From c2024205fb919c05d5fce698590f4f6f7c59f3af Mon Sep 17 00:00:00 2001 From: Alexander Daichendt Date: Sun, 25 Sep 2022 20:40:46 +0200 Subject: [PATCH] feat: add ldap blog page --- src/routes/blog/lldap-caddy/+page.md | 142 ++++++++++++++++++ .../blog/lldap-caddy/lldap_overview.png | Bin 0 -> 43082 bytes 2 files changed, 142 insertions(+) create mode 100644 src/routes/blog/lldap-caddy/+page.md create mode 100644 src/routes/blog/lldap-caddy/lldap_overview.png diff --git a/src/routes/blog/lldap-caddy/+page.md b/src/routes/blog/lldap-caddy/+page.md new file mode 100644 index 0000000..c87b431 --- /dev/null +++ b/src/routes/blog/lldap-caddy/+page.md 
@@ -0,0 +1,142 @@ +--- +created: '2022-09-24' +title: 'Securing a Caddy endpoint with LLDAP' +description: '' +keywords: + - LDAP + - Caddy +--- + + + +For my small home network, I was looking around for a solution to synchronize user +accounts across services. I host various services like a file server or smaller web +applications that are accessed by my significant other and a couple of friends. In the +past, I manually created accounts and passed on the password, which is slightly tedious. +Another pain point is, that my web applications are unsecured at the moment. I would like +to have an SSO login screen before being able to access a service. As a reverse proxy, I +already deployed [Caddy](https://caddyserver.com/). + +After researching I found out that for me and the services I am running, LDAP would be the +best choice as it has the best compatibility and appears to be the industry standard for +this kind of problem. Looking for a server proofed hard: most of them are rather heavy +with lots of functions that I don't need or are tedious to configure. Consequently, I +searched for a lightweight server and found one: +[LLDAP](https://github.com/nitnelave/lldap) is exactly what I was looking for. The project +includes a lightweight LDAP server, which only supports a bare minimum of features (users, +groups). Passwords can be reset by users in a small - admittedly ugly - web interface. +Perfect for me. For locking down web applications there is +[caddy-security](https://authp.github.io/) - an addon that allows interaction with LDAP +before granting access to a site. + +## Setup + +Since I installed a Caddy Docker image with caddy-security already integrated, I did not +have to do anything else. For example, [Alexander +Henderson's](https://hub.docker.com/r/alexandzors/caddy#!) image comes with several useful +modules preinstalled, that I require for other projects anyway. 
If that's not an option, +you can easily create your own Docker image including caddy-security. + +The installation is quickly done with Docker. I mounted a folder instead of the suggested +volume. The initial password can be reset in the administration panel. I utilize a custom +bridge for networking so that I can resolve my other services with DNS. After that, we can +navigate to http://IP:17170 and are presented with the administration panel, where we can +create users and groups. + + + +## Integration with Caddy + +Assume we have a domain `example.xyz`. You can already create A or CNAME records for the +domains `auth.example.xyz` and `example.xyz` and point them at your Caddy server. + +Now we need to prepare the authentication part in the global block of the Caddy file as +follows. In your Caddy docker-compose file make sure to add the two env vars for +LLDAP_ADMIN_PASSWORD and JWT_SHARED_KEY. The part with search_filter and group is crucial. +The search_filter is the query that is used to find your user object in the domain. Once +it is found, depending on the groups your user is in, groups get assigned within the Caddy +authentication procedure. In this example, a domain user that belongs to the group `user` +gets assigned the `authp/user` group. 
+ +The file is an adoption of the caddy-security documentation[^1] to interact with LLDAP: + +``` +order authenticate before respond +order authorize before basicauth + +security { + ldap identity store example.xyz { + realm example.xyz + servers { + ldap://lldap:3890 + } + attributes { + name displayName + surename cn + username uid + member_of memberOf + email mail + } + username "CN=admin,OU=people,DC=example,DC=xyz" + password "{env.LLDAP_ADMIN_PASSWORD}" + search_base_dn "DC=example,DC=xyz" + search_filter "(&(uid=%s)(objectClass=person))" + groups { + "uid=user,ou=groups,dc=example,dc=xyz" authp/user + } + } + + authentication portal myportal { + crypto default token lifetime 3600 + crypto key sign-verify {env.JWT_SHARED_KEY} + enable identity store example.xyz + cookie domain example.xyz + ui { + logo url "https://caddyserver.com/resources/images/caddy-circle-lock.svg" + logo description "Caddy" + links { + "My Identity" "/whoami" icon "las la-user" + } + } + } + + authorization policy mypolicy { + # disable auth redirect + set auth url https://auth.example.xyz + + crypto key verify {env.JWT_SHARED_KEY} + allow roles authp/user + } +} +``` + +Finally, we need to create endpoints for auth and whatever service we need to protect. +Make sure that the names `myportal` and `mypolicy` match with the previously declared +ones. Note: the `import tls` originated from my globally defined TLS setup and is not +relevant to this guide. + +``` +auth.example.xyz { + route { + authenticate with myportal + } +} + +example.xyz { + root * /config/html + authorize with mypolicy + encode gzip + file_server browse + import tls +} +``` + +I strongly recommend consulting the documentation[^1][^2] for in-depth information. + +Happy authenticating! + +[^1]: https://authp.github.io/docs/authenticate/ldap/ldap +[^2]: https://github.com/nitnelave/lldap 
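Review bot: the identity store binds to LLDAP as the directory administrator (`username "CN=admin,OU=people,DC=example,DC=xyz"` with `password "{env.LLDAP_ADMIN_PASSWORD}"`) over plain `ldap://lldap:3890`, so the one credential that can reset every password in the directory is both held by the reverse proxy and sent unencrypted across the Docker bridge on every login; the post should recommend a dedicated read-only bind account for Caddy and, since caddy-security also accepts `ldaps://` servers, a TLS listener, or at least state explicitly that the setup relies on the bridge network being trusted. Two checks belong next to the `groups` block: the DN `"uid=user,ou=groups,dc=example,dc=xyz"` has to match the `memberOf` value LLDAP actually returns character for character (LLDAP's own README shows group DNs in the form `cn=<group>,ou=groups,dc=...`), otherwise no `authp/user` role is ever assigned and `allow roles authp/user` denies every login without an obvious error, so suggest an `ldapsearch` against the running container before wiring up Caddy; and `surename cn` in `attributes` is not the `surname` key the caddy-security LDAP docs use, so verify with `caddy validate` that the config loads as intended. Minor: the comment `# disable auth redirect` above `set auth url https://auth.example.xyz` says the opposite of what the directive does (it sets where unauthenticated requests are redirected), and `description: ''` in the front matter is left empty.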
diff --git a/src/routes/blog/lldap-caddy/lldap_overview.png b/src/routes/blog/lldap-caddy/lldap_overview.png new file mode 100644 index 0000000000000000000000000000000000000000..88dc2fdcec781a0d65eb6de1bd3f16deb2ea6e6c GIT binary patch literal 43082