_tEI zsgjm}dMRWbP|Tk+JE2N7=ygBxIhV}51U>XB-U9DI10fmc-tMpFOA&1iND04qdNVg_ zRTpczv5UozQa_@(0BnWs--r2mKj|Na4>J7p2Gmy3zQ!rwn-WQSJ-~bH*sG!K11~t( z&$!F5FRI~Y+Ko|n+;=ClUEe1;D%|&(C~cyWvsgpkP!MGy3!C*4B+eEG-V;T+XJUICasz=@&5$ zWZRf)S2lTAi8Y77OgwuYu=q` zMj(U=q*(SA#p#c9jJ1lt=o;d;Z#zDfdgY`82@p03joFwzNpcsY@0 zcOt8kw+GjK)?LfuoZhuO_an~_me}(UIApvJ0D$qzj%+M|M#Q_ z-3^)aB^3=~UE<$OK;vI&Xi7%JrRS8S5e?;g2ev*ea#U+K3U#z0bCHvf-DqqW>R=0y z$~X(O;4}Z5Ovpv*zxe~lzq4l`5`26_eE`7ZX8>f#Kwtm>Mmh%5qPTK^=V69`#>rL3 z(8U_T2Rm?B-)R8I4JPP=k5uAgu?NGb{qO+l6#~FCE(X(Es<6ioD=BE8O9)hFiGJis zz>wDb9|nB~baOl_s`Fky0JT&HuvIxy+Tbdn>um`?I*9<%wi15u@rltT%w{SDx;|T$ z91o{oTn$iazyx{bc0XrVG44Dkz^vYBV=OoDZ#1ph-7{n;VD12TJ)B0Tqvk$mmc|Do zRW1D@7F60_+Y@}>j{O*SyDI$q!=+DpALH(u3sj?=<#_yG4P~ z(!~uQG3S{|C9ms^VDC4ar0UiJ*Bn9bwNWL&aD7ZT7d(e3la))8^9bHTP?P{=^gg3( 
zapwHhCf?n=7@#7^n?0e$Kie}8AD^6Cj`aLK#?7u$^Ol9xs64jgT~70{eWcPMptg2M z>H>s-toh@_h)m&LD9+non^;0MC7v?vy>US9O6)*mGCggLNgx zV;2L6U|JX&yB|2Z6G7z_qTlbE2hqIBfd{Mj6(pJnpm_1LYx__9p!4Bj_Fr%L=(r7b zB^2Gx<8qC;5WsGZ4=>GEMihCdSOh~Z0e)#ylw3;%m+9J~4z)u849KcyO%ritrU1tX9?PlSAU!E0S zrRl7LJYeSZE^x*DSvK!sLVV=POG10W6`_tTLb-yZfNx&IW;2;U@WbBo=qdmNmp|SlQz~60w2b> z?Zr#1PvqC1MLpcWhfVD z%qJ8xm5~WR;4s%rx(L=|#=q$!VWneN#(EhjIT0P1k(*M)iUc4-$S^1%;I6b1IbF@; z%KfND?Qdb@Q3D(OjxZdvXzp>So87MC3y2?+!hyLw&4IQ zz!IO#W2i7Pada88#V$v5c=8X!>p@^xw@}>h0dS7KZ}LAq@&>L6`2GFJY1r|BEbSUo z6wuhB-a%RYpVY$oug(ShuXL9GvxM;>u+V`h)wx6kWJezuiD~O6fE%#A;-|e7PuIa*|Ku|5o{`XW7I25Ux0Y-M(DaJh<4^tzTK zFzN03J=w~|dpz@tUviTv{zA=-mRhsi9idI2XR@}Zx1KMdZ!doKHS;=0&=O&Rv_zDA zL*)jCS8j>Bn3GJ-7t7kXzRf=mRefy*zaPrNOQwCJ589lo5kBpxJe>0j5!%uf3~r)4#q2OR}v z(y5umAHZBnl7JsLDN&TH^4cd>bTYFwLu%C)&&2vXKfguTK=)ebRq1o92{h2Tr@XC6 z>(x*elP;()e__z1CfaJ`6$0{o+C}YSs8pc-gr4}qcFbI0Mkw~O#_d8wvI%HDK8HuA15ukB#J)Cgd2-t{8y**? z{VC|0nbl`AaXo*B8{-M0{U z<E8&_~+brU*;_N&ghOH!c;ZP zm%y7A6#YJm48mssDcZx6tfolp%ylvAryaeLxwj*=-e2=QO8w)>dPIG}`f*jIJ6tJx zGJ37oQ{s2A)ZS>a_=qy!lmyUDo?=T94;~Tn^$%0J!&~ zHB|}-vT#n+Y6z@POhKLRg&}tWR6No0(B{(UPLb`vj<HZyx#oVZMu08wc!6B5%)EIv7FL7LlP$OF_8i<8p2M-u7JnGN{%n zBUbya<+?}tS@s{sbM?4;RE42~EniEnSX+}?EElSfU!iVNfi}IkK=`4IF*j4;njXJT zfO4OS(;v$&Dz^>>@PaG2Yke-5UjI zaBMu=U&~2Q+zDJ&!l08DL^k@-UC)+`}A#n zL5`g`@3jg-tyb^oz~t^cLUkS?Zf%Wq^1l}I3q!9$n zyGDVUX;T{bU-k?Z0h!C6-F=B-Ms4I|(m&*&G~#x|DiY*gzA%)#DW35?({iMN$cg=7 zrDtET?wjmGSm=%l1ia;L$n6%&os7T7fcvYEgdRWzH^^2IWrK@~sEu&N3cm775M}PS z@NbsXv69-R45d*Gj>6pHEThsI1A!%Rm@e=MfC`<59fO?oS+h?+)yg)BFpM4iUInnukhzs0?+)5)!>KmAqe`PI+e3F2Eq z=QtN_rW^5CQR+>KFd`!JoH2Rf^bhI-n6ubU2wh9%p(4AB=S{4^}^^JU82oA$@$m4gfHon9s!tIhw5o- ztFcK#e_zoy_A54ew!uHL#nY&{Kp?wI^o>=5pT%Wf+n)PNxz8{Ojs*Oc^U?Rn*~G~w z#3|YAwGZj)_av9K#}l4sE{I`%qEDcgG6ku|%|xEHrE05sR(NW+o0DZ%=Z4+q*+3c) zKeV|0Q13eCO~ENrX8A?gz@R1w<}6RiJ#hX4Qn@@I_yzlp@Z9?1VI z6NxKmpw52@4;SGjf5Qvg8WW#B?B+;MGdde(_AbKd#Fr#74S+C6(JLbWwqghA+(u?r 
zR#MfM-pO6RRj?qw>v-~gRuo0Bdk!12LioxX-^W)l#ax^g;5an&82E{ldg7;IM4ZX7pA+D- z=2QTWTiE&QbX|p~cG~Va6f^h_{~Pwhe45Tk$P9M_ND9K9t^AhO-)lZTaF&pn;Z?W_ zNUbi~*MaAvQ1qi<3gnq)s7tKLTG8< zBR}ljHXOr;UcFOx#q6@S@eS1l9>ygv0JzEX@4w84VP(c4S$+|?!>Y8c*m^44i{8>H z-LfmM;@lf!Mq{Z@%PIyNB*;oco zQ4_G>XK~-?EmMAq4m`!*fA`p@U1}-dKbqE~YpI^|5cUarSDFacHD}^(f#I19o2^SG z3j9nSGG~kf_h8Jx)8O3%Gwg40!0?CR`&$oZ)C(=PCC=TJkI*|Izpx@Ph;Lb@&ZM`$-6w~xWe@^$QmHj5R`}Iu!zb6~Pe94E+NP!C4$NeDWs3Cwj zOprQv=)@YCQt?&!Df^eWy3yvp+$1j%p26Zu__?(J>pAJu!&5gp7@MwbGBybVd`x5% z?Fuoz2|OO(c+RqAfh~1^wBFqDR5HJ8ov!u^h@XsQinG=Z5@AJLNP4Cacppl8XJs~ZzfZ3BN?ma#Ri{aMZVYuy|$0lo!D zLGNHgXBhwzQSE$AM6`wlPxCU~Ja&;^R?vOYJXo7|FAs+eyFCw!6@vaWS2J2?DYEW- z!JmD}cBp{v#W=rjmK*89L8^Ri?+$PX*Ux`B8TxqY>dLCi8hFBX9{Lt}-g?!Y{7~S9 z)vBF;-MHn`B-Qg%#(*mJ52-(N0jkm{{R%k&0&;wInJLx7eJ*7#x>i|@!nxegR7ZwV z%nn#Jy*&VU0nTGWQ`j6wJxZ>sWbv-eUE_2?A414AYjIh=I=&hb$%>r~QtghNQ<3J@hO{a;bye?^P`d;c>1DoFodg z*IQa)B#!uh7<8kKGVy&tFa8{A>=t|lW=Lg zXM2M+cCmUDeMbt0ea8e8O|bH)1(rSGgxhrT&ro;d}#3OU*(uf8>WLjC;orR#{wm+QCoJHG;?@rJYXu9=&j zU;XsV9EM0g%?t}#i?r7ZZZMB+gz*B5ad`M~eDf^-l;6u^sFuY|5!YlW?$9`0<01y2*!8myRDT#8XknEu<+-G{6+(v|*&+N=zww2lVJk#DZh zpO_tP0>dV8N;_%?OHUkaRLLYBL1^BnWyh0K08i^CV5k6#QW4><&+yE-t|H%Zot;nj zN$RZ&Nt!zQC9?RwFvXoy2%QlP+3ywcPR~`6xju%!z5xB_ebWa+?ar6Sb337%k*<7WiNf4=PYb%DHhn{b@SoFW~738T6&PdaWFCf2pRMqe0;v};J7w5XoZhL(b z^h| z$5N!IHvtLagAc>h#{qoP_nj?;d_SHmg}0x(q1Q|0S3OyY0O5hbthv_L~dvZ~g5u&7D>WlXE@Ipq)S zP$Fm2Hdp{5MA6#NQpup;`QI%MdWVNf_;HOfo@a7ujI5!#EbNTu(G6kYzpsrQ()kP5goEW3ey+S=k6+qLZYt&kaUo0yGl|~kKe2c-TiQK; z-=FRF4EYt{^jAf^L(3pMa{a9BM0=Z?+)mksEcgCq(fWSs{C*FEPk?U=WLys~j?*UC zpq1kCkIrVQ%_;m`t9Tk3o2e7(vKSwQVn0BKA+IF1)YP(kNbaeu*1l!LrOG6nf;zjx z+h}3))alTD*79bYqp)4<&|J9bdzXD7(w8s|bAoAehDs_gn#Z#9dgF8KfGFeWD(p+( z1E!TAASV&d3)bK$M%*Q8qQmx;M1q>SJI2R(T)Ne5e}dD4N&^X206D@QE|N|ZvkXi( z`lGO&X73L5;QiT!&fOe>lx`(Js0Gzt(0>|p%y*)Jhj_U*2+$6o z*bLb_xyd^CTcoV)h%o)(Jk5aog5V-Rn}Sr@R7Awd=J=BVHe)T)(H#~a3@GzCFdhyLvA)$+Q9|NerQcm@OdXC?ed!3A=B z7y(3a!9CeAN;@4)=!-hg6ndJWt~Wd%E1ml>%vAi9aWgLD3vowV*m|d>ZyeG%s;5J= 
zsrJlweh{1Z(f^&^PUfXsp_=mgMGyhNi$?B;pV%WJx_RfEfx45s|E^_uc^tXD|_C(ioKtkmnD7rz2dYkOthA_%~ zy4G)$(%N;q=`t$fcTCdCpD&aLXPDl21%l7|pMY5^MOz$DIYq)z*AP?Do;*{KX!Rag$ZOZ%~srla0cL6W+FM+RxF)xG6xcR3ik z9>6%#fa%BD_V~ZzHYN7G1BS++_C~&28Uxjvy?y7-9P{xoPTZwHsBGl)yrz|QH7$h0|vGxKK=^~Y+ z^$}(FM@_H6cfy02gZm1!ma8;8e7zkg;8m!TLi2#-8nHAs>XYt;0-Ws{;OD}4fWcwM zCvc5|8a65fqrsU~`I_scwJd@lm2I^SRmU-6Vu$!^Puyo@FKpM63TQ^c00iD@q{{{< zWYpAelw?a(4k_SrS0q~dLp!2cPcbIl?(0Qr>3_C>u1(`@)+MdW^gb=Y_@;QG>^$EO?;t*A>SVMJ zTyB_ur%d@INAOaA`<%SzL@|Kk6(T3n!(+wv;6!u|@-*VwkQU!+4LuAm?1p<-I*h8qM0tmP4VJ>GwSc;J$i53@hI>EPLbQNU{&qNfpm|5; zS?cK`stVC)G_0~t@#pjGR7Ms>qeE-Yv3;@9Q|3bxvYScx9&YpU;Z3SV4o>L{@pnwv zn-ei0CM6VUtg1Ziutl)4?t@0I)H{jYF=c;U0o?OmtqR62#5r1KojURMe0w%tDALW; zJPPj;Xm4@icD2d99U+5usM4s@>}f#gJfc82zAcj*=U?#yi>lThL67NpI^AiceX;{XX+Yp(C!cTT6iV_-}$SUrsl zL*g)r*5s4zYL7N8nV;~O_9Mn%K3czccXyfq%GgGxfS2p#rIV9)5d-o!I_%#jFjDhR zPS$ZyB{9iYPC8GI|+Xm9+H)S|R4|dtG(z!+Z68t)%_F7?ka#?+}2^J8f+Me=hEN zIom%-w5FL!JL*INbZH01yNVgb&?Wnq8Zrzc3=5wOe}Azk+EM$6d(4OT5WW?U4?^7= zsNmo?YDk;tqN}*1WVwb~|7v`3Q*1Ja;h8hwp3)d3r85Mv^xEQ?@yUzR%gI8BJCzhbNwdr^gUvnJ&SK0U*Rd3K6eU9Aj5^XJZ z-?~7Y{cL$w^7{mxqsJbD_5Sf~SVn6**+rPu67e|@5Whm|_zDVtHn{H!Z6`RXq0(xsNAiR#tWpF{ox68d zc&vRZuS9Aa#EtB*;TYU0R+1Qn84&il_=hCxlGww_o3rJAToJ48(>#q(_>WQ~i8XyWenII;opoj@7+`ybwVA;;zFKgRgrbkb_B*44Jqo_N-&w z{jcclrVhFvK5_0gkZq3RT0~@O9=rS=ds>mwbOO)E$&_p52Fy>_W*I7E!_ypEX!m59 zoXcz`t#fIQrz3CN|HH5@9~~pBxv?@z_MnLKznGD)W|D-|A+d+}8rZlH-M}{%vQaU6 zd{1f*4?jTDi9l6T3D25xu@Mslg)an-%ap{{r^!lRwqjYEOfY7+kVa9106pE)bUr5^ z3`Fo?`Lk(_HlQz7<@;Eqs}!Ud{92{-vA7p+2ff|$bV&|Tlwwh>z4d+V_n*a}aR>L$ z5xDn-e!1z?XW!Fi_1+4mpU{z8dfwTQm$mdAw~1z!v1R9_BOc%=nG_Ga?p zs|V@)E}m;OUAlHrGcP|J2jC#TH#SOl)zZkdZ5jN-b^LgBz(ZuiL1%auFRq7f}5U-7;Wq^z+*9(+w#>Y|UTX_jOY z;o8dbx>jaCF__nHRd!CdzB|9rFk(V}a7MOCcD#MEy@uOw50~7NLk{w-xK||RpCEs` zV*tW({$k95szyj?5a(VKwzPO7U9`_SP(4eT?QPmxuRV_vN&~&yiE8U0y;mEpP_d@J-B{8Q#BERXRj%0R{dg7z=8&euo~$ivVkb zU(&l~`43z`+&Y8}>t8O#l8>f&%YIMRrFP7l-#mhS6ILHh1tj1ZDhd3ph4~d@t!9F0 
zY#nEVhGdZ5B2Cp)muRvA&mQ72p~7c;k2B{C^U8U*%6-&U^>q$Bmb3NEVS&9|;%aX# z>cdyg!Is2sSBl8=ly;kVnC6+05odk>Kj*)R&It%Oby$ z&LAt3z5zMM=UD(He)aE_*|1UM5%&RP2^;Q%)5P0auXMO;aii_-_qX&dz|pJ;FpcCO z3}_&)3}nCOwZ~#ki7<;k?ocA3wg9NXB@i2M9AF8YE#Y3kwm`@_$Qw>+RhfL#Qctm= z%jdF}4DJ^$ORjX3?EF{vLy(GYKFT4D1utli^RtGwz?%xD*k zUqcDs2O_VS1E=(3#`{xXwVh!kZ`J*n)&e~-cDcB8sdNIM;(mLMBLKujcAlG@ZfWY6 zO1QKhmlv8>AJp=VKCZn#>bo}Z3jpTVGAni$ zR_9h!zI1%r2YB0l!(UG!>>W5dk?=hvaze$hNW$ajWSI`El{4HG%;+xT-fL>QLA=!#} ztH-B?{!u14R$RnX!(h2xc}sHnDQCUQ(usI%chhwGubs?$6mya^QFM}=ZAnOKIwO6r z-;GNschz`wq1xVq%({nSLC7cU{M8PE+BCtF;EBL^L18v zZ@K7w!kiU4$LX^FSE`h269E025@(w~kDpwF+qp{f=ZoA+aq}2U_$`1;+BM(Yo3qLX zhEY8I2h4O7NB!bp!G$w#ZlD*pnU5cw(c2Or;F@MxD~ly>5q@Ljr=D6?4v$WVgTh{p zpFeLB_c)R&wGMql7Z}p8r(83b50cKdD%Q7Y;=Xt9>*ck$C&9)H!eNLYK!f!&{ak$X zF|A8$^;Iq(moKBMc5Lb9Q#q>3dVItoCIGeRkw5dqNTQC|geucd$u4nA0YEJs;t!bA zZ3z)12f|frA-rtl;KLE*=6d424{eg(CuY^7q5XJ)#U#tFYBCj7`tADPASzcckT8ZRwfG6+U;A%02@XxD${YB>%7 zG}#|o=q`fD+@(~YxtY~~Bk*so%-5?odmwbk!-c~9M(Jky*N5w>1PWoly;o%jA!{@A?uHW$Q(7oLnTR%jRFW^1qrsyC9h>*4*7h?)vy?vfj zT2R$c#V_eZ_0rkPOc(MWXhn31`@(1pszTtJ}&N^4g9TlzNF{jy64U7o&ICV&LgJjf>g*$uI&u&pY7R{zcl8J*c!6%lbp3K;~m3@AbW-4z=i&U9_u2x z0GkHxUTU-sck^n*S9#nORG%ZYa86j42Qwt&x;vTtP@gDlx*tivpy`}|zr`~Ll|>v#O_?{(e(T;KbTj>94K ze$SZqdA`oq>-l^<+f%Yjd`yOm1cI!hsY;{tviSb}6Z#`*I{EDGVTdi`#=lR$J)omq9k{d(G=Jx`U=(N@&3Vb4ft>Fz z*>PwbmsmT=oO31T8~%5|i=#FnV_g?8F5=1c_GxCq7_*MbO$7+kHl zq0anEwT~Z7bhvtjy%Lf%VFWkNyeMo@9j%PY;3Kow(bcy6el+l)TDLD)f67t^zYDO=;%sRb z-8qu0o%mgh#+hei>nDN~9Ns5zG<^Q?$gjEU0rJ(e4k-Y^7u6OyQCfQWyY^AefTPBr zP~zm#IsEhN3T#}rPtnw8=N#6A7q63)F9;USCnPnsG?%}954dCePEv|`W`qR;C!5?g z%k;%f%2bIKoc8$v}zuT>%?skXENpXB(!U~CvI)Aj9&QZ1{` zsoR|<32_M#-Y*QBIsA`Z0GXUSd2j%lM4eaRdyUuj#<)`~nlX+pOW(JWeE))A<<~WY zhl!edq0yZPC$c>$?eQ*au;W|Zpq><^tk-Fl+4;wHXv1tSS1fXT$=Y4+;VPI`bFcnt zm=9rf31R(J^t}9dcgCKN5R4R-`t6MWX)(dLL)6?yx1E0@Ra?)BL#+a zTxITv5r&T{FIL2`VS1LnQ~V8A@@adod057UE+w!sZyUbX${ckURra~!GxYuSPHmTD z(}Sp1`lc?ncBJ&2gPZG9lQ*gN_=GqfMf^EdUR#QGrtv-=%C98H&i+(%egTy$)EZPx 
zp5xLLa1qCzrZ5bJsvD9`<|NcEkWRMI&oo$PjrkE9*O+g|d%%FoV-fq7R?#RFtX}yJ zr8zt>wNk6(=qxpOq?_-dg_511tH%p3d(RB_MBYdWg zBoiyXy|L8Hpf!>RoxW-Dy?%Zhkdnp0JP^7JTl4&2>SV!BG7f*2ap}jb?g{w8l8Ax} znpp%ZNO=jLC~XssF!yV3`$APRr$Tc-$&WsM#{PsTp5(I`ohMd9QjUJd;^lVx zsppH|iP)_x8^@^5>zWiRe_rE?B;-kd*-tX_kjQDaL3g3ix8~mwjLCtJMVyU3tACWt zsTuMcXO_aDyxs!cBJ(c|>4Pkto6qE!P}8I$`knGvAf`GizEfVXj&RxJ)SNTMqY&H+C)hIqAfc{X1lkts}LsFGooK zd&q~jiO{PU4yq|Rn{Xy&IYb0k6DQ5XD5)k2-|5{KUqPbDCp%4xI{HIHM6l#!*OM`q zHVVy>CA2CJ9%PvuNs#{S0qqG(wYcR;xknWlovvp0BIK6t)BL_p-qYDnC9ogzZ}rEa ztMYL3G(ob#&0zv@FWiHFf_Yjju8I5gQFF}Nhh)?M^Z|u`Vxw3>*4)vdsbn?XEManpIZ6#{!S?fjC{m6hJ8jZnQtM3$85elM?T{UQZ%H`9wDG6r62SXw{x=^)&b07GZN$mG}lO`i+6+3`LR|WsTh5M z=_FR{l|G12X!j=sp({Z`w$(*e(B(#W~LlRPO8Ff$a4I8V_9; zl;C@?Dlq-j3uY%yFp*m*Qd4BO?n_>y&#|R@Upjx4E%NdlZ1CJV-tg7luYjAR-wBVE zB$;*U&vgtZy%3%`t=?z1P5OOA9``iZYuMG6szT15!$ltA_wbP$N904ZdA1UXPtIJO z6j`tria8r?Ey0*EvbLMcbLc7q+O>Tf({Z{-35BVreJ^@A>$ipQlaTS7xXMOFTc6^4 zSFJ$M54v$9jsN93!kVMEVS&w+MkeMyL_kPM0-9>7v=;ZzXHZsSP1PU)zF@xAOGs^VM4g1GvQo( zgCLXR$cGa_?38EvPMbJqndq4_1JnS|c{Bfa>9@ytlpWu&J>;7=O!%1Ex&h(5C*O;T zDgEA(k#hZ;Xt4;kkqBM)oV&)TliW6=G%P|om*F5{Voq&Hmhy}~XZ{ot7#gexL8YCq zx8^qQR)er~m-TwJ37;Rht8k5eCyFwiznqYi zF0&UMjTLGWA}#&+3!+_nw#o19-L9STS6FG3<#>pUQ_ZWWFV3#ELg6|>RZ1<`M=9Zc z@+a%4g{fg6MZ+|tAGhT?BL&moRcx`z&LFaS{ zqRbn?tga&7swZwXEO1Mue6O?rwRte+`$R&MT8Xl~Z(tlzw}d|Eb*WG3phABBYUliG zyHNFCv@cZX2Xw2ZJ&C!Kr*8O@>%*A@0F5xpL_dL<>#7I5L_#%XX4~V5Byl*wo-brQ%L=S-; zkKJrV!}4peDT3ecUbadGK-fxHJGlDo_%_p}NR&*n0_#3yI`o)x>GQCDPq@vV&7|+$Igxm=NACm=oY2T zf`1HUUS{UN&t8>noPCdr>r~CaZKfO{?!YwvBiIdE@vb?d1$Vqrp7?>~d3J&8uMr=! 
zpxZwzQzwJ+5Yvi@%IlGYCUN~#6yNL%7a3cFZMD?5ce?5y7XpZ_ZAdi<6Ax1SV1ldZ zS0GrkiNpT;p7&7JqXsyhe2k23Tp={o?C0FUlKrjdE47X^H#+&&g%Q_Ni z9l2AkY{WaHZh`R9(zoHq)WX>VWm?g3hXDM6rAUF{oN z;#1@FL_U}b8KXn;+}B^K3wKDD2FNvj&YDsQp?s48w)EVPF8amFfe>-sx5(R~de6Go z3+!eEVt(F^&%?+?Gmgyqee&8%B?r&Jn5bH#K8_+8D=O0?*<-a50^g@SI%Y%yB@69; z_e)01H1e++h~Czeep9YvByo|vE^@l&5qz;0(_Fyuy)AcCONj?`kX}O z4S`78IO7L1kDmHZH#O^{^77#V?fdDsKerC)h^Bn_pkpVV4|%5ZDgM!*n*MB=v0i#R zkJnH0Mo%Xm(iD3|fQ1c{beg*PR0N8PjXWXS|zdn4DEf`h& z;&XppFX|%+F=tUrGH!2cpIB4c+dlWzw2Ql<;!THus>H#|*sEUYnCAOXu)kE-L@Fnt z7zyPudHhCAUn*bk24)bj=n?F)Aw3LqK?Yl zUJGJ+l8)4)^3jSE-J>RMkPVQZ>AwbTE-gUlPxc6XCXZ4K2h#2hC!B2Q;$EKETn`{j z3Ybh1mY!RG8ToW7BEb8L#Eqbg7(30CY{v0x5{y;khQdFl(6xg14ik;c6MKUSK*n+4uR8ApRKpC9iD=8i}eO-4OHN>=WCyqd{_P;)R(02NoViAUhpJhz255C^*W+NM!DW$T8;c} zbtwfm>9lSoSx8nN1JbkSJ-)UN$YKxRW1&hodrUYl5;lX3!<+;M4qL{ivc@&;H%Gms z8VUEV7^*FOQZeqv^U=@3V?)$&Btf&RA6)KsWh2*xZ=`Q@iIa+eGGd$rowMIi(3HJr-ui8U zO=wug$3wz^<#Z;;UPG`e0yK=stYcRA`C8I~W zT&iZv<_vby|9gXQ;0ez>@+al{w9no`BAsUL(KGDftpU8OQa@t(h1)xhv*Y)FmM1mZ z%AZXO)UfgMwk6f|16saVErTYdww72RPnS0&w~qRP-RI?U6CQ; zE5b5$8M8=6-yeZ(9(V5Of8vfkjH4;1x7G+Vkld5hWg!^*#=*I|1dgHBq@iSrgOU7( zUdXla5ju#h^O4~~orkmA4zc;^IlDWm7wwgG-U=-d|GpK)y54fo59Ga^v_;jO5T{M&v^6)x$h~M}ik`;SRybT>au^DEjsS-B! 
zv_5_P#%A{xcF--wre_P|JKcaK_IY-hLckOwN?k0X6~T!@%;^@!2eIE^5kK=Z#*g9b z>CMltjep{5ctdw{9|p_J8AlIpO7Zl%x=l>V{C-oZd#cOLO8|PN_IlWAS2OnxzO{S; z-GS$*`bky&VA@r_JdpUgP4&fMB%&^j5Y@kDVkX3JBvjpraufLd1_7R<&}=`Cm!ww| z4N~n2Y`mBO^QJax&ho*zl#f@A2{1*CA}${dTEzZH-+M>aKNaz?n(W2u1X&8YRKclD zQ{duRUAN#PrO(qFNP%OMI`zY@-n~kF^Xr#8xE#;nt5e)lX1SuSaXB!qz<*WJ^|m_^ zyAwb+rjv$KlUy#3!U(4mHruA{n-dFiwm+(^?-lqh9E5n^K#Kszzj9vHs{xbW8~x2R5o*z?_Q9q3$UF;%W| zBEEg$N{-2J?~|>?5Id|DXtDny{-*LHW4xR0t@@=q2Dz){Xqi2ID5(VX3PWC}4ayf_v-z?5?8UIie%CPg9n1E5>HX9I6c8T&zj-GvWVFU;qd_UCI#0nJagEj~ zH~8*1K+GUtSYI=a3@|HlkNV?U)Fp^K#jlj(rI7lKY20;>r!y;0^4xDOuu3Qq3Nn^r z5Mvk_IP$w8D(&>^s)Wa@oix4DAyn^wc>@y zl{dbUq{H4djlF!@S2-1s`sQq+rZV1E91`yNIFE}M9fR`uq)F&!ouF0T&o!Tq`Ih=r z>)qsHYNpnylim3oPH}%wRh?4iaye zPl+00F8+Z%nqMlB6Evl9nqQS{msT|ddruh`Qf0{YWz>80rLk@_ z*f;!{KJYs9NqkD~z{1r}k%az&M4N61EPZ}i5HQ=Hwbtaj0hw1Hefe%hC9gI}IJa;@ zFUUu>Rr3g+P;y1_`B3@g@`5V-FXwrqLN{rxsG9F>XWgW&5`q0(rVd`r-RJ+ea0f?- z_iGqcQ+_sZURTHI;j)BKe_Ef$z5>I1hC!~dlEm!C3oS=2BlPnBLBay1NfesV2Om2l zINGT5?hj8^$_m@6n4iEt_FH?j+o;vReBSQDt9#kfWo0JIDPP~#);=)(SmXQg4uRpy z666)6=S@?@+)~T5J%N1#V_S+ev#2R#{Sh@8a_a14M3XV*oj>h=`id;(i%_iNJ~Gd@ zsiw*It8|Z@uvaR>^^5Sa*`GFVOik^-10nwT7d?RgCl5X1pP{~1sIs&Dr^rKd&icn! 
zviV<+EsJGd8mPZ14ted{Yx!@vVqTADKsunt;#E=4C?kXLW4p}QVOk7&!5x55BCLUU z^9|OR41TMkOEHKwQBR;4c?IbvZbm7BWAGnQ9pZGtL?S^eMf1o;@W+w)0Yg0-Ex;NF zv9``iLnbqmO5Ii&uHNo9Bv%kWDRkYVAVm5r{YIVp1dCdKqPke}S-+X}?qxZs0>cuP zho~Ii=o2FaIwrcWvj{o-A;h{LFhSoVg{P4En5gL+(6(%sue= zE{(kRZw}Vhek*PxiiD~u-yim2Kfk`FsO#t|ZGFZ6z2-kk&HZVE4vgSA@-6qbPCU|B zHj3Ki4$r;&r`q4T&^8Uetv-?ID35&z9xgfmyt!@{JEg(vVs|JbRW?i+DIBnZ6{Mwq zA^q;WE*O6W>C=vZ2&(HlZMZki~|GqlGBb;{qv&z31d@A7Wd(eu2NfPK~+Kp9yiy zqg+NVKKR9A!5YNG72&8*b#)x=b%^}RnE3rV;?z3l!-ZR72Dc%6hz4zYs;tF1v1gj1 zx8yRs&zU^73|9$f56&c}?-h^}{pQPLv`MZDrdgN|=I06-k7$vqesCW@-MVAV%;8^( zoMdgSQGtPAVq^W7n_oxMruujzY$b5&dC8eg7V1hRaC0%(*{MMw z3+WcqwiG3*Bkqg&4LJLcFQ31e*hXFOK(FL{#jPN3hV)v%2GqESlt<+Gxfc)Zldit{ zrV?%)cjSJ?w>h1s2iJGH)LxO?xk5(Kyt~0hX1y{7<{~5YvZj+QCqKwo_Fhz#?J{WY zx6%;yRcAvzlAi_&oL1Qq_X;q!eQ}!U=m`$b@MA|o(5b8_lo|Kv@08Ctpp(y?MRWGg zbwxQRDtlj0cyQqIXOQPyv#J+H16mzojKjN^VuB%vBquhJfCJ`{bS zjcezO<-gSee?cft4jxEHEDvcqNtjQqM>)gW`{m7n?UhI`G9c!0pj2iqk!B(Z11x5% zWRY~CLTP18%QNQ*RKkB13 zKfm(m%FlZ6TjFrtP82x9oKPn8ALOuExRC$FW@ytu*}PqXO{|fu*D>LjlX29baxB_D zIYzV{A*g2W>Un+@eTwy^B{Uar=k*(g(lEu|9aB5$Wly@d)a<*AYAF?vIJK{x&4uYW z20(f~J?PddTFS$-l#ji>9NIT}L&)FuIcMqIB>PsHapza%gwo9r;ns2fS(Aq|iZOQ| zt8kJv$A6#4R?;eVV-$K-TXC>bjx$v;Q*toEmW4K_$$zLp9Ot^Xi)2hya5^EqwUmNv{#Knv;9yfi*v(`NLqoX zE$@r0nI|?s)L)+X0tVZy;53#!C#a54*$s!9v5?85nCmicrNh`XUYflC&eorf!b?jKrxV`1J38h@I!`TgpLTtU!)mr_^bl5rxR>ZNcj;Nzjf#iENPWR$ zQ1PWJ;zYsmUzlp6YG;5?_O~Z6C$(68snyvqgu&0W9=XU-oyK zA!v4Ht2AxWE zJx?PmQcOi|@x!ifWg&lRfh1XRzaBJjr5ncEkvIJcRqY z@C%pq!40>pbAINtoTn~dG>`uAqdCukagp75&yU=dKhd-f3Xl!{(*q4Ten|@-l5|AG zpULi&^V&YOPC8!kn$!PG+@Wp@q6*jH4qF`?H=QX`Dl1a>AYHa0YVhJ`Vh5k$V19cC1m0_+4DPa-R{scATVaO?-Hf}Kp~IV2OHgV74mKdt-0gy9_|*qP#n z{ua~*-~FvjPvG7{L^iSj{jY#PCh>iy*9U=XQRvD7w9Jp`N?#SX3D2GKPYBok1DL-J zy%8)vgW=UUE6gq(2u{52()}JW5O03bVJm0*U^s7GT2u_8%<;tj=P2EI$rS}W>k7!d zesI&?zid26$|_TrQ`OB9!C&wR{S8qw`9S;ASIV7n zwD%zIBz(Chx0sf4^}y;&WnxAUqsVPMc^48;6o=)aY7-4{lWIEo(-UTl5$brkGr`lW z5>&l_j*#q-e)I{fxc}sXMk1ztTE%%>?lE(%AGH5XZ4&gY@HwJppl4Q~hg 
zmo#1@;=8btq0|0;8Y7Cwpu#RZ8-q*3zOt`q9Aqmr!Bu|GykbPn(Zy{i-hVM|j)^HD z$L;ioS+3VLDz5{_!<}$7#tCQZcxGUO3Qfwo(F@@$^8tcdP0)=QMGIAit}+NJ`Qr+I zUPN&}sMsogSxjCw$$xq0_VZAUivfb1A(^@6#)*w)==t(fe}tt*MdJj@ZjI?Yo)AgK}IZlq77{fmj z39#`H)A(`K;TKGE9J-wkW1<0|;Ad?hhoY1(NQTo2{(>x2_+#ie7(HBa9UU=qoP3>F z-sw!B2t9QcmP(s2%9{6hoFA((Rd@75){YoRmOG8|P8&id9s&+l)0dI^4UCx=wl)@g zJ0O8YZTb_P`)z@z)VWE0nY7xXmeY~vZ(#j0t{h(mrr{St-Q26DMwOI{RLjO>Emx6C zq6Uqs)=05mSG{OsF$d?G82W-GUyb7I+@me7RYaSUk#lBdNF_x%v&J|6j45)AN6fFT zX+Bbi(XwWVO7+fjcwzEKy|}hJnQn2D4eXurnNveYC*)KaHQ=f!AM(AB6aMwy@s1Nq z`c3icO3$t^>^&_p>f(DSn@4m0gFJ=qe(i|f-E;)!2mS;6UK+XZJxY)CRj=U0p<6af zb+|$Eiw&thXn}aL(;;K~zHb=??wB>_@Z$~ZlYFa&P2p(=#@`swTBqy6BZ07*gxfI~ ze@Fj`*)l?`x8e`@x8b4Bw0S#WY&w!h4I5l41sNzs8_q*$=M_R7xeUv~bBn@M_x-Zf z!2T(QSsbie_!{vSe1{k8!GkME6Z#}(OOEVLZv+I-!6>XQk@cegYFk1(MA7+#&MZXy z&SAseXnk!xNj#dpu|$IB#E}OPHv7>-p{mPwUzM*Ji>%~tB>jN0c8jo%ZX<4qQH+-q zgQF>mR0raIlmZ2utPz}ItOb8=QD55fMaf^DlzN8t5%kInO;7I)R4M?t*1k=T!wK>? z)0L#Vc@L+X4IgbsrYwa`o_Pg9uK}69h`!ZScI4DnA1YkA_MO)=ifOUF^EwJqS5};HzimGNWL|#A+=Zz#6c8@aH{6wO%>NMJzT1!e8fG+*!{ZdRivDUbe+#64Yo;jB;UUGPJ4DQz2vAg5*TPD51$!7uJaKw;u5 z$IC*k>6G-JuOQU5YmOK6P47SsW%i7K)v*_hq{k(bX^;_kH7_;G+=liOy~B@QtChNs zdOGy><(LB36WbS&aF2aO=(?(u0o8hRA#&`NBnRJZ%Mc`RICrfj&XRp(_$>U#AKsTj zsk#kCyMH}z=@IgwUXg$V#9rm3#^6%_B&|z=`)ny}3sSPV#n2jNH2>kuDqX5;tvPFc zU!^}DcI`Dwls;`6zFi*Xz&L_E?mXb{K9?P>XjWKrs_|w@dXm_8w4CG$d{V!4{DJc! 
zBH`?fy=LS;| zwXAM@4t;lHma|k&#anStx{S9KGf~(!W-M9qK6%dUO3k|U8;9v}g0)zoKIFkQ@1k3yd;VV}nw~_WJa~qjOE5?Be{7x%djm3j^pZ4vtCY*Z0AvvB; zi?3$-3cXLV!wBUCcpJ&Nf`&#-IsKZ2AqnJTv!PfV-z?`bjSL%&q;7B&UCFq8(CWfu z{QG+DPoZF)d>ERRhFHiXkJG<`TJY^hG;fud|q> zF-ybOk2+{K&`5xKqAArs?D<0_j`dSKl%yAbxX<;!;Ro$dZ#_H#z*M9{1>=J`tPaV>K8xYRIp zwe^<5(<C5g z{g`OhzG}HyY*ERSbj9d#SPaDXg7l;H9_5}ijk!>SI#v!mnkJ-ZS`;ApdKv%B15ac6 zr4htxpW9nz1Rkxo-$D=V`A(x5XxrrCqhgrEjPTEZ@?mx8qc)8r?`q#Cv6JOW~ANj zlYJdDz=Q`TyDI%;?0M?V__kNnK$MZbtJ*tPEAQaJPuf3*5L@LL2#5ZIOBNSE7wQF& zr5Wy_TksInd9uO0L{-f00?>Y_o!IcPOf|d7D}9;exW4|2g}oynkh@?Z$vuHCk#^o# zt3IBs=nQ>MeJ)hJ2((nvrO}538G1%_h`;gjwcP1)s%+up!QcV*Caz&h8Qs<6yNbl5 zLTohxdHATyM^q$twCCZWA^arRR0t-X&;mFNCIl=M|!aJ9A zZwv7d9>2wUdT1Go+1MAXS|p)uFmZ2|Z-@>5KyFX=AE2e&Xp)PUB%h2`UFhwLMSEFY z=(LzHj!jZI@+cv>%+~;ALB?Fe{d!7LdiR@h?>l<4APNwQ)?GcRiXc;(XN1bjQ^dU= zyW9RkuG3@2_WQ9{8cjx53I$J&MuUuoq%sSOnLo-h0mV;reLTtmsX@mCG+OPOveFC1*tR`U`=*)XbDOih646FthgIEums(ecQ=wQ6HVmh7Ki3wr=w6nTAmO`;3%A%n?DcAXg z*n=$6DY8_Tadp@fHDFlns=^GkN@pSG5l6V9S-{;BLhou(6-SyR7@L>>URgdG87Y6w zUEuf4b-y${{Ue@@QzKEV;@i^km^fB>*((sXbW@<+eBNkG&^a65p(0&S*wkzn>BDN` zdN<6oE-E1HLF`wXmBi-w!M-h;6Gs^czCf`jDF;6A;^Bd zvOqRA1EX^v;7=FG=QtlXInt;&ca6{Q&!ORN+~L$@_c7}9E$hE=jiZ<&{?p#Fb6$k? 
zM-IQ$28#tQ(7)OADF;ldHPz2w?SMSX_z&fV#lc7V543=S%<~$wppQO>9yEM&i0{&_ z-1395d78-t$7arohA{NsZqER-VNJ9 zD3e=ykVE;b^%z#Nj5ulT*9wcO#dE8<+7sd*+Jq(N_<^2kmWTKZ!eGF7$A+R1^6fBq zBa$uf?u9qYJY-FkeEF%bwE6V$Yuz6n{As3#r0-diCzj!Ku9D6m9u4i)d!Q|D`F9@4 zjRpMv1UeD@Bnwl4ZY{R{<()kaqiuV1A97s8Q{{?U;Rm}-Krmffv=K&)LAPC|xKZ;WAdrxeN(TKp>_$+5n6o6FouI$C<8Fwtk4DI@-cG$)^xLFcS?QSrh9ho(^a!{YKlT0R}tO^olf z>l~!#7wAU>_QgQ1@2n#ConIZ|{1MV}|f#tRmWx;SJ$^M@@VYh&_`)Wro?U+aMT z{#^<>jJ_lzu1^ZzifyY@vA598k z>8srW7i)r9PAl{T2~57TuddCq)o--Xvcx@P=s+7I_(Oz3e!Pla>n7sc@l}`F`4Le& z0;;V0Q4@+uu6NLt(vzrs4ob2ZW4~7%c?o=W!#{@fSTJ57=pR9yuqE!6Zxm#Pbh9eh zgw7b;SSqsa3`Ia-zrAS z2okaTp_&GFrVEmR+JXr|d$n5*Crh^Z&IprB2>w&2XAMo*M;yeqOfndy$2Da58@&{$>Y1mln3PGJy)WBvwO7q6kOS$Z>s9&Xz$f0D^A*xKl_!UQg5{y#E41FfrB1ZK?u6F!F8jnra+H>V{%d^!?hP zc;{%=&RwpG^eMSR;~!|^ZFBXuhqN+_$p@jyJ#l43L}F_=v=Cyvp1fwN&W9nN`|O^OXHPx*;8Xqis{ds!=la13Wt+Ij{ zY;KtefFF9&$kK28ZJ!(#hPIKoDLyh(ZhR|-{Zl@%yczjC&?sk?rpmLo`mB>R_RKv- zrs(7Ez7lG=rd}Ne%_&6?)9J^ZDQCgR?i3YDAXnjHECh6u&mMU*tyyBKRoU$@Bq8jg zEc^M`V;d=$p#lSSg9;}BHxrw>Bw2OtS~X@b0n0n?O*6j)T15Qcy zmUlg8GT*8MfC;kOO&_pa_eivyhq2YA%yAMs-D zbJN@=r;n7r-#T+08qOY)k8W|OT9?-%w-EO!a(y$S9FZPtDL21Jay?UtWK>{SffMiP zKgY6>#Mit?W~L;+$TFE-Gv~6KCQ}v@&|Gfs9owy*gjv~dT_9CUU6=$}SjonaVd8&5 zP9jI~Ylf6Z`lR%|r@#-vqIRjsp?9`AtHWj8>$gR4-1n=>JsUJwb%-MfL~OD0VU2eL z4LO27*&H?U^c#C>os9wmx#If6>!(G-+0P+IWs-_YrvKbJsbw-TCLdRz z0SEu8Ma3owIVnK+@vPWKCBpXcQ}}eP4YCqh^B07AO0ykZf$5CF@-7QA4=VPUC^+lg zotjaIm8N88-m#YBW$Zb9I6kjUJ(*3{7bSGjo`YrQR&~%Ol}D9+Zw^oIxF!Q;zvlO$ zgEJ?<%7&$?k`#XqfwT?LVX!tyGk4n!kEw>oP3t82oQqOD!tVVSLb5C$!=m-U^tD0UTS{0;kro@}ZpM zNjx%VPa%5GLjBmJ6;CQHn^up#%e7dQLrQESjn%=(7mVAQlnJWe~J_^@yW7l=KM) zoA8!_{dtw~xc{Z2t-@;ZlQ);k2VvxMn`>>eV5$J0XD%v1-Kga~gg(C{+7tv`lx&EF zJBdYnm6;K33I>5r^y9cvlpJa1<18!!!J&pIa!?m)$kt1kZtqce^DDvrce2xmv_>}j zQw-#=5{JW@c*L*jc*z{TuLpjzYT(y_s$;JFxR>08AwIxFAgT~8FdnkZ+)~>|c6i73 z$`HH2gNiWwT8f3%6pyfrcDZWIUio*}^Sq0LR2WIQP5m;7sQ@?Z9ejtiC+Gf$8E;Re zxfkvkOZYfQ_plnne3O%6wia=wJS0J`%+*HiyY`oxXU5#V5HKhFeKJwk-{Ku3yN}CU 
zdRr@&RJYCTg{%$%Pgr>GA0=gXXls9Dpftv^QOgHvBMn8F#f;bwb8mtV3Us}exV^VR z5*lwtCgC|0oP&Ce`W#))*XYZ!+_hPJ(*062g|XhmtQe^97Z-5__ypWmG@2Pb9u-TS z!11G<`XjRbf-tD712%W?^E6$nw==ar^N`rFibRq<-cfLTM}9VFGdxhAdQz9LQAyF5 z)D51cA#M*#+gHZ$IOoJ{S;aeudf5G8=~MyhpU@ksI%zZZlHPtaO0m=_tL^Hm@2x>G zohsD9!sCnOF7DowB~m^D0j_S=s!yZ59Tqf~zc+J+yuo>jg4gbi_j;8+zzlUrbQ|tQ7tp#J^o2 zozEed!P%%5#7C+R)=$Z7e&;K=-+W|jJV-17+O2hTkDKgFQE3yzSHasP#BZf3ld?jS z5|kw`;6gdC&xWhSLAIQ8)#-gVDL5F{c3KFKUy>MGK9ezXM^#+D_`B=Goziuf zJCU|8XN#&n+sDXl*L=q2YIzP80+w9UIdTcf;5yluB-+e>FPi|uDe;e0^ic?lr(Nnhh71K zzWz+^!$R=Ev7+Uvi4*nbeN*S$8Gqe+@2GyIB5!>yUoZ7mki&9i1w*sR(c+)*j`W#q zI!gmZ)L(g?9Ur591!Zrj4k1d+5cRg&0(|)S9^Ve?I1cG+>XBI1gM_#)<6+c*IaPyT z!Y2El!*`$i>?%Iz&B-R=6dc-iONDfGMirbR>_7gRdfcbd;dS!HJpITlKkXful2W<1 zjfrDT%F#IcO@?JtCtoFdd+&{;#8Eak$d+C(E3u~&eGC-HCAec$ z!&yAPzwSLyo%gewDE8*A$JschUrcZRiT|uq{Zva#XoP_}577agfaW7*(~c97F$O`- zigoCQ#m?@Al@xh%+xHPcg!0(SWE-Pfyn#k_HM|m6A6#ns7I%F^`9k?0gS}o7d@Yw~ ze}jl@M<-hF#y=UY`uUR_bh{?ZP}=RTlkRs2%k$>n+exjVh%A3~0qV`K!%<&c39e4g zN0eEMcPLSz$;ivvweUpGPssvR&n_4})Vy%|Oj3TbDQ$`9PUW$ZRx`BECr1;qvaJXg zHf+Ko-5z)|rTl-`Um2JJ}bIn$D+_F1$^X zQI|~o*evy0&}T063XCjtJ*6&<^I^@g z>r2&{`Spo&sUce`nO3{dS5Zyz^Gh8i>Q_;QV|3t(opf+5{azs;fY`mfe!uPsO%m7= zb`X1$Qf@zL)QDluoEbrz53SCM0|Fohg*Sj&X^OS>?UxIRIMY>$K(U2J?SmjX@R zfuDjOIz#CZ$T9FaT3`T5vGLdN!%I&1*3j`caTg&M%XTxdg|_M#-!MXbA~>*|`4|pc zb{aj!K&=eHe`SAb!BNu$;Zs=mEVFj;s<2H*97-84{0;${uoexVsJWFx?=%DpvVHlt zi}f4er2pt&k)^}%&t&-je*ub6rN14RTiMi8FuK0XTrDjc)Q2}aG~iw+}-QoHx7+-&ON`};$RbdLebs#XdKmQWLK4D|Db+!*DO}LT;^QBQl632 zmd@F!AMIN@=Zgn5-~*e~Qb!1e%_939V*G1E;YTJ>0@KbuM&M5eO$08Q%sM z9Yln+t{{k7iO-PiLPNSmPnz0fn4V_Q5voN`o+iITt8!C1z(=-~+%}7j#WOdWPcU5TZhxB8miw$LHz^?U~@MxMkd~Pd=x;jwHCBo?6a3IUqt(PqDYH z9=+sd9VgF%ki3)j^{b!{L|K7hXOqgsv3egF13xJ>ck~xF^SxRlv4X{(rK^OG`f*Et ze)oNj6{(@iC{UjHOEhxi1hXLH>6c%SI2<#I;SG2>(rDXFZs4xXEPgzNx_tA&;7i(KhN`jc|Xsqe8x1_xUSKG(dzq z^#8-F5c+GltBcSQotc~1VuW(EhPOZFrVo@b9GQ395)CnjTD9Qunwx=s&3N^J`6fX8 z%SMo&fI3r*2cRDvv2o}H3~a{_0a(0c;0ffFIy0^y$g&#LY?CfHg{_tzbCYI9{`=n^ 
zku+%jZnz`AKq~llp<(F0pH%RWLl-%d8j%u$JV${#h_U=JRwF0<;{otZ4 zgAsVZ<+O?=&}k~~30Jhy=|aucl7f@NVz(|OLyHbCo3GuS^f#k3+fxMA1CGhC{PVb*Xpo@sM5;ra7X;Lw`WeTOrVAf!9?cnt zRolF{aQ)(l6vpJ{9tRV+v;bY#RbwdUwXP(PnB-4c>ip zyzV7BXa^8)!$OZD+i@Y6!*S8NXV!))OahpSpRfB=VW*XrF+WYkP&eKXgEdtd4nf20 z_!ZK4))ICG+Qqf%&Ad3|zNzZ#vyAL_kP6Wu+QKYp+@t7aHedAqLJj}{Qz>qjy9)@S zHh-+gJ;c`jh1|(D&V2h*(?u#JMvEIrrvH{P1%{AnQ{V}PqE`W*V7X^Qlk&(0)d%B| zA*l_-xMst~OUL`otKw?~hWP#)!S?9QD2#s(A8}c+XYz51 z<+^FJeB;Krr~S9bm-#i@!{%`>P#pdUD_SW0310XL<*FOs>L)kSywck|X8MnzJ|D)b z2?iYVk~M#()v=|h=jb*Wx;)u-5x=SZtjXMy?UkOVcMw}--p_sTiUWH!wJA# z?j=Wo_At{A+Uv53){MbdRs?wLMvDH1AH=$kwQg|R#$>Lur>xTq;|l7>rL}J})0nrb@mA{r~0)6LieZV;~lg0Cpt>pCcAh8vV}p0&p7|f@hkq zOn^7gP5$Q_(0_kFQGjG4A^v(hGu0E7JK&7{ZhYl_c`j+^gR8$i$0er9JvX3u!z z)5I?Rx_gRI8{$oxIJ;*J?grZVmJ>*pL=((p2z{X8MCpmVr9pnnTkc+Vt%)sj|3YAC zx8EuxruRjQ&n6h?uI6&|VI~<&;qE38F0eUky9MPRma}%v0Q$;u9Qc-c%Ftqt5cJTo z-9aiho^En+(T^4mZt}3v`fmhT0eC5Q<{T)m;*MDEKv(~?Q3hX$fxk7>+&{>SjLmK3=MYd?sT-U3^p>l#9GhdwKgz#C4;O*=XauVnbV^j!NpKGN^l^!g85Qf`@fKw z9LWCQBxZ?s_Q8N}T7t{504BSg?}y(?d2Y|Lyq2*e#pk=ve9bsCB;dd&9OMw4UYC_3 zp$;xfioz&&rA;T}fD9G?-LvUM4@8NbVlAV<@TSdnW|z*qP0=wf=_jVOp(K9HSX=qv zb~eX4+b6zVc&gg7b%@230?nS&^oSq}q)ZUKcPl9is4Z+;WKSiM| za!|QgmJI68Oz5hurRuW$P&EBm7k}=-FWT^VW7!3Lept6L#+ABGduIT5#)L18bZ5i< zg^ax7VK~YJ=?RQYk{XFC^sas^O-}7lg6L}=Ntg)z6}y;hJ0fWEp8o;?XN6m+1v;Q8 zk$)kR^*;YX3Jh=(C{A?W1EL=-vIi~ar!I|-oEuAGA znng@3|33HJX-3^=3;iXC3jYCL$Oxokm)v#TjXQEkx(%e`1?e)WN0{7TI zG-=UUV(7JtGL(ju-O4g3o%ue+2nnwyPDG&{lw;EFSgzWfOSRZ5R+^M*s<7@nQ(x_C zAFd)-{LjKu&e3QHh}3Y9TA5M+M%Dt0#$)Mtn`R>7fB<618+mL3t8GjyX`Meiq{c!q zbMRDnE{_OlXc-o=)7=Rpn}3Iiq8AcDNH<9l8dqC5+T01-Y$ggxli^v9n2<*k5=-~tEYZIzvGDd zIfu&G3gG+$+Cgros0XxCP?s#zCDD^@egN=pK8`0Ep`#i&Kr>)ELQ%O>!^Hs_t-4w@ z`7|N?ns)-}jLgfrSdPF0#0(>y`90-2Iq%>lNh6ld@ABYiC6an85V4rHd5&d9H5XxY zzgL?x!N3c2cO0YlurWEOkQPLfo`$pzgz#tPQWu37ubSb2@{-FD5MBOD&}{huP__Zm zEp$UnR;TGVd{2m8-lX#{M4U~7-n0N>)Xlb6V?&eBe@m-NXfRyqoy6L6$?=7E9{!kb zx{aQ;W7sx?h|9bNQ98@pT`sfa#@+cf1!|w9y$I$ilozq67dXdb`ggM4L*DKda(dZx 
zF^Ir+`+n>d;eeYaD#n-;y)6J%{Z&gpbxN3i`t8Zz+BYtOQ`}%QH5@x)GBeYC@JC(9 zB>eizE#Sm8x}q1LFL+O8#M6;lva3`U6aq|C|33i+qW>FvWQz_%nvf%jc@NR2scIy? zyv5SnH)1*bK7JqHRlPN4dqu&%h(S#bNW2H4XI@NA&!eTU7K{WY_?F+falqR-q$diEZZap>iui~A=|Y_!E%S-9znlEM zv85@YUwh{<+xN|W5r)1pQ2)|$b=ApktxJoAkyOtzmw8^+@2W9wQ)eq#cMdnMyXy6& zt-v?EZLR?G2UBx|vvAekCTObX`q+d#KN?51VCGz?+*yufc95nIGMw=YBgpC%W zwwxn}m*M@x?q^0c;NE^r77bCj4cX)E8qyQGY=ABPEmWG__`%xPp~z*o$H&c^ktbDf z@iD14R+IHJ1GJoX8fido1PWaHw2#H4Yh6Nx(aH*T&WeR&N;b=csCdHbM@bCYgr>D< z$UJc(THA18&UK~}#WPw~6?eC)}Oo%fOQzLdqAdP5mm`~CM3A^j>V~q zrEL~(O`s|q=_~8D;--3BgQ~R`jXatoYQNR`Io6Bqlij8h37$4|v^#eCXDlqH1$468^6}LB$a;N95IPDlJ8h?- z-Km%-1TZQ*JEr*axQ$lURi_8gA_*V=%*L<3j076X`y4eTbIkq$VkP@d+~Do%Wgw$xyoeC=$F?5j2jau_gXV=KvHw#&uf{-g2+U~Q3ICXQMzYyx>|I{u|71{Ra5B}+}pysMEg5Mf|E&Ciy%Sf z!7da-YS0&AP3A(3GK?IG*BknF>q((LTF%N!;NtS3v%vAG>JWjPSlr~G9#D~zw7_Z~^^hNmSKG0TrrHuPBI{|oQl$72zt3xF&uoGkrz~BvFeMkH z>%Yn}z9(X1w2c=Kr>FcY+m5onV?M8bcc^NqOz6^PzgPU!XW8h1M0|HOGMFUMgX7sB zA)sGR(?EZE-=0ek;UhRrK+C}!GAEP6H{_!}ghjk zwr;|Vnuk>vhE`4P#qkpiD%{W9Ni_7)n7;0M;u!XABgD5083Td`-)S<90XhX(_X8M= zOnEf6@yCO&(&mOZbXx6<;j)c2E}hRmhoAhymJNL6z)D$5`X@m6%@~S z>@ugt=pASt(vaLtx<;V=->XPz@ZjlaXZ7HI0joPx}>& zq1;{FLJh9C?`k*y+?*@-j<4hWb)lDZxsRL2NBpn8i67I8j{x#~-=F_rmR3v`aY=Lr zT&kGQT~Cg^ikJ=<=ronxh>>2%TYYE)ril%hg50S_*W(J?5{X`&$d+jz&vZ1XI9ob(4tTnsy~1wyG_}S8}L3IET;BdB|CuS<`NbHsQI(~yj@o{-Tzn(T->2GCopIKfV)%V;G zxpN{|;Bnx@k^}F}2aHEaVF!n}ojW<)WXIdk?-P6rIYqn2LDz$AHyDUmDM!GG(s-c$ zZN4*-Y;a50XOd&>J`NE>D-@F=wk~0(6@iXOZwd*~GdP30US}lLGJ#%{9sR+HaB@Ts z+1vj}HT}Zz$LkhK?CG%S;1t7z|4Mhmb|;K$-aoJNVnD6=Uu1(2M?Nn_)xRg9 z{{`0kKl?BAzcCg5Par zA0fyl)qx_3{D(M@w9kYSF7fH067Wry~}pZKd^81es+Jw}XUMaBgsRmuZeJBM;S| z57X|}#Q(bY55uo)!7p01mXO1U=sy78gZkd0M*J0?=XS@4{nOEsLF#y_vBbbzp7XtO zCm`DI7R=rAQQhEuJ}kVAE%hU+tD=4^0R?`E!RbB1vhb_Uj6XlgR}d#cnoL0H$F1>- zs^yAMPBM%;cxMo*F8BSL|9!E-Lz3-73smRyP)+O_UB0riF~O77cR(d|kA1isFbMTv z>_axoB$EYbye@CI8k>w} zk&svobtLOA?y+o#ry3+9C_q%T%BJ?@Tu`=}?mPyEPJ4@`i$kf3kRPIW2v zzieENoc1>OxL~*p#S7tPXD7QieAKoYplxvGHFRayN|$j|SvMBJ+y6-+TKwC^^fY;( 
za_&87Nd#vG^aEmTtQwqSz1HsNs2d^Y7V?c?0P$j>_Fyb2*u{fPbP2u3FT*AcAvHGl z&9A(J^``aQH0cYlV1rPXKD7KG)^1oWDVm$a?{+o})WoPp3s@;gZ(SdBIRr zCTq@Z+L$gj>+U`vu>)DLk>KpLovoANnNrAl$>*P@Yz&wOMJ5V?X9@y@T%=`7W&yd@ z+}hHu&hnx4)1)gxTc-@SArdmfAu51k=iQyHMO+5z_AgFu&iCAMviMf9@!Vc-g(WQK z%|yz?I=l_`3g{o`3b@imMwK=TbF4YEmH9SbSGIm)e9D**NNBN7K9D1Am^MXP4!_n{ zK#w1+P~I?*3V3x!+1$L`n`8nZnoZ1bXX675s`xkC4BQzjEKyX-4|3wQ2aR47n zHTg)kY=5{|H@afw|1(XCH|PDcW1iNqE?7ihZ9A4zCSo6;oC||q)Nvph9Va9ib|Kzf zkbq|1bv&ysvp=3tg^_;A^!(vfigZi8dqN5N#bZ9-1I9Id(0rg?cu+w~Um$tpNKMmz zBO^dJ=Or`qeM%*V*ehKno&tXt0xSPO>!Mm zK)B<17j1c3PWaC(8cTIoiueUS`^=|BvHQmgqyJd%DFO>E&*c#O&|nKC+iiEFq(`XA zPZXZdx?T*p(5K{ku1)h2(-P+9ewNe0b8<`}c>u{>&?Z*u^D}?vk=2%!v*}Sl(hVNv zk>U+Dh(8*&h3YR=7L1rf_Xej zE~0VhZ2ZKnxUV|R+cBQU2qNm7}CK;=SgB%I1=l+HG z-{=9TIiTDwg;XG!w>Mjg%5<(XxTSylVvLY^EApE8QEd2=-rst;9G5;sSKB-P`BQUn zApz?tcRhda_@u1NOa|l+$4flpc8k&)zd1j@;q4*S;SX!Sm8{=JAnSH_wpjXP&Rh`@ znP`}$O4CvlJE!lE-joJ&ec9C=&*vAUU*J!k7;fHP{L_|m+FxU#yLv$YTZ*gp32!*N zrb3X?kd+X;#MaK<-l9R8*eG3sF_6tnNxlW2R{!uFc_}0ra=iTo3|W@EUXC>b*@Rz^ z3ydFKq!nK!aDJsO=pV89R`gxH(sntMwQNL-I6ePNql)PENfD1 ze-#C#VYGb+)|YjRJN&KVQpw>6x_L z9xk#k!#mzb5u+Ma56O(Hv1}^Ml`aHDh7BanD!4ujy&mNE*jF;>2efa`{K_JR#cf_? 
zT>J-8!%1orNcGy^4)Jr82{)b1mR~nkp6s_UzVwqM6QjDRv}U@~dR8T_r{*9@A?HH| z1oVuKpak^B(h@czRmSp7M~RF4w>00kwDCZ}(>o0NOc*m8{*RM=#cS#f&;H@vT8TgI z_*=-}6!Sq}?x}m`BN>Amc_iiA<1aRaIyR1yZQm!BotdvW=w-hs-w+$bkQ8)kFOPEC zKXOCNnWX=|c_v3@1H0_8w~PF?gzpC$^@|zu(;L7WIGUfXQct{h*}|$sMVpfL%<`;; z9NpvmHFiBnZFSHj?X~u`1I{xf{laO|H@E{@8NNUAZSe2b&pKos8INQGmPXm)nH?yp zkZV4Cf)=-b11p>LJU_F;_{fajzcbJ39A4LhBmT%u$>x>@_e6bxpGQe15QaV(2zwPn zoPKb1KE2E4OzKxnz^rmpR0_C2Nndaa5!kc-b)y2 znan$1i5QEsnsO}*Uqpf1Y?gCbPpb__PEU(m1u?7OC!YrY^01(XUx34y@o}ju;x*@W z$fYKr^TMWv54Vv5Z8SG)|Bs0a@xRXH&Mo%||9t8JA%49_iH7WclEr$GY+Es${udYL zB0F__>E8u>cx%pEAVJ?o(W`OnhJ2OEM~nI;CZAmPm_8E)QttwwxNH8ZS2cyjW*bF?w~dsZjLvY1C7@ zV{A=j0F$zNbk6Ud=);$XKNy{{ADgaF=C^O13gJrswuJ2n%+TDxXBuA zGf$9cIJX29enT|S3T1#LYTINL+OAD}S#5A=N;5ZSmxva4)7Yp1foMvHoHMm`B7+eC z$+z$$xMxv5jn-TiJn*Sb>E#iftg!CfqlGU;9soKq2&Qea6OmwmrVN6V5*DUh@4X$h8;1Sl!NHC4Z zQ+Uc~^N4NFM#O9nw)uIB$dHn@aoOZ=zWBre^kqGav~P)Ks|>K(yq~!MaPbUjizYLQ z=qe^F-J#t>L44zgAHe=4?(Z3HtP)E)Z~%%@ylNwn`b+lN<^$(}%2#$><$ZFq=B5P9 z6yOH%5&yPouxi2T4^_#QemAId8zqwt7cy4Sc8Eh!H9Q4cNRQ3sc%$u|Z}l+`1Vy znPDq{>TXf_p;}xG=UA&bTGA_+p1tZ`;J_&3Xg&6NuXg}~^w!tCF@H|z+`W?ba$o($ z<4?kG?rlfpK&dXIyZZ~oxr)*%CgyDqW@G=p&AMY2&2PBZ0VZ@!esi1_v+YaEP!?R> zELxHtok_&>d{_KioDaY`>AZmHN<*cnyy3lW~RN|$-^s}hv7l&krXMU(HQkwaKR(B=D6@z zA0>*u3HQH?|9Fxp+EYK>vd6G9#(Pi;;>|9HZ?)lB8cJ-!y*em;w00_+(RDDs_m>e* z@{I4$mi&@@zgFqxEjO0m*({j>Lg(xfcwfA@y z;C3L8`hcP&GJ7G~j1zKv+Q{SGgw-N!N`p`st-yV^F@EBD^c_J7oUcW%4s#r5G)s2+ zcTUIEM%t$^#juvYUAeFQOP@9Ro$p-YEKp)PGh}N`?my5W)r5W2EnUnqnCUd_j4+6n zJb(ME<~LW1G4f^;_l(+3O;*9|nox5~EZkeCtKEvAXVBv~v&)_bErkSOTJbM6Z26oT zM)!p~K006aK3-Q3K_tHJyU~x#ec6AZ_ffni)_xSlOaDr=oO@_NZZ{kik2}z8xGSa) zW%Nr~7D=3(_%Y8zzCeJnP&vkQg{<&1N+rcC@8-^Up45OSKk}gDiOLhUU&AW4W9VZ3 zcXzuQvWp96tt_75MRc9g{l1vSeTAB>>+x=)oq*(E7>-yAuQk16G2nN=QIUjxv5|?y zYqZR+I0cf>$9|_~OOoQ_a&6PBg0CJ32mIs2&Sd~uNO+DuwI75C*VW2g*hOB)Sl|CK zevbLeuESjQQ#pg#XFqozLECK)&$WP~>z9IBdW060rDlgV6HdOM;9iJ*Aq5v*jPGhl5FN@Yq(^4ei>=Y z#s6G51!@1#GV%ooiWF4DBe=;Ww}(9(UT 
zx9um)SwD50tC6oi8yj?TD3oF2g#0=fwIb*@(64j>>*h$(d?g%$ilUy3pIOAWVoxKj z{J%|C|IRj(Sjb7F*7fLI@tqC!wmt4PFFnz8tHh*q-LKNx=8>jvlA+|!0}&$h@nv&7 ziX|Q-$6m|$ltS!VA2%ja`Vs|S_XaL8$Dq4^`27kL8Vam5%nlq#w|cs483B426DJjX zRoI!+F4exit7#$p(YqvjhuQo+0uJs|s<{_u_s1ByRh50?b|5uYKe(B~<)XnHKtOPQ z|EQ%J&Ek_1f4U*n4?wdj@?qUA>ZF!B>*U&eONEz$K)-W_wU;KD&~r3LS# z&Y!#Mwm$UnoSmCg0Ew_R2eY(N;1Le}jo;+-{1?KU226f2f;Mu(6QC+2{|x?kVwXp( zwTAh~JQCG|-Z9Ulx0%}>iQM17^T2=pXi^4n#UpciwAvE998XR81=iO633?w>EHX}xEq`{+J*u?}r5v6`njcLA5A6?)o42xaKmR~|lbI^^I zqtWYRFqfCNz3&gF|5Iu9S1S@c&%8veH&Rf=hc~2X+7v7Z(i; zfx6O|Xjx5$KBVMDjn`D@l2JD8b4bp zu|!-4{(vLxUxZ?}|NB4k8?{gvHPT008JA}Fhn@*axLdQ;b+$^}>$5fmcTdb#|Q^5xD%3%QDg)d|i zdOP4@U*6A|k)hxG3_oBE1Hfa~9dt-*Z8wa0fjjOdch5(+arm>GL%A;i6{EsIV=iL+ z9Sk)br(U7RPp+a_K28-Ic`${ZWAf5sX3o%=67UuAG8DiL2HSRs!HK~W(`s27_l7@4 zRY<3vvpbCRNru3R)XEoNF*dqn`-?d&u8K@tUjQe`RIw>?H1CD(df2w@U4Q$7(NV{2 zd1Ya;?|4wa4I{^L-`G#t%sU0Uj6rezda$$pg#><}BkoijUE^7Xd1=c~pz&Tpyyy!g8i5?v!L~ z`SqJ$3m%?d!U^VbL~f&4sa~TVKXEwXR;j1=MgAlUT_;B!BdLm8!S9Ld9W9q8T27EL zZ8%=l_59TDf-UV6c`6l>4kK(yC<6hpG13H8wYGcvND!>1)*v)p&D4Zqh;(g;Ft%ti zzStwDa+#KmPk9o0DMm+@QETC@Dq5iFd|aCq6;|{B_@jZe9gMoj*gwPKaO zYb!qYe5OGzxt(E6bMI`+H8RhpOt&)YjTME7Lz&SO*L}ncjDGW-?Eyz5uy_o0g>$3M zy76gTb}S`WKREbKx;l8g>t{vh!s!mVZ-#f+P+_yqC~?5aY|eAZIra4HYN=vuF;l3f zv_5nYsB#* zU$cRcR>C~Gx=RYzGPFtR4_xe0j|uphi!<(@$RgljWNgp5$J+OiN3SxTNuQK{!=ceH zStA;9{JV)+^0uv=zxlyXeRF-}Z4y4xJ-?>TA=+ZY`i)$9o3tQupkovPi}T8y^Sm)^AsphFy$3phvQjr3E{Xr-oE!$zyF54x z7Ar|hM(X=W?x^;kD2Nj5^Nd|$dq=X(-gP}H?Yza-wcMFlJ8zis)?}1BngZCPw$uz| zaLinfD5MUc{C+@x|JgtXst&%Q%a3MUIA4XUd)IxN@zA$i{ja5S&ox^)^58)XxsO$UK6jj!F*M8u#tQ7Wmm8UMGoD^O~TQTHt1C@^OdM|J+Xaa#>72x z4+-7TfR0x#tA0&jbqK1rbW$IWktCe`ZZtXAwnB~z#BBPIc~tF@t*14^Rq0PO zPG6sS5EOOiCd-oGeS0EN4RBmP)EES(!U;D#P5LI4n9DJ$JQdS@w1p*x-4DLGi1m1(>1Y+8 z#O%F%_+&_6Me-a}WCbc(vb)}G%Z)@V%^B@0bGcT2@2W`1dlPzQ(oiVt6ZBV5vaJiM z55HqXeFFAb+rNsDfA`r{<&BB5H8D-H4gtYNj`nMb?s^(}QFHfXv~&8a74j7u-Ri@- zHPb1M`;xGB+!dgDjydFPa;NX1kEAWB)VhBmm?$(Jv7&c+yapubGXq-m7J%ydF<#+j 
z1>T+T3)~jl=jh*Vday!tRT?+|a#GL#s4B5#>0$ND$bW`=mgv_cmmAy#S28K?J-`lH z<-~v{#@4)JJ;??uo@F5!J8!&PQP*ajS+fu}B7pr2NGrDFePSUc30%(h7zpaxjm5>r zL1wD(I1>HdW#tZu?}L=prLk+859#;rA4qOVOt;uhpm?akB=ut5$}(r6=H=xMz5pp< zj824Ah!*?U0e@Swtz|Rqtp{$AHS7KO-sIL@ZlRLP{lXqF`D5(nmwJD-=%A;KmtsAJ z`Uoy#Z&Do84*=0HRQnU;X#2o}xYFtTg3YfL&b8OrTjf&PT19z23w@j7KO(unu*)#H zhkg0%1px74Umr9$&V87$h!)p5b{j&IZw9g^DdbsyF_}yN*4_lzsj+~TuwcJp^3p$} z%0E?RAGxOP-24f#n0Am{conYF>eggL}hfD!>4nfA$bpjYq zT?<6hg0F#+A{s)IqLrYe$&GD+d~r^TZnzCn>1UjC_L-QFBA#$V`e{Ee1CC}C%HOO< zOq%#7dIPENQv4{UXv;o8sOcT46F#7Kjd<~i!ZNmZ(!b^ade$5>27&k9Xh7z_`pu1?>yhQBzc<1^)S%TixJptWn;)@|8CM?r`q{;Iihq9kk+sAL%=ULAqZ{o%u zs8f`3KHf;Wq5C^E;Ply?PbE3+A=>=imwkFV;L$=UsTc{#j1!**oFsx5&Lkrhf^S2l zTl#4QRWtA?(6!Ja`RVHoI3_kx0^|{X;Xd}WU6)ukQ?W@XE!T24IDeB_5W|C5S1!HJ z>2mF?`U!?mE${68efY-vvPtqpYqk_w6R3RxW#5-3iU(HZ6?gJ#)6TJT{K*c{H708< zq>{r(Fn!|4`ydMsritv(agKT8tj-HQCO$UrLD z=*sb2?Qj>~3`5xFaRJ!2&{~T&;9OVuYtidn&_^bB=-qxpwq*0J7NOY|-`~sEzYC_` zdm%FcS#Sacv=JZ$8+PV!QcZ)3*7z%hdEbtIAJyc%b`mao>e8$MvyKr}ejaY0e^Zi<@u03P91KL({XqI&HzE08zgyBy+v4fnxcbAUM(;+E zrDsh*nUo>fV(gbewAFf~fq;X{!%&?zwFB73El_HFYy_1*7{?B!knRVUP`J^(s{mOr zsRQ40fCM0Vlw)+Y0l-+znu}tVDyrVTcH>M{jXjUnodv#ADBnK-oG^;E9~5x|w1sz% z{I9MZxa?6HHDw+;c&&>hETup%^NRg9WYpiOlXX5wc$N&ctip>rrr9PHwh>s2k`*kmqxb>uMN2S6U*@f2u4&a4|%(vU>^pg0*{~ z9JdEd>kAKTlF+YxRk{d@oY$j0PDp=KdEJqmoJ4w;V|ge;7qVLNqp|Ly7j$s{LWDjK zI01g_Ag7D@Wu>XJ3*&i9(LCVt3Vdbo%fFfW;Y5OOD?QJulSQVhwQ4K z$Y0Qj?8g){HV2_M3qDWJQ?Cv0#rSeaXMU8;VdBE5#xI(*43zGaX4>ID z1|om5@Lu!`;Y4Nr*RQ2P1^k#x{n}jbr*#g>FYWOz0Bvu#W+(w0{TU(QJXLL+`DSij zKJB8x)b<-sJyCE>m?2%XCZaoU$?Nmq?aOyFH=TMkUCAxB`n@xOG2wIU6-h4x!@yzM zXKk3nB0Spg&hVWMzG{!!4gQc?t+!9*ZhJCx?(9?UZ|86bPbk@$$-Si|A)@T#Od>h0C*Fddt!Hez}}+I3pH#j@;>oHT4!Y* z7)FePW8o$7Fn%U8_+kM{1N~!AgU&efFNE|7vXjHJYOhaHD#@4Iw9@KZyfSer{wh8F zvk

Rb#q4&$D<U5U354FANGsvGF#lgm7Np=mlM3?#1PkrAj{V84GhAAzbgVA9gTN-y zWy`I7g&=wYUG4H`!ttT>Bx(EBr;9aupEX5Wv1PyFa~T}bydjbi-T-r#65~l z-s2~f>u{%R#Z3ECC>M!)mvmoEbiVlGvuc@i}9e1c+v?=mZ^Dw-Ty6Cm2Ci!gH< zo$3)ef2ntSeR~=cjc0VU|9 zHgUI|emrdv(p8QiQF^@TqQ--^v14N^+almCyx1Y4qg@&x#R;Gq6C~Dl>t)7v6v7bG$ zv0K)`^wfyb9c%DBSYV~b?HdTHL1D6eD~vO~nJ_c>1^i)7gV4-nV~uUmJUR8w_}Osn zCEf+l6Z?p?Bb`VjV50)T$V*j_K2|tCCn%n2-_z{-GOI%F%j)c@qnt&JZj-QV7+H}2 zCDqScYWAB)()vHq)4l-`8H?!*;`d{=67cI+1ojCntl(SjmJE6Gz zLaeeIqp;DxbJ_FSgyOO>ONuNHMxXAKKHC=t+z=P{#2&dy5m|-jP(5aB5Um&mbUq01 z*LxttpKygupSHB<;~D%paALx#SK#gGY#j#Pon;=thToVYRsKV^D8{ea$QTJRpEV5%Ik~XFS$B?6%D$# zvQP37Z}BkL?QZT3G1P;b3N2GkZ#@Ef&I6ZrI|3YQ>g|E4^S?wIy zlo}>RD5cp!SQexnX)h4}3W35ut?|6>uu~AZVv`5% z)RA3F07x8^9ut5V>LN*W2zjKDPB6cSvuPifxA%RLr1`MB(M!6P>xAtU*`?tYb`b2F zmBhh~fQA0v{Z(zFfYRo2Zhhw+wf0J^oO%aBEMQ|3V+gsE*02q5p_v!yL$r1YF1qlc^CaqFCXlfXkb+=KXBgsg>Yv zL_MV|w)^5%hv@p!P1#(I3b3jHwvWz0G;H7IA$xZo6;AGp-gHZ?iQL%j|HZ6$SMBga z+>qA-CLLpwLV6E`XKSAX`xW4=)+~{w#|J(atE#;3kW5VY+Ikdv(KeTpYDMNHO?0FN zI(7Y|ca3jM99uY{KabkIcDdxZVfW3O=Q(ao0&f*?=^vXX{v6yRpS$Rvc705W#E0do zor>75`R6lwCA)ViRDHAlwfGBNoDkBK9P^2KhZH^$?W4ByK<{i#EnEHLm%3|=vpdFO z8zxs?+64SffkZ%x4MCnE`gOMOlK6@bZkgRlS}o0`Xzw7n^onrWo)xTLBvN@v1t4Wj zp)2tq4U&Zyx1&_yJZm|2%{X6mQgC*FUl^xtGml4J&RzNc+@NxtBR0C_7#R&vcP=eT zqx3fKq6*=s6z$!B^mu*kF5&RyNbuIFbnWl!y^fN>%tgO*k5#F@B~*_+D|2!$@ABks zeEd$XPIAF}xbk-{2dEBQIikf*kYk{cBW=@Z2QSMln3j68MZ-gSj((58Biw%eeJ(y^ z7^&8beC6{^OTLyNY&5N6?Dja*bII6jjhB-|LlN`g%XPE_U76d{`}4U+$7wx-mkobe zT=4Ewh!bwN8vW=ENbah4p!igqv$RAMA7ha-=Pkmm2MUL`hx)wM=Az%edaxcwy{U1E zoM$qoXc((lUECKj>FPPBDV~&g*fz+L^jt?i0|aLUt*AwsEJ0A~4wDJ<0kvU8==FDp z+}Fy}iSS?{C*lCIzQBaHrr60_%ROHHb=G(0_L5__p*nKmJPiBzO&!v;Rvf2-wi-uR zwQ_Asb|p*VPZRd`uOaBNxQp+^-eQxUJWe(kXk}$SVl)L?s6A=~&5Jxv;^>$cC?}!{ z4-WT!rO$%UjePtxmfbOqq0ekYZOQgHO3@Z6L9#t)zdjM@GksEd^L|ZQtVrY|QnThv zHv5ewO)=mfje6x4h~B`EZtgdkd6(&i1$kYsz0)Hz8Phjb+oNzh6GIX>%Jwo*GwwtS zw{Rn+hz=8>bf|$xHA}Ta@Rj@R-5cs}Z7hyeRmf6a8nmsytfDgOLp0~|?Y4|BavA9u 
zsjcQfkuOjp)a%3ACK46X`WnfBJlvTUEk>6_YJT{=oO@%Q4zi{{YB&eh#J|MB)V2tV zY=~;MqLeFr=trp4J$$b<#*rlw6q}SVB}jR<&r1ycPjEtjkN~vJ_7v4*5y$PCV?XL6 zSSBv&xaMVqv7zN4D% z7iWLTxE*reEub1E5ENdtrr-ay+_{KmL>(N`*KZR~&9laFa^9 zYfeV?;@R_R2)dz-xKO-cm9nt^FyaJNm-tf%7O_z(w){HkY=)5v4@^m-{Dg_uw_wAY zJL{OKu!YikRRtz_Rw#u5S+&%D7m{0uBQg*LUZ0;3!cANiR$0}{1w zt017jn`&}Kp@$^>=?8O@aM3iWaO0+y`JtA?qocyxvA^_lQVQF`(F5^ z?e)LhIhd0_t^-}+n7lZ5d$*(E+n=M)37TJORc3F*T%a^b8ponX{s(*S9oO`>>K#*P{y%RbJ0!k6-U6h(o10>n+ z((O5C@9nwgx%cxv_dfT1@AF6G^NGK#-&!-XW@gQr`HmXjr)q`~uUUcM25x++!JwaY z4$@|9eB_NDEM96XSy`i1aNc!E9DW|S12!?+3OqLLCcTAO?-oraCbdK)9IeNrMyTn? z=?(%N`hgOMae%r^B$FkMI&xjP<#vS^BZpt^nY}5ej}@mq7kQtfY0?9gZp;}*NWt0s zv_92coLNSd8=3bsaCj>EhQex3?lJ@clN%79hHxXXOtl?3Gg!tH%6^YAqOJ-> zC{5to{opB_z#H120Ay&p2J5_HmsdShNKluKy5{xLHv1W*PnNO!h^BJj@LAmP4rFP2 z$TW{(6O6WOM4(}CF6P4E6|u&vES=s(8qb3(*YZ|-{2Ww&lpX)&IFI(ig9ry*5B zP~>jMBwYKe#87M%K4EPbCJQ4So}RkOkT|2~^5+}p&v%{znhhR_DeY)nJ@c)Bc}%pt z$Xv8%t_PX@!c~wxiZL#BTPaKrs}t@))M?{f*bVo1ac#KfQJ-Spm|ODn(Jpzi&#p#; zz>oxRUmBIf0Yz9>9cC%LgsZ z?MP=o!mYo&lIY=eD-WEBEso016>6zE)37$==Li~w_?DJqaDy8NH}g<&u4*faG%r2n zj?kMFgxdC*uM%#16F{?t+XYAwlNt^gPuTNPrsyy(52#s1w{R@*edsGb8FBbvjA~Ya zn+$#!QQO9ej#j*ygUB%P-}QOaZrJXb_BE$^(OwXgAGLZIq~#K>H>6;xWRKO;5UZ{D(s)NL>afC1R#~3FGgYI4c^?{EE&qJ**}Y^J~-(I zg0T@Xk@1Mcn~$GARzE$Ee>CJ;H_O`-AQ5^m%pT7a3Hdx&PJ`Y)D7?ko!O}CINTzek znEzaG%rx)NF0{QbI+f1P9BU7wMfe&W804jQvMYDHLHD1?5H_ylb{vfFpdSkU?5qCk zUxt6#!QlUP2!Z@7DBIW##lPx z-RC48YB#tSBBLD%f-v{EG!$iKUU4evw4OQb&A!UCp-dP!*5>7T3mWDFA$(13Ng@`& zY^w&G(!)3FU%OQ8#~RHab5WyNaaa=;8*{LbF&e6qu{-yYTV7R?n$~Bd>#{!$N6~Iu zDt!QVzy}NJ#116A{|lG;B-^=(3;K3xZ0 zl+x3r7>&&E*_(G^tA{`?yt=9&MKW3ZW#O|ehZr!-kf(arX%@UFWw$$+A){wiL|oG1 zzY2AHM$?R+NaU?$!0S@lL-?olOG;i9(C`&c57jHr8^gyeSjJDhI6bPca@%!ZmqNm{ zkA}*2g6vzh2Fas#22F!VY?p~MLRei-)vt|hTw(AIpBP+4TzlE zif|vWQn+Svm3*Bp)8#yMp(m^uPI$^=NNUOkNkHcyeqlM^c5Ae^_MI}1j7^xz#TX@9 z#)j#t7wV%yDKiL>E3{&Ej)BU;6m>daBlFadyBA?yfqd!NzNXLHznzSw&OZz7PfI)c zvPGF5ryjLtT?#75U30Y$9p=|^7rk}0k^ksOfx?*Z@42Z-T;bdu{7&b)x|=9`A`fJC 
zKmv4Zw*@FxqyeEnNw_#cBj#$rNyI}d{Z-;?7_CGAZY%95Q)H54kl6su8Wp}B>qU`Raru}0Raz)CR%ikg7&bVfR`=KMCnf)+GsAIkv z+a}U+U!&KbnF*=sp0IliWM@SW0M_n(ppXKlh57sER%)>Y%hbG9<*;SPMqaB`FgOgR zvC5JQj3!z+jb7}_lKU=wy!}hkQ~VM_`_E1UAo8|;LO2?+CSI#e;Go&2btU8+s%L(~ zqF{7P-AXfOb@yhn58VfH+w|nTp5~x{U@6F`;J2o1W)BV_mF-i3T&hM|TGecRE}h*= zIU1x}WR%z0ze_Vyq>xcsl2y2s9SvzI9*ij@WPCE|c!bsOQl<*#wu-9s96*`5YOuUq z3krA&d3qyAj)PW%2lrh_LkPMyu$)%ED9qN?X~lv zs&M^Bw2&n+0@>U-u@)>oU$1>msus~15u7Z_l`W9zy1fs@nUb`{T0m^L7yNS> z-ADVQU9Yg|C4exAjp}w)gal$ldv&CT-|9Nc(lr-yB8s z1%cPEXBwOU*-9$B?$>@gOuPSxA8>a;Gx_|9AIx}=Q8}RxmBu&uZr{Kw)EonZ@dXYU_P~fBW=Wj{&PZtxqP9;FQ!*YFsfx`OQjLtx z?o-sF?guheLH!QaID$c?=yKP*AQKAo4Cv#?(0&W_K!W_KqPE*cO*7&Z0d|i zbE!XX_wjyWMW=*yg>wxLO%;E6c5boFVDL~pOZ20*=kD}p4$YIO0%f72l9z&kc(9d^ znOYy_Y0Y=fqdK(L;z{ZMan782`pXOKR12tkKO%d(ygc%-zOd~x{@Rz_>}sE1fA-?z z8y{|immkeMnu$v^wlz9mVdVIdC+Tz(%a-#hNJ8Pi(F|P&f74YV*5AOb2g4(&?vQ>d zz|O*=a2lP7GJBBFD^4+r03nD{@X-kiIR3JE6yBCfJ=W&HbI_i6gm&fXl_e9IQCYh4 zmjSAr06bk;*-C81H%%%z*4Z+6i$a$=l+=mYFuD!2-jUQVphEkj(?^0WjxOA#`#}MN z#iht){N%lBz(o7y`&o~su*Y_2{pWmUS`MVl+fOs8)jj(>e!-uCrPDCe zPY`dHN4SM^SLPVF%Zhs>Ibrs8{NzI#y3cD@PYAB*WJ{54tFEs;PP2<+_v4#>&R1b^ ztP3|*0UM8$A>S-oZiF5qagzGQyr=tE5GM4n8?1ebqA$&!u^ZTap^Yi32L8gq^zdmk z!fVF_FLVB*-$e=%-zQ7*UX-uKSNx(&RQefTVJ27e>?SzCf+eWV)%sI6rZD*P?rR8G z*TwQtoH{8Y!87)STbH`Iru@+qt@2r&J6(xkEu(3TFUYRWMz@G=%dy9b$F9R~1q`Je z`B1Jyjdz<(e01(aQ12Cu#RDlV&N4Pl{*ccn$QSPC?%oz|gxOi5qDg`sgl&)o-f!ga zZGB{iG&YNAqDRiC70eX5<0l1=JTTzc0hJNez=x=EFBRX4$`G zWD8sH&EK+YF3)$QnKE`^sIW(lqB@Y+7k)Z5#TD`XF+o}F+}ycOx!<=;d37Nt(&&&6 zQyCSHW4|2S8d8L3L|ZOAWa@>Tk<;wt;tv)$(&5_U8O+FfG?d8qo7Hl8?7~~HF6rSDHkc@Af7SS{610s%voZ1KPkG)ZCxHxRfL2yVS zMuObqv?a_AJ#1gxq4In3$l)0%9!d%n4*%2t0qonU$5R_O>a;+Qqr=Eo{(Lj&QPW0V zDs0TNH?{$cF}pV^DsI+PA!aKLpLi%Vmlp4yYVgEoJ1Fh8MF(^ZY4s>);o38D@7;zF zmX~UwAf!(dz>EO+OHfW}s_KR+-R5`Pc~0$`rv%pd`Kl>sA)X-zCJ2W%lVnb@=sF(z z1eut(QhD7Ej(azbqd2jWgWSVUK}$>8G8hCA)M13J@#ef&&ZTjJ<1F*z!IN@(MgV_h zy^thEdOzwosB7CmmUM42FHZiX*&>9rp+A-B0j=;WHbdw%vmMJ$ki}PN)zl 
zA+E?`F+z;VE)k&)u6C1F6}524>0#hoGcM`kbuN;ohBK?QX+iO4MbDY|^zkz^EeD)O|)Y$d$$m=;Fg> ziLmA**U!5T0ygv|PDOZo!7dIAP8*IXp9TFBWPxA29Fk3X;|rIC&y(alf$sFop%tnO!q|$@ z_}%`*hm~o?92rq3=J|z-J_+M>@E;PnWq$Z;CfGLAs5OjrDqh>;_3YpfmoZ!1t40_b# z1E|C-g&ya#S|wcAI3B2z_vGgOY+YzWA~8$(G-#mX74H7ZwE2OSV0p=f0jXjs^;2pd z|vg;(06V>u+_nMuPLvN?984P{pJ zNBAfo$ge2X30{%f(9XY_*=p<~WoLKNjHnrm*QJ)2s)#z`wIf@{<4i=o3X+s%SXks3 zSy<_Xg~{$_``P0irc<8E70y^zSs7m3KLcO;EJR=j8J-kiNsbtzZaQRr+^%$vRrl*Qnx^An5)XWD>G@_qi?xFV1 zk=TKFRKoVP&$*|TV+aWjQ~Mi0m3;tF8F(0`EHRiQ>`*}>$Ek-}mTIfJvyOF{HNRJ< zxu_~+AR@xWV6&tnY=alsv)!Mf%BggIyX z}p$C`MAGsz!2(aJk8#$uZFRgPJ z(XXx9KDs(<>sOJ&{3PqnQ$ps$ju{I!9BP_6oW%6TBso4SJ7XM{kmwqe$-TuShFvVC zK>6%*eXkLV1;F#`mw|I;oyPFcIgqUqLPsVXNDV}?ofzd_D0T~{9?mx;vbxSF!e?z7 zo}ioE!yVW-J=|dkvMPRqxPfHmRG`?Ucd}Q&D12~`?!E$rlA=L^hcoI<43x{E_|jv} zGp`@y<(a$Kb{EdWmfdjbBAH zx4^YM%~~Dk>Mi)F!c51bI`wG>SX2O{B8Gkb@aYc^DeU+qT=)ecWY4OsCL3tbA5+6# zuVe1=Sn#Mkc}ze1T9NSh1nBh^sH}vS#&#{wW=EeRC>MPgX;(aW_w>ONw621aQ&2-8 z&Za{Q;>Xm0q#%f6hcd@^pf%NXPeR@Y=S;GsTw*YLLTz7oz-Vf^*t%OqBz@-VJQ$Nx z43LhI=6W^zB?>C5X6@Zg8fvhSX!I?I~%Fc~9kOR7g78aBrDZ5uu z{V1rnOK$AUkcaEw(Tg3@IDu9arMaInE-QORD{E>;P6u@1nTn`ZBixMKA81iNM~qkG zD;mM0u8;;J_uJk-spWr9e#|hoGUYIuoR~&%o=FXdAG5}Zg``|PmsJrYW5;Lvxz3>s z+sF$rd68iaP&`*FXb*%51LX^+9n4RGEB9fxq`*k2mv!ZZCiT!Ppi4n8`c0=FG@TZG}{BGzqZaU?_sH$8;)({Um!WwMWSN z*xYs*_2dkOduEIV4V;K(BpH5D19wH_lJU4$3N=pUH;70u4@qBRw+)2stq^L5oyv3~ zd~_Kc^Db2kGYOoiDf;?6b?3=6vQ~xH_dpPFh=JYjilga`%Bx$ewB(8rr^2GYB%Wn@ ztH>DLv#n>w(1AK`mm+|Fk=K`Q+T@%y0{dKOFex3)aiS}+Iq>N2c;h}Js7RASH$g{Y zHrtp27L9R2iGeBHN*_j!G8{0HpHXsyr`&IQUdjzRfrEw{0NUL_iA{YVfES_WFW)@+ z>8edj-LW_KTi#K}r5*1p^tM?k$A+om}>hzwRf4n`5n{HaHlwqljllQ>f6~v z$y1(x3nE)iN?mo$u$9@gOQFSDN7}iFM_zdFRw^eOvZB$c>lz!UQ+OM{IVaYv6EVdg zjVL0>QAN+@0BApt2n|oBGt;GN%&Cc9N2$wwJa$`jMjp?;8ca$J^Z2?|yWB3pe*2Xb z*Hqj!rs(eY&&Q}U5ngS5BSNJWS^qV@p162gyj9P|Ra03g%qStoo z%Xw`?>#4eM7ndgE`KC^h_j25K4fIry^TNA3>Rit{W_uzxD{F}{ zFGk*I8x`{x3oE-#!OlT^)PoegvFkgDYyq^m#4yLL3ES4qF*6ml#m{nQ&kVUN59W5B z@InXsS6C~$>Of#=6@o63X>=EbV2=^tIsnIaT 
zT6M`Brju%&!o9bm!HFHogon?vbx`1_!r$-T%ka3%lX;or^d+^C8^IrK$-jZjHYzMb zBRcf0-!**v-O8k%jr=BxoYS`NgT>o8WxDwJzTAU(jZsyPrH%<}4$fbYuM9f3Ce^;D z`A(v1Oo6nTK8C+nL>g!FIxO&LYrbntVp8*_fB&}yA>0xEwi+dCHC0WJ{OB;c{1tptvRwm&MT1G|15v|Li6MkUN0P+YWSHwm5iazS(Pwg5-3EqT)#=02*# zOgiD=^Z|R>qtp6qE+HS>yWaS+ed}>XOf@%9;Fqx_%d=iVQiJ{F6XM22(@{cH8=>Yr zhP2m}t?wUFH<=F@I^g;Z(x+rd+5=WHqUfL{l^tdSJA}6}#sXvy>%mix4I=eUY0(vN zsztTS33pHhDr)WAz)?k8<0$aX@Urrnicjg{Z9C87%;P&YMJJ}`TsmQzb1+-jArzV4 zwZVdO>5N8`GGpfsMG3}Oc%pW%t9mQH0$OX?V88u&+v(CO;~6D6wQ<<~HmLf5W{naw z@v1W*vu5;CSVF%nVT1YvmZHm>KU2JFqg)yeU9z znTEN{nJ3rj8v}%4cR>LugtsyoD%zf~*fef%JKeUjt{CNgIyugkd=2#MsF8w~D97e@ zSl&;Jri^t6388os-)lxcPIQ>-3nftvD)S-QTfUzchOb{MiH&7G+g-hXlsfl>;pn6U zI4{V5{C-|QZK9Qkk%fixxV2*UX^!-PppKL@#b8g^daMd>;p`MA=m3|*G}Royi6xjc z)D(-vzdJK^o{C$lRHB%&CPWVuBMCq4huOozEF`N)T>!lOz|_|i^<+G~@WZv;`=CYd z&;y5s)aXh>86<0+@wrK_qI@@Yx(Aok7H;|<3Z(RQg!uA4o92RtW7vxb(CG?|t^8=s zuT2t6xHe0!;-iQ8pByK9;LT6B3BQG}okh05NBU88ZNo3rE}y)r(5Fdv54)akq3q>&nEy7kye@IpL&zVU1zTT_uKFC7;S> z^3=U7U0DW?>RVM98Od`yE>h5L0BZ!Fg*^%oK%ljT6$SW9G8hC!DZb+~4tBJcUto_@D^IX>~ME?D>fm zn3-I1MKM}y5cC=52_>v?(HCgx^yM?uWYn>cE$9oXb=KpeLLaYT^lHKCl zz3Q~ag*j$V?%8_K|DO6C=h0fW+%pYVtBHBa660gfsq&fmqr77qUz4ikpqYr!`dMw? zHnyHzd??BP(n8HUg#^COM+1E!l#q*sOS?%Vw0EKXQH$9fn-n!gLa*DtI~oJCXV^QH z0G>5n+>&SM$mS*@3GWlbLv);vdRipqm2_DD!FBj>_TZ++4&FDN8staa$ut? zen2iyw(NrpcQ3#zMM;G^`;7~wV|NLx(THL zIHvIsLP&r-!r@{A?m8wL@1?CjEFaRWl5E4(djx9DA@JF799hm=YcmapAiSo(JUTG! 
zjMRFPA9(hVtw9s;4v^3c%LExwr^-!V!i5!07=BHg5R<{lhJK+|oYrJxNcZ#Cq z0GJKUHpq%|Zo`ZW&qk#lldd;ZAGkYIP_DJNejgaR0TDEZIQZAzDHK~G#LWKwkPZ8Pn@O2vMPMKCR<$^^2Ev2)%NZ?0#e=9F|HiL~Bb@#HZSnSuFeV zU*Uu3l-@Z3su~SMr-=51$Q19Q?6@y8@8jOD^3^^tem)<+rtQ@rh%dx3v?tv(5r~wo zjlR^*X3WHK2*N{li$5<{mSX!%-A*7(9b+@+FgG=_X^!{JGRthpV_lm_l;v9$KB!dM ziI2q_cEhnfP!41n3~0i){JpCUp4%G%wVRbJ3%u+&=Wqg7ZdUQk%f0)e@zFS5b{~o4 zP~KL~ZQ|vf6#Tm!V=lgea5D2k{_}aA>Vu1^Y0PB1P!J3Z8HUo5xR>{@XCUdny!JTW z=f+Jf?Bth4COMc=-|%eDFcaCS-$!Zyam5cIo=LE_)bLRXnVo%uS~ptzD2q+ccP95v z6dAuUa0=sb=u3~Ci9Hj(>VCV+pJtvDa5psw~av>&-SuN z#_2Rr`odRJX-z>emK6tk9((O8nmAnyVVHyS<7?;Otr)KMbK4X4_bMr5Vvn8*kL^1d zusauPqlw3>7uRV+S2e5=Tt?UB-vx;S;!tNyZcgBg^xx7qY)l*-c)+_u$xO z>0ozpXA1cfUi6Km9}>K}d+T5-LV974Y#%zCx+fVeMyfJFepPEQ##7>sPR(FiO_gkP z@6`Brm1mA2AINF6%n=jFl}Cz{7iZxyP6T0Skf?_p{Bp=G{r3gFkn1<^imoY_w}4^* zhK|&c#hbW>w;6!PZE34upTk1L1Iaq9a*Ve z5?l8Clq$c!1}qcehGbJ_o$x#J$(=|=+EEy*eaTXr+)AS{@oM-^{JTco2P(@JIwmGX zrTGq(j>v*Z9sdVJ>lC%v;%^B8v z;uLQ@gm4S&J3vB(Mn3pmE<(WdP=?s;l}~K3{v(!-*}P$;40mYK7z~gjeRG`lsUvV~ zj9IDE*kTk{Kvmz1S5*Wb!%rz^%wan&#FT98{X|BcS?IBIt=EeyCzEg&v;=uPTWDyH z%H39S_+tItDi>ytAj|Ivux~~k`Qq<301H8&!u_<-_)>j;c&pcdJ=+5p>lY;|TY4YW z-$Hb$3j=zf8>R$t5WI6jZY7y~gE=7gM20cj3wGc()Ua<7ilZu>F}Ik4V~GRCOROPL zl4<&##+u1g6b}m2PZc0i+bmAt5(@SgBi1cQ`&Vw-y`e3*Ma67+DTcZn;!FUFJ1%tw zG$k}be%(T6fJ$`K9#l%_fC@_F9K!9q$hG*oA6-$H)pfhJ^o2msEy&Y22@az}G}BQV z!oF>jayU3j%yQ7rH0NEe*+u9x?l_^dH{Z$bv8dlr;eG`wub>(L=fedj5JTcI!A~_C z>Y0td<1g;EJjqzO)=Q=?KoR?Sw%SM;Lbxll>;MgQo_ivDNI%4iTFI|BcsXfa@hoV7 zpiJY8&n$nLPoenyW2I^zJhnyDAD6UM4Z5&KZHygpEqnyq{Aj7Yh&zGm4^)1R-^{5D z2F&geXtX$6r`5-3R#O?da)x6Fqgb2Ck8VAl$c= z`WVJorgU$!RsLSR2Wv*aYf(|I`>0dFRSd6;APl!DA=ZD1!4kRfnb_slRHgtLyn`mT z&b7zO(b+*RMxAj@?-)A;E{V|4P+v2M78n$J1K<-n`@2szimW}j+D?52qfU~=qs+0G zCMdOi3U5PF^Eb*Y{*cII@5{lTQC6`kP|>ebCA)3J8~R$p(R?f7Y=^WShv{*OxecE~ zU4*OndE$8L&vs2oE~3^-%t2gAKj@EJ_!Q80;i zoHT%mJjm@5-=au9ZV`dY-noO5?hALSGsLbj4{l9d?P;ov?s#z=BVem25kEjN+MyT2lT~lYl(XG5 zPl6;(1BeCs1};RyT(iD;;YvcW%7$isxmMT1=VZf>WV&JNd{RH0eLLJ_QrkxhF>V=B 
zX2-#|9Mpo9o~<0-9ep)0xg^6hVW#n5=U~yiqU{!cb91GxV6E)ig(usN%^ytt_R{y!Ur##+vUIUCuu$fs}{rJM1*! zp2{en>?iSjyU*IKQfc_&c*y30Ub&0x9^VnvrS=A?LM1DsLBhp6vt^T>mI;eVjs8B# zIk#FM7m$4j5O4xq0a1Z$hN=f#fC_p%UV?$aif-x zUYN_cfCJ>n^j)iQ!xRAZ1P9p|mUfx=41+}7@?wR;xmdj`Ha~2xYmYTRpHLPANK<2e z;<@AB`r{67n1$Stce?!SzHhJ!4-s^jz(w}1j9^06GjF>#FmLjKgY~d*H@NI52z<7w%YtMpsSa0DGF9j9&hJ=gLE4_ zltHyZV454w%=qCpiwpIn54h{ut~u|O*OR7BA!~wZF@b3e8L+#35u-Li1kjSZ(8s#+ zE$&cju4FR5mpCg8`xaSCY^s?-B8Z||wX<5Bto`IieqUPq)V@KA;2q1wiwTL6R5eKmacM}z{gtO@d6ebJszcVg3WuiOlE3X0B+tPPuV8Rqt!!F! z`+EJaJEx>KX_`^y7;g;3p{LGw#uM*4*F8nA?zU6ee>!+~+VSWYsVCDmfgIsb&6RTW zsN~$y>LX)1vxgmLpI9c0Fp0t@$z2Hah_<1jq3xE5$)3}#8?X9A3d}$6C-BDwl#%V* z;l!Ge*#1;nDHsdl>a2Wy`d&J#3z?^RX`_y+Lg0zii_7q{wy=`EwpWIFtTizyNw-R5 z)}4y(>TwD#sZb;kBrVLRQ4y0ecrVHB8SU$)SDt>+xX#O_oXN$fJV#YC#S-u#m8H(| z_P#}Sfz*W(`Vw{fbe_2nZ}*C~K>mC?@wJo|lAhFiL7u*_vo5k(OP1AR`f70_|Lv6R zy;tU+vTum1hEEa_(T%OJs&$X*b&YHV> zo#ILDMq{qriIj^h!+sDDWxO%H&iWbO(eBoirKk{69<%M8b&q|Knwn~i0f_ap2kG+Ax2H>f^POcnhc?BaQn zlA3oUjX{l=4-#ybVB71?zHEuYC=FXGax%CiB>R{++uTG4(O>sP@V&)YE}A*cG<1>i`uWd1JFuQT!$yw} zc&oO6Q`mbsHN&A|ZwA(Haf(Y>UL6H-r(+j8G9muO2Rcg$Fa{Fz`^h@^%rUi+ajQ_< z^cgR!gVnfzpa!a<$8EglaL{OJwNG_={%2nMbmmw;5meB_BmubQZ^qIi}3hp7g4rfYtOdBH5WK_I*SO2OLc;hi1bj zu9V||2batGIvZd=naq2aPQD5;Y&gCyzE3-?coO$=R_7t;b=xvJjx!O{@)j4l{F#~} zXNQ7zY#3vUd^~xw!dIa_!1lxw%eWx}ZU7+n)Cu}9?P>PGms6=azj%3m_gc zX1wFiEp~ecIU#q#SMFoNq60gK*uzl$!_W{!R(8I9($E-una#~& z978X%Ar+&ZWfUKS;Gu;0ivt{Gtqucu$CT=sLp7_<7Rn4Mj~{mBh$TO!oBEPsnnhro zwiUq0^UbLfPAB=d6~+6fvy1Y1)+e*G@*7abT$geE?D5S^EL2&VpoXj#?5p*B*!N-HnsU!z4`C-zW0f{eidf2T6Yqs&=Eiu^kuA>v##d8*L}1^ zdu+vy$|Zn@k|vM|xr^_+65JAS?vo$v{wlwT<91t~0`ZGca*n|GL$e<9!E&w%E8XfL zkF(cyz2fRNyBZH|Xn09-L*xYB=H2|6j?MhP`b+j7?LxGs%!^n8_XT|scW~De9h^P9 zD4b%C1RCpNC<7_{K6maP*Fzk1m<+c%A2-8iTL|yG418R2{)%n*>svROT+YMf=YB11 zITZQ7@w@uO_9-quojEj(-6Y-6xz&u)0Y%K&S$*z3hqAlzG2lr4f2`%xKWjBb{jb^_ z{daB6^j|rze}$U-UpbHeuJ8I+_$B{c=loweum4*%7x|-nHB|G zB=SFr4*%9#f4LqlDsASa0s%p3=n9(F4umqvDeHU7R7#l9TJxWtH44xxBX{GB@6IP63lx;n`OI_Anw%;-CKTxoW7Y# 
zxCdsu4u%*2N&k(x--j4OFzoF&V8Olb12hPFL+kd=MD7oh*lXw52wVLytdI^#5=@Z} zj(dEtum1aVbAGNWY`^;%vJX#OeCKZXDHYoW&X*VrnEmt(u=YIIOq8-X(ii-=5ga<^ zZvJ6Kzd?R1sYZAihPPsfLQeK0v1b9;(U1T^9Mujp7XVZMi7wH4#LB?mAgRR%9biew zA4_s%*-rfN(0&N=_xI@Ftzc2eZQ4J*XC>hKk|Z#{FG)UfzlFr!Hz$yl2uP(3D4q+O ziB^_CdVzHE#w;*9cckNO*y7)QwNHbZ^n0!9Zw?l2hf6%Dfs-g@0HOj|Tj&LRH?c<& zOz=B`Luus>}q#(ZC zRKbsM@Y@znKWoz3-`4XL%uEW*Y(nhk%=&+s*`>&R42gYUPGHv^^L=L0U}o9vI&0sM z-)ClzTCJld5dScm3*ZS?~f*02ecp zelJ!1tpRVWaH!$G%NGXQ4r3>}r~c(NiQqM|X9CfjX)-+8xKw$TJ}WV_h< zHz=M3$TMdKi5)Y?w!4KQ(8m8mwDSQW5`})BVO$Qn5IOUhB#uP>+@3>VhyT8*e(v5M zJc0v4R2%+Ih-a$)4q$fXxG<8B-S2PW0B-{5hJW9^zf&9yY6x{x)|9+w1 z)$|5X2=B@z@QbsY@~lG*SRm|+{{yTSco z-@hB&U&r|?DS_EW{%W@WJj!3qwkpduh9K_z-E3z7Yx>h}|Jn5aO3PD``*S4rO0e_) zPD`NS|2)bs(vMR0cm0*%e;wwB&i;c2QBQBE`jyzfj`J(y{+ajl@8VnRS9H-oA@~1^ zZJk?&!$67tgWkY1`OY@w^T7PgX>jwBq$v^wIzfkfIPTucs ztIxl~Oa8@g{ZAwR?@rDi4d~Ae@E2;6*#FGM|I4*s&o=*uxd!(*;Pks&@u-`(FG=ltN>{)2&*_+|rCq`q@{o@+NX*?q_l(&j%8`(k9 z{nW)izJp6+0I7vGGHxL_?yHT76Z3-fN6DSA8JQM;=nN{jpp0Ig*%Wo|ZryW+6o(+? 
zI~}u!e0Vmhw3+GjRmG~eRsh_AihN0!9`3zo`s;eDmxj}Ct z{Y^nrbaAs!#E}_woH&0cd+F%eXGn15ev-LJ^a48dlJq5v$MvPfErNN!r7H6cjz31Y zg$uA89ntQ5-*QZmUz^Ncc~}4-?AY!r9l*&39R7Nz1Wl0hk)+eX+I$7oiMw5qg6L+3 zh3WL~y(Iq!f6}(ngZl$vspkwyml9LAabl!L_95^g*t~!j$O&5jIik_J=*hVfSng|V zT6*N!r^r9X&4u%^pd#G|N<{vkakb_W;qdpK17V;R{|J)EE)32^Er}W8tpKq&0JQ=0 zvrUgAoFJM1dvoOffBW3!5B>eTp^s=te%m^GhbI7(k~eaT@1_tb7hohPVD{I4@F8HA zCzhzq5JJhUcP-D=EHUUmO_d0jV5x(h{gAU0u;v7Y1*PRD{m;fvMKhPmal4Zb$3HZ@o}8zB zBdFGgPgBaq;Eml4!+1}vo@5XS5^IBw#OvWbW;h7ORBvmNJxkh4Ti>#Gsh=FfD7?&I zVejzSv#$|<&WSfZkjIsdFTa2A{yG)9xJ^C50HfVt2$oiT6p~&G@}3*G2kOjm)K{>R z=r8^;q{Xh6U5@BVJ4J48_pPGJxy8UOXqd7BFE4ie)y`#W`i}K+h4t8EUKI;vz0sPv zpd4%;a|840rovpprv&=BXVuKre(Me?0;~i!}uhMBt<wSF&T_3{~JlBrz2hz#Uh{xvr1hxAs?mZ?OT_62Isy5Re-kOVlzsU!c zsQOwpr-ZX8*x=So%BJSfGG|UmSo3`*3uny}lFHL6JLSg-mvSE7UK6>sq2ymNe z{A9789_HcQRxJWD&t9$DyYl!UyYo{@vj_gmL7}vnCep&{wjgjJ+0|lQp8p{~Jfzxg z^f!o%wbg>AV0u;Wf2s<9<6IN)wCvMC_P0x%uvG0Eq)T4N?MXP1W{4J(hwQw*PO9w& zcpRLs;q@JNk@_t&7lCmS{NweIa3PkB5HrdKwkrngR?V7q2-vNw|9rPjF8wF()`oFn zEJ4mO`{FD#BI)g6M@w>3RX+Dys+%^>O_!pGs(u=Iy-mza?_D5ESJ5AI!ZS!LY%5b) z_zP3>gXNhTHe*Rrb{q+04JTEb^zvjLiwaDc}L!;BLQn!DvR&2DRX$p%XT!9}m zJu_w=K&GtHOiUNy&sb6$R$eu=5)ip(On0sPm5j~TZJjN7H;!)cce!%{g_`=Vi5Ww% z4|^Vr^Bythjh_dm(Z%VgfI~i2z&qtLpUOJR;jBxp2!8?HcjN*u<%2sXGh=VYj(MuP z2qzE|6*;VD`y%YTa!6S+hf9n0`ZIX&%6hKQd%Q<20LT3Gije2TAl zj9EOUX!QelkV@O%6uRP4Y?3qRXYNe@jk~>K52gIRUl=)8KIA6~I_$EoEa&*C2Avo! z%08}BUwiyy&r3bWgOuYavD_`?eCKktaXp=6M7s z^W>RS#V=@wvN&JI!TAI>(eCqunNe?+hH|P4-_K^SRZJM~+hFr&LebdD#sj6HnUh7lcieQ5kT^;>kG zX2Jf=g^=d1xH3oKbNlJ|bob1MO`4Cqt-6KJtUDU&qIK}v*!|^MnMgzR^7^2*G@Y^+ z0=@lwmK#xC(qC9!XKIVcN0(k&<&a40iaRR9pt(nodd*qv!7{Y-c~6o1TXUJUf#S!8 zydBJYqAGp{>vJ&cnV9~0)ZVkkd*JH$FxT5XbBrh%I)Wrfpd4&qw{=-g^l3{;i@$z? 
zacph;Fva2%+1dK_o!aWE;Fd||^P0GXbFT^vVYR%^u)*V#=8loZZxZ=$OR{pnZou_g z%dr^aS29{4e;Pes19fgUDxht@`R1#Pe)r@T|3od`RBXre;^Tm`6B<%CwS3uWj!*W* zG9CYXo2h4o(w}ascsu@NMR2?4Y5<$^)k-qAZKi|{0#z+TxKC6nRRF}cMkbV_P)yn* zg4bR4iQ>n-k_u!!>M8GMbYB%3eY@8D634vOGvxVeMOPl~uT3N`PF64XH%`mh4rlgV zi1#UX*fNmC-IRErdzm33eQD56PT7VT{n2z=VJiGL$PvF=*p?fn49A+Y&Xzc?r7OIC z&ajs3qVD42&?~%kegYbWDOGLHEJ7*V`uIsdp4-{3us961ezs{F-6y|U>PIhsJnAd# zf&J3KKJRs8f`0R0$Tdl)R~or$2l-n856uN0Dayef6ST7t_Mm>?A4sKDM$m zV;yGkUb?rsx97Qk$NRkR?>L_OKf`=|uXFoc=XqV{qJHe?SixOFY*S*U;&j4DJ4yDFP*I_~NQhO8fm6e#8}yyw zZ{oY4S$B=$IVo9IO{wGz{-E~D4-yI2-OChT24hG)$Qer#V@;23z##E?%!?-LG=+>a z6E|v)+__F0gB=p=-c){>C=-U(7;N5cI_2iEIKInSF6m)Z^kFUH+b05{U&VYso% z;;@fuUVpN>B>O~xx!k1Iuv%0eW$)#98AfsjQ4F(hurYtp=^v3jvp2cp26qu+1n!Z7%P3LKx2sRY6OXX5VlT>k8ZNiPvM$UqJ zAvYd89kfbftLux?zrS1@24af74Wb*?hTADagaQn5^}!A-^7wBtih3JNPl z$9`PAf)#@-_o*v%PvUd8_jWbh99)O&?wM?TD%ucnh<#Xji}6ForMD{?*n*fa1zi*i$1m&90LxV7ZDGLZmkML#2~(&d+WKo4ac5@ym=E>!S<=tlvY3A zaC~)^HL?cPIpaH&rGkZ$C*R5DIc)9dlqwV0mw8gZd>ilLrebKfglj5MGzi_myR36! z_UaERq1_Ya-CFECDg!32lKEIk{AtAe$HjTJ@@R8x<2Hr&E$COvxu20^&NHK~9c2`; zDL0Fl7gLd_$g_{lE;Zj7SB$}ko7VI0IV3OXfrtBeQ=b>ZAe{t4!5lR}a0hs71~fFp@&Rrt~c}%v~Be&S| zxXBu_s6Ou8JVNjz2$l<>LZ=WN`KKFHx_K(LUAgA7&-0>YzZazTX4|~u8No{|D4pR9 z0~Z0D70xQgsH5Dk+f)B+^cJ4UHW9N6$Y_a){rM%1<`(t%;dMwiqPkcs{J@)`gJ%iV zcZfdC0*qF@%=WdJ=%gGYiw@6umD)x3bi}wgK1FCsn7<5p z9A3#4QaS3?>vee~3HOAqI?gp9K+eHUET7-%G+|mz4W&nYn=KJ?Q*K!uB`+p9~$f;5dq6So^2TRaNjhqAtQsW`y_u*-?LTOv5Z`OT}>X% zYOeE^h^McpSz30{K4WC>4=g*hY2O z?3c!NiT^`CTSMQAa8FZ+s?x~9OWB;%ptn-|FOrYy7TitNfB&UID-YP!_Dc(@< zemc&5Y7!k!WKqNf3-WZOz8<)7l=tn{KCHtcv}cTd3Y6t^NrUq-jp#CC9daY+gqK)o zn@VOq-IU)la=txwPyfD(5AS_u^%+?DDxic`@vayd0`< zSw-hMbG$<8Q|W+)O|?_*R_t^$TfwE(Da08xgiNp}_P?Sk52F%2n9twbD^c=(*Uo}? 
zTax4}MTTa^z~wy`=)BMm$Q{bsd#_p_c_?3E8t_3SseUY5h^2L>R`fNkC_BSoYn~Sk zy1h4^KQ2{e8-boEm8{%-@8bTHnL@*X&tcs+6cP8;q-+crPakN}VyG4cqvMRnZ}@|( zeK`#K7}a*|5SNf5GEPYQi{ucGm28thRYWlV{4v~{QUy}xkZ~A#v+W=*D7;jzd;iUs zy*!zZ{o2F#Fo;#4j!jv>Nj7k=Wlxx2^H6-_?F@demL}21UH;5MhZvM7Hs#4m$@;q$ zLsN~8*xO^=CY-L#6ouXwaMF(bh+{pP_Kr~IoaHD;qGo8{j> zxo^6+%gyar#Uifx-5PGNu+9TkrNmJVA>VgEI`bB89qs+HdTJfw%B%Ef_E5b7p)Q$T zA6*FV#rGW6$v{`wSlu~$tS*`xGZgpIiN*9$a$u^_AtwNLZ@k`vo!b?N(cL^-)q%?j+$z-!=z@dDJQ_TfwN`i_9<&#I-S zg1#iUe$$4oLINV*t-=BX-SdhjQQf&1GiN*+ao%>?6<;}zNhi@4bvh> zy+88HTWD>m(NKr(Xt>G|wX zQFGR%76n4L?~qEI+CY5VcR43NNA}|L)r9^OT&B@n7iQ+JD|-<`CcNmnsF-6{vbA1pTNVlH zL&ci*jFVbR!q6X$q z8drh;MGiVmQf5)iorY6KK0dZ#;%w%?4rv)*%Z_c)Vh!<52Xuw<|Y z#(;Y%kq$@9m&SRu4m>*i-sxC_xbBH}YbA>AcU8HU<=TZJbx3MnFzfng)<=vCfl9f% z;Qd0jlagcj9n{O@-l2qBE9&hkn(mxU!Od)e4Lor1xA5CZ0=|8G3v>Q-l@7W9Ihs&i z%nv;xWMC3MtH*lnmSRq=b`qqstJuF9*WEZgdftLO`9V+8h=sA3V2%uWf}O8B2!|o3s)Ook~L`$ZnU=)A6AVryE|}JLbqhLIQfeV83E_UkJ|u; zuKXJ4gCyBps)=(f-`{T4j@G>?(oPLb`uu3~Ey(IE2xD4-N2Fsqy&-YSLxQRHkvDg_ zn|A5oj@B>MgVN`@mw~I=!|=fCRQnP03)MXyd8WMJqCOO7xMTN z#9J&ncRZiVb?R--8MRrIXn7iiHcOYJN}M(NG&w*Zj_m~301wbzz@hwCl}~^B?-vlW ziXU6kBQTjixwaR8Ya0bz+sKVOPc57S=FeT*k95rVPs0g*bZytb3~r~5L*@ z6gVGR!1>T(`R+>SKYqyk?_M>P2@h>vN{lDTRduc`h?JEo2DY5u+mlhG65(bX|HHy3;Vb+Q7&8#Y_mlKrW&)hE2(IF!@~*+_X*16PC5gVPs6R`!|8M!d#4)X_H|Y&@ zLlK4Yi8VeuJ8=C9U)=_B#5-N#;QG~J`P=K)5YHuW{d)T6>(`cVOzrplkF4l?I58mk zY3>z!*V8f|ZMDEx+g?sdwnmu8hKeYj(!GNTr;s$YIdYnJ>Fs9Lyt#tMT5FUjuxlx?Fah9K^6yy@OOWW z@PQkt^}?`8OEc!&nrX8t@tdlLqh=VUZ$(TylLF^iI0#D}TUWagMQ$-U&BE(aAJSbK; zk0BY7VVXBF=^UVHVv2$vOuS3gFoQ49KxU{UwV41V>#KkeMxCYzvKgO&{q6-wPFkpd zFTz?eL)o(PP59~>eU7{r#E%_e zfSVXHsJ4(>siN<02It-%F?yhi;su@zNI-9@Xi%X z1(fWUj~SzY?;5XS%VESslqlVI4N2duxeloTDUaL6d@$p1P>nHo5kWQdWd5YR7OqeC z#Fx;wVyYFA0RaU1CU6e|Dm%U-FzmM+$Rw%-!rKBd3rjQtQG>oW3${uJxx1Wn+d2Q= z@b=7l-;i%S=)v);i2eVO@b4tN^IIMNYYCTc{l$7fx-Ss1`(W6Q z<^?i-IscW2Rf*a^sxZj%4g?}5FkybuaFC3f@z)}r^MU`Q!5FF`5HVT!M-A5o8vZXt zjQ)i{py^+Yc%=gNqY=aZwGn?uApnr?S+Id1e`UqrlL#OBjs^e9iod0C!-~J-!CzbP 
zw-f>^{+VZXlrygIIjQ@)9 zKLG%(k=p$0dcPw4&&omhRyml&0K%vKF~S4vs`U6)|ABT4d}knri(@s||;2=N;R z@DsB(Fn+^8a1|_K8yJuIJ;av*%>9nU4ej`j1)f{a1B^fY2N(~wr+eR$_%ow_;Xx)4 z6To=HA7K1lKp^vP5MZO@By@s6=KP8PKJozML4oEUfxJ6@2u_3p1lZ7q9}!?3!nm=^ z{UmgN0XzRp$Y6s7JGVD*GT>>TWa}#kV8PrW-?h6xD`v=sVtyy(A2;%WIkG+#`ZLJ= zEM}l*gkM2`$?lKjJPY>m6-*^&5cw;}0U^^t4(m@o1VBMUvhc4$7T(yKG{D~U25e0~ ztr`C(-vZZf)(l&qebvm36>tBWD+UJ<*tx&I;;*iU|Ay;vYs2#>p#ztP@mpMm z1F0$gircsfzTc=Ne2hYgS;dwSh~E)sfT?`@{eu#J@*tj=t@2xH?|XmCbcD~v-|7{n zd1Xar0q%|&x`O(KrN9zc8NZY4i{D807d|Zm`>pt8g;YC`tLXd7OUa#sQQzy+&$1zq zP1L?sfDjll8~yF_`KY^oqs2cfL@!tz^Dm1dCDXZ}-oI$a$X^rri{8-XvEYTQ-)cuD z@$B~|3tgqtKLe-CmMR6?^s|LM{t;xZkh#BF4O89Mtux_|scZ&RZU(tazF$4iAD^^D zant>_Z+OGNi1?_x|AfkJKqc#2{GzNqaJymTPv3v+9Q^Y)T73IPumzZW{|h|RhQIwS z8viOwOl2iehQ`LXu}#tCzx$*>7X8&gf1~bsbS`dh%=ncJj~>1ukZ(TWDwO_2VSxZj zfdDkNe2pVO&8Y^UQS>crQ5HlRyRah&-(O*H!#DrQLP`N_=TI5JgX|j*0`I*BKxJhu z5lUlIx=UwD14>s0#38={Vh@35p0wea_W{Rz9O!1qpv)SNGl9A-j0!44uacoZ$>JJt zYBGstKmp=5FuNXvA-}L?2~$}`6#dGUuj1Z#UFEmGFdj_(S^mDjo&QE}WH$7s;%m%+ z0S%Xa)T5t1gBW7lMhx-m{_@L8XTVB-HQlem|2NI?kAU{O&E`9x-S=}4umQCH6A$3m zAn$wU=mppxzxAF#keB+uEN&SH!af+-ly^U^h{PWEqBL^(aq~D&92vPBM0+8hh17mS zgjY?(*}d|QaYb)wx1*$Z)T=h9dU|{^?_%FwWjUFV7a4i!j;czg7ZG)8vP}0)L57|w zf>d-Klt|1IBL z|42=xx3=NOCNUH;VMKd5abw#Dr$>a^jgAkR%Goj)`$@3h!D&<^DVd_b5p$%2o23y< z$oXeM|NQkIZv3Mg|JcGm$nXym{)2@7AmL9)2xfaxWB%JOb^n5X#`Tu}7yLQLx+7!T z{y~PeILIl%g&yoB1e#SeohA-;Jy4@$1u zld)rz2z zkGWBjuAH|FGl3h#e=rry8vUHE$Ie_r=+24oRSr*x_bu`IP`+dlfo z&=W5YZ@b6KEnL+1tn_vH5G}}gig%7`oZhrawf*Itof?v22l>w2VDr{@8Za9Zj5=q0 z1>H!xeWA?-8&ED<(zf3A1F2^K&6)E}^N!%$l8qcppsK z$?`}X^i%>TGG2l!6cx`8P=9Rjr4926Mh{uqZFO$tW%Iv_~GM+i(IyMRxrucnAXmLqd!#-{gUkOWi)o#^b6Py=hQXxEu2Ig5RS|u= zO2fxtxwIvMH)b#aFW@OeHcjzG6t{;)uN--AfSM_d=ZW%VWsp`g@0Svnz}Y7?^Hthj_lkRH)~BT&Tk5bxzkjb&SsKnlwZD ziR6_Q#NIi*xtfdblrDez=wT%=>P@mvWe;UDIj9cKM1_*D+9dOYGHjrXG`ErYi7qpf zaXzPH^8nl{q}iZfi03;9;^5&HiP;g+0nA`Z96fy)??cE73slG+Io~1AUqZCp;9kg)P7@=fQ#UDoi5e3bIfv< zAbDer>`LN3-Ii6(K)v;`6geCsu_aDVs3+?M*1ke~U*G$8_ozwK!V}fjZ33NRM-m1J 
z9FyfTzHhnstgFlSy=mJLC74in{mW9yJUW7(-$Zx*$wP*zz_l>?Hd?xcJ-(o`YB?_| znW9&-l>c-WW6i;kx7JsbLhmv5F}4}v0tb}Asi^`5g~ARWydT#e21U(I8My29sw^pP z{&KwfNXJ7t%j`RmPXx{}XPDC~v8-rj5uCr;F|->%LtnJzT_i_VvZf8vs412I(dDx@ z_OcvVvDQ>IjQv5s37+pi-8cg4#+$buEXeFty{%4S+kQ7`D(<#T51nbN$^8bg$^9p^ zOm(gpJ{IWghwt{><5`b?tr(2+6hrME;jq|3vcQj)%?1rWFcRzeyiX_Un!VLMafwW< zgl;F?nca6prUx--TSxG!(jcbQs2X_KR%r^1a~pLo4A}FZgEVY9oqv3YB_f{tGhBM8 z34%^VT&90OP@jYO0NQX>ZaUs~OFcXJF`| zmfx&}*0--U05Q=z6<}=O@%*|6&H-kuGm2F?{g+OqWNOPBDa8x>9NTQN=}_M}=DkC> zF6ANiR9DAAbIh_2u|KR@(kHv&nVCB0sI0|&mhBiV7k=3KX0{h+;SW1V*Z{R7R31{y zTlj-G|0;}t_6~gR&PL9fH#VP^l)VNrR1x9_50loSJf-*lDr|J&)(EsumD%KOr0dHH%XoyYP>D-Z)_-n zc&BtzhaFng`?Kq872a|4R_ttKk!?OB;4;b>OMBocK;B)8=U&u9)(oiS5OcIwbFYb1mXNflF;~#jwq%-9xp( z3dgQ%#uo9#fq~U0wbWHC&NV&d6&ICaSGz0#>#ke2C)Le}4mpvG(@_C8| z*|EA@#w67)zse!I=I%amr|hOZeKlT;5kcaN2fY|LS4T$R%&5qrmB0f1&8YH*#Ti?z zH}01jZTAM>5=|DDc&EjZ8^Nn1^w4p!ZV)#;LQx>gjBtAw1R;Cir#lp;U_0#%x+mf+ z!Xyv&_n2#4dwnVDP56oTU16@~Pmk!-pp2;;caDzGvP*BAKM@n8Wm9*X7HcQB$^u!& zktNR^q#Q>XUbMn)>47lQFoezzo`-0Um@Bb9(eT~nhsfz@nPEM&+_>6ybNGx|RG-Oa ztD-4R>Jju)I>&s$8) z_w~hh8|u2Av~k&*1VnSu$RFUOQCnr}XywsgW-uE{z zy$~_#6W?+$*2n;MuqX#Ijkh6y`8L@6=+t!GXP0~IEcib@)P3o=7B1=Nkb2tboUB#k z)o5XfjAZFama&O`_%bV5d8GRbv92Pl2U;~CN^(9_|H=Ng8LQoFkC16;`nBTN!23** ze5W8xPuLx^+UBG;Zd{q3eLO(S(?yDgp!IID7bui)9ONx64Y_yk$_#2cDZpQgnOP`~ z`i6)NP{1*xu%}4I{?Z}^?eg*U$b(?eYH=g0-(}9R2w4wp4hGv=ItvM2h2?TcWF{p9 z$K5DM?o%lEoc~y4&kyQsDVf6JY{4m+;%wWP_-MtnQoPMnb1e7jWa|&Us zmvr4>q}aW0ib70D6;56UJa!m60mQgXI$I)I4P!)!q{ccsdhA>>3_i4@!Bw?7JCE}N zYn^}ugYaken=2s@S7;#qin*LA**%@ANsBK(V2|Y({P?gT-Tw9K;f^(VLn(BD=@+Tb z8i#AA_z$OVHP234@WZR)2V>R5I_33yGBrQucORfIKX9g<>O3F7^PorB-Soz_yB7Xd zIbs*uZV0&?TSYGWf08F`r@E6vp4v_3bWPADI-F*b^-BcK_rK#hL?2wmus}#XGUZ7z6s4O2B zn|Gs~$R0yw_C|VeL(f$2^$W!S~y4NycY=Gn z7)Crfcuwerlqxfwh56;=A0J?~kkn=rSj7Vjfl947n}HNAptSnKFx`s+Q88 zsvO4d4C29_$Su57bgfu#z&iKCjc2ab1}U;T{SCH?Bbd-8WW+Gu7rw&<>sPMeceKEX z%R2M|>uUI^hbUAN%k31XTa(Bqb+Y5V_ns#pAHS)~Lc=wWmMD8u-dLEEG7Yj@ 
z)i_Z}b7MM8Yt~Jrm%6skH}Rg-Y&J0Q_C|z0GAi$^2VwTh<1|(pFbAj~owb#EjmSR| zFK@v>_GgX}8EeXYH(h(x=2ongZlvA9@dJt>+bUIi_^R-jA z+lv)*DXE0_O}RxCzt+q@uded=E^Kd<;^q&-9M06{XI^ka_~0`Hw;DgygzQLEK2O|| zntCkkOnKszW;WhuengAgXzjMPZ#`Burs9n3j-57EUFG9Iqr121Xaj=6D_ZH75)AxdWtrLZF(ohIH})-tLB5=$2hjFJFE$H0?VkF~WOMNaB z%T$fA!9a-gcy7PRnVK`NTYEtlw;Kz)uX|s9!891R$_~=_RZ0HSE)*rylu=AAg2_{f ztf)zh8a$1iZr*`-fOD?z*E(N1ak6Q_)-Lwi750|*T4!N1VI=I3GhwTmApJd@b*Vwc zp4lt*Kp9C+y6Zs1QH%Y4-2qoWc}v>biv{Lnx*D zPkAay_+rt01--3(6{1mJBx67JJli(N_4%UIs~W3@+Pl((OSDk5%OIA`vk7 z-B5q04_ZAH<-;$tO~dK-fhhOwlj=uf8$z}2_X&I5F37%#h|fRAJXKZ~NN4u!M{J=A z4>doqIFe1i3rY{Uo>d^1p6~2-xHDvEvKpZ);52q!Tlj~FV|Qn?v>IB-7lxX=0YD1EqYV1-mbQ*SChe)AYPsL=qik+*=ls(EsS6JhxAW_1D{yX^L)yR8-inMr@n-pQ{Ino&mh9VNzGX*DQi{h^6>+d>3g`@gM^cqE8^yMls zhh)Fx)wJyQY=Px9S0cMhz>q*s$b{MF&VX_u`{iX&K3H%o6Uk*cKg%V=BL~?ZD}0{M zyEISkia3?<6xxpU!!Y7)k=>EQxO-F=68|tbXrtOJw`YEj7Ub8R<* zbG4n2cEPq+dT*VxtY?CONC?@?fpV-x6zB()Y7T9;sJq2c;483RM8x2YA^892ZSI06d zrQxFM>)FX%F>9xkF(#`k3vWmmaF%3(tjA0Hq`F5q;kodP9bNPsmdF6NM?1 z@lDFn#FGoGY^6sVv=6dc@eJT4UOa`i;JXnc#+6VmaQ?wO9Yi@XsjdFWMcJ>MxLn>n ze_gsS;D}ClwWTORf%U2)bf2=AWMau%LN0WAhKQ}XgW2gR3xY|%vLPofm+~OJ7U^A% zS!XKmYWW>~9<7(^C7mOc>LnSTP&FSH2wAgTE+m6;jeP&wkkfU`A5YsSSFoAcgdo*a zx~2~{avp~0K&3+G5Br>m>5UA=wqbfDjcL&sdmPs|o_&-Yo@A%Cw^hCx4_eo7PAjfS z5$xmaW}O=wEMpoA!%rSM6FSd^d@BHUYv%E%&~D_t0YO?K=1Laa45&2xK{2cv32U|# zN%T!Yxj857JM49KL?D85S3=VBheA44Ozcg*t4YLR7%SSC{5egr*25zo)M>B1?^K$7 z^)lyi&qSiF$NUx@YJ-l!EXz};>K$OhDF?%%aa}*-P-i7HbR`-Cp`Pto4tS<-?Vje~ zD1X<&ut(xdeaw#gp_UxUpIvz9yL1io$D!3F$nJ$@dW$^t!D}_OPasS_o0Ah-W!9=N z!Nj$4Rqc2{O1NT%@}W?jm7EZt`izU$NG$-~%tzA%m!j8fD zSJDrUadBI-X=&~J+%9tBX?;?x;L#69W`!5%;7uCYG{16&iMT~i5fb+dbdZ8&sFE$h zjupC93V+stf-GQ7P502)YOE^GYb66z%KcvQL9eDd9F4h|l*GJfm) zf4_yzZ=9Eno}J9=?f-cP<}WT{{`e~5e@{PT#`TVW`12R?V_fh2&+!L$iL61C8xE_} zyQ2@K9{%{HJ1QhAf~9l2KzUrVGDiuHUp0JG+;g$;PS3RK0CpP6Z$=hbU!$#b{xEuybgKS zL-$WV)&#+*Ab$TR`0rj;K!bu!yBSJVy09Dq($&K%;N(3Zg?IjS*zaG4(Ez9Y3st`( zC7HfQoT3HNo$EkT6!tdE>LtX-B@PBEI9&f7DIiYvKjrxezj%l&3JN6(V05F-MODz; 
zUIqTodjH|?e}_Ia5gq_@jmG3J-?tTM_a!6EQEl12XWK+}l`G5iWM#F&jW}09Spt>? z6o_5(@so-9sc~fc&&*zZhjrrmA!h5}$c5PLlJu@D}Q8_zL6Ke{qWf&%- zHz{-?j_Q@s>F~)hWf46_d|KNL2kaPMUOAf(3huiA+lnkd$ ze@egHI2bTk(o(=|D&ri#WLps1=Cn(?!zk3e^u~pH#viV;p_?@!o-HPr3QHHUr-p5y zdD6`zYPP->b{tr1$89>G`$~uffFaOfvt4){(ipQ2DT^YyUwW z@F5a>34DDX916`@dmi|79QGPPBxBc7FsrxLAuG9IWVAlb08V{_p>!hxK=3*fLsb){ zr^D!%@wDk=It(EAMF8N^2>P<|uoDLZ#TpzF2CPFe0MN(Cfa_MVf7bC2KmHf$2mi1P zS#mDu#`I`dC4T#~d}B1z{=%M@G2>}%DR(+jKpy!C{K0Z@>O~U17RhUYS{UB)w8t;g r^ Date: Thu, 16 May 2024 10:57:29 +0200 Subject: [PATCH 263/288] typos and less implicitness --- doc/APPS.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/doc/APPS.md b/doc/APPS.md index 4131a9c9..bb80112a 100644 --- a/doc/APPS.md +++ b/doc/APPS.md 
@@ -38,11 +38,11 @@ Now that it's done, go to AdGuard Home [Setup Guide](https://__DOMAIN____PATH__# - Hostname: keep it that way - HTTPS port: same, keep it that way - Protocol: now you have to made a choice: select either DNS-over-HTTPS or DNS-over-TLS - - If you want to use the [ClientID](https://github.com/AdguardTeam/AdGuardHome/wiki/Clients#clientid) option, you can't choose DNS-over-TLS since YunoHost can't handle wildcard domain names, so mandatory DNS-over-HTTPS for you + - If you want to use the [ClientID](https://github.com/AdguardTeam/AdGuardHome/wiki/Clients#clientid) option to whitelist your client, you can't choose DNS-over-TLS since YunoHost can't handle wildcard domain names, so mandatory DNS-over-HTTPS for you - If you don't know which one to choose, here's some help: - - as stated above, pick DNS-over-HTTPS if you want to use the ClientID feature to authenticate your requests - - pick DNS-over-HTTPS if you are likely to use networks that filter the DNS-over-TLS port, such as companies, schools, etc. - - else, pick DNS-over-TLS because it's a bit faster, as it uses one less [OSI network layer](https://en.wikipedia.org/wiki/OSI_model) + - As stated above, pick DNS-over-HTTPS if you want to use the ClientID feature to authenticate your requests + - Pick DNS-over-HTTPS if you are likely to use networks that filter the DNS-over-TLS port, such as companies, schools, etc. + - Else, pick DNS-over-TLS because it's a bit faster, as it uses one less [OSI network layer](https://en.wikipedia.org/wiki/OSI_model) - ClientID: enter a ClientID, `iphone-123456` as an example - Don't forget to add the exact same ClientID to your Allowlist in the `Settings → DNS settings → Access settings → Allowed clients` From 1502832343b59577ea541e13af692f493a8646d1 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Thu, 16 May 2024 11:12:50 +0200 Subject: [PATCH 264/288] better phrasing --- doc/APPS.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/doc/APPS.md b/doc/APPS.md index bb80112a..17bfe792 100644 --- a/doc/APPS.md +++ b/doc/APPS.md @@ -33,7 +33,7 @@ To do so, you first need to activate the DNS over HTTP/TLS/QUIC functionnality u If you're reading this you should already be in the right page: just click the "AdGuard Home configuration" option at the top of this text, toggle on "Activate DNS over HTTP/TLS/QUIC?" then "Save". Else, open The YunoHost Webadmin and follow this path: `Applications → AdGuard Home → AdGuard Home configuration` -Now that it's done, go to AdGuard Home [Setup Guide](https://__DOMAIN____PATH__#guide) page of your instance, click the "DNS Privacy" option and scroll to the bottom. +Now that it's done, go to the [Setup Guide](https://__DOMAIN____PATH__#guide) page of your AdGuard Home instance, click the "DNS Privacy" option and scroll to the bottom. - Hostname: keep it that way - HTTPS port: same, keep it that way From e7c6a5a960e1e640eb0c52af9717812021dbe9ab Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Thu, 16 May 2024 11:14:26 +0200 Subject: [PATCH 265/288] typo --- doc/APPS.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/APPS.md b/doc/APPS.md index 17bfe792..85e785a3 100644 --- a/doc/APPS.md +++ b/doc/APPS.md 
@@ -27,7 +27,7 @@ You can easilly configure this app: ### Secure DNS profile To use your AGH instance as the DNS server on your Apple device, you can generate an Apple 'Secure DNS profile'. -Note: as a more tech-savy alternative to this tutorial, you can use [Secure DNS profile creator](https://dns.notjakob.com/index.html). +Note: as a more tech-savvy alternative to this tutorial, you can use [Secure DNS profile creator](https://dns.notjakob.com/index.html). To do so, you first need to activate the DNS over HTTP/TLS/QUIC functionnality using the YunoHost Webadmin. If you're reading this you should already be in the right page: just click the "AdGuard Home configuration" option at the top of this text, toggle on "Activate DNS over HTTP/TLS/QUIC?" then "Save". From 91d86bf859df6b56b880d7f90e76f5893ebec45f Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Thu, 16 May 2024 11:22:51 +0200 Subject: [PATCH 266/288] fix a dumb fileless grep... --- scripts/upgrade | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/upgrade b/scripts/upgrade index 77a0627a..861c31bf 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -30,7 +30,7 @@ ynh_systemd_action --service_name="$app" --action="stop" ynh_script_progression --message="Ensuring downward compatibility..." --weight=1 # to remove some time in the future (DoH PR during testing phase residual) -if ! grep -q "port_https: 0"; then +if ! grep -q "port_https: 0" "$install_dir/AdGuardHome.yaml"; then ynh_write_var_in_file --file="$install_dir/AdGuardHome.yaml" --key="port_https" --value="0" fi From 2d9d2a1fbe4f778bac28b1cf167777a35d517418 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Thu, 16 May 2024 13:11:55 +0200 Subject: [PATCH 267/288] rename a setting to be more accurate --- config_panel.toml | 2 +- doc/ADMIN.md | 2 +- doc/PRE_UPGRADE.d/0.107.48~ynh3.md | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/config_panel.toml b/config_panel.toml index 02f90ef6..5ce3d489 100644 
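Review bot: In the `scripts/upgrade` hunk, the fixed guard `if ! grep -q "port_https: 0" "$install_dir/AdGuardHome.yaml"` still treats a grep error the same as "no match". If the file is missing or unreadable, grep exits with status 2, so the branch runs `ynh_write_var_in_file` against a config that may not be there, and grep's stderr line is the only trace. Whether a missing config should abort the upgrade or be skipped is not visible from this hunk, but the case should be made explicit, for example `[ -f "$install_dir/AdGuardHome.yaml" ] || ynh_die --message="AdGuardHome.yaml not found"` before the `if`. The pattern is also an unanchored substring match; `grep -qE '^[[:space:]]*port_https: 0[[:space:]]*$'` would pin it to that key and value.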
--- a/config_panel.toml +++ b/config_panel.toml @@ -9,7 +9,7 @@ services = ["__APP__"] name = "Configure AdGuard Home options" [main.options.expose_port_53] -ask = "Expose port 53 to the Internet?" +ask = "Bind to public IP addresses?" no = "false" type = "boolean" yes = "true" diff --git a/doc/ADMIN.md b/doc/ADMIN.md index 5c6de922..91c33499 100644 --- a/doc/ADMIN.md +++ b/doc/ADMIN.md @@ -2,7 +2,7 @@ You want to be sure to understand the config settings? You're at the right place! ^w^ -## Expose port 53 to the Internet? +## Bind to public IP addresses? This setting is **disabled** by default. diff --git a/doc/PRE_UPGRADE.d/0.107.48~ynh3.md b/doc/PRE_UPGRADE.d/0.107.48~ynh3.md index b981c967..709a1aee 100644 --- a/doc/PRE_UPGRADE.d/0.107.48~ynh3.md +++ b/doc/PRE_UPGRADE.d/0.107.48~ynh3.md @@ -6,7 +6,7 @@ From this 0.107.48~ynh3 version, some things have changed: To activate either of these features, please use the config panel in the YunoHost webadmin: Applications → AdGuard Home → AdGuard Home configuration -- Expose port 53 to the Internet? +- Bind to public IP addresses? - Enable DNS-over-HTTPS/TLS/QUIC? It's really important to use the configuration panel to activate or deactivate the DNS-over-HTTPS/QUIC setting, and **NOT** the built-in setting in the AdGuardHome interface. From c8f51af47bb83c61455058724be36d5b79e616db Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Thu, 16 May 2024 13:18:05 +0200 Subject: [PATCH 268/288] talk about 'ClientID' in the 'Authorize some public IP addresses' section --- doc/ADMIN.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/ADMIN.md b/doc/ADMIN.md index 91c33499..50ea235e 100644 --- a/doc/ADMIN.md +++ b/doc/ADMIN.md 
@@ -102,7 +102,7 @@ If your ISP has assigned you an IPv6 range (ex. `2a01:d34d:b33f:1312::/64`), you You can add any public IP you know you'll use. -If you want to use your AGH instance on your smartphone, it gets more complex: you have to allow the IP ranges of your mobile operator. +If you want to use your AGH instance on your smartphone without using the [ClientID](https://github.com/AdguardTeam/AdGuardHome/wiki/Clients#clientid) feature (only availabe with DoH, check the 'Apps' documentation to find out how to use it on your phone), it gets more complex: you have to allow the IP ranges of your mobile operator. It's not perfect but it still drastically reduces the chances of unauthorized use, while allowing you to use it with your smartphone. **Note:** in case of connection on not authorized wifi networks with your smartphone, you will not be able to use your AdGuard Home instance. From 3647ffbd6f0e14d6366f34d5bcad0ee749a43ba1 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Thu, 16 May 2024 13:18:32 +0200 Subject: [PATCH 269/288] line break --- doc/ADMIN.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/doc/ADMIN.md b/doc/ADMIN.md index 50ea235e..33c218e1 100644 --- a/doc/ADMIN.md +++ b/doc/ADMIN.md 
@@ -73,7 +73,8 @@ If your port 53 is exposed on Internet, you can secure your AdGuard Home server We've had YunoHost users surprised to see their instance receiving tens of thousands of requests per day, this was due to the public exposure of port 53 on Internet and the lack of securisation of their instance. -In this allowlist, you can put [ClientID](https://github.com/AdguardTeam/AdGuardHome/wiki/Clients#clientid)s in place of IP addresses for the devices that uses DNS over HTTP. But since since YunoHost can't handle wildcard domain names, you can't use this ClientID functionnality with DNS over TLS and DNS over QUIC, sorry about that. +In this allowlist, you can put [ClientID](https://github.com/AdguardTeam/AdGuardHome/wiki/Clients#clientid)s in place of IP addresses for the devices that uses DNS over HTTP. +But since since YunoHost can't handle wildcard domain names, you can't use this ClientID functionnality with DNS over TLS and DNS over QUIC, sorry about that. The allowlist setting is located in your AdGuard Home interface: `Settings → DNS settings → Access settings → Allowed clients` From df1363c0c12aa41d085c0630b358bc3ef9f03984 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Thu, 16 May 2024 13:22:40 +0200 Subject: [PATCH 270/288] add the URL with ClientID for DoH --- doc/ADMIN.md | 1 + 1 file changed, 1 insertion(+) diff --git a/doc/ADMIN.md b/doc/ADMIN.md index 33c218e1..af867abd 100644 --- a/doc/ADMIN.md +++ b/doc/ADMIN.md 
@@ -75,6 +75,7 @@ We've had YunoHost users surprised to see their instance receiving tens of thous In this allowlist, you can put [ClientID](https://github.com/AdguardTeam/AdGuardHome/wiki/Clients#clientid)s in place of IP addresses for the devices that uses DNS over HTTP. But since since YunoHost can't handle wildcard domain names, you can't use this ClientID functionnality with DNS over TLS and DNS over QUIC, sorry about that. +**Note:** to use DNS over HTTP with a ClientID, you have to use the following URL: `https://__DOMAIN__/dns-query/your-client-id` The allowlist setting is located in your AdGuard Home interface: `Settings → DNS settings → Access settings → Allowed clients` From 839beb96a0db5ed91a3ed98d47a999934e63a818 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Thu, 16 May 2024 13:32:06 +0200 Subject: [PATCH 271/288] minor docs improvements --- doc/ADMIN.md | 6 +++--- doc/APPS.md | 8 ++++---- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/doc/ADMIN.md b/doc/ADMIN.md index af867abd..071f917c 100644 --- a/doc/ADMIN.md +++ b/doc/ADMIN.md 
@@ -14,12 +14,12 @@ When disabled: When enabled: - YunoHost **will** check if the port 53 is accessible on Internet and warns you if not -- You need to **manually open port 53** of your router if you self-host at home! -- Public IP adresses **will** be added to the AdGuard Home configuration, so AGH will be able to bind to them +- ⚠️ You need to **manually open port 53** of your router if you self-host at home! +- Server's public IP adresses **will** be added to the AdGuard Home configuration, so AGH will be able to bind to them You need to know that if you expose your DNS server to Internet, anyone who knows your server's IP can make a DNS request to it. It *may be used* to perform [amplification attacks](https://en.wikipedia.org/wiki/Denial-of-service_attack#Amplification)! This risk is greatly minimized by the rate limiting setting, which is set to 20 requests per second per client by default: -Settings → DNS settings → DNS server configuration → Rate limit +`Settings → DNS settings → DNS server configuration → Rate limit` You can completely or almost completely reduce the risk of unauthorized use with the help of the [Allowlist section](#allowlist) further down in this documentation. diff --git a/doc/APPS.md b/doc/APPS.md index 85e785a3..42299371 100644 --- a/doc/APPS.md +++ b/doc/APPS.md @@ -2,7 +2,7 @@ ## Android -To be completed by someone who uses an Android app +To be completed by someone who uses an Android app, feel free to contribute! ## Apple devices 
@@ -11,7 +11,7 @@ To be completed by someone who uses an Android app [AdGuard Home Remote](https://apps.apple.com/app/id1543143740) by [RocketScience IT](https://rocketscience-it.nl/) is compatible with Mac, iPhone, iPad and Watch. It is free with an in-app purchase of 6€ or US$5 to unlock some features. No ads, no tracking. -This app is for monitoring or configuring your AGH instance, not to use your AGH as a DNS server on your Apple device. +This app is for monitoring or configuring your AGH instance, not to use your AGH as a DNS server on your Apple device. See the section bellow for that! You can easilly configure this app: @@ -27,7 +27,7 @@ You can easilly configure this app: ### Secure DNS profile To use your AGH instance as the DNS server on your Apple device, you can generate an Apple 'Secure DNS profile'. -Note: as a more tech-savvy alternative to this tutorial, you can use [Secure DNS profile creator](https://dns.notjakob.com/index.html). +**Note:** as a more tech-savvy alternative to this tutorial, you can use [Secure DNS profile creator](https://dns.notjakob.com/index.html). To do so, you first need to activate the DNS over HTTP/TLS/QUIC functionnality using the YunoHost Webadmin. If you're reading this you should already be in the right page: just click the "AdGuard Home configuration" option at the top of this text, toggle on "Activate DNS over HTTP/TLS/QUIC?" then "Save". @@ -52,4 +52,4 @@ Finaly, open the system settings, click on the "Downloaded profile" message and Your device should now use your AdGuard Home instance as its DNS server. Congrats! -Note: Installed DNS profiles can be managed in the Settings under "General" then "VPN and Device Management". +**Note:** Installed DNS profiles can be managed in the Settings under "General" then "VPN and Device Management". From a087831edd721d15a376ae18bb2a7309f30522f8 Mon Sep 17 00:00:00 2001 
From: OniriCorpe Date: Thu, 16 May 2024 13:35:11 +0200 Subject: [PATCH 272/288] add the URL with ClientID to the DoH possible URLs --- doc/ADMIN.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/ADMIN.md b/doc/ADMIN.md index 071f917c..0744e20d 100644 --- a/doc/ADMIN.md +++ b/doc/ADMIN.md @@ -63,7 +63,7 @@ If you host your machine at home, for using DoH or DoQ, you have to open the fol Then you can use the following adresses as a DoH, DoT or DoQ DNS server for your devices: -- DNS over HTTP: `https://__DOMAIN__/dns-query` +- DNS over HTTP: `https://__DOMAIN__/dns-query` (or `https://__DOMAIN__/dns-query/your-client-id` with a [ClientID](https://github.com/AdguardTeam/AdGuardHome/wiki/Clients#clientid)) - DNS over TLS: `tls://__DOMAIN__:__PORT_DNS_OVER_TLS__` - DNS over QUIC: `quic://__DOMAIN__:__PORT_DNS_OVER_QUIC__` From df1a5cf9ef0a7e4b7fb216dcefaf9105cc1f0581 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Sat, 18 May 2024 19:27:26 +0200 Subject: [PATCH 273/288] adding precisions to a sentence --- doc/APPS.md | 2 +- doc/APPS_fr.md | 55 ++++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 56 insertions(+), 1 deletion(-) create mode 100644 doc/APPS_fr.md diff --git a/doc/APPS.md b/doc/APPS.md index 42299371..d16e7715 100644 --- a/doc/APPS.md +++ b/doc/APPS.md 
@@ -30,7 +30,7 @@ To use your AGH instance as the DNS server on your Apple device, you can generat **Note:** as a more tech-savvy alternative to this tutorial, you can use [Secure DNS profile creator](https://dns.notjakob.com/index.html). To do so, you first need to activate the DNS over HTTP/TLS/QUIC functionnality using the YunoHost Webadmin. -If you're reading this you should already be in the right page: just click the "AdGuard Home configuration" option at the top of this text, toggle on "Activate DNS over HTTP/TLS/QUIC?" then "Save". +If you're reading this using the YunoHost interface, you should already be in the right page: just click the "AdGuard Home configuration" option at the top of this text, toggle on "Activate DNS over HTTP/TLS/QUIC?" then "Save". Else, open The YunoHost Webadmin and follow this path: `Applications → AdGuard Home → AdGuard Home configuration` Now that it's done, go to the [Setup Guide](https://__DOMAIN____PATH__#guide) page of your AdGuard Home instance, click the "DNS Privacy" option and scroll to the bottom. diff --git a/doc/APPS_fr.md b/doc/APPS_fr.md new file mode 100644 index 00000000..f23a14b3 --- /dev/null +++ b/doc/APPS_fr.md 
@@ -0,0 +1,55 @@ +# Documentation des applications + +## Android + +Doit être complété par quelqu'un qui utilise Android + +## Appareils Apple + +### AdGuard Home Remote + +[AdGuard Home Remote](https://apps.apple.com/app/id1543143740) par [RocketScience IT](https://rocketscience-it.nl/) est compatible avec les Mac, iPhone, iPad et Watch. +Elle est gratuite and un achat in-app de 6 € pour débloquer des fonctionnalités supplémentaires. Aucune publicité ni tracking. + +Cette app sert à monitorer ou configurer votre instance AGH, et non pas utiliser cette dernière comme serveur DNS pour votre appareil Apple. + +Vous pouvez facilement configurer l'app : + +- Ajouter une instance +- Choisir un nom d'affichage +- Écrire le nom de domaine de votre instance AdGuard Home, par exemple `adguard.example.com` +- Choisir `https`, cela va automatiquement remplir le champ du port avec `443` +- Renseigner vos identifiants AdGuard Home dans les champs "Authentification" +- Tester la connexion, si une coche verte apparaît, tout est bon! + +[Votre configuration devrait ressemblr à ceci.](https://raw.githubusercontent.com/YunoHost-Apps/adguardhome_ynh/master/doc/screenshots/apps/AGH-remote.PNG) + +### Profil DNS sécurisé + +Afin d'utiliser votre instance AGH en tant que serveur DNS de votre appareil Apple, vous pouvez générer un "Profil DNS sécurisé". +**Note :** en alternative pour utilisateurice expérimenté•e à ce tutoriel, vous pouvez également utiliser l'outil [Secure DNS profile creator](https://dns.notjakob.com/index.html). + +Pour ce faire, vous devez au préalable activer la fonctionnalité DNS sur HTTP/TLS/QUIC en utilisant l'interface d'administration Web de YunoHost. +Si vous lisez ceci via l'interface YunoHost', vous devriez déjà être au bon endroit: cliquez simplement sur l'option "AdGuard Home configuration" au dessus de ce texte, activez "Activate DNS over HTTP/TLS/QUIC?" puis cliquez sur "Save". 
+Sinon, ouvrez l'interface d'administration Web et suivez ce chemin : `Applications → AdGuard Home → AdGuard Home configuration` + +Désormais, rendez-vous sur la page [Setup Guide](https://__DOMAIN____PATH__#guide) de votre instance AdGuard Home, cliquez sur "DNS privacy" et déscendez tout en bas. + +- Hostname: laisser comme tel +- HTTPS port: laisser aussi comme tel +- Protocol: vous devez désormais faire un choix entre DNS-over-HTTPS et DNS-over-TLS + - Si vous désirez utiliser la fonctionnalité [ClientID](https://github.com/AdguardTeam/AdGuardHome/wiki/Clients#clientid) afin de mettre vos appareils sur liste blanche, vous ne pouvez pas choisir DNS-over-TLS car YunoHost ne peut pas gérer les noms de domaines "wildcard", l'usage du DNS-over-HTTPS sera donc obligatoire pour vous + - Si vous ne savez pas lequel choisir, voici un peu d'aide : + - Comme expliqué ci-dessus, choisissez DNS-over-HTTPS si vous souhaitez utiliser la fonctionnalité ClientID pour authentifier vos requêtes + - Choisissez DNS-over-HTTPS si vous devez fréquemment utiliser des réseaux succeptibles de filtrer le port du DNS-over-TLS, tels que ceux des entreprises, des écoles, etc. + - Sinon, choisissez le DNS-over-TLS pour sa rapidité légèrement suppérieure, comme il utilise une [couche réseau OSI](https://fr.wikipedia.org/wiki/Mod%C3%A8le_OSI) de moins +- ClientID: renseigner un ClientID, `iphone-123456` par exemple + - N'oubliez pas d'ajouter un ClientID identique dans votre liste blanche : `Settings → DNS settings → Access settings → Allowed clients` + +Vous pouvez maintenant cliquer sur le bouton "Download configuration file" et accepter le téléchargement. + +Pour finir, ouvrez les réglages système, cliquez sur le message "Profil téléchargé" et installez-le en entrant le mot de passe de l'appareil et en tapant "Installer" quelques fois. + +Votre appareil devrait maintenant utiliser votre instance AdGuard Home en tant que serveur DNS. Super ! 
+ +**Note :** Les profils installés peuvent être gérés dans les Réglages, dans "Général" puis "VPN et gestion de l'appareil". From fc508c5d8931f326eda4dab9f9769f3100e5b136 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Sat, 18 May 2024 19:48:14 +0200 Subject: [PATCH 274/288] french translation for the config panel --- config_panel.toml | 31 +++++++++++++++++++++---------- 1 file changed, 21 insertions(+), 10 deletions(-) diff --git a/config_panel.toml b/config_panel.toml index 5ce3d489..955491a6 100644 --- a/config_panel.toml +++ b/config_panel.toml 
@@ -1,32 +1,43 @@
 version = "1.0"
 [main]
-name = "AdGuard Home configuration"
-help = "If any trouble or question, please refer to the admin documentation right below!"
+name.en = "AdGuard Home configuration"
+name.fr = "Configuration de AdGuard Home"
+help.en = "If any trouble or question, please refer to the admin documentation right below!"
+help.fr = "En cas de problème ou questionnement, référez-vous au guide d'administration en bas de la page !"
+
 services = ["__APP__"]
 [main.options]
-name = "Configure AdGuard Home options"
+name.en = "Configure AdGuard Home options"
+name.fr = "Options de configuration de AdGuard Home"
 [main.options.expose_port_53]
-ask = "Bind to public IP addresses?"
+ask.en = "Bind to public IP addresses?"
+ask.fr = "Liaison avec les adresses IP publiques ?"
 no = "false"
 type = "boolean"
 yes = "true"
-help = "If so, anyone who knows your server's IP can make a DNS request to it. It may be used to perform amplification attacks: https://en.wikipedia.org/wiki/Denial-of-service_attack#Amplification Please read the admin doc to understand that setting and to secure your server using allowlist."
+help.en = "If so, anyone who knows your server's IP can make a DNS request to it. It may be used to perform amplification attacks: https://en.wikipedia.org/wiki/Denial-of-service_attack#Amplification Please read the admin doc to understand that setting and to secure your server using allowlist."
+help.fr = "Si activé, quiconque connaissant l'adresse IP de votre serveur pourra lui faire des requêtes DNS. Il pourrait être utilisé afin de réaliser des attaques par amplification DNS : https://www.malekal.com/attaque-dos-amplification Veuillez lire le guide d'administration pour comprendre ce paramètre et comment sécuriser votre serveur en utilisant la liste blanche."
 [main.options.dns_over_https]
-ask = "Enable DNS-over-HTTPS/TLS/QUIC?"
+ask.en = "Enable DNS-over-HTTPS/TLS/QUIC?"
+ask.fr = "Activer le DNS-sur-HTTPS/TLS/QUIC ?"
no = "false"
 type = "boolean"
 yes = "true"
 bind = "tls>enabled:__INSTALL_DIR__/AdGuardHome.yaml"
-help = "If so, anyone who knows your adguard address can make a DoH request to https://adguardomain.tld/dns-query or using DoT or DoQ. It also may be used to perform amplification attacks. Read the admin doc to secure your server using allowlist."
+help.en = "If so, anyone who knows your adguard address can make a DoH request to https://adguardomain.tld/dns-query or using DoT or DoQ. It also may be used to perform amplification attacks. Read the admin doc to secure your server using allowlist."
+help.fr = "Si activé, quiconque connaissant l'adresse de votre serveur pourra lui faire des requêtes DoH sur https://adguardomain.tld/dns-query ou en utilisant le DoT ou DoQ. Il pourrait aussi être utilisé afin de réaliser des attaques par amplification DNS. Veuillez lire le guide d'administration pour comprendre ce paramètre et comment sécuriser votre serveur en utilisant la liste blanche."
 [main.extra]
-name = "Extra tools"
+name.en = "Extra tools"
+name.fr = "Outils"
 [main.extra.new_password]
-ask = "Set a new admin password"
+ask.en = "Set a new admin password"
+ask.fr = "Changer le mot de passe administrateur"
 type = "string"
-help = "With this tool, you can easily change the password of your AdGuard Home. Just put the desired password in the text input."
+help.en = "With this tool, you can easily change the password of your AdGuard Home. Just put the desired password in the text input."
+help.fr = "À l'aide de cet outil, vous pouvez facilement changer le mot de passe de votre AdGuard Home. Renseignez juste le mot de passe désiré dans le champ de saisie."
From 98baaf6646845359aecdbdeb1378b196a7b9fce9 Mon Sep 17 00:00:00 2001
From: OniriCorpe
Date: Sat, 18 May 2024 20:16:22 +0200
Subject: [PATCH 275/288] smol english docs fixes
---
 doc/ADMIN.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/doc/ADMIN.md b/doc/ADMIN.md
index 0744e20d..79dda8b5 100644
--- a/doc/ADMIN.md +++ b/doc/ADMIN.md @@ -41,7 +41,7 @@ Any IP **that doesn't start** with the folowing are public ones: - `fcxx:` (where the `x` can be any hexadecimal character) - `fdxx:` (where the `x` can be any hexadecimal character) -**Warning:** IPv6 starting with `fe80:` (IPv6 LLA) CAN'T be used for DNS purposes, if you try to put one in the AGH config, it won't work and crash. +**Warning:** IPv6 starting with `fe80:` (IPv6 LLA) CAN'T be used for DNS purposes, if you try to put one in the AGH config, it won't work and crash! So, any other IP should be a public one. @@ -51,7 +51,7 @@ Restart AdGuard Home after applying the needed edits: `yunohost service restart This setting is **disabled** by default. -You need to know that anyone who knows your AdGuard Home domain-name can make a DNS request to it. It may be used to perform [amplification attacks](https://en.wikipedia.org/wiki/Denial-of-service_attack#Amplification)! +If enabled, you need to know that anyone who knows your AdGuard Home domain-name can make a DNS request to it. It may be used to perform [amplification attacks](https://en.wikipedia.org/wiki/Denial-of-service_attack#Amplification)! It's really important to use the configuration panel to deactivate this setting, and **NOT** the built-in setting in the AdGuardHome interface. This is because YunoHost needs to perform actions such as automatically opening or closing the server's ports and refresh the IP to provide to AdGuard Home, which cannot be done without going through the configuration panel. From ba112fde654de4d996204a70cb4b583c173e6a13 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Sat, 18 May 2024 20:16:45 +0200 Subject: [PATCH 276/288] admin docs french translation, first part --- doc/ADMIN_fr.md | 68 +++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 doc/ADMIN_fr.md diff --git a/doc/ADMIN_fr.md b/doc/ADMIN_fr.md new file mode 100644 index 00000000..aecdbde9 --- /dev/null 
+++ b/doc/ADMIN_fr.md 
@@ -0,0 +1,68 @@
+# Guide d'administration de AdGuard Home pour YunoHost
+
+Vous voulez comprendre comment bien configurer les paramètres de AdGuard Home ? Vous êtes au bon endroit ! ^w^
+
+## Liaison avec les adresses IP publiques ?
+
+Ce paramètre est **désactivé** par défaut.
+
+Lorsque désactivé :
+
+- YunoHost **ne va pas** vérifier l'accessibilité du port 53 depuis Internet et vous avertir s'il n'est pas accessible (donc éviter les alertes non pertinentes)
+- Les adresses IP publiques **ne seront pas** ajoutées à la configuration de AdGuard Home
+
+Lorsque activé :
+
+- YunoHost **vérifiera** l'accessibilité du port 53 depuis Internet et vous avertira s'il n'est pas accessible
+- ⚠️ Vous devrez **ouvrir manuellement le port 53** sur votre routeur si vous vous auto-hébergez à la maison !
+- Les adresses IP publiques **seront** ajoutées à la configuration de AdGuard Home, donc AGH se liera à elles
+
+Vous devez savoir que lorsque vous exposez votre serveur DNS sur Internet, quiconque connaît son adresse peut l'utiliser. **Il peut être détourné** afin de réaliser des [attaques par amplification DNS](https://www.malekal.com/attaque-dos-amplification) !
+Ce risque est grandement limité par le système de limitation du nombre de requêtes (rate limiting), qui est consifuré pr défaut à 20 requêtes par secondes par client :
+`Settings → DNS settings → DNS server configuration → Rate limit`
+
+Vous pouvez complètement ou presque complètement ces risques d'usages non autorisés à l'aide de la section [Liste blanche](#liste-blanche) plus loin dans cette documentation.
+
+Pour utiliser AdGuard Home sur votre réseau domestique si vous vous auto-hébergez à la maison, il **n'est pas nécessaire** d'activer ce paramètre.
+Vous avez simplement à utiliser l'adresse IP privée de votre serveur (telle que `192.168.0.1` ou similaire) en tant qu'adresse IP du serveur DNS de vos appareils électroniques domestiques.
+La bonne adresse à utiliser est indiquée en haut de la page "Setup Guide" de votre instance AdGuard Home.
+
+Si vous voulez exposer le port 53 sur Internet, vous devrez utiliser l'adresse IP publique de votre serveur (la même que celle configurée dans les paramètres DNS de votre nom de domaine) sur les apapreils situés ou pouvant se situer à l'extérieur de votre domicile.
+
+**Avertissement :** vous ne devez pas avoir d'adresse IP publique dans votre configuration AdGuard Home si le port 53 n'est pas exposé sur Internet (sinon AGH crash).
+**Veuillez noter :** Elles devraient être automatiquement lors de la mise à jour du packge ou en modifiant ce réglage de l'exposition du port 53, mais c'est dans la doc au cas où.
+Vous pouvez les retirer dans la configuration située à `/var/www/adguardhome/AdGuardHome.yaml` dans la section `dns: bind_hosts:`.
+Si une IP **ne débute pas** par ce qui suit, c'est une IP publique :
+
+- `10.`
+- `169.`
+- `172.`
+- `192.168.`
+- `fcxx:` (où le `x` peut être n'importe quel caractère' hexadecimal)
+- `fdxx:` (où le `x` peut être n'importe quel caractère' hexadecimal)
+
+**Avertissement :** Les IPv6 débutant par `fe80:` (IPv6 LLA) NE peuvent PAS être utilisées pour du DNS, si vous essayez d'en mettre une dans la configuration de AGH, ça ne fonctionnera pas et AGH crashera !
+
+Donc toute autre adresse IP devrait être une adresse IP publique.
+
+Redémarrez AdGuard Home manuellement après avoir modifié sa configuration à la main : `yunohost service restart adguardhome`
+
+## Activer le DNS-sur-HTTPS/TLS/QUIC ?
+
+Ce paramètre est **désactivé** par défaut.
+
+Si activé, vous devez savoir que quiconque connaît le nom de domaine de votre AdGuard Home peut l'utiliser. **Il peut être détourné** afin de réaliser des [attaques par amplification DNS](https://www.malekal.com/attaque-dos-amplification) !
+
+
+
+## Liste blanche
+
+
+
+### Réseau local
+
+
+
+### Authoriser quelques adresses IP publiques
+
+
From 2ede9723d924f6df994f93d1e11c4ca5b532010a Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Sun, 19 May 2024 03:01:30 +0200 Subject: [PATCH 277/288] admin docs fixes --- doc/ADMIN.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/doc/ADMIN.md b/doc/ADMIN.md index 79dda8b5..02eff73c 100644 --- a/doc/ADMIN.md +++ b/doc/ADMIN.md @@ -15,7 +15,7 @@ When enabled: - YunoHost **will** check if the port 53 is accessible on Internet and warns you if not - ⚠️ You need to **manually open port 53** of your router if you self-host at home! -- Server's public IP adresses **will** be added to the AdGuard Home configuration, so AGH will be able to bind to them +- Server's public IP adresses **will** be added to the AdGuard Home configuration, so AGH will be able to bind to them and will expose directly the port 53 to the Internet You need to know that if you expose your DNS server to Internet, anyone who knows your server's IP can make a DNS request to it. It *may be used* to perform [amplification attacks](https://en.wikipedia.org/wiki/Denial-of-service_attack#Amplification)! This risk is greatly minimized by the rate limiting setting, which is set to 20 requests per second per client by default: 
@@ -53,10 +53,10 @@ This setting is **disabled** by default. If enabled, you need to know that anyone who knows your AdGuard Home domain-name can make a DNS request to it. It may be used to perform [amplification attacks](https://en.wikipedia.org/wiki/Denial-of-service_attack#Amplification)! -It's really important to use the configuration panel to deactivate this setting, and **NOT** the built-in setting in the AdGuardHome interface. +It's really important to use the configuration panel included in the YunoHost Webadmin interface to activate or deactivate this setting, and **NOT** the built-in setting in the AdGuardHome interface. This is because YunoHost needs to perform actions such as automatically opening or closing the server's ports and refresh the IP to provide to AdGuard Home, which cannot be done without going through the configuration panel. -If you host your machine at home, for using DoH or DoQ, you have to open the following ports on your router by yourself: +If you host your machine at home, for using DoT or DoQ, you have to open the following ports on your router by yourself: - `__PORT_DNS_OVER_TLS__` in TCP & UDP (for DNS over TLS) - `__PORT_DNS_OVER_QUIC__` in UDP (for DNS over QUIC) 
@@ -71,7 +71,7 @@ Then you can use the following adresses as a DoH, DoT or DoQ DNS server for your If your port 53 is exposed on Internet, you can secure your AdGuard Home server using allowlist to prevent unauthorized use. -We've had YunoHost users surprised to see their instance receiving tens of thousands of requests per day, this was due to the public exposure of port 53 on Internet and the lack of securisation of their instance. +We've had YunoHost users surprised to see their instance receiving tens of thousands of unknown requests per day, this was due to the public exposure of port 53 on Internet and the lack of securisation of their instance. In this allowlist, you can put [ClientID](https://github.com/AdguardTeam/AdGuardHome/wiki/Clients#clientid)s in place of IP addresses for the devices that uses DNS over HTTP. But since since YunoHost can't handle wildcard domain names, you can't use this ClientID functionnality with DNS over TLS and DNS over QUIC, sorry about that. @@ -96,7 +96,7 @@ fe80::/16 ### Authorize some public IP addresses -Then you need to add the authorized public IP addresses. +Then you can add some authorized public IP addresses. For example, to authorize the IPv4 of your home internet connexion, open and paste the showed IP in the allowlist. 
@@ -106,10 +106,10 @@ You can add any public IP you know you'll use. If you want to use your AGH instance on your smartphone without using the [ClientID](https://github.com/AdguardTeam/AdGuardHome/wiki/Clients#clientid) feature (only availabe with DoH, check the 'Apps' documentation to find out how to use it on your phone), it gets more complex: you have to allow the IP ranges of your mobile operator. It's not perfect but it still drastically reduces the chances of unauthorized use, while allowing you to use it with your smartphone. -**Note:** in case of connection on not authorized wifi networks with your smartphone, you will not be able to use your AdGuard Home instance. +**Note:** in case of connection on non authorized wifi networks with your smartphone, you will not be able to use your AdGuard Home instance. Using the connexion to allow, go to and click on "Autonomous Systems". -**Note:** If you're using an iPhone, make sure that the ["Limit IP tracking" setting](https://support.apple.com/guide/iphone/iph499d287c2/ios) is disabled (otherwise you must authorize Akamai IP addresses using the same method). +**Note:** If you're using an iPhone, make sure that the ["Limit IP tracking" or "iCloud private relay" settings](https://support.apple.com/guide/iphone/iph499d287c2/ios) are disabled (otherwise you must authorize Akamai IP addresses using the same method). You can now copy all the IP adresses in the "routes" section, remove all quotation marks, commas and spaces, but keep one IP per line, then paste the result into your allowlist. It should look like the list in the previous section. 
@@ -119,6 +119,6 @@ You can use the following command to automatically give you a ready-to-use list: curl -sL ip.guide/AS"$(curl -sL ip.guide | jq -s ".[].network.autonomous_system.asn")" | jq -s ".[].routes" | sed "/v.*:/d;/\],/d" | tr -d " {]\",}" ``` -The command asks your IP address to ip.guide, which returns the "Autonomous System" number, then the commands asks the IP ranges, then display it on your screen. +The command asks your IP address to ip.guide, which returns the "Autonomous System" number (ASN) of your access provider, then the commands asks its IP ranges, then display it on your screen. **Note:** maybe you'll need to do this step multiple times, as some Internet provider have multiple ASN numbers. So if one day your AdGuard Home refuses to reply, it might be because of this. From 30526dd7990eb9c1590ebe7686b7226cdd6031ae Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Sun, 19 May 2024 03:01:52 +0200 Subject: [PATCH 278/288] admin docs french translation, final part --- doc/ADMIN_fr.md | 61 ++++++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 58 insertions(+), 3 deletions(-) diff --git a/doc/ADMIN_fr.md b/doc/ADMIN_fr.md index aecdbde9..49affd88 100644 --- a/doc/ADMIN_fr.md +++ b/doc/ADMIN_fr.md 
@@ -15,7 +15,7 @@ Lorsque activé : - YunoHost **vérifiera** l'accessibilité du port 53 depuis Internet et vous avertira s'il n'est pas accessible - ⚠️ Vous devrez **ouvrir manuellement le port 53** sur votre routeur si vous vous auto-hébergez à la maison ! -- Les adresses IP publiques **seront** ajoutées à la configuration de AdGuard Home, donc AGH se liera à elles +- Les adresses IP publiques **seront** ajoutées à la configuration de AdGuard Home, donc AGH se liera à elles, ce qui exposera directement le port 53 sur Internet Vous devez savoir que lorsque vous exposez votre serveur DNS sur Internet, quiconque connaît son adresse peut l'utiliser. **Il peut être détourné** afin de réaliser des [attaques par amplification DNS](https://www.malekal.com/attaque-dos-amplification) ! Ce risque est grandement limité par le système de limitation du nombre de requêtes (rate limiting), qui est consifuré pr défaut à 20 requêtes par secondes par client : 
@@ -29,7 +29,7 @@ La bonne adresse à utiliser est indiquée en haut de la page "Setup Guide" de v Si vous voulez exposer le port 53 sur Internet, vous devrez utiliser l'adresse IP publique de votre serveur (la même que celle configurée dans les paramètres DNS de votre nom de domaine) sur les apapreils situés ou pouvant se situer à l'extérieur de votre domicile. -**Avertissement :** vous ne devez pas avoir d'adresse IP publique dans votre configuration AdGuard Home si le port 53 n'est pas exposé sur Internet (sinon AGH crash). +**Avertissement :** vous ne devez pas avoir d'adresse IP publique dans votre configuration AdGuard Home si le port 53 n'est pas exposé sur Internet (sinon AGH crash). **Veuillez noter :** Elles devraient être automatiquement lors de la mise à jour du packge ou en modifiant ce réglage de l'exposition du port 53, mais c'est dans la doc au cas où. Vous pouvez les retirer dans la configuration située à `/var/www/adguardhome/AdGuardHome.yaml` dans la section `dns: bind_hosts:`. Si une IP **ne débute pas** par ce qui suit, c'est une IP publique : 
@@ -47,22 +47,77 @@ Donc toute autre adresse IP devrait être une adresse IP publique. Redémarrez AdGuard Home manuellement après avoir modifié sa configuration à la main : `yunohost service restart adguardhome` -## Activer le DNS-sur-HTTPS/TLS/QUIC ? +## Activer le DNS-sur-HTTPS, DNS-sur-TLS et DNS-sur-QUIC ? Ce paramètre est **désactivé** par défaut. Si activé, vous devez savoir que quiconque connaît le nom de domaine de votre AdGuard Home peut l'utiliser. **Il peut être détourné** afin de réaliser des [attaques par amplification DNS](https://www.malekal.com/attaque-dos-amplification) ! +Il est vraiment importantd'utuliser le panneau de configuration inclus dans l'interface d'administration Web de YunoHost pour activer ou désactiver ce paramètre, et donc **NE PAS** utiliser le réglage inclus dans AdGuard Home. +Cela en raison de la nécessité que YunoHost réalise des réglages automatisés tels que ouvrir ou fermer des ports et rafraichir la liste des IP dans le fichier de configuration de AGH, qui ne peuvent être réalisés qu'en passant par ce paneau de configuration dédié. 
+Si vous auto-hébergez votre serveur à la maison, afin de pouvoir utiliser de DoT ou DoQ, vous devez aussi ouvrir vous même les ports suivant dans les réglages de votre routeur : + +- `__PORT_DNS_OVER_TLS__` en TCP & UDP (pour le DNS sur TLS) +- `__PORT_DNS_OVER_QUIC__` en UDP (pour le DNS sur QUIC) + +Puis vous pourrez utiliser les adresses suivantes en tant que serveur DNS DoH, DoT ou DoQ pour vos appareils électroniques : + +- DNS sur HTTP : `https://__DOMAIN__/dns-query` (ou `https://__DOMAIN__/dns-query/votre-client-id` en utilisant un [ClientID](https://github.com/AdguardTeam/AdGuardHome/wiki/Clients#clientid)) +- DNS sur TLS : `tls://__DOMAIN__:__PORT_DNS_OVER_TLS__` +- DNS sur QUIC : `quic://__DOMAIN__:__PORT_DNS_OVER_QUIC__` ## Liste blanche +Sir votre prot 53 est exposé sur Internet, vous pouvez sécuriser votre instance AdGuard Home à l'aide de la liste blanche, afin d'empêcher des usages non autorisés. + +Nous avons déjà reçu des messages d'utilisateurices de YunoHost interloqué-es en se rendant compte que leur instance AGH recevait des dizaines de milliers de requêtes inconnues par jour, cela étant du à l'exposition publique du port 53 sur Internet et au manque de sécurisation de leur instance. +Dans cette liste blanche, vous pouvez ajouter des [ClientID](https://github.com/AdguardTeam/AdGuardHome/wiki/Clients#clientid) en lieu et place des adresses IP de vos appareils utilisant le DNS sur HTTP. +Comme YunoHost ne supporte pas les noms de domaines "wildcard", l'usage de la fonctionnalité des ClientID n'est pas possible avec l'utilisation du DNS sur TLS et le DNS sur QUIC. Nous sommes désolées pour cela. 
+**Note :** afin d'utiliser le DNS sur HTTP avec un ClientID, vous devez utiliser une adresse telle que : `https://__DOMAIN__/dns-query/votre-client-id` + +Les réglages de la liste blanche se situent dans l'interface de AdGuard Home à cet endroit : `Settings → DNS settings → Access settings → Allowed clients` ### Réseau local +Si vous vous autohébergez à la maison, vous pouvez simplement coller la liste d'IP suivantes dans votre liste blanche (cela autorisera n'importe quelle adresse IP privée) : + +```text +10.0.0.0/8 +172.16.0.0/12 +192.168.0.0/16 +fc00::/7 +fe80::/16 +``` +**Note:** Le slash `/` et le numéro le suivant, après une adresse IP, representent le masque de sous réseau, ceci est appelé la notation CIDR. Si vous voulez en savoir plus sur la notation CIDR, [vous pouvez lire cet article](https://whatismyipaddress.com/cidr) (en anglais). ### Authoriser quelques adresses IP publiques +Vous pouvez maintenant aussi autoriser quelques adresses IP publiques. + +Par exemple, pour autoriser l'adresse IPv4 de votre connexion Internet domestique, ouvrez et collez l'adresse affichée dans votre liste blanche. + +Si votre FAI vous a assigné une plage d'adresses IPv6 (par exemple `2a01:d34d:b33f:1312::/64`), vous pouvez l'ajouter pour autoriser n'importe quel appareil de votre réseau utilisant cette plage d'adresses. + +Vous pouvez ajouter n'importe quelle adresse IP dont vous avez l'usage. + +Si vous voulez utiliser votre instance AGH avec votre smartphone sans utiliser la fonctionnalité [ClientID](https://github.com/AdguardTeam/AdGuardHome/wiki/Clients#clientid) (qui est uniquement disponible en utilisant le DoH, lisez la documentation des applications pour savoir comment l'utiliser avec votre smartphone), cela devient plus complexe : vous devrez autoriser les plages IP de votre opérateur mobile. 
+Ce n'est clairement pas parfait mais cela diminue quand même drastiquement les chances d'utilisations non autorisées, tout en vous permettant un usage avec votre smartphone. +**Note :** en cas de connexion sur des réseaux wifi non préalablement autorisés, vous ne pourrez pas utiliser votre instance AdGuard Home. + +En utilisant la connexion à autoriser, rendez-vous sur et cliquez sur "Autonomous Systems". +**Note :** Si vous utilisez un iPhone, vérifiez bien que [les options "Limiter le suivi de l'adresse IP" ou "Relais privé iCloud"](https://support.apple.com/guide/iphone/iph499d287c2/ios) sont désactivées (sinon vous devrez autoriser les adresses IP de Akamai en utilisant la même méthode). +Vous pouvez désormais copier toutes les adresses IP présentes dans la section "routes", retirer tous les guillemets, virgules et espaces en conservant une IP par ligne, puis coller ce résultat dans votre liste blanche. +Cela devrait ressembler à la liste de la section précédente de ce tutoriel. + +Vous pouvez utiliser la ligne de commande suivante pour avoir un résultat clé en main : + +```bash +curl -sL ip.guide/AS"$(curl -sL ip.guide | jq -s ".[].network.autonomous_system.asn")" | jq -s ".[].routes" | sed "/v.*:/d;/\],/d" | tr -d " {]\",}" +``` + +Cette commande demande votre adresse IP sur ip.guide, et la réponse contient l'identifiant "Autonomous System" (ASN) lié à votre opérateur. Puis la commande demande ses plages IP et les affiche sur votre écran. +**Note :** il est possible que vous deviez réaliser cette opération plusieurs fois, comme certains fournisseurs d'accès possèdent plusieurs numéros ASN. Donc si un jour votre AdGuard Home refuse de répondre, cela peut être la cause. From 7e64a2bfbb3cc9175bea6904c7d15fb5655e65de Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Sun, 19 May 2024 03:08:47 +0200 Subject: [PATCH 279/288] various smol fixes --- doc/ADMIN.md | 6 +++--- doc/ADMIN_fr.md | 12 ++++++------ 2 files changed, 9 insertions(+), 9 deletions(-) 
diff --git a/doc/ADMIN.md b/doc/ADMIN.md index 02eff73c..cad18273 100644 --- a/doc/ADMIN.md +++ b/doc/ADMIN.md @@ -30,7 +30,7 @@ The right IP addresses to use are shown at the top of the "Setup Guide" page of If you would expose the port 53 on Internet, you'll be able to use the public IP of your server (the same as in your domain name DNS settings) on any device outside your home network. **Warning:** you should not have public IPs in the config file if the port 53 is **not exposed** on Internet (else: AGH crashes) -**Please note:** They should be automatically removed when upgrading this package or when modifiying this port 53 exposure setting, but it's in the docs just in case. +**Please note:** they should be automatically removed when upgrading this package or when modifiying this port 53 exposure setting, but it's in the docs just in case. You can remove them in your config file `/var/www/adguardhome/AdGuardHome.yaml` in the `dns: bind_hosts:` section. Any IP **that doesn't start** with the folowing are public ones: @@ -92,7 +92,7 @@ fc00::/7 fe80::/16 ``` -**Note:** The slash `/` and the following number after the IP adresses represents the network mask, it's called the CIDR notation. If you want to learn about the CIDR notation, [you can read this article](https://whatismyipaddress.com/cidr). +**Note:** the slash `/` and the following number after the IP adresses represents the network mask, it's called the CIDR notation. If you want to learn about the CIDR notation, [you can read this article](https://whatismyipaddress.com/cidr). ### Authorize some public IP addresses 
@@ -109,7 +109,7 @@ It's not perfect but it still drastically reduces the chances of unauthorized us **Note:** in case of connection on non authorized wifi networks with your smartphone, you will not be able to use your AdGuard Home instance. Using the connexion to allow, go to and click on "Autonomous Systems". -**Note:** If you're using an iPhone, make sure that the ["Limit IP tracking" or "iCloud private relay" settings](https://support.apple.com/guide/iphone/iph499d287c2/ios) are disabled (otherwise you must authorize Akamai IP addresses using the same method). +**Note:** if you're using an iPhone, make sure that the ["Limit IP tracking" or "iCloud private relay" settings](https://support.apple.com/guide/iphone/iph499d287c2/ios) are disabled (otherwise you must authorize Akamai IP addresses using the same method). You can now copy all the IP adresses in the "routes" section, remove all quotation marks, commas and spaces, but keep one IP per line, then paste the result into your allowlist. It should look like the list in the previous section. diff --git a/doc/ADMIN_fr.md b/doc/ADMIN_fr.md index 49affd88..816fd665 100644 --- a/doc/ADMIN_fr.md +++ b/doc/ADMIN_fr.md 
@@ -29,8 +29,8 @@ La bonne adresse à utiliser est indiquée en haut de la page "Setup Guide" de v Si vous voulez exposer le port 53 sur Internet, vous devrez utiliser l'adresse IP publique de votre serveur (la même que celle configurée dans les paramètres DNS de votre nom de domaine) sur les apapreils situés ou pouvant se situer à l'extérieur de votre domicile. -**Avertissement :** vous ne devez pas avoir d'adresse IP publique dans votre configuration AdGuard Home si le port 53 n'est pas exposé sur Internet (sinon AGH crash). -**Veuillez noter :** Elles devraient être automatiquement lors de la mise à jour du packge ou en modifiant ce réglage de l'exposition du port 53, mais c'est dans la doc au cas où. +**Avertissement :** vous ne devez pas avoir d'adresse IP publique dans votre configuration AdGuard Home si le port 53 n'est pas exposé sur Internet (sinon AGH crash). +**Veuillez noter :** elles devraient être automatiquement lors de la mise à jour du packge ou en modifiant ce réglage de l'exposition du port 53, mais c'est dans la doc au cas où. Vous pouvez les retirer dans la configuration située à `/var/www/adguardhome/AdGuardHome.yaml` dans la section `dns: bind_hosts:`. Si une IP **ne débute pas** par ce qui suit, c'est une IP publique : @@ -41,7 +41,7 @@ Si une IP **ne débute pas** par ce qui suit, c'est une IP publique : - `fcxx:` (où le `x` peut être n'importe quel caractère' hexadecimal) - `fdxx:` (où le `x` peut être n'importe quel caractère' hexadecimal) -**Avertissement :** Les IPv6 débutant par `fe80:` (IPv6 LLA) NE peuvent PAS être utilisées pour du DNS, si vous essayez d'en mettre une dans la configuration de AGH, ça ne fonctionnera pas et AGH crashera ! +**Avertissement :** les IPv6 débutant par `fe80:` (IPv6 LLA) NE peuvent PAS être utilisées pour du DNS, si vous essayez d'en mettre une dans la configuration de AGH, ça ne fonctionnera pas et AGH crashera ! Donc toute autre adresse IP devrait être une adresse IP publique. 
@@ -74,7 +74,7 @@ Sir votre prot 53 est exposé sur Internet, vous pouvez sécuriser votre instanc Nous avons déjà reçu des messages d'utilisateurices de YunoHost interloqué-es en se rendant compte que leur instance AGH recevait des dizaines de milliers de requêtes inconnues par jour, cela étant du à l'exposition publique du port 53 sur Internet et au manque de sécurisation de leur instance. Dans cette liste blanche, vous pouvez ajouter des [ClientID](https://github.com/AdguardTeam/AdGuardHome/wiki/Clients#clientid) en lieu et place des adresses IP de vos appareils utilisant le DNS sur HTTP. -Comme YunoHost ne supporte pas les noms de domaines "wildcard", l'usage de la fonctionnalité des ClientID n'est pas possible avec l'utilisation du DNS sur TLS et le DNS sur QUIC. Nous sommes désolées pour cela. +Comme YunoHost ne supporte pas les noms de domaines "wildcard", l'usage de la fonctionnalité des ClientID n'est pas possible avec l'utilisation du DNS sur TLS et le DNS sur QUIC. Nous sommes désolées pour cela. **Note :** afin d'utiliser le DNS sur HTTP avec un ClientID, vous devez utiliser une adresse telle que : `https://__DOMAIN__/dns-query/votre-client-id` Les réglages de la liste blanche se situent dans l'interface de AdGuard Home à cet endroit : `Settings → DNS settings → Access settings → Allowed clients` @@ -91,7 +91,7 @@ fc00::/7 fe80::/16 ``` -**Note:** Le slash `/` et le numéro le suivant, après une adresse IP, representent le masque de sous réseau, ceci est appelé la notation CIDR. Si vous voulez en savoir plus sur la notation CIDR, [vous pouvez lire cet article](https://whatismyipaddress.com/cidr) (en anglais). +**Note :** le slash `/` et le numéro le suivant, après une adresse IP, representent le masque de sous réseau, ceci est appelé la notation CIDR. Si vous voulez en savoir plus sur la notation CIDR, [vous pouvez lire cet article](https://whatismyipaddress.com/cidr) (en anglais). ### Authoriser quelques adresses IP publiques 
@@ -108,7 +108,7 @@ Ce n'est clairement pas parfait mais cela diminue quand même drastiquement les **Note :** en cas de connexion sur des réseaux wifi non préalablement autorisés, vous ne pourrez pas utiliser votre instance AdGuard Home. En utilisant la connexion à autoriser, rendez-vous sur et cliquez sur "Autonomous Systems". -**Note :** Si vous utilisez un iPhone, vérifiez bien que [les options "Limiter le suivi de l'adresse IP" ou "Relais privé iCloud"](https://support.apple.com/guide/iphone/iph499d287c2/ios) sont désactivées (sinon vous devrez autoriser les adresses IP de Akamai en utilisant la même méthode). +**Note :** si vous utilisez un iPhone, vérifiez bien que [les options "Limiter le suivi de l'adresse IP" ou "Relais privé iCloud"](https://support.apple.com/guide/iphone/iph499d287c2/ios) sont désactivées (sinon vous devrez autoriser les adresses IP de Akamai en utilisant la même méthode). Vous pouvez désormais copier toutes les adresses IP présentes dans la section "routes", retirer tous les guillemets, virgules et espaces en conservant une IP par ligne, puis coller ce résultat dans votre liste blanche. Cela devrait ressembler à la liste de la section précédente de ce tutoriel. From da6fdd2bdaefc40f0f995917559d62f1f1656c57 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Sun, 19 May 2024 03:20:46 +0200 Subject: [PATCH 280/288] update some strings and translate them --- manifest.toml | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/manifest.toml b/manifest.toml index 25e5ca89..e3ecf568 100644 --- a/manifest.toml +++ b/manifest.toml @@ -40,6 +40,7 @@ yunohost = ">= 11.2" default = "all_users" type = "group" help.en = "Even by restricting access to users only, the AdGuard Home API will be available (ex. for a mobile app use)." +help.fr = "Même en limitant l'accès aux seuls utilisateurs, l'API AdGuard Home sera disponible (par ex. pour utiliser une application mobile)." [install.admin] type = "user" 
@@ -48,14 +49,18 @@ help.en = "Even by restricting access to users only, the AdGuard Home API will b type = "password" [install.expose_port_53] -ask.en = "Expose port 53 to the Internet?" -help.en = "If so, anyone who knows your server's IP can make a DNS request to it. It may be used to perform amplification attacks: https://en.wikipedia.org/wiki/Denial-of-service_attack#Amplification" +ask.en = "Bind to public IP addresses?" +ask.fr = "Liaison avec les adresses IP publiques ?" +help.en = "If so, anyone who knows your server's IP can make a DNS request to it. It may be used to perform amplification attacks: https://en.wikipedia.org/wiki/Denial-of-service_attack#Amplification Please read the admin doc to understand that setting and to secure your server using allowlist." +help.fr = "Si activé, quiconque connaissant l'adresse IP de votre serveur pourra lui faire des requêtes DNS. Il pourrait être utilisé afin de réaliser des attaques par amplification DNS : https://www.malekal.com/attaque-dos-amplification Veuillez lire le guide d'administration pour comprendre ce paramètre et comment sécuriser votre serveur en utilisant la liste blanche." default = false type = "boolean" [install.dns_over_https] -ask.en = "Should DNS-over-HTTPS/TLS/QUIC be enabled?" -help.en = "If so, anyone who knows your adguard address can make a doh request to https://adguardomain.tld/dns-query or using DoT/DoQ" +ask.en = "Enable DNS-over-HTTPS/TLS/QUIC?" +ask.fr = "Activer le DNS-sur-HTTPS/TLS/QUIC ?" +help.en = "If so, anyone who knows your adguard address can make a DoH request to https://adguardomain.tld/dns-query or using DoT or DoQ. It also may be used to perform amplification attacks. Read the admin doc to secure your server using allowlist." +help.fr = "Si activé, quiconque connaissant l'adresse de votre serveur pourra lui faire des requêtes DoH sur https://adguardomain.tld/dns-query ou en utilisant le DoT ou DoQ. 
Il pourrait aussi être utilisé afin de réaliser des attaques par amplification DNS. Veuillez lire le guide d'administration pour comprendre ce paramètre et comment sécuriser votre serveur en utilisant la liste blanche." default = false type = "boolean" From e5f6048c535b12c008672141af17d875d434b0f8 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Sun, 19 May 2024 03:23:21 +0200 Subject: [PATCH 281/288] spaces before colon in french --- doc/APPS_fr.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/doc/APPS_fr.md b/doc/APPS_fr.md index f23a14b3..a85182ef 100644 --- a/doc/APPS_fr.md +++ b/doc/APPS_fr.md 
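Review bot: In `[install.expose_port_53]` the new `ask.en = "Bind to public IP addresses?"` no longer names the service or port being exposed, although the help text below it still warns about anyone being able to send DNS requests. If the option still controls port 53, as the key name suggests, keep the port in the question itself, e.g. `ask.en = "Expose DNS (port 53) on public IP addresses?"`, with a matching `ask.fr`. In `[install.dns_over_https]` the added sentence "It also may be used to perform amplification attacks" looks inaccurate for DoH and DoT, which run over TCP/TLS where a spoofed source address cannot complete the handshake. The risk there is closer to third-party use of an open resolver, so I would word it as `An openly reachable encrypted resolver can be abused by third parties.` and keep the pointer to the allowlist documentation.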
@@ -35,15 +35,15 @@ Sinon, ouvrez l'interface d'administration Web et suivez ce chemin : `Applicatio Désormais, rendez-vous sur la page [Setup Guide](https://__DOMAIN____PATH__#guide) de votre instance AdGuard Home, cliquez sur "DNS privacy" et déscendez tout en bas. -- Hostname: laisser comme tel -- HTTPS port: laisser aussi comme tel -- Protocol: vous devez désormais faire un choix entre DNS-over-HTTPS et DNS-over-TLS +- Hostname : laisser comme tel +- HTTPS port : laisser aussi comme tel +- Protocol : vous devez désormais faire un choix entre DNS-over-HTTPS et DNS-over-TLS - Si vous désirez utiliser la fonctionnalité [ClientID](https://github.com/AdguardTeam/AdGuardHome/wiki/Clients#clientid) afin de mettre vos appareils sur liste blanche, vous ne pouvez pas choisir DNS-over-TLS car YunoHost ne peut pas gérer les noms de domaines "wildcard", l'usage du DNS-over-HTTPS sera donc obligatoire pour vous - Si vous ne savez pas lequel choisir, voici un peu d'aide : - Comme expliqué ci-dessus, choisissez DNS-over-HTTPS si vous souhaitez utiliser la fonctionnalité ClientID pour authentifier vos requêtes - Choisissez DNS-over-HTTPS si vous devez fréquemment utiliser des réseaux succeptibles de filtrer le port du DNS-over-TLS, tels que ceux des entreprises, des écoles, etc. - Sinon, choisissez le DNS-over-TLS pour sa rapidité légèrement suppérieure, comme il utilise une [couche réseau OSI](https://fr.wikipedia.org/wiki/Mod%C3%A8le_OSI) de moins -- ClientID: renseigner un ClientID, `iphone-123456` par exemple +- ClientID : renseigner un ClientID, `iphone-123456` par exemple - N'oubliez pas d'ajouter un ClientID identique dans votre liste blanche : `Settings → DNS settings → Access settings → Allowed clients` Vous pouvez maintenant cliquer sur le bouton "Download configuration file" et accepter le téléchargement. 
@@ -52,4 +52,4 @@ Pour finir, ouvrez les réglages système, cliquez sur le message "Profil télé Votre appareil devrait maintenant utiliser votre instance AdGuard Home en tant que serveur DNS. Super ! -**Note :** Les profils installés peuvent être gérés dans les Réglages, dans "Général" puis "VPN et gestion de l'appareil". +**Note :** les profils installés peuvent être gérés dans les Réglages, dans "Général" puis "VPN et gestion de l'appareil". From 67698a548ee2a97de80c4068d4ce20013a6cf441 Mon Sep 17 00:00:00 2001 From: tituspijean Date: Sun, 19 May 2024 10:09:33 +0200 Subject: [PATCH 282/288] Add Android documentation --- doc/APPS.md | 23 ++++++++++++++++++++++- doc/APPS_fr.md | 23 ++++++++++++++++++++++- 2 files changed, 44 insertions(+), 2 deletions(-) diff --git a/doc/APPS.md b/doc/APPS.md index d16e7715..c7f63a64 100644 --- a/doc/APPS.md +++ b/doc/APPS.md 
@@ -2,7 +2,28 @@ ## Android -To be completed by someone who uses an Android app, feel free to contribute! +### Built-in Private DNS + +Android offers a Private DNS feature starting its version 9 and above. +This Private DNS setting will only work for DNS-over-TLS with Adguard Home, since DNS-over-HTTPS is limited to a couple of hardcoded providers. + +Android being available under various flavours depending on your phone manufacturer, the location of that setting can vary. +It is generally along the lines of `Settings > Connections > More connections parameters > Private DNS`. +There, select "Hostname of the private DNS provider" and enter your Adguard Home's domain: `__DOMAIN__` (no protocol, no slash, only the domain). + +### Intra + +Intra by [Jigsaw Operations LLC](https://jigsaw.google.com) can be downloaded from [Google Play](https://play.google.com/store/apps/details?id=app.intra) or [F-Droid](https://f-droid.org/packages/app.intra/). +This free app can connect you to your Adguard Home server through DNS-over-HTTPS. + +To configure it, once installed: +- Open its side menu `≡ → Parameters → Select a DNS over HTTPS menu` +- Choose `Custom URL server` and enter your server address: + - `https://__DOMAIN__/dns-query` + - If you want to track your device requests and use some per-device rules, replace [ClientID](https://github.com/AdguardTeam/AdGuardHome/wiki/Clients#clientid) in the following URL: `https://__DOMAIN__/dns-query/ClientID`, +- Go back to the main screen of the app, and enable the app with the top-right switch. + +Technically, it creates a local VPN connection to enforce the use of your DNS server: a 🔑 icon will appear at the top of your screen once it is enabled. ## Apple devices diff --git a/doc/APPS_fr.md b/doc/APPS_fr.md index a85182ef..21ba5038 100644 --- a/doc/APPS_fr.md +++ b/doc/APPS_fr.md 
@@ -2,7 +2,28 @@ ## Android -Doit être complété par quelqu'un qui utilise Android +### DNS privé intégré + +Android propose une fonctionalité nommée **DNS privé** depuis sa version 9. +Ce paramètre **DNS privé** ne fonctionnera que pour *DNS-over-TLS*, car *DNS-over-HTTPS* n'est limité qu'à une paire de fournisseurs figés dans le code. + +Android étant distribuée en de multiples variantes selon les fournisseurs d'appareils, l'emplacement de ce paramètre peut varier. +Il est peu ou prou placé dans `Paramètres → Connexions → Plus de paramètres de connexion → DNS privé` +Là, sélectionnez "Nom d'hôte du fournisseur DNS privé", et encodez le nom de domaine de votre serveur Adguard Home: `__DOMAIN__` (pas de protocole, pas de barre oblique, seulement le domaine). + +### Intra + +Intra par [Jigsaw Operations LLC](https://jigsaw.google.com) peut-être téléchargée depuis [Google Play](https://play.google.com/store/apps/details?id=app.intra) ou [F-Droid](https://f-droid.org/packages/app.intra/). +Cette application gratuite permet de vous connecter à votre serveur Adguard Home via *DNS-over-HTTPS*. + +Pour la configurer, une fois installée : +- Ouvrez son menu latéral `≡ → Paramètres → Sélectionnez un serveur DNS over HTTPS` +- Choisissez `URL de serveur personnaliséer` et encodez votre URL : + - `https://__DOMAIN__/dns-query` + - Si vous souhaitez suivre les requêtes de votre appareil ou utiliser des règles personnalisées, remplacez [ClientID](https://github.com/AdguardTeam/AdGuardHome/wiki/Clients#clientid) dans l'URL suivante: `https://__DOMAIN__/dns-query/ClientID`, +- Retournez au menu principal de l'app, et activez-la avec l'interrupteur en haut à droite de l'écran. + +Techniquement, elle créé une connexion VPN locale pour imposer l'usage de votre serveur DNS : une icône 🔑 apparaîtra en haut de votre écran, une fois activée. ## Appareils Apple From fc13be861d99d03a2982cfd808bb74fab446f115 Mon Sep 17 00:00:00 2001 
From: tituspijean Date: Sun, 19 May 2024 10:17:00 +0200 Subject: [PATCH 283/288] Typos --- doc/APPS.md | 6 +++--- doc/APPS_fr.md | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/doc/APPS.md b/doc/APPS.md index c7f63a64..31c38f99 100644 --- a/doc/APPS.md +++ b/doc/APPS.md @@ -8,7 +8,7 @@ Android offers a Private DNS feature starting its version 9 and above. This Private DNS setting will only work for DNS-over-TLS with Adguard Home, since DNS-over-HTTPS is limited to a couple of hardcoded providers. Android being available under various flavours depending on your phone manufacturer, the location of that setting can vary. -It is generally along the lines of `Settings > Connections > More connections parameters > Private DNS`. +It is generally along the lines of `Settings → Connections → More connection parameters → Private DNS`. There, select "Hostname of the private DNS provider" and enter your Adguard Home's domain: `__DOMAIN__` (no protocol, no slash, only the domain). ### Intra @@ -34,7 +34,7 @@ It is free with an in-app purchase of 6€ or US$5 to unlock some features. No a This app is for monitoring or configuring your AGH instance, not to use your AGH as a DNS server on your Apple device. See the section bellow for that! -You can easilly configure this app: +You can easily configure this app: - Add Instance - Choose a display name 
@@ -50,7 +50,7 @@ You can easilly configure this app: To use your AGH instance as the DNS server on your Apple device, you can generate an Apple 'Secure DNS profile'. **Note:** as a more tech-savvy alternative to this tutorial, you can use [Secure DNS profile creator](https://dns.notjakob.com/index.html). -To do so, you first need to activate the DNS over HTTP/TLS/QUIC functionnality using the YunoHost Webadmin. +To do so, you first need to activate the DNS over HTTP/TLS/QUIC functionality using the YunoHost Webadmin. If you're reading this using the YunoHost interface, you should already be in the right page: just click the "AdGuard Home configuration" option at the top of this text, toggle on "Activate DNS over HTTP/TLS/QUIC?" then "Save". Else, open The YunoHost Webadmin and follow this path: `Applications → AdGuard Home → AdGuard Home configuration` diff --git a/doc/APPS_fr.md b/doc/APPS_fr.md index 21ba5038..5a494ce2 100644 --- a/doc/APPS_fr.md +++ b/doc/APPS_fr.md @@ -54,7 +54,7 @@ Pour ce faire, vous devez au préalable activer la fonctionnalité DNS sur HTTP/ Si vous lisez ceci via l'interface YunoHost', vous devriez déjà être au bon endroit: cliquez simplement sur l'option "AdGuard Home configuration" au dessus de ce texte, activez "Activate DNS over HTTP/TLS/QUIC?" puis cliquez sur "Save". Sinon, ouvrez l'interface d'administration Web et suivez ce chemin : `Applications → AdGuard Home → AdGuard Home configuration` -Désormais, rendez-vous sur la page [Setup Guide](https://__DOMAIN____PATH__#guide) de votre instance AdGuard Home, cliquez sur "DNS privacy" et déscendez tout en bas. +Désormais, rendez-vous sur la page [Setup Guide](https://__DOMAIN____PATH__#guide) de votre instance AdGuard Home, cliquez sur "DNS privacy" et descendez tout en bas. - Hostname : laisser comme tel - HTTPS port : laisser aussi comme tel 
@@ -63,7 +63,7 @@ Désormais, rendez-vous sur la page [Setup Guide](https://__DOMAIN____PATH__#gui - Si vous ne savez pas lequel choisir, voici un peu d'aide : - Comme expliqué ci-dessus, choisissez DNS-over-HTTPS si vous souhaitez utiliser la fonctionnalité ClientID pour authentifier vos requêtes - Choisissez DNS-over-HTTPS si vous devez fréquemment utiliser des réseaux succeptibles de filtrer le port du DNS-over-TLS, tels que ceux des entreprises, des écoles, etc. - - Sinon, choisissez le DNS-over-TLS pour sa rapidité légèrement suppérieure, comme il utilise une [couche réseau OSI](https://fr.wikipedia.org/wiki/Mod%C3%A8le_OSI) de moins + - Sinon, choisissez le DNS-over-TLS pour sa rapidité légèrement supérieure, comme il utilise une [couche réseau OSI](https://fr.wikipedia.org/wiki/Mod%C3%A8le_OSI) de moins - ClientID : renseigner un ClientID, `iphone-123456` par exemple - N'oubliez pas d'ajouter un ClientID identique dans votre liste blanche : `Settings → DNS settings → Access settings → Allowed clients` From 06b18d55d01b7e3ab0ae3d56eaf5eb651294f0ea Mon Sep 17 00:00:00 2001 From: tituspijean Date: Sun, 19 May 2024 10:36:27 +0200 Subject: [PATCH 284/288] Factorize apps instructions --- doc/APPS.md | 16 +++++++++++----- doc/APPS_fr.md | 14 +++++++++----- 2 files changed, 20 insertions(+), 10 deletions(-) diff --git a/doc/APPS.md b/doc/APPS.md index 31c38f99..e4d538c4 100644 --- a/doc/APPS.md +++ b/doc/APPS.md 
@@ -1,11 +1,21 @@ # Apps documentation +## Preamble + +To use the DNS-over-HTTPS/TLS/QUIC functionality, you need to enable it from your app's YunoHost configuration panel. + +If you're reading this using the YunoHost interface, you should already be in the right page: just click on the [AdGuard Home configuration](#/apps/adguardhome/main) option at the top of this text, toggle on "Activate DNS over HTTP/TLS/QUIC?" then "Save". +Else, open The YunoHost Webadmin and follow this path: `Applications → AdGuard Home → AdGuard Home configuration`. + +From the command line interface: `yunohost app config set __APP__ main.options.dns_over_https -v 1` + ## Android ### Built-in Private DNS Android offers a Private DNS feature starting its version 9 and above. This Private DNS setting will only work for DNS-over-TLS with Adguard Home, since DNS-over-HTTPS is limited to a couple of hardcoded providers. +Make sure to have followed the instructions of the Preamble above. Android being available under various flavours depending on your phone manufacturer, the location of that setting can vary. It is generally along the lines of `Settings → Connections → More connection parameters → Private DNS`. 
@@ -50,11 +60,7 @@ You can easily configure this app: To use your AGH instance as the DNS server on your Apple device, you can generate an Apple 'Secure DNS profile'. **Note:** as a more tech-savvy alternative to this tutorial, you can use [Secure DNS profile creator](https://dns.notjakob.com/index.html). -To do so, you first need to activate the DNS over HTTP/TLS/QUIC functionality using the YunoHost Webadmin. -If you're reading this using the YunoHost interface, you should already be in the right page: just click the "AdGuard Home configuration" option at the top of this text, toggle on "Activate DNS over HTTP/TLS/QUIC?" then "Save". -Else, open The YunoHost Webadmin and follow this path: `Applications → AdGuard Home → AdGuard Home configuration` - -Now that it's done, go to the [Setup Guide](https://__DOMAIN____PATH__#guide) page of your AdGuard Home instance, click the "DNS Privacy" option and scroll to the bottom. +Make sure you have followed the instructions of the Preamble above, then go to the [Setup Guide](https://__DOMAIN____PATH__#guide) page of your AdGuard Home instance, click the "DNS Privacy" option and scroll to the bottom. - Hostname: keep it that way - HTTPS port: same, keep it that way diff --git a/doc/APPS_fr.md b/doc/APPS_fr.md index 5a494ce2..88fab896 100644 --- a/doc/APPS_fr.md +++ b/doc/APPS_fr.md 
@@ -1,5 +1,13 @@ # Documentation des applications +## Préambule + +Pour utiliser la fonctionnalité DNS sur HTTP/TLS/QUIC, vous devez l'activer dans l'interface d'administration de YunoHost. +Si vous lisez ceci via l'interface web de YunoHost, vous devriez déjà être au bon endroit: cliquez simplement sur l'option [AdGuard Home configuration](#/apps/adguardhome/main) au dessus de ce texte, activez "Activate DNS over HTTP/TLS/QUIC?" puis cliquez sur "Save". +Sinon, ouvrez l'interface d'administration Web et suivez ce chemin : `Applications → AdGuard Home → AdGuard Home configuration` + +Depuis la ligne de commande: `yunohost app config set __APP__ main.options.dns_over_https -v 1` + ## Android ### DNS privé intégré 
@@ -50,11 +58,7 @@ Vous pouvez facilement configurer l'app : Afin d'utiliser votre instance AGH en tant que serveur DNS de votre appareil Apple, vous pouvez générer un "Profil DNS sécurisé". **Note :** en alternative pour utilisateurice expérimenté•e à ce tutoriel, vous pouvez également utiliser l'outil [Secure DNS profile creator](https://dns.notjakob.com/index.html). -Pour ce faire, vous devez au préalable activer la fonctionnalité DNS sur HTTP/TLS/QUIC en utilisant l'interface d'administration Web de YunoHost. -Si vous lisez ceci via l'interface YunoHost', vous devriez déjà être au bon endroit: cliquez simplement sur l'option "AdGuard Home configuration" au dessus de ce texte, activez "Activate DNS over HTTP/TLS/QUIC?" puis cliquez sur "Save". -Sinon, ouvrez l'interface d'administration Web et suivez ce chemin : `Applications → AdGuard Home → AdGuard Home configuration` - -Désormais, rendez-vous sur la page [Setup Guide](https://__DOMAIN____PATH__#guide) de votre instance AdGuard Home, cliquez sur "DNS privacy" et descendez tout en bas. +Assurez-vous d'avoir suivi les instructions du Préambule ci-dessus, puis rendez-vous sur la page [Setup Guide](https://__DOMAIN____PATH__#guide) de votre instance AdGuard Home, cliquez sur "DNS privacy" et descendez tout en bas. - Hostname : laisser comme tel - HTTPS port : laisser aussi comme tel From bb36cf2b9ec9e4eb31d2d5778e1b465aefb1eba7 Mon Sep 17 00:00:00 2001 From: tituspijean Date: Sun, 19 May 2024 10:40:09 +0200 Subject: [PATCH 285/288] Dynamic URL in doc, in case app changes ID someday --- doc/APPS.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/APPS.md b/doc/APPS.md index e4d538c4..99a8ffec 100644 --- a/doc/APPS.md +++ b/doc/APPS.md 
@@ -4,7 +4,7 @@ To use the DNS-over-HTTPS/TLS/QUIC functionality, you need to enable it from your app's YunoHost configuration panel.
-If you're reading this using the YunoHost interface, you should already be in the right page: just click on the [AdGuard Home configuration](#/apps/adguardhome/main) option at the top of this text, toggle on "Activate DNS over HTTP/TLS/QUIC?" then "Save".
+If you're reading this using the YunoHost interface, you should already be in the right page: just click on the [AdGuard Home configuration](#/apps/__APP__/main) option at the top of this text, toggle on "Activate DNS over HTTP/TLS/QUIC?" then "Save".
 Else, open The YunoHost Webadmin and follow this path: `Applications → AdGuard Home → AdGuard Home configuration`.
 From the command line interface: `yunohost app config set __APP__ main.options.dns_over_https -v 1`
From dd113cb3f112474098fc275e5d56191532ae7e05 Mon Sep 17 00:00:00 2001
From: OniriCorpe
Date: Mon, 20 May 2024 22:50:16 +0200
Subject: [PATCH 286/288] address the "Port 853 is already used by another process or app" error
---
 doc/PRE_UPGRADE.d/0.107.48~ynh3.md | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/doc/PRE_UPGRADE.d/0.107.48~ynh3.md b/doc/PRE_UPGRADE.d/0.107.48~ynh3.md
index 709a1aee..e50d0619 100644
--- a/doc/PRE_UPGRADE.d/0.107.48~ynh3.md
+++ b/doc/PRE_UPGRADE.d/0.107.48~ynh3.md
@@ -1,3 +1,5 @@
+⚠️ **Important thing to do before upgrading:** if you enabled the "Enable DNS-over-HTTPS" option in your config panel, please disable it before upgrading, else the upgrade will fail! ⚠️
+
 From this 0.107.48~ynh3 version, some things have changed:
 - port 53 is no longer exposed on the Internet by default, it's now a deliberate choice
From dfbc1c2c590fa3e70b9f4df43ed93b8640968a70 Mon Sep 17 00:00:00 2001
From: OniriCorpe
Date: Mon, 20 May 2024 22:50:58 +0200
Subject: [PATCH 287/288] disable test upgrade from commit
---
 tests.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests.toml b/tests.toml
index 5bb537b3..05b0e18f 100644
--- a/tests.toml
+++ b/tests.toml
@@ -14,7 +14,7 @@ args.dns_over_https = 1 # Commits to test upgrade from # -------------------------------
-test_upgrade_from.c1b81566.name = "Upgrade from 0.107.43~ynh3"
+# test_upgrade_from.c1b81566.name = "Upgrade from 0.107.43~ynh3"
 # ------------------------------- # additional tests suite
From 2d3ab2ebf76022a9a5b5d469b30d5abacd1a1b99 Mon Sep 17 00:00:00 2001
From: OniriCorpe
Date: Mon, 20 May 2024 23:36:36 +0200
Subject: [PATCH 288/288] adding command to release DoT/DoQ ports before the upgrade
---
 doc/PRE_UPGRADE.d/0.107.48~ynh3.md | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/doc/PRE_UPGRADE.d/0.107.48~ynh3.md b/doc/PRE_UPGRADE.d/0.107.48~ynh3.md
index e50d0619..b755e06b 100644
--- a/doc/PRE_UPGRADE.d/0.107.48~ynh3.md
+++ b/doc/PRE_UPGRADE.d/0.107.48~ynh3.md
@@ -1,4 +1,11 @@
-⚠️ **Important thing to do before upgrading:** if you enabled the "Enable DNS-over-HTTPS" option in your config panel, please disable it before upgrading, else the upgrade will fail! ⚠️
+⚠️ **Important thing to do before upgrading:**
+⚠️ If you enabled the "Enable DNS-over-HTTPS" option in your config panel, please disable it and execute the following command before upgrading, else the upgrade will fail!
+
+```bash
+yunohost firewall disallow Both 853 --no-reload && yunohost firewall disallow Both 784
+```
+
+---
 From this 0.107.48~ynh3 version, some things have changed:
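Review bot: The `test_upgrade_from.c1b81566` entry in tests.toml is commented out with no reason recorded, so CI stops exercising the upgrade from 0.107.43~ynh3. The neighbouring pre-upgrade notes say this is an upgrade that fails when DNS-over-HTTPS is enabled. If the test was disabled because of that port 853 conflict (an inference from the commit series, not something this hunk shows), record it next to the line, e.g. `# FIXME: disabled while the upgrade cannot release ports 853/784 itself; re-enable once it does`. Without such a marker the disabled test is easy to forget, and a regression in the upgrade path for a network-exposed DNS service would go unnoticed.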

Rb#q4&$D<U5U354FANGsvGF#lgm7Np=mlM3?#1PkrAj{V84GhAAzbgVA9gTN-y zWy`I7g&=wYUG4H`!ttT>Bx(EBr;9aupEX5Wv1PyFa~T}bydjbi-T-r#65~l z-s2~f>u{%R#Z3ECC>M!)mvmoEbiVlGvuc@i}9e1c+v?=mZ^Dw-Ty6Cm2Ci!gH< zo$3)ef2ntSeR~=cjc0VU|9 zHgUI|emrdv(p8QiQF^@TqQ--^v14N^+almCyx1Y4qg@&x#R;Gq6C~Dl>t)7v6v7bG$ zv0K)`^wfyb9c%DBSYV~b?HdTHL1D6eD~vO~nJ_c>1^i)7gV4-nV~uUmJUR8w_}Osn zCEf+l6Z?p?Bb`VjV50)T$V*j_K2|tCCn%n2-_z{-GOI%F%j)c@qnt&JZj-QV7+H}2 zCDqScYWAB)()vHq)4l-`8H?!*;`d{=67cI+1ojCntl(SjmJE6Gz zLaeeIqp;DxbJ_FSgyOO>ONuNHMxXAKKHC=t+z=P{#2&dy5m|-jP(5aB5Um&mbUq01 z*LxttpKygupSHB<;~D%paALx#SK#gGY#j#Pon;=thToVYRsKV^D8{ea$QTJRpEV5%Ik~XFS$B?6%D$# zvQP37Z}BkL?QZT3G1P;b3N2GkZ#@Ef&I6ZrI|3YQ>g|E4^S?wIy zlo}>RD5cp!SQexnX)h4}3W35ut?|6>uu~AZVv`5% z)RA3F07x8^9ut5V>LN*W2zjKDPB6cSvuPifxA%RLr1`MB(M!6P>xAtU*`?tYb`b2F zmBhh~fQA0v{Z(zFfYRo2Zhhw+wf0J^oO%aBEMQ|3V+gsE*02q5p_v!yL$r1YF1qlc^CaqFCXlfXkb+=KXBgsg>Yv zL_MV|w)^5%hv@p!P1#(I3b3jHwvWz0G;H7IA$xZo6;AGp-gHZ?iQL%j|HZ6$SMBga z+>qA-CLLpwLV6E`XKSAX`xW4=)+~{w#|J(atE#;3kW5VY+Ikdv(KeTpYDMNHO?0FN zI(7Y|ca3jM99uY{KabkIcDdxZVfW3O=Q(ao0&f*?=^vXX{v6yRpS$Rvc705W#E0do zor>75`R6lwCA)ViRDHAlwfGBNoDkBK9P^2KhZH^$?W4ByK<{i#EnEHLm%3|=vpdFO z8zxs?+64SffkZ%x4MCnE`gOMOlK6@bZkgRlS}o0`Xzw7n^onrWo)xTLBvN@v1t4Wj zp)2tq4U&Zyx1&_yJZm|2%{X6mQgC*FUl^xtGml4J&RzNc+@NxtBR0C_7#R&vcP=eT zqx3fKq6*=s6z$!B^mu*kF5&RyNbuIFbnWl!y^fN>%tgO*k5#F@B~*_+D|2!$@ABks zeEd$XPIAF}xbk-{2dEBQIikf*kYk{cBW=@Z2QSMln3j68MZ-gSj((58Biw%eeJ(y^ z7^&8beC6{^OTLyNY&5N6?Dja*bII6jjhB-|LlN`g%XPE_U76d{`}4U+$7wx-mkobe zT=4Ewh!bwN8vW=ENbah4p!igqv$RAMA7ha-=Pkmm2MUL`hx)wM=Az%edaxcwy{U1E zoM$qoXc((lUECKj>FPPBDV~&g*fz+L^jt?i0|aLUt*AwsEJ0A~4wDJ<0kvU8==FDp z+}Fy}iSS?{C*lCIzQBaHrr60_%ROHHb=G(0_L5__p*nKmJPiBzO&!v;Rvf2-wi-uR zwQ_Asb|p*VPZRd`uOaBNxQp+^-eQxUJWe(kXk}$SVl)L?s6A=~&5Jxv;^>$cC?}!{ z4-WT!rO$%UjePtxmfbOqq0ekYZOQgHO3@Z6L9#t)zdjM@GksEd^L|ZQtVrY|QnThv zHv5ewO)=mfje6x4h~B`EZtgdkd6(&i1$kYsz0)Hz8Phjb+oNzh6GIX>%Jwo*GwwtS zw{Rn+hz=8>bf|$xHA}Ta@Rj@R-5cs}Z7hyeRmf6a8nmsytfDgOLp0~|?Y4|BavA9u 
zsjcQfkuOjp)a%3ACK46X`WnfBJlvTUEk>6_YJT{=oO@%Q4zi{{YB&eh#J|MB)V2tV zY=~;MqLeFr=trp4J$$b<#*rlw6q}SVB}jR<&r1ycPjEtjkN~vJ_7v4*5y$PCV?XL6 zSSBv&xaMVqv7zN4D% z7iWLTxE*reEub1E5ENdtrr-ay+_{KmL>(N`*KZR~&9laFa^9 zYfeV?;@R_R2)dz-xKO-cm9nt^FyaJNm-tf%7O_z(w){HkY=)5v4@^m-{Dg_uw_wAY zJL{OKu!YikRRtz_Rw#u5S+&%D7m{0uBQg*LUZ0;3!cANiR$0}{1w zt017jn`&}Kp@$^>=?8O@aM3iWaO0+y`JtA?qocyxvA^_lQVQF`(F5^ z?e)LhIhd0_t^-}+n7lZ5d$*(E+n=M)37TJORc3F*T%a^b8ponX{s(*S9oO`>>K#*P{y%RbJ0!k6-U6h(o10>n+ z((O5C@9nwgx%cxv_dfT1@AF6G^NGK#-&!-XW@gQr`HmXjr)q`~uUUcM25x++!JwaY z4$@|9eB_NDEM96XSy`i1aNc!E9DW|S12!?+3OqLLCcTAO?-oraCbdK)9IeNrMyTn? z=?(%N`hgOMae%r^B$FkMI&xjP<#vS^BZpt^nY}5ej}@mq7kQtfY0?9gZp;}*NWt0s zv_92coLNSd8=3bsaCj>EhQex3?lJ@clN%79hHxXXOtl?3Gg!tH%6^YAqOJ-> zC{5to{opB_z#H120Ay&p2J5_HmsdShNKluKy5{xLHv1W*PnNO!h^BJj@LAmP4rFP2 z$TW{(6O6WOM4(}CF6P4E6|u&vES=s(8qb3(*YZ|-{2Ww&lpX)&IFI(ig9ry*5B zP~>jMBwYKe#87M%K4EPbCJQ4So}RkOkT|2~^5+}p&v%{znhhR_DeY)nJ@c)Bc}%pt z$Xv8%t_PX@!c~wxiZL#BTPaKrs}t@))M?{f*bVo1ac#KfQJ-Spm|ODn(Jpzi&#p#; zz>oxRUmBIf0Yz9>9cC%LgsZ z?MP=o!mYo&lIY=eD-WEBEso016>6zE)37$==Li~w_?DJqaDy8NH}g<&u4*faG%r2n zj?kMFgxdC*uM%#16F{?t+XYAwlNt^gPuTNPrsyy(52#s1w{R@*edsGb8FBbvjA~Ya zn+$#!QQO9ej#j*ygUB%P-}QOaZrJXb_BE$^(OwXgAGLZIq~#K>H>6;xWRKO;5UZ{D(s)NL>afC1R#~3FGgYI4c^?{EE&qJ**}Y^J~-(I zg0T@Xk@1Mcn~$GARzE$Ee>CJ;H_O`-AQ5^m%pT7a3Hdx&PJ`Y)D7?ko!O}CINTzek znEzaG%rx)NF0{QbI+f1P9BU7wMfe&W804jQvMYDHLHD1?5H_ylb{vfFpdSkU?5qCk zUxt6#!QlUP2!Z@7DBIW##lPx z-RC48YB#tSBBLD%f-v{EG!$iKUU4evw4OQb&A!UCp-dP!*5>7T3mWDFA$(13Ng@`& zY^w&G(!)3FU%OQ8#~RHab5WyNaaa=;8*{LbF&e6qu{-yYTV7R?n$~Bd>#{!$N6~Iu zDt!QVzy}NJ#116A{|lG;B-^=(3;K3xZ0 zl+x3r7>&&E*_(G^tA{`?yt=9&MKW3ZW#O|ehZr!-kf(arX%@UFWw$$+A){wiL|oG1 zzY2AHM$?R+NaU?$!0S@lL-?olOG;i9(C`&c57jHr8^gyeSjJDhI6bPca@%!ZmqNm{ zkA}*2g6vzh2Fas#22F!VY?p~MLRei-)vt|hTw(AIpBP+4TzlE zif|vWQn+Svm3*Bp)8#yMp(m^uPI$^=NNUOkNkHcyeqlM^c5Ae^_MI}1j7^xz#TX@9 z#)j#t7wV%yDKiL>E3{&Ej)BU;6m>daBlFadyBA?yfqd!NzNXLHznzSw&OZz7PfI)c zvPGF5ryjLtT?#75U30Y$9p=|^7rk}0k^ksOfx?*Z@42Z-T;bdu{7&b)x|=9`A`fJC 
zKmv4Zw*@FxqyeEnNw_#cBj#$rNyI}d{Z-;?7_CGAZY%95Q)H54kl6su8Wp}B>qU`Raru}0Raz)CR%ikg7&bVfR`=KMCnf)+GsAIkv z+a}U+U!&KbnF*=sp0IliWM@SW0M_n(ppXKlh57sER%)>Y%hbG9<*;SPMqaB`FgOgR zvC5JQj3!z+jb7}_lKU=wy!}hkQ~VM_`_E1UAo8|;LO2?+CSI#e;Go&2btU8+s%L(~ zqF{7P-AXfOb@yhn58VfH+w|nTp5~x{U@6F`;J2o1W)BV_mF-i3T&hM|TGecRE}h*= zIU1x}WR%z0ze_Vyq>xcsl2y2s9SvzI9*ij@WPCE|c!bsOQl<*#wu-9s96*`5YOuUq z3krA&d3qyAj)PW%2lrh_LkPMyu$)%ED9qN?X~lv zs&M^Bw2&n+0@>U-u@)>oU$1>msus~15u7Z_l`W9zy1fs@nUb`{T0m^L7yNS> z-ADVQU9Yg|C4exAjp}w)gal$ldv&CT-|9Nc(lr-yB8s z1%cPEXBwOU*-9$B?$>@gOuPSxA8>a;Gx_|9AIx}=Q8}RxmBu&uZr{Kw)EonZ@dXYU_P~fBW=Wj{&PZtxqP9;FQ!*YFsfx`OQjLtx z?o-sF?guheLH!QaID$c?=yKP*AQKAo4Cv#?(0&W_K!W_KqPE*cO*7&Z0d|i zbE!XX_wjyWMW=*yg>wxLO%;E6c5boFVDL~pOZ20*=kD}p4$YIO0%f72l9z&kc(9d^ znOYy_Y0Y=fqdK(L;z{ZMan782`pXOKR12tkKO%d(ygc%-zOd~x{@Rz_>}sE1fA-?z z8y{|immkeMnu$v^wlz9mVdVIdC+Tz(%a-#hNJ8Pi(F|P&f74YV*5AOb2g4(&?vQ>d zz|O*=a2lP7GJBBFD^4+r03nD{@X-kiIR3JE6yBCfJ=W&HbI_i6gm&fXl_e9IQCYh4 zmjSAr06bk;*-C81H%%%z*4Z+6i$a$=l+=mYFuD!2-jUQVphEkj(?^0WjxOA#`#}MN z#iht){N%lBz(o7y`&o~su*Y_2{pWmUS`MVl+fOs8)jj(>e!-uCrPDCe zPY`dHN4SM^SLPVF%Zhs>Ibrs8{NzI#y3cD@PYAB*WJ{54tFEs;PP2<+_v4#>&R1b^ ztP3|*0UM8$A>S-oZiF5qagzGQyr=tE5GM4n8?1ebqA$&!u^ZTap^Yi32L8gq^zdmk z!fVF_FLVB*-$e=%-zQ7*UX-uKSNx(&RQefTVJ27e>?SzCf+eWV)%sI6rZD*P?rR8G z*TwQtoH{8Y!87)STbH`Iru@+qt@2r&J6(xkEu(3TFUYRWMz@G=%dy9b$F9R~1q`Je z`B1Jyjdz<(e01(aQ12Cu#RDlV&N4Pl{*ccn$QSPC?%oz|gxOi5qDg`sgl&)o-f!ga zZGB{iG&YNAqDRiC70eX5<0l1=JTTzc0hJNez=x=EFBRX4$`G zWD8sH&EK+YF3)$QnKE`^sIW(lqB@Y+7k)Z5#TD`XF+o}F+}ycOx!<=;d37Nt(&&&6 zQyCSHW4|2S8d8L3L|ZOAWa@>Tk<;wt;tv)$(&5_U8O+FfG?d8qo7Hl8?7~~HF6rSDHkc@Af7SS{610s%voZ1KPkG)ZCxHxRfL2yVS zMuObqv?a_AJ#1gxq4In3$l)0%9!d%n4*%2t0qonU$5R_O>a;+Qqr=Eo{(Lj&QPW0V zDs0TNH?{$cF}pV^DsI+PA!aKLpLi%Vmlp4yYVgEoJ1Fh8MF(^ZY4s>);o38D@7;zF zmX~UwAf!(dz>EO+OHfW}s_KR+-R5`Pc~0$`rv%pd`Kl>sA)X-zCJ2W%lVnb@=sF(z z1eut(QhD7Ej(azbqd2jWgWSVUK}$>8G8hCA)M13J@#ef&&ZTjJ<1F*z!IN@(MgV_h zy^thEdOzwosB7CmmUM42FHZiX*&>9rp+A-B0j=;WHbdw%vmMJ$ki}PN)zl 
zA+E?`F+z;VE)k&)u6C1F6}524>0#hoGcM`kbuN;ohBK?QX+iO4MbDY|^zkz^EeD)O|)Y$d$$m=;Fg> ziLmA**U!5T0ygv|PDOZo!7dIAP8*IXp9TFBWPxA29Fk3X;|rIC&y(alf$sFop%tnO!q|$@ z_}%`*hm~o?92rq3=J|z-J_+M>@E;PnWq$Z;CfGLAs5OjrDqh>;_3YpfmoZ!1t40_b# z1E|C-g&ya#S|wcAI3B2z_vGgOY+YzWA~8$(G-#mX74H7ZwE2OSV0p=f0jXjs^;2pd z|vg;(06V>u+_nMuPLvN?984P{pJ zNBAfo$ge2X30{%f(9XY_*=p<~WoLKNjHnrm*QJ)2s)#z`wIf@{<4i=o3X+s%SXks3 zSy<_Xg~{$_``P0irc<8E70y^zSs7m3KLcO;EJR=j8J-kiNsbtzZaQRr+^%$vRrl*Qnx^An5)XWD>G@_qi?xFV1 zk=TKFRKoVP&$*|TV+aWjQ~Mi0m3;tF8F(0`EHRiQ>`*}>$Ek-}mTIfJvyOF{HNRJ< zxu_~+AR@xWV6&tnY=alsv)!Mf%BggIyX z}p$C`MAGsz!2(aJk8#$uZFRgPJ z(XXx9KDs(<>sOJ&{3PqnQ$ps$ju{I!9BP_6oW%6TBso4SJ7XM{kmwqe$-TuShFvVC zK>6%*eXkLV1;F#`mw|I;oyPFcIgqUqLPsVXNDV}?ofzd_D0T~{9?mx;vbxSF!e?z7 zo}ioE!yVW-J=|dkvMPRqxPfHmRG`?Ucd}Q&D12~`?!E$rlA=L^hcoI<43x{E_|jv} zGp`@y<(a$Kb{EdWmfdjbBAH zx4^YM%~~Dk>Mi)F!c51bI`wG>SX2O{B8Gkb@aYc^DeU+qT=)ecWY4OsCL3tbA5+6# zuVe1=Sn#Mkc}ze1T9NSh1nBh^sH}vS#&#{wW=EeRC>MPgX;(aW_w>ONw621aQ&2-8 z&Za{Q;>Xm0q#%f6hcd@^pf%NXPeR@Y=S;GsTw*YLLTz7oz-Vf^*t%OqBz@-VJQ$Nx z43LhI=6W^zB?>C5X6@Zg8fvhSX!I?I~%Fc~9kOR7g78aBrDZ5uu z{V1rnOK$AUkcaEw(Tg3@IDu9arMaInE-QORD{E>;P6u@1nTn`ZBixMKA81iNM~qkG zD;mM0u8;;J_uJk-spWr9e#|hoGUYIuoR~&%o=FXdAG5}Zg``|PmsJrYW5;Lvxz3>s z+sF$rd68iaP&`*FXb*%51LX^+9n4RGEB9fxq`*k2mv!ZZCiT!Ppi4n8`c0=FG@TZG}{BGzqZaU?_sH$8;)({Um!WwMWSN z*xYs*_2dkOduEIV4V;K(BpH5D19wH_lJU4$3N=pUH;70u4@qBRw+)2stq^L5oyv3~ zd~_Kc^Db2kGYOoiDf;?6b?3=6vQ~xH_dpPFh=JYjilga`%Bx$ewB(8rr^2GYB%Wn@ ztH>DLv#n>w(1AK`mm+|Fk=K`Q+T@%y0{dKOFex3)aiS}+Iq>N2c;h}Js7RASH$g{Y zHrtp27L9R2iGeBHN*_j!G8{0HpHXsyr`&IQUdjzRfrEw{0NUL_iA{YVfES_WFW)@+ z>8edj-LW_KTi#K}r5*1p^tM?k$A+om}>hzwRf4n`5n{HaHlwqljllQ>f6~v z$y1(x3nE)iN?mo$u$9@gOQFSDN7}iFM_zdFRw^eOvZB$c>lz!UQ+OM{IVaYv6EVdg zjVL0>QAN+@0BApt2n|oBGt;GN%&Cc9N2$wwJa$`jMjp?;8ca$J^Z2?|yWB3pe*2Xb z*Hqj!rs(eY&&Q}U5ngS5BSNJWS^qV@p162gyj9P|Ra03g%qStoo z%Xw`?>#4eM7ndgE`KC^h_j25K4fIry^TNA3>Rit{W_uzxD{F}{ zFGk*I8x`{x3oE-#!OlT^)PoegvFkgDYyq^m#4yLL3ES4qF*6ml#m{nQ&kVUN59W5B z@InXsS6C~$>Of#=6@o63X>=EbV2=^tIsnIaT 
zT6M`Brju%&!o9bm!HFHogon?vbx`1_!r$-T%ka3%lX;or^d+^C8^IrK$-jZjHYzMb zBRcf0-!**v-O8k%jr=BxoYS`NgT>o8WxDwJzTAU(jZsyPrH%<}4$fbYuM9f3Ce^;D z`A(v1Oo6nTK8C+nL>g!FIxO&LYrbntVp8*_fB&}yA>0xEwi+dCHC0WJ{OB;c{1tptvRwm&MT1G|15v|Li6MkUN0P+YWSHwm5iazS(Pwg5-3EqT)#=02*# zOgiD=^Z|R>qtp6qE+HS>yWaS+ed}>XOf@%9;Fqx_%d=iVQiJ{F6XM22(@{cH8=>Yr zhP2m}t?wUFH<=F@I^g;Z(x+rd+5=WHqUfL{l^tdSJA}6}#sXvy>%mix4I=eUY0(vN zsztTS33pHhDr)WAz)?k8<0$aX@Urrnicjg{Z9C87%;P&YMJJ}`TsmQzb1+-jArzV4 zwZVdO>5N8`GGpfsMG3}Oc%pW%t9mQH0$OX?V88u&+v(CO;~6D6wQ<<~HmLf5W{naw z@v1W*vu5;CSVF%nVT1YvmZHm>KU2JFqg)yeU9z znTEN{nJ3rj8v}%4cR>LugtsyoD%zf~*fef%JKeUjt{CNgIyugkd=2#MsF8w~D97e@ zSl&;Jri^t6388os-)lxcPIQ>-3nftvD)S-QTfUzchOb{MiH&7G+g-hXlsfl>;pn6U zI4{V5{C-|QZK9Qkk%fixxV2*UX^!-PppKL@#b8g^daMd>;p`MA=m3|*G}Royi6xjc z)D(-vzdJK^o{C$lRHB%&CPWVuBMCq4huOozEF`N)T>!lOz|_|i^<+G~@WZv;`=CYd z&;y5s)aXh>86<0+@wrK_qI@@Yx(Aok7H;|<3Z(RQg!uA4o92RtW7vxb(CG?|t^8=s zuT2t6xHe0!;-iQ8pByK9;LT6B3BQG}okh05NBU88ZNo3rE}y)r(5Fdv54)akq3q>&nEy7kye@IpL&zVU1zTT_uKFC7;S> z^3=U7U0DW?>RVM98Od`yE>h5L0BZ!Fg*^%oK%ljT6$SW9G8hC!DZb+~4tBJcUto_@D^IX>~ME?D>fm zn3-I1MKM}y5cC=52_>v?(HCgx^yM?uWYn>cE$9oXb=KpeLLaYT^lHKCl zz3Q~ag*j$V?%8_K|DO6C=h0fW+%pYVtBHBa660gfsq&fmqr77qUz4ikpqYr!`dMw? zHnyHzd??BP(n8HUg#^COM+1E!l#q*sOS?%Vw0EKXQH$9fn-n!gLa*DtI~oJCXV^QH z0G>5n+>&SM$mS*@3GWlbLv);vdRipqm2_DD!FBj>_TZ++4&FDN8staa$ut? zen2iyw(NrpcQ3#zMM;G^`;7~wV|NLx(THL zIHvIsLP&r-!r@{A?m8wL@1?CjEFaRWl5E4(djx9DA@JF799hm=YcmapAiSo(JUTG! 
zjMRFPA9(hVtw9s;4v^3c%LExwr^-!V!i5!07=BHg5R<{lhJK+|oYrJxNcZ#Cq z0GJKUHpq%|Zo`ZW&qk#lldd;ZAGkYIP_DJNejgaR0TDEZIQZAzDHK~G#LWKwkPZ8Pn@O2vMPMKCR<$^^2Ev2)%NZ?0#e=9F|HiL~Bb@#HZSnSuFeV zU*Uu3l-@Z3su~SMr-=51$Q19Q?6@y8@8jOD^3^^tem)<+rtQ@rh%dx3v?tv(5r~wo zjlR^*X3WHK2*N{li$5<{mSX!%-A*7(9b+@+FgG=_X^!{JGRthpV_lm_l;v9$KB!dM ziI2q_cEhnfP!41n3~0i){JpCUp4%G%wVRbJ3%u+&=Wqg7ZdUQk%f0)e@zFS5b{~o4 zP~KL~ZQ|vf6#Tm!V=lgea5D2k{_}aA>Vu1^Y0PB1P!J3Z8HUo5xR>{@XCUdny!JTW z=f+Jf?Bth4COMc=-|%eDFcaCS-$!Zyam5cIo=LE_)bLRXnVo%uS~ptzD2q+ccP95v z6dAuUa0=sb=u3~Ci9Hj(>VCV+pJtvDa5psw~av>&-SuN z#_2Rr`odRJX-z>emK6tk9((O8nmAnyVVHyS<7?;Otr)KMbK4X4_bMr5Vvn8*kL^1d zusauPqlw3>7uRV+S2e5=Tt?UB-vx;S;!tNyZcgBg^xx7qY)l*-c)+_u$xO z>0ozpXA1cfUi6Km9}>K}d+T5-LV974Y#%zCx+fVeMyfJFepPEQ##7>sPR(FiO_gkP z@6`Brm1mA2AINF6%n=jFl}Cz{7iZxyP6T0Skf?_p{Bp=G{r3gFkn1<^imoY_w}4^* zhK|&c#hbW>w;6!PZE34upTk1L1Iaq9a*Ve z5?l8Clq$c!1}qcehGbJ_o$x#J$(=|=+EEy*eaTXr+)AS{@oM-^{JTco2P(@JIwmGX zrTGq(j>v*Z9sdVJ>lC%v;%^B8v z;uLQ@gm4S&J3vB(Mn3pmE<(WdP=?s;l}~K3{v(!-*}P$;40mYK7z~gjeRG`lsUvV~ zj9IDE*kTk{Kvmz1S5*Wb!%rz^%wan&#FT98{X|BcS?IBIt=EeyCzEg&v;=uPTWDyH z%H39S_+tItDi>ytAj|Ivux~~k`Qq<301H8&!u_<-_)>j;c&pcdJ=+5p>lY;|TY4YW z-$Hb$3j=zf8>R$t5WI6jZY7y~gE=7gM20cj3wGc()Ua<7ilZu>F}Ik4V~GRCOROPL zl4<&##+u1g6b}m2PZc0i+bmAt5(@SgBi1cQ`&Vw-y`e3*Ma67+DTcZn;!FUFJ1%tw zG$k}be%(T6fJ$`K9#l%_fC@_F9K!9q$hG*oA6-$H)pfhJ^o2msEy&Y22@az}G}BQV z!oF>jayU3j%yQ7rH0NEe*+u9x?l_^dH{Z$bv8dlr;eG`wub>(L=fedj5JTcI!A~_C z>Y0td<1g;EJjqzO)=Q=?KoR?Sw%SM;Lbxll>;MgQo_ivDNI%4iTFI|BcsXfa@hoV7 zpiJY8&n$nLPoenyW2I^zJhnyDAD6UM4Z5&KZHygpEqnyq{Aj7Yh&zGm4^)1R-^{5D z2F&geXtX$6r`5-3R#O?da)x6Fqgb2Ck8VAl$c= z`WVJorgU$!RsLSR2Wv*aYf(|I`>0dFRSd6;APl!DA=ZD1!4kRfnb_slRHgtLyn`mT z&b7zO(b+*RMxAj@?-)A;E{V|4P+v2M78n$J1K<-n`@2szimW}j+D?52qfU~=qs+0G zCMdOi3U5PF^Eb*Y{*cII@5{lTQC6`kP|>ebCA)3J8~R$p(R?f7Y=^WShv{*OxecE~ zU4*OndE$8L&vs2oE~3^-%t2gAKj@EJ_!Q80;i zoHT%mJjm@5-=au9ZV`dY-noO5?hALSGsLbj4{l9d?P;ov?s#z=BVem25kEjN+MyT2lT~lYl(XG5 zPl6;(1BeCs1};RyT(iD;;YvcW%7$isxmMT1=VZf>WV&JNd{RH0eLLJ_QrkxhF>V=B 
zX2-#|9Mpo9o~<0-9ep)0xg^6hVW#n5=U~yiqU{!cb91GxV6E)ig(usN%^ytt_R{y!Ur##+vUIUCuu$fs}{rJM1*! zp2{en>?iSjyU*IKQfc_&c*y30Ub&0x9^VnvrS=A?LM1DsLBhp6vt^T>mI;eVjs8B# zIk#FM7m$4j5O4xq0a1Z$hN=f#fC_p%UV?$aif-x zUYN_cfCJ>n^j)iQ!xRAZ1P9p|mUfx=41+}7@?wR;xmdj`Ha~2xYmYTRpHLPANK<2e z;<@AB`r{67n1$Stce?!SzHhJ!4-s^jz(w}1j9^06GjF>#FmLjKgY~d*H@NI52z<7w%YtMpsSa0DGF9j9&hJ=gLE4_ zltHyZV454w%=qCpiwpIn54h{ut~u|O*OR7BA!~wZF@b3e8L+#35u-Li1kjSZ(8s#+ zE$&cju4FR5mpCg8`xaSCY^s?-B8Z||wX<5Bto`IieqUPq)V@KA;2q1wiwTL6R5eKmacM}z{gtO@d6ebJszcVg3WuiOlE3X0B+tPPuV8Rqt!!F! z`+EJaJEx>KX_`^y7;g;3p{LGw#uM*4*F8nA?zU6ee>!+~+VSWYsVCDmfgIsb&6RTW zsN~$y>LX)1vxgmLpI9c0Fp0t@$z2Hah_<1jq3xE5$)3}#8?X9A3d}$6C-BDwl#%V* z;l!Ge*#1;nDHsdl>a2Wy`d&J#3z?^RX`_y+Lg0zii_7q{wy=`EwpWIFtTizyNw-R5 z)}4y(>TwD#sZb;kBrVLRQ4y0ecrVHB8SU$)SDt>+xX#O_oXN$fJV#YC#S-u#m8H(| z_P#}Sfz*W(`Vw{fbe_2nZ}*C~K>mC?@wJo|lAhFiL7u*_vo5k(OP1AR`f70_|Lv6R zy;tU+vTum1hEEa_(T%OJs&$X*b&YHV> zo#ILDMq{qriIj^h!+sDDWxO%H&iWbO(eBoirKk{69<%M8b&q|Knwn~i0f_ap2kG+Ax2H>f^POcnhc?BaQn zlA3oUjX{l=4-#ybVB71?zHEuYC=FXGax%CiB>R{++uTG4(O>sP@V&)YE}A*cG<1>i`uWd1JFuQT!$yw} zc&oO6Q`mbsHN&A|ZwA(Haf(Y>UL6H-r(+j8G9muO2Rcg$Fa{Fz`^h@^%rUi+ajQ_< z^cgR!gVnfzpa!a<$8EglaL{OJwNG_={%2nMbmmw;5meB_BmubQZ^qIi}3hp7g4rfYtOdBH5WK_I*SO2OLc;hi1bj zu9V||2batGIvZd=naq2aPQD5;Y&gCyzE3-?coO$=R_7t;b=xvJjx!O{@)j4l{F#~} zXNQ7zY#3vUd^~xw!dIa_!1lxw%eWx}ZU7+n)Cu}9?P>PGms6=azj%3m_gc zX1wFiEp~ecIU#q#SMFoNq60gK*uzl$!_W{!R(8I9($E-una#~& z978X%Ar+&ZWfUKS;Gu;0ivt{Gtqucu$CT=sLp7_<7Rn4Mj~{mBh$TO!oBEPsnnhro zwiUq0^UbLfPAB=d6~+6fvy1Y1)+e*G@*7abT$geE?D5S^EL2&VpoXj#?5p*B*!N-HnsU!z4`C-zW0f{eidf2T6Yqs&=Eiu^kuA>v##d8*L}1^ zdu+vy$|Zn@k|vM|xr^_+65JAS?vo$v{wlwT<91t~0`ZGca*n|GL$e<9!E&w%E8XfL zkF(cyz2fRNyBZH|Xn09-L*xYB=H2|6j?MhP`b+j7?LxGs%!^n8_XT|scW~De9h^P9 zD4b%C1RCpNC<7_{K6maP*Fzk1m<+c%A2-8iTL|yG418R2{)%n*>svROT+YMf=YB11 zITZQ7@w@uO_9-quojEj(-6Y-6xz&u)0Y%K&S$*z3hqAlzG2lr4f2`%xKWjBb{jb^_ z{daB6^j|rze}$U-UpbHeuJ8I+_$B{c=loweum4*%7x|-nHB|G zB=SFr4*%9#f4LqlDsASa0s%p3=n9(F4umqvDeHU7R7#l9TJxWtH44xxBX{GB@6IP63lx;n`OI_Anw%;-CKTxoW7Y# 
zxCdsu4u%*2N&k(x--j4OFzoF&V8Olb12hPFL+kd=MD7oh*lXw52wVLytdI^#5=@Z} zj(dEtum1aVbAGNWY`^;%vJX#OeCKZXDHYoW&X*VrnEmt(u=YIIOq8-X(ii-=5ga<^ zZvJ6Kzd?R1sYZAihPPsfLQeK0v1b9;(U1T^9Mujp7XVZMi7wH4#LB?mAgRR%9biew zA4_s%*-rfN(0&N=_xI@Ftzc2eZQ4J*XC>hKk|Z#{FG)UfzlFr!Hz$yl2uP(3D4q+O ziB^_CdVzHE#w;*9cckNO*y7)QwNHbZ^n0!9Zw?l2hf6%Dfs-g@0HOj|Tj&LRH?c<& zOz=B`Luus>}q#(ZC zRKbsM@Y@znKWoz3-`4XL%uEW*Y(nhk%=&+s*`>&R42gYUPGHv^^L=L0U}o9vI&0sM z-)ClzTCJld5dScm3*ZS?~f*02ecp zelJ!1tpRVWaH!$G%NGXQ4r3>}r~c(NiQqM|X9CfjX)-+8xKw$TJ}WV_h< zHz=M3$TMdKi5)Y?w!4KQ(8m8mwDSQW5`})BVO$Qn5IOUhB#uP>+@3>VhyT8*e(v5M zJc0v4R2%+Ih-a$)4q$fXxG<8B-S2PW0B-{5hJW9^zf&9yY6x{x)|9+w1 z)$|5X2=B@z@QbsY@~lG*SRm|+{{yTSco z-@hB&U&r|?DS_EW{%W@WJj!3qwkpduh9K_z-E3z7Yx>h}|Jn5aO3PD``*S4rO0e_) zPD`NS|2)bs(vMR0cm0*%e;wwB&i;c2QBQBE`jyzfj`J(y{+ajl@8VnRS9H-oA@~1^ zZJk?&!$67tgWkY1`OY@w^T7PgX>jwBq$v^wIzfkfIPTucs ztIxl~Oa8@g{ZAwR?@rDi4d~Ae@E2;6*#FGM|I4*s&o=*uxd!(*;Pks&@u-`(FG=ltN>{)2&*_+|rCq`q@{o@+NX*?q_l(&j%8`(k9 z{nW)izJp6+0I7vGGHxL_?yHT76Z3-fN6DSA8JQM;=nN{jpp0Ig*%Wo|ZryW+6o(+? 
zI~}u!e0Vmhw3+GjRmG~eRsh_AihN0!9`3zo`s;eDmxj}Ct z{Y^nrbaAs!#E}_woH&0cd+F%eXGn15ev-LJ^a48dlJq5v$MvPfErNN!r7H6cjz31Y zg$uA89ntQ5-*QZmUz^Ncc~}4-?AY!r9l*&39R7Nz1Wl0hk)+eX+I$7oiMw5qg6L+3 zh3WL~y(Iq!f6}(ngZl$vspkwyml9LAabl!L_95^g*t~!j$O&5jIik_J=*hVfSng|V zT6*N!r^r9X&4u%^pd#G|N<{vkakb_W;qdpK17V;R{|J)EE)32^Er}W8tpKq&0JQ=0 zvrUgAoFJM1dvoOffBW3!5B>eTp^s=te%m^GhbI7(k~eaT@1_tb7hohPVD{I4@F8HA zCzhzq5JJhUcP-D=EHUUmO_d0jV5x(h{gAU0u;v7Y1*PRD{m;fvMKhPmal4Zb$3HZ@o}8zB zBdFGgPgBaq;Eml4!+1}vo@5XS5^IBw#OvWbW;h7ORBvmNJxkh4Ti>#Gsh=FfD7?&I zVejzSv#$|<&WSfZkjIsdFTa2A{yG)9xJ^C50HfVt2$oiT6p~&G@}3*G2kOjm)K{>R z=r8^;q{Xh6U5@BVJ4J48_pPGJxy8UOXqd7BFE4ie)y`#W`i}K+h4t8EUKI;vz0sPv zpd4%;a|840rovpprv&=BXVuKre(Me?0;~i!}uhMBt<wSF&T_3{~JlBrz2hz#Uh{xvr1hxAs?mZ?OT_62Isy5Re-kOVlzsU!c zsQOwpr-ZX8*x=So%BJSfGG|UmSo3`*3uny}lFHL6JLSg-mvSE7UK6>sq2ymNe z{A9789_HcQRxJWD&t9$DyYl!UyYo{@vj_gmL7}vnCep&{wjgjJ+0|lQp8p{~Jfzxg z^f!o%wbg>AV0u;Wf2s<9<6IN)wCvMC_P0x%uvG0Eq)T4N?MXP1W{4J(hwQw*PO9w& zcpRLs;q@JNk@_t&7lCmS{NweIa3PkB5HrdKwkrngR?V7q2-vNw|9rPjF8wF()`oFn zEJ4mO`{FD#BI)g6M@w>3RX+Dys+%^>O_!pGs(u=Iy-mza?_D5ESJ5AI!ZS!LY%5b) z_zP3>gXNhTHe*Rrb{q+04JTEb^zvjLiwaDc}L!;BLQn!DvR&2DRX$p%XT!9}m zJu_w=K&GtHOiUNy&sb6$R$eu=5)ip(On0sPm5j~TZJjN7H;!)cce!%{g_`=Vi5Ww% z4|^Vr^Bythjh_dm(Z%VgfI~i2z&qtLpUOJR;jBxp2!8?HcjN*u<%2sXGh=VYj(MuP z2qzE|6*;VD`y%YTa!6S+hf9n0`ZIX&%6hKQd%Q<20LT3Gije2TAl zj9EOUX!QelkV@O%6uRP4Y?3qRXYNe@jk~>K52gIRUl=)8KIA6~I_$EoEa&*C2Avo! z%08}BUwiyy&r3bWgOuYavD_`?eCKktaXp=6M7s z^W>RS#V=@wvN&JI!TAI>(eCqunNe?+hH|P4-_K^SRZJM~+hFr&LebdD#sj6HnUh7lcieQ5kT^;>kG zX2Jf=g^=d1xH3oKbNlJ|bob1MO`4Cqt-6KJtUDU&qIK}v*!|^MnMgzR^7^2*G@Y^+ z0=@lwmK#xC(qC9!XKIVcN0(k&<&a40iaRR9pt(nodd*qv!7{Y-c~6o1TXUJUf#S!8 zydBJYqAGp{>vJ&cnV9~0)ZVkkd*JH$FxT5XbBrh%I)Wrfpd4&qw{=-g^l3{;i@$z? 
zacph;Fva2%+1dK_o!aWE;Fd||^P0GXbFT^vVYR%^u)*V#=8loZZxZ=$OR{pnZou_g z%dr^aS29{4e;Pes19fgUDxht@`R1#Pe)r@T|3od`RBXre;^Tm`6B<%CwS3uWj!*W* zG9CYXo2h4o(w}ascsu@NMR2?4Y5<$^)k-qAZKi|{0#z+TxKC6nRRF}cMkbV_P)yn* zg4bR4iQ>n-k_u!!>M8GMbYB%3eY@8D634vOGvxVeMOPl~uT3N`PF64XH%`mh4rlgV zi1#UX*fNmC-IRErdzm33eQD56PT7VT{n2z=VJiGL$PvF=*p?fn49A+Y&Xzc?r7OIC z&ajs3qVD42&?~%kegYbWDOGLHEJ7*V`uIsdp4-{3us961ezs{F-6y|U>PIhsJnAd# zf&J3KKJRs8f`0R0$Tdl)R~or$2l-n856uN0Dayef6ST7t_Mm>?A4sKDM$m zV;yGkUb?rsx97Qk$NRkR?>L_OKf`=|uXFoc=XqV{qJHe?SixOFY*S*U;&j4DJ4yDFP*I_~NQhO8fm6e#8}yyw zZ{oY4S$B=$IVo9IO{wGz{-E~D4-yI2-OChT24hG)$Qer#V@;23z##E?%!?-LG=+>a z6E|v)+__F0gB=p=-c){>C=-U(7;N5cI_2iEIKInSF6m)Z^kFUH+b05{U&VYso% z;;@fuUVpN>B>O~xx!k1Iuv%0eW$)#98AfsjQ4F(hurYtp=^v3jvp2cp26qu+1n!Z7%P3LKx2sRY6OXX5VlT>k8ZNiPvM$UqJ zAvYd89kfbftLux?zrS1@24af74Wb*?hTADagaQn5^}!A-^7wBtih3JNPl z$9`PAf)#@-_o*v%PvUd8_jWbh99)O&?wM?TD%ucnh<#Xji}6ForMD{?*n*fa1zi*i$1m&90LxV7ZDGLZmkML#2~(&d+WKo4ac5@ym=E>!S<=tlvY3A zaC~)^HL?cPIpaH&rGkZ$C*R5DIc)9dlqwV0mw8gZd>ilLrebKfglj5MGzi_myR36! z_UaERq1_Ya-CFECDg!32lKEIk{AtAe$HjTJ@@R8x<2Hr&E$COvxu20^&NHK~9c2`; zDL0Fl7gLd_$g_{lE;Zj7SB$}ko7VI0IV3OXfrtBeQ=b>ZAe{t4!5lR}a0hs71~fFp@&Rrt~c}%v~Be&S| zxXBu_s6Ou8JVNjz2$l<>LZ=WN`KKFHx_K(LUAgA7&-0>YzZazTX4|~u8No{|D4pR9 z0~Z0D70xQgsH5Dk+f)B+^cJ4UHW9N6$Y_a){rM%1<`(t%;dMwiqPkcs{J@)`gJ%iV zcZfdC0*qF@%=WdJ=%gGYiw@6umD)x3bi}wgK1FCsn7<5p z9A3#4QaS3?>vee~3HOAqI?gp9K+eHUET7-%G+|mz4W&nYn=KJ?Q*K!uB`+p9~$f;5dq6So^2TRaNjhqAtQsW`y_u*-?LTOv5Z`OT}>X% zYOeE^h^McpSz30{K4WC>4=g*hY2O z?3c!NiT^`CTSMQAa8FZ+s?x~9OWB;%ptn-|FOrYy7TitNfB&UID-YP!_Dc(@< zemc&5Y7!k!WKqNf3-WZOz8<)7l=tn{KCHtcv}cTd3Y6t^NrUq-jp#CC9daY+gqK)o zn@VOq-IU)la=txwPyfD(5AS_u^%+?DDxic`@vayd0`< zSw-hMbG$<8Q|W+)O|?_*R_t^$TfwE(Da08xgiNp}_P?Sk52F%2n9twbD^c=(*Uo}? 
zTax4}MTTa^z~wy`=)BMm$Q{bsd#_p_c_?3E8t_3SseUY5h^2L>R`fNkC_BSoYn~Sk zy1h4^KQ2{e8-boEm8{%-@8bTHnL@*X&tcs+6cP8;q-+crPakN}VyG4cqvMRnZ}@|( zeK`#K7}a*|5SNf5GEPYQi{ucGm28thRYWlV{4v~{QUy}xkZ~A#v+W=*D7;jzd;iUs zy*!zZ{o2F#Fo;#4j!jv>Nj7k=Wlxx2^H6-_?F@demL}21UH;5MhZvM7Hs#4m$@;q$ zLsN~8*xO^=CY-L#6ouXwaMF(bh+{pP_Kr~IoaHD;qGo8{j> zxo^6+%gyar#Uifx-5PGNu+9TkrNmJVA>VgEI`bB89qs+HdTJfw%B%Ef_E5b7p)Q$T zA6*FV#rGW6$v{`wSlu~$tS*`xGZgpIiN*9$a$u^_AtwNLZ@k`vo!b?N(cL^-)q%?j+$z-!=z@dDJQ_TfwN`i_9<&#I-S zg1#iUe$$4oLINV*t-=BX-SdhjQQf&1GiN*+ao%>?6<;}zNhi@4bvh> zy+88HTWD>m(NKr(Xt>G|wX zQFGR%76n4L?~qEI+CY5VcR43NNA}|L)r9^OT&B@n7iQ+JD|-<`CcNmnsF-6{vbA1pTNVlH zL&ci*jFVbR!q6X$q z8drh;MGiVmQf5)iorY6KK0dZ#;%w%?4rv)*%Z_c)Vh!<52Xuw<|Y z#(;Y%kq$@9m&SRu4m>*i-sxC_xbBH}YbA>AcU8HU<=TZJbx3MnFzfng)<=vCfl9f% z;Qd0jlagcj9n{O@-l2qBE9&hkn(mxU!Od)e4Lor1xA5CZ0=|8G3v>Q-l@7W9Ihs&i z%nv;xWMC3MtH*lnmSRq=b`qqstJuF9*WEZgdftLO`9V+8h=sA3V2%uWf}O8B2!|o3s)Ook~L`$ZnU=)A6AVryE|}JLbqhLIQfeV83E_UkJ|u; zuKXJ4gCyBps)=(f-`{T4j@G>?(oPLb`uu3~Ey(IE2xD4-N2Fsqy&-YSLxQRHkvDg_ zn|A5oj@B>MgVN`@mw~I=!|=fCRQnP03)MXyd8WMJqCOO7xMTN z#9J&ncRZiVb?R--8MRrIXn7iiHcOYJN}M(NG&w*Zj_m~301wbzz@hwCl}~^B?-vlW ziXU6kBQTjixwaR8Ya0bz+sKVOPc57S=FeT*k95rVPs0g*bZytb3~r~5L*@ z6gVGR!1>T(`R+>SKYqyk?_M>P2@h>vN{lDTRduc`h?JEo2DY5u+mlhG65(bX|HHy3;Vb+Q7&8#Y_mlKrW&)hE2(IF!@~*+_X*16PC5gVPs6R`!|8M!d#4)X_H|Y&@ zLlK4Yi8VeuJ8=C9U)=_B#5-N#;QG~J`P=K)5YHuW{d)T6>(`cVOzrplkF4l?I58mk zY3>z!*V8f|ZMDEx+g?sdwnmu8hKeYj(!GNTr;s$YIdYnJ>Fs9Lyt#tMT5FUjuxlx?Fah9K^6yy@OOWW z@PQkt^}?`8OEc!&nrX8t@tdlLqh=VUZ$(TylLF^iI0#D}TUWagMQ$-U&BE(aAJSbK; zk0BY7VVXBF=^UVHVv2$vOuS3gFoQ49KxU{UwV41V>#KkeMxCYzvKgO&{q6-wPFkpd zFTz?eL)o(PP59~>eU7{r#E%_e zfSVXHsJ4(>siN<02It-%F?yhi;su@zNI-9@Xi%X z1(fWUj~SzY?;5XS%VESslqlVI4N2duxeloTDUaL6d@$p1P>nHo5kWQdWd5YR7OqeC z#Fx;wVyYFA0RaU1CU6e|Dm%U-FzmM+$Rw%-!rKBd3rjQtQG>oW3${uJxx1Wn+d2Q= z@b=7l-;i%S=)v);i2eVO@b4tN^IIMNYYCTc{l$7fx-Ss1`(W6Q z<^?i-IscW2Rf*a^sxZj%4g?}5FkybuaFC3f@z)}r^MU`Q!5FF`5HVT!M-A5o8vZXt zjQ)i{py^+Yc%=gNqY=aZwGn?uApnr?S+Id1e`UqrlL#OBjs^e9iod0C!-~J-!CzbP 
zw-f>^{+VZXlrygIIjQ@)9 zKLG%(k=p$0dcPw4&&omhRyml&0K%vKF~S4vs`U6)|ABT4d}knri(@s||;2=N;R z@DsB(Fn+^8a1|_K8yJuIJ;av*%>9nU4ej`j1)f{a1B^fY2N(~wr+eR$_%ow_;Xx)4 z6To=HA7K1lKp^vP5MZO@By@s6=KP8PKJozML4oEUfxJ6@2u_3p1lZ7q9}!?3!nm=^ z{UmgN0XzRp$Y6s7JGVD*GT>>TWa}#kV8PrW-?h6xD`v=sVtyy(A2;%WIkG+#`ZLJ= zEM}l*gkM2`$?lKjJPY>m6-*^&5cw;}0U^^t4(m@o1VBMUvhc4$7T(yKG{D~U25e0~ ztr`C(-vZZf)(l&qebvm36>tBWD+UJ<*tx&I;;*iU|Ay;vYs2#>p#ztP@mpMm z1F0$gircsfzTc=Ne2hYgS;dwSh~E)sfT?`@{eu#J@*tj=t@2xH?|XmCbcD~v-|7{n zd1Xar0q%|&x`O(KrN9zc8NZY4i{D807d|Zm`>pt8g;YC`tLXd7OUa#sQQzy+&$1zq zP1L?sfDjll8~yF_`KY^oqs2cfL@!tz^Dm1dCDXZ}-oI$a$X^rri{8-XvEYTQ-)cuD z@$B~|3tgqtKLe-CmMR6?^s|LM{t;xZkh#BF4O89Mtux_|scZ&RZU(tazF$4iAD^^D zant>_Z+OGNi1?_x|AfkJKqc#2{GzNqaJymTPv3v+9Q^Y)T73IPumzZW{|h|RhQIwS z8viOwOl2iehQ`LXu}#tCzx$*>7X8&gf1~bsbS`dh%=ncJj~>1ukZ(TWDwO_2VSxZj zfdDkNe2pVO&8Y^UQS>crQ5HlRyRah&-(O*H!#DrQLP`N_=TI5JgX|j*0`I*BKxJhu z5lUlIx=UwD14>s0#38={Vh@35p0wea_W{Rz9O!1qpv)SNGl9A-j0!44uacoZ$>JJt zYBGstKmp=5FuNXvA-}L?2~$}`6#dGUuj1Z#UFEmGFdj_(S^mDjo&QE}WH$7s;%m%+ z0S%Xa)T5t1gBW7lMhx-m{_@L8XTVB-HQlem|2NI?kAU{O&E`9x-S=}4umQCH6A$3m zAn$wU=mppxzxAF#keB+uEN&SH!af+-ly^U^h{PWEqBL^(aq~D&92vPBM0+8hh17mS zgjY?(*}d|QaYb)wx1*$Z)T=h9dU|{^?_%FwWjUFV7a4i!j;czg7ZG)8vP}0)L57|w zf>d-Klt|1IBL z|42=xx3=NOCNUH;VMKd5abw#Dr$>a^jgAkR%Goj)`$@3h!D&<^DVd_b5p$%2o23y< z$oXeM|NQkIZv3Mg|JcGm$nXym{)2@7AmL9)2xfaxWB%JOb^n5X#`Tu}7yLQLx+7!T z{y~PeILIl%g&yoB1e#SeohA-;Jy4@$1u zld)rz2z zkGWBjuAH|FGl3h#e=rry8vUHE$Ie_r=+24oRSr*x_bu`IP`+dlfo z&=W5YZ@b6KEnL+1tn_vH5G}}gig%7`oZhrawf*Itof?v22l>w2VDr{@8Za9Zj5=q0 z1>H!xeWA?-8&ED<(zf3A1F2^K&6)E}^N!%$l8qcppsK z$?`}X^i%>TGG2l!6cx`8P=9Rjr4926Mh{uqZFO$tW%Iv_~GM+i(IyMRxrucnAXmLqd!#-{gUkOWi)o#^b6Py=hQXxEu2Ig5RS|u= zO2fxtxwIvMH)b#aFW@OeHcjzG6t{;)uN--AfSM_d=ZW%VWsp`g@0Svnz}Y7?^Hthj_lkRH)~BT&Tk5bxzkjb&SsKnlwZD ziR6_Q#NIi*xtfdblrDez=wT%=>P@mvWe;UDIj9cKM1_*D+9dOYGHjrXG`ErYi7qpf zaXzPH^8nl{q}iZfi03;9;^5&HiP;g+0nA`Z96fy)??cE73slG+Io~1AUqZCp;9kg)P7@=fQ#UDoi5e3bIfv< zAbDer>`LN3-Ii6(K)v;`6geCsu_aDVs3+?M*1ke~U*G$8_ozwK!V}fjZ33NRM-m1J 
z9FyfTzHhnstgFlSy=mJLC74in{mW9yJUW7(-$Zx*$wP*zz_l>?Hd?xcJ-(o`YB?_| znW9&-l>c-WW6i;kx7JsbLhmv5F}4}v0tb}Asi^`5g~ARWydT#e21U(I8My29sw^pP z{&KwfNXJ7t%j`RmPXx{}XPDC~v8-rj5uCr;F|->%LtnJzT_i_VvZf8vs412I(dDx@ z_OcvVvDQ>IjQv5s37+pi-8cg4#+$buEXeFty{%4S+kQ7`D(<#T51nbN$^8bg$^9p^ zOm(gpJ{IWghwt{><5`b?tr(2+6hrME;jq|3vcQj)%?1rWFcRzeyiX_Un!VLMafwW< zgl;F?nca6prUx--TSxG!(jcbQs2X_KR%r^1a~pLo4A}FZgEVY9oqv3YB_f{tGhBM8 z34%^VT&90OP@jYO0NQX>ZaUs~OFcXJF`| zmfx&}*0--U05Q=z6<}=O@%*|6&H-kuGm2F?{g+OqWNOPBDa8x>9NTQN=}_M}=DkC> zF6ANiR9DAAbIh_2u|KR@(kHv&nVCB0sI0|&mhBiV7k=3KX0{h+;SW1V*Z{R7R31{y zTlj-G|0;}t_6~gR&PL9fH#VP^l)VNrR1x9_50loSJf-*lDr|J&)(EsumD%KOr0dHH%XoyYP>D-Z)_-n zc&BtzhaFng`?Kq872a|4R_ttKk!?OB;4;b>OMBocK;B)8=U&u9)(oiS5OcIwbFYb1mXNflF;~#jwq%-9xp( z3dgQ%#uo9#fq~U0wbWHC&NV&d6&ICaSGz0#>#ke2C)Le}4mpvG(@_C8| z*|EA@#w67)zse!I=I%amr|hOZeKlT;5kcaN2fY|LS4T$R%&5qrmB0f1&8YH*#Ti?z zH}01jZTAM>5=|DDc&EjZ8^Nn1^w4p!ZV)#;LQx>gjBtAw1R;Cir#lp;U_0#%x+mf+ z!Xyv&_n2#4dwnVDP56oTU16@~Pmk!-pp2;;caDzGvP*BAKM@n8Wm9*X7HcQB$^u!& zktNR^q#Q>XUbMn)>47lQFoezzo`-0Um@Bb9(eT~nhsfz@nPEM&+_>6ybNGx|RG-Oa ztD-4R>Jju)I>&s$8) z_w~hh8|u2Av~k&*1VnSu$RFUOQCnr}XywsgW-uE{z zy$~_#6W?+$*2n;MuqX#Ijkh6y`8L@6=+t!GXP0~IEcib@)P3o=7B1=Nkb2tboUB#k z)o5XfjAZFama&O`_%bV5d8GRbv92Pl2U;~CN^(9_|H=Ng8LQoFkC16;`nBTN!23** ze5W8xPuLx^+UBG;Zd{q3eLO(S(?yDgp!IID7bui)9ONx64Y_yk$_#2cDZpQgnOP`~ z`i6)NP{1*xu%}4I{?Z}^?eg*U$b(?eYH=g0-(}9R2w4wp4hGv=ItvM2h2?TcWF{p9 z$K5DM?o%lEoc~y4&kyQsDVf6JY{4m+;%wWP_-MtnQoPMnb1e7jWa|&Us zmvr4>q}aW0ib70D6;56UJa!m60mQgXI$I)I4P!)!q{ccsdhA>>3_i4@!Bw?7JCE}N zYn^}ugYaken=2s@S7;#qin*LA**%@ANsBK(V2|Y({P?gT-Tw9K;f^(VLn(BD=@+Tb z8i#AA_z$OVHP234@WZR)2V>R5I_33yGBrQucORfIKX9g<>O3F7^PorB-Soz_yB7Xd zIbs*uZV0&?TSYGWf08F`r@E6vp4v_3bWPADI-F*b^-BcK_rK#hL?2wmus}#XGUZ7z6s4O2B zn|Gs~$R0yw_C|VeL(f$2^$W!S~y4NycY=Gn z7)Crfcuwerlqxfwh56;=A0J?~kkn=rSj7Vjfl947n}HNAptSnKFx`s+Q88 zsvO4d4C29_$Su57bgfu#z&iKCjc2ab1}U;T{SCH?Bbd-8WW+Gu7rw&<>sPMeceKEX z%R2M|>uUI^hbUAN%k31XTa(Bqb+Y5V_ns#pAHS)~Lc=wWmMD8u-dLEEG7Yj@ 
z)i_Z}b7MM8Yt~Jrm%6skH}Rg-Y&J0Q_C|z0GAi$^2VwTh<1|(pFbAj~owb#EjmSR| zFK@v>_GgX}8EeXYH(h(x=2ongZlvA9@dJt>+bUIi_^R-jA z+lv)*DXE0_O}RxCzt+q@uded=E^Kd<;^q&-9M06{XI^ka_~0`Hw;DgygzQLEK2O|| zntCkkOnKszW;WhuengAgXzjMPZ#`Burs9n3j-57EUFG9Iqr121Xaj=6D_ZH75)AxdWtrLZF(ohIH})-tLB5=$2hjFJFE$H0?VkF~WOMNaB z%T$fA!9a-gcy7PRnVK`NTYEtlw;Kz)uX|s9!891R$_~=_RZ0HSE)*rylu=AAg2_{f ztf)zh8a$1iZr*`-fOD?z*E(N1ak6Q_)-Lwi750|*T4!N1VI=I3GhwTmApJd@b*Vwc zp4lt*Kp9C+y6Zs1QH%Y4-2qoWc}v>biv{Lnx*D zPkAay_+rt01--3(6{1mJBx67JJli(N_4%UIs~W3@+Pl((OSDk5%OIA`vk7 z-B5q04_ZAH<-;$tO~dK-fhhOwlj=uf8$z}2_X&I5F37%#h|fRAJXKZ~NN4u!M{J=A z4>doqIFe1i3rY{Uo>d^1p6~2-xHDvEvKpZ);52q!Tlj~FV|Qn?v>IB-7lxX=0YD1EqYV1-mbQ*SChe)AYPsL=qik+*=ls(EsS6JhxAW_1D{yX^L)yR8-inMr@n-pQ{Ino&mh9VNzGX*DQi{h^6>+d>3g`@gM^cqE8^yMls zhh)Fx)wJyQY=Px9S0cMhz>q*s$b{MF&VX_u`{iX&K3H%o6Uk*cKg%V=BL~?ZD}0{M zyEISkia3?<6xxpU!!Y7)k=>EQxO-F=68|tbXrtOJw`YEj7Ub8R<* zbG4n2cEPq+dT*VxtY?CONC?@?fpV-x6zB()Y7T9;sJq2c;483RM8x2YA^892ZSI06d zrQxFM>)FX%F>9xkF(#`k3vWmmaF%3(tjA0Hq`F5q;kodP9bNPsmdF6NM?1 z@lDFn#FGoGY^6sVv=6dc@eJT4UOa`i;JXnc#+6VmaQ?wO9Yi@XsjdFWMcJ>MxLn>n ze_gsS;D}ClwWTORf%U2)bf2=AWMau%LN0WAhKQ}XgW2gR3xY|%vLPofm+~OJ7U^A% zS!XKmYWW>~9<7(^C7mOc>LnSTP&FSH2wAgTE+m6;jeP&wkkfU`A5YsSSFoAcgdo*a zx~2~{avp~0K&3+G5Br>m>5UA=wqbfDjcL&sdmPs|o_&-Yo@A%Cw^hCx4_eo7PAjfS z5$xmaW}O=wEMpoA!%rSM6FSd^d@BHUYv%E%&~D_t0YO?K=1Laa45&2xK{2cv32U|# zN%T!Yxj857JM49KL?D85S3=VBheA44Ozcg*t4YLR7%SSC{5egr*25zo)M>B1?^K$7 z^)lyi&qSiF$NUx@YJ-l!EXz};>K$OhDF?%%aa}*-P-i7HbR`-Cp`Pto4tS<-?Vje~ zD1X<&ut(xdeaw#gp_UxUpIvz9yL1io$D!3F$nJ$@dW$^t!D}_OPasS_o0Ah-W!9=N z!Nj$4Rqc2{O1NT%@}W?jm7EZt`izU$NG$-~%tzA%m!j8fD zSJDrUadBI-X=&~J+%9tBX?;?x;L#69W`!5%;7uCYG{16&iMT~i5fb+dbdZ8&sFE$h zjupC93V+stf-GQ7P502)YOE^GYb66z%KcvQL9eDd9F4h|l*GJfm) zf4_yzZ=9Eno}J9=?f-cP<}WT{{`e~5e@{PT#`TVW`12R?V_fh2&+!L$iL61C8xE_} zyQ2@K9{%{HJ1QhAf~9l2KzUrVGDiuHUp0JG+;g$;PS3RK0CpP6Z$=hbU!$#b{xEuybgKS zL-$WV)&#+*Ab$TR`0rj;K!bu!yBSJVy09Dq($&K%;N(3Zg?IjS*zaG4(Ez9Y3st`( zC7HfQoT3HNo$EkT6!tdE>LtX-B@PBEI9&f7DIiYvKjrxezj%l&3JN6(V05F-MODz; 
zUIqTodjH|?e}_Ia5gq_@jmG3J-?tTM_a!6EQEl12XWK+}l`G5iWM#F&jW}09Spt>? z6o_5(@so-9sc~fc&&*zZhjrrmA!h5}$c5PLlJu@D}Q8_zL6Ke{qWf&%- zHz{-?j_Q@s>F~)hWf46_d|KNL2kaPMUOAf(3huiA+lnkd$ ze@egHI2bTk(o(=|D&ri#WLps1=Cn(?!zk3e^u~pH#viV;p_?@!o-HPr3QHHUr-p5y zdD6`zYPP->b{tr1$89>G`$~uffFaOfvt4){(ipQ2DT^YyUwW z@F5a>34DDX916`@dmi|79QGPPBxBc7FsrxLAuG9IWVAlb08V{_p>!hxK=3*fLsb){ zr^D!%@wDk=It(EAMF8N^2>P<|uoDLZ#TpzF2CPFe0MN(Cfa_MVf7bC2KmHf$2mi1P zS#mDu#`I`dC4T#~d}B1z{=%M@G2>}%DR(+jKpy!C{K0Z@>O~U17RhUYS{UB)w8t;g r^ Date: Thu, 16 May 2024 03:13:27 +0200 Subject: [PATCH 250/288] change the AGH remote app sccreenshot from inline image to a link --- doc/APPS.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/doc/APPS.md b/doc/APPS.md index 4072a38c..8a4fd5ce 100644 --- a/doc/APPS.md +++ b/doc/APPS.md @@ -22,7 +22,7 @@ You can easilly configure this app: - Enter your AdGuard Home credentials in the "Authentication" fields - Test the connection, if a green check is showed up, you're alright -![A screenshot showing the previous instructions completed in the app](https://raw.githubusercontent.com/YunoHost-Apps/adguardhome_ynh/master/doc/screenshots/apps/AGH-remote.PNG) +[Your configuration should look like this.](https://raw.githubusercontent.com/YunoHost-Apps/adguardhome_ynh/master/doc/screenshots/apps/AGH-remote.PNG) ### Secure DNS profile creator 
@@ -38,8 +38,8 @@ Now, click the "Secure DNS profile creator" link above and fill the input fields - Salect either DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT) - For the primary DNS settings, you have to put trustworthy servers IPs, for example [the FDN ones](https://www.fdn.fr/actions/dns/) - And finally the setting for your AdGuard Home server URL: - - If you selected DoH: put your domain name followed by `/dns-query`: `https://__DOMAIN__/dns-query` - - If you selected DoT: put your bare domain name: `__DOMAIN__` + - If you selected DoH: put your domain name followed by `/dns-query`: `https://__DOMAIN__/dns-query` + - If you selected DoT: put your bare domain name: `__DOMAIN__` You can toggle the "Advanced" button to exclude the created profile to be used when you're on your domestic WiFi network or some other settings. From ac58a0f1c88bca0b164070415f48479d3fd7fc0a Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Thu, 16 May 2024 03:14:07 +0200 Subject: [PATCH 251/288] line break --- doc/APPS.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/APPS.md b/doc/APPS.md index 8a4fd5ce..4a6ebcb5 100644 --- a/doc/APPS.md +++ b/doc/APPS.md 
@@ -29,7 +29,7 @@ You can easilly configure this app: To use your AGH instance as a DNS server on your Apple device, you can use [Secure DNS profile creator](https://dns.notjakob.com/index.html). To do so, you first need to activate the DNS over HTTP/TLS/QUIC functionnality using the YunoHost Webadmin. -If you're reading this you should already be in the right page: just click the "AdGuard Home configuration" option at the top of this text, toggle on "Activate DNS over HTTP/TLS/QUIC?" then "Save". +If you're reading this you should already be in the right page: just click the "AdGuard Home configuration" option at the top of this text, toggle on "Activate DNS over HTTP/TLS/QUIC?" then "Save". Else, open The YunoHost Webadmin and follow this path: `Applications -> AdGuard Home -> AdGuard Home configuration` Now, click the "Secure DNS profile creator" link above and fill the input fields. From 20cd2ae4181cf6493d684b21176e9c2f71d110e3 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Thu, 16 May 2024 03:18:15 +0200 Subject: [PATCH 252/288] phrasing --- doc/APPS.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/APPS.md b/doc/APPS.md index 4a6ebcb5..a3f3cb02 100644 --- a/doc/APPS.md +++ b/doc/APPS.md 
@@ -38,7 +38,7 @@ Now, click the "Secure DNS profile creator" link above and fill the input fields - Salect either DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT) - For the primary DNS settings, you have to put trustworthy servers IPs, for example [the FDN ones](https://www.fdn.fr/actions/dns/) - And finally the setting for your AdGuard Home server URL: - - If you selected DoH: put your domain name followed by `/dns-query`: `https://__DOMAIN__/dns-query` + - If you selected DoH: put your domain name between `https://` and `/dns-query`: `https://__DOMAIN__/dns-query` - If you selected DoT: put your bare domain name: `__DOMAIN__` You can toggle the "Advanced" button to exclude the created profile to be used when you're on your domestic WiFi network or some other settings. From 166b19c9f3ac729945fd7c8bff5f4c1a4c951662 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Thu, 16 May 2024 03:18:57 +0200 Subject: [PATCH 253/288] typo --- doc/APPS.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/APPS.md b/doc/APPS.md index a3f3cb02..7804ea0c 100644 --- a/doc/APPS.md +++ b/doc/APPS.md @@ -35,7 +35,7 @@ Else, open The YunoHost Webadmin and follow this path: `Applications -> AdGuard Now, click the "Secure DNS profile creator" link above and fill the input fields. - Name of DNS provider: put an arbitrary name here, for example "AGH" -- Salect either DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT) +- Select either DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT) - For the primary DNS settings, you have to put trustworthy servers IPs, for example [the FDN ones](https://www.fdn.fr/actions/dns/) - And finally the setting for your AdGuard Home server URL: - If you selected DoH: put your domain name between `https://` and `/dns-query`: `https://__DOMAIN__/dns-query` From 4e5a7e2bc127057baab2b4fdcd4ba282bbf5df06 Mon Sep 17 00:00:00 2001 
From: OniriCorpe Date: Thu, 16 May 2024 03:26:26 +0200 Subject: [PATCH 254/288] add a mention of the "DNS-over-HTTPS or DNS-over-TLS?" help section --- doc/APPS.md | 1 + 1 file changed, 1 insertion(+) diff --git a/doc/APPS.md b/doc/APPS.md index 7804ea0c..e9bc5a92 100644 --- a/doc/APPS.md +++ b/doc/APPS.md @@ -36,6 +36,7 @@ Now, click the "Secure DNS profile creator" link above and fill the input fields - Name of DNS provider: put an arbitrary name here, for example "AGH" - Select either DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT) + - If you don't know which one to choose, you can read the "DNS-over-HTTPS or DNS-over-TLS?" section of [the tool's homepage(https://dns.notjakob.com/index.html) - For the primary DNS settings, you have to put trustworthy servers IPs, for example [the FDN ones](https://www.fdn.fr/actions/dns/) - And finally the setting for your AdGuard Home server URL: - If you selected DoH: put your domain name between `https://` and `/dns-query`: `https://__DOMAIN__/dns-query` From 958068bdbdde39501e8e8689b976133b9e51e62a Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Thu, 16 May 2024 03:47:45 +0200 Subject: [PATCH 255/288] tell where DNS profiles can be managed in the device settings --- doc/APPS.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/doc/APPS.md b/doc/APPS.md index e9bc5a92..8667e2dc 100644 --- a/doc/APPS.md +++ b/doc/APPS.md @@ -51,3 +51,5 @@ Now, click the "Add to profile" button to generate the profile file, validate th And finaly, open the system settings, click the "Downloaded profile" and install it bu entering your device password and tapping the final "Install" button. Your device should now use your AdGuard Home instance as its DNS server. Congrats! + +Installed DNS profiles can be managed in the Settings under "General" then "VPN and Device Management". From 02a211ff5deef5643ca91dce83230afa05f312e0 Mon Sep 17 00:00:00 2001 
From: OniriCorpe Date: Thu, 16 May 2024 04:19:46 +0200 Subject: [PATCH 256/288] mention the new apple devices DNS tutorial in the pre-upgrade text --- doc/PRE_UPGRADE.d/0.107.48~ynh3.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/doc/PRE_UPGRADE.d/0.107.48~ynh3.md b/doc/PRE_UPGRADE.d/0.107.48~ynh3.md index f2476612..b981c967 100644 --- a/doc/PRE_UPGRADE.d/0.107.48~ynh3.md +++ b/doc/PRE_UPGRADE.d/0.107.48~ynh3.md @@ -14,6 +14,9 @@ This is because YunoHost needs to perform actions such as automatically opening Also, a new password tool has been added in the config panel too, to make it easier to change the administration password of AdGuard Home! ^w^ +The "Apps" documentation also has been updated to add a tutoral explaining how to configure your AdGuard Home instance as the DNS server on Apple devices. +You can read this "Apps" doc on the AdGuard Home page in your YunoHost Webadmin interface, just next to the "Admin" doc. + This update is at risk of crashing AdGuard Home, so: - If you're already using DoH, DoT or DoQ with your AdGuard Home instance: the configuration of your devices may need to be redone, I'm sorry for that. From 3c6058e5b94ad32e8ab971533207efdf9f096ec7 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Thu, 16 May 2024 06:59:07 +0200 Subject: [PATCH 257/288] can't use ClientID with DoT --- doc/APPS.md | 1 + 1 file changed, 1 insertion(+) diff --git a/doc/APPS.md b/doc/APPS.md index 8667e2dc..8ae27710 100644 --- a/doc/APPS.md +++ b/doc/APPS.md 
@@ -37,6 +37,7 @@ Now, click the "Secure DNS profile creator" link above and fill the input fields - Name of DNS provider: put an arbitrary name here, for example "AGH" - Select either DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT) - If you don't know which one to choose, you can read the "DNS-over-HTTPS or DNS-over-TLS?" section of [the tool's homepage(https://dns.notjakob.com/index.html) + - If you want to use the [ClientID](https://github.com/AdguardTeam/AdGuardHome/wiki/Clients#clientid) option, you can't chose DoT since YunoHost can't handle wildcard domain names, so mandatory DoH for you - For the primary DNS settings, you have to put trustworthy servers IPs, for example [the FDN ones](https://www.fdn.fr/actions/dns/) - And finally the setting for your AdGuard Home server URL: - If you selected DoH: put your domain name between `https://` and `/dns-query`: `https://__DOMAIN__/dns-query` From 91898f1d0d7cc56f42eeddf0e7a84872caf291be Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Thu, 16 May 2024 09:18:05 +0200 Subject: [PATCH 258/288] fixes some typos ans sentences formulations --- doc/APPS.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/APPS.md b/doc/APPS.md index 8ae27710..83b9b4c4 100644 --- a/doc/APPS.md +++ b/doc/APPS.md 
@@ -37,7 +37,7 @@ Now, click the "Secure DNS profile creator" link above and fill the input fields - Name of DNS provider: put an arbitrary name here, for example "AGH" - Select either DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT) - If you don't know which one to choose, you can read the "DNS-over-HTTPS or DNS-over-TLS?" section of [the tool's homepage(https://dns.notjakob.com/index.html) - - If you want to use the [ClientID](https://github.com/AdguardTeam/AdGuardHome/wiki/Clients#clientid) option, you can't chose DoT since YunoHost can't handle wildcard domain names, so mandatory DoH for you + - If you want to use the [ClientID](https://github.com/AdguardTeam/AdGuardHome/wiki/Clients#clientid) option, you can't choose DoT since YunoHost can't handle wildcard domain names, so mandatory DoH for you - For the primary DNS settings, you have to put trustworthy servers IPs, for example [the FDN ones](https://www.fdn.fr/actions/dns/) - And finally the setting for your AdGuard Home server URL: - If you selected DoH: put your domain name between `https://` and `/dns-query`: `https://__DOMAIN__/dns-query` From 1c95e2ab5e860680f3fa44a1ba64e84b5b7c0d65 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Thu, 16 May 2024 09:23:44 +0200 Subject: [PATCH 259/288] fixes some typos ans sentences formulations --- doc/APPS.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/doc/APPS.md b/doc/APPS.md index 83b9b4c4..70b572c9 100644 --- a/doc/APPS.md +++ b/doc/APPS.md 
@@ -26,7 +26,7 @@ You can easilly configure this app: ### Secure DNS profile creator -To use your AGH instance as a DNS server on your Apple device, you can use [Secure DNS profile creator](https://dns.notjakob.com/index.html). +To use your AGH instance as the DNS server on your Apple device, you can use [Secure DNS profile creator](https://dns.notjakob.com/index.html). To do so, you first need to activate the DNS over HTTP/TLS/QUIC functionnality using the YunoHost Webadmin. If you're reading this you should already be in the right page: just click the "AdGuard Home configuration" option at the top of this text, toggle on "Activate DNS over HTTP/TLS/QUIC?" then "Save". @@ -49,8 +49,8 @@ You can toggle the "Advanced" button to exclude the created profile to be used w Now, click the "Add to profile" button to generate the profile file, validate the "Configuration successfully added to profile." message showed on screen, then click the "Download Profile" button and accept the download. -And finaly, open the system settings, click the "Downloaded profile" and install it bu entering your device password and tapping the final "Install" button. +Finaly, open the system settings, click on the "Downloaded profile" message and install it by entering your device password and tapping the "Install" button a couple times. Your device should now use your AdGuard Home instance as its DNS server. Congrats! -Installed DNS profiles can be managed in the Settings under "General" then "VPN and Device Management". +Note: Installed DNS profiles can be managed in the Settings under "General" then "VPN and Device Management". From 02b0461bbc585965bf22f0d672783b2a3d694bb8 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Thu, 16 May 2024 09:24:20 +0200 Subject: [PATCH 260/288] reset port_https because it's not relevant --- conf/AdGuardHome.yaml | 2 +- manifest.toml | 1 - scripts/upgrade | 5 +++++ 3 files changed, 6 insertions(+), 2 deletions(-) 
diff --git a/conf/AdGuardHome.yaml b/conf/AdGuardHome.yaml
index c121c05e..54e8b306 100644
--- a/conf/AdGuardHome.yaml
+++ b/conf/AdGuardHome.yaml
@@ -75,7 +75,7 @@ tls:
 enabled: __DNS_OVER_HTTPS__
 server_name: "__DOMAIN__"
 force_https: false
- port_https: __PORT_INTERNAL_HTTPS__
+ port_https: 0
 port_dns_over_tls: __PORT_DNS_OVER_TLS__
 port_dns_over_quic: __PORT_DNS_OVER_QUIC__
 port_dnscrypt: 0
diff --git a/manifest.toml b/manifest.toml
index 061c021c..25e5ca89 100644
--- a/manifest.toml
+++ b/manifest.toml
@@ -81,7 +81,6 @@ dns_over_tls.fixed = true
 dns_over_quic.default = 784
 dns_over_quic.exposed = "UDP"
 dns_over_quic.fixed = true
-internal_https.default = 13120 # dummy port because the app settings requiring it
 # AGH also uses port 53 but we can't put it here as dnsmasq uses it by default
 # and the ynh core would assign us another port, however, on installation we
 # edit dnsmasq's configuration to allow AGH to use port 53 on non-localhost IPs
diff --git a/scripts/upgrade b/scripts/upgrade
index 7362a7a8..77a0627a 100644
--- a/scripts/upgrade
+++ b/scripts/upgrade
@@ -29,6 +29,11 @@ ynh_systemd_action --service_name="$app" --action="stop"
 #=================================================
 ynh_script_progression --message="Ensuring downward compatibility..." --weight=1
+# to remove some time in the future (DoH PR during testing phase residual)
+if ! grep -q "port_https: 0"; then
+ ynh_write_var_in_file --file="$install_dir/AdGuardHome.yaml" --key="port_https" --value="0"
+fi
+
 if [ -z "${expose_port_53:-}" ] || [ "${expose_port_53:-}" = false ]; then
 # if 'expose_port_53' doesn't exist or is false
 expose_port_53="false"
From b597b11d14b8a063ec2eb8d513d97485b7270884 Mon Sep 17 00:00:00 2001
From: OniriCorpe
Date: Thu, 16 May 2024 09:28:51 +0200
Subject: [PATCH 261/288] document ClientID in the 'Allowlist' section of the admin docs
---
 doc/ADMIN.md | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
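Review bot: In the scripts/upgrade hunk, the added `grep -q "port_https: 0"` has no file argument, so it reads standard input rather than the installed configuration. Depending on what stdin is when the upgrade runs, the test either waits for input or never matches, so the check does not do what its comment describes. Name the file that the next line writes to: `if ! grep -q "port_https: 0" "$install_dir/AdGuardHome.yaml"; then`. The pattern is also unanchored and would match a value that merely starts with 0; `grep -qE '^[[:space:]]*port_https: 0$'` pins the exact setting. In conf/AdGuardHome.yaml, a short comment next to `port_https: 0` saying why the HTTPS listener is turned off while `tls.enabled` is templated would help, since the hunk does not show what then serves DoH.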
diff --git a/doc/ADMIN.md b/doc/ADMIN.md index ec9ad933..5c6de922 100644 --- a/doc/ADMIN.md +++ b/doc/ADMIN.md @@ -73,8 +73,10 @@ If your port 53 is exposed on Internet, you can secure your AdGuard Home server We've had YunoHost users surprised to see their instance receiving tens of thousands of requests per day, this was due to the public exposure of port 53 on Internet and the lack of securisation of their instance. +In this allowlist, you can put [ClientID](https://github.com/AdguardTeam/AdGuardHome/wiki/Clients#clientid)s in place of IP addresses for the devices that uses DNS over HTTP. But since since YunoHost can't handle wildcard domain names, you can't use this ClientID functionnality with DNS over TLS and DNS over QUIC, sorry about that. + The allowlist setting is located in your AdGuard Home interface: -Settings → DNS settings → Access settings → Allowed clients +`Settings → DNS settings → Access settings → Allowed clients` ### Local network From 7d221f1a2c6bb5659977000eff661f6157537d62 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Thu, 16 May 2024 10:55:10 +0200 Subject: [PATCH 262/288] simplify the 'Secure DNS profile' tutorial --- doc/APPS.md | 35 +++++++++--------- doc/screenshots/apps/DNS-profile-creator.jpeg | Bin 435161 -> 0 bytes 2 files changed, 17 insertions(+), 18 deletions(-) delete mode 100644 doc/screenshots/apps/DNS-profile-creator.jpeg diff --git a/doc/APPS.md b/doc/APPS.md index 70b572c9..4131a9c9 100644 --- a/doc/APPS.md +++ b/doc/APPS.md 
@@ -24,32 +24,31 @@ You can easilly configure this app: [Your configuration should look like this.](https://raw.githubusercontent.com/YunoHost-Apps/adguardhome_ynh/master/doc/screenshots/apps/AGH-remote.PNG) -### Secure DNS profile creator +### Secure DNS profile -To use your AGH instance as the DNS server on your Apple device, you can use [Secure DNS profile creator](https://dns.notjakob.com/index.html). +To use your AGH instance as the DNS server on your Apple device, you can generate an Apple 'Secure DNS profile'. +Note: as a more tech-savy alternative to this tutorial, you can use [Secure DNS profile creator](https://dns.notjakob.com/index.html). To do so, you first need to activate the DNS over HTTP/TLS/QUIC functionnality using the YunoHost Webadmin. If you're reading this you should already be in the right page: just click the "AdGuard Home configuration" option at the top of this text, toggle on "Activate DNS over HTTP/TLS/QUIC?" then "Save". -Else, open The YunoHost Webadmin and follow this path: `Applications -> AdGuard Home -> AdGuard Home configuration` +Else, open The YunoHost Webadmin and follow this path: `Applications → AdGuard Home → AdGuard Home configuration` -Now, click the "Secure DNS profile creator" link above and fill the input fields. +Now that it's done, go to AdGuard Home [Setup Guide](https://__DOMAIN____PATH__#guide) page of your instance, click the "DNS Privacy" option and scroll to the bottom. -- Name of DNS provider: put an arbitrary name here, for example "AGH" -- Select either DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT) - - If you don't know which one to choose, you can read the "DNS-over-HTTPS or DNS-over-TLS?" 
section of [the tool's homepage(https://dns.notjakob.com/index.html) - - If you want to use the [ClientID](https://github.com/AdguardTeam/AdGuardHome/wiki/Clients#clientid) option, you can't choose DoT since YunoHost can't handle wildcard domain names, so mandatory DoH for you -- For the primary DNS settings, you have to put trustworthy servers IPs, for example [the FDN ones](https://www.fdn.fr/actions/dns/) -- And finally the setting for your AdGuard Home server URL: - - If you selected DoH: put your domain name between `https://` and `/dns-query`: `https://__DOMAIN__/dns-query` - - If you selected DoT: put your bare domain name: `__DOMAIN__` +- Hostname: keep it that way +- HTTPS port: same, keep it that way +- Protocol: now you have to made a choice: select either DNS-over-HTTPS or DNS-over-TLS + - If you want to use the [ClientID](https://github.com/AdguardTeam/AdGuardHome/wiki/Clients#clientid) option, you can't choose DNS-over-TLS since YunoHost can't handle wildcard domain names, so mandatory DNS-over-HTTPS for you + - If you don't know which one to choose, here's some help: + - as stated above, pick DNS-over-HTTPS if you want to use the ClientID feature to authenticate your requests + - pick DNS-over-HTTPS if you are likely to use networks that filter the DNS-over-TLS port, such as companies, schools, etc. + - else, pick DNS-over-TLS because it's a bit faster, as it uses one less [OSI network layer](https://en.wikipedia.org/wiki/OSI_model) +- ClientID: enter a ClientID, `iphone-123456` as an example + - Don't forget to add the exact same ClientID to your Allowlist in the `Settings → DNS settings → Access settings → Allowed clients` -You can toggle the "Advanced" button to exclude the created profile to be used when you're on your domestic WiFi network or some other settings. +You can now click on the "Download configuration file" button and accept the download. 
-[Your configuration should look like this.](https://raw.githubusercontent.com/YunoHost-Apps/adguardhome_ynh/master/doc/screenshots/apps/DNS-profile-creator.jpeg) - -Now, click the "Add to profile" button to generate the profile file, validate the "Configuration successfully added to profile." message showed on screen, then click the "Download Profile" button and accept the download. - -Finaly, open the system settings, click on the "Downloaded profile" message and install it by entering your device password and tapping the "Install" button a couple times. +Finaly, open the system settings, click on the "Downloaded profile" message and install it by entering your device password and tapping the "Install" button a couple times. Ignore the text indicating that the profile is unsigned. Your device should now use your AdGuard Home instance as its DNS server. Congrats! 
diff --git a/doc/screenshots/apps/DNS-profile-creator.jpeg b/doc/screenshots/apps/DNS-profile-creator.jpeg deleted file mode 100644 index 8c57da04d4d273995484748dfc6bf4a22bf3b958..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 435161 zcmeFa2V4~0vM<^s$qYeq7$pcwmMCddB#DTaK+>pyBmv0-3^Rxdf&@VU1to|GN*Kve zhKzuKTpC}UiSV12PpJd2_=0X!_+3XCocbdmr)4;=#!9jy(3g5SwR_viNKZQw6DdIm z`7aOPrPXfxMY6I92nq>{$Q+ZEJAOi4LsLupl#by!BV!X&v-4N3Ub}8>bHmoj+2xL_ zo4bd9KwwZXA|&*|!$(okk7Ht!pFK}WO?&Y&{Y~!Mym$Ep??054S5#J2*VNXvw6?W( zbbjvY9vm7T866v+n4Di&T>AEX`NzsCVe8lS&h8#@|KJb0Kz{y>Eb#Z=DEkMxctE=7 z85tQEng5`Rjz0Jg!g&~(j;bEwJ!8du%a>2`ryU{5iE8xu3r9~(0Z^Pd~bzin)P zZtQ<-od2=Wz((l6Ho%(?fj^wA%&h-$?mvA%n*qhrgf4C(jyx1?S0}QG)W0%8EQqiEETQuOwS) zKJ-?-_@zjTyXfPtAG<@`YYF$-wrv4waN#cdB4#}WuiOm9TcTN!Nc{I`eQbQ-)gjK2 zU+@_-(Tta|W{)MVuzd?Z>{N-miL@blEYHW7o3z2>4fyczw(u(?(N^1cIbu2~ zdy`U?TZ(<=TCY`9^Dh>+qgp*O4}siMA?v)Zcn!DCYD@b_PB!xlE1WrQ@W$LPbz|qO z8w1`TmO_D#8}9N`J~Ti-c)&{co_MQoaTp3i#E3bQUYD(e4wU1#5Cn0%&|FHGX#3mX*JQm#wOTd-M zMmI|S(7LjMIyE}a`-$>xD1(K^S<*zMpt*(X&}rG4l4wJsG7VsiC+aJp=!vfv)d|5d zxsvP~r~3;&)%6ZUzSc*5i4`4qfeFfnG)>Cy;TEmQyi%>1%42$33t1EBHf}ov%wE!* z22@X1PHP4gF(|ed)heI-xag$mPd3a}Xk9G>bJK*?KM5^-i?5t?Ku}yAT zF2_pYE}}`l?8~QK0L5qpFU3`($$T_mKC2ZPB><~{t>X&J!{=7MKt0PzXFkPhE5Syl zoA0&N#=SbkWfN(lAH4*R*3&OWR67olRp)!mly@vHFX-BtyG1Rhy4##6fL`hP!7LjK zw7cBw>We0}flk-=aT8 zuL~+~7;C^D8yJi@<8iH6NcZi!`m?3|A?oL)lcbVQJ0-|HeW37`TkU?|`3RJ^75vkl z4vfs>Z#bOMly=$Pp@&bSVY1DCjkiU{u%bFMv0v|JJcnz+LZdsS1~!)^BG?RPm_(w8 ztR-48R8d@m0mA+Is`=qM?Wlm7IIr}H@rTnW=iAw-(_rgP2=i9kta!a^xd>gOYvG0t z!-@etMoy2^X3u}@UF`U)M)@W!q11!)>!Gh zDDRp+m@V47{}8Il;0UqwEu1>isQBq?!{tV3q`au7Kl)o$ zdbO63bbE0_*E6;AT&6zHot=aMvIC_O=F$HMS}~h3f4qSX{}V><5vpF@X|**e%=9Ig zo#k;zk`b%dBhe^FwRR*c+>AOBslrSBAGp~T-LX?NyjoFJbGn_~NZ~^f!*NDuzR#yHKROqq z*W*Ew%P6mw1|^BD?;L(8mc&dpiCfy%{4%O)Rz8Svo~r%={}i{JutO#wp)?@5c#Z~; zxZG*Lfxi51Ih7r}AN-gFy_WEa2ISnh#5n2N3?WKYw`Dy4N|su*9`GsQ8lUwtxm?L+ zX*uh0df(I6h~>!KgJwqSjZQLO)~*5NCG`}Nl_1#W6MrB*Hl|}-tZ-;WL$v2y?1a?y 
zZ;IcHw54AqrSE4^*<$d5W<*(%nLUnpXGCEeCOn0{dxpb_ReZp&`h4NIU@OIbY&Hvj z@ubN*69Jj<#^DMLFk=Fcpy^?fqQsFENm_^}tyFcQiKhYzASl)(9PyT}7ubu{TI@@C z{qj!S&kN7K{`!phBKKVVaemHC$Rd2eXT5kqUvzhe^0?s)=@fBv-kA{nVBs2V0W0v= z*z&z5A5qi*j!zvI<;WC|8Vfb=50o=7$}97i9^{!YIWwHegc_g$%^<-`y{JRs0XT|= zA_7h3v9|rHfYL(rm=23b4_AuQF-2`LV4takT%%h)8lt^%T4JUM)s4ejV8^#w#!M-> z8WUu@g?*koVg54BX^d#j*M$nc9bq9~Y!1@9hbrMjDXq4`$|0qIT0J!dth8TW^+Bk& z9wc+p#A@d*#FofMWfR837X>515wIzOsP9NO&hgD%3w<(c<0&ba+-DaINbYyDNhzsZ zdTOj=-E@`i;3Ww`?SL{FFd(3@5M&0hoHv#{Q5WOF->B&8PDxI;Qt&63QMqzWA*i!WR&Z44g8@8gqO{j>h z?;oZ{3~PN7d~%u{KpEb<$r-GcG~Dqan~;hz9E3SRh{yIeZq3J=TT;?1G3z*Po7UPp z<#nIb&bHkW@znkGQc|(?WC3i0;WV_5lm7>rpDKcQHn-Vk5jLOy#EEA$ooT(wpTDn5 zQ%vEpsj!KVi+(d^lm z3DWLbjJQY#kS*R|kz_4URjg7T8yueM%%Kioh1P%S*~Q;tR$ckA@*%0cD!!Pzsra0N5zO-f97`}}k z^bd682kz>@oIo9tN);s5znkuKeY587vY^Z8#NTbmxS(4z5G{E+rz-PhrxiRm3vZP* z9zBm+Uzzt|AYUTNjRhO<5!lUK!erW;>#o(Ls`|Q0o`U)z&NbqWP_iB}wpg3#iA%gc z`JFLDs(g_#JJap3^?tpIA#NL5NWmO8cC-M??7aj&DyC1-#;a92!tU0}@p)+xy>Al391$D)aJt^8O&A@VRqZi5 z+9bVeHTH299JeQlXN_F5+CT@J>p)hSn{n_;oBiIlKybAbO9{>_Pr+m zPFsM?_vVw@BBUjYAIVEhEJ2uq+z9CSoOAlG>4hm`c4y+h{$FrAP|XbafU${koigvoruoAl~O z6}@M21~E>x=9QVa+aGVKqorRZpOjc7Mer49bW6p;dY4oc|H_X+jXdGvwgE*47VLOPF8 z>BwP2sN;x`&l$!eOCbx4k1|J=QQBCM(LD!pN!{1`7VR~&sVGm(`v_wJ2<@2#Q5Z#^J0%Ue{QJY zX^uYYoLCSBig4%kbXV-$LOo*w3KER1sCg@rD=G&h+mclgiYIN)LA&2g%4zsO;2j896;4v`# zB~eia*ls&9$H!GD0k)AEo|~=6%eS9SGNiIH;5`?D$;#J=SgmM`A{pwH2e%cso!5II zlO8bngo`X3vU-X8(`QTqb}k3I6@oqtTLvw__+LA-0x4>31IcdOiwKW>BGam@b zK$J~_vmC&zn@i(g5`y}yAtbi4BP&@RiH4SJ)sq_PGxT7xiJGxqR;so z-vo9;9TuXKTPArbj~j#MV#SsV{DO4GPH5WuNbr@R#f>gLn(*NrHH_ys8H2m@|8JHT^6Y2HQc?u z1Nsn4uCHb%Ej&6*OOr{@1HA#*D>iBzY%VP=4K9Md-5(2MXgF`2>*AuBlW$|F&GB(+ zbrf~`&2ogm@|UErLQNA7YLHS9M#1~r(B{o#_5x`)m#C}9B~9}^rH%tp%#kdgH7MfL z&P;JEB@R88B>^K=5-eoCR$B5Y{>*oA@fD8U;HX-2eb+KjC1j?KYhZ{hnENPn7eL8T zI~Jjp`7LxSi(VkH=2Dmj>|ABmmcIcn4JZ{Eq5&6m;*p{xQ8DT$ngxQ14}eh=VjH)> z4j)B#eIc4t+dM5P+Nab$_Pe=KJ;95+Nc`xG|?r$jd^loyZEx%W4-lM 
zyYQD#ya47rNV*@o>pl`r14`=hsmW~QG)g%*FwTlKEV%zgr!@F)BfE^1Sz9-anlph+i)`MXBM6rJ8eH_f~1T`s4dPn3S)J$g#F_#HTV zWd3@I2}(SHCcnfq^_OJOfOmPA7ASzA0iX$DCp+XLmYeFHPhPCfJAbUQE@D0<`Zk0k zKj$)wR56NzZg$ufO=L&)z*)$uL2C*JMwH5jC0T))QA(8(3Vt zYGf8DE^y6Ki-9S9@Lo^Nj;_nKZTe4jt-H^_3$0N@f~;?dQ>`N258ivocHgM%6<6Qi z!wLzGMxBAmZmNIKU)!H1jJ3ia!#DzC)S-`2;=>KPXiM*OoAnd)Dk9C&&C!|e%pclR>g!zJdG42F(_`(>pj*2Y5Sm7LqLp=U@&q{< zGm0Zh!O5>B@@T;A-eqcBY=prDO2a0`2kp5T8@UxC%Z*6b5^CsBEK|RGqQtD_{#ULO z%j>L*@pet<%KX+DL-W`3b`(?hYEx{Gjnc@|T&~5S(S!RIl*RykPg6<>N_N_#E_~#< zHT7siO=Z|)N12*OxNpglbIgVlX-5vmYS7IpFjuGu@-ihy9TLNQu_n63fb;d{&&uPH zlCyTt&z9PCEJr;p_tEvQP}csO4LJjn+e5rPW<+^c5$-oD9lt{ZIH&BtbOTCwbHy6P z)u0Y${lfK4dPHZt1h`%udCGF3|B#2Zh;gaQyRxa-$=U=2lHzdGFX7Z>ryyamI08Ha zhrik%F9Pj=Ohz5xTCLfG-w_SE^$+PjY&JXgXwqyqsa5Xf_#rWFH8{!^-F-L^LSoLR zW*yCjEPvSA{bf~`x=RgF@;-KZ%UoVC_|7Sr7fZ>O#V8!QnOBeBrGR{z7{Az4AQcu5 zwHVqa-LRow*bT=E)3(oL54?5c+365HXj%vR>Es@Mh#A+{@yC^QnIJc}*=$h3y zog+A?8RrO8%p7D2(gb-o-Jp4}GxZ~w0IApiw0`$PobG*<_|69@>tkgSjd5 zyNP^@8*mRz&GRpCOM55z(a~o5R1$~J-i=%i-qWm;a}ON%z*ftMkOgcEwqo@DBJu7W zOLn4wS)e@S%o~`imN}oyr!up>3tzSr9)%n|{46dm!VB~$;0^pv^OlqIJDx&P5s3WO zx*&{lYL4L-j7COnCqZlCzAV<3RK4p_`(zg!%8~BG#JM}!Yk>=!3{&Dtogs%Tb(+|V zMJ{C3CB!P4tzOsK!Sv#YC#>7O_!hD@d`qBQGwf4Pwi~v@dl&OnD|YXg)LuQcB-2)Q zER^?cg33kEmF7)b#E?(GCQ+R&wt1Z?Ib@@UZd!B+JU)9qLra}OYIm4+Uwvinf|V;b zhZ`8W(qksVVfXH}_d(yEPWi5U#Z-m;N;- z%e5{sW>l7EEV*R`hv^RL!S1l20nZ`{)s&br&|wTuL4{F=uDf2M6j5cy>7My7zIIdy z-E4e{wxzIutUX2px|$JF)V2xqc4IeI59XnpScV!w^Zl%qu#De{(O%n{{p`lDn@DBr zDeA(z?z$3v@a)ar3hH4Kw<~HAc*^@K29G*?7+>U6H50A9)gMX?kUua1TTVnMU!xRY zot2}r#Hm89N)2`A?yZjb+UBHMxdtEVdB;|Jd-RtaFTh1#x&iOQMm5MUz=hX>W<~I+ zX(2@()yXWy>qR*s%Sru0S5Mne?JqHJ?zJiJpB;^+0gkD#gHVtCTq;ZFT)0{rv_kf= zo?XGYGV}Rjdb7JdK#-;XiPJW&Ia?Et!V^iSiOlV2c5oV#B!FThw8snu_MVusFz+!A zNXiKbyd`(}^9}#Xj(Zm&;+}JfL}`=uV!?UbhCD1vW9?zpgN{kNmFrvQ&t})(;B`xr zrmV2tg@a+9LaZBxD651abS^5#8pt4`7ptQb^GAH_+g<%~X8TyErgPudoqDVy0jTCh zdD*#OGT$Be1E@fQGQps85&Osm4e?N!)l+#C^DZ9JFR@wqidjr7QonE!Mm!E#A0aT$ zjddpS5SP~luMoA`)8gOX@OWzcee`$$mTKX9{t 
zSlQb~T647EmxYwXeIB|yvR~N%iY?d~ZOTy?&}~p;Xrqb`E9^iv6zL>iuYXUtSL}6^ zy{5yoiz{?&GF3vIU>$*;dny8Z+#vdX`p3bmP@6|e8)BU&rK|nqH+;L3xlW$KG{IxA zYz9(fso`~XpO`xRzUcQJnyRZR6SLe(0+YAT3iHY2I#rP4qr{sqGcay+x9~RR01r+) z%_SmWnT3V*g=;ZNn|DH%Uq0!Qj&qm+b)%Vdvd1UTqbssUB8U^g^8$Fzu|z#1t*G>A zTg|5juX}7Vd?O`Qg!Mi>fChWZcdh*tx2Cf0fHNW!BEReg1fgz8Jhw17X5*FC=S}^x zL`TBNik6v(Vnv9d5o~gA{!8pI+R)!G4Ul?vwJ9}~kO{#vgm=*{^K!`ZdQQ6zTjt2o zsHydVFRz$l9Y_u9J3^hGkgDhaA54kz`E@PchI;>3KDWpFt32`!)BS+6p=5|@b9-(2 z>~-h2_B2y>+Yk3)Uhu+hPhW7mdWL?(0M?az|+ z)Q%Z1`8EqPe~qQ2(17S3By4Q^NeDRvZ!B(UUuD$Fc~)34{q!kkHCw$T`cUOQlf8Hp zi`8jpDG$2YsqrKvX0-A6vzCJZNAA+9Ocp(P*L$Oc`tJJ6H-5%l+)_uk&`YArI8k1x zuTVi(;wIri8&04kV0d7OAdZ_%?>eSdBzwDL;OJGwz0eK*#pjope{gng%)hrseda-R zW#OZnss@@qqP-}!aSs(T@1XjZ7N<7HmUlq$`oWb*LU`y{u7{yXGRhC;k|z&XZ|Y27 zZ%OVyQ-pVGisaJt z3YXrxatlT31niPhom?!I?MEE012IQU>|!A+J#`Ly=Us78@0ymdPq zGC?*SRFtxj%>3@}{yyY{3a=TtHur_xoZyp?pBf1}~QMj6w5x~D=yHO@DFUXD7g86&~$FluXacD08UgQ%aFd||E1Q_s)O|@hm zAJn_>^hxR<=4JzT>bSIuc6j|q-&aoB8l(ssfVZRg*@tAY6v4%{JTLn0Pg>9I9Ht|o zi$L$h3ngXdy*8f}rNi{7nb|olI8D$4do9imoCbumk#R&4={EH%tm0J^B!()R8ZP7V z>()R~ikJHMi}1mti4wOQdyfZ0XE872vgsQsluVd+ugM&w2`xb8s=_}M`QmuOGu6vz zGks=*I>i0t@k1q1A9#ZroDN*T42xc0BjDO$<-?bifSoTzatXZG_$ z6aSFVD3+abOHCLY18w}GOxDqm`Y&iww2WjVw=`zXg8{tH89yGcVA9&MYzVMSO$xC3gdvQSU%@(@iU> zTAO!w3zDpsF3o1^LPGHeK(c#Y&C8#%LCH6S>g&bI)x?s`mXbrqaHXhOkvMqi>&|sh z$*>>~O(Fy!8@Ot%7pkFYFG;Xx3Gd4(u1JzKsJejbW6^phB}7B`5ZP)zW2Iuo?tD$c z&%U2CvF02D+}*1tXIY9sX78>w!|^tvUY;$fR3XY+1Ag~L?bI3i%ANYQm{Vfj$$bl~ zxm>NOa;tB*FKL(fEJDcqi){y(2TFQOBweCN|9o*?n+3av{7K7T4sVr?QSDn%qQRYX zpPwcaR(>>Dv^Y#BJ!I~yHhpnJx=b}V=+vD%r=*{CNsqkNvT7XI5p{r@zuv$oxF&p` zMf8ouy1mfR$^248$2@%PgdD?;Iq34aECdvf3d6R*UawI9#0E|L*ys z_=PE<$XI%7^oEt${uCRVAD8D=S*#qxI&8dix9SrmksMx(SnX`}MZDaJ7q58cr8srt zajPW<^`=XLeb)4%khp*P{@Ox*!dqe%LAf2q^RC=MpKMv=xZ3N6`CfEr>(28Iu}2Dm zL2CE2&d<4JLk3~vI4YYVfp6D(z^+NBDhV2gJUm$Ob>)}6sAq=Y({I#XgRa9;Sub;) zk5r$ynku^ne+a)on~m zD7d&;zc5BVoZpESf!(=513+^sMhsW3G#`yJ@8|0ZBdsjOZf=~Wq};q}6=%$E&vZ$3 
z1)gy|I4v}MT5DHL|5I;$QK`8oe?Y*g>(@b>a%98<>|)uuezE}HLiEE1E#`*?>coqk z3mUH*JXt=4C4R(p2?E*!R7p#Xm0&2|#)lqp=hQpm4ZP@uK@HZg-&gH^ z+;&(d5vFb!4|42KR-eHi1zcioqz>RJd=jxBwBoS^0lFX-qym59wm$#h;-j4ESeBR* z*}C<~T4JfUEy7vRpdHo1m2P0xpCh64c6O&fa{6q1arP=#2hHfS`+KE(YrhWuhO?v? zk74KD=~UH{kzR-NA*7og7yI~y?RvNLB2ETTz$imJ%6{N)3j7Zx{{Quk zrVanSxAs561^z3ZqmBFne=vECbf|7LKibXxdksFNLQ_YvaJ_a^i%K6eG?;8DY~`3krO=- zJ_N%b!qI@#!~cg5==ODgU-z3YpuGH+gWuyL^|u`S){}o4ir@O+x4rzsVfZZv|38+4 zVtaJ678z2|xrESKyc7R^mHFoxjUwOU+xu_oUSbKY@WaSp%F9MMYQOEP>y29FW&xx! zqs&6*4m7uT#RmNb!C5=YUgY$~JK6NH;409+^4?faylK4~L3CQcL^x{8 zUh2!-3)N`rL{<&8sS0z1w4Ac{e_dpqhm3*Sp*ql8*GjPKJRq@p3&fY63*r|W;4C!%R%f9cl&DhT!Hx`t1qMBT-1dyKuZ z{u@xFa9)|jF@gRuk_{PGo*bi^i!W0`rqIVQFAG<){_g(;z?)dPf9V}ljCF$TpBRJh zveeLkfh6lLjh*UsZ~;Tcc8%IB2nC@609l2=OpdNpJ|Jh&0Amg3>)6MzCH?p4u_Z7! zL$y%y&!7wJuPKG{zq{stU9A3zUGtZ0#(#R(l=L)XA$mRpw$(6YMz^%|;oSo1bY1N) zQR+?+cH(pz9b@av>p4tWP0)$NHnf<=3%dFdElcmjRo|8ynj$PJ6js$%$2->?!Av44R3EsE{)y}(wHCIB zpM6qhx9iC91?R`_-CkFneK0nP6@%SooEV%9cvm@AF!Fe;*S>; z9S;uD4|ii&=)yYTCc(x0O6Z~48tQ_VJ8bjS_lDqhG$#^0=Z?e(6493i?WmbIo#FjL z6we=FK2uq{@zu3j%<$Mt7m>A!PdoHKs`wJehOwM5pACi%6(|ci^lPy}Z@@cPbvt+J zl&{d2k2Si+VI{t!5ir@s_-{$K;{<|_Ugdh536yMhK-p1}2>Q`MQb(pl<3RD|6UB-& zU!l><*}R7{YZ##&wM1J%f}W30;&DuKqPXTuMCUxb2#UW9-e|S6NH!j4=Fk-r>BQv0JVC>H3L=IcKZD-BY~33G zSQ#Du-*UGe#g%4}Q#>&wM*Ba47)$8~Q@d(^WUmF%fSXSeDZ=~!N(k|QYB-rjL0N+K zPNYm8-Ui*07{;z`p(#QmNq@rG{|-+6&mN-;d3c{FAEe8|C)t)dKf#(2rG=`~4Oz1) zj8q0$JZ1g!$usivn<52{8UQPmbg~7e&PO*awkG_KJKH2wAlMUlvspcA!N+^thW;$bXud72|jHFbB!+MK9ce;+U^y>l)gf+ zw!k;ElZ9jdqU`$00ya`-h}HFDg4<2&Q<9?h>yGWR9swmZ*>*QEWPZbgbQXIyO+b*> z?sJifp>ew<^bu+T$v_MvX(L4lFGt7_f`IPYr}N6CqNlv2j;jWVYKz-QWZ4ouclU{) z+_6}8ylgOZ73hH+KCArv{?`8Dx96eGAN%y>7}l^8D#~C?&{?rs{&T^uFiKgWZ%|hv@5NG9ANCH~iPeiLiRyNgA^LdF&Dy;_Kjg0W zv*C)g$x13cRxB`FY0q%Pdpq1%GwOS{YvfhmDC@YVXP8$`i`ZH}AX}H%g_j!-Y+|yf zt$VAhL-_8kp3IILO(Oab7&)>ySFuE9Wg5T-H$`$%%Jgo5$=lJ*p~qsJ3hXjoDj}z$ z1H%W!k{$^)VTM3ByUA`mL2v^^Cnk{KLy7^TgU$(Z?d9dnyhm?eoIee{Uw6LDQ^2Ds 
zQt39MM0PYkg&s8sqf<{zpz`B8G71r~Fo@D~N9W|z(Y+@-MV@MvZBHGH&4E1oJd4}q zg&pW%ZP0VMds>>a01@T&4e`X@!8w<||L3jkY%Um8d}a_XS4wYkWXSM?2#n zV4le%Se!ams1;+O^in^j@{G_?mtB(I zP9wuUB`kzE!-*!!7sY!xC~w9})#>JOl^|g2RdfPu{RsBpxcv9JgDbmO5ajff&`Eg+ z=AIkLAjkeoB!B!rl7tfOMG^-6+3R)Sbi}9=#A7y^{i6$TiFrQy?|rXIGPuTmbia~ z-lVdS)+Lt zhx521`r7!r=ljGP$AXgj7uwQ+;RLszdY7ts#NMVy1R8u8TtcNBRD-Z>$@Jq$Iy}*M zb;;hr)twny8$F0UdjG^3W=21jV)+eEn-LzV;mx1kg9cWvFPGS}PPZ-MvpKp+i&WMg zX`IALT2yT@skdNZW(4rX9adt6}x7_>PP~jkkH{Umi)y^~z_Ad(SM!CCBi? zXL2V61eSr3&6C_sxDu9A(ADHdulGN_OMG0z3cKEBx^p?2+0>WrD3~3~{@-^d+*n14 z0~3-99nj;FV9vX-5nOug?_Gcb27K$^*>_v&5gPDx7lc{EL14*`j-tPXOaB^n{AZ8R zf5|EBKPt=rg{kacBA&my=AW=a@=xrVzb@?65pNaPf`G9GwfBxypA{?Z%$$9UZd`q4 zuXv*LI!8XESfnn`X=oj~awfhF%8#uO_V+^PPjxZoKEGFgzxju6=Xd#Ub=zQ|x+1>? z6Q9KufO!aoYCzYOd49N6O&Vj5w_R?_^-w62;E$lYxS0~c_|(|)BMoR(T^S3>Feb*# z_e?qM$=E%{n~)D(hZY0K9Ha1CG=QU0nF2A8paD$}X}|)AX^OHz&~sZW^2uTBwjMEz2GH}-fG4?BVGsC$1X7;{+-C*TWI#mvw)H3!-vh3Ief>4RNoKL6 zDkTzK-lKnn;Pw%wb^wrB zzaQy0mwwCA?-BP~Fa1`PzYWT7v-@AlIf2_#J3rq=dKD8h*Y-k#QgSbjU6J6Yb3s{> zN=wNnFl04@#GB`+M~R8^J?uuOLPQphHmyZ&74*qBVcj+-{lUt3*r+iaJl7LR4%C5R*z&3miHKV?*-gly0kA7*Tn7yh$@_isHxqtK z!tdemTPOThjK8hJ|AmRXk-WQgZAxLQ?m#UWcI8^Zf6vkVJIKhtVrIqvjOKr=Lj6Cx z{$K6U`ua1KIH~Ja=8k6~h zVdG!bIpJ*wpQ;|^*mi}42Q6sl#JRl4T4MH}#9l!$Qd?5B)NHd3PxLH!`Pr)sZR~}o z@`kC}3wHXM!iznrt+4Wqwp1Nd{q8NWZpFoBFY^Si4c4`d2A3G>Px%8~q8EOs6|7-X zp}pOEOvW?SYB%EzEJST@xxjv#KU5}&xk-YZ5?x6#=whm@ikYw3jWgtMLLBTL2SZRz z?;AD1a~o&7+DA%a7EHTewJO~FjLP(Lf*JRsa;;2s8TOrs8zi;~+nxaG;qr{u(CH(k zLnT__>9=){-hD1x%82=h>2U}?JJO)>VcIQyrhL*7tdL{#R_KJuFXqxs`1EEQHp&r7 zOvy2SxBB$M%!y~70okmQsB!(VVe4P_Nq*G+Aw$;!#C=6%aaikx>+5gkrfnbW)vQ(c zLGn0{l|+!Ayoo&l$YBOx#AAZ3P=IVpd3PJ1)fUe?1s~*!DXel{ zCwYB{CIK0N_=~0fkLQ!^p3I!E=xyTp)YIkGoB4ootQ}jGMdk}@hnJ($al8f+tGtNn zc~XkIQfxu}M_%Z&e%2I3|CtkWp^vg5UrxwjR;T9r*Xv1QkVrUtAWVYDd@lS-he&w* z2ZxJghib9uGkMK77dhsI67vA`adqnv8c-Fzz7bARM^=llT!Pt&aMX_b3U3VTTA(rvyYfUp5MM)joFosaBvr#aMvZsmpb_ax-qQ#CQ&A<$-#^)K8Jmz 
ziuhJBJ!Mv4^v-UTyFO=fxqtZEA;V7G>8rcig(z_%SagFig}8bAtDYU6ifalM?Cdea z+(nlS2yOdRtZY@N(v2xKgLt_8UvCHePpaajM%Ur!?GBl!vWWWK2m7@yvid2!fff>B)PeD%mN zYqbuqU*B#qX0GtjAb!1qo3JqBF{VLci2qr8l0I2ELVpC8=7|1m;iO5lmH^%1^10GPNHRa%ak0u;Hf*9Uu^K-oaQ+GE3n{^)bVU5C}FxH@?*%>UAFV zD->@^fnTW@EH)5HG}uLKEX?HD-*3FmQfuJDa4Z6r6)Jy_M|rEq4}S47CACOTzkqB- zbaE1Nl=Vz0CGo%7W6Us$c{?j$nHG~K(J6!;gBG&KJ>tJhFaUehu>&Er^~=fpU`33y`Qr zIpXyzm+{~8{PW;?Isq7#%u(a`?vwpBCEv7JCic%WbIW(2bGXc=3{YB#JJl)B3hVv-RFrnb_wL9*OElx)8{^C|xq zA@NF<2S65hgMA}M6#?}X+7r#SYBC?2|48qKr<1QQf6CiI_uwLYhdrH_f1~hor|+uA z7m0=YGk>BY01o_#=~2N^!hZQwj|e(s;JN=#WBF|il{JfWYy~WF-*{}A_^UGs-Oe-T zB>rvnvnv10*lg?}pPxV;j*`+T`~fT!4VzN7qGao#{qf7q{)+jn7Zl!yb1{Y06urp?E7m=>HU^7xfPca9jp(Nx|pE(b%-e^Op^mb`4u<%*Vi6X|Ws*A)RIm(`0`S!cCd~&(o$HD3Jbs;VcLgN1o$PN} zOTU7E(b;Mve$smqjM@)pLYjf{_L(5q{yMltCw%kC#@))5qa#b!r1Kh;!!bOJD)6M! z46y)N@mz?QiAd@lZMIzLtXo&6Z_G?CZd@|s`k8r~zfb=plih&ECwOaUd)i}l(b~Hj ziaG(cm9_U{%{T_0{#mO5^CP1vy*dgu_a0YvF=rmiFO!$n-cMihL&@pdS??g!>P>A) z_NIDiae*_LL2(gi?TYJ}mAR`15+j=dinp078;6#YCl`bd7j}X#HA%U@#BFrv5*=6) z^Z)Ig`L9Xf^45l>I+>MD`O0<~kKfRM#&NdpVk{?)Q>{(JJ3G|Q!BCm9HTN}wS_)Pc z#IUUFPF8NLTTwU9eT?cGcX~Ljnb>(d37&gx{})Ms7}e)scw^}HbN*qkn+*>##jofk z64}3F&wN;}0a13B=-?Ufs<8*_KQ(m2u!?MJw#d<;xbW{*6?|*Wm_b|eCZ)2$$n#L{ zyBh++Lq+*@8Ci7@DOiNYy=ll&u0yGaV|9W1gS@=quMpCmZ|FRi>tiv>S1uC--WPOs zJ2*~Xz?w2hQsO=t z9<|1UxKK11KI)V_UGDukZYyhs(J2qDJ3>+gMe)Yh9Z_sTqrzB@HAx~X`|-P5ds@?G z51Db_)amvg5tiqN$kN2#MdhfU&C$_2PYR`PeSPa4C3b5oRm!s{MXr^OPvnGc72`0YnC?l{6$qa}d^vsGGJ8(CS@T}%8?C>kOebk&@ zXDOCqN2!N>6Na;5*GeAIfVX8|5AAK7ncsl!9#EnKpp&A_sVlN^4Wb@Hv(19NO5?^; zB&URnEqcTKLenO;-R^~%tlB2DGhtY-K%rAx%a31|Da#6f^9y?F#_*0)EN z6f-@|Qp`jbUo#l5hM&REWlnw{A=ejV3R2f&uTqV%0ga$j>!o+a(~~o+9THuY{xB9u z|7BXQBDmAu(A|W_4Z$xFA-gX?4u(^wZ7V>#=`vUEpw<@JtU75}IBw(_s5egfh_kK6 z_0Jd{Q9wWZ%KS@Eqqn`Kqr7{Id@pyDrcHNZN}~Yp>sKQDmDrMy)5hVy(g8BMP$0EhYwXg*jkY0sd(%=Q5&FKLOH9`o zlFhW~vDpmxYAVZOf}XV?l@qKuxFG*ac9#?1n6`kOg3p&Ew474NAu!Wf{t;p`5 zVeFrky`0_NRVT^Be@$@-I1!cykCPhw$sZimk1xt4}rC 
ztawv)K1x^?Q6B6QH4kvm041P33`*u_QzJ0!iV{x|EH6(^RwTOxC-)qozb;ae+J7>E zZvX9g8{{X+x)+N#@rfr8;R~a+c$mWrvC(I5yaV(1;B6j2Zn1?faoL`00JbRi;26%mmh5)`FF1O#3|2uM>9BE1tj3L?Gt zfb^13Vj#tN-o5wC`S#4L+22`f&OWo&{2_}Fl05Bx?sDDN^)U!8=1Ngu9UK=Wx~W>+*v(F&tF^WCveBdM4Tnj0nVUDxwu;E07Na5n)o(MED-h@a z;m8KfikhQuQa3&-sa!RkUE39$K9as6?chY15!kPzIjne37jvu~oWYJ}>U+2oVM5kf zn(0@pUUABSViI0$3c986&G^c_QY+#(|z5ykQ5leWq837li zo6ot2AxqodXReOD*$&J%{xFtUr2I*bU2@st$r1K*8jJia=Civ1l+Jg7GBPMbwacXP zuFh6O?w%S|sd@Xccj~q}_a0y8lP+dU1m_F!Z6p>~+TH-?VRqq!cJXiOPuM>@bKl6` zujJvBW#^B(Eb&oWhq~EB8FxT8gE+Gld92nW!*|n=@wwEowg;bH|Hj8MXYoxiOQlWR zg(!zw4D-n191z|?^481yUT6Ub4wP{=^{cNuClNO}#hjt*S0RyY6sY6tb^C z@ngJX@}T?~Auqalmza`8rPSyzGM%unryCoC4^Ce^8qNE|PU~((QkRxK6`V27{1v%+n*75dhFMF#iYoyxl_l`w+8o3 z{y>h@0D}SmZugN?6>zPE0p{H)Le}Pp(AB|O0DNN`AfsQVk9`mPw8DX`C@X*CV|b?c zk^Cp|IK&P5eMXTAVs!fwwUz=a(cfB;gwhU{oaxlM4=qj5b((6Bgt{=w!2a^4R+y1s zbiT}%`U^d%qEAaDt`+6=&o{AMuM=%L4t@JJ|L8Uc5lcUZU-tu@Q<-2Ts4Q|+bAy>b zkP!@}tQdryem*38OOYOXrt_I%)z>dgcumi=%%!uQtm|exS(_*S+O*=qQpZMW82j z3t>j8fNa}P{V@h0;Gf?>pT&$!<^dow1z(GqiTDHALTZDLdbr3OwxViL#zDVD6&3u4 zy>~w7RvHV^wJt1az-(z#eV9!{aG=E%|L=c4#rivx$>|An3vrFu{q;id&IP&zoIEoa zP@coLPSb?}rTN$-x%}H6e=-)exrP z``jpfih~#D3F)Uqg8~Q|gK3m;(>8^#CuB@4oj%>~R+?&4R(@&9qQuqQqUE(mu=j&D zOr*qWHkimnYDIH3lFrYg`st(L-R2^ySDAi;l%XBxvn%%a4M|lUD*mfG{3&!KfTB)1 znK_FagAbH05IiF0lrkV%@(FK0h6Gfclbl2PH$2!=l+U$ol0G{nLz) z*56nueR z)CIC^^)gP7DKy#cepb-5B$4X|G+(wMRGN9Fj#2fZ!BsCLY>7jP;82>@ys#gB z{QxMd%y6uk(16GsRp>Fz5IuHBEM$Oalp=A&F;0EX^4e0S@>Mg-4ROy>?sQ4LRiqTN zhi4hX3!ll_FT}a@swPZFudTmtWY=Ir2+}E9fCl+;??6t(H1 zRv;6VR1D`ov(|I7tY4Ba4@JWP!48L-w>xc=o-VjZm>Ip3(0+yp`V5)k}ocOYj_ZBjU!#d z?rE%BGh6cs3=s+c&Go;n>;*=SE|l4mc9H5fv!`+*b4l|GBL zlhv_32~W61u1k*$FAURlXq37?khC;0VE-TC=&{H=T_I37#{BIZ#?K+c0bgoYrmOkb zts1tR4rw+m#X?D$Cc)>&21OR*FTpxh18cy(*`oHVHNwYmO`2KTrB;Zrv+OTF7d|Tx z*gMR3Zg~sws~n*ZR3-JzOFL<)3U^8e&x~YIJlj3^j%5%ZbYKnuwn7jF4U^)=0r#~& zJYpx`EBF?9D3!ffyC{q~bU0*@$+ihgp4v>N*WjmcR7KNw&z+_Zdd;;AU#u=Y3Y{7k 
zwNz(3Ql%>X6ItB<{aQ`1f28&}wfqgFix^dmHy9_&Yw?*ASu?A;LZhx;Ebhqx@akNV z?+117F6jeN93HZFhh{4`gc%t&RV{DC}G)HFQdreJErVe#x>TdH^S+IB_Y>sbrQNnum^C5--nd6PfK zdaAo@o`mO>^8~*qIc8?RS&Fbf<6Ge6UbSY$5}a4hRggLZ<@4}WoFAAksw`l3)b=(} zrB^Ci(LUCx4tOOBY$qL57P8HUKE%)q&zJlJ{+QuKJTTMEg{NP%>jif1~t|7zI4wshH4w(H6I3ciAqW^0GB0PKJLzG7s zI;es!7(j_V{szc|guGlsg=3im>CiZ|D6;`shG|*9!^w4_K{GAMO#w2zUwf@>NL9z8 zw(_SAJE9ET*#Qm`(7J(@=w^Ow&Kq|{^4B8xH1oJ+)7Fz7e!XSsRAB)etmnVMyf&{dSAQvdM0xZ|8rV^+TM!R8gd{*qjm!(-S1Xv z#I5Z6q}^Sw`raTBG~=Cqw9fio-O#R4oukRyPOm`iBt8udMVT*_SltCeI%2$pX_7!n zVOB38_l*=WI$jh+D{kDLh-`ztw3VQ;5+$^5R`k?f9Ex`HcoK6Kx#m&oT$`xy&Hlp? z$R6jd0i_qIm&Z-}9RgfyG%_nIk}rhDSp0QfGp*I)fX?cEFXKb4!7OY%U>4DYiyGeK zx4l4h&wE=?MeP;tqn|itC;fz5xChH!e-gU3-ryxKD>$8;#p|s}HSo z-Zt~q{$@BX|K@S?%v*#9R__wb7}JRS+s!)*U*pID_fs|TZv|ntIqGM!C&iuA-Hv~4 z&f}V-nO-lnFaG91Wz^V2=OI^b`|{hJ!m`iBxkoMLV`_(eNJ11M17!akjT8c*AdU_TUJ~5+S$#3%$b==Uv`}E?uUH>t zne}JqJtH7wcL6#dwQeR*ZwD_(RkQBf=vi03Z}Fo5M_Z_GXM|wvaWODnU3Kb(*2U(r zknmX?m#epC>jpl6b6mdy@m_B0<5?EJN2mB9$1cP-sP6o&Zg%i1wbfa2(x)L=@*|bj zd%x?+h1KXdjOG?JiU5)`V+KU;NO)+ik_7hU`q^uv4*hCI{`aB;EazDt=zKGtdVQNC z1Jn3O_ku5?eOef$Oqy#JQl2)Ru~x_$SPTofS4Z&ewBC@gl6k{vpQ$XNhi{iJ2?+4} zG}-;hh3~tkm#4ImO1}mmwD(MObdV`g)&SyLX6Xm&+9}S|3|Er<-1JMd+zO|(r7y;+ zysFls%G1gEaf8Xk-pvt-E?+M|zdQ-X;KcYq2NbL(B*MA@sc;C%>!ju{E@+jqyt=q| zJHK=&>C#Ed%mg`ki)S_Fa9{KJ+y?9@o>}c$Cvru7INCgwKC4P%K%Vr*(UmVoUG0zOOciDq<;7m>yGOVdyl%&?| zKI+~K3=9scSf2eN9Xl~@IaZhO@jI6I_CmSV!EO(r9dJzB;|ofKyzvsmZ_p0A0Tr&x zQ_RWs-!spsy6JOlJ_1HpCai)hJRGOdZj2(ifdO0 zGk;;kN)fLJrIZg$xhf+?>DG%NQKNRA`!nAU(+mf>pn8`=!zG1D_)HG0$h@VFbB?`? zOlYvu86wQW`KxUwzT5G<|8h1WPqR7)kx09uup<+@jKs?Sh>|#LcK59T8xIi0W&wfY zCm<(>Z8YW`ZmK95^KI8J(T|x@ysumpp}G|LEZ4ht{CUyuRtQRO7W*0yW;y4#XZTt- zCAZ~bq}?oz7boC!G~EjEK!y1?S(@TEuoK8h4E*5l{rQUpm)@BnJ(;&HU8RS;Nrjl2 z4>7y@Hh4^kbUSU3H-Zy zpI1%`#UA?>C!GFTJgoO#U{9c-?hXsh6WE2lD{g-v3||oCEbC*mO(~CY>s93QofO9u ziZ%9DUw4SZn_1V7SV~v1?)LW6@eeffwtuAyG2ii`asPpIC~5orf!wdvr$=Md%P52< z!gwYST|)*{SFG)&J6GS^KlZgEU$wPKqsk=kH|1@kZ#Ss;wh9dT3NZ~ZP|S!~C%7VI zpO*&yTc;^! 
zG3#FVV1gTAPYV}`qo}zM_I2`d*9f#bzKfK*WOU}7(g8~gq^*lL(k?-1FilyKw8vt3 z>$$>r-P80dgUmDZYh+kU9s1OR0hH0F2^Vvd@mErYPsMB4*y8y4+KeI3REK<_Oat68 z5J6jkES^F3bFYjnm%CtWiTEc1*+u_0wzK~_HUfcUjoagA9>om1fr-?2-lgxEk4%@r z*Yn9hSG&JfIfqKS)qlpGly6g)(cjwxjFsu{zsIH!<)2Ii!H5&se&M(+8x;8Whv|PH zeIp9n-IO07QBXo{1kqSd1<)CMeh*Z~r`JvA2%}o9$rVxB2Orx7`h0PoyY*g`%~3z> zM%=H<#i`?O(E@WwK2$&+{Vp|}hzQqQGtv7*#oenOe3}`=!)xp#ePfnI=FP#%@5`6O zRsA`dFdWu^2OgBpAXE2svLvO4RT%P?bGN&BZ6{>TtQ>|UK;K@l#aM~n%Kz+Sm7POQ86DxvAZ*Axn39JGrHyw$1;n8@AcYW zsCcKr?kjZu>ZR4#3Z28NNI`4*d1|EBC(L7Os=ZmGp17K4sk<@UCL=sgCszz_0lz++c^K&j_m0+S4>d zn1ReQ)Ou(boF9dptFfs4OZ!UUie{Ec?5o(x2}60-4S|rrRlu;}gdew_n_gEvT}Gyq zQ38*ibJ{Uh7YpFNH!pNQG2tcT*LO%%kivX5L_WZ>tL%rG^p`sdSnA;}Js>i`01?Rz z6&%$P#8i%r*rrv)!YRH&P>wpX3KTuwYhCmrEiMFu4>SiviG={D(1;7At3qv7^g zq5CpcISGy$eeX%uYZYv@&yVY@ZydwS*bY)H$wCdfGE|$nKu2H-BHfaQ&3ZQGODm&a zLf&bgU(Bm)KD}`$9omcdcX7B2lzPgi5fNFhz$nyqFYtA39Q&DT=c!7F{}-3kFzlVg zmpr|NdQHX$xD!$c{e!?OMNOH>x7O;qpq%n<-1ZUnu zNGR1wvi%#Vw5;EN?7?O$)(+FmQO1MEzxL5t@|+X5zH$ZTUw%?xe|In{ZkeM~769+TB{O4IEOTXw^vIkbYop{fk4o#u*=^#S)}-1TqZ#=9pbY zHKIc*S?+f1VqL{h#?V<2M3?jzqO&q?^SQ$BPUaCkQqmnpfi4G?gOWg1az9yL?G>y# zSdhLgD`+kp`~Dv4N3Y@AnHK`|CG#;{iO~8ixszfYzTNt=Gq#F*RXEBYJ zcL`ARPh=51i11h;pvVJ1F+P%&_xh2wg^f_tyicMcXQ$p| zy4=Ng`48W@A58_)kO_iBoiTzOTAprAeM!c*siC!~@%hI2E5Ab*;;y`o=D1GO+xn>V z0EDXf%tO7PV5gIh87TwiCsP`q0G~;RZ~6W$v8n;zDdeL(W@Oho(-eKT=7=0GzpUZi zH=aED>a;nSd_p|x%k?Ao7Ui{uaVR@#W+BR%nt(?k$TH`wS8R{h1k{8TytFW#{&d?= zo$kcirLeEbcn|-@T@P|RUoqjBonkAdhwD1#02&-Fer*<-I>4r!jn7$rPW3bi*%vwM zV4!B_KJWafnVs{k#azrg7P7v-S`(CY8g+x3I}3*__p0=}j?;`nwrm#$>qVz@Uq?Qf>xrOW#^=CYr(-Kjgn5LH{e#;y>Z>zi+cTt#^F>nZ7JP%a}8g zhaULxnp9t{-ly?vwQSZ&Bf1fWtXo-wKsfRD{ix=A-(Zuf=xSiszcTJ|Lx0_W%)ila zSZ2OgpFik7b11v+uW-UBJCZc<8kVfosHW)t$@y-6@uNK-?lhSYy-A7Zhw%AuH^f-Q zEOg!aB#yWaYp6&QA{TtUUWjk$)fRfo($SIUBY5REOr)J-e4FyGG$8-8Aq@2(uSQxG z#ka&x7-!3n%jUha&3uBmZR{1dLhKska;+E&RA8_V9_gbyk~nTMJ}}vQZ@5EzAIfmM zu>QQ3NF0Pn9k zIokc**D|zP3i4MY#a}=Fs$U6h4a)*o*kjJu;VIXL1q~syj*(7sD^>VXC;SqE`jRfO 
zR+lu0Mr{+A3GNMa1E$m_KMmo$i%mM?wg*eFJx_fMQi814uT?y1I`FK5hfao3xtFQK zEXc3>A*uFxV}^F0nv%G0WZQ@zI0Uz%lc=MljM{^r&*o--c9SB<{AAt*n%^{k^X={k zUCx2oeI=ES`NdEqFNR-xqXL^6Zxev4p!yL@FXZJb{gBGASsQLv+Ctm-OG5Se&1W3f z8ubHm*S2Z8)M;=FydrSXA(YQ~s#(9&rwo4?{AyrvPZ>^A*cbw?h$eIJgrVgQyDrX+ z6)+>s?+WZ|%)zL#j_Yq`6*QEHq{*BzaTjZc_W|PD;{FBzw8cg?cuhB+DR2OKur)^2 zeX0r$3W^2u#{3ZmB`mQU>gmV)BNTRqL1vwF!+i{BA->wdh%eoB!aW#T`&eIY`LyZ# zuOBt<&b4y@Zsr7icWQpK=?Y-#_B&Mew~bW zluLmnsZS8p3N?q*sC=_PgiOviX1d9irMGam%XW#VWv%`r#^AXJh`vE;X3hye4CBBw zf*ade5#1y<&9hQ16e{V|{MS?2fN<{Ew*|jgLw0w*0EP`rqa@r#g1yhRfPL;NndP-0 zkM+bJuR3g!mnD7)sOyl<2WqcVC0Ek^mRY3T9a zh3x;aDxJaxVRZU$p*sR4i6lfng9zPPcFqYbwAQx0?{~-V?FY5an1oFjX%R7oW1>}{ zbS@a+dy9W(z6zsj^iy*GKycB(F=I8LnyZ49mDyZZoWUMml~f*F?CFXLx7T5Oi&?v{ zXSVbxFjM@)v4arwgI=T!vkOy%X~m8uT_0A(g`Rg_W`8N)>O~o)=bTxtbrW8U*n{6L zPBJD`^)I%kxT?IZ*AUBmmv^(CVJkgf7tg881a_O6=-jY{TPAA?DaH!L=0ozj<-D`z< zGA0*>(#d~&KCjr&y>j0Hq_VK@%n2wD#$V`*=$}d66d?7ht#L7)YYi)qJ@Ytm=+_+N zYlOb~lLLqMhl6_l6%mJyVzyzv$^s8h5ujdBAg^7|JWRS6F80MgzXeZuKf9NsupnT< zf9lxp?y2L)LSa1gTYad*8NQ2Vz4f9izpZ|UKFK{dy5jTf3$M-V*({#V$E7cNJH}O> z3{sa@*xU>vkZvKcuu_9&S6GBDdy1j46w@_KO2|h_!^c`9daH6*+`PaB>>GmXq1$B@ zl%wm|YNbK=9k5x_BK9|l(`yQ}+bDseBr|f-tBtJw2O^2ITT+xs4w|vxb$b5%tq-FA zc0bp3QUa(fbAKPMqZqE*1K@0Ty6N<#RB3;ztrYS^O;s*mk`x1~D1eV96=+cJQ2}OI z1q0^%pV%Yq+sy8Lxn|6mFrAAEIF>6y?J80g-BoRrc{jBDPD0v#2!B$Zr?)&m#rms5 zVMmP8%XsaD8GYV;g^UeR4JG@$D*KkyIXEPXkoOi#xPL;SZ1~-i?LLC8)Bh>VQ>_2k zJ0*WT(>eQkQrsGUpkb?l^^_1#MYu{?(uP>2PoP@FG^fGX(3_LYlSxxQJOlz$Pv2Wh zpeMh2-@E;M!X=$Ks^y0Q|$lRM4r<2WsheT;`axNF)uV`Wx5ect3z@*u{73lC2QC&= zYv5SPGQQM{xR^{-L}rs^!|WC;R^=;r&c|d}KspeGw-k2gEc&xJnO*-YANs?5SD#40RuD=sYoR1QqP#M* zOGr~71~1Ii(OnqRQzHI#3_jWJPd~`0+0jyhqKDypr3?)d#h*1E=dYS-|%NR&-6d&qMG z;WXXcn$x@Z5Rm)9;Q+#wldz_!#Ek1keg=0wVj4!pP%0RSwU#tVx>4%mft>(B6I z{2U589tPkucmPK65rR=z`!PEL_}JlpaYuGtg~dj}k$YW5lvJwGrz-)oScw(SW-;~vof~%p+|Fugb{I-8H4&WXe}{Ohj5qagBe@7B zl)3?w(2SEGM;g_?B1&v{zOHy5{E_ys{yr7JPuOg!`RSv^pHYfrTO83QsMyjbqqOpw 
z#_V1cPH&=zW6@w8LA$mxT_)7xiVUx&ycbOR%q7)*t2%;Rk+0K5ScFeIXz!<%=w4wp zPSjVS6?2SkjG5UKb50V~Ey?M4SY29uIqq8X$S&Z9oQcs76d@5Pl8kKhd0%M+fCBz* zigWQl_Q}!OI{Q7pM)~`h_*b4=-^HL!LAp0S)&uxks3UU}z9VJy2Z8~MBDzPIfj51w zS3-G^LYoY;T#@UHr_;Bp60R+T@X2jX9Q!4G)Sxd&Cjh|F-hiwWa_mkg&9fm{YTW5W z2gcO}L2)&g-aHg}^qYD8l+NlBUL4aXg>k_gaVlOFJ@0HQ?Zo|!Qm!WU^bo7ewL*5v z8bo_|1V_4y8S`nul%(dq2F0)-AFf#=1)F1H`O9lThV~^>Jyzo_a|v?aW3zRv6}nFn z&g!x-C*ZJpPWq*O)QvRxfwF=N>xPW%92YgH=fT06uiNIld}U!jhlIz#-kUG*yfUP% znm@TDdAuYAG4Mpz>8#sR?)EcxPBfa`eRT+*Q;VPp(O-~o4XcQ;lgy^JxkmFuN`;}1 zqi=jikxgYZXG^9+*|;m{X9!M9*w+F!1VgELrxi)=chd@0Ei`u~gtd1Qum?rBxq^D(JHIX9YnZ*1#@X~AqijbPw;3#_Q z51M6qkyn}BxZ>&7KaercJAAe&yGc@&9V8XuW07+YfX=IL{EL2THSnk7t^S% z%Wi@0g_mw5@nr(H*e8CcL(`aY0HFe`8ZOjIVmj>0+8J#l z$HyXxrhOZ%6A2RDmoGWAm!aJzttKrdIvoS}8a-J5`W2ynYH8(}>AS5%I(qm4>`29& z+`1-X8MlWsYe`aX|*{}BAazaKtRKsdCc6f#}< z&Q^-F`>C{ooS3F6GN<=i&7=H#>ZRoxc?1D)rkj>9u)1nU`eDr2`Ef)EhF!+(M9R7= zB`%M4>_i*U$GdQN)}7ARPbr{Qebgr^aZz>Fc9w@xd@IETZxawNcu_6r0|Xa>12k+( zf(nizTYEqA1U2(2g2%!saoAij_d0*pMu|kw2HS&+P}M!XIXqQ9Y2A*P>J6+Q)YY3Q z)Nfkkn(Iti{?*D&%lk2^^l~}^LUko#nvsI2QM?>7_7S@YRv>87yp9^KVL3( z9eh`BrCskC-SS}jWduEG5aWs%L)`B_Tk3`+o~-h*59A!5(35SuW07^x(!&02!_4rK zJ6$l7X|(wovj%2!JQUxS2VsT)_#|Nqfj;#IGQ0-cM<9ckihm%n`5=e>_02Fd+Jymp z>sRuir$mRE3D{r1VwQE#tkeqTwE{C-%P9pb97TuXIC{uJV|pG4NC!m*o_em5?q&yoq-<}qM)%-0{wf~CiW^|(ko z`#v00Y}%`jka?XTva5ZYV-dG5LUX5I0bN_dzSfN}z9;KhgSE;Sj~CSiU$^Q9`N??) z?zKQoKfM6!ce-xbeM)8_CR>#v^Ij6IzJU;d zDY_yx@C)4na7N)n(j-}F1}$URh3{FTnw{WwqaSSrBMYt(ntRahucI{zXuBng1+ct{3oCZvq|R%g$w=CgR2 zM`sFh#*41^g3wgpSCgSkZhfDoDjH%w3MbuG3KJsmV4gt3lT#-OWc+WHU3~c@H|yEb z;#z=tk5Kr;exh6*%Iy-Y53^QP=qf1!c8UQtvqkjaM7d}pE|Z!^99m%?KXblqTfj>v zO#1jRkt=CE7$l&!6}mDFc=l>ziAHJTLaiqp4M0T{``t@(@8Jf8W$Fiy8@R&{JyyPerOK zHsoxw#>vIhlN1y8QryOu>-jtB(1oU{sesRO;?$!3Seoj5OC5QjkK<6L)=X3gom z`IKzx`wVMp%vMupv!IWY%u7}0^83XV$N#z~c-uf)6*TP1Fxi%1{Aewt?{+J2YH>3P zsskrp>2rxE^<5k>Vr`S&`v5f+Xh)AvR~WP@g%d<-4QDqG`^No&fC@?I=7vfqr;e^! 
z`FTddkLN}TCyxHu_+p+W#Lv=#@&=RRf$jr@-8&j|^Dj=M)ntj{q_pkp@$2kt5?0q6 zrt)UbiLqNibOF9<=H((Z7SSbB7_@n+H& z3;ig++qQ}BX95)R5AF!_v$SEFA2A1TJ9mN8Oh5bwvTD95*D@Um=T(`e%EknfFE+QR z_4wumYPK1wK8hE*x%qshrCc*XSe4#5yyHoBXWrhN?WP@E2Jlt09TsXG=x~Xr-NE$U z90rcN+#g7Rtq^fqh>C0X-|ddjw)>38cNu;yvaw-}D&{_?CP_C}(}!R#!$=4M%z`-# zD^ZI219^lDkEt;CKbv+f!9#iScv-xzA=`HKVUJfDD}HQ_7**PrH!;il(G4T zp0|5%op+u*oHh7F3{>D&x0q|4tixYj)1SGr{k6H#h- z)I9mcs*2;V^E~XKy6RpDNr*Ur=C08d9nNY?@}6lwvCI}qpcPEj(_i^MwKIzJv6Ont zZhkl6K|nBa2_HIP_lj5>b3Wx(u9BjKE~w&{R@j!qLn_DLkWp$W9m>^j_CA02t{bYG zE1`8yz(O!(!%cWG=X2#1pA9lxUP98QHsw=7&YSFW8($z|*8NB&jhZ(X^#<&R%kG4J zt0)=E5q0sJ@81yHAkOSbrLz zwLeB7%+9~CRU}`_pF{AvNS+#+-*#6ONp^^7I)*@Kh^ZtvGJf$nx>XzIHrxO5+`<>Cuih)22B~Uk zG>bY}r#p-z#!KOhkwA)(>Ylf)Irq9nc=u;~Eau53^%SLwc4>)q7TLs5td*V-Zptd3 z`BYhF!6eo<2uMl1MXRuoa@+A?c(Uu9T2#G^<{Qc5Luc_O2A5(MpX!vqL{`8n9O;<~ zvuX^l9>Pwd71Mw9w-Dt!wU?CNI!!`gL(m6E-Qhb7gBHyv$;vhT>G57IQeu7rzt5_V zU1tx1pTRibqsNBVw#g~YIDQqM=gD3j+4Lj6l|}E~q@CCL<%gsMsWN!!mQ?AF)H%vW zDksezb>V7t-)?7R!R~vvHq%7w)6oT;JS&76`xT)o{I3`S2IL+Rk>&VT+80QxCR7D- zCbF#WIEnsh^K#7qjHj%$B`HXmgI(?yX7tIicPv{zbb&t*<}KnJv%%k;8HxYFS)g#Y zxU`f|TbeB9`pdB_`TD4Rs!4=$bXfDj2YT(7m5~_)(!GCK+a%hpZX$vOtnEVLi-1G= zgDIO)-(qKzw4Xz*_A@Eh7#Z+~Fac)Qlo-GqI7g~y5PIk9w>HZ-A3i{oO>~|wRa5>o z_dtd<=Ry|*EotzXi|{%1OpoxD$+(?n#2bR;)Gp?3xS> zQ=Noguj_Nqas4zUHrmJjV#-LN4fgzPfM;u9KLC9-Y7rhF#cjc55X8J#h;>?gR<0TS zAuoSmw(thw#tL0}7EYCeukrW+@azftee`kPpDk(>7XuZalFZ^cWdrDj^wTLjjoZHb zEOQu=wfj+DbTbj&j29R+;Pe7E79jm97?&y|Rzh?izZWw5-yIy9ST;z?FrrD-!WzIO62*7I*H?WhMGF zNo+3rM7bGHiHgT!#&e633U9e`1yFis04Qo`E_&1eOTAHmAsvvP!OY;$(iMFeH}??D zwmhEJsS3p+rH1X@LnkYu7+2$7>5!2EW-+n(E>_3#9Sfa)^I9R7x7)qkJowz=PG>w= zS}{1D577gt=4t8~$Ix9xB?`WL=xH3HXjM|Uf4(d>^xI8d1bb9je!U-_^s%V7_nfpWg!o}fF7dz4iQNPEzw7gNBT);*C;m2pV=BW zl-o!X>0o!7h|ZPpu$YDdB-G{zl44KhBDCTnV1jGf=91xZV{4_qtIFf}&KRI>_F4=1 zS@1OB-X%kNfwz$&Nb*_ZA$d0VcQ~3EYU?;GEA5X=H5+=pFB(3PQQO-ylz)TL>P|4CX`%J_NcoEv|U^xby7sI$*z- zg}t0Q#i9;6bVX_16iY^BJy2CDaeS?9M0RaSw!uYf3)$8X4a+jw| 
zG2tpT<))Q`wMr@%({~+1h$4SMsRxwz%|9^*;iNlCW9>5r?cG8s|VWDmR=s#wq+_1i|wKA{u$*1lVZzrs(IA zT1EY-1#5*oFXEN`Cn|9so z0r?tj05Yljba!WyuA@ci06GGBz-fd?;eU3VVjZeiK|Q6uA=BE7=eom_zJGG%au@iV zte(j8>+-o^7jgss1|u9G&sXb(0Wi@Y#yGh83vm8X49M(}v&gZ#vzuYH27ZFL91B-v zV^1%QadDG3Pf8@4lOYV?<-Qugd=DgH8Ic&;vt8;SG9L~w+~Dn?^{45sq_z^$rftda zT0tpP%6Sd<<7(1R&(aUao_QkQ4X`kdf~63^%%{;!z=VvzchU$fbP%OWo0a^5*m2?+ zqJuP0W@L+^c7rlACYX5~oHpLtySY?<;~V=Epl7N%+uINaa4T{VADzNiM%ne*uOBCUYcyA;COwZ(qi;u^!(33AJ!w* z9FW~s^e!mKfg8S23BCks$iMCaKph?je*}%0E+&BLH6fC4n0fm0*y2l+QJ!pJl8<>2>ZC+Ciq@rRy7)kv}HU3Fv7; zg%x^0C>a@4FKK0*N!KE+hPxGHn}{bRUC$PD)SnfQmbFLBe%D#uHVZn!_&XRoyK;M! zIVgF&_#M|U^U#1))bFXJG1Ol$(<``a^wnXo4Zpg#R_b!12kTh?hW1%`wQ1{KpQ?uV zdbFGB)r&ti0%UHjp57U~Bo1A-&#?iJ)iP*n4QJWoSd<%)L#(>k2%{19f5qLZ2fH7xX4r% zw|!!ab?YlYpQGFLszQ&UEXav(^0HzlM_tFF&WE!cy)mIHyhv+~UE%WgSxcqqui{Fe zZEn&;+rRLh_97R@3gRyI`q(S+%H_=dew!A>f*&PBz**sT$noa8FkuvoEI-_cmKk_> zZD2OhNio^-@*7E%+QCb)ml_|*X#@Lr`tQA14;!e}qdi2a8LP_J+vO?J7nD=KS|8Z3 z?tKPm1Hcz=TurpfU4K|E_|j;(Uh->*kHpQWt@3{6lJqvdiY_3xrVnOxh(swO7I3!q zqApQi2D*@}{dikFo;5^;#ee%@a?Jv@{vj3_L=ZsBP_e|{Ejm6#gNTI-E`VDg>CXJT zRMDO^l49~KbL2J$&iua*zIW+!=9@|_n=!D%s!D%{?xc?9R;w3G`QTecF~+j8U47N} zYtAXeWZZIMCAk3UXlOphuIv1&Ie>NwkB%u^Nc9%d3XoS&hTl?H?xrd%WD6{=`*=AD zi!qnb_TQ==-JrQ{wFY|3~BbUjSo6bWSp^ zO_!b1)m6Q=h=Zw9c)o*!Cie+1^Rez`re^yu-#3w+dDWgacPqaCwnbd&{;~Bz(q3=2 zXkcJwUll`jT)I?N^ z9|;K1%S3LI>>Lg7ohHb*?^%=JI^ZddCg$*1fY8&4t%^lV%Pvj=^_Yx}3AVQRsd&Z^ zx-k+wfM< z;rXB;ueP}d{QO@dgzgxwcpCnz0ye+N|BJ`;x6jq3;vyi-a9vK{ZeXbHKu3t1GeRvA z*QOBwFzsr=70npu+R`cB^RDQyc-5rO==vr;zrj3#1q5KWEM$WwP(5;~XCIY2p;ze8d}rWA)y@6K1C+SpH6^xaJ^}5SgyVC^J#N<4*9|zT zS-okgxNr{g{X%KXrJ2Wn#kWFC|0~&OHd}CPW7aVYcQ?Dfw86PtL8?x`(wdXS|WO3t6P6ia!0%A#rtT!1X=^AQZoEd>yJaapo7S zj(<||=)KID8=Lc|Wl;5H3-^Fxwzni7)o<<(M6#^ISEyODJ#6g9i7HX!*T36%PI|v* zJ491^FsJ?#SU>E?x_G9@Fy$5Csk5I`qI0{z=nrcv%zJk+&=qshi*@#%IV*zLUlUfg zmq`fD81LHW2OsOUuwD`=HP2t3W~tY36%^brj3;fjCJmW;d>Q(EaZGmSYnND5erA@e zrN#3@GCZbb?yoQ+rJUwEJAK+P%Ts)d?f{PAdm&yL}j_*oWI{_%D)zcPzI?2B(p 
ze%o6s@o`0TBi$rRF!}M9iug5T?bLnw^_LTK2l8F(C5P#XdBz`oQ;ci-RK=dN4f&7^ z-8@9Jqsbk4tJDZc`+vPK{@Y`<(h=&FR2z{zG$J z_`7NP2vd%_@Y5IwrbCBo^_)5Po+GlIlhlf&cgMPqKFuf^`Ow30P~U$C1lODG`H!~G zqQ!jcWtrPc<}2_E5WMPOsj=&&>WiA|Z-!Ez*V)y)nRy#%+Jx&1I=}R>RHZ=9bl6KQ zQ2J^~<$%)02ZMtJUyQZ4s+K;B9{3R$bTa6|68;96qY)P+$=f$SL^qv5@-B_NkU6ZR z$|bciG|Bl)&G5{PV7VM)zXAxqIdT>rTCYo9ooJmwa=A)M2b?Q-R{i&`;odv)h+BG% zD>!OSUA@rE>16r)^$lsK?C=Opb@`5tXL=lO^;Wnb`uaBgFD4Bv2*E~uijMVl)gI!4 zL%pT_H`aSixCI?_g4l+8%#cOD*G)b-FWxPqB8c0N#l_wY`?tZ9_Ae}j1NnP6e)5}p z%|YLQSeq$%UI|N=EA(~hxY5qQ=iay2lrG*Q=U|S^{{I3PW&Iy|5{inbK4jK=r9%7e zAzqO+4kCPdcG|JAD9uD>U_79JcWKCp?QPvWYE$fgF5-rF&6|$2ggJDGW zJ)sB*QI<*eC6k@VzVC+Y%ZwPqEIrrfd*8?LeDC{ye$R3Ij^q3LJ@@lGpFfo5V0zE> zeqZN#o#**lh?jxvdGw)w*Er)Wch**HHVT(9}y$(bI#(HfdS{&g+_e%%~O@- zp*x}QYz@H>D^ISq(V^BD$L z+9(tlK{BSE%Cy_e@CDuC2iZTSHtHYC?z}T!8v~<(MtY*7Z{Eh_=t~7O`-xwC_mL+S zc=^Z6?Jx9RzLvVzhCFyrof14B=plkX6ZW9)-m8n4iJL`gH*PU`_}U|V+DG2Ag`c=+ z@I@#zgw4ctTV@<{-73x#o_+VrZ=nE*n=)#uNeORz2U{3$d6beM!PPF$eDWP!t8AO+ zXL>7)1U-j*G@tU5t6gUWm-f*&DM>-%u7cu2qByBvCB(m=<~d+x7d~M#>i|P@GDw1&NM!3zg*L1h7*sh^rRt<8INtc1r4DJZdyn= znA2y_xnHdD*x&b!#JG71t{zcy^O|y)~~CI8A^Q4LV!oNr~ZEs!b z{YqrHA-b`GQr50fwx6RY)*zwvGarsxTKL+2ma{ZF6^kP}_n8Z|pax6Z?jFSj0al&%Ax^!5%J*_V z?OoIq8XNcT*viKrvoZbE|LmLe*eyMcd)%kGF2!axbXb@;LT8w4D?hh@Cn{}0XC-p8 zVzn4)kz2&}Is|)T%qzi{J~t_7dpiQab$$-(C5>JkE-yRzIaegPpJqC}(!0Rr%&jC_ zDvDncHkC`xHq8-eW6Ru0x`j$_gSk*zzFY*<%w!)8luIGrmoY}T-IeaiclVyT|NGR94Y28i6@ z1yis;&(KvR*v7*(t|nfT$8Cw-WM;0b>H95%@af5cAwrlCygW{)JeQ9zR5cXji(w}=ye&u*dvyugq zoiHf7JH7~%()#D7XsP-Ip|FhwKuO1_N$$Z2fN=B5dA{$62&agl`%Xe6*F7iF2zA7A zlBBJxH&U9~GlSJ~71$xfeX8YmH+(%2VT9S>*Qnh6X~=Ly`~#VTuV_L?Wwt(%%#e48 zEF?)H!y>~A-3$r_YZ!N4a<0nqaFpcfCQ_Sb|8UH6htn?kMH@;Q$gQ16L}14fDlt)l zlDn|VeNwKkFTsgih-`-lL?u@|V7=mcutGf<@CPEsh>M|O)KvdKK1OXEcE4v^@9Th8 z$i%`P%Mis;E!okw$G;3I2;7;whWquorASY{s!jS)6i-Ts6I4i01L;_X?!z#G_NiNt zjLs*(E@wPw*eW3UnGe9LVB`;J-=PF%Tmdzd1*HnG z-^&>6%;T|^M(!bxO7}ZQT3nTxuVvI*duObw>E1s#Ma0 zs>G=+2D-zH=MMxA(Q5z&W!kq1K0aN=H!wR2cvDO^Ds@&eyFGDZYQl3r5 
zjL6r{ClK0w^$4+V;vfXf*e&+8_nk&+ztQ)CMf&Koyt|n9CDb>~lkfeC>M`>BK&&f) zX+EOG^B6#!HXg@p3FE6q`FCOj#j2c;3hz6$QhN+)?{%0yJ>fhZ*mkHVGEch+#t8-U zsAl;1GD(xDRbtch32Bd?&DJRR)Nsz;)yhhT_2JCBj+4nR0NDa6{*fgJ2--Cn!j^WC z;D*>N{DBNSY6K&XkSFBZppWE9l(JgTj;OG_jMC&0-g^~PA)&iGfPb78w znu9J5`?TVEvvXazRa&arh88MQ4XZr0PJT+vcCS1F<6F8o2zA^)NEe0G{sj0*7bzzw zpHQ9&FEL+H?JzDUfW70hbeTJaE?~i`qwe;|@*0Gc6Tp9&&OHA$y z-=2$(K6ASF>RfeZBtlnT^-BC5MnQs1rfby=K+NBVDR8leDc^~-1sZle{7yXhyN9b*~etihIL zWWS+QNVRHn75uP0{-9LLJtxTYl6Tl)8C(tQ6MAz>b|a(%sI8F*c0`%8v)pB#Ql1~b z8Hw(keBvNmQqnWXy|HX0{stALg$;&DpdR8foMi^wG<;(>Sc-ka z{TplVmUlnxVqTWIq#>b_c(7jtz zYLwDe@uYnBhLo)Mt0izKO|ZRyL&Y?(eXa^yv^jknN6m}oE#5cOcPr&GzV_(t?e7{j zB^Y|-1!4|fG#?%j1PUON2UpWb{6@8y-9FOe6LX%6(bV@yWvt8ufMA>yAcd$?-mSfyV8iJG;rlRr(NGe07@!Gd|))C3G`^Z`Cq8 zVkdf=B>l-z;Wf!S_R#yHqFlR|^$6 zkZiTwyb{?5+!GpStR|y6 zeNYtwLuE3>tLYri#FZ})LUSjrt|c=1)Rrn-$bJ+yduC>H@QT;LEu6ZMzwsuR>eAcb z$J+X$ExAGdORznS+ggrWWa_N&sULcfdYW@A_I$z?`?QhTo#x&qYnGQ6#FyJoFw85s zJ7@9X&r~v3t0<-fpqS4Zik37apZCgs^C9u-KDq%j{}En(5QcID+yUJ{*!NV_1F+0d z6|0r?0oNf~u4;qbXK~FCemgVG^>3US17Q%hK`2pJsxoe_$v8T7@^zL`ab4V3V`TWl zWm8Pv9hcyK!n>^#G;ak0v=+=BKE4f*J%rmta7~Q%`N`Iv~CH` zbq|mOJy$wSkWqzGkXP|n1s}ORP)%%a)S<*^FiZ#aLo3W*l1~hjuN6J3KFW=ca&RVf zDX%io1hd`o(u69l3-aQ{lAXDzMfq@xDWe2w*BIyXaR;~vEq?Z z9Lm!2-5d3tsU`+;QwC?Iq05WFdQI@K*~lSK{O+Gt9Nfi0~!@}kE5*(mfy1QNjqlSTmG+z@L-Xp6=b zDU^54nt%T5r}f;gSuXLG%z4}IoP5(~?FEm7l{rEy;VnX_Rdohx2pI93A+O;*!Au}V z1BOR!1}qkyHy0#3%8+j1v!UEf2 z0U|V!*!$jZ^6$>rT>gIWGpH6ke+FP^8!;cTH8!6REy$ac`uo~o@rqN^_bir8v8eh- zH@a;7&kBx!aMpB-dYTxp*wKVKL7hY~*;y6F#Z~xsy>v)#f1>sl4sD~0`0;c)_?}%f zq!WBN!C<5g9uE8cD;Kreold?*3@)Z>;7%mlB-ECp->1r7F9mtNR8AXAbbM?`3KI{u z)t}UUG4}*L>@cJOfLKkpG4_G{EmgL{M*M9m7cKi#^r`|fCGUm^pT0yOC1uTeJpVFP z^YArJi(G;qBcCD>YH$t7O5wubnqr0S+=Nd|zMAaWn0gAA`dZ}wLYU246KaMO1WV9{ z@NU1;F~2jJ{5{>@*_;@@cyI8$YsPi6`HVP?`JT>&1)cJ!mwl{Gc5ZVlL^9w`xkqgtx|3DQ|COY<{iI^Sw~V z$o5qkE%=@#PP}E3+BjGm_R-cwjQyjQGhOm)mUkZG1-wn|{@B9V@!7TNJNMTWcPFQt zpLa2L4s=Egqy!65{z0Dx@;=V+5NLT;C7y3*Q7?+SrOdTzQq4a=A?4S~yHWIW2cC+M 
zr}fuA9hAMpzdMVxAlZXTsu{|OamGNwci+ty@AWH`7;l|Xdc^zSw9YTx`i9y;W$qNU zE1{auD?q0N^l|^UebM|g@%gV-HidJrxnR>ycF6B}WerJhxECZ9e2@8xP2dPg2Ju^S zlq~ldc?SP7se|?XS4w2(wW#YGRX4sOW(HpSs2#LDnfwFU48ULOFn=|rMG`A0D9^sQ z+MAe|85_C89{7CwJ?j)fSPtcZNHHb{WL)ibB$3)-H^+J`3#;KV)viw7C-8I`8rjaU zg8aaad}n`|%_3aU?b;Ev)Hd0;2;Id8#Yhiw$TKWUycNx$T^q!x?=ihatJysCdouMa z+ay|_el^j{`6UV+1=!-h3{Qwv~-pi!ueA5aRf_1u;|-dq>YJPKt)3dlcQJ(3V~ zOMKTp_wh*#FWHbE2rJY%6R($~^9|MCl;jN5cKm*}tLdYE=?&(K4VJB!(e zXZQO^C#-=kXL~8YuaQ&!(heR2xXV>3xF%AElB^-*VyiIhBg3SS*`85ot={T+iF#LO z`D}`hP;%&ux2-mAti^nmmGXYilL=VJNsVTFjub`c%ch>tpS*uTI17kmdy(u>U3Vg= zO<9cIVK_I=Rb6~y>1dPd1XD_5 zUlD;AKTL-Z1FoOx#-nbXiMX6_%4$=bgmJMvf)i!{m#UxzLtsMz1lMlF3sJwua|nND zR$HUTU2l$(pS&C!nXB3%$7z5A-WO2mt&YBDixPTN-rn8Bniq5&qlIx7L`u$stYIV# z+p|_U#Iqd@0}>-jg~C9oKrP+FIZ~e0fa>r`KSMmV7egzLiY$W@TiTQ5ZJ~qja<3=+ z^4mQh5xDDff8a*f9mc-fq1o4msTyPkoN4!3BMmXo@pA`5r}VFANz~=|g{5fcHvu&a zhohLyOte$hc^pHO2Iri0jO$ci#p|=j16*sa-|Xs~?wsh{Jb{*~r^IVW>U>ftDXw!H zt?#tTePa52CFI9l#9|?YDo?WyHr*jU1QtEu8g%Q0dyd{mg)jH26ZMzAFrDH~$)@r+!A@@N1H(Y;1oJTwl6?B-Ynt)nSmO)Fc3YG^?k~j( z6wU1#Y)~~EfV_De832`E28}~^jnsGnIgJUJ{)`+hz;l43Ap<$t_&90|4FA^@f)FM& zcbce;u!FI~Vbgu+<^V|qX+`<8qfi)hMz5eA@x-z#fI!M|537|v{rKMYABfomz;RAM zi5GUrZ^WBrj>xzjYPvXjMH*9#nzAC80wvl-f*FpXnT_US7I^d{q~)VzbY}X)Ayt;h z)WOYU2HzbXyLdeXaxL;E5Ws=Hq^gfn&mz8Dt80Am%w4*zAG^r?tbBY=$455^OQ?p-l)Hw6;QIbg-Xy(F(GVy?S~U zJQZ9K!ZloA1hwf{2#^p1loT~aS3EC0wFEb1UTzV}4(}W6bbbE7JMve=iGaj{bTWuV zA?ZjTK+qo|-EuvX?$eQ(LzEZbXmS1lM9XTE0-5x8vkxR_vT-*JJtJNPjU0&rC5eKe zM?)1;{2SeVJ{ET2vyz>;Ju-D>_hw6etb7al5Hy%wR^0-dL}87_T8#yQhU(NT1aD=3 zY~zZtawg>F-FCdgyZ>1DlAn4o)vfS7+u9sKp7K(IjeLwa=ZHVugyF0B1L0pcI|}^u zdF>3|GA};u1Xo^| z#Id&8(oySb%G16|B!KhK#R09#AAo7cPz1t6KKd&7%&DlZCE@|K9)yPvKsOZ%Ow}0H z=ExjMRAV;qD_>X(0Q|kE3n0yM=XOEBJO$f0MD5Yomi_zNwG4qpru|1Jha^rI0PkoA z;IRYv`d0XvMxG6o`wf1W_tvD}ioiR7*~VUm)&OeqLb z+YnT(oKENZD8I!j#v}QVMwR!)l6--5%U|wi_Cx?_mw19Vrvz-kkGvJgc=J6~+}Q-8 zcSN)vMfKlbGhvv81IF8-`dm0>e-1!fhulYe0a6!rs17}i8duT<;-C_)e-%0)#B^2jaa3z-yQJ&l}%ke 
zvI=IAje;P8TG(ixjPGaI0|+d-$>%7dI9rFPU1D0$B@=Z9vM?dyFd5!=Y6IRsMm}wy zK=g%n7$1@Gj?~;yAM!3}nNiqKP2!meo4)uDSAZkZIvtyLzFzi{ByMOvq1hd^nBC^d zOcuv=izLz%ZJtAcu6E(Zt{g#x zSot2wPAP1l#|yVz@l(;r4wS0goAQm6+Gp}}7rdi_Rmkw`xO(;&;yoL{u12YFlTVjZ z8Al!#AoNN19m=eKJ(#FO`(p#dZf@;olj9;*zN+Q|8g9 zk@s-f!Jt9J)I#NnupKRa))c_Cq~XTobERYX(v!9R;O=@MPcq2i7}$IkoCD*GiW;30 z&|q+x)GhHWT1!o|o|v9F6nVpW=sjf=9)^8&rI!A6$Q7mIi=8M(8KRifP7?}>fMc__ zR2MU$EzTb|%-C{Qk9>Y~dk21Ed_C2?+Zi2-3`Qm~3bgCqErEE!aF#&SSE`W#0Gpq~ zDG~}hFn~ZjRN9G!?*HbdzB0B2se~S_Oq`lWk+{KgFc@kJ(ivTVFqN0I$Us51flQMO zJj~ke=v+!PNWRu45*I4Tdcr}OE|5hJa1ZsUA~*g(JYhsJpQ`d>F@5|9R!E!PPua%7 zyRI*$Gcq1s>EM0rY496t60z);6{v|Jf&*v^z=@ORn5&;Bw|wM1es4t}n+8-3C@@BKVG&{e(zC+0h11EaT0( z_}W1A{T2?ZmCSB;AcAl*w89@EnF3DWl1E@ehnRw=KLZK=MBM>vazXO28;lL8i~@O} z8YbK!M!mPF6K&5A^mROKa6?OkP{Nlg#KC!n_q#Yap&mAXH~|+YZIRdcD3NgD`Mxa~ zg%)}0C7ir$IfvC&dMG>NCanC3dcHA)=mQqJgGfVC`st2WBGeF5^5GL}+hQ?>KgQPv zyP@Z7mOV9AQ9~kejH^$tzGpL_WIjkHcz`RkLPWG_$gQ-o*4QexCRrX zXFu6}A)71cFJyYAM@6Q`;QFFo^rOoIxAHxVs97cVNOM2g__^<-@<$-E*gOV~dt6@Vr1B2Bz9T>N)?NDan#j#!mi%*6Qc+$t_p|2h9H8(AHM(o({^`d_M34Jd^d`sdwTk#} zIlXN71F6-77NW}ZwrcaJGXz0VqA0$;sm`46&eCzR^x+Fj8@W4QXUjT~Q9TJv?VB%y z@Q3GKf8rwJsYBUJZjC3&f%v`_0jZ^A<9?r*m;kY~eTM!>9HN?cjycF zNsv<0G#K#Q?K1H}SBCasd@iHMC#Q_d0<-MBu*P34L~l zC1{OJM=LX*FWI`L9az3xxEAHH>^JAMs-!F~IFc2QSLx#Ce0DD7^?Zm5yWX`6uT2;V zEr5$y*+ZvGB@L#ZBJa7=6i5SyZ?`Yxjo=ZVI4kRhKt0Qb8cbdCjuCKoICoUe;i?i1 zNo8EFN>|Nr=DYC00kNceadrJE?~NsPKe}fn>hM+-fD9LjcMrJRFq{|lJa^VuWV7hq z!p+!LW&&4&4g`|;RMOiF4~z0y{SaX@g0AG5?~0P%w$HTdrI{3XBdsYQ$r=qQcl7fu zn9&J*sFpg$ei^YG_TxsZ3YUXWh`NryXkR-jdh9vsL3W#EPK3uGeTyV}0JpU)*~l-2 zlLnJdENbK9?-PqDhOccsYbtQH`tsV4UrETJukE>QW8HN{*DLmOJ$r*!hfDKcnW_SK7$rnzvswNk(_%ASTa5hKtuvt} zHDBZ+e}B30AW3O!+N=I*SBE8b^*x&#@OVj~9CsXHrH zczQ~2LE$Xyt(Tvl+_d%0mAFCubB@m!KZ%SwaMH}WU^uDbuE5=@DSa+xe@nZC(9NNh zZ{y-CH-7!gVmG75F3)SRMNFALAzgxG#QyYdNu1+yE!>MU zSZ)))c;fE)rt=I!9LG23`4&B-rKPt;>+4gNvmBj8Q+1`cx1aX(Jk=LjO72o%`A0L3 zrk`lnHY8ka^Mk0I}V zw%t%k={oNE^BUH$DC)*McdD7Ahq{s7zXb+p0Sb3x?obWbWPDf2rVbWkred%MZN}g@ 
zTm^59(m0F2SmF9IgW@i(ng5;?$rI{$lT-%^lJ76jF&eB$M`9R`yFH1lNwg~zdt1`x zDfM|;?bI|4=lHCmL2<*@*+qo}yd2g%Rzn6cc83_Y*xiO1Q*frM_GRL@CJ@~IT$f8v zFeF%^QHbmbn3gt=Vz9<>3Vj^fOdioJx<}6QahQfOIi6us*iS!qQ0#a+;9*#^%moWI zrUGKMO(kx)sWn|*C8fvTJBmLbyvl-3+#A^;*|qfBT7lE#cwYor4+~{IrJn+F zT~fp1z7ev$L`!-^hjZOh#mudXxULEdCG`(e#qf^NNY^5LG_k{CSYhjy>Gf9!ck5Dj ze~n(|(l(S+P5cajWI?`{21P@*pCv^7#m0jzbfX!ZG^EDlXO0mKsx3{k^1bO}H&nJ> z>wBJ!IUU6vK3(u+e!0d);yvq%CNUc?*__U@5(ZM}jJMu^&uK|p=PJIGpCy@HZ|Uyv zK8V(dzlJZ=oi2D9%&OV;WcaqGKwo&HIN1Pao93HCRBfx<4*NJ)t}v7J_LKF*)U=#* zvqLoRsk5*7^&dRFy7t#6W@tddD1|U5&oKY1xSf`rNEJd%zR*K~Snl}I0Z(O5Y4Pc# zSAL=p<>i__E~G8-(_+G@Nn(8)Rc3TQ(4}1`b&$GE^>eKBIhXSO>EX)|8h*w3*s)A- zC5|!3fJHQPR=W_f)9POxC0(+(o0Dzcn00i2QC#)*im!w9?_jU=`UTH_EDejD&qpBY zR<{$exfAbEviHqk`NxG$dhhev=Oy29XgokDwEX)6SOvq~fQFbEV}WSOkjCXGyFoRm zt5j*`rT28CyE)Fk=y1qFEy0{OeB^%0ry#jmau9I~3%HzD@AAY6|M6Z+=w_(I1LC|NbHH`x`cSlZXe`SZh@V|v6&YZi1Uv?654aAbS4 zq@}i7DUG@Ct@x*QBfsh2eLnJON>|j%4ceBH#>?wvyDk}vBoC)YM?*H%&f%Fl=Ge9Y zY5seV=m=TKTZm?PP^O>^NaFvb%@N+PU1ZoolPs+)_)kzJiSJtx-Rm6s;uP{D`#+G5 zqF?J0w0U^*SftHji3O;Z_%{6GF`s@M`?g%*BlW9=rk_{L(T%m`D%Z~e9mw+_Hev#v zZDBL*4w1HvuP;1{cz#APq0st1Z>v=mBQwXjC-oT~n~UNCMh{)n3ANZj%N1L^bgpla zi*LfR_3YfO10^{P$c)I>Grm_L_OD#U{>M_}{}l}Xuld=qGgx=M@+N+JJl|d8|Vo>;2xLOYD&l^S?djtQy%V!SdWFeXJw+!uo|p zB^t|i$mRmyKZH?ZT{{2$K92sM`Ua8%R4|9`GR37)!rd@?E@SV^bIDL}FNzjqNX!$c zRlqVFmzf-+8VamX{H9Q1=(j~{+5h3+{{y~tw8Z~45BvXvucJ#acCf>XV{pO=Fg6@W zGVfB@uikV7o4|5|+Qbb#x^fXhzKmxeM^plIPBs9bD%hK0B4JDFpTJ}Q=*G$xo&SgY z1?-=x@qgc%f5D^jFT6GV|Lb-QKt!G)OXD5ecFs&8U`>QspXomk`BzG(w0PEcl^mcY zfpdN&5$exB5N2|w(jr3}ef8*Dn)FeY&xIZRkRAvaFLDilIisAFF3CK$Uq$-MfYsr{ zvieQ(E`v402Ame@gX@Sx$^s?8GgOt31(_90mP7iJ8|g|=&zIRU{-f@3#DgXvWNUtr=l54IcZoNC2!9A2pCdeo z-=Ut03X-t1>Pt&dVcXA?josSVvDwCWdEuA{EMKVK#rp1zJ*bYhSUj{p?V{|*BUn3` zueHe%r1;jsSq-~sFI67|tO&fbYJWlkRY|%*-Hn%sG=83bY8yp}AWHP)x~w!Ls9prx zJihc?9W)6k={Wi!GLjPJ<1W|A>Zzc9d~nUoS;Ltw-NPa3g|cd_wnyO4AUSrergaG# zi4UdD1a8ZGO4Zv(;f5KtxgneamiqTECbT9>(2fV4B+~%%%`wYBx#lxDQtr_dv`Mz4 
zy9Yn$;+(ci%uOdX%8VP&r@hR%5hP4Dj2F-p_}X$d@!IFv7Z$Ohc&^nsz6N8qO&^jn zF<@aO*vlQO?#CyL4E77rF%2jRrA|1We7njfAc^0(XUwr)ZdkIx7~mt?!u@L9C+Q%$ zOLW}(u%Dq04319#a0{yK$SiqY3PB7t8s2Ne{66RqPhEDlli<6eccW<~%f)k|VBRsD zdUZo(^eq;~As)UsxRsN2;cUCwa?+0!$^vb$TpP0AX8d9~2j@dAbp~4)-?OLPr^LkV z#Y+eE0GD*nftY=|KJoMC(bh6G2n6}cb+>ve z4fT80m;`u-ae*r&dNMS-1K__zh!I$Ul@=yUW8TW;ouxJH;+&=l{?fVD%*c zo6j)=I{$+xu^#I--J9ET#-~xa_1Y+UW?zznqViUZ z2FnKChsCdB*$vz~14}I27-?i7->W66E?#YLaL$`> zy`n?+CB_wZQ~ak*eGNm>WUzWU!I6@z03K)mOmdbG$v0w8RW-01>3*30{J|M{4m+5% zzHq$cGK_CkmT2B?c@VacQjnlGymN`e3?d)nD%Z;M;`=3TF$_R~*uy82TcJ>e64z@Z z6;d$0&>Q83k&VrLA(onN&ehOnjS#!=5mbY@H~@dM8^P?AT0(xO@1esmj1BJih}I;c zU6Z1e&lBA>2hUU<;q6_R4)haR5mI(CSL7WHyxgC&3RbqWnZOY3R?<%_Z^i2fr3B9q zGAd`-#Y@NSRI84bgVkm`2*-&I3#uZ?*p5~wH}vx&HFkNE!oGqxQ+>nC=0D*T2j4N_ zD8}Lnb@K&GR3AWHS%}7){yv|m^D8#=O_#97{%_w%A28t`GpWHVMP~hh+^em9v}@VnSTCmYwh-2tJ2=gsm` zLK{REP;65hK!t_u$`b>?SvWAy za`3qdi^$orZ6hg?jYp~6WXpa98^z@tThi!r72kqocbCJTpU{@kjtyaRIjX0g)SGu@ z5${N6i`yfnDvoaPNq)%X{}oIw*&hc;hr<$pgQQIo)MeyLwfhdS&u(r^revWWgP1_} z#K-!p_i)$Q#+-E*oy}hoCPim8O09 zhr!o{j)I@rh3GNQ2}eRJUcB8i>H>~RYO%CUuy>P|QS0Vd2)$-PQ?c;G7Z6BN;QSf_ zljIA;j1uC>-fctTvrjJ#y)M4=+SSRhmaA8oGIAs%`@`pOmNTlV-+m!?a3xmF@SmGO*|O>WW&2Om+3 z8>?Dp0k6ZDIsp6H7uyK2)(Z5y;!;Py7bj4ab26zi;+!aa;gQPot5?x!l7yo6$*`Rm z0L|03z}Hs*DBy&moSs@k=XSNMh;i~rCYyMFI@$Ce2jRbpn*Y{cja8IbAn;mbgBm{% zZn&-vTx4u?t}L6J;)*8GS)*1v3u$pJtrY>A_j}#7cYixGJjZW9qh& zB=w8_(&d+4K(JSE|GrF#k7~WUk&UNty3V^BCmu@J)hn+k17!Ug0DYa#*?`ib_Y%gZ z?hnc11HNs~Fb2FGNqf^1u@coe&!Le*bjJ$t-^UTE13nN#7^NyDm9r$@ z{7EuYMp7Xnl`TP$pmO~cB?S9pe*IJkGMDc~<(p@n>MVBD*_b@^7B4XO+njd4^s~3e zu5Y(}bCLKhaFup*Zp!o}{HyQF2ceX^*3Q{^ED0;{*b$N>-b|6$L^|$tw4IU>6DK(P zW7|ioHq`R*1@naM?XDy9MN>#nM^Mur2yAm?aX5nlpH!d$6Cy=z1>!ye((q2kSQZZm z2XRC;2J%JtxNEDe-N&isKKV{;Mo1?la)aVa@>!8c8QDQ-_xP(C|R55 zhN)MHe1lJTS!?Z=1YfoZc^#E_Pj)n;qBNibY*7kmR``VT17ZH!50Ym@+K1}r)b7EV z)bzPSsiFvY8#jX+-{TTTZ`r*l(YxYQWuQ))Ln#hYL|!CnW52O3wh3|wO5m@I%TIb{ zS8o#f)r#{Q-Qs#WwZ8X4&>8Z;Q63dhFl<+jhqruFQ9qaAnxR>8{@mj8jynakg*-oP 
z0dOptXmD^xgO!+3kW({cJFs{7F=6>em!16eq=}X)w#uNpCJgKFtr(I98P-Vjawc6T zpAS*B;!ml{I%4vfqN_T1d19Lj_9FCa1TATH`6uupE#QcjE*QFq8+Hak~POFsArO2`7JN4w#)WB~Pi zRlSHJ@$7q2BvTuSVD-TqymMobjYJO+`MIf$3`Fp^s3$;y5@grsj?ASXUPsJ^inRsT zrlX|i?`B_{H{U^R8G$i4ycy1ncOY|A{M(-?)~< zMX6kYpLhE82hzv`U4x^6h0*a$FFcHZz_fcx2Lh#@n$Rm)2l>=j z%|s~nRuZZt`noOMr}2ahc%lzUpQOatz(P9ZI@uSk6*9W4erKCLEw<(2#d9X8hVOv0 z)r2bRYj>BMA8RYDWMhY=pzM8BBg%glcKUOY>XwzqD%Isop=<&Zorbk1NUY2)GUdviQ@MGimby5UmuE z8f12Zi3EHFt{&8_!9&c%|Hdw-6cKap4*N*4wfrujEFC;mOH7UZCCsa8SRQmfm(my{ zZh<&hWFL@!n;Ia)Y!w*ef40b4c1EUb67ds)RM2^r#e+jdt2rYl9mC|iGtIWxJNu{3 z`JPaD$2!6mNtVGvPq-w2qq%YRP0V!*zS)K6H@MpGE%wL1rU`{V1MYFCr3H|JzDONV z!?=(#|K%l!U%?hQp^Eb^LXSw$qZ8;iK;v$TpL$EK9kx$^?VWf>{Th90PA_SH5?Q#oh35{jPBBp8tU3c7@UY+Wk0nNEFd_ey_V z|D(yjc^h;7_x}4oHvrMETsJ(&`=|z$W0Vj;z_Y(cLwxuj+J7Y|c2s8oK*OWE{y_HZ z%>GT;7WL2A*MIrpU^RPUiV%%g+N5ADDy6QRL*>K63`vYUpF6p8bEw<`AW7N-P8IA6 zs=a=WXn?eGFGToS)|edViXybT=6qip049qot-_&=4kRcS+;zfpBJIM)H%Y=1+}>E- z&-K^Iw=s7h)HTOPeL@V04JXMXc$vuk1a8-{S<$g=z73P%$9~(Q-miLB#BqDYDiX9? 
zunAW}35@<>1I{tlE!!Ly{;_B9T8*>RMEltf)y$~5p;vMjV30_@ggi=dF0rj(62b62RVJ4RyXD{z6|669Df@D|sQEl= z%ul3_4kyh~D1HbapF!*-_@lyYp?n2|ZY?`tU2A%7#^VQkh2!-2V!Z3_QM3f@9(>+> zD`SBIYhuJDERMeN*qfl2Onw-@z8mXDbUWk7wD;&Tf|7#w@jO zJ3BHi@X+I%gD>Y6+=XAdURF`~we0#O+ROaWpVZ!Yfyf{Lu3Z5SCwwG2I+IlIBbkVN z>2Y-xw=Lk)GgBqCt|m;q-;1j3Ym#?>>+F4Bbgv~iQ8%trq5=9I6){I6hPNVa!cP^K zL{^bFk9oNFOdU9kL6LSPNJ)SL!*sxSfo?o|qZBc_Jq!99RbJ^jq{IN(hij$Xia$=f<-@E4!acbsvB&(tkv};&aHGQsFn)HzF%<`!7P$D` z-zK;-aV5^>bJx#hruHcA-Qi(((R_@U`T+T+db??8KLtjf!lfpn8PcA9KEbPmVxqL}|0&gZSQ zR&$s4FUrsLhKn-x0!Pb@A|Ha~<)hq%M%+GPYzSr3*N3F#-n4|Y2<+CPM_@#K*nFmk z-DtrOEa;xxWPU@AuU+=c_QcpMMjT9I20`M*RC9;#p%}YyKu%QlL1ZW{h&@LZ-W3(ZjhRbR&ynk zJE(_F$&6!9YY>EDL%KT_??Wp++l-mW_QWQ?#RLXQo^$zxr6$HDR!5q6+SNf@iFfTM zaz+Q@i(!^Qo-QDgbiWZ3+@&$}5>)!82anvTUiu&da8X4-b7zKhoVe4flywmgi|{G>X>fSZCtK0< zeC-`$89Z&0Tz7Bs7kQFT-ZEhN#%SRp^OsarnzOs~_O~^m;F!S*bL*R!(jm%$qfdCF zRK~(VR0lcOeW$cn>JQ@23MKDZ zC(_IHJ=q8MLTOeI&zec&XLm@BI(~!0uHa6@!0Y(RT^&Ti<|4@+u`|z7(a4=O$ab2j zvDH28G*%KER`WRIrc&yCA9@R8pFV~CVpLV%X3{5_$;yP6W20$O2OlaBmgn})EkKEY zQgZdfHyJ9wBmod6KRhf(&D}=r>OgT5@UjBRY0&RDiUD<_1no}=v>}M5KPYjq)idI>!9p&|AB}ANGeMTi4Qe! 
zc@(x&h&enTtTq@8T)5rP<3rS_@UlOUKpilG=0vqP1hr@H-Bd^*t;i24*9QVBy?#bJsnYd9(9J=FDM0jH1v!jeg7F==7&eV z8`lXolU+K~4qIcbbX*tA9SlQZH;(<*Bij zf43=ru8lQfA%J_%@q@+bUy?LoepaE9FTP(rsXUo07OY{5sUx{lelE+d^z1GU1)Qe1 zh19@xxlXN9vmLG+dlOybB@!8gkn} zOF#$KmBHUo1>}Myj;TnX(HMIaJpur2w!bk%SJWt6E!jGcNL}!ydqflozy@n*nv+N!8@`1TZReZ6CSjPaY!{+yG2 zyGg;u0;{y)4)#|cXdUo;9IHY;B^KD>?OIdoeuZa?y-OuD)1ECZ*6&h2M4(RtIKgWz zIhJnzQ|mN^okH_?O-3Egyi=pW9MQ>L86I143D#%tJ%ilVvrUl*e{@CIE$}brmkac_ zc-RBiBxsAq$V`h+CX1avM3v)mH$C9Ca6)+OO)51NPYRBlS4>5AoP22qFpyf>9thjkHNDA+YY^dAaYrm z610o3a%)tdI4ItXuHE}|@q36WAGHSN(l-g$r)0t$QOC(1Lyb_Ux{jQ&-$2yL~)dt*_NR8hq=)@Y;_Vl2FQqPoqq*7Uis`^|V* zodj*KPQxb6sal4dlg@mMuN`t9s1HX|OJ%565XOWDlu(VcWZMRuQ9{(LIztPg&t=xM zymRcf?*GBwdj~cBt^2>B2!bFWy+#B?nxKM;lz=E50SjFsBE3tMk|0QL0!kHvfTC3C z2uSEfM4GhFLO_rbNGKtY;{CYK{N}g!K4~ z%e7w)7*DbB(O@l%H#sFlla2-E?LTH^V74I%*reFPiQkz^!th&i5~4>iY66pzoW2kO?U zMI~MkPgA_f$B5E={ayJ;b3+E7OJ&w_aECCQVkrp*`f`bs}SzJ{MI%*VGnxyRo>=7=-|R$ayg$u}6jg`1G(cgWXgG!-Q| zwfo_yyO2C!d2#upfyAA~)lAnG6hH0ptLxMUw&BcD8nQP(45)$1boIJnRb z3o2l)Gu7wLTGEt60c+M<$8oyUK&0LG?x36R$$7=g+G>`%;0ll?pjo1^tyn@nNAQK( zq04sSM0juk)ulmD!z*&DRczOY!{y0=YAO9-e3%h-xGBRy7!IUppi6t8lq~x zFGV_y2a>Ec#7Z_YIVkrxNVftoUBVQ`=cu^FX+Mrzq)bR2nb0fVAG022JN`8fSpYtZ z7GMX1PSn;A4`J3|x-K+AYkKG83R+4$rqa3{8w1&Tds}A_Zc0q(13crsQ8}e&s%kzJ8?gJMeQgdkQSSk$tBy>Ih{O*e*L z)YppVT&(1@^Nv}K@c)(Gds3WMi}vI`2+S#6%U;SPSs;`XqIH?|dt%X#2$?NoqU3x< z{SGz-*EzY%w-#-5#~c6k?P$#OHk-621M(d_32@2OBI*AEVT4#*bpWG*vG-yR<+xhaT zM^!(!Oc6?bqnlVlDYy;$H3VewoAHL`ZMK;>gkg-KVX1Xnm1K6UYUrRVN6;2~{J{=0 zbq@Inj&%W(&w;^I5tlZA;+|RrsE`Vx4ZJQr@9Znps5YjNY>9n^{|@-btzC_;4Nld0 zc0)5o&cQoNSy1!(+PaB!ZP*Avp`&wtcQ!JzN8;a}(}(}PcI(eceY{9;B`OsXKYNiw zma`6>1+;H!uetkvjr8ReOG~XX?bQ>mwT<~eofhF6sj}9?c}04xjK1}V@0pzXrrB#I z5f>3TE2&;!wvYt)fDBK6$9SlwOH5P@LC_6k`~sjRm)LmY9C0vB@x{;bw9&WEK>`wjr~% zIGy%v)&j5ee0Zj~E?#@>=Yr6M0MgFJ9yPL1AH}yJWG^P_aO}WiQ6raslnC z?&{mrQsvmW@<`%?sYb*7svt^Q=(8d>)RiFp!CUdYd$+4ou)M!G!xq+0U$fKl$zPe| z?ZF))Ym#FEVY>NBpJrRq4;xa*f!sY*K!A6Nm`QDY3utX#(R{?Pp`4be*_9gt{(W6# 
zf^i;|4sojvjo%UzHSM$X1~w;K8QW3$>B~^mDZ>f-anbtm12yw+JSR9Xx1?c4EjLs9 z-pdTO`T}0a`9SI04gk*cO-z$d0*P4Uk{4j#3ZPRORlBePx4qi5(rfRpkRl<{8VTNH%1{{e}ia)BF*Y>@2i$B>{BjpKWP9S27g7p zRrazrxp?lU8rQ$8zs5l7bvoyH+eI!^Pmq%!pQ6}dH20d}Hz>I7(duxVruMWePqI+K`FGFd(QC91jA`;DwM^AFDr9HCn z7bN$;wWt2-0R`+jFS5X05HZ1(UzR8WYMkA{k3Y=|xu(hXw~Si6=doC!1En^>_#nA2 z9=#0lfmVWRcM_=rLCwM*>O#Z-BL=~%jlAlQ&t)e@7$JNXRRZ!$zQFY7@V*zoi(UZX z>Mi)6JdDkM!LiSQ9+tFei)kqxTgMtQSg0*K_BTZTE#SF<_`t6m()OXX>P~gCqk`p zk{$3*Y+Yeqg!oZwTU>;*h=`v1*!isNg$pl?>V?_9POG_Lk|YUeATV$w%QQnd$Vx;_ zAN5*bt@h{Gs4Tzqb4c6v{h3Pnxe`#o<~maD4-JRn^d84K`mxVADzdfSX`ty@9px%?VY=lHA36O36v|(RasQ-Z%0&&l{S12LzH{ zIoP}pMY#uDZiA+B3 zQ&*&1g!-gwu4SI7{(jxv9JnW(@Femq&{E!3z|J`bEaGK}&)sVga!-*cg~!T_LbRKo zo-fi*O(M9qizsox5uc5c@7lb|lMle3*m+OfnYon{ALrz?LnqwCtR{Fa9KsEVL;y24 z0plKU(t<1=9=*S*c15@4heLuyH0ZLH1{UxZVBvJTiD99NO-shx{;J6I^5-tC%*D$euulFx;{uI3HR4hY zU(6%M1vQJ^5c?HlqLdRk-#7)n*$O$9HQ(6T`s1rROMFYZLJp}RmSC!Qf}G4hHH=r4 zqh<{;7&+k^E}plK zblGX&-eOSeYa9l=W4M6ICf$AsmFXQxBFLKXhWM@&8meWE=v?4vj9=Xtuq@&oH|*Bo zyuto8q0tu|p{=|LeMlS!$W^#>^kTdh6-;I)f(zRs3y01l2p?_b)GFy&Osj>=YVwMc z`RA&)WiVi(WC=FrJ!}AZ#$SpIbyJ#(QZ=GCLnT;WJgTrge_lBilE~V9Iazmo9r|8f zf|3mf=Aiz4wa+qJ43xb9w}33~_mrsn^g}epZ}&~DIwGL({^P!v?-+uaK}TJf9YE~M zM;!;#wm$U0$VX3#FcY)A>{gv? 
zL{wl`nO^>&ejF>IHZ=15!q;}wRg4pVl$w^TyP?6oe@NyyrT>X!+{5ZznmeE4@k!0{v51?` zdYbVR7fl7;0C4)wf!pOhg+?H1y*erK(1|+m{zG%irqpviV>F+w)&_Gz;<#(T65Ph8 zuq`+PLM|m2jxMySm}*BRLs=AeP6r|GMOfB-(eGJyaZKZ$TQC}lm%`*}+lVeCmIgZU zRdL|~+ux3}m8!;N#uy{xo}tn&Ti9SLIj!^P&wE#>NtCV0L!iMb7TA%%kyN!&syI>7 z0&mpT_||ZIW+*TCKKH4uop$JqFCh>p^*WUqqe2KZV}(<#Iv;PdOj_NZquo%kylC>} zOR-rEY}@+1X|v8N?!?HXw+7%Ch#NEkauV+1HEZ8Vy+ZW&J^yxz;=0$>z&kcKYvBHH z%(>tt*Xsw>Kf|vi3XrU+r#wns71rS=TU9vx#sfB{=xJ{~H7s*YNFB+VdW&s69$~x= zM}LB|?s$#gnt;)+*92KyosZr?S(>S5^9(tPN`kvqX?CFe)CH;xCB045CP)m!xYhCA z(z(Ws=Wwmt%D+y|N$$%x54Kk|D5tNnOK%wBZmKh#sLmndE7Lo2{4=VSSx@Qxcyrq& zl08_GMA+E+K-!A;-!lkJ*{EFC%yY!#04hK|7 zynFYh71_cof95D{;OsYxvmU5G-(wvz&o#h~Y*Gxj*o}xF$e?GldH7!hn!29RqPgyP zwFafbRV4I^qE+Uu7E9vX;NVA$~L@ zL15nnQ&Q9giN+mmB9v0Nlg#~;_WTRh&y)lW408><8Vd(p0%;LB7o5KLY3=rjY7{V_ z+MvKL^9t7&-D*v`H~227Os{&v4ncE ztjvlS*B{@dKS3Q5F9`s&zMGea-5Eld9@s;T3d{jwn2zz0iVJ+p9B5eFzYgdqp+L;U z19_A(ja+7oJE)NC@FpH&VDEw?n?5D;sdv0}RGeY4erY``1TxM@Gh`CS-ito~&m0nZ zfNoE8fj|XdL^T`-WtHtMX$mE$u*-0Sz($0s^xb;#@WUF{;U6Rb%LeL-r&lqcc3Tly%RTmFsaxPOu8RhM! 
zyU3b_XK$~jfWO?ft5N)E8Tmx$5s{6|oy`Gp&+{$~hw6>9PfZ^D1)2M!2swS$9U`CN4U#CJ$ZJI=wQ&$b>N_%9?l1U)(i56(obMZzx*2 zE?k&^HCM2Ri3(zAaB-1!J-H(F$ma($iLMjE4LcL+NO=yEB5tA=Uob`}=9Z}isLadR zMbitUp?V!tc^EEX{hzFy_^xac3?ZZ-Sic8;@q-TlXq zIJ1)%!Hg3TjUTFd0MA}#@;!VN=4uRXu;XQ%|HFWv9+-#mhpdiHvS-7}R4fEd^-QrBSH0Jf{a}N@#E*>>f8=>eH+WG{xY>l!1K1WZlw70- zly5eagE)!{G#rx;y=8UkRALWYD3d<4RMJ9jEkc{hV@uJk>SvqvB7{~`av;vaUQ4|R zis`?wLRQIH4y1KA|E6MhcO03i*wY~L)$^&EI5Du>Uo~E%v449RqGW?)90F%$mF7bw|pQjFr zsMg`NlZu9(`NMr(L_WgpPJEk;6Q}nwPYt|axV;pkzp99gU&I;8Pfu#1bJ^N}-2dKswYN1*Kgsdo}yh<2|<^OTmpaqJrsHLT9*->&gfRF zurs7id|bAm!Nto7^eQlpJ9kinD_W8@eW49#5sh#P($b{>KR6D@LhBEc9$VyxSQd`6 z6w%LGJ-NWY@@)L&XJIoWi)zTSFcia^q=Xc58>>S_1Gev5+iS8`j&g~l(-3CR$_F4T zLQO`Z5sSM?@OUr)H$YItGLUbq{>xv2auzTlddtoAsY^M$mSSmF|2Pbnmn&$}KjG+C zqFf|qn!q=EFR1=p&bFRSM}14N_g#d9#3@v42X=_QZM?k322>Y zs8VVWkZ<5?w3>Gan)L^Dh$Z1y-h2t+C9|(lHQ>C+%}q_fWL_T7bK#7^u_8j03IGhr zO9gV3T%Poq$5-=5*Y6I*ymCoXxH{I$WsLZ!Xmx(I9h!gcKx(9-KycXk_=5+SY`JBQ-uYPLrl_a(Ei_yIN*zVDF zWD0Lvyk|Rub0fSY&X6FBgJHPLp1|fab2kQjU85Z9@-h<#yrf$Vr{)<3^y!wus;Gn1alH`qH%?b zISI`Q?-aR=3!V;2(P_}~VeL=aai4sAE0E{f2fA05*B{;73;(6X5)PMEBAEh1m^KM_ zs*uztzEM}U3DRehXc~po!j~j@LgGsojuv!K9oGkpNbs3qS8^7y8Z9^+1?LRChg+bU z`T$t(kRgTd45JDSuT!6Z_D>fmh#ai_pxIfhSEcebQwm{c=Yr(Q5jWFqKD#lDha#)9 zm;^%+GKV2*SMj!V|9(&!&ENNz{7GO^Xec?VT7|^DrOHMe)H>BJuPAGF1wFvBoQK3} z&r#UwLzggYGvk$w+kM+o)jt%G>dhJnyU2#2STv++{;!0?>@NjR=eJK*xit6 zqTsw56@P*dP(aF9xOyJZY3T_iw~c4hRvurZ zBU1h0tdx7@DHd9>SdpliWNZGuH7KH4ZL2vmN%nvrzdG-#cV+qgx&#aSo*CHz&(>=T zX|W#WarK2N!Z()PWlh&e9||rUFRLGwo-r3}izhQM z$oxX02KyEia3Wupa)+5V(${yyf&5FaW)f~NslWYWU(--%RT*q-k*_|1VZ3DW+ok?@ z4=XUbE02Q7?N4BUcbzk(tTm)))&*tWY0RpdX1(qv`0(;o^n0aQAtxbEz^Inmd*dKK zdwJeKulcoo*qwe^(d28YMorIm;)w)3@f__8N2frE?5v+z`Nio2=gTb?ZPzn>pzGrU z9=>#p$rf2fMW-7Fu6|~F zf#NAyLL?tEM3(ogKrLM#OD)d{y1kI(zpJ^4s`Eg)vLzBGBSzdF8?qK!o=xlr9kw&# zxmUV+^UsUO0KlF_>=31KEf-ObHCk}tn{V{|o?v0Gg6rlG43)xzuu5D|UBS(B>fp;Lzme6jldu>ta$ zFCKv3*}DWcloUd5e_ZFiJ2T%tTa?3dVIwS-dY@(!HMNDs2kK5N>Kn5?T=?+xqmOH} 
zuF&bER&Scap0F@<*a?WE*9!q;Z0KElQs6y)1AlMbmzC3njGv*c)5F0>@xz1);(&{@ zoV96Vlk}z4p+759KatA4BBFrbNoWlTl_#5j9D<*7di?p6&?6uZ$#nu8J_IsAKSQly zI|db&%E$GcoKQ2^EOJ+o7)b5d0h%_g+N3_UHIK_z9LVsqm|smR#x;Rnr(Iu(_eZcf1jpbi&_s^0DngUTfYbR zi2Dzg?BRcq+cuc)p4?F8UI^;K1SW@uxH&mt=1mVyx}OsCcV0G%3TNDwPJdZc0Sc=i zNj;niN?DSR4?W@bGy_#!5m59-!JwbsMZS{miO)JzexCXr%r94ebzCRLQ$qA>T#@uh zqgv=UY{#L}Pjw;u)h|oJW^!&_nKje4w-2AhE{l=MZ(PntN65@wgu7NHHu6C21&S3K z=HEMGM+^=IzODh}^ah9{^2Lp+&b%uRj9|M={&M%W#*AF(yhxXO#hLkAGUkGP`sk;A zvi@&g+kV)oW%=$!)`bm$jMS>RKL66oN^>>zc|R|0&!kH?&~9I+qir3^&P%8suulsE z`pKiI|4eFoc$lCrN!;uc@Xt@jL*DMplF;ToDe+JM@db^c(&BzDRAX30HgAQ@p7NiU zmGO9Q!169yXD&4Y;S2p%l0X*2Kxl}WCIDdC-C^86N!s4)nTtaA%da2_i(qs-iI*y3 zPV#_{8nplyFjfcv{c~Fe=wCtO-HRNd<{ycRz2-w7-GaMUR|(irj`y#^PjM$bU$tI2W=s~Dl;8P zhJ0~?>?A!yTX)~a zAh>exFp-*ugK=1U^B?sTt38{^iy|ApK_*RU8>`RM_iGJ%=D%MbymUUCSAWt!iD3)+ zD{$(D|H$3K5WRdR+D6kaC*4Jsm43iGM~T_M=I;rNX`~E-s%#?%oC6)e!Cr{(OY&bt z{RZieA0XLXbE3+ebISNG?l|V38$5%46)2NBjcEmPa7N4WytA;$HuVwg!H~Y3;@}xU z#g=T3uUWl1uLK?0-pee5qo6!gQ8Fjq&sK$KSJoC&*}>9)pYP+kThnvBt8ymo)=>;e z8Mx8KA~{-}@b*1Z3o69tAJwZWHw*wT9 z&$TVy=p5RSOKHksA5GoK!2yUezP1ZwVIb^m1iF@UO>x*+cAFVPGv$E&y>rUR8Y+zU zpbj(ej{6YzSv9rtCwPZ<(|P6!6%kUQj%E>JcyBXKRTfH<};tE#q~ z5L7PSoLbFYzjDW@MOjt)QozmmINJ%lanBCw)Usq>lBqv5enF~jDqk$i?saznpsSg> zE_Uh+!uzw@P|!RGHbI>Q;|vk;HKDo_Z5OD+$AIpqOI^Il4T!Z-`W1mrvcEwpQ8#t6 zIUehC$!fH#{|2260&WeBq(?!A4^r-k(6x?;%F;ImugZ$X`9>^$>1q;*Ee|{4v&aPZ zM55Bs4cR=A=wZS6wsg=ecXZ*$Fc#Mv^p~SkxlYGdas`{iF^fd0Mr=A}R?i*WyEvop ztwqQs!&{?Uq$xnhUwxx}gfWgfiab&8HDkUU)z@{eysy-?O*p}z&27`~Qg7qE*&e@J zcFDSNi_YS-K52~llvQFM8qNlcmhm6cA!cIBQqsX2TV>qH-q`nN0Y}%o&b-4WBIhn& z7SqP==9NC>u7Ttj|ABFc$WCl40T%&R^We6U04?KZVJdURqI7hAX*~AN+Xv7-534#C z6M;XVGP}ie!%wLiz?Wv%K)RD@uL}Bue~&f%=^*gbX_#wZq3{R3N=ny#w@}Jn^{JKC~QWg<9(tk%}g4ho}hE1<+2s zJ=qqZleN+x$StTT1jKTw{=hZJm{MEmxAZ7quD;Rx65&JLFV(&6Kp9D@3Y0rki}()D zi}~KLaE_Rck<;q7dOqJ^y^b>FvrnronM=~6ay<|Mh}Z1oN4TU$GB+JT0f$Id7aVd% 
zu!qWG6?6R3>1Tt*IG{6^Ail#=LN8m;?405Z;xLt*#fjN^agZskW3RX;spj`%h9&1XClA2Uqf9vfM3l%A7gVp+I!t-sG=v%{N+Hmy)$`|qj z^v=vRf+Q|;%X}%Mzv=*MJBAWmO`YJ~631nrG5xW6E z)p)wb-K{$``(DvI&L z$8^raHZ^`s1gK`LaAl~jJ*jSTUa=uKTvtsLai-h&fJA2_8}7HA2ZB~7D!cN_qg?g5 zDTPzQp8;PD2<)4E{%1nftQQD2%!{Z6lR0NG&@Ll$o4P6gDoppM6a;ygVlMO0v^j@#DG-h0Tyrg$vauOSV zwAQs)pNVB%g41jwSoY!k3z9LRdP+ZzE6PVZybqr)6c+D@k8AJoq?&4~kbL4n1SIi% zW=g9PZimo@gH>ZbV(M#K4Tdf`Wnpz!zeE+rW~hQJ!v`>Jz`BWe3F}&{Gf$yHHXz(o zVP{_Tiz5evA>If(J6S>%v&SXA+Ez(C11Q-DCfp~Us$0|DBYe`q;kvZW*@zn)&|osK zK}KX!r=X`>RT!fce}lODN-a^nqKzI_GoEX4j2aSOTkNZ!_J*rBP-21Q`UWDTdIcZY ziQuJPtZ0l-96r7A($?B?Q8y(FegmAr6=!`Ik`j3Kn9k-JnFmU}W3LNr8v(Px8SF}| z?OkkuW99LTy;eHOtp>{>>-BQ9Soyl9WsBvy`liI6!X6PvhJ(}1)m4{?E%-)EOdp)1 z2eTM|yplt$IMIyi^A%U-g}63p%$|VB=N?^*N%H8ML*xg%{kmrH{(XX0-0}DkX&`4=2fDM!%DhD`(@7YZDUM=`0s)@p-~S==0MmGPL%hMj8`=!=@CDLA#UTs z-b_yV>UHwZTpN~bN>;VPC$=psD#%L-lSq!JM6^EPR31B*7YpaozVW9HV?BrbX z_DVJ5hmNXtt79=jIdL=$zqdRbPZfWtJLC}(jGGo!=9tmYzgaZvJiH858Tn&+!MG26 zI{MiWB`7y=P^h(rEQK+H>s+mxgOYo{3wMMLCgeILE6sJ&e9mG?e-6!PK;jJGv$h+i zXNWx4cYT_T?)GrO&imMk;xY-{lp-oa&?DltC1_&Fh+jb7wo!RNL#=$S3e^4J!DbgHzwL^*G{yWk2DsW-yMBBNseK?y-vCUAi z)x3-%29j0LGth0?N5Lj`Cni=|?E>&)2)1!4C9%ke$cDRnTZ9Jpt#pc4K|Yg}GSPIY z`_uE^po=&uQDd6v^nPZyy)ukWA2M-~cLu)XKp)?^w6ep=ErfYxw{4lJM>H# z6ovqXVi(A-eJ4HybT|en6tSi%pe_>e1wMdY1a{I>`hcM1!O=JxEJCbZib>cX79sMQ zc*s8-{pnI(#c@VEZbsnp&HnNj>F%c`6&_?WA`;KL3{L>}LAd<0mFA!7o@;dbd@i2n z(oKbg2Ck&*A~OZ25d<&dd?ghS>GHP%)(bZ;0-}9heR+>p%h-T3wL)fQ%M6?pi`( zdw_UY4Cfyct_}_&>==yrb)2oMB`FnSIArP)xmP1}WGlKEJ$}GDsbtz4lD)7N=^B+gqk5GtMWHZO4Klesb3C=Bvjruo=m3+01L%{` z6l7gMmD79I%;TpTioecV<}9GjpE=Teh0Vb{yIETNjE*kN;`vcB0`~wpD<#|38>&-s zWf|;z!_U_17ciU4_4uhCL^1$lhbeDtR*=o`w}A-SQw(r0%skDrAhOsJp-?T_M_(Ed zlCHsz;Dd?UkS&QH0g6+gPgow=plp8Q+?l73lb`VyCFcL+Je5zZYKEW@kWXuozd`OQ zY(fu-CEe!7oIz$Dm#?3AC3PVSDmUC?A; zE=Q%^k40ahX_rK`W;7e~1+{eBs^Qg3mgRXCuD&hbdw#Jv#zy@RcZkx{@HUF?X z6V`lB#q;%`ljqv6pmiwQ=>KcT%Ks}oCiwT?nF0K-(f{lF|L)NFdpr9Jh0TjJ&Yy@W zy(peY?|_~Uu2(0w;Xr8nr>0CQB6v{}{NOyq8<0eZu#%;!+7i=gcdWh2#i}1do_Brg 
z`EX72`E$NdeH}D%T1yXFJxjb|`eXEljj`B{SCtI8tbtOlq*IIc%*K%np*6qqMaDgr z>+A1u=$+7PUw#1~$~U1GOc>h$4?`8wDfp-=kVZgO{RZ^_rJ<8MTXH~`{q7Ex3e8=>`fOCrYBoQV!?eeza}tf1CI;OiztA zc?Bo4qozV-I(qhg#(FMPj~Mxu=(^#@O3_;t(FWYvCgAYoaWZqw8}^{H$-Uu%w?n`k$mjX$ z#O2DiB=n$(ePh={+wTF^vme(#e|p+ilkA2~1yX5qZ5#=b#HjZdOU)sUB<0QI+|c>O z_HULdOy9hSY~ zb9RG#+fh%NU(a;BEa*0Qdwo$XpBvViKU3AZZ%jOoOw8|9LGlohhGS3M8KSS}JSyI& zz1h!3+0y`L@0*Xn>zvwE7H9T)CPjE#Coq%RMJ1JQxp3W&nUiEwJ-lKji9;6cd6f#ob;zp024jVHi^eL{JE4pnZ@Sfao4R2J~5^LrEfV zp*}tSw^IGZ*S|q90KO#vBBKhwkd_YthhjjTZZ)H@7@B2(Y|1YL0Vf>xQ zYf-JnWyHs;w{twsQCBC~^rsT-VOLFRA#-^XI zC!gf?ITYW2AUpurlwZ3IOCdt3OfC4+zd^><0L_`0ZZu*MK6Fz1voxDySbsrEZ>u~Z zm69b7cWUwr8Sp164TjkjTYNLgis$QnCXvM+_JQuFzO-A&v+a^(6zXb*rNy~(tlz%% zfk4XQIi%&KMKb3eMn0}iw^eI7%yzKz>iF4I(dK*NOU7bBb7lMl@e#&$Me|>5K#CNN z0CUu_p7DTp2n?kpynVsDE2s1N%7x8Z*{>_XPt4m7GXkx`<|eO=s`Bz|j}CH$mlb{N zpci=|0Qy5Yp}Ea1%WmYW7%=&3Y*2>&mWE|^78=ATo<3qif8TtXdVvDeCW5XlaRd2S zjs+{L+fFXrb0`-UPYwq^jp8+DyVf%*=6zfsQ`;}N5Ohk4`ZeP7I{6b;j20lbvd_tb zA%1G78rUR13FVNU!O^*aotGRS-Exaul6HnLi{a5ntr=Aax?yjj*$Lo)NdFdmet^nj6e024*!hBSL-Q1YFY-ZA}!OG zl%{}|iO3sy!&@a@ZWy(DX67MDR&K9zR@!Mg8ZRX!_N#BK_Z-8VaJt{(@kC$# z+jq}f?QyDOcd+eyZw>&oqQ~iVK>v=I4v^<`)^7klT&!rkah?5|buJmJyqUF3FaNd& zb_?f96D$5kCDpNhhD`NL~x@eY1+Rg?I=zz-!E3xIdyBbW4&iG0tG<+pFqz z1yK;zeU$e|yV)jo#QIiR@$$-H)93FJ9=2 zuTR(G%Q^%+I(L$dp7!L0a0r#IfbAOrT8P1vk{p;IK*`-7e0cig6Ff4uT_mKyRR*USvFbruYdnX^rrO@>*364Pix*?TH3Jp`Qh+ z2yv-5-?I<5*<%?&LYkl6T&@-q5`osq7fzyV>Nsu0aiG|t{ z%Xo?^+)%}BLb%>R66NqR-)g30fB0VHm*8s=U28m-IG*7i)sN5a)>d&cjBSW zLU^(2GGvG57#)XnJ=`~sV$|2xxcqD9pV4fyWIxz?pt%DDkEK~;*rz=c9|MeC>T%Y+ z3#V|5NriZ}lu#vb{C*QU<4Vcb`%Cy)H?cJqVH(*Ub(B)kTJFd8m+3LS~<|8 zODbXKW-eOZ)twP%Sps!xzezk$uIjEzgzTD;y?%r2MSzyCcTcAl{|Kv&ghTBB(MA(| z|LLE{h!4I}L0qKvssU%5{?7t7<*FIB7dN0W@FzeP9-1gHRA`K;VxKMk#KgNc)JG1{ zU^B_;LRJ&1`sL1?_&n(@H~qxGpP6HWzrAYF81>ZnxjH{iCt9{mvHl0jEK^#L_2S5- zYfoppewKc^TTohcU6ye&9CC&nhA+W5byv8CdG*{lSQ#^%;n0!MVR4%=<%(jKdH!X} zze0afM)>A2X5%DZtIv>(?uWhzjmJJYlpBB~!ewWA#IRX$k-4ybTsWd`(Z2Czc+i|Z 
z8bR6sq}kw_#jb~LOWDL797}QVQ%yok?gb_VH6*^(^;y#LcAnY?y01W?5X$CP#ZP{M zu$)-3j%`(X;#HW`d;ir;PiPv9heEF>!uJ3T_RZdh3a#ZQscD#fqs{+tt$>&DU8MTD5w!X^;a$nGy* zn5!jt&ZT#0o2Y=6v(0HJCXVwFW+s9(U&};$H5t`^(ClSymEo6rkSs9CUj(m@Hb!q< zr+loSmV=@}{aG)}O}fLs>UMB%B5|hRXcRn3{rvjEr7=+pJG@-2TE7M@A_Up$}<51i^d1*CpJFfcM zpj@wU=?gjlRJanxWvX!kmO&jtFpw_+t}`_-V8n&Q*t=Zw9i!fVyCh!2v8z|z3?z0y zeRQiz?bLzA+J)3gO-S!ff`of3=MrU#1JFWBFBtHuv041Ur(ir~fKDA31WND$aSb!n z5K`VM|BmzY>qkiG7q+T>bV*x`=<9%J(;hE~QGbhfA_(BkQKWaHu1aR5QkP???nJ!ay8VcP`U%d#y;Ekw2|+K zI{HCK+ql()vUpQwR~jfH6|UX$a166L*vU6m{O$z5@=W==?iGfmTel@d9{H! zJ#|CT#t$X;9x{gH|3ycL)Inwv-cVxvrCRkdhutFJhR^W2YnQ{y3>a>O0%5ELgW!*P zn8F_nr3?X(PVSzV+9EA)Du0fvSLsn+kNNaMfE?UPhFe z2pvI&z&z$rhYZhG!kfj%`_JTHZ$(lbXPvb_6FJcPjBXMss$@{MIe%w+@1A4G=l7{= zPNZJ5$JWX_Ime9z6H19Ak*3ntV)N>ls|f!jb8gc)v2W40(FS~~oXN~@o&<95uO+H; zPQ{w}IcOYm3|qS>0sdCbP>ylBcdn8i^b^VP-=X0!Pb;i@rICdx8UC0s}HVaePs zfr_Y$A3aoTP*-^3STwj_Ym$onmM5F4W@~Sa?i-^dt&D`vNVGK8H|L3gXjH2sR+d{t zjKZ{*s)VUu;WZ+eAs<5_KYrq;5_Zlxn>naNBp2}0mizSOx6nB5K(hh(w{K;rE02W=9t&NdPJ)tp-;cVdiM5kgptS3PIdUtD3C zT7C$70UJQnGrnl$U&`Hyg!4VV5@dXLkN(;TmXDsm^jQkUUS6;k(KOLj`=a&$=>(bf z1WpH{UM5EKp+aLG<&8Xssj>1KA9XY_;QIy$i*)2eExpyQPXbb#tHmisuvlP2tY?fM>!4@lBOoX2F9lh3-^%3Gj~356i@9ES zFM79QB?DC5C*+7!ai%3Vo0ZT*ob$g2VbDh@oYH&aX_tlq5e)St_^D7!Tuki6X^Afx zwGQIn?$GwEeh3(@NpssTB199hI7kn?RyO}Mt_|rBSd|;5e4^ZJw>Y=($;E4m`mK-F zR;&8If+&ERB_fL$jBnLKFA8W!m3t~4xvREcE)&1YA1>MOGc&~otWR#L`myt3u^!xM z9FJf@6Xi(;U7xIPR%@2&@)xCl6?`1v+>s_V5wvhw@J(vIr^_M;P%U{e&r2rw!((GC z#+U3aukStVJEtHN<&2KK)1{VT8zZJjvwq`8%{08@+A@@rTr==?rdZ}|7l*`(<22}5 zzfsJuD`QArnQeL0IH9zjI3S!E9(uy_7#`^t$31c*c461zN8u&SP91?Xjep1B`wJa`*O)(F2e6TVdE)*l0*EM{e-*#K$Q7!2@&@dqR?wI@I3dCoyH04`cG|b^8}e^ zo>%PyUnK&06D%Wt>FZ-Ki5?JTS>t-){MWiGY^U@EB3v*db6w(XcCo`qL9tN#r)$?Y zHNg34U9x8suN3K=6S~|a-A;<^|FAg&cZRY%t4kBdF^lX(+f|h>(#PaMH&uO85w-Zs z+z~G?vzbUko}+j>7de79?>kEVDii0_WBP05-Y7iwF`YF@CcfArUK3+q0U;cDA>G-59t1UFKUl zA&3&KJ{bx~(N9SvXMn#^hp$y*XWw9Fe})w&`b?=GtU>A)v6f46z8&6V4x+HTJ6Xy- 
zfwgBui#`9sFvqQu)sx1uLxX|9eSU$7p50sLZ2U222e@9R4<3Vh>H;(t8THpDP;7Yh z8}<11O)t2!+1YXzOT5XccoiJiQ)F|iHchwtb}v;&?B}pP1qjZggD6qOmo|--@!Vw} z0_q+bo#f{iJ7Kt3=}gy0WhCDsl1K(*>ydpnj-ZI$z1!oJ_e_5jCa_z}D&%!N?d8^! z3ojT)q6?wy9;&8z$G*;Bze0;vC8wWvOn$;fFD(EeZe3BNZ6gMbLZEfpA&fReNrL0} z-Mza_X4(@1S2>FO_Jn_mxPMoni{d_lmbo@ZfBrb{CQ!cP`|O#_km~oR!(wmJ-~ym3 z50}88RTbSQdF=xhBcJ<5==6L%d|gDNHzcDqXr#`)au<2S&Kj0L;t18m@pd8Nd7G!Y z<+NF^8K)biab;kxy*7N2$Z}43c*$lFo4O2T2m&;4VTZ9~#<0^x#RGN@XN+kTou4GD zUPo=joFxI0eK-@~H3o@L7a>X&0i4+MCF=^93dnF&)zrX!r|Grm!_U1T@zcNvrch$x zzg~6#TiGTQUp4p@=;`6DB}U;Kp)&!SecnN)ob9Hwndvu4s@7JJI%$tx_I7P4aBAQwMmRCvAq!CGd{IGIjL?m(X1&%Yn^gw_FH!-_~rBTVeSLZJbcMgDC83$ z`0hONC-U}OM)8ds?f%?56;>hMi_M45(Ni|aLj`Oz#)*&*J% zX(Dri&vd}^F3JFQ^C2vpIsmR`iz3q%Y=BR~l9e=jQh?~bJZni|k(>c22Ge@__t z&*jAjXb(>aYtWz;o_?@RO~s_)v(LB;SA5?-7YzwQvI1^e_N@RJQpIa!Voxc|o@BPJ za~Cg?g1@E%um2??G48Qa-*U&KVGModx?t*au+}J+YTTl_tFNBi zow9cSZw04+DCqx@?^0+fxe$+7svz+mm0Pk`jsOv8;q-kqw^vA*N8Ddc4Y^0#Ej(qP{4))6D^T|JIJvhS?f0_JP<*S(jm((0t`wD z>;J*to5w@_{``tQ8r@7(P_HQRKQCiQ{bbg$oHW57j6lEA8XdceK(c8&J5rfDB}Z`*SN$S7LF z?fP>`_V^_O!236DzUU$NAmshxZtiy>3MTQkIK0eCp<6}NZq^du$Nm|T%J8=r)c?c8 z`}bIh|8Fm-|M>g=)z2ta8Mm=I-Q~rYC>J!id`}`*GNa@_79ZL=D-uj`K=NSXFt76(c@5gW5#N1v0e-r#s^Z|4)c-+aGK+p6t_ zM7(N=MMu9vZ?dP7YheaNRoPuqL~{rB$UhVdt9U28n9ET-Yn0z;oNhj+TR|BN*G%Ak z*@e#1lCz(|2*7>ID~43@TIz)^fwq;&PmdfaIF4{{OI*`s0|14Dh-o>3Ldkwxu~d0k z{FqcBP|k5=y16$&*C)2tUcCGl-2}3QCXBae7py|D-p3Y9sJ*!(m?v*QTtz&_?iFJy zaV@Nhk%QCznH@>mwGq!TdtqYP-i5!~yp})d5OO%*E~7DuI*N!NI->RN47c$9!wRSE zM69L1UVi8Gda(Ab;g`>-DBMw?Ythzx2Y#2NwrzMM-NP+U`t^G%Mb18PsL1B+ZVqR- zQ)yaDs`*4h>~n?7L?wmB-U3Iqfp@`#F6H90ot!5VVeciln~uSc;y>m(&Lwa)Sc)gQ za+wd!I4TBQoC~bf5NvMU1{l?ybJ0{GpqkA&?$~kp6()2Z|LbCm_vy(Ng^rpIKM&r3 z;H{$x3|?z6b;JPbm>Z3c^a)2kQ8%!6f5P?AlDEO?Q^L|0Ax4QSvJ6WvRb8y6A%2QH*ICaAJyCn#cYXc)4_%G z5id!hv+Aviu{QL>TCVtL$ohsc)X=d;Bt>Y>dP6j^=0>IB)T5_J(b1(9!Ak(ev#Uu2 z)14&enZ833jCuy$cbv*eErTp%_^Z&G1b_}s@lI>-ak2$b6UdZm!NnQ~a&S1wPbMMn zXHt)9$MxCd^*FBN9+}=GEl-X{m3`N_PpO=HpulOu^aewUFcaL}L`iBEjn&_7-Z8T2 z_eFl<tz 
z+?ph!HyY4YeYUE{UVS>dNI=trb2CK;N<*sjq$qvoHA|h`*^S3!y`S$d*sRnlPdsd& zy5l68S9EycH0Bm&CJj}A3q@!FNK-pPfmEDt_=%+6nh_Y#|4;?XSnC~Hreg37SFhW* zUk_k+sb+^5G8?i*rwS9>B!ZepVdL~D5d0DpCuOvFObT;9AaTNcPF5h-qon`EC>F_A z)prE0Pc8JMDBxoZBJ}Yc`;n4^s@<9fex}F2pK@ln-rHWs*1YslZarqop%ZjZX{o6@pw$Xv^JfF^rVyhuWXrA~2C0u*d(7RAtwoS`S7 zcPp$!0=Y-e+$`p+`QZU{Gfqg278-%XD2-YvIfVG7rTtO$i@bZ9dG!vRIL%=&=w%OF zk{~(j+0GfJBaLc>aP4X~vYLf{7Vvr_-|6ZXuX-bG8 zUmI3ZTHaN(Q-#z1KD(pl^+@}e?y>Q>#0urW(G_He#7i9B1T(Ha=TS0;j=6*VWP|Ho zT(M!V;(4fFaE)%VNy;xVMq(}{gxCV)&n=^AZxKSPD7*=5(sKjGs--zI3FUCz^4M?| ztP-{-@*+RiCP`M9-^#c06VpeWpbbOleGKnr{ax|t z=L`((bR~35VNJLSfprsnGBKDM3aL$qcs@)D{nS%5X-Nv%d@#DcD6**UdoS5R^3`>6 z1jN!>WLA;FjUswTg6XIr+)yAv>#k?y9!s}1luadG$Xt_~(O*03Z9nsG=JmMwgfJ9G zlg4t>ITG$8wwPovA(CHTo!W0x+>of;c~eSk>>1~+%Oii$Z2%DyIws^<6hldWY^Me zZIMa)U?dmY5Mo>N+o;7OPfQMrnaRVkX&uFf5(`EfIPsH)5m)**+*IpqD_(whZkRoI zR_f%pUYv>&(BGOBmfJ@W>8S~{qZBwbzQF|TKYFDc#tRMjeBaVP`uE~g!5kx(NxA*? zZ!a^EKQ4In@qV>vN0Ow`>z~$UG=q-PWY^3iz7OwVtE@=Vw)-_gf>s;Mm$;ZDb032{ zo^=2=SkR6fGbY+lt8@gNB!n;yfia3lMY_WR>kIRqR|Q_j*-x0bK{rcJ(xr5ENZEdI zZ~JzduutK}5}{wj8EX1P=6vfN;3ZHCSFggNbOfGVQlW-->31x5Ba75+<{2|SDhpx& zSJAiLNWMY){uKq%dAXIc<%#&0j^2gFM>DFppknb-jWu6tAH(bBB2}=pLNkxT8Id{{ z!cAT zAvah+@$*<1{-)<7L%S0EEG)uv27SUcqHDW6Nxu|TO-fmUJ6n(7m4)GYp3)h#Zb<>5Yh07jC=theE< z=5ej)$QKdq3CG9RzE;0l=b!ND8BWfv-Ffte@cVkGNU&DuU@+vwGI|=qLHmKkLpjF{ zrg6s9PYt%7^PIvBF8dkoRmolMPCs;(!-w{NNzD5S(KfuBgkU5YBvAWv^E^hWZ<}pIn7q_`!2xlQ0K=@{IF_kG1>+|F*tHKfh znAFnmkHtK+qmPxMGBB@rv99o{#{!3B z#8c&ZyPSKBKuujMDVhp$)sS4c4mGRkn5zvBNe}PcTJyrZ&fQ6IujI;Eha|r%O%G+~ zjI8xuhb+-O)0W$I2|i8*!8^nnErq^xDza>RAV4N`XPt&qUXdKjm6gQR80d(L;h?Q(95bkVOLA3 z%=Gd5D$vYHlHT74b(w&*G+y)9?BK~0bT3)Tm|pv_cQNhrv`hS)a^5s1YcgSP8>pA} zmaGUj73H|3ew~i;Q;Va%Db{ZM!C{wr_QdZ8_n#e8rQgMEz{pZ?18OqG4aklEw3<3i zs$aR>PIn;Sb#@aHqED03O7QCOhE+I5R6+S@gA$w#8grVm)nY2QM{L7aM|`Gu%U_S1 zi?yJq*W?MD(tIaodPWAMrg(c~uz7{Y6_h^@4Y34?+~tf!g)~5>4yc z%(M_7izrU9rGnMAM@At;2?Z^E4F1LjAft#^c>Z?FZK*m;UrSL|!SkfXqPmY#ZGjpE z<)7B}wKfc{S4gt6e!1bpetyx)`0Yc!C#h%7HHY?@!ur*L$Io 
zR&y_t?#3&5NoZ`g6dq9|NeQ&{y}}8o;i7KCZ{mAVbC-4}P0nuc(-c*&3^q1DYsw6X zrOItXu>3Vd9hFhH63P2Hp{8HsFO9ys_uxLAb})JpLprrYiA4hGv$bwe$q%Hdkx=tX z+q9Ew+wSa@=JoC+{c{d8028y}xxPU@2B#;<;BRyj)2WpnF<31no5|%06@{v^m!=q> z8A@z9e(~x{{XqZiRGG^#4sQw_V=zeEHQ^y5qPK3CpL28e%@_E8qC*qf+#$Pw)lITO5tZOiv*SD+!C= zURkHO&h&U*PrZ1qb@BT>A#t)7FqCNG0!J>y3^Ddhf7aFgIIfu{U9YK-+cHqvjls8m zw;Tl9`U#Vk#m>*Utc#Ndgp0)=9#pC|rmPbQDktuL@Gvuyq=C|OgrV0g zB?9_X-=Md*<5#MKhSa+xXi*N+0IU>)zrp$PFFJ-MHCGt70!_{7qVR&HNlpCW3mjDH z$eFCo_I!AqUGGfPyCp$Bg5gFc$Xb|5%*1R`DEJrM_|*au^5##iOjcJv=hM-O=PtHZ zsw62x%~k1l*#BXb`2QZ*S>j)!g#VQ2Q~`Wj*KESr>elU{w^;4H#-U1V8&m3C77el1 z62x<0akowm{7AV;k}QRvN%cHOo7Nb)0Hsu--gvF@?Vt+Lk$YPaO)B_lfc*QkB49do z?e~RpmEsqCk1pt~J29-`#!$DvWbCw0FvfO{7&|SU3%EU5gLt9_FAB03&m>sRwaUBI zj@qbB_MiJD%Gqo&38B+E>xGBSjsP9G&gBtq>sDb|sX4vlM=T^ummXiZJlb;Tn{!wj zzp?j#NqEQ1DqQTTeWn-fIXzKgqYaE;A*{$zRy37GZU%qj_4lWG-z2LMF|@I1HUc#A zcfXo8^UW`q+KOnOFa9Smsn%~|U-n%>C&2meuGneSkw-)FyD@Jc2he5AIsNczPd|uq zpnH1xHuD%tSlGmyXxU#KGn5&b+ENRd*3jgf(=C-Fo&?&`3GJA@-<-7A66gfFLl_p` zAd*WtIrxFQ%TrYO;S6;+%vNQyr&n9cvb>qCEbOv+$8J|R{$IV4_@w=F#>x$1YaR`y2Jwco4 zMRtAj>mNj{MO>ePR8AcAuWT@7r=e^J>=kQ`*k`cGBYhH#LGN$YTqn+q#?!_nw(o&K zbr~Eo(ik}NnF!%W(7E7PM@+?w?07n(+Z`FVq9SSxhE{YXvQqZ<*G+>IHVUE}G@m|L zC$^n$`@Z<-8}6-*>pZ(-vyM`~kF%<^@%8%nRrRw~SAGbF#uhO!3X?}?5+WQ)Joo|| z!cuJixb<{Fx>zNC_TFPDN%9ZurFB_`IR&Qv`xL7o`QeaL1ony}jTg?RttYL6en-tsv#ra$!PLlbi^TjB)h+|uY?XcF`J~+YJv#*U+KiF(r=?%B|>c^Np+vP z-SaCZ#w^{*W(zrQOs4pB$-Rbp2crWZ&@cmrTf&hW&w->NsbUU||s3uY(D@8!dS zRIC%$3$b@d3UgTkdWp6p8CD%vj&Vq5OkGpV&heO$xa~R{vqk5>$!=+KaYrAcK5c7$ zmo?R~Piy`i>IEHDn~K7=^i{0+qF5H{viY2JaKzU$+%2tkFA6p2E2AmNb#xDJFzc>E zEUDM1ZxDk1=-JJ<&oKW_^p0oBM*7$*C2*%(rMkQ*Qd=`Va~Q?*nE6H6;WF+=Kl8HT zzcH}n19;&_$Szg9BNeVlOSV{gMaL&Eu?7GQLC7q9Yv?PA*c^uc*JTpydgD)%%2RJ2 zH17o1CVaPgbg7p^1?-D{*uP_H2^*}X@MgB^$P$>>74ZcI{kxgnWU?!UGrgo_Hb6S| zOp0>N!tLu5SZ2vkSWivf$5mnd-3f>h1K7^<%f?C~MpsGmd<2ImkUKH@lT45T(T{&h5!5=OxZ6CR z?yR1(4uDM=3NtMMnq>4Q#tnI(uNVwj7n+4qnS^Oxpw%%?TnG0`2$X#D!2^m4$?IeH zEG}Z=VdR`ZJFvx&bhDa=re3n6`P$eacFVKX-zGloSt)8kq 
z0C}fDQ&{NiQUr1)4^nB-vL!m*C%if>_R|e!{`wu}@Dvy98uW7{WAKYaKxn{QD8{7% z^SaRjxHx_{S``v862s8OMICEOH<*n_eNAvla5x>TBTP-U#LNG6mrT8g4>SYt(nq1BU*9rHI-#>p{D4we9IG1zJ@7JdgMSWyHs%j>gHKJLE)PcMPMAVV3a($CAL|?q(20h+DZB)(Vbbq&6 zTsf!8WN&WiX}#etw!D;8U65jnHpq|zXd^mY1V)`xRivm-(_Nx37iydAztp~UOmP~2 z%Da2;G)Rt!Bvx1AM>mjvz&2&n_vq)#3UK51D~W5Y^11@A65IVQFs+()eY^8i?%)uQ zZN|ikD-o{gaDaR-Of4qMG9c^-XZiR1hwtDWZ;mq5$sEDJAuh&KGDLs}3VF5yt6VG( zWNVTmaAfko9U+uWTUv1c`o?Tsj<4H%ahrL^^N+yn3Xa09PJ?m+*1{xRZ3`L;QJqKPoDoUa!yoXH$cIsTL#`~gua$N=F z)KaL8#XXGQc^SfW1DF9yDFI>+<#IvrQ$HX?T!pVC89r;08p`>B47C5z%^13D+8b27 zJ4$19em~hl@NTx;4K%kxb9Q;26tntX_c|OBYKKQFf~WDPwM+29tq28rq^$WVrkyq# z7e2pr6{<~fm?|wjE%H8I`Y8*2*^jYi2C+3TAet$}NK_@nOH@54>Il7k=rqk%O=}N% zu3@xjB(&s%JqqtU$NBUq9U=tLCmcru(gTcv1T|Wkw_4V)`QcKUD#yUL%<40DtKWnu zvoMRrAuq50ShwzSuuFnUCByocnvn-rBcd^DIDpd|N=Gk62kUHucL~mM*Cs{nFS^o0 z6fM)ExDLEl30_+!Wzt%{s?!p$0(E2_MH!*k|K*XS`kM4AU-@0xHeC5z2kUH4tfDdIT2&wg)p2`gl+ojD# z0LTh)hr8Bfr33FG0X;#P%{(Xb!4uj#jxwvR2b0>aha%uR+>qZdHC;xIF2z9h#4FKD zuL0?K8Hl^yJv9t@jE+52!)+;8nEp&i#mYtPMw)eMx3Z1y?9HOsU9*)4{F$>*_6J?a zPpkW;4<1;y)_=$d7(0DB;ZFN;S}<}Z8MEz(6GpC|0{i)6;o9~Njiu+af8Z5rB~1uN z%E~iVL3(?{ou%hrT^#gxkB8DlO(|_f(~g;MLhTtKu(U*au@*_lmWNH8aF3BD$fW<`q~Y)$`dCli#H90(<+Ys_S9yI3Df*+Yrh4x! 
zokxcGa59+-(Fu{DcoQ;P#Wlr+>jvN&vyCp;dkw?Y_gwF1Xg)|axE>ljc-?n~PIG~v zD^3Ncpd?(Hv@}!vN>?hmE&lV^Lf9Ag9ICo#kn6GpNwOj7DsUg!Emtx$E=+%L>)7d$ zXU8OS`DT!KuyGC)n!r_D?hB*Js%=5=hL{8Otyqb@9RXSrR9B+Ues6EHAmCzd(L-Y& zpQnpP1zA6mzO6rdkQF6wv})92)n8q5wJqakJSP7}zm4-K*TWV-hw0*Bx^rxwFGZgY zsSj$Gkpx@vV?+y$o0_ks&fQl^dOWU(zV=AqUUSUt*!kC7qdg4$#|fS!DQIh)O4~@2 zI`tFWA%-J;w)pJl=PSPjZ_l!&Da(oL+;4`G_*{@JCus`KP11vKPqMs!*N7{-$DsRF zlW@Bf_m$sM?KykD-olX;u3%q#mO$Gi$}#KSxrlBIN9pk?|M$+b8MpYI<*$VsM@eDt z9Ne#50T#LH)SM;-7o;dc33%`N7OrD0F{#Ero(GOD5pKtr-3*uvOI_j?>Ye zl|n|lXk_H&@TM4v3eOG20AIo+T$Lad+xzrr*t-R)+&bs@7B~Q8UAWO`iK5QgmA)A$ zo57m&LhXXWS|`VY)1jK7TojXF;N>eo%h+xxNwHD&~N$Yb$Sq6`_Y zDlsWSG$ugT69~ey_9IoSlKknaSmmHM3lld#Y@0NM+Sz4cEDvBbRyp7RppuUqYjg)_ zPBpj)SrPtx1mXybLx_>GK5A04zt3DP()}>R12jqEu6fg#;Dv?IlT9r03{*&G`KnPmuPV=w4o+pf1c*iY^|Rd zClq6k2$sNebue|NEhIS;rk012jIDb13FXuGf~KscU(ituw;EP0di&Y0>15K>_={Jm z3q_JRreN(hq8GKMNgMIQYF&%IIKMYaKKn_A&WDe4eO?+4aei{wdVUqPXuUQ;F~yo1L}8_e8OYLiH!-!;;YMtfUIV$Wlr93r4>ytTy5d?7O6ot_h%SR{AVwX+}BUUamNScQ+c+H0P65KB+g zlN|16j=aB`k^T1JN^SCl&;`*JIm3D}m8#fzHOslhxlPBq`jo}gtEou_^6NoH8fTh@ z{&bNZZ=FDlrP0on^~0|^=BU4#D^E3Vh&N(v-7BC|Oy#(EAfvH|J^~o?8RQwqjy@jv znPK$%;ZnG|AJOQ1j`{uHnta>2!6)HU9drR=|K;t0f5A%m(;irEP@HQ-wq&$l-U{E6 zs%VJF%bktzu^o7GD12CoB@Pi9E*A6W=H0jcCHoiML!rE-Q73lF+WfgcQrFTHcOW~? 
zUFJF}#~$lmC%@5hz2Y+elDuIfn902YP-pu=%-S|5mCc+THi$OJEShjR>PO9R`aLYO%jR&Fm0;X} zd`Y?GF~_0Zg8~L|-;sx?J9XGKm=0&;;XXxPg&_Z#*-YJG-=l5eAk1!a>7({q@cUqG zhB-)kkl!5QYtu=>aosez007SVviq)>`n6iX>*O#?A*C) zwMO!}7qGu?i{?b?43y~k~1oF)TmdqP^1nAY_Y6WxSLLZiD6@J3=S4q+_zCWY%=na2( z{~}}@O#S+{A?fqjh~ivzo4E{rjWh~`=`+q`=ByDW@|#j;XD=9-MzK^bO1&f4K!DYw z#ZO!XNT**Bt`beY5RUe>-B%r-YLa5vn1{jq3{H80?K&G$Q}B~k<2gVyD2y|dWmlv8ACDqOq%bw45)TjmA(vD zXLg}IKJ2AB$a^g_J!O8R^ziqeCzYs7+ejd^5p5e^Q#60Jtyr*G&R=h03KSCDdz5}u zV(R)n@K6LprfwGq-Vze8F02U#Hyr)))#@f6|DuCe#7!lXkod|(fZAq^`7VHInC8Q<~H$#hMkexNCJ04onjBu%cZ;NqK%^*LLoUMZzn-Okz3 ze7YcKLLcpT8u>ch5kE{jQI*u!df9qz{VT1D<9zg*kqZEkCT@chF_ z{+5wU(V0weppdh$NsBpb7{n1=J=GeRDIs4!wsn-RE6%_W?{10R=Lmo2`5 z=qp}~HwM*06zvG*)&N3|bWzjUCyu2c(7yhvlvE$v>x;jS8XZVoS}Jj&AW0kZ5)20wzj8O|)jSKYWut31J!`|kVFG^%6e0EiUq$iHv#zh;x7smm6jslCV3hvR z*`d*OO!z^l30O)4%w}AjMYUgUvm^{aE7uP39@(w=EoPqYP@lalFWxLS)radt;!{ zF!$l8-r#NwIY>{nL__FwU7+IwzVlCd5A5U{3MY=uEMhc3RLzF~#geo+nGLhKAjJ+O zS8iGOj!~tnEE9_56`LEmcjiHbw>1n*Bfw`yO>dB#Q)Kc#f-}y*w)a-psO_@L2Y+@K z9J^YoW1(HVaQvUQ=pNt%3E(|}oA(BbOb5%8)KPuB^oKN_A7Ssiyq@MuM%I2*{-OCP z=4}u z%q=KJ(yeO*#mGAwrCPc}h3z{9sj)mo_mejh?zrxFO)dET)1GsXkxCv;Uejg&gNH=d z0zb#e(Rs!7>RGuhCW>awphNladD{3{Os(@1ZuiL+j)uogl7Rbje+jHMmi9CLZTL`| zQf*P0FI8&*ra=MKO-LB+CsOb;>;{23W?@M6Kv}AK;O_dd8KT3LCs+zc6JRe&NL83f zny6HMTc}hKt>o#F$~IE_lbh43@s-#NnRW=rXT_prb=Ls5+T%8or;jlGW_;qk_E3$N zeph1S6xqmshnPdC#w6&R(zoZx^K?kPUc)7rx80wl%&M++INJBdR97Mw$$*^6$5k0N z!y+vG+9X&(8s;K=>&-*Ui}@ZyCZZl4VYZ>@Z*{G)PcNZEd=wn^?~ZKx9Efz+*VP49 z3{dLr{S;F+FF^m4RESq_8Sr3Pv=Iqb`T0T2?8(sf5iZ&5vm-M+4K9sGuIG!;4yRzo zpq@QiOag-$A&NjwHz)wK!zu~^e&_-+3!w;vnjX{oakUm3tYo8W6RguWj&m-Xh6@${R4 z7rGPndQhzm-gEmMoF^#Gq(n5(ZL`!9FPRfTRa+~3;tkXJ2~9MTVw2sn@dWUWKM;@q z!avA=Nm2c;KwAEv_B;Ny?*%~BqN_0u;Iirlt1j}qme3dFBS?{(DfT;en9?l%gsg*q zX+`&P$ZKB9;%7On3sY{Mfw6BS)S!{)o(>sq7g6|hfk*szIidtj$eSnu%Dy~s9GenI zra&95j?4)dd;=v&oFPS)fiM?MjQ~mk5C42!b{fHK<5y^tcE5pgQQpj-;F8*y(xC#QR*(TH5ei;iylLg?EA)$wD34r+971t zkfOY_4gmziKYnmQ62K@H8~yj&`uo%RdvE=H68{bme}~h*FQ32f#QzUv5FF5PN#gmR 
z&6PuN?_%f5y4IfaLeKm~FLc2D$VRkpIu}SsdBx9EHYBtoIGdiq72#0NYAYUkG0QZ8h<1o--FE%wGkqe*3FWRDLL=&pExs=ST6cXh{#Lt*bL!-I}tb^Pf9gP7GyGo+DAx7-`!|MHl-c1`VK3_pedTe3E z_x3njQRSc&RSstRyd~~-I#LA2vtFV}vQpj8y^cr_?QYgghsD1bU2H&Ad1BA1&Cgw( zw|-=EknMDOrQPn`2G^29@1$2O@Hk)4IR#fHU|V~<8Z_ri&bce&*}E|8qD9o@sb{5_ zt5~@3%o@=f8|O(jLv%(Fm`!V=8lX9P(gUe#^kF0J6*JGje~4t=Ao3k(xp+$@b$iuy=1dv;10K$v;ErR3ld~Uuj8e;wfx^q!;SWhtU>b zqauyJCVpv9nv~4AuOsxJYxr@s{2Bk6nj?Hq+%~ZWqPLGwG)R7P3DMaKm3V0A#>o8L zM(!$CNw-*e*+C_TC8t)Jzu0PR0-O^~Q73rh&Y*d)qL$gIYhta}XpfnmTL`+bQ9jEN z{fJgzr>$o}Vx{nDfRV;I?L5)b^C4NgXF(`2C#=X`rD3ouwroBZ-6JunNV^5={EKdH z-xHX$_xCgZP&Kv2faX$!xC$vB4KyPaXSCI-t)X3k36-A{+u? zdh9-BVTjdPLkre;Q(#sce7)h@9p$-&3+>ALCF65CWoYMa6MzQ39 zS6Gy>l0yrYfuNQ$4`W_K&=GFs&1`YKH!N~~7U{u%ar))=@YyeYY;wdl;(fyYdP%^X zRl;#Nd%wr-)Ez5}4A+=?lwUgAoYr(wA%#+B6xG;V8z)H|co zA=5tHZnbw;BX!&YfoBK`zllx&AQ>_&GdBQ)E7V3(K-Oi)Z<8nxuC^iVoZ(FuNmiw` z5peH(ll*D=I>u0?@2Kgx(R1_5{#(|G)VwAQu|OI(h*NeOO^%tUYDn6AR2h#yX$A)F6o{iRwi%f2-6?q+EJ^$*;a9fBc3PVXCQTVRz1ov_Gk zeotYNW?PcW<#VdvJW>~@FR)_{TWXBVXt4c&4P9|*%NIIv#r_d@Y6q$`HPBn7@1!mg zm!Bk#5s&92-#Zh1UD{t-#O9)G+rXQdgkH=&0Ab9eu?>8vAo#UAyW7?OtQxVByI}A{ z*KS9|G1vRmw;WDZJn#xynx{3|icx>PFi%{}@jALO6ws#4AaD9LbZy7W#+Cpj-Xx9U z<6Ei|xSUx6J{qVfY^I;83qQ3c^Sw0hSE=?|CaD^DE+oXm-9NdAOO9-%%+;r#t~Sb+ zElCj#juJe1UTI~d>5v+XkSBFx(-0>~*7JcyJ{v;vi~~Vc=|65P1)L!EcW&5wMN$(D}ZIY-N%o+ISW%vf}ORM~G{Y z7J9&w-BD^v4X9HNRwY5iqi)tEJz*w$KD0^ppRQBZs#C}1nAbJoLmr8_G zVb}c%C^ktGr{)y6e_2;0(r5K!lKlj=uW+-@Q#0r&uIM}jH|;w{2%$U{XV*G$&v)W3 zH_z?iCl`s^T%!(rS=g^d5BE!%XE4E_hwcc!hwpo7<(Kja_x_>#CC|!Ew&X`d9m|VA zk2VqU3nE6*$Cn22%oMcN*WjtuHCdwjNn;Xc%;G9uH^+XF%@y!=@ARXe2-dMBB&>6h zb^VQv)6B#Bprewnj2kSi+l(%m2}v1Bd2Jq^l_K&HV)0N{)znd?sypo+QgJQj=66Gm zX@zj!c3nq}*AqXIvSzlT4#mdAjmdI5af&r(=kUTCrDqX4ZqxPzNbEtf31{m#?vq^q1Z!vnPI0ly4=}SdvExn zd2y3#6u<1~Ne{nM_nyo=GYRBuhmFtA3$(g(NN~e-@#`74vb>(Bn)Z(JZ--}J3*fuh zAy+FWB04YXv!W}mpwG9AW2bRb^hkAuQ_c`h)$pI2>p21{ot63=-(nc2(zECfA_bXM z>6cV3%;sT?q`cYDC=bf1c{!c}7orXf<<^_TyJPwUnsL!b!+<$-y6$a5`8lDAyHBU$ 
z>%IF{boo`utc~V0+|9Ds9&ev>S9x83W_>%(Je;xn7hMdJk>ZDk-YFl1`!Sw)=yIY8 ze@uEu@7k$b*BO}4V6N$~z^_un8?@&(j^kRgg@#Al{rvceBctkN)!*V*@0?Js8s&C7 zNH7z%U(DB!DBy$WI1VT0cwHTtO)v{CupZ(61Z@G#we#0H(IleteBw1vw>yG-qUc zp2KNZ1y;$2)-S+c;w7KKSN}4REiK7Y2PZFWxCGOrm{C!Pa}=ROE3B|eo8u`~vAw#T z5}^dWMa3zdmm$d$B{15MgoKaCY$0^M$IIUQ*L%6H)A~B!!eqtA&_6lH`>>-x5}tW| ze=dQ8ayMH0*3vDDs-)ljXWy#cBwT+=$9>A?zBjIf4k2!8jxMqMPMqs{t5lmZCx4kc z*1+($nbUuZBIqAjoDBXaiX#6pcuLQ!sg27|H9r;^T&beeOvhm)lT+mO8LcMwqz!OEPsuu$<I@-33HwH|-P^tT+M z99uLbE2x?*d2O1F8V|RhE4j*bHAuX~o69bCJ**kCKU4_7cZ`T{mXyot8~wG|0G6r@)En059b${bpq3Q%MV zzbPQgh5;>zLlbs7cpL00ppgqzVO~ObnB#qdbb@Z+)&=+x`t_f5R-$bynq%3kcRB!+ z!V#3H#WzShgfogF%ZKp8CtNG3#4{oh4@9dJFTN~|vt_-N-=Av|!o z_fxKxI$vKKDV0SPq)yBUCh=QD(Fc7#ap93tSFcjvHyd^m3jx*fwWB&aVrI&A>^r70 zd(hZPfYI^!5M!*}RHaQfevP;WEIi0YG1rnd``XQYSBs9Xaj6a(L|@=F7QsrgJ^zIj zE4N9{rHw(V{IH%vPM|JoP#t-}GNLFMefRxj#mzEDW%W$CZ_9tvASgpg9-kD9y8OG8i5o!|d>5rm}q4-Ra>CGm@cceWp3&lfxkTPP*` z)&($paYxt<%I6$Ta6`^yNo-p?f+f@M+p)ysCi-Z%6tNH@7mUgy7MMoi$)g#626Vn- zbu?ES5%L2-3+W&&(ON;4{N65yGy6SM`QBB^P3A>c;#K0ncmblT>G)8ti0P=&O%9aw z*IHmA*YQtCM@c+-Tw)@{suNZ28P)*(ICuYZ&S3uQqQ2uH%#ct9kdnBg$01{{4D!k6 z{fA8IL~<>LpB5DKctCgfNaL^yOhpnV1Y!r{BcboKn_8dASLVO;<1s|RYT0Nm7$Q98 z{-d?5qB5ypW z3+WJJ3wfNyG}MBubc|_|bLL+=kMS1It$4_k$loP+IzgX(Cs9{Clu$r~Q`3RU%U4&H zJ+dN;KXI1dDpFxH_kp;D*qN7^c3s)^$Gq3>V`poM$UKyjBWj)zm$h-R4JO5stWyq` zex9m`q90qN>pOL=>k-pz_WhR~2o;yFo%tm$wU?*!y`=VQlNxqzt{Yd@b!o_`9omxV z;ogMlqIpM>;hfxfbr5$TOF@m*M-}bjt5xpiZYYJ&M@5&!fJ)MNB5~)z@FE72lK-_K z{X?puhWz$LBS;i_%ySa|5k=PVS2PZGkDRiyHPrh(2@2<2i)KhQE>zW%9*!UY2NKc< zt9p`Ldo-k;>#LsRx%g(Dq3WOmvQs#rV7+K&OK9aw>a>u&%(HhdMe%%7yNvXte&%_5 zL>H~gMGZ1m+xa!9c}m#I^;^!aP_3Utvgj!I&+oLpPt(lQ&;}@aRrlK0xcG9Z!1zmF zrrfzePR@O757Z9v$VbJpr4VO!=>@t>E4h`s+L;bN5?bQ)$$`Jpfh`yEM7wuPptTzF zyfY7|_J5|3Pq@Bb##JSR>vuDn=y|N~D>buAo$o%VpwsU00RhdLW6c;a*!DC=-7Gt^ zY`s}%+a1ShA*9`Fx0&0$uH(NYb>8@T!CtaZ^0g}wLOZVSDc0ATz_=Ql_aou%le@oI zN@6Zh`Yjd|BdT1{T&{L7WTJS#eE7qiHD_P3@1`*u{aHHr?03^ma!D>Lw{)21{wH(}3 
zyT7Nc_27f=w!B-cw2?Y@GvQSSyhxue5VCQUaJg+>pd-t5PCVUF;Z;qcLWtFmmMN_m z|5=T5bQ)(-oehrxE^@f(7_#dz-hvwO9L&7LQ}&rDyxlazzvzyE@>qEZ(1fMo5d2k| zu|NoBU9$k-ady#PATu9f+Ypi=ttAa|s08ePFGkD3uJrq$cvgvDIV08=F~f>a?&s9L zH13kD)ujU};=v~et4a(X4wqB~ot`$XpX@RhJQ-!Im88*p8(6!-Dt*hGG3AcyXdma# zeLVj4?PpKjr|)v@4x2c^v2uhuzxK{CdVwYe2V7DzkG~Y$j8rFoIU!!rR?fDd(`-V( zmiCG6MJ;7FEob@C+CeQLb6!1$rtaU01o~fYif0`i!VdUfJBI14Q5RRSK*p{sYr@c3 z^!M8&qfMx#`+pO4`hPpgK_|Jcd5-nbZd8v_L(W5XpWLG-+0JnuaJsV|~2B&nHrbZ&!I;w*O%) zNB<6gpN-fPxYQ}}5^@}@LpsH9UNP?VrH3UYZ!9KWOj=^8WBqj$qb`{ubo;MF1E3PY z`4jmEA3NSni(!)>i4-6SW_Uj=CL)`UWK9rWYt>;JwP=6wgrB&be`v&;JN<-h?JM`) z-&$UMCH}q8q7NWHDS%a2U{Mj4z)UTbydV2sydE(?Opv=o(|!xMFqpHSpcfz71=_7T zG3+rDKatk(ldTfR!F}nl6_S<+8*fi+DV({^5w=K?S63ep>%jC$4Ft>S_yNT5uZ~kvxnAu6iU8O33uy}6ALS~ALZVWu;lab zGo)IAoE0e?h+6HMC{?H1y_txpdaGX{l^{YJ$*in|JoiC=lSkeCvk%yjCsxXwCTRJ2 z6TeE}$&?pvu<1%3z_`bdy{!D1M(0(z;FnC!Xv>hf`^yFzP?Z5RH*)0yJd;qXO-OJd z5!KjF7e8g8qpAK_1VHUOz@aH?nqy?Q2h#2f;nuIo^mAu#!zz4MQBFUhBAf0QcS&mR z#^&=WN1_Eax+ZeYZomi>=w#2Si9oca`jKCx_|N(H|@<`~*Noan`}6Q~vum z@Zo?^IZM{QVqoMW68G^E-JNHX(`rkCzh4FX1iQ$BtVuaag5o)`%Kn3pm>1$zHiO2n z%Bq^0nSi$kwX8*#?LNwdk?P3jC^DqT!&k^ENDXuQ z7-Uu$x9CAuwed_I^_cna6Pz?>IZOb>6L z_e-F{Z%aAx#T|-XH3j12Qt-!IhyKQ*6HlwdIrnG-;p5`J$b>8 zbL*v;ptEkg95k`6_~q3bX@KA-NfI}>o=M0d`4ZW|C*g|0hdtz9rPDvA`h;(H)k+*d z`&Ihox0P;O7Mh8Q)JH}lybvkw3xiz;RHM5YhOa$|Y#is#Y9eY&_*FE23EST93KYEa z%B{`UQ;fcIV(()4H70CKcXM!}g+pr$5-S7(dOcSDg$|~yc zMj^*3LS1Mvk?+m(Uxm&TtBJP$pyr?nIs(u}T~6BAN}%SH_38d%klO^>ma26;W%&uKH~2GT7KZTO04vfOSH4|`=W z_O;12i)4^z8gu}++N9HioXNEX-pgmMnW-2L)M+1+e|jWz?8!Ce)l|&Z1S1X--C}_Q zBvVj5Vf^l+id6xOUURONJu@%eazN&)N8g?*!|I$cuqmP0s38G3F~%-_x@;{f;jDml1B;}; zM4$D~zH?OcmM{&F?THNQC8S~s7{*$hkzT^;dHA<`tQ))w*P3JGp4DGYdUH9eWhjQ3&IIT|+=Sn7Im`tD6etwjUC8PIKSoZh4z|G9zZicqpgwQp1Fz0t z9eUj`Km3zRDn%3DviTnbT2zc znRuj*vlmL>ZX3eTX9f9oPl^lD((6BU(=&-E^BNSQnPWFi3bQJeEd!upj6kp%qcA0) z)aF{R{S7i&#?0;0M*-~Q8$d{hnFJigz23oXQGjC);85-c!;TT(E}AL<`8Y@uDC9!S zQLO0ZC3J4^ggZTPFc!T<1B!F$Ys>>DZAX5C2;ua8$gUGi_csW!0XaCAO4diX79J|; 
ziT?(nNrlubeXy!E)B@=KFjC}!=1&M=A5aYeS~ZLBAUFnEHsV(c`6>O6dieHD5N!Cb zkNMZr{A+IhwS@i(NPor6zjmR&Hp{TBa-7jYTRsRk!AH2`TB6#$LXAP^ORID!U1 zwiB!0!XTZ1H0hN+v#i&J*FaJAH$UJ6!*9Ph;un5o4@6xZmrYr_)!G>MQ@Sy0jB+7E zPV2uE<$oDl0n$+aFSF|3`}cpz*y{i1-v8eJ_kY^8e=x54H{ZGK8Lg1cxdIi~v%H15 z(U#l&gc7`D9Bs(2IQ8f;PdjIg%IUytjh)7^SQumXd9!YEYVW% zEyQ#5am1vttcCJxgnO@QEZk*h|G@mmg4+dsFdtxcf$g4~kfgJs2oPLDJkc4?nNv9l zsBWp)_d2Wc4(g;})6}{gN-j?~CYxRS6^vZ&Uy!3}Wa4Av=5Sp3K)vbN>bve+$8;M$ zQ192G$uRR!x3{N%ZaQ8J-oV_uI=ufP4UkF=0lWefD~bU1Ite|-88aN@ z1QQWn<}91(ulO*4e}|b}s479CV_nO3sdu9zfO5`DPnodvmLl81R~{Wu{&_OF<-UvZ z4D0#gjK|+fD;^9ncd7ml%aA}@3u|&PgACq)a|~BJ{p@(l#WLucdXD&MZh(LHs6T)^ z;oD56OJy0>Qz}WE6~M6^{q=9=>EFZvl7TE|gwWSQQF)h1 z_sA2t#sDBlL-E1c3(h*{r>A@0=x_X5kB~N)(&m86!Q9Db0c#j=iXxQ(0MKSyj%{3B zlzmZsS}HnQ;1{t$^K`gQLBgReNtf)8LnI>VkP&)f!Q;%0!)nbdcUuxPlxt5rSV}O& zTD?35$J2)Z9cQkIxohOx3l3Hh{I=?J2;qB^qXDDi%YM_Es`iKy34a}_XOOwxRuDq9 z?nb7OLJRWf7aP+b@87fY-F;*rUW8r4Qh66hmSiQ$l@$b!B3yn2CHyS+=%KmY3q@g$ z#3v}@EAyg@J?JbDTz~lLy%>o=8MGI~4M~>CiFiO4n4k|K>i2;rCr*$sMk22AcshAa zov(kv6us&8;JL~XmSltbT$+H7(|aTM9wZ6qha~0R^W|!Y_7A+7kVo`ghVtuaNBW?iW~TY~qWDsE(!Rx`{%||y`aI{TUFU8PAa;9W{~9fK z$s4x(B|THG`Rcjj|J}&`&x*8v??XV^ii9!+fD@ahheCS#%|9?~Db{2#KDoSZx3epX z9p0bh0&tHa4TPl%KZT8H%b)${gPzN!G(HhA*{wn|n8`*UT=EUO?A;_<#!fZ8xKgq- zy?OU~p-+qLvVnBG)M9~|Dg()+8#*zE@e4L;lcdU^eN4wfJ-V)9}IU@sYUJv&yL#8-^{nVikYpbp`P&15A?6!A8lhSP@%BvF6-P^5zB}IZ>fc z)Sc&bG$P5)nhfO7rog?TSUw7X)ab=S54U3hNX<1SRGf|^MaHt)i+6Q$1Mk%Owd&F9 z`S6d~+TkMF!Uq+X2^Eo4BVzSjr`F}#JHZdPthXi7AX`oxrBP_H$6EMLRsd@C^Kv!f z$E80I9koEn5y&Ev>_A5YXlMg3&@8REO)NMFSD3s2h=ndE-l|J+UhZ2`Ut0Ude6o;{ z&N>Hk_%54)_jfMwBx~4e_DSv3Tj+$432y4(XLDoRi^Wgu+u@j~9P2t;HewJdc&HA2 z95`U?Av?e)v*S*hsY*YqOfS%Q&sij1l$1awXI!P=f$o zkO-L>FPmWUOf|lai|dYhDGZrydOtoL68Z(LEVu^c_bB`TrUDp3Tp1NGrbr}aiv?NL z-jkcO4Dj_8%?rUC$gkhnXRHD}HNgycUn6o+d1Y_6kaI`wu(T+>$9OA@JK4qv_&sPx zNxg@?T`%Dypw=@f0x%ZZ8-y#8k6dxZ$7T*68_T~b_IfugZQ$oi1()*=zF|RcMVgSU z4m1Fm>ubdbyG&5X0nDy0ULJ=tk3PFLJ8N8U#rFJ^A72YA_RCQwH^|c+B*4;$ybgN; 
zK92Te^JQK|i901Od`5h9v(+?e{6XiVX;@pW>b?n7PvPK&o~qpB%V z+w^R`Q3zR{%|E-!8k3&_~S2nc5wnDfMbk3cIyMJ()wA0JwmScqL9$ zk=%Oj+hnE6K*d@A(VPrgkD{Clt{{CR159t0Tk(%nH&i-L1-xIq(%fCusOk8gdUcVz zWD;$$Hy2$xCJ4lqw1H0p@%7IB&^n5<_}ID^siz6o#@_}5vjPa184wE`I{ zD$`XMvz(hhhClO~k{=L6%HTFsDe}z)a592hH8p1TXq`rA8}fXLGL@(3=g%}i&+YWK zWhkNtG2u>%q2(o-5d|=)rkl~@fIfJg!kvEC^P1A^HPljZ&4(QDd_>0y9gcEna4(*# zOXO3w#em9}L95z8(Jn=y*$3iNkrhAng>#YX0F(FV4lS)xem8Z}y=%YVEb;kJB}!f0 zXyX1fLp$mj|INYUUkxPdAr`b$^xeWKMuYEnY0q1%LI6O8;DoVzN)PSTDFYhC6O?9b z25QQTnyl43hv-mgF(F#vW#jZDf^!y-Q9s9kbhx@~r(C|THU7rWPb}w)o(LihY1zP< zD-0^EE$jtzQ0<|~db}+SBT_GYeyI&z*v>>t1cNk9rlvO%3cIV=uTtMW4(TD99f=$}pBm=xz z0wSNjzxmBQ!xn!g@0}?B!=k$h0HHZDCD;}NSD>}}$Ul*r@@}>gg2Wc*I-Iq+!E5!? z{^InrDAQ4wm0(U=O zpA6S@Bg9g9daYZnm=zntd=vu_o{29rPKUZopFB&(w+Yjl0hqE?ETq=03a4O;vrT|@ z&597q>Stz38qIW~8$4o$V+kh{5u+7@SA(sR#< zlP()8ztyztJ-Q&&4T4wDdm#iXK(%xM=L{bP=EQ6ZU5EhAk?zj__*tR!Q$t*q2JhF2 z?FBb*^KmxKb6z(Tzsvo@Cg^ZVUsc zb10y(UN>W5hW2^dAuj33l=GGk5ZcrioEk*QHG57caf%t}8dT1aWl`(<0OypHP2L6S z|2Ap1(Ne|ur*ORv$i&Z`B9BNI#Ubh9=WclE?93f192hY*AgLt3NjAJq=*f}n4mdv} z<%8QWd!39C56TnldN5;mAr#vUCYV?qXnP{oZGn7sSMvVeTRKCE@$$rvTqWqBJc*|&Af4tTEgChV47d_gM`C{P6(GC8%%>10YAF}0kv2G{CDUx z-}Sv2W47AUUjXNwN-xq+tdR0Eo5u_XO}5*K(4nn$ZNMSr;~#5Ps5sF1ACdC{(ZhD- zw0#U6M%R_VUm}-QSzKWYUZyy^#Y4ti+RyK8EWk>aqI2<$!W{7vdo*)C@lYc;)sth5AyTZ(p@>e!sl2i1{4* zhT^~|~9`m|Jm-3`d zK%35Udha|XeIj#ctS=C!x)AJX=92-Xufr5QQ=A-xVt&17V7jUaG2bqXF6352L?d`$ zx6R zEh1?dkmcu%HdY4u-~=#Zn}8Qu7|@${#$~4^je0jdQ{PqzNMT>HB~1y+u0h=p9YzRu zWH`81BT?rfVHu}9wv2W9I=f~w=fw8RDD#Na4VGr1574*s35P&P;UVN*85-@GtJg^8 zHY^Kv`{J$5S}F*7C-l(e4&l+elVB&g?LtyK8TFR>m^=W~B26XPTHRDYXnoP-!L!OU zZQ&AvCmHZ{z>yll1WK^lIxt3ea~%?iR`m3K=r@Ib_aXrB!*C@O=#VesDPR$*&i75# zWSgFw=}rQtq;FnS{*o^y_~-^bHkTfS@ZJ!?6gCvDGnT+da$S?GgYz)sJga%5IYuVj ztLn{7&rR4DbdQS$s8O-l-C~N;GLQ*J8j%aOx{e#w_eA4Mj`VHM-?8!&z3fgIIe%|0 zT_2n}2W&J4I$P0mq?5pdAJI;r#gp?WSHKhd^yAMaZ#4%jlC63UWfDuhBBppcv`_Kp z$bOiReBey$mD)x2`jTaHs0BftTa@E>5G!KcPf=99#Vpzf6pNl(_6+5bT53#MEc&k-e_I{-;t_dw9k*UBMyD 
zgpx~$2iQF0>bH)2kq-A`0@(7Etm}LT zGxnc{&0{B?M-BQ7rPR|-+5y4x3gjL%p`V0Egm6KxK24F%*f&SDX{Xw_KJ#UqQw!<= ze+XK4r#J;OULy{!SG}F|X!?2%R$E~{=!O!UKHb#t*a;}KW|>p`^uYs}&88cYuWEVC zbo2Fh|*~Y71pJv{^0RpOtf8~qeZ+S+4PBm%#WW~F{ zQqlAVb8g6hCj*tIFV&!Y&%ZqFTl^q_N*=3gH8g3V^G+~V$LwixCf-$Dy|yEc9pibvi>-EkC-M<<70k-_E#d+7k|nfocLut_sOu*` zg{}%kcOxe+bfJ0IAvka?$`X9}sN3X;9dm&q|4~Lt2|$8j0~T9<83MZqJ`^nCLIJ8* zt$OsO9gJ-tX}h2O+H_^cY5p71IU;d_Li@-B9R-{iqDQ#9EwOl_-(R;YLhrKF8QF~9 zBG6-RzzH#uJRC--xH+s~{L<&$4=?L0SnfNV{vv0NU1ixC!bUsNe>CvlQq+;dv3av$ zZFDd-*G|l_FhC6T#h5oB?|%eq;GnVelbACZgi?-kNJ8&JJ%Fwma%g*s!s}!tkXTRA zkkBFVJQr`4>Z8dmrt$^XIuXn3_0V|j^5<+Z)3-p4=3B9?0k4KC6z^0|%!}0Zy_J ziaveE9G<6(Y{_xX4>6^7a|m1;hD)q9g;AA6(GOpaal>5$WySzmDnjZY(00B3tAfwXE?>LJIH2c{lp1971NpLqoIMN!7G!j>*fS5K zgI0d8M^Q;W%p>8tv82xcxUr0j7KNkNuNQLgLlV%n;>GjHTKbdac_%tg>lzwQEdXt0 zPh;j*Al^jbVQ4<;)dH#9z6U}IBV1?gJ{@Q;j{9PK<7Z{a&??|)i5zGh53)!MxtQQ0 zii<@SZ|IBak_yAhoh&L=xy^k2*-i$R+Ei9*_He+X;a}~6D9TP3B`4w`3D+hJ0|Yaq zpZmDQfC68M!-F&#Tm21ztyO{EzY)}4Gwo%r;tG|1j;j7M*IF#_%NrbcL;`>RYm?)i z_UF!@9yyVD$|-LU7RZPE8LE#qHG8AZXHKbA#{v4)N=YS6tg{dUt$&OYQNY>N+9;=ibF#m2V_)4CI z1w(0Fl8}oM`s)oRn)1hRy?k00-#l3kpEt;P#>f9#%QivJU(4Za1pK9>_#$?BsaCJ` zt=EoOwc6Li#75o_O0LbsO3X3=X+Sn3Ms*=r)#8=v(opI_4!1T(E(Mwj6f=|U0@ZfE zZ*7Fluasz{k;P@l;$#O3`{dBrM~=X!^I$~Ll3`%H6{klN>3y|bzbn%_Qq1T#5qqOJ zv&M!3{ezeb&^%ixaYu>v#COSiU5ShSgRb;ptX^)z*DB^v4t>VKK~nH_z3IM-;zel` zd*%vM^b6f3Ro3#W!;UJ$q0rxXtcD#U`Y!w+4tDVKNc$YO5yz|Cz;0YFt+kwES>jg-DO83>uBV}m1oaq ztM;ki{8seAl|c4&{nN~E&|TkWUhm8V3dBA$%F+!^V0SVMuE!kZ`GMUGECY7*7g4us z5-rB{xIOmAukk56On;GyQHk=}FtK?bJ%1PQap)aPLU1dzor75s!Cl&x=QudU0*Te5 zR~tZv501b25e`!By{8XuMK?gGuXEbLBz8gtJ&FUN`TbCm7)2tZ$w-R)FG%g>Holln zG2SV2lyL61Z`%mBqoC(H92CTH>SocAdR5)~6wKs6N^9BYp_!HaKmL2K_%dYJOL;cs z6ca%7Vz?4aq6SDQ;sNfS9MM*P``cR|#C;Z03K|ebFJuK-4--yPIW&K7>3;O92i#O5k#|=P-u1R9$iL#ID@1 zftA+UoeGb(FPqISjADjq6$E4yT^6Q44t#q9B6F7&ccYIX6rD@Db~P|0dAmsVqvFY@ z$3aNKTDO0&NN<}sF}d;Fp?aB5NP6ECd%{2}nMIAV0z703vcntt5a1T9!$2{EDWbw2 z4qAScS=H8eOPBY()ZcP$u~5;Vo;b=!UAO%uyPglcg#&nQ%D{UGu@*<2&JmmiAQJ*z 
zsS@bfZI{J2x?|Mxa6QhEI!EZ8?-IkRPcLryZo2Ro`5g6;s$QHwbM3+_>~0h>Tbh=G zp3hcCv+H=DHo)s5%u+2KE=~CPhe%|#Gruw}dbq1LkD(tQBp4bc@6EBmj@Nx88gg{5 zM8Cc)wQgu4m&^QcuDzw;W;f>8n_2IB>AgocgE~sQY8vgK_yd zU_qjbXonurJ4dx7l%p1`Kpq;xvxT@`qcM1oP9Kg_gL%96tF2hKZ?F<612AginP#(M zB~L+z?I$8>FE^!JEzzC#^B!4mL^u^wB;k{D+z1yR!|QtdqYu=Ql^lX6>EDRvwJ&-Y z%mlI)8qRxfH3B2}4$V;ib+zpb`B;VHn&i@nbCb^%rfWR*fsIzL1!xpI^nmLs0AVjY zI1b_IE$Ha;WX49$du4tbKHfkOKz%wMJX?!1oyT@#XG7xCYZj#*pPLBLSLO19c5MH32pY(NDgOUr#ZDW#MQ7-LrCIk|VGS?ud7@ z<{i9jsu}LmDaSLcFWyVoeh67o=(s43y{(~S_lueMg zuI5}N@<*xXRH{ASc*%V}VVe(rRq*Ydl->l|25_?%Fl99D4cZOB^NZ8DyAF4?*j1eR zIbI)R^jCOUUmldW*(byNjLG`*beJ5$Y5~%xY6Kzwg~UV%ku1U@adw zEU$bHsmlYBZCq;0rey--TZ9IrUtIIl3H1qvcq^8ENz*4!Nj@Jg&=!tHJ)e1%MJXL( z?i^m(-=5{rlk+V2)zERIr^jYC4>VKw0I0J|a8}()QQ3fJT5po7L;f+f38~iMw(;__ zW&BDaLOQiO=Qaa6G-V6TX|O!{@hQSXQEy@Q_IzEn=_3!te2&D3E~@mli0*&$-ti^X z(muc?=vY0ekv*i)j~^?6p(p*j%O`H1?K=DD%V3l7!K?g4EYSNUouD7THxHCQUWF6h zIMfCoA>*uCv+gms)&e#cl`9RxmDl25yj$FC$epk;>M>CG<$W+Q^28D9^j%?Bm;cMt zjZ3T6?EDSHx{N+a(PKBSnO#IS1A2?(GaB7o6Hc8_W;Q#R^?dV7@ms@Nf~mDFjXT0X zl#hi!{tUmRLxcYWey)QZ8=AD@4py4K*_s+}$K+7K?^l!_$~|l>1${R^#QcUDRF_IJ z28Qms2QX(~H?^k7=x+7+`wC1tgY{mv71vsm!#8{xTdvG#90PaB;jPG$71aDXG)Zn1 zaVW}1tk_VdSW~TNZ>bLol*sXq6FG8KwI06o$*QY~{w!Y;)#uhey`0@%g_vL?WjE5E z)8$ZI6iZ>ZBlFsHsW)>L5ItNcVYUU`Px^Gsf)yu+MVmTdb(Y1cvYSiw5Vx)56YxQV zP>VJ(aPF$3z2ynxY@CCqlZw%q^aTQM`B}Q|p`HX38byx2#v>Tzx}$jnle$ zi60e8llJ6282cgf*(A7l3$0d1wBWSejARVm!9d~|{73fYJxSmu$HLaeAoEqB%iVow z56Xr>*Qgf{*;vHl*6`i_s>EU&$9Ax!8T#U&1OxO1otx+zr^Af*(dZH9YstXe8hPm4 zRQD+kmtptKU|+oC6LJa)B!?aMVaip(_pw%F9HAUY_vCWo{-n|21U!SU3STz&}%H>8V4Xesni#!?!jsxl`2h! 
z4)Vbx=mT>o*ZuVaf?;>tO!r+8lPe$d)kI4bjvFD44+UfqEvia9M2eILwD@28(=zBS%*g zTu2VUY!~;&8IVq+^H(W_^y6US&o;mTt%+WC?_!=IVJBb20`ybo{e8nvyE|YhEapE~ z;tVu#V084HGknQ1b6r1P-wJxFbn@N1q}mhi5+H^?8FYb1ix~dkhm@9hnWT7xkF@MI z8?*%S5kfr)r;u)wuPb$uTLgUZEN*R|T0ECNd2GwBMuR%Q-`e64WO-DY&H!Yd9xGZ> zBBUI(cLUJz6{qDP?t)VhbprA7IG^J?7`U*?+1Bv@P5YxMqSQ{QN5W<-loG+sVB|0q zX!`a-KrkV)ND;kjj^!cmEmT8YteuAx7s*>&M{qtpr*hQvwTYO%bzv)1ntB&lDRuCX zIo=0g6T;gXg2MBJn*b|4;%Nq#;0d#xGrfXG(8~2<7T3m=mcOexynMK&SnBCk;I3jO zS@XxS+)Q@>6c!C+3fsWM`bGw-hIrt|F}jFg@HMZvkk&St1|AxnD>XuwK{&7a9<`gyA@x5&DSldT=`>v&401=}&CxD!CSX{d zT6_oA&^s9Ys=tJIEZ^C%WO_-xv!2W_UJ{PXaer=3H933eL6lH&n z^I-g`G-=fn3fSwV{swWwd~hvda<_?`#Q|=s=cS^{eKHVJ`Wke#Ir;#irnd(&Sv>`9 zBH!dMJRR(_A=yR=7@6YsyY~i3@$5{kW-wDGE2{O%u-kw7&&@w#{mveLI;o`?;ZuCpRY)ET;?5y}+ zk8K&%g&Z&2jZScqCFdx-{sD>G6GBc-I0VOi@vl=}OV~00mxKQPJ;ypZE2EY~t8sZ` zd0)yb{;Y#oV961`gIlhEfZp83DIx*`;a7U%kjiP|C%i(ul5wztlDSms3{=x9|HB~H zf4(mt-yxPDLYgE)DBASiSqU<9K2g`KO^Tet7Sq_~am1mjyM4QN>q5rqxU>o}?`@j| zP{wVS0^0&NC8;FGi4=Gi+$jXCqWfvWL(5D($@ zY&wQIoH1S%aXI{g1N1+iV%wD_9PqIltp4(J0aOa+a(!5iee23uA0g2!r)^Eq`A6F6 zP#2)Nc=Q)J$gRz|mY8~lVnZVy^?SzrX~`H;6(&OLwT{9u$2{Sh*l$0&a(FAVqHBM| za9ei_nP!pRH{ISGnxQMVXk&I!CsSW6m8w06)1dKdD^d0VSOuTS-~E2a=On`f0@Ff2 zff#lMU^QsJ-yq_RzrS#^XINh>=kMP7*RB3~R)5W_zZTA4k%8~8DEgoGjlZ^uKU?fy zli~lO$>4$}T!k{MvXKy6uzMr31X@>t)Vbadcq5%$a?S#JeVC|Cf_;~)Czj>*S2!y3 zhnBrnvA0U`Ykt>uaT39f{l5COR3!u8<#h1vVKHKbb<7y9lK{N2&3BOWbmkZK1Z;b1 zK(O;(s)S@#FGVWlIRp8u(e2g-Z|%PI>7PYe3$in;;F0&&7>rI{WB&b@(cNE0cmF}; z;Qn6d>Yx4lKT$aAUubj(dR<><$>>OwKJ;`F8?COln1KImeWj#RwQGveSaG71(?5gj zva23G^wD91zYz#jltwkc5RIyzCrCXWj7wkS(8R&c!MH*W_msI_IJj-t{=tEzKM#*t zO0$%ZvE)SZBjCijUp zfz-)w{_s%Y@~0lecOmLmiq8NDHfZF%*2L6^OSbVj(G?o@?d2N>v5!-ZT|-}DXGD+a zwtAlqKQ1@a!b~W{n{-j)6t|iY1HOj$*?AP9T&NNpQ-O zsljs{UFDg)RJNEgQQW#c#GZZ6N2>B2vs4;rD*<#sPhgRlAJ#v{*NQ7-BggiH&Y)tb za`*Hq-Z=?y+fP*=NNtZb-+g*6BP{wt7hD7jldN(Cc;Dj}JSX!rkA14o59||BiD8Is zN<#>Py8i3LYPDzwAEnDtt#9SDI|-t{7a31tSt8}`V#u%qbED>|KyU9JbZt&AS8VnP 
zuL4B^yx86Kp@yZupv4PGsBOl~;!W|z2z_x`Ad)f|J#peE&m9bI5}_bgHCyPAS|OXafD@R=@v1>MIrAWhf0W~+aTjBZSPF|OL#h$q`_~@! z*myNfRbMW{(LMii=v4mS4vhz+Ov0I>BME0er%G1(y>+{PiBxJEJjcpYT^jlIW5F|puQeLFpQ;&q(MKMG{nz1M zR!=_S!IVrxQ+#o*y4XumCg#;MjDV{82#k^N6d%+rBn1VLA5-j1^B!bgitrh($*)q4 zzJIIte)|w}p0(570@nm$VL3vzPp$Aoup*u9%#D`XsTW9IDMsnS^%092{ndeRZEWPw zpWX2Pd-46!J3+Q4%JqhZ^}L_o;_$NX&U*hK7e6vn8ZXGv#m^|jn4x`*xzPIR6OWma zM>n6R8LYCbU6TB~ChB$jMfkfCsmvjUHGPiPZ3#mV7xbi3*W_cbCfkTD`oQTe!zYB> z%}VzrKV{2yY;5m1-CjV%%mRc(c$0fdo!kt6$c3MYZxTww1C&3jq%en7dN9WQ*BSf2 zIaL1>L+HQIj)!p-Jds0+iy{TJ5f$rH-NtuRDCl0$k zTIJqW8*LL(lyutiHDIKM}GMP~+_K_OjNJhxYe*j^|sX@l2^Z@0NqnwR|3w8BI94vyg+y?lAdu{PLE zCaE#S^2U2BOEnMRLO?4pbz;<*u)O}AqT&Sx@8z*qK>)z!92!FJ`UH5OQ%ac$_LJC2DoeUx*> z23-MPhi1Z=2vy4|Fz45RzmAkurBjDTCDTUaErvp|PDMM)ahfYFuHPH+5tXv*kl}RF z$7bfnt8kgRX}^_z_cbUtyhrPf2BHod{W>d1;nn`*@K9HYbYu9lA?8_dU185nT6)U~ z95U)Rh^eZoQtje8b-5`x`#J#Y+EM>-ZpT96{_T#HSG>UosCnBBEHQKn&zV&UGyg7$ z-4(mFDW{#PKFQ+Ru=7JAOZ;T&Gb#RC)9TA0;bp*_5u5Bs(KmbW)wF)3a)`^aAAL{{ zJ6HL+V<^j2B2rT#<=HjnxkA)_N2?@mze^0#Gb_|!;i%L-+%Ny3tJ&G&m-#`N{yZz+ zcOnh{1K*}e_A3oGaU}Mnmj>@#4-?UEd{wqb4W2vdV7Dn`A~X%6R8+yM;d6e9?rcrmgw?52_u@w|{fpQD}J#?!>A&@H)!B|u~ zBsr{bS0L!Dk7x|z=`GV!DMlXcJRfV7ZOk5?H<0bu1JP&Zcrts`^#sY75Kc6XX75s$ zz2p#FTrfJIZMY<5l+FOr`sAGQENC9>3ymp|Az*uGwmmyPzD>%;jZZ%H9xB7}b|1e) zys&G_q}yS2%~*S3p^(F)X%=05d!+#Up>YgZnx)hH)YK`&E>i3Ck>2ehu39tzevN1{ z=|sofg3A!fKHmP-cE(JaqH6dca6g@A=@}z~HHPW9me|Y(<}XmTUFfmk*j{0`bRyTS zOhcereC7o0P9_u`ja13tv;sfDuEtVN8jl+iwA)dkk zL5rSY+;ePx7}L^q zgi5BU>7R4W`NUZ5_y*U21QW31;+iyFo120V(%KcM1AtUZXV27n^Myhs8uVq7Up}RE zZQXa0(Rc{qi3F_C78>&Ii6P_ap8D2V{$&4P`fVzXRTSt<@J40G5l7H2zd`pqXpNLJ zG|Y(iFa4^=NKMB0MD!BtchQ9obXe@iC47dVyQ}%tD%n+Ic5q9{rn!XBVZxv zJ$>8z%PD(3X$BH|qPD97>)n(auv26Q0j}-agUC2KRUhR^=kL zD{H!1`g++*UOia~zW_fApFoT2SmHM>IZAff>WPn5ZMvk4_g+2Cm!kP2qBVSW-R~P7 zo<*`7tQlUpHE2zo7OFKEMD8u@+FA=Qd+552hw! 
z>su|l?P;6ncc0zb#x|Ys?vQS&s!V`q^OV+-tqUeSBDh6+KYuoJ8>f9=&Ofz300e_F z|JfdmkQ{DS+#PD@mn|!U&JPsK-SwdTf@$o2X~6ti+nNl*w29G*f$*0vONtv>=f&O` z^?6;e+%FV}a^GH#h@;Hjs5ob(FEWk>%aN=|x4={A8rh^LiIshPt<^2*Z!aE)<-BmF zGx_U-pU<(wcmjx$c&3PXZ*`Y2w?jF%03qeBtFDi<*OM;5`3{>YHn7k_(w$))U4p}W zR%>-;U^bf$O3&Pq(q{9~P!pZA*P;OH86Du`ub~(I7=HUwZ;uRDv`ZScUoSa%3?0`=x6K{R(jqkV|afOos1_JRBrK`S<+g_V>s4=^n?wTBX>^6%;YB3)LV2d1+sg2pe5Scc(7f%6z(yVb9+U#CbZf5=3d1+IWXBW&*1Qk+@x${5M+33e%Iwo8nr;HRQ_Am) z30u!vZ1HRHK030mSB1w2vM=TB11eEh5OXE*;y)n5-O^~=Jlqy9!N1IR8qLQ!9({|Sx z(Fi+NQ%T7*|Jwmua{wg2ONj$^ojir-5+xg(xsBBGxJiVRoNwIrc^&^T`SU>_vkcc*E^43C}j`Hibkv(Fy zUZGKn&UFpU*}93S%XhZJKvM8uREh6^4Ad_`(!-Wet)_*DIGyrk^$A7_<==ZYQ&Eo^ zUa=)oz7Uc83Cu+GB*){R6LPqZ^g#skLw+c~7k4a?vtIn@u#oMNcC4ISRNN?}DYdZ0 zP{SH%J5Rg$GQv#Vq%zfBN^P5+pT5St*ii8sbV?3=xFt(}=Diz4XWb)YUix0o;lBV* zR2X>*WseYx{8CiZIO(_~G+$?W{=(1)$#m!|`$Foo>ffNXmcm0GI^T%F1l(g>D`hfB2e3hbw#b?0* zgiVKK`PJ4yO9D3Z_l}4krxySf3?rx% zc6_b|kUIB9QjXq1{QCTck$~v}Z;Owi*R~Nf!SCtzbcx@fG!g(fgaQcZUpI>(`z!{1`Acu43P56(@R#rb@W*e7I7cD4E`6w6LCJ75&B^XRvG?9lO?~^mXcQF{ z0qLEfH0et3L6IgRB0`j6RHR0XGyx3>MWlm(fPxSe1W_Q;1SttU(u*|dO?pWvA&}x* z?sLu?zrD}9=e>8wKJT4-u76~h5tGGSbItOd-|wd^Rp1qA-pN<;vMl#2i&Hfve0lh2 zTtibEA-bL);QD$b=Z}*U0jPQY0)>V83KPG{`4WyTWlVJzvx5sRgZ>unf`|kBatoG4 zHTrxf+3j%meIv79x4c~3e9rvp)Q&jQn}fj+U9<;mBmqj7);m$$7pl3}NzOL&@&P78Wl#~r*o;{oLD(GBJRJP&eG5y_PAani$Q)PA(< zfx!YDt=5UdbZf@uOD zqIpn6KA<`#^zr5jMz;f0$%&z5pSf`2yfYfQ@<*b>ZNUP7WwM?GVa=(;qp9mSrk zId}(vq`9MyjdeXD`1|-AlbAhnhw`|M!kSEd7`-yfN5oc$OKkzU~J) zCUVK27Y0U+%km^#?emn3N-(}rA33}D%?K%jI5cEU@O<#h%*8K`BT&BMA!t`(Xw9S< z9D(DcSK)-+^tC8Hg(EiuGA=!Bmgl?tFoWUxrSho2tnA*IdQ-8iH=(-8Q{AgfGl-*< zK0*tIuRKm_)VRmRehUFt`SxA!>jciJ$~dv<=m~$Apj+wa=&cnl{!^)IuWlP3?@l{YRCmYHNVkW15b}TH{Tc*l z;V7U8;FAnyq_w3mCHrO%LLO@Qwd~vt%ZFQtm$~1gJZBtO^C0R$pOPt5Dl75|r4X>0 zzXj>>n`9fk;jv{TaqgCbL%}j9|Ex~aqrNj**1ZYb2lhmaJXS`G2oXD-hUcq&lY-Qj z;byl^U%pS&GL|(xlrPs}pt%OKM74m~bU8@ovuB9-CRQy!3puLn`s_FN_rZb1FGfb+ z2293gsQ@`x<$@o##+Qbkdk7-?>>Wl;OBz)#Uo)LEOmV&wdQ@C2K4m9i?GtgRZt^(e 
zZ2dGQV#H(VvHjv;g~h>6`KeBc(ogD3S;ljxNw2;7a3)3*%b6M{e@kPD5cz1_@Rq78 z&#L&EuqSQ?)LPj>%8xOcRU@+tzTHii5gLa@TySzv1*5$$hAa>|Onoa+7albE?gA%k&T|8BJQ~JrvT%#1G z>FgUK-YW6J44!SvU>rM*mmYQh9wh~Utv_55l|R{*diDZH?6cVWfekoz?PQ>rh`A4*`XUkg9D8a3C_0RkZ=CSp^k=-7LXrj88i?s>^<#3orjk|4ddHEC3esKPf}3c2GB^%N<1BFat9H7m?&8{{0E zJa_RCQ+%5n)5-=#+Ju&N6Cf;b_|OJxG{~g@7&wO1O@9i&%P$gOIgk>}Y8Z)W3fdHf zbebu2x=>sCM4<5EW8^No;@-Ki-y_D0zDk8=Aie3~`e%^Flx|{_Mmy;aOif z0MAOO#1htE78%9^2;Z1zCaEnm_U?kpmsBqNJa)}MQ^M=HCUyWgufYiu$0$FEvb$tA z()j+3<>!qOf=^8AZ{6Tei+eYQ3Owa)b}PphP(au_1vuOm4d#)ha{1BHW>e07IFs7GIaM=Ys2)-VTcvvaersg`arj)p zOTIkEoWvi$5_so?@fNRoRoH9SH)1`^b84tIR7ZV{5|uTe!U1uKrOjkvXb zhEg=~C}b)F!k6K|o2ES1n=tPYv>2 z3L2SK5y}r(&1$gq*w+~*%2BoPyUWJpHXEhpNEU3{5wjPueO=jqR;m(Q>qSTyq^d#=4lp#Vh zR;OA1N{30C;gRk7H|#A6N|t~Y3qY9dG#|UwEmCtyyDaIm5!12-ss`BNE|nj>&j1H- zHO|eLZ4^lZBm|eiLx%fpa_JNS>d_SpyDr>`Bs42ko-^u>5`N)vZgjM(Llo|V(@4L` zs|w@{n01pLO-(`DVPE_S3OcjUX1xi)v@YUq#2a;9&e-ru&*t3MOg~0{!miusav6Y6 zS=sB0lvmV}j=XYyR6SK$QxR>{DwH^PwNd=gJ<)-Ee=35}4L;1^qDl18%!n(Ey-RkP zgh+*g_n8RAA{P5rxSzPxkNHI7TdG=2x_)y#%s(Bup=0RJ_y$-6giqINMnQT;KdGwx zeQHt#FR8YPJT0lxl2LjnF?loTtQq$K;!jj2qYihL;y%sJ5-?7)nehZSR1Ll%lL!4P zhIok%1(Fi-cey@~eWc!q<&ikC&9jMEv!B8or)g8xW*|ocWWTwO=tY)L^-9_$>UBqN zNrG*7JM9zH-8G0nmetJdhURA6I`Q5p8PGYvwLh>GTw(GA)u?@s9WcEu4aii&R zUgM;Y!~5K*ncz^lR~h%Oj(?D4Di%9!T5vtKFT z^Rt$C1-2^Si3t(CDnf+b%zzClltTpIZI=umc+Gcxv^_Iz+qmbIDmfOi4X8?VfJaPh zBJ3z@v!2FGU%@sh2X-Tmb}yIDsQFyQe;rU-_tP1i^zv6tZkwD)vXv*0BnGtq(-{W; zPo#RM}SjHkl_dVxxm0Cv?vPC*w791|I0!-ng4Q*uV2F{@ZDh z{jYq6fA%?x=}M#BpznL%zK!+!16?=lJ4i>wzm6Eg4H;bQya0g>0i5XTzM?4~7tXw4 zOZdkRTWWB%{jM5z;Y}6RCl4gKx(kQ&Jh*GgV;c=ZdYheyk-z+H(NIpN{*bR&{CTVq zEEdCO+fG$OB4*CHS0J9N*<+O+oQuOfI2S)I*SYxSm}KhBpYC~&l1wCDjitIs=L7kJ z4~y@D)m1G|t}p~^1QR0EbUI~MPaIp#OPaWGiL*xMjX=I=;>&;vM%d#7 z#^Lr~pl0B9k440w7d1Wr{7eTt&Bo`&Ri?QlGspKSG1W;O9o}ZTNoLCyH%j`IwtwKh z=Q(u3)sOEzH|@o-TcwCi4O}{N@F)2#I=_>gd1)U0^+NcTbYhNY_M3K2ukK5^Y+Bq_ z2BHbfElM$|Uu1IaD5FhRM~vSBp6>SVqpm;XKJx;^{D!}XZJ+TAbiFExYW+2Recrmt 
z?01*w7j&3OFMGV_2HC{eSAP;1TyAq$n7?9c`Z62a8*<3z@foIUzz?ml8NV&mk0vU@ z7_!d+ifzvAm4CZ8sE!dxYkclelCgY;nTxbUa)0uQId_TS=}wk1?^7oVa-Ln&K4~KM z9WZz^1$0STN&c&lA9!L0C1Ew=(H?lD;?}JR;7w(VjxSax^`>iL?yC_q;Z&EqH(zGu zB)0-Y6Oe6rF1~2kJ}91GRsAJ+ZqMq`ptuO^PW`1!ZROC^atp;|}Y0eS$Z7|KY;)OM=6r4S{q@c7zU5!=NU zXs-HRC86TdR$k&y;O-Sy&3^Oh)-4}911+8ipMh~uZf&eF1O^agG4IYT+;A}Sl+x2M zZbREOy$jZ{JV`U9M9i#sxzAv^;o420IU_V$uj6+7^u0$844&p*pjU4uhP{<-^FBHi zsuSIh8!GR-#(~IR*6{a|V?L(4arzl3*x;`5LreXgWFrs{s_}aNcD|sa^7<1Euk!R` zcBdPQj$Koh4d*`Kvc9>_m@dNRCC&S{EJ=E=5AzGSNW5l~EeGHTcDCAG#qYBTxswhf z5|tC5FO!}TE{BWjJsI@m2IVAq2TCOYM)kN}lq}7XIR5-QQg4Rtf4R&myrQhX=ysGz ziA0FWlw9(FUncBUZIFor?rZ;pIVzw7z121e^}fOI%lPM0n7IEZ=~FyA6|1g*PoLci zqn;1EuPnPK_3si_2HA~Dk<%9ZwMnBQ{W_x=^t_{VedzbvZpubz{=40d3D zv>~R^pWVlAdknpX`Vku#qn9Xg)0vlcnjYGFd`bF7cw>_SNbFO=R6F3yPC#Uf)j`Y+ zY^epAQ5}cJ&XZu&^F!*pBSAIKO|_sbmBOMC!l=7A`~Uwlum2S@zeAAXO(C$*$}OoX z`b6gY#qZ_)gz#8i=-e+*wGg-=7{c;frR1*>N`B$DWH@xQ#T)CVBC~V2l_$;MFtDqE z{|X(Jv5EfdtSL6fF&usA4ATyE3b7_b%$r3t#>q`95o#~H=}Yuv^X}W$svokx_(oRl z>y#!)?ueNB0cN$;S@KPb^R`cp@&n^$(7k!D7j6)RwLlyQEeZLxD*>0jIU1@Gq=SkXb zGJ^`4H2_y*{`~e&U;P;yf9ArUb>q)E`Db7FvxokP8UDmbe`3NvG2x$>@J~$mzer5z zNma6QKQlBTO#%cM3kt;N&8`JCv1faN3y}bX#2ED*eF7&;Q^iyGsQQy=kMZTH<{~(0 zGfsd%V8*MF4=mGS0~JrQKwULc?F*Jne9e{-1?hVCf96Tp|5)q(3(oC-RPFhXt#$w7 z-~NxT`QPdDe>C3w?{shfjC=Vje)6Ajz5j04_-ozszuUe2Gw$af1=Z+SpgwO#J3=`} zN(SINTv&!Y#qtX2T(4^%?%NPCD)yMXzlGT4?eSutZJs4N0^t{kBJm*e(*y+tkQt3S ztcSgrJ^E!#$4$6!ur#S*JYfX=x~2Q+DAGTe|HiP zwk?51WmgQD4%D2>H*J5v@~~+5r#ME|W}*EB+xXGB$Lt9OScK|mC1QJT?#tH-FA3|5 z%_1UK4CUAWm&ROJ2<|kH>?H&Di=;#}U`}@UKL*YZ<)jU6z%UrApu1+JYcD z0=RPk!5wMJ8NPP~ySTzQ20*!`PLa$RUsv$^hLWJbUm%*QD~*$x5%mN;6$)lRU>Sgq z!ej!(87~@8-B^Jy8H%usP>u0aH!atUOS&0Y;bJR0YBTvryspa#Y5u!*=vdK+J^;sa zBLm+eb%}kSJRZ|mZEdL(BX@TB;RTN(fB_1m>9LFKE$E}@sVvy%TbVf&*IC;bf07VE zgWT$`d+nm40dri7y4!TLa$PvTi+J+N%`5>@9*xtQ90>p?o?2QF(KNXrW8!M)ys2^8 z(dYE>3f?|$7}f1#R&FqaX%TBec{Q!4(m2VZYcz#rHr-E&OD*-vTPli`dJ;KkEqqb= 
z;m?+{(4qkB4}k1Xm@FZz1`;#OC|{{?9XL*UaF+8&fQNir38@5qzY-4aSTSvyY+>F#?mBX>SgjF!-ak}WzmDGfvD@s7Wdmo_p*deaBrFl zs1adnvsB?RMk|CvzEIUZf5(zJAc?Q47n{e_VJ&db-d(`p8tJF07;9VI4#0GiG(z>G z>(2pxEn(;~r3Q55V{DTpn_q$9Z_WyUpoa63~(_&eKE~TAuoz|#{E<`rno+pzv-00h@Fuhd^&-02E4lAL{(?> z33flN(efC?@eNFc-Ryau)RtNSDo8w{hs^K0$fPyGomF;#q`GeHhsfSo`CyJ9pwP>9nT>@yyTciX%6YV;>ahN7UflLqk0-~m^_eXMz zA4>*GQO_P>@%8L5cJUIg0MWvV->|oO$n7A=lJsyS7m0bA@s?_i>Kn;$gPkY~k*jBa zdE4{6XP0E+94zyW?O|@|Zt*#`mk6(~^pB9Klzq=$VhX07{mT+Z@zZ6(rn*ovMrE z24G;J_KSGFRobasqgk2l>cE^qTae<2aaAG<-%8RO_V*~>p=}=$6XWXm8}zW?&@Yg= z1a?6%SZ{$0BhE+6`~r<|)#(e66kgjsOUsAbl6N1K7A?+4MYVliXAJ@t{KI!BYQ)AV zLNns1+aybk7GNMPx5jH96Dfb1Ln5hQ)bOmx6-{hB+6lj>4St3pp9Si*DzJBGqCNYb zg8pFuUy4G|!3MmLsbug0eO9D%Zw=a?WZ&=@5oK?l)o-sxJ8gZugtOk~yV_EE-WoH2 zE{prF_N4O&by}^-=Z6EZR~3aJKI-~>?>V#`v7$hu(q+GvY>u2j`Y`9P!&8ZraMtB$|p{yU3})P9OdJF>XcO# zB9@_h7Z1`6oXUJMO^DsW91M8JQB~oBvh$(Usyh%DI5%+wj6D2+E6bLCFB?gYp;{IM^PJekH)k>yZ#96+=KN{QaIs)HRnmHVo`)U?* z(tVIaUVU&RbL?tM*zw4u&o)dw2cqe{z*WS8x`94$)B%LVq0@w>jlDAy0J7|J?FJ*> z12p~Nx3nsD(Qw9O6+zWr#1OAcQXB|XI zVos4umuim!Wa@Pd8ZW}6VnCOJm^>r*QQ_xeYHt@PsHCn!c(+b%FM)ar)ehm(*Qebg zG61APT92E$Khe>ns^GKgqd_uJ(`9e$u&ZXBfw@l~4p_ZH3CLT-dHgJ3nT+Hk&P@ao z9Y2|U@VtFZE~;PFh(MBen%@QppS&yk+Q63qURP@*@)|HW9&a$7xBjc+;$_USFmvUYn)6Y;46|4hLRZ@Eg!%~lxwa_M+Lfs47^Ko)8#$7dfi_P z8V&tG6QG#SAmY&++nDePwxkg~Cwmpix79wvk~2|1M>;+>JveHhshj1-v@b_lqpF|) zZaeXsjB0oEBnwVrbcrF!%Q0Hj&^wkaIQMbXFs2hRWthfH z#T7^5i+x1gY9UXKTiGTNR&u6Q4k0E>05_EI>Vc$iqLgqVWOk^|5#_1Wk|i`)qvz)- z#XGM#M^z1ftO`BnA}zX15Fx=ng8`fDNLaaL6i&iJ5E6s%TZ2y52wpDOg6rQ;?YYH# z{x#0<==`w7o*yd>@uhaQi1tEv1MW)h;SSp~I&! 
zBZw)->VTr*MbhXpZ~B8D?^8Q?(^)DHW`0Lvi&K<`j~nPtF)fg&2T)DHbExmy0pg5| zAHP6xkI^)4Ac_X|G~`X{S(+|!D1;W2Lm@a4i?Hr4Eq%*cMfWPym2*m~-fAA6PS7i9 zz;lXGTuGuU*9Ao?!qvX|ovt@ZcOPPXcw<}iMgj_be8&>#l#+@TOck&xxB7WB1HML2QN#T2^CBWOK&RCEY=M>23>4hQHg-n5(XF{nII_ zjbdTLVc)O|LpS?(M4W7@`gh>35Q^(Afl^uizbyhJQe7mHEYJpkT?2kk109Rm+5ZLF zM_?C9&^w!G++*se0S(1MAvB?W5}@abk;j z9tI~8a0N#`0&F5ms!G1%KZkeSETfz0cLoW%=B3D)oSvn;cUdzKwFb6tABvuPKGK*3 zT{|{&{RY62bMJ<`da3iO;cAVy?wtsrcYdrySgKi|yixsN0Y%`FN(l@_N~UhSr=O=; z_V+}9d8s{la->KHEMxN$9gsYMcSpOiDnf>t7{@yK>V?cJGg?rPnySw=Un?|~Gy3ev zx3$;ICE`c*Vq~xjcg$>0Xon>lfCqM4Frg3@T@xx7?Ht8u78`jIsY)DsqqSD@zB+yCzAsf1e7R)8uHe>n zkBHZ0w?hC@$6a*26u{)&K`H=B9BXjEx5fpVg;b#mqk1Mz6Zs+;(%sWKom`Eg{C!2` z@LIzgaRs)fo=(asp<3MLa+(e@Hb1fo|8*b`tEu)xo4GsMtC=3u(SGu+XC z!K^RN67BS=lOkP^YYME0<4dH)x>8Sh%Fl#$AC0D_($PJb{MQzp~!bT zY8VkE;iOPd=l5ft^H}{s{BfKFqYEvB;tELGXke%jA7R~n;OCxNh`jC_>GEkb)CL4x z9%Q?Be_)OVEu)=MTFI#=zmw zYB`be;HQ!*o@LZ1o1l7MR3l6NRomyOB8L7OK%NLgyogm|Z~)$h6NoXYQSL@ws*j~3 zjB%9y0cntNso&Q<8Co?USy7p~qom)an02k_o`TF(oQtC=-KOiTOV)vwbEN(MyZ(qmt6L%umpU!?AAu3kI=D>f+F_Cc(6!;kI01$4yJXa<^Iwn^%|Z{UmD$NOoGtEH_+QY&~?aP|5FBcn$Za^vsp-}G4XdN zHa2gaSI-ZW@HTlnQKGF{U?_8PDpcz?t%@63^$XOf#OQ-hlGj~)TG zTKig-TP2m>%Y}|*O)U2`l&BXx0%f5wLw=E}#q4ai;=cWOpEu^71RmHcdT|9_3twcFj?aNs!%c;?dx$@ZQUo z&g0pu{TsINH@@+ImDk_lFn`C)R2A|yfWa({`t}GVUP1}XSxip~NH;fo5Rc{FUw;9f6$VmAibuzYzsLNpne)1<*9UxjyQ@X03v(aN;7G{cS*ph8>&EVWHhF9x4{BEweZw8 zj&0YJbh4UHWwQC}dy<({;$P?}mfr9+*bh9JMt=)&vF9P~K2_6HL$iM3bL6`jSL7)!?~Qy{ zkkrI3@zn3y6;mmkG>|0lz(S_VAv~-fJXNOg;kWS{y1C1yTgx2I#=nz^Tf5}v^kRkv zqyPI&0?F`NMUaNYtA)?s?-wRbjQp58a3hvU{PhVJ6Q}r{&06jQWW?$a6#;m&rPc7w zAeaJ#%zD*Wlz1*VS0`IX2TI1p>YJ>0SU0`#TzDRcjT4C}_8EwRWU5Dlyo|OoyB}ARKZ_%?K1^MZJz1LUWwq_6MB+KUeA&lgeeQ)*hzMiU;LjUhPDutwYm*6>Vdw}cpU zXaM{VoObo3WO;S0@M;#{Vd2O3oGrz|I#I9P@kBdxjG-k5C2V>le1~Pn zf#oUn@}&-Kl~XCdK*DFq%_s!`?ELN*NCbFldHAw40)%B*|L|8&@kV{&fwlJ~_|Ls- zN2wMyZ$62)Kis;+BvU`!#)>Sa>d+pOV5>tU6H7|zRJ9Jv8uUu&^3gZ_NhTG})lqM~ z8)U?h;oiplKDWR|pvSueAO|5qe}g)+0^!wlgu6O_T=C?xWDTvd$0iFlsUH(H7C5ew 
zsyp-?pr8CESv)pr=#If~pjZNmCR;EkcG?TsZ7Rffzifmjsw4}4@Gd#EUT{=xzZp0n zDws68seV{P-kD-&hiepz!OAaww@2L8-)gZlY6S#dP2TWOJ^|x53kj@{p;$&AnpaoL zZ(2l9Pp)3ub4JzrOO)^@e+l`sSG!e9l<)bSd#bh<2Lz$w=5l=gz(k)*3Iqu8m)`~J z6X>aUPfQf1#Q7OMkHU1R*Y6DNVsCltz}+lkL%}s6-B<4jqF=E|<(b!ld~Vg4BdhzB^(NwVLROoryI?%W# zdJ5VT7KJW3I~374E@#w_pFXu|(M>M1ZY}-RHJ)|3XI5(g;8WtKcfe&8^y3pJ0Gzq~ z2EzhNNCz|#g&1HfsyVu+aH^Yj7ze~*BeZf#Hi-pFDJBUuVYt*No@?bwT+9C2@B7t5 zQV*psb;K4&xZZw~rQ9@I`w&o)T-1nyOl40BAT6mtzNS%a(hVh&(1;lxOqU*+37vxl zWp%VzRR|@EZvA8>v=bZ-z%Z)+>uf~-wqb(*zzF_hD8Rpi5nzk|R*LE-z`*z4lRVex z_;6hzkB(9}w7t4RX19rh*HQ&RQqdM;kOQyiCy4|MkP)VHZ*VfK(3`jfic|M6ni1_Eg+7DdgBgIIt3p?HY3CMJ zfe_h9rwRW8M#E+^__xSlpyro318Y-aKmmF^E6+Y1NT3E%0isUt6_V0VAPFG{WG|oT z(t%UMVqQSnCXi@N**>txWQ4+_8%0q-qIlc7#(WRhyxaC6(+Q9}!0}XOLXrk7p+AE_ zD1$$(`_p%S#@(M;@n=Q(vl{=|EB@@We`1vXi3m!W(S$E%l;E9+L(R3eEu_kuYCIut z7jg~lM-pg}a`XqkEAjc@(p;oo+?%zpk$@ncs z%^E%#+R+dC*T4L~?Z40=*nvwxod6nxb_IOE622@w&Pr1qJPpfOEhz%slg|BdTsx#E zY+d%@jkdU zTK8C_C8t=}OgrwmF?uBNbM_Y2VF==6IU?R*m7Dh=z;RtHs&{f##l*Mm>s(4~a>zum z94&~Rw$mMq0~2>6)f`>ETPHLfIWPQZak+Q(B0A$CQ}%4arM(AuMQHiF93c_R`-T)*B_XeW}hkW&{ z8|?;mBg)$!mG!HRMkzdagA&wwcef~Sj3ato4HAao^hGd@B2D|tbYALe1r+P@twMZP zAp0fkRL2iY9d7SxwY#S#n=%dSt|70K^{n3`cF2k2-Z8I-HlK>>3VQ9dVj${dWdFIi zW&fiD`AJxU<7{ zp8LRNA@LLjY|>o}ctc0=IMkGMVwT?mN8K>rQ?y$iiX+!AId^bhGM8B|QyAb0<&sp&&vO8j;m2cSe zqgQJXK!vmg!lni&>I=F13tEukoH-m6`>d(}DU+WC1?%NPmG|ZE2Cgeg+;|stWZvH= z7$gFy(bz@rfJJEhloVoD%a9eRD@s4{@QP>f*qzHyPrPQUVJlZ^#D_w-ak9+{-66UV zzmN9krBf7|;E~rZyTY}mgoS5-3;-^C(MT<#RG4#Ov;iEJ4N z`|<3cK2f<)y(7k{BLxh872^;0&W$=4sn(rorH`DuPrZwSe*IEeTA9?hF8$2yMo!|l z<0U1;^UTkUKf7KoXGY3Ocg>7bwRVfBN4P$`=ou!RF97s1isdB_x;d zY4H|+s+`sf)oT;qQe#eMt<0xo>20}em_fAlI zn4^0C7IXWFassiRuK&l}s42SaifwIjj(YJces=4Sy8RwzC8MA_N~>m6Q=@xI3E?p^ z0-J*~QfUkdYZcC)%SOW<45u(KFh*o9iD-kYubHWze;DeYag(jl52DX+=% zx*P6zpQ0bUwAI{K{^aB0#q6=6UOvp{p*2b8+kVW%zDsZY1Fw!ZN=#ZR-1rhyYydvp zYqviiRv6%FjWH%2ez704Q_7Rd^7P!doX27IqDP6~7=3Yg%ryS+Qr~iV^2IHd0AmM& zsD?(5OR&~)x#2QcFpLj*euj!?a=#^5lX2twsPmZ4+0Wp8w}qdurXj?vnXR-GanLt 
z)Atu^x4+uF{U^SM*`r#}n>I!GRSquz(Qz7^1pj+|$m<6vcm7WMu@HR{{p|^WNW``R zX%Q#ee<|~!{|asWXGe%kBd8NJKT=v<^|-w?@seFer`-<)JM)(vp=!qCDOXLjcCdC8 z^c={2b}q-5TIrjE?_0<6;rE^?K4BjhPG}mcVYI*wqeRaW7j6KROR1Z=dGPmT0Eqs} zEB~e#4}JeL0WJy+Va;~~u#DqMvu^8ir4-lcHKmJv*^-`vGfL;$;-9|bw%I=p+Q--N zp)@IUss;snfwJ&cSFrG@3O)Tvh7Z$~-iCY8&dk|ztU1v%7!exg$1X^jyhJpL;IqqI zzWHpWLg5)A=nWSI3g8V_i%H)JcwwAC0M&*x_NC7vPrk=M;m)RwRiU|XTxS-1OPXw7 z{iTGSrz@`4vj-{v>5$dYD#pB}dSIWGdJ%ayjBG^Yi$I-3N>x;ZLDPH86uyf|of-P6 zoJhN7TDLjQT!@sJ-Wate$9?yE`Cy)8zRXefscK~XXgcSyxjQ^UJ6JQIHW_O_VMJ;h z3EY~q$Qga9tl2Q94w<@%4Fy^_yUD)4jOn<_yaL!ZrOumogOJ)aX+jHG%fd?tRVJd-MG`u)92SjIh}PQ1vmjGRm*2kAFw!WCWjoJt>JZb|LiyueKscRYR?%p= zyAIjTI*z9@nU3VG?vl6+zSr}uc|HEXx51m$YIAgVyl($0GXOOeL_a{p+!81G(JLCq zt!i}Mj9ez#NtU@er)mxdZ>oIq9_|8xeCKf~^k-A?VyrOP2WQ&U6i@AL!nWPWFl8HUX|^b7RD!((!1 z<@fJ97nwHEje(uXOH^@;+IFt6sjmDyLzhUeTeK5SzBv66KCnUX&P;L z+YDQUQbi3;@X@ns4E>3iDa=#Vl_zm03d_f5TR0_?Z|iWMnLOn%{c7~Xh5;9&6~>Qu z_k_BVl`rrO#wofxshI)&_cZm`NBygHW zq{1Jhru%Lj-YMgVmA|_z=?{7&`hdpP$n#rhc#Gykc5_sm$YAeFCdND zy&U^^ULsl}4KZUifWy}f=WkQa9+mbE)l}Q!ivoP|aQfv{f{2Dr7BeC_#GP7g?p{b+*c@7)6F>cShY4aw zo(#rsCg4SXfrj!TA=@dyhzQmnp;+H3LJj`{l?CM%&gO)OM;~3^vGNEPe*)J9y*1O^ z;tyYGfiHqb@MJs*7EFUlHz2~2&c7RRJ0{Gh@zD7F(`ui&rX23;ai*)@0c#FQG%n-y z38m->$@1rS-M4u+yNgC6&A@4paAX|S$bQ0(=0j@I__2ll@*rcLUq_@unxP3mN1UkV z7=vhG8i2cR%wi?!x2j zOukE{^0-*2OF2?cu)GpE&%7WJZau2D1u*L1kP*2SJKFyHtilg&UyLsd4%%AXkC$Nn zc_>AmAY!JepR#|LsziBb!9-T99om-TS2OPv_TbErdFGUUqpcXqugkFplS4N)_+j^@ zQ6e-v)duurW3`$j*90yjgd%N-{)0j($F;``Ms>+*{S41;en#D%;G&mV~@~8D-8Eim-Bbpv9}}DCwRltl}+Bt z@nb`Doo38x?#yIbH*1`IUsLtIKh2WcRW|NaD=4e~z&?FOPp4tB0$LYIJO57Jc0!v- zyT@NSQTn0%;**y@TdtDTX7MH1x=y8O+k|{n&!o^4qx(w_tvC0_xS~*Jf~@n%<6=bW zxyeEwFwqiogfgz{j3%8H8tki)%pGkN&6cP!d}Pqo^-$lk#=bmAh>CC%+-OmHY6nYT z2zX46ObGRjm~F_fUHO@Eo`509J1t({7Vcr5Hz9P#;lwBlv(;E`kAmJCEtl>5vQXwv z9tQ9;w)~t{>@mmj?${^*a4!C2svD$MUa|~Ddn8RyZ@IEvmEw|S%6p5=l-t=eg55|fRTKH#))$iAeX}a^zVl2CopR;K&B$)ytITb7N^4A1mt|=F2Oxu2 z9kj*tlOAHn%T#>u6rqQqM#itPRYw~2CU!A zG>+6`U;1rO&J4A%yc$O;ylV(E?sWF;G@V0WN 
zXReiflDm*)cUNw)_u*H~DZr*^9=!@Ifzqr~XzDTanvC3b47r(}?>8ByFAtC@A$8g| z?{Qy)oKFnd^?$>PMU`->id-2(bJVTMZTXY0111yCh!FZyJo!b+`Xtc`y{B{%Sd~SG z_R2wi_)_Mz2vV3GrT$%jB_X|juq^ZOqcZ1o36oG`+jC{kJm^T!`EKTs+F3G|{sujr zQDdm|6vsn()OckGX#pD8*m)Go+2Ssu%291Ezg*;C*W!15Q*I>==&1~!W;l^Rs8Gqv;I<3Z$=glwEHTl~ zj^0BMAQhMv5f4%!@~9{B)Vun~H3j);W8XOKgB{g@A}IzUhl5mrgUnMS@IOQuVE;}GS@a3hGN+YW|cetyE-UMWRhqG@m)!Wgc zDIwDWNG1}CBk_7)VCOrJG~UyfojPvZlf@>GUocUIM({+7Ozq9t*+<16n)vNU0=%bP zZtGujuB3Dko(^8RNfmsXLKJxFr$fAVSB)y z%L>?#veQqiO@lw1)W>lVaOVbU&@-dHReeZtVQ-^D9|g4#l4Dmt>ngW==rAc7Bi-5n z@ZyJo+XE9v8Mxa3Q%2k#OtcssMo&X2BZC7@No3XwT6P+XZA7sA*=FxDbYg;ig#w{E_aa~1$znSi%V7WpBOeiY@QvV@ENP-%q7yv#RwAPM z!!w(kPNGzsx^5&iX($hQo05qpg%S1>5_WVn3l#l0P6mkG{f4`Ch+pEM_u;@ekOksU z8kEESg7TJjOZLFaDO5St{F8?r`>GyQ+ug@a{iH(xp^1gFrc|k8_ge0*;^Wn)5Bc7T zPvC`X6y&c`GR)GwUiR&eXXu9-b)r52DCNsyl~q7GB2+ErF3eKpO7#n8bJLLL3*+aT zK}b8u{mBtsk4AtM_7vyyY@FA z$@hTA9Ry4dgl1h|_%H`;A1I#waW|q#@ZR@Wg2>Nm07Q4sGzYM&q_P&m)gi?utL@nd ztfQlyGaH;oTPqXwx3{EUu8y}g&dly6I$|~bk5U0a- zkAFPK+%u1B0a_m4tS}jh0xy$;>tn)*gS?H`zo3ujlwII zyq~T7f)7Y}rXi8^!2lw-7sfcY1gv&E2w?9HGTf5{J*ikTqu!O}Pi86vc^#pOND zWtG1`mIJzFPhwt0g3rz}Esw@|06DvIa1$nS^5g@35u_GQ4Re7qB6q+$jgkCMhVZbVk4kq2_~Jyk|K<=sk} zRSiV&r$5NHzXpt0Ui<=i;`e|D!yN=ntKPer)RRdNcQBBM80}_6d4LumaM+QhiNh4? 
zOeUAvQ~MF!r9f`;U8@Jr%|jNCtjo>sQ>DpdU=dFvG1DKrPwrcYAU*%TN3#Dr-vgZ4 zKc?lcGEYbReW|LPcK+{lhyS%CIrN`bA7R>2B1==sr$p?hTS}>VwDUCymKJ7t>PeTU zIqy}0wU6jBTYu}ed-N7q%{PdhDcfmVG?UUVJ&k;mvU#tI{Z^{)i1~M-ZiZfeW(}|y zY*Sjw3&!gd9$?pVpPo26_v#1e7sxjWP|JW$rF5^7rZ5p%%EX9wj>)7;&ntCLVBqM&8<LS5A(8 zW5uO;ma{em|2%IaIXZTm{V}b&3|IU8=hmvCimxfyr6pA+)xowHWF^R1u%2YYWG4)x!+504~Ci0r$N?4_h^BeEqaLe{B} zEretWGotKE2vMOZTTIrm&e$h}?7J~TvJEqqG0f8Q>As)iey;2K-OqL3$Mai`-|xA< zf6Q^rFvonh*L!)r&hvGi0aut)xoSdlo%@IqIL%N`N+j2F5lbiea-YI%t!SrSl;qih zXQJe#aIk5U6VZ&ULMblkTcC0YO|K{dH^ieMYHWo^jnE4t>>J6YC2Ttv{;@!>@{L^R zGsca#Oq;5UH2Ual`0f7kyI{h9^%l=Jy&1NLv^-8lJl&YV)=Y|;S~e_PoibmPtytRh zAnH8%+7~8I9B6^D0{x79<&*);0ipZ@zRYskmH*K@{;e%b!PhiQplBm^0+$zv)<*yM z$rPncyOMD}-H*r1RpJ&o8ZqcM8H~y0fT_aQ5iCGG>- z+48_t29IKJqyjbsS1Boe0?`C;h-9*BK)2v8Up(e;(kdGwkc5b1a5^zMVW)?6c?Vc> z;>FVYniC5uOJ=^^Z<^W?oJ20!9;aVsz0?Ui|tHMxBFUV23Fy_+CWZ z++k94`nzXDv(ncO?C!cNlrBjty81E8aF4G+68S!Pe_7){ThpAr+t*~imn#3Bm#+T` zU{15oqubzc>rfn633@)$wCyaOHB9lJc zD`xySNS}Kf$T7oeQE|vb%vJxYyL3P*pe`UZIRV&mU}Vw&KL_)R;b1!k%UXjha{c5& znaZ!5HE~-GPNA}m-{a5o*WRqt4;IaNBRam=$$OKvmN5W8V7kXcZx7PEG}K=QJQaRn zHfCmuvIB{IlQ_F~2z?8s%;*CHt&v_@6EFn|SLfK6K=unZaLI{3(R%+ zMkT8P{Fmx%+FmlYQ+5y;==l%A8ShJIA#rPF4N+SX>x#15k|}QHZKjoK1qsR5C{OG@ z)unuX5BP2TeBb>*ZYIavSWn_9qlF8 z_Z`(XlL5eT58)g%eJrQ8=UF%#TNv7oA&iDUKBrlK~(7)AT*Pd&cb$jGl24#!bN=EvhuLa^c7s>H$;tib9@fp_-R zbNVQkl5h6Yrxags>OHz5nXrez2&c+_M!qs*uJ&z;(zlNOkp!GH6Z);ZUQ{j!70&c zE*H0(B4#g(j^jUVl$EUNap-U1msKq^ZPFynJI2C5A-~oegM8e8l2NOzZEC>@OwrH9 z^oUc*^7~4USQnhJz@D9TWM|fPAwfgaX++>v;;GTlZ!&gPlC?&+Q?e;QqZZj>atY6F zktBY!z9B^_O2=z7$5c>3A$l?O5$Iri7)S@-+g=|LQ!PMD-KSB#z%DVxYsv;e zQf=Gz)X3PY`24aaXU;m^8Z~^bRl$UnZ@=$P^A~U#8az{wC|%toQmq3jFJ2KI#DV+{ zXL5cjur5TzcKT*x!Wn1m9GAygp9yK#rdZVp`ueZxmH%R}0n#Qi$#@NV7@Y6{@r|O2 zcsQB(zT+!@e<;#*U=jHBb}yI;MU~1$Qyw;4zOqo}%X7V_TUsdH?tZG%i!c6H z@4U+D6&+ug?Ieul7j+k5dxmEKLq2n*Xl0qyi%So5x@A(m@*BT(F5dsw*=YB|6o~FZ zZ?5SRxJ^+cu42tclzo53;h9feQ8Vd|Kc#!OAZ0*w{F_8&CIP5cf@q<82e1A7arFD@ 
zH6ys>3~Q^`S;kKi(l9|Xw!J{J$T}cpG8sG{OgLF=Mv}%ECn`N|d~cnw_sG}i<adszx%Id{db1Zzdle@3hLAXL^1wjcgV zWnF2II|Dy^Ny83k7(;~kJeN1Qs-*r@*lXGziDkMdC={N6$WPr9_^q z;jb*@R0Mz3BZe))#g9^Ci($RzRv9v1fBYQp%gF0;$V_nDv$16-`*myxg7B_X) zws_(|^s8Xvjaea8#-M6P;^oJQliO!=o?xkK5BxVFIy~&Iaf?s1FqfdWA6LEQ&m9 z3pTzX+jEMM6U+C0q`#s%$Kph<2$BWpRFiwsc?7%Qlr&fz6MFpwmR3SO<^uPnp>Ee2)BldCBp6)Z^HR6?FCKwBVu{ zL+?XVPRug>6?w8oYTxw`$;)|MKn>_2by~-O98FT5eL-?;S>mYF$6vja@Yqd8IC$MD z%&ibMs4LVsqH?PCx$a{%NM`+}~5(fX5()Mis-m|(C;0H{TfkI1aSrD*eich8s@qu81&`5^CR3;r} z0bp*zm5PwRv$g)eeM^4)&r2!(jtN)##CC7Wrw#DT<(cZweR9Vs-+#wVGOift-FpER z(N($P_3$Ie#xH*_w&_j?>{Ay(Zd{LLS!#3Zy3_p|8Zzt9E$PzL|EeEm1iJ2dSd zQPw=JcCLRwQN1aD7ZU$MR%HI$7Oel#pz7bnz<(8HK5;Xw_NJdF<2ayau)t1}?C1E)_JswbU%m0VZ zd0d&xh$1k~lEwzK&$WJpV<*s*l7IXR+K2u1Q*nRYtA7cOzk=b8~f{tAYFn^pe` zhQEU0uVDE5J;Z;7WdhYePg&5^hyiE~vj%(iM$!2<#;uUYnq{PQ)cDmbaCdk@wdrp! z+*H*zAVprkSOUBEaCyUjy>Va#a)B`{Q8WHLIs7xAp{8x1B+Sw7Vm&6xo4Rj&`#Np< zPIA`U)U#)gcrb4V-pNu43R#OuvUJFLZ&7vmRF%iS<~e`Y9`&aW=dah_--Ewo`TzcY z{9}Clqb&bF{{O%F=f7nz|5v{k|K9cgt(_y7OufBQ>M=s%c$2LGRm$v=&i(u-rZ znO`jX+1%ZPPRXd~0V>PP`CUI{EWZ@8n6$Fa0PT7IspYS1pb$INmF75YcHD2z{;HeJ zfHn_E`zFh^|6MDG{~yi^{I|{U|9Dpw$y|UX1oZ*{VP?rC=_=D)2YqVb$Dj`YnukH? 
zr@U=)mfNd@#OYI3JL(i#%$6obQ0cpVk!Y%gp5lQtCCQ4c2EbsDl^o9Scne+%gEz^k z@FD6+!Qra2I`Cl5OFC+Xpr-&45=*{M0q2K`5#2GHfNZh;*P$JG*E^~X*Y&^lvCPjN z?r`0%<0JD?+#!R7>srN=j8XJgxdgcTd;iX^Qe1CHJp0X=hOV9mRj#bL>0L9_@$LFA zp0*AAWg#C|&)jeLT9+~PSjWcXO+Hsk9H{>zs_l=ol$)44xq^a_cwy=J_&12lvm(CF z`&Occ;NAYio;ljxH}ro!?Xw!;qKl1J4A(Ja9Y>v#ysc2C>nfU;7kSrh7lN3#UK;fXO z1E?hUu_`}hyY0z1mOs>%rO5_~6cA8UZ|+;68ZcH)--)S>UhHqv;FG(INC)4uL%S%e zfQ2aWx!lv!`kI@!MT+pHa2O3*Ef0+w)G@(Mr=2aqicTAcp8L^V!2v9 zmnt5BW)syUK`ZZST5=1ukB?~(jHv<)poxPA?XHNP!jQplrtWx>YBoN6ik0zpuZ^vp zIh^#cm!*SaTl4(gqD#!66I|`j6o2TRToDeA(UqrYTp5!RxG0<%bD`0!=*}zIh>)U% z6gJDF$G;d|Vf`__V@5TGwdQ^;YPRLVOWX-VI zcX3R3m-f=qc#SKm20@WUtOpf?+qJMqx=G9(4PG%dmk+@`9c9`hs!Wwq>{S%IPp=@rIZi`TRinvs5VJ`uU(5xn`I$P`dZV7&qM8B6?Ju~N3#vDi1w*B^``G< z@Cb4)#L@cbufT4}ys$9|J}IJZiU#>fnw!A1dfCnLpVifttUZ@zrBnF?wA0eU*+3HV zw;(9z^OQ6IVeFu%)BrSP&s@&Wl(h1dtJ7ZDk;Y==={Nmit{F>raC4kjPJHGiJ}pz0 zo_AkA2L$dRqDsBo`ewlZ@fV&mmf0!n*$jb~Z-36RA9|5+aDwaCM%)~U zD=G-h4$ZttOhS5*r)smFDkt_;alKcO3P`Bi+~x$Vk6h+0*6seN&%>FkH>U*11FnrD z>LxDrHG}0@9T)M|SYE}$S55sN^+qY~-4^8oG}MXL1{k{YfLeYmtrLC)PPF#hKcD>k zH)wbK#&6KDbwDQ2?2$|3f#c1wv{MJ0?OMrP4&T;z?Q3eYeL|~p(=n4Wo|nMb1Zvz) zGDVSQuOw0V8`S2Zts!k*U|izx=|xh&fLBA{(L3)ruS4aY@8og)(u_OvZ`Oo|{tti8 z^|uln|G1hQ^pd408gdxbDcjaLj#TN>xg7Xa%~mQd1ekLrry7NIl8ztHHG1; zosbMZeW`2Nbl;Xa)q{Bln4;MRs8Wov-=HeiuJ|$t1|?ckP0VO4Z2tU_xLO;0JXH$I z9fy;dv9di)5d;%+A6m?EwjOiriAYjabtK|NVIm*V|= zLLM!vVci;UW`Y(zV$SsIEFVGwO+t$B=-jW!4s7g!$z*ANkZ02l=v%V8Z#O5W+M!wz zF|G0K=Au=B?Ai~3C0;z$gELWq8N$og!_%)aK! 
zo#2x#UtqgsJ4Xau#U@1;lRv>sLmlX8sLP?Uq*-7l+s!??TKUE|N6{=k#63r(2q~ew zkiukhyiOai?vngZtb25zQ7XcW(F1gwF*v=PPgBxKs>VKtdOI}3n#&U3Pfk9Yv#QF3 z!nRaI5+~$_&;Y{Zf!~Lu;G{7(yc{+r~C{p3%(Bz-^&$3dqIwef=9}-zEr6o;SP&|0uI}dXdDU(qXxD%SU_l#auMNyqcPgFTj z00&Z=8TvbiRZy}iHnEoT-dHT)6G1N~`_b$nzJPsSkB~-BzOq=;Q*jqb z$qJ2{KeVc&p)jGzqJ&cAkX5d_8{dua1q7d;x(BSA?sg-VhsmD9yPLqO-zpbm z!4`V*iMTSAv)Jp$)LDnm^#Wa{3nC^y+tV9IHDAqhjxcSPS5W1F@2a3q%$a_m-JmoU zuL<|1Jq^C)IqrW?2GUfQqRs}yglD-iaGXFD@j<VbcP&ssJk z5$rZFxrdiq{}X@*lp0)eZ0+Ek)r0;NeArz(jARM{_tuzO;hODpxs6x_wiZe8Ks||m ziiGEp{_B`K9hI8_KC*&2D8IY>2g)%d`-irX1 zPxlbx$rNQQEjgDRzRpnuwA@gZnTbnmpO86PF=F`{a<;}+Q8reuu82l(U1LO{=c_-d zOT2&|4Jv*W_SxKMJ!<1HIYleEql95iBPP|*Ie>fS249Q{1>}(t`|zEYXP6-jHg!MG z`Q(W;Ji60C@cF1wSy7am(3517VW}LJUEGF@WXSk7vcxMp3RyhoZQtCH89ct-8x-U( zKPyvpy>s!2&g7d^i(&*YyeQJaoyo^n#YF*L+xjrx;YE~>m(kecWv2*wvHNo$KNrW{ zAQSxE%d)}ZUFfrLPp%2-0_*xViTO5htSrwz|Lt?%{Ry34J{e)>0a zDa-&pTcB3~oJThyg99|~y>?BVXh3d2vCGOCQ!wN8th!c1GwmhV4Ov-jYsYD_e{<%% z=qpa0Qc@!>bKQ-q7iux64&nD?2sI2f>Ez#;@e+7eUMylieUy-|rq*@GH|3k)vAmqX zA@p@%9!$y=Y&uJJzC?egZ57DNLy2dcwzs^d=MZuK?CjP0RqDmFw?-77-DKqeuV0}u z&sxZi4iKzA0ZxTOrqX?`-#0Ky-_83?ZWO6gw(6445r=^C|Cf*eNUhF&X|~ ze#=RVAkV`A7|n$Yy9ruZ6rj(rf0=p%)`1p+yTir2p52~eVU*(1{G~lL`@V2!Yw*|i z_?_YGw!R@|;h)mQ@ie$?a}vHV-lb!sEZ5@9KI)fkd~A=)mpE;hi%+!!U4;aAFarU~ z4eZ`HQ3~+ZTZFqrRK6PmYSAICKJ?S9)Rf2DJ7&>D_-0bQ4Sfl>i|_~LwGqmIO%tVl z9t+wZQpx(XOn`mmls-T6%?hT;Z>`Uor@On~iCgn=AUn_tcc4v{gT3&13GT_>XFd)A ze$R)Dk79(TIL{Bq(NlpRD`xbglqhQ-DXQdH%4HXg*oXPUhiy~tAl}MX)lI86Eyr)G zCA^yGKcCYT4$cVyQ>c-Q2DxoMI*?$rTB8^Hbpgeb@jqT!=GOas#9*=k{e$i~=x3}x zF*CA;k6kT3zIQ@+Y-sZK)=;nHu{zp-7d;6$Zqst6t}s0V#!U$z4Vfh>TGm#kFI+ZC z#ojnqVHv{H6mpYw`;+1SL@|N?#lOw^&nmuD3x)`w%7I=77^TPC3nn}@gI~^#Oqu)p zoh(})tlA9NM0=`0<@~Nd_yKJfKJs3B?sP96+l~ky$5vJI3mcW;yqA3m(^P$d)W>m~ zsU@u~OkDDqBPgkl;X3TN;7+h8O_=m4I+-E18n9yDpEH?sXW!OpFF)m(=2_h9-GlKp z6=0cTDWmlIeNYB^w4d*2mEAP1#wvGINQH)NN_z+Y5?LeN2k0SE#623HD*59e?35P} zxvG9&g6x9K9@iwBH^g@3y78R5x2T_V7IR6d^G(t&Q7(aIT?Ad|%tj}u-%ir%d$8p_ 
zIVO4azUiAPmcyw>Ecm_;>IpoaHQF;C0o-XW+8`S%bF|(*y@|`uIL(>BRr2+)?F_b> zmBwqZP)HCU_DH;RR!hEKHDnX=^jFByoXh1L4X;Y2&wo`goiVyBDLzVc16&D4uvHQS zI0;U^J+|S;5O+4z%_^#_{ZQas9AXxA>t*PnVnaVj9m(dJ0Y0!aNlFr&v7#HK11=ZMdj){Z_ubJ+(;O<;N5SWS} zULISH9odN`Q<_(5(xtB&_MCA%BD04Wm^#B8(l#g6M9hr4kj%HzlN_86nf5xX6nVz2 zCf!Z1CE#{t0@Zd9QX@g|Cy9_NN2|qL@M53edul|NeXgk$e(WP$d1G}Q5_s{(Z9w-0 z09L3Xz?Q8RCJ)dy`H0vTp&@RcrY0%(A7l@HIR%}~`p7Nz^Zj!X#VKRF^jw zo2Rfu)Zu)uK2g8m3kLM4fD*2HOP$g!zzJcQ=7h&`LpM97k`uJ;o*g7rl-?NE$h2hP zP(qBx+~kFUj!}Eb4}b$^&>jQp#$~Pu9z_d&sP8z~wQ}VBki$)Qg#5TaTP{w)f0}Q9 z6ga=)(1*a+YhgdoygTxtmvIhes?7F|iO7?lL)v>u??>GqH8O3!9QeSujUcd5eM4>O z1q^YDHx85RQ$6yP*im8bqf;Hgp5=T-J8`J7(O0P{Eg`Kh)bC$)Nd8z3{Quzv{|l}8 z530#y|H*3df2vgc&yV$wnehJ!pZ`K@{`oWg3$6JN?$3V~t@*DyzW#>)`_Jct1_^eG z6@-+75Pyj)HEKqs+YRx#Sz14PSAPpL7JhkEF}Nc~c#J0f#Uc-2@=ju>UHV>T-6_YV z^kj(XtZCh-OtTzOu3nC@ZOFcKJ16{G>lN^Okk!ZLMm(}*-~>(f>u?YUP(WQ#*GQ2* z;oI}3E$!WJP_wi2zt6L};b!gZ94Qyxa7|47aC<9?nk-kY@%R_Qem@7G z)t67>(9hNVVi`I=VB#K@2AuhL5z1q#rwZGh47+KsOi3OAxp&NZqUL-DdqARfkNz3H ztb_BT9RqsU7kJ_AZ{VJ}2V78x-=IU~U`i)o_HhgHgfR>zT3`V>WhEw}Ogm_SU}4x) z(bVK1W3K7x`r4%Bl?n8fOR_!X+TZZ{5w;W|;?@9upmXzBsK$uOr;1ty^3FQNJ= z)Z%Y$i|q;^Jwj!N+Rpo}f0zePNn9hH{!p|kuJYC>$(#K}tPf83(~G^Nn&eSg<-ptyrx0I(9AMO1D@VHDi6SCt3IuydL@vy`$Q7N4k1z`hbxREXXW>@tUW z0OD?ZyYA~qsx*{Jt{M$$K8f2XE|{2Gelj@Q$NxzwCG+LX>BUKr#UqlU3qW_v>*ew) z42)w8CJr5NAgadPvakn*4K=wp zQWj&rT<06fyejqlUYFv}7Pd>GX?kpiVed(qWC_YAqU!uyBq_gZD(O{&U(Czms){I2 z;T?MM;rRONUTB3A4omoIxSPd<173jOhRfxqOt~{6=lB6R#?oZQIb+)8XfmLd zl(+X1O;lL;4NADlx+u%H3n6e&PtgqM*$in)ATBe>uX?)7xZ|sVzmM{ZWSKK*GwOA7 zPA3-CQXgsB`cSQ4ZMi4VZmP#9@XnlbW7U0@*bb}i!`u_G%=t#~Qp!zC31*eUPf;M6j1?Oe#&CC^njy^NIhh?q}B#v4!YvBsBltYg?_@bbm})h%Mod>I#K| zr7BZY1~7B#Z_P$_Lf(#6q&g|s$zB|4$VliBztDynVp>Uw9C2mFX`Vq;poAD5KqW<2 zo-qJBO)t2>VPG2Fp2Ht+nXxg4x8o;`n}u7bW_(mDNWbLxwRB$GypH|Lne=|J(*3$_XD(lU_ zP_bJ0wZ51qz|{qU!Ya@@&EFzbetS6{w4&A8XydcNY!O;TMjPHYOqJ2Wnhs`#v1K5#Je zaP?S7QU|N{6ddXZFkK2)3B5|sK}m;dRQp(2)h6xTus{d7b{QtqcctuLb<%T97g2lk 
z42FWYuHuL)Opwx#H@6wu7_vorM>da~>4>?rb-Q@}iTajBrv;ngJUm8tJj$orLs{jH zz6EQquk98qFVh$x96#i5;niD|qK zA#T>$X=Ti^VdI2$(z?!@l6i^G-Yb4F5bhdmR4x-u=LXh+LKfDDpyhWm_IHE(!9sDJwpV#1|}1r z?Y9y*tjsO68_r0epLYZ-4BiP$_5utU$>!rVbqqN>k8@Z@mA5h)JUV$PFO=rF-hB4Y z4ZX=)MDqgrre&aO_>0B(Ft&&0>66L5+l6O-gA_mkhr}1gP{yR>_Dx>eMUpw-zL^oH zY_@m)>ev>)wTe-j2q=OJ$wz=!TXb-VE~EK(%d||!Yecl}BsfS#ESW4g=E)u7WC-xB{R+|b+aD}0;*CyFbwZ9YSrB^l~Q8czzn z5?JEog}g{!vLbumar3}OorT@xGZA7gUbQ%lDg**jZWX1eiEJAX{eIB=WlYV?cTX;4 z-;Pb`I%esvK}7vZBtcIiw}z07U8j;1uMS^Gy!9o&*~!;rp*pH>$}=|Oyrfd2-c8;B z)0Ry~a0i4vnFYGwK&(6m-C66t7dvsc`tDD*Jq1HpN~ja%Z8=SqqK+%GYLDfb_RFuX zGX3nt(DT0kbJT(b<#>ECa41~&?l9T~61(>d+R)H2{P36CH)N{q1M%-YFPL}wpaRJ# zQA!o=^VbW0d{a+(E-4@X7Tm7MStc^?dVK5X;b76YAqgQ}d5)Xj(j5o6Q<2f#bzx1S z1o`)k@X4-ooniS@19ORFxI37WLf()O=q0n)K00e%Zq=J*OHW-C4dJ>5qOiBk360VK z(4OM0pXi1{1-!~XYbbLFBeT_YttejnP7L-2Tu zbB__44D!s$Ayl=#ag>1EVk`3?Hih1OQw0e676+-xAbJzR7Z^?jTkOPDNG9Ns-dQwBhq zd;lmP{D|^F6rf!O_BA0d(c}w&LeB+236zz__iI6}6Ar8={GlR+Q0C65f#@>dYR{k9 zVi&g@TvIwqnAP$@CSq$_=NZCPWPm91F&B@Z3D3X*DbF*EX-zrW$xSO#&P!Fo(;^X_ zASGAf`>{bD+ulunmxf0Q=P+|iC;;4gVazxh{Tp1h7Mzqt<%cMLH0IaQi1hUttbVRpd9xsUq5146t}rh)5xfvtS-(U)c!bXdUT!I(^E&Tt)`e$~l; zc&S{1!A7ULtU@X`JF16k_6u@ba-`EG$CLw8d^-pZMI)s8^V`qLftnV)m-p*6;*CVn zlnP^`!)lf9PFz_$@htA3lpIP=fN3y>rgY2j;OHk$ZmtN+PX`uxA&(4A)QM!>BJ1Mg zd&NOw=CIGOv0S3LHzFP`tgTK`C5K+@!>Pt-a1VSjV?Ki%rnQJ|EQl?n-*{3a1NN=y zhs^@UtdW3G>%hw~NQK1uPqnGHTGo*r4T)7SQZUGwXKlx)+y>vdS&|^TZxXU*<^)H%pD>kW7j_o z2l=RW4BF4x-#908-ndTftdP)=D%45XltguAEBb^%ImMxCs(_RqmEC@;E~HWM`HboD zgq}b;E=nw>d~M#Z!^arEN%)2Hi*0DGz8H*>B?Wk$Z1rpGNis$9v(=>`b=1s3VFo}Q zKL?PjN(NNV=<$yLFmeUZ+=@U~pu51yxt!W&B#Rca&tfOr5+7whZ))&(&{tDe9~L8h z7u%>Ea2byp1qz-6@NNtR&giUz?>tW5DWvg?Gp@%kWYUAjz&rh~nP_B9!P%6CVoADT z7?`R7`vw<)du6FlF!;)|G3{-$2ynHEJvP1!chM(t4_^9kr!%xS=r>3LAn1)7F&>~p z(DTu7(mu(ZQNN7tUkwMd?254MH0%E|Z@|3wJl}qLI0bc4;Zc~H;)>to09lLji+a=f zx~|aj8a>mC;WSoJbQw8}gK-X=_dbuhtPs}`+-3OmYK|a^gzP#wKdX9Z+nFRdtlTYh z$e|Y@tEQuI7O~7qo}je*Q<-4>x`*gFj6>fZCwkjdr(RaSaElzH`~l?XsQ9G5KC641 
zRWVAM^)M*Z5a4l0yA#y&J=MH~`O9#90nq%phxob-Hm7J}muvhz-M3lB&0#=>$fEE= z9exbndKtw-ap~aib1z=eL_{eelqX6r*zzCftOrObTuc2@;L4+;NMgT1FG71XD>{fv zS5Q*$9=l?Aqg?8Z`KqrBvf~Ep2Uf{AdNc3{($@}AM9l6K$!JH_hZ#8(aa4$QQ3G!=A5@>!(63?Lf71d`{7CbJ?#x~o4|2ifkD-(abOX3L@Z39+H9ID zI-_=YvQ;4}VHMdYiF_5={#5?>mm`+~5=V~x1bYv}=GKlA*hv}=b=Ab^4i1gh3}oQ6 zN48;3VzGg5t;aNv=^=fTYh_9FlZWr#=N|)sM5DXV6xnftA&95s`)`?IypP_1TaZ1BKJ)kH38S zsPj$oyx{|k3{zhi1}{O8HYTWkS}_mH_jVQ@Eq6(1w3qGp(a23ZSJh!1OK9{s0MM!$ zzYaU_{9B-KVEY_(j3$_(tZj{m^?7T&|v^dy)#V`xtNrM|tFlB{BP(i{-|(RFlusVzRZ1M#_h}DxDmPW|D+M^f;a`**qOQxYRb3Gcjf)C1mHQR@BtG$& zL5Ys>J_yldAPUn3snLeX)<=gSB6oV@_r6i9OsPc{6`UT-SnzxmL#H;=Y2!Mmy(<;&!l;jg@G~&z@%gv~CRw zhOrJgFqZ|v*w@Tp*_{Vom01XzrF((W=K{7_wI(VSQztKP+NF=LH3ZEe76=BWUoF&@ z_U>fQ@qQC2$Owp2g9^#mPW!`KRlq)Mc+-5MD~rs{9(XlD^X#|Zpp4f{`)iPVH1S&U zzBZf_J`PZi8R0dHXnyqF%_;Z!=!kNZB+ZEU-Tq0myNrL|BjngNpXUwUhl#zSxn8>f zdDNJe1C9o-0a8T2L3;L}T{J~L7?2juVWF2bnc)VGKz}(8UZ_*59*gVmVt7azg#GR$v~0OW@)!HL+&U~9$uC2E!(d?b(2iZ!#_R ze%4%^#ID$^ziPS^$>Xb+w3yD+k4uWqKG-A!PW04!Gz}s$as%uM7o35nnU1;E`S7y^ zJ>8XkiBCHHYCZk7(KVCEgkR#LTYhn0Xv&2&J9Gt68|y)&2~Q?p&kVdswSLQ83t77C z81NJ^jio5F($cshz`Mg%0Nco00mOj)DbLcKf#<0KJkM$1&BTXdKz`jk9ac#(#!Ez@ zy(~^LegOMLNXNd7*?SG^k*L?3QLk32%o^mSSxYBo2=^xB6CNKypGMCEK>pT~aWwgi z7yQ7=&5^Y$IZ+tcsZ)U^OOlk?>Bp7fdBIQ6sb;j{9eb&~gj)y4^j=Epk!Kf0fQnu; z3IIGw5^dm^XMlX7AHSZ@E`$qW?)IqpO&3SKw85;2&f1>CAL9M%8#Dk|MSul? zbFESQL+~i03H*S`LIv8uwTQMK$m|EjZtgy1y@yD$Wj&EDPbkZ`kttHz5iZVMjS>^R zj9Xfyw~Qv5%Wu%<5rC*#j`~4=55Ai_B~8v89`A5wACel@*8Fa*{{FsEZOxnF_NO4l zZWT@=>nE<d|%Rh~C^26x$9M zH;DuLf@W3dxT4vafOW60YD)Z&Ep!Q&9xg2z!KHsxS~3#iK|48$_C-X9>kNmw;~?yz z2B+p$WSS~-O-2@LnqSnZ8EX4*A1^<`w#p?L!Gx$q&sRxsRGZYO0!fY7g%H-SBid%( z7jsK8tVF8xQwF@3h%w>@1Ft$UTnjQ(VZcVaq2B-x!I#!lLzUpVbsBCN$WP5wyhCh0Y$=$a*q@lnxKaMkFi~#)Q zcQL@UaguhYrzL_D@%RdB(QlBQp7?V>k5ZO0PSt}3cc5e`LG%=Dao+k6b0d+rU2*d! 
zaeZ5oiIGQ+PMb>02=DU^=08bnwXwW%_-=$|gd#bZadd!m0Z2K8fpQ1N`dyQ*+K})H z-`mp;z5FVs16GSo9pf$VYOdB=Z%f(7$?xq#iBK!`@FQ%2jS4t>TQ;zAWok7tyR z5BFB*;ye%QF|UOihRRa)Vcow$BH#z+mLd{ynyM+Dk2`(T%`~WnFI&a*&B6`fm8)fh zJ17Nup)MHO+ZjL^b|B5w9ehc<(5qxy+3_{wa)(I*zq;6=B9QGy@_G&F$S=k*CaMT@ z4F~S>dQv6sp#6h&8wrH=u~pP1(v9?aI#;h|R7DWq zdt~;s^tPK%X?^%5q18v;E6H(S!1av_&|MUdCL(YB7H_>}^+lJ01 z9=@w#^YDzA`6F-@Irm~3)fB2|2EaoO?)VUgV8XVc?(jhz;{|-a09=cS1-q3&jELCw zup=!LWQVAKLD(0B-PLCiQlriPs0F0BJ+6Ak|oL`Jw7Y zF)h<-@7~@gXxoM)*|n`xYCJm3E-T)UJ-gmy>$D(lus$>p&6wsF>F^MLe zr0T1AqP#wah{XmryP&? z%o;N%K@r0ee>S#Ka4)pL%Eg1O>c^_bl{-Q@%k!UXLbH~|FWr9(tc*UKiXn`nzw#(% zHuO(5iiD?kGp&X%$bTMkd85cJt@))=(l;qS{OIBl^#ORRzPjr4Nps3Jz7#8Dh7a*O z)(MyY@wrNay+Ae`T)&m0I;-f@dbdOOsjmlf6r~l|>7nT*FfPh7YG-D)Zx&um+C0Lc zv3tiGd#;R-XSpep(*Nor-xawBKyS(h;;S|@^)X{e_b~Bu^Slwsd>}?!3ooX!ZCXFP zTj>1_AGgK&Jo`xC($yZIyb_VN_gvH#v%^IG^&CDA5bPuvr$YJsl5@n&1u1rqsf6oU z2s;(jKw<20Y$G>!;UfLPBgy?;s^#)no2a^5oKr$r$89|YLf}Z-o$qWaN-!VC&!hDGd zw*B<$R|y2){${X`a{98v=6W<Mf+lP$eV@z&vjNPuPYw8j?bV#rl42s@&B$(ON&C)OVcX=4V;x1A+#xCx4!G zra2?)Upn+uRp*#Ga`K)4v95Y&(?4zE(3Eb3pk4>(tBYFIUgs&}!@0z48ZZ4F?Oa$P zO&1M00gc){wom$2l{&G1JvEP8L26N9%i`7?T4z^Gf72RWH-cDHn{hH3>RAu4d$*Vk zq93Av058rq$?sMJMa7_f9OR3$LM_EJgy_s z=PGDNPMrB~-mpAWwiP4?FlkEL43LlT8I zjMVOdpC@{EJWk$cw}X#&Kn?^EgJ6+ma1{b0@=e>#f8prkknxxNk9_adri>bapc_Ym z&nze&jAI}?kHH{{6~^WnJiNxLWaSZia4Mm|F7Wg`WXaIFg)ErIRS1kq$o^rd;z}@p zUS6?BSMFWTd-4mp!EZn80b0yQO77tWH zNzA_IHtvKEh!NomB>*d^`MYUzq zjiavj3&isx|I{iqhkeT#irry6$TYXl{X=!syl>x13aDFpWP~$`wGHsD!@sBHDE|m` z@%z~QY|f{%t}cpCWv1%sdBS5Ctb|I)?LA#EMT4pZ)&C7LptwED-i+}Zi3}8t_oucT zHI+>VB|m&BdrLDX&lT{-v?a%&qi<0L@UinC1*aI!xwmQ!*2S*7P^m-b zKzpqO`&{5Oy*9;iPhdSzN6#)d1ikF2{kC?@R2yZ*H`Ce9(yw;tdD7zeTSk8_|2m2f z+U6Nl6$3=!zdCUu<9urhPa7#ey*>~+G`@*Z~g;$tQ6Tpyq$ zD43F!DJ%dsb9+shw>jC(%n3w!^jnX6B}D2;-2X=?VS~dDGslrjzEMpK)oiX>GZmHk z5(%U5HO)aWZogI_TtAo~rZ7zI)?+l##^EuH-tj=Z^`3*fZJt=pIZ6MhD@Mue$V~A( zaL&Suh`enqPMW|)U1oB3nP3_V2b%%8Wet#T*@gaDdbN`2qBRr*WCTo*0B{5sasi1y 
z3lERQ@+p}wr9C7AJwta#`Wl}4wkF|z*4{9--|uAz#WUChfXc>A;Fkz!N*@SzXxw6c zfEAjI=Zbqgz(O(VF*mRs-LM=Rnv*osP8H>R4_dXj2l@VqpQv5rY#FHCR`i?vFZegubDA$H^ig^E~_{*qJxJYng#C=y>nHR-RkIRGg?OUl~?JKsY^-k`z08$@%+*hy4Wcn@nwkLlp*8k-TH>|5V6_7sE! z#pjcD@y@KIfmpD+MFQFR9MQSZJFEz5WvR?ETae@SY0<>w(!IU>bgm`wK{1xW9@M9)fBFG%_A(DTCmbt#^K{18J_D z1#y7UP6o34(p@V&50-yac7ZUUcQ;u_AVj;(Kh_rj zzBGa4VkD)afMZ15E6u8HvqIJI+O}<0_ z3cu_3f3f%G;ZVPQ|L{nXJ^OAdqC(1AStiMzq|I(BA%r3s3}eZ@MNtu>D9SQq7sf6W zLUx83WoO1RhFN;f?{yu=bKlqZcirFTey-o|K92i&?*8aFnz791bNZa`^S!*5C?87P z45oRmgs2o*e#-6eP=&$Cub4|e^;2}~ZT$D%vgDEXJk+oldJY-_XWP1~sx;QyY}3|v zl`Ai)d`D)o@8ICo2Q*e#L~s_W$z#*Zkin0OoH{;wXuz}Fw%{lZ`e|eORTlv^HL4se zNWtJUM&?MK1^HH{H8O)IWFxO>>puDT5j|+RsYJ{nKczo|d7?(QjVNl=Ym4Ln*0^%3 z*9ogz^0@&xn&^2&GRY$u}wq5s5vc1dOD9Dga9$*;`7vw zMF4>rrtuNTR(_=II4xg|Ht|n-KSvNAYMP3cJ zkW@z2BwmUk;_Ul>K`OaF<+!OJyn8NhxR#vAL}2(?F4&!0S8#!F6840sg854T`PD%% ztWNW_#qTPvAEWl`#Z`|aT~4Ud$!J6NlK2_yK~xXqS<+lIlC{X~tbP4z==(|60huwi zTAd|-QDxmr@sNX?2g6QdqOeYwG0isgM_k*aCO#^HAe`Ku;PSz>hboO7_<7vvaS5xt z)Aet}M_^zSA5OhW0D)?6A06v}!*gQ^`V=36>zf3xA2pxC4eETvSgcmf@b#(fO(8M{ zC$2G7Gleh_m1x=>WH4aOZb$-;Z-y7+aDx*`X$49ED5i3y2!=8Za0`~MmSX#FIEU@6 ziXI>7k<`7w6u=L9-B(n5M>!a5{=`SKlqkGQ`wOIt;5!*cPt=X7>KM{zE}>^h_h(6s z_jw)wQ#X1M(u0`Ofs>-?;=Mv^QDpP5bZwn+;|kmBAFr8eo<8VZ^8S#XvG~c}FFq+u zvcM?;HC-Jbl)FxoC26@zFMKPma+C>wLCAuCG#2UI&NZ5#KE^Z#Fk*Bd!Go}m+biKz zjRkaB-ipfyo4brd-xOym5~v!`UmNq7xeYl zpKwNqNV1?{*Zz>9W}*ur#Ezld;1rqfYmv909>ZFPI4et)tQ`m@sh$U!t0xlkwa;Nd zXF4o?LZ28&Hm2}X&sd=kyL?Q#*6{egdFlaI!KjMX9jFOt)&e^20G6wPw~2s-Anizk zX`#7prXKmDruj8iHi*txqv0?OcBliNhVRF&(fcnB7Vi8RC7L-5xq! 
zKS$$qrC)W*zdm?}?;6xMo97nzW^DvRQk+1pAdX)_Z9>K7{e&2{635cUx6#`J2aoGi zZ1*nb5SwA6dQE`q-AeaXD&x|$99&t>m3Hp7z2=&%yE&-}JTqB>zhL<~ntnl&9QIRU zR2$4HlM2SWA5J#(SSf^JN5}lhm`N1n=-NsWQKc1KW`LPSg-@O8ulNdY-R{%#T4>$k_ZoD`q}UqP}{wz?s|NB&{m=Sv4VzVk0=Ny&yF7^ zM$7yG7cR!vy}*S}Uv2A4a_#0FSCKI7Xtk(wP+R0xdJW1Im!QL4L*!{q5>YRDJ*DMs z=60{>(8RY_?{NZ02|&~WgzTo{uvuVB{|n*(5|-UP!*hZ`qhM1LDB;uCNLa;*2s{qD zBs3?@+BU*3dkcU@j7}(n@12eocJ7AKzG7l`EJ8$0)cqeFos<4 z_Xc2N8lo2G;iq3)HjpAdu8!jScHJK9L)kKOfzqRmII*U$$10<*StvZk#E(nuVYvKcnd{>Gumx&bng1H zKZa;95YU><#~jw$V0;zhFzyAVnS}G-JlEiN4E#?hT3y1KK4w@T;~R=y>r&oI02?Xyn0kMK z&%H4>?Yaf@OuDS4)XSz>%Z&nJ9LPg~Ws50st&NAx^v7bBWJB!wp%kHOS7UA=eLmjp zHUQaHDQ2OUfL-}SJ%u!-KdtlkdQDj~NwOuuLbr}oef#mGX#P`O$^FWn4AfB6&BrdH zlAu=@jU}2+2AcPwJg`yyZWl{Cg6IXe#H)0*dosO~nO4^xORd1c2!?nWJswWZ1Ci}6 zTb<-|!6$Jz2RLA|a^9*9z2u};DW%?j<8sBW@N;YY4?XTy%Z;s>-UCZIe58FZ@fhw& z?Zkqd$)+GDAKsRh2lwzslR@8~i7~=e|B!Eyr`Iz?T!UHYg%=$-Nm(yNdEuHB8e&eTnW{_zGCar)WiEa=SJRj;fnm%$1D9((bC9tk^R#RYz z;l3nZpm>;wvneWicB4@CRQa8>_&o+gT4HoXSP8IDjcTciD{{w`UlblY=ds`_gv~Wp zh&@}NR_7tjV;`M|QzM~QzTd2tX_X?THRF>uE9DCYr@N>fa zA9uXEPxSG8z7JF(q#10XG1yy}_($K6{q(ZyJFId)2OOD`kYWr(!4~MzqrezShr(1q z$(VWGw!>(e@ew^Mm`l_;%;~Xm`>YCN+}iTs9;023R$Qq$jsF;CjppS= z8se}&{3vZvQmEHq;LdtX_kIiH`xA8~2uK)(aU4Q>Pk*8#3w;boej!@EG7V-$S!G^a z1Q+Q1bGgn}E>jwZvDwgQXqm!U98F-L1twg)5=D~+v`H^M`!35L8e>=ekB-h8x!ydz z6ro0IgsasjR^8tOEkw48&seM)0 zFIclq&^VngD4BNMSyEdbP0vT&QyN{H_G)CqI>APMPCFDWdw9KfzY+hH^Fe2*CPyS> z!psH|KmLcmg0)j+t#B3f2pZ)j@DXm5Gghoqn(At;%sd)zRO>qq?d(!qV+2lvW-x zdy^r(vkDr9E}*F!{1wN$#*jqp_I0RoI`phCQMI?;%iZZKT`WAC_`#b;?WYbe$uAl> z8ry5OOYveeE)J=_@Bi7qxNnT~IqD!ayf3^-LP~!79Y7h!(bG^~n9&L?4XWPKE<7ao z$lbeFhAnEp-12NDX>kgyhTRJ$ANJ3Mm-E9H z;L5=I>?svyM;xm1;?8uL*F&suW~`uN+3mTLNgie zummmfqwyECYg}2H+Dm`E{7_M?H+{%5peOz35m*2`61s8pXUb3i6GzVY+h-;foa&_C-E&-i_Xs@$br&{@X#pcVS0oc2B{VM-tfV7E z63ic1-A{EH^AwstkA9fhWBq7j!g8Z}R`~YWJAMC2F~5J#R{Kkq?84veUzm1*o_;;@?*tZ1jI}Sh z{-2YFV(DyGG5)Xdv|;-7n@{_fipqb*r}dWZ!k->2JJonyR0gf7De% zC?d7h?@c1d;-(U>paTE#oef;BV2o3D`NHh9d 
z*n9@!DM;Jae?cOk#7=B^9-ZHd4>jEYCt|+!Qe2f1u$!vpz;2w3qq!yh>2(MUbj4<# zqFl{)Wv667L4(B37}AuzR*wCGTo?x(J*DR~`Ar{&m?^=F&czQpvf5PuaFFxoH?nzp zV3a#RFoqFR6$2x}l_(ZK!6Soeg8HUTl4EfE0OM)81i0W73P5A%T>#=cJRZLw?EnVx zzr4k~0W8>mFVFAg`Tg|#eYgGIT)$(_@6i1FYx?Jn#{aHABfroaiEE(0VknJu zZ!|w__l`=P;4g-;?<6+7qB#A6$ZnBPj3&^t$-c}wllf1u%+P=DG5qJd1griAJ8MF@ z3g)$K7)EStg9WAldl$3A*B}7!Po?gl@AL-q?C$>MdKE}NSyz|Ul^s7ZowjFm z{O6&Igkt4=ZWaIA&GP>f(wu^ub1h0c8W;fbAhVxGKJz;Ek2l)ilzA22eA|O+a-;!Wwy^h7{Fo zFEkG3vR|7#Oymt7Dcd$MuX29<;=*|rnVU`l_XFCZPZRsFOH*qAwK_bn6csFIZT*Lt z!GU0Q%Ih?H@wPs_S^Z->I{k{*?Uxg$P1Lryf*(C zs&cyTGs`1D3M|)YV&_V3YS){M&f8~)yKy2qobC+}$^eR3+rygWy4J6#l(a>hJh{Gq zHxjZdF+88t7UbMA{U`>APrDMoWZO?Hoz-3~ClPxJ{Kb*Dt+Al5iA{!X5Mt8!_KZsl zF7j;0${PDvzi4nc`cheKI(}TX(H{BAY-aKj0`u>W#(c)yFWnJ(jjuojv zMB|;4<-%1*HtYFq`qPZ2;~wbORwbw0)ZhzVGU&*9*Kn8e@&m;VX+Gqu6gkv#@tdOW z9@S?Fae}cU5s8^z}Re(OLf`AfavqG~*3s-05d!O$sU@t7lYIET| zwk^Q4qdT3%Wk>05KP&fmxk<%cETSUT5uJ|LzsL~93}MIl$xamO8GxLNieX4n0>&>6 zJ`^vo&P$uj%teSkz9R4GEWyT{#d>iQlZd_9yDv#FxUbgXwX#@;8D4k~7hXXfo}vz6!C2?KQXtUni133o%NS)KXTy*^evS8yi64{*R* zlvo+9mRJEAJloa*k#wc1CarzZn{mh7M`^UEgc)+~;AujAu!r@6aFxx(+5IsM!$-Qt zcC2>l`l;%KVJ*wW-WAe&-D#e17*7M|LXR*9Pr5MW^}s=^9q5YD;?(SAR=`*;GmHju zXM}!lwobswiU$}gS7bWYaVe@u`2Q{AkC=7yoMCI zL1$4fkfTcu5mZT}HWA&rmT<#Cko5KmcHl@^UFwX&HQ`uUr!!Z0_F76)FCkzp3?|AF zzIQ*xX2g2I#<#83_MAwGe&F3Z(sD9CUZg{)IPztR8By~({Z%nT1|WI9R_4iO_yryL zIuK(6FB{MG2+1d$?(7f+Y(M~=p3a1C9*5HQeEJ2!FICZBJfu!qk|jw78Sk36H7sG{ zyn39DKA*}hLOy7wxNk5s1eDsncKLmiXe?kPPNw3cX#Abao_qt%Z(Z)bx)9v<=;V(} z1KV`>ADGd&HZ-J81;55?PjfFdt(V2)JkygrjOlgJJ!2apIEVp9s z+()WR8%k~Vdd&ftRxYgK4+9na}v+8(_T^PUoT{dQ8Mu!%m#6vOG^gx!ln)ykBX^7 zI_F~PYJSMOvg6W`oP{3ssxa5eycw_^^ThGjpLhQnhcrZY{9rOMnA3r}88yS!g|Pz?8xOi9+wqt)(`1hc*U2i!JVoEbV`18I)OtlP$oB>$*qnPiC?j5iabhGBD z7SwU(n3lEn>-7_u=gO-OT7pTL*Go{f$9!=iu(Dr}6+z%n?-;YbIm_wDZ3^!|w<8`A5iq8fxFZZ7HHb`vOB%Nfp zlDjD3i^p1`+=5)l?)~E}SYmxSHLgWQIa8xE(Q+(YyzEDE;^bXsqEIZAnJ@=<4uO*@ z`d*>CW~~|}4lmVMsuS-H+1}sBuPikuo#;ON3*z1z3gyx|Ldr~Mx5 
zoJ8ccRt0O72=5vs++vR&9Tl*%t2sV;MQ8B>E))5ba9Xv<5-(KhIvpo1mFe@Lmpj!} z$i6P^S>gVg&f5m8HQC&w!q^fRf3Iu+SHy*@xWm?A2Ryum8{nRU*pGVA^@O5Y1~HXU{KM zp7s5jdn3MI+5fiH4;f^x@A0$XM4a@MV!Q4oG9TM`z?b8u?mP-nv1_&(-mBH@rWK>~v;{ho!YL{_xl-{-zQhP?)2Umk8+ zI8M7!;whHXX%T`IX&KUrLmy=PxxU0TS%vdym7wBk7TS>Y|A7SMzn7!@FaH0Zb9&5+ zB~WL<*S+8XoVyH4pIsJ6u;{mctY80z@BT~1=f6-*F)zbL%o&$70izBRh@}hPfVqDS zyh6mTI2Iw244<_GzMB}aKSwA}))(h#B<%GQg#Tj>Ipntjq>tp}@R%YDBiaN)zxizw z49cM*idw?dYi{w$uqf5ImveF~*He|7&B;aMUpi{Yf;%ihB)Q9!3aZ6j#u=<5$g~Ar z(Jt|?qKk5BV{Yp*7MZp%>is$=k@|f!Rupl-bjT&VrS_@HgmtlcC7uKF;E71S40A8x zdN3~_G5YR8L9f`ps&%yt4TZD2ysT;8f;S)^9ptw7K1enP`IY$xSjIH= zdp4c6kcm=X4Qj2nBXhgYg9-n!4qB8J7kK3S(7R%mKMGY$y_D_F{XBE{=KSLQt}gHW z+R>^^WXuYVm`{UIh96*D`v6Hf|UYs!bVgNk-)$ zFzv}N-gWR5wZF+I7TKn^mGHWhd2C^Ph`~uS@G!#~5LFr}SxsP%ui<2Ls zDE82jwOEE|CzVR)(>~udrP3_~fm@^V(#H*{sgw+K}p}C7MN~t}Bo+O>OZxaj&aI4_&W3p%>KiLY(vFUetN|vP7o%xFY z-u9I#B|1q=mlx9oXGWwfHBG7X(Jb#60o@Em%vDyXDxW-o)CLKfc})`or()ANCt^)F zeb2BBiud7;Rs!0?g0c1jiNy%c{eo1@C7@=GQRsfTda_F>Zfo0xMW(KuLal}U+jRW< zUyw&wxFSt3Tds8+J;rxTdi_M5oMd{jp}MsIma>sYhHZYP%Fg`pq8O1(1j4IRvOo2Tmq-=))weW(bH;k#mUw zZNioTRz~&^Sm|vw44q#x`1EDgVJL_S_mX1ZqBOw=({O(4g}#vqGtOo5x74Q(xh3x# zFC>2rgwgoT877!$5I;Boq9+Y|T7DD7U;`ldBbKcwGJu+ob)SPu(ZFS=^b(Y)9220u zaD7*$@E4@(G{~TKx4|wn5yPHo&<0z|h4h>rv5ML}P8S_Q{gALh(F5B6oSy3(^hj_U zPRzX7D|U!1mfNPP#G6`L#~FMfIq~pQq9;!&<|h4h0|!s!AN;?Fx~p$ms?L)xVch-L zbk_~`q&mgi4(j2>jo$agVZIAqLu=O> z>CMbPSkFkmAr03f0MTlIVIub!w#=i!NK%`}mdwSdDn;Y=)>#mFuGbhTsZWYnL{IcN za6Y%d-N^)Qv+h6{udL;iGiBJ#_>4@hObTk+chhotZaOIxUDg||rs#f&QtDV>_Uk4Gvm)F=9&7mhHh=0FyYVj^H+PX0yO{uB#ZL6Z zf?@b1a zVSPyxlyh}5Y~6}cv11%KGl?=QGt;ve@GSDkMJXQ15>60p>|wg8{9pl|izZ%z^Nzb+ zr4VM+^T&&PGoTf@4%zRkstJ>#ED#HN%I%~XrDZxvp0F~{J88=7ntrv)eqLQ(sWj^{ z58bC2-8#?-gh-mzvkpDUC_*(}O)A%zdQ$X$eYSIH!?xB0w+h@|pC|@%(fEka<*m0D z-`!ApzbLDt@l1i)k^0eO9ZK0>$U~7s#}yU>u(=RYY&au06JM`xd_`7EHTiw46Ldw( z9R21pYamtQq7Hv>8=#NB`UR=|G?c!sX&j(#QWP(;HLj^?`59GO8OIupa)s}+bvRyk ze_~?l3FSF!IvAmdW~&~Rv(OGxm((ThcDZB6M5PeTun9rNdg)oxr8 
zL4ATVF?t!=WfUjU^X4p#K~u%7OeD*I()FrpgRmRhV=4SeZjfDR2D>O;e8rL+nqiP- zs6KY$r4vh?%PJ--EAWZ7Rc9wzDwRl2T^Y&@^vbvD>a!c`da8F^Le<+qPyX1lE+m!? zc4t^9QiQ}^fw$Knm_JrL^1VF4)I4lzYek^zc8b#0m0R8>#^Oi!`oRN$tBpnzR1#@T zN<+_hh+nKV%FAS#Bs6z(6;Z=?iA48&FZ+_Q|@WSd5wUcedaET%v%YnqquX>T6B5dGQpoj#cPCe zZQ||_f5vfV@8&j!O7CF2ezb@%HZ#Pt8ZA3fm2+({UfSu3j})e9Gg)&^ijDl~ZM#-= zj(Jj-K?{WmXd2Nj29Soop{CyewIeOB=}N%Fobk93q&&7$yymIX(MMZQ*4!5yrQ$NKTlN6_iOUbW)mH}Y1gvIL#qH?aC=Cws)a)w$$SPC z+rW!x-e{UqtUNg}UV6%eX}$Q6+>aEMNh4a)zPiPbe-QfrCk@^I@~`g#m3msnFo^3^ z78oNGehLV3aAIet8k9im9e^q~*&#F)K&$$5^PTyxK+*qFn{z;imv(tbhX;Wl=&%v2 z)6htBJuKrh*L_&Gd`@BzCdiOk#0k-S@(~+$VdCyz4ZAm_!*#6I`wq7I&&&7R&E8X4 zr%^P4aA~!HN3ZbSL7UW9HN-$y%f^j99@S~ZsKx0+f>=mPwL2;?p;-H|QW%V9h5UGe!LC6%e$g`B zTH;5RF`M)4z?4hw%U)x)QGfg#nmX}KX&m3HBQyg}Ge2wRAd>SQQm zxB>}3#}WWUF`~zC&0dlV!7$=_4$jqFTE=^>+c!-;=6mT#L9zo1+!;SB-ipMoJa9%vyjHqf`{p1W9#LXNdH2Vaq3asvMH-j|5+`^LLzq48huX zqR-|5O9;0q*wE|Pscoy2Ge=@2cHA6e4vYKrUf5SHc9eOcmzgmLnkGukil)=68F`~$ z-!9&sH`dCi`$4@DanCUkf^TpH%6ak=IxNUXB)LZO12{xd%Z;?*r#KsWa{rv>c~7q7 z#2vwz&C9ID1Rj2SN^hH3UMz-SRP1Z}yf#&u8rv`NL}jeLc8UCw6g1qlKbS>3;>EWa zeck&S{o><9<=h>A zlO;6PGO`;!A;skbu5rF93O1dC=2Ix29iUmyOv=NZE_3#KMr25K;+|A(*=g2 zTcy&i84o2>BEIq*;=q?h*eEW9r$K&WJr+`v51(AD8Wu~XMcQV(7qhn8a`8z)@xxt^ zGW1#nH-Da7qhZFnC_*VD4O6w32oc#r1WymAKr#liAk-jtKiS7l6w-IkLbnKG5PF^qV zQD)kWUEe**Jk+3yyiHQ-;1R_pXkALyJ5v=qcKTp%s=x#8xGc~vpgy&mYe|w?0s{6P zZxL%P)Zoe7FHQ+?O$p^^ckVrMy3O?fJV>=jKgtdsn>5BiV-RolD{^PJl8tUw_NFmC zdgO_UPHQ6XsXGCPo6AYz&`N9@^l^ZygHUxMt~KCD?Q+-NKfZwtROMq9%MeCfM z7pgUnSLHh8x%|?G%V0uz;t=DYrbqBne}mnB1LLDVroaEtl|XjDFCmpdVH7~Yf;1dd z7kx*Wi9P?f8OXnJQF#7}@bRyl5`R91{(trQ&lAS~H*??N|JbPRKUn8tzzumDWlk|r z^auP!3(GFmKYC05BmPRSG(iHA-SIJA- zqSxNjxPt8v?rluG5VP}F22&RJ`FMt;LN0Hep+D(Gw-~>?DiO}C|7O0lhd|&oG zB*OmDex!MQ8s$$8>zL?cEkgknecbLIp#8w60odh+v_lL^Eq<@X@8{z89syD8cf9zwi2i#mey_zJNBQqF_21H( z-)r%EEq>>nzjN^4^~nF2+AL5fj@W_ciB@tf8PI~|Yo(mL>@bPf&H6EMJd`r*PBo)o zFVHivE=%ZeA-`mM#CUtQ`n!^oULVIFWRA?io&R*S^4k^t 
zFR3-Z{?o4L|KFn7{FxZ@ufF~(2Er0ja@tD(j5w}(h&SJWd)66!c?VNIT@p74+;Db> z^Z$Tk(;obSyuJr8cut^)B2~OZ1{PH*Xdlq(-9f!5GLJ`<3%6m}X%|VXQJacB%R@qz z4tBgjX`|#5-%n4FgtW3|`&eK6ufGVRO2V|P2_v-{qRdDUp(WMTNnaBJR z;OC3K>qt<>%sHwO_>Eu9M{|fzVA3F`d#5Ic6H`YJj${<23ctkiT{U5kh3nzfMBA6r zl~bC6*49?xBLt~UCc<@@lV5$5ZO3y=6$*KInVg*+Lm(0<<`DL!I!EGmdobjaDNK0b zs%yWAif9l&W6l71>Y2SsPm$eKEJRQ{tBS z#m#JPIZGlLJF}gr7$c?NgW$M`-&sqk`nk!T`Diy)alDLFf>hit?G!J{)AC z>27Fjb2vm=ScbVK%8laE2Am(grmc#AesQu+hUB<%bARfgE{GLZVZfcsto-^O^HSo& zbyxG>J)P-h+Y+yu)%T1T;klY9z&$(7PBw;taeKnIu{aFHu`N7rYs3#X&e{~G>eAKyj-eQo><2aJYAo!`RMzjg>g#STc5LNfbhnIWl)ER}6NvVu2WvJ` z$0!~I%-*r4Abh>poLSfpT6OLVu0qOWRhWNc4;SSAriDI4z_NhiKJC}$B|M_{;jWZq zO;-PmUYk~u!2U&4%*CFUQuwMZ=x7eXIfL1*d#2_{g0N3e7JkZ^P;%kPC+JNs2*OOz zd9`QFye6fK!KPSz$m65FvdFA~#qq;&g##Afkec_0K0-Pb zTMX|N=e>rX=_}F6=DmhAC)(nlhZl{l!HGX6)EBnjMJu+tX?M0B*ig~eKa#QBhpI8O_*h#UorHkmU^rZj|m@HX@ek&1m}V2j~R()W;dqJ z@=dP`v*eo@ldnv2*&EUd+354Sn6ue?Vpr98BB##umvf*5+{Cn7&)SdbvUHB!(39H_ z*;{E_B{+2#Fc`erJ-p2AO$J)}^#$T;SibZ%Ni#EA6Gc#sA=x|}Z)#x&5QeQ&g5P_> z@m%WoF4}>;e6rRXjmP4nSWB zvqoCjLt|*tcsR?VM-C;=Jmb# zw^wTa;ZN}WNDWeNl2*%%q!i(bk(Eq}VTGfC^yw2nu1WaB_p$Qo2U3H(aS}J6nhf4A z=v9vHD=ohu(vDl0gCuB#mhlY7#ydoYSf!?lAyRoFE-dW6W>#2;%27-}64{Z0Q>+@ZY`MgG$GzaXH*8Wld}qVq z7Cwm?(bD7-hZ1xZ4sblxtV&82M_+j2B+l5=9&*Oy7^zLBU*U3&W)1s?9EH|R2)D7? z>RH$yH*fpVmg>db$$9D16MHkRx_BPg;_Q6_V=oH?VJ|q2Xqo9q)MA!-K*1VT4?J#- zo(;nACyyA5-jN$WQ+$4C2v7bguX#<`OyzL`>ka4AkRUUNu71G2A|eJDEPWW656BAl z6J+FyjE#SYk$HBADfY2q3sZsvE`zJm_Nz}$JUVu|o9~=O zmay6rvd`F5uuBWb}4b4;MI&D3KYfIPeNr$g$#l3j7 zs}O4~LKo>{mDJZcI_1hI5;^yXJ=;%antd5*MqF!e;EwG_@w=*w9NB3red@Y#iD~D2 zN?;$Wuzr9Cwh0~k+{WFFL~*nbijBM~lkAT=D5_Y|Re7q{8lR^H&3;_ zp|lzqv-e^!`?nJx!V^ccx%pzZx9QItPUq_Q(WGB)>DN^#z<4yF$rvdTPXtYWMw2|C zWt?Z{T4nkRqOdA`)M)Dp;?^pg0Mk=f7eADbWa?u+yNQeAjwIe#tA-QN(IaKLafYq@ZOG~@I>}J^W=Dh?rJMLWbP;? 
zxE2UXs*jCxq!CF^9FH8Xt@4968u!km6DRd9Vf($D2YgNaJx&yj zgutWa{l_ya2Mi^i!%O}aw)8kb*cvRg{S3fd17{@d{s>&0z2RW0+{tg8?73n1;e=6aQ3s^8Ss)T^B1^fpPihez%RJ z3Bz+r@%oiBY*X>Y>Yv%6PqNCHOxvgSk>pw?@7$F-R%Poxz;0f8$C@>5HpDwO@q_yl zj2WfkJ?+AGEgNSFT3o-V!%M=+=JcDx2dwhC4{%Iu4Am%cBY;7n(x9*@;1fM~Z?Bxx9U`=R44eTiJk;4sEG6FZivB%iiQYS8{et=~>;{ei-f;vz`x)h^bRC=0vUNBuE>m}l4s?Yq0TJwUbsXxne8SgPbZ2z70*n%^@<&`iH`UM*;nU8y1i;e)0VhDI)0!^xQg?J$Vhy|w2-rO z3DnNAf>J<+kys=;QJ97GsA7DeOAWB6to$3V8!_X=X1WU{g0l)J%vzlud=uQPXBMu_|7Tz|%zwo~+9mu$(TMS_QB2-5id!qNxbTM{W5mgAKMd|WjXBAn{n_uYR;dXX`dw)buZYZnJ!_j`l~FZPd( z2`5;V$XflURm^R;^3n6~u0(Tnp%;6wbq3=tQkJY! z4b>FD*^vE?$7}=a?WQ#*5((~K8XJXOmIo(HPJamO9PsprgCEe5SUP(oFWlFBnNqys zVElZUXjaqmgxe|MGhslGIGn(cr=6ob6?}_{_f^S%oAJpuzbaC)NR}D(A%U&u+prqo zW~~5vyfjZ_Fa2~U_|;rU>zr;*vHJLJk@cLK2(-3(K^O|qxb_dOt-zeH;pw;M(@Hw= z*aIPVYEt!XpL?C_*!Qtjd-N9g2LJ8!H!rZ$(DWV69wn)`-BTkz5q(B z`~+-Ug6WJyc(z;Zqa>FC-Czef4gFHyYX)X-QFUyzf}b$Ty?S>>1Q(RCiy~%o6Y#ww zIx37FGE~U9(lp53nEC4|r71eG>ZN981aT?lzRtTk92rE#l-KW3BSKzuD9dG1)CwGf zz&6`Ff9ynDMZ0+AH{W)NnC-d~`I$9-_BsGEmoZEt--7;yHFgszz%-BL$GS?wW~yQ; zFq|~yKE>OEI+L1iwGnv!Is4~2x2_v-j+|l2EFC#<3Vw=aOj#qqW7E}&WAM?-$O2Pz zh2fDpGl>kcK-12s$xOXU)>a&;fMJ3I)R|=!fThZ@scQyjT*2;*%m)RFkJ8QFac-A& zcu66|f7~oUxAw8tSOxc^1vb%~3&Fg^$*&DB-QP8)eXA2%l39;f{i^gr88ymb|2(`w zIk=y^TU5VjySTgZI{9K{ziW|#_iL??PN5&4=dZ>Wl`8n(rChE#?dm7O2iBkw8_incz2L^ob$ z^{3uNI9{@t!AaQI#JLwtldJ9&cS2`*gti##kjCxh08S(n{svwtIar0|q8$o6v(Gl} z#Sia&`{t@{BX-kiE7^M*s_9P~L>3%Qk|eidX?pAvuDg43WRyAEw|P?DhR&q!d75PB z61yXXHGnzRNN3F8VpkMLI8t8;b;z*Bgpnv>kac(*v;vm6#lz|Uc43b>roA_JA zR0oz%D+~MH&Q4yB=#ccW4(6j5)}h{w+bsm28pU&nzqk|U^Fhx?XiNI|e73sE=bOe` zg6ls9Rct4^SsD*pO(r)jieBPIiG_vel+&LEOS(=SCpqC_D_V{3A+_QTw;f)+k-2`k zMC;Z$#Vvu}SR7z1wMtsHX;eBK7|by2SNMrIXzOGl(_r1c{fMPTI%L1dibE+?!j!Xt zjg&vgR-V^ZwjMS<4a~>$o=5d zd64JM3iH#PzA<`}e-!pm82Hy;ZRrJ`ig}dI{J5K}sa{?ZFV+sS%54cSkC3%hnUg(c%-Z_BUVJbZD7efEjb_)70wT!%#8g`94)3z+u?_X>t$l>R|trQfU-K@E+0;A+R<;^P5_0!VWWWwj3o@8a${*e(9CQTeSNcorY&il&-$8BK 
zTK3n@(O%Xk(eHyWuBWzPx%?Fz4>>KrAZy)#Q!*B!gQmYm-Bt9OS&LoMlAg}saF^77 z6J}d~!>Hf*4o>8#pwZZ);(c(x>^(I~qf6u{N;qCAT0M)8ltB5esAh54pcnAc1oGcD zaf!XtW%uR|bQJsnt;nOL)tfWw?_oDhhL2It0$Q9av5FpK3_kKsHqVEKGqk%I(^F+W z)9A=rwX9S>-?;I5y)FaABaM^KlEh5|8w_t&7t2p8t%#F^Z74B$6vuY4knaj=&IoT} zn|RB?8%|EAK1lGL)crhHaUTaV4_fLdYN=}+i2MltgzfnSnJq@Z8QAB*?ZgeTf^tJ~ zStES#KeLB;_un3T6HCco_-O(|7=CYpC3wSm8Z-c_ATlE8HN|MGiM-R+GSMxZas1@v z>T@04?X13POVCOrYt)~P1r4i0-(jTfhh3@Kl)GHg>v6Cd-$^Dcl-}{8~{pCexhvmAh zrBm=X>pwDXA0m8X3H*vl^j(Wae;kgkGs7FktT|USB*dSJ9=PZ2aakY`uu=N^A0}8j z3?A-(XllH+<}&%icD%j6i+Zih<1@X-!X_CLNlZBS1DY2yeuW@6-Q z+v7b>%qBHt#Vzw9i=#j@96W>mtan99P`2@?$2{7Zxx9-3`h!{bhEz@^@!i}*`pk5+6~e8z2SPX~1_|>TlP6dV zifz%%{Ulz;oO+ya`wEY_yz>_xvkG^-Mn^B-|Ha&!Mzi^b{i2kj#;O`>ilU`8)jSJr zO+~3z6(wyArKzH3LX?_kiWU_uiW*Y$P%|;lW5t-5)sPq>B=X)UJ5f6~#0R3#jfFXCQ>D8Zd%=r;ugaXAh6R@5D)@Nq833O%Zw0}fb< zxCXZ>V`QBsK9LWQ-$>x0U76K&gvR+Z-3nNz%PUyXinbr^hlY`2`;lCJ%Rg`$n9j{e zlH5qSi_#e6`PMDCyp2&xipKrEnu?Lzx_)r7k{z&B?nVHEf*>$J_RJ?U5JWyDEb_CB~ds#m+Cw zQRMDK^{yH?1yqwaq%<~)RZdX+hsu{F(fTAY1h4@Bw2F`0?W9`qHgnbK5613FVcEqk z!#}S&q>dElvJJXQ@oGAaE0YGiuONy%fF$*6!NPt*#nz{2XU+MQ{|@Yr{s%ISLZ z4`w{8_;*+8%@;o-`v*)*lRKCZc` zXh0~wza*r;k|tY_#qUQ2$(gL%__aH_U`s8i)-)Z-U)9fD`>eOf6gW(4dg8rDqQI5u zb=XAqCbu9D=FN3c_8%e*7SF{;UTTAcgNG?7xQZ`$?FsRZVaTqc<2~Em%Ej1*$cS{UM(To zQ(9Ljdd+nN;M`65@)9Vy0T|&(IhTzN59wkPBwJ2aZ)!Y(pBH+?NtMy3UR9C5LlwNm zq54W~y=9vC0c!(b&6t+N<$an?hM8mM!8-0rAtzcYK_~isS^JOlw{zJO(s0PmzT7(e zNkm~oTa2b1Dm#bjf|n?w(E42RJeMNBjkvUTP@&a^O=kUiMjB*Ebd{1j>Wgmdfxd zNSv#roOIF~Jo9^Fq*H+b2zMRwl^&@;eP&6LgxTXax=buBN69b!1;{>1(H_j*R})?g z37KDtyPX`i;JFW>B|iXusCX=r#Ig-Odvqhnki-t}#bCiCI(?v%35V7FZ^6?u&7)u;a zL(Z>GQjZ5uFC9GF`-cjsbWRn6#4v7kWXbc46})NZUj>A9Q~0}bv1jDz!IV!fjLWNc zzXA?sw8?$QEHKpVR1#>w*Idb&UjW~@bUdhIR}-cl=#V)aQ*NzdMJ~>rf4>OiB#--} z`~5fd9%`%FxS{1&bj$YVGP+L8wRTZA401$v*D5(_HgAJt5WF>rSaxSmsFE3aY4h*x zYQpNy=LU1Wfw#LNZW>9Rqh81oSBeZ}VChOZ*95AC*F5T{9S{FN7dgMIjwxEo=9{;Eewq4ine(hsE>uS&&KvM-DsH(1)5m8-YcWDw zM5evjs^6%&Ap}YnjSbgIABBd!5qg~H?zz|^pGEjeT+%S5Z4sGIxupksRdtQ|4ty=L 
zAV`9wc1Y47{$kr-0PgcQ$k!vPQwRTi|9n;7SA#)@stWz$z*XRmrjcBNiuk6+;mT;K zh|pN~S4oZzpR;f3tT0W6*?@T9E+YaVD>i-q{#GnARm)-pv?i3n-XF!_|ePFbmVJoAmiRagRxJDfLpHj}T?2FrycMdRiFqiQP-lEn2`4 z_6ufJdfwPGWY~nPvO$r$h9?@ulk59dRFLIOy1-g>D}>K9*HI#%hb{jxEC%0gbqLY} zT_tPbEjzQOXy9*ATic4UdGK)Eq znN{yv`UB!Bdn+3B>#x!Q`tn0MoJN-z}JIYO#58X?uJLTWN1=_2v(_s(w2 zu~xaV9N2$*rBMft{RWQrgU7<|c_aOLp5SHQS1m$}ym$mHz6>x2sar09`7~6tB#E9F zx0sz&FnWe-n)^n;PrHl3K^n~|P9Y-rEOA&9- zt?+XwU`$l%wxgj4EqtzD^dR+t+xK)m=9nk02kTMPVZ%DPte*d+*Mg)3#0 zpobj&-}wyCZrZ2IX{$KCU{Db{gjfPplQ*y@fHKPI0|3L%fXQhP1-}tgW?}-&6pkIT zQ+d@i>2T#i`u4!(>vzfDzWia90SxWVUN6HLx9k+pKP$jlpuPY$pKh7{!pQp*M8PljUht%p= zTSUjBMm+}kg+|YFEhl!QQ(AX3uP_0XpJMP+POUY2A4??6IrnpzPpQP_44}Q`NW? zs_aanm~l(0@uaJ_c!b@!-^QbC$GjJvh@ziQ%;>j4aT;RFOX$Q7UL_=E*N0EQyhB6o z*Of{)8rWm~1}g)NP?fWd#6&H5GHWE}Vnl{$#@0>g?XANLgMbavZ z5!o$J3VV&-E!s#yr8_tBP{jCgI#fBVb%x;}%~172b(PZ=ut3 z;v0OTb7=0E<3_kvU)+=FZ(Aw8M%NS#ciN8tGtGMcLlv7Nov^(qlcTA%z|7{}`8`g( zfBA%g`+QjfQ}j9$t)ti!e>HY2Ip)_H`;d~M!YgNfDs?KxAa_8jxSIn)){SE=+-Mx@M+^$+cB+Wd&PjHR13F*n}sN7{IlUJ zt7y>!!(2Asb3}_ITX?X%O_^@?COY(#yFbk15h7h%)9fHHIT>P1oFh2mdQegiAp9_S zyj1qnvn>CK`<=sKgTYqGdFrW}4=Pi0u&wGpQOyerdEC{R2G5RV8}7n|fiIBJDac9m zCP_HYEDGbfY6Oe15=F-DT_F;`wy%iSakYc}`)CByPS>!=D{r)9@SFhbplB)M370n} zZ(Q5Vo7JN#y(OArDfa-i&>-0(dT#jR-yMY7)i=!|JjWg9E8l7QOAr_*WpYs-r!Tkip^84t@b@cv$PWG*VGYinput;)4|(!ay0s7pb?PN0~S4u2jeGL@9J7l zeKi(2_C_UE`37R|&E^seSL6;a}NWv;s*BrW9v@3n6%As9W*45VF1 z7$kc#H|f2KaER95RD#O50=KIvilS0iGq$XrpW6G3ANk|-hWN(>qFX`0Vqp?CJrgFBbxKoh;} zMO`J$^zy1!fZ2BwG7>AkJ`X~?^H@Dyx+y=bw1QOZl$XCUXegFqDmr7dJaWqC1wW&N z0q8HVR6pPkF{U52#J8I)X0x zUD?&Jz;mF?7F-CDHxFPHP^PPEzP;nJBIjvT2wZ+(D_hzieaaZ(T3L%Ybo$IU^2?0&_y-&JfnO%Kmiy{{^)O}g`ye6bpPPa(Qjgmk z5$#Ld&kG9YG9gt8mS-Od;Y72iD`+|PxI~GtL)sM z4rNOTQqA8`4+!0u_Ql{tnDlfLH-2P!5`3vU3$-~{9MoeaG3>l>jozS1d!Jl5ZbQi0Y360OxMlTpH|T5>vu=l z6dQ-AYqkPBIjw2Ib`!~q@(n!2$Mkd|nyo8h9pWu)i!MGM(C8A|1(AVUF<`M?@iuXg zdTrn;w&f=d*<~65uNDh&ZMulRy{pjdGbv$GWnS_rjkdylbrl4I$td=xPmI%g;v{kyGwVDO%uv^mKn2r1G#PxPD 
zFQd}p1hr13Hlb^5)zAIy^fM_C+pL78fr5M5pl1|7LeK3rLiKkh=NewOf6f^_J#7UT zY*}0!hvhbG77LS0dqONcKcr~J0x96g$eN+2w$Ki{o3`r4zdhyVn(G@3(i*g$$KHMi z*$Y(xbp_09I9l8MoeV)2bd@l9$Eh;FmsL?z!9U1X$F!Kp%G1YSCO;c1+sAeZvo_|F zHKv-)nyoyxW+H z^7Fn*eU!0l>+R}`57>hmnmZ4D{k6nL_dH~whjaUkzU^NQ7-tiAzAeCQy5k}!k}!Ou zC0dk2!kCV4u+G==sTlE7NDvE53V0w4*^_up3l;!eEQW0J(zRgjSBhmc!~592Ye_$U z1ikmzgr=MqwnzdF3Y~^HaF`RxDdXF6&3LVSims`Y1uNZh$y6i9c#Bbr|2pH%MFbSahlve{Mbb3f8w#>qLCg+xz`2jFX$0aX zx@wck^I>yQQHL+&l%HN?-R#>dFx5&sop>s>w^s%ltO1Gze52BB_#J@Wkm9G`w!{jM zDTlNUQ7uw4!jm;y-<+4Dsq};ZgGyP)>~ygIFr7LhnS?KlIR^3hAuC4?_akAOjZy9gd|sCz-|SxIEuLR>mtVt1)~iVP~+Dt5UR zqbsLUf9lab(qAb{K=$&AQz0jSCh9RtO}YYCJ7+k(QO7}qo29+vXe?oAYgD042z~nK z2sy|oPV=Wl%kLY^7XP|SEnn`E6t+PrNiMrMVUpnk#A)s~9;t{syf|~z{fde^>58c~ zZS1onGx`O1E$Te}h{8tV?6Tw&Ze3VYYnlHno6QkJH2D>+BMz;;U9s{`S|MJ=YA71eP&KKwZRQB=z^?kPuoH7@mAi0ifn*4!b&|odE!U?ER%pW3jI)#^h570&4=u#H~w$o)BhGS|37)r z|99!h|M})L2QI@ysuQENwCZpzb)tCd0a^efe}Vket@@&~wSdZ>g>wtRO&0h;WWv%F zV{C;D9cwBb*sE6+BHxGgQL$3e*1i6>9rl`@XAQOeCY=k=W=+$w|G`1Gz_WM9r%zTc ze&SB*(Qq2y`IL6A{JuW_WnE8DwQF-TvKzr+gYHV|O10TFn7kb~ci)fZ!w{8U+JB1C zu|&eI674=Lq9@I7_M#O)D zdl`&A2-`N6`Hcs7$BLW;;GFF2S@Zx(W~2rn!ZJOt1dSeLe>FEQLc@Vb{OA zXh{*hi<;NcOEi*qI3)4XQ}k=z*Y-zOXGCzm&xjI*HjsPx$NE{1>(d=bBKIAsIe3Il z-;2SYkJ5)df)v8p$@C-z*qsSUMK^Y$MVwmfr^w#)wc)!F8z=Mb(8ItkPZw@pN}kpS z_Auj=?WfhzRi8pC{uGMla0?jbGFwX=tymG=NGg78ZD?=|%r&>v!>*u7?@3_8wZe2^ zz@=D~Rqkre=kg1;T3?mfqDmiW#`d-Oa94zn1dU(G!{@SnC_*;DAS5xOr|p;n9@O6a z_Ra09jn+oDAEcagc}i1heTZCvFfaYFbMdX(LdVItdAo|}Dwtm=Pl#kLWfKb1zAR~8 z-!F3Km?|@&d1YA{Wdx7RxnU#~fMyz^F;Ba)>lE#9hvOi6^p~hB<@!QUTloYbm#FWu z{MCo;nx6|di5~JEWB(78<;4M(HB0`tNsg%kcl5QzY1aOC`9uH7t};+xn99~lXVU;B z*9tJ#;^j>$i8h#PrMp6*`d;&Ry`mvf+O{_BDE-FqziXZIFZkkKuppW^i(vFF1(n17IRrjNLPW!7Jp>H?_YMDXEEK=g z5gqGZxE6}&nwbPwi?y3Fk#CPH@BvELc{`JvKZb8`OPA73GAr#`>;-MotY!Ko-2L5A zyY$@SbON|cXQopoK+&Q52AfXeOLp_R->oReY}hjtN2#VhCH)^Aj+~m+P{l#BI(_fQ ziFZA;FF%5q2af^_Tp1ivf7F}h0(Q?uQLf|B`|Y-uG_c=~0%r#P*KzbX&1!gx7NIkw 
z)Dm+3dDj)Gb;sq7ZC7e{pOU#QYvJ0F>Q(Ax$-kc>UFhWT44!{x3{=TEKMI3H(7qDM>0Yzd zzZb$VGTs0}D=ml+N3d6;UJSUG2F-plqj$tvE=wb@&0O#(&}BE)3{2MZBwq%!``3pn z9Y6d=LuioTRo2^=wdZSlhKh#}vfN21cr))AeCgIdR6XJ}Oe>H!B%8AxZyhlMH@u5%Qulh& zTwH%5r>o1H9o18ev_S^sC-7N605BEQ3alu9 z2dQBgUoQ8Fd+|MOYZJP`Cnd97-irTiFiKYCpAoz|$>};bD0d%=Nm^cOb8Dg6N`NBH zfg#^&m0uX85f~WeGU8pu9wGFn-X23AN0*ih*C(EDe!g@5Z|S?sjoUCHLh)2vYFABJ zv%H}!LzU{>LhLmZ`0UOJfZD9Ime^R-SWsrNt^Wy4OdHPlh ze7J*Al2eG5E-`PJfCD9ZBbZ)(d}=8vBsG-_&lC$g$IOy=C*lDgOn_{#T{ z$rZDfh~Td#L3JfWWk4`?GYOCk8Y=F-?H07K7pWh4pM1F@VuU(cW&auY7bTe)-5R6V z$7!5CYHg#}1#2@NmtUFCvYzQ_QJ>x;>#t}+pEoDxXC9pSUwW6zt*$?2NyQ23>Z5MwbP93Sb)+ctI#oS+V$#lA0#BJmFs`<`!mbQ(F z%m#a07=V<%Q$XDl?EAn8r!FG zy$4d}ue=LvwHtuZ=rI}?qZ@uJFC^#zL+}AdAo(E!es-&5dyE7|Vcp_$t`lQd7(Qk` z@x81Wj)2r?_~0+>fa^;cdhqN3ETjn&BGP=Ti+HCcN`B$l{I}%f1XHe{-2!20m14kY; zDsbU79%5DtWQntuk3T>n`B_6OBb?O`1nIh$C2!dX>QU?H0D(AGahlyf6lT~pqAF%U z%5p_>unt{z_RdB;*7Yfm0i`EL;j_ylv{CMea&OA-A%+p1!`~V& z&Y@G}z-7RkcLL3oh9vqz5~eA`N(_Z8bwlmWYl+uCh2|w^p1PqxmC7io3zwv;*J`F; z#c>Ib-xX~;(q}XzT+3zSAtEsGGVP0MQ%$PhpVutJXU7PAiF&oUSaJ)@#Yz5^wipnb1IhW4^QtwjKp#F6}RY68T93&F$$Q!w1h*5`+z3!K~IMiULKPj;<8zyK-i=>+~iidqSuu|CF*bmxFWaB z6iof64Im8|K-;0~{eHw@KK(=WXqyc{#CleiI!*aEgTd1^StO>cEIv|$^!4U==Hy0$ z_tY=$@c0UpY|IL$-<-QG2hyVjO}8xL3U`aktmgm?f!DMB{*W?{HxwJ?a(lN7vGeVt zKyU&uUFov41*6m?mE@j(&DwWm_jj|xt_A-FG!d@nKR0$dMut;++145A1hRU&cN@Ar zmacuDqiDSX2z&6aL7pT%81)#LzR-ra)NU^CJR>LhzHO-K?l?0Lw|1PW9Dr-&R^n zOdoAvbeNlfz1X8i@@ztvz^)(~tF6q%?kx;;^2qP&K(}8nfwl3w z*_fkl<0T_GT=6}@NS>ccvk$o9oVi~vjy|G#)&QC@+0@ok{OpCdCouzPDb^Q)qhX3) zgXMw;8+*ds;N#vV7gVp;Eeu3NT`S`eTwsRp6?2}>K|F)Id{fG+uw^P7YeSB1vI2E_ zJ9$S*qx78$Pg`2w)LIh?96ryv`D)w~xRcO%_EeXOlaSE?53ysb#aWZhi0wYEUJV>W zb=8vgEQ0Q3*GXNixSt2Wat>gLo;?1|qVa++>+|=G!ofDn1w?Im!Og56evdnR^!qDb zYW%o?fscji^Q`=0br-+DCj}v>;ib^TAcfkA!9n4OT~wD*Lp^<9m&j_O*R-d+(aTw!}u}InSg+MmM5j-Zvomu-uE}+M$2#CBg9F zJm`eVn(DNU@D|4w(IV`(9>k5hqlx-y)pzH~`^bRguw=XApJXl~8}7Gt(-cMY4c5q| zKhsu)2~1ffRE|WNf^weh-hyP+Tw-n 
zGJ*D~`|HS;3>0_4m1XnOt=GJ2;-jp-*T=VQ>fD?Dc3%840TkER5NAJVVB7o$2^kO3 z@&n9VXm$`$0L6p3mAbk$+U|073SWTFY(ts|*b4`dBcv+b(mOgj-QyI%2b?SzASj_xCF?xpL-4^*G_Z6%}pTX%MG z`$oi6JhfN6k64CDDB5s?0c9vct*0*{N=Z9P2ro0mPb{;=cnz$}Z#U`=&baTb)fUV3 z?1y}e={!%_&BM)nB)i}lH)*+&KAY8*iaV@q147|bD0ck|W{4XrSe55zF2eftrD|Qg zQAS^4gsSFy=usjzu`^y7D;7eQ<@#Nso3~}{;4!~wdY$St*gWo*irGW8oU~Kj;w7Wv zH_Fx@yD}QSti1|Y`-Auk$wkz_DhoT@7`hYs6YzUx1}ssQ*97p|SF8KL_To29Sw2s% z>%C-e%6`7u^3#M~vWyu`qTIBFey*HWtqeq<_Z7`p!jF(`w)W8MT z9MlBIz#wTgrnBmu+%pb+vLJ->B<6Z`4hNux}BYTbzgn_ z^gKad(P$+j+zX(}Kb#^fV~Cl2eD~Ns#i4qau2ifZPG;@`Bc@YHwA*>$zj->GUr46# zJ}91kdg&jk`!}e(AQxI+PvCjSAzZ|tYt>6E=qi@w@Ra4A6GD}HQS)4mp8$TlE&#FP zm~ZU$^jFGJcekp{Wm^NeLcTDGi*7&TEN$^AzBrkk=5Njc>O5Shl9E4ewLAD_S{aIv zcCyb_XV%xKf-LZLn7WR5iS~5xXZq}qlYqLvJmXYgUKqLWCiu3WvKZyc8$1U9E_|YC^6DSNb^EoZ)&~e;6&0}o28U; z#Jxth8U(8;w|^+uY{k`Nde;EI#EXNcPgT+K2q{BS{a;9mQY-$L?c58pE& zm-I%KoWZU8I$be1Qc%A)S8!I;f-Me0-9+QNOh-iEQjD$IK?td)cMj1Q`gKQ1BMC7e z(h0&evst)vE&-toQEvTeyn&5JTIg&rj@@b_^yadSNZ8oK&V4T3H5*VE7Ky*=P$k<& zgGV-ajf5^;0uoQ(O>}|y$}{)Po6P!tbPrOEsNek|&`S|Xy66Yr8OXDNLar$oNPkkZ zIjz%XPi~}@1V4gU!QK*8zmf0at20|_R$^_XzK35==r_yn$jjMNef8cimz59b^CC=$ zX|NW)UlTV+-O4>Vt5Nxho`~O}!&?aLfSExMj~3T9m{H^D8OvnE`t*~-GHIXPE8Ri* zCmG+6xn*D{IGxqPJzwswKq_2sECEcfWrGXHzSWy@MS zD58=+Ld=!cc>+o&vNquN<27wU{v9v+?eERLn186kcBR2iHUhkwPc<)jm%x><$2g_a zp+n}ifE58KfKgyFn%IGCWZq87sVPNO`wCfy$hXYK;l~AuhF>htF@ipk@pxefyM0c6 zcRKay{gaIZ=sG0A`X&Nv3fc_dDvdBQnyZO%pm({g)7!fR`3_>x5LjLc574X2H(D`b zc{pczSINzwL-ua|ipQ`H@+0M{s0Y~v=pc9%r=rZ&I4@Qtc7$j(;tO|{fN^lCka+S!pZ@&KKUA{X z0(IRZ;S(@%e0C;d{|uLWx3uIBj|jid$zciGZN4;d=v|o2+(@fY~gY z*mr}Ny{}2hcx8F2TXCzZh(yFZH;~Wa;kQJ|4Tz3wj90w&ksS0F%`wbRuo4#S+6n*g zxH>saQ>VvX8)QWp05dl6;gw9U$i$Y}t-5sdwpZR0Tv8ui$o3v?xBZbuQiI9j?gq84 zC`VzcGJTxF9>!qo(O*=UHzYR%?uKX%xdeAY{=yt7ds*Z?2`q$byD_~6t9ch-Xf>wq zVfI8>Lfuw+-pI3has`EQg*^Zke~wz+}IIk16>^+^UMn)AFnyMw$CVAAOZR zw3(7p2-1?5nmWSIb%d1|N?d$IOocoR9)q)J3BYdQ*2BI#|I*00-pqKS%p!5;;G1@( z7C=)O-&o_U)$ zb=J*B37Jd50}!UGE_TY38C}+0e%u%DSBkpL(}wM>oPRexC~KYd_@YJU*EgExn6neg 
z${;)?aoCjd(DYvxo?Dz24fz%^bvYKnL+0_0*q#-b=CMVqexWmdmvUuu)obernG(#F z82O0!+pX*Hw#)aM?59T8U%uygORIP3n1KA&`pVXN4Q7dDp{h`-<9)v%=M9m&^@tky ziVgrs*X63EDT8fkw!cixVfE#cj5hL?JN+oX8U2=J&rPDV!dGqzSINWLFW~=p;{5rK zCr(QZZU)tTo|72)4G7zLaw7Hf{2OdURm|eR-IG$G{Ws>s4agGIO=N&K0l9nPmK)ex zzE411+T=}|ZMIN2_1h-<{CU5_o{UH%94cq!x4RzVwd6fPPWrq4ean{L4Y9~S2WZHS z<+%xaXG5es!4jFQq_U+EN&wU1X<^-s0F=y0+4w@hd&krsn7A ziihz33OjPI=(izRwzRk+vA!Lo+7{e-_k^e_06V@@F7ZaQ(F#6oamTrRJcjTQQ+hhp z;H&e|--#Y5f0>;} zd1#~Zzh~r4UK=Ba2w}YkZmO>|<>+L?3*Q4(Ts=FuG1#zuIt|)@W7TN+fuYCe=XaVIBNbbT_FO=TT{qY zIl~)Ay_a^98+2(#sU#-Aj>uEVMtxE$d{cpHADu-pk_HF_&jAo|6uR-|OpE}y&ZP{L zz-LszN4%%#|LGL=Uy``M|NJ+Oj3jje(1a%MTLC0Y|unjzf^1w6-kb_@WJ}h(l z2=-*p@fU1uKCGrGNOALjnZH=>=_)Whi@tt;F$;o_|}AK zXd-LpYnK9-I*(IN-OF<7H+8xX<5)E%Hl*auo5zlsf-FtaavQ6Yog#F%%OizG>BrzT z$`OiLpxA))Tta0{ZEms&?az-T@gbKP1ay{XhGw|xp2l6-77PDOcR}~IfhH^487&Ol|UfHudg! z$okN#)%8TVs_CGvq}K>E2^@Jc?Q=|!c=!b=7wa-5z z;!;W(=#%RcyX$3mh~G)wIpULmwP2A^`~%E}!{apVo^V>iqY%w-svsQ_uU|{gJ$!co zresSa4{6ga)kiAREcUr{EWV>Z-W0jw)@kC~W~Vvjx>1u>P5S-i-P>}`O9=)Ju5At; zX~WZk-$cO%PgW(a;+alJ5MD;uJ5 z7%r2r6Ia@BEOL;`8c47px|Ty**-M+OJfMU&`sR^KCPk9>e@q&oBbFTnC|Vkds2CzzRd?DN)*$py`K@4~Z<%L7*{ z^hH1P_}r*}_lIX6kxAi!-D@Gf#MZ+s3(-CP3bIC*W1im5e^6l9ON-AOB7RumLq-Y8 zOu`_67p#Yhn%?1o{e9|DYEOIE3t&tO;44kkm_)Q#dotOC=vkro#~y`hrCt-)a?TgX zhhW~V%<&LuOmLLK;=cq6Z-PAMIjSEWwRXzbKUBw(lYLx1gKpetD{H|KPxTo)XD>t1b1RwP->8qm1+XjM}KZjYztYzF zhw5{uyU6^Z$prW;%w$Zje*dAx;SsIn#&OUbN!+i*bcPHr zCxfQ@cUoes%IgNcj$>Opebm09DBsyB` z09jUzoHIpv*htkj=RVsOQ1gFukPicAEYu4XAF^I?@YrZ125E^RHX zHg%1IepvfmNSrUWL53f87hq(Wn35i&EQh>>S9L)PF*h`m^{Iku+}gl^X9aHj0C)q0tUBSI^3sD$eiB&z6j^T%2V7s6M{%Iap z#y1yVW%lr+{%e>`j1|?Ii`K$`1`AbZ93~GW%jJC zDrK&N!dErn;I5s92%h*`VW9)mQ{!OgAia@x5cLrxGT>{+JoF06g>HVWb`CirHX%e6 zxZbL^BlWIaT0{xgCvL@k<7%xcfwKgQ;3CF$XI5t}MI#+rey7Io`C07zq^DxjvHOC{ zSaAggez8U*BTeCn$K2zR;pK)G8RK5KJJW3M&k3WkEA3jG&xHLMM{eG|^$P6u)dP|p zR~q-I{psUShIYD^i44Lx{ze-UIKpe|!V#Ou9guMuEF3FfOV%mh=3PyeWP^K34ctd~ zGnd*p|2u3M1$3!S{lJuQSwH++MW|6Ew~ypgQE6?GWYaPY3P$a?jNsmuD^*fcJR0ty 
zeoEhWF0pMQLm0$A%=m%cs@UXuSom1=#9! z@7@5E5^9QNsXm|52UG3Gda2-*-y6UJWGFEfe_2CNXo}ye0kD@+_gK?8x~=L)WLI1R zq8JyKD$=tRh9tVR6k5-xvSoGO-2nTtOAIKVA1HykTdq`9HB3rlDk|fD)Ym7!icz@s z+E>MlzW8SAU5cX#fK^e6l5iCedTqdGV-;Nce0Dh8} zhv~nxZOArKb^ZZrp}>p|L}H5^@k#v4msMut`L4T;?hmKzC-YbzYn}l)z6Y-Io#@4i zBHaR)TKRcfW2{27$SYJ<|a3fJfhO@B1LBqHR-wi;KvGare9DK@Fjsqoy|d8#2O9@y8q-osuh1sDr$~I zdTN7oDBXyI$9t_i0y2l3E3N#kt7XJIN^2J24q}bO?e=1T)c$WLSVlt-kWzhykx;aE@kF9s*5o=+Z3|E_l5wLov8`->m8{o3pipsJ z8nBfc3@T@W5zU_1lOEeZ?0L&q=ufMA_FUP++rJuK>@8n-sJ$aj(+NES6Doi{;_>qS z2|#GQUl#0V*$DKzTP0*;+;keIf)$c3EO7oXCxtcxdEhl;$I+JUdy`pPb-1qCowdBo3I9I8DI+ zE^YuWF{LBuK#CD0N(*ofI=e10LgDp0I|L+8yJV}Et^)JZ_&%P0%Ljuy{y=lk+GWaT zOTLfyK8Zz^jZZ^&v%bfrTL2-t?HWgbI$>ex0})S>duHWqd~>S0K37W{Ec?6iG2eB8 zx^Fjv-b)-N?BAU(m0qoAs;G~^Dv6IZ8S}_xv&R7q!Unc5mcqSl0+_TVRSYF+p&vC~ z)218{v_5)5OyHeP0}4>hld#g)EjnF4p2wZ7c0V(t?>|FyCh|D9Z~*6QH{wQmmWNk* zQuT^`|6aoK&m5nS$eb_88VaBt>HA8Iq%NR!@)N>!Tl zPCyg{L_}1Y5S2~@M5UJi3P=|aP!wXLh(PEaLa!oCKtpfRA)$mo%I`eBbIzH0XU=)g z%(uQ-->h}MKUlcT4urj*eee6Z?yH0YD53wc6p2l7Eyt90<>9_L@-EQprkhSg+ss@4|+4_dc znVUsx{XOMFo$T~I_Ns-Q1;G$k+Sc_weS$a0?F_+tkq(eYqL#}cL3v?K8VKQIIGw!N zAZ-oC*UF0L13vp&nkip;2RS((CLc;itea?oaqO8sKCH53i08l@IJ|!7Ky+?O1m5MG z>wee`B)gWn=TQ{O&ok}`!Dsq`BdOSX)JnK%6xSF6#mx}j;XyR)$vwB{Hs9Z#oDfvK z9G!ryD`U!PYUhXGPF7^y42Wz{dD8HC_FQL2SxBj!Tns47)|Nf{be5-EnKHTyb z^;gCL_ZQZfU@3=u<7bq6!N)>;%c@`+kV7Q!R$(H0EzrMo4K!^}zLX$ZUdI^&d^Jn!go-E(g0iY-cR7VA&!0>ECy`; z?j-yLxz7lv@K^o}wjzGYCtKl<>zw&fIA4|`;8V@k-tj6@bXk`KzIhL8X$-GTTmNwsR%pOjkf&NX>}qDO_r(2dQg|(>2O>7vgN(B zmn?IR5-{UK{rT-q56k(D%!ip-&s8K$6Bf+G`nFgTYiWlYc3YdI#>qT|ZD^wB=En9J zEsZ@V?c31?7L)vt>Uj*UKdPm!zcZ%TZMQ{>#ZrvH5;(Xsoi-HV3Nj+PEtoo7{-I^$ zmD?};CRcZ4;EBTP1#IK1DpmObJ^1yX)L)tJ#@y&*8sr?lnDX+zQW>=J``J5zq`eDm zhhbAY?bU~5wUpf)+&-;lm>*hPVR7^|(`}bD2Ze7PU^nAOGknN;fCg#C5^VvP^Rn@P z5^Ms@c=-2G&oBbYUeAgOsxtCgkdy+Mw!`l|<=wmT@wD#_qj%5(^)-n4FU7At6t51S z*5p=ye`=oq&>zHttHY==GAi>cedXvpqTXsIP0^s<`I_JExt6Yv{KSZ+XFxY5^~FD9 zek=Kj<2I9qqL9Jbtp&EOW;2rOx6?^mVCQK?)-4+bZXa^tfqBt;>gD-}@#>3uaz-a> 
zodp`7aFs<492{=L-}vmSZn`aO6HRnPs-rg+XYS9ntGuV(sT`Th^J=i(97U4y(VF0cc`*B`iBP9-qY3+y4pbesZ$Aq z+(=n>TPxV%W+XD5+QY;8@y<4BvZT!ceTp2(a+Nl+_do7!jpPPRt`sVkpGikB=~Cse%-I^- z_*T-JH+q5z1@z!nduut|)wTVr&(w@nqwlMmygn&DVmhQ?!%-*lhhqq0HvhAlwZ*Pttk-M*w0o%G?VlF9RKS7w(&W*jhn!7rv-F~2WKJj9{g04(F zN>^%S;Ada^SfEQnr5x+DQE4SYSEglU`0~VyqqNn#sHDFj?nwf~34>bPW@TD-YMx#D z{YLt6-Hy zW7^WUYL#jRKF4IS2U7+HdTJeDY+Zy~?vz;|!FWw_`{`0$Q|N162i%Wif_$j;YOMq9 z*zl;uH4`&-V&Ke;nk$gr6c6i@TQ?$Tj+|@Ox3Sw@)%N0*V`nQPX0BH-SDPlhNa*1` zF~g^}As-6?;{$i#_fl6)c>+{odg!dLb;P8FuLCcrQnh%y{R-dIy9MWCRir=N>pC8W zi2UCWmj4sdVx$mlSn3xbej2eK%5|09ShN=LQCsxYdB3L|2fE%X__zgVSg4GvN(K+V z@>E95rpRrQ4d+G7L2~V+rB7M~0}EOxKH-{NN2 ze9Qe`OL|=jLhT$9_gBZ!*Ujeh+7oQ&lj4ejr!9w|=A39^@|2qZ3zku;!|0onkvUsK$$=YCq7qJXsZN(eP3}1FW zXMG$|8n}b_X||Duf5k+J{YH_^0C(c=K&i<}%&)F_YBb|rvkykz{7j`)_hsn^pV&+J zxcN9}Vy9birhIK(=hB>XW_NYDRz5bxlu$BsWYz*5`5UvczP5Ou%!ciyP2P?&!;LsR!aQ77_G5V|OMOKDMOnq4`GWkP3PXGTg77Nk+s{i01T9_n zow!~k62dtjrsEFMViI`n;HV$O(~4~Rocvf++Y~l^21Js)t^ZkiV1DI7M7!kLbx9gY zv;#h`c}9T9+B()GH-6`*mA#S_U+lf@HyMFT-d#cn%{kUK7vh)sQCyupBm1BcEYs4T z^7Fg=wyv=46<_%2VA1Il`1CJx;x#;mrfCj}G!;6Fmftl)*7l`f;R;h^fzFZ@)5Z1EvcX}(JN8!BPuQ9TD6j}7b1Lc;f<`?L7ua>N+%ejK~ zCl29mnmspPWflKi7fmSWZeu8S?#G~}i(Tf>tx%re+d+G{f{E0;li#L;Kf?Cws}{~I zZ)HMuuu>-0!^IUcHoFE*SXpToe=+Ri`USD;tlr7i75_p{7R1xy^?V1|#|ixo7b1@I z=cL*P#J@f8NKqp!Q0Y;vVOqYiD-Cw|MS+i983p?))6&TJCZi9+>TX6 zmIb&-AUsH;yHo#s)W3Yk|408u{s%0_3&75fDo-}U9dwwnx$(=r*!GYvk|pRLe|YTN zrbU?i_8pi5{P6q%jKG?47`roo<)E5?kcf3KMOYH@t~d#B)6$T;J8jO(A5^o}A$D&z%~L?0!Ye%V zh0^2piGGCOgeLtR5!efGE1gY0ewq^zKe<q?-KEr!x2$}TAl|{Vo^Zt zK`{qgZGZ6>XcwPWFI(sI%#df={UOvGWSQWPCTJ34KI$IWaP=2g#H22Dz0MK&WgCIy zhu~qrSRFa%;@@h<{T5!@Kp^0IxHp@%%nRh{2a}WSUG8jefKf)zQ;Gq7Rc&~z5ohe} z(dZj`1+O5MpZuTAnI(`F=Yn8-?gU}`)R4tPo>Ozr7zP_$62tP*>gXXTGbpT#QUskJ zN}ZI=-{Hr5)_R{V^PHrol(bTnXb#ssJhYd--AV6u%=EKbxUyJY+e|x|YKKnL;rH*F z`&O0gU)BEW?UHZU78A6u+0)RwCe&vIRW9)yHYY=@|9sffG;TOmVAcg)A?{#y6eZ>| zkMao5Q?C;1an9SF!cgId+1#UBA`jGc?kc<%>mtcUivI<93fy$}ahND&G#?^;S_rpa 
zTZ^fmS-Q-kSZY!&k;`TDrQ!CR>5~?X#U?2J__=8+Bpx5dTG!Fbsm!H_B=RF8xHj1we-@-gcp%%)R(JUzzYe4q-k>|t{4hf>gLMgPrd6Wc%8NjI4b3pLs70m_fY!snx+ z=cQ~L9jxBoDh+rAwh=FT9UP)2!e8pH+BcFM{4Gt>g=pt>UVpfr8^KT_-@v&m@?`s2 zEQA>Ny?5KZF0r?jr>5pjM3>ruyf8iZ2$)mh@a3 z@N%=riUEdT*jSUoTDmh~Ys$%lw{`2@IbJaXhCX>(kxGAwSit0bh}S8S%~SsV)xB`( zW5l$&NTU2t2u~&Cv9LPPbYURcNuYz@p@r$4^eU;_Xm3)Dem!KvYa`Eoe<=eeYx0qfk^tPQDUk)w3hqW&X$gO&U@D|nDKja0GBTQ?O#Upbw z&vWqO2}-C_?Hwm5t)CNNQS!TBp)~1rH9|aztg|!i&=+gYxbK+*5A*1LJ1ps=bh|*- z$7^6l9GA`aV?+7;-b(Ro)D}Im?3$R#*6lVVFV%H%1ntM)}=_ z42Y@3+d*{qcR9A<^8We@%N_M_Hmhhn*XXw=Qzj^1U?v;Z%IFt+QXy78-!O9vKRTbLR!V8a^`n@%)dj z5lPi=I{&8_no(G6AjER}RErForVQ%`{T5W3ujRQ;ZXPDE}Gwq(i$~i_d z`3sxu)GhW9T47A2BO-m!o_wXDybdYLx9=NkNL|zV=|H4~BdNpu)rmS#qFmdNWt(J9 z$?zpDKSirt8|5o-na4C2K6{EDDADXx<&Z7}JC58_Oi*Dgl-*1p`C3b$O+++TdWcvI zRx(s%J;0in^gZUbauTpJg2V$?O8XoDrzWAewNwME?;KIS&DqMF7}|9}I$PXDwZjFb z$XDqL1xsWf?5U1RwqvH9MUyVO*C+x*Jl(``DU%?={SLxU@dvm{zE z4Zh8FBFScpEHRJ7rnKFBcC$Rr8lyXxJ-w#zAni#CuZjls70oVp(P#HSE^?iHDMBV| zlAc{(A=6W$F;BABvrIZb1(FJ9o!% z{Z9VX1UDjjj#&ZF1Fk1-VY#NxmcP2z{prgEh??-|Dv}@O`WFOhORTrVV;uNhlqBLaDcJR;K8ioXgvNs&M*OOd#iGkYazm|S;6qamwOCb==ggF z?^&ONse=_Lj*{iTcU2xlTLqwB!(35xHvZ80+%I`EI`QZ^faA&_E&4K^HZq& z&Y`tZbF2mTCD#$vJV8HoW;A$XU8nq zX_}0`HOCC?Go(+?YvyM~(5p=s_O;xlDt{0CK|NK1%V=K}8~(UcwC{gsyU#q5Jw-oK z`1vfw6yom}*>HB=jNcvc+26U-c0GNu&>>Q|Fc3Ic`Mf0<5j(i@u#s7B-#NBdpXu4_ z)EFPaDy75Ay_#KvuQ0Lo&ojF@yi`mq`>uK}b^IaXyEbCs>mTrhXUi+`eXwbOK>8%R z3M22b8YA#K*J*#NH%e9{iMa>L*1Hq@s&Lmtqx7QS?~oegpXd>7i;lqY1eg=EAsm0a zHRxB7o#RVMy9q(aRiX9WKOtEEu?_5h=JBw9XaxDMqI{$&A7DW6`<04GqJ~wjz{;+d ze_lbcZOQJ(bxVIxQIJfTzmi}g=$(GXxpBPL|UU zMoX)%HXjC4UEh-<7~l$<*m1ub@pA2_JUk?#9c3i?>UbZ2ThNY~4ID+lqi4#x+Q#^c ztI^DltuFR3n*81psm|cV&Ljkwbq-+F$v(MB^!^IJDln{PZa>ns7H1rKq;`w&o;90{ zKtnnGt1a;~yrhuHa@GUu8j92w3~NHY3VTKco$MdxWlqQ(>5_kH+fiPN+$pys&m4r0 z55u!>QRmYZuU)2@e4nEJp7pg3Yp`A|h%#-2wM%ww+QM)j<}?2!8HCtH@Z zI-~fsK(7vTj7>%djQ6g8%6@P@WJh}Td+=Ky(E`eKBZ(j5Z-8Ik)6kB(4OJd{Nt_Tt zn2~g=;p)I8o&!ZzB70rvu_hig$e)|<1_W;x-BHh+(^yma@>*Zb8-|Z_wLt1(hZV{l 
za%4D{o}k)d7KveR@Cw#yydt}$WI}g8O77wB6HWxhCbJ5kXwo@^Z(Vz+6w$I!g=Fg4 zvn67neSJp!5e)0-1H+xdQqa^hE0#wFF|z}V_O^C<%HObAs};$1su7pyE?n(X>~0SX z1D;>csd8S&$d?Bju33FnsdlXvChSnR;AHQl1zqTUvh;8P{KU^iXyBdl+8ec(edMp4QRsXCel*#`Ab$DehFs7!KJEicM?Idfg1g{gN(yielJBv&3uVcj~jSo@>e&4mO(Gqa+tA8U84;ym9gRi7#)o=C8FUrE1m+|DeJBP3RMi z%b*&&L}50>yubj)atKzHM^4H#r1(QAEKOcSyC+^Qc#gJe%g3S@JMwi0L|zsY@H(dW zAH(Q2UG&$SgLZ0%{(^VWwh-u5`V|94K=+J+ix3j2vd6QD>E?&TwGCf4f+8&q2J2Z zb%dj&zHTaLrl0PvPy3t@el~15Cm1~CnIjjHj%eLr2Pi+BH8dS zDtE(cTF&yyRM#aRLHv0 zcYp_-biRYM#<65ihdocJIT`cK&p);n%OJK5I~BT2G<*)#phTIYLn*JfK2{M2J}~I& zcxQ?ZI7^!Cp=pZHEbGRy1-ZBjPckf$tAF;g*Nq~gVlJ45xZNsM!+`@O3 zD=J)L1i9G4y!XyEh2oaU@fvVS=mfxAI?%&*Pp%UUN!N);v(e9^BPL@W4^GZBT+Y_o z87hM@)z==k%(5X%6PaeS-4%o;JM=UOID%QW??j z;Vz=eUZ@va@rKr$uhW%w$&BB7p5mBvNCnN&V1I}dAnp;W@v2dK`A?x-tN8V?M`sco zohNiUX6Ym@O!}Q`pj+EDfyWdf^EorF+qpTtqwFEP)#Ub1JlRK=RAR#6$EatMi-KWz zyWE#9ixYeny_12!zow2t&q*`t@7IMXAMau|fHAE#37atAJdiq>B6jH;jhc}|rvPLj z_K?>>8?AS2{V>bOi}E5xQ~7fEDUdF0J0{BZ724r^T~(VoF$f|R!!&0`02>E(uNNQ z>9IN*c%J7lClte~hFoNYtCwZx--jPse&Yd7!FiohUE)&f zwvO7|QjWZ2Gv$5pTAtQF-pe+(7qQ<0bxQNTeDgRbUDEI&xVyJjU@+}C8wJs4J6qk1 zj*KP+bxljyJ?TFDIP%`nOFdfmHiN^SD6Os#d^5mDdAl`<-u|x8@PH3f8T3xj9Z{-t z!^q!v=k;FLfsRlfJZl@8$#9OeZXG+_CGqQhn$TSQL=)|W)P!2vb$bL!7!jxwiKn%! 
z8$)|++z;Vfu$C3IN_#h{>l@L|G|K^)UEtEj&FtJF+k(mY+ZhV~D2U$Tw&a=N(~=h| zdGMftLuF{_+|5nY!&65Nz%%4n6BpSOFZ*>~j*<9#S|IN0ujw@gVU^oi?=pU+6k4jc z@Cm1l`UhPmYLetv53)sS$1JSJb7MZnm=7(TnccX2>C!Pn>8X6$7UaXYdPGv(MSYqR zn|p8lmqhX%LPZ!sv&a`bPnk{eY6>@l^Cjk*ztK0rUGe!LwIZy=t>&{IatoY2Q#{WsBzVgmRCw z$E^20iVRp(S@qE3_{dTph)E<<|MiwowJ|M)ryWy=7|+ z{Reur_pF@IDrn-Zh&r8=lPi}E$%w8dG4kCp>IH;`FM6Ia$RBD3m$?iHyH(=wjv}=R z@<0%Cxk;*6vc*EZbA{RK&o|oy6cT?;nl1GQZ{ur%RioR-#$Zf*qQjdq>=MbUP=$Nf ze@jo6uJ%JhY)N-MSI^J~3+3B9BlrZl1V3dItKxyhbcFg^u2{AVya+u3l$QfkF1hx& ze852;>4{wS=1oynPe}d_d8(5)TwaWE1|GBA$(1M${}JB|`fVm1$4f?#Wv{+n5Oz_f zsLOw3NPbhfObO}-c+&|$AzF=2&~n3dk_i5z6`13bw$>AjeoFU4ZD7WHKTPd(K`8V&j9$RHEE{?eVF9)^%bNu;=okg#O^VN;x!*|Uj8Ko0v zpE9*C?B=_I{Zfj$(~I8{jspiq(B4lU!?@nO-g;o9J)rdJ&%DN5m)%ghq>7l8+<5CH z(%3M0$zw;}SKCAoHTLGePdk=;4JMy|5o&449nxhD5Pi9o90$Fl4l7cKm88MR`g2#Eh{yL>DJaw zJ)sUUP8!jaK3T1CmoC$G)Ur94W=e_*K8v_uEh{SyF%_v1qLo)8uL0vr;1%#+>5KN? zZ=U$yUDN)Dd)ogc-~W;C+25N>{$F~2{((g9|35#mkiY)lqM;Ojy@6AWSIXjM1^Ix= zOH~<Y?a{b>FmPy=rRIuKHjBj6?Fz3jYvWKmCYEMO3MSP#u z&b_SsxIV#Sk0fbXVz;zHa3k~dt^IDnns{g%HacqGAjZYk)R?~db^DA@RSi9TX|eFX zK(Nraz_5Qi9>x-^nMbVd%4QjRD#UZ!(L{hmGCEUT<950`LiHXkx2}~#wGz$JKhK`8 z-*&n8LgCvZ$d)NYC3YVs6nvV9!Sxx805qAg<)|yVqTf30q36DUk<47Jv)RRyznYm} z9Y$$BvA6zPz5i45|0{k${}I{b{3Fw#<&8sJOy~t-MMnVx&y|r^rhzNI8PtvY_1xQu zy6DejperHL&pGGFJqJNU#@OG}E%A!i6RS!yuJbaN)^`VSJG?srrWheyN2a+wxN<@P z?)N7q8?8WSY~e=*soWW5BT~Zeg1onUTBku*mX$e{9P-|MJWw`|FLtfhCF+*QaRtH9 z#w!r#o3rC<8F6G~oP`O|V{QsL&z#U$SyXZHnn*>YL;8-F^aGWhADYj8Bs2%Uv&>w@ z0QpIFbgl!F(D?7XDZ5?;!Q_eRnPC#g^gavrN8}j{r zLpn>`y%KjLuG!;5JN6aIwU!^<^ZNo*==PRZ7i_u%pk?@V{o!DByoK%1o~G4CVbP*F zCmVBqSiaV&T{M&X(2B6=aAl8!qIg!2*VCadE#6GAOM2Q2ol<)u^BJ48vtIPX<(oJ{ z(X6Ja{o2r|V?%29)cG@lS%c-Fj^o|aV)*oEJjZ-hQsJtGpoYw=YTwh!DaYlr%FdOZ zW#io1?tnanL3LE!P`rtWPd8;fR7tAer8ysw{(h@blRh_j`WQA^CTces#@GVLIg4`vcG-fU~=L)_&RT{BrMPp>6aT2eIx& zrl;RsX_o~#jNl(M4mK@jk(*Mcyuw7^f z^XXi=i+a6~Prt;?EEf9A4gP0okc>w3<66YK^d`T&wt=Q=?W^?hUZ+=M0mkfKsXYF0 zgVJFgF`~*z4;kfv%c}CW2_@aT2F|gL<~zkpcc$WxJ@QU5f)Fz^=o-ytmt%qj=Ais- 
z#s2GN{Mm0#0Ga$s=d@=<9nR1nP28h5W$3i&+ckn6I1FNbx8G$?6pfe25}wt&L%X8D9O`M0 zHN79;?eIumrUK2FWN_&g^&`lm2~`5xgF@gZR_lg2Isrr-E67gNp>onGun&__1>y_z zz$u8-CWa_sS5&#Z8HpoccX*d0x8Er}mVA1@wC>qU#Jn*nj>^#X7epc%w@t&y z8If)8F%MyfySM`?GmyEwc+a9rn50xUh>@&T>;;C%s$jEAJ>4}}yi}V4ue{>D9CP~p zT|+MhUacL|P@nNJScTWdef(E~&4>~p8y50EymK_U?cx5=i+d@qv;O-mq`4zB7TKcO zbUv7gI51~2^UGub6&VauDe^-oX$Y6fq8?^sJgU)ruc~8}y2%!@^49mapyL834bkUH zh&Aa}Xz#Q#UK7!Me-Ych`E(>+j?>^QOx)S0>VnFsx zk>voD{3j4=D2%VMMuAV84=tPNoYJSVnPDwwi?ecoWke5kgpsA$QfALLX^9#z-tS5VRcXu5e+4||B^Ze)mMwgEU>+^k)C(+}J7i zl%LH9y%rYOni@$b0n6~HS#KblJ1+SV6Zq%U+SB0VVqo`Y68M*2G^l@G%S?M!w^G&6 zSQ;@u&njn_Fy5Db*~PTbkNNYx9WWJXF}^VATg{Wv=j6oEueE#fW300D*4D)B+lHbk zk05J^ql-j8Tq*$=%S3pPX@){Cl7k2D<0abr1C?DpmZCKKo;NtMhotm4(n)ed4BtKq zeVDo{`0)n)ZtShZ_v3q-Aei<#m~cuE6@kqk7EaB~DdxEiepnM(h!`iGEl4cKotm-0 z0SKlp^;=WrkLA+@puOznJz)97AgYpn+GJd(9Y0v^+b7+6#4wHk9Dxdw!;@h(uIl6 zgGWNeAH4;~EejLU0z{J`POYAI`61NM7a~PsNCPBYlN$9K6lbAd5X=jDpRvAH9kn29 zbOp#^N>R!75@p`@@IM#jl&L*|W#GO##aTL45l%G0yUcFKQrXE5#+w-3O9lE7S4LSf zBc@D3z6Mx$iMlHwkpiCz_65SU2I*6MzWVCMO$0~40#Qe&(JQ;HNM@w78BtudxrlMz zuruozlr#9&`23x#_PkqLk*j(l*k1wfJ3N?6&X_#XaaKQk``FN4F9=+Tr$l+Y4$j{T zpcKtgA^L6A?9x}Tgz?*19BMa9?pim8zuHmxmJ=ixKS*y04)+EZ?j8}`4sc)O(L;A? 
zkkk>+0+;w0~ zJu|^LH&wYPKft)g#IMe&aq;JrUbiy-N(cr7TL6A|YBv!~9`4ftNR~eg<^g*sN0g+G z0C661=47c_;uV+qXX2@d0)f${sP+d-OJ;JtDvHZq8Sl22wdtgmg*d3ETu2;biyAxD zh3MvWj|;sElAhD8ZFi$&X4+?JB7A5`L!T~gNG-vM(thNu4h$tW5Kc|3L-!g(C`*(a z%|^i*gDEY?=m#md)qe0lk%XzR33gnr^rW3o_+`q|`< zX~y6&TX?azE#jnB1al}TPAx*AitA1M#N`m2Z_pdj!3Nv=+N~4v-^}fQeMok^5vZ7Z zW8qmgVrhmb>DT&IE(%pS9@n5bw{mI%p{QSgo#@2)RI(UL3i(~-O?sjWWg1Sq|AU|U zLWeIHN&(e!HXBx6m4qK(IEb3Zo3+DF8w&jTIoTo9)~5CKw^(I?G1H@0*Obb+WE<(P z2_xDtI4jo388+qD4Se{#*{QVZXXr)l9aBP0rBhW5aZ0Rk%v&UX&9~&tQ@Su1WCcA2 zC!UwvK+Fz2i@r=;!s-0%nq}pVRIqLB*xc|GHy1TH_qdO#_i;hjlGiJ5dpmI5s&LEE z4HhI@*CWH2y?Pn@j=iEQ*fHv~=4-|a#SDqJokV^A%!V~quZrZK!+eHe8Ru0uSV{ck z`{P@II~+}{!r6n>mtPbnx|;1<+CD;7evKM#JLGKJPZVt{ZG ztW<=1hDHb>S*`;avn^#NRQcmZ@6&Ea&5t*oW=>S`@ZKxC9*AQOs@^yxc~A%bf>c-4 z2jL{V8850EcJAiyUznj{$d6IBk|7{vvyjdad10~r$xWs&Xg zi7YRSF}YbFV%Su}d_h*P^`jb?o*mj%HiB+!M-TkvuW<%>e!_3&y~4&!-)~`iGYffc z8uG2(VNfE@KcRl#7v2XSx&<8Rj0yw%HJZ8Y2`IsL0mQ>Oc)UhuhDy2H+^U?gi9i7Nd1sR8XF?l7 z?Sjf1eZji z3j}Sm{z9FzbNZcRTGzDIE%U;`{D@_uGI}v-pZ57cdznWpL=3I^d~aX>(Zzez@?03~ge3YF5zKv0vXW(4d7+V^ zmgKXWg?3djivij2pVmFmUT;awDho8gXJ$O@pQ7#lAB7(L`;%no{}B(I!bVA*H-SBG zy7)sT6p`U(M7vEZ$XrcE?Do2eW?E+6G^yu)5SVh^G$ak|F%PZ{?|WFxQ7ifc`H!|D zf0Zy5lX_PD~8?Z+F z^rJ~K*zn45f8*zvmTt|7xk zVEK*4dQq<;pZ`ti4aB>Vp`U{v5dG$pUd+&umGg)$rQk<9fIaXFG0~*8j+JXgJ`eP3NjUYirl~HHedB9zAN$L18;UK- zUBYcS!Am41#8@DG2SpgMdWX08dHUOlFn;r$cv1=Nn(Hw+tOcOhzd)`RAXknx)VH8^ z)Lh{Nj&jf}_rPtaAVIt74CoZuw#cS)2^T`{bltL=R4$nw>gJS^%3pk}zQS1Uh= z5|-Y2W!lSg4$-dNI99Vh04O>-?WNLzsi|=5(9UYh(`3t<>Ns)ry|>|K=)=nV4zb@h$1SBK~#j5;vo&y3+V>MFP+afAd!&AG$k(7BY_<2uKj=gEPB4 zMwKKRG3J>P6b0{WH1}}TX#Tvo`rEiS+){l(=sJYH8&h$js1em^#&zXkOB#Cmrs2U7 z&15K3XHzky47qp-=ST5FQchRm^5TOHRpS~gzxrp-X;qKPiPuT8Tw=IeawCLO&=Q1U znUP=EgOsr1ZNQc02F`%%dxi@Zd>F@Vx*iE>nZ0XJZ$v!x_TkhYX97Ot;xHL(DeRBr zsHr#T`!L5tncU&LKEF0o7B)2Ov-1zCgZ#?2zjqHkrt!lDzJoCA(XV(s7$E2q9iC#9 z_jAT$Dg_>X?iVb(%jMm2M-takBYaXYF`DZGi3?%#G}9%9EIA^r@qB>mhrXI$9KxUj zx&GFHdW6nWM*pf`V0lw$nw$H~JM^Q$t-9(9xZc{i1DB=lW#$OYLHbEJq`@1P)WKi; 
z)d4r&2G+GLwlK9{+WV97+h)dBDVG93%F*w<_S5u9!N&9yI?#mf1&yy@Hb!t3a3Wm% z!&hSN?`ds)i%PZx9dULo^RIN$TP%~yw2a9E_M?X*ct)z>Haj5dKKRo^7&byeF!(&G zsY5Gfzt0pbDyiL8j6U^WVFQ4mL@nGIcQd%D zzaUlg6fUpRe?eyUL7cSIz6JG^A&K=5+oytOlQUa~Xf|iHpT*?L%`LvPugR!Scp>~? zeQ9#?iUiGgR*m}XcrzRaTxpW1F=QA~dl-4B5TFh zxk^vw)FjXV?obC(Sap+`q-Aqu{w#{`qUfrP6!IXu(1H zS-TL#zXm8ilV!lEaHft!*?np%NHg?z{jazA^YABP;?(A@?X;>;_M!*RL4#S`yEaI; z+2FI_=vaT3xfe~;5iqHC=_p&BdB}En=?T-#V{-}txYW+4{Qf7?olp(t?#BuP0W_0LAmLttTh11Mg9H8Ee3RDSF5 z#rEW9HF=~fhqsp$6Z-?jNA0wOi2#v%cSMbX&Ax%|+=mKc*3mCudwoKo2msbt5PDNP z%;sF1pi}IryiL<1&FLrfx?aoj>qdGH+$FihQu--bNM~EjFE~Mk_+?hcrCr5_P#Ki7 zo|&FsMSGy4%I;=+qUM303L96o!UxSdhvQ*L4S+O>zsX&PR+_a*F(*#_yx0aTz-9&f?3A$-RZlc@m~koOWsSMd$qsr zSk5iS7Xtx=5pFqYQ)D+6_q)=mpwN2a_gnQbkLLu|YBz#1g(Gx&rd;PM=}GWK9M2{V zNk_SE-;=@{$Cn>g3Op@y%K7Axj`mNpYXTifpmKEcQ^DK;ii# zn92Qu*xjCUA+s+N3h~=7xcfTnp>SH)63mfjQIQG1s5yFCzBPWh*E_3*Msf6&;P@(( z%(ZOrtPNA<*Gf4ywqoCwyPocwJed!p5gbYZ<0 zvs%7p<53v@OyPycZ02PMFbv{Ehfj`&O@eFR!tY#@jwo{JWK~M+7twHcdehU#Zdzp| zQS=CdGcv=%+mLiRvIrP6`ALv)*2iGo*fA+Y&&0!v?o|)xPx!(v$g~=-SOGa|ykGZE zN(pQ>1IE{&h=*F?qnksx8mwohJhyBoY;F0twksCYclqffV=I!saVX)fNDP>4C0XC7+2)4@r@(Oj+=>q z_2DXK2G*&EqxFG{Q@n}iwm9)uxaJF}!YtK=3=QZ7!g4II1XPhJ49*gIsKOfY7i9kcK#jSb=;boZM{q|+Ww9iYbO83{ zk;il6m-~>dA=s$glwvro21(wf$<9ODP<>n>=;}WpBW5Q6%7WZDGjl|1+0I4y3qt0| zpqh!y4N#s708HH-axn03&=zVKayAE5>a{6?KOn?Mcfn2ti~1CC1#91b;CW>;r-tWr zkEX_Ew(CsT`gi#On?u^>8QfJ2cDo(>{D%K0)8Sw-=WkklUn$1Z%kF;XG*z==x^%tw zIceZj28r2ClXg^P=bIwi%l$5Mn+iu;TY5vPoeoK`ZS`aI$O&7!K^=g+x0pO_lrMHb zXsg~BtcZIa56Lie*CSy4K$(ryvN;YgZ4R(BAj>+HRPIL#1D_D?3hEk$YrEb&65|lgqS3nd6c_?+ zjFY+7ZvvR>`TAUO+-^?ns^$2p+CzT0I?tJ>-N3)16O#kSCe7Ud*Y73uTQ(zc1ZTau zMYj8>+b^3razQiwhOCFW=FQtLJ$2hXc^92A=cvNS7EKreF67@i(>iVs0d0rpNTHui zcB$uB`XfVBrk+TcX!DB5BnY?vffQcufa46cS(e*nFIVw#NGrDg@_FDC7f3?<`<>~RvP_GB601AF-TpmSLb(CRe6s< z*dpJO^I2PZFJ*i*ncabE2E76RbAz0}An(N>kKnkQm_w~3VNk}}VMo$Hk4I+5x5Dx8&ZF;Km0Z&SRXXA9UjOQS216a&=(XhSS5OAI&^1@&M z58|11P{9H)vd5>`h05?nDLE7iXNeGGko6pDY^i+x7sPn=&rJ{A382aXQnQ^Zh>01i 
z1psLmIUCjHbwsWQQW>LsTF`FI7Ujp0oDtvNAH&{xX_ZKUhV^!(*Z$+l$!^|oU_`>dtq#2?;Ss<}=E6|TqyQ3Davd}y zpG(JAXFAZ)b<3Ne{2X7vsi1JOh@efAYjGy^A@br@&&#azMR~YuA9I=rsOUbR!5WIj zLJn1S7f@t&+PRJXJTMZJEuEh^8yi>3wA*za+5z~SLYKr_K&$Vt3WrmNo8*Z;cv>n0 zyvVhkE>n=0+!!%`ULl5EIcI5?TZh0umidLc46(`*?i zXrNmTUuQ{Af0_H}ZoRwz+!wTc?XupwP$BIU{6#J)NB^I>0Qt`ly>v zAexhgv^FiW3sVD%10mwVs42aCsG3iqXDbafiYRXW(Vs`Wzg|60f_DMT+=dKS@6ijU$WA%h3=&-NL!V zJ#-xL$>LtKm71{jt~>wnL7{@e$t_-X-g^;xbhW);lS9}iM$f@x;gxyqa(w=>uAUWf zaT7tVvhURsmkNvSSEbz6=ChvnC{%NT#4k%Mp8BT{&i`Z@**{V^1wS@oij$V@UeT92 z-*#T;q{z!FLDX=P8Tmerl42!Zm@#Ca@}V)($%mFwTKRUZJ@b$d3)!0yB;O|jap-Yj z$C2{%3wL(Gs!&m?R#@>5JHPv?eq5%|? zD!mgG1O)-52+{)j(nJJQinORmmm&xR2n0oXlOiZcQ9(dTM0$}(Z_-PohJ@Y|>VkxL z*1Pu}*7Z@>5Kea|`L-gDkR!~uhZm1oU0pZU!BD~`t5ck1Eg335E`_ytzJpfQnF zcDSS=*@WVp)j6K&X8g73o%9EexwUFKB6r*zE?(n25Qp%qEI3CITo42LdZIslkjEmJTQ zqFTFFG;7_KEP$uH7=a?OP;H1WRUQE4ydv*T8qTrkSMrwMc+C@iabHR(k(_&*dcE}8 z>7~ka)eL75{*Mn=#GaZCrp$ATzSdgS)&^Bw*gsN7FnqgKie=Q1=tEJPF9)wLCqY!~ z)0{nuo?x?pB|=9+qo^D@de7PYVO+KD(-3XiY@0}kn6Gq_x@#YZ8U-^kFXb+2DdDo4 z0*+_3q`=DJsw-lG&+gZ)jWr=BBRZjE>yx0sD5@A_n=XFGTft7OP83-?r7|&EP4GQ3 zj&ZLS6&$;=L}t`ANrZ)Vs$!SripgR6++rn}h@oTFB-U z$7?8i>Toq%tUqB4WUCE3QdQwfpchSc9>o#J{Q@^&Lw_jt_~$POO_KiX<1Z$f!qjq-K?g|ZXhVnk z1eum9xSkVea(NVX;XEfAcqCbjtDg++13XU488Og zM-(s3EH3JOh@KXC!1~~o@kgC^YWVwXE=RCg>_!RMfI>e!d=v1SGpJEOP#50?B+g8n z-Hnqlzslw`u8k}K<7{Cr0l4I`kuX=H;wHY%9mYp*q{IrT zGTawKaY!cq3Wciy^7}Q%AE{6P-Wtq8M8~;rRAloScxzO15v^?X1EuG0oSxC&e3a_e z&&PPHW{*z|+jrlXHpwDYUB3%m&`1X|p(DO) zu5$QmSc%W|I5b*=F);vu2m6x{5GkSRbQdsh7m>OaApE1PJv;YC)m3Y@&F-#uHf+!3 zo~n;v(~x(-UsFSZww(z?GQm7LcdP-HqjuMM%*fdp@&X^({7MZJ?t3g}zG%1Vzt{ji zZBpyFFc9@3JJB;sO=gQ|xH^}S@m+lU#!bhfHj$jfi+EG9cb4|1LXuImFMiNA%7GVj zKmw62!}~p?%=Z(|8&y=aE1NeG6*5!<%{$2Q{%&$mA5T|&udDS~gZ`JPwZ`+9x=}@` zjvX0US%<)wsBDOPl0K8F5JXPDxb7m|YCl+SRG~L`$;!VpB8b@5Es@C0Cn|;%1OF$b zQ>k&##mFQtWR-D8(&-Xh9K5Y^!V9~bJzG} zOi_K&+B;d<&q)M=gRI!MGJoL&Gl$3e61C!g>TCsiG$l;P&%xHoU%HBr7f9MO;n)*` z89tMWdF?9xRof9!@yaaKp6l8{b_6y+vVSAFbcHRqji3%QkUOVS_jUNOL99rPvs&A| 
zO)mBcjItB>ES~`q;3W5QKY}cmi;_xdVbHnM#qDjgbbp(=R9~^|6&uH9ObqG_^)yfi z6+z05PTs`25t2@Aaqzh_c3h#s+P8Y?c*n10-`YvPNLK^Ikwn`uJPq)mx&BDY440$* z+@?~rz{L-8+U%PsJMb zXzMmEjv2KxR;lqPPxFm?2${rvf#AIYu|Y(s{X$@ctZZX#0BST3gFXX}K7HA8CA}#n z$8#q>yn)Ah7#8dDw;^}Ho4!VZQW+nR;YfqQ#R1udhYD7LZ!W1grFPkiMeCf}313M; z)vVd_`+*r8*$CXg(V*3=6lPBNn7Uoqa69#|oaseIg2aZ{Va_$=RB{u@76U7mbtKK) z7B5nU6#i~*i)NK2&-F;HL@|!gA=J*#FCcg0c7mY2MZ!D1#p+;bqY6NpH)V#LK`9Wx)2OSb|f9fxyL^Rj{HcJ2$4sN^aG{aBgO5<4d zJ?-qMGNnFs+U=^G(TSu|z{GsPr(N!fmuu_uOt{&AkCdC^jqf$Xl}y)9R2}#xHE_0^ z-$l&d;J5HS8~R|xm|^D64%o|g)bU`Z^3Xdm9fn1dRt0*)X64m&NVYA*h2p-Ti5o#{ zaX=+GkU9z%P;hQgnqw2PZuvCz#LzCUO(a|B3*wTfW|7nfAudPBz)-mG|2l**^!FGQ zwfsN14*vf$6#p+ND(D8V_hmFLXap2}vZ34u3Jdf<0GzkI>ap|bM}Lre1Vy4%IB3L( zQtO>tC_4{kRBJVO9AZp1371XVFu(mEuY-i#cFfK>GG-v0_?DrRG9?eHp<@PNVEzCY=JecCN$!?`KAO#9QLjHn0*pP z0Vne@pQxPBaVu)%MmALy?DP*X;HUq-tiM<5@7VhLN&GuO{GCq!-hBR#+7qjXl-BL$ zpg;-`gO42ilrhgc7T-Ov1T^ZaB>1=h9{Z)o$q`LrWhCqik4YP%Ocidq8mW-lHx;=c z8k%@u6?^PNN3i@Snp3d9BDNk+0vG{=(riL=Kg7vy{pd;hW!@p3_opu)Mx#97@46Nn z@1u(_PUu69MlNs)ROSj+M<3BC{}BQ4|5J?T|9~X^S1!- z^^e=o)ad9&lmEk){T~*Udq+6vIzY_wRN72T_85 z4Br3DIuHNHhuQzyI%f-c8J=(BNb@^qdjCmM07PnX7aB5iX|#B3n~HcoFz1z*u z#4$#1AkWRRu_MOJY|fuK7faBeSGBvhlC|{9ywHHGx>m%=r)c%S!6aMCRdy|zQb4y9 zE#=p$AvmTcU2rX<#Okd$on$}}`b!q!>yOJf3cA!FsspqpwpcvwMV91P@zBwcUPWiF zO}F@oMmDccd=x{~Rw!+QY3_r{y;omXpXE&Tu$mH8!>;!)X^LFXmXZ?X^1OMeiQ(m` z(&QEq4y>9D^73;l?@N5Ra|Gq4&E82+SXNOx=nSsBs_`6iU1s6i*uy}J;9BaN&Q(xy z%IcF7Hht{Fye@ZAeO*M49Qs*D0AvTpwnB25SO|Y7&lSH)P=1hB!1{wjss_lPjf4G| zs4NN3R!9~jzT@kOeaWia=0ycrj)@o@a3=l>wtE$noYh8kcIBh6h2W?b{QT)sjyH(Z z5`w|*@bf_5noKflw7SJE?e~we;|JE;_or8@e0RPQL{pcBuS2^-G=e|Y_w#{tU5S_7 zU4^Y;Ro-DWF^jjeItH)||H|R!UJ+pjtO#hnKV;VNR)IGVS>Baa$AcqS4ap{N#g<+%{w%GfnY>ZysmV*iEp$3tJ)ULv`Hw7Wt_ zush}ZU|WgJ)HXM8fFaeymRvyXZxpMla^9U>bKN(gmT290_KQQW7h%8gW+v0;!kb+~ zW@4GSF5lT`NRhVR30(2NPj6AQ7vil~c>~)ia*N+avJ%VtZjfhbMG_YRx48s~% z-gB(0`^JM=hyUYu*LEla(hx6ovtZMJY7 zHKM`mzzv~<_7F9f=)HbkiXch$)jIq>PI#{vz9w?!=Gi^TK=Z_Z2dRJF$V-f`C6Kqi 
zI(_Bm_k5CA6MrSJ+?VRJ?zrzmf`llKY~0Ru?D>TQZNmDOaV)zfy7u%jQy-sQDZHv5nbgigh(m8ehw0oYO zakXZjCO>7FHjaDs01PZg*J7VRdod3GX5abqB|p4LVgbE-u%4ugNdC zJ?j6wnGJ%aceGvBEXDKi8#*>pX0Mu_u^*=Fp4~lrz))#R#D*#M^UNGa{825hGFvag zPP5rj3Gq%bAJ8YO10kQqMm9Ly2fd7zvR7>V=GeliV#K=_+P@@LHYAjZM^)2Kd+M5K z3bFjj|L6XNP-?QwkK1ziI+Uf5bc)h0_nz62dvrOQ9tkg=>36p?u#ld=TG?95*oyM> zd88?#uN|26oygm!VwjRvb+4u1RGPOg-$g*!lg*O2Xr^;)_I+m{Vyi6^Tiqe20NTecBIk7gCnJYFy;VD!@&=j6h-S6hS% zSHQ+*R9Fs zVJg4h6&$f#5vuZ$kBvpY6Noewp{ng>xu-r!sp58A9Zu z4_J6-VbMOWe6sVkpm!vm=Z`KK->;p0S0~W$;QnBVmprNM`(qm^PcC*l{^A6!(m>y& zFb&$_2LC{mTS5P2DQ7PC&zGO1i3u&O*t!<3_#G+k*16|1X?fGRAtno8_$~O2;9gL{ zkY^0DHUm9A4d$3$%fZWvRy}-OPpWHDFGv)gYSV(faU8=%q2?ct!q)adNQsW(b1FOF zOn~uC7#3Ju_O!g&l<@Tdd|Alx>FZ{-*yb1qCY3>*D>Qk&pQ5zlA-l=sU3^`~|le|GB;h zJ-*gD*lIa+G=~4NaQ#k@d@lqEGR~j6*0C1iziaQ7*m9n1eaKPE06vHD?RD7lL)8qj^!g8?iWmc2Hx^sd7n;Var|S10z-*s z6lsnfuxFXpCm08YYVzMVcbx5~TWwUXuPGnO5(|9Jp_J}<<&JV`ktQHZ*zh7e@i9<7 z=bO-Uhk8FHlt1<%?Sl& zBs(iXGxE2oCp-tHf4vnZ+pObLFh7gpgB4T3FaRJ=kK6Q{J;N4^OyXi|3a}&htr?|945`M zn~FtktaUDhQAVP@$erI18oIqwbAnQ^x;ygN>KZoQn>TMEi(&=L<{Ia93n{D6z zH*G0}+Y2eL=~+*!OT7br6ob5*%0Em}9V2O0Z%I2Nnc{UwyR2Vs<#KGEeZu?#JM;x< z{@w~{)L1L3aeqKV-SYOJ#_6XA0pg)WT01}D&dbY6s*T>jWDUb5jTy#*<+p>+ zAw?=l$mNsA(WjYcM&D2hBgpxJ5d-Ea6i(tsb)=fBplvDeeA#lxdATq4OUN;kJ4I@= zqB4kcA6XMvR#y5j*PJC>A9k~TTYAWNb=7e+GGd^KYg)bOu0ZBLw`bi>A0P>s9&tepERMD83P#- zE@-*l&KFBIhmu&^gJ2y33k|FHD|fd`H&>+6?g2%N5kFGpT{Pqe-5%cki5<8)IdWdv z0rv8x6FAGn<9png+8qKfjPvB5sgtCKq?DO=jD+Cs*;b0p;dPr;T{9JLtXjT~e0Qpg z(^`gLM2^uLT^D1!%=6}s+GjI1IelH;t7jpeMTCUd*bg3ajQ65AHnap{Ax2gYmMY? 
zrcQjP4=S2hIqGN`?1KIf*3`@MyZO9Dl>Y=V7*tWOeuRy&%1 z2JkOI^5d7T8Rs$%y=}Z#LHu%R`O0;4mI8=_M?~DJvzipXLAZW@NyAR)SW8)PH5*z% zjzI}X?-XvAmVElv@!`^IZG;;nz%*=hsTC)(((+)kap7aM9p8^jXXfW{LfCwYCn;$E zji1}>G>=(D)yoskf9N_tO?cy_N@Ht7Ox?KLfXY*=VG;{h%L?^WRvbbGmSy2Oqhqm1SbY!=p{%W<<7F5P4Tvwtm)sb>|9U!uALeU+7~fpW=#4#L-q$DzL=e#I z@a_Y@Z#Oxv-w)@xBmfDdp{z~79J3EkuHo*3!C{DO@d0J^@1d|dREH3aazMDm7RYEh zYJ5@LjWxMJdnsj8!+P~csgcQR*ZKOll%lA|)VXg|oyLsgj9_a0E=ZY~c(Y^n3FHGZ zWgo5nhWs2jDJkhxvQ#6cCD^HJ6Kw^3Bd0eX_0y|Jl=Vx?iD3E=ez1+hfUVj_Hz&M0 zvuY+upI=yP)DTOh;{BM(Iw7+G2?2+`ORee0(>=Dog@j@kYCQo&$ciu+)kk!g%mwz9f-T-b( zqQNnsq5_DSKe}Q*K;;3w3FyG{7*?wLaIOipt+b2*9}SN`wJ0G$7f2l)wr7cZy`?dq z4EOKXz3LJxfFbz)!%=Aw-^n+m)b6@7}MqY19^3h1=Vz*v-L;KmBY6)uiSO%Mvdr0#79fi z+&ph91`S>6=9VmcwF&pMnq?5Vy?w{Rq>_aW6` zoKYceIVbs$@j|$h;FHe5YU?X!sTDN4Z0l>_!pea6-Zu14CPg1oABZAk>e_xEO5G@V zy5ZoIbdmMPjjUo_F{~~bBn5T$6o6}<1BP9gKQs35ATQvet?p;LDwz^iTXtL(_ zx+KB`LPYz4Mb%isutqIf21v{Acr^Fja%i0PL(S#r@ATAXhgc(`1ohSl=-w7=n>&MK zX(T}am0bD9<*sSGRiN1jmTdG00}W)KA1mF|Fr5YB`nYFedMHYK}C z2TUqevs61rSZ0tkX^3G&O)zJ*Y7TkzwN2U^ktcT00hGM6(NkpP~sp0|w zX)_EL=G@T0mBj`nywApz$h9Fi{JWt`?)1B6=d2dgbpsBdj77^BT6Ae?J5J;JGqYUba92PAdl&OcUm)gv9I6Td)?hG)e;p$eP>@QpP|UST&5W3Bk_ z4U0FLfZ)Z1C=||P32sd7hix-rF*8QTC$RmX7>gYi`M^H+_A}wpU%H~Dz2i> zGO?`*yf=kQvkneCH9sm?L|Ken`~e|iN&*;Osd1D1w8x}VM<3vqLMV zE2=mJ;zSp)E&XM{y=GsMrF#{}yBlnYUiVK5%WrSHHcL}QfyD!p>IZunAJGaAbG*1- zw!|_*cDE+3HD9bWgx)o!HHf?rMZB(Y?-IEA;1GGo8NVU((j_Qt1MG;?w0{DY4d_Nu zH?Y*9FQ{@9C9D#CbPxf?mfurD@o55Q&A$YbIsSI_V*X)PGa8hv zNORf85W^5sJQIdrw{ufv(|RW;;xOwvbSnu8YPF!zTyLPJ|;6o#J{m1X$) zrkboKUh>k2iw#y>g$g0v3QHT15}$AHSEZVCEEem!9}3@O)qR-z&|H+Lv8@V^^wk%K z)I=j*s7J+qrRZA+EAqD2^A}Ukt;%)hUKnaocya)jHlCxN$TgOg0e8X<=I**tnJ$)`Ka;XR|A)y)`56fMGbld)ZZ7oBKt)5i=a5DqL6PZbGlxa?Wm=Lmj%66(6b?o$)aUo^4i7z(({C*4E;hG4wGX+>(INe){{BNLFd z({^N5h&MW;=ichMAYk;aA^*^V6L%ukyeEA$a%eAbTG^4Onxpmf>W!-qs_8Dn`ilL< zkv%ullt_;8N79qe9^$%OTPQX@!UxfcRt5h0G7FNro_w*OyH}sN(d_gYL`>_EF9;j) zBKUBiYOcfb9;)X}Jv;oSbv_>|e~B&|X&y-YxG4pLI?LVGG*9d4T4n-cZC^G{L#~0i 
zG_J;v$6hnJ{4a&Z*FOsl<;6zdVTuufMP|k0sSi`+!oAFyf2%VbR9sp}8 zbwmD&KjaMG#)gKjc9bB8@iA|{k$5tm&n+0djq1P6L;HPcKeqf0x+2by=8A$W&*o%# z4OlSZ1DO3#%2?L5)I#Cf6!Xdol4DD+Y{x~=+S+bP_j&Rb-L7c# zp;==&>3m}hQKYYL-7VD#Zx}bidjazX;teg&rbPI_kMuY)Ps&lGG_g6+OtQQJ#|{zLvsqoboV@TCegyAnUxI9AgR z0>UE-`VOvKHn{xwUcGY{^YwKES`A1e(X}2-9B;;_89F=KtF{PToB#Maf?s()9S1VH z=A9bBw}l_4H=sMRx390k_sB}rS59=3jSwK)v|$weoM|meMtXwn`iWvI=esoRLEg54 zbAfynINmj$E0D4lf4LlC+HhsG;c*t28GN&;4ff!+F;oMMf^BQKV*c&zBK~{TfdAh# z^UAN-W~q)ru37Ux>Ml8Xc~|b!>sPSzOFZ7mf4fPFu7gSIt|=UQlM4%@ii zmBSWHlxRhse3LE6d$MZ=VRXgV^S8BRQ$;f8y6!~=a;^oJ*gR(*e5l=dXdh%HDGTms#Fz-%@7<*tHTB``)%SR2d7kL$@y7Yr5;d--SMfb^-imJ?Me@8<~}v#?D7c*57h= zOboQkP94J0V!MkWs_!VeL{UTOf(I)vSD)>O-H=W5Txk(vLo5Dr2^QB71(XWcye9L~ zjkpHeID$qsCwWQzYt}a?XNYfdKe`#Tl9(Q9wF3i*xW&u5^HN}oCjqH3aYBTa=+|rK ze&6sSIac&KWA662yZ)vVT{}g}&*KrnMs9zj)l=*Rn>cc_$*+m{n6I!zlDU;U_56zoaBtQ(PGZtS zF*KlP=kkRfx{X&R*&onvmvdORIyBA>Rl>MYE`aT|ipm$~_2>t}Zr?1R%U9gkpOFVp zB-xwQ!)oq?4wGug>3AKhT3!Bj5T7au{#DbJbfqRV?G%f!WcW_Tc?jI}bBd|Vmn?@Qv$EKtq%9>JajQN~Qf&^D?d@gRJ!UfSVM+M(9rs;Csl zVSzbV6RxRqkml`x}{l^t;NkPfc#FGCZCK^zlU!Ud_p zBwkQl6Us7sn7`2u9=dzkA-%3l6&~!D1fm&{%!9vHy;osQQNi|A`ss$P&-sM1TM3Pp z;D@dl)euKWm;ye9E56bq8B$FOJY(mqe5W26F;(y!VS6=r>Z`w!WYPkC3Cd?1!u5rg z7{AOWw;R!Zb;@CL0Ve-7e&hZ%exLqd@vHQ-JB?jc=%kMrneNZH(W1DK{36s0-Eu#N zA=BL4pX|^|vDDH*5sZ#6E3?A|(!$OWak0srwPDk#vmf}Fy{^?QV3;2_qQGlR263ru zv#m0+7f7NF{QYklywsI#M*ESsfVf2U}<{Ff9Cyl3hLIEf6Mljs#il*X% z!k-C`lOz*?&-C42v#Gbz%d0vSi;tA9S3cB2UnAK}SN?`XDGK)Ja@gaLyQC)K zUm6TT<+om0&b+~I@wXJZDlxe}{d()O&WR8UX0{a0UI!44|NPjsJs>~1F`SjIJohew%w}c2`iSd6L<1l3n%A( zR=&Al9KeyUOmPY0qS+fm7b7nL9~_6}(g@A)P{Zo?gdf?Uc`4s=Nsz|3R9;v4b79>=Iqj@NH&M4ByYTU4 zJ3Z|C-6_mRfx~Y-CN)Ef1(gQY{#9wTPx^0|fLd#=t1;l&;S@!bXtSA^hs&ep1wd)6 z<@tqu-Bl6BpK{Qz$78PAjl3UVz*Zk&n){$+$Og6|uzBdS{(FR5G|@VL9RPMGWcRea53 zn{*Je7CQ8W!b-aH0w1J%Kf|`cKp~4SRSq9dDAtEwRK!0wrmw1f#@$zo@_S1Dl)CCH z`mEjb{cGLeH@j>v8^xCewj#ud5v@_Y-4^?8-e;x1>q0nkUayT~x(-1|`-;yWpy*#D z636Ny<A@cF)Hba>iSsp!w-n%E;w{N{h#n{ch%r6zp 
zLuP|fV3YTNA_90T?N7L%CejjVAMtb4ciSmXyi*q?~67mWKhS7pl@#Bl&U@zxq5H zVeeGr2BS?op%si^tpUPdZ0{b) zSU{hi-vQDOzb`m_?j+oF2 zoo`Qb!JW_bHBZMvV3@fzTu$l zAax=kTG3$b(uuD|K2q&-XXVOfcY3{3j2TKPd?eO5Jcip4Rca%hR}VHKeVKI#-I|A5 z>T%CzR50bEYVe{}734=(*O)@FXw6g1#R#=oti-?bHUEEbDd*l@YLPuuLW2#peMZzV zZKK^kR@eU_R_iZ_8viA1OW}!c1F}t}?q+vFw0b|LTH58~s1=|Hk(Kcr+5=6^$*T7#KAh9IvRun(V0S9)s zI4RQ9lyugtbcg&CDEUbR$+D_hb;g%LG`+|&xFWR=TB!u~K^)c1=Ewrdl|giOMajB4 z^%7lgS(QYY554T-euVyE{ZJHF^&XIQIh*2gi&e(iCtzP6fHscTi0*%(5}b zV;)EOmcw=d#P?7Iys4*;!RA6l3etPYiaLoOH4bvgZgX@9TU z-?8@hWAJzK_&eqPy&L?!hyG>d(fDReMih`GpF?0<8!y5f8b~RRJ8o4bFC@XQoMdob zI$>Y_%T94AnL3Ut%YMb>B61S&C|Ny9aYPz?krQKV`7nKpqw!5 zZAFOOHv7-NUZ(rLaZPk{iCF8Y6}F~ASTBO$?SD#*_}jwmFSV%thgrD&Z_4riE7!A& z=mMBMl+{T?90>EaBM58YOscK;g|xl-66xr$3~JZ`TUj86tcZ|pt&0e&grC$o2zcIj zyM#5H?%Y$l?W7-xp!{~Q`yd>JYTh_b#VqUohIIR2K=M3Xp5g+I7ID0;Rel)OitP26 zizPq3wdchIbEh+Z-O!r*4ng$(3nbJ$2PrwAfa9Xv9B6jz2>-=;f!jq&xj&|co=@e zUcf+VEnDV^ndGevyC$J{Z9iNE3Y^#yw>qLeAZ&SG4i*#M7J(KOlh?1S4KVcY{<}7U zRmIou7zYC>e|LU*3!Sh|5rDo(Ma_M%Gw*@E+1)Ez!dia{ajt8DKo}UPeX!Qdb}ZmJ z-yaFx)<7gvn-6eDAdV&xJO$IP*SUXSshcr$lhXtyMbDk`9%kTMEd0|M3wj6w-#{^S zVc9>Ou@ZvWfY4@JUeZQ*~@DmTquy6t0Liaz(sf_=HpTYhLU3|2*4=!?21_*Y0cnEu& z2lNtQgoH@yMMRAC;B(M=TB@g9O#YlrY5n~t-W&R40aTY^9Y{SyX8$xhXv0k?5z<~! 
z#nz}ogC05Y-ObBwj0%jcGNWoBQ2~O;2VE-K;YU2~7)7v|xwFLsK-)AdR}tApmpbf`&Q}N63y+i519?&ez|R{z6fxCT2uMyd!+tzY(;&hSf90^*e_`D)M+6{XxPJF6ocaw3P+3P zaD%c>Wb%Bnaq6IqUt*Kn@R=#_1Jvx67@a|NWvt-#nsFdBP4N(~3H77+0a~-d_wef| z9x7jJ>R5MKkDBqqBZSb#%$Z}X+1WEN$({aj4{HFG4}1|;YE8GBUh_+HQmB7pU3}tP z-yMAXaa^EMONSDwY`=`Vqfaz`Psbnca3a`r8}=jnP^uAx+@bMcH%bu_G)-!0N73%G z@pL$XrVz<4b?>TlA0#T#u=mj;+g5hb5y4jx31IKFlIe6K-}1II59vmaSCY*1Hjfzl z4#s7VZ4$(Kr9k&tBM#FK9rY^>Hq5%aZ@#Lji5A!B!yE17uzl6wq3{r45lB`HPq2I~ z5671-$499&qmB5782R!&Q-&8^TX8-BiL5f!S7+1TQW0Y$COdJmq$Y(mBYq4QavdMF z-x~uFeeVgcnR?bguDQR$w-t>%FPY z?N020VCJuKA-!q+#o7SKC0$!*$+pbA-s7oj*Pc~ic{whd=!9P0Tw=`e6MJvWFtram zgR%FZU#>&4BcAz`Xj(SA$NDaM;MPxWV=tefjFa=ZtHC%Brv8L;RVp`J^2eY1IJL@p z?xopFRUf%(Mjit{Rf{Zo{7Xcso!)UO@&ewF9(IP}K$2W}G{RF^{oL@?PIYh4WOf;2 zuHy$qZ=HyJ%^}5%3&S3Yf|K(#F`bVkM0=U9W%dZjTKna&Wi_fIrJ$!N-~cbTS0mH^ zOx-s>GC}TEigyUpC1G7-t$j2%x*p{&W>N$g{t!%`+2x!H8JIi7Hs6Psf1#WOtiB*E zNY()?$;Vk^7k1Dx&k~u>hUf|ZN)AzX?JnBAw|~7dyyFLmkFv9#s`#M9YH|5$IYc85 za|;p!9|ip@j9!{UiLt_TR1WF8)0(w*0yZj`V+Cgmof2wyylQlJ{La1&P?>KtY3ZCz zjB`EBoTQl>qw8lXc5AR`6mQ#yq6(fXvYCONpERs*e%+`|plvK8F~ngU(4hw^5%C zMii3YyYHR4!j=d9#!?5yFq;~@wBzSGa58xN(BwMw9V{<6$acCH<*&Zi!<$ObP1R9L z>eCmaii2K`lRr=(M$ZY(0(XJ2O4Em;$Iqe4znqFkz0&7M3bP>cs|ZlYBTr>^i^y@; zsPf!x#c^B()20Kn(MPKLw?;Of2Fs35-uQXGp|U3WzA)d(?xkh_V%Z7TI}t`eSLvx| zF`+{1yyYr8AUAZ)4L(u6)tAORk7?|dPw#SfIm37` z_HG&k7>gxfYWeeP%*FxF)$RsTZI+Ha&8jD;w+8(U5o2hE85kXNfR+;>Fg=PR`6^O6 z;Xy(N$7Ezv+(VwZ&=y~ZS7wWwxWp3RIzXI)UM*C*Dd0{sWvsROAN8tAsF|s>EJF~ zp_+_Er1M5{SD%o1cyK3f+rsV7YGUa(v>)_ zU%1RJzny$WR4o4U4c;oL@5Jy=WMzt$x2+nne`58uZz$EdOdFXRXJT zUw1kaj)8=qalaw7cUc1an{a1>`>Fgyt5qob^M#SU{kjyf^Vh|_PtkewB%awi`0C2J zUlzwXXIp&#;rH)}8cXXdR`Am>2iJaq7HGIk zO4iu1Ecm)9wf}g}AA~_3?!g@>e1Oud6+EIGX%Ce4f)2F@RTX!e_(i>WR%r2W8$w+! 
zisG)LC4hO%Dc-xF;x^vIZhhu9#;qxZy5l)cts@9doBVHXpHV(GAu*&R*3GNjjW2B@=Lo(BZn?eRT+I-~D|nlGJo+K z(wudi4zh1@WseVdfdTrC_+T#NHSor7&Jj>eog&?fZTfY?DQDPH>GbkWt3ENkE~sy| zu?Cl*C=3_-pdv*?hW0L+1zMHdn7Q=v>Be(MNNB8xb`Y7^eK2d@oC&oWR>&5bz;zUz zPt#w}s!X)enGzw_qQfiR-=_jTgqwo|^e0HcLGpqA?F764Cp9M3G820*dF* zm*-ham9WTEt&$vF&l~0^k0$BpM#fO#RMFs`My1AtCeZFNc4CDve|V+$nZ3}tu2~v6 z;Z>u@t=_gqWH8Zp{)XhCeyM^}BSq45!;saKw%Q*Naib&gIfb1$Y@mp3&49~!|KdA)um0?e)BH_yw`|0KJTyDQLC*8&~oGDqARF8kh){s@M!+tzuR;w+w;CbI zc(;yb6lV*u(m};i%S)WB`I=KU<&NfSI#8)@AwKkkxyojyn@U8qRSo;du4G?MLaX@- zh-Msb!KVy4r;mJ_0IY75MK|^XCuBu`u z5-II2_KZ_kl&?iNFZ_z$N_GGw=I#i_uHJ^pcq}rvGZ+<;|FYae| zoW8>rDzNp#h!t^n&KO93SQlTppL(Wcp-Y}Ggzr#`oi(r$SqZ<3Ja?RqrUZUs;{~#f zZ8&dScbY1Y>y8->Cve|8{)hrG^}C=pro2sem68U{l}XO(J~H>$AA71|xP;G!UN{jd z6GHY5F)X{yDBP%8ul~~FWQ5EMhXoP2@rSBc#0Zu7#On1xd@W1Whf3IErL zSbDy)BWxK!HKLym?g@y^I{5%r#=%8C`}P{C%7A!)SalBQ}MpBhf%{T za7GF}cqqf*QAglZa9rfO)qV%~eIf60Xbwm)S%mYc-6VFj)@6YhV5VJXg}0)w@><<% za3jZJ%qI`a){AQxwrYtZm`D+W`Z8+j#k3C{Rb%B6GI}nn6y9Y_?&23Nx7ngx+8PIyXl{V4hi9lbA1GAKoH$0F zO--H!sYUUV7WISfms5q4q;8X%I9nftXheXqbl5)&ZS(Al668My3b#D!8hr~gZHVA@90Yuf(4*O zFdYy&i;3EcvoZr5KO5w_7`h4IEbA0p7d%w?AiaFosraL4N*4g;QqiR-*t%>G$fKHR zEI*Ef%{!7{#|SO(dqdEQU_`7weg|6W{y`Ei{@y~pTBqPO5DkpG{SdBMo$$&<| zc^?Md-MVWrGtuSMskVRQ}oiUa1+h?NzT@*F#qB}{@hXHU@K zv(jcgcwMAEyG$TGb953Pzc!@xcNMd0G-v**bQwq-Jl0H*b89SfW> zPL0NaWnq;59`OdIxjV^3tRBfH7HkB3wuVjEdR@0Pl?XqFsBRWHOVp^m_JUxgTiy_nRMKg$&Trw_9muW; zEyOV*wTT@dV7AajgKtQze9$db8&hT9a%+We=agXoj0mC8sSdQiyrl0cX9dVC*gO3a z^>++EI}2J~th-kHiQJ#2m{X6JsL|YqI89D#1rN1^QhRj1@+)ACP8~G_UYI!T^vbo-CrbQECK9~a=^8@@p=rEM<(;a zVy44(o1YW!WgD-naXkZMESlOGkU5&xR#QxH*!FmuuW$U^twz#l0DF$Cw=%GTDA|4rXd&Q2 zHO>!TJ`33A806Y$|2OL1JE*C*T^kLeqEuyqLJgwy zCLo|71f)v|y+i0AARr>4mjppTAfX0QerNf9Gw1BR=gd3%`%am2{$m(Q*0a`np8LM; ztEkit_Gjq!>P$l?pt|Wm_XBV`l6{GVlnL~)JZ?4UKOt;9{{dwDpZyy3?@}553({4Z z5Vyb_EQLVvwita`6BQWWmfvz`>C#dgCiOQza(KeZX`@cuz{4Wj_z^G+(#36h#UNJF zs@LAQ3>PvuLaOi6czQXi4tF 
zAF6SIwTtIKmaV?G5RfY0tMgP@1r8w2UG{-MHJN3hPd@=b&mx%fIs-5C4{rC-HEr~Dz&U{650HwC?vEV0WA~gfarATRF9Bf-cc6OFY=uECHc~~Y zoq>KA=u1wNS@RLhV!gl-hfucXrbBCdw)Za}KNiw9UOd0{l1Uq4v7>Y6-M~wIz|4k{ zd(c4yN2zk0cbS(RD|KwG%=-4!PwXb$DiX#POArfX3v@x{kR!U3Ev#Kr)z7nCmacap zC~Z#$@2nP`G#jzrYB|OYr*DsqKb?EDu8w^7}Vy=*LN$%a)^WH*0 z#>)MfThDWqZl?A>I%U_eocjC|+7(0rM8OewT3#@l^YQlEJVVtW)mtSmo-nTPvRsvi z=?#Qx3J2g;YY#&L-3sPKAQauU@I@uKLU!P?M<1_eJC>`(fw*#nX}MISjrpLT!4gOu zOxVs@r0H?A2J!N3=8`zwS{l8+sjl`Nx0jy|^4Wq8hiKWXE=F{VsC1-9#Cw0!u4&ci zu)WrFB>jF+y!S-kVdbuq3?uJe#2=upypX^PNIF~7=wYgXhX9o`VSx)GF=d#ykyfc& zXjDH`QyZzz{pUiOkC9RbXurpfs!VRiW8WU~9on3?)C;;TVc7PQ`;HQ)ZS%{Ggci?< zkn3OoI_$>*#tJyv2tC$yRdyvOK&=qvQ8c@``y$^D?cBNb>dB&Kukpj|6RrA-`3L9% z>JwtwO3`Dt-0{WPVVy^gn)jo$K&3ZEYW=(~N(uw{caUvb1(ll+WY?4Kh%K0!UHH9L zSjw_2XHYRL=@T@d61r}dMecJYV#833fK5h8x2bxf%d5%B=~?}&IN#`Jk+N4LPv||N zfQ-Fu*lA_Kl1R8wj3G9D#ytMilyJRf>dWk>r@bkY`x20XiWUb7ED%QWiwD>A6j)w;3GU#F}r^rHkUL-S|r`S(Dh zO!@Ra$dw;%+p5@z})M|R*7nHCQsT_w_+!P^k;}w$E)IDz(x{SR%ICzTr zpe^!MGU3_l4VzQ{+I(tI)OX-BGzI9M0cM1Ge}o?xuO-B5T`DANT39MQD>w=^43#!S z`84aTT)siT@Gg5X9A6-H(T(49K`p_6NOv{Je>Lym*;ME z@b71@diu5f@Ga3HP+htV5XzN9_N0A-9%&<*;!(NY7CZc$S)ZtQ3kgyq&X-o!cK^it z1Tni1Ly6rI$SG1=HSw_fB{Em%TrtF5Bq@`YV9a)qGXdgD6KsPdNq;J;Kqb$lO z%BZhy#8t{6_*neTF2F<|c|v}TH^T5DIynP;&KZc^Or%EhJmu zV|34D%y6w-&`3*Iy%{0P40yclF>Io0(bUwkhxFD`?A}eYaWJo!n^PaE+9?9p&e=MC z|F)gh#6;ia15)R}*D%VAaIxHG*3TmfVL=3e;%qU5Mz`D)vz&PwCv2G$uXQVj4^%Ds zCJWI>wj*u#p;(@}Y3iqHwyI9nPj0=o*OQUVIms)7y}y|b`gIi=20ur=T_pW6|F?S8 z-ETEpQHk7hQz6VuuZ)A%NQ#|l^fR=iU&OW|(pTSSyygInVyW8R4C%Su{&?IA)B9Hx zF1V2n#DOrb<2N}X=XgWIYCeh`6_>1()L#GmeRO=04~<7 zh0JjfPtI6mQxoAcZVKIo)my)tnd@n})i})gzJ#MY9YkmWbMz=^J_*HjY?RE*p9MWB zd;5jOiJZ2TxPGQ5D2-wR07q%jdx}$KE4W3yxuw^-i8J`i{~Rz zYCeOfa~ulin_|!2x%xb)pY;axt_jn7By3R;IDjSQy7G;l*>PP>@I@BzcNR%*_78#` zPFFxUQD04nSX!6@7BKTm!DFX$@z`hu$qJ*Apv&_nk9$5n@iAQt9k$#9;nJz%K>M1r zgrYE8qJG-~Qbigj@DxD=)g$QB{Mkj_Y{F#f=z)>Dz&nYpVgAbon5BhC_AKOI2qQ*oTzv2A#D zd)}uW+tEbmIXVu@qgtlAN4Z-4gZ0bf)p|YUSise#`dlILD#LUzZeIO|eX>5;Dfb$3 
z&%yi!^QW+<84|kjOMZ})HTW5^CX)J}*5cogb3sk@X};|JGl-8FOm%1ETNvRPI5RW# zdM@kvJG&!td`X7<)hd6(vQ&SA*@I=t*rnjlhjji%=488(y7%tkCK@knu8Ty9jh;F~ z7bMfIbt#v$phc?ln{8%O3qB}W8V?ytBy_{s=s>sI*F7j~=395jCwfzDB`Po#bY0kK z(rh?AZ8MW}ersrE(&ael(@=xTvplimFiB8wBS!rP)P*DJ*eB!5TDA3!;HIyr8Y4d; zLoxPzgPS6cb(lgP}v9gZ+z}{PzC#X8C|~1r|RNjeZ7*!ZO|XDA&!OQRI!mY&ak5Y8_E?ctNn*n76wy zeehVdKIDEm^9|>n8Ou-2J?F%4wXfe;E(>-vs}58muMyB;kq7>g-)Gl$lpL!YPvx@u zSDm}@AmHF2o83;IY)N9V8RxtE!;582#&P;aSc=))hY%k2W!!>|A~Cpd5jLd<6w4Z2 zdbrfOwUr~|MqRD-$&ptof8&f|4!X!GB~z_gX{WN1?Dk_~U&9GB zH&wmhcD@xY`SITZDDC2{Nf8DIG2tK;9Z{9MK0G)AB0Wkq{IZ5qLpe1@Z%L)A2&7;8 z^n#^#4V($$e&%$65S&Lz$MioXY|)m+-{g@FTAY_kNgJtcLk)eWLeZ^@mR#3xj_K)OrxA`c>0RusqG3|DS7$M zJ|yc*C1fyVrEDn!QJ3eY7wr8V)2mSDyA3D}A~q5#pcOz;eZax9AUAzmCQ~F& zDRRjWB=J(X?xn%6I8cxSMI504k8I(mRZDmzAwye&%OG1f27fg z_0=iYfYV>Y)q;mmI~G)J`hFih%72xrODgGwNE1a8y2=cn_oft4m#yI6^m>GdI1Uf9yXe!`9=~)cM`eK=3LpIqR8Ok z@T(`3UWb^+qXZ8Wndv`Kyn!kX=QAY_nlf8ti_nM|W!a1ECjDk1+BdE;#1K8{=c%Gs zekcTrd*8a<5Nj;33mFohRriZt5VP{tmYYPm#Q@R4JkIA$djyZCC+s|H;s)XeE7XJg z1j?N(Xq9wnS2c`Vq2&{op^f@)w_GIQ-m@<`#s!bu%_dZ}1MZ{ECSKULv^2Wye7iKL zbodX5{XN6s;h!&dB#urPFZs^gxV6gHun{OWHtgD7e@~#XCvm1Pwdwuz-E>}31f_23`MFgL3qG)wLPvn0Q{b<;y=@6WV$;P0bCq${I2d3Kg z-HrRDr=L9N*~Kb+nGRLa0ZTSreeu0PcECVv|D-q1bdrmOpN$h`Ovx_6^t!4DDCjFi z6j^^4IvmF>FqTj}jSapwrp3!;+6lT_II6=4Wx^PpqdQLr?>$Y|~ zi$xOG7UOGIG<af=?#el7_Opp;Gl2v)sxmS*9UFXv#5sTL zx($@g0ecAmO8q&FIL58nbR_-;ViPc=xt(RuE0A>g-@YVja0z?{N&N1i*Z01hbykB;W4y>5Bj~UQPezzU&u3 z9oqf0dZNYk|3MYq{{_Vu@uC%Dj8a;c0>9Z4+3BGHcz-;`^z1q4ndYUDK`@YjK^PH{%Lu`FS?S z)&Hq$t_!?g&{s;103yz86Ble|W;7Kao98`}39P4)~7#UWLxjVI3-<(_V zR1TAUT(<~RqyGQ;H?8_hik;tJ_|?cQt?T(V9d-(>$@3pCGb*PTO2igTpB=VmB9;gA z&9gU?QFxkuC*O}gZ^)Win>1YP~=&5}y56nHewF0$hE3GNZ} zOXL6)dj>ENuCjuGGX%HT-VdwvfIPhJ!(mhyS>Q8LXem63kRe2giOIZcnHGNABxWVs zE|eXa&GF%X?VYKq36iE*{{+$pl%Z^c~`TIq85Y9_a#OF5@qMr7l||5!c7;6aEIX(8-S;NwD9(1ko&e|&dPARxPbQcY7T$vn6xBUR={|7RsY+YE$ZLJ zaMaq_`4wCDJbT76Yjtl)B3`NSV}cF{Q$p3I2vcwW+}msYsVHBQ=FKYhp}JwjajG5i 
zbBx|MfA&XV;{-%vy|~rOL22fMG9$12mUd?>GcfIp1`7ou2xu-FtG?pdskN_i`DL{& zaa^T$Ugm9zCHW`ofZjZXokR z555M!NADNCO0vP=DVyAnf4;!TKNuRQ7`gC{iAms870Tjh0e|nqG_H5k&fw;a)`^zb zc!OP$N9eBW*{7+hWH12}EmZC$=Mdf@gs`y^Np$)iPzg{krX&75BMb)UXTW~$ZLE!Y zo=DY2->nzG0Q2I&XWjs#RD-DtcGAG>prIb}{QFD#oxnn-qRUfXF_BuDB)L9O{)r0{ zHQ#J^N20nCB}c@eMGm$%PKR7+(O)X_?6jzvmWgzetZoTeBD}LBF*RsMmSH0187A5! zkzs+V+5BNMw{{s-+^j1JT6EQeh|LQHF4%LBbI1VvW~t5N-|-C6ObV=vNkX&<;UGjW z)E;&ue+5_#$m&r($QD5BtJS;b?7HjQMB*o|CBu>jvkvrn+O}^&dxKLZ$>;-Za#W7X zt91+SxvcWh9N$p3uNOe}o2(GKKXMNblE^;^4OI7Hq}-iWHx=U_%TqBAs|*bVq-H(I z%;*DSaw5LCO$^Plo*vh;8AdBDmuPtRwdx5`_mZsv0f72R&!p|a3vhH;IGw;LB(fgpBUO{R`n;JVKkCP-XKaF^0FuBg>3-IGKW`S6DCGyN2 zQs!Y7?ZmQ+pmj(>jMA@`f=BE|S9-5&pK<_#?6_LYfJye{g)WWwe2)OTFFndNzFb!` z?Bk3|fX{I40aOrl#Ez7%%`!r~b^a9o;tnO28vMYN1#A zC3sjZ9Ub@V7U^`-#Dm!@9S}rA=v~fH2(6oAO$Q93UK-l~_VWL7I z$FEI@W$ID00|Ph?5oiItY_U`&{K|K#ufO}gK^flt>em(e+RlJ_fIZHTq6T1~FMz3W zARu|q+re2=Y*1ev8UfNV3zT+pl!+ye%1WxMC+-1!prlJRe+=s+-F{TY>vA%HzDh;# zuG#R=-T^3n#64r(hv~T6yJoL+JsW>@(08(rV3nB95FT>DZU?j~lw1glzFzJ{-gbzR z`lU`QZkJj6gzMBe?AeYIl^CBf9rxboP;win82GN2HSopb^>#XFo}5FJ1BegIg!n^? 
zsLNhQPsHafGrvb@^EMZ2S5LIqpSZ^)iCgmxRo&Q*0apQ-nOXPt!Qddjd)ckAS3?Ki zy1}%J+y9PzO182a&RfgTY?Qdre%kEcyHxPU~6knl(dHuM-EzeSI2=;r3E?h$@JlLw~y+_YA#%+o0BsB=( zS~f>|urQE10n9Gh^zRebLi7us-jxo@`(+fEi#^edIzb0+ix%Q+Ytprv7-JyYbtsg4 zZ6I5ya@&SP;k)M+sEXfs$H<=-*RIVz`L!qTD~W@U*6q%ZPzO8zbgZfiH!~~XMB!du(?!0Ro`AGERA10tWTyk%=7jyYbs4Qr8{byVWP(x1X z4a9lK-YQ*XW~neS+!I*&GFHNS;r-&9clvfZqGcqx#qDVN`M$ytyyAt=<8SyyndaGt zxHuMXzY=97hGPg=E^{(m_c3Cy_i4s3=gnfjCrBs)8LyOKq-wY!YDJeyL65;V1(IE|FN4wj&{e$k#2` z@v1joiW{bUcI)pah`m`5;b?UZyh=91yGN(TO=K+PoC~;?YHr~;nXS|=un)|lf{Z98 zmea_?rR^|?qRaibs_goPJ}J|u);#}!nmS&WpsL8Q(}B{Y!fuz|z7w~@5=cSmT7|1} zi8|m5WM89_~1M>1JbIxoI?5YTnF^Q_$dsXQOIiJtKTbhO4cNoz)77KNaQ; z%ilXXFwfk~(NdfU(K4a;WI-us8U)MH2cgPt^uRZ3SRuqO%z2~{oTyh1jc74+ok**& zd!>Hi{hot1b5?KD0!!di(qTCDHlngu(xb??3I2@3CgWi`sX4M z9VLF7d*HHL{>$rLC)8tuc+!B#o?q}cbRkk-bjxGu{Fa}cCo@-T5YYna1=QW&t6TOIe1PS#%9aw?eEbv=GEW7;5CD+OW>>NB^a3Cawn_S)cxKLWab4)TGe-@?*#dyor4_nDI~4{G5%JZA}sZ`5@3QB2n)lvH?rquX083=YU^H% z3}|M_ZMaV>F6zeuY3o3FNWC`EDTH{)ay0f_GsfvPoQ*0lp=zy;zx>ASnXhV#nMGLB zy~M`HiN5Uo?716oBl@K1MUrR)!CHDjZ@j!TH-KyC-JSlt?R6b(XU3J0C@fRpV`APE z2Ul$)CHNnZTt7er^DIYcP&5gSZ%UELi)L@GX0nf2&NQ}lb6tF24W8rZ2e=EVWq1)^ zo1NiWlt;iXCnvOoVZF9Ta!+tNRi7MJ4ph3_OW!QJK40+jM7X@D>R0!>@mat@w1#0f zHH9J&sN4EuVvAx@QJIyMNLYd*97t#qM4A z`(*I8Z3t9-<97mx4m^UKTHb{P6%Q0-VDDeVBgP&zWi2s%OYk3}WomJ_5U^1b=LM6_ z%9sAc$mo9Ww)%p$Ma-g{<1F!qQCemmOTfW0o!R!ffRk1Hn*f*N{lQ-ziIV{M*F}DF zpi2(RpEN?{&Og~eFsEK}?bfs_GMR(b23GsJct7)0NcjUhNvt%K@Tg6RFuAb}Hx879 z3I%c!wAKE&95+81^bj_CIaGDkn5BZ%;Q8zN>m#+#>62~eE58SenQxeKo(ZpZS%t+j zeB>{_wl8Ks%GCcJpdoo@u@j+DEdeE$W0nGBS{k(Kt{LDc!*e`lKa_%dgVodqa2oSz zr+%=;ILcc>KCapHEg6H&$wm~d8zlg}G+=}qu_hc#(r<+0!|)N{_k!afd~=czshXaa!gF)Cd^;}eu}xA02g!a! ziWTsJagg<>5L-SQ-Pz!yy373oZ$>afa@%m$DP$oY3?!_GaNr-Ow2#+(*b<$v%#*u{ zc8VE}+6j2`e#8T=MeoZ_h*=iRH3GJ$QG7PL(=A#$M0z7wvW-Ypi(>sNkUgxbn+fU? 
znDp4)-?YX=V(rk8(~wN5gA8A%5-r1)j?>GDmE)JU3TIlaXt@w|~NBS zmByVjMrfttE`A^6=J9$K{*!RztP<_C6bAz)|?-(6HxPqn_MgusG1EMi3`D_TyY9 zuJ26_L^RjG{2ewayDefSuOqtBu+15GkF*-CYUu4|Y1!hE|B4*#6n%A%`HK#S{gnG$ zAc8ajjGO?f!SvkHc+JLwWXWvckDJd@q=ewbCkw6wIWy4DkQML?V5Hdtl27CWe$dG8 zfrs2?U=M#vg(kHCLk1rNkTVH0s^c|f>VFPk12CWYI}Q6Lv+2h_4)j_h?vXX|aX0Z7 zv`le_Dq8xvUo5(N{0Q%q;Ht>_12j1Yv%vS=efW(nTK;^U&c#O}43eJ5Ca0bNtnzKq z`Z#+c_n@6rZ_tkev6+{+>3Pcns@$7CVXUFub;?+c%Z#Lmp^Zl;Nc4 zV(1x+KC!+R#yb;e{9P*mZ*=6%62mQ0I%XI*;%Hu<0~n)kCiowY%m{V7Q=LyBsTiCv zvc4x(*N_O=P@5xSsb`f{{#<0lYg)QsF5A}BJ=huA5WKjYY8N8+6Cw!|jQX8}mMjU} zUtPiXC2zAnaDR77z*axIAN&wt$Nec;R03o|SJn>`w<<>YHmkTG4=>^YhEQAEbAQGs z@S3y)SbUrGf{=^)q|3=k%cs=5UKFxx{YZ3?88rB#jgh=zN)(2l^P2qJQ1JnLnSaLX zkM8?+9hFbfd)sXEJ~(G>$;sBAmrM725_RQOw){ZQ`7_rbKlk`vYgrbNg$^FnkswKx zwR4}i`CB?tSbtP}6(OaQ)y>GwBpJ(b_QD`M%Yvq#H|K!e?UAQnblUf_*|1T77nGJ8 zv9u4;$OU_*@;rWLb}OHb^G-|8=6-YaSoGoPrrjhK=) zK5{rJe&NLa9Ai(}LB_^Oq{XY#gtv+;zy&jBA@K0f<2p<}_0DK%=~h8qJmG%0W+dTN zi5Oe#6%mvmh=MqXCUX#A(U4136I#GQ#u5ORqOPf_{aJktkTQ(PP+$b7XrCp8c;(*p zp(SGBP-CSnk%nn`h&Sfw({N}@D4sLFb)flCEG5x!Zal;v*IzMDj_4Dd$jk#gulcHA z8aFtzbT7b^LavS60j<%6slueb?xPGk=b)BFw};ehpS^65x@h5~S%Ve5H(1@kuySIr zxjE$eYx9)XdtdRb)dUOV$P!?&!$3f5$=7*XjS+JwfIf-p#?dkM4FUWa{I-Z;aTY;;Q+#G9pUoV6d?c?^V)A6-+o?GETVfx zdQKwtz^#RG(`K8ZO=Tmcb)tn``O>!&wNrZD#mhy4#TuS37B8FiV!7z5lswX7(HE_%&29Sgvb+4}YOcJ8{r1e1%6FDB z``H}tgB1YLHA$WJb_=?vV&iKQMMBW;xJP0C$N=2#ob=r$klbDt%gi^;gR6*{v&(f2 z(Y@kH-8~|P&9TB)IsjZ^r6)KZ5Lio_DbkQ#fbu1Al&LfI?{V$xiZ{@@QB=ZygK{_G zC>ee?P>NQfWmK@9dJOJ1H+wX8`A+Ad^2Oa8w%!$q2-x-s4YOXrgK-jG3+oh7=~SP{ z(je9tolh=>e9egs-jWMdKhYZ6-zerIhEt$OqP{u;Z9GO33wR+Wk;A{01@|=t=M-iB z=qhx1Py&@77QJ}rG+x3DSEGLg@0gcjH-@+Wm9$z@gXVJqLd#y07#9Pv_ilHP^MX*z#Wtrjcfol#0XxKn z#X4y8*|Vm5U+J5mC$tRc@+{T&ACPq|j3yS{c8)llc^ZS)R=m@Mx-2x2PgU0* zpg@Q%K&(+sHy-Ij?aw^=2Q+r3WOwCk{$HEUCwYliyq=9Ke|iHX@~y!)?-R5=mkQsu zXfMG}a_5`RM?Ld%>-`~YI`G=|Ayu>9KCAFFRs*#pN#aZ!(a7Kah(k?F&K+%i3l2j% z5fVD#u@Ig*BDSX{dV+o>dh?}PkK`Anl^!ul?0jZh%Bh7vIe=BC-4HP$O7boCV$@Y% 
ziM6kDI$(LS{y`);ZYjgOrnz|qfI%a(_(DlBRS^%AF^8{3j{q<4!Zs=Tpv^U+NbK|k zTGD?a1Ee6K!~9KBiN$#~w`tShi{x`nOZcb(3S{0g`GDy=5K8h{Vcia1aN_(xGiK!2u<-ILwLaxU~0 z1b@e={{THuJa^&wUWc~;RR#VeP=lOL(F%l2tPuOcvgG7$y{(z<=_Rc8bDR-!aipCJ z1e5e1S5830H;&tqHD)bl7YyaOrC$zsgbQ?Ja}@sraw}6?+-MWVahjLeS0{mJX2_sP zrr(}$R@^*r=3|LCd_u@3U4&}uf$(*X5mv9Vm*eF(V^@Am>iFY2|B;w>;7W8`M<$q( zY+YYk)@O*+B*|Tnc*mSQ7{mrbAde&gg-T4`T6*-KhQ`ogMFsj!brP9zl9`B_;-(w1 zLJv3^=`QBz8gOqB{gP|lw9nfF_w2Q&Wlib>4#8Q^Y-U**CLb$K74|^DL{#_hS~NFY zzi>+7J?Ufq@Z29W#t_)GY*rxBL!E9U6A38J7Eu>07pe-Wscwq&1}oHW-X7{JoEMra z&;+Mi#{NrDzT9b!=ld!mmR(OrwUVMiPQFP*_b5OuNFvKVYD%{?TEsEu7X3pH$QHy@YRBcQ=hk`*W|I+%e!`zy(jhcPv%ij}L)8 zXAHTqejT%iovL26NiO@X;iaxI{6&F~nQ6#>270B#B0V?NQl-g)h_p}o|3n3!Ai zqjyeRrBMEp=9b3j z@A>Hu(>xFM1Y~~8B{q`%C<^4$x}~nilnqDjHcg)7q1`jfm(E=2T1VL7>wDe9=}I*8 z)}A%<`gE5`!}-r5A}TAl60I-HbcXfE`3eKTIQqa1SlGEG_hT~pACTd%^5%mU;2VR$ z!rGii9iPQ$ka^1ig#)>AY17lX$w-sMFyEyxS<~by*F_mnmf?ve_h~rrM35qSgyIlg z>Xqx~6`b7o)8#iWN9(fdXqhm5rwap$4Ow6=Ue1R;e)98Z3GU_$a6~!XD6-Z_@gSR% zI2)mSOYY`xQd=L#z4~N5C)%X`#eSLU1Gd9n)c(SK;HDUq><+6Xir7b{cx%44$&U9V zn@t1W?!gjBi7q%}%fqEsU$fAWhpnkcWt(|(Z8xN9oEzFDQcrqgKG69#j%C8NeDgN4 zB;Jk`%ot~U=sc@_;UxGy(SI+S!;NUR=}zMAI`82!-C}zDt3{U6f*^P0e&1zmK!U}w zW;>cEn2$c1_JFM3Z6g>zb3dIg(O3LRP_F!g+YIktkEpi0wlUCBgT-L9!W?pnmq0nh zH&kts2Yu`$HeLAJbs@qX>x7-66_VIv$_(+wFT07I#o-RK*MFZV(mo4(fCPvvSwj&- z)tLyqh7x+)=p-bDN*x5nw27 z^$ipNZfDaIQNaV=qlIV&QIf4x6Nk#LktLgairt#8DVFEy__FDaq8Itr3;*+x6;C