From f270ab83f1257b9f894c5a08a74d0642c7226567 Mon Sep 17 00:00:00 2001 
From: Ori Hoch Date: Wed, 24 Jan 2024 16:15:21 +0200 Subject: [PATCH 01/22] migrate anyway to docker compose --- apps/anyway/.env | 6 + apps/anyway/Chart.yaml | 3 - apps/anyway/README.md | 52 ++++--- .../anyway/bin/anyway-minikube-one-command.sh | 8 -- .../migrate-anyway-dev-from-hasadna-nfs.sh | 9 -- .../bin/migrate-anyway-from-hasadna-nfs.sh | 9 -- apps/anyway/compose.yaml | 100 +++++++++++++ apps/anyway/nginx_anyway_proxy.conf | 6 + apps/anyway/secrets/.gitignore | 2 + apps/anyway/secrets/airflow-db.env.template | 1 + .../secrets/airflow-scheduler.env.template | 11 ++ .../secrets/airflow-webserver.env.template | 2 + apps/anyway/secrets/anyway-db.env.template | 1 + apps/anyway/secrets/anyway.env.template | 29 ++++ apps/anyway/secrets/db.env.template | 4 + .../templates/airflow-db-deployment.yaml | 36 ----- apps/anyway/templates/airflow-db-pvc.yaml | 12 -- apps/anyway/templates/airflow-db-service.yaml | 12 -- .../templates/airflow-etl-data-pvc.yaml | 12 -- .../templates/airflow-home-data-pvc.yaml | 12 -- .../airflow-scheduler-deployment.yaml | 100 ------------- .../templates/airflow-scheduler-rbac.yaml | 31 ---- .../templates/airflow-scheduler-service.yaml | 14 -- .../templates/anyway-main-deployment.yaml | 64 --------- .../anyway/templates/anyway-main-service.yaml | 12 -- .../templates/anyway-reports-deployment.yaml | 24 ---- .../templates/anyway-reports-service.yaml | 12 -- .../anyway-secondaries-deployment.yaml | 64 --------- apps/anyway/templates/anyway-service.yaml | 12 -- apps/anyway/templates/db-backup-cronjob.yaml | 33 ----- apps/anyway/templates/db-deployment.yaml | 62 -------- apps/anyway/templates/db-pvc.yaml | 12 -- apps/anyway/templates/db-service.yaml | 12 -- apps/anyway/templates/github-pull-secret.yaml | 7 - apps/anyway/templates/ingresses.yaml | 33 ----- apps/anyway/templates/nginx-configmap.yaml | 12 -- apps/anyway/templates/nginx-deployment.yaml | 33 ----- apps/anyway/templates/nginx-service.yaml | 12 -- apps/anyway/templates/secrets.yaml | 9 -- 
apps/anyway/values-anyway-auto-updated.yaml | 12 -- apps/anyway/values-anyway-dev.yaml | 103 -------------- apps/anyway/values-anyway-minikube.yaml | 14 -- apps/anyway/values-anyway-prod.yaml | 133 ------------------ bin/render_env_template.py | 34 +++++ 44 files changed, 221 insertions(+), 960 deletions(-) create mode 100644 apps/anyway/.env delete mode 100644 apps/anyway/Chart.yaml delete mode 100644 apps/anyway/bin/anyway-minikube-one-command.sh delete mode 100644 apps/anyway/bin/migrate-anyway-dev-from-hasadna-nfs.sh delete mode 100644 apps/anyway/bin/migrate-anyway-from-hasadna-nfs.sh create mode 100644 apps/anyway/compose.yaml create mode 100644 apps/anyway/nginx_anyway_proxy.conf create mode 100644 apps/anyway/secrets/.gitignore create mode 100644 apps/anyway/secrets/airflow-db.env.template create mode 100644 apps/anyway/secrets/airflow-scheduler.env.template create mode 100644 apps/anyway/secrets/airflow-webserver.env.template create mode 100644 apps/anyway/secrets/anyway-db.env.template create mode 100644 apps/anyway/secrets/anyway.env.template create mode 100644 apps/anyway/secrets/db.env.template delete mode 100644 apps/anyway/templates/airflow-db-deployment.yaml delete mode 100644 apps/anyway/templates/airflow-db-pvc.yaml delete mode 100644 apps/anyway/templates/airflow-db-service.yaml delete mode 100644 apps/anyway/templates/airflow-etl-data-pvc.yaml delete mode 100644 apps/anyway/templates/airflow-home-data-pvc.yaml delete mode 100644 apps/anyway/templates/airflow-scheduler-deployment.yaml delete mode 100644 apps/anyway/templates/airflow-scheduler-rbac.yaml delete mode 100644 apps/anyway/templates/airflow-scheduler-service.yaml delete mode 100644 apps/anyway/templates/anyway-main-deployment.yaml delete mode 100644 apps/anyway/templates/anyway-main-service.yaml delete mode 100644 apps/anyway/templates/anyway-reports-deployment.yaml delete mode 100644 apps/anyway/templates/anyway-reports-service.yaml delete mode 100644 
apps/anyway/templates/anyway-secondaries-deployment.yaml delete mode 100644 apps/anyway/templates/anyway-service.yaml delete mode 100644 apps/anyway/templates/db-backup-cronjob.yaml delete mode 100644 apps/anyway/templates/db-deployment.yaml delete mode 100644 apps/anyway/templates/db-pvc.yaml delete mode 100644 apps/anyway/templates/db-service.yaml delete mode 100644 apps/anyway/templates/github-pull-secret.yaml delete mode 100644 apps/anyway/templates/ingresses.yaml delete mode 100644 apps/anyway/templates/nginx-configmap.yaml delete mode 100644 apps/anyway/templates/nginx-deployment.yaml delete mode 100644 apps/anyway/templates/nginx-service.yaml delete mode 100644 apps/anyway/templates/secrets.yaml delete mode 100644 apps/anyway/values-anyway-auto-updated.yaml delete mode 100644 apps/anyway/values-anyway-dev.yaml delete mode 100644 apps/anyway/values-anyway-minikube.yaml delete mode 100644 apps/anyway/values-anyway-prod.yaml create mode 100755 bin/render_env_template.py diff --git a/apps/anyway/.env b/apps/anyway/.env new file mode 100644 index 0000000..0f1e59c --- /dev/null +++ b/apps/anyway/.env @@ -0,0 +1,6 @@ +PIN_DB_IMAGE=ghcr.io/hasadna/anyway/db:sha-6dfd43b +ANYWAY_IMAGE=ghcr.io/data-for-change/anyway/anyway:sha-e43df45 +AIRFLOW_IMAGE=ghcr.io/data-for-change/anyway-etl/anyway-etl-airflow:v0.0.54 +ETL_NGINX_IMAGE=ghcr.io/data-for-change/anyway-etl/anyway-etl-nginx:v0.0.54 +REPORTS_IMAGE=ghcr.io/data-for-change/anyway-reports/anyway-reports:sha-ff0aa3b +NGINX_IMAGE=ghcr.io/data-for-change/anyway/nginx:sha-e43df45 diff --git a/apps/anyway/Chart.yaml b/apps/anyway/Chart.yaml deleted file mode 100644 index dda9bce..0000000 --- a/apps/anyway/Chart.yaml +++ /dev/null @@ -1,3 +0,0 @@ -apiVersion: v2 -name: anyway -version: "0.0.0" diff --git a/apps/anyway/README.md b/apps/anyway/README.md index 412604e..0295458 100644 --- a/apps/anyway/README.md +++ b/apps/anyway/README.md 
@@ -6,43 +6,41 @@ https://docs.google.com/presentation/d/1bXkcCgsXUr1FQA7hCZdb5_m7IXIiP1UixuOHuV88 ![](image.png) -## Initial Deployment +## Install -* Create secrets - * set env vars with the secret DB values - * `POSTGRES_PASSWORD=` - * `ANYWAY_PASSWORD=` - * `DBRESTORE_AWS_ACCESS_KEY_ID=` - * `DBRESTORE_AWS_SECRET_ACCESS_KEY=` - * `DBDUMP_AWS_ACCESS_KEY_ID=` - * `DBDUMP_AWS_SECRET_ACCESS_KEY=` - * create the DB secrets: - * `kubectl -n $NAMESPACE_NAME create secret generic anyway-db "--from-literal=DATABASE_URL=postgresql://anyway:${ANYWAY_PASSWORD}@db/anyway"` - * `kubectl -n $NAMESPACE_NAME create secret generic db "--from-literal=DBRESTORE_SET_ANYWAY_PASSWORD=${ANYWAY_PASSWORD}" "--from-literal=POSTGRES_PASSWORD=${POSTGRES_PASSWORD}" "--from-literal=DBRESTORE_AWS_ACCESS_KEY_ID=${DBRESTORE_AWS_ACCESS_KEY_ID}" "--from-literal=DBRESTORE_AWS_SECRET_ACCESS_KEY=${DBRESTORE_AWS_SECRET_ACCESS_KEY}"` - * `kubectl -n $NAMESPACE_NAME create secret generic db-backup "--from-literal=DBDUMP_AWS_ACCESS_KEY_ID=${DBDUMP_AWS_ACCESS_KEY_ID}" "--from-literal=DBDUMP_AWS_SECRET_ACCESS_KEY=${DBDUMP_AWS_SECRET_ACCESS_KEY}" "--from-literal=DBDUMP_PASSWORD=${POSTGRES_PASSWORD}"` - * Create the anyway secret (see the anyway production docker-compose for available values, or leave it empty just for basic testing) - * `kubectl -n $NAMESPACE_NAME create secret generic anyway` +Set env vars for Vault access: -## Deployment - -* For local deployment on Minikue - use Helm to deploy this chart with the values file `values-minikube.yaml` -* For production deployment - Use ArgoCD, see [/docs/argocd.md](/docs/argocd.md) for details. 
+``` +export VAULT_ADDR= +export VAULT_TOKEN= +``` -## Enabling the Airflow server +Set secret values: -Set the following values in `anyway` secret: +``` +bin/render_env_template.py apps/anyway-docker/secrets/anyway.env.template > apps/anyway-docker/secrets/anyway.env +bin/render_env_template.py apps/anyway-docker/secrets/anyway-db.env.template > apps/anyway-docker/secrets/anyway-db.env +bin/render_env_template.py apps/anyway-docker/secrets/db.env.template > apps/anyway-docker/secrets/db.env +bin/render_env_template.py apps/anyway-docker/secrets/airflow-db.env.template > apps/anyway-docker/secrets/airflow-db.env +bin/render_env_template.py apps/anyway-docker/secrets/airflow-scheduler.env.template > apps/anyway-docker/secrets/airflow-scheduler.env +bin/render_env_template.py apps/anyway-docker/secrets/airflow-webserver.env.template > apps/anyway-docker/secrets/airflow-webserver.env +vault kv get -format=json kv/projects/anyway/prod/k8s-secret-anyway | jq -r '.data.data["GOOGLE_APPLICATION_CREDENTIALS_KEY.json"]' > apps/anyway-docker/secrets/GOOGLE_APPLICATION_CREDENTIALS_KEY.json +``` -* `AIRFLOW_DB_POSTGRES_PASSWORD`: Generate a password (`python3 -c 'import secrets; print(secrets.token_hex(16))'`) -* `AIRFLOW_SQLALCHEMY_URL`: (replace AIRFLOW_DB_POSTGRES_PASSWORD with the password you generated) `postgresql://postgres:AIRFLOW_DB_POSTGRES_PASSWORD@airflow-db` -* `AIRFLOW_ADMIN_PASSWORD`: Generate a password (`python3 -c 'import secrets; print(secrets.token_hex(16))'`) +Run: -Enable airflow by setting `enableAirflow: true` in the relevant environment's values +``` +( cd apps/anyway-docker && docker compose up -d ) +``` -Deploy +### TODO: db-backup-cronjob +### TODO: ingresses +### TODO: airflow execut via kubectl exec - modify to execute in docker compose +### TODO: check anyway nginx proxy and configurations - for new docker compose hostnames ## Enable DB Redash read-only user -Start a shell on DB pod and run the following to start an sql session: +Start a shell on 
DB container and run the following to start an sql session: ``` su postgres diff --git a/apps/anyway/bin/anyway-minikube-one-command.sh b/apps/anyway/bin/anyway-minikube-one-command.sh deleted file mode 100644 index e7c701c..0000000 --- a/apps/anyway/bin/anyway-minikube-one-command.sh +++ /dev/null @@ -1,8 +0,0 @@ -source switch_environment.sh anyway-minikube && \ -kubectl create ns anyway-minikube && \ -bash apps_travis_script.sh install_helm && \ -helm init --history-max 2 --upgrade --wait && \ -kubectl create secret generic -n anyway-minikube db --from-literal=POSTGRES_PASSWORD=123456 && \ -kubectl create secret generic -n anyway-minikube anyway --from-literal=ANYWAY-PASSWORD=123456 --from-literal=anyway_password=123456 --from-literal=FACEBOOK_KEY=123456 --from-literal=FACEBOOK_SECRET=123456 --from-literal=GOOGLE_LOGIN_CLIENT_ID=123456 --from-literal=GOOGLE_LOGIN_CLIENT_SECRET=123456 --from-literal=MAILUSER=123456 --from-literal=MAILPASS=123456 --from-literal=newrelic_key=123456 && \ -./helm_upgrade_external_chart.sh anyway --install --debug --dry-run && \ -./helm_upgrade_external_chart.sh anyway --install diff --git a/apps/anyway/bin/migrate-anyway-dev-from-hasadna-nfs.sh b/apps/anyway/bin/migrate-anyway-dev-from-hasadna-nfs.sh deleted file mode 100644 index 594c41a..0000000 --- a/apps/anyway/bin/migrate-anyway-dev-from-hasadna-nfs.sh +++ /dev/null 
@@ -1,9 +0,0 @@
-#!/usr/bin/env bash
-# this script is used to migrate the anyway-dev storage from hasadna NFS to AWS pvc
-# it is intended to run from hasadna's NFS server
-# it's recommended to stop the relevant workloads which use the pvcs before running this script
-
-bin/migrate_data_to_aws_pvc.sh /srv/default2/anyway-dev/airflow-db anyway-dev airflow-db 20Gi &&\
-bin/migrate_data_to_aws_pvc.sh /srv/default2/anyway-dev/etl-data anyway-dev airflow-etl-data 200Gi &&\
-bin/migrate_data_to_aws_pvc.sh /srv/default2/anyway-dev/airflow-home anyway-dev airflow-home-data 50Gi &&\
-bin/migrate_data_to_aws_pvc.sh /srv/default2/anyway-dev/db anyway-dev db 200Gi
diff --git a/apps/anyway/bin/migrate-anyway-from-hasadna-nfs.sh b/apps/anyway/bin/migrate-anyway-from-hasadna-nfs.sh
deleted file mode 100644
index 74614cc..0000000
--- a/apps/anyway/bin/migrate-anyway-from-hasadna-nfs.sh
+++ /dev/null
@@ -1,9 +0,0 @@
-#!/usr/bin/env bash
-# this script is used to migrate the anyway storage from hasadna NFS to AWS pvc
-# it is intended to run from hasadna's NFS server
-# it's recommended to stop the relevant workloads which use the pvcs before running this script
-
-bin/migrate_data_to_aws_pvc.sh /srv/default2/anyway/airflow-db anyway airflow-db 20Gi &&\
-bin/migrate_data_to_aws_pvc.sh /srv/default2/anyway/etl-data anyway airflow-etl-data 200Gi &&\
-bin/migrate_data_to_aws_pvc.sh /srv/default2/anyway/airflow-home anyway airflow-home-data 50Gi &&\
-bin/migrate_data_to_aws_pvc.sh /srv/default2/anyway/db anyway db 200Gi
diff --git a/apps/anyway/compose.yaml b/apps/anyway/compose.yaml
new file mode 100644
index 0000000..d17c59e
--- /dev/null
+++ b/apps/anyway/compose.yaml
@@ -0,0 +1,100 @@
+x-anyway-command: &x-anyway-command
+ ["gunicorn", "-b", "0.0.0.0:5000", "-w", "4", "-t", "120", "anyway:app"]
+
+x-anyway-environment: &x-anyway-environment
+ PROXYFIX_X_FOR: "1"
+ PROXYFIX_X_PROTO: "1"
+ PROXYFIX_X_HOST: "1"
+ GOOGLE_APPLICATION_CREDENTIALS: "/secrets/GOOGLE_APPLICATION_CREDENTIALS_KEY.json"
+
+x-anyway: &x-anyway
+ image: ${ANYWAY_IMAGE:-ghcr.io/data-for-change/anyway/anyway:latest}
+ env_file:
+ - ./secrets/anyway.env
+ - ./secrets/anyway-db.env
+ volumes:
+ - ./secrets/GOOGLE_APPLICATION_CREDENTIALS_KEY.json:/secrets/GOOGLE_APPLICATION_CREDENTIALS_KEY.json:ro
+
+services:
+ anyway-main:
+ <<: *x-anyway
+ command: *x-anyway-command
+ environment: *x-anyway-environment
+ depends_on:
+ - db
+
+ anyway-secondary:
+ <<: *x-anyway
+ entrypoint: *x-anyway-command
+ environment:
+ <<: *x-anyway-environment
+ ALLOW_ALEMBIC_UPGRADE: "no"
+ depends_on:
+ - anyway-main
+
+ db:
+ image: ${PIN_DB_IMAGE:-ghcr.io/hasadna/anyway/db:latest}
+ environment:
+ POSTGRES_USER: postgres
+ POSTGRES_DB: postgres
+ DBRESTORE_AWS_BUCKET: dfc-anyway-full-db-dumps
+ DBRESTORE_FILE_NAME: 2024-01-24_anyway.pgdump
+ env_file:
+ - ./secrets/db.env
+ volumes:
+ - db-data:/var/lib/postgresql/data
+ tmpfs:
+ - /dev/shm:size=1024m
+
+ airflow-db:
+ image: postgres:13@sha256:6647385dd9ae11aa2216bf55c54d126b0a85637b3cf4039ef24e3234113588e3
+ env_file:
+ - ./secrets/airflow-db.env
+ volumes:
+ - airflow-db-data:/var/lib/postgresql/data
+
+ airflow-scheduler:
+ image: ${AIRFLOW_IMAGE:-ghcr.io/data-for-change/anyway-etl/anyway-etl-airflow:latest}
+ environment:
+ ANYWAY_ETL_AIRFLOW_ROLE: "scheduler"
+ ANYWAY_ETL_AIRFLOW_PIP_INSTALL_DEPS: "yes"
+ ANYWAY_ETL_BRANCH: ""
+ ANYWAY_ETL_USE_LATEST_TAG: "yes"
+ AIRFLOW__CORE__DAGS_ARE_PAUSED_AT_CREATION: "False"
+ AIRFLOW__WEBSERVER__BASE_URL: https://airflow.anyway.co.il
+ env_file:
+ - ./secrets/airflow-scheduler.env
+ volumes:
+ - airflow-home:/var/airflow
+ - anyway-etl-data:/var/anyway-etl-data
+
+ airflow-nginx:
+ image: ${ETL_NGINX_IMAGE:-ghcr.io/data-for-change/anyway-etl/anyway-etl-nginx:latest}
+ volumes:
+ - anyway-etl-data:/var/anyway-etl-data
+
+ airflow-webserver:
+ image: ${AIRFLOW_IMAGE:-ghcr.io/data-for-change/anyway-etl/anyway-etl-airflow:latest}
+ environment:
+ ANYWAY_ETL_AIRFLOW_INITIALIZE: "yes"
+ ANYWAY_ETL_AIRFLOW_ROLE: "webserver"
+ AIRFLOW__CORE__DAGS_ARE_PAUSED_AT_CREATION: "False"
+ AIRFLOW__API__AUTH_BACKENDS: "airflow.api.auth.backend.basic_auth"
+ env_file:
+ - ./secrets/airflow-webserver.env
+ volumes:
+ - airflow-home:/var/airflow
+
+ reports:
+ image: ${REPORTS_IMAGE:-ghcr.io/data-for-change/anyway-reports/anyway-reports:latest}
+
+ nginx:
+ image: ${NGINX_IMAGE:-ghcr.io/data-for-change/anyway/nginx:latest}
+ volumes:
+ - ./nginx_anyway_proxy.conf:/etc/nginx/anyway_proxy.conf:ro
+
+volumes:
+ db-data:
+ airflow-db-data:
+ airflow-home:
+ anyway-etl-data:
diff --git a/apps/anyway/nginx_anyway_proxy.conf b/apps/anyway/nginx_anyway_proxy.conf
new file mode 100644
index 0000000..6ac9b94
--- /dev/null
+++ b/apps/anyway/nginx_anyway_proxy.conf
@@ -0,0 +1,6 @@
+proxy_set_header Host $host;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto {{ .Values.nginxForwardedScheme }};
+proxy_set_header X-Forwarded-Host {{ .Values.nginxForwardedHost }};
+proxy_pass http://anyway;
+proxy_redirect default;
diff --git a/apps/anyway/secrets/.gitignore b/apps/anyway/secrets/.gitignore
new file mode 100644
index 0000000..80f859e
--- /dev/null
+++ b/apps/anyway/secrets/.gitignore
@@ -0,0 +1,2 @@
+*.env
+*.json
diff --git a/apps/anyway/secrets/airflow-db.env.template b/apps/anyway/secrets/airflow-db.env.template
new file mode 100644
index 0000000..e2bf25c
--- /dev/null
+++ b/apps/anyway/secrets/airflow-db.env.template
@@ -0,0 +1 @@
+POSTGRES_PASSWORD="~vault:projects/anyway/prod/k8s-secret-anyway:AIRFLOW_DB_POSTGRES_PASSWORD~"
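Review bot: Every `image:` in compose.yaml except `airflow-db` falls back to a `:latest` tag when its variable is unset (`${ANYWAY_IMAGE:-…:latest}` and the five like it), so running compose without this directory's `.env` (another working directory, a different `--env-file`) silently deploys whatever `latest` points to at that moment. Failing closed is safer: `image: ${ANYWAY_IMAGE:?ANYWAY_IMAGE must be set}`. The pins in `.env` are tags (`sha-…`, `v0.0.54`), which a registry can repoint; `airflow-db` is already pinned by `@sha256:` digest and the other images could follow it. Separately, `ANYWAY_ETL_USE_LATEST_TAG: "yes"` and `ANYWAY_ETL_AIRFLOW_PIP_INSTALL_DEPS: "yes"` on the scheduler look like they fetch code at container start, which would bypass the image pin; that is worth confirming.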
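Review bot: In nginx_anyway_proxy.conf, `X-Forwarded-Proto` and `X-Forwarded-Host` are still set from Helm placeholders (`{{ .Values.nginxForwardedScheme }}`, `{{ .Values.nginxForwardedHost }}`), and compose.yaml bind-mounts the file as-is, so nothing in this commit renders them and nginx receives the literal braces. The app containers run with `PROXYFIX_X_PROTO` and `PROXYFIX_X_HOST` set to "1", meaning they trust exactly these two headers, so the values should be fixed literals for the deployment, for example `proxy_set_header X-Forwarded-Proto https;` (scheme and host to be confirmed). `proxy_pass http://anyway;` also names a host that is not a compose service (`anyway-main` and `anyway-secondary` are), unless the nginx image defines an `anyway` upstream, which is not visible here. The README TODO covers the hostnames but not the placeholders.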
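Review bot: The value in airflow-db.env.template is wrapped in double quotes, and Compose's env-file parser applies `${VAR}` interpolation and backslash escapes inside double quotes, so a rendered secret containing `$`, `\` or `"` would reach the container altered or break parsing. Single quotes are taken literally: `POSTGRES_PASSWORD='~vault:projects/anyway/prod/k8s-secret-anyway:AIRFLOW_DB_POSTGRES_PASSWORD~'`, provided `bin/render_env_template.py` (not visible in this part of the patch) rejects or escapes a `'` in the value. The same applies to every `~vault:…~` line in the airflow-scheduler, airflow-webserver, anyway-db, anyway and db `.env.template` files, and matters most for the URL-style values (`DATABASE_URL`, `AIRFLOW_SQLALCHEMY_URL`) that embed a password.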
diff --git a/apps/anyway/secrets/airflow-scheduler.env.template b/apps/anyway/secrets/airflow-scheduler.env.template
new file mode 100644
index 0000000..1e35fee
--- /dev/null
+++ b/apps/anyway/secrets/airflow-scheduler.env.template
@@ -0,0 +1,11 @@
+AIRFLOW__CORE__SQL_ALCHEMY_CONN="~vault:projects/anyway/prod/k8s-secret-anyway:AIRFLOW_SQLALCHEMY_URL~"
+SQLALCHEMY_URL="~vault:projects/anyway/prod/k8s-secret-anyway-db:DATABASE_URL~"
+IMAP_MAIL_USER="~vault:projects/anyway/prod/k8s-secret-anyway:MAILUSER~"
+IMAP_MAIL_PASSWORD="~vault:projects/anyway/prod/k8s-secret-anyway:MAILPASS~"
+AIRFLOW__EMAIL__EMAIL_BACKEND="airflow.utils.email.send_email_smtp"
+AIRFLOW__SMTP__SMTP_HOST="~vault:projects/anyway/prod/k8s-secret-anyway:AIRFLOW__SMTP__SMTP_HOST~"
+AIRFLOW__SMTP__SMTP_PORT="2525"
+AIRFLOW__SMTP__SMTP_MAIL_FROM="Airflow "
+AIRFLOW__SMTP__SMTP_USER="~vault:projects/anyway/prod/k8s-secret-anyway:AIRFLOW__SMTP__SMTP_USER~"
+AIRFLOW__SMTP__SMTP_PASSWORD="~vault:projects/anyway/prod/k8s-secret-anyway:AIRFLOW__SMTP__SMTP_PASSWORD~"
+ANYWAY_ETL_ALERT_EMAILS="~vault:projects/anyway/prod/k8s-secret-anyway:ANYWAY_ETL_ALERT_EMAILS~"
diff --git a/apps/anyway/secrets/airflow-webserver.env.template b/apps/anyway/secrets/airflow-webserver.env.template
new file mode 100644
index 0000000..f8877fc
--- /dev/null
+++ b/apps/anyway/secrets/airflow-webserver.env.template
@@ -0,0 +1,2 @@
+AIRFLOW__CORE__SQL_ALCHEMY_CONN="~vault:projects/anyway/prod/k8s-secret-anyway:AIRFLOW_SQLALCHEMY_URL~"
+ANYWAY_ETL_AIRFLOW_ADMIN_PASSWORD="~vault:projects/anyway/prod/k8s-secret-anyway:AIRFLOW_ADMIN_PASSWORD~"
diff --git a/apps/anyway/secrets/anyway-db.env.template b/apps/anyway/secrets/anyway-db.env.template
new file mode 100644
index 0000000..6346ac3
--- /dev/null
+++ b/apps/anyway/secrets/anyway-db.env.template
@@ -0,0 +1 @@
+DATABASE_URL="~vault:projects/anyway/prod/k8s-secret-anyway-db:DATABASE_URL~"
\ No newline at end of file
diff --git a/apps/anyway/secrets/anyway.env.template b/apps/anyway/secrets/anyway.env.template
new file mode 100644
index 0000000..c0e4c1f
--- /dev/null
+++ b/apps/anyway/secrets/anyway.env.template
@@ -0,0 +1,29 @@
+AIRFLOW_ADMIN_PASSWORD="~vault:projects/anyway/prod/k8s-secret-anyway:AIRFLOW_ADMIN_PASSWORD~"
+AIRFLOW_DB_POSTGRES_PASSWORD="~vault:projects/anyway/prod/k8s-secret-anyway:AIRFLOW_DB_POSTGRES_PASSWORD~"
+AIRFLOW_SQLALCHEMY_URL="~vault:projects/anyway/prod/k8s-secret-anyway:AIRFLOW_SQLALCHEMY_URL~"
+AIRFLOW__SMTP__SMTP_HOST="~vault:projects/anyway/prod/k8s-secret-anyway:AIRFLOW__SMTP__SMTP_HOST~"
+AIRFLOW__SMTP__SMTP_PORT="2525"
+AIRFLOW__SMTP__SMTP_PASSWORD="~vault:projects/anyway/prod/k8s-secret-anyway:AIRFLOW__SMTP__SMTP_PASSWORD~"
+AIRFLOW__SMTP__SMTP_USER="~vault:projects/anyway/prod/k8s-secret-anyway:AIRFLOW__SMTP__SMTP_USER~"
+ANYWAY_ETL_ALERT_EMAILS="~vault:projects/anyway/prod/k8s-secret-anyway:ANYWAY_ETL_ALERT_EMAILS~"
+APP_SECRET_KEY="~vault:projects/anyway/prod/k8s-secret-anyway:APP_SECRET_KEY~"
+AWS_ACCESS_KEY="~vault:projects/anyway/prod/aws_prod_app_user:access_key_id~"
+AWS_SECRET_KEY="~vault:projects/anyway/prod/aws_prod_app_user:secret_access_key~"
+FACEBOOK_KEY="~vault:projects/anyway/prod/k8s-secret-anyway:FACEBOOK_KEY~"
+FACEBOOK_SECRET="~vault:projects/anyway/prod/k8s-secret-anyway:FACEBOOK_SECRET~"
+FLASK_ENV="~vault:projects/anyway/prod/k8s-secret-anyway:FLASK_ENV~"
+GOOGLE_LOGIN_CLIENT_ID="~vault:projects/anyway/prod/k8s-secret-anyway:GOOGLE_LOGIN_CLIENT_ID~"
+GOOGLE_LOGIN_CLIENT_SECRET="~vault:projects/anyway/prod/k8s-secret-anyway:GOOGLE_LOGIN_CLIENT_SECRET~"
+GOOGLE_MAPS_KEY="~vault:projects/anyway/prod/k8s-secret-anyway:GOOGLE_MAPS_KEY~"
+MAILPASS="~vault:projects/anyway/prod/k8s-secret-anyway:MAILPASS~"
+MAILUSER="~vault:projects/anyway/prod/k8s-secret-anyway:MAILUSER~"
+SERVER_ENV="~vault:projects/anyway/prod/k8s-secret-anyway:SERVER_ENV~"
+SLACK_WEBHOOK_URL="~vault:projects/anyway/prod/k8s-secret-anyway:SLACK_WEBHOOK_URL~"
+TWITTER_ACCESS_KEY="~vault:projects/anyway/prod/k8s-secret-anyway:TWITTER_ACCESS_KEY~"
+TWITTER_ACCESS_SECRET="~vault:projects/anyway/prod/k8s-secret-anyway:TWITTER_ACCESS_SECRET~"
+TWITTER_CONSUMER_KEY="~vault:projects/anyway/prod/k8s-secret-anyway:TWITTER_CONSUMER_KEY~"
+TWITTER_CONSUMER_SECRET="~vault:projects/anyway/prod/k8s-secret-anyway:TWITTER_CONSUMER_SECRET~"
+SELENIUM_URL="~vault:projects/anyway/prod/k8s-secret-anyway:SELENIUM_URL~"
+BOT_TOKEN="~vault:projects/anyway/prod/k8s-secret-anyway:BOT_TOKEN~"
+AIRFLOW_USER="~vault:projects/anyway/prod/k8s-secret-anyway:AIRFLOW_USER~"
+AIRFLOW_PASSWORD="~vault:projects/anyway/prod/k8s-secret-anyway:AIRFLOW_PASSWORD~"
\ No newline at end of file
diff --git a/apps/anyway/secrets/db.env.template b/apps/anyway/secrets/db.env.template
new file mode 100644
index 0000000..281a555
--- /dev/null
+++ b/apps/anyway/secrets/db.env.template
@@ -0,0 +1,4 @@
+DBRESTORE_AWS_ACCESS_KEY_ID="~vault:projects/anyway/prod/aws_db_dumps_reader_user:access_key_id~"
+DBRESTORE_AWS_SECRET_ACCESS_KEY="~vault:projects/anyway/prod/aws_db_dumps_reader_user:secret_access_key~"
+DBRESTORE_SET_ANYWAY_PASSWORD="~vault:projects/anyway/prod/k8s-secret-db:DBRESTORE_SET_ANYWAY_PASSWORD~"
+POSTGRES_PASSWORD="~vault:projects/anyway/prod/k8s-secret-db:POSTGRES_PASSWORD~"
diff --git a/apps/anyway/templates/airflow-db-deployment.yaml b/apps/anyway/templates/airflow-db-deployment.yaml
deleted file mode 100644
index 0d5a0f4..0000000
--- a/apps/anyway/templates/airflow-db-deployment.yaml
+++ /dev/null
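Review bot: anyway.env.template is loaded by `anyway-main` and `anyway-secondary` through `env_file`, yet it carries `AIRFLOW_DB_POSTGRES_PASSWORD`, `AIRFLOW_SQLALCHEMY_URL`, `AIRFLOW_ADMIN_PASSWORD` and the `AIRFLOW__SMTP__*` credentials, which the airflow-db, airflow-scheduler and airflow-webserver templates already deliver to the services that use them. It appears to mirror the old single `anyway` Kubernetes secret; with per-service files the web application no longer needs the Airflow database and admin credentials, and a compromise of the internet-facing app would otherwise expose them. I would drop those lines here and keep only what the app itself reads (`AIRFLOW_USER` / `AIRFLOW_PASSWORD` look like the app's own API login, to be confirmed). The file also ends without a trailing newline.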
@@ -1,36 +0,0 @@ -{{ if .Values.enableAirflow }} -apiVersion: apps/v1 -kind: Deployment -metadata: - name: airflow-db -spec: - selector: - matchLabels: - app: airflow-db - replicas: 1 - revisionHistoryLimit: 2 - strategy: - type: Recreate - template: - metadata: - labels: - app: airflow-db - spec: - terminationGracePeriodSeconds: 10 - imagePullSecrets: [{"name":"github"}] - containers: - - name: db - image: {{ .Values.airflowDb.image | quote }} - resources: {{ toYaml .Values.airflowDb.resources | nindent 10 }} - env: - - name: POSTGRES_PASSWORD - valueFrom: {"secretKeyRef": {"name":"anyway", "key":"AIRFLOW_DB_POSTGRES_PASSWORD"}} - volumeMounts: - - name: data - mountPath: /var/lib/postgresql/data - subPath: airflow_db - volumes: - - name: data - persistentVolumeClaim: - claimName: airflow-db -{{ end }} diff --git a/apps/anyway/templates/airflow-db-pvc.yaml b/apps/anyway/templates/airflow-db-pvc.yaml deleted file mode 100644 index 9277d23..0000000 --- a/apps/anyway/templates/airflow-db-pvc.yaml +++ /dev/null @@ -1,12 +0,0 @@ -{{ if .Values.enableAirflow }} -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: airflow-db -spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 20Gi -{{ end }} diff --git a/apps/anyway/templates/airflow-db-service.yaml b/apps/anyway/templates/airflow-db-service.yaml deleted file mode 100644 index 2fcbd97..0000000 --- a/apps/anyway/templates/airflow-db-service.yaml +++ /dev/null @@ -1,12 +0,0 @@ -{{ if .Values.enableAirflow }} -apiVersion: v1 -kind: Service -metadata: - name: airflow-db -spec: - selector: - app: airflow-db - ports: - - name: "5432" - port: 5432 -{{ end }} \ No newline at end of file diff --git a/apps/anyway/templates/airflow-etl-data-pvc.yaml b/apps/anyway/templates/airflow-etl-data-pvc.yaml deleted file mode 100644 index 03abd3d..0000000 --- a/apps/anyway/templates/airflow-etl-data-pvc.yaml +++ /dev/null 
@@ -1,12 +0,0 @@ -{{ if .Values.enableAirflow }} -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: airflow-etl-data -spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 200Gi -{{ end }} diff --git a/apps/anyway/templates/airflow-home-data-pvc.yaml b/apps/anyway/templates/airflow-home-data-pvc.yaml deleted file mode 100644 index 5c95dbb..0000000 --- a/apps/anyway/templates/airflow-home-data-pvc.yaml +++ /dev/null @@ -1,12 +0,0 @@ -{{ if .Values.enableAirflow }} -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: airflow-home-data -spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 50Gi -{{ end }} diff --git a/apps/anyway/templates/airflow-scheduler-deployment.yaml b/apps/anyway/templates/airflow-scheduler-deployment.yaml deleted file mode 100644 index d3a6c2c..0000000 --- a/apps/anyway/templates/airflow-scheduler-deployment.yaml +++ /dev/null 
@@ -1,100 +0,0 @@ -{{ if .Values.enableAirflow }} -apiVersion: apps/v1 -kind: Deployment -metadata: - name: airflow-scheduler -spec: - selector: - matchLabels: - app: airflow-scheduler - replicas: 1 - revisionHistoryLimit: 5 - strategy: - type: Recreate - template: - metadata: - labels: - app: airflow-scheduler - spec: - terminationGracePeriodSeconds: 240 - imagePullSecrets: [{"name":"github"}] - serviceAccountName: airflow-scheduler - containers: - - name: scheduler - image: {{ if .Values.useDevImages }}{{ .Values.airflowImageDev }}{{ else }}{{ .Values.airflowImage }}{{ end }} - resources: {{ toYaml .Values.airflowScheduler.resources | nindent 12 }} - env: - - name: ANYWAY_ETL_AIRFLOW_ROLE - value: "scheduler" - - name: ANYWAY_ETL_AIRFLOW_PIP_INSTALL_DEPS - value: "yes" - - name: ANYWAY_ETL_BRANCH - value: {{ .Values.ANYWAY_ETL_BRANCH | quote }} - - name: ANYWAY_ETL_USE_LATEST_TAG - value: {{ .Values.ANYWAY_ETL_USE_LATEST_TAG | quote }} - - name: ANYWAY_KUBECTL_NAMESPACE - value: {{ .Values.ANYWAY_KUBECTL_NAMESPACE | quote }} - - name: AIRFLOW__CORE__SQL_ALCHEMY_CONN - valueFrom: {"secretKeyRef": {"name":"anyway", "key":"AIRFLOW_SQLALCHEMY_URL"}} - - name: SQLALCHEMY_URL - valueFrom: {"secretKeyRef": {"name": "anyway-db", "key": "DATABASE_URL" }} - - name: IMAP_MAIL_USER - valueFrom: {"secretKeyRef": {"name": "anyway", "key": "MAILUSER" }} - - name: IMAP_MAIL_PASSWORD - valueFrom: {"secretKeyRef": {"name": "anyway", "key": "MAILPASS" }} - - name: AIRFLOW__EMAIL__EMAIL_BACKEND - value: "airflow.utils.email.send_email_smtp" - - name: AIRFLOW__SMTP__SMTP_HOST - valueFrom: {"secretKeyRef": {"name": "anyway", "key": "AIRFLOW__SMTP__SMTP_HOST" }} - - name: AIRFLOW__SMTP__SMTP_PORT - valueFrom: {"secretKeyRef": {"name": "anyway", "key": "AIRFLOW__SMTP__SMTP_PORT" }} - - name: AIRFLOW__SMTP__SMTP_MAIL_FROM - value: {{ .Values.AIRFLOW__SMTP__SMTP_MAIL_FROM }} - - name: AIRFLOW__SMTP__SMTP_USER - valueFrom: {"secretKeyRef": {"name": "anyway", "key": 
"AIRFLOW__SMTP__SMTP_USER" }} - - name: AIRFLOW__SMTP__SMTP_PASSWORD - valueFrom: {"secretKeyRef": {"name": "anyway", "key": "AIRFLOW__SMTP__SMTP_PASSWORD" }} - - name: AIRFLOW__CORE__DAGS_ARE_PAUSED_AT_CREATION - value: {{ .Values.AIRFLOW__CORE__DAGS_ARE_PAUSED_AT_CREATION | quote }} - - name: ANYWAY_ETL_ALERT_EMAILS - valueFrom: {"secretKeyRef": {"name": "anyway", "key": "ANYWAY_ETL_ALERT_EMAILS" }} - - name: AIRFLOW__WEBSERVER__BASE_URL - value: {{ .Values.AIRFLOW__WEBSERVER__BASE_URL | quote }} - volumeMounts: - - name: airflow-home - mountPath: /var/airflow - - name: anyway-etl-data - mountPath: /var/anyway-etl-data - - name: nginx - image: {{ if .Values.useDevImages }}{{ .Values.etlNginxImageDev }}{{ else }}{{ .Values.etlNginxImage }}{{ end }} - resources: {{ toYaml .Values.etlNginxResources | nindent 12 }} - volumeMounts: - - name: anyway-etl-data - mountPath: /var/anyway-etl-data - - name: webserver - image: {{ if .Values.useDevImages }}{{ .Values.airflowImageDev }}{{ else }}{{ .Values.airflowImage }}{{ end }} - resources: {{ toYaml .Values.airflowWebserver.resources | nindent 12 }} - env: - - name: ANYWAY_ETL_AIRFLOW_INITIALIZE - value: "yes" - - name: ANYWAY_ETL_AIRFLOW_ROLE - value: "webserver" - - name: AIRFLOW__CORE__SQL_ALCHEMY_CONN - valueFrom: {"secretKeyRef": {"name":"anyway", "key":"AIRFLOW_SQLALCHEMY_URL"}} - - name: ANYWAY_ETL_AIRFLOW_ADMIN_PASSWORD - valueFrom: {"secretKeyRef": {"name":"anyway", "key":"AIRFLOW_ADMIN_PASSWORD"}} - - name: AIRFLOW__CORE__DAGS_ARE_PAUSED_AT_CREATION - value: {{ .Values.AIRFLOW__CORE__DAGS_ARE_PAUSED_AT_CREATION | quote }} - - name: AIRFLOW__API__AUTH_BACKENDS - value: "airflow.api.auth.backend.basic_auth" - volumeMounts: - - name: airflow-home - mountPath: /var/airflow - volumes: - - name: airflow-home - persistentVolumeClaim: - claimName: airflow-home-data - - name: anyway-etl-data - persistentVolumeClaim: - claimName: airflow-etl-data -{{ end }} 
diff --git a/apps/anyway/templates/airflow-scheduler-rbac.yaml b/apps/anyway/templates/airflow-scheduler-rbac.yaml deleted file mode 100644 index fa2d8e5..0000000 --- a/apps/anyway/templates/airflow-scheduler-rbac.yaml +++ /dev/null @@ -1,31 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: airflow-scheduler ---- -kind: Role -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: airflow-scheduler -rules: -- apiGroups: [""] - resources: [pods] - verbs: [list, get] -- apiGroups: [""] - resources: [pods/exec] - verbs: [create] -- apiGroups: ["apps"] - resources: [deployments] - verbs: [get] ---- -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: airflow-scheduler -subjects: -- kind: ServiceAccount - name: airflow-scheduler -roleRef: - kind: Role - name: airflow-scheduler - apiGroup: rbac.authorization.k8s.io diff --git a/apps/anyway/templates/airflow-scheduler-service.yaml b/apps/anyway/templates/airflow-scheduler-service.yaml deleted file mode 100644 index 00a91f8..0000000 --- a/apps/anyway/templates/airflow-scheduler-service.yaml +++ /dev/null @@ -1,14 +0,0 @@ -{{ if .Values.enableAirflow }} -apiVersion: v1 -kind: Service -metadata: - name: airflow-scheduler -spec: - selector: - app: airflow-scheduler - ports: - - name: "80" - port: 80 - - name: "8080" - port: 8080 -{{ end }} diff --git a/apps/anyway/templates/anyway-main-deployment.yaml b/apps/anyway/templates/anyway-main-deployment.yaml deleted file mode 100644 index b30dcec..0000000 --- a/apps/anyway/templates/anyway-main-deployment.yaml +++ /dev/null 
@@ -1,64 +0,0 @@ -{{ if .Values.enabled }} -apiVersion: apps/v1 -kind: Deployment -metadata: - name: anyway-main -spec: - selector: - matchLabels: - app: anyway-main - replicas: 1 - revisionHistoryLimit: 2 - strategy: - type: Recreate - template: - metadata: - labels: - app: anyway-main - groupapp: anyway - spec: - terminationGracePeriodSeconds: 5 - imagePullSecrets: [{"name":"github"}] - automountServiceAccountToken: false - containers: - - name: anyway - image: {{ if .Values.useDevImages }}{{ .Values.imageDev }}{{ else }}{{ .Values.image }}{{ end }} - args: ["gunicorn", "-b", "0.0.0.0:5000", "-w", "4", "-t", "120", "anyway:app"] - resources: {{ .Values.mainResources }} - env: - - name: PROXYFIX_X_FOR - value: "1" - - name: PROXYFIX_X_PROTO - value: "1" - - name: PROXYFIX_X_HOST - value: "1" - - name: GOOGLE_APPLICATION_CREDENTIALS - value: "/secrets/GOOGLE_APPLICATION_CREDENTIALS_KEY.json" - envFrom: - - secretRef: {"name": "anyway"} - - secretRef: {"name": "anyway-db"} - startupProbe: - httpGet: - path: / - port: 5000 - failureThreshold: 240 - periodSeconds: 2 - timeoutSeconds: 5 - readinessProbe: - httpGet: - path: / - port: 5000 - periodSeconds: 2 - timeoutSeconds: 5 - failureThreshold: 5 - {{ if .Values.mountGoogleApplicationCredentialsSecret }} - volumeMounts: - - name: secrets - mountPath: /secrets/GOOGLE_APPLICATION_CREDENTIALS_KEY.json - subPath: GOOGLE_APPLICATION_CREDENTIALS_KEY.json - volumes: - - name: secrets - secret: - secretName: anyway - {{ end }} -{{ end }} diff --git a/apps/anyway/templates/anyway-main-service.yaml b/apps/anyway/templates/anyway-main-service.yaml deleted file mode 100644 index c0669ed..0000000 --- a/apps/anyway/templates/anyway-main-service.yaml +++ /dev/null @@ -1,12 +0,0 @@ -{{ if .Values.enabled }} -apiVersion: v1 -kind: Service -metadata: - name: anyway-main -spec: - selector: - app: anyway-main - ports: - - name: "5000" - port: 5000 -{{ end }} 
diff --git a/apps/anyway/templates/anyway-reports-deployment.yaml b/apps/anyway/templates/anyway-reports-deployment.yaml deleted file mode 100644 index ee2ecb2..0000000 --- a/apps/anyway/templates/anyway-reports-deployment.yaml +++ /dev/null @@ -1,24 +0,0 @@ -{{ if and .Values.enabled .Values.reports.enabled }} -apiVersion: apps/v1 -kind: Deployment -metadata: - name: reports -spec: - selector: - matchLabels: - app: reports - replicas: {{ .Values.reports.replicas }} - revisionHistoryLimit: 2 - template: - metadata: - labels: - app: reports - spec: - terminationGracePeriodSeconds: 2 - imagePullSecrets: [{"name":"github"}] - automountServiceAccountToken: false - containers: - - name: reports - image: {{ .Values.anywayReportsImage }} - resources: {{ .Values.reports.resources }} -{{ end }} diff --git a/apps/anyway/templates/anyway-reports-service.yaml b/apps/anyway/templates/anyway-reports-service.yaml deleted file mode 100644 index 5f25099..0000000 --- a/apps/anyway/templates/anyway-reports-service.yaml +++ /dev/null @@ -1,12 +0,0 @@ -{{ if and .Values.enabled .Values.reports.enabled }} -apiVersion: v1 -kind: Service -metadata: - name: reports -spec: - selector: - app: reports - ports: - - name: "80" - port: 80 -{{ end }} diff --git a/apps/anyway/templates/anyway-secondaries-deployment.yaml b/apps/anyway/templates/anyway-secondaries-deployment.yaml deleted file mode 100644 index e0fffc5..0000000 --- a/apps/anyway/templates/anyway-secondaries-deployment.yaml +++ /dev/null 
@@ -1,64 +0,0 @@ -{{ if and .Values.enabled .Values.enableSecondaries }} -apiVersion: apps/v1 -kind: Deployment -metadata: - name: anyway-secondaries -spec: - selector: - matchLabels: - app: anyway-secondaries - replicas: {{ .Values.secondaryReplicas }} - revisionHistoryLimit: 2 - template: - metadata: - labels: - app: anyway-secondaries - groupapp: anyway - spec: - terminationGracePeriodSeconds: 2 - imagePullSecrets: [{"name":"github"}] - automountServiceAccountToken: false - containers: - - name: anyway - image: {{ if .Values.useDevImages }}{{ .Values.imageDev }}{{ else }}{{ .Values.image }}{{ end }} - command: ["gunicorn", "-b", "0.0.0.0:5000", "-w", "4", "-t", "120", "anyway:app"] - resources: {{ .Values.secondariesResources }} - env: - - name: ALLOW_ALEMBIC_UPGRADE - value: "no" - - name: PROXYFIX_X_FOR - value: "1" - - name: PROXYFIX_X_PROTO - value: "1" - - name: PROXYFIX_X_HOST - value: "1" - - name: GOOGLE_APPLICATION_CREDENTIALS - value: "/secrets/GOOGLE_APPLICATION_CREDENTIALS_KEY.json" - envFrom: - - secretRef: {"name": "anyway"} - - secretRef: {"name": "anyway-db"} - startupProbe: - exec: - command: [ "sleep", "30" ] - timeoutSeconds: 50 - periodSeconds: 50 - successThreshold: 1 - failureThreshold: 1 - readinessProbe: - httpGet: - path: / - port: 5000 - periodSeconds: 10 - timeoutSeconds: 30 - failureThreshold: 5 - {{ if .Values.mountGoogleApplicationCredentialsSecret }} - volumeMounts: - - name: secrets - mountPath: /secrets/GOOGLE_APPLICATION_CREDENTIALS_KEY.json - subPath: GOOGLE_APPLICATION_CREDENTIALS_KEY.json - volumes: - - name: secrets - secret: - secretName: anyway - {{ end }} -{{ end }} diff --git a/apps/anyway/templates/anyway-service.yaml b/apps/anyway/templates/anyway-service.yaml deleted file mode 100644 index d1381b2..0000000 --- a/apps/anyway/templates/anyway-service.yaml +++ /dev/null 
@@ -1,12 +0,0 @@ -{{ if .Values.enabled }} -apiVersion: v1 -kind: Service -metadata: - name: anyway -spec: - selector: - app: anyway{{ if .Values.enableSecondaries }}-secondaries{{ else }}-main{{ end }} - ports: - - name: "5000" - port: 5000 -{{ end }} diff --git a/apps/anyway/templates/db-backup-cronjob.yaml b/apps/anyway/templates/db-backup-cronjob.yaml deleted file mode 100644 index 4824946..0000000 --- a/apps/anyway/templates/db-backup-cronjob.yaml +++ /dev/null @@ -1,33 +0,0 @@ -{{ if and .Values.enabled .Values.dbBackupEnabled }} -apiVersion: batch/v1 -kind: CronJob -metadata: - name: backup -spec: - schedule: {{ .Values.dbBackupSchedule | quote }} - concurrencyPolicy: Forbid - successfulJobsHistoryLimit: 2 - failedJobsHistoryLimit: 1 - jobTemplate: - spec: - template: - spec: - restartPolicy: OnFailure - containers: - - name: db-backup - image: {{ .Values.pinDbBackupImage | quote }} - resources: {{ .Values.dbBackupResources }} - envFrom: - - secretRef: {"name": "db-backup"} - env: - - name: DBDUMP_S3_FILE_PREFIX - value: {{ .Values.DBDUMP_S3_FILE_PREFIX | quote }} - - name: DBDUMP_HOST - value: "db" - - name: DBDUMP_USER - value: "postgres" - - name: DBDUMP_FULL_BUCKET - value: {{ .Values.DBDUMP_FULL_BUCKET | quote }} - - name: DBDUMP_PARTIAL_BUCKET - value: {{ .Values.DBDUMP_PARTIAL_BUCKET | quote }} -{{ end }} diff --git a/apps/anyway/templates/db-deployment.yaml b/apps/anyway/templates/db-deployment.yaml deleted file mode 100644 index 712b425..0000000 --- a/apps/anyway/templates/db-deployment.yaml +++ /dev/null 
@@ -1,62 +0,0 @@ -{{ if .Values.enabled }} -apiVersion: apps/v1 -kind: Deployment -metadata: - name: db -spec: - selector: - matchLabels: - app: db - replicas: 1 - revisionHistoryLimit: 2 - strategy: - type: Recreate - template: - metadata: - labels: - app: db - spec: - terminationGracePeriodSeconds: 10 - imagePullSecrets: [{"name":"github"}] - {{ if .Values.dbNodeSelector }} - nodeSelector: - kubernetes.io/hostname: {{ .Values.dbNodeSelector }} - {{ end }} - containers: - - name: db - # we don't want to auto-update the DB! - image: {{ .Values.pinDbImage | quote }} - resources: {{ .Values.dbResources }} - ports: - - containerPort: 5432 - envFrom: - - secretRef: {"name": "db"} - env: - - name: POSTGRES_USER - value: "postgres" - - name: POSTGRES_DB - value: "postgres" - - name: DBRESTORE_AWS_BUCKET - value: {{ .Values.dbRestoreBucket | quote }} - - name: DBRESTORE_FILE_NAME - value: {{ .Values.dbRestoreFileName | quote }} - volumeMounts: - - name: data - mountPath: /var/lib/postgresql/data - # postgres doesn't let you use the root of a disk (it complaints about having lost+found directory) - subPath: dbdata - {{- if .Values.dbShmSize }} - - name: dshm - mountPath: /dev/shm - {{- end }} - volumes: - - name: data - persistentVolumeClaim: - claimName: {{ .Values.dbPvcName | quote }} - {{- if .Values.dbShmSize }} - - name: dshm - emptyDir: - medium: Memory - sizeLimit: {{ .Values.dbShmSize | quote }} - {{- end }} -{{ end }} diff --git a/apps/anyway/templates/db-pvc.yaml b/apps/anyway/templates/db-pvc.yaml deleted file mode 100644 index 92f454b..0000000 --- a/apps/anyway/templates/db-pvc.yaml +++ /dev/null @@ -1,12 +0,0 @@ -{{ if .Values.enabled }} -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: {{ .Values.dbPvcName | quote }} -spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 200Gi -{{ end }} diff --git a/apps/anyway/templates/db-service.yaml b/apps/anyway/templates/db-service.yaml deleted file mode 100644 index 2efbd9a..0000000 
--- a/apps/anyway/templates/db-service.yaml +++ /dev/null @@ -1,12 +0,0 @@ -{{ if .Values.enabled }} -apiVersion: v1 -kind: Service -metadata: - name: db -spec: - selector: - app: db - ports: - - name: "5432" - port: 5432 -{{ end }} diff --git a/apps/anyway/templates/github-pull-secret.yaml b/apps/anyway/templates/github-pull-secret.yaml deleted file mode 100644 index 04f047b..0000000 --- a/apps/anyway/templates/github-pull-secret.yaml +++ /dev/null @@ -1,7 +0,0 @@ -apiVersion: v1 -kind: Secret -type: kubernetes.io/dockerconfigjson -metadata: - name: github -data: - .dockerconfigjson: "~vault:projects/k8s/dockerconfig:json~" diff --git a/apps/anyway/templates/ingresses.yaml b/apps/anyway/templates/ingresses.yaml deleted file mode 100644 index a2ca7be..0000000 --- a/apps/anyway/templates/ingresses.yaml +++ /dev/null @@ -1,33 +0,0 @@ -{{ if and .Values.enabled .Values.ingresses }} -{{ range .Values.ingresses }} -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: {{ .name }} - annotations: - {{ if .httpauth }} - nginx.ingress.kubernetes.io/auth-type: basic - nginx.ingress.kubernetes.io/auth-secret: {{ .httpauth.secretName | quote }} - nginx.ingress.kubernetes.io/auth-realm: {{ .httpauth.message | quote }} - {{ end }} - {{ if .permanentRedirect }} - nginx.ingress.kubernetes.io/permanent-redirect: {{ .permanentRedirect | quote }} - {{ end }} -spec: - ingressClassName: nginx - rules: - {{ range .rules }} - - host: {{ .host }} - http: - paths: - - backend: - service: - name: {{ .serviceName }} - port: - number: {{ .servicePort }} - pathType: Prefix - path: / - {{ end }} ---- -{{ end }} -{{ end }} diff --git a/apps/anyway/templates/nginx-configmap.yaml b/apps/anyway/templates/nginx-configmap.yaml deleted file mode 100644 index 38479a7..0000000 --- a/apps/anyway/templates/nginx-configmap.yaml +++ /dev/null 
@@ -1,12 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: nginx -data: - anyway_proxy.conf: | - proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto {{ .Values.nginxForwardedScheme }}; - proxy_set_header X-Forwarded-Host {{ .Values.nginxForwardedHost }}; - proxy_pass http://anyway; - proxy_redirect default; diff --git a/apps/anyway/templates/nginx-deployment.yaml b/apps/anyway/templates/nginx-deployment.yaml deleted file mode 100644 index 9557eda..0000000 --- a/apps/anyway/templates/nginx-deployment.yaml +++ /dev/null @@ -1,33 +0,0 @@ -{{ if .Values.enabled }} -apiVersion: apps/v1 -kind: Deployment -metadata: - name: nginx -spec: - selector: - matchLabels: - app: nginx - replicas: 1 - revisionHistoryLimit: 2 - template: - metadata: - labels: - app: nginx - annotations: - checksum/config: {{ include (print $.Template.BasePath "/nginx-configmap.yaml") . | sha256sum }} - spec: - terminationGracePeriodSeconds: 2 - imagePullSecrets: [{"name":"github"}] - containers: - - name: nginx - image: {{ if .Values.useDevImages }}{{ .Values.nginxImageDev }}{{ else }}{{ .Values.nginxImage }}{{ end }} - resources: {{ .Values.nginxResources }} - volumeMounts: - - name: conf - mountPath: /etc/nginx/anyway_proxy.conf - subPath: anyway_proxy.conf - volumes: - - name: conf - configMap: - name: nginx -{{ end }} diff --git a/apps/anyway/templates/nginx-service.yaml b/apps/anyway/templates/nginx-service.yaml deleted file mode 100644 index 4213f6f..0000000 --- a/apps/anyway/templates/nginx-service.yaml +++ /dev/null @@ -1,12 +0,0 @@ -{{ if .Values.enabled }} -apiVersion: v1 -kind: Service -metadata: - name: nginx -spec: - selector: - app: nginx - ports: - - name: "80" - port: 80 -{{ end }} diff --git a/apps/anyway/templates/secrets.yaml b/apps/anyway/templates/secrets.yaml deleted file mode 100644 index de81850..0000000 --- a/apps/anyway/templates/secrets.yaml +++ /dev/null 
@@ -1,9 +0,0 @@ -{{ range .Values.secrets }} -kind: Secret -apiVersion: v1 -metadata: - name: {{ .name }} -type: Opaque -data: {{ toJson .data }} ---- -{{ end }} diff --git a/apps/anyway/values-anyway-auto-updated.yaml b/apps/anyway/values-anyway-auto-updated.yaml deleted file mode 100644 index a7d5d8f..0000000 --- a/apps/anyway/values-anyway-auto-updated.yaml +++ /dev/null @@ -1,12 +0,0 @@ -airflowImage: ghcr.io/data-for-change/anyway-etl/anyway-etl-airflow:v0.0.54 -airflowImageDev: ghcr.io/data-for-change/anyway-etl/anyway-etl-airflow:17190a0950a05f5f13b2d2fe3bf22ec2f1f339d2 -anywayReportsImage: docker.pkg.github.com/data-for-change/anyway-reports/anyway-reports:sha-ff0aa3b -dbBackupImage: docker.pkg.github.com/data-for-change/anyway/db_backup:sha-e43df45 -dbImage: docker.pkg.github.com/data-for-change/anyway/db:sha-e43df45 -etlImage: docker.pkg.github.com/hasadna/anyway-etl/anyway-etl:55a7c1ddb4610b2f75f88db8615f373b62c9f226 -etlNginxImage: ghcr.io/data-for-change/anyway-etl/anyway-etl-nginx:v0.0.54 -etlNginxImageDev: ghcr.io/data-for-change/anyway-etl/anyway-etl-nginx:17190a0950a05f5f13b2d2fe3bf22ec2f1f339d2 -image: docker.pkg.github.com/data-for-change/anyway/anyway:sha-e43df45 -imageDev: docker.pkg.github.com/data-for-change/anyway/anyway:sha-c0242b4 -nginxImage: docker.pkg.github.com/data-for-change/anyway/nginx:sha-e43df45 -nginxImageDev: docker.pkg.github.com/data-for-change/anyway/nginx:sha-c0242b4 diff --git a/apps/anyway/values-anyway-dev.yaml b/apps/anyway/values-anyway-dev.yaml deleted file mode 100644 index 31c5393..0000000 --- a/apps/anyway/values-anyway-dev.yaml +++ /dev/null 
@@ -1,103 +0,0 @@ -enabled: true -enableSecondaries: false -secondaryReplicas: 0 -nginxForwardedHost: "dev.anyway.co.il" -nginxForwardedScheme: "https" -mountGoogleApplicationCredentialsSecret: true -mainResources: '{"requests": {"cpu": "25m", "memory": "684Mi"}, "limits": {"cpu": "78m", "memory": "1500Mi"}}' -secondariesResources: '{"requests": {"cpu": "25m", "memory": "933Mi"}, "limits": {"cpu": "78m", "memory": "1500Mi"}}' -dbResources: '{"requests": {"cpu": "25m", "memory": "2062Mi"}, "limits": {"cpu": "165m", "memory": "3500Mi"}}' -dbShmSize: "512Mi" -nginxResources: '{"requests": {"cpu": "25m", "memory": "256Mi"}, "limits": {"cpu": "78m", "memory": "500Mi"}}' -DBDUMP_S3_FILE_PREFIX: "" -dbBackupEnabled: false -dbBackupResources: '{"requests": {"cpu": "25m", "memory": "700Mi"}, "limits": {"cpu": "165m", "memory": "1000Mi"}}' -dbBackupSchedule: "10 0 * * *" -dbRestoreBucket: "dfc-anyway-full-db-dumps" -dbRestoreFileName: "2022-12-04_anyway.pgdump" -useDevImages: true -dbPvcName: "db" - -# we are pinning the DB versions so they won't be upgraded automatically -# these builds are from this commit - https://github.com/hasadna/anyway/commit/6dfd43b -pinDbImage: docker.pkg.github.com/hasadna/anyway/db:sha-6dfd43b -pinDbBackupImage: docker.pkg.github.com/hasadna/anyway/db_backup:sha-6dfd43b - -reports: - enabled: false - replicas: 1 - resources: '{"requests": {"cpu": "25m", "memory": "256Mi"}, "limits": {"cpu": "78m", "memory": "500Mi"}}' - -enableAirflow: true -airflowDb: - # pulled August 8, 2021 - image: "postgres:13@sha256:6647385dd9ae11aa2216bf55c54d126b0a85637b3cf4039ef24e3234113588e3" - resources: {"requests": {"cpu": "50m", "memory": "300Mi"}, "limits": {"memory": "700Mi"}} -airflowImageDev: "docker.pkg.github.com/hasadna/anyway-etl/anyway-etl-airflow:latest" -airflowScheduler: - resources: {"requests": {"cpu": "300m", "memory": "500Mi"}, "limits": {"memory": "1000Mi"}} -airflowWebserver: - resources: {"requests": {"cpu": "50m", "memory": "300Mi"}, "limits": 
{"memory": "700Mi"}} -etlNginxImageDev: "docker.pkg.github.com/hasadna/anyway-etl/anyway-etl-nginx:latest" -etlNginxResources: {"requests": {"cpu": "50m", "memory": "100Mi"}, "limits": {"memory": "200Mi"}} -ANYWAY_ETL_BRANCH: "main" -ANYWAY_ETL_USE_LATEST_TAG: "no" -ANYWAY_KUBECTL_NAMESPACE: "anyway-dev" -AIRFLOW__SMTP__SMTP_MAIL_FROM: "Dev Airflow " -AIRFLOW__CORE__DAGS_ARE_PAUSED_AT_CREATION: "True" -AIRFLOW__WEBSERVER__BASE_URL: https://dev-airflow.anyway.co.il - -ingresses: - - name: nginx - rules: - - host: dev.anyway.co.il - serviceName: nginx - servicePort: 80 - - name: airflow - rules: - - host: dev-airflow.anyway.co.il - serviceName: airflow-scheduler - servicePort: 8080 - - name: airflow-data - rules: - - host: dev-airflow-data.anyway.co.il - serviceName: airflow-scheduler - servicePort: 80 - -secrets: - - name: anyway - data: - AIRFLOW_ADMIN_PASSWORD: "~vault:projects/anyway/dev/k8s-secret-anyway:AIRFLOW_ADMIN_PASSWORD~" - AIRFLOW_DB_POSTGRES_PASSWORD: "~vault:projects/anyway/dev/k8s-secret-anyway:AIRFLOW_DB_POSTGRES_PASSWORD~" - AIRFLOW_SQLALCHEMY_URL: "~vault:projects/anyway/dev/k8s-secret-anyway:AIRFLOW_SQLALCHEMY_URL~" - AIRFLOW__SMTP__SMTP_HOST: "~vault:projects/anyway/dev/k8s-secret-anyway:AIRFLOW__SMTP__SMTP_HOST~" - AIRFLOW__SMTP__SMTP_PORT: "2525" - AIRFLOW__SMTP__SMTP_PASSWORD: "~vault:projects/anyway/dev/k8s-secret-anyway:AIRFLOW__SMTP__SMTP_PASSWORD~" - AIRFLOW__SMTP__SMTP_USER: "~vault:projects/anyway/dev/k8s-secret-anyway:AIRFLOW__SMTP__SMTP_USER~" - ANYWAY_ETL_ALERT_EMAILS: "~vault:projects/anyway/dev/k8s-secret-anyway:ANYWAY_ETL_ALERT_EMAILS~" - APP_SECRET_KEY: "~vault:projects/anyway/dev/k8s-secret-anyway:APP_SECRET_KEY~" - AWS_ACCESS_KEY: "~vault:projects/anyway/prod/aws_prod_app_user:access_key_id~" - AWS_SECRET_KEY: "~vault:projects/anyway/prod/aws_prod_app_user:secret_access_key~" - FACEBOOK_KEY: "~vault:projects/anyway/dev/k8s-secret-anyway:FACEBOOK_KEY~" - FACEBOOK_SECRET: 
"~vault:projects/anyway/dev/k8s-secret-anyway:FACEBOOK_SECRET~" - FLASK_ENV: "~vault:projects/anyway/dev/k8s-secret-anyway:FLASK_ENV~" - GOOGLE_APPLICATION_CREDENTIALS_KEY.json: "~vault:projects/anyway/dev/k8s-secret-anyway:GOOGLE_APPLICATION_CREDENTIALS_KEY~" - GOOGLE_LOGIN_CLIENT_ID: "~vault:projects/anyway/dev/k8s-secret-anyway:GOOGLE_LOGIN_CLIENT_ID~" - GOOGLE_LOGIN_CLIENT_SECRET: "~vault:projects/anyway/dev/k8s-secret-anyway:GOOGLE_LOGIN_CLIENT_SECRET~" - GOOGLE_MAPS_KEY: "~vault:projects/anyway/dev/k8s-secret-anyway:GOOGLE_MAPS_KEY~" - MAILPASS: "~vault:projects/anyway/dev/k8s-secret-anyway:MAILPASS~" - MAILUSER: "~vault:projects/anyway/dev/k8s-secret-anyway:MAILUSER~" - SERVER_ENV: "~vault:projects/anyway/dev/k8s-secret-anyway:SERVER_ENV~" - TWITTER_ACCESS_KEY: "~vault:projects/anyway/dev/k8s-secret-anyway:TWITTER_ACCESS_KEY~" - TWITTER_ACCESS_SECRET: "~vault:projects/anyway/dev/k8s-secret-anyway:TWITTER_ACCESS_SECRET~" - TWITTER_CONSUMER_KEY: "~vault:projects/anyway/dev/k8s-secret-anyway:TWITTER_CONSUMER_KEY~" - TWITTER_CONSUMER_SECRET: "~vault:projects/anyway/dev/k8s-secret-anyway:TWITTER_CONSUMER_SECRET~" - - name: anyway-db - data: - DATABASE_URL: "~vault:projects/anyway/dev/k8s-secret-anyway-db:DATABASE_URL~" - - name: db - data: - DBRESTORE_AWS_ACCESS_KEY_ID: "~vault:projects/anyway/prod/aws_db_dumps_reader_user:access_key_id~" - DBRESTORE_AWS_SECRET_ACCESS_KEY: "~vault:projects/anyway/prod/aws_db_dumps_reader_user:secret_access_key~" - DBRESTORE_SET_ANYWAY_PASSWORD: "~vault:projects/anyway/dev/k8s-secret-db:DBRESTORE_SET_ANYWAY_PASSWORD~" - POSTGRES_PASSWORD: "~vault:projects/anyway/dev/k8s-secret-db:POSTGRES_PASSWORD~" diff --git a/apps/anyway/values-anyway-minikube.yaml b/apps/anyway/values-anyway-minikube.yaml deleted file mode 100644 index a09c313..0000000 --- a/apps/anyway/values-anyway-minikube.yaml +++ /dev/null 
@@ -1,14 +0,0 @@ -enabled: true -enableSecondaries: false -secondaryReplicas: 0 -nginxForwardedHost: "localhost:8000" -nginxForwardedScheme: "http" -mountGoogleApplicationCredentialsSecret: false -resources: '{"requests": {"cpu": "100m", "memory": "250Mi"}, "limits": {"memory": "800Mi"}}' -dbResources: '{"requests": {"cpu": "100m", "memory": "250Mi"}, "limits": {"memory": "500Mi"}}' -nginxResources: '{"requests": {"cpu": "100m", "memory": "250Mi"}, "limits": {"memory": "500Mi"}}' -DBDUMP_S3_FILE_PREFIX: "minikube_" -dbBackupEnabled: false -dbBackupSchedule: "10 0 * * *" -enableLogs: false -ingresses: [] diff --git a/apps/anyway/values-anyway-prod.yaml b/apps/anyway/values-anyway-prod.yaml deleted file mode 100644 index 95a457f..0000000 --- a/apps/anyway/values-anyway-prod.yaml +++ /dev/null 
@@ -1,133 +0,0 @@ -enabled: true -enableSecondaries: true -secondaryReplicas: 1 -nginxForwardedHost: "www.anyway.co.il" -nginxForwardedScheme: "https" -mountGoogleApplicationCredentialsSecret: true -mainResources: '{"requests": {"cpu": "100m", "memory": "500Mi"}, "limits": {"memory": "1200Mi"}}' -secondariesResources: '{"requests": {"cpu": "60m", "memory": "500Mi"}, "limits": {"memory": "1000Mi"}}' -dbResources: '{"requests": {"cpu": "250m", "memory": "3000Mi"}, "limits": {"memory": "4000Mi"}}' -dbShmSize: "1024Mi" -nginxResources: '{"requests": {"cpu": "25m", "memory": "100Mi"}, "limits": {"memory": "200Mi"}}' -DBDUMP_S3_FILE_PREFIX: "" -dbBackupEnabled: true -dbBackupResources: '{"requests": {"cpu": "25m", "memory": "400Mi"}, "limits": {"memory": "600Mi"}}' -dbBackupSchedule: "10 0 * * *" -enableLogs: true -dbRestoreBucket: "dfc-anyway-full-db-dumps" -dbRestoreFileName: "2022-12-11_anyway.pgdump" -DBDUMP_FULL_BUCKET: "~iac:anyway_full_db_dumps_bucket~" -DBDUMP_PARTIAL_BUCKET: "~iac:anyway_partial_db_dumps_bucket~" -dbPvcName: "db2" - -# we are pinning the DB versions so they won't be upgraded automatically -# these builds are from this commit - https://github.com/hasadna/anyway/commit/6dfd43b -pinDbImage: docker.pkg.github.com/hasadna/anyway/db:sha-6dfd43b -pinDbBackupImage: docker.pkg.github.com/hasadna/anyway/db_backup:sha-6dfd43b - -reports: - enabled: true - replicas: 1 - resources: '{"requests": {"cpu": "25m", "memory": "100Mi"}, "limits": {"memory": "200Mi"}}' - -enableAirflow: true -airflowDb: - # pulled August 8, 2021 - image: "postgres:13@sha256:6647385dd9ae11aa2216bf55c54d126b0a85637b3cf4039ef24e3234113588e3" - resources: {"requests": {"cpu": "40m", "memory": "300Mi"}, "limits": {"memory": "500Mi"}} -airflowImage: "docker.pkg.github.com/hasadna/anyway-etl/anyway-etl-airflow:latest" -airflowScheduler: - resources: {"requests": {"cpu": "100m", "memory": "500Mi"}, "limits": {"memory": "800Mi"}} -airflowWebserver: - resources: {"requests": {"cpu": "50m", 
"memory": "500Mi"}, "limits": {"memory": "1100Mi"}} -etlNginxImage: "docker.pkg.github.com/hasadna/anyway-etl/anyway-etl-nginx:latest" -etlNginxResources: {"requests": {"cpu": "20m", "memory": "50Mi"}, "limits": {"memory": "100Mi"}} -ANYWAY_ETL_BRANCH: "" -ANYWAY_ETL_USE_LATEST_TAG: "yes" -ANYWAY_KUBECTL_NAMESPACE: "anyway" -AIRFLOW__SMTP__SMTP_MAIL_FROM: "Airflow " -AIRFLOW__CORE__DAGS_ARE_PAUSED_AT_CREATION: "False" -AIRFLOW__WEBSERVER__BASE_URL: https://airflow.anyway.co.il - -ingresses: - - name: nginx - ssl: true - rules: - - host: www.anyway.co.il - serviceName: nginx - servicePort: 80 - - host: reports.anyway.co.il - serviceName: reports - servicePort: 80 - - name: redirect - permanentRedirect: https://www.anyway.co.il - rules: - - host: anyway.co.il - serviceName: nginx - servicePort: 80 - - host: www.oway.org.il - serviceName: nginx - servicePort: 80 - - host: oway.org.il - serviceName: nginx - servicePort: 80 - - name: airflow - ssl: true - rules: - - host: airflow.anyway.co.il - serviceName: airflow-scheduler - servicePort: 8080 - - name: airflow-data - ssl: true - rules: - - host: airflow-data.anyway.co.il - serviceName: airflow-scheduler - servicePort: 80 - -secrets: - - name: anyway - data: - AIRFLOW_ADMIN_PASSWORD: "~vault:projects/anyway/prod/k8s-secret-anyway:AIRFLOW_ADMIN_PASSWORD~" - AIRFLOW_DB_POSTGRES_PASSWORD: "~vault:projects/anyway/prod/k8s-secret-anyway:AIRFLOW_DB_POSTGRES_PASSWORD~" - AIRFLOW_SQLALCHEMY_URL: "~vault:projects/anyway/prod/k8s-secret-anyway:AIRFLOW_SQLALCHEMY_URL~" - AIRFLOW__SMTP__SMTP_HOST: "~vault:projects/anyway/prod/k8s-secret-anyway:AIRFLOW__SMTP__SMTP_HOST~" - AIRFLOW__SMTP__SMTP_PORT: "2525" - AIRFLOW__SMTP__SMTP_PASSWORD: "~vault:projects/anyway/prod/k8s-secret-anyway:AIRFLOW__SMTP__SMTP_PASSWORD~" - AIRFLOW__SMTP__SMTP_USER: "~vault:projects/anyway/prod/k8s-secret-anyway:AIRFLOW__SMTP__SMTP_USER~" - ANYWAY_ETL_ALERT_EMAILS: "~vault:projects/anyway/prod/k8s-secret-anyway:ANYWAY_ETL_ALERT_EMAILS~" - APP_SECRET_KEY: 
"~vault:projects/anyway/prod/k8s-secret-anyway:APP_SECRET_KEY~" - AWS_ACCESS_KEY: "~vault:projects/anyway/prod/aws_prod_app_user:access_key_id~" - AWS_SECRET_KEY: "~vault:projects/anyway/prod/aws_prod_app_user:secret_access_key~" - FACEBOOK_KEY: "~vault:projects/anyway/prod/k8s-secret-anyway:FACEBOOK_KEY~" - FACEBOOK_SECRET: "~vault:projects/anyway/prod/k8s-secret-anyway:FACEBOOK_SECRET~" - FLASK_ENV: "~vault:projects/anyway/prod/k8s-secret-anyway:FLASK_ENV~" - "GOOGLE_APPLICATION_CREDENTIALS_KEY.json": "~vault:projects/anyway/prod/k8s-secret-anyway:GOOGLE_APPLICATION_CREDENTIALS_KEY.json~" - GOOGLE_LOGIN_CLIENT_ID: "~vault:projects/anyway/prod/k8s-secret-anyway:GOOGLE_LOGIN_CLIENT_ID~" - GOOGLE_LOGIN_CLIENT_SECRET: "~vault:projects/anyway/prod/k8s-secret-anyway:GOOGLE_LOGIN_CLIENT_SECRET~" - GOOGLE_MAPS_KEY: "~vault:projects/anyway/prod/k8s-secret-anyway:GOOGLE_MAPS_KEY~" - MAILPASS: "~vault:projects/anyway/prod/k8s-secret-anyway:MAILPASS~" - MAILUSER: "~vault:projects/anyway/prod/k8s-secret-anyway:MAILUSER~" - SERVER_ENV: "~vault:projects/anyway/prod/k8s-secret-anyway:SERVER_ENV~" - SLACK_WEBHOOK_URL: "~vault:projects/anyway/prod/k8s-secret-anyway:SLACK_WEBHOOK_URL~" - TWITTER_ACCESS_KEY: "~vault:projects/anyway/prod/k8s-secret-anyway:TWITTER_ACCESS_KEY~" - TWITTER_ACCESS_SECRET: "~vault:projects/anyway/prod/k8s-secret-anyway:TWITTER_ACCESS_SECRET~" - TWITTER_CONSUMER_KEY: "~vault:projects/anyway/prod/k8s-secret-anyway:TWITTER_CONSUMER_KEY~" - TWITTER_CONSUMER_SECRET: "~vault:projects/anyway/prod/k8s-secret-anyway:TWITTER_CONSUMER_SECRET~" - SELENIUM_URL: "~vault:projects/anyway/prod/k8s-secret-anyway:SELENIUM_URL~" - BOT_TOKEN: "~vault:projects/anyway/prod/k8s-secret-anyway:BOT_TOKEN~" - AIRFLOW_USER: "~vault:projects/anyway/prod/k8s-secret-anyway:AIRFLOW_USER~" - AIRFLOW_PASSWORD: "~vault:projects/anyway/prod/k8s-secret-anyway:AIRFLOW_PASSWORD~" - - name: anyway-db - data: - DATABASE_URL: "~vault:projects/anyway/prod/k8s-secret-anyway-db:DATABASE_URL~" - - 
name: db - data: - DBRESTORE_AWS_ACCESS_KEY_ID: "~vault:projects/anyway/prod/aws_db_dumps_reader_user:access_key_id~" - DBRESTORE_AWS_SECRET_ACCESS_KEY: "~vault:projects/anyway/prod/aws_db_dumps_reader_user:secret_access_key~" - DBRESTORE_SET_ANYWAY_PASSWORD: "~vault:projects/anyway/prod/k8s-secret-db:DBRESTORE_SET_ANYWAY_PASSWORD~" - POSTGRES_PASSWORD: "~vault:projects/anyway/prod/k8s-secret-db:POSTGRES_PASSWORD~" - - name: db-backup - data: - DBDUMP_AWS_ACCESS_KEY_ID: "~vault:projects/anyway/prod/aws_db_dumps_writer_user:access_key_id~" - DBDUMP_AWS_SECRET_ACCESS_KEY: "~vault:projects/anyway/prod/aws_db_dumps_writer_user:secret_access_key~" - DBDUMP_PASSWORD: "~vault:projects/anyway/prod/k8s-secret-db-backup:DBDUMP_PASSWORD~" diff --git a/bin/render_env_template.py b/bin/render_env_template.py new file mode 100755 index 0000000..b7bf9e6 --- /dev/null +++ b/bin/render_env_template.py @@ -0,0 +1,34 @@ +#!/usr/bin/env python3 +import sys +import json +import subprocess +import functools + + +@functools.lru_cache() +def get_vault_path(path): + return json.loads(subprocess.check_output([ + 'vault', 'kv', 'get', '-format=json', f'kv/{path}' + ]))['data']['data'] + + +def get_vault_val(val): + _, path, key = val.split(":") + key = key.replace('~"', '') + return '"' + get_vault_path(path)[key] + '"' + + +def main(filename): + with open(filename) as f: + for line in f: + line = line.strip() + if not line or line.startswith('#'): + continue + name, val = line.split('=', 1) + if "~vault:" in val: + val = get_vault_val(val) + print(f'{name}={val}') + + +if __name__ == '__main__': + main(*sys.argv[1:]) From a739941fa7167d69c58c9aad688d63b8dd6e3437 Mon Sep 17 00:00:00 2001 
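Review bot: In `get_vault_val` of bin/render_env_template.py the secret is emitted as `'"' + get_vault_path(path)[key] + '"'` with no escaping, so a value containing `"`, a backslash, `$` or a newline produces an env line that the consumer may truncate, unescape or interpolate (how Compose treats double-quoted `env_file` values depends on its version, so this is worth confirming). I would fail closed before printing, for example `if any(c in secret for c in '"\\$\n'): raise ValueError(f'{path}:{key} needs escaping')`. `val.split(":")` also fails with a bare unpack error on any template value that has an extra colon; assuming the template form is `"~vault:path:key~"`, as the `replace('~"', '')` implies, `val.strip('"~').split(':', 2)` parses it more directly. The script prints secrets to stdout, so the file the README redirects into is created with the caller's umask; a module docstring saying so, or `umask 077` in the README steps, would make that explicit.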
From: Ori Hoch Date: Wed, 24 Jan 2024 21:25:39 +0200 Subject: [PATCH 02/22] migrate anyway to docker compose --- apps/anyway/README.md | 16 +-- apps/anyway/compose.yaml | 40 ++++-- apps/traefik/compose.yaml | 11 ++ apps/traefik/traefik.yaml | 2 + apps/vault/compose.yaml | 42 +++++++ apps/vault/deployment.yaml | 41 ------ apps/vault/ingress.yaml | 18 --- apps/vault/kustomization.yaml | 15 --- apps/vault/namespace.yaml | 4 - apps/vault/patch-deployment-unseal.yaml | 35 ------ apps/vault/pvc.yaml | 11 -- apps/vault/secrets/.gitignore | 2 + apps/vault/service.yaml | 11 -- bin/migrate_k8s_to_docker.py | 158 ++++++++++++++++++++++++ docs/Migrate From K8S to Docker.md | 63 ++++++++++ 15 files changed, 315 insertions(+), 154 deletions(-) create mode 100644 apps/traefik/compose.yaml create mode 100644 apps/traefik/traefik.yaml create mode 100644 apps/vault/compose.yaml delete mode 100644 apps/vault/deployment.yaml delete mode 100644 apps/vault/ingress.yaml delete mode 100644 apps/vault/kustomization.yaml delete mode 100644 apps/vault/namespace.yaml delete mode 100644 apps/vault/patch-deployment-unseal.yaml delete mode 100644 apps/vault/pvc.yaml create mode 100644 apps/vault/secrets/.gitignore delete mode 100644 apps/vault/service.yaml create mode 100755 bin/migrate_k8s_to_docker.py create mode 100644 docs/Migrate From K8S to Docker.md diff --git a/apps/anyway/README.md b/apps/anyway/README.md index 0295458..396f513 100644 --- a/apps/anyway/README.md +++ b/apps/anyway/README.md 
@@ -18,19 +18,19 @@ export VAULT_TOKEN= Set secret values: ``` -bin/render_env_template.py apps/anyway-docker/secrets/anyway.env.template > apps/anyway-docker/secrets/anyway.env -bin/render_env_template.py apps/anyway-docker/secrets/anyway-db.env.template > apps/anyway-docker/secrets/anyway-db.env -bin/render_env_template.py apps/anyway-docker/secrets/db.env.template > apps/anyway-docker/secrets/db.env -bin/render_env_template.py apps/anyway-docker/secrets/airflow-db.env.template > apps/anyway-docker/secrets/airflow-db.env -bin/render_env_template.py apps/anyway-docker/secrets/airflow-scheduler.env.template > apps/anyway-docker/secrets/airflow-scheduler.env -bin/render_env_template.py apps/anyway-docker/secrets/airflow-webserver.env.template > apps/anyway-docker/secrets/airflow-webserver.env -vault kv get -format=json kv/projects/anyway/prod/k8s-secret-anyway | jq -r '.data.data["GOOGLE_APPLICATION_CREDENTIALS_KEY.json"]' > apps/anyway-docker/secrets/GOOGLE_APPLICATION_CREDENTIALS_KEY.json +bin/render_env_template.py apps/anyway/secrets/anyway.env.template > apps/anyway/secrets/anyway.env +bin/render_env_template.py apps/anyway/secrets/anyway-db.env.template > apps/anyway/secrets/anyway-db.env +bin/render_env_template.py apps/anyway/secrets/db.env.template > apps/anyway/secrets/db.env +bin/render_env_template.py apps/anyway/secrets/airflow-db.env.template > apps/anyway/secrets/airflow-db.env +bin/render_env_template.py apps/anyway/secrets/airflow-scheduler.env.template > apps/anyway/secrets/airflow-scheduler.env +bin/render_env_template.py apps/anyway/secrets/airflow-webserver.env.template > apps/anyway/secrets/airflow-webserver.env +vault kv get -format=json kv/projects/anyway/prod/k8s-secret-anyway | jq -r '.data.data["GOOGLE_APPLICATION_CREDENTIALS_KEY.json"]' > apps/anyway/secrets/GOOGLE_APPLICATION_CREDENTIALS_KEY.json ``` Run: ``` -( cd apps/anyway-docker && docker compose up -d ) +( cd apps/anyway && docker compose up -d ) ``` ### TODO: db-backup-cronjob 
diff --git a/apps/anyway/compose.yaml b/apps/anyway/compose.yaml index d17c59e..5e2b413 100644 --- a/apps/anyway/compose.yaml +++ b/apps/anyway/compose.yaml @@ -14,6 +14,8 @@ x-anyway: &x-anyway - ./secrets/anyway-db.env volumes: - ./secrets/GOOGLE_APPLICATION_CREDENTIALS_KEY.json:/secrets/GOOGLE_APPLICATION_CREDENTIALS_KEY.json:ro + restart: unless-stopped + networks: [dfc] services: anyway-main: @@ -31,9 +33,12 @@ services: ALLOW_ALEMBIC_UPGRADE: "no" depends_on: - anyway-main + networks: [dfc] db: + hostname: anyway-db image: ${PIN_DB_IMAGE:-ghcr.io/hasadna/anyway/db:latest} + restart: unless-stopped environment: POSTGRES_USER: postgres POSTGRES_DB: postgres @@ -42,19 +47,23 @@ services: env_file: - ./secrets/db.env volumes: - - db-data:/var/lib/postgresql/data + - /data/anyway/db:/var/lib/postgresql/data tmpfs: - /dev/shm:size=1024m + networks: [dfc] airflow-db: image: postgres:13@sha256:6647385dd9ae11aa2216bf55c54d126b0a85637b3cf4039ef24e3234113588e3 + restart: unless-stopped env_file: - ./secrets/airflow-db.env volumes: - - airflow-db-data:/var/lib/postgresql/data + - /data/anyway/airflow-db:/var/lib/postgresql/data + networks: [dfc] airflow-scheduler: image: ${AIRFLOW_IMAGE:-ghcr.io/data-for-change/anyway-etl/anyway-etl-airflow:latest} + restart: unless-stopped environment: ANYWAY_ETL_AIRFLOW_ROLE: "scheduler" ANYWAY_ETL_AIRFLOW_PIP_INSTALL_DEPS: "yes" 
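Review bot: Joining every service to the shared external `dfc` network puts both Postgres containers (`db`, `airflow-db`) on the same network as every other stack that attaches to it, which in this series includes Traefik and Vault, so a compromise of any one of those containers gives direct network access to the databases. Unless something outside this project has to reach them, keep database traffic on the project's own network and attach `dfc` only where Traefik must route, e.g. `networks: [default]` on the databases and `networks: [default, dfc]` on the services that front them. The same applies to the `networks: [dfc]` lines added in the later hunks of this file (airflow-scheduler, airflow-nginx, airflow-webserver, reports). The move from named volumes to `/data/anyway/...` bind mounts also deserves a comment stating the expected owner and mode of those host directories, since nothing in the hunk shows who creates them.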
@@ -65,16 +74,20 @@ services: env_file: - ./secrets/airflow-scheduler.env volumes: - - airflow-home:/var/airflow - - anyway-etl-data:/var/anyway-etl-data + - /data/anyway/airflow-home-data:/var/airflow + - /data/anyway/airflow-etl-data:/var/anyway-etl-data + networks: [dfc] airflow-nginx: image: ${ETL_NGINX_IMAGE:-ghcr.io/data-for-change/anyway-etl/anyway-etl-nginx:latest} + restart: unless-stopped volumes: - - anyway-etl-data:/var/anyway-etl-data + - /data/anyway/airflow-etl-data:/var/anyway-etl-data + networks: [dfc] airflow-webserver: image: ${AIRFLOW_IMAGE:-ghcr.io/data-for-change/anyway-etl/anyway-etl-airflow:latest} + restart: unless-stopped environment: ANYWAY_ETL_AIRFLOW_INITIALIZE: "yes" ANYWAY_ETL_AIRFLOW_ROLE: "webserver" @@ -83,18 +96,23 @@ services: env_file: - ./secrets/airflow-webserver.env volumes: - - airflow-home:/var/airflow + - /data/anyway/airflow-home-data:/var/airflow + networks: [dfc] reports: + hostname: anyway-reports image: ${REPORTS_IMAGE:-ghcr.io/data-for-change/anyway-reports/anyway-reports:latest} + restart: unless-stopped + networks: [dfc] nginx: + hostname: anyway-nginx image: ${NGINX_IMAGE:-ghcr.io/data-for-change/anyway/nginx:latest} + restart: unless-stopped volumes: - ./nginx_anyway_proxy.conf:/etc/nginx/anyway_proxy.conf:ro + networks: [dfc] -volumes: - db-data: - airflow-db-data: - airflow-home: - anyway-etl-data: +networks: + dfc: + external: true diff --git a/apps/traefik/compose.yaml b/apps/traefik/compose.yaml new file mode 100644 index 0000000..3e59204 --- /dev/null +++ b/apps/traefik/compose.yaml @@ -0,0 +1,11 @@ +services: + traefik: + image: traefik:v2.10.7@sha256:c5181ddf303f1ccfd4bd6d1d9c4867b0500efb6089a0f9ccb16612438f6e934f + volumes: + - ./traefik.yaml:/etc/traefik/traefik.yaml:ro + - /var/run/docker.sock:/var/run/docker.sock:ro + networks: [dfc] + +networks: + dfc: + external: true diff --git a/apps/traefik/traefik.yaml b/apps/traefik/traefik.yaml new file mode 100644 index 0000000..f5b0b20 --- /dev/null 
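Review bot: The `/var/run/docker.sock` bind mount in `apps/traefik/compose.yaml` gives the proxy container the whole Docker API; `:ro` only makes the socket file read-only and does not restrict API calls, so whoever compromises the edge proxy effectively has root on the host. Consider placing a filtering socket proxy between Traefik and the daemon that allows only the read-only endpoints the Docker provider needs, and add a comment on this line recording why the socket is mounted. Unlike the anyway and vault services in this patch, this service has no `restart: unless-stopped`, so it will not come back after a daemon restart or host reboot.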
+++ b/apps/traefik/traefik.yaml @@ -0,0 +1,2 @@ +providers: + docker: {} diff --git a/apps/vault/compose.yaml b/apps/vault/compose.yaml new file mode 100644 index 0000000..97df458 --- /dev/null +++ b/apps/vault/compose.yaml @@ -0,0 +1,42 @@ +x-image: &x-image "vault@sha256:79d3a9c8b1b6e9b9e7a3ae9c3d9f27422d0455c8924c5ffebcdf1f97652e989e" + +services: + vault: + # Pulled Sep 7, 2022 + image: *x-image + command: [server] + environment: + VAULT_LOCAL_CONFIG: '{"backend": {"file": {"path": "/var/vault/file"}}, "listener": {"tcp": {"address": "0.0.0.0:8200", "tls_disable": 1}}, "api_addr": "http://127.0.0.1:8200", "ui": true}' + env_file: + - ./secrets/vault.env + volumes: + - /data/vault/vaultdata:/var/vault + privileged: true + restart: unless-stopped + networks: [dfc] + healthcheck: + start_period: 60s + start_interval: 10s + interval: 5s + timeout: 3s + retries: 5 + test: + - CMD + - sh + - -c + - | + SEALED="$(vault status --address=http://localhost:8200 --format=yaml | grep sealed)" &&\ + if [ "${SEALED}" == "sealed: true" ]; then + for KEY in $UNSEAL_KEYS; do + vault operator unseal --address=http://localhost:8200 $KEY + done + exit 0 + elif [ "${SEALED}" == "sealed: false" ]; then + exit 0 + else + exit 1 + fi + +networks: + dfc: + external: true diff --git a/apps/vault/deployment.yaml b/apps/vault/deployment.yaml deleted file mode 100644 index f600dca..0000000 --- a/apps/vault/deployment.yaml +++ /dev/null 
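Review bot: `privileged: true` in `apps/vault/compose.yaml` was carried over from the Kubernetes manifest, but it hands the Vault container every capability and the host's devices; Vault normally needs only mlock, so `cap_add: [IPC_LOCK]` should be enough, which is worth verifying against this image before dropping `privileged`. The healthcheck reads `UNSEAL_KEYS` from `./secrets/vault.env` on the same host that stores `/data/vault/vaultdata`, so anyone who obtains the disk or a host shell gets both the sealed data and the keys, and each key also appears on the `vault operator unseal` command line. If auto-unseal has to stay, a comment above `env_file` should state that trade-off and require the file to be mode 0600. With `"tls_disable": 1`, traffic to port 8200 on the `dfc` network is plaintext.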
@@ -1,41 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: vault - namespace: vault -spec: - selector: - matchLabels: - app: vault - replicas: 1 - revisionHistoryLimit: 5 - strategy: - type: Recreate - template: - metadata: - labels: - app: vault - spec: - terminationGracePeriodSeconds: 30 - containers: - - name: vault - # Pulled Sep 7, 2022 - image: vault@sha256:79d3a9c8b1b6e9b9e7a3ae9c3d9f27422d0455c8924c5ffebcdf1f97652e989e - resources: {"requests": {"cpu": "50m", "memory": "100Mi"}, "limits": {"memory": "500Mi"}} - args: - - server - ports: - - containerPort: 8200 - env: - - name: VAULT_LOCAL_CONFIG - value: '{"backend": {"file": {"path": "/var/vault/file"}}, "listener": {"tcp": {"address": "0.0.0.0:8200", "tls_disable": 1}}, "api_addr": "http://127.0.0.1:8200", "ui": true}' - volumeMounts: - - name: vaultdata - mountPath: /var/vault - subPath: vaultdata - securityContext: - privileged: true - volumes: - - name: vaultdata - persistentVolumeClaim: - claimName: vault diff --git a/apps/vault/ingress.yaml b/apps/vault/ingress.yaml deleted file mode 100644 index faa0c91..0000000 --- a/apps/vault/ingress.yaml +++ /dev/null @@ -1,18 +0,0 @@ -kind: Ingress -apiVersion: networking.k8s.io/v1 -metadata: - name: vault - namespace: vault -spec: - ingressClassName: nginx - rules: - - host: vault.dataforchange.org.il - http: - paths: - - backend: - service: - name: vault - port: - number: 8200 - pathType: Prefix - path: / diff --git a/apps/vault/kustomization.yaml b/apps/vault/kustomization.yaml deleted file mode 100644 index 368a8b5..0000000 --- a/apps/vault/kustomization.yaml +++ /dev/null 
@@ -1,15 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization - -resources: - - namespace.yaml - - pvc.yaml - - deployment.yaml - - service.yaml - - ingress.yaml - -# this patch enables automatic unseal -# it should be applied only after you initialize vault and create a secret called vault-unseal -# with key UNSEAL_KEYS containing 3 unseal keys separated by spaces -patchesStrategicMerge: - - patch-deployment-unseal.yaml diff --git a/apps/vault/namespace.yaml b/apps/vault/namespace.yaml deleted file mode 100644 index 0158c8f..0000000 --- a/apps/vault/namespace.yaml +++ /dev/null @@ -1,4 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: vault diff --git a/apps/vault/patch-deployment-unseal.yaml b/apps/vault/patch-deployment-unseal.yaml deleted file mode 100644 index 8666a78..0000000 --- a/apps/vault/patch-deployment-unseal.yaml +++ /dev/null @@ -1,35 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: vault - namespace: vault -spec: - template: - spec: - containers: - - name: vault - env: - - name: UNSEAL_KEYS - valueFrom: {"secretKeyRef": {"name": "vault-unseal", "key": "UNSEAL_KEYS"}} - readinessProbe: - exec: - command: - - sh - - -c - - | - SEALED="$(vault status --address=http://localhost:8200 --format=yaml | grep sealed)" &&\ - if [ "${SEALED}" == "sealed: true" ]; then - for KEY in $UNSEAL_KEYS; do - vault operator unseal --address=http://localhost:8200 $KEY - done - exit 0 - elif [ "${SEALED}" == "sealed: false" ]; then - exit 0 - else - exit 1 - fi - initialDelaySeconds: 1 - periodSeconds: 5 - timeoutSeconds: 3 - successThreshold: 1 - failureThreshold: 5 diff --git a/apps/vault/pvc.yaml b/apps/vault/pvc.yaml deleted file mode 100644 index 6570bf3..0000000 --- a/apps/vault/pvc.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: vault - namespace: vault -spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 20Gi 
diff --git a/apps/vault/secrets/.gitignore b/apps/vault/secrets/.gitignore new file mode 100644 index 0000000..80f859e --- /dev/null +++ b/apps/vault/secrets/.gitignore @@ -0,0 +1,2 @@ +*.env +*.json diff --git a/apps/vault/service.yaml b/apps/vault/service.yaml deleted file mode 100644 index 99cc2f6..0000000 --- a/apps/vault/service.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: vault - namespace: vault -spec: - selector: - app: vault - ports: - - name: "8200" - port: 8200 diff --git a/bin/migrate_k8s_to_docker.py b/bin/migrate_k8s_to_docker.py new file mode 100755 index 0000000..aeb2acd --- /dev/null +++ b/bin/migrate_k8s_to_docker.py 
@@ -0,0 +1,158 @@ +#!/usr/bin/env python3 +import sys +import time +import json +import subprocess + + +MIGRATION_OBJECTS_PREFIX = 'k8s-docker-migration' +SNAPSHOTS_VELERO_BACKUP = 'k8s-docker-migration' +MAIN_VOLUME_NAME = 'main-docker' +VOLUMES = [ + { + 'namespace': 'anyway', + 'name': 'airflow-db', + 'target_path': '/anyway/airflow-db' + }, + { + 'namespace': 'anyway', + 'name': 'airflow-etl-data', + 'target_path': '/anyway/airflow-etl-data' + }, + { + 'namespace': 'anyway', + 'name': 'airflow-home-data', + 'target_path': '/anyway/airflow-home-data' + }, + { + 'namespace': 'anyway', + 'name': 'db2', + 'target_path': '/anyway/db' + }, + { + 'namespace': 'cluster-admin', + 'name': 'terraform-state-db', + 'target_path': '/terraform-state-db' + }, + { + 'namespace': 'vault', + 'name': 'vault', + 'target_path': '/vault' + }, + { + 'namespace': 'redash', + 'name': 'postgres', + 'target_path': '/redash-postgres' + }, +] + + +def find_snapshot_by_tags(tags): + filters = ' '.join([f'Name=tag:{key},Values={value}' for key, value in tags.items()]) + snapshots = json.loads(subprocess.check_output( + f'aws --no-cli-pager ec2 describe-snapshots --filters {filters}', shell=True + ))['Snapshots'] + assert len(snapshots) == 1 + return snapshots[0]['SnapshotId'] + + +def create_volume_from_snapshot_id(snapshot_id, volume_name, availability_zone='eu-central-1b', volume_type='gp2'): + # check if volume already exists + if len(json.loads(subprocess.check_output( + f'aws --no-cli-pager ec2 describe-volumes --filters Name=tag:Name,Values={volume_name}', shell=True + ))['Volumes']) > 0: + print(f'Volume {volume_name} already exists') + return + subprocess.check_call( + f'aws --no-cli-pager ec2 create-volume --snapshot-id {snapshot_id} --availability-zone {availability_zone} --volume-type {volume_type} --tag-specifications "ResourceType=volume,Tags=[{{Key=Name,Value={volume_name}}}]"', + shell=True + ) + + +def create_volume_from_snapshot(namespace, name): + volume_name = 
f'{MIGRATION_OBJECTS_PREFIX}-{namespace}-{name}' + create_volume_from_snapshot_id( + find_snapshot_by_tags({ + 'velero.io/backup': SNAPSHOTS_VELERO_BACKUP, + 'kubernetes.io/created-for/pvc/namespace': namespace, + 'kubernetes.io/created-for/pvc/name': name + }), + volume_name + ) + return volume_name + + +def create_all_volumes_from_snapshots(): + pending_volume_names = set() + for volume in VOLUMES: + pending_volume_names.add(create_volume_from_snapshot(volume['namespace'], volume['name'])) + while len(pending_volume_names) > 0: + print(f'Waiting for volumes to be available: {pending_volume_names}') + time.sleep(5) + for volume_name in pending_volume_names.copy(): + volume = get_volume(volume_name) + if volume['State'] == 'available': + pending_volume_names.remove(volume_name) + print(f'Volume {volume_name} is available') + + +def get_volume(name): + volumes = json.loads(subprocess.check_output( + f'aws --no-cli-pager ec2 describe-volumes --filters Name=tag:Name,Values={name}', shell=True + ))['Volumes'] + assert len(volumes) == 1 + return volumes[0] + + +def mount_volume(migration_server_ip, volume_name): + volume = get_volume(volume_name) + assert len(volume['Attachments']) == 1 + device = volume['Attachments'][0]['Device'] + device = device.replace('/dev/sd', '/dev/xvd') + subprocess.check_call( + [ + 'ssh', f'ubuntu@{migration_server_ip}', f''' + sudo umount {device} + sudo mkdir -p /mnt/{volume_name} + sudo mount {device} /mnt/{volume_name} + echo "Volume {volume_name} is mounted at /mnt/{volume_name}" + ''' + ] + ) + + +def mount_all_volumes(migration_server_ip): + for volume in VOLUMES: + mount_volume(migration_server_ip, f'{MIGRATION_OBJECTS_PREFIX}-{volume["namespace"]}-{volume["name"]}') + mount_volume(migration_server_ip, MAIN_VOLUME_NAME) + + +def migrate_volume(migration_server_ip, volume_name, target_path): + subprocess.check_call( + [ + 'ssh', f'ubuntu@{migration_server_ip}', f''' + sudo mkdir -p /mnt/{MAIN_VOLUME_NAME}{target_path} + sudo rsync -a 
/mnt/{volume_name}/ /mnt/{MAIN_VOLUME_NAME}{target_path} + ''' + ] + ) + print(f'Volume {volume_name} was migrated to {MAIN_VOLUME_NAME}{target_path}') + + +def migrate_all_volumes(migration_server_ip): + for volume in VOLUMES: + volume_name = f'{MIGRATION_OBJECTS_PREFIX}-{volume["namespace"]}-{volume["name"]}' + target_path = volume['target_path'] + print(f'Migrating volume {volume_name} to {target_path}') + migrate_volume(migration_server_ip, volume_name, target_path) + print("OK") + + +def main(cmd, *args): + res = globals()[cmd](*args) + if res is not None: + print(res) + + +if __name__ == '__main__': + main(*sys.argv[1:]) diff --git a/docs/Migrate From K8S to Docker.md b/docs/Migrate From K8S to Docker.md new file mode 100644 index 0000000..65ba2ee --- /dev/null +++ b/docs/Migrate From K8S to Docker.md 
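Review bot: In `mount_volume` the remote script ends with `echo`, so the ssh exit status is always that of `echo` and `check_call` never notices a failed `sudo mount`; `migrate_volume` would then rsync the empty `/mnt/{volume_name}/` directory and report the volume as migrated. Tolerate only the unmount and fail on everything else, e.g. `sudo umount {device} || true` followed by `set -e` on the next line of the script. The `aws` helpers build their command lines with f-strings and `shell=True`; the inputs are constants today, but an argument list such as `['aws', '--no-cli-pager', 'ec2', 'describe-volumes', '--filters', f'Name=tag:Name,Values={name}']` takes the shell out of the path and removes the nested quoting around `--tag-specifications`. `main` resolves `cmd` through `globals()` and expects the function name first, whereas the migration doc added in this patch passes `MIGRATION_SERVER_IP` first, which would raise `KeyError`.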
@@ -0,0 +1,63 @@ +# Migrate from K8S to Docker + +## Prerequisites + +* Install AWS CLI +* Install Vault CLI +* Set env vars for AWS and Vault credentials + +## Migrate + +* Terminate all workloads +* Create volumes for each snapshot: `bin/migrate_k8s_to_docker.py create_all_volumes_from_snapshots` +* Create an EC2 instance for migration +* Attach the volumes to the instance +* Mount all the volumes: `bin/migrate_k8s_to_docker.py MIGRATION_SERVER_IP mount_all_volumes` +* Run the volumes migration script: `bin/migrate_k8s_to_docker.py MIGRATION_SERVER_IP migrate_all_volumes` +* Remove the EC2 instance and all the volumes except the main volume +* Create new EC2 instance for the docker compose environment: + * Instance type: m6a.large (2 vCPU, 8GB RAM) + * OS: Ubuntu 22.04 + * Root volume: 100GB + * Attach the main volume to the instance, note the device name +* SSH to the instance: + +``` +# mount the main volume +echo "DEVICE_NAME /data ext4 defaults,nofail 0 2" | sudo tee -a /etc/fstab +sudo mkdir /data +sudo mount -a + +# install Docker +sudo apt-get update +sudo apt-get install ca-certificates curl gnupg +sudo install -m 0755 -d /etc/apt/keyrings +curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg +sudo chmod a+r /etc/apt/keyrings/docker.gpg +echo \ + "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu \ + $(. 
/etc/os-release && echo "$VERSION_CODENAME") stable" | \ + sudo tee /etc/apt/sources.list.d/docker.list > /dev/null +sudo apt-get update +sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin +sudo groupadd docker +sudo usermod -aG docker $USER +newgrp docker + +# set logging driver + rotation +sudo mkdir -p /etc/docker +echo '{"log-driver": "local", "log-opts": {"max-size": "100m", "max-file": "10"}}' | sudo tee /etc/docker/daemon.json + +# Create ssh key +ssh-keygen -t ed25519 -C "dfc-main-docker" + +# Add this key to GitHub dfc-k8s repo deploy keys without write access and clone +cd ~ +git clone git@github.com:data-for-change/dfc-k8s.git +git checkout migrate-to-docker-compose + +# Install the apps according to each app's README.md +# If the app doesn't have details, just run: +cd ~/dfc-k8s +( cd apps/APP_NAME && docker compose up -d ) +``` From a967748de8498e806ead0c6d94d6031cceb83f48 Mon Sep 17 00:00:00 2001 From: Ori Hoch Date: Wed, 24 Jan 2024 21:27:47 +0200 Subject: [PATCH 03/22] migrate anyway to docker compose --- apps/vault/compose.yaml | 10 +++++----- docs/Migrate From K8S to Docker.md | 3 +++ 2 files changed, 8 insertions(+), 5 deletions(-) diff --git a/apps/vault/compose.yaml b/apps/vault/compose.yaml index 97df458..923dab2 100644 --- a/apps/vault/compose.yaml +++ b/apps/vault/compose.yaml 
@@ -25,13 +25,13 @@ services: - sh - -c - | - SEALED="$(vault status --address=http://localhost:8200 --format=yaml | grep sealed)" &&\ - if [ "${SEALED}" == "sealed: true" ]; then - for KEY in $UNSEAL_KEYS; do - vault operator unseal --address=http://localhost:8200 $KEY + SEALED="\$(vault status --address=http://localhost:8200 --format=yaml | grep sealed)" &&\ + if [ "\${SEALED}" == "sealed: true" ]; then + for KEY in \$UNSEAL_KEYS; do + vault operator unseal --address=http://localhost:8200 \$KEY done exit 0 - elif [ "${SEALED}" == "sealed: false" ]; then + elif [ "\${SEALED}" == "sealed: false" ]; then exit 0 else exit 1 diff --git a/docs/Migrate From K8S to Docker.md b/docs/Migrate From K8S to Docker.md index 65ba2ee..fd15423 100644 --- a/docs/Migrate From K8S to Docker.md +++ b/docs/Migrate From K8S to Docker.md @@ -56,6 +56,9 @@ cd ~ git clone git@github.com:data-for-change/dfc-k8s.git git checkout migrate-to-docker-compose +# Create dfc docker network +docker network create dfc + # Install the apps according to each app's README.md # If the app doesn't have details, just run: cd ~/dfc-k8s From fd10fcf72792f056a97797e38a558db45deda344 Mon Sep 17 00:00:00 2001 From: Ori Hoch Date: Wed, 24 Jan 2024 21:29:03 +0200 Subject: [PATCH 04/22] migrate anyway to docker compose --- apps/vault/compose.yaml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/apps/vault/compose.yaml b/apps/vault/compose.yaml index 923dab2..8ca9adb 100644 --- a/apps/vault/compose.yaml +++ b/apps/vault/compose.yaml 
@@ -25,13 +25,13 @@ services: - sh - -c - | - SEALED="\$(vault status --address=http://localhost:8200 --format=yaml | grep sealed)" &&\ - if [ "\${SEALED}" == "sealed: true" ]; then - for KEY in \$UNSEAL_KEYS; do - vault operator unseal --address=http://localhost:8200 \$KEY + SEALED="$$(vault status --address=http://localhost:8200 --format=yaml | grep sealed)" &&\ + if [ "$${SEALED}" == "sealed: true" ]; then + for KEY in $$UNSEAL_KEYS; do + vault operator unseal --address=http://localhost:8200 $$KEY done exit 0 - elif [ "\${SEALED}" == "sealed: false" ]; then + elif [ "$${SEALED}" == "sealed: false" ]; then exit 0 else exit 1 From 1a09a633853cb333ceaafc6119fdf8e5bb54830d Mon Sep 17 00:00:00 2001 From: Ori Hoch Date: Wed, 24 Jan 2024 21:31:06 +0200 Subject: [PATCH 05/22] migrate anyway to docker compose --- apps/traefik/compose.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/apps/traefik/compose.yaml b/apps/traefik/compose.yaml index 3e59204..d822135 100644 --- a/apps/traefik/compose.yaml +++ b/apps/traefik/compose.yaml @@ -5,6 +5,9 @@ services: - ./traefik.yaml:/etc/traefik/traefik.yaml:ro - /var/run/docker.sock:/var/run/docker.sock:ro networks: [dfc] + ports: + - "80:80" + - "443:443" networks: dfc: From dc8f7d1c5bd4d7e9ab77eee51f5e50e740b0da5b Mon Sep 17 00:00:00 2001 From: Ori Hoch Date: Wed, 24 Jan 2024 21:34:48 +0200 Subject: [PATCH 06/22] migrate anyway to docker compose --- apps/vault/compose.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/apps/vault/compose.yaml b/apps/vault/compose.yaml index 8ca9adb..32ed3b5 100644 --- a/apps/vault/compose.yaml +++ b/apps/vault/compose.yaml @@ -14,6 +14,10 @@ services: privileged: true restart: unless-stopped networks: [dfc] + labels: + - "traefik.enable=true" + - "traefik.http.routers.vault.rule=Host(`vault.dataforchange.org.il`)" + - "traefik.http.services.vault.loadbalancer.server.port=8200" healthcheck: start_period: 60s start_interval: 10s 
From 7dfc1734cb5f5db1bee57c26bd51ff2c6b7a7cb1 Mon Sep 17 00:00:00 2001 From: Ori Hoch Date: Wed, 24 Jan 2024 21:46:52 +0200 Subject: [PATCH 07/22] migrate anyway to docker compose --- apps/traefik/.gitignore | 1 + apps/traefik/README.md | 15 +++++++++++++++ apps/traefik/traefik.yaml | 2 -- apps/traefik/traefik.yaml.template | 17 +++++++++++++++++ apps/vault/compose.yaml | 4 +++- 5 files changed, 36 insertions(+), 3 deletions(-) create mode 100644 apps/traefik/.gitignore create mode 100644 apps/traefik/README.md delete mode 100644 apps/traefik/traefik.yaml create mode 100644 apps/traefik/traefik.yaml.template diff --git a/apps/traefik/.gitignore b/apps/traefik/.gitignore new file mode 100644 index 0000000..76ebc19 --- /dev/null +++ b/apps/traefik/.gitignore @@ -0,0 +1 @@ +traefik.yaml diff --git a/apps/traefik/README.md b/apps/traefik/README.md new file mode 100644 index 0000000..92b7103 --- /dev/null +++ b/apps/traefik/README.md @@ -0,0 +1,15 @@ +# Traefik + +## Install + +Set acme email env var: + +``` +export ACME_EMAIL= +``` + +Generate template: + +``` +envsubst < apps/traefik/traefik.yaml.template > apps/traefik/traefik.yaml +``` \ No newline at end of file diff --git a/apps/traefik/traefik.yaml b/apps/traefik/traefik.yaml deleted file mode 100644 index f5b0b20..0000000 --- a/apps/traefik/traefik.yaml +++ /dev/null @@ -1,2 +0,0 @@ -providers: - docker: {} diff --git a/apps/traefik/traefik.yaml.template b/apps/traefik/traefik.yaml.template new file mode 100644 index 0000000..7a05a8f --- /dev/null +++ b/apps/traefik/traefik.yaml.template @@ -0,0 +1,17 @@ +providers: + docker: + exposedByDefault: false + +entryPoints: + web: + address: ":80" + websecure: + address: ":443" + +certificatesResolvers: + dfc: + acme: + email: ${ACME_EMAIL} + storage: acme.json + httpChallenge: + entryPoint: web diff --git a/apps/vault/compose.yaml b/apps/vault/compose.yaml index 32ed3b5..bead215 100644 --- a/apps/vault/compose.yaml +++ b/apps/vault/compose.yaml 
@@ -16,8 +16,10 @@ services: networks: [dfc] labels: - "traefik.enable=true" - - "traefik.http.routers.vault.rule=Host(`vault.dataforchange.org.il`)" - "traefik.http.services.vault.loadbalancer.server.port=8200" + - "traefik.http.routers.vault.rule=Host(`vault2.dataforchange.org.il`)" + - "traefik.http.routers.vault.tls=true" + - "traefik.http.routers.vault.tls.certresolver=dfc" healthcheck: start_period: 60s start_interval: 10s From 5269dfc6d9c112bbc0db0cc665fdd758c7947240 Mon Sep 17 00:00:00 2001 From: Ori Hoch Date: Wed, 24 Jan 2024 21:49:44 +0200 Subject: [PATCH 08/22] migrate anyway to docker compose --- apps/traefik/README.md | 6 ++++++ apps/traefik/compose.yaml | 1 + apps/traefik/traefik.yaml.template | 2 +- 3 files changed, 8 insertions(+), 1 deletion(-) diff --git a/apps/traefik/README.md b/apps/traefik/README.md index 92b7103..dfe6423 100644 --- a/apps/traefik/README.md +++ b/apps/traefik/README.md @@ -12,4 +12,10 @@ Generate template: ``` envsubst < apps/traefik/traefik.yaml.template > apps/traefik/traefik.yaml +``` + +Create acme storage directory: + +``` +sudo mkdir -p /data/traefik/acme ``` \ No newline at end of file diff --git a/apps/traefik/compose.yaml b/apps/traefik/compose.yaml index d822135..21e14b1 100644 --- a/apps/traefik/compose.yaml +++ b/apps/traefik/compose.yaml @@ -4,6 +4,7 @@ services: volumes: - ./traefik.yaml:/etc/traefik/traefik.yaml:ro - /var/run/docker.sock:/var/run/docker.sock:ro + - /data/traefik/acme:/etc/traefik/acme networks: [dfc] ports: - "80:80" diff --git a/apps/traefik/traefik.yaml.template b/apps/traefik/traefik.yaml.template index 7a05a8f..51cc657 100644 --- a/apps/traefik/traefik.yaml.template +++ b/apps/traefik/traefik.yaml.template @@ -12,6 +12,6 @@ certificatesResolvers: dfc: acme: email: ${ACME_EMAIL} - storage: acme.json + storage: /etc/traefik/acme/acme.json httpChallenge: entryPoint: web From a3b5c43ad8035dc211dd1d73aa5a951b4756d8df Mon Sep 17 00:00:00 2001 
From: Ori Hoch Date: Wed, 24 Jan 2024 21:52:31 +0200 Subject: [PATCH 09/22] migrate anyway to docker compose --- bin/compose | 5 +++++ 1 file changed, 5 insertions(+) create mode 100755 bin/compose diff --git a/bin/compose b/bin/compose new file mode 100755 index 0000000..05441cb --- /dev/null +++ b/bin/compose @@ -0,0 +1,5 @@ +#!/usr/bin/env bash + +cd "apps/${1}" +shift +exec docker compose "$@" From 3f7e0f82f7571dc3b379ad3328ebed4bc2e82a19 Mon Sep 17 00:00:00 2001 From: Ori Hoch Date: Wed, 24 Jan 2024 22:10:59 +0200 Subject: [PATCH 10/22] migrate anyway to docker compose --- apps/traefik/README.md | 2 +- apps/vault/compose.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/apps/traefik/README.md b/apps/traefik/README.md index dfe6423..d2aa271 100644 --- a/apps/traefik/README.md +++ b/apps/traefik/README.md @@ -18,4 +18,4 @@ Create acme storage directory: ``` sudo mkdir -p /data/traefik/acme -``` \ No newline at end of file +``` diff --git a/apps/vault/compose.yaml b/apps/vault/compose.yaml index bead215..5825cca 100644 --- a/apps/vault/compose.yaml +++ b/apps/vault/compose.yaml @@ -17,7 +17,7 @@ services: labels: - "traefik.enable=true" - "traefik.http.services.vault.loadbalancer.server.port=8200" - - "traefik.http.routers.vault.rule=Host(`vault2.dataforchange.org.il`)" + - "traefik.http.routers.vault.rule=Host(`vault.dataforchange.org.il`)" - "traefik.http.routers.vault.tls=true" - "traefik.http.routers.vault.tls.certresolver=dfc" healthcheck: From 9a09dacba30bdb844a4576b4ea57a3c47f546e22 Mon Sep 17 00:00:00 2001 From: Ori Hoch Date: Wed, 24 Jan 2024 22:11:58 +0200 Subject: [PATCH 11/22] migrate anyway to docker compose --- apps/traefik/traefik.yaml.template | 3 +++ 1 file changed, 3 insertions(+) diff --git a/apps/traefik/traefik.yaml.template b/apps/traefik/traefik.yaml.template index 51cc657..e5c99b3 100644 --- a/apps/traefik/traefik.yaml.template +++ b/apps/traefik/traefik.yaml.template 
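Review bot: `cd "apps/${1}"` in `bin/compose` is not checked, so when the app name is mistyped or the script is run from outside the repository root, the `cd` fails and `docker compose "$@"` still runs against whatever compose project the current directory holds. Make the failure fatal with `cd "apps/${1:?usage: bin/compose APP [compose args]}" || exit 1`. A short header comment saying the script must be run from the repository root would also help.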
@@ -8,6 +8,9 @@ entryPoints: websecure: address: ":443" +log: + level: INFO + certificatesResolvers: dfc: acme: From 9bf7d153eb739e69d0538837a3021e2ae55c250d Mon Sep 17 00:00:00 2001 From: Ori Hoch Date: Wed, 24 Jan 2024 22:16:44 +0200 Subject: [PATCH 12/22] migrate anyway to docker compose --- apps/traefik/README.md | 10 +++++----- apps/traefik/deploy.sh | 5 +++++ apps/traefik/secrets/.gitignore | 1 + 3 files changed, 11 insertions(+), 5 deletions(-) create mode 100755 apps/traefik/deploy.sh create mode 100644 apps/traefik/secrets/.gitignore diff --git a/apps/traefik/README.md b/apps/traefik/README.md index d2aa271..01a8686 100644 --- a/apps/traefik/README.md +++ b/apps/traefik/README.md @@ -2,20 +2,20 @@ ## Install -Set acme email env var: +Set secrets in apps/traefik/secrets/traefik.env: ``` export ACME_EMAIL= ``` -Generate template: +Create acme storage directory: ``` -envsubst < apps/traefik/traefik.yaml.template > apps/traefik/traefik.yaml +sudo mkdir -p /data/traefik/acme ``` -Create acme storage directory: +## Deploy ``` -sudo mkdir -p /data/traefik/acme +apps/traefik/deploy.sh ``` diff --git a/apps/traefik/deploy.sh b/apps/traefik/deploy.sh new file mode 100755 index 0000000..21fe266 --- /dev/null +++ b/apps/traefik/deploy.sh @@ -0,0 +1,5 @@ +#!/usr/bin/env bash + +. apps/traefik/secrets/traefik.env +envsubst < apps/traefik/traefik.yaml.template > apps/traefik/traefik.yaml +bin/compose traefik up -d diff --git a/apps/traefik/secrets/.gitignore b/apps/traefik/secrets/.gitignore new file mode 100644 index 0000000..03bd412 --- /dev/null +++ b/apps/traefik/secrets/.gitignore @@ -0,0 +1 @@ +*.env From 73b93624f95dc60b5c2c89444f05c77d088e4484 Mon Sep 17 00:00:00 2001 From: Ori Hoch Date: Wed, 24 Jan 2024 22:17:41 +0200 Subject: [PATCH 13/22] migrate anyway to docker compose --- apps/traefik/deploy.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/apps/traefik/deploy.sh b/apps/traefik/deploy.sh index 21fe266..484fb18 100755 --- a/apps/traefik/deploy.sh 
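Review bot: `apps/traefik/deploy.sh` has no error handling, so if `apps/traefik/secrets/traefik.env` is missing or does not export `ACME_EMAIL`, `envsubst` still renders `traefik.yaml` with an empty `email:` and the proxy is brought up with that config. Add `set -euo pipefail` after the shebang and `: "${ACME_EMAIL:?ACME_EMAIL is not set}"` before the `envsubst` line. `envsubst` without a variable list substitutes every `$NAME` in the template, so `envsubst '${ACME_EMAIL}'` is the safer call if the template ever gains other dollar signs. The `restart` line added to this script by the following patch runs under the same missing guard.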
+++ b/apps/traefik/deploy.sh @@ -3,3 +3,4 @@ . apps/traefik/secrets/traefik.env envsubst < apps/traefik/traefik.yaml.template > apps/traefik/traefik.yaml bin/compose traefik up -d +bin/compose traefik restart From d312674230482df24877561b25be13c844299c1a Mon Sep 17 00:00:00 2001 
From: Ori Hoch Date: Wed, 24 Jan 2024 22:31:00 +0200 Subject: [PATCH 14/22] migrate anyway to docker compose --- apps/cluster-admin/README.md | 11 +++ apps/cluster-admin/compose.yaml | 17 ++++ apps/cluster-admin/secrets/.gitignore | 4 + .../secrets/terraform-state-db.env.template | 1 + apps/cluster-admin/templates/daemonset.yaml | 76 ---------------- .../templates/github-secret.yaml | 7 -- apps/logging/Chart.lock | 9 -- apps/logging/Chart.yaml | 11 --- apps/logging/argocd_dfc_plugin.json | 5 -- apps/logging/charts/loki-2.13.3.tgz | Bin 9385 -> 0 bytes apps/logging/charts/promtail-6.2.2.tgz | Bin 12731 -> 0 bytes apps/logging/values-main.yaml | 17 ---- apps/monitoring/Chart.lock | 6 -- apps/monitoring/Chart.yaml | 9 -- apps/monitoring/argocd_dfc_plugin.json | 5 -- .../charts/kube-prometheus-stack-39.11.0.tgz | Bin 398212 -> 0 bytes apps/monitoring/values-main.yaml | 37 -------- apps/velero-backups/README.md | 81 ------------------ apps/velero-backups/kustomization.yaml | 5 -- apps/velero-backups/monthly-schedule.yaml | 10 --- docs/Migrate From K8S to Docker.md | 7 ++ 21 files changed, 40 insertions(+), 278 deletions(-) create mode 100644 apps/cluster-admin/README.md create mode 100644 apps/cluster-admin/compose.yaml create mode 100644 apps/cluster-admin/secrets/.gitignore create mode 100644 apps/cluster-admin/secrets/terraform-state-db.env.template delete mode 100644 apps/cluster-admin/templates/daemonset.yaml delete mode 100644 apps/cluster-admin/templates/github-secret.yaml delete mode 100644 apps/logging/Chart.lock delete mode 100644 apps/logging/Chart.yaml delete mode 100644 apps/logging/argocd_dfc_plugin.json delete mode 100644 apps/logging/charts/loki-2.13.3.tgz delete mode 100644 apps/logging/charts/promtail-6.2.2.tgz delete mode 100644 apps/logging/values-main.yaml delete mode 100644 apps/monitoring/Chart.lock delete mode 100644 apps/monitoring/Chart.yaml delete mode 100644 apps/monitoring/argocd_dfc_plugin.json delete mode 100644 
apps/monitoring/charts/kube-prometheus-stack-39.11.0.tgz delete mode 100644 apps/monitoring/values-main.yaml delete mode 100644 apps/velero-backups/README.md delete mode 100644 apps/velero-backups/kustomization.yaml delete mode 100644 apps/velero-backups/monthly-schedule.yaml diff --git a/apps/cluster-admin/README.md b/apps/cluster-admin/README.md new file mode 100644 index 0000000..e3b5a3a --- /dev/null +++ b/apps/cluster-admin/README.md @@ -0,0 +1,11 @@ +# Cluster Admin + +## Terraform State DB + +### Install + +``` +bin/render_env_template.py apps/cluster-admin/secrets/terraform-state-db.env.template > apps/cluster-admin/secrets/terraform-state-db.env +vault kv get -format=json kv/projects/iac/terraform | jq -r '.data.data["state_db_server.key"]' > apps/cluster-admin/secrets/state_db_server.key +vault kv get -format=json kv/projects/iac/terraform | jq -r '.data.data["state_db_server.crt"]' > apps/cluster-admin/secrets/state_db_server.crt +``` diff --git a/apps/cluster-admin/compose.yaml b/apps/cluster-admin/compose.yaml new file mode 100644 index 0000000..305eabb --- /dev/null +++ b/apps/cluster-admin/compose.yaml @@ -0,0 +1,17 @@ +services: + terraform-state-db: + image: postgres:14@sha256:b0ee049a2e347f5ec8c64ad225c7edbc88510a9e34450f23c4079a489ce16268 + command: [ + -c, "ssl_cert_file=/opt/secured_ssl/server.crt", + -c, "ssl_key_file=/opt/secured_ssl/server.key", + -c, "ssl=on" + ] + env_file: + - ./secrets/terraform-state-db.env + volumes: + - ./secrets/state_db_server.crt:/opt/secured_ssl/server.crt:ro + - ./secrets/state_db_server.key:/opt/secured_ssl/server.key:ro + - /data/terraform-state-db/terraform_state_db_postgres:/var/lib/postgresql/data + networks: [dfc] + ports: + - "9001:5432" diff --git a/apps/cluster-admin/secrets/.gitignore b/apps/cluster-admin/secrets/.gitignore new file mode 100644 index 0000000..d25e54c --- /dev/null +++ b/apps/cluster-admin/secrets/.gitignore @@ -0,0 +1,4 @@ +*.env +*.json +*.crt +*.key 
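Review bot: The `terraform-state-db` service lists `networks: [dfc]` but `apps/cluster-admin/compose.yaml` has no top-level `networks:` section, so Compose should reject the project with an undefined-network error; the other stacks in this series end with `networks:` / `dfc:` / `external: true`, and this file needs the same three lines. `"9001:5432"` publishes the Terraform state database on every host interface, and Docker-published ports are not filtered by a host firewall such as ufw, so access control rests on the cloud security group and the Postgres password; bind to a specific address (`"ADDR:9001:5432"`, placeholder) if only known clients need it. `ssl=on` alone still lets clients connect without TLS unless `pg_hba.conf` uses `hostssl`, which this hunk does not show. Postgres also refuses a key file that is group- or world-readable or not owned by the server user, so the `state_db_server.key` written by the README's `jq ... >` redirect probably needs its owner and mode fixed before the bind mount works.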
diff --git a/apps/cluster-admin/secrets/terraform-state-db.env.template b/apps/cluster-admin/secrets/terraform-state-db.env.template new file mode 100644 index 0000000..308e78a --- /dev/null +++ b/apps/cluster-admin/secrets/terraform-state-db.env.template @@ -0,0 +1 @@ +POSTGRES_PASSWORD="~vault:projects/iac/terraform:backend-db-password~" diff --git a/apps/cluster-admin/templates/daemonset.yaml b/apps/cluster-admin/templates/daemonset.yaml deleted file mode 100644 index 6b79824..0000000 --- a/apps/cluster-admin/templates/daemonset.yaml +++ /dev/null 
@@ -1,76 +0,0 @@
-apiVersion: apps/v1
-kind: DaemonSet
-metadata:
- name: cluster-admin
-spec:
- selector:
- matchLabels:
- name: cluster-admin
- updateStrategy:
- type: RollingUpdate
- rollingUpdate:
- maxUnavailable: '100%'
- template:
- metadata:
- labels:
- name: cluster-admin
- spec:
- volumes:
- - name: host-sys
- hostPath:
- path: /sys
- - name: hostfs
- hostPath:
- path: /
- - name: pullsecret
- secret:
- secretName: github
- initContainers:
- - name: dockerconf
- image: busybox:1.26.2
- command:
- - sh
- - -c
- - |
- cp /tmp/config.json /host/var/lib/kubelet/config.json &&\
- mkdir -p /host/root/.docker &&\
- cp /tmp/config.json /host/root/.docker/config.json &&\
- echo '{{ toJson .Values.dockerDaemonConfig }}' > /host/etc/docker/daemon.json
- volumeMounts:
- - name: hostfs
- mountPath: /host
- - name: pullsecret
- mountPath: "/tmp/config.json"
- subPath: ".dockerconfigjson"
- - name: sysctl-conf
- image: busybox:1.26.2
- command: ["sh", "-c", "sysctl -w vm.max_map_count=262144"]
- securityContext:
- privileged: true
- - name: disable-hugepages
- image: busybox:1.26.2
- volumeMounts:
- - name: host-sys
- mountPath: /host-sys
- command: ["sh", "-c", "echo never > /host-sys/kernel/mm/transparent_hugepage/enabled"]
- securityContext:
- privileged: true
- containers:
- - name: debug
- image: busybox:1.26.2
- command:
- - sleep
- - "86400"
- volumeMounts:
- - name: hostfs
- mountPath: /host
- - name: pullsecret
- mountPath: "/tmp/config.json"
- subPath: ".dockerconfigjson"
- - name: pause
- image: busybox:1.26.2
- command: ["sh", "-c", "while true; do sleep 86400; done"]
- resources:
- requests:
- cpu: 1m
- memory: 5Mi
diff --git a/apps/cluster-admin/templates/github-secret.yaml b/apps/cluster-admin/templates/github-secret.yaml
deleted file mode 100644
index 04f047b..0000000
--- a/apps/cluster-admin/templates/github-secret.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-apiVersion: v1
-kind: Secret
-type: kubernetes.io/dockerconfigjson
-metadata:
- name: github
-data:
- .dockerconfigjson: "~vault:projects/k8s/dockerconfig:json~"
diff --git a/apps/logging/Chart.lock b/apps/logging/Chart.lock
deleted file mode 100644
index fc3aa22..0000000
--- a/apps/logging/Chart.lock
+++ /dev/null
@@ -1,9 +0,0 @@
-dependencies:
-- name: loki
- repository: https://grafana.github.io/helm-charts
- version: 2.13.3
-- name: promtail
- repository: https://grafana.github.io/helm-charts
- version: 6.2.2
-digest: sha256:04e64fef2aac055e286710a80a85fc9974b5e61cbb00fa108f4f4c32563cd461
-generated: "2022-09-08T18:11:23.906641957+03:00"
diff --git a/apps/logging/Chart.yaml b/apps/logging/Chart.yaml
deleted file mode 100644
index daec8b0..0000000
--- a/apps/logging/Chart.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-name: logging
-version: "0.0.0"
-apiVersion: v2
-
-dependencies:
- - name: loki
- version: "2.13.3"
- repository: "https://grafana.github.io/helm-charts"
- - name: promtail
- version: "6.2.2"
- repository: "https://grafana.github.io/helm-charts"
diff --git a/apps/logging/argocd_dfc_plugin.json b/apps/logging/argocd_dfc_plugin.json
deleted file mode 100644
index 3049f83..0000000
--- a/apps/logging/argocd_dfc_plugin.json
+++ /dev/null
@@ -1,5 +0,0 @@
-{
- "init_helm_repos": {
- "grafana": "https://grafana.github.io/helm-charts"
- }
-}
diff --git a/apps/logging/charts/loki-2.13.3.tgz b/apps/logging/charts/loki-2.13.3.tgz deleted file mode 100644 index b06d1835ed701c7a466fc9601d1e757363599c9f..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 9385 zcmV;aBv#uWiwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0PMYMa~n6(D7>HNSKy&`OOju4Na|*rRnB`9TXB5Wc2t&=t*5*> z6gUHturR;`z)<2U+TVVv8<;DHqU6YmpFNrnwunok0dzOI8x26HbKZM7quPcGnux!A zjj!MD_Ye2?@&A6m-~7LSaM=ILV1M^%fA`?&!QkL8{lV^FzyBA~|0>utzRXyv|I+`% zZ8bahKjfn+|AlG8l^l}!AfRbl{@e`@!$A-;6KS4WOxt{`&iRlCe$L2=Rtd8+mYE$g z&McWIO@x}7a5I>xgbm5e+SCkty{V=XDrp$0qzCjC@Cab#*_vL2Q*LM3I5SK~N?Il@ z7WNgfQZJ##GTn<+WO_zrI%1|L)KrD3oCfFFm=%cspFue2hy89pNGO+=wA23^7u z%EgcXxKyjpEVBP=s?=1lsa9EPpv`~~NdbB2D0x@b4_q?h@0$mZMIW&POIQc<9I4%K zuovzHfA)MgKOEXQ6&W*MO#s}?|GT^UhX+mm-|rtj^8Z78JfTxI3<%LIRfb!o7ei8` zU_vaN0{wz8ASBI%I8lN}iy?V4d9Un=W`;={1cYpCke^UcP$3q?q%7i-1)-8qt?7cO z3Bl%0G9gY`q?t9LtL1-@Br}$b8A+(j5JsdKwJauF5<6qankJhF>At^i1Pw31vLhnhc-?bTQMYKp{Bjv{%*h5-|zKzdpt?C znzMvSYr0l-?TmHvHfhScTy{$UUBI-r;ql{gip3*nx~nE#D)Xv{L=&?iky9=&145{j z%2FT_GbC5n0U=Pnj;OC4BJ{HAazQIhmqq}-V|B(l0U^UGv)>6f+w?Ta~T`J=)m6mt&lpy~DM|}fuIFgp< zcnt&Sf@Z&ET(kI9rn#J+Ml%*?g3IZfsZ>Ss@g<8gR0jgb41$iCIAwxGR%w?AUqWp( zJHAX|Dsj4toGv+Miy@(DS|kyoQl=>YAa7(P*{w~(N=nx)!Y;w8R0%Z&HXM>pedJ(v zKw@-o22L%tY?6snW~)RPGzl`;@SIDmrV*D@oU)jWv*`|z426-gR0#5!vMJMq%93q0 zpU$k$7||({b_7@i9u$y@%RGX-AAvlBz|E;6BX-G+g|SESgEX4i*{C5)0zwj&jF}eP zSV!!i6_+EI=*b_zfvmt0EJSO}CR{S0KVmFQC$S3B85BcVdog3ulRpSzK4HcZZpfHH z=_!*iPh3ued^$F-t_YWr$YMr1FgM{O69Pw`gyj0VTjIJ2sB<}GpvyTlqgf`;M?4m6 zlrqg#JS2NbC1)&DbUrftUu;Nr4|fOq`;|=1K$aI32d-j5FGp5WX(miV5zUzyl0N2L zP>~N$%=M7;VrspHdEw=P;1d=tB9UWAi1u^mf3Z~X2uWr%p-A*(5aeUNL0<96glQ%% z)+26u4T-3PfzAwzLvkEWL-JBdlZj%os;vNZ8>=)(pL(fP?U(tkLKPD6lCa~mo*nf2 zomzgX*@RyXNvEC+B54!}4uouZ!c+!OcKfDY48U>&dizK-8k->jaU8% z>NKinJ?}q12wVr~l-0WKdNcC9$q}NF<#RT2*u-3;cwf{wralZ^SHoA2Xf$IZSOJ~s zxVjpatktqsV1Emlzd>F)?%@(tLc?N|$`iB+VT2}1Csam^s5t{ORDxv2Irrmdc7XE? 
zNt9+J=H{HBBAL(4jA|CIn7Z<3MRK%^28txm4V-L3V6|}u$`neSkH$1QFN9X#ppHEj zY?M$*r}+$M1`GvE9y0-JT5}bs7pj4aRFXQ$;Dnyi=Uh&2H;YBx;Kq^JAnzHA{X`rI zreRHJH~LY9!KMVY%-EjJ1T(#0gM6HE18d7?Se+;_9GIGT^=St|y9on14+`3?z}JvqPa@*hPv~KIm;e34c@+km?{}M_d;CIRb@pNP0F&dnVGL0J%&G zMvute#F%W$+ZqABG?mqDVVq%h}5Ten|Il+gC;-D z7-+L-pMseyaBy+iG=clS7$RKo?uO{iN`Ce%@R=GG2op-w!6vR!Yl6H3xKxtQ^2M(9}085#6nb5xXPpm)M36?9H6 zxSe^GegjPdmga0(*pIFbmK-yoE&w0YK?|%S)@pOpC}PIEQ!&Gpy-PkY8vjFc%YKq5 z{heY7_<_0tmP}5~%a-Z}F@=@mR3Ef)-nv?a8A#JKtdDrbcZg83@d=VSYFnk!|58w% zI5^D#a1?W*V&Ym0QWd`~vCT7&DuxYOcx4v?P%v_jEg%H~Dy^E%^=!v?ohsvX0s#6B zr47nFZHS5)9u7Uu#1&H*XxU7;r`e#MQ>(BJxf7EhT)FGPSM zTPll%E!gt3weSTO0?UnA?q&tV`|x{)zq@- zqNJ4%N(e5eKVx<=x$l(ZUX(70Z7wa-b1J-uq=nw{cCCa)srE6qRR?|Ntn-qfWcpIr zeaHmMP17a)dPU0{q+Gzfww|G>iVj4~KUGPg$r>~#3p$|}%&3HQOB}kW2byrISsGg9 z^vZB%6S3h}4eyr3a&C9(L@QX^J}UK&%Ebp}EY;Qog;mZjQ;oh$Ib~)mb)`pG3T^q3 zarA!mS&d)(8yz>D>raD&t7QDjqY1o`;^e%#in0tqu?pt4k z$|_lsP>_A7ihBHrRf;53E{OIWB3tNh1KaNEiu~2J9TsWV*V|Q~wcX0jk<-L-*fScp z!FOV474&~fLVh`V`|~k*fkm7upaqkV-$O#k)>o-+@#-(#{I`L-YaCwNmM`8k6g5)Ke>| z*i}r|z|df4Gl`C2hrm4($O)A^YSIVHTJHLAGnYcKkyVz8PlNu7d4dUQ&d-BQ4`O)# zv%^h&60WX5g_L$e{@M9kxI6i0r<{Vn75*Zy$`GOZp02kPjE_Zg!nS7IST)r&8U2<~ zX}Mrq{qXtoo!c_tIE&7iy+Y#quYY&8{(rt5KCzUG@JZ+T(?K!ef^Bba6JW$YYo3K0 zf%~87HXgjo>>Kj@xt)=e>4@PBNZVHWK25Swf zYHkfuaTtJo>ukYf(FJ(rZZuj0Za1EcGqV`0%b{~;Ijcb>36=4XeA+a#%^kAYjo@Dv z%@mn2A=Kut-q*5>V#VuocSJSNi9ucEa#2MR)Cw`CS~E?b@Ak&j@Tf~OJL}e}3}ZIO zYE(~)ZM-h&pdY(a{_b|O)L6}E^1{2u(C>!(7GO=(iefWPqkhq2HtN-y#GD?Kkr>nB zs)AusLBRD6nkpP=#o#!LWH5L(7!;YQR#rty49UlrCz$HIB=2CMT!LH2r-E*|I|}uj z7hpvX0zaX@IB!hLYQL!AV-~DNbGuUhcdL$7fllt zY%YtGX=bxj}d8cZyMj=5BLmJ&-YOY$!1BxFNBM&?W2lPwwVe z{|9d3Vq2WW&QV8&QO;Xu70eK!&K2&rzF_{LDd(~a$&t*>7m&JUrY>Y|e9|0mKp+hA zpCcDX=jN|u1`nllljrPGtfxQn>Fnc7t86+;Gy7IePf-$>oLdSdh>RCo#jtJ@w~$s0 zm~PDGJzOE3>iQjeK5{U)F775lkQsLDeQx;_IEPA`E$T)mp{e7HPUo8o;`;+15|3p` ziUibq|I^3g)6ibp`)p%f{O{h=!$$ny-r@e!$N0a8_zM}5mo>U?{`E%$<&#Y z7%4JihUKaVs)py;m_=5QZnyO3UtN*#0~4TihwqEj>uVIg-HFl{RL8me?yZR(L1@3Y 
z_*7pd1UTgS8dx*aBHu|H>^=?qVLu!US6AuLl=o7tk{)Vy|4EGeg8f;rcG$m z`wInL!~gq-Pj?&qzkjg5_sIVb@m*c@o{%|DhUhMyaKY>%WiJvKmT1O?Cst=N zB8PkUCr?hZ$%J2$PPYWcWQ>11)vAl&gpbLhK zSwu6#h*1fvM(JW_G2qsq3kWxUa_yEIvNd+{^VR!PC<}rT6tC?tcrzi|2|@?NYc9r( znM>oP(wrH$xk?dvk8S(7mO?Tg4n8S{GS4iAGcU8Uz^%qxm=e-o5%=MX+fQi)&te!H zl-goZ;#y0+GlJeJ(D|F`{>^k6&|JHBA+l9}*NCq&tH3D!=m*Rw&a5XBR|?mkRkMpl zIxG899cuTtKl(y`$JjtvZae>9hjd1rFXyBtoBNfNP`9170`vO5-TPG(S}zv*sDbXa z3kSctD#&VUrEajj3K$~YB#8#tj{l=`Do z3IAT6unS*vn@b!3REAH5=g)BKdp@YqP)ieo{Xg8qm|0qB2g|Wb%OsvQC~%N*laX`o zRY{_x_l>WRXD-u?7fsV42$5V{uBkX+s{|;w+sb%>j)lBNFkG^eAalkvx9DE2=K4s6 zYCo>8???Y@=>LVU!)-|4&ym1&_W$8Q)BZmk96aj(5At~-pfuUah3YEjSm-@t+hl8M z$(CTUki!iJ;5O-R1F?3y-Jo&6_?*jlNM0hDy`yQ6FiT@<>99C>yUaa}(? zjl@{#dkE@#VA$)LW|1>`NPZ`h%NW+(eW;itcSp34bB5&iu8+n?zi836RsT&Bv1<4# zC>(wbp09ol{?FHndp!!ghW~dVuWA1u>_77VLwpS_F`xfD)VEN^fY{%Ag>1FIt|)Hi z(TUO)O1HY=ih`whs6lSiSwg=Gm-6K5ss`Zt+KU&j6}1bOvMVSSzN+wWg)wZoIl`4a zc2{y~)4eJv+5vmr#-uD7Hue3yo#shgS9|$vyPb!n}r5e#{u!fWMYe zLl1R%o(m5h7e6blU{1BK0Nh0`VxMa{o)9O5{Z`|GPMfaWY1Rd(A2B%d1W%pSGFt}I zePbG(GZ_zCN`EOLgj7O{>)$Gtt$(QxJYK4uC1a*t{ahR^RWGcERam{h1rENb+azA! zTzyz;N$n*0HRXR}{r6Lbr(YKLr3I{6{|AGErvLx2-+x^HALMHY@!DahLJMdtyRG)V zTY2AC>wkfA|Fsunw^V}Ah)*j=d6o|H)Wpv^jEOt*v&K2#%H3%F7wdBE5OQ(OehF#! 
zwV=KVr<#*+X+2qk8}acorizgld8@W)A4rNleqZ`Elfdt1_WH+FKkx9Fomx!GY3DR`{9TmlJC0v#_4<+<+NDdDU_6{nCmhS=7jpvdp zSC(m&R(BI~z(;T2ev5MVTlt#uzc`T!lXg$4;5zxgKX|&d|980iDE}Yg^YWj{xM{=r zesKKx&cyK?0k6t9AEz${O{Zs_pAY|pbva%(% zGLJqGD?K5rz*K^=@Jf;*YN$!$T2j)u zexwC*ncZUNlozVB?^jmxi*3sNrW32aQ+m57mmA|q{%nGO{A%9{`Cq=+aStoNI{Dw< zYsUW{9zK1H|9FtEc}mpje&zJvr1#yhNZj%{n1_n@SiZ8jMV4n{!OiTwvUrd6Q5Y6w@5Q0kr_c8f%eA2@?#qf@sIy}AxOe$n(R=@F z+I;-J{?{)5ANc&&vj6|!@&2cW`R-Z&|DUS%-+1_{(M+J1IxUYpUdNLj^P*rGBfTkN;?a-Cw) z>}-=QsVv#Th^VE~#e%xMz3ngODwo(6EQ;LrQ)O$gdRrOGHHcM*y@FjmxfR8Fk(*Dy z-ENXs<z6*}7)N-}^Tv*35SP6h$%5h-dyjMH@1C z=FRi_pK46EumAp%pNEP6>K`uKe}loJ|NlY0TV2ew#sti_wyNsF7q9PkSc!8iZ&;AO zV7Kjd8qCeF%q)wU0@oYreeJ!zwy&N4eYD=g@c(ZA>E06mKgRz&%y)AL---jEYl1mX zYd{|KGyoy%!YA9}C6|};b(P9BzSW#qgTjqhKdeWlChpdRXx__Nr*+3emo7Y5-b1NK z)s};|E)uFZR@yFgYppODr;1DKqexrdbz3(N`6E*~-sPiHtD}IMbsC#TH#b;&n<}r; zc(7`9)2+4d)P73sEH7DJE3v-pW323d?AKiX{UiD2K7)X6UjGMs2M0^>fBTQ;e;?+n zF6%T+O=T7Lq;UF8p5(oqp|I9fhc`hiKWJJJi!J%C{qk|pO6feY&EEeiORsOIepk({ zLo}8jY-}CIda>oH$lLS%tPl%nJU(@oPT%ncj$7Pc(ds=e9@1@=YH=PvYnG{9=CeeR z#d^FxysiQ_nz88IWQo6wv$mhQh1boJzlI$rv4z76*TSBKSOfw-IX;tPAvrfvKmh0Bm1F0R_3YQ3LHK9clf7r>zXYrUD;ND zqpS|qjl50LT6+CuvSx0ZSG@X^R}*)4Z)%IHyjH0s>%nfz9d|7k(dF3tH_29aAfJ`i z+WwLC)zv#aSjak!0>$&~RdG_jLm&G5CeBx1^Qzsp?&bI6t{NNnSlEP~v-Lw>yZEWz zOw0aH{xx3ITaJ#wR{(VgAVvbmuNfe-H|Y15sj6)^s*crEr_mQ;165aG^SuB3;4av# z4X;`;b?w1Fx9-TDf{t$2izSK>e9mew@7K#Wn7&rJ#_)Bh%MbeB2)17QM!5O8z4ah{ z$s3@pR0&qVT=nk$4NWjPUj|zhy>i|rY?qpba;sZeDPS9|SxqA@r{QPHrc57AnY2Hu z)#UrXkB(m-e;6ITK7Rjk^y5#b9~*e$`c+@jSGUkvkMEKOi)+lWod2LzvNWzgRBqK< z9=97tYt8m>MNwP5M_kk9a%HZ$QB3@%_40LpEi+s#*sdYc$pjS1#f@O{LhT@|5=_@^ zn^q{5aw`Baop6aIUTYe$6Q(&{Af#kmx210^S@AVjukax&HJkh%AOC=Vjmp37lDuj; zF76t-kJPz z)xb0$-p*sOR;2j1e{YZ{d5P7+q{RnO)mB^RXtjRa;G(ORhk|Ob{XpU!S+{GU^?I#3 zheVLHY|!7_ZhhY7CG6aj;&+mo-m5k|n;xweIatL;H1AV+cB9W|ExdNG=Cd}33ymUX z%sUmcJAg0iwBy{OOZm6pYuc3`v(;u2|5wY_p|7>VX;ZDGpQKn2C9x);1Zx2iT(U3-U!9Ilto$eY4!Y{2~8;I6ivy?l?^1 zuhYgF{y%)WbpONPpnvel{}1tPkhkiblOLH#2s+?{U}J-vXomM{8g7{hf_L{)7 
z7@aakJ{5T@a7Jw5pAi)5ZIg-8`J3k?R#Ap`rQ%I7qX7Hxilss=+(0TR7TAq3H8Y1t zmQFQ|8R>TY5V!|IeGi;>8u8oMAU|VSE~oIT@{>?Wa;28|txXWvlt^|#68c%`{JmM2 zuFB86c|*{n8Iu{)3~U7+xwlKHCDx@GXobs2B`LLhEEpMUM)48&Xoh@SymfdhL2rmJ(-EgoQ_JiP!EKqStJLH0q-0G;fLdT23K?y@mNfOZI+DVPZe zgv#Q%T`qwUq$SG14TJ9&Nb*4WBx2g~iIcAgz`so|Jyv<_Y6v4n(2G;-D0sn0#?c`4H>3~_-{Z+N{zWtIv(O*ZXr9RAifB$euX0proDLHrfBMx?+UGc(a&%0F8NVP zsRMxWhub1SjcI-C4s*&#V3$}20)y0b$0~8u))n=x%C^?9zJHOf8jV)GJy(5HuI2H$ z9MS5_ayOPb27}ac<$s5g8!~CFD}69LXzAw?S|TM!&$?Fk88)7V;_vr#3k|RLKv0{cic_Nj4@+6l5z|GjDGk~f=vq(}U zK|o#1crHamztdX}-7C^WM*1(U><> jDpaS^Ts!}>jm*dI@q7Hf$?yLL009601B$p&0K5PIhcR7+ 
diff --git a/apps/logging/charts/promtail-6.2.2.tgz b/apps/logging/charts/promtail-6.2.2.tgz deleted file mode 100644 index f2d3dca541d581726640fddb832211cf06f26bbf..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12731 zcmV;sF+|QEiwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0PMZ%avM34C_KOGDX>&;wCxp(q;B@dot{~>?4Hq%FA7UN8xtM9 zB3K2IXn}=l040ed`+KVM1n0?4AOTdNZX_kqa?cE_BidpWkVqteydV>aRPedNl=V(# zSg3G;=j?Zze)|1>|LEWV{_Xes)qndhkM@2yIM_Qn+}q#p_h0_5KiKc@z5E^OZyb|` zCzA?`-}N8eR<(2gAP-LIUx|>ECqs0-7vMC_f9{1x;UI{Kj08;;ygIY91yPA`g7B0i z3f;_TG(&PmQ;F1!pok}mBuXMaL5xS3A;zZ?DUL9D%dcpF5KW}QNkoDfpOYb)DV54$ zuQwHVf)gA@eBNWaB#m^d?z6x*;gqUbHqImwwizgFD?+8-97{z+FXoZ#NuG&_$R6WU z9;V4Om}8nKOcNsHFz6yO$CM3`u9ph_3yIW!O*x-3G8H^ar3M}#lwgge#vQ#Y>IYr> zAxowijWU+Wz`SsaDzMG#mhwJA2WnXRB|Iu{DNUzZzC$OW0KFnfR0=6CU|BfOgdS8bsp6~Pxl%(k&g5duZ)@-ro-PBS z@N|d<;r@OLB5B4LN;#uZ8z!b8RM&;ipzIKxPTq5MCWtiCC@0sF5l~!1ozQ6}G`xvC zHD%x7+aDznr>@`-4fb9IK|UC5LlLx5d>OriGFhFF%VnaiUFIJKh$i*Tj7zP*n7?&tyn>PeuZ3<)Ne5Yp4D_QvcU`P?0=I@|Iqcgh;7d8MK-#W{(1 z5<8Zi5OT>R(rk$K`u(~2IR|+FYyBP7uN*|b_@JeDF|3kAnI1f&*WW6bq$!VKPMzD2C+3?b zqR5hCsoBjC_1(`uX>D5nUI8}ei89FlY-)nw_(Q@LA30Y)P)6iJDl)ff0YVW@@t88I zs8+po-(ta2^A|#0bo}=^>QSjKmouG2#ib)~{YZg0pVQ za6*tqO@@Ig;OfcJMOS1ogpXap840hlF%bz-1lYZS1gnOpx}NUVn_DWCG-~Z+LLxOp z@AgW z41$^EB1@p_GcMJcmO_?YIf;}dz6#}Pc?@$&JbB2z8aG=msf;*9P|9YgUZ5}_o0hlV;M0D(UP;l8hvW898nso2RrDE zotOdY0?h=!4~jz|ji9 zT(hE$Twy>tMX!yBmMM-1Kx}KyN>nIV7OU^``X#Zp4xp06a|%ego^OZLWvc5=!Bi{N zt(Al9A4?iC28@;gL|kJAn!5S3+}-ACRwLKz@=qMao}iv%g`Sac8lu6We6Ce`sBvK` zEQKuyU~T7&*#%Eiw$Oh_SR@jS$%G4HfYM|NkQ%m&3uCP7gl6NrG2>&m3I3W#nV$R5 zl^#xMIFENMP6j1t?O9AF+Ezj%`|Z-=J9-Z4HoT+Bw4_2kpr_cF^9)O~r6CnbUH54+ zB~lsF{_FMM7N6PskQfv98*!+HLtA|=otAKSh|D5 z!GZaZ3a)s>*$`cvoS9b^B?}KB<7+r!nWpvWnR^|%7j|XX*J-5zgdFofJ#(@H9<4kY zZ2am~zF}W`Ou@b3IQ||poJ4gT{BP&L%sy%ju++T6>OyGMJaXGc-i}4xUMq=&)rwA9 z1)#-7>TJP$acf{np5|Z{1I)%jGX(ev{l_5g(tO>UaA4d!lZ*xGJQJ 
zetCL!QhsrE`r6wu&rN)z^kj?-(YGJ<+v8-R0Za0hCfRNK_bg2rftAT%b3nEho!H%j zw(l!80|fasqk_b*1y4_E8v|xDAh7%_$}O`<;0f$^JB3HuAx0C*NCGFY`EQzO(hM!}BtlTwLrZsW#CDq$>OtdJlRB8b_^)$qY|H}l4Dk%XqH z)>y`b@f)OORBCH$^>j0cly-Ub;Ofa*VIqZSgxI4v)+~9?AA>)+xt_Qs| zle1ha(^@jD3O+%CWKwIQ#YBW@8{uSm2h9G^i7}P)x^uiJ*+N`sdq;63NSwj`XPhN5 zPNIdWf1#&4m56|egc)0)8DZ%pW9Vi^5;V`4qA4S2RBSn1$~YI{pj2m)*mao6%)r3c zS|Jfrf>NyIHBC^&=X1@**P*cMkKI3}sn!k1xx!P&V>IC-L9O13EcD_Vjtol|BxN`v z_B}#I*}k*_E`P17TwczJ!k1o0QyyPxxp@grS69+F1`PH-iEll483_)LRF~I!4fHnzms03m<=h(P$rtl*gNIFIVK2wOsaHu00l|jgH=n zZw9>=n#n(SfSP-d(Rfq+yu3`Ynq6LQwwr=X$*s{Wde6ca&o|uvLc>jschWCFx#eV+ zGYtHBeQ1vYb3bxhC-~_E`~Zr(t^YVS0b_-6WQ@gp>)n{(zwmKrK>)kg3|^v`jI(KN z`$>xzD2wCx9IF2}AHOyDSpNue9{IoV48&BLDKsP6N=p`6b+Qu7ZKUVQoDoW}DMx(8 z?^~%=Y%ROLMPtUJD~GKwCCEHg#(4+^**TOq2BI9IPG=Qf9+50roJqal8M?v7?}Fnd z1lPd_U_K0=idn1?=oIs%tCvkD=cdq_HJ9_|w8adIqm0ETJF$%Vg_-250_I9)ekypJ z!3ytPNuDG`<(tCRt8GyZ86BGfF!gesCFc{r@bRTFlq>zpXTB5hm$D?|^>cUEMT-AT z+vVY3jhbMaby`ALRuIr9l+Yw5i9!eH^XD8?qXtuEA%ZjFOA=HaoO1D2X0&SU3(i<| z@q4`R*-!oM|A)JO?}k7B#~+_R>zbdFpYLAn4*H*;|FKl3jR`j~6g5wmwEw^k83N%n zt+2#e@74g(P<}bi%b>QA_kaKM#j~IO_dkFBkLS<+Gko# zy^Q4-?Q{cP8}50;=P6HIoZq@|nrm&i^G%It{zNCOys0KgeU=0~$5)ox_+uRv%Yh3m z+u=fzxZK1V4AfXpZH&`^xS?v+3ZOwOwIi{-9gDv+mQM;fTm->87mt=jVaek6c7U<8 z8$mXd!UVn*n?xMZ+|I^QlKGgC*m$w(M!9cG<7-ainkl`?rqw-gGTEp*ZlUBmJ41AL zS0%CA!6^t;-C=2}RqUh`^E|uLAgIv=Pv}R} z$tVjYKXflI2o&`do~m$O)zOlgR7dMR)LITHNX#~Hu^rtKN@TZ-5fs!PnnH z)+WaSx^neOqT{nu&1_Rn6IBq=aFkaE2mAM+oNq%x^khypUct)`BlycJiRL(=6Nt!E z+=loYm)nQ&FC_BA%aDJn$~TZ~&;#YY>p=&~B6LNQc&M8Jr;`a)v!ApI5o3ji_P6ul zIY!g9Aq@7j?r~9cjH4@(#24VBn?|V(f_sM(Jhgkz`YFTD1Gw@gIL_2;uNw&xORtzi z#q{XXAQF7-(=6NPzE3W*oVFo*?>}6;IS3Qy6e+&gDs z9Os8ZG?-0wDEKQ8P6T2gGG#TfW5mrM3abRF+m--nnM>&-9e$Qx=QQz zjF~Fp`BAowVV*1!7r~p`6eopAnXt=br#ZpO6w+5}~7g_><1hv&n?sqE5E}rkAw-I{*aD(OZP`HZ+r1pkFi0 zOt3UgQ$Rfo{)ZUoP+sXabT=d#lL%|8M`|JUms}+`9iC9aVq>v@P2ikARHA2NBLiN) zKi6d;GA||3^DsD_AiIfafLKqNG<36vT?*$CSV3?cStD<;ZKrL)2D^2xTs>5smuW4q 
z7R{L~AbkV)55HS~SUo&*QWz*DsZiirdV6mKQ$Z6oL7jh>-G7&z3N+L1eI{Dl-=zuY zjjUcUR#DNT3ZrYMiYWyfjLSwCigjB14N1H?f)t4nX&snCe#h5|0Y{H+BX`btNWLWk3|a)_uwkMyd1LceBQk&13m zhcX94IPQ)Y!;@MPC3KiBl=rJnUifYsX{BkkP>t2M761xWA+3}g z&7~eMKA^Xqax?z|;^S-UcdMQz{XgaL#&rMRt=9iv9=)vQ|2jB49BlRfr+9$bo$)yL zHX2QaCN>9!JI?K;&}kPFDUUBKn2vK#`Fq%?IIj_ue9~)Z35CDvmG6kHxqI_u7}Zh@ zF5McWl0(`*aFUmbW+b|j*}P|C>V4t;40s9(9Sy?ou_R|$%}}RjHpsyr*fIV^Im3I0 zM>3nQ>W+U@{c(MA4gyr1r6flF zhLkB?`s@vwJHxBLdoFyF{|0sZZN^dqX45fGO!WD4Z)MRu>(J-V!xe=Uo}$m6J5_|v zyi_$SAQV|`%CQM{AF>?X(nY0sPjd*jT4Et#Q||^%bc>KYD4gTl%S;lH$N9+bTJdU4 zIaEea)^mCkPs2H=*11uddDVOm-o&V8g1E;jsm6@jHglKG z)fKaI&CT_-=jzhgiN#b_r)H==959DT{l`xg;CE?x9~!bCY_>OTbo+8GlH|IXZ0?MIg>Vp$1Sjw-ACTFq z`$#7BFZP?Ew-$9_!ecOrmW7A8^ZpO)aBCP_VJ;tr-2%Br7FOE0-u8xg zH3n39?996*woBQU+-_x+lk7a&a$GK89|Pa}b2IjT!~Ty=-vHUWHj)l{RsQ#*!G2}` z=V*U#oB#Pqo{E7j#yE2O_MbloCN|L~`1r^f3H-=LD2y{TioT>?2C{{a8Q>hoWnb$?4@`o<;b(Yhk z*g=!2R`saVTs_Or0D9}qxm0Ay_L^%!|F-1my1$?6$TU{T0AEAT_NiQ~jHYX1%PxA%WN$+J4#e}w=j;sXA~C4i-5!c`MB zy(@*veru86`QvT6dlmiLiE3?sNx8EX82<`S1OJDu%5Hwz_3=VrmHj{HSMPs&*+1Iq z|4;JV-B|}+X`|YnXx5CN+wBH-cjc@J&(SwFzWZx#U2UHYJPqrAmg3D`1G!57J3OkN z|J^^_uK%Zatk!~)c$p5kzCu&d6pJFg>%B2i*lCR|7byOARmj}T*LYq)cB4E7rAawP zd18mx<+~v7)2jwIWfS>L;nIzgnh4$tTf)C!5=s;=YzaS0OVRrBTPWSWXxFBLcNdsh z{nPnd3eT-|@TOV*#x!tzO$442uaR=mk&hI+=%uVEWf1Zb~8@{|F`*4 z%-xBbkOV9E|IuKts{b7wz1;HuCwVINe<=%;&)2mY=rcN7P;>vn*<(1~dmlzKOV1A* zG@W-VG75Bg!WK`--s_p4%qqB8q{WQ^r^!?hDebQ}?gxQCTp`8%n3g(Rnv{x9N-==- z3c-^Ofayv%PUP1j{>FDR8pg3@IuHS#wcFB zl3kqA?MS+j^!C}x?9QYi3)5PRXg$EyvQ0*k<**=|m>)Lhci%?F>N0*r>^gvSZ)o~G zx#W?D5iKYkRZKHz(XDz~itN`K11 z_+LR-nZ0LNA^*(0VU@u0mS;XBHoNf3qZ6K(t5#li4x)SpqFOOO46($l{f%0<+h^I+ zVE?B)cE?vXvj?!s|8sEgvg-diJly(!p5$rR|Mg=)OYe#s=&L)uW}ft}2mU5+?Uux^ z5)A5j=iATb+GDDfoY?;g46R}PZ|>lSeO9giqn9=R&&$1S{Lhm-n_2%$L%VmYt2V4LDlRWp%&{EwL_Lv4toBMN(Z?rVLyE92$J|V_$h-hLY z-#ng^eA9HFTM}w0N^e+jVy8$BOBACIj#Q7Pgi44ou0a+ zH3gE9`(i%iKmAyymi{r0PaZ;;QX)mAz!!BBC!`Nou1i7 zychQzmL{+l0#7D1^7EZFep*VK{DVhF4_XSA20L40{#j?AfBLm&lA$jY8xUk?sIvm&xo5q 
zRaoys_)D#S59TlJ>)+lAumJ;L_4==$|LSk^e?Q67y#6aUIILLyZmVidF0drK%GWpw zTwUFWKNOM>DRidmoK= z;4j;xSVjDDY-D2$=RL^scS{EQJ18pvdzo2u% zGfxLCy?%5fg23#ciJw>9d%4+!vz5jTsXsQMQ2X>iM1Hf@`Imok`5(>*o6~8+1=(~P ztMvcFn*P7Px4+H*`XtW|I>Sm4k-#NpX8h63j3j8BQ5Mr=ic%b1;VF?}u!AmUR3e$B z=7xVcBaERb<72~kX)@gfzM$weK`B-$c9Uy;coC|38oc=bgB|o&EGW+;I(_{{24O1r zFCr9#7{^o6vxU1*wo8)<7jszK znEg?z1tZ^07*<{RYla1Rj{fbZ3vg64wZ zY$FKrd+Mn~I6-)-6^ol0jb=#BXe!Meusl&DQ4;Y9Vm!hOF+K$zi{bJ}JGk9t6j+xe9v18RIuv0tk|Fjd~_Yal!2{2u7n(#1qLGfxBT%IUL8xwuq`2*#1!7 z)8)GWM`|#D#Em`JMK%3(v!wlgF46#tRy@TLt7DEO*Atd@e+7J6-9}4WC_grafSQkpB zMCyV1v+ni2Zd;IFGb%_Nyg>H)xf#ADXiP|AGkC(4(uSr$L_V3&h+^hnM*S0LvPh7K z&*vnGjj32n;qoo8FqRQdB9bcEIz?J65c?pAZM{PNVO>gSEEWA+bba~a03nGDw=0fp)rALdF+kd5}7a_ zyL2L)=mKsVDh>mL&WT1t6Kui-iiuuzvH?1kDB(9qY6SuAF2pv332;p~Vmz4=VZN9X zP494;UkOeXn&XALJ_bpWND3NEj1}HRGK*#!-7%IlLO4@16bYiu35uBvg4Y>w7r>g~ zGt*6Kl?RbqDwXaftarwY@)N;E0Ne@=bKYt}+Jv){6AVN%L&M+#W;hna;D8xhAa%nL zPwiF$Owb+l0e+)F5d4_f_RLgcaeh^~ridV2|Fa%cuC*-Fj=Qit;XnYyxRhbR_26^F z2-ez~oMj5d{3ZdoH-g%0hDUJI7%Z;^p0g3ahK3v-X4C;#N~0^3r3gcGnV-P21^b1e;Dmak}bBa;J5d8`SBkmfoF=@k_zW=BqcMBN1aKHru21L`s@vc7X- za@Tg?yWiVC{(zeAb8uV?=Bs0|~`xwL4GGf0PITY_1F%$`CJd_sSL=%Nb~B4clEhQDMasF_Hgf=^xj znE$(fN`Jwx;8T9L5Bh`*i$$N%=A)# zE%)=PYF;_AVGXcK;9ZnA9SJ-E%DIIseHI!5@wr~oF%^1>EMR1=aiYv^Y?{fAyeP_% zopxI87F^r$bP&vfOo$+G`y+56EvS)=FVjOO6Pl((Nz3Dvwk@y7BJ_F~MvQ_Q^$D)a zXz8aX5BLPRDt4XZjLZ0H(K{=Oa_qENDEG_=G#ERAMi$=4M+?NxC)e9%tWG=$m8*k# zC>%y%j!WK}Cl^C>sx);y+Hx(btf0hFk~wV71H%*~lc1gCM5PJhA|?WK&TCFJ+mEv( z#z|BrG2_#>j~U}_j;q83C2mOIV8G@2FjICC~F7-Sl$)$#Wf27^utXR0mNZO^#Ck;ajtIN)V_CAE@B$JBI zi+Wni(Niamjhd9t4?Qy?Qko#J(?ca9pt6C=F(WLUWXx<2%`>KG$_N@2qU}<~msW=y zfx43AfSHcm~u+Glh(% zlq_^7sWIZ*PPIc#ceqm^-PKIFgMQ)Tb_C8rKQ7wO*9n=YAOlvRP*JcKJVQ5{wJKvT zStX^!klT@g$#`F6uE@ep9H-yqjNZ(LIu74T^sSls-=Z<&(N&IA+g*j8AnRal>72Q{ zeBa0j8|Ak%1chO@6X6t(DWi%K*%{t-V!_kS@Tbo4+qa#cKks$~!SRQLEk1ItexQuV zg;ZqT87h&H&u*E!Q+I~L-YO&O^4oL);rgW(pU{}Y&5k1tYy@gR%J@PStO9GfRu;NV z7qc#vOHRu$x7?ZQU}cC-xDZ69Jc(g0j_f6Pqp;q}y&ACNs}~+L1&ds9&^khNnxHwC 
znr}#Lo2VI)1j!lCSd6SOVhoo!L_bP`M*fv`qu!`?MeGP@?M?E?up5hv>&?=Pp~XPJ zqyVuAF(;b(Em=Zym8gKdtSLXsWiBZOecja3YF_%xqS~rjD^g|VfL^U^e|1tzUtA}Y zH33{g=9UTHO43pu`UZj&H!oM&bMg62a$WoSMt?vgxu$|A(C{@DRHH3R6=8qoK9xZ& zk~Xr&Fog-7&T;C&b$PCv;r`{77MV5;x?ZV<97T0=D59>vpX8c@w>pf=1oU2en_P%~ z-~tgG&3pw=m)k`cMLCzyW9*`_sYE6yD-MApcnrbcBq?xg=2o?#sj(ZsgbU61a7~1u zapTl;-(;~v_^mcE=4qxGkpltnYWIVeG|$t?d#=s|kt9)|fxhO^6%nQu(zWbiY!6m` z?|BJQ3>8CKD6$q*QQU)&Uyfda;r3mfDO|_MubG20m#MFylButY-psfxG)Y<}A};P= z&l~W=#;Rj>S`f<3e?2vPq|F2=-`&52S)AK#JE?U)FyjFIgsMW;LK~7OyW7PToh;BC z-)bdLd=7GG~?Q}fUXqzXYy z!M0`}I%QiLYj37`UXL@m81vhu)A^oFnK?gU9Gf8u_xC;M`s)&a<=d<4JoT;pj#5(~ z_=FzDl5#H8oa=V2*>BUGp);H7!Rb+2hceu`p@mW=$Lg9b+OS*Xk*kePPG5g4n+%N3 zsX{o4G(8k=Z!0aC$FB|!_KUU_K$WXk5*?qN=D|+JZmt6?=K;Jo_QnX*nkkqC#@uin zm=TwG99joeRcooxXKg~(V#Idg6K0YdgHmzZ@IrqOu+7Pca!5!pgUlY6-;%T#NpNk& zW{XZwFRQ$+pD(aFTML4~2D__qKSC_Qp_~bDdFy99zV84WOS2mX+6I@hNXZPwdX`v^ ztTzq`AtWyM)?sLg>EByk$N4>vNwIlf+AK|Ze7tnO^o+;l9aU4wI^vqkTlau1y4;i% zS#m5P6GUg&-!(tATc8qeUF8I)1RG9=Rs| z$(r-Ag1QMa2+^szN=;fP?#Ogx1k*ueL|aGzg-SFf2@%lCOd96{DeR3r?Wl)hQ+##< z7cCX8F_@N6`G$FZI&r%0ZWU-T3!P&?k7y>*hg5e-H!B(ku@+j~Ki+x(0rfdP?9nVv3)njQL?NTABNQ%Z}!iDbDlt|by zZ-|{qbGml9rEBB6G2`Rj97{z+?=_FIIZ4cj_i#$XdAwsWw0oq_VlvTe1&vHsFDo0( zqvuUzDMV?*kR3BPGY-)QML|6`S|`r3CYH(D9C}IU-lrL{*`c)~3DZz)#Oiy2smH83W92g zk?*(7qnR4rwt@4UB}8l2SS<2Dqf%g?X6z}J60~N)v+2x4&Zv})&?HN2?9cyDH3MaQ z*T^;SCRbvmKti@Tg#UK@?rrV@3C96ztakOxRhdY3b8lYabbhHt z?I@+GW(VX_Dm*0;qJA>DYjzkT8}3ncX3hvpW!(d5`UHOKh^LEQswV>?LU19&psMBl z-~Z$9eulv@lYF-l#Yk=~qnYC?mf(%1o0|;Z zN)+=*4ufE=a7!CZkZ&jUN@{)2#3G(AB;!+bZsP1A&QfB=Y4xX?oyVfz2zAjfe0*t$Qu37JR9mLgF$%QbfF z%mU`|-#pW+G_JFcudw)jF~|hPI)L9k@l&j3L)5#*qR05OSFHi}7GB~h(cEOV<}y=c z9(Svd9=F~sw9AdJG_$tcsmI-dYsc>00}-`!xXco&mLLnCAGYisx7r+{ZWrtFiY#up zh*vJRU=2EyrXTHOqMm#4|STA!|Z5YP173|7oj zSGj0+S$(3So>wxcIceMQfsl@~_Qm4DWrnan(vFu8r-Doam`2uC4s5ki=$gfSA@=6F 
z8NAa5q8s%xgS9&Ggl9=?qMlsSH#axoL=X}ad8K$7axv{mK2bMVke*#6y*Wyf`(|a*C)2eSKN8GAEWzP~I?Cx@`NRoKjzOl?lHFJw3z0&75VXgPAAmKy&lyzJ`eImFwG8mfb1ail3Ya^cokp^@(Wum{VvJH?9J;DuScIHkSoK~Li{ z3WL*0$M+3XUY9w$rI7x7#E@?bOZdL+Tml~^L zKr^Wgay@@Focwi)rPPYl(7J74h+EG8*3W;3Q?BOe=5GIAb^d#Bc-XJr|FnN}w9WtY zBv0vLJ_wNs%@nse*@A`w_BihMIG)QqZ_k3w&cLT`^kZ;wK6k3w&cLjO}8g>Dk#U{o{+z^x~A>j~X@Lbsk!&lB3Y zyX$=ZytY3SN_Vzi(Uk~py`o#M=+-N`^@`RJ-Fij0UeT>rbn6w}dPO(j6|JbRRo`eu zU2XE{HAC?Hq&bXsZ)qDAh0nAM^MQ7%fZ3^Jt(&%17QWPuPxNJ&)Sc#|5+ja)b{`2 zu)kl`|Mmy{t^W5E&sP82>VI4P?@{{S*IvTgXZviQ?en1L{{;X5|Nr)wL)ZW^0Ra4q B%9j8D diff --git a/apps/logging/values-main.yaml b/apps/logging/values-main.yaml deleted file mode 100644 index dd7f016..0000000 --- a/apps/logging/values-main.yaml +++ /dev/null @@ -1,17 +0,0 @@ -loki: - persistence: - enabled: true - accessModes: - - ReadWriteOnce - size: 50Gi - - config: - compactor: - retention_enabled: true - limits_config: - retention_period: 168h - -promtail: - config: - clients: - - url: http://logging-loki:3100/loki/api/v1/push diff --git a/apps/monitoring/Chart.lock b/apps/monitoring/Chart.lock deleted file mode 100644 index bd68f76..0000000 --- a/apps/monitoring/Chart.lock +++ /dev/null @@ -1,6 +0,0 @@ -dependencies: -- name: kube-prometheus-stack - repository: https://prometheus-community.github.io/helm-charts - version: 39.11.0 -digest: sha256:2000f95ea7c9e6ac6ec0cc0ed3f08ee6adebf5e3ad383a0e8d89d80ab61439eb -generated: "2022-09-08T17:57:25.889732515+03:00" diff --git a/apps/monitoring/Chart.yaml b/apps/monitoring/Chart.yaml deleted file mode 100644 index 3792818..0000000 --- a/apps/monitoring/Chart.yaml +++ /dev/null @@ -1,9 +0,0 @@ -name: monitoring -version: "0.0.0" -apiVersion: v2 - -dependencies: - - name: kube-prometheus-stack - # # this version should match version defined in apps/argocd-apps/values-prod-infra-apps.yaml - version: "39.11.0" - repository: "https://prometheus-community.github.io/helm-charts" 
diff --git a/apps/monitoring/argocd_dfc_plugin.json b/apps/monitoring/argocd_dfc_plugin.json
deleted file mode 100644
index 90aa035..0000000
--- a/apps/monitoring/argocd_dfc_plugin.json
+++ /dev/null
@@ -1,5 +0,0 @@
-{
- "init_helm_repos": {
- "prometheus-community": "https://prometheus-community.github.io/helm-charts"
- }
-}
diff --git a/apps/monitoring/charts/kube-prometheus-stack-39.11.0.tgz b/apps/monitoring/charts/kube-prometheus-stack-39.11.0.tgz deleted file mode 100644 index f87e810e137b562d8a87c769237991a2d14cc3a5..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 398212 zcmV)MK)AmjiwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0POv1cihI6FbdCS{)&1@zekr4=q4%3QfHhqv?Rxzkz_`slFa1E z(A7Y7cbNbRt}2jhi+Xt~LlE zBqI&2*@VF1AjhJU1%nrabh4U|h1RW_j7D<~pBJJYMF*=8b=@^wFGmYj)mdSHs08lY zR%yv-O^&4afff4putm!x)k2PXr+IZkuH}SmYT2>P4chWQGpV>}Cggl~gSM^zInMW= zq7>_b7vKpIg5F%MC z6xTv7!@PzTDz}s6qPJw{ZiJ8Wo&Ee_I;KXH?8Rj(q-JtuJW)5MUB+y~Pdci-e6K&K zxui4N(3SDn=WDumU)|W_<9u&7f4EUHRY=~3y;(tQq!3lb3a!Y0byFrArkNr&ZTO5S zt+vS@u}4x;wU`PjOSNszP*a*SX(18WRZNjW)KlKDl3Z}TAf+g}nl*Tn-~$|rB3hVL zKj$SQjH)HkVuKJohK#VL%(Tc@Q^o@-s!nMpNi7<)BD|SnC(#%>WuEE=ty2$wD-mHM$2Y`ZL+`2d@037g#7x0+fYC^ zU{5}VVBGZ8+B2<}t=ZtVt#|>qbR!_Fr}@rKKHm7XY4NY|-*x<7C5p38(Z>z^-}uY% z{tExM^Y}CW_e=cO=Wc#EzGdut`^C7D9pB}rWIT4p8zrAJr6)u!=< z-D733Ki=Kn`EqY(f3JMBU+&UJU+&MI?66(Rp6))`|8jTsi0u`7JF};Id;9Eh@n}|3 zx-n-BFbL&@Z0?SCceC-6Y`lB2^LVniH`#xhf4TGM>ElO_emCBmjK`Zl2XPJG|8rV( zOnoW=@Y?&o_h`KH<(K{Y|K<3z{P&Cew?&?_8SN@faL>t1$YIKzZ)}m11y_VCLdkz0 zyn30stu5d?zB^}9@{&!+<|cr44}e=P zSzC#v;nblc)zX5wFX6|^=V4@LPn5g)W>&P*A_xkE*9K`>wx6&|TDO(Oq$gC)nYL_d z=m2=t$ENpd8re}CRF$|O5w~mCRba!CHRNK!D@F>*sCKdeZ|0II<+@l0ytnvT5YRtZ`fIU~G51YSi?&Yr~Y&2}8L zTrqjh*cyOUw5*R@nC!JzvW7cxuo^F2FI1?58#<-v@`;-e6=!D^S)xb z_vA>5%l;690Q$$(Nhj}Li;}%zg^(q0=Dk)Z`X01xe~|d%jXN@fZ;!Q*blzVZ`);W; z>#xdjv0!Cat;{%9=0vX=rZ0p%i=T*+^?o{~%YivM=>+4~LkkeF+u+0RywVC@ZVUG?OrLwFB7tvKisq+?DaHvCb>l$#Nt%AkI?iWs0jz# z$7)3Lk^QPf1rV()K=?Ks2y+o}%mBl;HqRrBumX(sMsque2ZLigl5EB=0gUXLsSs!6 z?VFb>CvTM@8641;h-t`-OQlImr8bz*Jh2~|?}%PdZAc{IHIMSlI^}?4u&JyjWYcR{ z@S(~F1lhb~=e~j4x#wJgB5m!=OWVNhAgGrPjt-xTi^iX^Edn?4;PCl#HkY(y4!0Tf z`kb|r6@~{T7jzk`v5HP9!)2J~gv_PrS~bBRal=!14dMH?%K(2%quaal_7<4N(&^339*DHfe1gtnY|G( zeRBiYrDjbD(`J`k!RnlIcCk%Z$u($5X<758_o*syqiS1bO!6xpMu#VY48% 
z1*C68wo(*oB-xBf))Z_+i-IYY(M~TK`2U|qW^SV`I-g56HwQhl8zcoHH8i#Xe6}R5C}V6E8r(FoLNoB{*iZWBI z=p@(6%s$(qZA)b>i!_Mx7>Y@)2dz2Jne=W{+N|VQWzWo zRBuA=J-qi}P%Kr8piIcUQWR%Qx_1GhTigJ0%Ji)u%C6D8W&xz5==Q7v#c3D;URE+Q zcFDBEE1eOfE*7jIZC6$1Uh$gF;lOTf5qZN_XsXU&LuP#5NtT(dD1_CNj|{{Nz-6uE z=Tx&yvN=~;E=L=7SK#$gS5?P2EI`&~K^#Wfv;Yh&9Qr1_hjVC}4K)Cc-i`{5C^Lsx zEgQbkpIu~faIR;Z$mD`o zmDx+Pt5%I=s4b$sct|-p5=!xD#hi!^0`|@}Ip6i&rdCYs^_a6X*cmO`w}n|Vgf0)*bNbL$Txgxx-J8cdXG04zPy#zuCM?tb5 zJ1&vKJbM1MXCf+Qn&GcvL7O?4Pq(&)>>y!Y@t<6&j;Yb3{k^A8+-|g@eC`MTH4GlN zgssxCnm1NLt=NR@;4^ypwxQwarsGVL1C}mA$t5c^KOaO@*IniW%xEk5i98{|ga3x% zU9hPZqKaTj(V2fUEg8!UOCqE{s@MUpN8p5jxnfFG=j_y=Z_()q*{|UZZx(#Y^=YI* zFuWJatfw{A#RBY*fziy!J;lzMp&R5YQb?|OL92Vdg$8l$=1>1GxuCM)&HRctGZDUL zKXzf*_A4(Z-bnmKP+P7Y@`!L-Cq^=PP@#x}y!3%0yhRit4a zYq!#fF4dASRnV4|Lf>m{{7KkNFcFro%@@9UD z_NmbpIEQ3C&n!Vzqo48dsa2{25ZzYD z2{=kMKz`ibfOP`cXEay@HObZ%`FiP;S=;`DZ=k)|8L&ba5uU6)oj}6*ENnkn&~rv8 zfl~{86V=UT{1OTMlo8MumpM6R%pS7bpCdx2;@na+!x{p~-zKyyiO>rsEi9(s%+eBd z5XqZu(}yxFlHu^$l4=WYxG$8ti>d?tmQXBo@qvW;Znhd|a%An>90-!bNmuEoggk`DlZU2Z9tkYD>gt-xC3*jzWaNAE78R_yCvETFf1iS~+71Nf z?^0MQ9Atk0&m$+i)nP;~dMjW4QPOrXc}V`i$@oeY^6 zH-a7!Sq29U^!81pp|-cTBw*zg4J?n9Y3)GluOlJ#gghBP+40c76-p~ocS>7+;GCC+ zs?5lt?T#zAmAU;0{#lq0t%3zR$x_`wDQe0aaKdw)9Z|hdR<;LW*i8wQ(;29iTB;ZB zEC8<&bRaqm$E>B`cxut}@U^qMl#^$)@yAb#IRh~i zEEr}!S^BSaZ-Pn34!6Ai#e)INPl+d?Cw(cgzTeEpv$`=Svu!RiM zz8-2cKds1hc$8jT!-=kR<*YthkcunK8Um`HaEXCEeL8-+=NXd7tO&*@!=YX-3A@yi zK654>_%PW?(3l>rfP-NfGJM$z#SE(qd(?>1F(%}@rdnc$eC8G-H@C|0!S`N^5}4?F zac_-%I3auEr(@sQORm5R=kUnz>Sp7aA_g%oxaDc1peb~Oa~*;otFvI-)}NqLhE?i# z$wn588f`JFEy#H5@udS8c`ca*L~o*&U3*4i$0al880YricvNfym^!^+jRrhYdd95{ zB8htx?_Q8q+)NISLZ6kO<=3>LP2o>q|1rjbzA=I^e&=ZwGXl0U+YGK$?r@e&afvE9 z5HWnmL`yoG@xr`;Sb$0tv?7M}!#j{&KqOsLwt_c0Ax{p*34%BRzk-Q#Fo{r{y&%gr z<&*)7KXX^@7Cb0X7F&9l9wR~Q#H_0n(}S#N4-?$LPOg9MxWCcgJVQnRMkU@dJ<$c@8^8gQ0!VBl};*Ib&JJuCzM z2ZfMKsKIc|X(gs3BYTXV$Dz_A+VZ?Ew{)d&#EwaHb8(n%%BW=WM4Yka8(y)ApEr7I zzhS^K;a6$IfkI0Hp)<|GE^L!&XE^4WkRW+8Gt%s3%m1m4VTvwiQ~xwK(B%t4;90y&VL 
zzIMP|_vzO;?o_!>H^|Ch0@l~GDXA=pnEt>DeNUNFPD`q3PF~^ln~A{@M@~#38r%*K zG7EsJj88i)q_u>P6rX2Q77MOfp*zXUu(Lum=Y}m7jWSbk{YN+ie!GYW+LVd6ANZBE zQnVEOgq@xy;ka5+s+2~E(!os_w!@mvA+W9Iq!y@|X%IY)LU`(r9bFnpBucwL`!LLz zn@`C3INyDgkL@G1pb4$8blpq>)dNPX@yaC0R4W?vIE>u>sS~?bJQP!6UI+ zRv0+p`r`9ONLG^jXn+Q?6kB>9z+RZIMZ=sj!;d2Ixbhk=L)KOKWvXa!_-0M0<3-?MYY@V z_#wcue=hqv8FvY}D#SUHOO$?jwM|4*ElIIp#TgM7O~6PuoLJxWhaFuHe*HnU-Q4E9 zdT8m9^^dPRwW|~O;NzQ&^wXT;o*DhR7TNB`hphLF3+<0Es{cNIEjfPN{7)cs9*);8GE4J?+w3_Bnl`r!0Ll^yn|u&y=)fcI zrI?d%z%$fBdaD?z#C%q3a^LEq9+>0(gA$E-F?UjJCFc0y#I}zVkaN3MLt!^l7ARG@ zN}Vb(e`&s*fM^u>R{j%n>|~5~5fUOSm5YHqM^@{df0kb)~NAtHlFyzvflN6)QwjD&qdF zdDCgIJ9kn&$WxVpMsaaM%mBg;V4?xH3BXW+ImWEpLR=7K8zhGL>2j5^bZnuzbCpvt zS*ej7US1~xlXB@3+!ZC~qUvh)tfIU=iCk)}{v!zYB>FsZ{Fqy^mH6>mr%z@J|GbJiP_2m*akwQrDBg7m6t8MwL*P*f+aCvTc1}SO+ZnYq}Jb!%* zI4vjWc~2sHP*3mwR#uZ_o@iRIChndIYR(mK{h+B{(59@c3=l@#DK_h>?Vt*dU7{g+ z+v?4^B9dK54hks%h(RVe1G{hAUW})OK|2XFu87iRwZYcl<}mHF_p!9rQKtMkz|A0( zlzawJvpSh@s?IhT7}Vc}-kfz)R_F>xpI-Xl>^O-$TMlQAE`ufmIMV|4Le>ow#!@ZK z0^k}uRhRP79diMy4U7k2awcTW%5B0f3)X6zQKMp-Inb#li5fK0*J4=Wg$&1QbF&-o6bMD7;4ojl=^ouM(!SH>SX*`~5QeU-6pT08MkGDwe7VK45Hx zsM`*LlWj+%6npz*F&?9>B9NNZpjCS`9>3y|!LlT@(LAFw!0k&?(8io9Loo3`y4*2% zTic2jW^dyJv6c#YH(}5-h>|55kuuJ^MK+a~=}l5I+9)3#6!m2-Qx99nXz&nCgxWVC z`a*a^Z)=W#aC#ZvJ6x$okaLHCEqtGt|jhmfMt}FGM;cu&HNDZ)BovhK-~*GZdR-b^RUc3DP$$`X6d4T9%2q9*{`S@V21Aw}p{Xov?m zQi}4P*|>^Hnh=hU-6+F~>x@EPY6mpgt*EcWng(mMdB&ETei~7-^%q8P2yb8^CS()- z4UZXEwkBlrwQw1_Hg7R`JpM$rl2K3rDlN@4K4LL0ggmPRE!D{2EJ#%1;AaRwi{SSb z2HPD&vuB}IvP?C-JU(L=E{=XH`Vj7~`>_@U5CUeEw~eBjs~N}m`{&}d&~D9qLr^uW zstDF92_R)ys#%GRCXnUinP@b-)MO#5QkgBtP|S5%Pzcp%l4HthWFZfhPZeQMDcCVn zELld%@kTVr1Y5I|UXYHLWM@1c1IRfq$?kYO&dI~`o%~3Y{jnu%^3Tj{;q%lK2t3(y zm3Hinc3pFz{wPJ)PGF$%Ka9NX#; zX@qs_@dF`VeIst)-sEz~hf5qi^w%0SPr~$*0d#+>(3tlRn&hlh5+S&awALrwIXA<0RZBx@CvktLejiJ?elK6jSB+qmItBrk0 z%}YPWqgB^Ya?NbPHA;&@R1?k7LF-vYAN4~MBaPSvBgqAzYY6Be$e#t*1|ygyET?TADS0B!IV}7U z8(tm|p~Wm-r}*MwnGEKzy^Yi-lq~psQ7t1SjL)GLGmvTb={$vmD2JF?hn|VedD;^X 
zq>G7wD|Er8VV2fA@}N9tQgg))@P0)a*@_ojJ4bZbYS)(VCMaZIGghjQ90G$u&A<%d zd-Kh+ou@lb$lrGUPVTqewBp5s;M<7@3@y)IU(i^X>D4Gx68|KCHfdniorTGWK5>XG#}@W?E~i%W*LC4s+`aG;q0~0N0KSlXgg=X2$(MKIn~r@_go5Y z|A=_U9k4K&6YAy_WnN!UL%CSvv(&oz%?7(kFJm$kmweq1#69?g<8YOr(qY)#fo>;5 z!6*mAz6syI7)U92!fR$kJI_(Cfk(cB$U4!Y-kC}^AyX+XjC>@dL2)+RkZ22WoA8|F z*uf3ZC6eYwJ+dqacYu#0vTTV1&(M!`w4&W>Q zSQq7u&Fqdw@Imr=%iluMuOvrx84=WLR?yQ0*LsC)ng2Ro#$}tLg|tysQKH+>aev{q zLT%5qtP_-YiE6$~o{pc6N4^(#plwQ??T|}1$}blFgiJOVMt10;$b=+Zd#$4fyfXXa zv<`v3yeb)900EEp{-gL_@r^Y<&x zBdq-1nvvt6d57nw%eXsNiz2l9Bz`O78DmfP*v@WQd|B)=y0g3UWVZ8^vfX`FJf1#z zy7%buc>n2m)Sk`b_=hNrDW8k2m%ID>*~{H0kL~bq4pD}EYndJ3F4rKC-q~G`LB4?$ zEg*41I3g6i;LRC<_&RI-_o?tfQnZ`P8+UN>=nSBo2{+szbXGz#n4sz~Q#g(sj*W;2 zt~&BW(t;h9&zb3J1uwxd_tSc7F7kg;7Q#o&dyNo)H$b8VPfj`b3c4U*JlB!3ELMdU zOlp<+({IHL&|e)PRc5;IvWimG$TsmV{_9{!M$7M-Y8fyRx=ti}+8d4Y+)VZpOjL4y zSXytjB)N2?sG6_bYDMnbf>tiOsBWtVz38jS2+Rw)BjG~MN5E5arLA4f?=ElVqpb*j zQoAJD>6MAaNE4>$gm>__nh>X*HP1k~Z~#)hF8~rfjaYpOTu|~BtrI0Jgnh$GuF>}7 z?vHu;gA$Dy?@Q#@jzL$!E)?Z@>DM34plLM2ET6F97}S9cd+R^o(r&|5ZdH za&=y8lKc&;7*)(C;4_57g7HQBcA`YG$nLrwR^1d>9pI##>z>7%wyG4FvPxVGCh`c% zL#I33SQiQ%Bpd2NvRz2^vp3J7e2m4u;9L-sQxPNJ!7SkGqj2$?jaAxjfdMl;5VCB; zQdLe~@%aMS;ox^=W9OO7r4ahGlMth=nD%0k=VE!oBffldWWhRVB+|P~;woO=3D>77 zN*He>cDQk1NwjrWw0PhEN7aY)g7ubsShTr=V0EjL@5id!SZ=eEPI!o-pRtJnd*YIg z?~T>xaNHm!{NmxbKq%@~H0Jmx;q+#-gtpw?2v>OTpykK#U`W>(wj1{v8ou^rSaI_9 z=zzVM#n{v#-(Nf9!X2ho_(4qVmKAQ*?MlUt4FgUMzyZ2XCT3skwz!vGeu`Jx>oNYx z6AO5u=eZOuc%mxB&snu3jo@k-mWxcg;*2?O8WQCpD5YrqV%jU`KRdN9m#5D6|I|9( zpCY{9-yi2Y`&Z+9_iCK)ng5v|kIetfACIrb`IlGY{K?fge|oi(@9tmig}yDv>;$5trH^dFY*IJ||na zL+tJs0QaGf=!YV(hT2)2ciMBp8*1wEoSYgaE&brSeYPm^_W{!HVNLzC5{hzqYVEZ4 zP^}P^NGEF{8@6@w=+WL#zA#(YmJAuXU#1D-w$MCBrc~ZUo+^gyt^GS&2xa)p;-Ea| zN_di0p`CH9Va(MChw7SZ`P^TK0NphO+S($h1{+>ZVUQ%83yeFkeyWgi5~P0o7T8q9 zykFYSxSh77&(qz<@xT#an(wGTZpU+v3W^(!nqE7Vdn(OoZQTa!*|;s}R*I=pAzup^ z8{QVI^C7w(u=lrdMm;0Lxsx?z1vTIyMsuT`g*OdmbCcbmD52(2#YQjwpS6j2(X0E>C>fYay3+w@3*8^nOj- 
zmX)VwU#`>zZEv@!trUg_zq{exHv>9#B{+msSK#`53he2XUfBJim;LcZ&f6_3JkA8F zYKUJ&+Ynrr0l4hWW?_bqKkSbXie&kb!C)E@{CNikz{_p({+9jczx(~Y^{NV-$~Kxo zZ>O4ww&ia$`|0%WzkBfeTdN}c5U&}{2M@zmIX~4!d)g_3xA5}0=UtgTj}MQ*hkcay z;KQc#&q>3O#aX3b*J{2#AE!@uoc{4d=&db>$4;S43s*k!4U!!}1_T!jU_OAF+E8K@$VMq}HT zQ93+Qg!_1;ndq95*do8sr>zkXc?|80^PNXK`J;Sycjd|6%9BT7q?iC`aDKV(2qS|r zEZ=(2gsKprUbT68R~=_o{ZO&rrmMhHvunJy0JDUEmxrwzRg!Yq(3%(EoIRxq65iOp z%}4 z`d+Z&Ec9?!2Qe-5iKZJkJodC4pYe93G}t+lnCm-7XS9yDd1nz;ShZ~d!jN(0RtGgY}7x$VgEDs`i#9kW3Qiwy)1?r#9kIGqm5W>J?cGIXUnott6%M}`D*_&9{h|4KjXoFIXw8! zb<{1gyxzq8`NaQ>rM|F?ed?~DOpx+oome_)sDtMJ1380rkZi%oJV9tmzUe*t*PYwk8(VdUL!AZEzlL zGay@?%kh~e(SVT1B<1?HPrVhY-j^_jtf)9^bXG8_eOjZf0p@CJs}~!m+{5d_pzy0m zQw1e-7eZ#-G`Qe?7+dP89^9a)9F$T)yhtSxJ+^1HTc* zAz>B#bpBzUyAIvz!%&~?B5yhK3bLg!_%9s61Y^qITCq?H1b*^iNJqJ0y#jw(wwuOslsQf z@Nrb(x3HRbEDV}qIgev65SoX0YX*E=HXfrMXIY0|nzlWPi$to!EIt2pBFx<|&VWMpySk@KB=FWm zbc97-M)~jj6PpETl>hF*{V%RY53cWQrZT;3S=7;e+G#OUS5w~1YJFOBRa{Nm*%ju~ z*!_R65QWUtRmr9u{(IhP_(#|6OkK@7#R^?rExI|=)pVw=xDrnvKOSGzKX$BRSB;vf zE6ftI#3`Boo2jc7N*`Uxwm5Bh%Vz4z*_YwZiZ|V*`Rm7ys>KX4=*-j=WTKuaKquFw z-wh1e$8bYoW8GiBE}!(RxFD5i=A>&huLyPUY>q|Xh7`Fy3-uf4p#C*kn;SCZ+=9*m zZ3dKLI2(1^%+%?9C|!PqGvK0uE7T}+T^^j~zxyDn8^Ucrb3nfp4rpB^CKMF05EB*` zOeqw(rWBL8fDm)1V)S9?VOoOE3HK^xYh00tb-LRCGjmPJ`8eNunqz_AiXzL@g4yxp z!PdG`uXyukmr36Kaq{wb$HmmdmHjW+bRoorT5)DrmLY^6{ zorzhd7c85KODG5NUoS{2v6!MSW@r|Mo(o>Oy0$Ye*@fX)fm_LgDz>4OS10d}?V2By zwx*~bmRnzQIHD36!20-lt+plk z)_4d`z}n5n{#npBS|)3q$mIqRS7-Jl`pB*a_2qwUwcy4U)Qz_jCT_0e4`RB?;|*00 zw(mrFFjzp#&?{fNK0Kx~DA~M>9%)fI-X_$BLr(o}iq;eI0cGoVKc;N`DvR`q3fIT{ z{c!R6wdL!tDPW(Ju#d{s`wbv=5I}4!XYzxXh82!<+gNz-KgD#iW}tDktl=II+pKl~ z&n+>yO$W9fam4aOg>?faV?OU1lRC=$LDm&++e)w{9Gbqb34zDYn2a{YWzsj-hlFxv zR@3_sXS^vVWYbnpKD6&Qyt@skbKrug zLbOP|fK5S0)_LO$u@{cm2I_Pli>Fsy=?D1+iSs?zoyG!XY z*2k>ceKX^DiJ(MQya*0ULfNv)@Y+qXQI$E>J$0rNyhzb0E$TosTo*Kw3=V;5E?BS2 zv=NGpD@{V5YoX``Z3J+t>w4Po+??f~pF<&0%dYu4*>Sy7SDqcp&|{@tx61LT?Wy|< z*9*~Uo7CO0Snj(77WB5D=gwy?hL(jgM_KZGoF_kBp}xt}@zY1X9ufk45JvP%4=4BM 
zCRgW0Zu`lwYAcL2D3X(nn2=33D2UK-2*XxpBD5$(*XU5LKf=GAV)@1=Adum?)gxxM z*HO_I#SCK) z6(bEBWot+`)e?mXTe6E6EZ55x#Fu-oMac|^dmElbXzZg2*&C0aSeou0o|xh6jcx6U z)L+1em4HY@%U0GPp8AbDScs-ztyUxZmC9^RIo{0Ov(XmRTFp$aZY$NsfUANTc8nfg z3R+HSWzdHthezou4K329`QmH)#b)TDiXPiN=|9E-es5?qXK4ZB=d2Ni?F31ND}Mt@ zrod}S3nE3Q8DW>Us-%{N2QHB1ELjE@2tw`c^}8@kyLV=br4t9^1VK2Fz|!vC9W=AH zM9J>?wrhEKv`yl*2up!A{Cu-eXPPT*(COh3u|-l0tF5i5+aqO`*t?3QToHOsd1WZF zgZJi!gJXE`Y~Jyb`J*%1a?{UvJGd-|NAdB9tGgOLq4cD}U*lk1_Ed1Ss%uhZdk9J^ zd#F zz6ldcmsU&)&Q^c>d}|Ui%%i zBRIa^jdV>V9(z5^X54%Cj%X+es~OpJPLfHD<$Tsvm4UQLa`OIt=8CFBHB$y@oL$a- zZA@2RF{(GYHc0Uo4%s+PyoP?ZqtU8u4CTn+iI5hxL35TfJXn$9T8qhw<0slKf8$P= z!MO7AbNpv;l?MuC%N13;=30^e#~EuqZ_-!0ZP}*I+oEVY(5BR`dNPz3fk&_S1`3=A zG5KO=^@|<&0v^6``DM*z1wN;-Sx3vbe33Uh+*e((AXJfqzZ{bn|8@KTrD`h$K6`x_ zS`@V6g?O+H{luk~q^PpCq7CysO_u<#0CEZHwyweW9)NDB(LKW}JUe{;1}z_b^97b{ zGGAME(5>o1DE%6l#K<8#kS*jm3`?W%<{QdKWe6}V2_DE>u%{810jwDM>~qn05n@G) zX(iL3vh*8ai zh8>9B61NTMMA=f!rpFh#J<*ylhmCFmlz+X8h8=Mm0tX7K89g;RKv8 z=Ly-|b*Iu7fG-<0-dLmao;hXr$}Be@D7+Z0j`vsA5`bFuNb+-Du{nF83R+oRaZp>k!uw|S-*~68b%uS_=hu7aVY-ImQZq)9Vy&L89LYh$W4QEwJ z9DOs}JVO)0g`sP#w6=H^WIyv0z6yMhff>BAX>uQ}LO=B=nry6bC5n|JsiN_Ejm(gu z`6#~mzhOl)8Bh{$pe-~gG_*Z1PMyeAAm~uMzt1x8+Wo3*l#=JaJDtn6$WL|A=3l(KUd8Y}!y#pUDESxfywv$VW)jdQ@V(gs z-*^MPtNbl6mq0Wz--wR;rrG@?u)`6_YF1CtYJjON$c>`}G?fgDycU}L&?!T$+a-D< zQKi}c?}5K+!@8P4I&VH>mE^u#-|yBI`EF(}&VWw25RwV?G0x7qQqg6L=HhV6lu^m#i8x~oHNd3vsB5`luko5X6zEsKj1HH-ye(b$^&u7&~u)zCRX2-{3#+soe&`G2Xi7)wCo~+ zAQJ9bsB-P-S5lNB2K0|+D!%1e_yGTlVGoRWiB>!pKHPWVpUQ3Fqgd6R#|nrWXd~e0 z6@Ton+prr6={fe{8~fO)9-~Y$AfekJSlHDk<0nB88(#=`;aO7A7?LD0xQg6;$ya;$X?@ze9Ktz22MifQ!7oieMjvGHO9@=};r{3kf5 ztI?zVy{AtipQz`4@L$8=*WU1&HwTV`m=MIyHNAY>(D2k^C31*SI`(EMuX9^3N(ALB zemb160x5!#DWj~JfB1^*%b9F7q~Q8CeTPT|!IRJOK(cj&Uc95c4& zq)aO@AMK8J$D{G1(Rg>n>sE?$aDPyl77(!LdZjJTc#}mG!i+UJL#8=|4`pJO(Z+ph zhtVJ1gh1%i#%)-8?A=1N;=_**h@$C4Y*Bu;aBUqh}3FY5YY0Ib1J#$6hva0anlCb4?8Y|avvlPo#@^?gauU#R+1@IyZ~0%EJKN* zyr5TLVGQ0ekVnpW5NqfIHo7SO$}!W|+C|JWGkWi0MPL*Ya<$={24+G`zM!q#`Qp28 z{m 
zH*28$NAdy*tu0#RP20N=r ztlLT{MOc=G-8i1-D;a zqKCfM?dQj$a$Tw82x&)0;n=D$o&VJErL%jK8o{-gGbp)>j`>XL%(?WXGt+E6ie+&w2~PC`0|4GC1G1pqTq8#hLdu zM;N14l$m$Awa-xDtmcgdvJWB+;zXAJICiRvwyTOGn>vt5efk~=G3Nw-=_{_9Xzt(6Xm*0JjKmGR#OzV zR4IZUrF716t;%U$)5~mHiQ+7C`D(t}U63RpTh%bh2C@eFaGheNJ_ zmJ<*&L$V?Fo)+YSS{0+MC#D6FOtqpZ-8F|;@KDqv>SZN|?MAVYB~Cc~cTPr@T?xnexfuQ8J_| z^x3aJgRb2NWzCy|qeIK)B^f;-xs7?xm6niV6REdpj_x+RflSeg%(|vP2FtKeF60v| zc0f#d4T?1$ojrF;?d>b0sPf@+7+rD4a78DoqM9i^`mtlu$i(IrjkXNV$Y2Uaq)5%N z$@Ke+^A|Qfd3lW2%W4Ug7YPg|uNlO@nj>e{#oqmzNoLf+?wTg22 zLE2c%i`n=)>>Hv*03;&}aIqmyRdQ||h49R4bX*}YgKL$hvyZ+zusMyyjQqr;AVQML zsskE)V$ULOwIe)UD^}CXWBwC^faxfU9bTkwa5)r-FH`V7jTvlr;Oz>!EAbJh-GMrF zphnTzb|Xso7q{MytOkq+AwyyojWlKTZy$&i$FX61SMp}>%Qf*x;mRc_OgK&RA#dg{ zdc_Z87skzS!lSe^(NlC^^Dg22(*2`{rfvlaG3G$W1a@ zEMjIbIm`Vjn;)7k^-fIYP+HTuL%IudJ`@6#+q^5KZ-B4(6qH1sILz_7bJ9LH(=aUK1`^;K5+%SC7_J&>f z{jl97hs-`pTpJMOzoKn#KjY`W;Fd<+-ngqsk89ehQ8LZK!$@Wdan#2xD-uETM~to( zbqzHy%w;nq!BQkw#$bS3ziZ9}2Bw_jzMUF8OfF-Z+!>fBdnSh}N`$EI2%9#%+P0q& zanXc5&ToL;3uIjd9$P6t{R)M2$u1893N)DMB#^YO3W@D6zQXE*D=D$I6ZTG zU4|(u>GtGzCp@i9C$%=2R6MTh-)0yZy7lpEnJl6d7271XZewrBZeE>L$zxrH65PGO&2yr(?9pZ_MqK7yqm7BS{dNFYwFIK5;d9)-5Fcc@lB^K z%4|bC%v(~{n`qy_f(#R(4_X=C#6<#r<~ps8=jSchM_y)O z;%8IP0O|T6-F)2QL4EMy8tCvYFJKt!Zw-@KB!>@qkRtsgR3H@1gzSvV z;BsXRo{Ikj8p-RvMB8GdW3$QE3Q;>|-6=IuSBy31Dlxa7EyoRQ+mz5>(CS(EyssO) zPGi|h0k%scc0`Ji)Yf3NRmqB)i(am1WWB-HDsmMVe<|u?q*a1KzCSSgrVfeja_858 zgDM|w#cfS*0~9nzW@=h!T17@@&{Ep_pATr6)r5pNpBH~UdhzD))r;3B2QMeF_X&1^ zS?FwiID7RK5semiIa=~sK&eLx<(eUtQ7JAO2gz49lnj>_LiEg_h-9_(aCRzYwN3bd zt8y*Qqy7#XD8FF7yS5L;!P$7)fv<|QMQPr24!!$GX)MU;HF$nFLGLE47HnRLDU8X` zkY1KQ+LZ2*Y0S-lsRRbK2V`VsfIgk*E@p$lAWv?i-M#z% z^wcJuIX(T};rW_rngK>kd2Cpw_$0j)bApuxdyeE&7NzMVJjwkKs#)-6CK6a!H1z|4 ztrpiHQPhMpNJuv4N;8T157aghSaIJhQDhRp*M1e>DmLpX#~fU8W}QwX!;N_R=4Gn* zjiSybQOv@ztGthz+j|Pu7z%!pSLm}j6N5U=DAeB??ex--3NxP(#PFEADx?~fW?@H) z&oe5E1=p<5on(fDWQAzX5iKi2PF(*UuiM|Qb_*0gj*^W65@@Ap>742iKoT)MZKPrL zT$zO$89J*TE$$nz-Se|2DqCmVJ`yFNjpmt8u3pf_m*IsAXstE2NN!uvB2_L&XggNA 
zi;^W;^2GDTa2+$fNoqzLdl1sTY!u1E7Lv$3#H1S9Hz4{#czYmJpb<_}?|TPC(+D!} zsHBZ%5R&iWFO#9!A(=~g&5*bv4_$8ej~dWWpPOmbz;@1Rg=_1a8)5eEY4)D2y$?dF>x33)#+$BEO54fRzKzu!rNS}gNlWJLUZLsVw zW!}O;nK5}A7e0E!XqkAwbh5&MOhzMYvNJN@xq*hDqc0;Aw$! zn0o^i^b;LN%2HZ?%l<5%dr*A==-PTek^IpwwY}BLBOll8dF1N$^vqx67=1gzrVO)S zQh_75CNUFpS0^I4aj21VqODVVK^S1H;&==4#gQNFpCP#ISw(prf4$|x-r&uNEn*ho zA{F9E5dYZzq7dl0&$#3pp|kEQQG(0trn!5tsoymP+x&anvX|@Mus)c6h8=$-8<&Uct$5j>%C5LmMXOxHr-1w$p~shWM&u zrqTC+2cf7JSlEMyJM&6(js9?;_*rr_1859Yd}iaeAnwuCtX)EKfiQ?TbOM7F6GW(T z7x$Px_E<);l?d;&Wk@FDs%i{WRL;qNVkPnTLy)E+xE!(s2r%v8B3zH;RVyIF~|rE9eN+7I%So(K+$2wp|T~&^H2t1JEW-53$_dg z6@uXNhqcoA!)+f#8EfrrwzS>7FP~!NHK@4GbWw)T*^vJR_QpA%i3U{OQ8I#fObHu3 zylM##@q?J2qW>|JY%n7T!f*)3RHZ%QJw6!?`XS3(&nGzu*1A#_LJXjwr!(+6CTo5A z%!sn0;;hkG!KAhiXbgo(ZQ*<%6nGFpI%7*WppSu+ov~#ko4~fOu3L!hg$6ZkqY>Cx z*42Pm2!=(7_w(O9h@c@6J*`48tyiwas|DF8)@4tI6x&MF4 zXbk;u+IKteC+28hJIKKarqRA+I11Vi$6m2d*Ub%UlbrLgDEY%{mm*>~wdBR=H3!2% zjK<5wsgu~RtXkj{)dHu}-qg4_m2A#Mb2acrsG+A+7K@?hPRKvi%l0OE zrlk~i^CGoMf^}WS5QDNMYnkR4XNzvj+mL3(5V;H5Xs2Qc$UV}oTRy>HQ`E6qg^B@S zh=pPd^00&~)Zfnw7NIxHjbQBxjF@>jB(@fvUb%_K=yVfYuMJg}+GW#)wMqMnu;IIR z607H!PRZmelB2;ipBF7GuzDZP66Tfq0pp zMx9TejD4_?{2Hq2(eV~}hDA`*WY5DJdL8YwITW3+WtL+&u?q(E_+Mvi84^fDxy*yX zAIVFs{I*QH4X>eTfpRn5sFEzsJWsTX9hebZr{M35OK)z*Ij2OmylLnemTq!t)pLya zv7AO&)olXN%WS^P{db0Gw(ZRV+=CUk*IU2q=9oxqfysj~vR4>q)e~Xhc7koK$FPZ6 z8lLron0n_1$gUGh46e)D3J#x8VEFfVl=f=pJ$UC1(N`S3tbLShvbTW9F5pE!kr-z zju}93UeaB#+Se+mmccsS_i*|Z$jrd*-+Vp>NX`IlaX&CG*J_%I9&)u=ht}(d;-mXDeky7HLl|{Ggc2$8iq&ac}x>Q8QBObkdvWy;gS>}F8$(0rDFaPvBnTwrzfiYjG` ze+D-8NR&N4UThxOoZ@UJ=&_bc0+yJ$ham0P6#LX*eyvvGe{ISrxIY#qYtFe8P2w+k z5*>W-1i5UPlF6^ zC*{UIrnES_pc0NLU{S=}Yx=okdp6cc=*PL@)8v{Wo;X6Cw}kDE6KPvzxSWuA(Z!G+E_|8hvr}=DYuV@$BUE@VVFa8ZwT5J3-eG_st$$0=f$e zQ%rw=JWTnL)>UYUet6cbj2H`(Zj8>U^nGHhEC7guxe?)bj*T}z*nET$;qZ7VO5#^D zO90T)U|M5}@u+ed$2=LAOZ4(QO1$j+f$bUuv6_ToNrAdq70vD`)e4nSvkNv2l;c27xt3Hezd1ethlP`c6y1Dr{3=im z23Z2Y5j&+YK87Zgy0y_`z$4joWz=;6n87cT)vAG}6SLkpx9BuJz}^&=&vTolhiGxe 
z8ia;3rR!(W7XZIQ&tvwjXoR%xwor!&vm42dIp<^s=L8v*$OU>~KD3q<$b6hYQUHlJ zy^uyf=_H`bcDRk4Wau{T!Zd;z;7rBp@UNZW39p&bv~FWPs&{~A%}mIGVTUfWqHWI6 zzM5LD2L=&(ScwM#@57aFn3eSgt1^eiWTkaTIOv)35TpokOtkqxP-Ky58Ky&iS>ky_wFVa*Sn5@P=!DK~A)_ThQnS5@!URG`c(*B;U&fIX0--C0p z^Wto8T&>hCaTsQ_qIP?ItyRn@>Cw`54|i?bm^(AiUa}2@q#{MuH9K?7;r{ro2_o!W zhX3I_{es~+A71CxTs$uYaJOFDrUKpbnE}nZ{^_L+IYOmDCFXOMD5`);xL6|}VRa!n z6uC1U)mX=jDL|JQEEIbdAlY zFIz=MB|9J4Hd;U^A^&G5i8!vAHE{H z`Of2fj9K<;LsUwpDX-Kvn7#Y;2}GgD{cF^j*7FoX$FfSyM`+*wG1}U7*!~!-?k{=G zwNJ)`v={w$4G$Co^N`Y(KB0V4`Ni;3twF!IFcFK=EJ@Ul8-m%gmaXJ(5OM_9*k5+1 zsPx>e(?U&`n5@|(T7X9i42M=;Eg8)T=Q6U15WA+dnnz|N?E(6@vPCv7b8s_axQh7=xtq<1 zJ9C=>6nx!=xQNo*?L-XT?ZoztTd{3$BWraeDcd+s{D><^kGyRzGortOTC-;(nha7W zr{JMdh~c$?{6?BpgwqJSVGxys+nb(;Xd?bRcy5Hr%yPK{x6*OpLzmG87vmv^@d3Jl z1kix2SHPGtx01z~Ut6KH<>azZCSu!G4AESA&rHAAuE4Q^04cLHV;h6!RwBnLvta8m z%N!xRKKk6vjdTxGqhS|JrV9rYckmt!EnCH!xn4x`1$Fl=*N$4Q0KS3K*39wZC#(4n zv~GrPc?nDM@hgZI;RBb@-?RQ2_7K7^yoRoKx0JV8L-75&W)TmJRBJ@uinc9p=3iH$ zI8#1l`Z<%D7oZGufYT`7IMVlJt?*<+F9*YXe9zqdl_KSah(b90~pSN){zPOs*W;!4e|Ez{$wh#gi>OWLTJ zi^X2?mqYNDCr9oe1s{3-rYgu=b^(#i*T8Ruqt2^cIC(G1x#IkAg6ssep?BJ7+g3b{ z0@xakkBYL*!025*9NP=Z^O%1oh1LwG6$7BJAUlw``)Nr&5(>>3Ic=FBGiN@oc)_(7 z)`QFpf8l*F9j*d|U|pC`FHX@ZxqM+gn@=a&{i#>o_UFk~a<#8qb=TxxI8ffOf$Py} z%mM;Jv*PEr7(+0R_(^2eC)b_js52S!v1zw9cgF2{ZPWh3AbP!m)E?DvOtjAtciyY? zh8*_l_6#SP58e49K|Zav^(~9)V_E@Z2zV%-w>MT1Sg5fBMVrmhL23@(qfzdl9w^g# zLPoAd57zo>dqc1iFT4QhBg*CtK@Z9N9c;&2*$Eo}&kjJ_k~D~akb?HNqXz}UTGHa3 z*F$7duYq}d#@htaIg|J&7tMNz912EBWKC^Z{B?_X|{0813X4eLkZ|$|B{_PZSy}8DU zrtuA2MeEBM{IhZt?z9ZB6L(n7)iB6W;|=oBbIbE(w$qUtqJ4gVkMS@gDv!M8lA=Gu zlM02G4RR~Fl3k1b2VDuu%%LT^$(HW3=vHc@{rP|M5JPq_8?(;{G-@97g? 
z9#xdj{oucb!B4EVWhHK_=FNe#xVX|=HNAY>(C`$ghONUr2+3Z)533mOO148{HBp%} zd(Nq~n6avK4ZI(u?d5I@#Ye}$GzXW>Ow2OcWJ#s=mC;Q|Gw03a#=6r@Tt>DuMX1us z+xJ5F`^=Zk581a8a%8x&L`*Z%4crTZo@8#*XceLkWEl$ZN4&hNtd6$!jEDxy_`A&t ziEm@bQRcmPKy6Z7+zcmV<@>O6;p*>``z6y%)vBIGJ9JPz6qUn4g;yr2=-89yEG`YjPXFa2TXPp@EbiyLVe5_m^8|Amb; z5e@o`g!uX`)TKj@;57w9&dqr;NZ{UUQ8EMMUff+{A5O^L`004xGxwJNJ3J!RVUww# zYtVzmgPl5ut6+n7@ZQ|M{FYOvjka92&y2TTY8a5=z)jSwjA+?)XCxIWWt;}c^>la? zPIe_|`8BO*Q}`p&e|!uY^EcqpnJ~T28OG`GS)y^Y_EQ)vV8Kw7O-nkP@dCphN|sen zt64~QNV5xG2KB~Z&A$@_aU?2UEGNVo09I7e<~$?^4)Dt}cNgr%^ZA((Aq1~YC(ZS_ z-}DaJRz7)<&4%RkPI*#Dx9??Pojp|g&7f?`<7(Fg^IFYZ=V{V(xP4Gd?(LhG7|mcE zw;`3WCk9>#;1o-#gRF-Vp$wSp<4BI%&)8|TrKG2)oo@|9qN>nhku(TuX<75y ze}`DOf?I8>lE8DiW3et4V!61VyJ6-!KBC{^7_@JmYkiB(@NXe!`R0oxX+ENR?SG5I zmbv-wW1IyhEH@hck;o%hInvTcJ*ne;!Z9TUqnZ2EY{DDQwNy!O%7PmI-){S-y;srO zTn?O6j?=0zN10Pc0(Ifl4EasxYzIf2mxl?hD=LWzYQAi92PAuP5$8U9#)-6(!bN2! z?MM$RuQ*Su9zg9Y&iOEl{|GvMwRxBMMTl3~tIhRQh%3JeF|h&Kna!XtL)4cc>dO$< zbs3_#7y6?+0sN*3QSLV%i7O|-uD}+1;dK4OcOB+AFC~@YD=O00XJnM*>02+tuTLEb z1-EEi;C~`{?Fy240OVagvC53MB0yl9Md&2doorjPyA;I5Dezik5Qr;^gfNi{Q`7~} z*C525ZoUU?Aw1+r~aJUB_Z!AO`$*(!NdfKX{f8v%j3pixqbw&iPCy(^#MHf& zshCrq$}(X~axC-L(L8y&>_k%V()`!i^w)K=U)N54U6A{_DD|~E^R?38{5FwdiQ^lY z>M*ZVHC@M%Qn;H+&eTrn;o>+H#t=n{gqv==*A;H8Q#_f5o0?tiEjD7ZKEEw8J&Lk? 
zbwDzaPN50X1ZoD6ZWVfXB>ZPjz)e3fKH*wYMRHejaT}_T-WI0V1S7+#=c!u17=}HqP!MpR%?@r%dzB_Bn zQ{lJIABFXrWe!F{Wtg0Jt_dler+w9cXZ1#@026Un)``d$#7t6h@AF_#rl?g_oAlKv zTOa|k3s%SXY0BS-eUiG$A<{hl_W5Ii1Az<+ihUZQ<;=oCVvlDBh1(YrrU;OUsDSAb z5{e4!-X#Ss9%mZ#g+7qn$Y?;8`i1G~&VIdMu%j(9QYXxh86Bv&&?$Xs1=F;8{FbRC zpOrUF`CM@~g^m@1TYhrMF7u3#`>|&1oxFqU^GBYBTBs3OHmO^J8E0S>@(Zl^CkQ4L zg&2oWKRkbvwMFjZ3~tCzxC&_G-7ECjOx)s3PXy;cVBs-~IHalXO>6h0TM=VOAU6C0U}+#baI`rO1yZ-cjyRy~z*OE_kO|K%Ka#I!pyDcAqTd!L7ZL(7U1 z#bcgBew@P!$L>)UaXl}#F>-FqM?qoX{*X=p5Q>>xO%}OL~A(6bB0jM!$yAOO%X>`)!G< zyF#q47Uat9V9X4}rIk=rOLi!E5mRccM4w_T7O@Gosrdab%p}1Ro}DN3S55k6x-&1J zs1-HTNz2>|TqUC~jC+Wkx6cyU~K66GAIe+=i%MkK8- zn0KNm#13si$7;oure-VAR?4Ks#>luv_i@VlcqEK>Ujt~zzp#Ng0S5bT{2DRy(g`qr zb;ax=qsGVc)en4+-KJ-{j!#MW8FLKAtxK+L7g~NNWLe?=wPgJ*UVkf5e`a7f-322% zjj2+@G=p~+*XUL{Dt@0R$hNQiqmTmtz-;NiIX> zrnq92?|-J;BpaP}6Z~}3YoEJTwr?qTwxH**{4Vwi-O<#XKS3(akIeh)BlFIgF+o17 zy%RVsauWl#>v~tvyxxz_PE3L2B93^kaEKu%Fy!=7fCL}Tv$t(05}e2Ym1Lv8eb{HU zh3_Y>?_&=L+iCi?X)a{P-;fn**P1QS$=Xs=y);$H?6&D*x#yQhaG7anRY?hxkTorE zMOg`DLPBPmq67**Rx{yPMO}vFQIx@!nIl+yJ$Jqo4y(MDT^46WQ{Gom4O8e(k;Rpw zY#jrWgrJ>bX#0CRfY&DyD9bOy3D-6Te&JBvvV9~< zo_+eC|L*_K@awC?i>tqU7~cmU|6;Z8W^U)aJL{Wm7W*QcP$C@e5!VWswb(|`VcIld zy=I1Y?qwxJMjt>v2{SyA=^#;L2~S0|CGHF53s$alX8R(1?eb*W9FZ}WDDqCR*a_ER zYZ$X_|`%w-J=!Aq9CX<~@$7>29vH2-GUQm`@o|TZ!Op1+ z(~wP!1KYj_Ujt~1%Y;0S+faA@ig@LWo_$p~Qhp?oF?^ATwqs+;tk)vhD4yZS9~S#y zSGceUD=mX49y0gZJ0HgJy)|Ja(T$aCYDC5Xn)Zib=B2RnqPN`RNybidn-P{Z$l#P1 zNyVlQhO|+sm_uc^0B5Cg_8A2*CKDRbR08NSpe4*F;f<(4klN7GcYJde~q1qn^l8YcY zXw62+XeB**(?gaUy_96Nl<`YBIBn|)CO;x~5akB3VDBXL+jU1T>11EJg_4yoV;hNc zHF02xjF3Ld4(X?yI5`zl`?u?U87o83IQ|+D`~!@CGk`HNB>(+gwD~Q^02BOK`3>)- zQx?}_i5xmL`^Tx-hJl`!v5N?Ii`LcsNeHVVRxD#pm4)Q?Nf!|SN%OaRf zhue?XuYkILgEL!6P{rxQ0#6Fh%5RLqyJfl%0HzbY{942Yy&MP3lxz#xuO)8Z zet3ukma1K^IE>qS4O(`@QcX!FnLZfeAI7}(7D^pi`18+F;*f7VPYvd0(bHQs zS<9ZJrA32OP`{Yc(7Ni3-e7=?HZd*6wPOim~)U>!KFW`11|o=^bu@6JqD^m_^f^WkY#QYpqXgNpgLB&Z7q>^EUVn-DmLPV(LydDX<~ 
zhN&eQtsJf#UFon@QLke7*!Qv22rZdOcda9tZ@+L*v16e-Ias2;R7nFExuG*sgSAi< zs~G;ocrd?bbmzH*iiEOjn}niX)SZf=@{K2Co{E+@E&QScrURD1D$9Fo{8~zjB^^3dNnx z4QCnq7cB8+s?o2Nv!Plfp$uF+{*_-4cs!F?l)f;wa7C|fp$x;JE+`!KkOd|TI4oCU z!(oxVITtM_hsPygx4{s_BODG8B>@UI0^3AO9%#OLigwxSd3M=e36J5K*5+X`o^`bt zd+}J)B|N3yTOLn|8>_LMBjUoXoc=2wP9A|0r8kimt0ormO|wx>e4WTcz>bn+pI(Wi z9w%?)5e&M?pA%IiX?jT-*S3n`5AioqLPJ<_m`HhZ^@a<{T(kG#Uh%Q`UDGQq{u&7r>t1JI=YJmklB5YL` zEwlR5pWY+8ECsymzF;c-kg3FdmYs`xQN}Ja^A!iOt!SELJjTnJp23{cvvcW!DY89& z@fpQpthuF|-{sD5lyH*?d?fC^Y_q&&=Yef=A85ZV6gc7zN9X`Z2xJM99=NBo7ZE># z8T5Rxd;L26+It)A?E^PmM!08yU3OQZh-H}~dnO9BcX&Tec0>xbL|4Lh^74Wl z>}b(fnR%5y9Ac+LdYRf*=7fXsPL%mzCkg{>WUEe@UUnWHs?HT@)em_=cq};-3>B8< z)CVVmQ+St?(JBfnbYbCqlY+1C>`|qCNc_PvEHVZOvhb-v**1lfM)dv^^7eSnPUe-+ zq_<@Ci!pV$CI zt}}CWGH=Iev_@Di+PNmTQ1D1*C9GX@ln#XR*<|o*?K%>r#K+~#y3J1zm1($L$%V6B zllgysBcf}G7koWYuZSs^)zxMTD!IoBIjhvs$#c1sh}{69>gkkH@1)Za9o|iuM9Qk_ z?y9-1a%vRTKHZyJnGwxY#4#PTO5x)c80e5ew2EoZb~F6(G|OBVm$ zyz?b(#UI0+Nn>7E(gEFNq_<1h_i>2#u# zC7okujuR$T>vG0UX6xjA6q%lz_f6EYoIWKk{}9qn;x>@ReM{C>)jyZiuQZvuuI?6< zO{TRI;DSsJAbZ=z+f{JNd_>y2b=aVLglJUH^DY0o3`Y zoM-gJT&81;lnZiv%NSPdM z9tbJxT2ANE+1kV?rZc!T?qsIUCCNtFWN<=4%IAoCcvzsuxh0bLW>^#rWai}@&?Zys za)weS^5YtQkK~h^yo#%zcUHzOG0{7wlo$8=esV3b^VGjJ=x=f5YTHdi`+p<<50;UI zt1=t7e^ljv>ka#dS^tm0VNd&itm7&5|A@10wi!N-a@WLH(SwsWQKE!o;noj+ix%XD=Sb!6~JlrSm{ zEEaH#kvbgdr}yd_-S0F1%W$F9TcyIV&B}tuN1pc~tl=BDIvgU$%;tPpn2B!j(}@2| zgKz`h|6MizKR6g>`G5bQr}_U{o+@vyTD}GeM?rQxL~&F_dsY^V2*1U_?jL5JjiS2~ zFZg8$W|T_mm9Wic4>AO? 
z`?ZGMPjolciKu7L!yiOUSy`PQ(BeBfNVsiX)|L%X4hehUYciyk6& zP%V3;7UYV>iKw58h!Uzw)+9#M`8GR|PpQ^-hyo=DdtPZoUb8B?o!SwVetXeo;Q!5N zWU_CI5n*{fsi{i4@C7!%g{Mv@6W(G8;VXPw$xISO0ce5nPrgPxTh#C>R*f@HuUI=D z@}ZM-n_k$U;A1I`dW(_AReQ;L(7Z;Dl~v^z zE}Y~e_(!&EDT_%z;dkYW1K(Eef=o;UD4X9;(FAUwi{azp|>b>Qq}|GBD zR^h+H9R3>~X#L-Mo`vwA+?|Mg7VDu7TvU)Z1&)a-R1h+Tay+eEQEdv>GZDiO?roaX zcUB`pHM|oY{ymC+uJ>8b5QRmG+>h8VP~+Cd?ys`QqLpJ!3*#_M(Ttx8LbAa7;1wI7 zz@gZdYm4#y7Dxj{z_8My2sDyUl7p2x*cTYE@N~uT2|V{$C4{IXQUnRKSkcRZ9!BXd z>Y}$-@rnEzq|#-CB2;Q4DnX{2q^Qo65T|Y=htdHkMCv6)YxF<@)k>LB-BC5P1fT$> z)-J6ar__rGr1B>LA2W@F?;~ATw0PTU!ZUWqa9X@fBL|Q~53*+|1d*;)fhRycOaT_f z6`(e@P>yi?6kv?XHIsY_u?AQTTgnVW0Zsu;unH)}D?ou+R`WS^uyV;3YGwDdOR|fW z+Wtjs4=wspEspW3sh!)Ld9T*x?^QLIs?}pYvht%h%Kzi=D0~0cLAS5-f2`$M2>+?pLqXDzYBrip)|arq zoaft_FSAHV`0%sIEs`->)SkE*cHTzUuCeb)zA3g()T=9}w`^4p`M9J89g7x8xinIB}{ z)JsSvh$gb9R_FYFkEtr{cdDi+`FHG+kWGLKdhOmpyUVg6=6k{t-9Zn(CvM>RC*bct z@|?9l{*g)rlA(#yR7<)zC5?r}-;FZ;iQAp1+@m%>QjPL&a$G}JIr7X#B9^Vn5 zWs$Y?d|U&|!O>CH{?i+1`_EdQwebJiOg}y-e&$O|9|MKQfNP`A zXdHG!GSHI2-2otR2rp?U{eaz;DOjrX(oZJaVq-L4-p9hMU0@Mw#j3>Ut$mvE|E9j* z-&OPf{-B@L|MU*~L(Tu!@vNQyr!Ovu6+9P0oa47Wtb*^a(2+Is>2Djl=av*-p;xO% z@C~-n1X(9w3~fI=7rqyF5}7VRBDNIJdk^{TWDqP@{Qnqb>iSW>K{JoupJ5Wc@Q528 z5y*<(aJ_l-r{&%{w~$zG&p*V4!nNX4Efkv+&oc>(gKPg(Pv8!`cI0&wEQ|E&&9xMDBD7 z9dPlE)m7Y9;K>LHTL7md>8HS_jGT`rGipY9D>=W=Viy6h3jo7UorLwYqf{C*?3{o& zi^dGzoq)rGgTcWL0ArsE8|!S7AZY#BvF|^-F8u}D$iMd~n#mbX>XRNF@Tm9@ur0>ZIJ?<$c^KP$lbFQ2xnRvcTOnvO1CI>BBilW{&!BUO9c~k_|^f-fQsTJahTN zhx7U)k*s8)d9ht+{S0mBnDIcQ-&K!BzK#Vtals6+pP7Cj-<{;InXpb1Tck4dro1KT ztjem&`uya-$tg%7BpV9_Szw&XwPK{F`;x%%7@J(1Sv|MN z8ejOUYcZeXC~vDHUQ~aTq*QoV31{xgD!ha@G-dt;^_q@pqxOhPUDLHsz~$+AJ+2n# z6=XL?*XOC(lF=sa=jJr+YF68?Y>8fFfN6M3GNGr|Lnib2Q_C;3%SJ>#KJ+J~UNY{YHuZApf5!f{RP{h}_ASGXolTt2#WxxPc zT}#M%y{eqo{Vmsv&BOl%4qg`j9~>U$@;~%?TK}__XBqrorSE8VXYfU;qUWwqTHJM` zPJGJ3hYJ7%*$Da~z_Ir9IG=qCg*4` z-5=ywp3ARZU@_XIh_M1Imq#mQb^yB&{zhJ23V{5(w#qPDfg)K}&8~RFy}OStD`oJP 
z{aw2&vcSSU@y#iUN0a|mUx%71Jbx#y5G06Py4T401;^3tnb)LmfjIy`9%xA?t}gdOy#!sA)kh5Va4+W#+@Rki-(!;PYyEB#We3+`bDc;2TXO!d!O`I`m;Y;c zsO7(PJS)oowVM1}6LPYsz;+ENQ%Y%-~3rIAXl#AX?u zii^&f;VE5V#@-n|X`5#?ePLd!bjd0+Te(pW0HtBCaT|GaUg0OGzR5w^Ce;SL@F_Ox zWvVDN;}!HJGU&+nF=x>eyEbXp%M?so@{;Z3l1+I9Rd~7L8GBx~ zuQ>}|7WaZ?i5Qk;G)txU@+qWf9N0dhnSOY#)l$2%RxqN%Mzd@-HruJDS#d?NLVB!{ z|Il4HZ;1FE(B7aFXA8_<~LG=12k1!+g~} zy&RD2N=_0;58vj=1DR8EDaV82oGTrMT0RnuYA8Q+ORK7N^wz4Oz`!2KC4S2Lfxl_e z(7ub`!QuLL)_V*sI*djp;r|4Yyry!v7Sw1qUR7`++e4@kEB+x?!*yY!;H~6Ny zeJ`JJN~A<0zE*v)R9hzR_caO-jQ;rgqme5T@(`Gv}N2t>9Zgm zv?7nfXQ2NtKL1PX02Sx|aM;iI{|~zTo<9HA@~r0kmx`W^F(4Fg-X}IE6n9K%T&NuJ z4KOmS&FP?wBX6z~Lak}6Z6s-2(<(d!=Kadr)|c8fm0E;qTx{P=2xIBT0VP3|-X+sp zX8i$s(N+1G(Ad~qv+i zUxqN9j{u2YZ<0zb?9dGQUyDLPDA7`iRu77{=c;NkHJwdoB#2kukAnUd7AP6CsN#OL;y&lCrZ`K3y%OvF~7~w zzNC)W^24FA-lcgg$SO50^9Gevl&ytR73Iaae_9SeZPGwPWLjLcqSqDqo$A+Da=Vjq z87D-q=dp_GeZ`XW8_SL;DyVY-9mZ2e6g8Cp5H+nD9-rx_3jgl<-m{GN&YOWlaIdVYlg!Q$^+-^_CHX#S4oYs{C-&GkqLq?#u;h&vQ zQ*#cbXR3`h2QHiZ@}<8YRr7t^+^8%$*8)7Lm^u`JgwQFMta*H>^gI}aHLS882XoFTCB zpijP6hs$YA#af;2Dz`>(PMcPAw2|p*Nqamkor<=YDWFwQ2?m*X5Nt1=i`Bez1=>en zEue&>HFv~QVNbYyTw|uAE@uADHqRf&FQ~AT=(zAuX8UbYNvX}BsjZytGO$rpn*TAA z=B)(8-~7dw`R(pDyYl=~>`=sg&kVY&00O*DAgKYY?rSEP(VmZY*xo*4834*hJ$6_D zbeUTNyIsv_ee~x4%2WLIOZPg^jbRU5A(F-iZ1q@U`>ymCC{sdHX%p1Tgy9 z4M7U9hE@#2&yhkm4G!OUFx3J`Zd%!bk*D&PW&KyuXSp>vIgK_KO=ANpE_Uy5+)ER@ zd}*ZA{PA*CXFjK@`Z?g+=J;Eaplf7q$enH*UUgqh@)Mg!#m#p=J=S;iC*SfT@~AJG zLryZI-rWk>ERa~FodlysLl3n|lLx!ZTqV)5RM(l_ca_S$NNtF@^{UNdfYc(I<8x@DZeOQ z*Se6Nx`a1Y!{67m2badvBcs3GZ`YD0do+Ij799EcKD;{)%`rVi(g#kRf3?e-A18cK zdA`qA0e*;MPq4N7Z#%o91K*W9>XVNhX)gW*PpbeL{58B{o;*7(-7FdWsTZ~lT6uQM zW^15kOSMApygIpNYv5!SY9e*pW@?qVqSiWB&7`c>w}WH}cd3*OkAz!PmpuI_(L#@T zgv9nT@8{*a$1NlOu#Bs` zr;<~a({wMBbE$%Pk>+dfV>kd|LZybMI(HOQ9qB(l>!d>ZN(B-rt=NYHBy_!b7jM|qL|~>$8!_*F0`aNGHb3$ zNy=`N1s`2baQ-#Vd~TD_#d6*txr)Yq#3No;PolDOrm$VX8D_a?q}cnL}=^gH9Se*P(4xSkg$` z`Xfu`uA*psw&3YI_|&ruWfh@=-|XCkxJzP11yh^~RD3crW1J})cx2jk#C*63K3cx& 
zimBUkkzKB^uBf1aTQ|msSkJ+&*x0jSD%C7n(7=y?l<#70U0TocY#oLJ%+DIZ?1jUX z#nU_?c2<7(o&KY~!Cs_EcQOX*Oay#Aj0gXz@cdLY{>a_`s;!Cn)|nw%4V3D$VFcxu z_MCp#?P+!En^$i_-L@a-#y(mlA>|axx!fLEbO`OmG{kz{J%lm)M*OP$+;*w;L!hfy zsonY+-DL6o<8&kHpBC;fuoJ3*`T*{ZT`lEGE5JC=X3Tk0b~C!Zmz32GB@Atl{nOkq zEwZH-Q$%J9Ab{lbjN#78Jg2zI^ODYkroI_iYr zCr#$Mx(DAbNs?8}9e~3LIt=G?4z^SF01@L|s&i@F`Ax$;`J=(ZuKsB7gy^xiIP@Cv zwzfoYl_^=fL8VJn>WSI=X%5p3QiCI?j0EOn?2uI8h`gQAlHoo`UVq>k=BHAG9!4Oa) zU$FA7zIR-+HAWtk92q|+@0oeOKULat+O%4;K6XO81z3Mb*0P!JM{dWQZw98Q6~GD- zK;eg_&}T*LFcC7u%9e7v`m-WSsyyYjRsIosilS9#;2Oy;d2Led)|!OMqC``>R}M_o zY))Lk;OV*ssZ^AS=0nv}N4D3NSGTbj9YxBkZn(pkt~SmV@7bxv2Ig8W)q%3ho& zw{(_7+MZBdKPi-Oim^zL6D*{p3A0C)kxnc-etBUQkzgFRGf;5p*1ctA45x3RgVk~8 ztDWr20K|&gSz_Ms`$)0(&keOeR>e+y#@1kM?DW-5*b?By0;1Q-oqFq6*vc%$i(G%5 zG8$X{1hK@1u}gRf6ciX8L*KlNdWhUyWZ{FNa*9SD32yokDijD~vdSF3li{a-A-xkK ziBcBPC&|wc5~R?8a7U&PohYZ1tXoMGaIv}^Ch#M9*GiHd zB(&I|I!3E@0&IfpQ8-UKh$hoLn zI`%{CSlxU6FTC4EjvgmW4Imyu;`y99zuncUg9KUQEGJV~_B1r7Ta*`Ob>nJ>Q^@dY ze-=r|gvH4uNQ{&}hcP3Ni-t7JH{EU^kd^@fU>TKfkpj-nPu zG4p~opibV5EqsTwX>M_N`mY0-w)>4Ol@)m}g`BUQ*o~3PgXQ{+jv5hjSeCi{jBJv0 zJ?JA=#tLhO=w_jKi2^l_q$Thv)5JA{NNG@i-f|yFZ!ZU>D0yWb;elcXO#Kn4GTSV_ z-fQ97?^QWP_y?9g;N)52lo0!bvYbyd!`za{hW$C+*zkzBVDmOMm|t*+d@|U=d}_lG zc7PkQJ!G?)Ivq7K^`=>VI{T#*EolfTZ7sEB2vinO7;a;sh|Hv;xtL^He90d}-A6|W zcOde_lUbBKh#ygUrGCQ+V}?*P58yzY`uj2xsJJp!FZh^8US1X zvI%ck>!Zgja1A$P>9|P7JOOEm(XE8eZY7Q3sZB4{2|t?F5Fk7*?x&J@j7 zs@_7f6-6~%6MV-}!=iCifJlCHT&OXdA+e-tYmnYaUf(2SxRI01A=uBuhH^c+@s`Zc zuyAZhG8WQly;t*rXtW@0?y`caK_74jYGHVYcg_}Vjb+sUZea5xN_sD0`n%$$?mja{ zjz-+xM;>&Wy6(Wk^qye?jlI7pYtlg^9f^-?BQ(=ZXH zW`9asWCi|8e?l>rOO2D+L0MPIoizVv!8T zJJHB+!W@^Wv8Ji(8btUEZfiWlK~dC^zHJ*mE=+3xn$`pJS^JH_jL1keE$a&jk+?nH z3R~(d5iActIL%k^jC)SyLhTh;4X{4ssO$nh>XCM#^)%*s1A8L!hP|e&r*p5ZebAQ) zp@Ju?I5fbFE?A*l$)0B!<>nNYLM;?0NWNBTWp=%XqXFp|$q|0QsSGqENpGZP*~H$? 
z^@_oWujtSxwx|VOsm_u*Xn{y(Qj>L?v{D?(Oj^TJG~}iBD%Fo{)|5`0B$^4Vh&&+8 zr}s2#ugAnf>0*-?O%u)w!HCc!ph6yG#r1`4_ECOoDu9CNi>hexkxsfs_^xee^ zEC>_~Jel&{^zFv9yx7CbAu2Xr=nRkU;K$M5ik2Igl`#f2#Cdq}k4Ozr#U=)l=u2P;{B zi*6eCMX`mkpnp~VkEfS(>28*-jMa*Ry-u&7aJwIDhsQ7LKESsiYG_Mue(U5hOce9> z<~^`RXPT&a<+<1W$vID#{2kE;-$>Pm4J=_nisG>Z-X)E`CRF$=kR`>$zF9Ul#)K_ACDzYrzM-Zkhki2P)g%yxMb1Kr{dTY*czk6hDwc_ z%%hpa3EIdPR>lj5$`&s$Ysi@RP_ocL5TkEd_z!ul1}ibMh4+gAzx3;{oCd}tD&i)X zZUs05huTmld7IoB>lBw4tfCh+Fs7D;lxVz{01?~Aw%1W2=G}^iUauj^P5ou;MXViY zR8(4C6pe83>@mbqP8;z~eo;F_i&HNH5-WA91+Qv0ty28BxSf6DKWVid6LeWIW9oi8 zFBu5k)>Gj_dO3}C=BXr~lsr~COjH&n1`OWu8EVyy46sRh^()FfxMjM}CKat<rZfDRh zbnof!Utn;df_Q{1HGb6H-}yT{XLyHKzPPx!r|)>nx5!)H_@$~luX)#AYTwy#V|2df zdr;HnvyN>Df;QCNP(eK)guKGKlT&aIFzb*uKIEfTdD6vwF*WiY-C2Zox3@C{bcPz# zdWBd{ofaMTx`tX*QLb~ru{!V_>oQFa%IemFMO#;K*h z=UnxGt{hR3zGJ7esj2frHhpE|pIfT1~U#BF(hPmQk-*h7^B{b%QXSZUP~20cZ@D0fB1k^?Tw;@4*17f^z_He$fz)N)k)fU#pihJW%k*U`dyJ zt7B3jzjlPx1U0y;`~T!Kx?gI>Sb<(2uK#te)LJ%KjsK%u1QVb`NH-X(C1|F0hD5v) z_M%M7XpE~Bz7p&AiZKA zCn3dzS*Mt~d8lH~?olH*(l!Z@Nc=wJT;}x6dHN-<5wHcMtxi{HAy1PzE;p+g^IX=H znH1VC@-QFqYI$N!WYpQ{_CvGV#e9(Py~Xy$mG zsN5{_PCcedF+3fhGq9!^>kt~UMgaw`288Fw2pn4K`}K~t1yL8ix4-BMBXu`K1i5w4im2OC zVf4*9crPiD*IIsM^o}Uk$T&=<`sl7}F+wZLDR-Sk|f;eKk5l(8m~A7ug{1 zi-(O%*cwOD48@GEuicx=J-Z|IxdU3*4A*Efh{%DQ=e&tx<%Aw4MX)U_Q(J$gvL7TQ*8 zl>!#WTyp12`2+t7FyqHI^4F9Wu?mE9fxEhTvY=36l}L3ca;DHoEpVow<4H241iU$soa3eIdZiG;KB1VK|sdjH3et!QsJ=-nbEv* z(yedmS0XUushTSkc;FOhYCA{O%XP=BgR1I21++|IWJH##W7?~G!wOu2m%f2|tbAaF?3$ zRhrw4r9kFKuQgM3^lcw*qBMv$e+=G0sPF0P%5Wo+?r(49#O7n*G&jJBsU5t9f~29r z&Nc3ndqK|ne%-&@c(qO4ncmU)nOnTE)){+EyYqL~OW+MK@IIDJE4V1|-r26_Y_9*6 zlU*0=BsKnQ_k*+lRhoa@U~4_N)`C_iBgpneBQ7K!Y8Iw%eT*;Yw z>zq4gO?)bBTuK<*qo2i}*93Ue^vSO3utw45Odxi)KcVjNR$G`h6%@Moo76B7tC(Hs z&m!ADiAAx`{(xbS>>2i^xc2p~)&S0Ut7dYAi~A=ad5f`egd<%m>?|^6_CH}=({sgt z);T&NJb;E9DI}-5m!{{!=OmCUPt2;B<$w1jgBpt#TPtH)rKWobHG!^6Rxg1@L||6J zjDP5~h+6Iap`RA>x2KO~_-%#%tL(bD!v@~jkB9)?gCGR&)5pa?V`Q`iDt 
z{bw8CcqCV5`*5sTJ9A4RLvw999Q>YG)CkcqbHQl%ACpK}@}Eo_t3|_cyi2;OqO28N zH!%jv5L?+f=&zWtnO>IkxzU@yJlAO;W6lK(fddjbvFI!PD1@*Dqqb8wI4;n}k;qfr zSc(_Y4qY2{^>WD{65YOtc~!y~{Bt-PDyW!)eY7Zk81FLktaD=MN-LJneGI}{REn?B7?PZP1&0xuWkcr`*d=YH=Qh6Iy)D0OW0P#bwk}lBXp?+9 zq<74@xetYr39dw6278eo@QaHgv+A7cE>Mz6y_ z=EIFw{-x>v2+SL_573q~ zH2c0f0zz2#Oj&b+BdWA2Sp$nZjMxNxmuox{=pKv7RN zpGg3Ki)JQ-^bPH%{}*jN{IA7izIlqL{0QhMp$d@kYP({ZMq z&kP4U{|~Ks@c*GT?+)G3`gd_o^%bswHy>PT>J78~lvXef#>h@DC*gw$=-JnPQ5VB9 zkut*5zM`p09FbO#V8u#e;PuRukiwVYt z4Czt+!Gk zmr~etrr@mO%RgCC$FgRK+`UzxO|%oGEXjp)R-@*DaBwe)o$!6xi}+gJ--;T_odf66 z;b-C}E9b(gr*dZ)%Lq$g4kxK^3wWgLWBuGs(raT@v~BM5rjJnIcipAajEGBhHe|0y2x`)Xv0k+a-Ye&APjdNn};fK@k$Mu`TRz+17$ad6nDD{wQFcDv`treXSGF_Q)WtS6w7uGl}69mvn6l~a`hOk4@wXUW zIJ8iAnRJOIKfRI-O)lcphu=Ar=r|A0-*qci?UQ?rgL92(zQ;#v8=QWrdj4K+d!YI& zSpJ4XYz#pnvfVDtVs+G$L;_8|JI0u8h0GRU&S}8h)nUhjfEY%=c9wv^NKOzS$ z5}cV|k~b2Fc%eB^-CwA*L;Uw|P*Cj@FwbEHfhaqP1xl=wX}FzKTsQ?V!u=(u{S(sc z7k80tcI)}@1r+D~DhaY_mBnyZ8O~c9k?faZ2{Ipb1+s0nzkl9;-j(~gTx#q}_@rF9 z5SixjE8GE>CKfU=MmtpU#Q)$5u3{d_(*4*4SYdQCSOXUYpGHou5yB0JAMXPRK{Yz4 za<0J^v6a{+BKy`?aMqw1dCu-vH+j@bvy{o$enr|kf@Ngkji)E?STcp>xj1r(WvB3@ zLU5F^v!~)QwG`%s@e-Gb-Q`5 z9%yR|?~hcJzB^3Qr%3&sg_dU$fYk^prOYv73L{w|&?a&yg;{)07NYkrGvb{jf zXB#|0*Z=YWNlm1=14+HK%iD{RX6&~c)s|B_qtCMTmZDz{`~6BI1VXe(RUc*LO;x`b zckiXLU+YXQI^)=_yn|9V>(IzqTN|@`UMcWB%NY=Qu-(RW0T;S8IM}~ud4B^Q!xgSo zHlPj5m8fErV(DIU^j#`NidV(f?Tb?0u?^kv)w|7)nAq*kf|*{nAK>riz0!cdI|WFm zV6MB0Z#RjVm4HY+*EK zIBCylVw1u~Gj>ii--k84?`_pZqHVuuvWKhN-(0DXvlMDmU9Ii1vB*;6?FcHWQj7@; zXwgoN?zOJbQ@$#j7uJWAnR{H@rZF@!rU(cT#!!(U90w9?gpd5XMBQU?{^;moU4QHGryFX8&2>|7cjs z3%<=afy!NqAUSJR!YIy6C}J%_doN`K5;9hE%w`0py_M(JEMs$*ALBo}blRj&7>mlk z6<0mDv{(05$mi3MJ83JJG3Lx^2iyBZ^Xcby9Qu4#n#aGhN7yd7DWEw__9DDJvIRJx zr+O2KLG&wWk1B}v$u=SeIO~qouVXP=5Fh@&^g|&#WY!)LFcF~j@{R;8D?KWAjucg( zoS*6tHViaad%(ez^9>EL>nMXyd(6g=*aD-GebM+Hj!KA^Bxg?oe&dZw&@R6o6j!u* z3iij$qXw0KgNgHyONY?`LWYrN=AQ#F4g?ri(oAL%lvuuf02f(zWf7i(7eV#fW^4~3 zA2X#;eX@2Wf6WshZyzUc6EYa9%x-Jeb+Z@Av%nA$b`Bf^gK7(Y22DnsKKmH3gty7i 
zbi)~dq{l?CiBNi3c(GPB)t~`tl;|k6+n@#NRG_%*>>lgcK!LIg)M{np)Ye(Fz3j~P z$f>-3;$9gtOT8p)XxD0yasouKHVnPQB+@CSiklg3)AwArbxXHd^k?}Sb_qJdv5X)JU?{VgSCEvZblz~}|7H{5! zyHqpRA$p$4mnAdjadqhu+>Xlh{1_~0TWlzb^lVwYQtmQ2dzOPN(^dtGs_;yHl@LbW z)Ilaty~LxjRrv2xvW-3xMb;@yb=JH5R+Mv6^Ek$7=Eu|n*nCDNQl`vTAy(-_8Pd3T%l|9_QYsL{&R!R z3VR&;*V|f%EK5@)l!U@lt&;e!r~aeA94}GCMQ<~lV4D0^$3>$5qUl-Y_~8779}Eo^ z>^4laD&})C?m~w1Yh44ove|0oSyQ;>oJdTC$+$oQvD)( zKOx1b&!-Ee(*N;0q>&C0T|v)LKz_giS)NWiLWmRvdh_x7l&)OD^_YJDe1CGG){w20 z?yvLyJ%5!naD!@k3IcBl$V69HCnt9gANy-?`VQjiu}u&3Y7UB$e9ogW2FwHZoZO^?h}|{~Q*{B* zSduCCQxqBfI|#S0tHjwX(7D_9boKb{vda>C#53Me=ev*yU<#@vW{Xo;1s;{$k^l?NG6q$Fg~F4A1|@>^Y&aH5u=C(}S!hftQnh}ObL zZVF;LbzUrA_0>ou2r_}TJu*-@oC60);NwN_(dMTe=U1-XVbY71Gk}_xx8^&xjQTu{ z6^%M}y3HkelY5bO!453_M!VAnJ_FZ$^vMvp+fGxs14zla1ELEkKP)dkMK2;fN2*rw z1q_xxn8s0@@M7z4?%7Th3Dr5YB#TrGN{9|d|=~mHB!jPe4@W3rO;UiM+ zlyJb6EzR3U1b|97t7fu7CQN06t1WAih%~rVEtX^R4SE!>Rjp$x6?=rNuf;}Wl+NEn0vBLoT= z{v!kux$l=1BOUOUQz=d)gX}JxmKTXNOPfC|)`DrXG~XFq_1sy{NH$LKH5i7Qn*Am% zXZc?tP!&>MRM!}oE#^P?g2_9JAHHCrU>hBx%*$zVE1X~ zuc^D7n^}_qMd?t~D^5PGh>uuRoU9jr>reMzo#8*Fl{L|Ph5(o>y!p;xdbL&IPh1dO zsL<1nO>5?tt?ew<6X?!kNZ{3OnWvkR-HUds?iSS?XSP^u63p-!B5Bo0f&RxFhTi|hkh~bUn3QDQ_%W_ zbOEr~c)3E6{LKU$ZQC}Rr7xgguQ-nuy*0W;CVG4@v`-B z!>git|3MjS#0jmfw)3u0I2T!@Us<8Dr)|5IjOH{?QV=g*%Ll+;x4Y$Ub19kWTz@S7 zsur7W(g`+7oy-;E1DxuTU=l?ZK zUiiXYyqUQKj+S%X;|uh?#Io(R*t%+J3*Cyizxndn;I+nTj#!+H-=AogwCdxO&SiWM zv&%w5x#We4T$1gUv^qxPoC9ZdOry*33fP*4kVEH>kHG>cydi-~5?3Ci6m2@S7@-v^ z{-i0v+;P%7f03Cq!J_g$QY5Q|QT3E#bZJ5aa>RLC9u}#l5@w4?y=ws;L^ZP{l zpDrfjo09y4wj_1b&&2E-qRrm^bZszg63GBt04`Jqa`Zb5jH(;CRsWw^ZIzhH4F+8y zby|gt29RMuW8R+uQPAi-Ko=oe`e;+!>rF4)xG$hRptK_PE5$+mUqLylrv6PszkeFa z+f@cI%GH3p$_5SoO2k?Iw(t5Hgj;!PMZLD9ri>O{y#>@Tu)&E2f5X&Ec!ZXiCtel_ z4{i!63a6G1E_4N@!a@R52u{!JJkt`z6^CdVO#(C6q1vQvkM$^F6C7H`qoAwWiBO8n*9-hN7DX71co_Bqa$z@Zw{;M4v4yb9~n88KXQ&EBub=e z+rY!V4Al8{!-MX8&)e|v);fAI^Rk5rwF8J$-ZaknIV)m?w^?Put0c+E=+h44egD;K z^PW4D{c)Hs#P=x`_b8Mmjw!Zq`5e9$>lVqxYY@~&Klw03nN&fdNRmW=g)v_e0f$6{ 
z+dE!TtjtEVbUVy^#Qqg*9UfJ~$y5^@D6V`J<;IcI@(-u0;E#kr6G+28Sop?F?ZrAq z;evo7j&UwhUG1h{JGcUob0*+}6mc0${Y2Ex5;B7*Wl?4x|DvZ-_$C_lw!tRnn1XHL zNlL;0F4YlT%F|#?&dqDZ{#Gt;gt;IT(uvT~So67Dbg)8`+^M@msUpIdSCAE~vBoV^ z=zkwxZBgGO-=N#u<2n7gCD)I z+*KtYm`s2jDeqWfIfeiDO@I)fOX@X^5x~dif^Nm`vRi-aJUuSjf6FahDBHaGSO;4i zqgRWch;U(yr6-V<3IvEESP7f0V{_`n5e=SQgPB+wo1KEN&`R6>g_#EsooD=NT>elA zJnxM!6twfPgLaVo5eOm_E2?i8e;yGPh?+b?@|=!f0!6HefkM;64=NH^U}hdSxx{A* z{#Y?|5DgvqRr#;>0s{Hp+6w?8;Wq?sEi? z8T!rkQ4dUpk5N-#FBjWX+@~zkZDGSY6)fb0DrIZ=6atA#n5K0<9t~^!u;%r=prmpb z$xBDgD%QF`n4DMLHd8kuTZaU=_8{~u>oM_+D;r4iKLWr>OS0#HRV zh=zLJ&m%}83B>qE6@zMO_}NkYXUB%Tpodp-sFKyvtDwHMQ%eAx2o!6+}Ij+moZc5ru#%K_fHm7EIgO7s??p&JCn!!!|h6F(Kkq$gP_jDmI5e4|xS z?yi1Z2oLV&2!TrU2=eBLd_N}+%8)_RGJ~>Wj#*C7xCGwgSh5Al5W#V@GNUp_kj>$9 zbV6l70bZPRm(dt?7wkhNj4Ars9K9VUnx~o_8#FT*R$a2$-cC)*0$sH%o%2bU7Pn(i z7}Kj0Qx?ZTnw)n1!E`Qf6(-lZAtu*ZyW?q{lCS&T04m_^9AALk*Y!Dlbx6T#KxH0I z>dFAOh2%UB;eKuldFKs{>lDhSaF14^YS#r1wttq^fC$X@7~rV6q5ha^N>m)Y4!yvY)J)@K#Zdty;CnW}F0CKUmNUkj8;{(ja=l&5|KIP^u% zkeqttpWJN41MjXHrSiX@rB*1q#59WYlp!^W>#WJuDv_Hc3ErzUisiTMek)cYLrN@H zD6;#6P=Z{R<>8<-DGGpr8|Q#>g2c9w-hCnn>@7Q{N=U`o&)QlwYtuK5Q1B}k^&4McuiQk$5 zQ-rYuQ2!{O;0YKxBvH)W_zg^S4yq=Bi%FQu0j5!uax=a_{&~UuCJwS+DH8MeT;gX78xcJ zdDh`8IFfc)Ao-mplUFE?&>Eo#(@Y35S0eT`tJQ@PiLc^yF0e3_0*t)VNK10?FnyiW zkp8ewVv|f0(r^+{bHD-Pdi5|y5xiDXzo&Z(dU6E7;NyU@hJz7u813*1K)mN3J)4kI zL;xWKQBuDkLwTA#IG?w#lt`z)YI4PkJzf|s%GxZV zR6D@vZ#rWF6f|oPNHVWqA0j>?dpU7hO>?{dKzG!Q=vbp)3cH0;+aS#~Cg;zF2xPL> z83yHDAzn*no#HQ@J)exJ1$zvz;maFl7#rk|q^R0>iGm0wQp7~C(d{bzcAFb2bdkX@ z|Lb@Y(fil&HsgcWjscvq65PPAv zkAX?@yko$l;(95+#o`?MF7#+A_4p+I>M}d!xEEY7bNo`B><-g z+2vH@1`EUwmL&=e>a`C|s!poMN_0>b+fn9e7d#BMbzta3e+3&`+W}@cf&CO4&mxW5 z9-b$e+U>RJ?q&vo@wYSeg`O98;)bRK=^8vK_#-B5M3&m8EJ%#c!ED3H)QYC5 zZsKbrUEsngP0z2E6MFRi+jiq++!Y6GE}IFBofhO6nG*@PZsE?#tibmd9`-IG6av5Y zD^a!qUQ~T_A39PlU_c(oaE*0m>uNdx7S{?HS3_u*Yn473Hs}0Tp~ol zlPC6^6l{8>#QMm8fLqmMGrD)53q+)Bf*F@$-+HW^N8xO9P)p}XMC%)lCx!H|$ z0!X3$Pb088s+M$uI02KfiZ(zBwm_P-%Ce+i>-vFRxGKS7bwVS3Fa5TkyI6Xv;4dI7 
zEhGNcO!?Sd>p-Gyr!Y4(z<@CjuwWOtZY~H>BQLP%G=XfOI3vZy31l$`VixSb~l)lMw=CvBj^>(Tt4xPBHY@Hs3nU zj^|2-o}c>IZdmLnB06bjY@Wy-x;Ui@Xh`9>dB>L!rp1S0fK=74m5+NB3{2>&*XF%#TvaOx z^Z(*p{rVM_2^^U%Y(vhgG8J3U@zM1mT?wDCBy+OqzX~amO2iCO^W=i zKD~sI1C9oauEfU8a~1V5(|>J>1NU4zgVTozm3HIUe-M+T>SLt5@fHSy3+Nm9m*}G;@0Dtkoa~hvFYxye zJ?>$jCb-zq64UxSnZ)^ zD<%Q2Q2GyZqG#wLSBfX6=)?TL+kco7+hAbFB}SX4vVT#jeV}i!I#QXwlW-%0b$idA zcW;AruZ--KuX<{`r-ir`lA6MLCR@d_t-!(U9|#x=jRhLgn)DPvWeTOc9uheOj{d~H z#Yg7_htZ!5m4uIIqxs0Yg1i$RovDp`5z1WI z>QJQ9$Gohjua1`1tv3^n&Ax3p#0*1HM;5m4)nVGI^i2|`#w*`4E%(*#{|RAB6y>FO zBr-`sL~Fz_;Dw8%n6mCOT5cdJs3F#1lQoVkkj==8jfR7!kV@2n5}hP7vr&Q$BWx)Q z@lsx%s)m>do1c^mGaU!o{y7tjifzQ?+T`fxZ!SFVhroY+^Q});_cJG@%Fk|M#)j%; zc4aDLu+`|WsWl-KPSl-q7Q5GnM=!k`D>0tuUhg0VSn4N1#R+}Loztx|VR*6ES0(gS zGjC7*`X27@8@8}r{;RNX!?pyJU#D+htxUkxajo5*Ob88e%}Y?Ru_FQJbSxav%R4g@ zn!b@z2gM&Q&3hs&Zv3CS1?hOS=3MY4F&+aUVPX|X&2QKP@vLM6W`+h~4IEaT#z%$@kXmn;fExu6{9Ww-! zRaXayauI<|b)!ajW&zhg&-t5Pv9z!#4ZMG$Rqbg2&NVP7AW8FT5s~W7@4toR#V)tE zSunS?3=O^AB}G<3?AEAhX~MMaWFYS>rbEDVvRuSW*b1J-Xo%id2Zmv~@bO$scPo=z znI%ac+)G|9c^dQ{!6>k*{iD1wYuKOhgliZGrWq7Cxw+LyRws}XE>VUDC~A<@ql9=L z*RgdnOvO77^^cE^dz(toX@Wr@$jO!@)3NK|iXy;{$9(ehl7Q!Iq+Fdt=qm zP?P5#jcsYv(TGtZ*U+UBqmHIQ`v@w&!Eo}ceYF=9?KuWw`cIifm!^E?aOdB<$~t2k zf~WzUq?FwvM zqT^Sp4v^RPu6dFsA)-}oBW2Qjho8mS(x^BdWp-3jM2BePAVpYinDpmSteL76D~%Nz z7Z|LKU_|H@NFBos88G|%DXSDruk?bckHr6gfwe!B@tyy-=Wv*kt2i@pCQt%PI)3yt zGiT&PEkO2Xm1CcoRSU+d^hPMLwl#90V;?yMON0cXIdUS2F9rE9+;{UM`0fPGhi^xH0Th}lhX0O#un#D&#p;n8pCPnZ+7tB5i2y0_?S+{#>aI}en zUEl~9dtpd%lp25e9b*$TU%>ia&d=^0iVzR$X65Ez@F0_Fcy;eOY zO%Ue?j1nEed7Hq)p?}L0(NMGX9;CX zD!V7)a_k-&bw{q1fa@X2+0h(}`F<&y^wsH|6vHDYn$0`nC*RIn*E6K>FT3WplT|b2 zUnXoNd@!Y*dDY*UD#XPT=bCRh$=ecGhyRDQcMOv3+uD80wr$(CtGaC4?y_y$wr!hT zUAEbUF55T%d%x$t`=0y8`E*u9M$A~bW@O}?nQP7Y8_zR_%ENgZr$J#d(?mM8W}f`@ zqK<{19Iir6`&a490?+syM`aXLp6r>p-C~hCeQ89CHT93L7}X#DEWVD)6=MN6^$DpD zwmW1en4fa98zBXrkFN_)j_B#Ye_x~-b9c;>c-L-nQ%6rJPI;pUh} zf$(M+{&5%cVc5f!yfpGwtO{S_SPqIj&+XAEHm2(CVe%g&qKfHo10Bav3hGsg&^_sz 
zZAh##4i17@YY)EJ6oy}dK!b^e5Uq5@^#~Ivjx-EOP5q6YsOT@zdS{Y3h1fSzJK%DoELiUs@sf4f)+YDC4>vS3_1QNIToLb?>%Vq$ z$_mV52dqbOOF=BgZF{P5_yGVn#9oo?Aw@h>u`*|RK&1FW;=d%3y4e~62!%}8Fh586 z_P$N7H}W^z68-(23<3{JHF#t7(`?7Hrnkx544l(#vLqc?{=~r~CWK_wCl%nY&ObYR zBMgR9p@0bsk|}BbZjr74heGL&{-krm%#tiSY91j_m z=@4SoxnzL%7*t*}8uZ*t9W|}9SKKA&2_Lcbb@T1AGMsX4%q|~CY+QeH;LG-};q1+( zx*-craP`xY%h;MNDsH@-@sd43l%DW3kA&Xq1;+MG1CBly=}kzwqgqNXB&3%nxn%l?hk(O{OvzZPqisqEyM?p&BXcawAjD(XOZM*~Z+xIyRs> z*Yaq8dHOkPY>iB_h!E=T%{}vE^F^u>9mAsRGK(A??nXzDf|a~7bZ7n3;wNQWXyk6> zdR4P#kxs9hL&BB=x5h|!(NULgFn#k8_O^YyHy_rGVE4BD)ok(b&h4JG!`$_gLf1H@ z)9tym!Qe7 z$MD>^@cK=aDf2;Wel5AIyZTW zr83=4=e7-A_k>F(H1Snp>vmn#izCKUNnGwcVZM=^BT0^8fh@)30_aDdFuovowx6<# zon=pGnM-|mSLF4`y&`^FT_#$Aa_e#y60+5$vkl`P2=`Et5(K+QKYqhqqL2M3}nFR6KhP8xMcl%z|2lvJmT<8iOl0?}tt)FUHtNA&&@R7CL8sjK ze2V;H)1&47mB7tv%RZvc%R7CEBaAAl-6MFLKbi^eAY-3Er0{m8eU!^sS`}*{1a(=4 zAg^sfk=Ms?3GsU9v0{co>V3+=_t?f#Fbs{Hzl}1`$_XeSkHAszAqmXt^oQlfIuFm) zeZTUBFH`2+tdxz_d~l;3FPw89;ZbEfamJ54 z8kfmzasH4?>()rhf#yc{;+=$K;@a}UPsNSr$m6E28AOCR%m>LmrY0;eX z*kj+gUS=rqsb29#_%@xGVg~kD|&_bqKBkbFBhS*g0H+{SLWm1GG?=2TCALi0T=<%C$(lJS)Hg`-j2kB_=@isVvq%35C`?+)i{m?h zq?j&Q_}mSBdT_V!Ddd-w-oorp{~-Msw8%(I$JAb!4&_Lf6I)7AgUqIp=tKuuHf_nQ zV7fKMxQcqtp#^CLRII>PBRD8-J+TUt?7tu`pBxkKuo!`#k_UJ#~^B@R8BxlIAU2^D2HdANRf=t zdu_$y{GrQ)RrXSqm5MEsC;F6Wlp>nm^O&NpI4wJjM5((d6ImKp6No>aor&mq zRm{RlI)P>mHj1_7-v+Hw-+VctxamH~P$eRjnC$NzV)v?><4wJTq^0dD)oUo3KtYMB zYWkH7`9__4i))CO9 ziash?U^wg8R-)t=RK%==1kxy0sW_brWkV*7{fEKq+v6S(f0zPW8jqo^4yG)OSZ%4bo82pUhyekXMi^51{P)@t|^NYd6- zw&thC*44GBV%SEEl#(=)Kk-qtMqi~JB~5Gu^H=8;tkgnSmzZV3xKc;ocHCv9TqvWU z9M*)zB|IcmMC|6?7N0>t=SNqEt>oahz{OQs-Sub=7r9-yTWr07d!xn6Ekx0{t{8Wv zRu#hls>|A*MNK7fi1J$3hsYnK(6y4}#YwEuanBp+MN$9M`&;KG18UEyEv`0$ngmd- z&{I{9tE&HSztR@%R5X7UAWuQ3C3g^)J6edpPgo92mT?p$H-lpp`&qho$b9z37`LOF zmI8LdSx9tauJ2y^?fp9Ba26*S(;-p)7klBYzjyd+f6}P#>w53S5$Mrh|F>_?}IgZujHb>Ax8=}ev2Qi%4>DJR?yQS0QW{iA*b-UsvN4FRh z>~>mOCwk{E=P-RMrA?esTQhOn>FCuJ25p^k&DtJQ8*@PuMvJ#&q3S0XK-#m&Lt+ln 
zQ@SPgZ%;r9$|6zIId(HvvF#$q+``p0N(iUFrFj^$Si1#3 znT9zpA3~?5#u%c;o)F^S%A+^Q*-f06jk-UR7cqmc=5MXMv^6P)R7U81hK3wO1e~ea zJ<(rE5g7$CC=d#~?2L6%Zkw2r4rk}fx$&zysq*V{y z&iKv7-_ysQr%1fXnR}!3an>W>k1hWGDE2o~>R)HQzekdB!g*5O&pfC{7dKOdnUsni zpMVKhOAW82fh2vfQ{`{y8Hw&Gi8dtlP>@K(-EuN?Z9C%|#~*F5vKnAROl61?(*j~g z%=t}zdLMA6%hXDR*{WD%_L`_hJRcOZ*u->tcVpqX=Iq(w?3v;0=@?B{)5(|P`C6P3 z%9Nh(Y(O$yWwD+P!Kwkl%!sH<&_Tx&{MFEl=RnHqs*h4ehp31VMqy#lT)^=k^V;*<3Kk{SQ~v=7iU)2BiGi29ML&ubyexb0Ofch7>AYJjj<); zT*O;H3*5_;T)3w057QqY?wwG2?->7GN;FCnWJR?6$=|8cfwDLnm5vy_L<(x%y~n{> zv+Tn5Rex)qk4&Er>qsD_<80EwHDuyV)58=nKq!4%X3MXLEEZEoWT%YDe;_ETM#bj9 z(oY%lnM#wDuz@IJylN8MQfa}B{7GQ!590D`BpQZga0mCyYQo}@KGNwKLg&zu5#6Fm zy5ulRDK#cT=t>6Pln(xjfjH%ZH9+(uodjZ?N0iI|niy^$7;6X$ZhwX|gjPMWMI(F$ ztX#yQ)DvHu=DD?TSU?07mp?0ZCclAZliO#lF5~wh?t|p*VbCMo%Kb?!N{vNBUNh&a z5&v@>;h>KI#65Q4YtQS6b20q3_eO_54~M5JCyW0;mF(7y5wGb1MnAn~hvB~c4xok^ zI4r04eIxyr&uzzoRAjQZb_e6YkT~GY?ob_{>gBACFlR#A_N6xVocGLjS|;mR|E^?W z-qV#P6arieK7=mK!9R@1O|r)v%h+qSR6oB^aa7t^$O<9V4UHx0p@<@58|POe$U+2x zGk};Hkqt?%u`$)k{g9Xv55a{{11QwPC|uka`Wyit}TY1KT4EqXMX1EW7u*ot)pB^;L136OF zF~i}?1;D5KZ<^auO^J1Ia)jh;jUooXb3)@j5kTYa6dPc3`~~JvWvR&2A1>HQ$l22i zOqj{Z&K)R>&B@vZZkC0lgVj{G%Ly>UtOcI7=TB2Z$odN}16dDcPF(MI3mUKv3EV6v zvvsRC{xmtUh<~`lecpp=6`}Xg;%#~(7O$DAHI?u7jF)E)wlnHHlL^=7KC!J}^GyU(r+qJMDzb>hQ&TK5?)L}U^+h~Q@yF)|QI zY9R;_h)_yzC$s(A@DBg2B4QOTogWZi%Tz}5fMd9b^B>`$VY1I1%K5X#H}t_Yy-Am- zb{PV8K`|tjwjiO_*s&s=_jOL(qPnx@aSM2uwBO+{jHo`3r!9iFvJQk5p|VwS!mUWY zWo*BdJwY^K8#vw%r=DN0Vr>u$e~%qN4z%(H+FU1>JZgSUIbOC|Sn+3+GEQ{%)S;-TjK9$}F{ci{ry+jDI8~)}lXAfJkLY>nE{CmtBD~oKC3<4Wi<=sXEZ?zj zra{aP_Nd}eW~3YHn>*OgJSJAW@)w$MR%kNNc*+c(7dgplWk z67T2+S#~Z8yzgL99Iok>us$Zf{ivmI%`{&LLmqjFH^2)rTVRSk$``4alc8l}1EQG{lm;Dd7vLnpMs5eNgi7EEO&0qsSPL+VBsHr7$9mN`O}M~=Lf z{x8tv`6Tnk3>$Jyi^&|Fl`<$Rf3T76{jFdEV+B{QDTT|2R=f@|}Jg&PSr>3BK*u0c+Q`{j&$tp1)i7_OakQB_#mpD0l_? 
zwfisd3vl!JE%5UR2ypuabydFr1Z{b&Qs=q9Sc<8+it{e)Y5UUkq^tq*dB1A$61i_FJUe-LwIy?5d{Z9_6XHhK3AUn??@XSPFQlkfG1yLJ>=_OjkU72XVkLR=uZ_~jF2hc%+TEq?Od^W-!#UTso1umaN4d5{sn{Aj zNPkAyJ17;6Cs5>6sNdbRq=s$mgBJUFVAe_6aR_f{_+8K%h`u)lYA%>~qhwHU-p?(9 zmOzh6i5iGZFRaY}%>Pc+z7C!Y@srU05uF!jw`tS^6)m_0yF2_ELf?Ed<7174?|m8S zWN)Ee#2B#w(TI&B*6Xx5Pk2|#W}aFOqjzVnglN>QZFit`WBYfzg7e5!>cYxW5bf31 zxUase#(ZIzAgq6fxf1>4AV;nC}T*kgSf8q!p~==6NPC z9C#R;^wEK4vY#yDGB452dY96NUnq+sbq4342;owvE@MR&F59!<2~i0r#@T2wPV3H# zX`TFAy~siPj`|VYT&S?q0U2Qf4g(J}?R7SP~MSYnKgJb5FQaWyJ0$A7M1ezWhpOf#6q)5Y{a__oMoNBK2Wo%{GYFSNUvDM=o`(y=j0oa_V?<8 z{JrmB`|zW*AiPS19$aq9eQo6EIJ+O@{O-~axzQt76Y#NSIsIh2c$dE*)yU%dE4Oq- zo#+`pN=;FKwCLHr*i6ZrtAVtDn?Ov-OTbK1i*;C=?m%q>T^F4#U9n>(CtPC^uh!sH zvOS7NO0!h6pTqqWLAntX!&fEtdL273vRVTLhsw@QGrFY@_h7CL;Qh&KEBpfd3;7iY z9`8gJxA#Q68T?=hy2}c?9|ks9$D62{0Xahy^%HRv^G-ohG^F9E>XQI%kyR)~0vRQJ zLPdgt9$n0UJD}rHvdzdlS!<;Mk5Gt!+mI6Mm}iIITmd&g`>A>XH)$2X`)bLcL(_=h zNO>7Y@=y*yP>4wSb+AGn0XN1;Wkfv$)<0!2LZ!4voO-h7agBSshL+%3lxy5q)iK|D4=Zl1zsImHY?oM?N2I_Z@_ovJAykJ1QXh&Y)ia}%zt!a*I-cd|oV3(f!(3;=orI+xD2-GJ2NU83DWukf8AWf(lB z;r{xRl;Fe5uOTA$`J)Rf6Uxy0H(awb9sNW$^&1fkH}R*g#ADvqB(=r(0x8**4$;F6 z6imno^mSmB8R;I?E0`in!I3VeyU-+y0BB0jJQcS;(m9LVq-Q*Mlbp~bahjgcF}Vky zE|A$ayhLDpIq}*O{$_-N7##3@gjYr)%Nk#wFf7^E+TIg_W~&Fpn?rkh|IDAWjMsiY z)EsfGjrIOYU#;PuD0!p5u7tQWyGk7Dib-ro)%c*lMi)t(LjqF8F%6Gpj0dJtmjY4= z@o1w<{iSC?r7+wV6ccnq6AgeQAYyVZK-`jmNh#Uln^J$p*ZU!nCR9J&fcjT(q$$6OZ6hz$PWuN>Lzp%v0)m=d9qJG**2mp=hJtgq)7~ix;+JQG}+Gh@# zTy7PYMZ*2rkoYBBcYqg~>+|qpy~WJK7zm z7MJ9&Z&csfK&)^6H?luekQ||Cgnz`LtkysPKi0)Kt5{!-JM#DD`vonzmeNBwSvrh6 z`JDyiN`?nb@m`<@HI{bjz}M<6gB)b=lFS6Bh;{vi>{8R|0VZYg&sDC=T$J7)H}gj? 
zmUGwm2vXOYgm?$VIj3a`8)(FS@FH|RnlvLcR|_r67%+`VlKCs?qv5FsSwY^MTHK&o z$O5*~>PcjDNa@OV_{izbNSOP>AqPQyAc556yU2mBZJr>>axU7XYhv@eL@cF8yd*5U z>*QSk3onAO5=MNW+?uEdb zv?PnQ%0<5wEl$eUU&T)kh1``78depThan#2p0mGO<@mJHSiEA0>qlhf{Q`6FlFX_n3NUGs_9uJ`*<8Joq2uR8d6os!oIWmSv15RBB7Y z_?BIdD%0v<5^6WLY?r5!XZBd&XV#--+!d=X~04U{eqUU5Fjv_i>`q|-YfLqg2A*O`> zb*T_G)jDY*99l|X5Q}1{0PaCMs1`kWIE!MbDBwhPt{%KuK>#dA2b}8gonTu8IgTP0 zjWKk^X0v5WZfoI6Ef~zGUcl{LY+J8k%214`czzT|wgGEZWE8|&T@gH5lJcy*-1Dz- zPN`ApZnerxJr$A~Iy__+<904mbs1pn#sp+q%HWtaCy|K= z`tqh1F=e?it8OvPt6OLJmKVU_l3|Nq3P4tqh$ix*-OoSMVU3K${l#*ydd)Hs2~;m^ZzNJIEk?zI{;--mF^>DSsH*_P@6(J8l?UKb2KPSpxXz2G${QR%-4ZG z5qwCQVm_p9H&lmz?Q|qwVLmcVEJm3nV2XDkvih+by7F}*lKp*sW{DPOmI4O+0kf`_ zoohmALWr^XFd#Stk&s(n;kN~a2m*SHBgBwj1p%5lUI7<>&Wpxnh`LWAjn5N#TJUvSkml*tj zAP_-+@8{*yQ~N6)KI`|Y!+mE`>Jm44{krkH}ikc1yKoiF#8ig?yib`FQ z6N?J%p4sSB(?d2i(b$??5pl~LL`c9V;uUfuCKq}#Yl4p}*@*&)4_HsO(P4ham&X9r z)ED3hIJUZu2b$IkI0l;L1Wt=4M6h(MOyt4g17?G=WLgC;5Ecq%p2R2^ysTJ3aAfLi z!$(-*WyC}>dOZa~F6#v)0Tb(}jc9Oe*TQX$++kdOY#{8Of%*U^aunJF3}PTCNIYN= z109yFG=N5uZ8ifv{0uO1C4FEmeKL{eI!-~@^o8Lpdy={$Ep2FK!cz`kYJ2OU|{{SZRTM0sMc5SfuUoZ*p4wz&INu4@c^Ii zJGd5Q@8|JxD8>%c1bVE{yWcpGMsBeGl}?%f2jiywdp6@!s`$pP&+V85pzZh4Uwz}B z|N0GIjs8U#{)~vm2RctG?g#t;Pt$kNDtWDgM)%$1POt~uK@(-?wyAb|sNk@B-4AnHSmeEO{f#h9MK|AR@6Xwj1)YACL(65t0R>@bS+@iGFgoELba~=1#DkP%!cugMLsD!w4H{ZS z9|;Jgt;~)Hgmuqu75vWQ?zwr47aUCM=|~Ri!lmhjPg+LrfrsjWkJ^F2E)HxrO5F*Y zu&hfE-G*M5cGBf8XNjoS$RuJBsJebVom^5nc&m83dh{U_=w>DyqdUHUgH&8T;f-SF z)hgIh$QSUn?)6;c5tJ1CU}~u;tT)~4%3wZNcg@Q-%)w@dGfqDwdmuV7d(*<;t(Fmh zUYwSa^_OV`{e)*s)89>pd9OsW$A%3eoz7j znCH5+rziX!iBE>1r|>ROLbl8sequIj0`C4W#)|dPmAi@icimLX!q}31#4pc#v6I$| zdQn4~_OXQ(BIZpx=G~wXC<3*%5wa(2D0%MJIH=$5L|j3Vr9q^;KilT4+sRA4aKZVL z3W!dKR+*PbkTF0O|BtINo^-~KG|8e%f&SDn!Owdb@7hs`z3E?Nd%HvVNrnw%XfeCG zs!pCfIA7?P1ymO>8cfB5)tXC^ zHvLGooT^igip}NiPiU_jkZA0H|GG(>Xr*iflvwdZo9m>+o*8W-uIq=MskG~p6Cc?} zF;p0;O2e&Zr!FP*c8>j(TN3%RWI=!r=>un0E0fIq3}zs7|A^gq!#HwZ{Cp1IB-oT~ zi3ah+z>2tpm50F&(Z0f$&2-RC_m*kiq|l^bI^rbvtAd~2(rTte0M(kLvBC5Xgq*u5 
z#^;2^Gyxhx)~X6aqeV-bSs~JU&RogMFcLvpT!nWWuK2l$Z`Krjo`zL~eH^}1xQQzz zgJXjb_||^Nq9e})nS)e#z0S~bHq>0TGi{C!01U}bjJo_R^ecp@Uh2s2$--N(b``eTLytg!KT1jFr8KK8&1a?ee;A2uF;E3?6*x@Q-;-}HATs3ZiLGq2RrJr|Z zr}}k8>l9mfW}o^f-6EhO1BXhXef3y+4I~9;v7A4R$`AK1o>H2$m=Jsp&f;bwW;VJ^ zTv_mrJB()IRwo;^$A^}#G}p>d51LaJwW-T^vfLLFzzwXs%6l)jwa*T2J=r#%|45|Ao%&8@$RB$3hUE zbVQ_oV&?jgV$%vagZ)Qy))#>*ad{J{B-jJHTFjA6bV=L)m|9=>iDi`Xu$Bi_HYp73 zaU4sTBW{Zqx}^zR-~x0E0wbw0{iN# z_RBC49EM%@d`1YcSS#mmW?1Hneuk*I)i!l0Tvkep6b2yS-+~kK{8&ONQjzO>B<48? z2ldjmey}`6t_lJ5`sEIMiaci`3vzmEG*>K553`2cU_$N|g9V;Y9D$Qids6!G(XADFF|{DE zD82_76g$DgSWHu^+P<~dcUB!Pnb4O-*#lXV9vd+1f=vXRfxx7PTsHjzXZW^l=!MN( z41Is6P$YA@idW`^CE-4e9QGz3foH5EHGm4d^G)(mL4n;;IXea^S zRB>A1#b8!6wKUr(TPg&u#o#GGu--)5AOv=1%`)I#&iKaSlhp|5Me4nQ^B@e?B)ZZ#R-I_TlU@faD!^cYF67$nt~Lm;?)^cty-b4on(bd2C! zCDuPi6ol~SdKq@s6I$BY`Y4dRkuzbFzW_#H*mw9WrUpp>FA*XRN#Puy#jZNKyw>43!~0(&A!oOk#V zwLWoBp@*Mf^%zB9+~TGFFG$OC@e`}F*n)K5sBhGP~U^DG3g4D zq`4X9a)YkRnm?OO-CBR(MOagNh9&Y`TI9MqC(ZI%D-dQSUmYEXdn{0$#$1!quxZJm zxC#i!nVDve*npp>LgGWL`0)h}j}q79Fm4$}xJuMdC{`ZfI*QrFDc%Xy1(UASQyd&1 z4rBrHtydmh*yJ=tU4#M&E}cMe82(aYElZk)BKhz~zzcIHAKD#mBXsJ9sW0EF zPeQr_7Q;LORYegM5F%$k0<9q@EU;Az@Ci6M0aeAA;7&vq5&dbYkmvjk;}2GsJwqcKm89P z)nt?Ur*I_hXag&qr#&g_6c{4CD+WjRoYuY4Vp+grc{G=8sapS7)gM^i)v@YNR{#w! z?!M|SSvrpD`lQ=J4h=6lt#{#m+{yi4sVr+y*h?`YhtUI&RyUeScQIoeO&g0^6wpy5 zG5~F2RkW9Un&>$a8qI~d!%xhDP~Xy;mH`!a|JS7jr*VH1MKFOj{GY#i7xV=qese_s zcAr7bZKdOAoXb%I7cRjMShH**h3kdg!JBcx^!iP(q2g|)<}qM^)? 
zF?~g}M#`dTQpD--7t}3~`Q=gOG0@+wG@(Z$G7D7o%!)5-iq`0AN$5==a^S=K+L3mI{J96oFL=C(T!2`RxQXdHjU=EZ4-+@noWGD~28-TAen_FA*t}r7i4%3FXs4@dW4?BfQrYH~J3P-joO3;ZS`+g0_zQ=o<;sYxNznAI(A{o5(}|daSyY?GBb*@`$ksgH zyNmNwcneg}5HF8FMRJ^6+^sSGnzqZJppm#jB-KSAPNY&$cqtA*&?QwgP?{Abz+^cq zsv;6c=^*k`oB=7bT~kn+l_kQ-_afI}e>nsaX(Q#{6h?lfN}>x(V4Au}GfbRn7lp;t zSvyUfis0tXmv)H=S!+0}beodyb?Q06NL>XTF>q@oZIPRhN?mQ79@Uv(OXqB=4MIOE zcXJr(*v2yDXq%$VwBca+1KIj|zi(b%0&vy^*2nDbi8Fa{y!-t%6^ZEb#)j3L9%ZOK zKsmBCyEI()kP9plU574ux>~30vKY3{4>ZSeP61*GfJsyI?8@Oz3nBzS$3RoSDX2;y zDLNFJhE$X>ilB6mnpemTy0t|JKqmkoVaRZaKY$m|X$S874@`njwenm8-Zo#OtG0t| zz&2zZFefG-I02xfu$hA%yn&g3Y(f*n7C$piq1oeN(1)C-FR0UX@CUe4Pt>_)0LwT_ z1F(!P0Yjbv7XZy!1TF)_m4FsgO{YLBKoy@O3hMNijRsr+U3Jr+5IPVXx7!Z7hPKTw zqbR)kbytUXPB{)wf%hy2<^jDWLF3{8y(OooLxFQ3xO#{9l|x0*fK<}s5tv*zcnz%w zmNug*M-d@o+Lxs84<~E120Q|8fexXmfe-1E?U=@@sg7WY5QTQEpJjpnL_z~z3ZnTzifK`vJqDDFMUjlPfX9t|BwO zf(>&oVW7q>`Jl(B{zu5RCBV~@i2k0Qg`pjrL>j7;jNjKHo7Y%JRn9lFzS9fiCuW;= z{`aGOO;P}Ow6kUjXd`~Rqkmnqe)k)-4t*cqd<_ogv<3GGkKP)1v#I!5Hyi8$>7uN2 zbYCXD+?KarKktSvJkR)ZBTi?4@*x363{h-@H|G{qAmZ{-ID!yC(*pqQ#`u9_V6iw? 
z!3}i>I+&$Jnd(q_^k|fN*0GczoNym-0$iHy+;GqQGCbv(a(m&i#=DWXz+19O!CGj$ z3WA)$nGLrA1k!l>pDAeXw}=Zb2m5?MwQY>%wW`o5T&TVQ>4Di(n{fRJSsxTLKTzEu zQ!ir5rZG`?74ny?QgNUX?%+a=A|fXK+?%Te{1_Eea@oE9&*9B_>?@NwwSfg!Ko!TX zQqB4#$nO8J4%l27jX|ERyWavk{8eFu)Qv}32+7R2INP))tait7x*vr<-BaXSP8sb3 z?kDU-Ec5Q20IeM3_Ty}3LangiLgfx|OW}EAk!ir?Lvn>?~sFhLBYm2R7 zva~-07VQlXpy#y5)%+Hg>EC2g?hOngkQPJw*By)*3RdY1EBCM% zlb?l)0@SG_KjyX|x|?!5`0(otIWs2)@jZ7M({Gw|ULt?j3I8x(W6g%1<6GaH1LPay zD`g~r9NF;WgaphM8EDMk5&!UbabAkDOiRU4k3DURE>n-b2qcl7e3nVM{IjOnUj8mq z^72g7S^2DfA)}9dbVFjlvY+=b9dpBsiQ->DB2(lOrES8_j2V4>%iNb;e0*GuCHEdk zM5CGU@j8LBR7i3vw!*eqCPX$xT~7kC4>dDWg3Ox;A~`E(aptMV9WSLs{B)M!K*IJY z!c-1Mju^srJ%07_KMsdF|Inh#5Ze+Yb5yGU>h>t=)F&K{7;5k{y@6Dn(NvkQ5BS5W zZN=28*R;)-D_*(;nRl@6+%`{)V?iP-hS{QZj8a>#wI|Uw4WqZEM-6Ex=)5A>DQqi@`=k|4<=Oa7ZJ31I#QTS74U54L1F_YYfIl=$D+(#uN2AI*>%DaAHttPSTv zY_&Raws_e|i%8Fmy4_4n8YGxLo5>!N#SiklDkpH2c;1w?A_BoBIbeCL(Z-%?=dS&qRN%g1LwulT@3R8`{0yBaH8S^^i;iZYAu%4p_g#HZMU3or1N?Gwx*> zNJ|VxQR&o1Fjnc7jl;^5Sp0In11SYbt=QAvCAU@EcBQMHm!u2k3!5}s{-!a0sfZeF5D z6cuaEy-;T~_$h57|Bh6{M=u#1m>PF#>{j8?CSpP{sdFuofZOSulqle}AL1Cn%4;Rud2El_9Nzdl>$!=GQ z(wB>eFwo^wn<2`m`kSXUvhP1MDzOth>rEp{Q4uniI}Mj9XovhZt0MR-xdOB0dqwNF z$0~@vm$>)OkoY*nZc0WM6Q_R;8Kx_vVXOz&+|%9~{pC7kU36~FKi=)_wQDHeAgkMq zedcrlKcX=+PeP`R@E1%LA8=Af>+*khc316{t4bdl&+Y&1$HJjJIM zuKklzhr*+nGPEXeAj!e^k+A5*ZHNM@+MXh>v-PW8SdXJt&n{r zQMl*1p|aySK_%lv!CEGz+M|6~QG(WCNQuuI2Hp4#+n|>Ej}?u+uqTrmrGG2r!XZ!3 zfES`zN(vbxJOgWs4+XwyTX!Inp+93<(lGdOHrs|f9F_o9NXGqttdIx86D?u}NUiY3 ztZWfp$3jB@VI1p8@_!2BsQ)dDi&-dY$qRcD_1vXQn?C0dJ zj#g+?kG0~v`skc|xTh1xkAGt+8p9%M3$5};5Y-c=uz#>rGu{-ny(;(UxeAUcn4&!L z6!p~PUP74D(0iH+9jOF+^E=%K_SxDfkD1w3Q)w8V9i#2bf58l;wMq^ZxQVF8WSKc( z)rV_e)oz1V;QgX@O$0SodsOzayuxgm02#4$Wnn4m*KOlIf=WL#(74lx+{?Jcw{_IG zetKvV7dQgWSGJEI9;D2-fCo$$uCC=hL=KaZMib$!CA6mkJ7x0hq4A#)*BB+7TpnGp zg>!o*7#}|P{_d+a>AS@_#2VyBCQ@r>K|!HI+>zlFPXDQW#YAz!c--8#C(<`8meo42 z(jjgVBy$*}vQ#;a%V3cVtHcWVj7r(rVPTS)M;|rrKGOk6JcGR#Wfz}8ZW8gKupD_9 z3wPVwb$pr|db`%*))}`FQ%bxoV!ySdnjTVsq}W2n7UH03<^bf6TLd8m8s-B!lq@wM 
z93%^h_%{L>b%rFQ4zjo;flI{$R6I79_ zc%F^45Lks(Gh-U<2KmZD_+T+m=sScGq?vdfpt!27>n~a7Gb@qS zAJ9_6DPd6rS|CuslF5x@(b@o0zuWK6li6MbotiYAx-7E~D@dIXNq1gsIWTTQR5iU>O9EdIjjoq^fYSlH-mF%E5emfCi*Dt-S*Qdevyb7Po3~S=b7EA{ z%bccIovCC$Dd0lY(jBTfZH9vqZgU4>rh(x~*ZyXI-XUTuv4A?=z9~02>mrBmx$eeN ze9~6EP9r}$6#Nw~bfx$4GWO{&Rg#aBJXZ4tFm506Y#xJx{B3NJvvS#dg}ZrgFTht? zPL%@>7cD<7=0xM2VEe4V%7_`gOlN=nft6ux7%CR;zkhvpN=sZMKjr0v^?MG%Hiaks zUpavIlj@p6b1xP2HPRP6#NU@`8L_TtOES;?p3m*fKJLA&s$;;Yaf)b~xbvG(2EX{F z`RJ6U7=l#Ajs<5}t%4;7)m*~FB4C3zz?XTTd&)|2Uxf1C>H>|0fIGmXG z2eVc475^7zt7c1h-`OZ`o1lP6pGp|JnRixQxP11~)*zGMMp-`%x4mySv{2;bJ5_LN zHlv|V{(QZWpk!kxbkF+wl<9%K2ab(@1!^L@i}Y1i;&WE@Pqd@yD> z%h?{;{T``z4uOru`>HU>)+)87xEq&wzP8?E82AfD=cAiFm@SBvR>xNbijeGq^8uX& zO{|$py>|9PovsV*5u0kDGARIpH|3ZA4&HpucWb!a{yTV^9GEzLoPn5)x&yt!8@#YZ4>VwJR&Nx+-@`{o- z(uaDESc+7~5j3A^sOc-a%%mgFSR65*Fn0Iz2<68Qu@B@k_do5e*CSX=knG*FkVfXO z866RD4}psx;Pdr37cWA+L}QkAONCN9G-rhu ztJE^wAbCD|vj2iFup<4__pthZ_B{mr>3i4$_B|v5`yMpj`yMdrN{2~q@kJk(1fn;Z{nB^zhJRnubVocv4mQrI#_wpg&smh)m0uELJYUc$P|7)# z@BYJi`Uf!O{86>I>FR;}3z;^h3S6+op0S;mGUrwi?#AvMZF|WacU$SYqD(ZO%F((# z!ck$`?XN^p<*T)$NFU51QqNva^<%C{p3|MZzZlycZfgwkx+7j-P8{hnPI!Rm%n<8g zO`+5HM+f7dovKPHoOCA_DN2yqk9zfPqd6q1AtShjMeV)8Y~3}8bV+3p6{*6%D(YAI zk?iM@YJ{`#X4Ty|6e?|y9+y^PlfU0LQw8A4DFmk3g~3!?)qNpAGwh2LaW?ET@xYIf zUomWM_+ZUGM_V~%U1+ER-TO&b4pQ#Oq0gF&w-V-z&Egopmv8B_OXU%&?|^A`f0|@e zyfn`*Qo5!ONo+81$aWvTiPM?Z0}B@@e!Gef4Wi#>X_<4SHtKF?KLdxM!~Ic(y_Mbg zySy$X%9kFpUZoTFR90mluZVEr>!2vZbemMZ6?rBp;$^V9NL!qklqhp|93H8_bdrvI zT)WE?St#CRXPjSr|{x1VpQp;U2~EfZv-XsvH)oykHM}?%wwkfc1P~ zBODh%`57dl{VbW?hz;IEo1rr?FDkMIR*Zu;gD3?*8>*XeGlIKy?pH9#AFRu1!UpFd zI5>)(AV1!yzlB`C;Up1HE!w#ZBgQET`}AmCft|TMY&d{Pz%Q1}`i*KKf?@po-XrS_TY%--P299~{(Op;cK~=W`EnyxL<(d0T_khHv=Ci z%JdQ+_+R&8zX$^=1n@+_osq`4{kg&(Een1Tp6Pv^!bo2FqA@)X)}MQbJ1e_tcS|zE z_S4X)XG;={viw1y3<-8-569Zf>aHAz2ztccYl#oS_p6j^{Oe>#=623LMuScJ&70G0oAx-8HLehvwXoT@BL zv<<1MY7U&dm6QPq3UI_yRt9JcBZIBTQ$?q;L?#%6&aD7VQhkRg+YWspz)N5J$k7G& zLg7saJ7gDum^+3iAJs#Yc*w(vWBM22>)SV*UvIp4(S67 
zn$nl4gD{Ufht^C2!3F171m}1l+E?!hGzs#962;u?g*EI61X@Q20^g_o5%1If&^5!| zSI{_i!gFA(r31u$h*aCJBhgy}(@_{VmtEj|B4quXfn+#6*G+t0z?S3(1fWX>8ldA; ziRIT0=mGJw1qER8!PX$@8&tvh1q0xW5@`K`k3wiRg?fUc`+`U2X~4`i z#Gt1XoIqGA2qA&n=rs{@jh2;)&Lxra)MJmuyfs5gx?%tgf(C9)OBhPc1Je?u(d7$9 zsVyYwr0rb(byy%sDm^MF9j30|7K_T%DY#F90S=H%^<0?2861ntbN%7u6O#~lNXPOJ%aUwSGPr66sh8(b-s5apt+ zoh{JL*r>zyc^!Fp$PR~c6yUOybKIS9gNzn|+sTq(A#TK1cv0%gVN$=vultW__2v@=S&YVU4pU5NtcH^HUS$%l9!VFkfcvM zE>_?9TseG{Z9?h3`b+0Web7Pqa*p%`L@xZ)SqjKEDBt-;Tk_JSpAEp9oNKem z@hgp{qrp&TMPkSk4wWuEQ!Ypqq#Y||8;)@lWL1c28xFB&n-GFCg)xOB68s+{tR}^~ z5%w-_eq8beUv;B1d#B%weZOC$!YgZQv23|cyw;Qg4)Ag`Q!HP}ZmR_>hYKYLNnyQ7 z9@oQU7UOCE;fVUcTo597;s70tKX4_(KW3<{I)axMO6@{(9Z{5%O>>1l1vwH-d3r8L zF2VRf`;DE1J|v(@euUrdV9gSB!8Sd>(OfGrqZxlL(!|LiJ4%O+{ z1RbixuXf#d8b;ftQN%T0AUP{lbjo%Re})j!YtzzK3+e?SqSDYGew2K1%L9wcs7(2{ z6}AC&bC4UPor+n?Q>~qd>0kmieW9uw!M}8sRa!f6z^Z=03l4?EO=SrsanX#BV-NVj z%dz3V35}l&E7!&dm7pZmb()aBu;o92k~{~B9TyKYUT`}vPjVgaljgY3X7jO7B>$$0 zuG6+$J!V69^%#Co#wW;~3R>pt_nPeXz~r^L0OXZXkz5Z44V{`xJ>yzZ36Psjds3W( zMzRHpCO2WQC5XC8NAf8}co%f_A^=Yyl^cYNJi42!2N#=YlEha1@}^IM?QBV14O(ov zQkYq`+q@wmwMb*YWtx7#ymIr9P5+nWi$Wc!1Zuo-(6GB(yNU zG|MPt+EY`@ye`5#8K&^-PRJ^uCa#ps$J1CpH})-Noyl70jQCtDX6A+iA?7k2X>JT5^U0whR0qCO^mv?NeuMGlR) z14SJy$>nT+Ik3DnNLu|86r9vuA@Fe2B8HtOj&6M%{oV^Mid`okyyxQE`w^GVPrXW zQ$imJLm&Ojf*8*-6GR8Hg+S%RVaw9L6nIwAKNNU){2#V3LhC~CMVwe9@3yUP#rx9Q zfcE35gj+L3*V=hRsp#BpgD}wcT3Zq3GvO<35wEDma?WmeITiC=7&Z36jhJG-;rRc;7ZiYe;RMJRivPhEuq%_9mjCdD*B}4y z_`>ABs}^rofqX%#JRGn4oiBLc{DUu0?fi=`kO7MpOCy5+i!anLkY<cl7Z>a56u!#*jM%a}m0G zzVz&cv=zIR^Wuy!^#FM)ey+f*;uMJz65Ss+o^LyF4-v4i##7MLaigqEVgG>;Ggpwf)Fzx)6p{|g!< z?>BYgkYwr+d;cHMAT;%VKm&Q&@c#e}EJpr2G#E|*LIYdrnf;VQS8X-4$l%J)DqLd4 zRK*mj4_jP={M9uJT2^Qs<5oB?v@f4vC?o?UA0|XuMu<~_-Zr@g$BGN$FuAdC&7TaDVYq8&WU!Fel*rg2zU-6yOE-D7zvozO;7Oac3%RP8Ht7LAj7KAxxrd&Y>8bU%>1HoGC`80I zt01j(xn3Vyz))}~2}lkLIrogv1a+3}#8FjUNZ;!G(T$1Ynhov!iJ9K*W{mJO#Pw?7 z{xrTYk1@j^X5-^|ndmtcq>2K(#0!i3zX8t~_$k1e4xC8DW0jDTc#^6l`dct5$eK=5 
zs3d-AD-mK%|4Ah1wdOLoV69k$uM+=hLLqt=R>N0Y)3+aP#4li@3zR8W3B_kaE*X^7 z*zc0s)Px(`w|{K7N2|?x&qyGTbhRrB7J_OxDUq%iN&q=s$%2x2Cby$@u!vJ|JuM37 zYH&W89n#sD6zJHy9yG>gienEUw3U&AbT`@yiep!kgLgMdI3}7rjZ7l;5O)%)hW3cI zCP~l?lLrP$<7>ts$>Td+)G>=PC4N95u5^iFharT?1=f$Ked78f@kk?M{MWaK5g`MV z#kxoWW(Jb#SfSv;<6wqQY!yXzaHbH6*C4wT;BVtl$_`Hl;ZBI= z#1$+#DF)+C{3PP_ig_1K&o8qhuc8_ie+l6Z=t&X5q3KV_=}4N1HE^e#5yHm*V{nC6 z?Q?SS;wvv+U?)*P3cI-w2=|QbV5I_`i4HMQMPYjPh8AdwNmS2`$J`#@nyK_fpOFK^ z9$=5ey4>|5_w9Rcv>n$l*l@o?!Kt*IiZ;Fgp#Wh}bQArT+Idg|krnR~v(Bde8;utePGb;|6t=_qx|CbMx_ZC58Mz~t&r zm5hucs*fO(%DgGa0@+l%rK2MWJgV3^g4w^s4oXK^1QLq0fF{2>6@y~mAw1++;)1ZP zxm9GuP2HA%MORmyKm0y;kFJi4wLiL|eJ-}JJ!@FWlM}j8YsKC6DZ+R8cK$&Qe7ez) zqR&!Y^41Dx8v-*Rsx6!j9O&{J2S!FA>nQ-HAmjUO00uaHHu5D%1~~sVKU0ti(OH+W@Sa}nZCegwli0NMaf%-$7vho-Qf!RB?z!7HfS z0LN-bVDpuQHpKI^tJd>p?zdWim0#O(O>=96#Q~Shxsd z(LGxV>q9&HsSEsI=sa*hSKOq~@-vAWhRy|zpP2zF4;*kNQlV>6h+s)(1zLjvQURes zT?nqxF4HtpgCX|<(1B}lDUD6u)av~-4X{py0a=cq^J_vM09XUnBDD2;cJfR1;j4o# zBKPjfiBw!g?WUB#rW8OuAPz+bX3RL_M9QxorMCcp51~k4x%5f=ApXT)+aMij6*eDk z6&8J9Q>~=XCSP0d#m=u4m~1t$A<(DmS=GS=ID+gClCA(8w+V zndq5KnPecT#7faKzebC}R~Zuw-_oXqs@>8d7ylq%@a2uu-CxOHO2w}79Hpu3j4NgC zkR;_#F+03qhjAdon0lbIq|UEGjrehU*U`Q?lz+IGs`A_iw?Ktpg|y6@XoW^8Tv@Lk z)AXj?f2_bT!7*tAuVl)wd%_sDekA|CjTyHW8n^e28}4n6=a@b(v)ds%L9$^Z_m3oT z4Y3>#_nnbycPjN6VOMp;8=6VAsSWS!TaIT)F8EjWE|93jeQI;?=#GIli)#H{Gjn<2>?yTGg9XKR=`>_IU~0Wq%Z0t}uzGM69tmHvw zcFEb_lXz0`|2c^#7644*d8tnVEl=mWe=JYFlmE0lxis_dj>(U+{Zo-JZ~svw!y|Ej zl6b%Wk0hR^?c<*=Flp{=O<)qQ;ysBc{dW>?OpU%AhyxGaap31gW)CrGZ=- ztjh9t9H{+WF>WlB#f>7+g%iN{hX)e+DWOq*UGvr5tj}z%dgpA0aH!t;jlBp&e&|fk6l9pX9}2;*-FLA z_sx^06{(P&m@TjddasJRe;^5-%srOh){(NvPC7Mw`Y0!B;PM$*T1zb__1Vl-r~up_~ESJDB-BJV~1 z>FUUmGntS(-|b@a)%X#?H9LW zlZbW=9)_h%nmVMf>~p_T;0u%HWIu6xJ|la7Sdfyy)g})bV4QB;9;h8OUZU;>wd9pT22 zC_@t|4CpK1STsk=cD>=pRySz=b}2uob_Y1FdiBQZ|yxzKm-r0M_Rij zfcu&+`Hce362e@-;fE~H>W$45CRa&GtoePGjU?7Dz(;nZ0I6(&ylR6Jo=Fk0CMF3woup(gQPenj#(FI*2wAItwNvEgd3fnw?cK0il z0^ia6nHGx4h|9^+33GIo3wQgGX-47X&HZf*200NhpIbv{KIGg`{mKrkks!S&%5dh) 
zl(b5OB80}p-MsGY6@-kdC~sFW;Qpz?y{JxAYxg{@zAo^2y2}c9%An3dC7?|j;?nwr zF1bS_w_Rin!W$lsT-{5aYy9@kISospoPS}-`nTewBTSpj`|X%)o2$nve51m-;G!5H zwmpC9c5QT>UEz{MnG)FBE!V2XN_Ny+>(Hm|vyY3!5H;;1 zZ)!}j2jlz!c-KurCtYK~F2)xHQzMB6UJdpJfNQ8ET2 zyZt~^(}#enz^c@5lFpq!f00C`a_8I+(E#Yw@{)vUdI21#}M+>`+~{-Ur_ ze&`|fmIB+i@3aPyF(Vyp;OJ4xVkPIBGI8Wy0BR+-u|9G14cUTQ6tspL&!reMQZQ)Q zOE649n+6d?ib#l-QlJ+C+2UaH3o?#!IGuf~o5~5UNnp0T@%f!%0!{HDlDiRZL7MW3 zy9UDN4XnzC^OWFI&tHy=h)ZcHJLL=PVs3$LZUXuIVg`ziB}1LW1VkmLbc39-fy-jN zcI^RKLOLt%JIgjkmcr&MbCs+e%1?l4Yv+I(zuflu4!>N}z?ETOiLX#R3k_j~H%Q*V zY(GxlT@_IhEs>J}3`h!6QJo*4`D1NRjU+fRc*}$-D2PpQqSeK36KFd)5F2T|6qnS9 zO!2RFQ0;I*-xv3>nvp5$_Rl~KY^1;67Y!VnZ&YM)cx97ju zmV1_a*2c1etcMA?Op9gSd*-+1pW9KsLWyYa?)Z&}?i|Cqd}CR6v!=330;g$?f1$|( zdO};j$Hht8dm7SkQ7u+q+Z&jOEuX{;vc7%%3B28=R=(w|sxjL13qHulsa^1R}Iy@B|f2`8xm?5zKl^?gbv(D;F_2;#`to zd9d@*@3)}FBwn3y^w8yWqPk5T>u#?c?ryK20s8r>n0_%8@%ai)$!e$T zMVQ|Xv9u=vH)d@DJKn(TEIf=p%m8zA;}Zc>ejQJU(u^zux3B_YmCcf=KX z6MZ3`b0fyTZ25K_{eeZHzgoRBYJkah(zo6q+g}6ME`j4> zQ0WMq5pa*~fy^15gSe76vMyfea#Bzvxny!mivWP9UtLJSvYHAFWZIV-j;RzMt)3J z&2l(ny;d+gf0L_4u;&Bw@9eXM#20j}Oc!_CQN12sXPAPc5sJTItAl<@1l0)p zPS`@%fA8{S`A^HwCDGi4|+41#9(`N;y<1gT-H`U)4x>tXC9 zh~r=dsCIWRX^!^}xqb!o(8$1o*5|hSX;LCXn&zo^d`yRU9RoR%BQ1+@;`Va_UNQlZ zz>Kq@se_Zij1ht=fm2|ok3G=hhiWLt1aAPY!zpkbmfzQ*0k{t33)65`J|iAa{`=4H z8#pMKZ$d!?-m2{x-joCdOp6+;CVJ))JZX&>7QZR5;s^ISbpiPYH>zp4@jj(#>ap4kNWOi_*qxjH}kw%~m zla$aQ?}fZ+u&^9V=?2e1kYh&`;LcDuNd>bz*}#uN>kGX;8bC7<=9w^D)kzGVjYCa9 zTl``zUaQ@CL19A=D82^%vahzQ87*Y0HsvhK2@<^$DUa zCq~nT6PWlhUMI zA+bJpCm;@=DulySsnQ#iT~+LK;iwwMC~PLiDk9$qvpMZ=Pj9w*=!_~?lumw&f;I8h zn|i$g9v0ePC(yjwV-pTGBF#dNcBILpkky>HK#-&ogca44&W&EmxpR&C`!M8cj@-NS z!9q4r_9E;FBR!bEI_%qq43cuZxxNM^o&k^B9kupzE!8O|m(B?GYZ@ zMIvfWd$V!ss5*`mD!fdgn%6KWHY{KBhGI!6;ib`w^!SW#;+5Qu>#WK4t5Zk6LbEHG z&QdGEyr1?vn~A+7xT@tC zA|W?Nk|iSe-bX45ol6Fk;7K#X7u zXRH#Qlbj+jT*RQ{<)g8Ry8JA~=~?dyfL^Iap7jVx!R=;4Je%k*F=FjYXHDDR_x4F# zvg%yZioRq!xBn{s@->lP{=KAg0`t^n=p-}4?4a0;emv2pea+o}+*w6nQ<_FE4X)er 
zX{Tuy_Sx-tC6EA`1XS9vz-~ZfV_@Q0_U1rAYO>p^5!}Zdp#&GQ*}d*_)Rpb3j|@}<+QQo{ z@Rni0H`+=_D9JosdFKqmR%>`(D?-tV#%!NM3<;9eC1mys#ug~?p%s7~R}U#%DoWez z!j=SZtiHLWUQ7|=yGbpxxevMxu?+RoM3~GZ@_l@A8|RJ&@s`2Wg9Sg4xo*Ne}nTFj%k6NyCdB#V*~=g)cC-&QX@rld>+a*{ zXGpFnMK!sY37<_4SggEMaZ39^#wkov(Hutm$V4Bb_o;+P5o0 z8qPQLb~*IloQWvjf=Nq3lC#kcsvN`JDkPp2EcDdIr3s>(K}Qzf!jE+sXzLBqaOARq@C(tb#-s zQ5%0xAT~ZolTdBC5zikh?n5}h#+xjhc<>7PAeN-L2n>%JC*|oIRQK(sEUFCts8rUU z#bO|4JuZtEA0C>WAp=uDceMYWjqw&or`;+0i z-8$`&Hse~yvHbOXx;viH2qX_p1XMj$GChuPBlxb{R@7mo1Dww&wkAFdTW+|5PDPrz zB3iDXvOa?X3eUWgZyrYGI{DYQF5A5=B5RpuIdBiDLugXT=<;7WLl~%j;$|%jVEG)- zPC14~4jge1YdOMJx7iVgL-e`_bVGC%z7DCd#JS^-Lt-W|q;puIMZg+DVLY0R+yguD z@XA-!N9}6peYdZQdp_B@QvVVeC45LusgLlUyLPjb6SqfP%63x>TCuOu#gM{bb9^L?ko2FN|uHo zz=%JDk$uWB6F`gSJ$GNd!^B68MKfN^EB#^`K_>`{QHr4)ZMnBsCzWk_J>54 zmAj;ry2033nb^hsD$w`w6fmuw@u(KHUY)}1VW|gFz#g>@yi3;`Ire3~F)Y6IeK?Xw z$Ee+-kpzZp`Ogg5mdqOwmpt@WW@{k2r~;snPFPdYN>#1`-3M};3E7d@_(;g2{fDCL z>KugxB#rLdx6%Hz*!soAzfUfG&i&zrLO|F@O}vuo%gAmbEij$FH4*oOal7}1l}~ta zi>+op2s?}G$g(kP_l0REIM9o&8uv7Y%R|%}4AA1+R~J|W5MhSsoHpJHpN%AB*07w1 z0)JmkNIJ%IP?Z^mk*ASPAI3)xh(!N6_%$w;Vcaxy$-G3!w%^6=hhP&6UxQp|^AQK&y%2jh8SxJ^;ln^ES;s+{-vj$cg=J~LrQQ~6~0Xy&$tu0o3J3; zH^pyb1(NDf#Jc$2(-)<(zv*Kpb&%?Fh3t+lvGU+QmRQzrWBo*}EpXP-cErhxMy@=j zR5cVz9SWd}2GJ$EbNsT{CB>NM+^C2T#szSkioMDyDL$R`Ma)S^!oIM39SwBnXT8 z#9J{2V4^#`A4MdLW2SdSJ`(orHXb1n5fgz>0u&Ylzc2!VOX2+bAOXRN?gb$Y?Q{MC zO*kN*07?RWXr?GO$VymBpRfFTY|ifi%#wHx=4|wIF^cHW22htT3ltb;O&gJ>!Wn_& zG4aApz3u=)QAj0HtzbI3T_iFKm!P5KFpl=qg-~p0OSKiK*B(gzSYgB1+%6Q=Ts(V9VkEzTSY5l=BBrq@8byZ7RG`s zMWLRx2+xAHm{J^rDNI}!d~L-WXro|Nh`y_smKA0Nh$Nr^L;zvq=)^rZ(D-gg?v>8C z?enpmY%FItzXt=_m6ihyPqCZPP-@OV4)yOfe?wgK#>_(#2EmI%2X|>U5(eB^8T&y4 zfCuNiKcQg?-huAeE{hcqaL~+^RkXnvHD`cf;zYY4_d5u??{f1{xe*F!4=K6X5#z{1 z$9Cp98nG$DNUany`5*>cZoSSR(rh@%XjR%evj8%?kl%$^ehE<=ehJ}0+Tc>Af!dtL zQ>X)ZKAnW7$Gv#k0LD8I;f}YV6#|7q(i&or76XEZdx*Gx;6JDz3ZL_gSuHV}{?bqM zm}toGI2qQz>r1?aA^Y1hsAD2GzUWu?MJt=Ec}d1S`*M`cKf88Sw_d;ys^aPfAnlB zzj2*Cm)%9b)!>!Z)qjImbZ!(co8Coz#h>15ZK 
zvHmH@3qQoVDUf*)!t|C~n}VTy<3zLb3|f?Bp}_}+V!Xcrzvz~sk|5G*w85vx6O7J{ zP}my;LoZ{fN@mGd;v>%f34__jP8q;`)0DQX zxc(NJSy(^MObJGZhN+f-O7l9&jiG$n;sH5IVw+v(DV<69Sxi!AvNxfwHwv8r_m{M_ z{75av4yT#_C{SpAijsZeu!B_!mDHrnNDJvtRa6g*D(s84&`YHV45GJ1ZR^< zD6iLxh*FX3+W;fR-x2jq9VUXg61$0V*mFV_jst<=4vS9}Wui0YD~Y%qhoJjGZ?BAw z^-$q5Ycb4qh+?Ak`v_*5&!Q~;LfyS!)2r{Pd@}!c}?t#|j zYfv!5xL85_<4sW54k`;yR#11{h3SusPxYBSiJn@nzU74 z%ceTbvG_i86#tr8oo0-XP8||8Yv7`9aw}CEQZDV#Bf2E~8SG0&khH>!5~x+4-KVmr zImAm}HjA6rLqSkLtP)baGRJxybtUrlDGj!0jRJ&h?2zBYo!1PCYkq5d+N~YRsocb= zJe+&SeVvl~bH0>jk*U-xv^`D~Kg;rrz*roQkLj-Ik>atOJ-ssa&_rt0-cfv{ecAWo zMCHjF7jfVA(_d%V7Uxa3&D=$LT5!Db4X!J9yE3~QGtQE_KgaF{zDrfmFQ<2zKcVC} z-8NgVtvQ~q#c;mPwMJY)slTKEB_MNsxY@|U(ZIeDO)UBFSH||sdo-e4j3-ay;JN_+ z?Yd~W_Up3PmEz*NBhlxZmy>*7OVsDN@6=Z5nBLFC8M}PJbkp;T)4emwB-zZJewJkF z96l_AHF>&hLD`}FfkP|C^SJ}PL-4PD?Kxz5e2O~@($UQjceC%u!ADZ>B%Pt zE>Z_|ax2zo#y1GTdwU(#{<|(BTtHNJ7Xr8Uj8$65ex&K%o5OU6xgHDM&ChQ}lPhTa z1p2XqM|9KP&zmt!&nUX~^TmO#i`;hM14MQ$JOY$+n!)R+s2KK|%^itBQp%&5rTQc2*T7)X^Ou}tsx3_%kz^I7>LjhM%kC%Z9JtyZBbl&u02*E zB4YXkJoh?XHce!WQa$+Ni!^Kgpw?BLPzsf1l5kp;+Se8k@c!*u4|G@;jU-s%VsmYooh0>%7K29ZhT0xEL`bt7VF(^JM%FB6Ej zPe9#wD zT8dSLC>`jp5Xro^kdI3N)%-BUBSvw0$H>LW%PV%OR6SF&7jJ^fdsmeyIb(2#u$&9u zR3s3SRZkSd75C&(^mso!OqWo3gq1@68Y7}#nc_q2zF<+2DgLkdw6Rsf`~!X|l%afj z-whRKd9V)5*!jxeZP>QM!83d-=k3=!(@fi z7DgeK$43L6=zMp}zS#B=8o!3PQYir@RFg8PyUg-sa^!pP+?;orN5zL9k_RtXjq<=f z?E;UO>Ghmw)$}7l`^tAb9!oZ-Wu-CBALJO$Bwxi3z?J8&`>{6l8OD^q#p=Frmi}x? 
zU#Qm^Makodce`x})0NHQ_>CN0f&Oj7z+POWGE6r4BzC_;F{ljJUCY>aIeC{r|1;PoXB5yw_C zQV1mE>bX}Oi!KDpc8ej4!=(=|}qA6T`d(^nyRH$&#UyyEPG zGGF9!4wbhT-)Q26;tgCYyqqPzgXdBYAw= znnoy0F6@jUJKdOQo{FI!weCJ0eM0CcpjzzOYl6fc_qW1bh@HBs7 zh$^)Hkn13$wk9& z)j`iVma||CUd*!+*&$ZUyRvZ7TV;E>XTunM`8KJ6GVpvTyEt`tP_ophJUlC`10ojf z$5gLbek*0$n6%oV7U^m5qdHZ;Mk!}n)H-GKuy~-6&Ls|%&X|pRQ;0a8cU#DTfG+XF zw5S*e6ZkL^p)fg_{|D>?fU(4H2;;E3V1W=BV{l{WIHG645Q#sW%4*oBmWW`-Wink1 zl&DThNW}S})q?bKHTF>va%$k7s+Y{5WOpy#cjrx|{6fWzHP}tL7)hGj)TInb-5IvF zAyK6m)?T+5$vrffPAjb08TQgeH29%Qj;QOi3lWbVi#vWdf0A|&5-shr#$ZUZY$x*P zH1Uj;;#%GQQpJzfR+U>7gEBE}`L%4z=zV-ofzVa4EUNg?qs`#-i6)f#aJ9=C375Oq z3!i;o8!yjvcb;%wPi<4HJdZGcgfUBl1?N>zQbS|25wYEkvQg4)ghKE#4uvIaX>HJa(1 zUN!`J&&Cc5Qzn8&FM1haulE(j$@aEQ9a_~z{2nEnh|&F!H>U5v|LM!Xe6de3;jR1Z zq;}qu$p->+{rJTvmYTS{MPB$!HorqHyU9R%4f-ZNR+`-s7kPNr5G3GC*~GJ8_nT$Yl?BUdo%bch?`b?gHQwQ$n{3E#Fwdxk!&xCu@+eervQ#xv=OIcJd zEktnG2?yrGg~A@w9WYvT7Sb3A@RQ4Ad7muVOo%Ktg5qBZaSVUrgZblzwP8G6d zG$2W)uzYDuKbP`C;g_Ik6z3^Sd@eyI&sKM+SvgbCJB>^?Yqg>OI`ia0nXZcmjT1{E&?L`X)A|7;z=V1%Lq-!UX=Ti zb2D!Ifwl{GY3)f-GOpFCZD561q`WFh&Zy8%H@12>ht$iEYueH$n=?#%MqxCBu9Hps5D`Wi+;}a z><77hI+Xb)-Fu)>_aUe#0ln9p>N8hu0=)@FsIrMA}MD|1J)}-wyFWE zN6`;0XroS#Fix)Vy~>@bS#H28V4YQsY8XdG9jL>2hxr!|mDa$dI#3_him+n(s2a%7 zh}yjPfdLnd_G;q5HW!IHuxQb&sR4HjbzoaB&ZTNA zW-!H)caB(6tziLdg@Pn{-hGrsZ6)VW=L<7!7PNZzt?`PmO;&{3(Bp_2W=%8LO;O;$ zvH)6HFK~V@TC=}uV?2r^S=kinC}-e)>H+kRvSO>qmaqGz224Zb!!%%1mVs7;p0s-4 zvPH9Mf_IwD(#;O4;3gDHyG&_0+$sGqV)JI6MdaLdfayndka(6p8o6NXcyM>$08N4NBK+d*zS$46Wt^(xGR&Jb z0^LB-Zv1G0da2Gnt}{nr`-{nuPEw(pS*yU)pHr*t!19bd*b&aW4~ z(12l#xi4@|&xarpbf6Vlq^-DzV9BOr{L7^-$i1lD=XghT_7CpTrxo>o)v`7=froTH zF&~9J$02j%gOC~h#Dc!*P|VPvPCKM)66Fdrj4Q=ohHnwa51-!4)yh1pwZiTF17rx? 
zj#6rgy|SkNSOkeEE=o|G%GKC`Vg5ANpPviL4vSI7 zg-b-B4WU+(Vh=YO4A#$3FTK9c)tWQh=6f5o*WaQ<+53&&kR(Y8(RCdea(Vk0*Y9?H zMsK_@;ud#gy7AW(ue%WrO|Wv~O_)5pLq;I>dDOTzZP6uVDs7;ql~v1hU4O}4 zoj?LCF=V0^KKK@YurX)x&UNX-`K_In)RNF+YB%7tKck&mU3tdE)aq9nVi}ueP{iUd z0w1Y$X;5)>--gCPfVHyVO-T7k9tjqOiI*3@HhfM`MzS8nL>(s7Wb!#a(MxX8;$Wd2 zw#-GML!tNS*Km1lantv=QJj^BbzijNWAU}BIV-a>mxaaBm;uebTT|I3^%^X0U{z@# zOn%4Qh8U|zQK>msCpAJexiyCPj8Mi>y=&-sb+QbRgj+kyfl8H~b7E$v+Vyiop_U^Y zZSF!p?^FCEbP(~cSUK^rG3bH@g3F!2L<$L6)`FCC1qbjDY*AKCt&XSkTbu`-c;&NE z)3xQZ{TWOw{G(3As+Q-dUaPT*jBtYl*ereFIW{VfnQ68>natHCKQb9x!<+hx7PIQdE1xc#AluX=_f?s{UdT1Ohx69kGasN!!Y7g+}z4nfr zjcKvVu4Y??sf8Yk=cQSNmh$hsObYUolX~@Scy-QpnHd1b&ZsasDZj?>jVo>8x~e-# zvz-yccj

b_DHI{9h66bZf4C{qKm@fwJI8zfl`RfE7X&{_9#dMenXGGI<)h`)4el zUA<%mj0!3->z3rL}j6#YWaMajFL+y@`t1?mt>xJ>ll+4^k+5l!KydeEPs--Zz} z*pVc!_j7QS3GPZn6tkf9iG`}8pVu89MV1e6M=$6ReoTe&8@8^ayKnd_JuPD+57}yp z(B^Ob2>ezII2GdafMs-cvAu?F6_q>rz>NA*?A^UfCh78oJwOh|R#hEpUm`+A=F3u# zQloeSkvd9oZ%z*Qh=Cut%=HOMiH2`UuF)Eq9lL$w$3Sl(&+H=@y8j7@_uSt>u^Z8b zj}C_A=Yx0uTDZapH-RxR`f-r!0kG;i#|1KQr)w@b$3R}J^6udmYY^`7D@n%@b^Lhk zeVYL?r10kZNf3a!dZ}q?f6PGtor?(DkEGZVwRu>5%!9nzUtp%Su~AiTgG-$O@Ovp< ze>rul+Gss|Q_3|P4(9132ea{iPiWVe012(DHz1*Xg@31U%b=FAONj@Z3mGSu&9#d! z>qUMqz(zAt^UxxaNuV7ilGUJ*TZaxbywc>$K^75T6AU#>5+JRlI3pL}7S^A>1Wq#1 zxi!I5^)s3(%O#m;W}C5yFP2#*CbL3Rb4|9XMKYUrF?s}8b+%W4RloQmd3i^91ERIP zHGKwk?Ik!+f2O8Ro`)UTM!NoK{<}aeNIf%D3J%<@h^kjHVD}E}_W)`Eg(}TJ?er2k zx(Hyr^<9x0%#8ZAq2vAATg(RMB@*OsueyZ@Z%{r*h~II{sOz=~&a%xqx_WKmmQ}5~ zHhyQlncUyqcZTLInfq#rsatntp)V}j+w$P>0a@?seqCuC3R*s=uk_}K%?c2;2lEt$ zP=PpLzxpE;3qsRa#Tj+(hO|7}XG_LRu^5|)Ctl7PHc!n(xYdQW0P=R3jT>#4a*vEX zZJChhXugVuSs(iv8wN~m zB{c0hXS)u^*74QXIaRBt^7pz2K5NhNJ_o}00Fw}^)|)%e`QEVGSc-E`w+o9`SUZH@ z6l=FE_^bPjE1v-YrQ0F>HTS*}H(E)I!Drj?g*k|Fhk@_CJFFR1G$+n;fKOa1@psV5 z`jOs|w~0R*DqtU_RL?}~;pyTMcjS|O`sOiNBL@?^&G{J+43WLGYzARxh8WFE{@S+q z9KYhJR@}3I&{V6!5Y=z_vA+Vi3FDmnny-ehGNm=XFVd*LmQI3l|v*erlk<>vdUJ zpX5r#a;MiV5Lq0U5#tE>BDgH!huCxXtrPeDC2bvr;-e8!6q-`2%qJV+wLc0KLTlbHUAk`T&-qQ$mwYmLlUmDde>bWP=QbL&ZwRHz& z%CbNrPn`}B^g2FE`0TG`OFhD@O+4I>8+=G#1iK;a(m~LPpLEp)83S?hz6Og47 z;VH$mff<6knw3!nJ7LGK1@qOS%kF~;9^t;#_}Q;@D3|Fz8|P)J1Y%T1{%N>GK*g^$ zsUuUYzO%rxhviw{6#UBLwkr%TtEKGD_^Ynx=b!B*-cK;1R5xVwS97u8MXx+C6$9~p zN248_)@x1}afH|d00ZK+z-YHqC7Dy&-!ILOXlMPHUDqto$NW<-J3ZmrVRZl5ZL2@dJGP>8oN??WKy4{oU~*J&So->vMq(4Ih%&M}PFg*@KMqbot{ta8%r<%m=kv^wZa7Rt5KVj9cR$=~UsNaIJFLMub2qe81hWupT8y_xaSi4scEVl<*E(xxzZ)MQIGE(QD4Rw26< zG9zk+KZ~*LDCHFCeokw)OF!nQwn}5>);MT!=Bn1x(keNj&2t8x%97D&n0LbIBY!}@ zN@Na;-w+fCM3K|&_3POuML<0e100bg)3ovLcC8#pfJNP$34k&XUkhDza+Koa}w}h+V0FHv*sNrXTLG?xP;wu4li!`-jZR& zo-GxM$zzNO;K0UUlmYOqs#13_Ted}B{qkenXl{roG%4F#C}S}v86KnZ#S()B5}_r? 
z$%->bXNaRk%Lm#!Q^&!u1ZQe^T)2?ZD|IOSf{L4eqEq=byM)2N#HkvX~eM4GH-T*<2cO__o znKwY0Z8xYByqf^I!BvLz0=w=%TqRNLcFeDBaEDYazGA*0X<;9{+ya%jGkty&akbO> z1!{nQ9W*_g5-L4|fS!vV!F~gB$4CV?FG34552}bD$Y+tC747Ly!r|{Vybr!E;&YL6 z2z4hYupbWm_U#b<7IYdRO+Ul+Bs8UMtwD)*tGS9{xtrZ{(&9^q_Y_uzAIq1?pICls zBhG~#Kt2UrBoqli&sNIV$7P!6$28eh{++Xu_EAT$>28p;=+&BIzp{mvlr%u7t%VVb zX*a-C)x#MTwf=IqCA4pC0pZD#^)RxcYznDj#bIda`OvChib$s*)F8lUz^Xxq+8q>d z4oKZ%Ko~WovDn!p^?`yC$Mo4G(m??+l;3?XPRnH^#@9FKr&61Q9csLXQbFZxgFu}) z;X|la&F(V{KdG2eq)j%3^bd3)?nt=K`6m2^h8b#Vn#T^Qt_&7eF?aH17>UET9R3HV z++rTJ1H(!EPp2&WGbhSLy%AonP|z=6PI0y&+M1T>S+SpmjO3frs3g`pOhYTBw)$UD zZh|TDI+>GXATMZwQYEhfwa_QhdOC4E^l)x-ehYC$m8zB;#SH!3Lh3Nq#Dy4bIISdf z*?$jn=Ze^Csx4NR3I3VpGJ#maU66{WP;lef(f?JF;61@x%ML>-%BlhyMkT=< z@1e8U%{d4p%R4GUkt^n0cmoCEN74WjJn7|cP`EixV?dfZwNe(&7saUIQ>5Yy_In;f z_-D)R;nAwa#pQejtmq=mjN@Bv@h^}E|CiMQ}SO_uFP5Vtq+_eR7@@!S9ljl7L701>vS{w z#Cu8Y)92uqhv%%E+ve01PT1%BqmqtGF|jj%s73o?2EA65Cz#XmObDwbWT+jZ-WShOzgtFzZ{q9yR=1o&NJone4k4zY4vX6Uu4 zLx2rmJ_Yfr`Bnnw$R;K7;LbCaZk!I5w0ZBvzqnOPvj~sXN~5?Bj)kV+V^-Ww(K6kU z2q1jD3LPAGFrr*T@=ooazNc(FWqetr(cFTgWkPJt)OUA2mL z)6ZKsc^*k`mzDAc;G138IGvWU@p$>zc1?>h9OzDzX+G^WEQMU-*bbEK_1h1$&SEp* z{E52Shr;tFZ$VQvZvSw#lkrD}2h`I8V-SzWMoj`!m?X$!(F}=f6RnRsZFq z9ZZC`EPhAcJO6X!4X~e#`T*29V)0+7^IiG((-qgz>F57z;2k=x!xg`wi%*(`G%@#4i zV5Mh>u%#R-E&Xa{VQidph`^elVDlg=AAZIau_g8b$%2FD#AJLK*YI}o;zLjCR8jnJ zrRnhRdAFDEf0K8AomnfH4WWLzuNw*`CEhD^@aMxe_x$f1bX!X*6=Yix;x%>qmrcQAD2vIoWd{WgS#pG0s7$V5(n9 z$f{!>+=4VpQ=ow+uew5U|F;?TX+sMH`0%rl){)qlX^dO1ZZa$kzLd|! 
z0yRf!GvCeDQ!QAf=gDloBeR8-a?7%>K$fIh4J~fHD)x1;=I+KENp;|x>Jh@UpZy2% z{5mmeqMFxDRN0#ju)wG8qgbHg`GaLl*ZuFw+{xzIdAWp@oN<9Xsd)S|69 zI;cEc^bsquv@w{8?xc3?CYl#BeTZMm-rbgZk;hxMTq{piQZ<@Q?O)uI?500WOXs#V zg4X|%JQ#5EpR_rLwMV@;4eCe*$6DAd(?UhI|J-PWkH5(n1n4}Pp|`-AQ}K<#cn0Ld z-z}`~F!z5evinJ1cF07US-XW6%LnK}8tdcI@j$O_aQ z$V7M>HLi^WNWgFqxj};9A$2KQq#*eeFxAq&QmWu4*4#O};ER=wijwy17fjpkaLqP* zk7y;|K|dBo)N|Lcr$@7Pk5o0Gfsh z1}_V!yn%YvWtiXCF+zM|i|FPv${J2`Ce-)$9vJ}{PSP34Al08PtYd&Y#)ux4pJr&> z-rO{Pur<@q1`hB}iS!<6#n*+o0Db^jmw5+Yml5{_O$OQ4%S`i1X=&4am$+gCf|u+L zFf~~m4d?)YhvlqJr}YONOIRm`hy9YATLgI^R(`y)pGls)S@^CSd#wjsLN{sSw|Rr* zWTa8P@6(1f078b4OC2aDyHFBjeY%xH@BuYL=L8>ib4uB?9Ts>wZ0+5Z%GZ-~XIy25#;2@S1MIh}Gp6Aha-=ZWz{$ z^obdOUv+G!<}UQWVH=g1+4=w#S_U*91VkBF5njSRufAue}q(i^lu>*vYK_S9+{x2U(ez*b4$j5a%#WU+IF5k>n;l460Ln~HCT)Fa3VUU$|3Q) z0k%xv=HIlI!vLN+;>DLUTlWZ>DX=uCa}d%@+Ni>gf7E^p4*KJL2!@LZAb?OUI0W{#KHoaNBf_KWP2FXH|^=wfTHBZ(2>2@l~AX#ll zG8|-X`3~1Iv3?E#)^0C3h*TzTyvS)DzboXa%8m>vWTR3R54>NtjsO29XlVLp&_Imx z^gC!+|px4h^*2_CYyZ=S!TAbf+|IXJ;_K&1t(3iZ(BpC8vNdp$)kCMB;B@JJP z{%V8uqq+0ZLNdQUbN{@Ot24w-Wk^l<7!$hzWDU*JGD$Id_C?Y-rAEw}ri#75_ZI0V zWUclD>q=(&xipi{F2CTtAn3nyiqa=RKnB;jHQ*L9N*k?z%ds60SFUAE2uR(5$@5l4 z&&-y+|9;i5^|;D0Z3rvkbN4Ai5{(BPai+%;Hb-JsU)!O?`$AABY+Le9(um{I~#Zp{x>#Igva5(uz|4Rf7n1f z);;y#Y#=#+4P^EEiw%@qa5kcS0|XAg*}%gu=>O=1Ntt4m>M4BN0;MkGdMcL{Cxf;q zhmKP=QYmqVVEPm#3Dn^si8d^BWi5fhl_j_tLX7f0<0B)hfjtiqk`2J zw*k?CXs-{XRz#xzE-zPp2M8oW#!rOzzaQ*g7>GQC_vy4iHAm7QMp>vU()}06Ns&V* zt{ZQG=hfw(VVb&Bs6lDkS_1tSTrmt>yHDFR>s)JE-#7eGD3EPQ=8En{^$*Se8gKHP4I+GSPP|`fuF+ms?TKxb|KYb?yx1LtCOj@{>w4m{g#8T;fr_q>Lx zw(z;Kj+%puf7TY%m&%GF=j%alpl6aqk3A?E9JZ-0(rl+u&oYm5|C<1bf;wR$26So8 z!X@`|Z%{n<>j0Ahz?O=>hi}5+ZClFWalu~tjxQt462hP%m$E-qD$u>_vgVf*zJD_1 zBb(kyQ;bw(h9z5of?duhWHe~Co`7A(L3m6(U^Y<9gVZ6v5BKDPI0Y|G0w@K~k%V=r zQ*c}Ehd_VtnXsQ=Pew2o=R7W3W*6YA2*pVr#YyFBGY#ALj11lF`}*DOCixux6hMau zEh$NWQPY7JDgx-XHyEs@xLF14GL1pEKj3C62xhg;h@4Tke=wD2gbQP*d7M{jwny5t zJKre9WW|Qa>-+6(R#DMMl(^DDvHk~(BfYtu{7Yx3WCr!eo&eFlXeD8`+Xgrhg&SCh 
z$b=cgudHR9+b@4k(aWRz<2#c9^T|j2g!S|$G_`Jiq;& zUD?hz8$#lRd=O#yi6f}Odl1g#jDeD?(GcWy62R9<94i8U@Vkb69Lwz9|Kcl@uLl-D zIF+#M^7JvD|MV_Vs#?J{b~q<6Y!&I2pBxU5A1Wu_AlVcyE%s1+S48!w)zcX?kf^~I zAQ2#x5q|^+`837eD3w>&U@zhjiPiEQ+5%DQuQ+t+= z4=4k_4JFM|+o}zR*3n~arIbleSSU;3hcL#>SxjH?S=IV$*d=O6+83oH?S{DylTdGP zJDf6&*##lWOPxm2EVKU&%p}K{;STg0zHF??n&n5Q8i;I?fyP@>=QysCV zuQY)xUp!M&>ichw&s-+2nGz*X(hbap=$oKCad5Eag|qnE#V*5eop2fy9~sk5`Nil9 zTeR5@CfjE8D^%Znp6BYRfQ!>Kve>oBdaKHD_GVNa4VSx_ERmhS?CHtI+kgu7W3<@?Goit^#xE z|8;cpzwIid{ZF2^VjnPD^+o|=dzuXnD?J85QptgQO1G#^QkhX8Hjn3F`0 zN4;4ndH+8$5EM_pC5f|n!+NQMi%};)k`#+yU;j^%f}M--3(K?5(1#?=y_KNk)Uss^xip9*F2!zehIEXy2p&tD{G4dPz^kTS}!m0VA7X zO_9HkY&1ImKC)S!L-;Qv8MKo^)SH5rk>R1`;W!ge~fJ0%pk@9BbzM1$VNG) zi0#kFrpQ4mQRMs%?1?Yi$a8^`CT=DSB)6d#H5M?m$%u{uCQ%mgl^FX%Ft;!QE32aT z62U^%oacBJ_L^VlG}l~fBH#i`QDhKA^w{?^2$%PkeN3cE)T9F5Q%s&?JFAHF=ys}X z_Y2U42MR{>k!_{dCjHMwmB}xF4`xB%ZL^F`8>b+65m-#7-b4)2Gcvw~lk3NA#)Gqu zP0V?>VT@4%#sqzDsp`1Pd-i8P2Ct4^YE)^Dmw9=4IE%tA-ObrH4i+9gNWaUIe4)3d znii1|vN19?9zwU*{XA8A;dvk!fD0B_I+xJgx~Y^?cazs3zuL+!+}-cqQJ(ih6Kf`YaG=OTfMLR*3k(Lz3k$FZVa<1^%XB^@fpQD74sDLin%@5YWZ)U+G-{6@>Hu~PVX$+Ek(kpK+*ACUX(UQ_9BQpW`-H{|1hh0uhW@*7T9Qc z7SPRpAB!>4@_lP^uL53;tnXfE)fPljWos#J_sK!QT_`?oPOZnBS`&pQP=w(b-pyV8 zJa^x+sQ_|Hki+k%Q99KvbPxdyk#N`v0zXO+!d;6cD^+nGmL@GI6nwFBIQd&)-Ouwg z`Qsd{%z}SH#1!;F?*=-Qz90hCM0NCS!xa483KY+7;}o1*tR=b(jqU7Ry_|2dBgex8 ze-mC|S0b1?v`M6lUp5KRBm6{)n{+sK1t2W>6@`8l9GE#Sq4Yl-jXTL0`H5+V@dw9^ zM4O0n=%Y2|7j)gUd)Q2_LM|WN?oZf|@Jigr{=YmlposSH8&D||ty93?xQT8##f0*315JaW7c%=O(ql^e{4DTNrNhg-~) ziO8G0T`1vu>XRxNn!SJZO<-Z3PIDuydqqQ}G&?j74}EksZ;CdKvsThS*66LgKa-8T z&M-|B2_GqSUK(pWdK_hmfnGZ;(nV0NCfCq9+377bwvfj22}5onz$b}Q;*v%6+H^)< zK}$fL<{vf~`PRT;rfs-AR&Nj3KBWJwf)3FV( zi*j;coDT9>Nb+h!zj4OG(41QG8xtj8Ysu_V;_-~Yy))z^=<(z)Ke8s}u;df?J^hNI z76DAZ3Ub$cgb)Iyr8LV%$M=~EG1h1beVK#vaf9cIv)2Jc@7XMH0db zr*3Se!{psP-?nh}s!iiw7H2;2TPt19*4a7^v%0Fil2|`p#nx9R1pKc0J}&w`_{%gP`(7lTAqmq2XqK{^3OsksxD90+{A_3i!4oS%94G7wKlII-~180ceC#3Z_)YONh<^@5cP^GRl`@BMFq>2@t3_@ICUViB&twE|<&ZDNz-hsM6BC;IN 
zmaa^d#!(YAVNXL+;VC-JOt;O)=nb)s)$U)j?r1soUsaV!Qo?C?F|ArSY)@{Q(#vKK zU-fp6Ey+_ideC;)TS%r4yfBfSWP0}WVkHfb-$rE{72 z85+G^_Z4e{KUajK-+%OpgbOcM0dH5}`A0Kf);m)Y&pFfS%k>P2en%%0an@|=nW|NG zRlP7;r?NWn(#&jP{bB>IR!Ou2CsUxfc9n6p_K%ls!$?&Z_?S|<2eAF0YC=N9Yvu4h z9x9glH(!`l9ZL(tE>5qhnfqV2*8c|_12E?9T2x%*r+LM9cpjI=TWB7x0rV^{ZdQWztE^0-}JtX z=xS=yPW`}Z8?iX(G$~~>-VmU5ST$t(^63yTTj<%5VIu;1qG`}GztWGxzdu|w4H7vrCKvcy7!WClm+HxaDQYBk#GWIxgS8NMPR^`r}RJ(1-(G1G6h*}!e<}@zZrsj9GsVes#AQ6 z(!O7Sis%)C=;Mq;W7|q7fUW)!O)+W=FeYqxad9aCV=@=DBy?Z!*XFLe9!uEJXU`=_ zpP>n0t{>ybc)4UAbd^G-%N-Vj$T?Yr-X5{F z{8N40?|B5H?VU`OHD9uS4q`?FE8=I4SQx>7qFU>e^UM;-;-G8pQ5o4Eca9?{~!&70X=p!Bszqj+Eju`GLI%5{yU4d`b{3mA}SNYxu z?~MKT$!0S4-U$?2p4}2IZxA31o zUcV)@D^PIHR9^mWJA)#b<;@%q*y*_U&{;-7+=dWOYG1`i0!)O{XE*J#Xt%lz+u*|$ z```Y-@8A5xD*GD4>PE~87YCs8G^LkJkug^{hcT=p0S?yLzZ=~0tF2JLPNq^Z=kpf+ ztDq*NZdkOiN=&EHZ+?2{|B?H~*}z!JQK^pd@STVy>lFO-RwYAgX*12s3fl7${N zi6|KpI3^rKQLR4bYOzjX0p|W-Ij|qR9+aW;5#Y#{A-;rFxj{3iq9p zJyGI#n&N^FNn`!4nsE5>?5w(oVQHP?m_gU70&pLKUA3p5vnY!h z8xK%=PSMMKx$nU`U(cVOk%c|Ya_VB96IuxZeY1SU#rwiGL$LOkSHF9CASR{(T!eWch>sNtOyuD* zGY8Ax+RtnU_Y4c1=w}mS&|0M?O7MoQ+LpW87_gB;r%-viG=G@tkN?V4Z>#@ds!=AI z@1_AvwFH2vp1}W$sa9@KH9oTUE$-3BR=OIDi_wc^X85KeNhA|?>lyfpugElUZ)VC| zs@R>Xn(Ts>n@|D;dsY33fYHW=feolRCa7)iMTUUvt&Hp; z-x+ztLe8OZ4m_0WdAr=E;sVvAfANNs_S}H+Dii{~m?)Fp^HR;ko4fNWQD6}?DuF%) zMB*3YUJK@mB(3d3;>Bzz(=rshDJv#l-}%|YTJh||93Ui*GIWwIQ*kD0>?J$7xb$g< z!DC{?!@<)ra0*i^%T5vbV4<(>0>|wkf7V0n;0-5Muj*F{kcoxYtLl;!Dw07tcpB5x z1Da%B$S|$k^eaXD39Dn`)ZZ;eKH&pS&%8p|q$b;Y`o>KyWmlgBJ8$XI6BFUHqBH{x zIANfk1-`wiBh}pyN4!>>Cu}GfYTTx4za&alf7||Mj_UH>UoCE!_q&2q~4ZL8yx1;Z?e=@BhM1vsjZT3qDl+6Y^ZQgoxiT4Eo>d@p=$bMgIR zy-(#sod2^#@zhqrDT{+*i&3{wK}(hY*Xz)n7@JQjwJ2-#*}@MFX^VhZ81aj97G`(! 
zwap0#C?sq)Ka2s8GuZ>+WIJ?cy;>$6v`<_A!EVh%Ofx~BJlm9`6To#%?>}@9I^z)) zk6p-3U!v?V(6rImz=iXf+gU%jq=XuU@uPw-$kTezL%Tp#w6V!K;`r=;LdlJEkEyVP zmGRj#Q_dS>&ig!v=_7PnGw(GT*cn+0!+T{09ss_ei&$Q&`Xx_Gv3R=SaeG3_5NRl; zaXxV^;|qy>gL5r%ti(U!_{N;E2|L3iO{R0$DIRgVB9;R85uk_cG*s%|F zFX$2?ROJ^rpP3_llyi_a*VE*b82}ov7ddMqlbw>TRvTA~UB#f5ddMeQlxHQ;j2 zN@U@%5)t{H#Y}5XtT`EUARE0;PG^1ym1lKRb?g6{7;$$8&Id_NW~c_A%YkpqU(sPy zNunY-s>JD2s@5KdHtuupA~VdH8X))9rdP}ynN@l9+{H0yI7a?Zk@vypqIK|)%B(DUa53z1%Ch!X=9L{`hrEkW@z|_?)XkpfF zEK31J_5Rm-I?gaQQ$T#vr$W4&bgpoo{MB7oFj-6UT_OUF?@*DMD1p_-C2a;Xb*jmS zEQTz-Q?)Okr_KmTd==eER$x@w9Y4xOQzz``zrceL+2kd15QOjj3iZHv9X~9Sd&X26 zp>ZHSf0Usw^^+nSIjGcK?T`3WCib(rhsIg8*og&`K5JYR=Zjb_eI)DBz+MaY4pzT}oRxAqtrtPiHy*4j# z`hCfwLHwvU8cr2lu8usqO1^Axc~!iUSR@prh6hm*>U0%o1Dm(vy64{vB+h75Z=df@ z9p5A2wGw?&og|QQc>RxAv-k6mPE5&A@#UCAtoPmXV3>}yb)`y4K<6y9+M~2qxQ>L( z=UMF~CzAs9-kp9(Y|D z)VB?!IuYOwrDYvYNuNu!Sy2*>6Pe2=zg8J`;pMI?EAzy_vxsL;CbE-o?Q)D)C{g4P zx*3Rd4)|vC#PAA`;lb7w__3%x7Z`n*WUy8qM3m&lmMxL1pw+6qd2aaZVfu8$Tqxz? z@vuiw7Q_cZk<;oW(mQFF@_cro-rlB51DR&wx9HPcP^!ukX2g8=M>N_zS5_`2fy$0<4 zWI;>cCKnj6NK>xxO+^iU$=Mbhp(F7Od0>BT948PdF;F-VGTRRzWI*DEK}tQlT7axb zoZUa5xI3g7M+!7RB?J`F3gd57!U!~=d~#Gd-74q^D9+NI3=aC9l(j;no-%q{OX|GB zAo<>YKezi`MU61o3%|xhMlh2b+BYfOnVn+YbN%L1LRxubAhlxSfZdnVxydHH<;c8T z;Scp~-x>F_h*&EXw&d)&XSfX>b1$YiBE7`hoSoI5Wl6-WSy7bYR2Ngt4g0XDTqqcO z5B`)#!hI-z0k*~{lij^i%AEs@U|8R#tVCpD1anjVQAd?;Gah;(vn%x;W6i;9z^%j-jQ@c)vJgi}b_8&CXJ*hb2 zA82g$kpcNo@6{KsQElT=M+??xq-3T)8*Ym>L-wy&NH}C-wcS(sZl!JthSdZh*Z|PN z@P9xHlUOU93!AoQ_U^JB_3%-cfD+|-2_x}GX5|=Sgt^!De~t#Yr!D_pq0F_4Dx#Q= zYSsO#bsIIbZT;8M;g8=jLA#LIMZay}<{39|j|E#ZVS0wY6N^S>imP8i#b>+_rSZFl<_k~8! 
z9-eNimj4zLxXVxK1D@n)h>ysT7>B)=sqf8nExj@8&-dF9y~5+-fSADW7{>ORos4(&>X}5ni!QQd={bw-A2!vl`BaJ4YY9*T6y}j0k zz+J)MK(aN_-KZ?Fk!2@6@vH0|Jtm)QWGm%AE3uiN)gG{y>^*|rv|Zq?$gib~40h0) zLyr6iMLNA=2|ZLh3#GSU$S?KA`=$$B=Mje8bMhIH+G?8XD}A~Fj&oG|atS14{0hg@eDLT5k~|AB?pt;GVdukca@328<(PmdAOh|DwzniF9fw`Af) zkfb~e`Lsa0;9ysSsYjAb^%W+{(h=5rd_6++5UkG~(-?MF94picB@^+2W*{+)bAv_z z6G<3Nxu+AyF7u{|RJWwzC(gVe7AqQdhXMi7kTjz?Zmk)z^@(hPuQO@92Gd1sjiX3K zh|Enxzi7Cwl+^5y@wr(c(ocA@g&o|B;R)BcDt%=S7$Y@#E4V2&rSa0Sf76#qFVxSM3ErR8H}vEyB!pv#oc&K> ze!rK2W?}iX&P2Q3LPqzKR+5sjh)3p_xtD%CYaA&KYu7 z<<4_e__h0T)@x4=>o>^Z=SiVm%t7kkLQ5(3)n_l(F1PQ~jyG00(Ae+o%MMg3@Yba* z8os985B(70Y32ib$9;(m8U;1M)!GlA>kC&wtEcshl&ZlZ?xQT?Gm841N1kr?G{CZY z1?&Q_idpdEivy5&C`9%W7gy!AbJEDCzCF-sf^=MeB?ifd!+f(=!nD5cuS;j?@j624 z>{^v(Oc4@dkZNOL2YA;Ba{-|Cd3GlcrDp69abe97^_?-XOZWmZG)^5Yobq=_wKV;U zwV!PU-PqTi*0dJM8%o2?@zSC|bur>r3Uub;vHXzZaZ++gBsgkvfzm;CuCzoXmb^v` z-l!O;3FFdQCtw~C?T>kW-QzkvQZXAQl!mnrOyma<*6q?te>+uf-BOq3p}%`XO?o;f z8+n(8isj8g@G`})!loB-eS|LkWFw~G8^nemUtUKVv3@=Zz=3@BXI^C^=Qj?B?2kjzvdzy(nl(>f(6{xK$#M~H+r=koQMH3R5e*5WqeOTNK%(KY3rshe zy%HH6+`7JHSRD}rj_l6BIns1g)kr!2d_LsZle+{;zm*Ps%F`ZLWd7`tJZ^&;W^s^` zxyo%oO}Zl|za zcm3VUC#R&9o{D@`%*-}fVAUzPO4p=5QkK~Q1M8d^MMVIJU#HI&2tsvp`Qh8${1;OW zolik9;WiEDw?tY?`qGQGI6;O!0wr{D7a52Sgy}}=-+m>Xqmkgqwha_RHhhkv=B@n< zo0FfIv{vV~tLc@vaGnCYN+m8;lwmX~E4WHUj)lKTRS0`$|FuDuXTYKeQ*BzF3Gf3v z1M%Ojijswkl9dIb>6l^EcoJ+v`Q&-xO!`E)<9Mr?Ea|Lc@5yI2NqM&AW|iwl#Tk_0 zG7w?Qg%Jg1STDPJwK9h6hkW^s`_G4;;pd1-yyGE>w7| z61sbJ_^t{H*dh+tEzEuLi;V`!hDlt-lDtcA#azTls~eR1FmYn`x1Ubi1f;X@u`xTh zU|J5d1j+W|d@L#ZSnZM3*KZ&5R*}Xar!*fbIk)d0?*=X|yyNR10@(Njr!OA_B&Zu7 z1g=$`*ZTTTRaLL{E(dxdx^Yv=ojG5Zq)9uXV_wm zIGSNJmpz!uex)wlYPNQzD%^8*7Rqy(ahp5t8}CZ{y*&-+5F?#~-A*Qo%l(R)4-2(0 zzxVS;99_aov#wW%TGc_O6bjBG60%HY$;PeQrBDImf+K0wrJ&xJWBaHf-~i(Gem`zW zDK$Tb3na(8O|-ZJwZ-`NF(7*b9Tjou2PfrjKPTd|7d%s=*rf1Z8x@U z+qTV$ZF9u7ZKq zATujWjIM^*u>K+8pMK9hX!7siB7NhW)|j1jX?#V^m;~J+<5QktpN(6-#WDxwkgm)S zwgYLEO9R9_@-^*g%XR&pi*o~9CIRRPPh3ulPZxPja5Rosuui4xFz5wKP^n{V)kh3? 
zs^^@i@aia@Z*F!>BR2%hmd^D9+DduCdFVR!#e!PX}^AJ+x zf<+#x<$a$7sz^LKWcEdT=o4{x+b~1tWT|*~j$5hVnIv+Nik*?d?LI47$Z>ZIzuhpA zWVn#e6-c(ZTr|lCrwfqo4_fgH5D)G3uZuxkN!H-9A^VWHGH}8U^J2w~D0cACZAsSf zvJt9!GR*`n;iWv*@X>7I08&}jc`P&lsW&bb+BC@x!DMSRM5j6Wm<0_Kq@6r~(p!dp ztp1JS0iTDG)*-=H>XWR}ah&=~QdG74I5ARH088m@QIaKA!?g*@(&xfg(WDBum@2C~ zRPY@cix%1*7*=0U)3tudZgf?tCV?DXDb5kB*D>c8gVv6-57D>`HQ6Y`j68?~3yd*( z!ii%#=DpgN6q!71iE5BYIhgSRI9Wl|VmxTY3*Vd;77d{=l{3=hQ)me~;HB@3Weylr z&VrM`j#ZbC%8twLA(MQV0|iR_)mXlR`!cn1#Um|i-*0b!%)GyUFkmsY4t{*3@?~es z=l6nAs*CniugDp5)+(#%a>o+&*Db;|oW;=ZXK0P2+t_#mcP*8x|2Pjq^VAYxSH9^K zsk4GS6`)prj}wW1sXbi_`qgz(O+_0>R5;m*k(figInSzdwfySyb!nx&tb2XY$eZ5( z?xOr?lfXN@#6<3KA+c47vv!aDc1h3A0PlbJ&qlpjL97!fgE zokKMmP3WrZyA<76qmZhs{RE~$@R-4Ou#}38G<=TLG~W_^i4*Dzd|?}-pRlc`sgIHp zBpLa1TElFUIOt1GEvcp&zqr&7YD_GyOdFoDwDYI|bVZg5I`A&Tiw}iXF`Z~3!;9(4 zZn8R%vS#C-XF1BZ>qlO+0xiwMS6(KdZriW=)5SKk>|3FSPkS^Pwtq33Ej~|u%y<7N zlK!Co3SmG4GPGcJ@$Fvet<9Sqf#^$B_>kGDivm&j(JO(^el2Bqy&2m(#p^H@7XK4PyB=KG9>mNmPm#%yC(i1xrE+-Zfw zba|s7c88v{QEd8~_;!EKUH~4VU-Mfve0xjDaO{`2MdwAF>IP=;)=8lnGvXSrpT4qS-BsMoD}MJ*Ab&hm ze87vcDB`BN(8Le2DdGlmQE4+*(Zr9*G4yFHxvS! 
zEp_%Z`_X7{59#4p+ewdXz`kcQ6_&Y{Y(ByC?fUSyTk0s(!Q>T>YeuRFHt7U{l?Z}V zolgV!T#w&WV=;MB8HyaE0n|R@Bz~|p%dSwU0Q9?*-f_xLbaS&@)1;9*#gjtlJ*}EH zW3ru+nr_(2qWuj*rk-N#tfwSG(gDdKaxhxSM@ZuA>i2xeGBK{jV!UFK9avk5)*l&O zmDMCOrEVOjqveM!l}A@sp!p#QG@nyI#V?EWHUwzVafWN?Tbj zz_##5^+v}tG-}^pUV%0XLSV&;UQ@%80bk6)7JvAznt-SZ7gJV=D!NsP5L~R^yQQjW zo(x)wzTLhb(0QHjWa@G8UO__ygScE>P4F+jF0f1Re_wu{Z67AG0FpnDM0B2KXH}bH z9SCdE&YfrtI8K4b7J5HhsekDw1)JEarnhY*(cnCDx*uC+B)JuIqm5O5bD22ZwQ>9H zsS+@Y&1{@*=y2-F$5q7)b<Gr;Bh3m(R83R+wgc|7F8u_cwCOrT6cu zftXY0x`7v^zpKkyJk-=M@vX7@#X3+g9-`!{egY3amUXWCajKhb5uLA)oep!ZN&jWQ z$F6Z8($EJ`1*UT;xHLyj2c~Q@#UWrm;s3)2e@A5n5nhsnD*lbRkdcD1X=s_*8RNpVVgN9F%mCT zRAF>F>*sE>B2@{e^c8c5>1rmIy7UK8TxIF1tP_ClL6|iD+wXOS&rSY53)70!a~m&X zT}=$~*g0DLD)a+9=V#99oDVE4Na^^Vwvd{QXlOo)`dz2K^~?Y^!#0AB zZldq(sM3*iHjN$^u~k3*Db(;T1szpwH{ymNPzn4#yzMK~>nT08OZ z5fBm*e|}Frxt~>_`kugTQ%1a0>>jv{q*U#Mik9 zs1QD-N@3YoPFUwga9#W!nvgeDvU2v2AVq!?*svo1u`MhlBtX!8ni$cw>wI(aH(w&-{9s|@q~#Ss_kv)?Ov?{mlg&ejy9=utsB8loo6c`qFp;_H7k$L8^VcLrUJH$6-Z-G&<+iyD zt_qDVA&gK|e7uy1$LLKKpJldGaAm#78meXUf5~iZVW;Tl#2u`gpF5B5AjBVeaY+*q zyPlIIijNSQu{{F4+Jm8K=nw7#e-M@%9*UwT(fhsFCJ-YT{2&rx0rE5xwhee!cr1PB zUaLo;EY{Nwvm)ci;+8k#hHqg;{`<@mC!{G1=hc+&3wpB~A7YO^7#9oW>n^TGVDz87 zL6u#YSZcN0xUM;35>GMxLFOVQ_KwhACJk?rOlWUh1$myiX#;lHQUtDpgX|i>Z;6>g zsygD1z=_Ce+b2Yc$$qSgSso#w`rL^~ogNo3@;_;&KGS|eJLO6j-G;kY?Y(2~2$2pw zO41CqLd@s%O3;?vS!)4LIx!|wZuz!)=v;W;gPgbh6b!N`D}ZPVej3v(1W}1)@mmZD zqItPdcilhv4xyuG`@(a|e9ui02LZ%NMOx z8i8#N)aE42OxFi7u<>dIvNJ0*Zb^-);+#a{R>RY?4E$xK9QPKTiZBk7Wmt1rFPXss zo}?vZm|(8geVEocY0Q?niWF^pe~(f{qpZ0jF(!eQA!$9o42neC8(Q$M>p#I;hOG1$ zgeIu-#(z+?7|3jd!-;`+C`XqWBk8z)MFybFQU#;UJF$9ES@AiMnk$HZU;xXb)rCcY zluZ%8`RB_Oi+cDR5qZ_3+fZFH>b5!eA@E!r;P)4eZ*BU_v$^NL^re_VZ`le|-RvLU z>`QyqG?m6Eo5^a-YB#57n~f3LsKrwn!DI+5Ypa^ca>B<`!qakQD5MGyGek!Zr{Kv8 zfn*Fyn8{)m4X0EWHkng44W|IFiYMQV!tf$xCL2$=#K4ikP`aqirg&@LSQ;)cnN)UD zI-Hs_l6s{2jiX#0)mEVj4o^)J%}(JvIba<_?ayx-I;srPI#gHj-Za7bgHPv~RwL+4L 
z-hRUhQ=P0}gjo+MWQ2i}1Bl9`o)$7l&oa!pc7!Tq)t=k#PEW>RuzA&h&(^-4cN3>24!<(%Rfoe$~#GAd8$*~oAQw0I6ts8*r7J}A6wE!QQ^#a8V z#4Ot&Zh*Z6zC|@@T|^7=86wlZf|)L5(Qr$3Au9m*4z~Px2N$|A6!bjAl+APtS?h*@ zUyir=^W_Dy+a>9MFu+P*3!bHImW~)+|71aFCnzj8=cEFrz&2bXDstKSvQ^HJuC|C_b5rso1`cN7R!#)J)PLXKv}lGeMs`$jAVI z-ZnL*aorzv23io=2N+*X%o6F-Q+=*+Tw%Y%SyteMlF#o*Q3`Qa;*W|&n=)xr;28N2 zUe14A#5m}i<QyC;X{g4QE34>GAnC+cy3xq!`xs}ofyGHXxlKy&t zA<~bHpWS(RO0jR#Nk8OGlCK#~Ybg-%7z3XgHTI|_R!0c`+E7(Thv)h91fnD=Efe)W za=(eh{{{D>do=$Xu4BKKEE*TJtR?Di7S44*IUt;9-QG$U7B$P%HA_W9VimQI8%x_V zgPw-SI{($UNSR06jS~xwlF_8lcc@pdpMEpGK`}n%s4m+@jqd#dXsJkR>eVNN3DwW2@_J z(+}<%Oy2uKwsaR1D)j&txaWz695iDuSkA>-uF5KZH$WB*Xi6>k9aq(YgdeumlGyyH z5V~-kqcS=_beO(MInILA;YgtKwgfzrUfD+e_$h5p+}&+kWr&E*?Ctc}L`ku(`5F)0 z!hTy$>7>VM1C8H0mmv8pUE82VA6rh>JsO(ay`?NhP;(f`cTE=?ZalDZm5crI%C&M* zOzn8%mjIMSCaItdV2~pJYaA!)amfB=h3x6ss?#ERa_sWEKfi=iLmMl^Y;_)sdbIzT zgLSHyA-8?~C0b|OTi)-=oL)W8*(UkB;|HIvk~x`Q+h-5+A5W3eUAs3mzpYpCiJlS? zkP{6bpnwgLKKfbTIH+quq_vu@b#Dv$ujHgCGndG9Pf;XLyv-toxqVL)m+ywdlmDG< z!2}XuuCf+oWh8RiLD|RKaZgV9P*Ur`Ve`onNBWl%!p{g4S^LBcV4H07)I?~Y4+&Cm z!LnKm@IN0b?SO-(=|q8kDoON95M&wR0#ln5K*9;Z%2M4Z=gyi8iXU6Dp|6gp6>IxJ zg`;FNp|7SUX?u5##12ksVvKuO%!Z;^FP%hG+fzU>XQ3ZJ$M)mX8w#oLH)8*;>}Xd&xNjr{vFy4!k^{JEBdpFr<>15rw5hHma*3FYLC zntX5)Rd;V2QK4yzl!gXUmlDiL7LBb>{9YOY-_MLL5{WmCj&>Xa`Q3BX8Z!1O;Jq7Z zY*HM}33JRQ#7g_8nsbd(EqO}V|0L+- z28@pS3bs+6G5W=c#DG-+i%tr*Y1}q|@f^PD#0NrZjZwCNslQ?}^`IJ4_{XpMjHu=N zg?O<%p{XeUcnnZ=L%t)yWuBL%y4`5FdlBzT@Pm;GBAP)@s&FQjDhwrdWuY`j#|pHQ zqFaVYx$sDFx;1$sx)0*KV-;1I-#?_sh#!1DD3Oy!Nez)x$Zn5>Wa`i4d*z8}e8MnN zsKcr@UW(opQ}&%B#_ShTT2d&lK@$Kui_`=Pm%UrWZq06y{2(hg({<~_56FC|Lau?c zvf0E23w!IPdeu^B*^mtu_Q>e=JLaAPsVkh7f(iO2Oa8_~=nr4P9q+ojkRN$GX19c_ z!829Ry|-5Pl5U*6{I*I5Z{0Gn%c46vGwO;gGaJfD+kP7d^b1~wh#xF8PDmhovGs^y zarv_qi2j6RGm`$fS5=XsT(GAF>7US(qJ3_yrT+;uNNDgQDe`&3^R5qGV93bKVU+Md zNyUEO!0CcfUFtb#OU%L$eqB$-7v9FPh{b+cukt*9JnwtJ^j%)pIi?$1PLrqfWD}z< zMM$&Rj3=8@+x_%+|KM!FR8j2skHS>{Yw+We-AjGRuM9q^^7|BD3(AJtFMl3Nmgw13 
zLt}dm`jPf(8u5M=S6-?r^KL`bw8_<#>Wbyj$on3lSS5jKPe&izt7!2AZTF*P^IKJ| zE2qP{_YZYaSUu1jw5YK!!&r|BKJhrsV!zThpEefTw$TfVCK^FG@4Z=$?^GY}IL_Bd zSHFCLcaQfQuk=KH**EpHi@X%jC#-Y;U(j>yh-IxIIg}Bf1RKAI%<{2gQu;=Y^2L7j zVscr(uT4Mfc=^X?@Xa6aBbc}_nMYDO=c|@RgA4&iePI|#w> zO%rfJVHe2L?@qzxtj;OQW~Lgmdcg;Scqm$`S7ap1dciqA;287>>~h;Sc@!NX4`B;X zKWzlp^&Xq=2+`b^VbJS4#yKd4F__0wFSg_RJ_}phn?bw2)L-?yO<%q7HxlD4fkCu_ zh%yFM4%z%7yL#kNsPEF&X(#}WFOLqM&9xzyyKcylgmy3W@rt9#Jhx}g$KN`Zrko)~ z^g%brvOkpz5igv0iTRs)cPw=+9tC|0W@x|Eb{~nUK=Nodk{tWmq*qWi#MYwziL?!< zW6tc^ftRId;?sDpm6ik2EEdvt<7N@lPVP63^YA*I}S6qw4kNu{Ey zWY$R-O>~g5hd-#bm~kn_pk_%<`b6e+G{EhW)Md&=RVNKXDG*cgnPtX-6J-7-WCeq^ z*eM}DW$F=}loAIH@Lr77L+2!BjX6v;_SIrW5zsk)pOSlUxAo)aYJL|u@BPvg4Rj?~ zNTcHCI9pm9sv>ILNza7AK_LoAnFHxG$^Xn6+Q3<($#(G754C1%d4nQ_u54CWPMj98 ztiP~GeUL6h6{#~FxeTh;ig-~<{w-&o9%F3zj3k z+gnGmvM81AI45%=n$w}WbW8F_TI^f-YCB(KYkW0ZF@(!0tnc~2^@ zZju2d8wXGBfrfbh_o|B>Jp}}d1OncAL|&>dxqMvq=gwv0D#&pV5p1A8edpQLOd2Mu`6N|TrpzDjq zh^bk#c7$Q#$Sjlg3P!ZD8oYG+q>1TzclZ`8x{ULCM)M1F9)`uiGuOz0Jy{duZgY2M zOmo7)Pioi}DxtPIRw^|*kE(8phq)#Et5|0g45giguSN)wXp^)9=8r?#1VO^brPhwN z=s%6Rd64d_lB})@R4Cy`R7$<^TMd$`KfCit^k6A4hm1bWmNA6*7%rPVpNu$}Q?K@l z)SEt7m+*2$Ga!km(+C=Kvl^?hPC(v~eK#Kv!()qWt!gpH0Rrfo&NaXZFMu6Rr+u{( zZFvk~ukr1t)#M`0B9D5VR$PD*uAsW~6QRa=5nEeB0@35*BAsg(tMc$;T}#A^;6}!( z=-$4vUc=yNF=16~In#}CX@aKU7fS+qv&b&{I(WzfVf9t__&49#pc)d?N<_$h}N9lDx62gotJp-+~q#;;G zlOaRAk^Pw4pL}1;roW%%d2}Fbxmjk-yhmS=TB`P=?h>Z*ZHE0)=H3z4;U?EMfHs|X zC+Sn$ztOH=Z_>{zp{3GR028a#J;Fd459WjZ9Um^v0Q`pC32}pxYqA!_jwDd}&(w90 zy^^?S!v!T0l#CYuiZZaP<`jrb77vABf!$VOI#h))3(J<~2LYdH(qGa0JZ%?vglo(! 
z!SpwzLe7FTJcZ+)K2C#dgK3NXcT7bDVk*mbpNhJ|ANNMHO|ErECh*xw?iseCFcq~yM1MIwb- zk5_84COK{*4=lh&br?&OS(-56~9#c2zx~a{RT17r%po<@h=CJ8A8q6!sN=3P^mq@^qo_ zL=L=*IZ|glUe|Wbsu?GN0@+Wx`TaH%NSpJ8n=k6Jh-&^}=WwhIw%cFrQ~ieB)1boV(de}lMS@MULI$;^bGk7sn3V75EP0Q8<`VsFqCwg!HK9zSgp z1pUrQHNL&;4cx0Dts-7a)XgL4y+tSQyE2`c`L+Bv8mE*1 zecCNsq}O{DIu*Cq%8-4*P^^pqBnyj81brL_Uj5ZFc6A+VHAks>@o2{T?cLpSJj1<> zK(QKo7=c09x+531nto*7a^HS*eG33u-cGe`3bk-QP`Db3$Lag5%0N4^MaVjGt8}C2~f@hPw-ummU`SOv7SMLxZEAftItS+^G z8Mj{giF(1*`s#g`tJRmv8f2?Ffb7y#Hq0wuY$h1Z1kviIhKNpR-Ee9OSN_@Z+Qx#D zs$$iy`Db&joqYn|+-V%Q;W&JgF;TN9+RQFyEVFvohvMNpu9U_*t5Hm+bX@oN~Nho)c8Y?H{Y*0q6i5M-~FkJ?cJ3Z`r& zi_Yye)#{=eDDoLYts+=BFs??U(Hpp`mIeNSKNGYBV66Vs6Z^VFQ@CnI6}7GG!Re9R zh{cmNdC&D_%hC|?@`Fqg)=xJkWy?_$#WuGA&Zp;lh*wQ=x5KBd?O&$77HhgrT76|( zj>~UTc)GUM*>L!)j!-qG)6koqScw)A9MHW|9YNv`n)fL#=&S0Ea(0dF_{JJ$HHcyw zn^}s%woICia@4xiinZKjt(zi!BCCiA1x1@8j&f&;HUM5PvI)_(zRbKPf5Lvq7`4h;Ln9_Y{Z+sw_-0TErbscUiO;|F#Wpm_Sm(K z>~LCagrCW`!X~@sxiAIfH_FtDN#e{ zBNt6vDw*?HZpqtjL!WMrYyEJ`dLy@O%I41pCX20o4!s%;zgbSrFowex_RIaWr|{%vnM}f}2S3ct==5_;bh*BhE{OQL~cW%WoqtXofAd zHHunGdwryGkz?EhoLGiE$>^cBV2bLYdLTaA(ucH>nV(hH!5rX@(6(Y0CGD%!!IVuk z)mTDY#20p`t*Szj5tnO}eyiG&YT-zsd>*pjFlm;`Pqe;b>xg7Tabr0EK_Z zDFv7&u^gi1Vk%_bSabg6cp%J4yT+U@#cO{jofXsB=S~30@@WgOi`mP{$+aH^S4}V_t(=c^U|JJFD5G@vZ&1bkwqa1RX7^{MnH(? 
z^{`qq$&!sTp6)5#*GPayZ^(o#7 zrp*gJ*y+4>S)wqkN*-ZUHNGH8XW4gxk!_1-HpAG)PEI5DksajVQ4hi2;K^4@kyD6u zD)9nQK-I=nn<0_+Y_27GE-glfNf&$U00k>0MF&Q)Ot6pSzI=10*!aJa+s0Q5oXAaV zew@nPLgz|dc%1iqHlNA_O}vMAaSQvuRR#?YP_x3g3%!%@;j6W_K_oot$Xy>wP3#L9 z1CD0OSY%DL`0{< z>fPpnYU}3Jz4RssrEYh;_7M`Fhc{7|VS^_JUi61=m*MNj@15gkujguEyvK-~Q)`SxU@x=tHhwQN{im$MJ} zT`Kt@v!L8z z^LO6_>tpAkyQMyQ9cM=`h%X8@A>yafx&HG4Z8xOUMiQ@>7!5X+^i>OHTHbGXJ`X}W zF*3?$D3&IaU1N&xa9%rkF>CA?`74~-G3F`aN%bn98xL@U&+7xkM4|rFOu#4`|6ete z?<9ZKOtAABp@B7%Xc=J5#DMuG zJrj&65_DkCjnds|oxHBM)i1kNRT+5YuP|$vrgob`-*Jii z0iL9j?FV)03!Gi^1jp@JlT2k()sydxqTf-agGQ%m&lCGz_3hi1R>2cI)?dp?&#tPa zA#SS1x$>uhsSkwW`T)g(9gaA+iao6ojkPGhL3pm})v#jZ}P_G|i!S zqo)*D4;DK2*ZLe%#ODX80p3WJ+0s_t4N{h8Mw`%1 zb^3}_0|wN{soC)YNHtv=DKU47-+yA<=cwj#SflP;fFDn;!X6bZmXGdaI+^THyr-#l zE)m=}m8cg31Uxu?xQrHV1H0^0<{?6^EnQX#gJbv%F>a+TCQW7t0$n~< zT&K8oh}8b46xq!ldW?jatcb4^?xCyngtSR<>w($Y7Ky`^RKLq(Sig%RV0#XIVoxT< z{#>fr`8QkQoFT)=qSfewyF9L#e}*O|(F+5kyXS4n8lcNwmb;?c_GD;PV1h|%j!Ow} zhatKlAZ`k{V<7eC;+i?FFg?Q;KkLTMfv7t(TQ=}z@OWY@Rx~f4Rj&@G%s%$skk5fp z5EQS@$Tu&>Hdh3Y$#G8B>L#Q_x72Zt?KRogwFO-0;~P!Dd>wwS2882tbe#^{+j>n6 zoz}pk*QHWz4Tt8gBN@uvR(f2s4J_5K_dUddzYc){U{{!t%=_sAbP>G$?AL?&u()MO z5?2B`>l1{RgJl^}xsTo8CZRSQ@o;`@IaD~m-gG#B8`$KrUyV<^GJUh&*AwC9a=vq}sva7gEYVVma$D@Tnhc1GjKWQ{7DiEGA|O7N|9gBavdi^^-nY7foGa`O z`heikGcnTww z6b1kiA|+=ULTE$^X;VZBW$6r*-1M=R6z+pJ$$F0Wyhw?}b)3r2H*H-Gg+Jy%C0ybK zivY5@Ikd_YmLvZkk*Ncjo>t49*nw7e2nGx1f5u0K{~aGkYX`~xfsc@X<6{~S9}EA9 zk4t~yw!C#H9D+HY)e z1DCOc@QWz3JnB;)Qau%MMAaqf!+v|pxEos1$iB9=>5RQNG-hv_KF&A3ZH!H!!(%32 z4WpMN`BkwM4Sx2?5CW=96Vsap4BM8&LvD%bCJTn&{T-UnnEcErei}sFlUUTtZ{IOt zzZb$YkpWUE9)<#vSVg2$$$4_)s4_S&5}`&?Nd*ML8imiFrb-4VvRLcQ1m^#x1?aGgb<2Ib~w%s$Lr|P zD!7_GIm^)GUJ$8uFl{TqhkPr4X#cbYQ$t*nRL>!mFF}c==WIIpqGgKL{KuI~L=uBH zP7x8etF>Wkz;Vc<7*fj$=vvw8FBnGfzwB4=f7q`$AOEsnyHfTr0EEH+Wxq1Tpr~;D zXH~f@fBnD5uj1YRCVq{%t-$GN1-hm9;1H+dyEjqD|=) z3P)suW%cCh{}(#|yX#+efEZ@y7POSlFCaNKDo|1J;Kc|xx$Y`eJY(Si#4X`ri}Y8= zIu|sRL0_4VSKUdR{y~m054E0j>VY)m4R(zfV-%4j1|=LOckEzm2Jc}Z2*C5k&mqnH 
zk$IUMKl=p|`+*zzkIyw9&*@YDMUDh{jre~G%CbOmeE$z}6k(g; zfEBxbNm(3QEA($G{2-wLA0P-w$Ux*liIPmZH88#Y#e6+26^D&?m67pP`57bPE8dxu zxk-I($Dg{h!j230728&pLZQo?gjJf86d;^D)Qtov&hj`?NLK7j$3%8eke^Vdztfy) zlX-K4rZHVxu{g*p;CSAo@Ze%VVXQ^KeapA6`Z02`&a9GH7zWiwCJaJ zxS5H6WWTL+zwSyAT;8)eOSK&JpzYDX=TDJK(}39Vey7vypwVonT6UJL z&2_T{@~<^Lan@(iVKW(wNK7_x#tuoYJE4> zxqkbNeG6U)aX!=n&D8qXlZ0E+&EGbcb|q=NNAfDplYYT0ddu^BNA--OQu=x%YYS!Y z6E2#u)P=f^_Esp)&nV`(#C>R$m>`4e4{S41M^8k#o{#Xf*8}eR_DNs8jCOWxFCDN< z-NJ}ii}}{(Fgg@FR{b=J2S11E9}MX>)j#O$zNsCq#1w#oC<2Re#_B;cE^#y$CmKxY z@>=7~RZ7z~l6JYT`Ki@wmE&s7{o>6TR_5oZI&_^&-AQw7MazEr=LI;-NNE_}Us*K1 zr2C3y9B&^u{cgICpZFZ${qXC?_GMS2V6ob*-7aAM)SFw{P};^i>*c<5w(;6b+`dxx z#Kyj|sc1NYHGDW?C)-5)uQnYg&*DyFP%uj&N9r2vX6ZmS;)9 zXb^pqF1qc{E*W2%ZTmr{777sTEg)-v_|5v@+FewhUqm8lXu}d!RdC2TLl=K5v$CCr zPhi@7_;r7=8(M0+LT$M6#-Fcj^BX(%DFY(WwNE+sz}Mw1RL>uW^<>qqu|w@1Nm(k4 zzA_314%pHCu3cY_H#tq6B2FFKm~}Y1M=Gb$iWf)GQUwR>;%pJ?53zAMbwASVe3Wfk zqWhQiz11D2qR{O(4g@xQnCl&;2|F;gHWcLgEdf;N5@&dd39WMy_=+umKEzA`z*Pf( z8!7Y)%Hlezb=#Ev8wkx*7v?ldYyb}}$wCA=fJaAFm~(z5B9)pm7bsGk4ToCCc=h8W zd;ESy2>)I>>wFUba{ySUAkQGX{)$YbC2Zd_^kjuW>^xslYKs^q`W{?JBeI~TYLVZi zm>`?30(ju9Vr!2lOtW=st9pE&!DMzWtF@_iZoFNiN_RS{v-mT;K?c0O2BBA4oyI8W zk8>p|=mB@7v^dIX>6lT&ug^dBN|k5y{{~yC>0Pv;2x&PRnJv$XBV~T!OYCsk$%>xcm#7}~(A)fct zUnvIA^UP^3CS1hDLhS93*cR82Jc@d;*5?bA*cQKt4BFrGM!X*36yL$m`6KV75_r5m zi^W`%CNih3N}8?@M`GKyc%^qy!0EYC^eqY9=Ln<}=D3bry38)ekdZYy+ey|<5G=E4 z(QNU?(YAaiQ>>f9B(3ApvUUyU(xRy>nAAsoleG2?Z_~2&9Wq;^N8@I+P7O~{&S6j& z&0(O6Y8@*Md9BL%QZ+^f^fQjOfR(JkL zcBxvQb#pq!bOE>XRLp=|Rb|Kc$b=zlWqZKOdg+wnz?h%ZnH)(UzI? 
z26M~1*ama{tgCbmOIp}^SP|TMn2KnvBF^7^K1H1GtDCnwFVU>yTvxpdsx4A1q|kT9 zNyXdphqx@Gm3iiTGr8o@zaz4!H_AV#UXr)RK5GND2yYjj2|N5IH**N*{Z>N1*yy6k zWb%<#(h>8Fh3klT!TLp0$WIdTKa5OQejaPaiNGrsIcEOEEGkWHQB<(&S62R+i-8E( zBXEIX8n;)QLoip@Z9)L%y#^j{TK}%pH-aV3j&Y1t5+zA79SwH?gL$FrMOgc;x2i$O zT|rq^q9V=3Nhu{57>In0;U+QHIUUzWOVPOZ*K#ex-z)xq<-JkDeC#=&3O7X|KG~ZG z4;6a`A}3vtHfke;2+N}AB(YPKU+5j@8Mv$1Jq(&gscJMvL$EXa8jvlcxzeux{AkJ& zIhIBhWV^AKRN?`n(1R0;lXR&y;W9TBlHN?flpj0H8_7-!`Vn`k%0olOxn3C^qP|o+ za6`56CFn0tLhNG0w+6a&4k&cIh!!kVZ{+xY8lid^Y9z$sY${BFPn&ehB(viXl<{uA z<8iT7M3sGwTw=odY#K5!B=2J^@XE**8(P*^<`k!)5JsD);nHvrp`odNDXprzvBsS< z8>qGVp1uZ@#cJDQ^litBH3r~U(kNZJmOeLU`1tYVJtsl!4$WT!>w8a8^lgGy7uo8 z+zw3yul=59v%KXsrsj`|68cq8gT~{j2gKX%xvP&VG2J&Cl_5;$zkPtMi_ND1zPwU4 zG?nSfABr%3-_UN#;qdCQM;9=-{M}jlqh?BeAm7vJm;eJytfA0VqKP=nt#b~&|56b~ zviO%ex>z~`z=O}aP+j^VeZl%}yo$xMF5N{UXI`!PP*%diyjkP%3d< zh$eMYyZ+a3!-HXk6X`FQP+d+0HC!}5B39Q6r^zd2R93z?K5<-A5-G^pdh6d5%+}^u zCO!XmG@e-%X8B*y_;|7{LfVWK(LbaTFKv8aIBxJbYqlq_W#040Bq?z}$-8@6)q`~F zV|Iyz`cw1!nAVd+G|CNQO@MZ!TG%sNIDbk^sO@uGB}SrN=-bVio6FfFU-(n>%d;)r zKKr}qcV~2R4HmLWX4t;cGUOcMa10XOd3memIq8S*O?bJE_)q(}`2*SKeL(Adu8~{d z64)Fh>N-Vy9qIbxJ{R&;g#2^5>GQh!J?oPQW12(`541n{c5=bQcv+5;CQ*7zFV<%z z0>Ox33Ma)7obdejUC*P{jbpM$K*eXl)ND8Isb)2}sI)5Tc#rBm*Dt173f@wI6Hu6W ztKun-P~We5e(AOauA?O9h6!A;KRyZ~`C>EQe{QSvh*oX|fk0c=|7;yJR7@FA&<0`+ zT?ol~DFS8{7AI{Zl8WNaQ;imL$1@?rs75oT>-i(h@%NJ3kGLTT|pJrzyY- zu?Z1qnEa}bbNI=Q<|c+a_4nHDc$7d+c{jzng3d1l#3C$Pc5_ur6Sj#|pF;wj?mV0J z&M#^|L*u;?cT9AbWK1cCs1wzotYmITAKg@jzLwZ-ZDFPiDr%1pN_Ad$$iiAJ zwxQZZ-fGC;ahu7IekR;(PrFfA0AAzgtwa&NG*0@l+9}jtPV*0Jaite#UXHAfB8zB3 zLF*p)#Urcl;BHhLF=vVsnE$^fgF4S%Xc4UVaC^cz-^;qcE_71%p#43 zDh~dt6PER(D)h__6~TY}$39SfkZia=f#S8bC{pMeZ&qV?jtfQT%Zu!&wbkiH8;eRX zk~TxicF_XTS88x~fxK}2AtH0eWqEFaz79+-)l|*rmR}^N$6e%MF3z3e9MB+6xX$Zv zaFQR8gubrX|EdheRFkCp!Gp|knKD9vxNWWjR7}g z@)jsIcsl!sjOA$4j>aw=VuKKW^#{{z>MMwfknuHFK6Y;{(O&~+XHGu`M3v4yMqrRj zKZMJ}_HG_}mfw);pNQqQBYiAfPld>1nRPdh`sH2&X#)$wlglKYda9Q{2DTbA=RP7w 
zBK_-td!2;QB{X~KV|uu94oM$l*}N7sX%!yPFOH~A^&q(^i|J9wgcF(r+!J|S!ajYn zd2e2qY7d2#KepqRyoPt173D(9?XH``4dRmFDi?=61eW{GveHOTVfjzpjgDQ{CT*mC ziZ{=ND*J{gw!FS~Rl79Dq0XeQzdxi%ySUg2iFRcesCcsZbmhivNl3!H398LWFuyaP zMdF5kQK4+*EAWzo>UB-VUDEwQnWl?n{vsd4u>c`{Qz4LqNF`+Kf-YT>pG86gom7K_~eiqcRfjSryZl+zl>H?T4U z74Af+*@5Cq4#1FwOpat?@HSUz~~xcbvg z(E5V}=a6;aB;x&baOk~9Fy`ODBJ|f^U9V3reIt6~`oTxFqQKKU|%2jAVWI<=eJx+qUhVw%ya_w5@5| zwr$(Crfu6@+wcB1o6RQmMA};DJ}d^^s7mA4NZJ zO?b8vmuNnGY>QvH{TwG8JIvpR+D%p3xRG<*tyvyZNsU8f96nCv`dHDH=v0vCv@%&5 z454`68MIX-nlYaQ(0uLi5|};#b}gBf-T}-awxp1`q9Q@agiw8y61DXqYw7U(Mr)R> zo8?wQ3DO3(OU(RR?Y5&2Kuz1+a=3viaGZkpRi%G9xU;2nd{74!r3XhJrirSVaUcDH z?qcn@gDR=~WdMxe-#5PjwUW@o2L>*!c-h&8Oe2ss`m)$aynUti0YBm6#U-Plo30iq zTmSBj&JX-LMkh-fdIUxFlE3Q8*+<9wqFUjJ?fuKPed0C*gA=%pr*w)nVCS1fF|yDk zpJ+Cw$z5z9VG3v(r`JGTJ)v$3>IHHP;>|ZV;xcub;W&|x@bdYLENpXt{Qly-{aS4R zApt_ew?R<9QZB$dsqX&UfD9g4nintB_I4x0+t=fyAP^X@IBL9Sm}l#Cw~gbkd`ka2 zq+-1lS$kL-EAN*#rW|iHMb_66GnY6qaQtWH6mn-ne z(!sw3@wP`8W7;K25@H}*q|d0ATC?}y$?Ys>_cI4dwplA4NzO5bC7sB_CjndG9@8s| zw~4s4jucgee9v*R7?iPq0}LfIysHAHfMax$6|3WdG?4)5P=_e<#T0}C7pU`OMFgO` zY-nR@3}gL?dMRE?Dwr49?gBCv>M8cc!1-A>8Bf$+lws@NZysm&g-fpD4XQPFZTK=! 
zt%Gl^TL%>BcHHWhlB^~yABQ`N-8uF+83(lIVU|~?Y>S)BE7n1J=I&w`$y|tp4zw`wcg>9yT=)!H@mB}FO zkb#bjz(d74p72x}Q)LKwzuS(;S%1$GNpjxWUF_*}*jfj2nH7ZjJDo+XfV#N;sRqAT zz-EJR4;g14+WbfEY5dQ#3*A#d75=vAv5JNt*WcZ0c^U2SNLA3JtQ2ngE;kZO^vBPy z=}uV(1HgxG_$DmOe+K-?s$=<%gy1yJ6}2k+N2i9g3Kr!7ag?Y0T8MEwQNT2=gy56& z=v2M|HpLl`DH39oZ#K|@?iD&`dywi+)^n1yz|*O3434}5f}7FLjCyGDLN)Wm&r0r(it3mx66RylB)SekVLNltlk z4o_lMwGdmxhQ3lllLT}^t3VP1-7>g(;T#c_vhCHi>tzcx^aaKT$1SBHo^s>p+0^C7w}&hv7{D!S|J_Yi@rU z0AN=K0)S6&_SGv1UAY4&hzlJ$wP}HItCpT`nJ)Dfn0@n}JIAF@?~cjPJ2t#m5Ku&s z2aKl`z(;##kwpJ$UM@If zvJ{+IX(!T~?bj<%vMmDkvi;#_fz(a`!hUg20IcV*{~m6dS^&!H!h)62pEOj4pzWLV zR&7R4Y6HTidQE8*can~3%YDQ6G6i@uziFboB27w@v}~|!b?iM&a&AGTp$Y@a-y3ob zvu|O_0;0*OLacSi^_#!bWB&46l9>4^8ZOV`e86NfnTnbo*cMJS(hm0%*kHvj<*v}{ zaCc^_L$(>8akjH+1rzt;?H>CqdAapLsHd#R)VP|$#R9^mh>KU|mMj3q=0}PfKP-63 zw+Fw`FjD@XM-7#JGNym~fCr}+`J**ewI%l_ACtD@@7g^R&B;opjKX15+_b3yHz~fh z_};gkKeKH64OxSgpU*VdL*#-W;~%Vvn0J(fS5w#^o4;YD%+=TCa(+T@3x(7y&omct zpTyeaM6)Ah6Dfoe2zu6kf^9bWd z)6yFiCloi3J?#*}nIy_Vx||&vCOLerZN*Zq6y!Nkh}G*BbP{ zd2W$xxT><)x5stLp^gK_Y^s%5rzxZN@{PX)v$|{+_sey!}jGZ$Q4-2IL$rYPIOEO@pI)J|`r3LS8JA zqbbmB+ZBm}=sD<2mr=Tk^J9IHpB^mv6;B0p z2|J||$;I-=jLj|uyG=Jxs*t%Z@J{ysWMdJd(Ug+(^M`~f%uyJJ>$p7XL$3WF0h8n-Wjtqpd!zLQ+0`lab1ItQ^k!=3nC{&fg=KDzC zb84msrw{@yII_zoTQsShSiqY`gm+9Q8pdChjEMfyPsD4_3n!dDWZJLm2~AN%@d>um z%sRR;CzrXU#>RQeJm7SD@eW$S#1kP5c%)JKspAv;+mL-* zrR;$Z!$|)cXZjN9x!MzGnawb9Qg&UbeWclp zytVe5T<^x)yRm}iwT3vt!%keKjOOK-OsU`JE0i(r2Q#MLSr9*zeAMeyjGb*-nI2`W zS&!E0Iz&5Orqr+izMZF3j8(hbBwkST*&<@XiAv;Ja}IM&{x6tOhmI$ya2ATgi|o-k z%SKSUOad9cB_B0C>|-|i@-pHOx4yozV)c)S?r@=tW2R;VbO((xK8s;!_j8&IB>ea;OBJ|N{pQc99}|vG_cs;gLk38H@El=RbOkUuH-G* zq#T}E^<>XJdV|vC%7QZCfDc)Ifwy)Q<+17MBJ8+xFjAB(k2NsWU|IeTK;lBXn>FK4!K;F}&kJ$Af| zV)m^D>PaJ5ki-fr=W(3YUg4sMc7j1F>1AascEgNM==kM87U^UwbGlC& zGL9s`B~s2n6W(N%LqX4aaeaGdUT@pB&;^(w6;5ctUiOu`Vo?9r6IhRG3he}EQD`m-Q$zLT2te~JXXO&owE~89$6

c*rDD(+t%eS5W-swMvvzZe~h5RcZ%2RBkFdgLba>W{*_HXk&dT`)6IFRgolz z#oD@1B?jLB;mq&zSf{!wKl65a_p=QO^2Kz%dx{a=tltShvxgDU@+&Of{;s$qz}4VbvWF+V{Q|q$7eqVInEK6*)%PG+RS(qeOHytAN3lZT~otQZb># znY~Q3#lIZ7$|$hyHT1E=S+yyRPHPCxr{Jnj<{5)|HDnQ~tja?W7fAJBu8N2?8wa`Z znvG~wM&RQkYRoPha!xe~&uH5e!~A-UD9OqjV7TLMtOvs5?Mkw%8%f7Vs6#24n|n7S znVZPDPnbykD4%qybuPM%17@$beNY2T=q>$^?Dp-a9lN5#cEwLsZ7rO-U4MHuJXAbD z;Z2PgH33=5qahTr__|K>?6^|n3|BljIY^c8FDZ}{)*9y-8$GDl2!n*v8=U)fzM!%S zgyn=m$)-~@#V{VWhHtYJX{=+{-=23fY{P?GQSXg!!=skZ)D)I~h^om-pDu)JkxkY_ z{0f5`4!JRg!!nFD`kby7^o$`r@OWw}f+u4ulUSxb$!!^Ic-yl>rD`#~tG%qtgWs&L z+kTi%ro(ustCnTG%Wjzr#@>uI9x>&!N5#{*KDZu&+c0SMU&+cRl;c2IJ@Q-PbTx3v zr65D%gFAgm%93!oQ^Ex#zSKAS8^uUEv=OaLDqhliXYuAQgIE!=N~tG*e)%q)KKWYC z-$wkn9P=Fy{!f&BWMb62LZ_+xts7z##ZNei(j93J_k3k8ozuz~jqD9KVCB@QVR&0_ zu1o%-Eqq$yrEmCndDi7w15fWLC91r^ z!lO#t#d7oU_$Sb|KIh7u{$;89K%*^5+q>LMi^lTncYbM4>`A?7;zurDtL;Y5D6+|t z#1mscMF+rrY4RU{myh7|#ejf(i?aj3yp?ByYUw5yYB=D-^fvyqm79VqdT(6DO3j^H z9{0ur&4z1?sCB?WPy#Zd&V!AFH3Uv)6H=_OMh5q_mL@Yljtcj3%>t7^)IS=n58S_k=ri)W#CYlDaQScJe&I&AV+ZiD}7%4Jj$#QelZveonRU4 zLbo;RDcfh>(|dVN4#3&<$_|JA?#IP7@elBikl^gYfRLQ8;XAc*^xD-gkn55$_q7db zH6VBBWm@pIUfQhINh_-2t7ebAhJ0MsrsP5Zd7s5Q+Lldpg*r`S6V^OlFv$G}k>)Rr z4a2Dg-0K{_Dt!$i>-F|>hYh$X#5!#IyvA$f8Zcu^Q;0(!9jk=d&&B8_=8V(25%AHZ zfH@pG2*2GCi?QGsnt3rZFRD5vbFZDGUk#y_bt67rI_M?x6Sq*6)pgRqVa4NZ?P;?d1q@X(9KyNfk87{XEbQk#`c|37(E@4L*eh(i1ig*X6wJK9vv0GrQ= znG06C-{rm99AZScL3}Ek;QPqWFlN^JcRGDdmJfy15}cM-nL>G4tFIK5cYrr7E3g=` z3)Eh*e|~T8whp{+DG|1KbSjb9@+)Y~J(v2(Z(t4t7xSe@*6ln!r7??zb;0dJ{MQzs;tYI6e2cU(EE zJi9>ZzLEc&LCYd5L^?J<&L9Aw@#T8jc5AHQ^^G?dWY2suL8C~jJFBeV(>LbIri;?i zh3>>=Tjt2AA3IKr4Ri_wYg||7?XneU3iM&0kE`G{t^6-(LXd>HUPvmYQLUiNnGR%z|(U(tugHAs*4Vu-+_XCaXy1w5|@usS&Cc#I#ru@@UuW`CRrUEFGtOHN9y%A?X*H4O&99H4lzR(p}2Vk0D^Vt`Eb-dQ94G zxMyM-rkJ$y&H6kpH=b8Gs+SytJm94yhh`kOE*giN_;;l>0(njn7c5h;Kt24Q^BONO zu(k{je}!ZdQg24EpU}BjEksyrY+(`zpMx6`{PrV@kcM&QyaEodcw1ILhTSQbKh3Jz ztJmCo3{~}!wQM3Ef|S0xvUs*HEEO>1Jg#K_+g3gY&j>;W45+ZHB_u`U76#;nD1a&7 
zWcEd7)cW@YXt(gtubl^qm5lYC#k%_LQRSG>FSz3#Sml=SN_-g`$I{8Qad>})E_QsZE(U%tZO~De^5iE;|5X{t%)S%39U6;bRK^Q33p0YRh*j}TH;Wsn`Y4y#OWH+)S91xj-S*v52(t3GG#m`9PiQ5Q%wiM>&&cWePKyK zfv~FR)hrn(-Xvz?*FSHe(F{NWDg^=Tf4*x=7ekK5s>%r5$E+_NO-czlwFFUQ-aE@k zd$-8&(<9|9e(3BiWyd{(HXpWXf5G>?V~4v!DKZCn!EE@lNhrJ&+CJV$%juUTBNl6u zxDfQzV*f^&YhM@1cr}jj7+LOpbno^VBD{6EgWb=d94gXYQaz~kr)m)8Ln%C8;1M%9 z>o0mOj0q&bw<^EpErCH!e(p|2MD7J2>~EhJ@7YrU9ZYtZ5FcXF zu7R_8aW{GSD=gqn^~99UuA)WZui(0@rU&N;oG!%S55gr?PE9l%AGRr2+#xY2xuW;W z4QX@L$ehylf(4&-9Fb3ge&|iJUY)vySrUW%Sw_;mFkj7nC!kTGoj=5B(GOz;z!3>p z;czerTOev-d+&Vw-dTU6@&Vj@dOsFK0`x~!kpS5QyQ8t+F@A64mh;2@H|B6{IXX9k z<;_;e%V*^~!>Tuye6F5(nc}LwGE>L6Hl(l(oKecZ_L3~55308iz+6ZREmzi`#nSW>5yA`s>brm*j&o{ zW~>9GG~IOG01C6SVWflKes>0giHnKz9u|Pw1L``!5zuPWn^~ej$vGgvRW8EtkJIIT z?7~ti00ED0FA0f^N7i?e&SU*DI_bkjB@GYNU?xDm@q%0-o4&WOr3-J%{JGNxTUV&U z?LN)AF4?UkVRo*2Yf?=6OPDf#vBw=-j~Qlmp-*_;wn%hvEShds%)&}@IA7wn&?#Ki zz#ml1Cf1lF!Orly^Nuzj_X{bw)bZyIW|Q;pyIzQuibq0z9TbM{l z;ySEJG8P>W#n5rpBpX@++a|V+Kq&48KfKysZrg4c(0k{Na*%vr5fGAqj+>`#?>M2) zu(HUmgR`$g#JUOviJOCJ$sqPNy_jBtDvP-t2Zfa!_U-8N`;@cF$w2QmBhG3b1tc#K z>hJLG>wPKR-zk${^rw~x?`*ym&LRy;JTZC}D5sZ8?2I1x(9TX{|{4slHA z@QYJP3h-8VLO9OBQUU62RO5I8VW?IE>>-Y?o2Ogdc;#bZl~j*Lf&-n44V5?5pI={3 zl`l>r_cW^p6GoTyD6f@h@EG?joQl&?9xFcvD+SxQo?E$y6kcaNIxXhRF}u0UAu^E` zhgMD;gnnl;{)(?85kYN@i0m#RW2ue!K*5%>=$h}#FBv=NZpz#zn|5=WKhn`#CochZ zUJs54ACC(|;-W8^AcdF?p&XVLxO*vG@FXhxsUCB)Uoox3Meh?sV_9nwz#P^80H~6DX?A3;+)51PfGaKEi*(p7i};3K`vmkvyAG_VFz8m z?g*$g5x_z2csn%b5$IfBHA#5fk}(~&d3f^i=X zDnjc>qaCMj0)i25-9-yi&RsL5|1H5kk-xY`6$^A3K!oxB z-Q^E$R1sD6apQv30a!8fw{Vb|(5KVrcf#t)O?)BtVDqf8hbJGlu=lnQyalh<4{QBb zDJ$QwO#mgkah_E{WyHIm#df^X$)w&drBnfCl^ilL^6BP{m|cHvi03wE7`?GbUXfU@ zFtS2s(wyDMTL+(5K=Puj$re|yHpq|0BJ0?fwx~#Jgzch@UJu=5hg?6}k*dDZkjSq) zr7sFh8CM9nEB6`tgU;@AeYY6R^79t8*kQ3E<_;w*pQC1VhP6g(>uZOK08 zI51mUOoBW*7g*z1#UAUdF9!*gDR@-+z;BZ6&1 zRd`es&pbQpVa~QBq7L^I_7+M{QH~UEY!j9oI9O6Lgb zm>bxOm>JhdI{ws$B-AZA$CGRQV8Xu`nk^o7V*Az~BKLk?#IFcRV;A2HS=Jhuc&%mS 
z_xj&D_TbZD^^gl0x-!hb0+K3O=UIo#)BU(Vz`T^({KE4&?ek~jDk73IQvv9deM`$e zV4Nuk>sPuxuwH_S_em+HsOv|WE7aUd-1rVF5bt^0>syQh7G-Asmh$1)8wJRd(WQ%7 zZ<~vcP!QztfP>y5CfYf)cD|9Vu{C#r&)>wVZFz7rN+!5{C(CjHEU-U3KD&#jDU6-> zm|XLhUW@aNI#vC54gSd+zt~VrMg^6Z-q|n<%synF$2#ZF2yQsSK z4Qlt;xat9nW6i%)9{Fv<)26br6CJ}SSO%m9)a@!voH6V;Z|!A%#8ff|I0dv`FVLcM z8I#xvY;~?pjxM$8+rWHaI{-q5TgYs@VK%$~s?jrMs2%<9f~~1oHwrHm_Pq~Ew3V$A z^dFj?ye+Y#F2ynxlSWe zkEjihz?eYN8Wy-plL5k(aA^4~s;jl!D?`FD{xQQUpOUz(VMAz~Q)(nwaz#>=h%b?t0531)4d*JhI+%0Zk2>VSsluSh}d3&u-y%bXudbM+IR_*xT=nMpThyFCF zL5-P!Gm+lZDTe8Oelr?@MUw?QcMNHE*D$&t?!#%FnjezPTnbHWtEtRR0(Xv-Xrpcr znf?wudx1H`v5-d-7`SF4BvZP|7mVW6<;{_)2!mt{O&A?|jCb=*9`7L-yh~9Rn}GU) z>rpcW+QTq%+N+E-{Sqx4_o;$4GkFe%E9H5xyiE6cagS_PP-K2fk@+4>Oje4v1;5t_ zaMbacy5j!&;tk>1$5^0ee$FD7kg-e2G9sH7T!8e)@p_}-p7*mH4$y2)2&C$44sbFx zKZtzv*40}(CA`eO>_XJL2qFyFkb9Pt!MS&WaOlKg9XMznlcMs!p1=e{M;Sag`X>%{ zMiDaBkRko=$K$WCOhshpTK^HvBS|daTq<`8a>w_V!MbP=x?Tta{Q!Lt0WZlr2fZ(7 z&wfiEgfQx=ok4K4(~8njnp0<9SN+VGQSzqfC3_l9f z_>USIVbm-?%1=guX7vdNU}j;ubYi5+xRKM*`lC0K+(9jGt0^iPn$a2I0(UT7GOU)@ zwIE~PWnKgU0-d>@L0xRlwGh_FBXvgA5CXnb3=8Cfuna^KNcmylpZN(a(6e>YQWk}c zM}-@UGSc{$WgTQfM!n=!ebcePI3s$;I$0>3R?>QE#Woj6NrpsJC!N_I`O9{_vHLvM z2$AlgN(&aG&Mvd0NUmfp3!E}%20(p1$K%e>#k7Nyt#);4pX6KZnC<|dkrl6eiXT?n zdFhUEGI0X$@MZ1-E6qq68BkDj@XKhW)iDidPxW)i0bO@P`BJ#IJK0n0Z+51n0`*XO@@9^v_oLFjS1UJXlefm`1>B8*9j(5>s zL1PW0=Eck3^4B?@#X8Ez8+vEY;`<%yH5)V<48Mt+J!(3dql%&Qg_Mg;!oy6BEzY&I+S5!H&Vx~9LM7VdwaMyEwy_>$BM};e$@o@ zR{V}}OYi2qZ!N#!gAVeTd$VhN{lRVeuKX;#Y3p4q?B;A=7MZ>!TLKAIQpZ1pt$$w{ z){jNN(zFBI9eMZ^M*vwdp_CSSpR+tU1+Tdcz}NeM9c_8ZGUGjux6v88>gVGS@Q*g$ zR&pcJk>oUqnG7SAC&p1s$l=?;;A>|5>T33aeFchXt03f4`?@BIf>}RBzwjkHRzreSN=0Zy-X!E;n-nP#3DHNnS8PGgOp}*qkMjGKbHz0hMr|;k(ShfG5v%Y{^ zMRv%5OP>kWbetMdFcV?hqBy`nQsHo`+*R@W%y>y55N-5DI;EUFL(#eJ1;ZW%D>i>a z`YOWu1Ern0z3iIk``&z~9g#Ze$m=wxZl5G}hxBO+9h=ms!LW<$*g}D+toQv z#|Lz?xL<_l9MKuct_-yg{z~{%ET8KzBW$MAd`Hkh! 
zb+0cy)88^h36E|i2Cj?t(X1NS7mA#&t}pPP5Kk2Lo(B~5d@#wc#B)b5uyre?vGcLr zg;NzNW4#8G5vap0Xbp14Zr1`l%;15l0SzRj3baMkQl6RJThdBaMFN=NhD>jYhljK7 z)JqNmb_o2XKb`CAG4sy<5cu`LgkcqFPXMU7$mL5gPJwiS06`zeoEd;44_^15`Rt#; zwcPDH7jO6avX}S6ub>fd6BN<5ck(UmaW?bmemy1l5-!MnExy5^i7ofWo3JVk}L zN@FIwmBY;zG%CQgPLy)^N5+}EK~KzVtAd-Y`M6el{3&5WhP!J4-kJG=Jn5>(Q7`}B;{Pbe%%l4S5 zgE2Scs~9)-`wW_8_})I(gi3iq)GGKHF9LpHzX}_yd0vMI+nK zW#T>X))@*Kcvxf?DbB|po^%qT1KlEB58q}s<1xKXQ>GT+o^>UU9ZfsKC(g&{LgTjCdD3JM<_q_k;gD2kP-l zyQ`rk&*pD9q$NYsN-<-b@h{NFB|}(yJV6@B!@RGg#}I7!7Mg7Qz4`7&3O^l6OI$8j zM+z^?EHZ;h`?4UE#5y4)H5L3#XBT*I$uDK4*vjp zEXe_bc+SEWa2;>ZL@6hJSUJ%OGYfBo3bP8GpNJQKDvtc5;2lzd3S@!q#Gr|M;Vkw; zE&QdVa%q2$99ZL^$~_(ypM9&3TxAj zMw(JL*HZ5d&vXAUNhUhUrMbqjf3iyL8@f^&-8NiDnY8AcMtXbyPCr)#mKGE-8?H7K zsIvRMq6>)`6hY#QBy1#*uH?!4oL*?|6L77>_%(rdduv!ld9HYB1g4hv%~P~meiYr^Bt^-7wdpt?G2`!r0c`Y!{Qz*T5{cE|R)KzC-W z8Y=fvQFmxEa`(cAqd<3M$y_gXt*5L%shUBiS8afZk2Xg*V4)2>!#2pJ)4}Rt11&Oa6s+6b;(wkLg72% zU?S#8`fKd`u*V5NZ?tg=pu^U8aR)X^&@}_v1xm0BLTJx7;R(Zodv-#f5Il3xIZ3cn zpv?I9Tq%BHmmre+X&9J7SI9V@bXWNU3dy=q)M3|a_Z%jwA!OE@gu%yt3CXa9%ooT( z)3~Rp@mp5+z2i4^88vGj-S>kHn_M-ZuyHZc?#p0Q)$wZ*SXQAaChM?Xm^;V7-756 z+!_C;+xfTeAE+LHAQ21H!f(IVFSE7u3NG*QFS%(WP|Cm|ezR7SP`cooxjzj^RDCsW zsqJ;=M8sHRTf+tDbP0Vw0|;(ca;N&!OpEzu+j_Slo>Bo4{%aZUjoA7Q?eRf+do!Sk^et+=Z3asIXCS!7k!ibiz_|VLc>j*e8Fj2N6W* zizP>5O*W62;WZBbh-o`7uW@#|rbuwFSx`;epbC7+?l4lhVlkW99+&UrTaXL;M1}eN zPb~r~`b8yjOZMGeIhtxfd!7^?^9hQlh&>Kw5MS zxp-eW6SRHNNI*H2@uofv6j!k{T)OS6C&SK%VLbI-q2v!nTWSnYDZ_*+EQ79;Z9#K5 zyzUP2T4Dxx=RJK%DAT7azjYAg!3o8vefu>Ot~B|+F@Z|#Wl_cMKu-|dVMNvbKTYRa zO>@MbeTcHkV0Vi0H|w#rmNiA5(F1<`jL>g zxfG4Ao8osZtY8g^nhz7p%GzPFqXWn{qr;wLGN^h0P9>B1Dc&)R(|)p9_6Y5b!uaD% z4m#TlfLAIB+!sRe?5j31G6?|iel=cu`}wb@y8}pqZh`x{K?2c&`%a{*F&{1p8>7yG zl4zaAfVjO<5#byi?_~q0)t}_8rx720(S@f&6_BE6ogN@TL*fUX_$OT2hv9tG2bJs# z?SLS9Ex+XCMH-_{|ICwU9StJ{Xb+YD9Bt~@BR^HY#BS8`J&uTKvP~~h@1DFz-!dX_ ztix(M+mJ2o0KdJe5&3IvAnUfi1v|O;rFQ^4g1D~F0PP&|=U(Q%ZG^l{;3j;KBFT^9 zlRKn?+F+1xhNf_G`+Ir**+~6;oI?36HY|`OTU@t4n}$)&54ZWht$U5*X8j75D!oDC 
ztec{LSSPDX5V-s{h)FKSxU4?BvQ(kl zU-y6dLI_765$fyv>>MPnmA&xdE4rQq2qDp8*sXFO0W}R^1OWrAADV=EU+W)_)RkF; z1c8fgx7+AtJ_7_LzT0e)e)Iu8lEYqLSK?+y@VGXGc`c-+&SU*x#3V;ZAR^Ma)CksE zSt=#>;IgE42+&yBpqQuzME}fv&0{x$Va(ygWS}PFU8qIHsg92h^#r;e?t5SMpZ=ba74UR#@pF><1KF)X{{$GKyu?Z~9P_Y8C&{TZH zUo}b9aD3CCh+4sOB}g%#!kBk`oKyOWF|3C)#Nm3;HyhX;$d=jy8vY6H94@K7tyC;b zYB}-|W|(}ZLe%8!e*~l1RVC+gAyroV^NLh&_JNZBK(WAwgB%xKfKhecPog6DEb zfOk91vaQuI+;~IXk$6?)Hbi!nyuRSjni!J^lk)eyIMBxQk>htHL|P%78AAT5x3NXPA|u*x8_l>DAqx;JJdEn(;II8?VQ8IuV1k(Tlf1Z zCR0EAtWf*prTJI+_7TZwO`A;@ZmYp_Wrf`xcx(-G-l}asf2!{;Q#QvxZz%+WCeBWl zx}n1GiDljf0tvUhM-)SHQ93(Mo-&)Z6&Z51!PX9R8xh1+8ys#vM7kT_V<@(3z;jybx0Tw?6sXb}Thr<=`JQ8auRgNjOQ)|M1^fZciCcgSom&!kg2s8F54ldr<)1i%->llKMg#QnsA;MB;GDZmA zHim1~%9kf1p}C8V>MGi4CmaRGej4!yGBbA)s9p#)Fbu=-@4eAF=$L@}D+mUQUF{bO zdo)%Wuk}?nvkvgCKfr$I5W`=rP%o8DZlyZ52Mt%son$busBxNolPhjQ&{9LH7{S`d zp&sOe^sF;(KMMPA=aAUCc11WNnh{zG$|1%`b>m{jsC^jVBM6e@5c3)eze)W~!8X70R2Nv3~;c(n89%hrEfmWcBMOG7DE znPL+-$sM%`)S7$?^WlOdHy}*e1|0}7zAW87qdZiX4LPpVL|vDWj+8P<(ea`&>RsM* zX51*syssP|L)$H?ia4hrq?_w&y3c$^@Bu*z|CI0kcH{(!so%-5Z%Fk27-85@+XPR= z^b$DX{vd#LB`;v?h=pf7%_t~_4idcnAIE|x{+3-VFceIcf2!@qKfgKX`~jKh1me&H zNRE~#_FT83X1LNRSGy1&_7kJBY0to?ms6eG4%>Lu}`yjJT z47)$S1dcj9u=E&UWjH%6{GYR)40RyhW#eQWnRahmh1AuF^+zFO=5WR_+m?jY$KAUb zt5v3IC_psAKSt8_6n27s9KVilj%`gzKricTE9mI1IDy*gl6)0LiBaG|g+#lr{E?vZ z3-!yTNe!CBu}PdZ91jBvEIDm~g#m(QNBuA&tg1e8JjVH8lV{7HkT4TB!ldAd<)}5j zquOtoi1Ei<9w;~%%U#yRYG z^v_tannm-F$(__aT)$|c(qXXPTN$6aH>k>3&&EN}2(%|lyb-YXWs23_FYe;~{j+u{(DIdFFpKQ4Cfl}dWs9gRt1Oq> zPrTKvmBTQerV%gvCs&CUucuspdK_D(;{w?{%xk?86KaJT$-lr_TjTddm!!Gs?);#P5;);FgQ3&*45#S)B*=;IWP;8Pfj3FfBPe1A*65f{_W^}Z*({G z_&$MxoqRwn_Qt-RF`eJRITmtU*dHpNbT?$<;xzM!)XQ|050zNR+H`3J^DMu+_RAhLH+B2>CeL_}wGyi-X7Ky8BrI`fid>jH zPy9cnc!_afZIbzg4#b^b^8*NOcPOg9yk;MrKD3aJ=kKeC&JrOGOzB_Y7U&?Ctnw|& z9ju)4sgvd5P$?uIKcByQP#p?%%aHsPtAJ&!b&5|%ENuQLOF0=8n>kQscUEMwCZ0jo zkj}!E7!m>EK1B!>=)xLUpckOP5REGgT1&O}_+HDncLV}nH(3X5e$!L}&Q_ey{5b=7 zO78a4o#I;5D{0Y_{KK?AOC^fCY;hCZ2>^9)LWt?N$(G^^upRWr~(-l8ig$ 
zsmq-aUqZH}VB|9mX$4)~GfDZsOu`n_s^=A-Br|G+aDtuCJ)N2qAh?rM=%1L<( z)s{6w6ozMjAtNe^#X%tl{%0c+qwo~fGi@sYOo8#37c#uhjLZ$T6S!yiCj&PzDKdFB z{tF6=9Hh`i;>G1?xeMDb&4uKshcz^1D>6pUx=^w2)nVByHt!485kpY4;gmn^dSfMi zuHZ%b%RWk=qIi@*me;u|38(iQ`nZq`!;@392fOJ%F=A%K7OHbOZ`}Hp|8NW<2`IE^ z0vxX+r|4M9Lp9ekJAA?kx`K`2mLEMN06I-27Z{h}6{u^0Q|dP(by|=VxV!A+3L|~t z!?d=x92sAzjZH*-5Om6iRPPHXT+ zcx@Y2iNDQ3!s{U}Su<~j=s&|Su)2MKNsW0&7|!pE926R1OI+E^Yd^Yjp8+#@lX`02 zVt+~}^@|pn?O)|Oq#d@ZZMMb&z)P4kC6cuJ&m2m^Sx6jcpQK)A9m5vZ&d_<=3S6>pHm}s^z0+BK>An!PPRc-(Lt|%*B{4~VZZ8wawI@9 z&MpH|6)c!nkq{I6A_sRUEjf%H(<%X&bMZ)*huSJFBq@nLF~u#Kj#3^cAwS;IQF)48 zF;*Xk_AX;UF%-xzx%iHAs$`DGVLasgUbH1FWF&a;UETpXt!A(?`JxG~FJq>qo&pSd z`{=3wS{Y}-_!(kR>|-E>GDb4?3ag4WX|WZ}7d8%@*n^%CJguZPZyV)Ys4Kc~^aPgr zLm++LT!lI%kkoyz~PYQH5j{ygDr$bze?=d-6 z^p?I2E61lBlRS#&O+V8+Hw!+rLd2eO50_}qz#vN<={9H$P$6uaI8>nV9Bl;_z&&U%iIH!=@^7S#6S!U zxd+->^4LFO2#c{_>B&p+sgUhJh54H$@8Mb?{JMv!wB|+xU(iqa!*4>Vyli+!Mn{9M zBIZ!(4fXwXjznE+BJak>_J#Q!sc-mPn?Xn1#6h)ZKEvYNi&dywc>U^6hB7tMV)WlQ zqxB;wXM8PU8+U8!36fI*HVH}nLCOtqRy{-mo$Hz?C4Xa5WKD>|!gkv`Za?W?J;M?* z(gi9~33}!gjKz`+IpX%U8#=d9aBE-^fcHSkx@ziYVNVwg-~N(YY!#^AQKMuaDwj6j z!O-nNON!yW>aTQkcYqXbXnb?7wAi$$==Fa2r$t6AiQf#OC97L_x14dz01%y%dMT4Y zh)GZ~C4jV+k~1e<7^YK-C`Mw*!}^l)DT$dH$QE__cZVI<8u1#4d?d{eFw>%UvGDwh z>ryxXII^7 zhn;4=3qt5Cd+xM|} zbawsT*!A(CH;)Qc^SioD9=*P;cDR=3r?kD*fUVKq)>>glP3)((U%F?tr%n6cK_WK| z_;UOI^kjH`lD_|S*5&_R&r{3(caZ3e|IYZ|@7rHtW`@qp-zPKQL87^h|Bl+|9To2p zv=`OPe6z(iTKdnjfuq#Uiy8F^Q(T!+23*RJzTYuA2QDVQK)kimJn~P81EGQ$Ts4bz zNenSpgQ{N1Nr+%pu(c@B%qlLE6}_VKpDcPux~-XjWLS4gu&I$N_2l7KIq=q81p!wU z38T?2N(JUx9s;(=MVnI>fqTks9SUs@T(|%e1Q_Dh9NE5PXxjqfXLy_=BgRXq0BJ)^ zJYsb|+b{$Mm>wJOdq-$GMV7egy`wh))xC!>XHZnz?iMYMRD|3i zsE@**y$|$z^jd0pWPiU1igCa61?85Uf}bsi`u1Q(>C8dO0>Q4Q)1CBXM|~q+?K8aR znJ@cuNNfkOWA0JW$Aa`84ja|L+pg%k%@k}piuRlHy837% zi|y63M5JYg3F7<*2YQ~IwUzCWOw(;tO&{h+*}IC6Fr^utf>1G)+40)Ll8sbPUBbk~ zxaSqy_bpp55h2s$h@@?p48fR#ut_#pUX#cVmh1r%hJDuXfB0==6v0di_IKc9FU^2! 
z2hCpl`nGwss<{OXw^i!G1ye5AKjA5|7M6p+n>z_4@W@gfrv||{--tQz^rDX)1nhu* zDXE2$7hK^7lvI)CmTd*kL9-Cc{93rx=*Jugcq{d?pcFV%{Q($qFc(QtRgxJdLAVUi z7)w0H`t@;$Png``GMhZ%Q~1YKZ#ekoo8ANX?h1@{<$6gy0j2hhfK2@A{R9Of)}o%2 z=C$5NQ8lM2mlXM4MjRbYqMWQ7Dvi_*a1T%|7s-%TgElFFvSCv0ax;*8^UYCw!z+?S zYLD+JyG1M`iitcUw^91z!pz1w%V}KS-a&_fwV(Mh$G{JT z*I<8Fu};J~5qkm=+ox45W8}R@1l>cYPKL@-Fxx0-H6>~eIhd+iCfdPB(7ifO&9S-; zswAJ(NgNXgAJMtT;bWVVOb_0&Jd~0()oD%&WRz>Nf_-V^lvN#!HB!ohlP(FfHx87{ zn$}EcmxI}3q0L!jHcn_WtLKVBo29u#XoID5j|4OX8plHa65LA|+{O}xEz~^YhJ!@) z`+UL6+bpP0d6&;YVtqIHO3ngy@_t{JLSwg|w(kFh@yPY-zYWh$MyHwjZ>KN1`+w_r zD&PN$2DrNc*xdkJDgDPyq$(<=0ErrG{^h_(O1kTTdviT78uOeBg3IT9?X5)wqWT6S z(PUe<8L z{oh&roz=hBc|SUXeqRjw95cS6c^=H(pD}l#uqxh^NHy9<6aB*+F$AQtD7^b%KQ8`z4TWH zcfSq$-~9f3p#OI`c-}iy6(IL85rK|(sdL_Lw%A5FH74)N>$lNyu@3dfW+wQ9PL@=H z4DZtq61L*wTEu}Mc+kF`39d-)Cw2g9Aw2%UFf$X5GZ1bNp`@8M`j&A>R#@ciM=siF|&Z>JX=F}J9!1DYf;AXNksr%%X=SNrEjY_78 zetSo<@l_Ao4(i3mduWj{B`BAX>2|3vs{5`4e#w2e2+fh)zue6dh$d0wz8n7whW^k3hhxIf-ysnjW&hM zTn=J62?~d?hnNDUVrrL-O(Mma@pnLxi(JYUn#G(Sk$r~-ZY>ID-m4UZ3a%B15B~O<%YW|VKOfbUjQ7zG#32m=|CYOVlBLsRddR)3f9@>n0YZ)xn(VE8U(TPg-lt-l-7w@#Rt8Ky!J(>$tu#D5@!*=8;SPd zWZFwdnEVyM&_@E4kO2oxg;IxlJ&^1LzPC~^iJUp=pJ_y~>MH>6d)Y%~gEyE1k0Bdd zBDlEi6CmwiIt?(EhH-H5oS=^aoScC<^_QJGr(F^;USq|MVxPp(l#7KYt>xYWIL@@@ z_&-Y=FNwy_!Du)H--6M3gbgINfmuNG*uexrcCZ4Xzg^6KKLRIb&o740FNTNU+vsk3 zy3cec(h88XsgxR{B2T<+&}ZQDtvv$ol-h19H86#7F6?d4Y}=*Sij+*-ifv={+QwcY zYNFU)Ixgkn7hn7`Ra&a9YD>58lv|t1t!*s^)o4*)&?z@YD_@UE3RGD!RfX{UuQ_;a zwyG*J!5%?voDR1)B(PH(o!WRbwQ;(AYU6aX)W%Mk8|tsd`>15=PG_vHGq9Ytd`;dV z_1DUKr~u_w-9zfn@suIdK*gv(D{GgthWn@LD0Y6KPM>x9Y+a6_M^$QDqSH>+q|-K5 zrR|iBX6((>mn-b;)R&!JYgMm3;^uB@3|B>;P!3|7s-@QG4%#y-sM8po#;B$-PPa;9 ztkDy+A4bMI9b5cf$4kFqRdP+_x7$V)kxeR*m3T}9VpC}4lzK?35Gh%RsLOYVnI-3A z9Wl)62oMCT=hb!)_cSU+zf$IjNNEJY+5DaFP7r%V2@wohw{M7G81Y{@va5;hau{1K!BuiC z(J8P($^p`(s|0R7M|MjBHpjC$QB01y3VQNmCY!RR-c6z=QJNv4gw1j&M?g@m6tIg^ z#&jS#({a>%98wlo#d*Jt6(lW9FV6Qsem%*YoDIty3vWlE81#y`3BfLvS>e@*NPq 
zRNV_Bu!}y9>2%6fxjc2rK3`sxIacIwwGqR22lXHZ<@fUZCyD$XE8zSs=syb5-xfQ4 z_9ALfO}Tee+$@MSXOv(r4VdbRCEaunl#ApnH)&p?P##H*5Gr^M*E6ali)xWNaWNTF zRh$~T$dn}6e9Q$D{xUI2_)bmPG$6U~qgupEl+zU$UF@G6zJK}l^=mX^(5||!n=Q6c z>LmUEG6okpPMwsW=2>;=#01zOALX<~!1mQ%j1mMW)3$((`K>NY>odd$#)giod*wF6 zcZh3n+@DUdr84ab3a0oYz?}OCKwnT7DyP4*TJfGpwi(2>og7j_q!q(nDu!VWQtug- zvumr&J6vVh#SGcGCm*e)0|I@3XGC3v2M3DdhrtFnMC6nD_NoUhf$vc7=uy#WR0enl zPH&Vt!2I?HJ*jKxkhsw{s*#rhI0$l~ksw;(Yn_zt`%+Uss{ z()>;`JIUOB$^2#o$=q1$wblHCE9CzR&ZtY%|CQH&KTX$vKYKCi>OZdKS(g7V7~u7k zevEUwbqN4>Gyz}`OS6eN{{q~)lz+RN@-G|Wxk!B*3Xh%Sa9HbK%ajAIu(cjN|JdQv(|GYOG}EgpS?RI=7YcW9>RFQ6Vt{$+1}0PPG#8M z?5DZ?Ut0Dpddlqo7Z>UL-)E;6o&CR-XNmp4uCi}k;rG4T1yGIWrfmVbGH*M-0jONv zO;GO^Ocrs?+-MY!fJf~^a4YUY~E zLsj`$eXps`RG1@`3(3V6`*XP+I7l;4jq2DzQ=$4Yt8|4UmNQVGl;$N2lWi+k+vC2Q zA-rA*w`AG2;)-zPCEHT9&`6yUZA;pgmtp!22 zMkg=Q^`B2qMxFh?j;Fx>&l%vy-w4FN{1UY2HUYc23CNCgi1kp1S zBkH0LR~ep>MTsTFIh~OvPChgF16hKvLHFyptxh{j_i-EeJc2nf+IO||j@sxaN^gCyxn4@c z*ha-vC|@zTRTam(HEv4?wUMJ(Ut4j+gyrOV%o9X)CI@YsAgcjPJP=QbMj1|jV+2S_$BrML!A1|LhG>S2^Gv3DnnTF7$Ikp`Fdo< zFI!Dr__4&uS0Gms*{drsOx#D@!`=9M^oL5t_CB0G&FuOVkiC^*7H}fx2JtXA*>V-x z&fc#Gh5c#7KO~Z+hTBZ%6HTXxBa=lQi)-%eT}a>z+2g3|Fv&;QO{?4dE!GF!-Hok! 
zR*nB!{r<RyiF8*sRPig$uI>WxYaIakt_lg3s;;-5W^ooDppHQzZ!fWRv zyjBhD`X1V^RMy-&d#k9?mhYuXqacpcZ+O&Bl(32O=`-X|Xsf&1VH#qEUQ2r(IrRldxHyhNGId1&3DkFN5GZvuTL3{bDDWNPM}Q+_ zKn&N?`}_L=qZ6MC4>1d=!5CnAtR@#GvpyyL8T4m}_vHc}tAUgLP@P2CNI>iud&ojJ zjHY?)KrY6b;xYFv3voX64M%EneW~G>sq0DI*fddfmBl+M@Dy8WF8z;>eDvNYa)Kez$1*tEs8U`^0wpUWs=&V`S%6O4Q#Y7P4IQL^^|y8w);kie1aKSm z=d+xgmZQ8vzQ{ap<(dSQD!06qHjJ!JHw_ zSI+4|i*ZSwQN+&_Cj|u%$jygT4GA_>%Ga4b<4)?B{6p=PG|X}3&N(8Y)vgbX`{<)# zoJ#aNFxpqO_l}BJln`~|@qsp0c1yr)ql#!63iRhm|L<@n9{iM&h%Tbw;?_sZeD-?UTyUG4^RhS)zCEA)_bjBq`?pt z!HYqq1B#8qedYHGOZosgm*bkur}Oqzk>K`3_sXY<@hUceRN){V;3}ubMAZb;HlvOC zZBheaB2@`b$gu1+@FwY7K$6;3ZHd!)_F(^P*DEw9B~KkIS!%{Nl-(?ZPJXM)uN84` z-7*~aTvv|6mXRP=6knsqf{T2e0N1tk-;x>Pawu+~>pAse^m3Z-wde-MG7fnHxMs@Z z_ayEY1I686Sp2>EvprmjJhywapLp$i zj@+)H577AVN;JuPUQnM0zv}Rb@nNKt(`92q?z3@o(Zz(!<084p?}{!vcW zcP9Q)FGBxhSfKCG9FtmEsxpoDdi4s_^1Wn-v{tJvUmQ#{-*Z#r)LysRH(@mjimHh@ z$oY#_nhCnej-1Au3rXS0d`hd$@obK`FgDhhgjx7oiWuqxJR|CM(19^uj)2dcuzUr> zv$<%1y$;_DY0$Aw5h3kTacJt}lVPWk1$vD*X2`yoLuNPFT4Z5#`Z-ihwq^_9nzt5o zEZ@T+GGkXL#zCu$7z5i!%CGFu`+SNj z3cB7~ViBcz)y#YJnJEVoWI>-JCDO!q zCy1#drr=lfQG3VL&&KW`IB|6(^B*C)RY6z4=U9|RwT6_ZN#fK+!6qcYUA}*Zl2nDQ z60|G{gf-8a#~!85I0QE~xzg!{)%1b_-$X4W8g^P?HLajUC^(HRQUnW82ml87dQAnsEHoQhp_hw zCD{5`)F+_}Fu7+)N?4h#F`@Qi%<+HFV`&SGr0hoaQd?~#h!ArqVoD@TAb~bg4?I>4 zDIRp%p$+Yzugo;p4axSMW>~vs2m(DHRW0Z~Dl3K5(T7q8S(_n4!>anhN_Qj#@nbC^708S+bv+yrY5;VW^C+&Sdmh|>=`uN^kae7`d%2|wc5{C|AJ7C%u~E7~v7a2sW~HG$M| z4==CZs<|C!9y}TT6~H@)9m#VLCcTro01F)*O?W!q}Gj(;2p?~{`rzIKQ&GL`%HSuGK&nkCa z^?H0<94e6PXB;EEdboh9eD(Fd8UlIw0$-9vBCp+w=?7Ebwo%bkPCn>jqC{-1NeI)q zveuMi5RwJVj%&Uuin0ruk#MKWk_)D3DhkkYF$wR%g98(v!!;)yJTg1~^3Q+$>j^Uu zmf=!-apH7m0y4S^LTh|#)c;XNhlQ$C{7F8`>;DYThvz4$`adTpCtdxYwLB@|kB57J zh%z}qssKt<>f}aGhx{5RWmQ6qq9)+sp`R#u@w8P-`l<38968f|Q1vCT5*w@vB;#lO z)<8B1{#K#cR0LIeS}KQRZ?82r(Z`Y@ zOSY@U0rXKIMxgWdI^cluMMVynAXXR)xu5(VI*?c~1CrmBaUlz#F#-Zf>K@=Eb8-B+3Bg1C9T@@sKr;t=>Twg&YWIL;o(P?H#qzHD#g~wk5$AW%Pva znSC02Fs}j#&uFe4i&Z*~-;9She`3mA3gvIfj3J&_$zt}-m}fmY%aVAkz_=u!0ITa- 
zTr2@mPy0vqy#!Ew-AT8Ll-@~J9{h=e`8+Jn{Zdy?N4#`u6|~b(IdYICSMtz0P=)mv zK?3msrpLJzxZ;nMYzYG?izUjTm9dp0E{&|0(9zuSC-1 zbbom0nN6SCQth6{cvj00hJ$;d`|9bJ_yxae+DoKg_Mac=|142BXK=>LnRoal@C}sKHhv31@}PUooK4N|}1)T4vnb zB$ux$`@m$w%x}s8a#m=7%r79nt_jQzD4|MV#cK#uWHUk@Y*u#asjqy-bLU;Gp{z& z8~e+v!dqbw9^04Rq}NtF>r2M4MawzXM2}`cM_n|wq!SPt8iFwgSFo&8!?2oB7y)a` z(vASGWN~Mpw8QY`7Wm^Zy|c)>r@>R-{)d)|2&@qXRAT>+&PS&y`~UR3v;WugG`9bP z+3+%$4M76E61zWmyP5f4*!jCy(LA{;IHf;})NIQ@E$VudAR-b9{1F3=!eL)M3@8s$ z)g8^up%dr~unTAC+IO5AWHF?VqtoA2+0>=mXub%B-Qt7lZC}~y>;E7Yu08#KdNxeQ zf1X~PTy*+>9nY%zKQHDnwFm?g29w#qq6|?!u&8^SUK)bNyBtp1Tpx!%lB5mqLSfB+ zN(A_?zG4Bukb@xC?D}f(UVj>>y_XTq8eS(bqhou5`KV{|{3eUA1Qg+`{0h<49Nq&5 zB^)xx=P-#6BDO~{3HS5MHi*@t=*nk3CIYcL=!6Z!&lLlO)6G)>VU^L~)*Qvy>rYi< zl@m>yA|M?8N?m)7_SWGSdN!6B0a-Yo0SN@)VpZfO2r|Sz&|5@)z)nPK>g$U9Dgc%a z<%43bgRG?WaN|#>_#@~Y_bSXqMty;<8Imm?9*$ik7`Aw?+$0Mz)Ggj4rAsiGMLxXD z586QU9B@#1fU>|NMRjqQ+3Q!vnPstMX*{c<$a0a}F|)0;r?LH4BMhw6{u^Cn&i{s| zo&C3tXSw~CALLc`Vkn6Phk@(22ZNJBt|#l$+k`26Hq$Q53A3wX9d5b_SRT_;@#L22wKwHI9%muxgy;uiizSUU8=F9D+UCXax7tQRyT;MBN zfu#^TTQKiwZ2$4<4!{!o?__i~OvnEZhc7z&Zyir#|6hESD=Bll@C@iD%*7X2AUDVx zqhnR-f>zmUs#ud!edJn{fkuq1N_FNQ#Uv2J0$9ON{3?c#PQg*n7W=BP6Y;B5#*MK5 zP%Fo5&duwQ`MDUHv4({fseBA;%zztxn*%UJ?GHLpoyHx7-{?U~|6Z`*XKc`%fsM^m z1IKK`d|VT$hj<<&z8rwWQpc0TW1yj#-zFd?UN1!}?8Kw?hunTrKP0+JH(J_Tx1w(2 zQ-A&U5M#)5um!7H0A>E47boZG_5Y;1|F@oJ)$_k=#NG$9!EpCTs9&jb{emdew9{LI z&>BX7eh4DyM7Lj_93nq9IXZ0*McN)|E=@a-0ug6ZR;0|ivObX;8IRmrdE+Cr_FDG%f0|z>dntC6)0; zKFQmTOcxH50?0_GyFa zG0Pwuw_KtMa>ACsGSTM(3N-Z{jzkIpkJ|k-68**WKQWVKmLPG`W_V4{5ViEj5<-Kz%u{OS^ECp>B-sYNoW79<5_C| z{Su7$5<4(@C7Klf4CX|$Mrsmeng)TMYyzz?()fT-Q4h3*nD{wJN*i==n08jF9-uGg zl;QvA0-U#BD@l)x$Y8;EPo2DLj15jFBTUobvr+~0=E!jee10rx=t(t$`l{}`;~dGq zeQ(B~jgCCZMf`*O5d4yb(zlU=1nPTgwd!4h37S%d`sz2uT};W5`ow)p*YH^B%=4=x zm1@e>w$0Rerz+5V8QQ&nXVmwMbHu0%hGv)xW{zKQn!uH5VYE>-8=$~s7U;4>`34@n z=lY`Ltvkdf2H+VI(civjLxBpSm(`T>xc4TteUhBf-j`r@N~@yfpYbj@}PD%0T+%4l#yp^YSD|?j2&UsOv$7K<_&+8jQ{d!~U?Bhe^Em2*v>X 
z_DoNwXTR%($l)mWEom_k34@1k#x_MfJPMr6k>xWi778*(vPH~j#oFJV`5Xmbhpmmn z<^D?2xEBsBW4WGSmCL(+e&4dE?EcS-i&Xsg>FJBnw&(wC+pubf+RW3f|0}Hj-)o8K z%z$;90n|b7(NrQ4E-p)k?u*bPW?F8|gUMnFxIg&=Sz)kI?nO5M+UN+Z;$d5U0axl5 zEm8W?Q~TP#RR3SR7@nr}|7h#)e|Gx61^xdxN`9go6_G;!2c5L6!2^kEA<(qxLa=e_ zK4i%XT0eA&huf&c7U<>m+hBb8;77FA~?xTAe$MpQP0TCT$Eq-`*X_0RRz5eT0SW)c+|Y1y$Ge@7m}=ZoJ}9H`u?oxm}q(kwex}$jc=0+b%h9m z)ewS-8U#xG!vX~BMMO{sv9tkWd|3;f<|}1--W$i%DY02;UT4Ltyk_1?`@d*^86ff$ z`~QmHi4Z;ih<;7PatuQ!Kwcl*D}eAwgNf2dkaGrQaT zcboqw*!-ubqTcKVrc0Z<-L2S?Yq*Lh{i)t=25aqA-2n-j=Z(V(>p}3T+xT}I|8C>I z_Z$DDB8_D>jv`GXibZyjvc_ci2HQWM6_QbT|rp z3=X{q7G((BQO9?Yy2!%^Ux46q6rTJ{$C3XGy=UP!$o0hHHD=Kl9;1ICOCUS?M%%8@ zN1NW0d&umU*KgxSa>jCji1=UC<0}VZSN=MuT)ac#p0e8*W%=dX>sQGyuHU|nzhFLj z$$#Z2xQ+D}aE+LY1qWh|;_WIBRKBT~d`78=8N>nP;2t^7KnH944!Q)--b=7A$>N#H zVfGUy{>QL`4|B`|c>|Dh$u-rPG>tfb3;~~GG6OF??1i`C6`&_8kH9uM6E@L>p(6(j&5+_CKOu`w&7X~oVUL*au@Z%-8I6pr< z{{nz1*D;Ih?2{pA|3aL_drHL**g<^31#-g?-rWHA?pgY@ZvUAV|AMD1{{Q?mmH+8< zG(6e%_|GkQw$}c8viSeUx%l@~fuj3zV_@mU!CtTEdZ0G7N-y{sp^RI$iav_|Pu(Od zyZ=2rOP~LroL+4E`Tv$Yo&Im4{~zt*SGNpo;>EG<##s04=+pZ8pHn5WbpLmeiT@jQ z`G42*bnAb^f|cDuzsU=I{=r07C^GYed2IqId1dCcX)6}I?ELrQES>-BY0{Ry0PZ@PDlLc^& z|H@jk6d^B>*{B zSrh3;bzLB1bx5(~SWnGl7<`FF&(Ub`d!N`&6U#a=iw|2g%{4_KX7%THL{m|SqQEYq zz6kDo)bAkKK7<;*_a5D0bRSK9@LTV0)H?#bAb_Z+GuLr!qc_v3atwiYl&te0A5jqJfo>Oq#?{}`pte@Y(NQ^ z3*qt0QI*)YHdo0TgZZW$r^-9XjDMld{FF}=QLoPv2Fdy~mG(Rx`8Dt)WoqITjVqZ7mx5i_q0h3x(QMZe$Qu<0r1O0((Nbe3hO zbvMmgon}X%r!}PfOV^)J?ZY4S(Qfbetu|h|XXU4f{b%|!syGNs?7y=YFD}ycKVOV4 zI{R-OPg|a^er(LGwDZH9`-r_qQw8xa;FY!jA>hcFay%o*25;3nM*tH*nXRuKTH$-@ zUfipf%FTtR*plB)Df{9tK(@wY1_DQq-t?21`6f>+!)Z@h=#tADZvxTK6T|VU|cmG8K7HX zlpNQ-?5#!qSPV5z0%GE02X5&G&Ix1cONf$dgAg3}9Mya3ot=I?9L|UCkoS@f-AG_A zR|*}@ore~6T}m{EdKMf66JU@Fv8RxE_3{!(qb`_kq4<(OW`LMOA*Y(Y%nK*<4uM%P zC+)P{3aZIdU#?#^)eyHVlva=;uC2*um~Wcnvsl2Tf+jb$< z`f9>(2d$VQCW6#FLrjiK>5FBjq=}=?K1eu~vfms}F@X;LPu`D#%jt{c$tlWyam)o2 ze$MwP;9?F5RZgm$FVZikTv!@-?86E>n`H0_k9MP5)_w5o`Liqoq37`|zl;jqRe-1q 
z-zgB9Z!YvgLc*KhO@MjSPBnEf7wQk~d8-B{w9yhD(kw^B_9!N4T=o5QqeMqkhqf*j zD&=gRAUrJAv2_y0~#)BeAU z)2+|{za`IRtpCOL>9^esc*;tp5&rSD^TJE#^+T1ixpbp#O?UHrYn~?h-$tH87cL?d ztHmzY|0l!Kv(xnc@BGC{r~lXSNMZXbl0a~IWd#5BN`re%(LD@h_p89O_22$P8kskD zmMV9U0NuaUKbCiqh##($$+;-*-1B(6_`HthaNCQ{s-dG#zi3tPG^Wdn6qOXI2BI+8 zYv|Nv$aAm-`6U?XgRLMlI#5|Ig*E>vQJG}bSQ6QxigQ;`zDh*BCw;WbtH7*QFQtXy z{JPq3deqho%umz1w8hdy<)z)$s!vlH($X?Eamknp7`9j#rVv)G@-MY!j}Zc2PV4e= zFumo()vtU~zrKr!U@t{lVIh}C#XEyVX=#>9=p<^en0;i6u#^vLu+RnufAXeM{PaOT zT$1~NVP8_UBn3A%As!x%KYfZ$w+f7bdVoP1-CSl@;f6zJKTzgEk;eds&iYgJYYFXz zP*%a~Cv=CLBD5U&V>wp2Fd8FeBeIAtdhtBed$NNoxz0=U<%h4x zve$EnOjJ5j9Q}$k;FX>@7Iai8=F!QE!Ei7fjB3t+_^a2NW#2=N-by8v*PpQx1sv{A zAV+R#Qg8EFzw-~mJIaRelii*DF`F)1|?IT{c%oU;$ow^JHKzv|%e$~z$?BW)> zR$wZ3>>`)4#Ul`|0oOpGUGnq0ucr*(5-uRI(DJoDp$>7-r267t(qSWGpgM_~jWq}i z2Cor$na&=8xcIATqi3kK`eV1WvqvCK2N=9vwub3f>MzSC=sGIdY*%M-Dj{XrO7!$3 z7K|onG@S2!r>d$6C|40C4W{ez{vKhz>R6Eu*-FkK3*xhin@GM~jgngl=hg~P8@&_`W& zFLf(c!RPDY*Tcdt%3OwZ3+0v+#08Bjl}1F}6qP0&omBJl7s{}%hW9h|NtUOYV{$HO z6_{eED;r(wv?#$X9Pbbq>FOp~lYw^$2Mwj61Bst1$-8@K5iz+pA zZ4zu0V*W;7mDS0ub!5|WHQdToZ^KR+m2WN&St%#nsGAt$lPIQWOf;MD(BU6M^8A1q z7yra!{-bWvWRO=c72TlI=H;Lpbhc{A=gm*Iy>U;I_#cmZ{W^C*%HluIhUxgv^Yinr z{@+@j*5W@)>M=ikN}h1~_C4-xM3_x*MMNDN$(A1=n;{We!NxJw;1%@X1Upz@#0UTF zPf+mE;O{tkKjeP~(l2+2F>E7ao#V*8L+llGJ;)H~eFsK^(fMH5ANKMvd3Z==MtPK*h^AfghfJ^MYm+L_r?o_W*`jQ|A|Bl&)m-9$dWJ@YwwX69X~cj2!n zRI6Je+R^`|cL2)t|LG_l|M_Ax?DYRyo~P9RVbuSgF9Vx!ML=<*?do(@t_pOQ1)lb4 zsQ+svhA+GSeVVTSc5-?$>gvC(!hZ zCZ@S0o_R_0!oc|E%S{;m>@j?Y9W+Ds<^N;vU)STdv3y~?Ki5@Y+x`FBa;r*5+lls0 z_oLWOq8;1OD=En{<2PfWNK_Rfl3)X%r0RChGq*9fH&^mLSO9n`vIv$+vJ?X!5{m_b z3#WC$!f&Aoj)amTkI`Wiu`3iXPK>t{$$3h|Xi)Q>4$%{RLjDe?PwW#Cr*i(9^87){ znGz@@%%5laN}h2n(SG7d{5pt&y_KGC`9mI!x0;9y5+OmNN~Zl%Uf$ z&{q4mvNVkdAn!(Hw02YVT_z+{*Tc?nGA$hAb{XJMsb@eFbakrQ84axO91uJU7kG@X z573L}&-b1W5Sj?B$lT>Otwp4*Z&%w-AGZt%U8A6mM96X1gzmcUsF>Z_xjxFGv217V@+ND zXO|w(`2I>GM6PuN!O^i9q0)n%BUEl`4RaSU9Da)FWwI?9z z7fCDss&=aS2B-z-&jAfNI{4=1-!o2P-5@+^J|(o^wM*|N*-t8^7(IGrSJk8Hk~rgd 
zGNFN6N}l?vsJy&z3Z93bxMA%sL|zQ*ktn7e@^|-czh@yiW?bg+bBTH2+ErV><)k>R z2GK}3jL_{HvMVpF5PvdU2>H3mFx+qy&LXjNAoln78plD@2cmi{`lffFoo_(T)9!1Q zm67|`zaDvQ{JxYM=>J%|bGyxe&hww$o%;Fz{;tRWxRbJ)|F3(GpSNewy8?vSKfW;|GNFvL53~#}(G5*W^uKTG*PEUve53Wb8I5Z(f|NQf|Qi4W{Rf`TyST%ew#P`Th%k{(mQB-TeQZSrmdq z6Z7x75NL$J-KvWQ^RjmC*G)NuW-MXcpjs87<<3qR zyA9#u%VmLSVgGhCQrntY#V=&riizYjI3cjUX)?{N--REvUoDN$Q)lN|`$zIk^kQQn za-?@3_#*YZPIq6Dc_Xn49-w;!ewK5`(?y!{5Y5~Jw>qw1bJpYV79dpHc}c`p5yJ$#Z9*|s%Pca_Ww@| z;r(6!pJ)TV(c&?H`+1G(U=B7`BCM-NNshpG^8iGL0qlFi=F(2<;n9uN)bdnzdlxFT zS66KHw3g0*F35Zn{aL9UrGucQE7Tkaz^mwA|I!jnHSh_IU+j}4Xptpfu2|{C|4n*@ zUcsN;{Qvp>e%=1x-GAZv|DBWu`@gcoYKDLLH@g~2RwYP>6wBG!JSAQG3@_XeW6fWZ@N`qISASVl_^hlgaHASjH^7qbBvh7pzni(ygkw-Na;;wr>j5p>PREgz@JNa2U4bmiw^itEo>)M-!ts1;td-@^`hyt+^#MqQB=r~ zRz_2M*}kARbJ|j?1%_yhgA0;`2Q?6p)ArOPZ3J8cuaVuiDvwo zHW0C#xc6?Pls?k>)do}tn@qCtuM$~9zka^-_0!1h+SX17&yzN8N=EIT;3-p#;l)d;r{I{?7uZ#chyxf0T$N$*f@%T@7 zQUXb}IVfq7vZ6yjX6c_RIGrbOE+RQUM z+8Y(umCUwiV}AAHFh{TJ0vVOqYi-s!_dT2Esk31Zc}tKf z?f~^@N#~ZUHpGb}iL@rZ8zVArR9fn@-!E~LfsS)j2})gj?o3m2ldG*Nr5V1j$3+$g zItxGbU1!bh*B4xAFE@V`{qrUrTorj2#b!vJjbRJT~(vJF4?!rkh zRB~gK^J1(d!b+|66j1ifuCXY=oAeorM>EXB9POp{YoRy&J)@k2uQN`Q>1i+{VHVM3 zdNfT~{`k!`2{N!3@|!`Dr7U98`Hy7oZWUEYI4hbc2PME(tLl5YfY$fsI#t%QcB_`7 z7>4Mda9yzZpl1`=%TfpEDA`1pKkk@n0TNzPe-&Q7Ds*sH8>`2y z^a2a+e6ims^o0lRYU3s|(i0Hat%=o1SQ`Xz{|~K>{oC}dRY8B3&9x)i@33I3eHE4_ zY}@wUxncV@ybY%s)5~hyjE1rzs8wl0gDdM*{fqG9u|gFgEgsUdhpNs zi>&~K4d}dXQN-m3YY?o9XuYj#!Nc@^31t=i-x>JVl&(K1_F?qU$r=9*a*a1yVt-+zX7I*3&6>)eK{_hO@Yf1MP}DL3c;_Y(2<9{ZDSez)^BAV3$Si#rVHnjK`H1y{5Nr#xJ4u`ai_ zm);dw1)sOa`wj3MZiJ+qT^DhuU_)Q)pi?(OZ2gYN^Urs_bM;@Hi|Sq7t5#LlUj0;8?X~x_*%l)ZI|7teE54%501;IEHx+_I z$J1X;`seK>r+(a1`sXiqUEEZEXBd-!*CIqCv00AJtfVkF<}3j^?No^L*9l=W-TSmn zB|Z}466nOH+?G2s@h9XJ4wAoM7@}vLGJ*n!D2bJ8&ZpfiQ3otvY!SlpHN!?U#n2{ zCrPh=Ka_RIwMB)E@pMe6(x$`0dg|kvrJ$z7jJ+A%*?o$G-lxwdrns{c_{|Jj+CHghL%U;fS}Y z_RF48ki;f|3>^A9gLE!c8{Dl%eEO@@{YS-3kAZnmr}4WGKMlQtU0$pXFs#r(qii7h zo3;Nq(ern~<||vIa;BCpuTb);iU`^uN(;cdDvLrH)MX1mvImZzO(bb5G7Wzwa*`I9 
zbB7ci`TWo6;j%g+ao}0VMUI`y8SyC$x}O8KHYFPSFn3ub0NLVce`4p%%}&fA3>?N^ zvle{fULni_l?a+A+a5EY76XWe_tU3Xq~xkIEp8iBiyI0Oc`k^WX=)}&lz3+v=9_9= zibw)EybgWEiov#pTb_uG3V|EQOgn=SO%miXdrwKNo&+BqZiQD2z{~YB#)h>IU=oxe z&3QECx>aI+lg67t?nCttXA)+mZp||rL?lYjiMK=2KT)(U6-K*1-Dg!|E3b0&4%n5E zNHEGR{sp=R!ON>IgZ9a_<-R=G0Hu-k;@1hbcpF{#?q_c2btQ`M{GFivy{*Z<`xUjjoEP@3=8$s)qnL~Kz1dqNK zB$vR|5YFd4bpuYJ;V0oE{)IreT5@eW@QWYsCphSDYG_(MzC3Fh6G6`U4b0}&1GV5^ zwhpKaRp{G)rxzDPjB1V3G@@Be1d~V;`<|rFc@EBjA>b&qho^SD=pvft!XqK05;QI= z-~@^91+Qp@h>b3$V5UL~p_D5&9<0AzxC znIypSVefn|z78V}JYT0d5YK{J1g?*UR>hccX9iCvl$gtoXkSNtO9ZA(DC0N+n5%)! zBPdeinHe9hm7vwF6mH>xma)|87!!q`Ufl51 zO*aFQ(l2k7#wNCg#qM2=2`5wK)HucriKoZJMeZ{n7PMf#jCPN=!|VHrp{LNR&G*IS zz1Ij9`0DvkSi9ZvOnWO|zfGQ!-?uc{TPZDW7 z*&HRbfW_`3Z$7dAkCqJKs<@B@?Z~wIL2HxCjjg4iwWQpzT9l=c%vMMUyH+?QuZ)I7 z$Uc{;4p46LKtf9UP9QdpLamC$cXmYJ{ZIZzoT_+m{<|42@MW})>Dw5uuu^vF3xvCzD?6LzCPV=6yVAs6WR0dm@<@8 z=q)(GdAD*SKmNg-B$`{-Wt3sU5phVQldu?D2$d+Pk`9QCJ0XH~*AOh9))9}wL6UFN zyS&jF6;l2;C7ls1+4XAnv+6Oai6v9N0+RaPUD0cM2fg8fPGiF=zCbyqM{u=?KL@m> zROVIH24*=l*(-h6(9|mTypBnBVrCmd8hkzyeD0LM``Sfxz|>$SGD#Pb#TyTen7;@Q z3J57;4Urlv1LKMCdBX^>Cr+*tv7TqEC8)Tht2lFEuDu1{0gwAl-Q8h0S(|toswh;Y z5anmS&XofhD14W5nmntAaLai0?mqzQUlRy`@$SQ=$di1oa zOwaajmLKbCh~%$S>(k_ona#18M+18xS%ie(Idt!oCujG29}{kTxKfNmnwZmX;b@n)-C6qG_yZb5!Gv8{% z+a?|Gctu_bF%L|!?{bb8jV}Mh=}4@GN;YFYB85M;cHYEVRG07wG|$*qfO}d3rq!iD zGh?ND6J2{y^W@1Ss!XwztMLwU3hxcwB_Z}kWypy0U{<{tTQ@}vA&pW-fjSLtH~i!x zdW^m|H`v3q(oUbF2^ONGbt=0&$fV9Jf=)@fv41X|g5!IIxJh!T zJH@^^laPof4Z1xT#NI`)_!@LcWgSzGdw*~W|g1Ujk?D;r~BNmcHC`4_C$Xj?32%X`0*%E6ufXaP(|OMGUaTHpuy(Ze)wU1aNnR?2x5gRe59T6EF>u_ls8 zNA}#L4tf-u5=YX8<@MWEvf#bvryb?5MsEe#$d-oP_#T-mcv0~A2q;uO_xVydecIqA zm8(k{{D@P495l)<-g8|4JC@rk|6=A58vkrhQI4Lfr7jnX&06pDjNcf|x8MWF*hwUj zeLw4mwG25j9R&kpkTH}|sIm20%7NqtKhov{arBAW)50tyeu&3i+_s;W#Sk-TgKl{d zk=b(QTZO}&%tMN#19`=7kKIo2pU)y&9dheiFJyssBDY5gJ!eGkP9xh3mS68o?k=m` zrq@j<7ThfY^*h3Bh)OUa4q~L71u#rTC6Iogz-V$IR6G(n5-D&aqM%cZiIei-K`vSs zmg59#dywBU+fAt-km(Il{is5rd?YGc#)=xnfWf;zyzbU9-XiXK4bia$C}W}~LRC^I 
znJ*ldzBYpnUWRy$+ZYy%of;iA{Hx4qe^%#SD6jzj>^pCX$zq3R{#m!ts4qw4o`j*f zw%c)~w-UzPB~vWkI;2h3tC1o04{{%UGI5n`S?pU)g6dKFL`jlwy(zk+JOeB%LFJ!p zIcx8*RK)4HO!K|GVei{m;u+iai1nNE#nKVD;^Jq{I9i7~<(|%5@fIP!!uiV8%C$n< zQx(Nkgq#*?tH-NgEY?0e4P6sSs3Lm6coYh2KrHQ{5=BvVgh^L+($lOny+r70JOYey zEKcurV}P$#jRG2nhj2zYe8lE5v5qoKvZFntAwnRzer;SNhUN`zp&TewFn|ugj5iC` za=fR;q19SiI&bg#Y%OoF*=OC#Dl^CEuS@%0OTO2g^YdpFR#>q5`i{5vgIW1oTFFzw zje0`5kntOBeRcAg{-AT;Muu?mXWblQ%&asPvmbWlSejG-7a7nBy8<9*P*n)v0N_8o zaJqdJHA;U9_CKH%CJw5gbLT zRXRbNxr2Y35)nJ(=}mAlTxlpeKO1KIWo}?BD73^Cv$;YYHX%Cg z!#Nkm3MwCQg_m+?4=kBj^Jf&_`hkA7YCmAa1AB52erMHC8mX5FM_zPCpED9mc6Q#g z-f^bwAd|tzjRb+;68$Zju^Ppl#8$5_$-+$T+^mn?FG$ya5aPvy14=x|%wm~cS&JbP z%!Q4%bil@-ObtfqzKNtQ}4#~}E z+!78h3u+|e?$qL!7f)I4CL@chkLfG+=4;n*mviyonW;Th6m`4mVSMV#ld~4mN;~-YS}K=8MqB8ZCx!B2m}I zP}LbFEeEDkMXQt*r4pC;-`CIM=PiNZlo3ruNee<>8G9po8af3#otNI`TXPOsNuaii z)(#l@Pn+wbf2>Yk%8J=Mag+r*6K_0riXAzfdL_$_VyI5KQu_L16Rhd-DsO9olXiIy zN!eW8$c2wJprNWCwk%lQL+*Fr0wVXba-`Hh$OSBoYzA-g2$Y*8az0DTJ}2jG-73&m zk)miVay>^A+2*fzirj46)_yL+W?ts@CbsG=4vKfxGd3elUeuL7R{aI0u&d4>Ow=yX z<9P`pBKx~nS`#5Wn) z$&n`*OI)}^(fE_uwJp&xqo6sJ9K-n^*GNlC@&4X(L@R9RbMW4C+f{goV6>okKszjX zbB>vS7>6-!WgVUhNrFxv29NO zh+S^`q6yTXXnD$?T>%(*>UHm#?|3}=?}q|->kpM@LnVP{YCqiUK9=8nmAtnsFPMC; zPzo;wFFQyaTRgl7C2iO(u8o5n0Q7>8`Q?bjDAQ}$s{eVLxbEA6nsw=E3v z`Vs=BP10G~ZDUetZYMGbF1%Hf?6~zgNB(_OJH0f0h>rfdfTGx16u$8(eyBQFL!j*7 zesLuwxl-$_44iL^w<}kErChhHdAR^KpL|Jlh*xLMHSRNn@AibT(bdG!Jlg z%~B7!Y)QxRjf>n#)-S;7^qJ3jll-6g4qR6nfNaow&lY}*-fZ$)mC7}#!-<(6ux^`f zdy`X6m+!lg`;-6vmN@ZKbzU`WvbuF*WMp`W?r%6AtqsJt@XxzCnxpkM)T{4IdfBdf z@E=W1T_tgEAsu?Z2{1o}?s9MC{ub>irSn9~Xsp-Pyl=CO^!=rO|E9m1$L_`+T6XnY zTb$e&j;e4z;v}KZlxO5tnmM-Jsz_PUAB?oO?huM$Mx2{F(Q?BfeR0EE>uJ6rOA7v} z*jWvW`GSMWlw0U1v@o~`thS$12EEzn_DwBjXw;Y+C?GT-w zZ8Znjs*R5GT4dxU);(v}WQ0po8{|YYHPLv3w{F&Kwaqa7HIbKLqlUi+F!|1?Np450 z-VnjAifjiaX0rT=YPBpI=#S>XH#&zvt{gx@0-+>KPSiq|InD|XHXnTLlxZveDsvbV?j1vwnUvrW+ES$7H*2v8TMB0Q${=D>#1ASd zb)j$->dXBY9h_}?D_=hG-PV($cKq`09WtcO92p21ah-Tz~ 
zW?sc4aH($&4Ay_uHHg$~NRUCJx5=?9GSXXd9_wVj;Tj1 zdxFj99=hJNo76jU5`CR}n9hgx!R&$bH)51W#^-JdsllgB^+Z!zK2`&v>_vZ2gxOER z--5ygM6H1<;b4oJ$5O}RZ;N#BkyDxxXDXnorSixU{doehFNo{Z=zRv^nw@gtc>`%( z$L_&TQ&!%|zN&#Y!`a>=8a#m_#t8hB{kqEjo7Q(rh|i;i*Dn6GDl)yAewKg+Vu1}s z=v(f0Bl5TGbbc;K4EKvm08J_nx!(fM9Q7}0y!>^(k6psrcnl%TBs)YsjV=#CaICS>yWo3C&s9=zq|<{)$?BZuX@MY0{W^~Rm=^(PDpQHk7PB!I!!Wp=w6~s8$69ts^$!mi-2^!lS@g|ptwqC0m z{Q?T8li(Gm1dJ-FO)HKHW$Hsx9EbLmb#JOj^UlUs)*mG(*h=NdLjDs~wq;J)Rf?Et zf-kDuX*Gs{E_5V}Rf&@wZ>)#?>;o6?{UMN}kKKhu;Fv^KPyeeP*?)EOjweRsh2|oYSh1rKC`|La-R1xf0P}u}O=y&PB8G!4_?Bc4(#rK>#AP zlI&p{{~W-XYX|Qum=94mrvsI!GmZuCY`XECl4*} zjlD}J$64$vXi}*VKjm3ztgZ8W+x@w)I;q(M_0VQC0nvv@k`$azHIAvF7R-PTG?79x zn$@l=&o$9D^A2%+;T<%5o~~4upohXE{LG*Im+4e-!v&|>wTLXi*y&N396j>aVA+gfh8Wx$=ASKnILIX zeyn2p=-HNqOe*WkK%+4Bn`R~Yl8UkboC}$m^6e466gsM{_uP{DOt^#yG z<4|V7hUJn?xc;@Nl1&6NR>V92w+(8XWEB~mbj$hE=TDRcR~KL8T$m2&U|^~dd+VIK z!SxS`pCxRqs**||6%%GH3%B7R0J&5ZLVvg<&R@gsMy!p6l9y{d4z6^hKK$PY#%!uRNxUE#4p_}SGze{ zj%9lkFb#->)PSTJ1G^yKQu<3b>7Q;cYzY6xP5n2<67pe+;?g=(f?qu=OpYzmzP**M z|6u<#t3NeWlnmBUJc+`9kOxGMkSnDVlpZi-ss<&_ekOXbQYfuq#($f&>Vre1oW^)P zSFww+u_^wDR3k=1kcQzQJQ~t55|>9xPGoJam9_3NktHjZ!dcyrBDf|~8;>#s`S#gB z(j1JJfGe6j!Zy8cFBsMmOe8PpExhLXpfsiUD=zj24XoOI)#3P(&l9Ds$bjG?)e)C3 z;-$}4Gy%@~4eSBZk`-g)a&$*XU1%_i14&vHn3A=O`F_R|2!)+{Ol?4L7)(=4+`h8M z5X({Tm2P01hyeM8&J4qJK+C1ZPMOtF;*(o2r;gHuy(7yokO(UG2r#Y+cLh%=f?yq6BZv37!sIn^f)g)j_s}XjJm_jwGH{&asMhU@Ux~jK0QpM_4#6jH>=9p`s9%v%r z2g1?{jO`B{Q}BVFU-66Qo(( zn7*_R6oH=>ljaIvbe@;1->I#>yVeL4DApX`opK2+u#7;vZ<}>ugw^0$!rKnaPyf!x z%-z|RdypfS21~U(K#qC`AR_iGV|8lmyFa(<7J}oDW&Jz}#YUv}^(y-;KR=@cv|A ze8`Y`)KcW_SKvTEO~T^sEo7z*QNDO0`VioDV!Jg`G4$YL^tiW7@dh7CYDigN|JKrn z5KA6Zq^0RqE~eFQHR~kkipG~NH>8LK#P%43@v$6_vTLC%utgS0i6bT?>c|)tfmkn- z?Ib7Y*a*Uz9k44I4Wh5BLONSXI||*?ra~3X8gqk)9w1U;%J%_%QG#H!Ng=oj^^oy-A z!|ocGP|)gNY@as=FIR*1j~$C^ur`w9#hcMQ1t^Gu44GpWke_Vi#{mTpR(TU=h(}_t z2p#n-CApgpqkIjnB=%q|a!c6P3}%XwuvdXT zVv1BEVJ96HJXkb(!&;%V*q(dEnR@f9RKQdgK9;!pOVBD_zJFuRf-F|V-44V4UGA$T 
z2mA;}dfI@i5WEVX%Gl7WC7vp)uv+QoPmeO8p>;$KyDC$w2AC zT}g+2#J>Z$O9O^yn&k!0PGva}Otif~_V8v}rp(9cjGy_w-$9I;I(4Y?c+S18g8~!5 z2NGz;%n2!Sh>fL*gv*=8L)_g6fEh=`E8!jn(-ApTORywucYrhL{Ic*7)0eiUnB|u z?#|a!;+B=OFn{DNGrq*3{<47l{d}mVc+7u2^DHFb@d}y5B3S|q%P9OHs2}4AUoMi} z>v^~dg&D0q3R7p83c`)=Oo+D;;&@fKwaoVRdM>*Npe(t*j=(vk^WkFZPt72^-tx1) zVMJ_VgACk2dF7-MPj0OAra4=XVmkIqtSNt;?o={vDxEV$mZNZTeuu*;pOBsox23^j zl}k4h=2ZN4g6h?!cCwL>{uMZDy|w_!vcjovL6SY(_l`VDP`Av`&T~#L?+1!a#UOjy z{p9hUPC`p^yN*LJ;ZwCoecBog;!-5I0D>RE_!HQ_K%fDFJdTBS;7w;GuoFa^%^oJ; z-I`;B|1<59oP-I>M#Eo%u6)^oVHr0UZNoa&K@K&1k{A-AX$&THf4F*9=*^1!dJGL@ zI4+gbrFKkkfxEq*MTyDdg~P?}BsZfN{DWR2AmoHyp6~q*MVb&lN8FQ$z$Qi^TG~D;TdMm4eE{1z~2e{Eo&L0FW!<9@dkt%y}ydYe4Z%Se&4X*yOteeu3Yu#jNj+VMx5Wmx7mL*$UTXfx1Nni!>c7P5~a;)iEg0=u_M;0z9CHZhttFLR%K!tx>Hi@ zdpkma1w->CvKVn@cM&MlK0HN;jZM;C_x;K!xbiSu5vGYML0yn_Ug~P9*3b-%GF8}6 zS5yT>ixn@Ckl>w?RA&}Mo4m|%UWNllcbRp#tccj0;+%uuhJ>_+M1^HhLep#-?N@Tk{H;%27pnNQ?5H4u&Fx?3}$?zGWZ-INEJ5jScAhaOMAhB5)nn3!sEcS z99$1XDv<#j-Y-w}Z2g9R&^vj9NZDqJ4G+5qkw>^}t-*5UePKF4XwBrV(>og8JB6d# z*%-;NQIwQ}Gh^g(IM&A`ahn*(Kw{4+A*P1OIoYsfY$1l7X%RF6%CmoInMmt#@S$4Q zNo%x|iFe%KxlN9eCPqc)kd&*q@ZVhI-ZcD6W0k+{&(iPuiI-3~oAI*C^1)@Wg87IM zB>h_qK}r731*X8-E8w71J{darTRa1S7L0NftJAy~Wx!;0X{ z7VDt%htNC03l=Ex;n(p-4FK9zLMiO$8)m`j{f;!DmuM=I>2KSKhe$(9kNE)zqu_1e%lFY zk$OB%Q& z|7oSIRS-{v%fEv0FeTwLPFB}ajhB+B zDG#z|%r7z8o z)_{c=HR^kT3dQ!1@%xBOxm7L2nTv90wc!v#3|`~RX{rLOweMNgpk(W5U=nn|ax`^V zleXpRN1KGce!fVE2|=W5Cqja?wp1CP7zn z039{YlGm!>(=DqQsVE#~)i-o5qNzp|J{b|j^3$e7o40y+=1_V`^^2AyR|$1*wt?1E zJqbV2)4`t)0YRI(tn4tSF|O3(27{q&3?HwMxn0?4?WMI;PeK`kAb-Zfqb=TPPna}uNg|o+b8?f$_^L`;V z9LOD=wH+NDA4YzJpIsdtx-VaokCTzfZ`^*XD_d)uUM(NH2Y1PStD74eD=S}UtDTK{ z$x`HiL%-F|n}4U7UPK2sX>prfTKoia_8b-VVi`(%UPj@R?wO`U$lT6G^T|slLTL6J z>d%rW1Qsb$R8U_DfSl`SW?16tvYQMlyT6?T7t~4cmpVxqGbzyFd-p%cG||7$n5E3o z8zAiXn!2MEnG(G&F-e=GLUl;Zy3UH?`#|tznp_#V8hpHRFs(QsS_*=@JS7oIHH5 zrdJKOSh=zLkE+T~3FIPZpjn~scd`$Fv2>B`!fZLt)PTz9L`^c-U&fmX4oic0ASyWY z-gQkY3FVyeFV3e*TGxfejaj^kne1-o*2xK&CLwV_X6?7qS{Vfy&}ZNI*rK-890Ha# 
zw)l910Uad#S&FB$-Mrw|Y14lDHj&icVwJLK7Tp+?7dB~ueVn@@J`kporMyl#e>OGk z7D1?Aiq6G;1;iLk%{oBFIUyf+kR3aRc`)Py!I}0<;EJ6!ZiAzCuN`bxcuJ?Kdj=PV zp$Z8N;OJ688Uwq#%=K8UZ1|=ZiJfi_?`he~446*yk@oc3DI=&9z{JovutO**y!=X> z#g$5X5&#c7KUc6Ekq=*>5)VJAq2hn^6QK&Je9_>=A7fzdFH#6ZH(-_haY+wg+N)Au z%vXEO<@l!euO8s_O#^nzrbDP1rO5FGiNqJzIIT_LJD+ z!L1bF0G7+D^fy8egM_qH+4jB0p1n3#6kOa0dwmx?pobzi+V4&z+vS8N3k|lHFcUQ( zX??<<-IA$sB)pt6oDdgvXVx7|_5!UGt|Iv``?TItzOa^7ycJ+JVrgs9!(?Ekr6tP6 zhjK?1=c#iW7%}T!P8RhGnj}6Ps6=PeI9ZkY*Nm@T1HvihD4Nw-{m1p7WlB!b?!myK zYT6&(Hpa8=L4E(o(!}>m!$04g@Fwx#{+9QEMx@d4*j)C68Gz1HJU#y2CJV_+CzHBi z10lk!3bMb?Op)K(&$i?``f1wc+GG{0ylHq+aNYxo8D#ArI(NFHXw}JGzWKDF8yhoC zn)^TflZ8Q1h3ui%AvlPY9iy`_i6U_Ezt0>}8cYBO>Z6Ojd|1gkcaNda=mrsB?t)$NJ0k>{ABghg{W&+vr4!{;+R3P zVepxBF`EXG8}ld180<)By+tqtgGIMdr=RtG{oE799blVs;Z0iHB2xj2tr~^8_ZBEE z0moF=Bo7zyl9;lT8QVB76@?1i7uQL%CcUPpW{N=CL{7b4cbItf8`L8H(*IQJuM=@4 zQVJ0oy2|!@v7<*6NnpDAZwPz-B72+@67$aRBzk``8b$i-VMtVJg6ttO$(BX`JC1M=~1v~iVIYG4l4k^jm9uW_a(?$9!1 zlAStYW-LCfTU?%<^ZN3Mh0^=Lvhi69-0gai}Ae{EUIqpk4Hd%MB_49yhk*Bsa_5`~4E-ynkhktbOOi30|e8>E&F zBGm83R;JvsXar#!OEjL3nvT1*(2Jd=E*o#p);B}1=BKs6!Jh9YPIvcH*;$`Mm!Cb4 zu1BcCK1tYhx3-0~9F2CXGt+1~1W2LeGl97EtYgD8Li7o?OGEModZm}9clT^fPAw;{ znxztsi3w#(WRfGO&S_-CS%GQ3%8aGyo^`c4(=KogZZeHd*Z9TLI{dZdb^FTWKzSz8 z-8l>xG!niM&B1|UnBr{kBdna`i~|O`10XxMevCbOR(-m_$%wFjD)=(oab7l(d%()J zZd9LngUVPGCy8^2$!7TaEY_hRuBaCnzb`AO0P>f}>a$cj!et;m%V%3=GDZkE{63nD z7H7`v?-IH+Dmkm-bZTkP{UeF>xS3fcen=yXW{|rb5f0rd;gUkA*b!`+&TB$_3wEi} z^(@D0AIA=^Sej0`2H3CUToK-yu2iYQdD!eVmTaarJ&MFOs z6-BH!-61dt%3j){SCdERShoq_UqopfP%{`!e{goDhU#_fumL3rr|YfcdW2(5xPq0q z;tzpd10X6zhtRvi*!#(nidbEef$+eDY#*v<%^UK?88x>eU+u>w5SlvxY-)j~3KwFe zhM=(%>bCxe{Z~P(uZxbqO!z}gYwx@%v=XDx$^fe(oyLonja1^uCx|B#^|2$eixv%8 zx!m+Srtrj*{=g9sw5?GRDJLE;R7=78SsymiB5Y*z2o1Nl-s#iPvkepEOMet3d0wXDhHOq|_ zOsxm{c=~D*lV9n|+AJd`Rgr9xLF0Que#DMR);|p)XfzS6#wKex7Zx~oK~DckN0QgK zpS}PmfkAqY+HAepmm);^6#*vc{6&8b?bqkR%>6NvIFFz|aJ(h*1@ZJ9Jfny^TnHW0 zd+YxQd7+*5r0BgR7yig?R_42l<%K<%kTR1OnA)#qWshH&=FhpA5BX1vaLtpdf0FDW 
zYBmXMBAH)p<}t$EK~!+cczjg{voL?>TbK7jg*JA6e4KB}Q5NqqXXAZ)f=A78K2a&W zr_dAv`cEmtoOs0trSP0Xf@`GNt-=M#Rdi`n(l|H@fk)D}u?ZLpknBxEjoiI9NPs!aQ78vmmg#h*c1nD@A-!KUay)Cnc*ItR8(vbKl^2=b zu_j?rym7Wp+v)|kg6SsRBA#!c%&j%vRKehOiP=DxndA)OxW5XZPTlB;w$fgY{;jRE zpsA~qu*yUxXO7ycgCt#AZ=8V`%|@ds0~U%I6ev8Gbb6nPR~bF7P|G5g6E#6bOha=9*x?Q#X ze)Bk#f54B9y$DRn&HZ&lu%fA)!bsDEoU!S5h zz#Z`#bIVc;8bBGi^70l|c9AOMZ4|~QsR&I%PiFzc*fuUgPaD=D`)Y`gU}N-lkW4iPl=tedkdPKAU^t2 z(Ul3G%Z1nv9RUUu|MJa4hs1Nc3trH0jzMcc{C07VyAt_bM(y<{L{$S)~UF)!`DaKuxIZjycU zn7oYta9Qxl3l=((KiLHJ-faRF9qsJU?nA(zN5Wv^NtMd&MPH@2O|)p8okhfrLum)+ ziFiqe{m}nRwvi_l7x-Km91>1W#@r1DOO>UtmfCW}GY_8d+q2W?5na~2S9JubPDt*# zUaK{0CF00}l#xxEgydVq3^$4@fMlH6)#m(ptrKq3DAt~BF?75G6Uen-S}3{%-gC)9 zY=?c-JxUd|*+=Y?H8F>U z)V2x@CU+1$Fk)+96RLLEwO*1X!hTIMkb5q|w84Sq=}w(at>tjjf$zYy{~Jf3{bx;? zdl=_lqBHflU1q+q7R*=`Fl!`S6 z5!>5uB*A=#>{Y{3&wPaak2~O&wC}H%Wb|Jz_>?WeBiWoi^~;V&c$}esZtzx|Os3-6 zB9DfV(n+5fCAxLEjDG?&spjW)&h`Cz2mDo3QsRBDIdR)5_v&<`y`I7W0?VeMPf_Id z*0pXTAh$PFnFB*@ukPxhx1oRCGXLW?N&zU)p)1eg`D{B~D@6Ax{Nu)%GUL5&k}%J5 zBHYq(_PgKa?X07(J7IYFVr4HIaY6b;)9?f^loc!&2A?4}5v9_0u{I@eGK1h_G@ivV zm{>ktHMxXcih$>`CiXE=o|W98m<_kZi>?w$wfdGts#UsFQf(N%=njHcX(pAkS+os0 zBVFK7EjDu$fliyO%?LLWQADieBlngbcHBfCp8ueOE>5EvRq}5k%u_SQ0^B@LK~l=c3H8~s)2n9-XYtjG zX5~g(E8GlfV7{xcjy6&in}03&#?LtZ!J8qDPb_oIZ-JPwzSGkh9L_(8=e8v_0})ER zaOb<8zV)DIk_Z8&f-1>@SGUa){64~k3*z2`SNi<2e_m{C5b=8Zh(7M`eI%w2H6XE zYauwgMR3b`T$s_H^C}bcr)iB_LvggWf)6 zgdC+G>)5z>WVB4?i9%urq4x1#L zL|rS&^6nB;)SBTm0V77qzYyX8%VfR^>duNCA^vCwDsf>y#A|+KmPHzf^^Q~RZP*A^ zJ_(+bNjpbpyNtn2;5+NGt}0qixSs|9c3@CwThH^VnVh?D$kghc2Il^0d*Ts%E7_drAOG~M8bD0(m=bTfBrlD{Ns*vD01oUx|EU8HR z>CB{Yh^Uuv)r>9_gOD07tP}V%S@WJK%UiNPs*0BixtV7xjS zw`L;#v&&*c4>*~<`C%Ia%W`-gP*E)Im*OlXrv%Q?nH zvS@`p9zcnvMDu>lBwJ(^)F{_UkU4k6XGO>N6gTBFulpWe%FpOR^VvV2o$|UazLDs2 zNt*pOe8hMA-xaruVdTn*aN&D#%_8-RIp=f?M$LXJ3AFy7Hd=b#m-&;sPJ}P(;t${A z;jDJbXWxmC6a8<&uFCttYu@wN1A*khpY`e|32M0k(o&TO^GDH}@lDcF9&owujvLYa zqW1neyfen|50)x?cY!hRJ#@?8vj2)C)rXe9T#-{g_Xh7gn{k&uG~dA7if}9Vr*wdS 
zf)v*C4RWuW@lQC@$IZA+nS~Cwg12>X=?Hd~_S_xQDWewsx*=SgN)->`JrG6>JB#L@ zQ|Da@W>*N&X5SpgxjX;!=KqUWQbO1L>40yY)Eik55BxRaA;WJzX`N?Krpx13MbOAG zhRz3d{({wU5PyPCaloi*&d4x3dHa}&_>0SB7mo_PLA+z6kSK9pvL>FlJ1l8gLRJLI zW7FtN$E@=77Iy+MY z2P+RZC?`H<1I<&ubJl$2PT}-{$>^fSGUa8B$?nvijqUq1_&`Ur*Ni>KE4I4fei<6H zXJP%wnzRvZ!oJtMM(Mi0hD4>VJE_J0_qfJC-KAC$lPcEmRIx{x(8l>D85m0y9w#Kj z78w^K<`vMw`HbWFqh+CALcC9JSl~uz5H8j81q>!tdX_o!snp{@?Ka<3H~D^*{)o!b z@`{4Gs1?#`F)oY=jk%FseN@||B;5+O+<&H0EHjB_%4UuCOmLqro5Me&C_DV`4CoSI}Op&8os3GkQd zJHCAX$H&lIF=11v{?}u2^vmGZt)G74Cw|f=FU~X6<%2zR3kMyJ3RD zru^r3GyT6lvuxkDx$e-E#k-1v5#NOed>#x0@&;K!Za`Q-^?%VTEWrDX-uR~f554hC z7y}eGcam#m{}tcpm0aVBlwW=PzoWOn=Kqe~|IYQl|J(nfSAKP|KCegk;*aQSCy1O2 zUH1f4aRo)}eXWNnS~!z$%>b@k*m^IOkF~ZQRAPq2W@ta*GKLYFa}`fS!)M?$ zfaOrrQ352=%7bJ?a?ay!5(VG zu0Ew%^+3I8OEXCa1;TF3H9AWocRr45Wq`93Zb%CMKgQlUJd>vB8xA+NZEIuOwrz8h zjqQzX+qP{x+1R!>$#-6R-S_)^??2!7yMVm+P_jH^~jed2t>%Mh{O}Z9A=Yz+ZhEH$~zT9A!RX|tz|ia& z7*Jp*J>r>mfl9B)k_yJZXP`Gy4(Qa)i-5#>jm(pAq&`X%E%K+a&$>b$B$dFB2qsvH zP(QfZGcWNL@vd&M&g!SBWzHkXEK(ZOWvdm)!?`S57EOkYyxkM9LR=IIh3keQL^4w? 
zWww$+{;J~Gsax>Z%~_zqbiwc7h|*?DCpzOEy-RZSJCFaNlS;wA1LdQ5FWK`n{I&FE&a4Iw(D4Qe9?*r#3 zG|(cAk~}WY4=2SHeh&Ew-0Orb$BZ36B4~-LyMo1}$nA{*p|$JATu59jlo@Az%u%!z zs&KKVmXX4XeeLb-g67dqSCyoF{iBpMD9*8T^;~4)k+xNRBq*~3PP69+*+}r*55))m zjkie_=Qj#9i+g18wRZDK7e{Wo3nH(!bFlL5G2<0H@67pWnk{c#WWp%!c1O`+=3)9B z4>yKmx0J8$9FqQ4Yyi*{9p-Tx4S5|_n!+DO0+I(LK8Fc`p=&W3t&B415FgvURy(C_ z1>I|G&1|fm387nWgg4fZq>9eiot&4N8mB97T>EUd6Fv*~TU|Ve&2ZxbQQ*VlH=_L_ zi3I{%T|`=SA#eY>!|G!B68WgwL{R=KdH?jB{j8tXJ`0qK$oHk+`pQM}hOHu`hHK78 zP8~vw#MJYUGm>G*PH@CZ_jb(JL`cr*29iQWtOD$H{tG7I4_}u@mm5GrssBe*QK!5;UE&^n`lrt0;ZTYC zHSOQ7^cVoudhp*L&H!2ATZ1XNp?z0$z~NDQ1Oc*p+Lxa73&Oe@b><>sFRcs0+6OZ8 zA3CT$F-HjYUyN~mBbD<8OVk;D$=6&hRH#S%O&BW97AjoPbM!v?UferLHs94`+Vs28 z02)ToIQKjOV&Ee{AK6R$z!<;iBI!yi2k0IE;!{xVE!>0$CbEZ|dQ4*2S+vUTLWV(& zYPV(`7_!%V^Cq`&u%}cuU4;k!z1P(^1nz(Ji#+fgy)JW6?Aim_NuLsHV0P6imv45h z&1m~nn(D?#vh<7PCx|B1+!RL`yQ)r${)uO((1$$lc6stt6q{*ExIM42@yRooDchXA z*&S@H&4P&ywD>jFSlj|q&z7fjvdf?x*WU^b7FW6I@yLyebV9GK{k3eZv(zi=EDQUO%k6)NR1N1iTZ@#UBx+uzYL(d zkqi8Wbm#9aK>iGEog%O|^{c)i6LN2amelxyDNIGH!39ic%?le)apIZROJ7tXzg*C= zpH0ji<C3xQ4p9hH2kkAzs7Z_8x5}@z%CMus!!4{loCC z$-XeiUwLcY|F5OcdxU4=Y48KVrn}S4;C_0~f9h`ygL@y|r`{v{)!%t9*70&f+nH3q zdN}uMB>7?|m_O4Cm2X!_X@;2J^WDs@0fhjT=Rc+W>pzMyU_Gc%0>&2w9Qdo9T0H+y zp|7?Cn&Ao{^z(ns@jMOg$%b&Sw`OnZ&FlVuw9cEq#QvjR{=@DDqH(nVCA>7)i3`~r zP3SnP;pAkIurplVzFNSSx-eWeT*grDIYY+%o(k@jTS8EsAt$6IsnDqLVS31NLe7$o zBYrvE+@dUk_F~)&PfOTgbzqrwoD&M8@f7Il>Q(5}iG^bl7{V2^21u>tvG>>l)sww9+z zI!SU$8#RS9FqY(!=Ma2)yxra`Rj`+o5cqoC+Y`j-A z0^(SOW>^MNnUCLGj_JlcYA3gpli`AdvQ7a<{MfCkgniiuB3(EBaAdkfnD+r;NHPtv zD<);aeboNYi(?^N6lg)K3^xd|+@pkld&m?$h<(0l_c_;_DMP3FX!2Kn*VDzBg{xL3 z;_$vdJDAdxWZ-ah+=i+_Wx=RHbw;m2bt^KctE@)l@DVdnCB zOMN;sJ=xKOYhjCbo&a`PDYSeiW6^wdStQgDXmXd=n=`Uw*+nP`gJ^@XVCx^Q3lFk!*jOn%Sp5wMAewSh zy|t7c)RgW#E8uRTzWYdhY*w7N3UEb@GbnfhsC)J5fRVQ|rPHi;T#h5^> zWbqnx)59}c=Le5h{CNsnh%oZIp*v6?jD_;Br(`|<$jH8i@!J$3l^8Q| zynkin186cnMiYp&zjfL=Uj%xm_dtQY2@Sel24g=wE>MKu24mre1|~VtVt7 zkMJR1Vnfq@P~)3bEAcci0EA?GvnwJ855V|Ee|g4V4Ob4JIb+sS{_R+k?%)0^%K@Zn 
zdKryE>>uAoJ6~%v9{Rkhb&_-?QC~~=3cxON&u{(*c#3`isH_0^iXucu3837Yc4|8$uiPLs@m7E~eI-H1IHZTDS3i1sC-{r@(0kwSoAGAfQ(#TECQm|cK3)Z? z;CgzPxmER1;S!qa1Dh=Mqa-T=3SbmmUBJv3a{$nL!8`?by0hSvMc?3wMH?LB!2SU{ zdQ8H#nKfiN?+ z{{1Z0HJ{X;7E3?8ui#oQZG2)5?V^iK7+whQ`}>Qf|K1L!-eH?KU+B`=rzoTBBWOqU0 zg$4P4IFvVbxW|8hYhLkc1wbR`*vr3lCL-iX<}|&qp#UxQys*OoEXtA;kPY2qDB?!* zm9L}x%+Bvg{1m9Bev>|x8`77m`H!>$C`9Dw0<>283#a^rZ%c&2V(?JXLW4&kEy0aWvL^>`Y-gwnd$S<=heuR}uqz1jb8D6iExVHmzB zk(poQr~R4~AX=)q{RGBFHDfb3fZ&=S*}t;8xj4DFJzQRztqZ<9-0nV4KAtm9PCi`u zZ7ad8mI!NSO+1D*^uvz#Oi8gK8ad*nG`|N1TVM!-AvH!vJ0we{%e)J|6M#I|KJyx9 zCYy;e1;vrN@g8h`FA5eb>yDU2mzde<*pgIs^4kd`Qx>USfTZC1Rq_kcd3pDHd3jxer*PxVdvH?r3LX|GSL68D>%zjG78d^_ zrs89_|G(97H;WVadR~^s&=5U69u{Zw+u7N_HCUW`@B!@r9V`41WiHvf#z!66=Dop~ z!XJGE^_`n6dx&$L89Gdof=@dn|yX$%ofiT=YtPD7sIJD@p{E4rA0D9ij(et`}6 zeQ^}YWRd_rLg#}@8su_15UEE+eSo*R(}&5Bz_M5Ty!%M;^sy{g8D~6QII34rz*gT` zc_@i)C2L3uU0Q^#rWPj{u{QL@^UT<6;bmZ|-DV2(;V#=zjBiZ^yH`Z|whEpFsvO@J z@Fmb#aeqaJY${OyPSU3+dPa|;0t*1 z03tzqbb0A=ToGo@Zy>IFaC8hV-6Gv=>c!U<$kI`~OZ5YAt$kK^Nexs6D1cfX^sIyo zB7e~-T~|vM1*^>v9$z!G8hJ z@&COp0Zl~#LwhkLTm74us(LdePXh?$!Q_u|E%e;}MfE(>-Q#!^ zZ%a?tj>%&o;H|m)iMJRJ(jL#VJS?N6#J}ob&87wl9zpw<@MHhkaf}WQ59YU1lnEI> zDl1YHf~2CQfEmwI=qQEUUuT0#h4xnND6K&lNuCJ9897Q8&hi=|?cTOtx~Q3MLYL9> z3$N4_C|?q?6>E$orHW&2-{jh4Lrr@*98ZR{zD{A1CQf43u@Ik(meeRHdeUI`1bQYI zo4JU<5j&*HG2V*9U5#=D#<(Gs;#*x2B9<<<@3>~N&qn<|js5GuuKPu@SoTk*%)?Bu;Va6xApPdD zP*v4Wh@Zj4#WHLm)!$Wh(n8BEE|sXkEG# z$>x0hFHqDrx`E{kYupkfPJx*0k(l(PyJ(_Nq7SqM^oiDOhjKw+{9gs3eA%8GMoqxM zSBP8n;N|<4ZGqn6fds&*ReR-xDzL}1us^Z%@$#<6VG)xscZ#=0LXL^#jDAXj^^f5K z{J@!XyioYgIEWnL8iaGC#h))KMWmX6AGfV?vu8pQM)ucE=?xXB!_R&(wu-+N^ki=^ zM5a?1P=%Hq(kv!g4Qb?Jbtp-z*KnAbte|iY+g2+>okiNN@?fpz3m_801`nq zLdR-Lxq-cN_)0%tMLKa1~vdYCftIqVeXcS!7(R4M}Nq`NfkS&P_3K5iE zy4UO!U&o+gM)JmYH;;f_yb{ZwsXg>HaurZPI*~Pp(8`&TPJo?~F60zt580AVeg~1z zsI{1le3`{aWc^z7J7Tn0GPaRElk@$nz&P3W_5P1a{w0PQ8&0VLG2Ntznt8;`;zcY`Y+} z>c+D7m#@69M@=QF?FRPXv+JYk^8EKk6s)Y0&v-SU2lhS?6>Iexp;<$%b-@2|@C0V} 
z2>Pubjt-g3{M0lfr>MTBd<6Q9)wp4uFJN0BEr8H{L+4&4Ili%cm-cC@%~m7xT(*6( z+xD`tS!l)3{4}}J64B81l+UEYz_&SF6X^cD-$#GS0yX`NMq?Fih1W*eM>0gyDXzA{ zq;$p?zE^+Vv#Dh~f0zJ$XbaKr>sysQaG7B^2Vl3FvQhRQOLxUhd~_(fP@%mYBbuE& zg)gkVcwyPdBaUdUb!+Mkz#qfY^X?ZQP5QdNu;<@)ue%2X$?dxAO4(r03H`Q+Mw~Oa2*R8{3E}?{;AgW1EG*-I+$%lorJD6$pfoaBwi!{mVpkz8kU`}<2OF< zmsMkz=tHx8IWw$Vt101;B@-TaBntVWIv+iKQ=bC|E~r8ZM0f z6)e34GJdXlS}ZLeWA))ma5@@Fc+wv=PiP9L1(4MnkR`?G{IHwdL{gF_f?=#Eq5eF_ z_tS~Xxs`%V-~)`nl_W%T=HbKlfOw+*H;}emsL_-&Y0w|L z`Y?7kGL*q%ktB_bl?G%AWDNRslo1JkU|^2nj~;*9l^?ag>((A%(quRmiv2XP0(cs0 z{G;UFOz48$jfI?tS%*A~1Xn9C_BFEA!7gs69lrPV#Ro3ss4IDXwJZ~#u|6qVC0#MM zN#G{*(&P~ef<13xNrir+!$a_M~O>p&f zYU$ax)%L?!zVN2_gF{vmK}YJ=oM30sj@<;Zj%QB)(b7eg{jOI1CV|uo5fA2)EK8u zK{DV#ogrMeo3N7$-HyU}rSC=bYLVkpScoKCHKYtfno`T8+$heRL#Fll@ucc&AIAvIgPM6Fqg*{>HVnhw;q>%_mrg+JPzleiUtb^bF|HqwmMHnkm7QCcC&@JZBS<*Dm>p;h0|oNy zCuocCo;@RwC>^wrl&ycVj%5jFzlCT@h1$Y09+#zfjn&>#^ji{qC(v5Sz{2`^WQC}% zGS5*Bl7RDL{%{n!ql=I z-f_=WJVn2$3ewYasmo{EkKGEg{l^*x0!bxF`-0ugdQWWBT#4i~1VOjb*TD4V8*_fY z0{snluw<1~%o>jzY`UH@)SS0>1B>|z=MAV-oHDTX%t{UnFhg&|n<3W2UKk|vK?3+x znsq~qC}y(F!yaG>@bR|TsccUHCBr|b!y}-{a%4zIL~*4~k8Kb_DKu2%Vbi0q3PA?; zc`s(voJ7cwf_Po$2ARvlKZZJI!w+5XYeQ&ct$2NKQn(N%F=VAon7FfYgN{YXmdZ-e zX4rq3B`%Ap+*y@94-Mi#4q_-m*k?sUPseQylF)pVA}Dr|)oQQnoWPVMwS&4#iu5&E z<7~CrsJ;1GIZ*61^2s4ch>Bct?kjB=ZKN(-n?tJITQz(uz6^yk!9XFUx(~w>z>af9 zt=9v%&6|`j>Qj6G$pVU3a;M#imvx`B23^_5RhhgQMBIOD*(LFDE$a8^D>y>Lkc{*FgibHYt^57jSp6BIB*3!?mBQINBBr$BlhE8}k)6dk^}sa4K;*phM) zpAMNSF$V-rbQ0=1;`jD*>)w$Z#sU=_iSu~lOs%M?5UT$q+on+nEz3$p+#F~$-hz!x zmM;Xv)VY?@Er-io1j1+Wqr>?sY^%T`chr%Y&)O+$^Ne@pJx>kvQIG(}TjvbD>LixO zYz&8S(`t1)FlS0mky4KlXb&wT*P4FGm!68&4F_XE9trX7L#fwo`ov+Q%e9O)a6;0~+sAyB7b{%Mus1$ag-Y`*?C2C&vcMTkn zWH6^PEBmv`CY6}_VdH>You|iHfj)vvruzmX(FfK|fbsX%r{RL1a3rvDvje}#E4b3J zVKqc0WoXC!D&0VW6<&y7&ewV~AZZg&4GDF>+!~2%3i4rT7ioH23dmnsHp90G4H3z#`GV zKW3!T325hod7ug0I+pRWW_`NVmban-(zUX&PggNurfPT0)gYbOKY`3lIzUfOzuOI| ze;J(N2QAV1E<&E3aEBw(Cds#f;%M3V_tY)R92f4R&ViGKV=TA$l(E^Z^|o0joz|;d 
zdj2l%NcCJ&M1>5L@LHR+3`;pH{XFuL_4_M-%Pt+Ny~!7JRIw>y^Gko5Wn;4}MA|S* z7JKvQAFRsbg=7;}>w{O-5D!pkbmo*xP;f5&`(=6^tB{gTH_5lipP-iahr`zcB-Z^V z!3{Qnqv_=JTjF89xk~SR@AgWW7Tw<3pqYl!0!yQu=Sy>i0hsL^8=PYx2ooAB< zs(7c20zwR@1ch(PEx8Aen($EEMb2T-O@u<jMW1htMB5xIn)PM1oL0(VM{Tl+xe1=kG+RtFLtX7!$1E5h02GV2vT zRz!v+3(ZcxAtJaY!@Nrpreb91L$hXDEl`Z@)t*kZD&FeeYTgplHEhT_V;|n-Dq-0r zjn=C_jE1@e+dPYy-roX#PlyCPF{0#s+~Lsd zT6MT;9Z9>AvMcTZlfdJoM_qdDk!tmWdHC9E<1Q{z2qZm!}m z(w|Gp&pp@h-T{$~F4)q!82&0O4c+Ch*zy$g^+w`*W{etEDtC?RTX#p(CX<1DGy{it70PoSKan zlf-r17n3#s7YNTU{?3QHz#G-WmV3O;o7S|J$Td@K&`le$CGy763$YtoE&|5UAg5LX zRVTq(`ad78I5yojm2mwy-3m1QpA zf~OUwU@Pq1E}Mm4xb6V=ljN$(WAXn6etjvkhF`@6T6N>k1z!bUWmQWOeIxXP$F;rD zayuHFnr3)0g_Ai>Jx&0PY(?~Hs%!oYzY;I8`>1oTr573aM9=^^k&}6s_l%uQWn8C? zauktBWc~x=6*BY0)&ZQ44@|a1 z8mSUHs~I(BVF^o5kNymT!@)q%cEsk6$)|f5_+iVXxdXAMyGHc-8QGjows0K7;YN*V zLhwUpw2$}k*}7L%Q?Bhq6oUv0tcGwf{75A}c>`gCj(Zc;7JI>)WX&?fL*NWMT8UwZ zD4%;bonJRXQHY2J306pgZ-H^HV4yP%b;S>YaXB+ckDMHP_X*3~oQcO)ek;^^rrZ1& zt=llH*tRoqG%tM!wFszIeZkW`|NL#34y=~PxnCHXENKM?%wd%x8XNWsWq3o zW3UH*;Pu>kQc9jSVEs;SZz8E`83FG%s@lL0#`kxlZ`msiF9z9tUw1a$DHc5uPbDHa znIzuyb4TwV!7acVACgK<5F^BV^0<4sm?8xQ-~5M%3D~;h!`z35@SFFc0}TQlLp!?T z+-5Y@CwG@5T z%yoyI%vu3H4fO-9#PLP6wWDw?nEng3E+Hgq!P?+9TAp4lf&{&Cih zeD;f{&rhONmKZ+}ExZQP&&}ZNg($UbH|B61O^Jz@e&){x8026Vp@;W53Mx3pSwe){ z{i1{)CEe^1$c?z=RR!@pieAYqE-fvj@@30aGC&yg-F@?~GCrXtJ^@~@{|-+@eBxjB zGOZ!Z(qKMGZN!5h!X2X%e%7BytI9&mVC5LxcM_GkgZw z$EYR__=N-I-x8x?`+Tl`4M~SeQVu{%?1E~Zv++yDv+=(dfx~|v;pzWAyib6O0bV{e zFn1@yYn#7XQxje`i+_ z?jbsHMNe{Tf{M$d^YU;&y3H9L*l6hewri*TMZkb<`xj9&gd-V0?B@vgNJz@3r~9b&7n;W(j8e9>_FD!XK;SmajcA#Gab!A|Oh=ND4Y>KFkVMIh zY^Xdn<^LQ~DkgTBtU&KUaP|rzH*p%$NHlI5Po(eaisuyVk6{Jfz6MN}{L#j5RJ_Q# z#;{BZLwqA%GxbWe+dlSs3d#j18a4d5hgk;?(EthHW>eYNUOw>bK3};OZudl(rH|rM z(!Tb$aCymlbC&`8;dgmOBLuh5;0j(X!D+1?e}>vh%D$p)YXCB%n&lA)gCO#z*oZA! 
zv2}?lN`qNovBWJl2OX8aH2VrTQEKrPSg0noa+lQvLye?-x%_zDJ=;8d+yXkY5if){c_(AsGg3l+jflEzw>BDf zc7+^8DT1Y=)=WCPVG008YS{PR!yDiXM?AfXd>>4=gsDaknPXtR(U0^i47!b1 zm&#Peh^|M=0;M`9Sx{Z3m_AJGBD0}VubGve`8dn-%6?}Z3D7xoTXO`&x4g^IKonU@ za0x{8)S{wd>IRnn0DFMcqw2hBT1W$fkQ6HA1WbZCz#%q}9+BqODo zS!n7v5}aO8i5s8QqHou4*rRi&WlC2l(?Iy6r)d3dGm=i(fRdJHEu>VDghr;nuxMc# z$^5W8H8jEB^T+jJU?OK$QgMnoJ##(AIj7TOzVi{fs*rZDqJeqLo!l&ObSN@qq9JLr zp}{GxH1uh$tELUHvDGL((K-|SX__zONQ4iue-?R5Oarii!G$(o!IyfC=3$$HfiFAr z&yCUBaZWdnZkCVg7q{yt-S6#)g&Mh@Rbx^1phQ;|iq5mqL;D5#57f+9cPzA^#H{RM zePgmD4K&r{OHZy~_pcwE1i8D{4oL0!7>|Lrp#Jag^zB=Y!EaO_gROW&(B@dA)%U+F zS9$d6) z)I%UM`{#o1D~qC&my925=~9T^AX8 zfY1=YsuO7)k|YV|N3QB*zUJScqW4=PD8EK`Cf|d3DE5GA7^iM{NJ@>$(D%6rKlgmx zoBQ0KBI0k&Pde3n7H5Q3D1jt<3Z=_^=nRfKZt&;lU`lEelFF6t=VhuyF5!aFZPz0~ zj{$KqP}hSM^PCH-!f1E=*XKhuPxzYHkpf^jn9n$skeO8DZ=f`3C5TVcO>h#EJ1GTt z)pI+7H0VzQ$k)4naB*WxRHGutGtnw8%Ab7)70pKF8kkIHwgGxdc30t+tW`upquh9b zVGg2cBbG^DD(&+Ajj761+W;@K zR&LKV+6lCJ#g}VRF6S)k*qgnlrMS~frm9Ij)s`Iv1vfzEz9crG@1bNK`NTpeIqWDk zu5Whok)B8vdTJNm3>h)WZ zjFtb5UU>ZEkQHBvGnH3>jdbJyN=7vgg6)cdS6ycyY;VG3#T$2)45wems+Zb#!ZOd|=VM4oYJS1F6HBFKSFj&8 zkm2<#FnY)UW7z7dM#C1cq_$a%McXq!@zhbuJ(#_hJv{^QcD(y|4b7>U+17mujiaih zhygc~LMs(fMje;Ae$m+7NKeizdj#s}x3KMAzEk)uIo(WDXNb(- zJs(9B)9vu-e2`+*2MbkdTVM}jd9t6OfLu*lh}m#bAr@oQ!>!#E>1p4KtV zObRFHT+S*Pi-%GvqZ})R*;z3squMNSdX^i0$Q!+L?iM>^CGxHzkz!BA$dO^1ML(@r zW3TLo`b;B|N%{@X2yK?p5AI^t^sJBRpjlbR4^&fS9yFSG(++3h7{4^Gei1w-`HZ$f z-M5LiXzMU$=c%GHTvMqU;75Pf$BgZcG0^tT?)RIPjA!)~S3#>;7%l-aqf$YB@<*lc z@2n@_>*9a2dJoFslvcC+8~D^n@^Bu4*Gl1ri@CncxYUec*bhQ~Rtk`VstPCvwT&qq zs-?P~38})gWNoi>_~kC}XMDJ4)Az}=ePcGFEtWYAP4I8pkkFbsAQ?#MADg!Kw%cN@ zN6xlczpy+?WFPcmC8~CgD^^lgT-EKX>G@y0`{LvjZ}i|a#%~eZ@igRwmm=aR*K{dG zm%#R1Nyy>IL|Sf^f}(9=2@liBH!}z(!|_K2-lDj#IB0Pgt+x}>zN{V?f# zxFX4boN^JZR;7VTP5El@lvn2zL$6Mvi7>8Z$3VR+v{SCtxFMRbYH%`QWM5Pu%kTnh z2ibK+=SJ<3`p9oZL9DEwT1@W!Y5T_%FGYn16QP9Wzb&o*!ku=)QX401kL-&!R;PGP zy{T>mJMwRSq>UGDXwrQSdj@~P z@{s6RfF9u=JHsHMWS}>d-|~>dC?QaT?-*sy^zc3y9cP-8=HEzoC41_GyyrSUmOPXJ 
zU0}(DM&k$-21-n3QM?rbmfrFHXg zK>=TJ@1}V$^MoZifeT*Umr7?pSD7#ob%Oo!DnQ)%Hqnikbtwq$L0Og<R|6chdW(n^FD*7ahdxab^=c*34N~QWy~T0 z4#@M~1Y0#UK5d~QDIb&8Z*;hwmSx;RPWG0dsYgV@U+#gyTvBmJ=f}OXoRgj%`IER( zr9`!ge_3qjpfpn%KO#)4k6xgitP_Th3^Td|q&0(9b6sLqAw-GnW4O*W)tYXjj#rJ< zZwPS1sRrtp%cFS-dM!m0>mr3P^SC&r_G02@J9M**XQULMQ_{Opc)SjPFI~t*qQVq_zCzxeADX}pWF$Z-!AS(LWzq+Py^se6aJ3>$j9`;iRN@QW@$6}aYMtZV*T;AqB zZw^mS$Hox0yWiigj_xP`mYNW1htF>%F%z+(B z&e8|gyX>fhOjkfs=^bR9!+g`%SmZ>41BQ&8f{gttxIsPD5s8vs-|nu;u&8BMaX<9a zWAil8favnh@CkYQ8Ps+@i_o{3cuH@Y2=+Fjt$cfFI&ndkP_wPbn;TcOl%p7Ihqoj z*a|u0E^O|DaZv)KoTzZwnMgdEZuyVN(ezbktHK}TJgShf(>LH5SxW7#a%rpKIpCH` zo28M)SAWX~0@P|oww zNd$_;(rNZuGe2Ylw{gzk--yY~vT7zc1yrN2=xkY()#UJW^s!@w4JXE?1PAmqpUe@*P!~ z>LMo{2egtnpggy@*nzpqeK^6>pPJmV7^Cl%SISM##IMJ1>oaN<;_=*9&YCB!oFSrN zo7Fc!|K-K0@U_z$u=;jIGvzDn#aT!jQnti-k5PAb`K!tHCxAiV^dX67Fx=lqh^cFzHCL z={D_}UBCfHqRsxS1n1NYahD>fqSQ2IuDu6!GO;@n$*poE!P`PUKQt}-vA{nLUiNRn zkkT^qA*Q3rY>r_!9ZLrleQgG41|=$k6ITwI>fvS?!It=2$q%^@AawbZEQyWsbML@C zfKv-CvHJmEC1j`7z|5VBvUVdIPWdIqjGvp0jxIr4=CLi{V(i6{>7Z$>o?X*PV3a5kPd#zA z`02O!!`m+yJZ!~E?%UOyN4jmt;91vNi;+ENep=9!pLAuwr@k_?+6V7mrlCpG7g z#uDe(a1gc;9M4pIF zxzP%2EM}5+VALKqT#;rC?&(x?%-Q%RA^r{{~pDNMS1&{jaolFn!bPV37kSzx~DPEIb}f^1AWT# z9xt#%1<*DmFwl1+s^mtZ{KR{C`4`F9q4R&+7UhfY_0El z9t^+VtH*fMP>k0eivVU*{Sb-~b&*5YQ7mvv zurekVwG_1}s>-O)5X<9m zFzF5=V445_Kh>AK>TFbDf4k1RP0 z7H;;#7H$M^*9E)YES)hS&vQ53tYQQ27H%RLBgZBgSa8=@nE$D| zvVTu@Rj~WPZsUf)XH>PqF69>!QPl%nK_nZQm%*S_w}zd$kelxcENfI5CBb%dG3>X6 zwQ-4n8{MM24hG?<=J4SgbvVzcX|+@w^L-GpGq&o^;pe!<9S*>2H2lVaK!-`91Bz{e z^JNsH7rRN!?|Rk{vS17CLSu7Sp{P3HX4}YJJh%RENxPRS)DhU9>77;U!lnJl8L{2B089?HS;8O>*&rH3voM%FPBQn)0-5QoQ< z#CW?G?)c*J7rN1NQ4rj&`6gvzHwN>ALhC@mq#jkqMpZM?L>yV3=VP_!k_zvZ=GTKQ;pNJ zPm;5b;N$sccF+lIMcz?VrpZ=w@hs$PzbI=bp-2nn5J zpDDHzZ6&gvqM3|_Xe0azAIgAK-|xwFyFUd3rV!paN2WM1W1u&w`6gxi{1t+=6gCYh z8JJi%w&>>-EShABqk`71>yuzyAUv{*^c7sXfY*Do#MmL`OeIy#8HAC4T64A-385&8 zNRDJjrUTioqMc9aF$%peV%Q3BJPxBr?woBq3vCWCrii@q?rK_^&B@8rHqx52M$dL^ 
zUc}pd92qqhL~Mgo^%ga}0>34EUZy$%`v44bCXQ=X=+aMX*d(oot@pWJ z%VS+e!A=lAlCwXjG4dEL7IJQ62*o6)S0%EefdSVe2zs`nH(e}*+`;$09->sEOJ2#N zTTdfV>+8;7ftWojD=qvzyk9dDE!o5S9GY!SubBM;%6@8KRdaiR?bKi77Z4~GnP zW!_9P)2cB&b9Ql;(vcGTu})wc?L1fkrPvytSV#gkPPBIbWLV#;6d&Iu^yPi`kM>)l zpY?xm=U2yXUoR~H#F>Acpqq!6m-BUZ!&QHKQ|D7ep8vDA{Eyz(!|eft)2lLR?7~7# z_l?{+RDeDX`*y!2=aa7}yVD=Y6#U~(BPDSwVCeUuWbCfK(Ax?^%3o+wQOah63)_&{ z*bvX~#n?}c48>YPupnk1aMXx1Wh%rK@giB3&^;;=rW1@-SLlNTMr9j$OCLVip=~*= z+U|=F)dlWxg4~R)B+BQ^5KmqT(|^XUjBbzwhqIeHwLKh2DPJCiV-Od!l?im>=BlL}yv%deRi)J}d*}&M?m{P++;D zgER%~s&*oua+@WIM1zpzRHnp=2qlePq4V;ydh}Km3WG;E1|0>@qfB%1R+bHxdnUn= z$gj!KftfRD5IUw#FqZ`w7db*VgANCe0_bO3DG3Cn2lU+wV0#f`NQZdzA)1FfR0kXw zm4Rn*gU?UYs#*bzV|M=S&&#Ld`<3hJ>N(aFkp!L+WkIEgnt+$C-tX+QtF5X2Q_<9P zSw(*Y-7Ztp<4Zw_vNHidDQ5b2u-4b;m@RLlQpa?__Yj7MpsKlIqDaN**mgAksMLT4 z{YL&~T1HU*>q}G_USyL z&i9{BXFVZaSXhOy8_5WGDv`1MlY;MWeI|;L-0u$#m+1|I+^GC2m05yYy#k!_W3Zbd zSTP&+TvR@-q!L}zq`@Jr(Va-&9|iA(X(;B&^k6c>@u~NN*Nq@OmD4!VYut{xi-<%B z#6P}CLG8~=M4ws5GHBg_StgOxy0XC*ie|{7m`UH2)#7*<_h1{uvScZDKa}ze`9XUnS?+5{+tGxk?&`*-+zF%0Z(R>wC;r~n2V2=lhamq8DLOlZ zt}jy{v)g>_2=w?)Hfs$fiqm%q`7~Jmk3I26|CWl^OF+7xMpn$ZOJQ%f9d~9MZDJAGKN`}W@)xd zVgc})0Qgr>V;Pg0lUPQjh?A09aa=M1HVpjj>Z}Rl0LD50$PKy`9B+$sC68~TeXBnJ zVVT`;BEYQ-Y6grkS|q9Rce3+xpjCgL(8pf$mF~gjUBK_=|A(@B3bLhb76jb3x!bmF zyL-27+qP{RyKURHZQHi?^!I;fW=_mROvGGOtg3vgZq`L*){}2O!?bGVS@ytsoY>%m zX!wwcbA+k+xat|4ML0o?Y%GcqS;`R0)IIK?Nb6lJ`vb>tl}0?rsqg#@x(*q$f~SBj z-6LT9xJXnG*j7;CInT||H;LPjaziC?3Eefamp4)(18D&+>eO^z>Q9!4WruzQHN{YM z;^r@rnpDWS`K(o8rXNDF8b7ckGUxdsZT0~mT8gT6^GS18o z*_v_78HnvE zQ!9}Finzsg&=uzP_mpS3)8(_HK<%`S&wM>3Aa=~YPzc<0LFA`$j|J$Fur`gvnnLS4 z1RVROc7s={pg~=IbwWE;Blu}2mfp4MulJ;Y+#Odu<>y4l&fjB_p}VdVTDy@7G(rkl zTWH^sW@aS`GaVZb&lkDV{K>ja>E|~PB^;=PD5`nG!09#YJz``y!KzueYyzqKllUJ> zRrp$gk@b}^8bHb^68cwM^kaoOpx8mQsu;y+nV5o}SWe-R&Wqp&%pGFRIPxO|c3LZ< zz+03h$XaeEIp%v$b}Yh;#K{N@l_8^SQ=a4`oa+Ak_=ww(f{}aR%azeF1gW!rye>5O zu2WNRn_3`yT0>B>O&L|AD6=e73zh5#q`BG>Kv@(@uoZj}-DV~DSw(p#(<)lba8?Jh 
zFhJTyZjc-joM+wY2f)cxrMxYKG$%$`tqMqh-$Wte>i6@5a_UU%UXW_QAZDNf4$hTq zas=ylb8Jn91TymatUuo=^NAOJ$`k&~T1Zz#^`a(wB=q}T{mi7((u+g;Av zc1f-4L>>c*5OQV_@NQhB{QB_k@Kn>R`-}&idRtYs`jV~1;^vZHL36)i?gf{9ai0~C4*r@lf2B>{pZ>?#?Q$*Ifs=3!#pEqG|A?lz<-zg z+~tq4*s$Q(Pe3*Un&flTPL3PX&s{P9v*KQj-2K0Wa^>8KQWiC~Z0i1ALP;c@BmSH3 z-lXPcCyXfkdM@)Spon0-K_qkt0@d*Nr|X(}8+O@>|*V(8U?LkMPfL($0K+<%qSRxNaZab325{Ynw08~# z2FsNyM#j9d^-x_KRK|%+sm#21TfAQvk|-j!>y@jYbnH*ECL_jcDQKSMg6;$?cLR~) zk!w0L(NU=9hlT=FMd)XqOE#)y<%1BAOzV-Sy5!^*9-x*>L6xetDijxgEP!qdnk6UF z`+GO^=Woz4){wR*0cD=NLwJJ+GE;xbd6eHGIqxA@-v&-d!pk?T+uO&7yQUMn)Y$tZ zM~nGzYC{a=U++oo(qq?L@)@)Ga6tu4R>-Q?Kw9q=fBikJ@c?w?;;La=6qA7%<$y~Q zX6J3PofwT-&BYPnku?ejWNn+u;E0f?M8b-h?ml(ak+Clv--*VB+Fg#c5Qkfps--A-28WwM`hmR`n!bPc zWB*pyK<<;gzn~-NQ<7%j14=8yFpa1eH&*7xD?6~i(hhE8)fi(#iA5&4y80?Q81gA6 z1sFw!PrH}0G#Tm%j)b%eB#hZ)cXz!_WSA<;=p?d4TQkjj3}~n`Qs&|>avzNGNKWAu zwH(5lxrQWwQE`CuQ+SxJLKTkM%gZ${BHoht%q~2gy8;O9aT&Rbp=5Q7l=1{%owG#?WBLvd5LThquRmuPniHd15)YT+7v&1Z z-{0&7(J}sh=w-x8+*(LQZl0CNX1eD-ggp+M-aLaJpG5~KFB#rC!^+7>-JL&=XuuKF z&@%F7hQxI!>#<#4>|Qu$dn#I%b&q+!RmC8sza<^OVO2DDTuq7VhN}Ye-b)FEf#vfv{F9+bo4AiTq)D|ZM~)VnydgMv5-$%dqakgL{TLq<<7YVx8jqrUqh>X zJq^irU3=25@Vv9Nxa@M0^5@#9UKcXTZr8} z)ER{hZ$(X^e{t9nEIq`Nd9do%C)gy|bA;S8A7_kk=5k(nSb;qrG(d6kaPR@OJ`0w%ZZ->@Uh0~mTBI2H}W6C zbyVC&vY~CLxQWuZ1#I*M&-$~~ztgriK(l`)?w%WZ*MM5CpeSeMN?IXWQ!^c?5u}5T z)ezjA0*p*?$RPH#^^qTpz4jBL-el*FBm z8s$;O_AEyyoz^2U?YTHHw%F|Q{lfM5N)HfB#*d_A%9b~UK!5b~ZXuNmatWZ!@M$Wk zV9rfxB+tx`2#Jx*Sug^KFNzv3&eGluz}0QaXm3BDr)x zn9^X0;uq9JfFxjipRdrY3=X?~Pi=y1r+{!2Gz0dlmHhF9G6SIF$axU1lepJ$#$?E+2aQ{Zw5Sv5M*d!P@BAL z+5WWIR6=4-Y$RR-yOU&PCfI97-3oj{KT2x`Miy3n6fUB&;NHni5@JBAo>)AsB`i6t zppcMDCLh6Kri1JjQ!8(B+9KF06+%}t(wYx)5~dxTTYKQNs05hnzJ9Hk!8Iv0v0B)l zDBpln`#^!(E@KTXC8bTZN4maqZ>w~GFs6UWr#NI|3Xan7_^KOmal5;2!ZN%NrCc{V z!+7_Rl~SD@Zn8dXSD>tFs(1>pF85CszO}Nh&|GY2FaR+YA%P`%ZV^-gi6EhxOwpr1 z`fo&x;@Zmo2-?zlE~y@!)+qoHlJ;^v+giwAfY`??_%v#Ab`E{|Pt0cnjbwGPQ2?60 zGe&aZAO@#H-sEi2JL~G=Ro@ek^Zx4bRGoB^Q_uu6)B0#2^5TyWyBAO1ACU@{)m|hA3B 
z@Njf~+rzJ34f9~Lo@NZP0Z&G_w1c{IpH!$|W;FH^lwB+vBNtGC8t`LH93yqDrXQY&AYKlUm*6pST%htmck9&WZWGOnkw~LXaLq1TXDLdThB1*DJdS+i2TvMG5@a)+>2R%@U9>j8rMc z3bp;8%)S^`h2&%Xh0XQJI!4g=SO2K@48LcL4UM(AFn8bo_^b<0pO7QCJjuvY#ZRL~ zi8B<*;eUXZF~Qa0>!2RsprR&(V99QH`!5JYgQ_yAhD9Q1NnwF^RQd1sB(wJ5Nk@%`)!M&=bxhVfb@*+!0Hxx`!G=c>~HH!LYuDQe;ly$2) z+r)`-Lu!MK?=t~h=u&mLoi>{7TSg@@?N}fw3CU-uua~h{U7sItl>dpKa#ZH@VNZDd%a=TQ3k12+By$pbL*TTGcL$TPwO2&xF(?vA!bo3p*Mr*L|-B=a$?2f zrn`7hm3PRI3|}tl)7Cyo_J4y}6u8v0rXym+O%siII}{x{5A)DnMC@2fc>#r}LOE%jS5IprbZjJ*Z4 z9R$%%WT7BCwXmN$icWcdA8WwUDgeZ9=dVcuBP32}2dY>|Pe`Td?XtU=r;~*sxe=@0 z0W9Q9tXWaQIqd7cSp(+<5NeDF!Vy?&cM$S zwr2*4j`aRDf-c@uSHq8}mt{Vp8bD_0obe(7q7# z$IG%O(OM-qF(|d{3|-V%+qt!kp_h`d6v_f=D8pO;R&Y;=UB})h7AXfEW0x+s#h2(= z;Hx;rGn!2C$=Lol$vyO6afN&y9SgUP=Q}zn=k@0^TLQOKl^1iHj&C~QWRhZ)i4Q7Y zGmj(R)(2(M#r6xZ>!Bc*?dz%F{bb~-V#AQHIMfGav5NO2kM~`kzQFUU;5DYntd)hk zIs6nro;|;b$)ovs+6>=2{EVxaYa>i$X3hw|d&?0;yoAQlYQmHm#Tu;9N7S>)H%5bk zxp1oilo`{dET;gK*+YTLjCmC+66}p^Zcjs~U{47W))EmX$I2`7w95qR#zN?hreMym zdCsiV*9PJ!){-C^Zd()+mM0?3C(=y3b>UX8q%ThxN3wsS9HjpBeguFOOCKmn2-{adSh2zjf8xHFx98DqdMj6 z(?ch?y<}{^=^ei$DGIIMfwLFY8XnW8Ob|&!t4PSB88cc^m8V zrF%X4GqG%+^%?cHdUbZW^T=BlQr605x;tQX(yr0+5+nMe6chHM;XDIatsn6UQA%d4 z#8$olh@aTxwr$duGWeLW2glCMc}wPQx1;86fBt4-|3ILBagb%yKQ;)LYwhRa!>gIw zOZ42WPVCGWD--7S7Q=sq{wN`-&7VcKtGBpbgBmrqNdS20n!dm)LK(k=*mN5W8dzG@ z6-S!?ZxyuN!6(wUFzj%aM%`qwAoj}uLT6OPot?{=`YpOqmN(SeAy=DGvNgO}LbU0v znW!JP&Dat~3Tm!dd}R7p5T;?M)yA&@F3e^Dn+AT`RY!GZ-^e+XPhst2~#Rkn7Gq!T;evjtdyd1jH!o{mevVV*=`XERU6C z2|;m-)5%#;WxhKodjXZX$`7s6OdBYRDhm`~kPs?D6b;0DzBWt%%fZRgq81DH zM6$D)+cPM-bJT934&3Dt3*QQzDq+)?KE@w;BTY7(LW)xL2T9z1{w8Su?r|SJG37u@ zNRo75aB|EbCr_d=b;mq)sveI0eG1T`8K&@d$1tvkz3!n$>0epw@$(ao?6%LYn=p>+ zm+E8IzNSsf4mA*Y%OKp5;QvP03&dJTLFYo^H<<_zh z150(A7@sKCT9rzZjsBYT*8LesYTb=~T*8w^zGA5vRjyq{fHk!htP2C5Zkr>$6=5f| zoS~YA1MeX4jU35_SUv13aCf`_2_zHJyFwx}I;EpEsso#}uJR1aRF0U9m;gp$m{oUct$7AfSX8BoU+ui5@_^ zltLbXTi?$v|La;9;QpuVk!_0A*sreLfL`FKYirH&cw%~*l6L%<5p0@8<1FU(#c;0{ 
zC)_8^7@)2kbW--Z6rx&`eNxHF#@h96#u`ptb|cbT3|b_2`P5aFeGLCNWu6WLWz|ziA6os0gj=#fRB$-CgxJLJh!f z7^m<1!GZ`*2C~jr;F);)hdJ_n?(WB3psFUK7ai=V%--i89eF4RmOmu*EnoHp&8#?m z_`^3(PggUxGk+iMt4i+JWmIgec|+)DQF2kKI!Pf4BIbHjhdZ1U1|HcR^DnT#Na)M} z*h^1&JN5IyTk+*sepE=ilJET-Ol1)}#82Mal-FDQi&*A@9U{0KiVJ0A&{4--I2lzS zN<28ZX)lCn&jf^ul7Q4qN1#wtejYn@5&2`+ORH}DVqLX)Zd|+}Xyt~^mO!+T{L8%` zffMkiuX!pw!04TP>LzPZO$Ixjr3&`F1UIsZ+YQ&wg6I4BX57 zDgjPl$u^xn%johhuK$Qm)uP$4&e6f6w2Ery#YNJ87Z-cA|4&iwd_U8hOWfb-DGwMgHzun`0|c)2NF$cJA3)r@SF-dw1lrx2R;**) z?x6~MLa*{jnX_mo|3e(OM7q_jydtiA?o95lsTS^2zLr`HNJ-Z#? zr=u>TtRlP!R$ajtlK*n=ja03znHy-h3@ZWT18GXS>{9{!af*$Vn#AsRJX;BQ+aV-8 zN-A6DiSjJxipvGYYVEaPK@Lahjn2+*6#CLkZ%@SM+(wVB9qmmJk9pB5-eL-cNWMp= zuacFboqBYNI)L;2okVFm;Kg^OeISGeu z(lRtdYU2L+07Vk**1MxFxi9;Z{}TfJh@FoX^Z$UKAMBI!ujTpvIlM$Obbp#NVgG}G z9GL#YemeiAGjwl)KeA!5{si2_{6`S&U>JI}nSMSGW-@elTK>48|MLmkcTu4gYazV$ z3`-;E+;o%@v)~^ZQ(i3IxrC%?PiJ`)kfzY>%rNJ_U5nF~Ez>!*wR4bC6Xvp>#WIO- z?kogRYzRrtAp9M|*g5#qsB4o7jcR6n|9rk4jhvmSl9BOsrhUJa(8>B__3?dQJytBl zK8MoD%F4?4ygqNOxU!}4%`L?8)l&AX@Og8;`D=ZnKps9mR?u}Wcm(XO3{SP#X~cZ# z&P8MM^%sqB)TAxOYxwp1)D?-^-s*o+LPQt@D;y+Y+&!`dlnnQE1(t>ITt$|pAO!lU z`vyV{I#MQ&mJ`d9RrJ%LDy%s~Wpsevg{qyqm^t_S8P>lxol?PN>AEn}F`AWuxgK47 zpY-R!OJee^@A%~<99KwLwy9-DI%ZgNmlsXfa+Uhq&VP)b(O0N*R^Fa>Yb;z|`;JnI zV7JjAmk4kfg0P7Y$bb%{*4n!hy;&KjG3D_kqT0SVsS|7-7NV54wggQuMQxLFCRh2Kw+!ksipw8AFr52Ypx5=mMf zNiodPc|HnS?QDB_dnG9C5~Nz!0yO$!4#!D4B<&RIROjzmh66sP``d>11pY`EI)SZ6 z!E9s*+*R7F?b3elOr-fhlr9l=&t9y#UqD%fB6m<-+@PDoKufn@h-p21B2?6~LvK?v zExsLJZ=X*c6_!p@By+?wXG(F4`xW>;bo7(3%&fE~dJP4VQl=EX2s&KF#l+|QVPqwQ zeV`$vFn~7Q2L-OWAQoB0rsiYNJo=W6<`9NSOocWgdPK#$m*`iqG*Xkju}7{EEi(&F zE@_}K12u=pXM8chYGd}C)CQm2(h}?Ie|k4Qf`+x!ZZk<`5r4{9UGFsnx}snd1IR^1}zunKBW0w2%rlOcHqn z)kL-+zrEu=XUBi?tQ8>B{Lpc?yyjp1+e)M{$5h*IGUgC-Bl11|3jM9j2?g(%hmk4V z0vbmUm)Wqu=5rxg;Z;**E!xfk5#-*-<VWRJbCJSKI2HMIv0V* zm_E`$PZon-Rwg94hChq6gX|xXKuk4F8x72>2B~1-YNU?nt+Auxm{5jOsBWU!6rU@Ua_lC7kirro83Tc= zYz`M8ndC4}3~b>4Q~tXGeFMra<;VfD5eQ`)b1t1}u5PK_4Sa&#t;g4~=w}j$B9bSe 
zY9Yyf%FVE=mFsD(@BMiT;sL%^IbF96+-}nh%}d#VRDdH)*}+LuYbVU^zhixx z8_hrtSET-86G2{Wci#0ofGf}EFg- zhdGZ1>V3fQXRIgn2O{1`9$&<=Kzl9)1R1~0GV;j7Bq;zUA(D6TlgK+W(UN+2kNQ2jQ9;TK~L(ui|;0ricOU4{oO z#N4nDrHx5fiaB)qVe#*92{(vQq?N7XPC0(->vMiU-@@v}(l$ zON=(2o{q8VU5U~e)}X8CAG5s<45ifRA;ahcqSVm`V;$I8Ld^mgcHJLXQIA;=kNMNP zU7BGB?lUV`+SDukMY@77$2E3^b%z7Yt@w~biPQ0= zg;3d$`lr!K5FoVRH7+mkI#ta z1}yCZHH5ba|MX=`EcxpYn@+KQp5S$h5&bn^X(A5Av?aI)33I*d@ZtKo^NX{TN$yD1 zy7--|-&`gbVo164j{lfy`esf-Y!8*}Q+l?DooSR;nF?ZMH=nwqAca5KSV8Rr?l)tZ zDj;~?gmOsPP;toYHkfw40?tz(`_#3(w%DRQ1oleP9DmFB83_7zo2iByj}|N zOa;Nc^aHMBxQq%uf_RW?z^uWmKZ|97;V21nZmc%+sJ3GRFdMo6yJ}s(VwDLMBdF8V zI5X9BE2Nof0)Q!$^1yj)KHWM6gsJ&yTLUV3H1NhNav(oChK`_2f=s*Z@+fI9;G+06-0aI4ztDSfwx*uSe-CwJ=4cG-)*G1oAOv zhCAoshG%d>pq>~BCdzVn^r_rWmcv3^XCN?@s=K6lA5>&opGmm}X7NUvu<W_x_E^9J>^f*OkEO|w=Nf%{J(jmcxFAl!|i(GB9*|15fpTo9qQGie~_JOx!AmvsA zzXu{3qFX0h;nZBItkRIGDHJjk`1F}W3OYxVY8Nvk62I1nPb0#!Tg7T>kNl-^;vnDg z@Zp`Es%gUQ6a$xrA>o;R(^phzOW0T|lNUvT*2NDv20&@;YcbgSPom9?B{2FXf=?jD zfR-ojl4eZFg*&usnG@jZi`R)PTV~mB_CVVOx`*T1rBg`&kx|)c8ivf52i0dM>^d=_ zB1sipBH-Nb#NObu5dRRJFO$H3@y>2cOmM7R(7+nKJ#*U9~ZeoTLy5zj#j+4j$|}m8e`fSFG+Dl^MbC(GE^wRJl12TLxYBkEf0d&-Hz-tiz2-7Jc_{K-%tHzTEi9T z8pyIXCZ|#pj@ae(w|F?oXKE+K@$R~YjuP?sG3SYE-GjA_DtPG9Il+FfMkkMrP+fmG zOu4%>2%w(hr%5;9*9(ehK)tajLJAUDg^$9WsyN9k*5;s3#twu!Qq~6fCbr@iWKd#4 zr{ckL>m27YZQW^Yn;op%rqm%conl;digOEvXQ_yX5bvDJ6W)#Gd zjFQ{}*&ZS7mH1x11|p~?D%6t+>QD)81fcgS24Z~ySrE219LB8 z31*^2rUiJ;dIEnCC zBH-HuZe2q24!eATb-urSw$X5=73z5%r>!&Yjw%breesy!%YQ~Yk27Uh<;N|iNDESZ z=SuB3>#4D)*6)fWn^)Xn1+Uc_CgXQtNN2x{wG^N|qCGLp*}Ft+3a4UO=H=^u6^@=a z*xIH16eWE}cJ7PZW@sl8Qm@)f)#RU)hprKC=(HAoQyoZ=@Sr6(_Kj#`l`qu5BHzvL zJ?D=RSue^b=H@HozjS;Fuj1FPFYolc9`syT2DpWPe}M|8MTC=z^DCkbOxmYV&`_Bf zC1b;NL)X0wTVjOv&k-JNZS5p&uF9eo;jbCwJK|bMU;Rp(t;@5CGpg4tv9Jerzn*x{Pbksi-cL=uALkDxZw+f9zLs!R>4hYpczsY22x@mlu_AYx;%qiggR1SfJ z=^V2Qol;uIZYC+L5vmZ-duc$$jauXpTAwSO?gbDXsfmGi`152SrL${XJJi3N(W2{| z7@K?x?hF3ls@E6nFEC%M1cY)k8^h5NFY30}*9;56vkTi#QlrMXfEKW>^qIqTus?y$>qUYs_h+??@S>{Xko%quL#UFq^Wrr~tlYqT- 
z-jwG~f~aq);gEt%I)|BxVgZ>1QqPcF`7t#1a)Q?@hCO~bKUQw?m0U~lbxoNSD*~35 zn?uxWDR%`l??5jR3y0iul;z&ki9$0GKHDng!E^qTQ(@T9VA%JCjTv4)VnU`9BcIzLHsB1dMba#yAVzF>BK`J9)RGso^B42!f8mIA6l0 zr@c%n-$D$*uEmC^cRH!NBLl!_lx|;e76?h1N;ENN(Hw7P{PjNic?|S9f-d?2E=#Kl zW2w&`EjyQM4UW6NJcbuc(Wx<0fLZxLFGAKc_`3_3Y&{Nq^E#2VF}=Yd!A7p|3E)fV zqRa#5(_1?loCy|aisXuL%1P+;`~VaqJS2VOfQc_ zF@?IMq&3mKlg(siHYV_EKYB4UQccN7F>(x zrS;s|rV?QpkWOiG5`T+9|DiI8e)`2b9~M<-5smoSg`8USCluNM z7FZzL6yftY2a1piGO4K2W9g1zTQ)s@Ah4*Vd|z)p1E9C0ZaO$E-LQ7Y!|prPnF|l< zI&ZMoPQ_cwKQtd!0wUaGByOa;`FtIIHHda2*cl~-skoWU4LqcFTht$9)yYYyS*nYvsuQV7rcPqi z(y~8I{+KatMvztsxiE|)=jNQ03EW{rRMF?cPvTqS_jWaX6Bl6Vy#SnP3^MH^=4_T< zU7;ud?gTNu=Ak%#0NjI+ zNo1RL75#&h=FwiuJFHTRp<3-}dwsFzKr59XxRkZGzS8s9vVDN=!@Q>kPZjnKoe6RfF>*K-oijB&HuRkO{$ASrYv}sm0h~H`A}t4|@t366c;tU$s&v++h;92?#yr>Q(>QDZ2ke&t{P)W1^F zrk#DG^}w7(Adi}&YHU`vZR^bQz@}}#f717}Z0wd6| zLj>i=T!0$0yeA53%UnGk6<-%e=?{=bJPeOA`xHJu&gZA4i}molZEr{DjSwF`rmxw< zgkm!p9{J^;y*c_v1L2k`wpgxSp+2HL@{fhQ>!5wyva4Kjo%CFih+$?K?m)g z&BbBZS`L5^CR2Il(Db-;m_)Edv`-NaRiF5Ktae(KmR0oZhEcB4k%LPQ>uwM2(&LOy z73@z~hikLB7h$(cC+6EDyZ!J)pxr30RPs2`h^>o#>Vrv2n4F9eEQ38WHRx^Lb?~PV zC{&2aNT$~l8QX+vU^26QZRo^A>J%jwaW)VZ65wVL7w^^me=(dVt>Oi^8}b`wGf_w}S}GWP~^$+?cKHULbavx|-SQeCC>H z4ChA}v-`QvOly4m#LJdA?_IxpJ}=dHp1fR+#KpXGX+L}@pWD%S%l3G|J6>MoYbmcV))MIJYN`E<+9VShiCm)YTIpr-W&u zl+@CL_vMp)%D1%n1snNt!Tz`G`1*#fN7wXCmg&W>gSt5IGk5#WXoB;w3>(O#V1TvE zo6sQMU!U98=)Yx3jUM=*QNn?OZ2NY=~Pa7A+$xxR&E5C zwO-!Cl*kEwl|S;a8|@S~?ECoCerhI=>|)06zL66iQDQ_5E+zGs`eWzwp`Ux#(oAO= zrEw!>)4*4|hNgH{uX!dv*kZhRHPJci=|#l~uX-KHHlt06x}ik|rhB?|GfSAx)_ZM# z7F#$^F}*&!=)j*!QdYuv@3~fMu>>C^Z1EW68kf}~G!>lAlR8-d!yrFj`ft@qH8UJ? 
zvW>~*?Kxhyz-u0J8e)uUwfczTZrrI|`p~ty)TTC^0#60T1Qr~QXqgpTj&KS(1j+mB zQ>?mKW_ADVv|%=0NLo^Jrd9DG?J@yXeV$it!LowwLOEZ{B)$I9zhIb2m?l8A*6Fa` zQWm}c`L87>4mJ+Ni6_Adx=wXo(Z+pc>3ITTB#x*T5V&|dN{uRSzg zTe=(G&^uc>ExI7>jf6$bJQY1eS(vIRvN}W$s3$L{g#~?C$T(!D3RxJ~+2!gVjEfY3 zf?6HH3zvfl9>=xWc0c=Xzql+i-!!Ac9zw;OOE}zLGrV#YgU9rXeoj;k`<+Y7Aho!P zSZ2yN4{!f|zxXog!1#8YC0_DrWn&LB zQ+nO>)aH$dcth_6p9;OzejwlV)VI@PaWeWEw8}% zxckeG736K?XUfRr@olD%{0~>8CWStCISHmsnfEC-93D10+g*_!b0kzPMB>4q?WUhm zCck@qea>`bX;X1KRw+X$SS~CaeJ$R|s*fJBtU&mzCoMuU_esyw)D8wW(jvZdP#78C z_E{J*%?@+@GS4$ydyoXmT%|C(@A^jBJ<=wV2(>Ykn({pr^j=v!Re6!y!%89c1|_re zf{}}jy#OnTb6x^ex{;Sm6=YdzWgHo>AUjU;Q zM=D!!Dy@n`rT<7U0)d7A^AEVFRi{NnfSKN9LYkqHJg^R#PLM)JN`rTsZrb1 z+0jb8t4SbTuKFS7P~`Y5h?oBF;O=cYg^v3(7nbWvSEhauEg8jC`SpBP!MnKiPBA_dQ% zzkj-Jd~FVzpRZ=#sOZnL;};{6E(@hEHdbN`xTEKfYCy1sqj91 zsFHf3*#wW?L`ObLjjQ3V;~;@fQ|S@62?UuO*Uvs+Ld*XSg6?NK}&dp%2JqQ0WQO(RxWSJoDl z3j;Vhg25pd-y6G`fmq3;S2PPWAW7ubywFI!C{xe1hrr+2Q6R@|qmJ*1a{`6bzM9Dqdlt<^zZv8AU4g!U9=HFPT6dg{zmMI$t_t1_yTszeg;EltwG=Wi_^Wr-mH=&Is^s}h zOnua6C`4Te9Aau@0yHOu9*0GYS1bnrzWDU=m(n^B9RTGhdx0uzw{fC=+tImCAzEW? 
z0!Qgj*MmOfljJw@L!bnt4~f`Gk}7Q0%@g&fDX%dPuduJ1RW+qYGVGPm{*4=mc&p&U z=7ySPn_;u89pWK`FnWAJszr!e^axqjx=5jNM}#bt5Z<{7T7<44T_t(SBSag8K^_9O z<5;cW*-T)!8Yh8oNb)CRmaA@MrGl8lu#0)m%_=k6Hn`Cy1t@!y72X@8;^(hWH-=(# zlvUP4sRSn&_gqK`=5&lYYp;?Me$nc?@}~u2-oZ|Ba?y5!kCra-;$})lCjdh{K;;7owQNlbey4g)<95C6JGi0 zlm*dn&lGA~rI zkme*Vw%LcEqP>T(#K~g~lif6y)v^F5(=o`g98wtX9)8AR;xdAi0Xjqfs#L|5e2(Lv zlTb|y)oKR&&D@j5kFsG@q0Z=_UTp`V3o=1Gdx1pmP$6WXCC7xip^|9*nt?3-uA^`W z>U^**cqF3Yq>5Zw_7UHh7`RH2m}qr8r!52J26}seaTOk#LHX`E?yEnPfFU zN4)>ZR&%WJM&$}1h^zwqEM?LiSariCwe>_|^(Q%*=P_%-tFaIvu0?~<8LgQ+zHp>f z(!&R#hXkR%dkAL0k7J;`sms$$H?8h)y3O4?YWqp`(tgE6?Ih#lHSj{)R~z0nS}z3| zH!|hbjJ001ai~H+No)3KH0M@>+AYOvu*VpYF2J|*Ac+lo{>mv!!IKzkj#*!$lER{j zx=hS@&e7}?W7sP>AA3m3YdMt!5T74P;Ih^T<-9T^GB=jczS5fEAs3P5gOH3Q7eQj> zLlKE0Qe9WufDNgxspDLT_R0w+EA?9ZBu)oKxLiP46#`itg#{bkg3*O*3E-m-MGz;D zs*60~xzPGgwg=$6d^hD;fN9<=%J6X!HAQ1l-UyoDUOA)Cr$n`CHTo05AI7I{9iS!v zO0Nigp;9Ate5Ve21sMq*(~9O%c4$pAxOT|@0fj(%zs>F*sLU0F5>m}4+;kv?df2p+ zK-MxnXh=7wDOLeeC!||lwQgz?cG?V!C|RtuZ(|4+b>;U)eLEC9>~Mlg+gnACSUZD$ z5QHy`6iuOe`_xyoa(=l%GruunMj`oj&WmsbSqvZul1S%RcMupTf$m8z1(vTh3*mIV->ygi z77s_NDN7$fxe+WKVB;{P70-|LW~NDrLD1pJ7fjPr^0itEy!Gy_G=;EF4YHSH0%f>5J8aX6l z|4ta0^V!^y%jlA3MsAiY6EaU)?+!gzQ(d_u(j^Ii>tv6nbwA_#J|$z-6V|UG2=^QB z#>4oUS87mS`&-G}m3){%Sj}szkgWAdR7{SfTbxBg7@YPjeDOqD_ze+YtngAQ=OJ6M`ks~&`yiTH7xd4VBasBwg3x!FH z9BGJ`?L|1-uFE$sQq|bx*ap%9?gR7O*8Ft7K?toWgrJGaS(yO*WOWv)jM+l7BxX5K zPZUE6k!RkqRZ!S5)!;B}f#G$>I)K*Oug372R$A2<$JyL)xd8)+2J5Q^-AnB>8Ey)| z%Z>il-S^WMsFtu0j?-5b0cokgsJl5|Vmc_m8&BQrBM8|blCEi}KVFq*3t?#CB=F*FNn4U*O`yXq-JKQW;33V1(P#o#Nn)^ zj(mjb5T0-Qx6Qg7665BsbZZ-4Bf}GtpLNroYP=q%nGNkPh!C$L#g5mnU6i@OGq@@3 z*b?C&=q#{U@_(D785aKkBr9)Rsxi5Ar8ENy&QcY8ERm>bjZqT*Rq=aT*n+*ZBn;(z z$lP0#*HZWQ!(1qo8GHcz(H&bIoo(=uqpR{Lm8$cvHh6}Ye87Qu1iwX4KATsYxHv=* zd@PM(H`}x|HAYJ9u3u}Jv1{+Q0A(bM&P_n2&XINSgZs9jLYd%{xa0v_8fm{4`Op!p zU-V#vjU@E@Sdw6P@y?O+h<;!4f~l3#5QvaMa)C&8kPuM{O?a6VRgMq=KpY|2_CJtY zEXDdow+3Axkau3C88O;YARs!$d%?4mgopvXPTKAL2lohOqx0uPl*G;lk`q1GwAkx! 
zo_kQW&g|W0o^C7Ieg%;(xy6l1MS!@xzH&%2Zuh~df%jNWR5oV|ikvLEXS^B}R;_oD zZ8uOr(&wIKqP%BPgO6!e@*kpJCTxMv;{r8XgB2J;>fsQxMN8?*B~?~s5^bkYwD8s$ z*Dk9d6N^Pva=ki-_o=heCOsU>NBe}0l&rsUg~H@DGAwQfiRn8EnJT4Amy)(kx_rx+;_1+{ajw5-gr z2n{l7ZlowxO~4`JD~xI}CeLGqQwYYY+1$yoQ3IdT1uLFY)t=F_&uN7~kdc{|-6pm_ z39vD_FKt5hYloHQ#X66kCRxGmF)1}NaJ2Na-r9-oX6k9?sUQn6etd1CX(XQ~YdkK< zj6@qmWiwR)K;KB-F>qaX85O_?RX#;G+#S?s$10``cXug2eO(fwP*_e&STGRDwB+ob z5h^EKOA1&fIIm!{?Nj_PHdUi}98ggV)fxldMcP@h25VOK%OyT8a3~H)uq5IVXQIqs zB=LrO3XEduy{;!JF z;L;vKzOTbqfs)ZollEu)8KH%qi)uE<2>H|)r3JMy#e}-^5CGWVD8%SXjB~BUE4nmX zS@Ql=I#5R&vD;%G9EYV0c(DSZs?4pE6?+ziu`n0U*Vf040GloV1E!XG0U{6kCxPcoVhRH^$6#i@zkkCF8K z6C`{OP4*76lKRA>ltk}luzC;0-X!m~6z(3H@dWRL^z9z{jjV>m)a||%@A8j!Pum`V zR*{@C@i^%c`%jg4j5LWMDG~#c9|jmp(~=$rCOixY_8-vJv=oMc=?jn2)-)GsLNY=^ zB0{pGXIm%FfW+s=NP2#hgy(_D&MECoPjv1|V@|RkY$Q2HQ<(e4wk5&2H+{KR3u{Ym zPEK9!p?p2XuG%57=MeM!eXBxC3Y(S+mPVO>i{PEI!NTLE<{@}NZHK9h+Wnq<7I zC_W^?_#h=8q~wE?{44lGxX8XaW*bazQO;4>otnrU)jqfXcc2Mf9 zONvdPo0c{kB*Z4r>`$5PPKHe&zmYEc;qL5Igz}{1*DVrX`vZH2C%vYh+ryJxhbFrE zVMtgu{YkE=SqsT&OheLEgLKpc%A_}Cbt4ruiRy0YszXy%2c)T{r>G7aM&b&E4N6ZP zoYOQkEj2YIwUK6;+~Ll2)XfyrWSaX)MIAh_!%|R_(@zKHXp_Fw(;(+6eOY#=ovwc? znPx}IX?q%JGS#+p)7BKyWQsebnhs1e-6F+wSi0qq)Y89&f? 
zpxGIkI%<7uQPpb2E#Q$=?Yr}iyPZ*T1!mh?F| z;j@v>nPyDS3bY6pmOHCgTXF#v{Mc|pFYBzKh?^O=5Jip zStStZ)kDz@)W0gB>6x|FKoimXiDgta#-(@dLv__LoWe4koJv_c_+XkYAcX0&HriNi z*?s}cq|l{4yDBZR3QaTEs?D(te7G>K{mlelGRx08)+dPM_8A-U*y{_&@V~Yhhl-F( zDP~3sfq}PCl(@2b=(^L?^$~Rta^tOX$95FOG1m~oCZ;j8x_WTh(_ZG zT%^EW%8h!|MEfYRL<%ABrQCVrfGa?itCcW+U^#eH#f)&u*n*^rlH$4^ERrV}w$HQvJ9X zY0wgL<(!SsVJjzqeGuH|AH?`Am{N2$e9-KBZlvbbf|eu6XbxZ$_Sd9w<7EyA1?6mQ zCz*K(#xiBN29{)@Dh8s|(Q|wajnD`&aMq}~-<$f57d6jIeMS~EoAc71BTCZ}htRsN zus%5N4`a6j03sMP5YqeInmkq;!Bc(5?(9qSB*2VSQZSU;~Mm>V2BxvmP1Zf_OU*Vv(DBRk{Dg0U^+?t>>=!w z)BUNRyBgx74@7>{bhf#anug|EIx`F9vS3nU+?}ig4hdfvnE(@!a<(kQs-20y2!ay5 z-_p?i-hvW-KPC>c&`b|xh=I+*e81I;q|9W#FxwGqDbGly7&$(M79Af$mM5e67$I(L zJL$}!TEy@gs3J=$wbS?T-LK!iYDuw*OrI8ov&Hm`@zpepv;>3-ksqs&!seKEsy_|V zw@3`-m0M2_*1y&?n`5qo{Su_Wwew6f-`YWSt^^WtsjXsg!dh z!1GF7{Q)O%zp8>Fe?m@`cLZy6^jWkv2j*r74=s;iMo)A zGKa=Nv$h@NzQDo8NPm?WDA?yBwh`8CA%Q`B-^+hhv=}!SGv4Z?YhT^~On=}-o>7U` zbqn08gw3Hc+^3VG;l+;i)GI+*=Ps3+XH`L^1I$}(JrDIVyJ*@w%ya#%b?I-( zBo~;971Pw$Hp&U2N4PaBrjGCUO&x^WM~H@C3--V~4LG^qv19Uum(I=z@0OiISBh<; z-8OcLY9=rhlHD^&PI5tFIIirTXZmzZ{vVS9mR-qaRP%cux#TQ>8X%AW=iq{zz-!&@ zTr615sbfe4AT|_YhJ2W|I<$PlcQwJl463^OFut#Z>XST$q z;!X_WJ_8`oK9=e8IR0tYA0?8_V2|PM*>Z;^$e(TMm=;S>h}r69DH+Y5i&AL`9AImK z3F#391R*`bQrudA>S$sB9WxgXm~RT-j7mF8kt;$M!b(One$PtZ>TTp62%x{|NkD0I z=vDZJcZ_O5rjQqJTMsQAlWUPj7N-{mkr}NeNSN~`6IH2^e9knJ3tqDq7YoWemDUt<`;aV`$H{NmM`lZcFXVBuSqA5^xEz&Uy2CP9 z(mg9lSu2l|uQDW4Wq>U%Jv-&G@=^w5q@)+~+Bz3yNLh}={FBGXJW0xwZ-jQnxbM49GOnG} z;6O2!MgWF#*EM9EM~s7P6Oewpb+>6#K6k5HQ#k`aiIs}o;+YjvCle7{m+A7;|8(yfvRo5US_)52pbMwu0n8N(dWR;F zO9;d>jXn8v^rRc`Ta-;Q_gnz_s_p5?lhbjd>!yoO>n?WEbzN`t8d^=u6@0RrA2?QU zS*{-Fs+S=+b=&Cv4isuBS;lgo{)79NyFw%Qv2G5=^_X1g<6{NZ9Ggys$l1=kYpq0P z!eMP+SX*DW6T%|!bmeFS2DMM0Zf#Io_#K?Y@{j5rAGmL53zu>XrL%vzV;tYk8@#uT z8zB>j+I2`^%))9h4Ng_}^Nd`J+#8h$T9vv(p{Fe?8%l~xiLO#;{ajfkg`4l3$NT5k+_8$7w()Yh;v6fxhMnvGA5U} z@D-T1O+TWB_{cnW&Y9y0-8}z6l*igXM;1adOU5#yYjc`_KeY^6=1Kz9hv}J-8)&7N!@=ri 
zddf_!a|?ZX@+ldSi&L}8OWZ~T2GlP0IIAL0YR=JYX$?59Ehe_k>067zO5+`Mzc8vtKbLz*ew8=L*-~v zWp_+FeO#^p^1sq#LJL}EEZ_83L?FB1<46%&g?aOYI`s%X8F;+`r{2hfk<*+89lb1+ zI3o`=;Y|$;K7oJlKFZ*PDq$|2cL)FNZQWzS#xt-jHdjU`&7)?*@LVWe(giy@!$C0% z2TeXsQ?!6}G1nMgmt_uR7S@*Nk$fZ1z1VduhCya&&teb)7S`4;##_tXLPEyKHft|BrNhHgwNGdTj63&;) zP=bR1CCAvvQDY*H5ZJMMk2Z96J_Ys!YCE42cF*LBEQM0A^I_vsrTDB|#EhI%=b(dA zAA08w$Rm3~9)aX78r*fCGF)JIiR&7D!W#MX{K@%~4WX=)Xeg{*!+*6U#r=6TZINvw zEYJ3-u~QO_Em6+&6l@=#p4PS)^6B~0^Cu^!&reTH?*nVf)6tVt5{bZWP_#W`s$oyL zDlN$UgOIrmI zIOf0^ITfz;w?L9={e6SAw>-6F@XUQzP55Rck`1a3W-SO7Y76*}jFkiZsro~7z6l<6 zbw-*+M8!1lD>a^P86(>RQE4N71y%JMwMZKutt&nlX}^W$gb})2Vrf(@>>_WFumUA* zjeT!3TzK4gS5qWMkqfO8rpp#Y3Mz(nR{Bi~O$wSCI6)`@P-4SlAdK>xx+qnL&=&v* zZxez9pSz}do+P!H2OX}4wQ1N?0&}QhS*`WD0Wsgr0wavZguJel2BE@|B*)J>Gl+Xd zGVGKTOFDzqn$)-Tm+F`&6v!5KH%Lgqg{LAqjjyS1q-C=}gQ05FFnXXXLZzrm>$K{m z=z}|7uQl{dfRQl{%UMBwUIZg z$=3VQZa`Rs^|tg&@VHy>X_ov5w`kb4qa$*HPaZ2Gh0v#4PoM4P%XiDP2uMiOGE9G& z(&ug&ryh$)pTDq%TE!Q z>zAj7qeO&o+uJ%JCv17}ne_?kUb<@&=h|&%0C6NI+1I5H9;3;Er%a_l{%TiV7)6;98 ziPN+#v!%jooKu)Jn|58!T>1)mi6)bt=(;2JPJecEMvmT1mHDI8Q*|^ZR|{XcgO^h# zC9akUvoAzx@@XiDJj$Yoe*gBX7hgRCF*z3qQp4`e*#`v~y($*WZg2V9Oe~gCEO?NJ z3Y#Q`JDC)>2sZkdRzNn^sDH&R)8Ix!_~@(NpbxJ6Ls62GmHWEk zz`-Jfuqyl0dCu<7RZgFrK@)6swVn+X_LC}d^yFwvZk!}^7WUge7o|8A(l-Rm{1->$ zL`Y~+MoUsKSJ>7vniYm7pGK==ra09|l4Fe|XcMHR;vT-?a>QiC@Bp6*Y0C(^N1~&n zmO;zZyC*r*|}%< z*KZ})EXs|Njv%wd`@qK=9da+Y&b$eL?Q=6z<^g*a#Se=@OdLGyK6>%>+p9sH`1x22Lm~J#5niyx4`)U3_LA91szg&}1>!bWN21`X-Pd8-TMCme0_2s+q`;aSl9rM1b z$IV@Ao;Iow%QS0*yWPyGVWebH6`C(2K5XKayjfrnHR-XDX$I-7guGzrcF&)=)RW#7 z2+OsV*lX}JSXfi>@uOUsLZ zwwdF0?{>3?JuCt^&9MHtH(d9SA;N7E*;t89>fgZi0Czv)+PLi|&e(E3P0M~TkA8X6 zw3t3;%Q^Y-#!J|Nzc6M;fMzSSuO2H>@F|M`*d)Oyh>~j|)8P}2-5X|h-@3UVuYialFUO1gmviwj(qdF8HsU&V zGA864CuYH>Wa=&>jy%$0ZqjozgkLSu!|;rJtMS)|j zC1Yoyr72o?_i?0%+Hlh7YL86OtF8gXeIEnl{Vd8Mr%g+%wxNB?rfnl@Z+p*goZ+AZ zMk_tXKzgveT5+Its1dp0rytu?0GC+ANc-r9mJU0Lda!j*+#BJTJ)A!XdB@Ay=z;6` z$ofFfO{3KLFX4}#wmC<~Wu9C2Yo*wbrps^)`EnqKIL 
z?J6*uy_&x0&C^i!COo2~ll3Ic1;issnDO{26)b0(FL?REaD#ps(}^rw%a6RwyGMP^ zqzTV91xS0(I$^wznU>w2V<$a`(s`kqKIqoHwLbidmHJmP!mp2(c|HCgj^ns#l#3gP z*rOTcoF{IOX|AuaNG!$WyYsw}_aOa!ka~a8xw*q|rpb8Q%ON#iUJ3wZwIE-;q8M^3 zXLo>H2P)};X(ns*gG`jAg^zy+D4qvxyFhA60rqzLBxPgAk z-S`vxZ85m;HC?7zlHAj4vVgyhup=1Ex)jT*pt=W$I2vA+vUe>HALgVDUTU(eg}F1~ z+B2NEJCJF_X0k}0q9mEkkB37&sBYmsbg}F_bBRp5EM^b!ba8QUf$%GzfBrcUl2DSf zj4#$7j1oo)zj^XxO#biX>sJu|xYUYFgr3{4ng<$$BOn{*`rkKSy{XgKn{R^F=!dfr zA{=k#Z$JBNOkQvasd=2KFwlDGf`dz;2?bCO5R>A%?Hn@&HGqC#LI9u5waxrCtGD2p z#tcDZowy+4EEl6*E%3h;1EIrbq~LdqOx2&IsFpP(8-~M1X<8^DY(%{l71QrA4yo5Z z+1N|)^qNFyv$OBmYJ}@^Nx3AE)Nx{CIUw`{Gf0{TYsPZ&+_M=Mq`Z{kpRfetj^xtS z4zbFLvO>4ZSPxtU4o|=cA$`bx_7#hozX>f}aAj5}pxJEM;yNzdtbB!QsVX-pBWgz6 zfQJ0qR;9Jjv_afAq%BxL7W-_CK1LQIBvG15yXVdQeS##vrb~s8q(+DZ&|d)v4RzKC zO{xI;p1_H13+>w6D^BjB=U8rO*zv-i%3p1HD&y61HrvVv1q%=3@W4$VyVoNbuSYnT z@fvbGUrnR1Zo#-VnVjA5p+Mz$9V7)NP#kh1_lG&-wdZpguPsk!yi(6-yoMBQ?(^{B z)htP8-F(=6%TkduPW_-Ij0n`lSq4mGOkP{2jGK#2lqf2V#8Vc->n2aHr9OwC3(VR- z23$OWY>obaOu3Kc+wP?@y8Qt;FWWQG*4wlf5a&LV$A@d~*t@ACX{NoJm^x5fK@_6fxwGo$xBcd`u@5A|@GORB6j5nSa;iHt{q z7|az+8>(0!9W`p&csFEfYM_9EAW`Rg(pZ-wXV=xF;A(y|*y!K(G6r9HmA$Xt9P!?U z7TdpKP=5LzPZuLQ0UC{fY3LiD^$jEHLb2|rH+B2J=}+;*(uq0yx?G0ukc<|ET1UQc zY(Fle8Hx-u95RVmzvK{LA3wwAaV!R_ThL#@(3@rt=#Yd6f#+Fkt@56Y;0r)I19E} zf`!^|+)c(<3k4t#;LQj^3p7|{l~KfyADcO=;}!aA7$q#-gaip_=eA;PE*{DUD)Yyk5-m#z33)W^}(*nw2uY0nhOQO}w6*J!v)pLq% z;Z#FQS(NI*sdjLxeH>1;D|D)bg&`aK#sN;nt#m{E7B6Z}hvMye+E*Zn_enCsZrXYl z1KHkz?1HqkCl3hF>QP`?`g~lckRTi^ItK#}rfQ4<1Bl`&5 zO*2pv5U-}mvzVxe;I*APg4Z@~#2)!0lrfUFckMnr^Oo4A`>-Ker0l|e;bUFENTHe} zf;7d91hOga!@xP1;yg-l9|n>|l5;l2eHh3WNo*oX0%=GY31mNN_hE2oURzJ%rYkXF z5JLMlj5C5mSaE+`BlDWAW<7~1dsQ~vhsVd`@i7K|)CxnTr=#ByR%Rkk^-`NQN~J-p zs!dU$^K{|bJIF1G?dx9x0~o%;Df)6tp{N#xJmQhkM1A8K0Q4-`P*M#|M~X%O;yiF)yV*!cre1V)uf#He2xM5_W3*%KM8> z=_Ld%vll!uh0#6TOkB`xu@sWZ70In>Y&8J?A^^bH8T1d@mvgyG7UP2DyjlzZ(tzi~ z5qSWRS_^*bVk+>lxD(gHm(%PHwIn~BSV%m`vpqVpe((jOeYQX}MY|$mX1pCCY*WMh zi!RiJy;>KS5|X?IG2zjtk0gTt@E_PKBjZG!QGKUm`q`L#BCaL;xn{aZ6)ix|v~V(0 
zsGC(Jz~zyq6a$OrrQ55{5onf>`65bxU=}S@+~7@@%YtVBeGi%{OtW7$w?S?7N|{A2 zO8ZQds@*ZZfe#L~Uk4@6oBDg7OmO2zvNi=lMyXRTRRzk1?E%WaQHo*;?tL$ADvyZ1 zu^CHVr0+%tVC^TNDs3Rz#`bC7J(Xf|G^=<%Y~Os4Le7?=P5-IpLfz8pTKmVF=UM;> z9Yn)*c4x98w65`F*}n4--+C*JJ@2wrW+7X65==Zc1D6V9fQ)=0)mqml6E?+2mG13g zXn|sF^I&pTFwKGr)Jv@KD%nEZn^pPul6C7P;V_6%P}z~C<`d7 zQk{{>sf!KlCJZ%BW&D$;>X%jP&)v&G zLI9R4D!|HI1OXkF*HEdBt^BUJkz8;y{y~`AwFxndU&!IQlj) zmj`ZFv!`j9k7!|*-Ss!m`$7c#PHn_s-PYw$U11|5p$*!j1Q!5XOjw==C1${e@=#(G zWb=>fZ=RnKK4xS0uP8}J#vKD%%rLm#=X$_`$D-)9p*c#^jFY4L{U1!n&6|H5{UIoG z@W=1Xi6hMe3AI7&8(~1Vug~`Vwa9OlEF0T0Jl~^6OjxO9546^`fM_e8<5qz-OZHC} zHesu~S}vGT&C1?LWtRq93XP<(mMo0P37838RaPwo@EzcVQJR+}VehyC2oxM!m>P;v z=3YQCpEN7MA>PCns<2DwSEbOu@=M=E4}!!Y2)!5Fm98=@pae^O&k)#Io~+1%D^2g% znA{kFBaB(VnJfu_^Rt{(rRMRlBlD*JJ`6)Bq+CsjsxosZE+rc|aj0+cw=q6(hy{&=8`!;1FRkn16`H4 zu$x2PZ;>`Ud&ab?qcZV4GmOznFV5W_Kt->Yu_beQzrBgMmR?7`#0)fP1fLr{N%4gw zgc7=Ipo=XfQPo|BN8Kd*gVrE_{JWOb+kg!p5|mJv%3X{b7W9n#sv+Q5Vc2W*n2B@Z zRQ$1>5CD(+>vs7ptIKkQL-`_DGHC8e zqB%32G73*gCk5sb`s^_1H!U9MO2Mv9o+MzVzONRKyKdlHHtnfoA6~-(7a&{|f}YZz zUfX$>*H`ee(}8C24|lR9dqUkcVP@&qus|?v;Wq}yq2bkBuYZN&6xO@sD~?NMzLZQ7 zdOC($c(h#ENHjg?G9N9e)GM?{ocY!#6Ap6&6JHt}_|R7`C%hW-4MXSLLe`h)9q=%F z$^EQn`LTMLl8ET8MlZwq63)8tf%Y;zFaaPccm%>Xe6Tl9JZx-Y1jBAo!l8hW6!g|D zBN%?Fn$bR~Js^!b;3CZQ@^T&M+U9F#gm+sb!;6wqlp~vw?j03Y#<_s6W#(O^QLY zt`$?D&EZEbudghtJ}E^B%rA*5(mTbN=5}!&9~qNx=SlcTBs@Sv$Hti#2zZ&BQvps_ z(FfS;E>&e2W8P2}7X7Uc0y{hlsJ}2%qE>j8I*A9R84H~E zrAQ0jo6zj;fy!J#EAi<6x-ns-w7C2d=kc~goy^%erfd||4(xoJczEf!Ss46IXp z8hCydzI1|f@TYAm5FJ3cvBL@~wuDR~q8|j|3nQ6RC}KKI%IJ5O^Nj_oU}IE_s`KqU z4HK%dp3shlh3ri;y~oSBVq7`+G(oK?@LIY?wld=a@)?plGt2jZ6>%$~yQqpXDm8Y! 
zCj(a(pOu)u&6Tr3+4PB%T#Dt=+LaflXU(1^s%=a$dCwGtd$_a?Gj*;EKh$YM{Ke!` zX1%EmhC4>UoKy0(N)>Pd*6njz_oif_@!RTI2hHc8`LuTLp!u|22hFE>edL;t&mpdqf20HK_H|^z#g~ z=K95Jm&?KqfCW!6G;M&*QnGt4sg@$ABG~P~6Eh1Z{7m@8!jL3%?zcawkmnQ-gg_q?CV3x!9 zF!s(DD+`Q&pjABZNHpvEr3Hk+Z{UM)(ChkgfEhbs|mp zCK!t373GI96iG3vrXi%JT4T+1`Q}Bs(mWvEgKU^R?7X*iBAFt=;qx>aCFyHx7rA4r zbV~=Z5o)%Wq9co;nT-N414#CR9yYI`ixaP;0w3YkRqO-j2GIJ`N-2aFg3#J2fgC$C zY$Cn$WE)cjUT)5I7zRJ>jclnqw(7yW+`JI?LzHUHm#)Ae>~p&s$Tzg$Lsn7PL)2!k z$}{ptX!FNQ2(=x!F3t5qF!e@gc>ldj5_W%wDYEu)4z_CyhlgC`f$gZ<;=_9UQ97>WPWoypRr9VZrg}<7c7V5!Gy# zV5@3g3npiPpOYmO2&u1uXB1vruIpiOitZX>f5fZ5L`d^#w`kHu;GtUR@ScMp^a>)v z-;e6L#hh+RZrEUyIu>+kxXynY;Q}_${|r!6xm06vNfa+<1q*37yIt_PWU{73MiKf~ z#qVjsF!6(yzABEGZpfeM+ycws8Ii!pSRCE4)zR5HUrMHUbX6YJ2x$!-2_uKnK zevu*?j9_*m4QDQhj z!St~rbD=a@&}`024}DU4n6#ccGE33P{8NL7&%A~~MoiO`Cly0-i@7NYWnTrRK3-Z9g zKWd~Ah&fUzNXS9&Ap$iMi=`9`u3XBkT@yP4D-~4~>bg0@MO8Knkbe1`Xewt+8#<({ z784f5tl2Mi{NR!-$G#>@qZiv3R3YT8qXGua|MuHA=^*;Y^*dd&`5=9Y0;{{*O=l9wD27l1av?k*<0tl>NA3Fxz3nSJHV6N+if35PUi zq31;LMOA28GEu2w6AL)#2s&xj%V5 zCIWlMGMh`cEUFpr%zS>Ybq?#2ZIuG>w)j*A6%KbjBDO0%_;HE>x2`B)a zCHb;mr#K)xkG;ib|LIF`9Xq7>#)%O`G0#PjE5hDs*2Y0OaKNH9@^5s#twcp0EPkBT zQ*Qb48F^W%O0pX4dF?ZOYdBGBAukb1P(5?{NtEzF6Xv>^GD>^jt0DTaBzx()O|(zT zcpQ7_l1dHgR{G-fuQ*m1+$eWlomW#AXMASSwLFTsdnm4Cd)NeX3WY21OAotC&U1Eu zu5$Y144ROVMAYmjRpjW&(U{!u1uv*9F#Fv@0J!JkCUGHsL% z^p?Y{P%G%s+1?l1BYQW0FY`g7%P~G59I2ss>H0Sb}+FDpc8L$M82YptGfeTI@Ae#HFT_)3H*BiC50 z$2Yyx(2%4}xzaZ2N`kK~BdOO=TncZeAwps;1Y1IIJU$*nB0< zw})kvsH?!~8xz8FHy7TRkgr_MOF;8%kxf>{K0#r99^rA=3a4Y$K42k+HHuGX&0gISar&LdXzX zgr;f8e{KF%XXkbjhW+v8t6Qkc1peZk6&=%%Xu-|VXapvulYbhSIWJDhx6FQDK%prK zRnX_cSHXe4_0K45RfO}mZ=V|qM*hU(u|bD303@!x$2-Z_TX1M+ZTC`Pup-APNZ5|g zQ=(Rjf|qwSM)g#f6@rc3J^DbALU^$_xf&v(NtG*n|!C2$lJx zBj{a^#QqcaJVCYJf#-6SDW1k~;n4=SEy>l*^P8)tUu4Vp>4X64sDj+(7wI}op*Q=H zRkJx=URHYkf-As=N*7Qz-VAauun?5>Mi6cWI=WD68qfc7c}-|#Mo-%+96L$|bsujq zGiz`U?Rz`)&rx`c-t9MhzTwB}vAk2gg&!+U)3$7|A1m&^dJm!aJDxPKqyJreSG?q! 
zQ!V5mzd_?IZ$hb*77N^AV8-OV*|u-Mn0GbZBv^xNf(`^@epMQ+g!aUoHRGSpNXZ^- zo49+Q{K1+P0SCDF%>i?-|fy4J^A7;Mh z@Ta$~@tSLBJq>TXy`)k-(O$H)J=2nw%FJ8SUvg}noX6xuXUnL6Z|^xUMOB943bykW zr{k5+fr&L~&rU#C)#(;3`@El@u>IHY8+pYQgy!^>8-$0svQ>XTa=SK4CtrR?^ISf| zGk9txDH)aDhzIkAFiPjeKGCbCg$uuZeoe5%?(cqk0g~LOPk(z6o&5KkcQV+L^j^J- zJBu^JV~ZOx#HLRmW!+$St>LA1lf&ZcVF-DBYNX3)huGMUJT}&)w;^LnUU=b4knX+7 zfe7{b9-1x9|?Yuk6G;fx@upQ2)w$@^Qy-^(iEq zL+Pq>E`>|B4zrXWgEQ|u*5uLnwrAVl_GXDj2c=c-+mFuI&olg**_t!Vg%;%&nKf-M zHl6m@@WgXpsJC0t@I)|v*}IaAEa}cfQ97qm)1|b-9{o9`)$h}!zw1_A<^vMh%)@TX zuU=RQ(`BM5yU0kwDkGaK?a@#4{OZNl8&gRAAmk8`j^-t`$b_L7bfqb?vyTq^zBihK(4O zVZRdC#Y!SFO$%3X3+tIi>0Vr1pzZPE^UpuWQpGvT_+p(1!KZ%n}yr5?@BslpR-@NuzaT+Xu zOwD*`A)sV-B)}9e5e6I81+AfkXIu_U#_~oc_L?TtS#3s0x%Wb>9YQCf(k_AlfA1xW z_zwWZgCo@Y#;`gb1HkH=;RbL#H06^s!e}-pcWgCEFG`KjWVs=(HhYms z)%Udy?=d{s9>-M~d}GLX0`?&zRuYGRBI@e61c5|zp7rft-%zX&Y$>{x;3xYmHSn&! z6w}obn~Pp&eF9RJdXv5g;wq{rq%GUFbOgh%$z`iBp!_| ziIYh*234DAY~j~*sjxnVk-MStj(`MSJ+}vUB2_|Y0@h)8ZBuJ#V5On1IzzUfb~g>F z?6FmejzuDVduy|gL5^qu!+FVK08P>*CWWs_+Jopur1I2y zhGc-4zR|6%YLWK2-q)|D1|Q^x`a{a5BW*V&T0ohXnt6`NYkS}gTs+jsz)BRA_GzkH zpPYC>$6T=)L>q7<>(g{_x9yRbehAxFhaV6_D=`hJ!xZ%?uU~`fFAb}{lwQ?;SfF2G z@7{AbAYMa*0u#xmgbw00a6LMKc#C;*uR3Tdp9<8F7dDzqJh79BZQHhO+t$P<_QbYr+qP}nPHw*U{(s%N zr+Tf`y;tw*b57N+u7&5>cCb4c(zAo^K=~fRK`=_&)e4@7M89jKKIr+u@fX_tGdk@W#+uX&Q*Dgq zNrp)&Ok__mDpiI_7-l+{qE7Hv!?0-*S0e(%@6-(RY60X=T84t>WB7B3QqpyDPVuI3 zF-|oil(u068UQaGT|PP~Y5c7grFw%zOxqL4dixBEqNy0!P#*2>3Z`K!lR#@fd|bSk z;b9@u;r(&-#>%<**=tBDrr3Q$w#y_CEQ`R0HE;yY20xjULt9>+5wcY>2T`bqGgq{fofQo{<=}FK zCN6M9qt{bR)pW3=77yiQxAOCoRuYY-bzY)h=Lgr_Uk=W1#qsgoI*~r#F?!h_-Y~we zi>KMLzRuq-kEf@jquXC^Z_~}obl<&lz8_i|G*>rzd|4k+ogZR^vGenMpTj-DtPj6* z&tm@(Wz3lgj~}q3bZppPH&vhKcL&e>DZ)pPM}lehmBVu5daQ1ClvI27LAtbSX+IQl z$c4d=&TR#;nP@uGZ1-6GN>Re8rZG={%hgEo4OeFgToo_)3#t4b3bJTx-P)_)g#TqN zu7#YpK>tM@Yi^nFr==x6`HMiZ@|#n*6en*1PQg;h9QQvPLf$BppgHCes>mf=dPyJ& zo7j}3-Z(I&0W-)cf4NN|JDKFsHNmKm_@=s18wixZqSXfu<_E0ZOjEFe)bmy&apfSi 
zVxH)fKV(-sv{6m~WS3gM@%^u5fSPT#sQD-FL_Gcymwpd|@4v%a#i<6&s1mjqj;f?Z zQVlcCxhz?$0_SGV7%tSOV&X*7K=NMvC|1nqb@6R8lP0==08@M2R}(x(()^+y(_6gK zPLf=+Vy8|z=7rV22p*+r{L4+fE{vr5AB^$y9N<{H+DkZv=3Lgn7dAabN@bcOcf1gV zIh_f$p`&|F&s!q}G22gDnMpTK5hx+*hwU~LCGG40wPAJ8UZqtoErwW8IQ9oG!fy_> zo}rKJUV}I%Bb7IT^Ko}g8~K&Kx@kLw0Tj3ZKsj{)IdV=5uC(;pJ2f+=r7Rty3w}*# zz?a*RVW!~t)Qkrx6pqG2*X@{?2qzN*{KxLrr@^iJolQt|WKNaklhk9!EGb4@6k#1| zwrUJFHFtt}+Jfm46(huU)K3|G@&>Y~YlwMQ=*FIr-qc7)sWQQfjk9g`$UpHsoj~>) z>o?N}F{}cYqmvbl6H`%CP!e)x(cRZ9MyB%rnMn6yzU9$s=ni=&@E5y<xHBRlD)O344v2YM%<2=-dV!?J0L;7}#|D=BxyAF?GpSShz9F)h=QnR;K`%T`ltntLwnWu>& z;DlHO8!lE6sgwfebRF&Te&x?R(7k#ODHi0wYIw(S-%t)TX7cW$H8_gEOL zNNVFbohVpAo7Am|m7XNr4Yjy%;)T}DZ#k*T&dm%(9}?T$)ig7shkGf6UPO23<2QVx z1jQT@Z_8n}3L)0{1`rxMA}!bR6(Jczb7IwC?>g8y`*nsj`$=7vk2o7Oe>&3QifTqu z4vKRBc~4r{|HZM<}08otk25%E;C_TW8AW zfu9yk(1zy7A#C>qk?WO42@-KaR=UfeInFxR83Xma`hKtEZA2mL><(Ra$PZUb0a~E$H<1`#T=a8^EvK+VV(WEmeTErndMPNdOx8GgPlW<5iqc(7jLQW#kc6%;d!0K1C5X_0Wm!&o6_6N zZL1V5V$`fDua0YAe79C&Xs=}hf%(K`DJYNb*ZbTfC>&|W0Soy9Clf`k{s>9aeV)sc zpT;xuz_iYbr)sKM{*&~OXo&cEuO3W`TRv+dDVn43>4kzFo|+gh>uJ-q#jmAW$%Uv3 z3dHVFWUGkUHNG9lL2h>wAbE4&e6}y}z+O1g4(3$(q%n5dpS*~J=c$*nvjYdHqahUH z^R6C42hA-S0sB%dZ5HS;X`;oIQ~-{9FLO?Zz*nU&H1D{7za#22KZ(i zYp3#!PEJzY6eyecO6aD)*uGXzlZzD9yz7dHvX!t4-N5ad*tYd3gYZr9&SF)_dcVPf zW65B&X5L?1aoT4=T3jXeRvHsc`8~%irCu&QBJ>N~M03?<=(`$;LHXqWG^NdV0THM} z>mQcI)M7{1ZhAuW$^IRdkGA9p+PqjNGtY1VEvBX0T)Ei5)K&{PdtI!yUb=U}tpWBS zOtvy5TMx@@+Og!>{ER&inB>#?-kt4~QMJGL*u-1elpE+k{v4BICTN=6s5??0_FU=& z?J%K8QbB|kTqmz=3HS!??vB8+OfTaYHZYX+bX7yTQ;}j-lf29zpG3(iuL7+k-(}G+ z_x4jE@mFeH;|TL7L+}2)sNa(0I$v~tTNU&z%uKQ_^WifVEX*WWRnjt*x@=yMt#->L z0r{j%^S^Q&_Z(uPxc1Vgbv0}9@Wu7WuuU=QTE4gi=GZr2bx$yrEP648bH8?WIShF= z_8ETFW1{lnQ;}$@6k%-mrR*!}W?1Cl23d1^wiS~O9VLHbY6iP_Op#2u<%*K6KBM89Kl2r+O02@tUv z89eZO#8L86YQDp% zsrzdH!O(+1aOD15rs{oUf7BT&oi(>9Y-v@{u76AgPJDyQnw?Njb-1iT{-o^l;$#}~ z;`UY@+;gwnpH|+uw`aa_!i{$KTV)WfdCYx355E*rQVLW?zxTIKHxF+S#!-By6f{d| z%^T|rd$CeYi`h|UWveFjvlmJZ_FLY+WLvt}zwRvs#$#7|cZQ&47f&E7@Cc0zpDA%G 
z^}j=zT`O9G@UcmO8>#}tkL8G;88XAg4_}@Up+X$p)^zz zc-9xq2$u_rM4<(_%Xdz~z&kQs7x}Vgdi9L}q$mm=j{-MC=K@EN^T`;)%3>RCq1dF? zNq&vXK?_PrGoRI?w)DuKbls!Mtz>LDDM%DlfN|9E;iT3(lI-1VO)=^SI0oR!EHaw; zun=RUI_<(Z5j{mybqY+$B?pZA8i(EL(oAZ+%PFB4Q(>v>{k33;b=cITO z7i%G4hA^j`Con}{G!BsH^lMy*6GJ=hZIf45s`qxrf_+btvDMq$*wKqcZeC`)q-yz=A4!Qkm}FZsj?i7Wq`$tS2=sY-h^Vy2;VY7~QbDfa4| z%X!Izz;==};{%N>ava)gyWelCv9;Pp{VAQ7pHsq8-S#iZ;emb9!@k=0h!+##HYE_B zk`G$dLL;};!?qc4*6nt2gN*76trHRzp{SU{@vW8aQ6KahAjvp&nPL7b<0UOk9PDX= z26Bp?!-+8U*m2S4`rfiO1EFKd<>T|ris$Fu7cJ;6ZHb2P4Nl)ptgO_rni3Bp#|Oz6 z9WictvbJU+DoXKq8GWG`5U&|jtezUl4q`)N2~%3dd$#wG^8iMhopf`GRS|tGBg!-D z+Xl5#vsT<>%?<-3)z|*3zdzi(;EpdZL_2PiKknAvniNeXPb?~oR+c`8^^gQfKXVZ@ z12Zf9qRn3yUz(<41GOqZ-->=Ppy}N(lgBx@yWt!;3<0T&Ir-@r7&(M!{pfLRs}9iq zn!U+DX~iC>7?+&hx2=2Jn-Z-flzI>b-P2S;z!C!TmVQDxXte|4WMx+}x+4i>#-d2G z7=socD9f%#9N-$8p2p(2)_sOL=P5tnX|GaxQ3|;=QAp`F6YoLu{H^mS>XJj^@%k~S zr#tjlYFvBr6o-q6j@nx&^dCq3zPwy7JPT?9f*5*S-C(m(J z{a3n?ZMW+8*8Wp$^cqd{s_@XZZ->u_*g4UFKS{LKngPd0PM}eZFG~S-Tq(w`cZku4 zzBDIFGY10tLuO`&u;@)%*M5X0;-AzrVb_sM2IHvsKR}d&Y$cSe8KfPEg8t3|yzP(2%SRaRrTJ^^K15+@)zXsey|sr8sVpP49Fza<^rh9+2vk0nxT>WK3 zr%vNy7!|g#a&;0cJ4SpT&(OM^KH?rF5pxbtb!+bG5%WuO&RBcN!_ zzj-ynwGFy}B(=JXrvb^Pl&Vbw3l`%@LRO*Bb^DYSKJSiih8$i}maJNGdfQ9DanUZb zjw0qo=aH(SWsGKZews2XJFGtXCVvoi$tJkljpvxN4~-0+=zbTal3mp=ej4F?TA4vQ zwy#o)aLh^5xJ2>S%uBUX<837J@ z@?rbC$_N=#BUx@@dt@+8jMk zw_c~alx-gE{XN>WdVvTtL6&K^JNg7O0NdeTo41>3Nr;(8UTSvG{e2v-hg}7K%2@nr zehT)>>BZFTICUcNb=#c6F-EmJFT$|gPW$Kc@l-#(GaV5Tag;4b%iHdL_kb?P`~I*u zKTYTJ{%XhjJvcZYG0p4w2JKk;yw#+gIH&xzXLxK^>2^ib>T@c>ErB;gexwpE0j&#y zq*ucon24@*y{Q-Jd*6N=1QKKGX__$lu~9{?J2jO0Pn!Hb@p>tFjVyomB!2DYc0#=Q z2RlHLgzwa|AjjLfZ}Jt%U7dgy(VVo*-@pJ-G7L7)T>R%3sJX^(W|Fmfa-qd4eMe@a z!fJ7H#UhL?&P^4832%eXx}w(X`5oaT&YF4~I{5;pw# zqTA$`P@JUZ|K#Bq;2#K}!t+xSKOp4RjqcHu>tXZLV)>0v?KP&jYho*jwG)APq=zo& zZZ@*Y7Tai4IDGf;n#FOjlK!YS#$wV(G%F~;+&X;lb4k7aj}LCZyG@3DzyW@4=!}9M z1pM`eQw`=(Og4QZo%j zPgE)T10E>CKZretw_D?*hB!~5Yk+G{A!m5(dukl1yfXFy@&$*yCqAY`ezwkESu;jW 
zp&TlG0uul5++53@Y;*~;06?PchV)*rEt4m`%R?+U^?J_cxu(ELDC`g*@JhL3rfFj< z5z7r{f0;(E$dGvI*MWhMUrkVO)z+p#(f(5nfWsn6&JL;sHe)#v0bWuGfs%tZEIOBA zs}kK9K(FolRFc-kayqg$h!{J!-)r2r2oG%CC26JT(tzFFn{DgIs*nv!1>$ADeH1mCIXzpkdC5;1zxr)c=S+*bV{p zw~Oh4wlAl6A!sS+j?ie>Rx>Z>Aw~d#U%siqgfBmn{&Ej+z+dz7AK$JsvUE^)|ifmm75K6eRf?--YzW=PzB{WRRVRgTpinQ+uhRO*o6X6W zjmb>ib>>gmXMC39Ds!j~pD(H91fAc!)TN5>f zsjk#9<t)Er&{&BKdZ3q>0UAUeP%uxFM39P2@)=!~jYQOD&Nc`XpM08GM%7=)7v zpQ+=LI56ZA_u>H@_ybAwD>^fMo)}yC^zFTov=;GjoH@MYM?dTdNzA$d>lSLAI!U5hdK*4U(aeM2m)eQD%pHXv&mMqAx%2z%}sb!r<_P6 z}6nynvScwid2iTB`q=0{ZzG8!znXR!OHYXIU!S=2A1av4N1A zuJMH*Hr(#xMW?GS`U5$eQy)PHiEHtA;|+Y|OdXoJ&1xC|0IY zXUBeXw!YjR9N3}fZ-4JE7njfTy>|0~`c4OQ{~UCH?(&}n9azN?I&mp$_?ArtUEo-RNEi_c}_3}CL8a2SI?uZx% z%cWn2S=;3j4eV@nG{CZN=xNj*6v!NeF>m-5XWg6h0b}^}j`CK-M(YHm%(@vYT_ULO zG-`T*^Vi>l<6H?4V7WEiggR`bNRupWs%)@0AjsX~YfvQzFGHmhNc|M^9l?#``?l_G zrLG||Zq$Ae+7rW%b{`~6iQV>bcbGcRPC7!aOueL z&JL{qa=A9*r^$`yr_C+qr!zS5*X?_GUtATVyXEM9^2~bYJZ%*w8WlWHsm(HK^I?%A z^8zvaILTBSnc%$BBn2IMvR37Wu+Ff5SatWCF)e<#Li|TF>Zaeo6i%-=gG%gNl27&1>x@xde%Yu12&lNVf| z!4%Jf>P!lz%1jeX*j;kmNyVqzzE2B5(wBG*gjF?-&bLc;&c!(z@p0vAl!E~N*JK}T zn(~sLH$^$h`FB_~@P* zV7qSY19yF`wh|to5<1^@)Z0b6RV}6^oXfD>;i`ouHV8~@n{T-WCR}{ZV+mb!qI+2q znQfu+Jf<96tB{{P_8Qojpw1-|PMl3muIvTqm#%((l`9T4kb{I=bG_hdqM;~2)thFXsL^)zuL1bqF>Ih5Sep&dWteI(ItH;1Opm$sGaRZx&V12n z5JW%a`+ry&B_8B;eo3>LjMm8=bdgU-j!n{N`&APS%ZGZ+cnJduR4=4SBxtlNL)N6p zi&!Y|Qjm!y+AT@<(m9p)fl+2gcb}~!Z{E;>CM(q=H?$&d4C|uZeNJ8!j_$RoM3KW> zzm7YqoPX%!JR$1cG!!U&ru+WYSrKr_@O|>c?rl=`A*X3$;QG9W*I+{8V>sN|2Gz7r zXYsy%+KoVCeTT$jKoKFo*yJ56D%X2BDK}lkU}G#hXJF4A5Vf`s_OY59Xj;_fq?wr- z!s5vrV9}%uCh$0COQt1pBzmNPTpv_v0TmxH=`Jx?extTViVls-I}m}hHwbrYi1qNJ zLfmVAJQtk*ckt)>h3ZE&o*(1Vf$uD4>SoLAqx0eoK|HKt{q+QZ`)hUS=SecDt(rk) zT9O8+?96TV@Pm{(7oZ>twMi9nY00sCKT8#t+t_C|ZU0or8rHos39q9RlWgV}ekyPz zOvkccKNJQ(T!Fg3OJicfI9Mfn5}IegT7noy=FR2(N#u0!G|+ zN_$-pUf~G0hki_+4o^+-<2n9a(6ZQ2dK_=B)L@-tT{>6SN3aC13@OwKt5~t0@52juJYm(F#mRPBOJVXDD*CsXuI}<*68rRX;N0);W!{yTyQu}uK 
zw~_L-znI}fy!;x-E}5itd$MuZ*T$u$PWZ=9s^uA#tKF7YrlFt^p#T1-bMc`?L%X7| zG0(YFl;4)0qv1r{d#b^1@3<@sFbGNIce ze26M*U{7i??+r;I{>~c}M)@A)Nh`kny7)L9n!IMKk=n*un&lM-q;`wfect#ZPE@%D z-No`MwifSN%u$ADq*;|XxF~-nqNO_a5Xfv?3*fv(lsEvvVdW2lsJU)5gv1q=;TATQ z_G;a(skRpfH;T}Oy#9*MhxwwRnYag=<>=%OOILU;hL)+;#Sa> zH^^Q*QOx;u88?w#AggbO*RWB~#=z7e^nbkPrJoTd?v zP=h|9t%PcYh-?=a{NA1)ka2Ej>J(#$2RVZ#vLCJiyl~~OqU?^l#d|_q=HRUU8&j=T z_)D9^7?T|Ue?QAx<$8^nO|#yE$k@VNr&`_4Y3@axofk2mm1bnAw>1a|LFzGQ@hr3J zP@60f)qlV~T{%+qci-zZX6nM~)3l_sX5lJ2-Bm3YD&BU*>rB zL-g|zn<#?Ii^Q>34$YweWcr-o9A>?nk3)-3aPn$JKIgte0rTY56jLhIJ>UI!VCii* zZTMyP4^4!_?fNut03RJKZJIA{>&wTenViq&N`|*Ae=G zVK&ZX8)aeX$Kc@9w&wMQnB(W%`U$Z&#&k=TTD&BKMLpY4syZlCEs>jH<5qh&#`lri zeuUE#+`>tdnP}?7w2cPs{}ZG-P75%>|k1$tN#OZjV#K-OX=-45bkM3{m@-x31 zyPm_f)_3blh-tKiZb4I^OSc#BSnyJJ=sE(K|GdADp<#jFV&?#*bLinXmwR{`5AWjc z%HpSOhu}nzP|;OacfCFoId~%L^kOln(2JuH^;kNNNgEwaJLc;rFcCQhjk&aQ;#8Cl zL9H`er3ddRbpslY2M7SC269rGk*iKRxa zkNe)Spn|vzz&x>HCa}sWV9mamFcql`H9n#$pal6Tms;13O}DsuQv6?rc$;3bM1|;S zC)eq4r$I9!%6g7v>iIfAf}{qiEKfCV zO@&`8#B|e##w}lCUM8QxLLkm7cTCQzCm&Po)?lzy-dIYMAZ1veM<6o=sE}N>e8}r0 zdAh2SMk;j&I7%%Wdo{gh#C=|kv+%Rhj0J(zW7RE21Qz}Y%wxXYp~RcEJHIUphO8I z&TlQ;&jEl?N2oh%^q5NyIU*pEO)%lq?^($TRbl|MGC|6YG8Um^H?;APmAl~o4w-)a zUiExGYO$f#bN|kg^S>*oD!_3Wmpw9BcC%CpuO$9U+N6>c*QzA3BpQEW8@U4X11i4K z-oE}qfdfLiAO)^jbi9CKP(jupgunf3uj^}Oj-o)9-U<;R&|;=kSerZ&D`9+(2PMUU z&lNTyl@fI^EeMDtoFIO~6lQZ`PoZk-KKfg**2W}cWH4>W*oVqZQ-mgY#J{-gi<*thnb-qSXcmUnrm!x_*ZS-r^#W(qFo67;TPeK;vP&Dz(1eWyou>= zj*)-m@~;d7sK;xhvyDqUdrkHR1`x^aYi*R9CN}gM!>>T+(|6bKr;LBJ;qa^?d^>rZ z57?N;B0Lg0%}lS#q@&ma%LI|PtWzc5UcUz1LC`vdn%O|FaUqvY!#L^6c2|}_5GuI3 zR|FfsMrz89&de~XIT1_$%0*h5DPF2bgXb!_?Z`bNMeitvAe0)ZFEF5-;eRkXDJY+^XE|d_a7Gj0h{Z(jiw+~^@2k%`B%GAg;sanh@kpKhtnxUs zI7KDrp2bXX6;ViV!d9_s{KA}p!0+iJ z4?kxUu@ZJor8iAb~!4M@C~MHkeY;X^&HE4#e@i?+f5*lz#Kh z&s$80Vtww%ZLj7jW?Hr+cSX=jhgRjEN0$^CR!-LcGHYh~lFe43ML9ia(Zye{OS1uk z&gMX}!w#$0=ruE=qJEram2_{@Ky6kM?jWee(KYTC|)S;wG-}Ty9&rkO6f)q8GXU% 
z{9VNZBrLkuQP^t)GsGp;bAkyVO$d%c6dQuvHzdwAya)(G6k_m%{HP1zZhID+Tm@k= zGX~B6MYIAIf1Ht(!Hz$ z2m{WnOJvFm+JU1O>KPk>kdaJW{$#@*Rk;Vd=?B__Gc*z#Jlv04Mb&bM{j{u zqH|Jv(6jy)&QrJC0OCpyN0Lr^zp}nfiwb|4k8NF`Zpv}B5wPyy`AqxxR6BU}S>AWQ zfG7DU@j-M!6o0305Op_iW#M&VH&^5RW5%;z5S#dh;N2Lyt>@4{>oMmFtgk|jlyxi& z`hG21v@IjQ*%U33=ZdCf>i1}7!DjM&%VSbsbJ{RuTx>>7#qc+h8vc3B%ek)p1>uNT^1YucGSIWPmRsMWAw!KPo^orMZrNfQ$S}SUxI&5DcQDoy03x9o*2K#vT<-$ zPYwsJzT>C2PL7e^KJjbQF7YRQh@_pbuQ6${cnQCFv5{D@3OLCNns9ir3f>)pmfDgu z{qeCa&ovE4Z0=ulbDI&%N>HB@u>n|xZCH6&(1R{CC~@bS)XdEuwAgv;+~}b!Hn_h7 z(^=uc2=&rKe)U#Q3hl~o9ktqv+udsuH#B?DBki?|Fj(}|{@bQWlNd*Y27WRZ{pHP* zHYztH7?4h8M9^1762TSw&tUlp8Yddp#wj9DC{#xZio}%$SMfrVzG0;?1d_qk=39RM zNgsKMli;DnY(Row1S)bP@Cp`2Bzn#!h;o~Xc(w6>A}W}?y~(ZQu7)WAqmJ7v1BzfG zQwRrTEQ3{*W0R_E;eK*3~F*p|U{{3sv^WauZ^#;C1F$DhK3#sT_;} ziAa97u-0UlcRa`)-zZ7}k-#EIZw5#Llf*W<*aRnlmU%K8Bkhv_w6U})$t^N)NW1|g z0db*MNvOY*;3V@_)pSeh1Lcth4;Y1t66BF4&07hUkxaOlo%sqQ=t5|cv1sHLu5<-; zHX9s-$I)6@i5;spg91~x>oXJ%?yFX2cj`oI4PHfJ6vwed%w19VB&nTH2(W1Z36yOx z2n>AAD^1sIa==XY*>;1!R(8P1@Yi|*v;1HDe?budFAb`Rfjr2&F#MV|_X}~DOo`D< zo@iLVK~CNbhh)PXlZa~>sR}07a@S}fKXWGy$voUk6WoqIeDRXJvROUf#{I0z*K>Us z7sUGS5B_QU48;nHO zC_}NHB1RqUi{@h*l!~gCAtqTGgA!3McGV~g7xXB&MBtzW{1%Skpb_oOuXoGesa@yw z@L~Fmo4>>G8<&U(11yFI41SDwlv1F|&f*mW(K$y9H42wfi-wPD9#XDpOM%U`go zwzY#K-PnFgC;CuAh?M%;zHbI{jsxKAI<*Kn*E&y(XhqmYrI&a4`o0B7uke4zfZ$0k zqlL%iY40Vu#L+s&b2YR71!>lO?hPHB#wQ}FZ0b0d#B*4~_VRN|kDHRxaABOVddR1$ zL~oF_O3<&lyEd?R?_>I>8<$Sv`v`;g3o*H&WN9HJH*WNE^ zC;|{V3aBaNg{u!o<3Qx!@c#Sh{+2yI?HeLb3fbW!q$W(+L77dcDj=hVKr3&Bk_qye zX5+^V@8mXotF&PBC~x^)f8RCU@;kN3LG) z-iUHfe{tS$&AhU1M4P?mT%4F0uVw6}_tnLUH0K|#+-&V2zW6x13!$sh>fRbcwe6Gn zb1=R{Hx95<9dM&|vx48+{nV*`a4PULPF|f>svVbbamE+hup3t$_tP*3D=$zQEl)|i!R4QS)Gzb7rs&m3U9<=S% zLh@>I#uzFit5s3+EuFwWLZ&DOgSf{>(@@OfXi3$LrOL#MCwtKK|R0CkM!>=Iu~Y4^D+%z-}c_XTjlx+LLS6sr|F)$BuGv<>9TD z!6@9*&e0S!CRH`VYFe)T6+~t&vTv%CHv903B*XCZQz>%y*Ks+W{DaOh)0BM}D5CNA zg|gx6AWCn?%CqZSJ2_F6aEY`MO>&oMweP;3>>LS~q$GSR8bfuqLcz0J`Vh4BoXWvH 
z0Ik=K$S7M&8}zXfb_&Ws7cN0h*$wIv`>Pn;q%Lz}l5D)Mve3`-C;x~MXDGSIj<@@P zZxL?uRQdQ<44e8q=|AW)x_@n7g73Re2Q%sk!(THAjlm zNHk@CE;~}lE)kVh1a`7In(`KV!Hnus7G}u0qJye{ie^>-3aAtSLk-+3nH~ewIn_Z} zV@QoemEPWWs?Do?i<*`_a_MpPoiK~ain|WvRD2Rfi^7v8;kibZaKk7@vR+!W!sZig zG-mdX2fviDv2GvQ$Y*7Y0G8287e?90jEfZL&sGx`VOnguTsp2hQO$`~@BD1I^jgUX z8GjESxxWprI^^NoCfZ%HpSnLeN1Cqtg|>axIjVV{^_KUd(De^~S<9@sgS^>v01so` z=(Fvx@N>X)y=zuKZvM3&c9E7kt2C2>w$^bQ@oG;dyKtFiY1V|;^mb`KqCLldV>ov; z-RsxXv2vKJW@_nZ1ND2?Hv2kUWLfmoH8WT>oN;O5($a}rbdT|{=@=gJr2ZQ-*-Non z+o*MK&#_HQsdo1v4yY!q#(qjt{-v~piiE_g8F_rr(M-gZ>0ui#hX_TtBy__?R0a@7 zFP*F3mD~d9M2q2~+D(Csi z9k;C<%9hotl{FM8gxx7U4s##rm>lGQ9yCuc7s4Af*-LW- zksZf`A~LRG4yd&rK9BPsvw~C%Q`IgrodO}Id8qhmFy*_63BtEGAkwIOIKG0^p-$u$ zah5Eq5rLdaiall4(Ll`OS1n&{Z{GK^?lwA({r#`8D}Vm&!tT0o3Jm&i069@cPBylS znW|7tB*wi-K-ofLTpS3X1`W-qxH2V5Ke5q=RkFvu?2MZ#;dLM^@JRqY2wZQ{%LZ_M z)S-W)G$3lMM=-aLsu+TQ+E>QF--bDgrXbg%|mbQFM$Kb=Vd0_ZEol4;3a(Ilh7l~&; zAElJo{bHPclSQ74#~*ng?2nfTjTk)&g*B1wbKbL_l1=hPGYy_ z*2#Xi^VEyx?Fl481(T%-N}zV~r*A@1;Gr|zgtJ_PRoF&gfH_!|&+h=O%A3=)^HSk0 z(R2+r#0E0F)1p-Usi+Wtt(^=a)6dx1^ZT|z0f7I&vf{uCjya;4Ac|?8;QycETqg&K zVw@od$yERk=gVRo0}g!lM`4&$uK~xL|FXS^Twh`eS?#tejG78Z^V0V2!=j(m2x1NUv1X0oTFi$Cmabjm$!x!DxZ zS!MRA*98WK^J*acZLrA5Hji5B9Tc3I_K^Z4b9^|4Xtvax$Dy9_+$%H6b#35rWz zh1qe=p?8|4ScI*$v`K2~3Q`a=>dYYGA!6-K8UN*EI7G{)7@O$Njdp{_10`wQ$ID$u zDy`B&&Kg=#T6t5-1*##bjJbX6jp*AXcm9tsyZZ7dyqj7U=_(IzbT4IKJz0E{P{4( z|Mx!+%KBh8&Vk=s7C)8!J#`;l%Ve1PJySAGGW{$Gpzy#Q@n;x1jg%t0moql~9$XVQS#FkU0` zm{^Pi5xE|fBTXsEEplX1(ELh?NqbEP=b+)P(~1VXJM$W;bNYPI>%KsgUas{c%BU?i9Gn^%{fnIn}MjAvMjzKiH6GqXzMB%p$T^Md+ zBG}qfsQ|IUcv@p})bGpk%1fhi!S#80y7mmHq*C7kUEaOSoeC%USbv*02RDv)#DoOSx^9G}>&tDK%9~ zcDR<2ydV-+CWM0TDPc2T?|)lbAz@iDa|KL^m^YjQgVSSXaETxUAjek7s-xjI_&!`W zjAYzM*yat0Tq^8KTc^Gk`@pbszLS00jVKGy9-=Iki+3*=wvOXQ&u|sO9(*+S0rV#Q z$dz+tp6xWgMNSbv@T-BP`?+wM#FJT?Rc_ABBdJjoJe@kRq4Vbc087m1dcy$R-fi4M zyboGL_Z0K?WMG!p+fSMNkvwhzn+TyYT~TwUFAFg~8wx9UQc%^uce*&IP{&|C*`#Ue 
z@8W~p#;-+6s!h`2>b9CjQMFC9P?~B1c*ovASu*Ps25>EVib(|ui*fyd8LyL^Rfq5rSbuUp{dZGLc$z+I|zoVRA?Ph+Z*K5&;+&3LA{ z0sq63l^~QrL7cQ9Fk;$fNO}=6mPFE-oF8%xQmb8)Gzo*@MYg zsXQ1&!3Nw@6rCQ5d(M*YvSpNTxdMh4U@jgN_H>w(`h#&pc&CX7xgm)Nsav->HpP5oXbnug8N`tStdAJXAa(}pn!1`0VHCkOm8sqV9$^|eJ;7S)CA5pRNG|^-O2Hw za@?Z#@9|=5YsjmaR2E5RhQ(kK)rVTHPcQ^EYvJUCNq61_d1uXr(|XApKJA zcKoUK&l2DV6t5fsNr@fVL4*OCCBsq(AO7JLS~A^>n2m>WeITDz4y;@5oap_nz2if- zkOI?DY*oD+lK}cQ-{ATBkJn4qzQ^tXkqn|=c5NEuA(zP;{@{_LW0*ror=O{)r-=L2p`ZuuY53wg0<%RIelNfS=zBciRX6UFb|^c}+Ftgd zl{o$S8GQ@<;tW2njE5cV)?g0-Vh~>wheeW^<*Vj4k@$g$=BWlp4TA(LifiLBs=#xq z%@FPyS&rS(uqrA|z2HYWqS97M!v0e(4GPHXmieSji=r|YdUD8E!HIY=j#j0H7MA_~ zPJM*0`Z}>z5|m16##;E6G?MjNkKrN}BBNL6vq|nGu=>`ekskb@>;1yju#wtQ_a6DO z-EQQTlPxLv!t+E+UTjWYNQSeP>(NJnMDYlvO~^rLB%a&kjRQCtXrPH`sjmM{ia_o8 zi%!0P{J)~F1)wfYxpbY<^6M1QzN~>1_2CD%>3#IAFgXQ4L4>u?h6wNhz-ez=m;#_g z_yF&6Rzj$!>V;5Zc0#Bt24!YKC{j&7QD@L~QRhHJ9D>Y|&}anQ-OyI z>0Y2!w6z`lA3FETU5IDzbV#h#X%GpFGRErJAG*FAg7Q|{2U4?Xqw4d`oO?cSD%|6 zu;uGFTfdn)@bf}y8!Az@?$N13dI-a+K=lwCi4&cNy=1`{2Hw>PbWgCl#D<~oS_9z@ zb>$U;Fgrogp27={=xc8*b*vn3 zN<0-qW$Nkt`I@QFx?xvEy7C}~8ow+lI#JApVVa!AtIXz}yLg>_yWaszaxQWxOwyjw zvuFQp?}`3mM_{4m1xHFn6Yri6ADyuB2+y5h*);|_3Z;ZH+?b-nE*%Gz7j0}*RYqbM zYHTB3yoG`0aO|6wX{({XqdnXsSbAW1Y;wuBPZvmxq2SI@SSZ-FaRFRj5%gQ-`;?Rs^`aokyLsXJv`Xw!t zg~ZLwO?yMJDdmLA*U&wl8>IH&;`t`K;I+-;@nccRIqMh=zA4UF7ZuIY;jA`Q$yrJx ztEg9n`TOo<#%W3_e-1wD*$QEeRZ}{E;Ow-U)l*2yRgx4-I74IXx7{dFhJ)_E5*r?# zKHjZu_`LAG03nQ37KXLFqmwi(lVA=jP9>U=oiceualQF2LUja(@UFf%Q*eCt{zPK^ zc?80;eiGY`0*wp-J=+%=1HE}dc7n>$m$J{SBM*Q+))jX#SZ(7f(R{9$cQbJXODU=D zYWME7H}tT&u9bE4{3WDZLhm-e6Q_8x-&~GQs&;4e)Mh&$iRw6&z|n(_W5~q5DmB5$ zdU`q)zLHcpAg3;F9I_tjJ!_70T7mUC<&Fe2=9K&e2Oe>G_}4rb+R`KE;z@OYY`q+kUjP;EZ9K;A~!@w-Y*Ym9Lk ztKM1S|6%MMqeKb1HO(?l*|u%#lx>}|ZQHhO+qP}nwq4bAzv-Tt?seCi`IV6oJK|qv zM!x&mZww0Q)!~=(Bqf{L7WAn-21{W{g(VUC^9cWVeZGF(-NnR^{k%Qk$*_{?Ec5NS z@tthXNZyva;PPG9B)5@rx*lx8 zsGq)Kopep)osY9AzMDFfHDWim72uL6T&}Xp^g{}*vRQdhQ=i7V`-6{Ezk7G6w1GPefPL;Lr 
zhf1HFG}?`PHW$ZLk~KsPF+t`wu6mSaO_OZvGESq*qO&Jo);Mwt3f3udYu(!5GI@u$ zZIwoRFg-K{(j>15cSkayqBgh#BH3W9Xx`)5kKMZ8a*)&q$b|QGL~ecoMBl*u8~sX~ zoF}*EAi){^dwM6p4H&e?qlq-X*GPPAzrx?71&6IyWzus+GL)W%SFCF@+_=^E@A+z= zg3E#KqAX@5T!N8gnoG!rqc&xnQX@IMn<}D!Y9NIs{<_obrzX%g@&@>-);K;_5hYVM zW6%k-zmce=`YH24eEP#I8pM2dMa6{0jTzG(ZI!jbedJRfeJE7YKfXz_+uo~8tIR$n%2N+)ZJJL#Ldj=G_*xQM-9YdmUwBCT-$n}?JQ$ewRV>> z5xiz4rpg@DS1#{Rxfiih=<^~uEMEL0@PXb@Cxt@{ABy%!&I;@rx;5N@Dd6zv>$iXW zPUQ$Ybc=gROKA3Z-^Y0@0wGQ_qa?uRaxwS-R~xfs2FO~BEoL?<1{JpL5ZDQMR8_MG zt*jjze>HB}&U^Mapzx}XX{UkBsVcuG9ngcWWah#IKs{8G!TYbrO^WL(Bj<@>oG_{3)uY(=fx(=~hxab`DCtwc%<_=})1}aRR~$Eei3? z3MFiP*GOXX>r^~ch^I&_4JBH-VRxwkL<~s%iSgK=XEKw-XvbbewBW5>^Vm^%4@Tj* z!(*w(`q=afXV*gladBY?ydQ(lg&(L3+!1y?`t_=IIyw3hod>sKBQYW3*relnGw304 zSDzLQSzh{>-VfYlexB6Ar+)DP!S}U+(r7ZE>qL;I$P6J-Kv9IpqZgtGOz%VTgV@58 zTLjUTC1wSoZ)3lujtETYq4)F@I{o8%#9H2e;ywFVF$dMy#jZm!F)8v-rkJkkqU?IynIy*TxjC zO={Xbp~ftaJ!VmeN%-~KA=j#2cMeRJ_#y<$^*AZkNXr8a11ChajP8GFRbA)m7&a#Fsi-0I-^Y?4mhfz3#(%Z= zUg4Ys1$gqL`6a!t_c;VPF3x$N2txLqBO^Z;O{_wFtWuSw7O3#|o)$leciSMwu-Z*+ zJ*J|P=HYP7{rp*Mt05}mb8PiJ67nL=yUk^?r}w}i)HJ62`iA;q2V+v*AW669mG_gd z>u;Yc>x%7hECJNHoEN2=%hgLfo{Ahtan{5$4qzWIt%E6|RTz`{{Wj^zGU#|3hy}j5 zO^-EF(ltcXB%}P>z3Qh)=_Hh9oFYxAZ)<~a1NR86drckd@QuNu>N8D5W+KVXVoiQa zQ0Qlu@Xj-a2iA*Dh!l|Kfb0NtX(2y2t4C|(!tGTYp*_YvYPP_u)v4(T4kA-&JDawl z>~br05|C0sCmX3a2I^78$L6&z8`(LH1~W2$Wb6~6PM#}qQICq`R6CA1X0l&bppw(2 zbO-?ltnvNh7>U9Zxmf)G*CPCYa*fzz3_5|^4u_^0mDFWN{8>#E5|Czog+;I4l68t%<|B}Jg1hO;osetz0I~79hgqaw(jJ&$YoGUtOY3zWX z)-JEDNb%kq_E6dfNHM#(wk8eXlcU z6vK?cD86nf3Y8d!<9Z!`oyoVh6z#T41~a71p(r8vK|hX`Fbbo+ZxFwrR;Q3>s*5ZO z@sFu@Se7&=s^l4QvR_BlBWjT=qzoEqO3yX8ZpF;Grw_@GeZ@&JImvto*dPJH6eLj>EW%i?#|uv7PRScWDw%!?=e% z+l3)p&-T#0w+SJ#o!(f%rHGw?brrg_4bofB@?qenpbx^hQ+z+Sg6Lfk!`@{nk9QU* z%yiKxsE*h%&pY(!);4f|Oz~I5pjmzaTchomWZ{TB`}qn$w{A7O^3PMZ0bgZzuQgQs zD1wipF>L8QUQQi7M5M5#=;&y7@`i$^v}r#YRD9es)XX;Ir%Ji`+# zYSSU)U*F#~l;H84&*FTs9`1V4yqbr?`Kl6HOwMU_yoq6s*GXS7SWec-iqGcdMB0Nkyj 
zIN+GOBnTqy)IBP72;c^-AuOvcKXe=`YVR!nQNRDZrwprp>5SB@GNl)kt$5vPl)JJi zH3{7tsd)lx?Ke+zrzB}dQljYR=OorIB1us6;>7CH{~}gy!e%nC|N&W-YY~&d+VRMj3-8-$!8U}UwbUvM98R2T;4DtAa7_< zB{vEl7iZsI98YF75D3&RElF3@@i7fx`3ajBg@{z#OI4Kg&Vfc%dD$kJ>8%>x!t0>n zGLRrD9@sfw$M?1ORY>vS{<(nc{rZwXC%fI@^SO6;`1(51)Af3Me7A3k(sh`ZEc!r;FZDCtAb~b(gy3r%@!Ai%#%30 z4Mq;cyeO2!2Ew@62v>HD2i5k4yLwe{hoAQ~90mTdsEI)X{_-Uy!S4v5#&bpm$=e&N z*R}w6D&#dJKQ>X`TRx&Oe`B}pjLI2IVUZ()%%|{r3Dh{;pntu3q^^f&6?L}bmpa0Ur7~#7VCai|1#M16dC1T(4oXo)|3pD)@Gs9<=~7zbD6ACU!6E1 zLMM6qI7*w!tcHK~N}BdCtWQ<#JlSb_sdtUK>o{v73V1RswMjYjODb0oardcm3t*J6^#8e!h3XIq5Ey4%f*bT2{#5hH4$a2zNbWQrw(|u4A z`{WxbFvV5aG#V?LSSG=m5wXV0@YDA76O>3$mhKvgW!q!?9fG1`rlVz?|8R?wdK%tW z`?0h+Hn;;3YbD89g&2yyQRKfzlFcn*iz`h|`A!*d2*(qV*k&C-^#mE3$YTtr34Ohu ze$7!3QgR8nWa3byPE)iqh_614uy+29Ec_?-G@lGQRZ7X)I|5&mC_XkYe!Q0(;i9w_ zno3;m8I3z2!^jPz7Y5Z%Y9i?m-NZa?JG^#?M(BFJsWRD}wI3R~8t}q~VXOqsGu+Q6ZLsVahU+n$uH z!7u*g^xi!DyN_z?0V5kFgR@2%F$ni;h9`XFa08G+*;~>UHf;dRXLr{qyvyc~$z+m} zXHar;#1%4n$Ff;BN0*7_W*2@DM|$$LAKcQkHcLT`;zm(&^e23+A+Z;>UQ_ER%8;m3hru>5H1)vXH4w##kf9F%e6St$F;?6dZaYc zx=U9`9nAP?rDJq!xa|>Zk9?2Y6TYvr2tH|PHXM@4*`v3K2euVH?f~S1MCC4*KtvEo zIJzVsn3^|szUSv=N<(wvv}DZnHwkwQJXgMw6)U(!02?1RKaSGM&f~Q!{>_nszFU>fb6c!eblb*9X%ZN0dR_?_@+Qvm}vrP0GR zXdu6mNRQFq%A%!Vi2|~9USf#Y&t><~lT=jQhqBbZzkqPAD$C7qJN?fU&~>6UnK<35 z+0uzo>598!4HR`;Jq*XzY3*S|xM?1;A1tfd^9DuuE8*bKpq6V&Q_wu9OBiVmQ&IEM zCUM3b}y~%#<-nKwf`Ejxt;h^}bS>g}tK~8og8=0xH908Sk-81vWn~-+mN)& zl1?&$vBiACr>*+42bsvO2L0K`iF^Lve*?MQbh+BKWnMMZ=+)!5Nx+aO`_}Hgc}wPQ zw;Shfc`>&|2R=+)@nCKW_Pi>hf?wutv)9*t2OnNdUE!MMZnaxt##os!x4&5bXK2mF z$i(LFBr;3a7~cKL71e*fvJq81Kota2m3bL68g*;InW_W%E&$T{l@Vgi$Ctyt+ZY=- zu-Gy!TJ0d@s!I|!s%0^VS}QU_>JzcOk^S-X=qAhv=|}+U{f+o-Qv&My zEQ^(8^^x$Uf%}Vo=yP<%PH+~;+hlo3jPQ#1rJi?gjw%NGlYbM>xF0iCRA;zxp-47; zgA|&NK_>xN;m#)5JGZPYhae)2h4f@so7uXB0{7JO%*?}|np{w{$~gMU5kY8bIUy8f z5m+{gVQB`NlAb{)GX-WHf&M+_IzifY+oBT0w#&=i8w)hI5=I%=Hjy6AH4W*uxMb4Z zak@T(V7aO97VE=Jp0@O^X48l}f2?zYMUxOTrPk+~t4|eU=wzKmS%2H8+^(%bNeTxh 
zYf|rI8m2=TMVwLch3V+?F(e2sC-U6QBRlFOjk#innCrCsNR0z9@CUPBmbNeTJw+TU!JNvG1H_z{d9X<_GMM?1l;II4 zg}oUT@pj3-{!FNmvR!CJZcFCBwDd3u><+^;kSVZO7RH>m?CvLhmsC}GFd_mEoIZ#U zxT=e^;qmOyYw`{OuWDeP!T6?orfa^Lfgps9LPyb4hAb}E-=1nf04Y?t(=PyL6v<2P zU=+z;x!vj@oT0T)LnWKpR!=sU@9BDkT9mci)8amWneVcnxJ`RQU+Ky`YR%L-J80-O z_3gNCu?mFEu*z+y=0JdU)JN}*v~TGZ3)zM@6MxqT!js5Wr24r%XmgI=jii=mzR7l% zm6M1##(tPo5%?bESXtguPC5PGr*w1_BuBINLxiZUG0f6E1wc%o_OsA4&bh{j?}C(@F)zTTcTBRj`ZS9Cgs zqHWtukFqy4GTISum~O2CKUvPWE$gLY<@&n^|8*#=D_atcSP&BX+6A+ekdyH0>b74s z+w+C1p@Y4aaep1DhG0&&IwuKaR1nDbby)oGtz&{hQnj zY4KB??$D110R@m<{MFrW=+0+R_L4YLqYcY*SP9_LyxTm-=|zobhJFt$ho5%iejcl;K8ziI`zX=K=hOt-uaTAXmM7U zfu}PKJqJn;K|uk){jLYFSlxXkflB)}5SN3#6+=yQiG~F55B#fXz?*er*=r8)A61q* z1b0$hhbw$b>xn}Vid>AWTKA;hG5XRaM}MI)e1!sJ#~@IcL0(t971g7Ob=78uaWSUA zlN#D;0+B}KJ#IaSEZ-O1bz>pLdZ)zV(@d*LJQ%!OL=+{;{=ZCSQ+d-CFQ<3N-!Eb_ z`Lp+SSx?K80bOh#s^G*HoK&4lO%5OYwI5L_ns7UG+1hlJQjxs8fT(&GVq}ZnvccOn z?JNM=9eX!2>UAMO9!-I>Mw3N`DYM)2O~rZ@H;GX#-^e^7KEgM%Is#5_4r(gmE;S|Q zZpD$uzHe_GykPG%j&7jN$mWB(LfaICk9{o<&hWmDUwOcExnY?-nWCt*NB?9s`ys>| zdjFMvCrduf<3_Wt+dfpGsL1!eFRv{S`YTNhr;wk(lj!RInuzRAbAKL(f52)`xp3U% zJkg-=m_v-F<_u7m`%ch+(#{Er$y^HZb#tgCmvovjRw<87e0fojtV1|H<((HG&6 zcDlS63qGQS1e^<&3Oewkp8Gq-6cVY$xj+odF{CiLF$~Q#c7#y@~kTNI9_RZ~4Dyd5>SaXLu?_ z*sAK61@_4S)rJI7t1HfSN@#L2FcZUl&tqF2yhr12T@!})(BEuP={om;RGdrKaLBWF zn{|(20JJ4o{1?`KQCK+inT&SidAzDHEMN%=Fb<@16!ADYA^!7UfQ{u54>PW%K2z}@ z#W@z*#`qPvb|AndGG`rp!=NLphIYez;cE9t6KnHb)x)gz6k>pt-lSZMf3cu#u^6zq$Q-_=08#Q_F-)d4Ipmg zQI8ZK4?&(;lS_;7qI*9-L1^lPW~OVlHGdA?r`{gWQt0L+t3&nNw2S;JQFTZlJ^b=) za_j6kKr?Wb{&7ycW&K%afFYZM{tLu`f}!|@Fujm zLBf2PjN4&$3qL(ydOG^SxHmFnGumwSJk8Y)e4NH+uBov?9b#{Ifm^AzNp=j`zX)$) z8pXmi9dck4RuvyUc+Suc$3q1^EN#adY`n2hF%*m@>kM8>)+NS zjXJsLcnDgCk54J^20jY3Ga?cFVi`q4;T9A*3Z2Y?1~$7h)(Bjy^Q7Dg)NZR0p%qJ~ zA(-jPIAW6s{jSGnKcSA#lGkry&fY^wZXsstsZHKm54WJ?-k{wcjLuxlccgmcFy)yw6Xs{jn4$Af{%f*ypUpk z_Id=efu|*wjT5K1P#UWIF8Sd;Fi)#|CCG5=lzdoxAY@@DPJ|(>x}}LLMJ6WV&{J0e zt85WcL&xscg1sR3vwDhW@}f^*TP}KtZQJ|!gXC$YasVkHgMT~R$D<}r7|EreG+4R3 
zQ;tFL_-8)fwrE{!kw8+_RRCV)304^!fs{%QEu1pZVV)RRKdigQ6PNf69p{2KyLa0k z$|gKRF2_pC=6Y204raF&pZ3oIhj1j3x{+iLan?ibx^1mmS8J6+ifgk!aZ42s@U+V1 zs!hT+hepU=@{S}S7{kO3+$6PEoXpJ~>kC7MlQ8mh9aIkTfbPY-A8;~PdH8ef+N?de z+3=br992~59s}#gMT3HPcR{7QiNASpnm{$(u5w}9N1*I#zel2OkoDFJ5%V7@uk3$Sv06?1VR8tRu79DGUsHl@a z-X=Ixb1*RY>bJox=#1G&Gfw9D)HYJK>E5&wb3=mX8ev*e3(TS&J7vNv1;Td%_h1pb_%!LQ{K`f?vGg-xe)tH zg7tTzy-gWedX}**iASseb9kBN<1%PLV;L*&8@ z$~ssCi|V_idI=VZr5A_KVXxVJybE91rZ^p6nu(QcDR{`N1oa^a*8~&bFLT1**4j?~ z_Qf&D`IZD;ULc~_*WK#fk_2`g^&;Y1DC)7RDZlA1Qu^PVkkfQY&!o=NQAWB zpi+h9K=S+%wzJa;j+>o@jh~6QczC|Zody`M$(H(Z34B0FVnkKV+rUYq;ph<_!Re*a ze$6O^b~9%C5Q@Q%?h{s*7p3u|oJe$h#yK@qi2*|G?^Pad`_-Cfv%!Gn%TnHT*`}@) zx}KoIw`@Ea39defTb z5DpRl&5L$}9u{+~#U(`GXI5zLhsigvWB_#^8>W+(Y=Sjfi2E{iDIc829McU`KvpRU_WpKTrP1>`AF1kOrKZ06u>W`fbMQmk9f$J;ND`8S$Ku#4S_sdnXXd%{+lVu=vhWTETWNkCp?;@8{!KZ(&}Zd`u;k>^BAtUbOb!C) zOW%J3oNig%z{rMG@Z_s>Jex<6tWa~51Yb> zR@Be-D^!q4Kbs`vQpswK0J{eTfH$+_mz?JG;+~&sf`{2EC$J2M^%|w>sT62YTw5xW zmppLT#SJj|OHkiR=9iG$-4Y35dj{34z@0|B3m(nq1kCB9upsXxDV0EJMZO z%ws*KDpMzZJoy-eo=#++xqw0&&!g~8P`%V&7B-X-E(uL*V*nK^gQ41;@9oT>+Ym&R6#@2PAaw-A~p0#aWo7DgA_VS0sw1~@WHO)l^#$;;%oW% z5L7`8Mtl{oT!o0KkkGDV#1`c?&(MrQg0Pfl;mxc%1)s^H3P{yGofCRFNL%>wvyM4}uP>e;XuVU3< z<6X;$p$Hk6ap-eIIFeMj;!7Z?Mm}}-wmJvqUqs_mBgP+xxzBxuf#WUzUY`#v`!qsz zmcsR$Q7w1Hb>V}7MVGoDdx-ao=owbMu#SbILfd`_E#qx|?7F!eLKBi`$5!|jb;-Jc z8hA9I*J?o}%$|BLaE+5zpNlmcZY7<`($s80mLvOtf{oVqLMb+9#dQz#3wf19o}%a94k6neJ85ZXKDA9w zcuH%rPVlEI#v%XlN^w(~x>?Qd%v~cjOW<53Zaj1Wd#^SK8FHYI)K&?q!}O_gVVzVX z8M78qJaL1XDkbU~^0IWyydZ3uJ6ir%>ZZm=W&eJ;(n@a3-qE$Ua~I?}L>su9zx4uS zQQcj+O0)mf%Oc$Z)jd0JpiY72xyh18`n9f2D8Rdk%j_nK<+MmzijFe+W6g)ujHM=f zaT4?Mig%ofPdn?w9Sou9W{!?{tK_9uZ7Xj|^IN>5jE&lDVQ|w`qr8qPgGymz{hfC- z>|I?-OmSR7dXl%i7`=i zZ~as1AIp}zr7nXhY#$n^`1o9lB39S`i%j(k^+J1^v|}ya_y%v^#2#ea*UJ}Ed(d+(oMYn1; zgJ$`?-ni;`6T46ccG;DGM>{p@A`ewD!~?2lUIO1tVo~V$3tfniM%jI>kW5Q=A95h7 zTx@~Q8YVW1h+OYTe3sz(o?ro09(K4Hx@k}wU_I~iFd7#HtRit*Rd45Nt z(#egeFYuUJPKq|6(tJcmJZ1hSrvF1t-xu;+U7roCi?L{ 
zD4}jca!!begS!F857_<|u7ovYxy5D4|6-{}fg|Z1nfIV#9t7peyRk`ZX6oUeubNp> z7h~A&@z&N|FfBj;iG6krIag16r02_NKYq;WENa5^mAkE|F#zD;?AwyjZLNmcCTH8p zDUGK7FUN9oQlq2Y{dr8$ZcAYvD{~q8&%~x=!cLh2nDVb0tSkJzk`Eafs5}VuPsy&@ z^c#+#s#8tWhVGCsndEJ|K+#CJ0}Z#|75T#Eh`4EzVB6%%Vqu5N?4aBAlDJT-f@D83 zORLMREbS@Xv5rMJjMPSlG_dow01`3GL31n%WQNTSh=N2)n$@`b5w0;lwmm3yc^D)#M0X#<3Ta! zcovghCB4asFLRCWjK zE$1g@YtUVBXtB4)8d-Ge0);c6^`9@R@)VX_TMuY zBP@|S!#416a^|3l`g(y9bBtrE!T?OT-aX%k&=y9(tb8{S=JsZwm?k*TFvfcJ-;UG2 z|K=8(drr7?E>Z%XQ({ZLLtD;=n}rF&uU-A13MFTX`x|rbpnEF`rUJz5eoqra*JXFWhRtI5(nVk-iK`wrY8^SFJ!4yodw zu2=3UUZAPTbAf3l4-M}dwliNeSa)28GnKar|1jo>XiH%Qyb25Caa!$J$1c!JZwat6 z*^x;?Kpyw&KBwwCs!(UELSZ|2ZBzx6wgB?|#EgPfMv&qCyd1m~AKvx+uz$TBN@{$) zzS`XAbp9NFO?^bXsFFQSB+&J6uF-g4?_O9V`GlAhimmmj3Q1iOW+d%TPH+Ne+O2iL zc%Y*;Zz4Ja)y5d-T*0&AZx%D^j2W#snWHZX!Mg_450wqj736Q{xHS1}8=mT)#WQh| z^NLXUryX}2kA6jL{af#8Om+^jW(QzEK3M+Okm4%b9U$iGr8+Z=z?@*IfZ9oNiCB$e zv!?#nvhP@nBG{SOuB#M>`N{u#IT>z02(Hsxq`M5Q)v z<#?lBSX6tp=NAwfmzmcXmHvFG_C^)*jr{6qwC@E4ID(c2bN{#z39e__2Y^|Om&-E( z&;zF7g23xp^6~Lt1a*Bug|_hh7gJba@}u<;=@>G=(6ZQ6u~i+L#^G2Aia4Ie3&7M( zN`~W00h#i`g1wFWZCCdpLgPsb#XBH8QngJoFhDV#mA~M%rvX?gUOlT&@Ny)x#h(`s zvAEq88o?A%X6AE%OgM#>Si<6b*B(`8A#SkhcQ^3w)ghO?oun|Z`@Cu!0@pdvJCbaj&IM^B?ec%v4x}D zA1l-!N$ZBp^xx8hf{%YTSILTo=nci<~#uj{YtDM#HOa2y3Mczu`l;wcE1TOTCAG-eeahYq#|HdU5z5SWS1 zqv4mwk!-q`dNKKgZF*d(cfb-`e|Wt=zgJD|eAw4AJ=K3aPrfoe_~^QFRJUj5f4aEe z>~rT^Joe5b$nD>I8UQ`A!4>UpVzaDqCKVS$9Kk~xNPrjf18IgY3qftq)4TNVyDzYs z0xIKjUa{>2&=RHR+9;fYG(GuSHc`P2u33_snKbe~YPKd{9RdXv7ta`&QhPKVXXI0S zv7x#C1w!Gji1x3`k!wgX(L$swM81GdG|8i|xRLFz=27v{76T?Tv57F#zgU^*v>&Q~ zu&FO;fOs&Ps>z2qk_Q$8$Cda<@E@|Resve+*L0Q@LtxJ1pKM zXSOXzI@M?RiA;|2ogW)($(GQ(CfZjyB{g#fu3kBMIs!Z9m|~H;KX= z3em~|((aKMAG0k}P*@!kPwKq5g_jtGH245xMRhLxMW@}JzflV(RoSI%)$K!S41hYN z-pAfYc=X8>U9I%Xrl~bsEvLcIsiFjvhx+oyU_-uePdIgzv5$!MIp556&X%2PBkk$` zLl=4)x+|Gle*EcFz*|AMMl4@<-`a! 
zm@gQNGkF~VG9RSk>2HdbKat(?j9M%&P?TP2%h5)X5&d@a`AiG=(1x<@olJ|4R*0%r zBMyj=SO@I7_K<#zkj-lf>-Pq>?$*BHYjy~`OZHxVwep>b%U!XwQytW!9v`JT`zQWr zMTmLN#hdyux^L~n9sJ7FM}crxkO2{%5>o?;{7k6JoX2-%c99JT8Y^8-e0NT7m`F-P>T zIdM9|Ru<`?^DGIlqPsH65X%_I+4!>g)HO$g^4~t@4Wque;An%hdam8(HFaEib9EH> zj1$ljpg)0RwyEFF(t&MuWB%uQi0UJtP8Nx~XaAI#$xMRxZ;ZO?kzS*&BXK4I8z8eC zg~JQA3gxz3Hi`{^b4dszRU?e3q-wxT%kZJ{L9KXeN@R?qkVY#!fQ_Ec)3#3-rJH53 zov_GZYqoQ~x^<>!ua1`91Kigj);wQWKn@Sh8g0g&*i%gm6QJ z-de12ybRX3WbRO=z%+dm<(HH~B7*|8nzNmE@BU!{ezq>-VeyYn({O{6Yfd+^PZGG+ zDkDZpp(!$xLBX3$=B<>hLbz`AxjTuRB;f(xgq1G~X;2Xlr?Lp2SQ=EwJ3lQZzSNsL z8Rz3SZBDHNv%Y8x)XrsMyGpk3iMJ7^yi`0FanYN_GCL2LAgupmNYO|qB46m(=g6{o zRBP=Z&76)OxaA~wAH@L+&?~56tQ$hHgz%C%VGZAU)v%v#XKxNOOOfz#6<}&4)CYXq zS(^u-H%#(vw{4fzb`N=Scd?6Wv9>>UWMBwJCft^pqdI7Cz-ng6Bo*5TGJJVWd;T*o z67Lem`T{xcOt99WNqY6pUQ<^zUT+HtJ_RE9djP5C-5+@;6X@l%5t19`uVGqXYE(0c zrMWgWB`PuV+L11b7qb@$u8$M)SiRR@>KiX?W`xNhHC*v=Ap6aBPO9}vi5)Sfvf|D>F__m`YRAvmB=Y8^Hp}^Kgvd<}{(hpWdRZbX$c9tk- z99iqsM)0^wqg6W}cYUc+y;+gwQ7;Zn1+e=ecPAfOcw4@#*L1k`d|W{C@EdAEW9s5* zifyc}AL*ttJ1sXjtm=-f@7a-grGM>)ruPD5MOL21;V(-k@7duV4Sd{v)JEOubtG0e ze9$bia8+AO+3gBluTwp^pcMy8gHUKac7RG#HA&W3-R<=ZFZc|tX2O5&>#)lxxSGT?t$ zqwS2=W8ITlh_$`E`7y@xj(=^T|0mi#+S|HR6ndOCd>8Y>$@%_fHI8eu4NhxwIYvWRdY{S z@ATj-Ued`;`KRIV?MN9>>&6YEDu5+1j}2QthUiW3;F(3_l0-eNpIYYv27a*6oQ)Fe z)E*3d@*ktwikWw#H=LgU~!B4sO?uLbZ;bNcSEwv)B45#;HGBj-W3_$F?5PVncF06e`vBqQZ z_LRNsfrktNy_-Raxa3EiOJ3ikLhg^^mChQAbL1#ZBD)?ORsm|TvtSjO_KIVT6dKdo-_U;*!FKH>2Hd8dXqAow_sb%7i!i3pWo2Q9>R*XD$Z2R@1I(3mQY@vdu$iHoS0oPZ9qJI_5McBQZ}%qm+9lD@IRaL^4Kn+z zL-Xn%MIBDz@PnQY!PA#bMgvo%oS$c}&X1fPkBiclX@`^?D1k*LZ)W3ZA30GCrJ<-8 z@e}Twp~jNrDEf3MZRHKJtVVt*@3VV_-57r~(6gaW{?gnQ5FWB$&m<}=(3Ap;pd?;_ z6`?1OseF$f8Fp;Bf~Qepr(|XMTtw}ReAPdzQyhy#e8O~N>7j~_96n=9NpbJ*YYljs z1`zn1qOvgj>!bVoVqbnLxczGhfMO#EYQ$1P zZ(dxs1e7NG%8H51HW-dAK5}|>$n=n1v1UHT-(?URE*&lszce*LTV1kaxto=**e5aI z{qO<8^2DKf`g(eKYBjX8lGOiD7z{?0=?`J;ez3{)2+gfN4-q5ei z`HYcFVefZy9|ej+O3wb*>|6@;S&EJZ@dp<%R<1$l;!UyVMKsXq^2(OJF$CHe)KF97 
z(zvkguA)g%q2l@DC#MXTg<$3#xfb@##I16Y2Y+f9c#%$;^`EbhMTG`&4_o|}Z&O{{ zz6|}zE8Di%h+SWDair2SGAe9B*Y&B=<0BYvp@eYad#KwYpB-CTG$|wQ;958r+DrFo zOzau4$lao8Yl=_tI)OGhxT#p3v@3|Ac;<6FkYmPLfECI=lXtNhLq70hxZD{HH(Ynn zr&FoQUZH5L&^9ROovRi+9o%PHTRj9M9GGdgfbq(+y39p(%EL0>fF&J4+~~&>(*Qy9 zz&ET?*-&BbW%Fr2A}}(R&it>Fu2|W>i71RnyBhc}_uMnC%?0gNls@Jjv*GS%VD>)Y zZ{v}dTd@{Po4gdar}xtaNWlkN`Q2BY>5x+L5A~8pnhtGC_WEQ31hY69R|DY!Vc7!Z zri6;cskyZKQ-TYbk~o4R)(EX!c;7~wD1Np2tj+IUFt-|$GF?nr-fWSX)xH7`W-DOOO*##Mu^+im^^n^zk=&}{_dLwDsW?qMnJ$Zbz*Ls@DhFN6l;v_!Dmp^DPVVLodpt@{i@u2oaV)% z4v#^-7y={+jYua`H)capc~=`J=)J5B-nvgk^}|k(c>XI@m8Mv=*>}f-8*c14 z^wzD~x;#{x$Qj0DucJjB3-EKO6>aKA36VNXRp->-AN@2)*pX2|G{Vt%DB@qY2)5VR|#->8Q7*NQi#^^R`K0k3`g5hYeX%U zQFh`4Yp7>y7zIj-m$6n@2A(1ZtfN*R`r)a_^?bz}s7TWIz}8*NRg7UY8a+Ex3jc$* zcj^))SQd5Lwr$(CJ=?Zz+qP}nwtKd_XWO>z(`&D@$2j*7+?R@s%u!h{SydSkUq&Ew z9E#pXw@h9rf*rYhG5w^fD_J*QQd-=&AVo80LQF#f*cfQWZyx8<++kTRD{F{BC<}Su zQHR+^_%habsTbYyLDnRzNxekP7ByiZo1qoToD}SI_j(@R$xq=xmsn3nwNM_x|CiU+ zHct5S&V4kvQB2V1-p2-XViv^U+6y`L? 
zgGphuh*iX80?uZvh)qW!pEAH@m{7_gVjx{R3SBz{TRQ;b)|4l4gtbA>hg{zS3wJp6 zWo!3Z+gZS&7S5p>H9*3BmJja?n8WBs+dkp$I*4F!m5!GWhLL5l zv4z}|)@f^Yyzf^L-(6q<^c&;v8UBCav^%QiceKTx#LR*Z6=qhAEd_c9yQv~!E2U=E zIoZgZaquAV!@0HqVf1i&tVGfj?VW@{DA(UB@l1KbsS+7N?5X#J7D957rss`RG3cR& zZXo1yof76X8U&@a|E2d}Y=v4{U6}Imi>?f(7P70k53CI;2eac7-$*4|bZQ7PRQ+}5 zfAVSBOR@jTUOpZzRmG>3LneF*!mg(jq#$g&7!wgvr4MPNal4LrUWrqQdE*1FRK?d&FgnHgaR+g2#XV4ZImpPULgj^-M zQg(`jHZ4Wy_s9wPBH(s3fuz0drZb)DMh&B~C8HDmHkdBwO{63e3ILD7$*f;@U%9Ya zu-dskS7L?ldN7aq``*_;RSiThd8%=l{WpCbg{WOiJZWRwr$bRI8|nbT=*`>Y1^Z5p zpUa(2{w>E$DjyrZForwSZ6v8Ka5uYqm$UXF42M(V9c)n|Itl;|NGH7A>M0-{ zWImXkv^x6xAHv*#7!>e;Xz0#XoYg?V{qESHIW3hNI3J^Z%sQaLzlj85$=fL{d!fu{ zW*}B{gn#C%10`Y<=TOmD5I%N&wDnTxt@PGLDTt>La{D^lLowzRgCBwkoq@K4EV2+~ zCzcg53!PdS{aC#HrIh6>AfTsE{>&#G@# zS7xq&2d>$59eKU`+&z2B85rMRLDYk5h;!sWcriWu&Xxh(uR{B{O-At0u9uL6(iqbc zb%ea6S29CudX?C=-<2LQzEFFF{XmzFW(_n*w|a6bk207tfsapa-Z4(w=8jNT70MBV z5IxGm=fHPnHUt3{p2Fa|{mC4^9q}~!Q>}O%Ac;w)fvgJNwdj_ly*Sp*ho;+9)kOg> zw9NiQK`63f>lJ1TC;LZWYAu9wKipb<{=mFzU4 zTQmUJ-`P!+z5q#IY!~Yu9>QnM)Y`YP3Ls=J0*l3Waa3j63eaq)+Q$=6_mXuW8sU%* z-X|*2>b%|^^(YTHocup<_Ww4+$}FPk@&AX@&iyZVz4t3#S{QpjeR*;I)9<+P3uXT@ z+&>wNy*wh1Nw8TM2a|3a|3hToH2?O^@$ugM0^B#2|2yaZgMqv8Ah$1R3+6SapBI^V ztEfiiuUxmh-?M%O{7u$h{s=2I&YnIS)Ri|YWtuL=n;fn>cg$-~4y-lzYvyD^tYZ_| zqf$teL!bx?PXZ2}K%y1}@rwNZcrD}a&dc`p@cukFnDG1l3_Hjxy&dYy^Y*yk{yKms zCm$Q*|GpYwXIDe#Urc)8|8@FVeLsD_iaXvp5hWxg(ep#QUf>1ldD;1bR~@bWuQw=r8Z& zBi*5@Xc{jimZzy8rb1O%a*AE81-=Sb%WyV#ZvQ!8fY+Or!)s}|IIX0~&&J43hn0JRmm@Bk^+gc{+W? 
zU9g}0W}E00q3<9HJ@QC_YSi>jA-Mz%?F|?mJwmZ|Rkk{#IdNk$A7jZDp@)DxR5orO zmJcR$%)0qKw~8Ksee$M3=WfAu8O;W3B;y$RuLMGS7^V8F`>P?OALditpv>Ki*Ty8w z!kBYVicewhh{Hbx=VXXzboL?pu;wkIyXTMj6tlSR;vr>WmD)<$kJ)%y!d9}w#(hCh zB;o?M(_D9Ns|L!!)Hc6%SFgqbZe$(x@(h8Uc|Pjw1d0wRX55CIC#A1CLb0A%q>!NY zpY8DUcY?Qq6y!7JI!-!c_%ujG8yyHQrwo?dx|^>% z%oJiKH#(T&kt`cT)3N&sXJpT#UaSrRi`HPC7u(bw3c~lvz}@U730JX*r3Lp;HTCVp z&CfwiS1an;id*Y0cVuqg8DnU}xI3pHOm!=*0B%ZAj?Nw1h+~lbPgH8QI!-mcl?>hq z?vooaqOHb@fb`&iXOTKEoXXor4^hWFc5YJpO}EQ?ruV$>hv+Jk#{Dqs z<2$-(rP-)|yYcdD;mw0>B87_a(TBk%3YhiVNCpP>udbZcMIfz9(ld_(GTZ8DGs4HA zH_S4(EgCW8Ae;gH*x)bvq!T~0+g)zrwpwq6dZ5x7E~IbDD*TrdBzzgh6I)jz>@}@o ziW_cni3ef{|aZIe27v*Ass zT+dxPH#s$9d#N|5Nk!>LAL6E|HYqc6?r9$c4aYKz$(BEof?!%{a5xQHf=bT*)9t&{^$J&q($_7aI0Xj+=0BS|u z>VZX8;zSb+3yVL8wCm1e0#naL1HQPdU82A-AyI>|FrR#K(7GdUbsa?Fc3WVe2z9xM zG5CNhwiLiV@on7_HUNfR`vV%BQS+8D(D$?iM=kCBX@@tU736Zqh+dt-m4u2g&*8HS5n1u-ffyTlYR-5k-HoNL}1t;?>w-9eDf&zqr*|M_oobaSY6p2Y4|4 zQ1q(IQddt*!3<#Nbd6p9A*DBlsLu2O2g#gk^otQ_o1|-5U*L64`Xi*6R^iJoT-q&l zLEwb-yY@7pox)|y+3)vQh5o%bFbK~lOJQJz6F#J$_98J!ukI&^55ER27#RmXStc8c zmp1R>v-J|N%}m1O=l~h)_zRm;lwq@qa?4t_Xe~l$EzmU&B4QxHYW&7H7SJ8@!`)k>7^ewP!-ND-AAcNL<$a=y_+i+qwN6FV0^&#c@BhR$7#d zb7W$gTrwk(c{xias5ZUX&+GbM=$rXo?|-3h4Y#Nn$T$WWbA=)ui#=}@lA|hAr-UJC zF)1nw+u(L0*N8OhX=uL$aB`$r)QY5CQwq~|GEO}^`3Q0pMeB$z))^37T~Lkzp+qk# zry|KYW8jtLW&#URz*Z&ZOxqJFC7Wp6P{N;~M>tJkCO}erHmu+4AAyMh)ExiBFily3 z31sRIb?>v=aeh;D?>PB@9748OekdzdE#uha%b^e>_@OAe8XeA1I#XaC^LwPt#MQGf zW(CxAABI5pLD7zJdAcxAszfr;;TZCK7?G%&z}xRwIc0E0eT@>G(tN)}bvSBx4hDc< zRdpu$*bnn1!8KvDmlO-1uO`-Uw?zB@wYDU#~ zgm4#1DBU!iM0oxyA0>&w*GjeB!#zDTCqGpsL4M0TA^vns%^0>oL3QAJ|Lw+4I#r8U z2i%KAst7I9^ohu{T0M&wNY&_2o*QDj<`?N^3lk9?O|n5r_(i@O5nmvDR)h`qwErq5tAy$v)WMnzMXE$znXx?OlJ7)z*1EOF z#l$)Zqp)>udP2j(W1EW35gO9U(=Ao5^;hI zQi6%ELKcr(XxtmdAl@c!AK3Ri<31Xk;x={@1CZ}~&#yN8Nq(8C@|d9Yg5)bujD(CT8oNzLQIAGZ%z>Ks+W5R+~>`o`(0&X`*?hl zAEJ{|3X3oFBSLaGZ+h3|_}Kpb^4^;}0g!2}@TqL_kO12O=uWnTHTOh;CfE=iWm-Zd z<&n+-c!BFWP7TbbZiV_Y%$S|f=f=E6#Hr|qBl{x{c|k3M=C0}&U70QW9UjRJoazUN 
zMqL7fHU(%-|KYuv#0adU{(&rifhZFdskAmq{`u%1CN9O6TT)rN4=BTr<3w_Ddezcq zXE6Big(o)u^L84Ztv_iblLr-?B5vE3^PLrE0vnko)E+J+{`T1uT4y0TB* zTHpqQ)a@>2!oV#B?HJ=kJSl~&y6Hd}nT?vcsW1U3ExgP}1$(f;Wm{MC#4~mZe%s4?ca)TGdKYS|RBJzc) zLXlPSnhCG?B=^gEdw4;{?q**e8^gf&%$oRCpMSNZwG)Mw?%rWCZe+3>~KAXXVq~DmLf??rxJYzD+H{LDN0N)-2C|K2xkxD$JO_n+Px;1I!?pv zZ6pP;`?10QLr5Xq(nisSuFwROOs`*{5&5$sk^PB5HpqiQ>fy1f zd+S1|y@addcBI9ycncV{ym&OjlWV&tWyw;O?oxQgDy5MTK}+$Yy(R|`8mfr{{>*4# zl80oP%4mXlQK!FmpIb>}!n6^H4?VNBY7y}`I7k6{?7G%$EmA=wF<9?pCWc(hK})UW z>BB_J9}R6|i&l+dF^lqv$GYy_u6Kr~M8RnubEynqBa0;}ZDPPBu-I;*h3$~Cm`Fhz zYT#*8T}o{bRcR<^C9-{#S|67=5ojs`ov@}4Lzr>0AkRe0*<}>`mvklZuMKP#=!>0} z{)HIgFR*Zk7Of;feLL_s+~L3P&-^B!!BIh|!YPjt*{fQ19kQZrX@zqlfyLr*hFb z?OZ68Sr5u-XK4C#Ifm=QtuC?};0 zGz>tk%JiS}?F>OZoC{BzF2(aK;5bUDXNuopFC*eez+$t*bfa&DGQMYQUh5mX(NzfS<1V`c z_cpF|aa}aVAT|{k-pBQm=VL^M_s57JVS$qYJUtdPV&wEYG$(8 z?qn+uxigX^prH}XxCZvWsY>^leCMNH+L;>|);`&0ynGin;fS%@8z9uv9iu-zdG??% zmT-NxT`Rz;wpq>()unaNB~{rI$EMV%5)>0(iT)l>;eb=sUk*k+y>NSt~`bP%0{G#FiC{ez_X z>$)?;8n9cfZ-OimYxh28!n$K#r~RSyO?m?Z9Oe&){t4}F0PsfP(jNP-I(**QegBHf z%n_E5x)6DLo z+6}yEE^_01@x|9}j>@9FuCT^brF=Y`ft^@1FCf?a8~@dq_799#Bk~oNvZKv~B(%3} zNo(b5iRts#CU$&jvW^VQX+A3p#Todxz-h~>Q@HaC{UX^5NCrfd@ z%}`ckswg%ZW3MPql6rTis!#}odm<)UxX6cYDAAJjTqq`or5h_IA7DO{44N$_PmuhB z#oa6UC-bp*>|c^K$0IiOEi^a69)?rIS`EY_mnp_b4mC_>qtK}p#^DaE}ed)tMt}S8u*N4#Q4Im|_tPY9;tgOY|HA3Z#<82bWxH!J2V%(Q6 zFL!knmC^b17)h04sxPhRcd0t$TA0+TiV%GeZ@fp%b4qVZ^07}Ch%G= zEuK0B$8%PO9$cz4u1BX^``eQ-%q0Gr)tHqJaSXXXQNT%YgtJ8bZr?-A9dsIo(q{!d zKz6Rs7r&NuYsfd?T%#W%RwEvETsEXbSMkJ^Rq7Kd#1-r(n0*10>_y;WXx!?;H#LJ6 z0saUMg!G-Ta^N{tRSVc)w7UTC7H+hq= zDriAw_yE6?qc^;sJj6BRhsXn?8k^3cDI(abn`9h2^c|H_7Q;St(Bm_$5UDS|{MKbJWp-jY<(IFt81zMfsNzT?O0UrL;r8Jf5Gs!$Z5-lfIv^ zAC9fu?~3oY-Y2K^caOz)PP?z_^**&SKd!H|JG03lNP|+lk$0=ykmQ;lbJnej;x*75 z*2_!&Z7!xu%-VSsrUu=W+ul{+@J`smjzUWf#hwhrR(1Mu#%Sl?Esz7gvvASIwABah zDL&!sxgZc}*SDS%C(MW_>)Y*R>|e7Cb^Z&Axf5!kiORoB(2Hf~R3NU^ymh=)VLR;a zHRUwH$kC}>&Dd$sS42cwElUNJ9j?70e6+fbF_0g0HNF!_=ey!sm^rx0NK3_>n&YK> 
z1+>AofTM(_T+&qS_i52o026$Z{WEi)u_jt9IDm{z{9O}`mR0adh0at|I(-VnU%mjV zTAvr-i!8`i#rwLzkQw3BeLIzD8;$)k@DPaG)u`oHd@#Ve@!Vwd9h)}^NBbjo z=(FgDR)h&9r7}vn6_^UqR|3h8XY)h~hr{=>i_JYr;B^4cn%|7Nt@WSyl=$Sf< zSW;=WSl5FA`+EKoor0abh5R$x?Uj8kWoj-({#~ntUsLkCWnUw9gadu(Y7i!80VYP*B^Zgi$lthN3bXlURw>V*b3w4R3fS`xXXhj86jt$A8# z_Be4A=cr1WZR829x(0J=Pr9XMQrl_ck;w$JMs6~mA zei>DD<@=D9)#b&UD9>TCloFWI4?0cZ3XYf5E1j{zK7LQngzQ74D(AZ6ua@~S|0+|A zpotFVjG*GA%Uc+{24`SFas6_5eWH<4k|eT3G=G>Qng{H76C|pV8D+kdKad@8*^?tK zc9|V=A}$`MPtj*x1~W0tBiQ#-N8V86t4P+n>o24@+F9hR5co{|)aUj1M#|ZuOJ(31 zI~fbO708RD0CXs69q-e!vZUGLx&F4y1)CPC7ljO#gD-VoF*d~}g1$u}dj2WtX{+#J z|FM60oBZ8k3iAqu5GKy;V+c*dWHq8Lqa9`uZD@*3MaADt@w6B{9PJ(M1;>|5kgqY=$A3>XlZE=J<-b z=<0I2KdkyePaT32L8)IOeWUbUVaXx$6uM%xpX{U6UTX~(U}o}h&h}LF==49dreF#) zvH(`x{NrLM3)j+e(q-KhYVYdV9M?$-4V4(N2Z5BT!NM+jB(_@tBEmD}Z8~j2Qgb9&*+x2{$NAWoM1Y#~&MIwm}R(Mr1i5MY` zgdYDWi%O3kXWV-dqvvQPi+v@DoMn*e%o2lWwSi6xLqTH~ZxXEDHKxl(rSOJSNyFBw zj1B+vF+De%-H1(F?aLbR2XwBu#7DqZ`1Y*lE}qs;AL>8wBn4d=T(EPlg7rO#*!rL^ zI!Tf~k@v(rU?jZS>`;PJSj;rLV9Ylfi^2v3!8N|9+2MDp1MuVHKN+nN^e%;<3=)O} zx%>W2778r#r0*Fsj~nXk^MoED$e<3l_)1WG{R?%{?GC;4-bX?oSoADMmkoKAjTHd4 z!pF&4hkhd8rcF6AR%7=2+cCn#>IiNNrT-qXpolJ2qcIrC*T1P5vei|(f{JGmEgA;x z1}1g-^Cch|)iMcde^-wA?==6Sv-L1^n=vuGdn(=39H2&|AN=GX_jIuPZlv%gk)gHa z+leF2MNw~q@EqEZgx`$C69sk`u_K>r?bCYZtEn(`(Z!nj!%UR9*5(XusE4t7Yc6D# z{IarE;948JRd6*pu;BxJ#$yJ>Q+j{={Hn#Jwwd-l96FPN{z~9oVV0w|;B%%n@cTTP zMCP2)cN#)`_%H{SC&|s#(XTmof}7jJ?B!Qn!AZ}|EebW_f7ON)~N3z&FX z4RDCgiYe+o8xy^^^v-|MMdD1Sh@PhE?>B24xp0Fm-?C|Ss+VTW-s~yBeDTf zxtDd`=R#h=R3D1C=zow5q6(njTNGCDT&@4c9-t~1yG#qNVgcG66W-xmWGTsv9S7<- z?OssURaE6bt)O)&3H{6N%-@rgZk$wsXV{m{C}M?3#|e{=ov9$0!sJZMUi9E7ng(Wy z0*|PG%RJ0G%`yW$eVC(1;9UBE?(j!dU@T;&H9*6o47m;e@I)4wIL_FCA4L!5Z49q} zwZ0L$-zW?)8rJpPf9x4>RA2wx0LLs4#VQw4(K_-a2k6|F7tlqi+wLP{-zN-=d*nmz z(jxLD*i%g^l88;Yj1J(9SE$OXB$cR!CaWz& zYj?)3eTaj%X-2A6Vq>%?YF&BB?AaJK#VP*mH2t}nEBLZ? 
zPyu-pWWWbFGkm18Y%n5l#QZS908HU6ks<<->UQc@pYgrtRL}g#bym>gla~mMC{Rs< zA%c+2W-`ot>^hUTk^9Q@b6uPw_g(?9$wb3O>N^-RX(J2E5rEWAI;S;s3X7_I9 zVzradc%DXoPFkd8hDJ{C7GuZA3%+lwJELpfCiWBG-9GXLxq7BuBz5JQR_=p4^&8Z4 zG1Xl*v#(h@HK|_rXOBS#R=08O};&vos$O?%iwHRG$H6qSh!Xk3oDrfyM=HiLjK5jnMGC@G-APaLg zAjiAbeeVAEGD*RdPilQ9)mePU+xAnhmt9tlt{!l3^p3qmlhJ5xO}nBL)Yt7OA$#J7 zu~Km7(_u|FwSD|vPv_H5PcMEx4|zLzec!u*K&1f6dP5V!uk}w^Ji$Rbo<#5llp~fX zsi3WOHd>iYDDH7r5V+==%?HcG$;kjV60OgNOV_aXP?>F<#IE&27*}>ZTCkEPr8bch zT37$ri{kHy#?cN;DVSWz#AOgSeuh8%X`G_7J6-KA|59F7wh#;Uc&aPw^m({E9hZ_e zkU6kMR7q-I&77js*ZTeq1k$CpuB2dKNTTF$iu8R?5#^U1$hb0tn!&-kM9JoCD5K;+ z&eg-P%cOz|K4DftInA0bBlRF7W&8Y;Dj6;wZq1X7z{R>O9{zpH6b<*@Lhec{3j386 z@=r3Tpk&(o8k9Z`N%oyTUaUI5vZ$a0F3qW<4tJf2+c&!nF?AYYWc%7Nma_=!{UUro z1%K`!4<}tR4iKW5zwoEb{is9Od+2%vhtx8$I zVBX4CQHft~!G|T^x9Nsn+F{P)@Q>kE^{V$t9L)f|JghX_lpdCk)n=J0GZtpKwk|&} z*uR2skE0w46Ulnl!Jh)>sTTE+CI~n<=Gu{ODs2+N5+_pPIW-iWnhEv&ruh=H&y9zo zTqJlj5o`xhIa`Z3bmJ>&GGr+9t;wV} zAIeiQld8&9+oDqf$oyd0B}*V!J#cLs3oMhM`%W{H`s7|~pw^qEg- z4HM^dhGh!+!b`%wiI)3HXXO17t}NH#o4xRt=oEeaifWpu2)taE;_qSWKhJGw!m~On zQ*RU|1_LB+FpRrp~b* zg)AKU4%v{gf0UETI?KZbQ)2gmS0|Q4!O`<*c)Omf#SptKGgW7!0`i~E$Xv8t3Unct zq)w033mcLdkAO%+x`9n@Ywin`hiI5RGtQX_NlSofNGqg3`KzDd9%1U3R(B=;-0v%( zDK;cZRfga+M6X=q%JfQ3B%XPVLP<0gWuhuKJ^DK-hVf^;ea#yEbVTIfM+3EQWANE4 z;XC6LI;OJ1p%S;QiPt)>%0}Phah)G}*d9by0;;0yYL*>Tj2_CqJ?uXa68Oq&BvIhw92xPc1qBG)E@ zvbNmeJ-+r-_287qSd*d5oTXlA8XW2a_(C%Yp;AnxNTxz$9NyLT0R1C&!k<0;v-0v& z&(D+h^ZnuHeJt!lYQzJ|SdKSi0UE`#&mrJN;j0P_GNGIjprG934gHQ|m<4*PK|m!f zG72P=p->!}+r}o=x<%GL*RT5p^SB2?I{2`=6PDM!uA6Ze-1}yJ8fW@6u>Rw0R+sZr z<8qvSHHgQT_LR^lWPaSc$ZYQ<)rA@Xb41V+j`}v2p1iXm$44`sH8bYv3Hljx16|Mu zzGITvn7nDHK95i+WJWP5-P6J?CC7(@>%*}{4mjJo!T5ArcOAHtadr(V(N!`rN@Ufq zn35sTSn7+7t988lczMRj9tNiaHCZDY;-*2bX};d3FMIx3B7rJN!i;3*N2ytPdh!9# z!}p}bgpyiN;tAUuUFwn435&)!+o4)7A%0i=I3C{BZ=_-Zb*I|#yZ0>Y&62Us-2?n z!deNKPAs@S&~q-5N6qb#*2GntXM*`mb>BaY2)X~6ItV|P+vt<% z+JDrD}w6~w7R8N;TsQGavRXu{-Ee?p+fUy1*K&(2@U zzx~tB`z0Xfm}{clAc9h%@aOi2lb&j8@{z4DF|ydXYMj@oEz%k@rBdAMO=C{Fn@Y(_ 
z7P!l^fgE13))o?lSs2%;gY-Y~PaiJ-tk;Pj-*4jBm!>}2Z-;mCE>Lp6ue<#*{vY>; zgDiadKW}+*KaWe}5#drz(i5uPV=1jCRQ}7w!N)f5$=1`T1PX?*_?pETZ)pV!xi)UM zyzV1B%p#GtfMv*izgEexB%;tX=BI z*PCdXs$Qo)-O>X|@q*l>Db2CvXI)kp)CBKS}XQm&yjUyQPD zHB7G)%LARDhtk=J7PEJOkJ70`kJ-jgQ@y&%XiDK4faPUu8i!sYmHFdy(NOfEzv*f& z^L#=}wjAI2od)Jb7&DwNRwMlr+yAO91(46GN3W?*;~m(Wu1k^8mmy_|6ToPnu(c{T zT7WM;FSjlVU_9#{%Do&;FyY|3zM~L(gN}W42oblunS~~3H})M0KpCNBbja;-Yie5e zqSP4ZKkR@Eulaxpg>sJCZQ>E^bCrbChrY%u zPvOL((sdS$!qN+$Mxx*V8mfGx^?{ldUi^RE_5@U0mq%6u|F{bZo`TT9!_azImcOhe zIt9w$3HA%3hGZXjP)g=5BhJpc34}UXe-qFAb-mfwf>xLsDA<1~+-u|hI%v$aYgViM zqWnp83k?t!kc{vH#5AWTT96_t&0R>eY=r|^IFYH%P#{f=u~X$Iy?4YIbWdNJx-fa^ zB=eaA+rA4BxYa3%X7mW6Zl#a9T^yfv(!~1v!yn2EjQFLes7SXIn5}U#-|x0zw@R_> zdQz%ql=;=P@5a((a%e7yp{WI&6S_I+z3;z6!&WtnJ;q^3Xc{MiJy!p z6jivunb4LA)Nlm$;nF^XT*kKz(7VF79FKx-Vt&ym(sEl#-f#`0+7Y?BFwsJ2B7brE zXXFD!NiYj%kGy9XN5tP!L*5weUVaEYL}%B>NvdY>=f3N-?r@m8y?EcPQGFO!TI@vQ5C0TKQ zo$RbR%8TMEvcl|Zv&T;6t*@7uk|Mc_L^;A5h*T>}{*`-aCHYBWr+iOodm(!_FV84w zC)9*LG!}z&8Ha;OB~4N5@U@@sv7@3OgBStwBubhRsfhs8PWU1~N!jHhGlAsz{8Hq@xTvMjR9H&y_c2u$}mtw{;3q*G$@K?Hl zyY0;cSlgg#9tW_Yx;8w?8iM@jV-bT$fn)d*hlI$$q~t!+Oy~1=o)!fi%MK4gnVf7N zpdU|vLb=}O1G6*mZ%r4JY{)qZgfSt67U0z?>zw5H{CfRvJ71P+lU)B*8%mbEqD+=Ih1afE)mVEXEantsWEmNX+9p&)G$cB9v190f00hOhB2%@uUGU-EyU{2 zJD++!g%OrD7gJX0L`Z}gGMR^KD`lrhTa%CIA|nAg@Q_ZR8*drM>_FBqS^a8dfle{m z$0Pe#v7BJySQh3r+`^pWzmXjq{VhkNKI#JHOZH%P>zvVgR3Cf)64)&eiTV{pPCf*}E_@+>B%HhSO z3mBji8BGpcDWfL$(ye;3Pq!Aj?EuIG1L3BgfT?MjCTD6fS}B^&GR2oF1WVQ2Ezc9O zsy?Z1|7DOTD9T2T;lIjdhS>gtprK|$S?nr(w4l2+_s6yT5C!OYF9_R{y}2cXz`DgS zf~=6Bdb2)TGSdaTq|#Wp{CxpxJVWKgNfS;pTr@H_HCg(EtqN9NEVh@jHh2zQJ7CER zYUO?l3X!+aw&DCaQZYiup z!@znV+e!w*Ru>(Uu&3`&Ru4J3sdl*l5!GbjT%=@%Cx|iARPQ4$-G7ED5R$4aO4g?7 z7`NqM;THM7xzR3?=S~;(zuCsm;dx+Tx8PrJxM2CvHyLK2<#)YCz^;{_1tsue*jpZ= zVK`l9`4+TiSVA}qwj*Y-&mD*1;I2}{qeZXvXVt@IQot%^hzh;XZSI=Gq2eI=4) zz5K`s-x&z8TpfZ8@Xw~bq2&N-&ufJ10Je2*RwsKmTG+05rUJjb~p4%m;0p3eYi>hw(TwNjNhepGQ!+k$z$aTJcZ(6!yZM^99q-zQhSsOX?m7=gSoMKU}j1?)Qy1 
z|FW?c(76!Ii_LVE58n2aGdGaL^qi-$a{bs#L7B!Q8t_@^XgW{TojnegNHNeFXf5ul z(dyg!nq?Ivv-%CT!jjNa7e8LMb&T1H%|!mZzUQ+@+^1Fq+jQ0vpk^SD3~M*qaKVjt zhZIgbZzULKRSuVReD&g1s(E2S(XA*FYe;m7nv1UYN;(%G1KR`p1SGGT27zWU`){?7 zr@2;7&NbB5>u5L~W_=&O6T%5|6_PCTvx^28JTqpm=_=c z1sbA#RpHg)o_dOZE;iCRuj%IA=_Zd1y)L_yaXhj1_IW2rX4frv_!#SEl9t)fyWHLr z8nu!>=pP)m0OZZndmsZFro9fmSYyTtbRRwv!l7MZ0l_{JAK$&=rk5FvK5$DzD;JBAN zHXo#oGY72^%dHDXQFB#WiqRr>Pd1st4iH_YMnq5%ZMrspA0j9Mc8-ba{zzolDr?yr zm1$&NJuOBk0jsL$TJ%G#HLEOPjBN_4Ze>e$xC{vh8gQw)WT8r|4d`n<8Zjbm-@J^D zS_%C7bT2wl&+7GWi25}4$5_?@Wp_y%nzdyt_ji$HPap##drXtP2pA2a+2q5|B20}e z}vfP(C+(K3#0b~$L5^r(e!wgTkAK6?+fmH z#3`Wbz)Nb=ha8Zb9_)J=m)m7?_^?_p@xzzDuXb_o+Ruy%I@3<+pYVqZIEBDG30d># znv;jPe^xaT!z z3*7Ke9qy+r1ScKClFi^kdUDI&QF=0~JDG{iZALOH6Q$KJcR^{D)cEZFcRdu0rRm_J zFZ=2rwuOnA{|;&jYjyNI73Ff)d$*R+AzajhuX?;y?nAWDDFA6^E#L-*Plz9X;jLJ>L$wDr{D0Am*TAVwJZe-()tAZ&(2X+)k75f zjqS{~>%wP)Oaz)(N2|uaS_0cy9Fc+%gONYh6-m8(ZjpJ-`?|_P%*1kv4tni!7sVPA zyX-zJf~+A0NE41)Qk&MOv`9sYjyljy*=VTKjkFUZxZ2O?rYMzp#Bje%wOI_TaN8!C zDkjyT=n4gl9L2)RM9a}R(Bt>px@ZW%9w~g`c znQ7Yz+X-C^R-E==RLzBI)DsVzAmdKDk;8f(Don07Z_mUif{ez!914A~w8m4dpequ)<hxNLN~AdGtQPs-+@mE?T=-eX1$%P~9a4ZFRr6?HU(xGZWVgy30* z*_P7Gn##*e3*{Xx1<^S~`uakmP0N+H=Q^gp57?<`qj0!W%GhdmLr6!=pMjpw*lCJe zeVGQ6tY(xiOPJTS6s@+{zAyT%w$h=YaCn&3#|q6lmkhGD2`EZ*1E*VsssE@bJe&{D z0h!KgS}w0aZ6KcR9AY*N#ug*f=($)&d2(`B>EvL;y7f7uZwfgZ{D% zX`Rr@p=jk&Gz!eq75p2zhww1V5vM4phXIz(-xQ&?ro<-3|F2Y0&(JlJ53k?(SORmdOcbh*b()g%wr z=P+|9rve`W6SuRf2Xs|OLvLOH=)c722sFE5UTH6F?3dtFMGPm{Gp z5_XM)nD71RP?6iC9mJ+Ieb)*;HhYU!5jfOnk)@ugF6cACJ za{GDoBY8S(8EKum!)2A(J`t2)nvTABO&4?C)WTIG~F38^t za#qy!vhA7nxo5LtvwLCMFUFa{I&u4|upE+_44Ai}7Y|=ZyUEOV3kgC9&p0tK! 
z+LD|rO>e!0gRdPks+Ut?m?cy$V=1Yim;eME)?c{%_LZOZ(fqNA0f3Q2O3CI9Z_F$p zS0Gk(i#Pjdv|h7WP1YNViMwSAox(w&g*{@DLG>>0A+^pnGi$>D>wmyTs|9&y%d zUvcG>^@3V5 zoN3xn5Z1%QJqi_Qhicz87`u*!Uoy+^nv0``RmPMA_g4ERRzHM|luncU4Gw4ypPRq%p={$5apj3m7V%5}wmTF@Z58wghMA=^~>?SO3e+N6%ZSG3}bI)gc8qrDb**J~4 z=f|hk$I%f_i>7eDAzvx7j7eB1n@t?E@tgK#61elR=+LaWfpEq{!R{k^blMd{OcuSl zaNRFPbc$ngF%jgf*y0ktZjnjLu8ZiATN@HnKD#KJ6u=?7X+#lS*0Z!lKbyf_v6W5M z3!m9|)hc`XK&|TyF@l|}a>b{j`Xv_Fv{ounvu%H&3&0uKYnN93 z%3a;&C3BbliQ%nhm*+V8kSul2*KmBcR`<{wF4K8QA=i3aGBsvO z2Kerv6)wiYcOm3tz~xs55EDXSZH}c9d=l zn)9TsG_}*NV@L{pX?SA`SJ8iWB|XCx5*A}$(&Y9Yf=&{VmsIm5Hxr2Iy*;#(maYZyv+c8c8silp4c4f&Rhyv_ zT4|9}%@gqY@D+jhkVv}9(VuJ%le_jp(GH4-i+D9AZEu~C-N)>Lz88e&MvJC}u8Z9# z01l7$a-(*BZ^ev3^4*4KZ3?pR?hqsqGx2-T0H7e=x>(u6q-HznXLPTIqnR~pv7wnE z*L!9(W7W@UBKo!CTJ+5uqv)XIzVq)ygcRd*l1fpQ)$`5ab;et8fVcksAhA zItcP-(F#z0><%+dOKjznpM1qMJtgne4yHnVy%lE=hRh)AI<|JsWP41u2bpY-?lajQ z7N zRspJs>fD5k@`lz#+R5NU&|=AKfCkh~EG4_+Vle!p{n&V=%7#QMZSQ3^e7$kqCA6f8 z(VMX(dlbF9l4zRh%85va{{mMhkLX&jcl@!XBt~4t@t850H+%2;!}z*SY*1hSThZK= ze40U6-RGc?tlg)}U*2Mr9sY7@9U3lJ5Q7^d2PalwwN<*&ij+I~qshOMhx`mvkmq%` z^ClYbS@;l;v5X$&5mVDy_;sCyE4%Bvr=e3u_93UC)_zgq+OI_`&m!mAK?Kka2D9#z zbi^|q*(qPuaZOF)S=*%s+W$QVfU0PsCOmg2)n;+$4jbG$dm3&K+2beAGe$I4gE$ep zPlr6~EP6ymfHZr|l`@K()$5|PKmmn*dCDY^l697bO|o&?L>vHwcghif5RvrL4;#@7 z5E0pa`BVi^YyCl1C6h7FA_&x*h6cI2KyU#cR!zTb!vHQfsR*dMB>_J=v zU@Uf@0|ay&%*E~#3wtqY@;eY2127n)x(q;OjDp43eGXdeFl@%|6Ahy=YGJyN8-uVK zqxy`1;25slFx+JXB*)_na}T0pRJVROk66f#ygK=#`P za3*%2k(Sxm`350GcAtkBbE9`~EaXVE@zwz*2|$oUb{YUG>4hYT>^cs(q=qPownCzT zOd@+6izl}GJe5W9FyFLwHNMKIQhu0h_v~cG?!4cFfgG_q*R5Wf99dUc=COUKiTO-S zT=Iw`jeTE;bnFT?FV=NtI!Wkvz9hl+!v|NcF4poj&zRaO4S@(TUFL{#0tpd?(1aIB zR;36L0G(sCjmKZe14yxX(b1p_1gbBu;+zs98 zIYmz9Ju|f#g}F2Uol!@&T{CIAbQf=lDDIflaL2SR_z&J&CLBSX#|37#1}`v#)PoR1 z;I5o*T~cLLMD^_qiXPs&=GtWyBqGnNg6r)wh~MYS${1(QQg+9(XNs@qR3;m)S)wb+ zp3#!eVS)vig^N6mxwMKnEB+h)?!LNfecC}QY&OYdN?yIWzVU9Vy@o`98I1pH4CZEI z&C>H?Wf53CJ=UqTtVprGI5KK(v?x_A;X=mUKoBh!)EMX5cHDv+NaB 
z{TV%vxvdZgGB?}uu#F8T0d_X`jZMhDaAh!RwXQCVAz8-mFe%luaI~oVy0RNR%+%xD zQ>`pSzxX=D(ukHPJ3OwH8HqlK%4VuUZB(Oq`|75-$Cv;{sj5?S+oyxp*|Cag!`)rV zPiRU)V37&v8Mv5aT5@*B2$f5&B?T-K+*k0~h73Q9P1Wcg2UHZ(Yg69SMcP@lCKoAR zZNqv=9Tzwj2c$(3evLCy=g%VS*`JWQF3?W3Z1$FIRm=Bl9nO#w7x=u(m=khMjo5-- z5~|r+Nb}DVm59>rCHPxU>n#cNd_lLihKY03sur9dNb4pqP1!F1On12Jk+gt&_b6l# zjtJ}S6DY>cX;u~dpA~EB270Qpbf5E(8^ck(xqmLikf8gMW&N z;89NVktTJ>Q5>82{S-;xKSRRz*ktc^R#Hekib?eD2CD~p3?_N^rEmxO^e1>nq;CiM z?_@PZrf!EQ-sK-XJZ*afT19lq#M7ipJbtRgQ>00ZNs$Xj$ z#-%WfOka4CvBq7IMkFIdBqBs#^c;H0Ga~W%DUzO_B;k2vvUAKh;}e~S(wL+C2YX4* z-W2B0+V&(k2h*2>R#;zhb9Cx*p!b^{G5C0C%Og{kAt5=m6i<<^JTg_;denkmw8%8& zZW40nNQ6?9_Y;sqDxEhyxi|SZ(4#LkIgof9=(#T~Ih1r9=+cLN;7vFVF6&M@a&)qB zhyt2a@uVeBTJoeN|H`!F$Q0ctO3!_w)ZCG2xv{J#IwiMB zxQ)@Y;?i-u$+l5S;m@3k8!t~{Q*aNBQjJbG9G_}9I?eEtPBDCNdf`)~*?zJqwj*Ly z<5O!V8vkX{_+zEdj!K<%NwE?A#-+`+5@I9z45!QvC&NZ`zn3oi>7MLZgz~85*8>t? z!-2iylV0QH_V{GigDam$kWDzrH8yJ@I*sYT>gW+YlVHl~UMgx-uMbOC9h<5;B2D#x z%Ic9llLOLIN9Qz+O-ntf5_|N72h&maQ%s}#e4JF&(F;2+1$A^4_vq;dQcqhsSMg*y zoOZhVt>`|(Rp48njqWwNB7Ag@4@xy1nPz%Gis`s?%Q2~?v1z5FQc4dk5G@{$cn)hSWsmIo)5BGMCOZpt0 z@YzY{jB_Ub%*mdShc7nC^MC};uy7ld-04y`gV7leNbDT7Xd}riE}1hT;_tzUoR1bI z4G!z*IBCR^+__gsDk;H=DzK8gvG9YAaIqqkGzY`cnTiy_hR z_cRR|)kO?{O@Y%i%LEkkzlys!J47pra^;S5EJb@~W%_o-HIG(U0G zWR*aqSD;6?Q2(rirZelSfg$4UCzes!TbCg1Lv_^!NMYIDoJv_g_~<@eKnT;bzP_>A zvi$&?l(mwv7#W4Bmxf_+Q_SLq*6^ zinXyqVBu{PB~n(PUnfo79MLAC8L7*N*OXe5Rd7kMuU574g3zqo&{mY=UWM^Mr`|XM z7b);4Wk}udCxP$_6bP-e+R;2MmyHc*v36ipq)cX8@H1jr_D3NwQ6TM%Q3IQooP=}A z^egulGwMbai#+$JMW3(QbKO_Axr(Z`AerJnFz{C(%V@^d3I;Y}@%RdwLe+1U9{bld zNgkD6UY9rwvWGFG)%@o0|_lwv*7z>_!?!Z-#X6;&i*{tWYdaYP~K- z8?>Fda?VESu$2?QKM2?7pTzp*Oewk^zi9S7w^Exbr^Q?{ngSSw{cF^^@gfC;f?~aM zlFYue)-qBI$m3(^5KFn=IWMWd>qTVWBbFfcQfwX<(uxXel(Q%LrXl3) zDK}J&ao$4vA>SqbacCzV#p5j9Q4A9F4)j!=SCyIG^CW3nb@*)L0;Pc#GaAbl)jp8 zeXx*(9~Q&`7Mjh0{4nrXn6D!ln0`yiz;Dt={*_|n_!vfXd<;3BjHU|&xV7V?Ylmsk zWCKw}N-A|fGK;R?eSh_~C&9|Id3r+&(Q{5ai+gkft#;6LY*wE8CC0NzNIjrt;Jqsg 
z_aUuKf=oC`00+r_g%x*PiXvx)UXZ^Rcn}mz2H=3OdJ2;qqC7K*EzRkcBpX_+8Bu&) z@D)#Jp|dS`N{tGa+CA#;vJjdlkaR_hEx_3Upr0Gd&KGO+$G$K2^zO#sa#*`5th--5 z+Uvn@oh_+i=lP)KymM%9#mzgGfcUCT6{CgYl_8oYLv-DLbrRquYgs0U?0A!@S3q4c zbNTbti7>Lt7(rCLcS5r- z$t#qwy*q9maGQcx;p}Uku^D;Aq{g2N{rr_}%|F`t(iXO5SlhgyWerSvd_13RZF`J4yjNFw~5 zbxYb10zLY|)~GOdoZUaW7xI=D>$zd1bDO~Z3?SE@A@W*;4RQ0$>uEQ09F zXda|sTCiG})e1D|NyQv93o@yg6R)3C%-|O%6?0NC_oq0qo#vTT%wG)8iBU1Fd-4D! zb5AAP(>DEDmA$ojOf{1iiY1j~*SEa$;z6ZrNuLtYfPjf|n3 zTXg*%zR;Mk_eretE!$oPq**|c_08)iQ|W^;?uq2v0kSQU+a6S?5a( zI0-dgI>n^CM@ptRsT5PV&?k+eB+(&K2rsJqnTehCeQygq+yVc_=suw|q`p2L4-3qf zM_#R-yW7;}3V%ZtDJ4r-3JH{epi|%04yj?9u5AS^N)nMTd4XvY3rB8_XWlh&35exa zu!Jc^<XD*IwW%p0b2W+a(bN$%H7EG`SsGb0sVcl_sfR7(BG(MM~(J^1_xw zx)donzw}LR_+(~c{WZqVM$FB%1sdO(6Na=jYYnjl{bOQ9mG^&cPLB424Db(`Sg-Q_ zV?QVVr3ON#LVGLLZ`mD-+F0B4=a_rSmQ_ECn1d)B_|rX={i`xZ%;rN@Ea#p8^3H-? zV9N)t7a`x2m}-DwNC4fYG?a9NDD;9{ef{e5&p-dYjRQ9V4*rtb;GltS5l83_VzFFE zqIqwIpz&0Z`HR$a_Hy&Zzvd1uD9~wDa0>;Is~J%g2`?|ri1?bQgR`=9$1gCdhAt= z4^@l(G3jGe;s~|QuL^&vYVaegz!B>dR(%gtd;Pl|QhCGbu3yz1R&#?Y?pXD|iTL z_4$u3we)n`q?w-Hw|-7rKW|z;=dGVr`}gYfPpAFasKKT5;zaDMqf7Q~SBk75?K}8O ze#cCA!68r6sM1ieCS~c26m^AB^$g*+U8d!r&DeiH!{RH1?madmI+zU|p9vkE1^r28 zKp&j_JQ}6Dg-+}l&!>UT9pN@R1HtLq_&M8uy=bj@>~p>0lyrt2AGrGW#YDn-PH&#r z{`T5ju^ojlu+0M#d)+#KqjScFy{O|C-sO!A^!b#lE@{Gxb+n)4rro}iql14Syr`WZ zH=99dM$C=uWMbJ=#@!q+n^IMkiO4aF8*;0L`Yi}0OUWoe%-z$;WfC)m$z?LROj^%a zmq~|*L^?~ld}Po?QnQtg0y3~@e&0y-;)m!)O@NB@~ zVS}-_x>Ye`!E{H|YQCE|Odb4FWAAj@51ly-b`g~>D^0F7)#j96GmXc>Vu^G<94dbA zV4i4MvLeOXW@I6qZfuwhrcTeT`Y_OCtyJ`{vKJg`Xa!sQN(mSthPolM`rD?o^Wgmg zX`2^A;vptp20ndB^~Ps&?guYfv`P!vWK}MzU9svK<<-+EX)tYY6h;k4@mPpDoQNEM z>BZ)XGI4Q|Qj~NJgc?29-4{v9G?O`a)HdQC{|@(7-iemB2Zz|?!XDrXty#WKwcz^z z$U2pxDpJelYE;ULodLgVAyRr3F?{NR+DoRXIU_F?FP=Ym`9twbJ8BeHC^iAx9#+Ju zCGKoIctn!X^qV5{28wm>WRXDOMF4vS3td)hhQGR(T(c;noRE_h%@i|QLRHk<>~ztw zLZC@_nxViURV^QMwk>oL5N&g`Ymz8z z75SHwZ_lp2e|L8A<}|=XEY55SrA_PL&DIP$P#ys{Nj=t{O?Bfpy8^t<%?ED%D_zkn zumUPG~>0y>$-~y_f}oF)zrQy!0S!BibFx 
zJ(^{mPLvh(t&Q!LtRL1CB_r>|wb_~~V>5CIe4_ac9L9Iz%}170dhl!o&y~kh(k%?$ zlw`yCbxN`|B(E6GRfp>aB1Be$3)KO!R|S1_-&#f7-u$zoSy!~|_;5&h8!z9E(HpM40bl4_d zQtXg|6{TLD*;9ZJPhzXMUrS*PvCO(y?|&KkqeQYboH0B-2cED9kikCvNsCfsV!gdC zjaBwa6iQ3r00%2f*dI~QA%@Umj|VGI14C^2J~!eX?hWvpUTvoosUkENRx?`jJ66=A zK1A<so;nnBZ>*{6bX(w2ZLpV4=oQIT^M*glzYVDKNbQ(Wa-~Xpn{muM;7`W zU%M!Bou8tt@6#0Y9bd{fRN!=U5#L(Qdb@p$^1Trh7SUvUhH_3nUf;6&C_VQ00vqq# zxTkC_83dA{1q*6q?l}TWMyi6{F|%wbHx#?9z~K+>yASspR=h71)m*K>ZU67D#XF&$ zGw#E%B;$K25v5UpA>cISD_7KY$@D$5)sIm79k$(8UH!bi6-S_qS}S(Mv(ChlW-fSk zc*Ae@+SVht|7_Iq&H#qzUf^lrYrf2wRnv`Z`+-T}%FQ*M?lkoDt4PL_LZs{qUcAQk zP_~e;k2EhcHp6JL&*wjgf{`Svl=g-6Ix=c13cSGM2P+H_D4^!ioOP|O;p;3k1gRn~ zpS^tc;!7je(IH6{oAvCB`Syzi`EjsEGm{tONBI9s`~T0$kK{)}F3BZn|KI$N{7B|z zk?quctNFsLmJQJ>MG77{;2=vzl%;Vn-|&+VpP2}cuggsN<^Oc=LS&&PqOd)@IDsjg zl6!Dh@x zY|U&CLA86=dWp=218qOIzP{m02%E?;6r$I1sD1wOV24^>pWrB#f7G1#*7XhT;ZlyF z49+igjN`jahxhhzBV+^NjA}*xe$?d`e?I~@ zX{{yLz@DZsX@AKIeB7}pnKYYdB;8q&Vp*00xpHTHcGdxEgBoLltii)8_g2L3;YPyU zPzA+I(N8Xl7JpfgGbDTk?rk#;MMNNxLnjgs+=EcXk%FRf6H6w>&AuRhk0 zX)ksD>q#@)Q@Cz(Ok&v9tC@#U?poI^i&{ZZTvxzAW~5;EAQe67$z*8J5?TO$OG}u} zjNU*i#a!anFw;|JW8JmT=O>?&IeC6+sJy^q1e@4aO^k^4W@ej#8l%AMh=N1~=zd3e z=oFiA6`%%t^b{s;5#o7qDbns0!f=n6NI}+A_m!ZrjUGkrIu`xc$QXc|roFQaZ0bZI zQoH+VLEeef>MVnkG+c{N>qoT*kE`0%%Trcpp3tn#nhe|HDI3n6A~tWxnnOU5^`#2= zuIYg=nrtvw1wZh|VFkztm7`^q+%oO#aS7ndCDakhXpyjV|Gq-^gVdM@K8`)Ys4$g) zP-h;&CtJ7P9PnQf=9A{MHPN$7i5a!f7@o{Z&;Az^uN;MW%N0txv zd}4zRPKjn&hJ2$|r9frSqS2W+^xU3h_8u|R$i)SzPl(NB2 z+sfJ{{MUF=-2cy4J-V%j<=HuPPD-S+#mkvqg74$=)5aG=K7aP|*^3i1=a;8u_APJ9 z%lV5_;wiJ)>Cw)Nsg6J8yl^QFLZ&w8#BSnXw`OJtiD<-f?!+bLS~n-wSWU+o-9TKE z&y3mh*)Y-9{S5j$hTIiFtd`*moVhdMdjHnaqZ9T+?_n48v{m)5P*8OpQv ztd~Cv?I|Ix$9)}BHhxm&r5k-{b}4md39Lp;UV}j6es6%8Vv;bWSW1>#u=ZQ1LWT1L z9HQ6Id-W!xO7rBaOeD8v?vbvUzBfBFEy&q-*W@)3_g$AN&zV(o-IN^Ywq%NUqJ zpdREj*`U|Y-U+ggrBHsKsau<|kTDkH^qHlb-_U!-aJow~UGrx)WQxT^>aNs{IeLSC z-(7BO?_AR>o-s@ZffMW?Ng@yqV5PUBBKH(in}DY*$PF*QBySvYzYY9tKI8Axj;t;% 
z?lM+j*D&(Suw|RTLf)X$BoJSB#6IdTj%MWO<4T$T6?&zP7UVpy!RL6fVp1ZtESY`5 z+b3VO6_F<)3h(z3L&&JfsUY`8LuPkI_5p@_ZHTpY*Hcd(pG4%wZsV;~R5&EQawSob zi{Pan1x;~Wzv9TW^^1=3;k`dGPY;2fuN;=)%tpas*aug2BX5_>t^2y+z%3$#z$*Kv zXDPdTrc(N1217tf38cYy=1CPfdT~@k@MYUsd){?BZ;vY>>w$oy|M?L)5fVm}(1K)) z-Z5vf8%DFm;N;Um-w=tsRwGeYYvd5PievYN%Mz0nLjk@LGGP|q3!8XXM=`A}np@k6 z@sl!m5)F5Oy`R61Unlnln5qT;XT`|*YscVACKVJM(In;S*1J$OwlYUad~%l4A4Eak ze06Pyb^0?c+5@2w+zNR$Y){xO{h^Y~=p|8#PThJ}xiP;duc@Y}<5<{Me`F2_M5Dey z;TL?RrKCJSpGbi1uP;P8LaAuIEpiQ9jP_M=Gj~p8EBUj@pRwFyJI1bWg{P)GocfzWKQLDfG&RuK6u5yqPxLQ*2rT zU}>URC*bXRLk%M(d6j8idTz0aBY8t$5I0%Zc%TU+xDxW3;l+FUrAs~uQXr6PZ)X<( z)0|rFN)WX<1tJgkc!CbeqJE9uQJ&Ey&$!+i{or)b0kBrE3=if;qg9?-#Gv>OC7K_Y@}g;-FIWK>Z~wiyg=HHh6z^{vcWHt7Ez^tD#g#pR9&ITr+vc z6BaNS>^8)TzeIOBGDws+D<1=hVs&MYs2zRe!@ z-*0zk7(#h7oMzno+#7Cs$PnSz#B;DBhZH`*%>oZMabrC65GSnMtm5(?Ow+HgyB^b5 ztlW^VuWJpvbzkW7Bfzi~`d5z?$@q$SAZ+50Neixpj0aFSc5j&7y>fd&E?U2(BoSH0 zlAu>WtZ*UfE_+Nj8;ztEx4#49&6;V?a08xQy*Yb*@n(^yzuAcUxfb(Eu{qa1$rzD! z9GM3jldD^fL54hrn=P(vRY98BTCUXQ^|>odA++Cmk<`LvQ|o@KvJBT+OU7nxPm`yH z#8YVzjpL*<)qqYBG}oZV#})(Rryt(h}1NEW)!&F}c7`e=3U`5_B-wE9R{W)VH)(Y}L22_Sf~zub<(d21YBr!BBee zyjpdjcc~G(;pbo5SO}MJdG$}XOaeYnP-12qNLOH zBuxdxBT3kCzm#f`Gfi_|d@|f12D=tjmV@<2UZlgTzT?t_wp|6%{?1;))OXCZ7`{1n z+Jh+EEp+z|y7z4DE`PpN|IFt2^?8{#>;LIo9Cw{^eg_eIGN+uoi5umb3k?=Ki@EZB z@V=3sK>Pb7?fxja`GDn&)A0`1LmIwZ3V>y`FkeAc%vQp+eh0{QppxcHGuhxDB%&xR z*zz|eE3P$7ZoRi6lYa1v*AE_W;p@l-Gem7}S`#RS2k7TKjX(3fEe01}&@#@G(EEKgC8 z#Ae8YP&WeHeyYBq^X2E6Mm7~I=4aos z?HuW|q+AkD@;I@v91!|}86;i7ny{3-s@aSSQZA+VFCYQ`MRMT^ep+KiS*6?MthcTT z9HM|xLPFSn_7#hpzYi{*ab>6z@N5noaTAwqC|@BhRmEP!f+lu>! 
zv;_;vV%x^-SiLEopghHNWw!~!FwK~mQix^c?K7wH*4T)aBQGGoMAc|8h%kGHw@W$Q zw)3`vV?AChj%~R?NtCA2o_X{8$An3~prt}kQlrEI?5_Zfh9+x-+Lihw;EC-BEp0w3 zQf?j)%RK`-&aG7b=0K^8PmgT2wGT4Z7RGIX8`15fie!AAKrrJoMm(Rdyufa)b?q`a zd*Is&mE(1g6d2Lt7>OJXbH?Y9|whOVY zhAX6YhA99Kw_zd+a$%V=9xl36BC9lZ9zzTlU7p@(eGWqxn04I@xOhaj4gLc%`m+E_B*LyF55d_ps3D z=E`L_8reH1RDaBl-tpAwHgLt=0BV+0S#Kg-l`AC@?ge5nPix!I!~*T8Q`M%vhKx-O z6i^bxd-)z$u~($*vRYR|o^Z zDur7S2;D%fqAtfV`VvL8AZ112I)Ivz?mG=KfPb`-*#qDsyXms!7k}AucocP0+Kje9 zPCD=f-uXL062+y>w-S7#NGT9vw=rzW42R1gh3!Jo$S%inWKDhggu~7;@ zAHZJ*%6+FIsf;0p{MhVS6R!}iViZBT5eX77&O_DORNNQ$RHkQ_gZX1!m8@ysR!ZHk ziTOQUib}g22G51p{_WV$c?;I(VAH~|vb~!uFG=*?a{1hML<@eH!y|;MXa5_|PchkOFns`W)5%$nFyV%n09n3ChOOJE| z0(}Jxn4UQwHz_0t2#c44tsBTv1l)S~fU*M!_E-XOX7SBuXvISjW20G?G+|!ct>&o( zYlM3_exV4IlyvH8OzUB6P=}~vu*=eT73^!#3*x`A(#o1xgugU>%`?9-Mt9d z?(P{?q|XwJ59Y4>?1SFbu5v>xAk+-~#H7MEPjdka#~N4m38ow8peCSRt)h1^(h$Mt zFmnW-L#`16`bS&Gh&tZQ_2I1c#CER_JE}#@DGVzgy9!23uTd&USIvm%Hs<=UbvYPw zc@%Md*wQSbE@xw|4_o?06q|_BKss7RM7O`_>%*4NytFro`&Wq(i_rFO!#X24gjM$! 
z4KlAeYW5~E=B&!j_2KdHVsVUtAC19K>DByqgcXTMV{fU=7^TvnRyD4u_T_2r#yjd- z62})Nfe{Sf;S_y+pi26!z0+d3v73m`S1BhJxo#@Foj^M^wIKA4cnlksblBy3=WV5;(4Vm|8xHOI(IhK+X>>2v+ z!=L{6%jD?G!^0m>Cx8C=kB2`^;XnRx^ySen_8)&dIyyZ3@!J<)-(Fw-Opku~k(H}E z{jXmRe5qWwLqzP} z;;r==Ji3G(8^7}IqEmVSfy?ZIMy4>@r|XFelB{xG;9`wZV;WlzsDI%Vz}UIyAIvYM z#V%QlE0WT3HK33NJn!$w0~Dz>#cyp)g?=pT#5Lv1adM}%B)6TqmAIE@`{ar7gRcng zvju8Xv~44%_S*u|bE=ttwF@=ku2$`(c!6GknDFSwhoXxB(0`HVO2!E~qx!gHJa3HV zh>e6lJ53v@B01=prkuKniUH)gw0G4y0u>6WFKX!z%%YhH8@zFzXEcG* z_n@i5F*~%m^}4H+gLs!HwI=$`k|{rB=NZB`6za z1zP?MLgaIB?>li*xQgf-myyvd{x;eI*6t8WW&+VRu21{zDFrDei;||p?#+8CE>K518+C5(9YhFocFB-0MIkPpwHh{~Ked{5R=Pf#k-3gk>Ao%s7AV#x4<;oUk;Lmko$D^I1zGWXg_S=s^u5p?)^5Md{29VW zwX{&7^;SkmsuN?p#(+i1#4(y3+1S8tz|iHiSb0qvzajrSn&JMO zT^&#-C^v2&m+SOdvj;8Yr(-k@tgrG}{()uqqVL4fwA&YvD78gE)E>MsNrpK-SE3vE?5RPg}@ zy*=+~TH;J|06qCmkmom78Z2Eb<>Y~YOII`Viq_ak(q?38_bn5^VWcteX)`?Z!^CSS zm}deZYq2Fg8nwa5HVlAep1Ed;N{R$)xH?)9>WjO%M(8YARS0)KYhI{(1}g=iOJR=@ z-0v&=xh1PS!!kaIR5cGo|g_k{?!n_7#(x~&?b+QvpoLK}2P zkwyTrnvpd1TFihA<$>uw$m$>0Kb#*UIwe#4uOLVZ#$d2Xp*aXs z?URN3<}YgD>dn7S{^GSc`0E?RaSHW7L~juDh9A)F`m?>c=IKpNlBsFK^G0jLh%j07 zl-9cD5N$@%$VoG zFtF73Y=JrD*&3~=kob;F(Tx%~{FnuOk_+)pq!iVb@ins)*)Sa+Piq&@0pn^*$m=_wR4tKq7WQxPbHg|AOU4- z6E3991jeDmNJ50b#ag#_rP2mN>rmS8T-6DzFw+gf3Zfe%mkFE{Mzez75$19dY={0J zNEf|bg|0%(21m&fvjwSgxK}s@9QoF10DWc*dm4DIBy1|-SY}EfajvePm@8(g-OJ&- zYPOJOos0(!a8Rs>#3`0|P)PO*>{@1-P#4%RF9aqoS<`6(Jg1OP;%yk5Gwcx*QIb>i zl1I8&btE>3%Fswn7bkOH)5MabC@n!6uZU@%GcejDtE9U@J9=AX{3lg-E$l^`tl96i zQ~(K+v>>*if$kp;8(lJu*!3;%w@53Ry&zIlQJI>bDZ*%^7h|#kW(UX63l$qHMZ034 z4^eQ#mlXHyTl^5;oNfg7f~RqgyhhKq>g6iyLTB{|uxsfDqWldjfFhf1Y|#?mZ*O9* zq}PdSF#}VYz~?4UV|*bIp@en}bg{)Gs@kDw)J?QMs8RCAy=zFl3D|HUK@oka>>yN; zpl9e0H37#6!%m~unK*}5#h;o3u|=cmkH>hbQR9OknYC-FCSxehi)bZ(C5abcOSid_ z3ZV<0Wu(x(*|qi`hX%FsCD3X``@D{w`Nyd$thG)0=CJY^7P^e24M+g9mkmd>-;DDZ zR`YUMR%dLjxAMY68Ex)~g1JzOQVI{lvrOj_y6iAmH_jgLTEMN2J|rNfZmp&scQwIR zWZu)u-XFsP7a&{|f}Y}@Zrr@H>nnKK>Oc$lhvjV1o=`hxM4^6F76^{b|Hj}rG(GD0 
z`Ykl4Fy1BCal9bvOVJ=kO~zq(Qa#`KQLmPO-x3* zb5s}^(}u}v{TZ`3DMp)hjhF&+_CIoVePu}XA>#~)Ulddg??}fqw~O=oktzE7GO9ij z@)@Y_*f@3q0cEM;3cy`?U%_5GM42RnI76A=^tWOJW_wmxCd;TeX@mra;-W(0EUVg5 z8#Le`V;S#>FM7oh^4o?eQII^t#war{S)!x*s9X<;N4sc>#-PUwZI_~RZ9A{@={Uk_ z5eaNjYt2io#G|DdQ#kJ{9v8ef!^zzPE>Z!x{8&=mob0$Zy~AoPao38abt&q|SqKDi zjj5{X#sMuQUtviTuujpr=lNN=)(O_ZA9txhbO7PTY%8eP1!NK-`M?ofDajl|6VrKA zM!y}_H|Al%#;zz;=kLq7nou=-(snf6$X-p;dAzJE#nn>?+lU~=JrNM@ zVbeO)(b+cq(5Fq;UySB5&8gN1?o=1dIYQrySOLc)-7cqfZ%URnej7b&)O<$Gr*(Ow z=F>Jt&8I#-aLvbM5)9XRsstS`h|G^@bPq%u{@TpfS9A1=B>bKfn($w~%`sE5?^l>+ zv1H${2+zC*y?*L`o`Kd}hr9+|R%QcC@e~Eq1lZ&Sxu?90+XoW|T1rh#g*0;Ik}h0p zJR9-_F3cj0ya$FV3yEbZ>dEQ}IEMDK|uDHngGHINVUUIrtnj!%`A2=g`oE!B?VIw(3N8#hy5@ zlPbD8*uK&q1K9y`xs2oe`0d`0S2j; z-OIO1_=S2PTj@njAocQ1uocl5<+jlmNp)0BO-PNk#;S4l@*-Yo9uV(=Hq0L8+}jor z4H4<>b1-Tx=__j&x+Cj&O9wI$YNnZ@1*=0dYYkuqfb1`NSRX@?Q;(q@JF&l~%5qfe>5fXAYbfwG-UiRGkN@CnkDx zXgFYn1;?X{pM`cuSdvAAt*Sm&q*y@xoFuA2NHqrXC_T2s>tS(e1gKr2e!; zns^a-s1`bWhlucZqq=T!rkj$Rp0JiWRybEw=YN!N0T<|h2Pmqv5L0x91Z9hi z_%N*9&ih<6ST!T12>r99_c$Xu@dGp06^G9^z5C&x{?6bfClQj9jN%uyhBv_wO0a$L0fAcAmj`f|rqm~5@r4pj?netWHiN<@C39kg?o ze*ixMpQEqh+Jkry=}JlHCPSWai6~35GSyvM06f@JVs6eBTe=kjSFc*kwZUD^Sr}_Q zXiJ=dC?XwpL511j{jNTeUc`t76F8l~0}oAp$kwtGwVVDs0NF!HJyaalvU+B zssre=U8#Fz%@cx1of8ge&Ri~$psO;Im=RuzY#l_WcXRb-S zFTrrwSa(AxCLymP*Ue;pR1Gcl5_a46R?hugvF~>^pdMb~2tyz4I@F{>@T88q9?6Fs z=dD$fig&#|hHPXwi&VmWCWS4+uVWwpcdz6@@QWL_Lbu`vSf;U&nxT!fPYg-Kb4y3F?D6kdjZDo9>sK~VJYoSGk41^db4LL(5y+_MVYbQ-3Wu_f9i?Q1=c;H72# zAc%x_xVoTjXY%y@rj{}XyW`OkyI!S!b?pp&!Yiwivt=vtGbVIr|9u6)ZftQ6I#hWUG9{{eXOhj%_T%az zx{cvn#l1bk&T^Lse2HJyoU)ze7pyLmB3cpE^X7{T{%>(B+Eb-eB$SydKO|6|*^o6B zWpKkAZ0sQXsD@NF+X7#$k%LufXB`QJ*8PNqZX?P3e;^yE+_lGS(=V$kD^9ADSHgy* z8_BW?I-`KTTAejrm&C+(Uey?}fUUwQ#{M*$`sQ}*Yz)UVZ(0WwFu zwuk`guSY1ZL$FDTepu5XvpH<&#$_$RxasGbQM~oeS8jQT2s(&2&$!~ZudRJlRq8zgjsr@V$<#O|fJZd`NXm%4J5;62b!Rxw$BdSXD#45`{OIZ1q)=ZC{m zYtBVutJ2`8qR_03wYk;49de)#K{7gy zhNpnZC@F^1=dFhEMPpj$<=E1l>E##&K6$hYP#7{7DjC*F8f|r7yl7WYdY8SO0S~GB 
zpzVcd8lkX0Qd5}PwmqXA#LlK5A@hQ4S6##MH`dk?JqYH>%n6SO}S=+n&1fAgFnEVTeF~wQ4(t(;Xs(luBKXip+>qYU&;C^M#)YE z>Q2;UEJ@qQkE`&$eWEcu8Jr8AeIL<{)k3)X*7S2l-Agx4hplWyRY9h*ZLJ=2?@Z#p z{<6{(dzF7{?#tNkO!%g~o^RmucdlEz6)Z7!xjZK-J&Jf6nyHb&Ooni^cJvA-($K^M*aYP7CE9=_!IKDNJa z2@9GXuGHt?R~ddb@H3p>XXx^VD42@qAHquk)SX8c-q+p66*Hm;ZB zUUpbve7vvB%qX=RBwn!NP#EsDlba<&*<{>F(9KUy^@Ar|4}! zz5|6EED+wJo;o~;y*gKxU~8RsJDF^kZFz1?!VhM;=~_9RJ8dD}@V}Wtg0qvV+-}9s zuFW;$$Xd%_qG><0iJHu4LBEiDxAxfIWIew^W5Ged?Y-2IluBvhNnpNEspw2{Yb)$6 zZhG_0cy#Zs@Z=&$kma@c_i;WTk;aBBi$Nlcs1e4-cs0lA<>gxcG<+E9vpXD5g!`n9 zg~)PjKSeTcXM6bB;mz*w56d>7<29dJN$(uC~a10|qTm_p|!)@a(DOq@vw(`>otEWW@I-w(W~;OwAIx zQ089lKa^FoxOTPJ(p3(28T=(5fxNp!aE}*JQqHsCtLkWtIj0KUh3|=U$qm^^EQLy^ zr@Y~fe|u_h-ID9ZDa%L0i7=0;b9AE#b0o6XVzoPREfKEI&dOVObH2{x{pYJAl@n)G zks;^heZL;hP(D}Iq7)?fg*br9b=0fonS(&?fTD~azwLUwHJ=7p{NaGvo}5u*+pe+- zVCX-lTb~TuFRx(w+eAG0Rxlt<(x9a=ZTb;AG}iIrp#e{lr1#`$<(g;ks;i_Db&zv@*$If%&*ykV&gr%=;0wq@ z;EC2+v(A`ASw7A7dfa7i7&1WVk+-|i!V{MQ0p)m`@N5-WTEZ|hbvPKh6WYl2=o|$z zR=h&vJtr&cf*vE%mc$s3JKp{0Z}19{;x`I6*n@8#uoPp5rvp{#o!C~22y0rK%=`4p$QCXUQ+5-PB}Ld zxE3aR<1SQKq~(HQYER+_1{Imb&_?`KWB_-~EYsaX=Rp7Yo{63L55NC_>b0{(b0bj+ zaTF})^S7L_veYdosOJ(k$~k9-xje5{hyth@{Jbxk;00pKP{W)PhkvD&NslbaNhvp* zYW)3M7k>e|Cdg12vMq>^9k59Z3J;8hlE$0wfuJBC(38Q=RRT{Q;Pv7acSHn@jFtFE zke0K!MXU)AjGZ`uo%l@922{?|l1qq1P-0JGU8z^(Tl4R@%=%W(uFP184A-)gI00w9 zOJ&G8QV%1H9l^6MF%WD<>TF)6^*GC`Z@{JzQ`fdHsH*L3*AzPiVB3I-$_nbSNxkh?kPA?>WczDp@3PUQlu zl6+2qKe>O!g71xoZ5LqO`x@RS2cAla5&cu?q?Uhqx%slrX6$ya8Oq=0ycp0ztFIUA zvX^$3r92HH+>vV)?&x{0r>(0;s;c2tShVcnmmQ8&=`ik81UR#ZU>^X593!GK1?(Wl zZ{uX@4h6pFV_R%jR5RW+E(dQQ>^`R3ZHHkVbVRgpEc=>5uw)B|X$LNz4Ns%w{BelC zY}3`(J-qvq-%VnjX=AXei!_#4b!)&W9aFnFrh|QVpP#3Mq$`+!LLK;ulQDagOcd#emO6O0(kPO%&2Ucsxaug9aW(az!FB&<8xZq2E+?c(E-Co5 z6~d68bhN!LCMcIdM8vbD-9Yrcb=D||>D3i^F?AJ{4I~qkiNN15 zf3pTyCZ+Ftu5+L9QSV?}})k2TWT00Ez7zy{mE!UuF1Zm3)=7 zCUW4|H2l-L%?^$_=|8cnAzOvsI-tgv8zajDu2MJUyZzC*ErDxqor3BhXFQ|TklvqH zv}kJ_qu9hm7M#q@r^m~|+2KztQ@;e!utqi;atk+_O1){st%4((k8< 
zy|}~s6A1!was4m9T@h<9AXBG-s0hA!a|yILM+&ditL-a2^{QT~d{!Ajfjkllr|($0 zYqxWK`;(-a*H5bT9S8S`_kAJEUpjw|e>X8^)>vO1n?3+gCLHVqnV0@eHGEhPRh%(l zCnx{}n&CMVu11=$ALU^7XTl~~iKJu!xuU=^F-jol?kwkVidLV-(Ms5biz5`xgbVCyzIc7MZrfNX z3jb6ehZ-b{bhbJV<^|6tvUk?{)vyyE(&&OcxC9<8WdiK3(G)>S%Zf32J&Y+^uG1OL zu&|7K@y>c_FfHPG40+<&@7O>xkm>1P+G~}@L`(<7NsXRlS^SHDnvzkwFi4uFkkP_9 zf=_Ktz9LRUXptzBW?4ZfD)Y?aU7$M(!Cq@$(`thL8&E#)kLXv*PN06@^g|+oSIZ#6r%pfV2JCSr zab}sRCM(giMNj;Ue<}`}RFC_ldo8-Y;&%N`DY~kG!UK~=Nj_CbGNbXr*!JpG$S1HjxamKK#|?B8iiQa0dVJ){EJoSaDv+aLDr)K zp>nU%-7v8E5}ijqeJ4>V32bBDO_Sak4xac&;F=y|$BsQNwPMKFsXa$KG0l?imZ9@J z>mapq)~0J8nI(vud{Gsf>;(~5OHDdjrQ24y5-i1eCEj%*zfk5Ej8|?vhNepYrYqvV z{(CR%i8{d97Ifat^bHJapJU0Wlm>p|QXy72llD!as*8-bv9Bu^K4jv89-sE)enku} zN@J7Upx#~*%wuabx%+8Q!0eYb3m=`?ncw>8PtKz+xQuwz#=4wO!e#>Pz2RRjA%N^T zpzD$^sItYL44D6YHJzTP68_^uo(SXm%_p)2?R0yM@>kKx_{@3 z-s4&fPyJiS=phN=>-~_xP7cPEr?*;`;#d?A?%EZ01`HX`gbXV?pZE!hK39A&H}a+D z=S|DI%Cx6Xa2Cju%coX9{hOL+xbkF>sQ%6{+ZUEC^YfO^MYiq2SEdK;Vzak0?DNv`!a-jhN39&}^`c7l=dib8ds|3DxzfeZ70z>rK zAW7uZo5=a!x(N~xefyGhmR{8-R9crtMS_@}o^+Gc%yO!!&Df8{Ys38Fu;!Nld)j|^ z!ta_k6d9f!%B)53mM`Y-JDIM)QVxLt4>k{7JL%ZjIlR{!*nz*4n7 zexOX5gN;!(eH*r|2;Ir%;9yvSTFJXCI;rATEZ=)|nw?%kBwvoBclR^z^R*+JNWrB~ zmSc~=vo;BE5=dl}tN=Y4m~bV8+{=5ACJoemfm zjU7jxWg~}RDxX$R3sOV2DXv=K4_6dKDz9yGCIpg~>iaxv+LvaVv1j`=%d`6FR`4dN_SVsT-Q!K)F?>^>f!>ios4;L2T7wDM;NVX&JDP<)~_D*iggAZBJ9F=u?3yv zbvEI38#lsB>Et1SBA^2z;Ntd_V4O0LyEn^m1RY9|Io!V7hpd}MV4x`F$e0~ILVGla z6F0%Tq)jKFTW~S(vrOj1O0f%T<;O6R!8aM@DBHGVomuTr?A{NJ08~j;NY_~G5?cc( ze#^hxLcUdYDKABzEWFT^ z2!ku=yMIsD)G8<;jN*)>rxm1lv6*!SE5tNem~zpOY928~lNKW11iSBF4HMSUsHe#; z!hy5r091pyXHAHdO|C1cKWI(0gx-xo3bks*sH|D0AA*l^3+9LCn@evpT(8l2sI<^}81}Kf z(F8K#Jc?dKlucGDX)htzL~xP6-Xvog79zxaTY#}KpeI^;_Axd0y~ihngi~;M8U4Kq zJdQH{On7TgxIm4;*|CdGq;uMYGcc8IVjYtm(xN(nWO37J(|sq9j(8_f>%9vz3|IMq zeXyS=9(=-mSZcS=sc_C>X0fFouEgUGIvMANKC{!ZbM5$x{e4;*zD)!A%sJv47=|g^ zncJy5B@Cu#7=*Dk;pl4r+K3_!r8MB}=&0gcula^SKBig))i zs}_aR&K{t~{TsKUSo!4w3OliW)R38WBOrPK?8x}7&FX-WozvkZvnPX 
z`A2+$w^y$H>LPTKl(YKZ^lv6_k7tiA$R-l%-UN*~p}GNxQpT$w>1UU|DFx9?zzZRD zv?VdIR;EiuY^6xYOq_c0+Ek6PFnXEG)v@{w6Y9*$wZ!Gy_P*T^{-$Iu6Z7G5-`SIP zxjUzTm}EKo*{cWaqyymEaFS3ravx`JZ{Gzuf;Ue)p-2JEp!F;n`2;Jxb6u`Kqg?1Y zo9eGra+0z()+<2Q{42kgFKo}w+cmR$dIw^MhJ!+6k>f51yQ+19JLCuTc!M2_DR%6i zz7->-M^IC6>K5+6NVU0oTwJ)=iV2BR8fEWBUj`E1ow`I;oYq@zO=M;w-=3|R4bnoo z_(ck?X&p&GsDNY?Z4THNvV}kSV9sJe|5`j^j7|5ludPvtW7p^G@JvPg%2g<4+)7dj zGq(PmxZP}`tA$0zf=2oUPVqN!tm+m|Bb{!o1kaD_6I4iHlq&VY_>tAUrH#u$=kZT+ z7ALCF!&VY`@w`oCzyp{&e-I<1OWAVZ+Ua$a;5{JL z>6Ici&goUctph-j>d(MJE=C8zcu|!!QHS2J#;q->MzIo$C$CcpW28JP4>^{Dlidkr z(ThlG6xkCL?no+%9AOFWX}9D|Cg3gp`r6fUZ`T#q_pgZNddyXokkAdAzES4Wy#Odp zPs@)aLC@Kj>Szmq*zk-?qXjHdCdJ(+RURU?y ztzryUbLa7P8?VQ@`a5#!YUO-q!VW)T$*$jw7|NgD+c#J9f;ePN^jaII5oekr5boJn z81`>8ZT~g^XE2&ElG1JvLH(tgvr9tg7Pz;#(&-30y@CrUo~t*rj#GKF4p} zcbI6_M0BkWOrhlj%%@=in8kX2e(=>HYM0ZzVOO)TC?Z9a1&l@YDzF(pB&Bg*DB}zT zZg8KmLh%J;&V$2*`o8Z}OH5R*0eNyVaD?rA>83tz4Fk}1M(PcDjY{`ISw)9A zCgeeMWNi{DDv2T~V4VG&*(6z8)RY;_jJn16QCTF&lk*Wdp4l5NQJ8dnN2p`W8M`Uk zYUp%rLzqTKRway8(D7rQR4#rYX#P4;1*oQ0waX>N%Zd}})(;_YR7C?jw@HVX`qV7j zB0q(EjVUY@WkcO8AhG9Fl+dJhe-#nXav)|Hm40ZwOMzW(%1y?JF9kYp17HfI$C{LD zTXqHPJD!hPCU(f<%``?gfQ2>LrtK_Eimr~W*<5~O*`}+Omnx)}_H)s%+uYzwQeHN3 zhbl)=KtGbqLYJlTR)-@5MqW3I`YX?{Gt{mZXd6_3OsPI$hc3I$YpGqw0t$euCkmL^;tvh@kN=5WSa;!{d1hq3<;)Y zx0k;#_A=J`F5=q}b8m&2v5{EDL`539;BK(v9Eh#851Pf-*)s!F;!rCV|B>shC@V(& zV9+Mc8m-s_79^FHOb{gQM;$_Kl~fiZ1_cS{+sZdqdiimmy zuWOE(vANX`#kGi7qC9_Ao8^-UPA`zoqPeQ=K(g3qU_?5y3XK}4E7)dpH~Y15Z5)pX zthzx35v7{lRX}NH3$5<8qtKmaU)*GccNZ!HBYxTFM;_c-PvY8c~ zYR!)U5R5E~)V0Ka4Q{74%)y%KXpRX@(cB&=QwTj?c=+-HX$85WFizn=S)h&D@XJOGRz8tpdm)oN2 z@qTsI$&O6S!{%qxE%up8;=`*&KXTkeUdM><+EWatFw;j>=0A(+{6&8>iTR7hpim(H z`*kPIuk}Cy-A2juMJ8luY)ew9Na&OQhF&xskx}EEQ@8r++`@&yP-T*4OO8?oIykrO3G|F-SW+3!!{DMv8 z-GV9IN2Pr=hcHX|UJa?l8*1Y>vpj!CA&qa?v^3%Cd2%~lyb^@gqc}B@V2TUl`wpoy7zOd^|3WLC%5cF8IF2K&*Yzb5+Kc)6Hp z#=?ZkJskRNd`FDccbf=iMS4x}cyyCWm+*V@=Jm$Lx9W?d2JgCp(Rw=bwSWd7+;p1P)W!?jvkzj&?cRBQH7^(yu(4f3`XFuicq}NIhwB48 
z<e5yJk-0Hmh_EeAAnZA+DX&rCeGuA;Rr*HGFF{4T+I)%x1MJn5JP|@=j4yK$gPO z*EZ2YK@~WtwTTOEQ9|6sN7vyLv4?CU^_(Pg@~w3!G-|^~Igt;=&?2L%bm!m0`fLC; zF?OkGj(MdW@^P%b^I*ZiT#e1WgefMGltTQw(JjGGRDBtVZ6wnDZ(a_!0WfY30Um+B zf8R!<-|rf%pBN=G0HBVJd#k*YnXnO>#yOSQpG2;r1}=5%$BG!d=h3Pb%wItwJ$G<3 z7p#Gy!9<^WY}9VoYj&F%03EC%ed#r=-UIh+bL$^0jkFtZM)v~;069AgeD{!z^g^ln9!4t&9rDGdBtCY&L=AXKC zi3Lwi!%Gr5L-hG(*99_i9*lFfp3ec#j3>O6ky#jneakNX z=iZ;QN^s>r75bs|+>6Z{hmPem_@(}R5cXMHANKn_R|E4w#q_0+KR4rby0y)~Y#E#o*dJD@a)}pS$_ylzDR5Nl=f=`y z^H*+XHO_xwHG;BAAz*2So82|Y`L@P`^t61MT0sdC&{@dg(hjTOBvopl4XRHXh?=uS z%}4_F7TT1lU3uToXeH(LDc|5oUx*c-_0BiHP>q{zy`V!_dSl{+7KTK~dj)ZX_g6CR z`oNzg(PQD!Id3g&Y(vAxq2tul4J#|4=d?anbq!lTqpJVja*XB9o#o!4A{m_%KdOp* zES4bW5B+MQbg&BBsbXrLmaLwldBg4pqZ}w^`w9b-ZL%lrFAi8Xoo#Dyr*@;x=U3iQ z72%HT!2g)ytKlS=oQLAy+<^wphT}4a-?6pRoe;IJFYlaxfYW{h#PZ(E12_RfJdYZv z+#XS~BPmM zbh7Kv&AZA&tvQ-i9U5>G-cHu4DbilwUD6N}p%*$w=S^(9M+DiKajvzNi*^xal1W4$ zxhBGGdk=>Peat66J0B^o@&R!|Q4kAz6j)5*{ypkV?l&&%R=wct`rF9WTiT6BU%w@` znplHsewUVmz9IP%n|?{6@V<3!N!aOyg0p2eC%yeMnNC*wiY#hUz`zi%zqlc&RQXF) zt%seP{ZR0*`gmf9c)HMPuV@%(*IPhp-sOQ8EncC%Tb3g}mgsEA4cjIUnMdod8rc`KL%py`TU}LVVPUr9nh9X;)znGzZRSb~ zv8_8hwjj*VAe2>(IVq7~M;=j3Kl;C<(H+kMEsLUJdi-ni=$ycog(^Q$)mf5?=XzbV6EI8abArMYDlRt> zB9WalQSll8r31}(p-TL+-xx0XPy8Q9Iab}VI%vV6jigTcSrrK=p{TuS;9mz+ zI}_$|lr0b?$$85dG(5R)ho)4jp)iB$pZj+CzUos-x`l84YWypPQ}|+#PCKng^>I&q zsu%H)$`!Nc1_*P1I}MDH(l0`gDb$cM`=guOYg1ydF~(IJaGQe|UxgaQ_f z6az^Y!??YFL(OeU7w`NK-jom3=7?&mS}7hEbRDX*(UN0k&}crPd1pTU-cW^Qlxa-@ zWFeZ>^)0#`%ypEPrKsCIoyXJDBJu;F&J?;3ri_gcMSogbmJ8Zp0e!2kc_sVWYF1FW zO7>Sii<_PtR2wxLT1PzT;>I%Kz*4>#yuWK*mCEm^@*6WBDyfqYi!~#RmD9y=3YWEn z;lfEK5YRfpb0s|H#J7CmuElv?SJn={y+0dY;}*tp^}j#<&^=AW269T}gM*A>MjHNw z(1GyKV;qhoL=j0!uL9OC4=`Iv4AD*$2(_?D7$-=W4`7)wC?7D_HLv-Sxe){LghQU) zf*POpRE2cZ88^-1z3yawD(j5c>GiU!;6K+EO!sH>+JNz6`aG0hP;Tps=5hHK5)SPZ zlDA)3U7+M)csgIP?IB02Sj*udR}v~MPUilBq~NpA1^CHIxW-{GpwvnjZzb@z@=E(+n03Xw>)Goj zHtDi-YHH+#pcNWdr)#4!d2rv(&_eizB}@+mUf3Qr_)fGZnH+P0t}w)OpM=|PtrreWfs 
z5eN=*(f%wfL#`^A@`?PP=;|7gJM~C3XyaQ?c-&&g(lSi*oU;)&ciQa;Fcq{*465l2 zl=kQm^JA0ya{us?xVdJb*bGQukD-Fbn2p>l4~jq@kB4&DR-*e-M^o%{*ywp1wd-Yj zr^|-Dl!+LIk1{XZhc?7U*@Vg8*tsQ~1Xa2f0AoH*@)1)}>-w-@?=doz%YpFjg zn1AQ**-$gv%~tDBToWLn@K`R-&gCtLT;Kc0ncPAcWRNm=CIqRGr`7}=v@RW*i_Qk& z;0nWfS%^79S-OJG_bjdb3Pig9#%FK{WR(o$7E)3$k;89gNgAc>6N&C{>0SS*N2ePS z=t-)MR^Pjg!61lktqOarQSGG|4v$k8D^AJYM~(X5!83Z)9QI8x;xPGJ0{?JgRpNxt zkthIZ_0x3s~F5JK=#p?*v2CxY4x)h{~Z|3Y@#t?dYML|Sx4-7&0wjl z#9BUjy1UtC-Wh>?pToYMR}B!_im3-CIQ}MkqV2Vlg#H0z1N#lj5-;}$10G|+mTSwA zd8;c&iG1orMhurqQ%vOFQ_*da7w8zN*=fwwFQ3A?>I_?O_dDU~g-TfOY_TH+=fJiW zU`04EEt-tb70iZ6RH0n64;+ zD3ty*J;OL>;F#p5Zjn80TQuKzenFE?D1HcxcKW#mIYvVklN;0J{)@ z8@e9b7{w@98h1?DIa;WSpO0Z3g?uPc$c}cz4$>R@-X^!otZMQd&4dz}gc8QdS^NQC zLh$4c%$dF{fI`;TRNZ<(wl=&(t6O#HfZ;s0%6-dCG=6q9Z{ zKtHqn>}w}CXVT$r0h!yD3PDae1}EmMb%i?2tqvj7*jp4hJFqVL=O8-xpKSM(W&ifa#)P48$h2>>kNnNU^-{8hJ%0qQ!TD?l^Gau+%JqoAn@nbj(janf^ zQu?V-BUyqcp5++`P1XhPwWQ%Q5U~$YJv8z73T6{Qv5TTuMv3zaCvs)frYvi^V$+SD z$zx*!hJ(~!SnIjpZY~9T9{g^u@23fD!TncN;gNFv&c$pA!<@lSO)-Da-Tq>iLDUPUh zn`$xX5t^G6bKK>~hsGsUXlu5WAkvJqh1q37NFn4Ags@wW|8ch>CsS-dRT|@^w!~)# zngXL_13w8Z+yizLjZ@yf(qgekZfxbLG=YWzIi5h}eq=V03P6 zxXoEV$a}sUKLdCOAwTn6G8HHd0yF*0VwQ|0{iiSyUaPziQA-JaET4uI!{hOwYP-wa z1tWUNYvgZ^*3UL(d6Q5B69oaa*{1G;g3XNWsb@|Cd~|7Cn@RCz#d^QZxvo0ZljeoXYsK4IHr8tl zTZB%w!(5*f+N;vFquT+N6X?|tq50EkJ zxBlof0-Tbjp8L}!H{oypc1=Og3QyG;Sm3sg&Cz;XPJ6@(otIHoAh5lKYn`m@p}9Pl zK`EjxdBksokW)nh?`j@mo+itq360Ts+hBe1(q3Z!$bR5Q-M(LEc|@75R@#5mFRM#O zpp=qcg{*P|m2Nn7e65zKC!kPwp=+ve*K{yT?a@MRz1mpgd^?7KB}}4XD>9J2iM72a zB3}E&tG}mX`1MV34=eH5O9A+w;GHU%?@#vV?k$L#U8TT9%FTo5wB>c!1lTl52nD{K z-4wv7;TRa>h`q6`hm-iSe5^Hlk+cok=}-Jlf#%Fev5OBhQfp4%PL2#ah7H6eUJJJ2 z_4&&I!a`m&y6vD-bz{P7Vs(95m;QXUrc;QEw>Ixtk+u$0v(+HiOLaenSMmi7vl zzUyBfQ-lr;-^jUtsX061kG`z7Z$p1D=qj|+nE!xWk|8-{K1WL_=^8zAZyP_r)5CXK zP7a2%?*{YVA_;k!RPAxJg%I=*n5X0w?6T)M6QTt^6#I+2VTgXKX?%tGG? 
zS-QsUK4DG9qdjI{RdHvkp8(lwrn^0klev+zm4F;t2{^sT;xEDPSG`o#kZ8lyeSq`8 zkGa$D<+0@XLChwAn=Oub#ea&qN6krnSaSo_`$lX@!(hv}_P8k52_KYG;ag0p5%y%> zX`Ja&KG^qxbCo_oUamj4h=gL{ntAUs2L%b0WDiE{`^Z3B9(5k98jAtQ6@%@FGFCPr zl$9#{4Vo$)Vy2>m76<}{ik4LJ#Y&ZlYK2??<+Mu0>P=GWTGEZ^)F>#*M3Pj}L^B>a zYXM3o`|RVN>YJmXg?wSG+E19JI;#Wl`2f~MLaBi|w(X#fp6>Q0(Yqx_^zrpzkN0u( zIpkuPBHN!ICaA`maYIz`1s1ZDM%3g1S8%aJ`8m#b_1o8D=+}jErJI?%NRtzdcya#! z2c%8U`gjPB)tPi&bh!k8%hu68lku*z5=;BYw@dffDV46B)HJ$#uh1$~&g@FlCoUoOpKY(*ZW04yG~Pf<;5IX=a4y49)8QV?9^lk)2Il}!_?tywZZGt zVz~3`_mE0r(p9x;;)(|og{pNu{&C4y`-EV%MPxIq&}CfD>`R1320M6;@ECcey7Nba zy?3002Uw^{iIBztRc`Qm zTun(RgPlZd50R(LRl=uBV64(AXHi3@=7pexA#$4kYP5uU=l{K#&*22X{MB9*Rm^Ly zgJ4@&X(-p)+_Ivk{STWF`PU)Adm4dcedH=o5#pG~nW3*safmh*Tx@}|3#5e9(N8`I zwmnaCLQ~#pfy%R745Lk7Y(AurilTIx+cM6fu(e~d92QKpM6VwMlG9{@k?SQyhp0g$ zp6la+cF&AWCdZDYL;13`mcCO+bqk-Fb%29GOfKUYo8ph#CHWSora&P@c-ghbm1CV) z5NwAb@n-cCBPjA?_+-z#u`mOqhe=@|(M9Lg-OMr|kA#5N$fxybj)nr$Y4^7VeaP>p zPG<;#O@|M>72eKMYbX!SUxyE6k2;Ncdw=F`sB7ZLDleYV;W@*@+*=2|c|eo7KPF}M z?|;QB>YZ$B1x(G|3bwX&^rjd}wsYpR%1HQ|McfG9!n8AOgdu{*VI%GuRF1(Axe|D= zl#7l`H!8e2#4Y&#k~qnUbM0q0Lz$U>T-|RNMvJZzvr)^(V{8w79us6Y5D+55YLh|; z=?Ox~{wD~|G$vFC%Q7zT->%v?DNqd4A}Mf|0_2GwuW{U6DMC!U4jgmgtL7?N_9FcX z&}dnFwS`LhvMLgy%`la2F$UZSCMZw-^9OjZTY{l@fBajP9dovg`1ed_jU+hkEc>@+ ztMN29Uxj9fGqY~H(n2{|>G~K>fMvIi zC8~WngB2F%#V?aaJm!lK1EAp@^P#D%+C>@4zbQ18mdKr*K(ieyhFVC-kCncs;$Bxq zv?Q8mZctz!aqFO(RfBvyPV#BA<-YRBXU~W_pDI>6=Ko|Pk*6|ST_xz_)WJDRv$--< z5Z>uJ6EF4z`-*P#Lc3TjDwokmNC#jJn%1&Rl3Kz0{n|w;rkY5ukaavA=g-si(pq^= zF!ifGoqw(Wx+ciH4-w&HX7Y))KQKKo5bq7cEtJE@`)L@3a{T9yF`jW;pJfYiT)q=8 z?ki{Fy(1JL?Tq6Bfj=z)2FsLy`M)1q43pyV@SPB(8@X3((&dfatHJW}vVQU(jrB{A zSKl$u78MlPi6sGq7w#%C0>6Kp$Jq)b4v&dT%5=nPWE#)X@lUP-!s_@ZH77B7qB+gVhWrDJP!dB?)Ho&ZHv6O4n z^2mF|3bZHvW`1I3%aYHn2gag)t69z)&Bprfvyo&N>&{zAWj%XhCicP(m?s)K$sk|S zHyVRef8!85X6#keczg^1VZrr)4-3mg2Buo~l7O zBebn)ypV8=5=95rAwhguv)ds7HtM>X_Qr@>D7Z>8P8(tjRub+=WuSm}h0^aKX;z~P 
z6}wnkc*`<47`SpfPKUcEt+Z^lYTBAUx+O+-ai8ul&D4B7$h7McK%)oG0Ub;NQ;K2ea!3>W094`3MfSO+3a}1-DbC5U{mR`1#hO)TG%G>q-j2!x~f8BZF5 z#@U!R-8}L&%m*HM2FAO@Sl7Lb9y8R21QC%@J61C5$Z7|uh3*ihKsS6}qhlIyU`cY_ z#Jt(5B^YaA0-UlsD05(r2Fz7pSsqWiTCoH;XEglxiGN(yR@ruz@nW*LuIFO%JD`ku z5X1FIQ629;UCaNxzxbK_`}dOLaKA*@+AFY(gi%j(9&9Cl(u!bnE<*I$5trPh*ew7JoIxXW7_ck0R z73y8G3?Txk*g8+y5u$x8tMI9sO*zfs#JDg_Q>^_1RBK6vNf(V6ppiToP8%Kg)kBicDP;hEUZ-YCW|^bfpXKG1 z-hwbGOX6@jrOrGw*5K*8D;@7h7!Z^>s+ncl@gn-GfR*Z$!K9-%Z31Q`Ze(>iz!-;0 zER*t3p=w&Gm*8yeaC_ayUA~H><3~YNrTI|62@U;Cj0A|F&n%EcaLZhE!l9%C1>#mD z5|Vj|0z7_22LbFZbISOu(5>6z~E zp|_Q~yA`z?$biRQ_3`#)b^L`t+d2USxLxDbf!q*qdMK#hj9hLzmfYlY@xA|h5%KUg zdP`gpH$lJahlx9-k#|cE|PiEioOkQ@Wd^-gohLL!r>SmY=jUKyAH#`_EmSEEHcSV_gsgkz6#UAe(kWp zj&#Fm9mTmxn&YrIbcw-QpTlTn^l7{}BqnR~pRUR@Izz+wf49}%T(Y0CSbqLV+Onuo z%Gl3Y$jg7>m(kkMikX^4TfhpIy$o9_^?VVnyA4{SEPgJIAduQLhIk15&m42sAjB*C zKHFtWH@J~n3v|bNd3T7`J(=zP$ZrKp8L`LV)X0eCEr_AZFm5Xp%@VM&FhP+~G8@t^ z$|8;eWM|J{z`oHpWk{=x?mjb?k@rd&_vRo}U~U2*a4YatxWd+m{l8{2LLDW3Mwwyv z5uzYoQP55~+bWV(UnOJG{`$mSG-=VFi3H5725x_JJ=cH+E+O9NPuDf@U&62|c9whO z9Maeo)IP}AHKd+PX!3=if;c)E6d)D!v$Blwe7vwm2fwg}=RXr3i|CH~GHUzi|8s0> z;uO`lcMg6SQyA5daHyfqe}*RGDiV(WQY|s{i3ZlB{aQ^1=A8YrM7(00d07U(3g}o? 
z_2ufE&w*C4S&<+XQD6hARk3kYlo@_CRj_fCl^8gf+cx*-vx0#LTmZQRTS0^8byx)( z%l6lo>}n|2nMbpN0i@8DFsL=7lW9hz(2Pl=>Jvpheh4o-d}>Xb==#KAjj;mn|L|o5 z{j5_&Zv21Z{gLs&5B0;!S|9Tx`9iW~-jV;X3Htxv1y(*9KfC)6VNxE7_CL_Im)cR6 z@mIeb{kRw_A4wbkDOr1yc-pc~zm3jo+V!lVyt+bSrqdI|8yoM>MHBNhO9XLJtVv z?{iL@vTgLo3Mz#%6hm23Ei!Kh5FmI6F)1d}xy!JgzV^Dw8v~}m+)@MT>?BdQfazTQ z=Ds1(iDH;b=m1~Q-Jxk9?w$h7i2udfI|j$XHQ}O3c5K^rc5K_WZQHhO+qP}n$&PL7 z=KXG+^Z!=eKQle6SFf3xs-$LhKj5#7PUS)X3ZqJql*HSkqG_aIf)+lZwg{L8oHjQR zY?a6dHyBwLm|I$+-pb;uG}`E4Bfi5yAg2=(P#8!^>8s+$T5*Md(=gH87Ro1h*Oc$o zw?@95@-6OhCJnF(zj-3bbtDOVyNhm`&H`JQ^O8Y|V08L5+l!Y}fK0kCQo5&Ku~e5x zk2EDCYxgvecoUyM+W&F_a^ZDX$W%Sh#T%^9%_Qks@wG|}nPF(NVCkyDd1}g5ppOE& zBP0QtfSQ1!TwM%=Nz?B%D21^P1SgLX@6xR4-!kuDnP>)Kso8+*ph&-56!eoiPMTe@{x`3l)#n2b+Z>; zHz>G15Nf2f2kJUJGvZ5I4nvy~pr5IrU@<*0f zI!nzAMX#shTHWv&+S%$mQlm70Hc2d?@l8YjWEp3mTcV31UJ&Yi_bUbW9&KQ82irBw*jGQ6m;uV| z;?3sa&dwRw4yG)E448f1St{XPb~I1K*J$5yn;rH1&g?n)YPj@oKl&ZF&@!nsE`jI8 ztgEDcQ0bue7a2>k&^^@q{0K*%yPb1`yCgw~+i?j0cA=_Iuh`f5i*gWzoGHNz9#&-K zWH-z^%>fY=QP;8ZNHf#gY_kW~XvOELcyl_*npLRbjeq_Uw=r0F0&GqzQ{^nYVOl}1 z0CnO^eW8hWr$+z&?N8w#&b>wPHp%N~pI|ZuNwyP9EeJJ6bnV%$ZeX2OM#6W(qHHFT zm_)KPi{VU0QU6+!1;hHo$+$&yeThpOf3-+L5&U={z3XLQZd($kv=F!SRWm=JKmccf z^_kplq-8mX%yAEA!{m{LTDvj(q)!mHL;IIHfP-Cqk>WlBWqqGjEkCh53d}2F zsY94W-t*7cBMpgGlOCmZz6$>pRv*HIR9scVX|Gr)N-`skfVByMSD%Yq&yQtIT@>2yP}qxZE2##0-HnlKIfWyfZSim8uIL z%pV~40S)bZiTNt~qVO+jYuDZj6Ui@0)(;ADAp-#qk#Oz?&X>*e>HTOua?%E=YQW>3 zWt5tPf>JnH&b-9cF7Ng#2Q{mjkGwsDDC&B8m7||DEuFYM06b?q@o^2!2GIbf{?`zi zDTyu1rIZ|N5t%%@07|D~`TP5&E+C-D*q|(DIC&ROvycpaPo`~-lAoBZ)$*kUCY(9( z^@?#@X@C5to0l76mW8e@BcUh5!x`g|a%>I>Zvt7n!ZvY-rmgRzMh^}w$3x60U{@iWW2!zqjA+3QQz#k@hzi$Nc&yVb(DFi95GI6rC3}O z^!$(Ic}qfTBAC5)Q^0jTBK=YxRw75a5HIs7@P;snK^Z@*j+0_I zxy2m!CM+d_EDQ&~twOl|Ql2Lx7bSfdrjx+ul|012bs_nX<3aXIO~j^W;gtGrAQ`nQ z6e!kc<2LNlvD^5yZ{O3YzzT=H5iWS!w%8x=i= zueY=P?}s|CtejNUKQSq?M8Y2Ulj86<$mWH*wBX#GKZ%L1q1n-(mB^&>CBNkob9CWu z)RI`tUN-T0`X-tTcZ{!t+vR(W4vXG$HzEDe?+S@aQ%wSH$n0*>keVAG3^G5Y`w^gd 
z>Lg&wKHVJVd^{0#dmc}ac1IQD=Il+0l`mivZKfeI2|Eq_lc(qzyai#`2?U6!S6FF2 z3a)MyH3W_AC#6a^-rZME-g{n;iZ%X7Z=U}IRnIqQtd7a=6xmOOv6u036yygs3hL^F zy*lxN`Bc;&Izr)t@q=|#j+Kvi&Bm195t^&8jxnFzBO3~K){qeV=~rvYET&Gifc+oQ z&_Tfx(G%WPJu>Z-h5_lYo^rEnmGhcH1)Tf(t)FUlF@ps!Cc{2u0{oT8$yoIfrkC5b*h zjzBpn53fpVBO>*6t_Z3=j#$#MOM|9We=}N0aedFdj_7#1ixQyFe;gy7n@b{US8(MF z(cFKWh0-li^QxSSCqmT~D<`e3Q#0pl*S^$i7=gzIdUb|m-qVk1`_ z$2)GvHaN%u?%4@tE0QG%hxrJ?PF2WYH)ITo;uoc%<1B-gZ`yx|_&9zz>e~(v*?{9t zGy<8?>c5>WiEi34^K0$H=fqZaw7mBX1{3F<+edNaJZwpE$Yq_!NL80y^5^0t)=rV5$*jPn^?~NUZo4=O_Fs3(g`wJl+zE2CUPk#Mc_BEsC3` zZ%>ub%a35tp%QN{;ys}->%=(3IJC8B^I*#fRU<&1gj7WzEaRibqe}n}<6*BGdO&`@v?;cFagk$bAWfZ{PEud9HwL#8C-ZW&T- z<8e^aWazr2*DB1?B!d9&>5_A2DkHdHm(dF*i->vo_A0TP=@zSH9p0pO<=h+_4Hq4) zoos2AKzC~2@WI0b>_)V=J&@mn&?6)>R#tDr@Cy5Pju){#^t(6o^2;bu-4>e*r{D5O z<2vB;8;`{CpJ>C%J8I^PFYC$o`+zBP{1tF(;PHlu9KK)qtA%(1D^5Bw88r*4-Iq(C zrDcPs>Kv6bhL6~gIfYlde|C!{P*F+!SiSTUdhiBi)L%PV@7!Yf@HCic)gC%<^dL!i zQ8mg20}y;?BNLmHWML5z3hP`biGD#04mS&h@iTW2&$2078<$B7!_E^!BEMe0iRU85 z*cVyx0j3xf9i^GS+6lB`Id{$F%tH!JMD=oFGXx3st>7JI+o?NnOq7-+^GYQd_ zsK^C7V4|-N6!Xh6qgQ?*cgy%8g-2RrSjA?-FWKyEEx!`BRFez|gdH03N)#&VnEUNP zJoq*+{1#<;$U=pF6rpWH)YD@A$7v=a-jx&~3CL6v9-PBwy+~&95^&OpI%~MRN{}C= z=OX}>VR@8g6{CvMmMM3KGI_C00S8&_9!!u zqsc3=jA@T%tb0ZDi0bo`P~|KwqL1rA(7M_ADM)8XIJnr@**5;(3b|P2E=HLx7%fh3 zfr58TG%{Dc;d6^9jimfjLM|sy-v&$^b%+8MZRn#dMezwH-Y-}RVuXC(@23MB4I4WI z=eBdf*XJxfO`$4peqYN-4U1QUD(BeXDuhU0$2>*vxqRfrNkrk~}+4 zp_fo%4i1$x@9EG$%$6v51#Oxo{rzhZ*V#(KXzNRkBUdP_FMQQQI;g?p^GhZAVvdJt zD8OGQ|08E9PJc3Nk^5*oE_@@!YC0LbBtD!`$ygjIq2ov@n&_WZdV1~=@g13Jam>gy zxk6j33?H6THp_h$JI)G~!0;2Yhs+Qvz2n1#D^w8u61^YP{yPMlTac>H0WzH7m|-oo z8yVR~BVJWq?DL-5xIXXnc%n_zCLbTuRVyMAV|8U>MtuxGh7@|=30c*NeUU9-`H0lX zoIeY=PCj01DSGK4#Zry4zgUN*Il%6AO$2209U`1@H&Qz=ktN!s z2t4j{#%=5*%|!2kBE2RU2=|uQwI#MEL-gCtiQsvU(=zlX$&|>r@Eq0c-b(6n#x|-A ztDxo}O!VIly$?(S+LM}29M<>)AdB*sK&Y^@$g!4upY-Y7R+XOes69cGg?P{zT9{Om@I+yN+{d<+_~0pK zh^AgWv0P0+S8+?h6SFKFY{iv4vbX$RP+k^tQfND@ky`Pme?Eq~9O-3!8TT2bvto$VQlv;Y^X0fy#JQ@4yPi=#i2dQNB 
zh7&>vdcdk_cwcDu0%LRzBlX4Am2c&cI zX}2RGB$*%(J*4D-7HbM

_ITnh7y8JGrD69Jl2JF##|~zM69$+-a#ItDtJ|i}`7h zQ#b{@63y{_AQ(4zviQLBCA99kjfbDy24!meNNqk!|P;wXlzJ< zth9za2lbf}2;FRQq17MTl)LqDNGNegl6LeCc5!6n->JK@$I|SOj{!$$m4)ZOVv35l zbtk#a*s5Ir)pO6XBk2#w-mB(d_t;Nt;Uc0e?%0FV@a{?ajyt^*nIvkIo3%R}N_qp` zC`GaiQ#iY0XxGC&_m@e=O?G?2;?z;Q9jlu*jN_*DhJ?-MnGAo>7(kf}Z+0`>YD&W; z++hwQP&PvY9C~`0v@Z_5f>sU@y@-ZMn8tCKhEW)oro5an<|QjWq^3a__=7ncmbUCm zTl<*gd>NFhzh~Oda-kERWHA2;nyrJ3-@bYZ>`U!Z~P7IBsU^06!h9pgeC4ept zBT>nko1?+kTLTCng(`44T4UgMWuivUcWkV}T4NR{*=2lWu1tGLF*T~sYeK;we-u3p zH{jI@hIHgn9VtJvykT0{&J7p2?|qyps@O`n6({p>ZaNyM756jpPdcdbj+K0;i<7@^ z68^QL52Af10&2a|f1#o8Sb}rEkC20i_^LQcxdil(YHE^Nvyfr6`=t^a3x@+XHi#}r z(iLD(b@GyOo`kOL7@j|@q_;wq5myL>KTW7D#g5=qz&gC()LR9e4stLToG<5rFu&0% zI)%-V*^|Bl>S;wq(AOuzCd^!>R^9Elo8=m`ibrJYm_XhpF7lV^;oF_kr}@}e|AgK7 zc%(uVZ#srZ@*E7I&Vru;+4E~=MFtAY%gwR==sHOCXN|>Qq_LS(z>Ek57}7Zghej_; z8eLrvo(4L8iLJahA4iKicw*Gs;qR|#R|0}%)h8cTcbhdhI2>wSJ zP@{h61z2B+;a8&5Efp4L%8!w(qes8?5CjGQ3}ri%Rq7D{4Y&f7m844YsT6*?Pa`6b zZv>>96?qLgaHu>oP_C?^PS9S8>%f>#NgZ)0OiAqwnl%f8mq<+>!amA`M9AV0M0-B~ z)Bvw5mP+Mq;ca3?1EV~}?r!@CW+?1fm`xU4fNYO@tp!6qP71G>g5#IBD=H0E#)pBD zP&X%o=~(u(!OfmM@WU`X56j(q4#R?a^`0wZJO@dVPcC{e(7^WqB{AKS=uQW z94-F~#~_r#I}6*nnJ<2+G>0Lt)t+~)tV)|4=++T9t(Yw~ikY)BFEvlQ=5#-*<`pSD zr8}j0hbp7h4Khx4d-14BDcv-KUCZsQw9MNPP+ip%&DVey`NiD?cf6YHJ}cmBdz;OI zl@XoP9&>}KIaZ6}>cfe7_eqp}hd{k8XvKIm@1JW@QF}tItX}6JA_P^z>*gg1Ci%r+ zXfEKo9)HJI?z*aRwpY5p)UYZ&>L`j?us5or;h&r-F*-BXHxWvn({aOdy7fS)xTJ{o zu{jGS?DPmRDpK~&0eUw!!$_X7myBg5qG{a+y&$KucAco#I@esUFxKgBw~KH)%I)fE z;Zfb$nZe(u8%#s5HycLm|ModBj{H~F^^s2B!v*{p z2$P9^Fv&Xlzbf0P-?hIyTz4i>bhcQ(HUHv=SFb4mNmLnx+zs#G(}o_J_odY2zV$NH2i zW#>Q6$KWf-wJL8P6@AW3~)u}FeM;?T~VvsUe&JEqy5NDN@L_dD!kB7$3g<>cDd?BlM4pph zD(bhXh7ZPz?f*88pkd%YGh3s(`?)%O(HM!QN;g0Gll%KG(uSz@Ubq)hLR?!MLVTTZ zy;^&>D_g6|C(jZr33bUMjs$&I$ERmF(eFXwit4+I?n=OuSZiXV2%ZVNW`GNz_NmOSY0! 
z*zuJ7#ruwuJhsa7-Py*qi8vg2kF8Ma@6TcW6$VpAhvY-9>z=dZ*ZBy9uZ}WyrlF_D z=&(w-2s{qv_?}yhIRO~4bo}L+;9EV4MAC<+?Kcrk@bS(49ej4A29}J%Zj4{q_BM8ZEG?<*$co8DV-Hfyr17VB!wnvECf=JXFU60u zZsdu!?=So_g#4eCZa}dsZtvZt9dui=5ZP>aH-ScCG?&91pR7qTA7^gfxx75z6duA? z`1>D7TW$Z8rPed3~n-WHz`^At9OzgS2tlQ=Rubo#Tzw41Qt`tYdt)G1W zAsJYY{Da_^fe#z$=UyXM(PwM0K)+tm&0wc`guE}PtKLv!!k=7q8V9e&30+C}o1ZaZ zg?Z~Qtu(`8*Kf-!I`K_~v~Y?s(wcw?nGZq7hOg`DBvC%&piPrWRbZTew)=q8 zCQQ}9UsBUd1{m_&vC31nDW&4*q(hfA;_I5pi_we{Idl{dre0+8TL`B)^L3cu@Fxv; zfPw6tW$}S@8X^EBSQjyTh2REnTj29Ua+re1AgeR5%QM6qi?$(Csz+7gy3s*}xHGvZ zWDKD(lfCYxv70m2bCUfn=q+Mrj_-6em3eQto`JBLqBE5dm!TYPkgA!il(0~AT*A@Q zvHoMGcEdoJ84ORv*%@SZL^3;%8C)@)_kkDA0V5W0H96!XNOoLOp1~UwnnBLfDr~eC z-6(oT!KeWMq~XOl{v2Y{yG4p(a0u;V3N$Sr0vbo{Hpm7YJe7{dF-$#)B_*?%8>!Ir z7WdB5C_mXH*qs7eGK9<}B(9(aKu#J}>w`QkfD6&yL{=dX*>zAr%ay5)5J=kgqW?7+y#0b?3}3MvcZFV4SXQ`0~! zK>L&j3kC<|PN{$dlus%*S0(G)6|E3#u<=(Omeg}JY}uzno~zKwt6%zId8Eno%&>xo zvsa$PrfOAv`0-)a#QDWrU@O(qG5INTaXio5_^emsFh0s*tjz z6jdop@O_BED=F2}u_-S=Lu~^p0TG)Dh>LetsQAL34IXJ+s1GSDW=tYMCYww!NzNGI zb->7Ivhu{oSEg+0%vV1ZC&;}kd|3Sb*Drn^&Z6Qb+xD6uR*zf5xWn>||E~AM;`$|w1Cp=*x9N}E{qJD_NuR`24geB703c)(v$12POIh&TS}GT5R<0>qm6gYR}E`pf|pSc@8| zaRch5?01jO{QEMJc4p{1Z)Pv3-RXA8Vz7GCWJ}$94{1Qum%16U%d^&t|Bz6d(l8BH z(tm{13bPUp)?0b~$4neIje#VTG8I%xF0VxmC1R$%XvIuT*%PV&q_xNLviK>oj8bTs z8QfWd-5W4hm0;nvxFRk8u;9%u554eq7vls4)=pwwa0>i`xWT~4eRkmNpUwstw(6{I z`*(FZFF>V&RJ~svzZ^+4tS;d83#qaKoYBy@gxXnn&$WqlJZp-Zq|z<|A)K7>>U7sXD}GdL#2Wly^8hgh zKddLymDM-#(zq!9iRh1$}O*YM9%Biz>9&to9AffR(alxn z`>6GL2IVi{LeV{;pTusR0|4%LI({d*+cTXNgX%NaGhN=9s1EEG{BL+2Q-vlzaFG)M zrkTW~&2{2NBsU1}HKBw5nv;sDGl9BCYMD(3BbXzuRG6M}O6MXp7Bm+|jYiiABoei4 zx`H)AU?K@EXM0M7=}XtIqCaJ5mpSh$DvXwKJo%fIbeaF9jOp)XxTpndSzOgyS!8-` zwdSe$SpRy3U|;{XX8u*PTRU@3_R}&29^I zIlq$M6YMvNIh@GeFM{R*@XN_?DXBHG(FqWY3~S_;(9kgPZUD!1EaPo)JkK%z!g4LU zQ}nOi`H>F+jN%%%3z?SdV6_qz?~R-e@!Opx_RA0E|s3+xU2;AGfenA3BIN(R`&K~HOhGEYLou-@bwtNFl!OI&?M8i+qyK?LS1niTHC=t@F*MJ z`j<0M+k`N-fyx~3%nO(-W|^$Rd}fZ9<~HDTP~1_G&U^oOKrd=y1J_IDOoYU8^8ya! 
zJ0U812+Zpqb)*>IbU$>(vgrF%9;KIQo!pzOw0U3FAGAVPG2(Pny5IbYq&d$C3Zm1M zr`*I*k#dN6B62J(oz`}cjBH72;UG!{s|JJ;XdzX7@%?;w@a7qYFiP28r?x!RE8kMI zn;ZOM91cNhq!)RG{rK%C)#SKPsK)9nC`i)wS|_VMPwvwS_ZC+m*pBstrj#$0{7;f+ zY*|w|@#^>rnJvJvK{Jt_>yan*t={1Y%g1gBeNwHSQw*UoojPYdW&n`+^@A}}@Po6> zvi}Qnhk_KfVM48@mR@-w%3Jir`!q*;eDNcpxEO#6C?O%}3*aBkGqfgcSk-GnB@tVPJ4_MKunxIMDbl3wA^rC4&GHdqbc~lUsQQ0)Nzl&Odeg_Ta3T+0`0eYnj2jFTrWx1|^-og@ zEbgDRGRjwb=;u`q+^4Ywcc$<>NAC~%sHB(zvjs~EOHjIp1zkjCF$QlF%swIr_Yhb- zv0a2LwS_flVsDQ-3=>f~Jv(WvHZh`xa^qYx_Se7C=b=h8HnTGxe2+tzw{{(-hh5=u zJos~Xot|By6G?49L~o?N_@`7mh_sl8_ef=}kE-{V_h*wCVtq-KuAj|dK%XmLYF*M_ z$_~61SP5xrC|mY&30Y@h4xjg-4hKJO^j>UKl*ELaKCAM05(DI1=E_`?&^FS}FdT^- zz;;Ja5U33$<}C`3784*;<~1r4l2;s`UdnT3pW}`qtNGVI)6Qq!o$6550_5)Rub8Rd z$%9SQlh>J*;jUPK?AXxz%>wCaQSCM}xj)vXBs#`!eO6T-{Vh#oyP*}21Ei9NfoUFasg#+P zxH4GwLKrhm>G4A4QHJRsTZ$Cr{D{Kq`+?Bj)4~fr5xt^o{6TAj0hajbRaTY&e+|l3 z>VP6Ac;H@8e!aHVWFWhlgRR?L9Y~=ulgB4Lq6nQnK;7-XJ98_Od+Z`$lQap%;z9n8 z;J8(P)2%eqK#Ux5luB~ue;>9_ROu+-C>QySIm)EK`0eD@-X}@AZUjp?E*6C1PTBQQ>;X24&huw-X^AYQ5ULD%=Ef??OOaAooJyy1@mxa=L&G z9r>y~!%cpbP2o}9%zN{0ks5UtlPB$N`5!v9H^v$LxP>F8WqzkT1Sl@Mp0*~=FW3LL zqlE%ebU!#~_zdLIa5p3b^OM&<;j_pe-9rXYy70flK^ASUonoN<1dCy+X@PqycVz?` zf(-q&{w6SovLP4u-{jqt?W`_xbRX5zao3?|E*lhOxI>z;r_PT7YoPl)Bw$sdf+uLk zx<*yoCL5Q8x_V8z2!tITdh8OHYI4K!({SU^r6k#b8R-<_M+$tN#>TS;B~B%4!O5lX`p~ylGU^L%cMA` zT~D%lU>c#Ocl~YIEMJvDiwyo_EvPI}7Qk z7X$Lj$1-fjx(psu<}_xDZ@>X1GR(`!jiwn_5>pdMO=fWKaHi78|se9NGZ_v3jlJtTw+Y4J1%qTQY;OvX$Z5$TK&<4fYoJ6Et|jt%QdW zA&ZO(O+Pkw2cRiaSkujqt=x}VTPA=&j_|d~0p&1guC}_3i7bdL-p@ex8Ci%#d!N3Y zka4Zm#kq<9C;&H7xlL1Q#1Z9AM0G9f!Z16z9Ds&{iFttP5q8jlL$ta3>{eGTRr6DU`_!Wc6Tq6skJ*hT0K2pPd;?}CqdsV+nL5uTQO3l$>+wyO)Rw$(U#~d zvuS|D+>BSWh#_PBJ@q*29^oT@(M5FdkC%kPu3s?e9ewwV5ecvqxjbu%k3GWSn^R@cfCzv(d5`zHYYz36k$ATIP*RlCN4@Y^@vwj|&=oy_Hp^^jz*|?4 zSB-JTZN+aMj_v_}23T&?n?n0!rrP`{RV@UYnx=Omi0)!9L{O#a&T;m~p!q+dE`^@^ zWX$DD%@N0$_D;HsQPxeX3Yp`rxFE)Ph+fEPD8_jT8<3GoTTr@XCKMZFDK%ht3^`_p z8>vK@lRVW_3cdY2M<(+RRNx8l6D>Isdh5QYkb86*GX#!uc)$~{c?m)o2zWbm1>Aey 
zFYfN}e(ukCe-2(>ZFx&>-9C84+=C=e;rVa92pmg>1tF!~`cLIg)Jd`Af4w1woLUkp zdb%8bsEvKxlZ944ymZ_5o*8BGS`q&NiY|1WEd(^6Xc|TauVw%SoHA^OR-y)}0c2FH zNOj<-#$M-uMcMpdP$Z$c)WN9%iLo+1h}PIP79>1seX!jEIrun>U)vey>U9_vEfBh+ z`Le7VMfU3QYKSOng1pXgzDr?2@o zI1I0BAg5Jms5n9BS-*mm2W_9kJDJ9HJ{q>b(%XkkB`dZT&wZpw+lYoN*0khao3s*$ z&cWc^1p4dcu_-DOriufG6tpdZ3fHlUencUQviBZHkk;!PEYf?8G~-_MByzp#6i>6f zv8*kp8R*Yw|GRILC3z&bGqt&}al^gHjEM#Fc^tgqmDSuUNW?R_9lVk0W&g7Jx%*gL zOib+kKALW2RjvIVk>&kSX1dV)Ts=wbZBX@e6YG$D>FR2A z6{N!6wtfb#;yI>-^z(U)-ZO0r|NGfX7r9N0^r{{mPI?0`C-L&eKK(hWinM+Ls4V=< z&IVU7%iI2tmpGrp)*5)SSFf9>F#WXDRw%ULZA!hwPL+|lhd1HT!q zR$vW(g^X>bHlt`o(o`NCy9=j%x7yUB{v&fYOjA+0+K2-w1IwUD!j;Ah>m0en*7`_} zd*Hq$Di`B5CudVGrB~(p95786Iqg=?4BPSq|LNL<@C6voaSsznpDvxU;u{qjfYC7yTkF4EMiFPYd&BmjpOOP**4)qG6bf?NdI(~c&0Z5<8F-a9vhej54JNEV(^J>{S z=E~4Q6Zsui6j!1S8eH80++=C_I7FSycvqmIX?DG7*)dI*(F%xmt*+!J6btXcf9tX} z{6Il;V^G%qWf@Cr_RE7kDaxU@_}Z)IM+oJIgHumfd54g1pxQ_CG4^Se9mtd<|IJq?r78=lBsnxn z<83Abt%(3G7uXP}cTt;jlyk?4R#n(Z_-)1my`rsgcEQ8xf3>)F9we53n>ZggJBR89 zT^}hehk6^RUsCQ^fDbW{QOr#hrI$MgKfpUy$J`N$PSAsbx%=O&Uq^;OJJEtvqf0U+ zblK>j)M)w`?PWjH_vhsQdd)y|7)q)qCLS~%EaHI4CP3vnaWL$AgX$EJuW6J0{4ail=VCoG{%x3|ylxB98-Fq5+-mgQpm^5np)n3f*uL>yqIIEvWR zacp_7i?9gQDZ!QRY&7g))JDRL(Gy}>rR58=uk6RE=DJxk7$lTUfVhW9pYoR=REYK8 ztgT1P7wG8!)e@us3Rh-uw#L%mk%15r`sDv+T)@Irq-*6(&x5oyf3XH%h0UeK9+{qA zZmrruq{>K`W&mhRQHD|n*--z-DAH3^6cOX(+N7|&c8P534A|{$M3$CC4JwhII9ZAD zCcDnZ2+TppQd6T`pMiZ=%NcQUmOOM3ty(oyXnuPACUX@yy8aLsV`=>Rrcoc_xyHYe953r}R>IMudlwi$(NCuuno!U5_Rh zYmn(3E{dIoZD03Hn<|09;(nQ!bihPtYr-Za84l^-{{8%Uvx-NTH$-l%ikF=aEIuH=WeKzGK{CDKd3>Uj&p`4A9j|jY6CeA$sw-vvO6=>3go-L9JtiDY zRgAxK%650VsXcrCDgT}DYX-C1mxcCEwa#usgA0nfW5)K*A|;q&){55*6mDf9p_-{K zy%-nD!XKnz$K$MIGqMbNV)D5A6`?V-B(%MUew92@pq%8HmwnGQAA6GL*X*Z3xbw#F z4tY;VE^ihR*OOeSHmv*@_aU%-p4(4E1G+OqUO7wn``>i~qu+)-c_&TSZPW*tj&2S1FNhJo>qbd9Gw4aGg>0v4&}gV@-^2eah;)yJ?DcES zHI+bYQJ2tR0UX_a2C}2SsT2gQX^*#FBAcfk59i}&)eBuS99?&O4mA)eS^kvcJuGdp z|89o|Z1ki5&d06`5BuhSVb2rxf05_89$d_ef9&sa{>h%3>ul;_COg~C*Kf?rwgVUA 
z`r_3-@U`dmgTlE}h*!UJK~>#XdbFbJzZz#cGEak+y=6trYH4o;MmC2!vJqu;Fk^#r z+TFgrKeP|_Qc7;T<3Y=vN|M1M7(gJrH|&-C@t{}|u`Bd*sQ5}M`c9IVlxdV(bYm;k z?rQiwMx$$}r6~3+?BO#)zKqOkwEBw|nQw!0*z8R!APxSEJ?j}3LK_Ryq?@jgLYySM zc5SRk(-!<%Ac}mqyQG%mAOo0I-(VsoPr0t2)Jb ztTJziqCX8XnD$4XuQjy^f(?FgH!FoVfJ9EN?Tx6hkjhq9G46o=dj47tCKD{LBTS0q zRPTe7`;6;}8oYEd>!HPm8sc|D*R$7*! z2}54#F=?hdFhLMdqC8gsRxRuQklYCFuOvb+J|!U4Du+9|cTPPv-`uaq>Y7!1r{VSt zjOVUC*J21)b(+gxr(LDy^05O9Dr2R~Q(Z#s-feN*C{;7dRCw?+4aLr@si@p2VM!}u zBf}^i9C>7wojXETj|aRG*K94@#URYhqX}!#p*-xG>3Ylk_-I1E*D55QRUjz(bV5v! z4S(sL!6$pJE>j;Z3g(*NRQ}i(gC{30|Dh1TG4A>trZ@A-2YczNmFunsPbTl_9p_E)o+^5~1 zr(OQLZQdUhaa@aN6UHpSrwzdZ+dT{JTK>DWsc&K}4-!N>iuma|IPd+c13LMcw7WC@^JVdU>P` ziZ(f~@>C(o$27E&$$?uipd_@0iPx^RI20Oe6FQRC{GE;W{@UDlOOuSn0~8&x`k|QH zSK~{?aRzBtDs&WS47}2wT9$_LOE%M)?X~CggJEI>1>P|~Ybc50+ErInPMWOS{pjI= zZ3?*mpp2vs(VPE48Hpj;MrBaJDM|upD9TVp#0X{ox$5~z9{PD(k zi~b$E^L%@LzuC?HIa_x1A30#sd|UGhkc*?hr&4*0L6E@g|CvuaT?jA406!)^z!G7m zGXr3Qbi&*DyZ%Rko)2bcrB3IJH`oYNm=@&{=zaJnf>f$6%mwAy{*w|F+@@KKTJFsg z{hV$5B-L%9ol+pghf<>io>!xdC!pA>Zqo_O(A3+cu+bmR{HGzBsJJ1R6^Wmj z!FgdUn_f%l3vxa0lS^|H{$-j2ssza~#J;S0l-MA~mszd5HGR_)TC~B+9^(R0ZG!gh zbZ#v_g=5C9rKi4o73#BIA#&KQH&XR=cU=F2M~LwP@9<+#%HDyXp0|;bVxbm_yThd9 zDq~Wjz5C;9cZ8=I=RuDUmZ?sm6-KP5{i9_eq(57i7m;qj#ful;$Nwl75?RcjDWu~$ zUIuTAf84a*X?){Vpa9T*QmjGg>YDbYw@Jx->0w=@Ke_=?3fXrJLEEPr9i0AH+_i)V zQnsYHQj0Q=C>RjZk*sb6=j!r^F=x5@jM4EPrsCaC!o3}Ze%=fEyb<(rbxHl7&})zV zf7!uVf?luF-HeO$`(M)kWVLkXH~EqC zze7L&m-)Z%#hnYW^&gy3L+0r&SSwX}dd%}9qti>C$1XWx>iu;oNh$(FHv{S%nsZTV zTdPDzHFfl`7};w&v~e23q$>kCxKc=(gFhd;P$ou>R8nKL3XyK?hy88;CAai)bNYUTuTf`__-JW1`d{SO}ykv}EzX?H)2ym5LrH}x~f{yrC3iJ)%+L9wL z`7t(RcU}O?ou-&dPR`pP7DS+?yu;cxRl0fN=-AC971U>#XE}BOcn`C!;uVK(EumWh zgT^m&L3!%|5VDRcnL4S(>itc?_K&u2B4K0zZT}XuLN=oq?(f~)R(d~QIDDO7V+T=VYcbja z2T*6e;CJ4W3uLP(jQwQ?daPP%B#hF|*8BeP7`mRCYpND@p6{r>>dKrFwJ+k7WR@4pDrIM2`W zN|rca>$GVFV^T20wIZ+?Q?U1o?w2hqDj<#(4vKg8({y&2MYbbs!2M)d2V=Fkw=(>EfnJ}7?Z)I|EiYe5S& zAZ3D7I~T%(rA(U4*LUX|Z6PFYhkJwMOvu`3j{4i6UbK=KL6al0b~X*9Bb!YVW-Ic! 
zvI}};zcq3}@@xfl?)@UaHA3_^SB&OTM5;4NTCXrNyr$}w<@gKZ*>zrA?C@-ccoRE* z)@2K755~E{4XmxLz@3z$96gR(qBVgue+|sKNkc z73B~5glwIO*1u2Q&<&x5k|{bV7rmyKvH$d+=dxZU8-B!89`Dkecu}MlhlGn!q-%Q1 z6e%l~v7Cu4sslQf2rGl**=4_h5@4&hQs{%3%vhH;LT0D$3rvW$8H*8=y@e$o#W#S%LS%)4XF`M|s>xPx3Ru@VaKv^; zP0;}{8`|z5&A6By5Ty|_JSJv;c~Pp^cU&}|FsWvo8|3;Gyh<{=La?*6EDMeW!QDiu z;8I<7cx5u6&VqcQMIp5ukI3nYid?RD2B{Tc)&c37bp%lg>m3w;r*i@o?2bhMNVbv6 z^c#8e*80OK~Nof*a)STdhW9FpI#O|EH zi2jo1)I{#yojK{tx;rPhF~6KSB{``S%QCqxuPUic%~5xNd9@9oVZFNFq;wl5R=4V{>qrfU8W9%`ca+!m2xH_jf#r_5*p2x#%mB-CE;?Y@Ii_vI}Gx8CT@;oWd*!?CBP( z##k{*5n1&;DxuZ`Hx0X7qeSf>w@<_e0eq&%J=HdL_j6IQ-dg^wun7?!PP&JT9DIl^ z@;$z473EAHt(uFa^6e2C3Ap=i`96cha-~B_-BsEna^6oc4;u_aMnN?0`w&z1XTR|Z ztt;*0zFV#py{PmwYEFymGK_>qc94ADT%UJe2Xh8ce)VGNzZ06Txl*yb3jN%(`AW)L za?%65;-$YSzEo$1*{6C2aSSdl3YWD6rmU!y_3ywSGdBy^2!yMQON))8&|L0Kez9ZoMEv7gG3^_lZ2LX zA6U0GIfhz7L;BeFfZVhvJ92Ufq;r)kIz=;Eiz$$6R;O7>Ax%QN)&!)`tQt3ew0yy! zAnc`)=iX9Wv;k}rPmB^>6m$tSNmz8>&hehtD?p!Hu}*L@OzIh!pOEYq54l%&rJS-ux5`uIufOdGu2#_W4d9;W{Nx>pmrYF4UjR zGZRmU#^U`E(7V^(8=ev8BBEC^hXjQdd?45{0f0UDPgb36)ny?uVckdAFc7Xe(U#J% zU^I@Sby;X-sWXzc`m-(2RTDe#fL&qXfejAGg!~tX2bY~|ArY<|S#(YWF2jrphjvv< z>#HI;Uo4o-9G){$(u%J2C9a5B;yGJ#5pMEeuY_YoToK#^uNhvGHD9h!i6<0FY>AB; z7m^OI0-Ru3k$YOLwI)Hc6@;y+AbC>(Y-i1AzL~0;*4o%%nDRf&@1Qkg2cYDKjfNb6 zk`F-1(G@)aB@cb-0F-^BjPZ1JAEdy*U6S_dN%ojfRcMY6U7$-G%C0z9GxB7Eyk`auhbwjGgS z^#p)fhW8#ji}#Z?)yV*>*XD@6diUCK%CO~c;ar028_G(AF})MRfwqA~?kiz2Yn>HR zh0!Z;A+i+}f?4B>*N{LqXG{=TG83MnL~*e!7@>7dv(>Pu_#R3LaDm(0PxBj9SB$Q0 z7VesI{0c&|N~+;aTQ^0`OZVkOF-YgfJJKy2q>tAHX5s`OUe{&4 z!CW_k3RqY1_Z6>e1{(~JWq}>$V!I&uxSO>_-dN%-QGG{2_nf* zbU!G?Dj2^pE9^W1Lc>h3t{Rciy450~(2p<35>lg#g8heQ|NgIJzR|bqAVsY-*0QFB zTf~BirQRbDHToX%li=+N1LS>p0iJ(#JMXFvXF0n&^Y(38$mOgD<$vfhkDB>CEGi40 zZIYPO!X}ZGyhrG}9uAAwQkJr83iKMk)|?G1)+n}H(bRjMLMv)XZ%H4M9cPCqO?J8Q z7HSzbEQ+i>`1Ts}$ zm}^=T+RBPLS!)R!-^bVw=Ic6*g_Bjvo16dCdgHKEtQ9L36Rde~mfA5~LdQnBL6ONW zPTzy?mpfTBYxa`e@zgdWoj0tPrQiwxq2`6mZb@$bSO+0*z`8S%G>YU9Nv9YbVJDGd 
zP0NytC1$`^^d5&BwC{k1=69&_P5_)p^F<@!&{f_uul6Oo>?Qn+sn(<5xJX-*;pT{U zj9w!+p<&lZqVqSNBGQ?maK6_yt&OH)oy3%stWsQQQT`Ej_@bbE9hqk9vU~h=;vU+m zw?}~w1(P|FD|d#IGVlNZdTQF4zLL3l2@WkH&h{v2X_@uOB6!T9{@Bi`d#3eo+@Z!# z1-5$sM;Qh%@+89gRtjc4ld)J(r|KCUv0RYnv**u#3DF9p*%Ga9ooK~#vzKvMSmP06dxMPYp%!zC zdkVkOMj&fj)I`?(1XLoeReIH=r+r}J3Db?2>Z)e`$kUI<9GSU2{GQZ}OxV2NBMAH{ zA03es{Nyo~Peszo6Svz;|JA25f^D`{{#H_L%cBMpT8pR})4iXD*WyoXMei6Cc=3W( z(dwvLl53nBnKw0I;*M8RteL3E9j!QE2~-TKF}1Gy+mnyy?;%DUtK`CBRWtua*^+*L z7T%X7CYX?cEw*#e`vWr3&Pk7A-P8>YmEhvTK4nFt_}xC_Ly8XNZq#2;g)&u&FZm!> zZ&gjUo3~To2+qlFO~&xh`&{P7%GGc9!BJx@W5wNcZ?r!L|FXZwyMl&NbkxLWygz%up2W?iNJ%`ZNZHF8aO-}=eDLL9L zy_)J_E!Ml|WlH`_^<+;4n7xq8@A`3ZcczD^JU_?mayD;vPvsQC+&#a(r`7J9r|6*^ zvleSE-ZPpHCrI}uor;~vzg{Ag&XfptUu;N*_0t2c2(Rg%{(6TYM8!sv<+blx%qpr@ zkb^2ABHEi7(#>L}ca#@eXXz@1&&WwBb0-PnoWLeuVGJj)0(IS((YCmc917)oh zEp5-WRY!4BOI9n-dD?f6p})WOb?;K=;LQ<$V{+lv~Fi#2u7+Vf3o0@hL%CaX%z>fz{r#p;T)J4R?V=XFJ^ zjl;i#K>7yM0BySbqhZwsyi8CZ6vE>~)N&}B%`v5XEpxu;FyQtj(tn3EidEBP!*h1# zZDL5Y4@#3E>zq98{=cCm=;82rz1?^aV9!m0R~K7t;A>^Iq=Ns1tDn)DEoG(ud7?5| znmqwM;?!GWxBUXP=_nJ^%95Cjo~mRhb=oYp4nOq*J+Y0WcQ6oYtG79_Z=_?lL{*tkqJtT%?4NI`hc z)}^fVEr(3yU$cWw#sw6_O3~+{8-1oZ01_`as}w4L4^Y|y{8GxQ?uRSw0VL9^21n4< zW`YqUa0h@t_kL?89!p3O(;4#xJlD5z2?gEpThnSOy#rT9{`ji|H*H}31@ zTI;b5s3hvur>tmlmcOp#`juG7sxQ;Jd*H636v))&<+LB}^V#b6ZRb=&1|u*G2-)a* z4t*@#SvC^B?^t{u{H=Wx6qF8ZE_p+58G)vR15Nn!ARPg8DVX1wS}d>m zR!Mn9UNWs!>T~i!^H~o`w!37g6B-bk-NP}Mu&~7{{?3?@S`I8fTL4$hfh#48i$0Hhcbj_N>>w$;pZ@SA7AVgXiktx%y}GT>YbSN+Ysk>qz5tl@0i5 zQk+$UwP(JPeMz1sQAQf+VlOF>1@`1mr}#&x{Q=%=9UHrcVeoQKP>1`(sWI?k>+#k@ zdGh=&PF(8Apu=jPfe&XrMMn4DSy^_Y@PHeih+(-klvhAaB-G*cETUGBT_S`n#|EdH zG0D^!R0p)xE`5;yVd;tl9`AAp!eykvWF*03l(eo{C0>yKbMnLQKTl7;IXU_3v+2M8 z?e`}?%;1OLoqlur+5Y4Ar>7?;fBnmwZ*Q(%{f(b~{;O!#xA?EmCx2zH{+3AO^z@tG z4h-l)@D<&A;5*#JHbqzS%bI?II4Q-evd&51j}@z#=+7WGEBAtY z^@m+YKvz$Oj)>O&@FP5GMWKirlHVaZvXE7%P@XGt{M8>;#~7sE%9F0xvMFe#cdf$W zZt|ny`?dP4KCeHoKIfnBKW|Qd>>+)!=0(A6Vu=0knv14})c2-RB&Qoi?issPWW#8s 
zdUA8U1N`i>J$I*@_6(lhdq3yi&nxfewfD2~f3HrzIo&;~0l`wqre;?aTkua29YUKk z@M%)Q$2&V!u_af~zyz>AS5)LhKhp3*+E!u)lGo@7P14@+3~!fjb>y8xaP1X{*IYUP`~kGpJAabQrDKN^*T^LF%H+x3-;>a)A-)5fKS7AB}l4fnZWDxLvj6;k#w77{oh)RrDN=m1(Rjg8{T=?w`Ck=Y^3E`D2ZE_bPuJwr$CE1g1;Tjb}rZ< zTQq#_K2+Bq=S zvp?TClk0UCy%KxnD9$Ft{yp}Sbk!!hjhz5FpjOP+2`2;0vIfW)!2=;^}Obi0&H7J2)5}D3}4PeOKp>f49}PrL35@Vm3=A$ zh_MC$?Mj-a>VBFSNNs(BH~O%2&SD5&M9TtM)pn`KoGO;LLqFN#lG7QvG>o;PcSBn% zBw>q%woauWtX#1*t7y?3ltC(eVbZoHCdY2wpW#M~o(!s5&MT{TyBmy=qj%!Hl=T~~ z;MzQb&mWxwn!wSJDz<}H;ofjzh7ivWP#ro6KF>cW7prQ-d9uXUl0^%?T0%>2Kynau zwSjb_9TYv+@L*t09~4s#+1g%U4zeC9LIBRu%$DF%tOM3~E8z?zFo%VsRjm!*vH}=JnrEn1i?x+j z$w6js6syoa1RSfK3kZ@kEvzhnun<~XP8zz!Bw<1!{>T>4g&Ed|%a`OCIRWe+V37so z1=gj}!NxILfG`V7c;>EEZBZKFY#~ubneh*ouIyAtCZC4h%rAT%d>UH5AEq2T4Iv$V z7$*!k@PlFlPMICq^kHwZ$p?DS?ASf~$aA*%(8w(NfgzG3c5rB~0@qmL4)%QO5N9XI zvnRU9o=Bc4_8k|^CxmuSaV=|>x_$*OArSVb+L#S!*W|{o@hq5tR^aC@477JJeJUL4 zaYaSmo58D}?UA_>9&djRm+0dz(YVXI=tuvtPZtFUoB&+8twXN>I={E<<&b+W1@t+| z*;mOvjD+5?zn2JmPTk=3%fH~*;Uj5dzuA;qW7jYLf@5z6ue6=9>)Wq8cDRmysj)|V zvx;SzT$fjsT=c?k>`V`RCGe6d3$a)34!pTS&&Z%V1>8mtlmdf#*yCh_%xJNast&Hl z&YEn$);2~XRDUb{E>!A*5BSpHvj$oNT5hypS!jyhU~4V-oQYlpXllvaLY4V+YYE_u zZKGBSlVTzd#~MmnuO=p5h7d>)s6=)DSoz3kmQT!Z14Q8hg~D$b4LCCF1-QV&&lNfP z&Mx$zF~4s~bcEmS_7g+xw_M}~04;HX4%ra(kTzzBCx}+;1^Gb`H$gIOStl68!+hv8 z)_IRwORR$yB-!_>JJ#m6{I~T50g4|4@P!`hRGU@16zt0MI|4~k-D@z&g_Q#j5|W;? 
z96T>6y6Cw}X#n@S@>S5bhn2Bv^a>B#YF#C90=sQOVx$MQ9%SA4n^0CrUt{x?l(*!>)|D-J zy=vyOOs>5Wv#H`sb!K>Usz)8d!{?%KMa7*qZFXRp8#yc|9J-v$Ly-0M-R`78T)|d7 zN>AS1h7i6=)3i6$%#{e=*%7AozW*=eiig10h(3 zf2@3e1lY?fddJ$DGYnE|OV(S108JFFCkO?tg`g?g)@%usDOvMRdSpJ!WGRcPw@^qi z?SJu9>+-GQKheCGHe|2)uYgzHvRa$|xE#K-*&Nli zY$!0*!KhIuJ_N9(ofuKrD-(_$^||a*vbx&mVfTL|8TTPNz!SL{1AjE2cjs9q8{8_;2Uk0}F|vy%4?kQl4E2VE** zFo;9S^TBkZ*nOtu*oXpn3)*chj~im%LP zvA@{00n(KYe$|-lL3l#aZ4F@hs<-wB5aNPBVmcyu+RQxY5P8GaWzpL=0H2YF35F@p zOuxjl-`M1<{?&|Y_G^~&zQ!2+D~g}?>oxAd64{gt>l5(E;Ku^8(0UnZc8jd&wJW;u zl5x2rM@P2N5Thb=t6B+SoUO-R-y$53=UEq~gMBoS|HP0uC9)!K*cwLoxIK$(8A;Qa z75|9=vd8e&1;JfX;aw5|UbY#<4bNT%*l@fBMS&2FWthMQSWk$FV{=99sdo9V5CP*q znGWTsp{r0R51bAesN9 zdBPwKP}_{)MMnzH|9wJuz1yJ&9T7~hif3C>8;U>pU3wlWqur8E-3`0MK}>i4^w2A} zM>|Ljetz${DFMG1DjuK?j*5Ir3n>`6`gjpeWdHy?$a-&6-c1}^!sgmOpjz7Yu~k?E zu=Siltje$Mfb4Z^4P1S^m=Hc=Gy5<2XxL2yjW1xHBaP~hf7Daf z@BPR0k48U*fBk5jls|6$7O%4aQ5b`34g90F6HAuOaQW1armzc)=NY!Xj^(nF))xba zJGI>?XIpDaK|tw?_4W!`BjJ$G2;ju@I-Nk~+b6m%3vC-nNeU^Jr!(?{Am@UxPh7#d z#WfAI#x$O37==X}(?i)V62kfXPRROqmYpL5wJ+9^&^yU(?^5Wnfd$&RE8f_UHCNh} z4%ztERv5YEROpa_w)`w7ji`BHI;z-jxcYbz=6y7OOb7w0DYQ91wUtSF0l9)}wf1Cl zh)3O;O&nXVD5m%z5Wi^^BFqtUU17tjvYoXSfbJi#(P~EC%4$suK!W1RD(k};sRYlG zvm7VTvzEJlB?bo&EIU5YT5_F4WUxXh7p!aF5b%HKE6Pppd2xLhrnsLcvN(2Oi5|)6wSsdY0$p)jTxSH z8k55pXIh%Pk$L>1+p4hlYFj~#HNFaLN&G;RDj{pvB(dAtdqwXau49&NDXk{?8ywIS zzHa(_*zmDW0#X4!iFgJ6heN0Z_R$guRl%`))4th;u6>QxcwiHz#<&(RFUapYDvD84 z1ufM|D;@|^c%sZNW@Zy+xBmt^)cts@dAfdnx1$lA^q!5=6nGANoIVb{DZx8sTYI&= znP8zz-cicNul!g8gh>!qb>f;YJL5sH`vi(syTW2r(Hk}Ieq#br9Fv7IA?IR)OZd`b z6VI+opva94iOC_|dR)`Sx)X3rAn9glP%zuUy=My(){mdrbkRq^N5um*rQ1(8(edgM z>xPZ%4bcSbU1i~Qljsst0_~Ja)NK84NNg?NeY(8z7j98+=dA4!UorhXIQrOKYM<9| zd^Se+s8_torzM4~tWC+(#2E#rhh3F^odFVzLfCaMDviymr3l6-64#obvh59` z6<_2;02EDSXMait^NsyyNbN=fxh3nB?aI?lk1{~}`l6fD?Dn2kxq^H$TJt&A z6G)-%5ADR$wE*_cKf9+XUIEfpB^z6{9cs6WrCt^(*f6fm))K7IpR5m)4SV6$4vL2b zs?#RzKnuI>qj#acmxQmi7EMJ>a=tKkgmQ7YQ9Hl0V%i}29(vq)>x#Z9NRmjI_`PgX 
zr4gA$E^MRM$(H(=OjS!Xy=I;mnrL>tXIe8>{h}s;u4_QsGjD8?1{n0#zmtFjh|fu0 z$+9#a+V$!7ylu~6fVHwXo{1Y~danX@80IzN{jojFG%eA~JUjUltLZ8EptiCvU3e?a zAdHzowp}LLIS1S0V0(~*?a_S>wg>t3+8%-aaNAGU?(mx_xfC@&11Hw;t25mJw=Z;O zf|e>Mq+fk1snD9}Ys!nEUb@}K3iH-kWqR`Zk&sc|(Eg@)2yaj^lb}(rsL&VZ9hZaY zAO2(Vm6{qQq^eC^2HTG!xr~-H(|R*PmM8JMk+Z6%bz`qcn<);VlRdiD-Hz}3mJId# z+kVCX=I*>3PUGu7sY!kPZzW4t@?|Drb)N^NWNkmA`wJ!xuCEK>FV=5x`xzzZWBmxX zpTk-B?{OBA`X4^#Gz|4aOr<%{HL<@xVj|J>E{d_H1?@AUt70O>FJ5Mh_^=x6#Q6wXsZbo&p*?u0h*zs;R+fQ=$n^6nX?UXav z4QCY1gw8p`7*E3_6FTYaXP7&kbw-g5ci~Cxw6jBXjLbLldk9~S$#Jt!y0;CVQ0JcA z&qmtAY(FC{v$6AycK+FZ9%Ian-ode*f|8B5PCubY=b%KQk^VxxorDrer}Z0horRLE zkmUYDi4@1S0o;C`%A$CjZ`!yTFAAzu7*NALTa~d}@Asf3B&^Q0N2RTiwHS2!_Mv9_ zYf|!(M;vLS{YK_vSFnB2A<}h<(C!kIxqgpf7i zA}g94Ap(Fn;&SbOAs@hs?TeNNZ6c5hUZpuP`br=mJHaE_rRM3NpD~H-gujGsxfP^F|wIXF0oL#hK#EDXp>bZ!BPzQ|larR>cZ-hefG@g`>jJdT%y*Sg5DD zr@Sh}@b&c&OC$L{*^+TyWhD9_8dIqXDC%1C4k4`CN1Fgzsd6Q{{^_8uI##h-OLtrH z6PuEhg~Fan(tv?ftgbk_V}w?7URM;bOmJVpXB#v8FgLYE_c)-UXsRs`xXrXPY7I6n zjO!&XFK{dlh{qCPjWbc_FB0t8pOL%Xpq*;O>@C|U&-ZH_&QKE<`FdM1C#xmZ*A`I8 zXw8yfz2O?3aF)N&bVK zBIjTUb8KyU3Y??m%TX(=uedq6bU8x(X6qWRMb|hjY%DV-~F_kV@p4?k}9HAI0O^y^EM=1A|CC7@6BP2uU2f>2l=(28=BPSOd z$2g!ZMIKdX9CMkdu|>v@RmH~?7$3CcgO+^IlK;uHK0B&())vJk&`m3w^$KDWXvRxshl^no$nTWPez_+*6`?$-`1JvW zukpm*@kOuc_xAW=*Rh4JZW$8TCSK&4TD6c|#x$mE)hkC$piH7At2?ErNmL(Kt~$0< zbwrtJdWq_|WhAyy*r@W<(KStD%TiNIQafd)$rBzdN8K$kO{Te@Qq<84JFWyZx%_lw zjW&suo_aM`>1;V%cDnst$utK_PW#J9ld1NVoA#EFCR2P=sp-fv(+8B8jw`nuQ(Br@ zRywMr^Z_MyDRUcDM*2|0Wz_DBEgdyQp$WrCEF0Y|2u+z{v}AO<7&L)sq+GPO5Hx{o zf2ruB)Tw=I(+~G{jw|{cUGUi{=S*`Z{=&tciH9$>$nyaOp7G0VRB@**-Hc{uJfg63 z)S``Kv$SH)gp9vO7jo_`OBx*3$$8R$eOAGD@rV6wMGj+>Ijz$LP>itEWa7{ zd2f5o{qto^)2wc2VaQ@ibb6eoWh2+b@SiDhnihqGhW_u<0%s4=ijrKp!l}+}FmKR$@oj8M$=zg$1paHah5? 
zVoN*a!gJ*#%*IoV-l%`#s;w%4Os@z&0+kUE{-qSTf5e1N;dp zx%rGqd5p%wG5xP^$Dt!+S;?igLSW%d7A104gs#0!?Hti2q6Kkn#2u$Pwu&w(((<~M z3qp%>MZGM?oetv>qQN`@n<=oDHl%j=hYR6Xcp-RawWE0&DVv(mV(h?1Eqd3SGZhejHxcBn7dvTD_U7?O;%iP5=+f8GMe=xom1MfxuKP?_#i2Vfuz`*srQncY-c z(CZ;RcyYQUIxCb4lKR@ zMson8Fn>*2H!gBOC=ko7lce{>Tg#N?8rhPCst}0Mz|8SAbV4JIqrXY{iASM^sG(E};osVSjKQPh&R=04f*^5X$>4PadnC!q?Burc69Onh&v+`V>?v1Njd9+>=ZAck_{X80*o()xvPUt>&|A{0eGT!5l)afS zqn`i7TC*{B0N?x6TGN}%H#YAKIuU_G!dazp(>RmsvS64U*P(9|L#$vl5^}yVAB$O> zZMD9vh_)pPRwtRC5yI9u-JkjSSVw&D1A#x*vatSwU6$&w(dEL=1_TrZnI9{k!tO)| zRrC(&8zhEz>W!lZdsNpnTVX!G`6ejS>Oa>tMdUf!cC!VguHt3E$RAzkcfuA6mev13 z8fBf`@cE%FaN*ZK+MoWTZ&PF1J$~!Z(d~l4!AGs8Wak0XLn?YfV9Yb}Dp>T0mo)-K z(W2-OQKoL!+t|bgptNG-t-RJ-(-dq%t{{HZ{svCdTlwk}%bI%d1Vnj1kYU!XYicvf zaDJVPvX(_{uGsKFlV&{!*6o&UTA+H9#}?@p?3l-<0$~!*|1_aGxt?=@gEM-SY`=Ao zs15sz90mu&dgvm@lG{2f{Vp+?Ef&T!S-^d1YhDi8tA8}Kn30!WMl=3ukgj=o2h{tX z7kNf2^Z*-hQ6){CkCr}z6f-KE=xI4YnE)iMYMwO(tt_b9=E3{WvgtL`YW(0O-xZ$Q zZ*6NRC9Al^a-onlxph!Z5aGb`tXx>R;|{f#5*{Gx0|H>#Z+_}Ya(7~9#Ib ze@0H=wc&BD*DU9>X2s^z<~Cp+!w`d5%b$z-U;hwfqL339hMdGXA5HUQZ^h7_*kT29 zl?G*IPyQsHL@zhd1FMXQOjm30Uz-0Ysn`2>iG=SAYCEOO6`^ZsG@~WIW5SL4A$kua zd0$70BsvrN&VR!N?`laFP`hnL4Da=9=FfATvI-1Sf#jx$5diGO%29AsxK1!^-oiAF}l{m z)=@<1j;pdr_x>kURy<8j#h7Y}5&oj|3W}$yofuIyk=}6X!SxbjT1O<-NIXS#M0#CB zdiSD~iioz-A%S8-EyPxhL&`ZAtb%xGbwhGp!+1}0!r~|6T14s>5-S%HeYGj0PpnfI zpL&tF&QDR5@HF)Z<0}zj`Prju5ZpZ*B)gC5g9Hvs_{jKLgEjqhear5X^w{G!_~EVc z@tiFy2ASSy!GapO4jci%HfMKCFI&zPcC}!+ao_!TzhdHpP_*W1!RfqU|IbVLR@T-T z_v7$Q#%rrJSm1_IE5Oi_xrH@zsAfQkWt4hKrZ@ zdBoRapXjoMo zU!6UFp|5pxNK(ZnJv*bn`}vG~9;B#e@|=8z|9)lu`!)GYJ`-|9u899%{U7p~O!Xq0 zsfAYaxn8YIuFZ~uM-C*&oIx8Q&EsIc;a37GS|$U&Ek)-Y-+ zHt?0h^1zCMbFsOno2Wpr=C-!|EpSm;v5e)eL`4K0a39%`qiE zi0*9NyT(hTHyn8Tnep`v2O$hf%upSH=TQ6ls|P#O*6su+iTtDX#Czcz+9Rc`KpC80 zZUx8ptB&mLlSU{6f_@$1IkT{%Nk>w(^PG??nLDQvL9fy<$%@fhkspq_^5TahaFaSM z!Qkw*dDWp_2=-W%tkRpPZ@P0~T5~*5DtFdrYaJl98Oo}c;Nh)yRwV4+PR#0U0yaL=qv7?%0>QXJRrb7U?2FUJO+Ii=~EO~%U^U0M-KJ;efP^tRP22#+ 
z`Te$hbT(o~Z<>)GM6gsMc$xQH+Fwn)RS1pLeEwgO?)dgD4_|mM%%z-oN#lQm`dG`R zz1;aPC+%!cA>3w##IUXBgojq{yl~6RDJY894G544bW6~;qF$WfdFolT%(ks*FVl(E z8)&1L#cCQBdP;As4GVpJ@->-~XQ!IW1s)^VL|-)lsL*iV*m|Xn0=*-u?F_M{JOE2> zC$J1s4AfP4jCd)oWZn%S3{&*rXJ&! zOqHlrr9fq(*We&Q$qF`d)Y-@*1RoqeqaB-_FF-tj+0GY)-LYyzN~si_d^osNDZUiz zkdt#^19Wif!|dz@d1P+LBhb8MN4oA)hw~gSVOt}ntdXzJo}WG6QOX91`pViB{IB(- z*#BNGdUV@>$TM^5oRmaoOHeX>1-_53Pg`FM`TFduv*#yz&R?DC*?ZoUucpsWNgzwO zL($BPsg6J8QWzlids*cs>BMZ}AX(_(Wzm`W+FqA%{JayZt)}A|-9Wr1ztd*ZaQ}vu z&Y-_z$XyW;!Jz=o)S7U;fAch{-oNjN_MT5YGq5-iw`@QuiLlx*T7OUTRWo1% zU{jBV3z2uMy5sEr>|R!SiKkk6PEGreGidmEhJ8N=rhN16<+~T;JkN~?XcSvCh3Q5! z^Sb9x0JMKX8lHdCe+VP%B1;S~Calf10iVBLG1DM|k!#!)SrJ~NIbq!nA@p1v(_G4e z^>F*JROk=o2G8-BV3>h)iJa+=2FTVln(20tl?yLu>o9M7F9HZaHnlcuu4`KB4Zdb| zrw^_DsL)^8%|F$Vij`j$;?(~oi3K+C}9c^>opKOrD|+-LtBo~RSLr;?>{BUK*dn)U^H7i@hir7O z7*2PtrwesfLl=EY9@s+NL`n?1%Z;D6j*mqPn&vl6!@-7A2=q#CWJB&LCe8!G`HbA~ z@&$P%R8z4wt*rf;Xr2XV(AX}u#d?EXGo@!@Y15<0D^$rN*&9dfQ~igd2|4<-Q2IZj zUZ|rPxm-K+axNCEs*qde%)Ah!$rq#%UK6J$V2a@P<5i~Z;#^{(KD%S0#->y*lFMFLS7KfLA;vMI zblgPkGD!8+r`gY;S3Y*lW1Sznr&xa)d}3M6I_VVGE2;%4SvN(^%Rr2TSeDle23a`{ zAChKJK1Ik&hGCujg-vaaav-p4FR?e!-zPWHm0-J{9GE;#@dSem!o5cCC@&~BGS>RR z>8#TuNx?EaS{jX3d7Q@Mmp3nHp%^*Qe>=O^V)7KhjH7xFbS~afnCy##O3@?rm-t<5 zC2sHoAKqU+>aNz3B>k?|pYFY@;SblWy5kv(7z|Q8@pb)hX3Br9%tVaWden{HzGCk~ zhuCjD=zj5EaMH*H#=S?*jVuD%dXM{~C*2uFLs<+;c94ZXYX?Ou>K-ft<%WKpo}|FZY?-ErH-!ub7Lp8|K4=Spg|E6H)3RKKRT ziX^*wV#~UcoIE{gu8bwIyQsJXLy(d;FW>!lFoQR8xg;pbcHD|Rr?I%e5EuZ1d7nUcDd*Jt8(ScqXM*^n1)H)B9dTVRw` zNF-QBi&-CaQ!!I0d~K{Y2de1xC=y&$*iqJzPnv(~iMO{hI*lP1jS*S1JXJHbH?jF!a= z9W_Dos@Z`?RAXfD$H#4Gf`E`}`oBj@y?Y+eX78R}H%(_~^4+RXsk0is=~Zh;{qJ8< zx#9J48ViWU%3;OZZz*p((|FF)-wieB<}nS+a%cXLr}1j6*HoI&w#q>2ciISJZOk-X zZ8}2&lmEiWQboMX0gNn@5gXlRm!z1h}e5m${9;sFV$SvU=dh| z$@kvtMm_-d_q&w)gYM0HpfileyE`A^=yE0?>7Py_)5(eApYYc10l!ckd%7hjji7s2+t3uAMrs4gJv|gtw$(pM-V_sN-({2uA1?K+Hnc_rB zA{~DTm%5kXd*r;3J9JV}VWQ-03X$F2-CYdt|MJT(iO2~hF^l-T-mn!gLil2DZ$$on 
z@aiSFKW2p_V^PfXS5<=w;Fch6_59z9*QYK_vf2}*MvKl$KHBzSK70CfM2>h4p&y({ zQ&0|_f{K~0-&GI_LF2$Cwad0Mj6^9Qs2sfD=X^RVbY!90y$O#Bj6gxsi5sGwB=0XyXdUU%c)BfF4gXYYzcQ9vGdDTJ73~nD$^y%7?s_wKtp=1EA#2pho0Xz zBvsM@|GI6+irGb}IOR!JlzN%K4O5MoNr{mqUImXVhZj447NJ2zTWI=O%=GFU$Ov3q!W)f50DJB+@N(zVoE@p<9(V!}5A1L{y z9--cw51NN@-dP}fX46TFmqyZ57+{oQ-&iFj=y^PNtZ)bc$?`VAb6t3*D@ZnP}%cISF zIDJi0kupv!(gH97br&*^h>XZ9O_cF)(XkXsSs?I`&G4#9(;e4mGBg6Qw#|Tw2Y_|a z#YmL9NWPw4D4~0}M4@V~0jA*xNfO$n^7#F#J04us5wz0np^ObUGaXFOLnX4&v9lQ5 z*g9cg^+F;a{pqx8`rb>T&q(qxO@icP^Uwy|83&@1v|#y!Mr_O1FtBXK<}7bXfn=N^ zP0ZVjrg4G_^oZp^NZ7lA=*7=)@$Xr-=cgO1!M|e=^%;3L+MEUg*nbM<3#)cZfk$21jG}QLsE)zz_ z6aYVfFE`qO#v&>qO$^XuwPwy=p}R&#z}5{2kbrUCm934%ZF)=d_~2}1{8*JGbM1Ym z)VwC@J(l9uF$^sRuVw4l$FzbqDcB03NZFDlt945>TDjWPcSLsFVs|jAp{A@A>Z4KZ z(Wv%m7}ZYDsOA?QtI!**b?wm7^|f0ZIZB7@Z9VMEfGU;X+6--5?qVJqu(eIt#WFQ=SF#BV&QBZJj-L8>M(Ck*PS#j7ChIwh&dj zxmW|#%i)M3P_WFfry;HD8JMuA&AJxN*qp*YpDVnbb!jl&!zEG7T){Az3Crh_h{<-v zFK=+O*CD%`r&kFmyE!E zSrW(By#;y@e3Pf>`5l=e#|qhuM|#3GNn$WhWFSbA@Hy9oKNaC&vXEpGUyh=z451mi z^_4RQC#8-C}jYDfd7nf-=upS|p42$a7iDbp^A#r@AQ4Tn6e>FGaFVwie_T zLOfF@^kwM{xuLo2o-ygqX2tx5%a9tj1a8E|>wwKlFhz3@B3JDbJov^0wOm&u)VWoW zGItd!sXjW%raK!oo_DW3HI8{QS`;i#_sRcm{^O6o4!8b$bMuGY;h%o|c8^gyi+;>fywNM2Zk`3 z*44m;g3U9L(|kc>r$A3-S(kW^ur?Y6n}YWJ2>ZE}(7Hmy+giLnF3 zYAR#gqo!D8RetZ{2`(%qohk?-N{x6aOAt2n43PhAg(xOq-nZDNt4r9ub@Y84# zSldM?Q|*YhbbOjmPbpbGoR&Q9cW!={OwJuyo9 zP~*U5$-c1=Us^4VzVD(%q*J!=pfvF~4BRRZ0W!3O`kbs!#%zL~Dyxr+f(3%Lj)RF= z!V2b9IL)wzV9w^^M(xUfq~wi63+rmT%w(U?tx8y^M7cF(EXKeXuk2J_rgEE%w~TM# zYQRuKFQ0ow8bE!NGlgJCV3UhEktxmOOhAE)h-Nh6MN4h0oJLSk1&nntyloO~X}@NF z*{ZQU#Vi-)bT#8fZSN?d(qOj{t`?6ai5DsDj@dL2lV?)%f%3?T~{5mMJR0 z(pY#79S3J8(ih`(!7ltl>*N!WPW?n%?u4p)Ace|tH#{zBf;RvTekI7mixULPr?X;s z%fO_Im${=gW{|w@nY#LvNw{GOt>8m7JXBkw3rLu!9U&{eB^?sA-jPi^0H%3hOK~YK z613rJX=Pj0#pO9d-7=RU+`h)U5GztD0brHD9>Tcaxczg<=2=3Ea3_wz_nx}kGrOuY zP1ATt6SeKmzB}x45wIt<;)8YR%IzVefE-${GfHp+u=$w9u~%XSbSSqeR@qd4oPBq= zP56k7%wMe_4H$C`6k>|b^)}W6Har&Hb&BRzmc+`c 
zgMiu~x`*%34TN9)_4Z7}7a5C2x(v@-l!ysSi@YPX)|rU0Y!x0A7<114Y1}4s^*~Jp zBU-Su(^J`m!KR|n6|taJA>d>a)P$z$Um*n09iWA+Fb`6~-f;;jP!PAUG!(teErX&y zsdj?Nc+O*HQbGw2MFLXL)OVmjukv_7=3Ex^nvKYX zVmN%C1zgFLKyrQ-lQJ!MyW5fKX}=F>@R^j836W)_F2yWoL&FYrZT=>Lsl0`Qz+`OPwdm7-*vi))tJm;_V*xfP`K-gd65;Ikog^*a~CJ*P43 zk#DU8(51#Ot3fA0}eDgsTc=!p%iG89t7v09D--WCMHn^rqE$9<*}*b&LZww94hzA(5^vD)TU|NYFm{LxsW7%&?W{F%oCfi1;JD zASP*4wRwo8n$$iBoLRG!sw0NNtcZs5SDbhbx^xpOsWx;jl7!`0`4^@Cux(IDUjn68 z(B`#m)jw8LNgIpsEdl`2`^UW}ep&OTtvN}i?h{_{x%b>a^2c#(jZ+PUg{+-`v9Y|>FF*?;;uE`YlzI6Z~6uARJt zvlHlSWS}YhVQ#iyOQ?Cq3`-B2v_P&maUjy{+aE z6g`zyZ=cW^5M+q8x=i?yUY4%|SzCQ=oAA}zNdKWE73ok%q+3IU<}r<%EXvO`4dY@^ zt*hA-7_J&sy9=S0`Uuiitx73r@5J($0j54{VXUy67erk->|W583LZhP-tG= zuA(bpuX$t{MT}WRnP2qRT?86Eb6P~RAU|nBq=4k2vY<)g%2MlXAb`ix))Sxg3M1r~ zHC7^LSwgi^W>TgRdiC*Q(Z?U{sLmRL94}EX#V4pcck*-?VKo~GbWyr$yWx0{o6(8$ zo{KQ&y)lihZ)qM&h~=jR$Kqt$mEmo=xr807G_G<{TUJ9LnJrA^h8qU7EX14^JOb?$ zpLmv^xhErvWq37Q#ak)70Dp$yw$=8%Wl6gh(L7YP5-K?| zvnM@w7oVmWzs;r5LFw>`%{UiXruEA6t?lZ}0>w5aS$@MLxONTkKQ?>K- z)aKgFtGCNsBS0rlQ82ZGO_sA8F3K=GXg|=hKx!%r%~#I&)Rx9GE?;26%;UgwpsBJf zXi>^)uzCcBp$9Y-*tLHjw<~(HhEk#aIe03)!$XV69m9*r-9n7W@72k*`aD214_Tr; zFEJz#Uye0zXk4>tdqLs)BPJjjmId=-4mC~aeIzPrt9Gy|_RxYII`8V%@|FJ6^Ex0l zmhtg?{QI7da}y_9J0W;8hcB)T%ve4ll`Mnidwm#kG3Q0WjJudU8DQs&0}~YakERKr zmP7wA_Rbb7^OS!eRowCxZ`S%#2yls=XP8SG&h}6TF&K4}qZ7ekKM8u$t2qWqhDGhx zYKvn>ox6yRSwem)S-v2O@iXqTVSFSM`;t7?PQF^n8zT1guB>`r=Eefn-re1Zym_|K|hAGkJF? 
zW2ew2!Y5DeqN>2htl2%#V3)lTEp^Qn9XT(TAI$q9QaR(9DR2nqT<-?*9Zh(jUF6RY zrP-5oo1BV5{pT25ZF}xZ^&AN%PelR!Kgc5C^zX4mT0hP~ca84w5R2S%9BwSut;a4t zm*gZRBG=fx!x7Mf#NioTsWZ*=gxD}Xz2G9Rtl)zU)mo4`e4>{hgacYwFg#lSStxfz z3pNeVRaKuk%cqb(CkiSM;+~#&6h3#{*Zuqy&C^H!h);KkkZNnQX~J3HzEWuanFAyA z5K4+jY7W3~_Lh4qS$`3JtP69GHd& z@LOPlN1|QY>nw0T*7kkMP50H}Yeno~LZu8%6IIL1P=nA=N+bwR7akm!qd|ulEoqs9 zK;Bam4YA2#-s-&w!i}!W9g<;vgV2x~Be)oE!E@U6}!la(<_)j~T_RcLz7$2lX1Gn%F>@e*vI#%|@9X;IK|H6MS6xwj zkS4$0-&Ir4WB^cumoU`Dfwt|Nc6AXXax%B7RGv;)o+En4Om}F7Tdndt(nU~a;+DjM z+%m9_DsBXPj$}wCWN-H1ff|W;m+H6{Y`+jMUFXUTmaaRc6UDJsY~DC7NARarOuU6Pe@i^ zOgMx&i(*D3pO;BNQzlB8ELykIhg^j2%Qa!|@F0X;vbK5kvIU1u9+?H}^c*yHGv{6& z@7SBy=0srcSfpd=vZS2ym66XMw9cU`*;YzO-qya9UWLQ^UJ-XIJ@{#|0hf(s2T9B_ zmUe_|i>s}b*M`XyU%4?nFXov@VoBJ$B41rNlt8-Y`CKuw7T$!= zw4HPXi4G6N48)%>Ga!3ctK5)&jY@}w%Ih!*)5L`IDqPtGF{4u2Oe;W)^~sXe*eNAT%<9|JWGXNp&`A|qs9S!+jW0dP%QRiRXhEzQEvRHgmpZP> zpSeDYdiZBV|Ae(EV?sMfhE6R+hJVp)URr@N5xGT-Nh94(e~nWRd|Tl-XHiFTtDxPl zNA%{+$x&Z4sXm4ggnw626<}$Fbh`Yf(ig!XgQG=`hIPMLcAlbX#GK0Xh|BA+^y*99 zsz>X^;W5!~10|PcJzeF}hsPuGMvF4~ zT1Kj-=CAfNwD^#S4LZ8_&=7>k^X+#)P1awwIeZL+wd)hQB@^6Hcjl>han7=pP7*av z3LDq-zr0W{gyc}7h8Bb(F^S5Aw%LtP`#T~>$7koqhXt0 z@Yp~FoiEmoZ5xR&p{c8n0f{APN={N<*y?5NykC@vRJ&p;s9IY+<;6B~diW9bbLA^7 zKp8p1Vm)@~D-{hv(v&G}6D}m!+CnBa9F0%zJzhzjisDpQJq-~#)@qnMMU18ewyI~FR^zxjTm^|R;x8|9C#Xgj6!E{*JFspe2&S6XEy6ZSb9WDIqo-y zZpzxZ^xf1IlRQsW9@!dwHO*@hs(q~^<=R~rK&%0J)vF?y&Y&($3Q&Ee?bt!>oF5+? 
zy*eJv?Au^GOX>)C@9*9`SETKa> zR2aU$SkqqYwl2|Naa)BDH#5u4Lp|9rAIOhB@dsuK>)7bBZ;TlpEGYj_%)BJ)UK#ER zx7aQtt>h%%AA;}8MA{>^n$28YU9po4DvH!r%)Yv|rgfDFW;q+$%o}SZ%va zovO!Z=8PT>dnb#UE1$=Utpp1ybS`x^t0Y;tIuBYqLZ_JcH`kVuEax{oVbeB6;EbnJ zFS&=GGDH`lsVeecslQxw?n=OLK2Bd>LR}`X7vEdZQ3Gi$xH%jSL8Y|$PsKCG$rkyZ z>F*0DG?haY^qH_#aA0oTD+)&y)A{S(I|_p0Kk<63z~KxM5WNT01S2PTdTsV^&S-lyZ~b<-*ABQh^)Gs9nL(kf&e`7# znb6K2zA!%+!0b9W_K!UC0MY&)G?&Xr@-Tu6O)JzkB_|h$7bjJ_$Q}Ks101MZ1>{wB zkyV!|%;sTu)o4bugR+<%aS6Gh!WopMo?Z+F7J|~&2*MSjTQ{nMarn1`GeS#+y+T*v zxF=`e=6HdTS-oed``u%H2EzN8-NU-iSL|3Fns-{ZpCdfd5^OICbCA7om ztm^-~O;UEN$HYy4@@K79ggn5>U-pBm(=F9vHM$~KK=a-@HU3jL+2cQ@HBBi_^?yp5 zAo@-pLd{o2fB5Js-ONDUGMrj{Nhv$Ly=bauR^&95YTc^#k_~O-+#s7pl(pLT9y|sn zDN~Tr#gZg1DeAO9KrMqY9Wt~p)h2B9&Ry6O*bZf8p9 z@>c$h*ks<|Mro|ro5dp2>B27$&j^;-{p#5+aB`nNdA8fS_#Zaz zq_-yNgIX8w&Cc}qEw1m+af%9Ee zObzB&IxLQoqtlD4mj~Y*zXZIYcT0;#vY7Go&VG;Kr*_r(>Rh%o)M%I1%ylU_eST4~ z)Gb-$R%=k|mb&|jPU&PN2Humt(@Tq45mFUWpd>^-dY`(vmI;%OWR6lZM{IOij`|y- zx*3amJJ$taw3~6s`$S-FV0*)}sPluwCs*WO5q>6RNXD4@uKTDv>s|`qp`OQG$$ZvS zL?(>FHFou@>sRPs%dzsRcCRYGW&CKUc7~N1jav5i!{w59uka0|U%40Y1PJ}SLv5FO z@bLQdRcElBBep_o&m-7w2eEdy+7bMH9lg8Xk{wwY?6uiCn>%G?xVQX) zTfPU)F&(rbLoJ-6I24pt-dTFzRK$$t&Xgn<>bKROs1gy=8kP50J0nTds)*FD&Y=@4 ztai7@!V+_u>Ee&ExJ_?q9=Fu%3kq|GjXQl?E+G7dt$bSp!6x0iwoHyuZ3E#0d2~1&|B>b9@ ziG=Ep?Xe^#i*U}QV)-MQs!`#G-0qUBH3`wf8Y2Tr?Nu#A`Y@Xk47w(WaU@4t&~X?7 zjC_@Eo>{243_5{~BRn(_P%^v4!4x0iI~%!z)=?pBMH;rDg;}Awov-)YH=Fx-8&|tpp4G8jCgsLOofE zN>eA1#R|Awo<$&3J6Gr4qiC?cj?2{hMjw1a?n6d2Ck_rp)YNhD9EoN;>N>x6pjaVT zLo_?VF7|e)59d*iS-fRCsohO?YS513>XkBdf1owcQ3k&|{N*D|ub zU2cj1oOLg- zZCrSb)9wYgg)0xOXGnUm=}XhPQ!Uai(|i4?O7LE6sJ*0gIMUsgq!3W%#SzaDd8IGB zo|}g%9$1Q`ENqzSoo`NjU}C1&3}zcJAl+@+d)oR+48MeR*Zvno-%3n<>M*t1l`$;ne|O<&X=u;YRp~5L!PkbrpoP$CWq0|y1kS+_jgJQqn)fJ>0sIb!^!l@0MI3HF zaskC#Q5zFJYJ7xo0gm^vcpFVqfkm|CHrAExQFM;z+X}c&&vz#GEQGyy$Gg?lCEoqe zx0YlD$r^^il8k0-PJ8oN>UpkK=1jAfw>d8gh8YxDK9@vH`j!DD6|3UlX0J!NJ$&w5 zG;?C6axc`Lc|rcDvjh=4=_~vY&tuDK&=j%1!L|E9Xz5=SRPmS=mAx6|Ud2Aiy=xen 
z=YATQ22G67uJl@^Hcia7VSD-tS8bXYqh09-^8w6{OE81Xk-b26X<}fldO_^g#Q55k zUZ7hvF~K&?Wtc%W&fXfSc1;Y40{CnH`S;SqcN~kw9#jEYU9<7LZA+>*;@D zaDIIzc&Dq?c+EV&H^c1MWSg0#N9|nm*tAiaUv^$S37>PFU`dfvCVSc$HW9!m%F1mG zY&2(ckuSC_K=otKi_MKjL)!v=JSy{?rA4y%z?`|oUuY#+|EVsh%|447GRuSY<{u|E zTe#eI>KOHwr8ne;=B+;VP0yW~>zLngDOw|bnjV@iUiUg01mhs@MA)mn?=Z>QLSASV z0rl>pEV8oDcUAAD)TGYjNV2DM+saG5K`Qxbuie#j`N?Qeusq!-|GW8*KmI!0`tQxn zA9ja-`tgsO{}{nP{;>7mTfdq={^+v#z?p0q0rXgs}?vpokP(%s{JeZsp&G$2T>%-w73-4EWiP!rb}3Y z0BHd0x`hy30%#wW!M$G>Hd@A9iSc*XW2UR0fH#d+FPLEgars$jA-}Q(9YREwLLnN;N$!+z0p*> zh5*HO3jGF3Gp_T4y$?FY-eo+8&3?fmk;ZpXTrI(HEEAZ+f>kVWiC`eQmnJ;s#lm`o z>9Xz=&sV>NIgoD63C*%x&}hb_H}dXEf9}y~Mr;6bQcih_LIFTlTw<~yxhQB6yn~jf z=^eXF$9jcpC@^p%|@#bYx@GP;| zX`RHm0j6(B-#S7))jP%PUzm0~qr9E?ZrU-hw7^nqxw?omnp2DZNX+L{ZlMu|(5T}U z()laZy_nO)VZrl#x$ovISW44Y+i5k^IW#BYHZ`?ku-y6rZI_*$!mse)qOEl${tC5RpT!DBT@CA^P7l;@S+OleJ63# znqF^d8fH1YQvvkd+I=AhI878;X_v=L_NdxM88059RCGvrV>~)58?=(s&U-c=hh-bv z$j5P&hMm(`Nb*f0qHA)*fNB32g^%-b{4izY9*dCu3lt&C$L(_Vr&NM$PNzM#BQ&>4 z2RNJf3aHdW6`8J_w)L5~9Ts9(N;c%JzHdPjzGe$>1Pq?C?og5a3IR%9c(0g^^KXvc z$S%E+$5!vKBHD>qHrvtA?@o*!7(H{5@vO6Nnbw%8b3zajE641^}*2e@I|~fDpkDv0HA6a zE)BX}T=hs7IhmkT5wn(iAAoFCyJq&KnDW$62cfOp6Utlj(LVA)pFAHV zWpbR-anf#St!`-Bg*;E_lrZ>XC+1T9mt0)D1WQVpc9-PUf$y6B+K5sl3im&&Na%VM zXYl$Ep2lhlOjh#8=@y;N>ePncptI4Kk;@s6uFpKXw>e9p7p563~`RWM$Ikgtk;#@gDXE{QiB+Pr(bcK|tyaLb#8wZHtSTrum8qQ*=y z9`6w|?ni^S!VHNNUycFqT&`8|;T@6R?ewo275*?)N$y&Uq;CbN?uhQdNbT^Tj-aUQ zhl<7S;dUDqcO4vU-6IoaYmD`Zxak0}4|*Bn^B%5beEM9>80{Q_*REWV)fndhh<)y2 zxNiesKJbl<&%L6U`^7Hz2?7WU00@pw?vqTjH70pE&Nu*KLnLx%ba4P!s|e^7Qyfg_ z!eR@$qlN<_4<0O-AS}|fXMCxP9Bt=r`jk*GO{0th z;sI=$7>88I0P1Vc-@(}liE;*!!!(g2(vZ(aqq`NV<`xZ4M~i~Zv!Z>MJR0#nc_ZF~ z7zAeJoTfu{g29aE-Kwn^s9z!@qR%Q`t)TgXkTxt|ACe@Ex?A}HZ6yHj4){Utpmypb zkp*E#U#wb>U~y#*xW|6@%AGFCfsFPUL~l9>)ofKLsL>=5x3Y7X{zb0VUCmF2laCph z^E?;1w&wWLXoU%$CrVCaIf_QP_D{HAh2A2t{R%;7ih)L5x&q@E3ez{X;xU`i8!pNm zAs2!S^iKnIS1v?*dT*ndE+M$VVpBG(ncWQmO6FJ?#oUm+F?h#zzOhR~`)|!RTHAlZqs7Tlf1d&D 
zXKo*9{RPx}@(q<8WbhSD=@gX=n-^!_yxLMb1++&eM|BId&u!rcPVXPqSVKXt+jptw zdqBejL~fekO_S}b%frmd#^Me`}Mw-GpvIV8s{OTCSx|Bu~!f2%&ZPvr5+1(Ta6Yc$L3pMM(d zj=or{Qr8(%TuqERCxMm1ekvIzHKb`wZn!LI!hePq9GsRgjZ+$vIV*A=$ z;w~GdtXSib`i%J{r?(^I9ZSh_?K%c*q}iF~znXc>%5lP@9X_A#Bw{MAikzl0qd7~9 ztEaoW??zcVT~k}$PV#^EMqiC~hr4TY%5_aOxxY3fY)*NyPkyH9Oma5+>s0-%KE0+j z?Di+uI8VyxnzO$~Tt=eOHZSle*LF@tKAPm5#dDheHD~dR7L_il!6f%O@Lb4*-i&56 z{&~jPO~a7>U%{t~T=-w%$zK&GU9j|)CQ3|zvZL6%^1~Xw(+FKN#CC1i#KqUpzouoN z3@!e=mgQPsCvPP98i7_^QS(F8Gn|Wr?Wq4Fn=#8+3U`4>i2^jTYWWx~%{vO5l6coi zDcP|GrF!oJ4H}BcP>MMlZfY&YRxZFrDwCNBcQZrEWcEg~gDgA9=OVYS-6!{LI2wCb zfHe#BlqM)b%A&2NhSFm}Opp{~s_$~I;--NJhIihp=vq zTe;8ae1CuM$>&eMc=qL2f7;#M-B)dPIGqonF|3yrS>CSG)KQ`4_~cDFS+KDjBY8@yFDGT-Wjr-m6ho+BYbF z9^5b`<-93)!hfd7Up?Es3v4WI8wMVC5+iRF;g5=huyAi>Qy|o>!%7?&iBvDe zoW6VG#8k7f8t33CAV3zEMNSJgUG$rSb!oU2`E?>_EKw;bl7xXy(tKoR-F#rpy}Zz` z)K=50C=#{z-hd>nj)>x)nUrU_7{f7FV|igB&A{)J?9hzw%ot6yo;wqHu}?nV-Q8VV zOZW}DM}IN+CM@43Y&0E_fs*8}2cz(v1BqFlL~*!78llibZxC*vUr};Ia3F+Lc;ZZiAzfcV_L`^^?w74{+qqg(-G7# zw#aM5KlqxJIWHE6O3ZwR6ltygQf;3yJ&z6aUXOi?WMlVCoy| z1X&$iE}Icp?>j{QoMvmdnuq3ZbLFm+W5uDkhSHkH)xsM%nTX}uI{6Mg&uCs*7vyma z0QBDTSR8$YvAmE&Hy&Iz_|O>=9acnEW{@)3(M@DI#s&%kpJ1&1D9Q`6PBxAA^OkOm z@L#FjogFSp{YMiCMOMX*Zq2X^UjbVH z9OaqML#UJEzka&+)gHMN#;;8m3R36pojxarh77KerPU$&%;-NdyViQdYi8)LFrnE# zUN9#U82&b)Mmo~Jlf!fHSg{e~5K89M9NN_f;wjeGn>1XJ$eEBko@S)dWm%4}oR^jo zkha(>ci-e>p~*hko2z3T&6rWG zs&z{w5_R2LMmf#cB{F$xDJ2|PfXLG+l1)ud;jE~&)x^}%(rdPe5<#!mfOwj1qBhDp zsqPi;ZEbt4t$W!cGZ7=dJ`=JyNH~?urav|Z)iKx`67Mpvu}AKCwoe9oqbH-!N8o3* zuCsgtat*7Yn2o`F0pC-rt+>N6D?p8DR&YNR{sdVK2oQ_Umw>7kemX==K{AnGIAC+U=@@8CDhIz%THipa_JS7wR6*6qRVkeuag!r!Tm zYT>mdd58yXsFOR65)nbk+;ziOL4Y_$@`Aog{gd6We1T4bhCS9!vzI!fm-bl)ZyW6q zZ;GcGT#+$Vl+sY>k1NB zO-sI3Ms*ftr4oF1=lCb;T=vP{ldoQJ^-8-`1vOV!_^F7QVI39jGZ7OC z%pvH)0>m@#mQO{@hUitoMY^-LzNX$>Xg3qf09}ei=Z(ATH?3}@vh8=&#a@8>Rbf8? 
z9EbZ;UoMITo=kYki$%i_$R@j?NeOp0m6pbA-D7A79AsC8lbv;{KM%vDX~Bo)jT*4| zw`17jnCtjV^#ifeoP3bMIvta`)OOS-oQ#cJ8xVz)loytRa=6rzBTdPLzJP3Jb%RzJ zFX_nBoaq7&5O_dn9HRlZo*o+cH%PSL36g6yxWN3c*T1$;eqF0bVDC^zsipOwO1e<^ zn9})JB!BwTj^QhY&~#tnQWnsI=2NS69qK%Z`Pay;nb%RmSy~Kv{B`XOk_h`2dksZC z{rbN2JJg9xzt+6??g;+3uef2;uFPbS zGddrZd1Bh_J^2z^?(G9RZTKidJgP_=-mQupKy3hi?ljd;i+swid)3G6EF4wS*i8xFspUZxNlgn5MgU z`)gLP^Vd~p&(R3pM)}BuOc`Al#!juT6S&T;hdxh-c=@W9nsYWzr4-Q&;v7$3;T;W# zTv|(jda+)tpWv;4l zjXFMnUKy-^&*>ECxQwn+jjsG5|rqg4c#$wsxqd)#v0aC^R$lJ)Gw<1CcJbEYFH;wb82%8dii^i&nVcq zcs&2G>rm@W$A^m~~KR4*y(R$N!#DDQ`s{Ls*DNr3;J%RJO*w>eW}2G%NBZ+L%k!-sJvgifv%GyNV9=u2~!j4#on=~1lG_V z5;9)+YJIH@Q)6Z#!~n|U@X%;lJ-KT{qhqKrXt1mbs90E81sv>gTrH>sSS$QVFl++1-qR_Re^xuE?hV=usAH`kWpC-_iBzY zJl^?#9nZcj$Af(`&`FE+*Y(Hu?fCaw#y;5ABl>)#qjTZnhM+>7st^}uAxdED73wJ& zmplRMo^Be^Bw?|)+e~VX1K5e`15Za*(L53AidLuxW6q|*xbO4>7+d!FL0m7OkoT>0 zh{kve)d#k*YQLptroI6v1WxGtEiZ3LZ#l1Zf6oQ8jZ|9jU4*t zYqt1{d8u=@DAeq`cZB>IdHEc^hKiuSAG~_`7lqdEY!Az~9iM&&8VARO8FTlyY@zeq ztXKTTjP-k%8bbj**NPW`Z(m)r1#0&y*}^Lswva$ySF=axY!r~6)Fg(}iD|Ss)GR8H zYquTN46E<-43M8i!YQ&wnunEEkQ zVv6S~ii!drF(B;blSBK-HB<~}YyV50UQ2J+dAfSv!2>)s@KC_rykp%O|v!}bewPt8jwdk=6 za(HoqqVd7ciqHF&Ey#Bupf4>-!)B60B~P;gxyb@4;fu5n$oLExakOb!*SBfv8)A|9eQz<^%g4DHU&BICIM=_=34al+;7!sY@b z&CfdK5ikMBsG>qK)d+@J&eMozaN1+GWS%x7P@{=*7R!hDNIPNDsZ-hrQ>BTfFMgWE zCHev_wAEs`+i(WwX`%C=?zSDTs%qX?c_Q`K>hJBfes8bsdov+Tk5cA4P?A61!T1l$ z!oTDb7A>NLk-rIXEl1=S6>W;;Mb&vk##GL%I!@#$J<*i>?eg->=t0*K0|?+)7CjTP zxG1P|NMP?+@E!(MuG|p)NwgCHU^G>4x5_#eACcXf_;| z<8i{!HzA`bOZ4w%TSke9uJtb(DX9K(UQ)E6n$Xp)UFtd>nNVAiPpv*p+sP}=uIp7m zYu=y6Il_Adfq~k}=f@MH3Dj??8<~xBW)&mGM5yg)OYh4(u`}`1DN6E~#<#|p2<=b$#W|Y- zTAgm9x(S?z^1YUxCM++sk2Er6!)Qj+6dZHc*X&o!MzAmZZQxo}v5W?G^J^8;@LL6+ z@Mh1vS|^Mv9^E2MHy6UZBGTvIQ6_~DskF96B>#*}@ zGX}ucU+}c+U(GG;9eVwX9eBstx9w{Cz*LFa@RsYuU&@I{V#R-KY*aUiwn5;zz)FTk z3hkIM&_84D==p1`D;{`DoH@R91&Yjp>{?AUFpC@{($m+M$NS_G-FqD{xF29$fT`9s z8Lc6MEaQGjkTlyu@ybgp?|ms_xyAoB48tnsQ>};B;;UP6cMqBqV#EkBXG7b}-G_>j z?UP?UR_e3!gYU2Y@5Sp=6VOr0Ld=``sloe|4Jh5+b 
zhKIv{=We0Oy@Nl4%Rti*?Y-mG|HimkYh2zbm@NE}5@haS?>2%Tj;UnNp7#IBaQy6P z`-#dEY}`aJmoq^ROcn2S;}fq zt#h_CO?e7(95^ncD+J(Vna06yiI__Bo0xi$kc3!Pb*ZQRWzEufeHXPvP=TK~O%?@& zP^*s7j78U16OmtGmMLkafkaHP2~;{#_>!0xKm)!?O}K02==hmr*4HhCKB)RMYOSz# zF>%&Ir}WUPCaeiup>z$LrxcTEQd^;#b5bS=!NfCULL=3`%oCvVisq_~n~PhiX)wm3 z7$0c#7Xh|Hu4#czu#FVEy0!FO< zPvrb(0~)AVSWn==ue27$a39sKG~*+$J34dVcNm>tafoMgvt{v>$fq>b(en03bR$)a zX7z=2Zd@lXj}FcrYL{8k@xofSb%k$;0)zT$eBuh^p}jw**{Be6DDTVD8=CMKT?W;9 zt6!}&TZ{WzUtVnQ7o;&)cu`kQw*6v_9s(+sh~cGCi<^AQMo+Ge$JLA_nPMf2EU9o# zI95LlNMXp{CtlHB)XST>j`Sq&Lr>Qgw4s954~ptx)b$1d2LBBXqHn8iNN=Gmud}jZ z()A@DC~ey?p~4D&4d+IwXrtFtU7PT&YCKd6_jaWh)H->K(B9hUcH}6Cm>>XH`L|V* z9B2rwLfq)bwL7rcO7;up&tHdYE?#q{shZf=&h?KF^1}~EdgYHldded5H5tqo zuu59~H;O}un*5qP`}~=HQA&0tWn#c;rdFM%t0Ix)Yi~`U*!q>c=GoN^%lTwc`*qCI z_$p4-$4ef6{eR@PD8E+JMQ+E@*YkzQr|KUVS5`S37q2cG4o7XjZwGC5IWHb&pDRFX z>i_m1ZbK???HjV&18<=IHK=>v4a{HKWXxk0QRC7ci6k-g>AYxo#Fs6|2{AWt@4}9i zI%H3$N5yoAZO+8}0pR^rYqm z+m$L|DN?E$Dpe1Da*n0ob-YfNqNT9M7fT(!*ah#^rqm4J(0t9a%S3*Mr&L#!Q0E)2 z%4?nxb++LUn`;@u+{!Vey9T!@xeUo(fq1^&KtYt}JYg6_YKcKDlZy^yu4HF1BYi2R zBw;r!vCgO>WkgK&$9BrrXtt7gBr2gMWIXwGz1Syvw(dRt4$m2ItoBTFJCJ-;Gh z>D&jvX~eo@uj^xH?v_l%m8$A9k;M8dKmeG3Qpl#RlKWN*anAwPDV;MQZju$4lG|vU zc8YoC>s1`5Z&JSK(Wu?9O}M@RjWZ{a#Mm&fxA^8Qx-yo9KR%ok zSL@`-q-ricBlD;>e z=VGo1sk{JJf-+}sfuVpwRj35qoR#rN(`DoxSC>envJVdY0;#a2W=x#}$YhH;Fl{uP zs8M^#bI4SHhqR!v4#B}r74Wcz7r=1ZWD0tt82=Xc}g zAR@|wP8o@FkwH}}b+R(5`srIE73BQla_9NU>9$EhqT^X-;+7=Bd=dvnZYeLM@jcI( zNlW}+?hDl=XvF(7$s)2TdGw!KE%bi)r)=`; zr#ij9z5^AV1wKVL*UlkG1PmWwL5Y0I!7lBI6)xao&6;G;x@LO0TiDTk?;>*}K`TfT zOwX)iphCPuZCd(A&*WoT`!*kxMigU?H!pq`ik`S?W4dRhpU)+MmIQ*JK?wFQ z0^H)eBBvGa5ds-V3SHfZ|ICo3Hw&{2)WqXz=twGEfFba`70dq$E;WE5^@N}hj?^^o z&5~BX)5Vj9^IQ(H&we?!i_3Z;#orOr^~iIr;<=8~I1@b8*}2l#X919dsQBX`9QFFm z`OAGW(8?OP9%n)pkO~0uc7mKDu`I8H7^_L1%tS z30QbdL@?ijjhYx)5eVc zD_L5aTL@h;cC9-|e>ggXP#ZCho z#>gE=bMz_dLvK8fu)9(m3nGN(SpT}d6vA};SELd5I%h5W!Qw1@N35;8EYr0l_-;nv zY-#>5t*r;jsjYA(l9=dJ^*Bm(^3~~40E{Qp-?%J9zR*L^`MVDw*jqA)Nmdf_Tog-E-%ln 
z{`UIfa-R%z@+tG}^W)Q_icJ_?wUg(Wyjra>#mO(bb(zl4b&lEfsUQl(iYP9bQtz_7md{ z$+Ejf!&q$CiO36Az}BVE-B1_(MnGS%PmUKr_FO83H13Vw8++nQi(IIQA6`__pys=d|gFLSHm`7Sy&quBs%u; zTHC?8>XkJBnno&Q!Ck^SCMzyL5Om*u~a_avI+!I`EJROTNjY*Ny$%IGh z2hgecejSyx^2AtxPjnVtf4g>lO_ar5KX>>-|m&rQ|F^vO6mz;x=UKm`wX#9VoyErYI4t|v$4KT{tBk7>aj6yHq|l>B2@>p zx~J{_(LnumM{TDS^Mrf7q0ZR`i9b?dOd62vV zoEJtW(`88DyC}d-eV<3wJ1hJtppINgcUHr@zD_plV6NMbT0oEk zbK?I>Y#A#Xh{=#<&MrFeEw0ASIyp9h5%AaQRn-j$;$9~PHSY+d3ffmVNDG$6mA1$4 zGPUouyR_~wB)>p*8cbYeGG6VIlXP3#toO+e2HcOoSpv9vd?rb0+y60}zrW>ZVG4Rf z&*5;}q@py{FlwjRs45I(!;(G3m>R9r3$2Gt2yzF5 zIM36V-|)Dk2__Ua+Zs=}@xEpz;lD{cY;Az36tG=gW7XBw5FkS>1^gMM4q#aSVn7^^ z{@=*_Tc6}MoPE$UCRG~MVn)84`{jVW=QLVP5ji?-WnPHGHDGupo&$v8a^EBQk=9;-Me%I?* zxRAys!z*AtZOA2JvyEhaz`IWFkDNZ0G;l>#)W?v6}87Y!8suGsp2INqXeQRy zo{T{Hc~MQkqT{q|=`Tf<;ZpOEp_O59&#HlF9gYj-Iy${T#gAY2OS_`M1&@ddnB*t~ zTO)ZBjSTC6)k}W)h46_Tuqn1I8}l^wnU=41w@H>TDjB*!F)wP>i^Ik2 zo=nG*z?J^??b|i7tZ~Jg-K&$h>%GyH5%sHy`+LpHuCj(Dnj|YCnho?{8xhT}QdV3+ z0FGXhum8xh4buYC#*BHo<8C%sx_Hn;70l9D&)FE=H)b?&eI^2?CqG@Y`g1&2~M zdbx>-2U0s(y;I#-8sk3+OC-}RU+4mK=4iY*2UFV(m%Q*!yOvt?B2|<5frIV7-iF$I zE6Lzg#87ra~e0BEv{POG1Hhrqno1D~01ymOUR`iG6A4jPk z)Nccq<1XN6ZY>Y>M=X8^4$pPdsdz!>tyd zXTNQ1RSx%OZpizquB@SV;w#(07UUa{=1ovLpJ%U+Abo8OIiMlzzdi{W&@3BORlcg# z*DL#D*X`wQK#5a;IZq+& zDrtFqhz~hyZ#_RYJKy{1DgXJg`oZ65m;d%Yf4a9h-0=B6 zDDx*gVT$g5Jy&RnW^AAQVFxJI&L7r}-(`jj`9^NoE2A~tZm5krb+SElzd{V<=n%RA zg*IeLwX|+gzmg&^(}+C#9RA7Y7v*Ha-;u%40aJ%=h%|5K4{J`2bZY!HNU#Y31s zK7--!e;vN6-Z(8L5K8sZwqvcl?LELO=V>t^ga0Fk|3?mL(D1u`_Svd`SN5N`u4b=2dwUm8svfg$C4z}2&8!fgv|ev$>N?kfGyC4 ziovi@UuwmP8q0&=r2=T>;W&U`ILxNu$e}KG4x*y22Ocv_(f}2mJO{7LML)y_$ZA`CO#hnP~Nd@OPZej3x7toFTsk zGQrZu&?H1FfR=x+)`J{4O%b0EksG>lkY$FnSe4V9PT8oSQ`KQvAiFVkD^E~yU4E@! 
z8QuqeB|nv-U^Pi;`3o338xO||{D{H2w&IcHV+K|>oTx@eA^uM1$?676GMig2Yt`>s zusVi^jkB>*-O>skP*5d54WZ2 z&hhu(VK0TamO4dU&NgIIz9=*$KzhVNT8#(fF@a>C1u+Ftk-^R0fDF)@J!rU4ecjGh*M+-Py<5!Z{7ZrGG-mJYPlK2ibU+4G z`_-WBTG`BL8XqLtjGmTr@^p8L{7S~pp0YHuJ2vE+IcG(gqvoDwSuV1igBWC84KPFH zm_{uqhM!%R`rUd+GYb9@oXOF_*@`dL<~J+{7nPim!C$_H3}3_DL2Xf# zaH}C2p<&CJV|?s2eyNW2?nQ3`Q$c>`N0*ms#d@=M1xw-6?_+^85npJ7r}n~Xp+rk< z@3rXYkY*>fYPp~FTy76_wJ-c0kbT5uUV<;yH)T9!t%Sd!^}`^16|SG`Jpisl(A=^x zT`1-g>z~Xekp-ILI>{547tplwt)Cih!X|pAgwWN5BV?$u%+L){zp&v{0Yf)^PikHL zsfe6xwob>*UrnaSOQtpf?3#O{q5b@R6}G3g`r|UASY)IJ4$pL#e|6k_Y(@M>divUb zG7PFQ& zffnw>&k!Q<@~DIGYmn7}G_|Rv8QR)XQ>vsQk^7Ca^*`P=U4S(cw@}>6{e3vD#xvmM_q{Z(e9q5R-2uwwTQCrs-B;0D^;D$iLKM~1eoLOMt|;ID)^)H=2E%jp z{}n=1`OL^dsm;H!9eBwq6l{}0y%@{j$4cIkM)Fa`gl+0b$uonE8^5yTnhEC6=_Cu0 z(@h8 zn;qF!Cjn=1Rj-v>epQE+XR>`()yR&8p z|5$f^qJGA^XcIc&Hhif9gEHA-NqH2L!WQK!>*J2Xs6{cQjA+qiX;kQ*jO-Sd17x)PyXl4@zwK_m&d0EuZ}N57IhWq!73~UtaL41;POCWbY}<4XzSW` zb;!Sxe+r(G!S>(|L#~#&SsLWUwafZdOfZ zS;<10gfP{8#TS<~E@}P4flNb{=nuVwjZ2q#*r8j^Q>|8e^t!8LG<0>oA1|qoc}b}| z>aJIm+XeLt>dwU9g1k5BcZ2&^BK&Sv4@>q}!~OJ#{)(|wYMPm`R12LoToBb>%a=p@ zH><_f+>KNzxz_O2TECT_{dc+F?Do9d?dDMx{oNIAwKaXccCXD6vf1QgTW!5XM!`l6 zr^VHoXh4T=NV$H8=>04g0(}0gbX*IXZvs`lij~-{;kZ#Xj?a&`?8q6UdMzg$s@zcx z`G~4tjcOK)Mo!mLt=x^(sFwG8WHmk(tI;TJ*wyt)3#^b>!^9U0Fj#1=_IOa4xfOKi zC2GoMHVo?Zi>sH%-z}qN<&c(P^%dOPk*=$2{q~yz3(?>$jhE^}lHYzac|P2*9zY4O zq{IGKUCzk4=zt$pWf+cRK9SZCC4g|%UC=- zKRLVXyUYgIJqEN~g>iXsP%-A};`sc#`EQPRl`1fd2)Pu zd7oj|Kl3QN{5!}lb{DkBE$zM?C}TKi~dVjotDR&DmM{>=QN zdFyw~&btMED1QFY3ifCPd$fW*91jff3spVO&FIDRtBd2qH|Hmpf4@37dUbMo_2%OE ze5<|T(aFWZH!qK`PEJoQPYzz{j)&*Rz#VTb&+h#Ae*mspit5yS2ONTzbNF!Vw$L3vs-lU>wr_;K~ zWi!C$EBWlTHRe6a6#v>X#e1;#ub#dxLwaYX-LKyI$guy871}WyjzQO7xi@oeM*FYCn4390EK|M;>LWw`$dErW05A$MPZ|bbe`~u>sxEf!eM8*YA)sYWvzE{^xK$zi%=+9l%)vBtfoMyu z{n$CYt4*XFH1+T1!NBj>9>>-q1^r$l0e@)=h;~c$8IaeQ<=f;luZZ3kVY%=ysn<0^@VPmo@?|TCTD>^^wjL4pXoypwi{jR_p*}9 z8}VUg+vOom-oG14wO(ICmy5%*CHmGlCPT*Vj$I#|frd5z8W3(8!0*c*@po`xS(@3$ 
zSJ0F9E2^v*%8JlH^8N!l$nPs%z|sjf%uN&5_DfLKgYP_s{o$q&Jjm`jhfU*no)wED zogV-Cx>t9<@d;PQHV$+`{eTQZ1qPo5ubH`4+^cV zhU}SpKE49E`758IV)EZlmAv|UpW^yGlw#SQ)&HNpKW}f_))q$b^S3?)UOD^N?$4Ag zPs!2mwD-79+WOrY{Mt!-&Xe04QzRszrU;e*?YMF7XTJ{?27)9wNOGLE+uYAiEfT}R zwAR8JCBbt}+v)3zx5qDEemHyi?#I*D7tPZZ=&MfSjJ0Lhtj>U~Q}3YeTJWU22F@Mv z>h0P6oZ(JAyH^ydI1Xg#D3-y#x9z(w=rwzBgG4QP!HWa`PJWcxBgT&`^DVS(z_vM=( zE0zGA+KuSUjSOYGPE^>j=_XXGT0ejD^XbLuo7bnWe_X8#>+(=#PV2(e;rRMzjY6DU zDu~i5ZW#r{Q}Q2|oou5gxw>n#>)>HK0at~ouet-kp45fU1At^m{v4i?gv>%lR+QXg zbi1wM7rE^M-=ch4ZH)wC^J-djSqiiau!?8}KT=U-yLF?n%6Qz~Y)7qS^WJz;-AtWFTs07= z7zaoKICkHlWc`{uoUB>NAJAB*Y~oUBrQ=n;atDwH!q7fX-Yo?zo@Kxwo}^;hP}LH( z1^eH^zdOJ4+XSP2avk(bhru=tFcr9zNS{PLF_-K>{CI7z|CSRFHNQ}|voL7eG7V5E z+twQ?<37jJEMl0;5pSTF@;QlTz2Zuj=b^#)fyA%yf~L3S3p-YFZ#`2B9FlA?MzVCL z78&^iza$G{Z({wbC~I!5T~_Sdo7zB%J~;}ytpU15Y;x%$+ncHkygZriX=rO{sev!2 z>ulF^u1@SdS=A2wzogE%#S`DH!tBu6+Ur!))P3&IMt7#FrnIG%HAn1h<~~Q;606mv zjBRac%`w+BwDPDsXnggMa$;TKdkZ?pB2!Uj6w0lLM-i}BG*pGG7hjee*11cQl>UYT z?r_j649yf97eayLwOzMK-ABMkbL#;k#dbxF`unL<=GCI~uIpOQZIQLmqwdbLxEm-; z!<@2$`dRFY&E5tuM};(O{+ieHUHa^`Tv3_ zV;rX`jW8Ghb?T!z|KINDXz#F;|8M_j^qBweK_17Q2hwE+DHcprL2nKpjB+R3c6`kk zexWeHIgKz}3$92Uj?szSIpS?EPxCoOP06`?3(S4N*9hDo^W|H@?eb+OQpxabncjh0 z!et`KsdI0=sF6h-R0JqXaGd#}=~Wd24a~o-C4hO7NF$%g^DM%wP^^hfZDHo5$#p84 z9Ip=NIsl0NJ>(|@(w(s}df)H=iZ)QcFP4D>0tG?F=zyje9iN?|nJCz^<+SL1KhRP- z*55&W$#5{p7j=!(2^5)OF1~^Dw)i6=jQ4*nndlYvOvC&a@q4~!c2PBEup(b_meKoi zm-4R%JpZfX|A|GxD_aUg`B8jw%T5cld*M4+?0~&|j zTXoj9)PwuGc~8_aviyir&pZy4pzXixXx~;cMdL2Q{x5UbwGSpxAN#C@yT`H*yk@(t=NSGJ2ZKcF3 z^!YRTwxZq9)frDoJZq_KjGT0#Cv}>hO0{acb>^#1MNru?y!%WRCs8L;hZ67e2ob-Q zEy${iSFHPYo&Ea7XpJ6GG0Cf6zM3`=%2z}lCWk|Tb;7r8L%TYqd1FwBEQ_jsG>wSUQ}Lc!=X`q!RKo%#nw)smlYQZak=y zBTG~5LVc)dxM5RjaTSsjd5L9&&%m>$+)Txnt?odHb#Oq{X$4n}_R~C9PpXB@D!AhQ z%wo(>Lr3JFERC$dKS7p8$YWPi^nc4+vACMYIN%;vd4P^~&8LO`5nku-3dBz>&*bPJ zpfMNQRCVJ0g!;!pfD=AOev(8a04`t%A%09trY+SDr&l;GG-1mj$4Gt`D^)CCZqZs} z(aMR0&3g+M+%h=-f5DYA%)fp2_6P4--x_9luRIA8u$vfvi~4;yb>#&N#kVa<_FTKE 
zUl$N$+uGt@d9m^DqG@FSZw#G_#WZZ+LeavB@GAS?D;)r@NG{dv!an)@xu4IscmppK zAroKcoF{BNG-1~Qx)}NiDMy8p4ahAjJuapDoA_#Xs^5#Y^Lpm3x_zq7N7ev_8o~9g zmoglTY9uFPg5usGhC{SD^gJ~926^7_e<3#P=Vkii!8bd_7s#55LSy}%;cV0Fm*Rk| zv*AIv6QALu1LTGF^s8O>9qQ}aYCY97s9(k5FA<5$o~W9jTs6qiD;vZ=fc4B@|5@_> zZ#grFCGk4R1KRYzhlhJ*`TyS2gU9>-Lp=4|m}0`GB*Kz20I42YD{A0<%Mu)(K_v&9 zCBzI*mJ~BQDT^6Ez+6#_Nq1)(DuX!-bCU}c@((}IECy0-d^J0BVGaCOd)!4A6yGAA zW;%A6a)Fjk+?L5AAZjBParLVw>dx!sL`r;V4aDpMw`hB_rMBzfM{HO=@d9mI*OS(8 zjd_p2IhLkDQklAnp669AxqoWHvn>9{NknfKIOa$nw*NhjC=K=w)~7!7Wff~XVxm_4(@ORW$H?zUW+cQ7MXBRy6Ii9I_d`$f+PqRwqT5D#YH=Ban z+Q8z83PV_75YL>0NND)dweNC3pH%<_?X|s~G)%!92UjdxC{-VU$i)#`Z)?mp$HPia|+}pDx{|^oj-olT`6f@4cT>@J8|J~8_`i zgM+7skLUj(o=+7&KfT1tRi(%dI-|tYiUn+6@HXKZyh7+0>&OJ6aSBwN~8pXkX!w%Kpew{z;!@@qgkk zWBDteHvGSLSoZ(i+Z{dP{|9+WcVLG+up+L_iwv*#CYbvgIsZgc@&}E%ADz+gSQW$R z%5q#AK{;pMJSFU`&3cPai zi)Gb$#rl6jbF}`hOM0U;8lD({Pjm1Ufrm!5oKKWSm5GctZQNBi(jw{Tgf3 zHYh3)JuFZv-x}d@wX`Zw&h*)i1lsoAZbX6gnc|<-dO5T}Ij4*tN5p5g$F%iw3Fz#m z?g6qSB@_l5`HU6UwDPF|nKm@D96Wix_DaqRljdE0v9WQtT;83#ss_e)g}1l;`YWR} z>HP}9y<>Nh|0*L;wY*VL zIZbADYc}C*XX?z-j;|!pY|IN*YQ>dQ6IIi=*j477CqH67F1G~n8iwV!-GQqP)5^kG zoVK6dzCHVJ_U8O;skgS|WrewLq?GF7=2yP>TvvBWYwD^pw8k;A2BOM&swKCuGyKG# zkce=CS$UPhlqO^Je$$Vl&0h=OAkxTLO0G$SXZQsR{7AW|fkkAR>5m4sBn29tyHr^zDP=7${8$)5cndQ+Nl^D_{2QlPGQ>IIeM%tVS6ovw4uv# z#vL_~_Pjf7%tRfrZMqj)d3n_8cF)e!22Vr3rMx||PJ8yArXHl4ZVprzhxt)D zxW==d{4d7*hNf3u0#vz%cxJ@_m7>Jgc1!mnP4tL_WF@I$MM@%=NF4Jql5(zMS4ee*cq-6x zfTk&3=x{DZAeYea;vpnsR!gh%}`tn{Wun-$isBpK?bDqs(0vUX~T`tL6sRTZ2;$z*Dt+m zvFmy>)G!9Rm=qRY;-plDAiciY(O`2kLCkaBj8R$ zH#W(#f6GLe-37GR53NHXc zuyjxb>{Eta$MY*MlnIXOsG*ey=7fn#dxhc)UT}nq^y&yKwBR@r1jvIAtU7i z&`J4ik%~4}{ZyZRQ&;5r(#a!M)s0mPZ^M+-uAfSYSG$mN%D9eR>o7zplu|S9f#s5I z8k3teah~M&b8%erbbR(%Eo@5rL$3JTbz1)^F@es+P{1&y>$dK;4uO`6Yur+4*HzdF z7eW(1xWYx_4hJMQ9jb^36e2A*QIBbg4={<9w+O}AVxq&j*(lsCqNo_^SdhK$0Eg8> z*Df6=xC)Ht-e7rC-s2LizXY|j<~n7ak79fCU+#pK(e9(vup= z9AMgeQPW(zDspL6(~(mAEe$7bGBB{N8_t%XIJ!fe{%=O(8osLA{5M%TH0b`yQbSbC zXyEP`be=Cha-7C_dX}pF!)iLhF4B@4qrKo^N| 
zSswUNGWSa{e1NaU;aN(jBm&_f8>7vT23I&8svN{SX%=&`!20)Q_vTd%tNAf1H^1q+ zt?Bi8$MA8I9H)z%XZDlC7r*nKCzy8|mvbPU+H()Y*`Di?s~y$C+&`_|gDu6sXC%ep z^OPnh6)(9B^jzh?W|&K({O2&QJMymn{P^U> z{FOYk8R(QXoBECROfoN$l>UYTjzjY%V8r|_V?vvsA-#!j{4_j1JIx!=Arkq|&^ts? z6kq3*aV2NTCqcYCJv%ABI6HlAO;Z*hvv&+Da+_v?fN!3Qx5x4ACeY)TB+fq8f6tO6 z!V4U8Kl(AHS;7iMUuBF#aXAFgf*Df2fqtOrgoMZsLlVyrpJN0bYBSN$z|8l8n56iU zDfl=>M~8>|hdqR*40?UoPV2lP<+T3gd5vZ1|8;Qx@&BIgmgT>Dy9bZ{Uk~zFs{Jn? z;}sIX)R~8#x$xaz;%eydptZ+tOM#aX13M%=wVg~!>__Aeoa#RE7oEG%WY`Y^%-Aa$ z;))%Lb9{O6TtEzQ6`IUUEU#@q-1zqlvs^IBI87n2g?+`eI%VXKl52hWN^2LEjg<^Z z%5UrYa#sIT$vauQIK?Y#>*d$ETt~IyK5rf3vn2jcY1A#|xBax;|Ms39mhu1I=+XZF zK^_PGhdV`(Vu3FUcppAw48Kq~|C~m6+hrA4MYmA3=3Xe8`AgvWFQMQ2REfV{zJhO6 z*2auUCJr)+BNF1kPpy=jIr(-LGs*HB%Oz1ZBXM4)01B9$i3L2*BFwf`b~j}(*DhP| zke?8Bm5_M<{U-j%aSR!kA(lx_Cv<_b42ob`@*1ZTT}qbB7%sG-?ziZDhrRWyW0f9o zC0bTN&U0b<-uL^zq7BsVi>*cifv(}g6VMc+{FR!JnZ%ya> z{tR>R?M9F&@kc}$?^mX$a4;Nu1J#A~vyBw>U&?Yz?j!WR(%E17%JrvuR-peAvA^P3 zcQ&9^|2H})=l?uB*n6b^5AnEgw4(j@LfF5To8@1YzKa8+;<;;FJw|fUGCrp%`2(6$ zhEzQr+Z}i!wKg4iFf&!%rnP7tTk)oI^-)$~W->$6xaXmQcc+R++6+!LcInFNeJ_`w zf8l3I{9npt*sYHi{J(p6Sib-5@9#Z*#QzWRd}_^sS>wwsKCkG?jpOSF#_ZCO`Ay>g zo?$D|e%ZIm_N;Pd11z!Vo&O~zKyC7$(bJ0j|M1{3|HFek zx%}Zzl7D!u1j6ejFa9Ff?r*@uIQ&;yK3X6bbSXoukL89x}WrCvz?l~14{w(?mp^&9^@$oc6yLdPG8q>yGwkgl_N6U zdkiKm0uub0Wm;i;gutxA1Ze7Sqb)E*a~9lIl&&?Z(^7GqS|T?Y@%~BZL!XD!>fq& zT4%4`6~LeXqIiA-N5xmxp+2!`PlXy|yiE8)lYZ^i@fWBfl zYYtzmif!u?h*S;%4NF~xLOid^4g~$$i;oFqP?+U~T;Wd2rMKJ6jqW3l^kan1Kl`&9 z|L04|eMdI1P5ygSiT{7Fcl5~rJ;>w6{z@~WHGwT`pw{`=+~9irS}{9H9h;@0Z0ELY zd}v|4?K~q{0rfqs>guav$JNgNg2sf?^nT9&-r-*5{O>>J|9F_keg0pm^|kJS<#79I z3y^p=2xy8a8w7MQETab1(8?FZX7J33avi{Kb*ifHqo(gE^D@7t{KGp-3CmXqv6IKXdGdkqjMn59#!mPoV!- zNts{iBKIZmeq%KDmhIAAe<=`H;F(qg&A28ZPL~G6bnIxX0T$cd;Ll?K*+3@0t+JlM z$$G{v?lpp@yRU|2(B+!wKOx>Z(212@Re2roqWmO*<63&OM0rpw-o; zjAkUkP#&HY*lbVOI`2@2`|H}ir3h6VWL-|OsH>xFA%NggZmQ5lCEQ)RyQ+*mo_Bg* z@#-F*`+b(=|GC(H@NbELH1*LY|9|>)REht$|0w@|kf(%D#mfGW`U`wR)2mi9kP{sS 
zXGKGB(c1$v;u^>_iwA5zMt2@G@?QcJ)PF1f{R#UKpZC!xg}$;h`nC^2^M}I@qZ;}N z8O~)JJ=H`&L;UTNt(zI<$b+nTIQ3G@5*jls-XwziL7vBzRBN;=exw95G(t~4Woh&o z?S1#}BXo!Sn=7FwLI;U`7h_daiKtIpn|{u9w*AAS2R>hJCD_R+8K$%S!O zKmXlB!L^+K(Wr9&e>ysR^#6E}$Kl!R#sM88#L2BNydF(3_eb{|`Ay@C)la{Pa8eso zObLWtk;qnzyXA;lrGsj@V{X}B8zXL61)agYtnXF;GY^^QW$??2JqEvZBr~ZA&{51} zMMmJi^3w3gzx@rK)$xD#P%y3h-(ETX=fVE|WBlg_dDh1NWiRns-{xF+yL!NvufZ{@ zU?#3mC6d^E)i5P6BfqYWiq|{;-9kaM@qfFAmH6*RN00U&5AuAi^S@SHh_8YM)(GUV z^w91*yn?vb{Q?j!&AAkSLz|1%nXElHlkBBMXY(PF^n!#Sl_{V|eMDg*UwwSX7m z2y^VoJ6wN^`V%~*DfZwapfy6{9ry)};1GxX6)=dFIaU$VY8b3>#q^EygvK0y~iRczu??9lH}~yDJwQ2UQYn?ag5z z><~perXeooo3r068K2uV4@JAL>6FBT->N;VepS6xv}?+85y3f)aB5qXSud6tNkC)n zlNe%$mnOPwp{q}_cwnKFA+K{^L4nVo$F&8xKT}q}raiGeq|%_Z<-BO#MnD$}U*M|u z{UJ^GaN=_|oRAp)=6# zokhYZ7zzUUavdX}FIuTAfml;4$QsuZ_Zna0)XB?qqW=SdILR!gDPD!fwDJFk`{nqb zyN7#^`JW!-*+6GL=QxcS;uOg>MmKXDqe(_0$eNP)!IeM5Y|z_4Z|8)8Rtg-B*&Ig^ znniRXErLiq+X06GPOdSyR9Nr*IP7hp7|#G5p{*pvQ}Pjq5`+D(?Ew-81ko633Xo8O zQxuUH4|;>=7auM-O>u7nozTUC#^~ph3lx%+^#(J-hw!fizc-ltkq+Ts{bD{FihuM^ zb{!A%h9-V+l_h9OBFuW<4A@Q5`(`lluX^7M_#)|j^Z)iX(9eEKXvWa#^B1f)xMl$j zac`isW4!?hu|JgMQ~F!)%`dNCoL~GUE)1Q{|M`pK=dWH27U61rG@k#_-qYQK()k}f zJvw~k{~zSpKtIYwMnBTTi{X99QQ+Hh-K*@bSHJwpRIu4I<_u(SLaX)9@@SWQ8gd=%pwwD5nUDY};T&|dFY zy^tNK*W#DBJ#0nf3Zv`MU~jOGyzkKU-e7mIyIly5?{fi4iVNs{ z>|Y5eRC_VT0N}!pGe1Ip08BN2zk%LTbRe2XTgP#T_6MWA!Dw5|A7KVAm8Oo#gZACG zXipT|&09DWE%bW-Lo+n@ujR1A5P9B|rUCrCrCEw#!7`Yze06*|smke-POXWDw&Wnf zyt5b2>9lF#WIhXC@f1NERI2FqngIRf7`O8sjqjmFzF55B(U*`Rs(Gcb7ztMuk zWRWdUp5eC)S4^T+AghO~kWl!t4le&Az?H>L$kv1_N2C`#^*Ns1)-)ydu`Y_3D%;dL zy8MLt{5HY;G3uXF!1C{azV*@PCU^m^h+N|sGj^8J32rQnUaF!9$|8n22WQs<@!Tn!KD%A= z#rkQvT)1t+_5RnDW=vs~LMYBAtRhWu%oR%2tS^7b)2xv~bb(9Ism3<$>??wX2|T@P z;W9BPmjkWA}rD5M|BrI?R07hf@+r6N9 z+sgu1Tt^f3u$GNEjb%tjdx`+Qn(~)|KCZjJbPU9X`Eu+pUCRyEIz-D6+ST3Goi=)~ zHIxmALQwfe?yehL^6J;f6`f>^(}lhywzhsha0P8=`c6g#68lS)HLH1g=7#G&*0C7x z)zRFY=-v;*6c-pFP9dl(ny9*Hi%hjdT&(H};MKxqM}M`hVG&_m;EB^SbaMLqoFSFP 
zU%4v-h!Y1~%aWra9m?an*6n+}Y`Um5fsRY;n)FczlDKHYfp_Rc+9>%**J&h?cjyva zca{eY;3~&iZNOj0VMrv~WdM?Tl_^b;O8jW)VppCpIbW3VG+HC!F=y@scN@2^2kjr_EX^Vh_y z8m>PZzSnSxn{x~QW#%ggaKdpYHH8gu4c8EF*>JsW;#qUJfJvp(X0QZYXQ0Ad8n^;n zaGsjQHI?}ib->K12CnygxN3U%qrXTZK~n-h>fgs970B((=kq#&zG6lhc^+6T=YI(__LdzDX<66fdL2Bm&O+f~yTC+0R9VrE3E14qf*9 z_XXF_(%j6|+#OOMr9xEQQ^CXyhls=uPISdRmc#Y3jd^kKFJf{vT z_{)ZCN@71Ef4Ip}9b9>(a{0^msGoDvf_qM`120J_$G{Nxk$VcO`zxEA)m{(p5Exn` zAF*tLLXsL$cxAh-x%n$_kyx^$P6T_0PK&6EFvypv%I=8kip2Un!e z#Ls>1HxV$HW|)H=6w-K;i@O0<*pA)^wqs5bQjhRbmkF2Vg*?#1Zek-8bLOedCQbB`ks<8y2=xM0s(Q+_Qx zf#d6r$Q!)?$r6sQNlN7%^V&~|6b&anV;JsJ+F)hf>s@>e4o5$vw8E*C;c`MWP3Z#p z`Bch%FhCbrn&=*%ouZHi4AB_9e<6BPY9E&rOVD00VovcCrvljzXE?^Gpnn|rgh7u>@T7^XUmX6gA$ zrDdxOf_<$~h%2`}3KM>_!DhuVioDvNVIb!?4sqJHukO$Vju{wccRKif9LifSm`1D3 z*9jFUxJ0W;wfK_6S55Nn-*CVkwg^o0>;!hOiVaRKJdtxHy%Ose-cl~whC!fRhuHvL zm6`Hu2@L_RpDl06Rp3(0{e8kEck_vkRNTRcN;-Zk?+Oi|33Y6hU(1L}3+H634O7-M zU&c$cG;=ko$CjzIl-DW%WYbDE!KDL8mcUwZDdp`Z%4VcZP%hy*lSLI?il{FTlONG| zCe=pTR#TT>YkvuTt&`g0&NxuyyUMDJwlw~lr!IwO zvwQ;AxI{>}w09nfTjZg4`n+v2l%!wxcHK0iJ~e#YlG<|L@q zj;<*zcVz#l!>e!S%4<+?(3TKbQEiI>6BJ6e%;_S!1PA6F#OH(|VC$q4*&L%Qd@Boj zP;gM-h@kR^MjuKc%Iu>ccbA;j zHKCWkXa232kSlUSW+@4WSI?NII&4~sDqIa-L}j>&a#|-`qrvDu279YXZi{d=I0lvB zYI6))6TuhYI&1I?D#O+07__G3R>Re5(3HbviZ-`?Kl{Gb-7tr%gOB0;!6n(QcQN@r z!#|J+gVgA<2p8tk6V7$M(7V^C|L5HcNW%8|_|=OGr|@KePN#@rE|_n11qV5mYU74P zk&>V19#fY_rmS91dxUbl@>@gR~`MG)0Rn z;v|VMPzjKdN%>AIyI7dKoHeguUvukc@FY}@5;r8oh+#hs=79Yz4j-ZdgdrQs2pMc> z1z%Vo5*tcZhP4i^ixYimyL7^(L*@xesh2}v)C!wzE$_1`Tqbv5Y?JakBzL0Wr3=Kn z0v5{Kc8zi^xM(^fW;yTBX{f=W>CBG_lYs`shQ67TK*r3l7Lv_r7KOQxwX3^-D_m0= z<-@!~FX@Z~euU&}u|p&{deUYP`@VFET!8?z!W9xGcGPp&ub1c!9S59Tiv!Ck@~AI1WqDEp=sUg$ulF-Vy1M&j2v-Muwn)Kv|+BBQ!1o0vaFz@w?Mi?vbr< z6|ArBklw#dzLr+&=u#laFL55_Mq)ptbRp;gyWnXS@GP}~l{2Via-8a9w%j@bi0O)Q zDj`r81Rxr88s3U_6?Nmg@p&+Rh54L@1@*FgCB~4+m^C5hIN&)oQ9)SP0R2Mv9Q|_q z_T;B3@d_#O)iZieGja62H|I`|5> z-U96hgY5N1768;h&`9FifJPCdfwCdp%3^S)bM>c;UuE<1j!l^0+qMTXh9LOXz(&rE zjbW1x`63yX&?I6op}&#Cm_jM1kI1 
z;GZ?Edb>@T8H^4jp`Z{v&5pqYfp%|X*+dn{Vjuu>+_)J)M38ZNP31;NF$5*Ue%N)G zb%T<;sbP%`vyn5)fXF0QpWuK@2@ZFvE9T~L<=T0$cmiUzaLiI!v%woNpc}&Enwk$e zgJX9_7)rAk#H)I9W(? zBvmAa>4Hnuj(r4aiYAoL0V457CvCm!67`X%eno*<&{|sjg@Uc1uk7fkRRX|h^xW6D zuD7^cG1&bY*LaJ|;c`;bHe#B?(}|ku;ww*{lbm)Vq@6%ro|5LUIZ@i07%d0-Z-&xp zXVHl=z5>RuArjc|-TBL+c;kmGicpqD;+mNkFDbudU9jcDahOmNbGXox_?ljo(XUus z9aU27MHM?0Ot0sZ@$vrd?k)r#^TP#+hvr&I;@QxGcqn`AUpDO3E0UZ;slqt|BqUXc zgdqxMr69o9YQ^&x|L4QI^Ot~q#NV%8y#49T^BU8u{Ek(C!3|A#;iWcZ4xpQRS`XRe@Y|?ni)y1KMFJ&$bpR}fEAbh- zp=sCz+e&chh9zA3R|{;?HbLO!E(^KrIzq$tLONWXIh3#-hI=z{naSGQ6hgj!0<1}~p(h+=AK0L(f6^<>z%Ke1hGjP?K zdfb(AuC-Zu+$|4K16)!T;g%z+Fiho%s%!mT=PRx?^RU9TDS+U(N-^$^j70(#t%i&# z?W4Ao*VV|hb~dEw3*kr#hA)*k=TgShtb_M0W^V0nJ-pJR4>SG%fCCwpp+6>m(6I83 zJs?;)0q*(t$0rTi^ELMXz-5?+#?Vp{E(YmZCD)s0H#V{`rMA<;I2EnZRFS`} zSZdA`LiEQ0MrEcMK+PC_p^%$srG}y?alDUGDizy$?G0iSACL!v`o#P;hV34jWE?Rr zl?{>>*_k|HELL)7?bTtr6FXv#Q#^3&f;=&B`)s2#8eS+11!?<%wt&ShY^WVEc`=9X z8A@=vAdCSr^BKCqk+hR`Z<7LC?-)K#lH+ty7Y9b%M`WmdT@FcN45!5btcjOj8T)qg z-p%0xIh9!K^DL^fG$}}}OjtH6YzXW?yZrlKYbU?)DZyoJa2I&3aM=fBeYjMrgSt6- z4hCo@A%eV+DfwrJCbzaThjRP0e2G^R=gUAou9S&x3iwOzDXxU}GLt%%o>3)4xF+^< zBuJ~9J1FZ-b>Yj3!Q7x!US?7An**11f~(O^t_Cjd&s>_{J9K$H8XTbKZZi~b_bZ+nlowm;4{V)5e+Yt8-on)zCF@mc?sD#?q(PfaO5fo%Y z@#j*OJ9ThX5R411CKKE{boq4fbbqjXMC(SlDu%c&xSC9G*EGMagR2re!39^73GSNc z&YUQnVxgWqyeTT{jk85AnJmF2=4*#X0z&s_vl3bA!E*8wO zTV!#EF5sJetyBwUDdUn??B%i^O!w8V2Fx}msa7xrhwYN5 znj&>zx;>_9!0eh#sTRyOmaY~|cV;CwnEAbSSqL?l$I*>{+Z629b%g38Jl&~q;W)nb zuKiTv>JsFufZ2w$9bgtE;YIh*%4~*qKDTnc?qII4=uKW=&0uzM33G$F!fZBWooE8{ zC(1Zd6}!WTI?*2om`$1Tn!wccPyp%jmI8BgbJe|B6Q;7B3N1r;%3!vMAREARrM#-l zrk(kuA-r50m~AX>3z${gq$V&kCPm5<%ICR06A~Pot>Fgq+3vGO@uUMxMOV*K%4tBO z(xU6v_H97RS`_GkA4L;CxB@G-`1kMWZ zJJ6JC{yz$gO?Yn4n;)z@bZo1oK!~NkO5Yw?Hxe61yteFQB{EeKC55&E<3_Hs1vbL( z*kca(iAML%Ml6QZ-a~$jR6V3xbEy*SIdsijL)N&ao^fl(h22-*bK*+wcZZH+Bwk|Fbc5;zW0Nx8$S(C=pyksnUJW6P0WZVsvrvNk^-1K z;*W}hA#?hH*+0zBwMt4o!2;OPV6=}yikUb-BoQjg1YYA`h7r z2Lm6$1NM601+59^(O_R1_)q9H?p+f0kC`cMNp_#h6?2bN7f2sp>!_}o+Q 
zi@w#KQy&nd_hJ$#5B1&fh~{N${k+G^%gf><(J87#QtkDARyj75w)i%&QzF>2p9w4PLQUN?+lE7y63?^fE?WeYW>7Q#@f3)TRA4~JJ&WON~xSV`)|(Gmp1kCi2`5B28s##j&f!Cdt-&X+as zMy#f?e3W}#bdcK^$ae_+#%Mf7cRh`nKJ{`e)wfKM`{SPVWiS|6zc!G-a}nkkngfSx zusAH$u$$(DN4P&m{R=T}qtx#2*o86@iX#3b2uFMS2gQ#H|MkacWL|%Uzhw5o>R30V zD?4GxH`iKULYuqL*eey16v+3j{T)&@=ATsCq7{2*4$D9c#MD6HT&?Ue?rT&ez&pp& zG14L5G%gM3!rGa`Jym)ZV}2Trk^Zgkp!u8Jv21Lq%HSjTu2m-paIfw^^>0-E#f;%J zps_$-0FC%P%=Hk%h0i!nZ6Hgd)+gut)tT(*W6!N_4|8N76nZ?;J1~e06oA zMh9)@9YP_VcLt_ zGiXGv_0S)FN>ch84!9@q{paB%_2XcU+3=J6%Om0EA+$gIB>n@x)wF-7xTRtfVsrFN zS(GtpAts>P9BwKLF_LOSFo;GEb8?Gby}NiTHf4&F$Pc6(@gI9XsMWW75i@Fz#tt&D ziudw}K*I`(;`)Rn9SuX0?&U|Pr+10mNQ5;`ndtZ*dq0S-^Z8N-Q%;rW;vaiIh)%?R zbT?+=;DqW(bj838J-N}abv_y+p-DG{9dUfixd_EKDRs>)^Ax7*B{WpgM)Kkiy$3_e zblaV;(>ilvgRjG}l05t0%#h=BvCTro=}n4zoaCz)Y~bLdX#@SG{6OV$HHNl?Fiq z%_J#Ja2nmB1xZsFNAB=D==C%QodW}(8-PqMLR-)Qtbm#RDdOsKpel@hLcv6fDck@wk zgqtvDC5FU8tDlsJFfPxDNqa(5Yg_GzJ)6zuih`;QfD8Ve)Ovo(p)1@6s3#AQ z2Gu$}sKee1&K8~5MjtZ zoKh+vQ9ZB$6CC*BXxULAG=Wj8gOU^i;=vw65xL48F(t9lu8xprD2GFg05Vehi8xOw z@p-;XMz+i;TKF*-U5GigPFHT%?1v$;GZ-L0^dU7l2%g@n`-qG;JRU-TVXY$?&~zpv z8xY2&K(-j-U_;$nyu5i&`KpVR*e+a8%p8q-_KXe0XE>ksu?NP!SVwWn|H-(xvhQeV zVfbA^8@|;XuWuQ(kYJiub1>8VP;{_(L6d zKvjp&`7O$f;5)&6ly3%wz!%SUpY2v_iFuodlc9I@j_5gKrbGR{vYb|3aX!lR#Ji?C zD$G`)j{a!Xn@}2kr=&td6}%End`1FDET9U)i{p&X9X;lS%{eaDdgq4Ks;Ot8T=T3t zJ5GoJ8{4kubL@vWWvZI^e3E~yw6^fmD}}^ipV&v{mH!bqg#@V5N8>F}#AvLzW!kxuU@8(I?BGgZ^kR>gV5i#9)22 zT(9{07cu_h6P)rw0c$M)DmsC5P%2nVaSS*P(%S^cgRBh3IQV~8K;;qBUG)cpLBH?; z)EJE)|A}vl->wS?&|WnunHHN4&^itYFAyFpcBuwhlo1=IEXJ}K7!z`%iG6Vdi20i_ zFXd1(UzK%{z^HJY!Q78y95wPV0IY^edqZi3x4hQ(F6TH}Xup9=dCB$VEaib_N=qsF zf#{_?Z~s0RCO^U{uNh{Ef$Av+3grwG1PXZ&E~*kms)>23NbYEm3&N#MYcn$iv*Ova z;^|qjIVrPRw$$EL%ab@nGAk_dgDd!*k#KC5To&0tnD9AHdx|OeK#X{C1JV4o?CX`_ zYu}_ZiDn4X&ml3PX7K8V$buJMNjX3U@AT=XwM zxWE`)USx?19ets+@8C6QV%i#=JW~ZFg2R3=SIs!K9k6!_WLbS|q^bc)1dbk~&Hw)I z|K8NBAHBly7;S!}A1C@YU}=1GdD`JbSyq-8e&RTH-g}JqFXCRnWiw7Jcq=j*8_^KU=@g&nQZ_+-h*`6 
zWP)26TNWIah8rMF)vazT6aWsvmMj-Ml^wY_i_TBe$e*FDj(Iq@i|ONYvUpmU77JsS zR_?vH1PmY>FbO_T@$1)o52J7OCYEL}ABcGMb$KE9V z?-}k%PG0lkX4GT!pRoAfl}Dd{fYF@BL6n79vyk0($he|Iw`>EXI#EaK0 zg9Z{QarP@3;xXDiIM}V|zMI#xq|%1nWegfB<3Jg3ran3`Y~Tf_sbG&zV~*3QA7Hd~ za&fwCjU~b=%4r&{S3rO=S8qE1!yAy zQ9xlmS`V(3UciVayD|vD^F_Js&P!Hoki-#*ab=#}{CRMx&7||Srgs9Z?AYf!5 za66%f(Wo?nRDk1S&QmhUcrO3a`$kXEiK1YOTQhQfm5gbK&$3BG*jx_!98dFR)JDC! z_JS0L%rbEhE3NGzAxEos8mkqS3UI|=F^REY1yj7B92YFaNj!6|U$Yb1a1zmp)?S^z zIDY=>#b6O`q*?5d*pr^^)}j`SH>-?*+2y5C6>KAWz3*>xnVHL=JY-TZ0LE2**&Vn$JaiId}RzKXj&G7#7;7=B%Z-N{g!6v#)sH- zD9vI+Z%K@NG#Bmoc02mYBdWz%N@nCt!F_X%{Sfj4Xa|Xjv2aC~`lB)>lQVlMdIHw$ z(&Ei7#r<2{pN<)d@kfpr#|d<*Bd;>dvqYlYLSj;9YjQL<{%sF#syc}N!k0pHE%B{D z&nco45Wf3S1Vv8Im@3^%3<*I(8m9<`yU5_t#vn&OLzY5@%h_6;$Gnu zEr^1vA)w@(a}LN*p)$`pN}c=I-QC?iIyiv;?(XiE|GPUn-2J!F!T#?4)7_(|hfn`) zcW>|TX!LJr_lu5PJsIPE`fs~y_f;O;U*y?9FR`=*B1{_W$e59U%UPDHK>H`Bf+8?9 z$w(A3xh)i}&lVJNON**y+R;t!)c1c=b7NXFM>G^Gr^yq&SGj_zkooC;x?}C0v@!cT6&Aq zg{6p-N)zqNVt+tr;qzer(l)O#kDnxivcyetx?|1zdK@#}T20hx&papNdIWCKRE0c3VgPH6$eppcPYW$j|k(Hu~kQhP+#!e z{1hBh%Ag_C&$Y<{KF>2!8_%nZ1fjmX-uI=9!0~-f!iKLTpz#TfXe#wq0H7`8~E05&Szkj&RDEtGr%Mvz7X#GM@{-f3<#nF3i8SRB?=_FWp`G zV-#mmRQ!_q$^0#)5hqE1jCKnjiL**X;w#4{PW%{0j`z}K;pg1n=s${|`E8^oAiXO3 zC~<%0Xio)@CGo6&o7K+}C$K!Fdef9H1Pn2~@s8%DW$JUPzV#cMO-OKs(`w@>o~D@1 zKj@&4FsA+?>o-Fw7%tIoX->4~*Yj+#xNUL$It_#W`9GBYa@E!MtJdx5Ya{M^dRC7zTGe20e)?nr)EgdpFwLR}*g7;opFhhp6lhnfWh!;^wI4!W1BdH#?tvXs4$fx2 zV0cKNk|2qDiLn>G!BU?ZfM5NDW*oUjFT*Ba63^7-224RIiMcW!v(vcc{$t3FSYR76 zp{h3iYcIO>EOq{iI_&$p|L-0iRqy}1dynV;A)bVWxlmEY7Eah*y> zPgLC);$jT`0Xn@e{+K{S8_COi5x&Ne&QsKz(*?F7ljU~Yxru>m^YyOqEjVP3d!A}b z{9z(4_B<;XTFqyI`XJR9K5lw61xd8yF9CSl-5*Er?V^uK1}ZK36m@-XPhzpI1onM;Yc z!bC|v4&rf1pS_;(0Y4aw#JZ~WU-tapzy0Ul-sovr{NAWE6^g_r3l#uL**H}o4My`EhRPGCl&%l_XPi_E-O%((M(I#hC-h@awGV)r4LYZc zD|fAY(@y+g45K)mDh#2LbpJaz2AzL@d}56ssjmtT_GCnXhfmE<_>LnrKY)`ltQ~C6 zsW>>dG)p}bB3abx=>eM$7z1xF93l_BdHwQ#)U=bS zm3LL3n23RA7TS^llx#>;oEM3Ktx%Vtz_)hRc$&)O_M9RyWW?!q58^gih3o}54nvgS 
zbU_#cGb3?`PGF;&9Lbx=Psooc%@S}q7cC5})&}TeuH(i6L?jlt>9;JFF(F|4$tF$S zWl11Z+C)}#gaEKqrm2P_hjC#iMuo60+ORHl zypt(>O=l)^t|7J;D$FyPA|IX65M8L`d`RV2ar5HkSWKd+^OhYN&^W*eXG7^;JQO=r zrvmiUyWYk|FQK6ZBG;x>R;#?!po-7O1F38BBKq@vz_{TjiJvZ1^q~7{l;J>dSohoJ zEem+0npDOLsvncQao|VEyzEw@(zBeURB*D88D@+&zu8=-4ds((wJ}DU($8Ig)9vXA z%^P&Mx;WcQvzU_w&KvC6r&wl!FqEf|b<(9qPP6!!0a+ZQqr=1f1N{ynADUOwVj24w z=}wAyl&p{wz~D+}da6#mjOSuqOq7+DIBk}|9ILr%agr%R&N44`SAk2o#dYsu*kN?mn={rGeI7UV91pCgJIsQ-Wl5( zN@&;v$3n+t6Q)AYzH<6iQ5i%e1a2n14OGd{3UsyC^$ez2>{-%K`%H$Dp#bnXVQB`3 z|NAV2KwNToCv>s!J%$rs@|}?qW>|9X30BhXaG+%@P)gvClrYR>Vjn-?sunUa28T37 z5XcK9KIb?Uyq)Bnfeb)1GO=iUD}SUIEix{n8RC!PPEW4!peGwX)|K=sw?QwsZZ!gl zkH7W^o~vSQ1F%rGl_X6H5w7rUDSE8F$w`5Oyi#ql-iAhzvhM*Z#cWYyRoIqE^Fg?3 zh!N%2UD*nZn1}+%8s^IM!p$_2^T5n(F%R1DMmzc6@y=i{_;p7dy>H+9N%E`sy}c<$c8tV@ zE5d>m(E>Cz9=LPoL(xf73^0CtYo=fVF;sny=DrvT!`G0D45wnKzPP55g*m3I0KSCk zn_oA#^=6SAdU4asD|UyWHf}F#Pgy9h>&|+xjb+1jPn#=ma@`$Pz{MQ<3wv`_zuwdtyP2Aj2jaZks#!t$5t08BAcNNWPW7a0dZ=?$LD zDZMJNY0Ma{%MB=hN*OQQ$%uYOL-kjlMNbAsgIsa$PwFiVL&GLafK4zT5+r+IroFPUMR6~ zuf-+^%1eVblv%w-T^i&a#4rX4?+S`39pBA!cPh@t3mpPZR97*Q0pTV-llh-K&-!H2 z73QgL)IBLL27l5l;RlYzf(xU+j=gFV7>LSP2GOa8eFp%!&`Ee}*Adat< zs#Tm?RY$U4r&HasNef#f3$l(%KF=jQl^QmI8uZGajn<={1X|q{IK=xHWd237@g1P3 z@~R*=wmKLV8;CPc1P;U@PevD zcR`j$w`h{eodRj|HuI_89H>UM?f*t@`oEArwH5!-0hs-76wLnf;-%92d#?y=i8I5V zT|Hwa*{-0>kO;uiN-0S}Q4XusVxX`Zhz5VKRpMe&-$DRsWxkc~snK9`F!&F#;Tj6b zL#PlO!%==iEJduf^$KyQbrk58lPN-*uPt?ZZ$r^l zkeixk0)$YhwbWF*IDr#h;=pbA<`&kPlj?zUjg z1GW;%BtT|MVuRk>xsjpfl&4~))mz_6E06xHy31{p-WtJ-x=MdknL(%&@BH-k?U}jM zqMXlJD_ksHsM56vHY$mH0tzK0c#)KHI?1MjI$&vcq{e(41UTU;QP?1F zF9cD7Bs4O27t0oT2a{VX5(FX~_zep0eWkir8JY<*rf)h!nK2LZ?M7r+ezQ7*-Xm@4 z_Nn-k7)&i@znPC(?i{ms|<_dW(L~{7A*UPZAi!p!W-wtwVV( z`Va$RCaV~uivp>Gp{opq0@uNnQL8%%Lt7Im9D4rxLX-s~&IAYBkX+rC80FG`nE*kW zxRo>uaAg<3D`>mSa!yP1z*=c=?W}L6k`v1Q^>VN33fZ>1CzJ@Xbu2htE0$UdC zi@i3-(PF^nlHD1%GU;l-g5&O011QUEkD)iYg_g{cX%U&TlHhJ>4EX>xTV5@c_$l}3 
zv>m|w1|g9_!@1U`uP@bXRSQU0b%Jhxn|17Z>Ao3Ck4!lv_)iwk@-%%G2qbFew82^r>-StTk+k?A@b%#hCirfDI0-9)!*%A_$p4i4Jm6_JW zG>oW+P-Q?Be59tV;P_Mou&t=!1y&!Ig%emNrETM$hjhL~n+5CKg^K|lG z0*(LLr{Z7dSsnjd>Z_J$0L}P+w0}^^|8jVE@EHH+K^_}{`$@tCt}Y=m+uK{G>K6xA z;gH-pzJRaf*XOxH(ZWR41g%SAwY3nzdFBDngJ6$f>(SaqA?N7pLM-Vk$ZuNvw&ityt<01AHRBG2)D*uk~J+}$m>)40341-Hf} zNN>I~_Sl!_X8nO0tL9qst$OC_*^Hg2J2*W$*@x5J!F^Hdk^hF6hV>YFlT2DZ3(Z^W z08qaGQmoee?Ty#Y=6W?(;FL=A2Oc?dfHJM2+M3Xic@Q|0ycK@L}>L5c6e~= z&hxKKQX@2IfcxKjseG7d-GQx0R~3c5)M9!ua*s|;)A4&!`VAkdP;*|~ykS59kutdax|bBrH> z=d->yNZOhb8>DGYB5L*xa=0XwS(=BvL#$kB`#uGHsjH9Ds|jwa-%E_mT95hmD6r(q z)yAMI`Xc2j4E$pEoXjcfeDkOwxGa`!jp;K?9}6X=3+lAqcfPxF`jO~uHdp;=^6%c; znhz#UuKl<6*EhPRi{H|Z*q@6z#0}F1r?{c78P^4ydviRCo#;_}_YLrJxsN~JoY`HX z!IYZ11f@UYdJ!L9!n}U3Yb?9(FU3AQ$LaIDHNnxKup# zs^z#bB0a?rUEHA6Le&xqISv@JOPS?aaZtrwKx+H*RDne3Y>j)8c7!FvtEP@ELK7PQ z)}A`U_JA>-EvRz2cm)kFoW5s0nkjd)kbWG(#4`o)v;yXI3-y?)qznhJ8@CVVs_JyJ zIlI~H(T;a)c(zOJ96ui>6`XUKEXEL>Z)*{s$W1h`7et5dwrL{y85YJihRjqkzN`Nk z&TFWp{p#VXwFujdEDk(fC<|EGfsmh*CtO1W1-<8B0ztv+RQ5vRcAt%p+$6J)N3VXKmAQ*y)DP^)?Oe|QR}5d_S?G9}+q0jhNF zWS*hv$xX4gHQ>prvBlE5#$0Ye#VG>f=0<+a#O5Io5jLx`*}BJIkO(7wQ}>e2-n!4R z&znI4n$Jd2{3h}*MDOdm2l`j;10tb_nT;_nz`vRM_+^>NQC{E#{dly=Q~ysP{B6Iu zXw+Ml;qP3=)^!UubZhW0z(?Vs!2g4#vLHj^4?WE@SYqWJBZR^PMuxKw8ER-!V;Azc zR^*s_Ib+Vgn45Lf;eQl#@_G*V(-Q)sE#|%{(opD*1P{qT80~%K7^MG0r3jq>VTmn< zQ>(FTQx~~-UJs)D^JO1cW&e|v-{3+qWvCz;>p~X{a0wvy4{Z}Ee}R=`z%CD+ZmeOj zFR{I^kSvsD0i=a%ga^}on5hTL2?AUyTLGpWjfUEE_IxMu3wye;ru79C>z)H^0Q(_W zGMUg&|L=`ND2en7bPCO--mA@zfI3_FK7v<*i-vXMxxv_9k1zo(e?;j(>mj4(90wFpZM=L3qihw{S;-L}zn3-|Np7UBX6jNuaY)YgV79sBU+ zj#fv(AoT=GjONCE%6~Y$Co}7jxGJ4zTT!JeeVpgL`&K}YRzIFMdv5fUBVmiype7R7 zfiaBrb+uOj|MfqsomD`Yy*;|obcC2xt4Xl{r5PokIc9cA*>M_Qp0cM~x7l{8HM+4Y zt6_5!1ul!ji=?;GgZPw0VDd!CeeMfCXZ8txl)B?|Vdd%7$%TzxNT48aHTE(5NB*I} z92+V9Uk_IX+{y{R(0{k^f1kXvlj=nG7}cyrE7f3&J(2~2Y<>cV8rjh)7OAS73bw&H%*UzqX8Ug9Qvh+F!2Z^R3sFarXmD;!ur&DOa8X_gESf z#NA+()H&pnQ+$3{H~3|dM*a{Zrb=ul6|*)}A4?v=7MHuC(UVa)sF{1=FFZeQA9!nh 
zG(hj{53q%4VOgU86QO+1RLa-wsTjl_!vvC z!-e!OsZW-}hLsY$_wx6VpFOpL$`Y!qGM7sg;p#ce-5YamzcB8R>f+)i7Fd(MzY>s^ zzh{o8tXyo7t*Ez$YT*}6%+*<@C$aG{zYEWNEoB0fX;Gb3Q77r*)+PZojAD+gl|c=s zG9xXu=dNi6;mt`Qlc_>>A;e{qau2rBt%X_t^thcZ}$Zmk?jDe$S*6V^^nsy zMYD4Wf_Lnld zx!YCf1aj?5j8B;*3QrT}r}#$1G)9KVyN-5qxg33=zp|Yn+V6XUEj`^q8yzgWHy^df z5?vPEze~tAnn8dfDl}Vl(f~J$yS@sKs!Jz{coujp;W}tM|rmad70`OI5S( z{p7fjeRe1*-NxTySNy4&wk7tD*X2%#QVmGQo9}77%ZJcndIj>1waDC;)aAU2# z-K$Dhy|f`JOt-q2JFY2mD~!`O@vsVL56ij>vzY<3O&UpO9X6XLC+H1ZM7PHehnK&5 zgQ`rt-e_Xznd2So!1GwPgw|$?QnWklpAl0MjGQ2@^E2m(cNBBU#^H|!Ih|a!wsF^wMcD5RS~4YAHO~F$zwDrwj_8;BI)UigKjfNw6zQmklYp!Tsw_2@Z^U+~>?!SA zpxF4}if~yOf}C=vG5{Dqk>;uF*^sIO*7Iwrr%N_p3ku!T<)EBZ$y87er~l(Cn1aH% zJg$NT;Log5frt!<1_0!lZ)KKGa`uCfLY%dnQ&}vGz3zY?Z~zn5d~_zPGS@|)RDEs6 z`-}VeKJD0C=SR$F-$2_9xx!Ys7RY45S8Y$^>X_*JEl!}%@c*&~> z<;TqIPFjcE8){z(-(kCRA3zQ~ZJ$AQ*N6hYPaJ9XgZQxc?2f8E*yfbf8pH86Nb7aw z$1E<#gDvOFs72}W2c>m%#;@KE%UtokKgQuWTJd~(&CI6Tg+&h-k3N84P7o592?R0? z6CAz9djMtbEo_<*dj_{Gs^=KL-JrRyc&ZqMy)e9^;tKbY(>^y_eu196o`ByRyFX3g zut$J0@q}#BGzWg1v&u)zCUv4-rvb4jy_C3VI=0-N`;`ml5hN+oT^m{v1slR1>Rs`- zGhjQzOad=f_DZZ)(YINB0gIt2N^$5t?%)~Lw)}ur)yF1Ma-qI$!3#pW5eiW;bu^%Y z-=uI$d&`)oTn87)HT@3jvzsqEynM)kvd%(3X#PSF^q{xW4;qg=Dqw=K3ik_~MTIMFK0FLk3Appj)jx6GO!Np?mKDMwC$7DjjYI%(QkI{B@BDM z4jUAclW@ro(D+FyYW&&ET}mLrGG$@t26#Wch-lKzq<36GLJx?@$&{v^d*`MJ}Y6$<p524wE8ja$1XJHxg$u@1#Xo+$W(Hk-)Yi{ zLFKH#l$KbT;oC>rI~N7V+vB)*K83?0JY)CIS)11aw-8>02tI7y&0C*p5tXu~9c#HA z^mmWuenLy6p}tG=;^(LTI?gX~q@fUDzo%^O-2;)bzJkIwl^ltTG}0ivl@| zepb+&AATGSlV-##c%nUsaXOL#qWL)8|5nB6^=A|%&I5u2#rYz)4_thN%kjE{)2^7| zwc!=5Nv1seN}4ymuL{pcFjgdB(Z3q0danz_`r(hj7M@a2>&2ne={Yt8=uZ8o%A=Do z)VF9K($V|2PhShf0Pm}$!PKzj`}^lk0u@%d&sSmaB&GQQE4tL=3|eSBOnvEBVc0pA z>;PLgi|BM;MX&6`7iML|b{SXV6P*`N(xFZ1;G>Kxop7n(5X6*kxW#o8e_=k9Mni_K zx3;g9^smI>#evf{iZ<87v)jJJL*1j$MZOc!3X=MY=(Tj>T`0vB?BNka_);EirHS$< z<@KrU*Nfcq;_K@G?E3As%&?v{WzJ~UIGgaPf;UG%d%iwgU!6!P{xH0YZa*f*h?y~^ zDx-$s3T9(q$~ASCp`Z|(g44-xrl~&A4)1hvBiu4*7>*F~H?rC_B-@m~QI8`PA&$bU 
z;oCRikNb_jrqq(tvdr=E;*p)2A+nCOejmo7yHzfDN^j+P{GEy_KA^QpxxyT3_4i(Y zU%52Ld0%s#ZR>c&j-WH}p@Zt=WUPdFa(0m+L~p;wng2TKeoOdYN7jKi!m)NsY!*v7 z_zd4NhysQF={7Ze|5S zXwOvIV$@%(-5L==qDj)pfp^?0I^PG3MR zI()+TNloNTqDJ}Nc6m?WMmy`iQA_H592ys2n#F8;CItMV{o;=g7Aw7+sMlpTRF^x$RsR zS<0U+iG4>WLNik`A z-|UZ|-!55w%}U~O`x==kVdmynIb5c`w11AK6Y4(nKZ-pdDf;!_UZ4%^s4~VLd#*%C zYh=0b`up@t5fvknEc6mX%5EW{%swgf{+j~&jwN97K@YjC$#>nlZ!WQx zdQ+8+xa)g0!O`Z2=s0c2d50O17+&6T=~T7WQaql(Js3FOB9ZeM&xt?LmjYR>wZBnD z9!QBqb_j7PqT^<)gx@g>Zk&@E*qdV{oE&I&N79TCci8Ac;=02Kv;BphGL=$P;s}_N z+s75!oQ!(VG3~HDS~w?#Gf%pdi5VrOsio+B6^KtcNE!UxA?}u1V4m{Lesfo^+^3km zau1CWx9-SgBh1d^U+r8hMeFaxyP>hK=m^(Vs4Orquj|Xx_0oev@jxX72Z<`Ne5n&y zoae7d$JiKVn%|a|d$RUreiMk_@{t;3lZi%=ofm-^cw$s!vDTD(dWn7CwnYcG8uK@Y zGqtFTEfHrB-^!gvnp$;qMGppd zB-TVu{TL5h-lgBufu}>hAdHH5%G~^Ji-90Doauzu>*+mK^}A$shTJ`i_yl<}cq_Vo zuH(JZXN5wKi0?%h70kKdW!V}W4PCya^K-c29Hw&jOD6T!5nmgV@{}>9c6MrIc^RqS z8ntXGS9)_Rlon{qI#qw?tLs@bu+cnq&y*TzMHSVu;?UKqq|^+h7UFM>hVc@nR0sAs z+V8hBFuOx3I0IQ_=eIVlQ#u35n}>w1%x1%ODmQEW3u}=XvcHHADq4D|o7lEFNT?2quqY?zOt~Aj6D7cR zlfKHJafJtzD1^{2M-5_CuN5HSjfrX0O^PwLyRWj7CpH(G$&sWcKcKkGUk(E-E_c}+ z_pzY6w9+{~p3O@>8NLEv>^f7!kTY z4o`XU`PVgHsgC=$7|b`~&honmdi=3q;L%fBKb{f~6e(}n!x-m=JFjp zkINjh@y4OtZMt{?Wf7s6xIN{e*-kSAvL&sFA%C7#8sK-EkV<7<&)%?Ln7;d79z6rD z7o>Xa9)6N{sv;P5;3TEgtP{1DpL6KD%bK_efB zg3k|;1SkP_N2KB4xMQ*D4)VSp?H_)u#Iehni(JR&?F<5P{qU2)S(X_$@b&I`N*{>& z@($E~b#N4Jl`nv)-yzICnT#N?D}v=tXLt*-Y^3Bq(*5Fx!$n4YQj}~alreF1Kk)jD zW20M?umUodLz7_CzE^_Mm@F`+Zg%)<+_QhUG9^{&MPi836gvIDq2D#ANgdY@omaUt zD(LI#?AM)9U%F<>%*`rD-*wpQJqQ){VH5-=eS}7)4HTjUwW9Z@dwIi((kD#iD^)_p zpv;~JHg`iLSi@g6TlLqvT;j&~9%X{HHprIhX(?yuVtxpnL`rl%v^GaMu9+I00UR2s?o;p0=Q~;6xH(2k5V0m z`aaaE#+m-A<#F=bN&b{JBhT~`otXHAYTp@z%slMNv@PC0)}E(WFy9aYG?J1% z+UoOeoO}9bfMd0P5!6!!j%uTRPm$bwB-@qP!e79(A>OFvjV}C>THqVDgms(l`iOu7 z2o9-B_?c0pq2NV`Wju+P;MiH5ss=YiF06u^l4SRZ+uNFsgZe(%t?#c0Rt_DqTN;~! 
zQHkNLPYRDWb)jDQXeVkMLxYs+CyM4AYGW3(Qm)8Nlr)V7|2uF-;i1J_q;ppI zr{ngalzNPU<^FcxAG^ns6E!q{yGIC zieY36Zgi`IeSc$(woWV3k|;02RuaZSlpY40>;3xQYy75&w=QSL!_jH8 zC1uT{wDMnZse`eX1uOPF_iqwLR{h|*N$_S9<3}TZPHT)v8&rSy1+kyp4G6s1ARbY~ z0o<#Liwh))_ohSn+~tc}ct$ose86eQ)Ihf9pU0PbEh-z{GK9z!U18R4wxE^Q^W4pA zpP!(M*q_zKc*DnXv!=PsI9*>Pu&dvuZ!^mV(TR*;2D$zaexQ#n8$5?`s}s?3;QdVE zNJ9WD!;J26Mqh@5p|Wr_Pj5AWnH zWZfe}g0}JMpo43W>Sc`qwqdOM4}F3s zxniQ}8DBTbmSMJNWUVyBmdq6LukW+E)8~tqiL7FX<|9T2uWR@m7s+yJ&>uafMa$n8 zbIwEgFsqLo_2Vu&I)yYWQKeAZ{@D|~<;HDFD0cSbE06AS>Pfj(JJ$y!8h(3WWMjvP z*Fb0*S=FTGQ(w=mvxaL(ZTxHTRl_cm{maq&CP_{(ugw#$EUOG}8kQ!5#3tWdey+7H z)18_Yh*&-EYs$Ui`9&qnTJ)r-f$ZMp3*cJMby+$i@{}{D?E1878+$z0KQY!(ZsiAq-T*JCTtm&aDhUGRVKii>u+m2kQ5z zw3H{7Y5X%_dv`9up**^X|C4(%e-hNvae!cUL36kH>*?v`>Je(};ri;6GxDbdYSZ*s6!6TRgu_#@d{!}s;ykv-rNxWsE#$_Fpte;d>l2b-3 zJ{*M~nGkJVKI2lVWzc>lAXE@wVm#)5&6_xBcKJ_OzNVGb3s#bLSTX?U5TY*9YokT8 zq!B4jH8?fTHL%cRO)Iw2QJIXO)%{(dZNMBooyaKGY!+eTVNi=)If}Kt@Z+G2H(IHG zrWdmD-LW zPl%kWI@^fOL(Z!SQHHTM0nwmw3B>+<%8d&LX^#kqOoR+SX0~ zwK(5RZG=VtB|}{t)a0I;_JRMAEKQ+c-PU5Io}i)upgAai5tPNwRXaB`R|4el^1`U( zJIJ}Bw$5)NGqk@co86~2`%~tdd^KbclQWmchn@A5;DVMYY$j>ZljqpJD^?az>z=34 zvrO>zkICd25ERs%Zo2cgMX%7TkpD#jO8lM@Qr6hnRn49?jaLMiEYV&CuD{L4tMIz& zZ{%q)C^Y2c&-7+&f*RMg$Q2usup|BPzFYKntT{vuV&3lSPcM?W?kM)AI&O zD;NyE|1po8TS`!`T9cXgEUn3OnRZdPh%6omT?_oqt{GXi1C&Ak-d`<>QTX8*CWZNK zOE`*9E?O{xNX|hpgGBC~U?7 zTxopA=-uUy9{~Jc`R+&!nnX1~-Cg}>j=WC#G>Cq1U|zG=B3%3I;mUQL=^65a5wyWi zs6;2dnqPBN@8R!(O=e*$30;y=Us|(u)#KonaX;^ZtjJ>K(m&ff21`6bGLC=!)hCNi zy(Ypi-QvQE-UaaOTKo759=!!;jFwM*)rxV#H|=3QJ?jfC8I#qFx<=q|`E!}epr!nI z%|=_ubZU#n#q((aO2*o1gNoL{M#cR0K_LO7PUgDc{ZD{5Jqe|twn2T`%)+JQ81WBZ zY`f6&Ionf=W28@`mwyf?FQx2J^4*0RHeEE|>47m_L44XA+ExuZCjA+LuRcdXEMdmOZr>gC3&x17=Z z+cX5deHop2Wev{2(jLi~rKU4buFC5Ie(gEer*7qodU>)8&i}qe0xzo9=8a$DWzlWH zq^{|6- z>kMYTfbwr_A1D1c2b!qg#Y{{_$i0n7j~dWj^d-T?-!qDK*Xb-lDba*ZOvGZQtQpt; z^Kgzk7wI#_6U5X&bHHjDfc2YhjM zowBP@c+*!v0prRaAPMn@UDipndr*F*E;S;6A9hA=zXS2DEY=z<#~}jcWwv%V1yr>3 zFU*&(n`W!$ga-l$$iXaQz-$M>o1I|*c{zSL=7S^MK 
zo9YnxtMEkgaRMKgJgXfK>PmxzVEP)R*Ty=k%IB?aLTez`-244S+7&wAtT5P#G4<_g zm)gsw2`_AMyZa>i6$Z>gK7cfs_5fC-qk4{WS7r0-PU8(pg<^~Zc=*7*_PRf|F=}K! zvU%`4`Lt(XSx#!XxiDyedwmbigeE*MX zflz&Z@o#Dd3*6~uhx2s~4LSpDgd%{nB(HX^15F(Q3*-FtFb{p4?v)k{(X2T^iC;3J zN;Af(${}{|su}I);B<{?yn#BEvJ=ovbGO~?l+=#$6US$}>baV9>DlAX1moG7BySOE zukT7HL#f3l&r}o~;ryAdxGARm-N~5uq$`g-6MVSRzcmG^n{Df*hGF_I4D|k&z z3%eLHepZU4(1_0#GXDaipWT2 zs;u1LX$(q47R+G~^+xtD>q3HfU~o~&+`|2H{Al`URPmf$FKa9%S+DY7^7}s;p0B|c z2G82>Hm`p{3JsnY+f$TUugI^}$Nqkwo{EbS8pl-`PWb=lD!zVH$B%%Vg7T5V=VS;a zwUL+S&wau|jQbs#X^ipN`6S*Egvx^W7yt_tQC_m#4?6n~MMng0`eN ztexT@qh7sWYwTLc=tZPg29F@x3 zV;Nc`Bnn?-69Y@yf?TUyg+;rhQx;W$A{$?vtZIg22oX@~st^Wm4$32En~J5Ai&I*6 zTk+?lV$5PUhxxoa*4=+XyW&EhwPMBswQx)rx?0yTzQG9V`c)=(yqoc;o4Yg_-QjEF z^i{QfhJT2~B{OsSPKiX$s$dY6px#$ESTp^eN#}Q$AL@-SiG0AMd=-L_WnN;z6jG<0 zre4-f`CsxF79m6N;{2yFfP#VZqqSzso|!|h2Scp!BIJ!t$pRgC4XWS#b!I!nc^~S7 z88 zHk$YkV?TwK!6-)$p-Kb8Vh+>D@yX!iV1j9jVMRan)Ww}`n{rX#!X}&n!YSLbXhmt{ z)B6%Hh!YQ!s)*#RtT@u28mzrGg8l%$`n -aws_secret_access_key= -``` -* Install velero: -``` -velero install \ - --provider aws \ - --plugins velero/velero-plugin-for-aws:v1.4.0 \ - --bucket dfc-k8s-main-velero-backups \ - --backup-location-config region=eu-central-1 \ - --snapshot-location-config region=eu-central-1 \ - --secret-file ./credentials-velero -``` diff --git a/apps/velero-backups/kustomization.yaml b/apps/velero-backups/kustomization.yaml deleted file mode 100644 index e08f491..0000000 --- a/apps/velero-backups/kustomization.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization - -resources: -- monthly-schedule.yaml diff --git a/apps/velero-backups/monthly-schedule.yaml b/apps/velero-backups/monthly-schedule.yaml deleted file mode 100644 index 14c7386..0000000 --- a/apps/velero-backups/monthly-schedule.yaml +++ /dev/null 
@@ -1,10 +0,0 @@ -apiVersion: velero.io/v1 -kind: Schedule -metadata: - name: monthly - namespace: velero -spec: - schedule: '31 1 1 * *' # 1:31 AM on the first of the month - template: - includedNamespaces: ['*'] - ttl: '800h0m0s' diff --git a/docs/Migrate From K8S to Docker.md b/docs/Migrate From K8S to Docker.md index fd15423..e4fc2b6 100644 --- a/docs/Migrate From K8S to Docker.md +++ b/docs/Migrate From K8S to Docker.md @@ -56,6 +56,13 @@ cd ~ git clone git@github.com:data-for-change/dfc-k8s.git git checkout migrate-to-docker-compose +# Set vm.max_map_count +echo "vm.max_map_count=262144" | sudo tee -a /etc/sysctl.conf +sudo sysctl -p + +# Disable hugepages +echo "never" | sudo tee /sys/kernel/mm/transparent_hugepage/enabled + # Create dfc docker network docker network create dfc From bffb573fc27616aebf4d187f0c125fcbc4bf9d9b Mon Sep 17 00:00:00 2001 From: Ori Hoch Date: Wed, 24 Jan 2024 22:33:40 +0200 Subject: [PATCH 15/22] migrate anyway to docker compose --- apps/cluster-admin/compose.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/apps/cluster-admin/compose.yaml b/apps/cluster-admin/compose.yaml index 305eabb..95a1844 100644 --- a/apps/cluster-admin/compose.yaml +++ b/apps/cluster-admin/compose.yaml @@ -15,3 +15,7 @@ services: networks: [dfc] ports: - "9001:5432" + +networks: + dfc: + external: true From aba27289ab659080cf25bf71d3f29eb3a930fe70 Mon Sep 17 00:00:00 2001 
From: Ori Hoch Date: Wed, 24 Jan 2024 22:41:54 +0200 Subject: [PATCH 16/22] migrate anyway to docker compose --- apps/anyway/README.md | 2 +- apps/anyway/compose.yaml | 2 + apps/argocd-apps/Chart.yaml | 3 - apps/argocd-apps/templates/apps.yaml | 35 - apps/argocd-apps/templates/projects.yaml | 9 - apps/argocd-apps/values-prod-apps.yaml | 26 - apps/argocd-apps/values-prod-infra-apps.yaml | 95 - apps/argocd-apps/values-prod-projects.yaml | 13 - apps/argocd-install/.gitignore | 1 - apps/argocd-install/argocd-cm.yaml.template | 27 - apps/argocd-install/argocd-dfc-plugin.py | 152 - apps/argocd-install/argocd-rbac-cm.yaml | 8 - .../argocd-repo-server-deploy.yaml | 33 - .../argocd-server-deployment.yaml | 10 - apps/argocd-install/dfc-k8s-argocd-apps.yaml | 25 - apps/argocd-install/ingress-grpc.yaml | 17 - apps/argocd-install/ingress-https.yaml | 17 - apps/argocd-install/install.yaml | 10706 ---------------- apps/argocd-install/kustomization.yaml | 16 - .../patch-argocd-server-cluster-role.yaml | 29 - .../patch-argocd-server-role.yaml | 41 - apps/argocd-install/plugin/Dockerfile | 5 - apps/argocd-install/render_templates.sh | 14 - apps/cluster-admin/Chart.yaml | 3 - apps/cluster-admin/templates/secrets.yaml | 9 - .../terraform-state-db-deployment.yaml | 79 - .../templates/terraform-state-db-pvc.yaml | 10 - .../templates/terraform-state-db-service.yaml | 10 - apps/cluster-admin/values-main.yaml | 18 - .../controller-tcp-services-configmap.yaml | 9 - apps/ingress-nginx/deploy.yaml | 660 - apps/ingress-nginx/kustomization.yaml | 22 - .../patch-controller-configmap.yaml | 7 - .../patch-controller-nlb-service.yaml | 16 - .../patch-controller-service.yaml | 7 - 35 files changed, 3 insertions(+), 12133 deletions(-) delete mode 100644 apps/argocd-apps/Chart.yaml delete mode 100644 apps/argocd-apps/templates/apps.yaml delete mode 100644 apps/argocd-apps/templates/projects.yaml delete mode 100644 apps/argocd-apps/values-prod-apps.yaml delete mode 100644 
apps/argocd-apps/values-prod-infra-apps.yaml delete mode 100644 apps/argocd-apps/values-prod-projects.yaml delete mode 100644 apps/argocd-install/.gitignore delete mode 100644 apps/argocd-install/argocd-cm.yaml.template delete mode 100644 apps/argocd-install/argocd-dfc-plugin.py delete mode 100644 apps/argocd-install/argocd-rbac-cm.yaml delete mode 100644 apps/argocd-install/argocd-repo-server-deploy.yaml delete mode 100644 apps/argocd-install/argocd-server-deployment.yaml delete mode 100644 apps/argocd-install/dfc-k8s-argocd-apps.yaml delete mode 100644 apps/argocd-install/ingress-grpc.yaml delete mode 100644 apps/argocd-install/ingress-https.yaml delete mode 100644 apps/argocd-install/install.yaml delete mode 100644 apps/argocd-install/kustomization.yaml delete mode 100644 apps/argocd-install/patch-argocd-server-cluster-role.yaml delete mode 100644 apps/argocd-install/patch-argocd-server-role.yaml delete mode 100644 apps/argocd-install/plugin/Dockerfile delete mode 100755 apps/argocd-install/render_templates.sh delete mode 100644 apps/cluster-admin/Chart.yaml delete mode 100644 apps/cluster-admin/templates/secrets.yaml delete mode 100644 apps/cluster-admin/templates/terraform-state-db-deployment.yaml delete mode 100644 apps/cluster-admin/templates/terraform-state-db-pvc.yaml delete mode 100644 apps/cluster-admin/templates/terraform-state-db-service.yaml delete mode 100644 apps/cluster-admin/values-main.yaml delete mode 100644 apps/ingress-nginx/controller-tcp-services-configmap.yaml delete mode 100644 apps/ingress-nginx/deploy.yaml delete mode 100644 apps/ingress-nginx/kustomization.yaml delete mode 100644 apps/ingress-nginx/patch-controller-configmap.yaml delete mode 100644 apps/ingress-nginx/patch-controller-nlb-service.yaml delete mode 100644 apps/ingress-nginx/patch-controller-service.yaml diff --git a/apps/anyway/README.md b/apps/anyway/README.md index 396f513..206ca98 100644 --- a/apps/anyway/README.md +++ b/apps/anyway/README.md 
@@ -35,7 +35,7 @@ Run: ### TODO: db-backup-cronjob ### TODO: ingresses -### TODO: airflow execut via kubectl exec - modify to execute in docker compose +### TODO: airflow execute via kubectl exec - modify to execute in docker compose ### TODO: check anyway nginx proxy and configurations - for new docker compose hostnames ## Enable DB Redash read-only user diff --git a/apps/anyway/compose.yaml b/apps/anyway/compose.yaml index 5e2b413..4019b38 100644 --- a/apps/anyway/compose.yaml +++ b/apps/anyway/compose.yaml @@ -51,6 +51,8 @@ services: tmpfs: - /dev/shm:size=1024m networks: [dfc] + ports: + - "9002:5432" airflow-db: image: postgres:13@sha256:6647385dd9ae11aa2216bf55c54d126b0a85637b3cf4039ef24e3234113588e3 diff --git a/apps/argocd-apps/Chart.yaml b/apps/argocd-apps/Chart.yaml deleted file mode 100644 index 6413881..0000000 --- a/apps/argocd-apps/Chart.yaml +++ /dev/null @@ -1,3 +0,0 @@ -name: argocd-apps -version: "v0.0.0" -apiVersion: v2 diff --git a/apps/argocd-apps/templates/apps.yaml b/apps/argocd-apps/templates/apps.yaml deleted file mode 100644 index 4818027..0000000 --- a/apps/argocd-apps/templates/apps.yaml +++ /dev/null 
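Review bot: The added `ports:` entry `- "9002:5432"` in apps/anyway/compose.yaml gives no host IP, so container port 5432 (presumably the anyway Postgres service, whose definition starts above the hunk) is published on every host interface. Docker installs its own iptables rules for published ports, so a host firewall such as ufw may not block it; unless remote clients need direct access, bind it to loopback with `- "127.0.0.1:9002:5432"` or to a private interface address. If remote access is intended, a comment such as `# published for <consumer>; access restricted by <firewall or security group>` above the mapping would record that decision. The apps/cluster-admin/compose.yaml hunk in PATCH 15/22 shows the same unbound form as context (`"9001:5432"`) and deserves the same check.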
@@ -1,35 +0,0 @@ -{{ range (concat .Values.apps .Values.infra_apps) }} -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: {{ .name | quote }} - namespace: argocd -spec: - destination: - namespace: {{ if .destinationNamespace }}{{ .destinationNamespace | quote }}{{ else }}{{ .name | quote }}{{ end }} - {{ if .destinationClusterName }} - name: {{ .destinationClusterName | quote }} - {{ else }} - server: 'https://kubernetes.default.svc' - {{ end }} - project: {{ if .project }}{{ .project | quote }}{{ else }}{{ .name | quote }}{{ end }} - source: {{ toYaml .source | nindent 4 }} - {{ if or .sourceVaultPluginHelmValueFiles .sourceVaultPluginExtraHelmArgs }} - plugin: - name: argocd-vault-plugin-helm-with-args - env: - - name: helm_args - value: {{ range .sourceVaultPluginHelmValueFiles }} -f {{ . }} {{ end }}{{ .sourceVaultPluginExtraHelmArgs | join " " }} - {{ end }} - syncPolicy: - {{ if not $.Values.globalDisableAutoSync }} - {{ if not .disableAutoSync }} - automated: - prune: true - selfHeal: true - {{ end }} - {{ end }} - syncOptions: - - CreateNamespace=true ---- -{{ end }} \ No newline at end of file diff --git a/apps/argocd-apps/templates/projects.yaml b/apps/argocd-apps/templates/projects.yaml deleted file mode 100644 index 1c51934..0000000 --- a/apps/argocd-apps/templates/projects.yaml +++ /dev/null @@ -1,9 +0,0 @@ -{{ range .Values.projects }} -apiVersion: argoproj.io/v1alpha1 -kind: AppProject -metadata: - name: {{ .name | quote }} - namespace: argocd -spec: {{ toYaml .spec | nindent 2 }} ---- -{{ end }} \ No newline at end of file diff --git a/apps/argocd-apps/values-prod-apps.yaml b/apps/argocd-apps/values-prod-apps.yaml deleted file mode 100644 index be4f115..0000000 --- a/apps/argocd-apps/values-prod-apps.yaml +++ /dev/null 
@@ -1,26 +0,0 @@ -apps: - - - name: anyway-prod - disableAutoSync: false - project: anyway - destinationNamespace: anyway - source: - repoURL: 'https://github.com/data-for-change/dfc-k8s.git' - targetRevision: main - path: apps/anyway - sourceVaultPluginHelmValueFiles: - - values-anyway-prod.yaml - - values-anyway-auto-updated.yaml - - # temporarily disabled anyway-dev to save resources -# - name: anyway-dev -# disableAutoSync: true -# project: anyway -# destinationNamespace: anyway-dev -# source: -# repoURL: 'https://github.com/data-for-change/dfc-k8s.git' -# targetRevision: main -# path: apps/anyway -# sourceVaultPluginHelmValueFiles: -# - values-anyway-dev.yaml -# - values-anyway-auto-updated.yaml diff --git a/apps/argocd-apps/values-prod-infra-apps.yaml b/apps/argocd-apps/values-prod-infra-apps.yaml deleted file mode 100644 index b4e956a..0000000 --- a/apps/argocd-apps/values-prod-infra-apps.yaml +++ /dev/null 
@@ -1,95 +0,0 @@ -infra_apps: - - - name: monitoring-kube-prometheus-crds - disableAutoSync: true - project: default - destinationNamespace: monitoring - source: - repoURL: https://github.com/prometheus-community/helm-charts.git - path: charts/kube-prometheus-stack/crds/ - # this version should match version defined in apps/monitoring/Chart.yaml - targetRevision: kube-prometheus-stack-39.11.0 - directory: - recurse: true - - - name: monitoring - disableAutoSync: true - project: default - destinationNamespace: monitoring - source: - repoURL: 'https://github.com/data-for-change/dfc-k8s.git' - targetRevision: main - path: apps/monitoring - sourceVaultPluginHelmValueFiles: - - values-main.yaml - - - name: logging - disableAutoSync: true - project: default - destinationNamespace: logging - source: - repoURL: 'https://github.com/data-for-change/dfc-k8s.git' - targetRevision: main - path: apps/logging - sourceVaultPluginHelmValueFiles: - - values-main.yaml - - - name: velero-backups - disableAutoSync: true - project: default - destinationNamespace: velero - source: - repoURL: 'https://github.com/data-for-change/dfc-k8s.git' - targetRevision: main - path: apps/velero-backups - - - name: vault - disableAutoSync: true - project: default - destinationNamespace: vault - source: - repoURL: 'https://github.com/data-for-change/dfc-k8s.git' - targetRevision: main - path: apps/vault - - - name: ingress-nginx - disableAutoSync: true - project: default - destinationNamespace: ingress-nginx - source: - repoURL: 'https://github.com/data-for-change/dfc-k8s.git' - targetRevision: main - path: apps/ingress-nginx - - - name: cluster-admin - disableAutoSync: true - project: default - destinationNamespace: cluster-admin - source: - repoURL: 'https://github.com/data-for-change/dfc-k8s.git' - targetRevision: main - path: apps/cluster-admin - sourceVaultPluginHelmValueFiles: - - values-main.yaml - - - name: redash - disableAutoSync: true - project: default - destinationNamespace: redash - 
source: - repoURL: 'https://github.com/data-for-change/dfc-k8s.git' - targetRevision: main - path: apps/redash - sourceVaultPluginHelmValueFiles: - - values.yaml - - - name: selenium - disableAutoSync: true - project: default - destinationNamespace: selenium - source: - repoURL: 'https://github.com/data-for-change/dfc-k8s.git' - targetRevision: main - path: apps/selenium - sourceVaultPluginHelmValueFiles: - - values.yaml diff --git a/apps/argocd-apps/values-prod-projects.yaml b/apps/argocd-apps/values-prod-projects.yaml deleted file mode 100644 index 94aa383..0000000 --- a/apps/argocd-apps/values-prod-projects.yaml +++ /dev/null @@ -1,13 +0,0 @@ -projects: - - - name: anyway - spec: - destinations: - - name: '*' - namespace: anyway - server: 'https://kubernetes.default.svc' - - name: '*' - namespace: anyway-dev - server: 'https://kubernetes.default.svc' - sourceRepos: - - 'https://github.com/data-for-change/dfc-k8s.git' diff --git a/apps/argocd-install/.gitignore b/apps/argocd-install/.gitignore deleted file mode 100644 index c2525b7..0000000 --- a/apps/argocd-install/.gitignore +++ /dev/null @@ -1 +0,0 @@ -argocd-cm.yaml diff --git a/apps/argocd-install/argocd-cm.yaml.template b/apps/argocd-install/argocd-cm.yaml.template deleted file mode 100644 index f8b17f2..0000000 --- a/apps/argocd-install/argocd-cm.yaml.template +++ /dev/null 
@@ -1,27 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: argocd-cm -data: - url: "https://argocd.dataforchange.org.il" - exec.enabled: "true" - dex.config: | - connectors: - - type: github - id: github - name: GitHub - config: - clientID: "__dex.config.connectors.github.clientID__" - clientSecret: "__dex.config.connectors.github.clientSecret__" - orgs: - - name: data-for-change - teams: - - argocd-admins - - argocd-users - configManagementPlugins: | - - name: argocd-vault-plugin-helm-with-args - init: - command: ["argocd-dfc-plugin", "init", "."] - generate: - command: ["sh", "-c"] - args: ['argocd-dfc-plugin generate . "$ARGOCD_APP_NAME" "$ARGOCD_APP_NAMESPACE" ${ARGOCD_ENV_helm_args}'] diff --git a/apps/argocd-install/argocd-dfc-plugin.py b/apps/argocd-install/argocd-dfc-plugin.py deleted file mode 100644 index f1ca219..0000000 --- a/apps/argocd-install/argocd-dfc-plugin.py +++ /dev/null 
@@ -1,152 +0,0 @@ -#!/usr/bin/env python3 -import re -import os -import sys -import json -import base64 -import urllib3 -import subprocess - -import requests -from kubernetes import client, config - - -DEBUG = False - - -regex_pattern = re.compile('~([^~]+)~') -regex_format = '~{}~' - - -urllib3.disable_warnings() -try: - config.load_incluster_config() -except config.ConfigException: - try: - config.load_kube_config() - except config.ConfigException: - raise Exception("Could not configure kubernetes python client") -coreV1Api = client.CoreV1Api() - - -def debug_log(msg, with_env=False): - if DEBUG: - with open('/tmp/argocd-dfc-plugin.log', 'a') as f: - f.write(f'{msg}\n') - if with_env: - debug_log(subprocess.check_output(['env']).decode()) - - -def init(chart_path): - debug_log(f'init chart_path={chart_path}') - config_json_filename = os.path.join(chart_path, 'argocd_dfc_plugin.json') - conf = {} - if os.path.exists(config_json_filename): - with open(config_json_filename) as f: - conf = json.load(f) - for repo_name, repo_url in conf.get('init_helm_repos', {}).items(): - subprocess.check_call(['helm', 'repo', 'add', repo_name, repo_url]) - subprocess.check_call(['helm', 'dependency', 'build'], cwd=chart_path) - - -def parse_matches(matches): - parsed_matches = {} - for match in matches: - if match.startswith('vault'): - match_parts = match.split(':') - if len(match_parts) > 2: - parse_type, vault_path, *vault_key = match.split(':') - vault_key = ':'.join(vault_key) - if len(vault_path) and len(vault_key): - parsed_matches[match] = { - 'type': 'vault', - 'path': vault_path, - 'key': vault_key, - 'output_raw': parse_type == 'vault_raw' - } - elif match.startswith('iac:'): - match_parts = match.split(':') - if len(match_parts) > 1: - _, *iac_key = match.split(':') - iac_key = ':'.join(iac_key) - if len(iac_key): - parsed_matches[match] = { - 'type': 'iac', - 'key': iac_key - } - return parsed_matches - - -def get_vault_path_data(vault_addr, vault_token, path): - path 
= os.path.join('kv', 'data', path) - return requests.get( - os.path.join(vault_addr, 'v1', path), - headers={'X-Vault-Token': vault_token} - ).json()['data']['data'] - - -def get_iac_data(): - configmap = coreV1Api.read_namespaced_config_map('tf-outputs', 'argocd') - return configmap.data - - -def get_vault_creds(): - secret = coreV1Api.read_namespaced_secret('argocd-vault-plugin-credentials', 'argocd') - data = {k: base64.b64decode(v).decode() for k, v in secret.data.items()} - role_id = data['AVP_ROLE_ID'] - secret_id = data['AVP_SECRET_ID'] - vault_addr = data['VAULT_ADDR'] - vault_token = requests.post( - f'{vault_addr}/v1/auth/approle/login', - json={'role_id': role_id, 'secret_id': secret_id} - ).json()['auth']['client_token'] - return vault_addr, vault_token - - -def get_match_values(parsed_matches): - vault_addr, vault_token = get_vault_creds() - match_values = {} - iac_data = None - vault_paths_data = {} - for match, parsed_match in parsed_matches.items(): - if parsed_match['type'] == 'iac': - if iac_data is None: - iac_data = get_iac_data() - match_values[match] = iac_data.get(parsed_match['key'], '') - elif parsed_match['type'] == 'vault': - if parsed_match['path'] not in vault_paths_data: - vault_paths_data[parsed_match['path']] = get_vault_path_data(vault_addr, vault_token, parsed_match['path']) - val = vault_paths_data[parsed_match['path']].get(parsed_match['key'], '') - if not parsed_match['output_raw']: - val = base64.b64encode(val.encode()).decode() - match_values[match] = val - return match_values - - -def generate(chart_path, argocd_app_name, argocd_app_namespace, *helm_args): - debug_log( - f'generate chart_path={chart_path} argocd_app_name={argocd_app_name} ' - f'argocd_app_namespace={argocd_app_namespace} helm_args={helm_args}', - with_env=True - ) - yamls = subprocess.check_output( - ['helm', 'template', argocd_app_name, '--namespace', argocd_app_namespace, *helm_args, '.'], - cwd=chart_path - ).decode() - parsed_matches = 
parse_matches(set(re.findall(regex_pattern, yamls))) - match_values = get_match_values(parsed_matches) - for match, value in match_values.items(): - yamls = yamls.replace(regex_format.format(match), value) - yamls = yamls.replace('docker.pkg.github.com', 'ghcr.io') - print(yamls) - - -def main(operation, *args): - if operation == 'init': - init(*args) - elif operation == 'generate': - generate(*args) - - -if __name__ == "__main__": - main(*sys.argv[1:]) diff --git a/apps/argocd-install/argocd-rbac-cm.yaml b/apps/argocd-install/argocd-rbac-cm.yaml deleted file mode 100644 index ac3c7ce..0000000 --- a/apps/argocd-install/argocd-rbac-cm.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: argocd-rbac-cm -data: - policy.csv: | - g, data-for-change:argocd-admins, role:admin - policy.default: 'role:readonly' diff --git a/apps/argocd-install/argocd-repo-server-deploy.yaml b/apps/argocd-install/argocd-repo-server-deploy.yaml deleted file mode 100644 index c6cbb45..0000000 --- a/apps/argocd-install/argocd-repo-server-deploy.yaml +++ /dev/null 
@@ -1,33 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: argocd-repo-server -spec: - template: - spec: - containers: - - name: argocd-repo-server - # Built from apps/argocd-install/plugin Sep 7, 2022 - image: ghcr.io/data-for-change/dfc-k8s-argocd:5bdac3baf0cf39cf794bbb439875814d27405087@sha256:18ca005ee504ea666fa1667f87488ad1f9513ebffa18b833b6c632f32e4a35d1 - volumeMounts: - - name: custom-tools - mountPath: /usr/local/bin/argocd-dfc-plugin - subPath: argocd-dfc-plugin - volumes: - - name: custom-tools - emptyDir: {} - initContainers: - - name: download-tools - image: alpine:3.8 - command: [sh, -c] - args: - - >- - wget -O argocd-dfc-plugin - https://raw.githubusercontent.com/data-for-change/dfc-k8s/main/apps/argocd-install/argocd-dfc-plugin.py && - chmod +x argocd-dfc-plugin && - mv argocd-dfc-plugin /custom-tools/ - volumeMounts: - - mountPath: /custom-tools - name: custom-tools - automountServiceAccountToken: true - serviceAccountName: argocd-server diff --git a/apps/argocd-install/argocd-server-deployment.yaml b/apps/argocd-install/argocd-server-deployment.yaml deleted file mode 100644 index 9afba88..0000000 --- a/apps/argocd-install/argocd-server-deployment.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: argocd-server -spec: - template: - spec: - containers: - - name: argocd-server - command: ["argocd-server", "--insecure"] diff --git a/apps/argocd-install/dfc-k8s-argocd-apps.yaml b/apps/argocd-install/dfc-k8s-argocd-apps.yaml deleted file mode 100644 index f2c2a61..0000000 --- a/apps/argocd-install/dfc-k8s-argocd-apps.yaml +++ /dev/null 
@@ -1,25 +0,0 @@ -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: dfc-k8s-argocd-apps - namespace: argocd -spec: - destination: - namespace: argocd - server: 'https://kubernetes.default.svc' - project: default - source: - repoURL: 'https://github.com/data-for-change/dfc-k8s.git' - targetRevision: main - path: apps/argocd-apps - helm: - valueFiles: - - values-prod-infra-apps.yaml - - values-prod-projects.yaml - - values-prod-apps.yaml - syncPolicy: - automated: - prune: true - selfHeal: true - syncOptions: - - CreateNamespace=true diff --git a/apps/argocd-install/ingress-grpc.yaml b/apps/argocd-install/ingress-grpc.yaml deleted file mode 100644 index 8f74ab5..0000000 --- a/apps/argocd-install/ingress-grpc.yaml +++ /dev/null @@ -1,17 +0,0 @@ -kind: Ingress -apiVersion: networking.k8s.io/v1 -metadata: - name: argocd-server-grpc -spec: - ingressClassName: nginx - rules: - - host: argocd-grpc.dataforchange.org.il - http: - paths: - - backend: - service: - name: argocd-server - port: - name: https - pathType: Prefix - path: / diff --git a/apps/argocd-install/ingress-https.yaml b/apps/argocd-install/ingress-https.yaml deleted file mode 100644 index 74fcf18..0000000 --- a/apps/argocd-install/ingress-https.yaml +++ /dev/null @@ -1,17 +0,0 @@ -kind: Ingress -apiVersion: networking.k8s.io/v1 -metadata: - name: argocd-server-https -spec: - ingressClassName: nginx - rules: - - host: argocd.dataforchange.org.il - http: - paths: - - backend: - service: - name: argocd-server - port: - name: http - pathType: Prefix - path: / diff --git a/apps/argocd-install/install.yaml b/apps/argocd-install/install.yaml deleted file mode 100644 index 20284d7..0000000 --- a/apps/argocd-install/install.yaml +++ /dev/null 
@@ -1,10706 +0,0 @@ -# downloaded Sep 8, 2022 from: -# https://raw.githubusercontent.com/argoproj/argo-cd/v2.4.11/manifests/install.yaml -# This is an auto-generated file. DO NOT EDIT -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app.kubernetes.io/name: applications.argoproj.io - app.kubernetes.io/part-of: argocd - name: applications.argoproj.io -spec: - group: argoproj.io - names: - kind: Application - listKind: ApplicationList - plural: applications - shortNames: - - app - - apps - singular: application - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .status.sync.status - name: Sync Status - type: string - - jsonPath: .status.health.status - name: Health Status - type: string - - jsonPath: .status.sync.revision - name: Revision - priority: 10 - type: string - name: v1alpha1 - schema: - openAPIV3Schema: - description: Application is a definition of Application resource. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - operation: - description: Operation contains information about a requested or running - operation - properties: - info: - description: Info is a list of informational items for this operation - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - initiatedBy: - description: InitiatedBy contains information about who initiated - the operations - properties: - automated: - description: Automated is set to true if operation was initiated - automatically by the application controller. - type: boolean - username: - description: Username contains the name of a user who started - operation - type: string - type: object - retry: - description: Retry controls the strategy to apply if a sync fails - properties: - backoff: - description: Backoff controls how to backoff on subsequent retries - of failed syncs - properties: - duration: - description: Duration is the amount to back off. Default unit - is seconds, but could also be a duration (e.g. "2m", "1h") - type: string - factor: - description: Factor is a factor to multiply the base duration - after each failed retry - format: int64 - type: integer - maxDuration: - description: MaxDuration is the maximum amount of time allowed - for the backoff strategy - type: string - type: object - limit: - description: Limit is the maximum number of attempts for retrying - a failed sync. If set to 0, no retries will be performed. 
- format: int64 - type: integer - type: object - sync: - description: Sync contains parameters for the operation - properties: - dryRun: - description: DryRun specifies to perform a `kubectl apply --dry-run` - without actually performing the sync - type: boolean - manifests: - description: Manifests is an optional field that overrides sync - source with a local directory for development - items: - type: string - type: array - prune: - description: Prune specifies to delete resources from the cluster - that are no longer tracked in git - type: boolean - resources: - description: Resources describes which resources shall be part - of the sync - items: - description: SyncOperationResource contains resources to sync. - properties: - group: - type: string - kind: - type: string - name: - type: string - namespace: - type: string - required: - - kind - - name - type: object - type: array - revision: - description: Revision is the revision (Git) or chart version (Helm) - which to sync the application to If omitted, will use the revision - specified in app spec. - type: string - source: - description: Source overrides the source definition set in the - application. This is typically set in a Rollback operation and - is nil during a Sync operation - properties: - chart: - description: Chart is a Helm chart name, and must be specified - for applications sourced from a Helm repo. 
- type: string - directory: - description: Directory holds path/directory specific options - properties: - exclude: - description: Exclude contains a glob pattern to match - paths against that should be explicitly excluded from - being used during manifest generation - type: string - include: - description: Include contains a glob pattern to match - paths against that should be explicitly included during - manifest generation - type: string - jsonnet: - description: Jsonnet holds options specific to Jsonnet - properties: - extVars: - description: ExtVars is a list of Jsonnet External - Variables - items: - description: JsonnetVar represents a variable to - be passed to jsonnet during manifest generation - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - description: Additional library search dirs - items: - type: string - type: array - tlas: - description: TLAS is a list of Jsonnet Top-level Arguments - items: - description: JsonnetVar represents a variable to - be passed to jsonnet during manifest generation - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - description: Recurse specifies whether to scan a directory - recursively for manifests - type: boolean - type: object - helm: - description: Helm holds helm specific options - properties: - fileParameters: - description: FileParameters are file parameters to the - helm template - items: - description: HelmFileParameter is a file parameter that's - passed to helm template during manifest generation - properties: - name: - description: Name is the name of the Helm parameter - type: string - path: - description: Path is the path to the file containing - the values for the Helm parameter - type: string - type: object - type: array - ignoreMissingValueFiles: - description: 
IgnoreMissingValueFiles prevents helm template - from failing when valueFiles do not exist locally by - not appending them to helm template --values - type: boolean - parameters: - description: Parameters is a list of Helm parameters which - are passed to the helm template command upon manifest - generation - items: - description: HelmParameter is a parameter that's passed - to helm template during manifest generation - properties: - forceString: - description: ForceString determines whether to tell - Helm to interpret booleans and numbers as strings - type: boolean - name: - description: Name is the name of the Helm parameter - type: string - value: - description: Value is the value for the Helm parameter - type: string - type: object - type: array - passCredentials: - description: PassCredentials pass credentials to all domains - (Helm's --pass-credentials) - type: boolean - releaseName: - description: ReleaseName is the Helm release name to use. - If omitted it will use the application name - type: string - skipCrds: - description: SkipCrds skips custom resource definition - installation step (Helm's --skip-crds) - type: boolean - valueFiles: - description: ValuesFiles is a list of Helm value files - to use when generating a template - items: - type: string - type: array - values: - description: Values specifies Helm values to be passed - to helm template, typically defined as a block - type: string - version: - description: Version is the Helm version to use for templating - ("3") - type: string - type: object - kustomize: - description: Kustomize holds kustomize specific options - properties: - commonAnnotations: - additionalProperties: - type: string - description: CommonAnnotations is a list of additional - annotations to add to rendered manifests - type: object - commonLabels: - additionalProperties: - type: string - description: CommonLabels is a list of additional labels - to add to rendered manifests - type: object - forceCommonAnnotations: - 
description: ForceCommonAnnotations specifies whether - to force applying common annotations to resources for - Kustomize apps - type: boolean - forceCommonLabels: - description: ForceCommonLabels specifies whether to force - applying common labels to resources for Kustomize apps - type: boolean - images: - description: Images is a list of Kustomize image override - specifications - items: - description: KustomizeImage represents a Kustomize image - definition in the format [old_image_name=]: - type: string - type: array - namePrefix: - description: NamePrefix is a prefix appended to resources - for Kustomize apps - type: string - nameSuffix: - description: NameSuffix is a suffix appended to resources - for Kustomize apps - type: string - version: - description: Version controls which version of Kustomize - to use for rendering manifests - type: string - type: object - path: - description: Path is a directory path within the Git repository, - and is only valid for applications sourced from Git. - type: string - plugin: - description: ConfigManagementPlugin holds config management - plugin specific options - properties: - env: - description: Env is a list of environment variable entries - items: - description: EnvEntry represents an entry in the application's - environment - properties: - name: - description: Name is the name of the variable, usually - expressed in uppercase - type: string - value: - description: Value is the value of the variable - type: string - required: - - name - - value - type: object - type: array - name: - type: string - type: object - repoURL: - description: RepoURL is the URL to the repository (Git or - Helm) that contains the application manifests - type: string - targetRevision: - description: TargetRevision defines the revision of the source - to sync the application to. In case of Git, this can be - commit, tag, or branch. If omitted, will equal to HEAD. - In case of Helm, this is a semver tag for the Chart's version. 
- type: string - required: - - repoURL - type: object - syncOptions: - description: SyncOptions provide per-sync sync-options, e.g. Validate=false - items: - type: string - type: array - syncStrategy: - description: SyncStrategy describes how to perform the sync - properties: - apply: - description: Apply will perform a `kubectl apply` to perform - the sync. - properties: - force: - description: Force indicates whether or not to supply - the --force flag to `kubectl apply`. The --force flag - deletes and re-create the resource, when PATCH encounters - conflict and has retried for 5 times. - type: boolean - type: object - hook: - description: Hook will submit any referenced resources to - perform the sync. This is the default strategy - properties: - force: - description: Force indicates whether or not to supply - the --force flag to `kubectl apply`. The --force flag - deletes and re-create the resource, when PATCH encounters - conflict and has retried for 5 times. - type: boolean - type: object - type: object - type: object - type: object - spec: - description: ApplicationSpec represents desired application state. Contains - link to repository with application definition and additional parameters - link definition revision. - properties: - destination: - description: Destination is a reference to the target Kubernetes server - and namespace - properties: - name: - description: Name is an alternate way of specifying the target - cluster by its symbolic name - type: string - namespace: - description: Namespace specifies the target namespace for the - application's resources. 
The namespace will only be set for - namespace-scoped resources that have not set a value for .metadata.namespace - type: string - server: - description: Server specifies the URL of the target cluster and - must be set to the Kubernetes control plane API - type: string - type: object - ignoreDifferences: - description: IgnoreDifferences is a list of resources and their fields - which should be ignored during comparison - items: - description: ResourceIgnoreDifferences contains resource filter - and list of json paths which should be ignored during comparison - with live state. - properties: - group: - type: string - jqPathExpressions: - items: - type: string - type: array - jsonPointers: - items: - type: string - type: array - kind: - type: string - managedFieldsManagers: - description: ManagedFieldsManagers is a list of trusted managers. - Fields mutated by those managers will take precedence over - the desired state defined in the SCM and won't be displayed - in diffs - items: - type: string - type: array - name: - type: string - namespace: - type: string - required: - - kind - type: object - type: array - info: - description: Info contains a list of information (URLs, email addresses, - and plain text) that relates to the application - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - project: - description: Project is a reference to the project this application - belongs to. The empty string means that application belongs to the - 'default' project. - type: string - revisionHistoryLimit: - description: RevisionHistoryLimit limits the number of items kept - in the application's revision history, which is used for informational - purposes as well as for rollbacks to previous versions. This should - only be changed in exceptional circumstances. Setting to zero will - store no history. This will reduce storage used. 
Increasing will - increase the space used to store the history, so we do not recommend - increasing it. Default is 10. - format: int64 - type: integer - source: - description: Source is a reference to the location of the application's - manifests or chart - properties: - chart: - description: Chart is a Helm chart name, and must be specified - for applications sourced from a Helm repo. - type: string - directory: - description: Directory holds path/directory specific options - properties: - exclude: - description: Exclude contains a glob pattern to match paths - against that should be explicitly excluded from being used - during manifest generation - type: string - include: - description: Include contains a glob pattern to match paths - against that should be explicitly included during manifest - generation - type: string - jsonnet: - description: Jsonnet holds options specific to Jsonnet - properties: - extVars: - description: ExtVars is a list of Jsonnet External Variables - items: - description: JsonnetVar represents a variable to be - passed to jsonnet during manifest generation - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - description: Additional library search dirs - items: - type: string - type: array - tlas: - description: TLAS is a list of Jsonnet Top-level Arguments - items: - description: JsonnetVar represents a variable to be - passed to jsonnet during manifest generation - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - description: Recurse specifies whether to scan a directory - recursively for manifests - type: boolean - type: object - helm: - description: Helm holds helm specific options - properties: - fileParameters: - description: FileParameters are file parameters to the helm - template - items: - description: 
HelmFileParameter is a file parameter that's - passed to helm template during manifest generation - properties: - name: - description: Name is the name of the Helm parameter - type: string - path: - description: Path is the path to the file containing - the values for the Helm parameter - type: string - type: object - type: array - ignoreMissingValueFiles: - description: IgnoreMissingValueFiles prevents helm template - from failing when valueFiles do not exist locally by not - appending them to helm template --values - type: boolean - parameters: - description: Parameters is a list of Helm parameters which - are passed to the helm template command upon manifest generation - items: - description: HelmParameter is a parameter that's passed - to helm template during manifest generation - properties: - forceString: - description: ForceString determines whether to tell - Helm to interpret booleans and numbers as strings - type: boolean - name: - description: Name is the name of the Helm parameter - type: string - value: - description: Value is the value for the Helm parameter - type: string - type: object - type: array - passCredentials: - description: PassCredentials pass credentials to all domains - (Helm's --pass-credentials) - type: boolean - releaseName: - description: ReleaseName is the Helm release name to use. 
- If omitted it will use the application name - type: string - skipCrds: - description: SkipCrds skips custom resource definition installation - step (Helm's --skip-crds) - type: boolean - valueFiles: - description: ValuesFiles is a list of Helm value files to - use when generating a template - items: - type: string - type: array - values: - description: Values specifies Helm values to be passed to - helm template, typically defined as a block - type: string - version: - description: Version is the Helm version to use for templating - ("3") - type: string - type: object - kustomize: - description: Kustomize holds kustomize specific options - properties: - commonAnnotations: - additionalProperties: - type: string - description: CommonAnnotations is a list of additional annotations - to add to rendered manifests - type: object - commonLabels: - additionalProperties: - type: string - description: CommonLabels is a list of additional labels to - add to rendered manifests - type: object - forceCommonAnnotations: - description: ForceCommonAnnotations specifies whether to force - applying common annotations to resources for Kustomize apps - type: boolean - forceCommonLabels: - description: ForceCommonLabels specifies whether to force - applying common labels to resources for Kustomize apps - type: boolean - images: - description: Images is a list of Kustomize image override - specifications - items: - description: KustomizeImage represents a Kustomize image - definition in the format [old_image_name=]: - type: string - type: array - namePrefix: - description: NamePrefix is a prefix appended to resources - for Kustomize apps - type: string - nameSuffix: - description: NameSuffix is a suffix appended to resources - for Kustomize apps - type: string - version: - description: Version controls which version of Kustomize to - use for rendering manifests - type: string - type: object - path: - description: Path is a directory path within the Git repository, - and is only valid 
for applications sourced from Git. - type: string - plugin: - description: ConfigManagementPlugin holds config management plugin - specific options - properties: - env: - description: Env is a list of environment variable entries - items: - description: EnvEntry represents an entry in the application's - environment - properties: - name: - description: Name is the name of the variable, usually - expressed in uppercase - type: string - value: - description: Value is the value of the variable - type: string - required: - - name - - value - type: object - type: array - name: - type: string - type: object - repoURL: - description: RepoURL is the URL to the repository (Git or Helm) - that contains the application manifests - type: string - targetRevision: - description: TargetRevision defines the revision of the source - to sync the application to. In case of Git, this can be commit, - tag, or branch. If omitted, will equal to HEAD. In case of Helm, - this is a semver tag for the Chart's version. 
- type: string - required: - - repoURL - type: object - syncPolicy: - description: SyncPolicy controls when and how a sync will be performed - properties: - automated: - description: Automated will keep an application synced to the - target revision - properties: - allowEmpty: - description: 'AllowEmpty allows apps have zero live resources - (default: false)' - type: boolean - prune: - description: 'Prune specifies whether to delete resources - from the cluster that are not found in the sources anymore - as part of automated sync (default: false)' - type: boolean - selfHeal: - description: 'SelfHeal specifes whether to revert resources - back to their desired state upon modification in the cluster - (default: false)' - type: boolean - type: object - retry: - description: Retry controls failed sync retry behavior - properties: - backoff: - description: Backoff controls how to backoff on subsequent - retries of failed syncs - properties: - duration: - description: Duration is the amount to back off. Default - unit is seconds, but could also be a duration (e.g. - "2m", "1h") - type: string - factor: - description: Factor is a factor to multiply the base duration - after each failed retry - format: int64 - type: integer - maxDuration: - description: MaxDuration is the maximum amount of time - allowed for the backoff strategy - type: string - type: object - limit: - description: Limit is the maximum number of attempts for retrying - a failed sync. If set to 0, no retries will be performed. 
- format: int64 - type: integer - type: object - syncOptions: - description: Options allow you to specify whole app sync-options - items: - type: string - type: array - type: object - required: - - destination - - project - - source - type: object - status: - description: ApplicationStatus contains status information for the application - properties: - conditions: - description: Conditions is a list of currently observed application - conditions - items: - description: ApplicationCondition contains details about an application - condition, which is usally an error or warning - properties: - lastTransitionTime: - description: LastTransitionTime is the time the condition was - last observed - format: date-time - type: string - message: - description: Message contains human-readable message indicating - details about condition - type: string - type: - description: Type is an application condition type - type: string - required: - - message - - type - type: object - type: array - health: - description: Health contains information about the application's current - health status - properties: - message: - description: Message is a human-readable informational message - describing the health status - type: string - status: - description: Status holds the status code of the application or - resource - type: string - type: object - history: - description: History contains information about the application's - sync history - items: - description: RevisionHistory contains history information about - a previous sync - properties: - deployStartedAt: - description: DeployStartedAt holds the time the sync operation - started - format: date-time - type: string - deployedAt: - description: DeployedAt holds the time the sync operation completed - format: date-time - type: string - id: - description: ID is an auto incrementing identifier of the RevisionHistory - format: int64 - type: integer - revision: - description: Revision holds the revision the sync was performed - against - 
type: string - source: - description: Source is a reference to the application source - used for the sync operation - properties: - chart: - description: Chart is a Helm chart name, and must be specified - for applications sourced from a Helm repo. - type: string - directory: - description: Directory holds path/directory specific options - properties: - exclude: - description: Exclude contains a glob pattern to match - paths against that should be explicitly excluded from - being used during manifest generation - type: string - include: - description: Include contains a glob pattern to match - paths against that should be explicitly included during - manifest generation - type: string - jsonnet: - description: Jsonnet holds options specific to Jsonnet - properties: - extVars: - description: ExtVars is a list of Jsonnet External - Variables - items: - description: JsonnetVar represents a variable - to be passed to jsonnet during manifest generation - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - description: Additional library search dirs - items: - type: string - type: array - tlas: - description: TLAS is a list of Jsonnet Top-level - Arguments - items: - description: JsonnetVar represents a variable - to be passed to jsonnet during manifest generation - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - description: Recurse specifies whether to scan a directory - recursively for manifests - type: boolean - type: object - helm: - description: Helm holds helm specific options - properties: - fileParameters: - description: FileParameters are file parameters to the - helm template - items: - description: HelmFileParameter is a file parameter - that's passed to helm template during manifest generation - properties: - name: - description: Name is 
the name of the Helm parameter - type: string - path: - description: Path is the path to the file containing - the values for the Helm parameter - type: string - type: object - type: array - ignoreMissingValueFiles: - description: IgnoreMissingValueFiles prevents helm template - from failing when valueFiles do not exist locally - by not appending them to helm template --values - type: boolean - parameters: - description: Parameters is a list of Helm parameters - which are passed to the helm template command upon - manifest generation - items: - description: HelmParameter is a parameter that's passed - to helm template during manifest generation - properties: - forceString: - description: ForceString determines whether to - tell Helm to interpret booleans and numbers - as strings - type: boolean - name: - description: Name is the name of the Helm parameter - type: string - value: - description: Value is the value for the Helm parameter - type: string - type: object - type: array - passCredentials: - description: PassCredentials pass credentials to all - domains (Helm's --pass-credentials) - type: boolean - releaseName: - description: ReleaseName is the Helm release name to - use. 
If omitted it will use the application name - type: string - skipCrds: - description: SkipCrds skips custom resource definition - installation step (Helm's --skip-crds) - type: boolean - valueFiles: - description: ValuesFiles is a list of Helm value files - to use when generating a template - items: - type: string - type: array - values: - description: Values specifies Helm values to be passed - to helm template, typically defined as a block - type: string - version: - description: Version is the Helm version to use for - templating ("3") - type: string - type: object - kustomize: - description: Kustomize holds kustomize specific options - properties: - commonAnnotations: - additionalProperties: - type: string - description: CommonAnnotations is a list of additional - annotations to add to rendered manifests - type: object - commonLabels: - additionalProperties: - type: string - description: CommonLabels is a list of additional labels - to add to rendered manifests - type: object - forceCommonAnnotations: - description: ForceCommonAnnotations specifies whether - to force applying common annotations to resources - for Kustomize apps - type: boolean - forceCommonLabels: - description: ForceCommonLabels specifies whether to - force applying common labels to resources for Kustomize - apps - type: boolean - images: - description: Images is a list of Kustomize image override - specifications - items: - description: KustomizeImage represents a Kustomize - image definition in the format [old_image_name=]: - type: string - type: array - namePrefix: - description: NamePrefix is a prefix appended to resources - for Kustomize apps - type: string - nameSuffix: - description: NameSuffix is a suffix appended to resources - for Kustomize apps - type: string - version: - description: Version controls which version of Kustomize - to use for rendering manifests - type: string - type: object - path: - description: Path is a directory path within the Git repository, - and is only valid 
for applications sourced from Git. - type: string - plugin: - description: ConfigManagementPlugin holds config management - plugin specific options - properties: - env: - description: Env is a list of environment variable entries - items: - description: EnvEntry represents an entry in the application's - environment - properties: - name: - description: Name is the name of the variable, - usually expressed in uppercase - type: string - value: - description: Value is the value of the variable - type: string - required: - - name - - value - type: object - type: array - name: - type: string - type: object - repoURL: - description: RepoURL is the URL to the repository (Git or - Helm) that contains the application manifests - type: string - targetRevision: - description: TargetRevision defines the revision of the - source to sync the application to. In case of Git, this - can be commit, tag, or branch. If omitted, will equal - to HEAD. In case of Helm, this is a semver tag for the - Chart's version. - type: string - required: - - repoURL - type: object - required: - - deployedAt - - id - - revision - type: object - type: array - observedAt: - description: 'ObservedAt indicates when the application state was - updated without querying latest git state Deprecated: controller - no longer updates ObservedAt field' - format: date-time - type: string - operationState: - description: OperationState contains information about any ongoing - operations, such as a sync - properties: - finishedAt: - description: FinishedAt contains time of operation completion - format: date-time - type: string - message: - description: Message holds any pertinent messages when attempting - to perform operation (typically errors). 
- type: string - operation: - description: Operation is the original requested operation - properties: - info: - description: Info is a list of informational items for this - operation - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - initiatedBy: - description: InitiatedBy contains information about who initiated - the operations - properties: - automated: - description: Automated is set to true if operation was - initiated automatically by the application controller. - type: boolean - username: - description: Username contains the name of a user who - started operation - type: string - type: object - retry: - description: Retry controls the strategy to apply if a sync - fails - properties: - backoff: - description: Backoff controls how to backoff on subsequent - retries of failed syncs - properties: - duration: - description: Duration is the amount to back off. Default - unit is seconds, but could also be a duration (e.g. - "2m", "1h") - type: string - factor: - description: Factor is a factor to multiply the base - duration after each failed retry - format: int64 - type: integer - maxDuration: - description: MaxDuration is the maximum amount of - time allowed for the backoff strategy - type: string - type: object - limit: - description: Limit is the maximum number of attempts for - retrying a failed sync. If set to 0, no retries will - be performed. 
- format: int64 - type: integer - type: object - sync: - description: Sync contains parameters for the operation - properties: - dryRun: - description: DryRun specifies to perform a `kubectl apply - --dry-run` without actually performing the sync - type: boolean - manifests: - description: Manifests is an optional field that overrides - sync source with a local directory for development - items: - type: string - type: array - prune: - description: Prune specifies to delete resources from - the cluster that are no longer tracked in git - type: boolean - resources: - description: Resources describes which resources shall - be part of the sync - items: - description: SyncOperationResource contains resources - to sync. - properties: - group: - type: string - kind: - type: string - name: - type: string - namespace: - type: string - required: - - kind - - name - type: object - type: array - revision: - description: Revision is the revision (Git) or chart version - (Helm) which to sync the application to If omitted, - will use the revision specified in app spec. - type: string - source: - description: Source overrides the source definition set - in the application. This is typically set in a Rollback - operation and is nil during a Sync operation - properties: - chart: - description: Chart is a Helm chart name, and must - be specified for applications sourced from a Helm - repo. 
- type: string - directory: - description: Directory holds path/directory specific - options - properties: - exclude: - description: Exclude contains a glob pattern to - match paths against that should be explicitly - excluded from being used during manifest generation - type: string - include: - description: Include contains a glob pattern to - match paths against that should be explicitly - included during manifest generation - type: string - jsonnet: - description: Jsonnet holds options specific to - Jsonnet - properties: - extVars: - description: ExtVars is a list of Jsonnet - External Variables - items: - description: JsonnetVar represents a variable - to be passed to jsonnet during manifest - generation - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - description: Additional library search dirs - items: - type: string - type: array - tlas: - description: TLAS is a list of Jsonnet Top-level - Arguments - items: - description: JsonnetVar represents a variable - to be passed to jsonnet during manifest - generation - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - description: Recurse specifies whether to scan - a directory recursively for manifests - type: boolean - type: object - helm: - description: Helm holds helm specific options - properties: - fileParameters: - description: FileParameters are file parameters - to the helm template - items: - description: HelmFileParameter is a file parameter - that's passed to helm template during manifest - generation - properties: - name: - description: Name is the name of the Helm - parameter - type: string - path: - description: Path is the path to the file - containing the values for the Helm parameter - type: string - type: object - type: array - ignoreMissingValueFiles: - description: 
IgnoreMissingValueFiles prevents - helm template from failing when valueFiles do - not exist locally by not appending them to helm - template --values - type: boolean - parameters: - description: Parameters is a list of Helm parameters - which are passed to the helm template command - upon manifest generation - items: - description: HelmParameter is a parameter that's - passed to helm template during manifest generation - properties: - forceString: - description: ForceString determines whether - to tell Helm to interpret booleans and - numbers as strings - type: boolean - name: - description: Name is the name of the Helm - parameter - type: string - value: - description: Value is the value for the - Helm parameter - type: string - type: object - type: array - passCredentials: - description: PassCredentials pass credentials - to all domains (Helm's --pass-credentials) - type: boolean - releaseName: - description: ReleaseName is the Helm release name - to use. If omitted it will use the application - name - type: string - skipCrds: - description: SkipCrds skips custom resource definition - installation step (Helm's --skip-crds) - type: boolean - valueFiles: - description: ValuesFiles is a list of Helm value - files to use when generating a template - items: - type: string - type: array - values: - description: Values specifies Helm values to be - passed to helm template, typically defined as - a block - type: string - version: - description: Version is the Helm version to use - for templating ("3") - type: string - type: object - kustomize: - description: Kustomize holds kustomize specific options - properties: - commonAnnotations: - additionalProperties: - type: string - description: CommonAnnotations is a list of additional - annotations to add to rendered manifests - type: object - commonLabels: - additionalProperties: - type: string - description: CommonLabels is a list of additional - labels to add to rendered manifests - type: object - forceCommonAnnotations: - 
description: ForceCommonAnnotations specifies - whether to force applying common annotations - to resources for Kustomize apps - type: boolean - forceCommonLabels: - description: ForceCommonLabels specifies whether - to force applying common labels to resources - for Kustomize apps - type: boolean - images: - description: Images is a list of Kustomize image - override specifications - items: - description: KustomizeImage represents a Kustomize - image definition in the format [old_image_name=]: - type: string - type: array - namePrefix: - description: NamePrefix is a prefix appended to - resources for Kustomize apps - type: string - nameSuffix: - description: NameSuffix is a suffix appended to - resources for Kustomize apps - type: string - version: - description: Version controls which version of - Kustomize to use for rendering manifests - type: string - type: object - path: - description: Path is a directory path within the Git - repository, and is only valid for applications sourced - from Git. - type: string - plugin: - description: ConfigManagementPlugin holds config management - plugin specific options - properties: - env: - description: Env is a list of environment variable - entries - items: - description: EnvEntry represents an entry in - the application's environment - properties: - name: - description: Name is the name of the variable, - usually expressed in uppercase - type: string - value: - description: Value is the value of the variable - type: string - required: - - name - - value - type: object - type: array - name: - type: string - type: object - repoURL: - description: RepoURL is the URL to the repository - (Git or Helm) that contains the application manifests - type: string - targetRevision: - description: TargetRevision defines the revision of - the source to sync the application to. In case of - Git, this can be commit, tag, or branch. If omitted, - will equal to HEAD. In case of Helm, this is a semver - tag for the Chart's version. 
- type: string - required: - - repoURL - type: object - syncOptions: - description: SyncOptions provide per-sync sync-options, - e.g. Validate=false - items: - type: string - type: array - syncStrategy: - description: SyncStrategy describes how to perform the - sync - properties: - apply: - description: Apply will perform a `kubectl apply` - to perform the sync. - properties: - force: - description: Force indicates whether or not to - supply the --force flag to `kubectl apply`. - The --force flag deletes and re-create the resource, - when PATCH encounters conflict and has retried - for 5 times. - type: boolean - type: object - hook: - description: Hook will submit any referenced resources - to perform the sync. This is the default strategy - properties: - force: - description: Force indicates whether or not to - supply the --force flag to `kubectl apply`. - The --force flag deletes and re-create the resource, - when PATCH encounters conflict and has retried - for 5 times. - type: boolean - type: object - type: object - type: object - type: object - phase: - description: Phase is the current phase of the operation - type: string - retryCount: - description: RetryCount contains time of operation retries - format: int64 - type: integer - startedAt: - description: StartedAt contains time of operation start - format: date-time - type: string - syncResult: - description: SyncResult is the result of a Sync operation - properties: - resources: - description: Resources contains a list of sync result items - for each individual resource in a sync operation - items: - description: ResourceResult holds the operation result details - of a specific resource - properties: - group: - description: Group specifies the API group of the resource - type: string - hookPhase: - description: HookPhase contains the state of any operation - associated with this resource OR hook This can also - contain values for non-hook resources. 
- type: string - hookType: - description: HookType specifies the type of the hook. - Empty for non-hook resources - type: string - kind: - description: Kind specifies the API kind of the resource - type: string - message: - description: Message contains an informational or error - message for the last sync OR operation - type: string - name: - description: Name specifies the name of the resource - type: string - namespace: - description: Namespace specifies the target namespace - of the resource - type: string - status: - description: Status holds the final result of the sync. - Will be empty if the resources is yet to be applied/pruned - and is always zero-value for hooks - type: string - syncPhase: - description: SyncPhase indicates the particular phase - of the sync that this result was acquired in - type: string - version: - description: Version specifies the API version of the - resource - type: string - required: - - group - - kind - - name - - namespace - - version - type: object - type: array - revision: - description: Revision holds the revision this sync operation - was performed to - type: string - source: - description: Source records the application source information - of the sync, used for comparing auto-sync - properties: - chart: - description: Chart is a Helm chart name, and must be specified - for applications sourced from a Helm repo. 
- type: string - directory: - description: Directory holds path/directory specific options - properties: - exclude: - description: Exclude contains a glob pattern to match - paths against that should be explicitly excluded - from being used during manifest generation - type: string - include: - description: Include contains a glob pattern to match - paths against that should be explicitly included - during manifest generation - type: string - jsonnet: - description: Jsonnet holds options specific to Jsonnet - properties: - extVars: - description: ExtVars is a list of Jsonnet External - Variables - items: - description: JsonnetVar represents a variable - to be passed to jsonnet during manifest generation - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - description: Additional library search dirs - items: - type: string - type: array - tlas: - description: TLAS is a list of Jsonnet Top-level - Arguments - items: - description: JsonnetVar represents a variable - to be passed to jsonnet during manifest generation - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - description: Recurse specifies whether to scan a directory - recursively for manifests - type: boolean - type: object - helm: - description: Helm holds helm specific options - properties: - fileParameters: - description: FileParameters are file parameters to - the helm template - items: - description: HelmFileParameter is a file parameter - that's passed to helm template during manifest - generation - properties: - name: - description: Name is the name of the Helm parameter - type: string - path: - description: Path is the path to the file containing - the values for the Helm parameter - type: string - type: object - type: array - ignoreMissingValueFiles: - description: 
IgnoreMissingValueFiles prevents helm - template from failing when valueFiles do not exist - locally by not appending them to helm template --values - type: boolean - parameters: - description: Parameters is a list of Helm parameters - which are passed to the helm template command upon - manifest generation - items: - description: HelmParameter is a parameter that's - passed to helm template during manifest generation - properties: - forceString: - description: ForceString determines whether - to tell Helm to interpret booleans and numbers - as strings - type: boolean - name: - description: Name is the name of the Helm parameter - type: string - value: - description: Value is the value for the Helm - parameter - type: string - type: object - type: array - passCredentials: - description: PassCredentials pass credentials to all - domains (Helm's --pass-credentials) - type: boolean - releaseName: - description: ReleaseName is the Helm release name - to use. If omitted it will use the application name - type: string - skipCrds: - description: SkipCrds skips custom resource definition - installation step (Helm's --skip-crds) - type: boolean - valueFiles: - description: ValuesFiles is a list of Helm value files - to use when generating a template - items: - type: string - type: array - values: - description: Values specifies Helm values to be passed - to helm template, typically defined as a block - type: string - version: - description: Version is the Helm version to use for - templating ("3") - type: string - type: object - kustomize: - description: Kustomize holds kustomize specific options - properties: - commonAnnotations: - additionalProperties: - type: string - description: CommonAnnotations is a list of additional - annotations to add to rendered manifests - type: object - commonLabels: - additionalProperties: - type: string - description: CommonLabels is a list of additional - labels to add to rendered manifests - type: object - forceCommonAnnotations: - 
description: ForceCommonAnnotations specifies whether - to force applying common annotations to resources - for Kustomize apps - type: boolean - forceCommonLabels: - description: ForceCommonLabels specifies whether to - force applying common labels to resources for Kustomize - apps - type: boolean - images: - description: Images is a list of Kustomize image override - specifications - items: - description: KustomizeImage represents a Kustomize - image definition in the format [old_image_name=]: - type: string - type: array - namePrefix: - description: NamePrefix is a prefix appended to resources - for Kustomize apps - type: string - nameSuffix: - description: NameSuffix is a suffix appended to resources - for Kustomize apps - type: string - version: - description: Version controls which version of Kustomize - to use for rendering manifests - type: string - type: object - path: - description: Path is a directory path within the Git repository, - and is only valid for applications sourced from Git. - type: string - plugin: - description: ConfigManagementPlugin holds config management - plugin specific options - properties: - env: - description: Env is a list of environment variable - entries - items: - description: EnvEntry represents an entry in the - application's environment - properties: - name: - description: Name is the name of the variable, - usually expressed in uppercase - type: string - value: - description: Value is the value of the variable - type: string - required: - - name - - value - type: object - type: array - name: - type: string - type: object - repoURL: - description: RepoURL is the URL to the repository (Git - or Helm) that contains the application manifests - type: string - targetRevision: - description: TargetRevision defines the revision of the - source to sync the application to. In case of Git, this - can be commit, tag, or branch. If omitted, will equal - to HEAD. In case of Helm, this is a semver tag for the - Chart's version. 
- type: string - required: - - repoURL - type: object - required: - - revision - type: object - required: - - operation - - phase - - startedAt - type: object - reconciledAt: - description: ReconciledAt indicates when the application state was - reconciled using the latest git version - format: date-time - type: string - resources: - description: Resources is a list of Kubernetes resources managed by - this application - items: - description: 'ResourceStatus holds the current sync and health status - of a resource TODO: describe members of this type' - properties: - group: - type: string - health: - description: HealthStatus contains information about the currently - observed health state of an application or resource - properties: - message: - description: Message is a human-readable informational message - describing the health status - type: string - status: - description: Status holds the status code of the application - or resource - type: string - type: object - hook: - type: boolean - kind: - type: string - name: - type: string - namespace: - type: string - requiresPruning: - type: boolean - status: - description: SyncStatusCode is a type which represents possible - comparison results - type: string - version: - type: string - type: object - type: array - sourceType: - description: SourceType specifies the type of this application - type: string - summary: - description: Summary contains a list of URLs and container images - used by this application - properties: - externalURLs: - description: ExternalURLs holds all external URLs of application - child resources. - items: - type: string - type: array - images: - description: Images holds all images of application child resources. 
- items: - type: string - type: array - type: object - sync: - description: Sync contains information about the application's current - sync status - properties: - comparedTo: - description: ComparedTo contains information about what has been - compared - properties: - destination: - description: Destination is a reference to the application's - destination used for comparison - properties: - name: - description: Name is an alternate way of specifying the - target cluster by its symbolic name - type: string - namespace: - description: Namespace specifies the target namespace - for the application's resources. The namespace will - only be set for namespace-scoped resources that have - not set a value for .metadata.namespace - type: string - server: - description: Server specifies the URL of the target cluster - and must be set to the Kubernetes control plane API - type: string - type: object - source: - description: Source is a reference to the application's source - used for comparison - properties: - chart: - description: Chart is a Helm chart name, and must be specified - for applications sourced from a Helm repo. 
- type: string - directory: - description: Directory holds path/directory specific options - properties: - exclude: - description: Exclude contains a glob pattern to match - paths against that should be explicitly excluded - from being used during manifest generation - type: string - include: - description: Include contains a glob pattern to match - paths against that should be explicitly included - during manifest generation - type: string - jsonnet: - description: Jsonnet holds options specific to Jsonnet - properties: - extVars: - description: ExtVars is a list of Jsonnet External - Variables - items: - description: JsonnetVar represents a variable - to be passed to jsonnet during manifest generation - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - description: Additional library search dirs - items: - type: string - type: array - tlas: - description: TLAS is a list of Jsonnet Top-level - Arguments - items: - description: JsonnetVar represents a variable - to be passed to jsonnet during manifest generation - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - description: Recurse specifies whether to scan a directory - recursively for manifests - type: boolean - type: object - helm: - description: Helm holds helm specific options - properties: - fileParameters: - description: FileParameters are file parameters to - the helm template - items: - description: HelmFileParameter is a file parameter - that's passed to helm template during manifest - generation - properties: - name: - description: Name is the name of the Helm parameter - type: string - path: - description: Path is the path to the file containing - the values for the Helm parameter - type: string - type: object - type: array - ignoreMissingValueFiles: - description: 
IgnoreMissingValueFiles prevents helm - template from failing when valueFiles do not exist - locally by not appending them to helm template --values - type: boolean - parameters: - description: Parameters is a list of Helm parameters - which are passed to the helm template command upon - manifest generation - items: - description: HelmParameter is a parameter that's - passed to helm template during manifest generation - properties: - forceString: - description: ForceString determines whether - to tell Helm to interpret booleans and numbers - as strings - type: boolean - name: - description: Name is the name of the Helm parameter - type: string - value: - description: Value is the value for the Helm - parameter - type: string - type: object - type: array - passCredentials: - description: PassCredentials pass credentials to all - domains (Helm's --pass-credentials) - type: boolean - releaseName: - description: ReleaseName is the Helm release name - to use. If omitted it will use the application name - type: string - skipCrds: - description: SkipCrds skips custom resource definition - installation step (Helm's --skip-crds) - type: boolean - valueFiles: - description: ValuesFiles is a list of Helm value files - to use when generating a template - items: - type: string - type: array - values: - description: Values specifies Helm values to be passed - to helm template, typically defined as a block - type: string - version: - description: Version is the Helm version to use for - templating ("3") - type: string - type: object - kustomize: - description: Kustomize holds kustomize specific options - properties: - commonAnnotations: - additionalProperties: - type: string - description: CommonAnnotations is a list of additional - annotations to add to rendered manifests - type: object - commonLabels: - additionalProperties: - type: string - description: CommonLabels is a list of additional - labels to add to rendered manifests - type: object - forceCommonAnnotations: - 
description: ForceCommonAnnotations specifies whether - to force applying common annotations to resources - for Kustomize apps - type: boolean - forceCommonLabels: - description: ForceCommonLabels specifies whether to - force applying common labels to resources for Kustomize - apps - type: boolean - images: - description: Images is a list of Kustomize image override - specifications - items: - description: KustomizeImage represents a Kustomize - image definition in the format [old_image_name=]: - type: string - type: array - namePrefix: - description: NamePrefix is a prefix appended to resources - for Kustomize apps - type: string - nameSuffix: - description: NameSuffix is a suffix appended to resources - for Kustomize apps - type: string - version: - description: Version controls which version of Kustomize - to use for rendering manifests - type: string - type: object - path: - description: Path is a directory path within the Git repository, - and is only valid for applications sourced from Git. - type: string - plugin: - description: ConfigManagementPlugin holds config management - plugin specific options - properties: - env: - description: Env is a list of environment variable - entries - items: - description: EnvEntry represents an entry in the - application's environment - properties: - name: - description: Name is the name of the variable, - usually expressed in uppercase - type: string - value: - description: Value is the value of the variable - type: string - required: - - name - - value - type: object - type: array - name: - type: string - type: object - repoURL: - description: RepoURL is the URL to the repository (Git - or Helm) that contains the application manifests - type: string - targetRevision: - description: TargetRevision defines the revision of the - source to sync the application to. In case of Git, this - can be commit, tag, or branch. If omitted, will equal - to HEAD. In case of Helm, this is a semver tag for the - Chart's version. 
- type: string - required: - - repoURL - type: object - required: - - destination - - source - type: object - revision: - description: Revision contains information about the revision - the comparison has been performed to - type: string - status: - description: Status is the sync state of the comparison - type: string - required: - - status - type: object - type: object - required: - - metadata - - spec - type: object - served: true - storage: true - subresources: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app.kubernetes.io/name: applicationsets.argoproj.io - name: applicationsets.argoproj.io -spec: - group: argoproj.io - names: - kind: ApplicationSet - listKind: ApplicationSetList - plural: applicationsets - shortNames: - - appset - - appsets - singular: applicationset - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - apiVersion: - type: string - kind: - type: string - metadata: - type: object - spec: - properties: - generators: - items: - properties: - clusterDecisionResource: - properties: - configMapRef: - type: string - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - name: - type: string - requeueAfterSeconds: - format: int64 - type: integer - template: - properties: - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - properties: - destination: - properties: - name: - type: string - namespace: - type: string - server: - type: string - type: object - 
ignoreDifferences: - items: - properties: - group: - type: string - jqPathExpressions: - items: - type: string - type: array - jsonPointers: - items: - type: string - type: array - kind: - type: string - managedFieldsManagers: - items: - type: string - type: array - name: - type: string - namespace: - type: string - required: - - kind - type: object - type: array - info: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - project: - type: string - revisionHistoryLimit: - format: int64 - type: integer - source: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - version: - type: string - type: object - kustomize: - properties: - commonAnnotations: - additionalProperties: - type: string - type: object - commonLabels: - additionalProperties: - type: string - type: object - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - images: - items: - type: string - type: 
array - namePrefix: - type: string - nameSuffix: - type: string - version: - type: string - type: object - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - type: object - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - syncPolicy: - properties: - automated: - properties: - allowEmpty: - type: boolean - prune: - type: boolean - selfHeal: - type: boolean - type: object - retry: - properties: - backoff: - properties: - duration: - type: string - factor: - format: int64 - type: integer - maxDuration: - type: string - type: object - limit: - format: int64 - type: integer - type: object - syncOptions: - items: - type: string - type: array - type: object - required: - - destination - - project - - source - type: object - required: - - metadata - - spec - type: object - values: - additionalProperties: - type: string - type: object - required: - - configMapRef - type: object - clusters: - properties: - selector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - template: - properties: - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - properties: - destination: - properties: - name: - type: string - namespace: - type: string - server: - type: string - type: object - ignoreDifferences: - items: - properties: - group: - type: string - jqPathExpressions: - items: - type: string - type: array - 
jsonPointers: - items: - type: string - type: array - kind: - type: string - managedFieldsManagers: - items: - type: string - type: array - name: - type: string - namespace: - type: string - required: - - kind - type: object - type: array - info: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - project: - type: string - revisionHistoryLimit: - format: int64 - type: integer - source: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - version: - type: string - type: object - kustomize: - properties: - commonAnnotations: - additionalProperties: - type: string - type: object - commonLabels: - additionalProperties: - type: string - type: object - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - images: - items: - type: string - type: array - namePrefix: - type: string - nameSuffix: - type: string - version: - type: string - type: object - path: - type: string - 
plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - type: object - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - syncPolicy: - properties: - automated: - properties: - allowEmpty: - type: boolean - prune: - type: boolean - selfHeal: - type: boolean - type: object - retry: - properties: - backoff: - properties: - duration: - type: string - factor: - format: int64 - type: integer - maxDuration: - type: string - type: object - limit: - format: int64 - type: integer - type: object - syncOptions: - items: - type: string - type: array - type: object - required: - - destination - - project - - source - type: object - required: - - metadata - - spec - type: object - values: - additionalProperties: - type: string - type: object - type: object - git: - properties: - directories: - items: - properties: - exclude: - type: boolean - path: - type: string - required: - - path - type: object - type: array - files: - items: - properties: - path: - type: string - required: - - path - type: object - type: array - repoURL: - type: string - requeueAfterSeconds: - format: int64 - type: integer - revision: - type: string - template: - properties: - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - properties: - destination: - properties: - name: - type: string - namespace: - type: string - server: - type: string - type: object - ignoreDifferences: - items: - properties: - group: - type: string - jqPathExpressions: - items: - type: string - type: array - jsonPointers: - items: - type: string - type: array - kind: - type: string - managedFieldsManagers: - items: - type: string - 
type: array - name: - type: string - namespace: - type: string - required: - - kind - type: object - type: array - info: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - project: - type: string - revisionHistoryLimit: - format: int64 - type: integer - source: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - version: - type: string - type: object - kustomize: - properties: - commonAnnotations: - additionalProperties: - type: string - type: object - commonLabels: - additionalProperties: - type: string - type: object - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - images: - items: - type: string - type: array - namePrefix: - type: string - nameSuffix: - type: string - version: - type: string - type: object - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - 
value - type: object - type: array - name: - type: string - type: object - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - syncPolicy: - properties: - automated: - properties: - allowEmpty: - type: boolean - prune: - type: boolean - selfHeal: - type: boolean - type: object - retry: - properties: - backoff: - properties: - duration: - type: string - factor: - format: int64 - type: integer - maxDuration: - type: string - type: object - limit: - format: int64 - type: integer - type: object - syncOptions: - items: - type: string - type: array - type: object - required: - - destination - - project - - source - type: object - required: - - metadata - - spec - type: object - required: - - repoURL - - revision - type: object - list: - properties: - elements: - items: - x-kubernetes-preserve-unknown-fields: true - type: array - template: - properties: - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - properties: - destination: - properties: - name: - type: string - namespace: - type: string - server: - type: string - type: object - ignoreDifferences: - items: - properties: - group: - type: string - jqPathExpressions: - items: - type: string - type: array - jsonPointers: - items: - type: string - type: array - kind: - type: string - managedFieldsManagers: - items: - type: string - type: array - name: - type: string - namespace: - type: string - required: - - kind - type: object - type: array - info: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - project: - type: string - revisionHistoryLimit: - format: int64 - type: integer - source: - properties: - chart: - type: string - directory: - properties: - exclude: - 
type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - version: - type: string - type: object - kustomize: - properties: - commonAnnotations: - additionalProperties: - type: string - type: object - commonLabels: - additionalProperties: - type: string - type: object - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - images: - items: - type: string - type: array - namePrefix: - type: string - nameSuffix: - type: string - version: - type: string - type: object - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - type: object - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - syncPolicy: - properties: - automated: - properties: - allowEmpty: - type: boolean - prune: - type: boolean - selfHeal: - type: boolean - type: object - retry: - properties: - backoff: - properties: - duration: - type: string - factor: - format: 
int64 - type: integer - maxDuration: - type: string - type: object - limit: - format: int64 - type: integer - type: object - syncOptions: - items: - type: string - type: array - type: object - required: - - destination - - project - - source - type: object - required: - - metadata - - spec - type: object - required: - - elements - type: object - matrix: - properties: - generators: - items: - properties: - clusterDecisionResource: - properties: - configMapRef: - type: string - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - name: - type: string - requeueAfterSeconds: - format: int64 - type: integer - template: - properties: - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - properties: - destination: - properties: - name: - type: string - namespace: - type: string - server: - type: string - type: object - ignoreDifferences: - items: - properties: - group: - type: string - jqPathExpressions: - items: - type: string - type: array - jsonPointers: - items: - type: string - type: array - kind: - type: string - managedFieldsManagers: - items: - type: string - type: array - name: - type: string - namespace: - type: string - required: - - kind - type: object - type: array - info: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - project: - type: string - revisionHistoryLimit: - format: int64 - type: integer - source: - properties: - chart: - type: string - directory: - properties: - exclude: - 
type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - version: - type: string - type: object - kustomize: - properties: - commonAnnotations: - additionalProperties: - type: string - type: object - commonLabels: - additionalProperties: - type: string - type: object - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - images: - items: - type: string - type: array - namePrefix: - type: string - nameSuffix: - type: string - version: - type: string - type: object - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - type: object - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - syncPolicy: - properties: - automated: - properties: - allowEmpty: - type: boolean - prune: - type: boolean - selfHeal: - type: boolean - type: object - retry: - properties: - backoff: - properties: - duration: - type: string - factor: - format: 
int64 - type: integer - maxDuration: - type: string - type: object - limit: - format: int64 - type: integer - type: object - syncOptions: - items: - type: string - type: array - type: object - required: - - destination - - project - - source - type: object - required: - - metadata - - spec - type: object - values: - additionalProperties: - type: string - type: object - required: - - configMapRef - type: object - clusters: - properties: - selector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - template: - properties: - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - properties: - destination: - properties: - name: - type: string - namespace: - type: string - server: - type: string - type: object - ignoreDifferences: - items: - properties: - group: - type: string - jqPathExpressions: - items: - type: string - type: array - jsonPointers: - items: - type: string - type: array - kind: - type: string - managedFieldsManagers: - items: - type: string - type: array - name: - type: string - namespace: - type: string - required: - - kind - type: object - type: array - info: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - project: - type: string - revisionHistoryLimit: - format: int64 - type: integer - source: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - 
name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - version: - type: string - type: object - kustomize: - properties: - commonAnnotations: - additionalProperties: - type: string - type: object - commonLabels: - additionalProperties: - type: string - type: object - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - images: - items: - type: string - type: array - namePrefix: - type: string - nameSuffix: - type: string - version: - type: string - type: object - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - type: object - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - syncPolicy: - properties: - automated: - properties: - allowEmpty: - type: boolean - prune: - type: boolean - selfHeal: - type: boolean - type: object - retry: - properties: - backoff: - properties: - duration: - type: string - factor: - format: int64 - type: integer - maxDuration: - type: string - type: object - limit: - format: int64 - type: integer - type: object - 
syncOptions: - items: - type: string - type: array - type: object - required: - - destination - - project - - source - type: object - required: - - metadata - - spec - type: object - values: - additionalProperties: - type: string - type: object - type: object - git: - properties: - directories: - items: - properties: - exclude: - type: boolean - path: - type: string - required: - - path - type: object - type: array - files: - items: - properties: - path: - type: string - required: - - path - type: object - type: array - repoURL: - type: string - requeueAfterSeconds: - format: int64 - type: integer - revision: - type: string - template: - properties: - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - properties: - destination: - properties: - name: - type: string - namespace: - type: string - server: - type: string - type: object - ignoreDifferences: - items: - properties: - group: - type: string - jqPathExpressions: - items: - type: string - type: array - jsonPointers: - items: - type: string - type: array - kind: - type: string - managedFieldsManagers: - items: - type: string - type: array - name: - type: string - namespace: - type: string - required: - - kind - type: object - type: array - info: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - project: - type: string - revisionHistoryLimit: - format: int64 - type: integer - source: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: 
- type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - version: - type: string - type: object - kustomize: - properties: - commonAnnotations: - additionalProperties: - type: string - type: object - commonLabels: - additionalProperties: - type: string - type: object - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - images: - items: - type: string - type: array - namePrefix: - type: string - nameSuffix: - type: string - version: - type: string - type: object - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - type: object - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - syncPolicy: - properties: - automated: - properties: - allowEmpty: - type: boolean - prune: - type: boolean - selfHeal: - type: boolean - type: object - retry: - properties: - backoff: - properties: - duration: - type: string - factor: - format: int64 - type: integer - maxDuration: - type: string - type: object - limit: - format: int64 - type: integer - type: object - syncOptions: - items: - type: string - type: array - type: object - required: - - destination - - project - - source - type: 
object - required: - - metadata - - spec - type: object - required: - - repoURL - - revision - type: object - list: - properties: - elements: - items: - x-kubernetes-preserve-unknown-fields: true - type: array - template: - properties: - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - properties: - destination: - properties: - name: - type: string - namespace: - type: string - server: - type: string - type: object - ignoreDifferences: - items: - properties: - group: - type: string - jqPathExpressions: - items: - type: string - type: array - jsonPointers: - items: - type: string - type: array - kind: - type: string - managedFieldsManagers: - items: - type: string - type: array - name: - type: string - namespace: - type: string - required: - - kind - type: object - type: array - info: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - project: - type: string - revisionHistoryLimit: - format: int64 - type: integer - source: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: 
boolean - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - version: - type: string - type: object - kustomize: - properties: - commonAnnotations: - additionalProperties: - type: string - type: object - commonLabels: - additionalProperties: - type: string - type: object - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - images: - items: - type: string - type: array - namePrefix: - type: string - nameSuffix: - type: string - version: - type: string - type: object - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - type: object - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - syncPolicy: - properties: - automated: - properties: - allowEmpty: - type: boolean - prune: - type: boolean - selfHeal: - type: boolean - type: object - retry: - properties: - backoff: - properties: - duration: - type: string - factor: - format: int64 - type: integer - maxDuration: - type: string - type: object - limit: - format: int64 - type: integer - type: object - syncOptions: - items: - type: string - type: array - type: object - required: - - destination - - project - - source - type: object - required: - - metadata - - spec - type: object - required: - - elements - type: object - matrix: - x-kubernetes-preserve-unknown-fields: true - merge: - x-kubernetes-preserve-unknown-fields: true - pullRequest: - properties: - bitbucketServer: - properties: - api: - type: string - basicAuth: - properties: - passwordRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - 
secretName - type: object - username: - type: string - required: - - passwordRef - - username - type: object - project: - type: string - repo: - type: string - required: - - api - - project - - repo - type: object - filters: - items: - properties: - branchMatch: - type: string - type: object - type: array - gitea: - properties: - api: - type: string - insecure: - type: boolean - owner: - type: string - repo: - type: string - tokenRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - required: - - api - - owner - - repo - type: object - github: - properties: - api: - type: string - labels: - items: - type: string - type: array - owner: - type: string - repo: - type: string - tokenRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - required: - - owner - - repo - type: object - requeueAfterSeconds: - format: int64 - type: integer - template: - properties: - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - properties: - destination: - properties: - name: - type: string - namespace: - type: string - server: - type: string - type: object - ignoreDifferences: - items: - properties: - group: - type: string - jqPathExpressions: - items: - type: string - type: array - jsonPointers: - items: - type: string - type: array - kind: - type: string - managedFieldsManagers: - items: - type: string - type: array - name: - type: string - namespace: - type: string - required: - - kind - type: object - type: array - info: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - project: - type: string - revisionHistoryLimit: - format: int64 - 
type: integer - source: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - version: - type: string - type: object - kustomize: - properties: - commonAnnotations: - additionalProperties: - type: string - type: object - commonLabels: - additionalProperties: - type: string - type: object - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - images: - items: - type: string - type: array - namePrefix: - type: string - nameSuffix: - type: string - version: - type: string - type: object - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - type: object - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - syncPolicy: - properties: - automated: - properties: - allowEmpty: - type: boolean - prune: - type: boolean - selfHeal: - type: boolean - type: 
object - retry: - properties: - backoff: - properties: - duration: - type: string - factor: - format: int64 - type: integer - maxDuration: - type: string - type: object - limit: - format: int64 - type: integer - type: object - syncOptions: - items: - type: string - type: array - type: object - required: - - destination - - project - - source - type: object - required: - - metadata - - spec - type: object - type: object - scmProvider: - properties: - bitbucket: - properties: - allBranches: - type: boolean - appPasswordRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - owner: - type: string - user: - type: string - required: - - appPasswordRef - - owner - - user - type: object - bitbucketServer: - properties: - allBranches: - type: boolean - api: - type: string - basicAuth: - properties: - passwordRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - username: - type: string - required: - - passwordRef - - username - type: object - project: - type: string - required: - - api - - project - type: object - cloneProtocol: - type: string - filters: - items: - properties: - branchMatch: - type: string - labelMatch: - type: string - pathsDoNotExist: - items: - type: string - type: array - pathsExist: - items: - type: string - type: array - repositoryMatch: - type: string - type: object - type: array - gitea: - properties: - allBranches: - type: boolean - api: - type: string - insecure: - type: boolean - owner: - type: string - tokenRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - required: - - api - - owner - type: object - github: - properties: - allBranches: - type: boolean - api: - type: string - organization: - type: string - tokenRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - required: - 
- organization - type: object - gitlab: - properties: - allBranches: - type: boolean - api: - type: string - group: - type: string - includeSubgroups: - type: boolean - tokenRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - required: - - group - type: object - requeueAfterSeconds: - format: int64 - type: integer - template: - properties: - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - properties: - destination: - properties: - name: - type: string - namespace: - type: string - server: - type: string - type: object - ignoreDifferences: - items: - properties: - group: - type: string - jqPathExpressions: - items: - type: string - type: array - jsonPointers: - items: - type: string - type: array - kind: - type: string - managedFieldsManagers: - items: - type: string - type: array - name: - type: string - namespace: - type: string - required: - - kind - type: object - type: array - info: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - project: - type: string - revisionHistoryLimit: - format: int64 - type: integer - source: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: 
object - helm: - properties: - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - version: - type: string - type: object - kustomize: - properties: - commonAnnotations: - additionalProperties: - type: string - type: object - commonLabels: - additionalProperties: - type: string - type: object - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - images: - items: - type: string - type: array - namePrefix: - type: string - nameSuffix: - type: string - version: - type: string - type: object - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - type: object - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - syncPolicy: - properties: - automated: - properties: - allowEmpty: - type: boolean - prune: - type: boolean - selfHeal: - type: boolean - type: object - retry: - properties: - backoff: - properties: - duration: - type: string - factor: - format: int64 - type: integer - maxDuration: - type: string - type: object - limit: - format: int64 - type: integer - type: object - syncOptions: - items: - type: string - type: array - type: object - required: - - destination - - project - - source - type: object - required: - - metadata - - spec - type: object - type: object - type: object - type: array - template: - properties: - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - 
items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - properties: - destination: - properties: - name: - type: string - namespace: - type: string - server: - type: string - type: object - ignoreDifferences: - items: - properties: - group: - type: string - jqPathExpressions: - items: - type: string - type: array - jsonPointers: - items: - type: string - type: array - kind: - type: string - managedFieldsManagers: - items: - type: string - type: array - name: - type: string - namespace: - type: string - required: - - kind - type: object - type: array - info: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - project: - type: string - revisionHistoryLimit: - format: int64 - type: integer - source: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - version: - type: string 
- type: object - kustomize: - properties: - commonAnnotations: - additionalProperties: - type: string - type: object - commonLabels: - additionalProperties: - type: string - type: object - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - images: - items: - type: string - type: array - namePrefix: - type: string - nameSuffix: - type: string - version: - type: string - type: object - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - type: object - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - syncPolicy: - properties: - automated: - properties: - allowEmpty: - type: boolean - prune: - type: boolean - selfHeal: - type: boolean - type: object - retry: - properties: - backoff: - properties: - duration: - type: string - factor: - format: int64 - type: integer - maxDuration: - type: string - type: object - limit: - format: int64 - type: integer - type: object - syncOptions: - items: - type: string - type: array - type: object - required: - - destination - - project - - source - type: object - required: - - metadata - - spec - type: object - required: - - generators - type: object - merge: - properties: - generators: - items: - properties: - clusterDecisionResource: - properties: - configMapRef: - type: string - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - name: - type: string - requeueAfterSeconds: - format: int64 - type: integer - template: - properties: - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: 
- type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - properties: - destination: - properties: - name: - type: string - namespace: - type: string - server: - type: string - type: object - ignoreDifferences: - items: - properties: - group: - type: string - jqPathExpressions: - items: - type: string - type: array - jsonPointers: - items: - type: string - type: array - kind: - type: string - managedFieldsManagers: - items: - type: string - type: array - name: - type: string - namespace: - type: string - required: - - kind - type: object - type: array - info: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - project: - type: string - revisionHistoryLimit: - format: int64 - type: integer - source: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - version: - type: string - type: 
object - kustomize: - properties: - commonAnnotations: - additionalProperties: - type: string - type: object - commonLabels: - additionalProperties: - type: string - type: object - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - images: - items: - type: string - type: array - namePrefix: - type: string - nameSuffix: - type: string - version: - type: string - type: object - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - type: object - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - syncPolicy: - properties: - automated: - properties: - allowEmpty: - type: boolean - prune: - type: boolean - selfHeal: - type: boolean - type: object - retry: - properties: - backoff: - properties: - duration: - type: string - factor: - format: int64 - type: integer - maxDuration: - type: string - type: object - limit: - format: int64 - type: integer - type: object - syncOptions: - items: - type: string - type: array - type: object - required: - - destination - - project - - source - type: object - required: - - metadata - - spec - type: object - values: - additionalProperties: - type: string - type: object - required: - - configMapRef - type: object - clusters: - properties: - selector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - template: - properties: - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - 
type: string - type: object - spec: - properties: - destination: - properties: - name: - type: string - namespace: - type: string - server: - type: string - type: object - ignoreDifferences: - items: - properties: - group: - type: string - jqPathExpressions: - items: - type: string - type: array - jsonPointers: - items: - type: string - type: array - kind: - type: string - managedFieldsManagers: - items: - type: string - type: array - name: - type: string - namespace: - type: string - required: - - kind - type: object - type: array - info: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - project: - type: string - revisionHistoryLimit: - format: int64 - type: integer - source: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - version: - type: string - type: object - kustomize: - properties: - commonAnnotations: - additionalProperties: - type: string - type: object - commonLabels: - 
additionalProperties: - type: string - type: object - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - images: - items: - type: string - type: array - namePrefix: - type: string - nameSuffix: - type: string - version: - type: string - type: object - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - type: object - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - syncPolicy: - properties: - automated: - properties: - allowEmpty: - type: boolean - prune: - type: boolean - selfHeal: - type: boolean - type: object - retry: - properties: - backoff: - properties: - duration: - type: string - factor: - format: int64 - type: integer - maxDuration: - type: string - type: object - limit: - format: int64 - type: integer - type: object - syncOptions: - items: - type: string - type: array - type: object - required: - - destination - - project - - source - type: object - required: - - metadata - - spec - type: object - values: - additionalProperties: - type: string - type: object - type: object - git: - properties: - directories: - items: - properties: - exclude: - type: boolean - path: - type: string - required: - - path - type: object - type: array - files: - items: - properties: - path: - type: string - required: - - path - type: object - type: array - repoURL: - type: string - requeueAfterSeconds: - format: int64 - type: integer - revision: - type: string - template: - properties: - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - properties: - destination: - properties: - name: - type: string - namespace: - 
type: string - server: - type: string - type: object - ignoreDifferences: - items: - properties: - group: - type: string - jqPathExpressions: - items: - type: string - type: array - jsonPointers: - items: - type: string - type: array - kind: - type: string - managedFieldsManagers: - items: - type: string - type: array - name: - type: string - namespace: - type: string - required: - - kind - type: object - type: array - info: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - project: - type: string - revisionHistoryLimit: - format: int64 - type: integer - source: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - version: - type: string - type: object - kustomize: - properties: - commonAnnotations: - additionalProperties: - type: string - type: object - commonLabels: - additionalProperties: - type: string - type: object - forceCommonAnnotations: - type: boolean - forceCommonLabels: - 
type: boolean - images: - items: - type: string - type: array - namePrefix: - type: string - nameSuffix: - type: string - version: - type: string - type: object - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - type: object - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - syncPolicy: - properties: - automated: - properties: - allowEmpty: - type: boolean - prune: - type: boolean - selfHeal: - type: boolean - type: object - retry: - properties: - backoff: - properties: - duration: - type: string - factor: - format: int64 - type: integer - maxDuration: - type: string - type: object - limit: - format: int64 - type: integer - type: object - syncOptions: - items: - type: string - type: array - type: object - required: - - destination - - project - - source - type: object - required: - - metadata - - spec - type: object - required: - - repoURL - - revision - type: object - list: - properties: - elements: - items: - x-kubernetes-preserve-unknown-fields: true - type: array - template: - properties: - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - properties: - destination: - properties: - name: - type: string - namespace: - type: string - server: - type: string - type: object - ignoreDifferences: - items: - properties: - group: - type: string - jqPathExpressions: - items: - type: string - type: array - jsonPointers: - items: - type: string - type: array - kind: - type: string - managedFieldsManagers: - items: - type: string - type: array - name: - type: string - namespace: - type: string - required: - - kind - type: object - type: 
array - info: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - project: - type: string - revisionHistoryLimit: - format: int64 - type: integer - source: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - version: - type: string - type: object - kustomize: - properties: - commonAnnotations: - additionalProperties: - type: string - type: object - commonLabels: - additionalProperties: - type: string - type: object - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - images: - items: - type: string - type: array - namePrefix: - type: string - nameSuffix: - type: string - version: - type: string - type: object - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - type: object - repoURL: - type: string - 
targetRevision: - type: string - required: - - repoURL - type: object - syncPolicy: - properties: - automated: - properties: - allowEmpty: - type: boolean - prune: - type: boolean - selfHeal: - type: boolean - type: object - retry: - properties: - backoff: - properties: - duration: - type: string - factor: - format: int64 - type: integer - maxDuration: - type: string - type: object - limit: - format: int64 - type: integer - type: object - syncOptions: - items: - type: string - type: array - type: object - required: - - destination - - project - - source - type: object - required: - - metadata - - spec - type: object - required: - - elements - type: object - matrix: - x-kubernetes-preserve-unknown-fields: true - merge: - x-kubernetes-preserve-unknown-fields: true - pullRequest: - properties: - bitbucketServer: - properties: - api: - type: string - basicAuth: - properties: - passwordRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - username: - type: string - required: - - passwordRef - - username - type: object - project: - type: string - repo: - type: string - required: - - api - - project - - repo - type: object - filters: - items: - properties: - branchMatch: - type: string - type: object - type: array - gitea: - properties: - api: - type: string - insecure: - type: boolean - owner: - type: string - repo: - type: string - tokenRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - required: - - api - - owner - - repo - type: object - github: - properties: - api: - type: string - labels: - items: - type: string - type: array - owner: - type: string - repo: - type: string - tokenRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - required: - - owner - - repo - type: object - requeueAfterSeconds: - format: int64 - type: integer - template: - properties: - 
metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - properties: - destination: - properties: - name: - type: string - namespace: - type: string - server: - type: string - type: object - ignoreDifferences: - items: - properties: - group: - type: string - jqPathExpressions: - items: - type: string - type: array - jsonPointers: - items: - type: string - type: array - kind: - type: string - managedFieldsManagers: - items: - type: string - type: array - name: - type: string - namespace: - type: string - required: - - kind - type: object - type: array - info: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - project: - type: string - revisionHistoryLimit: - format: int64 - type: integer - source: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: 
boolean - valueFiles: - items: - type: string - type: array - values: - type: string - version: - type: string - type: object - kustomize: - properties: - commonAnnotations: - additionalProperties: - type: string - type: object - commonLabels: - additionalProperties: - type: string - type: object - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - images: - items: - type: string - type: array - namePrefix: - type: string - nameSuffix: - type: string - version: - type: string - type: object - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - type: object - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - syncPolicy: - properties: - automated: - properties: - allowEmpty: - type: boolean - prune: - type: boolean - selfHeal: - type: boolean - type: object - retry: - properties: - backoff: - properties: - duration: - type: string - factor: - format: int64 - type: integer - maxDuration: - type: string - type: object - limit: - format: int64 - type: integer - type: object - syncOptions: - items: - type: string - type: array - type: object - required: - - destination - - project - - source - type: object - required: - - metadata - - spec - type: object - type: object - scmProvider: - properties: - bitbucket: - properties: - allBranches: - type: boolean - appPasswordRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - owner: - type: string - user: - type: string - required: - - appPasswordRef - - owner - - user - type: object - bitbucketServer: - properties: - allBranches: - type: boolean - api: - type: string - basicAuth: - properties: - passwordRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - username: 
- type: string - required: - - passwordRef - - username - type: object - project: - type: string - required: - - api - - project - type: object - cloneProtocol: - type: string - filters: - items: - properties: - branchMatch: - type: string - labelMatch: - type: string - pathsDoNotExist: - items: - type: string - type: array - pathsExist: - items: - type: string - type: array - repositoryMatch: - type: string - type: object - type: array - gitea: - properties: - allBranches: - type: boolean - api: - type: string - insecure: - type: boolean - owner: - type: string - tokenRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - required: - - api - - owner - type: object - github: - properties: - allBranches: - type: boolean - api: - type: string - organization: - type: string - tokenRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - required: - - organization - type: object - gitlab: - properties: - allBranches: - type: boolean - api: - type: string - group: - type: string - includeSubgroups: - type: boolean - tokenRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - required: - - group - type: object - requeueAfterSeconds: - format: int64 - type: integer - template: - properties: - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - properties: - destination: - properties: - name: - type: string - namespace: - type: string - server: - type: string - type: object - ignoreDifferences: - items: - properties: - group: - type: string - jqPathExpressions: - items: - type: string - type: array - jsonPointers: - items: - type: string - type: 
array - kind: - type: string - managedFieldsManagers: - items: - type: string - type: array - name: - type: string - namespace: - type: string - required: - - kind - type: object - type: array - info: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - project: - type: string - revisionHistoryLimit: - format: int64 - type: integer - source: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - version: - type: string - type: object - kustomize: - properties: - commonAnnotations: - additionalProperties: - type: string - type: object - commonLabels: - additionalProperties: - type: string - type: object - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - images: - items: - type: string - type: array - namePrefix: - type: string - nameSuffix: - type: string - version: - type: string - type: object - path: - type: string - plugin: - properties: - env: - items: - 
properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - type: object - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - syncPolicy: - properties: - automated: - properties: - allowEmpty: - type: boolean - prune: - type: boolean - selfHeal: - type: boolean - type: object - retry: - properties: - backoff: - properties: - duration: - type: string - factor: - format: int64 - type: integer - maxDuration: - type: string - type: object - limit: - format: int64 - type: integer - type: object - syncOptions: - items: - type: string - type: array - type: object - required: - - destination - - project - - source - type: object - required: - - metadata - - spec - type: object - type: object - type: object - type: array - mergeKeys: - items: - type: string - type: array - template: - properties: - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - properties: - destination: - properties: - name: - type: string - namespace: - type: string - server: - type: string - type: object - ignoreDifferences: - items: - properties: - group: - type: string - jqPathExpressions: - items: - type: string - type: array - jsonPointers: - items: - type: string - type: array - kind: - type: string - managedFieldsManagers: - items: - type: string - type: array - name: - type: string - namespace: - type: string - required: - - kind - type: object - type: array - info: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - project: - type: string - revisionHistoryLimit: - format: int64 - type: integer - source: - properties: - chart: - type: string - directory: - 
properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - version: - type: string - type: object - kustomize: - properties: - commonAnnotations: - additionalProperties: - type: string - type: object - commonLabels: - additionalProperties: - type: string - type: object - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - images: - items: - type: string - type: array - namePrefix: - type: string - nameSuffix: - type: string - version: - type: string - type: object - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - type: object - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - syncPolicy: - properties: - automated: - properties: - allowEmpty: - type: boolean - prune: - type: boolean - selfHeal: - type: boolean - type: object - retry: - properties: - backoff: - properties: - duration: - type: 
string - factor: - format: int64 - type: integer - maxDuration: - type: string - type: object - limit: - format: int64 - type: integer - type: object - syncOptions: - items: - type: string - type: array - type: object - required: - - destination - - project - - source - type: object - required: - - metadata - - spec - type: object - required: - - generators - - mergeKeys - type: object - pullRequest: - properties: - bitbucketServer: - properties: - api: - type: string - basicAuth: - properties: - passwordRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - username: - type: string - required: - - passwordRef - - username - type: object - project: - type: string - repo: - type: string - required: - - api - - project - - repo - type: object - filters: - items: - properties: - branchMatch: - type: string - type: object - type: array - gitea: - properties: - api: - type: string - insecure: - type: boolean - owner: - type: string - repo: - type: string - tokenRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - required: - - api - - owner - - repo - type: object - github: - properties: - api: - type: string - labels: - items: - type: string - type: array - owner: - type: string - repo: - type: string - tokenRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - required: - - owner - - repo - type: object - requeueAfterSeconds: - format: int64 - type: integer - template: - properties: - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - properties: - destination: - properties: - name: - type: string - namespace: - type: string - server: - 
type: string - type: object - ignoreDifferences: - items: - properties: - group: - type: string - jqPathExpressions: - items: - type: string - type: array - jsonPointers: - items: - type: string - type: array - kind: - type: string - managedFieldsManagers: - items: - type: string - type: array - name: - type: string - namespace: - type: string - required: - - kind - type: object - type: array - info: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - project: - type: string - revisionHistoryLimit: - format: int64 - type: integer - source: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - version: - type: string - type: object - kustomize: - properties: - commonAnnotations: - additionalProperties: - type: string - type: object - commonLabels: - additionalProperties: - type: string - type: object - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - images: - 
items: - type: string - type: array - namePrefix: - type: string - nameSuffix: - type: string - version: - type: string - type: object - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - type: object - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - syncPolicy: - properties: - automated: - properties: - allowEmpty: - type: boolean - prune: - type: boolean - selfHeal: - type: boolean - type: object - retry: - properties: - backoff: - properties: - duration: - type: string - factor: - format: int64 - type: integer - maxDuration: - type: string - type: object - limit: - format: int64 - type: integer - type: object - syncOptions: - items: - type: string - type: array - type: object - required: - - destination - - project - - source - type: object - required: - - metadata - - spec - type: object - type: object - scmProvider: - properties: - bitbucket: - properties: - allBranches: - type: boolean - appPasswordRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - owner: - type: string - user: - type: string - required: - - appPasswordRef - - owner - - user - type: object - bitbucketServer: - properties: - allBranches: - type: boolean - api: - type: string - basicAuth: - properties: - passwordRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - username: - type: string - required: - - passwordRef - - username - type: object - project: - type: string - required: - - api - - project - type: object - cloneProtocol: - type: string - filters: - items: - properties: - branchMatch: - type: string - labelMatch: - type: string - pathsDoNotExist: - items: - type: string - type: array - pathsExist: - items: - type: string - type: array - 
repositoryMatch: - type: string - type: object - type: array - gitea: - properties: - allBranches: - type: boolean - api: - type: string - insecure: - type: boolean - owner: - type: string - tokenRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - required: - - api - - owner - type: object - github: - properties: - allBranches: - type: boolean - api: - type: string - organization: - type: string - tokenRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - required: - - organization - type: object - gitlab: - properties: - allBranches: - type: boolean - api: - type: string - group: - type: string - includeSubgroups: - type: boolean - tokenRef: - properties: - key: - type: string - secretName: - type: string - required: - - key - - secretName - type: object - required: - - group - type: object - requeueAfterSeconds: - format: int64 - type: integer - template: - properties: - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - properties: - destination: - properties: - name: - type: string - namespace: - type: string - server: - type: string - type: object - ignoreDifferences: - items: - properties: - group: - type: string - jqPathExpressions: - items: - type: string - type: array - jsonPointers: - items: - type: string - type: array - kind: - type: string - managedFieldsManagers: - items: - type: string - type: array - name: - type: string - namespace: - type: string - required: - - kind - type: object - type: array - info: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - project: - type: string - revisionHistoryLimit: - 
format: int64 - type: integer - source: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - version: - type: string - type: object - kustomize: - properties: - commonAnnotations: - additionalProperties: - type: string - type: object - commonLabels: - additionalProperties: - type: string - type: object - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - images: - items: - type: string - type: array - namePrefix: - type: string - nameSuffix: - type: string - version: - type: string - type: object - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - type: object - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - syncPolicy: - properties: - automated: - properties: - allowEmpty: - type: boolean - prune: - type: boolean - selfHeal: - type: 
boolean - type: object - retry: - properties: - backoff: - properties: - duration: - type: string - factor: - format: int64 - type: integer - maxDuration: - type: string - type: object - limit: - format: int64 - type: integer - type: object - syncOptions: - items: - type: string - type: array - type: object - required: - - destination - - project - - source - type: object - required: - - metadata - - spec - type: object - type: object - type: object - type: array - syncPolicy: - properties: - preserveResourcesOnDeletion: - type: boolean - type: object - template: - properties: - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - finalizers: - items: - type: string - type: array - labels: - additionalProperties: - type: string - type: object - name: - type: string - namespace: - type: string - type: object - spec: - properties: - destination: - properties: - name: - type: string - namespace: - type: string - server: - type: string - type: object - ignoreDifferences: - items: - properties: - group: - type: string - jqPathExpressions: - items: - type: string - type: array - jsonPointers: - items: - type: string - type: array - kind: - type: string - managedFieldsManagers: - items: - type: string - type: array - name: - type: string - namespace: - type: string - required: - - kind - type: object - type: array - info: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - project: - type: string - revisionHistoryLimit: - format: int64 - type: integer - source: - properties: - chart: - type: string - directory: - properties: - exclude: - type: string - include: - type: string - jsonnet: - properties: - extVars: - items: - properties: - code: - type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - libs: - items: - type: string - type: array - tlas: - items: - properties: - code: - 
type: boolean - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - type: object - recurse: - type: boolean - type: object - helm: - properties: - fileParameters: - items: - properties: - name: - type: string - path: - type: string - type: object - type: array - ignoreMissingValueFiles: - type: boolean - parameters: - items: - properties: - forceString: - type: boolean - name: - type: string - value: - type: string - type: object - type: array - passCredentials: - type: boolean - releaseName: - type: string - skipCrds: - type: boolean - valueFiles: - items: - type: string - type: array - values: - type: string - version: - type: string - type: object - kustomize: - properties: - commonAnnotations: - additionalProperties: - type: string - type: object - commonLabels: - additionalProperties: - type: string - type: object - forceCommonAnnotations: - type: boolean - forceCommonLabels: - type: boolean - images: - items: - type: string - type: array - namePrefix: - type: string - nameSuffix: - type: string - version: - type: string - type: object - path: - type: string - plugin: - properties: - env: - items: - properties: - name: - type: string - value: - type: string - required: - - name - - value - type: object - type: array - name: - type: string - type: object - repoURL: - type: string - targetRevision: - type: string - required: - - repoURL - type: object - syncPolicy: - properties: - automated: - properties: - allowEmpty: - type: boolean - prune: - type: boolean - selfHeal: - type: boolean - type: object - retry: - properties: - backoff: - properties: - duration: - type: string - factor: - format: int64 - type: integer - maxDuration: - type: string - type: object - limit: - format: int64 - type: integer - type: object - syncOptions: - items: - type: string - type: array - type: object - required: - - destination - - project - - source - type: object - required: - - metadata - - spec - type: object - required: - 
- generators - - template - type: object - status: - properties: - conditions: - items: - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - type: string - type: - type: string - required: - - message - - reason - - status - - type - type: object - type: array - type: object - required: - - metadata - - spec - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app.kubernetes.io/name: appprojects.argoproj.io - app.kubernetes.io/part-of: argocd - name: appprojects.argoproj.io -spec: - group: argoproj.io - names: - kind: AppProject - listKind: AppProjectList - plural: appprojects - shortNames: - - appproj - - appprojs - singular: appproject - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: 'AppProject provides a logical grouping of applications, providing - controls for: * where the apps may deploy to (cluster whitelist) * what - may be deployed (repository whitelist, resource whitelist/blacklist) * who - can access these applications (roles, OIDC group claims bindings) * and - what they can do (RBAC policies) * automation access to these roles (JWT - tokens)' - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: AppProjectSpec is the specification of an AppProject - properties: - clusterResourceBlacklist: - description: ClusterResourceBlacklist contains list of blacklisted - cluster level resources - items: - description: GroupKind specifies a Group and a Kind, but does not - force a version. This is useful for identifying concepts during - lookup stages without having partially valid types - properties: - group: - type: string - kind: - type: string - required: - - group - - kind - type: object - type: array - clusterResourceWhitelist: - description: ClusterResourceWhitelist contains list of whitelisted - cluster level resources - items: - description: GroupKind specifies a Group and a Kind, but does not - force a version. This is useful for identifying concepts during - lookup stages without having partially valid types - properties: - group: - type: string - kind: - type: string - required: - - group - - kind - type: object - type: array - description: - description: Description contains optional project description - type: string - destinations: - description: Destinations contains list of destinations available - for deployment - items: - description: ApplicationDestination holds information about the - application's destination - properties: - name: - description: Name is an alternate way of specifying the target - cluster by its symbolic name - type: string - namespace: - description: Namespace specifies the target namespace for the - application's resources. 
The namespace will only be set for - namespace-scoped resources that have not set a value for .metadata.namespace - type: string - server: - description: Server specifies the URL of the target cluster - and must be set to the Kubernetes control plane API - type: string - type: object - type: array - namespaceResourceBlacklist: - description: NamespaceResourceBlacklist contains list of blacklisted - namespace level resources - items: - description: GroupKind specifies a Group and a Kind, but does not - force a version. This is useful for identifying concepts during - lookup stages without having partially valid types - properties: - group: - type: string - kind: - type: string - required: - - group - - kind - type: object - type: array - namespaceResourceWhitelist: - description: NamespaceResourceWhitelist contains list of whitelisted - namespace level resources - items: - description: GroupKind specifies a Group and a Kind, but does not - force a version. This is useful for identifying concepts during - lookup stages without having partially valid types - properties: - group: - type: string - kind: - type: string - required: - - group - - kind - type: object - type: array - orphanedResources: - description: OrphanedResources specifies if controller should monitor - orphaned resources of apps in this project - properties: - ignore: - description: Ignore contains a list of resources that are to be - excluded from orphaned resources monitoring - items: - description: OrphanedResourceKey is a reference to a resource - to be ignored from - properties: - group: - type: string - kind: - type: string - name: - type: string - type: object - type: array - warn: - description: Warn indicates if warning condition should be created - for apps which have orphaned resources - type: boolean - type: object - roles: - description: Roles are user defined RBAC roles associated with this - project - items: - description: ProjectRole represents a role that has access to a - project - 
properties: - description: - description: Description is a description of the role - type: string - groups: - description: Groups are a list of OIDC group claims bound to - this role - items: - type: string - type: array - jwtTokens: - description: JWTTokens are a list of generated JWT tokens bound - to this role - items: - description: JWTToken holds the issuedAt and expiresAt values - of a token - properties: - exp: - format: int64 - type: integer - iat: - format: int64 - type: integer - id: - type: string - required: - - iat - type: object - type: array - name: - description: Name is a name for this role - type: string - policies: - description: Policies Stores a list of casbin formatted strings - that define access policies for the role in the project - items: - type: string - type: array - required: - - name - type: object - type: array - signatureKeys: - description: SignatureKeys contains a list of PGP key IDs that commits - in Git must be signed with in order to be allowed for sync - items: - description: SignatureKey is the specification of a key required - to verify commit signatures with - properties: - keyID: - description: The ID of the key in hexadecimal notation - type: string - required: - - keyID - type: object - type: array - sourceRepos: - description: SourceRepos contains list of repository URLs which can - be used for deployment - items: - type: string - type: array - syncWindows: - description: SyncWindows controls when syncs can be run for apps in - this project - items: - description: SyncWindow contains the kind, time, duration and attributes - that are used to assign the syncWindows to apps - properties: - applications: - description: Applications contains a list of applications that - the window will apply to - items: - type: string - type: array - clusters: - description: Clusters contains a list of clusters that the window - will apply to - items: - type: string - type: array - duration: - description: Duration is the amount of time the 
sync window - will be open - type: string - kind: - description: Kind defines if the window allows or blocks syncs - type: string - manualSync: - description: ManualSync enables manual syncs when they would - otherwise be blocked - type: boolean - namespaces: - description: Namespaces contains a list of namespaces that the - window will apply to - items: - type: string - type: array - schedule: - description: Schedule is the time the window will begin, specified - in cron format - type: string - timeZone: - description: TimeZone of the sync that will be applied to the - schedule - type: string - type: object - type: array - type: object - status: - description: AppProjectStatus contains status information for AppProject - CRs - properties: - jwtTokensByRole: - additionalProperties: - description: JWTTokens represents a list of JWT tokens - properties: - items: - items: - description: JWTToken holds the issuedAt and expiresAt values - of a token - properties: - exp: - format: int64 - type: integer - iat: - format: int64 - type: integer - id: - type: string - required: - - iat - type: object - type: array - type: object - description: JWTTokensByRole contains a list of JWT tokens issued - for a given role - type: object - type: object - required: - - metadata - - spec - type: object - served: true - storage: true ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - app.kubernetes.io/component: application-controller - app.kubernetes.io/name: argocd-application-controller - app.kubernetes.io/part-of: argocd - name: argocd-application-controller ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - app.kubernetes.io/component: controller - app.kubernetes.io/name: argocd-applicationset-controller - app.kubernetes.io/part-of: argocd-applicationset - name: argocd-applicationset-controller ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - app.kubernetes.io/component: dex-server - app.kubernetes.io/name: argocd-dex-server - 
app.kubernetes.io/part-of: argocd - name: argocd-dex-server ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: argocd-notifications-controller ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - app.kubernetes.io/component: redis - app.kubernetes.io/name: argocd-redis - app.kubernetes.io/part-of: argocd - name: argocd-redis ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - app.kubernetes.io/component: repo-server - app.kubernetes.io/name: argocd-repo-server - app.kubernetes.io/part-of: argocd - name: argocd-repo-server ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - app.kubernetes.io/component: server - app.kubernetes.io/name: argocd-server - app.kubernetes.io/part-of: argocd - name: argocd-server ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - labels: - app.kubernetes.io/component: application-controller - app.kubernetes.io/name: argocd-application-controller - app.kubernetes.io/part-of: argocd - name: argocd-application-controller -rules: -- apiGroups: - - "" - resources: - - secrets - - configmaps - verbs: - - get - - list - - watch -- apiGroups: - - argoproj.io - resources: - - applications - - appprojects - verbs: - - create - - get - - list - - watch - - update - - patch - - delete -- apiGroups: - - "" - resources: - - events - verbs: - - create - - list ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - labels: - app.kubernetes.io/component: controller - app.kubernetes.io/name: argocd-applicationset-controller - app.kubernetes.io/part-of: argocd-applicationset - name: argocd-applicationset-controller -rules: -- apiGroups: - - argoproj.io - resources: - - applications - - applicationsets - - applicationsets/finalizers - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - argoproj.io - resources: - - appprojects - verbs: - - get -- apiGroups: - - argoproj.io - resources: - - applicationsets/status - verbs: - - get - 
- patch - - update -- apiGroups: - - "" - resources: - - events - verbs: - - create - - get - - list - - patch - - watch -- apiGroups: - - "" - resources: - - secrets - - configmaps - verbs: - - get - - list - - watch -- apiGroups: - - apps - - extensions - resources: - - deployments - verbs: - - get - - list - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - labels: - app.kubernetes.io/component: dex-server - app.kubernetes.io/name: argocd-dex-server - app.kubernetes.io/part-of: argocd - name: argocd-dex-server -rules: -- apiGroups: - - "" - resources: - - secrets - - configmaps - verbs: - - get - - list - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: argocd-notifications-controller -rules: -- apiGroups: - - argoproj.io - resources: - - applications - - appprojects - verbs: - - get - - list - - watch - - update - - patch -- apiGroups: - - "" - resources: - - configmaps - - secrets - verbs: - - list - - watch -- apiGroups: - - "" - resourceNames: - - argocd-notifications-cm - resources: - - configmaps - verbs: - - get -- apiGroups: - - "" - resourceNames: - - argocd-notifications-secret - resources: - - secrets - verbs: - - get ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - labels: - app.kubernetes.io/component: server - app.kubernetes.io/name: argocd-server - app.kubernetes.io/part-of: argocd - name: argocd-server -rules: -- apiGroups: - - "" - resources: - - secrets - - configmaps - verbs: - - create - - get - - list - - watch - - update - - patch - - delete -- apiGroups: - - argoproj.io - resources: - - applications - - appprojects - verbs: - - create - - get - - list - - watch - - update - - delete - - patch -- apiGroups: - - "" - resources: - - events - verbs: - - create - - list ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app.kubernetes.io/component: application-controller - app.kubernetes.io/name: 
argocd-application-controller - app.kubernetes.io/part-of: argocd - name: argocd-application-controller -rules: -- apiGroups: - - '*' - resources: - - '*' - verbs: - - '*' -- nonResourceURLs: - - '*' - verbs: - - '*' ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app.kubernetes.io/component: server - app.kubernetes.io/name: argocd-server - app.kubernetes.io/part-of: argocd - name: argocd-server -rules: -- apiGroups: - - '*' - resources: - - '*' - verbs: - - delete - - get - - patch -- apiGroups: - - "" - resources: - - events - verbs: - - list -- apiGroups: - - "" - resources: - - pods - - pods/log - verbs: - - get ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - labels: - app.kubernetes.io/component: application-controller - app.kubernetes.io/name: argocd-application-controller - app.kubernetes.io/part-of: argocd - name: argocd-application-controller -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: argocd-application-controller -subjects: -- kind: ServiceAccount - name: argocd-application-controller ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - labels: - app.kubernetes.io/component: controller - app.kubernetes.io/name: argocd-applicationset-controller - app.kubernetes.io/part-of: argocd-applicationset - name: argocd-applicationset-controller -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: argocd-applicationset-controller -subjects: -- kind: ServiceAccount - name: argocd-applicationset-controller ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - labels: - app.kubernetes.io/component: dex-server - app.kubernetes.io/name: argocd-dex-server - app.kubernetes.io/part-of: argocd - name: argocd-dex-server -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: argocd-dex-server -subjects: -- kind: ServiceAccount - name: argocd-dex-server ---- -apiVersion: rbac.authorization.k8s.io/v1 
-kind: RoleBinding -metadata: - name: argocd-notifications-controller -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: argocd-notifications-controller -subjects: -- kind: ServiceAccount - name: argocd-notifications-controller ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - labels: - app.kubernetes.io/component: redis - app.kubernetes.io/name: argocd-redis - app.kubernetes.io/part-of: argocd - name: argocd-redis -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: argocd-redis -subjects: -- kind: ServiceAccount - name: argocd-redis ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - labels: - app.kubernetes.io/component: server - app.kubernetes.io/name: argocd-server - app.kubernetes.io/part-of: argocd - name: argocd-server -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: argocd-server -subjects: -- kind: ServiceAccount - name: argocd-server ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app.kubernetes.io/component: application-controller - app.kubernetes.io/name: argocd-application-controller - app.kubernetes.io/part-of: argocd - name: argocd-application-controller -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: argocd-application-controller -subjects: -- kind: ServiceAccount - name: argocd-application-controller - namespace: argocd ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app.kubernetes.io/component: server - app.kubernetes.io/name: argocd-server - app.kubernetes.io/part-of: argocd - name: argocd-server -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: argocd-server -subjects: -- kind: ServiceAccount - name: argocd-server - namespace: argocd ---- -apiVersion: v1 -kind: ConfigMap -metadata: - labels: - app.kubernetes.io/name: argocd-cm - app.kubernetes.io/part-of: argocd - name: argocd-cm ---- 
-apiVersion: v1 -kind: ConfigMap -metadata: - labels: - app.kubernetes.io/name: argocd-cmd-params-cm - app.kubernetes.io/part-of: argocd - name: argocd-cmd-params-cm ---- -apiVersion: v1 -kind: ConfigMap -metadata: - labels: - app.kubernetes.io/name: argocd-gpg-keys-cm - app.kubernetes.io/part-of: argocd - name: argocd-gpg-keys-cm ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: argocd-notifications-cm ---- -apiVersion: v1 -kind: ConfigMap -metadata: - labels: - app.kubernetes.io/name: argocd-rbac-cm - app.kubernetes.io/part-of: argocd - name: argocd-rbac-cm ---- -apiVersion: v1 -data: - ssh_known_hosts: |- - bitbucket.org ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAubiN81eDcafrgMeLzaFPsw2kNvEcqTKl/VqLat/MaB33pZy0y3rJZtnqwR2qOOvbwKZYKiEO1O6VqNEBxKvJJelCq0dTXWT5pbO2gDXC6h6QDXCaHo6pOHGPUy+YBaGQRGuSusMEASYiWunYN0vCAI8QaXnWMXNMdFP3jHAJH0eDsoiGnLPBlBp4TNm6rYI74nMzgz3B9IikW4WVK+dc8KZJZWYjAuORU3jc1c/NPskD2ASinf8v3xnfXeukU0sJ5N6m5E8VLjObPEO+mN2t/FZTMZLiFqPWc/ALSqnMnnhwrNi2rbfg/rd/IpL8Le3pSBne8+seeFVBoGqzHM9yXw== - github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ== - gitlab.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFSMqzJeV9rUzU4kWitGjeR4PWSa29SPqJ1fVkhtj3Hw9xjLVXVYrU9QlYWrOLXBpQ6KWjbjTDTdDkoohFzgbEY= - gitlab.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf - gitlab.com ssh-rsa 
AAAAB3NzaC1yc2EAAAADAQABAAABAQCsj2bNKTBSpIYDEGk9KxsGh3mySTRgMtXL583qmBpzeQ+jqCMRgBqB98u3z++J1sKlXHWfM9dyhSevkMwSbhoR8XIq/U0tCNyokEi/ueaBMCvbcTHhO7FcwzY92WK4Yt0aGROY5qX2UKSeOvuP4D6TPqKF1onrSzH9bx9XUf2lEdWT/ia1NEKjunUqu1xOB/StKDHMoX4/OKyIzuS0q/T1zOATthvasJFoPrAjkohTyaDUz2LN5JoH839hViyEG82yB+MjcFV5MU3N1l1QL3cVUCh93xSaua1N85qivl+siMkPGbO5xR/En4iEY6K2XPASUEMaieWVNTRCtJ4S8H+9 - ssh.dev.azure.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7Hr1oTWqNqOlzGJOfGJ4NakVyIzf1rXYd4d7wo6jBlkLvCA4odBlL0mDUyZ0/QUfTTqeu+tm22gOsv+VrVTMk6vwRU75gY/y9ut5Mb3bR5BV58dKXyq9A9UeB5Cakehn5Zgm6x1mKoVyf+FFn26iYqXJRgzIZZcZ5V6hrE0Qg39kZm4az48o0AUbf6Sp4SLdvnuMa2sVNwHBboS7EJkm57XQPVU3/QpyNLHbWDdzwtrlS+ez30S3AdYhLKEOxAG8weOnyrtLJAUen9mTkol8oII1edf7mWWbWVf0nBmly21+nZcmCTISQBtdcyPaEno7fFQMDD26/s0lfKob4Kw8H - vs-ssh.visualstudio.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7Hr1oTWqNqOlzGJOfGJ4NakVyIzf1rXYd4d7wo6jBlkLvCA4odBlL0mDUyZ0/QUfTTqeu+tm22gOsv+VrVTMk6vwRU75gY/y9ut5Mb3bR5BV58dKXyq9A9UeB5Cakehn5Zgm6x1mKoVyf+FFn26iYqXJRgzIZZcZ5V6hrE0Qg39kZm4az48o0AUbf6Sp4SLdvnuMa2sVNwHBboS7EJkm57XQPVU3/QpyNLHbWDdzwtrlS+ez30S3AdYhLKEOxAG8weOnyrtLJAUen9mTkol8oII1edf7mWWbWVf0nBmly21+nZcmCTISQBtdcyPaEno7fFQMDD26/s0lfKob4Kw8H - github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg= - github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl -kind: ConfigMap -metadata: - labels: - app.kubernetes.io/name: argocd-ssh-known-hosts-cm - app.kubernetes.io/part-of: argocd - name: argocd-ssh-known-hosts-cm ---- -apiVersion: v1 -kind: ConfigMap -metadata: - labels: - app.kubernetes.io/name: argocd-tls-certs-cm - app.kubernetes.io/part-of: argocd - name: argocd-tls-certs-cm ---- -apiVersion: v1 -kind: Secret -metadata: - name: argocd-notifications-secret -type: Opaque ---- -apiVersion: v1 -kind: Secret -metadata: - labels: - app.kubernetes.io/name: argocd-secret - app.kubernetes.io/part-of: 
argocd - name: argocd-secret -type: Opaque ---- -apiVersion: v1 -kind: Service -metadata: - labels: - app.kubernetes.io/component: controller - app.kubernetes.io/name: argocd-applicationset-controller - app.kubernetes.io/part-of: argocd-applicationset - name: argocd-applicationset-controller -spec: - ports: - - name: webhook - port: 7000 - protocol: TCP - targetPort: webhook - - name: metrics - port: 8080 - protocol: TCP - targetPort: metrics - selector: - app.kubernetes.io/name: argocd-applicationset-controller ---- -apiVersion: v1 -kind: Service -metadata: - labels: - app.kubernetes.io/component: dex-server - app.kubernetes.io/name: argocd-dex-server - app.kubernetes.io/part-of: argocd - name: argocd-dex-server -spec: - ports: - - name: http - port: 5556 - protocol: TCP - targetPort: 5556 - - name: grpc - port: 5557 - protocol: TCP - targetPort: 5557 - - name: metrics - port: 5558 - protocol: TCP - targetPort: 5558 - selector: - app.kubernetes.io/name: argocd-dex-server ---- -apiVersion: v1 -kind: Service -metadata: - labels: - app.kubernetes.io/component: metrics - app.kubernetes.io/name: argocd-metrics - app.kubernetes.io/part-of: argocd - name: argocd-metrics -spec: - ports: - - name: metrics - port: 8082 - protocol: TCP - targetPort: 8082 - selector: - app.kubernetes.io/name: argocd-application-controller ---- -apiVersion: v1 -kind: Service -metadata: - labels: - app.kubernetes.io/name: argocd-notifications-controller-metrics - name: argocd-notifications-controller-metrics -spec: - ports: - - name: metrics - port: 9001 - protocol: TCP - targetPort: 9001 - selector: - app.kubernetes.io/name: argocd-notifications-controller ---- -apiVersion: v1 -kind: Service -metadata: - labels: - app.kubernetes.io/component: redis - app.kubernetes.io/name: argocd-redis - app.kubernetes.io/part-of: argocd - name: argocd-redis -spec: - ports: - - name: tcp-redis - port: 6379 - targetPort: 6379 - selector: - app.kubernetes.io/name: argocd-redis ---- -apiVersion: v1 -kind: 
Service -metadata: - labels: - app.kubernetes.io/component: repo-server - app.kubernetes.io/name: argocd-repo-server - app.kubernetes.io/part-of: argocd - name: argocd-repo-server -spec: - ports: - - name: server - port: 8081 - protocol: TCP - targetPort: 8081 - - name: metrics - port: 8084 - protocol: TCP - targetPort: 8084 - selector: - app.kubernetes.io/name: argocd-repo-server ---- -apiVersion: v1 -kind: Service -metadata: - labels: - app.kubernetes.io/component: server - app.kubernetes.io/name: argocd-server - app.kubernetes.io/part-of: argocd - name: argocd-server -spec: - ports: - - name: http - port: 80 - protocol: TCP - targetPort: 8080 - - name: https - port: 443 - protocol: TCP - targetPort: 8080 - selector: - app.kubernetes.io/name: argocd-server ---- -apiVersion: v1 -kind: Service -metadata: - labels: - app.kubernetes.io/component: server - app.kubernetes.io/name: argocd-server-metrics - app.kubernetes.io/part-of: argocd - name: argocd-server-metrics -spec: - ports: - - name: metrics - port: 8083 - protocol: TCP - targetPort: 8083 - selector: - app.kubernetes.io/name: argocd-server ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app.kubernetes.io/component: controller - app.kubernetes.io/name: argocd-applicationset-controller - app.kubernetes.io/part-of: argocd-applicationset - name: argocd-applicationset-controller -spec: - selector: - matchLabels: - app.kubernetes.io/name: argocd-applicationset-controller - template: - metadata: - labels: - app.kubernetes.io/name: argocd-applicationset-controller - spec: - containers: - - command: - - entrypoint.sh - - argocd-applicationset-controller - env: - - name: NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - image: quay.io/argoproj/argocd:v2.4.11 - imagePullPolicy: Always - name: argocd-applicationset-controller - ports: - - containerPort: 7000 - name: webhook - - containerPort: 8080 - name: metrics - securityContext: - allowPrivilegeEscalation: false - capabilities: - 
drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - volumeMounts: - - mountPath: /app/config/ssh - name: ssh-known-hosts - - mountPath: /app/config/tls - name: tls-certs - - mountPath: /app/config/gpg/source - name: gpg-keys - - mountPath: /app/config/gpg/keys - name: gpg-keyring - - mountPath: /tmp - name: tmp - serviceAccountName: argocd-applicationset-controller - volumes: - - configMap: - name: argocd-ssh-known-hosts-cm - name: ssh-known-hosts - - configMap: - name: argocd-tls-certs-cm - name: tls-certs - - configMap: - name: argocd-gpg-keys-cm - name: gpg-keys - - emptyDir: {} - name: gpg-keyring - - emptyDir: {} - name: tmp ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app.kubernetes.io/component: dex-server - app.kubernetes.io/name: argocd-dex-server - app.kubernetes.io/part-of: argocd - name: argocd-dex-server -spec: - selector: - matchLabels: - app.kubernetes.io/name: argocd-dex-server - template: - metadata: - labels: - app.kubernetes.io/name: argocd-dex-server - spec: - affinity: - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - podAffinityTerm: - labelSelector: - matchLabels: - app.kubernetes.io/part-of: argocd - topologyKey: kubernetes.io/hostname - weight: 5 - containers: - - command: - - /shared/argocd-dex - - rundex - image: ghcr.io/dexidp/dex:v2.32.0 - imagePullPolicy: Always - name: dex - ports: - - containerPort: 5556 - - containerPort: 5557 - - containerPort: 5558 - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - volumeMounts: - - mountPath: /shared - name: static-files - - mountPath: /tmp - name: dexconfig - initContainers: - - command: - - cp - - -n - - /usr/local/bin/argocd - - /shared/argocd-dex - image: quay.io/argoproj/argocd:v2.4.11 - imagePullPolicy: Always - name: copyutil - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - 
runAsNonRoot: true - volumeMounts: - - mountPath: /shared - name: static-files - - mountPath: /tmp - name: dexconfig - serviceAccountName: argocd-dex-server - volumes: - - emptyDir: {} - name: static-files - - emptyDir: {} - name: dexconfig ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: argocd-notifications-controller -spec: - selector: - matchLabels: - app.kubernetes.io/name: argocd-notifications-controller - strategy: - type: Recreate - template: - metadata: - labels: - app.kubernetes.io/name: argocd-notifications-controller - spec: - containers: - - command: - - argocd-notifications - image: quay.io/argoproj/argocd:v2.4.11 - imagePullPolicy: Always - livenessProbe: - tcpSocket: - port: 9001 - name: argocd-notifications-controller - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - volumeMounts: - - mountPath: /app/config/tls - name: tls-certs - - mountPath: /app/config/reposerver/tls - name: argocd-repo-server-tls - workingDir: /app - securityContext: - runAsNonRoot: true - serviceAccountName: argocd-notifications-controller - volumes: - - configMap: - name: argocd-tls-certs-cm - name: tls-certs - - name: argocd-repo-server-tls - secret: - items: - - key: tls.crt - path: tls.crt - - key: tls.key - path: tls.key - - key: ca.crt - path: ca.crt - optional: true - secretName: argocd-repo-server-tls ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app.kubernetes.io/component: redis - app.kubernetes.io/name: argocd-redis - app.kubernetes.io/part-of: argocd - name: argocd-redis -spec: - selector: - matchLabels: - app.kubernetes.io/name: argocd-redis - template: - metadata: - labels: - app.kubernetes.io/name: argocd-redis - spec: - affinity: - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - podAffinityTerm: - labelSelector: - matchLabels: - app.kubernetes.io/name: argocd-redis - topologyKey: kubernetes.io/hostname - weight: 100 - - podAffinityTerm: 
- labelSelector: - matchLabels: - app.kubernetes.io/part-of: argocd - topologyKey: kubernetes.io/hostname - weight: 5 - containers: - - args: - - --save - - "" - - --appendonly - - "no" - image: redis:7.0.4-alpine - imagePullPolicy: Always - name: redis - ports: - - containerPort: 6379 - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - all - securityContext: - runAsNonRoot: true - runAsUser: 999 - serviceAccountName: argocd-redis ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app.kubernetes.io/component: repo-server - app.kubernetes.io/name: argocd-repo-server - app.kubernetes.io/part-of: argocd - name: argocd-repo-server -spec: - selector: - matchLabels: - app.kubernetes.io/name: argocd-repo-server - template: - metadata: - labels: - app.kubernetes.io/name: argocd-repo-server - spec: - affinity: - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - podAffinityTerm: - labelSelector: - matchLabels: - app.kubernetes.io/name: argocd-repo-server - topologyKey: kubernetes.io/hostname - weight: 100 - - podAffinityTerm: - labelSelector: - matchLabels: - app.kubernetes.io/part-of: argocd - topologyKey: kubernetes.io/hostname - weight: 5 - automountServiceAccountToken: false - containers: - - command: - - sh - - -c - - entrypoint.sh argocd-repo-server --redis argocd-redis:6379 - env: - - name: ARGOCD_RECONCILIATION_TIMEOUT - valueFrom: - configMapKeyRef: - key: timeout.reconciliation - name: argocd-cm - optional: true - - name: ARGOCD_REPO_SERVER_LOGFORMAT - valueFrom: - configMapKeyRef: - key: reposerver.log.format - name: argocd-cmd-params-cm - optional: true - - name: ARGOCD_REPO_SERVER_LOGLEVEL - valueFrom: - configMapKeyRef: - key: reposerver.log.level - name: argocd-cmd-params-cm - optional: true - - name: ARGOCD_REPO_SERVER_PARALLELISM_LIMIT - valueFrom: - configMapKeyRef: - key: reposerver.parallelism.limit - name: argocd-cmd-params-cm - optional: true - - name: ARGOCD_REPO_SERVER_DISABLE_TLS - 
valueFrom: - configMapKeyRef: - key: reposerver.disable.tls - name: argocd-cmd-params-cm - optional: true - - name: ARGOCD_TLS_MIN_VERSION - valueFrom: - configMapKeyRef: - key: reposerver.tls.minversion - name: argocd-cmd-params-cm - optional: true - - name: ARGOCD_TLS_MAX_VERSION - valueFrom: - configMapKeyRef: - key: reposerver.tls.maxversion - name: argocd-cmd-params-cm - optional: true - - name: ARGOCD_TLS_CIPHERS - valueFrom: - configMapKeyRef: - key: reposerver.tls.ciphers - name: argocd-cmd-params-cm - optional: true - - name: ARGOCD_REPO_CACHE_EXPIRATION - valueFrom: - configMapKeyRef: - key: reposerver.repo.cache.expiration - name: argocd-cmd-params-cm - optional: true - - name: REDIS_SERVER - valueFrom: - configMapKeyRef: - key: redis.server - name: argocd-cmd-params-cm - optional: true - - name: REDISDB - valueFrom: - configMapKeyRef: - key: redis.db - name: argocd-cmd-params-cm - optional: true - - name: ARGOCD_DEFAULT_CACHE_EXPIRATION - valueFrom: - configMapKeyRef: - key: reposerver.default.cache.expiration - name: argocd-cmd-params-cm - optional: true - - name: ARGOCD_REPO_SERVER_OTLP_ADDRESS - valueFrom: - configMapKeyRef: - key: otlp.address - name: argocd-cmd-params-cm - optional: true - - name: ARGOCD_REPO_SERVER_MAX_COMBINED_DIRECTORY_MANIFESTS_SIZE - valueFrom: - configMapKeyRef: - key: reposerver.max.combined.directory.manifests.size - name: argocd-cmd-params-cm - optional: true - - name: ARGOCD_REPO_SERVER_PLUGIN_TAR_EXCLUSIONS - valueFrom: - configMapKeyRef: - key: reposerver.plugin.tar.exclusions - name: argocd-cmd-params-cm - optional: true - - name: HELM_CACHE_HOME - value: /helm-working-dir - - name: HELM_CONFIG_HOME - value: /helm-working-dir - - name: HELM_DATA_HOME - value: /helm-working-dir - image: quay.io/argoproj/argocd:v2.4.11 - imagePullPolicy: Always - livenessProbe: - failureThreshold: 3 - httpGet: - path: /healthz?full=true - port: 8084 - initialDelaySeconds: 30 - periodSeconds: 5 - name: argocd-repo-server - ports: - - 
containerPort: 8081 - - containerPort: 8084 - readinessProbe: - httpGet: - path: /healthz - port: 8084 - initialDelaySeconds: 5 - periodSeconds: 10 - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - all - readOnlyRootFilesystem: true - runAsNonRoot: true - volumeMounts: - - mountPath: /app/config/ssh - name: ssh-known-hosts - - mountPath: /app/config/tls - name: tls-certs - - mountPath: /app/config/gpg/source - name: gpg-keys - - mountPath: /app/config/gpg/keys - name: gpg-keyring - - mountPath: /app/config/reposerver/tls - name: argocd-repo-server-tls - - mountPath: /tmp - name: tmp - - mountPath: /helm-working-dir - name: helm-working-dir - - mountPath: /home/argocd/cmp-server/plugins - name: plugins - initContainers: - - command: - - cp - - -n - - /usr/local/bin/argocd - - /var/run/argocd/argocd-cmp-server - image: quay.io/argoproj/argocd:v2.4.11 - name: copyutil - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - all - readOnlyRootFilesystem: true - runAsNonRoot: true - volumeMounts: - - mountPath: /var/run/argocd - name: var-files - serviceAccountName: argocd-repo-server - volumes: - - configMap: - name: argocd-ssh-known-hosts-cm - name: ssh-known-hosts - - configMap: - name: argocd-tls-certs-cm - name: tls-certs - - configMap: - name: argocd-gpg-keys-cm - name: gpg-keys - - emptyDir: {} - name: gpg-keyring - - emptyDir: {} - name: tmp - - emptyDir: {} - name: helm-working-dir - - name: argocd-repo-server-tls - secret: - items: - - key: tls.crt - path: tls.crt - - key: tls.key - path: tls.key - - key: ca.crt - path: ca.crt - optional: true - secretName: argocd-repo-server-tls - - emptyDir: {} - name: var-files - - emptyDir: {} - name: plugins ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app.kubernetes.io/component: server - app.kubernetes.io/name: argocd-server - app.kubernetes.io/part-of: argocd - name: argocd-server -spec: - selector: - matchLabels: - app.kubernetes.io/name: 
argocd-server - template: - metadata: - labels: - app.kubernetes.io/name: argocd-server - spec: - affinity: - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - podAffinityTerm: - labelSelector: - matchLabels: - app.kubernetes.io/name: argocd-server - topologyKey: kubernetes.io/hostname - weight: 100 - - podAffinityTerm: - labelSelector: - matchLabels: - app.kubernetes.io/part-of: argocd - topologyKey: kubernetes.io/hostname - weight: 5 - containers: - - command: - - argocd-server - env: - - name: ARGOCD_SERVER_INSECURE - valueFrom: - configMapKeyRef: - key: server.insecure - name: argocd-cmd-params-cm - optional: true - - name: ARGOCD_SERVER_BASEHREF - valueFrom: - configMapKeyRef: - key: server.basehref - name: argocd-cmd-params-cm - optional: true - - name: ARGOCD_SERVER_ROOTPATH - valueFrom: - configMapKeyRef: - key: server.rootpath - name: argocd-cmd-params-cm - optional: true - - name: ARGOCD_SERVER_LOGFORMAT - valueFrom: - configMapKeyRef: - key: server.log.format - name: argocd-cmd-params-cm - optional: true - - name: ARGOCD_REPO_SERVER_LOGLEVEL - valueFrom: - configMapKeyRef: - key: server.log.level - name: argocd-cmd-params-cm - optional: true - - name: ARGOCD_SERVER_REPO_SERVER - valueFrom: - configMapKeyRef: - key: repo.server - name: argocd-cmd-params-cm - optional: true - - name: ARGOCD_SERVER_DEX_SERVER - valueFrom: - configMapKeyRef: - key: server.dex.server - name: argocd-cmd-params-cm - optional: true - - name: ARGOCD_SERVER_DISABLE_AUTH - valueFrom: - configMapKeyRef: - key: server.disable.auth - name: argocd-cmd-params-cm - optional: true - - name: ARGOCD_SERVER_ENABLE_GZIP - valueFrom: - configMapKeyRef: - key: server.enable.gzip - name: argocd-cmd-params-cm - optional: true - - name: ARGOCD_SERVER_REPO_SERVER_TIMEOUT_SECONDS - valueFrom: - configMapKeyRef: - key: server.repo.server.timeout.seconds - name: argocd-cmd-params-cm - optional: true - - name: ARGOCD_SERVER_X_FRAME_OPTIONS - valueFrom: - configMapKeyRef: - key: 
server.x.frame.options - name: argocd-cmd-params-cm - optional: true - - name: ARGOCD_SERVER_CONTENT_SECURITY_POLICY - valueFrom: - configMapKeyRef: - key: server.content.security.policy - name: argocd-cmd-params-cm - optional: true - - name: ARGOCD_SERVER_REPO_SERVER_PLAINTEXT - valueFrom: - configMapKeyRef: - key: server.repo.server.plaintext - name: argocd-cmd-params-cm - optional: true - - name: ARGOCD_SERVER_REPO_SERVER_STRICT_TLS - valueFrom: - configMapKeyRef: - key: server.repo.server.strict.tls - name: argocd-cmd-params-cm - optional: true - - name: ARGOCD_TLS_MIN_VERSION - valueFrom: - configMapKeyRef: - key: server.tls.minversion - name: argocd-cmd-params-cm - optional: true - - name: ARGOCD_TLS_MAX_VERSION - valueFrom: - configMapKeyRef: - key: server.tls.maxversion - name: argocd-cmd-params-cm - optional: true - - name: ARGOCD_TLS_CIPHERS - valueFrom: - configMapKeyRef: - key: server.tls.ciphers - name: argocd-cmd-params-cm - optional: true - - name: ARGOCD_SERVER_CONNECTION_STATUS_CACHE_EXPIRATION - valueFrom: - configMapKeyRef: - key: server.connection.status.cache.expiration - name: argocd-cmd-params-cm - optional: true - - name: ARGOCD_SERVER_OIDC_CACHE_EXPIRATION - valueFrom: - configMapKeyRef: - key: server.oidc.cache.expiration - name: argocd-cmd-params-cm - optional: true - - name: ARGOCD_SERVER_LOGIN_ATTEMPTS_EXPIRATION - valueFrom: - configMapKeyRef: - key: server.login.attempts.expiration - name: argocd-cmd-params-cm - optional: true - - name: ARGOCD_SERVER_STATIC_ASSETS - valueFrom: - configMapKeyRef: - key: server.staticassets - name: argocd-cmd-params-cm - optional: true - - name: ARGOCD_APP_STATE_CACHE_EXPIRATION - valueFrom: - configMapKeyRef: - key: server.app.state.cache.expiration - name: argocd-cmd-params-cm - optional: true - - name: REDIS_SERVER - valueFrom: - configMapKeyRef: - key: redis.server - name: argocd-cmd-params-cm - optional: true - - name: REDISDB - valueFrom: - configMapKeyRef: - key: redis.db - name: 
argocd-cmd-params-cm - optional: true - - name: ARGOCD_DEFAULT_CACHE_EXPIRATION - valueFrom: - configMapKeyRef: - key: server.default.cache.expiration - name: argocd-cmd-params-cm - optional: true - - name: ARGOCD_MAX_COOKIE_NUMBER - valueFrom: - configMapKeyRef: - key: server.http.cookie.maxnumber - name: argocd-cmd-params-cm - optional: true - - name: ARGOCD_SERVER_OTLP_ADDRESS - valueFrom: - configMapKeyRef: - key: otlp.address - name: argocd-cmd-params-cm - optional: true - image: quay.io/argoproj/argocd:v2.4.11 - imagePullPolicy: Always - livenessProbe: - httpGet: - path: /healthz?full=true - port: 8080 - initialDelaySeconds: 3 - periodSeconds: 30 - name: argocd-server - ports: - - containerPort: 8080 - - containerPort: 8083 - readinessProbe: - httpGet: - path: /healthz - port: 8080 - initialDelaySeconds: 3 - periodSeconds: 30 - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - all - readOnlyRootFilesystem: true - runAsNonRoot: true - volumeMounts: - - mountPath: /app/config/ssh - name: ssh-known-hosts - - mountPath: /app/config/tls - name: tls-certs - - mountPath: /app/config/server/tls - name: argocd-repo-server-tls - - mountPath: /home/argocd - name: plugins-home - - mountPath: /tmp - name: tmp - serviceAccountName: argocd-server - volumes: - - emptyDir: {} - name: plugins-home - - emptyDir: {} - name: tmp - - configMap: - name: argocd-ssh-known-hosts-cm - name: ssh-known-hosts - - configMap: - name: argocd-tls-certs-cm - name: tls-certs - - name: argocd-repo-server-tls - secret: - items: - - key: tls.crt - path: tls.crt - - key: tls.key - path: tls.key - - key: ca.crt - path: ca.crt - optional: true - secretName: argocd-repo-server-tls ---- -apiVersion: apps/v1 -kind: StatefulSet -metadata: - labels: - app.kubernetes.io/component: application-controller - app.kubernetes.io/name: argocd-application-controller - app.kubernetes.io/part-of: argocd - name: argocd-application-controller -spec: - replicas: 1 - selector: - matchLabels: 
- app.kubernetes.io/name: argocd-application-controller - serviceName: argocd-application-controller - template: - metadata: - labels: - app.kubernetes.io/name: argocd-application-controller - spec: - affinity: - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - podAffinityTerm: - labelSelector: - matchLabels: - app.kubernetes.io/name: argocd-application-controller - topologyKey: kubernetes.io/hostname - weight: 100 - - podAffinityTerm: - labelSelector: - matchLabels: - app.kubernetes.io/part-of: argocd - topologyKey: kubernetes.io/hostname - weight: 5 - containers: - - command: - - argocd-application-controller - env: - - name: ARGOCD_CONTROLLER_REPLICAS - value: "1" - - name: ARGOCD_RECONCILIATION_TIMEOUT - valueFrom: - configMapKeyRef: - key: timeout.reconciliation - name: argocd-cm - optional: true - - name: ARGOCD_HARD_RECONCILIATION_TIMEOUT - valueFrom: - configMapKeyRef: - key: timeout.hard.reconciliation - name: argocd-cm - optional: true - - name: ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER - valueFrom: - configMapKeyRef: - key: repo.server - name: argocd-cmd-params-cm - optional: true - - name: ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER_TIMEOUT_SECONDS - valueFrom: - configMapKeyRef: - key: controller.repo.server.timeout.seconds - name: argocd-cmd-params-cm - optional: true - - name: ARGOCD_APPLICATION_CONTROLLER_STATUS_PROCESSORS - valueFrom: - configMapKeyRef: - key: controller.status.processors - name: argocd-cmd-params-cm - optional: true - - name: ARGOCD_APPLICATION_CONTROLLER_OPERATION_PROCESSORS - valueFrom: - configMapKeyRef: - key: controller.operation.processors - name: argocd-cmd-params-cm - optional: true - - name: ARGOCD_APPLICATION_CONTROLLER_LOGFORMAT - valueFrom: - configMapKeyRef: - key: controller.log.format - name: argocd-cmd-params-cm - optional: true - - name: ARGOCD_APPLICATION_CONTROLLER_LOGLEVEL - valueFrom: - configMapKeyRef: - key: controller.log.level - name: argocd-cmd-params-cm - optional: true - - name: 
ARGOCD_APPLICATION_CONTROLLER_METRICS_CACHE_EXPIRATION - valueFrom: - configMapKeyRef: - key: controller.metrics.cache.expiration - name: argocd-cmd-params-cm - optional: true - - name: ARGOCD_APPLICATION_CONTROLLER_SELF_HEAL_TIMEOUT_SECONDS - valueFrom: - configMapKeyRef: - key: controller.self.heal.timeout.seconds - name: argocd-cmd-params-cm - optional: true - - name: ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER_PLAINTEXT - valueFrom: - configMapKeyRef: - key: controller.repo.server.plaintext - name: argocd-cmd-params-cm - optional: true - - name: ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER_STRICT_TLS - valueFrom: - configMapKeyRef: - key: controller.repo.server.strict.tls - name: argocd-cmd-params-cm - optional: true - - name: ARGOCD_APP_STATE_CACHE_EXPIRATION - valueFrom: - configMapKeyRef: - key: controller.app.state.cache.expiration - name: argocd-cmd-params-cm - optional: true - - name: REDIS_SERVER - valueFrom: - configMapKeyRef: - key: redis.server - name: argocd-cmd-params-cm - optional: true - - name: REDISDB - valueFrom: - configMapKeyRef: - key: redis.db - name: argocd-cmd-params-cm - optional: true - - name: ARGOCD_DEFAULT_CACHE_EXPIRATION - valueFrom: - configMapKeyRef: - key: controller.default.cache.expiration - name: argocd-cmd-params-cm - optional: true - - name: ARGOCD_APPLICATION_CONTROLLER_OTLP_ADDRESS - valueFrom: - configMapKeyRef: - key: otlp.address - name: argocd-cmd-params-cm - optional: true - image: quay.io/argoproj/argocd:v2.4.11 - imagePullPolicy: Always - livenessProbe: - httpGet: - path: /healthz - port: 8082 - initialDelaySeconds: 5 - periodSeconds: 10 - name: argocd-application-controller - ports: - - containerPort: 8082 - readinessProbe: - httpGet: - path: /healthz - port: 8082 - initialDelaySeconds: 5 - periodSeconds: 10 - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - all - readOnlyRootFilesystem: true - runAsNonRoot: true - volumeMounts: - - mountPath: /app/config/controller/tls - name: 
argocd-repo-server-tls - - mountPath: /home/argocd - name: argocd-home - workingDir: /home/argocd - serviceAccountName: argocd-application-controller - volumes: - - emptyDir: {} - name: argocd-home - - name: argocd-repo-server-tls - secret: - items: - - key: tls.crt - path: tls.crt - - key: tls.key - path: tls.key - - key: ca.crt - path: ca.crt - optional: true - secretName: argocd-repo-server-tls ---- -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: argocd-application-controller-network-policy -spec: - ingress: - - from: - - namespaceSelector: {} - ports: - - port: 8082 - podSelector: - matchLabels: - app.kubernetes.io/name: argocd-application-controller - policyTypes: - - Ingress ---- -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: argocd-dex-server-network-policy -spec: - ingress: - - from: - - podSelector: - matchLabels: - app.kubernetes.io/name: argocd-server - ports: - - port: 5556 - protocol: TCP - - port: 5557 - protocol: TCP - - from: - - namespaceSelector: {} - ports: - - port: 5558 - protocol: TCP - podSelector: - matchLabels: - app.kubernetes.io/name: argocd-dex-server - policyTypes: - - Ingress ---- -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: argocd-redis-network-policy -spec: - ingress: - - from: - - podSelector: - matchLabels: - app.kubernetes.io/name: argocd-server - - podSelector: - matchLabels: - app.kubernetes.io/name: argocd-repo-server - - podSelector: - matchLabels: - app.kubernetes.io/name: argocd-application-controller - ports: - - port: 6379 - protocol: TCP - podSelector: - matchLabels: - app.kubernetes.io/name: argocd-redis - policyTypes: - - Ingress ---- -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: argocd-repo-server-network-policy -spec: - ingress: - - from: - - podSelector: - matchLabels: - app.kubernetes.io/name: argocd-server - - podSelector: - matchLabels: - app.kubernetes.io/name: argocd-application-controller - - 
podSelector: - matchLabels: - app.kubernetes.io/name: argocd-notifications-controller - ports: - - port: 8081 - protocol: TCP - - from: - - namespaceSelector: {} - ports: - - port: 8084 - podSelector: - matchLabels: - app.kubernetes.io/name: argocd-repo-server - policyTypes: - - Ingress ---- -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: argocd-server-network-policy -spec: - ingress: - - {} - podSelector: - matchLabels: - app.kubernetes.io/name: argocd-server - policyTypes: - - Ingress
diff --git a/apps/argocd-install/kustomization.yaml b/apps/argocd-install/kustomization.yaml
deleted file mode 100644
index 8a86d73..0000000
--- a/apps/argocd-install/kustomization.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-resources:
-- install.yaml
-- ingress-https.yaml
-- ingress-grpc.yaml
-- dfc-k8s-argocd-apps.yaml
-
-patchesStrategicMerge:
-- argocd-server-deployment.yaml
-- argocd-repo-server-deploy.yaml
-- argocd-cm.yaml
-- argocd-rbac-cm.yaml
-- patch-argocd-server-role.yaml
-- patch-argocd-server-cluster-role.yaml
diff --git a/apps/argocd-install/patch-argocd-server-cluster-role.yaml b/apps/argocd-install/patch-argocd-server-cluster-role.yaml
deleted file mode 100644
index 3139944..0000000
--- a/apps/argocd-install/patch-argocd-server-cluster-role.yaml
+++ /dev/null
@@ -1,29 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: argocd-server
-rules:
-- apiGroups: [ "" ]
- resources: [ pods/exec ]
- verbs: [ create ]
-- apiGroups:
- - '*'
- resources:
- - '*'
- verbs:
- - delete
- - get
- - patch
-- apiGroups:
- - ""
- resources:
- - events
- verbs:
- - list
-- apiGroups:
- - ""
- resources:
- - pods
- - pods/log
- verbs:
- - get
diff --git a/apps/argocd-install/patch-argocd-server-role.yaml b/apps/argocd-install/patch-argocd-server-role.yaml
deleted file mode 100644
index 30369f0..0000000
--- a/apps/argocd-install/patch-argocd-server-role.yaml
+++ /dev/null
@@ -1,41 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: argocd-server
-rules:
- - apiGroups: [""]
- resources: [pods/exec]
- verbs: [create]
- - apiGroups:
- - ""
- resources:
- - secrets
- - configmaps
- verbs:
- - create
- - get
- - list
- - watch
- - update
- - patch
- - delete
- - apiGroups:
- - argoproj.io
- resources:
- - applications
- - appprojects
- verbs:
- - create
- - get
- - list
- - watch
- - update
- - delete
- - patch
- - apiGroups:
- - ""
- resources:
- - events
- verbs:
- - create
- - list
diff --git a/apps/argocd-install/plugin/Dockerfile b/apps/argocd-install/plugin/Dockerfile
deleted file mode 100644
index 6402980..0000000
--- a/apps/argocd-install/plugin/Dockerfile
+++ /dev/null
@@ -1,5 +0,0 @@
-FROM quay.io/argoproj/argocd:v2.4.11
-USER root
-RUN apt update && apt install -y python3 python3-pip
-RUN pip install kubernetes==24.2.0
-USER 999
diff --git a/apps/argocd-install/render_templates.sh b/apps/argocd-install/render_templates.sh
deleted file mode 100755
index db0a05a..0000000
--- a/apps/argocd-install/render_templates.sh
+++ /dev/null
@@ -1,14 +0,0 @@
-#!/usr/bin/env bash
-
-! which vault >/dev/null && echo missing vault binary && exit 1
-! which jq >/dev/null && echo missing jq binary && exit 1
-[ "${VAULT_ADDR}" == "" ] && echo missing VAULT_ADDR env var && exit 1
-[ "${VAULT_TOKEN}" == "" ] && echo missing VAULT_TOKEN env var && exit 1
-
-DATA="$(vault read kv/data/projects/k8s/argocd/github-oauth -format=json | jq .data.data)" &&\
-GITHUB_CLIENT_ID="$(echo "${DATA}" | jq -r .client_id)" &&\
-GITHUB_CLIENT_SECRET="$(echo "${DATA}" | jq -r .client_secret)" &&\
-cp -f apps/argocd-install/argocd-cm.yaml.template apps/argocd-install/argocd-cm.yaml &&\
-sed -i "s/__dex.config.connectors.github.clientID__/${GITHUB_CLIENT_ID}/" apps/argocd-install/argocd-cm.yaml &&\
-sed -i "s/__dex.config.connectors.github.clientSecret__/${GITHUB_CLIENT_SECRET}/" apps/argocd-install/argocd-cm.yaml &&\
-echo OK
diff --git a/apps/cluster-admin/Chart.yaml b/apps/cluster-admin/Chart.yaml
deleted file mode 100644
index ee5d340..0000000
--- a/apps/cluster-admin/Chart.yaml
+++ /dev/null
@@ -1,3 +0,0 @@
-name: cluster-admin
-version: "0.0.0"
-apiVersion: v2
diff --git a/apps/cluster-admin/templates/secrets.yaml b/apps/cluster-admin/templates/secrets.yaml
deleted file mode 100644
index de81850..0000000
--- a/apps/cluster-admin/templates/secrets.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-{{ range .Values.secrets }}
-kind: Secret
-apiVersion: v1
-metadata:
- name: {{ .name }}
-type: Opaque
-data: {{ toJson .data }}
----
-{{ end }}
diff --git a/apps/cluster-admin/templates/terraform-state-db-deployment.yaml b/apps/cluster-admin/templates/terraform-state-db-deployment.yaml
deleted file mode 100644
index 22a1191..0000000
--- a/apps/cluster-admin/templates/terraform-state-db-deployment.yaml
+++ /dev/null
@@ -1,79 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: terraform-state-db
-spec:
- selector:
- matchLabels:
- app: terraform-state-db
- replicas: 1
- revisionHistoryLimit: 2
- strategy:
- type: Recreate
- template:
- metadata:
- labels:
- app: terraform-state-db
- spec:
- terminationGracePeriodSeconds: 10
- initContainers:
- - name: init-ssl
- # pulled Sep 18, 2022
- image: alpine@sha256:bc41182d7ef5ffc53a40b044e725193bc10142a1243f395ee852a8d9730fc2ad
- command:
- - sh
- - -c
- - |
- cp /opt/ssl/server.* /opt/secured_ssl/ &&\
- chmod 600 /opt/secured_ssl/server.* &&\
- chown 999:999 /opt/secured_ssl/* &&\
- if [ -e /var/lib/postgresql/data/pg_hba.conf ]; then
- if ! cat /var/lib/postgresql/data/pg_hba.conf | grep "^hostnossl"; then
- sed -i '1i hostnossl all all 0.0.0.0/0 reject' /var/lib/postgresql/data/pg_hba.conf
- fi
- else
- echo missing data directory, will have to restart the db later to initialize properly
- fi
- volumeMounts:
- - name: ssl
- mountPath: /opt/ssl
- - name: secured-ssl
- mountPath: /opt/secured_ssl
- - name: data
- mountPath: /var/lib/postgresql/data
- subPath: terraform_state_db_postgres
- containers:
- - name: postgres
- # pulled Sep 18, 2022
- image: postgres:14@sha256:b0ee049a2e347f5ec8c64ad225c7edbc88510a9e34450f23c4079a489ce16268
- args: [
- -c, "ssl_cert_file=/opt/secured_ssl/server.crt",
- -c, "ssl_key_file=/opt/secured_ssl/server.key",
- -c, "ssl=on"
- ]
- ports:
- - containerPort: 5432
- resources: {{ toYaml .Values.terraformStateDb.resources | nindent 12 }}
- env:
- - name: POSTGRES_PASSWORD
- valueFrom: {"secretKeyRef":{"name":"terraform-state-db", "key":"POSTGRES_PASSWORD"}}
- volumeMounts:
- - name: data
- mountPath: /var/lib/postgresql/data
- subPath: terraform_state_db_postgres
- - name: secured-ssl
- mountPath: /opt/secured_ssl
- volumes:
- - name: data
- persistentVolumeClaim:
- claimName: terraform-state-db
- - name: ssl
- secret:
- secretName: terraform-state-db
- items:
- - key: server.key
- path: server.key
- - key: server.crt
- path: server.crt
- - name: secured-ssl
- emptyDir: {}
diff --git a/apps/cluster-admin/templates/terraform-state-db-pvc.yaml b/apps/cluster-admin/templates/terraform-state-db-pvc.yaml
deleted file mode 100644
index 5b4c98a..0000000
--- a/apps/cluster-admin/templates/terraform-state-db-pvc.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
- name: terraform-state-db
-spec:
- accessModes:
- - ReadWriteOnce
- resources:
- requests:
- storage: 20Gi
diff --git a/apps/cluster-admin/templates/terraform-state-db-service.yaml b/apps/cluster-admin/templates/terraform-state-db-service.yaml
deleted file mode 100644
index a5123ef..0000000
--- a/apps/cluster-admin/templates/terraform-state-db-service.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
- name: terraform-state-db
-spec:
- selector:
- app: terraform-state-db
- ports:
- - name: "5432"
- port: 5432
diff --git a/apps/cluster-admin/values-main.yaml b/apps/cluster-admin/values-main.yaml
deleted file mode 100644
index 3638994..0000000
--- a/apps/cluster-admin/values-main.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-dockerDaemonConfig:
- "log-driver": "json-file"
- "log-opts":
- "max-size": "100m"
- "max-file": "5"
- "compress": "true"
-
-terraformStateDb:
- resources: {}
-
-secrets:
- - name: terraform-state-db
- data:
- POSTGRES_PASSWORD: "~vault:projects/iac/terraform:backend-db-password~"
- # openssl req -new -x509 -days 365 -nodes -text -out server.crt \
- # -keyout server.key -subj "/CN=terraform-state-db.localhost"
- server.key: "~vault:projects/iac/terraform:state_db_server.key~"
- server.crt: "~vault:projects/iac/terraform:state_db_server.crt~"
diff --git a/apps/ingress-nginx/controller-tcp-services-configmap.yaml b/apps/ingress-nginx/controller-tcp-services-configmap.yaml
deleted file mode 100644
index 0a3b00a..0000000
--- a/apps/ingress-nginx/controller-tcp-services-configmap.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: controller-tcp-services
- namespace: ingress-nginx
-data:
- "9001": "cluster-admin/terraform-state-db:5432"
- "9002": "anyway/db:5432"
- "9003": "anyway-dev/db:5432"
diff --git a/apps/ingress-nginx/deploy.yaml b/apps/ingress-nginx/deploy.yaml
deleted file mode 100644
index 6a96bb2..0000000
--- a/apps/ingress-nginx/deploy.yaml
+++ /dev/null
@@ -1,660 +0,0 @@ -# Downloaded Sep 7, 2022 -# https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.3.1/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml -apiVersion: v1 -kind: Namespace -metadata: - labels: - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - name: ingress-nginx ---- -apiVersion: v1 -automountServiceAccountToken: true -kind: ServiceAccount -metadata: - labels: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.3.1 - name: ingress-nginx - namespace: ingress-nginx ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - app.kubernetes.io/component: admission-webhook - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.3.1 - name: ingress-nginx-admission - namespace: ingress-nginx ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - labels: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.3.1 - name: ingress-nginx - namespace: ingress-nginx -rules: -- apiGroups: - - "" - resources: - - namespaces - verbs: - - get -- apiGroups: - - "" - resources: - - configmaps - - pods - - secrets - - endpoints - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - services - verbs: - - get - - list - - watch -- apiGroups: - - networking.k8s.io - resources: - - ingresses - verbs: - - get - - list - - watch -- apiGroups: - - networking.k8s.io - resources: - - ingresses/status - verbs: - - update -- apiGroups: - - networking.k8s.io - resources: - - ingressclasses - verbs: - - get - - list - - watch -- apiGroups: - - "" - resourceNames: - - 
ingress-controller-leader - resources: - - configmaps - verbs: - - get - - update -- apiGroups: - - "" - resources: - - configmaps - verbs: - - create -- apiGroups: - - coordination.k8s.io - resourceNames: - - ingress-controller-leader - resources: - - leases - verbs: - - get - - update -- apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - create -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - labels: - app.kubernetes.io/component: admission-webhook - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.3.1 - name: ingress-nginx-admission - namespace: ingress-nginx -rules: -- apiGroups: - - "" - resources: - - secrets - verbs: - - get - - create ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.3.1 - name: ingress-nginx -rules: -- apiGroups: - - "" - resources: - - configmaps - - endpoints - - nodes - - pods - - secrets - - namespaces - verbs: - - list - - watch -- apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - list - - watch -- apiGroups: - - "" - resources: - - nodes - verbs: - - get -- apiGroups: - - "" - resources: - - services - verbs: - - get - - list - - watch -- apiGroups: - - networking.k8s.io - resources: - - ingresses - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch -- apiGroups: - - networking.k8s.io - resources: - - ingresses/status - verbs: - - update -- apiGroups: - - networking.k8s.io - resources: - - ingressclasses - verbs: - - get - - list - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - 
app.kubernetes.io/component: admission-webhook - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.3.1 - name: ingress-nginx-admission -rules: -- apiGroups: - - admissionregistration.k8s.io - resources: - - validatingwebhookconfigurations - verbs: - - get - - update ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - labels: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.3.1 - name: ingress-nginx - namespace: ingress-nginx -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: ingress-nginx -subjects: -- kind: ServiceAccount - name: ingress-nginx - namespace: ingress-nginx ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - labels: - app.kubernetes.io/component: admission-webhook - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.3.1 - name: ingress-nginx-admission - namespace: ingress-nginx -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: ingress-nginx-admission -subjects: -- kind: ServiceAccount - name: ingress-nginx-admission - namespace: ingress-nginx ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.3.1 - name: ingress-nginx -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: ingress-nginx -subjects: -- kind: ServiceAccount - name: ingress-nginx - namespace: ingress-nginx ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - 
app.kubernetes.io/component: admission-webhook - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.3.1 - name: ingress-nginx-admission -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: ingress-nginx-admission -subjects: -- kind: ServiceAccount - name: ingress-nginx-admission - namespace: ingress-nginx ---- -apiVersion: v1 -data: - allow-snippet-annotations: "true" - http-snippet: | - server { - listen 2443; - return 308 https://$host$request_uri; - } - proxy-real-ip-cidr: XXX.XXX.XXX/XX - use-forwarded-headers: "true" -kind: ConfigMap -metadata: - labels: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.3.1 - name: ingress-nginx-controller - namespace: ingress-nginx ---- -apiVersion: v1 -kind: Service -metadata: - annotations: - service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "60" - service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true" - service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:us-west-2:XXXXXXXX:certificate/XXXXXX-XXXXXXX-XXXXXXX-XXXXXXXX - service.beta.kubernetes.io/aws-load-balancer-ssl-ports: https - service.beta.kubernetes.io/aws-load-balancer-type: nlb - labels: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.3.1 - name: ingress-nginx-controller - namespace: ingress-nginx -spec: - externalTrafficPolicy: Local - ipFamilies: - - IPv4 - ipFamilyPolicy: SingleStack - ports: - - appProtocol: http - name: http - port: 80 - protocol: TCP - targetPort: tohttps - - appProtocol: https - name: https - port: 443 - protocol: TCP - targetPort: http - selector: - 
app.kubernetes.io/component: controller - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - type: LoadBalancer ---- -apiVersion: v1 -kind: Service -metadata: - labels: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.3.1 - name: ingress-nginx-controller-admission - namespace: ingress-nginx -spec: - ports: - - appProtocol: https - name: https-webhook - port: 443 - targetPort: webhook - selector: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - type: ClusterIP ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.3.1 - name: ingress-nginx-controller - namespace: ingress-nginx -spec: - minReadySeconds: 0 - revisionHistoryLimit: 10 - selector: - matchLabels: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - template: - metadata: - labels: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - spec: - containers: - - args: - - /nginx-ingress-controller - - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller - - --election-id=ingress-controller-leader - - --controller-class=k8s.io/ingress-nginx - - --ingress-class=nginx - - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller - - --validating-webhook=:8443 - - --validating-webhook-certificate=/usr/local/certificates/cert - - --validating-webhook-key=/usr/local/certificates/key - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - 
fieldRef: - fieldPath: metadata.namespace - - name: LD_PRELOAD - value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.3.1@sha256:54f7fe2c6c5a9db9a0ebf1131797109bb7a4d91f56b9b362bde2abd237dd1974 - imagePullPolicy: IfNotPresent - lifecycle: - preStop: - exec: - command: - - /wait-shutdown - livenessProbe: - failureThreshold: 5 - httpGet: - path: /healthz - port: 10254 - scheme: HTTP - initialDelaySeconds: 10 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 1 - name: controller - ports: - - containerPort: 80 - name: http - protocol: TCP - - containerPort: 80 - name: https - protocol: TCP - - containerPort: 2443 - name: tohttps - protocol: TCP - - containerPort: 8443 - name: webhook - protocol: TCP - readinessProbe: - failureThreshold: 3 - httpGet: - path: /healthz - port: 10254 - scheme: HTTP - initialDelaySeconds: 10 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 1 - resources: - requests: - cpu: 100m - memory: 90Mi - securityContext: - allowPrivilegeEscalation: true - capabilities: - add: - - NET_BIND_SERVICE - drop: - - ALL - runAsUser: 101 - volumeMounts: - - mountPath: /usr/local/certificates/ - name: webhook-cert - readOnly: true - dnsPolicy: ClusterFirst - nodeSelector: - kubernetes.io/os: linux - serviceAccountName: ingress-nginx - terminationGracePeriodSeconds: 300 - volumes: - - name: webhook-cert - secret: - secretName: ingress-nginx-admission ---- -apiVersion: batch/v1 -kind: Job -metadata: - labels: - app.kubernetes.io/component: admission-webhook - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.3.1 - name: ingress-nginx-admission-create - namespace: ingress-nginx -spec: - template: - metadata: - labels: - app.kubernetes.io/component: admission-webhook - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - 
app.kubernetes.io/version: 1.3.1 - name: ingress-nginx-admission-create - spec: - containers: - - args: - - create - - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc - - --namespace=$(POD_NAMESPACE) - - --secret-name=ingress-nginx-admission - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.3.0@sha256:549e71a6ca248c5abd51cdb73dbc3083df62cf92ed5e6147c780e30f7e007a47 - imagePullPolicy: IfNotPresent - name: create - securityContext: - allowPrivilegeEscalation: false - nodeSelector: - kubernetes.io/os: linux - restartPolicy: OnFailure - securityContext: - fsGroup: 2000 - runAsNonRoot: true - runAsUser: 2000 - serviceAccountName: ingress-nginx-admission ---- -apiVersion: batch/v1 -kind: Job -metadata: - labels: - app.kubernetes.io/component: admission-webhook - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.3.1 - name: ingress-nginx-admission-patch - namespace: ingress-nginx -spec: - template: - metadata: - labels: - app.kubernetes.io/component: admission-webhook - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.3.1 - name: ingress-nginx-admission-patch - spec: - containers: - - args: - - patch - - --webhook-name=ingress-nginx-admission - - --namespace=$(POD_NAMESPACE) - - --patch-mutating=false - - --secret-name=ingress-nginx-admission - - --patch-failure-policy=Fail - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.3.0@sha256:549e71a6ca248c5abd51cdb73dbc3083df62cf92ed5e6147c780e30f7e007a47 - imagePullPolicy: IfNotPresent - name: patch - securityContext: - allowPrivilegeEscalation: false - nodeSelector: - 
kubernetes.io/os: linux - restartPolicy: OnFailure - securityContext: - fsGroup: 2000 - runAsNonRoot: true - runAsUser: 2000 - serviceAccountName: ingress-nginx-admission ---- -apiVersion: networking.k8s.io/v1 -kind: IngressClass -metadata: - labels: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.3.1 - name: nginx -spec: - controller: k8s.io/ingress-nginx ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - labels: - app.kubernetes.io/component: admission-webhook - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.3.1 - name: ingress-nginx-admission -webhooks: -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: ingress-nginx-controller-admission - namespace: ingress-nginx - path: /networking/v1/ingresses - failurePolicy: Fail - matchPolicy: Equivalent - name: validate.nginx.ingress.kubernetes.io - rules: - - apiGroups: - - networking.k8s.io - apiVersions: - - v1 - operations: - - CREATE - - UPDATE - resources: - - ingresses - sideEffects: None diff --git a/apps/ingress-nginx/kustomization.yaml b/apps/ingress-nginx/kustomization.yaml deleted file mode 100644 index 45ef857..0000000 --- a/apps/ingress-nginx/kustomization.yaml +++ /dev/null 
@@ -1,22 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization - -resources: -- deploy.yaml -- controller-tcp-services-configmap.yaml - -patchesStrategicMerge: -- patch-controller-configmap.yaml -- patch-controller-service.yaml -- patch-controller-nlb-service.yaml - -patchesJson6902: -- target: - group: apps - version: v1 - kind: Deployment - name: ingress-nginx-controller - patch: |- - - op: add - path: /spec/template/spec/containers/0/args/- - value: --tcp-services-configmap=ingress-nginx/controller-tcp-services diff --git a/apps/ingress-nginx/patch-controller-configmap.yaml b/apps/ingress-nginx/patch-controller-configmap.yaml deleted file mode 100644 index 8e2b9b8..0000000 --- a/apps/ingress-nginx/patch-controller-configmap.yaml +++ /dev/null @@ -1,7 +0,0 @@ -kind: ConfigMap -apiVersion: v1 -metadata: - name: ingress-nginx-controller - namespace: ingress-nginx -data: - proxy-real-ip-cidr: 192.168.0.0/16 diff --git a/apps/ingress-nginx/patch-controller-nlb-service.yaml b/apps/ingress-nginx/patch-controller-nlb-service.yaml deleted file mode 100644 index 8ca2fa1..0000000 --- a/apps/ingress-nginx/patch-controller-nlb-service.yaml +++ /dev/null @@ -1,16 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: ingress-nginx-controller - namespace: ingress-nginx -spec: - ports: - - name: "terraform-state-db" - port: 9001 - targetPort: 9001 - - name: "anyway-prod-db" - port: 9002 - targetPort: 9002 - - name: "anyway-dev-db" - port: 9003 - targetPort: 9003 diff --git a/apps/ingress-nginx/patch-controller-service.yaml b/apps/ingress-nginx/patch-controller-service.yaml deleted file mode 100644 index 404ef3a..0000000 --- a/apps/ingress-nginx/patch-controller-service.yaml +++ /dev/null 
@@ -1,7 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: ingress-nginx-controller - namespace: ingress-nginx - annotations: - service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:eu-central-1:896911843692:certificate/e92ec1f3-a1cd-4523-bf26-b7bf9b1921a0 From 872c525c0b85a9549430b1a4efec91c77730ab45 Mon Sep 17 00:00:00 2001 From: Ori Hoch Date: Wed, 24 Jan 2024 22:50:01 +0200 Subject: [PATCH 17/22] migrate anyway to docker compose --- apps/anyway/compose.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/apps/anyway/compose.yaml b/apps/anyway/compose.yaml index 4019b38..5326b8d 100644 --- a/apps/anyway/compose.yaml +++ b/apps/anyway/compose.yaml @@ -42,12 +42,12 @@ services: environment: POSTGRES_USER: postgres POSTGRES_DB: postgres - DBRESTORE_AWS_BUCKET: dfc-anyway-full-db-dumps - DBRESTORE_FILE_NAME: 2024-01-24_anyway.pgdump + # DBRESTORE_AWS_BUCKET: dfc-anyway-full-db-dumps + # DBRESTORE_FILE_NAME: 2024-01-24_anyway.pgdump env_file: - ./secrets/db.env volumes: - - /data/anyway/db:/var/lib/postgresql/data + - /data/anyway/db/dbdata:/var/lib/postgresql/data tmpfs: - /dev/shm:size=1024m networks: [dfc] @@ -60,7 +60,7 @@ services: env_file: - ./secrets/airflow-db.env volumes: - - /data/anyway/airflow-db:/var/lib/postgresql/data + - /data/anyway/airflow-db/airflow_db:/var/lib/postgresql/data networks: [dfc] airflow-scheduler: From 3401244b968ff9c827a627f2b6795ebc05a6ac81 Mon Sep 17 00:00:00 2001 From: Ori Hoch Date: Wed, 24 Jan 2024 22:53:21 +0200 Subject: [PATCH 18/22] migrate anyway to docker compose --- apps/anyway/nginx_anyway_proxy.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apps/anyway/nginx_anyway_proxy.conf b/apps/anyway/nginx_anyway_proxy.conf index 6ac9b94..6141f6a 100644 --- a/apps/anyway/nginx_anyway_proxy.conf +++ b/apps/anyway/nginx_anyway_proxy.conf 
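Review bot: In the `db` service the bind mount moves to `/data/anyway/db/dbdata` in the same hunk that comments out `DBRESTORE_AWS_BUCKET` and `DBRESTORE_FILE_NAME`. On a host where the cluster still sits directly under `/data/anyway/db`, Postgres would presumably start on an empty directory with no restore configured. The same applies to the `airflow-db` mount in the next hunk (`/data/anyway/airflow-db/airflow_db`). If the restore variables are kept for one-time bootstrapping, replace the bare commented-out lines with a comment that says so, for example `# one-time restore: uncomment both DBRESTORE_* lines for the first start on an empty data dir`, and record the required data move in the README. The service definitions start outside these hunks, so this is inferred from the visible lines only.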
@@ -2,5 +2,5 @@ proxy_set_header Host $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto {{ .Values.nginxForwardedScheme }}; proxy_set_header X-Forwarded-Host {{ .Values.nginxForwardedHost }}; -proxy_pass http://anyway; +proxy_pass http://anyway-secondary; proxy_redirect default; From a579a7949302fc954fa080d7b4d061865dea8db3 Mon Sep 17 00:00:00 2001 From: Ori Hoch Date: Wed, 24 Jan 2024 22:55:57 +0200 Subject: [PATCH 19/22] migrate anyway to docker compose --- apps/anyway/compose.yaml | 2 ++ apps/anyway/nginx_anyway_proxy.conf | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/apps/anyway/compose.yaml b/apps/anyway/compose.yaml index 5326b8d..dda682f 100644 --- a/apps/anyway/compose.yaml +++ b/apps/anyway/compose.yaml @@ -34,6 +34,8 @@ services: depends_on: - anyway-main networks: [dfc] + # we route all external traffic to the secondary container, to keep the main container free for airflow tasks + hostname: anyway db: hostname: anyway-db diff --git a/apps/anyway/nginx_anyway_proxy.conf b/apps/anyway/nginx_anyway_proxy.conf index 6141f6a..6ac9b94 100644 --- a/apps/anyway/nginx_anyway_proxy.conf +++ b/apps/anyway/nginx_anyway_proxy.conf @@ -2,5 +2,5 @@ proxy_set_header Host $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto {{ .Values.nginxForwardedScheme }}; proxy_set_header X-Forwarded-Host {{ .Values.nginxForwardedHost }}; -proxy_pass http://anyway-secondary; +proxy_pass http://anyway; proxy_redirect default; From ce35f3c91183332edd059b0e726e8962be636a12 Mon Sep 17 00:00:00 2001 From: Ori Hoch Date: Wed, 24 Jan 2024 22:57:52 +0200 Subject: [PATCH 20/22] migrate anyway to docker compose --- apps/anyway/nginx_anyway_proxy.conf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/apps/anyway/nginx_anyway_proxy.conf b/apps/anyway/nginx_anyway_proxy.conf index 6ac9b94..d8c95b5 100644 --- a/apps/anyway/nginx_anyway_proxy.conf 
+++ b/apps/anyway/nginx_anyway_proxy.conf @@ -1,6 +1,6 @@ proxy_set_header Host $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; -proxy_set_header X-Forwarded-Proto {{ .Values.nginxForwardedScheme }}; -proxy_set_header X-Forwarded-Host {{ .Values.nginxForwardedHost }}; +proxy_set_header X-Forwarded-Proto https; +proxy_set_header X-Forwarded-Host www.anyway.co.il; proxy_pass http://anyway; proxy_redirect default; From d10e460e8dbd10d4ccc659625b90804de34e3a03 Mon Sep 17 00:00:00 2001 From: Ori Hoch Date: Wed, 24 Jan 2024 23:08:01 +0200 Subject: [PATCH 21/22] migrate anyway to docker compose --- apps/anyway/compose.yaml | 24 ++++++++++++++++++++++++ apps/traefik/traefik.yaml.template | 21 +++++++++++++++++++++ 2 files changed, 45 insertions(+) diff --git a/apps/anyway/compose.yaml b/apps/anyway/compose.yaml index dda682f..18797d1 100644 --- a/apps/anyway/compose.yaml +++ b/apps/anyway/compose.yaml @@ -88,6 +88,12 @@ services: volumes: - /data/anyway/airflow-etl-data:/var/anyway-etl-data networks: [dfc] + labels: + - "traefik.enable=true" + - "traefik.http.services.airflow-nginx.loadbalancer.server.port=80" + - "traefik.http.routers.airflow-nginx.rule=Host(`airflow-data.anyway.co.il`)" + # - "traefik.http.routers.airflow-nginx.tls=true" + # - "traefik.http.routers.airflow-nginx.tls.certresolver=dfc" airflow-webserver: image: ${AIRFLOW_IMAGE:-ghcr.io/data-for-change/anyway-etl/anyway-etl-airflow:latest} 
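Review bot: `proxy_set_header X-Forwarded-Proto https;` makes nginx tell the backend that every request arrived over TLS, however it actually reached the proxy. If the application relies on this header for secure-cookie flags or HTTP-to-HTTPS redirects, a plain-HTTP request would be treated as secure. If nginx is only reachable through the front proxy, forwarding that proxy's value keeps the header truthful: `proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;`. If the constant is intended, add a comment above it such as `# TLS is always terminated upstream; plain HTTP must never be routed to this proxy`. The hard-coded `X-Forwarded-Host www.anyway.co.il` also deserves a one-line comment, since it overrides the host for every server name that includes this file.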
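Review bot: The `airflow-nginx` router is enabled with its `tls` and `tls.certresolver` labels commented out, and the same pattern repeats in the following hunks for `airflow-webserver`, `anyway-reports` and `anyway-nginx`. As written these hosts would be served over plain HTTP, unless the entrypoint configuration (not fully visible in this diff) enforces TLS. For `airflow.anyway.co.il` that would mean the Airflow login and session cookie travel in cleartext. Enable `traefik.http.routers.<name>.tls=true` and `traefik.http.routers.<name>.tls.certresolver=dfc` before the DNS names point at this host. If TLS is deliberately deferred, record that with a comment such as `# TLS labels disabled until DNS cut-over; enable before exposing publicly`. The service definitions begin outside these hunks.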
@@ -102,12 +108,24 @@ services: volumes: - /data/anyway/airflow-home-data:/var/airflow networks: [dfc] + labels: + - "traefik.enable=true" + - "traefik.http.services.airflow-webserver.loadbalancer.server.port=8080" + - "traefik.http.routers.airflow-webserver.rule=Host(`airflow.anyway.co.il`)" + # - "traefik.http.routers.airflow-webserver.tls=true" + # - "traefik.http.routers.airflow-webserver.tls.certresolver=dfc" reports: hostname: anyway-reports image: ${REPORTS_IMAGE:-ghcr.io/data-for-change/anyway-reports/anyway-reports:latest} restart: unless-stopped networks: [dfc] + labels: + - "traefik.enable=true" + - "traefik.http.services.anyway-reports.loadbalancer.server.port=80" + - "traefik.http.routers.anyway-reports.rule=Host(`reports.anyway.co.il`)" + # - "traefik.http.routers.anyway-reports.tls=true" + # - "traefik.http.routers.anyway-reports.tls.certresolver=dfc" nginx: hostname: anyway-nginx @@ -116,6 +134,12 @@ services: volumes: - ./nginx_anyway_proxy.conf:/etc/nginx/anyway_proxy.conf:ro networks: [dfc] + labels: + - "traefik.enable=true" + - "traefik.http.services.anyway-nginx.loadbalancer.server.port=80" + - "traefik.http.routers.anyway-nginx.rule=Host(`www.anyway.co.il`)" + # - "traefik.http.routers.anyway-nginx.tls=true" + # - "traefik.http.routers.anyway-nginx.tls.certresolver=dfc" networks: dfc: diff --git a/apps/traefik/traefik.yaml.template b/apps/traefik/traefik.yaml.template index e5c99b3..09ac30f 100644 --- a/apps/traefik/traefik.yaml.template +++ b/apps/traefik/traefik.yaml.template 
@@ -18,3 +18,24 @@ certificatesResolvers: storage: /etc/traefik/acme/acme.json httpChallenge: entryPoint: web + +http: + routers: + my-router: + rule: "Host(`anyway.co.il`, `www.oway.org.il`, `oway.org.il`)" + middlewares: + - redirect-to-anyway + service: dummy-service + + middlewares: + redirect-to-anyway: + redirectRegex: + regex: "(.*)" + replacement: "https://www.anyway.co.il" + permanent: true + + services: + dummy-service: + loadBalancer: + servers: + - url: "http://127.0.0.1" From 05462ad1c9bb03393825b3c9e804ae10763bbe5d Mon Sep 17 00:00:00 2001 From: Ori Hoch Date: Wed, 24 Jan 2024 23:14:14 +0200 Subject: [PATCH 22/22] migrate anyway to docker compose --- apps/traefik/compose.yaml | 1 + .../dynamic_conf/anyway_redirects.yaml | 20 ++++++++++++++++ apps/traefik/traefik.yaml.template | 23 ++----------------- 3 files changed, 23 insertions(+), 21 deletions(-) create mode 100644 apps/traefik/dynamic_conf/anyway_redirects.yaml diff --git a/apps/traefik/compose.yaml b/apps/traefik/compose.yaml index 21e14b1..ab2cd60 100644 --- a/apps/traefik/compose.yaml +++ b/apps/traefik/compose.yaml @@ -5,6 +5,7 @@ services: - ./traefik.yaml:/etc/traefik/traefik.yaml:ro - /var/run/docker.sock:/var/run/docker.sock:ro - /data/traefik/acme:/etc/traefik/acme + - ./dynamic_conf:/etc/traefik/dynamic_conf networks: [dfc] ports: - "80:80" diff --git a/apps/traefik/dynamic_conf/anyway_redirects.yaml b/apps/traefik/dynamic_conf/anyway_redirects.yaml new file mode 100644 index 0000000..04c9f01 --- /dev/null +++ b/apps/traefik/dynamic_conf/anyway_redirects.yaml @@ -0,0 +1,20 @@ +http: + routers: + my-router: + rule: "Host(`anyway.co.il`, `www.oway.org.il`, `oway.org.il`)" + middlewares: + - redirect-to-anyway + service: dummy-service + + middlewares: + redirect-to-anyway: + redirectRegex: + regex: "(.*)" + replacement: "https://www.anyway.co.il" + permanent: true + + services: + dummy-service: + loadBalancer: + servers: + - url: "http://127.0.0.1" 
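Review bot: The `redirect-to-anyway` middleware pairs `regex: "(.*)"` with a fixed `replacement: "https://www.anyway.co.il"`, so every URL on the three alias hosts is permanently redirected to the home page and its path and query string are dropped. The same block is added again in `apps/traefik/dynamic_conf/anyway_redirects.yaml` later in the series. Because `permanent: true` lets browsers cache the redirect, existing deep links would keep landing on the home page even after a fix. Capturing the path preserves them: `regex: "^https?://[^/]+/(.*)"` with `replacement: "https://www.anyway.co.il/${1}"`. The placeholder names `my-router` and `dummy-service` would also read better as something like `anyway-alias-redirect`, with a comment noting that the `http://127.0.0.1` backend is never reached.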
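Review bot: The new `./dynamic_conf:/etc/traefik/dynamic_conf` mount is writable, while the neighbouring `traefik.yaml` and `docker.sock` mounts in this hunk are `:ro`. This directory holds routing rules that Traefik loads from disk, so a process inside the container should not be able to modify it. Mount it read-only for consistency: `- ./dynamic_conf:/etc/traefik/dynamic_conf:ro`. The service definition starts and ends outside the hunk.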
diff --git a/apps/traefik/traefik.yaml.template b/apps/traefik/traefik.yaml.template index 09ac30f..71a5ecf 100644 --- a/apps/traefik/traefik.yaml.template +++ b/apps/traefik/traefik.yaml.template @@ -1,6 +1,8 @@ providers: docker: exposedByDefault: false + file: + directory: /etc/traefik/dynamic_conf entryPoints: web: @@ -18,24 +20,3 @@ certificatesResolvers: storage: /etc/traefik/acme/acme.json httpChallenge: entryPoint: web - -http: - routers: - my-router: - rule: "Host(`anyway.co.il`, `www.oway.org.il`, `oway.org.il`)" - middlewares: - - redirect-to-anyway - service: dummy-service - - middlewares: - redirect-to-anyway: - redirectRegex: - regex: "(.*)" - replacement: "https://www.anyway.co.il" - permanent: true - - services: - dummy-service: - loadBalancer: - servers: - - url: "http://127.0.0.1"