From e98da9b6370eea60210fb146987c85cb01fdbcd7 Mon Sep 17 00:00:00 2001 From: bunkerity Date: Wed, 11 Aug 2021 15:13:44 +0200 Subject: [PATCH] docs polishing and fix install.sh gpg --verify --- README.md | 2 +- docs/img/autoconf-docker.png | Bin 46697 -> 51926 bytes docs/integrations.md | 61 +++++++++-------------- docs/introduction.md | 2 +- docs/quickstart_guide.md | 18 +++---- docs/security_tuning.md | 75 +++++++++------------------- docs/special_folders.md | 24 ++++----- docs/volumes.md | 93 ----------------------------------- docs/web_ui.md | 9 ++-- helpers/install.sh | 7 +-- 10 files changed, 75 insertions(+), 216 deletions(-) delete mode 100644 docs/volumes.md diff --git a/README.md b/README.md index 84070e86..099e71c3 100644 --- a/README.md +++ b/README.md @@ -48,7 +48,7 @@ Fooling automated tools/scanners : -You can find a live demo at https://demo-nginx.bunkerity.com, feel free to do some security tests. +You can find a live demo at [https://demo-nginx.bunkerity.com](https://demo-nginx.bunkerity.com), feel free to do some security tests. # Table of contents
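Review bot: the README.md hunk is purely cosmetic (the link text and target are the same URL, so the rendered page does not change), but it is bundled in a 10-file commit whose subject also claims to "fix install.sh gpg --verify"; a change to signature verification in helpers/install.sh is security-relevant and deserves its own commit so it can be reviewed, tested and bisected independently of the docs polishing. Consider splitting the install.sh fix out, and in the README line itself either keep the bare autolink or drop the duplicated URL text in favour of a short label such as `[live demo](https://demo-nginx.bunkerity.com)`.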
diff --git a/docs/img/autoconf-docker.png b/docs/img/autoconf-docker.png index 64d87945f4fcaad63e2784591b9dba71188abf83..6306e60c901cae4240f61e3ad22da7a1e3e22a86 100644 GIT binary patch literal 51926
zqRRTJ{o{j@2LpQ9q)$to%#Rk582a*@h*Hs~7&yDGV)T7FQ>%%Crx4dpKSoFy7E4+`{^~(l7H_sm3+4h-F4=18M zWd3Wh{VfznXXqY=|Ahx|$jqX4A!IQSISy>rIXY5HM+48G?z8FnE3(*+$Fz@{&J5H4 zu`K3jdm39>zQv-Op<;#^QlorzuhohfWPj7@q74QfIaxMPF)x=Qs_+xY%o*I1yJfZC zfIHuPE~>>-rYDDMB+FTa@A7@Jupx*2er0&Y&57|O5_qBnGrpJk?t!CBZH6I-e9Nb; z%)O?jnWY)1C!43X(NWGBPq^s1LgD;F+roU)|&woEyO;bxbuc zj z`gww43v=`Dm{RCx@KHb!Eu|&SdtH9--d4GBN3Yo_Oe~?`#$pad-PxMw{RTZ4$VmAV z@jyW1O*fJWZtG@d0XrjLpbu=-8%pgV^op_j?Xc{0fgL|Id8)meYxT9(Hqoj-rR6FAW5*>NF!Oj391Z+H$<))J&up_vGOU2T-u8=iHF;L9grlT`|I zup7Jk4cmtA-gqkr_SmMr0IdB6(bD@*{ohNi3Ynp{;Cek#X~i3hEH4_nt8*iF_1AeZ z${a)Iz1}dO?>#L4`!8SZ^3Sh^XC8&mARh%O7F$hs>RrJ&*#J&p3|a&7iKH&cZIwb9 zxd};WirK1o?gv5N4>XA%?eG`Uj~$dJIjGg|u;JIDq`=O(~i6acS*Kv0>p6(@N| zgvyb@@18jE*I|?FWag~D6L#y<7g$VB>to6CSte=n;d&FX=$ zhqp4;o<39$?d$cHs;a8W%j;0$&O_vB<56t^oy?r4UE{~5|84e<>0jjts7Z1|a7b+7 z3u9Mu*qkcX+c|STXutt+CB$$KBJTpL^KF-Nb-zs0_K|6N4v_)*uFcPp=pc`?;^uA7 z34BkS#ln_Y5s1(ul!Boslb>GtgD|s0E9)PR&C>()A8*fjG;kZhkC6wD9^^fkZ)dE2 zjcy1!_I#*HT3cGAWn|bEk3z@BA(zrEG4_2}v?7DC*$uo(u^oM-fC5jR`(OCQ)Loey zDk+y${e6w+-W<7Op}G41n}7RW#|LdvH(s_4UHyc?aYEWl`_l*EnBhKdoc>~f6PXD@ zLfXCf**GB~Aw4;!82H>y-stoE-gDkRzVV&$jq#l^j^l};ZtlI-Tr;kD&1>DkH?Av@A7wmBKtMo# z^@_qx0sB~v})vga|v`_umkDcH&QB*H7&VNEldi3a{yR$F0Ydl4C)&*QYak^G$ zt>dI+CgU|ZEUsH?m+rdHbYbPygn}&wQ6#tuMwx&;?+J@Mus7?+d ze;L$VcXDC$Gmd-zZ})_-G}Q2G6E)+*j{MsDG^B=q+TP!%u{oiTPeksSVz`h`Ec>?O z@L#waflk9eaZmU^ACeXm6}3Db$d;9z-Dd8j?L6Cc3N5Rk&Ku9T^)>hkTb;D2bEr?c2vCB0@r<+h9MWjn(zY51C4(Zkw8#PM?Ei9uO8p zR=gQ+`(sx=kYYio_+6nNYY}Y=Yf_4gw{E#bX<%SrhSMwGZ>KI?&?q>=&MtUn<`A+s zw&<`SHaa>wdU|fnBXV+b!NI|f&H=NtchM3=U+c6_Ffi~WoxgPHQll?&BQihhRDC>XvUp7b?VKzBjn^wXBToW@l!$IG;g|y7sVq#m(FcV3s5OZZ)VCEv%oLeBF9R zO)iV1OHjs>fPmIBG>C}}PyaP_=8)h>J2=*^1=B-=BayM=~(-#d63sW?8 zbF0*cBQ^AUp~ut12=4F%_He^DEKeg(Q&?D7U0wZU;MkbanzB^)*RNfVTx|X9Q7-d+ zQJl&zn=Mx^m_4yRgvE7+yG(5aS`uYh{-e6lCPQ_Og0L+m9`d5TcV$iHkG5 zFg!AU=EaK_hgWGwdlQ~LJ1IkUa*X?Khk->7k8 z)~&g`!l?^#3JUi>Sj8DFj@0a7efPKuk2rG8_=wQ^nT3&&y-0)PaD^n<<%rDAZ}}M? 
zZy{{bIDrDA}y)(w_3ChUGh{}HoXE6^Wv&{+C4+>MgdNs25C^fY>m$bCB zfWUQ%!eo~gvwAFI8T?e5qSz%_&I7&hAK&eWyf_ zo&A7FVYPm9Py9B@ESE#l&7X=IO+}(nA}A~zi5~Ti-xeo`l&-!M6r>;Y_-y~Dp+(Jh z9J60DtHCJ+1%XDn=kul*SKb*P3RyGCLMnE4x{35_>%!Qo6HX|SlO=&#hp8h;9d2-L z$8QfmMW+!_^?%@f64dN}F(=Bq9e2NJsFN^ge*DBGg{e!-w_9Xpd@4*ZKL`}oe;+-? z?s$qK*Nn}nPEQ!?M8NL(&&nduqi_D(WnozS>hhzg1gA=QD1xU>d?;Y?CiI1x6zooJ^Kfx zL6492u{QQUy?3LyhiJfo@nvdiYPiNl71<0Oyh|U3c-30 zt*&@i@tutin3$Y|BcWzxEl7zHdT6qIDfso#Teh>x$VGu5mZkd3Ra^b~QoTx5%? zn(-+i(h7o#mEnLTc;)T(*zGxEguyp{&2hrQ&$t1Ni}DMm1UB;W^6I&p^a`DBrFqYq zn}UqKBpH3-K32Zb{V=7V^oL+hc9_G_A3Q;{U$WOvD^}z*HZ>X7AH%(R^(rSxXWk^6 zq+aML*V(&YWZpW8GqY4&5rCxW0E=#6CJhlPkZN^Y*r3feEj{}zF1Rr za`Koj(SqNK2SwNL}+vf5lhVU>pSJWUQoc4zk zD&UB1#A;#f(+FBJwn}kbliMY;s$HTJUP4b_3o`ZnJnGIO`SkO_wbIDI>@BYSh!l*bTg_R&XEF;4o@^Z7*##Z`ME4sH_2gEGcsQa75 zzAW?=6N#xlPh7G(-+pVZl+#GrHbUowQ|8t&`W(Hd6g{j5!M4UsAs;rGhick!n8&;d zJUxkD#*8O1LxtW4*~cax^3OF_4IBhLBfXu<*PUfu^}-L zVa23Dm3Dc&!n(#M7>jA2&rka}XpOl9Ck5;_d9v}l6n7I{XT`?55kF$J*PN^3x1yjCs6gRrl(|8}@!kMiz;BOzI?X+xu4MhmD={`U!0P;|Q*z!9`J6C;#ipN32HuBe zc?YXjaeC0QOkgf$Y~)p@WEh2ijP;Wd=6V^msYY0P09*7%U#{cBiI*|fpYQ(ev;Rf# zq$4tdgM)+m=2E)>InM9XY1R+TpYMLU@km`(^|y(jI?2M>u7aiytRWNQVGjx9iHJ#e zZV{7^Od4~%EK;<4G{Eg~BN%nEZ|A)8OC+{eY`9-3*$qid>zUTIjXAny{8S9dGxWy+PU{ zm%l6yMU(TZj1%hT(Z^Y$Ss``el|K)8axMMO<#O4ttE($2%T??Q7gvUYG&}pHf|Yas zOBI(o$J)35}ws34Sai|QwSowDg^wUAa3@yrB z?!-aqcW`i6)(r`RD9y-^d`NyFlC-!uK67gNl7d3Vc&Ty%IlYk4w;XlHQ=+1roQehl zQ`Ycvw7b~4y%t7>KCLs34}*e+0=fkn0@-{vd;zXGJ{*EXPeyX`0D|1T?FTrGFumkX zbqo};fXx&Xw#G`8>xT-N0MIe}9Y*@I)ds6LKeVA(JI>-F0X5Qv{e0XlK1X|94;qwt9|8*502Ib=JAW9m3m~E*gzhp@=HkLJA?&Y!|5F#V zMJ8KufB2fR^0xBiV%=V?$6BtwYU)Qk*7eRB9;~p_Q>n7-Os#R8ev1DKyj|g^(tNh8 z`b*69%B*`z%-d-BbxZFLzq_6yA?>*ylh@LXH~Wju((TV;qcJ?UE~`|1P7?c6ss~@T zzA)IeIh)GV?hh++z zepE@m=+N-!&|%!2Di`mGV6G|aPPF&-IxKDa(FH?a+}hVnSy&(EF^G}w7a z!pf~vV)p#3hLE4k+P7P$x9muE|2-yWxO0nO|BKskhjF*ER2m+L zT7S!t0X%5kbFJWvnkhuXr9=P`kGm}iwl*dsgbBjHu**{|A+-FAGG1qk0Yu>Mvrk_^jLVQ%Kahl_lgl^7>yCNwOjA43z) 
zTYUvX1(Gv;uX44k9a)ryn0RcI1-X7q{~Uq$*3az1n)QLa!rFJ9*!wZhl9Q8TVouYl zC!8|}t7^bm7hCt_Ha04R$`O%J*bbJz88URO+uQXFXBJoC!3j`%)oo0WqUTGu)_%dE z@AVa%PNa{7;sa11!3DLqv(jtmdq<`6QM`*HOY~xUf(SHKm0p{UDpg5hcHt2bY~qe) z+S>6$qr$G3p~wr47a*`tM(_YIy!eA89h?xBk*oPeS2gi`L;Rx>hslrbD>I67Cqn!@ zTB10&v5TXHhIQGg9@fykY4>EQGWGit9Xoa`QS_e2`n(Q$o>@v=nA1rF&af#LveK!Q zTL&!13TB7UD{X>xI}k@tGpf4AKLiTuSDvIx-tQdargq^=Zx5Xgp&0(I~rXv;z61h&MNIO>WytV6L%I|>cNBataIzAtMlm) z6lF>gth4Kr5vW+z>-bC=sO;!lb;;n^?A-j}2{pbLm z#za^^;Qsq3NAA3P&|n+V`cg3@fQ;d5o|fRJ(NSp19ta!D!54L;p#-&_g+OT_?kz%M z(djCtP_F_5z8cw~6iWZF;Q$epBWljXVWip}B8~5+%vWF0+Rh&k_;A3&4gO3ddY+Vi=Z5T&q~QtL zakQ$L+0;rWDlI;KOtul%onc%^4Nh)lZF26JA0p;J6%0719nQ(BEQp8+&Ngo%Mn`WaURE z-KbYYEEFzN^(mjy_7q9F5Ww>}s}L5jPZ7(GO4}m^Mz}&eJ0v&CgC{UVHxadKJJo1Q$pJd|dn0+xDE7 z%QBH{mL{(wS^Tliv6Yg(s1l^WReAvF%%CqyoK8&6_$^=Ot?8%m1t{Hvh*j@=ypql>y1b!~xPORD1al?c@BP6EEZ$)Oe84Ja}|$l3KIH^e$MO2A33&Qgv3V zKtKC>%JyO%N=T^4ZE0ebu=60ZZ&h`V;6i`-Jtoc9Y!80o!k}~qX)z(;u zv%43+oNsg==Xa)QI=n;t!R)h2@eX7F@Ks4PYgmcR8_HyEiiGofGm?1w;vgRS=&X3{ zjF&H4;{->`Y_!auUQjIo5Yt!+*vGIqsKoi#_nush?(0=2&fYFs3&g^%+7iwXZBZUM z!gD+4288cYK2gnhfPR&WDn?eP5s;^T4U(<}n25SeBcy4Wn6{VO1UpluJ-_GcKz;fc z^wzB9*f-1e_+s1slHn>>(^dD~%^yt@fLkUeCWI=%Rm5aue13g@)8`210MyYPDA|w+ z4cx{LC4a1k1V+wyI>MO3G})>T9ccU^poIl9J^Lj?+-WAJ%DkSuA@^4Hbz}W#RqSoP z8}3Au6T4Y6u{@*SeVG!^c2b>@VZPBbo}oRt(R=RVBYaiuk9UdO;JTiSRFEYJ+{Z8` zs0~tfBT`Eht}6MS>+|l*EnL|u3GB4ODg64CRQ!GPAz&UQ^Nru*eKxqQHNl$IW1`(8Zliik_Ov85`2T|27ROeq=?2KYRIqj9zwEG z*dZrvh2>NzUy$h~T;_u`OsE}vA$fVug`*9Jtu~RcJ z1alEB)6WP!Nw^&ES?@%K{!nug`=ix-(}yYal{UntZ*XBNIS_W5l4=% z@H~>#y&;#lID{54snOOiGHQ5rHM;AZ<5V-$HI6NgRTKb3fRiUW4|WZfT6F`%E9Bi~ z8t(}uamviJ7d&U0B1RE_Z-aj>0+veRwm*e21wIQSJaoiocW09wYfA9G`O%Am-t5>6 z0ouuli8I%egN9HR?eRRfviJrj7n^tzfXJfh=*UBvH`|1589?beJnSlFqQ~&CHqepk*MA_Xh z>i-Xo72)5|DFmPg=^|88%341y7`MXq?xkF8mAd7{RuEfDCvsG&~ zNVe{!T=CjHu`JBy>Z&Vm-Kd6-Q?_5Ga}4G3i0V$(UaWtqkM}pF?3)I=n>8j(0|_td zUVGo`_Dgv~w59E%72yq-luE2o#fp82&r z-PXqQDG?amxSh}}V|BWx2_#db7kbI7wGU4? 
zoW3X7)mkMwo`@G?^O!xQk~miy;{F!OE94CA5Jg)*4VW@ED2fg0?dplIPTJ_;d_* zwM~|dv50S~yRMdQ_^5V!oy2(~MO;;jkNJm7zu2~aB<|FH>5X8!F+%;SU>HhOvpj6r zh>8wZNrew9<^&hX2eT)YycYeCz3lDc0G#GYDLPUBNnuY2<2sRxO2p|ipOcbUHw<7* zp`RK{QI6zsFvaS65>~y%`bqhQ!;^;1TJZh31QB)-4t~(`xB&ZAdNP=Q!@Z<9- z9DKXJI4Y>tb_5)>Ie8la2paI8OXabun&Qv4jlXLp!AU+F9hrPLgtGb0_a)c{k2^j@ zT8Y6*DYgv8!o)_NWh)kZK#JoBd@mD8m;;qH>r?FyX~+i4$;nR8pzdt0v|SfzO!5h( zLXYlR1}#kO))nkJt^O4Hv8xJqPwB*z3Jy`wi^H(Nsn`%l>7{s!X*El~t-J4OYB2U|}x0c+p6M1G+Z|m>^dDaD2fGSE+&)C2F!Z+k5qk(sFWh zCei}8X#=s`AbyTOHA(dI>Tj%2-sp0IbTbZqG6rWs^?GZrCvUp-d9U>gw?J7JjIY6^z2aAuwC-uJ~w)((T>wwJ1d>j{gv+%L@Z%EWVXlvn5O6` z9B0JyzD}GtO(HR0AzM*tM|j!@P1x_Ror^#8ho>UimgAaABDY~2KC@9sZAtVuDhh$A ziAZQ3f*91z)8t2wu`kxRy3%sQ{g(wDgg)k67!me6bYqZL7l*5`tc8h|P4Aq4O}SS# zLq-GY2Vh$`aBMq{m+25+VVsS5Mqvl*iG`y1!IV0Ki=1=)&A24d zd&jol9ob(E?Tg6DsTCo$w+7A@PB3KYL2-s4wc0@7=pODQsIV`YI}+Qq{^hz|;x8$-n&R4C-@% z8@l~QS3^{1`UVD=G(XM@;Pzf?GZ%_ApZ5$cMy2r;A##~3Y~gBE@z1Bu8)-c}aEJ<* zbipQ;S4*IO>It-$EgzyKk(kpe!^fN#!8@wRI4oTIdS+E669(!7>gebYPGg(;&b5L=Lf*a8Al zhM>VR%{x}iZUod8EYKW=kiCBW8u&CI|3pRm%I_sv&Dv{zd8ugVy{6%C!?hCf!i?b0 zG|_vEn&SZnNl4nx-_8sTH<4k^{)bIJdnYP~mtiNq>w5 zH-3Mk*Ccn91WCTrAT0rOc%GmEPM8f^N&uBD(<-dKI}Y9SQQqU@NlZZDlkKsGCM|H%>AM_iuE~+B`YfSc0nD8GyslTC&dLj-*38CRs_6I^AV0JD5PsZ z0kvYT&><^4QGj2e1VIA;PRHri3$}el;OQ-A!hj?hp7cIf4pbKp=vrK+t^-5%O`>fd!jx9lm&wG9f_Y&fcFq&bbuvUgGz>YvKvW+#| z+>X!%9yMRDq99qQBu6FT+>s+kN;tk!BY86g$(xn7WU{}ZJwUB?$wM`P)npKD%=e{vE`=!e8$Q%WJK+!x>>IsAk z^g0I*9RlW@d!1{x<~iUGIsl^% z{+q9^Jb17QooB%vk?q<_fZ`)7c_<j8ywiP;E@U0Am(5%3CnCd*yjV!&b$V8FPtO?H5Pm?>?&kB()$z&Cmm<+Wj7 zTn_Y7Nei_z+hMmC1yPf|qGj#aguQLU_+{c3O<@OE`A<9(37l^bt~71>iQcao$;mE- zK>h$TdPX(TXnX^4r&qjQQ(!euUxqT1cGk4ZGV<(5(SF{P&#&BUtM(z z_}wA72OD|u1x$e*FbL562rrc1{c@oDK8z~h zA4!LaMxggjb8+nf&w$xoQffVm@ZB37Rfkw;C#V<-sYu zN5M1!c~1Y|=Xgv-DyhhA6~Oo+NaNl>X{2iZ_pt`Q{S5cSrI0KYkk-!#y5*g=8TzNdoiTl8%uY&k&7!gXPavJDQV}H#K)jFiT;V`@4aW z04^@%t@DxpT)^wU3&=IBtL3>g3PiSG@!1tMiXSb}*^un`^~&b~*VOsoQa$Eg!x=yE 
z_lKnLGj&vB?hJ5Npe>`}nwR>|M@IgAWa|zm4m{6n3PT+=yM54Ro(i4O=M)GKPg>oP1R>OH2#RWeK!2hp#!=|p|S0y~R^|AOvd?9JaA$mEvn>UeQ3SjX& zx5sScZ1`uRJ-N?$6i3%!h}PyT0hnevJIzPJ zcXtO^dMIn+YN=Aow(TdlZ=?f-2`9QYn-MXUD$s<-YcoE`Jo%&oJ`6ul$VN!7$MdL< z_P{s>-60RTc^8I7%opvAAci+wuU@&L4Ma(ZU~Nz=P`}M#L$DX9#D5G}f9sC{pDn9e z?G-?O-t7Dl(Qdw?{PR6yf4>LdK~|}6FCgZ#y$qE2c&YXsP*qc_o126&#u>X%Q10%N!wKqewtj{cD-OXqF*4wiuYi*AEi}*To6+KXIBJ5Ho%atsycGy z3BnkY?H{kxUbLEw6(bGCdZ6^RzNHktK>mJ@$4Dlu`4IRpULJ9q43n;%hgq`9wQC+g zUqc29VbZ9$e@D=3kP<2Cile3K**d_Zv26`f9e7rDazs#nR_kI}qOODKs?vXZz!&gD|2?7I%VddQ)IK63U^m5B7cU+JE^%N_rvL zBioEXWjLlR;fJjsB%SuWvBPnjBq1+VC=fmAL_3&B4F)M`kylr*5xra%m7vcnTqC-2jCsd zAZc5~cky!&HHVNmOq=xiYFEE1YlGnfw08ilszh7XBXpVWgSS8qJIuDbV1{_a&gq~X zIT<%S>LSMv;Ok_-XB_a<8kY};0ew4C>#bKHN{@GfjT;!0^W1Hislfb-hZY7wPouTC zLZE%GhB=j8^-_TLw_6?_TM)>=cg|QDAvyqUPO)=vcKQVSVT?Ac4t;R~RCj;<*^3*y zO*rH8et&173EP1D5;nbMASa^j#~%&7H^RGd!%!i}djEWCM-ppT?Y0D+4-6&WbL{n7 zrY*o6zshBS@%-HzFwcB+i1e(nAyI|_wCKNj@_HdRKvcu%TtG%<_qmpVI79PE`>-Ufl5*3=s+AN|9qGkBN=K6Y^~Cc(VKlb|C@p1Elyxag7UItbI(=aC#>Ncki*#TD3P{&n z&|trZZpV3m75_N)w$mPPl(7PLbThA=;Jh&yAe;wI(Y$2`D+jnU)lm?T&Bg`{Qz(Oo zZt2}fl&_DwEfX@;wui0J2DLPDR5J zd9U?o4P(zSIHCT8t3m3vq1RFq@KL;{2Fk(CorxEIL1@Hn&rSnOF#x7HpbemT^R416 zvz90Tr7O#YyJqKaAc3w96uDt8HYIo_s(A z{h)Q0H28GxHiO$7x*541VN~WB3zw0c-)d9|MepIayH_OcvfEXCyb+!@kW7j|4<+c^*$$;> zekb!KbRCG|B*}w(KOs6`_Q29xlVaFUedLouZiJbTXzyX0B8hV*}&FW9Gt4%K}iH6=yVufE`0J*F2iqiKp4ry!b?Tg|ksj$?)z~l6Uvp+R8wSP^MSrI5t!amXqr?~v;h#T!t2&)*xk{gd;g(eJSalO$Uhss7o%GI2VLdtpX%$vwt0 zO3+Y7iVYZ)mqXuNjrc+$A_O(_sC zh>jeifsq~GT@yeAu>}pEqa^49kTkhBy$h+-RDk!+yH#k`&AWZ~03EP}AtNdMj^9AB zrbFgjcGSrLd4V=E;X?0>`T{P&3l635#=1)u06&&ruvIyC zf!V-I`RrbxVVL>~ZapnX?W6A6ctpcg2M^}_ezHF#c)s`(>jzbuFhFtCVK6;GWZdfX z=gbZdJbv_OrZY`2Nu>+4bz#Lv)s85%fwt=lckL9(pdf6tR1aa+AfHYJTR?*TQ!cWJ z(*XpYoS#UmKakoVQi0vfgTNT}-NP+^w>GNY2C8W4@;m(0J-YEvXp^EVbTZ%^z*pZ6 zT`}CRyDx@(e{`^1ScTc3SUWG^X}#oeq+RLM1IYZR1mj53fr%P_m@9Spv+>YU9d^CX z5efvfnaz3y>cF~2knM{_f4>+)pn$OnjGlS{eRC&OBjUCu=ETi1k$+D80jr;Yeq|S= 
zk?Aj11rW~QG?7dU0bAu)_!agHeKr;Ezo7ezcML(DWswPP*J^I(3@crFQ z{jpyv5mi)84_gUH0B50?O^TOROSpiR8g&;&G zcpI*!nBDr<86PnD{eDml%c<<-Z)|LA<_`sJg9ai4a8(Kb#^X+$QjbAWrp$myW z4~xVBh7D1CvJ8jt0IpU_OS6RBg?ZgB2pXDn=X)w0CdrvZgB1HJ?ARoNcPiyb|*n8C@F>pX(98U)~X^Qj)U#DJQmM}9z`jfITH8o z6EbmWI1i@a)T)B=2X@^#iB(GyC0_tdf6i#N`>pDVTJTBj9k}-y)6aWSHsuzSZ?>iP z-$B3lw8^|JHkiCI!pj-P%xlo~C6#N0vY}Y{p`AHA=azfp)fH+!3VI=ekU&Z{&2_TF zMH}QsQ@ap&FT9~AFW~`7>QBj)Ad_9JUJ2i*k><}Et(evY$wZV?JTHJfrS)H;nxnt! z?hi|#2U7OS5(%1Z#XtT9RLTm#)xi=6wxAeTbf$)R0QpeHHYlI3WNK!1dJYtf!uME< zAOnJdgV{>^YrU)bj>+IwZN|zUO>VcHY1-fO|SUXRodavvB7fOb~tRZj0m{mws^C{o~Ail_+_w{L`Q;wKOGg1@F>~5GcH<#X%1;DK!nJRP_ z)fu1yH)%rGp&5^$7k*#*W}>XuK;BD<6YhE4x9+em0I}hp3iF1DDz(-0d;>1uUrsKq za9-ugm1ltu`~g_C`3&cS(q#D=156N7V`I;N8|<%&0~><65eK>n?P3#gnC7OTP_!_T zj~BBu;M1+9B)O#x>n(nGcoq8E593FHqpkIF=UayX+xIl$}Ia11Oq?fM%44Q(D z03>0Kk|h6Pj_-t5c52k}K$ZlxGfDs6XPC{wgh9%@HRfvcnN!x17)UEA5KK_)1tnp! z!K;ybe$*_Lh*m&9DDpbS>XCf24^|6jQhBxOy! z^!+k+zn=I`?Lz*~8C3|}fYFbmI!WHCDsWs!XW4oPvC)@`q-ZLtBG*L&w0b~H%yG29 z$#gj1fr!JRHs4k5#{_Q-6#>cdrx_X&BVdto6M{al^~3E+DECo$Z_o~tmjNqHW%VO^ zgD**n7+;`l6_G(F<7w=9IcvIw$|GQl$T$68)8&Y^zwA{l*3#Iye;at`oTtA)yq{$v zhA1cQh;>2#14J^&!f*2l=$2lwwFi;|U}^9c)WoI%=pT}$Jzc<&Op2kAur{az?PZRi z8yhtlljuBTCYYEW4{2Ulp~zQsJlj-#Rh>1<_Li?&MD&7#u#s>?y`9`;Fih^OjPW|lQejXD;vq2Y1x4`z& zcW3DnXmZ;8_jV;c*YnqDyg_c-t^)V9ZLpGOC7Yi7Gxv-$-`Ft<|58cZPe*0qK?6jT&H#UOHib2ynlBJ4T9$X$!k( z2wgY&aqwf*?Hx?jVk^tJvDvvn&O1SP-a{sC86yOHOAE;qNl1^vnMUBntIR8Zh;f+j%e?@Ez=&G0+BfU=>zk0=-NyatEZi89zXBuCD0b+={h^C1 zNu>XPIj3=gnAFt!OX9afk3+St&|e^!@yP@HpkC+Wjm|#uu@aiOmY#xrMLb(8&K|Vh zP%K-}pF+krgPXFS{F|cmFA~5!;Hvv?D@6EK;6&zB$De?@Fg_5slYrML=%LxJCtqBG z2{H`Wd8DMOYtX>cBL;83R%X*19u!0sW^8QyvKXRQ`#2NP96958Sx+M)Bd9=Tc~^mj zhL8x=01zFgx-bYu@PS}R?a@cc(Wa9Mo+wv`%0H$b+FQF{Zqr`egp6jLz?GNf2ZOKpg9 z{U7J|la>x95CpmgJ9pIpz{7P3K}H~u9@Dlr(+a8wcOH%7*P~UVH;Zlo2-lSg$qDWq ze_0;!Ts%Zf{IVE8d-xMV7~K6q<4!#U-+*r%O3MWdoJZ;NNfW+L!LNZqpCIvo_ZA4TWSB#fZ^AT=G>{yQb?Zu%1^Vcl(BqY2L6BT} zl5*;El2-eJjva@je;{WZnJgk#Z=zhio+fjrpzY|4&-OXrM<&3iI;J@7r;#``8_<@| 
zVcM^v0#IhO##2o9oA@s<2koF=&k)M2nd&?(_YHzhT5z_9M|w-sju9pA93%aw;K99= z&+)?Y?tT`{ae{2AN1B~=fc+W;33Q`cbPhCbyuIRq_`}@S(k@AtgEd%X2nf3!}Vgz8_rIm6T+3D>v&I)o1a zBg&_G`O4=TAmR?8{3#iZ9;K!=oDDv8v%vlU9%_X?+a8A^i>NN!d1V$o)!;@&L#gLj zJt4XdZb1C)VW$Y5kd!w$c`S%6T0B?8fPOlXcV5D4qiCo>;m6QkD{o=Y!UA;vNka{d z2}5k~rV>x#25oob!i_-Hz8j>VQP6lnB?;7bc?~Ji0eDnIt340mVD&Y%?++h7gt^dB za&lmh`e3>;ABD}gI1?oc5N4{R7r7?*hcJS*w5I?MIZd5BUV|Np{#7F2iQa>n87mn- zo4gI8QqJ;D z@9RSJ!-^rTEGo$@xUN@MY5F5u#u^?^Kb_wvVd-XecX8XMXWgNOPnXoe^#K~gN1&nZ zY&la1v^Ucq;M_u(0~xK7NdpFZj*8_$X}_F~9V^#!@`XZe7EP19ll6$sz)jA@>=-k1 z{;q__`hN8yb*kGSze6wXc>4V;P-6mH7f-{tVMExe_@K@J?4DL#!;cm&;71F|41T{W z&l*%$p1W<jB`QVWzZU}=TW+vnHp=HUs)QS38#Wm6lTR}>c^2(}y77zRx*h4ZY=xk0Pw zcyr17$_|(Uxg|IKdF32J_cs0A6439q9`;wEk*Nl4HS7s6E$apAn0W!cqbJU;!iz+n zjts?Y!(BCmNN)XZ3-2ZB+Ldu%*OtQB&)CH5-x!7Q3KAU12O23>Nf(v%iSi*z@Vp<& zf;CS#T1_R1D-Ks7XcImY#Uefq!iG3Yi>Mww%Y7zjBzgNP+# zphTkjKomkHwXGAB0>g1@AZ8ALot7JUT_+BPNuV=12RH@I{@;JkETDFgOjRD_V)k!F zpS0~yp$r^q9k1YWpQGaU|C}lxzJgcc3=(w#H>GNIi&4}zUVr?;jtmycu3>8ORe;%3 zPxJAt*WV%bGh{xfUrv$^I;!}uS?A4LkE7q)YkO9y!?HkJ%fu~_<90FgO;kI*skf?=T_hradsuabQn{%61~ zi}%lPGFcIe_Sw<8y;}?b@4I1|0&jtW?Esh-1sOZqpRT^;JZK)l+8{!8m^oQdL_RpS zu9MT#Nzk4HXw zhIphY2I~p*h9wZf%g6p~llmcG}dGKO6|aJSSC9Ff#*h{;2G@H}c{lsYc(|G&9Laxp>sUlY?J| zd(ei-I$5muq%EGi$Sj;>U#6f>hnuXC4eoLnv1yWf->|d4o~!UrQPa{HWGVSi>hEkc zB#^OKPpiL>HlBXQVA-YwFHb^}z6fh4?%K8AS-sc<-DZw+hHm}dcPr0h+dA@Bt$g0Q z#%&yixMD?C(v99rJ=L&!?d7Zc+&6>wT+v<8o!n zM3ePMYo_H7#}nrl5_vT}mnt;(cRpLF>1qRY<9bM&m{RaJwQlZ?uJ?8gr3ajy#OPqETwsFw8CsIYB zs`Xa8$W}{C^K9002D<$I*w#m%0|PWKYn52Ltl6k(J6*F_fQ+X@pR#Y6i&$O;IdU5I zNAW?TZ8;CgF$I-O{NK`zojjdMf0b@0+_Qcw&rbK&CCs8!r=U%{yjtc^cZMm?(a$pd zo_FItTD7e*NyDnV`xYXDf*$x2!gU2khGe?x5j%!sm>JS;UDB+u&&$oj$OCQE8%-ud z6->)tf2Ii5Z*RSjtM8Nb>#O6Pk0oWlbe(#vZ+gVCGBV`Pzxw(0d+NH!X@F41Q^=bU ziGTdWVv}C_pHcBkbUA;4wDoD#mrLY~q7|LT6;%Q?^!{0A8*|)qT8B0KN`1V~zR|XM z_fh2gKy{P|o91(?=k8qP>!sZs)YL!W{S)nO64(%-$e)>4(RXz%Ipw(*T$2`w$@K>H zRE4ZVN;IVj&BrkB17mSMGy=PH7FRihCm{CEhTg#=k{L-ITiQ+=);pVXw+nO 
zFrRNLREwY>TRAttH(-7uwBcshjmV9%I@(;O2xh3ILCrdd`;$2C4Ugh_IUbElCn9$w z;2oC8_itRr^e&OhBsk(%r-rN!(~is1YW1(Ws@v^Wp<%`RPHghtPGWqaC{H7;g{0N6 zw_w+B#_%v<84@@G)_b&ErX!}81rs0Z+7=!o(NNR;l+A6wOp0 zh-&aNiO?#f#yaR&^`5chv*bIQH-$-j6I0W}qHvJTd4b~E0;c$cgr3I01psM>Skl@b7xr}59ZB8K3BF|V~X zpIaK4{R87ec1Lm6As)2}qbZ=%J@BAI4m#csE&6A=vlMU`QigjS{jBzn?m`^Y*f%Vffbf>0~i>Rf+!bg^MS<$Yp|cA zI7o~4ZSa!&W=DS{+J4SaC3XUS45nmWZvIAYcm1)yDYaADzx5wWc66=&mij-J%p?gR(<1<_$uLG1tIQ(;%Hq*sU8)E z$*_6r5a374*+zB0VgYaWT3{gYIkYplJlBHTJ>E6g&Gz+>=2kcv@*TDI44?^X)~q3H z9x+hFu7`(!eiZjIfLmi&}UG}BgjChS{{l6=t%)h&o3Y#Qr>B!{Uo~EpZSF=p=WN*1c;2S z5h_HWw6H!~K*AxsOGbbzHJ~lyBP0_1waE3p*!cjuLI2#Iw+?LI zg^Ly~TDXvF{QeD`$uGvP`}j240OD!Y$}zAcGN@Id_JPXg%fo&s%}+K@jz?3Wc9yr; z*M@ntVV;|M(SWIDjABp+SbBsZ`z{ht&vrGJ4WPFXMTz)CG`rwc5$l`TVUvlN%!f&k zSr3??(1C9Jeub}qIQGaC24TabKPYRtEDt0^Y$%Cn)n=^+hkcQU=_UB0E0>wRm~10M zm7WX|DX4}J8rbxahDO28y0i{J6=YAne}9uRhXVG>uD-eS zOZS^0`hd!e{Dixbv(_bQa2!kP?wL`1MI|K-W#d@<7ae;h(6kdqy+hWE_4L2%1;)o> z@VU^<1H@J8jRmUwrBs{)^~93arJ=aW`=XUr2h1HpXTZ)!AkR9BkTzgzeooGs7p_i_ z-%dfj1Y%F{6u%!A_<%sFbiU9*`Zz5 z2%fM4?@Rp+t=m-583Dkwnrtk3N?mYzot30u2f=g!a%$lJQx>+YuLoVGO^byyfi*~P zMUvKg1k9$jX0BJz3Em>k5@p`;KU^8-6cyO-B7JOPVU>VTv$+H;fPpUdw=nrW6k zS4;xLbL!NofxAq*wVY|Un16`A)p(i>;e>`NAZ#7jvi!~8yA}snd3{bpY<-rkWTh{J zwU=nv|9#%?fP0U|WSOHo?=X%(_yeUUba4%ffUB;Z`ZTMYeB(nz*9maICZb>>$aiQa9{!6{Pyu(f8YFF)5RYW3Omof zuqyyn2kqfE*`HpAOUeHLBuP%{+2507Pk7RY9+rY8(Tt`C-MvsmYXf2%uySg^dau3kOOxxy-^4MEt&mHLIn=h6;;joz9lVmrGLV~(w0rTjSuN?oviF!F)^{-;n(gjXV(Z*X2Kwwwl(j2rg?h8;!b z?+sbK;C4*521pVDsoMqU%vw!Fzaf-tTtWOopG6Bwq6B46LP}|hnC<^FfF$|GojWT~ z4@2w;f)j!PKT!iN|S2??=-&pe*P* zzshHgVl9PgyKEA%|SeoxZZ@#<-|9tn-HuXO{ueoOJT5;ayJ4C^s zWDcBCam@Ia7``xYme;mh;sMuX!JOOAY+v?g_4$TS-&nufL|8`V2#FHx7d__s^KVh9 zh&n5xJNJRdl>qSRuGgu5e=gp3!2jyit3g5B7Zet@eEA8r{RGpKf8OX}L3Z}mwe4)P zi{8As%KebCVc-mMn^GUCv_B8^fj3o&@BF19kXm28e*HTGISy@S_!$84A%$@2-*>z3 z(Ka)Su`a(J6}9mU@`IS(~CrmzlF>L4jJ3EHo9HOcwgP0Av)vVDZKz`E;QnjFA|O%f?monm)qpf2QDBHCNE_3v}lXxlG*_Ir6!h|(CNb$ 
z)4f|;8?F6CuSKP#q_%B4MpnfIOnH)phAo^sj$qKa8*S2?hHws?rjyoVH*ekI2CaQ3 zMN8|d^;#?eN_S-G#r80lzAqjf=R>C0)SbC0|9$29=AAjV+)m_&M_rw5IoJ$J`OW zQRh5(Q!?&>`RmZoXa0#FAYg1Q#|Xkhi}mE4@S-GVW)S)+$H?o~uX#ss_H?JWYxG8F zC_19mJGHg7Zu^OEag2b*%3PXY0vF+HGS`TRv{thqbYiZilj(ed4zuF0 zSR8e8%Ok641`&I*n%adMAg{?>O|i`u?rR6wW($nJB@nKOm;c^ByXJ$LAmpF$z2)TJ z_`P%f{+kZwlkjn%K)!qTZsyO)O#{2&;WAJ51dV1cJRv@(S9v0Vo0`VlD zvWH>j(hyfH3(AXA*DEwcuoH6Ef=gDds;JU_IBTk-acWhi6G3L=AomHsgk8v4#%G9A z8GgnaPX6r*UcD))NFg5mj8;SVVd?_W1SPx73U$~GJ1Nf2&ZPf;t&rTyF;9PujZ0442oEoXi1E}hxyJec8gxr; zE1q0|8|Q>`Fgi6xfxO%UQ_q8{1=d1BtG3+RW6Y!Vp5BRH1 zl$MuXz|Iskr!E;mqKzH;jw{c6Roja33PlUOyop8@V#H>v8Y0^{eE9H*^&BoU!RErj zN33Ko7=WiGlK*E~e?%LSfenacC13q${s!_nAG-c_DtF-sDtPBK--1cDrX)$dk$bs% z<%$(ozb-N=<5Kd&vgBa}rMa~a9Y;n2LfkEOHCA)G@zIgDvV2!k<~RtlW?>Kmk?qwH z8d%lt;RHp^8yVO5Mf)2I&Pp?KZ|c%K##Wl^aPPR{=Z)Jclvd6*?}U+-mKH|1%pFHC zOP-+oi-Yn~+4ndJQgCXKnMlW~&?;5d*VhMbH9J9Aix>Y)8g=qY|LiqhuD)Ni}WomrBfFHhgZ`J8LxN?3HhLW+4z zMfhl%#I|j`4x8T~%%6+Ho!nZJ!@q6itbpP@-^ zW|(Gk(KbHED-Dt7ek%0e=VtMm=PO;6?{&*B?@Drq2PPN=1_dozuwa>FR)AViA)DO3 zNBNno$WJmpWKo^b_~A?H^epGa!Q-))DBd2X|Lb{gI=5}mt4LL&DPGrcS7fj+ zx4d3|uuw1XxTgD$AfJjH{;K6LAz;h6`|NC#cDRD0@iW*{bRJ|fhJwY4_jc-JUqz_l zG8@||ZBDOTT5)@MkwAm8o2uIOzVFoF+SRL92S!2@dDYUTF-=RnofX(#imlNRe3xKb zlyzscTBs=~-u<9S?g_{y;#s^%p_#uWcP9sN6h{NoXdffAX zEMa|X@%&WIXA$+0pJH2N_8x4$*1O2J!h1^8J_N$NPD?ZvFED}2=wi24qh+{lXM`@o zZ$lxb6arh#=-R!grZyYahjcuR;$O<|=O}O4!u3FFW453CNQEp-uy-3T#U9SGk*)_; z-?h^RUcK5F!4t-D5K=^W8)Sw;Yl&RKW& z@TfOIt0Tku4~uVqy>^|)DRo3>nZ(a~dr+0fa=AlnnNLmz;xwP2R$FG~j17B8US8=F zDZ(@4bN|WU(Q>No&1?fH$L&eejyeaK^)yKUL1J?W$dHVM`dIX#b4+`34$8zUG4Y_n*pw?s?ySWatz~ zxFZHso!q5GJ6IGi-7EDo@OCHhXXcltCXh7~xq3W*>2H#Wp`1C_bL&TIPD{9`uAR?YT6%WKzS7 zD@wwTvcaIC?Y>pv#@a)PM|+L?Z7-`rl6)yw;{=4JqIoAGK2{}#Brj>@(RMS!VAz8(*xiGAH4jWz4dk`1_Qw z<=s^)b^KNQ1FJW0R|`5Krz5{Zq4?)a{c{Io>bvGw&Eu~26J_1iB*Y(ZG~zgy>1OL| zORlX}zomYCr+ljPi1w~sDx!1gt#$16)j6kZeV)u(uP7kYwxD>mpMz?ytY1Qva@4k# z_nPW=bF$f<`EA!q;f+ryS}o)eyo9U&mW@m+|Nb%g7!G$cSG#CaF4;HwcLfDnW7E?V 
zxet~EzAAX4=Mxzm8LKF>eTVvJdQnpNsDxjzUQ6`6$t8#tl;+3AhqwDBzIs>*{~xZ3 zoYcj8V)D)M^Vj1)c3x8RiR((B&PZ8sh9zr`3rEVK%n1hnjrliH41e`1 z)Am2)KJsi+%)?!`)>Zo(N>xWiCOw^DbSm0gAf&n&%V#6u;OOy{>5Ss+^0u zraS>u+YGjsXEjB|?6m5Qx?iTP=zqe>k$>>28oJ?Gg%?u>%5tExZTZb~!GeC6M@aNJo$#K6Dw%k)|GIdufm2Aa-m7-vdW&)z_F z={Bg#0#`0#XQ;wzyM|4lCrYA)&L$kFL$-}Tx|GDS@G@G%)Pr!9&N-?b7yw43+j z2#S`i-rH-wgI(uT&1M@(od=$yEGc^KJtixum?`qfOTbvOB$OqjvMASScH+{87QL-Y zwikYXLJ`6Ux{|ax{kNBJeU6bkvLWi`Jjcwei&i};Rgv#?#T^RP!Sm>fOsJoq5ET%* z{U-$4{Dj!Hz8lnNi;1RyJGzJc*-7Yq+KPvE9Xh`^eeE-2U127Kh@kOpjihi1H zzNs$Ub^2mv&CRV8gPci(toA<^D=#xTep9x(^*s+8SMT7CMH>E#?3Cjr6ZN~z64+QS zQ0F<<3q+l~Z{YF^AEjig%vss8?UI!mHxJLHUtY8H!;JTCu(@4qm(=dOiihjGRm%Ks z>tL^wO6kS>KL1{Kg3fb}MQVui_re8f^}jt!5zZJKmxh38I|pCc_^u;e@{Z?bX8&$g z6r7uTT1Ks_IOfiaXSW^GcZz*{BYi=_amRTLE6yIj4fS#z@gI9K(gT6s*6NP#=Q1#2 z(K$8w{=Q;Q#WSr)E4z*Wud8w$_dVk{Pq*@Hz+%s8SztG4SKq1Sexcb@ed3M7N;?)m zQK_!nhv!!4eZ+X9M=y>P8Lf#jnp>-~YFV6R%KS;HW2PmYvA;FtRKM*GwS4y18`|gA z7{*ya#RU^NP?1Q4`h5%{t;9j=Gh*S|%mc4!uY5>cnt#zf%&*!scgL~Boias6o1i=Q zP}|zK<%F+&b0(at zY|{~NjD2c6Bl}0ywx6$L7YHU?16ml#ST686&)_82;?61aDlG1eU7&B<7 zL-UP&`oxJk9c>N zAVc=U|BwTxB2csKpy21W`*SHmEkZ}FOq$-rSn1Y0uqrXG|MIcg>-qfjGaK6Q`tOD{bi%SGAqtV)97+f=r$PnmyC)GwpU z=!&TBY2B?djvPJr9p`Ml`b#u3LlJ|UnxgCD6fX@Hz6)c2F6B(u#YjUfVIk$gg2{31 z&!sPyY@6tvoY3BQUH-TZ^GJq&NqVgMA!65S`@&@*5ziG$OLO>V&3yVoWia^-xJAf< zrskzQU*9yu7gt(Zs>kX59^gVhVu9#Q4iscYD@HOXU4l#s(9~z8Ljg+h@QB(M{PGkY zScaU9nLk`pM?}|}006B3Sj$v~SGtE+f`}&oS=93O=wXxaD-HhdKdxg44_)#0HeL2= z-Y=4 z7svxlgD>y}R5JCxLXzJ~a+CpKdV47K`4d=!JWA7zQ8WY8l|O_a6Oc@<3qrBg#*=7& z^@telcP_D-HI@BcL(D`zF4W_?l@S*g*A{J9ixw61{?KNI6zUmHg2_Cvqg4{%$=(QM z0a;lcS&op)SR>PX=v-deHOlvXT%WLhG21|p$8W)#f@F$?`{DM*Q;3R%^%S>|;}k|0 zmahNRKaAOtdWYLBJ4Ita_#|s7OePhD==Od2p}cP0eBr%lgTeevTnnVEoM0eh{aiRE zb0=zQYJk;Au2}UC z3bGBMAx%xqw<5ZSZ&-Xb&$%}i;d1onB6Q05cxVbmV?u`sKyx%ZecJQ{J-%Shg9*P3 zDLOaHFhnYbHho9!8sf!}uC9weD2z!a*sj=o_fcbr<8KTlvbW5xXv}cP}$*%=VK$;^%8gfsrUKBcdnLjJnmFzODA^6+>LX5 zo!fCXgJLILt|6jhyZ=plm(KOyhN+(m90#90+Vd%N&2zTfG!NP+T7@7WD=R2?9Muq_ 
zssddCCCY>wb5zQzM-c5Gg~4x7a3NxT=xM`zkadiL+sHAXvGldo=5t~ls*oqv=P-4c zc~PbrB+!g>bnXO_|FDNVOO~KdC6c` z);+aJJhFHF<{<0LN2vn3;oA@EhNq+iq+Yq$@ad$%cw~JB+hHfJfUb}&qk6H4I$58( ztr94QbEz7qKCkjG<%9GvO21GgxqwPOdUm3=+OEfeS@3TCv!HM*Im?+Ri{0=LuHrME~`I2Co^HC-# zLqHa%J}L2#Yr5g>6zdoA!+m#J&J2cGM~CznJczojpYkFlwbf>_UGwdE>qmuZ4(;m# zR7>|+57|~4 zhx2l?4fZ^B9JFjdsuj@rhEUgrXO)RrJ6^?-{^YI8=i*JEU6zq}{G9iltf_}gWQmSW zIOFko2PcDf)p%?>rA*tkAwJf$33QL}wb95_rH0uzaqlYbY+=9bfvO+~K|oA2L4Lr@ z(_*10)(!gUb0x%5vQO1KMwWbyPw_cA!E1Ggyq3E2ZL?S7Q*E0rkPhU(L7luvKfj{{ zboL8g3A%rdh|A<~a1}ovU(i<}%vHr;w#=@VVQLw5AB3*yzl(^Nl~gWtXI+4k+!l!w ziJ#7!ISPQ|rWI>d(|z(sSlGTqnf2C9^IzH=SG{stC@U$jH|pA}F{|<$pIlYz%G`X8 zF&;-g%3(_!PX6AIp8U>Wr^UvVIp`7kiRLZH#2lOzN~-sg#(6lvDDoe9xEsAAT47?< zK;|Ix$dE?yL4|#tUPGFtwsjpuInv|r-9Ln?inT!S13Prmp};4`lc52kNlHKX`k4N8 z^zKV2oRPY((|vSkd|CL^m_SK!4)mNSg_b=uJ18On=2zexSsNjC^p4f3ly&BT^>@X6 z?z~F$Jt6QpQO@AesoU;+MQ1v+uqT7$bkb|w$AEv_hdezUH zx>-ixGu-&^sEyzn35Gx+%;I z&{Zr@&>LtXLE$_X6dm+%yle&21tUY2a&h@+xGZo0eddV$_zTP;En6*yMv@C&>_^FA z`+mz6oQ$KX7P}R+(A)PLHQ1+mDKmp7VStU$j%2grp*&`v&K(gNLiuL%5NAk&g(O2b zI~hkBCZ=>Gyd-3lgPJztu7pVwn9e2?wU`VOfqGDS5_K^YMUKS0I16S`3(@z=BK@`4 z{G-gxx1?)&7RIig#lrWq)pZ7BGZ6vs(eCB&?;z4S%Y~MVPgQZ~WGIH`VYTF=pA-WHy3z$|I)!3 zl`I%v@Qys7PmVHXv0=fN^J5W;QPO+*Z5O>nEG+CRfO(>*f^m3D=(=~TA*l#p8srgG z&k{085A>-f4CjF!I+kz#xVabP$8ey|1DDss*quReXVC3m2OTM>$>0p$cSp#8R<*_K z><#9rq?Eo=uC?qX6dR8{-pjkTzM-$hYq5r=rg`VB4y`(-T5&o7fA?om9Uyt#($WIq zprGZO%+NUIOogIscrqi@(#3#Ya(?BqW!{AtWN???T~O$@!y1OBnwl6#gCQse_7Sv- zh{Nf68)AgGQ`Y(|EUE`lKs((}y~jA{rGqaj{;j9p$oJ+skcr>7XrLN4w#)?Sx83e( zxgwDn0CR5KhqN2H{^~n^kf`D|U;L2-lSvF?CoQkG6@PsT-DFf?}=rG}dNpBtc=pF4O@ujYqJV=y=bN13?dI2L2b_)oIaINtWTdiwzp6s90MkBJ#JNg?9vru*i>Q zM}!k0O{*YbznZM3^q9@r#|LxcUqp=a&qy1)EKx#D&=&fFttS$g z3$*yM96I*9?57305zcbdu{qD&Ycv*mN=l>pm>av`{vCX4K=j| ztGCOzHg{~cu9d105P%fG?xzB|s3=h&odYghH@JQ!ZH7b?kQ|87pJ#JIF1si&+Ux{3 zeg}J@PVJcKNVUFE%w`AW-`Mp@FrJFDX~&2bv8dWp-!(}878{mLZ$%vL0HH|w`|n7F zIe!HX??{9IHJD%717;c&k}=$kZRkc{Gl8Big~5u=C~^^L&q-Go(#qHN(umCa`caw* 
z*hK-n9%u=yvw8|!Hx{(3&zjCJ@3`S9NkDxkDptKMLhf{|Z5O>c%QiaPQc(<)B+@Cb zAjlkO*kZ=qrMkC@*cf*xhN08@nw#Xue~z+m1yXELaej$NQkHN*w)Xndg)GN=#<5e)Jo9TM@pVxuA&o{DkL$tYn0wQG@i^dKni= z#Ov!L;9`{pE~xOzA*tl#lDXrc9i;lpX7r+7891uYgtX|x|H`O7qUC4COz)ANhmGX8rd?>V5Fw;XD+Q> z$MryLTGG?m38Q9h%fZR-U^dx$wVwp{$PQ(%b6&hti;j0A?U>17=KEU>ckAM#13YHZTg0 zt6TVJpDpacW&=s=ZLSE>#cP7XjLkoG$P~sR(TRFwk|{(4IdeCy7Znj^V#*uen;-QSev-@X|e0s?<6HYeWvAbAVJjJapuV@ zGA1ARH0cRvh3q#2M|nJhjiR3bnIE7bJqXmWu_r(f!FmRmTNA&@0|1O3x^;Bea)u9`5SjhnqjP>-ctmnFNS zlSeyc-I4f9qPD4@DBtgrun+PFb__Ddn9y=YI1@N@I3xCbJaOVj?)nP3H0tixTIT^S ze-l4`PcMC|XR4K`yMc95d1uqu?DWV61(pl3uB+~p`mCxLH|@W$A`{vTi6EAu@&4Uy z$!Kf)onVLlF21*&bSgh3OjSN;t-vc-db=LEz8Z7j1eKmeKI$DTbeMrbf#j9s9n)`) zvb>1!of8Shqp;kTYq0s+c?nCMTEM=rNcgV)4c=he!0CN@dbQvthU`Fq{2Xx}Q6u4E zVIe6Ys8xz1;)>X1%C22=>3ZH1V8Fc9Q8wSQ+CcW7x0$amw%-doyG7c}{>{nE+|=6Y zqV)Fzb7P8&wC2h+)R&iqM_+Puh!nlwSlaZ!->|fwI*A12*1Drw#^DjOSy?|LNZ1u3 zWM9VxF9#;G_+o8PLLfX)OH3uy6huWt9wQ)v%-IJ7k0C7_n?ia;adJgx=%E5Pf~=5j z!E!0*z7_gGGS%?8rymT8X?zj-7auOD;PFJJN2h;DOs+@eBT zB{%RL=QBsv&x`iab_R8LICtE0k~;kk03P&mTYt#4kWmtN7fdjC#&Xi3M(yj&xiebt z6Dmt%OFi@UFKUkh3%pcw?3M&{n9Lvw4E~TD+zf(0WNGLMK(Q#vAy{CI)&{*#;N+t=y20$BivN9h_(9+;<`S~6jh$~CK=OnmceXiyHJg5l*&HEj zlzqpw*#$>itB8D}g0A^5$kak$a%1mIxya3yK?V7&vD$R)efzi`D9gxvY%Wmxv|*WW z(Vc&^!avELTw^epXdUJGZsxNS$xgZ_x-DP;?ro_Ej(gO7oHxIhtjpe{`jw8of7j($ z`S_(Wj8iH{j1&5{9o-14xgQ&jynoq8wBF14cJmO=&Kw=mwyHvLkw>DA9GGFwQD}qk zJHr6Ed|<=EHr!_Du-;(!Y$Sn;i}hrTDjkR%M{n_~!{3I6&ewHS?meiNz4G*yKqvF0 zrS|XSsvnwiJS_b9c%%5Jt5uF~Ub9m~R{hzC3@IBzfu!WZ(&T zYV>%>DDHZ(6ACVfc|cOky)x zMAw1z1>Yeza?8nkBj$#zS==2=y)zohB%ImtBlIc*;VZb@n0^J+{!u8UfwTGr-6}{x z&Ose1=M@clB@n<22;b73fI(5XlEJIC2{G1aGp&*fu}U4Lbc}Ys@tx&|3og!fh;%7P zsBVY;Do~JbjbBe9U>@qtGI}n_fMmR?w}*n|EwK5bZuL+l1vUh&*zyko3Us7E;6c`aNg%ajz^KS0!8Bt$iN_{)D?qQw7)AnXM0AS-$2u_vrMmq#xvibAo zJpttyNlgO8;DAUWt0f+NQw{QjApqz4J%un|*k-N3as#=2cTBkwNckk_>`mmq64yk}lZSu|TT;V~ZAAE$ZZXM?R6lAUct5&xm|@X z>0m7D&H}IIt_#|bvdqEwd4WG=8frVX38YdN z3}s`EcHjf$crZJ$Jqoaj7)#ZinRDiYSy!21`vYh|4}^1QDP=Sy1a`DEZiL>U^3=Bg 
zZlOgf=;WY+D@KdTuPmbiXIr||bMzq~hmv4^LL6Bcg z0j)$5Wfq{cLv)nemHWj#htYTK>i|8X!O7<(bvC& z($9d+vIh5V#nV}vBK&x?Gv>8G^LPOpv%EZ}zo*cS-6a;KQ|RwnLA`5QD)GF-ltSJiJ_DiSYTG;{WX5z6Jm5)#BTxO z_z!`!j<|xD`Z7~e_3Wd-Mw1fIj4n0EPaI)#%5gY)XV>LU_ z`<3$tBo@iWoid5H-?k0)p;=&W#Xi-5Sc)$%t zSQ)}R`aMNyE{*$TMu+avmyBdVrM{Q5?0rOuQqfj6+64YiRd#BTPBRzjeTN5GIjGji zVOkC{P%=sQ>TZyGiJ{ANJS&5pJ&Rs6XOTV#l(%Ku%SB%pAGu(eZzHy66bdw4m5E_2 zmB;b&x89Qk$C^-)GogJ`66Uwf|$6Er3*r+gi+sJ28J9Y-byO04ZplcO>V z#2{3m&51B@9(V!@I=(@5sM7`l*V4`EqBJe^6t70P>Ex&DomAfx^v> zNnTK=HI1S4zF^SGTu33eMT>d0=x@h8Se?kIW%#B;0PAXm^^sIA$k`r%kVhKC2q$+RbR+q5BHJ$H1hHLz34F@QoY zo0S~KRSuJi?f~i#5ECJ&?}FBkVZ0zeccbBiIv{Qfo)v4g!iYdQUmzSgqh;q~t7;BTV@#PW4 zY%YV}-iq#2Mi(DJiS-qZhC>l)zqaeQo4V&R@vh4IpCAYuSoQ*hH&k_q0Ys@!-WW~0 zNVUJ3lm`(R#-!ChA>rl!MaueAL#Bl9HDowts}l>A4H13Q7BLP12ZtOfE()7hHBK%@ zuSFnSE4{#gz?vJTvbh{7FrOUZF|obMEE56vbBoZXc?_?Y=NQT84NZw2B`9kKfsE?d zkr1qoBaM?e-Tw}$K?ToX7@i%+tL>NE^ElXNi|=XjXn{Q^<&bsy6HsC!N8?chTlv(F z_oRGBenh&x{5%{T6~%{X*^&IqmXYoSF#Tz5dCH802PW>W!Q~!w9xq2MY*8!ObyVh7 zOEJ)CMge*>IW`zvtC0=t2<3{afmkDnNEtA`pYZ^%;0S;ReMgnRj1tj^g1R&`rlUFM z&+HEr^CZZyd4Q6|1wn1~nP<-oI|Xcpxw*4EeAO2WSaE7{(WKkbQPe7rluM?*KZ~ON z$w@CZrFUJ^^{0lQs$QSow`+vTWhEt)9T%1eTn)v{MEe3pIThfYfPF&McJHiQhtK~-_u{ONMmwFfr3qRRxpG4r}qjQ@jU zt%SP4@-tyqY`GOdOCU*8cd0MdLouOJZ1y!xRo?~h0oS_4X0hH*^yu~Y*8%j9-kjM(U+MLLZ)}cGR*_>1n-0z7lFOf(0E^V!|}fW-gO7UZr~DQ(-5nM=-w| zO!D)nGC$x+91z{t8Tn#zOTcY0>cYy6W5WyS++U`$ejEF9=cI^V=SK-;`PH7h50Vz* z3}w{h^%k(Rk0Pc1X{q9l7_N)QoLGR`rJR?4DgE&Fo}H3>OP!7gL%u8At$(&k5ARKs zP)q?YVFilnQSk|IkC@ho42ESKL4sEl*PGV!;0hlaXQ^=HNMG|1>EgX1n4S-dZhyh? 
diff --git a/docs/integrations.md b/docs/integrations.md index 7a27d311..590d3cba 100644 --- a/docs/integrations.md +++ b/docs/integrations.md @@ -24,7 +24,7 @@ To use bunkerized-nginx as a Docker container you have to pass specific environm To demonstrate the use of the Docker image, we will create a simple "Hello World" static file that will be served by bunkerized-nginx. -**One important thing to know is that the container runs as an unprivileged user with UID and GID 101. The reason behind this behavior is the security : in case a vulnerability is exploited the attacker won't have full privileges. But there is also a downside because bunkerized-nginx (heavily) make use of volumes, you will need to adjust the rights on the host.** +**One important thing to know is that the container runs as an unprivileged user with UID and GID 101. The reason behind this behavior is the security : in case a vulnerability is exploited the attacker won't have full privileges inside the container. But there is also a downside because bunkerized-nginx (heavily) make use of volumes, you will need to adjust the rights on the host.** First create the environment on the host : ```shell
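Review bot: since the `@@ -24,7` hunk in docs/integrations.md already rewrites the bold UID/GID paragraph, fix the two grammar slips it carries along: "The reason behind this behavior is the security :" should read "The reason behind this behavior is security:", and "bunkerized-nginx (heavily) make use of volumes" should read "bunkerized-nginx makes heavy use of volumes". The added qualifier "inside the container" is the right clarification; it would be even clearer followed by "and cannot write to the read-only volumes", which is what the next paragraphs rely on.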
@@ -82,7 +82,7 @@ Important things to note : Inspect the container logs until bunkerized-nginx is started then visit http(s)://www.example.com to confirm that everything is working as expected. -This example is really simple but, as you can see in the [list of environment variables](#TODO), you may get a lot of environment variables depending on your use case. To make things cleanier, you can write the environment variables to a file : +This example is really simple but, as you can see in the [list of environment variables](https://bunkerized-nginx.readthedocs.io/en/latest/environment_variables.html), you may get a lot of environment variables depending on your use case. To make things cleanier, you can write the environment variables to a file : ```shell $ cat variables.env SERVER_NAME=www.example.com @@ -116,23 +116,22 @@ The downside of using environment variables is that the container needs to be re ### Usage -First of all, you will need a network so autoconf and bunkerized-nginx can communicate and another one to allow communication between bunkerized-nginx and your web services : +First of all, you will need a network to allow communication between bunkerized-nginx and your web services : ```shell -$ docker network create bunkerized-net $ docker network create services-net ``` -We will also make use of a named volume to share the configuration : +We will also make use of a named volume to share the configuration between autoconf and bunkerized-nginx : ```shell $ docker volume create bunkerized-vol ``` -You can now create the bunkerized-nginx container, connect it to the web services network and start it : +You can now create the bunkerized-nginx container : ```shell $ docker create \ --name mybunkerized \ -l bunkerized-nginx.AUTOCONF \ - --network bunkerized-net \ + --network services-net \ -p 80:8080 \ -p 443:8443 \ -v "${PWD}/www:/www:ro" \ 
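Review bot: the `@@ -82,7` hunk replaces the `#TODO` link but keeps the typo "cleanier" in the same sentence; change it to "cleaner" while the line is being touched. In the `@@ -116,23` hunk the prose still says "a named volume to share the configuration" and creates `bunkerized-vol`, but the compose file later in the patch names the volume `autoconf`; pick one name for the CLI and compose walkthroughs so the reader can map one onto the other.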
@@ -142,15 +141,12 @@ $ docker create \ -e SERVER_NAME= \ -e AUTO_LETS_ENCRYPT=yes \ bunkerity/bunkerized-nginx -$ docker network connect services-net mybunkerized -$ docker start mybunkerized ``` The autoconf one can now be started : ```shell $ docker run \ --name myautoconf \ - --network bunkerized-net \ --volumes-from mybunkerized:rw \ -v /var/run/docker.sock:/var/run/docker.sock:ro \ bunkerity/bunkerized-nginx-autoconf @@ -179,7 +175,6 @@ services: labels: - "bunkerized-nginx.AUTOCONF" networks: - - bunkerized-net - services-net myautoconf: 
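Review bot: the `@@ -142,15 +141,12` hunk deletes `$ docker start mybunkerized` but the preceding step still uses `docker create`, so in the CLI walkthrough the bunkerized-nginx container is now never started; either keep the `docker start mybunkerized` line (after `docker create`, before the autoconf `docker run`) or switch the first command to `docker run -d`. The same hunk also removes `--network bunkerized-net` from the autoconf `docker run` without replacing it, which puts autoconf on Docker's default bridge; since the notes below say it only needs the shared volumes and the Docker socket (events, labels, SIGHUP), consider `--network none` for a container that holds the socket.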
@@ -191,31 +186,26 @@ services: - /var/run/docker.sock:/var/run/docker.sock:ro depends_on: - mybunkerized - networks: - - bunkerized-net volumes: autoconf: networks: - bunkerized-net: - name: bunkerized-net services-net: name: services-net ``` Important things to note : -- autoconf needs to send reload orders to bunkerized-nginx, they need to be on the same network -- autoconf is generating config files and other artefacts for the bunkerized-nginx, they need to share the volumes -- autoconf must have access to the Docker socket in order to get events and access to labels +- autoconf is generating config files and other artefacts for the bunkerized-nginx, they need to share the same volumes +- autoconf must have access to the Docker socket in order to get events, access to labels and send SIGHUP signal (reload order) to bunkerized-nginx - bunkerized-nginx must have the bunkerized-nginx.AUTOCONF label -- bunkerized-nginx must be started in [multisite mode](#) with the `MULTISITE=yes` environment variable +- bunkerized-nginx must be started in [multisite mode](https://bunkerized-nginx.readthedocs.io/en/latest/quickstart_guide.html#multisite) with the `MULTISITE=yes` environment variable - When setting the `SERVER_NAME` environment variable to an empty value, bunkerized-nginx won't generate any web service configuration at startup - The `AUTO_LETS_ENCRYPT=yes` will be applied to all subsequent web service configuration, unless overriden by the web service labels Check the logs of both autoconf and bunkerized-nginx to see if everything is working as expected. -You can now create a new web service and add environment variables as labels with the **"bunkerized-nginx." 
prefix** so the autoconf service will "automagically" do the configuration for you : +You can now create a new web service and add environment variables as labels with the `bunkerized-nginx.` prefix to let the autoconf service "automagically" do the configuration for you : ```shell $ docker run \ --name myservice \ @@ -255,7 +245,7 @@ Please note that if you want to override the `AUTO_LETS_ENCRYPT=yes` previously Look at the logs of both autoconf and bunkerized-nginx to check if the configuration has been generated and loaded by bunkerized-nginx. You should now be able to visit http(s)://www.example.com. -When your container is not needed anymore, you can delete it as usual. The autoconf should get the event and remove generate the configuration again. +When your container is not needed anymore, you can delete it as usual. The autoconf should get the event and generate the configuration again. ## Docker Swarm 
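Review bot: the rewritten bullet in the `@@ -191,31 +186,26` hunk now states that autoconf uses the Docker socket to send SIGHUP to bunkerized-nginx; the docs should also say plainly that access to `/var/run/docker.sock` is equivalent to root on the host, and that the `:ro` on the bind mount does not limit what can be done through the socket (connecting and issuing API calls still works; `:ro` only protects the socket file itself). Readers copying `-v /var/run/docker.sock:/var/run/docker.sock:ro` tend to read the `:ro` as a hardening measure. Also, "unless overriden by the web service labels" in the unchanged bullet should be "overridden".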
@@ -267,11 +257,9 @@ Using bunkerized-nginx in a Docker Swarm cluster requires a shared folder access ### Usage -**We will assume that a shared directory is mounted at the /shared location on both your managers and workers. Don't forget that bunkerized-nginx and autoconf are running as unprivileged users with UID and GID 101. You must set the rights and permissions of the subfolder in /shared accordingly.** +**We will assume that a shared directory is mounted at the /shared location on both your managers and workers. Keep in mind that bunkerized-nginx and autoconf are running as unprivileged users with UID and GID 101. You must set the rights and permissions of the subfolders in /shared accordingly.** -**We also recommend you to first read the [Docker](#TODO) section before.** - -In this setup we will deploy bunkerized-nginx in global mode on all workers and autoconf as a single replica. +In this setup we will deploy bunkerized-nginx in global mode on all workers and autoconf as a single replica on a manager. First of all, you will need to setup the shared folders : ```shell @@ -309,7 +297,7 @@ $ docker service create \ -e AUTO_LETS_ENCRYPT=yes \ bunkerity/bunkerized-nginx $ docker service update \ - --network-add services-net + --network-add services-net \ mybunkerized ``` @@ -366,6 +354,7 @@ services: placement: constraints: - "node.role==worker" + # mandatory label labels: - "bunkerized-nginx.AUTOCONF" @@ -401,7 +390,7 @@ networks: Check the logs of both autoconf and bunkerized-nginx services to see if everything is working as expected. -You can now create a new service and add environment variables as labels with the **"bunkerized-nginx." prefix** so the autoconf service will "automagically" do the configuration for you : +You can now create a new service and add environment variables as labels with the `bunkerized-nginx.` prefix to let the autoconf service "automagically" do the configuration for you : ```shell $ docker service create \ --name myservice \ 
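Review bot: the `@@ -267,11 +257,9` hunk now says autoconf runs "as a single replica on a manager" but does not say why or how: the Swarm service API that autoconf needs for service events is only served by manager nodes, so the socket it mounts has to be a manager's, and that socket gives it control over the whole cluster. Add one sentence on this and show the `node.role==manager` placement constraint next to the `node.role==worker` one the compose example already uses for bunkerized-nginx. The `--network-add services-net \` backslash fix in `@@ -309,7` is correct.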
@@ -440,11 +429,11 @@ networks: name: services-net ``` -Please note that if you want to override the AUTO_LETS_ENCRYPT=yes previously defined in the bunkerized-nginx service, you simply need to add the bunkerized-nginx.AUTO_LETS_ENCRYPT=no label. +Please note that if you want to override the `AUTO_LETS_ENCRYPT=yes` previously defined in the bunkerized-nginx service, you simply need to add the `bunkerized-nginx.AUTO_LETS_ENCRYPT=no` label. Look at the logs of both autoconf and bunkerized-nginx to check if the configuration has been generated and loaded by bunkerized-nginx. You should now be able to visit http(s)://www.example.com. -When your service is not needed anymore, you can delete it as usual. The autoconf should get the event and remove generate the configuration again. +When your service is not needed anymore, you can delete it as usual. The autoconf should get the event and generate the configuration again. ## Kubernetes @@ -458,9 +447,7 @@ Using bunkerized-nginx in a Kubernetes cluster requires a shared folder accessib ### Usage -**We will assume that a shared directory is mounted at the /shared location on your nodes. Don't forget that bunkerized-nginx and autoconf are running as unprivileged users with UID and GID 101. You must set the rights and permissions of the subfolder in /shared accordingly.** - -**We also recommend you to first read the [Docker](#TODO) section before.** +**We will assume that a shared directory is mounted at the /shared location on your nodes. Keep in mind that bunkerized-nginx and autoconf are running as unprivileged users with UID and GID 101. You must set the rights and permissions of the subfolders in /shared accordingly.** First of all, you will need to setup the shared folders : ```shell 
@@ -470,7 +457,7 @@ $ chown root:nginx www confs letsencrypt acme-challenge $ chmod 770 www confs letsencrypt acme-challenge ``` -The first step to do is to declare the RBAC authorization that will be used by the Ingress Controller to access the Kubernetes API. A ready-to-use declaration is available that you should audit before applying it : +The first step to do is to declare the RBAC authorization that will be used by the Ingress Controller to access the Kubernetes API. A ready-to-use declaration is available here : ```yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole @@ -714,7 +701,7 @@ spec: Check the logs to see if the configuration has been generated and bunkerized-nginx reloaded. You should be able to visit http(s)://www.example.com. -Note that an alternative would be to add annotations directly to your services (a common use-case is for [PHP applications](#TODO) because the Ingress resource is only for reverse proxy) without editing the ingress resource : +Note that an alternative would be to add annotations directly to your services (a common use-case is for [PHP applications](https://bunkerized-nginx.readthedocs.io/en/latest/quickstart_guide.html#php-applications) because the Ingress resource is only for reverse proxy) without editing the Ingress resource : ```yaml apiVersion: v1 kind: Service 
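Review bot: the `@@ -470,7 +457,7` hunk drops "that you should audit before applying it" from the RBAC paragraph and replaces it with "is available here", which loses the one piece of security advice the paragraph carried. Keep the audit recommendation: a ClusterRole pasted from documentation should be reviewed for the verbs and resources it grants before `kubectl apply`. Suggested wording: "A ready-to-use declaration is available below; review the permissions it grants before applying it :".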
@@ -750,7 +737,7 @@ List of supported Linux distributions : - CentOS 7 - Fedora 34 -Unlike containers, Linux integration can be tedious because bunkerized-nginx has a bunch of dependencies that need to be installed before we can use it. Fortunately, we provide a helper script to make the process easier and automatic. Once installed, the configuration is really simple, all you have to do is to edit the /opt/bunkerized-nginx/variables.env configuration file and run the bunkerized-nginx command to apply it. +Unlike containers, Linux integration can be tedious because bunkerized-nginx has a bunch of dependencies that need to be installed before we can use it. Fortunately, we provide a helper script to make the process easier and automatic. Once installed, the configuration is really simple, all you have to do is to edit the `/opt/bunkerized-nginx/variables.env` configuration file and run the `bunkerized-nginx` command to apply it. ### Usage @@ -775,14 +762,14 @@ $ /tmp/bunkerized-nginx.sh To demonstrate the configuration on Linux, we will create a simple “Hello World” static file that will be served by bunkerized-nginx. -Static files are stored inside the /opt/bunkerized-nginx/www folder and the unprivileged nginx user must have read access on it : +Static files are stored inside the `/opt/bunkerized-nginx/www` folder and the unprivileged nginx user must have read access on it : ```shell $ echo "Hello bunkerized World !" > /opt/bunkerized-nginx/www/index.html $ chown root:nginx /opt/bunkerized-nginx/www/index.html $ chmod 740 /opt/bunkerized-nginx/www/index.html ``` -Here is the example configuration file that needs to be written at /opt/bunkerized-nginx/variables.env : +Here is the example configuration file that needs to be written at `/opt/bunkerized-nginx/variables.env` : ```conf HTTP_PORT=80 HTTPS_PORT=443 diff --git a/docs/introduction.md b/docs/introduction.md index e0942c5f..daa0280b 100644 --- a/docs/introduction.md +++ b/docs/introduction.md 
@@ -27,4 +27,4 @@ Fooling automated tools/scanners : -You can find a live demo at https://demo-nginx.bunkerity.com, feel free to do some security tests. +You can find a live demo at [https://demo-nginx.bunkerity.com](https://demo-nginx.bunkerity.com), feel free to do some security tests. diff --git a/docs/quickstart_guide.md b/docs/quickstart_guide.md index d0f08708..998de74e 100644 --- a/docs/quickstart_guide.md +++ b/docs/quickstart_guide.md @@ -15,7 +15,7 @@ REVERSE_PROXY_URL=/ REVERSE_PROXY_HOST=http://my-service.example.local:8080 ``` -If you have multiple web services you configure multiple reverse proxy rules by appending a number to the environment variables names : +If you have multiple web services you can configure multiple reverse proxy rules by appending a number to the environment variables names : ```conf SERVER_NAME=www.example.com USE_REVERSE_PROXY=yes @@ -27,7 +27,7 @@ REVERSE_PROXY_HOST_2=http://app2.example.local:8080 ### Docker -When using Docker, the recommended way is to create a network so bunkerized-nginx can communicate with the web service using its container name : +When using Docker, the recommended way is to create a network so bunkerized-nginx can communicate with the web service using the container name : ```shell $ docker network create services-net $ docker run -d \ @@ -289,7 +289,7 @@ LOCAL_PHP_PATH=/opt/bunkerized-nginx/www ### Docker -When using Docker, the recommended way is to create a network so bunkerized-nginx can communicate with the PHP-FPM instance using its container name : +When using Docker, the recommended way is to create a network so bunkerized-nginx can communicate with the PHP-FPM instance using the container name : ```shell $ docker network create services-net $ docker run -d \ 
@@ -429,7 +429,7 @@ networks: ### Kubernetes -You need to use environment variables as annotations prefixed with "bunkerized-nginx." inside the Service resource of your PHP-FPM instance : +You need to use environment variables as annotations prefixed with `bunkerized-nginx.` inside the Service resource of your PHP-FPM instance : ```yaml apiVersion: apps/v1 @@ -500,7 +500,7 @@ LOCAL_PHP_PATH=/opt/bunkerized-nginx/www ## Multisite -If you have multiple services to protect, the easiest way to do it is by enabling the "multisite" mode. When using multisite, bunkerized-nginx will create one server block per server defined in the SERVER_NAME environment variable. You can configure each servers independently by adding the server name as a prefix. +If you have multiple services to protect, the easiest way to do it is by enabling the "multisite" mode. When using multisite, bunkerized-nginx will create one server block per server defined in the `SERVER_NAME` environment variable. You can configure each servers independently by adding the server name as a prefix. Here is an example : ```conf @@ -513,7 +513,7 @@ app2.example.com_REMOTE_PHP=app2.example.local app2.example.com_REMOTE_PHP_PATH=/var/www/html ``` -TODO : some words about special folders +When using the multisite mode, some [special folders](https://bunkerized-nginx.readthedocs.io/en/latest/special_folders.html) must have a specific structure with subfolders named the same as the servers defined in the `SERVER_NAME` environment variable. Let's take the **app2.example.com** as an example : if some static files need to be served by nginx, you need to place them under **www/app2.example.com**. ### Docker 
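Review bot: the `@@ -500,7` hunk in docs/quickstart_guide.md rewrites the multisite sentence but keeps "You can configure each servers independently"; make it "each server". In the new sentence added by `@@ -513,7`, "Let's take the **app2.example.com** as an example" should drop "the", and it would help to name the folders that are multisite-aware (the special_folders.md hunks below list `/www`, `/server-confs`, `/modsec-confs` and `/modsec-crs-confs` as `Multisite : yes`) rather than only "some special folders".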
@@ -593,7 +593,7 @@ networks: ### Docker autoconf -**The multisite feature is implicitly activated when using the Docker autoconf integration.** +**The multisite feature must be activated when using the Docker autoconf integration.** When the Docker autoconf stack is running, you simply need to start the containers hosting your web services and add the environment variables as labels : ```shell @@ -654,7 +654,7 @@ networks: ### Docker Swarm -**The multisite feature is implicitly activated when using the Docker Swarm integration.** +**The multisite feature must be activated when using the Docker Swarm integration.** When the Docker Swarm stack is running, you simply need to start the Swarm service hosting your web services and add the environment variables as labels : ```shell @@ -721,7 +721,7 @@ networks: ### Kubernetes -**The multisite feature is implicitly activated when using the Kubernetes integration.** +**The multisite feature must be activated when using the Kubernetes integration.** ```yaml apiVersion: apps/v1 diff --git a/docs/security_tuning.md b/docs/security_tuning.md index 785094bc..b7a711de 100644 --- a/docs/security_tuning.md +++ b/docs/security_tuning.md @@ -6,7 +6,7 @@ bunkerized-nginx comes with a set of predefined security settings that you can ( Here is a list of miscellaneous environment variables related more or less to security : - `MAX_CLIENT_SIZE=10m` : maximum size of client body -- `ALLOWED_METHODS=GET|POST|HEAD` : list of HTTP methos that clients are allowed to use +- `ALLOWED_METHODS=GET|POST|HEAD` : list of HTTP methods that clients are allowed to use - `DISABLE_DEFAULT_SERVER=no` : enable/disable the default server (i.e. : should your server respond to unknown Host header ?) - `SERVER_TOKENS=off` : enable/disable sending the version number of nginx 
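Review bot: the three hunks `@@ -593,7`, `@@ -654,7` and `@@ -721,7` change "is implicitly activated" to "must be activated" but none of them says how; append "with the `MULTISITE=yes` environment variable", as the integrations.md bullet in this same patch does, so the Docker autoconf, Swarm and Kubernetes quickstart sections are self-contained. The `methos` to `methods` fix in `@@ -6,7` of docs/security_tuning.md is fine.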
@@ -26,11 +26,11 @@ Here is a list of environment variables and the corresponding default value rela Using Let's Encrypt with the `AUTO_LETS_ENCRYPT=yes` environment variable is the easiest way to add HTTPS supports to your web services if they are connected to internet and you have public DNS A record(s). -You can also set the `EMAIL_LETS_ENCRYPT` environment variable if you want to receive notifications from Let's Encrypt (e.g. : expiration). +You can also set the `EMAIL_LETS_ENCRYPT` environment variable if you want to receive notifications from Let's Encrypt like expiration alerts. ### Custom certificate(s) -If you have security constraints (e.g : local network, custom PKI, ...) you can use custom certificates of your choice and tell bunkerized-nginx to use them with the following environment variables : +If you have security constraints (e.g., local network, custom PKI, ...) you can use custom certificates of your choice and tell bunkerized-nginx to use them with the following environment variables : - `USE_CUSTOM_HTTPS=yes` - `CUSTOM_HTTPS_CERT=/path/inside/container/to/cert.pem` - `CUSTOM_HTTPS_KEY=/path/inside/container/to/key.pem` 
@@ -53,12 +53,23 @@ $ docker run -p 80:8080 \ Please note that if you have one or more intermediate certificate(s) in your chain of trust, you will need to provide the bundle to `CUSTOM_HTTPS_CERT` (more info [here](https://nginx.org/en/docs/http/configuring_https_servers.html#chains)). -You can reload the certificate(s) (e.g. : in case of a renewal) by sending the SIGHUP/HUP signal to the container bunkerized-nginx will catch the signal and send a reload order to nginx : +You can reload the certificate(s) (i.e., in case of a renewal) by sending a reload order to bunkerized-nginx. +Docker reload : ```shell docker kill --signal=SIGHUP my-container ``` +Swarm and Kubernetes reload (repeat for each node) : +```shell +$ curl http://node-local-ip:80/reload +``` + +Linux reload : +```shell +$ /usr/sbin/nginx -s reload +``` + ### Self-signed certificate This method is not recommended in production but can be used to quickly deploy HTTPS for testing purposes. Just use the `GENERATE_SELF_SIGNED_SSL=yes` environment variable and bunkerized-nginx will generate a self-signed certificate for you : 
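Review bot: the `@@ -53,12 +53,23` hunk adds `$ curl http://node-local-ip:80/reload` as the Swarm and Kubernetes reload method without saying who may call `/reload`; if that endpoint is answered on the same port 80 that is published to clients and needs no authentication, anyone can trigger reload storms, so state how it is restricted (internal addresses only, a separate listener, or whatever the implementation does) or what must sit in front of it. Two smaller points in the same hunk: "(i.e., in case of a renewal)" should be "(e.g., in case of a renewal)", since renewal is an example, and the Docker snippet `docker kill --signal=SIGHUP my-container` lacks the `$ ` prompt used by the other two snippets.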
@@ -74,17 +85,17 @@ $ docker run -p 80:8080 \ Some important HTTP headers related to client security are sent with a default value. Sometimes it can break a web application or can be tuned to provide even more security. The complete list is available [here](https://bunkerized-nginx.readthedocs.io/en/latest/environment_variables.html#security-headers). -You can also remove headers (e.g. : too verbose ones) by using the `REMOVE_HEADERS` environment variable which takes a list of header name separated with space (default value = `Server X-Powered-By X-AspNet-Version X-AspNetMvc-Version`). +You can also remove headers (e.g., too verbose ones) by using the `REMOVE_HEADERS` environment variable which takes a list of header name separated with space (default value = `Server X-Powered-By X-AspNet-Version X-AspNetMvc-Version`). ## ModSecurity ModSecurity is integrated and enabled by default alongside the OWASP Core Rule Set within bunkerized-nginx. To change this behaviour you can use the `USE_MODSECURITY=no` or `USE_MODSECURITY_CRS=no` environment variables. -We strongly recommend to keep both ModSecurity and the OWASP Core Rule Set enabled. The only downsides are the false positives that may occur. But they can be fixed easily and the CRS team maintains a list of exclusions for common application (e.g : wordpress, nextcloud, drupal, cpanel, ...). +We strongly recommend to keep both ModSecurity and the OWASP Core Rule Set enabled. The only downsides are the false positives that may occur. But they can be fixed easily and the CRS team maintains a list of exclusions for common application (e.g., wordpress, nextcloud, drupal, cpanel, ...). -Tuning the CRS with bunkerized-nginx is pretty simple : you can add configuration before (i.e. : exclusions) and after (i.e. : exceptions/tuning) the rules are loaded. You just need to mount your .conf files into the /modsec-crs-confs (before CRS is loaded) and /modsec-confs (after CRS is loaded). 
+Tuning the CRS with bunkerized-nginx is pretty simple : you can add configuration before and after the rules are loaded. You just need to mount your .conf files into the `/modsec-crs-confs` (before CRS is loaded) and `/modsec-confs` (after CRS is loaded) volumes. If you are using Linux integration the [special folders](https://bunkerized-nginx.readthedocs.io/en/dev/special_folders.html) are `/opt/bunkerized-nginx/modsec-confs` and `/opt/bunkerized-nginx/modsec-crs-confs`. -Here is an example to illustrate it : +Here is a Docker example to illustrate it : ```shell $ cat /data/exclusions-crs/wordpress.conf @@ -122,7 +133,7 @@ That kind of security measure is implemented and enabled by default in bunkerize ## Antibot challenge -Attackers will certainly use automated tools to exploit/find some vulnerabilities on your web service. One countermeasure is to challenge the users to detect if it looks like a bot. It might be effective against script kiddies or "lazy" attackers. +Attackers will certainly use automated tools to exploit/find some vulnerabilities on your web services. One countermeasure is to challenge the users to detect if they look like a bot. It might be effective against script kiddies or "lazy" attackers. You can use the `USE_ANTIBOT` environment variable to add that kind of checks whenever a new client is connecting. The available challenges are : `cookie`, `javascript`, `captcha` and `recaptcha`. More info [here](https://bunkerized-nginx.readthedocs.io/en/latest/environment_variables.html#antibot). 
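Review bot: the link added in the `@@ -74,17 +85,17` hunk points at `https://bunkerized-nginx.readthedocs.io/en/dev/special_folders.html` while every other link in this patch uses `/en/latest/`; use `/en/latest/` here too, otherwise the page tracks an unreleased branch. The same hunk deletes the parentheticals "(i.e. : exclusions)" and "(i.e. : exceptions/tuning)", which were the only hint about what belongs in `/modsec-crs-confs` (loaded before CRS, e.g. the CRS application exclusion switches) versus `/modsec-confs` (loaded after CRS, e.g. rule removals and tuning); keep one sentence on that distinction, because ModSecurity silently ignores a rule exclusion placed before the rule it targets is loaded.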
@@ -132,15 +143,6 @@ You can use the `USE_ANTIBOT` environment variable to add that kind of checks wh Automatic checks on external DNS BlackLists are enabled by default with the `USE_DNSBL=yes` environment variable. The list of DNSBL zones is also configurable, you just need to edit the `DNSBL_LIST` environment variable which contains the following value by default `bl.blocklist.de problems.dnsbl.sorbs.net sbl.spamhaus.org xbl.spamhaus.org`. -### CrowdSec - -CrowdSec is not enabled by default because it's more than an external blacklists and needs some extra work to get it working. But bunkerized-nginx is fully working with CrowdSec, here are the related environment variables : -- `USE_CROWDSEC=no` : enable/disable CrowdSec checks before we authorize a client -- `CROWDSEC_HOST=` : full URL to your CrowdSec instance API -- `CROWDSEC_KEY=` : bouncer key given from **cscli bouncer add MyBouncer** - -You will also need to share the logs generated by bunkerized-nginx with your CrowdSec instance. One approach is to send the logs to a syslog server which is writing the logs to the file system and then CrowdSec can easily read the logs. If you want to give it a try, you have a concrete example on how to use CrowdSec with bunkerized-nginx [here](https://github.com/bunkerity/bunkerized-nginx/tree/master/examples/crowdsec). - ### User-Agents Sometimes script kiddies or lazy attackers don't put a "legitimate" value inside the **User-Agent** HTTP header so we can block them. This is controlled with the `BLOCK_USER_AGENT=yes` environment variable. The blacklist is composed of two files from [here](https://raw.githubusercontent.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker/master/_generator_lists/bad-user-agents.list) and [here](https://raw.githubusercontent.com/JayBizzle/Crawler-Detect/master/raw/Crawlers.txt). 
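Review bot: the `@@ -132,15 +143,6` hunk removes the whole CrowdSec subsection, including the `USE_CROWDSEC`, `CROWDSEC_HOST` and `CROWDSEC_KEY` variables, the note that bunkerized-nginx logs must be shared with the CrowdSec instance, and the link to `examples/crowdsec`; the only replacement in this patch is the "e.g., ClamAV, CrowdSec, ..." mention in the Plugins paragraph. Make sure plugins.html actually carries the variables and the log-sharing guidance before this lands, otherwise that information is lost.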
@@ -169,7 +171,7 @@ This list contains bad referrers domains known for spamming (downloaded from [he ### Requests -To limit bruteforce attacks we decided to use the [rate limiting feature in nginx](https://www.nginx.com/blog/rate-limiting-nginx/) so attackers will be limited to X request(s)/s for the same resource. That kind of protection might be useful against other attacks too (e.g. : blind SQL injection). +To limit bruteforce attacks we decided to use the [rate limiting feature in nginx](https://www.nginx.com/blog/rate-limiting-nginx/) so attackers will be limited to X request(s)/s for the same resource. That kind of protection might be useful against other attacks too (e.g., blind SQL injection). Here is the list of related environment variables and their default value : - `USE_LIMIT_REQ=yes` : enable/disable request limiting 
@@ -217,47 +219,16 @@ Here is the list of related environment variables and their default value : - `USE_BLACKLIST_REVERSE=yes` : enable/disable blacklisting by reverse DNS - `BLACKLIST_REVERSE_LIST=.shodan.io` : the list of reverse DNS suffixes to never trust -## Web UI - -Mounting the docker socket in a container which is facing the network, like we do with the [web UI](https://bunkerized-nginx.readthedocs.io/en/latest/quickstart_guide.html#web-ui), is not a good security practice. In case of a vulnerability inside the application, attackers can freely use the Docker socket and the whole host can be compromised. - -A possible workaround is to use the [tecnativa/docker-socket-proxy](https://github.com/Tecnativa/docker-socket-proxy) image which acts as a reverse proxy between the application and the Docker socket. It can allow/deny the requests made to the Docker API. - -Before starting the web UI, you need to fire up the docker-socket-proxy (we also need a network because of inter-container communication) : - -```shell -docker network create mynet -``` - -```shell -docker run --name mysocketproxy \ - --network mynet \ - -v /var/run/docker.sock:/var/run/docker.sock:ro \ - -e POST=1 \ - -e CONTAINERS=1 \ - tecnativa/docker-socket-proxy -``` - -You can now start the web UI container and use the `DOCKER_HOST` environment variable to define the Docker API endpoint : - -```shell -docker run --network mynet \ - -v autoconf:/etc/nginx \ - -e ABSOLUTE_URI=https://my.webapp.com/admin/ \ - -e DOCKER_HOST=tcp://mysocketproxy:2375 \ - bunkerity/bunkerized-nginx-ui -``` - ## Plugins -Some security features can be added through the plugins system (e.g. : ClamAV). You will find more info in the [plugins section](https://bunkerized-nginx.readthedocs.io/en/latest/plugins.html). +Some security features can be added through the plugins system (e.g., ClamAV, CrowdSec, ...). 
You will find more info in the [plugins section](https://bunkerized-nginx.readthedocs.io/en/latest/plugins.html). ## Container hardening You will find a ready to use docker-compose.yml file focused on container hardening [here](https://github.com/bunkerity/bunkerized-nginx/tree/master/examples/hardened). ### Drop capabilities -By default, *bunkerized-nginx* runs as non-root user inside the container and should not use any of the default [capabilities](https://docs.docker.com/engine/security/#linux-kernel-capabilities) allowed by Docker. You can safely remove all capabilities to harden the container : +By default, bunkerized-nginx runs as non-root user inside the container and should not use any of the default [capabilities](https://docs.docker.com/engine/security/#linux-kernel-capabilities) allowed by Docker. You can safely remove all capabilities to harden the container : ```shell docker run ... --drop-cap=all ... bunkerity/bunkerized-nginx diff --git a/docs/special_folders.md b/docs/special_folders.md index 10c2fcda..2dfb6aa7 100644 --- a/docs/special_folders.md +++ b/docs/special_folders.md 
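Review bot: the shell snippet immediately below the line rewritten in the `@@ -217,47 +219,16` hunk uses `--drop-cap=all`, which is not a Docker CLI flag; the option is `--cap-drop=all`, so fix it while the "Drop capabilities" paragraph is being edited. The same hunk deletes the Web UI subsection, which was the only place in security_tuning.md explaining that mounting the Docker socket into a network-facing container exposes the host and showing the `tecnativa/docker-socket-proxy` mitigation; if that text moved to docs/web_ui.md, add a link to it from "Container hardening", because the same concern applies to the autoconf container that this patch documents with `-v /var/run/docker.sock:/var/run/docker.sock:ro`.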
@@ -1,10 +1,10 @@ # Special folders -Please note that bunkerized-nginx run as an unprivileged user (UID/GID 101 when using the Docker image) and you should set the rights on the host accordingly to the files and folders on your host. +Please note that bunkerized-nginx runs as an unprivileged user (UID/GID 101 when using the Docker image) and you should set the rights on the host accordingly to the files and folders on your host. ## Multisite -When the special folder "support" the multisite mode, you can create subfolders named as the server names used in the configuration. When doing it only the subfolder files will be "used" by the corresponding web service. +When the special folder "supports" the multisite mode, you can create subfolders named as the server names used in the configuration. When doing it only the subfolder files will be "used" by the corresponding web service. ## Web files @@ -16,8 +16,8 @@ Multisite : `yes` Read-only : `yes` Examples : -- [TODO basic single](#TODO) -- [TODO advanced multi](#TODO) +- [Basic website with PHP](https://github.com/bunkerity/bunkerized-nginx/tree/master/examples/basic-website-with-php) +- [Multisite basic](https://github.com/bunkerity/bunkerized-nginx/blob/master/examples/multisite-basic) ## http configurations @@ -29,7 +29,7 @@ Multisite : `no` Read-only : `yes` Examples : -- [TODO](#TODO) +- [Load balancer](https://github.com/bunkerity/bunkerized-nginx/tree/master/examples/load-balancer) ## server configurations @@ -41,8 +41,8 @@ Multisite : `yes` Read-only : `yes` Examples : -- [TODO basic single](#TODO) -- [TODO advanced multi](#TODO) +- [Wordpress](https://github.com/bunkerity/bunkerized-nginx/blob/master/examples/wordpress) +- [Multisite custom confs](https://github.com/bunkerity/bunkerized-nginx/tree/master/examples/multisite-custom-confs) ## ModSecurity configurations 
@@ -54,8 +54,8 @@ Multisite : `yes` Read-only : `yes` Examples : -- [TODO basic single](#TODO) -- [TODO advanced multi](#TODO) +- [Wordpress](https://github.com/bunkerity/bunkerized-nginx/blob/master/examples/wordpress) +- [Multisite custom confs](https://github.com/bunkerity/bunkerized-nginx/tree/master/examples/multisite-custom-confs) ## CRS configurations @@ -67,8 +67,8 @@ Multisite : `yes` Read-only : `yes` Examples : -- [TODO basic single](#TODO) -- [TODO advanced multi](#TODO) +- [Wordpress](https://github.com/bunkerity/bunkerized-nginx/blob/master/examples/wordpress) +- [Multisite custom confs](https://github.com/bunkerity/bunkerized-nginx/tree/master/examples/multisite-custom-confs) ## Cache @@ -81,7 +81,7 @@ Read-only : `no` ## Plugins -This special folder is the placeholder for the plugins loaded by bunkerized-nginx. See the [plugin section](#TODO) for more information. +This special folder is the placeholder for the plugins loaded by bunkerized-nginx. See the [plugins section](https://bunkerized-nginx.readthedocs.io/en/latest/plugins.html) for more information. Location (container) : `/plugins` Location (Linux) : `/opt/bunkerized-nginx/plugins` diff --git a/docs/volumes.md b/docs/volumes.md deleted file mode 100644 index 7f57bb99..00000000 --- a/docs/volumes.md +++ /dev/null 
@@ -1,93 +0,0 @@ -# Volumes list - -Please note that bunkerized-nginx run as an unprivileged user inside the container (UID/GID = 101) and you should set the rights on the host accordingly (e.g. : chmod 101:101 ...) to the files and folders on your host. - -## Web files - -Mountpoint : `/www` - -Description : -If `MULTISITE=no`, the web files are directly stored inside the `/www` folder. When `MULTISITE=yes`, you need to create subdirectories named as the servers defined in the `SERVER_NAME` environment variable. - -Examples : [basic](https://github.com/bunkerity/bunkerized-nginx/tree/master/examples/basic-website-with-php) and [multisite](https://github.com/bunkerity/bunkerized-nginx/tree/master/examples/multisite-basic) - -Read-only : yes - -## Let's Encrypt - -Mountpoint : `/etc/letsencrypt` - -Description : -When `AUTO_LETS_ENCRYPT=yes`, certbot will save configurations, certificates and keys inside the `/etc/letsencrypt` folder. It's a common practise to save it so you can remount it in case of a container restart and certbot won't generate new certificate(s). - -Examples : [here](https://github.com/bunkerity/bunkerized-nginx/tree/master/examples/basic-website-with-php) - -Read-only : no - -## Custom nginx configurations - -### http context - -Mountpoint : `/http-confs` - -Description : -If you need to add custom configurations at http context, you can create **.conf** files and mount them to the `/http-confs` folder. - -Examples : [load balancer](https://github.com/bunkerity/bunkerized-nginx/tree/master/examples/load-balancer) - -Read-only : yes - -### server context - -Mountpoint : `/server-confs` - -Description : -If `MULTISITE=no`, you can create **.conf** files and mount them to the `/server-confs` folder. When `MULTISITE=yes`, you need to create subdirectories named as the servers defined in the `SERVER_NAME` environment variable. 
- -Examples : [nextcloud](https://github.com/bunkerity/bunkerized-nginx/tree/master/examples/nextcloud) and [multisite](https://github.com/bunkerity/bunkerized-nginx/tree/master/examples/multisite-custom-server-confs) - -Read-only : yes - -## ModSecurity - -### Rules and before CRS - -Mountpoint : `/modsec-confs` - -Description : -Use this volume if you need to add custom ModSecurity rules and/or OWASP Core Rule Set configurations before the rules are loaded (e.g. : exclusions). -If `MULTISITE=no` you can create **.conf** files and mount them to the `/modsec-confs` folder. When `MULTISITE=yes`, you need to create subdirectories named as the servers defined in the `SERVER_NAME` environment variable. You can also apply global configuration to all servers by putting **.conf** files directly on the root folder. - -Examples : [wordpress](https://github.com/bunkerity/bunkerized-nginx/tree/master/examples/wordpress) and [multisite](https://github.com/bunkerity/bunkerized-nginx/tree/master/examples/multisite-custom-server-confs) - -Read-only : yes - -### After CRS - -Mountpoint : `/modsec-crs-confs` - -Description : -Use this volume to tweak OWASP Core Rule Set (e.g. : tweak rules to avoid false positives). Your files are loaded after the rules. -If `MULTISITE=no` you can create **.conf** files and mount them to the `/modsec-crs-confs` folder. When `MULTISITE=yes`, you need to create subdirectories named as the servers defined in the `SERVER_NAME` environment variable. You can also apply global configuration to all servers by putting **.conf** files directly on the root folder. - -Examples : [wordpress](https://github.com/bunkerity/bunkerized-nginx/tree/master/examples/wordpress) and [multisite](https://github.com/bunkerity/bunkerized-nginx/tree/master/examples/multisite-custom-server-confs) - -Read-only : yes - -## Cache - -Mountpoint : `/cache` - -Description : -Depending of the settings you use, bunkerized-nginx may download external content (e.g. 
: blacklists, GeoIP DB, ...). To avoid downloading it again in case of a container restart, you can save the data on the host. - -Read-only : no - -## Plugins - -Mountpoint : `/plugins` - -Description : -This volume is used to extend bunkerized-nginx with [additional plugins](https://bunkerized-nginx.readthedocs.io/en/latest/plugins.html). Please note that you will need to have a subdirectory for each plugin you want to enable. - -Read-only : yes diff --git a/docs/web_ui.md b/docs/web_ui.md index b93caf95..fd08f5f6 100644 --- a/docs/web_ui.md +++ b/docs/web_ui.md 
@@ -12,12 +12,11 @@ The web UI has its own set of environment variables to configure it : - `API_URI` : path of the bunkerized-nginx API (must match the corresponding `API_URI` of the bunkerized-nginx instance) - `DOCKER_HOST` : Docker API endpoint address (default = `unix:///var/run/docker.sock`) -The deployment should be very easy because the web UI is web a service itself so we can use bunkerized-nginx as a reverse proxy in front of it. +Since the web UI is ia service itself, we can use bunkerized-nginx as a reverse proxy in front of it. -** -Using the web UI in a Docker environment (containers, autoconf or Swarm) exposes a security risk because you need to mount the Docker API socket into the web UI container. It's highly recommended to use a middleware like [tecnativa/docker-socket-proxy](https://github.com/Tecnativa/docker-socket-proxy) to reduce the risk as much as possible. -Extra security steps still needs to be done like : complex admin password, hard to guess public URI, network isolation from others services, HTTPS only, ... -** +**Using the web UI in a Docker environment exposes a security risk because you need to mount the Docker API socket into the web UI container. It's highly recommended to use a middleware like [tecnativa/docker-socket-proxy](https://github.com/Tecnativa/docker-socket-proxy) to reduce the risk as much as possible.** + +**You need to apply the security best practices because the web UI contains code and that code might be vulnerable : complex admin password, hard to guess public URI, network isolation from others services, HTTPS only, ...** ### Docker diff --git a/helpers/install.sh b/helpers/install.sh index 53b3fab6..a96471f0 100755 --- a/helpers/install.sh +++ b/helpers/install.sh 
@@ -604,12 +604,7 @@ do_and_check_cmd wget -O "/tmp/bunkerized-nginx/nginx-${NGINX_VERSION}.tar.gz" " do_and_check_cmd wget -O "/tmp/bunkerized-nginx/nginx-${NGINX_VERSION}.tar.gz.asc" "https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz.asc" get_sign_source_keys > /tmp/bunkerized-nginx/nginx.key do_and_check_cmd gpg --import /tmp/bunkerized-nginx/nginx.key -check=$(gpg --verify /tmp/bunkerized-nginx/nginx-${NGINX_VERSION}.tar.gz.asc /tmp/bunkerized-nginx/nginx-${NGINX_VERSION}.tar.gz 2>&1 | grep "^gpg: Good signature from ") -if [ "$check" = "" ] ; then - echo "[!] Wrong signature from nginx source !!!" - cleanup - exit 1 -fi +do_and_check_cmd gpg --verify /tmp/bunkerized-nginx/nginx-${NGINX_VERSION}.tar.gz.asc /tmp/bunkerized-nginx/nginx-${NGINX_VERSION}.tar.gz CHANGE_DIR="/tmp/bunkerized-nginx" do_and_check_cmd tar -xvzf nginx-${NGINX_VERSION}.tar.gz # Compile dynamic modules
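Review bot: the docker run flag in the context line of the security_tuning.md hunk is misspelled: Docker's option is `--cap-drop`, not `--drop-cap`, so `docker run ... --drop-cap=all ... bunkerity/bunkerized-nginx` fails with an unknown-flag error and a reader copying it gets none of the hardening the paragraph describes. Since the sentence above that fence is already being edited, fix the example to `docker run ... --cap-drop=all ... bunkerity/bunkerized-nginx` in the same change.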
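Review bot: the reworded multisite sentence in the first special_folders.md hunk is still hard to parse: the quotes around "supports" read as scare quotes, and "When doing it only the subfolder files will be "used"" is ambiguous. Suggest: `When a special folder supports the multisite mode, you can create subfolders named after the server names used in the configuration; in that case only the files in the matching subfolder are used by the corresponding web service.` In the same hunk, "set the rights on the host accordingly to the files and folders on your host" repeats "host"; "set the permissions of the files and folders on your host accordingly (UID/GID 101 with the Docker image)" reads cleaner.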
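Review bot: typo in the replacement line of the web_ui.md hunk: "Since the web UI is ia service itself" should read "is a service itself", and the second bold paragraph still says "network isolation from others services" (should be "other services"). Splitting the two warnings into separate bold paragraphs is an improvement; consider also stating why the socket mount is the risk, namely that access to the Docker API socket is equivalent to root on the Docker host, so readers understand what the docker-socket-proxy recommendation is protecting.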
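Review bot: deleting docs/volumes.md removes the only visible documentation of the `/etc/letsencrypt` mount (`AUTO_LETS_ENCRYPT=yes`, persisting certbot state across container restarts) and of the `/www` and `/server-confs` multisite layout keyed on `SERVER_NAME`; the special_folders.md hunks in this patch add no Let's Encrypt section, so please confirm those points are covered in the unchanged parts of special_folders.md or elsewhere before the file goes.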
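Review bot: the new `do_and_check_cmd gpg --verify ...` line only checks gpg's exit status, and gpg exits 0 for a good signature from any key in the keyring, including keys that were already present before `gpg --import /tmp/bunkerized-nginx/nginx.key` ran and keys with no trust path (gpg prints only a WARNING for those). The dropped `grep "^gpg: Good signature from "` check had the same weakness, so this is not a regression, but the verification still does not pin which key signed the tarball. Suggest running the import and verify in a throwaway `GNUPGHOME` and checking the signer's fingerprint from the machine-readable status output, e.g. `gpg --status-fd 1 --verify "$asc" "$tgz" | grep -q "^\[GNUPG:\] VALIDSIG <expected nginx signing key fingerprint>"`, with the expected fingerprint committed next to get_sign_source_keys. Also, the removed branch called `cleanup` before `exit 1` on a bad signature; confirm that do_and_check_cmd also runs cleanup (or at least removes /tmp/bunkerized-nginx) so a failed verification does not leave the unverified tarball behind.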