From ebd13ab824fdb45a8325099ccfd8089b448e95a9 Mon Sep 17 00:00:00 2001 
From: Bryan Scarbrough Date: Mon, 12 Feb 2024 22:45:26 +0000 Subject: [PATCH 1/7] Simplified TF, added CPX, updated download URL --- .pre-commit-config.yaml | 52 ++++ aws/multi_region/README.md | 101 ++++--- aws/multi_region/agents/README.md | 104 +++++++ aws/multi_region/agents/agent.tf | 18 +- aws/multi_region/agents/availability_zones.tf | 3 - aws/multi_region/agents/cert.tf | 32 +++ aws/multi_region/agents/cpx.tf | 27 ++ aws/multi_region/agents/dependencies.tf | 24 ++ aws/multi_region/agents/elb.tf | 57 ++++ aws/multi_region/agents/provider.tf | 6 +- aws/multi_region/agents/proxy.tf | 27 ++ aws/multi_region/agents/routes.tf | 51 +++- aws/multi_region/agents/security_group.tf | 147 ++++++++-- aws/multi_region/agents/subnet.tf | 64 ++++- aws/multi_region/agents/variables.tf | 167 ++++++++++- aws/multi_region/agents/vpc.tf | 29 +- aws/multi_region/deployment.tf | 104 +++---- aws/multi_region/primary/README.md | 126 +++++++++ .../primary/availability_zones.tf | 3 - aws/multi_region/primary/cert.tf | 19 +- aws/multi_region/primary/db.tf | 26 +- aws/multi_region/primary/dependencies.tf | 23 ++ aws/multi_region/primary/lb_s3_log_bucket.tf | 26 +- aws/multi_region/primary/output.tf | 62 +++- aws/multi_region/primary/provider.tf | 6 +- aws/multi_region/primary/routes.tf | 57 +++- aws/multi_region/primary/security_group.tf | 242 ++++++++-------- aws/multi_region/primary/ssm.tf | 29 ++ aws/multi_region/primary/subnet.tf | 86 ++++-- aws/multi_region/primary/variables.tf | 158 ++++++++++- aws/multi_region/primary/vpc.tf | 25 +- aws/multi_region/provider.tf | 8 +- .../{settings.tfvars => terraform.tfvars} | 62 ++-- aws/multi_region/userdata/cpx_bootstrap.sh | 29 ++ aws/multi_region/userdata/db_bootstrap.sh | 8 +- .../multi_region}/userdata/guac_bootstrap.sh | 4 +- aws/multi_region/userdata/proxy_bootstrap.sh | 27 ++ aws/multi_region/userdata/webapp_bootstrap.sh | 2 - aws/multi_region/variables.tf | 112 ++++++-- aws/multi_region/webapps/README.md | 84 ++++++ 
aws/multi_region/webapps/agent.tf | 17 +- .../webapps/availability_zones.tf | 3 - aws/multi_region/webapps/cpx.tf | 27 ++ aws/multi_region/webapps/dependencies.tf | 4 + aws/multi_region/webapps/elb.tf | 79 +++--- aws/multi_region/webapps/outputs.tf | 8 + aws/multi_region/webapps/provider.tf | 6 +- aws/multi_region/webapps/variables.tf | 91 +++++- aws/multi_region/webapps/webapp.tf | 13 +- aws/standard/README.md | 94 +++++-- aws/standard/deployment.tf | 31 +- aws/standard/diagram/aws_multi_server.drawio | 8 +- aws/standard/module/README.md | 135 +++++++++ aws/standard/module/agent.tf | 16 +- aws/standard/module/alb_logs_s3_bucket.tf | 60 ---- aws/standard/module/availability_zones.tf | 3 - aws/standard/module/cert.tf | 14 +- aws/standard/module/db.tf | 13 +- aws/standard/module/dependencies.tf | 25 ++ aws/standard/module/elb_logs_s3_bucket.tf | 50 ++++ aws/standard/module/guac_rdp.tf | 23 +- aws/standard/module/natgw.tf | 14 - aws/standard/module/private_alb.tf | 62 ++-- aws/standard/module/provider.tf | 6 +- aws/standard/module/public_alb.tf | 95 +++---- aws/standard/module/routes.tf | 67 +++-- aws/standard/module/security_group.tf | 264 +++++++++--------- aws/standard/module/ssm.tf | 29 ++ aws/standard/module/subnet.tf | 91 +++--- aws/standard/module/userdata/cpx_bootstrap.sh | 29 ++ aws/standard/module/userdata/db_bootstrap.sh | 2 - .../module/userdata/webapp_bootstrap.sh | 2 - aws/standard/module/variables.tf | 196 ++++++++++++- aws/standard/module/vpc.tf | 31 +- aws/standard/module/webapp.tf | 28 +- aws/standard/output.tf | 7 + aws/standard/provider.tf | 6 +- aws/standard/secrets.tfvars.example | 2 + aws/standard/settings.tfvars | 43 --- aws/standard/terraform.tfvars | 61 ++++ aws/standard/variables.tf | 102 +++++-- digitalocean/single_server/README.md | 71 +++-- digitalocean/single_server/module/README.md | 64 +++++ digitalocean/single_server/module/firewall.tf | 2 +- digitalocean/single_server/module/provider.tf | 2 + digitalocean/single_server/provider.tf | 
2 + .../single_server/secrets.tfvars.example | 1 + .../{settings.tfvars => terraform.tfvars} | 6 +- digitalocean/single_server/variables.tf | 1 + oci/single_server/README.md | 90 ++++-- oci/single_server/module/README.md | 79 ++++++ oci/single_server/module/provider.tf | 8 +- oci/single_server/provider.tf | 8 +- .../{settings.tfvars => terraform.tfvars} | 4 +- oci/standard/README.md | 106 ++++--- oci/standard/deployment.tf | 6 +- oci/standard/module/README.md | 111 ++++++++ oci/standard/module/agent.tf | 11 +- oci/standard/module/bastion.tf | 30 ++ oci/standard/module/{guac_rdp.tf => cpx.tf} | 23 +- oci/standard/module/db.tf | 12 +- oci/standard/module/dependencies.tf | 16 ++ oci/standard/module/dns.tf | 10 +- oci/standard/module/letsencrypt.tf | 29 +- oci/standard/module/load_balancer.tf | 49 ++-- oci/standard/module/provider.tf | 10 +- oci/standard/module/security_lists.tf | 152 ++++++---- oci/standard/module/subnet.tf | 90 ------ oci/standard/module/subnets.tf | 90 ++++++ .../standard/module/userdata/cpx_bootstrap.sh | 0 oci/standard/module/variables.tf | 53 +++- oci/standard/module/vcn.tf | 43 ++- oci/standard/module/webapp.tf | 18 +- oci/standard/provider.tf | 8 +- .../{settings.tfvars => terraform.tfvars} | 18 +- oci/standard/variables.tf | 54 ++-- 116 files changed, 3880 insertions(+), 1491 deletions(-) create mode 100644 .pre-commit-config.yaml create mode 100644 aws/multi_region/agents/README.md delete mode 100644 aws/multi_region/agents/availability_zones.tf create mode 100644 aws/multi_region/agents/cert.tf create mode 100644 aws/multi_region/agents/cpx.tf create mode 100644 aws/multi_region/agents/dependencies.tf create mode 100644 aws/multi_region/agents/elb.tf create mode 100644 aws/multi_region/agents/proxy.tf create mode 100644 aws/multi_region/primary/README.md delete mode 100644 aws/multi_region/primary/availability_zones.tf create mode 100644 aws/multi_region/primary/dependencies.tf create mode 100644 aws/multi_region/primary/ssm.tf rename 
aws/multi_region/{settings.tfvars => terraform.tfvars} (53%) create mode 100644 aws/multi_region/userdata/cpx_bootstrap.sh rename {oci/standard/module => aws/multi_region}/userdata/guac_bootstrap.sh (76%) create mode 100644 aws/multi_region/userdata/proxy_bootstrap.sh create mode 100644 aws/multi_region/webapps/README.md delete mode 100644 aws/multi_region/webapps/availability_zones.tf create mode 100644 aws/multi_region/webapps/cpx.tf create mode 100644 aws/multi_region/webapps/dependencies.tf create mode 100644 aws/multi_region/webapps/outputs.tf create mode 100644 aws/standard/module/README.md delete mode 100644 aws/standard/module/alb_logs_s3_bucket.tf delete mode 100644 aws/standard/module/availability_zones.tf create mode 100644 aws/standard/module/dependencies.tf create mode 100644 aws/standard/module/elb_logs_s3_bucket.tf delete mode 100644 aws/standard/module/natgw.tf create mode 100644 aws/standard/module/ssm.tf create mode 100644 aws/standard/module/userdata/cpx_bootstrap.sh create mode 100644 aws/standard/output.tf create mode 100644 aws/standard/secrets.tfvars.example delete mode 100644 aws/standard/settings.tfvars create mode 100644 aws/standard/terraform.tfvars create mode 100644 digitalocean/single_server/module/README.md create mode 100644 digitalocean/single_server/secrets.tfvars.example rename digitalocean/single_server/{settings.tfvars => terraform.tfvars} (76%) create mode 100644 oci/single_server/module/README.md rename oci/single_server/{settings.tfvars => terraform.tfvars} (82%) create mode 100644 oci/standard/module/README.md create mode 100644 oci/standard/module/bastion.tf rename oci/standard/module/{guac_rdp.tf => cpx.tf} (50%) create mode 100644 oci/standard/module/dependencies.tf delete mode 100644 oci/standard/module/subnet.tf create mode 100644 oci/standard/module/subnets.tf rename aws/standard/module/userdata/guac_bootstrap.sh => oci/standard/module/userdata/cpx_bootstrap.sh (100%) rename oci/standard/{settings.tfvars => 
terraform.tfvars} (87%)
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
new file mode 100644
index 0000000..5439b01
--- /dev/null
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,52 @@
+repos:
+ - repo: https://github.com/pre-commit/pre-commit-hooks
+ rev: v4.4.0
+ hooks:
+ - id: mixed-line-ending
+ - id: trailing-whitespace
+ - repo: https://github.com/antonbabenko/pre-commit-terraform
+ rev: v1.81.0
+ hooks:
+ - id: tfupdate
+ name: Autoupdate Terraform versions
+ args:
+ - --args=terraform
+ - --args=--version "~> 1.0"
+ - id: tfupdate
+ name: Autoupdate AWS version
+ args:
+ - --args=provider aws
+ - --args=--version "~> 5.0"
+ - id: tfupdate
+ name: Autoupdate OCI version
+ args:
+ - --args=provider oci
+ - --args=--version "~> 5.0"
+ - id: tfupdate
+ name: Autoupdate DigitalOcean version
+ args:
+ - --args=provider digitalocean
+ - --args=--version "~> 2.0"
+ - id: tfupdate
+ name: Autoupdate Acme version
+ args:
+ - --args=provider acme
+ - --args=--version "~> 2.0"
+ - id: tfupdate
+ name: Autoupdate TLS version
+ args:
+ - --args=provider tls
+ - --args=--version "~> 4.0"
+ - id: terraform_fmt
+ - id: terraform_tflint
+ args:
+ - --args=--fix
+ - id: terraform_validate
+ args:
+ - --tf-init-args=-upgrade
+ - --hook-config=--retry-once-with-cleanup=true
+ - id: terraform_docs
+ args:
+ - --hook-config=--path-to-file=README.md
+ - --hook-config=--add-to-existing-file=true
+ - --hook-config=--create-file-if-not-exist=true
diff --git a/aws/multi_region/README.md b/aws/multi_region/README.md
index 303e43e..020b478 100644
--- a/aws/multi_region/README.md
+++ b/aws/multi_region/README.md
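Review bot: Both hook repositories in `.pre-commit-config.yaml` are pinned by tag (`rev: v4.4.0`, `rev: v1.81.0`), and a tag can be moved upstream; pinning each `rev` to the full commit SHA keeps the code that runs on every contributor's machine fixed. The `terraform_validate` hook also passes `--tf-init-args=-upgrade`, so each run may pull newer provider builds than the ones last reviewed. Since this repository works with `secrets.tfvars` files and AWS access keys, the `pre-commit-hooks` entry could also enable `- id: detect-private-key` and `- id: detect-aws-credentials`.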
@@ -45,50 +45,85 @@ Create a user via the IAM console that will be used for the terraform deployment 3. Verify the configuration - terraform plan -var-file settings.tfvars -var-file secrets.tfvars + terraform plan -var-file secrets.tfvars 4. Deploy - terraform apply -var-file settings.tfvars -var-file secrets.tfvars + terraform apply -var-file secrets.tfvars 5. Login to the Deployment as an Admin via the domain defined e.g `https://kasm.contoso.com` 6. Navigate to the Agents tab, and enable each Agent after it checks in. (May take a few minutes) + +## Requirements -# AWS Terraform Variable definitions +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | ~> 1.0 | +| [aws](#requirement\_aws) | ~> 5.0 | -| Variable | Description | Variable type | Example | -|:--------:|-------------|---------------|---------| -| `aws_access_key` | The AWS access key used for deployment. | String | `"AKIAJSIE27KKMHXI3BJQ"` | -| `aws_secret_key` | The AWS secret key used for deployment. | String | `"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"` | -| `aws_primary_region` | The AWS Region to deploy all Kasm Management resources. | String | `"us-east-1"` | -| `project_name` | The name of the deployment (e.g dev, staging). A short single word of up to 15 characters. | String | `"kasm"` | -| `aws_domain_name` | The Route53 Zone used for the dns entries. This must already exist in the AWS account. (e.g dev.kasm.contoso.com). The deployment will be accessed via this zone name via https. | String | `"kasm.contoso.com"` | -| `kasm_zone_name` | A name given to the kasm deployment Zone. | String | `"default"` | -| `primary_vpc_subnet_cidr` | The subnet CIDR to use for the Primary region's VPC. | String | `"10.0.0.0/16"` | -| `aws_key_pair` | The name of an aws keypair to use. | String | `"kasm_ssh_key"` | -| `primary_region_ec2_ami_id` | The AMI used for the EC2 nodes in the Primary (Management) region. Recommended Ubuntu 20.04 LTS. 
| String | `"ami-09cd747c78a9add63"` | -| `swap_size` | The amount of swap (in MB) to configure inside the Kasm servers. | Number | `2048` | -| `webapp_instance_type` | The instance type for the Kasm WebApps. | String | `"t3.small"` | -| `webapp_hdd_size_gb` | The HDD size for the WebApp EC2s in GB. | Number | `40` | -| `db_instance_type` | The instance type for the Kasm Database. | String | `"t3.medium"` | -| `db_hdd_size_gb` | The HDD size for the DB EC2 in GB. | Number | `40` | -| `agent_instance_type` | The instance type for the Kasm Agents in the Primary region. | String | `"t3.medium"` | -| `agent_hdd_size_gb` | The HDD size for the Agent EC2s in GB. | Number | `120` | -| `num_webapps` | The number of WebApp role servers to create in this deployment. Acceptable ranges from 1-3. | Number | `2` | -| `num_agents` | The number of static Kasm Agents to create in the primary region. Acceptable ranges from 0-100. | Number | `2` | -| `allow_ssh_cidrs` | A list of subnets in CIDR notation allowed to SSH into your kasm servers (use `["0.0.0.0/0]"` to allow SSH from any IP). | List(String) | `["1.1.1.1/32","172.217.22.14/32"]` | -| `web_access_cidrs` | A list of subnets in CIDR notation allowed Web access to your kasm servers (use `["0.0.0.0/0]"` to allow HTTP/HTTPS from any IP). | List(String) | `["0.0.0.0/0"]` | -| `secondary_regions_settings` | A map of AWS environment settings for secondary regions. The Primary region is considered "region1", thus all secondary regions should be labeled "region2", "region3", etc. Refer to the commented settings in the `secondary_regions_settings` variable in the `settings.tf` for an example. | Map(any) |
{
  region2 = {
    agent_region = "eu-central-1"
    agent_ec2_ami_id = "ami-0e067cc8a2b58de59"
    agent_instance_type = "t3.medium"
    num_agents = 2
    agent_vpc_cidr = "10.1.0.0/16"
  }
}
-| `database_password` | The Kasm PostgreSQL database password. String from 12-30 characters in length with no special characters. | String | `"1qaz2wsx3EDC4RFV"` | -| `redis_password` | The Kasm Redis password. String from 12-30 characters in length with no special characters. | String | `"1qaz2wsx3EDC4RFV"` | -| `admin_password` | The Kasm Administrative user login password. String from 12-30 characters in length with no special characters. | String | `"1qaz2wsx3EDC4RFV"` | -| `user_password` | A Kasm standard (non-administrator) user password. String from 12-30 characters in length with no special characters. | String | `"1qaz2wsx3EDC4RFV"` | -| `manager_token` | The manager token value used by Kasm agents to authenticate to the Kasm WebApps. String from 12-30 characters in length with no special characters. | String | `"1qaz2wsx3EDC4RFV"` | -| `kasm_build` | The download URL for the desired Kasm Workspaces version. | String | `"https://kasm-static-content.s3.amazonaws.com/kasm_release_1.13.0.002947.tar.gz"` | -| `aws_default_tags` | A Map of all tags you wish to apply to all TF created resources in this deployment. | Map(Any) |
{
  Service_name = "Kasm Workspaces"
  Kasm_version = "1.12"
}
| +## Providers +No providers. + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [primary\_region](#module\_primary\_region) | ./primary | n/a | +| [primary\_region\_webapps\_and\_agents](#module\_primary\_region\_webapps\_and\_agents) | ./webapps | n/a | +| [region2\_agents](#module\_region2\_agents) | ./agents | n/a | +| [region2\_webapps](#module\_region2\_webapps) | ./webapps | n/a | + +## Resources + +No resources. + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [admin\_password](#input\_admin\_password) | The administrative user password. No special characters | `string` | n/a | yes | +| [agent\_hdd\_size\_gb](#input\_agent\_hdd\_size\_gb) | The HDD size in GB to configure for the Kasm Agent instances | `number` | n/a | yes | +| [agent\_instance\_type](#input\_agent\_instance\_type) | The instance type for the Agents | `string` | n/a | yes | +| [aws\_access\_key](#input\_aws\_access\_key) | The AWS access key used for deployment | `string` | n/a | yes | +| [aws\_default\_tags](#input\_aws\_default\_tags) | Default tags to apply to all AWS resources for this deployment | `map(any)` |
{
"Kasm_version": "1.14",
"Service_name": "Kasm Workspaces"
}
| no | +| [aws\_domain\_name](#input\_aws\_domain\_name) | The Route53 Zone used for the dns entries. This must already exist in the AWS account. (e.g dev.kasm.contoso.com). The deployment will be accessed via this zone name via https | `string` | n/a | yes | +| [aws\_key\_pair](#input\_aws\_key\_pair) | The name of an aws keypair to use. | `string` | n/a | yes | +| [aws\_primary\_region](#input\_aws\_primary\_region) | The AWS Region used for deployment | `string` | `"us-east-1"` | no | +| [aws\_secret\_key](#input\_aws\_secret\_key) | The AWS secret key used for deployment | `string` | n/a | yes | +| [aws\_ssm\_iam\_role\_name](#input\_aws\_ssm\_iam\_role\_name) | The name of the SSM EC2 role to associate with Kasm VMs for SSH access | `string` | `""` | no | +| [cpx\_hdd\_size\_gb](#input\_cpx\_hdd\_size\_gb) | The HDD size in GB to configure for the Kasm Guac RDP instances | `number` | n/a | yes | +| [cpx\_instance\_type](#input\_cpx\_instance\_type) | The instance type for the Guac RDP nodes | `string` | n/a | yes | +| [create\_aws\_ssm\_iam\_role](#input\_create\_aws\_ssm\_iam\_role) | Create an AWS SSM IAM role to attach to VMs for SSH/console access to VMs. | `bool` | `false` | no | +| [database\_password](#input\_database\_password) | The password for the database. No special characters | `string` | n/a | yes | +| [db\_hdd\_size\_gb](#input\_db\_hdd\_size\_gb) | The HDD size in GB to configure for the Kasm Database instances | `number` | n/a | yes | +| [db\_instance\_type](#input\_db\_instance\_type) | The instance type for the Database | `string` | n/a | yes | +| [kasm\_build](#input\_kasm\_build) | Download URL for Kasm Workspaces | `string` | n/a | yes | +| [manager\_token](#input\_manager\_token) | The manager token value for Agents to authenticate to webapps. 
No special characters | `string` | n/a | yes | +| [num\_agents](#input\_num\_agents) | The number of Agent Role Servers to create in the deployment | `number` | `2` | no | +| [num\_cpx\_nodes](#input\_num\_cpx\_nodes) | The number of Agent Role Servers to create in the deployment | `number` | n/a | yes | +| [num\_webapps](#input\_num\_webapps) | The number of WebApp role servers to create in the deployment | `number` | `2` | no | +| [primary\_region\_ec2\_ami\_id](#input\_primary\_region\_ec2\_ami\_id) | AMI Id of Kasm EC2 image in the primary region. Recommended AMI OS Version is Ubuntu 20.04 LTS. | `string` | n/a | yes | +| [primary\_vpc\_subnet\_cidr](#input\_primary\_vpc\_subnet\_cidr) | The subnet CIDR to use for the VPC | `string` | `"10.0.0.0/16"` | no | +| [project\_name](#input\_project\_name) | The name of the deployment (e.g dev, staging). A short single word | `string` | n/a | yes | +| [proxy\_hdd\_size\_gb](#input\_proxy\_hdd\_size\_gb) | The HDD size in GB to configure for the Kasm dedicated proxy instances | `number` | n/a | yes | +| [proxy\_instance\_type](#input\_proxy\_instance\_type) | The instance type for the dedicated proxy node | `string` | `""` | no | +| [redis\_password](#input\_redis\_password) | The password for the Redis server. No special characters | `string` | n/a | yes | +| [secondary\_regions\_settings](#input\_secondary\_regions\_settings) | Map of Kasm settings for secondary regions |
map(object({
agent_region = string
agent_vpc_cidr = string
ec2_ami_id = string
})
)
| n/a | yes | +| [service\_registration\_token](#input\_service\_registration\_token) | The service registration token value for cpx RDP servers to authenticate to webapps. No special characters | `string` | n/a | yes | +| [ssh\_access\_cidrs](#input\_ssh\_access\_cidrs) | CIDR notation of the bastion host allowed to SSH in to the machines | `list(string)` |
[
"0.0.0.0/0"
]
| no | +| [swap\_size](#input\_swap\_size) | The amount of swap (in MB) to configure inside the compute instances | `number` | n/a | yes | +| [user\_password](#input\_user\_password) | The standard (non administrator) user password. No special characters | `string` | n/a | yes | +| [web\_access\_cidrs](#input\_web\_access\_cidrs) | CIDR notation of the bastion host allowed to SSH in to the machines | `list(string)` |
[
"0.0.0.0/0"
]
| no | +| [webapp\_hdd\_size\_gb](#input\_webapp\_hdd\_size\_gb) | The HDD size in GB to configure for the Kasm WebApp instances | `number` | n/a | yes | +| [webapp\_instance\_type](#input\_webapp\_instance\_type) | The instance type for the webapps | `string` | `""` | no | + +## Outputs + +No outputs. + # Detailed Terraform Deployment Diagram diff --git a/aws/multi_region/agents/README.md b/aws/multi_region/agents/README.md new file mode 100644 index 0000000..dd8ba1d --- /dev/null +++ b/aws/multi_region/agents/README.md 
@@ -0,0 +1,104 @@ +# agents + + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | ~> 1.0 | +| [aws](#requirement\_aws) | ~> 5.0 | + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | 5.36.0 | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [aws_acm_certificate.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/acm_certificate) | resource | +| [aws_acm_certificate_validation.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/acm_certificate_validation) | resource | +| [aws_eip.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eip) | resource | +| [aws_instance.agent](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance) | resource | +| [aws_instance.cpx](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance) | resource | +| [aws_instance.proxy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance) | resource | +| [aws_internet_gateway.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/internet_gateway) | resource | +| [aws_lb.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb) | resource | +| [aws_lb_listener.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_listener) | resource | +| [aws_lb_target_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_target_group) | resource | +| [aws_lb_target_group_attachment.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_target_group_attachment) | resource | +| [aws_nat_gateway.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/nat_gateway) | resource | +| 
[aws_route53_record.alb](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource | +| [aws_route53_record.certificate](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource | +| [aws_route_table.internet_gateway](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table) | resource | +| [aws_route_table.nat_gateway](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table) | resource | +| [aws_route_table_association.agent](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table_association) | resource | +| [aws_route_table_association.alb](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table_association) | resource | +| [aws_route_table_association.cpx](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table_association) | resource | +| [aws_route_table_association.proxy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table_association) | resource | +| [aws_route_table_association.windows](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table_association) | resource | +| [aws_security_group.agent](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | +| [aws_security_group.cpx](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | +| [aws_security_group.proxy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | +| [aws_security_group.public_lb](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | +| [aws_security_group.windows](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | +| 
[aws_security_group_rule.agent](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | +| [aws_security_group_rule.cpx](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | +| [aws_security_group_rule.egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | +| [aws_security_group_rule.proxy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | +| [aws_security_group_rule.public_lb](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | +| [aws_security_group_rule.windows_cpx](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | +| [aws_security_group_rule.windows_webapp](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | +| [aws_subnet.agent](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet) | resource | +| [aws_subnet.alb](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet) | resource | +| [aws_subnet.cpx](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet) | resource | +| [aws_subnet.proxy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet) | resource | +| [aws_subnet.windows](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet) | resource | +| [aws_vpc.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc) | resource | +| [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source | +| 
[aws_route53_zone.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route53_zone) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [agent\_hdd\_size\_gb](#input\_agent\_hdd\_size\_gb) | The HDD size for agents | `number` | n/a | yes | +| [agent\_instance\_type](#input\_agent\_instance\_type) | The instance type for the agents | `string` | n/a | yes | +| [agent\_security\_rules](#input\_agent\_security\_rules) | A map of objects of security rules to apply to the Kasm WebApp server |
map(object({
from_port = number
to_port = number
protocol = string
}))
|
{
"https": {
"from_port": 443,
"protocol": "tcp",
"to_port": 443
}
}
| no | +| [agent\_vpc\_cidr](#input\_agent\_vpc\_cidr) | Subnet CIDR range for Agent VPC | `string` | n/a | yes | +| [anywhere](#input\_anywhere) | Anywhere subnet for routing and load ingress from all IPs | `string` | `"0.0.0.0/0"` | no | +| [aws\_domain\_name](#input\_aws\_domain\_name) | The Route53 Zone used for the dns entries. This must already exist in the AWS account. (e.g dev.kasm.contoso.com). The deployment will be accessed via this zone name via https | `string` | n/a | yes | +| [aws\_key\_pair](#input\_aws\_key\_pair) | The name of an aws keypair to use. | `string` | n/a | yes | +| [aws\_region](#input\_aws\_region) | The AWS region for the deployment. (e.g us-east-1) | `string` | n/a | yes | +| [aws\_ssm\_iam\_role\_name](#input\_aws\_ssm\_iam\_role\_name) | The name of the SSM EC2 role to associate with Kasm VMs for SSH access | `string` | `""` | no | +| [cpx\_hdd\_size\_gb](#input\_cpx\_hdd\_size\_gb) | The HDD size for Kasm Guac RDP nodes | `number` | n/a | yes | +| [cpx\_instance\_type](#input\_cpx\_instance\_type) | The instance type for the cpx RDP nodes | `string` | n/a | yes | +| [cpx\_security\_rules](#input\_cpx\_security\_rules) | A map of objects of security rules to apply to the Kasm Connection Proxy server |
map(object({
from_port = number
to_port = number
protocol = string
}))
|
{
"https": {
"from_port": 443,
"protocol": "tcp",
"to_port": 443
}
}
| no | +| [default\_egress](#input\_default\_egress) | Default egress security rule for all security groups |
object({
from_port = number
to_port = number
protocol = string
cidr_subnets = list(string)
})
|
{
"cidr_subnets": [
"0.0.0.0/0"
],
"from_port": 0,
"protocol": "-1",
"to_port": 0
}
| no | +| [ec2\_ami](#input\_ec2\_ami) | The AMI used for the EC2 nodes. Recommended Ubuntu 20.04 LTS. | `string` | n/a | yes | +| [kasm\_build](#input\_kasm\_build) | The URL for the Kasm Workspaces build | `string` | n/a | yes | +| [load\_balancer\_log\_bucket](#input\_load\_balancer\_log\_bucket) | S3 bucket name for load balancers to forward access logs to | `string` | n/a | yes | +| [management\_region\_nat\_gateway](#input\_management\_region\_nat\_gateway) | A list Kasm management region NAT gateways to allow Webapps ingress on 4902 to Kasm Windows agent | `string` | n/a | yes | +| [manager\_token](#input\_manager\_token) | The password for the database. No special characters | `string` | n/a | yes | +| [num\_agents](#input\_num\_agents) | The number of Agent Role Servers to create in the deployment | `number` | n/a | yes | +| [num\_cpx\_nodes](#input\_num\_cpx\_nodes) | The number of cpx Role Servers to create in the deployment | `number` | n/a | yes | +| [num\_proxy\_nodes](#input\_num\_proxy\_nodes) | The number of Dedicated Proxy nodes to create in the deployment | `number` | `2` | no | +| [project\_name](#input\_project\_name) | The name of the deployment (e.g dev, staging). A short single word | `string` | n/a | yes | +| [proxy\_hdd\_size\_gb](#input\_proxy\_hdd\_size\_gb) | The HDD size for Dedicated Proxy nodes | `number` | n/a | yes | +| [proxy\_instance\_type](#input\_proxy\_instance\_type) | The instance type for the dedicated proxy nodes | `number` | n/a | yes | +| [proxy\_security\_rules](#input\_proxy\_security\_rules) | A map of objects of security rules to apply to the Kasm WebApp server |
object({
from_port = number
to_port = number
protocol = string
})
|
{
"from_port": 443,
"protocol": "tcp",
"to_port": 443
}
| no | +| [public\_lb\_security\_rules](#input\_public\_lb\_security\_rules) | A map of objects of security rules to apply to the Public ALB |
map(object({
from_port = number
to_port = number
protocol = string
}))
|
{
"http": {
"from_port": 80,
"protocol": "tcp",
"to_port": 80
},
"https": {
"from_port": 443,
"protocol": "tcp",
"to_port": 443
}
}
| no | +| [service\_registration\_token](#input\_service\_registration\_token) | The service registration token value for cpx RDP servers to authenticate to webapps. No special characters | `string` | n/a | yes | +| [swap\_size](#input\_swap\_size) | The amount of swap (in MB) to configure inside the compute instances | `number` | n/a | yes | +| [windows\_security\_rules](#input\_windows\_security\_rules) | A map of objects of security rules to apply to the Kasm Windows VMs |
map(object({
from_port = number
to_port = number
protocol = string
}))
|
{
"api": {
"from_port": 4902,
"protocol": "tcp",
"to_port": 4902
},
"rdp": {
"from_port": 3389,
"protocol": "tcp",
"to_port": 3389
}
}
| no | + +## Outputs + +No outputs. + diff --git a/aws/multi_region/agents/agent.tf b/aws/multi_region/agents/agent.tf index b32beb2..a63d778 100644 --- a/aws/multi_region/agents/agent.tf +++ b/aws/multi_region/agents/agent.tf @@ -1,10 +1,12 @@ -resource "aws_instance" "kasm-agent" { - count = var.num_agents - ami = var.ec2_ami - instance_type = var.agent_instance_type - vpc_security_group_ids = [data.aws_security_group.data-kasm_agent_sg.id] - subnet_id = data.aws_subnet.data-kasm_agent_subnet.id - key_name = var.aws_key_pair +resource "aws_instance" "agent" { + count = var.num_agents + ami = var.ec2_ami + instance_type = var.agent_instance_type + vpc_security_group_ids = [aws_security_group.agent.id] + subnet_id = aws_subnet.agent.id + key_name = var.aws_key_pair + associate_public_ip_address = true + iam_instance_profile = var.aws_ssm_iam_role_name root_block_device { volume_size = var.agent_hdd_size_gb @@ -20,6 +22,6 @@ resource "aws_instance" "kasm-agent" { ) tags = { - Name = "${var.project_name}-${var.zone_name}-kasm-agent" + Name = "${var.project_name}-${var.aws_region}-kasm-agent-${count.index}" } } diff --git a/aws/multi_region/agents/availability_zones.tf b/aws/multi_region/agents/availability_zones.tf deleted file mode 100644 index 87d8f48..0000000 --- a/aws/multi_region/agents/availability_zones.tf +++ /dev/null @@ -1,3 +0,0 @@ -data "aws_availability_zones" "available" { - state = "available" -} diff --git a/aws/multi_region/agents/cert.tf b/aws/multi_region/agents/cert.tf new file mode 100644 index 0000000..6257cc9 --- /dev/null +++ b/aws/multi_region/agents/cert.tf 
@@ -0,0 +1,32 @@
+resource "aws_acm_certificate" "this" {
+ domain_name = var.aws_domain_name
+ subject_alternative_names = ["*.${var.aws_domain_name}"]
+ validation_method = "DNS"
+
+
+ lifecycle {
+ create_before_destroy = true
+ }
+}
+
+resource "aws_route53_record" "certificate" {
+ for_each = {
+ for dvo in aws_acm_certificate.this.domain_validation_options : dvo.domain_name => {
+ name = dvo.resource_record_name
+ record = dvo.resource_record_value
+ type = dvo.resource_record_type
+ }
+ }
+ name = each.value.name
+ type = each.value.type
+ records = [each.value.record]
+ zone_id = data.aws_route53_zone.this.id
+
+ ttl = 30
+ allow_overwrite = true
+}
+
+resource "aws_acm_certificate_validation" "this" {
+ certificate_arn = aws_acm_certificate.this.arn
+ validation_record_fqdns = [for record in aws_route53_record.certificate : record.fqdn]
+}
diff --git a/aws/multi_region/agents/cpx.tf b/aws/multi_region/agents/cpx.tf
new file mode 100644
index 0000000..37fcc88
--- /dev/null
+++ b/aws/multi_region/agents/cpx.tf
@@ -0,0 +1,27 @@
+resource "aws_instance" "cpx" {
+ count = var.num_cpx_nodes
+
+ ami = var.ec2_ami
+ instance_type = var.cpx_instance_type
+ vpc_security_group_ids = aws_security_group.cpx[*].id
+ subnet_id = aws_subnet.cpx[0].id
+ key_name = var.aws_key_pair
+ iam_instance_profile = var.aws_ssm_iam_role_name
+
+ root_block_device {
+ volume_size = var.cpx_hdd_size_gb
+ }
+
+ user_data = templatefile("${path.module}/../userdata/cpx_bootstrap.sh",
+ {
+ kasm_build_url = var.kasm_build
+ swap_size = var.swap_size
+ manager_address = var.aws_domain_name
+ service_registration_token = var.service_registration_token
+ }
+ )
+
+ tags = {
+ Name = "${var.project_name}-${var.aws_region}-kasm-cpx-${count.index}"
+ }
+}
diff --git a/aws/multi_region/agents/dependencies.tf b/aws/multi_region/agents/dependencies.tf
new file mode 100644
index 0000000..a9545cd
--- /dev/null
+++ b/aws/multi_region/agents/dependencies.tf
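Review bot: In cpx.tf, `service_registration_token` is rendered into `user_data` by the `templatefile` call, so the secret sits in the instance's user-data attribute. There it can be read by any principal allowed to describe instance attributes and by any local process that can query the instance metadata service, and marking the variable `sensitive` does not change that. Since the instance already receives `iam_instance_profile`, the template could pass only a parameter name and let the bootstrap script fetch the token at boot from SSM Parameter Store or Secrets Manager. That change also touches `cpx_bootstrap.sh`, which is not shown in this hunk.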
@@ -0,0 +1,24 @@
+locals {
+ kasm_agent_vpc_subnet_cidr_mask = split("/", var.agent_vpc_cidr)[1]
+ kasm_agent_subnet_cidr_calculation = (8 - (local.kasm_agent_vpc_subnet_cidr_mask - 16))
+ kasm_agent_subnet_cidr_size = local.kasm_agent_subnet_cidr_calculation < 3 ? 3 : local.kasm_agent_subnet_cidr_calculation
+
+ all_security_groups = compact([
+ aws_security_group.public_lb.id,
+ aws_security_group.proxy.id,
+ aws_security_group.agent.id,
+ one(aws_security_group.cpx[*].id),
+ one(aws_security_group.windows[*].id)
+ ])
+
+ proxy_security_rules = { for value in local.all_security_groups : value => var.proxy_security_rules if value == aws_security_group.public_lb.id }
+}
+
+data "aws_route53_zone" "this" {
+ name = var.aws_domain_name
+ private_zone = false
+}
+
+data "aws_availability_zones" "available" {
+ state = "available"
+}
diff --git a/aws/multi_region/agents/elb.tf b/aws/multi_region/agents/elb.tf
new file mode 100644
index 0000000..e96bcfd
--- /dev/null
+++ b/aws/multi_region/agents/elb.tf
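Review bot: `local.proxy_security_rules` is keyed by security group IDs, which are unknown until the groups exist, and `aws_security_group_rule.proxy` uses that map as its `for_each`. Terraform needs `for_each` keys at plan time, so a first plan is likely to stop with an invalid for_each error. `aws_security_group_rule.egress` in security_group.tf has the same problem, since it builds its map from `local.all_security_groups`. Keying by a static name and carrying the ID as a value avoids it, for example `proxy_security_rules = { public_lb = aws_security_group.public_lb.id }` with `source_security_group_id = each.value` and the ports read from `var.proxy_security_rules`.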
@@ -0,0 +1,57 @@ +resource "aws_lb" "this" { + name = "${var.project_name}-lb" + internal = false + load_balancer_type = "application" + security_groups = [aws_security_group.public_lb.id] + subnets = aws_subnet.alb[*].id + + access_logs { + bucket = var.load_balancer_log_bucket + enabled = true + } +} + +resource "aws_lb_listener" "this" { + load_balancer_arn = aws_lb.this.arn + port = "443" + protocol = "HTTPS" + certificate_arn = aws_acm_certificate.this.arn + + default_action { + type = "forward" + target_group_arn = aws_lb_target_group.this.arn + } +} + +resource "aws_lb_target_group" "this" { + name = "${var.project_name}-target-group" + port = 443 + protocol = "HTTPS" + vpc_id = aws_vpc.this.id + + health_check { + path = "/desktop" + matcher = 301 + protocol = "HTTPS" + } +} + +resource "aws_lb_target_group_attachment" "this" { + count = var.num_proxy_nodes + + target_group_arn = aws_lb_target_group.this.arn + target_id = aws_instance.proxy[count.index].id + port = 443 +} + +resource "aws_route53_record" "alb" { + zone_id = data.aws_route53_zone.this.zone_id + name = "${var.aws_region}-proxy.${var.aws_domain_name}" + type = "A" + + alias { + name = aws_lb.this.dns_name + zone_id = aws_lb.this.zone_id + evaluate_target_health = false + } +} diff --git a/aws/multi_region/agents/provider.tf b/aws/multi_region/agents/provider.tf index ea82995..2039c6e 100644 --- a/aws/multi_region/agents/provider.tf +++ b/aws/multi_region/agents/provider.tf @@ -1,8 +1,10 @@ terraform { + required_version = "~> 1.0" + required_providers { aws = { - source = "hashicorp/aws" - #version = "4.56.0" + source = "hashicorp/aws" + version = "~> 5.0" } } } \ No newline at end of file diff --git a/aws/multi_region/agents/proxy.tf b/aws/multi_region/agents/proxy.tf new file mode 100644 index 0000000..1c3d455 --- /dev/null +++ b/aws/multi_region/agents/proxy.tf 
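Review bot: `aws_lb_listener.this` sets no `ssl_policy`, so the internet-facing HTTPS listener takes the default policy; as far as I know that is ELBSecurityPolicy-2016-08, which still negotiates TLS 1.0 and 1.1. Pin a current policy, e.g. `ssl_policy = "ELBSecurityPolicy-TLS13-1-2-2021-06"`. The listener also reads `aws_acm_certificate.this.arn`, which is available before DNS validation completes; `certificate_arn = aws_acm_certificate_validation.this.certificate_arn` makes it wait for an issued certificate. The default `public_lb_security_rules` open port 80, but this file defines no listener or redirect on it.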
@@ -0,0 +1,27 @@
+resource "aws_instance" "proxy" {
+ count = var.num_proxy_nodes
+
+ ami = var.ec2_ami
+ instance_type = var.proxy_instance_type
+ vpc_security_group_ids = [aws_security_group.proxy.id]
+ subnet_id = aws_subnet.proxy[(count.index)].id
+ key_name = var.aws_key_pair
+ iam_instance_profile = var.aws_ssm_iam_role_name
+
+ root_block_device {
+ volume_size = var.proxy_hdd_size_gb
+ }
+
+ user_data = templatefile("${path.module}/../userdata/proxy_bootstrap.sh",
+ {
+ kasm_build_url = var.kasm_build
+ swap_size = var.swap_size
+ manager_address = var.aws_domain_name
+ proxy_alb_address = "${var.aws_region}-proxy.${var.aws_domain_name}"
+ }
+ )
+
+ tags = {
+ Name = "${var.project_name}-${var.aws_region}-kasm-proxy"
+ }
+}
diff --git a/aws/multi_region/agents/routes.tf b/aws/multi_region/agents/routes.tf
index 3d48abb..ab69335 100644
--- a/aws/multi_region/agents/routes.tf
+++ b/aws/multi_region/agents/routes.tf
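Review bot: `aws_instance.proxy` attaches an instance profile but has no `metadata_options` block, so the metadata service accepts token-less (IMDSv1) requests unless the AMI or an account-level default says otherwise. A request-forgery flaw in anything running on the node could then read the role credentials. Adding `metadata_options { http_tokens = "required" }` enforces IMDSv2; `aws_instance.agent` and `aws_instance.cpx` have the same gap. `root_block_device` in all three could also set `encrypted = true` if the account does not enable EBS encryption by default.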
@@ -1,21 +1,54 @@ -resource "aws_route_table" "internet_access" { - vpc_id = data.aws_vpc.data-kasm_agent_vpc.id +resource "aws_route_table" "internet_gateway" { + vpc_id = aws_vpc.this.id route { cidr_block = var.anywhere - gateway_id = data.aws_internet_gateway.data-kasm_agent_default_ig.id + gateway_id = aws_internet_gateway.this.id } tags = { - Name = "${var.project_name}-kasm-agent-default-route" + Name = "${var.project_name}-kasm-internet-gateway-route" } } -data "aws_route_table" "data-agent_internet_gateway_route_table" { - route_table_id = aws_route_table.internet_access.id +resource "aws_route_table" "nat_gateway" { + vpc_id = aws_vpc.this.id + + route { + cidr_block = var.anywhere + gateway_id = aws_nat_gateway.this.id + } + + tags = { + Name = "${var.project_name}-kasm-nat-gateway-route" + } } -resource "aws_route_table_association" "agent_table_association" { - subnet_id = data.aws_subnet.data-kasm_agent_subnet.id - route_table_id = data.aws_route_table.data-agent_internet_gateway_route_table.id +resource "aws_route_table_association" "alb" { + count = 2 + subnet_id = aws_subnet.alb[(count.index)].id + route_table_id = aws_route_table.internet_gateway.id +} + +resource "aws_route_table_association" "proxy" { + count = var.num_proxy_nodes + subnet_id = aws_subnet.proxy[(count.index)].id + route_table_id = aws_route_table.nat_gateway.id +} + +resource "aws_route_table_association" "agent" { + subnet_id = aws_subnet.agent.id + route_table_id = aws_route_table.internet_gateway.id +} + +resource "aws_route_table_association" "cpx" { + count = var.num_cpx_nodes > 0 ? 1 : 0 + subnet_id = aws_subnet.cpx[0].id + route_table_id = aws_route_table.nat_gateway.id +} + +resource "aws_route_table_association" "windows" { + count = var.num_cpx_nodes > 0 ? 1 : 0 + subnet_id = aws_subnet.windows[0].id + route_table_id = aws_route_table.internet_gateway.id } 
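Review bot: The default route in `aws_route_table.nat_gateway` passes the NAT gateway through `gateway_id`, which the provider documents for internet and virtual private gateways; NAT gateways have their own argument. With the wrong argument the route is likely to be rejected or to show a permanent diff on every plan. Use `nat_gateway_id = aws_nat_gateway.this.id`. The `alb` association also hard-codes `count = 2`, which has to stay in step with `aws_subnet.alb`.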
diff --git a/aws/multi_region/agents/security_group.tf b/aws/multi_region/agents/security_group.tf index 4fe5d53..08dae14 100644 --- a/aws/multi_region/agents/security_group.tf +++ b/aws/multi_region/agents/security_group.tf 
@@ -1,30 +1,129 @@ -resource "aws_security_group" "kasm-agent-sg" { - name = "${var.project_name}-${var.zone_name}-kasm-agent-access" +resource "aws_security_group" "public_lb" { + name = "${var.project_name}-kasm-allow-public-lb-access" + description = "Security Group for ELB" + vpc_id = aws_vpc.this.id + + tags = { + Name = "${var.project_name}-kasm-public-lb-access" + } +} + +resource "aws_security_group_rule" "public_lb" { + for_each = var.public_lb_security_rules + + security_group_id = aws_security_group.public_lb.id + type = "ingress" + from_port = each.value.from_port + to_port = each.value.to_port + protocol = each.value.protocol + cidr_blocks = [var.anywhere] +} + +resource "aws_security_group" "proxy" { + name = "${var.project_name}-kasm-proxy" + description = "Allow access to proxy" + vpc_id = aws_vpc.this.id + + tags = { + Name = "${var.project_name}-kasm-proxy-access" + } +} + +resource "aws_security_group_rule" "proxy" { + for_each = local.proxy_security_rules + + security_group_id = aws_security_group.proxy.id + type = "ingress" + from_port = each.value.from_port + to_port = each.value.to_port + protocol = each.value.protocol + source_security_group_id = each.key +} + +resource "aws_security_group" "agent" { + name = "${var.project_name}-kasm-agent-access" description = "Allow access to agents" - vpc_id = data.aws_vpc.data-kasm_agent_vpc.id + vpc_id = aws_vpc.this.id - ingress { - from_port = 22 - to_port = 22 - protocol = "tcp" - cidr_blocks = var.ssh_access_cidrs - } - - ingress { - from_port = 443 - to_port = 443 - protocol = "tcp" - cidr_blocks = [var.anywhere] - } - - egress { - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_blocks = [var.anywhere] + tags = { + Name = "${var.project_name}-kasm-agent-access" } } -data "aws_security_group" "data-kasm_agent_sg" { - id = aws_security_group.kasm-agent-sg.id +resource "aws_security_group_rule" "agent" { + for_each = var.agent_security_rules + + security_group_id = aws_security_group.agent.id + 
type = "ingress" + from_port = each.value.from_port + to_port = each.value.to_port + protocol = each.value.protocol + source_security_group_id = aws_security_group.proxy.id +} + +resource "aws_security_group" "cpx" { + count = var.num_cpx_nodes > 0 ? 1 : 0 + + name = "${var.project_name}-kasm-cpx-access" + description = "Allow access to cpx RDP nodes" + + tags = { + Name = "${var.project_name}-kasm-cpx-access" + } +} + +resource "aws_security_group_rule" "cpx" { + for_each = var.num_cpx_nodes > 0 ? var.cpx_security_rules : {} + + security_group_id = one(aws_security_group.cpx[*].id) + type = "ingress" + from_port = each.value.from_port + to_port = each.value.to_port + protocol = each.value.protocol + source_security_group_id = aws_security_group.proxy.id +} + +resource "aws_security_group" "windows" { + count = var.num_cpx_nodes > 0 ? 1 : 0 + + name = "${var.project_name}-kasm-windows-access" + description = "Allow access to Windows servers" + vpc_id = aws_vpc.this.id + + tags = { + Name = "${var.project_name}-kasm-windows-access" + } +} + +resource "aws_security_group_rule" "windows_cpx" { + for_each = var.num_cpx_nodes > 0 ? var.windows_security_rules : {} + + security_group_id = one(aws_security_group.windows[*].id) + type = "ingress" + from_port = each.value.from_port + to_port = each.value.to_port + protocol = each.value.protocol + source_security_group_id = one(aws_security_group.cpx[*].id) +} + +resource "aws_security_group_rule" "windows_webapp" { + for_each = var.num_cpx_nodes > 0 ? 
{ for key, value in var.windows_security_rules : key => value if can(regex("(?i:api)", key)) } : {} + + security_group_id = one(aws_security_group.windows[*].id) + type = "ingress" + from_port = each.value.from_port + to_port = each.value.to_port + protocol = each.value.protocol + cidr_blocks = [var.management_region_nat_gateway] +} + +resource "aws_security_group_rule" "egress" { + for_each = { for value in local.all_security_groups : value => var.default_egress } + + security_group_id = each.key + type = each.value.rule_type + from_port = each.value.from_port + to_port = each.value.to_port + protocol = each.value.protocol + cidr_blocks = [var.anywhere] } diff --git a/aws/multi_region/agents/subnet.tf b/aws/multi_region/agents/subnet.tf index 598d6f8..24802b8 100644 --- a/aws/multi_region/agents/subnet.tf +++ b/aws/multi_region/agents/subnet.tf 
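Review bot: `aws_security_group.cpx` is the only group in this file without `vpc_id = aws_vpc.this.id`, so it is created in the region's default VPC. cpx.tf then attaches it to an instance in `aws_subnet.cpx`, which belongs to `aws_vpc.this`, and `aws_security_group_rule.cpx` names the proxy group from the other VPC as its source; both are expected to fail at apply. Add `vpc_id = aws_vpc.this.id` to the resource.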
@@ -1,19 +1,59 @@ -locals { - kasm_agent_vpc_subnet_cidr_mask = split("/", var.agent_vpc_cidr)[1] - kasm_agent_subnet_cidr_calculation = (8 - (local.kasm_agent_vpc_subnet_cidr_mask - 16)) - kasm_agent_subnet_cidr_size = local.kasm_agent_subnet_cidr_calculation < 0 ? 0 : local.kasm_agent_subnet_cidr_calculation -} - -resource "aws_subnet" "kasm-agent-subnet" { - vpc_id = data.aws_vpc.data-kasm_agent_vpc.id - cidr_block = cidrsubnet(var.agent_vpc_cidr, local.kasm_agent_subnet_cidr_size, 0) +resource "aws_subnet" "alb" { + count = 2 + vpc_id = aws_vpc.this.id + cidr_block = cidrsubnet(var.agent_vpc_cidr, local.kasm_agent_subnet_cidr_size, count.index) availability_zone = data.aws_availability_zones.available.names[0] map_public_ip_on_launch = true + tags = { - Name = "${var.project_name}-${var.zone_name}-kasm-agent-subnet" + Name = "${var.project_name}-${var.aws_region}-kasm-alb-subnet" } } -data "aws_subnet" "data-kasm_agent_subnet" { - id = aws_subnet.kasm-agent-subnet.id +resource "aws_subnet" "proxy" { + count = var.num_proxy_nodes + vpc_id = aws_vpc.this.id + cidr_block = cidrsubnet(var.agent_vpc_cidr, local.kasm_agent_subnet_cidr_size, (count.index + 2)) + availability_zone = data.aws_availability_zones.available.names[0] + + tags = { + Name = "${var.project_name}-${var.aws_region}-kasm-proxy-subnet" + } } + +resource "aws_subnet" "agent" { + vpc_id = aws_vpc.this.id + cidr_block = cidrsubnet(var.agent_vpc_cidr, local.kasm_agent_subnet_cidr_size, 4) + availability_zone = data.aws_availability_zones.available.names[0] + map_public_ip_on_launch = true + + tags = { + Name = "${var.project_name}-${var.aws_region}-kasm-agent-subnet" + } +} + +resource "aws_subnet" "cpx" { + count = var.num_cpx_nodes > 0 ? 
1 : 0 + + vpc_id = aws_vpc.this.id + cidr_block = cidrsubnet(var.agent_vpc_cidr, local.kasm_agent_subnet_cidr_size, 5) + availability_zone = data.aws_availability_zones.available.names[0] + + tags = { + Name = "${var.project_name}-${var.aws_region}-kasm-cpx-subnet" + } +} + +resource "aws_subnet" "windows" { + count = var.num_cpx_nodes > 0 ? 1 : 0 + + vpc_id = aws_vpc.this.id + cidr_block = cidrsubnet(var.agent_vpc_cidr, local.kasm_agent_subnet_cidr_size, 6) + availability_zone = data.aws_availability_zones.available.names[0] + map_public_ip_on_launch = true + + tags = { + Name = "${var.project_name}-${var.aws_region}-kasm-windows-subnet" + } +} + diff --git a/aws/multi_region/agents/variables.tf b/aws/multi_region/agents/variables.tf index 5d59afa..28c4d42 100644 --- a/aws/multi_region/agents/variables.tf +++ b/aws/multi_region/agents/variables.tf 
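Review bot: Both `aws_subnet.alb` instances are placed in `data.aws_availability_zones.available.names[0]`, but an application load balancer needs subnets in at least two Availability Zones, so `aws_lb.this` in elb.tf will most likely fail to create. For the ALB subnets use `availability_zone = data.aws_availability_zones.available.names[count.index]`. Every other subnet in the hunk is pinned to the same zone as well, which leaves the proxies without zone redundancy even though `num_proxy_nodes` defaults to 2.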
@@ -33,18 +33,55 @@ variable "agent_hdd_size_gb" { type = number } +variable "num_cpx_nodes" { + description = "The number of cpx Role Servers to create in the deployment" + type = number +} + +variable "cpx_instance_type" { + description = "The instance type for the cpx RDP nodes" + type = string +} + +variable "cpx_hdd_size_gb" { + description = "The HDD size for Kasm Guac RDP nodes" + type = number +} + +variable "aws_ssm_iam_role_name" { + description = "The name of the SSM EC2 role to associate with Kasm VMs for SSH access" + type = string + default = "" +} + +variable "num_proxy_nodes" { + description = "The number of Dedicated Proxy nodes to create in the deployment" + type = number + default = 2 +} + +variable "proxy_instance_type" { + description = "The instance type for the dedicated proxy nodes" + type = number +} + +variable "proxy_hdd_size_gb" { + description = "The HDD size for Dedicated Proxy nodes" + type = number +} + variable "aws_region" { description = "The AWS region for the deployment. (e.g us-east-1)" type = string } -variable "kasm_build" { - description = "The URL for the Kasm Workspaces build" +variable "load_balancer_log_bucket" { + description = "S3 bucket name for load balancers to forward access logs to" type = string } -variable "zone_name" { - description = "A name given to the Kasm deployment Zone" +variable "kasm_build" { + description = "The URL for the Kasm Workspaces build" type = string } 
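Review bot: `proxy_instance_type` is declared `type = number`, but proxy.tf passes it to `instance_type`, and the sibling `cpx_instance_type` and `agent_instance_type` are strings; any real instance type name will fail conversion. Change it to `type = string`. `aws_ssm_iam_role_name` is described as a role name but is used as `iam_instance_profile`, and its `""` default leaves the instances without a profile, so the description should say "instance profile name" and note that empty disables SSM access. The description of `cpx_hdd_size_gb` still says "Kasm Guac RDP nodes".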
@@ -64,9 +101,15 @@ variable "manager_token" { sensitive = true } -variable "ssh_access_cidrs" { - description = "CIDR notation of the bastion host allowed to SSH in to the machines" - type = list(string) +variable "service_registration_token" { + description = "The service registration token value for cpx RDP servers to authenticate to webapps. No special characters" + type = string + sensitive = true +} + +variable "management_region_nat_gateway" { + description = "A list Kasm management region NAT gateways to allow Webapps ingress on 4902 to Kasm Windows agent" + type = string } variable "anywhere" { 
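Review bot: `management_region_nat_gateway` is described as a list but typed `string`, and security_group.tf wraps it as `cidr_blocks = [var.management_region_nat_gateway]`, so it must be a single CIDR. deployment.tf feeds it `module.primary_region.nat_gateway_ip`, which by its name may be a bare address with no prefix length; that output is not visible here. A `validation` block with `condition = can(cidrhost(var.management_region_nat_gateway, 0))` would catch a bad value at plan time, and the description should read "CIDR of the management region NAT gateway (e.g. a /32)".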
@@ -74,3 +117,113 @@ variable "anywhere" { type = string default = "0.0.0.0/0" } + +variable "public_lb_security_rules" { + description = "A map of objects of security rules to apply to the Public ALB" + type = map(object({ + from_port = number + to_port = number + protocol = string + })) + + default = { + https = { + from_port = 443 + to_port = 443 + protocol = "tcp" + } + http = { + from_port = 80 + to_port = 80 + protocol = "tcp" + } + } +} + +variable "proxy_security_rules" { + description = "A map of objects of security rules to apply to the Kasm WebApp server" + type = object({ + from_port = number + to_port = number + protocol = string + }) + + default = { + from_port = 443 + to_port = 443 + protocol = "tcp" + } +} + +variable "cpx_security_rules" { + description = "A map of objects of security rules to apply to the Kasm Connection Proxy server" + type = map(object({ + from_port = number + to_port = number + protocol = string + })) + + default = { + https = { + from_port = 443 + to_port = 443 + protocol = "tcp" + } + } +} + +variable "agent_security_rules" { + description = "A map of objects of security rules to apply to the Kasm WebApp server" + type = map(object({ + from_port = number + to_port = number + protocol = string + })) + + default = { + https = { + from_port = 443 + to_port = 443 + protocol = "tcp" + } + } +} + +variable "windows_security_rules" { + description = "A map of objects of security rules to apply to the Kasm Windows VMs" + type = map(object({ + from_port = number + to_port = number + protocol = string + })) + + default = { + rdp = { + from_port = 3389 + to_port = 3389 + protocol = "tcp" + } + api = { + from_port = 4902 + to_port = 4902 + protocol = "tcp" + } + } +} + +variable "default_egress" { + description = "Default egress security rule for all security groups" + type = object({ + from_port = number + to_port = number + protocol = string + cidr_subnets = list(string) + }) + + default = { + from_port = 0 + to_port = 0 + protocol = 
"-1" + cidr_subnets = ["0.0.0.0/0"] + } +} diff --git a/aws/multi_region/agents/vpc.tf b/aws/multi_region/agents/vpc.tf index 4f5a78d..5935f27 100644 --- a/aws/multi_region/agents/vpc.tf +++ b/aws/multi_region/agents/vpc.tf @@ -1,23 +1,32 @@ -resource "aws_vpc" "kasm-agent-vpc" { +resource "aws_vpc" "this" { cidr_block = var.agent_vpc_cidr enable_dns_hostnames = true enable_dns_support = true + tags = { - Name = "${var.project_name}-${var.zone_name}-kasm-vpc" + Name = "${var.project_name}-${var.aws_region}-kasm-vpc" } } -data "aws_vpc" "data-kasm_agent_vpc" { - id = aws_vpc.kasm-agent-vpc.id -} +resource "aws_internet_gateway" "this" { + vpc_id = aws_vpc.this.id -resource "aws_internet_gateway" "kasm-default-ig" { - vpc_id = data.aws_vpc.data-kasm_agent_vpc.id tags = { - Name = "${var.project_name}-${var.zone_name}-kasm-ig" + Name = "${var.project_name}-${var.aws_region}-kasm-ig" } } -data "aws_internet_gateway" "data-kasm_agent_default_ig" { - internet_gateway_id = aws_internet_gateway.kasm-default-ig.id +resource "aws_eip" "this" { + domain = "vpc" +} + +resource "aws_nat_gateway" "this" { + allocation_id = aws_eip.this.id + subnet_id = aws_subnet.alb[0].id + + tags = { + Name = "${var.project_name}-${var.aws_region}-kasm-nat" + } + + depends_on = [aws_internet_gateway.this] } diff --git a/aws/multi_region/deployment.tf b/aws/multi_region/deployment.tf index 9d4b835..cf2a038 100644 --- a/aws/multi_region/deployment.tf +++ b/aws/multi_region/deployment.tf @@ -11,6 +11,7 @@ module "primary_region" { ec2_ami = var.primary_region_ec2_ami_id db_instance_type = var.db_instance_type num_webapps = var.num_webapps + num_cpx_nodes = var.num_cpx_nodes project_name = var.project_name kasm_build = var.kasm_build db_hdd_size_gb = var.db_hdd_size_gb 
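Review bot: `default_egress` in variables.tf declares `from_port`, `to_port`, `protocol` and `cidr_subnets`, but `aws_security_group_rule.egress` in security_group.tf reads `each.value.rule_type`, which does not exist on the object and is an evaluation error. That rule also ignores `cidr_subnets` and uses `[var.anywhere]`. Either add `rule_type = string` here with default `"egress"`, or set `type = "egress"` and `cidr_blocks = each.value.cidr_subnets` in the rule. The `proxy_security_rules` description says "map of objects" although the type is a single object, and the `agent_security_rules` description still names the WebApp server.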
@@ -23,39 +24,43 @@ module "primary_region" { service_registration_token = var.service_registration_token aws_key_pair = var.aws_key_pair aws_domain_name = var.aws_domain_name - ssh_access_cidrs = var.ssh_access_cidrs web_access_cidrs = var.web_access_cidrs } -module "primary_region-webapps-and-agents" { +module "primary_region_webapps_and_agents" { source = "./webapps" faux_aws_region = var.aws_primary_region zone_name = var.aws_primary_region primary_aws_region = var.aws_primary_region + load_balancer_subnet_ids = module.primary_region.lb_subnet_ids num_webapps = var.num_webapps num_agents = var.num_agents + num_cpx_nodes = var.num_cpx_nodes ec2_ami = var.primary_region_ec2_ami_id swap_size = var.swap_size webapp_subnet_ids = module.primary_region.webapp_subnet_ids webapp_security_group_id = module.primary_region.webapp_security_group_id agent_subnet_id = module.primary_region.agent_subnet_id agent_security_group_id = module.primary_region.agent_security_group_id + cpx_security_group_id = module.primary_region.cpx_security_group_id load_balancer_security_group_id = module.primary_region.lb_security_group_id webapp_instance_type = var.webapp_instance_type webapp_hdd_size_gb = var.webapp_hdd_size_gb agent_instance_type = var.agent_instance_type agent_hdd_size_gb = var.agent_hdd_size_gb + cpx_instance_type = var.cpx_instance_type + cpx_hdd_size_gb = var.cpx_hdd_size_gb aws_domain_name = var.aws_domain_name project_name = var.project_name kasm_build = var.kasm_build database_password = var.database_password redis_password = var.redis_password manager_token = var.manager_token + service_registration_token = var.service_registration_token aws_key_pair = var.aws_key_pair kasm_db_ip = module.primary_region.kasm_db_ip primary_vpc_id = module.primary_region.primary_vpc_id certificate_arn = module.primary_region.certificate_arn - ssh_access_cidrs = var.ssh_access_cidrs load_balancer_log_bucket = module.primary_region.lb_log_bucket } 
@@ -64,11 +69,12 @@ module "primary_region-webapps-and-agents" { # Add a webapp and agent module for each additional region desired. # ##################################################################### -module "region2-webapps" { +module "region2_webapps" { source = "./webapps" faux_aws_region = var.secondary_regions_settings.region2.agent_region zone_name = var.secondary_regions_settings.region2.agent_region primary_aws_region = var.aws_primary_region + load_balancer_subnet_ids = module.primary_region.lb_subnet_ids num_webapps = var.num_webapps webapp_instance_type = var.webapp_instance_type webapp_hdd_size_gb = var.webapp_hdd_size_gb 
@@ -87,26 +93,31 @@ module "region2-webapps" { kasm_db_ip = module.primary_region.kasm_db_ip primary_vpc_id = module.primary_region.primary_vpc_id certificate_arn = module.primary_region.certificate_arn - ssh_access_cidrs = var.ssh_access_cidrs load_balancer_log_bucket = module.primary_region.lb_log_bucket } -module "region2-agents" { - source = "./agents" - aws_region = var.secondary_regions_settings.region2.agent_region - zone_name = var.secondary_regions_settings.region2.agent_region - num_agents = var.secondary_regions_settings.region2.num_agents - agent_instance_type = var.secondary_regions_settings.region2.agent_instance_type - ec2_ami = var.secondary_regions_settings.region2.agent_ec2_ami_id - agent_vpc_cidr = var.secondary_regions_settings.region2.agent_vpc_cidr - agent_hdd_size_gb = var.secondary_regions_settings.region2.agent_hdd_size_gb - swap_size = var.swap_size - aws_domain_name = var.aws_domain_name - project_name = var.project_name - kasm_build = var.kasm_build - manager_token = var.manager_token - aws_key_pair = var.aws_key_pair - ssh_access_cidrs = var.ssh_access_cidrs +module "region2_agents" { + source = "./agents" + aws_region = var.secondary_regions_settings.region2.agent_region + ec2_ami = var.secondary_regions_settings.region2.ec2_ami_id + agent_vpc_cidr = var.secondary_regions_settings.region2.agent_vpc_cidr + load_balancer_log_bucket = module.primary_region.lb_log_bucket + management_region_nat_gateway = module.primary_region.nat_gateway_ip + proxy_instance_type = var.proxy_instance_type + proxy_hdd_size_gb = var.proxy_hdd_size_gb + num_agents = var.num_agents + agent_instance_type = var.agent_instance_type + agent_hdd_size_gb = var.agent_hdd_size_gb + num_cpx_nodes = var.num_cpx_nodes + cpx_instance_type = var.cpx_instance_type + cpx_hdd_size_gb = var.cpx_hdd_size_gb + swap_size = var.swap_size + aws_domain_name = var.aws_domain_name + project_name = var.project_name + kasm_build = var.kasm_build + aws_key_pair = var.aws_key_pair + 
manager_token = var.manager_token + service_registration_token = var.service_registration_token providers = { aws = aws.region2 @@ -120,13 +131,11 @@ module "region2-agents" { # file for your desired region. # ######################################################################### -# module "region3-webapps" { +# module "region3_webapps" { # source = "./webapps" -# ##### Update the values below to reference the appropriate region number # faux_aws_region = var.secondary_regions_settings.region3.agent_region # zone_name = var.secondary_regions_settings.region3.agent_region -# -# ##### The values below should not change +# load_balancer_subnet_ids = module.primary_region.lb_subnet_ids # primary_aws_region = var.aws_primary_region # num_webapps = var.num_webapps # webapp_instance_type = var.webapp_instance_type 
@@ -146,31 +155,32 @@ module "region2-agents" { # kasm_db_ip = module.primary_region.kasm_db_ip # primary_vpc_id = module.primary_region.primary_vpc_id # certificate_arn = module.primary_region.certificate_arn -# ssh_access_cidrs = var.ssh_access_cidrs # load_balancer_log_bucket = module.primary_region.lb_log_bucket # } -# module "region3-agents" { -# source = "./agents" -# ##### Update the values below to reference the appropriate region number -# aws_region = var.secondary_regions_settings.region3.agent_region -# zone_name = var.secondary_regions_settings.region3.agent_region -# num_agents = var.secondary_regions_settings.region3.num_agents -# agent_instance_type = var.secondary_regions_settings.region3.agent_instance_type -# ec2_ami = var.secondary_regions_settings.region3.agent_ec2_ami_id -# agent_vpc_cidr = var.secondary_regions_settings.region3.agent_vpc_cidr -# agent_hdd_size_gb = var.secondary_regions_settings.region3.agent_hdd_size_gb -# swap_size = var.swap_size -# -# ##### The values below should not change -# aws_domain_name = var.aws_domain_name -# project_name = var.project_name -# kasm_build = var.kasm_build -# manager_token = var.manager_token -# aws_key_pair = var.aws_key_pair -# ssh_access_cidrs = var.ssh_access_cidrs -# -# ##### Update the provider to reference the settings in the provder.tf file +# module "region3_agents" { +# source = "./agents" +# aws_region = var.secondary_regions_settings.region3.agent_region +# ec2_ami = var.secondary_regions_settings.region3.ec2_ami_id +# agent_vpc_cidr = var.secondary_regions_settings.region3.agent_vpc_cidr +# load_balancer_log_bucket = module.primary_region.lb_log_bucket +# management_region_nat_gateway = module.primary_region.nat_gateway_ip +# proxy_instance_type = var.proxy_instance_type +# proxy_hdd_size_gb = var.proxy_hdd_size_gb +# num_agents = var.num_agents +# agent_instance_type = var.agent_instance_type +# agent_hdd_size_gb = var.agent_hdd_size_gb +# num_cpx_nodes = var.num_cpx_nodes +# 
cpx_instance_type = var.cpx_instance_type +# cpx_hdd_size_gb = var.cpx_hdd_size_gb +# swap_size = var.swap_size +# aws_domain_name = var.aws_domain_name +# project_name = var.project_name +# kasm_build = var.kasm_build +# aws_key_pair = var.aws_key_pair +# manager_token = var.manager_token +# service_registration_token = var.service_registration_token + # providers = { # aws = aws.region3 # } diff --git a/aws/multi_region/primary/README.md b/aws/multi_region/primary/README.md new file mode 100644 index 0000000..16656b2 --- /dev/null +++ b/aws/multi_region/primary/README.md 
@@ -0,0 +1,126 @@ +# primary + + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | ~> 1.0 | +| [aws](#requirement\_aws) | ~> 5.0 | + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | 5.36.0 | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [aws_acm_certificate.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/acm_certificate) | resource | +| [aws_acm_certificate_validation.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/acm_certificate_validation) | resource | +| [aws_eip.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eip) | resource | +| [aws_iam_instance_profile.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_instance_profile) | resource | +| [aws_iam_role.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_iam_role_policy_attachment.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | +| [aws_instance.db](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance) | resource | +| [aws_internet_gateway.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/internet_gateway) | resource | +| [aws_nat_gateway.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/nat_gateway) | resource | +| [aws_route53_record.certificate](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource | +| [aws_route_table.internet_gateway](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table) | resource | +| [aws_route_table.nat_gateway](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table) | resource | +| 
[aws_route_table_association.agent](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table_association) | resource | +| [aws_route_table_association.alb](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table_association) | resource | +| [aws_route_table_association.cpx](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table_association) | resource | +| [aws_route_table_association.db](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table_association) | resource | +| [aws_route_table_association.webapp](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table_association) | resource | +| [aws_route_table_association.windows](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table_association) | resource | +| [aws_s3_bucket.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource | +| [aws_s3_bucket_acl.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) | resource | +| [aws_s3_bucket_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource | +| [aws_s3_bucket_public_access_block.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource | +| [aws_s3_bucket_server_side_encryption_configuration.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource | +| [aws_security_group.agent](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | +| [aws_security_group.cpx](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | +| 
[aws_security_group.db](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | +| [aws_security_group.public_lb](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | +| [aws_security_group.webapp](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | +| [aws_security_group.windows](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | +| [aws_security_group_rule.agent](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | +| [aws_security_group_rule.cpx](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | +| [aws_security_group_rule.db](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | +| [aws_security_group_rule.egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | +| [aws_security_group_rule.public_lb](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | +| [aws_security_group_rule.webapp](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | +| [aws_security_group_rule.windows](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | +| [aws_subnet.agent](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet) | resource | +| [aws_subnet.alb](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet) | resource | +| [aws_subnet.cpx](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet) | resource | +| 
[aws_subnet.db](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet) | resource | +| [aws_subnet.webapp](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet) | resource | +| [aws_subnet.windows](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet) | resource | +| [aws_vpc.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc) | resource | +| [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source | +| [aws_elb_service_account.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/elb_service_account) | data source | +| [aws_route53_zone.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route53_zone) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [admin\_password](#input\_admin\_password) | The administrative user password. No special characters | `string` | n/a | yes | +| [agent\_security\_rules](#input\_agent\_security\_rules) | A map of objects of security rules to apply to the Kasm WebApp server |
map(object({
from_port = number
to_port = number
protocol = string
}))
|
{
"https": {
"from_port": 443,
"protocol": "tcp",
"to_port": 443
}
}
| no | +| [anywhere](#input\_anywhere) | Anywhere subnet for routing and load ingress from all IPs | `string` | `"0.0.0.0/0"` | no | +| [aws\_domain\_name](#input\_aws\_domain\_name) | The Route53 Zone used for the dns entries. This must already exist in the AWS account. (e.g dev.kasm.contoso.com). The deployment will be accessed via this zone name via https | `string` | n/a | yes | +| [aws\_key\_pair](#input\_aws\_key\_pair) | The name of an aws keypair to use. | `string` | n/a | yes | +| [aws\_region](#input\_aws\_region) | The AWS region for the deployment. (e.g us-east-1) | `string` | n/a | yes | +| [aws\_ssm\_iam\_role\_name](#input\_aws\_ssm\_iam\_role\_name) | The name of the SSM EC2 role to associate with Kasm VMs for SSH access | `string` | `""` | no | +| [cpx\_security\_rules](#input\_cpx\_security\_rules) | A map of objects of security rules to apply to the Kasm Connection Proxy server |
map(object({
from_port = number
to_port = number
protocol = string
}))
|
{
"https": {
"from_port": 443,
"protocol": "tcp",
"to_port": 443
}
}
| no | +| [database\_password](#input\_database\_password) | The password for the database. No special characters | `string` | n/a | yes | +| [db\_hdd\_size\_gb](#input\_db\_hdd\_size\_gb) | The HDD size in GB to configure for the Kasm Database instances | `number` | n/a | yes | +| [db\_instance\_type](#input\_db\_instance\_type) | The instance type for the Database | `string` | n/a | yes | +| [db\_security\_rules](#input\_db\_security\_rules) | A map of objects of security rules to apply to the Kasm DB |
map(object({
from_port = number
to_port = number
protocol = string
}))
|
{
"postgres": {
"from_port": 5432,
"protocol": "tcp",
"to_port": 5432
},
"redis": {
"from_port": 6379,
"protocol": "tcp",
"to_port": 6379
}
}
| no | +| [default\_egress](#input\_default\_egress) | Default egress security rule for all security groups |
object({
from_port = number
to_port = number
protocol = string
cidr_subnets = list(string)
})
|
{
"cidr_subnets": [
"0.0.0.0/0"
],
"from_port": 0,
"protocol": "-1",
"to_port": 0
}
| no | +| [ec2\_ami](#input\_ec2\_ami) | The AMI used for the EC2 nodes. Recommended Ubuntu 22.04 LTS. | `string` | n/a | yes | +| [kasm\_build](#input\_kasm\_build) | The URL for the Kasm Workspaces build | `string` | n/a | yes | +| [manager\_token](#input\_manager\_token) | The manager token value for Agents to authenticate to webapps. No special characters | `string` | n/a | yes | +| [num\_cpx\_nodes](#input\_num\_cpx\_nodes) | The number of cpx RDP role servers to create in the deployment | `number` | n/a | yes | +| [num\_webapps](#input\_num\_webapps) | The number of WebApp role servers to create in the deployment | `number` | n/a | yes | +| [project\_name](#input\_project\_name) | The name of the deployment (e.g dev, staging). A short single word | `string` | n/a | yes | +| [public\_lb\_security\_rules](#input\_public\_lb\_security\_rules) | A map of objects of security rules to apply to the Public ALB |
map(object({
from_port = number
to_port = number
protocol = string
}))
|
{
"http": {
"from_port": 80,
"protocol": "tcp",
"to_port": 80
},
"https": {
"from_port": 443,
"protocol": "tcp",
"to_port": 443
}
}
| no | +| [redis\_password](#input\_redis\_password) | The password for the Redis server. No special characters | `string` | n/a | yes | +| [service\_registration\_token](#input\_service\_registration\_token) | The service registration token value for cpx RDP servers to authenticate to webapps. No special characters | `string` | n/a | yes | +| [swap\_size](#input\_swap\_size) | The amount of swap (in MB) to configure inside the compute instances | `number` | n/a | yes | +| [user\_password](#input\_user\_password) | The standard (non administrator) user password. No special characters | `string` | n/a | yes | +| [vpc\_subnet\_cidr](#input\_vpc\_subnet\_cidr) | The subnet CIDR to use for the Primary VPC | `string` | n/a | yes | +| [web\_access\_cidrs](#input\_web\_access\_cidrs) | List of Networks in CIDR notation for IPs allowed to access the Kasm Web interface | `list(string)` | n/a | yes | +| [webapp\_security\_rules](#input\_webapp\_security\_rules) | A map of objects of security rules to apply to the Kasm WebApp server |
object({
from_port = number
to_port = number
protocol = string
})
|
{
"from_port": 443,
"protocol": "tcp",
"to_port": 443
}
| no | +| [windows\_security\_rules](#input\_windows\_security\_rules) | A map of objects of security rules to apply to the Kasm Windows VMs |
map(object({
from_port = number
to_port = number
protocol = string
}))
|
{
"cpx_rdp": {
"from_port": 3389,
"protocol": "tcp",
"to_port": 3389
},
"cpx_screenshot": {
"from_port": 4902,
"protocol": "tcp",
"to_port": 4902
},
"webapp_screenshot": {
"from_port": 4902,
"protocol": "tcp",
"to_port": 4902
}
}
| no | +| [zone\_name](#input\_zone\_name) | A name given to the kasm deployment Zone | `string` | `"default"` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [agent\_security\_group\_id](#output\_agent\_security\_group\_id) | Kasm Agent Primary region security group ID | +| [agent\_subnet\_id](#output\_agent\_subnet\_id) | Kasm Agent Primary region subnet ID | +| [certificate\_arn](#output\_certificate\_arn) | AWS Certificate manager certificate ARN | +| [cpx\_security\_group\_id](#output\_cpx\_security\_group\_id) | Kasm Connection Proxy Primary region security group ID | +| [cpx\_subnet\_id](#output\_cpx\_subnet\_id) | Kasm cpx RDP Primary region subnet ID | +| [kasm\_db\_ip](#output\_kasm\_db\_ip) | Kasm Database server subnet ID | +| [lb\_log\_bucket](#output\_lb\_log\_bucket) | Load balancer logging bucket name | +| [lb\_security\_group\_id](#output\_lb\_security\_group\_id) | Kasm Load balancer security group ID | +| [lb\_subnet\_ids](#output\_lb\_subnet\_ids) | A list of the Public LB subnet IDs | +| [nat\_gateway\_ip](#output\_nat\_gateway\_ip) | The NAT Gateway IP returned in CIDR notation for use with Windows security group rules | +| [primary\_vpc\_id](#output\_primary\_vpc\_id) | Kasm VPC ID | +| [ssm\_iam\_profile](#output\_ssm\_iam\_profile) | The SSM IAM Instance Profile name | +| [webapp\_security\_group\_id](#output\_webapp\_security\_group\_id) | Kasm Webapp security group ID | +| [webapp\_subnet\_ids](#output\_webapp\_subnet\_ids) | A list of the Kasm Webapp subnet IDs | +| [windows\_security\_group\_id](#output\_windows\_security\_group\_id) | Kasm Windows Primary region security group ID | +| [windows\_subnet\_id](#output\_windows\_subnet\_id) | Kasm Windows Primary region subnet ID | + diff --git a/aws/multi_region/primary/availability_zones.tf b/aws/multi_region/primary/availability_zones.tf deleted file mode 100644 index 87d8f48..0000000 --- a/aws/multi_region/primary/availability_zones.tf +++ /dev/null 
@@ -1,3 +0,0 @@ -data "aws_availability_zones" "available" { - state = "available" -} diff --git a/aws/multi_region/primary/cert.tf b/aws/multi_region/primary/cert.tf index 9881f83..2284fb4 100644 --- a/aws/multi_region/primary/cert.tf +++ b/aws/multi_region/primary/cert.tf @@ -1,9 +1,4 @@ -data "aws_route53_zone" "kasm-route53-zone" { - name = var.aws_domain_name - private_zone = false -} - -resource "aws_acm_certificate" "kasm-alb-cert" { +resource "aws_acm_certificate" "this" { domain_name = var.aws_domain_name subject_alternative_names = ["*.${var.aws_domain_name}"] validation_method = "DNS" @@ -14,9 +9,9 @@ resource "aws_acm_certificate" "kasm-alb-cert" { } } -resource "aws_route53_record" "kasm-route53-cert-validation-record" { +resource "aws_route53_record" "certificate" { for_each = { - for dvo in aws_acm_certificate.kasm-alb-cert.domain_validation_options : dvo.domain_name => { + for dvo in aws_acm_certificate.this.domain_validation_options : dvo.domain_name => { name = dvo.resource_record_name record = dvo.resource_record_value type = dvo.resource_record_type @@ -25,14 +20,14 @@ resource "aws_route53_record" "kasm-route53-cert-validation-record" { name = each.value.name type = each.value.type records = [each.value.record] - zone_id = data.aws_route53_zone.kasm-route53-zone.id + zone_id = data.aws_route53_zone.this.id ttl = 30 allow_overwrite = true } -resource "aws_acm_certificate_validation" "kasm-elb-certificate-validation" { - certificate_arn = aws_acm_certificate.kasm-alb-cert.arn - validation_record_fqdns = [for record in aws_route53_record.kasm-route53-cert-validation-record : record.fqdn] +resource "aws_acm_certificate_validation" "this" { + certificate_arn = aws_acm_certificate.this.arn + validation_record_fqdns = [for record in aws_route53_record.certificate : record.fqdn] } diff --git a/aws/multi_region/primary/db.tf b/aws/multi_region/primary/db.tf index 6f7b8e4..65716ac 100644 --- a/aws/multi_region/primary/db.tf 
+++ b/aws/multi_region/primary/db.tf @@ -1,9 +1,10 @@ -resource "aws_instance" "kasm-db" { +resource "aws_instance" "db" { ami = var.ec2_ami instance_type = var.db_instance_type - vpc_security_group_ids = [data.aws_security_group.data-kasm_db_sg.id] - subnet_id = data.aws_subnet.data-kasm_db_subnet.id + vpc_security_group_ids = [aws_security_group.db.id] + subnet_id = aws_subnet.db.id key_name = var.aws_key_pair + iam_instance_profile = var.aws_ssm_iam_role_name == "" ? aws_iam_instance_profile.this[0].name : var.aws_ssm_iam_role_name root_block_device { volume_size = var.db_hdd_size_gb @@ -11,13 +12,14 @@ resource "aws_instance" "kasm-db" { user_data = templatefile("${path.module}/../userdata/db_bootstrap.sh", { - kasm_build_url = var.kasm_build - user_password = var.user_password - admin_password = var.admin_password - redis_password = var.redis_password - database_password = var.database_password - manager_token = var.manager_token - swap_size = var.swap_size + kasm_build_url = var.kasm_build + user_password = var.user_password + admin_password = var.admin_password + redis_password = var.redis_password + database_password = var.database_password + manager_token = var.manager_token + service_registration_token = var.service_registration_token + swap_size = var.swap_size } ) @@ -25,7 +27,3 @@ resource "aws_instance" "kasm-db" { Name = "${var.project_name}-kasm-db" } } - -data "aws_instance" "data-kasm_db" { - instance_id = aws_instance.kasm-db.id -} diff --git a/aws/multi_region/primary/dependencies.tf b/aws/multi_region/primary/dependencies.tf new file mode 100644 index 0000000..7cfe6c7 --- /dev/null +++ b/aws/multi_region/primary/dependencies.tf 
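Review bot: `iam_instance_profile` on `aws_instance.db` expects an instance profile name, but its fallback is `var.aws_ssm_iam_role_name`, which the module README describes as the name of an SSM EC2 role. A caller who passes a role name whose profile is named differently would hit an apply-time failure. Either rename the input or state the requirement beside the line, for example `# must be an existing instance profile name, not the role name`. The same expression feeds the `ssm_iam_profile` output in output.tf, and the resource body continues outside this hunk.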
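Review bot: Adding `service_registration_token` to the `templatefile` map puts one more secret, alongside the passwords and `manager_token`, into the instance user data. User data stays readable from the instance metadata service, is readable by any principal allowed to describe instance attributes, and is written to Terraform state. At minimum I would require IMDSv2 on `aws_instance.db` with `metadata_options { http_tokens = "required" }` and mark the corresponding variables `sensitive = true`. Having the bootstrap script read the secrets from a secrets store at boot would keep them out of user data entirely. The variable declarations and the rest of the resource are outside this hunk.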
@@ -0,0 +1,23 @@ +locals { + all_security_groups = compact([ + aws_security_group.public_lb.id, + aws_security_group.webapp.id, + aws_security_group.agent.id, + aws_security_group.db.id, + one(aws_security_group.cpx[*].id), + one(aws_security_group.windows[*].id) + ]) + + webapp_security_rules = { for value in local.all_security_groups : value => var.webapp_security_rules if value != aws_security_group.db.id || value != aws_security_group.webapp.id } +} + +data "aws_availability_zones" "available" { + state = "available" +} + +data "aws_elb_service_account" "main" {} + +data "aws_route53_zone" "this" { + name = var.aws_domain_name + private_zone = false +} diff --git a/aws/multi_region/primary/lb_s3_log_bucket.tf b/aws/multi_region/primary/lb_s3_log_bucket.tf index b43677f..5067a24 100644 --- a/aws/multi_region/primary/lb_s3_log_bucket.tf +++ b/aws/multi_region/primary/lb_s3_log_bucket.tf @@ -1,21 +1,15 @@ -data "aws_elb_service_account" "main" {} - -resource "aws_s3_bucket" "kasm_s3_logs" { +resource "aws_s3_bucket" "this" { bucket_prefix = "${var.project_name}-${var.zone_name}-" force_destroy = true } -data "aws_s3_bucket" "data-kasm_s3_logs_bucket" { - bucket = aws_s3_bucket.kasm_s3_logs.bucket -} - -resource "aws_s3_bucket_acl" "kasm_s3_acl" { - bucket = data.aws_s3_bucket.data-kasm_s3_logs_bucket.id +resource "aws_s3_bucket_acl" "this" { + bucket = aws_s3_bucket.this.id acl = "private" } -resource "aws_s3_bucket_policy" "kasm_s3_logs_policy" { - bucket = data.aws_s3_bucket.data-kasm_s3_logs_bucket.id +resource "aws_s3_bucket_policy" "this" { + bucket = aws_s3_bucket.this.id policy = jsonencode({ Id = "Policy" @@ -26,7 +20,7 @@ resource "aws_s3_bucket_policy" "kasm_s3_logs_policy" { "s3:PutObject" ] Effect = "Allow" - Resource = "${aws_s3_bucket.kasm_s3_logs.arn}/AWSLogs/*" + Resource = "${aws_s3_bucket.this.arn}/AWSLogs/*" Principal = { AWS = [ data.aws_elb_service_account.main.arn 
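Review bot: The filter on `local.webapp_security_rules` is always true: `value != aws_security_group.db.id || value != aws_security_group.webapp.id` holds for every ID because no value equals both. As written, every group in `all_security_groups`, including the DB group and the webapp group itself, is granted the webapp ingress rule. If the intent is to exclude those two, the condition should read `if value != aws_security_group.db.id && value != aws_security_group.webapp.id`. Separately, the map keys are security group IDs that are unknown until apply, so `for_each` over this map (and over the egress map built from the same list) is likely to be rejected on a first plan; keying by a static name and carrying the ID in the value avoids that.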
@@ -37,8 +31,8 @@ resource "aws_s3_bucket_policy" "kasm_s3_logs_policy" { }) } -resource "aws_s3_bucket_server_side_encryption_configuration" "encrypt_elb_bucket" { - bucket = data.aws_s3_bucket.data-kasm_s3_logs_bucket.id +resource "aws_s3_bucket_server_side_encryption_configuration" "this" { + bucket = aws_s3_bucket.this.id rule { apply_server_side_encryption_by_default { @@ -47,8 +41,8 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "encrypt_elb_bucke } } -resource "aws_s3_bucket_public_access_block" "s3_log_public_access" { - bucket = data.aws_s3_bucket.data-kasm_s3_logs_bucket.id +resource "aws_s3_bucket_public_access_block" "this" { + bucket = aws_s3_bucket.this.id block_public_acls = true block_public_policy = true ignore_public_acls = true diff --git a/aws/multi_region/primary/output.tf b/aws/multi_region/primary/output.tf index f735419..fc10d44 100644 --- a/aws/multi_region/primary/output.tf +++ b/aws/multi_region/primary/output.tf 
@@ -1,35 +1,79 @@ output "certificate_arn" { - value = aws_acm_certificate_validation.kasm-elb-certificate-validation.certificate_arn + description = "AWS Certificate manager certificate ARN" + value = aws_acm_certificate_validation.this.certificate_arn +} + +output "lb_subnet_ids" { + description = "A list of the Public LB subnet IDs" + value = aws_subnet.alb[*].id } output "webapp_subnet_ids" { - value = data.aws_subnet.data-kasm_webapp_subnets[*].id + description = "A list of the Kasm Webapp subnet IDs" + value = aws_subnet.webapp[*].id } output "agent_subnet_id" { - value = data.aws_subnet.data-kasm_agent_subnet.id + description = "Kasm Agent Primary region subnet ID" + value = aws_subnet.agent.id +} + +output "cpx_subnet_id" { + description = "Kasm cpx RDP Primary region subnet ID" + value = one(aws_subnet.cpx[*].id) +} + +output "windows_subnet_id" { + description = "Kasm Windows Primary region subnet ID" + value = one(aws_subnet.windows[*].id) } output "kasm_db_ip" { - value = data.aws_instance.data-kasm_db.private_ip + description = "Kasm Database server subnet ID" + value = aws_instance.db.private_ip } output "primary_vpc_id" { - value = data.aws_vpc.data-kasm-default-vpc.id + description = "Kasm VPC ID" + value = aws_vpc.this.id } output "lb_log_bucket" { - value = data.aws_s3_bucket.data-kasm_s3_logs_bucket.bucket + description = "Load balancer logging bucket name" + value = aws_s3_bucket.this.bucket } output "lb_security_group_id" { - value = data.aws_security_group.data-kasm_default_elb_sg.id + description = "Kasm Load balancer security group ID" + value = aws_security_group.public_lb.id } output "webapp_security_group_id" { - value = data.aws_security_group.data-kasm_webapp_sg.id + description = "Kasm Webapp security group ID" + value = aws_security_group.webapp.id } output "agent_security_group_id" { - value = data.aws_security_group.data-kasm_agent_sg.id + description = "Kasm Agent Primary region security group ID" + value = 
aws_security_group.agent.id +} + +output "cpx_security_group_id" { + description = "Kasm Connection Proxy Primary region security group ID" + value = one(aws_security_group.cpx[*].id) +} + +output "windows_security_group_id" { + description = "Kasm Windows Primary region security group ID" + value = one(aws_security_group.windows[*].id) +} + +output "ssm_iam_profile" { + description = "The SSM IAM Instance Profile name" + value = var.aws_ssm_iam_role_name == "" ? aws_iam_instance_profile.this[0].name : var.aws_ssm_iam_role_name +} + +output "nat_gateway_ip" { + description = "The NAT Gateway IP returned in CIDR notation for use with Windows security group rules" + value = "${aws_nat_gateway.this.public_ip}/32" } diff --git a/aws/multi_region/primary/provider.tf b/aws/multi_region/primary/provider.tf index ea82995..2039c6e 100644 --- a/aws/multi_region/primary/provider.tf +++ b/aws/multi_region/primary/provider.tf @@ -1,8 +1,10 @@ terraform { + required_version = "~> 1.0" + required_providers { aws = { - source = "hashicorp/aws" - #version = "4.56.0" + source = "hashicorp/aws" + version = "~> 5.0" } } } \ No newline at end of file diff --git a/aws/multi_region/primary/routes.tf b/aws/multi_region/primary/routes.tf index 50c62e8..47bfb29 100644 --- a/aws/multi_region/primary/routes.tf +++ b/aws/multi_region/primary/routes.tf @@ -1,9 +1,9 @@ -resource "aws_route_table" "internet_access" { - vpc_id = data.aws_vpc.data-kasm-default-vpc.id +resource "aws_route_table" "internet_gateway" { + vpc_id = aws_vpc.this.id route { cidr_block = var.anywhere - gateway_id = data.aws_internet_gateway.data-kasm_default_ig.id + gateway_id = aws_internet_gateway.this.id } tags = { 
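Review bot: The new description on output `kasm_db_ip` does not match its value: it says "Kasm Database server subnet ID" while the output returns `aws_instance.db.private_ip`. Since this text is what the generated README publishes, I would change it to `description = "Kasm Database server private IP address"`. The other descriptions added in this hunk agree with their values as far as the visible lines show.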
@@ -11,22 +11,51 @@ resource "aws_route_table" "internet_access" { } } -data "aws_route_table" "data-internet_gateway_route_table" { - route_table_id = aws_route_table.internet_access.id +resource "aws_route_table" "nat_gateway" { + vpc_id = aws_vpc.this.id + + route { + cidr_block = var.anywhere + gateway_id = aws_nat_gateway.this.id + } + + tags = { + Name = "${var.project_name}-kasm-nat-gateway-route" + } } -resource "aws_route_table_association" "webapp_route_association" { +resource "aws_route_table_association" "alb" { + count = 2 + subnet_id = aws_subnet.alb[count.index].id + route_table_id = aws_route_table.internet_gateway.id +} + +resource "aws_route_table_association" "webapp" { count = var.num_webapps - subnet_id = data.aws_subnet.data-kasm_webapp_subnets[count.index].id - route_table_id = data.aws_route_table.data-internet_gateway_route_table.id + subnet_id = aws_subnet.webapp[count.index].id + route_table_id = aws_route_table.nat_gateway.id } -resource "aws_route_table_association" "db_route_association" { - subnet_id = data.aws_subnet.data-kasm_db_subnet.id - route_table_id = data.aws_route_table.data-internet_gateway_route_table.id +resource "aws_route_table_association" "db" { + subnet_id = aws_subnet.db.id + route_table_id = aws_route_table.nat_gateway.id } -resource "aws_route_table_association" "agent_table_association" { - subnet_id = data.aws_subnet.data-kasm_agent_subnet.id - route_table_id = data.aws_route_table.data-internet_gateway_route_table.id +resource "aws_route_table_association" "cpx" { + count = var.num_cpx_nodes > 0 ? 1 : 0 + + subnet_id = one(aws_subnet.cpx[*].id) + route_table_id = aws_route_table.nat_gateway.id +} + +resource "aws_route_table_association" "agent" { + subnet_id = aws_subnet.agent.id + route_table_id = aws_route_table.internet_gateway.id +} + +resource "aws_route_table_association" "windows" { + count = var.num_cpx_nodes > 0 ? 
1 : 0 + + subnet_id = one(aws_subnet.windows[*].id) + route_table_id = aws_route_table.internet_gateway.id } diff --git a/aws/multi_region/primary/security_group.tf b/aws/multi_region/primary/security_group.tf index fe1cc95..31ff8e5 100644 --- a/aws/multi_region/primary/security_group.tf +++ b/aws/multi_region/primary/security_group.tf 
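Review bot: The route in `aws_route_table.nat_gateway` passes the NAT gateway through `gateway_id`, which is the argument for internet and virtual private gateways; it should be `nat_gateway_id = aws_nat_gateway.this.id`. With the wrong argument the route may fail to create or show a permanent diff, and the webapp, db and cpx subnets associated with this table depend on it for outbound access. Also worth confirming: the `agent` and `windows` associations still point at `aws_route_table.internet_gateway`, while subnet.tf in this patch drops `map_public_ip_on_launch`. Unless those instances request a public IP themselves, which is not visible here, they would have no outbound path.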
@@ -1,145 +1,139 @@ -resource "aws_security_group" "kasm-default-elb-sg" { - name = "${var.project_name}-${var.zone_name}-kasm-allow-elb-access" +resource "aws_security_group" "public_lb" { + name = "${var.project_name}-kasm-allow-public-lb-access" description = "Security Group for ELB" - vpc_id = data.aws_vpc.data-kasm-default-vpc.id - - ingress { - from_port = 443 - to_port = 443 - protocol = "tcp" - cidr_blocks = var.web_access_cidrs - } - - ingress { - from_port = 80 - to_port = 80 - protocol = "tcp" - cidr_blocks = var.web_access_cidrs - } - - egress { - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_blocks = [var.anywhere] - } + vpc_id = aws_vpc.this.id tags = { - Name = "${var.project_name}-${var.zone_name}-kasm-allow-access" + Name = "${var.project_name}-kasm-public-lb-access" } } -data "aws_security_group" "data-kasm_default_elb_sg" { - id = aws_security_group.kasm-default-elb-sg.id +resource "aws_security_group_rule" "public_lb" { + for_each = var.public_lb_security_rules + + security_group_id = aws_security_group.public_lb.id + type = "ingress" + from_port = each.value.from_port + to_port = each.value.to_port + protocol = each.value.protocol + cidr_blocks = var.web_access_cidrs } -resource "aws_security_group" "kasm-db-sg" { - name = "${var.project_name}-kasm-allow-db-access" - description = "Allow access to db" - vpc_id = data.aws_vpc.data-kasm-default-vpc.id - - ingress { - from_port = 22 - to_port = 22 - protocol = "tcp" - cidr_blocks = var.ssh_access_cidrs - } - - ingress { - from_port = 5432 - to_port = 5432 - protocol = "tcp" - cidr_blocks = data.aws_subnet.data-kasm_webapp_subnets[*].id - } - - ingress { - from_port = 6379 - to_port = 6379 - protocol = "tcp" - cidr_blocks = data.aws_subnet.data-kasm_webapp_subnets[*].id - } - - egress { - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_blocks = [var.anywhere] - } - - tags = { - Name = "${var.project_name}-kasm-allow-db-access" - } -} - -data "aws_security_group" "data-kasm_db_sg" { - id 
= aws_security_group.kasm-db-sg.id -} - -resource "aws_security_group" "kasm-webapp-sg" { - name = "${var.project_name}-${var.zone_name}-kasm-webapp-access" +resource "aws_security_group" "webapp" { + name = "${var.project_name}-kasm-webapp" description = "Allow access to webapps" - vpc_id = data.aws_vpc.data-kasm-default-vpc.id + vpc_id = aws_vpc.this.id - ingress { - from_port = 22 - to_port = 22 - protocol = "tcp" - cidr_blocks = var.ssh_access_cidrs - } - - ingress { - from_port = 443 - to_port = 443 - protocol = "tcp" - security_groups = [data.aws_security_group.data-kasm_db_sg.id] - } - - ingress { - from_port = 443 - to_port = 443 - protocol = "tcp" - security_groups = [data.aws_security_group.data-kasm_agent_sg.id] - } - - egress { - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_blocks = [var.anywhere] + tags = { + Name = "${var.project_name}-kasm-webapp-access" } } -data "aws_security_group" "data-kasm_webapp_sg" { - id = aws_security_group.kasm-webapp-sg.id +resource "aws_security_group_rule" "webapp" { + for_each = local.webapp_security_rules + + security_group_id = aws_security_group.webapp.id + type = "ingress" + from_port = each.value.from_port + to_port = each.value.to_port + protocol = each.value.protocol + source_security_group_id = each.key } -resource "aws_security_group" "kasm-agent-sg" { - name = "${var.project_name}-${var.zone_name}-kasm-agent-access" +resource "aws_security_group" "agent" { + name = "${var.project_name}-kasm-agent-access" description = "Allow access to agents" - vpc_id = data.aws_vpc.data-kasm-default-vpc.id + vpc_id = aws_vpc.this.id - ingress { - from_port = 22 - to_port = 22 - protocol = "tcp" - cidr_blocks = var.ssh_access_cidrs - } - - ingress { - from_port = 443 - to_port = 443 - protocol = "tcp" - cidr_blocks = [var.anywhere] - } - - egress { - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_blocks = [var.anywhere] + tags = { + Name = "${var.project_name}-kasm-agent-access" } } -data "aws_security_group" 
"data-kasm_agent_sg" { - id = aws_security_group.kasm-agent-sg.id +resource "aws_security_group_rule" "agent" { + for_each = var.agent_security_rules + + security_group_id = aws_security_group.agent.id + type = "ingress" + from_port = each.value.from_port + to_port = each.value.to_port + protocol = each.value.protocol + source_security_group_id = aws_security_group.webapp.id } + +resource "aws_security_group" "db" { + name = "${var.project_name}-kasm-db-access" + description = "Allow access to webapps" + vpc_id = aws_vpc.this.id + + tags = { + Name = "${var.project_name}-kasm-db-access" + } +} + +resource "aws_security_group_rule" "db" { + for_each = var.db_security_rules + + security_group_id = aws_security_group.db.id + type = "ingress" + from_port = each.value.from_port + to_port = each.value.to_port + protocol = each.value.protocol + source_security_group_id = aws_security_group.webapp.id +} + +resource "aws_security_group" "cpx" { + count = var.num_cpx_nodes > 0 ? 1 : 0 + + name = "${var.project_name}-kasm-cpx-access" + description = "Allow access to cpx RDP nodes" + + tags = { + Name = "${var.project_name}-kasm-cpx-access" + } +} + +resource "aws_security_group_rule" "cpx" { + for_each = var.num_cpx_nodes > 0 ? var.cpx_security_rules : {} + + security_group_id = one(aws_security_group.cpx[*].id) + type = "ingress" + from_port = each.value.from_port + to_port = each.value.to_port + protocol = each.value.protocol + source_security_group_id = aws_security_group.webapp.id +} + +resource "aws_security_group" "windows" { + count = var.num_cpx_nodes > 0 ? 1 : 0 + + name = "${var.project_name}-kasm-windows-access" + description = "Allow access to Windows servers" + vpc_id = aws_vpc.this.id + + tags = { + Name = "${var.project_name}-kasm-windows-access" + } +} + +resource "aws_security_group_rule" "windows" { + for_each = var.num_cpx_nodes > 0 ? 
var.windows_security_rules : {} + + security_group_id = one(aws_security_group.windows[*].id) + type = "ingress" + from_port = each.value.from_port + to_port = each.value.to_port + protocol = each.value.protocol + source_security_group_id = can(regex("(?i:cpx)", each.key)) ? one(aws_security_group.cpx[*].id) : aws_security_group.webapp.id +} + +resource "aws_security_group_rule" "egress" { + for_each = { for value in local.all_security_groups : value => var.default_egress } + + security_group_id = each.key + type = each.value.rule_type + from_port = each.value.from_port + to_port = each.value.to_port + protocol = each.value.protocol + cidr_blocks = [var.anywhere] +} \ No newline at end of file diff --git a/aws/multi_region/primary/ssm.tf b/aws/multi_region/primary/ssm.tf new file mode 100644 index 0000000..0032064 --- /dev/null +++ b/aws/multi_region/primary/ssm.tf @@ -0,0 +1,29 @@ +resource "aws_iam_role" "this" { + count = var.aws_ssm_iam_role_name == "" ? 1 : 0 + + name = "Kasm_SSM_IAM_Instance_Role" + assume_role_policy = jsonencode({ + Version = "2012-10-17" + Statement = [{ + Action = "sts:AssumeRole" + Effect = "Allow" + Principal = { + Service = "ec2.amazonaws.com" + } + }] + }) +} + +resource "aws_iam_role_policy_attachment" "this" { + count = var.aws_ssm_iam_role_name == "" ? 1 : 0 + + policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore" + role = aws_iam_role.this[0].name +} + +resource "aws_iam_instance_profile" "this" { + count = var.aws_ssm_iam_role_name == "" ? 1 : 0 + + name = "Kasm_SSM_Instance_Profile" + role = aws_iam_role.this[0].name +} diff --git a/aws/multi_region/primary/subnet.tf b/aws/multi_region/primary/subnet.tf index a626318..c461f7a 100644 --- a/aws/multi_region/primary/subnet.tf +++ b/aws/multi_region/primary/subnet.tf 
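Review bot: `aws_security_group.cpx` is the only group in this file created without `vpc_id`, so it would land in the default VPC, where it cannot be attached to instances in `aws_vpc.this` or referenced by the webapp and windows rules; add `vpc_id = aws_vpc.this.id`. In `aws_security_group_rule.egress`, `type = each.value.rule_type` reads an attribute that the README's documented type for `default_egress` does not have, so unless variables.tf differs this fails at plan; `type = "egress"` is enough. The same rule hard-codes `cidr_blocks = [var.anywhere]` and ignores the `cidr_subnets` field of the variable, so narrowing egress through the input has no effect. The `db` group's description still reads "Allow access to webapps" and should describe the database.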
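Review bot: The IAM role and instance profile in ssm.tf use fixed names, `Kasm_SSM_IAM_Instance_Role` and `Kasm_SSM_Instance_Profile`. IAM names are unique per account, not per region, so a second deployment in the same account would collide on create. A shared name also means two deployments cannot be given separate roles. Prefixing with the project, for example `name = "${var.project_name}-kasm-ssm-role"` and `name = "${var.project_name}-kasm-ssm-profile"`, keeps each deployment's identity distinct.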
@@ -1,51 +1,77 @@ locals { kasm_vpc_subnet_cidr_mask = split("/", var.vpc_subnet_cidr)[1] kasm_server_subnet_cidr_calculation = (8 - (local.kasm_vpc_subnet_cidr_mask - 16)) - kasm_server_subnet_cidr_size = local.kasm_server_subnet_cidr_calculation < 2 ? 2 : local.kasm_server_subnet_cidr_calculation - kasm_agent_subnet_id = (var.num_webapps + 1) + kasm_server_subnet_cidr_size = local.kasm_server_subnet_cidr_calculation < 3 ? 3 : local.kasm_server_subnet_cidr_calculation } -## Will create Agent subnet x.x.0.0/24 (assuming a VPC Subnet CIDR between x.x.0.0/16 and x.x.0.0/22) -resource "aws_subnet" "kasm-db-subnet" { - vpc_id = data.aws_vpc.data-kasm-default-vpc.id - cidr_block = cidrsubnet(var.vpc_subnet_cidr, local.kasm_server_subnet_cidr_size, 0) - map_public_ip_on_launch = true +## Will create Agent subnet x.x.0.0/24 and x.x.1.0/24 (assuming a VPC Subnet CIDR between x.x.0.0/16 and x.x.0.0/21) +resource "aws_subnet" "alb" { + count = 2 + + vpc_id = aws_vpc.this.id + cidr_block = cidrsubnet(var.vpc_subnet_cidr, local.kasm_server_subnet_cidr_size, count.index) + availability_zone = data.aws_availability_zones.available.names[count.index] + tags = { - Name = "${var.project_name}-kasm-db-subnet" + Name = "${var.project_name}-kasm_alb_subnet" } } -data "aws_subnet" "data-kasm_db_subnet" { - id = aws_subnet.kasm-db-subnet.id -} +## Will create WebApp subnets x.x.2.0/24 and x.x.3.0/24 (assuming a VPC Subnet CIDR between x.x.0.0/16 and x.x.0.0/22 and 2 webapps) +resource "aws_subnet" "webapp" { + count = var.num_webapps + + vpc_id = aws_vpc.this.id + cidr_block = cidrsubnet(var.vpc_subnet_cidr, local.kasm_server_subnet_cidr_size, (count.index + 2)) + availability_zone = data.aws_availability_zones.available.names[count.index] -## Will create WebApp subnets x.x.1.0/24 and x.x.2.0/24 (assuming a VPC Subnet CIDR between x.x.0.0/16 and x.x.0.0/22 and 2 webapps) -resource "aws_subnet" "kasm-webapp-subnets" { - count = var.num_webapps - vpc_id = 
data.aws_vpc.data-kasm-default-vpc.id - cidr_block = cidrsubnet(var.vpc_subnet_cidr, local.kasm_server_subnet_cidr_size, (count.index + 1)) - availability_zone = data.aws_availability_zones.available.names[count.index] - map_public_ip_on_launch = true tags = { Name = "${var.project_name}-kasm-webapp-subnet" } } -data "aws_subnet" "data-kasm_webapp_subnets" { - count = var.num_webapps - id = aws_subnet.kasm-webapp-subnets[count.index].id -} +## Will create DB subnet x.x.4.0/24 (assuming a VPC Subnet CIDR between x.x.0.0/16 and x.x.0.0/22) +resource "aws_subnet" "db" { + vpc_id = aws_vpc.this.id + cidr_block = cidrsubnet(var.vpc_subnet_cidr, local.kasm_server_subnet_cidr_size, 4) + availability_zone = data.aws_availability_zones.available.names[0] -## Will create Agent subnet x.x.3.0/24 (assuming a VPC Subnet CIDR between x.x.0.0/16 and x.x.0.0/22) -resource "aws_subnet" "kasm-agent-subnet" { - vpc_id = data.aws_vpc.data-kasm-default-vpc.id - cidr_block = cidrsubnet(var.vpc_subnet_cidr, local.kasm_server_subnet_cidr_size, local.kasm_agent_subnet_id) - map_public_ip_on_launch = true tags = { - Name = "${var.project_name}-agent-natgw-subnet" + Name = "${var.project_name}-kasm_db_subnet" } } -data "aws_subnet" "data-kasm_agent_subnet" { - id = aws_subnet.kasm-agent-subnet.id +## Will create Agent subnet x.x.3.0/24 (assuming a VPC Subnet CIDR between x.x.0.0/16 and x.x.0.0/22) +resource "aws_subnet" "agent" { + vpc_id = aws_vpc.this.id + cidr_block = cidrsubnet(var.vpc_subnet_cidr, local.kasm_server_subnet_cidr_size, 5) + availability_zone = data.aws_availability_zones.available.names[1] + + tags = { + Name = "${var.project_name}-agent-subnet" + } +} + +## Will create Agent subnet x.x.4.0/24 (assuming a VPC Subnet CIDR between x.x.0.0/16 and x.x.0.0/22) +resource "aws_subnet" "cpx" { + count = var.num_cpx_nodes > 0 ? 
1 : 0 + vpc_id = aws_vpc.this.id + cidr_block = cidrsubnet(var.vpc_subnet_cidr, local.kasm_server_subnet_cidr_size, 6) + availability_zone = data.aws_availability_zones.available.names[0] + + tags = { + Name = "${var.project_name}-cpx-subnet" + } +} + +## Will create Agent subnet x.x.5.0/24 (assuming a VPC Subnet CIDR between x.x.0.0/16 and x.x.0.0/22) +resource "aws_subnet" "windows" { + count = var.num_cpx_nodes > 0 ? 1 : 0 + vpc_id = aws_vpc.this.id + cidr_block = cidrsubnet(var.vpc_subnet_cidr, local.kasm_server_subnet_cidr_size, 7) + availability_zone = data.aws_availability_zones.available.names[1] + + tags = { + Name = "${var.project_name}-windows-subnet" + } } diff --git a/aws/multi_region/primary/variables.tf b/aws/multi_region/primary/variables.tf index dca6b3b..d1a5518 100644 --- a/aws/multi_region/primary/variables.tf +++ b/aws/multi_region/primary/variables.tf @@ -26,7 +26,6 @@ variable "db_hdd_size_gb" { variable "db_instance_type" { description = "The instance type for the Database" type = string - default = "t3.small" } variable "swap_size" { @@ -70,7 +69,7 @@ variable "manager_token" { } variable "service_registration_token" { - description = "The guac token value for Guac RDP servers to authenticate to webapps. No special characters" + description = "The service registration token value for cpx RDP servers to authenticate to webapps. No special characters" type = string sensitive = true } @@ -87,15 +86,10 @@ variable "aws_key_pair" { } variable "ec2_ami" { - description = "The AMI used for the EC2 nodes. Recommended Ubuntu 20.04 LTS." + description = "The AMI used for the EC2 nodes. Recommended Ubuntu 22.04 LTS." type = string } -variable "ssh_access_cidrs" { - description = "CIDR notation of the bastion host allowed to SSH in to the machines" - type = list(string) -} - variable "web_access_cidrs" { description = "List of Networks in CIDR notation for IPs allowed to access the Kasm Web interface" type = list(string) 
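Review bot: The webapp subnets take netnum `count.index + 2` while the db, agent, cpx and windows subnets are pinned to 4, 5, 6 and 7, so any `num_webapps` above 2 makes a webapp subnet request the same CIDR as the db subnet and the two conflict (the removed code derived the agent index from `var.num_webapps + 1`, which avoided this). Offsetting the fixed subnets by the webapp count, e.g. `cidrsubnet(var.vpc_subnet_cidr, local.kasm_server_subnet_cidr_size, var.num_webapps + 2)` for db and +3/+4/+5 for the others, keeps them disjoint. The newbits floor of 3 only yields eight subnets, so it would have to grow with the count as well. The header comments are also stale: the alb block is labelled "Agent subnet", and the agent, cpx and windows comments give x.x.3.0/24, x.x.4.0/24 and x.x.5.0/24 where the netnums are 5, 6 and 7.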
@@ -106,8 +100,156 @@ variable "num_webapps" { type = number } +variable "num_cpx_nodes" { + description = "The number of cpx RDP role servers to create in the deployment" + type = number +} + +variable "aws_ssm_iam_role_name" { + description = "The name of the SSM EC2 role to associate with Kasm VMs for SSH access" + type = string + default = "" +} + variable "anywhere" { description = "Anywhere subnet for routing and load ingress from all IPs" type = string default = "0.0.0.0/0" } + +variable "public_lb_security_rules" { + description = "A map of objects of security rules to apply to the Public ALB" + type = map(object({ + from_port = number + to_port = number + protocol = string + })) + + default = { + https = { + from_port = 443 + to_port = 443 + protocol = "tcp" + } + http = { + from_port = 80 + to_port = 80 + protocol = "tcp" + } + } +} + +variable "webapp_security_rules" { + description = "A map of objects of security rules to apply to the Kasm WebApp server" + type = object({ + from_port = number + to_port = number + protocol = string + }) + + default = { + from_port = 443 + to_port = 443 + protocol = "tcp" + } +} + +variable "db_security_rules" { + description = "A map of objects of security rules to apply to the Kasm DB" + type = map(object({ + from_port = number + to_port = number + protocol = string + })) + + default = { + postgres = { + from_port = 5432 + to_port = 5432 + protocol = "tcp" + } + redis = { + from_port = 6379 + to_port = 6379 + protocol = "tcp" + } + } +} + +variable "cpx_security_rules" { + description = "A map of objects of security rules to apply to the Kasm Connection Proxy server" + type = map(object({ + from_port = number + to_port = number + protocol = string + })) + + default = { + https = { + from_port = 443 + to_port = 443 + protocol = "tcp" + } + } +} + +variable "agent_security_rules" { + description = "A map of objects of security rules to apply to the Kasm WebApp server" + type = map(object({ + from_port = number + to_port = 
number + protocol = string + })) + + default = { + https = { + from_port = 443 + to_port = 443 + protocol = "tcp" + } + } +} + +variable "windows_security_rules" { + description = "A map of objects of security rules to apply to the Kasm Windows VMs" + type = map(object({ + from_port = number + to_port = number + protocol = string + })) + + default = { + cpx_rdp = { + from_port = 3389 + to_port = 3389 + protocol = "tcp" + } + cpx_screenshot = { + from_port = 4902 + to_port = 4902 + protocol = "tcp" + } + webapp_screenshot = { + from_port = 4902 + to_port = 4902 + protocol = "tcp" + } + } +} + +variable "default_egress" { + description = "Default egress security rule for all security groups" + type = object({ + from_port = number + to_port = number + protocol = string + cidr_subnets = list(string) + }) + + default = { + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_subnets = ["0.0.0.0/0"] + } +} diff --git a/aws/multi_region/primary/vpc.tf b/aws/multi_region/primary/vpc.tf index 133c952..a881f43 100644 --- a/aws/multi_region/primary/vpc.tf +++ b/aws/multi_region/primary/vpc.tf @@ -1,4 +1,4 @@ -resource "aws_vpc" "kasm-default-vpc" { +resource "aws_vpc" "this" { cidr_block = var.vpc_subnet_cidr enable_dns_hostnames = true enable_dns_support = true 
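Review bot: `default_egress` declares no `rule_type` attribute, yet the egress rule in security_group.tf reads `each.value.rule_type`, and its `cidr_subnets` list is never used because that rule sets `cidr_blocks = [var.anywhere]`. As written the attribute lookup should fail, and an operator who narrows `cidr_subnets` would still get every security group open outbound to 0.0.0.0/0 with no warning. Add `rule_type = string` to the object type with `rule_type = "egress"` in the default, and have the rule use `cidr_blocks = each.value.cidr_subnets`. Separately, `webapp_security_rules` is described as a map of objects but typed as a single object, and the `agent_security_rules` description says WebApp server.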
@@ -7,17 +7,24 @@ resource "aws_vpc" "kasm-default-vpc" { } } -data "aws_vpc" "data-kasm-default-vpc" { - id = aws_vpc.kasm-default-vpc.id -} - -resource "aws_internet_gateway" "kasm-default-ig" { - vpc_id = aws_vpc.kasm-default-vpc.id +resource "aws_internet_gateway" "this" { + vpc_id = aws_vpc.this.id tags = { Name = "${var.project_name}-kasm-ig" } } -data "aws_internet_gateway" "data-kasm_default_ig" { - internet_gateway_id = aws_internet_gateway.kasm-default-ig.id +resource "aws_eip" "this" { + domain = "vpc" +} + +resource "aws_nat_gateway" "this" { + allocation_id = aws_eip.this.id + subnet_id = aws_subnet.alb[0].id + + tags = { + Name = "${var.project_name}-${var.aws_region}-kasm-nat" + } + + depends_on = [aws_internet_gateway.this] } diff --git a/aws/multi_region/provider.tf b/aws/multi_region/provider.tf index 041dd35..30e67fa 100644 --- a/aws/multi_region/provider.tf +++ b/aws/multi_region/provider.tf @@ -1,8 +1,10 @@ terraform { + required_version = "~> 1.0" + required_providers { aws = { - source = "hashicorp/aws" - #version = "4.56.0" + source = "hashicorp/aws" + version = "~> 5.0" } } } @@ -31,7 +33,7 @@ provider "aws" { ############################################################################## ### ### Uncomment the below provider section if you want to deploy a 3rd region. -### +### ### Copy/paste the provider below to deploy additional regions, then refer ### to the README.md, the deployment.tf file, and the settings.tfvars file for ### code blocks to copy/paste/configure to deploy the new regions. diff --git a/aws/multi_region/settings.tfvars b/aws/multi_region/terraform.tfvars similarity index 53% rename from aws/multi_region/settings.tfvars rename to aws/multi_region/terraform.tfvars index 03502de..5907377 100644 --- a/aws/multi_region/settings.tfvars +++ b/aws/multi_region/terraform.tfvars 
@@ -1,37 +1,53 @@ -aws_domain_name = "kasm.contoso.com" -project_name = "contoso" +## AWS Environment settings aws_key_pair = "" -aws_primary_region = "us-east-1" +aws_primary_region = "" +aws_domain_name = "kasm.contoso.com" primary_vpc_subnet_cidr = "10.0.0.0/16" +## Kasm deployment project +project_name = "contoso" + +## Kasm passwords database_password = "changeme" redis_password = "changeme" user_password = "changeme" admin_password = "changeme" manager_token = "changeme" +service_registration_token = "changeme" -kasm_build = "https://kasm-static-content.s3.amazonaws.com/kasm_release_1.13.0.002947.tar.gz" -ssh_access_cidrs = ["0.0.0.0/0"] +## Kasm download URL +kasm_build = "https://kasm-static-content.s3.amazonaws.com/kasm_release_1.14.0.3a7abb.tar.gz" + +## VM Public Access subnets web_access_cidrs = ["0.0.0.0/0"] -swap_size = 2048 -primary_region_ec2_ami_id = "ami-09cd747c78a9add63" +## AWS SSM setup for console/SSH access to VMs behind NAT gateway +create_aws_ssm_iam_role = false +aws_ssm_iam_role_name = "" + +## Number of each Kasm role to deploy +num_webapps = 2 +num_agents = 2 +num_cpx_nodes = 1 + +## Kasm Server settings +primary_region_ec2_ami_id = "" webapp_instance_type = "t3.small" db_instance_type = "t3.small" agent_instance_type = "t3.medium" -webapp_hdd_size_gb = 40 -db_hdd_size_gb = 40 -agent_hdd_size_gb = 40 +cpx_instance_type = "t3.small" +webapp_hdd_size_gb = 50 +db_hdd_size_gb = 50 +cpx_hdd_size_gb = 50 +agent_hdd_size_gb = 150 +swap_size = 2048 ## Settings for all additional Agent regions -secondary_regions_settings = { +secondary_regions_settings = { region2 = { - agent_region = "us-west-1" - agent_ec2_ami_id = "ami-0d221cb540e0015f4" - agent_instance_type = "t3.medium" - agent_hdd_size_gb = 120 - num_agents = 2 - agent_vpc_cidr = "10.1.0.0/16" + agent_region = "" + agent_vpc_cidr = "10.1.0.0/16" + ec2_ami_id = "" } ####################################################################### 
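Review bot: Renaming the file to terraform.tfvars makes Terraform load it automatically, and it is a tracked file holding the password and token fields, so operators who fill in real values can easily end up committing them. A comment above the `## Kasm passwords` block such as `## Placeholders only - supply real values via TF_VAR_<name> or an untracked *.auto.tfvars file` would steer them away from that. `web_access_cidrs = ["0.0.0.0/0"]` also remains world-open as the shipped value; a comment asking to narrow it would help.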
@@ -41,15 +57,13 @@ secondary_regions_settings = { ### additional regions. ### ### Make sure to add a provider section for each additional region in - ### the providers.tf file. + ### the providers.tf file. ### ####################################################################### # region3 = { - # agent_region = "eu-central-1" - # agent_ec2_ami_id = "ami-0e067cc8a2b58de59" - # agent_instance_type = "t3.medium" - # num_agents = 2 - # agent_vpc_cidr = "10.2.0.0/16" + # agent_region = "" + # agent_vpc_cidr = "10.2.0.0/16" + # ec2_ami_id = "" # } } @@ -58,5 +72,5 @@ aws_default_tags = { Deployed_by = "Terraform" Deployment_type = "Multi-Region" Service_name = "Kasm Workspaces" - Kasm_version = "1.12" + Kasm_version = "1.14" } diff --git a/aws/multi_region/userdata/cpx_bootstrap.sh b/aws/multi_region/userdata/cpx_bootstrap.sh new file mode 100644 index 0000000..5125904 --- /dev/null +++ b/aws/multi_region/userdata/cpx_bootstrap.sh @@ -0,0 +1,29 @@ +#!/bin/bash +set -ex +echo "Starting Kasm Workspaces Agent Install" + +/bin/dd if=/dev/zero of=/var/swap.1 bs=1M count=${swap_size} +/sbin/mkswap /var/swap.1 +chmod 600 /var/swap.1 +/sbin/swapon /var/swap.1 + +echo '/var/swap.1 swap swap defaults 0 0' | tee -a /etc/fstab + +cd /tmp + +PRIVATE_IP=(`hostname -I | cut -d ' ' -f1 | tr -d '\\n'`) + +wget ${kasm_build_url} -O kasm_workspaces.tar.gz +tar -xf kasm_workspaces.tar.gz + +echo "Waiting for Kasm WebApp availability..." +while ! (curl -k https://${manager_address}/api/__healthcheck 2>/dev/null | grep -q true) +do + echo "Waiting for API server..." + sleep 5 +done +echo "WebApp is alive" + +bash kasm_release/install.sh -S cpx -e -p $PRIVATE_IP -n ${manager_address} -k ${service_registration_token} + +echo "Done" diff --git a/aws/multi_region/userdata/db_bootstrap.sh b/aws/multi_region/userdata/db_bootstrap.sh index ac7b403..b4e74a5 100644 --- a/aws/multi_region/userdata/db_bootstrap.sh +++ b/aws/multi_region/userdata/db_bootstrap.sh 
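Review bot: `set -ex` traces every command, so the install line in cpx_bootstrap.sh prints the expanded `${service_registration_token}` into whatever captures the user-data output; the same applies to the password arguments in db_bootstrap.sh and to the token in guac_bootstrap.sh in this commit. Turning the trace off around the secret-bearing call, `set +x` on the line before `bash kasm_release/install.sh ...`, keeps those values out of the log. The new script also leaves its expansions unquoted while this commit quotes them in db_bootstrap.sh and guac_bootstrap.sh, e.g. `wget "${kasm_build_url}" -O kasm_workspaces.tar.gz`; proxy_bootstrap.sh has the same gap. `curl -k` skips certificate verification for the health probe, which is probably deliberate for self-signed installs but deserves a comment saying so.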
@@ -2,7 +2,7 @@ set -ex echo "Starting Kasm Workspaces Install" -/bin/dd if=/dev/zero of=/var/swap.1 bs=1M count=${swap_size} +/bin/dd if=/dev/zero of=/var/swap.1 bs=1M count="${swap_size}" /sbin/mkswap /var/swap.1 chmod 600 /var/swap.1 /sbin/swapon /var/swap.1 @@ -11,10 +11,8 @@ echo '/var/swap.1 swap swap defaults 0 0' | tee -a /etc/fstab cd /tmp -PRIVATE_IP=(`hostname -I | cut -d ' ' -f1 | tr -d '\\n'`) - -wget ${kasm_build_url} -O kasm_workspaces.tar.gz +wget "${kasm_build_url}" -O kasm_workspaces.tar.gz tar -xf kasm_workspaces.tar.gz -bash kasm_release/install.sh -S db -e -Q ${database_password} -R ${redis_password} -U ${user_password} -P ${admin_password} -M ${manager_token} +bash kasm_release/install.sh -S db -e -Q "${database_password}" -R "${redis_password}" -U "${user_password}" -P "${admin_password}" -M "${manager_token}" -k "${service_registration_token}" echo "Done" diff --git a/oci/standard/module/userdata/guac_bootstrap.sh b/aws/multi_region/userdata/guac_bootstrap.sh similarity index 76% rename from oci/standard/module/userdata/guac_bootstrap.sh rename to aws/multi_region/userdata/guac_bootstrap.sh index 484d063..239b5cc 100644 --- a/oci/standard/module/userdata/guac_bootstrap.sh +++ b/aws/multi_region/userdata/guac_bootstrap.sh @@ -2,7 +2,7 @@ set -ex echo "Starting Kasm Workspaces Agent Install" -/bin/dd if=/dev/zero of=/var/swap.1 bs=1M count=${swap_size} +/bin/dd if=/dev/zero of=/var/swap.1 bs=1M count="${swap_size}" /sbin/mkswap /var/swap.1 chmod 600 /var/swap.1 /sbin/swapon /var/swap.1 @@ -24,6 +24,6 @@ do done echo "WebApp is alive" -bash kasm_release/install.sh -S guac -e -p $PRIVATE_IP -n ${manager_address} -k ${service_registration_token} +bash kasm_release/install.sh -S cpx -e -p "${PRIVATE_IP}" -n "${manager_address}" -k "${service_registration_token}" echo "Done" diff --git a/aws/multi_region/userdata/proxy_bootstrap.sh b/aws/multi_region/userdata/proxy_bootstrap.sh new file mode 100644 index 0000000..ad47442 --- /dev/null 
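Review bot: The release tarball fetched by `wget "${kasm_build_url}"` in db_bootstrap.sh is unpacked and its `install.sh` run during boot with no integrity check, so whatever that URL serves is executed on the node. Pinning a digest alongside the URL and verifying it before `tar -xf`, e.g. `echo "${kasm_build_sha256}  kasm_workspaces.tar.gz" | sha256sum -c -`, closes that gap; `kasm_build_sha256` is a template variable this commit does not define and would have to be added next to `kasm_build`. The same download-and-run sequence appears in the other bootstrap scripts touched here.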
+++ b/aws/multi_region/userdata/proxy_bootstrap.sh @@ -0,0 +1,27 @@ +#!/bin/bash +set -ex +echo "Starting Kasm Workspaces Agent Install" + +/bin/dd if=/dev/zero of=/var/swap.1 bs=1M count=${swap_size} +/sbin/mkswap /var/swap.1 +chmod 600 /var/swap.1 +/sbin/swapon /var/swap.1 + +echo '/var/swap.1 swap swap defaults 0 0' | tee -a /etc/fstab + +cd /tmp + +wget ${kasm_build_url} -O kasm_workspaces.tar.gz +tar -xf kasm_workspaces.tar.gz + +echo "Waiting for Kasm WebApp availability..." +while ! (curl -k https://${manager_address}/api/__healthcheck 2>/dev/null | grep -q true) +do + echo "Waiting for API server..." + sleep 5 +done +echo "WebApp is alive" + +bash kasm_release/install.sh -S proxy -e -H -p ${proxy_alb_address} -n ${manager_address} + +echo "Done" diff --git a/aws/multi_region/userdata/webapp_bootstrap.sh b/aws/multi_region/userdata/webapp_bootstrap.sh index 5f781f5..5ee0d2f 100644 --- a/aws/multi_region/userdata/webapp_bootstrap.sh +++ b/aws/multi_region/userdata/webapp_bootstrap.sh @@ -11,8 +11,6 @@ echo '/var/swap.1 swap swap defaults 0 0' | tee -a /etc/fstab cd /tmp -PRIVATE_IP=(`hostname -I | cut -d ' ' -f1 | tr -d '\\n'`) - wget ${kasm_build_url} -O kasm_workspaces.tar.gz tar -xf kasm_workspaces.tar.gz diff --git a/aws/multi_region/variables.tf b/aws/multi_region/variables.tf index aca2488..44a457e 100644 --- a/aws/multi_region/variables.tf +++ b/aws/multi_region/variables.tf 
@@ -30,6 +30,28 @@ variable "aws_key_pair" { } } +variable "create_aws_ssm_iam_role" { + description = "Create an AWS SSM IAM role to attach to VMs for SSH/console access to VMs." + type = bool + default = false + + validation { + condition = can(tobool(var.create_aws_ssm_iam_role)) + error_message = "The create_aws_ssm_iam_role is a boolean value and can only be either true or false." + } +} + +variable "aws_ssm_iam_role_name" { + description = "The name of the SSM EC2 role to associate with Kasm VMs for SSH access" + type = string + default = "" + + validation { + condition = can(regex("[a-zA-Z0-9+=,.@-]{1,64}", var.aws_ssm_iam_role_name)) + error_message = "The aws_ssm_iam_role_name must be unique across the account and can only consisit of between 1 and 64 characters consisting of letters, numbers, underscores (_), plus (+), equals (=), comman (,), period (.), at symbol (@), or dash (-)." + } +} + variable "project_name" { description = "The name of the deployment (e.g dev, staging). A short single word" type = string @@ -83,10 +105,20 @@ variable "num_webapps" { } } +variable "num_cpx_nodes" { + description = "The number of Agent Role Servers to create in the deployment" + type = number + + validation { + condition = var.num_cpx_nodes == 0 ? true : var.num_cpx_nodes >= 0 && var.num_cpx_nodes <= 100 && floor(var.num_cpx_nodes) == var.num_cpx_nodes + error_message = "If num_cpx_nodes is set to 0, this Terraform will not deploy the Connection Proxy node. Acceptable number of Kasm Agents range between 0-100." + } +} + variable "webapp_instance_type" { description = "The instance type for the webapps" type = string - default = "t3.small" + default = "" validation { condition = can(regex("^(([a-z-]{1,3})(\\d{1,2})?(\\w{1,4})?)\\.(nano|micro|small|medium|metal|large|(2|3|4|6|8|9|10|12|16|18|24|32|48|56|112)?xlarge)", var.webapp_instance_type)) 
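Review bot: The `aws_ssm_iam_role_name` validation rejects its own default: the pattern needs at least one character, so `""` (the default, and the value shipped in terraform.tfvars) fails, while the unanchored match accepts any string that merely contains one allowed character. The character class also omits the underscore that the error message lists as allowed. Suggested: `condition = var.aws_ssm_iam_role_name == "" || can(regex("^[a-zA-Z0-9_+=,.@-]{1,64}$", var.aws_ssm_iam_role_name))`. The error message has typos (`consisit`, `comman`), and the `create_aws_ssm_iam_role` validation adds nothing beyond `type = bool`.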
@@ -97,7 +129,6 @@ variable "webapp_instance_type" { variable "db_instance_type" { description = "The instance type for the Database" type = string - default = "t3.small" validation { condition = can(regex("^(([a-z-]{1,3})(\\d{1,2})?(\\w{1,4})?)\\.(nano|micro|small|medium|metal|large|(2|3|4|6|8|9|10|12|16|18|24|32|48|56|112)?xlarge)", var.db_instance_type)) @@ -108,7 +139,6 @@ variable "db_instance_type" { variable "agent_instance_type" { description = "The instance type for the Agents" type = string - default = "t3.medium" validation { condition = can(regex("^(([a-z-]{1,3})(\\d{1,2})?(\\w{1,4})?)\\.(nano|micro|small|medium|metal|large|(2|3|4|6|8|9|10|12|16|18|24|32|48|56|112)?xlarge)", var.agent_instance_type)) @@ -116,6 +146,27 @@ variable "agent_instance_type" { } } +variable "cpx_instance_type" { + description = "The instance type for the Guac RDP nodes" + type = string + + validation { + condition = can(regex("^(([a-z-]{1,3})(\\d{1,2})?(\\w{1,4})?)\\.(nano|micro|small|medium|metal|large|(2|3|4|6|8|9|10|12|16|18|24|32|48|56|112)?xlarge)", var.cpx_instance_type)) + error_message = "Check the cpx_instance_type variable and ensure it is a valid AWS Instance type (https://aws.amazon.com/ec2/instance-types/)." + } +} + +variable "proxy_instance_type" { + description = "The instance type for the dedicated proxy node" + type = string + default = "" + + validation { + condition = can(regex("^(([a-z-]{1,3})(\\d{1,2})?(\\w{1,4})?)\\.(nano|micro|small|medium|metal|large|(2|3|4|6|8|9|10|12|16|18|24|32|48|56|112)?xlarge)", var.proxy_instance_type)) + error_message = "Check the proxy_instance_type variable and ensure it is a valid AWS Instance type (https://aws.amazon.com/ec2/instance-types/)." + } +} + variable "webapp_hdd_size_gb" { description = "The HDD size in GB to configure for the Kasm WebApp instances" type = number 
@@ -146,10 +197,29 @@ variable "agent_hdd_size_gb" { } } +variable "cpx_hdd_size_gb" { + description = "The HDD size in GB to configure for the Kasm Guac RDP instances" + type = number + + validation { + condition = can(var.cpx_hdd_size_gb >= 40) + error_message = "Kasm Guac RDP nodes should have at least a 40 GB HDD to ensure enough space for Kasm services." + } +} + +variable "proxy_hdd_size_gb" { + description = "The HDD size in GB to configure for the Kasm dedicated proxy instances" + type = number + + validation { + condition = can(var.proxy_hdd_size_gb >= 40) + error_message = "Kasm dedicated proxy nodes should have at least a 40 GB HDD to ensure enough space for Kasm services." + } +} + variable "primary_region_ec2_ami_id" { description = "AMI Id of Kasm EC2 image in the primary region. Recommended AMI OS Version is Ubuntu 20.04 LTS." type = string - default = "ami-09cd747c78a9add63" validation { condition = can(regex("^(ami-[a-f0-9]{17})", var.primary_region_ec2_ami_id)) 
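Review bot: `can(var.cpx_hdd_size_gb >= 40)` only tests whether the comparison evaluates without error, not whether it is true, so any number passes and the 40 GB floor is never enforced; `proxy_hdd_size_gb` uses the same form. Use the comparison directly: `condition = var.cpx_hdd_size_gb >= 40` and `condition = var.proxy_hdd_size_gb >= 40`. The description and error message for the cpx variable still say Guac RDP.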
@@ -159,26 +229,23 @@ variable "primary_region_ec2_ami_id" { variable "secondary_regions_settings" { description = "Map of Kasm settings for secondary regions" - type = map(any) + type = map(object({ + agent_region = string + agent_vpc_cidr = string + ec2_ami_id = string + }) + ) validation { - condition = alltrue([for region in var.secondary_regions_settings : can(regex("^([a-z]{2}-[a-z]{4,}-[\\d]{1})$", region.agent_region))]) + condition = alltrue([for region in var.secondary_regions_settings : can(regex("^([a-z]{2}-[a-z]{4,}-[\\d]{1})$", region.region))]) error_message = "Verify the regions in the secondary_regions_settings variable and ensure they are valid AWS regions in a valid format (e.g. us-east-1)." } validation { - condition = alltrue([for ami_id in var.secondary_regions_settings : can(regex("^(ami-[a-f0-9]{17})", ami_id.agent_ec2_ami_id))]) + condition = alltrue([for ami_id in var.secondary_regions_settings : can(regex("^(ami-[a-f0-9]{17})", ami_id.ec2_ami_id))]) error_message = "Please verify that all of your Region's AMI IDs are in the correct format for AWS (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/finding-an-ami.html)." } validation { - condition = alltrue([for instance_type in var.secondary_regions_settings : can(regex("^(([a-z-]{1,3})(\\d{1,2})?(\\w{1,4})?)\\.(nano|micro|small|medium|metal|large|(2|3|4|6|8|9|10|12|16|18|24|32|48|56|112)?xlarge)", instance_type.agent_instance_type))]) - error_message = "Check the Instance types used in your secondary_regions_settings and ensure they are valid AWS Instance types (https://aws.amazon.com/ec2/instance-types/)." - } - validation { - condition = alltrue([for number_of_agents in var.secondary_regions_settings : number_of_agents.num_agents >= 0 && number_of_agents.num_agents <= 100 && floor(number_of_agents.num_agents) == number_of_agents.num_agents]) - error_message = "Check the number of agents in the secondary_regions_settings variable. Acceptable number of Kasm Agents range between 0-100." 
- } - validation { - condition = alltrue([for subnet in var.secondary_regions_settings : can(cidrhost(subnet.agent_vpc_cidr, 0))]) + condition = alltrue([for subnet in var.secondary_regions_settings : can(cidrhost(subnet.vpc_cidr, 0))]) error_message = "Verify the VPC subnet in your secondary_regions_settings. They must all be valid IPv4 CIDRs." } } @@ -259,6 +326,17 @@ variable "manager_token" { } } +variable "service_registration_token" { + description = "The service registration token value for cpx RDP servers to authenticate to webapps. No special characters" + type = string + sensitive = true + + validation { + condition = can(regex("^[a-zA-Z0-9]{12,30}$", var.service_registration_token)) + error_message = "The Service Registration Token should be a string between 12 and 30 letters or numbers with no special characters." + } +} + variable "ssh_access_cidrs" { description = "CIDR notation of the bastion host allowed to SSH in to the machines" type = list(string) @@ -292,6 +370,6 @@ variable "aws_default_tags" { type = map(any) default = { Service_name = "Kasm Workspaces" - Kasm_version = "1.12" + Kasm_version = "1.14" } } diff --git a/aws/multi_region/webapps/README.md b/aws/multi_region/webapps/README.md new file mode 100644 index 0000000..2917317 --- /dev/null +++ b/aws/multi_region/webapps/README.md 
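Review bot: Two of the rewritten `secondary_regions_settings` validations read attributes the new object type does not declare: `region.region` and `subnet.vpc_cidr`, where the type defines `agent_region` and `agent_vpc_cidr`. Inside `can(...)` a missing attribute should simply yield false, so these checks would reject every input (or fail type checking) instead of validating the region and CIDR. Suggested: `can(regex("^([a-z]{2}-[a-z]{4,}-[\\d]{1})$", region.agent_region))` and `can(cidrhost(subnet.agent_vpc_cidr, 0))`. The AMI check was renamed to `ec2_ami_id` consistently with the type.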
@@ -0,0 +1,84 @@ +# webapps + + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | ~> 1.0 | +| [aws](#requirement\_aws) | ~> 5.0 | + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | 5.36.0 | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [aws_instance.agent](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance) | resource | +| [aws_instance.cpx](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance) | resource | +| [aws_instance.webapp](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance) | resource | +| [aws_lb.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb) | resource | +| [aws_lb_listener.http](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_listener) | resource | +| [aws_lb_listener.https](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_listener) | resource | +| [aws_lb_target_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_target_group) | resource | +| [aws_lb_target_group_attachment.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_target_group_attachment) | resource | +| [aws_route53_health_check.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_health_check) | resource | +| [aws_route53_record.alb](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource | +| [aws_route53_record.latency](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource | +| [aws_route53_zone.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route53_zone) | data source | + +## Inputs + +| Name | Description | Type | Default | 
Required | +|------|-------------|------|---------|:--------:| +| [agent\_hdd\_size\_gb](#input\_agent\_hdd\_size\_gb) | The HDD size in GB to configure for the Kasm Agent instances | `number` | `0` | no | +| [agent\_instance\_type](#input\_agent\_instance\_type) | the instance type for the agents | `string` | `""` | no | +| [agent\_security\_group\_id](#input\_agent\_security\_group\_id) | Kasm Agent security group ID | `string` | `""` | no | +| [agent\_subnet\_id](#input\_agent\_subnet\_id) | Subnet ID created for agents | `string` | `""` | no | +| [aws\_domain\_name](#input\_aws\_domain\_name) | The Route53 Zone used for the dns entries. This must already exist in the AWS account. (e.g dev.kasm.contoso.com). The deployment will be accessed via this zone name via https | `string` | n/a | yes | +| [aws\_key\_pair](#input\_aws\_key\_pair) | The name of an aws keypair to use. | `string` | n/a | yes | +| [aws\_ssm\_iam\_role\_name](#input\_aws\_ssm\_iam\_role\_name) | The name of the SSM EC2 role to associate with Kasm VMs for SSH access | `string` | `""` | no | +| [aws\_to\_kasm\_zone\_map](#input\_aws\_to\_kasm\_zone\_map) | AWS regions mapped to Kasm Deployment Zone names | `map(any)` |
{
"af-south-1": "Africa-(Cape-Town)",
"ap-east-1": "China-(Hong-Kong)",
"ap-northeast-1": "Japan-(Tokyo)",
"ap-northeast-2": "S-Korea-(Seoul)",
"ap-northeast-3": "Japan-(Osaka)",
"ap-south-1": "India-(Mumbai)",
"ap-south-2": "India-(Hyderbad)",
"ap-southeast-1": "Singapore",
"ap-southeast-2": "Austrailia-(Sydney)",
"ap-southeast-3": "Indonesia-(Jakarta)",
"ap-southeast-4": "Austrailia-(Melbourne)",
"ca-central-1": "Canada-(Montreal)",
"eu-central-1": "Switzerland-(Zurich)",
"eu-north-1": "Sweden-(Stockholm)",
"eu-south-1": "Italy-(Milan)",
"eu-south-2": "Spain-(Aragon)",
"eu-west-1": "Ireland-(Dublin)",
"eu-west-2": "UK-(London)",
"eu-west-3": "France-(Paris)",
"me-central-1": "United-Arab-Emirates",
"me-south-1": "Manama-(Bahrain)",
"sa-east-1": "Brazil-(Sao-Paulo)",
"us-east-1": "USA-(Virginia)",
"us-east-2": "USA-(Ohio)",
"us-west-1": "USA-(California)",
"us-west-2": "USA-(Oregon)"
}
| no | +| [certificate\_arn](#input\_certificate\_arn) | The certificate ARN created in the primary region for use with all load balancers in the deployment. | `string` | n/a | yes | +| [cpx\_hdd\_size\_gb](#input\_cpx\_hdd\_size\_gb) | The HDD size in GB to configure for the Kasm CPX instances | `number` | `0` | no | +| [cpx\_instance\_type](#input\_cpx\_instance\_type) | the instance type for the CPX nodes | `string` | `""` | no | +| [cpx\_security\_group\_id](#input\_cpx\_security\_group\_id) | CPX security group ID | `string` | `""` | no | +| [cpx\_subnet\_id](#input\_cpx\_subnet\_id) | Subnet ID created for Kasm CPX nodes | `string` | `""` | no | +| [database\_password](#input\_database\_password) | The password for the database. No special characters | `string` | n/a | yes | +| [ec2\_ami](#input\_ec2\_ami) | The AMI used for the EC2 nodes. Recommended Ubuntu 20.04 LTS. | `string` | n/a | yes | +| [faux\_aws\_region](#input\_faux\_aws\_region) | The AWS region this WebApp is supposed to represent even though it will be created in the primary region of the deployment. (e.g us-east-1) | `string` | n/a | yes | +| [kasm\_build](#input\_kasm\_build) | The URL for the Kasm Workspaces build | `string` | n/a | yes | +| [kasm\_db\_ip](#input\_kasm\_db\_ip) | The IP/DNS name of the Kasm database | `string` | n/a | yes | +| [load\_balancer\_log\_bucket](#input\_load\_balancer\_log\_bucket) | S3 bucket name for load balancers to forward access logs to | `string` | n/a | yes | +| [load\_balancer\_security\_group\_id](#input\_load\_balancer\_security\_group\_id) | Security Group ID for the Primary region's load balancer | `string` | n/a | yes | +| [load\_balancer\_subnet\_ids](#input\_load\_balancer\_subnet\_ids) | ALB subnet IDs created to host webapps in the primary region | `list(string)` | n/a | yes | +| [manager\_token](#input\_manager\_token) | The Manager Token used by Kasm Agents to authenticate. 
No special characters | `string` | n/a | yes | +| [num\_agents](#input\_num\_agents) | The number of Agent Role Servers to create in the deployment | `number` | `0` | no | +| [num\_cpx\_nodes](#input\_num\_cpx\_nodes) | The number of cpx Role Servers to create in the deployment | `number` | `0` | no | +| [num\_webapps](#input\_num\_webapps) | The number of WebApp role servers to create in the deployment | `number` | n/a | yes | +| [primary\_aws\_region](#input\_primary\_aws\_region) | The AWS region for primary region of the deployment. (e.g us-east-1) | `string` | n/a | yes | +| [primary\_vpc\_id](#input\_primary\_vpc\_id) | The VPC ID of the primary region | `string` | n/a | yes | +| [project\_name](#input\_project\_name) | The name of the deployment (e.g dev, staging). A short single word | `string` | n/a | yes | +| [redis\_password](#input\_redis\_password) | The password for the database. No special characters | `string` | n/a | yes | +| [service\_registration\_token](#input\_service\_registration\_token) | The service registration token value for cpx RDP servers to authenticate to webapps. 
No special characters | `string` | `""` | no | +| [swap\_size](#input\_swap\_size) | The amount of swap (in MB) to configure inside the compute instances | `number` | n/a | yes | +| [webapp\_hdd\_size\_gb](#input\_webapp\_hdd\_size\_gb) | The HDD size in GB to configure for the Kasm WebApp instances | `number` | n/a | yes | +| [webapp\_instance\_type](#input\_webapp\_instance\_type) | The instance type for the webapps | `string` | n/a | yes | +| [webapp\_security\_group\_id](#input\_webapp\_security\_group\_id) | WebApp security group ID | `string` | n/a | yes | +| [webapp\_subnet\_ids](#input\_webapp\_subnet\_ids) | WebApp subnet IDs created to host webapps in the primary region | `list(string)` | n/a | yes | +| [zone\_name](#input\_zone\_name) | A name given to the Kasm deployment Zone | `string` | n/a | yes | + +## Outputs + +| Name | Description | +|------|-------------| +| [kasm\_zone\_settings](#output\_kasm\_zone\_settings) | Upstream Auth and Proxy Address settings to apply to Kasm Zone configuration | + diff --git a/aws/multi_region/webapps/agent.tf b/aws/multi_region/webapps/agent.tf index 299f515..9e4ef22 100644 --- a/aws/multi_region/webapps/agent.tf +++ b/aws/multi_region/webapps/agent.tf @@ -1,10 +1,13 @@ -resource "aws_instance" "kasm-agent" { - count = var.num_agents - ami = var.ec2_ami - instance_type = var.agent_instance_type - vpc_security_group_ids = [var.agent_security_group_id] - subnet_id = var.agent_subnet_id - key_name = var.aws_key_pair +resource "aws_instance" "agent" { + count = var.num_agents + + ami = var.ec2_ami + instance_type = var.agent_instance_type + vpc_security_group_ids = [var.agent_security_group_id] + subnet_id = var.agent_subnet_id + key_name = var.aws_key_pair + associate_public_ip_address = true + iam_instance_profile = var.aws_ssm_iam_role_name root_block_device { volume_size = var.agent_hdd_size_gb 
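Review bot: `associate_public_ip_address = true` on `aws_instance.agent` gives every agent a publicly routable address, so inbound exposure depends entirely on the group passed in `var.agent_security_group_id`, whose rules are not visible in this hunk. The new `aws_instance.cpx` resource in the same commit does not set the attribute, so the difference looks deliberate but is undocumented. If agents only need outbound access, drop the attribute. Otherwise, add a comment on that line saying why agents must be directly reachable, or expose it as a variable that defaults to `false`. The resource body continues past the end of the hunk.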
diff --git a/aws/multi_region/webapps/availability_zones.tf b/aws/multi_region/webapps/availability_zones.tf
deleted file mode 100644
index 87d8f48..0000000
--- a/aws/multi_region/webapps/availability_zones.tf
+++ /dev/null
@@ -1,3 +0,0 @@
-data "aws_availability_zones" "available" {
- state = "available"
-}
diff --git a/aws/multi_region/webapps/cpx.tf b/aws/multi_region/webapps/cpx.tf
new file mode 100644
index 0000000..6393d07
--- /dev/null
+++ b/aws/multi_region/webapps/cpx.tf
@@ -0,0 +1,27 @@
+resource "aws_instance" "cpx" {
+ count = var.num_cpx_nodes
+
+ ami = var.ec2_ami
+ instance_type = var.cpx_instance_type
+ vpc_security_group_ids = [var.cpx_security_group_id]
+ subnet_id = var.cpx_subnet_id
+ key_name = var.aws_key_pair
+ iam_instance_profile = var.aws_ssm_iam_role_name
+
+ root_block_device {
+ volume_size = var.cpx_hdd_size_gb
+ }
+
+ user_data = templatefile("${path.module}/../userdata/cpx_bootstrap.sh",
+ {
+ kasm_build_url = var.kasm_build
+ swap_size = var.swap_size
+ manager_address = var.aws_domain_name
+ service_registration_token = var.service_registration_token
+ }
+ )
+
+ tags = {
+ Name = "${var.project_name}-${var.primary_aws_region}-kasm-cpx-${count.index}"
+ }
+}
diff --git a/aws/multi_region/webapps/dependencies.tf b/aws/multi_region/webapps/dependencies.tf
new file mode 100644
index 0000000..ba0a1f0
--- /dev/null
+++ b/aws/multi_region/webapps/dependencies.tf
@@ -0,0 +1,4 @@
+data "aws_route53_zone" "this" {
+ name = var.aws_domain_name
+ private_zone = false
+}
diff --git a/aws/multi_region/webapps/elb.tf b/aws/multi_region/webapps/elb.tf
index 994e22a..8b454cc 100644
--- a/aws/multi_region/webapps/elb.tf
+++ b/aws/multi_region/webapps/elb.tf
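Review bot: The new `aws_instance.cpx` resource templates `service_registration_token` into `user_data`, and it does not require IMDSv2. User data stays readable from the instance metadata service for the life of the instance, and by any principal allowed to read the instance's user-data attribute. Add `metadata_options { http_tokens = "required" }` to the resource, and consider having `cpx_bootstrap.sh` fetch the token from SSM Parameter Store or Secrets Manager through the instance profile instead of receiving it as a template variable. `root_block_device` also sets only `volume_size`; unless account-level default EBS encryption is enabled, add `encrypted = true` there.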
@@ -1,14 +1,9 @@ -data "aws_route53_zone" "kasm-route53-zone" { - name = var.aws_domain_name - private_zone = false -} - -resource "aws_lb" "kasm-alb" { +resource "aws_lb" "this" { name = "${var.project_name}-lb" internal = false load_balancer_type = "application" security_groups = [var.load_balancer_security_group_id] - subnets = var.webapp_subnet_ids + subnets = var.load_balancer_subnet_ids access_logs { bucket = var.load_balancer_log_bucket @@ -16,41 +11,20 @@ resource "aws_lb" "kasm-alb" { } } -data "aws_lb" "data-kasm_alb" { - arn = aws_lb.kasm-alb.arn -} - -resource "aws_lb_target_group" "kasm-target-group" { - name = "${var.project_name}-target-group" - port = 443 - protocol = "HTTPS" - vpc_id = var.primary_vpc_id - - health_check { - path = "/api/__healthcheck" - matcher = 200 - protocol = "HTTPS" - } -} - -data "aws_lb_target_group" "data-kasm_target_group" { - arn = aws_lb_target_group.kasm-target-group.arn -} - -resource "aws_lb_listener" "kasm-alb-listener" { - load_balancer_arn = data.aws_lb.data-kasm_alb.arn +resource "aws_lb_listener" "https" { + load_balancer_arn = aws_lb.this.arn port = "443" protocol = "HTTPS" certificate_arn = var.certificate_arn default_action { type = "forward" - target_group_arn = data.aws_lb_target_group.data-kasm_target_group.arn + target_group_arn = aws_lb_target_group.this.arn } } -resource "aws_lb_listener" "kasm_alb_listener_http" { - load_balancer_arn = data.aws_lb.data-kasm_alb.arn +resource "aws_lb_listener" "http" { + load_balancer_arn = aws_lb.this.arn port = "80" protocol = "HTTP" 
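Review bot: In the second hunk (`@@ -16,41 +11,20 @@`), the renamed `aws_lb_listener.https` still has no `ssl_policy`. The TLS versions and ciphers the load balancer offers therefore come from the provider/AWS default rather than from anything pinned in this repository. Set it explicitly, for example `ssl_policy = "ELBSecurityPolicy-TLS13-1-2-2021-06"`, so the protocol floor is TLS 1.2 and any later change shows up in review. The `http` listener's body continues outside this hunk.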
@@ -65,34 +39,47 @@ resource "aws_lb_listener" "kasm_alb_listener_http" { } } -resource "aws_lb_target_group_attachment" "kasm-target-group-attachment" { - count = var.num_webapps - target_group_arn = data.aws_lb_target_group.data-kasm_target_group.arn - target_id = data.aws_instance.data-kasm_web_apps[count.index].id +resource "aws_lb_target_group" "this" { + name = "${var.project_name}-target-group" + port = 443 + protocol = "HTTPS" + vpc_id = var.primary_vpc_id + + health_check { + path = "/api/__healthcheck" + matcher = 200 + protocol = "HTTPS" + } +} +resource "aws_lb_target_group_attachment" "this" { + count = var.num_webapps + + target_group_arn = aws_lb_target_group.this.arn + target_id = aws_instance.webapp[count.index].id port = 443 } -resource "aws_route53_record" "kasm-route53-elb-record" { - zone_id = data.aws_route53_zone.kasm-route53-zone.zone_id +resource "aws_route53_record" "alb" { + zone_id = data.aws_route53_zone.this.zone_id name = "${var.zone_name}-lb.${var.aws_domain_name}" type = "A" alias { - name = data.aws_lb.data-kasm_alb.dns_name - zone_id = data.aws_lb.data-kasm_alb.zone_id + name = aws_lb.this.dns_name + zone_id = aws_lb.this.zone_id evaluate_target_health = true } } -resource "aws_route53_record" "kasm-app-url" { - zone_id = data.aws_route53_zone.kasm-route53-zone.zone_id +resource "aws_route53_record" "latency" { + zone_id = data.aws_route53_zone.this.zone_id name = var.aws_domain_name type = "A" set_identifier = "${var.project_name}-${var.zone_name}-set-id" alias { - name = data.aws_lb.data-kasm_alb.dns_name - zone_id = data.aws_lb.data-kasm_alb.zone_id + name = aws_lb.this.dns_name + zone_id = aws_lb.this.zone_id evaluate_target_health = true } @@ -101,7 +88,7 @@ resource "aws_route53_record" "kasm-app-url" { } } -resource "aws_route53_health_check" "kasm-elb-hc" { +resource "aws_route53_health_check" "this" { fqdn = "${var.zone_name}-lb.${var.aws_domain_name}" port = 443 type = "HTTPS" 
diff --git a/aws/multi_region/webapps/outputs.tf b/aws/multi_region/webapps/outputs.tf
new file mode 100644
index 0000000..4a94a28
--- /dev/null
+++ b/aws/multi_region/webapps/outputs.tf
@@ -0,0 +1,8 @@ +output "kasm_zone_settings" { + description = "Upstream Auth and Proxy Address settings to apply to Kasm Zone configuration" + value = < +## Requirements -# AWS Terraform Variable definitions +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | ~> 1.0 | +| [aws](#requirement\_aws) | ~> 5.0 | -| Variable | Description | Variable type | Example | -|:--------:|-------------|---------------|---------| -| `aws_access_key` | The AWS access key used for deployment. | String | `"AKIAJSIE27KKMHXI3BJQ"` | -| `aws_secret_key` | The AWS secret key used for deployment. | String | `"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"` | -| `aws_region` | The AWS Region used for deployment. | String | `"us-east-1"` | -| `project_name` | The name of the deployment (e.g dev, staging). A short single word of up to 15 characters. | String | `"kasm"` | -| `aws_domain_name` | The Route53 Zone used for the dns entries. This must already exist in the AWS account. (e.g dev.kasm.contoso.com). The deployment will be accessed via this zone name via https. | String | `"kasm.contoso.com"` | -| `kasm_zone_name` | A name given to the kasm deployment Zone. | String | `"default"` | -| `vpc_subnet_cidr` | The subnet CIDR to use for the VPC | String | `"10.0.0.0/16"` | -| `aws_key_pair` | The name of an aws keypair to use. | String | `"kasm_ssh_key"` | -| `ec2_ami` | The AMI used for the EC2 nodes. Recommended Ubuntu 20.04 LTS. | String | `"ami-09cd747c78a9add63"` | -| `swap_size` | The amount of swap (in MB) to configure inside the Kasm servers. | Number | `2048` | -| `webapp_instance_type` | The instance type for the webapps. | String | `"t3.small"` | -| `db_instance_type` | The instance type for the webapps. | String | `"t3.medium"` | -| `agent_instance_type` | The instance type for the webapps. | String | `"t3.medium"` | -| `guac_instance_type` | The instance type for the webapps. 
| String | `"t3.medium"` | -| `num_webapps` | The number of WebApp role servers to create in this deployment. Acceptable ranges from 1-3. | Number | `2` | -| `num_agents` | The number of static Kasm Agents to create in this deploymenbt. Acceptable ranges from 0-100. | Number | `2` | -| `num_guac_rdp_nodes` | The number of Guacamole RDP access servers to create in this deployment. Acceptable ranges from 0-100. | Number | `1` | -| `allow_ssh_cidrs` | A list of subnets in CIDR notation allowed to SSH into your kasm servers | List(String) | `["10.0.0.0/16","172.217.22.14/32"]` | -| `web_access_cidrs` | A list of subnets in CIDR notation allowed Web access to your kasm servers | List(String) | `["0.0.0.0/0"]` | -| `database_password` | The Kasm PostgreSQL database password. String from 12-30 characters in length with no special characters. | String | `"1qaz2wsx3EDC4RFV"` | -| `redis_password` | The Kasm Redis password. String from 12-30 characters in length with no special characters. | String | `"1qaz2wsx3EDC4RFV"` | -| `admin_password` | The Kasm Administrative user login password. String from 12-30 characters in length with no special characters. | String | `"1qaz2wsx3EDC4RFV"` | -| `user_password` | A Kasm standard (non-administrator) user password. String from 12-30 characters in length with no special characters. | String | `"1qaz2wsx3EDC4RFV"` | -| `manager_token` | The manager token value used by Kasm agents to authenticate to the Kasm WebApps. String from 12-30 characters in length with no special characters. | String | `"1qaz2wsx3EDC4RFV"` | -| `service_registration_token` | The service registration token value used by Guac RDP servers to authenticate to the Kasm Webapps. String from 12-30 characters in length with no special characters. | String | `"1qaz2wsx3EDC4RFV"` | -| `kasm_build` | The download URL for the desired Kasm Workspaces version. 
| String | `"https://kasm-static-content.s3.amazonaws.com/kasm_release_1.13.0.002947.tar.gz"` | -| `aws_default_tags` | A Map of all tags you wish to apply to all TF created resources in this deployment. | Map(Any) |
{
  Service_name = "Kasm Workspaces"
  Kasm_version = "1.12"
}
| +## Providers +No providers. + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [standard](#module\_standard) | ./module | n/a | + +## Resources + +No resources. + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [admin\_password](#input\_admin\_password) | The administrative user password. No special characters | `string` | n/a | yes | +| [agent\_hdd\_size\_gb](#input\_agent\_hdd\_size\_gb) | The HDD size in GB to configure for the Kasm Agent instances | `number` | n/a | yes | +| [agent\_instance\_type](#input\_agent\_instance\_type) | The instance type for the Agents | `string` | n/a | yes | +| [aws\_access\_key](#input\_aws\_access\_key) | The AWS access key used for deployment | `string` | n/a | yes | +| [aws\_default\_tags](#input\_aws\_default\_tags) | Default tags to apply to all AWS resources for this deployment | `map(any)` | `{}` | no | +| [aws\_domain\_name](#input\_aws\_domain\_name) | The Route53 Zone used for the dns entries. This must already exist in the AWS account. (e.g dev.kasm.contoso.com). The deployment will be accessed via this zone name via https | `string` | n/a | yes | +| [aws\_key\_pair](#input\_aws\_key\_pair) | The name of an aws keypair to use. 
| `string` | n/a | yes | +| [aws\_region](#input\_aws\_region) | The AWS Region used for deployment | `string` | `"us-east-1"` | no | +| [aws\_secret\_key](#input\_aws\_secret\_key) | The AWS secret key used for deployment | `string` | n/a | yes | +| [aws\_ssm\_iam\_role\_name](#input\_aws\_ssm\_iam\_role\_name) | The name of the SSM EC2 role to associate with Kasm VMs for SSH access | `string` | `""` | no | +| [cpx\_hdd\_size\_gb](#input\_cpx\_hdd\_size\_gb) | The HDD size in GB to configure for the Kasm cpx RDP instances | `number` | n/a | yes | +| [cpx\_instance\_type](#input\_cpx\_instance\_type) | The instance type for the cpxamole RDP nodes | `string` | n/a | yes | +| [create\_aws\_ssm\_iam\_role](#input\_create\_aws\_ssm\_iam\_role) | Create an AWS SSM IAM role to attach to VMs for SSH/console access to VMs. | `bool` | `false` | no | +| [database\_password](#input\_database\_password) | The password for the database. No special characters | `string` | n/a | yes | +| [db\_hdd\_size\_gb](#input\_db\_hdd\_size\_gb) | The HDD size in GB to configure for the Kasm Database instances | `number` | n/a | yes | +| [db\_instance\_type](#input\_db\_instance\_type) | The instance type for the Database | `string` | n/a | yes | +| [ec2\_ami\_id](#input\_ec2\_ami\_id) | The AMI used for the EC2 nodes. Recommended Ubuntu 22.04 LTS. | `string` | n/a | yes | +| [kasm\_build](#input\_kasm\_build) | The URL for the Kasm Workspaces build | `string` | n/a | yes | +| [kasm\_zone\_name](#input\_kasm\_zone\_name) | A name given to the kasm deployment Zone | `string` | `"default"` | no | +| [manager\_token](#input\_manager\_token) | The manager token value for Agents to authenticate to webapps. 
No special characters | `string` | n/a | yes | +| [num\_agents](#input\_num\_agents) | The number of Agent Role Servers to create in the deployment | `number` | n/a | yes | +| [num\_cpx\_nodes](#input\_num\_cpx\_nodes) | The number of Agent Role Servers to create in the deployment | `number` | n/a | yes | +| [num\_webapps](#input\_num\_webapps) | The number of WebApp role servers to create in the deployment | `number` | n/a | yes | +| [project\_name](#input\_project\_name) | The name of the deployment (e.g dev, staging). A short single word | `string` | n/a | yes | +| [redis\_password](#input\_redis\_password) | The password for the Redis server. No special characters | `string` | n/a | yes | +| [service\_registration\_token](#input\_service\_registration\_token) | The service registration token value for cpx RDP servers to authenticate to webapps. No special characters | `string` | n/a | yes | +| [swap\_size](#input\_swap\_size) | The amount of swap (in MB) to configure inside the compute instances | `number` | n/a | yes | +| [user\_password](#input\_user\_password) | The standard (non administrator) user password. No special characters | `string` | n/a | yes | +| [vpc\_subnet\_cidr](#input\_vpc\_subnet\_cidr) | The subnet CIDR to use for the VPC | `string` | `"10.0.0.0/16"` | no | +| [web\_access\_cidrs](#input\_web\_access\_cidrs) | CIDR notation of the bastion host allowed to SSH in to the machines | `list(string)` | n/a | yes | +| [webapp\_hdd\_size\_gb](#input\_webapp\_hdd\_size\_gb) | The HDD size in GB to configure for the Kasm WebApp instances | `number` | n/a | yes | +| [webapp\_instance\_type](#input\_webapp\_instance\_type) | The instance type for the webapps | `string` | n/a | yes | + +## Outputs + +| Name | Description | +|------|-------------| +| [kasm\_zone\_settings](#output\_kasm\_zone\_settings) | Upstream Auth settings to apply to Kasm Zone configuration | + # Detailed Terraform Deployment Diagram 
diff --git a/aws/standard/deployment.tf b/aws/standard/deployment.tf index b3c978f..4ed6bab 100644 --- a/aws/standard/deployment.tf +++ b/aws/standard/deployment.tf @@ -1,23 +1,28 @@ module "standard" { - source = "./module" - aws_key_pair = var.aws_key_pair - aws_region = var.aws_region - aws_domain_name = var.aws_domain_name - project_name = var.project_name - num_agents = var.num_agents - num_webapps = var.num_webapps - num_guac_nodes = var.num_guac_nodes - vpc_subnet_cidr = var.vpc_subnet_cidr + source = "./module" + aws_key_pair = var.aws_key_pair + aws_region = var.aws_region + aws_domain_name = var.aws_domain_name + project_name = var.project_name + num_agents = var.num_agents + num_webapps = var.num_webapps + num_cpx_nodes = var.num_cpx_nodes + vpc_subnet_cidr = var.vpc_subnet_cidr + create_aws_ssm_iam_role = var.create_aws_ssm_iam_role + aws_ssm_iam_role_name = var.aws_ssm_iam_role_name ## Kasm Server settings - agent_instance_type = var.agent_instance_type - guac_instance_type = var.guac_instance_type webapp_instance_type = var.webapp_instance_type + webapp_hdd_size_gb = var.webapp_hdd_size_gb db_instance_type = var.db_instance_type - ec2_ami = var.ec2_ami + db_hdd_size_gb = var.db_hdd_size_gb + agent_instance_type = var.agent_instance_type + agent_hdd_size_gb = var.agent_hdd_size_gb + cpx_instance_type = var.cpx_instance_type + cpx_hdd_size_gb = var.cpx_hdd_size_gb + ec2_ami = var.ec2_ami_id swap_size = var.swap_size - ssh_access_cidrs = var.ssh_access_cidrs web_access_cidrs = var.web_access_cidrs database_password = var.database_password redis_password = var.redis_password diff --git a/aws/standard/diagram/aws_multi_server.drawio b/aws/standard/diagram/aws_multi_server.drawio index 1edf218..18c3b13 100644 --- a/aws/standard/diagram/aws_multi_server.drawio +++ b/aws/standard/diagram/aws_multi_server.drawio @@ -22,7 +22,7 @@ - + @@ -107,10 +107,10 @@ - + - + @@ -125,7 +125,7 @@ - + 
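Review bot: With `ssh_access_cidrs` removed from the `standard` module call in `aws/standard/deployment.tf`, `web_access_cidrs` is the only CIDR input left, but the regenerated README in this patch describes it as "CIDR notation of the bastion host allowed to SSH in to the machines". The module README also lists its default as `0.0.0.0/0`. That wording looks like a leftover from the SSH variable and misstates what an operator opens up by setting it. The variable's description should say what it controls now, e.g. `description = "CIDR ranges allowed HTTP/HTTPS access to the public load balancer"`, after confirming against the security group rules, which are outside this hunk. The `module "standard"` block continues past the end of the hunk.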
diff --git a/aws/standard/module/README.md b/aws/standard/module/README.md
new file mode 100644
index 0000000..d4f4a86
--- /dev/null
+++ b/aws/standard/module/README.md
@@ -0,0 +1,135 @@ +# module + + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | ~> 1.0 | +| [aws](#requirement\_aws) | ~> 5.0 | + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | 5.36.0 | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [aws_acm_certificate.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/acm_certificate) | resource | +| [aws_acm_certificate_validation.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/acm_certificate_validation) | resource | +| [aws_eip.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eip) | resource | +| [aws_iam_instance_profile.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_instance_profile) | resource | +| [aws_iam_role.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_iam_role_policy_attachment.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | +| [aws_instance.agent](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance) | resource | +| [aws_instance.cpx](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance) | resource | +| [aws_instance.db](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance) | resource | +| [aws_instance.webapp](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance) | resource | +| [aws_internet_gateway.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/internet_gateway) | resource | +| [aws_lb.private](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb) | resource | +| 
[aws_lb.public](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb) | resource | +| [aws_lb_listener.http](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_listener) | resource | +| [aws_lb_listener.https](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_listener) | resource | +| [aws_lb_listener.private](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_listener) | resource | +| [aws_lb_target_group.private](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_target_group) | resource | +| [aws_lb_target_group.public](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_target_group) | resource | +| [aws_lb_target_group_attachment.private](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_target_group_attachment) | resource | +| [aws_lb_target_group_attachment.public](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_target_group_attachment) | resource | +| [aws_nat_gateway.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/nat_gateway) | resource | +| [aws_route53_health_check.kasm-elb-hc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_health_check) | resource | +| [aws_route53_record.private](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource | +| [aws_route53_record.public](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource | +| [aws_route53_record.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource | +| [aws_route_table.ig](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table) | resource | +| 
[aws_route_table.nat](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table) | resource | +| [aws_route_table_association.agent](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table_association) | resource | +| [aws_route_table_association.alb](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table_association) | resource | +| [aws_route_table_association.cpx](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table_association) | resource | +| [aws_route_table_association.db](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table_association) | resource | +| [aws_route_table_association.webapp](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table_association) | resource | +| [aws_route_table_association.windows](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table_association) | resource | +| [aws_s3_bucket.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource | +| [aws_s3_bucket_acl.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) | resource | +| [aws_s3_bucket_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource | +| [aws_s3_bucket_public_access_block.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource | +| [aws_s3_bucket_server_side_encryption_configuration.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource | +| [aws_security_group.agent](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | +| 
[aws_security_group.cpx](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | +| [aws_security_group.db](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | +| [aws_security_group.private_lb](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | +| [aws_security_group.public_lb](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | +| [aws_security_group.webapp](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | +| [aws_security_group.windows](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | +| [aws_security_group_rule.agent](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | +| [aws_security_group_rule.cpx](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | +| [aws_security_group_rule.db](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | +| [aws_security_group_rule.egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | +| [aws_security_group_rule.private_lb](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | +| [aws_security_group_rule.public_lb](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | +| [aws_security_group_rule.webapp](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | +| [aws_security_group_rule.windows](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | +| 
[aws_subnet.agent](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet) | resource | +| [aws_subnet.alb](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet) | resource | +| [aws_subnet.cpx](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet) | resource | +| [aws_subnet.db](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet) | resource | +| [aws_subnet.webapp](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet) | resource | +| [aws_subnet.windows](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet) | resource | +| [aws_vpc.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc) | resource | +| [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source | +| [aws_elb_service_account.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/elb_service_account) | data source | +| [aws_route53_zone.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route53_zone) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [admin\_password](#input\_admin\_password) | The administrative user password. No special characters | `string` | n/a | yes | +| [agent\_hdd\_size\_gb](#input\_agent\_hdd\_size\_gb) | The HDD size for Kasm Agent nodes | `number` | n/a | yes | +| [agent\_instance\_type](#input\_agent\_instance\_type) | The instance type for the Agents | `string` | `"t3.medium"` | no | +| [agent\_security\_rules](#input\_agent\_security\_rules) | A map of objects of security rules to apply to the Kasm WebApp server |
map(object({
from_port = number
to_port = number
protocol = string
}))
|
{
"https": {
"from_port": 443,
"protocol": "tcp",
"to_port": 443
}
}
| no | +| [anywhere](#input\_anywhere) | Anywhere route subnet | `string` | `"0.0.0.0/0"` | no | +| [aws\_domain\_name](#input\_aws\_domain\_name) | The Route53 Zone used for the dns entries. This must already exist in the AWS account. (e.g dev.kasm.contoso.com). The deployment will be accessed via this zone name via https | `string` | n/a | yes | +| [aws\_key\_pair](#input\_aws\_key\_pair) | The name of an aws keypair to use. | `string` | n/a | yes | +| [aws\_region](#input\_aws\_region) | The AWS region for the deployment. (e.g us-east-1) | `string` | n/a | yes | +| [aws\_ssm\_iam\_role\_name](#input\_aws\_ssm\_iam\_role\_name) | The name of the SSM EC2 role to associate with Kasm VMs for SSH access | `string` | `""` | no | +| [cpx\_hdd\_size\_gb](#input\_cpx\_hdd\_size\_gb) | The HDD size for Kasm Guac RDP nodes | `number` | n/a | yes | +| [cpx\_instance\_type](#input\_cpx\_instance\_type) | The instance type for the cpxamole RDP nodes | `string` | `"t3.medium"` | no | +| [cpx\_security\_rules](#input\_cpx\_security\_rules) | A map of objects of security rules to apply to the Kasm Connection Proxy server |
map(object({
from_port = number
to_port = number
protocol = string
}))
|
{
"https": {
"from_port": 443,
"protocol": "tcp",
"to_port": 443
}
}
| no | +| [create\_aws\_ssm\_iam\_role](#input\_create\_aws\_ssm\_iam\_role) | Create an AWS SSM IAM role to attach to VMs for SSH/console access to VMs. | `bool` | `false` | no | +| [database\_password](#input\_database\_password) | The password for the database. No special characters | `string` | n/a | yes | +| [db\_hdd\_size\_gb](#input\_db\_hdd\_size\_gb) | The HDD size for Kasm DB | `number` | n/a | yes | +| [db\_instance\_type](#input\_db\_instance\_type) | The instance type for the Database | `string` | `"t3.small"` | no | +| [db\_security\_rules](#input\_db\_security\_rules) | A map of objects of security rules to apply to the Kasm DB |
map(object({
from_port = number
to_port = number
protocol = string
}))
|
{
"postgres": {
"from_port": 5432,
"protocol": "tcp",
"to_port": 5432
},
"redis": {
"from_port": 6379,
"protocol": "tcp",
"to_port": 6379
}
}
| no | +| [default\_egress](#input\_default\_egress) | Default egress security rule for all security groups |
object({
from_port = number
to_port = number
protocol = string
cidr_subnets = list(string)
})
|
{
"cidr_subnets": [
"0.0.0.0/0"
],
"from_port": 0,
"protocol": "-1",
"to_port": 0
}
| no | +| [ec2\_ami](#input\_ec2\_ami) | The AMI used for the EC2 nodes. Recommended Ubuntu 20.04 LTS. | `string` | n/a | yes | +| [kasm\_build](#input\_kasm\_build) | The URL for the Kasm Workspaces build | `string` | n/a | yes | +| [kasm\_zone\_name](#input\_kasm\_zone\_name) | A name given to the kasm deployment Zone | `string` | `"default"` | no | +| [manager\_token](#input\_manager\_token) | The manager token value for Agents to authenticate to webapps. No special characters | `string` | n/a | yes | +| [num\_agents](#input\_num\_agents) | The number of Agent Role Servers to create in the deployment | `number` | `2` | no | +| [num\_cpx\_nodes](#input\_num\_cpx\_nodes) | The number of cpx RDP Role Servers to create in the deployment | `number` | `2` | no | +| [num\_webapps](#input\_num\_webapps) | The number of WebApp role servers to create in the deployment | `number` | `2` | no | +| [private\_lb\_security\_rules](#input\_private\_lb\_security\_rules) | A map of objects of security rules to apply to the Private ALB |
object({
from_port = number
to_port = number
protocol = string
})
|
{
"from_port": 443,
"protocol": "tcp",
"to_port": 443
}
| no | +| [project\_name](#input\_project\_name) | The name of the deployment (e.g dev, staging). A short single word | `string` | n/a | yes | +| [public\_lb\_security\_rules](#input\_public\_lb\_security\_rules) | A map of objects of security rules to apply to the Public ALB |
map(object({
from_port = number
to_port = number
protocol = string
}))
|
{
"http": {
"from_port": 80,
"protocol": "tcp",
"to_port": 80
},
"https": {
"from_port": 443,
"protocol": "tcp",
"to_port": 443
}
}
| no | +| [redis\_password](#input\_redis\_password) | The password for the Redis server. No special characters | `string` | n/a | yes | +| [service\_registration\_token](#input\_service\_registration\_token) | The service registration token value for cpx RDP servers to authenticate to webapps. No special characters | `string` | n/a | yes | +| [swap\_size](#input\_swap\_size) | The amount of swap (in MB) to configure inside the compute instances | `number` | n/a | yes | +| [user\_password](#input\_user\_password) | The standard (non administrator) user password. No special characters | `string` | n/a | yes | +| [vpc\_subnet\_cidr](#input\_vpc\_subnet\_cidr) | The subnet CIDR to use for the VPC | `string` | `"10.0.0.0/16"` | no | +| [web\_access\_cidrs](#input\_web\_access\_cidrs) | CIDR notation of the bastion host allowed to SSH in to the machines | `list(string)` |
[
"0.0.0.0/0"
]
| no | +| [webapp\_hdd\_size\_gb](#input\_webapp\_hdd\_size\_gb) | The HDD size for Kasm Webapp nodes | `number` | n/a | yes | +| [webapp\_instance\_type](#input\_webapp\_instance\_type) | The instance type for the webapps | `string` | `"t3.small"` | no | +| [webapp\_security\_rules](#input\_webapp\_security\_rules) | A map of objects of security rules to apply to the Kasm WebApp server |
object({
from_port = number
to_port = number
protocol = string
})
|
{
"from_port": 443,
"protocol": "tcp",
"to_port": 443
}
| no | +| [windows\_security\_rules](#input\_windows\_security\_rules) | A map of objects of security rules to apply to the Kasm Windows VMs |
map(object({
from_port = number
to_port = number
protocol = string
}))
|
{
"cpx_api": {
"from_port": 4902,
"protocol": "tcp",
"to_port": 4902
},
"cpx_rdp": {
"from_port": 3389,
"protocol": "tcp",
"to_port": 3389
},
"webapp_api": {
"from_port": 4902,
"protocol": "tcp",
"to_port": 4902
}
}
| no | + +## Outputs + +No outputs. + diff --git a/aws/standard/module/agent.tf b/aws/standard/module/agent.tf index 4914007..13d4a65 100644 --- a/aws/standard/module/agent.tf +++ b/aws/standard/module/agent.tf @@ -1,14 +1,16 @@ -resource "aws_instance" "kasm-agent" { - count = var.num_agents +resource "aws_instance" "agent" { + count = var.num_agents + ami = var.ec2_ami instance_type = var.agent_instance_type - vpc_security_group_ids = [data.aws_security_group.data-kasm_agent_sg.id] - subnet_id = data.aws_subnet.data-kasm_agent_subnet.id + vpc_security_group_ids = [aws_security_group.agent.id] + subnet_id = aws_subnet.agent.id key_name = var.aws_key_pair - associate_public_ip_address = false + iam_instance_profile = one(aws_iam_instance_profile.this[*].id) + associate_public_ip_address = true root_block_device { - volume_size = 120 + volume_size = var.agent_hdd_size_gb } user_data = templatefile("${path.module}/userdata/agent_bootstrap.sh", @@ -21,6 +23,6 @@ resource "aws_instance" "kasm-agent" { ) tags = { - Name = "${var.project_name}-${var.kasm_zone_name}-kasm-agent" + Name = "${var.project_name}-${var.kasm_zone_name}-kasm-agent-${count.index}" } } diff --git a/aws/standard/module/alb_logs_s3_bucket.tf b/aws/standard/module/alb_logs_s3_bucket.tf deleted file mode 100644 index bbfa0e0..0000000 --- a/aws/standard/module/alb_logs_s3_bucket.tf +++ /dev/null 
@@ -1,60 +0,0 @@
-data "aws_route53_zone" "kasm-route53-zone" {
- name = var.aws_domain_name
-}
-
-data "aws_elb_service_account" "main" {}
-
-resource "aws_s3_bucket" "kasm_s3_logs" {
- bucket_prefix = "${var.project_name}-${var.kasm_zone_name}-"
- force_destroy = true
-}
-
-resource "aws_s3_bucket_acl" "kasm_s3_acl" {
- bucket = aws_s3_bucket.kasm_s3_logs.id
- acl = "private"
-}
-
-resource "aws_s3_bucket_policy" "kasm_s3_logs_policy" {
- bucket = aws_s3_bucket.kasm_s3_logs.id
-
- policy = jsonencode({
- Id = "Policy"
- Version = "2012-10-17"
- Statement = [
- {
- Action = [
- "s3:PutObject"
- ]
- Effect = "Allow"
- Resource = "${aws_s3_bucket.kasm_s3_logs.arn}/AWSLogs/*"
- Principal = {
- AWS = [
- data.aws_elb_service_account.main.arn
- ]
- }
- }
- ]
- })
-}
-
-resource "aws_s3_bucket_server_side_encryption_configuration" "encrypt_elb_bucket" {
- bucket = aws_s3_bucket.kasm_s3_logs.id
-
- rule {
- apply_server_side_encryption_by_default {
- sse_algorithm = "AES256"
- }
- }
-}
-
-data "aws_s3_bucket" "data-kasm_s3_logs_bucket" {
- bucket = aws_s3_bucket.kasm_s3_logs.bucket
-}
-
-resource "aws_s3_bucket_public_access_block" "s3_log_public_access" {
- bucket = aws_s3_bucket.kasm_s3_logs.id
- block_public_acls = true
- block_public_policy = true
- ignore_public_acls = true
- restrict_public_buckets = true
-}
diff --git a/aws/standard/module/availability_zones.tf b/aws/standard/module/availability_zones.tf
deleted file mode 100644
index 87d8f48..0000000
--- a/aws/standard/module/availability_zones.tf
+++ /dev/null
@@ -1,3 +0,0 @@
-data "aws_availability_zones" "available" {
- state = "available"
-}
diff --git a/aws/standard/module/cert.tf b/aws/standard/module/cert.tf
index 2126e66..f95dfda 100644
--- a/aws/standard/module/cert.tf
+++ b/aws/standard/module/cert.tf
@@ -1,4 +1,4 @@ -resource "aws_acm_certificate" "kasm-alb-cert" { +resource "aws_acm_certificate" "this" { domain_name = var.aws_domain_name subject_alternative_names = ["*.${var.aws_domain_name}"] validation_method = "DNS" @@ -8,9 +8,9 @@ resource "aws_acm_certificate" "kasm-alb-cert" { } } -resource "aws_route53_record" "kasm-route53-cert-validation-record" { +resource "aws_route53_record" "this" { for_each = { - for dvo in aws_acm_certificate.kasm-alb-cert.domain_validation_options : dvo.domain_name => { + for dvo in aws_acm_certificate.this.domain_validation_options : dvo.domain_name => { name = dvo.resource_record_name record = dvo.resource_record_value type = dvo.resource_record_type @@ -19,13 +19,13 @@ resource "aws_route53_record" "kasm-route53-cert-validation-record" { name = each.value.name type = each.value.type records = [each.value.record] - zone_id = data.aws_route53_zone.kasm-route53-zone.id + zone_id = data.aws_route53_zone.this.id ttl = 30 allow_overwrite = true } -resource "aws_acm_certificate_validation" "kasm-elb-certificate-validation" { - certificate_arn = aws_acm_certificate.kasm-alb-cert.arn - validation_record_fqdns = [for record in aws_route53_record.kasm-route53-cert-validation-record : record.fqdn] +resource "aws_acm_certificate_validation" "this" { + certificate_arn = aws_acm_certificate.this.arn + validation_record_fqdns = [for record in aws_route53_record.this : record.fqdn] } diff --git a/aws/standard/module/db.tf b/aws/standard/module/db.tf index e802b50..bc9212d 100644 --- a/aws/standard/module/db.tf +++ b/aws/standard/module/db.tf 
@@ -1,12 +1,13 @@ -resource "aws_instance" "kasm-db" { +resource "aws_instance" "db" { ami = var.ec2_ami instance_type = var.db_instance_type - vpc_security_group_ids = [data.aws_security_group.data-kasm_db_sg.id] - subnet_id = data.aws_subnet.data-kasm_db_subnet.id + vpc_security_group_ids = [aws_security_group.db.id] + subnet_id = aws_subnet.db.id key_name = var.aws_key_pair + iam_instance_profile = one(aws_iam_instance_profile.this[*].id) root_block_device { - volume_size = 40 + volume_size = var.db_hdd_size_gb } user_data = templatefile("${path.module}/userdata/db_bootstrap.sh", @@ -26,7 +27,3 @@ resource "aws_instance" "kasm-db" { Name = "${var.project_name}-kasm-db" } } - -data "aws_instance" "data-kasm_db" { - instance_id = aws_instance.kasm-db.id -} diff --git a/aws/standard/module/dependencies.tf b/aws/standard/module/dependencies.tf new file mode 100644 index 0000000..a71327d --- /dev/null +++ b/aws/standard/module/dependencies.tf @@ -0,0 +1,25 @@ +locals { + private_lb_hostname = "${var.aws_region}-private.${var.aws_domain_name}" + + all_security_groups = compact([ + aws_security_group.public_lb.id, + aws_security_group.private_lb.id, + aws_security_group.webapp.id, + aws_security_group.agent.id, + aws_security_group.db.id, + one(aws_security_group.cpx[*].id), + one(aws_security_group.windows[*].id) + ]) + + webapp_security_rules = { for value in local.all_security_groups : value => var.webapp_security_rules if value != aws_security_group.db.id || value != aws_security_group.webapp.id } +} + +data "aws_availability_zones" "available" { + state = "available" +} + +data "aws_route53_zone" "this" { + name = var.aws_domain_name +} + +data "aws_elb_service_account" "main" {} diff --git a/aws/standard/module/elb_logs_s3_bucket.tf b/aws/standard/module/elb_logs_s3_bucket.tf new file mode 100644 index 0000000..b959e30 --- /dev/null +++ b/aws/standard/module/elb_logs_s3_bucket.tf 
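Review bot: The `root_block_device` block of `aws_instance.db` sets only `volume_size`, so whether the disk that presumably holds the database data is encrypted at rest depends on the account-level EBS default, which this module cannot see. Adding `encrypted = true` inside the block makes the requirement explicit. The `agent` and `cpx` instances in agent.tf and guac_rdp.tf declare their root volumes the same way. The part of the resource between the two hunks, including the `user_data` arguments, is outside this view.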
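Review bot: The filter on `local.webapp_security_rules` never excludes anything: `value != aws_security_group.db.id || value != aws_security_group.webapp.id` is true for every group, because no id can equal both. As written, the db and webapp groups are themselves admitted as sources by the `aws_security_group_rule.webapp` resource in security_group.tf; if the intent was to leave those two out, the condition needs `&&`, i.e. `if value != aws_security_group.db.id && value != aws_security_group.webapp.id`. Separately, the map is keyed by security-group ids that are only known after apply, which Terraform normally rejects as `for_each` keys on a first plan, so keying by a static name and carrying the id in the value would be safer.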
@@ -0,0 +1,50 @@
+resource "aws_s3_bucket" "this" {
+ bucket_prefix = "${var.project_name}-${var.kasm_zone_name}-"
+ force_destroy = true
+}
+
+resource "aws_s3_bucket_acl" "this" {
+ bucket = aws_s3_bucket.this.id
+ acl = "private"
+}
+
+resource "aws_s3_bucket_policy" "this" {
+ bucket = aws_s3_bucket.this.id
+
+ policy = jsonencode({
+ Id = "Policy"
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "s3:PutObject"
+ ]
+ Effect = "Allow"
+ Resource = "${aws_s3_bucket.this.arn}/AWSLogs/*"
+ Principal = {
+ AWS = [
+ data.aws_elb_service_account.main.arn
+ ]
+ }
+ }
+ ]
+ })
+}
+
+resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
+ bucket = aws_s3_bucket.this.id
+
+ rule {
+ apply_server_side_encryption_by_default {
+ sse_algorithm = "AES256"
+ }
+ }
+}
+
+resource "aws_s3_bucket_public_access_block" "this" {
+ bucket = aws_s3_bucket.this.id
+ block_public_acls = true
+ block_public_policy = true
+ ignore_public_acls = true
+ restrict_public_buckets = true
+}
diff --git a/aws/standard/module/guac_rdp.tf b/aws/standard/module/guac_rdp.tf
index b464ac9..c4d89d4 100644
--- a/aws/standard/module/guac_rdp.tf
+++ b/aws/standard/module/guac_rdp.tf
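Review bot: `force_destroy = true` on the load-balancer access-log bucket means a `terraform destroy`, or any change that replaces the bucket, deletes every stored log without a prompt, and those logs are the record an investigation would rely on. I would set `force_destroy = false`, or expose it as a variable that defaults to false, so that removing logs is a deliberate step. Also worth confirming against the `~> 5.0` provider pinned in provider.tf: `aws_s3_bucket_acl` with `acl = "private"` may be rejected on newly created buckets, where ACLs are disabled by default, unless an `aws_s3_bucket_ownership_controls` resource accompanies it.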
@@ -1,17 +1,18 @@ -resource "aws_instance" "kasm-guac" { - count = var.num_guac_nodes - ami = var.ec2_ami - instance_type = var.guac_instance_type - vpc_security_group_ids = [data.aws_security_group.data-kasm_guac_sg.id] - subnet_id = data.aws_subnet.data-kasm_guac_subnet.id - key_name = var.aws_key_pair - associate_public_ip_address = false +resource "aws_instance" "cpx" { + count = var.num_cpx_nodes + + ami = var.ec2_ami + instance_type = var.cpx_instance_type + vpc_security_group_ids = aws_security_group.cpx[*].id + subnet_id = one(aws_subnet.cpx[*].id) + key_name = var.aws_key_pair + iam_instance_profile = one(aws_iam_instance_profile.this[*].id) root_block_device { - volume_size = 120 + volume_size = var.cpx_hdd_size_gb } - user_data = templatefile("${path.module}/userdata/guac_bootstrap.sh", + user_data = templatefile("${path.module}/userdata/cpx_bootstrap.sh", { kasm_build_url = var.kasm_build swap_size = var.swap_size @@ -21,6 +22,6 @@ resource "aws_instance" "kasm-guac" { ) tags = { - Name = "${var.project_name}-${var.kasm_zone_name}-kasm-guac" + Name = "${var.project_name}-${var.kasm_zone_name}-kasm-cpx-${count.index}" } } diff --git a/aws/standard/module/natgw.tf b/aws/standard/module/natgw.tf deleted file mode 100644 index b30eee9..0000000 --- a/aws/standard/module/natgw.tf +++ /dev/null @@ -1,14 +0,0 @@ -resource "aws_eip" "nat_gateway_eip" { - vpc = true -} - -resource "aws_nat_gateway" "agent_and_guac_natgw" { - allocation_id = aws_eip.nat_gateway_eip.id - subnet_id = data.aws_subnet.data-kasm_webapp_subnets[0].id - - depends_on = [data.aws_internet_gateway.data-kasm-default-ig] -} - -data "aws_nat_gateway" "data-agent_and_guac_natgw" { - id = aws_nat_gateway.agent_and_guac_natgw.id -} diff --git a/aws/standard/module/private_alb.tf b/aws/standard/module/private_alb.tf index 81c67cb..ae00787 100644 --- a/aws/standard/module/private_alb.tf +++ b/aws/standard/module/private_alb.tf 
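Review bot: The CPX instances no longer set `associate_public_ip_address = false`, so whether they receive a public address now depends on the `map_public_ip_on_launch` setting of `aws_subnet.cpx`, which is not visible in this hunk. Keeping `associate_public_ip_address = false` on the resource states the intent where a reviewer will look for it, and matches the NAT route table that routes.tf assigns to this subnet. The `user_data` arguments between the two hunks are outside this view.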
@@ -1,16 +1,12 @@ -locals { - private_lb_hostname = "${var.kasm_zone_name}-private-lb.${var.aws_domain_name}" -} - -resource "aws_lb" "kasm-private-alb" { +resource "aws_lb" "private" { name = "${var.project_name}-private-lb" internal = true load_balancer_type = "application" - security_groups = [data.aws_security_group.data-kasm_default_elb_sg.id] - subnets = data.aws_subnet.data-kasm_webapp_subnets[*].id + security_groups = [aws_security_group.private_lb.id] + subnets = aws_subnet.webapp[*].id access_logs { - bucket = data.aws_s3_bucket.data-kasm_s3_logs_bucket.bucket + bucket = aws_s3_bucket.this.bucket enabled = true } @@ -19,15 +15,11 @@ resource "aws_lb" "kasm-private-alb" { } } -data "aws_lb" "data-kasm_private_alb" { - arn = aws_lb.kasm-private-alb.arn -} - -resource "aws_lb_target_group" "kasm-private-target-group" { +resource "aws_lb_target_group" "private" { name = "${var.project_name}-private-target-group" port = 443 protocol = "HTTPS" - vpc_id = data.aws_vpc.data-kasm-default-vpc.id + vpc_id = aws_vpc.this.id health_check { path = "/api/__healthcheck" @@ -40,19 +32,15 @@ resource "aws_lb_target_group" "kasm-private-target-group" { } } -data "aws_lb_target_group" "data-kasm_private_target_group" { - arn = aws_lb_target_group.kasm-private-target-group.arn -} - -resource "aws_lb_listener" "kasm-private-alb-listener" { - load_balancer_arn = data.aws_lb.data-kasm_private_alb.arn +resource "aws_lb_listener" "private" { + load_balancer_arn = aws_lb.private.arn port = "443" protocol = "HTTPS" - certificate_arn = aws_acm_certificate_validation.kasm-elb-certificate-validation.certificate_arn + certificate_arn = aws_acm_certificate_validation.this.certificate_arn default_action { type = "forward" - target_group_arn = data.aws_lb_target_group.data-kasm_private_target_group.arn + target_group_arn = aws_lb_target_group.private.arn } tags = { 
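Review bot: The `aws_lb_listener.private` HTTPS listener sets no `ssl_policy`, so it takes the provider default, which as far as I know is `ELBSecurityPolicy-2016-08` and still negotiates TLS 1.0 and 1.1. Pinning a current policy, for example `ssl_policy = "ELBSecurityPolicy-TLS13-1-2-2021-06"`, makes the accepted protocol versions explicit and reviewable. The `https` listener in public_alb.tf is written the same way and needs the same line. The listener's `tags` block continues outside this hunk.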
@@ -60,34 +48,22 @@ resource "aws_lb_listener" "kasm-private-alb-listener" { } } -resource "aws_lb_target_group_attachment" "kasm-private-target-group-attachment" { - count = var.num_webapps - target_group_arn = data.aws_lb_target_group.data-kasm_private_target_group.arn - target_id = data.aws_instance.data-kasm_web_app[count.index].id +resource "aws_lb_target_group_attachment" "private" { + count = var.num_webapps + + target_group_arn = aws_lb_target_group.private.arn + target_id = aws_instance.webapp[count.index].id port = 443 } -resource "aws_route53_record" "kasm-route53-private-elb-record" { - zone_id = data.aws_route53_zone.kasm-route53-zone.zone_id +resource "aws_route53_record" "private" { + zone_id = data.aws_route53_zone.this.zone_id name = local.private_lb_hostname type = "A" alias { - name = data.aws_lb.data-kasm_private_alb.dns_name - zone_id = data.aws_lb.data-kasm_private_alb.zone_id + name = aws_lb.private.dns_name + zone_id = aws_lb.private.zone_id evaluate_target_health = true } } - -resource "aws_route53_health_check" "kasm-private-elb-hc" { - fqdn = local.private_lb_hostname - port = 443 - type = "HTTPS" - resource_path = "/api/__healthcheck" - failure_threshold = "5" - request_interval = "30" - - tags = { - Name = "hc-${var.kasm_zone_name}-private-lb.${var.aws_domain_name}" - } -} diff --git a/aws/standard/module/provider.tf b/aws/standard/module/provider.tf index 099cb9c..d50a6bd 100644 --- a/aws/standard/module/provider.tf +++ b/aws/standard/module/provider.tf @@ -1,8 +1,10 @@ terraform { + required_version = "~> 1.0" + required_providers { aws = { - source = "hashicorp/aws" - #version = "4.56.0" + source = "hashicorp/aws" + version = "~> 5.0" } } } diff --git a/aws/standard/module/public_alb.tf b/aws/standard/module/public_alb.tf index 2728cd1..dc757dc 100644 --- a/aws/standard/module/public_alb.tf +++ b/aws/standard/module/public_alb.tf 
@@ -1,12 +1,12 @@ -resource "aws_lb" "kasm-alb" { +resource "aws_lb" "public" { name = "${var.project_name}-lb" internal = false load_balancer_type = "application" - security_groups = [data.aws_security_group.data-kasm_default_elb_sg.id] - subnets = data.aws_subnet.data-kasm_webapp_subnets[*].id + security_groups = [aws_security_group.public_lb.id] + subnets = aws_subnet.alb[*].id access_logs { - bucket = data.aws_s3_bucket.data-kasm_s3_logs_bucket.bucket + bucket = aws_s3_bucket.this.bucket enabled = true } @@ -15,40 +15,15 @@ resource "aws_lb" "kasm-alb" { } } -data "aws_lb" "data-kasm_alb" { - arn = aws_lb.kasm-alb.arn -} - -resource "aws_lb_target_group" "kasm-target-group" { - name = "${var.project_name}-target-group" - port = 443 - protocol = "HTTPS" - vpc_id = data.aws_vpc.data-kasm-default-vpc.id - - health_check { - path = "/api/__healthcheck" - matcher = 200 - protocol = "HTTPS" - } - - tags = { - Name = "${var.project_name}-kasm-public-tg" - } -} - -data "aws_lb_target_group" "data-kasm_target_group" { - arn = aws_lb_target_group.kasm-target-group.arn -} - -resource "aws_lb_listener" "kasm-alb-listener" { - load_balancer_arn = data.aws_lb.data-kasm_alb.arn +resource "aws_lb_listener" "https" { + load_balancer_arn = aws_lb.public.arn port = "443" protocol = "HTTPS" - certificate_arn = aws_acm_certificate_validation.kasm-elb-certificate-validation.certificate_arn + certificate_arn = aws_acm_certificate_validation.this.certificate_arn default_action { type = "forward" - target_group_arn = data.aws_lb_target_group.data-kasm_target_group.arn + target_group_arn = aws_lb_target_group.public.arn } tags = { @@ -56,8 +31,8 @@ resource "aws_lb_listener" "kasm-alb-listener" { } } -resource "aws_lb_listener" "kasm_alb_listener_http" { - load_balancer_arn = data.aws_lb.data-kasm_alb.arn +resource "aws_lb_listener" "http" { + load_balancer_arn = aws_lb.public.arn port = "80" protocol = "HTTP" 
@@ -76,44 +51,46 @@ resource "aws_lb_listener" "kasm_alb_listener_http" { } } -resource "aws_lb_target_group_attachment" "kasm-target-group-attachment" { - count = var.num_webapps - target_group_arn = data.aws_lb_target_group.data-kasm_target_group.arn - target_id = data.aws_instance.data-kasm_web_app[count.index].id - port = 443 -} +resource "aws_lb_target_group" "public" { + name = "${var.project_name}-target-group" + port = 443 + protocol = "HTTPS" + vpc_id = aws_vpc.this.id -resource "aws_route53_record" "kasm-route53-elb-record" { - zone_id = data.aws_route53_zone.kasm-route53-zone.zone_id - name = "${var.kasm_zone_name}-lb.${var.aws_domain_name}" - type = "A" + health_check { + path = "/api/__healthcheck" + matcher = 200 + protocol = "HTTPS" + } - alias { - name = aws_lb.kasm-alb.dns_name - zone_id = aws_lb.kasm-alb.zone_id - evaluate_target_health = true + tags = { + Name = "${var.project_name}-kasm-public-tg" } } -resource "aws_route53_record" "kasm-app-url" { - zone_id = data.aws_route53_zone.kasm-route53-zone.zone_id +resource "aws_lb_target_group_attachment" "public" { + count = var.num_webapps + + target_group_arn = aws_lb_target_group.public.arn + target_id = aws_instance.webapp[count.index].id + port = 443 +} + +resource "aws_route53_record" "public" { + zone_id = data.aws_route53_zone.this.zone_id name = var.aws_domain_name type = "A" set_identifier = "${var.project_name}-${var.kasm_zone_name}-set-id" alias { - name = data.aws_lb.data-kasm_alb.dns_name - zone_id = data.aws_lb.data-kasm_alb.zone_id + name = aws_lb.public.dns_name + zone_id = aws_lb.public.zone_id evaluate_target_health = true } - - latency_routing_policy { - region = var.aws_region - } } resource "aws_route53_health_check" "kasm-elb-hc" { - fqdn = "${var.kasm_zone_name}-lb.${var.aws_domain_name}" + fqdn = var.aws_domain_name port = 443 type = "HTTPS" resource_path = "/api/__healthcheck" 
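Review bot: `aws_route53_record.public` keeps `set_identifier` while this hunk removes its `latency_routing_policy` block, and Route 53 accepts a set identifier only on records that carry a routing policy (weighted, latency, failover, geolocation or multivalue). I would expect the apply to fail on this record; either drop the line `set_identifier = "${var.project_name}-${var.kasm_zone_name}-set-id"` or restore a routing policy. The `kasm-elb-hc` health check that closes the hunk continues past it.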
@@ -121,6 +98,6 @@ resource "aws_route53_health_check" "kasm-elb-hc" { request_interval = "30" tags = { - Name = "hc-${var.kasm_zone_name}-lb.${var.aws_domain_name}" + Name = "hc-${var.aws_domain_name}" } } diff --git a/aws/standard/module/routes.tf b/aws/standard/module/routes.tf index db10bbb..6116221 100644 --- a/aws/standard/module/routes.tf +++ b/aws/standard/module/routes.tf @@ -1,9 +1,9 @@ -resource "aws_route_table" "internet_access" { - vpc_id = data.aws_vpc.data-kasm-default-vpc.id +resource "aws_route_table" "ig" { + vpc_id = aws_vpc.this.id route { cidr_block = var.anywhere - gateway_id = data.aws_internet_gateway.data-kasm-default-ig.id + gateway_id = aws_internet_gateway.this.id } tags = { @@ -11,27 +11,12 @@ resource "aws_route_table" "internet_access" { } } -data "aws_route_table" "data-internet_gateway_route_table" { - route_table_id = aws_route_table.internet_access.id -} - -resource "aws_route_table_association" "webapp_route_association" { - count = var.num_webapps - subnet_id = data.aws_subnet.data-kasm_webapp_subnets[count.index].id - route_table_id = data.aws_route_table.data-internet_gateway_route_table.id -} - -resource "aws_route_table_association" "db_route_association" { - subnet_id = data.aws_subnet.data-kasm_db_subnet.id - route_table_id = data.aws_route_table.data-internet_gateway_route_table.id -} - -resource "aws_route_table" "nat_route_table" { - vpc_id = data.aws_vpc.data-kasm-default-vpc.id +resource "aws_route_table" "nat" { + vpc_id = aws_vpc.this.id route { cidr_block = var.anywhere - gateway_id = data.aws_nat_gateway.data-agent_and_guac_natgw.id + gateway_id = aws_nat_gateway.this.id } tags = { 
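Review bot: The `nat` route table in routes.tf passes a NAT gateway id through `gateway_id`, which is the argument for internet and virtual private gateways; the provider documentation notes that the API tolerates this but the resource then shows a permanent diff. The matching argument is `nat_gateway_id = aws_nat_gateway.this.id`. The table's `tags` block continues outside the hunk.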
@@ -39,16 +24,40 @@ resource "aws_route_table" "nat_route_table" { } } -data "aws_route_table" "data-nat_route_table" { - route_table_id = aws_route_table.nat_route_table.id +resource "aws_route_table_association" "alb" { + count = 2 + + subnet_id = aws_subnet.alb[count.index].id + route_table_id = aws_route_table.ig.id } -resource "aws_route_table_association" "agent_nat_route_table_association" { - subnet_id = data.aws_subnet.data-kasm_agent_subnet.id - route_table_id = data.aws_route_table.data-nat_route_table.id +resource "aws_route_table_association" "webapp" { + count = var.num_webapps + + subnet_id = aws_subnet.webapp[count.index].id + route_table_id = aws_route_table.nat.id } -resource "aws_route_table_association" "guac_nat_route_table_association" { - subnet_id = data.aws_subnet.data-kasm_guac_subnet.id - route_table_id = data.aws_route_table.data-nat_route_table.id +resource "aws_route_table_association" "db" { + subnet_id = aws_subnet.db.id + route_table_id = aws_route_table.nat.id +} + +resource "aws_route_table_association" "cpx" { + count = var.num_cpx_nodes > 0 ? 1 : 0 + + subnet_id = one(aws_subnet.cpx[*].id) + route_table_id = aws_route_table.nat.id +} + +resource "aws_route_table_association" "agent" { + subnet_id = aws_subnet.agent.id + route_table_id = aws_route_table.ig.id +} + +resource "aws_route_table_association" "windows" { + count = var.num_cpx_nodes > 0 ? 1 : 0 + + subnet_id = one(aws_subnet.windows[*].id) + route_table_id = aws_route_table.ig.id } diff --git a/aws/standard/module/security_group.tf b/aws/standard/module/security_group.tf index 2b8558b..a7b5c39 100644 --- a/aws/standard/module/security_group.tf +++ b/aws/standard/module/security_group.tf 
@@ -1,174 +1,160 @@ -resource "aws_security_group" "kasm-default-elb-sg" { - name = "${var.project_name}-kasm-allow-elb-access" +resource "aws_security_group" "public_lb" { + name = "${var.project_name}-kasm-allow-public-lb-access" description = "Security Group for ELB" - vpc_id = data.aws_vpc.data-kasm-default-vpc.id - - ingress { - from_port = 443 - to_port = 443 - protocol = "tcp" - cidr_blocks = var.web_access_cidrs - } - ingress { - from_port = 80 - to_port = 80 - protocol = "tcp" - cidr_blocks = var.web_access_cidrs - } - - egress { - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_blocks = [var.anywhere] - } + vpc_id = aws_vpc.this.id tags = { - Name = "${var.project_name}-kasm-allow-access" + Name = "${var.project_name}-kasm-public-lb-access" } } -data "aws_security_group" "data-kasm_default_elb_sg" { - id = aws_security_group.kasm-default-elb-sg.id +resource "aws_security_group_rule" "public_lb" { + for_each = var.public_lb_security_rules + + security_group_id = aws_security_group.public_lb.id + type = "ingress" + from_port = each.value.from_port + to_port = each.value.to_port + protocol = each.value.protocol + cidr_blocks = var.web_access_cidrs } -resource "aws_security_group" "kasm-webapp-sg" { - name = "${var.project_name}-${var.kasm_zone_name}-kasm-webapp" +resource "aws_security_group" "private_lb" { + name = "${var.project_name}-kasm-allow-private-lb-access" + description = "Security Group for ELB" + vpc_id = aws_vpc.this.id + + tags = { + Name = "${var.project_name}-kasm-private-lb-access" + } +} + +resource "aws_security_group_rule" "private_lb" { + for_each = var.private_lb_security_rules + + security_group_id = aws_security_group.private_lb.id + type = "ingress" + from_port = each.value.from_port + to_port = each.value.to_port + protocol = each.value.protocol + source_security_group_id = each.key +} + +resource "aws_security_group" "webapp" { + name = "${var.project_name}-kasm-webapp" description = "Allow access to webapps" - vpc_id = 
data.aws_vpc.data-kasm-default-vpc.id + vpc_id = aws_vpc.this.id - ingress { - from_port = 22 - to_port = 22 - protocol = "tcp" - cidr_blocks = var.ssh_access_cidrs - } - - ingress { - from_port = 443 - to_port = 443 - protocol = "tcp" - security_groups = [data.aws_security_group.data-kasm_default_elb_sg.id] - } - - ingress { - from_port = 443 - to_port = 443 - protocol = "tcp" - cidr_blocks = [ - data.aws_subnet.data-kasm_agent_subnet.cidr_block, - data.aws_subnet.data-kasm_guac_subnet.cidr_block - ] - } - - egress { - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_blocks = [var.anywhere] + tags = { + Name = "${var.project_name}-kasm-webapp-access" } } -data "aws_security_group" "data-kasm_webapp_sg" { - id = aws_security_group.kasm-webapp-sg.id +resource "aws_security_group_rule" "webapp" { + for_each = local.webapp_security_rules + + security_group_id = aws_security_group.webapp.id + type = "ingress" + from_port = each.value.from_port + to_port = each.value.to_port + protocol = each.value.protocol + source_security_group_id = each.key } -resource "aws_security_group" "kasm-agent-sg" { - name = "${var.project_name}-${var.kasm_zone_name}-kasm-agent-access" +resource "aws_security_group" "agent" { + name = "${var.project_name}-kasm-agent-access" description = "Allow access to agents" - vpc_id = data.aws_vpc.data-kasm-default-vpc.id + vpc_id = aws_vpc.this.id - ingress { - from_port = 22 - to_port = 22 - protocol = "tcp" - cidr_blocks = var.ssh_access_cidrs - } - - ingress { - from_port = 443 - to_port = 443 - protocol = "tcp" - cidr_blocks = data.aws_subnet.data-kasm_webapp_subnets[*].cidr_block - } - - egress { - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_blocks = [var.anywhere] + tags = { + Name = "${var.project_name}-kasm-agent-access" } } -data "aws_security_group" "data-kasm_agent_sg" { - id = aws_security_group.kasm-agent-sg.id +resource "aws_security_group_rule" "agent" { + for_each = var.agent_security_rules + + security_group_id = 
aws_security_group.agent.id + type = "ingress" + from_port = each.value.from_port + to_port = each.value.to_port + protocol = each.value.protocol + source_security_group_id = aws_security_group.webapp.id } -resource "aws_security_group" "kasm-db-sg" { - name = "${var.project_name}-${var.kasm_zone_name}-kasm-db-access" +resource "aws_security_group" "db" { + name = "${var.project_name}-kasm-db-access" description = "Allow access to webapps" - vpc_id = data.aws_vpc.data-kasm-default-vpc.id + vpc_id = aws_vpc.this.id - ingress { - from_port = 22 - to_port = 22 - protocol = "tcp" - cidr_blocks = var.ssh_access_cidrs - } - - ingress { - from_port = 5432 - to_port = 5432 - protocol = "tcp" - cidr_blocks = data.aws_subnet.data-kasm_webapp_subnets[*].cidr_block - } - - ingress { - from_port = 6379 - to_port = 6379 - protocol = "tcp" - cidr_blocks = data.aws_subnet.data-kasm_webapp_subnets[*].cidr_block - } - - egress { - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_blocks = [var.anywhere] + tags = { + Name = "${var.project_name}-kasm-db-access" } } -data "aws_security_group" "data-kasm_db_sg" { - id = aws_security_group.kasm-db-sg.id +resource "aws_security_group_rule" "db" { + for_each = var.db_security_rules + + security_group_id = aws_security_group.db.id + type = "ingress" + from_port = each.value.from_port + to_port = each.value.to_port + protocol = each.value.protocol + source_security_group_id = aws_security_group.webapp.id } -resource "aws_security_group" "kasm-guac-sg" { - name = "${var.project_name}-${var.kasm_zone_name}-kasm-guac-access" - description = "Allow access to guac RDP nodes" - vpc_id = data.aws_vpc.data-kasm-default-vpc.id +resource "aws_security_group" "cpx" { + count = var.num_cpx_nodes > 0 ? 
1 : 0 - ingress { - from_port = 22 - to_port = 22 - protocol = "tcp" - cidr_blocks = var.ssh_access_cidrs - } + name = "${var.project_name}-kasm-cpx-access" + description = "Allow access to cpx RDP nodes" - ingress { - from_port = 443 - to_port = 443 - protocol = "tcp" - cidr_blocks = data.aws_subnet.data-kasm_webapp_subnets[*].cidr_block - } - - egress { - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_blocks = [var.anywhere] + tags = { + Name = "${var.project_name}-kasm-cpx-access" } } -data "aws_security_group" "data-kasm_guac_sg" { - id = aws_security_group.kasm-guac-sg.id +resource "aws_security_group_rule" "cpx" { + for_each = var.num_cpx_nodes > 0 ? var.cpx_security_rules : {} + + security_group_id = one(aws_security_group.cpx[*].id) + type = "ingress" + from_port = each.value.from_port + to_port = each.value.to_port + protocol = each.value.protocol + source_security_group_id = aws_security_group.webapp.id } + +resource "aws_security_group" "windows" { + count = var.num_cpx_nodes > 0 ? 1 : 0 + + name = "${var.project_name}-kasm-windows-access" + description = "Allow access to Windows servers" + vpc_id = aws_vpc.this.id + + tags = { + Name = "${var.project_name}-kasm-windows-access" + } +} + +resource "aws_security_group_rule" "windows" { + for_each = var.num_cpx_nodes > 0 ? var.windows_security_rules : {} + + security_group_id = one(aws_security_group.windows[*].id) + type = "ingress" + from_port = each.value.from_port + to_port = each.value.to_port + protocol = each.value.protocol + source_security_group_id = can(regex("(?i:cpx)", each.key)) ? 
one(aws_security_group.cpx[*].id) : aws_security_group.webapp.id +} + +resource "aws_security_group_rule" "egress" { + for_each = { for value in local.all_security_groups : value => var.default_egress } + + security_group_id = each.key + type = each.value.rule_type + from_port = each.value.from_port + to_port = each.value.to_port + protocol = each.value.protocol + cidr_blocks = var.web_access_cidrs +} \ No newline at end of file diff --git a/aws/standard/module/ssm.tf b/aws/standard/module/ssm.tf new file mode 100644 index 0000000..6858607 --- /dev/null +++ b/aws/standard/module/ssm.tf @@ -0,0 +1,29 @@ +resource "aws_iam_role" "this" { + count = var.create_aws_ssm_iam_role ? 1 : 0 + + name = var.aws_ssm_iam_role_name != "" ? var.aws_ssm_iam_role_name : "Kasm_SSM_IAM_Instance_Role" + assume_role_policy = jsonencode({ + Version = "2012-10-17" + Statement = [{ + Action = "sts:AssumeRole" + Effect = "Allow" + Principal = { + Service = "ec2.amazonaws.com" + } + }] + }) +} + +resource "aws_iam_role_policy_attachment" "this" { + count = var.create_aws_ssm_iam_role ? 1 : 0 + + policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore" + role = one(aws_iam_role.this[*].name) +} + +resource "aws_iam_instance_profile" "this" { + count = var.create_aws_ssm_iam_role ? 1 : 0 + + name = "Kasm_SSM_Instance_Profile" + role = one(aws_iam_role.this[*].name) +} diff --git a/aws/standard/module/subnet.tf b/aws/standard/module/subnet.tf index 60a7ea5..33ca8c9 100644 --- a/aws/standard/module/subnet.tf +++ b/aws/standard/module/subnet.tf 
@@ -2,68 +2,81 @@ locals { kasm_vpc_subnet_cidr_mask = split("/", var.vpc_subnet_cidr)[1] kasm_server_subnet_cidr_calculation = (8 - (local.kasm_vpc_subnet_cidr_mask - 16)) kasm_server_subnet_cidr_size = local.kasm_server_subnet_cidr_calculation < 3 ? 3 : local.kasm_server_subnet_cidr_calculation - kasm_agent_subnet_id = (var.num_webapps + 1) } -## Will create Agent subnet x.x.0.x/24 (assuming a VPC Subnet CIDR between x.x.0.0/16 and x.x.0.0/21) -resource "aws_subnet" "kasm-db-subnet" { - vpc_id = data.aws_vpc.data-kasm-default-vpc.id - cidr_block = cidrsubnet(var.vpc_subnet_cidr, local.kasm_server_subnet_cidr_size, 0) +## Will create Agent subnet x.x.0.0/24 and x.x.1.0/24 (assuming a VPC Subnet CIDR between x.x.0.0/16 and x.x.0.0/21) +resource "aws_subnet" "alb" { + count = 2 + + vpc_id = aws_vpc.this.id + cidr_block = cidrsubnet(var.vpc_subnet_cidr, local.kasm_server_subnet_cidr_size, count.index) + availability_zone = data.aws_availability_zones.available.names[count.index] map_public_ip_on_launch = true - + + tags = { + Name = "${var.project_name}-kasm-lb-subnet-${count.index}" + } +} + +## Will create WebApp subnets x.x.2.0/24 and x.x.3.0/24 (assuming a VPC Subnet CIDR between x.x.0.0/16 and x.x.0.0/21) +resource "aws_subnet" "webapp" { + count = var.num_webapps + + vpc_id = aws_vpc.this.id + cidr_block = cidrsubnet(var.vpc_subnet_cidr, local.kasm_server_subnet_cidr_size, (count.index + 2)) + availability_zone = data.aws_availability_zones.available.names[count.index] + + tags = { + Name = "${var.project_name}-kasm-webapp-subnet-${count.index}" + } +} + +## Will create Agent subnet x.x.4.0/24 (assuming a VPC Subnet CIDR between x.x.0.0/16 and x.x.0.0/21) +resource "aws_subnet" "db" { + vpc_id = aws_vpc.this.id + cidr_block = cidrsubnet(var.vpc_subnet_cidr, local.kasm_server_subnet_cidr_size, 4) + availability_zone = data.aws_availability_zones.available.names[1] + tags = { Name = "${var.project_name}-kasm-db-subnet" } } -data "aws_subnet" "data-kasm_db_subnet" 
{ - id = aws_subnet.kasm-db-subnet.id -} - -## Will create WebApp subnets x.x.1.x/24 and x.x.2.x/24 (assuming a VPC Subnet CIDR between x.x.0.0/16 and x.x.0.0/21) -resource "aws_subnet" "kasm-webapp-subnets" { - count = var.num_webapps - vpc_id = data.aws_vpc.data-kasm-default-vpc.id - cidr_block = cidrsubnet(var.vpc_subnet_cidr, local.kasm_server_subnet_cidr_size, (count.index + 1)) - availability_zone = data.aws_availability_zones.available.names[count.index] +## Will create Agent subnet x.x.6.0/24 (assuming a VPC Subnet CIDR between x.x.0.0/16 and x.x.0.0/21) +resource "aws_subnet" "agent" { + vpc_id = aws_vpc.this.id + cidr_block = cidrsubnet(var.vpc_subnet_cidr, local.kasm_server_subnet_cidr_size, 5) map_public_ip_on_launch = true + availability_zone = data.aws_availability_zones.available.names[1] tags = { - Name = "${var.project_name}-kasm-webapp-subnet" + Name = "${var.project_name}-agent-subnet" } } -data "aws_subnet" "data-kasm_webapp_subnets" { - count = var.num_webapps - id = aws_subnet.kasm-webapp-subnets[count.index].id -} +## Will create CPX subnet x.x.5.0/24 (assuming a VPC Subnet CIDR between x.x.0.0/16 and x.x.0.0/21) +resource "aws_subnet" "cpx" { + count = var.num_cpx_nodes > 0 ? 
1 : 0 -## Will create Agent subnet x.x.3.x/24 (assuming a VPC Subnet CIDR between x.x.0.0/16 and x.x.0.0/21) -resource "aws_subnet" "kasm-agent-subnet" { - vpc_id = data.aws_vpc.data-kasm-default-vpc.id - cidr_block = cidrsubnet(var.vpc_subnet_cidr, local.kasm_server_subnet_cidr_size, local.kasm_agent_subnet_id) - map_public_ip_on_launch = true + vpc_id = aws_vpc.this.id + cidr_block = cidrsubnet(var.vpc_subnet_cidr, local.kasm_server_subnet_cidr_size, 6) + availability_zone = data.aws_availability_zones.available.names[0] tags = { - Name = "${var.project_name}-agent-natgw-subnet" + Name = "${var.project_name}-cpx-subnet" } } -data "aws_subnet" "data-kasm_agent_subnet" { - id = aws_subnet.kasm-agent-subnet.id -} +## Will create cpx subnet x.x.7.0/24 (assuming a VPC Subnet CIDR between x.x.0.0/16 and x.x.0.0/21) +resource "aws_subnet" "windows" { + count = var.num_cpx_nodes > 0 ? 1 : 0 -## Will create Guac subnet x.x.4.x/24 (assuming a VPC Subnet CIDR between x.x.0.0/16 and x.x.0.0/21) -resource "aws_subnet" "kasm-guac-subnet" { - vpc_id = data.aws_vpc.data-kasm-default-vpc.id - cidr_block = cidrsubnet(var.vpc_subnet_cidr, local.kasm_server_subnet_cidr_size, (local.kasm_agent_subnet_id + 1)) + vpc_id = aws_vpc.this.id + cidr_block = cidrsubnet(var.vpc_subnet_cidr, local.kasm_server_subnet_cidr_size, 7) map_public_ip_on_launch = true + availability_zone = data.aws_availability_zones.available.names[1] tags = { - Name = "${var.project_name}-guac-natgw-subnet" + Name = "${var.project_name}-windows-subnet" } } - -data "aws_subnet" "data-kasm_guac_subnet" { - id = aws_subnet.kasm-guac-subnet.id -} diff --git a/aws/standard/module/userdata/cpx_bootstrap.sh b/aws/standard/module/userdata/cpx_bootstrap.sh new file mode 100644 index 0000000..5125904 --- /dev/null +++ b/aws/standard/module/userdata/cpx_bootstrap.sh 
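Review bot: The `webapp` subnets take netnum `count.index + 2`, while `db`, `agent`, `cpx` and `windows` use the fixed netnums 4, 5, 6 and 7, so any `num_webapps` above 2 requests a block another subnet already claims and the apply fails on overlapping CIDRs; a root-level validation elsewhere in this patch appears to allow up to 6 webapps. Either cap `num_webapps` at 2 for this layout or move the fixed tiers to netnums the webapp range cannot reach. The comments are also out of step with the code: the `agent` block says x.x.6.0/24 but uses netnum 5, and the `cpx` block says x.x.5.0/24 but uses 6. Separately, `windows` sets `map_public_ip_on_launch = true` for hosts that the security rules in this patch open only to the CPX and webapp groups; unless those servers need a public address, dropping that line keeps the RDP hosts off public IPs.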
@@ -0,0 +1,29 @@ +#!/bin/bash +set -ex +echo "Starting Kasm Workspaces Agent Install" + +/bin/dd if=/dev/zero of=/var/swap.1 bs=1M count=${swap_size} +/sbin/mkswap /var/swap.1 +chmod 600 /var/swap.1 +/sbin/swapon /var/swap.1 + +echo '/var/swap.1 swap swap defaults 0 0' | tee -a /etc/fstab + +cd /tmp + +PRIVATE_IP=(`hostname -I | cut -d ' ' -f1 | tr -d '\\n'`) + +wget ${kasm_build_url} -O kasm_workspaces.tar.gz +tar -xf kasm_workspaces.tar.gz + +echo "Waiting for Kasm WebApp availability..." +while ! (curl -k https://${manager_address}/api/__healthcheck 2>/dev/null | grep -q true) +do + echo "Waiting for API server..." + sleep 5 +done +echo "WebApp is alive" + +bash kasm_release/install.sh -S cpx -e -p $PRIVATE_IP -n ${manager_address} -k ${service_registration_token} + +echo "Done" diff --git a/aws/standard/module/userdata/db_bootstrap.sh b/aws/standard/module/userdata/db_bootstrap.sh index 5317314..f28ff02 100644 --- a/aws/standard/module/userdata/db_bootstrap.sh +++ b/aws/standard/module/userdata/db_bootstrap.sh @@ -11,8 +11,6 @@ echo '/var/swap.1 swap swap defaults 0 0' | tee -a /etc/fstab cd /tmp -PRIVATE_IP=(`hostname -I | cut -d ' ' -f1 | tr -d '\\n'`) - wget ${kasm_build_url} -O kasm_workspaces.tar.gz tar -xf kasm_workspaces.tar.gz bash kasm_release/install.sh -S db -e -Q ${database_password} -R ${redis_password} -U ${user_password} -P ${admin_password} -M ${manager_token} -k ${service_registration_token} diff --git a/aws/standard/module/userdata/webapp_bootstrap.sh b/aws/standard/module/userdata/webapp_bootstrap.sh index 5f781f5..5ee0d2f 100644 --- a/aws/standard/module/userdata/webapp_bootstrap.sh +++ b/aws/standard/module/userdata/webapp_bootstrap.sh @@ -11,8 +11,6 @@ echo '/var/swap.1 swap swap defaults 0 0' | tee -a /etc/fstab cd /tmp -PRIVATE_IP=(`hostname -I | cut -d ' ' -f1 | tr -d '\\n'`) - wget ${kasm_build_url} -O kasm_workspaces.tar.gz tar -xf kasm_workspaces.tar.gz 
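Review bot: `set -ex` at the top of cpx_bootstrap.sh means the final `install.sh ... -k ${service_registration_token}` line is echoed with the rendered token into whatever captures user-data output (typically the cloud-init output log), where it outlives the bootstrap. Putting `set +x` immediately before the `bash kasm_release/install.sh` line, or dropping `-x` altogether, keeps the token out of that log. The archive fetched with `wget ${kasm_build_url}` is also unpacked and executed without any integrity check; passing an expected SHA-256 into the template and verifying it with `sha256sum -c` before `tar -xf` would close that gap. The health-check loop uses `curl -k`, which is tolerable for a liveness probe but deserves a comment saying certificate verification is deliberately skipped there.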
diff --git a/aws/standard/module/variables.tf b/aws/standard/module/variables.tf index b9e0e7d..715fd79 100644 --- a/aws/standard/module/variables.tf +++ b/aws/standard/module/variables.tf @@ -31,8 +31,8 @@ variable "num_agents" { default = 2 } -variable "num_guac_nodes" { - description = "The number of Agent Role Servers to create in the deployment" +variable "num_cpx_nodes" { + description = "The number of cpx RDP Role Servers to create in the deployment" type = number default = 2 } @@ -55,16 +55,30 @@ variable "agent_instance_type" { default = "t3.medium" } -variable "guac_instance_type" { - description = "The instance type for the Guacamole RDP nodes" +variable "cpx_instance_type" { + description = "The instance type for the cpxamole RDP nodes" type = string default = "t3.medium" } -variable "ssh_access_cidrs" { - description = "CIDR notation of the bastion host allowed to SSH in to the machines" - type = list(string) - default = ["0.0.0.0/0"] +variable "webapp_hdd_size_gb" { + description = "The HDD size for Kasm Webapp nodes" + type = number +} + +variable "db_hdd_size_gb" { + description = "The HDD size for Kasm DB" + type = number +} + +variable "cpx_hdd_size_gb" { + description = "The HDD size for Kasm Guac RDP nodes" + type = number +} + +variable "agent_hdd_size_gb" { + description = "The HDD size for Kasm Agent nodes" + type = number } variable "web_access_cidrs" { @@ -93,6 +107,18 @@ variable "swap_size" { type = number } +variable "create_aws_ssm_iam_role" { + description = "Create an AWS SSM IAM role to attach to VMs for SSH/console access to VMs." + type = bool + default = false +} + +variable "aws_ssm_iam_role_name" { + description = "The name of the SSM EC2 role to associate with Kasm VMs for SSH access" + type = string + default = "" +} + variable "database_password" { description = "The password for the database. No special characters" type = string 
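Review bot: Two descriptions in the second hunk are leftovers from the guac-to-cpx search and replace: `cpx_instance_type` now reads "cpxamole RDP nodes" and `cpx_hdd_size_gb` still says "Kasm Guac RDP nodes". Suggest `description = "The instance type for the Kasm Connection Proxy (CPX) nodes"` and `description = "The HDD size for Kasm CPX nodes"`. The four new `*_hdd_size_gb` descriptions would also read better with the unit stated ("in GB"), as the root-level variables later in this patch do.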
@@ -124,7 +150,7 @@ variable "manager_token" { } variable "service_registration_token" { - description = "The service registration token value for Guac RDP servers to authenticate to webapps. No special characters" + description = "The service registration token value for cpx RDP servers to authenticate to webapps. No special characters" type = string sensitive = true } 
@@ -145,3 +171,155 @@ variable "anywhere" { error_message = "Anywhere variable must be valid IPv4 CIDR - usually 0.0.0.0/0 for all default routes and default Security Group access." } } + +variable "public_lb_security_rules" { + description = "A map of objects of security rules to apply to the Public ALB" + type = map(object({ + from_port = number + to_port = number + protocol = string + })) + + default = { + https = { + from_port = 443 + to_port = 443 + protocol = "tcp" + } + http = { + from_port = 80 + to_port = 80 + protocol = "tcp" + } + } +} + +variable "private_lb_security_rules" { + description = "A map of objects of security rules to apply to the Private ALB" + type = object({ + from_port = number + to_port = number + protocol = string + }) + + default = { + from_port = 443 + to_port = 443 + protocol = "tcp" + } +} + +variable "webapp_security_rules" { + description = "A map of objects of security rules to apply to the Kasm WebApp server" + type = object({ + from_port = number + to_port = number + protocol = string + }) + + default = { + from_port = 443 + to_port = 443 + protocol = "tcp" + } +} + +variable "db_security_rules" { + description = "A map of objects of security rules to apply to the Kasm DB" + type = map(object({ + from_port = number + to_port = number + protocol = string + })) + + default = { + postgres = { + from_port = 5432 + to_port = 5432 + protocol = "tcp" + } + redis = { + from_port = 6379 + to_port = 6379 + protocol = "tcp" + } + } +} + +variable "cpx_security_rules" { + description = "A map of objects of security rules to apply to the Kasm Connection Proxy server" + type = map(object({ + from_port = number + to_port = number + protocol = string + })) + + default = { + https = { + from_port = 443 + to_port = 443 + protocol = "tcp" + } + } +} + +variable "agent_security_rules" { + description = "A map of objects of security rules to apply to the Kasm WebApp server" + type = map(object({ + from_port = number + to_port = number + protocol = 
string + })) + + default = { + https = { + from_port = 443 + to_port = 443 + protocol = "tcp" + } + } +} + +variable "windows_security_rules" { + description = "A map of objects of security rules to apply to the Kasm Windows VMs" + type = map(object({ + from_port = number + to_port = number + protocol = string + })) + + default = { + cpx_rdp = { + from_port = 3389 + to_port = 3389 + protocol = "tcp" + } + cpx_api = { + from_port = 4902 + to_port = 4902 + protocol = "tcp" + } + webapp_api = { + from_port = 4902 + to_port = 4902 + protocol = "tcp" + } + } +} + +variable "default_egress" { + description = "Default egress security rule for all security groups" + type = object({ + from_port = number + to_port = number + protocol = string + cidr_subnets = list(string) + }) + + default = { + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_subnets = ["0.0.0.0/0"] + } +} diff --git a/aws/standard/module/vpc.tf b/aws/standard/module/vpc.tf index 27442b5..edb43ee 100644 --- a/aws/standard/module/vpc.tf +++ b/aws/standard/module/vpc.tf 
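Review bot: `default_egress` does not match how `aws_security_group_rule.egress` in this patch consumes it: the rule reads `each.value.rule_type`, which this object type does not declare, and it takes `cidr_blocks` from `var.web_access_cidrs` rather than from the `cidr_subnets` field defined here. As written the attribute lookup should fail at plan time, and once that is fixed outbound traffic would be limited to the inbound allow-list rather than the 0.0.0.0/0 default this variable presumably intends. Suggest adding `rule_type = string` (default `"egress"`) to the object and using `cidr_blocks = each.value.cidr_subnets` in the rule. `private_lb_security_rules` and `webapp_security_rules` are described as "A map of objects" but typed as a single object, and `agent_security_rules` carries the WebApp description; those strings should be corrected.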
@@ -1,23 +1,36 @@ -resource "aws_vpc" "kasm-default-vpc" { +resource "aws_vpc" "this" { cidr_block = var.vpc_subnet_cidr enable_dns_hostnames = true enable_dns_support = true tags = { - Name = "${var.project_name}-kasm-db-vpc" + Name = "${var.project_name}-kasm-vpc" } } -data "aws_vpc" "data-kasm-default-vpc" { - id = aws_vpc.kasm-default-vpc.id -} +resource "aws_internet_gateway" "this" { + vpc_id = aws_vpc.this.id -resource "aws_internet_gateway" "kasm-default-ig" { - vpc_id = data.aws_vpc.data-kasm-default-vpc.id tags = { Name = "${var.project_name}-kasm-ig" } } -data "aws_internet_gateway" "data-kasm-default-ig" { - internet_gateway_id = aws_internet_gateway.kasm-default-ig.id +resource "aws_eip" "this" { + domain = "vpc" + + tags = { + Name = "${var.project_name}-kasm-nat-gateway-eip" + } + +} + +resource "aws_nat_gateway" "this" { + allocation_id = aws_eip.this.id + subnet_id = aws_subnet.alb[0].id + + tags = { + Name = "${var.project_name}-kasm-nat-gateway" + } + + depends_on = [aws_internet_gateway.this] } diff --git a/aws/standard/module/webapp.tf b/aws/standard/module/webapp.tf index 1361856..9b05b61 100644 --- a/aws/standard/module/webapp.tf +++ b/aws/standard/module/webapp.tf 
@@ -1,20 +1,21 @@ -resource "aws_instance" "kasm-web-app" { - count = var.num_webapps - ami = var.ec2_ami - instance_type = var.webapp_instance_type - vpc_security_group_ids = [data.aws_security_group.data-kasm_webapp_sg.id] - subnet_id = data.aws_subnet.data-kasm_webapp_subnets[count.index].id - key_name = var.aws_key_pair - associate_public_ip_address = true +resource "aws_instance" "webapp" { + count = var.num_webapps + + ami = var.ec2_ami + instance_type = var.webapp_instance_type + vpc_security_group_ids = [aws_security_group.webapp.id] + subnet_id = aws_subnet.webapp[count.index].id + key_name = var.aws_key_pair + iam_instance_profile = one(aws_iam_instance_profile.this[*].id) root_block_device { - volume_size = 40 + volume_size = var.webapp_hdd_size_gb } user_data = templatefile("${path.module}/userdata/webapp_bootstrap.sh", { kasm_build_url = var.kasm_build - db_ip = data.aws_instance.data-kasm_db.private_ip + db_ip = aws_instance.db.private_ip database_password = var.database_password redis_password = var.redis_password swap_size = var.swap_size @@ -23,11 +24,6 @@ resource "aws_instance" "kasm-web-app" { ) tags = { - Name = "${var.project_name}-${var.kasm_zone_name}-kasm-webapp" + Name = "${var.project_name}-${var.kasm_zone_name}-kasm-webapp-${count.index}" } } - -data "aws_instance" "data-kasm_web_app" { - count = var.num_webapps - instance_id = aws_instance.kasm-web-app[count.index].id -} diff --git a/aws/standard/output.tf b/aws/standard/output.tf new file mode 100644 index 0000000..f119c29 --- /dev/null +++ b/aws/standard/output.tf 
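Review bot: The rewritten `aws_instance.webapp` renders `database_password` and `redis_password` into `user_data` but sets no `metadata_options`, so unless the AMI or an account default enforces it, IMDSv1 stays available and a request-forgery bug in any process on the host could read the user data. Adding `metadata_options { http_tokens = "required" }` to the resource enforces IMDSv2. `root_block_device` likewise sets only `volume_size`; `encrypted = true` there would cover the volume those secrets land on, unless account-level default encryption is already on. `key_name` is still assigned although this patch removes `ssh_access_cidrs`, so a comment saying whether the key pair is kept for break-glass use would help. The `templatefile` call continues past the end of this hunk.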
@@ -0,0 +1,7 @@ +output "kasm_zone_settings" { + description = "Upstream Auth settings to apply to Kasm Zone configuration" + value = <= 1 && var.num_webapps <= 3 && floor(var.num_webapps) == var.num_webapps - error_message = "Acceptable number of webapps range between 1-3." + condition = var.num_webapps >= 1 && var.num_webapps <= 6 && floor(var.num_webapps) == var.num_webapps + error_message = "Acceptable number of webapps range between 1-6." } } variable "num_agents" { description = "The number of Agent Role Servers to create in the deployment" type = number - default = 2 validation { condition = var.num_agents >= 0 && var.num_agents <= 100 && floor(var.num_agents) == var.num_agents 
@@ -159,32 +153,59 @@ variable "num_agents" { } } -variable "num_guac_nodes" { +variable "num_cpx_nodes" { description = "The number of Agent Role Servers to create in the deployment" type = number - default = 1 validation { - condition = var.num_guac_nodes >= 0 && var.num_guac_nodes <= 100 && floor(var.num_guac_nodes) == var.num_guac_nodes - error_message = "Acceptable number of Kasm Agents range between 0-100." + condition = var.num_cpx_nodes == 0 ? true : var.num_cpx_nodes >= 0 && var.num_cpx_nodes <= 100 && floor(var.num_cpx_nodes) == var.num_cpx_nodes + error_message = "If num_cpx_nodes is set to 0, this Terraform will not deploy the Connection Proxy node. Acceptable number of Kasm Agents range between 0-100." } } -variable "ssh_access_cidrs" { - description = "CIDR notation of the bastion host allowed to SSH in to the machines" - type = list(string) - default = ["0.0.0.0/0"] +variable "webapp_hdd_size_gb" { + description = "The HDD size in GB to configure for the Kasm WebApp instances" + type = number validation { - condition = alltrue([for subnet in var.ssh_access_cidrs : can(cidrhost(subnet, 0))]) - error_message = "One of the subnets provided in the ssh_access_cidr variable is invalid." + condition = can(var.webapp_hdd_size_gb >= 40) + error_message = "Kasm Webapps should have at least a 40 GB HDD to ensure enough space for Kasm services." + } +} + +variable "db_hdd_size_gb" { + description = "The HDD size in GB to configure for the Kasm Database instances" + type = number + + validation { + condition = can(var.db_hdd_size_gb >= 40) + error_message = "Kasm Database should have at least a 40 GB HDD to ensure enough space for Kasm services." + } +} + +variable "agent_hdd_size_gb" { + description = "The HDD size in GB to configure for the Kasm Agent instances" + type = number + + validation { + condition = can(var.agent_hdd_size_gb >= 120) + error_message = "Kasm Agents should have at least a 120 GB HDD to ensure enough space for Kasm services." 
+ } +} + +variable "cpx_hdd_size_gb" { + description = "The HDD size in GB to configure for the Kasm cpx RDP instances" + type = number + + validation { + condition = can(var.cpx_hdd_size_gb >= 40) + error_message = "Kasm cpx RDP nodes should have at least a 40 GB HDD to ensure enough space for Kasm services. If num_cpx_nodes is set to 0 this setting is ignored." } } variable "web_access_cidrs" { description = "CIDR notation of the bastion host allowed to SSH in to the machines" type = list(string) - default = ["0.0.0.0/0"] validation { condition = alltrue([for subnet in var.web_access_cidrs : can(cidrhost(subnet, 0))]) @@ -192,12 +213,12 @@ variable "web_access_cidrs" { } } -variable "ec2_ami" { - description = "The AMI used for the EC2 nodes. Recommended Ubuntu 20.04 LTS." +variable "ec2_ami_id" { + description = "The AMI used for the EC2 nodes. Recommended Ubuntu 22.04 LTS." type = string validation { - condition = can(regex("^(ami-[a-f0-9]{17})", var.ec2_ami)) + condition = can(regex("^(ami-[a-f0-9]{17})", var.ec2_ami_id)) error_message = "Please verify that your AMI is in the correct format for AWS (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/finding-an-ami.html)." } } @@ -258,7 +279,7 @@ variable "manager_token" { } variable "service_registration_token" { - description = "The service registration token value for Guac RDP servers to authenticate to webapps. No special characters" + description = "The service registration token value for cpx RDP servers to authenticate to webapps. No special characters" type = string sensitive = true 
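Review bot: The four new `*_hdd_size_gb` validations can never fail, because `can()` only reports whether its argument evaluates without error, and `var.webapp_hdd_size_gb >= 40` evaluates cleanly to `false` for a value that is too small. The condition should be the comparison itself, e.g. `condition = var.webapp_hdd_size_gb >= 40`, and likewise for `db`, `agent` (120) and `cpx`. In the `num_cpx_nodes` block the `== 0 ? true :` branch is redundant with the `>= 0` test that follows it, and both the description and the error message still speak of Agents rather than Connection Proxy nodes.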
@@ -268,6 +289,28 @@ variable "service_registration_token" { } } +variable "create_aws_ssm_iam_role" { + description = "Create an AWS SSM IAM role to attach to VMs for SSH/console access to VMs." + type = bool + default = false + + validation { + condition = can(tobool(var.create_aws_ssm_iam_role)) + error_message = "The create_aws_ssm_iam_role is a boolean value and can only be either true or false." + } +} + +variable "aws_ssm_iam_role_name" { + description = "The name of the SSM EC2 role to associate with Kasm VMs for SSH access" + type = string + default = "" + + validation { + condition = can(regex("[a-zA-Z0-9+=,.@-]{1,64}", var.aws_ssm_iam_role_name)) + error_message = "The aws_ssm_iam_role_name must be unique across the account and can only consisit of between 1 and 64 characters consisting of letters, numbers, underscores (_), plus (+), equals (=), comman (,), period (.), at symbol (@), or dash (-)." + } +} + ## Non-validated variables variable "kasm_build" { description = "The URL for the Kasm Workspaces build" @@ -277,8 +320,5 @@ variable "kasm_build" { variable "aws_default_tags" { description = "Default tags to apply to all AWS resources for this deployment" type = map(any) - default = { - Service_name = "Kasm Workspaces" - Kasm_version = "1.12" - } + default = {} } diff --git a/digitalocean/single_server/README.md b/digitalocean/single_server/README.md index 18ab743..cfa9ad4 100644 --- a/digitalocean/single_server/README.md +++ b/digitalocean/single_server/README.md 
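Review bot: The `aws_ssm_iam_role_name` validation rejects its own default: `regex("[a-zA-Z0-9+=,.@-]{1,64}", "")` finds no match, so `can()` is false whenever the variable is left at `""`. The pattern is also unanchored, so it enforces neither the 64-character limit nor the character set, and it omits the underscore that the error message lists as allowed. Suggest `condition = var.aws_ssm_iam_role_name == "" || can(regex("^[a-zA-Z0-9_+=,.@-]{1,64}$", var.aws_ssm_iam_role_name))`. The `can(tobool(...))` check on `create_aws_ssm_iam_role` adds nothing beyond `type = bool`, and the error message contains the typos "consisit" and "comman".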
@@ -9,13 +9,13 @@ This project will deploy Kasm Workspaces in a single-server deployment on Digita # Pre-Configuration ### Domain Configuration -If digitalocean is not already managing your domain you will need to have your registrar point to the DigitalOcean nameservers: https://www.digitalocean.com/community/tutorials/how-to-point-to-digitalocean-nameservers-from-common-domain-registrars +If digitalocean is not already managing your domain you will need to have your registrar point to the DigitalOcean nameservers: https://www.digitalocean.com/community/tutorials/how-to-point-to-digitalocean-nameservers-from-common-domain-registrars ### API Tokens -Create a personal access token with read/write permissions at https://cloud.digitalocean.com/account/api/tokens +Create a personal access token with read/write permissions at https://cloud.digitalocean.com/account/api/tokens ### SSH Authorized Keys -This project will launch a droplet and allow connections using the ssh keys defined by `ssh_key_fingerprints`. You can copy the fingerprint from the desired ssh keys from https://cloud.digitalocean.com/account/security +This project will launch a droplet and allow connections using the ssh keys defined by `ssh_key_fingerprints`. You can copy the fingerprint from the desired ssh keys from https://cloud.digitalocean.com/account/security # Terraform Configuration 
@@ -29,34 +29,57 @@ This project will launch a droplet and allow connections using the ssh keys defi 3. Verify the configuration - terraform plan -var-file settings.tfvars -var-file secrets.tfvars + terraform plan -var-file secrets.tfvars 4. Deploy - terraform apply -var-file settings.tfvars -var-file secrets.tfvars + terraform apply -var-file secrets.tfvars 5. Login to the Deployment as an Admin via the domain defined e.g `https://kasm.contoso.com`. Single server installs download all workspaces images during the install process so it may take ~15 minutes for the server to fully come online. + +## Requirements +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | ~> 1.0 | +| [digitalocean](#requirement\_digitalocean) | ~> 2.0 | -# OCI Terraform Variable definitions +## Providers -| Variable | Description | Variable type | Example | -|:--------:|-------------|---------------|---------| -| `digital_ocean_token` | The DigitalOcean authentication token. | String | `"dop_v1_EXAMPLEb8f85b081895f489921abbf26e64d7f3a0e581f8a1d8d532a5ba553"` | -| `digital_ocean_region` | The DigitalOcean region where you wish to deploy Kasm | String | `"nyc3"` | -| `do_domain_name` | The domain name that users will use to access kasm. | String | `"kasm.contoso.com"` | -| `ssh_key_fingerprints` | A list of DigitalOcean SSH fingerprints to use for SSH access to your Kasm server. | List(String) | `["66:e5:d1:85:cd:ba:ca:6a:d0:76:86:ef:1c:11:63:97"]` | -| `project_name` | The name of the deployment (e.g dev, staging). A short single word of up to 15 characters. | String | `"kasm"` | -| `oci_domain_name` | The public Zone used for the dns entries. This must already exist in the OCI account. (e.g kasm.contoso.com). The deployment will be accessed via this zone name using https. 
| String | `"kasm.contoso.com"` | -| `vpc_subnet_cidr` | The VPC Subnet CIDR where you wish to deploy Kasm | String | `"10.0.0.0/24"` | -| `digital_ocean_droplet_slug` | The Default Digital Ocean Droplet Slug: https://slugs.do-api.dev/ | String | `"s-2vcpu-4gb-intel"` | -| `digital_ocean_image` | Default Image for Ubuntu 20.04 LTS with Docker | String | `"docker-20-04"` | -| `kasm_build_url` | The download URL for the desired Kasm Workspaces version. | String | `"https://kasm-static-content.s3.amazonaws.com/kasm_release_1.13.0.002947.tar.gz"` | -| `admin_password` | The Kasm Administrative user login password. String from 12-30 characters in length with no special characters. | String | `"1qaz2wsx3EDC4RFV"` | -| `user_password` | A Kasm standard (non-administrator) user password. String from 12-30 characters in length with no special characters. | String | `"1qaz2wsx3EDC4RFV"` | -| `allow_ssh_cidrs` | A list of subnets in CIDR notation allowed to SSH into your kasm servers | List(String) | `["10.0.0.0/16","172.217.22.14/32"]` | -| `allow_web_cidrs` | A list of subnets in CIDR notation allowed Web access to your kasm servers | List(String) | `["0.0.0.0/0"]` | -| `swap_size` | The amount of swap (in MB) to configure inside the Kasm servers. | Number | `2048` | -| `instance_shape` | The OCI instance shape to use for Kasm deployment. Kasm recommends using a Flex instance type. | String | `"VM.Standard.E4.Flex"` | +No providers. + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [kasm](#module\_kasm) | ./module | n/a | + +## Resources + +No resources. + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [admin\_password](#input\_admin\_password) | The default password to be used for the default admin@kasm.local account. 
Only use alphanumeric characters | `string` | `"changeme"` | no | +| [allow\_kasm\_web\_cidrs](#input\_allow\_kasm\_web\_cidrs) | CIDR notation of the bastion host allowed to SSH in to the machines | `list(string)` |
[
"0.0.0.0/0"
]
| no | +| [allow\_ssh\_cidrs](#input\_allow\_ssh\_cidrs) | CIDR notation of the bastion host allowed to SSH in to the machines | `list(string)` |
[
"0.0.0.0/0"
]
| no | +| [digital\_ocean\_droplet\_slug](#input\_digital\_ocean\_droplet\_slug) | The Default Digital Ocean Droplet Slug: https://slugs.do-api.dev/ | `string` | `"s-2vcpu-4gb-intel"` | no | +| [digital\_ocean\_image](#input\_digital\_ocean\_image) | Default Image for Ubuntu 20.04 LTS with Docker | `string` | `"docker-20-04"` | no | +| [digital\_ocean\_region](#input\_digital\_ocean\_region) | The Digital Ocean region where you wish to deploy Kasm | `string` | `"nyc3"` | no | +| [digital\_ocean\_token](#input\_digital\_ocean\_token) | Authentication Token For Digital Ocean | `string` | n/a | yes | +| [do\_domain\_name](#input\_do\_domain\_name) | The domain name that users will use to access Kasm | `string` | n/a | yes | +| [kasm\_build\_url](#input\_kasm\_build\_url) | The Kasm build file to install | `string` | `"https://kasm-static-content.s3.amazonaws.com/kasm_release_1.12.0.d4fd8a.tar.gz"` | no | +| [project\_name](#input\_project\_name) | The name of the project/deployment/company eg (acme). | `string` | n/a | yes | +| [ssh\_key\_fingerprints](#input\_ssh\_key\_fingerprints) | Keys used for sshing into kasm hosts | `list(string)` | n/a | yes | +| [swap\_size](#input\_swap\_size) | The amount of swap (in MB) to configure inside the compute instances | `number` | `2048` | no | +| [user\_password](#input\_user\_password) | The default password to be used for the default user@kasm.local account. Only use alphanumeric characters | `string` | `"changeme"` | no | +| [vpc\_subnet\_cidr](#input\_vpc\_subnet\_cidr) | VPC Subnet CIDR where you wish to deploy Kasm | `string` | `"10.0.0.0/24"` | no | + +## Outputs + +No outputs. + diff --git a/digitalocean/single_server/module/README.md b/digitalocean/single_server/module/README.md new file mode 100644 index 0000000..13390be --- /dev/null +++ b/digitalocean/single_server/module/README.md 
@@ -0,0 +1,64 @@ +# module + + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | ~> 1.0 | +| [digitalocean](#requirement\_digitalocean) | ~> 2.0 | + +## Providers + +| Name | Version | +|------|---------| +| [digitalocean](#provider\_digitalocean) | 2.34.1 | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [digitalocean_certificate.cert](https://registry.terraform.io/providers/digitalocean/digitalocean/latest/docs/resources/certificate) | resource | +| [digitalocean_domain.default](https://registry.terraform.io/providers/digitalocean/digitalocean/latest/docs/resources/domain) | resource | +| [digitalocean_droplet.kasm-server](https://registry.terraform.io/providers/digitalocean/digitalocean/latest/docs/resources/droplet) | resource | +| [digitalocean_firewall.workspaces-fw](https://registry.terraform.io/providers/digitalocean/digitalocean/latest/docs/resources/firewall) | resource | +| [digitalocean_loadbalancer.www-lb](https://registry.terraform.io/providers/digitalocean/digitalocean/latest/docs/resources/loadbalancer) | resource | +| [digitalocean_project.project](https://registry.terraform.io/providers/digitalocean/digitalocean/latest/docs/resources/project) | resource | +| [digitalocean_record.static](https://registry.terraform.io/providers/digitalocean/digitalocean/latest/docs/resources/record) | resource | +| [digitalocean_tag.project](https://registry.terraform.io/providers/digitalocean/digitalocean/latest/docs/resources/tag) | resource | +| [digitalocean_vpc.kasm_vpc](https://registry.terraform.io/providers/digitalocean/digitalocean/latest/docs/resources/vpc) | resource | +| [digitalocean_certificate.data-cert](https://registry.terraform.io/providers/digitalocean/digitalocean/latest/docs/data-sources/certificate) | data source | +| [digitalocean_domain.data-default](https://registry.terraform.io/providers/digitalocean/digitalocean/latest/docs/data-sources/domain) | data 
source | +| [digitalocean_droplet.data-kasm_server](https://registry.terraform.io/providers/digitalocean/digitalocean/latest/docs/data-sources/droplet) | data source | +| [digitalocean_tag.data-project](https://registry.terraform.io/providers/digitalocean/digitalocean/latest/docs/data-sources/tag) | data source | +| [digitalocean_vpc.data-kasm_vpc](https://registry.terraform.io/providers/digitalocean/digitalocean/latest/docs/data-sources/vpc) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [admin\_password](#input\_admin\_password) | The default password to be used for the default admin@kasm.local account. Only use alphanumeric characters | `string` | n/a | yes | +| [allow\_kasm\_web\_cidrs](#input\_allow\_kasm\_web\_cidrs) | CIDR notation of the bastion host allowed to SSH in to the machines | `list(string)` | n/a | yes | +| [allow\_ssh\_cidrs](#input\_allow\_ssh\_cidrs) | List of Subnets in CIDR notation for hosts allowed to SSH | `list(string)` | n/a | yes | +| [anywhere](#input\_anywhere) | Anywhere route subnet | `list(string)` |
[
"0.0.0.0/0",
"::/0"
]
| no | +| [digital\_ocean\_droplet\_slug](#input\_digital\_ocean\_droplet\_slug) | The Default Digital Ocean Droplet Slug: https://slugs.do-api.dev/ | `string` | n/a | yes | +| [digital\_ocean\_image](#input\_digital\_ocean\_image) | Default Image for Ubuntu LTS | `string` | n/a | yes | +| [digital\_ocean\_region](#input\_digital\_ocean\_region) | The Default Digital Ocean Region Slug: https://docs.digitalocean.com/products/platform/availability-matrix/ | `string` | n/a | yes | +| [do\_domain\_name](#input\_do\_domain\_name) | The domain name that users will use to access kasm | `string` | n/a | yes | +| [kasm\_build\_url](#input\_kasm\_build\_url) | The Kasm build file to install | `string` | n/a | yes | +| [project\_name](#input\_project\_name) | The name of the project/deployment/company eg (acme). Lower case all one word as this will be used in a domain name | `string` | n/a | yes | +| [ssh\_key\_fingerprints](#input\_ssh\_key\_fingerprints) | Keys used for sshing into kasm hosts | `list(string)` | n/a | yes | +| [swap\_size](#input\_swap\_size) | The amount of swap (in MB) to configure inside the compute instances | `number` | n/a | yes | +| [user\_password](#input\_user\_password) | The default password to be used for the default user@kasm.local account. Only use alphanumeric characters | `string` | n/a | yes | +| [vpc\_subnet\_cidr](#input\_vpc\_subnet\_cidr) | VPC Subnet CIDR to deploy Kasm | `string` | n/a | yes | + +## Outputs + +| Name | Description | +|------|-------------| +| [kasm\_server\_ip](#output\_kasm\_server\_ip) | n/a | + diff --git a/digitalocean/single_server/module/firewall.tf b/digitalocean/single_server/module/firewall.tf index b8853dd..6fa87dc 100644 --- a/digitalocean/single_server/module/firewall.tf +++ b/digitalocean/single_server/module/firewall.tf 
@@ -1,7 +1,7 @@
 resource "digitalocean_firewall" "workspaces-fw" {
 name = "${var.project_name}-fw"
- tags = ["${digitalocean_tag.project.id}"]
+ tags = [digitalocean_tag.project.id]
 inbound_rule {
 protocol = "tcp"
diff --git a/digitalocean/single_server/module/provider.tf b/digitalocean/single_server/module/provider.tf
index 68aba8c..441a4be 100644
--- a/digitalocean/single_server/module/provider.tf
+++ b/digitalocean/single_server/module/provider.tf
@@ -1,4 +1,6 @@
 terraform {
+ required_version = "~> 1.0"
+
 required_providers {
 digitalocean = {
 source = "digitalocean/digitalocean"
diff --git a/digitalocean/single_server/provider.tf b/digitalocean/single_server/provider.tf
index 6225189..2572fc1 100644
--- a/digitalocean/single_server/provider.tf
+++ b/digitalocean/single_server/provider.tf
@@ -1,4 +1,6 @@
 terraform {
+ required_version = "~> 1.0"
+
 required_providers {
 digitalocean = {
 source = "digitalocean/digitalocean"
diff --git a/digitalocean/single_server/secrets.tfvars.example b/digitalocean/single_server/secrets.tfvars.example
new file mode 100644
index 0000000..9d7c029
--- /dev/null
+++ b/digitalocean/single_server/secrets.tfvars.example
@@ -0,0 +1 @@
+digital_ocean_token = ""
\ No newline at end of file
diff --git a/digitalocean/single_server/settings.tfvars b/digitalocean/single_server/terraform.tfvars
similarity index 76%
rename from digitalocean/single_server/settings.tfvars
rename to digitalocean/single_server/terraform.tfvars
index 24fe958..a22f219 100644
--- a/digitalocean/single_server/settings.tfvars
+++ b/digitalocean/single_server/terraform.tfvars
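Review bot: The new `digitalocean/single_server/secrets.tfvars.example` gives no hint of how the copied file is meant to be loaded or kept out of version control. The same commit renames `settings.tfvars` to `terraform.tfvars`, which Terraform loads automatically, but a file named `secrets.tfvars` is not auto-loaded, so the token still has to be supplied with `-var-file secrets.tfvars` or through the `TF_VAR_digital_ocean_token` environment variable. I would add a header comment such as `# Copy to secrets.tfvars (keep it out of git) and pass it with -var-file secrets.tfvars`. It is also worth confirming that `secrets.tfvars` is covered by the repository's ignore rules, which are not visible in this part of the patch.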
@@ -13,12 +13,12 @@ digital_ocean_droplet_slug = "s-2vcpu-4gb-intel"
 swap_size = 2048
 ## Kasm passwords
-user_password = "changeme"
-admin_password = "changeme"
+user_password = "changeme"
+admin_password = "changeme"
 ## VM Access subnets
 allow_ssh_cidrs = ["0.0.0.0/0"]
 allow_kasm_web_cidrs = ["0.0.0.0/0"]
 ## Kasm download URL
-kasm_build_url = "https://kasm-static-content.s3.amazonaws.com/kasm_release_1.13.0.002947.tar.gz"
\ No newline at end of file
+kasm_build_url = "https://kasm-static-content.s3.amazonaws.com/kasm_release_1.14.0.3a7abb.tar.gz"
\ No newline at end of file
diff --git a/digitalocean/single_server/variables.tf b/digitalocean/single_server/variables.tf
index bd7b230..efcd66c 100644
--- a/digitalocean/single_server/variables.tf
+++ b/digitalocean/single_server/variables.tf
@@ -126,6 +126,7 @@ variable "allow_kasm_web_cidrs" {
 variable "swap_size" {
 description = "The amount of swap (in MB) to configure inside the compute instances"
+ type = number
 default = 2048
 validation {
diff --git a/oci/single_server/README.md b/oci/single_server/README.md
index 2053122..703e557 100644
--- a/oci/single_server/README.md
+++ b/oci/single_server/README.md
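Review bot: Renaming `digitalocean/single_server/settings.tfvars` to `terraform.tfvars` makes Terraform load the file automatically, so the placeholders it carries (`user_password = "changeme"`, `admin_password = "changeme"`, `allow_ssh_cidrs = ["0.0.0.0/0"]`) now take effect on a plain `terraform apply` instead of only when someone passes `-var-file`. A deployment with known default passwords and SSH open to every address becomes the path of least effort. I would ship those three lines commented out, e.g. `# admin_password = "<set me>"` and `# allow_ssh_cidrs = ["<admin-network-cidr>"]`, so an unedited checkout prompts or fails rather than deploys. Whether `variables.tf` already rejects the placeholders cannot be seen from this hunk. `oci/single_server/terraform.tfvars`, renamed the same way later in this patch, shows the same `"changeme"` values.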
@@ -34,48 +34,76 @@ Create an SSL certificate that matches the desired domain for the deployment. e. terraform init 2. Open `settings.tfvars` and update the variables. The variable definitions, descriptions, and validation requirements can be found in `variables.tf`, or in the [table](#oci-terraform-variable-definitions) below. - + 3. Verify the configuration - terraform plan -var-file settings.tfvars + terraform plan 4. Deploy - terraform apply -var-file settings.tfvars + terraform apply 5. Login to the Deployment as an Admin via the domain defined e.g `https://kasm.contoso.com`. Single server installs download all workspaces images during the install process so it may take ~15 minutes for the server to fully come online. -# OCI Terraform Variable definitions + +## Requirements -| Variable | Description | Variable type | Example | -|:--------:|-------------|---------------|---------| -| `tenancy_ocid` | The OCI Tenancy OCID | String | `"ocid1.tenancy.oc1..aaaaaaaaai06vvcguozt39d4ilmwtpdovl998wsxpyn0hjkab2kuh7z16po7"` | -| `compartment_ocid` | The OCI Compartment OCID | String | `"ocid1.compartment.oc1..aaaaaaaauepg1z967huiazuiwjt80rtbszp64x9oxaidkoi7wz0pgr950bzb"` | -| `region` | The OCI Region name | String | `"us-ashburn-1"` | -| `user_ocid` | The OCI User OCID | String | `"ocid1.user.oc1..aaaaaaaau3me8nojmdjrbj2vzfxeouscc1i7cf9w0aoy0iyv9b38t2y0a1ba"` | -| `fingerprint` | The OCI User API Key fingerprint | String | `"66:e5:d1:85:cd:ba:ca:6a:d0:76:86:ef:1c:11:63:97"` | -| `private_key_path` | The path for the API Key PEM encoded Private Key for the OCI User. ***NOTE:*** *Ensure the API Key contents are a valid PEM encoded RSA key file. You can tell this by ensuring that the value `-----BEGIN RSA PRIVATE KEY-----` is the first line in the key file. Otherwise, you can validate the key file by running the `openssl rsa -in oci-private-key.pem -check` command.* | String | `"./oci-private-key.pem"` | -| `project_name` | The name of the deployment (e.g dev, staging). 
A short single word of up to 15 characters. | String | `"kasm"` | -| `oci_domain_name` | The public Zone used for the dns entries. This must already exist in the OCI account. (e.g kasm.contoso.com). The deployment will be accessed via this zone name using https. | String | `"kasm.contoso.com"` | -| `letsencrypt_cert_support_email` | Email address to use for Terraform-generated Let's Encrypt SSL certificates | String | `"support@contoso.com"` | -| `letsencrypt_server_type` | SSL Server type for certificate generation. Valid options are staging, prod, and empty string (""). Refer to [SSL Certificate Options](#ssl-certificate-options) section of this document for more information. | String | "prod" | -| `kasm_ssl_crt_path` | Bring Your own Certificate - The file path fo the PEM encoded SSL Certificate file generated outside of Terraform. Copy/paste the contents of your generated SSL Certificate to the file designated in this path variable. | String | `"./kasm_ssl.crt"` | -| `kasm_ssl_key_path` | Bring Your own Certificate - The file path to the PEM encoded SSL Private Key file generated outside of Terraform. Copy/paste the contents of your generated SSL Private Key to the file designated in this path variable. | String | `"./kasm_ssl.key"` | -| `vcn_subnet_cidr` | The OCI VCN Subnet CIDR of the VCN where you wish to deploy Kasm | String | `"10.0.0.0/16"` | -| `ssh_authorized_keys` | The SSH Public key to be installed on the Kasm servers for SSH access | String | `"ssh-rsa some_base64_encoded_ssh_public_key_data"` | -| `instance_image_ocid` | The OCI Image OCID value of the OS to use. Kasm recommends using lates Ubuntu 20.04 LTS-Minimal for speed and efficiency. 
| String | `"ocid1.image.oc1.iad.aaaaaaaahiz6xym3a76xhwkmwmhrz6luyiehho7dpxpkphxhsq5q6z4m3nlq"` | -| `allow_ssh_cidrs` | A list of subnets in CIDR notation allowed to SSH into your kasm servers | List(String) | `["10.0.0.0/16","172.217.22.14/32"]` | -| `allow_web_cidrs` | A list of subnets in CIDR notation allowed Web access to your kasm servers | List(String) | `["0.0.0.0/0"]` | -| `admin_password` | The Kasm Administrative user login password. String from 12-30 characters in length with no special characters. | String | `"1qaz2wsx3EDC4RFV"` | -| `user_password` | A Kasm standard (non-administrator) user password. String from 12-30 characters in length with no special characters. | String | `"1qaz2wsx3EDC4RFV"` | -| `kasm_build_url` | The download URL for the desired Kasm Workspaces version. | String | `"https://kasm-static-content.s3.amazonaws.com/kasm_release_1.13.0.002947.tar.gz"` | -| `swap_size` | The amount of swap (in MB) to configure inside the Kasm servers. | Number | `2048` | -| `instance_shape` | The OCI instance shape to use for Kasm deployment. Kasm recommends using a Flex instance type. | String | `"VM.Standard.E4.Flex"` | -| `kasm_server_cpus` | The number of CPUs, memory in GB, and HDD size to use for Kasm WebApps. | Number | `4` | -| `kasm_server_memory` | The number of CPUs, memory in GB, and HDD size to use for the Kasm Database server. | Number | `8` | -| `kasm_server_hdd_size` | The number of CPUs, memory in GB, and HDD size to use for the Kasm Agent server(s). | Number | `120` | +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | ~> 1.0 | +| [acme](#requirement\_acme) | ~> 2.0 | +| [oci](#requirement\_oci) | ~> 5.0 | +| [tls](#requirement\_tls) | ~> 4.0 | +## Providers + +No providers. + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [kasm](#module\_kasm) | ./module | n/a | + +## Resources + +No resources. 
+ +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [admin\_password](#input\_admin\_password) | The administrative user password. No special characters | `string` | n/a | yes | +| [allow\_ssh\_cidrs](#input\_allow\_ssh\_cidrs) | The CIDR notation to allow SSH access to the systems. | `list(string)` | n/a | yes | +| [allow\_web\_cidrs](#input\_allow\_web\_cidrs) | The CIDR notation to allow HTTPS access to the systems. | `list(string)` | n/a | yes | +| [compartment\_ocid](#input\_compartment\_ocid) | The Compartment OCID | `string` | n/a | yes | +| [fingerprint](#input\_fingerprint) | API Key Fingerprint | `string` | n/a | yes | +| [instance\_image\_ocid](#input\_instance\_image\_ocid) | The OCID for the instance image , such as ubuntu 20.04, to use. | `string` | n/a | yes | +| [instance\_shape](#input\_instance\_shape) | The instance shape to use. Should be a Flex type. | `string` | n/a | yes | +| [kasm\_build\_url](#input\_kasm\_build\_url) | The URL for the Kasm Workspaces build | `string` | n/a | yes | +| [kasm\_server\_cpus](#input\_kasm\_server\_cpus) | The number of CPUs to configure for the Kasm instance | `number` | n/a | yes | +| [kasm\_server\_hdd\_size](#input\_kasm\_server\_hdd\_size) | The size in GBs of the Kasm instance HDD | `number` | n/a | yes | +| [kasm\_server\_memory](#input\_kasm\_server\_memory) | The amount of memory to configure for the Kasm instance | `number` | n/a | yes | +| [kasm\_ssl\_crt\_path](#input\_kasm\_ssl\_crt\_path) | The file path to the PEM encoded SSL Certificate. Leave this empty if you are using Lets Encrypt to automatically generate your certificates. | `string` | `""` | no | +| [kasm\_ssl\_key\_path](#input\_kasm\_ssl\_key\_path) | The file path to the PEM encoded SSL Certificate Key. Leave this empty if you are using Lets Encrypt to automatically generate your certificates. 
| `string` | `""` | no | +| [letsencrypt\_cert\_support\_email](#input\_letsencrypt\_cert\_support\_email) | Email address to use for Let's Encrypt SSL certificates for OCI Deployment | `string` | `""` | no | +| [letsencrypt\_server\_type](#input\_letsencrypt\_server\_type) | SSL Server type to generate. Valid options are staging and prod, and prod certificates are limited to 5 certificates per week. | `string` | `""` | no | +| [oci\_domain\_name](#input\_oci\_domain\_name) | The public Zone used for the dns entries. This must already exist in the OCI account. (e.g kasm.contoso.com). The deployment will be accessed via this zone name via https | `string` | n/a | yes | +| [private\_key\_path](#input\_private\_key\_path) | The path to the OCI API Key PEM encoded Private Key | `string` | n/a | yes | +| [project\_name](#input\_project\_name) | The name of the deployment (e.g dev, staging). A short single word | `string` | n/a | yes | +| [region](#input\_region) | The OCI Region eg: (us-ashburn-1) | `string` | n/a | yes | +| [ssh\_authorized\_keys](#input\_ssh\_authorized\_keys) | The SSH Public Keys to be installed on the OCI compute instance | `string` | n/a | yes | +| [swap\_size](#input\_swap\_size) | The amount of swap (in MB) to configure inside the compute instances | `number` | n/a | yes | +| [tenancy\_ocid](#input\_tenancy\_ocid) | The Tenancy OCID. | `string` | n/a | yes | +| [user\_ocid](#input\_user\_ocid) | The User OCID. | `string` | n/a | yes | +| [user\_password](#input\_user\_password) | The standard (non administrator) user password. No special characters | `string` | n/a | yes | +| [vcn\_subnet\_cidr](#input\_vcn\_subnet\_cidr) | VCN Subnet CIDR where you wish to deploy Kasm | `string` | n/a | yes | + +## Outputs + +No outputs. + # Detailed Terraform Deployment Diagram diff --git a/oci/single_server/module/README.md b/oci/single_server/module/README.md new file mode 100644 index 0000000..67ce747 --- /dev/null +++ b/oci/single_server/module/README.md 
@@ -0,0 +1,79 @@ +# module + + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | ~> 1.0 | +| [acme](#requirement\_acme) | ~> 2.0 | +| [oci](#requirement\_oci) | ~> 5.0 | +| [tls](#requirement\_tls) | ~> 4.0 | + +## Providers + +| Name | Version | +|------|---------| +| [acme](#provider\_acme) | 2.20.0 | +| [oci](#provider\_oci) | 5.28.0 | +| [tls](#provider\_tls) | 4.0.5 | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [acme_certificate.certificate](https://registry.terraform.io/providers/vancluever/acme/latest/docs/resources/certificate) | resource | +| [acme_registration.registration](https://registry.terraform.io/providers/vancluever/acme/latest/docs/resources/registration) | resource | +| [oci_core_default_route_table.default_route_table](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/core_default_route_table) | resource | +| [oci_core_instance.kasm_instance](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/core_instance) | resource | +| [oci_core_internet_gateway.kasm_internet_gateway](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/core_internet_gateway) | resource | +| [oci_core_security_list.allow_ssh](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/core_security_list) | resource | +| [oci_core_security_list.allow_web](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/core_security_list) | resource | +| [oci_core_subnet.kasm_subnet](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/core_subnet) | resource | +| [oci_core_vcn.kasm_vcn](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/core_vcn) | resource | +| [oci_dns_rrset.kasm_a_record](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/dns_rrset) | resource | +| 
[tls_cert_request.kasm_certificate_request](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/cert_request) | resource | +| [tls_private_key.certificate_private_key](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource | +| [tls_private_key.registration_private_key](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource | +| [oci_dns_zones.kasm_dns_zone](https://registry.terraform.io/providers/oracle/oci/latest/docs/data-sources/dns_zones) | data source | +| [oci_identity_availability_domain.ad](https://registry.terraform.io/providers/oracle/oci/latest/docs/data-sources/identity_availability_domain) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [admin\_password](#input\_admin\_password) | The administrative user password. No special characters | `string` | n/a | yes | +| [allow\_ssh\_cidrs](#input\_allow\_ssh\_cidrs) | The CIDR notation to allow SSH access to the systems. | `list(string)` | n/a | yes | +| [allow\_web\_cidrs](#input\_allow\_web\_cidrs) | The CIDR notation to allow HTTPS access to the systems. | `list(string)` | n/a | yes | +| [anywhere](#input\_anywhere) | Anywhere route subnet | `string` | `"0.0.0.0/0"` | no | +| [compartment\_ocid](#input\_compartment\_ocid) | The Compartment OCID | `string` | n/a | yes | +| [fingerprint](#input\_fingerprint) | API Key Fingerprint | `string` | n/a | yes | +| [instance\_image\_ocid](#input\_instance\_image\_ocid) | The OCID for the instance image , such as ubuntu 20.04, to use. | `string` | n/a | yes | +| [instance\_shape](#input\_instance\_shape) | The instance shape to use. Should be a Flex type. 
| `string` | n/a | yes | +| [kasm\_build\_url](#input\_kasm\_build\_url) | The URL for the Kasm Workspaces build | `string` | n/a | yes | +| [kasm\_server\_cpus](#input\_kasm\_server\_cpus) | The number of CPUs to configure for the Kasm instance | `number` | n/a | yes | +| [kasm\_server\_hdd\_size](#input\_kasm\_server\_hdd\_size) | The size in GBs of the Kasm instance HDD | `number` | n/a | yes | +| [kasm\_server\_memory](#input\_kasm\_server\_memory) | The amount of memory to configure for the Kasm instance | `number` | n/a | yes | +| [kasm\_ssl\_crt\_path](#input\_kasm\_ssl\_crt\_path) | The file path to the PEM encoded SSL Certificate | `string` | n/a | yes | +| [kasm\_ssl\_key\_path](#input\_kasm\_ssl\_key\_path) | The file path to the PEM encoded SSL Certificate Key | `string` | n/a | yes | +| [letsencrypt\_cert\_support\_email](#input\_letsencrypt\_cert\_support\_email) | Email address to use for Let's Encrypt SSL certificates for OCI Deployment | `string` | n/a | yes | +| [letsencrypt\_server\_type](#input\_letsencrypt\_server\_type) | SSL Server type to generate. Valid options are staging, prod, and empty string. Prod certificates are limited to 5 per week per domain. | `string` | n/a | yes | +| [oci\_domain\_name](#input\_oci\_domain\_name) | The public Zone used for the dns entries. This must already exist in the OCI account. (e.g kasm.contoso.com). The deployment will be accessed via this zone name via https | `string` | n/a | yes | +| [private\_key\_path](#input\_private\_key\_path) | The path to the API Key PEM encoded Private Key | `string` | n/a | yes | +| [project\_name](#input\_project\_name) | The name of the deployment (e.g dev, staging). 
A short single word | `string` | n/a | yes | +| [region](#input\_region) | The OCI Region eg: (us-ashburn-1) | `string` | n/a | yes | +| [ssh\_authorized\_keys](#input\_ssh\_authorized\_keys) | The SSH Public Keys to be installed on the OCI compute instance | `string` | n/a | yes | +| [swap\_size](#input\_swap\_size) | The amount of swap (in MB) to configure inside the compute instances | `number` | n/a | yes | +| [tenancy\_ocid](#input\_tenancy\_ocid) | The Tenancy OCID. | `string` | n/a | yes | +| [user\_ocid](#input\_user\_ocid) | The User OCID. | `string` | n/a | yes | +| [user\_password](#input\_user\_password) | The standard (non administrator) user password. No special characters | `string` | n/a | yes | +| [vcn\_subnet\_cidr](#input\_vcn\_subnet\_cidr) | VPC Subnet CIDR where you wish to deploy Kasm | `string` | n/a | yes | + +## Outputs + +No outputs. + diff --git a/oci/single_server/module/provider.tf b/oci/single_server/module/provider.tf index 7539cab..2814e4c 100644 --- a/oci/single_server/module/provider.tf +++ b/oci/single_server/module/provider.tf @@ -1,16 +1,18 @@ terraform { + required_version = "~> 1.0" + required_providers { oci = { source = "oracle/oci" - version = ">= 4.0.0" + version = "~> 5.0" } acme = { source = "vancluever/acme" - version = ">= 2.0" + version = "~> 2.0" } tls = { source = "hashicorp/tls" - version = ">= 4.0.0" + version = "~> 4.0" } } } diff --git a/oci/single_server/provider.tf b/oci/single_server/provider.tf index e65d81e..743dcfb 100644 --- a/oci/single_server/provider.tf +++ b/oci/single_server/provider.tf @@ -1,16 +1,18 @@ terraform { + required_version = "~> 1.0" + required_providers { oci = { source = "oracle/oci" - version = ">= 4.0.0" + version = "~> 5.0" } acme = { source = "vancluever/acme" - version = ">= 2.0" + version = "~> 2.0" } tls = { source = "hashicorp/tls" - version = ">= 4.0.0" + version = "~> 4.0" } } } 
diff --git a/oci/single_server/settings.tfvars b/oci/single_server/terraform.tfvars
similarity index 82%
rename from oci/single_server/settings.tfvars
rename to oci/single_server/terraform.tfvars
index a5be31c..3324718 100644
--- a/oci/single_server/settings.tfvars
+++ b/oci/single_server/terraform.tfvars
@@ -32,7 +32,7 @@ user_password = "changeme"
 ssh_authorized_keys = "changeme"
 ## OCI VM Settings
-instance_image_ocid = "ocid1.image.oc1.iad.aaaaaaaahiz6xym3a76xhwkmwmhrz6luyiehho7dpxpkphxhsq5q6z4m3nlq"
+instance_image_ocid = ""
 instance_shape = "VM.Standard.E4.Flex"
 swap_size = 2048
 kasm_server_cpus = 2
@@ -40,4 +40,4 @@ kasm_server_memory = 2
 kasm_server_hdd_size = 120
 ## Kasm download URL
-kasm_build_url = "https://kasm-static-content.s3.amazonaws.com/kasm_release_1.13.0.002947.tar.gz"
+kasm_build_url = "https://kasm-static-content.s3.amazonaws.com/kasm_release_1.14.0.3a7abb.tar.gz"
diff --git a/oci/standard/README.md b/oci/standard/README.md
index 5c55570..b3ed1a3 100644
--- a/oci/standard/README.md
+++ b/oci/standard/README.md
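Review bot: `kasm_build_url` in the second hunk of `oci/single_server/terraform.tfvars` names the release tarball the installer will fetch, but nothing in this file pins what that tarball must contain. The bootstrap scripts that consume the URL are outside this hunk, so the check may already exist. If they download and unpack the archive without comparing a digest, a replaced or corrupted object at that URL would be installed unnoticed. I would pair the URL with an expected SHA-256 value in the variables file and have the bootstrap script verify it before unpacking. The same line is bumped in `digitalocean/single_server/terraform.tfvars` earlier in the patch.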
@@ -35,56 +35,84 @@ Create an SSL certificate that matches the desired domain for the deployment. e. terraform init 2. Open `settings.tfvars` and update the variables. The variable definitions, descriptions, and validation requirements can be found in `variables.tf`, or in the [table](#oci-terraform-variable-definitions) below. - + 3. Verify the configuration - terraform plan -var-file settings.tfvars + terraform plan 4. Deploy - terraform apply -var-file settings.tfvars + terraform apply 5. Login to the Deployment as an Admin via the domain defined e.g `https://kasm.contoso.com`. It may take several minutes for the deployment to fully come online. + +## Requirements -# OCI Terraform Variable definitions +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | ~> 1.0 | +| [acme](#requirement\_acme) | ~> 2.0 | +| [oci](#requirement\_oci) | ~> 5.0 | +| [tls](#requirement\_tls) | ~> 4.0 | -| Variable | Description | Variable type | Example | -|:--------:|-------------|---------------|---------| -| `tenancy_ocid` | The OCI Tenancy OCID | String | `"ocid1.tenancy.oc1..aaaaaaaaai06vvcguozt39d4ilmwtpdovl998wsxpyn0hjkab2kuh7z16po7"` | -| `compartment_ocid` | The OCI Compartment OCID | String | `"ocid1.compartment.oc1..aaaaaaaauepg1z967huiazuiwjt80rtbszp64x9oxaidkoi7wz0pgr950bzb"` | -| `region` | The OCI Region name | String | `"us-ashburn-1"` | -| `user_ocid` | The OCI User OCID | String | `"ocid1.user.oc1..aaaaaaaau3me8nojmdjrbj2vzfxeouscc1i7cf9w0aoy0iyv9b38t2y0a1ba"` | -| `fingerprint` | The OCI User API Key fingerprint | String | `"66:e5:d1:85:cd:ba:ca:6a:d0:76:86:ef:1c:11:63:97"` | -| `private_key_path` | The path for the API Key PEM encoded Private Key for the OCI User. ***NOTE:*** *Ensure the API Key contents are a valid PEM encoded RSA key file. You can tell this by ensuring that the value `-----BEGIN RSA PRIVATE KEY-----` is the first line in the key file. 
Otherwise, you can validate the key file by running the `openssl rsa -in oci-private-key.pem -check` command.* | String | `"./oci-private-key.pem"` | -| `project_name` | The name of the deployment (e.g dev, staging). A short single word of up to 15 characters. | String | `"kasm"` | -| `oci_domain_name` | The public Zone used for the dns entries. This must already exist in the OCI account. (e.g kasm.contoso.com). The deployment will be accessed via this zone name using https. | String | `"kasm.contoso.com"` | -| `letsencrypt_cert_support_email` | Email address to use for Terraform-generated Let's Encrypt SSL certificates | String | `"support@contoso.com"` | -| `letsencrypt_server_type` | SSL Server type for certificate generation. Valid options are staging, prod, and empty string (""). Refer to [SSL Certificate Options](#ssl-certificate-options) section of this document for more information. | String | "prod" | -| `kasm_ssl_crt_path` | Bring Your own Certificate - The file path fo the PEM encoded SSL Certificate file generated outside of Terraform. Copy/paste the contents of your generated SSL Certificate to the file designated in this path variable. | String | `"./kasm_ssl.crt"` | -| `kasm_ssl_key_path` | Bring Your own Certificate - The file path to the PEM encoded SSL Private Key file generated outside of Terraform. Copy/paste the contents of your generated SSL Private Key to the file designated in this path variable. | String | `"./kasm_ssl.key"` | -| `vcn_subnet_cidr` | The OCI VCN Subnet CIDR of the VCN where you wish to deploy Kasm | String | `"10.0.0.0/16"` | -| `ssh_authorized_keys` | The SSH Public key to be installed on the Kasm servers for SSH access | String | `"ssh-rsa some_base64_encoded_ssh_public_key_data"` | -| `instance_image_ocid` | The OCI Image OCID value of the OS to use. Kasm recommends using lates Ubuntu 20.04 LTS-Minimal for speed and efficiency. 
| String | `"ocid1.image.oc1.iad.aaaaaaaahiz6xym3a76xhwkmwmhrz6luyiehho7dpxpkphxhsq5q6z4m3nlq"` | -| `allow_ssh_cidrs` | A list of subnets in CIDR notation allowed to SSH into your kasm servers | List(String) | `["10.0.0.0/16","172.217.22.14/32"]` | -| `allow_web_cidrs` | A list of subnets in CIDR notation allowed Web access to your kasm servers | List(String) | `["0.0.0.0/0"]` | -| `num_webapps` | The number of WebApp role servers to create in this deployment. Acceptable ranges from 1-3. | Number | `2` | -| `num_agents` | The number of static Kasm Agents to create in this deploymenbt. Acceptable ranges from 0-100. | Number | `2` | -| `num_guac_rdp_nodes` | The number of Guacamole RDP access servers to create in this deployment. Acceptable ranges from 0-100. | Number | `1` | -| `database_password` | The Kasm PostgreSQL database password. String from 12-30 characters in length with no special characters. | String | `"1qaz2wsx3EDC4RFV"` | -| `redis_password` | The Kasm Redis password. String from 12-30 characters in length with no special characters. | String | `"1qaz2wsx3EDC4RFV"` | -| `admin_password` | The Kasm Administrative user login password. String from 12-30 characters in length with no special characters. | String | `"1qaz2wsx3EDC4RFV"` | -| `user_password` | A Kasm standard (non-administrator) user password. String from 12-30 characters in length with no special characters. | String | `"1qaz2wsx3EDC4RFV"` | -| `manager_token` | The manager token value used by Kasm agents to authenticate to the Kasm WebApps. String from 12-30 characters in length with no special characters. | String | `"1qaz2wsx3EDC4RFV"` | -| `service_registration_token` | The service registration token value used by Guac RDP servers to authenticate to the Kasm Webapps. String from 12-30 characters in length with no special characters. | String | `"1qaz2wsx3EDC4RFV"` | -| `kasm_build_url` | The download URL for the desired Kasm Workspaces version. 
| String | `"https://kasm-static-content.s3.amazonaws.com/kasm_release_1.13.0.002947.tar.gz"` | -| `swap_size` | The amount of swap (in MB) to configure inside the Kasm servers. | Number | `2048` | -| `instance_shape` | The OCI instance shape to use for Kasm deployment. Kasm recommends using a Flex instance type. | String | `"VM.Standard.E4.Flex"` | -| `kasm_webapp_vm_settings` | The number of CPUs, memory in GB, and HDD size to use for Kasm WebApps. | Map(Any) |
{
  cpus = 2
  memory = 2
  hdd_size_gb = 50
}
| -| `kasm_database_vm_settings` | The number of CPUs, memory in GB, and HDD size to use for the Kasm Database server. | Map(Any) |
{
  cpus = 2
  memory = 2
  hdd_size_gb = 50
}
| -| `kasm_agent_vm_settings` | The number of CPUs, memory in GB, and HDD size to use for the Kasm Agent server(s). | Map(Any) |
{
  cpus = 4
  memory = 8
  hdd_size_gb = 120
}
| -| `kasm_guac_vm_settings` | The number of CPUs, memory in GB, and HDD size to use for the Kasm Guac RDP server(s). | Map(Any) |
{
  cpus = 4
  memory = 4
  hdd_size_gb = 50
}
| +## Providers +No providers. + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [kasm](#module\_kasm) | ./module | n/a | + +## Resources + +No resources. + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [admin\_password](#input\_admin\_password) | The administrative user password. No special characters | `string` | n/a | yes | +| [allow\_ssh\_cidrs](#input\_allow\_ssh\_cidrs) | The CIDR notation to allow SSH access to the systems. | `list(string)` | n/a | yes | +| [allow\_web\_cidrs](#input\_allow\_web\_cidrs) | The CIDR notation to allow HTTPS access to the systems. | `list(string)` | n/a | yes | +| [bastion\_vm\_settings](#input\_bastion\_vm\_settings) | The number of CPUs, amount of memory in GB, and HDD size in GB to configure for the Kasm SSH Bastion instance |
object({
cpus = number
memory = number
hdd_size_gb = number
})
| n/a | yes | +| [compartment\_ocid](#input\_compartment\_ocid) | The Compartment OCID | `string` | n/a | yes | +| [database\_password](#input\_database\_password) | The password for the database. No special characters | `string` | n/a | yes | +| [fingerprint](#input\_fingerprint) | API Key Fingerprint | `string` | n/a | yes | +| [instance\_image\_ocid](#input\_instance\_image\_ocid) | The OCID for the instance image, such as ubuntu 22.04, to use. | `string` | n/a | yes | +| [instance\_shape](#input\_instance\_shape) | The instance shape to use. Should be a Flex type. | `string` | n/a | yes | +| [kasm\_agent\_vm\_settings](#input\_kasm\_agent\_vm\_settings) | The number of CPUs, amount of memory in GB, and HDD size in GB to configure for the Kasm Agent instances |
object({
cpus = number
memory = number
hdd_size_gb = number
})
| n/a | yes | +| [kasm\_build\_url](#input\_kasm\_build\_url) | The URL for the Kasm Workspaces build | `string` | n/a | yes | +| [kasm\_cpx\_vm\_settings](#input\_kasm\_cpx\_vm\_settings) | The number of CPUs, amount of memory in GB, and HDD size in GB to configure for the Kasm cpx RDP instances |
object({
cpus = number
memory = number
hdd_size_gb = number
})
| n/a | yes | +| [kasm\_database\_vm\_settings](#input\_kasm\_database\_vm\_settings) | The number of CPUs, amount of memory in GB, and HDD size in GB to configure for the Kasm Database instance |
object({
cpus = number
memory = number
hdd_size_gb = number
})
| n/a | yes | +| [kasm\_ssl\_crt\_path](#input\_kasm\_ssl\_crt\_path) | The file path to the PEM encoded SSL Certificate | `string` | `""` | no | +| [kasm\_ssl\_key\_path](#input\_kasm\_ssl\_key\_path) | The file path to the PEM encoded SSL Certificate Key | `string` | `""` | no | +| [kasm\_webapp\_vm\_settings](#input\_kasm\_webapp\_vm\_settings) | The number of CPUs, amount of memory in GB, and HDD size in GB to configure for the Kasm WebApp instances |
object({
cpus = number
memory = number
hdd_size_gb = number
})
| n/a | yes | +| [letsencrypt\_cert\_support\_email](#input\_letsencrypt\_cert\_support\_email) | Email address to use for Let's Encrypt SSL certificates for OCI Deployment | `string` | `""` | no | +| [letsencrypt\_server\_type](#input\_letsencrypt\_server\_type) | SSL Server type to generate. Valid options are staging and prod, and prod certificates are limited to 5 certificates per week. | `string` | `""` | no | +| [manager\_token](#input\_manager\_token) | The manager token value for Agents to authenticate to webapps. No special characters | `string` | n/a | yes | +| [num\_agents](#input\_num\_agents) | The number of Agent Role Servers to create in the deployment | `number` | n/a | yes | +| [num\_cpx\_nodes](#input\_num\_cpx\_nodes) | The number of cpx RDP Role Servers to create in the deployment | `number` | n/a | yes | +| [num\_webapps](#input\_num\_webapps) | The number of WebApp role servers to create in the deployment | `number` | n/a | yes | +| [oci\_domain\_name](#input\_oci\_domain\_name) | The public Zone used for the dns entries. This must already exist in the OCI account. (e.g kasm.contoso.com). The deployment will be accessed via this zone name via https | `string` | n/a | yes | +| [private\_key\_path](#input\_private\_key\_path) | The path to the API Key PEM encoded Private Key | `string` | n/a | yes | +| [project\_name](#input\_project\_name) | The name of the deployment (e.g dev, staging). A short single word | `string` | n/a | yes | +| [redis\_password](#input\_redis\_password) | The password for the Redis server. No special characters | `string` | n/a | yes | +| [region](#input\_region) | The OCI Region eg: (us-ashburn-1) | `string` | n/a | yes | +| [service\_registration\_token](#input\_service\_registration\_token) | The service registration token value for cpx RDP servers to authenticate to webapps. 
No special characters | `string` | n/a | yes | +| [ssh\_authorized\_keys](#input\_ssh\_authorized\_keys) | The SSH Public Keys to be installed on the OCI compute instance | `string` | n/a | yes | +| [swap\_size](#input\_swap\_size) | The amount of swap (in MB) to configure inside the compute instances | `number` | n/a | yes | +| [tenancy\_ocid](#input\_tenancy\_ocid) | The Tenancy OCID. | `string` | n/a | yes | +| [user\_ocid](#input\_user\_ocid) | The User OCID. | `string` | n/a | yes | +| [user\_password](#input\_user\_password) | The standard (non administrator) user password. No special characters | `string` | n/a | yes | +| [vcn\_subnet\_cidr](#input\_vcn\_subnet\_cidr) | VCN Subnet CIDR where you wish to deploy Kasm | `string` | n/a | yes | + +## Outputs + +No outputs. + # Detailed Terraform Deployment Diagram diff --git a/oci/standard/deployment.tf b/oci/standard/deployment.tf index 842eeba..c36861b 100644 --- a/oci/standard/deployment.tf +++ b/oci/standard/deployment.tf @@ -18,6 +18,7 @@ module "kasm" { # Let TF generate Let's Encrypt SSL Certificates automatically letsencrypt_cert_support_email = var.letsencrypt_cert_support_email letsencrypt_server_type = var.letsencrypt_server_type + # Bring your own SSL Certificates kasm_ssl_crt_path = var.kasm_ssl_crt_path kasm_ssl_key_path = var.kasm_ssl_key_path 
@@ -26,14 +27,15 @@ module "kasm" { instance_shape = var.instance_shape num_agents = var.num_agents num_webapps = var.num_webapps - num_guac_rdp_nodes = var.num_guac_rdp_nodes + num_cpx_nodes = var.num_cpx_nodes kasm_agent_vm_settings = var.kasm_agent_vm_settings kasm_database_vm_settings = var.kasm_database_vm_settings kasm_webapp_vm_settings = var.kasm_webapp_vm_settings - kasm_guac_vm_settings = var.kasm_guac_vm_settings + kasm_cpx_vm_settings = var.kasm_cpx_vm_settings allow_ssh_cidrs = var.allow_ssh_cidrs allow_web_cidrs = var.allow_web_cidrs swap_size = var.swap_size + bastion_vm_settings = var.bastion_vm_settings manager_token = var.manager_token admin_password = var.admin_password diff --git a/oci/standard/module/README.md b/oci/standard/module/README.md new file mode 100644 index 0000000..d17d8eb --- /dev/null +++ b/oci/standard/module/README.md 
@@ -0,0 +1,111 @@ +# module + + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | ~> 1.0 | +| [acme](#requirement\_acme) | ~> 2.0 | +| [oci](#requirement\_oci) | ~> 5.0 | +| [tls](#requirement\_tls) | ~> 4.0 | + +## Providers + +| Name | Version | +|------|---------| +| [acme](#provider\_acme) | 2.20.0 | +| [oci](#provider\_oci) | 5.28.0 | +| [tls](#provider\_tls) | 4.0.5 | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [acme_certificate.this](https://registry.terraform.io/providers/vancluever/acme/latest/docs/resources/certificate) | resource | +| [acme_registration.this](https://registry.terraform.io/providers/vancluever/acme/latest/docs/resources/registration) | resource | +| [oci_core_instance.agent](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/core_instance) | resource | +| [oci_core_instance.bastion](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/core_instance) | resource | +| [oci_core_instance.cpx](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/core_instance) | resource | +| [oci_core_instance.db](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/core_instance) | resource | +| [oci_core_instance.webapp](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/core_instance) | resource | +| [oci_core_internet_gateway.this](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/core_internet_gateway) | resource | +| [oci_core_nat_gateway.this](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/core_nat_gateway) | resource | +| [oci_core_route_table.internet_gateway](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/core_route_table) | resource | +| [oci_core_route_table.nat_gateway](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/core_route_table) | resource | +| 
[oci_core_security_list.allow_bastion_ssh](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/core_security_list) | resource | +| [oci_core_security_list.allow_db_redis](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/core_security_list) | resource | +| [oci_core_security_list.allow_public_ssh](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/core_security_list) | resource | +| [oci_core_security_list.allow_rdp_to_windows](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/core_security_list) | resource | +| [oci_core_security_list.allow_web](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/core_security_list) | resource | +| [oci_core_security_list.allow_web_from_lb](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/core_security_list) | resource | +| [oci_core_security_list.allow_web_from_webapp](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/core_security_list) | resource | +| [oci_core_subnet.agent](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/core_subnet) | resource | +| [oci_core_subnet.cpx](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/core_subnet) | resource | +| [oci_core_subnet.db](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/core_subnet) | resource | +| [oci_core_subnet.lb](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/core_subnet) | resource | +| [oci_core_subnet.webapp](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/core_subnet) | resource | +| [oci_core_subnet.windows](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/core_subnet) | resource | +| [oci_core_vcn.this](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/core_vcn) | resource | +| 
[oci_dns_rrset.kasm_a_record](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/dns_rrset) | resource | +| [oci_load_balancer.public](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/load_balancer) | resource | +| [oci_load_balancer_backend.public](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/load_balancer_backend) | resource | +| [oci_load_balancer_backend_set.public](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/load_balancer_backend_set) | resource | +| [oci_load_balancer_certificate.public](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/load_balancer_certificate) | resource | +| [oci_load_balancer_listener.kasm_https_ssl_listener](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/load_balancer_listener) | resource | +| [tls_cert_request.this](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/cert_request) | resource | +| [tls_private_key.certificate](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource | +| [tls_private_key.registration](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource | +| [oci_dns_zones.this](https://registry.terraform.io/providers/oracle/oci/latest/docs/data-sources/dns_zones) | data source | +| [oci_identity_availability_domains.kasm_ads](https://registry.terraform.io/providers/oracle/oci/latest/docs/data-sources/identity_availability_domains) | data source | +| [oci_load_balancer_ssl_cipher_suite.this](https://registry.terraform.io/providers/oracle/oci/latest/docs/data-sources/load_balancer_ssl_cipher_suite) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [admin\_password](#input\_admin\_password) | The administrative user password. 
No special characters | `string` | n/a | yes | +| [allow\_ssh\_cidrs](#input\_allow\_ssh\_cidrs) | The CIDR notation to allow SSH access to the systems. | `list(string)` | n/a | yes | +| [allow\_web\_cidrs](#input\_allow\_web\_cidrs) | The CIDR notation to allow HTTPS access to the systems. | `list(string)` | n/a | yes | +| [anywhere](#input\_anywhere) | Anywhere route subnet | `list(string)` |
[
"0.0.0.0/0"
]
| no | +| [bastion\_vm\_settings](#input\_bastion\_vm\_settings) | The number of CPUs, amount of memory in GB, and HDD size in GB to configure for the Kasm SSH Bastion instance |
object({
cpus = number
memory = number
hdd_size_gb = number
})
| n/a | yes | +| [bastion\_vm\_utilization](#input\_bastion\_vm\_utilization) | The VM compute utilization. Defaults to 12.5% to reduce costs on long-running instances. | `string` | `"BASELINE_1_8"` | no | +| [compartment\_ocid](#input\_compartment\_ocid) | The Compartment OCID | `string` | n/a | yes | +| [database\_password](#input\_database\_password) | The password for the database. No special characters | `string` | n/a | yes | +| [fingerprint](#input\_fingerprint) | API Key Fingerprint | `string` | n/a | yes | +| [instance\_image\_ocid](#input\_instance\_image\_ocid) | The OCID for the instance image , such as ubuntu 20.04, to use. | `string` | n/a | yes | +| [instance\_shape](#input\_instance\_shape) | The instance shape to use. Should be a Flex type. | `string` | n/a | yes | +| [kasm\_agent\_vm\_settings](#input\_kasm\_agent\_vm\_settings) | The number of CPUs, amount of memory in GB, and HDD size in GB to configure for the Kasm Agent instances |
object({
cpus = number
memory = number
hdd_size_gb = number
})
| n/a | yes | +| [kasm\_build\_url](#input\_kasm\_build\_url) | The URL for the Kasm Workspaces build | `string` | n/a | yes | +| [kasm\_cpx\_vm\_settings](#input\_kasm\_cpx\_vm\_settings) | The number of CPUs, amount of memory in GB, and HDD size in GB to configure for the Kasm cpx RDP instances |
object({
cpus = number
memory = number
hdd_size_gb = number
})
| n/a | yes | +| [kasm\_database\_vm\_settings](#input\_kasm\_database\_vm\_settings) | The number of CPUs, amount of memory in GB, and HDD size in GB to configure for the Kasm Database instance |
object({
cpus = number
memory = number
hdd_size_gb = number
})
| n/a | yes | +| [kasm\_ssl\_crt\_path](#input\_kasm\_ssl\_crt\_path) | The file path to the PEM encoded SSL Certificate | `string` | n/a | yes | +| [kasm\_ssl\_key\_path](#input\_kasm\_ssl\_key\_path) | The file path to the PEM encoded SSL Certificate Key | `string` | n/a | yes | +| [kasm\_webapp\_vm\_settings](#input\_kasm\_webapp\_vm\_settings) | The number of CPUs, amount of memory in GB, and HDD size in GB to configure for the Kasm WebApp instances |
object({
cpus = number
memory = number
hdd_size_gb = number
})
| n/a | yes | +| [letsencrypt\_cert\_support\_email](#input\_letsencrypt\_cert\_support\_email) | Email address to use for Let's Encrypt SSL certificates for OCI Deployment | `string` | n/a | yes | +| [letsencrypt\_server\_type](#input\_letsencrypt\_server\_type) | SSL Server type to generate. Valid options are staging and prod, and prod certificates are limited to 5 certificates per week. | `string` | n/a | yes | +| [manager\_token](#input\_manager\_token) | The manager token value for Agents to authenticate to webapps. No special characters | `string` | n/a | yes | +| [num\_agents](#input\_num\_agents) | The number of Agent Role Servers to create in the deployment | `number` | n/a | yes | +| [num\_cpx\_nodes](#input\_num\_cpx\_nodes) | The number of WebApp role servers to create in the deployment | `number` | n/a | yes | +| [num\_webapps](#input\_num\_webapps) | The number of WebApp role servers to create in the deployment | `number` | n/a | yes | +| [oci\_domain\_name](#input\_oci\_domain\_name) | The public Zone used for the dns entries. This must already exist in the OCI account. (e.g kasm.contoso.com). The deployment will be accessed via this zone name via https | `string` | n/a | yes | +| [private\_key\_path](#input\_private\_key\_path) | The path to the API Key PEM encoded Private Key | `string` | n/a | yes | +| [project\_name](#input\_project\_name) | The name of the deployment (e.g dev, staging). A short single word | `string` | n/a | yes | +| [redis\_password](#input\_redis\_password) | The password for the Redis server. No special characters | `string` | n/a | yes | +| [region](#input\_region) | The OCI Region eg: (us-ashburn-1) | `string` | n/a | yes | +| [service\_registration\_token](#input\_service\_registration\_token) | The service registration token value for cpx RDP servers to authenticate to webapps. 
No special characters | `string` | n/a | yes | +| [ssh\_authorized\_keys](#input\_ssh\_authorized\_keys) | The SSH Public Keys to be installed on the OCI compute instance | `string` | n/a | yes | +| [swap\_size](#input\_swap\_size) | The amount of swap (in MB) to configure inside the compute instances | `number` | n/a | yes | +| [tenancy\_ocid](#input\_tenancy\_ocid) | The Tenancy OCID. | `string` | n/a | yes | +| [user\_ocid](#input\_user\_ocid) | The User OCID. | `string` | n/a | yes | +| [user\_password](#input\_user\_password) | The standard (non administrator) user password. No special characters | `string` | n/a | yes | +| [vcn\_subnet\_cidr](#input\_vcn\_subnet\_cidr) | VCN Subnet CIDR where you wish to deploy Kasm | `string` | n/a | yes | + +## Outputs + +No outputs. + diff --git a/oci/standard/module/agent.tf b/oci/standard/module/agent.tf index c149f0d..d23146b 100644 --- a/oci/standard/module/agent.tf +++ b/oci/standard/module/agent.tf @@ -1,6 +1,7 @@ -resource "oci_core_instance" "kasm_agent_instance" { - count = var.num_agents - availability_domain = data.oci_identity_availability_domains.kasm_ads.availability_domains[0].name +resource "oci_core_instance" "agent" { + count = var.num_agents + + availability_domain = local.availability_domains[0].name compartment_id = var.compartment_ocid display_name = "${var.project_name}-Kasm-Agent-${count.index}" shape = var.instance_shape @@ -11,8 +12,8 @@ resource "oci_core_instance" "kasm_agent_instance" { } create_vnic_details { - subnet_id = data.oci_core_subnet.data-kasm_agent_subnet.id - display_name = "${var.project_name}-Primaryvnic-${count.index}" + subnet_id = oci_core_subnet.agent.id + display_name = "${var.project_name}-Agent-Primaryvnic-${count.index}" assign_public_ip = true assign_private_dns_record = true hostname_label = "${var.project_name}-Kasm-Agent-${count.index}" diff --git a/oci/standard/module/bastion.tf b/oci/standard/module/bastion.tf new file mode 100644 index 0000000..214bd30 
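Review bot: `assign_public_ip = true` stays on the agent VNIC in the second agent.tf hunk, although this patch also adds an SSH bastion and a NAT gateway (both appear in the module README resource list); the same unchanged line is in the db.tf and cpx.tf hunks. If these hosts are now meant to be reached through the bastion and to egress through NAT, `assign_public_ip = false` would keep the database and agents off the public internet regardless of the security-list rules. The subnet definitions are not part of these hunks, so this depends on whether the agent, db and cpx subnets are public or private. Both agent.tf hunks cut into the `oci_core_instance.agent` block, which continues outside them.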
--- /dev/null +++ b/oci/standard/module/bastion.tf @@ -0,0 +1,30 @@ +resource "oci_core_instance" "bastion" { + availability_domain = local.availability_domains[0].name + compartment_id = var.compartment_ocid + display_name = "${var.project_name}-Kasm-SSH-Bastion" + shape = var.instance_shape + + shape_config { + baseline_ocpu_utilization = var.bastion_vm_utilization + ocpus = var.bastion_vm_settings.cpus + memory_in_gbs = var.bastion_vm_settings.memory + } + + create_vnic_details { + subnet_id = oci_core_subnet.lb.id + display_name = "${var.project_name}-Bastion-Primaryvnic" + assign_public_ip = true + assign_private_dns_record = true + hostname_label = "${var.project_name}-Kasm-Bastion" + } + + source_details { + source_type = "image" + source_id = var.instance_image_ocid + boot_volume_size_in_gbs = var.bastion_vm_settings.hdd_size_gb + } + + metadata = { + ssh_authorized_keys = var.ssh_authorized_keys + } +} diff --git a/oci/standard/module/guac_rdp.tf b/oci/standard/module/cpx.tf similarity index 50% rename from oci/standard/module/guac_rdp.tf rename to oci/standard/module/cpx.tf index dc3d129..58ddc8c 100644 --- a/oci/standard/module/guac_rdp.tf +++ b/oci/standard/module/cpx.tf 
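Review bot: The new bastion is the one host that is deliberately internet-facing (`assign_public_ip = true` in the lb subnet), yet it is launched with default instance options and no hardening of its own. Adding `instance_options { are_legacy_imds_endpoints_disabled = true }` would restrict the instance metadata service to its v2 endpoints. The bastion also receives the same `var.ssh_authorized_keys` as every internal instance, so a short comment stating that it is meant to be used as a jump host with agent forwarding or ProxyJump, never with private keys stored on it, would help operators.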
@@ -1,33 +1,34 @@ -resource "oci_core_instance" "kasm_guac_instance" { - count = var.num_guac_rdp_nodes - availability_domain = data.oci_identity_availability_domains.kasm_ads.availability_domains[0].name +resource "oci_core_instance" "cpx" { + count = var.num_cpx_nodes + + availability_domain = length(local.availability_domains) > 1 ? local.availability_domains[(count.index)].name : local.availability_domains[0].name compartment_id = var.compartment_ocid - display_name = "${var.project_name}-Kasm-Guac-${count.index}" + display_name = "${var.project_name}-Kasm-cpx-${count.index}" shape = var.instance_shape shape_config { - ocpus = var.kasm_guac_vm_settings.cpus - memory_in_gbs = var.kasm_guac_vm_settings.memory + ocpus = var.kasm_cpx_vm_settings.cpus + memory_in_gbs = var.kasm_cpx_vm_settings.memory } create_vnic_details { - subnet_id = data.oci_core_subnet.data-kasm_guac_subnet.id - display_name = "${var.project_name}-Primaryvnic-${count.index}" + subnet_id = one(oci_core_subnet.cpx[*].id) + display_name = "${var.project_name}-CPX-Primaryvnic-${count.index}" assign_public_ip = true assign_private_dns_record = true - hostname_label = "${var.project_name}-Kasm-Guac-${count.index}" + hostname_label = "${var.project_name}-Kasm-cpx-${count.index}" } source_details { source_type = "image" source_id = var.instance_image_ocid - boot_volume_size_in_gbs = var.kasm_guac_vm_settings.hdd_size_gb + boot_volume_size_in_gbs = var.kasm_cpx_vm_settings.hdd_size_gb } metadata = { ssh_authorized_keys = var.ssh_authorized_keys - user_data = base64encode(templatefile("${path.module}/userdata/guac_bootstrap.sh", + user_data = base64encode(templatefile("${path.module}/userdata/cpx_bootstrap.sh", { kasm_build_url = var.kasm_build_url swap_size = var.swap_size diff --git a/oci/standard/module/db.tf b/oci/standard/module/db.tf index fb150dc..1c8694f 100644 --- a/oci/standard/module/db.tf +++ b/oci/standard/module/db.tf 
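Review bot: The `availability_domain` expression indexes `local.availability_domains[(count.index)]` whenever the region has more than one availability domain, so a `num_cpx_nodes` larger than the number of domains fails with an invalid-index error. Wrapping the index removes both the failure and the special case: `availability_domain = local.availability_domains[count.index % length(local.availability_domains)].name`. All nodes still use the single subnet from `one(oci_core_subnet.cpx[*].id)`, so this assumes that subnet is regional rather than bound to one availability domain; the subnet definition is not in this hunk. The `oci_core_instance.cpx` block continues past the end of the hunk.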
@@ -1,5 +1,5 @@ -resource "oci_core_instance" "kasm_db_instance" { - availability_domain = data.oci_identity_availability_domains.kasm_ads.availability_domains[0].name +resource "oci_core_instance" "db" { + availability_domain = local.availability_domains[0].name compartment_id = var.compartment_ocid display_name = "${var.project_name}-Kasm-DB" shape = var.instance_shape @@ -10,8 +10,8 @@ resource "oci_core_instance" "kasm_db_instance" { } create_vnic_details { - subnet_id = oci_core_subnet.kasm-db-subnet.id - display_name = "${var.project_name}-Primaryvnic" + subnet_id = oci_core_subnet.db.id + display_name = "${var.project_name}-DB-Primaryvnic" assign_public_ip = true assign_private_dns_record = true hostname_label = "${var.project_name}-Kasm-DB" @@ -39,7 +39,3 @@ resource "oci_core_instance" "kasm_db_instance" { )) } } - -data "oci_core_instance" "data-kasm_db_instance" { - instance_id = oci_core_instance.kasm_db_instance.id -} diff --git a/oci/standard/module/dependencies.tf b/oci/standard/module/dependencies.tf new file mode 100644 index 0000000..c2f4afc --- /dev/null +++ b/oci/standard/module/dependencies.tf @@ -0,0 +1,16 @@ +locals { + kasm_vcn_subnet_cidr_mask = split("/", var.vcn_subnet_cidr)[1] + kasm_server_subnet_cidr_calculation = (8 - (local.kasm_vcn_subnet_cidr_mask - 16)) + kasm_server_subnet_cidr_size = local.kasm_server_subnet_cidr_calculation < 3 ? 3 : local.kasm_server_subnet_cidr_calculation + + availability_domains = data.oci_identity_availability_domains.kasm_ads.availability_domains +} + +data "oci_dns_zones" "this" { + compartment_id = var.compartment_ocid + name = var.oci_domain_name +} + +data "oci_identity_availability_domains" "kasm_ads" { + compartment_id = var.compartment_ocid +} diff --git a/oci/standard/module/dns.tf b/oci/standard/module/dns.tf index fbe4c4b..da27b0f 100644 --- a/oci/standard/module/dns.tf +++ b/oci/standard/module/dns.tf 
@@ -1,16 +1,12 @@ -data "oci_dns_zones" "kasm_dns_zone" { - compartment_id = var.compartment_ocid - name = var.oci_domain_name -} - resource "oci_dns_rrset" "kasm_a_record" { compartment_id = var.compartment_ocid domain = var.oci_domain_name - zone_name_or_id = data.oci_dns_zones.kasm_dns_zone.zones[0].name + zone_name_or_id = data.oci_dns_zones.this.zones[0].name rtype = "A" + items { domain = var.oci_domain_name - rdata = oci_load_balancer.kasm_load_balancer.ip_address_details[0].ip_address + rdata = oci_load_balancer.public.ip_address_details[0].ip_address rtype = "A" ttl = 300 } diff --git a/oci/standard/module/letsencrypt.tf b/oci/standard/module/letsencrypt.tf index b9bf330..940b8c8 100644 --- a/oci/standard/module/letsencrypt.tf +++ b/oci/standard/module/letsencrypt.tf 
@@ -1,28 +1,33 @@ -resource "tls_private_key" "registration_private_key" { +resource "tls_private_key" "registration" { algorithm = "RSA" } -resource "tls_private_key" "certificate_private_key" { +resource "tls_private_key" "certificate" { algorithm = "RSA" } -resource "acme_registration" "registration" { - account_key_pem = tls_private_key.registration_private_key.private_key_pem +resource "acme_registration" "this" { + account_key_pem = tls_private_key.registration.private_key_pem email_address = var.letsencrypt_cert_support_email } -resource "tls_cert_request" "kasm_certificate_request" { - private_key_pem = tls_private_key.certificate_private_key.private_key_pem - dns_names = [data.oci_dns_zones.kasm_dns_zone.zones[0].name, "*.${data.oci_dns_zones.kasm_dns_zone.zones[0].name}"] +resource "tls_cert_request" "this" { + private_key_pem = tls_private_key.certificate.private_key_pem + + dns_names = [ + var.oci_domain_name, + "*.${var.oci_domain_name}" + ] subject { - common_name = data.oci_dns_zones.kasm_dns_zone.zones[0].name + common_name = var.oci_domain_name } } -resource "acme_certificate" "certificate" { - account_key_pem = acme_registration.registration.account_key_pem - certificate_request_pem = tls_cert_request.kasm_certificate_request.cert_request_pem +resource "acme_certificate" "this" { + account_key_pem = acme_registration.this.account_key_pem + certificate_request_pem = tls_cert_request.this.cert_request_pem + recursive_nameservers = [ "8.8.8.8:53", "4.4.2.2:53" @@ -44,5 +49,5 @@ resource "acme_certificate" "certificate" { } } - depends_on = [acme_registration.registration] + depends_on = [acme_registration.this] } diff --git a/oci/standard/module/load_balancer.tf b/oci/standard/module/load_balancer.tf index 7f791e1..075e4be 100644 --- a/oci/standard/module/load_balancer.tf +++ b/oci/standard/module/load_balancer.tf 
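Review bot: Both `tls_private_key` resources keep their generated private keys in the Terraform state in plain text, and `tls_private_key.certificate` is the key the load balancer certificate uses, so the state backend needs encryption and tight access control; a comment above the two resources should say so. Neither resource sets `rsa_bits`, which leaves the provider default of 2048; `rsa_bits = 4096` (or `algorithm = "ECDSA"` with `ecdsa_curve = "P384"`) makes the choice explicit. In the unchanged `recursive_nameservers` list, `4.4.2.2:53` looks like a transposition of a well-known public resolver address and is worth confirming. The `acme_certificate.this` block starts in the first hunk and ends in the second, with its middle outside both.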
@@ -1,32 +1,32 @@ -resource "oci_load_balancer" "kasm_load_balancer" { +resource "oci_load_balancer" "public" { shape = "flexible" compartment_id = var.compartment_ocid - subnet_ids = [for subnet_id in data.oci_core_subnets.data-kasm_webapp_subnets : subnet_id.subnets[0].id] + subnet_ids = [oci_core_subnet.lb.id] shape_details { minimum_bandwidth_in_mbps = 10 - maximum_bandwidth_in_mbps = 100 + maximum_bandwidth_in_mbps = 1000 } display_name = "${var.project_name}-kasm-load_balancer" } -resource "oci_load_balancer_certificate" "kasm_lb_certificate" { +resource "oci_load_balancer_certificate" "public" { certificate_name = "${var.project_name}-kasm-cert" - load_balancer_id = oci_load_balancer.kasm_load_balancer.id + load_balancer_id = oci_load_balancer.public.id - ca_certificate = var.letsencrypt_server_type == "" ? file(var.kasm_ssl_crt_path) : acme_certificate.certificate.certificate_pem - public_certificate = var.letsencrypt_server_type == "" ? file(var.kasm_ssl_crt_path) : acme_certificate.certificate.certificate_pem - private_key = var.letsencrypt_server_type == "" ? file(var.kasm_ssl_key_path) : tls_private_key.certificate_private_key.private_key_pem + ca_certificate = var.letsencrypt_server_type == "" ? file(var.kasm_ssl_crt_path) : acme_certificate.this.certificate_pem + public_certificate = var.letsencrypt_server_type == "" ? file(var.kasm_ssl_crt_path) : acme_certificate.this.certificate_pem + private_key = var.letsencrypt_server_type == "" ? file(var.kasm_ssl_key_path) : tls_private_key.certificate.private_key_pem lifecycle { create_before_destroy = true } } -resource "oci_load_balancer_backend_set" "kasm_load_balancer_backend_set" { +resource "oci_load_balancer_backend_set" "public" { name = "${var.project_name}-kasm-backend_set" - load_balancer_id = oci_load_balancer.kasm_load_balancer.id + load_balancer_id = oci_load_balancer.public.id policy = "ROUND_ROBIN" health_checker { 
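Review bot: `ca_certificate` and `public_certificate` are assigned the same value, `acme_certificate.this.certificate_pem`, so the load balancer is given the leaf certificate as its CA bundle and the issuer chain is never supplied. The acme provider exports the chain separately; `ca_certificate = var.letsencrypt_server_type == "" ? file(var.kasm_ssl_crt_path) : acme_certificate.this.issuer_pem` would present it to clients. The bring-your-own branch has the same shape and would need a separate CA-chain path input, which the module README does not list. The `oci_load_balancer_backend_set.public` block at the end of the hunk continues outside it.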
@@ -42,22 +42,22 @@ resource "oci_load_balancer_backend_set" "kasm_load_balancer_backend_set" { ssl_configuration { protocols = [ - "TLSv1.1", "TLSv1.2" ] - cipher_suite_name = data.oci_load_balancer_ssl_cipher_suite.data-kasm_load_balancer_cipher_suite.name - certificate_name = oci_load_balancer_certificate.kasm_lb_certificate.certificate_name + cipher_suite_name = data.oci_load_balancer_ssl_cipher_suite.this.name + certificate_name = oci_load_balancer_certificate.public.certificate_name verify_peer_certificate = false } } -resource "oci_load_balancer_backend" "kasm_webapp_load_balancer_backend" { - count = var.num_webapps - backendset_name = oci_load_balancer_backend_set.kasm_load_balancer_backend_set.name +resource "oci_load_balancer_backend" "public" { + count = var.num_webapps + + backendset_name = oci_load_balancer_backend_set.public.name backup = false drain = false - load_balancer_id = oci_load_balancer.kasm_load_balancer.id - ip_address = data.oci_core_instance.data-kasm_webapp_instances[count.index].private_ip + load_balancer_id = oci_load_balancer.public.id + ip_address = oci_core_instance.webapp[(count.index)].private_ip offline = false port = 443 weight = 1 
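Review bot: The backend set keeps `verify_peer_certificate = false`, which, as I read the OCI provider, means the load balancer does not validate the certificate the webapp servers present on port 443. If that is intentional because the webapps use self-signed certificates, a comment such as `# backends present self-signed certs; LB-to-webapp TLS is encrypted but not authenticated` would record the trade-off for the next reviewer. The `ssl_configuration` block starts before this hunk.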
@@ -65,24 +65,23 @@ resource "oci_load_balancer_backend" "kasm_webapp_load_balancer_backend" { resource "oci_load_balancer_listener" "kasm_https_ssl_listener" { name = "${var.project_name}-https-ssl-listener" - load_balancer_id = oci_load_balancer.kasm_load_balancer.id - default_backend_set_name = oci_load_balancer_backend_set.kasm_load_balancer_backend_set.name + load_balancer_id = oci_load_balancer.public.id + default_backend_set_name = oci_load_balancer_backend_set.public.name port = "443" protocol = "HTTP" ssl_configuration { protocols = [ - "TLSv1.1", "TLSv1.2" ] server_order_preference = "ENABLED" verify_peer_certificate = false - cipher_suite_name = data.oci_load_balancer_ssl_cipher_suite.data-kasm_load_balancer_cipher_suite.name - certificate_name = oci_load_balancer_certificate.kasm_lb_certificate.certificate_name + cipher_suite_name = data.oci_load_balancer_ssl_cipher_suite.this.name + certificate_name = oci_load_balancer_certificate.public.certificate_name } } -data "oci_load_balancer_ssl_cipher_suite" "data-kasm_load_balancer_cipher_suite" { +data "oci_load_balancer_ssl_cipher_suite" "this" { name = "oci-default-ssl-cipher-suite-v1" - load_balancer_id = oci_load_balancer.kasm_load_balancer.id + load_balancer_id = oci_load_balancer.public.id } diff --git a/oci/standard/module/provider.tf b/oci/standard/module/provider.tf index 9e55cc0..2814e4c 100644 --- a/oci/standard/module/provider.tf +++ b/oci/standard/module/provider.tf @@ -1,12 +1,18 @@ terraform { + required_version = "~> 1.0" + required_providers { oci = { source = "oracle/oci" - version = ">= 4.0.0" + version = "~> 5.0" } acme = { source = "vancluever/acme" - version = ">= 2.0.0" + version = "~> 2.0" + } + tls = { + source = "hashicorp/tls" + version = "~> 4.0" } } } diff --git a/oci/standard/module/security_lists.tf b/oci/standard/module/security_lists.tf index 946824f..7eba570 100644 --- a/oci/standard/module/security_lists.tf +++ b/oci/standard/module/security_lists.tf 
@@ -1,6 +1,6 @@ resource "oci_core_security_list" "allow_web" { compartment_id = var.compartment_ocid - vcn_id = oci_core_vcn.kasm_vcn.id + vcn_id = oci_core_vcn.this.id display_name = "allow_web" dynamic "egress_security_rules" { @@ -26,15 +26,10 @@ resource "oci_core_security_list" "allow_web" { } } -data "oci_core_security_lists" "data-allow_web" { +resource "oci_core_security_list" "allow_public_ssh" { compartment_id = var.compartment_ocid - display_name = oci_core_security_list.allow_web.display_name -} - -resource "oci_core_security_list" "allow_ssh" { - compartment_id = var.compartment_ocid - vcn_id = oci_core_vcn.kasm_vcn.id - display_name = "allow_ssh" + vcn_id = oci_core_vcn.this.id + display_name = "allow_public_ssh" dynamic "egress_security_rules" { for_each = var.anywhere @@ -59,14 +54,24 @@ resource "oci_core_security_list" "allow_ssh" { } } -data "oci_core_security_lists" "data-allow_ssh" { +resource "oci_core_security_list" "allow_bastion_ssh" { compartment_id = var.compartment_ocid - display_name = oci_core_security_list.allow_ssh.display_name + vcn_id = oci_core_vcn.this.id + display_name = "allow_bastion_ssh" + + ingress_security_rules { + protocol = "6" + source = "${oci_core_instance.bastion.private_ip}/32" + tcp_options { + max = "22" + min = "22" + } + } } resource "oci_core_security_list" "allow_db_redis" { compartment_id = var.compartment_ocid - vcn_id = oci_core_vcn.kasm_vcn.id + vcn_id = oci_core_vcn.this.id display_name = "allow_db_redis" dynamic "egress_security_rules" { 
@@ -79,39 +84,28 @@ resource "oci_core_security_list" "allow_db_redis" { } } - dynamic "ingress_security_rules" { - for_each = [for cidr_block in data.oci_core_subnets.data-kasm_webapp_subnets : cidr_block.subnets[0].cidr_block] - content { - protocol = "6" - source = ingress_security_rules.value - tcp_options { - max = "5432" - min = "5432" - } + ingress_security_rules { + protocol = "6" + source = oci_core_subnet.webapp.cidr_block + tcp_options { + max = "5432" + min = "5432" } } - dynamic "ingress_security_rules" { - for_each = [for cidr_block in data.oci_core_subnets.data-kasm_webapp_subnets : cidr_block.subnets[0].cidr_block] - content { - protocol = "6" - source = ingress_security_rules.value - tcp_options { - max = "6379" - min = "6379" - } + ingress_security_rules { + protocol = "6" + source = oci_core_subnet.webapp.cidr_block + tcp_options { + max = "6379" + min = "6379" } } } -data "oci_core_security_lists" "data-allow_db_redis" { +resource "oci_core_security_list" "allow_web_from_lb" { compartment_id = var.compartment_ocid - display_name = oci_core_security_list.allow_db_redis.display_name -} - -resource "oci_core_security_list" "allow_web_from_webapp" { - compartment_id = var.compartment_ocid - vcn_id = oci_core_vcn.kasm_vcn.id + vcn_id = oci_core_vcn.this.id display_name = "allow_web_from_webapp" dynamic "egress_security_rules" { 
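Review bot: The new `oci_core_security_list.allow_web_from_lb` resource inherits the unchanged line `display_name = "allow_web_from_webapp"`, and the next hunk adds a separate `allow_web_from_webapp` list with the same display name, so two lists with different sources become indistinguishable in the console and in audit logs. Change it to `display_name = "allow_web_from_lb"`. The next hunk has a smaller mismatch of the same kind: resource `allow_rdp_to_windows` is displayed as `allow_rdp_for_windows`. The `allow_web_from_lb` block continues past the end of this hunk.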
@@ -124,20 +118,82 @@ resource "oci_core_security_list" "allow_web_from_webapp" { } } - dynamic "ingress_security_rules" { - for_each = [for cidr_block in data.oci_core_subnets.data-kasm_webapp_subnets : cidr_block.subnets[0].cidr_block] - content { - protocol = "6" - source = ingress_security_rules.value - tcp_options { - max = "443" - min = "443" - } + ingress_security_rules { + protocol = "6" + source = oci_core_subnet.lb.cidr_block + tcp_options { + max = "443" + min = "443" } } } -data "oci_core_security_lists" "data-allow_web_from_webapp" { +resource "oci_core_security_list" "allow_web_from_webapp" { compartment_id = var.compartment_ocid - display_name = oci_core_security_list.allow_web_from_webapp.display_name + vcn_id = oci_core_vcn.this.id + display_name = "allow_web_from_webapp" + + dynamic "egress_security_rules" { + for_each = var.anywhere + + content { + destination = egress_security_rules.value + protocol = "all" + stateless = "false" + } + } + + ingress_security_rules { + protocol = "6" + source = oci_core_subnet.webapp.cidr_block + tcp_options { + max = "443" + min = "443" + } + } +} + +resource "oci_core_security_list" "allow_rdp_to_windows" { + count = var.num_cpx_nodes > 0 ? 1 : 0 + + compartment_id = var.compartment_ocid + vcn_id = oci_core_vcn.this.id + display_name = "allow_rdp_for_windows" + + dynamic "egress_security_rules" { + for_each = var.anywhere + + content { + destination = egress_security_rules.value + protocol = "all" + stateless = "false" + } + } + + ingress_security_rules { + protocol = "6" + source = oci_core_subnet.webapp.cidr_block + tcp_options { + max = "4902" + min = "4902" + } + } + + ingress_security_rules { + protocol = "6" + source = one(oci_core_subnet.cpx[*].cidr_block) + tcp_options { + max = "3389" + min = "3389" + } + } + + ingress_security_rules { + protocol = "6" + source = one(oci_core_subnet.cpx[*].cidr_block) + tcp_options { + max = "4902" + min = "4902" + } + } } 
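Review bot: Each security list added here (`allow_web_from_webapp`, `allow_rdp_to_windows`) repeats the `egress_security_rules` block that allows `protocol = "all"` to every entry of `var.anywhere`, whose documented default is `0.0.0.0/0`. Because security-list rules on a subnet are additive, attaching any one of these lists gives that subnet unrestricted outbound access, which is more than a list named for a single inbound port suggests. Consider dropping the egress block from the ingress-specific lists and keeping one dedicated egress list, the way `allow_bastion_ssh` in an earlier hunk of this file carries ingress only. Which subnets these lists attach to is not visible in this file.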
diff --git a/oci/standard/module/subnet.tf b/oci/standard/module/subnet.tf deleted file mode 100644 index e6ffbee..0000000 --- a/oci/standard/module/subnet.tf +++ /dev/null 
@@ -1,90 +0,0 @@ -locals { - kasm_vcn_subnet_cidr_mask = split("/", var.vcn_subnet_cidr)[1] - kasm_server_subnet_cidr_calculation = (8 - (local.kasm_vcn_subnet_cidr_mask - 16)) - kasm_server_subnet_cidr_size = local.kasm_server_subnet_cidr_calculation < 3 ? 3 : local.kasm_server_subnet_cidr_calculation - kasm_agent_subnet_id = (var.num_webapps + 1) -} - -## Will create Agent subnet x.x.0.x/24 (assuming a VPC Subnet CIDR between x.x.0.0/16 and x.x.0.0/21) -resource "oci_core_subnet" "kasm-db-subnet" { - compartment_id = var.compartment_ocid - vcn_id = data.oci_core_vcn.data-kasm_vcn.id - route_table_id = oci_core_route_table.default_route_table.id - dhcp_options_id = data.oci_core_vcn.data-kasm_vcn.default_dhcp_options_id - availability_domain = data.oci_identity_availability_domains.kasm_ads.availability_domains[0].name - cidr_block = cidrsubnet(var.vcn_subnet_cidr, local.kasm_server_subnet_cidr_size, 0) - display_name = "${var.project_name}-db-subnet" - dns_label = "${var.project_name}db" - security_list_ids = [ - data.oci_core_security_lists.data-allow_db_redis.security_lists[0].id, - data.oci_core_security_lists.data-allow_ssh.security_lists[0].id - ] -} - -data "oci_core_subnet" "data-kasm_db_subnet" { - subnet_id = oci_core_subnet.kasm-db-subnet.id -} - -## Will create WebApp subnets x.x.1.x/24 and x.x.2.x/24 (assuming a VPC Subnet CIDR between x.x.0.0/16 and x.x.0.0/21, and 2 WebApps) -resource "oci_core_subnet" "kasm-webapp-subnets" { - count = var.num_webapps - compartment_id = var.compartment_ocid - vcn_id = data.oci_core_vcn.data-kasm_vcn.id - route_table_id = oci_core_route_table.default_route_table.id - dhcp_options_id = data.oci_core_vcn.data-kasm_vcn.default_dhcp_options_id - availability_domain = data.oci_identity_availability_domains.kasm_ads.availability_domains[count.index].name - cidr_block = cidrsubnet(var.vcn_subnet_cidr, local.kasm_server_subnet_cidr_size, (count.index + 1)) - display_name = "${var.project_name}-webapp-subnet${count.index}" - 
dns_label = "${var.project_name}webapp${count.index}" - security_list_ids = [ - data.oci_core_security_lists.data-allow_web.security_lists[0].id, - data.oci_core_security_lists.data-allow_ssh.security_lists[0].id - ] -} - -data "oci_core_subnets" "data-kasm_webapp_subnets" { - count = var.num_webapps - compartment_id = var.compartment_ocid - vcn_id = data.oci_core_vcn.data-kasm_vcn.id - display_name = oci_core_subnet.kasm-webapp-subnets[count.index].display_name -} - -## Will create Agent subnet x.x.3.x/24 (assuming a VPC Subnet CIDR between x.x.0.0/16 and x.x.0.0/21) -resource "oci_core_subnet" "kasm-agent-subnet" { - compartment_id = var.compartment_ocid - vcn_id = data.oci_core_vcn.data-kasm_vcn.id - route_table_id = oci_core_route_table.default_route_table.id - dhcp_options_id = data.oci_core_vcn.data-kasm_vcn.default_dhcp_options_id - availability_domain = data.oci_identity_availability_domains.kasm_ads.availability_domains[0].name - cidr_block = cidrsubnet(var.vcn_subnet_cidr, local.kasm_server_subnet_cidr_size, local.kasm_agent_subnet_id) - display_name = "${var.project_name}-agent-subnet" - dns_label = "${var.project_name}agent" - security_list_ids = [ - data.oci_core_security_lists.data-allow_web_from_webapp.security_lists[0].id, - data.oci_core_security_lists.data-allow_ssh.security_lists[0].id - ] -} - -data "oci_core_subnet" "data-kasm_agent_subnet" { - subnet_id = oci_core_subnet.kasm-agent-subnet.id -} - -## Will create Guac subnet x.x.4.x/24 (assuming a VPC Subnet CIDR between x.x.0.0/16 and x.x.0.0/21) -resource "oci_core_subnet" "kasm-guac-subnet" { - compartment_id = var.compartment_ocid - vcn_id = data.oci_core_vcn.data-kasm_vcn.id - route_table_id = oci_core_route_table.default_route_table.id - dhcp_options_id = data.oci_core_vcn.data-kasm_vcn.default_dhcp_options_id - availability_domain = data.oci_identity_availability_domains.kasm_ads.availability_domains[0].name - cidr_block = cidrsubnet(var.vcn_subnet_cidr, 
local.kasm_server_subnet_cidr_size, (local.kasm_agent_subnet_id + 1)) - display_name = "${var.project_name}-guac-subnet" - dns_label = "${var.project_name}guac" - security_list_ids = [ - data.oci_core_security_lists.data-allow_web_from_webapp.security_lists[0].id, - data.oci_core_security_lists.data-allow_ssh.security_lists[0].id - ] -} - -data "oci_core_subnet" "data-kasm_guac_subnet" { - subnet_id = oci_core_subnet.kasm-guac-subnet.id -} diff --git a/oci/standard/module/subnets.tf b/oci/standard/module/subnets.tf new file mode 100644 index 0000000..fbea323 --- /dev/null +++ b/oci/standard/module/subnets.tf 
@@ -0,0 +1,90 @@ +## Will create WebApp subnets x.x.0.x/24 (assuming a VPC Subnet CIDR between x.x.0.0/16 and x.x.0.0/21) +resource "oci_core_subnet" "lb" { + compartment_id = var.compartment_ocid + vcn_id = oci_core_vcn.this.id + route_table_id = oci_core_route_table.internet_gateway.id + dhcp_options_id = oci_core_vcn.this.default_dhcp_options_id + cidr_block = cidrsubnet(var.vcn_subnet_cidr, local.kasm_server_subnet_cidr_size, 0) + display_name = "${var.project_name}-public-lb-subnet" + dns_label = "${var.project_name}lb" + security_list_ids = [ + oci_core_security_list.allow_web.id, + oci_core_security_list.allow_public_ssh.id + ] +} + +## Will create WebApp subnets x.x.1.x/24 (assuming a VPC Subnet CIDR between x.x.0.0/16 and x.x.0.0/21) +resource "oci_core_subnet" "webapp" { + compartment_id = var.compartment_ocid + vcn_id = oci_core_vcn.this.id + route_table_id = oci_core_route_table.nat_gateway.id + dhcp_options_id = oci_core_vcn.this.default_dhcp_options_id + cidr_block = cidrsubnet(var.vcn_subnet_cidr, local.kasm_server_subnet_cidr_size, 1) + display_name = "${var.project_name}-webapp-subnet" + dns_label = "${var.project_name}webapp" + security_list_ids = [ + oci_core_security_list.allow_web_from_lb.id, + oci_core_security_list.allow_bastion_ssh.id + ] +} + +## Will create Agent subnet x.x.2.x/24 (assuming a VPC Subnet CIDR between x.x.0.0/16 and x.x.0.0/21) +resource "oci_core_subnet" "db" { + compartment_id = var.compartment_ocid + vcn_id = oci_core_vcn.this.id + route_table_id = oci_core_route_table.nat_gateway.id + dhcp_options_id = oci_core_vcn.this.default_dhcp_options_id + cidr_block = cidrsubnet(var.vcn_subnet_cidr, local.kasm_server_subnet_cidr_size, 2) + display_name = "${var.project_name}-db-subnet" + dns_label = "${var.project_name}db" + security_list_ids = [ + oci_core_security_list.allow_db_redis.id, + oci_core_security_list.allow_bastion_ssh.id + ] +} + +## Will create Agent subnet x.x.3.x/24 (assuming a VPC Subnet CIDR between x.x.0.0/16 
and x.x.0.0/21) +resource "oci_core_subnet" "agent" { + compartment_id = var.compartment_ocid + vcn_id = oci_core_vcn.this.id + route_table_id = oci_core_route_table.internet_gateway.id + dhcp_options_id = oci_core_vcn.this.default_dhcp_options_id + cidr_block = cidrsubnet(var.vcn_subnet_cidr, local.kasm_server_subnet_cidr_size, 3) + display_name = "${var.project_name}-agent-subnet" + dns_label = "${var.project_name}agent" + security_list_ids = [ + oci_core_security_list.allow_web_from_webapp.id, + oci_core_security_list.allow_bastion_ssh.id + ] +} + +## Will create Guac subnet x.x.4.x/24 (assuming a VPC Subnet CIDR between x.x.0.0/16 and x.x.0.0/21) +resource "oci_core_subnet" "cpx" { + count = var.num_cpx_nodes > 0 ? 1 : 0 + + compartment_id = var.compartment_ocid + vcn_id = oci_core_vcn.this.id + route_table_id = oci_core_route_table.nat_gateway.id + dhcp_options_id = oci_core_vcn.this.default_dhcp_options_id + cidr_block = cidrsubnet(var.vcn_subnet_cidr, local.kasm_server_subnet_cidr_size, 4) + display_name = "${var.project_name}-cpx-subnet" + dns_label = "${var.project_name}cpx" + security_list_ids = [ + oci_core_security_list.allow_web_from_webapp.id, + oci_core_security_list.allow_bastion_ssh.id + ] +} + +## Will create Guac subnet x.x.5.x/24 (assuming a VPC Subnet CIDR between x.x.0.0/16 and x.x.0.0/21) +resource "oci_core_subnet" "windows" { + count = var.num_cpx_nodes > 0 ? 1 : 0 + + compartment_id = var.compartment_ocid + vcn_id = oci_core_vcn.this.id + route_table_id = oci_core_route_table.internet_gateway.id + dhcp_options_id = oci_core_vcn.this.default_dhcp_options_id + cidr_block = cidrsubnet(var.vcn_subnet_cidr, local.kasm_server_subnet_cidr_size, 5) + display_name = "${var.project_name}-windows-subnet" + dns_label = "${var.project_name}win" + security_list_ids = oci_core_security_list.allow_rdp_to_windows[*].id +} 
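Review bot: The `webapp`, `db` and `cpx` subnets are routed through `oci_core_route_table.nat_gateway`, which suggests they are meant to be private, but none of them sets `prohibit_public_ip_on_vnic = true`, so nothing at the subnet level stops an instance there from being given a public IP. Adding that argument to the three NAT-routed subnets makes the intent enforceable; the webapp instance in webapp.tf still has `assign_public_ip = true` and would need to change with it. The `agent` and `windows` subnets use the internet-gateway route table instead, and a comment saying why those hosts need direct internet routing would help a reviewer. The `##` comments were copied between resources (`lb` is described as WebApp, `db` as Agent, `cpx` and `windows` as Guac) and should name the subnet they sit above.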
diff --git a/aws/standard/module/userdata/guac_bootstrap.sh b/oci/standard/module/userdata/cpx_bootstrap.sh similarity index 100% rename from aws/standard/module/userdata/guac_bootstrap.sh rename to oci/standard/module/userdata/cpx_bootstrap.sh diff --git a/oci/standard/module/variables.tf b/oci/standard/module/variables.tf index f0d19ad..785fd32 100644 --- a/oci/standard/module/variables.tf +++ b/oci/standard/module/variables.tf @@ -94,7 +94,7 @@ variable "num_webapps" { type = number } -variable "num_guac_rdp_nodes" { +variable "num_cpx_nodes" { description = "The number of WebApp role servers to create in the deployment" type = number } @@ -130,7 +130,7 @@ variable "manager_token" { } variable "service_registration_token" { - description = "The service registration token value for Guac RDP servers to authenticate to webapps. No special characters" + description = "The service registration token value for cpx RDP servers to authenticate to webapps. No special characters" type = string sensitive = true } 
@@ -151,23 +151,54 @@ variable "instance_shape" { } variable "kasm_webapp_vm_settings" { - description = "The amount of memory, in GB, to configure for the Kasm WebApp instance" - type = map(any) + description = "The number of CPUs, amount of memory in GB, and HDD size in GB to configure for the Kasm WebApp instances" + type = object({ + cpus = number + memory = number + hdd_size_gb = number + }) } variable "kasm_database_vm_settings" { - description = "The amount of memory, in GB, to configure for the Kasm DB instance" - type = map(any) + description = "The number of CPUs, amount of memory in GB, and HDD size in GB to configure for the Kasm Database instance" + type = object({ + cpus = number + memory = number + hdd_size_gb = number + }) } variable "kasm_agent_vm_settings" { - description = "The amount of memory, in GB, to configure for the Kasm Agent instance" - type = map(any) + description = "The number of CPUs, amount of memory in GB, and HDD size in GB to configure for the Kasm Agent instances" + type = object({ + cpus = number + memory = number + hdd_size_gb = number + }) } -variable "kasm_guac_vm_settings" { - description = "The number of CPUs, amount of memory in GB, and HDD size in GB to configure for the Kasm Guac RDP instance" - type = map(any) +variable "kasm_cpx_vm_settings" { + description = "The number of CPUs, amount of memory in GB, and HDD size in GB to configure for the Kasm cpx RDP instances" + type = object({ + cpus = number + memory = number + hdd_size_gb = number + }) +} + +variable "bastion_vm_settings" { + description = "The number of CPUs, amount of memory in GB, and HDD size in GB to configure for the Kasm SSH Bastion instance" + type = object({ + cpus = number + memory = number + hdd_size_gb = number + }) +} + +variable "bastion_vm_utilization" { + description = "The VM compute utilization. Defaults to 12.5% to reduce costs on long-running instances." + type = string + default = "BASELINE_1_8" } ## Pre-set values 
diff --git a/oci/standard/module/vcn.tf b/oci/standard/module/vcn.tf
index de2acb8..aa38dc7 100644
--- a/oci/standard/module/vcn.tf
+++ b/oci/standard/module/vcn.tf
@@ -1,43 +1,42 @@ -resource "oci_core_vcn" "kasm_vcn" { +resource "oci_core_vcn" "this" { cidr_block = "10.0.0.0/16" compartment_id = var.compartment_ocid display_name = "${var.project_name}-VCN" dns_label = "${var.project_name}vcn" } -data "oci_core_vcn" "data-kasm_vcn" { - vcn_id = oci_core_vcn.kasm_vcn.id +resource "oci_core_internet_gateway" "this" { + compartment_id = var.compartment_ocid + display_name = "${var.project_name}-Internet-Gateway" + vcn_id = oci_core_vcn.this.id } -resource "oci_core_internet_gateway" "kasm_internet_gateway" { +resource "oci_core_nat_gateway" "this" { compartment_id = var.compartment_ocid - display_name = "${var.project_name}-Gateway" - vcn_id = oci_core_vcn.kasm_vcn.id + display_name = "${var.project_name}-NAT-Gateway" + vcn_id = oci_core_vcn.this.id } -data "oci_core_internet_gateways" "data-kasm_internet_gateway" { +resource "oci_core_route_table" "internet_gateway" { compartment_id = var.compartment_ocid - vcn_id = data.oci_core_vcn.data-kasm_vcn.id -} - -resource "oci_core_route_table" "default_route_table" { - compartment_id = var.compartment_ocid - vcn_id = data.oci_core_vcn.data-kasm_vcn.id - display_name = "KasmRouteTable" + vcn_id = oci_core_vcn.this.id + display_name = "Kasm-IG-RouteTable" route_rules { destination = var.anywhere[0] destination_type = "CIDR_BLOCK" - network_entity_id = oci_core_internet_gateway.kasm_internet_gateway.id #data.oci_core_internet_gateways.data-kasm_internet_gateway.gateways[0].id + network_entity_id = oci_core_internet_gateway.this.id } } -# data "oci_core_route_tables" "data-default_route_table" { -# compartment_id = var.compartment_ocid -# vcn_id = data.oci_core_vcn.data-kasm_vcn.id -# display_name = oci_core_route_table.default_route_table.display_name -# } +resource "oci_core_route_table" "nat_gateway" { + compartment_id = var.compartment_ocid + vcn_id = oci_core_vcn.this.id + display_name = "Kasm-NAT-RouteTable" -data "oci_identity_availability_domains" "kasm_ads" { - compartment_id = 
var.tenancy_ocid + route_rules { + destination = var.anywhere[0] + destination_type = "CIDR_BLOCK" + network_entity_id = oci_core_nat_gateway.this.id + } } diff --git a/oci/standard/module/webapp.tf b/oci/standard/module/webapp.tf index 380a120..b881218 100644 --- a/oci/standard/module/webapp.tf +++ b/oci/standard/module/webapp.tf @@ -1,6 +1,7 @@ -resource "oci_core_instance" "kasm_webapp_instance" { - count = var.num_webapps - availability_domain = data.oci_identity_availability_domains.kasm_ads.availability_domains[count.index].name +resource "oci_core_instance" "webapp" { + count = var.num_webapps + + availability_domain = length(local.availability_domains) > 1 ? local.availability_domains[(count.index)].name : local.availability_domains[0].name compartment_id = var.compartment_ocid display_name = "${var.project_name}-Kasm-Webapp-${count.index}" shape = var.instance_shape @@ -11,8 +12,8 @@ resource "oci_core_instance" "kasm_webapp_instance" { } create_vnic_details { - subnet_id = data.oci_core_subnets.data-kasm_webapp_subnets[count.index].subnets[0].id - display_name = "${var.project_name}-Primaryvnic" + subnet_id = oci_core_subnet.webapp.id + display_name = "${var.project_name}-WebApp-Primaryvnic" assign_public_ip = true assign_private_dns_record = true hostname_label = "${var.project_name}-Kasm-Webapp-${count.index}" @@ -29,7 +30,7 @@ resource "oci_core_instance" "kasm_webapp_instance" { user_data = base64encode(templatefile("${path.module}/userdata/webapp_bootstrap.sh", { kasm_build_url = var.kasm_build_url - db_ip = data.oci_core_instance.data-kasm_db_instance.private_ip + db_ip = oci_core_instance.db.private_ip database_password = var.database_password redis_password = var.redis_password swap_size = var.swap_size @@ -39,8 +40,3 @@ resource "oci_core_instance" "kasm_webapp_instance" { } } - -data "oci_core_instance" "data-kasm_webapp_instances" { - count = var.num_webapps - instance_id = oci_core_instance.kasm_webapp_instance[count.index].id -} 
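Review bot: In the first webapp.tf hunk, `local.availability_domains[(count.index)]` is indexed directly by `count.index`, so the plan would fail with an out-of-range index whenever `num_webapps` exceeds the number of availability domains. The definition of `local.availability_domains` is outside this hunk, so this is inferred from the expression alone. Wrapping the index handles the single-AD and multi-AD cases without the conditional: `availability_domain = local.availability_domains[count.index % length(local.availability_domains)].name`. The `oci_core_instance.webapp` body continues outside the hunk.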
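Review bot: In the `create_vnic_details` hunk of webapp.tf, the unchanged line `assign_public_ip = true` still requests a public address for every webapp instance, even though the VNIC now sits in `oci_core_subnet.webapp`. The new subnets.tf routes that subnet through the NAT gateway and attaches only `allow_web_from_lb` and `allow_bastion_ssh`. With the load balancer and bastion in front, the public IP looks unnecessary and adds exposed surface; `assign_public_ip = false` would match the private-subnet design. The block starts and ends outside the hunk.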
diff --git a/oci/standard/provider.tf b/oci/standard/provider.tf index e65d81e..743dcfb 100644 --- a/oci/standard/provider.tf +++ b/oci/standard/provider.tf @@ -1,16 +1,18 @@ terraform { + required_version = "~> 1.0" + required_providers { oci = { source = "oracle/oci" - version = ">= 4.0.0" + version = "~> 5.0" } acme = { source = "vancluever/acme" - version = ">= 2.0" + version = "~> 2.0" } tls = { source = "hashicorp/tls" - version = ">= 4.0.0" + version = "~> 4.0" } } } diff --git a/oci/standard/settings.tfvars b/oci/standard/terraform.tfvars similarity index 87% rename from oci/standard/settings.tfvars rename to oci/standard/terraform.tfvars index 22f5c3b..139125a 100644 --- a/oci/standard/settings.tfvars +++ b/oci/standard/terraform.tfvars @@ -1,7 +1,7 @@ ## Kasm deployment settings oci_domain_name = "kasm.contoso.com" project_name = "contoso" -kasm_build_url = "https://kasm-static-content.s3.amazonaws.com/kasm_release_1.13.0.002947.tar.gz" +kasm_build_url = "https://kasm-static-content.s3.amazonaws.com/kasm_release_1.14.0.3a7abb.tar.gz" vcn_subnet_cidr = "10.0.0.0/16" ## OCI Authentication variables @@ -33,16 +33,16 @@ redis_password = "changeme" database_password = "changeme" service_registration_token = "changeme" -## SSH Public Keys +## SSH Public Key ssh_authorized_keys = "changeme" ## OCI VM Settings -instance_image_ocid = "ocid1.image.oc1.iad.aaaaaaaahiz6xym3a76xhwkmwmhrz6luyiehho7dpxpkphxhsq5q6z4m3nlq" +instance_image_ocid = "" instance_shape = "VM.Standard.E4.Flex" swap_size = 2048 num_webapps = 2 num_agents = 2 -num_guac_rdp_nodes = 1 +num_cpx_nodes = 1 kasm_webapp_vm_settings = { cpus = 2 @@ -62,8 +62,14 @@ kasm_agent_vm_settings = { hdd_size_gb = 120 } -kasm_guac_vm_settings = { +kasm_cpx_vm_settings = { cpus = 4 memory = 4 hdd_size_gb = 50 -} \ No newline at end of file +} + +bastion_vm_settings = { + cpus = 1 + memory = 2 + hdd_size_gb = 50 +} diff --git a/oci/standard/variables.tf b/oci/standard/variables.tf index fbb86c3..2261d24 100644 
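Review bot: Renaming `settings.tfvars` to `terraform.tfvars` means Terraform now loads this file automatically, so the `changeme` placeholders for `redis_password`, `database_password` and `service_registration_token` are applied without the operator ever passing `-var-file`. Unless the variable validations (not all visible here) reject the placeholder, a deployment can come up with those values. Consider keeping secrets out of the committed file and supplying them through `TF_VAR_` environment variables or an untracked `*.auto.tfvars`. A validation such as `condition = var.database_password != "changeme"` on each sensitive variable would also catch an unedited file.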
--- a/oci/standard/variables.tf +++ b/oci/standard/variables.tf @@ -104,8 +104,8 @@ variable "ssh_authorized_keys" { } variable "instance_image_ocid" { - description = "The OCID for the instance image , such as ubuntu 20.04, to use." - default = "ocid1.image.oc1.iad.aaaaaaaafg6lg7dejwjebjqontwzyvutgf6qs5awyze6fgoiqepyj5qkvcuq" + description = "The OCID for the instance image, such as ubuntu 22.04, to use." + type = string validation { condition = can(regex("^(ocid\\d)\\.(image)\\.(oc\\d)\\.[a-z]{3,}\\.[a-z0-9]{60}", var.instance_image_ocid)) @@ -244,7 +244,7 @@ variable "manager_token" { } variable "service_registration_token" { - description = "The service registration token value for Guac RDP servers to authenticate to webapps. No special characters" + description = "The service registration token value for cpx RDP servers to authenticate to webapps. No special characters" type = string sensitive = true @@ -264,13 +264,13 @@ variable "num_agents" { } } -variable "num_guac_rdp_nodes" { - description = "The number of Guac RDP Role Servers to create in the deployment" +variable "num_cpx_nodes" { + description = "The number of cpx RDP Role Servers to create in the deployment" type = number validation { - condition = var.num_guac_rdp_nodes >= 0 && var.num_guac_rdp_nodes <= 100 && floor(var.num_guac_rdp_nodes) == var.num_guac_rdp_nodes - error_message = "Acceptable number of Kasm Guac RDP nodes range between 0-100." + condition = var.num_cpx_nodes >= 0 && var.num_cpx_nodes <= 100 && floor(var.num_cpx_nodes) == var.num_cpx_nodes + error_message = "Acceptable number of Kasm cpx RDP nodes range between 0-100." } } 
@@ -333,7 +333,7 @@ variable "kasm_database_vm_settings" { error_message = "Kasm Webapps should have at least 2 GB Memory to ensure enough resources for Kasm services." } validation { - condition = car.kasm_database_vm_settings.hdd_size_gb >= 50 + condition = var.kasm_database_vm_settings.hdd_size_gb >= 50 error_message = "Kasm Webapps should have at least a 50 GB HDD to meet OCI minimum requirements, and ensure enough space Kasm services." } } @@ -360,8 +360,8 @@ variable "kasm_agent_vm_settings" { } } -variable "kasm_guac_vm_settings" { - description = "The number of CPUs, amount of memory in GB, and HDD size in GB to configure for the Kasm Guac RDP instances" +variable "kasm_cpx_vm_settings" { + description = "The number of CPUs, amount of memory in GB, and HDD size in GB to configure for the Kasm cpx RDP instances" type = object({ cpus = number memory = number 
@@ -369,16 +369,38 @@ variable "kasm_guac_vm_settings" { }) validation { - condition = var.kasm_guac_vm_settings.cpus >= 2 - error_message = "Kasm Guac RDP servers should have at least 2 CPUs to ensure enough resources for Kasm services." + condition = var.kasm_cpx_vm_settings.cpus >= 2 + error_message = "Kasm cpx RDP servers should have at least 2 CPUs to ensure enough resources for Kasm services." } validation { - condition = var.kasm_guac_vm_settings.memory >= 2 - error_message = "Kasm Guac RDP servers should have at least 2 GB Memory to ensure enough resources for Kasm services." + condition = var.kasm_cpx_vm_settings.memory >= 2 + error_message = "Kasm cpx RDP servers should have at least 2 GB Memory to ensure enough resources for Kasm services." } validation { - condition = var.kasm_guac_vm_settings.hdd_size_gb >= 50 - error_message = "Kasm Guac RDP servers should have at least a 50 GB HDD to meet OCI minimum requirements, and ensure enough space Kasm services." + condition = var.kasm_cpx_vm_settings.hdd_size_gb >= 50 + error_message = "Kasm cpx RDP servers should have at least a 50 GB HDD to meet OCI minimum requirements, and ensure enough space Kasm services." + } +} + +variable "bastion_vm_settings" { + description = "The number of CPUs, amount of memory in GB, and HDD size in GB to configure for the Kasm SSH Bastion instance" + type = object({ + cpus = number + memory = number + hdd_size_gb = number + }) + + validation { + condition = var.bastion_vm_settings.cpus >= 1 + error_message = "Kasm SSH Bastion should have at least 2 CPUs to ensure enough resources for Kasm services." + } + validation { + condition = var.bastion_vm_settings.memory >= 1 + error_message = "Kasm SSH Bastion should have at least 2 GB Memory to ensure enough resources for Kasm services." + } + validation { + condition = var.bastion_vm_settings.hdd_size_gb >= 50 + error_message = "Kasm SSH Bastion should have at least a 50 GB HDD to meet OCI minimum requirements." } } 
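Review bot: Two of the new `bastion_vm_settings` validations check `cpus >= 1` and `memory >= 1`, but their error messages say "at least 2 CPUs" and "at least 2 GB Memory", so a user who trips the check is told the wrong limit. The sample `terraform.tfvars` in this commit sets `cpus = 1`, which suggests the conditions are intended and the messages are wrong. For the CPU check, `error_message = "Kasm SSH Bastion should have at least 1 CPU."` would match, with the memory message changed the same way.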
From 9c6245734a000a7fb4bff0b00c8d78302a9d0e06 Mon Sep 17 00:00:00 2001 From: Bryan Scarbrough Date: Tue, 13 Feb 2024 00:20:21 +0000 Subject: [PATCH 2/7] Resolved AWS Standard security group issues --- aws/standard/module/README.md | 19 +++- aws/standard/module/dependencies.tf | 11 --- aws/standard/module/security_group.tf | 129 ++++++++++++++++++++++---- aws/standard/module/variables.tf | 12 ++- 4 files changed, 131 insertions(+), 40 deletions(-) diff --git a/aws/standard/module/README.md b/aws/standard/module/README.md index d4f4a86..db93ba4 100644 --- a/aws/standard/module/README.md +++ b/aws/standard/module/README.md 
@@ -69,12 +69,21 @@ No modules. | [aws_security_group.windows](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | | [aws_security_group_rule.agent](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | | [aws_security_group_rule.cpx](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | +| [aws_security_group_rule.cpx_egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | | [aws_security_group_rule.db](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | -| [aws_security_group_rule.egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | -| [aws_security_group_rule.private_lb](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | -| [aws_security_group_rule.public_lb](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | -| [aws_security_group_rule.webapp](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | +| [aws_security_group_rule.private_lb_agent](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | +| [aws_security_group_rule.private_lb_cpx](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | +| [aws_security_group_rule.private_lb_egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | +| [aws_security_group_rule.private_lb_windows](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | +| 
[aws_security_group_rule.public_lb_egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | +| [aws_security_group_rule.public_lb_ingress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | +| [aws_security_group_rule.webapp_agent_ingress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | +| [aws_security_group_rule.webapp_cpx](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | +| [aws_security_group_rule.webapp_private_lb_ingress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | +| [aws_security_group_rule.webapp_public_lb_ingress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | +| [aws_security_group_rule.webapp_windows](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | | [aws_security_group_rule.windows](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | +| [aws_security_group_rule.windows_egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | | [aws_subnet.agent](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet) | resource | | [aws_subnet.alb](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet) | resource | | [aws_subnet.cpx](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet) | resource | 
@@ -115,7 +124,7 @@ No modules. | [num\_agents](#input\_num\_agents) | The number of Agent Role Servers to create in the deployment | `number` | `2` | no | | [num\_cpx\_nodes](#input\_num\_cpx\_nodes) | The number of cpx RDP Role Servers to create in the deployment | `number` | `2` | no | | [num\_webapps](#input\_num\_webapps) | The number of WebApp role servers to create in the deployment | `number` | `2` | no | -| [private\_lb\_security\_rules](#input\_private\_lb\_security\_rules) | A map of objects of security rules to apply to the Private ALB |
object({
from_port = number
to_port = number
protocol = string
})
|
{
"from_port": 443,
"protocol": "tcp",
"to_port": 443
}
| no | +| [private\_lb\_security\_rules](#input\_private\_lb\_security\_rules) | A map of objects of security rules to apply to the Private ALB |
map(object({
from_port = number
to_port = number
protocol = string
}))
|
{
"https": {
"from_port": 443,
"protocol": "tcp",
"to_port": 443
}
}
| no | | [project\_name](#input\_project\_name) | The name of the deployment (e.g dev, staging). A short single word | `string` | n/a | yes | | [public\_lb\_security\_rules](#input\_public\_lb\_security\_rules) | A map of objects of security rules to apply to the Public ALB |
map(object({
from_port = number
to_port = number
protocol = string
}))
|
{
"http": {
"from_port": 80,
"protocol": "tcp",
"to_port": 80
},
"https": {
"from_port": 443,
"protocol": "tcp",
"to_port": 443
}
}
| no | | [redis\_password](#input\_redis\_password) | The password for the Redis server. No special characters | `string` | n/a | yes | diff --git a/aws/standard/module/dependencies.tf b/aws/standard/module/dependencies.tf index a71327d..6209fb9 100644 --- a/aws/standard/module/dependencies.tf +++ b/aws/standard/module/dependencies.tf @@ -1,17 +1,6 @@ locals { private_lb_hostname = "${var.aws_region}-private.${var.aws_domain_name}" - all_security_groups = compact([ - aws_security_group.public_lb.id, - aws_security_group.private_lb.id, - aws_security_group.webapp.id, - aws_security_group.agent.id, - aws_security_group.db.id, - one(aws_security_group.cpx[*].id), - one(aws_security_group.windows[*].id) - ]) - - webapp_security_rules = { for value in local.all_security_groups : value => var.webapp_security_rules if value != aws_security_group.db.id || value != aws_security_group.webapp.id } } data "aws_availability_zones" "available" { diff --git a/aws/standard/module/security_group.tf b/aws/standard/module/security_group.tf index a7b5c39..47c0955 100644 --- a/aws/standard/module/security_group.tf +++ b/aws/standard/module/security_group.tf @@ -8,7 +8,7 @@ resource "aws_security_group" "public_lb" { } } -resource "aws_security_group_rule" "public_lb" { +resource "aws_security_group_rule" "public_lb_ingress" { for_each = var.public_lb_security_rules security_group_id = aws_security_group.public_lb.id @@ -19,6 +19,15 @@ resource "aws_security_group_rule" "public_lb" { cidr_blocks = var.web_access_cidrs } +resource "aws_security_group_rule" "public_lb_egress" { + security_group_id = aws_security_group.public_lb.id + type = "egress" + from_port = var.default_egress.from_port + to_port = var.default_egress.to_port + protocol = var.default_egress.protocol + cidr_blocks = [var.anywhere] +} + resource "aws_security_group" "private_lb" { name = "${var.project_name}-kasm-allow-private-lb-access" description = "Security Group for ELB" 
@@ -29,7 +38,18 @@ resource "aws_security_group" "private_lb" { } } -resource "aws_security_group_rule" "private_lb" { +resource "aws_security_group_rule" "private_lb_egress" { + for_each = var.private_lb_security_rules + + security_group_id = aws_security_group.private_lb.id + type = "egress" + from_port = each.value.from_port + to_port = each.value.to_port + protocol = each.value.protocol + cidr_blocks = aws_subnet.webapp[*].cidr_block +} + +resource "aws_security_group_rule" "private_lb_agent" { for_each = var.private_lb_security_rules security_group_id = aws_security_group.private_lb.id @@ -37,7 +57,7 @@ resource "aws_security_group_rule" "private_lb" { from_port = each.value.from_port to_port = each.value.to_port protocol = each.value.protocol - source_security_group_id = each.key + source_security_group_id = aws_security_group.agent.id } resource "aws_security_group" "webapp" { 
@@ -50,15 +70,31 @@ resource "aws_security_group" "webapp" { } } -resource "aws_security_group_rule" "webapp" { - for_each = local.webapp_security_rules - +resource "aws_security_group_rule" "webapp_agent_ingress" { security_group_id = aws_security_group.webapp.id type = "ingress" - from_port = each.value.from_port - to_port = each.value.to_port - protocol = each.value.protocol - source_security_group_id = each.key + from_port = var.webapp_security_rules.from_port + to_port = var.webapp_security_rules.to_port + protocol = var.webapp_security_rules.protocol + source_security_group_id = aws_security_group.agent.id +} + +resource "aws_security_group_rule" "webapp_private_lb_ingress" { + security_group_id = aws_security_group.webapp.id + type = "ingress" + from_port = var.webapp_security_rules.from_port + to_port = var.webapp_security_rules.to_port + protocol = var.webapp_security_rules.protocol + source_security_group_id = aws_security_group.private_lb.id +} + +resource "aws_security_group_rule" "webapp_public_lb_ingress" { + security_group_id = aws_security_group.webapp.id + type = "ingress" + from_port = var.webapp_security_rules.from_port + to_port = var.webapp_security_rules.to_port + protocol = var.webapp_security_rules.protocol + source_security_group_id = aws_security_group.public_lb.id } resource "aws_security_group" "agent" { 
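Review bot: None of the rules added here (`webapp_agent_ingress`, `webapp_private_lb_ingress`, `webapp_public_lb_ingress`) sets `description`, and the same is true of the new egress and cpx/windows rules in the neighbouring hunks. Without it, every rule reads the same in the console and during incident triage. A one-line description per rule, for example `description = "Webapp port from public ALB"`, records why each source is allowed. The three webapp ingress rules are also identical apart from `source_security_group_id`, so they could be one resource with `for_each` over a map of source groups, keeping later port changes in one place.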
@@ -125,6 +161,28 @@ resource "aws_security_group_rule" "cpx" { source_security_group_id = aws_security_group.webapp.id } +resource "aws_security_group_rule" "private_lb_cpx" { + count = var.num_cpx_nodes > 0 ? 1 : 0 + + security_group_id = aws_security_group.private_lb.id + type = "ingress" + from_port = var.private_lb_security_rules.https.from_port + to_port = var.private_lb_security_rules.https.to_port + protocol = var.private_lb_security_rules.https.protocol + source_security_group_id = one(aws_security_group.cpx[*].id) +} + +resource "aws_security_group_rule" "webapp_cpx" { + count = var.num_cpx_nodes > 0 ? 1 : 0 + + security_group_id = aws_security_group.webapp.id + type = "ingress" + from_port = var.webapp_security_rules.from_port + to_port = var.webapp_security_rules.to_port + protocol = var.webapp_security_rules.protocol + source_security_group_id = one(aws_security_group.cpx[*].id) +} + resource "aws_security_group" "windows" { count = var.num_cpx_nodes > 0 ? 1 : 0 
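Review bot: `private_lb_cpx` indexes `var.private_lb_security_rules.https`, but this patch turns that variable into a `map(object)` whose keys the caller chooses, so an override without an `https` key fails at plan time and any additional keys are silently skipped for CPX. Iterating the way `private_lb_agent` does avoids both: `for_each = var.num_cpx_nodes > 0 ? var.private_lb_security_rules : {}` with `each.value.from_port`, `each.value.to_port` and `each.value.protocol`. The same applies to `private_lb_windows` in the next hunk.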
@@ -148,13 +206,46 @@ resource "aws_security_group_rule" "windows" { source_security_group_id = can(regex("(?i:cpx)", each.key)) ? one(aws_security_group.cpx[*].id) : aws_security_group.webapp.id } -resource "aws_security_group_rule" "egress" { - for_each = { for value in local.all_security_groups : value => var.default_egress } +resource "aws_security_group_rule" "private_lb_windows" { + count = var.num_cpx_nodes > 0 ? 1 : 0 - security_group_id = each.key - type = each.value.rule_type - from_port = each.value.from_port - to_port = each.value.to_port - protocol = each.value.protocol - cidr_blocks = var.web_access_cidrs -} \ No newline at end of file + security_group_id = aws_security_group.private_lb.id + type = "ingress" + from_port = var.private_lb_security_rules.https.from_port + to_port = var.private_lb_security_rules.https.to_port + protocol = var.private_lb_security_rules.https.protocol + source_security_group_id = one(aws_security_group.windows[*].id) +} + +resource "aws_security_group_rule" "webapp_windows" { + count = var.num_cpx_nodes > 0 ? 1 : 0 + + security_group_id = aws_security_group.webapp.id + type = "ingress" + from_port = var.webapp_security_rules.from_port + to_port = var.webapp_security_rules.to_port + protocol = var.webapp_security_rules.protocol + source_security_group_id = one(aws_security_group.windows[*].id) +} + +resource "aws_security_group_rule" "cpx_egress" { + count = var.num_cpx_nodes > 0 ? 1 : 0 + + security_group_id = one(aws_security_group.cpx[*].id) + type = "egress" + from_port = var.default_egress.from_port + to_port = var.default_egress.to_port + protocol = var.default_egress.protocol + cidr_blocks = [var.anywhere] +} + +resource "aws_security_group_rule" "windows_egress" { + count = var.num_cpx_nodes > 0 ? 
1 : 0 + + security_group_id = one(aws_security_group.windows[*].id) + type = "egress" + from_port = var.default_egress.from_port + to_port = var.default_egress.to_port + protocol = var.default_egress.protocol + cidr_blocks = [var.anywhere] +} diff --git a/aws/standard/module/variables.tf b/aws/standard/module/variables.tf index 715fd79..f5a8088 100644 --- a/aws/standard/module/variables.tf +++ b/aws/standard/module/variables.tf @@ -196,16 +196,18 @@ variable "public_lb_security_rules" { variable "private_lb_security_rules" { description = "A map of objects of security rules to apply to the Private ALB" - type = object({ + type = map(object({ from_port = number to_port = number protocol = string - }) + })) default = { - from_port = 443 - to_port = 443 - protocol = "tcp" + https = { + from_port = 443 + to_port = 443 + protocol = "tcp" + } } } From 7b8e7b4217d2c745f12bf659dfcf75b20682b087 Mon Sep 17 00:00:00 2001 
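Review bot: `cpx_egress` and `windows_egress` open outbound traffic to `[var.anywhere]` on whatever `var.default_egress` allows (its value in this module is not visible here, presumably all ports). For the Windows RDP targets in particular that is more than their ingress rules suggest they need; a dedicated variable for their egress CIDRs, or at least a `description` on each rule saying why open egress is required, would make the exposure a deliberate choice. Separately, the removed `egress` rule covered every group in `local.all_security_groups`, and this hunk replaces it only for CPX and Windows, so it is worth confirming that the webapp, agent and remaining groups get egress rules elsewhere in the file.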
From: Bryan Scarbrough Date: Wed, 14 Feb 2024 14:08:36 +0000 Subject: [PATCH 3/7] AWS deployments validated with 1.14 --- aws/multi_region/README.md | 4 +- aws/multi_region/agents/README.md | 19 ++- aws/multi_region/agents/agent.tf | 9 +- aws/multi_region/agents/cpx.tf | 9 +- aws/multi_region/agents/dependencies.tf | 10 +- aws/multi_region/agents/elb.tf | 11 +- aws/multi_region/agents/proxy.tf | 11 +- aws/multi_region/agents/routes.tf | 4 +- aws/multi_region/agents/security_group.tf | 86 ++++++++++-- aws/multi_region/agents/subnet.tf | 4 +- aws/multi_region/agents/variables.tf | 43 +++--- aws/multi_region/deployment.tf | 54 ++++---- aws/multi_region/primary/README.md | 22 +++- aws/multi_region/primary/db.tf | 9 +- aws/multi_region/primary/dependencies.tf | 13 -- aws/multi_region/primary/lb_s3_log_bucket.tf | 5 - aws/multi_region/primary/routes.tf | 4 +- aws/multi_region/primary/security_group.tf | 122 ++++++++++++++++-- aws/multi_region/primary/ssm.tf | 42 +++--- aws/multi_region/primary/variables.tf | 42 ++++-- aws/multi_region/secrets.tfvars.example | 2 + aws/multi_region/terraform.tfvars | 54 +++++--- aws/multi_region/userdata/agent_bootstrap.sh | 4 +- aws/multi_region/userdata/cpx_bootstrap.sh | 4 +- aws/multi_region/userdata/guac_bootstrap.sh | 29 ----- aws/multi_region/userdata/proxy_bootstrap.sh | 4 +- aws/multi_region/userdata/webapp_bootstrap.sh | 10 +- aws/multi_region/variables.tf | 29 ++++- aws/multi_region/webapps/README.md | 2 +- aws/multi_region/webapps/agent.tf | 11 +- aws/multi_region/webapps/cpx.tf | 9 +- aws/multi_region/webapps/dependencies.tf | 4 + aws/multi_region/webapps/elb.tf | 12 +- aws/multi_region/webapps/variables.tf | 4 +- aws/multi_region/webapps/webapp.tf | 11 +- aws/standard/README.md | 1 + aws/standard/deployment.tf | 23 ++-- aws/standard/module/README.md | 8 +- aws/standard/module/agent.tf | 7 + aws/standard/module/db.tf | 7 + aws/standard/module/elb_logs_s3_bucket.tf | 5 - aws/standard/module/guac_rdp.tf | 7 + 
aws/standard/module/public_alb.tf | 7 +- aws/standard/module/routes.tf | 4 +- aws/standard/module/security_group.tf | 76 ++++++++--- aws/standard/module/ssm.tf | 30 +++-- .../module/userdata/agent_bootstrap.sh | 2 +- aws/standard/module/userdata/cpx_bootstrap.sh | 2 +- aws/standard/module/userdata/db_bootstrap.sh | 2 +- .../module/userdata/webapp_bootstrap.sh | 2 +- aws/standard/module/variables.tf | 20 ++- aws/standard/module/webapp.tf | 7 + aws/standard/terraform.tfvars | 8 +- aws/standard/variables.tf | 11 ++ 54 files changed, 642 insertions(+), 299 deletions(-) create mode 100644 aws/multi_region/secrets.tfvars.example delete mode 100644 aws/multi_region/userdata/guac_bootstrap.sh diff --git a/aws/multi_region/README.md b/aws/multi_region/README.md index 020b478..db9c6b4 100644 --- a/aws/multi_region/README.md +++ b/aws/multi_region/README.md @@ -94,6 +94,7 @@ No resources. | [aws\_primary\_region](#input\_aws\_primary\_region) | The AWS Region used for deployment | `string` | `"us-east-1"` | no | | [aws\_secret\_key](#input\_aws\_secret\_key) | The AWS secret key used for deployment | `string` | n/a | yes | | [aws\_ssm\_iam\_role\_name](#input\_aws\_ssm\_iam\_role\_name) | The name of the SSM EC2 role to associate with Kasm VMs for SSH access | `string` | `""` | no | +| [aws\_ssm\_instance\_profile\_name](#input\_aws\_ssm\_instance\_profile\_name) | The name of the SSM EC2 Instance Profile to associate with Kasm VMs for SSH access | `string` | `""` | no | | [cpx\_hdd\_size\_gb](#input\_cpx\_hdd\_size\_gb) | The HDD size in GB to configure for the Kasm Guac RDP instances | `number` | n/a | yes | | [cpx\_instance\_type](#input\_cpx\_instance\_type) | The instance type for the Guac RDP nodes | `string` | n/a | yes | | [create\_aws\_ssm\_iam\_role](#input\_create\_aws\_ssm\_iam\_role) | Create an AWS SSM IAM role to attach to VMs for SSH/console access to VMs. | `bool` | `false` | no | 
@@ -103,7 +104,8 @@ No resources. | [kasm\_build](#input\_kasm\_build) | Download URL for Kasm Workspaces | `string` | n/a | yes | | [manager\_token](#input\_manager\_token) | The manager token value for Agents to authenticate to webapps. No special characters | `string` | n/a | yes | | [num\_agents](#input\_num\_agents) | The number of Agent Role Servers to create in the deployment | `number` | `2` | no | -| [num\_cpx\_nodes](#input\_num\_cpx\_nodes) | The number of Agent Role Servers to create in the deployment | `number` | n/a | yes | +| [num\_cpx\_nodes](#input\_num\_cpx\_nodes) | The number of RDP Conection Proxy Role Servers to create in the deployment. Set this to zero (0) and this Terraform will not deploy ANY Connection Proxy or Windows resoures like subnets, security groups, etc. | `number` | n/a | yes | +| [num\_proxy\_nodes](#input\_num\_proxy\_nodes) | The number of Dedicated Proxy nodes to create in the deployment | `number` | n/a | yes | | [num\_webapps](#input\_num\_webapps) | The number of WebApp role servers to create in the deployment | `number` | `2` | no | | [primary\_region\_ec2\_ami\_id](#input\_primary\_region\_ec2\_ami\_id) | AMI Id of Kasm EC2 image in the primary region. Recommended AMI OS Version is Ubuntu 20.04 LTS. | `string` | n/a | yes | | [primary\_vpc\_subnet\_cidr](#input\_primary\_vpc\_subnet\_cidr) | The subnet CIDR to use for the VPC | `string` | `"10.0.0.0/16"` | no | diff --git a/aws/multi_region/agents/README.md b/aws/multi_region/agents/README.md index dd8ba1d..43667c4 100644 --- a/aws/multi_region/agents/README.md +++ b/aws/multi_region/agents/README.md 
@@ -49,11 +49,16 @@ No modules. | [aws_security_group.public_lb](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | | [aws_security_group.windows](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | | [aws_security_group_rule.agent](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | +| [aws_security_group_rule.agent_egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | | [aws_security_group_rule.cpx](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | -| [aws_security_group_rule.egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | -| [aws_security_group_rule.proxy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | +| [aws_security_group_rule.cpx_egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | +| [aws_security_group_rule.proxy_agent](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | +| [aws_security_group_rule.proxy_egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | +| [aws_security_group_rule.proxy_public_lb](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | | [aws_security_group_rule.public_lb](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | +| [aws_security_group_rule.public_lb_egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | | 
[aws_security_group_rule.windows_cpx](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | +| [aws_security_group_rule.windows_egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | | [aws_security_group_rule.windows_webapp](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | | [aws_subnet.agent](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet) | resource | | [aws_subnet.alb](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet) | resource | @@ -76,14 +81,13 @@ No modules. | [aws\_domain\_name](#input\_aws\_domain\_name) | The Route53 Zone used for the dns entries. This must already exist in the AWS account. (e.g dev.kasm.contoso.com). The deployment will be accessed via this zone name via https | `string` | n/a | yes | | [aws\_key\_pair](#input\_aws\_key\_pair) | The name of an aws keypair to use. | `string` | n/a | yes | | [aws\_region](#input\_aws\_region) | The AWS region for the deployment. (e.g us-east-1) | `string` | n/a | yes | -| [aws\_ssm\_iam\_role\_name](#input\_aws\_ssm\_iam\_role\_name) | The name of the SSM EC2 role to associate with Kasm VMs for SSH access | `string` | `""` | no | +| [aws\_ssm\_instance\_profile\_name](#input\_aws\_ssm\_instance\_profile\_name) | The name of the SSM EC2 Instance Profile to associate with Kasm VMs for SSH access | `string` | `""` | no | | [cpx\_hdd\_size\_gb](#input\_cpx\_hdd\_size\_gb) | The HDD size for Kasm Guac RDP nodes | `number` | n/a | yes | | [cpx\_instance\_type](#input\_cpx\_instance\_type) | The instance type for the cpx RDP nodes | `string` | n/a | yes | | [cpx\_security\_rules](#input\_cpx\_security\_rules) | A map of objects of security rules to apply to the Kasm Connection Proxy server |
map(object({
from_port = number
to_port = number
protocol = string
}))
|
{
"https": {
"from_port": 443,
"protocol": "tcp",
"to_port": 443
}
}
| no | -| [default\_egress](#input\_default\_egress) | Default egress security rule for all security groups |
object({
from_port = number
to_port = number
protocol = string
cidr_subnets = list(string)
})
|
{
"cidr_subnets": [
"0.0.0.0/0"
],
"from_port": 0,
"protocol": "-1",
"to_port": 0
}
| no | +| [default\_egress](#input\_default\_egress) | Default egress security rule for all security groups |
map(object({
from_port = number
to_port = number
protocol = string
cidr_subnets = list(string)
}))
|
{
"all": {
"cidr_subnets": [
"0.0.0.0/0"
],
"from_port": 0,
"protocol": "-1",
"to_port": 0
}
}
| no | | [ec2\_ami](#input\_ec2\_ami) | The AMI used for the EC2 nodes. Recommended Ubuntu 20.04 LTS. | `string` | n/a | yes | | [kasm\_build](#input\_kasm\_build) | The URL for the Kasm Workspaces build | `string` | n/a | yes | -| [load\_balancer\_log\_bucket](#input\_load\_balancer\_log\_bucket) | S3 bucket name for load balancers to forward access logs to | `string` | n/a | yes | | [management\_region\_nat\_gateway](#input\_management\_region\_nat\_gateway) | A list Kasm management region NAT gateways to allow Webapps ingress on 4902 to Kasm Windows agent | `string` | n/a | yes | | [manager\_token](#input\_manager\_token) | The password for the database. No special characters | `string` | n/a | yes | | [num\_agents](#input\_num\_agents) | The number of Agent Role Servers to create in the deployment | `number` | n/a | yes | @@ -91,11 +95,12 @@ No modules. | [num\_proxy\_nodes](#input\_num\_proxy\_nodes) | The number of Dedicated Proxy nodes to create in the deployment | `number` | `2` | no | | [project\_name](#input\_project\_name) | The name of the deployment (e.g dev, staging). A short single word | `string` | n/a | yes | | [proxy\_hdd\_size\_gb](#input\_proxy\_hdd\_size\_gb) | The HDD size for Dedicated Proxy nodes | `number` | n/a | yes | -| [proxy\_instance\_type](#input\_proxy\_instance\_type) | The instance type for the dedicated proxy nodes | `number` | n/a | yes | -| [proxy\_security\_rules](#input\_proxy\_security\_rules) | A map of objects of security rules to apply to the Kasm WebApp server |
object({
from_port = number
to_port = number
protocol = string
})
|
{
"from_port": 443,
"protocol": "tcp",
"to_port": 443
}
| no | +| [proxy\_instance\_type](#input\_proxy\_instance\_type) | The instance type for the dedicated proxy nodes | `string` | n/a | yes | +| [proxy\_security\_rules](#input\_proxy\_security\_rules) | A map of objects of security rules to apply to the Kasm WebApp server |
map(object({
from_port = number
to_port = number
protocol = string
}))
|
{
"https": {
"from_port": 443,
"protocol": "tcp",
"to_port": 443
}
}
| no | | [public\_lb\_security\_rules](#input\_public\_lb\_security\_rules) | A map of objects of security rules to apply to the Public ALB |
map(object({
from_port = number
to_port = number
protocol = string
}))
|
{
"http": {
"from_port": 80,
"protocol": "tcp",
"to_port": 80
},
"https": {
"from_port": 443,
"protocol": "tcp",
"to_port": 443
}
}
| no | | [service\_registration\_token](#input\_service\_registration\_token) | The service registration token value for cpx RDP servers to authenticate to webapps. No special characters | `string` | n/a | yes | | [swap\_size](#input\_swap\_size) | The amount of swap (in MB) to configure inside the compute instances | `number` | n/a | yes | +| [web\_access\_cidrs](#input\_web\_access\_cidrs) | List of Networks in CIDR notation for IPs allowed to access the Kasm Web interface | `list(string)` |
[
"0.0.0.0/0"
]
| no | | [windows\_security\_rules](#input\_windows\_security\_rules) | A map of objects of security rules to apply to the Kasm Windows VMs |
map(object({
from_port = number
to_port = number
protocol = string
}))
|
{
"api": {
"from_port": 4902,
"protocol": "tcp",
"to_port": 4902
},
"rdp": {
"from_port": 3389,
"protocol": "tcp",
"to_port": 3389
}
}
| no | ## Outputs diff --git a/aws/multi_region/agents/agent.tf b/aws/multi_region/agents/agent.tf index a63d778..f709561 100644 --- a/aws/multi_region/agents/agent.tf +++ b/aws/multi_region/agents/agent.tf @@ -6,7 +6,7 @@ resource "aws_instance" "agent" { subnet_id = aws_subnet.agent.id key_name = var.aws_key_pair associate_public_ip_address = true - iam_instance_profile = var.aws_ssm_iam_role_name + iam_instance_profile = var.aws_ssm_instance_profile_name root_block_device { volume_size = var.agent_hdd_size_gb @@ -21,6 +21,13 @@ resource "aws_instance" "agent" { } ) + metadata_options { + http_endpoint = "enabled" + http_tokens = "required" + http_put_response_hop_limit = 1 + instance_metadata_tags = null + } + tags = { Name = "${var.project_name}-${var.aws_region}-kasm-agent-${count.index}" } diff --git a/aws/multi_region/agents/cpx.tf b/aws/multi_region/agents/cpx.tf index 37fcc88..7dc96fa 100644 --- a/aws/multi_region/agents/cpx.tf +++ b/aws/multi_region/agents/cpx.tf @@ -6,7 +6,7 @@ resource "aws_instance" "cpx" { vpc_security_group_ids = aws_security_group.cpx[*].id subnet_id = aws_subnet.cpx[0].id key_name = var.aws_key_pair - iam_instance_profile = var.aws_ssm_iam_role_name + iam_instance_profile = var.aws_ssm_instance_profile_name root_block_device { volume_size = var.cpx_hdd_size_gb @@ -21,6 +21,13 @@ resource "aws_instance" "cpx" { } ) + metadata_options { + http_endpoint = "enabled" + http_tokens = "required" + http_put_response_hop_limit = 1 + instance_metadata_tags = null + } + tags = { Name = "${var.project_name}-${var.aws_region}-kasm-cpx-${count.index}" } diff --git a/aws/multi_region/agents/dependencies.tf b/aws/multi_region/agents/dependencies.tf index a9545cd..e037b9d 100644 --- a/aws/multi_region/agents/dependencies.tf +++ b/aws/multi_region/agents/dependencies.tf 
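Review bot: The new `metadata_options` block in `agent.tf` has no comment saying that `http_tokens = "required"` and `http_put_response_hop_limit = 1` are deliberate hardening, and the hop limit is the kind of value that gets raised later to fix an unrelated symptom. A one-line comment above the block would protect it, e.g. `# IMDSv2 only; hop limit 1 keeps anything behind an extra network hop (containers on a bridge network) from obtaining instance credentials`. The same block is added to `cpx.tf` in this patch and to `proxy.tf` further down, and the comment applies there too. `instance_metadata_tags = null` is equivalent to omitting the argument and could be left out.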
@@ -3,15 +3,7 @@ locals { kasm_agent_subnet_cidr_calculation = (8 - (local.kasm_agent_vpc_subnet_cidr_mask - 16)) kasm_agent_subnet_cidr_size = local.kasm_agent_subnet_cidr_calculation < 3 ? 3 : local.kasm_agent_subnet_cidr_calculation - all_security_groups = compact([ - aws_security_group.public_lb.id, - aws_security_group.proxy.id, - aws_security_group.agent.id, - one(aws_security_group.cpx[*].id), - one(aws_security_group.windows[*].id) - ]) - - proxy_security_rules = { for value in local.all_security_groups : value => var.proxy_security_rules if value == aws_security_group.public_lb.id } + region_short_name_for_lb = join("", slice(split("-", var.aws_region), 1, 3)) } data "aws_route53_zone" "this" { diff --git a/aws/multi_region/agents/elb.tf b/aws/multi_region/agents/elb.tf index e96bcfd..402289a 100644 --- a/aws/multi_region/agents/elb.tf +++ b/aws/multi_region/agents/elb.tf @@ -1,14 +1,9 @@ resource "aws_lb" "this" { - name = "${var.project_name}-lb" + name = "${var.project_name}-${var.aws_region}-proxy-lb" internal = false load_balancer_type = "application" security_groups = [aws_security_group.public_lb.id] subnets = aws_subnet.alb[*].id - - access_logs { - bucket = var.load_balancer_log_bucket - enabled = true - } } resource "aws_lb_listener" "this" { @@ -24,7 +19,7 @@ resource "aws_lb_listener" "this" { } resource "aws_lb_target_group" "this" { - name = "${var.project_name}-target-group" + name = "${var.project_name}-${local.region_short_name_for_lb}-tg" port = 443 protocol = "HTTPS" vpc_id = aws_vpc.this.id @@ -46,7 +41,7 @@ resource "aws_lb_target_group_attachment" "this" { resource "aws_route53_record" "alb" { zone_id = data.aws_route53_zone.this.zone_id - name = "${var.aws_region}-proxy.${var.aws_domain_name}" + name = "${local.region_short_name_for_lb}-proxy.${var.aws_domain_name}" type = "A" alias { diff --git a/aws/multi_region/agents/proxy.tf b/aws/multi_region/agents/proxy.tf index 1c3d455..8341592 100644 --- a/aws/multi_region/agents/proxy.tf 
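Review bot: `region_short_name_for_lb` drops the first segment of the region name, so regions that differ only in that segment produce the same value: `us-west-1` and `eu-west-1` both become `west1`. Target-group names are scoped per region, but the Route53 record `"${local.region_short_name_for_lb}-proxy.${var.aws_domain_name}"` in `elb.tf` lives in one shared zone, so two agent regions with colliding short names would contend for a single record and could send users to the wrong region's proxy LB. Keeping the record name on `var.aws_region`, as before, and using the short form only for the length-limited target-group name avoids this.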
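Review bot: Removing the `access_logs` block from `aws_lb.this` in `elb.tf` leaves the internet-facing proxy ALB in each agent region with no access logging, which takes away the request record needed for detection and incident review. The old block pointed at the primary region's bucket, and ALB access logs have to be delivered to a bucket in the load balancer's own region, which is presumably why it was dropped. A log bucket created per region inside this module, with the `access_logs` block restored as `bucket = <regional log bucket id>` and `enabled = true`, would keep the logging without the cross-region dependency.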
+++ b/aws/multi_region/agents/proxy.tf @@ -6,7 +6,7 @@ resource "aws_instance" "proxy" { vpc_security_group_ids = [aws_security_group.proxy.id] subnet_id = aws_subnet.proxy[(count.index)].id key_name = var.aws_key_pair - iam_instance_profile = var.aws_ssm_iam_role_name + iam_instance_profile = var.aws_ssm_instance_profile_name root_block_device { volume_size = var.proxy_hdd_size_gb @@ -21,7 +21,14 @@ resource "aws_instance" "proxy" { } ) + metadata_options { + http_endpoint = "enabled" + http_tokens = "required" + http_put_response_hop_limit = 1 + instance_metadata_tags = null + } + tags = { - Name = "${var.project_name}-${var.aws_region}-kasm-proxy" + Name = "${var.project_name}-${var.aws_region}-kasm-proxy-${count.index}" } } diff --git a/aws/multi_region/agents/routes.tf b/aws/multi_region/agents/routes.tf index ab69335..39ee67f 100644 --- a/aws/multi_region/agents/routes.tf +++ b/aws/multi_region/agents/routes.tf @@ -15,8 +15,8 @@ resource "aws_route_table" "nat_gateway" { vpc_id = aws_vpc.this.id route { - cidr_block = var.anywhere - gateway_id = aws_nat_gateway.this.id + cidr_block = var.anywhere + nat_gateway_id = aws_nat_gateway.this.id } tags = { diff --git a/aws/multi_region/agents/security_group.tf b/aws/multi_region/agents/security_group.tf index 08dae14..c2896f2 100644 --- a/aws/multi_region/agents/security_group.tf +++ b/aws/multi_region/agents/security_group.tf 
@@ -11,12 +11,25 @@ resource "aws_security_group" "public_lb" { resource "aws_security_group_rule" "public_lb" { for_each = var.public_lb_security_rules + description = "Allow Public LB ingress from ${join(",", var.web_access_cidrs)}" security_group_id = aws_security_group.public_lb.id type = "ingress" from_port = each.value.from_port to_port = each.value.to_port protocol = each.value.protocol - cidr_blocks = [var.anywhere] + cidr_blocks = var.web_access_cidrs +} + +resource "aws_security_group_rule" "public_lb_egress" { + for_each = var.default_egress + + description = "Allow Public LB egress" + security_group_id = aws_security_group.public_lb.id + type = "egress" + from_port = each.value.from_port + to_port = each.value.to_port + protocol = each.value.protocol + cidr_blocks = each.value.cidr_subnets } resource "aws_security_group" "proxy" { 
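Review bot: `public_lb_egress` gives the public ALB the module-wide `var.default_egress` (all protocols to `0.0.0.0/0` by default, per `variables.tf` in this patch), although the LB only needs to reach its proxy targets. Replacing `cidr_blocks = each.value.cidr_subnets` with `source_security_group_id = aws_security_group.proxy.id` and the proxy port range would scope it to that. Also, the ingress description interpolates the whole `var.web_access_cidrs` list; security-group rule descriptions are capped at 255 characters, so a long allow-list would make the apply fail, and a fixed string such as `"Allow Public LB ingress from web_access_cidrs"` is safer.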
@@ -29,15 +42,39 @@ resource "aws_security_group" "proxy" { } } -resource "aws_security_group_rule" "proxy" { - for_each = local.proxy_security_rules +resource "aws_security_group_rule" "proxy_public_lb" { + for_each = var.proxy_security_rules security_group_id = aws_security_group.proxy.id type = "ingress" from_port = each.value.from_port to_port = each.value.to_port protocol = each.value.protocol - source_security_group_id = each.key + source_security_group_id = aws_security_group.public_lb.id +} + +resource "aws_security_group_rule" "proxy_agent" { + for_each = var.proxy_security_rules + + description = "Allow Proxy ingress from Public LB" + security_group_id = aws_security_group.proxy.id + type = "ingress" + from_port = each.value.from_port + to_port = each.value.to_port + protocol = each.value.protocol + source_security_group_id = aws_security_group.agent.id +} + +resource "aws_security_group_rule" "proxy_egress" { + for_each = var.default_egress + + description = "Allow Proxy Egress" + security_group_id = aws_security_group.proxy.id + type = "egress" + from_port = each.value.from_port + to_port = each.value.to_port + protocol = each.value.protocol + cidr_blocks = each.value.cidr_subnets } resource "aws_security_group" "agent" { @@ -53,6 +90,7 @@ resource "aws_security_group" "agent" { resource "aws_security_group_rule" "agent" { for_each = var.agent_security_rules + description = "Allow Kasm Agent ingress from Proxy" security_group_id = aws_security_group.agent.id type = "ingress" from_port = each.value.from_port 
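Review bot: The description on `proxy_agent` reads "Allow Proxy ingress from Public LB", but its `source_security_group_id` is `aws_security_group.agent.id`; the text appears to belong to `proxy_public_lb`, which has no description at all. Descriptions are what an auditor sees when reviewing the group, so a wrong one hides the agent-to-proxy path. Suggested: `description = "Allow Proxy ingress from Kasm Agent"` on `proxy_agent` and `description = "Allow Proxy ingress from Public LB"` on `proxy_public_lb`.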
@@ -61,11 +99,25 @@ resource "aws_security_group_rule" "agent" { source_security_group_id = aws_security_group.proxy.id } +resource "aws_security_group_rule" "agent_egress" { + for_each = var.default_egress + + description = "Allow Agents egress" + security_group_id = aws_security_group.agent.id + type = "egress" + from_port = each.value.from_port + to_port = each.value.to_port + protocol = each.value.protocol + cidr_blocks = each.value.cidr_subnets +} + + resource "aws_security_group" "cpx" { count = var.num_cpx_nodes > 0 ? 1 : 0 name = "${var.project_name}-kasm-cpx-access" description = "Allow access to cpx RDP nodes" + vpc_id = aws_vpc.this.id tags = { Name = "${var.project_name}-kasm-cpx-access" @@ -75,6 +127,7 @@ resource "aws_security_group" "cpx" { resource "aws_security_group_rule" "cpx" { for_each = var.num_cpx_nodes > 0 ? var.cpx_security_rules : {} + description = "Allow Kasm CPX ingress from Kasm Proxy" security_group_id = one(aws_security_group.cpx[*].id) type = "ingress" from_port = each.value.from_port @@ -83,6 +136,18 @@ resource "aws_security_group_rule" "cpx" { source_security_group_id = aws_security_group.proxy.id } +resource "aws_security_group_rule" "cpx_egress" { + for_each = var.num_cpx_nodes > 0 ? var.default_egress : {} + + description = "Allow Kasm CPX egress" + security_group_id = one(aws_security_group.cpx[*].id) + type = "egress" + from_port = each.value.from_port + to_port = each.value.to_port + protocol = each.value.protocol + cidr_blocks = each.value.cidr_subnets +} + resource "aws_security_group" "windows" { count = var.num_cpx_nodes > 0 ? 1 : 0 @@ -98,6 +163,7 @@ resource "aws_security_group" "windows" { resource "aws_security_group_rule" "windows_cpx" { for_each = var.num_cpx_nodes > 0 ? var.windows_security_rules : {} + description = "Allow Windows ingress from Kasm CPX" security_group_id = one(aws_security_group.windows[*].id) type = "ingress" from_port = each.value.from_port 
@@ -109,6 +175,7 @@ resource "aws_security_group_rule" "windows_cpx" { resource "aws_security_group_rule" "windows_webapp" { for_each = var.num_cpx_nodes > 0 ? { for key, value in var.windows_security_rules : key => value if can(regex("(?i:api)", key)) } : {} + description = "Allow Windows ingress from Kasm WebApp" security_group_id = one(aws_security_group.windows[*].id) type = "ingress" from_port = each.value.from_port @@ -117,13 +184,14 @@ resource "aws_security_group_rule" "windows_webapp" { cidr_blocks = [var.management_region_nat_gateway] } -resource "aws_security_group_rule" "egress" { - for_each = { for value in local.all_security_groups : value => var.default_egress } +resource "aws_security_group_rule" "windows_egress" { + for_each = var.num_cpx_nodes > 0 ? var.default_egress : {} - security_group_id = each.key - type = each.value.rule_type + description = "Allow Windows egress" + security_group_id = one(aws_security_group.windows[*].id) + type = "egress" from_port = each.value.from_port to_port = each.value.to_port protocol = each.value.protocol - cidr_blocks = [var.anywhere] + cidr_blocks = each.value.cidr_subnets } diff --git a/aws/multi_region/agents/subnet.tf b/aws/multi_region/agents/subnet.tf index 24802b8..df107d1 100644 --- a/aws/multi_region/agents/subnet.tf +++ b/aws/multi_region/agents/subnet.tf @@ -2,7 +2,7 @@ resource "aws_subnet" "alb" { count = 2 vpc_id = aws_vpc.this.id cidr_block = cidrsubnet(var.agent_vpc_cidr, local.kasm_agent_subnet_cidr_size, count.index) - availability_zone = data.aws_availability_zones.available.names[0] + availability_zone = data.aws_availability_zones.available.names[(count.index)] map_public_ip_on_launch = true tags = { 
@@ -14,7 +14,7 @@ resource "aws_subnet" "proxy" { count = var.num_proxy_nodes vpc_id = aws_vpc.this.id cidr_block = cidrsubnet(var.agent_vpc_cidr, local.kasm_agent_subnet_cidr_size, (count.index + 2)) - availability_zone = data.aws_availability_zones.available.names[0] + availability_zone = data.aws_availability_zones.available.names[(count.index)] tags = { Name = "${var.project_name}-${var.aws_region}-kasm-proxy-subnet" diff --git a/aws/multi_region/agents/variables.tf b/aws/multi_region/agents/variables.tf index 28c4d42..47a55a9 100644 --- a/aws/multi_region/agents/variables.tf +++ b/aws/multi_region/agents/variables.tf @@ -48,8 +48,8 @@ variable "cpx_hdd_size_gb" { type = number } -variable "aws_ssm_iam_role_name" { - description = "The name of the SSM EC2 role to associate with Kasm VMs for SSH access" +variable "aws_ssm_instance_profile_name" { + description = "The name of the SSM EC2 Instance Profile to associate with Kasm VMs for SSH access" type = string default = "" } @@ -62,7 +62,7 @@ variable "num_proxy_nodes" { variable "proxy_instance_type" { description = "The instance type for the dedicated proxy nodes" - type = number + type = string } variable "proxy_hdd_size_gb" { @@ -75,11 +75,6 @@ variable "aws_region" { type = string } -variable "load_balancer_log_bucket" { - description = "S3 bucket name for load balancers to forward access logs to" - type = string -} - variable "kasm_build" { description = "The URL for the Kasm Workspaces build" type = string @@ -118,6 +113,12 @@ variable "anywhere" { default = "0.0.0.0/0" } +variable "web_access_cidrs" { + description = "List of Networks in CIDR notation for IPs allowed to access the Kasm Web interface" + type = list(string) + default = ["0.0.0.0/0"] +} + variable "public_lb_security_rules" { description = "A map of objects of security rules to apply to the Public ALB" type = map(object({ 
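Review bot: `aws_subnet.proxy` now indexes `data.aws_availability_zones.available.names[(count.index)]` with `count = var.num_proxy_nodes`, so a proxy count larger than the number of zones the region returns fails with an index error at plan time. Wrapping the index keeps the spread across zones without that limit: `availability_zone = data.aws_availability_zones.available.names[count.index % length(data.aws_availability_zones.available.names)]`. The resource body continues past the end of the hunk.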
@@ -142,16 +143,18 @@ variable "public_lb_security_rules" { variable "proxy_security_rules" { description = "A map of objects of security rules to apply to the Kasm WebApp server" - type = object({ + type = map(object({ from_port = number to_port = number protocol = string - }) + })) default = { - from_port = 443 - to_port = 443 - protocol = "tcp" + https = { + from_port = 443 + to_port = 443 + protocol = "tcp" + } } } @@ -213,17 +216,19 @@ variable "windows_security_rules" { variable "default_egress" { description = "Default egress security rule for all security groups" - type = object({ + type = map(object({ from_port = number to_port = number protocol = string cidr_subnets = list(string) - }) + })) default = { - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_subnets = ["0.0.0.0/0"] + all = { + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_subnets = ["0.0.0.0/0"] + } } } diff --git a/aws/multi_region/deployment.tf b/aws/multi_region/deployment.tf index cf2a038..a6416d2 100644 --- a/aws/multi_region/deployment.tf +++ b/aws/multi_region/deployment.tf 
@@ -4,27 +4,30 @@ # agents/webapps that map to this region. ########################################################### module "primary_region" { - source = "./primary" - aws_region = var.aws_primary_region - zone_name = var.aws_primary_region - vpc_subnet_cidr = var.primary_vpc_subnet_cidr - ec2_ami = var.primary_region_ec2_ami_id - db_instance_type = var.db_instance_type - num_webapps = var.num_webapps - num_cpx_nodes = var.num_cpx_nodes - project_name = var.project_name - kasm_build = var.kasm_build - db_hdd_size_gb = var.db_hdd_size_gb - swap_size = var.swap_size - database_password = var.database_password - redis_password = var.redis_password - user_password = var.user_password - admin_password = var.admin_password - manager_token = var.manager_token - service_registration_token = var.service_registration_token - aws_key_pair = var.aws_key_pair - aws_domain_name = var.aws_domain_name - web_access_cidrs = var.web_access_cidrs + source = "./primary" + aws_region = var.aws_primary_region + zone_name = var.aws_primary_region + vpc_subnet_cidr = var.primary_vpc_subnet_cidr + ec2_ami = var.primary_region_ec2_ami_id + db_instance_type = var.db_instance_type + num_webapps = var.num_webapps + num_cpx_nodes = var.num_cpx_nodes + project_name = var.project_name + kasm_build = var.kasm_build + db_hdd_size_gb = var.db_hdd_size_gb + swap_size = var.swap_size + database_password = var.database_password + redis_password = var.redis_password + user_password = var.user_password + admin_password = var.admin_password + manager_token = var.manager_token + service_registration_token = var.service_registration_token + aws_key_pair = var.aws_key_pair + aws_domain_name = var.aws_domain_name + web_access_cidrs = var.web_access_cidrs + create_aws_ssm_iam_role = var.create_aws_ssm_iam_role + aws_ssm_iam_role_name = var.aws_ssm_iam_role_name + aws_ssm_instance_profile_name = var.aws_ssm_instance_profile_name } module "primary_region_webapps_and_agents" { 
@@ -42,6 +45,7 @@ module "primary_region_webapps_and_agents" { webapp_security_group_id = module.primary_region.webapp_security_group_id agent_subnet_id = module.primary_region.agent_subnet_id agent_security_group_id = module.primary_region.agent_security_group_id + cpx_subnet_id = module.primary_region.cpx_subnet_id cpx_security_group_id = module.primary_region.cpx_security_group_id load_balancer_security_group_id = module.primary_region.lb_security_group_id webapp_instance_type = var.webapp_instance_type @@ -62,6 +66,7 @@ module "primary_region_webapps_and_agents" { primary_vpc_id = module.primary_region.primary_vpc_id certificate_arn = module.primary_region.certificate_arn load_balancer_log_bucket = module.primary_region.lb_log_bucket + aws_ssm_instance_profile_name = var.aws_ssm_instance_profile_name } ##################################################################### @@ -94,6 +99,7 @@ module "region2_webapps" { primary_vpc_id = module.primary_region.primary_vpc_id certificate_arn = module.primary_region.certificate_arn load_balancer_log_bucket = module.primary_region.lb_log_bucket + aws_ssm_instance_profile_name = var.aws_ssm_instance_profile_name } module "region2_agents" { @@ -101,7 +107,6 @@ module "region2_agents" { aws_region = var.secondary_regions_settings.region2.agent_region ec2_ami = var.secondary_regions_settings.region2.ec2_ami_id agent_vpc_cidr = var.secondary_regions_settings.region2.agent_vpc_cidr - load_balancer_log_bucket = module.primary_region.lb_log_bucket management_region_nat_gateway = module.primary_region.nat_gateway_ip proxy_instance_type = var.proxy_instance_type proxy_hdd_size_gb = var.proxy_hdd_size_gb @@ -118,6 +123,8 @@ module "region2_agents" { aws_key_pair = var.aws_key_pair manager_token = var.manager_token service_registration_token = var.service_registration_token + aws_ssm_instance_profile_name = var.aws_ssm_instance_profile_name + web_access_cidrs = var.web_access_cidrs providers = { aws = aws.region2 
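Review bot: In the `@@ -62,6 +66,7 @@` hunk the webapp/agent module is given `aws_ssm_instance_profile_name = var.aws_ssm_instance_profile_name`, which is the raw input and not the name of the profile the primary module creates. With `create_aws_ssm_iam_role = true` and the name left empty, as terraform.tfvars in this patch sets them, that value is an empty string. Unless the receiving modules substitute the default name themselves (their code is not in this part of the diff), their instances would launch without the SSM profile. Exporting the effective name from the primary module and passing it, e.g. `aws_ssm_instance_profile_name = module.primary_region.ssm_instance_profile_name` (a suggested output name, not an existing one), removes the need for both sides to agree on a default. The same assignment appears in the two region2 hunks on this line.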
@@ -156,6 +163,7 @@ module "region2_agents" { # primary_vpc_id = module.primary_region.primary_vpc_id # certificate_arn = module.primary_region.certificate_arn # load_balancer_log_bucket = module.primary_region.lb_log_bucket +# aws_ssm_instance_profile_name = var.aws_ssm_instance_profile_name # } # module "region3_agents" { @@ -180,6 +188,8 @@ module "region2_agents" { # aws_key_pair = var.aws_key_pair # manager_token = var.manager_token # service_registration_token = var.service_registration_token +# aws_ssm_instance_profile_name = var.aws_ssm_instance_profile_name +# web_access_cidrs = var.web_access_cidrs # providers = { # aws = aws.region3 diff --git a/aws/multi_region/primary/README.md b/aws/multi_region/primary/README.md index 16656b2..756866f 100644 --- a/aws/multi_region/primary/README.md +++ b/aws/multi_region/primary/README.md @@ -41,7 +41,6 @@ No modules. | [aws_route_table_association.webapp](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table_association) | resource | | [aws_route_table_association.windows](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table_association) | resource | | [aws_s3_bucket.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource | -| [aws_s3_bucket_acl.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) | resource | | [aws_s3_bucket_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource | | [aws_s3_bucket_public_access_block.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource | | [aws_s3_bucket_server_side_encryption_configuration.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource | 
@@ -52,12 +51,20 @@ No modules. | [aws_security_group.webapp](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | | [aws_security_group.windows](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | | [aws_security_group_rule.agent](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | +| [aws_security_group_rule.agent_egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | | [aws_security_group_rule.cpx](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | +| [aws_security_group_rule.cpx_egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | | [aws_security_group_rule.db](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | -| [aws_security_group_rule.egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | +| [aws_security_group_rule.db_egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | | [aws_security_group_rule.public_lb](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | -| [aws_security_group_rule.webapp](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | +| [aws_security_group_rule.public_lb_egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | +| [aws_security_group_rule.webapp_agent](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | +| 
[aws_security_group_rule.webapp_cpx](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | +| [aws_security_group_rule.webapp_egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | +| [aws_security_group_rule.webapp_public_lb](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | +| [aws_security_group_rule.webapp_windows](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | | [aws_security_group_rule.windows](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | +| [aws_security_group_rule.windows_egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | | [aws_subnet.agent](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet) | resource | | [aws_subnet.alb](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet) | resource | | [aws_subnet.cpx](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet) | resource | @@ -67,6 +74,7 @@ No modules. | [aws_vpc.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc) | resource | | [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source | | [aws_elb_service_account.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/elb_service_account) | data source | +| [aws_iam_policy_document.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_route53_zone.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route53_zone) | data source | ## Inputs 
@@ -80,12 +88,14 @@ No modules. | [aws\_key\_pair](#input\_aws\_key\_pair) | The name of an aws keypair to use. | `string` | n/a | yes | | [aws\_region](#input\_aws\_region) | The AWS region for the deployment. (e.g us-east-1) | `string` | n/a | yes | | [aws\_ssm\_iam\_role\_name](#input\_aws\_ssm\_iam\_role\_name) | The name of the SSM EC2 role to associate with Kasm VMs for SSH access | `string` | `""` | no | +| [aws\_ssm\_instance\_profile\_name](#input\_aws\_ssm\_instance\_profile\_name) | The name of the SSM EC2 Instance Profile to associate with Kasm VMs for SSH access | `string` | `""` | no | | [cpx\_security\_rules](#input\_cpx\_security\_rules) | A map of objects of security rules to apply to the Kasm Connection Proxy server |
map(object({
from_port = number
to_port = number
protocol = string
}))
|
{
"https": {
"from_port": 443,
"protocol": "tcp",
"to_port": 443
}
}
| no | +| [create\_aws\_ssm\_iam\_role](#input\_create\_aws\_ssm\_iam\_role) | Create an AWS SSM IAM role to attach to VMs for SSH/console access to VMs. | `bool` | `false` | no | | [database\_password](#input\_database\_password) | The password for the database. No special characters | `string` | n/a | yes | | [db\_hdd\_size\_gb](#input\_db\_hdd\_size\_gb) | The HDD size in GB to configure for the Kasm Database instances | `number` | n/a | yes | | [db\_instance\_type](#input\_db\_instance\_type) | The instance type for the Database | `string` | n/a | yes | | [db\_security\_rules](#input\_db\_security\_rules) | A map of objects of security rules to apply to the Kasm DB |
map(object({
from_port = number
to_port = number
protocol = string
}))
|
{
"postgres": {
"from_port": 5432,
"protocol": "tcp",
"to_port": 5432
},
"redis": {
"from_port": 6379,
"protocol": "tcp",
"to_port": 6379
}
}
| no | -| [default\_egress](#input\_default\_egress) | Default egress security rule for all security groups |
object({
from_port = number
to_port = number
protocol = string
cidr_subnets = list(string)
})
|
{
"cidr_subnets": [
"0.0.0.0/0"
],
"from_port": 0,
"protocol": "-1",
"to_port": 0
}
| no | +| [default\_egress](#input\_default\_egress) | Default egress security rule for all security groups |
map(object({
from_port = number
to_port = number
protocol = string
cidr_subnets = list(string)
}))
|
{
"all": {
"cidr_subnets": [
"0.0.0.0/0"
],
"from_port": 0,
"protocol": "-1",
"to_port": 0
}
}
| no | | [ec2\_ami](#input\_ec2\_ami) | The AMI used for the EC2 nodes. Recommended Ubuntu 22.04 LTS. | `string` | n/a | yes | | [kasm\_build](#input\_kasm\_build) | The URL for the Kasm Workspaces build | `string` | n/a | yes | | [manager\_token](#input\_manager\_token) | The manager token value for Agents to authenticate to webapps. No special characters | `string` | n/a | yes | @@ -99,8 +109,8 @@ No modules. | [user\_password](#input\_user\_password) | The standard (non administrator) user password. No special characters | `string` | n/a | yes | | [vpc\_subnet\_cidr](#input\_vpc\_subnet\_cidr) | The subnet CIDR to use for the Primary VPC | `string` | n/a | yes | | [web\_access\_cidrs](#input\_web\_access\_cidrs) | List of Networks in CIDR notation for IPs allowed to access the Kasm Web interface | `list(string)` | n/a | yes | -| [webapp\_security\_rules](#input\_webapp\_security\_rules) | A map of objects of security rules to apply to the Kasm WebApp server |
object({
from_port = number
to_port = number
protocol = string
})
|
{
"from_port": 443,
"protocol": "tcp",
"to_port": 443
}
| no | -| [windows\_security\_rules](#input\_windows\_security\_rules) | A map of objects of security rules to apply to the Kasm Windows VMs |
map(object({
from_port = number
to_port = number
protocol = string
}))
|
{
"cpx_rdp": {
"from_port": 3389,
"protocol": "tcp",
"to_port": 3389
},
"cpx_screenshot": {
"from_port": 4902,
"protocol": "tcp",
"to_port": 4902
},
"webapp_screenshot": {
"from_port": 4902,
"protocol": "tcp",
"to_port": 4902
}
}
| no | +| [webapp\_security\_rules](#input\_webapp\_security\_rules) | A map of objects of security rules to apply to the Kasm WebApp server |
map(object({
from_port = number
to_port = number
protocol = string
}))
|
{
"https": {
"from_port": 443,
"protocol": "tcp",
"to_port": 443
}
}
| no | +| [windows\_security\_rules](#input\_windows\_security\_rules) | A map of objects of security rules to apply to the Kasm Windows VMs |
map(object({
from_port = number
to_port = number
protocol = string
}))
|
{
"cpx_api": {
"from_port": 4902,
"protocol": "tcp",
"to_port": 4902
},
"cpx_rdp": {
"from_port": 3389,
"protocol": "tcp",
"to_port": 3389
},
"webapp_api": {
"from_port": 4902,
"protocol": "tcp",
"to_port": 4902
}
}
| no | | [zone\_name](#input\_zone\_name) | A name given to the kasm deployment Zone | `string` | `"default"` | no | ## Outputs diff --git a/aws/multi_region/primary/db.tf b/aws/multi_region/primary/db.tf index 65716ac..252e455 100644 --- a/aws/multi_region/primary/db.tf +++ b/aws/multi_region/primary/db.tf @@ -4,7 +4,7 @@ resource "aws_instance" "db" { vpc_security_group_ids = [aws_security_group.db.id] subnet_id = aws_subnet.db.id key_name = var.aws_key_pair - iam_instance_profile = var.aws_ssm_iam_role_name == "" ? aws_iam_instance_profile.this[0].name : var.aws_ssm_iam_role_name + iam_instance_profile = var.create_aws_ssm_iam_role ? aws_iam_instance_profile.this[0].name : var.aws_ssm_instance_profile_name root_block_device { volume_size = var.db_hdd_size_gb @@ -23,6 +23,13 @@ resource "aws_instance" "db" { } ) + metadata_options { + http_endpoint = "enabled" + http_tokens = "required" + http_put_response_hop_limit = 1 + instance_metadata_tags = null + } + tags = { Name = "${var.project_name}-kasm-db" } diff --git a/aws/multi_region/primary/dependencies.tf b/aws/multi_region/primary/dependencies.tf index 7cfe6c7..18145ba 100644 --- a/aws/multi_region/primary/dependencies.tf +++ b/aws/multi_region/primary/dependencies.tf @@ -1,16 +1,3 @@ -locals { - all_security_groups = compact([ - aws_security_group.public_lb.id, - aws_security_group.webapp.id, - aws_security_group.agent.id, - aws_security_group.db.id, - one(aws_security_group.cpx[*].id), - one(aws_security_group.windows[*].id) - ]) - - webapp_security_rules = { for value in local.all_security_groups : value => var.webapp_security_rules if value != aws_security_group.db.id || value != aws_security_group.webapp.id } -} - data "aws_availability_zones" "available" { state = "available" } diff --git a/aws/multi_region/primary/lb_s3_log_bucket.tf b/aws/multi_region/primary/lb_s3_log_bucket.tf index 5067a24..74269a1 100644 --- a/aws/multi_region/primary/lb_s3_log_bucket.tf 
+++ b/aws/multi_region/primary/lb_s3_log_bucket.tf @@ -3,11 +3,6 @@ resource "aws_s3_bucket" "this" { force_destroy = true } -resource "aws_s3_bucket_acl" "this" { - bucket = aws_s3_bucket.this.id - acl = "private" -} - resource "aws_s3_bucket_policy" "this" { bucket = aws_s3_bucket.this.id diff --git a/aws/multi_region/primary/routes.tf b/aws/multi_region/primary/routes.tf index 47bfb29..8d6e2ad 100644 --- a/aws/multi_region/primary/routes.tf +++ b/aws/multi_region/primary/routes.tf @@ -15,8 +15,8 @@ resource "aws_route_table" "nat_gateway" { vpc_id = aws_vpc.this.id route { - cidr_block = var.anywhere - gateway_id = aws_nat_gateway.this.id + cidr_block = var.anywhere + nat_gateway_id = aws_nat_gateway.this.id } tags = { diff --git a/aws/multi_region/primary/security_group.tf b/aws/multi_region/primary/security_group.tf index 31ff8e5..21c87ef 100644 --- a/aws/multi_region/primary/security_group.tf +++ b/aws/multi_region/primary/security_group.tf @@ -11,6 +11,7 @@ resource "aws_security_group" "public_lb" { resource "aws_security_group_rule" "public_lb" { for_each = var.public_lb_security_rules + description = "Allow Public LB ingress from ${join(",", var.web_access_cidrs)}" security_group_id = aws_security_group.public_lb.id type = "ingress" from_port = each.value.from_port @@ -19,6 +20,18 @@ resource "aws_security_group_rule" "public_lb" { cidr_blocks = var.web_access_cidrs } +resource "aws_security_group_rule" "public_lb_egress" { + for_each = var.default_egress + + description = "Allow Public LB egress" + security_group_id = aws_security_group.public_lb.id + type = "egress" + from_port = each.value.from_port + to_port = each.value.to_port + protocol = each.value.protocol + cidr_blocks = each.value.cidr_subnets +} + resource "aws_security_group" "webapp" { name = "${var.project_name}-kasm-webapp" description = "Allow access to webapps" 
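Review bot: The `description` added to `aws_security_group_rule.public_lb` interpolates the whole `var.web_access_cidrs` list, and EC2 limits a security group rule description to 255 characters, so a longer allow-list would make the rule fail to apply. A fixed text such as `description = "Allow Public LB ingress from web_access_cidrs"` carries the same meaning, and the actual ranges are already visible in the rule's `cidr_blocks`. The resource body continues past the hunk.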
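Review bot: `public_lb_egress` applies `var.default_egress`, whose default is every protocol to `0.0.0.0/0`, and the later hunks in this file repeat that for `webapp_egress`, `agent_egress`, `db_egress`, `cpx_egress` and `windows_egress`. For the database group in particular, unrestricted outbound looks broader than its ingress rules suggest it needs. A separate, narrower egress input for that group would let the default stay open for agents while the data tier is limited. At minimum, a comment on the variable such as `# applied to every security group, including the DB tier` would make the scope explicit.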
@@ -29,15 +42,40 @@ resource "aws_security_group" "webapp" { } } -resource "aws_security_group_rule" "webapp" { - for_each = local.webapp_security_rules +resource "aws_security_group_rule" "webapp_public_lb" { + for_each = var.webapp_security_rules + description = "Allow Webapp ingress from Public LB" security_group_id = aws_security_group.webapp.id type = "ingress" from_port = each.value.from_port to_port = each.value.to_port protocol = each.value.protocol - source_security_group_id = each.key + source_security_group_id = aws_security_group.public_lb.id +} + +resource "aws_security_group_rule" "webapp_agent" { + for_each = var.webapp_security_rules + + description = "Allow Webapp ingress from Kasm Agent" + security_group_id = aws_security_group.webapp.id + type = "ingress" + from_port = each.value.from_port + to_port = each.value.to_port + protocol = each.value.protocol + source_security_group_id = aws_security_group.agent.id +} + +resource "aws_security_group_rule" "webapp_egress" { + for_each = var.default_egress + + description = "Allow Webapp egress" + security_group_id = aws_security_group.webapp.id + type = "egress" + from_port = each.value.from_port + to_port = each.value.to_port + protocol = each.value.protocol + cidr_blocks = each.value.cidr_subnets } resource "aws_security_group" "agent" { @@ -53,6 +91,7 @@ resource "aws_security_group" "agent" { resource "aws_security_group_rule" "agent" { for_each = var.agent_security_rules + description = "Allow Kasm Agent ingress from WebApps" security_group_id = aws_security_group.agent.id type = "ingress" from_port = each.value.from_port 
@@ -61,6 +100,18 @@ resource "aws_security_group_rule" "agent" { source_security_group_id = aws_security_group.webapp.id } +resource "aws_security_group_rule" "agent_egress" { + for_each = var.default_egress + + description = "Allow Agents egress" + security_group_id = aws_security_group.agent.id + type = "egress" + from_port = each.value.from_port + to_port = each.value.to_port + protocol = each.value.protocol + cidr_blocks = each.value.cidr_subnets +} + resource "aws_security_group" "db" { name = "${var.project_name}-kasm-db-access" description = "Allow access to webapps" @@ -74,6 +125,7 @@ resource "aws_security_group" "db" { resource "aws_security_group_rule" "db" { for_each = var.db_security_rules + description = "Allow Kasm DB ingress from Kasm Webapp" security_group_id = aws_security_group.db.id type = "ingress" from_port = each.value.from_port @@ -82,11 +134,24 @@ resource "aws_security_group_rule" "db" { source_security_group_id = aws_security_group.webapp.id } +resource "aws_security_group_rule" "db_egress" { + for_each = var.default_egress + + description = "Allow Kasm Db egress" + security_group_id = aws_security_group.db.id + type = "egress" + from_port = each.value.from_port + to_port = each.value.to_port + protocol = each.value.protocol + cidr_blocks = each.value.cidr_subnets +} + resource "aws_security_group" "cpx" { count = var.num_cpx_nodes > 0 ? 1 : 0 name = "${var.project_name}-kasm-cpx-access" description = "Allow access to cpx RDP nodes" + vpc_id = aws_vpc.this.id tags = { Name = "${var.project_name}-kasm-cpx-access" @@ -96,6 +161,7 @@ resource "aws_security_group" "cpx" { resource "aws_security_group_rule" "cpx" { for_each = var.num_cpx_nodes > 0 ? var.cpx_security_rules : {} + description = "Allow Kasm CPX ingress from Kasm Webapp" security_group_id = one(aws_security_group.cpx[*].id) type = "ingress" from_port = each.value.from_port 
@@ -104,6 +170,30 @@ resource "aws_security_group_rule" "cpx" { source_security_group_id = aws_security_group.webapp.id } +resource "aws_security_group_rule" "cpx_egress" { + for_each = var.num_cpx_nodes > 0 ? var.default_egress : {} + + description = "Allow Kasm CPX egress" + security_group_id = one(aws_security_group.cpx[*].id) + type = "egress" + from_port = each.value.from_port + to_port = each.value.to_port + protocol = each.value.protocol + cidr_blocks = each.value.cidr_subnets +} + +resource "aws_security_group_rule" "webapp_cpx" { + for_each = var.num_cpx_nodes > 0 ? var.webapp_security_rules : {} + + description = "Allow Webapp ingress from Kasm CPX" + security_group_id = aws_security_group.webapp.id + type = "ingress" + from_port = each.value.from_port + to_port = each.value.to_port + protocol = each.value.protocol + source_security_group_id = one(aws_security_group.cpx[*].id) +} + resource "aws_security_group" "windows" { count = var.num_cpx_nodes > 0 ? 1 : 0 @@ -119,6 +209,7 @@ resource "aws_security_group" "windows" { resource "aws_security_group_rule" "windows" { for_each = var.num_cpx_nodes > 0 ? var.windows_security_rules : {} + description = "Allow Windows ingress from Kasm CPX and WebApp" security_group_id = one(aws_security_group.windows[*].id) type = "ingress" from_port = each.value.from_port 
@@ -127,13 +218,26 @@ resource "aws_security_group_rule" "windows" { source_security_group_id = can(regex("(?i:cpx)", each.key)) ? one(aws_security_group.cpx[*].id) : aws_security_group.webapp.id } -resource "aws_security_group_rule" "egress" { - for_each = { for value in local.all_security_groups : value => var.default_egress } +resource "aws_security_group_rule" "windows_egress" { + for_each = var.num_cpx_nodes > 0 ? var.default_egress : {} - security_group_id = each.key - type = each.value.rule_type + description = "Allow Windows egress" + security_group_id = one(aws_security_group.windows[*].id) + type = "egress" from_port = each.value.from_port to_port = each.value.to_port protocol = each.value.protocol - cidr_blocks = [var.anywhere] -} \ No newline at end of file + cidr_blocks = each.value.cidr_subnets +} + +resource "aws_security_group_rule" "webapp_windows" { + for_each = var.num_cpx_nodes > 0 ? var.webapp_security_rules : {} + + description = "Allow Windows ingress from Kasm WebApp" + security_group_id = aws_security_group.webapp.id + type = "ingress" + from_port = each.value.from_port + to_port = each.value.to_port + protocol = each.value.protocol + source_security_group_id = one(aws_security_group.windows[*].id) +} diff --git a/aws/multi_region/primary/ssm.tf b/aws/multi_region/primary/ssm.tf index 0032064..98b6dd3 100644 --- a/aws/multi_region/primary/ssm.tf +++ b/aws/multi_region/primary/ssm.tf 
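Review bot: The `description` on `aws_security_group_rule.webapp_windows` reads "Allow Windows ingress from Kasm WebApp", but the rule is attached to `aws_security_group.webapp` with the Windows group as `source_security_group_id`, so it admits traffic from the Windows VMs into the webapp. This text is what an auditor sees on the group, so it should match the direction: `description = "Allow Webapp ingress from Kasm Windows"`, in line with `webapp_cpx` and `webapp_agent`.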
@@ -1,29 +1,35 @@ -resource "aws_iam_role" "this" { - count = var.aws_ssm_iam_role_name == "" ? 1 : 0 +data "aws_iam_policy_document" "this" { + statement { + effect = "Allow" - name = "Kasm_SSM_IAM_Instance_Role" - assume_role_policy = jsonencode({ - Version = "2012-10-17" - Statement = [{ - Action = "sts:AssumeRole" - Effect = "Allow" - Principal = { - Service = "ec2.amazonaws.com" - } - }] - }) + principals { + type = "Service" + identifiers = [ + "ec2.amazonaws.com" + ] + } + + actions = ["sts:AssumeRole"] + } +} + +resource "aws_iam_role" "this" { + count = var.create_aws_ssm_iam_role ? 1 : 0 + + name = var.aws_ssm_iam_role_name != "" ? var.aws_ssm_iam_role_name : "Kasm_SSM_IAM_Instance_Role" + assume_role_policy = data.aws_iam_policy_document.this.json } resource "aws_iam_role_policy_attachment" "this" { - count = var.aws_ssm_iam_role_name == "" ? 1 : 0 + count = var.create_aws_ssm_iam_role ? 1 : 0 policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore" - role = aws_iam_role.this[0].name + role = one(aws_iam_role.this[*].name) } resource "aws_iam_instance_profile" "this" { - count = var.aws_ssm_iam_role_name == "" ? 1 : 0 + count = var.create_aws_ssm_iam_role ? 1 : 0 - name = "Kasm_SSM_Instance_Profile" - role = aws_iam_role.this[0].name + name = var.aws_ssm_instance_profile_name != "" ? var.aws_ssm_instance_profile_name : "Kasm_SSM_Instance_Profile" + role = one(aws_iam_role.this[*].name) } diff --git a/aws/multi_region/primary/variables.tf b/aws/multi_region/primary/variables.tf index d1a5518..243ebfc 100644 --- a/aws/multi_region/primary/variables.tf +++ b/aws/multi_region/primary/variables.tf 
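Review bot: When no name is supplied, the role and instance profile fall back to the fixed names `Kasm_SSM_IAM_Instance_Role` and `Kasm_SSM_Instance_Profile`. IAM names are unique per account, so a second deployment in the same account with `create_aws_ssm_iam_role = true` would fail on creation or need the first one's resources imported. Deriving the fallback from the project, e.g. `"${var.project_name}-kasm-ssm-role"` and `"${var.project_name}-kasm-ssm-profile"`, avoids the clash. Any module that refers to the profile by the literal default name would need the same value.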
@@ -105,12 +105,24 @@ variable "num_cpx_nodes" { type = number } +variable "create_aws_ssm_iam_role" { + description = "Create an AWS SSM IAM role to attach to VMs for SSH/console access to VMs." + type = bool + default = false +} + variable "aws_ssm_iam_role_name" { description = "The name of the SSM EC2 role to associate with Kasm VMs for SSH access" type = string default = "" } +variable "aws_ssm_instance_profile_name" { + description = "The name of the SSM EC2 Instance Profile to associate with Kasm VMs for SSH access" + type = string + default = "" +} + variable "anywhere" { description = "Anywhere subnet for routing and load ingress from all IPs" type = string @@ -141,16 +153,18 @@ variable "public_lb_security_rules" { variable "webapp_security_rules" { description = "A map of objects of security rules to apply to the Kasm WebApp server" - type = object({ + type = map(object({ from_port = number to_port = number protocol = string - }) + })) default = { - from_port = 443 - to_port = 443 - protocol = "tcp" + https = { + from_port = 443 + to_port = 443 + protocol = "tcp" + } } } @@ -224,12 +238,12 @@ variable "windows_security_rules" { to_port = 3389 protocol = "tcp" } - cpx_screenshot = { + cpx_api = { from_port = 4902 to_port = 4902 protocol = "tcp" } - webapp_screenshot = { + webapp_api = { from_port = 4902 to_port = 4902 protocol = "tcp" @@ -239,17 +253,19 @@ variable "windows_security_rules" { variable "default_egress" { description = "Default egress security rule for all security groups" - type = object({ + type = map(object({ from_port = number to_port = number protocol = string cidr_subnets = list(string) - }) + })) default = { - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_subnets = ["0.0.0.0/0"] + all = { + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_subnets = ["0.0.0.0/0"] + } } } diff --git a/aws/multi_region/secrets.tfvars.example b/aws/multi_region/secrets.tfvars.example new file mode 100644 index 0000000..8cae349 --- /dev/null 
+++ b/aws/multi_region/secrets.tfvars.example @@ -0,0 +1,2 @@ +aws_access_key = "" +aws_secret_key = "" \ No newline at end of file diff --git a/aws/multi_region/terraform.tfvars b/aws/multi_region/terraform.tfvars index 5907377..caff6a7 100644 --- a/aws/multi_region/terraform.tfvars +++ b/aws/multi_region/terraform.tfvars @@ -1,11 +1,11 @@ ## AWS Environment settings aws_key_pair = "" aws_primary_region = "" -aws_domain_name = "kasm.contoso.com" +aws_domain_name = "contoso.kasm.com" primary_vpc_subnet_cidr = "10.0.0.0/16" ## Kasm deployment project -project_name = "contoso" +project_name = "" ## Kasm passwords database_password = "changeme" 
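Review bot: This example file invites putting a long-lived `aws_access_key`/`aws_secret_key` pair into a `secrets.tfvars` next to the configuration. Nothing in the hunk shows that the real file is excluded from version control or that the variables are marked `sensitive = true`. A header comment in the example, such as `# Copy to secrets.tfvars (keep it out of git); prefer AWS_PROFILE or environment credentials where possible`, would state the intended handling. Whether .gitignore already covers `secrets.tfvars` is not visible here.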
@@ -22,32 +22,44 @@ kasm_build = "https://kasm-static-content.s3.amazonaws.com/kasm_release_1.14.0.3 web_access_cidrs = ["0.0.0.0/0"] ## AWS SSM setup for console/SSH access to VMs behind NAT gateway -create_aws_ssm_iam_role = false -aws_ssm_iam_role_name = "" +create_aws_ssm_iam_role = true +aws_ssm_iam_role_name = "" +aws_ssm_instance_profile_name = "" -## Number of each Kasm role to deploy -num_webapps = 2 -num_agents = 2 -num_cpx_nodes = 1 - -## Kasm Server settings -primary_region_ec2_ami_id = "" -webapp_instance_type = "t3.small" -db_instance_type = "t3.small" -agent_instance_type = "t3.medium" -cpx_instance_type = "t3.small" -webapp_hdd_size_gb = 50 -db_hdd_size_gb = 50 -cpx_hdd_size_gb = 50 -agent_hdd_size_gb = 150 +## Kasm Server Settings swap_size = 2048 +primary_region_ec2_ami_id = "" + +## Kasm Webapp Instance Settings +num_webapps = 2 +webapp_instance_type = "t3.small" +webapp_hdd_size_gb = 50 + +## Kasm DB Instance Settings +db_instance_type = "t3.medium" +db_hdd_size_gb = 80 + +## Kasm Agent Instance Settings +num_agents = 2 +agent_instance_type = "t3.medium" +agent_hdd_size_gb = 150 + +## Kasm CPX Instance Settings +num_cpx_nodes = 1 +cpx_instance_type = "t3.small" +cpx_hdd_size_gb = 50 + +## Kasm Dedicated Proxy Instance Settings +num_proxy_nodes = 2 +proxy_hdd_size_gb = 40 +proxy_instance_type = "t3.micro" ## Settings for all additional Agent regions secondary_regions_settings = { region2 = { agent_region = "" - agent_vpc_cidr = "10.1.0.0/16" ec2_ami_id = "" + agent_vpc_cidr = "10.1.0.0/16" } ####################################################################### @@ -62,8 +74,8 @@ secondary_regions_settings = { ####################################################################### # region3 = { # agent_region = "" - # agent_vpc_cidr = "10.2.0.0/16" # ec2_ami_id = "" + # agent_vpc_cidr = "10.2.0.0/16" # } } diff --git a/aws/multi_region/userdata/agent_bootstrap.sh b/aws/multi_region/userdata/agent_bootstrap.sh index ca26186..7dc4430 100644 
--- a/aws/multi_region/userdata/agent_bootstrap.sh +++ b/aws/multi_region/userdata/agent_bootstrap.sh @@ -2,7 +2,7 @@ set -ex echo "Starting Kasm Workspaces Agent Install" -/bin/dd if=/dev/zero of=/var/swap.1 bs=1M count=${swap_size} +/bin/dd if=/dev/zero of=/var/swap.1 bs=1M count="${swap_size}" /sbin/mkswap /var/swap.1 chmod 600 /var/swap.1 /sbin/swapon /var/swap.1 @@ -24,6 +24,6 @@ do done echo "WebApp is alive" -bash kasm_release/install.sh -S agent -e -p $PRIVATE_IP -m ${manager_address} -M ${manager_token} +bash kasm_release/install.sh -S agent -e -p $PRIVATE_IP -m "${manager_address}" -M "${manager_token}" echo "Done" diff --git a/aws/multi_region/userdata/cpx_bootstrap.sh b/aws/multi_region/userdata/cpx_bootstrap.sh index 5125904..7159ca8 100644 --- a/aws/multi_region/userdata/cpx_bootstrap.sh +++ b/aws/multi_region/userdata/cpx_bootstrap.sh @@ -2,7 +2,7 @@ set -ex echo "Starting Kasm Workspaces Agent Install" -/bin/dd if=/dev/zero of=/var/swap.1 bs=1M count=${swap_size} +/bin/dd if=/dev/zero of=/var/swap.1 bs=1M count="${swap_size}" /sbin/mkswap /var/swap.1 chmod 600 /var/swap.1 /sbin/swapon /var/swap.1 @@ -24,6 +24,6 @@ do done echo "WebApp is alive" -bash kasm_release/install.sh -S cpx -e -p $PRIVATE_IP -n ${manager_address} -k ${service_registration_token} +bash kasm_release/install.sh -S guac -e -p $PRIVATE_IP -n "${manager_address}" -k "${service_registration_token}" echo "Done" diff --git a/aws/multi_region/userdata/guac_bootstrap.sh b/aws/multi_region/userdata/guac_bootstrap.sh deleted file mode 100644 index 239b5cc..0000000 --- a/aws/multi_region/userdata/guac_bootstrap.sh +++ /dev/null 
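Review bot: The install command in the second agent_bootstrap.sh hunk passes `${manager_token}` on the command line while the script runs under `set -ex`, so the expanded token is written to whatever captures the user-data output (typically the cloud-init log). The same applies to `${service_registration_token}` in the cpx_bootstrap.sh hunk below and to `${database_password}`/`${redis_password}` in webapp_bootstrap.sh. Putting `set +x` before the call and `set -x` after it keeps the trace for the rest of the script without logging the secrets. `$PRIVATE_IP` is also still unquoted on the same line, unlike the other arguments.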
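Review bot: The role passed to the installer changes from `-S cpx` to `-S guac` in a file named cpx_bootstrap.sh, and the banner at the top of the script still reads "Starting Kasm Workspaces Agent Install", so neither the file nor its log says which role this host gets. If `guac` is what the pinned `kasm_build` expects, a comment above the call such as `# installer role name for the connection proxy in the pinned Kasm build` and a banner that names the role would make that clear. The script body between the two hunks is not shown.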
@@ -1,29 +0,0 @@ -#!/bin/bash -set -ex -echo "Starting Kasm Workspaces Agent Install" - -/bin/dd if=/dev/zero of=/var/swap.1 bs=1M count="${swap_size}" -/sbin/mkswap /var/swap.1 -chmod 600 /var/swap.1 -/sbin/swapon /var/swap.1 - -echo '/var/swap.1 swap swap defaults 0 0' | tee -a /etc/fstab - -cd /tmp - -PRIVATE_IP=(`hostname -I | cut -d ' ' -f1 | tr -d '\\n'`) - -wget ${kasm_build_url} -O kasm_workspaces.tar.gz -tar -xf kasm_workspaces.tar.gz - -echo "Waiting for Kasm WebApp availability..." -while ! (curl -k https://${manager_address}/api/__healthcheck 2>/dev/null | grep -q true) -do - echo "Waiting for API server..." - sleep 5 -done -echo "WebApp is alive" - -bash kasm_release/install.sh -S cpx -e -p "${PRIVATE_IP}" -n "${manager_address}" -k "${service_registration_token}" - -echo "Done" diff --git a/aws/multi_region/userdata/proxy_bootstrap.sh b/aws/multi_region/userdata/proxy_bootstrap.sh index ad47442..4de9f6f 100644 --- a/aws/multi_region/userdata/proxy_bootstrap.sh +++ b/aws/multi_region/userdata/proxy_bootstrap.sh @@ -2,7 +2,7 @@ set -ex echo "Starting Kasm Workspaces Agent Install" -/bin/dd if=/dev/zero of=/var/swap.1 bs=1M count=${swap_size} +/bin/dd if=/dev/zero of=/var/swap.1 bs=1M count="${swap_size}" /sbin/mkswap /var/swap.1 chmod 600 /var/swap.1 /sbin/swapon /var/swap.1 @@ -22,6 +22,6 @@ do done echo "WebApp is alive" -bash kasm_release/install.sh -S proxy -e -H -p ${proxy_alb_address} -n ${manager_address} +bash kasm_release/install.sh -S proxy -e -H -p "${proxy_alb_address}" -n "${manager_address}" echo "Done" diff --git a/aws/multi_region/userdata/webapp_bootstrap.sh b/aws/multi_region/userdata/webapp_bootstrap.sh index 5ee0d2f..9bdb0b0 100644 --- a/aws/multi_region/userdata/webapp_bootstrap.sh +++ b/aws/multi_region/userdata/webapp_bootstrap.sh 
@@ -2,7 +2,7 @@ set -ex echo "Starting Kasm Workspaces Install" -/bin/dd if=/dev/zero of=/var/swap.1 bs=1M count=${swap_size} +/bin/dd if=/dev/zero of=/var/swap.1 bs=1M count="${swap_size}" /sbin/mkswap /var/swap.1 chmod 600 /var/swap.1 /sbin/swapon /var/swap.1 @@ -11,24 +11,24 @@ echo '/var/swap.1 swap swap defaults 0 0' | tee -a /etc/fstab cd /tmp -wget ${kasm_build_url} -O kasm_workspaces.tar.gz +wget "${kasm_build_url}" -O kasm_workspaces.tar.gz tar -xf kasm_workspaces.tar.gz echo "Checking for Kasm DB and Redis..." apt-get update && apt-get install -y netcat -while ! nc -w 1 -z ${db_ip} 5432; do +while ! nc -w 1 -z "${db_ip}" 5432; do echo "Database not ready..." sleep 5 done echo "DB is alive" -while ! nc -w 1 -z ${db_ip} 6379; do +while ! nc -w 1 -z "${db_ip}" 6379; do echo "Redis not ready..." sleep 5 done echo "Redis is alive" -bash kasm_release/install.sh -S app -e -z ${zone_name} -q "${db_ip}" -Q ${database_password} -R ${redis_password} +bash kasm_release/install.sh -S app -e -z "${zone_name}" -q "${db_ip}" -Q "${database_password}" -R "${redis_password}" echo "Done" diff --git a/aws/multi_region/variables.tf b/aws/multi_region/variables.tf index 44a457e..beedfc5 100644 --- a/aws/multi_region/variables.tf +++ b/aws/multi_region/variables.tf 
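Review bot: The archive fetched by `wget "${kasm_build_url}"` is unpacked and its install.sh executed with no integrity check, so whatever the URL serves at boot time is what gets installed on the node. Pinning a digest next to the URL and verifying it before `tar -xf` closes that gap, e.g. `echo "${kasm_build_sha256}  kasm_workspaces.tar.gz" | sha256sum -c -`, where `kasm_build_sha256` is a new template variable that would have to be declared alongside `kasm_build_url`. With `set -e` already in effect a mismatch aborts the bootstrap instead of continuing. db_bootstrap.sh in the standard module downloads the same way.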
@@ -52,6 +52,17 @@ variable "aws_ssm_iam_role_name" { } } +variable "aws_ssm_instance_profile_name" { + description = "The name of the SSM EC2 Instance Profile to associate with Kasm VMs for SSH access" + type = string + default = "" + + validation { + condition = var.aws_ssm_instance_profile_name == "" ? true : can(regex("[a-zA-Z0-9+=,.@-]{1,64}", var.aws_ssm_instance_profile_name)) + error_message = "The aws_ssm_instance_profile_name must be unique across the account and can only consisit of between 1 and 64 characters consisting of letters, numbers, underscores (_), plus (+), equals (=), comman (,), period (.), at symbol (@), or dash (-)." + } +} + variable "project_name" { description = "The name of the deployment (e.g dev, staging). A short single word" type = string 
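Review bot: The validation regex for `aws_ssm_instance_profile_name` is not anchored, so `can(regex(...))` succeeds for any value containing a single allowed character, and neither the character set nor the 64-character limit is actually enforced. The class also omits the underscore that the error message lists as permitted. Anchoring the pattern and adding `_` fixes both: `condition = var.aws_ssm_instance_profile_name == "" ? true : can(regex("^[a-zA-Z0-9_+=,.@-]{1,64}$", var.aws_ssm_instance_profile_name))`. The identical block added to aws/standard/variables.tf needs the same change, and the message contains typos ("consisit", "comman").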
@@ -106,12 +117,22 @@ variable "num_webapps" { } variable "num_cpx_nodes" { - description = "The number of Agent Role Servers to create in the deployment" + description = "The number of RDP Conection Proxy Role Servers to create in the deployment. Set this to zero (0) and this Terraform will not deploy ANY Connection Proxy or Windows resoures like subnets, security groups, etc." type = number validation { condition = var.num_cpx_nodes == 0 ? true : var.num_cpx_nodes >= 0 && var.num_cpx_nodes <= 100 && floor(var.num_cpx_nodes) == var.num_cpx_nodes - error_message = "If num_cpx_nodes is set to 0, this Terraform will not deploy the Connection Proxy node. Acceptable number of Kasm Agents range between 0-100." + error_message = "If num_cpx_nodes is set to 0, this Terraform will not deploy the Connection Proxy node. Acceptable number ranges between 0-100." + } +} + +variable "num_proxy_nodes" { + description = "The number of Dedicated Proxy nodes to create in the deployment" + type = number + + validation { + condition = var.num_proxy_nodes == 1 ? true : var.num_proxy_nodes >= 1 && var.num_proxy_nodes <= 100 && floor(var.num_proxy_nodes) == var.num_proxy_nodes + error_message = "The number of Dedicated Proxy nodes to deploy in remote regions. Acceptable number ranges between 1-100." } } @@ -237,7 +258,7 @@ variable "secondary_regions_settings" { ) validation { - condition = alltrue([for region in var.secondary_regions_settings : can(regex("^([a-z]{2}-[a-z]{4,}-[\\d]{1})$", region.region))]) + condition = alltrue([for region in var.secondary_regions_settings : can(regex("^([a-z]{2}-[a-z]{4,}-[\\d]{1})$", region.agent_region))]) error_message = "Verify the regions in the secondary_regions_settings variable and ensure they are valid AWS regions in a valid format (e.g. us-east-1)." } validation { 
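Review bot: In the new `num_proxy_nodes` variable the `error_message` restates the description instead of telling the operator what was wrong with the value, and the `var.num_proxy_nodes == 1 ? true :` branch is redundant because the range check already admits 1. Suggest `condition = var.num_proxy_nodes >= 1 && var.num_proxy_nodes <= 100 && floor(var.num_proxy_nodes) == var.num_proxy_nodes` with `error_message = "num_proxy_nodes must be a whole number between 1 and 100."`. The `num_cpx_nodes` condition above has the same redundant `== 0 ? true :` branch.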
@@ -245,7 +266,7 @@ variable "secondary_regions_settings" { error_message = "Please verify that all of your Region's AMI IDs are in the correct format for AWS (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/finding-an-ami.html)." } validation { - condition = alltrue([for subnet in var.secondary_regions_settings : can(cidrhost(subnet.vpc_cidr, 0))]) + condition = alltrue([for subnet in var.secondary_regions_settings : can(cidrhost(subnet.agent_vpc_cidr, 0))]) error_message = "Verify the VPC subnet in your secondary_regions_settings. They must all be valid IPv4 CIDRs." } } diff --git a/aws/multi_region/webapps/README.md b/aws/multi_region/webapps/README.md index 2917317..5513f65 100644 --- a/aws/multi_region/webapps/README.md +++ b/aws/multi_region/webapps/README.md @@ -45,7 +45,7 @@ No modules. | [agent\_subnet\_id](#input\_agent\_subnet\_id) | Subnet ID created for agents | `string` | `""` | no | | [aws\_domain\_name](#input\_aws\_domain\_name) | The Route53 Zone used for the dns entries. This must already exist in the AWS account. (e.g dev.kasm.contoso.com). The deployment will be accessed via this zone name via https | `string` | n/a | yes | | [aws\_key\_pair](#input\_aws\_key\_pair) | The name of an aws keypair to use. | `string` | n/a | yes | -| [aws\_ssm\_iam\_role\_name](#input\_aws\_ssm\_iam\_role\_name) | The name of the SSM EC2 role to associate with Kasm VMs for SSH access | `string` | `""` | no | +| [aws\_ssm\_instance\_profile\_name](#input\_aws\_ssm\_instance\_profile\_name) | The name of the SSM EC2 Instance Profile to associate with Kasm VMs for SSH access | `string` | `""` | no | | [aws\_to\_kasm\_zone\_map](#input\_aws\_to\_kasm\_zone\_map) | AWS regions mapped to Kasm Deployment Zone names | `map(any)` |
{
"af-south-1": "Africa-(Cape-Town)",
"ap-east-1": "China-(Hong-Kong)",
"ap-northeast-1": "Japan-(Tokyo)",
"ap-northeast-2": "S-Korea-(Seoul)",
"ap-northeast-3": "Japan-(Osaka)",
"ap-south-1": "India-(Mumbai)",
"ap-south-2": "India-(Hyderbad)",
"ap-southeast-1": "Singapore",
"ap-southeast-2": "Austrailia-(Sydney)",
"ap-southeast-3": "Indonesia-(Jakarta)",
"ap-southeast-4": "Austrailia-(Melbourne)",
"ca-central-1": "Canada-(Montreal)",
"eu-central-1": "Switzerland-(Zurich)",
"eu-north-1": "Sweden-(Stockholm)",
"eu-south-1": "Italy-(Milan)",
"eu-south-2": "Spain-(Aragon)",
"eu-west-1": "Ireland-(Dublin)",
"eu-west-2": "UK-(London)",
"eu-west-3": "France-(Paris)",
"me-central-1": "United-Arab-Emirates",
"me-south-1": "Manama-(Bahrain)",
"sa-east-1": "Brazil-(Sao-Paulo)",
"us-east-1": "USA-(Virginia)",
"us-east-2": "USA-(Ohio)",
"us-west-1": "USA-(California)",
"us-west-2": "USA-(Oregon)"
}
| no | | [certificate\_arn](#input\_certificate\_arn) | The certificate ARN created in the primary region for use with all load balancers in the deployment. | `string` | n/a | yes | | [cpx\_hdd\_size\_gb](#input\_cpx\_hdd\_size\_gb) | The HDD size in GB to configure for the Kasm CPX instances | `number` | `0` | no | diff --git a/aws/multi_region/webapps/agent.tf b/aws/multi_region/webapps/agent.tf index 9e4ef22..8dfdc9b 100644 --- a/aws/multi_region/webapps/agent.tf +++ b/aws/multi_region/webapps/agent.tf @@ -7,7 +7,7 @@ resource "aws_instance" "agent" { subnet_id = var.agent_subnet_id key_name = var.aws_key_pair associate_public_ip_address = true - iam_instance_profile = var.aws_ssm_iam_role_name + iam_instance_profile = var.aws_ssm_instance_profile_name root_block_device { volume_size = var.agent_hdd_size_gb @@ -22,7 +22,14 @@ resource "aws_instance" "agent" { } ) + metadata_options { + http_endpoint = "enabled" + http_tokens = "required" + http_put_response_hop_limit = 1 + instance_metadata_tags = null + } + tags = { - Name = "${var.project_name}-${var.zone_name}-kasm-agent" + Name = "${var.project_name}-${var.zone_name}-kasm-agent-${count.index}" } } diff --git a/aws/multi_region/webapps/cpx.tf b/aws/multi_region/webapps/cpx.tf index 6393d07..0829519 100644 --- a/aws/multi_region/webapps/cpx.tf +++ b/aws/multi_region/webapps/cpx.tf @@ -6,7 +6,7 @@ resource "aws_instance" "cpx" { vpc_security_group_ids = [var.cpx_security_group_id] subnet_id = var.cpx_subnet_id key_name = var.aws_key_pair - iam_instance_profile = var.aws_ssm_iam_role_name + iam_instance_profile = var.aws_ssm_instance_profile_name root_block_device { volume_size = var.cpx_hdd_size_gb @@ -21,6 +21,13 @@ resource "aws_instance" "cpx" { } ) + metadata_options { + http_endpoint = "enabled" + http_tokens = "required" + http_put_response_hop_limit = 1 + instance_metadata_tags = null + } + tags = { Name = "${var.project_name}-${var.primary_aws_region}-kasm-cpx-${count.index}" } 
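Review bot: The `metadata_options` block added to agent.tf has no comment saying why IMDSv2 is enforced with a hop limit of 1, and that is the setting a later maintainer is most likely to loosen when something inside a container cannot reach the metadata service. A comment above the block would record the intent, e.g. `# IMDSv2 only; hop limit 1 keeps metadata tokens from reaching anything an extra network hop away (e.g. session containers) - do not raise without review`. `instance_metadata_tags = null` is the same as omitting the argument and could be dropped. The same block is added to cpx.tf and webapp.tf in this module and to the agent, db, cpx and webapp instances of the standard module.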
diff --git a/aws/multi_region/webapps/dependencies.tf b/aws/multi_region/webapps/dependencies.tf index ba0a1f0..db16943 100644 --- a/aws/multi_region/webapps/dependencies.tf +++ b/aws/multi_region/webapps/dependencies.tf @@ -1,3 +1,7 @@ +locals { + region_short_name_for_lb = join("", slice(split("-", var.faux_aws_region), 1, 3)) +} + data "aws_route53_zone" "this" { name = var.aws_domain_name private_zone = false diff --git a/aws/multi_region/webapps/elb.tf b/aws/multi_region/webapps/elb.tf index 8b454cc..7774dd9 100644 --- a/aws/multi_region/webapps/elb.tf +++ b/aws/multi_region/webapps/elb.tf @@ -1,5 +1,5 @@ resource "aws_lb" "this" { - name = "${var.project_name}-lb" + name = "${var.project_name}-${var.faux_aws_region}-lb" internal = false load_balancer_type = "application" security_groups = [var.load_balancer_security_group_id] @@ -40,7 +40,7 @@ resource "aws_lb_listener" "http" { } resource "aws_lb_target_group" "this" { - name = "${var.project_name}-target-group" + name = "${var.project_name}-${var.faux_aws_region}-tg" port = 443 protocol = "HTTPS" vpc_id = var.primary_vpc_id @@ -61,7 +61,7 @@ resource "aws_lb_target_group_attachment" "this" { resource "aws_route53_record" "alb" { zone_id = data.aws_route53_zone.this.zone_id - name = "${var.zone_name}-lb.${var.aws_domain_name}" + name = "${local.region_short_name_for_lb}-lb.${var.aws_domain_name}" type = "A" alias { @@ -75,7 +75,7 @@ resource "aws_route53_record" "latency" { zone_id = data.aws_route53_zone.this.zone_id name = var.aws_domain_name type = "A" - set_identifier = "${var.project_name}-${var.zone_name}-set-id" + set_identifier = "${var.project_name}-${local.region_short_name_for_lb}-set-id" alias { name = aws_lb.this.dns_name 
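Review bot: `region_short_name_for_lb` discards the first segment of the region, so regions that differ only in that segment collapse to the same value; `us-west-1` and `eu-west-1` both become `west1`. elb.tf now uses this local for the Route53 alias name, the latency record's `set_identifier` and the health-check FQDN, so two such regions in one deployment would claim the same records. Keeping every segment avoids the collision: `region_short_name_for_lb = replace(var.faux_aws_region, "-", "")`. `slice(..., 1, 3)` also errors when the value has fewer than three dash-separated parts; what `faux_aws_region` may contain is not visible in this hunk.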
@@ -89,7 +89,7 @@ resource "aws_route53_record" "latency" { } resource "aws_route53_health_check" "this" { - fqdn = "${var.zone_name}-lb.${var.aws_domain_name}" + fqdn = "${local.region_short_name_for_lb}-lb.${var.aws_domain_name}" port = 443 type = "HTTPS" resource_path = "/api/__healthcheck" @@ -97,6 +97,6 @@ resource "aws_route53_health_check" "this" { request_interval = "30" tags = { - Name = "hc-${var.zone_name}-lb.${var.aws_domain_name}" + Name = "hc-${local.region_short_name_for_lb}-lb.${var.aws_domain_name}" } } diff --git a/aws/multi_region/webapps/variables.tf b/aws/multi_region/webapps/variables.tf index 30d602a..7f8e150 100644 --- a/aws/multi_region/webapps/variables.tf +++ b/aws/multi_region/webapps/variables.tf @@ -172,8 +172,8 @@ variable "primary_vpc_id" { type = string } -variable "aws_ssm_iam_role_name" { - description = "The name of the SSM EC2 role to associate with Kasm VMs for SSH access" +variable "aws_ssm_instance_profile_name" { + description = "The name of the SSM EC2 Instance Profile to associate with Kasm VMs for SSH access" type = string default = "" } diff --git a/aws/multi_region/webapps/webapp.tf b/aws/multi_region/webapps/webapp.tf index ea4bd18..0375658 100644 --- a/aws/multi_region/webapps/webapp.tf +++ b/aws/multi_region/webapps/webapp.tf @@ -6,7 +6,7 @@ resource "aws_instance" "webapp" { vpc_security_group_ids = [var.webapp_security_group_id] subnet_id = var.webapp_subnet_ids[count.index] key_name = var.aws_key_pair - iam_instance_profile = var.aws_ssm_iam_role_name + iam_instance_profile = var.aws_ssm_instance_profile_name root_block_device { volume_size = var.webapp_hdd_size_gb @@ -23,7 +23,14 @@ resource "aws_instance" "webapp" { } ) + metadata_options { + http_endpoint = "enabled" + http_tokens = "required" + http_put_response_hop_limit = 1 + instance_metadata_tags = null + } + tags = { - Name = "${var.project_name}-${var.zone_name}-kasm-webapp" + Name = "${var.project_name}-${var.zone_name}-kasm-webapp-${count.index}" } } 
diff --git a/aws/standard/README.md b/aws/standard/README.md index a5352a7..9226994 100644 --- a/aws/standard/README.md +++ b/aws/standard/README.md @@ -79,6 +79,7 @@ No resources. | [aws\_region](#input\_aws\_region) | The AWS Region used for deployment | `string` | `"us-east-1"` | no | | [aws\_secret\_key](#input\_aws\_secret\_key) | The AWS secret key used for deployment | `string` | n/a | yes | | [aws\_ssm\_iam\_role\_name](#input\_aws\_ssm\_iam\_role\_name) | The name of the SSM EC2 role to associate with Kasm VMs for SSH access | `string` | `""` | no | +| [aws\_ssm\_instance\_profile\_name](#input\_aws\_ssm\_instance\_profile\_name) | The name of the SSM EC2 Instance Profile to associate with Kasm VMs for SSH access | `string` | `""` | no | | [cpx\_hdd\_size\_gb](#input\_cpx\_hdd\_size\_gb) | The HDD size in GB to configure for the Kasm cpx RDP instances | `number` | n/a | yes | | [cpx\_instance\_type](#input\_cpx\_instance\_type) | The instance type for the cpxamole RDP nodes | `string` | n/a | yes | | [create\_aws\_ssm\_iam\_role](#input\_create\_aws\_ssm\_iam\_role) | Create an AWS SSM IAM role to attach to VMs for SSH/console access to VMs. | `bool` | `false` | no | diff --git a/aws/standard/deployment.tf b/aws/standard/deployment.tf index 4ed6bab..2a8c189 100644 --- a/aws/standard/deployment.tf +++ b/aws/standard/deployment.tf 
@@ -1,15 +1,16 @@ module "standard" { - source = "./module" - aws_key_pair = var.aws_key_pair - aws_region = var.aws_region - aws_domain_name = var.aws_domain_name - project_name = var.project_name - num_agents = var.num_agents - num_webapps = var.num_webapps - num_cpx_nodes = var.num_cpx_nodes - vpc_subnet_cidr = var.vpc_subnet_cidr - create_aws_ssm_iam_role = var.create_aws_ssm_iam_role - aws_ssm_iam_role_name = var.aws_ssm_iam_role_name + source = "./module" + aws_key_pair = var.aws_key_pair + aws_region = var.aws_region + aws_domain_name = var.aws_domain_name + project_name = var.project_name + num_agents = var.num_agents + num_webapps = var.num_webapps + num_cpx_nodes = var.num_cpx_nodes + vpc_subnet_cidr = var.vpc_subnet_cidr + create_aws_ssm_iam_role = var.create_aws_ssm_iam_role + aws_ssm_iam_role_name = var.aws_ssm_iam_role_name + aws_ssm_instance_profile_name = var.aws_ssm_instance_profile_name ## Kasm Server settings webapp_instance_type = var.webapp_instance_type diff --git a/aws/standard/module/README.md b/aws/standard/module/README.md index db93ba4..b7b8a9a 100644 --- a/aws/standard/module/README.md +++ b/aws/standard/module/README.md 
@@ -56,7 +56,6 @@ No modules. | [aws_route_table_association.webapp](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table_association) | resource | | [aws_route_table_association.windows](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table_association) | resource | | [aws_s3_bucket.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource | -| [aws_s3_bucket_acl.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_acl) | resource | | [aws_s3_bucket_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource | | [aws_s3_bucket_public_access_block.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource | | [aws_s3_bucket_server_side_encryption_configuration.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource | 
@@ -68,9 +67,11 @@ No modules. | [aws_security_group.webapp](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | | [aws_security_group.windows](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | | [aws_security_group_rule.agent](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | +| [aws_security_group_rule.agent_egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | | [aws_security_group_rule.cpx](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | | [aws_security_group_rule.cpx_egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | | [aws_security_group_rule.db](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | +| [aws_security_group_rule.db_egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | | [aws_security_group_rule.private_lb_agent](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | | [aws_security_group_rule.private_lb_cpx](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | | [aws_security_group_rule.private_lb_egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | 
@@ -79,6 +80,7 @@ No modules. | [aws_security_group_rule.public_lb_ingress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | | [aws_security_group_rule.webapp_agent_ingress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | | [aws_security_group_rule.webapp_cpx](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | +| [aws_security_group_rule.webapp_egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | | [aws_security_group_rule.webapp_private_lb_ingress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | | [aws_security_group_rule.webapp_public_lb_ingress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | | [aws_security_group_rule.webapp_windows](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | @@ -93,6 +95,7 @@ No modules. | [aws_vpc.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc) | resource | | [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source | | [aws_elb_service_account.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/elb_service_account) | data source | +| [aws_iam_policy_document.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_route53_zone.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route53_zone) | data source | ## Inputs 
@@ -108,6 +111,7 @@ No modules. | [aws\_key\_pair](#input\_aws\_key\_pair) | The name of an aws keypair to use. | `string` | n/a | yes | | [aws\_region](#input\_aws\_region) | The AWS region for the deployment. (e.g us-east-1) | `string` | n/a | yes | | [aws\_ssm\_iam\_role\_name](#input\_aws\_ssm\_iam\_role\_name) | The name of the SSM EC2 role to associate with Kasm VMs for SSH access | `string` | `""` | no | +| [aws\_ssm\_instance\_profile\_name](#input\_aws\_ssm\_instance\_profile\_name) | The name of the SSM EC2 Instance Profile to associate with Kasm VMs for SSH access | `string` | `""` | no | | [cpx\_hdd\_size\_gb](#input\_cpx\_hdd\_size\_gb) | The HDD size for Kasm Guac RDP nodes | `number` | n/a | yes | | [cpx\_instance\_type](#input\_cpx\_instance\_type) | The instance type for the cpxamole RDP nodes | `string` | `"t3.medium"` | no | | [cpx\_security\_rules](#input\_cpx\_security\_rules) | A map of objects of security rules to apply to the Kasm Connection Proxy server |
map(object({
from_port = number
to_port = number
protocol = string
}))
|
{
"https": {
"from_port": 443,
"protocol": "tcp",
"to_port": 443
}
}
| no | @@ -116,7 +120,7 @@ No modules. | [db\_hdd\_size\_gb](#input\_db\_hdd\_size\_gb) | The HDD size for Kasm DB | `number` | n/a | yes | | [db\_instance\_type](#input\_db\_instance\_type) | The instance type for the Database | `string` | `"t3.small"` | no | | [db\_security\_rules](#input\_db\_security\_rules) | A map of objects of security rules to apply to the Kasm DB |
map(object({
from_port = number
to_port = number
protocol = string
}))
|
{
"postgres": {
"from_port": 5432,
"protocol": "tcp",
"to_port": 5432
},
"redis": {
"from_port": 6379,
"protocol": "tcp",
"to_port": 6379
}
}
| no | -| [default\_egress](#input\_default\_egress) | Default egress security rule for all security groups |
object({
from_port = number
to_port = number
protocol = string
cidr_subnets = list(string)
})
|
{
"cidr_subnets": [
"0.0.0.0/0"
],
"from_port": 0,
"protocol": "-1",
"to_port": 0
}
| no | +| [default\_egress](#input\_default\_egress) | Default egress security rule for all security groups |
map(object({
from_port = number
to_port = number
protocol = string
cidr_subnets = list(string)
}))
|
{
"all": {
"cidr_subnets": [
"0.0.0.0/0"
],
"from_port": 0,
"protocol": "-1",
"to_port": 0
}
}
| no | | [ec2\_ami](#input\_ec2\_ami) | The AMI used for the EC2 nodes. Recommended Ubuntu 20.04 LTS. | `string` | n/a | yes | | [kasm\_build](#input\_kasm\_build) | The URL for the Kasm Workspaces build | `string` | n/a | yes | | [kasm\_zone\_name](#input\_kasm\_zone\_name) | A name given to the kasm deployment Zone | `string` | `"default"` | no | diff --git a/aws/standard/module/agent.tf b/aws/standard/module/agent.tf index 13d4a65..045739b 100644 --- a/aws/standard/module/agent.tf +++ b/aws/standard/module/agent.tf @@ -22,6 +22,13 @@ resource "aws_instance" "agent" { } ) + metadata_options { + http_endpoint = "enabled" + http_tokens = "required" + http_put_response_hop_limit = 1 + instance_metadata_tags = null + } + tags = { Name = "${var.project_name}-${var.kasm_zone_name}-kasm-agent-${count.index}" } diff --git a/aws/standard/module/db.tf b/aws/standard/module/db.tf index bc9212d..5bc6f56 100644 --- a/aws/standard/module/db.tf +++ b/aws/standard/module/db.tf @@ -23,6 +23,13 @@ resource "aws_instance" "db" { } ) + metadata_options { + http_endpoint = "enabled" + http_tokens = "required" + http_put_response_hop_limit = 1 + instance_metadata_tags = null + } + tags = { Name = "${var.project_name}-kasm-db" } diff --git a/aws/standard/module/elb_logs_s3_bucket.tf b/aws/standard/module/elb_logs_s3_bucket.tf index b959e30..d0ad6a0 100644 --- a/aws/standard/module/elb_logs_s3_bucket.tf +++ b/aws/standard/module/elb_logs_s3_bucket.tf @@ -3,11 +3,6 @@ resource "aws_s3_bucket" "this" { force_destroy = true } -resource "aws_s3_bucket_acl" "this" { - bucket = aws_s3_bucket.this.id - acl = "private" -} - resource "aws_s3_bucket_policy" "this" { bucket = aws_s3_bucket.this.id diff --git a/aws/standard/module/guac_rdp.tf b/aws/standard/module/guac_rdp.tf index c4d89d4..d21f4ab 100644 --- a/aws/standard/module/guac_rdp.tf +++ b/aws/standard/module/guac_rdp.tf 
@@ -21,6 +21,13 @@ resource "aws_instance" "cpx" { } ) + metadata_options { + http_endpoint = "enabled" + http_tokens = "required" + http_put_response_hop_limit = 1 + instance_metadata_tags = null + } + tags = { Name = "${var.project_name}-${var.kasm_zone_name}-kasm-cpx-${count.index}" } diff --git a/aws/standard/module/public_alb.tf b/aws/standard/module/public_alb.tf index dc757dc..dc42854 100644 --- a/aws/standard/module/public_alb.tf +++ b/aws/standard/module/public_alb.tf @@ -77,10 +77,9 @@ resource "aws_lb_target_group_attachment" "public" { } resource "aws_route53_record" "public" { - zone_id = data.aws_route53_zone.this.zone_id - name = var.aws_domain_name - type = "A" - set_identifier = "${var.project_name}-${var.kasm_zone_name}-set-id" + zone_id = data.aws_route53_zone.this.zone_id + name = var.aws_domain_name + type = "A" alias { name = aws_lb.public.dns_name diff --git a/aws/standard/module/routes.tf b/aws/standard/module/routes.tf index 6116221..693b101 100644 --- a/aws/standard/module/routes.tf +++ b/aws/standard/module/routes.tf @@ -15,8 +15,8 @@ resource "aws_route_table" "nat" { vpc_id = aws_vpc.this.id route { - cidr_block = var.anywhere - gateway_id = aws_nat_gateway.this.id + cidr_block = var.anywhere + nat_gateway_id = aws_nat_gateway.this.id } tags = { diff --git a/aws/standard/module/security_group.tf b/aws/standard/module/security_group.tf index 47c0955..1076e98 100644 --- a/aws/standard/module/security_group.tf +++ b/aws/standard/module/security_group.tf 
@@ -20,12 +20,14 @@ resource "aws_security_group_rule" "public_lb_ingress" { } resource "aws_security_group_rule" "public_lb_egress" { + for_each = var.default_egress + security_group_id = aws_security_group.public_lb.id type = "egress" - from_port = var.default_egress.from_port - to_port = var.default_egress.to_port - protocol = var.default_egress.protocol - cidr_blocks = [var.anywhere] + from_port = each.value.from_port + to_port = each.value.to_port + protocol = each.value.protocol + cidr_blocks = each.value.cidr_subnets } resource "aws_security_group" "private_lb" { @@ -97,6 +99,17 @@ resource "aws_security_group_rule" "webapp_public_lb_ingress" { source_security_group_id = aws_security_group.public_lb.id } +resource "aws_security_group_rule" "webapp_egress" { + for_each = var.default_egress + + security_group_id = aws_security_group.webapp.id + type = "egress" + from_port = each.value.from_port + to_port = each.value.to_port + protocol = each.value.protocol + cidr_blocks = each.value.cidr_subnets +} + resource "aws_security_group" "agent" { name = "${var.project_name}-kasm-agent-access" description = "Allow access to agents" @@ -118,6 +131,17 @@ resource "aws_security_group_rule" "agent" { source_security_group_id = aws_security_group.webapp.id } +resource "aws_security_group_rule" "agent_egress" { + for_each = var.default_egress + + security_group_id = aws_security_group.agent.id + type = "egress" + from_port = each.value.from_port + to_port = each.value.to_port + protocol = each.value.protocol + cidr_blocks = each.value.cidr_subnets +} + resource "aws_security_group" "db" { name = "${var.project_name}-kasm-db-access" description = "Allow access to webapps" 
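Review bot: The new `webapp_egress` rule applies `var.default_egress` unchanged, and that variable defaults to all protocols to `0.0.0.0/0`; `agent_egress` and `db_egress` further down do the same. Because one map is shared by every security group, an operator cannot narrow outbound traffic for the database without also narrowing it for the agents. A per-role override falling back to the shared map would allow that, e.g. `for_each = var.db_egress != null ? var.db_egress : var.default_egress`, with `db_egress` declared as a nullable map of the same object type (a new variable, not part of this patch). At minimum the `default_egress` description should state that the default permits unrestricted outbound access.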
@@ -139,11 +163,23 @@ resource "aws_security_group_rule" "db" { source_security_group_id = aws_security_group.webapp.id } +resource "aws_security_group_rule" "db_egress" { + for_each = var.default_egress + + security_group_id = aws_security_group.db.id + type = "egress" + from_port = each.value.from_port + to_port = each.value.to_port + protocol = each.value.protocol + cidr_blocks = each.value.cidr_subnets +} + resource "aws_security_group" "cpx" { count = var.num_cpx_nodes > 0 ? 1 : 0 name = "${var.project_name}-kasm-cpx-access" description = "Allow access to cpx RDP nodes" + vpc_id = aws_vpc.this.id tags = { Name = "${var.project_name}-kasm-cpx-access" @@ -183,6 +219,17 @@ resource "aws_security_group_rule" "webapp_cpx" { source_security_group_id = one(aws_security_group.cpx[*].id) } +resource "aws_security_group_rule" "cpx_egress" { + for_each = var.num_cpx_nodes > 0 ? var.default_egress : {} + + security_group_id = one(aws_security_group.cpx[*].id) + type = "egress" + from_port = each.value.from_port + to_port = each.value.to_port + protocol = each.value.protocol + cidr_blocks = each.value.cidr_subnets +} + resource "aws_security_group" "windows" { count = var.num_cpx_nodes > 0 ? 1 : 0 
@@ -228,24 +275,13 @@ resource "aws_security_group_rule" "webapp_windows" { source_security_group_id = one(aws_security_group.windows[*].id) } -resource "aws_security_group_rule" "cpx_egress" { - count = var.num_cpx_nodes > 0 ? 1 : 0 - - security_group_id = one(aws_security_group.cpx[*].id) - type = "egress" - from_port = var.default_egress.from_port - to_port = var.default_egress.to_port - protocol = var.default_egress.protocol - cidr_blocks = [var.anywhere] -} - resource "aws_security_group_rule" "windows_egress" { - count = var.num_cpx_nodes > 0 ? 1 : 0 + for_each = var.num_cpx_nodes > 0 ? var.default_egress : {} security_group_id = one(aws_security_group.windows[*].id) type = "egress" - from_port = var.default_egress.from_port - to_port = var.default_egress.to_port - protocol = var.default_egress.protocol - cidr_blocks = [var.anywhere] + from_port = each.value.from_port + to_port = each.value.to_port + protocol = each.value.protocol + cidr_blocks = each.value.cidr_subnets } diff --git a/aws/standard/module/ssm.tf b/aws/standard/module/ssm.tf index 6858607..98b6dd3 100644 --- a/aws/standard/module/ssm.tf +++ b/aws/standard/module/ssm.tf @@ -1,17 +1,23 @@ +data "aws_iam_policy_document" "this" { + statement { + effect = "Allow" + + principals { + type = "Service" + identifiers = [ + "ec2.amazonaws.com" + ] + } + + actions = ["sts:AssumeRole"] + } +} + resource "aws_iam_role" "this" { count = var.create_aws_ssm_iam_role ? 1 : 0 - name = var.aws_ssm_iam_role_name != "" ? var.aws_ssm_iam_role_name : "Kasm_SSM_IAM_Instance_Role" - assume_role_policy = jsonencode({ - Version = "2012-10-17" - Statement = [{ - Action = "sts:AssumeRole" - Effect = "Allow" - Principal = { - Service = "ec2.amazonaws.com" - } - }] - }) + name = var.aws_ssm_iam_role_name != "" ? var.aws_ssm_iam_role_name : "Kasm_SSM_IAM_Instance_Role" + assume_role_policy = data.aws_iam_policy_document.this.json } resource "aws_iam_role_policy_attachment" "this" { 
@@ -24,6 +30,6 @@ resource "aws_iam_role_policy_attachment" "this" { resource "aws_iam_instance_profile" "this" { count = var.create_aws_ssm_iam_role ? 1 : 0 - name = "Kasm_SSM_Instance_Profile" + name = var.aws_ssm_instance_profile_name != "" ? var.aws_ssm_instance_profile_name : "Kasm_SSM_Instance_Profile" role = one(aws_iam_role.this[*].name) } diff --git a/aws/standard/module/userdata/agent_bootstrap.sh b/aws/standard/module/userdata/agent_bootstrap.sh index ca26186..9294b71 100644 --- a/aws/standard/module/userdata/agent_bootstrap.sh +++ b/aws/standard/module/userdata/agent_bootstrap.sh @@ -24,6 +24,6 @@ do done echo "WebApp is alive" -bash kasm_release/install.sh -S agent -e -p $PRIVATE_IP -m ${manager_address} -M ${manager_token} +bash kasm_release/install.sh -S agent -e -H -p $PRIVATE_IP -m ${manager_address} -M ${manager_token} echo "Done" diff --git a/aws/standard/module/userdata/cpx_bootstrap.sh b/aws/standard/module/userdata/cpx_bootstrap.sh index 5125904..51034c1 100644 --- a/aws/standard/module/userdata/cpx_bootstrap.sh +++ b/aws/standard/module/userdata/cpx_bootstrap.sh @@ -24,6 +24,6 @@ do done echo "WebApp is alive" -bash kasm_release/install.sh -S cpx -e -p $PRIVATE_IP -n ${manager_address} -k ${service_registration_token} +bash kasm_release/install.sh -S guac -e -H -p $PRIVATE_IP -n ${manager_address} -k ${service_registration_token} echo "Done" diff --git a/aws/standard/module/userdata/db_bootstrap.sh b/aws/standard/module/userdata/db_bootstrap.sh index f28ff02..96b3004 100644 --- a/aws/standard/module/userdata/db_bootstrap.sh +++ b/aws/standard/module/userdata/db_bootstrap.sh 
@@ -13,6 +13,6 @@ cd /tmp wget ${kasm_build_url} -O kasm_workspaces.tar.gz tar -xf kasm_workspaces.tar.gz -bash kasm_release/install.sh -S db -e -Q ${database_password} -R ${redis_password} -U ${user_password} -P ${admin_password} -M ${manager_token} -k ${service_registration_token} +bash kasm_release/install.sh -S db -e -H -Q ${database_password} -R ${redis_password} -U ${user_password} -P ${admin_password} -M ${manager_token} -k ${service_registration_token} echo "Done" diff --git a/aws/standard/module/userdata/webapp_bootstrap.sh b/aws/standard/module/userdata/webapp_bootstrap.sh index 5ee0d2f..e861646 100644 --- a/aws/standard/module/userdata/webapp_bootstrap.sh +++ b/aws/standard/module/userdata/webapp_bootstrap.sh @@ -29,6 +29,6 @@ done echo "Redis is alive" -bash kasm_release/install.sh -S app -e -z ${zone_name} -q "${db_ip}" -Q ${database_password} -R ${redis_password} +bash kasm_release/install.sh -S app -e -H -z ${zone_name} -q "${db_ip}" -Q ${database_password} -R ${redis_password} echo "Done" diff --git a/aws/standard/module/variables.tf b/aws/standard/module/variables.tf index f5a8088..7d63f38 100644 --- a/aws/standard/module/variables.tf +++ b/aws/standard/module/variables.tf @@ -119,6 +119,12 @@ variable "aws_ssm_iam_role_name" { default = "" } +variable "aws_ssm_instance_profile_name" { + description = "The name of the SSM EC2 Instance Profile to associate with Kasm VMs for SSH access" + type = string + default = "" +} + variable "database_password" { description = "The password for the database. No special characters" type = string 
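Review bot: The standard module's db_bootstrap.sh install line still expands `${database_password}`, `${redis_password}`, `${user_password}`, `${admin_password}` and both tokens unquoted, while this same patch quotes every such argument in the multi_region scripts. A value containing whitespace or a shell metacharacter would split or alter the command. Quote them here too, e.g. `-Q "${database_password}" -R "${redis_password}"`, and likewise in the standard agent, cpx and webapp scripts. If these placeholders are filled in by Terraform templating before the shell runs, quoting does not cover a value that itself contains a double quote, so a `validation` block on the password variables enforcing the documented "No special characters" rule would be the sturdier guard.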
@@ -311,17 +317,19 @@ variable "windows_security_rules" { variable "default_egress" { description = "Default egress security rule for all security groups" - type = object({ + type = map(object({ from_port = number to_port = number protocol = string cidr_subnets = list(string) - }) + })) default = { - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_subnets = ["0.0.0.0/0"] + all = { + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_subnets = ["0.0.0.0/0"] + } } } diff --git a/aws/standard/module/webapp.tf b/aws/standard/module/webapp.tf index 9b05b61..d29d35c 100644 --- a/aws/standard/module/webapp.tf +++ b/aws/standard/module/webapp.tf @@ -23,6 +23,13 @@ resource "aws_instance" "webapp" { } ) + metadata_options { + http_endpoint = "enabled" + http_tokens = "required" + http_put_response_hop_limit = 1 + instance_metadata_tags = null + } + tags = { Name = "${var.project_name}-${var.kasm_zone_name}-kasm-webapp-${count.index}" } diff --git a/aws/standard/terraform.tfvars b/aws/standard/terraform.tfvars index d284922..ab96c86 100644 --- a/aws/standard/terraform.tfvars +++ b/aws/standard/terraform.tfvars @@ -6,7 +6,7 @@ vpc_subnet_cidr = "10.0.0.0/16" ## Kasm deployment settings kasm_zone_name = "default" -project_name = "contoso" +project_name = "test" ## Number of each Kasm role to deploy num_agents = 2 @@ -17,8 +17,9 @@ num_cpx_nodes = 1 web_access_cidrs = ["0.0.0.0/0"] ## AWS SSM setup for console/SSH access to VMs behind NAT gateway -create_aws_ssm_iam_role = false -aws_ssm_iam_role_name = "" +create_aws_ssm_iam_role = true +aws_ssm_iam_role_name = "" +aws_ssm_instance_profile_name = "" ## Kasm Server settings ec2_ami_id = "" @@ -40,7 +41,6 @@ agent_hdd_size_gb = 150 cpx_instance_type = "t3.small" cpx_hdd_size_gb = 50 - ## Kasm passwords database_password = "changeme" redis_password = "changeme" diff --git a/aws/standard/variables.tf b/aws/standard/variables.tf index ca7601a..c923e38 100644 --- a/aws/standard/variables.tf +++ b/aws/standard/variables.tf 
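Review bot: Changing `default_egress` from a single object to `map(object({...}))` breaks any caller that overrides it with the old object shape, and the description still reads "Default egress security rule" in the singular. Update it to say the value is a map keyed by rule name, e.g. `description = "Map of egress rules (keyed by rule name) applied to all security groups; the default allows all outbound traffic"`. The default `all` entry keeps protocol `-1` to `0.0.0.0/0` for every group, which is worth stating so that operators who need restricted outbound access on a given tier know to override it.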
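Review bot: `instance_metadata_tags = null` in the new `metadata_options` block has the same effect as omitting the argument, so it reads like a setting but decides nothing; drop the line or set it explicitly, `instance_metadata_tags = "disabled"`. Requiring session tokens with a hop limit of 1 is a sound default. This hunk covers only `aws_instance.webapp`, whose body continues outside the hunk; if the agent, db and cpx instances do not get the same block elsewhere in the patch they keep the AMI or account default. Any bootstrap step that reads `$PRIVATE_IP` from the metadata service then has to request a token first (how that variable is set is not visible here).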
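Review bot: The sample values changed in terraform.tfvars look like a local test run that was committed: `project_name = "test"` replaces the placeholder and `create_aws_ssm_iam_role` flips to `true`, so anyone applying the file as shipped now creates an IAM role and instance profile in their account. If that is the intended default, say so above the setting, e.g. `## Set to false if the SSM role and instance profile already exist in this account`; otherwise restore `false`. The unchanged `"changeme"` passwords and `web_access_cidrs = ["0.0.0.0/0"]` in the context lines mean the file should not be applied without edits, which a header comment could state.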
@@ -311,6 +311,17 @@ variable "aws_ssm_iam_role_name" { } } +variable "aws_ssm_instance_profile_name" { + description = "The name of the SSM EC2 Instance Profile to associate with Kasm VMs for SSH access" + type = string + default = "" + + validation { + condition = var.aws_ssm_instance_profile_name == "" ? true : can(regex("[a-zA-Z0-9+=,.@-]{1,64}", var.aws_ssm_instance_profile_name)) + error_message = "The aws_ssm_instance_profile_name must be unique across the account and can only consisit of between 1 and 64 characters consisting of letters, numbers, underscores (_), plus (+), equals (=), comman (,), period (.), at symbol (@), or dash (-)." + } +} + ## Non-validated variables variable "kasm_build" { description = "The URL for the Kasm Workspaces build" From aa70a59794fa0c6cb04604554419df231199f902 Mon Sep 17 00:00:00 2001 From: Bryan Scarbrough Date: Wed, 14 Feb 2024 14:11:22 +0000 Subject: [PATCH 4/7] Added extra tflint checks --- .pre-commit-config.yaml | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 5439b01..0567e7c 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -40,6 +40,17 @@ repos: - id: terraform_fmt - id: terraform_tflint args: + - '--args=--only=terraform_deprecated_interpolation' + - '--args=--only=terraform_deprecated_index' + - '--args=--only=terraform_unused_declarations' + - '--args=--only=terraform_comment_syntax' + - '--args=--only=terraform_documented_outputs' + - '--args=--only=terraform_documented_variables' + - '--args=--only=terraform_typed_variables' + - '--args=--only=terraform_module_pinned_source' + - '--args=--only=terraform_required_version' + - '--args=--only=terraform_required_providers' + - '--args=--minimum-failure-severity=error' - --args=--fix - id: terraform_validate args: From 48137a4e15526d9e6b9caab70608dbaf0104f01a Mon Sep 17 00:00:00 2001 
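Review bot: The validation regex is unanchored, so `can(regex(...))` succeeds for any value that contains at least one allowed character, including names longer than 64 characters or names with spaces. The character class also omits `_`, although the error message lists underscores and the module's fallback name `Kasm_SSM_Instance_Profile` contains them. Anchor the pattern and add the underscore: `condition = var.aws_ssm_instance_profile_name == "" ? true : can(regex("^[a-zA-Z0-9_+=,.@-]{1,64}$", var.aws_ssm_instance_profile_name))`. The error message has typos ("consisit", "comman"), and the 64-character limit should be checked against IAM's documented limit for instance profile names, which I believe differs from the one for roles. The module-level copy of this variable in aws/standard/module/variables.tf has no validation at all.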
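Review bot: Each added `--only=<rule>` argument restricts tflint to the listed rules rather than adding to the default set, so this change, titled "Added extra tflint checks", would switch off every rule not named here, including rules from any provider ruleset. If the intent is to add checks, use `--enable-rule`, e.g. `- '--args=--enable-rule=terraform_unused_declarations'`, or move the rule list into a `.tflint.hcl` file. The new entries are quoted while the existing `- --args=--fix` is not; pick one form.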
From: Bryan Scarbrough Date: Thu, 15 Feb 2024 13:47:35 +0000 Subject: [PATCH 5/7] Updated AWS Standard diagram --- .../diagram/aws_multi_region.drawio | 68 ++++---- aws/standard/diagram/aws_multi_server.drawio | 154 +++++++++++++----- aws/standard/diagram/aws_multi_server.png | Bin 149914 -> 222719 bytes 3 files changed, 146 insertions(+), 76 deletions(-) diff --git a/aws/multi_region/diagram/aws_multi_region.drawio b/aws/multi_region/diagram/aws_multi_region.drawio index 084fa9f..73a4cac 100644 --- a/aws/multi_region/diagram/aws_multi_region.drawio +++ b/aws/multi_region/diagram/aws_multi_region.drawio @@ -1,6 +1,6 @@ - + @@ -14,13 +14,13 @@ - + - + - + @@ -59,7 +59,7 @@ - + @@ -97,11 +97,11 @@ - + - - + + @@ -109,24 +109,26 @@ - + - - + + + + - + - + - + @@ -143,50 +145,54 @@ - - + + - + - + - - + + - - + + + + - + - + - + - + - + - + - - + + + + - + diff --git a/aws/standard/diagram/aws_multi_server.drawio b/aws/standard/diagram/aws_multi_server.drawio index 18c3b13..76b2e3f 100644 --- a/aws/standard/diagram/aws_multi_server.drawio +++ b/aws/standard/diagram/aws_multi_server.drawio @@ -1,32 +1,32 @@ - + - + - + - + - + - + - - + + - + @@ -35,16 +35,21 @@ - + - + + + + + + - + @@ -61,57 +66,46 @@ - + - + - - - - - - - + - + - + - - - - - - + - - + + @@ -128,36 +122,106 @@ - - + + - - + + - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - + + + + + + + + + + + + + + + + + + + + + + + - + - + - + - - + + - - + + - + + + + + + + + + + + + + + + + + + 
diff --git a/aws/standard/diagram/aws_multi_server.png b/aws/standard/diagram/aws_multi_server.png index 6098881c8c3ce284c4e1fc5d7b0d81636813ad37..0f4fac24bf6080f19dda068794fbbea4c8e438b3 100644 GIT binary patch literal 222719 zcmeEv2_RM5_kW29>)`Ar=^^heXyGP!NM6cARM1h|${K+I&EO12w1Xx7 z965b$aIEfb?`A8gZRz4+=>naB>(IeV#RctTqmHq#v!4?2C9rLDCM;nGs#gb&Qn=62RD z7nZV(Ca2+Mj$u96vA*w7omw-t{fb(a7LI`xOEGmZY!qv?ietb?CTSqtC6o|`ni_3$v6hyeify605M?#|DqH`MNA4|?{ z0M{ou9d`uv0e6URn12lVAUy#=JQ5MYbx+y=U5@k^H$akxxgSHLf%<^E$K9UL{A2t8 z!8u5IjJun?t)ry^QCLMlBTz*PTQExs7<-Hh5CBJvBbWer8#f1gaD)JVdfM2!S!z3> z&7q0$1eylgtT2vl1a(0GEyN!a9z4`5PzX0PxE9nS)CX=REM1g5z?Gm0!JlJqk9Kmk zHN#C8)Z$`k?(X7h>tVUi(iN|ZP%Ds4C+N}+USO0PhuCMvu#y8IWHolE;&){CZk3;iS z1Stx14m|t$_yp8cSyD<#1X5G@Geui~9B#Ha9B{z$YvY1?B+fAn+r_(LcjXw5t=|hp@8sfXKoH08=&LRrz9%7sFu#tpIH$W0hW?fMF{42_5_^h5{)Zf zkbhhI|6FU2CWyr%Dz2a?Dk?GGt`i)cKi1>FY|@FBn1dpC8J(km1fl-RCLJL`FyRCR zlw4@hB@qOrB-KEKh!mmqS9B2WnZ%@Py4X6PaZblROKS*oMMVU`f9|e=mca5t7WTJZ z{s(&DL_g-=_QGB8QnH9zBE%$>uCb_dA{$93z9*g418XM!~*r4vPmbskRUkaINOkCT#=Mo2?J+CL{v#7hvRY4N!2$E6A8r3lg_CXMsBAs{6cC=j~ zI96Yrsj!EF1$iR%21on^NF(+Cp%KlCc%X6OMv8VZCr~Sk`|v+3U7}JFkh2R32<*j+ z5)gz$x)3lh&5v@JjrTYHGUJdCGg7hs#Xn7I5u9M%voF$XO1&zCf;`Eg8=B!~(uI$}g4 zMv6)BS)`aGEh$d4j=us+k_2cYksmxuI0u*{&K++R*INKHOh}ai&G`}-aPYs`46g6MeFSn2|lK@@>?6Jch*dNX;p5g=}1xQ0M zF>YuVYmf!RH4!EgdWiT2oa?$UE8=2lk9Gs;B$AVU%|~A7$Ls?UlchMoGLb!KH%muz zZ_@CKgq?&_6_C^SS5g^fXjkC#ii#*|X#cS_Ta@*jOKjrOh#>kSNnXP2=iIj6xrxPd zr1Ly=kSP3aZbDj2Tu~YF+kYT8Aufj$k%!cIfrbCE+yp)wIY0IyW-Q<|B{BRWiJKOS zO<;V2(BkjRO@M&T&C&$u3{oB!Fp*?eh(r4uJPbH;flv%|hmayT93+sxSi}Rj{Sx4d zE~Huhs}TQR19t+FlY%=SuJN<~@54J`G$an8rn{NFtvM;CYn9h_kB z1Y{0)F1QwaMGG#0MuNP5%o#1P2$FIHmI(g|sW&yxN-5+1fr|qUkKp#& z{fOJQsA?|ios;@-@SM)ka|xWf{ess<_^KvUhfIba(;e1@9QG_P|-z>=kSS*(aKeu1H{e>azg4>^yA^aV0 z&Q`PG>WBgNu&|O2-w0-vB<9Aq&3^lLEgY`ge$k4ezcb$aUM(C^^XIGYch!`jr6g(z zYbq%$!EL{!mV`_F5i0#wOW^L!`Vg~<^;<3fn@d!GTrClEttagN{~Kz$FopEndd{lk zT>FP(pnq4A|BqCX|G1jMMM?xGcae%Y*mC~u)|8OMBeAAxXjf 
zYzV#=5^!8BwD>zBE3v--j(<+3kx*sdBeHOLQC!B7m96EaEW`DL_(}fk+m@ zTKzM;AY746qQtPq{--QvB|^yW#jJ}^aQJZJcL)O94%i3%8#B(NzA04hf;%Qz0q}1S zct4CN;xK~1hyp7)i8uUD#UMoVA^{XdsGjssx3|Er+=1)hNHWojQt?ECIe&RJT=F%0 z!eWfs?**?;ur!n8>*q`N{M913nfSLC*8SISZ}G$WD>^SYLE=jY<}8vzh!MPoIUWI= zVEYx100FBYi3SsB1VuDR^?`~_*h84zpoVb5K1&PRg*3x&2LCsM4{ay&KW3L_P2Hc< zQUvNjTy)+FH8DxJ;a{=MFpoC7pmtWJe=mQ;k!b(^@<)h%`!4(S*W<{A%O8=jjUbV& z#g{+A2IiOS#=;T{IovumGyKhwcyx0N!lIR=a9R1h0!RYB@>h>H9@>(mg)znw@YEGU{?L}Uo4a(H>sY&qzkEhzd^ zzI$PjDv`q{lJ?N0aVyvfm8!FspF`r$t62U^{5;yl4Y0kqeGSd+(XOtbk{crQL9;So z`{7%5w17_{;x+a=0ie)@EwA@5srSAeur`E z@8PwPgwc>7){iA{7L_}^bpdPFh}oMzlRKgi;Wlj|$PH11{~#0e69S79mw5t0Dnhu? z&x+8joXtuRBl#*Wwd^L<~;2k@!6S9M?qv3KA(GZ1_MZ zi(fSLCH6b@^*i;oaF^Hr4^v;FQpE6=puUnYbxoqa#5@wz zl;6U)&NBMAmEQ9kp)1U9!(Cx+BXl&k1)o79tR5#`1R4ay&5%^K|E}!&pV}i9F4g(# z6bpfJC&8wF%(XxQ83iG^$Zy5`t(e4@8jx(}2E}7=MDRbytHV29&9|)IU9s|iR~nB% z!s)$PPJMw3@!Nv_PJsPSCcu7JQUC9X;}OV($uC0I+8n%RK~!X)qUHj{{ckCdpABUG z95M-!mIUx-AqRuRnfa$Gfog!_`Nzvs)T=GJ1MYdzNITDKoHr3 zv4(zW6Xu+R$(@76i{_r7Di}EL1PbAaY}I#iQu8QJq_UI*sGyi%QBUC9|LGl4NbA)g z7h!%y&w_fj`6WFNiMt4GC?;g)ZVuiR0zUl?xlFi0yik!Y-hl1npGzhoJs<(|?*vJe zmL?SVlZdLQln}hv9VsjDcdX|?h{1vVtVP$ibp-E?!b#NcJ%XY29sh@W1TP5J7TK2N zyN;qLEHwn#l9D2bCy8t=o+5|$+4?2ENeniai;C7Ck;dY`N#oz7@&5{G{A(%S~Ozak{jIC>UfB1vHeT(Uvj2o|Pt7Zi7Z7vI?)ChV^T0qflS8}z!<@5Eyu zawTq!_`QhsyC}W*zFu?n5rOxJzpH0pnYE;}6k)P{wy=w!vxJBYRvP@cVL|_UioV1N zt~rT`{mG&)z;WT1z#GD)cTl0%;#FTz5tji}83=s^I)J`Is8{@h0x#UD^OyR6M-T{s z`GN)hKe5H;pYQnjlQ<4na?QbUF`Voyl&>F?r60vRq$ELP3BraXyc_Pjcn2@8``Pme zf#sqr_kRW-;Y!{g668OhSrYVuw|5W`l9GV7w}v_1Av zVWW$kLlBflLBP3EXyDJOiy)9N>Pa*?<3^ogBNRnMgzK2KOd4U2XP(;=g z8rbZ6qoCbM@OSY`d?OOxIhUZp2q4t+sd3`wouq6d9Eie(=%-4M@F+JY(XSz=17bZD z{RK0$C|yl_IFJp2{Ro`TK~jnN3w!1-!UiLSz{}}O9MNtj)}Z3m6YN~Fpz;^D)iyLi z-(k&h@|y-v9s^-j&p#-aL_c@# z-t0u0VAfs0dA$%46J6r@7Wj`%&)?za{&gAq2gGTSh?-CfMzBv(;HB_5`vim0cQ}Ke zavm45o4cV`ygNd>Ma{2fS0RA^d}{LN&D7t%*a2*rj~o2Y8>$7a%y+WG^9>rj_5nXt zf5L>~l2G5ZTZnmFk0iWYlf-Tz3E?ZLe*)VwSWbS*KLLBd&7a?Y$Y|jd{x2G>|0E2U 
z!$`vEfjPkN%ddd=tA4&10U1c#e08)V+S<|qFa`h*bX~z~Q5NViv1&pG{V}R!*7CrJ@%K<` zgnJ|rN>~P=XE!IU^`q~Pn@iaK0ZWU&68^153*>t)sVXlb1O*15@PAJ6zmPOwA)z$^ zb5{@Gj)WkWj&!Af5cERDMb{ZfO5^*UyU+ka2>ka!`=5nzb4r*cTw%lAV1ZZJi(ZncKRWV-V6p?huG92>3+68{a{c z^qsn=c}hY&dA`*o4(Pkuv%r#mS25-#B1Dk{VvodXE>`gdx4}B_Q&tmxh4~^f@BWtr zUINr4LKp%o1o+Dus=kub*9PBL2m7qr3Tj)rfTsZt`Lt~vt-)@)por1Z8oUP!{NZWq zW&?f^s06&D#t#}ulhlg1yfof45Yri8c;C^I|BQ??k?w#*^pBBwF2)nLZzF7Y1(6dA z#FFsVslP$`z_tkZUI>s3OCyQ&iNnc1Ql||*@0Y|6F7BKoe)Ehv$-1@$I`zFJZ1XZe z&<%c9{iI>{6Mg^?@IhlBc>)Mg2>`43ssY^p6HEo^1NmFB`|wUEfAl~W)<%-NSk}_s z-qy+0k|Y-W!+ajVPEasNh+>H%3pp|%M`;eURR`k)K85ho)&cluv%eK>9jt+;W^Zc- z{vT})z1P*m!qx@gH^v22iYOB!8gqM$yM>Uehc);v{=qIXjdR=&yi_clumux>@9yuP zgoPy*v%%#&>HN2;m|!NIiN6IOBp1dBcKCnzF_17p z|1?a@+sIl9eku!u@?Ss+cqiWfuTcUo8~=AGvB>-C|EE#nd(Znn03`?xGYJ~}ITP?x z`HCN*eilp0{uMuvq)hQAN*{=11dhjm*at(%y3f+t-(j%vcsehZU&M`?SJ(zKd~;|d zJUlJb%%6?&2@*!EizOH$NeO8oX_9}0;v3i@#SdvgT^Vpq9K3$8luMG(^*=9QF#AL@ zY2QzXEy6|p^8)shf&!x3#4ql)f6*#y`daawomMq!0WVfQ6j@Q9~I7%<3iuIKy4Duh<4}W~3 zBYPttfP#XY-e>7IuGAKvl8~g9EYGatiBv%cF75hwf4tp?cXH>)@-r7|xnHPf4!kNF z-R@m}_Z5FJ#>275vncvecw}TGIXC_4rHlMfG5WJHaFr_VuLwFuweW|PjDhPJy`n7n z!kFHzfYd=$f8@UNC^IEqy?bQp;$EjLebqPB;kXCiF5j^VqM&31N#7z2jKa9FQ z;y2lSVYn|j>`mo*O!*oU-|%;LY1vVx;~!pKlsR%|a_VOBG}+ArX;+?5_H8F0MhU#V zk(OD?6}CNKYH~Ei=%dfa`)iIbUnTnd=7GBso$l`Mn=77NRYQ0UnYOvq3g)rWu!=01 zYR$(a6i(-N94!l?=NcNW;)t2?8+|0H-fHk1`{agh+E5*`;o?~K{i~``rAliK1g0b$ zT^F@Q_m=LO`~z;!4|radKS5n7vB#s;;L0xgGOS;T>IGw$6(e0W$2t6_5VeLyL!~Rd z-d#`G_iAtBbyzE5d2X4jsC9WSFOGsq7wA*U5=TVuVb=-;T+9^qfIaX4> z6CyV6+wc3lZF6lnF*EM*UiqkRUh!nldSjo#Tw6!3UP=z%$J=>}Y@cTy;4{kGO3ku0 zNYE&6qvwaVp7)y+P9~~^ZCK0V_rmhRYcOEd@k{D460bAz+e)2M{+;YS3-825S!|yXD zroVm+7tj~l6D>-SYxkViXmXk&TV_DGD0s%Na;bw>w# z)ZZuuLg)iT#ObDk4)OwnL4nhzbrSYAu{nAf`(KyQ?c8&{|L(^kyV&#W+dL92YR>T| zxSB~=*R#Doy%&&-T7WQ}mB%#kmh6>Ch&!K728=sv$|Dr43+M#svYmvrmXylvA+ z_O>c)uOz2GBND}IjE>&nBT+B&bwG!lUtSYy`Y@EW4E6JsiR{rtXX#)cDuu3 z9>d>RUQzM-PtpaV z_sAq`pGXB2wbl8ElIh#tqgK8nHN499=)3)ADFt5i?=0C;>nLN_oL<82*@h03K>19+ 
zQSbogJNs@p%`9;KhH8H>y>I5E%C;fHoIotM+WF4$4!^xM<`YA&m1(Y~T3iJ}m!zGd zu{1^_`$R{a%#oMdFR*chvPql8cLy`_zVWBr@F4AG(V;a)=atsAQjqt{=Veag zwS|c<97(bA+Hp#{B$MK!1tSjy9$mz6%go%iEO;VZJVh4r+_T-Acb%Bcu^7iYHP{{D zs^?jqhbz_`e@n;cw|-*E_uJ>^)fa>l=s(@izq#SrmdbOi;Z50_Q)Q!~AsA6Sd#pT& zs#L$RarZHS3&yW{70;%9G0JyT4>mBk=ao&*AQk{;c^d9NEE}w8Pxqn!Ei(dLgmz7+*-aWq==JTPjDxFnDJ4s5hH;{I{_LWxF zJ%~4bjmfsLv2oix*Odeb^f0};7a72>tl4S$2Klghc}HYCYf001bB57+-j9zjD_Bjf zh-594ql^h>isnYOu$^Lc5J#5=ifMd)8@AI?FX4qpsFue*F=;*DgKN8$8o6_BJG4r0 zB^G@fYgM)n)k!+Ox6x*1`Wv54s^*m&;rlYVm7VOz!+H#F+t6Q<#5k6(58*4>!@w1= zTiZJrpr)(^P=KJVeo-4N$qNFiv!-G&MQee&h|lzdWMfjr6m-_A*479yo>-0w!Jbdm zO=FR&DgIdWwa)Wn@l4UAWWKCZK!qR&w`$}rr1v)GH-RfUdQ|Uxd>AV%qlPto#p?1% zSGz;;RKPfrrXvJ9)Dckf{(_*9Rgw(riN))O=XccRr)#%J9AKYmCqTW8HQh{zq zV3^F8YN_4R==(SCjfAXtZ+SnufT3Z?_STC6XRbrfQqeqjusm4|ae3AWN1C&G#oMM! zshFql8W+0oKM!B4fBJcbku|5P6u;G1X)UX+hYtC#tfmv_*YCMta#Z@^1z}8*gpDMs z-8g(~ukoPWi(6M$*!6ziqw%uuuKMwM{#H4y<3~<vXzHAN|;o=0fqz^w;6ynQy{ZUv`a8 zjW(?3y%fH5KwIDBNN!E-%hJvn`>X`fodSq`)*svNUzZ>5k9F;i7HDslSaoo(ho0Ha z?wrbx{5&Edfv-o5H>Iosv-81iazq+^ccO0RWLLxl5S+)E2kz>8d+8T*lDV;b*XB@0 zY=~(fHP?oz2u4JJgoPpt*MXLVDMtN*Lhe&}Z>1iT_ntZuX~thAKc@ZCzwVlP%=wdy zlNO)08@1-jeEak?(!u;TW38n{fOzIUQ}kWwqfA1^Qe}so2F!1tnqi@Cj`hzh0OX9WI{sh12!u~S0;|1(t=Gh-7Dr8EgYkMQM^1XCfzr5=3 z(aMfhFPkN)!=7vVw&z%f^{cgolw}_)ZBi4yA33tEq?$#>&Z5*0`Q%i%jqk~WK7-;| z_HE7Bem3nFH~G(Ho9wwHRudG)=K7@dQdBsrTxfIN=FpVpg4h?Vb=BKmUK~t$B`qLF^#wAOP?GaKem#l zH`X*-gffJDZz|%Axn*4SOhL(WZ$OYn;xa1 z!6Los&Aau*Z_7nxWZLzPZ$$)Xt))p$VKg7)wIU~Dr$o_X6{~Nsmh9$kxRhxA5Xl8_ z*-Ebl$;c(Ow6{DgbWNN%N|NUFs>lsK0|?E;&cHz+QIZjI)QqtgJqBMkwUq`V^9w|h z0z#!6N^7{11$^V=P`7SV?(E%s(QFwz8a2{(uq2o_&KSkNXX+@hvZgJFQH!sv*>4gI zmbY5Ojh1|jyWMDl?Ns~%To5rvM^vtxUjODs=Qrgsp=&9GG)xWiwUU*i1%=#Lmj%W%Y^Um<9n za7BBUa~CkZEBTZkF9pDc87^nsd(meyJu7VZMOKn#br>1@VAZHjfnadBLi)}Gjv0#` z`EDb9<=TO!#b}NIET(N=lUebWJd8 z$)G9IhMIDXq|r)`Y>s`3NvkGfpIl2{AE)A{f#s(U4nq~!823T* z6-jk(LC~?Rwc@bmE^`j_PBV^P%nCo(>blTxf{1``;of2nFP}|0x@_&9sK2*t2ht;6 zrI{C9$Qq)!c`~J(pQxprZY1C17TdoX5qVyojC~6#&n=Rb 
zUAFf`{c7Hiv8K*Rk5+79%Yav6qt{UobtgO}Toh=MpeSJf+yHGrOMX{ax zR=>75Pb;riLDk$iQ%7}|a`lt&Zj10xA^ltZ51g;|12K|xH%l^CKXtag=;m?RO1Cln zbOUteTZ{OB)0hGj@7>s}nQ!AAJ?re6f+N&Xk+GdQ#y#fuR|KY=?P@?dGiV?J7;QQ- zB>hn=yy3>VS2B)7#7T@C_Co|5DZRm4oFB{j5*y+DGQy0O{h&Z2EfY6cF#S~9rDr+n zd)&73X=oXvchW?Xv76c+s6sh090g8IOxQqV2_G3siK#3-h;?jD-g6gC->-CowYsLt zdkq>Dww|UHxtXH9%Q|9;&t`H%bB)K7!hA*9jxnvqn5#BSf0zsUFhI?6G*nV9{+Z>L4tw>^;xfYjG2q?{Ml`By6>}; zlt&+5Pj>AV)Nl3ILdMVdIVgYSJmreO&WD*s-4-&9(tYWIIB{)7WHQ3mj0P$*E+YH(Hij>_MI;LY%R!)0XF@;}mq!mN9tHZKQftRjAB{i z%48m;N^cv>|HAIqkWnTvxhG;rf=>uf}xQK^D zDA;v~=%ZQR)dt_nrM7l(O*AcG*3Wcvy``9PF71GE^wr~)QCl=v`^CO;P*qni)7T&# zZNZ9S*VRap>d$BM^jm3QM$TJ5CCTd+OM`42wq`FRV^Ku}xLX-zl;^qbv*r#F>?$2{ z%R9p+<=<6a?;=zfQn8CMlhd$<`e_e&RMJx3H%tg$eVM{7>T&@B2C>^+&h1V)Bam+_ z-Su#T(%OzF*Y|AXA!1D1`yTHL8ag1i^4U{F^ykG}83q;1Xy_cw)3Fznlui$3*9~Gdeo~ z8QD6%5w*?o@r&*k{BFwW7D^k*8Mydp8~I1wmw0h}rA|JyH6>_@PtQpd!yQ6{HAp(n z#;3LV%Epo-B5c+g3B}vrt zbYz0o43eww)6kHS%(&Z==n3P9>mLin^nBui=-ov5PwuB|6s5Bp80qevk)R!;KwW1F zHQ0GF14*aMI^miV`v4nnJw};nkK7p|J(c`a-Dk+qLTqW3%*m(PsIkBT{#GjI)j@>9bO%eE2 zIDK1hgWCgs3(bw@CS4a*LYpNh?P%V3nFe#5&+7CMI@#o?yu~2tnlLY~8F|%~ZRQ{< z3#nl8$SBVaAM8CZJw5g%gnnvAXU?E-mT1VS@vN|sqthRT4=Nwg)HIi7vz{#ER?gaS z{y|lSaNEN!pK0m@;g^wq9s`&ibmvp;b59k2!;U4M*{p2wsjGh*AT5Mf1JZ&*AnlCY zCesrSDIa1PZBUw657Q)MT@B67-ghy~D@s208MwqOQKHE_)VS#uk8G^ia7PjC=8vx} z;u(cdt$Ka8{C4}cWNJY$i%Rhnq7ZG;kxqR_=>6<+fFP) zZEL$DPx-<{`6-fBKZ1XsljvTRXZi+-Ts2WUG%}_8uW;4r%4pO@dn)tZaa~VYmLUE5 z+C|e7%P4P9w#u)c%=8#W-F3Llw)A~dyg#Q}^@#|3)KYuK)`6XubJ;%00?&X6CFIXg z!GUt|-=Vrzb3;Xr#G9j#8b@#`Z#0Ns?o6~k?-0JH@zN|uB zc~VR}ZASieNB-X7DF$i=i}&l-mSpg@g);JK8C(hKjfoASXQC^(H1Ktu*-SM<^NEI4 zagwNNB$wai4A;o0`N z(|te~yZ!QG#gbt2fSEM67aavh0?bvE`3aUkaHf#SzfyS2d8FH*!TFpy?^;dG?0To+ zHC$2$5drlf%X41J4u{Dv8{D0Jx`AV6FlH)YlbS(dP>ppk|6Q{{=0;hx|5z4sx%TGH zQPcaVmp72n2+@;o3vaTPH1O~Fq8vH2VOnqBy}a_>YC%^Ymr+qp^BBn+Cn7EucQlXj zrO_6d1+srl;T1c(thHvE7r|MkvKInAuVa9aqhmExr=eY%+2*>hZ>E_tGtW7xcE=D+ 
ziq#v7Q;a;*&MS|7w0*<0vCrPcJurg1_HyT;?Yuqx_YudvpI*<)3!2D(sE`lvaMKq+p)yfX!*-98)FzTf-$R3oq3mi{28+^8fv{d}ns%ZYoR&oi1FZCfWFUb+9< z=qe?;XFdg`D(yuYd9Nf!P&3t3Ge}7w+b1QE0hRfF*&1!;^-XVqoPFhrQw&)<9h??w zEKVEwWZQ#t0(aZClo#2tCt0V^-0GD%(vgpG%8kiewOQF9Ai>Wfka?4-61}AoHY@L# z2;JB!nS3U)wMXlZR#B0swK)aT-(E_=GPW)AoXgdA;FoL{WjHO7cd*;`1(uAOoja7H zD14trIaTH{q$roB#d%#?E*8Gj5pPp=))n&WhfQ@eZy8~hsqV#^Dn`WhMmt=gs?O8g z`sM}OfFzds&BX5P(*2Wp+H}ncl)@un^xEe|)chMHwSqbg`o7-jmTgelh$z*V0U$k7 zCibmLI0WOSDXpxv{c?3#_2yb-!0a%k+3d9YdP&z4^#r@_?GZOGX}x_DBkHeLb4g`3 zF7HxX`n;aiKCY=#;P&u%@LL`(W>)%M0cA~_q}4qfYfE}B9eMU;@aihQcO%6E#dWnW zUCuKjN<+VKE0bG)xM~d8VY3*(!L;Pv+`ncsS?nj|l^4{EpC6r13v^@go{0Kb;bv>X^k!Tgm`Odc3a69>*g`!uXS>NIn%bJ<1nxSQ?d0s z6^=v;)5Uddt~bG&vKN|_Gn>6XCaSTa@Dh8U!@9Z)udl|o?03j@wIZijqH*b4hxA^` zz*bSdV@{>2)@SKgVNs^{(-kR$G$>v;b2uLc(88S=n{$7(w_z{yt-YI$r=4+ol2L9~ zaHDd?wz96l5c=EV`OOoV?Jpd-YCSlWMO*?kcF;wR9^mf1K3;Zm6%>p_CqJzmn=CpX zzNhfrySw)*^64x;Nvvuok?zYZ$h#BPBK zYeSU-(KVs4KY+O}f6>T>Pij9Dflw{W)I+{GL6$mmL%gBnvaA9E3vNw@`c|`C#MYoL2`!>(-IIkl*ZTCvOZ9c|kp|DN7b{L% zI%6&Ts`)5zcJHnkIhRh0R&jTVm(uW$w~R)5*vnShl- zyI#1Ut!b=cCR@#ws?Jj6lOY~HVz_|Zh78y~xlJ|uVktI?^@O7Hnbr-q+V3SL1R#)U zrRSPTh^E<=RKzqVNTx_w!dn^J;#7fp9KDK(tRSRf_v$!Xl!yL;+`2j;MFt>C>1hjq#WDy7@#_rU|-*p z{zR^_V0v~x4f3aqTz#f4S7Wyq+)`B8l#_2e)V3T&;g(mh@1exd12M-PrdKF=Uo>xF z){ixy?Acuv=2Nlul3MSj2={BB%Bj>?&2BGIV(w5_-9I%F=z-dpzHIQpt`!<1($ZJ8 zt@N>`MNBfR`yIG>9o#sTvoze67-C*t%uC{v-4r}%xy_3u;A7g3ehclbn<#H3pRN4% z)!6;&{eq-*e3qM)vyKc@89Q5aWN9ytqiioL>uo8XKq;YK4%9N8nDAioQ#nQ}bpnd} zJ3AlpBnT?sH9(IUGIJGB97DhN%_}(6plBUDcv%~BKlFJ=a8~`0DTn2^g3|Xs53W{- zrkRnSpqF8!VefTSQr^yWyg{&#Qk6-QkJ=?Yo7Tb|Ncmn=E!GPiNL9h}GUW9ard9p- za^ePju=^4-ym)B1%=xICe9<=B^*d_L?fE91ee{Th-VBzK%R=)V`u+eDi zTiSG|FMQr&*6}>>%dM_4@uE#7JIgx~Jn^t3pnO(3Ij1`6ElV;L>tt!_D$&bSRSJsV zfM3Mqt30uN`0SpSr{9t}RLMND7H2af&!0Lg&X|8sGpN%`%{sy8{X|T)g*8ncZTr=; za{eL3N=$uHRuPmDGp%A1Uvy-`m?moi8|ak0LbAK8xRob|rF$o;oFA(Kr5kAJ2xX=3 zi(WBJqbv=%^0RdR8v4WtIqP`FF4-FDrB_{RHSKsZN1RJbgVVdW8jQOz$A>SO=6ycu 
zbG{_XPUB7A=Esd!%;kAcl*%2h0o(`qh1ZX;sabjy;2wIEtdBDqQVYgDYeaX4*aDnk z_XNJb?Bh-7R=~;_(DFvbei}_*mbu?WzGlSh!?HMbfyR=aE8(TbnI#&i7*I{k>(@SE zV^k{2qqNE3zg243cN2H zKBpl#SZ5;=iqyMhME5@W@@S3qN%VA44QkItGd_oCTsY}n3H-OZ(`2i^7K%$~?b(b8 zJ=47O9MJWT=C3C9Xk}e%Q43|W&UjvXQUN<;Sye3_8qAc>N2_TutR8))WXd61k%jtH zUD#WS1Z}&iab~WI`JdM-o@BaEgKdqU%J0^UO$_Sw8?x6crvf1%m$E@ahIpPuo{~se z=nY{dkOtjI4YB3&$=4qOLL;2_LFy`vf+JYd2!*az0!xRnzj z%=^uaZEIDKw;?4)R5jpozbfbIEo5!Cln|1S(V4!E{rA2UZIIIWtXVX+Vj^L;#Y}zO z%`38UmoN36o#0@In|yUg9+&Uj$V9$bIWXYH2$r9$`SmG86Q4Mb5jiXB5wq>ducCY6 z(>yP$Zau9bSlS*DM6{S%2IGewbs z((P+&DqMs46b(+5FX#HGsrgn(0f^5;MpM>p3jQF=IGor! z7_%uqcSuu9dEJo6(=EC;F0MYjVOM|iZt?dG8S+f(6Fqc}g|Fj1;sqaMh&HcXvWX(4 zZpZFptr-P_CmZRCZqDSII{B>VXfGQ?sea&G9a2pdlGOI0d{m21)39|%Ta!zZGW3A% z?FK1e$-zv$)6ih%{>YYtu?4XnX5P9;Ho6^r%_~P)fKKAef$B;by=h zBYO}7M&|YO!=c={w~D)SMJ#Z{f-dWqEHbiAbuhAfww}5B7u>BZIj1t9=gJ?anJzN2 zAs&#?Z@+zazu+Pdk)8`M-DZ8dS&NLuD*}WNn3o4K7I}#NLG&Q0kNC93V3E=M?@Z}0 zPUB{gl$SH)cpM-~Xr~F8_04I6t%?sAAyFu;``}<9RURbj>8Tj)gDPATaENElM9m02 z+l|%KAEE}+crg36S}Q-I^y*2iTvC}Y)i~yA9!!s}$|U0gB^8Q+57JsJp!yF+(z6sh ziwmFGlvmp{qH%t>$TYX6D5=wMQOHoUwoX>=CIHqB#?* zgGBuG5Sbf++A&)VIdV@`1idtmFTEAo(7OCw&aR`Ixw&6|n&#pkpXl9$D3#DSz(;Z) ztK}fYqB2oB6$fNIi%Z|Xi2Rm-vd(}Xqf2@BgD+JwdrhzfDU5u(_;9F1l*bsLbWS<$ zI{BuIK;rC^9yZYX4+PN{K4ek2>c3-;_j`_YSVp6JaS|wyJ=Y4);BzDW?nB|k}PYs^EqwmVlUfM+2Vg7K(cF$FM z9b+u(>U@_4)uLsRJF`FL7utw?T~*%OU@l`G?L0Y}*v6&*=J9}T%XZVi>*k@c!+ehm zP!D$;X6DNzSKU_3dg@HW(bN06HYiNz+_+QO_jM*VELlJ@*)4%K^LoS<&e@5~)_@WL zMh1hUpcqL0+omLPAO> zmWsRi@{P1-)Em`a?xb*BTk|}Nnnl8AHM2>N@AFOs{?qM5Fx9i6$AS;3;#{ zSw{=SWBR@$kJjETQfJ{3RW+1;;8NkfOlx4|n$#V$9Qx&ad?Fe5$IZJi1{7Bh-!3cZ zug(5;KSAr$EuNl^D3iNQ_A3otYM$DNykE6>gLEjxnU4x_+278l95!^_NrBz5Q$wM# zHfE!cr~HjW$T0VDU+l}|`0_V-VaXp%gg5F(oAs>gsYQx}-t1UfUUB)^qcw@;?!DGi z-o-ba%*upDZ#*^A7gOkOzi{bZPxC$Y&nd+xW0h83ncDfj_MV|~{5nf#m)@hXFI}ma zzZ^Kuwn93)r+)lV?p4Ra)z+Wxl#72;Vx}kBLVp7uAk^nG(()!5H7x?aC@QY7P{DQ< z(yypk`MUbn8J>_5RgHXGHlth$HDSLEpHo(e)lY@knaJJuJ1AGrNs(pUr8Dr&o%Y5N 
zFJ6iJ6YMTg0**-=&L8|j^RB^bm5<8as_EgC+DYp?=n}AkH$xROL%6j%W8d*TPG_Oc zm0^^A^Y)3;!Paqwp)(u1H{7L8!yH-Zeds*WXvamp&uoEHp9PZZj>I`1>OiL#99nY2 z?4`#IzL@bHt-%y<7>)c4{^7Rzs#CF_3(mbZ?E;9%~Y*- zMq`3g#iz9RL^+efPEfCbZ+wUkfWQXvdnz%4h|=Vfo@zNcoXTuQ_nQ>CyQ-rYc_lu` z`&Wu*O%Ds#v8?1tF(YrVH{C4XH2&q{*FyKC7UtedqYN5@(m~vVUoV%`Je2lu`VAuhZy|N`Nxo4hYxRn*y472KEIkIOOymxIsOeS7@gvxo+CB?XG z7kRvvmd_{cYNIr^vCy~^tM(oV{t{s#XWVXl(Wsa9S6cA>Q4say4moL3WGh#IUASLzd*HH$pwvl708;D{a z&k5jKyJyVToLkweXr&^H>|twVCpF~{TdqFQaV&dllBg3lCM9N0;Z?s(TRvDmb!@ju zdVxox^VGM7nCiYdD#r|imN%QY?901rEJw^Omd+f&JXzvO)qP9gOY*0|3#PR($(rN& zy>;S79c*U`$h@;gYn?mMG18}*%S-sxoSoi@MjlC2yKz{%jnBu#nyIjBAhIF9Xp}MU zK9Xg{Rcc_Mf)vOotlrq#*>%EHB>&f?8=}!w=zEtuJe07a~;i&bY(Xl41mn=MNVP#yn0YfMOjPVjCLa$SJ)jcKDB@6_IO{up5oqJTV-Ytk%jq;A)a=V z39`eWueIA4t*3{#>vc?LN~a}#in|c)u+Cn%W28iIqrXhYr#4L{d&4S4*H{@}8iAWW zO>DOeN4`iHv`onj4ec#*4jk;3reD=d`%n|xg0c~-zC5MYo>N=tvaIXFe!Cldr zrqUT;fHW~deE#V{^xKERTQ~bMvVY}T`P_WQWRxASjdZGRm^0@j^VFj_xR%lG*^hm> zQ^vo{Ro~n@f2mcPlK(aFh?{DvqL_LS?d% z^OZXuX;3ScgsE&K9Cg16aJ&$dPfF`M<8jC zMce__(ia`psf2EmL6$~zHrbH6&(DE}`x+IID!&P;1_^YEa_=F(#i=}WOvUw>WxZEy z%e`%_lm=D@)edZ$HIHBfi(i<9Z^MU+IbL#X2lDuhZjOE0>~%r>&d0FRB5oh_w9{Ck zPA6G*cjX67b*m9y%hE$MY{ivRMhT~ne>on%^31Yzlw!0t zY*bBBrjK@r#suufR%6c=g>eIa!mQ?!RtpQrYWFgBWyX#PuG6^W;X6oc@Ac+%q>|Rqr1)vjQR&C>OvY3@V!~^&+6iuBy{0Pp1?NKpAZ;kMU^VHrEEH3#x0t|>+8;~h^ffHcHZ?3r7V?Om32;Ky$%?~wuQ_G1Ub*nH ziO+xOg{H~}E7B152S*AS40khd-I7-yCkBgw5y$du10(VthKNBvUf!{)+TLTe4osK# zP+V$~FLAXyaf_-uPMvIRF#Yz&BcC#_3jAZMa;vR>*vO~6BLyR@^^vyiq(z=AjaYxYcs=Zh591N$=8}65fJMiDg0Q}~S zr8;^DCD8YtXyli5TnNrD_ADXmtUZo(H{^>~Oz7Sf6}+>%g0tsRT5;_0D_5RfP{UR; zB?u76c5|FHB|O}dXY|ZI$cLh zSf;;yiT+WU^^~DkLqj^x_-61@tRSfur{V>Vvd?Y6n4N7Jlprbx3+e5Lvw zv+Au=IUbnv6+u&lZxC;KTpxROnWevUmok+BPuP_8718ZG>p=GMTDU{t!;Q+2TdY;4 ztd;`?b^5BjQ3IAX%c3S)Nm&y+G2P?p^fl;&LGgI1Il`+lI1V8q%Y-t8fcqh1AVMh&eh<(uh@&jCIzXv><~({y*6RGx3jah@pe z7kefeg3T%q(hbX1dc9rx(f#e@Iq!ROhKF@OH(uL6tTV~JGb+e|GVHjK0%sJT^1V;b z4^17h9*x{Gua|7&$cZ)Vx(KYuW4+VGQXJ73Z-kYoe^LvDcdQi z(Ma?vGFI+O)!Zz+Qlz&?ubMf5 
zt+0e?7uHl~*SK(R;@(l!f~&i|xl*@JzIPe53TLbK_i0GOhPpS1j2DkKpnMT_Nb0Uo zN|S^yqfgi`x|-NM-5?-p)>C<;Z~Q$qn~e9m70%9Hp8^iqnB{Bz{VYlUcX*=sVSj@|clB>g)N#&c- z-+Ol1w~8+G?zwSU1?SA^DJr5YxHAoP*|;hU;$fS$7L2) z-6yUszOF;IH?5eLg-A;tMbdfZXJWsq2v@9+d#{RhvT!(nW1!l(6CKvI=ic8Rj{s`* zZWBGUAR=kvfVP(v<|)kv^M&;#5vWsB4S&u$_(Ro@L^~=7oAJb_(e>mD9|f*w8z5uU_Mj)-2xsKhiyT2MVC%1(Z!#_^g5Qj8KfL8<<6z? zjK?@Dml%89I2&WM@&KqkQ!ZKH>CSz(JN;#wGGdkizZf4q9jG)&Gf3ZQGY5YeAuZXGv4JUuO8oiJKd-@G;yLyD^D|C$57k8(6x(m>RHYT z>h7B07cpb&@75LNi=V7lOBgr2IdcZ%D7DgEm3c|N)lh8s-TivXR^jw|ue-J&N;9L} z-MnY8C8&CDuC0;SgR%fzv)RRp=#9DF3r@g(pvZr$9lCEMH zPdCEu>Cv{aS7dc}i*xxa$Lpv<=xaSUlp5*B+7{g%cp6=hW6AB7df*||lFueFfsghc zuqlcu?mkvy_bNVl!nIrI_I16w^a*Y3MHl_kkq#W+X7-;*=H2`D#py%qoXy?BDpULN zxyvO*1B_O-Pg}>)Q}CH(eZU^-6Sa`IaiKaPpyxq$MBnqGLwqv%%6=G33Chy`A|p;!1_3-cP!} z4SW{o6G+=VcEy{z}Dy?)ER8P=D6Vz0VtGMKPdLwo)6Y}=*=ec5E3AKo*x zc=_di!I5&#I=_vEvgnsbhYF;J&NZ@Zzw#8d9^D_RP%!=e8HmB+yk0lxPK=Jtlm{7| ztXHXhsML7HjQ-Q)QTl7s0y1Y$eVj4sMtnI=Prc{4*p}1zcQ>z;(AzRPkic{3ir2I; z&zHHk(?(CewU?bYcvE6UCx|^Nma;7~mk4U|;&*_Y2 z_M9nTEgna$Q5xmx%ucxQI={Q^TDb4><@pxdeVo-}zc%k=b#Wh&ScUr5)-(JxLmjJW zs)DVq zb;opH(=$blsREnz@zW06Rvpi&fw|kZ@#7ldj5F7c^Q%NA?iS}w(M1nFWE5jqgIPdtZF4?8^)={w^PAh|_lhk+!p<}(O0AW#QFIKVAjGXSO z@0$zVeCH%nyp1U647JFFx!tm-03| z{ookfy^Str86RDolx1H0P*hag(UMP%w^y-lcV%?x#VXu?LLq_~UAm_zP3gw6t!obq z*L@Ul?kcy$Cy@P{6qNZY_sR+ zu9~%&_DIoG*8@z|aZ}eAJH*^Ru-uchyzk8+&@kZDJ@V2<^V(Tya6onglHs&wV;q9%R3L;EpaX8r`S>o<`bnFW{6>2^+SaaA-RA zUOrhdQ8m2%8ofV{wZUe($5&Qs7416M7FVI~W~H;FA@gG1Q4UAU!A9e;5}hJ?i=8rs zH~d>QQ)LK2&+5uDo%Xt_MN^c))cRMN#WH5uB(&mVy1F zPF4Kx$F9}nSwE%jbL&}~YH}x0x-J|<$qsKWZDpR(jJeUd={!jUw^{@Eob(zmw+LK< z9AO^23eyAJ%H@e#IghW@(Pq`jpSN`kXQihJd8hyf_!}e1#UyFD4|ESo02ynuq7Q3Q zS(aHv6R+XQt(?k19A?mx#KP>u{ue;ML+5f2wCJrW5E4@*zY*CkamG|nDV)CK%Jq9h z;(P$O^{eh)af^Enoqws~K=Z+1dLiVlz#F3tckWME55}K8-+oIKaXZ~u?209yD;y6j zr61x=T(-4|S8<~Vs-MtrdaCeU4cCD+Z5Xm7A-dp`+tmmWmJ}3x3wbOH`3jyv^0pc zNC=YBA)V6Q-O|!2(jnaq0@B^x-TiGm&-0!$&Nx3le>&j4?rZP0*P3gtxhD>u9!ZD# 
zoq`?z`PL$&N(e?4gavVm^-v(gXShS;KsQ4Xy!ggX+y}QzXB2z#NM7_mKR)*^UH7{D zT~Xjh*SpT2{px___3cB!+#MhFB-q8SniQZ}4!QV>{Gj+^!I`AiW)so9OMn}@Cm!wk zbREeU@3;DY_J9kT!)(D@{O};!*g$538yx!JPdFVE8+9TA6>7n>_75{-;g@(Kkz7xf*(9ieQC? z^G%}vSx5b+i9%t;XbQRDQ{qMYPvW%#UpgxPS4W^klydDq$7D$c3S69{IVBtjn>RKc zr)LMt?(1Lhwer2-i(=`IEbfV5*(EYSfYY7O{{`n@jpp9B6yq*uUwkLv&B!s$dU~Ew zwRX&;)(eXm0%nQvc-$ytc|$SipTcwm|7<_}3-HD|o`vMP-@#8OaFpB<(6F@Kb0CVN zr1&!VX9;-y{-`gK-BY0c&o5ZfJg?XFjdltLZOgAp6D)l2E<){!wKJ5UZK0;sz_x}; z41$Ov;t0(u4McG|5PzCfuf-^Jyq4@wZAK3Y3aZ*E>48^Eu#Ng>S!%pJHCWo-L+5RD z6*CvnL#V+Awn2aHgr-h^uFOyI8D5`KY^+!g<$QOnD`D}mqfD<`I(lVw)ym%IhE^+= zUF_j5smMU`Z} z`{K<-ZZAk$7Do-zS3CFR*WWnZyfRy;LQ!^T;v3(bwclemudCP$!{xJuzSx^L^o=Kc z_LX`~WPfLT=;3aH`m?X``uEBN0T*KX!`XluLhC$*CPGG|c|w?z%|ZM5Sg(J!!8hdZ zHn_2K+6#S{6ypV9F>KLFTha_WN6V=lnNKpH+u>KFrrr8&eX7>Q0Wl0;u^?Tpv2Lou zf$8DKMUq}JzOwn*=w^R=@x05(P#-O;w{C}vPqUEM-L;j*9QYrWA|d$Y?^ z^_Ct(9f5WPoH`?8cr`y=CKc@XY_H%KNKUXUnzwl{=~YPA>$SS2MHcv+tlUFvj(aED ztu!lg^Hht1uOE7bvv37&3>AK=Jl}j{87%rCUT;MKkq9SKx3-+iZU^%rmE$GDWMO;J zq*e;K3iMCY{|9*QrQ+nXN`_D_q^mdg8m{bH?jUpG}}4rlO3Ei#|mz9TT#@Xgcp z+17m$sgSs$mT--FX1zamm@MA9aMeC*k`m0QkHO=n!#}!F#Gt3k&3R=~c*3%}!^u3F z8uC8>B%df;44iklSediI&(Pfe3|8sT>S&2fp+FuXg~>QAKm6^(39lqJQ+S;8AWK>r zmlMXJ+Xa=g=Hxs)CeWsoB=XpxR+%k^7sqSpLdRZgR!c${uH5A1F*X?0L+jp{lFFve zMX{Fs#`=dn6Nd&W7n!c{6#0L(08dGfm(`0g{3|$tnRA}Qnr6hjpp*a zAb3h8YH5gVl^VQ>uMs6AA8HhOR~&a&$&45BV;D5>SE(OyxOK!s(?=igWt-D4 z2PTv50>TM>kOob?WSbxU1VVTn4qGi(X_hw*l<~V$<&aD#Ev3M z1TI=4wc{+_N9KwILonfMW(I8su!vY(`v~Uh&RL1ak_V?|lJ_fsNwiWA(H;=@|5zfV7Az-;g$goaHWLjn2^Cf>w2m?Ks!+34hb`uu>UwISOL1XL z0TJxuJ9eWUa%fHFH*Rf-4^_246%?jcmH9pkb|Ws)W>fF9YQJV>BxKJZ zWA{Jc%?up`7+2z^k%ifd2F4&fkY;qdVuq*DL7FkBADqEpoPt!y@T=}o3K z_B>B8^7+7MiTX<9TdZww%En6@K1`?oMDYRT6D*K-83;=m8mSz9QXu?NWB$Ec@|^QG3U2n!hfoPvyihg@ zZ+(m};I`tDJXA^JxtEhL>ZkQ!tf7qt?2W~j)Y7eWCOplYU3ZDs`qrhLF+3Rbk9`nUpthNO7-(<#jRs6l%OEN_vA5NS{18klGB-{q>n4 zXP)6sTl<^lYaL8RlTm!vH}s!?5e2n$ir1T6&ZUmt=se~6ILMd1+*U0VY3s$yw$UH)zZ7zbmZNMb|#4~*i0I!JDP5(q3yeb{;qG3U))|+jF;#h 
zlmCk(%cee!<(`2&_Hi+g_Bl!oq_d=r2z|+SwXQgYXm0s#q|Fb}+hd!m3FGV%!9#B} zuE=Qmmvu01ne#lX)OQ{tPTP7YYisK(i!l{;z6#WxiTo(~0xK;}+cjKUqsfVeVZHe- z=_|dq#VLm+(&FZFn_%4I!BEwy20Pw5y9Uf3GAUh=IuxNQatGUQi&#GkHi0mSu`s9ZZKwrG~^8wXCc& z3^$&B`S}}u)2=(5gfp{8dcOWUkL%+olac)&)vGUaBDOW9(%_4?Zfa$nQtdwh#*Mmr zI5ctxAx40!X0b_%ebF9uLW@i*oTCUU3croIdBHQ6>s%?57~+NBxW)}{i$UOdp4Z!e zE7R}9OOW+^!KuJy(f`FE3?lV2W6ileMicJbxBX26hc=zJ-Gy4cTku*ex>I>+L+LW+ zV?R~r_3NJMFpD*-MPrjozEGPJQD>yvEn51QQ5*U3<>-=toIuF?_wOCA_tB&%JKA#k z-aYr3WxqS@4ICr76bMeKw>Kop4dbN}oAS*5VD=I|02er_K<%Wd!r7UO10RxJwahBB z>F}IBW$opaFI-M1`u^vNY1QU3gIWpm5@|+oMh+HB`l(s9*1s+h#}^R*nv*fwo=JZ> z<~zm4wG`9nzc)`1beG;`QS2MBPYa zpa#!8um<^#wc|qiB|Q6*Xwd5HY6($x(}EH!HgzA`sHRGdE9eU3{Z5R=mZaDPen2+* zH9R2{9&N`jX`m*+QpXLf))G`O6pQkfe(XnK=M2Bl%(&rw8mT;04O`Iv`h>I7v&G;p z_nQG|SFMG~^cfSN2P0Npg|-nahT$T;00q2&-8x1h#;(owCh@^td2xeM)+Sx(M~@+K zp8+Sx`tKMHyA(b*>~KPUlT50;?9dK)ZUcMxo$p2zk(y~tA4%U5yQDKw%cgiOJ|t_S z2B5@%mdg4%XW!aB>jw8|XO_!(Pvv_bC}3(Of$DBlVhs_XSAMDR0yOIi$-n!bN_5Sf zV3{UAN==!Cj?2CcMw1a!_mUP?@OVVw#E4d?N~L{@6Gi9we6ir4D@Plp7icAGWN`rz zgre%|s6#AhlXfsjYuz&_Nme?$Ys#oM)L^5{)Q z%2XMVu>4r-ce~hKy(H(mB;-1i2?XktZ|>L7%g5zIkvmUk+t|CN;p}Eq?OIo;M8A z(lFeO?od66UiTl3jnm(;^y$ij1jlWCmP8nqn86LiI*$n@y&+eSS+3bwI0Mt=S}xmkQ)76bI^1h~+#p{aC`d zGgch6!^R5&-u?_6MvAW=he}5>srrsqTHgIcZaZZN#$*gdTX3dI&v3MWX}`B@yyh7z z)Erm0(TEUmJREqwAwYGB(PNPv;i6_xVqm`s`Zt9J*AVJZ8S;l~xp4U5MYT>`_5O%D4Y*8rMeeBnB z%zYG09?g4hGLdJXx!zlC(x1#fC?dsoIkHPP+1=f}+$(<2UcuB9caliNqWk+-BJNvb zM5PjqfX!5A-1WXV1PRB(1vkf?Yh^2N&aB?wB8{k5Xb;P~UUYI&d#@(a5P!p6{^o8{ zjX#Ywxfi!Ou`2{L{Bu)96H1Lj?*N#f&7+r{1+`^H3~LleGBnWm)c=9Q&qnOwa0yuU?TIuNK%yl6aKHl$Tae^$Ibf#a!XGRJ+q)b6;iq}hjo zM>81h?LAbZWj%K+uC;r?hDxJ-Be(WxesRiBVehou7X~H;C0*Zz++{!aVh;asu<%1= zihnr3sVjZn`y!qTK`Rt9{9~cJNdD_Gh2ldU_p-eN=_D3{tnLScY5{Z zTCOJ?R~zU#TjY`R{1*?Fqv?@?0YjX_#~$0Y-7H68m!&R)ny2Ge59_k>lq3pXNr z%7U-=gJPX;npH`ah}it=2UDtt3ejy8olnN_uJ(L5<%>kRgQfKviKbCZFAq;6-rAyR zy6nCneCy7K#bXg>v5alp?)qfCQ=|H_gTb;P>BLDa3i9fQ z@?t<_Bpc1wdj@|ZZs)PP+j~wpQUL+tEcY8M59x%^he1A*`Ur4E9@c}4R@6!_Msyc@ 
zV5rV=pqCh$c_P)mh_Yt1=h8D2^9MS450W=y0gSZEJL+qnG#y4h*HhneSj8JTFY56NU1mhH6THlwkSqUze8A-4-OGG{+DGEeMts|dq=}{2;c!|l!`x_iXc3) zU-@vh?kjl7ld`PbO}s9(Ty!TCaD~?3br8&gJEGhYHi?1t47hk9r&S z8<|Q>BxhP(&e(&69Gi$O74LZBHtqZUrI}VDtD*MzPG!xi2ftLd@3(6Bt4pV^d*nzYHgN>(#1- zI)F(?L4L3^KWgT2WwLc?Tnu<~Iw6fCCa=G6LgN1qPQ;q?K;NOARxn2Exn3Qg*&>Z3($8?V)oQy-KTZD*}YCj2DrS zp_{O@RgZv?i&)}FPNX9b1TfPrz_ZW1^1ZI_YpFVTL3;|fOrp%E9P~6i7+zpd@Sp)X zhzpD=d}IV)SPVspeesu3LM9&<{5Q^Xt33qJ(VkER)q#nF{pFM)bqh>ZC2*E|H%#E9 zudE(oFPV`*05Iu(qtLm-6Q}#~a~;PPD3Y*5#tH_spvfQD2$tl9P?Uex;WkjE`f&?N zsha?%Lad<@2#ujx_VO7A+cbD!?+1VG^Ph>~+*2ZA*7caPAU!JIJ=r*v{q=F3st2{D@PO+Fi&Wff}%C7SW2@XEVG0cjxyw7zzY3o}{la zwy_SmVCM~jdtTxIi0YdtJkpac<*ViRoXd{h{QlS1q<)bo)LugM5t8E1m3Zw1@ix+K z^2CJkM{;g={;WR+59exIR1K$zOMF;iXBh|F0LZdRlUB&udK&Q5?P1we#^OS3s0ZYI zo~B4YJxS*}LR$_V_Rk1+F-L#ONvZjGMm|p5|C5 zT8Ew}fisze4JUeGzYi6R6LA9T*L3rQaLEPVaH2NOEBv>7_$5kBD!YpU#|&tK=?OMt zB_FRSnB91+_A3Q_U^R^^XSP|Pg3Um2QAinsE^ffMT83Ntk>=UQ_%cNb9&9KeVU#hv z{Img{+_~1=P26{8@jn72*|>TX zhUMwX7cw3jep2RhPW&S5J04zD7I^pVi?6?UmrLW5iorEV@$h-J!DoX4NewvPAC)k? 
z;L)up(_!+o><=RZqZRepAy!;6Jor9YK|TX@{<;=mKrVe%_v*hjsDOF-t3eF{!}0B+ z2103HBAN0=(UJKgw}aZvNE%sUzJ8zcXX?(|Ie`%o-LlA3aOXKc(_t*iq3T;cth zO1Yo%RN`NxlDQy*0=KUK=J1`XwaNOr{u`IwD02A+B@`|z^u}SF+P6p6_u*Yj{j4Ev zhoBH<3@dz5ev&rP+c=i6f}4|ur-HAaXc#)(j0DhFJz?Z5be$lGoT)P+!u{im`k}269~yF!lkKzyUBw*y$oc7*iF7Xn%Ni zU-c)l!FBq$!l$p_0Y6|AS%GUx{5K~0v&A3c8ASmH#%#Z*GFGTMI(NB|WU0H_73R2K zIcc_;g(TWSzH}}@^l#lecLlDV|5Ff>C;1!!fM58ukf-5FnKf%MeijO_(DWKFP);%m z#A7qi2Bwl*Lm4j^YnGr^uSSQ7IV}h^U5`aE=@sBbgE3oyrLVTH*Tz6nmi1~EHNNMg z8!(_{v0UI=?PufB-km6NTn*!tig}mBVQ#hHw3&#A_4@Oe2=Cd!JOQu$o?xZPc&TnD zB1Py}fija~4%h*+C$r$KnaYCNgQZp<+K=haILxLzc@G;#V{A^=-p{!m-Wxf*BLI8L zL~ZG=S!Jf`dUxDSJ)$#R{srJS8e+GzVa$wW;6f)1sLzAuNB4$@4K>HrO0RU>Rvz`Q zy;QlOUN7Lj=OG8btS}g0y}tQzdr*%CUYPS7A!h2&KoX}91o!RT(Tjt|OU+SKL_svZ zqi2lGcVBHh(s_V+W_=ebuwUjx_9nu@s7z7DiZF)y_dJJhGiG&NKdB)Y|4~C|`SFqh zc>cFjwSam_{p`+kl=@nhE+2lVb^XE{nCOyl&RO|DD1hOc^6HiQ<-9{Wn|h^*Vt+FC zOJK9xfyC6HT}6C!>yJW!Pv)~CSZ}`{s$FI=&vVM1Mb~t-f+Ur~Gj4WiG?I-lQK;(U z>kDmrxG>MPc9$w6ka7+_Az{!R_|_@h)e!m45~o>5CeiH>_K3nxh1(ig=jGX+S zW)*eLc2t^fRYirNsc; zqx+Ky-m&-r`o#KUVa@eMl5|pULhlTsuv{mGl*O>q^q!Vf2FHWpzObszw`YOJJWQ^ANL4i z{{CrXbuYtAy?%3Oz87R#O|Axt9v6Glv_QoTA#seP^n(kA?~7;RoF(D0-!rN*9vXfC zF4|!>e`ueX-oj)dZ>gNVLSzW`mT^zvu?sD2*@6{Qx&vOKbXT>~-l$w?0ogD9Y(0xR zUGhO&*{@#YP$R54*8|yh%jM7q_jDDW;$vy?oXiPupCy2JWuQ?Gf$Q|H)ms-~w&jpU`g@E;b^2ASQQ&Zvc$UR{-9{ZS30*0! zKVY3@qZMOz_Wn}AXK|a}($WKOfuN%R4-+qFN62B8(AyWBxm1-1Y=E79hB%iOX_EK| z|D|c7Bfc3DfcttCxens(ZC z?|>8(WAf806$U<;d78m3Ph*8Dq*DyOCYA!W3u!JSY?h--UUE?qWB+OaqC*AJY1`On za8X(-NG+Q0FOZkzrF1%A(Vl$~f$zi*X2bjnj6hOfzO(k#MVp>;yPVIJ7WPL*P!XR9 zIA6lXI?2J!!t{g2J#KIQ9UBcw9#|$SG5rbQvqpG*DFD-*B}7222&8qN#5@2~YWY~y zPH-m8gL1w$5|a~tsInDS8*xF&D~TrFc82}>KY1xPYW zu}zESNo7)^@ihp1MpS;9a-SV0dExsi<@%t484x>)8y~;iA#f4WR6I2juutUgUzO2} zi{H*6nAX74{IWG4LNIDU;Tg&6ALGd{@_;Jxt+H37;-4r_>~w6^S}iwT{f*GNP`3S9)J}MDJ*%Wx;Sv^VxjXE|Czjzw5*j3KDVp5OPtP3?R? z(7rhmn|P;*XykW2yUo8nS^d~lzLErZ5Ilm?7n3Iv4Tvu_vY&vENL?!Z+ZRxY4btt! 
z?e@m|GBx?Fb}FTIjNiU_ihUVu?GbHfcJ94QTzMiEG6S{HO#)ssM4?RkWj3W~c$Zmw z)${^F$gRr3JBZe zr|j5l6CYg=)0NL`C61>+ZA_Z?c^O1=)O+T@#_rbve|b6fk=M)ui(;&Levz|6t^MQK zexb;Yel?Lr-QquGK#x;Z#SY;OXiqYz3-8!~v`?AH7aFv4BEboudClJ09RKRGJ@tiJ z46|1a^M0n$_qO{CHSqR4oMfq2i=-tgI$-ooz<)i9%dDyB4`^j#Z^yv{58LFP9;hAO zx~z@9$NHDy=9*HHceeoDW81*QvEV$oQq^BT|r=rY(`%Y=FK}C^mEa zXuo0b#l(77g=J@XN(c*^&!i7HS{~x4e(l)(N`^Uu1(tB5P{T>_MNN$sL@obhAJy%M z#C1IB#Sc#c-Jiu4PnIlUO2;2lfU!l-6dwEdU*6D97o4Q34*A+vWQe=DyoW3E`GD>5 zuR>RW;EmV*X>sAmjssYRntmGM_PQrC2-_RLKH|P{Fs>cD)j+@V`qN@~daJs^ucD@u z-gnIp1HF>j;USUw_4H2(<*&kY_SJ9F;HQq9T(47C5vW8n74<5l!48&9J6rzx9p2tm zgs&I>09XtEdf(RpuL<@C|5>;Sol@Moaiv9jTCooF)K_mh|7C?#S^X@6<(~vwV^(GI z=3p47+dE|$05)kaI&cNs;Mg3WN#lkZaf30i%_)RjK%DP_a2g9;DCjQ7iuIWCf@D7A zMK{{gvDU!{8x6qD@`Yroc1~<9968%8cDe0Z4@?qSuX0ysI8@XR7`j9pyo(>4UHy^z zQjS#F%k%u|>z^M}_S#6qCZ`H@UHD~71P#ZR&s@j$8IqmEeA4mlHkXOOC8p;ImBu_W zG^t|inToCLkR)Z36di8+o&D_0q)W>V8n%V@(S0q+%PKn;rL4oeS?1jCs~A%=ZZjGB z6$f)Aa)NTX_THAd`U|wlK@@fam;7b!Yb#v{nx@RPq0vHOZb*+Nc^ovEwzb2+pL%1 zRysm2G_6G2?&@{_Y<`$!%u~(ekfBNGvcYLw$um#XxNAue$W!^n>daY>gK&(HP^N>J zdbj@^`9OdWD_EglsgaFg_R=MF{&@JT`q;X}j7T8uoCTF|F#@5{Fh^al zPsc_c(rijWE|y&Z^WJSXkt{32@-1H#(@v@!Nj3WcxbqXS^e2knYG1WF-7V~cFu9mM zm3%jzor9M7KXdc4dh_BLn0PRiSvpa$Kn1154*r!G)6+PN4*K6*Vz)L`s~)ON+3_f* z9+765qOXbLJlT_4(|A3U zZBz@;3hCRmWm#0)PP2O{SLBEi!>EE?v}o#^<}4$)%qQAEdH1MgaZf;j;}LJss9I9) z*XJ{gT90}N?k80qO~DL)cP^T$MYfc7hY64+W-VwAr8HKoMX|uM$EqTk@yCvR99&Qo z)W_GVXg?Djoe&PD!Pl`z|d_1RD37w4j2V0>CH=>c4&?V9IpS5Lvza}|{yUcj^ z&2C3_ZD_aU#GE{&-*Tclsh^G-!qQ}h8R|oq7?wgFvM|~?wVTQy_=p7Z!SKwi-gp6; z5N$N|#x|zJKX`a#i9eaSL>;-?zV`(7jh5ZS@zKAld}Y*txE7XYLe?Regpsnf5--9W zDO#S(u~wH09p_7!Fl|Mq@vC}q7&*XoP^Wbrk9{QF?l}BtVFn$kL5ZB68gX@7Cm(u6@1YNLc8dha?S!A;!vYl072tNYa=LL{%l!?W%IKS4f zi7p18yr$A0wlp;kp*!F37C}Si9zhC2pi{oCI58 zzFKL{dj9C{77XdW)zK(O>G?*+z{#pRO6}?D>b6dTA{xkV^37Oc5)V&DqN39_mK-WH zG;*adn<51lFDjgxH#Xx0L2C?0SC@QLa zM>5?HJ#bStLr*Y~%N@QHj`3}SiupZR%lPt8nt!2T7(6^B#n`$BsS`GJD&G5g%4-5x 
z!kyHF(4)^mI^8$apWXxQT3EHR)!w2{DSL%TE9LZ<`Zb4cP6g-U`i{H&w@pNks}}lDPZ2 zwMUxh4P{E0N{X>R6u|5!VUjbD_K>Wa%Em`SQU-_NVdN!#N$k6#7_Iqc-XTARcPej= zz{A>nvRS`8Ws(i}8H5*RkXMyY8Gfbtj62bnvZk;pA5+GzS*+SPJDYPjM9gr_RPYP^ zgMCGxZ?B>Fvi4?0kgZke*N!aNORD!`N903exRsF?bfRL+vm7$B3(g)yG7Vfpr-PB^ z8o}hScp1mFrfXO=H?Xecf{B)9YhvyG@$k>Z#F%}C7@+pN3Y4!@H~G+)cC3!jd-HSO zKtaile#H5`Q0EAT-}sTw)HsrVhSFQG@|8t7tWU(5B!`f+zKFgQ<@^I_NLbf}eL$=n zygn~X@0x7YroAz9$zx1=z8T*NCfOyDL!wgF z>b774r0vW!vp%ERoac4%yCKa;Z$9l*9b6zLpYn?K21j+nw#@Ytvf;nV?mcuqJoL3# zzsVF!<%tO;ZH{i-^iAKYY^JEHbE zQQf|=&zpr=bj*jBAteKy8xt;{ezCimjSh*c@TLJX-zt>Zs`tc+1(uAusguF_GzZMA zLYI%WV1+|Nhxjj~GObBLyT6(s?n4AaL4j<)W1G*Fb|ji&-!F`-9N-fmp`-{0zr`w& zFgUB1$rD6LisbMWQEa3CAoBvv74hHA>l1srk2mG4hvK~ngZ`Za@AzW{-Z zj(RdF%t!WOh$YGuNoP32Rt>uMw=5zVMgDqm7^jzeU{Kh*62upBRLWucdX(abjLiaR zsn8gVNIpp^yi{Z}@jF5`%IZhFKCztGZNJ<6Elx>iC9A5YWqaZ6oM%<0awWvjzj~vy z^%W2NaEp?NkjZgL*L)CT_kbpol9(QU$op*i;Si*UA59=crDmxw1+&h_e-T zQY^bTbI0-tMaTG=HA;l?skirwW%@@2A-SZn^1L&j5N#4{d42O`d_$+^m$}r< zG;-4Ojd%jfv_B~-sX<9gxERcOR9(E)3C)_^yvXVkahsJ7UJ7krN0$Ih%`NTY?6>URJNn zmps=toO8bfT-1Q3E?uen9S|Rf-ml*fqQr(WQ_rIFV9OwJWVG20$@Hv5Ojn_Laza6p z&D4Z57qgk+gT`2(Xk&$!b_kA+Z4xZaq_Eq%G7-SS83_ey;9xz!Xu-nLq*f1rx3c51 zouYaf+XbH;!{$wCOzDJr6*F_alXV~d_B}b4`5UUzwNbbN22`kIY_rd{MX$Z6v-vB` zUsLx7e*ao-o~rK)X{9itRd;(K07>uX#Ae4TjPfD}(f%TZOHVF|-zw}2b(jaCIuYus zc$=p~l|ZP*6BZ(D0K-rWKkAB^m!OAKWT=DIK=NLgt%4L6z|EnF>S&o+T ze!OyEDJ%_d4onhb*%y6Z#$ilx>>n^m*cu;#LWgv5LybnM9E~YMqRme!DSSnCvWKlk zvk8iuo|C){xb8A$wJUrX^mJr{q(qz*eZWrd_R|n^rg6gF2!$53XE5E5m^L?H+rx^8 z^*6FV!Hc0X1dL**p8FPxI`hv+d@$0-LSljO;bLfe6SrO-n0JmVE9jCI2Qk-Yl6WF(ZuzAARY# zQEzFaeJ6;K$qi&gQ&J>ps!BS%b6h_JQ6P?>+7peMhTomb{^pSHg5@?b`jSW6#dLQqWo;%xxIb7c`CNxBGD z02Dbo1qAM#17P9}S3J^4TB^;MsPL>$_Z16kE0GJ-%={C7;`tNrhje*V3O3$_Vf3zi zj$p65eZa=nNb!?xeyb~biULrn^a(7={4H|xwMZO448S8INxRPEkWb9H6PT6yA|@w7SwhTbMkIyj3u32wQ=ezZs% zx@}c_`KJPYN4P=oLC+!)+t^1iSYKp8pkk@o1bG~27RXE*Z;3-|;h1!t1~;Z$kBQBS zURhoLY;KK&EZ9_QyB6@!MllpbE?02;ByAzC>E}a+d0vbfkP%9wv19y9-&a=?TQe~+ 
zFcjDM7biZJnLp1p{t!Ld+l9`|f{L=7fd`RKy_KmZS*W~8KP1GmsSo@6RFbX?u2XtNMcUhBH4@ zXquJIgDI7PK`FT={97&m(Hk!4*Yud8yYy7dW~*`y4<|1&qK1vsDkjqcBGQe* zUv0_PzfwwW2%kG(G*ZbYone{@S8V*OyH^z*6WX(v;PrcvEtA4qh=SSu_PvT~!m7=X z<*S_;%=OdFj||OgLwkhrg5Mx3uo1f( zt;UjhdlP{{iOMn2qpjy>ckgPocED!F=MnJR`5O55P0)t5akI9&92j8sM#0nvIJB%A zKJ?C9d)x=L?xMA~P9U|>xXg}1$20|wEli2f00?n_Wd3K`kb0+byLnzE6e@a@g+ zA1)vC_F_Oq)JFoi)*|BPiS3(zG2=rgC0ga!Gbz{($dhpaa2Y9EGmbKP!H zO8=TTwyz=maCT-gB%ksT1qg;tuUr%)YJUNFs)$7Mdw8!ke5m(+bsr zp23*chV7Fiw$#zj5Z;mnvVek@L?3LWknh9Q8MtjBsfRZ9e8|)&5TJ@f-8M28 z{6K_{B^mMFTyqT0jRAEy7H>--d_RHsN6tL??@)u0(^cwK-sZCvV71eas=@v<_WE2w6&}57fKUod9t57Wh za7dbUu7h?RA1M;VUWOVe3IB9+j6v3jKg@-O4T2&KIU{&SmztMUaJ>wK+`LW++cDg?j8 z|A$Q~=0KFF*s~c7BcYieG_x`T*oo$bo+&wvGLITtCwPUQI!7cDaGRc=hK(AXsBnH0 zB$fLE#VU>ad%^{eE>{4vGJ2c$um{{20_tppX!El#*cMuLpcXI!qEcun_+q7ilL zEc)#_XXYw+*X1?xtlnm$q?0mp9`CXs!KmLO?z4C(Jd`-=ioDHYRpyH5a`(BDqy(mO zTm3?Ts74%AH*1epZG1Uq`&ooKjqKAA4aZ+rw1j3w#=h@V^x1>g`a{Jn1$6DZJM?`A z8;Wp8%dsDRAA}3N*q}C5rmg3z{SqrwTY7UQ-EfcX8)`qnKI4tf>1##DY9!Fvx$ybH zervm)iJf)jNk$|N^)vkZah1ih#5_&jEL=4&T^NU-HhlnW1w;GKE3|%q+ ztjZ$axYq*wpVOdC!S+6!jPG~_Uf-Hkp-=JUJp&qO=ji|g5hP`Q0Ej8v6szKM%!w#K z(UDsMRxB^NnM~5)wQ%Rz!Xm<>yNgf|hG_4h5B`6de^N0#YMO^cI0m)-eyrf%NrsujZ2-DUnHq3Mz^>?7G%`nACzRU(4nWXLN3{HxJM-z&o( z0me)*&2>F++3INAYg{(mlTp|==a;sgP0?HEj)mNe{T|;}4+-X`A$8WjHuY!mG482F z0ihIbolZvr1DcA6w03fe&|aY_6?QUh3|Y-qn^*ct{yVxUdTdHzWRc{666p(V|M*0R z;Qn?@NbQAaBXJmDK|crm*X#6=IKh`Asnb>1FAYSbL8~Im+7`G3VaEi`L>m0Z4FaU^ zh!Z`65P-M6WRlDB28e6ASfjh%q5`aSOrg_4!Jaz#R{17?BAhV%N-kF#v z$PBp=;lI5P$N%ho8hQe4eUS)E@ImkevO|4dnSWY>$&WQWgf}BhjTcX(p-=Pxw%PW0 zFh)euQ|FKeh%y+*!kU8$gVohOV6=MCQ zV-!3&D1|Aw6Yo6ukDpjex)}S z6b0$xD!A+JpmB|Aww?cl-o88(X0WY>Sc0wtI&Vw8WiDs1v*G0(dDQyH-97Lu25m?B z!8)@-}=D|NJND4k9tFJZrD!ll*LHDUya=*#LR5% zqQP#Td}?M!yFZ&7{^6d0RTVimjKtqem5t#`M^{&-)OnYq<32QvTk%4T&s^=-Hi{75 zA2-{z7|H<@{CbqvWnf`XK2gHJbgGp83=hHa%7sNI+Xr+$Odt5mak{fr|Btb^42o;p zqJ={OqzT%1L(s3;dq>RV+jghy8#!{l+2Z#!d3sQCQ z+waBDzN0UCb^j%IXRmaXl*OPEtBPn;zCO;gTuisikBv*n{MC%0`vtD!vTx|18S2lA 
z4!OC`9h~%$JeJJZU2#8ZGNq!YOYS=&^3W>8^g1wYN;>O2XG7A@TR~+Ei9%mTrq$h1!RU9Or983K9ig=r>?L%(Z+ds_RRmxPFY?f89MS?TC!fgK?wa=|6i8Yxz=b`W46yih zh+=aE&`nI%BO_yFT2yP)tMq86Y?lbFupL6OvLM^6Z={LtJ&(lu!bLFs9?f$}&R7%9BRc@vRP@U4V?l+)&%GS0mB z_rop2mE`s1#T|Wr!Y($RhQ>JsANcC`c5!Hbe#n5!-o8p^R!)&(7}xH^x950e?1g6a z_3-f3oEBp7FXAtVz9&roYFY2kdmb4d59?{;HL<*+1)AJwZWwDPrb3Qok4T+@00SYM;nwhtUj>KuN52VS?es);bKZzo~ z=&Ijz?Ynsy1u~5sjHjRjEy7W}l>5~%H~P$<-;(oR<^_L%qLOz%yHdn2-(<|N=R&zh z)b>z32gIGy1<_2?CNPkseb7jqN$yv4R z+-DPrsi|q5b)V1q-U`x>g^S*-o<--aYlp-`3Oub_X zg5I&!n*YWnB8@7zmrL;{XtM{E9PDt$77I)^XG0p2Y7^`2${LG@1Q8aoaz=;?TFdk_{KR4gnR1XopV)Bhi zek~Ep@UWM3``IQY#-bN;QUfvm_w9JQ#_J&aV`Et#5b?q@9rqm6d0WZIP+ld=3E6wV zm3Mr&N{lIkT_wnI(Sg!ZnK=IF8H{l-@^g&N&)VRtLPgk=!vd0Eqwm+HrI)9Xa&Ao+ zq&g!d=>BJ9jNIF`66?WNW5ZSXuDF4ys6`4nM*@Lv&#P-T!4iyHv8}!jocHq$=-TP& zk$lhq=;)I_Sy=d;}i&?otN9|iDODYP0B0w#BUnN;xUJhRX%o3bxAMxBF~27$&UfAb9Rao zK05qDSF;>#YqpY-5lAb*zA`| zh-;Q9f2o7N^0|UwJq6MGgw;T-+Pz;k)3#ynegd_pL3X{6P3(KB6fiPVa*xU2zKTG@ zFN*5bw&#Es!R}%QG%l9%GmR?6TyQ$sjd4%(XGF3fUfVfYP`V1qSlIQKQoDM~Q{{6K z5yE9*IBb5R?{xjAmBDA1=d{uHvMurli)}AXPfx867b&>u;=exRcSy*~gO;VhxFq4I ztU~J(r-pTPiB1vnQL&Wc5N1MU=})=yHpp^c7yoARdgG(UW`>F_3yr}W2|s;M;8K|H z+~N4B!zKrasoxMxGi7KbgO`O{zR}=9>H`?boQ}W!taDp2zx{j0TSI|=8v|20VFZBf zE5x*gA?Hgh!~Kl67JFPWx(txhU#F(Mw^)T55`?JfY_i6-TeIdUWa-CRz0V(SJ4JG!j0{F7ns z?I6RW?Jwkaxd;$uR6vSH#ZZmw7gT7{_y1)y+^iR6;X%}tXj~h23C5edoOx36s=WdN zdcQyS8=T}f{pKk<5>%?n&!0-!PBNC&dkhGEo2N>_bo2WX)KG+WSiQzJH4Dqru7HTb zckSucnzeKn6oOH4ix=HcJ4;0po(eRO;$?6}|@lfbyczKu6%mnL-)AI?g0E8XmP>Wr~GWAP{56e?-kDmY+; zx|`rU<1K9_QAx{Gv#loMNz=`L+C%hu2i9;zwjw@~D*Q)EY~t>#NoCf5OI~T9J;bn| zNm75jrNw{u?{wc?)4e>je*`8CxSX*CCwZ7ciY!JYMh&sOMrP`Qnae|t>i-yP$W4)SWQ!4~U! 
z(>ai{UY!l6jDKh|Q1bk@5Cymb%UpmjMu6VdHGJO#At@w+Aq(*(<;E;WGpXCrV-|vc zFA4Tl-%87N>WaNU5m|C$%paV^8=N3DM@BLkWLY$jUmlG$gX~EEEPrtymz-VH(Wb5mIDq^X+Qm^Mo;py6u1mMfk>14+c7w6FuE2JfZ2y$u%;?Y;uVWckf996iZ!*TK@%#at`F9U207OT+27G^kPrZ^CtP+n} z_hVkdmn)ba2PogYJgD~e|JU<~ZYc|rL4l7^+<&RndV9c&%Ks@^*6`|>cPDt@o4(q( z=?I-3@BNw|n~H88kJQ&Wiq-+uyaAv{<1kJ10t^05ua+!&>b*DkGTQZc9nbAp{6)TC z<9LbWU_|cGc!PqpUa7>Mo-UUaF3D7->O-ghG1%ikRJqId_l0QLuwHE42`Do&v(RrI zmw2I8_)b)m2!LUI`sL5e_@%hI_k(T)-ZExXyq5k@{g!JPAQHU*_9qcN}dMu84XFLiE4YNcpN)^J5Y@tLXSFebVH6S#-YmNjuiNF6EQXa|zVB7ILmR94bw<{q86{SeuJ?7%u%S^GnXgbyW@ z?|2Sdhsf&onk<-&?2CGfrPfPPZ*n=++_1_lMrvy6dbcBUzngo!$sN{^jyzUVQ!`Gh z@7C8hp?l~!x6H^%NlClY&7y$&hU}u#JY&WUHwP$h0WMDnDN=+bLgG;OPMhY=&%H66AOP;Ujf2 zsJi`#?EMIlOn)S7b@Wlj@SzYD?aDC);!#t#4I9^ovqu}$L!khh?680jSFu&<%hx() zSA@xbgSe;A8bIJuqUtd?pCOL=Vxa`Xu1%MapNt81sot z?^}2GQ!~0z$+T#T)BB%Rq2XaAfupLItCKs3?D@Q8l!8vbo?R+`974i)LNcG9z-cNK z%O6Bl50*jt`lM}SC0RP6Ko>I~qvLWgh0;b4k_c`Yp(u7BovH~sAb*p($Yah0fgcOT zzRUQuKK<*-RJ9%w9tL`4z-rLy7m|zy{H6HnrR{7*Y-tt$`pj|! 
z&xXmwuH>cFq-yrN?jO@(@Q2GQbW1hzFoj0KaaO_)EQTH6&!X?FX#fw2)re7}E|cN0 zPDQSb#e{;By(R1rAI~Bo)_l>V`|3B%)M;b{1aUwMGX}!s{QVZVE$uf9qAfF}&|%MS z{Z?SgnU`;t3^C5eW$PJMFzGJdgvCV11RdPF_R2*tSRlS9qmahL;$YdHrAyi8*E;-q zZB*2d>F`cEe$<0gRYqUpiG)~w{#imebuT&ZAkT+iKz{!)Z`!5^eteve@e>?1P8m=5 zNz$1j@$lMy;g|3Ej+%7GYiMpSHvdfO`JrBZmc?<1Bady4{AOviKnyEMUEO-2OxVL- zH+|5m^J%ce;RC>YnK3$;H2vN!69j~Yh91)NxYFNidg!R8n71)c918#BfZDQIkq z9VfAf#Z8}l)L~Sk_ngoEK{<{qee>&LMYH)OuvIL)$vv3?badU#CaeVih-;36RdCIF z^ZGct8g+jefXmpfjAwr`nywmwzsRjlmEsiFj!K;0X({@fe#Z>2ehG!Tc@MmJb9>tC zV7Sk$Nmy^E*kqH1-Z#Zaao{5+d(h4te2k|ti@X?6r&x(iH6Q6u`g&akW-Wi7Xm*r7%v60^0iG&OycL}bOC$Jr_CR= zdM|Cz6UV8Znf^58bo2^TRE;eVqv#3<8_UHr7e-ZJ^FEvrWif0{qAS8kha(9Czcs5`rj-Og=mzTO$MQ2}{ z(2jEpHA>W7C~ef{TbXRae*>5`yu7h2HMX@;rcRVe0ArHH!esFpBt>Wi_A8j?{GptOgUZMnw412(x76*Vr)sQRdZ~DW97nR>};v^zNz$B0`>SsGY5C2k{d%E}5 z2tES{70Ieo*g$Xb(I#)}*)YWn;kH+s8}gZXdPG|zH5u~UGaaFK-*^4;kSd0wwp6L_I2vdi!Qyefa%|?q>eq z=&tl-y$Rb~`qzUQ+!{4fj!`{S4~K+}*{6aKs?GDKIb~?(y=mfr`vL(XI4%hs8@u)p zN-aZL?@)9hPYspl9MVI*V1l#CucZqy=>k{$J@3 z%kq_F_8vLXAn*mO?NnD~0A_iQLDYb2I**1x5(KfYoSg2GQ~g6wVy(YEJi>zf4zI3dHmp~W;@}f z20@YvvFm>cm^A@nq(?b3l_*GHpXnd$Iex9t78dmW0|FGh8_$eA9x(3lf^Gioc#DZe ztj!zrPgow6Pszz?d(QA?CC=0m@p$C3X6Mm+=Jz1Ue3}L($@QH(27A`kq>zq2U!8`rb+dE3S1jitao8ibWV%T-V?=c)MsLXYgG6lW9mR(?k z9$l2#vA4sNz;_!QrnjTzt?))Wcu+EUJ;RFO4^>QaYxFbB??;b1F_e&uAM|dPiRQg3 zQZSaSK3a3@4(xT{EslVidOlhh_Sves+5PXhH$e(6Mh3x z1o$vetnUWVIgjdX-n#_>5*afFGS%X_p<6(9f0@dYtIO-};v~^HzEd=liJ!Q+x)Uv9 z_LyWJ!91KqpvjF<5LTlHaMG27ifbJ z<$CrTLekyEpC?M(sqP!h3TEH>p987jL{jNX8y&y=RDzpBPNMy3+PNC+MBxK-xC46B z6nNBj;w{&|%#PpBrUJQ{lKV&SMKb=vz;~N)Ca*m%K|F8|84Qr_O_h32LpnYdWtN|O zFc4A?M^le^UoY-_OdiXZoyESmG-2IOZB7X^pi~WSa)2fPGzgNC8N+VPdv9$x_1r^6 zhid;+wKvQ!Jj_ZI-k5q4-)Bkv77ulI~=2obx{f!;QS( z-_(j%$O@I`;4NsgMqNxRjsMDFU+Dn?NdkoR8ZjPzN2=9-et~Ht6P6m?(!w8bdl{re zGvq5Z-)u(&41|Z%tL1;4pMRsce>OoYBJvV&0+5O!WVLSpIgkM5;lY=SfBCIYGUU}K z1Hr`Sj_ZLLC2o5YUf1W0>{sEhu110wmIR4Q4d{BIgvk~> z%t5A|BEU;R{-XBY`(a8oF`gIEU1PiE9B`Qq#O}J#Z{O&?IW*a#Jdj 
zMJveW_WLWmLPMm$yeu&hyxJ8wkj-oNs?J#QqYiNM7{D&~x85Oi(6?W_f&fDt)1Gil zH-k`Ph^P+_DmHnpBO-F~IrWx#C^D|Ijb8N!kGw?imVQOosGAEnppTrA4U{qm4%#(HK)Y#cI*DEP0S}v(^sna>Cz(xMI81Md4*CEuA#4UX&-)>>n zwO#LTTAaMaj(JG{Cc4GqTs5NH+%>+Qdxh^R8qYGvHln#NO=Oq$Jd)3k6FG+LQ2-m? z2t!2v8cI#mI(#!NHa!n7yP?{1e}4RjL#O_5tRy7u0j^-^D!RR67fL_J=b(0wodgCX zzdhqmF^Wn4jb3UfhUtD*vXGR7lX-8DzS>y8x<{g!09uwrF`@i}J54rvqb>m_1DD+~D!=<%$h+;~ptLlC&VajU zMvbzsJw1Rm4O}*h%K`@Zrd$O~zvL*?> zvlRM-O(90}YqGmL*i@olvr3!w{BSXY|H5W`?cyG^B!rViXc)C17e+Y4usQ*261)7u ziKBvs8T|P_OmNjuSe|4ucs8B-exU$G-_}DyYG%2=W8g1j9)}1#ylBn^*Hc@?ig=rt zf~gSG_KQvn^@*0Qc_@?ie+#sgek!SuOFJbbv_-y;81JKi2Opb}33a>-Xt6++G;Q*L z$P@;P6mzJ4hDKFL#AOOdb%;+!C0{&?3ZCQpK*nX!L`0Upo)d5SZGEVz0H|$@C%^I) z|E;WiCIwT@=81w~<_f+;eYpLN-C!{k{-)6q(DDE-441!ZyB{dvNkbpdxiiXy;$ zR+)D^+Z?2%kq>%`0#Nb5D)ep*W!Pwj3ULMFP|}cu8vOqAr}Qj=Oc*x6XZ-cOxxZ=- zU)+rM$r=)flWN-4E)dy~B2vOn#Mm@gTpVwNQSG9mIKTH(hLcIii`dw&yFvaRY;E_n z*$svM3k#^=P*HExvMJ%ueb{BTksutzOtQHZ_AAKGO9nHd*q2VNe6u3k2)Krx-xeUA zPcKv1*6Prr^8ovWZCI`Tm||MuCb;-dBo^rpEUMT>D=wfD$!%I5vf96vk_W`}60|MFMU!VXw`< zr$z;+6=QoG%t`(h#@Pryp9KsqSoGl-K!BFtfxCgA+}l$?dw+T9MPgI$f8(JD!{O>% zSRg?sWGQrrCSWe3fg(KOfJ9IvpG3VoQ$tD%aDg?7?_is)qUe~Ud>=Ny|C+6>Hy^~! 
z77yM`qC^H!(Ij6e^e>hw5oJe6ec#%?cV1ec7q``pH8rsaejQhRx+X(ouHO3xw_NiC zF4>n3-vC*a+kpCc#Y8|Z$K=#U5#l%$f92vU1(h2K!{1!szW?m9b3JAe$+3!(LxYH{ z8p83k$m-7pf4XDu>6Xsd+50th5E+B9-Qge0g0NR?D&sPzIQlsdO%ioYJ8Kqr4c%N) z-uhcMjr#Qipp!>l-Lxh7znW62`HfF(lh);*{Mmb`^@APMhT>aKjN|@FPdG%y*QCr{ zeE;VS2o zXwb#=ACvG$c5EDwf>gGIcBR8tu7nKm^^mtio?9GBlA= z_7qipoMvzJD1X~plo!h8fYtLbB4=Bzw!lyE^U0`bI>_r~Tu5V}1_dMSRrG!IY%}Z+ zmd6~Y7_s=u0Pt^2IMl_(EneoKnmcM*?0_a_&MeB`|5-gdJM>7DifYCBV5FCdTY35H z>z7QT;TO~6y5gcb|F+1Ik&%~GLwG7VrB<|Grylm_%kLgo8r9w2D(OGyY zhtV+HT^#)%*-eozE2a`Puy2lfXu?%`>g?a!RFOTkfx(u1t_ZdIt0n9WUZ%S_g$D)d zjH|w5)yI=6zE5oiB_x}eWY7^$e8^764dc~G1k>-5r2WaH)Ha3<{y%%8@BkmF5~xbL0}$^>Ms25Wny^~ftW}Jl|B{v<#Js2U|JWLOm$@U)v8gm z#|6V;FQK~0Dd>SLqQ>kgRgC=S&fjGPqzcTyA`|z-VWZ0o_dJXAb_1Pu zb-g(1?p?v$F6}UR+y9(Sd&4OXuew4PGwy^3v%xr~<2E9;j&&JJRjdk+>e8EQKK&HE z46cgc+GE8J{2ex58JBB+>3@MeU&tiA?B2K!^p??$fRv^4U0PEo043CCC_HvFi%oig znOgi(#X$G|#gQN2)qnw*Z{L~9p~w@Vv6mOj_AII3aPi`g361W0&BdS+gv^I$1 z^9or?K-l#|QTx|VKZCxskw#G*%TGy*uvDus*r*qUkr^~*{p{X;^~IYwD!$R+WZMNl zp6&G)DwQ`~iYpftQ;H&7!GK1&^B^6Vrm?#-Ey#mSMM2&xdoKDbALN?6v0@m0F+1Db zX2X{7&mhkt2a){{xLgV*Fh%x^JHr69FwH$~(2Ds5dB~o2&$EDj3qSSiMCGA)9V_GN z0`c8FQYU*=Rt2`J=tV>zbwhWP(3`qHYVX>|%A{4D5}J2`F_NXPP#V%k2S;6(n!Z7} zcQP1&>{|EjK!5%nt1$Z;hiURQE8ZqTB0CXmm=0L2pnL9(=RN3)upGh$ivEj;A~O02 z*mdH!$GT5G;&27O#LK3VM$H~Fxjx?m5YV(|pl|GuC|FU>(n}jqRW@&6Y4tM+@vTaMg*o z8D%CF`H%z_*|31)cptH=kFi|fR)=`h_Y(NFJE}D##a$J@Ux}Ze7 za6K>9gIEBeX?n?-kl%=7Hd~}p&U)xdH3>7Ks=o>&2++5`GA{RWExS+`1 zJf7Wq(sTnZ2#_Gn;-j|W+4}HQ`p-Sz6IKO)+y5y(SL<$o#hT%rJz~xjU`Ths< z6y297$T|V#C$Lg+V;FOZO%f7rTpRhTzNuvOp&z{hzu}~QKP(Dsi^{qFcdFuN{_1l- ztm_)?&uzGy09Dd0xb%ql1DeuG=6V?I0Ko6f{taKdCYLprIjgK18z!G#u=@H(luB_z zsyV$Q1rj|~7nBv2YfQPdND7Iwj*L>xuS=$BI%jbVQ_c@mC60=U9+*^G2i=q=uW?9f z|G9v?>dX>V{d65hPqg`&bt>(%#Ms_qw3AR9f#f4`z0{8BZD&J}uUuZ1o z>i`-sm>f6)%J8t;LWgsov3h>c-MVVr;^NySGkv;ByFXhE6UUM2PJB_`GT`$P2N<*( zoBWqZj8)z#x3T~KR#pOcwRkC#w)NLv@}6w%0l(FLp`JCDuk@Pajk$D1JfW^$%0xWl 
z8r`alKg|xzdz(e6TH$h{>gkOY1PiLJeO5tikuq>hffO*Lq*91d1Pa4)eJB_2QW^IL`vpsjVNzYhqWOS_BRDN%}wnH9LXrlaR7?8m+VW%eI;LpwU8!2B5Rhcwq&5@JT zsG-&E_DC$%&5+=xMG`6qPy}V7(+n2)K{L%lkhx6TnIK^7o9NCu=N~8$dLbtP)mBo# zMDPtyax(gv&nL2(ufyZd)B|R5e*fZ@a&mk<|Gq5y-L{(VZ@oK7LWgk8-bYny!K12G zfa(x4DK>GDk7{A_VrR}6FavR2f8Km3ZXV*_rwUv@uNSU082P~?f2q?@`1Tq1Ks6Iw zMfE}P?w+G|S`8Oo;{;%#M-H5BTY$7T>ItvMs&1^eF&8EglKNmI935^l+bl=?%aD|N zfqx332tYhZRkO-W#}`XM3>oYZBj&&Ka1<7@J`dqDUHpeuTw^OPE`HVN=j}6WQ6T1z zJTzXmp3bUY_ijfO#}F}|54e|?Y#{1$0ar*REjN36mW384wFH7gphXc?ZJHp}5MfUP zKgW7G24fwBceLFQ(SnlGFEqHvYw)XX0$?%~em62J6MQF-ooFI{=vw~JQ`M{=X+MIy z`q%y@=(epm51V5>*Wp&w6%ind9@y!5RSYLn zE|NeYJ;=Q#b0U|W@PT8M?RJQuuZYEU-+vx#LDh6PeE+eATaj?5=@l^hN~N38sw?Ao z5ZhY&V1rME3Xv3|l?&A4)d_qZ3@gPb3I^wwQMK1S9pBMm_^etUUSe{TjV=!V^LmSB z&mE7HelvF~p~cLVN{m`y-kktTBTZOq=G`IXY8lwg6~6Fme?fod=y{AD0LgWThRX0+ z`}#s?ATA~-k^amF-|K^x;9X9KX~Xx!2f2x6W#TJwKf>nfj7Kgiz2p)rC-o4WH_*!| z`;osW^>&PNz}Rq8hj5eK=sy^phd|>@f6RMpV4PeRIaf%z5Yh35n=n7iErar~_ipFX z_u7X^7*Km`9VE&}C4#)4O866=jn??AizpJDU1Wtl&g=X~mt#DQ2);Z0Ine65^+H9y za+D@DARquR1$-i^m}+-*d&MpKrKZfw?qD-834Y8hHq<6ZD$Rb}w3Qhi{}Ao@@ZAE( zFjCbsA!2R#y3kwzkGeQJ@}H#Y4?zN0yo!JZW;@DuI`L&W4RA~><((d1){EcNZO{bX zIN8NtZ5ZI~cH^IopfQhJ#^#JXqo7@M=Cq7FlH`^F!BcF z-l2Vmtk1Y$;t+)-E((K*Ai=xX3A|WC4cbP!Q-D^7=@l@~V$Ij|lxp4_7w!y9h~g=!acMu}DZEpa@(72p;;1)D7d zyY60S@D!+YOXC63kQ&m3@3XSLTFD;}g;!n|N9c6TpCSew_R$EB4-exiHOfu%uQY!Ckz&Ks|I=Du2^-x8lp48Tei+BGCT=et26&#_GbU)j2*CYkNw zEKc7G`{q?zEg?pTBq$tce4%V?@wk|Pnda9BYziD)+^5*s*uw?l6u`^+`(lVHSNNS) zWa3{6j$L|SzzHx)KA_q(x^5|cjA?Hd2ApW++<7-$Ep#~8j$fz}OKtq-5mNnuF={%a zyK?g^xU+YRW9lM>``fqamsQt+%3HUXDAbI3qe<6)0+>a2_g)H@`Lvh=YD?cENXG`oBOxsq>hdE5anZFM|98DX|>&4I%EUP>y=eSO>v2 zgEw@zUljB+Og249lJ%p z6Wpp#OK`Mtx>dIIC2Rb+*h_dRk>(-yV&rcocpj5Fd2ckICG^YRK3agFkb3;NcF6xV~ zBAIlX(F~&YVDifp+1vp1@rd10hOp-&&ju-qFd?VgKSf@ z!AjxoVQr_?#=ee>9Mf&S15*d%;F_kLtHNZ+UWUx=>YYAiq*NfbE&()CA;|4H8s!9uFVG;`AH0#I6752mepybk`>qqPuIP&o1V4j=A zf&(zMF7*d@Q}20(GEmCMehWU!B@hq1|FFmc_-V_&;}`M2#xGUMDBJ8US1U;Nw=y$J 
zK?DGctClZPL=&k@S91L&@PQn{WnQ?6HXfBo%a{ZPyq4tv>s#y1@YEOMS!o& z!XeJyIPmd-DH;r&=io;C&En$06B~4UZKJ#p$Mp$Dr#nCcWA{eJuN&&g7q z>u5;z-9>kx3^^11z%Dwdt&XI~^KTi0j$z=8`^~qHY`{L-_3c3(r{VIa-D2C6PDOP^ zBeNt3EzD4mp9BrP#o)4`vPG|*?#~&ES4e`AKIQ&0v|@(8#S`}FbHG%76h^}RO+{YH z4fP`8-KDz?YryJCUa0NV4=g;4xO7g{Lb1@k!m$Nj?%7ad6* z5m`XB?tI7t9=U*Des=#j;;!Zd$dYh$K5C*_jpmoCKLeCkZTLY!LDrLHm_Uq10B+}# zthk14Zr|!mdN?e;r^>8ilJG=2etR@DcTmGspQ%s}p(_DM1^V3F+_4rXqsz<7wTr{W z!A_{VR?H&@0Hsk3!NI0i%`IG1K=5HU(1!ZS71O*1)D?GtLHf_BN)2ac=fbvRhPcDX%hX*>6Ys7#ec4{~(nK8z`MK`U4*+2E=VUG8BI_Tm@E^^P(`0 zEY>qS(kWj{d3f`h&u$4iH!%s(KqJX%l4upIv&f@Ou~?Ues0;{4yb%+Rn7!Fmj%h}h z+_&x@ct(8SrxKz$Sytcd{0#Qv5G~la)BKH4^H7Sn*rU&el)cx+1F?Z$mA1?&+{wQY z%~EcTyd80hR}lWy25U3^X-_-IZ2O2wIz^hx&`<#n+3SUzq18Y{Wa`{s5%k+r7aJv+ zPJiU-YfFz2gy=Crv(=C?;K8GGn2Q(`+cyYyzq1aU{IOGMG`X)?c$7fqF~xf&z0rW%W)%WuJPdaQkVniF_sr<|Yl8 zfb!;Gy2x3oF;|n{zP*CUf3A2n`8ME#LwB)s&mW{J*RKyQ$nmvwi&DyC6&cJ8M0MY? zi;g!{bzdCXHMzrnc(f@=4WS5EPAd$qU*2sIiisH@quUX+ZaOm2(<*MkEU8^e0s$l|S(~p8im<1=+HQRh?{Yh5Z)EmQ!Tjbt4 zwdz2(6vdu%&Di432=`n*R2P2}@VDp=BW@iuYT2uQLDqqxRx|?K`9fLGrb>W|1m5dxn5nem zvsc^)_?@?gQE3OWt2jfz!gl3*M1mTa0)qN3|sA3_IIxTjuB)Iij;yKw4UJ{ z5;@2LQ|I;YT9NrQHYJ~!*fCm<*C`eZ2giUlwoS0gYmlUrJcU#%KsGUI$+I6_q5-qP z+HJ$b;U|f@2l;=pw5wKs5QH($o0+sc$y1v>`SJN=x7#Uq@iyhVBfl6kBHM0pQ?2qs zHZn5%(7^3ef)piyT8yWTQ3~)z^gJv$%Y=O?#~rT8T}y69%XOWamRIb3xQ>k^P!Yf! 
z{9+)iI|J#ibhJ&Q=J%9c8lWfHN|Z_G>tVC0E|AG-&ONO-&&2g{C52EBt)9 z?|W-rPv~;3W*%y1CI~t8E}^yxmFh`dxuoklG6;ME!=xNbQ@;vU=F!28cCJHqJz_JB zldH25FS`#H+X5)&h)e$Cl;qs_q^F`UEfy%!iKCtDiMe~5QiYxtCxV&PRwTNbpK~;L zs|@d*w~TNCvWO9?=^P1Z@3rJzP(zq(b7BoC%^L=VONC;wsWkLOG>GI1P1(Wszi%_~ zR>ft0e(fG@dfSMUmDEwloBkJFe(KYoifW#{(vMZmb|Y4yD1C+2%@_=`2+lX+i)H>Y znsWt*M9;Lhx);mW1-@)Br~MQaLC@vVH$FV^tVAuJvEPZ-JM4o(FGJb)hjcaG3E(@; zXt{H@xP~fy>UaMBM!XNj;UMOBq!35;WFiP+vY$^eE=T|FW9_G8mE&iTLPAk^5Xptb zbHOKg^fvTKTg`P!eS_Nk5w5R`39B14(^(k7E+p_+ao205|8r8)Fs4!bw> z4T|8?)Xj2J_D(Kprgfjrz5uVTRs!l3kwUPELM`*XYGud1`y#5piAF&Z_~T#bKXy1Q zA3CUDfE-?|L(wKMG`7xdC`|3w%`4v>(?Eqo{?+7JudYaYbsw6Fjtw!Wc$6V&>En`k ziH4v&{7rV0257tjFt8-UR?5|E(v-BwGE`8@BjE&>MKx3H0T}Ue@XNc>MPLSQd81Oz zCj9&>?Pmc5U&e>9MBL3et>oICdBIcdaP-B%wQj7d3v?}d*q`I5=Vu`@uMCzclUqN}aR%eQ-2SxfPO#qLG#*=99fdSK6omQ_SR78yMz{A$ zZ0rI%_8>g&AsOdENBiIdTtPI+cjM0?CR>dlOYbUcZPf%`z>Ab5*S@PtnhISdfI6iz zOtiXjI@Eo}HW^9_tcaArn>yODC`T1Ur;nPSUhO>(CY$fZZ+7pnzcGF|;FI^W=hJbqB4SM;9o99g}|r%cv!q zsVm^Bz8-P9iT}MASka{3E05@6(q?_O5IY!daksM87)awDPe;KJNgDCY#qzf&ffZV& zcLR<#W)xy$X=Lu8LveuUuX0vtJ_5dh5nMKra$t}Z0 zeY?qobE7?%rBQR_Y$t-RUSNdwf%-{1@?!d(7yae^t6k}X1$fbY6rWg>n;_soU8D6M z7g56$r@~kH2?b{I?E5sLg35v+5&$7Yt(;OBg=UI9tf9yz;!J+;|3L88+wkOSBLM7U zPF))ML=ZJC5f@O2^e;oz1zPTWqvb5IRuhSeBsq0OQ)M`wpbRaP{GNKL%gyox=^>nX z@y%kk>BN1o?${4(aWUC)hFY&bu@yVNU|V6xNucOn_QbRFI_Z`-f~TVuEhi5~#2sSJ z7LJ+OS;j8Mvy9(srcQ*qhhl=+JtT5r$<9Vz-;Nim(d80Yxz&4>9VNCO+gz z_vSTcDikEkkj&5=^& zMGvrD;2{CS`jsPmlS&wXYb({$kFl{hNSe>^6;zjYr<@6o$X=@?|FNQMUbK>0R?VvO z`)cRs1(9Sw&&@!G7_xHI#)!B|s=qW~IO?(Y(HSezv7_ z6<3d>ny{h;Z~75C%%zsOG+(4mH2KizNw%g=pns_r5jv({Q53@?Tgo8M{`7@B5%LF5 zNlhVYG9;wa@lqu%nKt~Sx5%H={(Uc{o0TiGHSQgB)jnzjD^h$LKj@)aW z$fdaQ;T1Vo2z;k89i%z_#Iu0qWaNtO%e&Mt9YPP}vfs6J4!?2W4vxtd+UcnDLvOM7 zJ1^{}NCV;`W973U7jAq4*>3=%MAs2etW!@nCymzXaV^nMOQC;OF%K;%z#7=bgRBz= z@Z{i7a!Ccfluw97{FS=L!^L<0WR%WrrN7jt)6K~l#bSd4B{&lX(%behTTIr z+h(r5t9Iwaw2HV86Yk5G&*s2|^Yb>OD7Mh^TG#16K(dJ^{EE;q`->HOm 
z@c#W18$2bLl$V#6{7;V>ugJWid9Z11=bQl1}(mlbUVrPs}wk5euh_$(MEo42V?xwIT1rRr%nr&Iz>#!L^)2#RS5I9|8)> z@M~iQlS-_)%~^Fx9UZrCy_)RAZtvfkyT?yKint)))3@TA72^u5h|lNWuZ;ihj);kf zrChkucox_rbnDo-Hfx@?dP{7QDzI4{5TCpL5~-u8d7DM@_vy{}WGN41eV4@7cl%d8 zcd%>Du?EzY;x%>4)|cnMy{l`~;kM6wtEV*_>=OccB5>rRp8%%Zo6nNKw}ty#;X`du zy=L36LdxG0;U9F4mOcY#@nHL1u17@Cgl^sC4N=I4%6zx`Kh(WtR25#gJ}Mz>1cXg* znoTMpZ0T+UX;DFtM!KcDK{^EKPEkrqX^;>F0qIWZ?!0UJ`g{NH8Ry(P#u@j1xnI2l`m_{_ZrvfAx3}6xnU_%N2}1V9F3Kkroxi}g&qm5ELZks zNXXLC+fZJT$7UBFNWtme@W_pzRujlWuw`qV*=75hKe(is`9-*1U*n@|cvRa4iBvpw zk4g*Ltwz&>pD%A|Fr~_ex_8IaR!U21a>Rz*%C~c^cWP44F^NwtwpST97LbY|z_W6g zuvY2Yh>yscTIrz}R~f2vBh(l3^IM^zND?_Sdt8t)!;Fwr8Gvh7hx+CiOII`qsM5+k z8^7|VBoB71rGDhF=#!era3CmH5s4zR+LA$a+q&6bS6s(m-I2 zW#9u+Qzo8CNj(-n(Jvz6)JULr_<1k&orK-5S@rpxzr)|xISXo7@NJ2F;Lm|8Y6`EX z4Ab|{6lda|y*XRh9=2OEj;-A=m1{DD?MdA{c74rEKAf^FJu)>@=R}8dJ>IaZ+`ieJ z5agt#)7EQRob-~@UJ$(f7s@qkA%3^#`|wKes1(H@sjP%rerI>4C%^ z%Z%Hyq@fP6@|ULP#ZqG#sKGqfRo?M>hJAO*f{{bWbpksWX+{tfvz1c<97aHHsK|a~~1ck+R^` zmxY28=l5BlklO?S&( zoJ&WMBiLSFIeqcn^@uq+9Xvjr5#j-`!D*_=`nod#>_Y#b&1WuvA;inwxDma4QsFor zU@XL`QTi5_N*2SgL#_}CB?(~@XxRPnx$@M!!zoSZd}=+`#4X%ddRk>aOEX9@G>UtE zX}gfWVU0^N^Q*!lcGF7ug!O*bY3jAByVxCO=a9LbEfstybb{bQ40*6ziCjkIvrW{Huk%WDe2A`3iU?Q&py<#j|mc=xVpEWY)BP%b~L-vZi&sm zG^G`0tyMYlK3w4n6{+Ic+u_UT%Ke@|h!K(JloZ#g3a7g>EEgXeE8x z8`I*>v=WVq>W1VGJbTteZBwURW7YbO%Sbg#9Hp2r2W$@H1$t{ClsMf^)4R=#ws%ER zKhR(+fm7n8e(q6m=X#Ydm!ZJZ`7WNnrkuay$IGu?d&~ZV@5WEy{v3hw3Z|E5B;Ltx z*de@(Vo!4=3U6_5CiDvgn`=CNaXVz0!l^8xKBh|Zp>aheCA~;eRD@079hmO?2V%rR z&WUBwsmXfe10Hf}(W>inY<)2v%M>31j>kA650`vZS_Qjfy4;zi6&T@L1D+UzEbO!` zM=dM9*%qIwfo&IW!Qp<(S{oLD{{~!;q}_nNBrP%0;=~aBg0E56v^~h|0$*gff)67hOsyf4UIFN3+a~Nt9oL?6wv?UEUp9eb4VWH>{Rk%!{p3 z?^YL3#`^1faDUUiVB5)z#Hd?G`}SSGsE8{p_Hik17Ue5{e4}vgD`Ww8-_)J?az9G( z{al@wA;IN=#=?4F`Ky659>UnQ@9s;72MIGHsIWa2Hj=$+OuBMqIX4Ln@f6i?J93#C z#$et0SqaUE>_xpeV z@~rq^NXMzf@Hs9Y0zoh{Gtb4TU$VYow0_L278+PL*tGx zO#33;8!jeivp@rO3)YW%Dt98h+f9toFXY{n&Ku!<)Na9<%vC?= 
zQEG}!c6Jo#cm=7O`?Mh#@R~R!Q~&MU%a*ml=Gv&uH?p>GM@m0fkiB}1Fr17N(igi|_BnG&s!BJAv${(Q z{iWx<#vjV9W(P9R1~qyi>X|n!J{Oq_`(h7v4-JU?Z6}+Pq__QHF|0lq37)Ls3_^0c zG?$GVTqFIT!*)q4;GZS z%8d&4tEYWacdQ<}q%(893!@lTZn%dR0Z$6Zz@CUI4lnK#hZa+{3 z2S`Rt_38I~bT@<;t)Sc@HuCk`Zfg%gC!*kv;srNLv{=Ee)#{2TXwu)fqrtO7f-NFr z9m{W~oQ%KC1!S{Z%ulQP4aSDN_}n+`?Yp<(yx3Z$ioVhp^{@)#@$ul%9hBTzyC23K zTgHXvnlqvO^|VTBvvxYLv(U7~cLOvBxxe0$_K>>JtK6YuZZ6VQ>+m^h(cIgM4jz zAjiIXmPOEQ@~*YzABJY6q;;)Aai*FH;Xg1!88u7D?I{P_h%YuG8% zsODlkw6@%2Z;N|=|L8<|rzc;nLGsn+%@&ID$Ik)GCqpwQd6Gw)MMF$93JtL`arHin zXq&o@q_`8LEgm#0vDeOf9S<+-w?+FXy;BNieBn(+v!cz?x@jT={xZ1_;;tr5hbiXr@1k zef9yK<$-8Z(@%}K!O~XIee^^zTSp7}Nk1>w!pxf-LUtAWWx0?RZ0W_`+q!F-xW84GoLyB6?7 zpY4h8%%l%(Dy*an6T=&1ysrFhy20{~$!9-Ya|B0H$62{8rfE5H-S}X~Fqb8d8IKCR zo$U-PUJ*%g{kXepXEob^#y;Ws{h?00QG%=fW{F^CBJftPvHl)ytr> zZ_l|2OSr!Wjn4GF@szomTi%K)C#|Tn6Grd4b`2d0k&KJGbRUUeD zM(62vf;d)ML$56_WJw(*6}S>Mxk;PBi)@6Yh6{mvcr7u7{1bjG9n<6 zbOj;Hh|qjZm`czC;Yu6pjANYXeuH>hHGiZqo)^gyeFcpW+1Q@zJo}WyNL&_k+v&w} z*QApJ9h~hhsY>7@6W0`u*)4 zuJxycT!`GR8dU{dWVMthT%oX#-e`L0B?2R8_G38TXXW6eOtIVYafig5>htjeU zlnC#;K#_P`V!e>w+`do}Q)l zY+waWZ)J6us-7y6E_g{|>B9h!UHvy%Bkzc}MvtT^T;CO8IPlSERn)Z6@ZH_3I$kEP ziAP*#vZPjr6x#(dd=+Pfsk})NV=p>eXUbIBG0AhjRLh+I-Pqq zxeaDNn`rk*58CTB)&;JhFgo(uTba^V=*>M8yjDLpgqLwimVi_X-Re6^7gu=UWe#Rc-Vz~5QlPz5s5-xRD8k|;T^etl}$ z{&G{tivrI!zxm$#A_*ENR{w(O@KEK4zg%bhrLYPY;q7)Ny}~*dmh5od@?{?1+7O}2 z3wPQtWz3f!@Cjopn53msce&wr>EZteLSH4S5;CfGGQ!eqa_yMi8EpE>)GW|Qk}XPe2} z&5BKRZU-cvPuAaHL~a;O0xJg0id@MUuUZcOv@ex@9Cs z-tyDNPYm|S8s8pc$(xMK#UHgZ(zUuTcehiAIc>ga{wmhfzO#4OGfOWhC_B+H=#XEn zNWWwbS=V?Uy;v9x`kJLCY;&~23+!B6v`f{#=CN!u>^PuBO)%>6?19Ep#7qK=DiE8Rg7{+G& zX8JXVPz4I3HqE9r9v%H8r^dYjs$*##zZ0Bw`bwq2rGQf;lTb*<&9Tquud*Z6UHv39 znvXHc;pEWYHVSq3fhxiH=2>~-W7QZCNKVctwe@jvzQ@?Pg2SPkQ(qI9IJYCLc&8dd2s6n0$-06a3wNj+?f6)qr+r| zGSzK;Ri%F;@H2MJJk5CEXlD16*F~v;_eH?{p#+J`WPifv*C#1ZXhe+Na(L~Wok;}u zju2SUgBMGJqp{$}UaTjHo~Spy&oH0Y#VTX-|m)_=c_+ z27cdL({@z1`o*8fG;yi+S_92yztDMFmNtt3d`pQ|!jvr|^;n#R-5(Ol%;pKxDke&G 
z4@6+6^<3iWZ9b3=4T=pe!tPfdP+CNr?vhys8{{YMa}qMA2Z10rAEL^Gxx|JvztYsG z8fc+J*z{T4Fgh#MH(19@4M>|w|HFkEwKB87{(z~)8x`$`7%zv%{y?IlNF%5S$;gqZ zv4Dc_`iYE~v=R)bBfaA+`0>rB2PHx8Kq&g6iA=sMjlC@g&&nbeDtDLa>*kJ6M~U8Z zh3qsQFW!~!X#tLWeJw*ngdxW?ZEf{p25akIizTTpImyx|oLi3@wbSA-zK`7eNDF_v zkt86KNvRMT5rZakVZ2ILo12@%m31QCfP>rK`&0Fh`X@Fn`EYH&0dxPtH){%ts{-zE zAX>~{J`@SgOo-?8Wlv}h#KhV~(t)?{L|w30`H4F^4F9O-0lHASHwLRMxk4E~Zye zR`&96NadY~M-2l4431#euIacuJBWRt*Q8-#6$^cP|7lz=_tiJ9pXTILFPz$bs_EtG z&-<@VeZ>BJxEkT3lGe7mM?Y{GK=Mw+Cy}TyTMs9sHkxltYG!GTaDI6!NY+WTgTnTi zxTYrA{RS{En`!#nvlKv!Ny)!Php?6FVbcwRakB>xt=2HG9y^-q?~m z?~Da}#ZJu93957@x+IGfvj{9;7gcymn#yM*5f=BA>s5y)oIWlqS62IrZZ`xYe#B7- z_>9R`eykGYo%DuMNV?an=a{@j3w{?}4C8Lk}d<0Ts)4|Hm+GQq4O`fvR zM%2#X<0o(bOaKGWfA>oPpk+ByDsj9y z4*Ha_J@wyS`B` zr)HPp$0-5(gL9=~R{vQ1$zv;tTtTJs-#yDbD1z4Hdg-F-;&7XD1x3L1QOT;1Ud96rtMzRc2jb^@ic0o zQ;wx;xE-SN4F=<~n-fRJz)-+Tw|d}9!u}%5pgq`Zq%`>{!VnB-e#c{(co^vdW?$rS z#WSlUCYo!4l_I{kgx&U~;fyxZpM!GcqH~-!MjVp2UJFRhA}B&5>KxYIe4=b09VMN1 zcX|7nhzvH6YwJQO>WaR|pKgRu|`k|ijeQgSN5lKYLr4=nidkXE}JUmo7at)<=#IY6g?^9wVA04^V9R< zxVmb0SK2%3e!#WxeqhkDMmSHqjAO7lEaK5sEIu&5o;jPzWz0EBc=cYat0bZqd93HS zo8c=TQUtD=Ov@x0!SY3q^2T6G*9?Mcl;KYDyZp&aLg3=M@7}{AlJK>ugPXxz*kYl@ zMyZt#;cH0N8&B-gcU0Fy$^D`)U1)Xi>m~kJy`!mOGU7IvCGkjBwj6V?cGjB$3<}|u zmc#<)8cxr~AP#moId4wihd#5S@0}KMUJR!TPv6Qco&ozhp-CY*tgzjfBYid(y^%mziuH)Ype#n5;l;h>rkj^VPo4 z9g_PoWK$o$@M$wHE=7A=gux5X?VMyG~ z@W1Zn46M_&Xxnw07`PjEfF_;_i{bm_jHJ4{x?tEzR9@m1Os!OtOW5OB@x`E8z5?-k z57`JBF=~M3(#FPl(h3Qz&y_in0l5PVJBPqsWhOL7k}+m{)A>PlzDPV*0&o{4`pxdVCfgg~Rvz@B%0uXAoN1L_SJi!pyR zs)y;(Y(7*l_SxzEq4&4&^u!AHBMVm#kHX@8(2#(fVMFpjm#xQm6!affIB&gB%oG(F z7cLM21Jy)DMF$76cA9TQ!33qQjVQX#usG;I^o`VN5aaGQb;{)4FC@=`A+F@gb|U2h zw|xI{f0HODW+lPUxo_4I2+8(s!LQs%{|qg`!l*DXD!~jLJSH~*h=7iPHS5bHrMM_ z)d*@4a`o(3Z69Dz@+3(E99cUgt)1RG?)AlTSa!8kCxn`^IxdrvT)6e#*7B_)ME zR;FP+)c*~tEf+?VJGxTU=jXNSvY$qnHNZ&N=N7l-aUb9v>=)`VzR-#sU3^c0PeYTm zE|Rf#ahFmya(!oleU==>v^OI`nqoQCd7s^!U~kFC(~8VclH=C)O!tdD%WRL21jd0s 
zMKrr#c;P(D;mw-Rq^V$LU6ugP>t@Gr&lxVxrz7O|aE$voBmKhSV*Yl}T`Ivj&}XS0 z($U~{pxWSSe|dS(ug-@?&%p8Wb09dAf|{u`3O)PSeiV=8$Ri&i&(m`07o3vq4i$Ir zfL_gFZGR_0Vb4?ih%EhHvB3%80U&S-_&`Uq^`&d-VM_09}cMMcHns|2em`IR8&;L#`H%)4bc_SDG_vy@{40+*)Bd98h}2S#Y&|l+!@(dQ z^%9`xD94yt+#Mu(<`h_uSISJ#7#^(r7}Sux_3MN7^NF%-(BnH;Ob*=j7(wPS6)=5o zZ?B8yv9UC0w4YyD2?pJrI262Wd&bCqU zzj&&tJfx4PGVX!1qZwQ%lC3zvVFqO1DeacV^49nT2RtnvD*%PAc%$+Z$#4uH4Yn;X z*rQjfh6_0r``sr5cc@CdV@ri3_oN@G?po$1);Z3VAC`Qr(fbew?W_E%CZh1WCii&F zUKFVQAc{hD1@%Kes~S=Ow3{+fD?R?eYMS`P2J)kz0L}xeAm)w-H0F#O*W-uXTQ_N0 z&FD|$)?4n3^w*6}x4O!9Vtq?B^6t*C=}fQD(7@@_?$&=K+DArRtM^NdO9_!YLzsSi z$uAIzN@%s>;=&lI~Bq6b?!I)Lwpz^N7&xp_t4{~m;#ML z{@tO6xn{smqIb)#uK$x@ld7&5$x%FJ2?Kc{g`CHg)<{K7#jo$U6>E$03pKEIPPJF` z`7rD6+V8;ePL%=QyK6`d^+(2;`}eIUwRh*oj$ZbNdkU2^&D<%yXPYw-BWo;ueyhg~ z&)GuXM7==TTD-bKv6YSs?5qae;DJ4LvV*vzbrr;W5#12zCo?N`bU>6GowgJ#TLD2y zULA`+aPQqpcnKw87>|8#wF9y3$NA=KDO1uL3+1y#-DKwcd1S+UaU*6NBV`HoG&2r8V;2J>>bW? zYuNswKDLVDyiJi{|8RimWifsh1qWl0F8&-l|KS4OcrrOkqe!{ANHAunN}HcOA>+gM z(d1F<^daWcOVSrsqU8c}VZeCj9#C;k-+QvCSn;mj1JX7`tJ)yq#aX^hWR8brsuON8 z+=g3o#_nt5agy^$={EUM4K`pY zCL}{=M(-d^&a+KMp;B7?MQ+?SMP2k`&kOczV?5ql7SXT(!C6oGGSqa1D&Sidew;8l zp5;3+>>B4;>-+F52Ws)w!Xn9YKwerl6u$Ce@eePj!}_3G+Z+6#xvn>|_kEECo4zGd zv7l1IqP|PpuE-?w{W_?CD6qXuOJM@i5|Y{-`e`V}N#^^tBf2DgW`62>U20J>Ra3a9 zHM>9z-6C*jX{2*q*2fg+{@&^s$@*baEYjp7rA>$W;|)aaH!G=q7h@*QM2NNNGkYw< z3)x@yuDC`u9TK2{@txVqAw z{kuj}bY1CShHowb6bsM?jm|EPA@^nyPBRKaNHKn8po`J?$ZS?XoCFYtTQBt2HL`qs zvYs%fj*;`wSPN!w0!7iyGoz%_rvgyI@=!wt{KeDx(Fh0N5>-b$%K<7$O1}m!xycEe zMTcw`6mw)^z9HcuAWAt10unB1_$#E@$A+q9WQdjV=hW1cTDJI8ZB$OPG$R-_|S!&JdJ7ipKQ*RWL4FBBzi+^sP#10d^Dk_AA@c0eO z^Q=2F4+hAzyc`#HtHsKHw_(UvnrO*NE0W#SyFz33zxGFFM+6CDdzh=xCWbP>(p1Br zJPBesRyLZNrP)p&N6$4K)T_`ih)a{A=$TN3ag}V;jL8UU#3gm^f>XojjjHk zRrS{D2>a2jc>^q-dw2X`IqB5#{I&U`Epi^!E(eC3@Wte@aq+YGcVag@Yynx!Nrdu{ zwMdT>JL4goO^#hjcda8on)R8Uw0E|#T=N84D0SJ#mOt|L6g<7-W1;DS*^l(~_dWb( 
z4(g?`d}BYo9uK-@YYk-POA(e?Q0dv+nV4qb=V_Nn6l{2>e_E9$lwY1hNph^$Nb@0qJo7xPrv^`B?>-em3uhrSFahKHht}o@k{?m=Os&gddWmje~U=ojpnC^X!8lR-EP+O z4HlPSVHAYyAGm*nZdN*j#LFG%ulg&XTyD2a5PCqlk~Qvx&$IIf-X1~^!H;pex}5&f z(iT*_CBKoXLT=l6|3hDBYrx*`liAcBNJbxowDn=Ec-7D>mkW)N;&oct{;!rZH_su( zOSPXXfCY0#@lsyP&~_grXjA^vbB;3<6!HEH=h+aGM$Ad;Aa}w) ziude6M&9@tkfC|c@A5_jz;S-O)&fAlf4@Z+U8fPhh7{D+<%-ZJNQ}RAxZX+is94-2 z$Le-LwahjculeSi5~TrrK(FqX_h>%QNf-wXiN)pp)JMu>x$pW9Dv%o>;WF7I24=Gp zbyEE;3%`|RKC}kk?uf)d`?Tl`IBVasb`dq+uSyP-x0HU9#cyTR zGk=kz@G@TFqGIcNe_VI%o#trS<+SDjxRY!*Ol`3Tl>JBxiWl?p>Sn~qnFH)WHwh_0 zO8L`M`TAQ(2={$Nt^gtX^N}H=Zv`nRm3IG8a4ur(r*ez?RFuT`gh4XNpj*cR^^Yt* z&c7|diUep>{Q=c8TQufKSarCw_@VU?=xf?3|#@t$o0j8Ist zsOm>=yg#ACyMuQ5b{s$O&4VGi-su2zyp5O(mx2EgR$$rVa3rbOJHUkW73$RcGMgNU znloR(QM8)GpK^QURw1$q=-+lj;Piu1;B5+h8052Ck)}i+WjIv`d}VgSZ)2>0CyTgU zlYd{$ZfryWa2#{%>}@r>Y6o5b$R%dqc85N6i8fel4riq8T`r4wW$Ublp#i+Q&f&L$ zPNjYwf3a~gJ&Ic`1V~tRdlsz6`13sZy_C-5pxQZ3-aAWFbS=nQn~@5K1o6j$nIe$N z(M|G)3y%}-z5I4*8*nLNX~0KRvd(m-!Ry0#SltLfU{^Sqrix6kR$ zolc4#@WWpFs#{w%2-8ImA_=2!cb`JRos{gxJD{M0heV0xPQd5n2JfMXSH|iD+J)wR z@1(bs-LNHeB=nr{ihdlMR*P*rFi#HVH0I#(tK|jPkw564MvMe1lybA8OK=7{u>$u5 z7H~0%K0w}H9M_lVKDULAI86QVC~0vm1?t5K4%}O`&Gw$*$;sU52VDtdh@_O3 zzZddF<4%1;m9%V~=ba*K;QbDN)nlFb!x_E$3w;l~dP}FfLCR8uS2}C&_vTm38^fzG zx52@png!1<+UjU zY*)qwT-QWoq%PZ+!#Sdn^mnYu+V^)T%&wem3saQ=2+)nbm4ws3Cgwmq3qZb9YgSzx z@Mr4OKMfr}MXEwa0t^4I{jZPQsitv$KGHP%K?>4tB+#pI$Fq6!(yI%fxOv6{4e?Z$ zbN*?p|Kpa!o$d~IepWz1j7R`q$PQmTWt$B3b-NReSjv_#@>PCoNvA+itdWky(J8)P zXJ+kl|9<@+do=l2jQa^vlP>3bDv9Qxq5*+ouF8c36-<`l&i{Vg%mi#Cs6ayVvIBjy zkx_uVtGPMUXF?BGG<>+r^fBR^-yGr2Z_f|@%g3R_LNSzXIrJJJza5z*!5jqKA-{iy z{R%RTxXfeQnw{wNu_TEX?U&8czn*xr;d)irTa@=P!4tOUFi&+i-&}YQvbq8%`LWX6 zUsmeckPp4~oiO28Blq(}F{qak6|gCWwW8 zB-;Aqg@pS*k#@BwSDfwyj_Q{IV3fa941}9VsBjpa#jeHG2RSB4ca;RB+X%)&l|yu% z|M97jBqmSDV6D-S_UIonYgGRmjogTBH>0tJTp+LMQ z=XA4??qBd8_!kuZ5T4G(L=JAIVG(v`M5?5>KF^ngH$VG?##aM3RNn8FMdpTsI`ym%E6J(E_a`5;uiyDe)-~!>kTfVsM8g 
zcbZ=%fINS)>S`Z8&@~DK@)wFmP3Idod=jd6EXfox`JA7h(rmvT0$)UM>9hJHVx-f~1)O%9x{@}PZ?}=rAiDIR zs$|Pgq%$JY@aa>i*j9klj^TAv#bDsn_1QpGr`dH6A`(a@6D{uj;6DJJg(Yqy5COE} zuGAw`N+gda_w!+&4l)F20QI)ND*K-v4ZiZ7h!jQ^bn>U9M@#M)%`|bvz0eJ4u=?^q`#-*>Y}kaah0%XMav2O*YBMIH&ksQ*#8xl}^S3%> zA0&$4Vt3vgr<{a!&nIDeStKV}@gKkuZOLXEDx@H`3WsTxvI8Oc`Ak@+j~w6&$I>&Z zfAeJjM|*`Eo!LiftXW~26^^E#G%KaQbjF#aNYgT0LcK2?^Nh85n{`&7_j*eU1NA>}tomz+~aW9Skw$T;jefe!SaNa#^0k*oS6Qrb@*Sv zx${yXF>7$l#wa8Gm(7VFL#GXkNquHbIb(FO?gwxwPRkQjbIBE)@m;s+p8qhnIDh$T ztN(rmo?IOe9#lvCTkHbTYv`LR&7bIueUe8YZnSN)`@;w)c*n3tpnjcr4rWV^->0ss zxm(4gp5c@V1^HAm_C@6WQw#8K6jMXe#A8`Kk~UD7gg}-E@c7?1zAG|-#zHN!Y;e+n z6bVJ~fo`cygFc7hOl~Zm;FRXIf^g6wBd+-i+p~Ft)m)P)^E;V_ZOMmwmCc}VW;2Fd zffl%pcbEloQBgtnD(Y(9KC)Fxm6sD;dV+LVQZWpa`shXEAq}55H{a1#xRK)uK3(>e zs(D}A?y9Qd>{-5XQdzAS#%SisYl^=B)cx1N*|>kZTN4ur`VzOyKN}$#O|DC`nggVc zr

{;pm3}Ege(!(BoCLoL0AQZ>54j%3?$^D5g=9Yl%e-wFxWr<$4$E1sfx3Bu#DT zDyQP)Sr9i}ZY@ny>5a($UZm=XP@7M-BNq==>J$1E_| zX(A}mNP@u#ql$fS;x@bImcz@)zuSFQ0+>PN@bcag(vmVhUuP>6ky<9r0t5DH?<&1~8CoWXFr~<^ z^_w|`OhLOQvmFOQ=?_Ga%2PW$kpuv$fd1EUwv+{fBvP<~wsGhXk}h=g0aVg+YeyT9 zdT*-DlMlIad;M{YJq+YwF`;4Mol9F+j5iI!4P1u-<9BnIMbo<>_TP2P0U`8}$a?=N z7624g)TePhkpQcwRAKH}Na|6XgMUMA6FNP^W#-vL)vV*R-ud( z_63@XQzOs!d)uc8+bOR4sY5AKq>KZlc46L#f7J2x6CEaqE{)Oi1O5j{!AIo?^;Jio z7!1a>Uyc@IkRGQdNGH7hU>b^~p~|bHm;Aq^V#;!RJ4u&TT>`w-dbIHb?;l!4)X}fB z1`j;NW_#qTo*n8FFq~$>quYq$Klj^O%bqs1xCXmuUXOQ%t|N? zP4u3&hrDP#*a%{5^gFW?IBFloY~E1xYf}I(+m+>!pE3|5$wI$}Z^l8r5Mx}_8R#8c zeaCcR3do~l%dF&MTJb{ju>kTPYJ@2H-H??hgNsiraj4#$$1@eLm9Ty8vR+GOG1Z7a ztL!F%f{%y1_{f*|H?!c}DC}So4U}_v)w0Fq^SlKugq%|X2~yve|Jug;XZpWO-o?#+ zgJ&`LIa_V(Sb;g_BdQ>W`1AaC=3A#utU>VqQM>cnY|s;s#9xgN<$sIjjxWFuz8b4P zR|FPG1g-lf527>EMAb{q6L+mq_k!n;-%kAG78I6!flodG?h%JdS1Uan6Tkl&&-dQE zOIw+-`_veJ4LAFInGM#Be)AN&Pr@+5DG2-zj%$uGAWBIpC|I|UMjijjUtaI2#Y1s= z1L>x^yQnH3b-$i4Dm=Pt%B}&?yM23Y#tp z$s;gTXb1k=n1+nKnX`fw#!>wwoDO^U{G#ixI5Ph#&Eub zhc;iIv)-iixcvx7NUu|ve;R#5X z8Xc_<7yCP`|GLMf+d%faFI`GUhZ33njiM6DkqE%xcU-|i)*5ckG*WDDTI%0w55emK zTSzKQ`>9XQ&lP-9h21I-cTmtUx+z|xm^V}dql%if{+flJ&QMXj^qzr8@UKDrHM3B@ zs@r#(j_q6ml0vQ%9e_9w1@ishOL5lHE8pWWDMtv3HqyVt&R*JiVj4)MdmL300|nJ) znss(`AWwcTtWp-aDhX?TexBcLpMlqQ1_uu>TDrQ{c2*W7!R*0)D{dtL!0;h=uF**a zXMue;1oo}nSjT*_f*NJIRN(mSAV<$AM5eXZib?b6#s(CGNvD**2U~l{xD3(nKPxpW zo4nh<_%~Fex*I-pn-di-xILVKFMr}`SHl$%qc7%eo&fCEI85?9jt)s$L4tj|`7kW# zI{%XQPtRNXp4u}uzm*aY$h+({mq7^!n83lhrsvt6UQkgPs~JLw*#DF!|;iX_AMzk)!WE)(l3k zhJ)=}U}ux;dd4G#;BE@9$-#eVVdR%YS?RB+YW88;f|@nX<>!-zwS&gDwLj0Niz}F6 zv0B!E2RVYkrbGeXBHWU;4TZI05#c@#LI#jTf#MDTkHHi_9WbHxVy8Kuk-+U>1(ds~ zJIj{pHB+bZTDO6PLgk)k4(8+N^h|6?ANnA&uNrQyFF>gVE7%ql|Ej#kdXlNhvk;v_1pdvzT#ur}@6&qMz2e&QXis?k!RRhdAgrdPq z?7@t?o25$0g7}(Ufzg*dgAO9m+%Av0^X0Gv#yzX$9sx#ADkmOtfpk{AHzT;8 zAbEl2e|P}}Ta49`I$#}>&}3vxX@^*ZeDT*(k~|PZcKZEcK>GUy1#i|6VA03{ zsZJsEd@Uk|lxH;dUkT`|GeRT8gSVj(22^(vd%u0gHZPQGI{6_a-#~7=RsF?7SaEQM 
za8qJd_a7;Zy^!ui+-s>#8sz@+=JjvH8Fwk>+}sV@LY z5iQJ9`WARbyq_ea!ahB?gOzAs4r==&R_aSx^7+tSYw7pcPa|FOhHUU@y26o6k$;^Z zl3s$Eyan?>H?3f48O^?tPlrql8P#ho$;pXM6w0SRj`Q?;W7)hJJksqZ4B`AOI1(+uAC$aqsra5~};ju870}mU6)p-m{|New|Gdri&-Q_tiYvu-&Ynw1; z|91;0F2qsS42ZVAxdCoBz;H=YQyy{1ASGGv|4EWxkWtYb5flg&8o1kGaWdX~n-DRD z)?qfG)kbK2(l2S}MY=ag0@u^PjqHxJ=31z#5gx`2n#j-s$*FLnk47Sn_(* z{pl|E^f_ro(sA4C19ZjckK<_!u>>;rTdOwe!ecWiiu$)ZM~YHcMn(GMRJh03dR zl#6sB;Ov!>eYkM9p0I?)G^J;*pV4ktrA*R|#U*Le^>CSVNXtIpGd@K1Y&_*6fdRT4 z@`C%BGYFqqh4MZV0kVvvy#Om0kmS;2-4I-)hBvg*BH&)ai+x+t-&;+-2OWf{J+9 z)_U2O{yQeIk%8l}d|TAJFf3X}3^ySrz^br@o5$%O)qphaJdqxmNhk!R$QEaY42=M8 z%os|$Nk@?x2e(B<<3K0jae|0dv8I5vZLRTJF1;yuGq@owxn{)U#`oDn|4O>Dn8k_i zErWq$1XRH^@OZg!$*}U(Ybg$~s_E!@+4*2#Tb*^FOx7SXwr(^WjQA4b<^ z|9>hfhN4szDedS3y&N-*L*&-hCLD+gmhZhNEMxyzxUBN+#7$4z(kaFa%(<1)=dGe0 zaUwX3xavK=n=(Uf^GY2aV3f%MnvL3{UkQbRz={ezra%Z6SqKCoN4TUf{!d0!g$L|# zgyhU8@HSW(T(O}OoH+KQcYCobiOs1QOWF&ExxXIqm-zmn1J&|=fcaCtA=zb3^+|Fi zt$AY=ILp;KHjqeEUFolnn`M;o_D<}jl*L-QhD0d=`;Nz#!bk|1k8bq5zOSK3&j0@3 z@cQ}Mk6SN^pYLl609OgWJ@Nmd>n)?I`lD`P=|gkqPNf^9I}Qj)OGq6$qyz+{8>Bl# zx&`U(Lrb@$v~)@LyYYGccii!gali0^4||`z_xi1vYt1#4r*OIzOD0aiW8k{);!4;Y zOa-(_`d0x2u{q1Oom2hRLb3$^VQAKJYkeBj+*&)jf+JhVv-N(JR`oMP)L$7ORAb2> zIHhP?DjJJ`aS>ApkJ+=U<_;(^ReLV(x9I=R-BEN-sVx9dJS zkmL<*KBHQ?uSTevfcCoyZTw|4KoJ{Z5Ry(Z5c;3wkP@vvXm!x^;wro{?^GgxqLc6Q zdU7Rm?__7}W?hi}`wBt+)ml4=g$%qjZ^MjH*quKucK{I+X%PtUPwx=5mQew5TsNAj zNZ3D!(ku+}>{NbB;E=${9DfU$!`puao&QNB_O_qaX+)w&yoH5h&RYJgTo{y@v>+s# zQjAMWCj+kWy^mm|mKXAvL{*vjJBeblPpN*rjm-aYS)KdGujCGvo5jh5t^;F_vbNFW z3Cx?Clm4^;kWZOaK0I(da$Xb*;Xm{El0E-B9@VzU*Y|>zme{II+?9?wpWOQ*b2@ks zK`73Y`N4t6V*0>mBtz6@pqqQdQTu@MDqwIR3?qw8*2|1Bch(DQs?GT?d}c^3#qbt>BK(YtQmEq=<2=Bn#(@(vfeSFYGC=N^ZVP( zynx78ma5V~fkB&otbL&py3R=SwOBDMa+1>XNm^PufdFdGo}{0kdfq^`33(4)Av#uH z9wZ~l>1No8^$o?+Sv$R-ZP$1saga($-|MlW2XbH!V#J5C8svYJC;`g2P!50LvAOP# z@d+Yq4DJgzi`AsvPVt4kgNYS(nJ&AHo*{{Oa<3Rw3Bt9ku`32AW zWftNxZT}k#Sx$#*zhigY1gTb1bNY&%z);H3Xl@S80LMjFNWc_;1F452_Btf3CYmw) z(84zGq}N8e?ejoz^>~9q(-7z|DB2VX$ 
zi=Q$1iK}_Aq)XWJl?azCIE+eM%ImtutdJfU%PpsrnRcLC%M`?3;x;F8{>h*I*%at- zc8MC1nC-OcD8+Q;Jv+ze*4VzJsV79=$E<}%YDAQP)srdzLimR$QP3#Ln~A2_fl-~= ziu?;7K#+XPT~Id@k*|M9l(J&WHPB7ytp>2n$t!{Obe9gOJ_m9Bf7NH*KI~{mE!*ZD zkJ-~Bdh2OOX_uVOP;h76ht6!t&RCjG&*K7?8GHDssoDIMO}F_v^xnPMt#2idm9g2> zWyj-ik|@}PA0k_d7zP_YglY|?u-KnZJUw8i-(4h}PgC+Be`>#he9VYucK5mCD?eV2 z;1_nS)zduiO~+~bB=!A<5YQmGwvjo`Ose$I*N@WsBQh}OkWf2K=jC*pm6kur<6;1J zCGx75fSFhN%YuYM-A7wZe4WuPMnipY;=EcWiHQG>!0NPUzsi*ShcP5eTUlec0e?0+ ze3;IgoF<;89LM_F*MJjvdHZsa9^Rv6ZNViBdG5J*b%j9^Ud+itI5+3IH=@Y=qA8~t zS4knzd-t1P3W23}vDpTxDdJ>Rdk%N2WD( ziLkF}qSZ45N>{Ks#ot>fD&E$Y2BrgL7RUk*?{ zH*8Q|Z;XI}R_>4|Ff{$I83d%rytrDM5dk3mc8p4Mgjb62DeO$e1NA$iD?Sn8c$b&s zL)~XTx)Y_bsOzpZm@2dSHo$S`+rRw3jV! zSJ4cjQpGw=!^LGh_~>ScM!HDWDc!U|;xhl_<|FCT#JBKB$l%M>}@1mTDZYG<_kQ312@M(Y~Vpfbb;NNQPb* z)zuXxx5-D7)Y>?wqseg;)xjRzy~u#jAofZ~?p_z;?ET6KzzRAVAD4KAGrobTjY=+G zcnJo26Sc>vy7C|#_;6~dpy10N37WWx%x|+r(b2l5J3D2F7Jul4R{wagIAh04Z|*(2nKV=%_A9oy8Iry=0a6*G zryG+iEEjvhh0fc|g^J2Bph9355>m@AioxD{o9bs1h*DJA=dy1kQ-1KOh^fS^Ko-(y zK8il}Hwx^0Qp9_4ho!Pyl~Y``3wkDS2}xYMCwtOtsjn3YGl)!tQV7;TqGf=tMsPPC zp&dPKuE|I!cU#;TX1k$88LEIcRah98gISslg2JMn0^=me@#*qyZJ8l{sQp*R({ofW z{#GJ*#n$Me7)t8RpL7_cJm}`kT9Vt?zk9mx8cywh^by}}*c|+BMJ^>&N&#t!Kd};D zk6_?)7{IaoQR>^p3w3;$)J$QLOZHkVbU-yk zVg<0%{0to$O$;Zk=$>aih+*1)B{BQ~W{~Oc*3Sd!{2WU3c=rzvT%Z4%Y1SPm8p|#L zbN?UrXW0N5qs8yl06k(AkSd8MFDM^M;m8Bzecf;V7HD=(m+9gS6J0t8RwyJf8v{~U zjlNGl&0-8QBw(;Vps;QXl<+5KXMupA)id;}_1>rW&r7-k!}l+75@&wsZ5-TQOk%8% z3v#ZXn)=U=QharZK`#`1RRxWTgl<^0KMGMAG*Xicfg&p$mZb_sKI3yeu51mRqU!}D zIKHiv6ksw5qL8{$Ned7U!Fu~TAr2Rl{%u!_Z5AGj_Cd)CxXmti=4#Fd^C)-)evzju zj^!;kt)ijX!JY6r`?1{gah_l5fTj)ixeof(w+axy+<~JDyMx^-+Os&NXQe>zq+Id` z+Y+59q|nHWpqhve6*qi<_H zIvBC^`PbId@OExKzGGeSAq|d5>5Il3I=$ONN^NIWpCR))7*?))M`}eBWH1c2S1B7okWLf#t9u0_q ze72XaU+%odFCt*%FwKSc?X&lbMUiV${OA3&|H~65)8YQE4pOd)ii&da=In?A)H70k z`^Xy0Fy4POsHomfe}o_H#~9qX02OTq(7}1e3;}*7uk|D%z_5pfQuz#Q z)SnRRi7^n&m1r<*4y9l}b1%Ze0C0A?!idWE{uJde<9R33f$AVC(3MyIq2qt?hL7X? 
z^r|1&)RQAW@)fIvslo3j9305|L;_du`$tokrRrB{;k5%{DcF?I_Y=8cU&3Ph_|y5Z zkI%hkWN8{Q4rn4oZFS4FSb)`wmxo(gbS*d8|xG}7)_Ilk+%yv7m_7g#+BWz&8TCz3WZc?ivZy5lwn44 z-2Fu<1a-&|gK$!+{TE@>pEgR?6tbh0CV#$TqF$dbkpf>Py!DKiANMC;TzcFSWtnW1 zpW%{JS=}-YFFGOuZlb3-%R*rpGnr-c4d&?9d*UdbudFS=MjiWZI*q zb8ZK`Bxn0A4dr=~XIR8@?d)g--k+Mshls|;KMa^nUuPrPB%Smfp@UB@Pu~Q5evi&& zcw-7t{{4%jZRy0-e>w*ky4!8R|EWR*C%WRuRQs2P8rVtZ^}hGzDIvLux^-CH3u>g43) zdCkBq5Db9z`0Idi#8S3OOG&+)%mq}qbN~^w?^R0dp5o4bhH+t4?x!ZZD@w-zJ`JX% zWCy=uYT=yw2H=*86etd@r^tYA=1cY9c^kVUfNTA-`Wftui;L4~_Y$m#`Wo@yEC3{i zlI;diQ!{wxP?GW6_dKs_tuPb?_)yZcLURJMYn}2~f6o3#-wB^w#mdtG5PxdF|Et(~ zHY$ueJ^Tky{8|HWd0en@6DygQsQU?Z+C9)~SZz6OPw=uZV2U7Q>jI!z$J2G$lBvM? z!F$t+`D5mH-{qGH0j5}7U$tPhzVCxMq3MSIiZ0?pP8v@YTQC1gnVpbPZ}{SdE2%7Zd(u4rI4{wb;qm7G~H$w?nN~1(vW~8mTqwe!x92fXIKER-zL$e zzrTP1easIJZ*KIC&@Yg9?K`OX-9$NyNV1sdJ+`gWh1P_^eR8X0qz2mt$X3#GYYL0L3@5?{9R&dW?q}jcL zceZ@0#dv5b5ICBN5@ly-DjTT(&JP=%a=?@cPT(1VSD(ws%(Aup>hVgAsXd7>b|m6> z>u|BETDOL``}lC1ArAK#nbKdUjkcBry|u-&xXKd*DC@`?LJ6!?M9i6RNLJx4Y9&Tl4W1{ zkz%NR_xd?lC^A)Atnn_PH-|`W{GsJwxkvC%G0M|PgA{ft2@1gFs-n34um+%l4*>60)HM$LZ3TLk z`yBSLZ!6j^N#}5p>P7rNDO8%10E%Os!RSP>wTgbCso12vAYe7^&O%-3G+gK7RI5oZ zn(cBk0f%9$L@*kG0E;Z!cVnK{7JIS4ikRt+db6gWImC#YUNKO{L4OdZ{x>(`1XA!xwkxUvDq3N`N_BYKBOMcl5iB z&w}fJ;W8(kaay3p)QCG}`rT3Y53 z`-z-Pm=5fG)ABk8v)lhJL%DJ>26(sMv55Vesgi2vN#d@RaBo3iXFY1^qF~3dv%N)K zT?)Ql1)=q4{VAM$e0Dc;^rS9P3poCa1po^=TL?lHC>O}}vV6^;&&RWv@HtxM(K zWhwjZM)842xjPTVjSD(#`vv;G#ftRk{Xp2u3Qw#DEDD9YG z4sys^Zbgpr8x>oj8$_S98U-f-EscEP=#&U~mUQ@<78=f8uB>U2wWTpiYsKfm^h8{s z1@YXq&l?5R#i|%p7^K4q`A1s)Zf%lb<-}bB*wFEmUGwo#-glR8GH~Af47)koHU%10 z1Bpy{^oN7(=g4lMczFwTL=G6FypPHsljVF;;fDys>Y9}}Wv)o!p~#swA# zFE%LlAn!*)`E-S-%HqH*+U1CPqg`Qmmu&23^G-mQjWNy^x=foK@yU%d-v3jW&L$7- zpD7jbURWSXfiXrP(7loO0pO6iM?8nethO`1_}sa!lMX=+R&@E%u$N!Z&~Wj&Xu@Ui z(28Fo#N&U7mz2PlR0VSeVr#~SXZ!i*%M;2tjSf|Rd3&ZjGhV~f!Xs?3JT+x(pS7_z z;u`Gvq&HP@o38f`lk{W^!vtvBr>6i!PBs*=2qj?Y-K4{+3c&GRM4_Ud>AZt*uFysh z_71RUqc!Rh13T;gD3$%KJoZ;_gKwh@lo}h}iK#9*;{W0@8VMa@DEGZU!y$-?RcJte 
z!ywEqpw3A-?m3{0b{y zUyaH5HeG4`jxe!Qq3G54@f~^y)4y-IQ&A#4=OtY71CM4^7&e7zH!q|Rv+37RiL>j4 zRcw!~isJ(kp&MKLmU$kBA=fs)&9LYUNkt=44F1N6@|e6Bifn|V%O86>n2T&mK&E56 zARPsyv0ifXLq%Jkk>5PW!}H#AJQWeR`X&Dd=CNei zXAUvYo!s;_<@jy8f?R*#&lU`=^ke%7<(MkNK!CGll76fP{s8*A6Rn?}+vDgFurY)x zBSH0%v@9$U$8DS@Js>Q>{8C^dAyv?sp3;34?y;!Kv_HUHk#lafoL$ebE7_s4fMLb! z4AbaOXZ35HStJB_Ru=z@5hx-8GAmht0d6F;oij_95EMv-QCZneY{rz#VUV(`321BE z^Vi(0_eMa61XKBx^h&&E4FUC5K@sC2-c(H65_G+2*y;e#+O4vlqCel62qyug(qijks~@ zYhTJD$X;fG6_H`C7mEvkcCLHdGSJbR=kH+- zf?T`zs5;x=QxoSvM8EH=AOZi;u#38z1TfDcYfera3W^aPJYoT8N4sLj4o_#L-69{L zY8zvTSvibae-LnZ+NoR%<>+G#3}7>cI{KRnR6gL$MF<4Gu>C9r>{&odG=C9jCzBQ% z+nK^x$*1dm$zT5jKjZ?~j<;+39CEsC2dEwe!E?=$W5;$Ev1ZD^Ah`slyaIKt_DNmF zkUu||PjKM-xeC`J0s|pqq>kafFrLR@MGrU(jC(S95ds6(V455`=V}mo2VvEz^y?qWO35vdMZ?ga ztzme4zuJ71b!cPM?BgwcNU}Ck*TqfOI#Y1hX&ECD;G0a;o}aU1*O1e%B2M$SFQg@9 z);p+}jjA~*1{PLHud)tE?)rZt6GmgkSs;sKJm8J0Eo@V}KgvY&xbP-uaz=>TDz?ZZ zI|lSeja>FN)pl|Tn6tOY9J1BMGC`>5EUHJ_Pqz2h%2+)1ty|UGO|_P>8x-?>(U*yQ zh37Eub{g~Fiq+nMgRKpBtz)hUXDfgNXRQ9;L`9srs|`B;LIU8!J-(4)W7g^%#@6pu z*64*t1Egh0@f8SEfeHQ?;~@1#gf_}WjD$n!wOw}&wsT|70Li$40eQBsDKmxQP?^Uq z^aG^TFXlt4^=fpwe555fFwmz7Vler^srH^z!%8&ehgkvYpy{byOrz|bsE|_pC@E@}-6wq&Nb%EkON2hJ~ z9nb!VaP|Zaz*o`0_ff?D5K#~6IVNciUlB2Wm*Mh)k!(B%P?39t=Wc$v{03JXx{q2JaK z=@R?9rjWA^@MA4Io+#I;xbh> zn5_gCL*8tEkS#LEj&E*1c+D3?L>$SoXl?d?u2u@`q7KruzVJbXY_9as_zHNtt%!ab z_^=|HUumga?8VQaYV>z($Vz_S{c|2AoJ$Mv8Y+QgAh5j&!2=W8 z+by)jIpvDq-=ev@w={FX)SDgrVq8SqyoD`<%_VBHcu?NnUS6o}KRSd!gPcarEM*fN z7Vt%VZ-3GS#d-`jWkv_)rRPa`{ifuZY|9RE0);cf15zemSvYuT(XBNO$Zmf&MbmHR z_BF16aS7Rr8vg(eV)Mn@@hDL@mazM6x!~vaNlYDWFr8&n}_!1*VL|DW-`SAz<&mp4y zD+ObdlvMU&DPc%o$1}n2#gmJ@!AQf`odl;bgYV_w0886D`A2Fv(uCX7`QN*a5`~ z%~^i~4!#~aOja?1gfzo13=8juKGlhbPMzC1cBvBOd)+a|Y)VMM)+nY7x5Nk^zeWEW zpWBn};)^*`SJ0Zv%bMcz{l^-b*Jpi{Xp_Iul%EuihbJGC;hIJzH8l~ED)cdm^}>^_ zi5Xv-h0jwq;#YOPlQ;^Zb0nZ0djqJVNYF=)dst7PxGe{pc0BY2!qoqk)?1tIb>c+g zU>glKIfG)pfCqyHRupf06Xt}EfWFqxi#Y{LV%Xkh<_*fPl-BUDavre$9^pq*BxuhO 
zkF^!2v1r!@UhmyRamZ4Wf0D6`D+D>9yGv6N#3a%|RktRk@Y|YTvVF-f`V#OpRV zeHci=$`hk&U7YJ*RcyPg9Hu4HcW@xliXVRTYFCrs!*rVIuxHA)p@o5>DCMThaDhn0 zs5av9NoJDh;;-RRkTk~~e4SBUI-I>gE1_@ZTv>@%)DXYyhSS^Ehk>NOwEa_0bnduZ z4*phK2F-G={|G0Db6LtX6bGj9@JrQYjXr8#DsxH|_%VNXNc)XGqwY$>%*r9$g#_6& zn~%9}%?uAy*6_nYx)T`CFNE=xi+tAL;oaL_OT;Gd`Ch{8W>3vMhPv5wda1!j-eTgr zox;v@P?c?gfuz1H%#56)`K`2HlFuiW#US5L3=Q!wf;Lre)O_gx2eQX!YPYVO6mS0p zV6>@am#ok9$ij}HLDXSC!muIT4FM)Wq384vjT(ax3Z7&l1y-9-lB%MQx6Z%T51@TP zuLBL2^NtbM1_ICb*(9Fsc833VLl8TN=zzgv^Q#g zl#6}}e2u~$waO*bOX}6xmWXt%z8u9tA!s;}3LcL976ICx|AnrSNnQaCMF)KWTiqj8BVFiaW#ve`dg0=qKEffWn>eSZxupm z_-GL&xqAH$l;+Bd+)MWo?ouYJs~7}vuaw>gpQPrBSx==z4P=mo4Liesw*U44A^E7D zCglP9@o9$N@Pp`)G4+{`e+K)7cyE9?qkx?hjU8Xktx-jhvAYnGbazK+@SLMj6tpr= z^bBwtUNw%|F`2@$kfkE?N1tpP8vinw`+}Y-&bMv zJH@w}GxFCfG=n*hMlq9L(q!%R`iGb=%OygCnB?Ub_Nj^WPbYJ?j~B-fvFfPog12j!NdoC(O#5QFD7q}`5DAv=`t(!|uy zrU7$eAorLjD*k60FCh3)3Z2D#37n3yR1LUe?(Xc6drpwGZV9Ed1ZUSmUIH|z{A=j{tv)fxytUh$r{Wle=L&_O|h>w(Cv%X zOL9tCyNsxf!O?xAPRUHhiyYT@=-jzG$XeMLi;<%fW+NfM>r&&QfsbRpjBm`$7~-M9 zGH8z8$^Fu}QQ#J*+E&HX^O88{ZR(?-L-#D6{iR!C^VtN)l~Wl98TL1YWDRvGltER0 z@#MULB$f7tOhrC+qM-NupB=tHgWRJ2pFZXLGKMNvBvkRW*25Va48(#-PIU{Ib*M?R zH4u5NN-HL3Yo^pIuZB(q8ev#AioL-(QWGHj7}TU0GaCzb_Ckv_DI31gA~PBRUVQ$B zgP`{@*wT*f`DJ{Os`5um5@wmw&Zg9K=sKq=?CRzFL|e3KlEu2Xj1)vc7okocUm1w& zc`Z28e4+2n^_R0jp?i%dKZL0Dn7|^eCZ&)qABiQkJSkz$K?06f0elOofsK+ToX2W7 zGi2*R9moZM;8|>Bj;6H2N$Jerp^^PJAH{-}ofbeth^&=FUdaa(G6?!kkHk;*;{OsKC3TQ zi!SL)TE%QhDZ|OctRS)X@ynRQA2)8VeMBnZr>J~Z7`*o;!Wbi;gW-*Q8u&MU?p?bk z^~Gk#T*Cpyx9bmVbJmfzQSMTjjJe%`=w^y$+Y6n^Ci)`-YfsfIg>!FaPmM z-QBMP)o5q!hhPzW_Z~f;<-as+dx(W`?Q1I{zSpeUccn$W-p#Jngk-j14#77hW37+D zH4(u;O$us)Z}GEH%IT}s^GF$=W549D>HH8h_rXZ_(q&KL>c6r%nMHN!Q81P}qT+7l z4X8xd@+(*vRn{Fv75L+QEfz9f$P*_{1uxa0KVl%5<&v%YE@uAf$H2g7XS#S>^z}e4 z@vKLrVojRhuhWx&7OvVY`P%YXLcyl_>-*ziue6`>MOvpC5+VleAz)joDD3*-uFwoI zj&XAv3pBC0zm!@}XB2zMdFrh zzSd9wg_wfac7~vq$CqU0lzhgG6Ntr;c#`c{QHg(G7J-6+WtOFO! 
zdJNc&lXmEGN{y2AU}WsV-SIlyxy~d3+1&%?<+|AJ_Cy#~#Gi(#>Pc1Zdi=3OMiM;?Xa)Pt(ls^;A6`5})2h)?^EqK_g~y`~mH zo7)_rK3(D7ih#uX{{jGBOf&Gj4lADm{&|f@P3qn2kF5rI$cD=uR6yB&Zu!e+S23aq zZY0V;+D(W=r=4HBAu{OB22t=*T;TIeNYc|BS^=0`U0?#V%d?^Zs~SeUY$M+ExqKns z`pV2bfbIy2I%Mx&Tu8y3Zw_blm=R%nXY(Ci+g3m|&kSddKFNk70Bl2$fBXH}6)@kh zYNSDf%%yhSM9#Ar0o|6QPq^c4@9TR0o@G-mml;L&$6I`e{w(yMm8pTfDw*7 zq8d)eZbV%xPtLE%A(gh_>L1OoMK3@9)F{3A8&l!x6@aU(x~Z^W?lpbmOy1(eTL}$X zk?Xj_0xaVtjv2Bx)H;T8uHBL5>-k~CrSl&hWr6_kBPtUD?#iKg#rSW-4sTy^K3Wik z4GIlk*U^6T6rZiopF5w;$>i2N`NJlXNz1yY`Vz{>z1~AHdvWvb*^RObGS5$yqQW>q zJ;d1%)Vp?^_GTbSPzNG!$~NH!$*3QeKA`nMyF=y4swrAQC8x2Sh^u^c{tQ^s1{|+}MrS*N#g)PN{3# z1doxv9h$@V=6Kf&%t#b}>SRy-xD+i&ZGT!!ipX~nzGWh$2pU9{Xv+PpDB!ir4+9x} ze`ANr0wh$%KZ^sD(FQUccg!e1vE=$;5U;Th<$P!>ip6<{aWTl-bu0a$%6+?ty=~N1 z92+6|N(+f@t^!9``6+m91-s|N54jxkBt9gljH^8#;o}Y5ETw)_MW+7l!tM;s5Z`79tlXlq<-%YBIh@-N$~wu=(CuZP<45tDj2v)@rhXYGEw%hjrGY{Tg#`+kdkF`aq`i z5+U(VUuNEbAENNunpAlDC!EP$lFZpR?k&gW%Q6XQl8rySC}Xc}LNSRnw#sXuWJcj- zL#jH4@zFo<;{FI7I2ejG{J>h$?>bs6=i##zN1A5AOynR9TIX8uDFs2SN;&F|WP#ji z5{D}S9>~HiP8qTf6XEDYG9piPGRi@isJ-zSNGf6OEf4yw&8;!C#9#u#-u+<2&|F(D zL6_38=u5BIr>KlV*kvTt&#&NPNN7-=LY0mCR(Vdb;e9gvgPnLC0hN7PR3H(yW2$PC z4#9bI8&xRYfrsyuQhUy;q4>t4g$EG?=>RZmX#gBLvTV34QGYg}12r@20$n6D4R^Sm z>~ui9u8=fYX5`Dy`dnXixyAkbiS#ID*B!0Fmv8aYU}-hoX@mu( z$#(Yo$l>xW!Em$jtD5C`hCbHRLR%G(uK^<6eF5*qhSqa}&zTDUe1e(i|3f-}6P#h( z(}$YcVr>C;BSLZb**7ZmCgL^*MV|*(2O;wkK+vtmB%;!j?p?_bnWmTmz}&&jYPL&* zt+sh_hkw4jE1Ya*IvH^uTN}GMLqA`s_4O6G|Lxg4zqKFzjFbHl4gQaD=lZpj zflBB~&E@{pT2*tEX6btN;?~_AMBX)_fkmQ3FH7eh*e?Rr_{7GP>zn?pDIOG|t(ZZ> zC@J>h(`fqP$cB0l4ejk$7^KD`ph1~?8Y|f-?3nO{FJK^26rc%!NcT-BojsLAEj0rG zB_R__7v!8>s7|}PU>Hbrrl>s)KC_zk<)^Y*H$)g{Bl0uyD=dTRweeT0>R)GdIzzaeq@;42wa`Y*}_=FexTMLZq86mizRM1t`kv zf|9Kyo>Q^Vx>U!Vt%#&sAQf9Z$K2p@I}=8FY22^#c)vnQQ*u<|LzQ{IJ^}v;P57;J zF#@x#JOJ-mkrBQx%=yvYZvQYik#~v5`|UD(UaBXwpvag%ZR`BSRw6w*afV{1)`4Ij~wN;K-B1>-Y2hLrUf= z-#2pZRycz_a0k~zgS`Q&Tse++ScZsv7;9LyjCFgis6GdHKhW(rk(1#@VZcU_}=wu?Sa 
zC{8ZXho=TQz5@|w1dmN|`|h!R2Tm$`4yqubf=DFV)bd0U8lmRmRuuwj;x!Gyw~MLr zx4DMOgFv`3H_E;&bp^H#z`{!Q`*U5qbVZgcQ|P{BJzjvd9?#gEYy}&i{(=>A<%ioS1smwWU#<#S+ ze7Pv{qg&P8NGKRVLWXfXUkV2WYb*h6>95b4|Y)jb`Cz{1#G@4WR>?wtsk#++Kc+?6Vkc1U~Wy`Q?oJK{h3&HuLq4+ zYB4uXhjOyU+a}It{|~}TTTYn$nXD|4WbG|Yb44)xsHbdYStz~t-Fi8VG-rXnpqyJp zhR7Gp1bXBB*3abXI>yH!p#8+lKWh@SxA+Ihx(>u0x_wjr);perkWSkYsPW zhmdpJBiq|O_cNeD{J}fzg=pgl+8UqVP6@z3Q$d4{Awc1wTtt~~QAqvz>}$DC+tre{cwplF$lz-Cf^+eb&VJ+h`aJ&+=o??hk= zdG}rQhhfD?CYj7Mik3d!5Rze4bWev`oQ{c;>-gI-@SW96mJ)UJ-f~L)QcL_L2m=Ko z(sm9*b-}`7Pvi}vPa^LzsiNo7?bp#7$zpzueuLej;+<^EQRM*rQY-QPi!=-RT@WOd z>HY2E;AI>%{R21SN1^!;UMl-?5>kw%_d=l83dlL{b06CW>-?ZW`US<`=%3+W8Lg?; z%+Hvg^Zx}0k3%`7!uunm@C=|modn(|t86j3K<)QAu0zGHd$B{gk6}5vIcPjiDyc7^rb5y3_tlrgOKDL~56ao^OHIxs;til1%pr`gvKoBf?ePO0e zeKXB;|9H7*C1$1SFG`I@7E|`SVyZA_rqVc!Np~{Q2{@MkY;0w3JD8I_uye-LIsbvL z(l=q!pJkU%|IJlv4ATBfW(;T=HtK{V|6`qRxz>{Vo#X&G7#c*LR2*sX{26(yON^;l z07PMJ!@fk24WAP=lDM*!e_`fe)epR=V%OW!@wU6GTv1>1)Uqi~9ILM;%JWPKYgZ`F z1*5`O`~~)}13&wV7P?nFNF3gacno7DKrRX1BAB3h`RP1Ru)a zlX1|a;FbrPIDMV;GW(8Oe`zwAZ8RpUxksUub=+{hE>~&W{RDC{Jd7WzRvIM-WZ&dw zX7MF}r!w9=>xi@M>1 zLW9mQS&v(8Bx_4Ah}nw_*3%(`Us%z6lUOJ2V6#{Xf8Ke)tR{gE{FG@$ zoB*%~laYHzxZ!~kJYDMc!NBOuT?!owKRO$8Ltn%QGMxY;F;L^k{!C3jF{zQ%r}j-u zZ#RZtSh{~fnrJxu{tfqJn|^ zSIH`iXZlQizSO0XjW5mlA*3lyJ|nPS-zZ`Z0ezH4C(UXf5+F~BsnVi+_5^*zYrL30 zYI9s4^88HGLhv^Ks*D|ZR{gu0s9eHr`wu=!R7f!u-ZVVZYT0wDf!)juya4SR%&Dg5 z-~jn>x*uxTu2b^dnZu2&oU|J6Ckg;B>;b(tJ?}buzzrD~$9={ciK?Sanr@E+0373d zE5vLz0DnoJGt)E9mhL}YMf=<~jE`a#WTHl+n`USGOW!_Y z_y~Yo5sg*HdUhhXk(`(Abo;|az_Xn74yzO5MOJDG5D3!&E~61Ii2!(5eAT=?8-4@; zL{@{s7wZOq+p+7}4$+)qo}!i_LO&j?`^cdXC{9Z`rY(S&jHntvx|AJz77==v0GDj} zN_$5BmF&(5QC$zB4IHNlI=JN_R|UktgZ0GX0Sf*1#cvuiv4Hea%?gBt*V-Vnn# zgZ~eJpB?_3dDzyp-*1uMA_zX&OB|sh(?q*F<4K+t;OOTvOF7tu#(uSHO)i4JWrWV2 zGHSE^3k=DnVo5atz>6uvk;S_M@>M*PvCzVQ02AD7A}z7;c%CQ%t4s37UvP97>v3s@ zkG3T#aSvDAX2;ir^_$M&1Q_9L{^O7goP|d809q4*25AEC3cs|zJY1la!l)Lt7YqLx zu<`7P>{8$^E=en#84>v$d*-!-z(j^um3l`wAMnnM3uv-iIDiB+nA-9*> 
ztVN__#aDVT00)Bs|Kyhr@x7@r*O#7+(THoi3WYZe)@;T!9?42LwENTdc|f$i4J!QZ zSjN3&0_qsR?oGgX>#kWE4OHUt$c!UVGmzlD^f$n5EW(qK?10-K1=^^k02m_cUVGgV z@P>Z4?;S(|cyn#7e5V{;$NfBemPDT=M`yCr#1A=|x&_+x3DoMgw)TThn+HbQ^*%kEdR$bdYV)}oa4iG3e<$gJ zq;$Ge?AhPQx$Rwq0RE;RrxPFNrdNWa7X;ZU@LGFdzD)uEC$2zi^-^+9DIr;Dp?BSZ z;?M7p58`!GQ(!37SH#ijdgGpxc})tb9M!RqF^f_0tCWW$C@HSM=UjI`PjV=u_-9#{ z=D-|O9+2*L?SQKrz0W)A-2Kd(*<_!K!^`FCyyVCV;7o4x4@?qHBK(?Mt4nkS42nQGlm|E_B-*|nuK*tb z;DqfYyIUMrlU!!Q`o7^+{% zK7g5Qriy`Yz-eO!-^1>)iY%YawpzG^8j7Tk$w&l(AZj+g{-_1GGlTb=BdBz3_XbZE z#7>X8`_DIU#kcgI;t1%*IlX4pf2tObP2ZT*ItuQtEHH>$_L(ynqdO=kGD|56*dySa zbk{t_gn`(2^Z5|;famk4@Lg_WAkOgwVHo>8yI^FXN2Ykw^$!InFqXLwC72V0e_J*)z1k=1ctrpB${R$d zV`)pLSfBIC;8CrUaYK#8;a}X+DYa5-fjl1`a2~D%-vk1`Uw}baDI%Q}IpaGCaAf86 zL}ryUi;%g@4mQ;R;U+9LQH*dTQdKC-TYrp^!*{oaGT?CG^TqEQV#xSU(miR~$pE#! zys!~kb5uxJv8?$U|A1#trk3;n_GGmJkztt{U`a{I%6Z!tXEPQ&)7!P}azA(x*9Iav z!?YppH#G*Lf#>sw=1jOAcX%L&v+rfq!32O>GhS1XtEXM4of*k%tF~WGnw|V;#Kt1G zeRx0%=YO-nGV`8dyS(Rm&I*jm>AB-i28H9VY5^(}dRHz-r3R76;?0CM+Ah+LpsEc5e;jQ46$=0?wET4q*jV_y6OGzR@?YkCc<-~NQ ztu0b&-pOmX;S<$R#8RpmHZfpp|%~XEZ z}|nE-;Qs>hhb2?y!L?WjJhx@-O`rEzl#sPUxU9l=D z2IX&^0Mp>(qFux1A2px$wVrpp0pub#rlEsI*F#cTT3W}4+fTJt6Yw1E*SWtgBcE+Z zloY4}d6|C_(mlU#`3aDO9&kFL zVc@X%R-5LZV_tzAW|O-E*}wVn+JJN))DmKaN~df)AJFtR-KovtyB-n8@xoR@74<^c zz@H?K&ae}d5Sm(;DLG^~OPs34Vq~4Yn&=VOd}ItTH5oMuBa0W=w^CSj0}c*sMNWJ0 z3>TR&Agz}R9~y7|q{pSFM_6Wg69Nidl7OmLTfKGS^MQ=}2ZYQq=A|5*gaZG#&*8pU zQ+q}!SD|QO|H|6`o}+C}mmCt*p)p@2*AoSh%DtnHZrMV?zZyohG{uXp2zss-Bl1z> z*e@zNY}Nh)tBiM;;jOqke1to$;T1Ez;#0~`$EA1LoeGA(wzDN)?4u0aUPw1YA@|}- zTXic(d&123sTu19oPdVzMy&HH(PpOj&O~wS9vcoYCD#8i-e(YZcFa-vYGsa-M;K2x zozSC+1#U3%YW{w(z1%k8p(W7_nOr5xf42JH1dW3P)g4E0Osf+RvXq-PeMN z+zER(V#K2>+HcVS&SD=ReHI%Z-!+5*@Mi#C;@Vw3pz?%KQc|K*357E;F~K1s>VG06 zB>YpUf)zP1Fwp5dCK?J*8c)TBodAG227e@~_jMlWpLc*sd^WX29oqH(@P+fcD^SPT zpd!@6$#QnRVPl~@BzaUO$of_YHY{RsDkqm3EwTImID6}`DBE>yoMsddhVB{z>5}dk zQAz|PrIe5k1*Btup+!_ukWf*&L3&7~LApV@yWw{a?|S#%$Ntv(*7|<`cpQSxJkK3h zoY#3>XV@r#nhCEN@!Q)4=CrQ~7swC 
z^1%2~%GTFwt!#7p?ErLp55H~l70SH)890XaF$<4g0IYf&75(^+P1QgtCi z1i8alqF>8cg~hR1n!oQr7L242({Eq-?X|a6y3#giT!U~wAsV6A`jdvYcn}z_tr&CR z>G<04T_dBb^s06MR3ETzCtlx)au{t&a**~EN`$OAO)Dq89qN=_`hc5ast`w`Mdr$a zHiI3QFzO0wQRkbCo@;!Zh7}~>w6UWV0o|s&slKYGE+i0-mDx3>D~8t}B$)7~gZ>+O zM?w4Xc;VEPlqds-n)jA!N^!{@5InJX)mzFR{v^;?R6^jxuv_TTZJ{1qcx0IXSk@ys zMQiy&5U6Q$GHCA=qc1RLMe2{@n-TG*_z>s(w%g~>C!dM(yhr?X?h3IJJt$sbKKx~> zFx4&eyO?D?qygzUYw-NM9FN9ekvZq&99ij0%d@y_#+=a>Ugh-KwnRB*%|GN%qD7c< zdIA(U+dCQuUg!5}*ZP8{qIfj%cs3^^v&@=b_HLoncS(xZVddVt9gvTv3LeE&F~d7F z`Ml{sO0EL*O9Frdv`QZL5tbP~+ZeAr0t$o2=hw(?Z<*5)N)&J+Bk6?E{T`NZUia-0 z%TyMi2Aw4A0C#lcwXZvO4Uuv-!QnW&INjV`3%@u&T_x4I^$}!+*|)EF7q?)MEAiUs z2s|=baqSC!o+1_vhCN9{fyJ9#2rS^Mw&J7_)UPvGPTGZ9qm<~a^k#kgttd75zN%Mm zypMU!n3B7OYQ#;N((WluN#H|;r=pkWcu|_Cw%F~6IJddkc&oSz7d%`*si`Vyn-Jda zh+=Thm&I<)UBJel_4m3XaI{P3b@nw{!)xp`I0&j^P#xUYDGq869e44lfDUd5qX%-6 zqd_R)Ip|q&Q#|P?Vr>CaC_%H+?k#4*M+M%j!%o`*NkiOcEx?*8$}JsXhNrWW;?N; zLIs51yi=cbBiCxAF_s@d?8YPG%st`2ayJPVlspxW22ADAF~|*BU4he>Bo^UvKQ6A& zO&ZfGpU85G$CY;j+9$4;St?jHw!YbKWi=AIw20Rca31yGwF%3t%Ee zSD1+ZRwpylEpYUEbbGXcpITwBGZmvkGsUg`frwZeujN2syrqflj6_1ho??i&Dk46+ z)@@0aA~k!(lMj_BObbudCbtu6LZt!@^G>DbspELxq`@Q1`aKnqW^WltNuvyct`0q$ zKn2OnqoSWYt=o1hvF=sTb@(RN*PBt{yvLU5`;m?x3u$s-SmyyfowAKwY2J-`MdWLB zQ*O1CXZmpe7Iuv1GF$oyH-{t7VTaUnPWP6J!yZQk;`16A8iO6Z+DnBaNo~Z{^9(#RWf+wgdv!>5S}5Na1p{lC1HIqxAxmu7 zAIv>Xc!%0F?TrCF{Eym?5t{-z(rni6J~|5H<;<@KY>Za_@Q}RK#l3~Mq429a z_9%CcAw0(Au7k_N<%^LSCvNS)kaLdlxEKx*OL&gwu4?`lqY6jpt%u}?`dym-h%gF` zOfT@LT*z3G175I~ijTMbv+K^S~aBL#FwgI#I_6G~9q?D&XIB?n-U^B@92q zo~!qhZP{>$sop7-Yp=429^evnzr!DW)>5T(;d8S{?N4rV+(s&mg|FU+6Ji?sr_?Nq z2I&CwOb#Z}wb(6TWOFqY|3z_ahykAbuuH*WA}Z_r4;wbS`O{bk92k|2rQ6+JY2fjU zvy|-Eo`CSiY?)JA}S4?k8eJ6QnsM-ZySJG&AyaWvl+Vc+NOx9by->y!tm602<&4M^I)5BpHqQ+eoXoomX^Jzcv- z_dP$0L`^tY0n7XxXaHt!`a`y@-r`HYIfGw8mkjXCIMpO$g4O`|8EEJZ@)X?meKq zi2|ok7N($syX2ppeHOfIh&}`v|5cg=6I`23oA&wgc+<~HvPA?6xr=z1ct}ptqlabX z`rNLYC~UK{ou5pJ@Kqo)CWb9|m`|RZe!C%L!2Q_An`zlor)rOm4|E>AuMKqedLZdZ 
zy$Y8MCY{mC(rJ;FVHF<=mRA45dXEjyuEi%ji*)`^{6llE91L^#FfIkUj62*K_$E=H z1YCDQ2F6vo`^1K;t;6h$AUt?@^XYkknT0~jQX;q7llT-wKbfvY6JP6;-k_ZO@+h(< zTiE%n+RU%=UnU9(rejV%YT}dj3kfxC=E}0whA|EobGgWG8{rmc?Dz|5>(AlL#;O9R zm13m48108hSzVN*FJUTc`;H{&z9QJc#iPk5%XwpT36gu2kXUoV=2?{+h@?enj^ z3xjXRKT54~S-^@(S;#>0QrwmAB6`0`@GE!s_ zypMQa3M!&^R^T7k8{lI-VZ5w%&$-G{GXuG_yiTvHsahd(!tWbibPdbTKGQTQ9&wyc z8dB85nPN&`+p2Ti8$e*Kiyfw>Iw?esS#~sJ_OSPMAZ3D~DzmE(7Pp70WkqV-1Reqw zv&B!g)Z~(w_JJogw_%*O9j?WowjSSmk6s}HwyTKum+buk)z82f zX$G}>v;fS=gHL-l2B1`L54<%(Ob|R;d){<^dH%;CL(b42JK{Qy&dCh$KXs(yYNkoz z(|!Eg=Cr2G*`LPS>Ky;P$4RSiQ7K^io8OLx$8X;(^Cw6>+qYReTj9zyt_tXLngKnu ziiKGuO>hK6&zoJ8td-l6^)8IAF!XcpRzfeE-X&w2P*#B}cv6y~5C6g$0_J%s0&~m{ zAi>)ilA4oQ>->!0t37F2r)>S!lwW(o6|`&-P4`=vOB5(FFU}dbxjg0F34`8e1?<2s z6D0{HnI^#7j_5$2N){ne~x9JE4MA4&z1?(4tiQpf#w@U#gf8eh8g zn12mCnUYUUR6FAh?WronTm~KMZeJmmr#Rx)JNeL7OXeH}bHlL%X&>nspfB;`0{c(q zEtW5?bhTdqv}>uBY3SHXQR9$^MFZFXstwQk{gslosx?Ceoxq zJ|*10k*b>*8xycwB{cmjjo}PAOrWRph?Nt(x+zkPGo->ObF#JHt&QeCdyzb_0Q3<7Sb zAVAUJ5dN}rP(<=8UH+nBtwP*SFZECYV`BM)i}08-2Zpyk#~6ICM$;7*L#vJ$=<`F8z{zk=3Z;63}^{NPTwJ}^~>%z)9c?3w{G(uZr%{!a|)>_YWH4z1fB^LX5? 
zBgfsa)fLg3B|a&ZaKopUP*U*-)PBa8)B5Inh1{RF?FliSIuiRlM0UiSWs72}859&;kHoidGUGC{E00ZG6&Gkl?(ph{OG=AW)9>hqG|Z?($I=316O*UB6vxb@6<9b&zw55 zf?uPfzR6)dl(WaQK5N8xFvP=HYa#)K$0i_`=18lf33%xgrcIx9R#Bq&(icLg9G8gj zV8ba;!u!b2LgdeQ(_L+n-Q(8pvKUGG`i43HApgk5G<4x}4eO5huJu?s2_2)uH74u^ zkVG7?g`@cc^pGjS9SwlW<3!>U2l=3#(TRWDDN=6#4 zh{{=Iu(>=}PBFB86+r!UOnc&*cX2O%D0dHdh|pw=dYlA z{KAkI7u{m|IKl*B^owc|G--+hK+A<^P_u+y{w2?~&+`r*-JsjY>p%Ka3p0T(UJ4F{{*Hvoz$g<)U8^S_{bC0;-wcd14V)g8?~#VZdQX~?jp1o0s^#g* zbG6(9*HMt=GKPm|ZazFlm2UiIjdSy^_vg>DKy>6(2+A)1)Rp7Fw3Mj}h}Zx(!&-0K zs@so&P)u~g532S?`HrT_*!t&p#S)DT6Z16iKeD0i-{Kx|e#v}sUS2c<3}S}ze{7bR zL6U&~=s0F+rmg~Rl&;@<9D|Ys;R=NSf zRCJU=C7`UQ0-}_l{=O~{C0e-u51t1ojH*vX^njizn1XC25gICEW0KSoAVG)V5DlS% zXpkw;(@Q7bep|bAzu52x7>*FP6Lg5CAp-9lk)4nOeqvXG=4|H=<^m!I2j^7~I+*cx zRQN6U`Uvt!jFKQg{-b^=%#9{1e5P)I)V$-VHol@>@LCvlK7Wr52BBCfeYJLXl;e^S zh!v_Wc#n=#f9DegKxaq$$8`+_{&#sS!}<<@^*->L&;iyhp>xUN_W`;Bv*zyj(~G32 zBX7Y=o3pLPd@!eun*ANmdR)cDPCI1;^*yq*w6yBFo;N1r`kRyzL)ik>L*Ew$f{CRJ z15WmBW)H?zDD}(CSHBk8E_2?baR!y9Bd*8%vOkQGNqD4+>N0=VmbeG zKj>ov5;y$AOl***dr47IQNhV+q`TYTSKSH|{$Ft}zJJomN2R>)&y83z$@kyh2a78) ziCy>_fLc*v4G_<>E9SM(Vf>xdW^_>ch3fqQ8ra?kb^K%tw8c=-zZACRrRF=W(V&)g z;^sDfh{_DbhB7cT-+S=jLF4aosip)0sy8q9X~QT(8;6CBWx>d^f{jJhqd)zdB&75a zZ+b|oPksqxX=l^o5q}JLEKJe5+`s6w{g`y4Is?<$*%=gyoRYC*WD;*JX&5&+UM$P^SO4kAK4#^b-cb*e#aK$=bwKdQ;1-- zZwLR}&m1nXB}1?_gV*#7VztO+ zhniq^?O$_4Qx~Z1xv$%Q$cSA)w*gJ4(=+3SWr4-sZ@caBV&;%UVH-rV@{?y%wes#R z9m+)}O>gt-TJ!79L-jTzn%;e5O4rB`vvTQXX#4f6MN^%4VJq!HtcPP)1X~V$Aao+t z2dBov6%`t5xjnwySZLKiezrfvXeu32!^hw@-ixu$R7*E9B1$b~hKEnO&S<@U=+Ax~ zM$W~xQ>D|g45%4SW@$~NXk+~@g6=z+2sj0hWL>&G%>ZaHVfa)eDd6N)ISGpaM%C5* z1%3*<0eOvV>V8}o@h8K|$46(o^SWExH_5qZHyu4L{Tqj?4yBXDUQznmjy4>cn~<0s zBzJGmB~Cdmek3}c+OVF4n3|f>!^d3?8QiBYC?&vL@(=1}oy5CPIy&qRn1x>R-R_2cv+8pCC#OvrIpDW;r{H1P%G;Zp0|hF+%z+%Ai3Mr1i3bQT;pCj z)hFez_&q;LIsV#rX`f3dsQ*=*%Ll79d)p=L&cj%J_`UU~`WcM9gc!`*C!59|s;S9Z zSs|Z=hD+bi{x3_39zC%8RUU5@G$J%$v0B||fXFsr0HXfCF_p=``*y9m&%VCM{QNn? 
zGGDkSM-Q}h&1x=P&gz!DaKRUo@ZcG)p)#gzJ@j;cRbRX`zE4pt;36XJG`BTF=APEg zcD6UyO1(3xHNYFd)u>yzL)DRTPE&hih8K2+a{g4(>tb0@D@PZvRXtfYI;D|!ZGTdt z*necCbQRmm)v{5py-;Y9dN2ta8BUe|Y0<^Ok)-k93(3CA)|4IPUu9Hbl4Lv2c2XZKIc6Z1w_cM zm7)S-Zh`iF@9A+~R42Fesh6m9uwbnceH{~&vE{Jb{UD)rYhH(g?{e-l{aeFI=YeOU zKw8b~6E64Dhp5tbS`z&=*wX&b+CO|m`S8c{&8_2#xULC0JG=DG=Cye75Iq$x09W*9 zIpA#GE;`B80HM*hzqnLmTbWUWpMbx?#$kD*`U&5j`Tmq)Ex@95s{iO`--&o*1A8w} zh7J!w?XhrRs|FCGz4E_F8vsI}j=@z-a6zB;J8lx~AjE+PpftD|UKsIh-hlpj{e#~( zbj>+E-JXIZ2%Q_?>Qkd_=qx%Ui1);a-PcDqo7e<>JC_52pe#1x?$uNWvwu(?2JG?B z@t@PZSP=h}L{c_D?DhwKfZBv>&|i_Aht}g$ILMh0G3ijhvL0+6D?~I5vu_>(W0+~stnN7g2GNpK_+bI`7fL=$X*6W@ocdH8%{Rr zfN=PeUWXHYL_xeU+zI#x4c4>{5Y5j1==~RW1Y{uEZeI#8e}TbJ$t?rqcHoWV=CW{} z?4sWYbO8SQH?n^m2Z97a$BhmlmI(Kp{&4C84~Ox=3hu+D-``x^&FgUhvF78_xtwqv z?$^`e{F$|pa0oH+y!XPNKddY)jKE;XhgaE?70u0K&h>tq^RAwhv`cA-Gp>$&dn^1} zsVM?=HFHEDAVX{fY{#7$@84XYDDvj2D00v{onfJZE<KW$X881^qLqpNJQ!o^L zgGcypK}ktjt78Ve#8rX3S5ve;X!Zr4)!~&j8>ET0o$c@AF z)BfmLU})kc_T`^jn!|=Zgm*D)w#pNiqNt4Xno?@;V-gZVvvo8dak4O~CJnYOaEUvu zE!~wke(otTp7#oKd$$oXIHeP=W4irzK=)$(6mZ9mwlZ!VJ?p<=RQ|ZRh+41!e|GNK zYoXSo(9OBgQZ2xDp7e%1IB61vmeV zvz)vi$>dG%lyoy&?qkw890b!C=ZHdh2_bvS!nDt(ylBiH#-RhSp2}4Y-6{*r$wVQh zdp1wz+gXNp!d^3Rw=Bh+i$)wRjHPbo(d<166*mR#qcI4YNtO-4+xnCL&|%w z3^tZ}MF7h*rv=oI#U7vzC~@4>SiR<_b7#8gXE8D~bRpHn*_i|ijT+gETsW1>Ii7je z)H1qRD9Iz{YP*UBJ75y|GiU@OcD!!^h_d`eH5SE@CWsN%1#6xL$oA2HXdQmr<5}IN z=5sgU8GmhweRjI3v9~Tv8+(U%flmMSov+g)Dft<%vcF{MFofSO=I9R;G>?SV&WN_G-inc}u;`|7^AvAGbZL{Oq`voHHYEovGmw`oJ zIPWI4pNPjExiJ>s>t7P|VqO88mygoCUaXBBGEKT?5Su+qKMsB~lyAu@A_8%n>?Prm zmizJqM!~)9$8|=aHuSZI$Ky6N=%Y0_Khn6|JND0-2=vV{FM?XVJ70jsWrWe!T=N`H|7NX_Y2$S;fi!dnAupm@_+i@Hdrecy!qY7e)maO>^ z6<#?BpvwNw$rj+920q@k_2Y+;U;pZKPZ8ad(j&s|KL9!^?dDYflQ;UiCq*3Hlfo8% zQpE~#9ZbRViQk=A0ni^0He;i}>@{=pE3ivFnDL$&dQ@Hf%|}n}#WGeriOktQ0~MsS zcu?1T#JlgNc!hIi)+PPW0}Cp=?A^!L06K-GXq0{<&C&SrNKaxTNDdZ|v4c;-GI^}+ z!oME;UAG@a6W^~`{OE335p-Wo_N!HZwOzjggLC$?G7lm%fzyR4!Z7U8@a-}1CL-Ja zQ^<;^<2LmS0mZ&eATY59|7uD9o4<0WbO{YeiAlMDEdkS+x@o@#gS#*u2qG)@v;VL- 
z^;c(&lONV6fGLdPfzwiUVm$$%g(}ol>x_*g`#10Zrs{$_<|ixs4ft{uS`i)#0P_tN071{$auW0etUH2@t=u0ZaN}Uxa{TzSIzmfJ9kOO3`2ol_Rkevar(QEHfrwl-#6_^!9>ZL%}kfY<7 zRU$xGm^z)8L6G+sRNRRH8WsfdEQ-KS%6b7Bm0PP{t_Jum1y}qQ{pg3*Q%dNse=LaA zLkXG${tw#mz{M|>f5fi;-8p`(6r)pR^a%9?&}$xP)CmC!kB$1j!1lni>ZAPZ04@F# zxG%2NRx=gYaI0RC(g$B(#Cs8fyGG3XFQ~6_AaHnPd7bW42P6pf!ceu>!tdAw(Q^Co zF6Jj06?a<<_ixeR?|=;HM(qm7cb`7ELW{lcon$cxpp77*Mo~c|poKa*axKs{KnQSu zgB#Pv;oN-lI^d??-c}_56>6)r@0X+C>JI7ul?KqI{*JvsrvcJwuVn6G{9OjRgNUx8Z+X6dL9y&~YP}F5 z+`&Aq-(-pyool0S&M~t=Srr-b@9h<|z&d6w@os?=tf%PKqe524y{zx{x7Cu7PjdBV zy2LkMzOd~7q6)Hl(uZ-}kw9-_rm&S!bD-M~6Pwp%LFMMHTQd`GQ_Wc#8P#Qn2V)Ky z4`OfQ+H&Ni7f(!ziTGYfpf$h2g!l|V20q$p=K+!$8)c(F)5ocm!EHLPYGY?GXX8*& zuxCP-i4K?=L(rx2pWuYFc6eEZ^}nkna9g7B;ZZn@-sDFMbgy4YyxYNn1>ax@TTJo1 zAw1HRGr)fm1ZAal?{Bj` z1a=a3`wEgBfs2l0!$Aqa`gg{U@94Uf^|f!9(&(Clx}2tPrr!wpa1EV_vLLrHUhNs_ z(qQf*;%ZDmJQ%l8H6*FCrI^ylbN$|*g#~BFN2S)B7nu!k9A1%Iow3HFeYtcas zblOA5yk}6jB{oA*W4A^+H@pug+|c^xB&4JPUsRK3L+_+G_OeSypoLXH2ueavAJLm} zA0{R?s$ujiLPD^sTULe?HSmjCt6jNqK$WPyoS`+s0Nse$RKl1VzHjzoZDd(gmPTZmf1q#bsHNvgv*%CbA9Q(F1( zCPuvpR&ivFpa4nzCp^ywmKdLa==+)CVKbF+)8)mXbjSqg^@-;-#Tq6MJe^vr#UZ#k zw$q3NQW$CA0@J(llJwMgx=~RBgfU$D@+@|&`%@E;NpHeb1takbtq0iGMoYuxV-BZ$ zQxCyJ`#>SW3W?)CvGnxM&CO>3A$swGcN$fsHazt?-2c-J2C->y&J?}8B&06STtLT4 zfIQJb-Q4VKg?f(R@y`5fag{rRLjv6rfk3BSOwgpquYvRnN0pJ!vH1;{>)LRGDP}kj z>+*a(9?#PubRg^+?N0|ZV_8|>;G}7s1#y7aa3Zg@~>_WwLeR*&<2ay>sYCuFX+H?Hd5kyj{uADufV1ikAru+L& z5@wNcacd;@FzvbX{0>@05#$%2ggJ?P7rO#{zwWrIVyUJY*kjJl`7`Vra+2 zJ`GAa7wa;5IkE^C*^vE}0r30cxE%_PCtFn72YsC%oRxS3Mq29e195n&x3FrDW(iV= z8j3iE!}$Vn#>yQQ%amQ2M4b_J$l^6Z*Fw$+MoACHVbq!l)mT-4KUJ9}j!mjLv>@F4 zw$he7Y5WMvXnZ7GjKern2|9TvkdM&Nu+E18Z0npJp$fr)bN89q0sj)eRS$E@`t%xy z&FM@C(}IsOReSQ%M3u0E{13HMsZIeF-MTe18N~WrgGoK0zKcG0v{&x)n|QXpGL+9$ zC+#pPal=XX;1@oVSN)jjBlEU5EQSV@#2=dLxh;hIgZ(L8a}CO)qKOB~Uh*Ml^SlT1 zONg(9V+P*tP^T1jo$r3MEr!GeezPF_uik=sjEwXz=nms$c`JK-&|$oBbo|Q$?3(fZ z-BAF@YBZl|PL73tBGxVbV$!QFjho`}eR>LX7wMKDf5l22@DJEY{f7ds#pRDpE1Ke5{%nzVDq 
z+x6WVL4CqAIBAe7HonmNfU_I&qW(kD%Z>2_Y^(*IK+wc_e0xZl8)$o|#ZMAC7eruv z7^q*fXosUU2wvc}^O`7|#b4szps!cvscGtbS09{-*&gwRpGvoi6K+e>0q)sROXmLS z&|(6)WmocyOo+JwZ%>mSLA$G|)4LDf3qCV&3IsI!zkha7P)5ycDkN6kEd$nB@6v(U zQ0Z!vTu`G7g$lY!9<*Lx{{pIV*EO^@u^S-!w0PD8QvOht>M0*=*EI}oqmJ0OAD=j` z=Hh-fr^7EQI_6<_(7D;Ox4j+LO%`Fo)5tlIQuC>p%HaU(myd>}FVF@Oc^e!18V|=n zuAUjy^-=tF8HPbwy@`K`Wz*$|IGM=D@4``+E%7uFb{3p0gnisWYe905&vM~UxE`}m zu&-y4$H=j3S*gD*wM|>2cz7=FTC~}obJ<Xz+N1F5OE^(4Zf~B5K$=x=`e=Lpa4n0`3PAvrbyY4|nh(el5wRiH z@CxrKRBI79GIzZt;pt}0sNXz9OA^_R@UJWC4O1?fB6C?U?ubW_n9LNlbN83Mgk-Uv zK@FIi%5YutPoAgLo#pRwOkn6XwoRKapat&yi z9Gf@twu;-S#4Ke>NG@_#I@9I8&xr@KmaH}k@5pHAj~kF{g=8ZHSp1<85ul>?VobZK zjJhyV!8U;FoftjVJ@Rv^9))`3_(5^>T?@GG zssF8rf+y7A{#XmFTlSXt|t1THK6fZt^2o$M)KF|Y?|^hy9{-M zzbtN+AH{XuYdsKH4iaKF{0+ktq5d?1@KIjmI(NCt1akFa_6 zx>HyFDfqD8kst3!EFxAzc@sBqOc5`x!3Hr*6`F!m7@|qgzrG=8itswC5c)6_aqqXb zAFtfR@N1NdT15&ZV_6M+S)zT%Crk@CHF?*9^%F)stKw`yb+A^L;QtaL7t+}g&{~tW z9G40q*ItY-9Az9b)TUKUw#@NZ$&R8@S{mR3-z)X1vrmJnY|o!r`M;m>h?O-K^H*u% z7@Y6CP!lYc_`v7&H{czK?m`JF6u=MSa02WfVK!4t53*Kbkiy%R=gayKPz2PTE_Sc= zDOkD+4o2uA5qOs%iK!dy|8rTu`U-IGeK!Hm_y>+}ibyuH=TN1d2}fR?f$~VRlV@MC z5K!0e%3~}P(+Il9=}0za^bRrqwL?!ed0c(ZFzF>A9Z7M%FrM1BR07hDbG856c%Jw^4x|FCprC&M&Zg`C5y-9ejSY1N~8J<9i(}mj#S#*Py4b zOETubLuS!RB_W_Y`Yv{y`7}0J+2COQDBMLXCOb+(;r$=qJTMlVh?m9gh~Q;Q?i?Uw zz!Py~=5^=l^=V#bhE!1p89a-@ z0R=HWdp;;?NS7_Suw0W2*2dYRu%sDmN2%_k#9~#j9b=h9bu+a0{5q5TX$1US*HKea z274)3#y-~|Y)+G}>!mMo)>B#h79^Wr9)cw)*UIBm0^mlt3Le`~OCJ5Nm%na;Fw#9pl+ zQhiRY;U32r2ckPCW7VZXLCave`}S<2FObDcoWIZ;)uVMm-?017%X2hPkkohltMqx1 zTy#EynSNkPuH*b{=XOTzJHMC1>#Mo+?Qo&2(#iSgi_U07X9SF&gzM_vV1e%*zb z*vq9)6ncebxE_Zak;Xp9%|e&sX1cfh7VtWOoh8AYlOlm1mBjwUm>(TJa(||}PtF|i zh{qyjC!Q?tD{6VUiv;d2R$buIyrDgFJPfkA1!1zD)U^b zdb@>ANnL%2`R8}-?2>~f0lQIvup5W1@)k=bBqSii!sMbEB@0{@)wovW_A1p=r9j=7 zS}jEaB)INaKt!(f{BSD&co6i|cBDue?5={GN&!5L6L@NyCuF3gg3~i)AqL@pSmpk< zzrcLjsq`_q-Ibx9$#Yjo7Dhm!R6AbcoMukG~)={_8`4(v0B`BO=<>S*hJz2@lFUg19j{>I^?+65| zf{-_0FhSPsA{e3*sMcA%ksF34K+v$pM%AVikoVlDwQ>jGM(GLGBjh?I)+33-ahK6U 
zkl}jP^3H->ZQv6MMD;Awfqq0j($>GT{J~kbs=fAzxy%76bk>c8!U}ALxCt4=v`%A& z7g&lEK^tud5KgtGed^eN>kc0BUOZ@EPd|p4gtcXXe75Gpd<;_r$(XT_!(@)^NA9OT zte7)Ex|v5?4eZ|xbHtnecDv8lU|!IeD|cL`q2jv++%Zb+)eG@V;NRpQl0$Ky_fdT$ zMSuZb^MU0yOU+%r;lYQ4C1Z|Rj%uf06wvyVP?galK>e%5Ehsd zj6CBt8_dy5G-ef$dv^}fu970G0tm13X3b$R3ku_<(fYURG6d09X$C;=BR3{V8ALSq zL7eq}i9Y-Q6?XS?FT2JN(6HT@sIpmPJz~PdYcf7;b`1fYz8UrtKSrP6J5|izXY$T8 z$3yNi066BeIRVmzNnxShq3-+(!yX%>bOZ?v2FU+QKHQu3Raig)CETo<%kn2>!tJGt5PhcBDX<`}Ya~^~@nm zJfdwQL?lO3hHTq2#tu|rU#+}b$R3_#@e6Wqa-~QMEsz9|$hiAlq<%}#Qugr5_F8eb zbpq5({1-46p=JenjSJ2|k$_xxB!NzQMylPx$=e2}XA1Vurp za2gN@gdUfiBxE7-tj~9-z)oZ7zV7vyF*=kE$3~U>qVb(n}d&~W7#@cR!wwDarn>|pa{`w)3rRyCD&)J0lY$p&}c}_Ay zlHN@$x%VhVqrm&rm52>e!0bg~sfSbnoB{(IOZbr~qKy^m1EF>X7#D;KcaKCWH1~FT z-Fpt5!8HPE7K|Va(sX0iVud|XTlM%>?ctMoM|lMF27dkXT?AAL(;OX-B+u<9n<6++Cc_{sOMS^t^U08oj?q3R>l51b;dLr= zyP)FC?y3QFV5`9x2sVJaiX@ih5*4b-(Z9XR&)THQ zGUK7;4-GD(3{qC0DwC(4L48uHP@o1eIiI1fAQs32koBLczO{q+H7wYr79GXU-})i}lVm7$<2T zival48FPM_N+DOPf+D^9Ae?Yia1~n7@gw7I4PZwH?4);JOYftQWmK*Ti|zKUqZ4(k z0%R4{W=~a~UW(S9?ykOxB!wg1DJ5W8m?9_)!rwvLvF?LUC+U?XL+2$oZb%E|{#X1& z3U?R%adLV)wl-_(d+Dufu$+N@cAF>kcv<*xgEvz=E!q^dvM4qr) zFkB{1Uty~_kb;I)?7Bk0qG10gixS2C3s9?hEtP>`F?fE@?st!ILa}|X%wR5Unu)@4 z`Zf33`Rpa}n)|gEH#T`Gu`Q+jW53XgU1VeBL3B|h)zLvQt zQWflDczbDKwM9-^9=I7REnQ?O;ASXLtGWg7qDl}@8=zj+w%5Sg z^-E__eD!6k@##hVFXo{@unLyQ#31OT2CIZ5@DR~muB9LZ$>;nRiBiIzVt*u!V0{N9 z5H(`h2`)yZX_I;&-$5J{*JJc%B@JoV?b%Zz&0Q{+xmzC#FaJn!9=n7_Lg2-cZW)(AL-3KkBB*6V|UxlH%>wM~)^WfaP=@0+R^~8@X zuQ{ME*$$nI+_pO+S{?tgZ9N8MgX&;?4!g}P#!ic`zR^82#J@fNCNU-q_VvchQbLBi z#o*lQU&}v1{T(s6r(yG((*-m574@?u?u0gld%ckBm*lpW!W z%9WfF6P4X+=#MM;WWgWmdr^Kvz0;i>=HSk>c?`qHDJ~DI)NMv=gBv$EBB;x~ z$PxL(!Yi>~Cm8ORnGUD3=vH|WZB*{Cpdd93ItBEmhydC41t9yUPMGlO#!!oO^lJ|u zbVikI#A#Ou!Y?jLEe#hm3iK-G@9-Gx?*kp-QtRE37; zHQ(>YF8*ENDnT!Ny@JdNn;jLKJ#N9nIJe@WrO~#&= zer+a7YB^~Gk}p?C80)Mtxbt<(WiHE^M#3yD_k-GImz?#4$2Arw>9J=%er|jO`*vGs 
z?P+vTb9)sweCZ5Hjb$Zf=UE6)p;3)n0Eb}u7uV~*a0u2oecXvJEM*TR_#`cb$*|Gl(hke4ha#YDNnra{mlhXd}w`H=QY+%8*${k{`{=wP+h`hor8^B8xlLD(qq!% z!iAqPUxBwYP{Jf;) zr%}#vIMedH)J{4R8~VoOOq0R*wLcihs(kz#!R7ML->AP+?ww)o*>U12_9gd{^qIqj zNY-ToKkO`>`0@qPnU~c}ItNc&joS2)NSqcd;tes*zgVXKWre~TG0aU6!@+#cKOfPP zS;`yk@}G3NcaT!^oqg3Qylj#pd?9XF?AH4AW6#3bYUwU1oXeYxFUYJXL&IU+jkRC4 zgu_H3b(0Yl)o1`^(vdrT>H(*ny-w8tgdGM4W? zXstZRnK-8#T)&`@J`*6=@3Q-3ZjJaA5%06<^$yALEde^FotHa;H$eLR+4S0-t%0Y- zrK#a6p>e)mc$)U9l)rsZkR)k|u=qO>k8VD~t#|;MSK(I($mp|_$##(Uv3#XcHps!a zV;GM6S#%6owgOfCRw61K*pB$+%>1DI_Sv{kVt0o98Ah~s(yn8(>H7V-&`r;UWlf+- z)&K3QV`Gy|X#_4NX_E`=gbhYx` zR@JZRfAN(?CZHlrt3IT=suM!bwtQLpG6sQV+C){S4woxbDEU4j)DseThxk(?f--*O z{Ek=Eh4PwoA(gtI=abW#VOD4UeFc-GmbKHkPfAaiaCl#MU+jyNYnfN?HTECvMQvj7 zqAtC8FKe#Daxko-e63JR0PUo1E=#)$qP?uEXm5;{Qla&*r0!tRCjj)0Q8s1Xo7;X}zFC?} zIVpJ-*yYXmVN5NF3;@ zD+ZS2M8@e8bCJMrQYxdgH;ry!-Uzca2TG3=25c={o^;sx3=zs*m4vgw(KK{lW{an! z8g$&c`nnQHj5jCFLh)2Qyj+A=bnL19pxuVMZ}FHFKHNX#acBl7s()HhmX|gDk|~cm zaPIE?dt}mB+(<`>0*+6?eo=nZ1mS_``UpRUS_M6x940UUU&&z+jt`Hg z*J)2UTn4#l+kR-vAN+sRy>(cWYui0c2nKtW2UP8-*V z&D~ws81@AW1#wMxir${;-Q!miE}73;T1kUjnzX9TIrK_biJss#&geBZzms}qwNX*o z=4@&u%?s*MF;4rSRWz7r{aaw7LnZ%1e3VLq%i zJk9%rLr-dG&jCvN)}J9Q=Fr_yV`o8*Ub@@MUkPpu(-q z*WilWA~4GnHbmUUq|Z_UXzouE#Sf1onj`}hg@$3#fpee~;%r9zQ9{#ue)EL};2JLH zg}So&Tk_1?#$?n_4zUdMR}eo@Eag#-HNexlBT!Qp#BM+V2YD-KcUS}u0*mPx_kRa! zEw)w@ZwG6u#+GEF`)J7T@;!#_H)L7z*xzeypzx=xX`+U*nU0+DQ!+2#i^hS%YTMlt zOh4San^^~{^2AKJ$G1(=ixJRwt<)~Y=&Ib1(aB2X8aU=}3Bq?{E~D1<6a%+zUGeBb zday5%!nG2UwgmxZo<;`OTIAq^eNyjvppAe|^~H0uRJdu6(SY(p^{o8R2$mUk%m-iE zCP?YrUK73$){9Tc0igU4Z5z4=@E?i?cWDK-G{1e)<_~esfJ$VT^XGmpHHOc;Q-jRGfb?MYX@c4NVNB%$r%W zrz!UO7ya2TnXY|zj(@yuTQW<5(m4_ZX*a7+GP`a6>Bk|*;l893`GO(Gr7?>K`MQ&E zQuack;!G?e|SVAQMLV@u56KGK6`7*pNCYNe50_FGG1T3nX9Wg37X81TKqOE-g{rMBOZ;lhVi zkTxD2PMT45&6oRio+K$@QZcu?J$3&a9Wl5aKo{Gk&FTJr3*|%@d0OG3*N{I@l{7N$ z=or@^zRl3hD{|DaQ?Jcqpuy-=l164zdBjPlEE3dQRY}5C$neqBg)mAegqua-I(rd? 
z>uyg(u{i?zSUwuvw5&iC*H+N|o6XBdl4;sBWDk0jiAp^WyP`r=2?2ko} zvanAzdzs-CN$>S_X)Bp%T)Lj2RWsjRj3ojL*4qr7f4 z;amNx6?3FDOR&BGhNfmU{BR##0rUae4ng*r>AlFAVS)76$Ij9n@ZfSs?!~RvWz2U7 zsOZafHZXzxlY9ll=2_Eeog8s;#v;cqb-Ucc5uWmW%gS=b-d=|MiTecT{>&@&U%8DI z-^o!GAJL;$`7v|5a)&YB4a80muW(i2<0&(A5(i!f75CP=!>8MLdmaOiD?E=`SKvX? zn{jgKEcgqK_q}v?S{uUa{a30JG<#ADYCer@(#FMaUL0TIruh6yfPhd#)&xFV##_Y1 z1L~sHBmUtTazli8neP_>hE;Uy(0;LOqFDk}K%&jE*p$ds9c4t9(^UveQGqHKm#`M8 z!xd=b3uVcfZf%eB^6=|Lsq5&1j@0@`N>SnTe(A9aXO$TEF9d~`_*^${_xjFjp&W-p zuHnSjpoD3T5_`q+GGHN3$g0brK&+Z0D@{w;GQWA?$y7(>cYc*=uXZkXDEvuOgt6iU zxa_iguTwKV_^TJvz!7xaFa0fU+LsvHi3gSQfHSIC>N!^NqlGq9PR&asuQVulO3u1? zbh7`n6Op>>01{ivVq-T2dky}8k@TZ>G`Vl}M)1fN;85A6eh>N2!$9~XS-d(zUI%&5 zIC?)0Ncc(4!~kOgzKemC-~$FTxHA1zK<@KH{w?=ifG?1~k|VfRa~;K9P{{hC9{rcE z|6a9~SdRhPacV`m3KkT^HUXe88O42>ph~$IhJJ9XZPpZVA;7LreOr+AwvDlaF|~-6 zu>yFhK88aMJbq|jf$B{!)AlksYybh4EMh41yy)~^A&96P?je=Ruhd+%1~;fOw`+#l z5Wx`U@NQ~YOOLN#MHBqS&c^fj9U@b1ET|7Rq^S%a)*%H9An@6H0ib8{3r-A*24DhB z;N%@}Bk|(7Wh6X*ab5rya#zT#6N3*%NMPJ^Ni;hBw{@ z5PU*KE?aHaQ8`!%LtR|O!d1Sw5*L1pPzK*Y9TVP=#SnTE z$%+vvoq|8Vrna<$X^1%K0LlW-OxfFY5RuAJjVN$Lpl6kW4Q=CAvl2K`%j)4pH`!|N zg;Hdps#2ilxF!uMoqG~b%YF5h^L_$!Hh$3DjB%M|HcZ$#Ptu6m(~_CPw{9LG_kts# zE$D&~HbCJ0tz9`;92BmD$(ALbKr&?i`WwL9f+rOZ77rHO#7xG0YMT#PvwISMWAjj* z2)^|yf=6pokSG?sUPNA6G6G70zZgOd?%LFE-!*kYc*7?;%nj2N&cGrHf%7W z^o$81@RDS3)ehY?b!7e4B8AK!fr)twt6!$3rlwIW1>k5s-K@Yl0b?R(z?-NDxx}rkZ=o6HDgJSxnh@N9rUa1t#l}drYFl z_Jw7WZDk!$a!o9rzHGVH1Fix$p7~7) zfk?{i+V%m{dj`WZ#?OFbAAXmLF6B2Sr6LoLozC`N&*muR8cHTfo9w z-QnUB)T>YRFrAG`68IMW8b)rSK>i3n1h$1YH*rkM{b&eM2RVLSnsvz#!FB0ObfPPS zS_}z9r&CtWyMCaRw6O?eNkkX*YHp-(;rGwhU5F|NO~;a+f6^8J-!W&)+Te5Ar#476 zLlumzLqZjq-A53qZDw{DxnWJgQ&Uy`vc>h z$I9#&QA;#S+g@Lb8Y6ODE*K*8YIU@NKuTl%MN0cy2?PlhWMZ)2!@?M-hhVb2^XG%L zn~BAUv)6g~o>LLN0yY{UCr3nNtan-8K4q9@)C%5OnGU%lxfOC)tkNxa>wzfMHOnU4 zqVN>mpD~MNr~Yxm%*62t)N|s5&k%vRGI|f(Y>5lMc#wa|tw89+h704R43;rt;!84M zHRy|kc9Cbx=4MSy4QjLS)eWi@%$zf!8%FR2;NcLa2rLBh*FlV5zzs4p@lO1Ly{O+M 
z&x`TNR6Yj>Dj@Pq7`NRdA}*K(f}{P4Ru2|BS~9WRMaTiYWKIiR99$g%4Vbt#iJ?$! zqRKk7rId0kA)$@?vc&r4Xql=CT<)ZrOFfZc+BP;QxxRx(UB5tc*%!Y>xCCncj*z$@ zUZYy*T!_jsPx;+?QYkfEe(aO#;)To0;za@6b>1#EA7#LE_@1f7Y-nn?8vhPW)!>I? z%aVh9s{ZONu_U<pxfYp?`7N>icn-SZbg!}uJ@z|9O~I_gjG|E-#ktl{+3~Bd(Pfy&rrhC z|B-8U5JzdTf^f-KxBJ%Wn4jRPMq_P<8<+`K{In(**rs^;fOP*Rp zPjgEZ*CPvFt}$8HKA=)v5@kdQuRl8BW|@zKo?ygOzMNUkq&=~w!@>C+Ig#4?-RG?v zXfpPbXJ|G7=a*#CC5!ZG9B`fElnZN!!USJhhl~wf8SI(7IV<5U(sExXfmp{%Bb;6G z6@P#|bjwo`0;`}k9;ip+tjS>DpF&CBKO~WwN-?2}=&tv=gxInDJe(O)^vFzuXCe}6 z4s94(Gk(*`ENV*Gu9rV0`LNDw#W#N<^)Yu+uqB>Ojx~*2Oc7SX;-hAEQ}CMyp#!bw z8R-2hVP|m-QVoy9XvI9Geb&EKU_WzOdq3HZDgk@4h!|| z?OS8wo71X+FNJw9RgE41Vp7A3!y!Y^WlxUE(C_0^{%xR=fL3)iy;BF`Dw)PK*A{ai zy};>_)kMcUe&dfHd$^6(7`+U(_cmyd!et6N6D`ebIO^U|tXq5W-PX7Xc9D+LB$=Zl72HcZLbz!A9j@aU}P9W6)_y*XaTrLb~y2AdB?$N3I?wI5BTs*JPgU$0Lf2 zqT%sV7J%28X^lPr| zrIEfQoZ||M=2zf;;hR&C5bV9_PY~(`(Y7=T#bJ>`Qx?>JV3>^pgte(mST?BEe*n$n zFM2oC9K`-}WYViwC1v`Omo&125KDc9UIAAwMFjcy;}X8Fn0I^RbQlShpyCm&!M!lN zBd-X4yF>eSKG=omC-sZ>$*>Hsvu-Au^puC}96nv?55%}c8iicTKMC~rC)hufAzxxX z>0cBUJ&KVMk32{^HljfdB6}2Y@rISNCup&5m26+Li}nRraldD2A6Ffu7!HruM?epp zTJ`+@8ilrF<17uDFj@0{GV=`6Pqjt-))!KL{@j zZ_6v*yMMHMyMxXgezBjIp*tUI`HKlMv!6;;wd;98{7?mzy=g1+0jec|6{5KpfOlHi zf@1X?aiXJs2ZV_FU{y>mEimd*_Q5_$5n2e`@h|u|OROJn5B5;28b5x~U z%sSxSA`~7Ky~#!k+quK9;5@_(~$pM$hzdK zfq*uo$zBCFGh#g%aj4Xc+B!F6P^?a}3oMq%OZI79+$5I;~Hs z|ClGX6@KOkE@v~@SK8H0pBdxe2hY7oHOpxU!qU9e6nt6OiZ0z5-60S1aN{Eg`-C*& z@S7Yo7qT3YoX%!^^_FOY*?BVg3UcR$IN?lS9O63xX8@^EA%AXkvBQ@dej zVR8B5olnnSk5$#z4zNFVQ5dhLN)4|L;IowE$ceom1YSKfm4c|NJ&knx8Fx~+rF`BH zAK=txWfcAwFyO5cLxgaN!|eO;$73A2?+N0D%lgu@%FA?ba=DzRJUHmBDBTGL?V6Z? 
zIloeexcjzgBrz8JlJUSfkP1$&f?GU2e>r=z7Kt6d12IuS<~?VZavpVIwvgA!Rx_a+35=M{Aid9zd5!i1GusC$e?eEe)OUpP>bbHFx-RTW9Mm67WiF<>b9K9X zs>yvM9^!gnQ58w$NoDUa6;iXtN4xuC&*8fo6RLAD2XuiwMU(;PF7W;@yFi}26so^uQP?#G*>B2{Gh?i`LCXUW=Yb|W#<)I!@E*^7buZ< z{#pY-y4r@k&*+Iv2l{GP?ZcoOou=KFeB#{8|7bm9V#IM%&CI``76wUj=U(S-`ivGo zO0mRKI{=C48Mo2tY|IG%v}Lc%H!n*WV$=nC`6Ro21yZ&5&>f;IWLuBCO#f%ygjtRm zs9GVEm)KTrxT@NIxje>P8aZ*E%HF6-n2+WAqv7*FcGN$dL5|Mp*Uxe~TCx8NbVI7d zu%RMcukMIazxTlLYXH~uFr{8jrfsN=77lo+JA+bKH;n>TS$h(>?zx=4fjM2(P-=R0 zU(KNo$=jFX)qPW>b)S!wmk-na89c`;IpA_a8{bH-ZA)p3u&c1i{^-sf=M&OJJi)03 zEc+|6<2yeND{)z(B)$zBK5~in1*AgZ^x!1Wq7Wtdc7Xy!+3F06sTY84`H9mjCbf=i! zJ0j)d;EikZnY41P@8o(H#~zGaKDyFyjVy9#dB2KFogZ@!*QOaL@k8yGRN^M$kEKtx z6`VI}ku#fmUk5xrtAig8pI6m%rG#tc7T&T!Waxs?kd-~?@1lTC;;0A_imMK_$RqVv zuf7g{V2+Tv7}8lJY1FD-KOXEDM;$s?L93JOn<%c z`}v_|#sb8s9eSFjYTOj{aFP&D14m*lW~p2f>iCF3{1VV(KduK(6^Gxu& z(QFXo4~=IZkpO&Fw4&_BRRH;pq&4CIfV!+cgeaNhXvTt_RI42-tX70Ic*ychifzD zYq~$g>>T|VNbd;{%EZTeRsf;2{3Sxkl8pdu=R^)K@XM{mord~RvDy{RZ%`ZCKl|p6 zqw5CUb5&Gq$G%RMO&JOOytkI@=ZK6v><=_@wvk`t6e)hb?3&KYtHdCkxOXmQ^GIW_ znq(BZG!X`!o8 zL4s*CXvkf2e1R38QrcmG!CRaq_3a(`b3%WRL<`xao+!7tn#mdhq~*y!w_8CLVc!cO zx$}C7$5sR9jiQ?j7cH)g?_m1tcFARg=XntA1pTn>S&zI>tvphVFYiTaerGRk!7P}$ z3}EvGgAAE~hjB6ZUD5({#BMmE;!pUMPPwmyJP&d5kOY>a{^DeeB40R@ydxrXxRbVf zSYx!v@g%>v;-py=t8{gz?fuYLcGIhY>|4{kDz417t``;^z@t6d$=iK&>KAK&kX<@t z(2$I@S=FU7gd{A|pJTX=7DTF?Jr#N`=dVyNAc%Co2#<;4qe-0)!Z(3ma$fKoBWr>#o{@X5QvgzNSaZlHz?$;w7@vIwzo;MlDcGIuHtWVA8A{_-c6K@56cpi~T zKkQrJGva`HUdO>8XGj8SBJF^>(`)v30}#+G{Flr?unI;IiRd)I>=+mkz0$k7%nEMQ z%mtfl&_C3#L|2RdUD_yq9@aG38^eQH+X|sl1!YjvZX2`FDj)1lA%l0_?a#v8mj^Ow zg-GNTUj{%mGnrioKYfg4W_CA|y;p3H%;<+K;uSM*S6ADwf3IThs3K)bvI~$O6`90{ z5a$C-B`46uI=Gc)f|*J#mb3PKOwfNZI2H|XrE^;Qse`z8>lI6qH@cH}@$UeaXSA>0 zoN_yZk6M0yEi&ksRGX8!Tw=Wza=Jq6Ni}t&ii~yakLK&gP#YvvTD78Uj8*4@=pEf2 z+L8El|1GN#eusE1)y`eh^1z!;i+6GXfS2M^@x_Qz z8qvFsRs^Zz!)9li|8tl8f*V}fin}+@uB=1k&IOdPh`W`y=%u2CAYS?d7Smlx5w~YX za~ET@1Vq;PFkuAY>AuHr7+PU&iAMNoye51_;%Y?HSLaA_uDj0*r>u^k>htw`C{^sY 
z7X*Tz(!dueUf>9TSJ%q``HS8LARZQFJU+M))Ih%%o$&xrzM2LNuO1lNIrI-j3(0=F zDKo=~yrwPCyz2kfixOtKX~dx>BZhC?C>Z#0P-tE7{LV%Iz4K#aA-@yEsGIG9@CG8Yt14ZsI;wFv4;B_ zx+|roQqCqZ!q+{_WJ}8@Zf>~63ecJto%qMrXAyxAvs@@HPW0aj+OlhqGg$C8;b>}A zZq&N&%A({=mPB2zhD-Mwz2avpoa;{y*|?5Z_6@ev}n{#_UxgG-6n?4TWG(;=EZbEv z+dZ>osz@AIUKkf$y!Vo=O~Z$)kC{H`IL90gh7az^5`9&g!`!rcdg3lzHhn&wR(j^) zt}GO6WX@tYK2K8$MDnhJy{Ft)>0=)uIcMs%NJ{HkW;nJNaFotiN!KK;k={sDU9RB zX;r5#L>soD{Upf?&S2id%jqqTGF75t+7IWqK!p-;20a%xi&ch$77&b5zbn$hR4So3 zf5)*1h*S-u3#NqVHn@!lmA+DwbylLhp{8$gEi3FXR2&=NR*YTLsl`W+MdReM$+(jy zH`x`147#PB<7q8{d1$Z};NX*ka~&is8Sjj&IqRJNLjF3uP8(#0E|IBXqC7xKS8Vn~ za)hH|8E3ts;b|jW4QpIa-C;#UyR{JUxqNe(Sx)_eul20`P334rIceSNj!q9aWR^09 zEnpM_3=&}bg|WZ^evZU1ym8|W5FnNyM%W{_8to3h*#`e9TIZIkgMdCl5MahX%ku0s zLWqxY?s=M-_>=7rHv{dK5iyxAeaYe&-aQ5%-{>^9i&n{ zk46F-(QOCNiTrYg8KBu=AwY6LtKn-P%h?0PgP8?2zS02)czEg>IhTQKIm6VWHYs+T zIBLThiVOtM@~{-ZZ8*Vn6eImFuEW1GeQ=sT3*4~_C#3rwHg*Sxd*9s?fIjhSJe@Oo zlASE$NDP2@>1Pt0zba4wEe9k1BP8*86x~eAXGEP;JuUZBIdWSAwiB40bf=w&F7WEO z{jG1Rf$1UDv+1ECL#FN&OSG$lwFOH(k5Wk})SPSUHFw>4)wXJqP+VA$NBm|5L%LZpj+do8W-j}(REFVsQ@ILgq%$tGNkbiNw9wb$+5jf+gU@xF2%(WqLDLdZLxka? 
zRi*`C*}!L65#2gRCFE`f8iY|M=KpFOmGe6Vk;&LcX>jxg%la~~e#WIA6F^g-VZFQ# zs2Ae<_2zFtShD=Zd-#{I6bfEy|MfXFAaO|u`YEJ2^JVw}{e_<7U-CA!C?TL04r4ImOFC>2z>lu)qVM_1ZqQr-ZUAWangocIr zj&ym@@|=S8Cp`ijVA%i4MPE8*fQwx@yWNS2O?Uj!Iwp(BifO^CI@z+_hsOXmQ$c~x zxY)M-r17UV=V;97zbYXAAJpiq1Bs3yk`>!5dx!sAC(E6wnApoGl^c71Q3Od-g=)%- ze@L{|q6TAmie&JGo~ZZF2mq$utNK&sfEJ?2NU;1KiTMAWKt~f3?quPNtw%3-E?mzA zUny4X<&E<3z^1#jiMFTB*5})z?pt=|I$wQuTFl>J#qwws_T6ZK!ZtHu zqR2BIfxz4=)&`v7MM#8YJQ_R!t!a8G|NR!x${2R7IjY*BRn)DvGDQr}42?3?{KSYXd5I^n`6Iy%T8q&q4Hi@@sf zWqJ7oIjP4Fd9|F4_`6RHI~|{H&kd+n$l8nT?7^runr;!iGB}!u7jl_ zs;z@B7M|98DIZd%-_PsS?qrUrCYj)0*DImQr)X>V{N}0vYtHKKcA922CoYMH95$)- zNO7$|=0gi_X{-H`?Vv2G-POZ~Z}V)UEk=^W2`Gc$&o-W}p!{`jJTcxMj^9}Dsq9>d zyHT*o*3gsEet*yGo2JFR`N#aFWw|?iT`rXe+jg}t=Z(kKzORq6V;9B`RHjI1oaVA% zz+~MwzqL2-*^}isHgj?~PKN^1dIp|vU&-JR11e2eh6vQdRdxly?Y}yU@4JD!4QP{r(e~<<75l~_!fF0p!WgT17uP(U>nQ_Iuyw9#Nb@+&n+vUiD z<4{WKxyX6*>Ew<0gyv)t7G@qylCi@aTzWI5`1j}GR(rJrX5#puu04Svog z8I28BeCow=uRUcl$la!SeE>eWFO4mb)}5xLcKtyqM9!Zg_e#6qgR?xuAAOMY;z1pR zJV`w#7}N>YCg>^Szmj>=de-~bLzo8_LX8WoiIOFs;gO7wVVkzTlZL}_PewKw^=Ku4 ziQZ~WgzDN<48a^!^ODjH`RSLb`rSCNIFH9nk9$8QT5qmP_EhZ?0~3I~&x{EJH$6h$ zz4N{IUSTTy{g<4_#}3!`?3u@@d1%0%3*aBpJ$&f8!L?t9oU8s+Gb4UD9X6of)Dhs- zxehG7_r1v*h>4@k3c-WzHTbd?+HZ1Ak{W*V#$+ z3fNUDqU{e*6PAoe$$!TRZ7qvnj}&|5vpQz$5@R@KyRp zge%AqxNm=Bgk(9C6U<0o3fXt^0lL-P!en!_P!;2A5MWQQ7$US`$sK@1jaNG3@W0b) zU!NlaNJ#}$-qgJoUvsEaE@lSMmP8_kh$qID@*QA!8Qr4)lUf$E=(Z_2>M7_JJw5cv z?P{P{ya4eVJ8RJai*wc>03jXPH>t>G8|<;I2nD0s+2b0;aH=Ua^)o2CFF9mq^b=?m zqm#)ntL*Cny_vo*BmoqQ*sN4ScKF!OLLwrZ}-F`v5wr0YqI04BYUcvl}kR->Y?76}*g#L@}D9-w@x!Zn;%6 zBA^WZ_7Y%}ywX^+F5ztMD|41c6Q|VB!cvv$V7C7Xus5Qi_5e^h_F?3rg*x%I^! 
z#v9;P=BVio6Q^Tb9Syl4Cwn%+cJ7aghsG`U3lN5%01e%cfZLoZ4v@D8KTb>qqfTz> z4z@u0yFY06D^sh#=W2+@hX?)yDwve4pul>;6k&&!YKr}$aroy3j)nxg;DJF@Di$%i zIJ3i06jTP|CMsu#>$7z8(jCz2C#siJ%wNB%v)0&~Az(zVyjmEj6WbJzGQy?6@~ zj89htJg~#xJAwC*sLiHHaS2R9pZ`UC{Fh1SUPEt|9>Z^n1|voJdJ;$6Dpk+)vd0iA3cg7kbR5gTTCJM_Kx`t1%P8u{?@DoCkeKbxz57_aB7_Z9wQw#9Fw_&UrEd9gBvGX5%9GMxRzX&;h!zw_Wl!(>x zCrJAU;=#wz&3*9Y86|)5fBpY3P<^S#7^9|iyPpGUGKXZJ|NTG!r~dNj&ks0f@ed#H z7Z#R(R!aV$NK(2khw}%7wSR;*zWkNp#6QQ6KtIgk>)c<}F#XT~nlQ!{keS!uJo-;rhQ8ZGrPfQes$yk$yq2w1po;ot@;h@U2)Rmc|fnDFv{aAa%1 z;skQty35ZKXw{|caY_nraRQT}pPU@P(MFms9ovV4Uv1T2zQGlYr`R)h6xV|jpmYrs zJ8yr~j?5W)|KX`x2l)q2)!!fM(>!QgoxN?aW0j!AV=$Cg(G)F&*Pyv-J|!ddY|c|_ zJoQ$}V!jD}j_G;3?LMh6wtI}kSp3&Y|CU<*!oBs+D(Nx~tm>4Z`4e!ry zHU)pwov#Vt`gUBpH>ALoE4IB6_8JZWcxcQI zlRrbGmL#iY#7!f z2IvHP@Lqo{r2NxtVtAeEWR^@{1Azf$*FdD+Et>Yg;VeD3x2bHhK1 z0%!x$=z%O7z}^32YsFCSgNxZAj<@w4uj0h*>97g=xTX{;RcIWeVb5*nf$nh_=xx3v z6`w~#==x}kzEGaKvRE7ZIOXIYjuSveu=9qTnfm=%6l5H7OPw;DzGxS-Gv8eZ8zJZB z&H_@e7oe~BTRi>EiBHYlfLLKhnP-=;9#-wCVESF`BmY7+Pgt~Zb=PcC#NgZ_#CVS&Z-0X=sj&;^5yQjMnJy1rm232kke z6u?;rup^$Q>juk1`M^1S{rQ#I(Nf0^;O;mL9QUNA>Rw_`1NU`$w5exzPmh3mu=oyD znaj%K(mi11-TVUQe2)9BjnzmI(SVNQ-4;QmSkag0eHOr-@+L6fCm?4_*&hHdjUmnt zya^znIO}D=1D3*jpV5}Wf7L~Qcdhp$Vf1|(dO97zWe5E1(9W8`z>tx%WD-m4c&mpM zcyQx#>ye_yV966Cc!G1SW@ctdVC95XxeG_@ z+iO0+!GGGHJ*y^4z%u0RTa$pIwTeyj0*Owrb}VEEthBHJJ1$kR*|B7o$I2;zZG2OV zh$AS5_CvNSwWP?szfr6JocIF1u_vINoX+f{1_!l_IRrr51LNRv8&PCg<}!=>KpXy4 zqM^unJvmsS?r49L`D9!2s&ZVfUVFgBYhVN%*@o1%Da9!sbD_1V+|~fwNAG`;BE^`V z3)gQKqD=(9<-`4Gn=*WX$GtUReFlGYod)m;<(Fa}rsX#9*6;$(jSsKL>FC7Z5{!GD zdgwfzdWp8;EI^%CRRSi5z?J`@&sDCc|U^!Z28LC?mLBev*bxh94_b6?Syk^e;A@PjTW*E0#>j_-6^-D^nGxN zx_R#)^rzi7Z0miA3atWwyQIYs?DCzrIUK$kG~fDJLREHLA~kN0ogx>d72RWE?-$}{}}+%{9=J^df`e0X$M*KP4V zX^p{j!>i{&V*v=9HmVrMc9DmIevFF9AJxY@v<%PIYim06T<6H!B6x0&eEiYI*J0tY zF`{4ftQ42ALF3{E@;d3pF<7GU<0TX;4!yL6MiyElYZ4EMW&@K64yu5={#!qT9uD|V zx$IxuMKcZ?ZKh?Vo{c#Mud$;#!0M6$K)4Q(BrO8V*~bP_6;AWxA410jFtOk$szg&U 
zux5q$rZ3^=seRy^nrlA;=TMLmGoo!E5*kf-9-OY0`dF%_I`gK<17x_Dyqo&Y z6~NjQ4t#a7cdjZ%c!PBXk4WKSbzY%`%)E?8K&E#4;R!z25yk28u0B{PNC4Ke^yX15^=06J?^rmXM{A*OBEfGxd@+E6 zL#FU?UqL3d5$(%CPG-G+Ie5cnhh+A#PRz(U+SzmH9PlshH}Gz`vM`tnTdh9zv_6E- zwT2ZE`nl(M2YORaCwyJzo(8LFnj-nk*Y{?EEw!(ngFxrio`HA-*2}apw}5RlSwk1C z0~8^c$_*~Wxj1rG8S5jI)Rc9~q14Pp_K;h!114Sugg&F^9<%5E92lU+gvm0Zmy+~m z>1tzBv6QFiS9>P<7&_zQHHY=-+GhYc)92Z=40hg z26zR}@dL|Hmh&<7P=Po(Q`4E!!HOc+>y69DXlEr!Tg@{_c3jRb>>p0(W&%c`50S}(pu1@-)zX$5@X zQa_wEMC|fR)}^{2s~5|+%$(TQZ9nxE?*%_xqtEAX_z2cuzPa*B=Us74kB4&zFh}B# z#FnD>AVjf`VSMchDowSogX}icA+G|or|&1)!`rPTe;=eL^}rbUBY^gVO2MUs0Qf_a z_dFcl=uStm+gKY85?hu_nyD~jm?2^{Q*P>FZzJ#-DiIbI)q#Nl%T69etxGRJ4nR&$ zmM4A(JPGo}ro@>QD92A}ismlb5_6R>VM&jgN)yBhX<%;i-^7V86jEnZ1_q(_YYV`fF6sgi_^3hqPhCLb3eW(3}itJxzt@s?zpwik60F^?_v4AuJwW?7F{-O3$ z`g%V(*hO6hG_)^ST?gfrN*IWLXK{}6AfIu0HDeRzh9*cT8bb2 znd!hyAuvcoo5zvLfR#%1O4W5e>l;`;--sIeZ=T}nWJjqG0jnTAOmq5uMmc%Tq)0j|ZC zYTD#<8s_?EhEQl043yB^ZbsYb?CM(n*mDPNhZZXDd73!gZ&>IQgxgLZEY&XXt28ZrX8v~UT-cVOT& zjVXWuYjA}scP!ncN_@JI=`g`Yl}MZLV6J2um_ht0=tCO;|7uF^Z2dv7VJ!Fb$HyF< zg)Ty0QO zEIe{uWo9>=vM0!Rx_E{o$veJ!UU->oOnUhw0ILBrN}N_ah@D-iZs5B_&yw=O4-x<7 zu+Cxq;(4LWc6TAK7e6ku&8|OMS=Hw`m@m%Rs5vFoWd+`7y|u8w!^eU?;_;vMN!^21 z>(su+=U>tT9*)g;?C_bF8rctxxai=Yz~0PaikHc11OrMy=Uo?+qJ5 z_B)IRLg}9#M1`xQtDDk^xngjg?(w%ag*T(^e`=AhGMc86v-EMTIu5?yAUu2o`7ka{ zd3pNI^vlxYkk@fZV@J7b4SHgGee}SjmQ+V|v6b#5B_&?k4}Ty*KYzY+x}yJ9$F2HV z{i|r-*A2O1YSMXwi(6VmFbx}hU;8ieQ^(p@${h{n(0(?2i7Y5P_>+u>Km&B`+F4Wf zu}l628^CQ7W!{P{!>;O(;AtjVg3EcqjDzD2m0^0!JL;Ze&2Jpq7#m?R%ZF@}f`N8* z$Q8fh>Glqry54dxDVeSY?<-iW*C)!(0Xv>+`c%vWf{fafGd6Lk%`bXLwe+i9$6rR! 
zc1T(!i}D4c)f}SwF7gb4!Krl3+l+dd&jV*0XolD1%$k;~Qkej>tEQWn_I|VzSyC^%K=hHnE05*eGYBrM>fsHXneu18DMqG+4n`x$!J;k) z9qg^g!zA=vRn+c5D|MM~ZWy`jHV(QxWyk&MPLT{u$r_CVW;#y$r%FYXr!vaT4EuKG z##>OGLW&Ps5ui7|(%>i!qVzt~F9;9NFaP60l{R46ObG|>X7p@tKOsI_UYR^O5YKg+ zzw>GIL?OW(ZrDI_+SZK$-{GJtox8w2y)UAisHMm=k)4zj5~D&dPP6T6F>v}U|HM&I zM?~p{nvu}}m!rwU*`mm}(4gv_Cnabw`pm|O3zN^iX(@2NbKX}hNkDRIq5`QNg18uP?>&3fG<57TK5Mj zwGalzNCM)|YN5ZUMTZ6LRLRm-daI5XOhybX$Q=@5I%c288r`Sg{?um~xz!foOjc{eM<$MS?0iw((s z3oPqm%%t(Fyn0fP44U~7gPHrd+2PZ8E**)$a#(!>eY{H@_BNxmQSPORDsUg#!B9)OkI<8$!B3A~K5eTUGI^389XnL%(cuy2@w$8$tW#Nw ztaRV0G;d$NJ@Lvu13sBt{!U@G{^}F2m!cca>@5(NcHUcq_bzHw*Ez?ui3hm}&>+A> zB6B&UY`wvb!N==RndT4%G;?`1aZ%U4vm(?Mq_UmZfJR+;Z?sZ9VbssXw=pC>VKf3_%Th;A z##aKKVU*fO@LMPZpnP9Z?2u9?;PC;?gGF4BkHkJN z)KLo_vUX@%tUIbqPK74tG8k)@MY3!6FI<}x?atdV?tER&eG>Jkq+lqF zq3FcZiERA9TJS`?Ql5n@YQTos8rIr^@6xuveLp?n@|V{oANvXo6mIL7ocr?80P&Jc zsW&J)AT|3LgT3m8=V!>fYa83Erh5y)jX6VB-GjcnPcg04hHsm+Pj;+@9vtmukw<+E zR}p35Wx2TZ!dAgVc72dK@p33Mk5YD;&Ob1a+wn7QCMgrI40}pCV?3mjDEtcUO)0SC zm#YDZ>O8-{bU5ePT44dL(Zj}T&1Q1xdAj|Za?xLXpb9HZrzv zOMB@GW#X-?sLDsoIn@^;Xm2tgZXFo4#NwobE#5EADb1OUHe!%7!H$Stwm`yStw^_J z;R`d6zkNA=`T#kW8<_gYim$C${DAuh(KWkjwUkeD*c!ad!>T>7k6u8rag zbdqDfZ-K17mjmPT!m(u3hIIPpjPXOEvhZ_!wrO|wz=O)}?G1;(F7wuf*mRAuo^4}i zUkho0REA_%>8~1j$Cx0xlP~egJd)k+kvBo?3{t+EHEw#Mtl=bf;Oja}D=qGe0FTD| zjK!X~v5EPv$YU#BaQL|+>pz)sj@e~?>zZtWy{@9tAxSI-XU2)Jue0X(tq2E^L3XeD z{#>f}`)uc19&PoYGXf=%L-5?Y3J?%I?Fb6M|Mo!?Cl3kprv2Kd(DYLk<>&gl^8 zAG*>6#f$i+4^)10Ea_W3JX#CJ7_@Wr8`&6E?#Y>Jv3(t+;XE=K$&jqdSETV$sc3tl zlWXl}eE&e=>HZUTqRejxZ-(L@_xY7r$QKe>`yS(?m5z zPqx=h(NmWW0xO9Ms9-cv=Jz-S6U0NZmT5PypL_C99*_ovGV}uUi=9 zg=WIyKTMBd#=CnrvTLfm4wes>Kz3=~ZD>~;*_b(5J9}X5?G8<0w{MWuHPOL(-NnEke!&;mHXp zHD`gDK;(F(t_c#m4u@iqF@x)bVJ?Cx96Oi&%7xzkCv-2BH5$*IUO`^?hBVQUa2P5D(2c zgi1<-l*FMVrAwr{8|gaWpSjf@3P4hgi|d*D4GhyGd7P_5_+pO-JW1tW=y(|PFyyQ z>~4GmMCqTgy%@%u#O9T_z-nI}8YdIlHODz{L20eH+lG0cK^R`^)3J*dfK6-!A=_U( z!c~~rvv^tYMngkYgS$U)bbQoqX8WDJq!@-onv6)Qupw8D{r0DoWS*hDzk*=$_QtxK 
z9fM?2z(Er&dFx`)8U7_K_A4=8n4*pr!sU!#f7tqq;QWTdQjVqRs!#etQ1@M;O7DZq z7D<^gg@WE2Wc8XY=H`da7B2m2-YlqL&Ph|2fcPxb-m>Q{+i6U{F6cCgG4s4Y1xXeH zMfNn9iw@T~-+Zfz8j8R`qyo4N5hVyA*i^K#s?vOao*xQCs`agkU35vX;_KXZ(>a0Y zFjC%B`2vsnp86qrV_6j)5`oCFxwhU=xP!l_96FgU&w^d}K8^J*p}RpwxP+>w(ig<# zRc>OG*A~7<1Zhy$^%*07Nd%%-(3@QNeHvoTWXSI7aK+=D0o=RZXPQ|HwQQ=*?-148+}AcG4R}ew)66L>R;ipoR(4Sc4ZU1P z0vZ-Rm?UHqm+CxO6(nEz7#5GRM|+J>PiW>0PIeXsl$6!{8NXe0WGCW;ESU5psg7jn ziFyfm%#6hp0^$6m;~Qdml*jRo_SF2uXKOycFvp~K^TJ@Wpp`DG%ehM0JcP$qckRtx zkvMFZf1}<=gmepU$CqjnMbPt!pl8sSq(XVQNvdGbu0M9lt6p*WcX=U;airlTr$leNq%rhdPhyDQM}P=+iEUC)7wp_kW2@K2f0LYv ziWU!IY+nqn^=SxN#Bo-^x6E`-4?D{wVXK?T9Jv=PKG)`Owm+s%axa-t)f z=~Gy^ou>o3*uR#I0zW;W6T5}59fa5iMg(JU%E)xfZ7zk>@AMFYGiml^T!8?B$d^hH zD=+_D8FdN<`<2l_!^lPK3x-RM3>bG^sJ})N6qSi5kvnzb5K3z6Cs_bE=B)wD;`K2H z`|GHRnLWFNc zrP3zKPl<^FWmM<)Vd53*q)Z<=v?B*FOD=T5MDd&P1T7qlqOHR&JNe+9bd^zuto#X* z1-l8+NgWRfU_X&2&l;hUktn#J8cVnhKiQ{pF*kqWnVZ+o8nBm_In|WseFajquvD-? z4qxJwl_dawvbi7t)9ed}g?GQne!d~m76pKHEqz)fD8ye+Vx=3cEGIZgiaM`JF=xj? 
zJ~M@)9haHJ((MEBL@Gm%W@1zZS&6$XrHqz5u+8!;O~X4<$kPvh($kINlIr!^#e#(J zxd0d=>RkQ!*rosTv5H3GpD-1d?PQYi(@uRWHb+6+p-K94<{Lx} zwp)FTxMG@~ufIng+-nAlFQ9&-bDjOqgIQu)@{L*{4OP7e{d1K>ic!-JRP!AL{@0-8 zMY(`pjIZ1@5FlB?pFEvO>4j7KaY%6hxl|I~#YaR&W^^0_{z|Qn!R|ld)61ApNmIu` zqjTs+yY4PpT`?iCkE(om=UC-@3qA1 zW<~#8qPm@RLDxR;uB|8nhs&^w+{($kVTE)-%qSfTskj$oatSY%{!_L3Q{aQX6ebCm zhjm$bNnE{S%rDO$h<#?k(egUC7p|D_985*G&J3Vu_xIJ~QjgW4)-ccCfzKFQFc@0| zb)hfwfMSaOVe8xAtJ@FVtNcd}dsv0!;xLWw*vxP-TCX=%Y5umwbl{cdN|=rVdzzpV z29S8$@!GPO#a=x%b7If>d214UuC*_Qj$@tv`zHvT$(i-}8je`*?8{dchxMj`9;*`W zzgF~(<02v??EZT((a8tmnS~;`mPSo`6+JP zNBU_wsJ+dHsf`KmCx?39x0v(x&zfk&Vbt(qK{1+NrwtF=Gpx}dk1Q&WB_J*v{ugSS z$-~O7@xPBCTlHX9Qay77Ze&q;VS;1Ps~umFJ@|@bm2>AEk4~kByk=u4B0ucA%G=cx z#~iE?3ZeI!An!bK9`MQ^$?Q>Jgx3aV?9AUVRmA#k^}FE_TJZv*Sk?32FS_ zDuh+jypo^X{!tI2K$0qzx+>MgZCLr*{o(KID`2~q(A`&Crh?maoicN2#%%3H5my4Qe-n1+Kx_tlk5AGxcA4 zlQ+b`&~e1QLJu2Bt`EK|O3nCjuq`TQVwImaG1M-XA62O~)>wkGfDYQ}g2ETad;nS1 z^6n_Z< zm-BHFy)zG6jWPOYoL%0SKXJ7ZXZCCc5TX9yujM}nlYq$K;TXut_{CStD6o}@ zo#yQGxcwyz)5UEIoLag(YDhKX?ob1D*4cVlHv{8a#X<`X8ZhYQ=>P)bj*R0z!q{&2 zW6&ydrT=eJ1slIEnz!~Q&*p{;ey4Tx0P&ul!{5_9T2=Uq{~rjuC_Y<2C?WWrQDA!> zZL%R7Dkl^gkse)pSfq2S6)ztpmLlWPzEt0I+a8bEmLM3Ho>+U~sXMzpCbzg$KS!!7 zt+%W*E29#?)lzNX7l#V&MBE-D2r=2zB?cWn4~*>jR#j!Ik>h{LASD!sz1WS&h~)$F z6Mr&BZXbqeJ2>u^jVwYq5oNeyIoP-odVEU;ns9t+btK)s&F0Psq%Gis80gvRUHw@q zJZ8VqJDw(J{JMjAmzZVrU_oS?rW!5E@H;IU#6`L2m(o{GxraqHXL~#YHE9994sfnk zfNk_b4;BmHzH|6LIAhf0%}h2u^4BO(k;b~;VE-&;6UsA}c!{l%==r}vSMCui@iNg% zm@17auDgC~8b8HOX4wndDj>KfM=JxfbUmt*DH!9Cvs2r_h1?w*zgU4CKLwA2LR0K+ z>#^yUM*J(;)T39X4J@gDOl8A&KRfy^kPvMTE6UXQOy}kz?Z$t7-TJ=l8|>85#wbuS zIPiie>cT^KWCs%^p`+ZEE9?b$#qnh4?;Hnv*2XW2-ZY|}(Uwb02-N?I&5qEl{bj8_ zpja8)Q-MIc?j-*M=FCK4M#N7TGzXbG2oCRO)eonHS+8i=5!5oGm)OK!?W5diz05y8 zhraLZGRv?*#wUFBTgF|pVdZsX0hlWo3%oMO7m;ObsN}N7syc6E>mX!cll(+`==#SN zPnNO`dq>C-Y)KCKcjEbavQG&@$m@RAqE@6hb1s_e&2VSh>Zcn7FP%zdpQ%ZpMRT+P z$s;M{$pXNu|H<4UgzWyt5=3!HB(%*;uEq-u*PDVD{gcHnt+wyH15=sL$}(M=^q@I= 
zUrxmqH3Yu^cNiMG=O=@VB_Cj;l98R7MK;7A6X-x3%UsiB&cCo;%iZAQzQ`EugZCzC z+m&A`jUMaGfL>XDDjmh3yP1;Sd_yuHu$ua@Lo+3$_vb>+ykO5LGu&d7%(%Ws@oNj& z`PcAV%kIX6>$7jnEa38mkSzT>TD;^6*|gQcj2;}+;izSzuw6X z{*yE@IAx!_;suyBR3wfhUVv8=6Mw9*xupFn?4V;G81#E?oI2jHzyp!|o( z1}@CU1xQ9~i?+IGf?K$>9xmdDEjJz4wiYcdxjQ$y_gah3pb!o;x-7ly`7#k@rt)Df z8K639+{mhV0CKJQCq6c~{h7-177qO3A}G>O&6IRd@jJ3 zYb;?#H;tlNYMLHagfe)aH$N%dD`EjSwFZH+R;7qhCDKsr2JpX*p1^+mUnDT_CJZNv z@-U1tRM9z`7wW77zw{MKbhxN=Her{HXt^cTy?T*9ztYY`#bgZSG^sEdDFzxqm z@pcK`@=aIZFjCGN1x8YZ!$uHx^45Dif7(+85-nkY!{tg0mz74s8S;{tK1Ix0}X0>0NDjcJRVw&e8ij@ko1j*B=pR3(yyp!`D0 zQnSQw-@d#(Xd+}(D>^LP0d!++*0l@t^CSu=bk2?>D4aB4CGOm6vXpzC^auqf=5oeKIsAWyZa{4{vZ zIU0eT03K!1v|>M!N=%4r(^L!YO?n{>@csh%(FhPeJ`ic-cVR0XH@9D{WsAPlNw%Ou zvXoA*Fyi*3YYk4F%Migy4=qTZ%?WlJslm)bnm?dQE>`H|J}e=IJ+1_qN(-O9NQ=+^ z`6vx0*Vi{=6zatT*_#AwNF-3 z%36MM`4-4uK3rkkBe*i@%mru`0!=7|R!~gTl>D5bB8XkigkhDEbVKfmN zfx&=3+U4dqTf33tbz&JHb7QyUNO+-&_rg~XOxnuNI9g%#38r!TI^kKltf-ueYT1+q zRM!{?l|vynXYq$6DRGw;35$Js*!wgAa8OVXAdHsK(jras`1@*it`=`BPp*@~b>0uS zuiOw&4EOf+MXx=@C5Hodm-|)ADkvl_wr=NrD>E4)<+Pc90f^-~oTqd{$ZVTHfLQh? 
zuo$BFbMKiHy-S zm62rWT0RjzWePH+fc$Ztj{vk)H)05MJi_F>9T_3)9rO24 zc7R-V9MP}PvqmLicw{;jw&iKXQ7HZn1mP>JBi*p~Uz|G0M%nG9?+cH%pBa6WFUtR# zzdY-+@DU<*Hl;u=2%lrIjQEI`peh|0MToO@uFYN4-UQAr*PkgRb|~2)_Kf#n@RovJ zEH;jNR!01olBK}aS!5^OdFYdL!Zt+yp}o3#mow5Oka>|;n@?g}MzTMcE1N>7ix*>A*4_r5L=R|J&qG6RAy+S_{J+hgCMtgH$#niWQv zHZ4~sO~79P;?|#YwyoiS8axY-ViGshKcy6bH@?UK_rWo(1$l$7p)L?efixP#)F&+< zC4R(j0)gN6*{~Wh9#uPGKe-g?c4BC8q7E+4jvs;LoJ zSO*bG{UopA!U0ASQTQyMVJfUxErMSapQmL)f9*8Py;+}m__Y2VYxMqhKdJuG za=b{jk)T`=om~9J<;+S77r1aN8vonoP-o;=9?d4asrXYi7Hbz&yVhgyNyEys&(usz zuK`p|g56{!KC{h9G<+Wh|jNTOZDw$e}CjhAuJ%FR*FL` z-+xL>cv_}z@#B`g-G;QAwdO2|N-i(GJ=A=&Gg?VAfTm`FtBgvo?=1WUvF_{bFH+`M zp5d^UGpww5VfD+DLa<~-23!HH2q_+Jn&m9R=Pr==%WW=8<*R@gpCi2i1u1Nf7jN9V3Xq6KXa_l z4X;8@jy6n%4F`g&-F9+G*d7MLFHL(6l1@)W2KA1i1eUa)deX_>oR1=1o_@c(wA*)L zx-o0XfkM~`(pl4jjHw1YS8Z!)__?2dNcY08-r?%ykWx++i^F(pe7>x%8+!4xRQx%Ex7g6)gU~jU3122TJ4)fY zjJW8BP2*BZqzj^(4%?@DOebp^J-kU7j^DPTOHJA+Fg?p*6meC?WFKoN8eR z#dc2FLRuh3?*lESd7u9>F$RFdfv|k9ZZpRJ(u{hklD8={${-nZ=ULTu?PWZDa`7DD zev13KLQik5f0#kYi*-@EnoygksNFwN(r|dQb@h&i;m=r5smu&c36${<(S~<9s4&sX zx2n03?Qd@P@7zd|robv67lW?TAmYs)+`~xcGSKfj9JWUjsQzhowpZ`-&a}tnpLa z8K8yBF3+Yu<{FbKDJlJqTzzBsGXt>1*lnlrIhsiQF%ADWPiR*JL6Z`veBM}WG!mz#3%FpMk){PiZpevUhi1DOq%^VI#MbH|GkRZ*ckxkfdfBuP5(X~> z(UIY*ZuRmylXJ!HNGaf!S`db-A`rjoeRCP(n#;;@xYmYPe~?FHLHGze@Gw^_>_)j*4xZbE@87+E zur?4HgVB{PCw=_b`IwiS#Xkx^i{4b9v{G8ca5U!>0Kdsg?eXZ!@e2aZAR@Em62@U>!cjel(Hl18iac^i>$cFqpp4Xle z$MxLG@8BZg(?|_-lE5t`)4fgNctkWPHa%hFVg3}wMBy`mZSf__+lOhmDY{+&-$$Dc zKIU12g?c6Z*NuP1?S!jT&v_-GqB8R6#O{~lI1j2@X3(db$G^Vgx3kO-A!RuWTPHTIX>#ESMiej)-QL+(S`nLdBs(3G%LMbLak{QVVRA5Z|_p^=h zxT3!JPkx=;li6z)#!_mC>wd<|@(>QI$evTGyL@+MS1|*+`PEZ4WgeUr8ItMrP@3j) z`ocedU|+q|C)S*s9~>>*po^BZi#xv?Z$+N$hC~iFCted%k&zWA-o@46fc%hl6<@#2 zf`{z(F@t9AhohY0DFNyOUCn)~mx`3q2-P(;HVVH+-tdtX0-C@7Z7GR>*jMdv4;4Hn zbg6EMGgLyg^J@tFv7{~rv0Jp5rox2hfPUxnLsl*>@Eape^ASb>8&9C_@b9F}B%3 zT2F+(F9c}Ny$T>Mh|7MaK5JUGxrpc1bmq?L&fK~$TGh`V)xXo?^F^KekRqqPM&u;X 
z3^acxYPKT*n?GWQXz2z6#Yl$JriE%|nAsHin_78)!yBI8+!^~J**9MKGp6}J?ktN_ zZbBBaB%XNUkiYzgR$M$uGZOzYRcU7?Fo59IID#%xer&n*M{x_SQuK|0w;F=UZ`3p0 z28uFHXJWOf?R(`@k~=0JRJ~803z>+rcl0Eb`{@AZ^|@3naVa2_vMK$i6Q-3%^Dnts zSQKdIoKI=Bo^z%N{?g1{!mrOEl^Cx?MK>*x0@)Yjvj|6(hYdQ4Rsfy4E~^l}%%?vKad`U>Ed z{^?3Sp0qhZ)kL!-5`r@(Jcsx|xuzkYAoq|Jc3K83LlBima>S6#!~Tv$4GJ zk8>@Tt61g?I8X{ex+fCKimRG26k-)?tTt|B346} zcOQi`aMF$`$VG8;;ZNvZlK)w_ov^IPxHsl5!P) zW@|nNynOXCD#7Mfz>$79jeq@3iDv?9Pd(4#))D1`9kIROtI;P&dhDxfRF?SVR#?m-(m)&W%9FS*8k@gE&a zjDr__bjO4Fr>v{BvnGGF0yKHaJY{`4K$JVBQ2RBiz2@-$CW2+9tReM?E_i_MJAf`w z;{My~lIVrUH)@!D09Vy@yx`k9A{orTY55XwcUDRv+dg2DB*{WE`y9Bb%5(OOvccGV z{iXdZ=UQr<>+{2S3ZOe!j>jau6Y_)=td!(VfS#ulVA7X%vodQy0CFC(6HmMF`HPcP z_oQ2RILL6UNA;RFN;8oAkB_*Ds9e#S59e*&TAI--XmxD<3+8Ph~wdo?s`3NrN9r0#sFN)$b zF!X`GPenT42$Uo1ECo9!d^>FQ6ovAjXX22y>g#*q0K&29=Na)_FAU~%QEpb^MVWk@ z8o%Ms-`LLGbnpLth|HSu`(+gt$zCmXhb*8X&!~5NuEz*&n%z-R5?1c zVUQUJG$3cO$;jFey@LAqY?4cKG45Dgik+&wwt(Tym`@5`w9?lhhrv)pPTPF)Ff z93OQu-d}}uXOU0$jR$`1=Y4zq6$A!hv>(VJLUQ3|K3rK1 zIKIuF-nLPKuI?K-fi*1FWq&76S=^pU-DZ9}S;u23;8A#oFo~BNFcq zkvjpQ55lPHFoKc`Iy=Z0j*_i81P`D*7zldB7)j6JU}qr1z{`&3(Zsr!r=;ZAOAiv8 zNbPZ=3foHXvfJp?ri=M;o>bZE{YN0qWM8u5VJNN_etQs{{WDcoslt`(nfJHwE$%7E z{cK{?2~4u}dWJnbr{^B_^U^Kyo`qFa5NUomFL^t1KSfvIHB?&oR{6KGrq$X33fspDb(XY@^zGYdXp{ zIk>g&@5|R63AKwItxI0$YJf8nSPMb^4IJ$9zJUIP(-BnTSqpidn02Xe+fmAy1( zO2IpKbI{sTyX5@^V30g}%dtc3{{ZvkIS3D0A6nwTN-8RWv(=V{r(2`M zMqO)tvE`;Cl%XQ}Jx70f-dIjD6=_w=Sah;OY#O%d$=|wQ``n$8{EVRZ0!$-qI-j+) z<0S{ hGu#S;CTNzCwIvDxfb22y{2KbwBr6Pm&QtIxPGMj^;fJv;n1{4Tp8W3B2v zdtHn3`d3iAfCSVxq;$$N7cm)pnKqKWT+6e< z)GO+=V@b=N<#u4v<@A>oL=*x2hOhLUD@*%KV*huDVpESRJ3lv${=!mYCZ zPN2tE>W9O;^D;A(Ig-_{vIsl+jl;9I3wH7C6T4bPFxVQ!OaODNjo5`F0nWi-6tz4d7cJOc$ma5jep%8BFp6f}6q7YWHt~ zaG*+5i2^ZI{=58-5@%u3sl&$;y3DA$_3xvjqm$MIF^y#cG!cPPJ3LaYSW6m>t=4ua zLMa>eX{N$h`R*CafBc84tk%DlfuU8x$ z;f7}X9ArK8<;JA(V4~5X1_bN*(-4^%27_mD~sZJJs_Llm*;|71CDMXyzE|I1C2i;UNJAgEWXMm+hjd-S|!T z@;YuHP8;s8cNkq}^tq@s)Wlo8@9Y4t{-0UPQi+HAyK?g}`hr$~wUyzYIS!|jO`v}L 
zS_UFCO#n);r|}3>#{RWs)V2L7Rp9u=EVEQkOZ0+bT$-Bo5PV#{!ro{V&CW>bxC-`J+ z(kIZi+n5(9r{>lHx^xVqIEhPCv<0llSw`X;B_GS}H&C`_M0cfIW3rv%_>KlvL{F2- z$nDS8axq~7dGe`Yg(VHo78;z##sxZKK?*4cN8PjM6M`>=oSzKGh~lNl57jUJ5jdM* z0xCuta=k_yw@E~lnr7XE)uBMCd#9}OP)Jj0I;f=HsB{6@Iek7jmX-E;{NRAUBk)lH zHg<}VWoT+THfFDX=VA0c_tV5|kR9bvaIrnXwcgp2808P6O_F%DIXPQqG|oc-A{+O2 zNi)jBy|VIh-G?ag63*_k-`)lDaN|GPGN!T97|7y9A3^Y`=JHLmv9cedI@h^~kM3x= zY)OB;C6|>%P_Kg)^jCfQ--RsmJX+R23*|_5HiGd<7+QImVvu9?x+jTc6N@(HR#b;R>+#sB<>Sr6#C=yz^o?Ii86_l*#c; zmb_z*Ks62ntlU^e_2$HNLFkyO_`9#7j|}q|2A~sHE=!Z zU7e@|rgO5f@hUHhH3NdwKQiOgxR0b=E;TqOkn!4D0sX#p9R(C+3?yJ@urnNXFUgm+ zG8x%Z+{f@=iP9`a_0^^fJXPi3xU5t&cC30)r!lBujQ~?%o?07y_D5ZGvFXzm7ve z56iOu??w}#2;{K8l&IPH=@)j8dUDB(ZiCPBC__MY~ih?!obp$hU4J?)*`I zap{s<%BXY9M|C=_`qG7HPgC`sMO{g{+oIQ9I?nm#gXx{_hszh_GQ7l3y<5=zlQmQAHw8u2=OU0ar@N&IvHFPAd~l@c!ay5OBXki zwl)6!+9n6Pyc{(<9fT8#y>&Dmmre%RNEXh3d3kFXWp2k2cEIfC$mvjc4m~mRiML5I z{)jZ#vDzk$X7BSFzp0gEhH6a7PIR?)#$qLKjjSVA?pM&_66<}5WQ%^sAe_1v!&w-# zG2Q}9uqgryHgsGr{`tA`quemp@go}3R0LJz!9s$|Suz_^vz}XfNMG|bvO&F}8?IFByqS8N%7Hrl+{|j~iwx)IboHMuCB-v3 zZ(jXnYU(jBlZv|=Y1Dh)!WCs7L0Gv*8WWE{+%lW7X2ROhUv;nMu(_Zvr@ETtgv7ibxW_s7nwgDv4p^VvJzZ(gKl1klk;Z-LdU zT^exWN1fo*@6YUBm!h6&yNXU_mO@J8|3o=yRg?ogYCT~iyo0T1;QGvAbMhBM7BKQt zx23lMS^w>Y^skeb2*ui@(dUX9u~M~L!h&>+bYZYtKj_H#54Xr|*{07@-R}0Yz%^lB z;UW85<@?%^&s+;VP|~@e{=JB0`d=zk(Qo)K*C*7ECSo0;7g#QqBIlm7oU#=)6brVx zEhAZZZBj_zU#si2=XM5z4HZ9Gb(gFU9NiD`cv2sx2VvQ-++AoB5HC)P{8MPl$`g~u zQK1siL0wWER%^xN#m3F80BSOu&mql^A9M71(g&gGP#ZZbvyUI&c5MY)`neO)ivdf7 z+^&@JEmU}kGE}VffjX4?2RI1Em9508#Pk7D*yh(c)6E<60g-e`y5-cv#<}C=nz7$` z(Gb)JAN>B-1 zsHBr+(h^)8Sak{W&unzm_%IP7F0?&JJg#LcR&Sy{Vt=ll^D4kz3M{6;bF$J0G?br@ zWuyUBHc`yRB;bO~pOSJ%!PUEwf4GC57o|l0Y2=ob+vU!%5v8^0k<5fuQMjB3&nfM` z6!Ys0O+iLyKc;xe5-+@2>@n|uekV!IuaxaXzldZ(+XGae{YG6MQU!hqxq9=ThyM+Z zIpvJJXm(xrzrprZ@R9!7yZes=QPoy~Tf=F;*#Y6wLqwJrST7<+=CNt7mSHx28 zXc1-!*~K8n!P#NEd5+p51~#x};f+p5ZjB9t@NDhc)uEEf(s0AcWCLf2|5ebxj~w?7 zf}t_s9nh}#2bVD{gr?)cA6}fBfA)1oBSxbhAgeqfo12O5sNqIGJTPbQo19=1_@gQT?MW 
zG(2YjGGZy{@F{uLd8%Ly$%FR|cZAg)Wl;SL(l>@lb6*c@{%pM)S;bP>r7}7i9T9tB zV|iJWX+|#9e^R1vY^DyiVG_^`vv~(B+itJ{D|?666pl-y?YRthgnSc#p3I4piAMqS zyp&6|I;$I=RW;Om?GSi4^&HAh8hK4Ivm_UPx?!!0EP37H>#<6Y4{qOaEbNzyNfU9W zoQMX!|J}^(r)vLZu1+HyE|2n5!^J$fQFt7V0|@cw5DcDT??mi@wW@R}B}8Wzd&78H zvy1s)y{UTtNSl1eh#cNZpGD9)a!n_flMfz$DZL*lv z%e9FpAjy&De^oH$jRoy5_Dj!2aG<*`TU~#Odrp!?+p5?=PE7UXYq&NvcPt(*XJaOW zUTF3PkjZyG1xmGcthsH5;R`7wtDC=+MCtrbOhW~Hbb1Q-raV)=w|otP60!z%T2A56 ztK4wAC&M;KRtGqtbDd8+w&Y0XDuE|NcOHtB+~Qe zh`PxEO2>}9gg>55kMe@+cQ$8X+^!f9AS@(yEf6a=$ih;jTTHzqXSG$S^0Xt2yzKNc}gyW^dTiN#C$Ua zT0myM`yy-A>HQ~V3&p2nhG6#9a;&e+j8@94b-`wai0Na0deQtW$;--(sp zljRTjuW`93X^ez7233!?g%gaKKX^!szGAOX zr{t1+xeR|w{VhoqqEHt&K`8%_R^UTcqk+l`bx6Y8rVwU)jD#USU10XXnsQ`ECD`06wvS&EW57GF}6= z4Fg$jp{0HC^3Jp6+!(#6^d)t{M2=Ul*8>D?W07?h8jjH~zxt#q`^oXytM0dL7v1Z) zy^Vam8#d)a^-QnyBg&;hPyhPM^oKohwU&9RxlaLmh|!#cVgpP`MGoM)B}Z-l_|;vW%+k{LM1**DW;(Ucrk2qI8x`i}nZ$y3EM0S! zcpy)Bp9J4`td_82Y7tDC>zq zE@O}2a^QRJj;Z_S^y>eD%eKu69c9~O1TVj*uhW8V%Ob^x+#byB^a$~6N#S?*5!Jm~ zJXE2;%l1<|zU)#+wMkMG;;`JWX#5cb0_WGQKVEbRDCIIFMhD*JNjYg;b zKD(Su%%rx)O6it>|CrLz^69I1Z9rNrY3}`;T(gJHU9GKx&Dye!6trk1@f*?V9+LGX z1?a8<6^1T?$NoD&I!?QP(&vu`eOfjm&H90127}eX?DG^$tlQw2%#oI}v%gC8=xEB_ zWWg2Bs;V+9KDL{faLU%KsMYSto>54cH4}nCq~2=g%#WZYX##`yb9i^NTHuBA4+4;6ay(m>YZN2(9LJ_}q z?oHObLlJBhuD#s<-g`+Ks=PEAeBc%2#J!q!sZgJ>0S>f4LVgKCk<=}p7K(5SwFcKK zd4_Xi_|A$}O5txeh?Ts6cl`ppV;nH|!#;N%y@SjSm}k^lgpnxUAAy0S3xP&Gl8{gS zhlFH)sUKVF0SMVWS9-}FaDFtqX3w(Peh`n;l8NhoMA+k`@V-+ZEUEy_QGe#O-Pb2e-(e@1zEx(OVqj_hLZdSLh$f%za3i18llSL?W`%0Wi9wS z?UK#lNNk(Gn}EsepWqX`J?+Sxx+hcdJUF=FFAYWqw>MY46c8>@g~=JA$^k@98yOkU zIx}L8vG#yuyalfaU3!7pUzPKq@M@F0fkRr2aa&$1bN=W{Fn>ZpI*m`Uf_bHYo-*wQ z-}{kC4qpA6*?=6UDr@GU5Y!K1zd6{oYAWUvOKlQ|1%_pC&HfXe3>JN%8aEnhU8i|+ zN>TBu#m{CnI|(WO`R2=~gqxnU=ha@$cwq_@zLhy_`Q~KF^Y~W}w_%0{*dJ&=mF*Y$ zpc#j#g#(KVbVUaZAKge2zh@!9FaO8hX}KfzSMDP!wgjv$G*f@FM3i(sS?#!(Fin7EbUUhgNyr6DBve^#V z`tOXLEcy-zWYr5G#EYl;af=c_=rQK7Z37i~321^?7F6D55g7k3(=FCsUi;h4-&Dd& zVw??nuPt;xH>%L`C3V_!VlQ-c-SB_V=Smyi5dkGH(R8>DFBfH 
zqXbf~-a#=DzBGLpJ|>&b-$Cfuk5ga1bea1$#+;i8!~RtkjB`eS0_dQC8uZGS(1*fQ zeV$NCHzuu~kh`~0Pespp4z07AEckRPS8mtiPP~Tsm7O6SsPR8q0KI@^WC?rJDqEnX zx%Y<0AaX?>Mzp?R0IM{i)C6%iQVdtH_vt=*zXRil1RM{kvsPCTTk>+&!04OL8pJk@ z<|!V#$Z}rLSTSK#QW-aV+&bgq!7oec=$_^C!~uFk>~-7)1PIW!4M=ez<4$SJS3)3J z*`wCKsKvXw^g9PwWg&@zXGAhz!ph7S1>*QL!d{5XfY?1UiBPb4*jKxtByPKTG!34? zv&Uzq0A!rH8|u9Sj-Am#l=b7O1I+Mmh6?ROeS6^+O+z(Q3tloMhMC>bM5bap4Q)Z; z*7@HuBqFabfJM3U5_x_|(?(`@XkHlSu$Qs&@}eQ~n3P{J(w@FyFxMTbu?y zFh<1R?r(v>vQY`)_hDqsD-ks$Pd+6LIX}6YQwZO1a1O6jsnK>RPVryVPrgB4fe1ol z8q7u%ecFxRfLZVg_;It+M>Cah`TVcXR4KqKe>*>FE0GN{QOUe%vl~FLRi=mQzl{c6 zyZQBEc-ei|yTV@%$N8t#cvZ&m%JOmE5!bERtkN%>sj89><95*uPs3c8G7vn=_==jv zFY&;cDj!WIJO7tY_*31t;N&|i)VcWCSq>uPAq-wKYZSm94VAwOrOtp^iIkVa(WNGL zfyn}&T=2fmdjpwu-tSqmf|0l?btq!_o6bBS5^a6sEx_i&q^S2LfE{|tM*j-@IPa+A z12(WCU55~JYhb98sCH8U&kit}CGh_t?JdKq?7FpKx??T6!$pU5h)B19NOyyzq)2x+ zNVkAUhmscwAvy4Z7?d6woxP6}s=6WXdW0^vP+bU;tC1f>YDX!2F_#2kzjo2H}rsPI{ET zwUhpc$p#<%UwtIK+HD;0LLVMkJP>v1eoDd%W;R7wx6uKCU&8Fo`8Dg@_h3=roObCwEM(C4-6P*C2ArcSo6U_BxC*1Pb$G8*WR2Kg zbDJ#U8aKLQ;)`O;tsxx*-6q@eFVyZqFGw7)MJ=Z=!DNmV4N9{S6yQD5z)9SnjBiZv zlEH2uF|&6;Uo^fB_JICVg`UK<7DF{0iEZT(Drjf%C3Cz;Jo|)dzLN+Uug8QG)8ewN z;ftba>vF1CqtT~+x|com9_dI$E!_;v)}rrb(g_LHH1cyNwhQloralS6&u6!aF)%14sGF7yO{N;yf(U zzMf>4{&SrcHwFG$DJ75YA0d5TRo>F#f%X{JXG;%Siy(Y76qxYS>A#+`pA46*J;Qbx zH;Nvh??O;^Y~{{m@!AqeoS)yxn>wI5M8z&p!VRbl6Cm60FrlPdxIDtaPM8yGSRWHY(#@fGjk>)&Lm0Y3aU+qNwQ>y~lA)Zv=?%cp0NMYA&< zKbPBWUi7kILQVo4xA_m81oWEjk~XG)=LE=)r(9FuEsJiPOWr#`_*8=3qXq&K$0LrD&y2|XS^L*cCfB@u zj_#fu^f5y>fPTH{Pn;xiAo|L)9d=BZ>Si4!LYWfCL91uxhM!Sq7`ry4?wt%*4g9sR zYkB91oG8+(rR zHfJtu95-d2>*hCbI=9OSd+vJ19CUtX0)E52EG{I>s(MoDyy#57W z!HfkWe#_Bex0A1D=_i(NGEcVG#(&L^+ylKlA!Z^@{ke5x(oRlXI5;>dnsql#3l53M zMopr>m~ln*-H%;G6v_;N<52;qbloD~bye;%-xRyjbXsgsMtONR>IW$RTBGr*pL`d0 z^sg3<>CBH?%O4N;aT!^?87f>&@Ts%-{gCqt1(dwNqm=E$l`sdzvu8uS!_e*KE76y{ZG?}m+6hrH@%xv9E)v=?mm-3$ z=Hpl+#be~@JI2%$>Sa>NAH5=}3c4f!!~gr&-LzcC4g-FjtXOE)fMa?KcPa7jPfk*Z 
zd%_;R`l|cMXBWx8{sd92-$ZhM@;<5ho@rTwrv|b1GwZgX3MB~9b}XB*NQ{!nv@{L(al*sY<#&R^ZCBC?Ov#IHzeLw$JcP5PF?YvB!2)j&56 zhgtOu9BuwoM$nqUqn?u4Uf-7+Z@$~`k+9}tqs(rVpU!rfh1Ff2xrbD;baGu+OE;Si zZ<<%sZ;)z1?b65ZZwzpWwA_F?&n2sj#;;Sd!)&QFTrvoW$tQkf4+ZWxw%g8^8S=yU z86qnhBcMy`BzYZZYUn6dC%lU1(R_s7%9+^*1{Pt3i+8Hi0R8+Hjr)IboqzM(l=Z>P z%h5BL;Pj)&po;U(8?~Z}T?efLU`6boNSYNYp)7``d5WD2Q{7rl|J9;s7&sd3=Ku6L zvz&sqJea4{N%;m;LNy+9?24MPGRb2hX~f1e@D4yzJ^vz)ZXg;5a(!RYfq<_+{=AF| zo&qm(&vY1!E#(1YQIQ55&}e2JDO;lzJ_qMdz~CGDK_+JCOt6H&{{}(g-tGfsl4rq; z{4(rJ7vI5;fcTo}FbD;s<@{$M8`SU>`Ne&~IzW%ZeQ$=HTPlD!p8WomQsBCI!N*@E z!yyhx?c-;)4j+IP(bTa29I^fdc-DDE2o8Z%rgRibB3@ZV0mRt=TNEI&74?oikc#}3 z+wNQ3)BGR>{?GAbvatk=G_f~%UcP$c9v;b#z7!>Z*+nl5?_cY|e~m!p`KT5~Xr5Xr zB~@`fBBytf76kQ@*)aiIAxqTQgt4`t7lNJujbPErzK5ZpfKx`u;xNpIXmJD0|e3BIx@i6jlGBFQTDAF;3P=Pn=aC zjd&lOD#3`h8Oe!8j{Q9v0$FJ>5SlIx0>?ky3VQRC#W)ekuzdYT-V#c+QWT&=6{nO< zwHEMGEQ!KkS_*`URkzIfjUItF)u6T9DiQ;~6rJ|Kz{tyKTt3Kco`D*(Y-&4&IZTr3 zl#8LF9?T>10W;X<;(>1cJ317+Sm#Mpz%JPAGj;}K2B;0AAGBdS+XknJ36=kaOc29D z&W8aO$@9gy-6BY51(TBR{J<)QOia~-D-W2=jl9>+-3{;YXM@!zdzfw@Dnr$+(U#@b zSr8}FDI|D2WGyG(aABvak-h^WOsX^NZoC@s}9Xk4ryF~EZlTVM6w%g1E^83tB)wQd?1 zLL>l6o6OGpIv>AUjl3Y?#YcLL9Hog0MuM<2 zDHAf9bD`PUr({X~i()`&R+om$S81SfU@C2D2G|MZ792tq@Y?!qGWcNYB3=Ox=dXlA zj;eYOQ&aOK?Fk7Z3@e0C6769prIHdBlYtwU@bIvlN&4^H?e843>5%cT44U}685cBn ztS<7Yz7T~730T#E49GD5cvh0%7DIue;66^*#Ya*L&FQp_E`*=l6lVw??_x+?wr-s< z@mLYPJ0T%OuF^&Bx*{<4qWrl(?oUh>%o{RTGoKR*JQ-3KGx(Jz9~D zvDTIayI3jh$T0xi<0Epg3N8KUcu{w>%_+>emqS{o;9gU+K!YaPqb27Soq)o18&xd& zqK76cNs_@VY9}mQ%Gi*m^IA_!$%02tz?`;5QX#P^x8yv~0H!#k=U@mO{Vk)N`F5S_ zNJ1i})#mFi3`7xjLc+oQqW-Z7_4jez$ERJaS70Ti?@s#rkrrRQF@U?d`9Dc74TX4< zBJ&ajs(+l3vaECYY|7vh5*{{Pqy@VZfj_Gw!XRp2|9YD)l#ABi1L4tniS*@WPd zR}G-nyJ63PF&ss#3`enrvaOfCH^sNV{$WGKW3&En_68m?dS? 
zR1CQ_rf-aB@exRHJIl*|f+@g7*0;bEkdMEUeW%EQ3pf~%-1Y+}8RzaHPa#3nfDi+i zv?Y^z07Ds+3C!hb{jT(v}-5UhB*FGJ7+&`4;QN)`+^fGLpEKoBAU4BM8t zr^P2Fk*5?3;{|ukDP+xftXhb;I59v|U1{h%q7>MHaiNW&nZQB3t^KLBfr15e6osRT z6dWr4TgjuPi1$Hm`WM{*kuh)YvkU)^fvhwN#!H6M*r@d1{3Hl`HD=`^`w;8p<8PyU zHwH>mA~2a#JK3s@pJD(5lUW2*N1l`>pOku$(kL&mLB_9uLj8-9`d_;>P@RxX4V?S6 zDyKOp9gHQ&X9k`VNv`Y|_ZR2#@ATyc;#?K%=ZOU1hJJz%g42b-nfF!~;1Ytld02#! zQ*1L3E;y`b9-{&8)q|`_5e*SY=uuS2ijS-q`9sI2wDFP&SyOMIjm82^u{|{Qo*VlE zaH57jJ-t5yJ|`_8tp}oZ73cYM8xp8?Li{T2dRHC4sLFu|0XOs1-tL$TVvvoE2A?rc&~W_!SzjdRXV1W2ZvLy92sB+ zjmLnWVojDNMI9Z-?7Se0PQny^Sp89Jya371hhFj=sXp^qdXN9cYUKF1B&xlAce);m zTCV#$eXte(QOJR0qj?gwIFjDoag1VM&~5S<862K(Drv9^aa*hG9ABcAELg{;_aSH< zk7`-Qpz{uPe2*bt*5>eyl?gaLa(cx&9CoPhx)c9_Uf;Y)$* zEXo6%Kmx)&KmR)G92jG7Bx1g)ar&nDSUQ^ktR>?cgV<7C7e*u@rq@pDFELLn(G8l; zn7f*vAi?63Vs8Zl`H2Oqn;7DN=W~5g-^T}&^!HCy@#8>~?aXGO;&VvofQ9c_Bb6$r zSn=Bh0VO_qt}&(#704fjapEazy$9>h%QN?8eA-wj4=;92<&S{>t;3{VL=^%M?MLzP z&Iggihpiuu8*~(gA(v$exvckUe1f?G4;2kf%>1PthTILu_07_frixpz9`0;r*EGk!atw?1Jwn%9+o z2nN=FYr5hFC?B%T+`7gkq^Q=1jMsfalhRn5(9T&FfdgvS_J;Jw-&Fq_bd-z)1EZnI zEupx21c%)0Mg7{fn+=AA*wVaw^fDY8Q2RXb7EA*nTr`)3>P^&u2ewRqF#RhH)}rg! 
zH<4#GEa3hE5Fmbz@prt5Uh43(+M2G|T6;rM01?wTY*)=A!6gfDU2W{!nYexoX|Az3kks|UMWMO8`}yyvV;bDv*%yBd%^&RqEshxx$GOdOl&6L}P~Xk2?cX66c6-atMQ zX&%6*|mcUG7o@>={hJR@MLV zoDv$Y6i+FjQ7nf&U1vt0&Y>d%Ze4_iyEHm4kU4*B>;cy~x_$q^9r$o%KWJoj!15t zy$qsUv6vwvq!VB1W_$Rl^+P@d{Ge7?N^9&F8-XhCjo98vd*S<1f+EQkNY6gau{J!QS2=q?cd__KSi05k>g7d1tiWZ~nRnKoC>3<)&Ydt0 z#9V4RxFvJ%3oBkRS}691OCSR~a2e&qGQ|owR)xFN8Sqxfd<9V-#KXfwK=1YA)0?46 z&1X1Qi$g=KsuVpd*kSV9W*DlbU4dg~+TS(6JX6C!#Ye`W@cTN6?_Nfr6t^MwU>V7U z4NjB*%{`zHLY-IT?Um|j>?Y0LlgEv0*wmg3?<QB|%OL%MSZ`N+);`-IJt zcW&kL=TLBL@>lM!4!>h}Dc8$$A8;rSCx(a_2N~foQ#s&LWN?VqZop&I%+(b`C*(lV z5-p9Pi`^aEJ(eqS$`8Z1qxoEYj1yD;5vt?&ot-gG#=#`|@gWPT5M+D|4*mA8W4ZgW zaouaD`x~z%F;u{H1k$`l#wI2W4;RG<&@@Yxdb-;Ej&F9IJ~$IHe(lW%jyidx=_;Iq z2`By)n78$rhvyosPRA{JuyotHkuXu2M+?EQG4#W;?Rf!H%3nWMWjizFS9&;j^78VM z8KgstE)AYxS6!Nu!nVziURL7kp2GAgdyWdty&9Gcx7g~q0*3A+@pjNU4LL4#+Hkg00P=af<6u=0bt z{#!sNiL4qVuoR-%*$>kU_R8*$qWpXj-&EmJAB)v<^o`wneRSX!Sqkw;YHaa5hgTbcz`Q7ZH0Oq8sJ(WZdV? zof{LYiZ=JE?|KaPE9_hVY$xa4h>!$4{lo#7nHyxjHhu-n~-e^g-u6nL21k;~92nTLT$xy!Czl z=A?w9wLq{Q9r`xdVerwYpsNdVFl6d062kXjb91(?(9Rp-!g{N&6v=SCgt`;G2dghi zf0n=yAyV{7e^x6rK2tl`JiOF=+SmYnGqkF@z;`FXTyAq19uLbMGYp1T#|Gc&=wL-<_*Dny5+zQm$0lE#}?14Ky7 zPS3TOD!teDj&3iAr}p4u2u@4Eeip0XVL4~jk)rhVy7;Paa ztOpCjVd=F`Ulpsq4f?`M*#=o61vcSYWw9F+7O7I-r`1B?V)!)KHI(RB3U(|cUj@U> z!*8u!zMSR%66e5fn-Gq;VFr{>-q1ln>XkhS@l0&ZTx6cpzFLZ20EZ1m7#z>KK0&I+ zed6_t*y@mcqWJpC*VAngIMIJ19T`T1`fNJz7oMay*C_9j8?Oyam(#_t(5Rf=SfQ(U}-Cr{CYuq(Vd35!o3aPksX8 z&nQu9u7F~((9H7&Y2Hv4WG$&O|NGnna>Nk%M!{HCI&B*)A%S#OA3z(py~7}k({uwp zO$&T9F9Qv+eo*|OSqF+CZ#>vUnw|0N1s{h?7WRVgMH|D{AuYnKt=x08bq$3-m6hg|aq{IrMzGLOgcuAxkH)7M z(5=C}j1i8wjQ>3EnUg_s!t86TkAi4ikE3&9q<9*|mOZNw3jdmL$EP+Ph#_q<#W$uH z{8G%8*Q5S~-Aw!KBS$70_^Ax94A*-VCk!RvyB!@!i@-K5yh96xH_zlMJkk1l)fsWf zO&?ky_fIRiXmpR&cn*4i#au#ywPC}Cmdc?-w{$$Hts6Lushs1V+8h-8NC}A>Ez$@fl z*_(s!u(VHk*ss~G5emnNRx;67`%436WTa@n8zTdqCoEbTW2Ja{jKyKqrFvS-j~F?= zk>fgiOmjquhUiaA`-nF&MQlz_o*6uzB#Wj{e?do6B0rS3HnnoKSXgN9@*pWu{?%IC 
z75V6X4&Bop@R`pQQMymf(K&rR~v-Byi*5kbi#zzbOI0rFcWXqOqH21KD#;CB19b0J}(rW0yQ-GeSP&K2L?MDAx%CpKSyt zw5p>(Lla{##1eJe-0k^$B??Zsu$ck5ZSKb|q3->pao3Y~m#$|F6pUo|?lb~Nw7>?B zudi7W%*g{FBSf`8wynV!ue_-fvaa2eZ%e+fR<S$;VSHu)%3XLXhxL{ zUq*aG;ksCHORpM96qJw!J7TQR{je4ErM0&-`OxJ&P_uC~MiNMI2_KcBLL0)Mq#&FE zHYBmO!JinojlCSmZQyiAqat{}pQLG^CRXxOx>@zhpX+18$8J)Y2Kv*L-B%7&j;y;h z`}K8-^Yz6!8EVTR-ptM75v*o%`IJWHN#4g=flC*&kADrlr?M*m_mh%+8@xK&nz}n} zppTquL@(t$zNi1e8j(7ne3L76qvDqL+8NH`-E(IDL}vVXYDHU`{P0|!T0~BO;JSJW zVSe19%&YKkh;6T5*{9xnNATYnl$LLPN^eN`d(iKzj|MwN+>bpN5^De}=H}KMb-3`7 zdivmi zygU>M$wcf`t|lZ9I3v3Fyr9RDc#weDM(Q%wL=Ys$BroH zvseF(lB!*k%WtazC6t+3@8z#8onmPDZLqQBGPQJUcfjvd4y#t+TUFs@NhUo5YzqnXcXVsr(cH) zdj3(8TUSeHGcRTd;MK=wOC=xAHTCE0NLvzUw;z=+)H#QGd>v{1eZb%1_l9tyw~~#8 z=3r%qGG5eem*TuDsE>Mib~ss7;CBXHd@JAQr|&;mmOpt3f7sC)GPFxqto|;t{Mc`e zLI34;HET;uPbeMpZ$^_|JlE3}S0EB|*H7MhII;eWEMDijhBqT&~uQ8Z*+Z!F#2m^MG^_}J@ zz?xcLSl^hGPKV|5Y%BYur-5_zgAG+HLB%5nK(g&qYDYdId=B3n3J25KE{(T-_p@C4tky%O7y%q}YR z+uOZevVxqr*-oDOy%k&l!vqIWT~b>gcRP1z@T$SrRZ_@hA0PFl4m$R%C@tnCoS2e6 z6G$66C?V#1`9p^0bq9ILQQO{D%y|WFiPIp?>#ZBrYq?ha$seZzr`Z!ldi`SgEyl=$T=yWfMbc2l1zW$D&X@Gx> z4}QkyADr|cR$ZkFF2tIL+sevDBL5vr?H#g}!S30{He&=l!>z>#lVORd2!>FC{~wgl z8wR)7x$0KAn8&|;d+rk7WVQt#8&NqfwL6wCgHL5((?8jc*>JiiCYMA;`;0$LwoNtt z=lrg~7Ef*bQAGP*0>eB}e4$17SuL{ulBX3c9_u{6Cz|YZVXt$p;b0U+{OTl)XDG|Z z38zjROMEUe*GG#~D$H1I(oXr2DP_aa=Pnv>z;TjXekxtAcuqM~c+UUg8>#vy$q`Og z^-s4)I0ZscW3&igyZ#O#7dxNx7jVrhd;7h}XK4aqKL z++nSefx;qBpK6kL@{?2(6@Ycd>+!6sXVag#>^^N1$zo4_7H43+O3q-H#XG^U`t9($0+I-)pZ(xSE z?4!1|S`K1(C6bmrj7$c?Co>~r=dB~s}n8^r=5^C{ER)3Cyj>l(Jr=cOtZx- z$IUwlSkz)XVdvy*6RrAT zCoMT$Vb6M>mCv#YZN?AEr~U75JoBHFl?1pK#=QTLEr%Kw&$~;*IF0}YjW!0;fsjh& zc@Cv9luwk%|7$)`P=IvS+KT2MNW-5F-zI7H?_tbAoipMMlwg_3izuMJtrj* zd^t(a7>&-c<7(glL0sRlV_^dZ<~$_I)lO+F z*7M`IQR2#qh6sOF9Ld4PkV8GZek+Z-3Z_J*DFn2zoaGMwC`l3S%`w!n;89}KCK3pc zy#RS!R;uQ`?8Q$=j~{o>keW+giCQn0-M{6CA6W8w?c-Msg~*l=8@ak8lKnJ8dwJx$ z7U3jPQ?XMVA3=5`|I2<;iL_qfp;Vh&=?g7XR47}N>X|O#1lgk1bXrTcxttx)_2@By 
znx5zwA={_3WfSS}|3cJvPRg07u@&stsjT0Q1L#zAOBzSN40!Li2PH4LAr>J5g=*as zFkVf@%?iEn6dv%|8{AElMKbAdxPbylqaOM`l;`bjo&;HdQHQnsCGpvvZLS-{3-v45mGNWa-ig@=<(QicK{ zzCDQ6d{f>Ry&N=#is^^RE<2aYImePLNsopowVw900-Ff(Wi?I<>NPBdIfVyQ%nncv z5Awt^o_rgB@Kg%P!JMOH^YF4hD}goZ5prkS>3gV9B0sPAhwcmTM>=wI$2mC{?e)uz z%tE)U0nEX-(kR^nhkFYOG3MdUhh>xN*XbUV6MeCisyVCyI~y=`@A$(My52FPc0V%6 zpkwhUBGl!G6WKgzzp{hfP1F9&{xZY7f9|3$`GzTn;P@-l8MWo+OJ(zeF;mfu->Yox{1VXDe6 zid?=io(o3^ zg=v$f1IkhBQUszG0T5MU;PwmyN`(xRN{xfrygy{2-EDfKXfF7^Q#y|h^17N1@28ja zuiK)qF~wb1e^IuQY{SqHiHmo_=ZBtK=q^S?+tTBA2tSfZpm}tk@9qpNAg0-G?TiXP zQ@iiO2TY%!RoaxpSt~0)JT8&=-3qt89=G@kvGik+z$>iFk5hp*krRN( z@3kN(-~*>tU#EZ`-1`0TINv<{$V!gP!3c!RkBLdEH9#v*V7Rx~0N|K@N=jvbSdAW5 z1))}2+ftyL&}?a~FY~b_s$s>SI z`-ds5zVeZ#i-yd{nA5=?9q@RL==Uq`RsqifN`j(2SkKbpU(<7UM@w-tk(T!vNrEqRE?H?&ag|E1E^9b?aE- zKe{^OE*E@@6pqAB5chCjU+vKWh!g2I(D3?&Reu3sBLbtJ^}jD3e$eD*2qKj_SHfnD z-9z9BqbFGl(=>n+BjV7czYl_!T-q~%=@^LYyLIy)+Ul7w>cIip+|U5?%Kq8}e>_Fg zIKDdeREb+b#wSDF^!l^Gqaqtvh(vVrLXe|K>Uk>3t)Q{7dp7B0YXtG#FIcE$u;@&K z5S;g<7G~5M>L)9Uj!cgeL%E5+8N85Gv0)p!dN)Yf^q8&qO8@fL<-Xr#&a_yUh}`qy zI|HFrlh^J7Bl16Y7iqpD+g~wS+fi$4kU|h zB?4h285WnrQHNyWnm((YbcYBuTnYi36PVxR4Xx-loo_qbQt&^#iq-t~w)pNZiTak8 zLlgNI$=jLho0_jh$nTaeid?y5`C8K~ivT{2aNvFV`k8!vC3?ywU;?o>xO9?5Y>*{v zhlIFYPru0%sGuZqDZjK*pdE)HGf^-K7gp%lLAbAa;sxMu8fj=>s1bsfnvhMygSaD9 zOub$q5Yb{Dk~%v;lrJjqWfAuPK|rgm5bdK@Gp*hI-iFHIW9?7_w!$VDxZYs!hXxfM zKWDrLT#F#Cwhky`R*u{Yy9*hlk|(8w)*q$@5HzqEf6yp^0DE-0j{k)ZQj@NYh zWAi`6b#nq^LRl@?t?8NNgOVxq*#oU$T!#IAseh%5iA20Wd}=JyMaI#GR!0@1o(>np z6s-A+hZCZ8=U2A?8_&kY_K5X4kp7ngeg{WDpAcLzp z0c@pHi9iBTBKXD5ffpS>h#5^)!03%gfVHToIAd&n!>&(?yW71n1c2OMBs5@C|97kU zzaWSI<_fX_vK*e~2uHbQJrq7pEeP5X*cl>UTdJejx^-SJ#Fgo5Y^ke*^l0Rp&GZK} zgp6W_dH9?YD<}^TH)*OvaML{_tAw>Oo>wvNaErMIt3x4i`$H^bSVY)Q00`|Z4Y_*b z3?W34m;Z_o82}d$qf&DN0+G(FSb$*PQY(4G{x>jwI}mL69SYOG6AORTJjbp5A!|p4 z3DqXh0Fj@T+Vh){!UFyN*z7Z)E;vQm_m(v1h~tZti){YkIh$zQUZ~ka3RlB+$odQ@ z+_UxKK@JWmLfYJbA|#+2(3#a1p+`8_r&Od9xE4V6!p#ZZ0yqSBk~hLaP%=~YTTmD{ 
z3?_4&;WVDgXIW5s9ROi5h#4QkG^b~M4w&(65z7)%>UCm2~>U& zYSP4jNL-?P4#a;V8IbzE?5DYN-zNOl=W0D3;Hre&ty^?SzTa+r_L zJzegYxIUtnnG%IIl^IC!8g_)jQyk^EFY6#v#tybE^9Es8tMPE7>QCXS;qoi80nH;I z8ab2OVp_;h6*4$_Izo*EDqit}tDHe0s62YBF|u{#xSD`Zs?|9h+Q5?Fn=&#CY3&ri>5@|nx- zeq+lH#`6>7FilwQ*c1R3p`XY;sze@TZ8-=NY&)d;;L!E3zOiS zm~OGZ%%xuWLD2dNW%~gz=Nnp8u)kbl&YLDlk6l=^v3{@4aQZ7OhcEUv?()L{HSFdI zpMu@3YUH!G8_K}jS6AFTq^&^l>`BnRp(V&b0T&wu`c@_ZiX!>t>F(G5>1F@P9cS?_ z*v2mXmqfC0ZOSh%X81a%)}PiwGOlt>X`q6P3nR>u<;is(w0gz?vEG&+ltgdrMVN={ zmjY}93HyG9PB;)~{TN!?*=I2_+FY2R{#(m{Wa0a^3wY`!$ta=!M1s)IS^~0=e}!30 z*AauP&1HMkwhc0fn}4!4@bV0mr++FC`){b%e{G}w@c#V+esxFoJ&m1VYkSNL!)#OK z-&M>8-4Zn~16g3|A2iZ`ljs7M+N*hAHvPJg$^Qh>1w#x3|ML-yk$T>oYw)mAq<>H7E(~EC@0x1_Vq6B9ylo?LSJ1Cj$?cz)Z(Ix?L{QlIco<;mGnvBVCN&By34`x;PuwU?#ub^HGp zc3+|?G(P-5CLc%M^NsjTEWrO+>?o+_^Wsky%ZG)9Arum+BVV8HM}Auw z=lwjePfjrb4sI^L8slW)(5s3M4Ex>v?j6CmCl6$1a&+oljsv+2nqY^OLU_N<`Y@At ztwy*`P6N=tKet)P*j#Go%n@;lS-gG3@St{?*QxO~4GqnTST`-bWMFtn3F>eBA8|P8 zd2YYg?ayaCkXp_L;xe;txrkvLP)37OsB80654?|$XvI7qCaHZFSzB848-Bt=$f8P3 zK2mq*_Oaz$GW_-KIr_fUuTW;`bog5`?xF2(9u_VxQB2BDesUy_8t}XM_3bb8Ig@xj zTpl~STOfX`>|H^;TnuppMT@}&nNp?%xBrh%15bwTCGQ{SWr+reAAc#Gt>C@bnXe$v z;5O~CdTF_+$)uFUFiO!dg5?kTyy_nARIy7$iGRrXHIZ_B# z4z;0PH&q+*mqEiMvH9nvz)_@WKlz;s+06S?$~`myrutL>n5qPIpUSkF$aHGmBI|4- zebFGeF1K02Si4AMF#Ob=r2oZCTne|M@b=s*ViA{5avMMLfnrp#IIkF2i03prg+l#o zYA?OYjXS`&^D9*QRMDQrKGHEGp*4~DZ>cs|zZaLUZae5yhTXz_aKrgkV{6c^1kMIW zq)}2WLU&uA#@gFNG&ZZjvRHp9HLJy&AeMx4G&5tmTm#qW_~BqxCeQsEf3fU&~WNcplOfOTS^>T%y*0eKL-MQWTtdm0Q{y6hpzs2EB?NUd0cnlFnPxN=ay1sy)uG?abh~cykY752M^Qk9y z9;*|ezcaoy&}H>jGxY4X!yJYG$xmd&Al}+?CWkiJld`0Z8Nv|Es%{D)C&43{`GKo` zf0bOpJ2w|QqYb8P_Z{#sv{90(?LExb5+9XoRJvycw)?cY5BI*~+%P8l!kMnvKqN1# zMy5-7zeN3!pu@-HprJsQiB<_BR%Mdft}){r1ssH~x7tANJ)Qv;)+QoNhQMmMXmU>Y zT-Wv!b^~=^$H-*&X(il$LXKfH*StB@E-!a^D5jU6Hh8Hk(6^z?FNfC?U z_4_MF41W4T3Js|P$#qh62iu=8G4E}!EnmD=1U*27l0lIR!%xr8ewv3zov{I}zFi)K zq5sZIG7dPlp8-NB;}7s(l)Xt5GSV$^pRZi~JtmwZ?y-eOup>EI#l9t2p0IS`7cudq 
zC+c_5^cuA%MlaUUZB)M1(}hZtw@McM_JtR&@np1#la>sRdJm$1z=)mZ6}C6sU{icv z>re25iICLn7#!qql2LT^{?01rwk%4J1xrB$!bk6mF9S`U@%LvzbOgE2(lr}8eAd7c zPjTBv5NG3Nqz?7fm$&3|@6nnMR=<`w`Y%TnCKVpX+iBKOYL=Y`A3x!7(5Xc| zLhF+M{uSOET@sbJ#|(SUQ@DOtR9{DK=tKTWz;|&oA~+VpvOhki*e7z-#N98_2z1ha3Ewdh+q0p{?BFT!Xs?}X2;yw9 z-x+yCA#5$GZXy;!mSEg_aQpGnr_K2`^5*TO{>ZVVuP_O6r(6|MAO;JtmU^B74 zrA6^rVo{^Uc7~VsoKivD=bRqnh_e6K{U^k+^sZQhi4I4X^M~#{nRsTRXWZtWu-qsB zb3d9kP%XF>qo;xfq}-gerr5C}VJB+#yIVMQd$Q%W!%WQ^k$TY0!OKcXL3uu_@lar4 z*<$LInyAk=w64_$xd!iY4++gWQ$*cv#M6kNbX^pn!cTWrC8%;|T@>prPC3MdHzB0fzMB9a>zh>c zZU=NI?IUqmcLE15q^4FDRhEgPU*grj`s{3zM0k{PT zh|ngdiK`F=2|v3kI+RJSBmQkBX}Xt1GLe1_fza8$48F=iv96AQ;IW33*djl~v}Ol- zHt$^LDlek{X|yZ*@g7toni_|vRi5mZ1|LC%2+&3-nPL4@418Kc@iEn56qJ~7{M*E2 z4YfY$i55ur8TSAm<5&)EZ~&6YVH{aUurrkX-TJ{*cBhFy5C&-PL8 zS=Q~1W*mt)eQGP{qIyCbcWE$scKP_iJ&oNg=gPV7V?x%gN5TsC4x}(MC08GaDEd;q$%GS$16mI_*K zd##IpY})J&i6OHHPg|MJB4I!mgw#+iDk^>|1Z=t|j0uqoniGd7NsrY)ar3pFjgcW# zGUyd3DA1p(By~w0A3#4Oo?+$?LT!$4Q zS*0N1B%aGG=(| zlQw?kf!ts_Lu-*9pC%NU!-ppKEfXJ>0I0TX<=EqOOtWIL73vwA+ zowqaH5xEb1%(f{c9Z={beM7;Z8H>YMA^nB}v)6vdbh1(SGQTtjd~yr&eHjCL(P(se zDclbCbPj%eB(L`E2RO-DtXX=^Hlg@jvito=G#jBRYbr`<@YjEwnGm@x|8Oj1z{Rc8 zkJf?v5pho_j}ZRLfR8>D+&LMV&wiZQsY=WNjaDd@B zgt7P6W)C8b`)fR>#1f4Pm)UC++>9~BU;fN|jyUmh{BiaKI)DPS)w0S$g9yfsY&(&=-!KrQcgC z-=fI+gODSesMf}7ckVxRM<;n}gaXuZ?X5J0oc&@oZAOj3C}Urn|dpa;Fg#7WMxbNQqbww4V#`2Hq8!13wFRlR}M6z;HBev8Q zfWRia{PA39Og zItq!8`N!^`Pm~XKg@XH{BbzR}cZ?pxcub8i^9z?n`eR9nZxcAJ@qRu}5Qrw{F|UgN zctWGiklA`Pj}J>>x>7p|H8@s>N9f+INrT{KvK3)>Hk_|qqn!Bf z%kENhWIV%3ABgt}+EIOwmb$+?U-pyPPy+2b2@Iqk3L}w>Dm|nN^6JnG$_ya9d;lqX?5VE|(!D3;njQR=Gu2c$3ZL3``p#@I!{FP;Dmt9KeF56hW4H2CAM~Go zf4~>8hu2y7e;RuWsI0oSTbP!Hn{E)0Zcw^YX{3|}Nu{K_yTKroRw-#j0qK(NZbVvA zI?mdt&-;Au`2PPK9RnQ0ecyZU6<5wV7h(`yfczNWWSQOc<9fD`rqH9eQ%lPqR4L>@ zqKas#@^;y*v;gIk()XTxUgMVxm@FgKYUE$fkI`4~^=cBuPGAmV-69pH1T43s`7cBjbAX(UUI_?lk^ zdD9@jxM6HTXnSpjdm~X|P?0ZAfOPCZ%>voIN{!fWBHZyCx=rmM2ndv3ns1MBG-*Sh zGcUL}9bDIJtnm{9_1KYz7X18;vy=`l$P@kI*ucge?s7X@&tui%Y%lOvJWFcB?@-+( 
zcm2d>){=^)TWyO4k=q(Pu^YkZ_S{}gO4xKj$}C8{*5y0@kI}C2#sK_t$DN;FX-K#o zd+2>z`d(Rsj4IP8?#de{43q{O6(><%&JlAqnazY}ZbW3PHZLNEapyL$W_N@KP@Y%s zmrP>$B#5-Zdd0|&C}zLeo`2z?Wh3E!azaDU^9V^%hf^*<>a@(HSFX}+z4Nto={x2v zWuj-8C?aFU`e7#0p$9SalS3GvD89GU9w&?K*wZV$fV;~&CRe0e=CCybtCz_I?rWml z3*WRYHsrK|*g>N7$!Igzha-VFH1CoaNJEWVqn)>T`)^7WG&v zAwZXyx@RBvoUnV3C857QLtVg4olSo+f}+8^1DsEoAl7nibilIj*L@Su$Y5sQ194|& z>ThU-Hv1dCQgkTplXNEAzXnd{wFM#|G003DEOdop>1x!v4!kCmkC9rxy0jibde}I| z6^JEjKPH|m{#0zKJt_)R$(C}*?_<+VphP?qM4lEH?3<%X;j#RFPJ(1-{HV%;P`~y$ zmQll*NhZ*S^1$^*?B>j9*d_P;)Dy5xm>_Iq7fmLfn9&~#-f`atSH;t7Pn5Y?2*GG? zGT*BM_a(~KHXbM>HmCNoo?6p_+;QY*OdG6<6 z62~J|Qn;{qKlC-P2os;`aZI$Q6w%V{624LT(7VY`r!pfzp;1~^{-hi4y{anJbr^ym zMwVVlF~u4ZRg($QFo$Kk{+e(p&XkJ{If7j23dh&lqo9%J|UHi`k#S7WmIB!o1KJXd1pG9b#=Ax2LTB;Me2D)vU%;1hBMt>U~ z6DJ3uA{Px%=zcG+0JM>`US^=YRs;C^_%)5Z^7Kd@Z3Wl-s-kiB5_1h)Gzv=VkwH6lx&z9*PCESo!diq0y(3(SpD8V9wldn^a49 zU1XUFa9g-y@xG&hd=bK?N&Np|)3RQ1%8}`SY8-fPYdPI{&@&zzPnM%WKFt1`Tot`u zOM3eNG&iKs2=n8ZSS5&Om=xt1rywSBOS{FO13GlaWIk7(^s8gc9ENDk#?;bUg``%r z51enq_X{Qce!3j)mN7l9Lw)d?)%$)u7NK#NH0^e*pbsC_OM#Xw;*X*uTj zKR_-3gRbKFHgFTp&HLg61_J*z{?D8&n$O$6@U9M4dx?YY0u(}$W zQl4yytP5SPar`tl`|qOSb=SCBU0SPzSh0hYLG87kr!1as+fksX4AnLN#Or})Xho&Q zm-X&@c%b@-SQu?J@fp4^Llj56!G4W5lNbs|vJ3!cwyBx6O5p(bueVHh z24|Cn_UzvXcp~T&>&yNW`O>)5#zOaeP(-m6+8G;!C!KAfR-L5l$ zQAp8b#dF++<6o>OUvMyC>BW>aP~2}doJB}A{ePY-eO^7dgwH5KCfkA$i>aE&twUlm^^_}Od zy&>-~UT6I-``d(@lO6w@lOBD3*Wu@sH8xT5yb?805J-4T_8zDfuXYo2s((?s%cfV0 zv@=&P8zuL#baMdvB9&I~y>e>oHI=wzjL==$U|7`kqrgi;uZ6XRaF2=~x4_wahNRq< zXZl=Bcije`)%jghh4^wtnytnnO+I6WxR@4~amv0)2tw+=TQNdtVk!BMd;vj1f>1;O z)Uz#k-Yx`?yJbt(iuNypVPQBFq2~*W7byI@Rl=vyYwrWEJ;t&hUa&n|Tlv z1S!OPxR7La9jIeeGsK!~zpH`xhh($5M0U#AT3Vsp_Q3UUZ3N?8*9)0%Ja^nf5DO8) zG3E5@JgCs{T33DUew?SM+5jYDvc<{K(lKfZ{njYr*BLD=EP$&VL3!&_h(By`^1zAW z(Yua-%diEf>069(8Li!~O9bASa4k)}+)U5qEnrsHh%kQHX74blBi}!x!SxU#1 z=q(51dC9HmuNm_r6&rz!an~(t5mXlxpV$ILQ*iX(J6_HawnkD$`HdGzDvsD|604BD zX|5_X{1uuvUW%PsY1Pwz3VJi(SY&_D77U)EyUpfBLW3rvLLnaUsdqX@`nBr``>Op+ 
zaT#65!3r*>7?f}LSjaEzye!a$`UCYcw7U)u(qXG58CX>TE1;j__+x~WV#<%CP^U=p zElQPoou=c(WDS0wp(v&Em7nUBbhbl^3L>#pk_LLRh3Cb(+9nz+=&cwUCW5tg=4i+Pig_Jfsy-g!)jy~k zJtBM|JtHXd)~Um^WCxiyu||s!eX0YAHXNM*5n8mdYHQRF=2*X1eanhScC&RcUGEA_ zhl_uCXCT2ynw~tjo+0}k?xPw~?jAJRZFFm~g)#JAH(Jj3Grg&0A}ZefuE_F={V_;z z`4?tuk10q>s|}Ev!@q$(zF|%cg{~%x0V&APJ3!a8xhjgid!p0=am-dPNWgJvp(Gt~ z_w3ix9z!mCkoHNR_id}a^EAgMZ7vUE|A;Em?xEBOf>5q$Cn6GowecMBSW2;WR%t+h z0d+{JrZ=*s&c96S#alw}k`Kl@CpKpb(F~Cind(Z5lk1rXE4x5saTfp$ClHp!Bu|x&ubousXcJDvT1I zK%Z)}O_h4IrTg}r^*Sy6w`v7{&Q?LbuxW0Ns_*5SK|cj?L)%@;&A!jhdw3e}R6@Lw z4+3nZNKxs??pmX2lQtfetj&EO_rsTyaV^8*nJiB*n09UIn@i_(GwvqCqgV1zd1z^J zkrzQC=qoVa!_DRuINf{n$!a~ zv67}*{*EJU%(nTPBBPX+9G5VE$vhzNEz@Wh>DF}xvP%m3?DNg59bTT}c&Et6fj&yL z38mdsc^hlvk(;qRkm%v^_#uPMAcsjAp~b3AXI-9~r&U5U_VF<>G|U~;%H(@uZxuCf z3Z_4X_+(Jo0cKq>>e;1Va626crI~-jgfz-E%s_X6t68RLEV~e3)JO=YrvVkz%4-ur zjzC#pq`bdq83Nz^Q;j!SFBA=W+HaS9>yRpV#QI^*)BZjStf-%t7G4^qHW4|N*tghY z(3~R;xAV_;6A^R$P5K zLA3EptkZHri7eWX6LP_cv^#4983uI9ss5(e-9LsfkBm=r+VwP~}&g)2cT>jTvz3PNO1W>Y6k>bs5HlifJ2TH?69 zCoAG}jKnD}(o${jdt1M{IxbYEfnKuQoq6E}J@2(nZ;)|t>c;Sd9E6RAW#^eu1Fo=u zJ9;VyfDbK{Y8U{}Wjv2RSy;Y5UK%`$7OCWI9;ma?1GC&8x`!^}b57D>_p>GBoN@7T z0TWE#G?5# z471!VEGwDj&>lU!;1~&e7xR}a%^rjPwuBLQr8VZqD3yRmf`VBfX@I9JfVokhHG2bZ zX8HN%chnszEK8Y)a8J{?uijC2@h*;exsL2h{a^9(`Al2eQVkvo?ey0>R|0PR7{VOI zEgU;oc{-(cgkDoK4a>fm0ti#UFQMmr`vgj;l4&|0yCy&?4Q9gA5WmDyt1|)gtg5zn zH$Q8n!F&GGi3DzPb1Ncs{?MjBZ(YtZ0YNDs$qhSaCsLb4-5%w^lYC=B_1O8TxGUD_ zrkty11l{_5EM`cqEPn_{dUv0Ud})VjNoD@Yy%b<@*_TYtS^q+Nf8X!l{3CpDzsj;s z`x~NBMW=>P3c)}+0&8r4%Tf++X-&6DYb4b)3(DE)dDbMGCAM&l08V)qNjaBPJ8D;q z`AGIBPbiU}qswzTUk@yV8hQZK781;7!Vl1;w`M_K`D#ND&ak5nSKI{QNq;)w)qI25 zM$tEg3=#Z-v7$hq+GDeC1tBL#z0}2sGkbf>@&ZCanez+vd1~KCLAxu{{FaRHFoa>`_YP%M}7crcp6=BEpB8yxYqV}Whp&`Y#edifH9dvODO37b>XTqxt>yKmmQ zwrJ+K+0NecmGyu3|%Y{6i zsBz;>7xf{!9SzVu+(*>&LAqsTz&@k7pDe&Uk2YfqR%{k#s)ijL92#@Wk`fq=s9v~m znB_9x3WSBCGYXoSAs36)`^TpLisy9^oAGc(q!w#fPE#T3(?z$&x0ER6L(V;l`|NN{ 
zKvj1bFusi_;AzGgmOJ_I$B%RQ=pyl?W7}Tozw#dzt$FqzAz0f}74_O}jD5|0W0{b|ms|rb61Ygo{F~JJ0&cfaPoYO%LbBYigC z+o~5lyZ_{x-7A=DX>XYks^@38?bY!==Cg@NnlsGP%EvA#XZjD+1dG4qhM&~yu#q5b zp|i04VLVUp3ys{}XysZ7P5ffkvDEMRB$&Eax~tNjCMX~>3Y;&vPfo!4 z2op4Bq;`sZ9HC%sHtRBMQD}hODy2O~K91Y8hwEwf7Cc#XPe+Gei!Ag$o$6JHJbT(gyAE|3e{97{tJLjviS@T-N=jZDz7G8a= zultSEsvjdh`IZVgi^||kOOR#)#V>U}RmY18XDXxjj+;MhH8~6j(_BA>nH{d>sb%BU zaZs!*Wb1WMfiHQ08=Wj}34cT}7jc5Nl+%&%byxAtgw;qT%+vK}2zxF6-U>NpAkt4| z*yxGPo(K?>BFd4vw|*a9yDDB-S=ULRF5|DLeU(Lw>s|vVZDUg<&x$ z1M$FP@eyG1rb-d(^U8@<_VcJ>j@)4IyTvME3tJyre$;=Dx&cxmt^Px}a=Qou= zi>IqrA{vb-=$Ho6$j|bT^$Ko3-#RpmQ#BIH)~;uu?dA5JHlFeE#TZWIB(|}?Pj`df z*TaJe>DWW&N3Rvrf)hmXL<3AU(!Yh@0G8Mj4?@|L`9*}FzhrF$6`5z$;XEsfE$?g< zWi2qh(%Roni&5|;?*Vj9vO4d63IS?y<)_iHi8w7#P%`5NXVOM!` z4}As#J64rl5Kay7oS_T~6tS{p@|Q@&+9_jWVEBb7B{|k zV&$?ON3H)5M2TRCLov5EpB83ypsHMV?9-h_pkPGt@qufHeg1x^S06QRSLWlNp;m@< zNuw_b{%Fs9q`F5YAq|a<8dr}MIxx*7EQdfD0txG%m?8r8Z6QAtQ?Q$&Q~*U96pXxpSr~{Z*aA!p z03~r^;Bgx_*yMPMQAJB6pfoz65YSOVow?Uj?yVX&|ByJI>ep42u&#qU%aOrcpzfeq zj{A>&rnIkQ=;mz5+V=;YU-4eo27RTQe;pWr@s#q0c=A-%|7^4t%)}v;OLU?-yFO%uBwngb9bpd zI&M>yV=?1XTEcB>ZN)IO1MlCP#V*`QDogpMTrlB#YKB@T%V3d{ctUlJ<=aMQ+DEnvtD21P@wytwP;H=h7Oc%piMGE*YB+Q2ekkr)Ob!%fp zW-iBbwHZ%O!ePB4%@NjWm)YHwX-oH!jE`0gi!Ka*!nJ97XTESbC|paBNFK!mPknd) z>_CriaUjEzp*-0*I3mziR0m3a;Cemn)cSM%3($)M#Bi?DljB@wV?kr%9N8tFRT}A}-vnEJJ8Ggv7X^5&iM`1kd-7>48eBdH|lm41NiIY2sP z-PY+O(2&qVwozq{elIJWEt#bqIZ<}pMTDt0kLY!76!O)8PxdUj2p^DUm}TaZ5MUtF z3A6|=0Pmot<=cx1C0(xu0cT@mzfED8rR-+q{Hue(6^7u)Q55%#`FWOCTUMk%-Qfh= zGl2?BR$*$*T=4`I$m&4N8rVvHj5=63CNC5=MsNUwh0lS353C%nEWR2yzy<>ZtB1F4 zAQ^mVLP|ji2-+IPt?h>HJLj=Gdzr1=cAF9+-Yz&vX&ma=!dYT}jaf+U2RRgI&qyNV z>+pjlbi6aA-wrfPyt~%s%>aKZE{k0hcoL?v%Fb6;L%O;CRRj}G9=z?(*5i)M&$11h zh)RPDUW5sGta61Gtp^je3Fq7&?)eT#>B2ze4Hu4s7JhB|yDVNrd!3h*&Fyb-SVj z2L*CT#$XL7`YVXeB+Z3rVg$GeH8jYW|8&xx#eb8uLxo~y1qPcZ>=0&>-8|pu-3_OQ z>h;+}$RwagTF({#j@|2cl2&v5Ic^|ZkaokE?AkYl5Xj5{Q9R`lpo?KQ;+#|QtOV#o zn0R$t$(SJ1`oo%i)TA}w8aW4-FO0$*erUN%-DhW~t-24dAu$Y9VL*IGDaWHC3kD>Q 
zNeoNbOKyMyRqaOQu=igJ=j;S-Yxz6DZdMS18l*(T60Rbh2v+}ZnZGs3w=V-_XKggV z|D<9@c|>Pp6nmIbCVcoG;i4kHt3^zm@8v55t237*Hb!Kntl!N{Wp0i3$e2Uq*%WqFr zc~FC%(8E@aNflJNP8PZC`vLLLYm#RDSB&_#wdKhx;ktaXnjtY-ATd^S{hD1KJJY0P zfXDDFdXX;dY-dDF0-tyD;FK4rr#t+>RI3wkI4K?QlMaMQ@u<_qFdMUyz$o17Jb$4B z5z&^Pv$cT0L;arCGXQp@Jx!K&@gx=!tbrs74?3ZR_5?j;+3SX{3P>HV_F-|XK4!-Y z@C#d*`n5#m%TrYWE}K#~?N{2>c54j}&*796sA=xwEo?oaak0s|rXPY+&eH+tdtIG? zUE|iv^J8w$L#x(sSdb3S;pRAw_3-<)@86R4PWH^8)>6aO8EYseX|o@dkTVlMpYO%V zXNN_pysq#Ct|g$fyf#_Es9mfdQEfkO3M8WIOqV7rEb|P%3W17fkOT>&O5KypjR=Id zI}TR+2McvLa}^R0fWo)b&zUcKKYGdO72@F#Q7{_;UgdKy5TBm0aC375SW*-4u?z1b z-h-gY**XuWtCE}?IuQ{OsfcGcJjBgD^9=(%Ffjw#B1)E61`f)^`&^U^B$5X-1?UPb z;f(>Ie2WddyN$l-_iV|k<0dup)NWGyeGoe3q_kK8`r6tE!U*V4otWDRPXxGSAL01zEr$G=%wD%Wg6sn|QpYKvl3?4DE& z;eBEe7J*1|R;ll$r*B0+oYZK6R+;rMgVI|eLLedE%-L`en8c`Ry4W0&Ea=1l#LzpB zLyT=n!5MEhTJh52aZm*d5*i0;*^&jC`CI_8W>|&Gs6qi0%|qkJbx9q8I5gX%^5CG5 z{tR(C^=z3smOw3q(z3~>h2XR_av=E|0K|XyH=-MJfJC!G5(Cz8kd~46<=M+13>3Oo z90rle+-8rF=x(GpM^l#h3jPI0cW!!@pGgd*B6l>NFfwP_BBN$n3yVE5m_QG{MOWjx z-4y_@hu%~GBjK`|s$@RenhZ*ylizbmc4>>jQ^bocPc0wUR+uQ{p1m^xx9mu)93Pxn_So(H=?g1Qh=bog58 zzZG!lqwug3;~mlYk{)(!8@{Nf-(y*Z%kofVMF8uMpddg#=>HtY5a^D zRr{;M>Atz47B~t35t~o<7Xl&%5Mf`QZ}2+CE-o%MX+}j6oY27fgo9K#VB9UMONer= zxA5f|DJmix$c5iH^HnlKu~;P6({Z5ZFclNS&JOfvE8iJ3b>R7&-L&;zg9_o(@4q(r zn@}&?V}Vcc{SPR><9`7KfZW=ciW+JxKn0Ay9*M#K{rp72O0I;aNpSS@7v$Y}vbMh< zoc&jMwbdgaG<1^&0&k3F-E0R6&s=NYc>ta!9)S$>w{cjQ_{S6+zG0?8-id){m}Zd~ zG^bL@l_22f4Ws|284EqC2H!Vg02c*-ns@&IYDxqp#vcDmFN)(c5xT;MX(b3yV}UX# z0c{{fmFv6b3m z<{N&k=}F=JuvRF>EJsg>)khu)Zlp%Ly(YpeCqS0WL#6%ZsEvo}@!-n7vcM3TQQr7U z3!HRJUBkh9l12M1DGDI$-M`JsBkp^_1pf6p6pQ?QbG$S65^!Bdqv^n4CIOe*9YfB) z#j03sH*0fkKm0z%d1uZ5SX4TfjgbU+M3iLd`Y)1iM8akSUg||hy{DJproH3NajxZ$ z{90HNd8v}~{he3#%?V>CQeTUS=qk4_c?71po5D-`{_3o8R;j)m) z^DFO}=7sk;FsQIl&e#7^F5-~lic@ARte$|7No%_?>j@=<0!#F-?EUPz+U;uyuN@N5IS z%yI;%iNiGhaA3mKXaYdhN%vOcd*!sEWG;sViOE{G62d!`QO4l=_t%FRAANcL?r>wY zTL|^)tNq?mn|3afPVt+sgX8jIhmJU+I>3*tfRiVNs-Ehk+_RnHKd*#KoPNL}H&f%H 
z=zI+(YrFJ*62l{IDGVmhk3g5dyV#)iJNV55PEjCV&6bTSBH7y*WwoBI`6ZrPDJ&J& z;JluwS*WcHPCQ^VsBtbct6a+tNw(}y{{{}CcqbWzLO_S^oZ*;Sip(SzOnE(Gsme|J z3s->KUtl}R8Y{Ukyz=`O4)ALJ5@ZO#+9d#oJGsiR=6ZeQLn`cA1mXy34x@TDUW*nQB0lS()>yC0v#MwkZYeT;JGQe^Ot+si31CJZ-Ik)hb$TpzITN}= zNQX@!Km$-JFZY%^rcEBx52#>>#SkyTR^ET8$_F;8^X{TZzOZ zmwTt*MH#GF@+RT{Z+vW{A1wkf2{?Ep+>>;FB6486SwW;z-coGTU^k0%)@~?FSBWTD z%lKa9t&RQ9s^zScdf=-bbJHHT`yBtA)rOm>w$H#Mx@d*fn%bnLX@*h_f5UPNE%OLE!RqF9;eOUhSr)SIn16J1m za=@dFS*~>*?hgNt9Ugl4NZ4)J>83B`3qm9Wp_b+y)@^4i0pI6Bh8pLat&o^#hHrX^7*%#hG?nO7tOs~1^#m#E@d2lGeXs`i z#~VeG2r@|$ayeFG!Ee}of>wCPDdJ&-ERuv*BIB~qoJr95!TZSM*iL`a0HNL{&_G=Z z5j9L~ePwTl%h-RLUxilV&9D|2kzzT9c*n8@6uh-?>vn4+B}KORV7iZcjt0=cfG@%w z?5`Q%xOFLqc{zi+9p34pNifA2G2=h;c|d*1n*&2F+CfkVJ~{@O-=AicTQ(BrLF0%D zZ3nR31@1_2H|INWk>G&6<4#h^hLvI}^D6uFdKK@3&)&7sJLiTJnP&AG*xvN-575NF zm-uT-d&8e^mlI`@sE;k_?@%MKeV)OsNBy4WaKb~~9s$`BaEEvJe|?O8P4e!vFPd8P zE~{Y*IXi~k52@5i;A5LY|6GbnKzw35^jQHn5|$uCftv^XgaqPFS0%IDXS@jK4%i1D z?%9OrE`Q!yf+k(!#-gXQ%b&A@x7a!H5ced~-;vghM{7ML4hqzdPx@`rz++&e$CC?# zCG{d1d~2(fpraUg+*2m=Ym!LVWE?lI%*~9z1z5p9U$&x)?TiJNZM6<{r<5*ul70%r z5mGrfZQ|@h`@P-3dPG8A`Y!mr9StS$p)e!3`b#!LQs&HjiWKJ`!W-uZJPMk zs`$0171yxerKH8he$Hi&FU4o-lUifS-+y;~D8suhI%9Hz-9;6_bC(k+v-zNoM3Ac{#Q zE%$pez?&$@_|FKyv{g31VnCHg#P2HAb&!tWJNPqQ;EHfO8va-_VQV2mSB{0h{enR+yxJ$5Vm^29|}4u3&x+cv%W8C8ieBCagO{J^25*;sJQj2jSxtP-vkzc<8{v z_L&ML<~H3wGfht`VfO}=mC;4h-!wQU0L@&N?Q@n)st4^qSID5nlgp#+dA01h`(*n75s}X)XB8u7TXzez4T^|eSPAIsbVS&)3kjml*@czag@jP9iXQyt&iuy}C0vF0?er}yVHi*hYS#pXAu(#5}n4@e!9dmc=6EI;(QEV&b9{3UwL2QYoBmUj6 z#R7e_C+=l1d^H!eIm!w5Ft(yI1_QcazqHT{V`qmlb6!#r;pm8QTUyNmV}tu*+*|Dt zmiRYfTZant%@8&#OAn&Wovm;$fC=LI2UXvPLR(tlUM(StyJ3sKSH=}MSs~0ZZrJDN zi{?kp5rY9ws?1N263PY|J^Z*}pHuz8-G%-;qU><*{s#}>rot6rXp6zhHs_f&wrB(739Q2zHE|oIUX4V~;`GInR%=s3NWC-^D}{RRB;7wf+hr8$HoR>?}SFqPZw0;h%$3=bV9qL^iWP%W`jxrZQ4Vxwsi-6 zwYL&LxH*XkSUO@{?7>Y-M|JS7Rqq~kf|^4+dmLS?tnciIv4$F(Z+QL!|KaRH!a^bv z5-<_aD!?Thf^ro}Rbdq|P!3?l84dVP!3J#!z0?^4^#OsqvO!ruH0cC}3T&;uNsgFkHD=W$?lOu(ZH0Tbgn7L17< 
z=;k7CiaEGI*a8S;p6nFBO-D;47evG0Py8?L`C$=+hL0ah5l}^#pgs6rFkbjZ@Mv%V zk^w3RCjb`9fdZfj!rq=Ad?oe{_!exRusDJpk;U!_Ia#Be%^*O9W@c3!A;f|OELmEJ zg^#6WI7}fd1f2r7LRbP_VM`a78;e%U3$ci?vdj6B^e%665TQu?4m96;_7= zGk|jt_z~jhKf+9elRZ{Rut2**ps+gdIij2}E{EbIZubXpAnQDzV-W2xF6L4YV= zdj1}yh~S>UA&MxNQK$g|K*1|bgm{84`xQ6=ubJ=aqDp{O@)XR>FfKr?n7>QFva53G zGX7a4VL>1%30VXuju$J;lkS3W#S-!#Y5$)q?GZS#ScS!vl!b)EmdkaVqVv~${L>U zl|Zjx3Hfe-`vqr3gFn^gjqc?DKd;vk*#3VlQ5Q60oSAF@nb6Aokh;3c)PWb;na^9u zKk`HnI4V{Ug{rC`__shVcpn+`u7x>-+FkCg07mID&jiXH7_fLleRVg54P+@OBFwBI zZ-brrGAJih{-GW%Gk2hV&i54IXomBvtggWSZQ>G=5Q8*bh(Pec7uGCx*W`8IP>s$D5rYzjd;x$ve59!}RS9s4BfoiI72oMzv@!v1w z5UvO`fD^P0CRSW4(NM7g7#jev>-DJsz4#*kAQh;;0gGUWM(CJefz46zgbLKg)rb=15U5?f{m zLIqGm^A(^Af|j7m#ir)37TSWYmN!PIssWEIaG?sBt*V!siy_5;8iCi?58~nwe>t;Q z2Pfz$7<`x5mfp$$XKb!=mCofB?_=i zP!r*dvNHprm__r8zzKp6R6tta&jd1%2q&QQ3JEG}>thL!fOwWzY^(Y_m%26QgNXB9 z`~_zw-uJn*;-ARG>JidqsyYZ0{xC8jDI%(@3MuY*ht5w#CPWp41r;H7ULoQCUSt9r zi(GDeEyOGELCOXDi@UPvd>6lgJz6-XCAM6t zLjGaPMHXDjSo1E4KZ%9^BZ-B7pDkfHX2DwkI8piUVAGYZ|37T{hfV+0W;&slZ9d%r zID`LHUbf#SJt6lo6f428=_-j%c**(Or714>LZIWr5l+y;uz7RcX$8*$%LRl82xBKp zU8=a;GD7bMu4sjG6z`?MXLsA8&CQ`@DyuGrSxi!a96W^63|(Wpxx@nbc@+jX>S8Ow zaW&HdAH(_;9Y*9Q!13>SGokp=eB22ew1O^;fdMri&zg@kErhVIaEC<|qpUSWdX=4C1V1!ax;1 zgKCL0QwT@G|InF;)>u?tZ-lrTSdQHaM%*^@Pca>kK6yu zf>C@%GXWFhIrcwg!RP{n0Fm=&!RYcOpI9HxAHNO|ym*V@H^y}dEs6gtgYj=8iYOjI z@Q8wEass{JUu7{aBo8bB6bKOs)Vf7$4YEL1+uVR4Gv)`j0p61Q3u^>dWrZQ~gM>I} zeis}NP{$S*0zhgV7S{=l$iF=?!h%aJd6*bZPbZj|g`gfG)c=lv)q-3hm>Fg8RsVQ% z5A4b%d>$adJmTyS5Q+Pe|LZsR_}dID zw9GLeEVz<^Vff|xgbWPB2daNXSA*eMkbr}6?l@%x2$_S7RlM%DxIGW9f*#5o?X<$a z{u7}76QG7R)A=9Mm=;Cd&qt_*mM_s0#}^O?=YN^jgm>5xaP}fg6D)=i{QqI`3#5Df zM=XAU+}OWC?OVD2Q)rc3=pU^A#A%GbBsW&3Dq+{@A^%z+{2TR|Rq|(lZiBJ^`E`0C zVmK`YXUvHUueweTEJK|4I}s`!LV}_TtJr^ueuRH}Knk~@YH<;jF+Lmxt)W_oM*X7& zRX?x|7vn})+wUO3lBfBYmJ$AK_(&M8BYzPKBMe#oY?uq-=nMia^P4)F*&v*pKq5O7 z7X!trV0XKPKA7Vx;S5%kojLCQ>cLAKK@f(%VE8cC(%9F}Ci3F~RA3au#Bk5x$PIV( z&qluRWcOP_N-*J-;b^?V`$K0XWJ&$ZdM_(yXK2e%u(_Qo__23HyMjOuzYS8r8U(xr 
zAbShrgaN-n@EaS@_($GIDBw7+SAjVvu=ajF&JFezLwn*9VIe|TYHdTiNv@Plumx6K zuKE1!)LIY-6_=F2jrc!1|2QfFdrQot({CmR9B~qOB>rAld{q>h4}AYE6k33k`DM|# zu=xU@{RO7{6Yw>U9?S585K-oPZ?}Lbi?Fi@Dv)~h_t9)6t^G6%{ok!8T7X3Yy&CME z1+g}8d_jwcmIo(s%TQEt`(t2t^#NZ>=)PQ4FIw;%LNo9qPxL|#3%#(1joN(qBx!+;NOMlG@(VZ5XZ(V0{=|NdLfI7 zfP=Bpi9iwf!OA0;5T5&gSwF&ibQdrT+XsRnSS>&Bw?uOA**kwV0DoM&e_Xr&ldfG{ z3gzF>HdZj^zs!w`-|+PhW8$_vS(?}OCrjloY=ebuLYCVGOHVjh*r9{KH26o+;(y1Y zz(uLNT(aV_j2F^}7xJP1@0K6Igz+}Z;s&lORER$k^p6DnBS8TT2;p=2ajGspy^KKB z{ntrUT!ICGM8#z^;EZ-XW!)8=``@w(>F;1B-qiZ{Ekjz^qmN+hHNiGEz!?V4+re&R zL*PFn@R0r8z1F~S5-2B-og%1-v4no<<0hTJo?8OOt2*EyA&6gc0Rl8X+#?L1IJoqD zAz@VsF_2!feAyDN@=rPUev<%){D<=bonSxb6#{&Dz8B=vUBy8tB7k%;1IOrqyFc(X z<313}Lcf&UD2m@d2uG>nA}gH&U^NPU$qJ!c0B_I!l2-t~-53G2YAYB3YEnD60w7i; zpr4xL-|oQ$o2ehQLpcBQ>x%x`PrJfQT4f{8A1i1QIJ8*+pOsU(D)Pew@Vm?Y(v*te zg4zT)@XrN!0R8`-eLI(~pTq`Rz#7TLi1mE52O6%0d&~FjTp5yH7L2iwFhi}rlP6LF zYzGWAj3wx0OBz?1SrE3EKdA`x2RtH)8_p#$Vl3ONB!Qof_~92Rf_Ug(9!<887x|w$ zn-GT1hw}bAW^=)p`hPQ>c-|y{TP=hg!V+Z*#t_iL0VnAE&*h<%1xatFDvL| zww3!#1;zY_r1bNhz{;BX44DZ1v^gUsT-sPt#UhD^FZ?1L# zvmlo~I0zN&n;|5)a9Efd8XV6kB#6_FvFq8nL4g4Z>@#42afJ5wP)6C?U_7u`j_n)3 zbkMyYu*rXh#l4`xLlWSx4W6Z-ys)$nx32}X-V1^SJgEYEa^ZNG-#~ss%a;7E;!qLA zpYr(I?IipWAq0XO`$>yXE3^U?> z^kR=6g75(xYX@y8kN>TVwzULQXM;w9|0BTZqOPc;=JV%_VxZISR2TMSFtfq9m-?9P~bVf5SY$@aHz*CjvjZ1SpMZUm1MId7F zheSY>{acL91$*S@bkU`V2C>t>#I9UTQ^mVp2vt?wan>uD?57pa9~hQ^@f|VH!PP44 z!r-huV05ZMXOe4S%uyhv8dqqJMu3Hv;E>>jN?vmLSI7G_pu4*MEy+dsd3ab%W}&X9!WCl z7T2f)ddV&l@$jW>UkCx^V%mHvON*acf;Z0O-0L{J zw1=R1uIPLRBsc9%N}F}BJc;%Y+mrfy5B2V*y^}$dL}Z_IW_TY_JFx_hRNJ@d0-_^i z#{_)d6WyY`qm%fiF*K`10QscyhFN5nlcPY^(P0k`vl5Mt5~ImVsylc0n`BT;O{E`y zTl#_Mk_E$;@&g!ECmwyxudjHC-WkhX$Ox%EI<-9de5$D zJ}Efl(d}qFmuWSp5*jqbS|*1HoGG{3sZmwM*~=(;du%_Eo1|(y>~7_e^xIDQj9bOu z)lB#X>r8SsI5=cRe>=%{g<54MHOH)`&Q!n7;HZsP$=%y~=|@GV4SEC@*yg^z z)U-jrEGB{URhrd?r`o16#iS(kaCUjrMOhtrJHwqpho(*5`wda;Inu5g zdAN-7B#XjXbyHQ{vI~zTU5P)we;{{oeQdnVi}*`kW)Wi?l+}hiFi++zENKrY-#Sox 
zw`Nj}&!PFT*bF_~0r^t1ud3B=YqmxeL!Q#iWOkcNN2n341Krexl#52RN4u!*5EH$w ziIRO%GjUWe{_z*q*LBP$!TfITPhM)eMy*mB;}TqU#Jt<(9J*W5M3#cLp{~@kXI6!? zG0{1<^h8orNJY$aeo1?c9<9>RTShwZU~)T2AKaS__3>(n3i#agq(#_GkKIR;^mSKL z%jHNj78)Vq85EoH>$ElK$W3N337Gf$?sP;FO?!E_n%sCiUDJ5pC?ekXWVgQw1Lm7? zf|Ol;_hYeW{^&=2_a~do({ zS@KnB#^9^u0CAMP_SJH^O4P;rKGiC!0BtQbIe6>B!-2tiG ztP`edk6AdA(4|T}Rc~<`5fEy+sV{9P6)q-RKMkip7nwP(v*x*+#p^dzTO&81Z3R^Mz&YA2M#s%La!R4qLQ<8*yZEWtZL1kx{?`bndxSBG{iU@M&ILP&1nJk@Sdw+}MPC#2(WHafTPKK$(!>o>84_(R= zFY<7Iv(3C3@F09&@N+IPzP#=CLK4c`Pshq=ye!+uA92=CR@I+h{j})y?}tr>C*ur| z2X`fGc%?>UsJyo(BQ{Q~V&Il?J8+mMXZo>iLE`RLpNr19M^Ix57_IdrwGxrp(*pc+ z#TR!44h0oDaNEf^7wmpr7i_rxwN2sN@a_K2m^^i6o;U-CUaqRx@lT}=WzS@5Exwmu zy|K1pThQZDTfJnH9;eTb$c@^Bi38ai<&8}n>27igFd_AtU)x=C^}Z!tA3A$VFHW1c zbkYM8WK72@b}3A@;~{HwA7#$A?vczc=LZz`LQ6_ zRE6O{$@Q8D-jfBva6heV>xPLQ5i*A<@>%Ht42`nRp*NwuW-kl6t!1pg2W=JF$naV( zt|9Qw#MiSq`qb%0gY@X6%qEJbOD^$k|qG``KAD=@wJ? zF};s$JcTi1=H>dxdWs8$Dt+pa3bPh0I{m{Fta@&pEmqugTZ#(S%Ij@wcY9-ZYcgHt zdWZuu>wr{dt1SyN2g$2kQ5Z|xq;ScTLi!}b$dOW}Tf9l#-e0^G4`oT`<#`F_Vr;{A zzjkocJbH!lT&dLndE$iEWO~oYWr@7LnPbuPB3)tZ)x5V~Yp2(@#cR;INPnzjsY3cR}b{Et^N0Ns2 z?0ommGE=v%>~O+9`-Y<9W_pZCveQK)E^Fw;RXcaA1a^*w&*Oht@H@HyQnMp*Ax=FeB%U z9xYQ>G2cd`?xCjQ7Oz*dZX5%G2=#I_$HSlVe zK2PY$+tpChCMRcGZFeb_eAByu3ggDzB=x2x1KLsrhutR6>dh#$86Md>5iWDq@xJcC zeKj43sgl``4=kSYXxPNSY2l;1%#UCen)R&F-PRhpyW1xLZ3nsvBW|2F${!I$a@!u} zVTo?u>i?x!C79P4bTDmBC(ocDmc3T*u~hIo*AV$^dX6bS>vb$1G3QSXC%6lvBh?Re zR>*0dY2i>D{qU}C*HE%KiPej>2E|6S2#cyIc3X#=(!1e-e5G^=rSX@0)GSV;&RRvQ z?{8cC(wGIFd$}Baws;PG`kAG9*0Z%yeP+4OBc+sDZbwc;=YR4EjyLLH)&SQ&#(2|@~vL9jGMiel~q53X-3Wvy#5;|c8Fbva}KYQNp4{;fWkpt;l+Kc0C;{B5=T?IzAqiz^KjP$eQn5^EP zG}Ew?=J1t0$s`}O-X9u{GIC_4@^i>;-AvjnWnTjH&I%dk#bo zJqhhoCvCYkyYHlS+r^P%l!@sMf=~92I2gOvs(fsz%T50zI)d=|w4=a+J;*4qpw>&b z=}8=WyPvjy24C7PJJZOD4bQzUpb7%JKHmFc(OvntJ7(krh9-~gy?u*?ZMc9K$Hb}4 z0(0UG*X)D1qj|a|MXn2xJ~}2q#$FkzM7DR<&xY)%WSvd84P(@JykuA<-6cs5{t`L6 z*JjORBhEVx@&UOe(bdTSZzjuAc|k*WznXzWoo|G5R2^BbJ?kJ|Yp-&wSz8Nj9UZ}< 
zYut57oLWcB#lNCVgS4?n;l?vNcQj3&VdQ&>mztjYj_K$Ei5gM<+U|sn-iP3=jrmMR zj^vpK(Y|4FkRB?dV-}9pIl*lkcTB9^mx&>d^M!>qI`Tzy;X32(vwW}b?=aAkwQxiq zF}KYm>U_;_7fcu5)6;Tj#Ba-%jIbf{do3?g9|>v}+$(Ge_Eo2`n^n-tX3_>C6_#>!N_+zO3DJHN4MJ5x#g>huQ!?QQvQ_x#USFUTgSdi|KG}&XEN9|A?Z&gEW*#jS?*Y@n^ z=TGFfj@#FLwxc_tuUjbKB2z{}<1Lx?N?2@h+^v)9bPf5J4Z3H}rMrETWX*V_JH2{yksWhIR~-woKB2{XDnK%G{9yN4u12!m#YZ_Z>Msqw zvKvZOh<18DC-4pRBFsE#{J!k|lG&GDQ~M6@Ma8z(Y86H@pDpz=*E#&Q)4waJYDb>= z)D4e~VYALXJKVa@QyFio2{}6IvK!S6yC34CUggh4E8RWvrl);pVfm=d%g9sl&=Pyp4 zueqkMi=X60=*8=8%q9AJ!bTi`jV1fyu1(SwlF!bK!w>s16bR@c3gGVNXu4%B*YA^us{`*p*fz5Qh!&W42S-B19C5p~sZkc1D2zV9@8tg7NEh|SslNm2K z1SXTv?QoSHeAFRVrVx&$c+#evzK22-|seo~SlrXJ}4_79a~-lD=NT z>3;zx%|q=WRnR7X8n_b^u_1j{!*)6m!5w!p40mYWvnJ;XV_%qlUpZF!yjIH{N1nYa zM`qC+`<~+4<@9{k#=zCuNmFwNJzUZ!pKEdU$E5)Qc~AKS7FOBjrMEgD^b5a{)#|B8 zU9?!Fdilo?+1y%lqV}s;ZSyr%AG32RPwya!r0c7;84ogiI3~U5?n;pcq*Q({(b9#Y zkUhHkYJ{AjXo^cpF06??kiC4{;+rqXLp3{7@0(T9?Ar`K&K`9{cvP8jR^{cn{pOAQ zc>b~;b3!)1zox=1w(=h7ITX>P|M1DD0!-wiTcl4}agcZ=Hiwi{jW%T;^gPpLq0(%~ zC3Ca=UXXxw0S~kG;;a_20P4;j9W*tItkGk0w|H=ztz|~l=dEv@jQ_E~G>zUWVy+Mr zN4bGAUx46gD!H9WaPcSfO|+EBA9#Bt)W20Zp1+)FlO!~tvG&#mYL|yYJ1ZQsPKwK* zn%!KKOpA>N7+9hTs~J>}b(eGvM_#N8P(NMYx-IEo?6fdypPwrBSqB`k;1}$^NG4i;xTIZ1A-+<^d_T;A>cjOn6`IAS%|sqt!d5&zYDave~b5 ze{U2|K&gg=K*$0t^`jxV(Nj5rKDZ))ZdDt%|lYg8x}K$b0FF1<*AFzl{W?W1f7lNcPCr3 zoo2SOS|(DJ%Qd$3_LW!Lv^bq>Bh-0=YhLI))m00i4(5CIUMekPfqT3G;ZDD;@1&x& z(&wv}jy5;dFI|^3-NyjuC}(}G*2dG3h6>)d{}LzC;$zwSQ#=FiEV+ydo30RdhR0Y@ zH}hX63sF65BW)Yb5zb|Dsbj#)RhegK>dIjy1p28JABH_zadxM%bDD{Gt)4>WJH*0! 
zi#P!Z%?b>MkkQk_TZ)?RZ&*(rhS2?Rb~k&xEFampNNU7EK9!-s>L}r{raSGyKARA1 zXvcepcFLy1bXc@ib=6zzL&?f2X#=jqvOKP6j(6#>%{`V9=-#CGZKoZ5Z~6!JjEPz= zOpW$6qd+l-6r;fq>%i*^Q(%=0;D2_#@fmUwb)>q|V@gJ&-XulxkXoNZS4FN^pEFB) z*-jdASC;ASg{YTOVMc*;+eYg)q+U9HjQ9FSMmjI5%W4`Q*sWuNeezkA>PFM|UHHlz z7|V6d>>-n{Frud}`%xXuZB}@5lDyfw2XTP0HzqyeS-=3#0Pyxb6BZ#|dVR8R1*MS= zit#z^g7?-T0~)Mtmngv_ejvO#M>BywE@@6B>I z_An&r*$j7RN)#M4vz_Mu?xz3xumY-+X)Gz@nZpO2KsvPE{e8!i*lnt*S^Ma08N&;Q zOq-_+Pq00+7Zuseb*@T>0j@>1u8ir3A;v;-ffJAH2EfWIYdq#kPXi}8t zB2AyUGi1YVB9Bkau?D?+TN0|ah`B_Rcfk9)5dYeo`?-DKhK&!-$PnjCd$>ZX7R> zo;3_$JGbWx{|BW!17?#pO&qpXssMGOWTv3_daBVi+jbAplQvQb?boh91j+|XgC|bO zNNK0g<(oJZ)>bG>4;LMgXtXHV44)xCqhR(#m(_^qs!~vL95PEnnpqv!>@)T|BDV%7 zsrjuV<=LX&l^AO^++!k+9+`WZ_Rf#^t3iZ(gNV%a==B@cKi*-t{y~s$821aJz>L?! z?rb=5WDw(%<8{Pql=xxhxnSI&2!$YF{SoCacqeRp7 ze^j<{VMW$C-@G z*_(;tNoDpxEjsXF}D1( z3bLjwFkSb}clHvy>na~yGb5E%on&x6(jjBBDup3=`6t(j1kZiSv3l;|WRnLNEzz&E zIP&RKF35@AR5apYeSX{&jbSetDM<59%8-~2R33>1T!WE%Fm+v!$ebchpzTd6EASsmSu z$?B5i7$(2!8}nSIdo1MU`j77Z!QmNvJ&%MST6s!C()}ux^^!+~-6jC?WD|pl!n0%> zxr@o~3Wd~(T}!pwepD#gDF3p^(|bA^4^4<%qWr0)srS&spO*M<+RwzeH>9RER|p;E zZSv}y3CCFKRwBWhN0OPD>0UX+rc|UUaD3H!5`r`j;EQ!SJ0Vuv$`8>F9}@_Hf8f5m7pKG&|} zsSQ%S@r-Ii&qr15v|T3WrQ>DNgV^03M+8unRkNw`g~Ue1UscL3(y~C>)kK^=a-1|= zb7sx;=(CC(>RfC&#*BHAht8w)*4a9+Bn-Q#PfD@#<~w(Pj2>iCHMsPqR+|nj%DtFigur_{PI#DQ;hmXfqrN848v`Unh04B@utv}rZ0z-*1pmE*!R?dBzK!6 zBf|!uzW85?cq7{SDBNJLwf=dUy!46tersGJAJ=HZ3&l(K(Za9m4Kz1@9Hy6ICF+?` z)(uU665{&&(zt3Qhn0JLe_~PU{e6Q;yvH8rjn1&yeSAuOhBkg5AcrZ^(z{A8E96Cq zbomZk-dS#Y?mRWKkVt9;Qhnq4orrbxZb&&*zJRCOtPY0|RT)yxDR--qIH29lnxArP z&@5^v3ZXgmB-BlX1rA^%TYDR4G*T?*!W$FY!X}N@j-@#;$M(S*mFVgZ z39S_{>*%yXS!1_zyNl9#MB%q<$c-s9@VNjH#@P%i5pujE&va+EHPHrU1cTaA+EFeV z#S%pxzgNuIrv)G2g9-h>za|d z9_U}&sY?ZP0lk}Txy^Q&z0WpmrCzZ2fzl)H&c(2Yw^73f$<3SfLLjE_?irHYCf`Fc zXYVqc*%}v$&^+H9v-$G=8zQ%mwtf2-lvFt&M5a?7NOb~hzE!L`>FO>QahW~W(~Ul# z4!?+#Zt}Ghg48#VI~1M1g0cU6KmUnn#+6e-eEofvsbg#%Z9vDrO%MU?jg-OM0 z5tzYo057kpt4);0(!(oX+_TxaXn95fchP!=zzoOP;37-lZ;7HY2;0JIc3~`J_%ysq 
z=AK((P8hBmGl_S$IqiKh>4^kP_~A(Fy^&0#!QLm2n+k=<%C=`V8jPPl7h_Fb$)VqS z`dn0Xq>pF*t6rI4+|z?9@@940G857}MazRdNLk?{lT=|-iopC|SJ!z^uWr|Sra*u8 zmoA|VnH;RFnkN-xD+7OvARV$-AB&oQl=w4UcQr@ zU_#TZDSVmt-K!we*rR{Q^qQ}&<_(^ZwNg)cQ=f_FPlym?(>z^AdNLqG$OsVc`fEAD z;(&d+AGpiMP_X41H@j~>^jI+k6DF?JNPe1zcBo6{q*dSYyYXOYUxdn@PKlcXVnh{618&IXO(rv)P)bK=kz|>>fc}6_DPj=b5Y{`@OcMk>v=#$2C9Bktni6Xmy?R4kXe}( z;!bZKZtW9FmNC0)p2rr>D!S&5x8Z?y5k^l1L7xFTswBfp*&?B91#Q1(MYenl_MuD} zZNEcT{8aZ&1LM;ZJQ+H)G%k0m8!Xq9>J7G2!7tXql^@t_e?D$UwDZj7yXVA-XSn6P z$nKC3=@S*%%db7k95NFeLZR-Jd(&ZU>-#+wU!y-ExeMQ$X)%c<+nzn3={(G9nc&!* z7HnFL#8R~==PMmP2k~2R6(o;!fa^y2#l+q&S>pDTaBbXd8nqDh-_zQ%@a!wYMrm% zQEB9Gz5xH3r~Q~2_6Qd7obyxU~0%Z>D?b~Z5{r9;rSb?91>ueqDhtNNy^*X_`VRhk5CSwNcRegicYxRwIj z(0Sz=uItQETo?I04+XGWhZt;K8?i4^J&(>Q&ZXQsdQ+}CRjsL$7X#})*^{ybXlTqX zT=dzSSJU$`U&yj74#4^~Tu#HZszl~Gm43-aR3m1qsZ#lPn{iy@! zZlbGI45>o?zF`{%dNZ{0=(pQsmW6DAKX#U&(F4((=f_DS655sXG-nPUHm@(-gMO^9 zZdVH&$PgCtXy1u3;<+4qxWItyKwB*2oVGKUNr97gi^4#+}Gsh0s?hD!8Fe|F3cJaX3EtmMTWw_2eTG}Ha>gN zhnM?WN0;}#lHrH&(-~6bwxo~xigp+?R!o!}vicAl!x0?;jI&!WUmUrW>=j}Q z+4#QRyBDF-9Z}n*o@elB!{7xE2r9MQYW27R8IKE)$ToIR?rF$6I6(I9s{D?1{Yq*Z zA4L0!ONe|tl|QM*D}ye6BZjQ+pvF{^+|KrG@2Kd_$mk7_eLOC;OZ|>=c#3$%2UiU` zxZe9OQ+y#WUG}U~j>hIKUKJ-kg$$_Zebz;1<;4Ord!){9y851MBjTm(6<-fscfNx< z$A`BQIf)2*4Lj5$xev}6_VT^Xu6Z4U;mFtoDI5z{Q95^$jb7Wizn$9L_>=+2degf{$|Bof)Hk;K zj|62n4kNGQMN%>(l3oh=SVuohc_`%s;ujA?g2|l&d@3xmwhIG`zxUxGEOlJl2gFif zrD8k}5|Zym4@oPd_|`UjGglnZf!cqyWOq}Sw-PiGkNYHAJI7X=kJEav!nWLY9uaf_Fuva zzEj^B?VU)Q2$Uxedi#?4nS>!XgB@eb=#;PC39DBgR(w^xCPC)+b+&)=?Z}UP?7dsq zTW3S~-hRI$6P2eb2cM_4N6d3k;3RQawgeC`fo{6zAH5;lNapOxm_)%&v$^={&EnVJ z9;NpNyo|A}B`$j8{XIM(wdHO1mdC2!lPQC5$E%ZGy!Fbkm`mIwts%&@;C8~K>`n=U zuO3fAX`!@&W}KDd>jwdj+fFN3S2~5Ozw1?d(zau3+znqvu4=ndyQX|yz8#_`9?ib~ z;#II^Ch1IFhWOzstHv}rK#oz{!-kl^40*LY<7Ya=l*hIwoPTQU`8FpV&2B##TBbew z@9bfsI)!2pqvdZtWGZ)+%)v}FYmzJ zT`k}gR6w)B_KtQs;cFV1Jd$^$gO)}ak3j3-$&i`NY~ch4zKOHadD@2 zpA8MXZ0DV)?`NNxc^33QWaC_Fk+oCYL!K)=_C^yzV@1^;);si+PRmP 
zjb7I@oxhhCsz*WZ#gaVkBd>71RiiPWS?|70-KG{Fl-vvYnE1t;9dm*P^=I6=<0naT6L?zK=#%vPnBP!QZ(0v})|!+|FUdmm_(kP7 z^T!d#uZo7GgXSzW7u0-0t~&|9u^%r+0OTY%HhF z>Xp_Dyq}C{%@Ae&@}gw3sq1)?nvTa2of*5!sRFYvN^%b$3S-W=s6t^d{Q|@p)73nJ z-2k_}2+yyMpfK=|-;-5ebk(&RImMhH(U!()WqzNcMrPNg?37TKGz}*eJ_WP#W(_e% zAHzdw8lP`-O*>_wK2j0o58Uf_+g20dpQb>X9OLQtRAQ`dDEG)Va)iN`V_6ibr9v!G zL?@N46BP4WVFy1urlnbbcvPQ#5|d%{`87*Ux+&Aq*#FhH%uem2(nqZO@ zcgSIJ>ui-Jfo-IiJYP3r#;0fHoq6+c8yot%n<3BP24}8Em`UPM@apCha)Ptw`seiA zC#c)^NadZ|q}csIbssw9zLLUw<>-`8$&9_ZUR~REKa>3|vN z=XjwU+B)OFm)BiZW8@6EX3c|jMh>EB-iI=K10Hzf!Ui59o|W1M^}ec4B|a=G5&Y)+ z#L+FXsP@^UjVG9=d433gQx~TW4@=ZLf$!oH@0#mV8lyJx? z8{3j-ZUF)i-n%{=3M{56QI8$JHP=Z458vp0yy4iJ^XAv}^!u-}PtK&>@@A~EK#RCE zeye|&A(*6Lv5m!9#`U`$GX#eMFawzXPXqKcT+zOGlk zNbU;Ev#j(R%-`2%fJS0 z_s`p8Z=W*?G&ye`v`v1_ZBu`wi7g$o8ml&+x@4ARV$x0NcE0Jc-N~X1rY9_Iu70k( zh^)`dyqQ}K)GMmXZ+v%fKpb$7i^oOEZO(7>Zop;U=rsDPjY9bb+y{p*!QQyuThk`r zd-M6Y)Ul9`R|>rRAW(X3Sm%ozht&hWjhCy6Ho?{RvwmvWbw{nJZYR-KrS%ucO>D4_ZP=$u7(3x2M8l|CYT*ZIJUHz?tvI5)^NsilX0EQX=K)s+s_Ny^!O%h z+TR@q+TdYU1-a@jN0$-`3X!%DjBBp6_HWLKMgvPEMgEQMTJ|?jzHDTL7fszL7rE13 zSv2o9DtF%>2K4>bH#-vYAbo$EPGZ@m8^k?wz2#$5a)t_~j0K^)9_QX?40%<0UG9Y2 zR+qu|I_vUCfl%lWzV>nw2nCbrldXfI8d)BUo*BolCc31!Z4lK{lD)EK?$YVFD@94| zj@=+ac6-f)|2b5*iC1c>(Px#2i9$#{=07P@dWQ7mhJISDI0-}=U$J%&TSlQSf0AQc zW7yCxzlVuD7I_uctel}2heR1$H~6kcqSHM?bhpcL9JT6CWH8`L(A!H7&+<1)QBUdb zl)l&azVew{GH}RoJe;8d#vsqx5ONn^pBuzpJ<}(24(h(NI?5%wn=2#6w!3ip=9VWW zc~{mMm3u$jJS1M%Q5Rs=UJ*p*zUx9SvBIons?qUeL~^U{A`NEgB$N(5PB*&dxzVNW zHY6vbXE(w3D-U=RbtH{i*qo)fQg8X9;#A#h*#mrGMm*j2+S}IwcBv-~lnc*nY{|Z+ zoFWBTItS|aSOuv8al(vfE4}93@e0v1Jd)5cwsU_$jLo9)O^bY_%f}s6E`8!hi8*Z@qj3=F9dQ!; z(&-i|?D55|A#dRR`*W|k8`P9ONKWLOIB3q@#fy3|>$`DB_8EK5yUlV5648FeH+Tj3 zqC?|k-}nt}o|t#H;2ctKJUHw{N#I<^>c&w5hChonk-3VQyzQAqRm8HB+Adl9`_KvMzD^Asb z7HU3TI~r=8;eVB1yL59%ruP;qE*d?StA3+%+AQJTK>|h6y{(TY%Ova)!jUK{--@<{UGoUgw zJVfH_N;W=`+-13z{z{pJtw-mnU7AI+O=SU_b=(`yS5rhrtpgK#ddJZ%SKb9!12@vN7AS|UwW;)E%(omY~%Z;0PK$qmLryq2jFZamxR-vf>g=)e2VYGOX=`>8 
zA#0-wMmt*EX0s0+tq?zsJ}6=wV4Y_3Ae`PfqCa95G2OI}WSWS7uD5rKZN-?~DQ}LG z=!!_>0^N+G<(Y+9o z{%V{Ck3W@vtlRSnw`I@elO7TFDpPmRL2F*95mx@?*JRz9ZsWL*(<5_b>8a z)=+<{Vncn)u}W8@{tze4VY3>eO~d(bx4Cuca5P8*N;+mNP- zCUDRpx2%ow-ua0$I{Jx;*Qn-=8;!@zx#M5nG^mH>gzRwS;0Z};%-r;BuyNJycq#v< z9^bMHghuS!udPGzx73t0?kMrgYND8YIauK4WQ`zCA~O&Alt}bdp4h9X)>F&x^lhPn z9?s8RYlA{Ywh~kG5!-Y5+%p(^nc)q&hlA6Nc+T()Jp#F#+~PvaPuWRS$ej=J*}`Va z?cFL2`KJ3-NIdS>yRs&#e7K%?Oee3E@}Z0x z4-kMLDNL6JG&BBPYNY6B_k@bc$!ZbSh7Il>aePS1#v9b)Ck2zGnU9?6S2+0n-Fc6} zEb9)LEKLtiVi%NR#ff?no?*H??SCPt*|$v@fBpGJ6(RvVD9{ z)hzm5;PJzPjUiGW*i!0@Je$VFQ>V3ahA!9bpp<7;+)n(eiue}Q9m=NY(MCz4;Y0 zG)RM#G}4{YT{F@-bPjc1+y9-?VYhYPsNeZK0`gRfTJQob zeDoBLs?*uhbxa+p^E5>`@t3_5e&|FZy@gjL3UOgA@ErQ(|Ah+`Y2<3G`RAemhv>j@ zMH`pj%6of#{gxIJF#OtS$?F7{;WwkW#qS$t(9k8t2(&EhuM4o&;bocEbvB&7Xj?JM) zo}&g*yrNit>$dp`mfs2CtI)g(zq*pRTTXctK#o!t2r{e&lLLd4?l=Y5e2Y@ehSa`&81P z@=6-%PyS(Zp-5G;02*yQ3{CrBk(*F+5q+Q}BYMPc1kVXF^k1Fh$e4bp6{)OP1 zdP6;m)N@^DQ~8OVy!}ZeDDo@LbB;HRd~>n%H_bE zM*C*&PyUurC%C4!UK1Kzj`Ih4mt-?ER`LeMNZWmtx(Yq|?#mbUsz;h<>0FATu_~r^ zvv9dzUB6}^6g%vU)Y;0LZiE4kp5{a3T%`ta#m7Pt!h&Pr55;{E(Wg8zC-Y{|s$*GN<=4{cg5T33KS&AN^!+DVA>dt@Xec~q$9+HK;O zIe9#HyoB05X90MC9(ASkx>*1!@19eQ%m7gNx4qSf;b32&{~DUn^%zjwZuJg~xRzqh zA#pKxUbIvO)yFJ{&AactI-%NG?i%6 zVCDcm-J9Da^XgDW0A3(*(@>9D%C(6H5V9_knR9>zKq`RA4uBLheSz#do|5SIb_gS- z<&GrdI5&luius1y?@qV%_WJF(7~jQxp8VwaABbhEPPL(tj_W0E4FFx1pBSMch97PR`Nit-`1cVxZ0?>t z?s|lL8Z%5HM`tcqlZfFVG|pS-*S6!aEKKbgMl_kG6*!vlZlb;3WT@2qhaxSF5Q!#SwCao2n0l&}+! 
zxg3O+>5YS`aJOv`L7h+*a&r-H)j7W-FAj6ZBnP01s@}i;u958r)$@}q)HzW~I4644 zlF-REw5jaD3Y}Y zeco)oPQjL3fnn;1*}Q6Sc-vm}wcP&*9|kY6^Ye0?vWXAGy;~GxYr0zrNaAUk5bZnk zqfwsQ>YmuO>VXqj^PJt*U|8H(ApSy z8tXrO{Z^B?dRR*j9Oh#AsjVj<<7lHIUy+UJ%@biV^6o^vAzg5nE18v_M;19cJmJrk zJ6;Fy7c<1yh^Pf@1i{FUfdCvB@jJj>A{#T^7R}|`B$o%+Bko(fiT~>}(7w_n1Q8vi zQ*jN~>nxmBTwv}jJ+xg~6m<8iTWT7x==270m2*l<#Z1L-A%A}7WC*Cn2dOuS-mA*j z?wK-I0K)+2;FCuuXLLgl836tA)YSfLcm!NXMyQQWO*%&IDC3TvRXvER20%wuW`gm< z<(l1+>Z3yGQgool+YVO;3SNiSd$>L7WZ4G~&|(Y=U=Ta~p5wHYJ>6s>w6W-g{^60S zO(1u7cbf#EHc%7t)g)z>Gaw?OCp{EMku;^b*a@4KM zR%-fP{#*^JGO#^^yJKAR9$Q?w$I2BdRS#Z%00IO@Hw*OuJ#t|%$B$if5(wqbcriJa zQ>^IxXM!O?gHgGM1jjHmhV9*J;%jY7gJ2byE9Q)YZqgh*A!zz?hKnIVRL@`?8QE{q z3U{i$95~)(&bj}U6$0U{0#*iS#AR>;CorD|N68C}%?2JUmit#!ER)v`b2vya@3{N4 z+B@m{9THW}Nuw`6bhoh0zExw@f|(5^tM=A5ZWCP7h^oNKTVZaUovf{8pEHpASqMKc z8!y@6=nF+$nZ1n7=b91KV0G(c@ru?2PNz5&kt6;n_bW0<{CcAhCV|d`bT;Js}6$bka)K8vvv(v@uZ{0T1?g+e!N*_IUxdw@zf`!18GN z!R~te@7ZUzV#Mni6Rcne`Tdhl1Lq|uH3s?lV&OfOOTd*$a{vOZ&(~vyt#IWQm7^E7 zf8eW!mfLbcx3KQ-0xux~;^v&wHjJ3#k=NBM3=_G9njX3WtauIxW%vg-3RIkLNNP67j4 z;kkXOZko&W!?g|*pREpECi<^pd+JZa^W6u4R|yiE4e;)chbNvK048lVF7=~-$Ewuv5TzlEx!Och{TR|(a5uo*Pp7| zW9GlPxj-oGNsz0|-E@y-ZIJzY2ilVNq2outotaqV6A!pFB87hc!o zvYD1cPBQ6!w!QNvBC?7?f{{G)u^EN4B1AIXtNW0(`~#y0XKBxa*;dz4JWk7z>k=_2 zb?R%i(%I(q+Uyr`d=2mTti}So9%nI)FPPr`C=AQjMiwA#&!>OuNst=hI%#yP(K#Rl zw#d{hsF8oH?+cBU48w+@eu7n}ie_S`ML5#_-HD%UPzW9>W7`fv_V%wVPuR`3CTF13 zqeEZPYVLoBdzd2-a5!-| zHSX5$;!;kafkda5J!;5rc1NEclvNh~W3h{^D^3I|9_xFx)WPDhzD)>8$D(w+RjJ%j z=SbRlkhmg*2->%heM#HZkj$OGp{J!FK~TP%ZJ0&hybff`S)(Vj7_<-VhD=rCx8osw z&~t0~Ep0x;pHn_H%T`%)<6eQOVX#hH{7I$!4#o-Rzz1`gO3$#hnDp_l{Pd|ne;O4^ zjmJ+NFu7wQwY`*L)ajIYOT^x^2cjLP6M8ef%O55@kf+w2q?oxb;6f#T>JpqNkIjSk zTF7+0ys`>8nUFthzrQa^l|C##kI(PAJfhQkpDAf-C0yo|&cJ`se-|f_7z7aSTgTTl zreUqigdZ*t9fF9umnwhUXalSWL47FS#UhA)2{;&Ytj4%!07rviy7Qq0v4n~lQP-fr z44LrGYV!yJxJuc#+V^xKjU8XvAgw6IRDpfSf6zW^O))c6oq>_+r8{M4luu}~f|1s5 zs*y<5Tpcuf6Oy)LeWk4BcQZm+nA>DwQvWZk8(Li#r3I}BB|2t)En{$e>ZMlJBnkxb 
z;`&3;Y4NyY?ys|BU4`&?4zt{O=myQ7BuJU;$26lU(7a*D7`8t$#$sl6nwb1kxhVi% z`>Tv^P-!j|&9?t1gizkkxDchqX+f>n#?#q7LWe6}TkpmEj{C(my|n5Rt3+CmG-HZ% z^bi3!#|cP&)MaVS*Ds%IfqT>;l~e2*bQAKG2}xW-m%IR+Y(2P-?Y;c0BZv_wOcsFC zu8+hIHkBvNmV1*a_3e)=jVv|V(fzi-^}Q=n5~?RdxbT2?QT;%d`uw8;|80;c|< zIYhZO^)mu67s0#An?;t^cldY_)p`uR?%hMttSRTZrb!9a9?%kBGH7gdQ!6=@pO34E zVZ~LQ&)xi*I!8pl@a30M3uZ`Foat{MDaD!?o|NcAr}}p%DI+9_4$_MH*GH|pzZ8sL zVqq}pg%qt4#(FmqrjSyr7#DImX)U6u;&d|Rh#3l}@lsD*Z>Zm&@Woxrh=GcZOooTk z7t1{fBENIal~x~tVvj24yLfbQ3-!@sQ0V>XpV_!5cd_gfy0NMC3Q#ZcVElcUQ|U2M z4HsQ^f)a#tdyU2dno!G{0ZZljL5S6e#R8F`>bUY}M_D)Ss&!{ig|hHgKb;1)fQp;C zrVnERA-@?0Uw|HE-9^kLJ&n6%ZNQUdLYA`oalII z4ud|8wk@!f?%qGNjF#x^GOXtX!yS1F)A%5M2agcUf&CExWHjRdS3;&oozSzJ|26zf zrz2|>;B$pPmwNF&UWl>(8a`k>sP)OMyLOfsz{tOnEbLYvXFQSi&1_YIjqENqUN3}Y zAeE{QdpxbXB|MgGl6XW!j~MI!=HdXer!W7){{Y=~5O=g56vKk$0-m>W?vv%-bVo@5 zdJ0p~F#n_gJE+svTDt`U(+4d@J-svykjj}pLeo_v06G%yPEi~%%swt47?pZuBjMGB z=G38td;3a*vS6&ELX_}Zz-ha4A4S_`n1D&v=1s~~F~jFa90wu66Zr(C!A0L*6!k8> zcQZeRH=7n4ylJJ90`LxCO>Sx#T5ACeVkciJFA^Uon~+sI@kgSfaPBdY3Ou6 zq#mgK5r6!W^*fa%z{VV^?}0nWm3?Mn@`%FczSBXr7rmHf+U$v8I-2*?{im!-itWsq1OD~Lf zJBxQ}YNBPh&N*^&Q#vnkDvXLRhY^RlF1P^|?S2x6F)Cd-_2`4A07?oWZGdi0F(%FA z_cXAX^sp_rZa^p|I@(Z%g(KfhtODiZ$C{^}1|KzhM*vP47~6g-GD)klHg0{I`_k`U zF#+X(@n7VpOfZ9o<|X9oQ0nV1>V){qMDcVVk$^B_>sx2ndhl;~j#6HNNrQU7p5&y} z54|Zgl0VrYC&I7Z+TRS+Zy@APdst@`+7Rvw0`HVriS&J}b_YD2lqeYn`&F}b6naKb zG9CjX7=zPdvH)ZUlAaV}8_NnO^4|5axBdp2Ko??^;>f%Ec&40psCTHOi}4p7X%X2| z?+i-shL_UerR8eG| z(WlhK&5_DWLwi79Yw9}l$sJWMf2H=Piqx{!r6C@sp!Stq#z`z}-E4t2=a1ita8zrk9zEgli%~6f1a+&$2t33B&xT* zx%>=W1{DTr82)dyS9+{rfr7JD%Th^Fq<0FCFG!wm5H6~OYzxNHxt+h?69(h!Wj;H? 
zLDB}>d~O||DrgmqpugPljMEv^WiQdO)q=$YuzVh~+|9Uic8J$(txobs*&4aUUndRE zXDFk|VH7?nn&Se(V)ziRcqLu8y19{TdAT%|) zcr1e?WJ*eq?%0^z7a1$8jajbHzraB8EnxMrgyIr3XVUz%cp6_2dq#OBu7jld6rsVI?&x z_V!daF3;C8NbQ>~^U7n_X7MMtxFhs2KZO6^BY zf86quFj7B?cBdTciEN~M(y+YWNRHv%-@{nt3FSwGsN2`n=-xQCBseK1mU962bI23p zRrjuvlOQg;ZYH~TO}XJRkXGMW=@sw%mrX5xd4lgAfB`HDgnNwuLfYV)*BcETT};>R z06_jdhZwJ4^BuRG+11T<+Bz=37zAFtI*+(7vN0qe8F6vSC$utj4kOX5!4mK9T$osY zxdTLPaZyc@mgh~e zwctJzTS3)>1cRk^u~m?vH;}m9o3s1Vqu|A@;BgwTBt12rgqZhV8Q(jR*=S!YzEDrw zGV7ahl@iLqMtDMoLf4+T(9Q7U!EY$RF4jH+js7CV1qdgRrsqPgc!X2hhrDxoKVZqI zAL>`q5qNOFfU*^;za>8I-fw{;&d*9ulKFf+4_ZT#t1UyzHx_lZS&a<{$+_KR)JIIsgN z)cg;1sq3@;j-@9c!q1V}0{G zM2%t@Z^tv4lJC|}1=6{K_+@HWDm-6s`(z*!-Em>+0E8E+;-+anYI+`8T>R}r6_{&kF;HRgf`j|ehiKDtt^h#6JSY7wcPqV4M^UcX>u_m-;UQ7HPyv%yqamj_9JN#-CqgLGMG}Vu6AF+njDsJ{v3<0)nJGjAZ|8PAtCbMq&8Im4gdxl zPpDkb2DqA#5z=|CwtF`m8oS_so0{L&958jjRFzO;Y4b<7T-Xl61esvhxi>WWciY(f z57H84eC%~DnFy+a-PESR4>idQ$K@?!*R~gz&x&@_g(92^9fH>C3gq&t{Y{xws4v79 zv@q&2X|0@3#4 zZ{9C6m4`j~hvgo92440+%t5lmW61It-Uwvzyvvex-gM#5%+CUN9npAWH|-goZ|km| ziD9)s7f3K@d*NJI1_0Cj8YOsUOzSdx2UI{5c&4a$_AsEEHbuXIJz6Kb4((u=;rR<5 zCNQ4IIRfS?p(uHp#|5kl63E`SQXzBjfnZqh%WnX*%6^`cM|Iy%mjl+;3_j&(0uYcH z08#;RL=O2CK6d|X1phxAD8S&xm=?oC+5>K?AHiuYP(H$_-(Zg za>S&rQ8)EaC~IQn#qUg0W_@nnU)Zi@-srl;eSy7ZW8U--R-O2n?AsP^;HiJkGA{or zdQ|L$m>|9c=Nd+j4^N;W>UTNG=vF~L6f_}A9-+(?K_Lsf7&kkw$bAlD$KL@`sBqA? 
z4EN_emdMG-#%aXU9H_sZkhX?&4tOvoXd5y1OdR;MT8J&Ht}@b6Kh?h)8x)c;%1O^I z4md~5s$>capHoxoR_fQ)#N6!*!pr(fHiyJ5#BQ}Z0tKyGblYrCHkq|;gK?7&{U3&e zsNNC)g9}bX7w;Yd_8WK#v?}7?28+^}1kUWp z>e|rlSno$*yp^x>W=L;W%c;;;2$#qRmu9G6wbW@d*Q=?>B3M8Em1idCh(2fC{+D=(RCz3d05b8Sr>vp0iL9?JQK@Rv2B3ZK1_^Y4QD z*+y&+zWBAvg)Qe;=x4*Y%K=-TG-SF{-?iP6W4nE4n>q>4Up8ujrP!*%lKU$xharPM1(z47p5{Y5X;I`db0g+mF^o$7WBP-=m6AQ#^ZtI1qYiKhclM767+x%-9Z zSmApY2`5V<$NGxV!3@sP%eYKF$fyL~hRY(?hd-i>>FKKOZDJ+H?}-=_;GeRc>OsHw zqdB_jBcuc!Qngy^KWMWK3&Jm$Hk1p3hdyVURhqvilvi+`0lU;8Kifh=q!+E5iGL)8 z_}WN2HFzD?=1iInD0Ni_OCvR_(}>8t-Il+qSqO?rt!YqYeTp#2pPFQ-GMD|{8LA-} zps%7zQWSOd1&_i#<*hei!RijbysaUGM_9hzM^xu#@!_tAgKv&zND7kLDIeh5)gCh0 z#igbR%F!uM+7#dov?G&jur`+X7)im{S(Ht7ib|PId%;K6RpCr)*s|r;qpJy+hjk*n z*NPrx96&dgDE^k&wP{7&d4yoZUvd0xcC~N1wDr5sDeNwDBTYwez{>hgV~9`8B_O%# zZue`ekXX4HRl~KPWhUq5mU2RjkN9`Xn7ze}bsN+iv76(qjxvwFzX?h2u^m(FUU5i2 z<|+04#{5^nh4Kp-Qs1PQhWp|oHi>?^&e-5v#8C><4c4HLLbLD+B^UH3DAhBT{Vp+%FP*es6gkBPtf>~e_Rt?RP$z>Hwa3*W zqN{)Y&kLZO8~cV9QZuvI7beckvZ}mbu8v0Uz`-8;wnlAb011)dHHq&hfH8UGtGYib z_>%@QBld|lGr*K?kFS!u&Tr_;94zzqq;df%Tjz-q@$%{^KUx64J7^sSJrkvzjm==9 z-a56p0G8G03Ga;F--3fCur5V~l8gswAg(Ug5$08;>f*M)avs&Lul>Lq6D+ww|O;JUPtl%WU$j^LFu7Qjkc>IwT5ONDfniL)vWFr5^PPDke+)@A9_HjT8pSzFkA9eQ)__otEQGH#JchN> zH{O)-`nki^+KEzt?n@bn;b{yk%Fp^H?cuU@?(j6h=weTP%lAxUwl}=;!+D>Q^5nj= zUsJp=d@t~Rzb}hl#6Y=}OEbkam4)5ayZkO~V}Z#=N|mi4!%d>Ze`$I&N^%#b{0nn1Gl!%S-Z z2RP?mB#KCv0St9pPcx7sR40yC3UhZ6-;K)-k|&yfT!u|B6JQ;Y&3x!F`ywjhh4j{2 zxn)=vA`q)bR3m8$H(1P`R6n4+v~XhVFv(RE&osB`kaw0h*v3=YT%Irg<1DLu_fUFM z_7S!FlRqvVj32atVEv-|e{|X`F%%%2swk+WFga6kBb7|nrP6|7o}!AdHhE;ns9q2r zJ5W2AQ%=)-@2Q`3$39=CdE~{oG~X~ll;acLfhCVw-!=p0n&03;4%9RM@2abD5gy0O z1Em!rC;;CD2QMtjk}SU*BS{1>f>B+Hx9|Un67GzDS1cc`V;myBIRy!GX4Q0w&PSOH z4C41cl2N|@$SA;>^X}P)!geeAW?G!u0{Guj_%QwkRi*kZ*^~g7M94v-X)E_X z7a@RfY}WEXIdXZE<++2GGrOVro0iY{`8u!<rcqQB7XiPfG?5P(E>_3z z8s|^xk10{g?Z4wulplZ(oCLjFE1fj24%O%^>rc`rY|RbHvIVf!PZ=@SMa+T~w->N%3OK9A-z>Ga;L=nf zQ2l@DOrYuN+~{ZbPZWcY+^mZwEH%HEb;Ly&CC?n+wzvRDM6j=M(CVM}#PDBnAX-`< 
zi9E&vUj+0JI%OXKSPO8~|A`N|PB+_?wlgMtDX|_p^l(0F*8emTpjjd&`ky_gFV*I% zo7;l`??IE2m0>j)iu?IZ1pR!$Vsp}fie2BVsnel@f1*RHMZJi){I2yCC&y^iV(kd@ zr*C*>RlHy6eu4HkH#uMhs2Ay8Eyh`nPU=|%hy^x4ZX{NJ!ng1Y0>BGYRRE-lcu~Db zKAlkmw9{$>K47oee5oS)#@>5#0Lc-BvqtTI*m4^BSg*40rUq0aqIPzT83Ofgo`)_H zgDxV>qQpA`?~|}QLVPw_lyuFKjKwn$H%8FoKzhgsfRV2CZ}O`)msP8<8)u_W^}zsL zXGQRD=J+q2s-j+*bUla7p@IOpvz#U-U~F_7)m-X!`dakrTtx;8BXitEd~6FY!#2A0xuU!{NC%uwA-$s@GUgP1WuJ(wAw z+9s7XvlR9V5x{mOKd@y=bE`oC8+fn4$%;17isB8etuEb!O?@fwYG8)tPi`UWLJ9Su z-Z@~(7v}T6sreKri6o$|-K-7zYK_Y2_1?{12@#B}8OaWun5DLTQJe6vr8$m3UL`^` z`Ugl-^WeqOCtpe4O*BCP#^e|2RRH(_Rsw~prRs2@*mecEVM)D^=I9cU+NCCKAC1&O zz>IE9zs}`-RvB<|lkY0&3RVLeKF;l6Ri*VCjdT$&#sn`0W{X;*pot(K5^-j6yT}{8 zXUGF<@R`H3OJX46u4D~ZD-in+0C9eTs8jKYm?1*c38Qc4Jk&M%cUP4BUG(bB{y(f7 ziNI5;D58;F@^diMib3>iO1Fa(J(o%+|M;YDnhr=$`#sreS(&c*wQD+HSY2~tcPXTS zz56lkhI8)=iU=+GGk@B{H|p)=bf$D_bRv;vk=8aBL54(3zM7~HOn9&H_~h*%`@nvL z1o$=NZcG&|r9Un-U)3I4r4=3B5smC7O%QHa|5PurCHrwS@cB1e?Oq}lTGSSAPn4NX z71alK8SxYd4ieo!v2SeG4m;XJFgs?1NcgnG+MY?awc>c^E`3V7u!s7vOTC@m(Rg(9 z+yOEw$?-Mt)dt_&BI*?9T^H{~uIj0!ex3Jo{aqTiLtNC3k!Mj>%HB3&wzBQCr_Bln zVJvzsVyiqu{#>hoe6pJX$)dTp*52NO>h>;d?S|67=0i}?J?ud&GrU=Uw2tp5$3fQ; zHsx;?N1_UzsSHqjwzB=qeKSDfw`B79ig$ld;Frqqa}c#^%HBOy_qSc%>c5 zpn%m;&0Id3KkYqJ*+E=U(n2Ula${8g8=rVg>H`CyX?2xzJ#&S*pZoYpGp0K)0mo26 z19^5Bi(%no$~@;USU_><^88_Cq%(ff_-590Qbp{W(xm~P>FAi~bh7H^Z)HIS2xeW3v{PNwOTCe@5y_*v=Ptj||bL;b`9|lz0MY z05qxJPAcTd1i0@x(}W^(e8zF!6W4ETal^jm@f4>8N>X8Si_ng=XJl{aS~SDuRu#NL!8u4>t&?gw>b9Ar!KS? 
z&s$7z{uPH;rR&uGOMd-&CT(J6Ls+>)K-4*W^_ zj&Pg*(;s$&taD(;-(0%GF<2Q z1w8*of4=9%sUBggXaSWQOUMVdzTT`%vB#o#e3V%&)tU&ut&$$vzLPT2214_G=x)@+s=&@RU#(Q%Zu+!`_ciFS|R- z0N^n$wkz?-br_IBOsq1`$pJO1QJLv$6N$w8_mUpxhsClS*gX?2_~7t;oBhQ!fHB}um0kUREtwF2$7wWWCR8jOMXuQowgp%_ zz1eKCVY&F3k{?sb?d^PHx;b(uef}%<7C~{4Zm@sz3)Q&5KPsbmOpgw_f&a?I94eS{ zPT~1OKkhXEp+Gl(lMK7MsPh(fcOz|8fy)?`M%98EZ{_>!t5DlhyNY*jh5Z*@`2LQb zGMaU=J7F^>1&DemT;0v|vG;^nY?)b4XM~+Qx&2`y_1;$&uHScAiO5(NxVxl*D3>Ru zSw3QT)qh;zE-4s4n+`DHJ8ZyK+g69tw3ox!E`9_IVv=o;?<_`eTs+%uyr2an(Y^9DHVWWHOP%T4V^y8o<< zPP|(oLF$?{4_EXOEY`#Bi4%KVL1`qq3l3Ai=-yhJbuiee1Gbh1rD?U|wJ<@Z0)R!? z+XT*&*p?2xa}O#@YX+VjH*H_HwDrIBrfMbsI@Nn&UroSQ-oVZ(;MEJxW{NwkOZL~i za=KPb_16>t>jw-mW@jaN3`bT3?3p=X4DrO++_Rg?Kloh&P$0cJ62oHYIwF*+nDG&N zLj}Y0)nJeh-8ZL9+QDHy&DVm$DrZ|v6KUJ>o>@aGoH zF?^n=@&_@WS!71(*p@b^g^7ne7CMuhdOK^*wvo#BA2hEbmb?lx zli$A}>VCphwf}`w{>ztAjI|VHdHm;3dL}gpIWv$47%OYCb z%OVv42e?*^yVE5VP|exd!)X>02**b;ux|Q8-yBF^XXJI1h=jUW-b z!u60$vxNNStsMB(9<#>#DP5+acOJf`&lILGc4x5>0Lv@1#7G;4M_4wX4WkUvLa;v zwh^A_h6etb5cwXAlK}mJm#0HA9hGR|2=fmyksLn5A^7Kyk?KOrp>iFU+dlVXcec zJb`_~ecLSMryn#aP{pY{PYhJxkS^C9}Ex0tJ*@y6)Z4 z7)Kf$quriM+f4y zo9VuQFLHXHS-RYo+WP>w;9`!=)%SQPy3^ba>LKDW!JBK(FQ>WMm>#@`o&LGa6B zh!}oTY1X&euom6LJF8D%yY{!^>-KB~H8F=_B#8aD)TzIPm6hF-7}wV-_y{@|6^G=yKkOXMcadH(0sn)9et*6g?SVslZhvk>YUmk$)J<=??V}?4<5}0wDduDm=D(P+zB`%uE+g;I zKoHgrk;|p89#AhdfWV#zeG!|ll*VVXVhaX?$#$|oo!!CfVbQm@zEOW)sO`Yo+BOrp zSW3P%;1$3AA{7+ex#EhS^Q{99O#4Oh(v54nSc5TYd)whf?A}aS+U8SQQ`tQ0_5Rp~ zhx?ma?=z8sA6&AOZkqkoQWjz8cxtq!B*WEb6CjS@Wm-x%uU@{xhBX|xkBBQrtchoQ z1vCYhclgG{Q^Bhvqk`9!7aYeq5OxoaNF9^jOWZwK^;0E3u5S8KQ!N+EtGvrN`2*Nh zZZ|u=hHJdYXh(ohfsp}Z>G{r&_ON>szEJ14_rmC_ z!y;Kh0`}P!=SA0;}K)ZX8wS%>DlH*NIaZHG=n%=uV^+$GRSSU8Rewf zi?C_Lxh?;UHA^G%ePS~M?!C&W;7t>YZ{z6iglL4dV(D`k*(M|{>|GXWY&`GIXC+DL z;#ifMZLL~!m|j;A!kL5&j2JIf8hNQ=R3+!diI{u{pTflDVc*?gTb$JHG;Rtttc6(0 z+#+yxCId-`XtruTCRziOfBCg?)*h_+#kAhj=Ih0S3d-u{6ye-R+Px3Pv)m%JUZA$^ z``Fs7pnk&ItQi~h_m%}dceP(e z`lDrqee*kaTz5yN>M7;lImAmh-eyTYkYrYHhFLh({>PVu@P;7vz#PV&;+#eWbDNi% 
z7Vg7nA4Vz{l;1#rig!f?zj^Q^+a7Jm7RephQRUh>CicwuWDdtP=dt-#^GDG7?MGyP zYI$>JcX!Sf|D%+s+-L0KI|tYTXVWE2g->wX&^mjgE^#aFp4^DhjcSPdFFcj35#uoU z0Bw!fjv<(kgbRATH=eDNKI1TaNmN%>_LA2JbIv_uY%9<~i)TS;Ls|qL121lYgd;ILdOxFL>Z>4VL3&zQZCt=s3Dspo&gZO>m33r^G3Rw@pMlf(S5((|u!DdVUG zhe|Xw(%Ei}eM9!6aZm<47TRZFbf6fcS`j1Qz2?KzIp#zG1v|4>rQtn)0zFTDxiO#cLQ|u@CZBN03P)8S`@@xd z0!J3H_k7%PHua}_PTJDnFxe@LWv7#EQBpDOhMM!!6ju_hjZs-_UyfhKw|`B#hBCrW zEH5Vo3BZj8A1?FzmHq>VB7ayep3#WA#J=el-P;|k6RA?(_K%mnSoP@IYR}BuzOV=U z13#X==aTY)pul??sb7Kas~sxh=wHUaHyu!awMR+sB7mxj3AAz{=qGK@#tS4H1J0Y{ z_RsZSDx}h@%@v0zf%StPjK!}k+XYhYfsVZI55~G)rTR-jWSYGq zh5TLQYcsFNREWWEythkRRTD{QaF(MhxK(E*J2H3=AKrK_Nu;mF=`1Uw%auw8lE7M% z*aGk^q#$3kGa?Qpqt=8>wkBITW%5_puvFI?#7Uu>D`%F_dy52TPdMfzAI`%C#syvq zrr}P;w^uFI55x%<;~+=uI{43HtHttm#u?$4VR-~9g=#WYnPngRV=)*&-lk72-dU== zaQj=D=-tlNvvm8&>IoZvSU#$ zUdk-ieRlzMv~?g}arU8JmI3XPS6*NGPo+p=Gw7=??964`Lhap}viVXo^bKwXbuvXO zu20@V{wx&6zHMAc&j@S1+_VmgY^~T;CwdFUHy#Yj97BcXoek&~jD@n4IqRA0yC!WI zCi)6sY%B(FvWVTt$?rrNUU1E0ScKQ2AFY4+1O&+#CC&5-g<|ug=iaTUYupH29JkE* zas+SBw~^ua<9-X!`|Nk9{rz>ERkM4`9PYQ)ENVn}sJb@^1L$Hr+OTT`3&j9)(S4e> zz0TmXN~sqYzPymjuX(0W@47)b!bE{8LV-PN%D@)!`InFp)hfXfYpRkOA*5jRKjGy7cAI;*?+y zS!f`8A=RNG(k$ld@77g>?o4H`gHnXw^DA2y#U?yeIlu@O;J1y<_KH-L$fTA05j)95 zS?E5{dpU$-IvQQ2a7imsP{F(B1BLTH6Kh#uAnGclbt}abm`8W6i=^w^n=`s zHAiaWNjyFNZ`t69+LB3~j43T-(s_@EhP?wj_CLJq!q zV|5-*QUj2~N}rMb-t&vD@4VF?teO3SKG~RZ`SpHd=p72sRn{Krn74r+-QlmcBzrb0Kz8E}S($Fm zU}DGg3}_b8{eCC%=TrgG^^H`6aF8{-ZHAHwrv{)1Vm7fP^2Xmxd0`V2I)oj zLQ)pp-Klg*cY`#@q8lU^Al*m_(%sEB@xGt;dG{XQ*kkM;{9p{2b6(dx<2aA=IIsDN z5At3#UeozU4P8gafmxb8XVHXpL@Gr5(`{N7__*RVR-^aH?!IY8=#)n`?zcy}O)o3G z#HZ$>M#2%%L<(|}IEad4KOyU>P*@=h5kn8XQo-OkpEW9I`l1cokgi-tp%?hdtFj}&2F+< zF?;o<;%!YSQ+siab0X|s5lg&z?8l#U&|rYXnG#3Khhco(Q&v$wV<~e5#qZ$jyEyH% zJAru}R)7c*sYwX#3oz!q5qrr+4AsP|&)f;Jlt1ILg#U@1*AOg8r*@2J0gmpQDrrj> zi_|ES7Y#;4zt=i!iK^wpKx&eTpROqldm95{qJPg6Lk|}%Z?*S0YwI75uB9MoF#|nXL4IhmUC~yn_s^^Ns>yAus>OV^LYx$D}D(TVuH#dtP zh!3eg#qs7M>i}FPNh|B*Y7LgxdDqRY%YFTP+$zc+v>fAFJ5FfG6bqiB?)Y4}NdvjZ 
z_l`HJ?Jy?KD6x1yOTux|>QVMHD!X=5XJJ$0s85DkX|eB*MwBxJJp~FE?P=KN96Bcp zo5K}d3Pw&i=%J3ounmtAGELSk%4t>6<>kbzW5ovZM`yR^oCSer%LnoMpZW^DmMt>@ zpvxu_7d`LYSd(VqS?CGhj*d*noUxS~it05R!)=w{B{Om+l9m79rbhNtVCq>Zq0zbO zOr>qln_CuXC(Ab9`<4Lshie7+pT!z%< zvD^#;l?i8u>5@Y&YJTPP8Rw`rv1ky#*n8J-mew1)T`ds*qYSSAd;}YmTR#AQT=*v70p+B z?qy-QGSrt4dF+FeR=M$T4fW2TNrHLcWMutRZx|YpH$}3g{ImPp#9Q*-viSq5wn09c zj+&LU&tm)^n~4GlG23HomWm@0qeFuCVe9Gc*l1{IZ`=&&nJ;Fm%{fPf)AK=)coWgC z9p1FCjn1{b#{KT?@>cRSK#}SVhiC6Ui0->1DR6j(f=~EYp3d^1hkte4o_t1^?n3oV zKBKHU|9mZ~N@ieG9K204Zuoh?{6ZDju+4o`Ew|;u%wf3F)+jShu zZZVp{8u`ANylr>wgtPh|w#2`887F_`AP{{hS}s1l_gQ~HeyhH<(_&A- z2#3=<7Y@(bmpY-@){Dil;b6AL#Jl=#vD&O|F`4**1BWZ|h2Woa)t1mRGYOU%&KYiP znEX|!53~Gg^6X-TpT$S(A(xV-Bv19$4YjYHbl2GyE^0VEH6rmUK6X#5GCdw)eiu-? zPo2(D{8nIG%w4(ckM{-xyPf)rr%Zg9F-TF}ai~9AEOZ!d*#G@jM1|{!H>WmeYnwbD zDB{(4J|p_-WsG1_bRwegAh7md4$-aJ=(;MO;U&~#=uaz?hnI}BTVfc+%hn67TzR=p9t#-OR3*NHg~Ttr`hu4 zRd`Kq$60povUCMYRnqrL>q~uUb2h)%&)$!T-QTafN18eAXmPT9Lj%Qt*auQs*wV%; z&F7rDHPmK0D279k2@_KT;RC~$5}Q@JrmRNtRRn6EwtLo; z;koX9z2-UlIHUZmJOZoXBhB)3X%2Wr>g8pwCIc<(9kIPQAgztXR_~yaM9=)G(hx8i zpUaz7VXEJ-o=Q=2dTD|zcSH$!rg;olkvkqa^WYmwV=hDMdHE%yYy3bYbQF&>>_(jl z>~@CZArKhNhQiG^F8bMO^0xKy>!*U^g}*DYzlUFQ^O3To^lC;TODsoumwh<&J?b?` z6xn4`z&cv5wXHWsG{QD}{O=P>g`lch9;;92ayQ#9DyPIcUnK$O#8NP%?E}H+Lcq5^M^vepHvH0qq{A55JU)+q3hJi z-?ZeBP*{ann&TKOvwNFZIyN^5Xr{*-=9T(Yl+i(c)787s9rRv}(4O2gHx-2z#m9v2 zDiX+4K$5Y;_JxvWzU)*JNX4t@xt1z2bqy_MKkg1_0=SJIZuM_T(ggyfHN|b!DzVtv zQyc=6n9ttgIQ`JIC@?KHIlN})fajJU5wBuPIHg2PbJWX^CveVK4oV!Z?JIiOu(Cy% zMO2mWylc92FZDQkvc9r3ltIPZ$if!M|Kc$sCKrV>IV~hwJ4M0Eq`Z`$k{G%rFs+sm ztvxMW5RE~$;z?~S@mM}O?>s-};xiGYySdG#4J>0AH-+{rxIsN)r`BccJUPv1+&ZFa z2e`?mdnw-x|BSt+nl_A!SGCgqs-?R^cuwGz%ckk6rO;Z}XW_Hmy#5eN_c$=(RUm2< zs3~X$zpJPDIu`idq!rrsX;R7JoLs%9!1P}h%iy(k%S}Q*w5R4awYQim zCRu9g-_pN{Gv67gk6&A}J)ZltY2H{R=w?4BIDK|Z&8-ThV8kTXvhgeChvS*kRj(U}g$)N+Oo42@0i)kV+Db(^2R-Z}4w#Fj&20!VwfIFFllVzAY zdH)nwQ$nFTj$XlLImCnSM$^1T~&8nAkA{gh3!E@x*Q|6_(|Ob-O2JAxp?k8 zH?D>uNP@F9+VEANBUGiYm=2tYf3n%zOSf}b!_2T^Y 
zlCN%w=Aj3}Sd={cYyo7z^j2!@&X%kpH_x9hL)8p81_!?MqLr=JR-UaqDL7gllQ|~u z$j+gZ-wlK-Jf-6#l2oLLni!r%C^?qZ#V+K1xkg8hxRu z$JJ0<1WWo1-1Wpj!;zO2<0NE(24XQswHp9K9Drw%KL5O;4gn)12|y{}KaaLv(L#_b zzo+nMokVuXACX3b{9cbX=5~mP2A>(KP|2R-LzQxj>HABPB1WvM+ui+n4>D$a-!vgd za!uWNI-y48g_z&?;UAs`x>p#xOKm`|n%v!=Xr`ryugLXdd)_CsoPKwAXGm{KtI<@| zih|#d)(WtYO=IM^-Kv~EXQFrM{R5NgrlFhNGmzcD1@`4wQ7R_wRvPgd!Wc_p9)1FJQgy60yji)LcPh7Q2eMAIPsr-^ zf9zr1v{3ut6t$J$nKrcc;Ar|i?s^`STjXf$LNQtjoMkW+>PcW zUx(jrmxow#KPsuY^>(*DXI*t)H|VSyHf$sZBs$IU5D>=sZ;jnT9&>gl5l(c~dEaEe zD4%-w=)7r|_&)uHx8+XHTEo48uhg>u4TqVhYa$)sOH(%%B}$&~hd3hhDlIztz> zUcB8y`)lNCr*Sqw0|=3w@P77wx1>v#qlJ7yiUGBSfh{i$-?yaF!KiD4f|Csssh(5G zQoDO_KP@^;%{z#B8PGbdh85~w|9VM`=aSXY#!`n}rg@j!;tIo*#EOvW>ryfmccEqYZ22=RH zY=WD)Vk!5`+rPG%buGuw>vjVqmFFn9aYCJ1qLt2Hsqi*C7ZjWR91_u#!;kgiWj)c} ztUb=!%X_YH9QxyIG&zH)0lIsl#f&OHPckrxk+~XUoIT0fS6F=$sTS@s7$Vdwn_FnI z{FH#%gXd(sJYJj7ai|q@0>1rD2aA06g#XODdDzx-g}Bma=%Yd?7!4XPLLn|7rRHc0hxLH5+UDQUL zH6sww%B#PWtUEaG&$o8Iz2Dt?qr8!APHam4no7LYyc6Tqg$87tw}FSenPutntxhDE z2Q3ggma2Tl&|45DKPnb&~vy(M%HZG$< zGmh>|Fz}-vq7BTUumIa=Nei*6DEUg>7w~P-I#s(gw{yHZXk(bNa-{buZXxwCR?#o- zT=$#-JRbV@J(;tn&Bc5P!3d=Z@tAl;5>Dc@;4t)j${efhT#Z+_dD&?4ba|Fc;gdUJ zuwZ_Okw(|G_yXpg8xfE#(d5lpQGU6ZvZAm za{TAv#X?Tv^y}N@G^WpsBaoEu*NOrknI+(1hV0;zl;1NZIAgKP^XfRts$xJTp)LKo zgr!l9N4&`a#p}j`V!_3uaz~Av2&JkI zMx`|7ui>JEAjhC4;L8I?bCqm@3<4EW`J%`xaX?+1)N3({M$g)w^^=0K*cAs>yAefj ziZkqY#81dd&)SSut@S;#iv1lxAna7J=9BtO)F2PajCnQ?apis zEWagctfiPFrps2j-`H}w&@_Pi_kOR#zf1w)lu^JM-ptM$|!W0}x(h@W52f_0CRF+wJrFa)5srz;7lq^_2$ z7w0{<40R5xVMzF$G%oyifa3%&#=kOmbN+PA?hY zLhlY1#(h8Ec8&@HG6fwSLm{GD0^XdSSEcQDVW2BF8@wo=T7yUs{=5_5sr& zZP|F3jGY>tM)99dvKy+fj$+a16Rreop3MmRTXfwn(C zB>uT9&;U7Rw8RLQQ*;s;vyb0v*eLcWFx3wnRZ9G&%`V@DWiYuMD1UCoTC$h!ih}(j zPQP2*Tt-(f&B;r9m7^@8)EwLNoVBirQZqvlD+c{GOnWZk_3Z88tygFJBLHdi64rdC zs}@)L=^#UTQt5Obd%XR-+fOZdV9^_^3jfHQ;SXAj0AK$f*rw-cWW~I;CsNU8`}pi= zn%ka=gKzj(sUsZja%lr6!~0_LeVOBy*&vtU4;%DJkF?!J9~;2YrH?Wf^Vxh4cwfX4 z_>~=n`+hJny;oK}3P(_#y+~M2*%eE3dwB={F&g<^%0HFm9rXmKpfMtqX44TU>!MK` 
z%Tuc1nFPo_V`AT8+<;A`dSgVijGiJ zf+Q1!(0}-6dW+O`0?Vz}*d#Q0fVq{d^EY8_z+MW1#(GjPu(s{NlM~NRVJdXLm}r}G zmA-oJ8fSgOv-5p+=em_+mu1(xNV?@MZs(OC&Pr_XVtsO3H}ALZtM0es=QNwkP9wAW za2h+*U)245eo9|zfb>?qy^4k$1Hz?V^CVKUm}7y45WcWY&+EGM4r>k2I$jS3$<6H0C3akJUpj09HylK9$)41=mtf z2fKsag~lR^hODFOR{kPy#kP8GBV%49USQEh58==5-Jo!yL8qLKsh}n)?cbvHgjA(e zJL|1V5!s-blVZ3Aja0cY-3=(|cCBWYQqNG>R6g5v(`B)DZp0T6O;&aDaq{0%jFT3^ zroh>^`i2jJLFWS=@e68_e9JEtg^9C!wCFLMRpn4({-&h#c#&keyq2?vOdAk>SjlP{ z>tC?vFU^dYAKZrUD==jFWi^!yGmtNhMg#E0-MRZC1Qhl({m)pv1_ zU`}kHlJog_E0n)s`(@Lx)#w z>oIsuYkD{jt$QcK@>vn|=Em(rmbjUb`hzpBNfYp`NJ(+QI@$Brz#2EnElW**z!1c8 zUaW>)HM`Lu0MAhmX7fSVx&i3%6kuFu#8ug#+0B;UuA@rmi=se3D^)5?gGAN>WZvVB z1>6!~I4k=u52a<_^6n01*qC@Hos_6RtH<8Lj)FCLBTw&zucu_nF`I#uNVKnEm@T{U zz*(()q1oJJuB&kD7}%O{y3sw>ETe>ESiZAa0-D0M%{m&D>@QgmE!K3g46{^16d!aH zXx%yHM_S_04B0rVfhN#Yj3sXp^;&vO>2!@HeB9dS>a2K(2YcqFSUgO$;35`0?~a~1 zit_$)YUfGTbDWcAch%RFX!+QYq^}S#1{U7BTfZTWp=cJ-b(u)!4IgX4nQ(QAJK5tU z(m5WI5Bcd~AFd%4Oa4DE_Ok`67^8wa#5@G@dlWYuS1K~YT$Kawf_|D~n^|hxFCM;Y zR_1@YFD9XeRu*zL?nfsmF!UFxYiWJ9Rs!@)R^O(YNaPaT`$m%L!_AFp<}0gQ_i=9; ziZ2igL$_?A906>r!LK1rnXzx#7UE0|g&DG)YPbuT!8h)=8m+i_qa9cF zCYruSQyNZnN@h7ktPs8`#460^g}Vo%EVrrtV$q$JVn98Hbq)0<2%dozIc3|@cU2T zJyU#BHD}oLbL8!_NQ2?s5Cfrm`PD$!9o&q2LdFB4&#X`m)~nE%s%lxq=zvSI-wv&M{9LGYs{&HjNq{tu`y%lF(B7EclV*_ z2*{%Tdm+xFUnh>(angZvlcfzUa6atIMI^(^9Yr>Y;h(V0_*M^*g+!q(8~)bRbYfCQ zV$zu4kK_VUSf8&g+MU9YEbsmxWye|12|QjuHOqBP-$=f{5%*}(d)%NsB6^(@$|sS* zJngHi7WGJJM9D{@&)nSzdvJH=Iq=sd{>TEJi}&Bn&27hzkTBElQs;WFE0(%f{o1 zw9UgzU0Xt`6#N2BI>dATgz##bl4r@bzFbZyM^IN077M-=%#D|P8TAdT+$4K~(t1q7 z`Yr-weG~CH;H!Xv`z{aXaFep-P)VqfrJ0%Ig2$&c@zGD(n0;8lii~L?6+R)hf{OT8 zKYT5DUy>;ia+anj9_NZfzt#r^pV8wg&e~>H(KjYDM@?%CJH}FR|DL+edr;;o8%jk+sf*E-_ zR*aq58cENUxUL#)PQSm~N48H2-kM>gRwRf4&7T2WA8%xr>f%qB=~8|Fv8q2FpGM=I zovA^pZM)*TEKlul)RF4VsYe%=+s(vr!= zXiC!f!dI>nIydXhmKSRV_EbjS3bW%03A`32CLZW3W6SZ9ga>twX%wEo4g*VihBp81 zMGUdAu;6Eew05!K1{g#o4azH`A4;#OvrzCkt*~eh<|j4`ajUW8YSN&7u`RG` ztweC#ENeC!E2O#4$dZ@(=@*l(S#@(04#Ud})kSA^D6!4n=u%eI3(sNusm(>vYZ=t_ 
zFYNXl^3QKc4tU7g0?VzjkI}^@>HHi+n3bhCqj!f)dibiN-QK*;qzj)MoWiw)Oe3VIO7{$q^>WZOv3$;@;wesN;=;E$4Vf z)hu|`s8V|;Q(brfC_+)$8N1^?^~~qUud_S7Z6~;crtiGk#5pD}@<^2@mW#@UdhhCpMsV%F&yLDH;V^V}Lf_jy z+$m>U7jI;wZEgbgA)yz~e~} z(K&=4GWm1*$tLBdoX+#B89RD`6lXrVL)vFG1N>p~J__Ukaq(+>30u-&T6jTXcF#AKA>bsS%q}S&yU|PcFk# zKAJAjQAycjPMIReQv0~aBKaUg-pfvK8n0-3i&#a*kmTXCt!khI+vibH<4TppM`R8+ zUCm5zSS!~A_Y~%8b+!CvyK((aKwu|97?oRca?;}_a6d+q@8(jk^M*vn7^z>(u!Cu) z5}oLM1x=s;MQM8L)=d{4+Yf)UG=IA1O%m@__jDD?=wbVf zHm2jCB;2XVdbP9~kN%G{ytBsgC-IF;dQ{F0LFa z`$}Ql52~xRV>T2`I3PF!lj;fLlLh6OdNV8b4~+yXt6ty=_bH6F(6caQoJJ;iKP&m_ z=`aJe>BeL|Jo1YUh~*Pt)~vz6eVz8)v9XScoY4jKJd%h=`c6+gEITT1-g~bbYiQs{ z>4(SW!Q|Py&YBe-XjeC-I58l?yO!yipXVzTmg-!S8pkjg(Ds+hd0NZ&@uyc!;fMHw zb4_|3VoMEt&s}6`V_Qv|_3sVIV8@Hs6kK?G(_+4Z5?fxX_D%O!;=4_>rU@Z_P^Khs zS7r5j$^|OvOuN9bJXdAM)oX z&z-tuoTAbxE5Xi2GY2N#qpSI}pGI?(tC}Sp6fr2G*cwheWyFW@Tr=HtolNsA+||0r zo*9-jdCGrFchY&j;Rd%zZ1PK8UOB9@~6bc5} ztF6=&i?#u2z5zS*5uk#9(`2&j%yN^?2VpI3>im}k&qyzLqFtp^$P$TAD*EViaYq*d z1|}-3d)976;yWYZ-ZZoCN#{Z=i;>cFr2$={o*Fp!-+n)naYrbplE-2tMqLINDo?gI zE3B}D4DWnGu4OLBqCPO_$397-T;A&Ge5v3n&d-D;jhklspze#b{MZ>(uN;sj%Fbpn z7n~o1h~~8nuC`-9v7&`crPjZpVC=?_44|VbOpBrMaBD;>_n038R9dtUmfPSfX=YkT z3$dJOS`+~HlqUhVeGhEQcVnsKq&jh%2l7`a=&!eS>AM_8uuKv9`7|O%-P^~P-P9Rq z)FDaFo0<-jlmc6iPV-nEx}@(Z(aoMynTZgV682X{2)!X82dzSB8A)_D7dQ*lxG!f8 zN^;sj29#fg;8iEUPVW*!C~(hbDrr!}ocr|PG}c;)U_?heXin&1v$xpS>XY@ReTd3E zW42RTrZ;PQ;WF`}*$i@OO_Z<2Wp`NUcfm@Xr->kh_-kM?-bwIx1u)pvZP^v*ljbTJ zV99&vK|J5&GuF0D?9;XCEjJbsH?$(&zb-g^R^wIb1#XD#80Q!e_psQJ{S5 z)wF587|{JJuVF_e(BXM8r-sa97C4ALor$zi2cJm=7Y_I8d(O zHyiEyEKC%=p=dy6(`(l8s|?1VMQSpeB4(+*r|QP+DganGX{l&ItUWI;z_I za-z`qPw>aRwWsR9s=3|gUKnX`x{UKKKI-}sbJt&H@KDz0xj4Q&rBV|Ag1HY3adxP0 zc@8|%6W@_z5rB5g7RKewni~%7RboZDl75FJgzU49bYnq9_Y!(FE2nb3ga}q{DE- zO_6ZGWshO^+B7Ep2QXyx=6d)2aPR;isuVFS95^w~=*;tUGlkdQwaB`Mmi1qpCU9zS zc)yKjh6YfyTq`m`uq0N*tQQlQp%IgoA1jR+`j&ct?m>jCt3OyVS#YC*TotMJm0|NG0eth6G1(G`YK+52VR7>S>JNJjved%r zy7%(TqLD%4zns^y4b~$xP15%)8!jjBdMP+xo-cUgXx6?bUyaLVdlq5lb9K6HiY3sz 
zGu&w1b8!=R80med9h23nXg!%tv~V>w_v%~{IS3|(b(s?dFiP%c;9`!s8kf1rj>D71 zz>*4l26gm*Xnlq!Lu&nB*`V;JF9>6UfsR|!2HYYFgGOJ38>@pFMHIH4P7mAEL~=&y zMSnxyMvuf#_2U2|e#LLuV>NtBP0S=i5+kn{j^DRR2hZK#eOI)sNL;o$L&HJ5gg3z{?L-1Y!(H+bTUW4^6qHw`U5K&5SU4W zm3r}vJ7U;1z;U?4z}xAp5yG%}m0n0D8nC?SPfyB949rAHQH_coYLLnF;u*d>64THr ziUzqA-%ejVnTETv?~yr{uYt0~)>c+1dXmTn$D;)|bf}LoHxp*kpC5s7FDWCVMzFfl zLG{O#f2HgTp)ka5P3i3*d9sfLt-xx?FfSm9J+-k2g>9lE0qtRAqpqtL?+x6H52-pw~|CPUFJt($Wbi~hUNB1V!|?(y08Du2aS z$I-^XYAjFMqRXyyT41|Sc#KImCKS$F4}@UAJVMzL0#L;{76Inx<#K5Ly>b2QjU$FH|4r#28aoiwJ) z4P2de70#^P=7iJCiQmBH5VXK3Ra^mK6dX#I9)fl- z&jI>{;0YYiRykRI%xwWf{;kpfQ)G(xBciqD3^!jsL=s&348j;-05m{m{0oa_xk>`z z{^!}CjK7zYE{cpvxMF?SIPbq{s!4n9Y}6&Mq3qwmPK%Fd^u=aaNF)S4Z24-g?*V%g zdcZyI82}<9_H4;`2+AN-qbY7GU<_p5R1v?yq*+NjeGDz1$O>4zO#F?h=fkjp+uq;q zJRnRR5sY6JKrNYeDiM7b)eLn1VDMFeIlXYLFd#k<;>e+>LKNWyNyMqxLE8GgpNwVh zo0&en+gK)l-s#5hAXCtw(}j{l4XZ&38xP@w$7{?{gC>xlLRDd-O=HRbf5`o9LY zA0sTC@L@gALJFSDXR6Z>WgkbMm}`Zxe=UgyHHUj5r9Tqt%m=)RZ#=#?#>*xvRt;Q9ZQ^q?k|RGP;nMDhEPxG+(r5lzgah|41}gM| zx6o)`#{Q~sVEJ=jZT)E|U;Ba;<@Zp(BejVmog-zk$CN#F3%h%{vy}~Cz62x@r){c8M(BoOIY1^W`*wAbz0a?7&_~h!!rLby@CA2(HucvNrpWmqY z>+hECmYturA*|-HW*liBTOVG6D;u2iFFcnTQrpf{QH(}JKYs<4YyvzagiyFFgC3Pe zc7rDg`Xp1(N8&S0P?J!zpXe4Q62vdpU*x>t7rwAa9L34YD0OMpoDU-MBYv3@QgjAm z$fQs4*sr_|Ty$Zt$Px9llH+)2mAg(mU)Z`dQG>J;$Y&)ckLsI;Uxr+*U+um5^uMEySsrpiyUkByM=UP@a*Y_-hIl(6GB5w}U#A9~? 
z?xiUqx9A1dtyd+V+>fx;o&$5ofD!?Q*etN)&w6lk%zR^i#Dkktnu$aXLl$eRs4s4d zg@+V#^j?wsui)Ym!wP`!0Z*{N8Q)Qk!q1E|MKfKHIXaI7X?PKgmiPivm-c>ICLU1shBXh# z#D5AGSd_-U5pb$+#YH0;YVG~MGf+U^$-b|99sBp9P2y@7sWe~qe?2v$62_&8tP z?#%#>2zu@s)LSfi?SC>%>4B2Q@C0bQ=J3aQ{u34<__|XJWGqkD4 zM8z|lb9zJg4|H^o-wC5hhzkIG%XHXH`a2*5=RnG)br^B0;M>MPty~`2-ZTVU7HXXY zaeLw`%1r+tiF~XK%y}L$dcHUTr%k{iiOvYQ`+5r`U(uNwvZnbP3qv@}n5Mpj1BiW6 zpX1T6#M^%2H!PL8NvHOr<*O6MrW3!xq2KOCGi>_qI#T0U9&I~>=brGp67`=GA$I&z zGD>CQe^+vsF=GJf!p{fxb`%$=I9QsGS*+R~DvpGvx=e?|VHY*dha(O2-nj}diOq4j z#W~zeHxguk5Z`xQ*7Y6&F)ri(<3cBOuK>N3i6n5YNcO3;qwApnaB8fpt#H!T3Tw_i zFdty##`AZGzu9OmN(V$H*ca5Z09seG?y8w+OY&ewvQR)VK2iPu8R&IBDtx<|?%!$! zSdgHavxKZ>qB* z4~anA`EMf7fAnbrKN2Y>uhU?!`(+Zi-d06Pp01pkUfKE!-qeZ)5JZ#TQSy(M^%9~| zT~U7Mo_2kN$Pr$6HdfrkQL1{Un-Q^j`ZX(M(Qpq6EmK1U=Ly>3GzR%wPimva80Mk^pb8hH?c{N(4Y&(LRwQC245J*@Vb@qG8pa zP=AFBfy<-I_}vp$!*b?b*>vRd|Gxay=~s~I2Sl9WV|$oOxwQ6#-!!u>Qy(BOoCuLw zHpq+HFjPd^fZ@>ccH^$%-1FdOh@JS<9-pZ(HrJTOc%>>(7{!3zb9F0OQnkSlw0Z)} zEDtFw?q8B&Xz;Tp+7*fmVH+vv;NIgciqwa;2k+s^s2Y54@h(7p^NkO&_{fg79fre; z3BTi20wiSupS#kdkSTIt2;>1#!U@bzF1%n86Cu%PS0nX!)FZQox0f@0Zwr(3~ z2YGlwTJx7mPr@}T4l-~oLH_CLsc6`$WH}!2Wko$+pJh#~KZ)7j^vkn9y&@RTE1zzp zLBDp%?cClZcsL^>LJv+5X=tOZ{}8Lu^YYOiV)di{K(as|Vi#q%$37@%2P!;t4koRf=yhv}Y`? zrm;-hj1Tnt12U?$?B||khaUY@=$^nOiqX=-Oi}@Ga_D5}pP3IrXm&_X*{P+4hsI86 z@iuL`p;3$Wm(QufaF80$Y$W!*J-7_-J{ql~<&mbZtSvkhQ*79v2?mEAq_USB4_LGE zW$}7iRobn1moaLbcpZEnhl(bTjQ&ZPnjLEEfHn}zS;Xq$7t!mfm5ha{zN=eLxQ6S4%H+)u_HD6hWrzxy8O z=WM-^az6znASY?qIKNozm-~2i=W|@OKbUq)#^SZdex+Mei0v}QE0ScZ%*s;O-vnH}O4q}j) z;Mm#cfKqQV zhU)4qR65G{Oqd%u3g;S0r$>7UE#F|Hj*5E84Ha_@d!wA*bjZvLr0QuUlVOZrr?W|* z{N_L5L}?&#epVaMKavqmGT|X}%Wo9&Y07;_QX*pCYplhU%p*iKSZusRk7Z&-C55=? 
zJ6J8tE|Bxzn^OGSmwIrF`<;mx{!j2#gg$;*72xbu(SI{#UPF@$#du)^#krs>#yd~y z3~4Swr-jUIB+f)yZBGW)bE3)*IWgQpzu10POZ=xesPJt>0Rm&$tAJc4%7@Z`;lHJU zanVZmt-JurL(gLy)Y@~#>0-0MeA}mZ7ow)z#pLRVSzgWRZ{92V8d%-~Byt4Cp_Ae} z;LHHYhG0`^VWEGBbcuf>9XJvfh{(Y{%A*Dz!a`W8NZK5z1P-3pamEQF_g8P-jumH}I<1aKF8=im& zCN`8Z3B6xU!rtmxEiY_RmrF;0f3DLpRU3YZ@{db$#%gK21Y8nE*>5LC{SW{gben00 zOzD-Y1d7^TRk~v;=$-K=;AH-|aM@H}A=B>pNp!-^DSPXzu;RV`=jGiz?`-8awdel> zefu!%h&F+68jW2+NBs2xJl6f26y#9=$^6&6;qE6Zo~ohPMIH>q-US}Em(S~uKmtx) zk*TRPT$(Fu&vuGY_R%4OgZ<1m<~y2NKOh(nrx8qF55N$R_*Db#B=Dt+jirMu&|b`O zg@^$;A)a_eBp%nMVM)c8)JzolO!RBU4gG4*iTjJCBVJ)g=v=;0~9WW*`K^JbJ+x0osF#i`@|11XcYuGswk6*_u#AJ zYM?cUt{iE~%LWV^5^hUbh*99H(jRN*%Id>Tpw~Q(4z1hARq$m;l0jFOv!1hR`|mcwzTZv1lK5Yddjlu{prS$E zGs(v89WX@YhXlKjMpqH}`t~;t(^B*?m?cz^cs^&C2eOPSJ)VT0eK4y~zhk$#p_zch z86ia6_iLdls+X^WIs;wn{R!C_??fIp^)F8N?=|UEYypI*fQI}R{{Y890dp11pS7#P z919~D&KHSL+`fG%cKXBdKA3&C32Hv@3weGtt}4;C(96q48k~)05vzz$1c`Hv>!%y;1FSH#=$IEKx#74vM-bHKrZ>hWIqB#I8m3A7>y)-H+Z8BBezsqbxZhjrlp2 zf4lvJ)Q$Q!n8tD(dx8Q@FCqBt#<|p8>t|H?^PQi$on*r0X?saIN3|#}m~ECw$tamE zo1SmXJ8GVxSAvyX=!`om!_!^;AFnUoB-p7waWQ#uI@Yu>G`#Q6O7XAVQV=C4Gy;`( ze@=pC!-L(HMq%ui##p%E9k5YDuAFtz32&-i)3J>RO5)LzhQB=CM{S+Lm)$@O7;oaL zI~c-_evBDq9u$&G;0BG(!GGE8&I6^kQ+{#zn#kaD+zHTAa}2gAd4@;Z{8TkuJU(cL zl;g`XF7o(w2|i6xxq%&hK_D*O)u7~aM|fcjL(!*`-wd+@l}i2#IBA9nLP&)(XTd3!xfm1$6x zjH+vVP|2$&!Aa}XcKcuN&VJPy2RDJPT-m!l#Z}JeKKDqRQ)%nJ7XISGu^(;A;cz6h zY|R6Ft`Ag>yQz1gph(6J7wt3?QK)-h7$9GQBZ#VB5M2?5|JroyWzX*i+Hd!QxJ-;= z%=GNZ#=&Ruo2zkGqRXBh_0N58Tx(Nf0*>yZ%^1g7yH^E{y;)RZR6`yi|4;SzN~4Ss z8_2c4zn{Qq9;!dS|5Sf0AV@bqgp8_JG}jnWcaY!JGEylT>UBiBxvEd)Q|w36sWF)- zDME*}ik!`)>4(8Ck{yFPUqZD_+;KKAJJL$ch8GIn+?_(RX_TtdUQGv$2G8buiACp` zqywenyz(gq(v(YlDh-`f_2TvP<>w(k&6?<|QhJT|4bICmg#o^c*Gvy?xz8R0YW8lsZs_B1^@g|OW!;Y2{LdHC7|=3 zFD9uQNfTV;-hlF$~2q-bYAR^;MGlfW9YPUP`tuI!B^TX^VWILAEc$S%hVKRu^xxItdOHA zcnSu~&&jd>X%iPuaoq@oT8SJq1;-6F>Vw%Yu(F|g?fnT+Kam zGoLyINaf?zzt3k#K!lDY3?1^QkM(ob<%v&k?-(UW7@>@+O}?hxAi6}KY6e%r6CZpp z4i+hekJ5_c>7OG1pzU+$H}s52YQ=3@0ZkyKjB!9WQa!#f8}1#e^=N^8 
zxv7VMbXu#T0Le}Vw`NzcpyB2II$k!XaLcsY7blLdnp0Rq5WJ zQAIL$xrbtXU`>X8H5r(%?QYj`JbAoVcq0P*fVNISp$&<9|D=l z5MecW#-H^3N_@tB5qqn(sEz{qOPtWNDxHqM&JPjwqj{H)MF*RixVJLAvrhb5XC0*w_L-Oiw8o_S9D7n%N)=o=mx6hMUP3Y!1epMMCNG5Kd z;&+SI7jOryX6W36giaQr4>O7q-jVyyV;Ld>aDK#b5LP?P?m9}HFI^rCe~w=~fwD>R zd-V!3&cr4-eBHXuSk0GD&VcWzBlXQkH99lFg!9d^H1sH$q3I(1LmtGbg2BA2PjRuI~ajf7K{1-;ob2NO% z=NoSu9i!Zd)}!KjZcc^$VM|tAJjDbF$VA3KP0tzdcXER%i;5C(NS#@slF?okUz$tX z_fL)6;%H{A$m{5X;`gUxC!5>S9^*ZGb|g{~aQUIx*-hG!qK0Q|IuG@2UcMAK-jHv2 zcVu&S<&@I?UMbaqO8g9|AWfKR077(FcgwiwrW+rt5m+K0jOAt@hvLejfz#HjB#TQ| zN8qEhP>oA}?q33vtTxt~UNw*#mf6fWXfha2^+#doVug|(ya}BUv3DS#w;#?6b2{Gr z(LVp2$uyUTgnlLhJL16VeEzh?Wxh;JUPu2LLc=i}5#++*?qOd2Zo*qZLW#eQZo%*F z$F7%}gNw_JvL?sgjt4&%$?F=X63(LN`kNH_c0MF)TFso#yi_akct)WP_aHZ{P}+D^ zS3BO92J8?C2{kkn+I8wj{b@#cUQ`T2i}_-Sqq*0O6CL3TBsdCxM7u>2I#nNj(3Tnq z9$}#8n{0f4B$vnKbCutWvOW@jg-Iy1N!@3t2N!~fnL8fc-9b5yHI{&@?v)%rKTnE} z1Gij>eV(*R+*x|tFVe5$wfFj$e;eTnWB!j9j#EPCqQXVP*O*T0RMyX)Ir%<){`%_< zay0X1UB~Co6^a`&4eX?+{k6n9fhXQcGhEe^HCE-o5N=7bF@!5`|AR-;gdXxlOtAX8 z&_fP^Ii8CjUc~ka;?tdYQV0P)nV8}<1W*BgRJtIGzyMCo*o4y!U!f;F*|FUE@`Fhq zi~4-qeEr6SJ2Pwy@3PqNge`YAM)a?TqgD^t z;_a@LnPC6xhnCag8GF2SWM_=VozGIxPsa~c8DC&KU+&G`dWrK1a#>UJCz&d|#L>IB zDuNdVp;4vj%B{!;hSza;%9W$8ip5DLBbcP9*Nhy053?y?op0=}cP+5g`CK54NJc04 zGJ3!fW3iy7iY^(x5*OIE`;oPfX8gZYW$E%bpsL~WnR9Le^z`3_I>iBey z=0+y?uiK=(Y~>W-dXq7dXQMQY3KA@A-{cXq}h(kM+ipj_VX?B$GXR9WO0kl$xLfTYADJEftY zKKtcg4Yxh0USSuHoEAONLUh5Hly3Mk{ga9=lRI~}Kx9A6%i-k(npJVxA0b9?1~-?X zpZvjezPYJDPwJ?W|(x*?y+K5%SKk$YrQF4#;q5DbM>7>@T zOID&%0p^rlNF36K){zsp0C28CuHW9vP9sR_21nN-0}D>}fjr}vgI2iEX>~ZcFEuF1 z2}RKG=0|mddcX(yW5A1*lge+KytSGkQnPlDbf*&*uu&U6N#;r$4siN}3h-rwCm28@ z|19UCejzGl2IwfF86@B`LD=IwwITce0!(Q}pT`8Vc-DM()(Z|kzVV65#T{mdI(1L) zf|)A~G%#JrU8w2}pSRw3;Zj0+Jf(T5T)TRV^jt)JPdat<4J8TMpiA#|ptEU+ipAu! 
zo=v<2j&Xc0gQg3W4dy^M~e=YM5?0rHecH7VAUJ$Kc}5pQ!tGf2B^J-q-#Gf(abyBt^Z> zpl&%9kW~P|P5Pm{Ny}9%07UOeL8}s>r4RS+KX`tv-#w~f`(MLx9vp%`w% z_0|;q3)b;Dp^@(}ojERnXB<<&$NV=D*=8XFCl>v6+8n?+T3-nlHkO-+l$`WP4~>c) z*M;%wry_AH?jC14)eH4j)9DVv(ke`+bCW8k9^~F8VWRha-8rFD^2;Cjcn1U;S);pP z21?y2h~JkLzJiF;>6UO@1N#w*xtAw~{#xz}^lj<0&2oLGg6rXi#IKIM3*4HbE}2nK zCd10)5xmaxQnMo_YlCG=dyz)rtCVmgL|K|6;5c3STD+~4;+is!8o1+SEIeGJNoHw<8Hck{rnqdsdMnUg6quz^Ld~6Hz&>B^QNzYqu{pKYh{w)$43+>6m$NqSHa-C#U5nh zP?hq#QY6K0qkJT{a!!Omqx!&nwmJ1P;^346Zv9ReA%x>PWkw-Y;fq`1kx8H~0}ty( zUH)%(6eOuL2Q*(Q#%!~GP~NU_YFS|oY+U>!t|tE9qTubc z&ozL9x=R%{yYul;i#5*;F|Ie&Nc#X-bp3hlH9$Yp5UB*}Y z78jAmKE%f@XS%S$>hDp~I^UVc*lTy;Q`ZSm9)Cp&c9$uma$DuKs;Hx00UJc`prPAZvxYoXx99x8(J=aH9PeSHCmM~rev!5D1ymWE^6*K z=jJ4XV_ba1WyViY!8wVX0@!wB_R3)zqbEO5F$u5Z|%T>sW?&68BD ze0Mel64`p=H65j@trNt_(~Tv0+BdXoBSn`ybaJ;|=#&4+ zY~Cd*&z+};?yv>xR&Y2tiC@Vd-89+FD1y|0pRV6+*l+2-tCDW8xsWa$UgHUb*=(w_Q;{ZLx-1$r&R9+%(0f)>TVj8><-D0GteqNyqbL)=8A zs&H)a#f)6bZM$ejOnT@sJFFus=8bOha6;i0C`T56OBf{XNoj+XQKKB#bdKnP)pvCC zPaNLxe6sQ3dkJItDfX?p`?B@j;A)WQSB)rOo||8KKkyA)Ca<9V!wB_SRL zk!m%0W2-g!b;URAe%jDl_|Wn0JpQw5xyP}DGHU96SH3NeS=QD)DTVcRYgOT_O&HhT zE?`;(E1v+{H=aqlUV|3&%Kt%yzob2%ytFI6;|JeuRMR-?-8{hT78Ow5<|37VCC{8- z4gENf*_U}kbFcXcegZhA|1rOf|MUqs?1oM=G>S%#Xi-H*hfp`r*Jw3!8-W*2e3;|D z^lya>h#dZ!@VAV%Oq2<KcsqrKT^YNgqBN7Nq%ZT%NT0XK#12HAkDW&vQ{8nx$4F%w72b)2u%jlNr3~7yD)%SC{ucfa2-t*E|I#&m7e+ zp3+PIT`-u?cgQd&*mOs%?}O-bBww}uPUT)f^s9n*RXZjptP+QPC~w|33vLuN%Nj0B z_a-|wUkhPdmsRpw*1nG&0gqMQSf|eRIPDOt@s}#7Zoo)MQ+{wBo&0E7JY^%YU<8FV zRO@`j>t!!Vy}2)S0>=m8nML+|)TC|s;#T~H!vd6pf0ch&K^_Q>$`60lUeLmt{on&! 
zRaG`u$4!+o@Aqho-71W@SK9iD^@ra(JhhP^tUBe!JxV=|=FyR+IR;>v3ycMx=MAJG>dg^E^AOvm%352SiT`^$9t};v4q8j4pe8 zx3}zg>ENc(fE4r%aX)Mt)Fhk)TcUp`l2HXJ`5S0|A_xsXG({?aR{H)4c_doxCyA!VcV_Beu=`#vhpNvL3^fWqDR{&VU6 zgP}FJnL3PaAN@ zno$y8@r$JW`kVuk_!YOITo&hz(8xv$O}!tMt>iB(u|=vBt}m6IZB%k|U)wPtua8X1 zdVWnyB6f81{PE`IkNWx_O=*4ypEuL|`cH#?$ebi&>;BB})zD66IxMu-ogp&ZT1Qorjy)w}%qOYMf5uMZY9H758w zo!8xTeI46G(Nm*AD+iBXGu)N4`xwHISJCeUr|_wt4d(XA*aVr^Pc!dI*wBtNxQ2Oi z+MPDP&00!rPw`kgMkagqmFKSA4B=RNf4x-|_Uk~PjB?9t`M$CGn}Dl^Q3qocZ#}V~ zBOXcG^60O>^jLjm%8R41LC0KdVa3RvQ4@jmZ*4FR^B;8{XEKeLeY(bIY}F>4YtcLF zyql)VOLf1 zY{>4*HIK2qpD(oN&cvzK&kytPL`(zUOoUTkf=^ID()OjAYS`(*DIruxP2UMaIQlEt zzy7Q|dx8tEv@RFD@^`V{xAB^V6G7SwW!tJgePpK|f!{f-`RBVB;IyTa;ynq22jBG> z=|zGnI*fISIYq-D>zg)eVi(brRSbEL&-@}{ks1tcD&WZ@%pg&}~M) zkxC7VuGb}M4Vl`A2e!9z|9SzwBut4vFcVuKffA2ew+&Qt6@3WW5}yiVf6oxp2N~W- z2<15P-}_8fR(Z~6S=Bs5^Llq%J(c=qyFC+w+vscr&@e=jaxwHUj%=nN`cj|%NLXD|Eg5ILg z_}+YBm$G#$EcC5&gvpxchl0?uoTEpBLRuTuOwW7!{YlbI$M|*4a|4tz2ZI-GHkYQJ zbB{F2i1btp1x__Xw|?O#&Fw%4AT%q~AspCQN_i?J?}tB zBUNLJjYDn{!27RGW zKez-LesJE~gnZ>asx;eK84joSglsb)Kap20>uWde~rNy4v`H2H75yv)P_=n)YqNjt7FIr%4wcwl!e*)e}BJbP7surCo zUttr!yLa8^Av|xQ9quewLA&|XL&U;K%!As!%N52SepB=J8NHHsE=Kij^4x>TEAn8y zdv(!>aNlF>0a=yUu@OY7*)QXT=V-KTBo2k)0G%inkXpuHM>#l&ypvb7=o-S>GvZQ$kUcSBTw*YY{N<${@N@-5a83%8 zS?f%9Co?R)*SE+=EyzPKn9JDPTCU<|No7uEWfDk2r@JYY4evi*bxx^JeJVCNeJBE- zxq-DV`#SkHVgg~D-E-EFwGb0FS0}J0n^mDytWs(BL(+5DalQYwnQ>-MUf9c;0o!D~qmfz3*zgf zm>$TIyyUy;cWyda!6dOMjDH^R<7ScHdaYbr*?KP)l-=;v9DB&q7*)#<OncJCXVWt_&?&;jwZc-N4XmAsbS=p zk`)eEjY0Hk9N_;uC}>26KC*W>T_1hg=aigCZ4y!wL1OOnb<-&8hcK}9+`)k!B1&e@ zaVLU~>wj&Xn|u#w94<}&WDwLyPbV9Mx62@1Xnsl|db~h-lLF3EjPOKmc+) zxdk?pcg1jEuxmu`?>1D$6ucVeFQcp=As(lvNH9^+C49Jm?x`?TC?A=hVcpMq1b6r2 z%0cO#?ZaYaOVf#p97^5UO5w$)?*l!@s?zmS)%4Lp-s~emakCYA zjwic}fj8E?7@xLRzu<=Jtsf(*KV5}4xCUwPYJ~qkl;n0?KkGF0iKT<{_HV{YmeY8L z{Sd0?&{02})&V)lYgg+TAx@#DC#%RQ}>3bfuy_7Dfd}=%2N9cLp zD)^3k?@+{=kI+ z%I8)qKTG?%!jS`%-})O5(?En2fCw2Q|6fOlnl3ZE%wr#c;7*G2%Jt3BI!&G3duW$- z_1%;VD1tY8K@og)?fY8{0<*; 
z8Rh*tLz_gWC-2t!I&Udi@SseslR}yvJ*nt&#k-a@7_1YPurhQdLKq9`w$lE=X)ct5 zf|mf2qNU$`xhS|r$D)f}{u$+S)KfDSRaR}MSJWCINEHuL#~1j1JWh@{*QdxrINGob zYJOdSEhSHvVEnzLNNQ8=W3KsO?v6)3zQB#sY+MoWJ zKaefIMr{bY5vPq_9)7|9b7=v{;GIRG44KRH7}NOliAE=QF&TM>!*ojBa6eX9n^^Mk zUI#gF>kYcU^Q|sD^O>jY*BMYIb~%=BgDJEPuHlDp@TU~1e|%r{`bjKVKkR=1sRNX8 zU*?gkT(#gSDzfGNFF*ExlFSemB1Z^fp(bhRchytV&486vy3UiE1hrY4xQ(ZbJxpyf zlV7PYH-Ewwc#_Rz@j0a*#yz`uKjAG+d6;p!yopAd8!Faip_z>-=4P- z;e`~I&OT3dZX#7?JY@Uve!1i|d_4X$9yF}W67N;El@EwB2{4s@c>!(erM1nBL4%au zFS1K(fr*$VJ(16r%H*njtQIi;f*iv0s1_A*KC=n6hEb3gdZPsty zT-~unj0)128_3sX_}-fudoXhj?x=YAvq45riN!@*#xUzB58~U|hLn;QvTghp;MLiR z?bbCm__Lb&4DoKO9IAOBWx05}TV2^_WoO!J`byAIPX)8!Riwd8UdD#rzIw`0rEP3; zk^8yy)5gTADKDkQCeKk)G4dFwh43}kDjw%jXqhlx$&Pg{-*;Jksm7e=Sy+F&nKu0m zf=X2jo{%&|Zr6XR9q8ut7OO=!Ivxz+czh5jAwaOd+vT3E)9OxJY|s>CCZ;F)&`m z5A>RK%2jV*t2Lg@Lsk~YSSb5AJt~}buHTGX3eai2%B{{*me}vNK#JvdU~1rFeChN{ zf}kM|Qnzf8^k)WY$$6S@q>p4{(#B~|mrc%&!e1c~E^oo}Dv-xTXU{44@g3*B0vXB7 z{f_1lfwFCv>MWb_h{FNd@h@W@Sx-_bkwu1g{<5YhVxs)9Qc$#C;Qgy;UjQraR+ucU z*=CibY*CzTZk#Q*cRf8dghwz5WzD0h!O{;4Mfk6}OG5*<$o4WObaDs#i27tPtJVF* zZpQEVfBpGT*O)%T)lhEM70^}HpYi60^s7$ZIfID9qWl?Omr8J}OI0RaE+XW+;yEPo zthb=xb-D^OzLPi~?0UCDVT+Dp_*1>th3MZ#V2m!z&e7qVKQ8ZlpwTyE4ZzoGIZ zd9$MUKD*ef`B(duCx=U;(qq34f@HRXpE1TbJvpn;)qCi?D1|Gt%i!dlt$aHr%39gB zq|@0ZSvC!eCrDTd*SOZ0&~qXmtVCPk&{e5&d5ipCyII(3;TDlm0Tr3xDp!~^xCVmjHmAWZ8`D6e%r zW+F&YrRY?#dA70CoJ7!yNBjC&+>#{rFQVYHraL8A zuBIB9*qDyk76pMeE4Xuh7!U0hStLoYMYmf_379>_ZtP7F&0%5C33pers-kfi2Vc0> z$xBMZs34{e$`mYi8~U$?=2Bxe=wvy?cQIbjhMR5dCYKGQAOGIZ;w&VTTbs z5AN=96$<9XAi|_i+?P6RU9*)TCG!dD6jE#vp=`w#pfHH}0?*Zl zHVgj^C*};io)q&JW`VcwIzpE8c1*JgN9?9(Lp8?9o7VOAulx|3zYO=C$2&@$0(8Xi zUW+}sXo?pq-fxO4>I+A;MxK|j(o(F=u;6kC*&@9*zL=`uaCx{4=xR0w_oc1>{CM7n z+O($?`YyIrK8XfBs>zZ~sMdiG&!Dc$)4HxpR90Uajj2l=Jx2#v@JM$zpXtcuO6ks? 
zpP89`mA|w_)NHG2YL@EYlGx$%$S}%BxWRJ)uSVkZo?nYyo^&uhCsNwuZNAS}+4qF2 z9*6!^T6ttSTH-h&i>g_&jOTEPJ@F9O1iA7oUw=FnEiQCNq)&0x7oNwsG(KSOFht=7 zxcm$o4m?Z7m)tVFMdyx0or(}zp6zx=%d@IJtyE<+s>swjZ9pV|?``VI9fx zr1mVltL9s|(DtSuljZg|WX6UcjvfV<%!{3VSxlm<{@*c)O)nQ>*mS{c%xZV1b5vs= z4rl5Kd^ckKqT@NZ-+%^psV*};h3U+i<4vg4;f!ckO^NLlh#@N-YP@iQwxPOrnaprP zZ$V^~_?n6SvvG+v3Wzpk!x2yJI(vWW+qMPKNe&t#JYdeYtY<4=f^4Z!Tvz zOtdLz<%9~YJb|O$v*1H;iG{D+A9c50{1b1y9r$q)QM>?1>t!jhqeG6U108Z4OSlFt z_Y8GxpLG%~Mj%aa@uNEBJ^GBYD=fOwV;W=wnOX5!$=FJDOL9BY1!q$@nx$*a1eaP_ zw+6yUr4jjI-Flu!pywG9&Hz)uJQ2fYYY6tE4L-nMRc-DU8aTx5s3iq+Q1?Zq2?m|c z$CW9_DI6&Es=JJ4^FOK7kL}}%H?ZRj&K*#Tua2zRi;qwPSLE`&AJ!yz?IOvX=E*9E zhVgV>Kk{+lV;o6XZQOv^D2a6G5`c=yo9VkP(bnKPK?rqe*lxm8jg>jNjBbM?`=aL~ zw{&`$JX%S`7F8!4`b~uE(mChsY!s8W4uQ8t26rVewFhI? z`^nwIhj&)_?_XsiNP=Dg-LKoovFSTAOB)|1lyX}`AWuY=#KZog>*WlF!9LZ1MES%4 zCwzr&$bCZ!e9;6HbFKFbd2x8w8pzYcS;v0*!B4bNC+R^I?n%`gC6tD&ew{>$ldCHY z5D?0qH# z#j!uj3phXP=SnFKde#SNJX%Zj*?2$y8OHR%^GpCrtdXUwj2x)Mh2ltfbUCuTVu`bV zvj1ANpNYpsuPK;Bo08MV$m-NcRtwF+p2mdPoR{H*H?;SC(gWDeYoZt4`i{x%~f)1;2-H{ z;ici|iC}ROY%&J~Lu$cspNrS|hL^OY38lW_(eC;Y!R+aD zJ#{KQwN4e{5B2zFG_WqOYGVjsaT}JgP6ODN`qh85V|+-`+w{dt{$-1%9%~qsu(}lr zKn1?uVS`!hug;3Q%m$`$DpA4D_S);r8C?&WnYPE352zVP(M|W7jnuW4=FXI)rn3DH zyBt;PgID(S8a#B9d(Bds*rGPWS?N|X&)-%Z$r4RiM`5T$e0qr6`zlrD0%7Ji@*Nrh zl4}{SO~@051v+)lmy^zW+G|9)EjrfqBeZQFW-6@JvE{ExY~-XV{}`{{%r9Xm5USPJ zx|BN!M#-f1L=3o(Gn8=ye&RV~Fq5wNsU=JVE{BHR`7&58=1IVx7Gz)OA5`{yc(3=# zpD3Le30EY~Fh& zHzKNUN}LbfJ3NykBWj*`J{@=vbN-^Jj%?p&cBx!1_WUe|0E1hKX}VN_kp_#=cPK!0 zcia_2Rx?P$oBiw3yTlmFRf@{W@Gal1%cpWopA;>ZBclWSC`?^nsr}9xG6E9B(W)G@l4hxL^MuD86AtA+^kB{VE z5v9AK`j|*2N_t`n#`0PQWUrP6Y%3p}Eh{&DCx6=TDsYvnhWXJEM)3J#tXCTtCsZw6 z7$q7mqq=tZFIN1p2vBuom#1M1MyxvitQ)JDYpblro~``1BPXJ6F_S`0ZxFjM9W}_~ zKyYMmZt7hf&+FFj&E9YLUJ)T>Y>qi5+sF{tpurnE5v39$?u;Ra5S+M^Cosn`S*jYQ zvn704r;$VYAC1$q*!sH;&^V#0^*uMx=;*^AbOf}G3w=jx6%DYnHQbm|eS>ncgW*|y zl@#7h&eblS4Os@JFAeTeTG+K8aW+&}p52O&`IT-w=(OV(tM|CeSixd$_D-&p6b_^P 
zF+x`Q)Vt)?a}%2a@N(I^v>BakiTxEha{Nq?D`jM#^XjM!8NP?r`%f#{^j&hL4_3zf zK{U5r$-iiHgcOvuyDbXF&L}A!Io4o3Q9?)(s)NNxF@zZ~AzW>~COe?cOjc_?4Ed`j?XLg{McJF_$5Yz^^$0knRSF-^#-I+v2{xPh{6$;K@B` zC!kO4$d9vC6_J@85toHrG5Ge7Ep=2&Bb!7gNhjxaHVf{~GAC!9hp-*$GN-<(Spl;~iRK@OL!6pC7 ztg{j}#$P|*R0;&HFqcL$`L8tR9`|8WNmMAT4jtzBBRE3oJiQ`GO!9qCCb#k~0}6+- zJjKOmB@Q7TzdiXA9})g`aA2A8#Wz`6Tlgbm7HMw`G3pjeCdhlwhxyka@yXD%aYE^# ztOf_b<~^#_lr%uoN6VXcdC?N1b$zy(*M%;bcTixu|E$rrtK?pIh1b5_?6i$~+owZ3 z=TW4tljo8by{KsYlfyxgb^AAPrvNjg<;!kq@FSrz*}6poH-okgik5cn(%j-g7eUze zW-_4%D1rmpssjqQ(M3f2ORkRSQ-Ysh#qwvOY#XtlP6z81Tw5Ntqh7xLUuvsg~6`kz=LrW=_GE

N<%(0?j$_? z4^soQl!ySzhv|V`wvk*2f1{d7hMNEKDg=1mI<_7_PWe( zN@x|6uKhpLgF1}HF_KHyQ9b(5OGFTk0LrA1Ghv7}3(mBrc#BFJd0TLkMy>W;`Bp|z zQOQ#0ukXE%-LWV_29gWuWbMp10%cqF>$%mg8K?ebw(l6cyhQF=bd{Xlv?)f9?CzmQ zb^<(tHCWDTEqiKshCG>VVe4Gtt8Pb0g0UKdjxQAR1(IxvJ(C(D{nd*uk+HM49eA1 z&Xas4rvA1bd@XIN$u_qep+jELh29-5VH!pJ7A)oUMt0Ao3z=M8pV#~`m;weG+TS|Z z%1b*~<9u1bv?nBdFlnFAFM0QrsDL_1V3ndobIcFUdp@d5L-YuW&^0|BeNUH)7gTR7 z`D3geTVmv1lH=#_Pgfh79kJoXP6`ogYqkYx-xF-sO}olz1)2Y+7)`88inLH2pE+I8 zZj(51>I|w=9fp3R2nDku=#7FjZQ;q#=(VWALsq-_g!PJ^&VfEhsZNT zx6#(Fu9uWs0GqR;v)l3Rs!6nqw+r48%`S`Bk-tqCp6alEUwPeq6Nw*Zv5bWGV{%Gg z{Ig?8G!!}xF#t5(WLLqYNT9DSzkoohf~9(fsP$zmt{lO*&q;d^@Wyc9>;X!gU%5Uq zSppfHr6AHDZpXEOS|{%9rKS*$e^)6|YHRv(*{Pss!Oh;$?Ok0Hjd`gHmQ!tZ1arQX z=bj5`z)#s~rKVO(3;2JM!SKIHhQ((>t86VZ`;SAL8hI=4Yarf!dRve#T*rUR>uO(U zilg#gW7uJ@m!I?;yk`UPJnWLHBQ_e)O5d^IiDbJO>IAGm7P)#Y?BJQag?@Wrq_pKI z%XC2?emGSMVO~q6^$Lv+cwIQPxtAsxSlBi}Y_3-=#y3CbIqDRs-^VsCzWKNq?cuo) z3p%b zNfw#a+5ZagNKcZwp>q*$IxjB0?o|g9vDyQejb9?yuJxXRmxB$TF3it-g3%jyzzm6t z!L62KtUugP{3Q9?@cLhceVf){q)N%6Yof&JLX)y*#`tG$4=9O+%Q1(T>UPtPPm-SH zwg6RfZvo|B7;ujm`HPmXjB>V#c;F@&HOC!!4gi8K;i*a+fV=oi*PKt4h94JacXBh9 zz7(bgnL$1xUVs(PgGECdpOU5;buc18aMANln1`c@57qDTqe)4I`$JF8B7Y;WXF;EQ z3zjC|s9snL2B4C9K-d$Tb998EePo|pD$qqs?Z12~G=Xxn8q17hTVPy#s0RzmnRCVP zW@bSm4S@2<7MN-{A%LHHEc4NNe1dPj{-A!RM#-%hBHEz#&6HPh4FCH}v|dWtikYC0 zfCGn(t$S68cT?1*MWGD&jZ>a@B3)ugDRPc=|6Xt%E zxm?g-)8Ov!j{-|ic2mOJL{;!WHwhTF?Q!6&Gq)`f+{}b!V5(S|pM!~h8cU}5B%ZkS zpy$HC3nK;nZ&FzY{jst9U>vTl&1xw#WRj~ZvB?x%b#)G_riNDTVAs|itbd!VmFI;{ z*n?+a@|oH&3aa_3nE|a6mIlsW?IyCl2s18Re=`nJSc$~9rpTct5UaiV8x0^%W57M~ zxoKNrZ<9-C183*N?Ba8(6nvbh4AllyUbuoG8S9j|<$XAs%_L0emnZRbH3~Y#Mq}BP z4#>{UJ;YTla5}W$*)b)2{pp^*$W~DMJSik9no-pr@2{{5Q?h(I3ASy%k0;v>t%&Vh z48>t)h!!wx3~t;=o@4h77`+NvO=8Z^D#G|nZWEO?LLI@RSj)EhtKPrso2Hpqf(+IV zr{>@$vsnVj>Z-K^FPg9WJ#B#%XY)Sv0!EV}d3n(eV51vI3?2WkC4{3f5ZICaXIBOe zyyjW7tB*jL?L-6H4sgkhE*?)kqkid-pgfSvu9_$Fn0^k)+-3>{#e9ykoZN)s{2Gfc zg=1X!-8^2KOZPwWKJW7Ca0;qUC=6FO$z}ABi7Hi*gufESvXu@wRwQd>nqNY 
zL`?Ws@*KY&N^X(eqJt%2lpP87_oY2H2dJ;u`n-|Ryky^>={iw7mRgRN%92|p%&GPY zl;>EDDZHLxUWeRIVn%QrA3>hCqtgxT%wd-1v3m(>fc4$`g@mGLovr1s&IZ=B<{>P* z2J3c5Qj3n8I?uEJrQZNOe!{#(H5MX;;lXUqsGY$|_>@3H=ZZX^2^fYvlWcL_yBN`4 z_HLs5<6?jnpf0wqK_aO_&PJf{7|7=e8zf>i2GwAgc3F(j$W*vxe$ zv1*80R>L=}5{;q?o`Pzdq}Ax}`In+5xzMYqI{~J_-WK*>b#6!)QXAt4+wk=z+>*_D zjFug7W?{0H+ZZKKgFDQR-6gCgLXsl6(ixmW2G}snfWATIBN|M_`6Bv$3J}2+iiwxX zlr8e zvrlvfJaxtg1I*a4Ah`040bcYZ7F)u*4H&`Q^=zj!A+*CHj4ewtlkT?#ytU#O+Ax1$ z%^6_y?fPU~Lat{C4|#?1+pj;sIK#Jq1Q%n_6V1(3_P(7f%V~9_SxFum(YZ+kNy;+Y z-9fM0g)%K0Nd6$RMTfPn_7NMP_KJMOuYw)!kQx@V$Hrm>%4M9t^+Vvp9u-bS%V3NN z5bFfCFkjDzn49}0jIq1p6V=zbV3f6sb0tXCui|9#=ZPn89;>l{s-G9P;P839u*a9H z^(KZoW_;(OQZ^m#Ow3n)qE&|~d(z?6*_d2M`Z#C708Km91e2e%_b}imlk}$>FFvcd zn~uJGal=xDmC}`-tNh%G{cn9_J(J3sRS7|^9B7L}gh9+t_Wq6e7Tkxr0(jTRrMy?@ z&vxYX@O`8OuwCK(JvmbBl}L@-F$HlAP#k^2a@1`#LRh=`0ZM{V0@dH$$Nro?l2 z;*;2?o{JxJZb;(0H(|M655|jfyrSo%hu{n4SQ0_`#o-r~s3tFKE*wDecXX{wnbhRH z-#9Bxf0@UE)Y9L_<0Jh~@>=j|3< zTaB3~_H@in=WH2To(1Knq64-#9I@CL{9%>PoEu5?9?_ZIFw8>by=eF8Q{{1ioqvYO z{!$cxP@y34X^R0mW|H>C?NZRX1vQJvZ9!<%0FVGwp>Ng62_Vk~)!lD^cKQ*LM`?Q( z$beP@a6Q*okD2NO-*eEw)5NJwR*Z4Es&l0|oYKHvuKDZ8sAN`XDKAHQC9n7DEC-y} z!t)$GtCsWL2tn;rnH7h!`Q6V|!!%h8QIogh6uxeLe;dMS&{vf;zvP>6qP?R>cVc|m z_HDnx62eHww((khxvO^Ff_--)&!*_4V^|1wbzth&(xc0=0nlGq5it3fH z9eJO`I%F!~U>XtdY~tD{xaD5zk<9Z;ZyiC%vI9#H+R>SGtypK76R0I!8O*o<)lPL2 zLfrVebrBq8L-(v6_d~Srhf+>5ox{cZuCF?+!s?yMifG}4(CTR~Iugkr*LT-P1+gU_ zJc!I#jO0SJ^Q*_v7#(th@x5Io;JY z@uU)O3ijF2xlM{kO#2kPHsl+Z>>)v)*uv#Efk&&q#`^=qR|j*gzJE@6vR+($-KLxJ z1+56-sHwLp=lT0lvuM83hJoWB8DS)-j80OO=JV4nw;^q1pQXhS=uBZ@Y10Is-=tG@ zd*Ja#M4HzGfnd`w%eO_OGQTiLrG8?7J&}6jkLr4LBP^Up%D9sV`GZrFZ1{$+u=s7= z*@WUVE^0U&oUroSY8-XAwRF&yiGpmD_XwDYcQ6G>UAlZNIQ{%&8PTXFX^-vGn@6v| zRra9Gb*J~%LPft!8~8t4prCsplV=46q9<<09?hK7?BQa5Z9dx*obp*t`_*HN!&x=!kxo|=PA7DGP)aV{B}}t2QiEV4#}oos&c`2pyS*v z*HOj=ib_H7%9SD=3!cz4a;pT^OVAtlB#hJt84N0kW6c~_pTW&K3GS{m@A$yacGA!1 z;*}YbPTeY#|N6GxvySpvNEH7UGS1#Gaoxr(nm6J5I 
zQz!@H8H%T#@~KnR_(R6eUu2WcUpthvN*_!u_}EYsF7baJ{=gV)?nSuUl%H*QV*_(#PJ=P9w>&FM+LIZ7uqbg=t^QCb4?uTp2~ghinikkUeE&Ks|{w2$vH)_zW}0OEU1$Ix*uapWJ%6?Khm58?(mVPoDOYm6+0+ zoOyV7*r~kzYiV+5|5QKatN3M&)m6=f2oBjA9(;DcJkl<{Tq)>K#G3!L_tDJixBoxR z-ZCJ{cI_IbQ4kOmkX9N*5a|X15r)u_ZlnaHyGub@Y7l`ThmgFK;gTnEVCPHnQyd{oGpM&1yX&2`pwThXS=KY;2KZ5lfi{uOO^@wk0=LP6wQOT&5Y$cG=gPK(*t51we_+(H|9JeSc5iz3&NDcm@x1){j__ot&?{D; zHDg_aHbwa+$zm5&RGk)Y-)vUwMaBlZlSzAnCudtc140FA(2f+MFvK7I5156a=xaW+ zl54CFqOM+g1O?UFgHx}D5RAlNtb5lXZxMHo*;snSty11Rq#e5*EF^zUuVjEpPp;lwpJvqgizoV4Y;h6PF;wo*cNmp%gX zc0!3~%SSpkt+g{1IRTAOc`RHXaB4i1qhZQWU!z7amCjqd6J3o5M(Re-v_pbnmM$cY zsyE~vea8lGVBdKx7SaS=c1p4xFsNMEU{dOyIIDRg>H`7f3k!;25@i{E7A$n8sW*>{ zGAIPKS(*qF=|yu%tlGc~AkW(E@|_L>Mr?Y-2sm--Bd^^OhHE4*;@dT#02B z6C}%CL@52p=C_{hb5p+x7e|Zt2z&DbnaME4O+kv)>8pZsoCdG68`^HYJfr13&U`rw z7slJOepyOAukTM9cGd-tmlha2VD~s;`&oOnd#CmyLSw^g<48G8gJp@ms~cK^Bs?zt0>%L05$L-d zMIe0Cf`mHb&bw&*4puY7dIh>sYFiJgkG_qELD*0g7DZx zf-Kgt_5LlJ?Y;>8QpE)K(`za0$(IzNG)F=n=wBrPy%SE8Cv? zjve)eHuIvUE~nNWyXFLfIl68w1T{S9hNm0e7p2}t<$NPG87Sdv=jKz7d=azWSi_4q z)k`w-9+P$aX})tI47VyluQv(ik#Hmyb^R}l3;_G=4?oxmG*X^vFgHpH7z7D(VW2Q= z+h=0)t9}1`Z3I7Q78TdkPtp6QOQO&Y?MCU)CG|$Hq}CycXX#z^M_R|Dyy#DHbd?4D zA}I7~JN)Tb8+v(#RYt1AEO=2_SVI~!AE;|q96<=muKl>J|6Fu@*m(oqa4_4xox^G* z))d)IB9z44B=dAaKn{RPF-w ztuH{P)+U^^8-QDq+esoRsmn*M4d3D{>f4~qpMW1M2SKgq*#7%o4F+)Eas%BmaZWnoq(eX8N;tR>FaGC8Ii>suI-+->;u6bFKb4Z%wcK=5 z6Lf0@Z`s^qW;^ZNxBl+F-B~$tz;=o*d}0t(F*hYRPu=qZh6_2}VA>um-4?r7WVArT zPzsb!U4BnK@&AK6f(Og^NLLgy2=B4_1v>uG5UN?Jr=<|!yx;SEen)-Jy7Wcl;!m4s zcSUAW-aS`6J9PGyFHwSg($ma`WyZLugd*k>$$M-$XRFS8Y=G(VwpK<^Yr~=6<|?en zvYEmYyrP#mxowFVn^go()h_if)Dt`{jAwm()=&JX?Oa!vdfRM7 zuCSk`$t!F_TUrM_jYL6_?yz9d`xp=~Wc50aF2ajIKZxErM#>y@|Er?5pZFRYM0o;r z0)Lk^sYd^ZF*eYbVJWFS>;#6(avLwAn*eX-@KtT)#^xt`IaVmOWfNU?PF{Xz^>G^k zg!Sgvtox!J6kqQh!x>aEgTrNxpl?LZJR0)7d>q5p9~CV|1Z2@p1A5D8#a!Ph8yKc~ z>#XfpJoeYx)QIYx)AX)IgJ?d|NO<>0o;Yqm%+U;n&_l@vT1a`K1tituH^syTQ@b&p z5_>0`iJ5KlFdtPH0djCMCd{uQ<)${~1DXE77e2di#8`wvotX6W-fe)EvrPNb{klK3 
zt#F?FTgZq&Wc><^0_dF;KfH25OoKPZ)jJLkvTI`6?$arq63_Y}_Oz@_!_Xj3M+pT( zzW^!+_vig&Dxki}u7&caBN17$1T&rI2Hl=9I1tOA+a?rn$26u%eP6^LJ_`76O=oKy zIZZ?Y^Bp4O8TGZ`;zJ?uhY}v*-yrS3$6Ep65e%1gdir%ekFPUqgN#b5j)O>~ ziXYXNMH7DI__;9(CO^!GR0|>J4H`n9=8Zo$LTk^sUR!{6*1(b_CgQIFByNEZI~yiP zl?}d5543*83LGv=>3{)+thBMn@~jOZtV^NTpATN;2?r}5&ogmxJ>QwuJqw5{?{&?c z3~>}Ff8eYElvyg;`Z=|3aW%YuZl_%YRt`rYxG|3&{`2?@stdMP|KXAy%J$>l$9+3~ zaoXf;gwH0g#_3Od+q?}nMYT4!-=eFLHk?_2Z@3%yC1$zihFYw~Ctn}$; zA2%*FP;?OJ<5X9ymm4xp3S?C*v4?Cz$De0C1_<=c_IdhW+sa0*Zu>|_pGC2b zY#TuDk0UDgEGyZObvV(s=iyPH+9$os`_Y14h1)1)<@rkBIg8`lp5<0#gGrDo=i9`4 zy(^iWmUKfkmJyr0yX@sE)Ugt$iqp&T*&!AxRaHlX;yKTj*C~J`FrLzg^MRH=OD0u< zmFh3X&%aQ|K18LqJJhT;Z~vUjy1d4`@}UMVLRiAvbv^PE?yGGVV?XEJPu29WjbR0~ zHVPh>a~e~ghWx$D8YePp7ta!GhpM?w`)wcS=DoY_o26=)u(XG5Y^4(V?IrlQuh{=U zUX9%`izc9@eUzSOi9psJJhQ)@1#AI}QVCB&UR1qbVfh%P4<K&IBc()SigS@vvyxVg8gJ%By!~R*}2`B;!E_3q0aIQr$ z)zZ__6^1NXwritiD5O_GK4+ceouBR+7IrKM>SwsuDB0T}jo(Y4nH9E*346W4l=sjp%L6u{0hC5b7nv43zn3e@ibGB? z9o${A*pZK4kW|~SUq%c_(daB%DN7vsjnw4l0f?8+SC!Wt!8^r49l*)+Q>~@@*6iCG zYN*UOO{!Lf^i8EP6jAk~ZHw0wp`XI}JwRCgw{rjA5`TL=^Yj~#!OFK=LLFg7Sqa_V zJyA0Q=`W}y2t?LuqZ-(FdfxOi|KS4Q@4H5TvD{BJP0a~RnA`xzT2=ZlDZl3d{Z~<6 z#2W{P8z0Gl_6ch*!0ItT>%cenK7QI#!qVu-VmWrBqL$W|p;M^n-RYmX-M`IXOh`uN zv&$pI7J%3@)&=mS23Dh#Sn4(bCEemq1_qe1 zn2*K5{-nA3-P@25pu!)^_oXlfY3{XDb=f zeQ1XIC;GR;<4Vdwy#;#D;p@nQ=?4Y|NQ(|(P!MKYH(Oj4PSDPLr)Y4NShQSx^d1jJ zPYzd&yT)eLZe&S|ysXHX-G5RQ62B8Du1XHsPeG*kI5cGsZ8IEhiKOjY3L1MrSWVOtTEx1eiOGKIcqaWnj&x=q#+783}D%M6V7=rnKqiKkN7 z3jJL~>T;S9%hrX+mf}yP8Hb^s>uO2cR-?S8fyn)So<0y%nCiOQnc5?&a=021;5w3O zaG6Brel6zX5fI-zQ=h-481<&X8))Q@AN}5C=-)LkC(%@2-U>1P$>ywtWp^=Jvvgomu^?@k;Y25%~|Da>m5Kg3D*hm}c7f0u5wP6UFJ{Hz zNJ^bsDS9(Wrl+xEmr7FR?zYEIdF}^pWE6UeuCNt_2D7Vu(DoBZg83p*8u@xDsB324 zTJrwI0{MFx|CE0Ct+=Lx203dqmFZ_Rm2n;>IY#4lzU&S1P5l9Jg*~GKwO6jM#`J_C zvX?^KV@|#d(QB&p8^0J-u{1Oc+MuXea9t;hT{gW?oJha@^n5eh?JztoZLq>Z!t(sbQe+cOk@ z?=V^zLd}NgAv)bQ?x12aNLxMaycV4-o@3y1aj&IH7($ssbKC%WdU%yi?8MI?^JSIh 
z?P#Anoa+w10~53hDX=!%hu8|fFDplRuyD@C4jKCGqo!p8C*xEHzhv92%TB>eqfjy_b*s^#*+5LHLD zw6I@9g7E9N@OmoTVGpYM<_DY2mJWPk@eDldFy!Kq%K#X&MO%?zfiOh5&Lm}cAK{TqsYIvB*fpnPGhNm*2{V zhs&a`{TT>ieylY|VRe?Ziw|AkOHJ8w6`y6|8)#fl3Qu^O`HdshKzH3!KJ1(bxbVMB z>@1C0Y|u)oh;aWA)1;EUSKEjN5ey!S5BPJ$x;cr3@<84iL8Ou!fg@)8lp_9*(27Vu z$9OBr<~l6+*|U)gZ{JMkEA_qi*<)wo4&*$y@~l>FR)11VH%)czgJdVWduE1aUaahC z?y|8+@cTu-*}9ASNcXtQZ2NQL78-=aLG?N#aIl?E;`AoCg>jZqjbZ9<-5?puRNxth7mY3;p}7({p+ zURfnu3}?f_;fWuLtsA% zRZ@E32?nJ@-reeIeEPTDemdB}${{UI(v~$QgB8{+Yrd>MQs+DmuHb018PUrr` zk(U(W-|?~2Pdh97N}M#BxD=GFI&-C8Y4Yf$1?yifpWJd>ThIIbzL;EQ;P(|&A>oJ+Aif-u~`Q8s^^?A7&DkkDI8 z@fNiMWmjOx+k%0;zM?DFGs6HzO${j|fQ1(Zlwu0@TaWh>Yq(6Dg%*j*W-d`YcutEB z%u)u`rg>|f9!Qe~2t&#@6X+&pFytJ3EtNqmDn9O#vDvw&xkEVXwWvJTd_UskVn+D^ z8f3#wCRZF8>X3d{Pw`?Gf%RF;Wc_jFAN4Es*Me0sDpz4`qqlr{cDdogi{5Y-!KVVY ziV4@$KYEgWG?_{AO|g>XkO-v0Z;W%Uv}#V@wADGfeYDg8S?Zrfzxxd#)Ohf_Og_s55WbtmQO9sNp$bHlZ`e?w$9_+j)Fb z#)edZW6igJOj@nxeAlMhQm3rj@A{fr+U^ufV@oWVJNc1-7+De0kgX-`e+5X4l&@E% zhmTiR=NhNVZKI7)o{dH?IP60NJuyK=$uS*<<;O6BNr^2I5OydGfox}RK@@-3UvNQ$ zpYQ)uXf;hr!g*|<;(3;CFzxv2!;D*m@`9*?Yktzi&VdY7;~X&_G&vt=AYN|@h}8Tc zS00=_gOY&`p}nXPcH0^$q7oc=Q(!StX80uB-Y1Wx4%c}tH9~|(ldmwtLJQ;(1r|#E zYZsw{Y&^9#eB^qGi(wcg)vc)*5dWeBMSv)NcET3~^3mKgj*t?$FdRec?DXO}{-v@Mt~Sk}Z;%vn39&%Kq! z_-=CzhEEX^E`kHlccp%R{oVH?Ej&@^T1| zp|O8O5nBH}W-pk$mT$;tP9ZT<^*4+sy&dud5TemT6Ru?CE<97b*L z)_?YNftj+{v*Z`bSX54;D+U(CE0L3QNuKK_q`EDTN&}?2n@z>q^R8e7+&6YXh@{p! 
zXJ|V%c}|cfxw_VAp>xD^!)*LY*q0&iiq$m?v;{+4<_Kh6gOnmkTb9ueQiJ~3$wRRe z*+n6hwAD@uVCB&GM+5ptJ`YV?o$R)X4Si3@a0v22Xhe%QE>^Qswo3Fgvp;D~!kXKk z2yk!6>#?xg(#WNFh$G@9C}6?Q1`Pj*U)Fj;o)ajybE||_Xs7%N@N-M+Tu0p7-qe~$ zVjLySA396Ff&p3yEhjl+(N|^@j1VL!_e-un>m!>ciw2S1I8>NGs`ijQ^hmkI87JMU z%78mPj;_HFFisl(p^?j^{!zL&IxRvsu<{F%$y04An=^Dc3+b~umr(aovUq2ERxm*j zF1;WWf$=i6pdm5bk&EL=XPkAq&eg*6(r?u2d<(Qa>4T?n1I0%X&CkleQLi|(Sr?y0 zG}rbB;V1b7R8mU}#95Ob2s>UZ-QZ?-BRk{>`&A-Wy*l+m)0a(~GgAos8^lGn5=NUv z!Eu1fw7b?*lnzH(?}x8`(Bn{V5a{K5h2;t;czOz77v_x^9?}G)+Rk-mQ+NoNR|wq9qoH17 zNZnS|ei1lsi7z#xr*M3k054$bY77uqs1trmEjLiMWBe(ZOEmiH#U=P&-$v+8BvlV3 z__PhRpo+>jIwMS7yULtk7`B>LNFExlK>6@>Zt18FNE!!xHxLmy4#VCZP&> zfl+ou>?;>d5yqknhUoI3j=BmgLOFewcbZYd9{`xzk`e0{Pt1J$hP^0b#Mc1Or(l$h z>a@?sANqH*A%vgQ1?q)XCt(}(y&=4`fIWLL5hWNB<5f+7=(HecEU6*r^vf-9zacT; z7cbqzHgqtCuGng|;x+HU&7PPya!(+~ykaFH?8<8#{l0TEEB6C;p}grWCIy)VzbbVZ zID-3uYYO+n%c9$Iy%;7$U|yRQ=WdCYme~lsSx%qN32Kv2+54DW_n&QD*U^_PL~q7$ zDZ+ydE2+T|F-r+yzzOi3^sVqNb2-Zzl3p=ss;R&*g{FR;MGf<*f|1{e1;iu8z)OS#1o*`F-*R~B21f74j%J;uY;Z8;m`EAtZFq4Z^_ zn@fJDjKnET{-oW1yW?;uxaVfk#a?G3WY^YQcg#j#f0fR@+L&UC9Im@$9`5nxUhrKL z-H7U1DqoC*!gD6GUBAU_*nOSiAj>F5ew)0^~qb6k_4IJ)1MoPHU`0*=z5pds~-X#113i^w#y6{B-9t`*~EXE zwtt03{v(>$`;NtQq6WC!E&2_f&oaa^VK?=UFSnNt9z_Ei8TLYjCNMJ7>|x7+m|gU3 zue>G_bU1|eN$S5SU82rj8^xDkMRZ-j{%>QuHTy80~mb?Tq-mUOlJvw=y7 z)B{*v{YE&1ilp&Mgt?(r(i9Ziw-mfEpBPd(4s zvFtO0p9U=N!eteK`eb|h-{#=z#wcCvfa^Q@KrYHm?5#;skLBEF0X#A5@YRZ9T1ywD zze7YETrF!hu?F6S%*suhC}7-`I%>G0(f6w=*U^rP;i?Anv1~x>3hO_7?s{o@+MHfAS7*vKGjfv+FI)^s%jlz`;LQT_z^dcmiS9qp zb?p_sG#LP;SpC~blns!D9xt-c1Bn0*MHWu`Y^yA&uRjQo9da=uqJ>sOe$rY~Oq(`P z%n6lZY_n$$E|s&at^Ok)lvLNM4t+TD0%HF8QrsHT{>t&_?HK40OD3?$rKS*z4^iQ= z?pU;L@a)i%KCFDL9@fG!-TqVYP=!Dgmq*qIiID?5vG>FfWpYdVs9BVp^lrt(olufrF!&Bf9Szdxfua|6LhNEzsTjwwI0dE>KraedHHv0 zHo~>u0Z-&+8Rd+>U&BNk$kB~S~c!-t)y4g?u;T!V+UWAaq0%s>$mNP?Xy>l zi9goshJtVVHln0E&tP`nd-HwiGcI~mID;=kzL@UcW_3vSqW_ls?R}e8Nsj~$xYhuD zRqL~tU=wtGsocTVa;h7>_|=!lgeT4WfIHl2VMZ}sQWM^mo4a4%nwn`U=0G7x62iWc 
zYVkz1TGUi*{X$V|_u7Zy`lDBUcINnkxES)!J@0I5eEc7ve)^<^#Z4YCCC+B}BXMB) zpy6w$v;vHAsqTQ0yj6R#FNpaPjTyYHhr%ZgHy;jpA6cnJk01m7cW-X{C)uqJt80%? z*y{Fo4&o6G{B>o4<`Y3P`c0=I9;UF8h8}H{SjFut&rW-|Hx@=f6Q6FUQ^@T(+^t~_Qza4 zJV?^$kaB60OWqzHf6(JfqHv$Y;JbzQ-j;^B`s3MQr^|8wmXs+lDmu7Cn@D2) zymxA>paeTKwX*n6E$Oc$sFBfqwTnpPtt7Kc-%c$Tgry7Vmit%JpaZ~+ zG9{VjngfRSaV#7AOP;NUQxiQFG6NRJ3!Ja67B~&^xZn{W2?CRrl?T2Ic#&+1U%*Nr z`A;P-`rq0ed=dPICMOj@Z2UzlT8!y;6exfqvO;j#@;$exdmCO4nhnXg`Y5m10M-LM zQ#bIGz3^~LLr(hpil@LtwuCxT+2c)46Slg#wC#R5 zpuRi#eROB8R-vQw!OWFAwjaVD%XIV0cRo3~&1Z`_n(8o2dM9qio>r>yw{UpV!sWGe=ZYW(g0I>lP49Pif!T ztyQNjR5pY-F3S4(J85l(XA&o;x?XhnE&a$VY`$lj)_m{C73TLP%F3HTBnjLvng4pf z0I3_q#Z@i{$Zp8yt#l^r+9K+n`@3tORU6JsxeHD{y(+7D2}guWUWauLQlJn&Raxl* zs>=9omsYf?jaqpJ-JT;& zw_27^=QenA?7qhQVy!D`YkTJO!j7$a>FMi}o!Dom7l)3Nf>_A-^;tg%th6%Ed>KSP z=*9PySR}~z%ObIEH|i3GWCBR*9Q}|}GE*HjO$jp6L3f-w9u4m5KjnL2VcY5pq^*hXIkp8bF z0kTO1dBSX_jq;2v?v+cm+^1w%eJ!u2Nltaa{b~YXk^`=%gMwFM>3GR?z%o3oCMHIP zO^8mmSL@_*^%Lk?PJ+KEkxzUC`d)(4b0T%qL5+JFy+7G6ks6RFQR_#0TP>=TpWkWax*wVtjUv+g}}CR zPe(b*_sL)QF$Sr#yHvJFuE9Rw$W>Zy?m@W-S!=Gqvp!()r%AADs3cZ~ ze*xvYAz>QfA1=T*cZWavz<+7_{a15=a|@57axnv7cjuFJZu6=S!51nO>Tg=AeaC_j z;VI=s{QXJ-67_EX*Q~6+8w0Z<l;{|1saEUTm? 
z8>>&vz(y-z!p!fb29$0}O)dhA?7OQL`0x=L53-ScMSAV^|@o(R~K<=4CEDl`p zFD0f5DsNBJ8~hP+)xS}fU(Wvjag#8WmeG)NRTok}Iquq7az+7c!xfvLfGp1U7%*=xuZ_5+Fi;4n;N*PR<1@p7M?7<)?VL+(UdJ&6k^#N!5U$^=K-JaLjR?Qv& zCp1=0tY7YDr)z)w-S)!JM;zTzRtWSX4jML54={S~UzB1sRv$DR)+Z;UoCx`Nqqz*& zCbsP16}k)pY%#)%t(=&Vu?lM0@x6y9^`9kcS7#H2El_{bNZj%vrEHCFd1kT^0*KF^q!v8D=`~Bm)<;VF zR<%_us1K3##uLCaXh@}w-ue)FOGyM(#I66T0$cbJyh!nCj`pY92BzENw@;-HbzR$s zPF6X>o9fR8pzZt5s_b<=t~cY;biB}yhZy)XT;E9cBv!z)$MegIZ$L!`0q5L z8sAZ&LBFg2k#Sa8-4bZnL#1$Yf4M{_AfZ2qzN}hK|G*d)1ViqC@?t+-&f0^5q4p?Z zWLM1F?S__@1#YOovAn~|s4t>ELhKBKqss*~E7_AA;=05x1#V?9n4+m|+l{pRD)^%A zfInS%-v@W#O7I5-20KdJB@NZ2{8a`GzUNkFidRN-Ug&+jaEA24LQ0*I~MeOYv}2gmwKTmMPqW#N_Hb z?na>O@ywE^^ZNJ7xgYCHF3Dka^Rxs`Z9?S-AsoA{*fhJM6K)CloIhepcRQoQTOIjy zO0VCTav$+L>FcF&)t3}=9*uO$&Z^anv2KgNHXNC9`exg3hUs>=7GLZyn*6hIYGt&T z&P(W$r1p5r{loqji0;|M)+LoyookvY`dIbQu$I9|lZ@L^u1AMENv&yTv_G&)L{@*` z5gcUo2Sr8;#M9- zw?EK$uzWX(c)1KXk#9}8lz;#FM$~<=ZHvNUrwCVG_@J2Sg>}tp)&upAPF-zH_%>eW zjEN5y+nLl_AglWMzbC+hytRr+f^)f$R%4%cF=vYlN`0lK1lI1LU`D!3Ls5nTj^K3-#IXR6>dpDAr-CJAJh%%nUro_KSm`~S&zW+tb#{MhS7QY31 z>#X44FV0hYEs9*rClhwyCDg-^A^g}X*yP5guFg_Qh2XYo-F>RoD$!|gEXzs|Z`ujny_ULh@$eJ+6viM#@V-#N9?dc~-6mx9(>6fVW>KW{v z^n(WNB|bFur2TD`R$G&@$B~fpp7!)I|Fck(oYbmA`KXs^@^Eghx7#Kci5T(+9Lp}Z zFn#a7O50foat9UV$dW6?pCLn!XG(CZ@l-G?!2H$(Af zF^Ar{ao6^1b!qusg~kNew`xh2K@4wDv4hH|T2o(El0GE*gRT}NGLyClOq@<9ufM+* zGrr90GaFFxohPe@v`>i?%%OZG#a6Ep2e->r#1)92DaKjZWn`VE- zUrRJFqAIXb8-#OGyui;9(_h8AM66ztQyFEMw|ZS?0Qpsk21pcS>nVx4+|i6v@34In zwAU^ABY-ofMXcQ{A4u1g{5on_He^0r_F;^7)AH@YzOy{VImn>vX0c(tDTP`_Wv%1C zJ)d!{_*Q&>xg@JOe0z1Bznj#ztcbg~F$zHyCtljgnM%6P9;9YA;7f{pVgZVFHSKs(K_%eq9U zq#xv-0df5XDn%qBA3R3Vx(x>4qj~w3e~sRF@gW84{nAAa*w-*^+Jp}k#69VHd!wF& zr$pA+r;QNfG>R8V%}SvXtG=KV!G%vJmC!DUEb@2Dl6=sK3Igw(w38-uA+1(yKQkV@ zbRymZKbNJ!j*=s>1g~&3J7)U=r>F^VOnS-H|G5${xD5{e6hR{m>PCiJ#Fl_&C1Lil zu2$a+vRR@_-bIn zIwn>DRez{vviz^v=pBC$ELY+5IKFjni99UPi<}He7-MQU9uH-O*d@xO2$rK)mtlFj 
z#1-VB?7$cJ9oAT#A{wC^)!fSdKtzyw!;J10z)TF)3Y=wY@mXqMg9>_%YzWl7ulDda!1zy|&FJ^Q+>n`WXez<`=cFw4^7%A9flDoI- zb(3-C?k7SV->9stkCDL$-CkXijEsGNkY|mFZi*m7LpEgp9!#1)P3nS~Da% ziSkln)m*`7DrLK$Fm`VEGzf<8e|kb3DGM5l_=4>0d&pu93-E)hoe*^p>k8{Ha7nmF z)Md+3dpgo~B*gB1BPN6rFpZ~<Zol0-wYV}FnB)SH^(V=weN6oR+v+1kxnTG%P><26#I_00TO z(kB)&SLRSLTwx4_<1sV^aMsA5_Z0x2pw_9E1=s5y)YKzii@@JBKj&*6Yq2f<{;_5ah$EnT!iS3nnjZc%}%P~I*w{e{Jz)O!*HqhH+=j+A>W5(^Q zv@+pXjcu+keT2}l{G8WZ{csrZrTiijqqB|BpYYFm!{>v7anhnVR&w55r+*;8&Q?_9 zdVb|DGEgc~$|W?!rNTAERp`B8y}GJasOzb+pWEQ6QYh6Pog<-2i%Bc95P<*XLr&?l znr@9d{gtFx!U9BbR~6|T&kmbvLO2%-kI7Y%y`Q^xxh`1J;T$$xSvBfZY8!fZZEjnC z33Uy550CT>qN8qoyUE^^#;4c9A?6i9R><~sOGoITVaJ_h?M*?)w=y2)3@HW*1eWOx zVKouwhH_t7>Pi9*I>etWrI_nTeEh(6ognB9iSpc{5jtaMD)xA+&}wi<>YSIth#Sf) zT774dl>C5j#L$z=V{}wklAt{V4Alrj>ZX1Py|x!w@F8i>Y2WQIPdw1 zLf$*cJ&Bcfcq~S~g>c9}gx#7x*Y^%}bwk0zqYBCVuC>t25Q1kngjlEHv^}|LC@}Lb zh-+s*)7p0Aftumj{Scc4OYg54k&-s2u_Gz1Ng|$|M9u767|$9632BuUj^IAUpZZ#V zbn&jk-`#2-$|mQYKMr>t$C(zTTYkjW|>4ulu==oAvei*W5d(*tCsC?Y;nMp$9uE744Cm@t$FO zuJr0&zBEH)_rkQt+>Zj9h5YHL-NstJ$HG6f8seeCPRBx(SHVpL7i0u@E;yv+4LAI0 z>M0E2o`i9i73l`nUJ|02p_G1=q$d>y2EAMheOK+zN2?r5?mIwIMJezr}+BQz}!gAO6Y*{r)QDUFppbTyTY@*IVEj@V@$q#3iSG3HHuRF5v*Del(sR9oAGy#eqe0#($ znJ$l$9b2yU_q%6Ty+mwf1H)JPH`!}XCe=f^X`eV2Z`6HzGPZ7gL6;d$?q}sZy-o*F z73f!pL`+=XcFRdlyr-s%`=FKXi*hSJZ=>l8)=|}6I#?R!;~!VjPvx0y z7r9>*Wokd%PTH9W-Hr4#BA6Oc9O+HToY@H$GI&|CsCvvevL&Sx;Oqv)wwo-|CW|H4 z3+@;pkZ6j^N=@d!OWN2w-l9UW8#~xery7v=Dex%~3T<(Wk)bFn}@CyWuRwlMb-BGlPjgp2bm+67;!)|=aGyA{nqtYvsixCQislu z=9rN?=v7Ei{ix$8S@NWI(c^d_c|q=FxG148FnvSF{Pwkn8c-D0JY_#0oj@2l;!NysYvQFGduie`+ReHhuSLjUhR7tvtAGk}KN#zOrKAG?V?;k+Mm) zxq?@1&@aACcy`2SiHTC5YCilrb1Xvk7Sfi=#m53K!5wp}Lg1E}u8zj74tqsLt@BOHBlJr|i+_}8#$c}Xgz}3BW{orvfuScJ zLxWDz?97cEiR>%%yqwHv@(16ru%a0_6DL`XO|2X;HE`(VVpwa-WlI?xT&3>3Ynb2(mX!t=}Kh zSr6CPgzWHMTBE}nDz8bl$jfLB9oWe#|x_qoOVlo;b10NW~n`tE|cF4 ziNi_S{bIzTS#~SkgEkWJ;#R>%OcYcu=gS3qG#jy(DEc?OIx3Y`;~Q6n&!@389;a>V z1miqo@4EIC6_pY4GKEWnsJT5Ky4MzkUNW~@J&oJ=xRlFo&!_ffikD*#Qvv}xQ>f&N 
zy7eEouXJ}WX*VY7ZV}v|H2X9#ad7BX%V~k837?@R5aYx*GgB#EP4J!@I3{_y^MS0T z&N?E3&+gX7<$2-A!hkpXmsw7SyOsgPOl|M?O=5A~tvlYHQbo7H#GSsVnxd97U$0$0 zdp1zE73nqij-EL4<$HYXe&cp%$Bo-ZFH3Hdq-ETEnqlmc#pLvX0Ph&viSj{tdh)zN zXWG`l(>5Xpwrt+L`yJ{nq;!qf_)&bHMo05E9(?%NXvC5U>}DQm7|Fh!tAK$YsF=XJ z%7JM4@jd#qkt5L2C=-=*c>gtX8a=^8>84B^t>xqvmDbK#sIAM(pOk~2bV#kg!+l7W zE1NqAu6zRnLM75o@{3>QEccEkxE)AIcu|{#c~e5Jtl_(3_aVcnQ%h75ZkZ8eMjlTx zRtiMXi>;Od?{K?S?~=s|oKNoC^w24t#nN!ur=~jJl1{s{ie8- zgp3z+cx(Y)AD|no-Y3o5z&jNk+Fr&KlN8`NZREjd@~C7}B}-IzghNP|OJU&E^~fFL zd$Rs4j=A^_^{!yGD2acq7A=X*HMBH*kx?SyF@<;U*ceuz!d`PRBGu|NbhB(2pwi3} zGt#0Htn4UIlS{!DrPfUrAko=&Lpdbp{<1#MnzlYgFdG7FXiD3U2Q*$?{E?0$Vyh2=VaaESG6a4j;6aeip|$ytYY zg#+i&=CrRUy3E|y-Pa3b?Hl9uWEWeXv83Qu8+`-Wf$UMGm&qNW6oa^R*x}r3#cOn5 zj#|KudHkgOX+H<4-;??(FBJ4Mr<$E#ru0c1mib3snT!JQs6_?`3oFf%7$To*I`XhL z`Y-Qc-@QBEyPv5&mQhwVI7~x9Yo^IuqP!Gvk6BxQE~6tRCMI*W`BE~zW(_T+fw8Yd zD`H?zTLhIG_ayYPT2k)VRg7=@94qJDB{>g zFY<<&qdGp~rW8gj%;uEzD7eVtJoN6C3WXP6<5?f%Ig+gtu%HYGO#+W2 ziW63GS-x`YLws0ZurrDvdn6bc9k%Q5o_cIZC*nl1h#7lJT}N%05RLwz_M>>IVEsye z*2l~#=yNd)I$78yNjU3s(5^W>@tE((wXrMdBeGpdJ-Q$Hpv*J}+PN<74oj3Aor_OL|i>yqyFKA~zFn$Kl07e%9ZNO+^Uf}M17 zf>g)P*GX|@k%m)q7Y$}IYA9kF@3bCHfG{xL_jPIEEeaD8p(OmTGU5MF_MYKzeqY-# zf`|msB6=MyqXtnUVbnnoC8H)Xdh|}zL?@VGgy@W3V)PynW%Mq3^iK3BiTCm=|NFV$ zaMnm^h-CNg)-_2~~FrA+iHJ-};9d^#=Cn^Tr1?_YdRFW;eA z+BPw*>*$+`uLxyIllHr_6ngYc-&X%ubfnh9dy9ncD#Q7|J&cUR=IM_+o;h3=_Ku3| zxc>N29LC{w&Rm_PsuO}mgxywtOAFLNF&nnO^hqYES&Z5ujoGP(@8pP7bmP#W@On_#l&Yj13^7dUauUaggt|W)r<{ z(f&>^b(#wsp2Z>byp?PnYDz)pw?M@x3SJWl$y?_CcNPHu<9g&Vz(205C`h;_qEfxx z=lxySuv?Q*05i^gYX&jq6G%*obExpfs6RVH=)n(Q8^) zkNOF(HEN<#Qe$^s1wxpcDIlPYNdH(uYWY*R1g$CZl1>qJmsSnHoT>hE*X8QK_ zn#Q3A2bG-7?BqTDiqg*KmFbNMG!|=Xi6aW(DHXSgMMf)oexWl^ac~o@C)|TC!qt-VExRare_)UIX9AB80ypCeSl*${Zg*PN<8Zz|JBY(! 
zdy_r$i7^P>EauJRb8-c9gGCOG$W^3aAe?^Ym$DiH$Qtgf8!KXes$Y*2T$!w?wAiHx z>bp}X#9JL5*DZc!_Z{I)Bvfy8P-iSn7Y_&m0ps1gRau8kJH`oRLVx^%v)szgs6}M+ z$apZ2_XW%PEoE>PnD@OercGF%u=n@~5M2inM-#FE#v#MYh(@gnOOa#XAxkAazwzkb zl!T^frBXJL7d^rmq;-VshOH-Q3HoG|i?II?1S(#*+rP0E18(P`Pb=LzO1mI+`%-}S z!{6t1;+Lm6BjNac>7w^6ou4hXa&cxU@(pZlAZje`;}?$bc>o2wY~X7hrQ^|{-#dJ} z-y4R#bW%9kmR`fB{2ygVZ*=wxbzl8br-ey2`q%7D-i$Pn`yJBf=zE$bo`j5kWO6?| zH0|d$jPBQ(t>6VSmGx#=OW$!L+05}E($ji)i3u~>lvmy;@NuT;hT^Ne4}2eG{O%Hd zNDJ0Yzwg*~`F19wLCAC4$jB4cNvuDgX9xZ%wcDQlT&5)Qs$|#Gy$bkhM4CSRNjXfL;zz zDEM<{K|Vx#f)w6{HGX`r5DzBcFE?DS3jMkc8SM8wRY;=M?~|0-$_Tt7V70Nqd0i6q zB0Oo%z=Zb3g|TGk*t} zX_--y#pKaO)NA7k>>>b?Y9+C zVZT25gyiRow#vWMCiK?mRQA-4j^Jy%O$}qqQh@gvSy)oA4?|VBxrfaWqAs*A>(;4S z9H*Eb8wHR%Qsb$ijK++sqt)>-%RND-ZBH3P87lDy+#MjmTaA0j$g>6#`M;WmK2tLA zt`Aj9PK=tFqyEgX=cLuV;=St2(K67DGnKxUz8uH~JuA3hj2llegZcS@`y<@i`iZ-X z>{F8DK+;s$N`tFTNXXYG(YfzeW2^!`Dy6Sw70M*SVy^O5AGR50tSwvW*RV>9^}pK^C6z+dxOO$tfX7+B>|4^pVR;T63E* z@rpdV!<3Az&E78Uja`RmkY_7}AU?CjiY!TkB^KHNCI`u@oFpw`qd9${(9K>M=qg6+ zp&W!Bj2)rmxphyJm_r;;JDNVIppE*ThVAJnlepC1xC{rJKHMHwVglwAK)LB8s-*-p z&hGXjts?U{5OsJKgdG}R5T;$T*kdOd0o~|@9S*{tZ92}gmaHz6G|L+`?fqmWb0gWG z@%UJT#dU=)hGE)X^=Sx_Me;Ep@FIzt&y@NP)0>TB1RlSLYHl+Tq>z5!fAfBq_wp#S z z3R5F@B4>qCo3~~61zYesy37x&^fYtxUgXe#B=uVpg=Ziiu-fp~VbFGFTn!Dj@tbO> zZ;sAI@c`Q#uJ+{g{EnZ&M_cz6+9ewnS;?9o_2dVqRYr$%6mn<9+AqGH#pfQcdEKKs z_iFWRGrpO}yc*v}>*7g@p2ne@l5<7xY>VIySJw9+(5X9jhyW%xsA>eeel!C%QeWNq z!<%kaI=&X4>#ecIB10TS{jqCcH%4PtTEm9l%ao5=>XI~ONEK1VYdkW0v-0rVlWM(Z zJ)3l%Dmv_eqYD-=WK_~AC(rFs_0vF0SptNZDebjz8HSk_-+h@S5F+ybA`Dh=YZ{#7 zJNwvGO*r=LZL+cWu5=$|E!f$QwCvTY*UqQN-3*fvgas-oU5{|&B!{|e=V2gu6bJPFX)w!)sxVHjtz|BaPm0rRNB@>_9316NKhK}^SFY0 z!>&$=AgE86NF)|PqzYcb$A>VU=lS-hJMKFOD-!azSEN zvf$ww%IJ62<*d-oIHLh3wm70tY!F_>*xBsO)n-zo{Cm8Qs#(`mzGzl|=IwI<$x|#oS4c-mDtneeKiyBvz@pF-5_D&}b%3R@QCtzDerQ{aruTJ9HxU=DE~I zS9TwWUx{tnX)0G6IEgh^ui^D=op%k>C+B*RI*0#Y8y@xA&^Gu=`>$!DdEHRs+8orE z8Ln0z<2@JH*?jKai+S)$!&Rdi-e0mXl?O;Cz#w}l-Vqx(zdKUC<*61!Ug#JT 
z69e^>faYKL!VG`LBz7z;EVwudujTJwMfE2C+BP0os6<{>laeG?w?<_)eRgUiHk#Sz zypvSl73;fzZHTK{@tL=zN}9TyC2TzG#$Sdr%N4onXT468Dt8WFd)alI-W<(YGQAYO zHm~@Ov*eoYKT7wVDJ!+0G1|Q7<)yd3oA39hp@Xi!WVdMLmih?yYt#X7_|9R*T7lO& zzTnPq9_njQ*8Ho{W@4;Q`8bJO8O4o(=qF6Gk)4Faf+Bc-I}B{Z)c4QNsEcuG40Z~n zXsi=dvr=3umduX7w_q~K@PSQs#3_*$2BHOu;9ppim-NehjT@|CEc%I(Q=(SDc{zcm z>6GtAG0SNUx$@9w|22!o!vk??@i(N-&)~1mpL=8*?r}Nw@tyu?(&u8k7<_!>XCe7v zcRt#~gem4`XrEYrOtNSt&F;Dsafv{4H`l~k67BathmSm8AH2RVyt7A$Jzr@!zVCKb z_3`sdzGPEJ+Bt7`qRnyJ09hH~VQwXhnMn^0zcc%HWk%6cmJ7$&n1zAgomqZMdWybj zJq?}tK|ZFXE@f})E{M+aypuz=3~iKorq6xf}Z(%)Je z^RPxw4W$<)Bl(Au_&~V09@V}+sJ z@cGTmfkBvfnTqY3$y!`nS%dc%>1iLbZ@OPBpIF*;AiOAr9J|?Grz3Themoq0m0*0j zZ^kfJbK}w67_&>r@z?b850I@$DLSoOf)S?9Dr29_r${l+*WIsci{|f-It)+gp&FG( zlt2E&pJr3^NtjAmy73dLKJq7{-c;?k8plgx74DPA zp}QYR+o!yPK!2J!*~uiw$aLPO6f2~<6(Xs5`->ZnhNu6{LRdELN*J1S@UaGO=Rp+N zZy2IO{xyz>35Ja}67ab1hywPjc%825J(%{8A1ekzy;bi=_{6(_wDI)a2krA1a^hPv z?ChQn7m#e_jljH=r}ieaF^}6UmPYsAfW6GY=XX9uZi;Tb?CJ1-HH!(Z-7BCK_kNl9 z%>JsM@BYZA{wLrDx*D69rz3M61u5(=YTgL#`fL*DsPue6MQ{Dyo$$xp4?W%eLgK$0 zTGzJQetKoFkZ1X2IoN8x{PtY3FpkF`H}K}8%p4e#w8BYH_%7{jF3S_s6;(-ln^Zhi z#@(jf36UKKUP5ER)a$(xnV{sub7z!9lgmC&!Bp7&j09)LioU{Xe4~clxuVJnr=;`UulIsQcaV-+V;4CTd@@ zEi$WlCKNT$L{+i^`+_EUyS3LmB(ihx;)E87ev#GZrtt0w2dVFwe96T!%|hS2SoizQ zcQz$<*}ke<6&kD+&MWU_-|M;ZARlE_Ql@oLFxCPur%(@y3Lm3}pn}YAnR}7J*xn#W z(vxteZm@iHRmmaGwYt<6jyK1|e{W*I&d}WqKflg?kdxIu-x?{gZ1 zZMvmatF{z~!_+lp7Mn3AzxHEvKfC#g5_aykL|A;~N$xEp!8mDxfjGN1i8s>N`+IU2 z7|)Q?KR%NM{>#dg+Sv8|hB>MLf!fV`x2u9eEoe=intrlc&$>b~R)qd(XL-FQYWMEU zgiWF6=c1c=u5~T&Qg;LMx1Y;$t;;%wnK+^4km)+N0>I-lq%V-q(^(`yquB?_5=kQj z3!1sJj(Resb99H(YR~%mgj7be>eZwdQSDaagpNHTi#;g>ufN- zfts?Wy|(WFEWhsZMY!6NyeW%l8gTETK*#z;M`h(xq}Fh3MTn=rOPXNS@w?gMGUage zr_rf)FG->c-GxXL*DcbbF>DcFhZ1;M{yYdXQT!IHOio@TA-~tLYuciet+%uPeY7U} zx5DF~MhZO>oh8TXN6MfnVQobZCEfWX?%LmqgE|t+KUC-J)4_pd#-12n05$PtTyx5E6*%$ z);!g&AP8xD7H@Zs1Ad)2Au=?W^TFZFm^^?#IoFqVtBeDPSN7fB^XsMZMUQ9tpFjE3 z=@O}Gn&G;*mX73igPEKpnXxCkVlp@i!VsyCEimw#d?;!KmSm@Ppdy<84Q9Mkbz^U8 
z05RgRGDK2VCyZ_V%@O-4tjT?@l({8Gpd$kO^{D{aD@?K3OR(mF6Ey9kCWjeFWJIC(R%-1Yy0uZ`o z0{5Vt5Z0Za5=3X65NlA-ySGA}5abueO+B4%9M`YwH?ZoG{Q~~=YP4hQ?Jq+MOY;COj(y&}O;QZtZcoQheoiKO@$CrAV>m_ky z?JeNp?Kk-@s)2{sE!HeoK;>`Lmy(@GO5O+`sM+k2ETxYlna5OV-lFN<_Cl?#zHvaE zHjq`2mTHKS_&4TnD=eDAB>f)4ML9?}&LI;+!AoMS9g`09+B#h$t0b`cat7_?b9HqR zeX)ZcPs@9sGOeeU*d%qjfmVBXsgG;XHE0O{V`vqT+EFy9AEzMD`Cf#Z2${K0VaQGb zuk}@__AOI)FW=kd?$Gld0(f|s_Cp-X##D1eNbqt$$ektbgu9H=0}g> z&wpAnhHB^*XF7u-IL=Zt;rB9rTT+UsUwkhm;avviu%3+hN?xl=?k?wbHg~O2o|f9m z1U=7j1@DAxSv__2Gts1MCF)nJKWX~waX4}BlLy^>kuAaj?R1qU%ODT%_Z;|{xoWxt z(iUp7|(iGv=oOg~SfqV|Z`Gt>@+A=}?gx;W@@sDsX1{pnYq6t;X&d#I1;tcBGV*t*nlKa(5qa^mR9e1-PvmhteC$|1>Bh>( zm6h_*(%khm+|dH{!d0j-{eusHUD{_N=YeHa@Nhq5V%!Y<%@s)I&#UX6Z&Q0C#ongm z>|}mhCiC?qFxiKznMrCcs((zI(?_u(v{w>ZO&2H7!&(}Mo1?tf$I44#m9;)tvgQ-E zki_<5XHQj2hwg2xr5>(9dUhZ}9KX(Lm@|v2lhN{zo)FAAq#~k*`g-t54C}m}-YgEm4)p!2&(e|H82EiQ4yIdhnNwCzvPJO zPU7gPzY~L6)2e>X_ApmnhigY4-Swehk3e99!$m5J}{UxF8YtxQ(ULpPMi?d zMd9|obc<@-e|DRSO^x{yQg#_P9MaXJ`)p)zNsc7Rn#opdcVd6fIBu(==e%3{laHBs z)@iQM_xVa1wFxKR9;!;|o{&&ec|8CU2M*=8naJ}v`dEg0y7eXKQz976A@x=vFo5)K2vyaK4BW$P zP4hgf{4RuwIMD7ZY^!gv6v1JG*1Sk;3l;jNDiQ|y=o6fOUm>vrr8rI#xTU%c<@K`(0?Ly<$SIn6oR7t3#wkTjVNQth@YPt!4Nqx!2@^v8sh4 zyjUy0#XGS@tMVHiO!$-~j+Bku;RS{Gi|j{7Gxd34M8UK$;ZLti21ZYr0v^wqzk>wy zN^&1OCx;0q9t~;N#{_Yd5mj4;hb7TcV>ZdCVOj4?`%aR{ISfK*Cc3m4I(6gQhGp85 zz;$_LY~>;-mm=efEH-E+5v9466oMXZY*_2&5IFF_=q61qzecA6y>)HYE817yKG`3# z^L#hX@WzJ{1om3`HHKa04L|6czCV3bjc<^;V?CXFL$Z1HW@QGV+L`7cLAFn!mR`@gB%c`y%tyropJx-S(5! 
z9@Q&VAB3EdEjTXcZ5=9q1h4@ZtL=x2uY9Lm&R`XwI`Be*|@&KRtF4-Vcsfq0fm zUYH0*;U$uEFmzgVA=;40Zwx(})WR@lHGOU&$oNblV4+Z9mO*Ozco|gHm8~PS8ml+v zDXga)EHr;UCi1eed1>$T?1R(NB~T8X51TI?o@EiL{&M^yVg7!@VSZiQy#rIzStL-& z^vsuSK%Gv{{X={rDv6d=E!pC9&ahOA?}t0o`{*vaD|>(dH?kquI=;QjjRpx^pGcy3 zcU=TRx}Db-wuz&7&$=j-5`&Ov6EZgg%=+=zf@3rgswwt<_F!rwhj4g1F@*;bokq3+ zz1PCzn(b7K<0>zshMF0K#!Ykog~zPXV6R)0!3#V(do{O`5VCI@^gGLx#y8AXKN4y zkWIV?3mZ`gU}$uRY`S(agpoF}HOMI>y!{iL4JG$@fJBF7E(KAu-0iESh>qa& zxhV)!-6m(buB37bys!iH<$4WxxH4rN*StcGwNLejoyjLBNsg85=WG5=!USXBo-uB8 zE!W1oCdxE9^P1bA+DVhS42|(yY;_2jHh-Lk<}O(rbeta2jFA$Q(TQgFfwu` z`3J~c;)ocFcyz;ro3=lS#;a^I%`4mwBk~M`Cw;kVs&|9O=1=mPsM}@qh*h}jH+@yr z2onPX8#Utbt4Q8Ex+cpmLy`!EQolaJ_!-qHP;v^yAedkG8yt&fLpAN=YgeyG40N;hEq#H{SIdh1=yoxwJR1hr4%57Yej zActQk%{F1G;S{j?g(3CJVAZ?$o4T?wiM{Qa0!iR@+@t$?1>W}2xjfxn2nV@|L(ALe-MXBE$ak^J~2<{T%>9& zD%2;~)StM6&}mf&B^{OThUDc!ZNq-GAJ5uwu>iHI_o^~=HqzN5m9Y?VmPe|c-Qho`}?Pu%^C_7pI zo@5sd4>pjsL?KS4`NmuxQ<0;)|3C?mY*}!&?l?4&q8HvhEx^oe;{a$W2)c60n~I}3 z!nWlxFoYI{XL&79u|gpTLgU{e8Z@hmUkZHlO`C8Fb+O-yk4N4s1GBA@^WT1LAT_R6 zsA(w-qX@!Q$zgyM?vXpOLUF$pNaC;w9k~RbKHBlXxC}k@-NLz~`BHO~ZEavLNKjv@ zPx!O=l;v@HR|kNY%;V*J4VPJsnuhUgGYB~NyhxYY%Bvdqx(G{XH$R>rDDIS-;DiJT zl4_H2GQS2ID}XQsx)VSWG}gcL7Pfzc#S*LTni*NQ=clGew9*NF=g?~O;5la^RYHYv zM_;z#tDT$0lWPeJL6(+JHTd<^-Y23H6 z()Svz{XC%hShP|?N&dDZb=IYV<@?@2k)5`6Ten2Qza*IM`1PEUUBb#>PaNo(PC=*& zLQ=puSzfqjFC#`;A80Q`yVVzYALW}PI2m7fA0p6xouXa#E^HekGD?Pnm~8^OCq0$q zAHXDy=hns3`=I9Os}^TXqv0RKMkAFEEy~jMSk=@}6qZy3>`<*-QqwB<{#GjGO;%Ap zU@nYMKhH{6w5HoCogIsa3JKo?Wc4$g-5Y~^FOu5ozO+7E67jt-erA zx6SimB#2Vkc%tkWk-Lk-ji8R)N}sDh&W(xeD1&)jZ5aO=_kW|$f>-XoP8|o@O%=w6 zP)ZBJ7PSDkPz{x(Ac#2tZc4QE@uA^=9i$+P_`X7YX`au+6E|E(`5&$I6oj)4ICF$&8%3b|4BMEKphIb6oky+mSPJ1E}d<-lUI1 zc1-;F6MA>vbLV_Wc^uWeHybIRM|$62Q@1R}%ikcZqA2xw=J?pOY^Q9qY1o>B&ycbw z`HsSUwKL~CxgI{CH?u?I)Ye{;aGvC4j=1X9=#`J)y7Gx{b|}%B!tWQoa2_?;&H6b~ zoIV{sYwL#7&_AYHn}^vr)i3eWJ6rlVYAz`$+A_!e zEWK~;XUbh`a(SNGc$N72G=HgcqkVn(^^!8vR;89k=4yLRD3e`qhUspA zZ5YN(R_Ft4V^Jmui)dBt8p>SQdkYVy`j~!I_q(Y!Yat=z&hPXtD)N+0 
z*~L|7tK37|jkLNQcP#rV}7swqIT9czFkRS0gLI&^qPmC7Tzq*SQreI-$lx%`@EUK4*Y-vPa!8P z?0!{nHv?7%-nApyJd)7!^P8fnBhSz>$IxgTkvWi1asnat^2KXM1*duQa6DNsXu^WiNwhmN{6%$1*RYN6?%%}KDX6{UZQ9Wjw!93m(oDxTHV@1 zEWku0-BF6E*tkm(Bjh7^@@b@b0_zvJ3TLW; zDIzGfiHZb9Y(!`|Wvv+WH4cP$nAo5NbE%sJ)^?zfw9WDIvtomCdcqeSNCzHP`!k?c zP~3FpO}+4Yfo|c)es9olW>tE_tyx2QBc?EZQjP(XD6*5(#;(#CC0`6E)qh zC%ImWPdacoC*NJvw}4d7EsCcr1c-px3zR%f)wT1iJ=A!exWXfaufOeaz1$k&>(Fk@ zOea;eZ{n;pH**Xsg&u|}n9rdz(2JPtS$>iRsQIsiYm`+Tju0gA7c!}|F!v+zlDR$ED97PHgm4^wsF zvyoI_`ZVQPh?U9JCP?0Y;`X2S>7;fCAp6f2Z4Zx;{SlZ`*tD5lp2|#qW0%CUxKrfW+=ghbNBml&Wf|_gc8s+G*G}j zVZ`R-N~mw=-839Nuj`8KJHt@?mP7)ht*s{f?}A0k0{ z(I}3pP^>n>{q2*Azve#xahBx{Jc7LHQSfsSj84nBmw1ihjq+|j?VHbb+XA1j+`5MZ zO>0V42e@KJ4_SS&ixZ-qV&7RqfQV35;ue@aMHm*rI6e;CEy)VK6kk?Bg7vjywn z;3VUuVRS_@fG*;`u4%)2pXS3-JF97Vv1yv2Tgf>^uvwI1{XT>Px(E!~B(bHg%;-(yd8Etb0!_1+@B&y zbXTb6a3UON+R3y0uM7AaaYHqB^fgf53~=%J+p<^eUDu0f<1#NM>C+x~ye!IRn0!T% zc~k1B6Cn0M2z0~|d4bQ;Rw9WU&3%w?IJr!A&zol>Q++?j()M21~BBbBp&iYpzHnE;!yIQbRtz0?{Llbnm=7CMJ<)!pqN4TBk%U- z_x(p)GKAGoK{4h)Wiy+9|1H4`6JP5K(j53dsQdMZz`JnULU+UFjL}yGZZ#Rp&@tzs2-T(V7VJZSv>) z9{|AMBW;7PpJ$F8Kxy|EAk+eIz(um`cG1LKGzEN_-GBMBKEFsVxdlb(y$4vH!k2orl53iW_Ycj>QVz#% zJaND|y>V@L7Q`d5+O@^57DWmx#oW47Fk*C>b?Uue&KH)=_*9uF0>Tr;EG1MBI){cn z?uiIi1+t}#F996gU}Wa>-L1MY(&YaUvd+KKZllMs@Nfg>%|`YJ3av$am%Z5hlyEB+ z7{!oMPAGpx|I4_-mqY9T!YzG7%drCtpj=7me)M=oNKpAWMn{@F)|cB(dU`Rp z9xxIMYPP5UYE=OFjrjd%nS%HlL~(Rz3a{_)xBZ8c^8i04UaoUQ)Wr!M;@}Ez7Tp~J zE_TcKQir4et+fin*+zk1g;{(gTY>gFk{uLVs5|W1Tir@`nDJFlp3 z?wm_vul;Qwe89;fE&3*$0#wCg%bXHGAG1|~bR_ zz$;Imh{4Q^+JVjb>jtrzOwCj)a8H-9@`WBPumkZ=dm=#WcWp!afor!n6s~m=MH}+( zvwEEU4y*mvF-EuK->_@9p>mX=1}@5n-y~wq07#0W-hW8Sb@eqXSSOEFM_qFqhq?w) z;ORZCf-6k^sWxcGrp|%afHpyY{IdN^^}6pHjrvCjgy;awQ^PbQ@nq+Y(A`B2UB``B z@iB&U8#EHsAHp>n_y6k*6!_O%F*?2`>`!iFw8gbNlfg(i|1^Gq03Js&`v3DYaci47 zOAgY1`HgeW>dRZ+6<18WL|OTZrA3Z}X%GDrn-9;bi2GrSZ#?mgv2Ya}4w}esz_Hw* z{$Gy8Wk~`$X5uaelbnqKsHzi4%o(Oi1z=^Ca@}+OYn+b%UzqVbdaQN_R6VEo>xhk* z;-+?%YltQ9ZtF`F4zxX5Q(FfSUgrc9!IjV_OG@Kz=uegrLksA 
zNHlz7BVxMXzaL(>8fth=EDod3^E(C_t6e5@lu{gaWNlrQG4|&D4DIn{_nJ&Mph&y4 z0gU+8%oxrJ*kMBFLOKtw5%J{l!~ca93gtjd#b@us3MFd_?i0PrDV(jKXm6Ovc=`KV z*b!Q+{vPe=+YsdQqVt3S=Fbn=eC_!-q%a(+N3#)$;D#hHR&F@S`(NCZaOvep)m1|w zN_*aky#Tmpbn$<<=eOkh<~^h7WndG`5jA4{EOeT*0zAoSGK#QtMN~4{~ZVTY3X1R!SNUg z8G4fhSYOUItk8YWl6$i1o|i3`VosU%l5O0iErBy9`XWK#ex>}KOZ+(PSjm)%gib3lG$~d9Nbl^1+4lTGw#YjZT)KZAo_xL$0yV3 zLN$JsNp2JPBKZ?2slA*{Bz?vjliYr*dWdwwgSl#9j!xBrvG0QkH5Q0;8Bhy7_oxa% zA}Kk-r9O7M3o$aiMRjpK$;>tSo%Jv48$jmd$Cf2xz@RFe@-sfQK7h>ff04eb%MZIP zI0p2HXJZdUTmCeiBDMy81w8=?!wQe&Tv(}ug(Dfr1Bu(KHDoY``HUJg0DA^dM4XXk z>;!mQLbT)C;~qeMZ2MYZsOHOCt9*c;_$D8C_j=Tn{lPV@tXljqeN`aeG8;Q_Okdx4 z+Paoyj#S}KrqRe#LTRTtyn;CQLPJ9-3Fh+j0onMr*OEi&K%;hG=hOYr2~{p=%8#dA zx&U(jmqq!%>3Y<>(}m6x|Bz)-5?=>zkBy=%bC|{*T%dB<8AN_2XXk6;9DW`XAu6t+ zop&JwBPR3}(HatWGdC(U$57FHf2~*WZ&nJ?6B=nyurk5o zp=-ur9~4!JngLG~QTBzbb-1983iyK0mB!Q1N3#4+Rhv!*T`*r2D}&0#`AY6pCP&9g zWv7{*H7X^6Z@F>YCQty1oEcfvi-8jNLHJ*TJGvnNUojuVm|=;&wPlvoW_QXluA7S} zw8a?D8BggsR~VIP0CQ;%u*30sa=%~CR={_4BbGfnWFBZ?d`J!^lsuW9XWPa(4Oogx zR24EOcGJfKN7wxU_&s~X?P%liGFXHOW_IgFh2s24VG1%C$)L|AYWi>K<%*8ys0OqF zg-0`b<6lkC;Lg{Qt@JoRWUuFI1j5YjN6B8xRgtkwIB$9vya29U^qD-3x3BE!=7Ip) z)uGA+Sc)yM6!j=&Q=27Qt&%lMaiO|G)3cyJfRWrWZ%&OE<=$|mvD*Cg>QpaahDMk_mm=kcYbi#NqjA_-wCfio)cQdv4 zW7b&#Ha(G#K=C67nkkp3&R>;c8VhdtDr<*|nX65BwY4Rh-Fn3OcP|Y9luwGp904|qe(ZKQpi$)#g6|qQDaBwV1;KQTM&mL>Mx&$tUdHdNxg1^RO1Qr_&rO6? 
zuIjU|{4D$oJLDFQH$acZ7P;C><-o_~7pfCFd=pNZG%I~UsxD-#$20CByNGw6Vy6}f z*Xu$x-#Q{$pRGjHl-$7D1ft}t)!c`F)=`RIb^{MnJx5gVG5nmI(#3)boTTn|AE2943{6<%(5zOQ^R(2}}G=K?jxFMTvy1j{Q7iVDLK=gTk>D{QNQ%%D{j+ z?C_G`1!kPj6tjOg)7<~K5rx%$W7PINhS@$rJ6V{1(05rm^yJIO(!;rkXaXZBm^}7h zw*ti;xJ4X(ZA3Html0iUj4c(2!)nj1ANtM$7o&!b7#O@a#FiZl_t=$m=_(aA!yVcz z`bLIr*<_CMvqO6}{ICjtRf75vj{A?yy{_&B2P^PB*RJHOFRi&z*#cacqqB&r+ZpQw z>9q4Qg#8u0bCv+xVGzVx0gW~I_VIz;wfk^gCVHwLOdcy7e%(0g(w@t|eOX_#AGIWY zWTyWPoTP7)s+h06ED^#fco*K3*QA`_(z4HPdNk7r!OSKd@QBj0A7}Yw(|MzP#-XIQ@w+^p93nHIo;W`h1rBv4IM7Jdz&!-70MzdQs& zxV1329nc#K#4t?>JfPm^DW&YqRxD3`8g*TDV)!^seP%du=F7At1Ksd93X1pM$y|d6 zM_UmXGUubmg7hlLoh?TXAEcjhBS9q*@Y2DaS&v^7&^2$ErwusMY~Ly&woxubU%;S zkMeokhAsFLIWB%)Vv?@=J;`~8(2+@%vISt#7<+=nc z;`U7)wq&5CLGB|eG`$QDP5T%YS+)5gjqDcM)O{(lGB3m!ha}m-%eX?K)A6PIqm)UT zUD$Bk&;i|#FNObN^Q$YJWiz70#KLh~kg9vh(?9itz@@g?g6J}ZsJx)Pe|*)S#gooS%|){pw7?1! z=BC2sV88IT3Pyh!z)uVUQ&cwmR&EnYT>LcPgkra?Yj+Co{+lQ&x@8q6hQJwN2=u=a zUrzzH0_DJbI$`^qA_<)8c`i3U$DuwlxY+(?J9U!8tEKej?3VXW7gRsvIXmx|{W3jW z-sAKj1ZywY{CZB4~I^S<)rl#bx`BR^ID1$Dx%~Q?P#_r<-bJ3H+~^$yiUOz9ea9Z z4DE9pvrfru&<+#Mfi+j|k^}o0-n zH2)>T?*+8HzFS%FD6%;H=ahMzI+BVEzrwL&vs`_ifbdUtGEo4e|C@#v>G$y@2me+V z&N@;u^mF@MR`Xi4)7CP3L??}dH!Shkp}4>|MjxlYYZI7XrGaIgP!tq$8>Sr_ahBMq z>$F_h=@gFLKclCiWubh^`@NP32u#g7tZ0X&0&FYR-AN#RbzAt)vxB4UqXSFL&u7^g zMSs@4qUU;?T;GVctbv}{Q*QN&s}Mwj6<$aDWnTWkL&8Dz|RIZujt!;Q|zgL z_=4e{61+e!eMMZjJ~>_H{5cT8+l$=?QBTZEmfJUS+!-Rj|Yd?T{JQ-%a7=gZcwpCNf19?MEgj?Aa! 
z)ku1C_j~|L)R(_uV86?b|F78@F~su2hF38FOA&Kd?#aI*b-ENjk=O;_SZ85_nsem$ z&De2EW9UI%T$lB~e?n_uY?@DyNu5rP_WH|1UTV!<@s_k{>j`HU3n5m!iAaUWU(1Ce zO@vj*` z83Ks47j|G!#FOijivcszexHj0>)N_d7gp_teYtcCe4o2f{90TvkN$wC_1&qeN?CYe z!iR{j5xugW*kKxS1UmF_YbN=aJQB?^Q1z;Xc$$Xn>0}(*D$GxMYQRkxkM}>hnUmEC z%d-R6&SVIf_4c)<3H%Gu+RxdPzHGoZ1_Ms~;#eP2*VLu;HJ(DEy4f`Q))?9XCubck zwj}4*Hu%Z{-Cybgfufsi`mUbL*DN6UqMa&*4Ff-907Wp2`F_uSSGql6|8$|>?Xk@2 z;f=P!i^=EK;(+O`^e_>QKNJ2}?Ii|Gk6ni6w=6}G==WR0VRSh_69}$M5d0Uwl|L53 zcg=VdaDfXR3^>#2K7((VWp)q%pN4w;i2lOT?ICIbHmU6GcJ;$5Gl&}Uq44^|I$Zi`4X40_FTjLF)qJY;zJOI}6^lxLhoM*Fj1}qG=qUu|ovV1|(y>p`gyIJfNHO zD6PWvbIX00uy&9wovZO9zZy>=`U?y9huTqwvSc$AuDgTGS_SUxrZp+&Z;3TZk7Bdw z9^HB9_vzIAoWEpJRJ>@f^ZTh^0%zGJ`oK% z9+fw@k!X(Hx6qM)TTYlARd?U4Ps_8)D9FVL0NzjE5i-{AH;g?{D);dANXhL&thlga zbgHXvk)%rnww299;Hl!jI!hVv8EdruSl+*juaNu(_|}xIyJ-K$snCfuY$Px7Xsq^C z{{Pd~SBFLQeP7d(!bppB%K*|0NOubY5&}v}BOMY-4J|b^C@_kWLx%$@NW;+5(p{1w zpzj?NKi}W;y!?APanIRj?X~w_=T5nr(phlZr*-;^4K2FlhnKR7e5=r98qBw>R}op# zu!>I7IB@$=O+rFb=>JZNKbt@cmisDD#m4FF(FfM?19?&_TJs4wb3tS9#$E(!b#AYx z?odDS^xwDmB3*J1arg~6d{@bQ`WVu6zCL%vj28ZNc22y3YINq+3O*GRu8l-ybAEK#e zKV8{?0qI1lmWvZYgdvtdft(^^b@U;Bs18Gx`qm0o4`-;KxiXky9hx2jZp z#dX8r%(gq?EpWfeE-;Z>NS<=XXLN;L_cy|398zQmLCTTF?<+UI*V5#xEL=GIC_#%^ z$NcBKPAT7iG1+6yEhj08nY9cM#}GFnG49MjMgj#GUhPS1u}M~Z(b&)T?ldbwkO|jM z4~LBb{;Dmu!7WRXy0LDanj6nSE|A zy|3a-OspE&k5*!+3 z>$l+%Xn79_kk!8=uz*BRGo^FrHRh-5VjOP z%RPFARb9PAj{Db4w3~OF72=SZ9nu*Qc%d?ivtuNk=Ax9erDe)Frg;K~nf{8wUwwh# zcc~ylLlA36QT8gWnjhGXRGLA2KZrAxJ zpHu{-V4cX1W*>*%lUzXi5}-6fUEZ%b;4i6VKd3hRI&E$8i|U}`sYsQ6&%45Py7el9 z*1FQCggAfBj7JCCXj0u_!O#6Ln2NjDN_gyyfFVD<%UtsY}3r>Tu-jMr=Ao=7TC zi5^Lg@SKE#`S7YEoV&^}VcbD6&(f>wD!MM#{dlAgMW;BJ{%?vSp)2VJeka4wn0s$x zglIX#ryc6X#lsa6xp*1D6VY%9TeVhWvpjj_&0@r6g9|A2WXtCEu!Wt!`(=>EGP?=R zP{sGm9I31;TX)4Ahhqxq8r_wdgpw&0-D_|sH5=~0dQyTd^!55TQ8vSR^n5Ne=L8qU1^hs54HkNuerAg_$A>8og5q6;4GkZetKYKjISUn%y@8kI2Sh#I(trdAT~mKc9iu~sP|>@tr4{IQ`_8qE=~5SArnk7Esu9!gF= z(Nlsx6l+j|y|MbW0h;0(Dm=d`;;8wZc;K=CBi)eW{%(UFzUbfZYqI3NfJz=v;IXTV 
z-W9+JVa1*@RTR;`B*4wxXU204nwBRMJQhk_v@E8U`!;wfX)*!cnsw^X&nwCIFB9lh zGeljcuZEXaq&%POV*68Fe7D=)+a|KkpC6TpxS{k!qP-yw+|~AZ1ki@!zAqUT1zfn3 zLObpPP^gECV=}%mL3^kXHacSo;a5n63jS=>BQN^+Mj5;KGZu~hbHfUQC@2QI?SNOw z&~uU5LgEypOHG+$F*ketjOScod9}V{IXuPOi6iEYm*Y)|NDT^RA}dZ*sV2<&NN_WX z5GW(+e(DIff&vuMpZKxcLxVxEjk7{7!7b3f|uSk4g1;e!!@l^X> zm`@i_tj+h>J{T(@teVGMvsMbh*NcuHRaMI&r4VD5f3rTxj_8i&yejYnwD1tvKmbC$ z(GR6VtE!wdp)W4+?$Ymk2f0ziEh>K;r6W@$Zax&%#((a}S!blB%VcmC^+Amdubj3yuHQAfi~aIu384Dt zPzd26hy=FI4WGTk1MOek|KPgC56;lRE<=d>`MCmdl+kiji) zi7CGTF$h8<2T~U$5h!!cUKE zkKW?m5Qb}!oAJ-uBOJZd32n=6Hg1RBt8M=o%U;=fnJqJlbtq#614jK>z76ZT+{do# zGt6XPz7PZXGC-;}Bt>ArjkXKz2cqqfQ&Z>L~YBYPXt1MDP%&i4pCJeyGs)4wN}jrxt7_i&!d&0Wc>Y{Ro5T(=It~? z%;Ef%?gL_f$cf+u9ANzcuhyl_T;+rTX*7qtwf)rC_7BT1)N7J+pn|D`gM9&qHJa(u zG|7SaZk`m9@RMKPbq<4{gy{U%C`WzC`*p5ja|AI!c%mgj*^{I3wLQtw4>zm)+YGIC zZP?O4PjBm%2D4tADsuSGy=LIT<{c(uMJZq#N36CYZlYmw z`;xEyNeY`Z>Btyot}1=>n%L{@9J(N#eGt!OTp*KEz8jYI%@;H=(XrQg5%_(WRA%vW zE%n?e?tvTlj0VPU`h3*Fzh6E_B9QQnj3jokv_)KkVbC1)Yl)yOagKzn=y|J%eD9pe z<&a++G8R^-GAZShDC=+j&eA_gw;~f{&fBP?1fA7%bj0!>1qXP%Mp31*={V_+C;us; zPi$hr@MLK>U$NS4L!A{}3e9FU1Ehq_vIy3+UaiwTApO>?Z-UEAaY-5q8&8Z|{(LD5 z{lQ%{Yrybbuzm4F^ur^(MqV%RL^$d1Q|9YiGEm@G`P!Le6ver^6;XT+KCcHgS!5nq z_|(W*1HU)1rV;|3`*3!`o_@#cmT2JbP-cxbht2Y-il9D!3!JFKm;Jv@_k8Y3EvV^h zl@szX7r=cBC0~N2_EZ_SW~%s$cx}U?o$yO|T(CQpzf^W5#l1I90qrrr+5oeKhG9aN zX*Klol2;8mG|s_nnCD11?A{Ci6SaWYisiCwKXBxepCEj8Y zRCMa)x>1vwugGg!BinL~Q6yh^47k$jR#M3BCPT4~PiZX3s{RSMwFo=jnR(C;d(_tF z9GZj{kbwoZkCa33N@<%*pVf;+bI{p=*Nu?=ZM6v9B7~X#6{Ve;>B7|q3Y35o+ZnzT zipZf;s}CwSHAE||we}tX-(ny=IcC+iweHG1{FEZXs$K2Lcgr{*K?z(km1ez&%Mum^ zM0R1FvGP*Wzva#Y=cn4;@3K4{gHO#+wm}k0_!`CHN3(5 zZ1Eq(Pmres zW!sx**O>4Jm6F0C{aLtmYYOX}q@$X`>S$}NpD3fUpV!T)LYO)Gk#8Y)SHU~;F-De4 z^>g$ayM_{BAi1R$Iy4%MK0P78rFJyONo1W9t)%eNXecDcDO5qrOk!Qs)ajKeR5^?@ zhw_ultPH@F-*COtuS)-Fr$_GQ1wbrYuCwqs5jgWr^#278u?LE4OzpTgA7$&HzknqP z+h=;kVGcjonWzi?j2U32hH?0lh1iS&ris8oE2&308j5gSlV@Z@T5ER7D zaN2*&d8NJ#OSU@=!Nb~)TNj2~r5(o~JgvzX 
z(_nKK(?*b@nv!zr;Oeqc=G;JK@KKUlJ05F@5n)8FUW5V##2Lc`*KDeMWIGi(UszRL zzkCw-?eteP_u_2FQZ0?o6g2p}AaCnO)3J|ugPcnT(slaysPIi*qmgB3WZ_DJcg41e(9 zCdPCidRNkarLAhg!f-QawHCMKA}e6YG{C#AovIEjbFe~tI{ORTeK8)zKXp4T+#x|8 zY#0sb-$AYPh_S*Nw;~?6 z9D6YsczYzt^?yRxgVLv4)&;w^@VffKpw3ezpL*48?byZMe$~5GW5>4Q$YaS}x~o$? z$O6mPB8jg7K^tDZ%`TC15x-BavE8$G9^(M~umo=_k2h>Odp{3?@a&1_@9{uMx7-~K z@?DcVJ+zZa9T^!8Lh0%4;ZtFm;kP|=Rsst+7chkwMYE8I>%Nff#YKjl)zIsChem2+ z=#guD=}+3d>Gx?^4eYfE9`zP1y+LEiJ=#m|ql#tnb&QNhpG<>UC}DdDczd|+sQ)7< z%Ucr7;#ZDmsf|)?dZ)Al&BQ3L%(6-E(S1Bpn>^#&!R`KWBUBnTVw~@&mGYl|RKM&8 zCCv&;FV!WJ1uG>+i1@Got9V`gPd7;P`|W@m{O(V;&5!;@Hd=~(Shyio2U2_*8mYgU z4H%Z#2mQAJpKF*8+|R$+przyJUA6ps8wP{;xM$@v8!9+pvl7?^?oUg76yyCoy= z3W2i4^UTcA*`ge!FUq#5kGnw?ERssrkHQvs2d> z+~m;H$!H^WKU-xANlWg0>$z?S0dRcpYnx5X?D?Yfx~mj9y`2$-i=Fo8n5VcUE|${2`Sp%+;WNSVRa-M9 zL1=S_qYX@bhQX5ii1yBhA2nZwn6i?I`5pR&xt-6L$9F%watWDc>Tod)q(MVsZ9$cH|Tk?1#1McM^cgAsjjY$rvy|aEBM);z{tAFJOW^%?g^Yb1=OHK0Nu|3&7+Hg)lP`I3655fUhbq6jU zXD(pJ@$#?EP3ZIpOcJ|5kL^z92YE1Dz^ajeoYVhi-1$@1{l_5S6JY{VITaK2ew#j} zozC&`i2dSIL_^jLs@Y>nnw<5wcyZMT2W+;%Z8mN8R>0zb-+tNmIuxs=l8c0p#EIj# z?Ml%WCfCUVmX-W5h>&E44J&Gy=v2;eD|N?XS7i`JdAhjv#5+f_ed;6+$y|<-L~x8b zfp~=Y@V?IXk$9_59k^<*5 zh^q;rCQe#$ml$iNEs0#Ip_7O|PyDz_E6w#Hq;LD{R(eC7ABU;T+1ALnn3>nM_siUx z8xeFehl$QZ!gUn5s&8$4&FeoL!LnOiafC*O_ux#_^&l*@+XZD= zBPJ$wFByB=E6x07Ka8x{It-p$c63Ei@T+!%TRl|#1%_`J+4&TE`yoa)uqbnV+))w` zg#I%=hsC7w+Q%+?(oG(o#wK)%;E8=rC9<1L}vWm z8^)I0_mA8oI>=O`WchR8xQ+}ARkmlnLc=GXn_$XDv8D%3djqvmVdNUdwiewU9*DEw z#yNTLe!b>LuHUhW#*H_)V1)U73C_#z@2Zv#CVPZ*uV9Ni@IGriC4%Cqd&HUv09)J5 zhH_tzdAtIk@DV#%uSI@f&%9XM4qRrazai~|ZM)L9TE3uS6FJ*DU0143W%y;P*!DRE zj(?nYo~t89Y{c$zI>00i40G>fNUg)pPWyEV5`#ZO&qq!-@**oYmzYliem_jv1yf#Z z9`+{H3CM`nO*fc0Uz0_9HM=~J#pFwBkx+-V_-qym~*3R17u3tbP4DNL;*;U8=X|eCk5ADnwg9c$_XYGNyQ~72r|RN z*``(udg?G1k+kBZ^+htqv-XN>Kw9eq)oN=t&E3{jTkWxIt1RZ-6MRGP(2RVK8< zdKWKL_CkOec00XV(Ja2<6=!BruB-U=LR=}iTGmv$*N2Ik7_pB!-g7-aln^+KiC?E- zhZmkOy3TCn4IclfXhpBYpGTEY201ynQXCzQ}4r1DXGP4 
zu8{-Jp`R0AkajWAq)mkL<~p8HvfjbRVSnZ2OoEWdMNkMI(eP_vAoOAS$c}J;8@2uA zMw=>Ncz^7VMW&A{Y)_Y%3#m)Do0Rx6AWyfBU#>#Zoa^Xvr=+KmuG}f4UrxkNeH2bl zR8D6u&UgH_n-=W>mvi?l)`(EVs$z;9vrSK@-a%3vSiXoWj26p&hYHzfPZ%h7+3EJ( zu@L6T2<)?7!Q^D`WB-CA`}PDB*$jaH z&(DTUq4EIzQbp4*{w+BStWmZQqxZJ6-TvE3(ZK>GyIbOebKe}Tm0aBO(k@DV^s{|? z*LAQ0|0SiK(Qm%cRQ7!kvBWNp*@rTddhH)e+SK)2ilD8#= zIrt)I_g&!E9p0=w!9_9+8!iD3ap1+=+ET?ad-iT8a%6{L;7|}$(B-o9c50f{+w}bK z^*9gN)%N7}MIktnHnjHw;SU&_u1+^NKm-!e0cw*d2qJ}hd5c^UXMt@_Qlv~_@$R9A{Z|``PSx0B!?1psI zd4Ke?k|{f-$GWk#!H@_0{+WtB=fnj6x}IwrTJQKfZ{&NM2L$P(mFYj~ zO)@<`Ilj?Um1peUTry4KiilYWv;0n5biC|0nFA+7v$u`Iz7jVu6i&#gGk64`(I67W z-IgS(i#AlU5Lr!}XnKSTo#2zRV&FVJWqfWl)GvDclO@DxgUEFII-%}THM2dXr*lii zHB5Y2pveH!y=PVPN8qq|08qnmA7LRCxuk0k^6B*#@EiBo36} zPY>Ayc3<5k@B2fPV5bfI; z9NPaqi1^d#orcd22>^0RVHL0MktvnEDZ(fEGc3k)QLM}0PM|OU5BIp~-gK#H^{px=%!=LmA|JZiE(b6=EWo0Txd!k8a zyUDx!EDAOM@!4E}9Q~{7_pTLT&uoMo_YqsFWpVx8d%A0v_VH&_901S=@u`QG37BBr zRhDd5!;po1bOUA((V9_JB9DP+qj>&rmSoU4VA*P8*)~Wmxd+?GMgO&drUMTamI{|{ zT5`jk$a(%fD8d8QO=Mp`fFGn$qa%QMwa^&PyFs#G13sH0Pa1?i>cb7n|C$H_O;W2K zuzmw+h^TYCzS=&F=b1prGRl@{K#GmfKO$a``L78h(B#71qzg)>k*Z0jt?+j{F`k={ z15G55qXhk0Z5zHZZ?7y0==2@g`2Ie#l^y|1{K|;XI}L2eq5RzM*ZxXP7TYTN7{H&J MlD1-*{G%8D4-wZlQ~&?~ From 56ff3ed2b6b5cc09da41c0a664c3241038437ac3 Mon Sep 17 00:00:00 2001 From: Bryan Scarbrough Date: Thu, 15 Feb 2024 19:43:05 +0000 Subject: [PATCH 6/7] Updated diagrams --- aws/multi_region/README.md | 2 +- .../diagram/aws_multi_region.drawio | 444 +++++++++++++----- aws/multi_region/diagram/aws_multi_region.png | Bin 175040 -> 425090 bytes aws/standard/README.md | 2 +- 4 files changed, 337 insertions(+), 111 deletions(-) diff --git a/aws/multi_region/README.md b/aws/multi_region/README.md index db9c6b4..0a7a936 100644 --- a/aws/multi_region/README.md +++ b/aws/multi_region/README.md 
@@ -15,7 +15,7 @@ is deployed. ![Diagram][Image_Diagram] -[Image_Diagram]: https://f.hubspotusercontent30.net/hubfs/5856039/terraform/diagrams/aws-multi-region-int-gw.png "Diagram" +[Image_Diagram]: https://f.hubspotusercontent30.net/hubfs/5856039/terraform/diagrams/aws-multi-region-new.png "Diagram" # Pre-Configuration diff --git a/aws/multi_region/diagram/aws_multi_region.drawio b/aws/multi_region/diagram/aws_multi_region.drawio index 73a4cac..e80b08d 100644 --- a/aws/multi_region/diagram/aws_multi_region.drawio +++ b/aws/multi_region/diagram/aws_multi_region.drawio @@ -1,134 +1,92 @@ - + - - - - - - - - + + - - - - + - - - - + - + - - + + - - + + - - + + - - + + - + + + + + + + + + + - + - + - - - - - - - - + + - + - - + + - - + + + + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + - - - - - - - - - + + - + - + @@ -146,55 +104,118 @@ - + + + + - + - + - + + - - - + + + + + + + + + - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - + + + + + + + + + + + + + + + + + + + - + - - - - - - - - - - - + @@ -203,6 +224,211 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
diff --git a/aws/multi_region/diagram/aws_multi_region.png b/aws/multi_region/diagram/aws_multi_region.png index 61de799c3fa5df9815a5fec71255e7cd995226c9..61c651fc550af2a22c1d776c1212c3c1e6aa7701 100644 GIT binary patch literal 425090 zcmeEP2|QHY`!DVLhSEl)R17m?Y^m&$l%-;dG|Y@9!!Y(FX_3%MNs4wYB55J*g)pU8 zMT<5iEeI8g^gnm*z2nY8it7LV-s$c0Huv0n&%O7YXZ=3UdCmsQIi>^pj_li|OP2v= zGmWgfbm^YfrAu%3-aSFfht;y>;GeEu)}{tsl5dZG+oh}Z0dHeFZ#REBgGuY6NHm0h zDH4srZz_Z0!lt+>64V$}MWT@+fk5*$2vDJVt1L6n@+GLa+t6L`EYJ+DaHqJ@;A`}4 zZNRaG57V2WVoh^lu-u_5xE;Fro3be$OD$Mb8WUVY^@r~usHz%g z5{Pu}ANVnD6tpkodatDvD$5V6VIyUCcpCOG24K6xt@O>t&oaKEUo92$Z zTH7}e2t@eJd?`#HfalrJoPF2~?*Q=A6nu{de3h4X06Ii;mbe#nS>75(1>_3d}-D+FPLDV zRwl)X#x&r~I{F&Ohj0f8z8H`;_*U>p^b+u<(0g*@!psBWQ8$0^t{zKq6hAL@93%}rxUX*po+a|EBLyJ~lx5LR1T11`L?CED zOd&!{v@LR&G&&H0sKA-cJu)JS;6mObc+vs72&PdFN{b}ravVVodMY1Zw#tNfEq*4{ z(1tt3u%H&or+h4^t&KdZLp+E)9K(b_sI%Ou6t18^b-9`fkQzQ-DtVW-XnO737G@JjEQQSb~B~`U*ZWwgzzz(sVRyx zH3AOJo8bNJ=rJ*80g9*tkCpP%y0{z0P;qW*$9AIY?Jfg%g4C>`d z^LB;|R7hz3LB;XQ!rs@z8N8{G)uyGXjn~!yXMUfc=RJZ)Pof1qI`cmv>48B2s1UWb z)Dh8(Atw#UhJY@?3VIDqPS-{z6GJ%!)am4-95pSNoH{}|cx_?lPah&3 zQHKx1S^(b$lm~4nbWVraz2z3F8JnPVO||Ikct4 z2;g3kN)D(wpyZ&_kfg+rpV$ihPg|j02pHwq;!N6bQ6I$Y5z+|+buBHtpw|ezNn>pj zqA_G-bdu}Hdk#-Av{)1!<8DnvH1qHq)yt9CYvLIvjmLP&9U1{j|b6fNVm&J2JsrJ3687%x|nh z&?8BUM1<(B6|e@2#DYF@Oxn;Qup# z{3G)MbyyIxBBBI?l|ZNof+eg@0g&<9!V-u_SzHsN6%#^TY(j7`b1vpAhL}+R+VMYV zLZ}PCTtp2-QD8Y3~g5#YmQM7lZHP!=x~#@`5JC5U(Nw{c@u z{EYw+61)twz^%O46dY_5Y=oX5*v5SVe?^?OcH9I*xS<6sfscVRfj$6gz-0IRSMmWNGl)AAe>xxVKaq7rK+pjUONz`n!h`I2 zn4>!4^B`Sdn9{<<%^R?3Ybi${;Ygfv)LJ@wyK_t1opRKQ)Nj>W<^}&y36CgX3^i$> zcpnzn!sF2#vW`%bmatvUO&kG&Qb3aP;aeh=ek(c^6P5dwyk?P@Moaiu6qdm~>-cX- z9O1JBewK0wC|MwsqaiGZ@S-45yc(J=)Dg-7QF%e@K%8=fr1GO!AZpO^FQI9-%xQPF z+RsvsV8)Rs%0Y<>D|3j%PEcT|*urQqTbh%;hX>GMHb_JeN?dD6PT*zFs^N&@sGvA1 zD7-A?-x(F`kn~qa85EKJJUaqoIN;IvAC`%EYNI34Us(8C1Dk*b8Mtb*f%on143L5r z4(>pDkrTxW#5M?OMssZ1wn;>~ntXvNH2%cj2)ms8ZAknH+sO4Lg#ul0E9zb%4y|A# z^aQ~+?i2VMp(Fm5e{;-DTb*QN0>zY2v#=d8H0rza*0+LMn3qn5!b+kN 
z$FMOs$Zh5xV^+s@X3PyNsPm>d0-h0uka({K(|m^{1)4~R2nw*O8}1Y%C`6_Ipluxy z6PiGeLw*EC*P~(qtRDso&_xIaut*VFLJZ{`vR#~%ARYie(SIg^!2*ZSw6rHVaXt_l zYPMiS9QxRn)i}WD011I$NYZKe$yi(vKQ!sC@;?4*t90HnBW`7P4WD7s&Mb zoyH3`VW?B(32(9eACM>7!udl+ka@wwApmu?crh3p0*2JZ3!J#D+Y(>n@jT$z))hPI z5unQbf2aV)zcM?yL+ne?BtjM*q?Hi|LtPsQDqt8Gk1j;QS_F6^a$`qK0v_&x@iELP zUQl%`BML}42JnF}4?)2IwDv7s+E^ndqqwEqu^nWyUnvwK?&O`-?@kFQ}?!LT)I z(_^_BZR-$Iqdo;@=`f87D!U;_43x6Xa$&hsn8q!w*z_QpKf~J&B!EIz5%il3C4)lg z9`K#cc61d(Dy+HZD;=oVN#mG{Q`jyvuv8Pe6HXZuo=P^22^Kv1^7r47sX-r(5x2bc zT;fu5e`Td0Wa_s{I70bn!Zd=Enj@gWVuatdP;$gDJRX$^SdPb&0MSBp+abC_`Vd7| zXjHH@Yg`-^*2@w4RDzo5)q|~yG1RF*troxq&^uuU0F`st??(-e4t>6GR8;8m z`O>JwAVc1fXSVG%6 z#FogT+LB6QwggT@3l1P=%Z`_z`FFDA-&-RHuPScaco4Ixm`$PD^qp8K>fgzxFxt-I{>6P*Bvuf|k7p zczIly0{*aJ&gX%k&dZPSQN*=CGcYkWj40QlGdwGFzA-k88MF}tDA6b!-RS(Kn!MCG z!5QGsY!_vniderv#DPr$xbOb!D>bofi_UNB2rG7;QJm?=(~RI^nrPit6c-~QFfC@@ ziJCYf67|A*m1tW>%vZb?LYNpQx)ZSQwxMuP#hM)e0q9(i96BIF2O!c15Kic@1wrQ? zK|{m4)RG34iPE^+g#1Qa9eNdr3R<7_pT^Y@r~r$rBPrCvZcOI`>&VkFEZ!2p6mR3g zrLMoZjZ24Q2tgB(8Hfx~*AkW?tzhej_u3&50wG`!2-dkGQDJ0$c{9>N zP}+Nc=1-O zEcu%;Z(0Ph(4 zwj;9vlh`3bQngEW!cwBuLHK)_9lTQb82JU82^f!B9Gnsdr~XHRQz94`3xDC^Dv_-+ z>YvN)z?0fhoLYxTi z@uY#kA3 zZU@)T@fIUv@pG8tgiYFZ!?Ju)GD8}ZiF)(g-vl)Vv>^phc|0Tz<4cO+b7UDK!Ue+9 zfP_jR_*?_Yhe3E0fhO8LPe|VaF;#v@9_bUsOgaZzN0-23=G~UzPG$LloH;SP&J{p^ zKEI>0;B^gN5FH^)ZB(9P5xU>DdJ?ZL><9Cf<%*Y2wybTyRR8DJE&=+Hf4QXKG0+R( z0&a})4_3VfaH%(i;SRRbh1ali1D=1ndjG$&n8^<;K5j6pRrNy9R7bNU5H`kxjgMhJ z70buJ4{29#hnw69NINVpS{;YKh_tHZ_SYT3rIV( zyA1e?EmJd_MWKQg0}7Mk?hL$cOx0J+q8SZO9~QKh6-qX4PxX0yXJ?uhgzn8|xo|-~ z1i8dO{Cv3yA^`@0HEykzK^L)(7GyOOO|&#XnOeau6_AVnq)dPSK5mwFTe~R;;v5k8 zFJc9$I?l<**%hjN*IGh1@`3O~V{=!~xo`jSPa#!~E*rui0w}hNO}$gsz-b{*LxJR9 z%AM6js0Je@X15e626Xj<3dJH%{tZhOxhF0Q19xis#KL3*Oc5jBpdk&w>LIk-WGxM*>;4)#W zE;OEqM0-%gkI2ISF$~TtGmPbM0uj;R9pP_b;NHhe#Sd&*q5?V>1-=cVpa>#0 z2;YdI)6t0~G(-q!A`a}W!UWR}WpFq$fp&FtLUpSUsc?5?hDfND!r<7oJrE6cf>6h6 z@=rQZO?dM}Q6Mkc){zNEa1@LY@CV}jpw6w}vV7k9TyE&CWqt0CmgjQs6YNZY`>7O~ 
z7Tp=lm5{v9aMq$Z(RpWVF;#P0omXt}TV&p_p?idbI&T$kdqerCWq{Gl!dn@N;9@+q zCoe&)fyEm5e{m~A)TpnuVrJcfx;z556EC~I?1 zA)W{k?@ztk2HVv+WltNMH;_mk>FD5h$o7hm|L2TSu%r zv;x@Q6(?LV{CE3`SYHmxz55{|D8ji^$ANkfEFZQr%?#v8 zflk07{L6^Xo@#B2vJQ(AJX+1^56BaB#Noln6AOwv#f9bu{4ih-%=hAltKm(`c*yfS zHib@SIK!@0C%c^7x=zprDo}DR*NMdLrUGrPBIqS{uFDBfcr;181)9P-l&uu|K#_9( z;&EVeduV@q5iYAhx;dX_LI##gjc|T99>ILE9x5`2KlD(MEN2xp99~NUK_pOE3OW4M zJZDs=bxJNXTD`2J1O?K$p)y|R4n03lP*`yS(ExOe0VjE7UpfPx=v3kr#ySua1&eiv zA|(PEYWN{B{VJs(M98ZKf)XGP0!2v)rf?*Y9#DM;%7hVw(;ksfsA&0S1LA4`S!_$X z{pNy0zb0FRryXS_5s6@;YbLbnMuX~{Y6!N7Oc`PXcaRX!BBn^EsP03lpi=}2O6eFa zhdSX9OY?!;KO2Qz>h0~}#obWc1kk7}*c%WBrB}1OSm0l))NoLaEbv14JW(99$r|ubq2f9i50!g_g9Z-M$d!GfH_g@57Uj)q@EW<<=&b?y zaD0U?u8gUZO7M#232kgIRGq6mu~}z^mop2mjq`!55+R^pO^u`mqM3p! zR;v8zSipvu|GXLETH_uR zXNJ4WJeCJI3-LU|4LB_={~9seT!74FGMvEwDbCOyg^pAPo967zVh4aGUWssLCd-G4 z^YV51;j{}(s({%pBoz3A#9YzQs+_>9p~c=&Er^N$jHJM$*I=g=ucn4WmNay1W)aE6 zH?uJFwhB{21ENBwxG|XEt@VKrm`P*$(x7NO7)x--Jr61?f@y)y;z@`=K~BJlI?x$+ zAU7yrK`ZYjUkaN+0i6RaLh<$i{x{r1tJgVG5EU%kl^>1avJ{9d=sD`3)H?SeOqw^S zAFcwv3?d@o&RJ}ar4)DMsStyMn;|i!0v1$4elfQZhVzPjm6}pZN0`ABdw0tJm>ezz`>JlTDGr{UI(Em7w zn+MoU70e}f5Cv69OG!_jo`9*XZB-#^KL(5u(i)?-E!Bk#5J^XRzoEs)n)f4IWmj!rGzTo)w>O+(vN#JZgY;6j?!`6f&fn;cXj! zYMy^})PIsbsG8bNT$#^rvJnw_z%p@b^dSK4(CIV{XDIXJ7v~>}8A6Q4H~(5(lkQK< zKl*r#ng{7%G>Tw47$)fpmD$h$wI?fCoI}Q=jt;2=B3uQJrx6Gm!ukM}{aA|-ZR?OZ zs0nBkB2x^Vz)8WpJ-9U}Zou?5aCh>8{sEVof*p}O;JYx=g{vzuDcOQbl|NmR=X)cT z8EoFGa9u1+{wHE}v~0lyiK8DF1wy*R#6;x&>d>=zo(9w}cC9>QJ_4(V3CvA~6BA8Z z{R?HAAqj@ekYLbSgbosxEC>io6hQPqSOD%7>vj;31aT~p5m4gn5S1aGEQVYTjcx_fQoj4(Sa~kW8~FOsi3xvSFWbSY$1phN{GS}mPZ;+8lXfi zig?>1+0H^bjKX$CY~7a4i#lYSsH1~}@;_>IU=#;$BMKtZ$&>7KOt-f`$e%7}}n8p*d|MgB?pE&|5&qqQcS3 zeB3;25TgrBJ-CwFf)JOWH3gROVe;uIY;Ul=6Bl%KW>P>H6i%}T%_hJCLp~qo0|6x? 
z!tfAqe$ikgR%O9;tU92e+UxrgehK6F@laxbCn(VXqLBYpy26U2ze_d99z}nIY=l=( zA-MzCL@5}*bYi1XE^n}7kqMm*1%TDioofxjZ|-h4f)`WVq1C~>YJHI7B_P^nQ=DiJ zK#n1{_T!cRp6!hg9u=Ne#9slKOJFxU#PCH_4|3E&gI0yapWC2-h)+ALYDlVkVt1zv$n-bfr zx$vmo{C{kTYHO<-ia=Wbyd_E$vGWuGwN^XZ62+q{@PCS-MX)Q^rUcdlnQJ|uMrn&d z34!aVJ=vL=ufNAOZ7bf=xtxjUW~@PpaLb?IOEe(=M`s^(LomB#bEyVc2V5+vg=qM^ z5Ro|3Pfq_2!fhB=L?Ah$Q#^%^Z$XLBgaDSMiB2P8P!P2dszP-?9Kb{F0>)WK5>b&9 zvd*O#o)_CP_k02aC7GY~Tm^Ww9s44~-Ykkkw4l^KfHLu@fW|U13Ka+tPX`#Ad+X0` zpR9#uQ=#O6tmQ|jz|CKPoCL2YA|%+xg^3&=3Yw5#PoL3hBUp zi8T%6b^yPI3FUCKcsPbEcXyCZ1=9b($^Wj)f+w_{+6B2R+Wc!RI>%$dBVieYEYTEq zluA0qVZozbQRm95AJ{jjxcZwKP5@ft=`#V5NC7EXTmY~&!6zWR+JTWFK{2c({8O5b zm!FIhQRitsf`)K9vUpnxAW@+`I}kP#)@%su0aC%#(da+I?ojm}Na(iP*%YvS&>8L= zF`*4!MT82lK~M|PxW>QN4f=r{jHVTdfarO01Rk%Sl@8EaVrZQCgu@@p9wVSZ-;Qd7 zmW(kn5>SAA+E$ELa7HjZ&Wp7R7_?ly!u5I}#(`olutx;(%r8V@etnvG3j=>~nnk#^ z1lUUvmJ#ii0DOK+8%cr$VZa-;{vfRg$PY;j2BHg14g=8u!^;Z}k93Pv?Gu&{`yJ(J?64>cXZ_ z8GsB?=NJj)Vnca6(!{JnV#8VMNRp2T_em&xD@+-P_RvHfDMWSPwNP&h6Rbt!w^)Qs z9gjncL!#>9m%_CuBKJqd#xEL?KZ%I^da#zK2?Q)kUMTh#MF*PEg;fy*JeQ?~DWvmd zM`t+R1fr#?65QC#^3ll?UAXo&HzA&)} zZcG!Ce5LkZNCkyV51%oeURif)r{FDqsw>Lv&n5KxjyJ!+A zR)nDza>pbX0)n(P0(^B7JXpYw01GzJnh)Ii4g576ActS53WTUODDhk1LNFl$EdW|H zgj;z9$>C~;f{jpTf^FO<@Haw7{4LNE#1#~QWBk8g@=OE=W8G9lAhd38z|sL@T!@lQ zXj{h^6N!|F850pFJnrXmD=azq+YoVrHgcIg-3`+peBI#QgBYdjW$vv83K)nX2zrFiQE#e^+y;LiHwRFRm`Yj4f-QSMT0>IqoQdle}Yj-h(^WO_E0Fx=C{WC zc!(~L>fE>vxdj_+Bk04uR4{_{uYn9<dv=PR_@=gLH{D? 
zhn6nIXjDr!%OB+LilLx?ITVDZNuV(wbpqnnU@SEv>Q?c&ktAS9Kr0eDWUCRm5h*?u zz@x0TfFSW6w-~pIq=-gqc}WrvpvAPdnB59$SV$l)OfTNUksEQsRV6)d*RZ;Jq$7DE=?ZB!t9!^WG< zaz*zT5h@c-P}kDJL#bc_iSNeRCPZVX@Ic#;I8x{U*=J=ojqVM6RsaPE6&2?_hYyfP zGBYXsI5|E|)bXh?=n)O6U!Xune7rkwC4T>YXA*nUIcKdDpj+DPz=Z=(NLiCJ{J zp0-4=(E2wI8k+&+JdF*MI*rL>czDq;D!t8p6+s#*mAfA*WDM{{LHKs5hc>%mxKUg{ z#0LG>h~ee}Gzyd91pZF}d!_i&9I4#eMJ%9j2qwHT(#}kl4;AO->jLg=+qP_tmD?4N zX}jI@l8;J7KB0Z0*v^^qoa=%-*`1O93p%>B*8U=^T5&K;9#iT`I0Ho%Hz<0 zsL&~H3?_JOeQ?Q48q=2strh`e2@bjE;c5)fSv<)D;Jqy;;5C!b8Bj>djRNhliQeQ( zVKXS8bFid@;_U-A(S-YN^*U#YM{Ae((cp64&~wze+vI^COqw^KM-_yKgga-kJ(g0y z<~rQ3f);s#d%S7>-YN`tDv&#HyBhjA+%w*6a04BD2-=%FM2+A+FoP^V{;vF3Y%2f5 zd3~w)(VScv-YVQa;mD&3LIcnj@UG*Yr_!8RYznk;PQ`mE!`aoH=7l_n;m+`8phGHn zEn@mZ{k3@=NET-SrWLx5&SX)LF+eJ5fS$lcMIKC0Q69OR$pGI^P#ec^^8i)Cz+7?% z1Em~5S}stFV1atTm@u`$r(qVrcq-7BfZIf6$77P`TVvF=*&D4x&s*~=7{%pPtcUtX zH=2O-Rc8nQbcbYA0N~X~I7HNAM1ZJxC2IL~jQu;Qs!&V4a59kgs5#f--9dXzK%dBU z?%LX3g6I7~{b0Ptmah05#kQwbD1!g@>X5_kpMdxOyY`m=?8IiV0LK`Ef^*;ixLj#-pa4ywatMTo*GV{dxY2EB5q?wlN+R>bU%a z@$wIaM$3EYzcn7xFML&RyRK5kLk3G3pIjBbUrFgmnA}XMDf5?qxLE(Rv8uUzOmou1 zCl&73F2-Fnd#b%&VSN4VZ?9u>NgrRuWtho>KYQgRt3U55-7 z^;fO?_%!vwMta>v{*?$_MO|>kd%J{`sCz+&TR4RyMD`0BdykOVM(%ode&2bbJ2%oJ zm^-)fU?aIDy=T&U%(k6mDf+z!cg=p-;gFs&xBn)6IeB>rvu)#R zat?V97&18I`>;FZa}4#-_qsA1yy>Mog{jau4t~{rPQ300-GEv-!_fX(D;m_S56z-2 z_U#)rtG)eXW(CbwO7r%<0f*ECp7=e>I%FQB#(p(Z?e-1jGp@zim%lfUk})_%&E=%0 zEI2W8aX^{Wy%URy>#Fx}Ui4V?d3oOh!BtHw0vzU`BPiFU516hciIb?%bj?(fNLW$Z zr=k4LKEn}2djGKjueRPax6*NYc&f)JP4~zZm0v%|Zo z$35$x_`R%u7OeTfsyB)CbTlo02WeZ_DVOV^0~)}vTBgx0ID4jQ7DX!MC4GKhJj%?Y z;sJjA+<4u-s|#j)A6+oLF)83yI45tncG^~>rt7sui&!CU2Tz8dNT(L1d%le9?Yyr^ z;d;vD=8;qVs?<-dVP8)+_>$cmJ3Z*U!~EvRqok*&XOqdKQsI`Jlc0Yy?59u?q5BWSLsF$Gdxz6fRUm zlb>4pT8hb`hl7o1qA zxL|};vU#j=h7RlL1*H_nbdRoQmfgR$Rl)S6--oAK#6dxBVbmQdH@q+KzVRdw4Smm! 
zogWCvmFF6L)ZQNhV>e;VyNZWt6Q)Fvjg7-4@g#zI`R%D6A~~l^U0D}udai7&)QlW6 zRa$EDye?^}Rp;O1yqXLLO{2cr;kwQ7&@3rxLHv`^9~STYV)XX@rJz8|{{G-AqbEtu z=hW@j@{;PSK<__bwASEmJ^P16ljA2e9WdEQ$R8W4omINBzwtdl*qrx0`bn!xT#KQF z##5!==kHJ%H8!vUU;RkAydXg{e{%4bvf-Bg_l{U~lMQZ4eNjF+daZ6KJK5vKwT3qb zHgkp+e7O95Y~`afhM#DmnyjZc!iFf!o-pF&YeN2T#}z~7PWwEMx`(qept16tMX+UW zLPTWHjq~>TW-mwTfX8VQ&Z=H&kmxmVv|deVR?X`;)~*o_>ty`b^c+A)tr^iAQ@J-< z$G=*x`RjXCg~pvjZl+#UTq_xGe>kt^=FT{hE1l3#LhO-Iv0cWp=1fpo-uCAYUT!lZ z>|;8dWyac$8^9px5sB=Yi_T6zRjp^iVS=ANe_;dbmHvT!m#TH&7yV{KbULZJSwQ9_F3ZG z1dW8OSfb17gkG~4^umnkbDKET#B22q>&)lndQ?BZ`dVwH`}Z&9vY+1G&7nHh60f8; zWXPQxGu3w|KCkRX#c*lX*BO^Q%inqpFV?yj*rKiUfZQF~3qB6*5>wQFS56CK`UPaJqQA+U(X*@3+6ibsPd8wuL&>LelNSRGdR)i`Hh|A zaly@B5_1PSnGC59FI{P;%qe|Njk~t0oRGiv1D?3fK>q8{Y4z@&xys?a`u4A1p0Q%< z>NPUd1=Jnp4e1|Z%gpIJ5-CQ9BQwC*zjniI_R0;HR#~{SSZSV8xKgIlYo-25<97CW z`DjgqL<*2*blJmiV#(2670q|3f6I2ZUuPYbLk!%IuRBTVX6~7X(>6QzFPXWgaeJ2S z{(R*+lID|g`j=>Wa&5!Q&2gNG*;xj$S>LXe#3a?8=d9Ro@9EZ5z??cutG;4iS$<5M zmyE1);=TRM{S}lkPfzb*Z;2(34y+pWIjYyXeXh^&vlM1c$eUf)tzX)a2UY9(4bR?1 z8WF>B8biI|dHd3m?`p)2LFO6R*EFj2yV|?w7YxqH0c6Z6-}EippeCnA|3z+vl3#3A zFM?XyMt0$uV41Z0JB`h>jjNI`?bkYV(CLLwLxxKuS(PSDysvbStTg9KfM3Dn#@c+< zTh`8WA5U_M=C=>G((lHTYk(nfi6_gwAub&T&*22GBc3m_O-5RdPW3Q&a*Ae7d{`Dt zPM^2w;RyR8qe<6tHS2He4=W9Q#TmcB2} zYRmHJUv@S2EVIux`EtcMeFbN}Qtz8i#mNpPlecN6x!SLLNR;da;E(dKCc}^3V8&M|F}ON&ITR?phQ%*gib>K?!YvcfcE+^`)C) z-8dzscFuJ&X@%(*wkC`^8<9V4(n$wG{&xMFI`;M5Hw~)Vo?W`|U2c;0r4JV01Bq4R z(@GmZy$wR`;gC0w={^Cr+c|6^J=A~l?(W0`VOiUc8Uz?Uyw-mh-6_>_vE>cRc(u4S zjS3laA8C(s3606T@gg9492omZg}(T?Sq^lo=^onSvj%N0A9~E^eUb5;(=5N(aVevM ztSjSVjq$JI9gI9pd&X<5aw+OdT&g6e^w56PYa3llIseJ_bknWZXDj0Fd&kVNPd1tK z#*Ch^gS9OsQ|r|wQ=p-U=698z==SM0OD()VE-NC%D29yND)~5ob9?`*{T!!7B{2kR zI^L$>40Dr@m1)$m21jV>Ia+iZ-7jsKl2nN^ z`+h!ibd_J$xA1iD!f$WabDZS;<`NoZE$gf}kB2zT9ZD6`_#g99UIfg{zIE*U>KZS~GGl5r5tOCE`~ zo3bED&H2v!rg3TZqpoCr-6%7sq%mA~|L`i~tb#!_>6}D!xsO_OgPI_^2_gR$ASa`= z%?|lG4xej@SD9LLda6e-ZsqL^nHf2?LKgqPDTs`5A3S338Up7`8eBd2Vga`a+J)fvqV&e1{38^#hX)5mX$ 
zqTyr@hAnw9b}DDq3$_97qE}_qjrw#?QrgaC_m9!ueVSK7lYUk{)-Za${TfRVy-=N#3qT1K901Jb9Ooym`N?_A3Z5rUzwvr*&*e4faA0QmzKS0jO(fE4U*HQGd9QKBpLP# zrQ$fHHlG{RwdQ<{^`XzFZ=G~Vs($|dz0a-n=w@3-#YEuE*9Xq6>B9!T=^k>G8Re>1 z`U}mnoZEY*T1*%ugFhZIx6i>>FHAm1uT_qgi`IN~tpZ0Ucz&2jzf+?n%{pjczozK! z-Ttu*lYlH&HN#CoSADHG9y0O~=Liv%rHhwwoDMwLzxKs8>%6h_5Kj(}Ku=FU`K*3@ zEr(OOlU}2C{xZ+kI3Yd7S5~F&grF@Q9jgo*5bZao3uAgvwh(b`OT za(jPpmBj1UM-eOn$m^jS0jjcpU-3E!osg^P<56hgc_o)H@mhS|Ny>H3*g3mLdwm&R z);G;iD}!FQF%S%InsWMgsj^w049Hh26si)hTO3KF-&&?IsXTsG67lTNX~c+F#b^n8 z0%^&WE?x@(t5-dIRL#>myS1EmQ%W0Glpb(Z_yp*CTjV#>aoLHr zTNM@KT|Z1Ldb@F6n5)t9ZDcB^?69P5GHp}I@JNIF&*M#4H0i8C#Kv@e?JqHtY_dP8 z5Vt)TR3e)n#R*TTY~DgHslPS@8Ls|Cl0e7Plzy9^zY*zHNZdfgiGCU zVmF6;Db~5MdnTenUru6!g&tu_YM@>*B&R}*#y@|wS7(UfokLH0t2sx;&fy#j`2MZl z!gpvw-`u3p^hKVr<0Bdi=XC8qR-z)30D@I(dV3To;xc!uQC5@B=SAiLYc)h{zJxI2wXoLGj|1S{>I7_ZR-U(4D{2xC!WUvBwJ*P3r zuL0`H>$K&Ep4>2iTD*E{Q_=EDSY&mu6L>v?r0e(XTNzy{7~PPPz;FlAuV)YmUN6ii zeb*GxqZ=|CjP91exv3GNUoQ*-RZ<7qdbKjT;>mBvKoWgs}vWR~e2=Hk;yYJlQL^KR-!=H6wJMu@_mw%cp$E=n>V1)G-U`OZz0wk>)4zuyx?ILqmHv#DIT; z1Kuz5ENOc3Y%=M?eYQEjX!P6iJW&RQm)A44zx;HLv#QDbFPm@wQJx`Fyugn2l;9EG)L4NQI zz^)B4Z+p)ed{REm`gLyj>gzgjO7)**BHpi`8+SS9CTAO`)^P5-p?ohecsayoDFydS zZ-5cop5Em1`TH=?LEru>N4o?sqAklS`Q%>lL31&|T)~{5)2^_;+pv_^P*P`fwu9N=9x>Z0h71nlg%AdnK;g5(iz#?w;W^-eT%I+x+*AT zWyF+4gI3R-rdwa|^`SP5Wdts5R>6o>Dk{%bzrS2{OR3u3ba#{IbR4T>{eH*k>krDf z=Z?4SbJ;^G^L()MOM6y4-Jf36clWLfBVsfwNaV#wBg%SSQ#g4kFG6X0v+==6QL;lQ zFCN&XZ631t;iF=c9rW$D4ryvu4Z;P?UbIh5V_vXKkEa3s$-5Tx?C~)5pUW>_9W+*I zEXdqyz?t^?R{a2@M^is4l+v~O1{dDKU-WG_;Aqhl;23ZPkDoM{kC!|~0{%+;99G)L z7tq?(r`Nj{Ua}*m(Ld!B?O>TQdL-EUv#$Z(vd!2t;Q6^3I{nFu=4EZKTpww-e~Z(@ zyRPbm^OYiZ?-}*t+9@}!x-U#BV{ul~#XIZg?xJmsi|cRnWxK3GQ!OberDW70mjQb3 zoB}vsB$p%xJA^B%9Ft=lleD@<9}^h3$>b=5wZvvkvDNDjep?8B3%vTjFB`k0xNc0Z zZ4-=dPaG-Vc;IvC%AhOt>6gBb2cfzxXDobPz5D0hy)%c6{Gu1tjoap8Ci{hzoqs-H z-fo=ojQp3{}9k@UcDhQz%g)eW_(lkqvo$j=2B!|Uzrf^vcBW|J`|+~ 
z)D1m5L#un%rS}`Zu_EgmzFxZYOy2Ob_07+-iEAA$tRAy@#j4#7BgeTu9_g8vak0i?>ESnA9!`}k|lkI!t}9y4KQqe@>yhYsP+7WaE&&|o!cN-NfaxZ8RT@~xEcInv?EcTEvs6U<>Og4P_p@8;BJCzz1IOt-{!$y18N^P7HTSe%y|sV zh%cVj_poAdB`~eZT%Mn|zX=&BU&cM}-zBv&HcN5c(Z1!8LtZr(=ZteH&rVNYF*UtF z$~?S6#_H4i^3-ozDJG+hpRuMSPfJTz_b|LQ-6T@cVo%|{9L|L1ixsQK(TCNaaO1B&{mpY-pCQ+^n(t9oYRP|Y&C_@^hf zW|$qiS-g3L#xTtBzlnrtQKTy7jSJjUH{t7?3PV%m!VFiojz*ed#`G2!hu)O z#VohU-@gZ)*0>)yAS3XM!CBuk&BN?v=U#tHp5jrSz;d>&-%3wOwlC1o9CK;v6Eqhf zzyHI<(`j4HM@+l8vid~AmVFBtQ5Mp^ZzuceehqneaJuRGuMaF=(mXz{m|nBBvTQn8 zswgtdhCW6HKjzhzl<(KOY9~vc=CfZLfKJ*mL+SlU`D!p4${Tx{4o(Mnz<|3MoPvv% z{T-g398})CxIBupe?{KYO9R=uPvvF>ac1jWUNUUfw?~6wiYl(1^)=*JU;Q-SyhH~l ze@!<-t?}i6EsYt{Tgw;QoxguGB|mOZ7s?BhC1q9jN5+oau~|3Nd{F(MhOV^o%Pty= z{I;L;ib+j%ca$9YREm)=sg`3u!@rQ~R<`0)>JUe|v;UwJ#~JLAy?Qn;-Qf`WEPX@L zt>bcj1q)vH33s8V+}Kw?QGxMp-p!ID5_9G*3N1|Ql|3m9m%MlFs12O@`2_jdJSYS4 zBPKv!*>^~_D){$%ZP9(FaUN3%Q@&p@_3-?R+Z~%)axX9Olc(yGG){FbDWRTYU5=$4 z==YUMpwQ2cS*By!-92FywWu=fZmh;o?x+>s>RFu|_2TP3n;n{~&ZTM}n}v}+;05H? zLSBre%kiU|0Af`Z=59IooI;xYy>#v6wM-cg+I#&p$%6SSf_Cj&&Py>sJrs9fRTfoR z-qn`(Xar)+Jz>x7(_8g`!~QMSS}OdDq@g1&z^%X&SU0%Z==6B{8}o}g3-}+e*S!Qd zc?{jKRl(rjFEQtmrTc}vAxs&kXGT}-KL7qC0q24nacKsYRGH(`^Sc0oDd1e_ZGr5~ zQv>IFjh+ka%^C;EkzFSfr>K7=pWxFsAxp*syCL%8F%50tX6=XyoVeEM<*kJLF2hb8 zOj$fs=GgYxH_eZ@^C@cJazQt(-jh6G;$*<5Mp-ElnZ4h#`rM1R zDG8YcoFL0U+|AOWThA7**JyB>q%rp5lF3KOO8u5eT**)c+ z>ausEby&kgZ#{8qPA<;Uf2p6)?@2Fj**igc^?(K=YAv;4l`WXR3)c>=8MP`>sgF9rt#+`?522*uv^Py#@ z^uSC>=vFyMt>-M8r#m%NU3DGhqc5fOk;1v4ak)v4O%jJ;oy66LKy&v@R~bH11@EQMFy7EzLUz%Hx%5NkvHhbG z(nl4{eX@4XMAd*K0C6vreaplWdHLWw1jF)A>*R-oJO+73K2z^`Z>j{eku>g%A^ltJ zjVEuW2Xw33lTn(+(Fyv}bJnF9gC<2yB$ZF-x`h}t%R6Q9;3uwckr{_ zKWS&rgf7wwtSfry&n{g~HH(u!wWGTCUiYm@4e9e`EUTZ)k@@mrdWBX%pX-ZaGWOi< z_I0=R<2g&-*F?OTpXiZPneJaX0gOtXE+vh9X?E8qi+k`w7;+LgiCqOtm9es;D(-u)Aqq zlaJ)|J5yWrZ0Zo{u_4VHBLbOUo1P@rJW4w8z^|_FVV`8>SgB>*j4BaqDMW6<-Y>HU z`z7ysJrhj$rivYR`pwb|b`5eb?paOhOY3TUSK(R8h9Q<9ED^Ykob>#v=W)-uHOwQs zXAl?1X7tG2Hva0-e9dZF<|%)Ao=H?}*6hREdll?@AD^+J+rztuZcNKcdzr9jV(PaW 
ziVE9x=HA60ZzFSNxz1Qgichv0yyw^}qCwS0?Z=#`F;Q}T zmfu%dyMtDxRvujUVR7W5fZlIy6b)|~kktb7J(H>&a!%)Lk3Ca*h1`E<+L##kwd0Hn z559SPQfXw&&4Kj87uAFM&3Zk1{mbFWFJ6_6@=qa~-Ba3`l^C+c^^W6%lEks6nrCE2 zet%lGENHyBgzi+@u)2hctH+zITGoT`@*@3^ZqYQK>sFEW7Y4l;GUVpY$=W?NRW?lZ zqJ>4(pWc|Gw&KOu@#ed_Pue!&>T|l{)ugkyVa2h%dU+pTeC0s@6-_y3{P)cncR?$t z-*k5ezyXO*i>~raQ{SP0{HHRG;f7QLcVGECu~=#vP_3sllp*$xPg;F7_`|2K^3ht7 zT2)!YK|t};yXOHP=iM+HGbLn@3A64qn-hGvXE@y=;#Q8T366NM>5Fe!S5Dyho`r{J zhGwo;HHaW+*AxXQo~(J(L$~SMNal(R+=L|UNQ)fY^F0$3E$m93z2DS-QjN)h(wmKS z&t5ld@+&v=H`1EC@^o*TsZTaqYu|OgIV019s9Q3+e6doR&iB(#Zyt$zF(iG6^d_f= zg)f?GGpbjdFi0OOy-7zQ=6R#(lwHe}DyqIMlUcdE0ylbk@Br0<2dkfD&NqI2Z&GzF zN98qRYZW1)X5RNtj*$$3UUqe6 z*K#-0tO;pKMa>UZN;u0NTk@!;^wTZ>Z}Cnyqwqe_#~v0G%y|+P>u^lY`Q0l!pX%Lj zW9DCc_dM}T>c>m(53FmbNzJs>aar!c7*|gYOkObVMoetkd993D^nl0tIxSgv<9aXc z*06T(F&*P8!9W5vkabN^jJ#hyj+V3gVVg&w3+J?j}6x=pZw)y z?Q?DKZvoSaF4^VSX9pE116OP!t~5%+Z&&@U;53PXqRCNs`I{+0hEO?VkbaINtoDa5E)mpEh$3DvLPp~hw|FV9mN>}GZ#kS-mQ z9rX3XVukHWS4T`uJN9U0X5Xw+i4jI#&F=>EUur-4_@F(ec~mp`9uIdo5C7*y4#|pI z)UC|x#jR(4&p(X4FJJJX>8{Q_m0bh;%5H@L@{D8Rhi`US`7kW2pg1yR)cy;yaU7@6 zMaNU8Sn3Aq+?%vbN@Z4gWZ^(t#p}Z>t`0Y^8+R`5l}^B0ot44ICfCwujhXU6Ke*z` ztIwvhcgVzS(U=r_y&`5pY?)2{+a;)U2Vg(IpTeqr7(-5mfMFakc>X#cAc~4cEPT@C zY25KZg|w1-4m%}E;#mFZTU#4#jAO`wa~!jKshFGQCB^&neerat_Wqm7xc70VtHQ`8 zb_AE@O{tY@A3ly4wZVq&=6}@v6+6?gJb8bOZT{>%_I+x3GpWegcE8(0d%EhB;$byAU#KS; zza2q{IHGh|WAw!(b^Fh!P&bYE1k$Olm#6H{PK>Cr$|t0!P<`jg)Tlmnx0a~PEAP2( z(E-(%Sla56wD;>AHD7FYzrRJ%qVENbz$q)AWz#~>)pdEf?V5i5cD*xmo3qXhda{r{ zlW~I)Z&=mXYUb_dc|VG^i;*vp%)?O%H{wb~Ol|$ANifxi^DuHCHUSPj&xxzDB8M^QCUbmltPudv>DsX5*8?hb(<=$SX93)6M&Z zU!XgtT&XG^x#YnG2Q9zPhadV)NtTb5ax8e)lGCB5094-I&pS&8KuI?tPuJ)Vy$p;? zox(}^{f7~V5pn118{I|`63yJ>rEgl~WymzC&Mm35qI;?)UP?RbG(Y7L{Xp%TtSC+? 
zUO~Dl%htS}^0wcZla)6V(?S}v07Vt%F81lWCchW?(!%qy&bFhCj=eIo(y(2gG|hW# zMEr3XS~q{X-^DLE1MM%3rSEXOWOuIj!kCNKmD5fe(k-5ObM7T*7+b4P+TJaySeDed zEj2@R_LH@h6II9g)KZu9ED9^4ZJB=m#6*kpF$qPZv&$puLypo*(wIvltd$a`9(ZUp zL*wZMT#sepRI@GWeKfOGnL7xlE{>U)WcZPwy^$JmVkVv3c;S7EeN{f>&Wh}Sp#5R1 zfxo}Nqn>r;^c-LVI7mI~S&i6xDh}h5X`wqN&si0f(RG^ff=e7mwLzu9S;vq-Kb0qb z(!jb>^Vz)c+C)P9_2NN0&V5^WjL$k6w9r2Hl;`t@f%+H#BUJz7G3z1KqX0i# z-dD7)RDLf<+4ZIKn-T~5paX9Xncr_(>Qg>ODQ3!=hyC}=J=^H9lJoLH#`1)(##au7 zPR2f4e()P$b*tS8w5(aL13WKF*{%Z_mw_tS6lOsuA1A$gh=BAMN9?MR-pAM_?<~$J z4u+651J!kUk>|fGdjAUWq*KjPV$tLc<;>iq?peq4u+D|VPT*X0EeYs5O%94aQqT2p zyaU~Kw?Sjoxdn|U(iGDw_8!r}#tC-o>E-v|bEjXpKGypNRzuGykl!2WIj+|J2S<1nr8>0o(fN}YUrox4UNhn-s)d^73M{mBP>&rII%*wO(T@{`l=UEO$a43xgvdgHOS-ur|P|r}R^j=zMQTCSGm_eL4 z?BpW)!*AcnA7v(P9-Ac{2?k?zs%^KE7SN=rX9kl`Nn3Ez&T#Iy?>{ydmD_sV4I%&s zF8zFN;S`A)F!JG>w>+)y2NCL$Ij18)e#yw?4t6b9uU@_C2^auq1p9jn4 zyh~a#aK7gEB~=b`(_^=*Gpy$wpEqP(zgL=axW(t!mbn(acvCZM@tS`KhACEW^)LgY zCE=T|oY{5hbZ1Sg`x7NRf#+7(+p|05yZEf(PWyz{4?S~}DjuHNZ}nuM-PvU-brmy~ z%(=Z)Wz@T(Bdf3HY;w*GzrT2$LTs7TgfZh=Fp{ojfGFfLE%YNq5!5KVg%R0-vD*uN<;M)wV7(?n_FVvo_Ufawu0=R#Hg=-3k*Y#u+9giVaC@@JdEy+C_-K+B{a(`Yb6YhY`&MbJ zep^_U|N2|qiMW^NE|KyZWlcFT8ey`qB-SmKu6QpqtA>i9fa|aGG z?yH*FIQR1g9!93;1W0XG#n?Najjxaar|iBjJ8slQpo;u1PK?cpJTR*)->L4ImxV^u zaov)$iiZon{2yg+9Tw&Lb&Jy?pnw9>Dbfv+0wNuvNDb042na}biAaMq0|H7)Nq0BM z(B0i7-SE4|Pki6^yuWkKbuRz&VwmT-WAC-r-g|+~wrd$M;njmq|0Oq?Mdv|VFhTpE zn#G5+^&-ap+6ai+UXJ&2S5(@|W9HTA(6<#!XI)X6^{zVU@WtZxGBSQTlOO_VV#~R* zJIYR;a8{>fFbady5|gVD!EQ-Pz@&*(b4t;eJ!JZ7XE%uPZO-F%#WRve?Anq8&FD=g zk-IBnb2prqJ|j7<6)xu&p=4+7aA$j$(mH(Y0TZI|g=7Q&aEg}eotBu$nDYw+N1Ejw8Zh%imh zXhCUO0{wtSZ&!PMQ25kVIVpkB%hZfq*mKZWnTu|#Ca{6nV2N4VN+Ziv?J&J1U)WKq zem4}J%6nn5YQ4TMdB<*6`Hks(ay8$653U#)%wciZ>`K%LIr-hKH~tHF!eq&wcslrT zLka>Ncri1i6f<6@9bPOqWV%qrkRlEw|JvCbU;of=TLT-T$4otrdsEhugbMaBhuvm$ zMVR0n6L}*3V)NyAoAsF`xpa9L_m4a9PL2-4+2*#)P!svM#-t2|ga+%$;(Lh|?<}ln{#MGoaH6!$;K(s$!^Ut9!{uRXv0~%p2SSn zd$RrdN(>Ds4?CDZwWqB3cpH 
zWs=H1>cM?Tr*|q1t-El?4N2m>d&>92;v{~t{ct)8pk4s^a?-mZQ$2e&GiM)Wy)-yD znxh4s-GvE!=K8ajo`b5Y`KklPaynJEgejpU{-S-3!Ed1ZB3LX?4V!{oYp;Zmi?W=w zS2ymNFYBFlr(GT^xmtMTMKirgl^l?Gr&$x*g>ku^xYwWS_9z`33KGrTD1n-e)Lc;~ zNX)CTS9MKF-b=&u5Wez!@P4{!h{#|I6;o4h}$m0_Y$Bf|c6sXh(_ zC}#zebv_wo?+lYEbfC{}=C6sx%;ZB*nM#N_^azsO8x{)Z@$_3*+y_%v?Uy8vSU3Vf|@HOiwdhiZLIU3+}nbkGM40M z{QP9-hYiL%)C=YUd}YE?wK9U@Mc0%?j?d^K$VJ$A?ER10#`gw(=(3dz57sFr?AJuB-;mCt#Kuh z9Gcb5t>Yu_ky7B3;p0Vam#xRjbVH9;NI5A^RR8m{zRP7hvjvfaC|xFME`3V zUB8*A+e+>Se7i5)3(vowJ9b0FKIJKVqW<@wJ^bjaqV!S~JY-;y-Xkac{vNT)j*kp5 z6Q|&vFA!}Mfy=!r0hbG$NTerI*>WuxonJ(gW)^bl1u$EmW^<^g<0Wri5legW5nbYv z2Sw3@@7x&6xF58Q34HkdA;gHjgcmLU0RV+&q=JnVDa`{?8!+PKoKLCf+I#_b0&?<_X$^E@1u(dde1qSJLdcfq-S z_qdWO!7Tz_T~|Kh7T%ksJSZ|&|8XxJ$)X@DL^AXeX{#0K{+N{@StBDsweP=3n&b{Hr5{l=0u>j( zMJ;%ZK*c;=tc_s+NxMEbosy!yNUwJc&4KdVFb$c?=zes=bl5%P#K5KSN#wUq7#m7| z87f+r(zISQCo{pamHm>U(Dg{eza}fr&~RI z4k4Il@{Lw7lhaev9#i+7*AyHmqhKK*OIanBwBHgN_`W#a78|oA#G6{czRyVd*3_?e z=j(2sm*T6g_2~t?7vT4~J={ANa9CxXbt~LWWu)7G9aR{fOE7 z^Rf9-;-2S`9MsRx?|TO}m`rZET0fQV16|*3mD2-tpZxvl>@pRJkGo!lC$+4ETi?Gy zQWo83lqX<$Fik;Bn_nUvMPCitByIZoddK(03|cbZqEzYoxUY|%bES{n_=a8E1Hx5q zK@g9ivG?u(6z>F1E-CKc)l%6)>aUMWRFxyPO5Dzp-i-lh>T?bR3iMzbaRi zi~3Hq4jzkixBxdke?@ne>_|x0>+spM+V`(69~VN&_zNvgMe}qkngX((?|BlhoK;*l z1l?FS>_x$~YVFZi*)>CS+)ftrZwjdOlBX#Lk_GLEuIDI&h?K~_%PoE83WGG*V7G@{ z;&&*2ZB4ws07Ul!>DuecQTZm#^fAUkWy<+fie`fikFLkQ;BTh1w2m8ZOv!IHbKHf7+nwlT~=>_lY!&uRTQOnoz-h*s3!@p&0-0)}-GnODR&p5p-{#k_$SLlMH2rM?)H} zpW#AEjHS!u36kyP^mIa?)N63q8(?@Ba`uGLQmMdo_2?6(7%xOTGy*&t~)a$FltD6E8;ntbWd_|(UwPZW436x!cNM&bA9?Ii2QlvQ6V|=bR)Rgno^slKY7KH7R#}cl zQ=CzIhrm-;iv6xU>-t1*K;afwl9dyyT^oe(94ypcOsV(KZrzx}PoG#=G+J=bf|>Ar z5aEL!y_TiI^MDy}hFsFggd41Pq%0+0lntbsEq&S5%i^E465KjEVXkj{tbckcSM!IP zaCXF`-q!|U#%IduIbjt-WqHHh?dCaPGOFCrEAGdgL1!{r@9Y1&ueojgN_Lpu=tg80 z!IV^jV8**(2+qcL#el9sqOI7Zzf#vyyUvl~p;wYmj+2@=0C9D978~i(ls93=M?0qv zn=(>&>8+EsoiDOqIve%leSnN67Bqx3wR~RM9I<#E)*V4dM(O&EPn3-B$-y!39srZ) z{X6HPvJoPJDw&FAy;bfjLFbo`TC8;}CgFl-ZnLyFo+Z}N@AE4^$U_A`6bdq?uRq}L 
z@3@{kPUPH7v{@hAH&Cs+Yq zukYX*EHrc*k`LY7sE-#}@Q>zA5ufX7b8i)R5zUXm?0$FM*^95M)MVGG56N;nk*esW z_#)zBTf#6lg{s>|A!z3us>R)Hp^9wtZ3f0VV4_YPerYM}xUi($&`MTtB2iykv}Zz$ zM?pdRTpsEtD|5%0XXi$g2}U@NDzV@%0wC)bDwJL%AmN61%Kl*7zBw?U?_KA%SWB*3 z4fLj%EPDu^N_ZNY2jDmPSoP`(y=H(2>R+RiiKie>cY)F%R_D5H+vXVT_U97ZztWPk~R-kJ@7 zb)u#3?=|jrc^!qcic_A#W2dVUQzC9-=ZKh88$}3J+h8E{mGr*PNX4>8ar80q*AH0VH8>DJ-TbK|OHW#I^z8fSZNIy_Y zJk07kGt<0`)ja61Y3S3@H`YSNoxlO&08eD)W4-)7m$*0=BG3nCc30Vb?_@%5fPWzZaAiy)4-#6T9~=?G25(go3|X{rKwgd1@k<3MMPr_dAxZ82fE zhL-JZCINFai%~Lb{8rdkC~PJ0A%o4%g+rcJ38k>pPGHIFNJ#Idos=ERki}p$iA`#M z<(RA-BZ?zOqS6lmHS2f(YPhg|$`tduTOco=r&Rr1_d)2spZ)&P;1G9TSaf8K6{U!+ zqL@d%i&fa{GgQaXwAh)hBrkHbvO=EIxi1cmHCul#Gj`(ILxr0qUfO^1K@i9u5=CPa zAjh-me;iicr%F-w>$apaAGo*Ckszc`p*8eivg8@Ro^r`ixlmC&)Do z%9Gbdg{wS)f-)CM>2Vli0^U zF<=Pov{mWveZwUBpZoSV0v5jR_Mh2N^BBc^4|JQWs4pwMgY->e%(NeB(6)Pxzrzhz zRV9c*FF&Q{R)b0f=+GK!P&OBh>ZcPw4hHiY0FB~@Q3Ft2W>xs#h4qgq-ZQqWXMx#% zps(SqBr0=L9;`Z$p8sT-@2+VQ|8e(}0&iv9Fk6zkuaxo8m`W7aE{AQvlw;oj!Bv;U~mlEu5@d zozvn4)u_Wa9^hx2lpC!CiLP3QC4}$3yPA-D<3LaFFA!l&|GFpp)G^|&Z)4{vYD=lY^~>OWKClPYE1_F=D1yg*lc zC{uK9*s^Z#!rdW>8f6y0@bWUm&~iQ5-^PuAI>m{g@c5WxAEV z*@-{j&GGDoQl27~$zNnNkz7T~?igh6|Lh%HKe_wAE`J zufL3i)3n#iD9g!uJ}un+A|)`Nq)1c;awpjP^uHX9xi}#ev~5Id-W{nC0~pwxSbU*s z6vWY}F2d^N_L)jhO%g;k?lL@|%n?VcrPt53N7r}qm@R+Nfqoa6o&PH*^0!VQFUs|4 z5@MbwvZPtifJQcym$#zX=ONNL{~1XtLagXyf8k{uy~RMQ$kc|O=(bhCrUDv@wt5r? 
z6{o8`t+sX?juc7-z0ML6JqR9YjL4IewzLO0uwdjAXmMzk7T9Wo>-uv=QxbfPE*JtR^XA^gU>(G&qG^K#ojXMr0FXkf- zUCA8P>{mZt(S#6lHUEBtk8FKcw%1ibzT^KXRir#oqjE<&+CUY#Wc@v1djEZ>#DSzY ztvMKt{l;1Ce$KsHvnTph*y%nPjeP-}(_R(mK65`F(O`rW8>e>W0Rpz%llW+BtU%^u zd&1`8$ZXnSOh>cMm9N;O8){hm0$Rn-uGd5xFKCIyte&@i{B5Gx1Y4`j+z;3)eU}V; zuv)v&;=k1Bg9<_lZrx9rI~YtpNy0vU*w$=qKXrs<$+Dq-50JCGQik21L`$blZlZxa z@p2u#4GHA`dno_%)0>r+-4jIB7Zim#r?Q>*7styi;=0fHrj|lK#-HD(;eA^g!pzGGNvf- zMu=KbZSeF!IJTih(<=}~S&pR1;F61Zl1l{>wVmutg=(_AEq@>VjYTczlMJN`8n9ez z5ZrC{!v-|;*~#8qIIs~SVtARZ(MP%8WFh}f^=#Unp8`9*NFInrI~i?R=Flq7ApfND_1vRu4?wjnHncL@X2>`^>z3{?kNbLy2I6; z)iPjCL5BrpH(j=U)-LJOZlve7!zc2)5p{hq13Q7=It=W=LX@&-)2F)+6`=$f5B(-& zs631pjo&9r;)ka^wIoG&N-Puh-?PI{|DICm(lf5ppS(1)s(dab_X}Gyy@x0hzn69)z1r9{~ z#r;vQu-l7Bcr6c}1LGomGG6cDFXD9nMn4owNv2tG#DL)XGvdelTL7BV{S*BDfD^j! zsoz@{ZR@S;&)bcmIyH_xohfd6bz=dsIcm8H@Jx*9d8$TWC#WbrityPAqY#$<#Q+tV zaal`xg1zO7E6V9+18P#}PSZC2`1-(cPvGY2Q2EUro(jg`%C8XxV>xQrz*>!WLN40i zr$kq&-P%jlHQo2#U5n;3)nySz(;dMbZ^F1d+pn)r=Mn|@-;d*=$GMFTNm=;fq?odd~<#H(Hj>?b|xiv z2gm{8MgYSGF$>W&E@qT}CM>jA5fcSZdH*3a<(B}f?q`dd;`gWjf?P+u8hAzIusc1m zt<;7?O%z1P?z=?!3gP7kkphNc5}AsyklID*Z32zxS5xJdJl&^S|70apymP-v{h2LEh)FL zECH-7j|=Mg+WB>P(Y!qW377Wwc^gAnX~4>FwJ`fl)?(FKGEX-)DBabySsc1* zm&-nHgR`>d8mp7~C1nvay!`rZ)7HesX2SGWG}A+KfgiJ<0KAC7Q&lsieeehGsM9)T zva_K)MWkEg)SN=lh~F*rf?-S_Kw^dpwIT>OiY7@0--a7aKEXw7WKd{E(DgNwcV}r|a+WaiD5+~B_ZPBZzHi49VX{=f`o)3cvnF4@2WnU+s zMqV^@`bDstnT;Ub>8@cWffQaGV=?IUrVw^$x+u#HRb5Jc3vXZ4)g&;nA^ar(4Y5H5 zHf*m?Uhlp}tL|pqjgqR8hR8nUsQvxXY^Y++bBjybin>prvNh73=};9V1e_@ak|N~M z3L4U%Gjj|(fBJdwDB{f>QxPpryhqiA!a&pUbrV74_)4>EhXhqKoN*~{g`Id|z`{9v~13#)q;Tdq$Z#Pj3Mr(7IcU%$rpL1OqDH=QB9 zIYUNtM9o*T3ZNo}Z5k&3CL}vUap7;Wkf0{-C($G&Tl4Z{aH)Y`WI;G7I{CAlB~-s~ z9bdRV9JPi$+ZDxMT;dmNO-8N))JE@zIbn0~Tl$lWh7K44f8PUo>XzMFon# zIfO}i|5W(Qi;!w|J=b`35#9U-pvBl?U^)|CZND+P)Z&kOr@7e>*Pw^=n_*l0-eH-; zmf;^nZ9_^`g8?&+)p@L@Obh657`?5X{W%idxBW-@6hx^Dlm9eA{m+HV5B2}{1+vzM 
zdOD4or+ruC2=7%+v?-%cq)WPD(c9}sZ@t>MmOTx3r=m*gXmwx$nyR2YSCiuA%z!R7+9+H4ykWBOL#iQDWy@JTS0b35Lr@u%aJ8nY{_*-styj zBvq1l4zXPQf*)YLNu^vKSr)^mJ5mob6Jao95L_SB4K=0Ot(XlHyF>Gek>)Q_h#=3O z=D(>%Jw%u{q%MxN>HLZFL@2t@iCTh1;2YbS{7kqv`577dHkoy;53tFjG41^dq$CV1 zBGv$eb0`T9G{koLKWG{UfxrQ73im(zB$cQDEbq9ScC}fxN-;C!W4QOvR1jDU5y62K zt>negMg+T#5Du`a1pcVMGe~bKx7wC}?aIYeMBQd)Xe~4ygd1K*@Ik#Uf?RgnheIE7 zc^q==b4Mcd^i-;O@R9>*A!10OYiA^W&G_IQId&`9)n}m?pHbeH4OIQ71)$1ECIX!S zT+;dNF>i|)gq9Bfrv<>d!Ts#F-&ErGVk9J58#rZhkJO$m21~y`-kIVrp8OBU=9kz8 zZlIN0KWhqIkIjv{V|x<2FWnVu9CySA)Qb$I3i|3CcM<}F2lIi;?`kc;CTW0vXcij> zjvb#}i*sB|f;Z!j^4fKZp@qo1mmR(NB=d=kRW9nWRQTpIn`c)-^}0{FU#fz-J(ZlO zUVm;^18&(Qn@(L_X?saU`o~Lwg7%U}r*FYqP%<=)Ry#K+UySQ_u~PYLe8B$zd}LVt z9b|uerh^eqKcm`5r7`VejYUl6hwu#F7De#9ORXMoxr z1FJgBpWSgBWOqjk4PIQGOj%1agH6M7IaqF5A4pTm908uX5kTIy`>LSoadWM_IsOlK@}?Lo~{%rb<264f@h|11N1lgu(bm*B8f4V!%0!?-<$@*;d+<(l*D< zVwb>5+`s;;Rv^v41L`?!OE4RM_<((`l7I!Hi`6Ua%T!IQMwAy-PPyAxSC$Siszcf* zYHx@{wK?K^vT&OZLI#p_X1}kucr z#p{EGmPc0BlfbPq6$#ckO#n$n0Ik4EnJlQK}aM#3ZB4efWnxn$ygZ6t`qb!Nk|F`9m&TzC9m4SsBu@rhw9{-%rFxLT!xqQx=J@5m_1go6-y7q+Nt0n)~?*;t{2{t>JZ8& z#KJwSqDbg_Yc>e`Ej(aPq`{v7VZIUg`+%i03kb*Q@=sJy@12 zxubTxIntxh5l$tuHJZ=$VP0G@Nr=#5?5EW3bXAYr<;f1}$}oV_0l*tt(ya1t1dR3o zJC3CqEt&x)H6i_6{hK&)RMT-YHiz?en4af3I)a;=>76!LHe8>)edP#DoUwWm_*xz+ zi}-X{rML}F~e487mk5o9(volht`OWhmOmY z7HpaY1;tr*o-1Ihu2ep_*cMEeYr3ii+?ct5&_KYhJ9Zz2wUk(D59P9+6^Wu5%~T?@v(ycTybFl| zZHT)d1@t(icF4loOkzQtlK>h-2+|T?C8Uln_>oZu8LTY>Qc`}!3|r}ZSee|iCoNc&Dg{KX5}cK5e;&amyRg2W2%wqAM+cC1ePQPV{oz3)Fl4hFgpLZUrE zsA!}e-f@tp9Dd*6^1wno`rb&DYFPJ;wldGMt~%WPVmV5gwxm$It`Q*IEW$a{1r=d= zj-X87ot&8A53&;%iQ?5MNKID7`HWuiua758Q(#-}SNk1|sz2~RtupWqr8BiU?06+k z?<2&p#1yp9T5*vDcca6O2{i;i%zICS2O9>tne1nWz|*S%T<#f^1+JQ+kZ216n~=og z5+(S25G5U8S;{K!_RYTBBjx2h=uJUD3Vv>j8)4!yd&!U|wPW@I-08o(70rsNA(6%c z9_Q&DP^fa;L;hy#`RN!QFjFU@dz(DFIHb~yWCgs6#YxJ`)O^}VoUu@KSY%Z^EksIl9C@JIKXG2;2guM&myuy4!=Yo$*>$02{ z&dqeV(hj{KaiIL+5jfFnWb_vLV}F}$MVz>=gM+fA-^F^N(+?EU8Uit-$kN^(uSKBA 
z>7P2EJmu-<|0M)^80i0nlqV+@<_~?&fNaqwBfEF$htR`0r~X@2z)s7fPvj8i?9&S? z_PxF4>t@EL$~X-}LZF7tcIIiun%uM4C%J&T_hvyo`wbuKCZE3#v14>#EES1K8N2o# z@sBlSmWOSo*-fm#P&vd|GSrY%EMLzTAvk)bh|FZ{L~DPe}1y@Pi2j8dh2y z>lrr-F}|8#3OvcuKCFKIX|5dUvau-LryT8M4Go`)b{J^9R#9RXPw1t0bxuZ#mAR^C zaJgPCMKNYsU6IV?lZPIT^&04g$3%3DKRZ8_tG*a)bPfw;<55_e;P3R|OxA-Pi~O2? zeLsoWsU?OiZhw2Y*LnHp%Xiwf*~YQfGx=%0pS%GN0`&u9{U0PWVD6m7xMmh|FAi?2 z?ln#k3gqzZus*qC8;D-L`?=z%s$n!*97MM>3%KpWTV2g<@4!86kt3hT1+8T|K0hVp z&~Mx;m@j!cM{S*XMa+GwL;zPI4p((=4#=k(a}UP+lz7*oV6xzw=1Jr?xK_Q_-DbMx z54)QXf-ZG(kIgzCoNVrd@5QVASU6WpY9VG~__$%#p98~t#Cwmb;BL{5Br2w@D_e13 z{@o?I7edrGyluH?cBIC~%Qk^!T9DkfA1pIa{@#t3X@a}`x0~%C-MiP-`7U#6H#5Ri zQYC~kKXF`Mt$A(hphv%vd2~~3)rs}eU;u@%G@~uQ@)4Vg);k+{8!h9Fa01A5@K7uf z)9$WH9(vFVn;`Z)iyNMYkui@GPb1|HBBurYQM(eW?AB`d!>i_M?B=Gq#}8JJjSste zIZFDbYAD+;6mmm1dyal3vWaPykCd!uF%lg-{X9n6a$J3KgaxGpjRdWX$$`z>6FHwo z#pCAQE;an<_(7nh6kb?!z4)Xf+XL2nW^O5y8wn}CQf&^0FbhJhxr47J9B`e~_r-KuQ{6erMSp_CjEpXJGG+tb^)U8%n`~@pPd~Ba zj4HCTG<&EuXH1kRg{NiMJ)INkt9gOsjp1^8hElBwq=nEmT2UrSqf^iDDz>=8rO&rl zPRMjl_uD6Xr}hsg==D1=<4Vu(HF*l2?bBsuos2JZCi#A0p~k&XrR*%}z`FBDsvw+C zhL*%^d2Pj?%Ynhigu|mITbMNV-Dg*8{#9f3lwZD$SThY_Zhm38TKY{{ED;PA7ZvW@ zI_*0nPs#UIn7VJD zWe>0tU@zW(|eRznQLP^j>LaxCkR zv{&gMKUM0O!U6Ylag_7Nq+)_iV#3k_OP!CC>yC8tsT#x11E@ zg4PeUQp&z&^Ri;m`k&*E_>=WoD%AW9Ha5^}#YN~~r8^CsGGC_+U=UWj9H$KAtHF`1 zTk7{?oOzptf#GjGU1|Ep4MR=zo&|e;w9dUJ)9o~68~H;nJJ#K5G(OKuZ?-vL(umJ^ zbj{8AGl2!`+kD5O3lTeospJlkwxgCPXN(yCME~7OraK+YN-Mo3**QHd!Ad$OK6NCK zgaHMj1>}zQ!p-3%q(g}tZ6z&1BWv7cDRyUTlHft5OP0i?r!deSBvkMjAPfo$-jiEPYqJIoTzTpt~70q6yju- zTDlIQuQz1ZP?lzP=2fN(c)D|N2_iSRm%olfZwo^$uE;4`@+QPqZO*v8k-iO`DXQ#Y zCg`LLsvC3CKPdv98KtNV$$Fn>#>yA6)EkSm(g6x(q))Q-We}8=KnK6gvzMU~& zeEG@t)s4a&5-&T0n!zNO)$y6Q3Kytm?y1;|5+|+i8-tU?>K44rgn8}36D3Apgli~P zjALo)F4ai#=nA+aAu$rUsXf1>^*uI;tUp~A?51vQI%@WBn%0K6gl)(?F>smUlh&Cg z>cH7KzNGbXr0{~49p0at4ettFTd!MD4)Oq4!E2s2p5?4h-j?`a zUCW(^-b>?wRtS@yG#6cwCX?&oPpi&3Z3#YhvJS)+Hi-Pa=1;I+1ekDhE&A8_aT+C# z+KblD48M2^Yr`nC$zxZY{2qlJ@e%i_FwjPFrd`H5{p0d6ljD`{Z}iw@td= 
zj$x6tg@VG9Yd>xMNzKvD{q*(A_C8$P$mx1nC}r(jvH4E6hskqCvgGZCYkC>*={?Nl zCrrX?3qLO6PcLfk%rp11SUL$Nla+rdaTV&G5i>52{st?LSpkP8Jt zM|`T~4@^n;O42VDcYAt1c7TG1Q8hpUcG)T`5n@@R>O+*u^tPh`OM_E5CReH1xpdU} zwqj;$Qm;geOi}xf*!{tJv76eOu*ZXTg9)jlDEjWw0V+$|Ljzj}ZvscM2`h!t?u1+VY;6iI2%7Q~qq+b0^UA2(L5VLFm2=M{=%QxT91+q#aq zk53OfjeVI*Dq8XzN-=KhE6wcXqG9xtlY=XF@3yCZf!ygZya^<64Jx8t%j=E$s$Qe{ z%>In8th3sY^*n-{U}s1ppaJsQ0d(OMC4g+B&Krgz6?|fveUl~5C`%9E5V(|owt{^* zq*PUkTHH967A`Ii_#8LY2WReXcm+u@?a1@`rtzabAz!3&=Zbq?Z>A%r?gYS#;ca=` zTAf@kusickZR31E#Lg?D&wRYNxYTgejt8U1maefUqPUte!AA;-0AGGm9N@7^xYMV? zgSu0ql@Np1PfeWwe^BR@>HJwF2Ct9}MG`teWS!81iHNvxK1nf1u_D>^z^avK2nFs? z?<>Jlq2fyn!>yHj7;08GFD*oZUF3~p-}z!iGNdEbq8rD4Gx@+J2@RAS5-OIwb9?g3 z_MlcQ58IzTr_EF3#zfu#2aukEWz$RwTt9264}{c{(>?x0 z-*)0owu&^Y^3zfs1`O1&A;v^3%yZ^a9^{)Y_jj#!H`=Xgit(3D!#?`gFx<`#^*l5= zi0vrUO2glddtsg2K$X-oZ8Y>@>70)}*FM=+gpq|l`KQiAn9&LK-_F;SOg{@l5NP~7g7GvTbYMRk*Lv`?P-=+Q2 zw379M=T5*@aJI2(zLgbjUG?>{&AX?rKV4N}m~ECbi8cG$Q@8=eYgWuB@Sdry%bWWl zE7oVm)>n#Cid|a`8y4;wTX%Hdz@uvc!Z5t;nOWDqVWBNCc2T)RSt(m;0_cmjsDRGb)m8b;P#2!UIUm0Yd1xz4CDZwBWmqoDFe_8*%Z4 zamVijgN;`D#~o>1gIdHY9*@n5@`IP7A79y8k(6uehL2EGkixn9vGA0j*DiZ#M9E+M zQnapVC*hIHax^86??w(V3DIB;+>PLt4%idAd?yfu_NZlr;ZXz~bzB(y!p4gj%NV!K z)P&D^X4=I8+firk^Y3=MAtstKs@yd&=zx8PaAj!%f7-X=#84#-61gJPCS%yRnyfj# zX{t-b%HtyZ(+cB|DMsGUkcM76=r1tK1o$$`IS*Z-rekb{Kfi8AokZWUPJhLqxVvg0 z7Glj5P$oE<__DESz7eCrXOt(+kqP?7vCICUW^m`zQB9@jO=NxGj%l5En5P zW)c#Qb%MPRB^K_InT1Ao2g7P3BKoHD( z%*`A{)S>vu+m<03$ycb3+WvK+A$+lIgr4t2_WC;W-Z+KRNhO77*x)mgYvcIlhKm#J z<^4E)LtpA#!Dc1e5GE6W+lV#mb)oCVZq#>7p%1xdp6*Riu&HN)iG@KV{U0`Zuf;s9 z{r1E?T&93ZA_HZ%TZafW=iVdB8~X$882I2v&g1?wd*e~>o@f1ql6Jdy@{-(sGh|ZS z;Im9-cxC$xdzv*tZw5VdWRA{$hylN`!B-TU#Y#NkL z4<$Bf#T>vUsvwYH?;6MEU%TvQyXed4k;swF8dEY<3_d+DrJH5+g-33BrCuj5@ak*0BE zeVc_xO!p}=Gtm!tNinfY3<<34WKXXsy~q0MjCQMIlc~ta-+@S7vVr+Uf9Y_RGx<5* zj;C1=g%0kLRVziv%;mGya_umr0;H?MIrNZeL1GJG>y8aK1_!`0EY<)$L15fIPyN=` zF{)#p9}Omy2|`*}FnXaMDz?ApyxutRvQJ3JK#L~DdBPQ&ipz6{p0k&wIQG{C2osmr 
zi6un8_i;24+JbTLxB&hw5r;J+$Yr5ON%!v3>g<8h=F3HxiP32oHMhcWcq7qr;>g;-OgQt zga3y02W6cFW{SIc)VaR$=Fn3>0?ooniqk$FhW9mQyLA*5UsGXVJD2Eh{~A*GS}Wx4 zCbsxsiL;_jMcd7h{tfq*%Ms5}flxGuKgFA+R@JPXuW-W&?W&UHm9g?TyW3T<0_v|r}OTeJgW>B%y*8 zD@sO}gB9_JIvGvvI&XBK(4d1-I#J8&TR#Okccd?(WFg*q*T zIW13K>R!*BgVJ4JTJP z;^Eu!ckP|%8nh*0H*R>?%Dt=UnQ=9bIFR%ToL}&=k38ToOg^ODop3LHVcvip-e)x2 z+Y~=)T)!)uI~uF9?02@d{ONrIv+sE!d^zJ7Ujq(EYZf4_^Z>hFtD1|&8eERG@WhY5 zBk~e&$v-28%mEp)_rF)dME{@&vdrG^z7(9~C^=;DWYUE)1 z-J)K2ufbXQ%~|#_#|Mq7rQi`u7p}AIdY`LKqFmpMd|27#- zCk#e^xOP{QSc~%tOlsWGSQOgNTf z_zJ)`C6N4JC6Fc4c!8inuD6Q&A-OJ(^T%evo0wQ*_g|4C1I2O`^PkPNd%X3x^J`s2`aCh6js0=_GXlkhAhJZ7H@6T7HIB=tAOmrRtDCVx`;P@o?Z?xQ~ zuutAL;MCCWy+Q*_hp8Dy{Y~?9kIY$9QM{Mo=VaYCq6*R{<=iYt95SNE zF`vC}&pw>|k_NAj1I*S7mWucF%3s4u3hR~~J4@|*Dz;^yf2k zp)Glj!lPt}gbZ{8iijxrFnmD^89JtS=5jZze*hKMM{iXdV51!cNu|PgBeL}IrJO=J z3kncxHO|az+5T|WN94(HZd(G0yU(YtHJtE0KZx9T+7s!BuK%Pf37ZoPL1%y(cy_OR zaI)+8uY85ea;D%mvtS?S-i3SZ>{l+gXiuJg?K)1h)o1k@TKYnoW`Ch1C_r>+y(_(T zpvM#he?Xzi)D+Ho={NKaA5#|VMoQ7xgaq(=jPd8K3P5lHDHSe$$H#xzUgggdpY{>- z31lw~6cYr4D-^^RYQZE8z~468e^J_s7t|&CpZ@O&L(OmWz1nK@nxED$oR_LLkP1y2 zew@kTj88wretR7f9De&TB~AlO~~ z9^Bm>g1bwAKmutzxC9CABte4)r*RD=IE^H@YZElMySwYR;W;_)`R=V#@BK+t7q!>g zYt1?47-P;o=*^g=`CWr8FAx|)IV_ccd#iZr09dvaB!QD5Q*1TzW_xUPP&3A9-!JwS z+{3ov21}@)-g}p)stO$R|H5a-RJBW( z$kn@UMOgRy)tB0J225NW$p!6ixp?3ce%jv=&goXTdzGt5KI`F!fp-z|PWy!3cnVZQ z2N_|pU?ZaC>Hl?rbgrA8w`dgXlymo*MM&N(5uH}(gU;XMpoY%OJ^=Gij6(dcF^XG| z=v*L!b& zK%fKWN4m(rmVSQypWsx3>=EwfEE;`xN1WNF2d-0gtQC*S4^iNi%R4QX0-HB)vDrbf zn4-e_E3=B14Y*8G&-fbqsR3fAAFK~X`v&l$0R$RrvLeUm?hmuSp#I4PmfszTNT$_9JpWtlp-%Q zPr?5GBIcHW3HHPOSSCxoQ^_+X%nh@R9x#_)ouoM*z9)L%oTL#N46etK*K89mXW|v? 
zlPdra>lX}%sCe`%5hPRHxGSJiG#SfNhC*Z4{ADeAKldkyus(4rI6^yphG}(f{~1wd z)%#wnowgf?S(=f2tiyvPpaHft=-G%P_fv=>BhP?p9?qawC-%PO4fkz+3{CZwC|{Vr z6lxbT09qcrKmw`!9?9pl`(Hx^$CBc+1b1y%Q8MYv7#c4e5X3E`UDJ;Sc>$j)i;L~+Ebl}_sh&RIHz7(A*36%l#*953}kww&htB|fg zqOs$)4nUHrtVOW$i+YU7&hUQ)H$WspotD*;2K|$_R6z1?%3tIJ_yh4+Qh&3F30oD3 zfPOmj3)IQj(vkYlz??csKxhvep%aDf53R@5YNh-+B9JpnT$xgh>H-o7lT} z*j~p73&DKhxQoO%B&E!ep` zXMh6PlLV+h=@HkRq`9`8h8j}&ma5s_tWH4-_;5x3A?{9%4ny2LagW5UHYU!% zymb(92;=hUU7WuB@YiJ`eP23&;2Z5#RaKKMJIl;fs|dEztIHioA9~Bh@EF$@*1x@3 z4UGNlPn;5dt_2{wD+oF*bC#{C8;y9$0J}`l`X}ntVe-Nv301^yfLA_7#vMet#d|VvM7vSyp(fTL8qYHBJJ)3Z$YrH1} zE$qPzw%|%v#jXyXzL24Q8;8C2B+*#DVa}+4z*u=D$p9!eiT4)|A%J50cWM3yyJ&EM z`TyU6%h%~>43fGMO5wyCTs)u|`B2vsJr)G+4G)X%0I0f(@;`$=FE2SSJ+E>dHC~kt zj`x!~9*!HT+VF+@&wp^`WgL9Xf*%$XukjpA-~RwqOQGoZct&%QCLI_a7M!Sq?@8W& z7ea)6T&W7qW0s?b^Fi7n@pWcjrl9!bAESNPt0xzF4rIMhP2lB~^E_rf?Tm$Zk1$JB zYS{@Cn2N^>K%gFL!SI;%@O}!k|Dy}t4gd2FtBSy0RzAW!wk_)vR&R5Jwx1Ub)~EfO zTP#sQ`Ur4~NUr*S+L*uz;0A+SMuSN-21{;d6@R1&B0%8 z+PR9ZaLaeuXdrpsqO9i>-tI^~Xk#HpQjvR)Yf;9!&yO{w=>>I{r>)ppN8SWK6>3oq z7`mTmX#pXP+4;j0ET$cOHkOWEjtx`=Z17)$!yj!miA$S@W{GeO16;J=KmX?G(tRCK z{}Oe?S~e2j&9p6!<@d<~Iq>UFRC(;`2|pmU*IX#X#j+2Ts#*esWcEQYC-=8~x(v_@ zw*%zPm`AaI)Y1Y(%T&EPp`M#h^H{eCmu>n1u~UBR`ndSR0``;KR1!@vAc;(*@VCrE z_vEBD)_Y8o?DKr7I8SW7ZKz+R8TiF@?!cT66SGynqQ%Qe%HW|EX)B|3=O*Js{OXNs z%sFmxc2vz9C3;9iFR6|M+1$8W%W;jZOOD#S7@`~7(aeu_jgsPLE(m+*_RcK+(|_ z2jK>YLcqas1bcWECLp__$$mt$F2q@vF~BI2citZXjiur2kYH4s6N&PBgXsK32XIhRT=TRFe zL*{+^@-e+DqfP_90`%g4IWrVhm1L`>`G*URseXQ+<+7Q;UOgQQ5>G&KQq4afC807M zU}HZ157fl*t-J2`)(9Z0^Oi>H4F>Jl*V=Ghn+xwiA{^7wA)(2SsQU)bF1iS%Dlxf+Ot)AmNGm9^VnTisXT_31rcFu%( zG3E;jV5SQV-uZXyToRz5{?@HP0Mm!NBrJ}V%3FA*XCRi10@S6v5x2s`iyJ?+!XZi& z{CJf~Wg1KRuXnimadp_RVNy?zK_L0}F@SO#>3QH&xgEU8`;cf2@TXR{X-XNnaiE$? 
z1hivNc_v5AprB{h+lAl>;+W3Qz6v%#EE3^RWD#PBO{-pU5{g;t?P04X(fB@cdlx)9 za$`6%_+kQ22%N7^nY22{(*rnTEY&l!f1x}j<|ngU^pjbR2l75#V88pfHTV`8vCWWmQ8>F37=6s|Ax5!IL(dtY}AbQL?n4 z?feAmE7Obvl=%^qNl$noYI6{=w^%Czn$mhV60249Bg^FQVH-B~fIJa3+fbr*5m!-A znBt4&#@4CQ?IJ0iA5$kxI@vk`wW{IjTKmyL<0s@R? zvXuTCa=`yKa|}f8M;;rF2$cThSy&5gZAL;nRexE_)~5q!-^w=B9J=Zq!iQfyV2m;Q zS%qe4Q;;qVTtGVb`Ib)VQ&UNr(PObpJnYAkK;{f=Dm?4Shv+!o`FJmZcJ2kiD(`vJ zL)&`dm{F(HjYW<2+AW^EhK4Vf?WV5RbZ>6ulcT$5r#?;Ai!AD8iQl4*CoP$G)jygu z%o1Ne;N^&-P{TuIA3Y@B^#8YV7T|W2`P1K=@eo9O!TdqSeR(0s563ns02rqR2E+!D zfX6_I89m9vqjwc0U7a!e&M+j=2J8FMR91T=WZ~@}30btH=ePaIkCvb}8MN0BDW08G z^q-k2t+wXhU$YdBj`hTzOo^!@T-MG+OlUdp*f{hO53XO>)}S+U+EeZK2&Rien~AgO zbEbd+zO}?*T$H^U*iQuQc*6fm(9%F;W%jX;1HYmH6{#%Z!?+-a8Q+kEwWk>MMFV9^ z^BhA%MoI=Wc7@9CCBKa`U=V?T}@PyjsPQ^J>9 zlmeU$&NzP~h-s<0H5s)r1rS2OA*7MG5s%>$?)6`f&;EKl=<|zV58-f8YJ|n~c&Le# zINJG}AFA6mMGNuBUU)f3RR-acVhhw;SNtAH`|!0NXG2AVi4Xfev+a!^FV2hEieHXX zgcL65RcJ~bI`HA4=)9oW8aMRC+>P{kSXU7Q<2yU1aqzOP^$=iH-8y_A>{mL+4QwC&i zjf%eFULga8-%jeHd zZFWvw030q5c)QfS6v8;vgx{qZ)7XenD)US?%_ zc;YQ?6``Gi5W^>c$8k4f8SDUl{)*I_hJGJ^u%VC1NX0^qa>&f0A~EMsa^b5^80Nj) zqxI}*z40+1z=WDBPz|YCO{_^wRLB_7xC)}u+lW+b@P<`X;`7oUn*61IK}L`5{|*C} z!y#Dso#{Io4&i}19q`X7I%%JhnDvU}9DR5h$zoT+ z*6v?_gFv%d@9iNhE}>~cqk2Bb#HqK_sp#j2H+<7gnl?D(s%FM5t&;r`pdY9n9gxyX zRMqxGEr;)fHuSxO$8zWUEWV`wGn7 zodK8sFYHE3u}W$2scEaLw;0F$C?4tB;w#9Gfcol+U3QOO+Jd;wu$uGjV-N+4rS-Z7GvL z#0c%NY2FPj8^=)UEJBI1#**s#%ngVfw1^LEJ?cVy{bmEjU&Vpb=P%I^6#ot~ zS^vBRj!%EpAB5|{^)W>O&idayr9EORuE59LwA{wSsQnWGfOJV6`p5z$0}G^n3-))W zR3B|Xee+p)t@MWBe*B%sIxE~ou_yNFm5nGxdnFcVfX$P=e2=D3D;C>(oiMLMf##_7 z$^~}vjIJcQ`B$4y+8xfY$^Ne7?i~3cy9T8n!cI6g%3nc4I-Zd_@FVzX@$szxn~A_t znnwkn65{~wWa-0MRt9KRM&hGof_>~jf}<6T=6=SXolO05(Pi-~#E4m^4nR`D`&%2d zLq;17hIp%RU)yiN`Ia^0FJ-WE!iqdZb(_w6X_4uzU`*GN+xWImZtU6-99RS^BdhVmT%ihXqc0mT4_^#pKyu<=VFK0O(W#t*6sPMOr@ z1Gg>)VD*BIhR><~R8G-#?Y?Qg7Ey&I)%oO^QyVRA5yf?1dc^QtPV)C0HtT|++qCVp z5$@HbU^xfg=Oz-kIb@HZey^D2zqob(Wl;sNy_&qmFFDb`gSsURImk4}^+4lm0}p|T 
zCjNfD=_7x1nd5{;M3EnmK&qN4qCEIUbKS3PUdYsh|FB0TAM|@1vn0@Zkt}yOt`a7& zPAP*bOoPf6*9k*Ka}OkMK&4<1)nMV-WSdg`D|6#1kt=ci!eITm)2^{yk)z95XuW zv&WGhR%3;I(^Skwh=_+^SPbYmni#SA;R_|LPos*=q|I7>`sUQ~cxZj4$^|}c<*e;b zOfdbQ2UU_pVQg6Kr($P)_J5(R;u;1t@K11?Y?}l0Is#NNSW=)SaTU0`BxlivbPl z5HmoIqZHi0s&i-5zZ+3Ynj%}~*01g}^F(XLj`~DWcgP+L6$uHjpTl3kxQZF09CIpI);SFzA zB!a##l}%i!&DRksWu=E|X?uNhF&E zky8P>FM}phB_HN55VE6u6F9miP>ti0v)^VKU~QFS&j(4YgPD~c3_4G$;RJ)au1QG` zKwA1)4zv?-=jQ^%eLcroC{Dmli*hl7zMuMXvwjG4{TW#lNuX!6W_w(#V5L8BOQ2s~ zIs*+`^5eP-i}UUXF=RI^bFL`*1Wqpc$QQd;*#0YAv4&#OV@GQYzW|Gm=lC{ztJC=w z%@Z;|2eA(*BU?QgQqd)zN=s^WdieL@&ln*TO&*;KsO^>C)?FOFgu7E@U$mWVj+XN% zuMd8|ao>{m|5iH_b5;+%sf^y)o&cC z-d}##vE3E*Pr!Q*^7Z}NIYAokRonVag7e+hyq5lWb%^@#cX`hSEh+)sm%35zXsfLU z0m93R`FdU}_IDR#cZ3eI+7b?Q^aaLBnKj6VXYxtlW@?@n6x>HBM3cpJh6K}rt~ccu z2Rotas?s}s`NL(e@FVoUr~SSSJ${P ziz$v~7g2taTGdo624K+6tJ%GMF(?|vvi^Djz-PNjrwZkKpZu}~KKT`b&H|-9vN8#e z1fn)!eYM0}Kl?pPjrQ_=QML3I*Gg9| z-Dta(uTL6H`reZeoZF;xkgBAD&t_syCLNDy{75HpzV!BbJfu3NrC+lvpQT5T=Qb_p z^?lPy5^PPVsepdVY`#O^w`ZwJuf+97-}@|%HbGn8%z19`GfE=Zbt!LrJJ&zk#mcZD zofAoWS0Zvn=fKgaL@^r0>saL!9LgUcveNk3Q^S6dPxYaa_(!7_(ODN;M}+;rD;guU zQfVh;)Ub<`&{3^xTCNsCEdg@bQLOn^#&>8R?6+(6k>pt_{NzpojrS^=E8G+<8^XTG zbW-y=nxAV}@j~XAzlQhs3I1-Mi;R0oJLB_NYvLeBQjy9?MOqX0ASdOun*94*8PlPX@XC2!5ou4mgYuKXDI&gN6h&U(z>A zbkw7suT#~3&cA;tHcy7+YF6;*1{ufui`DC|9OJVFEN|#M^d)GBUnKZr&q|}_9~`Ws z9GpY2n|}y=jZNFv?Hkq8=qB>x&B<26W2r#`K7YmlFux_We|c|nDZe&DZC(|G^D5@@ zR!5J(z~!yMVv9uG3o!t_5fh|2lDY>sQ$u+42PY*~Hps{cskWx<8fJe3wf8#jS*?zp zxn&7a+aovlmno;;H5boNo__R{E{NfON@ho%qAjHSp>iK3 zvY#G!;cl6$9dX&F!4Xgs;x;O^up z;^_lC%vaWMODkKgXU4)I>*&%aC@MJPr5XE*RQ+Q=gq$ciphS6)tGx%qtkF}WtA^se zW=A+Q_jE}}*unB_2~zUpFPsPQ)142O?n@WKJglji(XAiQylUE#7u-!BI!SvH*wHL} z|ByZCL6FjaBq^kibp9;frd>CAH#nYFXc`$~fy6o2QCz0Gd8%7?p+4(#OJ*uEwy_Xt zSdHfyP`Nz27cw-?PkPjk`FsE`f}>iz<#Zs#v-$qz58(z0U}6>zUf7c(?@28SrK3hK zQA#JnN=OySI_C23{jo`SXf)fodsO#{!tjvP={YwZD_k!ML9doK5>?$z89{IPxUm8w zq&P@L{uf)%gjtCd<}JV)HI9%Io%R_aQcOA1PUsXlS`wk18j%WVSnXzIqY4SLKhuoG 
z?uEN!qMMZ{OBFCU%HczTyzL5$h4Ynhi+z4O)7OHy9-|xux@odvMdmXb*PpwZXhD?m zOk9e?-?Ft>BdsEwN9c2^z9-ivVjjlnnjP7^5Rx$Z_z|__SHz{r#vxThO>YXwu-cn> zx*I480jvLyhp9dZD~f-eo5*bDr@Cmh_OWMGQHK|>O`hGvoV=AN4(FKJ99wk&(t~gE zsi!F&9sSDQJl@e@acdoVUSt8sQg0EH&zX{(PrVtf7k^=diKnz6xHF2l(st&z{?e4j zfiEw@POx9pvZwQ*>8IVoh11f3!{$HrXR8p?V8BCJts9vm=HCH6ycf;gs?P*`{!y8O zw-_4*n3CEOlo?CU$&)_1qpf#c&0rmx7Mz-Cr}naP-;U}sooRE#?}{in==aw0buJaf zvjtv>M6djgOX^uaXooZs9d#quyElW|KA;>9H(2j3&vlFP?kr9kD!wWjet)ZpZevKk zGQQhcT3*(AY5@iXr2J`_Uh&5Ro6jr+wGXTV!Y=uO1(D|=ug6*u)o5rsjCJdTVEVR>=3+N|Q z7By-FelpbPuhJfMISM4oN|Cn#7hAA*GcssW|d5iSql^{o-b7JW>m)UP#d8S#G0C8 zlU%oGRu6NfHlRQU(H=;Up=_72Vt9(xu@p19K?S}7=YqVWw!fe1VaWNJ3qM3nzdm5t zZs(YLT7ZP-uF8zSJM~>|Mfh-yleK76XvZ}kVT=SFsp#CCCq~I$ZXI#F0}F5XpNeU( zYaW6NYq;|l(%O{au)LW{ALQ}sEfUQRjsZzTRWdkf1m8E*L0%^Q(d>Y z&CTHPJ4GanBMO4wgqVL3Qo{p8L7=CE#yb2a=d}Ub7GZPh)un!VXqG%1FYEIMb^$~G z^22yN53U`p41n7GgyBj5N zR#wIZGuQxA4WQvR9rVGb3gf}z;ygOgnG|M#PUF8!P~jLGf})9OH~MI-7;eZb0qGVx z*i*W8I$6xQRzQl3G9!RH|8uUZ=;s<_y1Sl=CQk3wT5n}pILi-??@F23VLa3ue;I2h zDt?P@=-QMpCIC_U(BCZE7l6jFRxW)wESA@3Fr3H5>dN(`t)U}4Y_AH+7W-3f=P~_6 z3T(T$%NEsAk)fDsu8@?lzaT4o&64q*bk-x8W5_bIdZFM>k94#9&ijRdzd-XYljs$L zJthnKfxeu}C-FEf<4N&`Spmvd{-sMNM6tG;-kIuNXlSQ)K{by)SDq)I>pB}CdC@}L z@+~Y7_$g4!$g(}EstSf{@d?ts&@L<+s39Y#7l&A~OUwd}&c-+%>ueFXz7vaGEj0SS z_1e#AOcr1p#H)43^{^Xv&Ob*}@vyG{#_X7%gIRz*Thh_cQf?bz_?LHSP_xlml-d~O zQMls?3il%d4EU;W8t&39(vRK@Y)KLhL_lZ`Z+-P$Q`KI4SJlEA0vTD}SdYUKr}u8F zw<65VOYDx!J)C;+3U@aG>eT;+3?;Rl?o42;x3-%ybU{=X7u?y^?PB;be%BM4F*pqu ziC_wNkxX0tcNg$*ZU)ikc;?_1J{fJ{96}A|rd0%(jbtn;itz_vT8$H{V`-m9C*_xc z6KWJSVh&S1xFGn;`)MyH7UnWzK)~v;`*oQ=`}k_FtY_uu+uMxyk$|de-hSm|vF)TI z`Ya6Cvdy9NK<&daXx&q60PWt`!hIG%it))(QA*Tse8y^zbs+~I$NvFWb2)dB`1Lau zP6s;Cy5Bc9_(c)PI|@tdvED*HmO_lhEEDHx~e!tW+_1m=Z``oZWFhk(C^q!>9;lfz*EF6^7)Km$lv)^T@OyB zAMp~Hj(~!7zvN(RS{<^u71Yr!aOu&!{07^14|&$NvPHy*xno|m)7I+hIa6d_Xo#ZU zovMzO3M*&sZB-@+*ixX*KR`LEh>~zX26+Bt5cmC7R<}X0RxB|wl3rWt=Imv@x5wgPZPMnXYhqnj47bWOew2|3 zzJgRkHb>jB{oA>yw-U-IeEK6kdK0|dBOfo0dG`)kk6;yIY?P{uJ0dG%A*S1BV?kVG 
zo^W*`b#}dc*2}LL=3#bh7xYc@?c1+|k7f<&+kr5&L_jN3vC!UCTVDa3QOL9qr@-YU z+!K^MlTnAo`P1>xn~Sv0#N(3g9yV@q`@e=P0yq^|WEiw3>%`N2Lg>oR4*W>`NY5i$ z@yUul87j4aVJ19eL7}%7SRJC`5kGYVzG8clG7n#5srlFuD}I(QYN%|lHRJRk+<`sd zO}viD93l_>Ubc{Si^o9Qw$ExsylSA_55_SxzC_0}C3zVC?rDwLB#|=c%sNQ~F+x za`LbcfFS1T0>P1QetB9oIiCdf4WO~ObD9}=Vt};urC%pihHjr{uY2Ds%yi>@VYZmJ-wtCj3wm13rCEu$P&ToL7U7kPH4sG=PU3_G{aa6RR@;1wX_24-$ z#6bBV;sl`N@FAuYChpMDR}ku#AwWW5qG02>eIdjAe1C@5VR8R82ADp-nc-lV%XLSu zneleJ9v~e5>(CQNA|6%-ah!tEh0XxNvO^bGz3!kG=Eu&j)wU_Wc-c)j;qF%*{7SENE}kb(ap<=Yy=z}h}z|J z0v(qb9(EBE0%F~u6!3GOLQCO>g~uc$UB7Un z*QeBl`7(HrlG;*8x}nn?!o?F#t}f0kPG-4b&*yB;2Tj06?nx*8l%0L6emU zoXEPNj7?-v6n~dTmIe5C0|?IO;p0O-F83D8)vGUG|FR@5$WuBqA&@B)Em` zPcOd<9&LDDUfcNCt+iPno}6?Z4&&h*UGwAO#T_=|z{N;7*r!LVuA03roQL0tdLNfJ zxMW(O@l!);wLeZp)1Tg*r}_$bH-R@Iq}2Pr))ZulBLh;6C@$kSF%D=lsn;e+%tR~& zPrk%~?7q>sx#0z{c-E$WT2&EI{R*PZ_PgiARWBZk%kIm-5;ySw9S`*aWl_hLqD9=*)qgXrYbFl&!#GFo~fmYN0%?%eKkPA+fZ+3V*su$08NW)roBXz$R=HseY81K$8QVx#?HT zYHG*?o2Dlc=*>}}w;qn`DQm9t&#Scnhwn{?9J3je>Za`1i<~`Y69HH;-{V3*dz5T@GPA<+3>R&ax@y}gM z+uFE}r22i)D4>%}PkUBo-Q4EAuG?{89X4r*!M9M5XK4ALrWhe@V!}7JE&H;<-S2K- zp|?WO$LDPsvQO9A&#R3P^)DHUN6=4`-rmLP7Iv9f1iJ+<@GEs}(iw&(D87!IbKMCY zAIw?9`i|c5GqVJ*L8vkjZlcEG)hv|gyVHW9(_KEIV&Hr_|6@xtZJ7_^YG#SC#XCRi z;vbgLs`M*6J`fsbuLBkzv_He795fj?C3wBG@M**_aAp#X zcz%USsm&Bnel)tcw)UkXk529NS|85mK3563AgBDJV{>?2e%nxjm)jroxZ1*cr+>N< z{x)4cD>rhP|K(g$`JL9!U?#MTw4zohf~P*7?w`M)@$@*#UvBQbjNak zeN_nCv^j}L+Z}vTeR+Mk*z$`tS;CELo*6`TLiiA2TJW2Oni>W}{5y(+1Lv*xg?O;< z3|=oYv(?DD%KOVRM)AxNU5nJ{ZiPD9^THR#iZdxZh3q5h{- z!(ZRtEgJkxkLnn4^YU}#N4-CTND(DSTFezq!hOOgo$iCit{?sXduNi)qC+j$6)FfB zXwOIZa_j0XSz#75eHY(k5tmJv7u6EWJETSz+MRd|u-d(%v>RZd_c?c%)UwLr?Db^Z zr30{LiW2=BJ3to9Ap%$PCqQG5Yuc(DNUPlZALPZbslEah86?2Jd~Aur+4EJH@(e-_ z8-qo;+*zWRB2nvLN(nJd(Ka8V;!75tazkadVxWOMH$&G9!q#{O8%7J!z5R(!s%E%4 z)Igbn^vHH2$t}dffP<4P`dkliZ>Si6=NzbRT%X8>f$Wz zz1Q_F!smd>+#ABo?0ZK3a^tNsMO9VV%rXgu*Dic1ReQmEJBiuvia5N?w2yLvfUysa zNKvvy>lm*f+uee``>=@*bp$I4Sgm~v_bo~3(^Nvt#CuJ<;moGZ-7}r2&a+)1gRQ~r 
z_1NP3-mgnevoTeGR_q#sn^!p=IL|TJKc1z!FV8L{9kySRyw1!C) z4dri8`A8HBXcu1x#2KVdSIf@tI}e?e2)bB}lD)(G_U=zCNKsk2tx70-7^0`Z=kUPq zW_L>*5|sfj(j;hO#nNkmW=cBa(;+4j;4koc==;}v4cpbCM%{}kZ8Pn*M)pwQYgb_= z7dq{j^JlCC_F0W}9?wBFkqX+B?sISKhTXKE&EKVa)un)xlH8tE;2ahXMO~QlLo_pH zR}mKf#HfFD@e7a-P8AVlbzggM;WWh9PDVE5RUxPBHUC9;jck9lfK&utdsRx08_mAq z%S#aFkDnCr^99}#<#j2$Dw`)JeGF*(awBx|7H3Rp*z4LGz7Z?a9kGSg$e`C2Z|aqd z1+#!{5W*D=L|fLxQZ+Geae*L=2rL6k)hxQnsm>0a?(^~a)LC7^R(fim2kRr*zK?80 z$HA+@ml1mlLVQ$JWy=D9o}9%@4AMh|iPBKtBk74>SDz6s7k5r?2u5ScnnSF3!lQ_V zo79I;^+{nmzk-x{nXP#2QQXq%+t}M|j9%`K5M}Itm&$pqH8AIg4wqyvt#5)0NI*ff zcwPbI>UrPv;bmh$)26|@g;caT1W=+urJPpU?p)6muR{F_QKW3&2|pqMC+xa2@*lJi zhL@Sqn)G4R?BFvcNEFkhwz!9fha?6+E-r3`%f6Y~^NNGFqypxc^USZ%2S^JL8wZUV zWJlfR%H2=O4v)sokVt4D_o63+e!54b4UG-hl$jqFf!WtYVzLSrb3a{?v^LnH-$b8V4!C0xi{ZC*>AvEauPT+q0ndWGr!5%22d_0R7|HZ={71_ydo7romHwo4l_ zT?MnJRtzXi7qcZy<2ew{AdD%B(Y!Cp+Iyl7@_$`8;_js11377&=}Uem2lFvPhMIkd z3H5i^>jsj@Kn3eN<<+AiB&xNm=EJ?K5Qz_H+Y`~AckE@; zcT2A-0_M*G2i_^xmA|>T+tXq0;dTmVA7HcQ_{Tw%Oxc-68u_zGB7by-SLe-T{5IO4 z{u{cIZryZ1++nb#Kl8PnCT165u=*}au*xblBw$7en5V1JSu{#Z_QPS{ykKH+Qn4_z zlYjWl)b?Tm!skZ*G$W<@?(-_Cf^k>?P^`#VrNtUM9V1N|egqmzIoBF2xrW*1p$8DCi3`Y!a_5-2F9-Z{5Dgh(SSEEAhO%>N2Oc_%aMerR>N zI~^09&gII%$ul_3StO9-wT9)npl+irSKUXM^N>?=Sa%{&=R1#?3$hqr2KzLMUHeCa z~om#c2CMuL>_*^iro+eE`ZBupm)OD1Y$`3}vU>vN88; z`~xqZf89cRC>Cd1E*DZ*g7%&}QqCEkZ`*#@Ll2AKA7X9!-4n4^n8^oU{6Q21Sl4=> zxV{Ss!RTkP0WC$|7hK;ZVdk)PpucH&RHC{yjHFwxa5Uh-t_L7^R3HAt+<|$;pMGx% zse7UUF+rku{CUE>(6z0hLU;-fPB|jDQ@bx}y8_DQHnv~S9S1;zaGf&RqbtkIoOg36 zZ)>eZ67L%jua4K(^YB=O4I29tfcGIlGEo-EaAr%p+r8C*scmNV9P#XiWUap;L`b6K zS%0BPb;mD%b65;JliW(%Ro-ysy2W1Ow)-b znI7Q7v7%zLN87H?87B$KF4HM>^hGUcUf9n>(stj=hUpF{l?}Jwoah?r@`U538P$Fe zVYqV;B;e2sGG$adX^PzWBb}NUdF2zS>;EarPS4T6ZVuf}9G9kaaeO*f_)Qo(lBoAg z1~g1`636h0RI#svCvc|m3=*@__agApmgg*9(n2g!P1gpEPGMn zdbKvR`2?u}t!9;uz`OSu|AzcypFAAwll7mLMNqkC(hpp{2cas|BnwQ z=kMR|&m@&K8z-<_ULU?oYLf=;TQ|BvpRZMgTIffbo?<{Xe%JbYrDy*job)7^Rxtc0 
z?Wacpg783GzH=GD(Zoc8kuTesO$i>nMyB}I5}!?_=w;IU+ZPU~u(x+5yh;q3742HcCMF9gL%75BfPLgc6vN2Pcl$_?@AyThT!28ru1$Sg_3aWIgbu3*me5@u5!c` zoPEakZc00Q7Zf}av@ThsH^c!C@ySSlN#|p8`p^JpH2ll&;k;B-kFz2)fZFA821PGd ztaROUBvjb(nX&)m(H)<{B|a?L_jib}4+cL!f)APp6)ZS4o&_Ata?6CRVB!ErS^o1f z@o;FYs5F%`{BtP_bL$5&f3zh)Rq-fci?JItnmAHQUjNyZFeP*3)7n(NKh@?QE}Li^+*CF2#~1Y`&cJxYwM~qA9!qSe z=AWUrQw_Un7GfUhA46+*a*cQHa}q82g`|5BP{2qu0sgjRgq0*Mbb{ot(!fj=+2K4^ zVDjKjxf?AcjZibm0A%u>t?gEm@;drUctCgRbaCl3RKT!pY_3a7O+^k<9|uZRGmwU$ zs4VTT2N(2rQ*pKE)ScscRi?;$Hs8WT)6#G^naZF)R3!$!8tWW?yhbI{)EK8|3K zNsYF&>|UG#z4R^qI`IdG=P;`sFi*ReE#Bts7wR&h`H0QQwljhZ^)*qWBow8m%8iy{ z=oOCzy2=6lM| z6^xx)KZpMGPGaRb?81P@|B!Ba43rzf7FPcL3>e5TD%j;B;IqBh$mFIgE}I5D_?w4` z(b#Gt@)_G!%H-M=BAaF-bnh-f?N;5QXE~DDKrgGsbAYz`EUwVAknN>FO~!0hf44)| zAl^uxAOm@8p^7F?*^C#IHBBBd zp#(I~lhl+J4(6ore@G>#L>RJr@O$o*O`G@F_wZn2zHj; zE|N7rA2fucf7bbH+8u2)T6LKBhg8yPE0UXB_(`L-0E(Ksh;Z1WPs`i9QgGUL_|7v`Fru}m3M68*wu>Z(}HF+pDml2?avzm_CgSp~~t4gO;= zHSD{0hZiHyf2+?t_4YGQ&ns)H{WC0}hmGDd;m!pIXyv#Y^ke-7t_F@XeH0Y;j%$+Q z2>lLd?a+~5eArD#cpI-m*!@tIrwMD~?(SYYvA@6HA-gMCQIFqP$GqcPGjOH=gg(#JwAd2mUyYH?U(P& z!5B#Hr2&!E<~+ ?;h=dxu!t@rzC-gdiqdEd^}nA6pqMt2mG`0lUcQii#*m zh=M>Ehv~oy6;5nT%%LrJ#qq+KDF*|p;T1s|;auoHhfd9Otz!UM}x!|l00wiR~DLf{mBLHL~63X(M*QD%I{|dnn9U8Dcr4e+}B=!gh z1d+MZ4Gq(vZEUW<*z{dr81&?uAAv?^d#3R?=7mgoMUC`Onepk~Fihn3pSA}zqmCo3 zjqIX=@WVsoV*T9+hXsF={n$5Ly!=wC@7V|jGTQFFyYzM75fNxPq8G+O84?;AhB(1(->h5UU%nkY3W^AHUTe)M0}oc7&Lytus?}wWgDRu6pZi9 z3oR?$wA$R+dN*|zo%~wIS4!UEGpH&P$4FwaH>_d^14~xP8*egsJN!QThJ-BAvgsXH zRh2^TtNwRpx$`(6TsY)UAQMs*XnQlyNKl6%XA}SjeCn9x@O%_Rx5D;ucM?Iac z* zW~^8nCDW&ghK>)N7V)et&XO~xeLkx78)wr3m-((nU~q7@K{U0Xt0O7N?I?Kx=KFvz zU$|8m-;Y*)Na5PKU9%PZu#T%jPnYa^v;68sjdgBa&)VkKWD6p4@<_3p=%u!V9gmaW zXlFKWIwO>Fzq%h`_+-v0+RZUQTG^&UH-VNFh$*I@hxo_FUoc_j0t9Q{+Kq53Jnm>= z7o>CE8PyP=o+hJ<;h|N}-Nc7k3qwbUWSr&l*{C)T%cSd3f=o@?K=>R2Q)5@VsLKHh zGaVBg>CF*hBC{3d7Yq&FHxz0s1vGqg@%dvqWpBvUco`X0%8cqw$X^ssA&Yp|%MvI2 zc-_%J?~K67&Blga@ZgTPCsKSWKF zBG3?m)@^MCk*F1c@zn>(K7LyZ3$q#i`2W%M)=^RR(Z8s4N(n=Qf+Ee(9g<2&$IwFz 
z-5}lFN)8|(Al;y(ba!`ybeA-o$M^lc=iYViIsWBxEpVRsK6`)n{>0v&?Po6?q@96x z?#ebi+-5I=F%#=W4`NXOBvZt1#L*On0Y7U)}6Q1`o%xTeUeR(Y&|WytV1gfW_>PT ztKPl7uX71E@Clef>SQEPO2fH}wG_d7PunJ}pza_~s-kzOzf67F%JLgc1D z%Y_IygAl7bMbs>A*D|Rux=wZ9h59<=sT2_^T$w?-Z_;9~_7>5aZZ9P}=$_+|lSfif zdS)HBikL4Rj1co7SJTkavVR&U3AQ=DX@7yG3xf7E+h7j#_WB3hLvY}4xH!PHGrik! zHo)r+v)NrbMy<#5pPP(3mQxn-DR5?+@EXV56SPet&Na@Zux_5hR z(iGHgbm4p;C89wZz8}sQ$I!_XadYwRB7+-kbAD;~Yi9;UpzXzp#)zU8T-rydBn8Sis!eZJ*gEMyo6yTH2Xq z9S&x#NRo!rLdM@j(6uvH9rRTvgFV+UlbYWv>qKi`wO)kND(Az9VAty8pZv0a8p%#i z9B_3QxEOLiiW*KcYY^&=|JWP_k&~jXI5n<0Js{HrAkCd&Uphlgv(cDdc*6&t>EN?F zpvOi8`noYAwj1G*Q{$>y3Gz)_VBLi*b>6HNibdeT-~7pvop=ZXPQgJ9I0gPZ0`dmT zbnS@;h(4U#`%E4g4JGI4vkyI_0Xdr{=UaYxPj>#BLp$((uYV5T#W7Svz%RR;=Xeo) zrM&rN{npmj!P5%UG)qrAf270XpgZ5t*MN^p0+>rU?;aAqWH9$;@(&XH5KWy9?_kEM z<{C1qZ(c;~ukzDwEeQ@~YqOYPsOh#k56yv9dS#c)h`z?IM;n$hmn0O>U<-VB;Tb`b zjD^4QHwXl;sHC$H-SP2Af@~>uay$|-Nx1t`mO$o)-$t5I%5<}s_h!mMcAa#;Otn)~ zI#j}WpvZwb6Wgp(N=o43da2zYwXYAihn`yXw&YCfR3NIDk2X5rJzkJOTXP_}_rRQO}t zRriM=pS!3q0|X1(vv@C_7Gd-0{hZVG<9;1!sRI3gzRb zlC-rb5oQku)}Z4`J#m_=jij?0SB>4W|HRvo^{D|(^U3cBTdXNaoYkVdSp)1&1VW(G*}D*Uv;3hwT?bB4vm&rLUlPk&EXaIK`~zZUFl~3^vZF|QBuns zK2B5JE|T%C?uwLT+ZHokNMZA&YO)dY%#7bKN$Kf@lsoHdJu31}0yDj)A$TLh($#Z}&}$n1yp}jx9H;nV$}c=3T#9!4dEM>3a23hU#$10mypJW$g9iha$v);lyG>~-0o@bl)SG_W*I$e-)d3WqVL=@MBW*UWZ-687z z33Qj1dtpH_e`{U^rcIae*%59_lfttmG4=?IgBJ`2C=K> zYY&3TgavXWlK+H7Mt1bJsVc~`o zty24;a+3qvHXY{Fls%iD7AvWV_`NBDZ;RB5qbPMgtyf=}IUmd;IGGLg4ExqbZaRiL zs)2w3__B3kE)~y0Ar!E}Kx#+II+V#aL`$UVUJ~-*<@V2)p>REl((3htL4W!$3;L{r z57$HyAfPZ9Cb#3U_1YKEn$J(v<#5}Mss(<>Zgu@E3iCw%^H7M1E_)GyNl75(md`^ndQzH>@(OW6s8F*Z40^&htgdHA|({2X%x(b5T{G zpYky#PM40!FD@>Xv(+4!Kk3jX!r*5-5)pOtKYh_q|BywEjw*pJrE-yqrbc_)f=SKy`DSdw%2n{XWN?a3N;_9EhI}-^M*(_qsEdOMgQqgN(BH}`+<{N1X{$BIl zRZf1jmKatd!@x)Gd(C8Cx6;8y1+zG{3E5qM98$5!rb6lbAoD)Jo6n}{3V$<+Gml;! 
zRHmnT_rWk}2F(HbC2uarZ7P6X|K~GnCvA(=J8%0p%b~ zTH}FeEW~q!j?=d*pkAriO+<|;4vh%&cTjyLzHQ4{cd4d6v()KPnj&y9e58;-S*eXV zK(1z9_qIyZ_a)&n$3sL!v|nxYmsAF}ABILoVzKJh`B~3#UFCJ1oY?CE%fo@Cg~nEm z&btKS;^OweQpbzq6>8G~y2*#|hzKKZR{dY_!LRpgnIgvo{}TfOLtGta!xapoa+WVe ze}p%^*n6XxfOwMf3|2T(W>Lmt)WMwfMa@VjN|d;(rr>N-*@Ht0*5qDLe&5Gsh#H{H zt&<#@;h%wOUhKo@2=9U>-MYV-3DXhd1}TxlFM+$9C!;ZXh*)U#obx@Q6$v@nH@VU( zl8GuF+3g3Xj%fOJB0O>Mz{(0Wus~F@EdT?$W!xR*pP&C0SUj0O2Hppj$!j%!V$s#p zn`=NHjV577tcDG#=)hgJ-+xDJEXa^xtW~ErXBrR(VkLj2K%8mfrVOmN8ljYb>Q~Jv z|NLq3J>8g$`Qgjy%noLC>m2D}2A;vV0Ywxod3uTsu$&+JRK-9flYX{kE`~*jXfyI^ zsN%B#B=OwojOq$uGUr0f7g)y1hjFAqK)M7{(A|LH~`J5yryjjG^k9 zDf=TbFc)QBoh3MiTQ=u&Aj@OZBf4jqNb7@Zrs+IuZ0VbZX~xham;UN2SKVf`t72R+ zzo^u*7#wM?a{v0Jw8}76b?yKN5tD|bygYWubMg>sQ6KR2`R%2Z^;{LoO0&1ISnufQ z=O$j;MLyt9MYCyt!aF4;JS6>(A3s{l_cyu`aq9a1nmehAInAoF>AGU z%ScLoQ_K`8P%9*8aM|zv9TFT|*&GuSW4+wkD#ol+gYDzvqxHiae8;P7y+ z4wHznf{gGxXInk6hIDQIrxl5a7hfu`UCil54<{+DOpH7cES=v871(5Mc;+(P;1o8q{gG*qFg#laQ|B7tB`|R2&i{jfWUrk#xpfi+oz+ioi z#QYK&h9NxZ1W!aD&y!Lu5F8}H>;d{9ntb^l737=h)J53!fG8n#hIf1Vgd*Mx%CtI5 zav3?U0}aZgPrHq6LX@z{-Yg1OI9he*r)NM-Swo-P!*b$^RX_-H_db`o+B~Y;O*yeq zFBHPDKU~0!?kD`Hz8|}SBqp_-V{8mHw#8g1f%RI(Nx`1tuMCWaAJ0$R(v`49LK9Iw zMeRj|m|_-ovZ2H9zhxJ^0ebpB5*3!f{!wh$Qj;ffFcz_NhLF2Gu$ENF{S28aWEKCR zw7h)eF|Bnh5DoYHErHnHVm)WPm9=$LU;Nt~VA*s3}5{PoxEYiL8k8`^x5uMjtsL$RI56$+O*Q`)QFH?$q#`k z!2Dt*t`}gpGuD7mApslu$-|{8BF7mqoLvrPzx1uBWxu!;nhyk4E59G&cUYIKDVxYw ze5=2}(v9jt5%cWfeQHPr6N7j0kAZ-v5-)I}Edu*sHX*4Hha3ZJ>V1~DVbUzti}RE6 zhz0Df8W~vP+np1(P>0_EWr)9l+qm`pFS%?K;DG#kr=oav>-Bg~jvU%s1_~1kRSBnb z5(mt=xjaPvX=%;Tw)&m0!psp8+e$iWGqdligu}vOpx}t?JbDjV(!<4^8Rj!Nf;p*H z>qSwQ1okNdQv!IZfD0p!&3sUXu&2>xf1hqJSDh3#2Jb8Jeak`W?6EpHW;~1@J3Hn6+b65tg)zv32G1I~Q4vNo zD=ZF*N`p+pzo@82V7%(o#ZAtwL*b%?F*G}hs7!(IoUb*r;>6cTd|8X^<0s86-#s#; z4HE468o^h6$ywLV$wle)_Gsrph<4v$b3>*YV31^f+TIRH(;yFLUNM& zU35+cDd-{9!t=Rm*%<}=g{>DgPq<}0kH$uxGsR(m{yR*#%U~0@=xS?u1No6t^At0O zSMlCaBEFYPVtxm#+a>))Gb>>MNH1&bR)$UF3_)$_3EmhYF1zEw{&~!hstV^$M)jf! 
zb7onL*KSg~0Xns|rY8|ECsqunZ!hrXnWHN*EdVoSqe3-K5oY-nTnap z)gKj7C^hQJ0%Cw<98I3}>4*gx7VcfJ?(_YV?Kgs8WXebN>=dtfN8h9o{rP#F&!Phe z)j`sz5zvuu)NS?#ZZyhj@ypy_TGUwCCCxBN|H(zyHX$kNv>n8SU7%ijIJZR)1~b1$ zaEh}>PY8UX)FLGH>N!% z0qod~d&dCz0?EtEV}7ojjg?ES63qeu7wb29V1HKbf4QrGZ$7z`BvCXYRTxUxCp895 zkbQ3@8V$Jt@Ns+k+{b`QwJur4rEa+{)J$Aw~~8T;uQRVUUv( zXQ1ueNaRuc`G>B~@OY*>x*v`j`oQuL&33Elxr8EU&0$E2a zb{0B*f4krDKLpExIxn5HUP?eU#=}Z-K6;NeIASDf-P{h~n(tMGBb1J@ShbbSYelP&?3DN@K*NTNWS*(Lu|#o4qkE7FGXIwLK-1%s*#uDubS( z`+0Is7Gla&pSZwpDz(fJa^gV|+<|4XG|C{{EKh4Zxod%WW#NB)8XobTuJnDTBk_xF z&3(fNOG^1kk4V#8(&o8z%1Zo|EGxs1cIs}VYBMW}K{7!vq4`hdf%BJ^YvVTqeBSHW zU$;j(M}0aV-neU zJ6(O;8Os;MITj7@UAn4vHVmb}fpgoT&i~vAyRPG7)^El$WlB(3yvr2zS?{V&c6&M! z4hZlmd^0G!S5QdV&A~J{9u(MY^7MX&+jhU=PD~v07aiAM00Tr*lZhE@oQhptp!+U2 zPW@zcQ~1wuLd}q1Yj-!9H`?X9%hag~w`G-C!PzX$mJAiaFUnx6nVO~R>owZEMtNg{ z;i*CuYFz!r#178yjUnDbf%eCo;Nc}gI`_^S0?mJ8^VXmN`-{m*u_v{?#fr@z+2%O@ zu^);om6BFX6#t-3LPJXXqO4y2+P41Kfsk4QUrB|0?y%^{jtB%Ba8dBV1w5*X7on7{ znwN%|gKXgTF|hJ!a=4%{Q2@8CWPhf-V{kBPswI1U_X1bi#jeO7l2zAd2zvMG1Fc)a z{V{W1!%k%@!No$a8k%cN=vrzcazNkFiZdJqQw`j?ojleH8GL4UEWJM1U?>^Vl`CLy zc$8N#*^m4s>lFQtD0E2`36Chl;|V!>Lpi;TS@q}gdIFfK^A1@g)2hpP*hrPio%-iE z8GI^N<}LHrYLflhvaWK2w(G}3K}O97q=b$2bzr%m`q#T-t`eJ)O0P=tDhNy>Se9t^ zd3JOvSJ22?YG>OCqM2g@spOiaQ9C6AF6;4UPlApCQs@VB^_sx$&`yj`)^mkpV7UW{ z#5{^e?zL}QFQBn1tpIi0M&MdhqOkTW9 z2$(5tC3-UZWs>r&q7G$H4m=Z?5`Nd zFzru-IwB$kn)u)=wRlMU(dB06Zqv*x*Q$Xruzsx%Da`KX8ko=XP|CE~~^pK+ytc>6b*#&-}<_JkwdjQ><7 zZz$HD-5Hcn^j>MeVEB;kr+5!OWvL=^x4z165X2AQrD0H zHS9xPL~ct>GhbCp!>)d!v1&!v!HlE!ZY?eN#@6M+iJRjKyOm$YC#$;~W(8XHh+8Zf zNLPAyB!j@{b&*>a>ek;%uRHu+J@3Tz0^KOS`XTBR|WU8o+hO4*NJf zncT-g{mH`q*ky2rc?7IHsdy$GL} zt?(8OG`TF|Y0XU|CaII1qi^`B(|AO};Rx3LX~8gK%wTE;l%UQQrHgI&Szl&(_Q7eL zy|Z`^TR$|9g0x?!|IPb9ded)I>QKf_{jvQa-kJ}Qhsj6TYE)=K4&<4v!Ch2BSFI?6 z_M(B}I6Q7mpCV@0>xKM5O3w!|q2PTx76i$Z^^@#pzZ$9g8npTMaxBSJ6AFw6A91e9 zko3GMO@2-p`^p4$udPoT{;K!^=mSR#^?!F%(G=SiB?ax=Er7Mt=Q?ebnUz{cGw$#B3NSP;Q;~2Rr}4pnU+l> 
z6Y*1EMh2CjArX@@w(#Ab)<92O@b_c;Pv$zSRp=7Z*a5kTZ&0r&BUqONJN5&K3(5vo z@dHg70HC99h=y)Zr8|qOuqM@U^zBLpyE`l|1cLZo)z$%F0^x%gi@8CR6X2TL+ zjHHxuG+cml2ap_Js${K|;^gwR*5*L-(E<@qpO_TB)TZSkWh*1b?%w~j0P?9K2orR} zCcbjbgeQ+X(alS@#+~pr^9A+?-b03s`d6R6X92M47*U07`?92iL~>CN@sd%QBBY9M zkN_8U$|Ygy&X7F7@|hi^Brw=;_2&hnf;>8D%dr4x^IR~Zrs~Q^lpQv}zUX;JYJlVu zPN&KIP6I{Nne?6faG; z_x664qGvYPz#Jhi2fI!S{q9f4x<$QpbADnkTe-u{e{?0=*RU~kF^Q@oschyto`r6J z&Awofah0)M%8xq3-^^q&2GUk1IM4$|$5i{#x8D4NDoalhQxEm@ogBztva@p>w$48M z!T!#M1SEDphxnds{f>s6sd`+dU-|&rh^Lip2CGg|fb_2nh0c)tj+10>ICf6Hk$NTt zvstV}cq2<>Hdcxn64IM8fiHtgX^gT}NTm_D7wxd|sGihLZ;?Ru(FG&9R6jyioe>lA zG1WWabP>kw8pD6tCF)4{E8p&wPK|Xqm9WP*&2oK40D}xf16U(= zNonczfn>JcWVTn&<87hN_V(AsAJvG%Y(>8#c_*{#RhSNdK1I?@ozMTUh@aF_Z)FZp zyP)0w)4rG+HR_VYt*?vQ^R$TQlk>KpbUT6i`jK6G>sPc+dH351rO95aTmsP#Hsf^#FC|0WXay$8->nEi zze}uw-I)Yd?NE*oZ1{c@PURJ(aAXtu&2Ye_biNOxd52>;z)^Zp^rY?&EIOPV21hHy zB4f?QfCU`F?!zkBD_&0GQp;ZMqYWQ))QYq*2-jr4l+bo# z8!Ky8HKP~k{1lN*W{O_@W~jky)zz@c=eb8QU8;>M=qZSdifq(5yJo&vqFl9@8?W2J8HDb+A0Jt5HmV44}WP!A7hLGD{BB!{L-8Ohx zF#wCX+RtzA+!^6D*i|Jj;A?w+wc;%;BFKboq4GQtbIWMus8H4Ov=29Jc%?fB*I?Dq z!oPO^EAqnX#qNaL={ky#kWhu)ibx{J;p*(HJ&KgG!fJ-KZR_FBA$gvBNEb>ZL1puSjH+Za|Wc6Yv%LNTNW&S87veAJGHxP@W?B}61 zT*N7T0`Oti;9W$`Ac1JJ-Q2tom_Zo#Y%oMm&((P4 zQU*Ssg|OvfM>n6^)O)(ZVIWs%C<}KvTI8qTvwueDE#IM=CV>q;&PD!H(i#bVzNJ_9;%ECq zRwrbOpit#EZm3~s&d2OIXjpSy0cAXc5woG}O#%uMc2}%;N?#L;>?Q^kCO)C8_qB}V zm0twjV7@L=vfn}cb^Z{312ANTP0rqF2@M{ep2oKqyR-F9ZvogR5J2UP0aVWIeCs)g zMZ0tS0uUy->`$|gN?G_a7^I2%iUjHsmP+sXY;;F=oNW$_RT|6u#e<1ib;Z&JT)@zF zl|qBmWtGw z0O0c(fIOS{mDw!RU|T9990+^Uo_$?@87t&E#fRC9pfXK-t42MkwW>w;BKn<3q*M7?I ziMUHYeq_3*<#jz}rq`V#;m0IncLotrg^spr1zq>7A9mO$HEaE7V4qj~(KWp5bA2Hc zx2s-R$e)T+)4mkn#@9IaRGSg!-0j9?)ku{&)IP~Nq{J5a9J?CipC#o}XDb-Vkn{Vg z2Tk;c>5dGI1l#J>umfo2Ce<*rx{A&G_H zgJs#nY<`e-7ad;FXX^Kg z$!Ya4(EcDT{zSW9qtQv@hp)TlAy%ssJhwp8e1=aU6fzG?PPF0%WLJz_;XpA;_f>t( z@n&-Ohu=%zBqSKdWs7rBx;5Y5FEsvd{D2fW)dtaS=xq^PDuKvJdfjEe^!ZOoULu@@ zVK74Y7ji?3m8m*O3kB}-T^N6&c-4FAak+8XC~d@|%s0p|W#x(KQk{;arF1D4<(vjp 
ze}Df2mx#e^^S2QJ*<79P0#Pf&iocg%?$5-wF-I(BO9w9&YnI34$i!v?v`ud+H&fon z^#1HzDiJUGOMolryOIM9dR*=iMOHNclpcD)P#SM+E-8SuW=JKB38(}@E_~8>Y_vL4 z>g)NZOCU&%iM*q0iH+iaG@M6$?+{N{mV@TiNnx#@oLW(8iE*y3H|+gn`7$0am9Csu`c|(^JnkF0WWx#p z8XAK5JO#009v0Q~YT4bry3&wJ?D(_^w)IsF=O| zUsaa5$u~IaI#`a~>L31py_S@5E6|Iu)~`WJ%mU0b@~!^lkt&S1m@ZrEqoDFk@enw2 z6;Db7|3}=9SB!B;DejY2ap0T1s~??JBFpGFVbF)Kk3*5g zcS!aRpPfC7`kkfRpUP&2Fp1Jqj4c%HlJw0@?ZUp0JFfqpr>=ATqgmuJeQ1e+>**_B zbochBI=&~p(;y(Rd(42r`$g+GZ%31q!AuO`yPJ)-MajkC$<&$o9%B+PKx|1}#4#V6 za06MdBC7TKi=?i1g_McsZ#^0wO9-GMnh88;;TZD;8OKeje-G-Tg zfq}ZkO;t10nu|z}l3H&HkreTjlK!BQG%@ggEP06W%=fMI@h0Y@;R2)H5#Qztu(G!^ z1^@b?f6Tt%zt?0ua!}5USnRQ2ZN4}{hSlixKCE9>N`J{VsbE360lM1_AWhj1?uKnz>CXA$QiJ0lA>WRg1h4)TdNu?! zo8^ntd2Dk4xDwdn!UQ$s{{?Wq1`nKfF)=$skR@m(u5WIk!`XAaDNJt#9w$%$y`YKa zkPbu#TDc(Z=KV4~-SC^8Usx}C$#NYg``8$q!~E@6z6C|7?OK?VwIP z^N(mRaXns!9?VuAOm_qMg1tcMigCfdwMxo(SqhJoEvjl3JJ%Yh`|@6>X|rI0M1m`uTb{mAg>t^x~0Ac ztVhQeEfGi-eY(1-M?ymK?On9=tfw1ppoTZKnfzh){m0pHez=UAc)t$BOA_!7A8k#7VuVeHXq5)0%z?9DIz^ z!B>sHs=a!9&>Jh0?6cM$lPRBRJ3*OMjC=4YuikWD=4{Wkx_gPjAAq)z**-ppC9>&b zP{rDDXh~k~^@9ri?naIc|3vX$U!1-eWEpfg?C1X4?1dS*#VnnMQ>t7J)tj#UwCPdj zbKD|%s51QS=ax3FMI?Wu?q`5j0${-a06_eIfI&`t*wSTP=uf6;e^v{0+*m)GPvn4@ zFiJoDZhbH@-a4jcXx?}emDl-r6su>LA|yA_bbT>l7+x+WqTv~t-9q1Qy@KzGTFt5} zie?=Do1vQqeo;;& zZ9Hn~x0h7MnT7_^ICFYJzU)fM-KU>B z=Q`cpB*}QkmITnq$mb!uQ5i z4(W9Kt&6e-?O$h)eTjXg!hEr1r`TmSVRPTN<~V22@L&0kqsf#FM8=M^J9w2+ldnLt zg_#erD=gOYO&nG8$fu8Oqd%5Yng6i~vDD`*mRqnT;dN(b)GY1H&VngAwE<|I{rc>O zl9h&}T+lSV0l8WE*Y+$V89eeAf$T42Hs<2DNfym|4JNQL81enGAGbedN>mbbjaJ*? z3e{ableop{Nzbn(fP$n9ZI-H2a{0=%n^BKfeg#gHF#JoqiL@>10@57Cw7}&D&n%6l zRKClWiR<-qB26}fu2E$PB>>iO^S$Wa#M0EF4uB-v>ia2!a>pW?&-S^eDOEa{Dny`{|46 z({-Ks^$HxF@_`xLH$ee$oCH10G4`KxhHDtfbYeolp%C$s*Gr-QzxqzaaQZ%wnB8W? 
zf_Z0-LUn$M*t--6Z(Ef_EP32Pn$5QgsmO|oyW~6ch`Cacpq#Tzcr)C>1vm=?eUMERK2Ju<-4CKQ#4u z_2dqZM4v(+K@Kh%58ftYQpY65#B3MFt5;d@784xi(vs1Zo@cYO^A+gKMbMx2b6yFI zdYH7KQPRETc(e0!>uV1(b&hvN>r`}2LrO9-p;Ki=Dy5iPZ0V6!nq|gECGNe6g2Wfk z0T=3{F=$G?+KBQ~+S=_Dxx?PI#cz9O!(%iQR49Pna6m!3zX4=9k}fhjx+B76U^Y7E zf=mkh2*B?a)%hG^`L=&OA&HpKBokF*agkSa*R<=|;Ds*ieXOdMWlD?I+)hZ(J z3G$RTUwUY(CntP=Uv3vrD;k=sYFj)t69Ac5!HLM}9mW3!AOH_Zm)BI!Jnq6gY8pYS5qs^& zc1$ySSB*o|Hnj1`S1Wu|=bj${eb8ca^9;#njO|XgOL+cMPz%}-6pM}`( zxjzc3GfaQh3;<6^_Sm(PvZS$P1%2g1N(b|h1L{BO84A12R7WiO8ARZFX=`o}5C{|g z^;+36Tv_g9J)U|#*WKcuaEllkzLAd$8a+BespTae_^#2c*0p)L3Hy%C%JPT37|1> zzmuFAa&BglC$6KJv=CZ7z*d#uWVmspECR4~7vCQccmwrga62Hj{xK&PT&`g43)=H- z=az4L8#^ewAYJA0p93S}<|Q@Y!C?KXd&Uq1L@WeRj8*Ri1qHdvxu~c@b0hD@)t)!Z zWh<8-XbJBLi?raFRpV-ZC5G5wSA1VdGnv=YA~)R2Xh+A0@`vzvPd{~!WxBcTDpFF0 z-b271HV9tlF`aU;hKnL=vCmpW8NvztU-xV)Ab;ZXtWG{l0=MDKc=0tpkh31k)op@J zt!6tw$Ui3Qfhu{pF}|_^!yod`Gxg6tpIn{$9}m>5!vEC+_1mklsDi^|^@El7x}{l2wp=~(dzhBhBq{JBe`D3VIhsIIJp7KTKVaku+Ep|0Pv zwj^9mei`b17GFc$7Knwwx3kr;JfgRV+_8kYdLm2h_Vwh+yVg*gBH2F+XOQ_4e}{PJ zv23yvAV0S|i@w;M?yB>V+wB^nlcPy=c6aCKo9X;!wT;*e)Tdq5ajv?ta{cix(jP~Q z{eY$U*K@NoftZ2ts>>=PXt^fP#e5mBRaO)f8YCJ7ROs_wkImXzV(5beI?6uR#0%M} z42nP(7n9oun8A8C0cqtIw`55y^fNPr3WG$tO<>LUU)Tbtn(&-LBtl2*j=2>$(?49? 
zaPDF!V?I}lk|0uU0~3#yzB-==0T7%1*P>TdW+TH9tuH#W*JmctO~w@aryV~d6+IaT z-Uu61aY9BndGx{ls`{#}*NqjA(D0|HDhdSZ`2RgCKNKq+=t2Yw>GE zJ^HA)-Nlaq%A zQ~oi1vet2W8u@aUU#?ydPSrOBQZu@hqAH%PH7$CagH!pu4jG zy34;Jr%+#a*AIesSOWJ}t>g8gR;_fVei8p!b(98kf!F=Nhg`rWI)C@~W&vGd2B#vFWK+{Q~FW!&RtwM94dO@wsmALAQv0Q^6 z626!HZJC`SpX&vG9D0BhC-^J6Dimi9|77Os)isxH5YM1fmhr~p z<49=XlaREeIdef>y7Tyoi7tuGlZf1FW~FXy+9cxc?BwwK<#?^0Wyhx@PEbn|Kmid9}_j6 z(KLE_($S(MXW=UPx0929`42jNS51-jy-N>(k5U0%uWKP^5_p6Ev5w>r3Xg=9q5=6A zSpM-h^L$E`f%Vy`Nl`sI3$7o`RVx>3u++ayk`zRQnAN-ug{Y^_ecS*3i$wL9Y9DrJ z7({xMTVdL*Bh*Ai|I|)Mp_~`<=2n2X^?+3oZs`sZ5vuvn?PP z4h;{-C^ohPWX1pwX$(+S0WH4>iwuCj%y~JV|NP$MeFp;cs{W;=ES}-cU@orC1O`>D zCXK98nOG|GiM;1krUR(Fyu4re9K?5&3Vr?ogDTEX{1*|mVSrOFp#qRt|NXKIH6$gG z@6dur-kVG5?}9-_9K?l*)k#+s|qtyKN7SdjD@4j zzIarRCwZAD|8ZRx^H(NI<16WM#t_3N^E|X&^@=Ed=?0>%2z<8FM|W`+w!ZtJTfXe= z(Ct*cXBqjV{ZCnA0r=Sz-GD3{QLz{PCT!hKR!tqq$@UuIY2V&ucU^1)6KVwnQkNd( zM@<)MY(|syqyN(aU_Oz{QK=FPX6qDUftbSp@1ONbGbO+%xdFiHucoGWe*jNyu4H3p zU~F+e-#U|zhpkK+Y5+!xwf(zoo?Sp-on_P&aj>5CeRbdN#d|}INDvDi2?;tHTGxQY zf5nQ053?JZEyB+lKk4?830$Euui>qrYOgrN6SaF`Ko&!p{L*1hyaTj; zI71Cz$>IMxKcg8eYblyf17>Q9r1|V(nRXG3fEA(SNWFSvPny4=v7gIhz2x39|Z4zaDh^*-KfH%B+bgY8z9+?J}4h>bA;66@!(IoO~ z)EeFetPYxp=8{gLw+NwtSq%CVYb&$kJ{9R=g+hvcG~W)geA+dq)Q; zpv|!)LZ?zM)lPi)+RsI?q8d|(=R2Vs!-V8RloziI6 z+D4Zfv{e0!rr;;Qr4o8(iXBD9jrnkUX^gMC(GzQiuLal}nCEQ(NUV>h+GH;Fcka}` z(vAh}i8G!@ky<|w9Wh$ybUw9zudqF9^+DT*rqO0?i=RKwCSnbgJ))Q{r&saIslNo8GqsF-zzB__kO;1(~m`3<~?)f6a`jgqHIpxjG>5)W%5d;1JQve%; zBSb_QRGDDNHF*MZde8Ki!xhjDV8&gri1#g+UQ%peexA(p&jFO-Qv#J%y`w4MA`(@A zOPwR5ps<70vcyq%&=6>3WnPQ9T4cusBgwQ&Hz&Y%~wDL&axcvwO9ze{_Bp*-F^KFsaA}x5{NqH z`80uvnf1N%EAW6(5X0eqmdBT0%p>~g^XH1q@Wv-ZFQmXPyp2Q|Wh5gPn+o%PeX4J3 zePlDJt_4}_=l^hk2Vj1=ftl<11|~)V&_7=xO6567{Zo}8^@#{N?@ip8mxVF9f95p1 zISPyA{rbKeW@@RErC}xbo6Qu5)>xR1cIWMq<28~d&TYGBpBIk10@zjo``IjIVsm6p02nCA#+POi|w| zblM2(>?=UJfEY2ox75fBP`4do_-){TkH}5*G!Zlv1ZwnY)T3#ojm+A z-C!!815G6MK4AI*)XazyY9o=Y6MzalzAtMhAMiV{f0nF>*we#TqlN!8>cY(9m4Ygp 
z%%t(!kr>W5y0Xb8GIss`-4`Fan_2}+dd(5}TQ!|I;`a7x#W%(0f(ikQ=sF1q)q}et zi8uNanM$TXQZ~x8I?6vFnXeJ83F&a+y*<`jFP9M|Ndw%vwgOC~C&#Qnrrn~ZX%TFF5 z_Hoyx$ax9X-x$skxnz!L^60f+F_lnOtu`tm+os=#ESNRF+VNCd*9#?dP%pLkq-J9~ zaQkpg;6H;KaB`|nzbt$c%y!)I{daOf+;eX;BAESv&7@Nh8Zhs8O#OQr!?HB;cPF$2 zQK9@&(xQY4nZ)%!U>;e)s0^<4P@c_WIq8vqolcxf{Db{FER(Z0fZ;SAzcU0PzInQx z-QDo5AOh>m%)geDV30;kQdy(2vJ!ig%W@K(m6i46^b}g?BN2iP#aEn6emMr1C+0lR zAMsY_t4y)}a_8T0nqC%B|F}%p^ZrS9Iy(iyN^=j=_9<5SeN#!QeD=YOQ63$*mWugFHP6c5I%4CA&$Ld6!F$WzG0Y|Z~+09?Ei7cc&ij#!ZC4C55> zjr11M91pX6QwNO#692hisZh3!F*Itg=ja;d#`MoeMPDD38^=$##F-ITIlV|2w23_} z-EVDw9VsNisb`=rbgyWA*&WWZ{LQcV+U@n7!eno!IJE>ZNT!VgbbZ{b`PKCbiWh@j9lR-nw<#%l670V&v5=7XN_UgWu_XpTkf*MhPBjKkf5M*ljmRjiEV6El2WhV9%I zr{BEqHf;Hoe?mS9H4^y^aSG$(gP3wNO}xgAw%mvdAHj0#lNulh$)u$|w_U2wFs_Y7 z>iZ3Wzf(QfBJRG-f~Mr%|IYJZR`@^6^LP#3vpzn_`R2CC^CdcsILrsk$L*<@6 zAe<&0ol6;+aH=&G@Y*3kkX^@-s_7GBTS=t!@O5+0i@x)+s4TJErrGkno~5%O#Fw)0 zB;=Ozz~iG;lG;!Wgs62ySgMWP(zi$5;z!A{aL94Y07V~!kbExOR`2@?;hIzpO`4MB zE2+vay0Wg{wT&+X+C)B>OanZq>3pp1?#E&Wz^AF9Ez-WS4eDhEjk>`Tm!mEDU9mnc z`=%7Z7i;ED95ya4K6dovLlLIhN@6YaWweT;k>;_7u~f0Vg&H?;M?BxTUA{!m)SoB~ z7@r}U{|%NtykiRN4sM6hk;jq%A^2XWZI0 zN(@qOi4JZ3jo*oaE0;6n&?ei~+G&kepO^w3yl$w1_+Ecklhv-abe}-hrVuaa_!v=) z1ej{)vW$mrbzLrg&6T6iES1Jt4o;x9CS6c6R9Tgk6!kRM&)p zf$&n^oZaMawRS&%r6OY|xJ#2g00>IXgRoc*F5ey;pl|!wTi0IcA+!nfEl8 zSzvcjF4qE3E$`9TS2R1*Lq%w*0G7602M1^CeU21FaMA+l<4-&iy!b!XxB_!LTc0VxI>qu6-8LPN$@f30 zKNQot64u(H5dk!-WE*NHYr;h-wncI`PlwNOGFM&S=_U8L~x9ku&)7QHO1%dk(^Uq867 z6mr*yech{F)M&vOvb|p3A+c@vNkqpX&o;1)p&S=>Z~9K?hJ$SPO1bbPH<01CL0^7= zub0;)W>~K0J|!Ow&}$_}1O#=P~OVYzR=nC_b0#{kbP<{E_p`04BNDxYkCx+G5WfrHyW);-EK z948TS5EDZR(Ze(Gwq4!#DNPlG$Ug`ePx$~>F*c$~v9hN)1VezgLB&Gvr5xjjx&fYo z-#I2H!gd$F8xuM83wKl}wnwHX`Jbb9HK|jy)O_)hPWuxd2Vo@gVGv>k@g08eefu@4 ziUGrNOUV*NJ`kaY{_R%4t%SQySn<0B@Q=-6ABN*pV=qcjos`a6v2WG21L1dt%-0Oi z)1swCUn}g^;&T}``$HME4gN*~0I;;Id(-_G@(guV{2a%wzU_Z`Sok4T@*APdOAG=m zq(p0y&|wf%C_QK(tP`*dI>pA+^E2BuG`CRlktkh~7k_)2E-X%=^U`xmtyZLrjzl+? 
z(cocp&c_x@SZ&aAQYcyZs(syEwCFL1tGERXZo0eTYCcL|DjPmt768Sq^qXiee(0hg z;Esx^#Ag2LZopLLTE;BU;kyosthzd4d&;<9wR;=)al;!MI3O{5&eNx_W|2ETdR_EAvwi%p$1mxoT z7v?L{N@zy(exO8}@$NFkbUJ>0%pR#J{`f{NCy+Z1TB%#fu$D$>? z<^fj0^qy`9l>9m1?x6mIfCg1rk1q5BJ+0gbUdsJw8OwgKbtBYT%pI7eWFBNZgpfGD zutiAIf3SS7o}5qCc$6O@-);q@)o)X#mVX(#?$r9syx-VIec3AdVTh1_1`UXY2)U1BY4x zYzm-xLts(iQ?RvLcstQtA6jOt26eS8>iEX3%V(7A-GxsU6<-S8#8f^JIOTVqM#-~v zuOJ^NT$MO39N}g^5=+svEfVcZ`mY!?VrrU!g&7U?L*EB3*3SkB>murIBn}e8XUj@e z?QVfqErOnNo7O? z1m)+csi_#)*q>8*9SwmjETE8fR~U7(dS5wpbazAZ%g2ksAj(NE0Zm5bKje{5MMVs+xNRcjQ@GgNudc4>)QSln>aXwkDTy9C zj{qUDnDqYjB|MDzM|?rur2d9X370ke-NYiQZ6*S72c@o&Zw-<5i~nY5iK3qZD@j;) zrsE5KjlOcjE2}W|A&uq3KO-h^73lX5y+Dq5U^0nB`KS8B1_{VE9NNu3f&k|n@QW?x zve9m{&gxHK`V8nn0OxF@_&(R<9X{9SxeVkMU%FvlBn!B+J2^QSH!0W^0!!zo*Cjh( z@I(OuXN5aZso$SD28d1%Leonkt_Xj|PkOOEjPH}l{R;p}xwtlv@-lrOi31Tx_I3ZT zo+jwA0CY*J2Q zgce6v)To97tq#RY!>kukiMUwJoEBQ(lCpt!4+j#-nc|^XJGWV4!R(oFlu~HL8Wo@5 z-aJwzpdE(3wKdbRGvH!Y+0K&ynz_;Ko64~4y0yWy@CQN+bS~&!Q%nZa`GYtSHz|hW z7hY{H?d}c$WKFDm_jr9s4jC7XMR|k%d4}cg`ArJWubY27|X7oKELi)=YKDHA4 zh@!6k4E8ZRF#KBp&;dx|BT(D*1%?IqbPND4G4M1!d53^@waRgp$pUjII0yXqT=k5& zWned0`$L~XU+&k3T1yVENT?D3XUq!sdZXt#!AjN!wT{lLIGhSckx75TL$LpBZ#Lxx z^dW8Uu-Zqim@bf+UkW5zfwpO3gOwE(F_(N2(oEVvqb1~(08!h}xm>r&EA;YseHoD4 zcbt8Feb46N8PtKe9>8h4onl%TWo)T*ntX2i9$xt%68Kki*l28TzIiBf8eqB_0U&^9 zu5zpJN&ZWF-Lw-Iiqm?B3aI*cKu^krAmBjRoPG|(1_dL$lvYz{fiu(FCKEF!@E?4O zGSSg4%)c?Om9CVS-6yE1(pf?1^9#RjzTi|D=O{Qe{2o1^e6AUPlI&tBM09SY07(g0e%bnH&ofReL-hCaFt zZmq}@K(8&T3>)KbPGW^c5|->-TwTCmag4|VwuKu|lj|#dd@L8_gL7d#1HbT)PO82j zI0*K=`XRDon=q0Wd9qPO0hJUK4inWc8-L9c?1wI2$`x5fzY5+CXPC4zauZ;{!VsOD z{M-ne|2VhPdt}^brFm;d3m3frKYRLAACOv$^F5uMIAs!<2NrNeXzAM&{6djilr0uI zLa~SQ6iFx4Ng(4u%LlF?3s7fQS7izkQnJz&Ij}Gc+>=u%is(M|b$16#sK2$HOUwl*(zeg6HZMF`yHnl0Y&%xJux(U@wo40emVnDEr9#g*H&b zW%YOM-vg2v(+?4I8NiR_9JQ!g7(+994fZEKLftR4Ei_Qctq2(e{)^Q^d$+1*V8R(^ zgj*_oO{8?yof?rOxL<6JAG8&;8MF7xM7>m`vxSD^yZn5{stY(^AJtRL!*%}&0^YGh 
zGEA#hmAigty#Y-9hp9MFy*p43xBiff1)#5is#i=rf9d^#gGgbBmklYntOK3GdOcjLz27IT5CqZ z`VO=!*O?Kba(JC>QD3wxB0i<1@^R~Vb<9!Qr|JNq z>@>i;53xhBL!r`mgqvea&=v!=hcykKusIq8)DQ3Gl^lulMwq{WjWk0)wK8_bmfo?l zdI!s}?s>f?w?RXubu=-rMm>bv$FTRd$rf_z`BEUDnWL?Yo*fR{LGsSz-u?Xe5Go~x3e~RsQxUxhnNFb_2Jpbi zmk~Tju4{^yz^!=@Fq&<}+xHkN^r5g=;itpjPF*^lHAr-fyN8+wRj5i*{;=q3V{{*Z zbe@@J#rSWYF9>7t{8x^+_I%SkaBz{f@Qy{C{aPEF{ zY~ngNlXRZic<Gi-K;%a)7Bvc%r%^EuJp z`{x^DdQ7j@(HTr!sYeGg29Qx@-gh}+#Dnf-Agct5lI{LJ!Js)tqY2`n08p#rTS^!O z3_0CwRl2~>7MBe8;mA6Ga3_tmKl6jgR0J!7H1YapgKoLhPmuS@b~Y;?^mjBm#PRI; z!qwl$>i~a*@P!U{`$;mFJlTx9DAcU|sFQY^11h>vea{mM=x-(2r~5y}{pJu4)-v=sG%NsVOKRZe^U|PQEI|=1Z%$oGt#7ALf3Hjl zgsY6q`FdS?zHwwXU6YM?O%~#O7mUQa+-r3~C024%eC5^H0uW}q`j5Q5~c!JVtY zOr03|?($o5A1Af4!!`il*U{z|@KMPbv(yqKs1w7hhFd~^P@O4$L~pb7k=VqV&uEIN zs(7}qB-K^0kC+p5_yrS)*i_h?fILu^!sS8)c>PYDC_{WK?_r}uDc`~OC$ni;J&nh! zSjERh65}#wG2;-{euj;$Ki+g^tPIB1dj#hV(Og@}%ybUtufN^Y5+sENV=A4338xEu zeWRj7%y4Yj3Em4Uiby-X&fao~zt?&lSh^i~fkB`70et~w#2gO*t<7Y5BFH-Cki$kw zGSaRnVeD%IJL31a?eU<%(#=l<_@O>i^LkG(16io9lue$=8qbzW-?Rv7}^`b^VC@ zFpDSTcaAG7Hg~8j`}D)-%oMLfefsA0$QYp{FV zKlo6=AFcnD1%R>hHS0&1COTpt-X6<+@dV>GTJp8^Pl$-G2Jr}G!B@sE&+d7z?jb4{ zk9vu#mx zi2RkAAXZsY*ogN%%uAB#ySck@DH2U-t~Ltq4gtApqZ~3 z=!6vqI7#tN(`yYd!IqQ%5#(SbM;(FPx7f><= zwMrj6TaRO}06gZMl^?0pmmBPrtgd>8>T+@|-moM!42KF;=e&wa1?iCqS>QU1(v@ZSR1G~rd zm>~SW9EjDjqOn*QE(a_D=~pcEnl1JLLF74B^2Tvxr~y)%gBf+tSJ0R@6bhYa?&la0 z*mIO04*3D6+P+`IWjRMOR-bg%lJ4zxE@gW9oP#fGRzL9xNCf?14?qnp-g`d2X3giMp$)aT zTP1&4hIf#7*$lW*we_2~j&>YfQKYyFo%5-abs3CFM3K<91``tUZD+SZ2fo~7JJEg` z*Mc%>s#Toq%Y|gSh11bK63Sn8KNt8X$Pgm*n?1aDgEcIIMLag+a`|Cj#Ct3mX8WG_ z#z((7!*-CWnDNr3(98BUbOD|acRpNP*uJwPbx6#%!XP1Jd_IMj6xE(JB0B9i1ZX$T} zaI!kY9tlcij4E_CUR{#e!_OMtcy3o zpK_UG~@nA~1-%%efmmd~v*?!SV_N>`ty$`aJ-21so8;tuWIu!(=s; zcdBr0#oB$C;DVqScYfWQ0ds;K*8V|Tj+gU?l-X*7qSBg`ytM0;gJI16aatrI9s^oc zr-UIYbADIirtDe9OC_cZN&bxf(h~5olPWC#Nd~2!CdhT zRQH6my-8h)s*BXL%`^Eg&(%zIc6Z^S;$EgVcJ@gI6?l}GB8=oxlV@TYfC#kn^quBB(2k-EWaB~AGAc^N&|L@(-{pNOYkA0L1Tp?hvznuPhv 
z=xvN|-y%UzS{Y~0hyLRw8QU1gCx67-Q!o`zVA$M&ZkAyKMXe`#eL zcxKyjbvgfoM_)ZXc4n(V=TJj|IAc!Y)jLwP85J#z#WpFFqA_X1uin?72d87R_Fr$c zPui4G-mciBg3?i~h;LVghC{jeDc!G+QolUyLAG4egRBm)gJ%x`Z{iGjSs2*$ZH)I4 zL_^}wic21W9yLWAYd@CF!5=c@S1{yA;ea;MFXBD5qs(tni@a&G`Q%uOUHfP$qbs~~ z`_DiUvgDh4_B|0L#y^|iaYZEYJY)O%ePO02t7WnxB$RQ9^EChw>)VRQq0vnqYJ=?g zOH5J}#m2a)9?fN==^9yqGMQ}`-aHppt2-t^x_e2uuH?gt7cQ{^89B`}QM}Apx6O&` z5ws0S_t@T0d&|?6dAiq76d2ZF+TE=LgxXNMrTA<3HQ#Os^@4Ke`uSoD#~)UP`zX+* z5#{~4J$ggb33ffX(M?;FmeO11JrRh{mGHN4e0y!40B?5A-$M9u;D_ExvrP*Tyr(iu4Am!_VBy@mOSCUyPF zD7xC03zt^1o7{EZVNBc8Q!p1r=3AiJFC@`Bpfe?wT{b-Jh};%JR~mmszC7kD&3}ci z;4RQWd4fyE(BSS1HCT^tbb)l%5PIbLmUGfPzUp=AWrU5yA5z?(Rqzi$FySKdV99n6 z_3t6?EaDF$UsudIkjlY$<$Dl|wG{+fGR|h-_WE7$&MnU7+ZFN}FTb2+Ls5bNyy1 za<56hc#y>s*29cSpp^g?JI(`Js}xtk1}8aw-a};^i2Ux?Rt$S7-Ykrh)$QsTH-yhB zo630`_FdXWaAx@u;g26{Kjey{S5Xg0=!58nWvrrfp3%zrw*o^xj(^zsL0h3m zb5*LZb{8ApU{|Da{@XY^qjH<}8|~}XKdIvLIt3^gK3cvZ#=;P^S%7HGJa9V|aBfL5 z>S4xmG;5K{+f3pFWY(6Qz zMgq~S{bo1rBLgY>NYDnQZ9}d94X*rydUp=E+IvpJF>38Y$)&E4!J%Ji=XsxQRv$GL z^#97d8S4S2G)?81(Gg4R%~(7X6ARwh1dduuPwu31K5D4586Y#+ecxs$xhr2)#x9v$ z&&+#X)vKHXJ2)?~Nq>_0$mO2)3M@9Z#oE7d^NB58XF$Hgb*k?VuU136nIJr-y{es+ zL9;;73rdD@F}K714?l(scRcIp*&TM1Rws%2N1IJNU}9=uzCjy}0N9H7x4rw(8gMUOJ0r@AOajF`Jemh+Vua#S%G){yPB)>Oo9;ZuU@J*@FEa! 
zNZKIp@qD5-M-lYK7~X%?TzfkEtMy3{SBEc&1{Ycn>IfeFdwFF;P<>0>IFK2lb1 zOg>iXolxxWD_%w+9a;|V2|LBmU1E>(cEUW1%>Q0xs^V7iICEIsF@k>)w z!>;|~T#NNK<71DY>O`jV5iI{9hRNt$S`5yqQglhgFIKo7?Io!iOv;F>+K|;x@@Mn0 z4|RGrnyMwGmu2;wrkRkwx%TO9eN*E(!@+QL)_scxjp*_-Go?!h<~)YeYzpA-&GSbq zDs7C4$cLWv`qqD$To$mS?LH4ZUql95Pr5usX`W>sy8P9JZnqoDD}n+=W=e}VNE0TS zV4Xe6iv!%#t2%NtJKp1ObpPdrt6=h z)5x9Y@!hxnAwT(4{x}fh3m| z^GJ$eACed*gW~PNBZr!o|+0~s;5;< zfzXY?4m06sn#!u;-N40cipe`Lr<~4VAqOn1D8gtzY-P%wrHFp{?%mH&@q1~7?0xfA zwX<_9@N7(t3=HOVYhd}npUCQfTj<|VV z^{dDF=5ml+bnxaG?=j(QSfwz%o%uhjbfs5KmQvBZl&rb|G+<=v`( z(Td*q{+!jX9rKOEE1}hT^_ZKqNe+gmfOHdL$xT5!jPJ`YG;~`=IjlHW|3>lp*9KPp z-AMC=tA?|9d`ZmLjc_0OFB*ZPMQcktETnzMKev95uLo+L)HnewK?zSdOqFRoOjTBUCK-I9^kVp4^mM4U>BvxiS}^Ivm*7Dz)qd7eV(NxfuVY6LA5(Y zCj6yP1%DGMI3~t!rl|1;a`i^AsOxiglLUMb3(mWSjS(Z|HpVYlwN~#Qmy{2||DZr{ z5Evvt4r6io%fbER+7;XA+O_M7Rj=o;&0G%Uz3ybDbg#`=qS6#%6zH&sqqZFDdU1do|B1AL1+Y%M`KU^k|vsXTM&9Qrf-=lRJ_7o3`+iZz71n(*)EAi;J)T( z(fI~5X=XU6X#a%xRwDlVgjo-(dQO|Sut;B`(aTmw1DB?5%N|Diq?)`#El(z*mJ~k_ zz0Wx*EExe1$fG{)LJcMsYmWAlR?QZfcbhM~t@`13po?PPx=9BMF6uU{hR$jks{Wf^ ze!X3{VL4CZ&0y%IP)b0`oJdHLT!t213TZ;Q&U2MKnwytLZ?=<#gWeD=&uQy9b#oXb zY(^hyAp$qIPhtSb2SqDA1o=YzfoE2tL4NS9mnD5>Q478hcL$27;My2H5d-)k)ZpFx zK?gcJlhxRt`)A2?I@#rVUw_P~^3^tC>d?uFmJpROhaMa>^rKVy-oA*joM&5Uc-KGZ^;>980$773;NLAQX{b&LY4#oD|cD0R_=SU8ty1%JZ zUnNoN=@TueuRO<&4fRpOvol~}>ONnx?Oxw&8hU?nZuPNpXx4X8?aQ^`Fn3N~d9}xp zEl$**XW%qFF2wi!%x%RZuBcMtNx%XL;)4}l_A&2dOcB24(^o6<39-p#G3UZ+ejEva zdULR&=U8hbnWz*r01Ds9Ewl6gMnRaLK}SY7*!GW^Chz7q1(t1Q^XbFH5!l$0LKsMp z;Nrd9e-@7PqF2At#SSOhj(aEWmVeWiGBA$-2mNT{`P$rB^YSBC*);vxYB~U-cW|-3Lf0Jd1W0W$%RnJYeajdxc%u{V~T?+*u6fQq23z+ z^M{Vvwvt2oz=ca*nx;Q-Y2xUJd}o*<9Px2C*m&PR*G*jS4*`Eh6Nx$Py<<&v>f%t2 z)+wsb0|B9zjIAC3UKF6;=>XNzQaY1*#{8Fl`cMKACV<9iW!EH^t-Rkrs5LWq6T^5j zth@Y;Or0|{J$(anDjBM6e%3t=v+^K~A;PN{kdl^TY%AN1JJvA^fo&#CS1+4Dc4ch1s+hZ*X&&W_`Ha+de%C6Mvy zt$4;~sNm2Gp=KwW^u`hyuDwqoBdT%B$2)7dJk9H_07N$9u5;E4;W=L?r-x1`CVvVb zz7w!q7*w_2$WHxA3UTmVcy3t1f&WGwjk-uJ{ysim6Zf~%Uc}LF-4qTPfTG_qHzJ|0 
zam?j+{!nRY0JvH$=L);nF6=io%TenL5q!kH{Zk{JPg*vm^$L(*=QVwoa(^ZQE6%Q;KDj-rFB*MkB1QUy6ps zi>>(&C|HXk<4S1Ex=1IF%#_@Y(2JE{L7dNFm6g7;k@6RfQuQ))udw$<7sILasIF_j zU`5uGRXX9W9@E(9`hOE#JIBI80O*Xf-fG3uwh!E}5kbTp+)&_>;yaHFIjpTS8Jp0H z@B>)`Cqe*dYR0raik{nsF-vV(MnN7VvQ|5Kl6-~j7No?8DqpzO2Ci@1skY=N)lVd=mQ8O)SXUsVULMX`963Mc&y?D~bL5(}kG*W~pjzTmQ4B?uAO$BfGH_ z!p$aMu+Vbkm6hx>7@)rb`nOOR=Sd47M`8X;j{3q)YI7!dWIA$oo-XcHwG=&FfX{;E zPjmXLgFfolubs$+q1ywJzPrmN6N8DvZO=@*<#1VI=WEqmVM}g({dB&_<*IRT(q_?SY!`L<7o4Cwe?%ulVj0v92+@{@Xc3fBn zotO7PNtCRMxGA;zS0nPIQ@THVEAeH3HVjXH5FnaV{$;N)`&)<7aq;;V75Nz`hP<5om+gr84h1GbaHX&*UuC_xhJr|8?P4c1*Ivlp zx2=!8&0+KLG~2l`awkmM)f50kqP;3z;flNQT%?_~w|G3FseMdl3mK&daIDqs^a1tf zc!_qY;*CLqRH*T1>kRK8MG_x^_jwAugcxAL(O)_Yv*>^<4mn0FDe$X#RD|4#IE2iH z!kZP1tL5_4f3q(fmlLnhw$*g9nqubiL$9wh8B7Ol`Z6KJE@Aq3 ztD7^Q!TJQw%4VJjF&q+%++Q%(Pyb>S=XBS&8!At(A=~z907xDKwbB``S_!!*!$cr} zpKqo-V}6`j|KYj^A0hP;O79&}7#2=c$h}@64dMTp$zR}*cvEySt7pq0aD8f-aGGMI zFEJ$qzGPb?$$T(SA6ySyl~$wH)>mPsO#{C^r7M$;MDRJ=?UXeiIRV?PG>?TbY3M>! z_3Zt#nSWMZ=sY5TLS{0rdt+;dd9<{M!Hs9by07`ubmFPW)jso#m4O&dd9(NhN3aza zFJyJ>B??4&xs)rp{UGx)v=>{~V;>&&iQ$u}0UwWS z_(_|9Nqpy?MOzv!lr}m>&uS^F;jFSPJllfNm_i#D2$|9mLPEcKaaDzoOxhyUia0P6zw!t=X$x0Aioy($j-8xdww)kk0u?{jaMphP{EHui!1SMt{{^9fYT#Pl ztg^2^0CF6HkIgrykk7s!w~Sb^9EdoaFN4|NQXDBYqGUNk`y%q^&l@EZo2DPbm2eI4 zF!p8FHbyq+uPau0xju+Zx#klC0qrt!R|**UANHA;=xAG^@t zteJw6d<_Big?JF+&^L;^KDGQ2_h@P{YVZWnT&gXFd#-Ba3;=FV6@CQUgi>Nm$FE-!&x%P5#-xnOK zzxSz*`t(cY)MsQ?o`EX*&$AuhTX&OwC2b!V56iX_ z&mVF+8MAlrpqU_+lloi{j-ksrp?vJ;W&0HD9eUwaw;KlgIcoYzz3ksqeR#;KRiZ<1A*3blmVZ%d|K@hWOur2@GcQKv8JvjFkS zQ?3<9s&0Moj+s7_2<#3#3(qIkem`k0+iYSmq2H~4TpTbuTiD=JW$Zz8ATe=6#;z#x z%;C*H-Yx0V$G__Nz?gC50QlZ$K7&A)?uB#8T>mp8(1vOD^t}JhQJPs74mI7qTQ5(A z58WUk){1i^)6WKyYas1j2kfX9rp^quX?O5QfasN>Q2lS_^gn>)fnLHBRt7&?4$eF; z-R-!X`^6gk>r5+SzODFk^j|VVu(mS9!9_;o<*Ar5O7_x*!8hjn{g09-+vV@QuFRcZ zfN+_gA7Pp!^GuK5HsRkE{FX}mzjFn*9LI#!kngy-A5v$ypea3_@}{q9iX*Ze6#4yU$~k$Z}ijCGJzFB{``d$DY@@8bto<^lOnlJloZ zifk(*&DC7dgSMBgH48iekV*LyzIpX+GuKdniy5!P)-u?%E2^!eW)}X?)zFY43~%5% 
zHgYe`)35{Du2djHeX=z{)OdZ;w%>f`zn<><{Jd%}B&lp5+K80R7>6QomAj!n0MYs%#75ijmgTN z+1q3|WuqNMLd6r4AK2H-e?6y1fAISsRlxKn)9n5Cw<7c+nABuKi$O#;Zt$?0^yAoMDy@v>2>+u zmkg!i$xe&0wELa7ex#h7oI~m6V0-ySJ}mI*<~`lST?5*(9zk#yYI3$_q=f@1&_I~+ z+xPE=hqU{Pk+sK%owRynf`SO`l4z~Fu5)Vok0vJ}8W8oezyfc620cQM|D){m(gR}h zwTAH3;ZiT^{6bH1nf=}*990JI?l2W&C5BHy^3KXzyyxM2=N)GG5LBpBE?3nDo`6>awS9?pL+c2l!2 z?A2`ec1ur-RO@c$(_SM<%OG+6f$@Cn1$aCWF7R(OQ<4E8va2A*B>*I;;$S28s8>G1 zod3VEJJ4J37vy?sgE!U!Tx6!S<=HqcUt`_P`E>~T!ht}%@}g~Rn7Ha_!-=X=G5y=y zF2N>OqX52%G{D35Zp)t%G_4)2>aEzE# zf8@##Rcg$&L1+y{m>@JZHg;vbkz^C_gEsDhW0I0WYZ4oBxu2k(to_T@ZxO*W7k!|P zF&|b~^WU{RA|_-vj4(J1FsKbxi0G+7!q7L=x+o(W1rgY{H$2=9bgV9nh7`wY8X-sk z1o=Y%Mq+|&Y@^s0(cVigLT2?7gwPRv711ELuCwhS^>>T13Uus@STP1lQ#6gI`@8v$ zs!Z0mp;2L7U1ZB~~^w0C3=d{l6_Y&DAPxQ^2HheBbii_$ioBeruKL z<|VWN^c;sZ#@#RxSp&csfjpk_qMN#op8}q3$5#f zp~Pc0ZoC%U#r`9>MkeaOIuCnX=N2S(ww+#*HQ75~khL}cxwvj5-440epZ~p^lUZeJ zvRkJgygpACxjScuSE;v~|9H=_m|#MT-Zgor_F|$5pNQ?>-Vu64&K)d~1MO@&M}Y2n zvS-O=yMoB8bLLr_Qo3h7kN%LA-Tj=3{SE&4qkS|d2?t&`iekx1j?uP(ZrN7A}T09UnEG)d5KWo3Zgw99X zQ4E{l7sJ>~86WSC>${}Oh(jK*EPbZf<6sio8`q%&iJJU2sZv1RD{Y(ZsN~#i>t$0Kb`Lh;(T8U)t8VMTrc-{gy5!zrE8<_$yT$Tq? 
zKT5utSXR>JpC)ze1ndTF(7%oGu4M>QfgjqV-0sv7vnd3u2d1oCell2Pl_xwG&!dze zV|uhdz@F)c)Q?@S((>VGKhWjTq;u+m;*XAxIL#)XLU^6=@Vpy7oN*iV$u;oZs@_za zq5vI-D%QH+x_J+#Xq3A(jb26(3kId@cp7b<>zNaV*DHKf{>WB7PnIe#5DX0s-QX@~ z(fm<6nzyd9IrBlF9@JLmAe6>sSg@Fle{>ZCkes&1Ikq22&kinI|_`V0=7o142B#K&zg zI^Rse$%%7bwHfd+cj@3mhOXI66()_M8{sN5LpVtz=}Q8b$9YNMWQ{3l`sKVC6%EbO zM2b!OckAY->`prATCM`uo}ZeT=fm_8YgFjPyq@Y-s3J?<@ ziSn4aYh#?fs@>XO-1}m9a3GSee7+^1w?B2s@?41PMKC&X8`1tCB@7;ek(Ge}%Nx^b zlt!_emeeN*8Moi4H!u7Kb5C>7;4wTjN;sq$a9a8G{{d+UMiH7AVmlGE^ zemXTXM{-Iu)(+HQekcb*(1^} zUSFN=eF+J9K}AKSe=-?kW~cM{^?JIH^DE+M=dQwPhJ)>{`Ga@edy_w08KOvdgUA(M zcGmAVN9Lu!jvCEdj){v4@E1#eH>#Cl2+OyhtoJOFTiDz6LbuTK#`O@sperrZK{=jF z4+m;gQys1Dj8F{2I`of@zYgc!=ZF9q1(`xCl_cs^vr}=sh{OJ&rdU;fBdPl@to<{& zTD^Re1_>IH1Xx&~MoeUSx0CbxurRh$;`Ooyc6ZAi23$98TPT5wcm~a?1_YuB>kcBv zxsHIut{nFqeku*D-wg`8^*xqW8X7!NB!cwQBs0Dk=gu2J8NSz;@}-T0CiDMYu00KF7#m7v=0!JnEp$s?SDC& z`m67K3Ik-k+7ti(08QP&vBw^Y3%jp(T6>ERdw>~f{g9g@Z8o$fp zpS%o)Uk`Nzg@@S|tJ~Qz=6g4$dD;pD#Ke(OSAvX1-+<8Rf%opvHtSuWz1d9Wo5JyY znzHchCHl8-am!$7QM6YtI}kHiV)ESYYLR{(6*3I3taTBb!|tQg)BS;7b%wz2K9HE>GH3s|XjRYrSUyqK@nD)93OoI$gl!tnoJCC}guFkrAukYH$ z&V?grpPzOMrtuRbB_wbGc^)(uNW2&GGuz0^09ILYhler*oVFm~I!kzzTR{}%NKnQH zMWtz)UAG|~zVGdJ)So!B zo<2U=pQP+BWM%ko>QQBg@(ivq1ovfVlO2Hp-hyiCtDkj1dg)4ise zd1&N{VfMrP;dbNW z>Wi(xbw;CQDZkFM?kYWGRlozD*Kf7G<*jQuxhU8_3SnIAEDxc(Eo z8H&UA_14s^pyh8X2EgX>)HYG3V~qkkCjY@aT&-e%f^bcbuSDhjUvTZNO_9)g;_LLp zaM_T}`3z^q)m1%?4kRjC^cy_z6&EBX^)g0Q|9kTZGKu$%LBr7zV{L|EOiK9(k0dNnTf3$)0d*6j8w@WU!Mre6~C0V(OQ7r*Bp zk?sE-U`|D`TJ~pXv27f-(z$|oQv-Xa3P~K7u1}Te3lExYP-JkUe`&$+|LM<$HJ;%4{K5K7a z?k1($T+of>^Ofo5BT`^!ox1hPsqfVkPLQC?l6mUC#@~Iwr-GQgLmQPBH%XX8mu+F| zKKvtS1^{QUIs`uZNj^FP7 ze!@NXoOAD$LEEG*@Phw!Q{h)AmXrENDE{yYBhTuYqUf1;U4^<17MhI0Nxf8jQScV}Qvf5Q9d^bPSZLbd(-~uFAAH8+vXlg( z+q+UAU_UcTpiv7lj60!)ZN;F(7kH$=?^2y3tP(G_QOs!j ze5f#HM}#va|C z!MGQX8S)#lq02KpXI1kbY|WnC3W*xv$I<)m_?k`yyIah?k=85h! 
z!%I;-7&W!CRIg$W_p$RVPUb;Vi}6OLEGX$_Ai8*Q&LYAc5n>h{t)tu+c20FyRg*Uc zd9LD~x6yZUAC}wrrI^18Dxq z(qL6Ui-5_sH^DfZdYqP|=EQgVfo5X?nhi;(%b|UY{=*m-7efxA-BZ2A-8+_YEs9Bg zpEkq7!a|`f#r?PB0fW=84{aCvU)NK+XecWteEg^_T4M8ge&QjsRyide9$s#7D$I=h z{4>(_ooosTmE*GLQz|ktPndhBQxf{)^~yA_c#?E4MDdcv;?wGdCbhGjN$oHqZ6M!8 zSb~y=Cao~DY*VdtwUNng%$p%Q-bC|^diDvJdCTLt%?`5>J#HwajwFPe+*#{LK!duO znJ4+re<*L>8vCwgo~{3ox7>Ef9{1_fr!&J9!XF}eUg9Uo#6uGhivj2r6L@r}oN@7* z%bM?P!8I$Zbw+l3PTBnAdhM-a$2*DJ@am%K{$7i~dB3tV*3=(dn=(x&&83Zr>|o~} zz5GC|qZ|{oHE8d@|B14qbA1$Vw29>YWfBo%=#?_l9*_I!d)AW0ep^@aOA2v+-SwIF+yi(~bRUiO z7E4%vWVx(944VHgqili4Ltn>b+-tkabail+-*#b`qVuwfmVMFa=FsL+rc;J= zwHfQJfEA?Mu*&LeJWtMZ781h6pu^I{X}hi`8`<^GK0Xl%HF$7M{WdMy;%=aADX%CZ zigs7Uo&C*S6@IeuQ)MtBZug<0;XN@i5k=(<7A1Vk-K~1tVJC*I z?<6r#+M)#QMml9UbVu)4E%cMJsDBE2{z|O*vzE zKCdnAVc@mgixMZ2ptIumxW6#!+XLoX=}Kv+^coVEH_l=O-PA7oSH378o*l7V3ZuXM z(zGW%%=ied*0B%IGDV?>F*MZ08E`o|*oL;J^sXdMH=leHiONH^K>27b8MFW*cofPm zT9pRP(j|k%v@oA|bNJA|DI9j@7dlv1KuGt@7m_^1?WY z(}15|QzM4BPQO`AVoJlTkoY#e61Ec&vMq|`r2@2!GMj3q2x3x^#>|9nLDOFE_nv!z z#9%?41_xdjx*#_zQ-?yd}!@@BuV-gGG(GU6r1%j?oW zGr9j6i;cWS6i>GtrpLNoe(&;(kzyd8J!l`-%;)~7YIglvio0U-p|*@)ha2^0%6oCu zn8}W2QT=)XNlAtkW_S0)Lr>Wym)?SM>2BJ8z^DIUm*-|+&_VGYJbBK7Mj>CK_SKvC zzwlr5|LXGY5lioQpIq?dJN`^D_$|$I%%;_CdIB=xIA7bASAoP8y@qoNR?yhFMi3db?bWX5QH{R?FqGz3^}vo_mm zlKaS>c3c%<`_=AnODo3aIn6Cn)lX-h^mXWcFU~5Vk~sy%J6;m4&(YcCKkGY*kqFw< z-?B^4whcS_bM+J+b`QIpe0}<)Qrgs$bIo5XST0k>JOolWajfe#4!m6UddtI9X3sO} zt*eLP=J0{bcVi^UV#EnY77EW=o7_A+V~xxv)W>ZpNL`@Hw@7iMnL>Nw!AQ4CUIixhG%irK1fMvwS8pFZT^0cOf*<(lV2L-nWQxu$?CAFF39G`P+^q z_dqyP07;WYN=T`2yOGC0oDgZ!Wf19otEgR`h$4O}sbH`3%1e)OkJl zxU{jxU8m+S0d=`TPg}WN;jMU`W!Z~L!7Z%GBL$jfdCN;^CS7gfn-6|38d(DYEOraF zAot8rWyipiQ+ZZD>kms6M+%2sb*gi<#0hD}TQ58~Ts>#VQ?So}-pD13tJ%mL_kG1~ z(8BXn{{i6#^H+n8h@uNj7WRvx`}vjVaO?#5Hh7hbY3uwQzmF5{?3hQ&3XJLx**JG- zO*^iwPySr7ojKt+=UBGNXj6{UNSZSg#i#-Wlebp>3mzmvhIRV)^vJ8Xbvys=1rT{A zUtq&xwo3P{yljoGEWKt$5ixFsxf#vkohZRL=W?a$m28{&J<}?0*)1i6->`IF^P1f? 
zbG@Nxd7@VCHY`WML!)ljC_yQ$8edk+TTZl9%$+2^l)R;AFsBii+K6D6${(j|X|5|u zdI0LLr~SssTZYA&+*=sbqIrMAfvK@?=MF~3w{EhN`46HQNZzxX9O6{Rhi$9so%i*- zIS_SrgOSMVCo9P1j^clM`QUMH8xw&UAg~8@8J9LCH{o4GkPPX!%Skq`^)U7EVhq+9 z$;f=$1x;@DM=adDPUN+H71opL7oO8$|1;M_mXdUnHK-)KA*wG#UOq@=W;umx_z>Hw zntAX5A)3Fhgt&4dGxdV!a|hPNH%k1&!@2|Mt+}tZ9EEXUJ$#R&?=8a5g}Q%fCYB0K zIJO!mi^PzAJFB^HDvuH#d_^SEDB;`mB45YzlZgfu5u%h_xZHPfT)BmYUsY^Ih$&x? zy?y&)+q%BBa*W=<_h|;WD?`zS4;G6j_ps-aepSuJfgK5IX-u`Bn%sm-e?!kj(G|Z} z3uDlX`J0b-YWm9Q+i}tbJOVFNZr4~)?&zS#Epfa0KW&|la>*y&YF&*#caqozR4amC zb(#NaQK0x-Bu^S*Q-?0V|E!#;_WK5-A$k~GaDL=TvdA)%*?N~fLT7T$3^&i>ZbsnB zLq>(FwM#^9TGyX7(+~x}glCsC9A8EMwcwx#68pH#MK*YP8R_J_W9*68wBl4S7QblA zS5%@Q`mPBt-4xxb;os^g|0ysQ7}Uc;8egYlm{h>Fs(&i_3TnoL&PpY;9{*5@Ow9k= z8$v$+v>SlhT-$x_+we`G6$_+i|MT+Wi{Q};rG5p(^0U*EG!wuJvF+i_gB zDH=M-_4IikhYpHm(5U1ghjh0lK&Q;eNM=~~(*I5)0k&zSM^OG4O=|XA%M~psDfol&_h9PomLrsi$6#)%xPDU_tcRx@ zfA=Qoq4hS6bZ3}FQ73F(nI{YTnvA0|JgxG89Te51vg49!XjW6`4C=cq#tm%-Y`Y2r z2Gi8GTHr(ni>+bK#_RL+^z_&|Iy%4?g}6iuI`qV=W~de187_BfkG+dq_yjHMeV|p|Ic>v&sy#N~gH0W2=S*OI{q(z+McgLfd=s z@|tJGpFO)?=|lEx$1Oe=pjyJUz6?jwlW=BrRvoB zkS43<#Em+aJ!f=PgXsfTrnD38!Y850#X5=hs+{v!ziKFnr~g>3lCcM`YP&ZY?&QZ} zJ*&9l<7yapR5ls_&wOu{MnR2;FSRfg47$G$!%|>Gq(3lKw4llPOI~J|+-HjEzHB@2 z654yxT)+OX-+6a7iJaGhF0**<23|f135h=a_m%N_Vp7uAPr>o2Q|+-@G1r}@2dy4g zD{L0}c{h|2BuIB6XV?S z+m}3(wZq4qDd5(+mchc0tbKEQE+7t-1hGqM^7A7u(1qT5@{LBryp|LwtO~2qy`>8O ztct^nOQmam>Y+-x`VSES^nTFwc+8X9x$SOLOWRgf}7-t(vdze zKI9uGMj~{HuEZ^zJo)-PV zj5YmNyOow(^IrJmzw#H^nC)U>2tntsHFG9WXJjOtV0xTBNeIws27NbyTdNNYR3Cz`3SQ zlmh{pKJ_4^W@YlEtcQl{%fJPW?(eL5y?q^r$Bspt=1cUq3&TnqsB~ z#c48DF@Gw-<=Ld@xVxSNs=4~!fzVV2bJsGv`74@>6#cKdrcjiS2ZxtuEZcjB5FeQBIo(ItB*G6ZAI&4Q zl&Ui0jW-vVRcUnIxJvkq!+jCh|P8+w10Z8jtEoA(Y=TG zdY+7oAuS*4jL~qp;Njt(X(zw9BOBkfZ2O!CKAR^4u5s5NBXaV=XE&F|n8Px*q=fkpm36+C zRzO^}i|{{T8fPK(x=zv8EtQ57@vP%V3zP}EL@obB;Hkb|^98UrKmaDPn(PrrslRIY3t_Ppc_ z?V-uQ=bZFXlJ5I)?{G)@NJVZbP%WS2Z4n8OS} zTBG>_)-$+-+5XbvJT(D!oL^xKjztr-4Y|}Ij5Tsf@*uc;Bjl2gU`~yNK#sm_C6nB1 
z`pu6ddqQ|T>n+^F4GG?uJl=v?HLG`Img}L4!4-kI@0H+#DduhIBjnhpyEtNa+PHKq3^gH&-qi#UhS+^jh#)4)3nr`=*_6f{r4)@e}b zRx|uDr@SZK7y1jT2W^LaQFwU0}4b3pcusu(zkyQSrxH7fZtNqG3_<*PUH zYRZ-TQd8yP@7uczFKYLIY^8rIsMk}H`N$GxCL5yCI2;c)zO(9}PAF#fXK574D|>sN z9jTQU!3Yw=?u8)@6A?9!RRHGovKjZJBS^k^8wB1TiRk5$WNtt2sVc#UV!-#+P(pf3 zE!19HNs^AN(sDVNoUo`$7um;8x0QzFi$3o0_J4K+`xhn)+#gm<43iAlH8>k5aS6o2 zI1MJK)W4wDw6I3xX*L&ANq+g!KBGG>QY-|;tHM#nbxUuiZ`Dd0owtR*YIh+pMu zf9DVax%CkegvinqAu@O=K#u;U=izq>(zWSK#{Ye2_IpsrS>D{t5;oj|Y;8Q=UkE*@ zgw?(u#zyMRe2d*4aU=YeAW7!9w@_%2mEw1qe^>wW?Cfl^V#<4Pyu#SXf@t(q3%i+E z&k09GKafPpWCSC7H#!FPJLzgG5MuSOv8_Pv@1`D-Me>%j!vwcLaww-*6|3W z*EopO+iPvYlQ`>RcC!f~**5tnPOM#d>ht4i2lD4YhV+a?Qwl%^z}WxYK|`U zklnbiWR%NLsXa;K0Q%r{t_L#6#K9~Lp-XFIT8=NdhaDB}Kpfws;p0>LS>#8_`wFc> z!iNC+?N%GG|BPdCw$3e@YNEfs%*g4aMkdAfzwGSV6) z$Q1kN&K*pE4jzE=DE)P$YH4#W=BkJ#ohQ>{4=wft4+WS z2nwC0p|Z~hn?E@88;Arpd-Zsnc5nKSGF|)eJxxXCRg@bp;n?=dI1y2bR)w=_9?}mcR)+s(Op=0p8S9nP?s~w{lm{X%;M*#IIt%8w1(22*>lsp8YxZI6OVG5VJ3@4g zYjsux9pvfJZ2JEap$y`)*Bl*& z58C?!<_KXgZ|?vR7^lktP~a1$<8v4+4KeMNYAYj6uZ-}4JG?LjWp%t0N+mYW@#2lT zk^{IjFv{RA$H~cG0eS;fX;|%Xc6E;-+K~jta|blh-s@Hlye371+GkPC7E$)YdqRgI z8gg7~A-RqB?OJM*&EmjyjPT@lFMxicudxIZYADA^7z6XlRWVM+ycHOzlHe>Dlq(+& z6hw(}UfR~+t2zA6v6Dqbu=rh^KYDR8+2*9rBxKT`{S@4EO; zitrY;MRoe_#?Ntx7S-J~tu`y4u>Wlh$$XQ=RrUx8Wi&;KB%b?7U;3;c~FSYZLe4DGZ3Vpomh9W7tHg zmDprp$znP?ZT1=F#z|6s*RVWWzP~Do$e?f4{A{MPvjany*zH&K@yfB%)rzfB_V)wC zsYHR)GN2DTi9A@Tr+(6xn}DVLygxsn`$<*n;FZ+R?#}`IYu+Y?zFr=@sQdWe7-tI%>a*=I9Me5Wrg518enf;UZX)cSz$OjdsC-_J>sLmHo{k z9c3U+bHFA>8QKljFT8hRlYu8>F*heX5tsv~KGUIQH0>vY?X{I5l+(R?@iU_kJ;VLX z#hVYRm~-+?;es#$5U5HLERTuleOKg$9LBX)`jOz??8gyI+|4Aev#-e>S7sCr-4GVG znGYRsGlI0HL;7tyMjn>PxnN|`Rx=6vVz_B}z&L3zGVXoz;FXbZRpj)T#Cs3$dg*R>QZ}8bEmv&{VGG$4@s_wQCpbX>zKl1GnMVgpE}sDvL600c z7JAfND-2jvr`+drwQ^^nuQzRDSIdvc(kvD9FUE>BZP z@^d%D%tgEUwwFgOvN$-F_M6UFUSeQiXfoo?>1xl}`d;w;F%who#oNZAok4_z2RlsJ zi$#!uI^O+L{ppWN>p5g!M+Qb%P;ZHZB98Z@HD;?!zT|}G-Q2c0rkK|v% ziesZx6?0QjO~=VG&byK&o^ETgn7Uu%RLdD}hm(aDznOdiE&X!Hf?E~dNU+Q0TuaT| 
zcOpXWsGC2F@&_%2?QhzLAU`|yz$#Yy;TsQpCe~%k%Fn-9G%r{BQdaTa&KMD?x-Qp# zM}p*D+@9p-!_Z0FuPpX=;2tadQ>^&!_ZV90IF$zq%SI89fltLl!z!vZe)j_Wr2{$; zbY$oJPbf@?!7MIjHx)(DMR3KWXIs%~<34C>|MQ{YeUqw(G`@)%I24bh6g)9plU*? z%^?L`u7ReAn=d}|Ma!wX6kKgy4e96+f`ao8F8}kA%VVgRJ?;4TkVKBwu z#8>Zw@PfCpvJ%Q`nTRC?W7mR?@Rsw@3_uv?y>fe5kyKnNyA!wslp=s7vY`-X9|#J2 zNMh7aMMcEGs5bOrsmih)GKuqu5S&ijn4?h^Uy)DaKQbQq23V zzNw1D?@0LWFuo+}SQFmza9?k39T;quF1L?z+W*?hyEU*B5$Q5DXt@L<&=7uG1C~&F zW55j%t;}<>DWtl)n-u1N)q_KN1wb|U*+`Qi-&mJ}fp`F;aeow=)&nSm;DR>7-rXg& zsk(3VK1HB6EJ0psdIK11He0k>xqAcM9sk8K3mp~*?y0v4q8m7aUn{9?9-Iz#O~P3Vz$g8sH7-TuHPa>}y)70c@i` z+w9}-FPfO5 zf2zn?JIo+F_G{W7N=iTs$CSs*zE)f)76GU-sEP`vU5bi|GRnna>FVmzX`lN94BWeM zJjTRT0LCeaYY>z>Linqgt=T0vLcTagwX2}pf4?{`;q6d|akQXkUIPmp2Uy@(v7v%M zW2fO~`>D@)pcPT_Sv{yq1*S=ohE5wb6Jhi%=H+~q5lEXF7Z{6kuwo=|?tw^G4aX!5 z2Z<*IAMFJym>y707Dwp-VB=t{oyA+&<&u}EsiSYQGttnTxGL@!bUj5ihZa&?4*+kR zohw+6Ak@5HXYm6)OYK!kxznER?)q#fyACFBGoJ7dMgXA)jm)EC^JPR;l2;O(61%A| z!;zmq)AG-Nz~4BV-wLNO!H-??a$nbQwB#8gzQ7*RY& zKxtfeQ3;0SQ{y;igO1-8#KP{!1m(^l@> zxsz=%DN$2b*C_Q9dw@h+(#p`=UbECr4wH!^v3KUNRjl_xSyNLWb!?EjE(CoYFG;%1nWEm_3v36rq9AVlSeY<;47YX!x9yFq zU{6ZAh7M2VjcCd+>Xy|VPP(h}R0le*| zOTXUsVOSg2t`U0PMb`00zj!8|0-advCKL}^-se2wR09u=(Y=fX|4WtX{1wV!mt)fo z9|1G=y;TAQmtyWiG>FSWyTa0cxx%ief-CI&(`y!Qj2X_#`8l#g|)a02{` zg1q;j&6OL2*yn~wtvEBa_O|>3bQJoQcKptU`sL80DCBvireWrm)pZVQk$F1~>lfq$ zn()fjL%>1hypXOBJ`grAk<4kM%FpOOubrmo_UWJ|ZFqcqrWG8~%??mF-NVcjZ?44y z<9xg-vM&de!OP)-1J8M8NDn%rQy%bj{D5b#W>bN=lRO!(?5LgZ&jWueh0e2K_T*yH7;kOjd{Uy9xlh|fZgGFt!D zq`S~22%0IGK9c_Zdxub@DtGlCekKbjSbG)>9-6r}x_|lke-f1*1>lrmL-92CQx>=; zo8CVy82G4~w5tFf8ZCY%1gu=swZHuK|8ma!$P|)1zYN00l61Ka-1R?KJ%Iq8B+{eo z7$uj%2%~f6e|3JSHH3j-uycRgJdpAz2cebK2I$VNxnT&;sjyK7Wwj#&CRM=#1fyqg z3BtRDlPw1`xavA$UYwNF1D-sk#~=Lk8ZOAxkmeoxyazGf)#Fw%&sMU8<3 ziC~I;VF)s@4DVlJAC((Pvk~CPV5Ltac<``Z(u|#m9Ljl9b+4&F4#WeCc`dZJAgBQ}fnay;=phbwZVX zOpApYlpw2Kp)I&tli&|m{pAl=P=w1Z=Vmha!&Sk8o4OHSVSJv)g(_JITY+#&JmoB$DCdjliq4#>_iASHMKP6@Z5T}>R&_9RMrr=08miA 
zxWG9DEBG7w#LH7;l5mlKIigKNhjj{HVs{wFALvItm`sfZ^5BRYnV$9}6xu%Fd+}Cd z#~S>dIaK(d$>y-AH6Ralz(d&KU*@M*@2B%EM%2s8%N6Dyf8aJH;2>M6P@;m$sCt<9 zY_>91YdjtCq8aj$kx1L2F8~Pxgk79J7Z;C#EGo|3E@jwrS5Nb)MF5z@F()XdliE<*ybkRD)2MyIAcAaB%zTyh&|Q4Y`} z@k}zcDp+GxKy8D;^{Z#5@hirhU<@~216tfZDkR^6EDmj%h+%Oe3(dv@1}lFBWJou zn((6?S0AF8{|AE!bd{~ZCydU{dV}nNu%W>-%hUf#V%(dJ!EHKJbC*!i9XJtm5=hZ1 zXgwDsAkN%$&NbP%FITm~xs1}ZG3fed>z@}c-hAR(adgPvLQ)kPN{-iwPN;UGyjIXc zTim@joCTz2i*Q;T2ab0RErCeiGU}=X#qHzpgh@WgO_pxpu+h;{%{lcg@hS)D30ZI&UL{kyrGi$7R)Gd+FxGT9UW{LgdnuFwP6n0 zgxCr0m0`5gj@x9wb$PboYGF*;)#)c$IY5;qq+9O5g%-m0r&uWQf!p9KXwMX$kFqkp z7TR58X^5AI<$h7f@v}RR?$=SslJyysjY2oTyrK*I`0~a^?bkpC4!dRTzAN;HwwzCh z2gR6FGHW2$;fnYHnvlD@dxKMo7{hnS33pf`clQw<5wK*Vf4BZi>0udPCJt!7QBgI zkx-Xx=H2-WxfFgn$)M3!&l%Qp?G#NJmS9KMpt)$7a~GS#xn)|Jint`_E6@_o zjw!|$0xAKw{HgEzhQVeLViD9hI z#Cyu#1`fK{qg|zRy`x+?#wan~*T|QyPx~a;p_z=U{sOezabzPBB24W8^eBuvNEgeJ z>ijM&u20~cPCbruL#+4vFMSE)f?|jHW2Yu zg2>e?nK2^7xKTXsVQR>m(7c&D=awIx;Nw8KTD`_6l~7Q>lLYQynK~9-g43r1n}}cE zzVk!>s7ed23_8biO=s?%(M?HIm1Z32pN@9%1A;3a3}N8r@nde6x<(V<5I#eBi9^@@ z?oY@%D+d10yla>9T>&Xnxk0Q^q;dEKzgH-rua@dXMVCB%<_~Yd!<$N)And^SZuk2c zY}M73m4HY&Oabr3=m|esjAW1ve5*YPn=$n8 z-ZkKafbMLx7Z;a$`}J$i2eLKS>xj)y$82;+vVCpo$95zUR|YEz1IM(!>$Tz>F)~yy zF7v^a6H%_ubg5ZmQ^;jbh^~;l_~>Dv`*pl4MInGqOK6A0+0@S~C2UzBRSB0*7@;ycS=sbz+PhrNtrsW96O07t)dr!Su zCTfK=X1Nm!4b3o-c*#=>3(wnhW`0ORl<#|}%3uk?51Y<$!aB$1_MZ|zNcwl%`!(>N zEZSXZZrrHxX3gU?Xl#%gy=>o0iu5k>Qdt^$$VSx&xt2U@iUJ=xkAi9-G=X=(^{1G{ z_iM^-IK5uGe*P5a-EJSXAJJ1~UVtezPZizb_q9%-D4yyOcq9N`6Ys$B%5Q*myruqL zMn4@E1iXBabfn=F!5bK#s3RZ#f(GEhEbyVYd5SI+e@?U|SbS)ufH^4gx^u2KZA(A8 z5hxV;7Veee+`Oo}#la)8c>UdQr^>t|p}YGDQPGD-{Krr#>R(d!{|!o6eT(h*7-vH^ zwe_8#*Xaxa(6r~*SW+mEfNhGnFL(L@_ut>ebCVsuJTz_u9GHf#Ci?lSn#d;=47orh zTvEOG1|-`8=k+ACo%uQ6N_skJHa1dD`~a5tUlZe$L(b6uz^Z^PDv>&)CBb#bk4#-# z`AT#Z+&V*s5}GS)!TW45oYy1K{LnlY~U8n0-AT&!o1O zCCI>)YxUxm3^1m7ich8goFe%nt+@FLac`BZcJDb-dw(j2$LT=P$7T|It|cb0_4l8JuqJP*3Vnmi+G7UJJ6v=usGeCs&T@%1J1U^CudqeQ>InGX;C>r{G+PKhH 
z+l_Z+zsR=jw_pbc%BKRsc|qzvnA?C$(n8`-VC5mLLOriM+cUTkmG*`y(RTa1spA&D zjxrT1o4PjY@yrL$NvSYCoeOCqP^^)V1@IGoj1qdv;>K~aLe6_i=a3Y@|D9#_y$1=W zn(%JZo!_B7<}0^=bIrRk3*zJjE56K=5&g~tLmD9mQk?v7Jbgb^GCyO|8SW!S_NizY zu1Lf6q3}OkA34NG?}Oa?F2e3$*_*wsbdvJcz2h0ZtcE(qod5Q_*s#_3*czGS&O3Ie)XEY;~&hXa( z6)tWb*#P-+xjwp#^Pi_Y_(oD`QDYeu~-L+IqZ&3+|4+ zh+GgVIk{%jT4ksif+SzHd4x5!5aH{4SOTJ){{-vY1A_X@>e{DF_a~-$k9T8~(T_8}xo9n{gBNE8O=k&R>9bxPu=H zKI*kxX1mCj2e%$Q!*oeS#h1CeT6*SN!4x{m^OxW5?K~gQ`b_dTGkOz8koFp;jMHIq z{%K~b3M+;aeTnfuzvaq5qbzbH4=nVn4iW5W*uvro-)$1JFLyJ=w(G?J@51o;? zG-S-YU%J0CVd&dlbl*1O^DZ0f5TAeRt*9@Zw*sl?Tn=pm-R-;|h&am#pRw1+YQ$C) zS;{IIt?-h3Lb=UYSMVVsaj{%D_ri2l+erDV$>s5!vmj*bE2c&&8ih_`R<^W|9_|Pd zuUgzKIN2Wll$6JMhVnMcu2S9f;;4tpkV{>D&IcB_-Qks3n?UGQliQ8Q?E5t&z^4sb z1OVyyTadg4S{~!UL+qQC>11=I?iFm8D~C=yba?e-su|wIGxk_Wa;fdF-YPy>^DvI< z=Svd8v8IX(`b26?oYfPp>H6d2I^yky_iXn$&DgNE?T=hUmsgepOvUT&$Ay~W^`$5^ z7utEOh>`Uq@gw8%kDQVbxfkYwoXO8N-VV@2U_Lg$%`4~4K65&1M}k%B{Is`$ziyvS zll@ut?EvB#*@LGV#nu>YtP8GEY)3v^+|qjcQ-v!JLu!{d)@w(P2*x6*J;uYMhV|O| zA`v!7dfYO&B2{hel%ifD5Tf5tGqAnV={KMW(5MkpyfklTvZ-W|TvLWT?R- zhvUfjJIT(*h0VEltGXEmel!`SiIxHY^`bk(5{XD3h|93CIw5{G&-@*9`g1pG91)T`38WS)yE8lM-MEhVb2 z^3y+^mpMdG4N)MW#D$ew0#kv_nN0^ZGj(HBMWUSHux#wLuf@)o%3irhyQ1vEi-}v! 
zOP|gsWqFbyCzo^hx0dLQHH%K0bF9o<9tflEFg|ZL9{+rG(A~Y}QCq5J5&7d6seHHc zvoYhC&{9ym{!ZM?x|-zaHsyt`KcpbfGdeGkHatX24(Sm_HCL9_fV@Zk1H(N=hO*8# zgTo!k$d|XNxy>~>zerf-8ScZ)00}t1?&NaYyJi$J3uY z%w;9bvJt{Rw+Izb6hm+EL&9s{jL!sDpE@)@j}op>u1d?&>UFIWx;NqQ_2|N7BSX`O zx)K(K#J5|+8E+V;RA^1Dk*_^4$4JRT*BeLQ5k0GA9Vm8IkJ_nu<14okYrz|~a!`Ul z&$~)}+k~(-_>!&sP2vZ(U2isIQ@z-%bCWUOyiy)-U3kJCl6I@>a z1&4(}p>itgyh_?24c(X&=d!t&wuG2L8tZ(#!7W)A_w`9jD+FBtr$fF41vW_UNk=Ct zDjNO>s`9KWkJUTH7ny<`yI2&cyM4OZOPkq=y-DKA4i4Dg8n3W^P#5WX{g8ROmsy zqT|}wHOkN1WXS#7h~3t?>}JlpzSLO>r+a8dUop{|h$X5{tZg7wQ1=fyqBj?^7_#l# z`htYX*4L^WoG#6--{<0DTCOiH>#bOLAmJrb`VEWpS@12(hD0Ano$m}l`V2|t${(asHiwT z--SXzJ&mlUR2C!+eFoQ2ummMJRSassn*Rf!Je49lRkY$i(o)gN9~i*b%Ac~*%x(p!vU`Vr~WH( z%J8tiKq{MXLPz-qeP38YYP#`O^_z-?54?fcIw&p!rY$|CvgT!o+Q;DVTzLDa!WqO5 z;p*X^L7D!kwW&>78+PS5N@9m`_et-ncLKU2K=!3N zNl&lYUt@T^Ekr8&OV8~0>6rB;bBU}Pyru9jq8O(FO`2ey@oR)`m`*SNe*2t8PB%mn zp;jeZnr#w7IyCII(p<23KnI4s-0cL*q3k8vD%1K0(L#?GXB4yY<&UhUc(5}ce}1`~ zt?qTI!i~Rhk%slQP|L`m$EPX7`{I0PG-?%eRw~(*{+Bj)PvJ+U)}Z$?6m!S zjHU_Likoqu&{p*#j5|A4;$rN>VsSz@G!}+Vok@0;EMzr`(!YMx!DGL`6GCC6+|0)y z5nAws_)vXE@OIaX*Nojt$qNBc{$yia)6!1g=wbD&cQDg)x%%RlVvLqe^*-i4mBcny zIqv+jnVRE<4MAK?>0cFVnKhi{i`vQo`}fSXURvBfZ8KH(RKvIQ{TDwd@?cI-pm-1( zoSI2c@Pev@`?8p#em^x{gRy+njzEM_Ci3iU+Ar8Swr-Z#vXvW)(xb?;q2>lDBF+_# zjIuR^uO-flwCBE-OTEKkmv^bjtoFE(H!Ce)4CV#7<1ckS0kX%o=9O*7NZPRGSbRp&KXv@&c3fq@K z+j`@A9A;8%`RQF32B}|&7UU-`hmbZ)5J-z;EL_^8T~$`}u+!AgSnhDp9GPu#a(zq3 zwZSI&JwyIX*$-vzF+UjJc%9VC`)y6Xiq^dnMBd24QZ$l)_e=UgQ^-}J8~E0{>*kF` zhGhADOAN5OMeoPmA7%csP)I*>?R(qdrBTaK zLw4&QV(2^hh46qdHuAaf0h7=m$7#zFW{>c+OCA}Qyf(W_Vw5I7J=L{Yx4+x7Sshwm zH|kRFQnP5u&z`dIh+^1Nz5Xh(H+lPhR3f#>C4UwM=R0l1SrdrR;D~gWt*E*qWq`HD z{q$z@t(=?0l(&D9)zr~HU@*yK4PCjR*bi&)s6X!C<3ED&>xk}&hX7c-VwK#4B^0@ z3UYyk?ZeLAaucmaHmY3yrp>mu*{4odxLub#64STR@Nx4@yCB|nyL+AYBRE!EF-HyC zbS;W3M09C2G&B`rdV(w_iLA#xB1RQDldfuwR`tRtL)FlI^#X#+%T>0+2oa3EVVTrp zjs(TbFWp!J$w`8Q^jyy-;%<02&-0$saAE54(*I7COc{90R^2`c`|W8z+qurlbe*3# 
zG0(fDpCD2S1PqpT215^j;%<-iDLqAwHmo@de8QMEjk+8C;-IsJh|2opfl8Sx##zsp zodXv0{W*?D{UmP@krza)3=vfSfIJ;$5kihs73uwMUds=%`I!vAD4Xo4M6ECN{rpTt z>^2k1vr-ymF|lS*Kk?FkV&2P876XcyD(o#I`aiK4pfHV!ii@rY-JUfh5m=iRZ(jKE zbg0ls1r_>n4uB0>5Y5@fec#Cy30Gu_{GHHXhmEgqDmWH?&#hBUg%s<>U8dwk;Ld{I z%GG=^_mgnH($5IYyhFZ<(_AilL~n|-9&nu&kJ@S_G>x?_JIoDa-r;c=zj@zD7;7QT zx-PHa1uZ0LSuT4dchsa%kp|=3{sltK9oyy&XNvKY3oJV^tS)Y236u@qdeP{Rlu$k_ zA-qS6y>=y8#;ueA-|!JOr`$;0Y-gx^dFgy>hlS!&7hYQyB7RaaNkDw#0E{OJC=9nm z%&im7x^Z=BdQ?Qd>`YtlAHk35=hxNm=BD=Z3e%g2!c=xgEScin*A}r~Pwtk)XDW_! zKD1S6HiZ41HmgzU`)NBe_xM((_Z8$e zk%NAK4?~K0?VeH(9q8~R7Dm6Ryt8E(#%6;Y4D?`cO7yq>5U4P08q6~4*=T@27Jw@m zYxdG{H?reBzN#Wd#vnp@sWBI~SzeR#?|5i96)Ky7^)E$V;=bZNw70KZ@JE@x6qOo! z1>Drof%*SM*;$8GxpnOxkfl;eBaJB1-HoJxbV-+hN_UrZ2uOEIND3(39Saai>5!D} z=FA1|c;D;$u5->`+r6(Xi}gHnjydKS_xRn2!Ap!`;9sMMY}%ZaDrJOvd(7o)mHD}s zy;S(EPxhW8O+<$Gh!xC7^@sd;Aro&e_n`iJOq!0DE=d`3o|ic?)N&Lx*W;8zI;-w` z44~&}_U)L_MBx3YWTo8Z4(!)|30{pdgkXvY1VjjYb2Aeb)Sy3E30^Z6pJxTN4+B(L zxc8cgo&Tz{=PrK zYTztt3v}ooeAPp6De7I0WnFgV!Lbl)Be}-(kSapOF?OTpY+LXIo7%t`N4fRSPIE)D zdH?K>0FnZ1vwxcFDzk2RVc}QMY_FRlI5dU}MHC42YifGlX(VP8K-+S*7dpNy7bqLF-RZ`>Ct;8%EkdUZ<=v9(|Hr}%$3Sul{b(SJoW@=Cv zT;{P4PT=JL!h+8AzQMvQp)*|$D6Ojzg^B#(<)@o0)-Yv&z+~YTX_1hr_@^r4yPov0 z79!P|BQIpziNag{@*^WH&~h!s1F;;pxJj4+Kjg=CnZC|?59Uv{^UJ4cCWXfdi=oh4 z7insm|K+Fz;*S@rb*!QEOwz1&eY|^bQ>pc1!JHpCPFH%<#d4qZyGf2;+4W_SVoWzb z^u#+GA?!v=*jtJd*Z$`AJo@L&zg6;TG|rQuOpW=50Lql>dAi_{Tuux|B0qIBQF%Lw z%Rg2!p!7b^|5o1jGL=R`b`+*T0b-hTRCt|>582*-3FKUOb?%o#V;jtPM{x~J=EJxtx7iEG8-tkkB2FH z?dNNIFX9pLM`Oe|FBU5lw?`JoHlZ_m&s)1ylO*(zOJ#g-qE?Fz(9Pq z;v)&2KN;$`{(tX{K9BtjmxhBlUhtll!nRZiMsVY^@oF?A8S7z^#{#0w!a|`9%d{s) zan3!tt5TOYd?1J!5-z3ftp}AS; z#eH;aM8tbOOd&A_%J5*f43_Sd@$0MV^b4${CLj!&c2KQ#^hjyr&1UYn7}ID;D_gH4 z{f6i;6OmhMp+Z!Z|XMF-&X?S#_^G+*XTi zZLbUjAJ_?Zvz|6SQk;E42)m6{)+4cfFMzrT*7TQm-`B4cS{ug(FC&2*&6(x?O<3uR zk}?*2+d_v6!GSaIObH*?6^v4>;&ghzz+e$LUD~$wBT$$3V5`1qYjNBVZsa)XR$j|r zCYz>AW_tV7c25CM@kX8tl8y~rD&izzcu)o2fP!Iu 
z)se?qygAMXWbWK7#b=xaK87n|knw~Vn%}VEemESsA%0b>U!MJ=lM^&Yezi1)dbu3q zgW}a@mXngSJ-hCxp(&iaLkAu8Jmut@J@ARH-^Ssbec zo>Fhd;dZB}cQ1ChT?=3ulFyIq@+XN%hTd;YNswE5v!a@TQJ0$XanaeB=Q;bIdoom+ zK9qv-7VH(wv+^I8TQxR%d?X8r?0Aq`c5; zCwIzrN0S~%i?Wr47?6{HIr=vC-D3Hr6CPE%DW>&3PBP=^D%1)D<7&Yv;z8YqVl6RP zHEy*hcoGfIP0in{Z#}H=F{yR5`w&McezRX}o`euZA?Mxf7in#F{2ic*6yl>~QgPp( zM^rKnyo=rSo2hpNi+x(C82-4m{>=6+3w)dIc+iQGV9qWEcLbC4{me>PG>SIzj^}CH z5vWAx{&KY~&#~>Zid;XJyvcMr zP*qwU?M2=kS2=l(Iu|l9m3GG2a;t^+k5X#v?~}U*G5v*Zq;YaTS!tau>G-b?w{{>} z(!*i~Z4h^7`(uC8=5q|@a^*xPa$Vl+fi$dFKYt_u>cvhCxTVV+5?OIKD8&22*xta7IVfwe9;Jz{tcV#01U(iIi zt)9s${jfo5Mu~QD+?FaYa-+)!pawt4Db!x}e zndf6-CbBTiLC+}1>2{)_v~qvSSHS`dddu4?TxrF5OrRd$F9C@w}<4FR0!gho`Og?h2BeHB*pI{3^|3UpG>C0pe6)4fK)!A8al>73lbzda#W(Yo{v{=D!*l9s|GgHTXcC=aG{FENldPnk4fM7}? zC-jnM6;a+5uxQAZ^xxh*8e)bm(m$KPbHfjO#8N zAt!%@@`L*0l&Jt@;Aop%!0w@eYPhh$a1qx`U@{#f z7pl9-<*o7%3g`1t%9WD<6o91y zz|b78b1ruSlZp&JC1C8V``EX!s)`G#6KGxofKIkMj80Hc5SqfPHj%ItKlTYpHg~;W z>fyH@PD=*fZx>4TMeP>X2&I~lC7o|gA}>t+kxZ_H57wFSJvQZg>ulevw@4VAP>7bG zCqZXx!)jwJ;YvtYzoCBoy#mWyVD-wV-xMuyd-1pXpUU}v$tt$RUW1d7dGV??1Qlx@ z0q-gKrDqi0fww;TfspmgTTaH5&K4 zw#9y^Y&aINUT4v#dyjMK;*(}c+oP}5-?R_WAME1c5r0@s;=~{(38UJbP2wbGu~>h8 zX7Q8!I)T8rNV^snAQB?sr096DnF_#g;pzzO=3eD66KqBdy%!e}4|JMYnVFx$hf~yH z{3x&2nIY?7a?)w9n{vq$pdx&8Q(cgsh=)c@=Omook}k)~j8K5E(4Rs&b`IbPI?IfD zpOQ&$K@(>){aV?f@0!MW9jz=@`ZpHAR@IAowtCi%cb`g^q?9*~T$S#y_ty)5bxbZX zU&-_(jjw!Dq)v+G$Ki+B~X}j2`pOPL6aP;vGd^Ih>$795kn&hSK^I(30 zYcRo{F||tH8Bi4-dhK6y#BmGux@6W2vEDEJwk6zF_2?x0%e=nMfER8>f|cVnfQgv` zsWf1}VCuMTvUBgl;GVEiP(bteC>{h}5gD0~!|R|$06=L2s?Z%EWzKFY1UlEAtp{S51`(8^5EGq_RTof3I)~&0KkO~__Accb%3?zbruHB_uG5w)`G&@u8>A4_P!O+>T=^|wiR`D zPso@YK36)*tEn|ot++nQzb4?@whT(@<>{rbK&~eYA}oJLel>yg%aT>4rLc?CzjeEs zJ&^zE$=1dNVrtA}Q|=+Q??C?Jnf~F%SH`b)4t=T!7NVBjTj*FlU6KVWcp1aQ%r-lh zM70dE<~hs0?aR@`8Asql3HY3t^1*;9LV3g4I<4FBw4=?M-ue@EC=C$X0~FUsgz^e7 zpb4xla+?at#e&m;ycZ@f=Hui0<-9VG1{>N1na?ZoR|Tr{peeUc5sT@u(|oUtRho#I znc0SKFgvD(wO3s~_GF}WuP-rUI^AK1chA0piFWshU6j$27)d|Fs&@PNBuytJoK6ZQ 
zIk*~55z?Mo(a)lje2C)NZu3wdq@59MsdjZ8YCpqn{*^&!PT1RGQtRp}oi}3LPn2W= z3dl(mS@1YafMujgb2^@2loyMN51P?01gsJ=!1V6sC*)Ul2^qfwj!n0qHixuGvthRL zxbh@}_u54wQQQ*4KQ__q_S-wDx+u03#xDvs|8Cw2Y;?f1UU6tHvZ8QOHS^P)JraQq z9s*eb1XUpLi(VSrHf5dtlqAZtl`qv$CX){v?j4M$ri+P5jYQ9M4cJoazO~MX5FC+W zVR*OBdW4vEvU+gTp5+b01DxR z&BGEvs}l0!n3wZnDs`?;h{f-iuJ$SCrenoMF8~SM>c#2G4z=?AF^^M(nMR{}lUU87 zus|J-`$3fqrckSiA)5(S+T96!QFnI4AkO|==DL)|rw^v`icDWh5PsG&rV^;cJKl^c z>H6{oRq68}00I}j(jUSGeTyh9z69h)w-#eo7@w^GsgxN<1>o^vdfJT}X^Byemx@Q< zcY7%@r0~e&9x0u>@n^FPr^wAkCwIEka`E_jIHMwH3YOlhUrx8T5?YAm&n>g;MjbN* zUT%|FN!aN=rRTMySBCeS;qv;De(`oe^3hd^5egGKRO%|`Wv}e$CoJiDcsD;q2-DZv zYSOY20K!vkI3e%9J~au>M9}*NuzolsuBd*r!2`BiBx{^r50Q|XdtzuY04wUa9MekL zi(XS7sA^4{-$TZ$ZF8p{764cgdM}EY<0v2=8L7pNo6u5%PH-J;DgiLefJGV!2=CG7 z#yE^RL_lFH4u~+!<`ZmnCkr9fw6F6A1x+WgGa4^r-|}G^*lz^p;?a3IHovD{NuJ%K zK&Tk#8SW_3B7UmHy^lw;Bu4A4$KBRew044-S2{j{AD)!+3$l6|$Q8DTJS5{d zP~+BVduRv_kK<{0?TCx3CC5lTRVltF^fL+nT+UjtPmE@r3#V)z#&Q&^BLhs7!}y8I z-Lth6$1nC5C)h)GOB#Y7q`75w;+Q9kdYe+p>b=XBD*MfT_?S%fP&Vbe5x8cYQ`+O@ z2rz(7>G2039kTk?`%+0yRrJvo)NOs{+7+9Q!m}Mc2q_`Vwe*Gd)a(HFJ5})FJ+F!E z7w@Vbu07$Uj|$)FjazIsNgIh~6&QFE8APc7Zv;zSBO`lJV@6{7!a&_yy^QTHAZ@%9 z)JT$s?;~u=MS)%Kc73F5whKPh7nWU@c-B5Nk`Qg{m{07N+my4@!NGTdyZ&(4XO~Ij zWQYuP{e_Wyb$RUiWp&G@B^QseAKQQ;&FQ?wI{7+}um^hwitc4PZ}Xzc<=J!`W<`4f z4z#DcH^IhS;qWv)S(df^{K#LuJL)1&98C)#A5Y~5jgEzBs$x>m-BOvw5|{${K=cD+ z)YLsGe|n*L4X0l;)9uWVA$vSfDW}HBW&Uzt0ZXjJITro}^rSWC_o#R_;27#RlTK6B z)$6u-&f=-p+en^w8Tk`Dthdh}bWi0mKde|B-y5rDv)#JAUKze44zrjFWK69YgCE)+ z(^c5|DDje*)rU1lXuX(jFz8Syj=@H*5Xw`^LiqMv^TV!u#tEurkS?noT4BH{yP;S7 zC*82Ghh6Um3O6o%r^9?C0??z)tSr?tixzqI+(6Mr-5uX;&-1!((kA^{AZI!mW&tD@rTRxx?gJ=s%SIAui_EfBWD}g zIvCM5Y=~`#W9@iGs(sbNB;&^Mq=`5!JIMqD9{0W1*gY1$nz`>>oniQ%nW@J=Lu9uz z6#qx7A(%|!>*B7_M19FUkkoJb1JT4`tL;t-?<8Vrq~9d7DLRerERyB%S7|f|bkE6+ z2~>5+HOzjHcnlgB9X1uZ<5^@~MH5>MP&N!RUC(!&cSGd(ys-qY>BO8p!03c8TQ11d zxT)KYKYM9_LYCqh7yz%RGTZG4X{3K=#243#`T>T#r_#fT$Ke#%BzbND>1nFBI*oqX z9*`!{lJa|pO5x5a;X@&}6K>xUET-Oy)_N-lHemy)+RC>W|I)Yzk00;31V{ZkW(>t- 
z`aLr*5SyYdj8^}Bq=HU;e`EMqbIs&c$vf+VcS?QK&l$UsJw6TnRn%w|)&&<4z3yKInnoFSH_5Da@ z8*6AYA!fwvi6Q1riKPsii>bH3bDQR#k4&b0v?Y227pFF{ax!UQ9U}g}xC{jbeoFTfkX@?acf6w!|9gY2VMn^t+y>jG5MXpl~7UL2J=m z{gP^>XOhp(;gh9v2(K(WCZ^&Q{ZU)ZxuGxhk@}^k*^Z7|n}F7%wKU_pU;E`Qv+i`f z<;e$FhKXNTebh;|idTQu5WG{Nd6&p#i~Jg#v{hA>X?*5jQmU%txli&-pm}M^Y5p+y zQd&b#}rFKg`ZjgfvgWgb#6le*3Yc~qv)VVNMpj`y3@)m3GeQMW0 zAs&adSSrysI>8Mq?is&tRY9)e)t2_AB=%a=S18j$Wp!1l>PCXm;UtLB^i#s$^*dLO-HranrCFPb*u%%i|OYwwLtE$W_gH8pAH z%!65!`(7u9tk!R)l{#mb2OCduxXNshEw0WW@1l1kkvQ;;DP|h{SC>kjJf_38IOfkY zWeKt_1qDiSC!#tmFI6RvAMD~5_@DjNe@+Wt*T2Jwwcn)4rHOqMobCUA`Og1} z)~1>`#(v5&Q4uUkE!Jz7_b?nc?fgY?Hn=1!tfpV__AEcG!NXuOW$Z^|j4+_RI2B+a zTbgCg;I%qk{5m_~dY8D=na+ec!qqstprFuT45*`x_8x=|(Hv`9_NsP$GJO9g=GSuw z8x=aKJz>&}8|p(yTSi29?N@ZB-Xc{AQAR@FHqAJ8CuWBp%Up~3X76(O%%ggl{twP} zq2He9kA5!FWNs8g;V#|lOUl}grRSE71RGbX4J*$}5w>x=-^L`-X5%c7nbe)|zF5^F z5I^jbV36@?<$2)^?pc}df3y^qDYaVb3okR#rVl->F5Wq-JkwMCJm_k@+~*30e;AGt zvR~(5VPT=W?}ekPA3t~ulyGl~mF~G)B)@%BFa=C{xRpi{Xh%_a#}-TEW`!4p1gr7u zG^=@DRN0{h4PrPvRHkFJD;mZ|n>lIQGW<*;ba?q1tU>@Q=qCXnpF?n70?a@O4KWE) zxn1D0=rd3%PkytGsuF;Z$g4v)k$`h(@y%7xcoiW!#pMp(vp^&NT&1fm^tG|_?2Ze+RjkHdI&EE2-*{G6n}bE-z3{L?o`4|w6c}B| z_6E?Pp&{YTUw&_XZ>I0ftA5Vb62b}7*Z>Bx1!Uy8ZpqnJe%%Su<1b_JG?zSkz}7L0h2vCbQFzvS5rS!_zASe)X2Abf`~4ExdP6Zn*p1M z8s(+aPgb)QI@f&Z+5Su+H#1a@a93RBmFwrNWeq#KcHcBt4RAIZP%5q2X9(##82oe- zzPhqbnCrCz3XcOJxWl|Bk%a+r;cN+)0q&VA=!(%O;RiXze95gcR{)t zQ1yGo+WzoOQq-!#SA;Fs6*;Zs5uFL~v};17k7Kq6i@bviOtfs+=>MMRiGGms%A0qL zVg9(g-fB^pDtOsZqAyaQCzd$1ioh>REptxoD;o)ZDcorY?=ia!JG5u(DxnuO|fubV5dec8;3b0I?T0CSh%%+yC|cqdYw8?Q`|# z0j;H*e!23j+c>>E4~HLuGqLeB(V8zc{3ADx4K-u>cAS$oP}VSitBT&ZWdnabWtxz`p^)8PxJZmYpFgJmnT)FKg2z+rvv1 z?Bw~|jLS@7BWm?Ru690;BH#%)tLCSjU1UxR2$5rARM@adpcdXe8I_+NRD{90rEt zbX8#k^0w4h%)1Mw0iRk+Ug0ahJ0+s|>haUYfE$E@UQ~KDf#e9tpUtIyv$^8%31D_2 z@=Y{MzdLpa-tuJ7^i>Cccl`Z$x##ms-aKT1Sj6&v&x=Ag!Nb$`)Keh~bWfx9H_-$K z?Bv%op}#ekn=8d>vE7X`50V-{AoIkF7mlY8V0OtUU>7j&Fb0?zkaVmNLyAeR?!+Bk zK2*D&4$#!cv!c9s=ilvm4r!`TB>4C5z2@{@-8HUPVePAF=&^0FS|=_w8D0DO`*KT>@)&_) 
zewol~)iz-1Tp%WKPIi^#X@_WQ)+^`gd$FtQdo(J6V<(s7ap?LM+~}nsbY698cbst&JV8cRXDxUv9$Nrd4Hc)XI+L)*8Le5D&)cJpe2!~m*-(#1gKEO& zXCuwO`is0`FXzsMP?AscU?1uF1}F77;B9Kyrc9__IWL&C6!LvEmW@QFQUmAc(>Qz@ zISgV&_<$Q(&(inzz3;&2&5bzqp9>l2)xY}6O1tqP;K#-X6{8M?HZ1|aws9)$Q|pIR zL0yKE*81}iFOR3n?C+hBvmX5pZp9BZTZ3UI(iHwkO@0|ch@1tx!DH-=>8R!nxebVU zD*p8HG{Xz@JsDWpBy{j0|HgU&|2SpYA#NogZm2-9er9LsGf?lqu;_qd(FQ;j3ZTjwO$89h?}3$jI-rP9 zd%6O~g7xb6$8@j0!0G7da5-!|5)UV#pOt&@B7)J;(eZQ}pnx+xudncpzX6CijCYF1 zs3U4%kV&-Yho>V1$Q|V>LdgJ2_zDpMX&xG4jT5YDUJ0$<<1%}(f zpacNC$L6f*kAlt<6M!-N;Nb1ttb%cM4q&*W)=YNiwsttS`^(*Y;r?6VU0PsqGMr zOXO;Mw6G0mlFm|{3H8Y0_9nP-_!G2BK&?XrS~noB8Pd=PD1fu%A8i@P)nVGQ8p zYZCQG0a;}i^i?DSqemWh-~*33V2Km90H&-!`($;jgtX!6%oHgqlDE7qQUs&ml>-%A zJe&~%4^kI}S2Ua!!W$S;9FP=ayky(x^%74eK`U$r@JM@{0mBaii(trT!S(*u;7 zA0=K6{KSbxi(?CfJkzJhce zWi`_U`47l}HUhQ0ZLbN`#=)lwL^PQI0uZ(94b~f295LWBXx-=JilM-T_ z!siSIk^m$pH`Md|$Qa4$(wDK{C2^^&3sz$VrK;361;<<~`<6R=lm1q|gSE&~sQ z;h^GjP)F_xqla%5et93OHW!PAdte(w{0!~N(u+@>udm4*y_wL;unO_h+Olh(x-f~dJ z)P0%4qq6la#_j&KhlfX*kMww8Xt;>Q@f(R6{tD)a9)E6HqH+kHI;h!ZnW;s@`T?IbG2#l>Z` z(icA#U~UZv5ae{=0dEtO?j&cY9h4mo4CLb)L#fE($G_@qbW&Ud$ubRYQkVhO$7%QYusOCAwOE_=EdpivCd!C12u%r zY(8i=^wbwBlAa%LcLLroWo;IqwAyY!r7Cb5b*Ol9`jfez9A{xptI=y#07Do)_)cR+p#4Kz< zz<7aTg+o9<(;UwQP8L6ac9nFn3HmVK4%1-(L(N(@UC?eSR5W8^Y)W_n>`^50pv-w* ze9gMBYPsT=?#mW-481;7DPZW6J(Vh=%lghf^W+%(F3dKCgd zo@nGB)Dzx9Dmk(`MrY5HxuU2SF z-wu_;bC|RB%s5(p4&uj|DKnz%XyARaL^%kies||YR0fZiES%C^+KB>EkAET$=c}L{ zk`^ayR`+St1&$OLXIN#t=RUI=#d-=wMw4-Y+R)?j#dFw4i+G270T@e32VTgtZqZa)H!Kh7P&p5K}eFxyzu|xy2~C^+y;OLETCM zt?eOdR!=T)k#Togt0Fk%%U&y(UClbUmHy(bs;+72n?@6vUG-ZZp{VlSfEMJbZeFoDOFb-)oJB=W_49)BM0L)J`BXBAvZS!ovnQ~ zz;H`9O$8LGw&AxZ)<;ufPunQd-wwHyMM2x!Db!5m9bgjY(a-<&NaWoG0hiZ78i!a3 zKH%nRvlJoR`xYI{EMwbj9Ruw$S0zEH03`%0qhI1CqxmX==`TLQT^yaKo!Iqr4Hv3& z8@T|nLHjP2$xg>y>Yn8yCG`1x3uJfQi)8iUfb3-o3nmWDRDiDMIhIMkR@45#w>T!+ zv`Wqy!sELPT6Lkt({~N`KFvFQlGJvqH+TXJsJtWQ#@L$+acCPmOBy$u3&UrcKXs>N zSWFYVIdyshK)myQc(ai^`Okd!$`1br*_i$^4E;?z+x|A$YPaX`Uoy 
z&Z$|QFU7LNzYS(w8U}`hbWR%PN~Vu&ea7XE3DBOUgq9W5QG?TxD2r7h13^`(>Em$} zSfm9i4_6GuZY8k_V=(S$laW8HuFQ_zg%;1Qzd*z{RD=d#V&2)(V+Ql@j}^Y8dj_XV zgr&C4dXjdY?#JzP9=Y4-(!hTdxOz?Pak9(FW}ziKNgeel;Bzd~MZ27xnbLzC1i7kWBV=V|G}5_DZ?A&y?8)y|tB#&z8w8 z>|eOM1N-7pH2>1C+1xQM(zv{X3r(YfxN)vN(W>>pVl}Cwf86)O=r>@SH!c9?n5drK zTY!1jt+J&=wtV0!naWs`E-hipeNZ5GSZb5Tl>+TU6RE4WNvFKwoH_@lI90)e2gZu zhQ3w{9qsFnw&@6AYC<;!zs{A2CyMYfw^iOk%IO9$Co4^f_7^!e9mv@bnP?A7@WsVv znxz@TpGQ5j-#tsm+nGqW1`a3~JdQ313-!-S8Yz!!33xtn*4TUAA?J_G*pPzQ8w0q}^2+E`7GW%3Zv@~D9-#2XAX$TApYi=47 z{+`ilxH?>F1m61pFe4Lz{0j+I*Z`WvR4PK*A1!}wcy%y#z4zbI*xArLs+le$bNtEg z7!SkUqj@2v3$zft)KV_dNxoaGhdf^6n^?;zsb^>Awh(%YyJ zK7dyk8L@eGxI;I9#Z+LPBw>BHjy4rs^+AW9w^vsP7+W>=?PD{UO&s_E4<&>JEXcEnDl*=3widcR`*pq{$5)?x)gMG9-cf*;rcOV*DW|EB zB)=q4z8&T@lKV5v3#Qy0P@=@EJ7id* z(`fwW+xom)Vcu=(x(=||uLy20k>Gv?@ZW6K%V?9}5{X}v=vY&Y3!p2-k^|nKy_5i& zWNCQKa7S4PHc);HJ{&}gTug1y_5~z7$2lqV9L<469B}k_f|s(UjTi1;sG-1%YR0z{vVf(qoFyl zHC!6R&-%zDy_kUqs>+sYL-)(+Qgmd)kjG(=tXfIwPT1rx3>eBHHV^F6{&SK=Pb_{U z`!`uA$q4Dgu>xv#0naPJI_B31sZN>9XUDFi`ZdQJ{FreJe&Bwt9fnVu<^?-NSFh_CN0xaJg6=jkEpLf&XLkmr4PllGK#%*|xL+?-=w{({!}I zXNvhmTQ|-gpybGE29k2RKTuOs>)ZY0uWr(>Bf6&8KDWG_^K&K?aE7^`(Si>8U_zEW zd;#@b*SRFf`bP2t_DeHw-fB)BKu!H!y(d8Cx&!T5+4LK38Nl@qY3#7f~6^iE}TXaQknxB1rqIv!zwZyTbWYYlsNO3Y!UC0}sJ+2xV;`w5=1u$swW zOR6=d@lPe~vmAs`mAUJUlzUFtD#snOGJd{^zB9t#6zItG+Wj-VVhkio$#B0s<_Jc1 zfILrppy2Y_~x7cl40nL>wY~lMmBIR}Iz!J>INHaW0tSxKG5b)2<-qQPbvIv}X)C39`jT0Vd(U-s45{h$b8*q{HJjN}oQaQEu^ zbV1TyZS9$$51y`58;Y?^>fYPxqeP09_ulHp2~nXAn8w|!I1{3fUur^@@$KgRd*{ix zir&FDwe!dYLgD!AK7c}+I50G=#+FanHDHOSNFR}Ad;qLrWtzV6Gq##n9@(L!MMV|7 z76C>i4<{?Pn;(X#>RnA8f4Lfvd33q=`m10r`$VPX2L^4PO!32fWava{DdB(sztEat z)16l9UixXAFLoPFxW)ArWU&laU$o+vCXA~bx1U2?f>4V!E!Q%pcuxiu#z8+cGAb(i zxV^m{kaL@A7XxVROK}jvb98If_dT{iwiWKxlL-E7Z8a=}B z7^gvq_@S-n@B)%43}3I0E5{ld{AKafJq zpf3^aRlN(pz{QR|G^rAsy!BmI)Nz&m=w_vE$o>GYCOZ@pO$>L`{a7&Ev4bxFSo@(p zeCUFqT~gIlFUHKsNLpQeny1V?h*Ul!5ku466CWn&GbP|Y=uQB- zU_lGrzz}NVl`+OMxl`1kSxB^|x<;kJ%)k6uZ 
z9(@!&6+-aUI_^tIg__5e3{28a@1WxeugV?n7|VL9d`>%D45!`QI?;b2l^@DE<3>tZ zCcEH=5k8j@pew&_6BNp#ASgXNOCYfEoH3r=VG3%q$$uDaJn^3VWs#4!dj2BY%ZjA8 zkAR-mIix}n-WmJ5D}OgwkSDRR^4{_{3lf>a!p;(KP-;IZ+UFfFh~#$9*;6T|Q_zwH<`O2gk3+ESMV9Us=`w;LA1tTiZL8`0s|oi)8Y>g7jh~al&}YVb37LbolclrxsszZ}tUZ z;KvaSn~_z3^^bCI0=lBx6TmdA_J+)TTk8aEH=*Sr)S`?phb9=P(6R=Cj=l({UM};W ztT^)*w~+XE)zxU-V;=W)MsqB!Czjz2?$cTl@drC*JZX zrdY<^OA@RaSxs~?YI)yPjE-X)V7KKh*lk%KEJ6Hd^t?F;IX7vJbZ`>|G_nQFA3x)G zp_NJGXDMv_P;%ZskB$6MJkGmh@$4@GQO}?T*z)i+=)njsC6v{DOxTQH&~PGd6$sRs zAQeF7d}Qo96Y{VX)u>aE3jJLN3Tyc%tF+G_$e_sK=l9E7{#?Y!l7CC4f)r`>?-U8! z`d|C}w$8p|_!Rc^ka23nZ9K|CW#TD9DBs+}VTuC}e0dMAC>ufimg8m@`guK#Njm1G zhou3$llfWcH%XjF%m|OTF&_yKfj{`FKRe74HNJPJ{3*+%T@Dzl>^EYIM}CpvHNzA# ziJEOi`yn0S@y*Y|vDsPu2}Z?|68{xiLEkfOkxuUeLb);2s_yL2w$5n{Hj2I#Stde* zj)T04R_>Ijuk4FP`BwktR{80^C7^^_%yEdoei<#~JO(f``q$3@(P8$h@=bmA7#lDn zRilA}#ww`h)AC$E)fM5t-9(4aA8 zvTX`sv`Nay&lsQIttP7TbaedcPiz)E~bmEL&d4zN7b(BrvsvtDJq{wgd3q*fXq^ z7|76?UGX{3>pKGHsH@XSOucY%pdUs?Q~L=4_-JvBMe+49AtMAUvE3py6%j$c$-!xr zl)-U1KJf|p;t=n94ZGELeN!|wcoX(nFOA0-ULX>1-jz*7Uo>f2g+ePD!T9FIg6Ek~HwlG|fzeG|skKTUVDN+mH0z&@F3GWUn&Az+>534K8Z zx3lI4Z!*q-_s_4FvVO?E3IP1Z6x^4Q=Y@2ey^y~I9gM$X<&C)!4Y~l>IW4*D5}CmB z6_4Svv1L2z?{h$P>-`5S+|CaBZLUed4r$g41GotfY=K^k=8Kikl*4b9{&%r5AD z`KLgO|Ja6Ka6f8YrL!;53at{jyhboBSFq4F2s>9chMNJt$>Kpv~wne=Fc((uf-kL)3sHcR$@qiivUTy0q zBXBSJf$VF`-#vs%Pb`(3EcWNAMBjYJ+tmYmD&BfHWOit(r9Z%<6dnts|187?mI+SZ z%*xbfA@$p@c%p+2JF{-L#Aldgjxw1W_!@q4reUIx!cVs$t_YhrS(@$7DK~X<%7Hz4 zIj+F~iQgrU6MTb)^Ia4Ca`iYyfCYIl~s7VJwV^T%#a#YEKBHolw>UVvaPI)fuVio7XRmCW zKPNd)G#7WsO_7sAjOt$}IelhRB!!pLsg8CH+`^LUu15g*aA!vA-ja~`U8_Mcp~VjP zMr_|=c#1vOJNl}t6QvY5fyUtJX8t@+=Eb49MY&Zd+~<&%LfC7~ z#rOZ|O%#T_dYdWtKgQ8;1nlUw<#*t=aC1+ZvOGG%E6=%gT;5Su@gzhgOR&#jhzKt*kJn;cp7G@idTxpX0dPL_2SYRZU`8gM$3CC@4D?T7-RDJMWGkell{|@I zy9{kE0J9fhPK$u#ZVeAprjmm|rJP z!0ihI3oC0JSdEu>nLFRXfmxq2KL8-T`(n3uD%5rq@P2>YoCDIqZvZ@g`K|@)a1NrC!AX zywV~Ted3kp@!47N8^Oq;A3<!b}Gg9#JBwBz#&J8f=mZse)YVC)YMikYC!Ic4;4(paId-=g$M|JY&u+tLE>rSe=c;n#JECy 
zU4fqqusgZ8RR5?_CW!-P;=-afMgf=HC43GZdHoqMe2DqcSXC(<$KbS8y~1QVO4nW- zr{f~o{RYb+=y<^d7|ukSm4I1J+MlK>1*&LSYCeQg_Q`k0%$28P;&E^+mY;t1+WM3G zO>4J3_$>4a1m?YnNt%#?FX9ohKHwhu^wX#5)%ueNyF@l=N(eM!m%QRGE;hDa6_;db zva}g1wvZGY$u1_DL=zz%T+L?1Wb{kgkM2v=U_K&dJQ%2NUI8JF5c~@SJ*4k!7E@eC zymP>Zy%??-*r?FB2ZnwDz3)t5rQ!sfxv}p%0K%yTh&B^`l^_}97=%@Q@*p3SfxK6lTMQReWhvMCRw8;1Bo9=2l0t;D z=KiUdC=qPH|Ak^P9}Gi0;&=HvwiED>v;(*+MblAO2bsH#>9`gl^us1gAym~B6v1?i z@ZqBM`M_h>>2N4h422Wwvi>L zL__JA)f9Sr?Sr5t2M2b;c?zx5*9U7urS`v7Aqzp$dJ{nIJx>50@t6;@k(>8QsJA!m=u4 zW?b@#Q1JCH=-^5~wIv6knTCwzqv-O;_0_Rp_V?O6PWv%!$9b?c87qxr3$B62VKJDt z7@V%s(RBGoo0B5L1vMLGy;IKup#>-mRd8V4iVfw+#1#1%5T=iBQR;Fa1pUdP?XSkgY@jjjsf$ zyYkO7N}~0)rYcPWbXRB7yS_)~`U70k211YYrx?n`^|+F9E6Z$UC$0UO{1H zd;(5AGc-X$92P(;@x?pBiDHmfZ?z~orJp_n+f|u8@4qrq<8CL6oz>D#5+$M7JYD;x z7&RJoRRdam=LB^F%?0qgmLwxm=|xqE#twts9}Y}!JH#W{ul-H@lYabJJfhmnn1?wK{_Z*gD!iM3$@@|dUTTicghU}1+2z!3ltRt+?D@_vbT<^>f8E<0i{6< zT0%iU8bm-E1SF+HQu3gH(w!oWfS@!=_o2HxghO|CcQ?H2fX}_(`@}oO?_bA|vCrCj z%{f0Y=j@SSMf~yjDMl-&>4+RH26#ZpA;~SV(_fV`?n(j%|Eh{1S0=1un z?mm1Nk*AuF_czv3;D=7iVyIpNG0srCsF4s^$*3wF7SGxud1S1Htki-Bs=f!H1o~Ul ze=*OYafsG^DMq~f8UMCe^99z@f8luvJUMhyX>Oiq#&RTpTNn0yJsmvNLgaqwDP9APyu$zz6!aUGU{zl~Df6-@ypVjWFOm*_ zU(s*;c8DY+@%Xd39^!#XJ2xeNk7RFsxk%FAlArItm;8bzEmABj^!yxTU@z+%XKCIN z@=1@xPzq&Y7B)cnq?Y-y&|iE8CtSNk5`ytg==SX;;8A#6<=u`WQ)qhi4?;p6Bi&1F zQfAXn`;%FH+_|gI2@ml1zo;cnDLb1Yr9z2)9y<9^ z2!3NkxxXU=vUk#d)?*A_p`6Ab(IVqL(Pmr!+OOKapku${ZvF51N|wW6 zbVAqWj*0_A7)^!Niozs#lDZnKScQd3BJ6^J4% zN}x0lUNl@*sogjG0gKMJ#ef{0 zPE0mmyq%uwj1!yB;vq;h)?>$d|LQJsGxGiWTRnfimTd=Uux{-2zRD6p&DF*9-|y8w zOChw}-7iZPRmF|KolTlHdOrT#XqrQnE2Vcjg%kGBrX>|h=5ze{?D_Lwlnz$uEFE#3 zR8+Pc%}4s)HJEk9n(zn+Zp+kKy77b6sj_c7SqnNEl77WsW3o9t>DZS z8TAi-9zZ_|TG*J4DeC9z0~BYQWgN**Ov6;}18bxmy_W}%+r8B0YM6d>)&G1f@H$I9 zjiQtV^-`dgXi~P4Osa&b0WZ5EL3LcC;}w17lgGnVZXrl5eTvcaaRIPAd;mH~(dQJX&ungvGMiyZXes*9|1L`*9$#{rDS0sBzGu$#0t^ zC3dNRa`*2dz{qp$Q1a(~h?#A; zUYeVqHqv_&H|pwj*a@R!U}~Cht7-T-IKNv9UcQ1RRm$d3k_MijwW}k+x2>b_=_?WZ 
zp#|mbc%kAq9~8HxV<+S9aC7j#|I_|(CzB%busM!gUwvCPBw9(TT=v7$5>jpc6iTvk z9W=+^u9Qbco1)Xfj(S4Zh9eH9sM=?{YSLx8)S1te>ZegTW=^-`nh5M*tz%kQNz`l| z$Xa;5#TMlFIir3_G_cpwJcR1|Yz~JZnS~1-no~K^~qYSY> zm$)>G$ZbGLWb4m-CV?VQ-% z>G-B34;iX?CQl@e-j0b`k*&k-K4OY@*W+Yd=eTlP zjC;R%-C6n4er9|rwmmk!C~;!n+CK1AB`9^ZRn!c=u2CG~Lcx;rJ2-JMG(3*x}W9ZLQ~sB<-4AdCncRbGb_6 z$@DfDoh?Mqh4dp*=gox` zeJ}!pAKn&}Xg2>SD2s8?sM)e)E60DDrr92L%daW8lw1ijv$h<>eyg9JBFBY23+}OZq~^#EQsVh$ydotR{h~Q(??h2J^wxP?q$yT zhSZ3kUsNiCHk-5xoo4d`e%GI_63~xouOD9qr7dH(I92m2$b7Ccu_aF-bPjB1-|Y+T z28XN3Ug&yaMmANss{gEoYHsrVlttUMC`SxsAqZUQ5Rv0XF^RbXqx_cE!G=J6~tG_{}NPugjD$nL}V39Z6Gtv&6)HI>J zFAWKgJjKpF2P-e`6%I%6ec9gp{bOgP^p1zOnkbcMWC?@)yB!S*(qzfd8zT5jwSP> zB-??2T|8206T8JCVak)Lw!R8zv+{k7r&<80+n~=F`jFB}e6+tvG?L@u|HBOUB=vm` zm#?y}ap*CfsjyAIfVf85Vi`sMw(0A|&GyK+DehL>FL-DWbl<}cZx$2>|@2|2Kl1rHY@L#n%3KPc{liC0~g)4z{Dn9l_D|BWiS!pCI)i|ACB$I&^>`y z%w*cL9F1*W&p~~=3F^69)yW}d_NKmyeDUMI60@PJ+aN6;?)Ux6+Uc-U*n7m2t7ZOp z+%L<9uE-bl(1r(;`D+zdl5e4VFY;jm`)#mzjb&@t`>0v6SQh#ht~2RMb>D9Fl?0+B zcMioba1R@(%TD-jNbFn1d{IHr2GL#sQky{ubIfXe#>rA$V~PcH*8*G}57-K5Az1yT|nT$o0D{htbZ zviVotH-M~Sfyvo2cp+u#0w0OH{o(quJy))du8Js-s6#29VX-&7hp0^X6676Z^6d0i zXtn*Je=&fPWuskaOqHx8<$0n8Mv8TPi1uH?&a6z6h%{smw&GWM!h6ewfLF!kAS~KuU-jf;M?<`6Idn0s>~Ma) zy(nYlWn(jDCvu%oj|M%4Qx{Ixvrn8dOL%9+$5X$vdrP=XAQ=|m#Sw?u;{ZOY z<}b}nGj{-pfYf{WM;xD93{B>DRcc zcU(;bh?>|^@RTwPfO3EB61WPq>8B)sDhIbIenSDL%KKNBc?|f}PV8Hvha&??2sjLl z{=gXc2EUoUH`WdBXm3b-$e>Y+8Zfl=T1Dnd#4fB$VOa|7QRChPtBH`S@NOiHrlKOUfUfKOSwH1#dN~?%n#wJtKpbu8*-$gE>7l#K(XBYEW%q8D3 zX62Fkg$edQt~OP|Yg&AuYze<1{0|xYztn0Vhba-bAODCdwjQUr2;D7A_`zK%^QdHU+%rHLEG_F?aSHYi%l2%r9Oh6(RwDfxeZyWwMiq#Euj%QKBU4GSXSf5 zEqxJr_Ukxh^RZ4z#E|lM6L|}C71NP4Qvu%aUpNpW9rdd47?o6h|=XB!xhLGXrB^wDyTm{f?Y0~Fiaj%YF9#H_gw31t@0qlbR(u5 zMbbR%V9vH#EPlkuEv z8YAo}?IR5SmGhKg(}Af7jmWP)HCw^U%ueWT#}v-$U#q zzwNM&-5egHSQCF^>SS&O$ZB@5nUZCz;^X~Mz$G2e?W=8v`89+-#jD)hisF2|6&H}b78Y;4AjP=fi6GclN3PZan~t0? 
z_0nb4s=^Cw*b3Wt2fFdL)73eRxo*EyPw^moWa;YTT9&NDD-rU`vFTic(DEFuR$HBw zi~1FdvBMRoCDJygwwA{C(}5vc?-gHkfV!4zy@5esT-BwPN6_^$rB?ds#MPmrcN_We7 z6P9XV6GBh76MQ7ZGfr4f|miHf%Dc0m`%j|q7jNmB*kiYXfIvn z%KcF9(NClu)shP0N!eON05qSA0zE7fvG~}*v5S*U>aE+yKgGN2Ibrsok_pS<*tova zSmXB4>^Rc%;OCO-ov%@9mM%sx2(Xln^1gA(a3_I31vsF4wS5?L_cL!w{DhXEoJ|nq z{s05qU+<+B!c;IAVaTAn2aj%5Z>JOUlJ66+SKr0?b$u5Y)d)+>(Tr(^>xGvEa$wS% zE=)wuy5Z4RQ<~fu5v6P1psH7`Alg|ZJvpC2K`tuKQ7M*b^jtTx&v+Y&{J|^7(q+BD z1Y1|d{&4AoQXL(*>T1nDVo~vWZhcoS6cYN(o@&I%KdZp~!1HwbT-BdrjKJOw|*pC(kXcgnq!w($E1)KpZ*^Sy=_4k3L6fb?9u+fM>;^*2b!gVCi7_ zn6mN?P+GV@5+8Wef_H3afG`*Kd&{1S8Q+}~#vZ=$N+~jhTZSkQk)zHx)`b!JuK1Z^Y3PR7UkFn_ysCH0M` zM|?5Vfg^;P`Hx;Xj-zHRuHZecu#ZV2Q{(~{$%2a@rh9|lliCrrQLS8xca8^1N-KNM zyO4QI^Pcjf_y*eyj1-KC-h3X?Hzeup=aHS_PNbvKV5T3tJZPW8;GFeLWXYwT>#I;C zJKPO;Und}93tXX9CR!d~U;FC-OrkKg{$=3$K<-j1_NTz zL%qNkye}>vf*dPKz32Rf3eI|f+U&;L2M#EN6hZ}cd5ms?3=7?-`yfDwycq@Nvm0tU z1D{+Pqf;u9iVFPG1ddP=#UQB|!h91eWqQr2&cwDsdqU%;jKi;2iV}L};UDFmkpNJ?dE#_r-b< z!nIV;e>pXpTYH={?X#z7kgA+z(B%tn;0dL$yt&M`?q+J`Iw*_D;k%|wZWT4?D}2(R zF>FIOl?w;y>Lc+j9#opCOacWbR@c5_HaSac`n`zS1+vByHrigf#=B65(-A)sMB$52foO$=<0bfyBXVLTVnaYj$I-X)8!2#ggl{UV&7J356R#1EWX zdf=kdSm9%`u$a*;=K0By>B`^o6)!d~t8q@%QadcJetVs{<{VXv2@XIv+W6TzZlfpg zQvLrBmQ+rNCy`svY@Q5% zuL~2IenQYc-@KnDv*n%bvo>cKQ7Dd(>lfjgr0`cO93(N2KgU zFmw1Gd5H&UH`LT^Eoegfga=k|xp%KA>mnLCMVUYZqT>8ol%=DzDJ_>g@UklYQU|xF zROf~nt64Ml${9KvLgswj0G&CQn*<^76+BAYKJzt&!Zf=bWrlv|J}9Kmb+3;0*Gzn*}y>BAnrr}9^j?Htt}Ct3o=MHn3NY=DVSD^l!%^Dd|xAP zI7y~zeMDGw)3>dLSxIL|ryo@|>XSFHI;_%=)uRK`o1F8#x5&~rrowToMRaed^Gsx0 z+g>u=Sl1s~r>-EAih8nRf)!UBqQQn|lxaknroZ=+mAq;F>mR`nVOJII8u=IWk7u73 zwT<+`+eYYUMTSO&O)O!Iur005#h%z+>Siej9Mnkq%bkqdk6;!|xZv6nV(q>-7mdVo z#d-K2N@yBU`vbhzeRq8aTV(!GQw}2{lsfsdKZjGtMkfMx#0w?e@@>@vOvB4TaXE&+ z#TXfL{dbr)ZBD8t{P)N%eRdpPL$PhL!dt|2^C|VEN&;@ajL82qz6~{ufw2;Z1uEaH zvKub0zS#}IFb>gUvVJk9P=#(!y3c8KytcKLUdwp?j+NMJow_1I#ETRqVP|5+OHDn& zq^&DY5Ljw3Uxg^fBRzmy_>mGH^CqW<*gVnDdL7>J^U1>$tdg48t-(~tX+f&sHs$yB zFmqpRtskF=iOmAQ 
zD!*ba6NRw?1ZTKGbD*A#YcOoVzE4^0I*6D_m%8HXL+cS7JdS6L&<#~vt6 zjY3cloBNV%|Cp}T=RG(0{-8TzT3nR>Gkk#Qo*ADEFe0hk!^w*lEMFI6ZVAqk_mk|j z+59ZpPov+Qx@0Ky=thP~-X@FnEt<$9y^CZMqxgjt`~^nx6oXK|Bhlr19ti4?+Sij1 z(5PCm{BIBRtxWrpzpv@2fs%`?d*dKcEm^CAD_7S>3?;m5&mSS=*W&iWV?V|FKjywj zT2w^I>59SKAb<6le_BT+bXERz&&%!Y+voOUJ&OK~8k1c_D0Ee_C@!7lHF8nCXaG6Q zIdaaAJYGhED3?3j3#wghhk=%_#}LEMLQ~yI6ZHxc7We&m)WG_$3-0v)9oc-dmQ6(I z-$b~2<7~NED-t7%k-gCZx>@?_e9IugMap^+#UGk&5 z7e#-jYq0_isqN|8#TvPMWqHBuH54I6c!>IS?dds03TB#Bl&jxDk{hfQ0M324Z}+)2 zoeZ0`=3tIJu|-Cw`9Z%^HHrLu1II@Br~mQ-@W|~{TE*xh8!5Na;8u=P6>SAJd=hB* zZFM)_X1pO>4o{Rv6(QeG+_eAk>0|z{jQMnPFPKHXF-?*CTQ3n;rPWDr8GJ(tea= z>$|})E%k}|N7gTCqPI*jP^EpTy2|j6DGPM;%GEB>;O91|Jzgs|Lu$vg$+XT+6=|1GoTTf0;YhiWoRRPce9|~aa}FH-400fNmkk*V-Uj4Lho@sxgdR{XS+J_$$o$SnvE1rw)i$%X1SH6KHXfWvTRs8TI$2f7M zVr4}(7)%lq7R_SFIY9enehkF$&&`cIzX9F0qu$-ykPYTgg@ph*!Lb5f?K301f2K1u zx7(ihR&y}dx(-Si_Y>$sp8i%1P{HOWB9QR;0b#COkE5^hJyVWRpnp(Frc`8r4tVO& z3Mq)+knm#sE%igt6ZvR1UWE`u<#QSDU<^o>Jf)w`!F4~5;3AOr)-=U>a%Md^hcT7d zhY!EL>T_bHC4hgBpfwZ&?JLQ#&jS12A_5+$uMyh3{ThLBn6hn6%ZGxAom7mUOs+yQ z4{>lz>q}zx{-w$r8$JhV>1?kNkLtyt59Zn27lZa_t;=2*Fk+~N^U9<=;6^}%IllYf z%lZ}(bwAP(>z;0lE@ERIWx2qoJ#6(mE?c2WE)+kKyjm|YUhcV=J>+spV_y3(D2XyB z)h&R*y#g=oJ?;@x5(9!k@oz`a4G2~~>9@yaavf%L49p^7S>F+x8prw(Q~KqyuEM=b z;&VUV(Km+*5>(vjEwYi!0ZbP)r5pHEul;?qBn=LqBA}{7k&8y>nYovM<%2qUHZnCp z&2I({9l{0aTG`+w1SjG2a)Ya=tQest6Yp}2p>zB?)m`nV1Tm-FV^@r^fKBf} zw&HMfxfNr$qXo){yO4jC5ujEIXoz#xQBhYU`E64hK}o`1=zr(8|09C!^z4+wUOj0^ z%xBY;51K1QLXLGFwn&kuv?Txb_P|S$%ae)iS~+o%_Yr!|JM75Pp*|hG(*=0QDo3lA zbUJu{o%L63BXLy5On+iL7Skt{jpN3SbIvJF`-`{evWb==#o~|EhlAC}TboD1DE9Tv zb@Sj1i%K4=e%mE@Py>L#Z=LHy-v~x^RqBJc6L(teCZ$q{C%q~7i_!0OIo4r5RnAn# zEUBuNSw3-7NfTsFfrNWk*&yT}j#FlIlNeMpz9?+Mb9M`J>JpS#QdwYj%D{!#ka$u6 zTB*k1K?!)|e~^)&!SCdb?y<#;c+m5m9K0`gr>EG*1+!vyvKk(Ua(&~l;S1Qx>i2{f z8CuDN&IF*m|5ASAB8FpilLvor3aJGV7zyYzM>lDk(%75pajHxpDc0rK4kl@+o@#?k zWp_l^(;Q+Q(OwxFjOrGS^1i5~b0t^Iawq~w1`CIe6N8@#YXCSXOG1Upo}=Y?8l zfu`QjkG)u5;e##Vogi871zI~C{@g3vBd8AW5PdX}MwF^~`7<=iW~TAW7FU@poAmP| 
z1+IiuhrCfqdc!3%4ezF+G2c!CBF(YBBT&GG_Lf+$K{cV@SC%g~*=Ko=txk42+=Cw8gb^^aNH|vv6L}k@ROCQ~fnE zEcvz}vIo@9ZFhr~M821Z7<|<~S;{JDiJ+&X+hDKxNqR>wCZjMsqSeVOanw{?>Y*r* z8OY%y?kdDtPnZB3fMoSw&6AP1kVW*!;+~Kws^5Gm)@~T+#eMl^6?UD_S4N2T5q6nc zyD#SyVrEy;jvcw6Enar$TTdQZdg`qw>P^@OFcSDx$pGBPiqc& zNO*hhSL2n;g4z!ipd&E4s(yRLl9DnXlm zy71YcW(a|mwo`ty#LVJg@J#YkfblVd@YI@}{LV5>`wzBh*XHv~PPE8kyoN&&k% zs8}*~!3*}nF@V-kJC#XB+g!iS&=F%q~(SQNpE2zP#= z5UyCgJwIajEwQwHuu(?%SbY#FbdEj<466kd@--g4kqDgN0Vnmh+2$L;j|S+(Hq8^W zSrI#kigEB$adD~Esnt8x;S3h&&0UHZq*ocPDR&^Gr^(Kdi|-i9nXbFZ9*rLeg_+P$ zxLwjb|1%bFauA@CrTGZ?+WC%#v!N3IHR}SC8)iu|?z583fQdyjx~O+yUFDdfm2RR# zoOg7(d1hgE_sMeCu={_)ps`d*lX2tSkMEv4cmmC%g95HE7#uFIDAhsX#0QLHm^QATqK({4D=A7Aq+)`$Q^wiZSbhlhV>{pe?os&%)$e$HZV^V3qGpR|q7w=VxP! z*Sj=lcyB&E>p4k@~;QVsP#y7Wq*~W&BIFES2u3 zzPZ1G_!LQ_)N(osA>k)3hqnd9oe3h%xhcBN@%ROIdp*rv%7#q7)+aeKCQY1Mp2A7Q zb-(QxRunO_CSPLjzU59@7?Hsx9rJ{mp*jW9^Akj=(YRR}LPp&&$xs*o%hZ~IJ55*q z4RmSVbl66M{;}a7U&v4bU<@G%R5=MwNAbp&XLyo^C2rlg21ferUIdBbkImvw4Z&h2 z6gTobVFN?I^$irjh;d!nL2|6J61FG{8U-=L-QFeQtY<3XeNd@i1=HKf$V%Ji=;ZEq zoRp7Vophupz&KWcL*F5%=xrsEI-52Oq0kav+Ojb1r_>o`cB}sLk!3xcuXxv8bI*ZaNwc_s?u^!0FNLr0k^#Yt++&Tzzg zI;#q^(HAevXFM>LjauBgoqMWzu72?lWH4&Xd1okwxb})xoR}}O>KyO(`Isig+kG`o z(Ym%lc=cPgSNPR%^%VyN%9-Xd_BTXwVid>p=lsX2l+xbOI$vZOZ9BV5-$X_`_*9T9 z40Lfx*SVz4h$r^^IxyhPXq+ZnHoG^2g9pi++1!H zmP@jG?Mayq+Gb6|#&cm&VYMzq7$uBWJgE@Qkf_1CK9I2Aj?ej_npya!4o=EkEUA`n z2V6fB+^ZS5PgPFAMqifYXod=Fzmhl54y$fIpRlc`%+vZnaZ_Awn-;$wp7~ii1p0o5 z_GpZRksDG3%Z7hU~b@2Sna3->ogx`zOB1IXY z+$gr*JpI=1lXM0792-_ht~837p=hyc)4K>WI}$U3C8SYYLNvZU?IIqZ?OxD7+U6g| z8J^yMsa~?W@OgX6YdJPz`5bJbnCYp(D*7;)e_`a6v&y|bT`B*2=$QY-((;T$Sb%2;0G`3}rxdPapC@+{Mn*5N!gt3}V43>- z5jojMZJ&B};X(q@Wk!Q73sRbPKW+#YRbVG4Dy(mjVmKa83qZVorsns8?l?iB$FIdVL%uOznvSf+I$fU@n zdxXl82fGj-_Gu(^6x)S4)tVqlB03BoV2kr=a2!*bUY~PL>^5l#30L`&{a!Ib)SxGN zl@f0BG^lUnDQxeAOwG^&Z!FHct>ncz`E^^S3O5)q%J4g$)baT(n-|8YGo*RQ(t+${ ztbK_)rx-I+=TnnL7XC_>k707@XU~E2h-nJf=;?SkWsML|lS-D)PaY$EP&x5Osa?qm z9BA?nZLr}Tg;FeB9px(^)R=dZ%S7;u1#|}lnFrsvhcgVHonF 
z=SPb8cm|lv(YHT)(n1$sj308qVzTwjpgV@dJdA*Ro42!v)~=l$+%r;C2>;9?!gjQp zVBctI{2Mc~cO`BH`ac&)gr&iiBrUm+IHvsN8uElh3VdqVJy^FQ5>3F`?e%y-v>D%XR-Ho%= zTl*1I z{ncaorLZB5YP%67C8>jg1)x?oi)y{u2N034cT?k&$OG!8X-lgB*akUXhkY2sQeQ2Db zKYaki0=@hhz{M2!R?K~DO5teimEAtH)Z7#cr%0GpYu`S)XGWsX3H=$9MzIQ=k|am2 z9Gaae>-*$AXE(Q>*r;JKhZ+*KSf?efEs19{+IwRQWp5I89MH!(Kx7sV(%~gPx<7 zU);2E^eGPeFOK~gJ>5w2P@Ufq%k5w|L$g9p8*ixrrt^54869`<&=FweVIy|xL zGk(uyjE#cmSBCEWMN}N2~UDXdxQ_3GkOV~1%WSa#{2XwEF1PejBYtwmtTP}PT47ps1?Y0+73auO zGNqsgxpK$D+WV|FL1Equ67;s3d;o*^hnc(jMf}>D@U?j8uA{jE&ED|*KOE& zCu;vtG}rB}lv7anCec0RACS8q%*L%ft6j=?dd5dGR*hXv=1SDD?CdV!`upn_W;g%H zvUi5nrIuF=7gzgsge+^6O-)U7B*uSK74w<(AD!KEy>o7N6(HM+Rj<`8^X71%V(axj zc{M9xr+Qq#e#N8*o)t1o-6w|Jg?>ahi@ruc5YZ{ZQ}Qhfjw}93bu>bHG+L3_JN$OI z=9S?`-nb1q%&7CnXr#v8pjX=@6ObopbcHL>>sUmFonPKvV2oXHb&nd;M|;>O0vQr) zX3Rkikc6nbriEqx3)c+pq>zs6YwF{wA{06gd*r+luRi3%C7tqqG+hh*#+)PBDHTk| z+&HfOYNq$CoCP=#^I*!MW5pjV_b|f+=)^VKzY{ zD$iXxbp~j}p+7xG=Sf-CJ;>~y?$>>GJ{kM!D+^5?V6oASoSUO)qETvaVRrV#vl6Hq z3e2)NSKO`;AYd`+@K!E!X|wnF#-X!Vr8aWatv<0g0#Jb^KfW8Q1X1@s9Ro~kpN)HN z%~h86*vQnfjzPJ(11r-e#Rx?^#eU|(x&ew&tD&N%NpyemY7;Ogb833*D1jv z@3_=f+mG$yoa&(SVn_N*E9Vx6zho0^8}YT({h%qC>?ZUqCc|!S@wx6YT~c+>O}E@; z#^7MuV>`F(D@3W9SkLjh2>Y*A#3o1x;@p!n*?(^2kj4x-9MX4kPJm9XY4=?R^2c{H z`(jzLUJIxjT2Q^sL(xUkRk^PhW(DRP-HyTmZNcwIAd3umotA)jf{w#u=7;fbZoTY8`qS2s-@-I3*`*c!cxbVb9Av@w&oF%kg zx=uwjJa4@;o{r$Rq5m|S2fKEX$21vhb1kcgYlE%%YQLz>2B*0cpeA zLD{%*?>SH(t9G@%4Xz3*I(r+&>h^w*ooSng@GvGW!PEq6*l>ZP2Qy|& zZge?I42S@DIU_mdB!ySI5wCe45yFQ6-c?NXBZjlRFJ2(*O3K<*#YQM&)WyXLJmA`| zmgR?9Xq!D7pkpkdOV!M~1)c(k*}b2h!@IHu@2E z$RNDT+>8hw7N{VNNc&cD$&HGzb z>uW5Xl8+W3n-!a8M7~S1(C01J_kk_-anR|Y!|Nv$N5YHgDu+miPWI26D4!`KPQlB$uDXDgv_x{+A^qN66>4IV=jq&$mEMcs2xsSfgy!~kXcVW?| zuLU%1mis?AzM5;#cG^H(&PdQV6KPsyPO)$kHrCCJ~6?@?uec5BN zoD5~&?OyYGHRSrH#J&Y-q=NE8YK&Xk~MjCCsH(!DJ zCc!pIC8%Kw5u*(CYyvDs^w`>}deKT+bJj&?XR2QYX0}M|mJ}$c*or@Pk z`IA}ujW|i?Jljg?34lkKj|!uD0dmM@!1}b4EPInBx@7^vyNb7{k%s0!z1!P8TuzLd zF8yCF8i1ia4Ph}v%YB1!2yY0XR!gz&YV2r*7jD8}(Aw3yywEWqP{_H8+k;3}{wO4W 
z!oGoOizgw!H3UDuRoT{-}=rlROsu`CL?O$)W?1l zAC6D2$79S|4i!`HV&`jmkaQr28~rS^bW6TmP485eRJ*9QyVOpN%SrQTa24xhY2|gE zMs;o{WJ%LD!bs`2*NPth9y@c1X8;NJAp?!O=iMYAwQUY=oDOq%lnl*kJAWt)&+g1| zH`E!LkZAkO$u$%GjDHG98LI!rsl#ENQzPDd^PiOpvUszgeebrvwsX`XD496pySikkT1mWJp#fX%@X96mV7d?$LrRv2EA)P_oVclfhp2xt18sC8K zOulF&$uTt)c4p8GfBznscA36`66zy-<-yGiVQ>Y&5_q*~hvAOBWvcU__qyFDgO?NZ zDd&pf>0v=G{naKAha5(Ys$%TQRzQTbURwNN@7)Mw967VMY8w9R?TzCW#2Cz}`um!l z_>3~>@+A?C>n~EJ?ChqTJMzG%o5LLCIaIa#hkIkht>KfJkK+1F(C0LX541n$*JJ}|8C*0yKXQpMx>n7tTk!$~Obu2B!nx~_PE@DBw z_)>USvOYlJwC|ab{BzX@sV_uh7>>&6JtjocVjnRndbV?!4YxD(EE{GjohJExzH?#F zMRZ+G83%h0iOo6_9qkt7J$yB}-z4gj4Fi-Sp1iw;2K z7Y<-FrLTpHmTJh5j6!y1%JN01}^Ee&)mF^M`p3|sz0h+M%Lkr z!lKuz#aDr;=aB0I^6>2GENL!|7Vos}6?bm-OY%G9w4b!i`tG*cZYg=2jTY0Nxm>#> zOV5@mJ;{U*AXa+-dOZpYz> zw`h5oWyMJE7G+Vhk*|rr+JS%Q`W|r|8jYqo=E0KHz>EX@=2s;m=Yaa6CI1})rZIcA z8V5b3g-+bBQQ?Jl7JSArAF@FQRK0<3i=`=i-T>k4*g7zbqk*B>f(w(H!cGVP%Rwu&Ig>Q~ z?SUR$l`OjwonejY?^&p@iZ#S%T80#n$TO`Wl)FECnYDFQpKPa!$(w7-8cswCSIRFg zjyHb(8jXlvFp%B^I*@DN?EzV7Q`MhF%v#-iM7|vNT^ey1VKd50Nh!G=A5R^gW4Lk4 z?kXBv`neuDlFwMzec->0OBt-7?N=u_ww)(0OsM$DxQA~8=PRF zH>!Vj98I|xdL_QT8<~Wn;;Y(6yR5sfxG8UMkhWAT-KTs9h!Y3GFFEMTR;U-Wj^kh0 zXnf|#`sS!&_skKT)h)Ld6PJTg4i z%QNY3z5GQof0$O%YHeY09Mbh%o_S03R1an#X^s?`s)RpevPJ&2_YnMSQKoyKgXQ0W z@-rJ&7dg$ctVq{|gmyq{^zz{w=WOcCzOD|90K@BYG_G+sobu}B=ocB|2+!>FAu8tD zfm46o2nUH@3T9>H%w>4Z+9I_kA(8zR z9D&DcCm|vX2R5xVM*#6^SNACW|M>dKu&SE3UqU)W8fg%f?vgH1knZj-Dd|Q!L}{c2 z>F$;mHl=h6(%m3+W`oZ^-uImI*=x&Mvu5tO;}_!6;rjGVmr-4(QC~B>nOqRuLw_BKTka((8cKa*0GI1ni4vYclQMFFyTt$O`8C4ri((Agp_d zT|mW~DK&fw#(g4ZBy$+Ko|Uk~HN2Ll)wc0rm!;01pLU0%%EJPF9E}gUXZ1)FTw%KT z^HyS~N|qm?_SGNzg}R10MNEMZN-~RdZQa8LYS0d%VON0%!Unm?{E--%|HZeI(1Ja; zhOJzcLa!_#@}&b1CZMFgZYS)-?Rq$8((8C5y zTeWc^>7^`>m1(_0l{RP9RWtXkZZ=i6I;W&y-VtMh0jD8lagHthW{wSg*f zR#ILlU~A#Xq~-=?_>M;;_81l&w6+cqRTGw zNvg0Cn2^ZwUmJWcGGqsyTq7Aq16*06B2-5SNPJgeT^KR%pTS1km?BP8IP7UUMlJ6( zZ=D6*IK^H$j9xj6-5g$R9Mwx3aBn%@w4Zqq$t9k1^y+677&zZnS7-x?9RMW3Q3{%q 
z2G_6V{n^!$_A?Iv7x4F#xRtP?f;pK7l~>k!C)e?S?gk*y7U=`G@wQz{&W*FA&OFta zyX)_gPot*b!3xC#0ZVCbHCrLeo-p(intJNyNEtLM$ByUEz8s$Es+H#BL1a80=p2=` z>3J}U63QdDIy7MgW>a!lS@2HGa!>nw`Sh+FGT?x08^SryS4u41z6bt zCt5q|PF-@b26HnP7i!}XwLDy|efHoJeb;gv(qQd;ATKqbKy%REX-bR9>^`rxm!)Jm zBj-B|Kb9j@LyOLOV*lD_?e(b9*QZ=nuQ05!px~v&=O`VdV6Tcl{RasEz)JvYbVb_; zrJS98FpE@N7%8NAroVV%Gm@dYFLBW!gad@3@`QPyY->PUHflPXvE{pQu;b*Qi|aMv zyHrbX&yg+tk*ptesk0}IQ)^w;v1>nFeX}=Y3-ei__Ub2^7d4dG)t}gEC~^vvx4!5L z*4~3l0PCP?oC;7o`qL}4aOfaEP<2cux?WuZIRK@{6CkYDusfKa$^iO(D4>k91s_GN z!8+d5WY=}7Jds+Fn>fC*(K@=;-noRSpy_;J8`4P|VX5%hxDf^~G3V2j?)=7VXHdMw z=JIFgq}!{C(Dj)?yx)@4a5dPXD7oS|=*qy5>ED`AV9t}_$S~=ArxT_r&t9x_7^qQg z^)yr05<7XcIEelQ$M`hoj1nxJzQNy9V*l;1ACvD!Ag|?JynVd#tYg0>S5=`|$2j%7 zs}{-k%`L~@YcFA(`gAhprv~j{J<^9T7`69G^_z$GBzB5pjfvgUYy)88dyW7C5vgd( zL=AP`inoZ3b1KO3G2BUEet)mScUfp@oZm{SyZrxvIg8)xn*rG1xy}koWw*dI%@yKX zaj-w$6#Ya4-mH809jnJV^l$n33;=-&(a&2Qzm_9i!ESZqv!yEFBxS^;Ftf%I&>Vgd2< zN5m>Sb1_lveb&1=-gA_2*dM_0^X@G(0Jk41y8c<)G{H}UZa@h`N9B}2rWPc{pK5v4 z=rYp5KmV~Hib~@mb^2^=-e%xJ#+f22$tj~`T~{SR8#v_wrw;l~?S^k2MWR>H5vXmF_h0K!ouKCF@;y6>qJB(B#edV0$>f_FYMA@M6$qe(y=z)nV%1&AU!l9mosOMk~hW)y- z4CUyZnsqfrq{b4#R!aWR?K^||BcB_TQj~Y}qIn>f_5$kAP|}t(O5Dz{fE2~je+C8K zVIkkqhPcI+)w-to+kObBe)+N%kyEo&-@#eE(_Hj{sZAu9LK?H$Y1*mVROSxx5ezq+p*{GG z>UfSR(1U+M?g{})rP}~w2oN-YM~}zz$$gm-iWinC2#>J^%7^((HcEbNfY;mqxg4+O ztaA>-Bu7kT$+xE35w<^Hy6qvKO|N_uvAgK^k}t2-PA6^}nz1}fbi%uq4rkL&l!vzl zll6E@XVSylcTR6kTkEfnZW^yow&-C7O8Uk&YCBFDYO?zy3t`}040v}->hN_jJU8>_%}A3p2F3k+OmWn112AQv5==FsM+Q<={Ri8 z8gAIbnvKho-f`@Z7$C~%$Dn)_QZDqp7qR7{A5~#}LB~?{J@zT}=j#5=hvmqXs39-7 z)mq%?f0GBZ^!rR-8X7lqleg?A8J){PJ0pP_H{q#7l20LrUZZsjhs{t)!3X|uEwgfm zwn2YN6LDzUTxKK$hvQt(ju~#h|MaA--kH%$@Nf}h^@wq+x{x11SUpjb5)7~IgQ;!A z?O*VQ1XaJjxQ;+Zzy{tm(i-x`u?I(stYQR__4RDt-|C5>0-~q<9PkGU<^9wQb! 
zayTB}Fm;@h>B-VRa4<&i1;V)(ujEwslDBkC$S^sbK9v6tdGxitsVNqgVcw?eJFY$d zfPIlnRI5oiJn2@TFbq*owPh;?UlfX@$`^Cq7xmd@YAq$F7jgc7GJU;+w;1xU6H*K~ z?HVz9J~=)-*U=jHFI@61Tw-)PW_Ry`;#P>7yOpP&K@@2|&Ahxj{dceQpt4}>m3TB$ zbf!%s*ZL8#iGe?8uMGI`K^_&@Y;{h)Cg0*3AC>z`%}0+WC-_s6JEeu=HzVXQC)$q- zT$>pZu}7J3EqB~*qo9`1nYe6YQ~3VV>9W15)V}A{Dca^EaYJ4%!$U#ICJc3rs`Ezn z;Vv^}w-Jf&(Yzebt(X<#w6ywX)}p+zZ;I8(>Z;x6sS{hT(3EK{N&{#pRMkU##<8L3 zOCQyFyllWUM}xl`2xx%|(zGcN!L<3sHeQ755vh|`9vYcjQ!qQSn4T9}@I$ihu5bc{ zdT!oP)n^!3w$96O^3?O;Y#T0~ zHXTpj#!>(m)kh1E8~o-=LBH*7>ndwkH2mu(m>~g97&-n6p5403cb-DGNV9XNOihBn zWwaf4IHhK|b;$~ZzY+vD`LbqrQ!Anb`yx|KtYcRgELs;|Z&vbTvj1(TxWY-nT}bT|Jb7f@BNK=dem< zUb((C9-4FE&NJg}08G`W$IMaR!n+E&MUA6ZYnKc6dD(Nx*IQlZ1ZWAFg~#oL>lD!Z z<_8BJvOYLzaLjdUN`5lI){|a}5E&b1`sJC>i0m25-w2v$w>6X-+P}PC>|(F;B&;`C zWk@3?Qy;ylX~n$OVP7V*#Pa{q^;-u>`2#hVBA~=e+peF8<8CL2?id>cOj_=uvz}_k zk5iy%rSK_;@Ze?!wXNZ+4)N?eGb;r7Q0nl9g0mQ(gf8AFw4Y2a2o%pyGBDtFg%K!O zI*|%Epr_nuMw_K?0}XR>)lKKn!mdc}<;Jdstggt~j4noQ+S{kywxeGjmE`N7&D_pL zO)PlJT$}|tCok5vas$Q^;od}gg3PqiN0> zpymy_+AHOOP1&yib5kl*vpixOZLrZtGuhxq@2!4L{Zu9;!&nF<@Azk5S0e8Y+OgN^ z>&}F*9;N6rrHrwqy@Wh}jmDe#_kKf7d6V|qIxn2W_F9_D%+7?6AEJr1-gq7CrTL6h zF9%HiIWwIdT{OL_ctKZ-;{S zM?A=vBY&0B%9mV3GM2yVrxTZubgRYk90ey!Qq-|^#Um4Xc3BWS>(hVFpAmeot02RN>K*)DI_TRReYc9mjFDohyWoV)GrIf@7aX@H}e<0+!2Rp~edz01$Yl zJij7uV;T2kr$n|a!-(`k1m9pBZx7YB#OX3|e-aBcfSMuDuRE!XV z{TqaVzyc%=)~R?Fi7bV$LQ!q*`mqb2LA9Dl}e8Z!C`jZkFFkEvhWah!Ufu1C<^_+IwJ zk3FAz{vX+sjXT+sA6$6I+R)(0T{92aRz`hG)fEIXD&Y0RI~Nq|gvM4mMt&O}UXvk; zlHti9Uz3Pn5(eKz#ecLqO7mP;+LvpE?u&3U+$U{awUb!{QKFcHrxk;mPc&oEIVu5v z2^uan{x9KDN(!!%nswx+w;m!7ql=ok5t!v$%OZX9B4_Xd5Ez!SfM-q{F~ae@++kuS zx59^3In8(&t+pI=;!dBhW}+7dKj{F!ewHu@KD$0 z+L=@qXbZ|HYOVjj4jtcO#@zy*dk4a*nRm#xG?`pugEX`4R0bT?^8u-e<>!B98J{Cy% zn-*RVqv}MaB|uJ5DvhHsy|UpBq0KHk>vauXga@P3?>d8adTe;o>7rlIWM>E$1;q`x zd?};AgZ5v)xVixTCfdEzP&2$V(7|pC`#Ms2fNx5)qee0F41)T5-N9D5jR%@f@SB=z z7nx6$2*=}1I{yfod*&zbRhzBI^Z5rDbxvum4}=e*(zL4pH_`EjAi*Ei`mscukt zxq2(WNCVk0*wS|ixkH!IJ3Hh`PjX67X+gD2gemUKyynp14O9}%Ftc7Y!)Wy|O}}NB 
z(w*oJ@!y3@ilapwWik>OV8d5tvLK7(KZ%7VBtJQgUU>i}M#cT&K+`+?aUd5+pH|@k zN+ysnL;D}M$dwVw2{rk`i(qB&>dG;?lTz!^5v)TSSy9X4KAYZpu+9ZVY-geM_DH}V zjNpefK3Wyr9+HT;)UUgf^H2x;YQ?~BEYFVTJqcHzV@PKL_9UkfA_bX%$22)FAco-@ za75xjkH*$0ht&BX;E60)48-IKQvk~@?~gs`@D|Q*nZDgS2jgy~0frF^;cDP~%EJzl z90OXY*XL5MJSa!+{+~dNmWO!YX#YLc`zzibUD(kB@j7@P{8c|MvIj410BR1PS5pg& z@dQa+ubuVx_4R+hT6^*UvLu1PuaKcGZZDTiZ=)in7R`v{jRd}JG^^Pwgb1jLE3%3O zaMDo&?RIduRGAIpYgo$ew9aR~puS1R1U^N>8L(wGDX*W2)aDEC(}H#LWL=BM_q}WF zf&w)sobYWtp_tI3)^7sx?1}OYRLX5%|JK^+LD2yUuuvCK(B1P=a5Dml1o4=| z<^J6n0H2wkuBh2tV1HN)I6bv-FM$8vA3^x5?8R-fqnZ9Zf6Z6HQ_e+O0o=oJ;5D=2 z?(zB;NRV+2GH~u?ualUJof7YewqToPqP-~w>sc+8RGA9Ch+~0p=@{MOBZvc`fIZxE zHKtpvUAE|wM$Gl;xSjlHFN`{^hwm9QOULu4xkY?ysUfKQFploZZ4`f_jfh{C2Hhex zh>2i_SB;{Q0|v@}e{KElaOk5*0I~g*Yixkk*5y0>0{5-Rm-*~dQ;GpgDaXIO*veHw zd*Z#{eH;coTzObI;2(CPTt0gms4;KVlcr3O2v!Mob=`4SnWFXXb0{`3gO30Ed)vzS zyC2al@`2~^yt88SyYmnGzide@Lh!S@a1Y$g>X$_9@_gr^bCcrdI|_b_@=&#-Mk2(X zhF=Wu|7;wvV{2Ic^-~Um} zn9TtcLxFP~6}po@OMe+BaB4`b;&_7qr};PP`szx3*7m)(HRw_VZQ6g59?*3J%9$#@ z!(&Qa4l_9a--iW1!uOp3nbO^l@_hHeqa3D=lZ2u^0EP!03}o!+U&g-GKlp2SPy`K0 z26yBzkNzAOcHQ4$NX?mW?m+)Pr#7of62V^#nm6p35|V5MRiZ<$Pw@WgfR*tdl@-+H z3w#4qRq%wDao|d6ez*M^!CwQ!X#FU`HCcqidpm)yOVAno@BMYRx=vZh2z9c}dQ|`3 zC&L~>-;IL4H6`<$3EvqVNQXJU0fq#G=#HX$1HlGSKgw`XS(YWjScXx6S;#m@FARSC zV8KH+|C^G+yVKe`!2Y$)l1^fg)*`&`Re_c=4Boyntf-nCUcZgp|NmjN2=4?6x9@(G z5z=|6{0|lYt_AA(?xN}VgbwS~T_}LCd{9MN!;ZM$IOR~s!1s6lEYS9tu1QmoHcCiO zoLZr(udB9Od9%)=O`{2e9Zd>al)4rC#e%}$?qUxzxWVX@P+2w<^<4OV-PZ#$>;WSz zFWAslBfb#zY9h=ogCNUU<-HrKW3brxy5U()q21qBk2h>a_u;SU+8)yX%!;5sdV!QYsd-9Bll3@>oM^7+2EZCf6fJ0WTl)`1O#n|9Y@q5sQjWh7MdqSqvZS_tC#^c(uOi z^#G-^X(CD>Uzi1KKs?9@)VT1kx~;1o$Qu7iCuH(`v%6y&ljWX%#@2}!hAp8_f8fW` z|BTHMiw^7U->>xowM5bcL>uaV#fFA`4UsSIc=l&)+iOyG+B& z7pb#)p8pE2`xQj&M65>m!f_S-h4W_MSfN@+Dmem%EAT!;f6RgGakeXQu+)WjJMXb4 zFn9gax#GoRrD|Dc66OzYz$8tPgO>mrq3^TRJ;R=uJl{umYeH0B!e8?`ai!cicQXTI zn#!NPR+7gXZVjBYev2?>sBtXPY{acxkg;&Z3-)ww-~)j0ZI%O%rp(~+!6Q8)oJ z-RaHco)ChQ#LJgd?CdzpJ<&bD)h?&%8kjRt>MJEM=?vF9n(?162BhV`)GE`5 
zRV~pDMZtO61}fe61iJE9pLy)Fegbp(X<=hsul;XGz#mVQVg}gU#T|53zx^d@61CuY zBty1h!$r)1kM;+E+NdR?o@?kC4g#knaR&!BCcTyjV50YEXS!N!Z@w9CVYhA>lR>9J z`M_#@IMaNr0ME951;5MI)3XTp){({%(cg z6B67(Rkm48mq&9ahuEC&`xqhjO_D#RSdDh33;$w7})QSojM)du5;;6`%B^cDdnu zxcWfS7!+sVskI#XEUgVV;1&87lpFQXT_Y@F_aGoFx`V}xTYD&QEDwtJ)9oqL*cV=Z zI36@%m-YRU1b_VPawIoh3(D}5DDp5?l8GL2pNMS9=%wqk1+|;kBucnbmcZVw9Xwl+ zxzhmW#3C@!Qqxy{`7&rJ+Si^c+Y0yc|oIB=bxDlg;jTWuO%uP8qkLC zWqILwUZ%)Q$I7bkJr#|gR~=)q&^HV*8&#HLbP>edgGBPbvaNu= zn;D#bD5S_{riPZKfFcoq9|HwqrZ{b;Ihqc-iR*6uY^AZMFl;e*8 zcejy3HRc?q*kx?}*Tw{)%kI=KBZNDGFygY^vv{t6!(trdiNZpG@%N8XH6QalXxI{N zfO%hzd_x@xkjtlNzB=re8vnSAous7nRaS)}`gsY{AJh<<3{|Kv;0at+P2gJ0Wxp21k zx#iLTaJK#Lbf_1(^3T~`X&WtUILX9>o)3oo@mokDtLy2M8J>Aue0-3@N*}Fr`2&6I zB)P1?*xqSu{XRUZ`t~AV3i>OYxkY|gTfN*+!UQ?S{$yOsj+RJXK|w)EHL>>t_6I4F z4jiK}A3mR(Cb$62D)Y>UTI(q`1k=!>XE8b_z><%CN6nhoT+S#2uufvSo?cF%(VnR%fs9qT$-+m|H#Z!$#RDFLk2pBEX zgGjoR4DAD{{5=7{4;7q%`(7Uo-J%F$B#N12!gUVJM4VjgGss~mgd`C4!RNmjeH~3Z z3PRF-Ma2Nx82`@beG4K8M3L(KUxEq=2}C3}3j7pBkWwh$mq-rw3b2lUlXKMncrTDv z7PLukdVC10e?yx2b61df7gWXec~a~g1+#BZi`N6+A%scbp7n(kIB&+SwCw>D=sD{udOk=Z?kBF)S>h?mZ7z2y z#f5D(9ve2a7-oT>fI(>xuT+QPb7)E-V>+Iv(!px6OenT?AinIqKGx|XF@ll$<^wS^ z{v$Nd(qM-BcfV$_|N052V36s99Fd*=?v&;K2r)QxA7USbNE&8c$2dMRO=5}ncG5tD zC?e=w^Kd5tNAi!nFODNodqFxI-&CGyrrbt;|9D1oE5x6m`P_YxK+1#a3Rl@K)}fI9 zTLt+cN{?TqM~umUBFzK#O6BjyVJ|iH<7uBh&;Jyt@ewh|Rsr_=9j+!Z^Ed2Q59JKx z`zLe#beEX^YX)fC1PtTOMt6OgCWHc8qpmSiF!J=uDOdLr!zK9E@MsYYRAaD{azz9a zyNJ=wpS%my5R6F*koWUd`dbChV*d*C|Lf`=&;Rcf2-<3U@fb&78Uako?uRB6 zmG_&k2(`5p~YyM5!xAU14CH)g&G`{>Ga?ItuF>z zG}nDt{+8S?fY;hTCHH?E?B4p9#bkc3i3Q*BW#Wg{QVBNTdQWn;wsD<}ZTSC8kTclv zivt)FZTz%`A_P+lzml{+MCQN_1&%T6^FzG-NU$<3BT2x}Hb}UYs_tPjccuF%Ggp;3!qt5}Bs8wm0`%hk zqsRnh$n3YGyK|A~iQ|5j7X65rDE#Bd0djTV()P+v1lb0s@`~On(7}X3$r>8t3{Gio1eWnFh}qL}9B=fAt=C&K9=@!;eeftV=A!$;d(Gv1^NfhcdE6`Hxlw8gNlqbDR%!j2lRK8VRB~ws*$oFX_e*by6rzF3pwgd9+dA=uZVG83<(>0I!AY_ z&hX46M`}IgY71-8I{a3Y`mAQzM@TT7l~kx>45j)lqGV>gm z?GxSuNUOwW`|kq?t2arnoUMu7xxD*0SPCiDEvu*XtEaH=A7^m|icHuJeRCuf+5;-m 
z8R7iTiZuL+(A9^?-|w_5Om;3nI09pfV5GGX)TLAdX`ad+VO0==euseQaWv}ry+6Z3 z2@iKRs3-rsN#qApnFh4`ck`wYFNbzjCC4<-e)dm22sDOD9P8n0%D- zZ=H4O8wkg2vwn=*7vI`(b{Dyk|7;v^HZ@Fr!y6^=^&KsdCVP#nD%)r$;S%-`^Ow{P z-*{#bW79cD8IK&omVLdpMpe$;w%t!YV#e|`@dcU30txPzLks*5PUyLuwr(@gfN=#4 zv#@cDb8`z4SbVrpw`p0m#wlB(g%Vc z$3mTFq74Ttd;s1W1MB*uBy0-acs5^5vk!d5nT_wsBvYHI^Hw@d4TESQw-OoUSV}v# zhIU&0`tQ*B%h#YILd(J-hH&-eu3k=$*PS=`Uri0_D59`zZ)Wdw?vw(>?{uzZH`!%v zS+jHdz3;``R`uk`M>6t^f?k`QWv)%=l$WiQ^0*(cq$S<*tO}i?Nxkec*!m@NuD>#K zzU{~Sh*(ARVowHXf}Uk7rM0Cq?GxWY-;N!1C$>Lxt&E!fu=|- zdD1*_A9_#0N_!NGxS9vf02!|yL0xw2{u>>CtNt;G=EIYb?E;{(TN8z&i-%ZAW-}?B zw3T^;G_p1m%#uAb!ISQe>DA&zsONMm`<+XxV$FkL_5kDQ+^t*Y4MBX;3f6V@*j^&0 z>AO)z=U7t5I5Y3lK!H@oL>L~+4FeCasYKSWn?)7V5 z*C$WGaAD#(H)ka(oYE5Euf*y-YK_tEh8;%qn*&}Q{c%a)YqcT$b$?KRoc5F~Z4Sl8 za;|VR{BiBBSYU8qw%rkIpB2?lsR(-g@iqy$U;7ug@(e$2x~ON8-}jb1f3w4;<)=~E zFeG^~8P;dDbTJ`-PwxwvV-@Q$R%B;hE;aJezbs!k=x>!C&T~+rQ7X!V6z!4gMNRf% zhY{J&9-b!K$TPOQfL=T;UQYRkdsIqW#U`bTg~9mvn?4!e7-B*>cf-@)K4r&T`}h-= zkuHuYiZYsm?N`co7p7Z}bN+7cBgr&a4Pf~8$MMMpUKtqxRHO?Ao~$o4@X!mZs)zSH znm;zs*}j+oE#X$`wu5|MZIC6@cLumj94ssW-QQe+`mLn1E2CJ!)V^5$kreRliq26=0-R~^!q z6aZuEGS)y4C$0LeOi#CaJD7mh>jA`ppBZv1?58oc#FN?EIqf-&QckjTYO9CDtvygw z)GjD9f8mK1m0Az7J09}-&!JJM#EV=RAou$PES+J2&e$Le}V{8Jg zbI5SQ$g;Y!un&m-+8p49^zqBDeg$;@^ZjS;gj<_|c?1`peXCzg+B-thPU!@)ihMr$7q#_F+s$r;AbO+6yv}h%&&^?9a_E98< zj&x2n&CkW@NuSq2!#P@rEy@6otL=_n)gA?i&S)t)ab`gX}ui z-~kpS(Lye9;|T>}*D3=eLL2qF0mx%g*6FWs-FG><$u_EzMJiD2m$ywm_-8bwjOTj> z_Glx!!CJ!{xYH10x|~)x8#PQ!we*g3>mMHh zce`ruOV+E36`{}4gAdC|j@IW|m~87Bsuz&@jY3KN zA3@Pa1Iq#LmgAN^)pTu2EJ|lh_Pz=T{q`8pfj!ri`9u4Dq`Cg|^K__Clx;vSDo#Q# z;*9+jbCcH@(tM&3c_b=sc!)$fasr<>5PdemBn^r@J5h|n!H*5iv7gM?^_DvlXPEl% zdlZbQ@)E>`<>uYj<-QDTYOU*_p5W7N|9KZ;p5PIz)4W4$A$Qk>e@w(UoeS4}SKgUi z(J8UQ8N{Q;yqOgT1C-F5j4e9cVJC>ZWa5d!zC_L+A)&O#^BYE1m)i?IS={RtEF=W41+bj+y^Dq`paZRc)Q8%<>SGrCzOuMO(9cf4%@z`NP}fg0}zW|0$3 zM04P$O=Fy#MTGdqmu>)Qy|$X0yf93zZ&b 
zZv@7A+XZ3v8$;8@Qx>P^Y;2X~hi4t?H!}v>QjY1cBVWaIwDkfwD@PGyS)_{xadtoSv5TubqlWTBz%bCaz$l2Uy~urKiyG3Q_0dd|y?psR9aMvi4|STqBUR3- z6UbW)=t-7a_ltb_vKp)jK%8a?YhyeFuUp!xv8*@srP}fq|4( z{o2M1VcOWK>oaH_w`YP#h?jsP!R3>lS zcJdU|*~~v=4KM~EE$_xqhmVH-zaM}39%%rmSadK@ofyX;2;_&7%74N>atC>)<}t(BP-Fb`QK|`rX!4Qvb%E7joC(pCv3}ygXN)?x?dhSKUU|hrQ=3^M9!(c3rg5EQ|v3~YmI7)-mM9k&t6B@yCJ|A=X7mhZuB z-F-yy%Yj$weQBB!*XY`Wr!a+-19_N3_pm zpHDYCowGl9D zJ5PTfsM+wrmWk&o8>>HI%GD8Wy%0Eh61$@%hZ`TgFd!6AHQ>>qvBM_uyG zqhnIHL<526b_b^)2 zct-7!<{Fc6Nun&}Gy*o8#iT7atr}GC?1fJ<^Y(HI5PN&PU=Q z+5T{%k(NRVep)4J2B+RPYmy}Ou7uIt?sRhLXclV+qfKP%Gu9NEV|DNzLstPY^g)KR zUOy=+01^Y$dq};QOWlSm@cpXLCK1mb+Yb9LZ|TOMszp77sOtlyZf^4rLnsKA)mFiS zKfhAvD(8EaHWnt(L|sa}yF{imv7+;0!*2~Q62f;C_&%J>O6w?@qdsv<&&x145}tM7*1djw#T2siado4y}NSTOUff6RlA2LtkV zRakDd8xQII4!snB{kezV%R57cBm3Dpiu}UU0O5%b48QW6Ip6IBCywlF@mDI$3|1@E za1!q^_=x2voNVsc71o^nkqa2E98r>bnza1F=|%`$gAHq^bSDsLODHTh0++vb5e2<* z%ZsMc`nud{la%io{mmIk;N#A)y(OTtKoWdexUO*6nGWc^1@cPpRUtQ! zA@lduT9OU6_(|q>^1FpUSG3gDueXHU&3c}k6u=ZqF4u%i2ip4{QNOi3vt1h<#rJk` zT0A52DMF1Rf+h)A;U!^i0|3Z8e!0p>=#}k=0HyS?2UM|e^xbDH-lTaP4 z@JVSc2u**Iv-*nwKX0TnLYN_T?#eIc1|;o$e!VHvvIc_p4}|Vwceq3 zmIp1Ve@C*GRBbZyj5=#TAHg_hz*U>}rex1VM0|!4xzLBa;>=F?&u2e3NH8#7ca|(2 zad{O`R6JLOz?jldspOdm;jj<{uvqs2ok>hcCkya`g{(C7_M# zc+hyZ4j1VgY2)@Li>T=8`!$8nOlP3*lc_)XeYurTTf7)?EOX8hX82GwVPIa_bCuJV z#gF~?Eaw6c@rY@SPE*gGze}4f@#X4KDTGuf4qLoT%Mnd9NdSYtOSuoiff|xNx1@T` zyG6#X=SOtNri_|Z$N)B>3=_-q?zz6|+3p;edY>{V^sJy(W@TqnMlqtY&_vq*4kpgeiz3dn{W28Kbv!*_etTli}KiOCI~=!7&KriCQ|dD({dyWLA6NTufn8% z3CvyFKGI0SDC*vFm>CmQ`-Eg7#Rxpmh$!P0)ArkY0e`^7b#i;@|Vk-g;wyji<_->)NZVVz+_( z!>3xW3sntF8{hTTWihF|QYWMeBanQv@#DG0VmbfBb9^Vr+r>7&JdMhyX>O}TIU8WC zd$1fWv~)BiG*k(rZJ-KZBp+jFN}yPpu>zIz?aCn_hxaClP3m;ic|vEc%Kp!>h4p+B zQ7WHHcb-Bvt~w2cx=2lf^H$L1UMu;SLx$g&rNo;z=v=n5iAbj3Jt6WWN_2hLZZV3+je75^?xgC;=;xxR{vCh-Vd5U=v~96gzi|s34<1ik_UL=39}K)$e6HLEW>E3{ zn#f-U;-=zxz^X_6Vxw{`FP%RDsnAc8E z^qI#iZG&-t1T=tKB7e?V&`FBf#VTgsBMKV{$`I$R@%LpeCu3^#Noq@VOO-={;U`-Y 
zV#ZoDG&Hogy0{Q*NqnoZf*cYr>){MP#SRe0Zv0_v+S6bR(r`=9su$NVN!o%rEnyIF zky{Hi*k`#-Q2XkI8G?Pj-l#{dlLu3DuAG0NDWS>&ovT1eYR8oaIj@@Pjxq!j5HiOe zQ(p}dJW_n|D2ZNBWHqRX$W5}Jqif8odz1b1H&t+LyYHo6cy%u#2p=ggqTZEpUtE2y*3b)a2LABXE@fLG@|VuxiE+u5xgDE_|fg zlGZu16E8h6L<9+wkTIR^QVrjioXeW9NQAML`j%&r!)X=Os%3qJheCrG;R(x8=Po^(24v3iBUOEUL-$7r9_+869ggG&HS(X zBa-C5VkF5FIQ8_nlV`IKZnRnjhssovxw@{wRSV(V-9t}wFy|ih`on^4*nW77k?#pl z)#!;V?SwKp2u50lH+)-e{5|{61D`0vQ*HOGu}ut#ul9w)IP49ZRZqRm_@R?G;aJzR zdOacn+D``YLRr16`M%!w{e{|O4t0Q!r$|F-*aQI6Z?PL$h+yS7LV8L-4F`0dG{2I$ z;qXVoBbW~C%#->IBxOI49qn=FV`q2uC+uWbsi-JWbD^VPD}N!A8dkw{(t-MEZEwQ% zWp!eNr%Y!mVn?!oe_4Y|hhkQfEb7dMW*?l28t=&M=8I_Yv^U?ye|yd`*CsGSMIsM0Aj8ThfhzXAZY!abiD~ePcelDDv1>)BOf!e z9w5^$&yk*J_f+Zflo-3$H+l=jgszg?3cqswGE%W&sCRn(q;+T=+w^fJT)|y`NwHZy z!n*gNkIm-hb^k{$yTh}1ucOQ}Pm3X>e_P0LSqd}{xU;i9 z#HE$I`uXdV-0<*Gm$f05NCI?cLOa)z6wry+uIb_DvqJc=UW@Kc+=q z(`;r>g)2Q#ZqQFKUXTN&k3~E-DF)X49#`)J_cK0X^U#&m5g-cKU7O1_gW>jOwV|{y z8YIhmo*oOCh5lq)16}Ub+pzuP@#4JEvdpurGBbJF{Vm^BbKSws30^xs2b2kcOCl+q znb}frSGGDJM!H8H01nhA^9n}1;gY-I-Kol#00i%IE1Z~r!U~x31Eb%V*2sA2ZMde_ zcIQpUf}1P)f{81u=LNdUBT+hj!azg$_6lctbHXL)xVqBp5h?i)mJ+NAD#^J8-5@h* zfK}gQc;)4v7mmDW!OOP7M3#0X38=xer(Ap%U5a579 zm;+62mF^8@cp5kmNEX z3>m08P%nM_65w%%2P`WMycAIjs<*9XH_6kKI z+aY?NOaJ%08v1F5pqh-H{XOr3XxMl=cZx_LQvPd6k?FxOn%^8Oc!7uF$~E0Re*~QY z;iGp_=$zw%SY<(Z2r?(Wxrvs|q{BJ3p(Pi$%81KENPkQE@3W*fcVLG54|jlWCAhVQ zW&M901qd*jmmEqvl^mqu1J5Asr}0Aj7x%G$j;q8TqekV23*hw0_A!-x2HB zJBY@&tkOm|AQ*Uwx_G67H_3H?Kyqt?lB`M_wZ4xf*7?1+#^C51ZeV-LInIFd3|$Hjh3^s_j1xmvBkM z+^Y9_rFT^GGrcGmK4$Dm2pBWD(?2NUhCom!haC(b zWUDA&Gkz@l#W-upInw^;Z7yu)qsRQmK5Ecs0(oot!R_Nrq;EO*JBL2)eyy0Lr<=Yn zXn_{q{LM%jXw()+7^?yxJGv;h7kYRXT#Cb4B}rb+=%B;sa0T9lyLwJHDx~2&hQ~B< zW=J=naQ(*cYW?)5zCbOx1)S;1asU6J?knS>UfXVIq(K;vRuMs3kWK|bLFtx`0hN&M zQlu0RBnG4rX^@ichM_}3T0*)z&OLzcy`N{l=lz|J=gZ!oWM=;V`@Ujb>spJHBl8zh zDXF*D_)kITLalm6LMG-0PNsvHkL+3ZMo*_@fxuEkfsExb|rA!gB?q_8+elC1nHT+f+t^jD8b&(rZ)JGVj4;`&~gQ9 zQ5eA}JTG}FCH%c_j(*DaT0VO09)EW< 
zAgLM(s9|6yG=Lip5}1DXQ6#To%p7crA^6_)jUc^fbF8OS)*y#JSc&#rM-!N?cE?vE@xp)1j z-$K2M`W1K@F9qwOo$)muXU3YFsYKVQmPTbDec`=#mItBXQii-3qXfz|YB#h z--|hPVdZ3xd)SnM(^BG!jAH**DpJfb@2Vdojc>^d-s@#gW<6COoM&aU?ai5=x0Ek_ zk#XzAFM?O|fW6S|!QkC~=If$x3Y_-CyPeVMK_eP!r-6QjH{s}}>1s8+tXvfM5?||C zCK#z<$zc5ks>RRDq*sU_ZdQ8W&h3#Wt0Ao@c~xAzvyHe(M3e&zKrrw6J@9VFFJM_( z;gER>jd*Dvp+$tkNr5LJnT!MnfS0QZ&q>EBfquj=-J`Q~PY(o>>Q|))_`7FWI6)Mb ze>U$B^mwee&S&|bJ3bv(?u@%GtkABsrg%nZN__FuSZV^!tO{H*rIh+{D62dYx5FMj zI#h7r6}0`~+HIL@!b8gOGC>Qc8OL&ynrj;g!Ew_mp^(=GtJF*}F}RTRC=^grVHLQN z3gAni;{uH|ucc`y;i zASiwJ(8ZlbMgT(zZa{4dYI8Z6i{s2-T-+xu%= zXCq*FwfC9m2(uV6Z&4tSuN{2Pd=(mQdT@>N3>IqhU0iA|qGM)WKb(T@%jh09Jbzed zjeRx$+L*gQ*8JWL^PSPojRJJ|3xS$#86_Mz=gH3#KJdUr1G*B^fl3?Vq z>e2#qXu011;=>!XIfB4uTNv9d1PF&aPyjl#qk2UhTs{<@!kB9i4!{JzOgDG$9p3}n zhUdSXzH#(2H~&|@VahT`m=+JJ%*3SP8d3;*m#}@@M4R02X1Y=or}P4oRfppFGY1oG+{McHTX0TJ&BCYX@6Q8c`@YH-1GG98$jzt{e=znVmbw33 zg^{p@gV|-k(Fj=1*@TyD8GF+!HxKi>Z88!&Y$dnsyS)ejOBLTDW&+YiAyG#jZ&x8%giIV)aZ> zN4W+S9hliRQCc=oT2^?C6uqPa8bgwvk-1GACO#9P_RC9F#!A9J5Zf=N4XH2aOd!@IZ-<2mY4&>I>)<<%3&8P%I zo&eFF&C@P`J|(EwwNx73`*wuYr^&E8aWZJ}g)Exu>L z$BVv?i{9PJ=pALhEwppy8h+qC!g+adA~FFtq$Hi_Y-Fm=wSI; z)jPqp3MDU9L5J0by$O$CuxfR+OL&h83Wp_nvLaU^kOHtGXwVjRr(`br<*TVW^x3o| zPeT-IJg^3c*hrghe23S5$f>Ax{xc1Ywx55({&|_#_t5_{swm}p0t2c>276d|{TJzP z4e!^+X#oP*K-3hcr{WM!LV&;eBBM?|+iSJE?E zzure5Y`uAFAZ?!`0Tr%XUnwE$is$)*Ju;|j3^8#5WOjsTffhC*cL1X%wllOS<|e@@ zWuWzr<4=JW!7F?Q>%p8ppAZ&Q}sL2jT6_eCUm>;*GDy zw*>KwcxbL{eAoe0=pR(N;R7B8hd_05u%*XR7{Z7RH6JU3L`6j{4CN)GWP@|~nTk%x zY8vgE`KS+AJgSAfhM*NRLfOtNgFTKL^zz`%I?gYVGGVoYp#qsn-@@i{2R_k|L9(D z|JJ>D+i5(-Kx08sQ<5Y267yXK9$RdBD+6~OBTQRz}eQbpW#0|F3ynpsUtflK+f*O+q zpZM%`n{YscAhTcHOM^^GO?fq9;kieTNZH9f^{zFkk;UTJlk>zY7GS6Hfmjm(usYGI z*0HP=8Okvc!m(S<+hskS*qCzBbB^w2b6Gp@?SBtNdQG@uLe9H|qSkD{yZSI6>yd86 zr>OAmU3&0>ev-+R4|+&RctiB3VToJ$*ON4DK#t}=Gq`_vI^f5|id`efSyE9=ssE?b zvCfW~jjDtNfi{9cZ*ZN8)|`-oxm-i9j)k>*0CSBn-4~GF1%zyaupec5o_7c#_P@IG zkS_UjDINb=Ph-p1JWaGvs>#y5&Bvg;s1p(u?nlhEMZ*QpjxrYAA?sVvZ?KDkN%_r) 
zXI}4jmi5vh9a^(6JzIKoY%Ns1nR_?4`A^!G=+u{_%<4d#(&?jK7m%cWFN6d2+}?}Q zac-cs^ho^t>U(6ByBcmHklg?1oL3^T9vwNoF0fYlWzT*i>&Z>oCu@qpv0H&}=oiALRMLQNbbANjZWl^XJe&f6-OYUa5#-!KG}pH4heTgU{ieTsGA_lk?67u0fTFz^6nE+nYf1CwS zaa5ip3zw3}tGsK;;#ivZ$A(*XXL;|wA&QfSG@FQgOqDG!kx8`Xt&hoU&}OI0QdWtH z?cbyEH$WAEJ?unv@smX7wq91Gm{m)VX2Kiv=6d%|V}=4kU%8 zV3$b?+MEeU!e(_(_{%&XLwSan(5|?^!oquC5Rz;*oWIbQN&s{SacrLyj+R)_A(FCg zGyOH~bKDv2ehQAV*qif$oFXFF9ca(_UcE^mL*z=#gSkVxnv3vudMn{Ar)U~&7RNWP_cj8 zQZ|Yo3vOpVM*{N4NPrT+fWW|-IgxzCMI-ed6PrrF_Da1kK{KL?kq&3NBTUAs>D`wq zhgflD?C$kAJMjhMvnenv+|m17W0vtdEZye#PHjS;d)b7@{#R52n?X;aqv-V_9Qks3 z!B0+lax+NQMId-rZ4k~h482k(O+TWqYN5aqX8MXDf0s>lGBg<)k?gg!^%WaW&;QQb z&|tO)bG3M$Do7k;;!Jw#rcp0HRGmCCTGqVs%o&?A_#~%)!FtHQQnx0{t)#-hyN|YT zK@Q+!<V`u>%zj+U_7cSHVF6u z-N{k}KdjqXVI2A>p&vhnf2Rdf0a{hA9W@Z)_7lSFDM9s_1~|W*$9aM5wMM$5(tmH2tH0b-Nj;;&Ai=Z@cF;O z6CO^#B>a3)k;7Lwu1y&eTiHq@J8;>iM?o0$R3F@w^@!So>2FZ%=n3a_&?~hidK;o0 zZ4KcY5~}9l*X6zlQlew3i?F|o`2g}mgtw1*Z|5q(lZTE2b6?}m2sBc6uRDdjWM#o= zSOO~Xnijqq*gszk)1sKRIs=xr$4znAEbSP7#u?<=T?4e$sw0bgFZv%L%S@M+i0~$k<_&9!nwGXd}-Zl(v?z4u7pQN2i$*yafeX)n3~su z$_J0~%Mdm9i?B^cpa%hYrIM}5O;2nFwZ7zzH(9`8DLyM_m$a%gH`iEl&u2tSH=J)*9JN*_t4M zsgzO3b^&Tr`HyIgAWe=)278cE|;q zBB>&tA{OcB(1W1?Pl_N8=7hS|R>y>z)Ohy{u@t~x;CC@LGGZK7jQ2R@k6_ad==j7- zCm=x4984>9w7UW!oaKY=w=%>tzG4y)(fP$*6M>|D^O=m%^A6ypoFWt1^ptn(^R^Sv z64(Hxvf=6Rf%IVbHD)$8d{8mRpj1bL89vzNodUB;iKKP{ahfNssZV#nAn+V?6Vb+} zdXIg94izIK0_`8!my96tGAj*xnBDW%TUt7yE^zrLbgN%-{1}zEyWVr+XMv>3-HDr{ zxQBb+^nprDT=-s&Z;x?XO{l%HN=Md*1->x16+&73T-=w7=)u9{5z7MT!zR0QvucrW z=14;y^h%58!?Y2ffPg)sq+Fsla0hKMoL0QEMi5=%ggGQ|=Wr=E8AOtR5IjmAF)=pe zNQrO#KU+VB8~RvQpYT`!8zU{ZodFoX%@=E1&;z`cmW=R}8y+6s2mi3A=%t$9jDPj< zCQdZ>OP|fzcILD3ulnM)YvbC;YT`b)3fH4sjs>iLUIBaO!Qg&MIk|64Kdd-fEgyf{ z(p>p_uF}+u^ST}#F)IS=*%erzwEkBts%`|J=8>dwOp5EwFQJXaZdg+(nNvT>oL)l1 zUyPwXf0jyyQm`yeFH}G=6;8o;=C--Q#KzG+6;O_{S(+QUd`OvW{695izDSbE_0zX#1C`OS$FE9p>*rfQP3tf)AObkr#_ho1iy?P4&8nJ_d%uX?;>mlRBW_ATvkN 
zw=o`UltuIb>01a$yi8%ZEejis6E3YGgca#tSkEGLU?&x$70=v^sr>>)5%omOL3f%O8enxce;|M_>XNpco}luy#)4iq%Ym2i986jM^A}yfZ_KmJ zj~^Xu^l4Gd-oC*k)En@M?2*dv3h!tZEAu5rAk}rH~9Yohx4IUNUh3rXCzUCJhjREb}O-W z{)yU+r2G@uR1a_NYwn$j=KD+oZrBDCwkn6lR3kngXEbN?Zs>FgR1%P(FSnJV!Lcj3 zIrJk)7Z&sOkq5mvm}^kle#s-#-no80a{BjL?w^2Ob1j&TzA%j1-IDlxB2*hy8{X~C zQAeCHy$?6B?qV46WacW7{;|VZC#}*5Fr_U#dh8lC*CkOZH}M)41*GwUOy#|_wc0MH8 zbl+JR`Us{x4TycWizR~hkx0Iv+4qEzl3g0S%Qb(0o>N?J1awvLK`jGo?7$NWxeiNWDFPNYieOD05v zZ4yx$)|C*HLCU%;PdruzNpxI<&G|+Bi;E{3sO05(39ElQht+=%4+mYg5{o?w8P4^W zFj3)$&y%<~Qbq|RC88v#VxjCvYb7}qOZu%m;)JS9J@^GwkXduFbWD*4j&GL;HL}U^ zt2I^96T^K2O3R}X+p8Ib?vaNKe4;yAzHbya^rm2R z;hO_qK0B58rcYF-)mYxw^}(*2$KPtelxr}ZWR3A426Socx3~SUVfPWr8W*Vzs{U~M z?uW~(A`Gs|Kh@jh!#A!@MrlMw%GS-&6URo$rJQz+J9$beROlb0U+p!;s=Si8r=$GU zlTp3qwIU0nJ(_|%5h0NR$=92V2}wyq3PhioQ9K?BNRxTp+P-={>{eLe8P_MR7AyXI z2QC-h;=R?apS3^j0UPF|>Y0hhQHNQxufmshEEjuL&a4HE;AXS;I1%HUR=1Yvz6x~UToDWv)+adQDzX$!T-_ET{p#WISk)vk4SuINW{ zKMVoLK5|n`0;}Ct0++WeI$bx zrR&nn8YamXx!B%Pu4tyr+DSJRz3I$Gt@^znYH-#=WSqpnYk&<9iy+dH_mW+LQ& zyDJ4{^ZekqnuMU>RP49=r#W|2#{g})jGbiRE$ks6_I$ss;to3g@w9M3k|oXSZq5NK zqq40yjc`nMN%es_pGxl=+#j6gyqjI1;pJ!IBrgZXzFJvyO$?nun^E@QOwN^_8l5t9 zI8?+CmcYPkR0KO@rbdnYQHYkIv)Q&q=VnzlF7qY}woQr;= z;RHU`ZHq9ObE(C4zL-W}w=jTuhv0#<+K#}auSf-1>!&%g619lr>aR;jbjycGuQe

+f-e*3{Y=uZreIZ}lv$h-P@L3S=U#&?Mx zYi{}UGu)Z#MyufujeL1O#bb0%Dy3Sl+KY>h*0GQ;EQa{;h&Xu|aN<)vt&P|>R4+bx zwEC#gy8d)5+EjRx9hf1ELc4feSyYOcFn~l>Q8hqWhVCN|Y(1`H5i~+?2G|fnukLvW zVrJ%D%gLZDC&B`B+>3ywA`YK$>SP8BQC8MiW=PamfnvpsCy_U<+@SiSUUv9TFcc_}D!6kIC zH=%hbotowuOCm2EuYAG*+vBot;|Zd_kkRbDDd)8D{U&Y%f1>lIepK?kthXqf5O(`? zI47lF!Moct%Sn$*ZPRVP&l72uQQ*6cPprhL6LGUOm!dxV;B=cj(KsVX{?WBg+Hw6D zT8(0A#bS1;DL;cNnf-(&)2iei1et?qzaC?TSPAqbSAN5V4Yaz2!-lOi?c&btms7>L7o@CZfS z4vo%!Qq^JK$5f!5)yJjTf_9E3E3{(+H@u@jcH*I)+smDpRpEVKm9?$OQriD z@=z#ANmRo28v{JlD@SDC2hEI(wsXY0!>SqgjJ6^LS+oC6YKQuCBwHgpD#qmcT!*X( zI1CmTAx3g%1--#<~Q8iS%sOB^rc8RnX1KD7#yH3~;`Gh~=fCMe-_JvLnpdNf+8;osx zR~_>WtQ;QZ73pBZG91A&?(2v$z5I=tq0EdQ*1>VRejXy zSRS9oDcfVmS}5Z^_j`6;X+W>&ZKMH-^`B$})r=noH!)&L_t2Bqx(Bw1HdZLzHEhKF-zg%h91$60`-{tV{y7 zO{>^xaexpuENsXpQhvVDoANLS?4J^0w8zK`AAALpor4cROR=T@C`yz(9q?lKrHfX) zl8h^LqwSn$EcuAps~hA?Zt1D^Kh1)3(kjG74OXCbZo9VJ_t%AFNt7(DFUUU7BLU>&dd$VD$xp z1OLmXR?g{m0@I~|!=5-N^w&UYBlh*rQd;RXbNb4@@=wAA0b`qdXx+U#AJXByc2B&P zzgL7~!K!c8UVAXCNaXlM4Tt32l>zHVARPO=l^xasj(sva^?Ku7Lqf>>LM!K$R`1O_ zP8*R3h3Xi0v+PJjumd4Mw#%xxq5FR1kH$fVc(S#tV!&zV9s2g6&rsi|>NA;!RGZ?T zfG5)|VEX-Y=(jgOL4oIFu7o@ait0{%E9Ti58s*Ngl=cUlN%l^Gx>Zg)FPCu%b&dOUb z>|``1cog3rw9RM%s+u=%JomwNOz>Ph0K8w!=`CfZgv5(?^_d>DHTqxSSRiS(1O0GT z@C$oy;@+R~#)XHr_9YPRU428fzN%Op&y%i#A)K4}=BmQOq6lDOyR_cT|LL#uW)|&8 z74hvdo5fV@zx?OHj|w1D1(%`D(+co2L=&ws3(5+!gE}MCwt|&tfb-mJqMlGJHlzGS zjr8wv=KmIxfvQ&bxTJPV4amwb=&&j&q;+6+#>oL`%D1s021)X{nuTh+$2~w`iZ-L5 zOHb|Mb6yLJ^SkSw-`3fsnD$~(P*c_={8fupx{|yqC??V;EodZ0H`0q>I9b;+LEo&) z@_#de`5A1uBa`z8P*0w}Lt2b2_uDnZ?^iKnF0TPA;u?Uey)QU>N3lk^5l25l=RS_S zrIwzmXAoWYkK1tULcbnerUc(Vp=`T_*qKP^@+qz$>aF`bAL;omwVq|hxu)#~?`|vB z^fv+FH)nKKvC0rHjV}o=Jr@m%M!hvunV%df*Th|hAuc(-jLD1P!aFmdoAuB1j3_p4 zFvftw@XO{sM&)hS58fJaFPlh#VjNP&{KpK$Z}HKPMt8kX2)5+vd}{e$uT%-bo(2A} zs@EzSFh{xx2&A-Q!^{w%;C7z0Zg+FNKgEo`cosid{+Ez|Z-KOix?T;$blM^qDe|9}7|1%6jlZI7syGp#;C}AMm2T2q zK96eZG7#YcYS%mzqSd&HO3Ll}fU63tFCkW5a+F@&G3~x@h3g}+|b=mpO^@2S6 
z>$O>n+=f=Vdzi0mA}KdatEE`*>bT@Ye0x(2U+u3GJ%MrRXz0ef?vr!&_HC%2NreMv zuN&luVBp3tNqq!({CAnQ{Q)ic;=-TaP4xwMdb<(+kiNCCb=pWQU^!|(3KRGY0!u$X zMW3vfo~K5=RHf&4$*LflJzJ?Y%(eEw+V**9))@*Sa=`*}?`=-RBF^8n3747boh}D)hcmw5HP$Qhy zZEr0O=Dv(M>irstx3In3ZL&T-O01Bf{8(sx{iGE6U~wxq&!(B}J(Vzup$@sPLE}69 znuOD9XLBwX*O&ITiHEAp1)ayN2nNly-wX!k)+8BkDU>~VUUAgq7#6_xc45Kvcyo)& zb#t~E!?Zm8gjK!jlz@+^fW~QBzwo&=eO2rMcZPEM`?p)9Q{MzFRU%19HEzQ59}S_v zNA#-zCoTSmer|2H=jztu@h&t6ck6A0j36Kk?rB8I1^+!HEr}e+3+s$*d7<=uL7q;P zi(ih9p_A8(@O;WU;Y=)`Z9^;>?1H``sPnFH>-jbAX_e)%O0q^7l4e?&vzlZ2tq;-B zFT_%wQt~9Le2Q>f2~@-Lv{QL;s#ucNFVA(AzW)L}?G!*x*Xg{@B>_)$F;~}96 zOWRQLQqAcb^`Z@Sp@Si%lH9J!CU@;=)9=$Sj_<8u7QVE?8`16?-2b#tuJTDW?O859 zkNJ={QErv#aiwuRk9x7O9UJ`W39HVwpvcJr*YbozP1=veGh0#GTd%dqI5}i6%G#W$ z_p^aQpr{WOGGyHsrL2p=NpvPSOE13mV)=mdpzB|%aGphc64>kzlKYJ4r&k_bm|yjN zxn=?Cg$=Z$F-(qud_WF`iB(I0Al^fO+AZD{x94t;<8dtmt||9gH3BG^6iO-H@ln0th$nxgu&6bZqg>TPV7|NMxE zO3)ei6R$=g2=ZKP^bUEJ-2G(ScJBHT87SxLg7vSC0BqYsPU z9yc=782>Cc-fT#){V*!u_(N2bf4wih;j&<^;o7PjOlU(~IZd5Le@eeeM3c@pkQ2SY zhrpeP`{nn05qAWFG(*3>%{pJDy4#ED-^?$9jlqg?fa=?2Z zu2i3D=__k%yBkviV52lOt~u*17nnIPxPwwdse6DS`AUT>7!R{Uw_(@|mlYPiLJEO$ z4T8)7=nP#nZ&|SlNCMIm?|>Q$&-YOz2`KVXbemWykAjJU+M}8EU2Wy>P6mbRv zZ3NI?)nwGmn0_0sq1nLHeX$jVRdAdv=#qlsm2-Kgoqc-F#DF^j;D5i1nQhc%!~L(y z>d_;l201gcUAa!8E0i@yV$}Bfipb=M(mZ;bZb%jwm3;HFsX#Pg=T{^7c4y%ObohDk zYRsd?A{ST-%rRUJ6?yhN;4lImZ8pMX_rFgrL-f4-hBqZN(`t|FF}_ba9nvue*b)=@Vk&|`jnQB2U$nF zQcz_TNa@RfQU**E{uH|H3q3V{L^WGos54Eo_+m9IG|Dx^=t%*jTR&~%GR45ZL%-RJ z2D$P8UAdlRV9NyL8GS|T7WZ?;QF|`d!a~fy;(4$U^`n9=PhT38XkN_0-0v@uwr?|% zZ~*z^2UuO0z}uh{Y6iY45@>=S!y2=aP`oZ&9Z1Qaz)~JwW3hR#^Ru24IBemdKdH?U z_w}UU_T)10++Fdam(g-N+tZyKwbVY-sTS!jVCYH}8Rnm4qs89mfwd{IRw*3v164)c zCksRfOHAc11{Fl8d~)50$gS|>Ws%GEpFMVsZDYHx2lCzz)Itk9IBaV1s7n;p;m6eB zp2e6at;f%Ueg;9zAG4s7H2#iS$I|{eMW0FUGKQF=kh53e*4U? 
z_BrIMDqg0pG6hrILvr4py!?aW$j{9v$`1FJ2(OF*joJrc3v`ffxrb+TysDa-sa-Ug)?WlCHD*?P$5>V_FLA5B`^HUvRPlG65&$GgswU@BMrPl}P1Ok4q z1Lk0>Ln{4(fUjvp_xDBs#H2=-?8pFS={G0z9DV2H0(d~~yq8H~JfAid7 zA_8G$^arb~jftiD&AXEtFWm;u@}DiQUgJAbV4~!$5itv{wlTt|=4;VKWHVgao|(LN z!A5yk`18MmB@K99yJ`qyoonaDKhF>@MVH;>zeTh(oh|lxAZhpF#55R4>oVyvfHbj8 z@-*lz_P*>Nv|*o(Y={^_c=3}ro=ze@_czS;b^2khV>cyJf+n~~0|C7>kSq9qT_h#)P~X;sQYo_|LXEV8oIgchEjViT4*$CLl#f!zZ3PiE6YD+w1t$LYWB4M>>?b0sn4 zx%9m|4-n=&f8Nso!5b%0V)$@t-fyzr&sdrG|7sgmD@=(n1n$F(HSh_c8n;>Tl#rh> zUvzliWJU31#n01b;Uh#)sY|%*kL==I(`eXN6u|QW0+ia7!FSJno#+w1P8Z$gzcqLN zpC9ZRX4uYV`@vCXwaL;0YPRh9{S9EKP=m({JH>YlPyLcTdL&WD;?f+MoQ$G+=MVCi z6(F>t=yiN?!>7w@|MRr3XH2KaCmy?XwOMa@h{jo75qHbqst*y(eunyv6gfp2vafv| z&Ln@cnBm-Z>wi7ams6K9aF?59T-@b7!=;9klrYz97kW@(T$p?|7z^JCfKv*}$06ng z&4htTJ}^M%n}#bWA`e_7ruU0}eKe4g!izBKD&_d!L22C!g$s&=@?szZeR*i=4gQ;A zoVu*ZKw&9abfdpQ)Dzp`2yDlT4drSCB_f z(USlRz@hk<^OaO;I56hZeEX&oD6=a76Wxo@RrC2Ob&>zY_xjBFuc3>hh%Ce~nC<~) zxJlxyZLAsHckKB3V|WH|I+kYUz3F$O@bRgP0^bOkTZ zzyL&tNq}-+;xYf0bs_(#Dna4b_y(KeZB7pfqy^;C_9LUe)maz)oQ=Kp^69x@S39lK zd@sY_f6|{JswXXx~8hf(Edw8W9x#A2wa&sAa$y=&pVpn$Y1wvO4gZ zPNF(u);1_n)3QQ$KRqx(h#QnLB3MaHft0@Q-{X?pQA9( z9A8iqmF_o3ahc$*kh1HTEhv|~(yy;x9V;j6zo#d{i>{3dy;o%y#?fBvT)@kuM|PPP z*`k`P&;l+~F4OrB_zU#a5y4hRDgb;UJiJCAOYu?+1}JvZ-HGBDE&MLKEEM-lJxfaX zg6s4l@V2(L2eWPAc~&!$VRw`;5L`51S%lcn2xHS8p`-1HI|e2|bb$K^?08tdwj$O` z08?wK=(`S=*kA~qRCl@(1B+G(;cR;(`&VJPuL#es-5_=;DfBEw#0fedl&L<9vriWT zu@*7r+Zg*tBnJZ%tBS_%4OMY;afCmVj@yn(a;P*?_9x4#;j}iO7m<$aU$sAt;|eT7 z&R1Y^w4S?00J>mH%OkVVZ+HmLB4GC6Rr>~0eCXO z!1%0g-hLYGotaaH?J#CXCg8C89`IL*-eBO>(FF^=20X-TqQ~o~fTm|$SP8gcfz`9Z z61vlCfLtXG{vty5g@joZ_xbbZ3!}xk$R*w$;=cIY8R>If@s`TgZ{NNpPxuA)cqA*G zch-SZ)XiJB8u)Sn4OWt@t{4t~@}7blTTb+(5P7f6e&xln`OsH=pIBgPML8evf+O)E z*ewX0cvu}s$=d`pdGJ2W@}YS$E2j}wo$NkiIC>zXuNyO3<>pecKmBeWNG9P`O9s=J zdrC}2?rR@2BPFKojuczQBU1s>rkv}C_oie(`fyF>IZ8s={d0}qyIBX)Vc}jRmKNo| zCze0J+hlH~A6gpGfEvmZZTExOeV~d1{J37B#`$40ZbTvRI_XF3uOW7HfHo7SUI>zc zfm7`MT38qfFqaxLJpwx)2-Bw;!2C6@VYLd{C-QuvEQIApH~Bq=-=;f5g&CCui0a_r 
zkg|w@|KD}lHH)P8PI|En)M2mIF%q{UBRru{U-{=bRWO zY<+ecX$ri5D}djLqat@w?W$#K8rNh#d`C*|HfG!Rv}p|s3+tec1$hF^jN}Y^(tf%D ztNx29K4@!cgV4o*lqfRct+Gex_YfFaD2Gh_^*(y0Nw4#pNAvleUFub+Mrt;G1bBwF z*NEM|$|8HzvfRCioO!tY>kW{|xyCUM*qXdZeSp!*Vc3M*(9pnFn>A`t-hsrCIm~|b$8#1#lI|>U(IjU>({irPTZ~r>r!_b)Wf#A9NBeM9 z?1?9vl@4&j3JhRxwgNoj`Zy%>X~On>Z+0L9)c|~k@Dh{(OK_%OtlWWe{n4@-!htQd z21{=)4Nk#n(cK$UcLC6ITV<5W--M$eRrcAYrk>HGQg)VQ{yPcWFNGIV94dSa-( z-O8^mcW6jGj7f#*dsUh(@qkGZiVRhqhXVI)rd+CU4TCdQ#4#MQdp}h?;a)(g4T%Ek_@C~3@!<2KZ*4{VpT15t&Tm-X8e)pIupUWvCKedOUk#om ze5b7dMFrVIwZhN%B}&i_AWkKj@^R>j&hpN!g!k&$kz}iWDR$rk%N3%4n^RH;*n~4u zrog&F7jcHgaSJIbtpV7}#VUZsov^gyt1_7AaB@-i3WXHlUFJdlsT&vr^{Q_&dWNpw zS5`r6H4zaJ`4A*+O0y_veKU(vIH8Xq4KVhsV?cJ1co?xReyqLxjGhTD!TnMFlu<7< z4O#}=hXSQJkvrJRmpKio>g24hT)TbTBB(PJuYU7R#Djno50uaTC#6&$*e$EZY`TPf zp7s={HC$bP>RG2#=}g{^LcQB~Roqv{fIJE5jR9`bwDkTCVEqjhk#FkscM=HREY&?K5XD!*_k;n}y{WhU^XFUjU-q@ls@NuBNCrts(#mdF zV)VO*R}CS03!Q>%_snK73mPW8b5Sa=7H(zaNkAgf4$JllugmQ-+Y-9y`}48|r1(xt zDJRSpu_uIidQDRyw@9Q!cgrY8V^KG3$^t{CQ$rLeR=30E&&SEmGRpS;!tG(yG&L+9 z57dljc0S$!n~7Lm7U^Q1mlZd1oSv=dG5B1jUAd<7uc4^Tu9ca<VEp1vGE0QoYWrd+ofaU=wn?DfnwBx(PnQR|^aR5#ta5S(45q|}kl>bJr5Hs`R zs68&PIQ?zW?#t6>3kYk zq*fz}4~WBm{yYK`5bL^fNV|MlR#Bf1t^ZCyQmtn}&hxQ%B#+XFdc;?SlXsV!i1ez@ zchcaRp0EZKZbXNZ>+yL%Yq*8>bG`5q zEd2~#*gFpOId6a^8Uu%0Qp7xnL^(?3b_Pq+k9#!9WYvCSk2gwZvPre6+3l$U6Spv? 
z)fZE|5CGouqz2%GOV8-9%s|)PcAoaa;ulf>sPoe`8qleCVOkl(Gx6i83R;<;73;{ z04e#AmgBI|(*E3etnP-SQRLtAf^(emZ}WmbhlTM9G_dkO7&msWa1^mm&xQ`O+;y9!=y?D(2;*ZwO3HA*20w}tYrB2;0u#iD zO^F_SIc!vJz+oZiZ;9G^1~5^rTp?z82pH~6-!~qtWTj~UGN_wl+hehk23-4xvy|l5 z7pCiR;hGhO$a5!xIHN&kwVy5e2r0GeLthygK_{bIJMuoSQINrkcGhp>#vR=nFJCe2 zXVS)G=!&ZuqGzXLx`)lKb2dVMqJUQ*qRCBE_njffHalR{!J1%PXIFrSMk`n(o0h;7 zX2-^gs-O6f#lJ}Vy~V^w?>&zndbp|f;fjtKE(M-c6hI}*Cr}o%MYh5q}4bFX0Fgd61xXe!_iUxvfwVIk=`GTVWK_hA;;p85Mjx_H0QCA?!BO_^~Dl zQHHAC7SY)eQC&Xmy=UBVseOP-=MqqOuAH{NW%?x zQ70ZOIbCiv6zCW*eL8*m!(jhReu<&GYHnwLuLWoWWemZhB}YGVJ-%kUBY!Wmzc>5L zMQ*ie{h&)sIb_Gwnifq9?ov^GY~IhJO$pwFQXa=Zcrz#Aqo2L;F% z70>Vs-&K+_+n;$2Kl89Xd?NP62NFHmz7t<&t0Ql$TDPISu;oSoUo5zWDZ3(m7DZq% zhgzLv%S4jpR6W8HlUKg>f6ss13OrG3zYsGc|mIRBN6^A=gW4 zol)eREm#ZL4Q!PZ)yDGK9wIrr*)fv}9b-OtM`HIZihgovU$kken0hOash|lGJr$6# zBA=^OujOcW2WIEd?u+MFwAVl*bXYG88{Be<;rr+<q!Bx!{P4T| zpfal_HL!cmgnV&h(mVOhAb5#j5Fm^(HqDz#e*yNu--@3XQHe9GK0(D4bGSFE@g}$4 zXv8l5Fk9}r<=I1LeyBfo%B^1D@GysvlVd6NEU>mGOrpZQPtd2*rMeWAcd)c^i2cR% zW-*~AABkHo+&wudtYf;Kb}Yzq zWxJhp&wb=rdvzWK%AM9d z86DOb6`Z&oJ3nH;onH(B54Izy?ep#qQwN?C7Bs(rAiukl0}gu~9b+HHHeAxzO^Z2} zj_`DE2ykNX_E+6;xYDc?oVa8H*ep|LQ}Z2MukOuWiL10P*(gAT9H)Zucet*xYN^5OhTc*Y-zR(0Z1(axb!f=Vg;e$znHt6tO?pJ~~`u*I(4ur9668dDN`V60G||Spe(R zH^+ID3XkU0CK@$MR?5J>d0BnsRNfzTh(fO9@C}r3GF@HvVWc6h0oJ4xGs9$KP%gR5 z?M6z{d5cf}mS<5xKzE6EcjT%l?KuA!l7*XxGm<%5`Asrt<*PA9R6T#D0$-EuI&h4+ zCnE)6c6ZK1HH67q=jF)1jZtf|aM>2P4uCsqDH@u46g)n1<>`xjrgm+!;9Ie^1Tyw| zqpLHesXs>3X>v@}Ydy#)TH~+^ZlN35FipPw3r>BPkpGe$>G^Li02buKIV>u3)2*Ky z48>z31T+b_%V#tPNWe(qPf02ZAJcSmG$=0RUc^=xvJ`!grz zJP9c$kLs{9O8l(m?gP1*5en+SyR!}pR|;_bcGOT#$EURX!@ql|8kb5cvDA}@Hp|8} zdL_5++sq)RezYj#B<0neipgBexn7kg0h^_a9mavQWL}U7ICTFz7N);TWv2M5D5-Pngl8JbQ*0%oZX zPfWU4;MR^MYmYeRa{QX-_)O9o7ePzZtt$)~78$2q%Kry=2+iJ0*Z8pl*oW|cSo&xB6imCs8DQgwl=INtbhR|&0ZzD8v zH#~Al+_7h=EZ2Q_kGq_%jEvMgfd=^VzAw>Lw?i$oh*x~YoN`u#-6AVw;jCjFrmGF= z(b{2Q+VOI1m$YT0SU2KWo6DT&(|p7am@LUJLZ}@fJvhhqrQ4s>~*751bb%vc^iW=S^a@4xq#ReXz90)Ky@hG%TR`qk8S! 
zSy<3@)=mp#rzK_7A34wJyh(f>km2~uVie_bpO3neg5fV?-EhDH`l7!Gx@FtJiF>th zeEF15-4oBeqoMn#Wb+xF)=z9A;z2!-+TCI~_O& zOF4}BhrQRI-VP892v-$3E+2PkE+}iVn-BA8-b5=of6MBqlpq~1n5LdWs;x*G8gwuD z)rKaDzDh1}{^ui86kzu z&33-v7U-4#24c`j6bR4G3(bj_n>H^sk45G`)k1T>R=WB(;a9s@5eAIy5C`xAclav( zi<`8mZH!S}c2!IA8vT(e!+zYicQ@2{HU@uuAH%UbX*uqN`nv0D?l`P*?~^st+Y{iJ zp5rEP`Z1xkVpPPw=-^k@$EvQ8-fhMP*NiSWR3yEQ3dWnb*ZHbm#=Q>4{Q(#JCP<(E z=8xNWsa(_J3uM^aZ1qxkm79s;TI2PGr`EQAa?ReJNEc*;d()cC`yGT+TM7gFB6Lo- zoK<;Dixt_K4aJovX4^!aHPF?L#jmxyZ_y~Se< zwuBRLWWkC)Z)<6mucQ6Vy75=i)}^GGDTbdE4eFqF@2Z1Lc{x5c5HB7Dd>~DiuN!0* zVkcR78Nmu^>v$iK69`&AwCor&5?sdf@7fZ?={y6cJXF0eI2j8hvHBIjT|4ES7>m~) zQ&U?{j5)41mu|IUK<9R1SuA=qix(N+>jrw{kop=Lywp2!Ue1}myH7zIDYq5s#6Upq zC1fT#Pr78ga5pp_T2B8NeFjKvl6vs3e_*1OrWCEcrgF*W`o5O1>3+%RvHv$d7w}9h zovN{UH_5Uc$U-&_ZVLP1va-2tzFdTbrsyEzB#6rSe3KEWaM3y6goce+`JH*G_~WVf z;1OK2Pd9^_0YVgBpmaZjSaDO`JvE2W2+?RD-t}jH{a3rvRouqrK`WxCiV)owl-JZx zq3GH@833GfmjCRz0-F7v^MYGCH!KX3u0wR70YvJQLI-C3t2 zcscWT8`^Fci33FH!ZWlQ!QirAL?pL#U;Gv|;BHwv3EoOFyCjCJ3yHpP&~P2{Pco-C~_SV@iwOdjsLs~T#gRI z<yWbl-1&*lCHaZRBrkNJh4GExQLE4h;joF7VsFYv98S^lKCY?FwJA})7@gRa|B zKhy_l|Fy&q78T=Zi7TKxcL2n^)>D8>5WJC%&U0f!^s>wz)b=&U<3ezc9y<;Wt^5TG zAQy(;M#TkeL)3~?pDSQBXx%(SN3JRU<}e`|8T4&ks)+dw!g;2@C``W#-wn~^X4mYh zU!_-q=I090XPW0A!wEp=Da`%7M{7}z#1XNV&Mx9#0YH9;jxhidVc!Cu&yf0+qeYl? 
z(0I|}4SP-n(DhIXt8O6ywP;v_6KIg2!1_;8r(2A+;%J3!aqnmh&Z6qA{%?Fk-Q{(3 z>>Wxwt4jB!6oNeVoq*1J*e0u9(0?`!{F(CqU0DFc)dWXf#jT)>H}Uyg)Sz`*&G1~F zOBC=e`)2Y*!|}NDe>~f}Yz^OS!*jqUzMSgvpHuxswU0xnXvlgc2ZUSNoKXt>*Sgwi zn0$1<7`ivxzukxV9x@6}eWA-8^nTt#{^pVai2^z`|LPhAjNDUg#jLN-8x7bzKI3A~ ze6QaOtUX@c`9zJ~>1XW0qDxa~#N>2K0A>nMwnjgp+NJ-#fK@l?qGYZzUO*kp)`M(- zNh%4{7@wSusxrbVAskb$mh3XMyD_c6lK>&F3YSAYUfCa-&Mv7UzcDNQ6ytv_^8;3G zYg^o)3utzfZF{O4rZG+EFb{kA#wnZQI1%ADa~tvy?`JmrQq^>EuvdfL&VOl)12rHJ z=Bn9-<8298Q!&xb4KF`<8BbO45yMW8@g9QLiy{7P&vwc6o?SiNFclb&d1Y@XfgKgh zK=#3X37M-Q7bKks+}KnY75?Iku>RW_Ie2=tkoaAqV8_lhrDLa{!-Qb8CRZD+qgSF~ zg7P#y2kZTb^wY7c0=Eje53YlH62{urU>zV-(gNO|>3Te{6&F?De9>5QT=!p8Ww1Se za}og`IHa{4SoVvdl>pMbm z!)d`2))8$b9=_nN%*Gwc)Zs0#@S*53Xe^Q<=hSDp45#1xTaAI={fd{0@O0+vWI>(Z z{;=-~E8249?b!)JnTUl$(wDD#vawIu<{J&Mz&i3tgzK_7N(d+wHrr{`fi_b-GxEd+ zw#)uKqYtl%1^MC4r^&+g7iGIY3sU@F>a(_3gT3f*1<7mA)b5GYWl3;6;_Pn=Dsnd$ z2sL32RS}@Vy|J1AXow+iQ4chJ8QNoD3l>!qyW3v~+wbzCrT3TP>p#gi2Oldu z$5VYga7QM%U{AWtPB^KF{*eoY;V{u+Y4_9N!`GhjCdQ*c-S~DqYmU&5<TD^vR~!t@ zGTpVJw_o(geO*BIgPQVnmVC)^w$O~Kha0!!SFLa@08VnynHKiR$w(ZjO7@?+C!Qi( z0)oax-P3wI&8XF{R*ZG85LWk`MqUmUgOS*+ayw~GAlbx8-$z+GtdDJ;KBc6%_o(zO zZO`iUt5?-5ppHH5ho^I{Bw3vmJ#w+nqzNo)$1KueIH?*PLblEYkH6UCl5+dMl^uQ~ z3jDU=UgpJU6D+hvVzi#IFXNv!*7vbu_0Nz#R3o^dNKWYz91<|-;t8nm3N&|(fFc2m zHS8{l7;#xRc#YCFd!!EEq+05DGx$OJgPPk@g>cl6#rZj{tU~(v0+?0)LGQRLrO7FR z7j4l~#qFy*6hC-a?hymS^0eJk3?H@rO7t?>W(-f4YMVUd4I6I7ybjEi(Q#BJB3yy7 z++pO{e=GF;Yvi)QL~H2}G*b@DrdVig)wN@*OFCz>TS*IpNlP&oMfA;Z z9TCj0Q8P0TFOxeiyrvwXV1{e&9Rti)fu+?GHuZmc4-J3xGQ#A6gh8d-Waod|(D7%E z;d>4-FY_mjTSyg4S$v7Z(Y8t&)_4jSs@8i4rV|~y1yv^~lCopIhgR1=DweL=ghUhK z%nqJS$N@`^q`r4#&`0D2T+u_^kd!pH=NGA#dqBCE_ZVytq}!=2(986;JT7iK|s6mB0Dnw`T7zFpdQ zz>}q78a>U4qp}!+C0kysP3wHF>N#9?D+>L%Xq=%Xp8;HN^)M*Jq7m z>wq@tlb8_ug@Kf}PB{yArzjtsTdMl8UIrTZLCB7OCeYU%y_4;&5N0u1X% z{-@{m@BwBTlc7A1UijXR=fs2qh|4XuT&I(1oy_~~7F8#C(lxbyI}F4dHnSGdv&TJB zd?li*yP@tXsu=#=DuAUMwt!uDjYjLqB~?;fm1gFGqTv)}4#@aRz{mJxJzk;yBcce* 
ztuVdfYV(?{)1t~RZ)Kd?e5UwBThYZ7zp9scTyS3vV~^+KF{cpcBsb`=r>AhA$Iw=s zY4nW+{Zd1ruuglx(QIQ4yvKBDIOYC5>hEm+1`NQFq<_W=7qyv|m0S|_diSYgUq&{j zg_G_EsX`zIvE%E7*gG<)SmZvd^{pdfnM70dCfg12U84kxBsGJ`|kmex`t z4VFMl8Z-wgN4`y)xhmKsNdV-a?tqkObp>LMcv&)BipLcOqgD^dCp zuW6yoBEh9LJo`2KTK_yVD+$lXWn8I{PVIgc$6p4JFZ~oDi@Bp~d+4O*4zqnm6Mlf? zGvJh|sK|)quIBzD=Az*h8j$8T0>7R1G2ApnAnTBoI5kR-by{KI*5j>$25v{lll^XsGj_)wx*Jy8XVdT1QWMR*!dk_6 zXJV>9AmcJ9Tx-Lj;VR}E;H#qn<#u_OP-A1zR60DnF!Na9qF>^%1aXD#Z;sBtMJS+! zMO(2Q4L!P7E&%2EC`$$bb0BP6;#>7S@t;3N3YA}vz#G%K-9LYO_T(Ez6>4nS8qKgR znq&Zqt%0kJ8%xqodzn`Nc$?MX3as_ZODN$D8Ca18%J?yKyw=1^Ok4e5FztVGAK)86 z5dIyXkP}aKDBONT2Zzo#I=Y;NJP9&xi-1y(7GqZjUO5bZ(mfQ%Tyut zse6rh^&~o+`4^RG2AAx6a4$xgYQjRFE)X-;r=OOmuAvon>QVI+B?41n<4@C)RQa1@ z(Z}Pl6gPQ!W>R5i_P6{*3XKNw1-z_>3sj*RwYuxvEj$6$u67%J`H-LZfvNkij@UKXlqy(%mjz*^~bsT!aqx?VkL9*6)~# z^Gl)@w7xZDkq1OK=Iniav_?9H`sVW}%Zn^Ny7PKPWT0Im8z$B4GbS`M%94qRN?^)o z#eZM(Tmv2)J|iS~Q%5Iy{^r^|{CdqY3uQMX7K7$h)pzf@$K)>*m7?yWzQcQb>15Xa z#mTIGpAnICgbYPE-P~d<7Ib)3H89=05w|P?0Koeka=$g=}kkmfF{ks-LYzw!L5DAY8sNJabYqhMYcuI{O(a zx-I3rJ@`podE>zva=5~Fn*_(17%*4-#k+b4Hv!!UohdYxbaX!59mHFTp!I0#o6tXW zqag122ME7fJAtaz-`S*=L4>xOA|&R{#ORxzEKa#ViZkJSyT8)PwzL=A8C8hMk<9L~F(w8}>o}a+WGL(U}*bCpKnhSx8duS_JCJ(Wnp$9S| zuf~4L*V7SQ4;AXyxNI%s^;-JUb$LjW|1_+_&fD=0RWRK~1Y8Ie&-iFMLgv&v(R@R@ z7fEE*KiPz2My$4CRTQRqeXivK79=s=%kEHF{QV+}#so}Me8!+xrOxju`i9I+2B6o= ze2w^s^%Nxpha+$vs8)smrt4ir~|TP(RJ>962Y-n@ozKrhZK>Y z)KDxIt??8x+|5R-rKBK?Um&8)YC3(OdaC-G7~idpKm>2sF}@cW_n{nqYR!hp?q_p5 zH0B=So?>ilIh;Nz)5gAF8OgKP=u_#SZ5xD_JWQN=<=`%cz39A^=H~a?NND%VUY)+^ zHy!u493X;48h_}I`2FG^2td(ig3ztJRrXTvzZ%IK=7_`SY;P#QJl;TABbvNP(1LA2 zp!94k5}Bv4x{jw%5V)HB?nIe;Dc8GA4hh#HEve+!Q(_jgjilm9(Jp8o$0e-do>IyuG~wLZA5l;f0?ix=fsq?Es+Lk(jfAlV%= z)Bx#3?Iesnz*4e@#AxNDYTp-jfUgDmKZrHuGvOnv5X${t(MlB24qCSrR{I8?5P*>9 z^`MR#%}mTiQZ?1&o}K2#aA`xpYkq%=Ccy&Lt@IRNL%c%$gxhF0+NYFxq^jk&=SE^) z$><1T@B15gTjk3*b<1!t6V3_;h6k$nFpLpZ#YIxm6moO0h*+UEB8pqGs)fC%tG*F-MHs^{y$+tGOXBVcz=$ 
z&)04BGZXEMpvXJpFBe{O^llr6ryBq|U?l_3e`_m0$L%G7kZhQe0|^R^LO-fcBYucDt{m^rauO>MY)1~?!?<;mJ~;P$gBOE-edQo&Bw z`dPTzI@N3*VoO5&YCwtKr<J#Ra-uEY`>GGIL!mn;wC3MEy1SVSzt@sN7doy3I0;CZG2UpXamoN$ zhtvW@kMu#F`KGE7*H4TRlF|3ZH`wQXww;m|+3*%C+o3$pnjqezWfSmd@A5wnM6JwY zPZ;s8HcErFl`rVt9rZ`mhapn{;ZFx#)4%a~ zRYqTe!3YfsL#0x4b%qij%()#+>08Ko8Lf{wbjUK3;@FFb0kb*V24m{k)8n5qz;65(z^JQd3MG-Mn?RqQkK@VAU$67R zw=N^HeA@R6Y|z!K8I84i1G2$R8@L~PV%ai^Q8{0A3&fvp3zgkXu>mrzd(EOd{5KdTzHd@8JdcYzPjhGFU zp#bv^C~8DZt<^jkZun1+_Ky@R zAwT>Z4<`-Lig3=_*{prE-Kjpe(_tKeenx&eqFAwT-G(pMM?aLTof8e5M|y^GF;3KS zcuOZ5sVDl1@u!Lp1~miS7?=g8o`$4W)JKz&}!H7^U?zVCUwrGp5Q-`jM1&aKy;(I z#z;bOiN}2D^r^NLj_ZL}D(3gH6Z`^vI9^&Xnp161H0OJ$t0VgPcny;+(<2#O zbNensGw@$uf~wl5_hotaUJkwQNseo3<}u9UJj1y5Wu3=G+f*bU(Oh~_CQZG@J!50L zI1#R&73Lk+oDQM|n994V6a9ZS*>20!{a{*Ms!Nd!m9w5658M%*3l6mze(p~hVrqWG zW8;LqA7J9X>o?`_K+<6Ck~mz%d~P4$$NE6(F?%5 zsW3d^Y87=aYh1s>bZU|m&1LN5Ae1<6_F`Z|UvbYOZnb!|wN|<8&HWn9(>Es5Iu)*- zw1(Dso%p{*_mpot5T+m;Uf@Y%hE$3;w|)IZloz}on0M*4KKmAw$cMgT6-w?KmhDbMIXpYlm?P4& z2sITDF_3k)@vR2Dl#x=usWe%w^}+P;!=*&;az)TI$;Er79Qx*4JQ&>Fu=7diEILQ9 z1950#rgkg6PT%(eMHi)2{(e&b2o}Vs{cKjJi2Wt*#;|l_AI)E?m2@av0kT(1FCvYt zJ$Pg2FCCWO!~kYTtT7}A2|;hCyfniUOJ;N9{3w@L)gBXXX#s740JZ$maklp6_W}&_ zwRhS`8`jp3l2PfEu6+(@t&zcMiGRowT(K~Mu#QVq*fhv-V*OEEH|*ikO0IjpW(S_~ zW1~A^0bLq4+9^sLE8i74RQ?>&|_Jph<$!2|{)TnkUdW zCTb%F#%~HgCJt2$Y`tU3(m4idw?m@E8zm1j}z6?qaLlpR>`lXC*Lzs+Ua#8V_Tm7$Yc@SLX zzW|C~XI&E2#=W5Qpz3}&G;98Jc+>4#hy#JdcC2Q}vGQwjG*P{qLdh=E zXKExFTc<%Q3))pX9ktr;|31@Ds! 
z;w-X%xV}BQR2hq!HCm3?0O5vkD8;|lt?FNQ9!&3T-RzF#4)L_TUFE5J&cNhUo~Uce zJ-JNv;-nuYXiM;-UNR9T_9lKSkGaENY&g0BNVMksI#`!-w&%EcfO*QZ*buEsXR8Vs z5z%FEoQ7qTAwlG4$%@aU{B4ga6F<@%RS<{o2{6v@R4sm9Cl3?Xoo$6SNFTOsekjm= zB*}1y92~$I|1xL~WbgR^2!Q87vDA<}`5~A?w}X zzTB&z@O>&WKjEI;ya*IuXT>K}Unj>2=|`+IAAK#N+(ORmze3RV{28BpF9%UpI@5TO}gq^5> z0D%&JV?T-G;aR7n@(BUpYLnRaqJyIu2FkWAyTF$`uWeU>*Io4&|U(nX+dfV@UceklDgRca3yXQL`M#NSktI>4RN%>&I`BI2uPBvV+E3&#-`|`Dd4(=on zTGiF~*g6iK&51nPG?IVSLPL2G87c%0CRomx5XFO$C)N&y=dlxwNsn?r>2i{GT_#p>8o%9Wm zZdGQvCGV3SSO8uyacR2$*~u|M*=2OoZ{zyJ(QF$Zy`0!@yZT?Q`#+#8xJsEwR^Tn8 zl_GYY>XLs-_Qv? zC3Tt+_xYEc>u8wPgHXcv7oS?0INk8Jwik*rKdG?4t#Q2YRw<(`ZS$3rD#&uh!lyAtsF2`BATekcZN1qcd-E=bLVHYL`S@F5KRw z2({s)yI~_KM}&%sfbPL33!zvVC)FS6ON0L~dfR|q*nznK007lg(Q=>jrFG4GU)5vL zMYx)iJ>F=QDGxZea%~nhiK!SmWBXodYVpDO?v9jw5mR- zb`MsEX*2DiE4&r;HU|>0#SKOVt4NwSWukPa#C%;0qUSH}XO$?i;5FXfoc}qQu|~Bp zm!^_K%4>gspKIhJVk=&T{rsWmqeFKxnc9y#YBtquky1i%_5RSlczT){M=-u^{cc_F z8YzC!AWxOEfhl|*(3p5oueU$T2mZ3t(AA+EcZd3TwsTJX=qO%kN4?^LR8;sNB=rXm zfWcsmpn6E8(GF;HIOh$kw$ATMigS0wNVi0uZb2HWM19_WEURvEF3Yqg`}F>S?zfyP zh6s5+I{S63q{Xb0&%1qo!$bq`x1DJ2Ug*TXy#CMtNHx`@;*NFy)G~3Y`7m6qb1b)YHzR%E6%UL73SQR>;Hf5+VA)SByw^4 z?xTf3q18RdJq^z}1t_s%AWfaGv!3KZ2rG&!$fPEj1S8~Jfk9n%m1sWlti2iKg@z|m z`E6vrro>sM^p#HO>51tvMb)mHE8vk>8BcYLy3%q#7L3reM_+~w$Dc|&Rfc9p@dALT zA-!N!{ZqgEOEWkT0qn$qkbA^x%6zqO?u@VM`lFKLmUi_6=!}R{r3FnGkc$|x0hmB< zdf$3kjtl<#h4=Ot<{O`=<}J?UYhLU6R~d6ZB^rA7OVLnXGP$v z_IDR`vZLn`8PF5Mr_D1MVZM2IhNZJ(n~zeZ&=MbVyfv92#bnxWGx`Nz)VM?x;m8-~ z>L@eoNg|jto>KXV4LLtWH~5t8=lmRnBhICp!*-Aa$K1G@D6}H=mpbB`vN!&yxNrul zqWkkXKOB$*%BlRD!Zhfo{YNAbG@ef)eQ^crgBXqA7}S&q6^*%B`}x+mcKLbwqTJ8% zu(9x+9_YblFC_I0=Ja5B_VgAaxBaQvONGVj+{azlM&pWzgoWyV8rM?2_o2z`6oua+ z-S~KNni+ifEkF5ahi@zP-*`$9vXC^#EJ7joo#J%vy*g5~9T60vLlst}4qEqjeG5`maWX|!N)ILP#UUhO>x=ka0I-wJ1kFtm*9z0o-X5SM(oWZ;VOL=c#*6Y#99=A<9G zqoNMTFU{pbxK3vTY(9gS%6zf0q}jC=BnNA}B^_y<8S*R4FEw^lKl#5`T#15b)=+@fQTns<$6Cg}ng(?t2(WBfzQMPPRuxeyKbb=(gh 
zGC3dKbK0)8?aLRy_b*#luk|U?8j!lfrH4$Y^v27lx;B3T9tgtD@;!)R0OD79U5BDN(PxVgcqJ6bX?sV>QtYwdLoaN@`#HQtjbH&Zbj|aKl z+}}RLV+&kmII|fwaV>m368R~4GS;bVl6Ph2vs;&6G3Z(!`s`vFAQ6ryzqDd|<=eX} z2obU~Bgyl7b7d{^<*%))$M=bP0<}krz8+Z}sTnwFTkcgIF65OqtOG%Q#nDQClDn9S zR}~>tvp`Z~Rry7s1rXL;qs-SUr6vp32a%uTT~Inz%Q4P4%dJi_7|LAv8Q)NGykC+b zw~5L#Oz9Nl+Zn|oC6QC9Fn!Lfh(A&_THLK(35j7dok(&}8n(>tex~?|qEl>PYlz>t zfFL!PTV&ts3PK-so>7OO_0cZdVvM{_W!LuFmE!=%i9_9nee{au*ov5jsavIsAttT_ zou}fX@2+t1&pd`7U(IOjmnY7B=-P&!;~_zLteZ)&A@CwMhhb|mi>da6_(@n*YJYszL0(_7nC zviWE^JMiQJ{pmN;HO@2&6`!tGpGG!29cGIJ9mqbh{4qF2)iX?MdQ%#j!&BsX?y}Go zr3A4a3=LQ@9BA%3a%`J+I1h=Zv6f74JFK z5Mgmup_j=Uo5INHL0Rhg`MvfpSC96i@>NSAF`Z|TrBw>qo8<$Q?wH?W0rNSkm$mgr zJ^=#q-47Xc*4HwZM|~2H@=iHoG^+}zWlL}6Wb?eUS&nh6kqwpI$Uc%-*E#|2(WN;= zyH&C<4}M`8z4`E6D^1LfBU~$oF(KvaqRwB@UWYLmjt{TXsH_+brE7}v#4c|T&$yni z4=7RAD!vO`$HT`@bzmjZpXixR@9i~t=4o>JdJZzIow{9`z*?}8sP2`uXz}B1p#>!c>>x; zuUb7%#xs3F&zfdeEulaj$|?|vGT6B|p5vPSlR#J~gPPK7;#T3r8FTn?g#YgSaSAO) z7?Vzy&-Z1TJ2-8C>mNgwd`g8m==<4I^O5+0Lc=+UAOxjQeAG%Ogvd(WgJ^fIqbC!* z3%qiWKfiLkhW4$@C270!5vl^K?)=c|* zLiV5F6Lky8fqcw1D(>%%J8~V%kxO% zh<|_}u$wgO;*}KSGw3U(ev~bZXO2WnI^0f*nz)z?c!WTQB@8n(XH=)Z&=@# ziK|6?>yU3l!?@B-r>$6zHiJ*EoaJa@ni-cO-W#oAxqCWF_IP*RHhM_vzI-Idf~fP+ z*5b;+&ucUx>BX{J!ianVT}UON_1reu)S zVEY2?P{uMzWT92q%3xZqX3BXI0urizds2FPEKjA)`b097U)WN_qGQZ$2>S614hffo zxb5V)YA%MIP*3%NKTf;4`EwqLI39)ao$vc2Gh)MpQB1UHy+b3SQuCPncUjP?xDIs# zVh`gZ2g`(lSY62H-o1MJ7$+^1QSmw1Bs(v~v8^L08sP<-=ujhjO2C$c*2sgF5)TKW z`;>Oacy<3f znNG5OSCxvbhp&_~Q63G|-*d?@mDX0w-RMa>L0X7u!NuX#Y4H!S-~Bny$U8`hVKd-^ zLoJ^tEpU3+q8VBEI>qJK+IPxfo&@L~%8eE1TJE#!e2cr+EYH(e`TufV4_~_ z&_Ye{aHYK@QO_mGmKsC)6m?|T>$Yj7te!(?8Bd(mafjB1UjM4V84tn+9Lg!@N)XHn z@N<1{7LgPVe2BQk=wp_r?q3wEUeAT9kQbC`7&Y(m#V9C!)|BZ`iP&qTlrmUrG*zDt zile>Pxox@G%Z7;g?1k2TpR52A4BPvBqkr7em02 ze0?Vm2NBlf1`>30PP47j)$66TDg}lT?fousPG!zjgZNj0V>A37K*YvLTiD&|=p9J> zBqP-kD&5s#pgIy2L6e74_!d>21?Rf4@D+D)syzE1he_65!lu_9Ihu}i)@NKF$#9Y) z_}BBBdorH~w4OL*U;MNMVgV!KJy^`A8GYmB$$G`tb-lB7RiK$vLbiv53FMcQ%kFC7 
zK+5wRGx)DuMa)7Z+^?;B$anHpQ@-NalgtWc)v~?b%wpZ1>x)>TJ83%ic)=^w7cTjp z$kk*1ne)qe@xtc?9+u-1JAQFD4UZ9}_Eq@LOz(3p&(5C+cCK&q)`4l)T|Zk~!fIVZ z2nsAy+Zj1ee$lQGPs+ZhwDmT*-sRcxt<9nF5RLxErc}}wWIL@l@!A{}N1=u`GdAH1 z`zH~{5$|tavw6#ZQ2=F>yaB?Z$(eoj7dF|?Rlcpay&GRodS4E$3%(%DoMe^5Y`sAwRWO<>}%J-U2uJ!^(cNlEuZi=51slGg(-C6spq zTvRwETO^6CS87T%@F&&Iv6P@8in=DSMjnb`>osKeJY*Om=%uTrTO?bbiP6lIdkU^KJu)W6Q?Q66U=ACivXeiJ@UU9B=tQ#ppS*}^@cE)$Si zn28sWJ0Y;qg46=9#>J;O5~VO9U+Kwx#DbK%vO~%k(Q^>(#4)&`6rsk-C?oCQ%7}~m z7oO(hi0*Elt$!|`{b$Nr5nCJi=5^*@haAG}EzqG(N{<6Rz z1s`vD0rZN1M44V30n`WwGUk~R(dWxX>Bj#9lPNQ!)3Hd=_*~7gN zpqudRn2r$E)0Lj4G1^@PlD*lZvIQuGKZU?aXO411DcL8UNN;GtNY-~S62FCKjgZw} z!$SviCABwyxHOjvz4I0ZfIq0UGkUYZ<^ibfJBdZWf2eMK{7LJLQfqKf3v|e~l{Am4 zSv^%;HpyY(H}XlX+qibv_>SI&-kogZr|?cz+5$?3&}#EPFF)9c2@|rtLvUU24O6!h zfHIuxUh=e>4h{qfui}WrZJ*o?1oO}8;DP%66{kpFa7QmL^Bqr>nkDZ%*824}(NRLN zrW(vv>2T|%51*)|UR7d{a?SYZe8Gwkx@+3)M9%&=&79C;9rr1iHs&*i-$z8dlLAu( z_I+8cfo1ah%}vwzlb9tUWju$-YC`Fw_y_{ob`RAQzvT%KvWQgdDQXr)iM*x<>zFk( zO-zq~Y{xhQO4d-8sUR%X55HU^@#XEf^0*6lI3 zNN9}5!?rhLIG;E974q<=HuD?IlgDTi%P$cEU`YKgn7WE^-R92o4ZVW)XWuzaDPUpG zf?s}X({v8egv*cV9I)gj$1<8U2qau$o7L3xDijLYkrs)5jA6GK#1Emueo1JIuN|Ev z1KbCjuThhN5Y^2s7x7m#MWBg}PZ)x9Iqpu_xB=Y-9!q_Q$76&nDEMHzW85tc6~*AW zhesP$aC1D4`D=?NHDa~^Y$eU$-xSMd$=ARye768z+72c$PhSi0t5s(&JMH?YZYUdO z4GnCPrq#88XQFQA?U>-lOA+Vh=B$=OOZCro$<))gm-=)n7WR*KcWmRR zhxPVl777gI%lnZy?YEOU*(N!Q<>n2EQYv~fP0HnJo!DQF73$e0tC#%a8;u;pw~=3q z!y^P8%KPGKmRlG&SyCC+VDKRg2?W~MT1_v)wbF+bz(|yyq~CO>qsL5VqJ5)P;@G31 zK3)_6ks?S94-a=c>m!Af^DLFcnX7#|!hEK7X$6q~v;q>q`#jhqcXJy-@XXPGUO5)M z>wqYWRyb@rku`Oyq165IiS^p3`QFBu!eSVY=&7cwXjG}mi2LactNpR2p;~CjH`kdj zq?>yQ9PIu>R$PPd zGuyu|$i`m>TQ9I;H{{bo&9^WVHsqg_#vPU#g3xx{We{d6V8^_V_JeBpP|Z%rij^jj zy3KQI>S)5jopsC=w_8JB>_+b4k+*>4Nq# zN;&>DBz%2uUVOf>sSv`oF;Em&BWq-owWB=WVu~Rjcjhrzp};a!U6peGoVNibL&Swu zv6Qv4FWt5Kr0K}2afFaLFE_`~rWEIuLb{cJbj&KuMSuP}(StY?VC3m$2)_?G==Y<1 z%MQkuupnd0GT%%Qvh23hf_h28;lJW;hMII6!m2+Z7E((#>nRL^%?#T~<48{JA`KUv zG&bX@6sN=PUjK-l$B+YQ>ZOYEErkrt)Ud*Jboz~PG%^y1bM 
zEX6_x-2^t)}Q>*rX)!@ejQ`858ynyz_&-JXXF#4XQbtP~^A9reE8Kmthi+_%4X zli=pU%)91wOFkTV_5v(~9N^BdAmwb~Ml^GCris+$|NHJ^RxmSzi%;)9Sf6EsVLj4- zF_9RFuep@vP5ASu(qJSd`MzXihQMi@B`JMXjtWr#!C7px#K90sVy8i-ZiiC3VNlH* zUWh*FL!-&~OitS}wUCr<=_a)90TOzXzWOHD%yBu!rP9rFzE0-MoGF)eq(!V2sCPhb z#U9b#Xah8JKCybYYjHF7HY7qiYtL9hesMeU$bS2=@pz4pYiD%kE!*jw4g-xOiKx;Q zC_&+1g{~ZRCn4VvC5YNt9*6-z21Hc(g;)qRa7b^vX$Azu!t9>eSiqgt4@=VkXb1Sq z3U`qt$~q3+_rT<;Av|||!xZ0bV>_9$GDMTP>Grj|GNn^2W6{A%VO9`n@NjEUzUY~D zQ=Gr;l=cub-K0CwL5g=o^TsXW{s_I>eF;<@yA4VW*iqqDWMlVYIIvP9SsARR8d!CP zxzUMFV#Pkw&1S`_7Fk8y4?GkfVXtjDWNirIJ(uN^I#Z|e#g_{lT{|+JzFIv|s#nL< z!CgP9S4Y&271f|Z&i2I=BX#|U=?^6==qBG6YEt_;l%=Z6e4C)O8+k?GE(hF4&WMPG zm(I~Y>T`%|PvFnJQeOGl zdZeL^oG@*}hH)~dl!pUn7At&|QYL#&C*%q_W;G?7qv^5E8j3m5PeK`|309y+wy+bZ z#WfKtRdK4z1ZB}C;+6O3zaV&OMic%QBv|K*f9W)t{K(&4K`22`D_xg{>S^|G%~S8L z_(`os_fr{X-b{BYYsjiSS4p2@MDI_Nnv&fQztg2w_SE^t&Ee5tvNWl4cKPFezoCO~ z-T*#i!lRdcYFlhT7|cX_FY7U?Io~|YnSCg^h!eZ9{@m+GrViu2ESWfz;u=DhsVAdh zU8XXbKO~~hyQa;5cGx|;6QVNj|NQ|LKUhqhDcsgL&2r1d{%_!_4(eb$sl0R4XVw+Y zD%BE5GJrn9CObY%k8rjg!dNr>>5VImqmj)}rgQqY;y20WI4(os=6nzJx`}CI*64uy z%6D^p;Xs$}rLyUCP!0k2Iz0T2y32CYiqkodYPmyp>?*VZ6^|~B_{pnKN;XAC?wvAH z=Od&=*UfQP{vg|OO?-vS=rTW7+l^skTiZdLAnr5=rI#7?UZ^W|Up?ACv*$|2axb5> ztj#Yk-pCM$Q8jSt3I*X92HT3z-HV1Cr$<>Rg=>FhoUnKnxIBIT1ul zf{~F8tI3pNZQ!xs>aeLSa6ON==gB$E=R5%>8f;QNOSnh!Q^dEHXJ^jv=%~>46TKSS zgO)S0x$b?(&D8@CJ=b0#zFx4crV z!&PGT4wp>#M%E779YsiahRZ#2DhdJ%yZRDacIzm4inVtXowsI*XjBsHzkLr^$Nl#7r`1mWu@O4r(0kEDUv) zqYYK+jWqr^+3om*>q^9@{ZYg9SV)2UoLjGQ(s4gy-q|+&WkkQju}67JjNIX_b=Fa3y#C*^uD~EgPF6%=?|J$KhoTmCVme+UW(d&$1Xd z(^a3hJ##)g`|=)ac28V+oX>ZH#v05I7vKizU*HBeWCcR1>&Z8xXh#@tS%01c7fzXxYktyDF(-_Vob45uiL_STYCyGkL z*~yHxrvmHaMY8e0XJjw#81yCOLweLc&6)144vGQon!F{`>aA|k?smGJJ6}`)5W7xt z^m9PQ;bit!hGKF;C+{La`fQ9<4VL+6tsQrwiXGOk?=4MgYP#;5ygI#acf3+bwmU_{ z_)sc#Lh|SENzRQu;C777s*=Z2vh~LjMgp#rvp1P%+aD1~Tcc@=HQrna{=an)5kyPZ? 
z2ys&!cY0KAtyp&C^jem(*jXtCFG>0`3xsPtMs1%Mz-&>SG&wy4l0ElZR3pFS{uNe&8ePb*p>Z@YEU(C+lx z6ehspSkA&{SbBI7_Iks?4WhUqJe4~LP(#Au7g^Ju+Co#u^7GUuD@6|-_t#dowbb;Y z@G^%prt8StL#Tt~rY(6$%>$`=ThV1_<;4WOHsslguZ_M@* zG5CFT9;1faI-}d4V22U^#iQf;wjj6}oi<|E@C8D|?h?6_?f+<-!`H(fz`_ zE-etqE!FGRnL6N5N!tqLr}>~F*gsKBYI#|A3eVEvP}VxcV0MYn5RCW2kAB-SWTZwtYSWsf@fIOkFbMXrNZ&BAU!s(?vpwF^J&aHtfj+e z)KPP(q1JHF^5rTajo{q}@Brk?b+Iyb5P+CyuZUipt&0O@hGNEt!=SPveD|`N(vAL) z4~l<$kz>HuPvwQ%aRe-R&xXQ{(^Qb)^FKhrHxHhsQvdf4E~Jmc^l54WK|) zhJT~VO){vj#a3yd)iDhAmnMX-(#29`QPrJ_53iU84m-kwmrYUf&CY_2Yp|ru1QYL% z0nF&Ye*b>wwz=LwQ5w9faJ#AQ2P_`z^6rv}u|!*K^InMY?L2>iabg^>Q(MW-8B{x8 zXE#$d!&ztTwt8jcYRwR%90}^i-jNnUsEJj>H2Cc z{BtujIlkX>2dm%-+bOd)Sw;l+OMKPDYzr#P-i!Rl9$_L2fKOreK6vW}Vs3y^HT^Wt zeSq%@rAtToXVO;@DQLm0UssP2U3er8v@+O5)kpm62k(N-1fM~C?0Z*>9A2n;Av^nRYhPpt692E=>F%=kt2i8AP@>;<^iZ0yc2wfcLQ%>ZZnpO z_4hr7xzpE3WpO@P?2bYgXoKF>|G!U(ZO_NZKdv7?fN=m|KO9vJANqn{p_^YVESLG? zWVrDogU@)niC`hp!EFGYcaWoS`9Y=LbBSN47d8g~t!?O0taeSohrZpUQU}A=_$mMT zIYjUoLHk5=5cn@LW8HTeB6!>QUZ*5o* zB@_V>5S0+5ySoLXMRJpZu<7mwC6or~l&_ zIKwfH+r3xJHRm&*^~||ka(dLV3rCt~N4PH%|A*+!I_N;ECvV1uE2NTeLdbP5@4C;o z%Xs{ngh6i#q4n9MYbqLPrpcjHm^-$&a!yGxw>ORKLH#El`oQU}Rkw6^t!B-%`A{~E zv@$ZuP+kLq1PF#qKlr+l1FY5pI&OGIT_p_QpLS?~XaFf_;+a^+MSSpATP`KMe9b?* zb@7Ryys?_nY8E6O4*~i92Gq9|-Y$^_*i{U*gQJhJFJ@T)mhZDNlB~Uznzv zF>)(ix6IGa07Fif1kFwUK^`IW!m7HL9&Fz*#ekpd6X);?|^XucRri}BQ~WSdUb zQq2yBb#J8h4t{-~VQxk(?VZod7s-bMD|1U zgpt;X%v8Ka4Z;;j=gIyw*{#Vi<>D_+&Y>=P= z#pn5Dz!fFrDvkx8B9~jcv7NoRs|t;0UQ4Xv*!wmbRO#6}7v53`dAOh7+e^21uzwa9 z@-@4w>z-=r8dKj5qs2--?w|oSu630#lJov3`AP;;bgkWXFURG^{vhSU;79Kseol>g zkfiqXO@eX+3+BSkKFM08?UG1Ce}y!4TShuuq3dE;i0@9W=9!(6K+1JVh1_u}yJX$f z`U?9`x!jg_{=hia60n`|)mz3ci&x0EV*!DDtMp>V-D=2Oc4sUI@{g$O9JbZ90&iwj zvaT(^b5WF(NAyb8Uj&U%&OOgj!9V zGOpI{@bn(0G+6gVBF$)>`1Dy`?X*CnWQ})*EpJQkEr*K;VxAX|-S?<-PMk?8)A>oI zkS|=UzE_u)o*&au^2+Ats(_6jWzkgDqj6ZCd`-)$*DH#gJ39w71x_?>RpzxHm638} z&$Y^EXD_%a>k2E*XFP=;9uO-|%E%P7E-Y~y&LlO;w=P+#ewr%FSLRQJGqELr+VGID 
zFx~7BH!QQ!v{$sQ67n8>zeJOjsKYw<6AK~C26}(A0Ex5&gFjU2>~)Lmb|>?-kIPyO zkloID9x6U*~7 z-`Lh>N!#Sy!QJ=ZG=lwF=-hm?6V~NuJd?2(ZErYIbtXCNams2`ndCxpVKLmRI(ocN z@v=)$K+rOt7Qd^2=p@W^DQzCiU0hqS%G&>Cq>E63iIHd`Txizmh{x30632lUru=Z9 zIOgkPCMG57GKI*^4|8>1D@SW|+y(t#=x4HlV;){j35nv946Y41(%xCtn9b*qi>92a_>t;Whe1_IUfD;yx9;uL)Gd^l7_w`q}QmXvFP_P zW(4$oi1T#i!$LH(MdS*A#3Xlg{Qi~y4Zape$a)96W9qk4x&H|`uIccZl7BfRmdC;9 zFC#q%PB>a|b~xACqzaUaw+ZuAvOlaQYd#I>Byf0*p`^QH6}x=0ADbtn z8nNhDu;t6Eq_#Eiw$7A$vg%>Oa|T9!AY33BND8?y86z4_ZpTl(-y}=*U17Bws*=3D z()I<S9vtNf!)~0ePcW?)lp~)QdcL54WI)Wo zzGde2(UK>tnw2gM=L@)L8JmIfUAgIJw9U7^5n`bkSpLpOgI^*XzV-a*?LjjUW+rd0 zv``3#!AvU0T&kDDp>xug$~xt(i%OBL^BNr^Ds(YNV*c!R2cx#C+ZDCT=9Tr!>w^i_ zUF~+e*3;#+jo%?Xv#}OJ9~M)4hRdl+>{|*~lGm1#L~~m3c6#kNWmG`38k8B7Q>Z)xjxBe1O!jq(gC;YS~ir2MgC&4|9uR3Tber?*wGR@=9 zdU4`}9wJ-I+Epm}@K-x8l``vN^>?Q=>~8Zq)5l-6l2d;q>z#x?8nqkM`QVax0M57h zJEVA?syYd{5ChzGVNsg)bblIsXt9jK_=VQVJQzIGW4m|elGUhFp)#tZJF8P~`a#^&4+5;FBYF#bZU3?p~O5WMG~R%0NC)fRmVPeq!eTXBTZat@WB&XQijKJBl%DCMo_&h`bgIHx#=o-Jz!70&Y9|2^;8GEPlMnI;n||yK zKR6A5v6_t)hV;C8P1LCM!&j;8*McoEF8kI?GsOnq&DzW;7#8l`2M26BDXvsw3EBa> zldIZ2uVNN)#Bgs?YR5Z#{b16w%C|!}P?*1&tH}EEJ`jY#bQ^XY5;fWzZp@%c z!sBh?f8GU|+nJ8E0P!H#R1_rEZoiClvAKtfCt=zwd*E?kR=A!Rb2pzY`^u%<4 zeYYDMN17PJQnGfKd$qEVkaf+@W^Rt>sU&V}V*Bm2|;C8-BBjTOe)v7AmWL*FP-i9$QQD*$9zG272n7Zd}e0mI2Llw6`#X+c>`0@ zNbI47s&FPchb7KV&;u2~VIv(G7*(!t}BMRmeO4<}VM5?TJLpcDsqiO_=oeqmgrubVWu%y$`!e zGv?VZWaqk!ZAp_I?%B2y1*IZZzg?SxAOyBr!(=;I=G?Smn6>G1af)$yw6#a6k|cS4 z_)pH{tLshB9DtzSu`k~-EVK?S`LIR_va>+uuF$~07nWcwZ<&KcfJ77jcRq@S$VYGP z*zORn?Pum@dKB3u>E_p!KJ{EOTwIJ@(MhbO%uIFw`7m7O+tEM2M;bnU!x_#DJ0RWY zUA;>5Q2!))lf$0*?0PW|1Bd?MfU!dmeC(?dTUpPmUq1YS$VC22!Yte@0apE?Kqpza z4FU-i28SguM*$6JK*Gc;f5*xc9e}hgO0MDn`n8zjKeBBzaO3m7@;EVL@AueG6gxWU*93t&l`<3gUm2_@STl_H(AQ|b zPcHNFfo7XJYyvMn#p+n8$x8o!Z!h9{>+)`E(@KND;|eYh|2KBuhyL-m{r8wty$0{} zT1AeZ{U+R7BmNsp9!>$~UjCHJE?klR_iW}sLtP-rWqMy_hMDzG>W{r$4MZhCDSJ9S z`#;{Q{l_rDWfPEts(RT~%v>scU4$@>IK=*cIQ4EWnd>v|qn1nm-uPzG4@>09^wK98 
z)Zi9!8C4^~;nM!xStc%TA!l0)U1N3g!GBPv@PGZox4cL@ZM1r-Lk@JPzQSXdY(|S< z$LnzC&JpgdvyIQFkm2v=Y@<3Y#asn_>z9I*BCit;cvT^3Iq>6_dB zJScvM2CIh|_5QJ7VO4@{T6nojxeqg4L6}D9EY_tFdEO5I{MG;PVIY!UCHJ0}B)zQZ zE9{d9?aBfJ5VnYs0-Eq~rGKvNNbQkIK$+Q*-G__?Ps&{uVJQ?*oJ;=9aO$HD!nNjg zvw|+Md~W|@UVIt9sl?&A23?N@rDhh2K$P-ZuB4kpj=1rBoTR4;B<+k%KlGC|7a!$B zpxz-KDm=PXY0=&!!j(YKj4IdW|95IJfUfI&G2Q)%>|4Smvt;(>Yc?5ZKPvDQ8gH)w zN;c>&%$sr8 z%^)vrf%=)jkqy2V0^l9ct>ajMzwXHs|Iapb^^ylx8RA`KMh@U}wU0p#VC%QzAdxba zP-iXG{AHmxR^edACQ-FWJ7=ARh1YgH&NG=;;9C{Qlz|@8^<=(R<+P9u)G^8F-5}(F zCTVasNKux`96sXn)Uxu}&D%6~3<4@x&x!LU;){&V7{;vAqn(vH5--*L_3`Kp<-nYD zP%5W5O{ZKeYmx(xAeY=b(S<#Voo`p5wwhr}YG-FE)M6=Yf4cB@wV{ZHPQeWli8$N; z;oeFil*t-#4k~B78ppjD78g!N`X_<+Xft^$O-&aPDm5BSLw=>$_}?Ms{c-AsD=Zhs zE`EabNY;iQ%%w}UaNxUPSEWPyol28_S@5z^l_R>c4|=zb%bI{d|B=sN3q5S3S1Fr@ zkx`yYYnr)i`TRQS?x$@<*WBr8jcS|sPdoaF;b`)Fxq5Yoml0PY!a%o?1qaC8S^Qk>X~#Kp|kwNk~(Rj^W(%jkNEKn;=>>= z_McpqR!eGjDh((12k%hFF`IqndS$5k=B&=FTK3z}VLl!18gm#Mqx!FE+r^GF)+}k$ zw$;kjq2dsPYOC>jv@G8Q? zeYe^im0L@ST}MH&`P0b^3Vi3?n$8qjDc4 zVsB;HDoL1T?!ACpFbw(Y>A;*2of_4-Km&7^@3U43&%A&wvo&8MU3WIsJ zf;7tW{kn-N(>W9cA-R{rfcB-$zrl|HV4x!^8sq0dFTR1c}md)X6r$sDt!MY`PH%3zW}C4!!@IwahA#GR>W zRXanoGq$u7#!9 z;t*iSLz1_HaMk0(ct+C2F;+TxE0ghFQ5pw@ggAI2MPmJhIKsz&T%Kgxne4GgH$K`& z(EU96>3aap?i2+Nx3vkq(y;_72)wq=(9Yw0IPP8@cze)AS6MX9a3*i>NNqM74JP|Z z)2d!a=!{b(0E@(CRm#k8#Ac~&EtQ8Z8z}X8CrJbx;pl$ErlS%~7d%}@nyt0ydLxz| z0-KUla8@SUk{3UbwUsN&VckD*sSH;6$Q4p9{M3q)4_xDW^Oy@NVH0#k(GbedZboC) z)5Ga`lnNJ0Dzr&k{O87kc>>TlZ$n~Tb`kYo?YFyMMVN7!5AB6K_&Dw`1nSv;J1_&+ z%V19n8EW`f5TqmR@9V`lWyA(GIqiQ1?MBJI7B)*ae$Urf2&7g1Hbk4_ ztME$_2lw35sY{dNbZzVIn-avO3nTrG^S3t#6^^RB@x2ill6#w_bMl7>dHdP+npN$= z{$x`7ZLfIV>7%S>`GYE(&iH8MqC_s0o+O^6b{x6!?2r;U4mj&v49}t^R+W=ZAMrAq z$D%nAulwimFi1BZE-tQeoCByQAOTh93tiC;$ow#Uc)g?<91AzuOCD{ye$8S(_|M!9 zWk9PRL=6je2mKX9EI=@-F9Ci4tg~prFT<|o0A0#1UpB&{IOfj!9MjqJ>j@lQdiwnp zErojIO}3)MJ1s|Y%k5&3F)Q8?07f3M8SeZAH6V!BUxp0@)uP2o?6 zxMJ2k_}1pjO&P_?#Dleu`!EqKv@mRfc7+PuOy#IFxqLeL!l3B@ zs#21>p}o4f-IG-XEYIVaaRlVZz3j7LgY6C{_j(d-zPyzeg}d 
zIsfR-gqQz1fUYyyZ-!$u%a+70`av8kqyJRq7!P4?bi=&R0@<87sU_%rL{ZPZ7u);K*4YS6F&UJ3CD2ic#*A46HTMd zI{an|b|7@dZ^kF%OX2_VVFM<;I>^EDtUv^wGG#SRa- zR$^%eE1YIMffF%l2Bh`zz@+6+^}NG8M@W*cs;otm7d#;Y#KpBLP0PM_xHiWIyQA_Q zs+&mzj>&R=$OK{1K(PAhxokZ5P{=MJ1Ky{(nB!tZ%KQl$UqM2N{XVC+4-|!mc6Mm>)>AFr z%c`6PekJ+&Mv7{8GG}JhY+9;k8gLuK<847alV{alO|}aic~doZ;|~7{-PCutO&LuA zqWRo=CJS!W?ocTG7Ln+GxXcae6NFKC^j(KdHIcMx+_U5Et=SC6hO73| zPHF|pp9D|!?el*RA{l*f|GZkk!EBhn2vh37?bi>f27ZHF*j=-qfCy`Oid{5Gr=#oT3d-Di_;XzH3yPP@+U9oz46na=Vqbe8_0Yq{AZ1b5L@&4bBsTOEqg?8h()89;->6AnF0$TJR_Y#@c$ ztS{)SKb@{eIscZ{8u;#OHVEjcsw%&p)2ujt8i}27M99u3Fca+^&Uk4OQr(*tV+mn~ zUD<07Ir>15WVeNLFO6aqsN}yK9sdWtq(5s`uv2`fx@ly-OC2Qqz&S({9}itaN~7_rVd{jwP8L1b!lQ+idn|7V`K}ipVhO; z%tf+!QBCkT_ontx5+~w!Qy*P|fd5umdHu^&J*P@r@}HdWEi1TOpk8}^2lc<`uj?#9 zmO#XSi^eDNuVm2qG1#yn==r0LcPE5Q5?Ckj&a3csp>^7DX)H5DEdOjU_I8lBnw?@I z707WoAuw)dr_bwzfBd^}GZV5-w>ap;!-{N-ikx;So$%wd)nWvI z81=V7_)g>eGkjsv2PpLkK@%Xit^qYChTI%Ka#RB|cET}-3^7VIb~`_~g(^D)ML z8&d-k|9<8NJpS-YMrR@DCs0-*vg`HJf6+z^$Y5p~2Pn^H!PFDhJqvP*V z`a)(L-l*ZCZH31Db4t+;#evmQ>&56wT-y--ACi4H4xds!{eNxN(>IrEe`H7Mv}u&C z$8LK&Ug~N@(TITg+sa!u-_rcUpJ8Jn_p=fJcHn^od3$*L6)B>FAVq$c^!|x%NGSDy zI{5V^xq%E&k-saJ{r`l|3R%*1lz)BeH@`n4q1rU6zb~*3o zF$X`NMO=$g=+IS44gXVE?oq4`o?a&!|NHZ|Z?aiUzn zY5a!?V73!K_@e~?xB{5Nl?(pSb0*6kED`#c?Mky#kI?MgOtgvt0~{k_`I~Sdp`?qD zYAmJ$Mzz)W$9>lKzg03{=>C?r{}Zgexqv;+e1xf?AY?Fz3ivO;rGeF_e;*oy?wd^d zuWzmYJCe_5!2}rr9#F$8(!q=I{Qqhbx!vypjq6D$P(l88S#hB*qnJ8!r1gCI`@!DH z!UsCNX4A(Z@)RnxYR`u|@sckZ?8j}-8qEC)ysXAg@heSdKIiRpvCQud$NlWNSlr@1 zbl{KMNmD4HT9+@!mTo$mVU~;MY#rWVs@zH33ESx{S<*GVxcD~gLb#r{j_~4iW5oJ= zD5oG3K@^uqNL`(ihO4F9mj7Uwc+%RqlgZVkH%rJT+$@e{_dXT7xmMkxR)qqSU|^d2 zGbT5am~Teh60%Nm>?h)n2-gAFs#o)#lw-t3d?-_wY?ZCi6UazQ+w7gbe;w|6+~sMj zm)|i8tt($AE&{=~RR!SK#LaqbwIEk}W#HG}$#VSX2mq$_s<`igPcWMGU=j{Pl{hIY zvM)Ts2Firy3nb8VkMf7!3GZH+Y7}789Nu)Zt{BG)kD$3snIje7^C$a?(-fn?wEgf-}dJEIu0sw^jQw$;&K{2Tg?mXBYGW|jDR zy;Kx479YfbfkkG^Qr<;#cF?&=w+tNm;@6ukg)iM=H?YxC5jLuND4}-KloH-~Ev75c zmBYvSh&lI;&s+3N$3gdVmj!#TI!@Pygb 
zZ#<$4S!bF(2cOkWr*`U-axBe_dS0eCZNE$zrQ`6-vC4>$&;KZ*o*-^O0AK~?x*i%g zfaXkvO%3O*d&=VAS=ylUfLlG_4w1aM79taq#OyZOn84(9|MBd56CLQemExKnq~mgC zu`vTXsJMGU!F3*;e zM5H08Y}>eI(FpkkmfGoalteS1k1(C^@!n?MV=GZEGMEwrKiw_Tov5k)f)DtFHx4cw_)PDHg~FS;GJ$vbaL05$K(I z<->{pi*pvbBr9pQhP{duWxYd zcB>&1=enGhDKx1$=uVF0Tc5jpdR0n+{1v6%HHqeEzA65wo_%S*v{%yP=YSHD(>QC^ zo^Ty!XDk!bJf=@L3c_M63jcQ}aJMi0BM6m2luGxI6mCS8Tw9qesDsfyS;_I5&Dpb0 zJ3n))%pH=+!-9)zsU!TDi7+ z3RB3p{|dWayFLz61AiZA**N!rqj5j~-Xy(7xh#nnrzq%zkSEws3%o3EE$c;3gKNM2 zFJ?Nn)Yw^tL-C-P(<0(9fkIFy>cPBzD|tvtVC;MoE+ov2tZ+Fe0rir_bWR0MZ0L>2 zI`e@4cK4+-K+i~Vo4ZhxyRj3OhTgY2Qk)f%$cdoQuqv$Hw=@@iblpFS zRcX+`n;xt+6wZj%_3Cn|j)gFcl!Q^TeHfj2 z%ddu~q$Y-MQRgP=ZVc-s$ z-nskH-8BxRQSVWIYEWb7x;uvoidn1J`-#`aLC2yxJvz$^L~)vYK0J_f@V;={ z-yFu(=Hqb?n8>JpFw~$`%~``zws{~#yjeKmx|!D=MJ^d?{|OB?K%sw~(b=mm*wzlD%6)mKy-HG6_=FeBas(BG(mb!v_JO+tg~`oASm5eDzTDnO zUl{I1ifWw0?y{mlUsfF;|7eYRlH}vX0~P#@@nb814%bR623nd|s5mar#Bh4cl4;a9k?#v|^-PR~c>Te~+M% z0T2hqCS{`(i1NH=TwMCyoyNjf?O}9Yjr9|yCa~-?7PdCdq6Dt~&S5iluenI@; z?hF(zYE^zoYQ4B{-ga5&V6qp<{oMj=EgJAT~}wc zS_N6hLhA=!6f#QewSyCJOu9M(pg~*D zyx-z9x0KLI0~?(_YF8+B#|LlV4SYnQJzcjQi4!G@E)UL!%S7$<#$ymk5gqM88>Rd4 zR~#nD+y5LGWIsqYN63Sr;pn}RKAG#N2yV`VlNsDt?aGEp?rn^baF}hLB2a_NXw&*Q zKt=8GkwWK**7uTP9nYjzma(^2>u;;}{!ZBY%4~#i&BI_s$eWioRl^oZZ#MVc3e|Y0 zI}(I}I`V9GGwZX*VQ8>@e-V%JA*YotV31)XRT`aD%wt7}%5ZSdTtwVV(?glX z&oB@u&Mg@1hQ(s9PiV+V{7bi_4Qy-4%TzBp!T@rMz)MCr=sSQ{^a-+xDExS6&>L?p zuGg4U;bqpVA?q|4gYF6i#70f=B8Zcq{_y`pbn;GIe5(k{kfr`MEXVfPj`9&bJCFWv z^!@?ZCIVHy-N4@d-OQXxg7PZ!+5Zc)knEIRs>=KAC{@~u$6suVkiyWxVI3SW>@qyZ z?ZH|y9HQ-!2>>sPM+lNnY%78O8@W$-;%v&tuX4}>-C~N^OX)pMmYuFxHE9YkTC%% zO;eddQ2JE^D)OZNLLGQJA$vB_Y|Hy!Q5E4fKF0AuwnFcJHs+upb6$>_bH2T@9N=AQ zblCY4mtmm6`TNts(lo>$t@}Aox6AmD5NtupEo@e|nH%iae8K^vAex;)iVV^CJ!&ez z!~D&e$;WcShN`Wk;WG^iXLUbFs)Q(BhfSj+$e3sMwrQ2W|J1$t7&-42;$%!x{Xd=z z_x$BXj~713Iclxa1xmz)6}$`K{XemPeAqpa6A2Ia1V!@&1kCfV1!w*@BBXJwA04QfgxWUJ_A07mO-n&*0%tOGLdu^fHyuoP|!`P_)fK#^i2wIR&9V{$y zgTH}h3?`Ytr>0RV%xg_*I7p`&wOP-$FsoJ=E)o3lve_DQDC*LwbFtg!_DOIcR4O63 
zU%cW@xTfX3?p{oCEGf>X&A+7+YBwV-D1a59{LZv+e&LkpFeH05DrW~*czSdUKgafYie&f7dVf5J zSX;YJl~#>W?va8e#sdysysBh}k-YY2U9qvY3)15~($SfGo6n98hE%_op3%^`%kwZ3 z-^Y?FAr40M3Ju6fjq$%7(Ri*=dw!gID6}KXMIa}hd=j5~KlIU4%FBweUv1Wxg*Xse zIB3ad+AnH4{^IzT3?DZ@SEPNlmF%`Z@+32m1+teahkB9+WSFFS1*q_7e>j+p2_ZM) zZa*>DPe#Vk9q;v6o+>2sNRy@nvnG)=l&-FyCK4e$IybQu}&mHNV3hn088arEgSa zFj<7#)9tR-%U0`MOkVNV|F>|6Zmc*3sPhiF%|Xf4Nww8!P1cLa)?Uy>)_yVG$aHI_ zA*b?tyirQOQL0C_ep}$m;m>(m&8k9wERtg6ubv(@r-wgXj}~GPouNSzR3H<}SbMfV zsV$JMUFWzmqG>g})pSt|zApbombARvz=`=-sfYsqPhZs{jV$-0Uo=)T^$(a|dNX!5 z^YIQ$29%t8-24&^yo~#T^sDkDZ?&{YwUcgJA~@2C*tc!Hm0&jcO2Z@DJW)UP$%TWR zR)qZ^IIVMTJY(^ZE6SJx;z4>-}(oRD!2EC@%VQq1Jy{w(s?sZYhB6xS= z1mq21Owj|NO?i^A`N8INzG8;|Vs~N=_#d^S9Zxu>9VabVMJC%8V@U@O9|^b)nFOIv zSRT#Fv>J6MWEE@It@a9C+?JW-FJT9aCm1t-btV!7ff3(?^T=S;6}oK4>bS0sS_ELl zZq|ZEz`ly$nLk8n{dUA}e$Su$%2$ENJuNuKTp$*3r*<*H%wDpbz)sipD@E;258rUT zi(NE8Tqg%xPO2jDDvHT`PO8OPHA&IhRtJNbir_zD82)eL^MSrYkx> zS|Vxt@`YCqBKmxubBX1M$J|qL zY|vEk`Mbxjg?&+G+?5iz6l%8w^E}VkomT%w6Kw7SHk=11>ozbukRgVBPm69-Zn?MwnoJ zJev{kT=Y@h(Uf&7W{;59udh^~;c^#aovhhNp(5xqJe03OXSAo0%p;MsB0M3_H&t50W zzM8g!N^OAs;kKT@$vRA))QUKVGp*j`M_txY1dbqRhk)}tz~V;Cwa9~jM+%o_y?^<} zfr1$E!k5R9OX%PR81$3pYkDq&TF1J!($ zErBjXp|{G`rMPYKsFdgkl+9Q*9!Zc(1cx7OWs(f4;=YJ4Es%OoSqm1I!+eanNT)%A zsqru!mS@rg;ot;KaX`EBLTa{836OY)gK4L=SY1z>Dh{q*N_Df*V(naQ?CAy8?d4bY zV%GMS7;(&9NhOpWoFur5%EemaHG;`*n>Ci3oq2RG!j!2n$gumZahu#GCze7}Z|#J#7mjaGHLDfrF^7)x*yK#hD1%qjb7N99}23ZO(1bt2E;e zuj{YMJI37QJ`d)T%JNF$dni2L$8~SjWOXR72Q$+psjoh@v)Cg7$_Maog z+G|tF0*Bw;$TxF1ZEE4sDnC;YI;+5?j(^_iE54MpZ~+;;yIYP;ydt3m4@`A z@N?ntEHW~(TyEho*wXT!#0gjgGw< z-&4v>JaJ0;F_XAo*Naz^UUY>WykUCFfdoCvb?~&gh^gE4mji z?(xCU4;%vg@55b8O~D(J)wfuJ$XcGANDz3DRcMS<2HbxIR%0pO!Vs2F% z_ahgm7PSO1H7;w5o*pfw-eP$hBeeA6hjXgb6H_m+Qlf`xh67Kmm6T~V3MADg9f`L0 zHLbkUnFZ8JDTa5aGV1TeOFQ(vFbT{afMre)r@n4I0ne4uxyB5znz_#O+w}}`^1ghN zqL5Oh*dUk4+18WHC+@``Yb3P?0#qBTDeW5gRf68Sa+&;C}c_IJs}UnqV? 
zj!+1T6F++UIif?nizY8@Xa@5k=i97EWh`_H`-nJkWC9$`RRZyZ2yA?dSiMZ|wnAgJ zkX&P?caZ5iCxVlWepa!-YZR%C3o)9Xn^Gt~KS5qtS_(1(z5Lq!n$J$Qnu3=5P)XdM zAM$NXN~U*H#A=c4FJxp58*vIggaq6<)Wb2C;y^!0IXijAp0RYDC{V2( z-t;kdMDyZ1_%Dlx=-b44T{}tj2QzLBvk`HUC)Zwht)O0az3CQXj;i^h!D6z?TOWT; zCSCAM=JkDnom|<*`$%lqrN=s9&~9-oFRJZOO~#BJ;XND zwaachh%F^XpsD_o;=l!p?`Y~3M%QcdsNlWP-*JxOS?o^acZp>^+b>xtsQDcn2 z4EV+(O#|zHJ%zfYYpht&jt&L@_Y*{NH(M?d3aR_%uVRjJ+s$glx4*E4Itapx8VqAW z#uxE!qsNEQ>jlz7zhb_TjjMp*qD>1xUza@ORglnFl*G}x7r|lNN4oNB2>+!Ci`lBO zw_t@V%peb1>PaYpF*Y)sfS)ty?Hvgo{jSY4?7Zi(H>9NS?imFydNdh_NeKg3ffj6W zyZ%piE9yhjSqBFPZPtj+Y}95o>lrXAGZQ`&2X>^R$!XX=J5g2ixYwQOAjP5b%;HH| z5}B$=i3o3IOSOf)sF{XF0*S^DY9Mh|EzRAa&s-Xz&vMEJ%7qo8%)l|eXCvN4MkSZv zJ6xa^Bydd%o-WvD3x{?myjxbed*P4yFk3H^n}+;@x3|BT=6TM|P^&TXALPseX!JU6UFqGdCF&>{8`B zVt=AN;d#HOrs4C<#}k{Iiu?nK4}f`iw#m*Jp zV!(%y=|9$@CVxJM^O7Z~jb7$HPY}eml@ynf$N?8E`F(YNmxO*xLiK{TYKMnffylB~ zgiY5z*+e`w9sgIz4SJ~f_y-$1y4%PVB_k#|$&{QrT=ceOw_QKQTpU+*KWm1-S?_L0 zYsC5=g+n~^91X5~=3dBA@C441eXy`IHsW^+x78yJXim3dQJ$04A&gjVgxO`M=uI2_ z^jk@B3Gz1jg7>d;?=xE(_=z`{3M?oGLh$g7H}8{w&=WL>(ak4%0$WUHrF#h0hOag$ z6zA=uOMAfMSsQrH8U%UJjA8czMv1Mr>9232@wrgljea#d$!9E1{WNxu2}9d2a6t(< z6#n9d($l+yG*C$Ly{9NI8KZEXzw?HieH<~u5y}#>!a7o5L{C*I|a?sm* z5A|Iez4%+Q7-0?gL>1--1!(pO?swLpLdo0wjBz+<fjDS>2(vHTjJ>jX zfB&P~b@b#f>3_So!nPZE2#aqe-RX)1D_28o)>}l$8nj;*Sjop?)6Hj%SND{HrRx4| z^BwG8+DC`q+MUEy;rcQAHt1@1Oju;Z#BP({cPfvU(nYl9{0e(7_$ejR^b zA`IQxb&kA)hMTa06(1JW{`dt=@I4sWaDeT?O^9gA)A3TATxL9#o9X6p9fd8lQ8Qe$ zfzM@IwjPSVO{Wy`bN4cNn%YJm;%#FKMuUx38rP;DL!sr1Vcamv6Ob+#;S%Gh~G%gFJ3jKiY2_YI8lxEzP`0d$LQ5``HT-7E#cB?wLOn5@Lf62u$*~^5ro;vgZ+dKLTUNR8)00(kJw*d;_ z_HHxti)MXQgOKdVD9cPM>`dr8Y3T67j^K*75U|D+HlMMl*;^!wevtTlU^ZiSRaVo|ulIIOaw4wk&x&8(8Xb2*0 z*2fQm#4wBF!+!XSP|8jeqWf+Vui?RBLO%O)Sj86XFBHs(Mt`JzCiTp38Y-#Uljbeg z^(@~9Sq&*PnfLX)OZ(3suLHWWZdJ0IS?v=~9qOsklT;w>->=i1IZAA7k&#L9YbB;@ z3=4UOmqUGLYxmIrZb588fV{?|gVw~ugYDV$LTDw^=QE3dbRE;P@KX5;m%IB!vv1lN zJtVkJ8ws6ACf{L=gtpqL)jx{)Wq=Vud0i<7d3R;B_YBGl3P(M@nmxqxunY4I 
zoJj^MM{0kdUJ?gtJm$=%+rO8UpqiQXtWD3hW$4c8GGayG-mO5^mewDs7ZPeeT$?^| zSioQWesu9LH2>%D_Gd%#)4(pKPO&hWWajlqBkS>a?dLyeKL=xis_+g4%M*#D#{26S z)p6n{0dl85iR!)PZ_6Eula*PrelrQaS;rcD59KkfY!tbk2wt_U$!zY&zNdvo(t@3+ zp-*og=hCZJhnYHCL5SjV6N7FdMI8kXGlWd4^lRn9*ph^H*-CS&v%|`*!`v{p zEvCTl4;oG>B2qpVR`RK~s%ZJXs*&s`ZNMR}`(dK|t{{+Z)+#7P&h=H-oL4EA8<#8R zir>S8eH=sjbEC&l%eX-OkHYUaA8!Pt>6l*MJvpRY7b?TDVB^z2H0+&gYg5qM`YBL4 z?wwu9*xVPYK#e6E_hOmyI`8K~W)6rGi)@sGm>Lb6^oc~&2Pkk4$XFC43)dx;z181E zF7GP>sAEI{H=^fyGW7u?^vV}~zVt<`dIO3FW^p}VHJNQ$YTKRpS$lPv^Al}(EiGpV zILAJ(_*W$L9AHERY{YuRWxu zrfsI14Qp<&Aih23$zz6k z<^Eq2Q?KC}^cD)Y++!ejcUvgv$Zja(ZSdBc<;S*R>2ivH%s`P;dTdcRUGre@#GMf( zr(7+f04?#(`Qy(8co!aFQ?Ipx*LZGtkxbls0q1r9h3#+etaa~T)Ms|OWoYA;Z=86) zR%QMW&cX7Qf@LC83{%g{;p6<1x2BS|<=da+*hP7CIP zs84Z$#vb(t@~ikHN7mtUTt$oE=r;Nt|4+b~^$Xm=kH<5Tgc#FcYjs>RxF zj&(W-f=sv1MU-sOjoygwpa;n>#*CXgmt~SCUSoqBUgUhf^O{EWnq=YZ9{J4*m%fs7 zO{2Zf0tC}x6`$?v%Xe?UsUgs3E3=TjTBrEApHr{&Va~OjB&WFK_?Yd5noAfzSLY`i zMO^j$)!^w(OXo*~j>OZUMtn^_imbf$b%t_ZbTP38Sw^B&dyZ=SOfw84udOHZWgusq zHV_VoGvuUsnQrbYu9C!?=^;jb4|)_ZP6lI={WQZRLBuWE)lnz6`c}P8i9N^@JIzU~ z1X`Wu1e;_J&DF9MEPYBSG%eVvAH(_)gGL=5=^uXUC5o&#NEJv9Nu2HS4oaMe8;6E` z^30=QaTHwN!O@A~v(^lRywTl9`Jeejck)7s&%gqRT&}w z*)Jj6uY>v|^t~yNi-QAq;P_-e^L*dl#Io`xt0y+UP=5}h+M_#1rq?L<5-7-uVoqV$ zue|Pu@KiH>E^+hvqDiNVXXtgjcKg)B8aJi(RJ?yC2mg-vdyVeCoFgLJFGZ}?z=zU! 
zO>%k*#>a0eyzQbd-!!?4yD;!cFTL>pkoMM5RjzN>sDuI1DIgsp-6f(-)wsz#DH4}ng%a>Q70s|Y4R6l7t2`am$YdSx79lAymNQ`=YH84EvOnMd7O%xI>f66e$N9ii+ z$FJ1Epo{~3WO#|Wy6CjihK^dqOcd}Wk+@x+_(zX=V{>}%-29T3AeJ-pH=1t?3up@d z`b!xxFTAFk-#Q$0jU8x>;-TCgG6nDOs$PE<*+UOwIXyh1{KZm$>BLz(!v9TKpx8UT zsKB-)3?5gXsmtZ3Omdsqca*=Ec{>S)ZUGQtb5rXSAA>qQ`mr|Edm9c>d|Qk zuy3*30g(;>zEW?oJVrml5N%y^T6Huk16Bx=z(iy~>A|f6Cm{`6-g@%H!_cS`2;V^r z+TIgB3k=%QxLGrV)#*_5D;M9Pw|z}o4{w`}?#>Wr8?AiLF}-J<-;T;P1q*7WrP7k# z2yXcBt4(_m5PeIv2&x^(Iv5c-zjU3GAh%w@NotiFs$E!8Z#-4UQ+Ta<(1e96YG@dN zd~rMIPX-7G+|qLJJxa2_&AJNyFUfijp}~-OWQ==HBtX^TIPP=WQI{kTEwVU}!)vw3 zJB3+TWm|L}g!9Bl23W603Q&Grxs>6WdJ``#Qdh3(DFI+2GKT~D==Al)(xq&f4iT8Cf zZ{_FNARH^%v4A?$X_optjN*p5L-$2tOgL+2m(xYR)~cDS^cu`7!j#pcU_r-?)D+ zy5s5gbg6_VM|lKr_Xy_;C}%paT&;!2kKPNqO%9Xf6ZEk$;X3eY>3SHmZkgq;&-w>* zf9Cj$x%2(25%GH-G>|D*@7Vcg$aBoC+#@*D39NmoW&@h zC$QCnQq9$NDfz@f=OFTY{%5>yJbA#|B{v6zl#?60hw{7a0x7eetYfa9(Z}kUcZJ4h zT_^V%{kT4yU;Dl06uckl?5crAkVo<^UH1{HoUV6R!b+^M2lzgq>Q7?Almt#d=es{@ zI3PG21p~a#yRF}x34;N9Ks05WKvi~3v!=|#Fn>@cJ>us#KgQ~q4u)Kg>4%|)ClKQn75APW zNm?J9eRLIrihTX}Q6z85*jd+)_$`fE`l?nu-8%aCL#IBz57UVi2&y>YL$2Gs&cp}c zF~p>=o}A20`9-nbX~9u5*XRPRRAtzqk?-JsH_%p<`dlQOq^j;o2xI>dcsjKyqT@h8 z=l}wb;sp3&%QrSQddfTl!^$zB2Yi?Ck}`gxivB4<=ZgR|nD6hsp+|v?u6ia-K7=di zp3FFD3ZH5J6gY(XafT25Ak?7(?(3sg1D2-LHyUX#_y-yblfc#hQ{1K13ri)-X^|2S;c=@ z*?`VfVrOv?Bp*t64OD0A&Pbl3)eE?x97blvntr!L@ggJ*=h+Yk=QjG(8-;Z~_6$}4 zvk6MdT5Sg0=+9iO9`bQ-K2YQOaGaHhvW@`_-c_HtjH68yfFDq5EVB@kwnxQ|SDMF^ zCoSJ32`MwWR&npc-17`Y<@+w|6NxA)Tp3mxr_Y-KbfjwXg$GKOf4>V&AMCpTHXT}{ z)nY3@8)No9n6!d17D0{t%*RfB(X*z&^V_7I=|c%-XQam68-g1()cru!yvm{`XOr0< z-dou}NItaxay(0GuO7>gT{2(kx-?oNtgBws-{x%~+B;2p`nuJeo%TEx9pEz7Y5#wLz81vKjuhtg+$wgBTf(ij za|aCLW~H9$XbMz+Q|Y;!JEOFeD1TM*4C(!x`7L44ZG70kOnY?R>A?m1V#VV`17CeKC|q0Iww!6ROd{= z!KUqQf1x+!zRyO5s(@FZs&V(@X!C)&IqkE9_f^o9dyQPb+@ui%Yf%xVP%snW@0`yq z>JD!n)!EGGy|z`>$AI?G+&1bnZ#MZY8fUJzd8vzns#9pf&5WR$E6$(JjH` z$mi6SZ#H%BQqQ19h@1)9QIjqGD(b}H{Yq~}BJGwpn9D`onM zx-x{4)h+>}N7k$CgQCs%S>O}?v|zah*xy@$-YBZP8cPk-kK(b&+Wfc^fJ?r_tC6}U 
z%#jCX0l^dxi8C|yJa{nu%`TK>*jmqCaL}PJ+&CA_Ht*gtM@hf ztePO~orlx<7;=zpHrkj+a5G0$;!nZS6 z%=+^!!>EtqEh)QJSmD$D>bB>P{>A_E>v}9lD)i&dm)^nXntbhB(|hjvOXlltyC)r8 zybN6L6#|M@$2v>FP=XKkwPM2+5lrk0e|qhZV%yzTSWqV4oU+zUe1K;gB7AV4KbI03 zCD(C|^D^d(B2Bu+I-TMR=^=KOS5XLwhWg}Pz5zXS$%xS#P2urG-*iD!JJ+hLT%h}; z^J~p@Aa7!)Dt$o7O-d;f@c6jT->9P7Bt<>mK-}Kx3ubg4^RiNsh5RP0(nJs*G^kCcaZDK_UVP-m01kW$tT;e1Ci;&db&Xm%3MtuLM(!V+tLVkM9-i96b_CjywCIz zDZGClt9VCQ8E&_33|C!q{BL4=&!k>NZN8m6REg%iu-e-ZJnHK{Bckn}p8Y2B+s3m3^267NYhA-EB zXN1T(S&8Gnql(3F@+&XQC}ptL_piA*z@AaF0WCF5{1fbb?L?~whDCHA1t|rnH11KR zBK{{)CK+Nh2_mdplvzTS)cG1|L_f$O%{=Hp##Fm^xnP5K-+n# zssh=wE7=xj`e`#Xdq)U2J}Ue@aCy}q#I`^3{sTD~7AQd}A_6r(>HvyW{o0%{`&Zy+ zbGB5`p25iq%k0Vs#@P4GIOge3H>u<}pE*b@btWxT;2X_7viG7;OxB@*2A--HBSdRVfk`K*&%f%!{5F&mcJ=8{V7j+Ga?7|z)l8( zfl>2>e{0XjVBz>JZA6)W$_WCjoB&CfZ_^ERh}RK(tS>}neZ-I8X7m6|e(ps_Z{U+i z>&GYkwihXRz=17$_%mV$0}!l;V7=|PV6}fGabGH_H3$^q5f)OmZsrj*sHzPFMyVTE zQy~0{U{Lc2{m-C=L^guKhx9h$o{SzhY*O1vNMq4p$5Q<(#6eN-U&2tuN)C&3H^-Yv zZjRH|KbPc3iy-LbbdLX_3Qhk@73w68t+hb<`wsec{1wxi*Gbd^H0o-O?++KM;a6&n z&pk$9Y&^d#VumPcco&A$X1H%%wcb*C6ef8_KKT#i_A*T|l1Z`Nwueu~1|hbXx}vmLgWfU4)JHSN(CQUeoZf=M)gE1V2aX^&{riG7b%WKK#l za8M>3-9kNh@fYpbA->I>^^blFoS6mwzXweJZ$l+&zxtTz+R&Y*b$#ZAv3j8ltvonQ zR+E!cTnCF@{y57Uj`0uMPx$r(k9p3VY>lQ1G!BGzG`zS~>VgH@?U!bfBVmwW@c9V8 z-fq1^>Cofz-8u1dqcOs|L9<}Pxh+}A^e1gkK5al}PwN{@sbEBKeQGgz9S2%rhOizP zzX5J)55-n84Irs)TRa8k>G{}vKv?0cCHorUsz}%@qx84$?uh;G`fh~tA29aFo%o!1 zB+>-5`8!u3_>YR+t&I4`*ln)07bXms9|a}sNmUBZ+t-Brrk4@5?@+d!OTk ze{+KhBp@Gtb+mo@%XhmFl=E#a6jOG@Sg!40cl5gul?GA|`@%$&z`k4*-I&sHpXcIV zsHv1oS6EJ>f&$3kqkU+JfQIpe{uF{sW`)HJ4{M~TU|PG40hEPQ*mM#IQy;i>`df5k zo@V~LiFSzpCkQ(^+AV(qJ+ynZb0aO*mjC)h@MtGvea!l^Kh=>2f0%ju{(aG3OG(L9 z)s9+89YP)t8|ohS+dC?W#e`@aas;W$_~xt#2C1t3S}c2s!Sb)ZiSI^VZ!ylAANKjr zR84#i){S6M332^7#8&d4*8TZ}$YIpdG0o`i()XxKK{NPbSX!8`Oo6Z8mLJd^zL z`p`An0C!-Z+I7Fk9$SMjF`A^Fakw2l&sN2Jh!_Q+|Iix~mcLa7u_~ z^V)1q;>Fd@2M1_7qTV-76h7N%YPN3Jz%XXF9q}WBc+;cw?Vw7XTZq9I7|VMS3mPz8 
zLbvoQiKa)SoS>MBnEW2)l~cBEJb^Qz`1>(m{nsc@MVK|HIIiIqp=XW*|9&C7ZN59f zgGy%{Fb{rFYxu;NYNQoFDsLR<@wdl{d+Yiczrb(&R;9|zLe`r4FBkg}8j;d^Z8!_v z(0-mIZH|4*!GnI2zrQ|IlmeSp{{{_oFK$T>!%Ug{-k8cDv?`lu>^jTu`L?3C_|vv0 zO?zScxjpA*3NZRe`Mln!dQXA)Lf!sSh}-OE^~V(Iu3)i?hLCdO3;i~R3iqS!6l12I zS>N=eo8o7qo*6O%Gecog`ooL{2S5)Hr2uIsio8bz8{`Y{PvGQ$Jh*}|hG4;Ta(mL( z5^D?}f!$3GNILJe-v6zgi+_H1&e8I=Him4i(Q)O0&_bEKRKB~Mqm}p2<5xXRelC>u zWA;47juO>Y(nap5#!0Rw)qCg`U%NNp*4wi4NsPIl>3iQ{h*;_CfJMiA0GO$&x_WdHgz z^;puouZ~7&^rl=;_w5XXw*f!fJ_FMPUU0V~e}=~jT+pS6I48Uawm#;wo9~o~8BFy> z9j2eIlq3z}wb41oqkBmohnh*+3e1&+x&V_leM) z1WQWE^cPDnI-WoF0VM1-zsBE&1<9Er9lmE4${6>SCE{)TM1;8s0KXe3_D7tI+$1aX zb)I;xHQ@6ZXh7SAI^jY3lluQ|@-$RdDf9?6Qh%d9%X%Pc||L{jvw2F~4ZQZFeK^iW{fP`7{76Zfi{l4fqX1U{D!;`X8wL z%AVN#9_771_8KB!9h+r|nZ2ufdDnx&L&6I49_3#@QLSQ!JaNgn17Y3G1$oj6N|n z_n|=qGoiO;pQFX7L*&rattnkOOhZ;ZU%~Vqm~!@k=Kpb1fQN#{D?m{fOuEVGkGipd z{5)=BZbFs{&eyO(M{fo`n_$&c%l|Du9>qd%p;Z2u(nGbRHdDY(QK47H(U+<{rCm~D zlKkV69)WE5`hwWRg6#$QJbyL%{P=%q^sktrSOZsaa3fF z_gZvemJh1nV+d~V0u`QQYU#OQ4$#!P7bUuSKOiy${$?zy%^a#d5kwE-SvCUMJYI`@ z>GZ)88E|bBiGX|TuUa_GfU~0igCy2B?!0WBD?(<{DZ{k|V8QK`#)eh>tTVakehanP z!y_h_@k6s7yh z+Ub{LRsR}+>%+lUl)3^Nnv`GqVeC+K0vJKYHHkDZC{v04bZWB~3q2jWf0Rq$ z+c7IRmM-|Guh^b_Wq%;vBn507Z!oBJV{C5Jsh1XYx|4O-?kp%e#bW4>^nszI&-X$y z{v{`%XF9Kxo#uGP>hEKfb-mZ0fttd5?M8;JRz6LKAK9lanLIS2bQxx7ROB}X$Dj&K zQX&9*7t{Q$0o{76vgS|p{wl<*K(J5C>mbPLY#RQ4&-L=e#$80iH{6pJ1Ddooix{q- zrzsY3qz)wVjU4p3gUW~;y_olE(mjDU8;oC4)J`bw7!1Mt#`If#=~eq*p}@82QDNYO z8YGJ#lo(~SOh_ACkN6_4H(`Jf=o-VSx&pqmgrqC2j={03(Hu+758PD2?f_MxdTM0? 
zC#HU5(E|5&t}SpCi1&=e3oaJu#C}|s2)k8O3M>PHqcl+2^SZ^kd(#{jR+B%orIgfU zSzXZ){{8xitFRIXj6=aG(H%b4CcHk%h?z*vIN|X06KqJT$5vX_-N+vjXYQ+8zfVaU zd#8y6Ve0EYt;kM|K7f#_nQ;$pWVuofqN2RLfN3FN?o?Tm$$i)jyuP?Gpm;($_wI8-UV5OM?-#VkW8iAZlZrpA%njk|blW}cF>+xmlNS%~RmnM}Srs`;~xvcIB-9bXi zjpVu4Wi~#$#JL{^`z3C3W53)T@mM(fQxOrL==jQc=e`9j>Qe`}ImIiDbo(rWlFreqYbP;(+h;$!!dFJmM75s@VQg$JC1P-~mXS)w2y}C!#ns1yH=v&Sazy z7sM*{XK+64IJ~QT!j&kuot0%f2dSh6=O%iZSnfKQ*RQY=loOVr{-xGMPujJO)>r_M z%1~)l7979lM?51gb-h!cPAO6)LK1R=0>`P^NALEGTjKZ_!>2!zgoZGM^c;#=e!t<~ zn0!u4@x!s2pDpMRx5BZ*l2sOoJ!5a{bb!{$;<=9TZ!nk@zHk-%x%@AQe+Qhxz!->4 z1Dj(Nwolps+G}Vbu=X0(-1l+n%!q_jdS0D9Yt_e7J>%$VUMgZGD!NK~+9b!U)q z=QvkYrz3XQ23bQ@-O~6%%EGxr=>2xaCD-S*A(ZGIt%C*_H(2QTh(o@H7%cqm_Xo}| zCXAYGK3^!p=d~A%*NOq&g_dL+bp$w=OOYFeatn{A_jO1dC<_mW0$p{5dd~R|YC1L3 zx4)-I0h1@++0wu~cG55@oNRz~%UJQ>JY!Q0-NA2(v*B`8DG)Xw*QmYkYRqu359&<3qVGmpTuj|yk^ z9IlujbF7T}(Cz9;MOCi9*)QoY1~s}wT0ZGsiSvAiTCayJlWiC^vO`lXr>rdqDLUJ- z%OU#mj*M}%dGKB70Vseu9M6H5%Q$rB;o$(QOsB9QA(4t+z$2!j+*PPs_%(ZqtD@D@ z3{JQp)d4>1X>*AtjXzLT<1xecuWkS7x-1Z5ikj>?D+i1y=2Oq`vgL|F8ZGnV(<+YE z*6iqR5vur(QfCW>eiD_HJG-CN!r`RK^@r*x;QzcpKn&}Zv3Hm0AG6LvcKlfVFVZ;J zx`+Bo^B!~x`NXYI$~}ZW638aMjLCW?grs`G=;z%o#i$&JxyKCa-oyX@y0@6Y^LS!R zeJrS_q(QYT2848_l>z-LnsSiUSpd~q<#Go@)`7Ck+#f|rNB8?#FC93nKui@YqY<6{ zxeNn;IcZTrwO@g*ip=NAhhf65|MF|rk9J%D!S_$eUVzdBM1a@!o&sAQ%*EV0YUvba zK^#MYU&BxOB4cNmb=>~WBQBqKw^!zcN-(iFCs9UDU-jn}0*{0ONM^Whj7}z*Oe+J1 zD$@jeo~_asXLQE?xq}T(jL6E`<#(cCr%IpR5+B_%8H(%TNxFKsB%%U=HUx$M;3BeS zxtCM&W+5+nS-x-JTHbJLiSI>4w!-=%8}VxDku`3*_RTw-wU5q^$w;#lc$l(Qh8A)} zWeFte8evv49spGIS!H(~S@B6UCBWzvI}>_c_3+ggKf0E2FJ@k90Z>WJwf~tU1Dv3_ zzCAV8QnDgBe)h$`{4M6-BHhS>Op%|b4PRO@#JTNwAWAp^<<(c@U)fqhusZYPxj#H> zkT*kq=8c03S0$2gVr1ec4-@qjvM%K#BBQxqQ5TU@XSZ0!i2=nvmv!_5rlJ?l)7hv8eJZQ5C zgim(KuTg$prnK|Av=yi%rxI%wD^JC@_vR>0!z^^V1v6_e7c)6L$LG{O z&C`pb*(MZw)6!9MU!Gm@sTM^imBECmV0)}1MZU~k2;&4hec5tWkL!+6$QOrx3);zQ zkrJaHSgn~UA=gUGNa@=~3Jc=sK8%~9_AL}qkV$Te;leF#|BB_PJm62=6z) ze8-X!kQ#0|5G;J}FTo7`@h^f2B>t7r2l5N&&b*5;!9E3KDi)Y4hq%v_MK#-NA>&ma 
z#=AH&$c&mv#50>@Dm3aAiE)BD@_)rT_cKgtsLA)0j#YQaMa|`-w#j|=WXPAP`Y9K6 zq+GXdrl7O6FAmU{&R;afx5Wpq**W^9 zVLd<-rb7RNfYcCR%#9fPk{d4Y&k znSKyKv(2~Dg_0j!wo-Rv@-n3=0Y5-tB1noYTwg1oEAnS7e|FhkkY`9_9i~R|5PJQh za(qXj_Sue|I=QsJs$J_wfZEYpL{;6ePD|pM!0DANUA%BTif-J42w+W2jiaU`sJK?S zPa<)d^TtM_8?>CQky6@vb|@pphckoTxf*z@jStUkIuZP(s0Vq`o?y<_1a>pmM|9tL(;-Nkgpg z3x5`Vnmpuc48u}YqiEkK`X^E*;$b6r)x$FQHF9T8u3 z6?`h57=!pqOM@CAyU>-Suxv;v_G7g7p!a*P_wjPb!Daf?gOXzLf(@}yH}!GT(1?!b zWENYk4!ukJB zwdYv@7VvE^-zLUkB;AsW8DGT9JWZI7HQVza(qZm`XMCs}IM24|_6A61`er|#V?kx6 zldgwwX-Jiv3ZLr`?q1cnDgwMNbBp;%2qqiQ6TzQ&UA(HQ_v-$DC<1Fg=z>q<^^-!xDDUImk(Y&j!YZw+$u% z6LnXwwhc|1Wjp%knSiQq_2Fkz?Zs_M;-+5mo*YBCQ|ELz#M6jl;dh>)sYgjB3w(Bn zK2tHyLm1Lbf(0RT>U|~j;?2=5jmOA$Ac3vK>rhukvK>Myc`rsZ@lA_&{d%i zE~`J7nuhbU$u1y|efJB@jUWBGCOa7EzN&%;W1G=EO8*yN+5J#Hvdm%eQA0vSP>Zv2#_5Wl?|v_^DH;s z;V`<61$~f-T`11hr!YDFjAb?98iZy@CZsg@g_ez;D-_M9cvW0P*{yru6vsjlJ;cSG zVB}fBiDFbW?GZr%W&Z{N94{#CfvItJ8(Fc7(0)NtC#RYm{ln$XbFli&>UQmrnU&QU zk|eVGG1>7!Zz6X)D);of9Iw$J6^JRo343uUCAKyCmPhFNBvm=V54IoxlfsggD8h&bv; z#nyT;7Pc`HpOh-xC^|0~dD*&+mqd10VV%H{(pB+0?{bRIT;mq*_cw)4(IlN{(0Ung zlRD}1IQD{@86V@E^#sc1!8yCF`|D(Ji607He0)g{w$TEtsJaYT>9KOG!KiFn#3;oCApr6sGZRupO&`6s32YE#b}EpRBSqA2Rt-Atjk#nfYvFI8T$ z^OnD18JW=3RPwd5=(`@|`E=lJn&giBXHxFmjGj?MOVBP+QMdOX{n5MH_W{Wp`jR0ggGZTRQQkqX+CQ;m)_r!GZq{rM5~<-<8j2Wk&RY)8XFvmU?3B%BWCdX>AZ|<&9@vkC}zdcRi4NR3%=wz#@uOt z>lD2kzp~Otg0^#31n}g_ioeV@H%$R+#O?*EIKRp|9#r?=suZw>QN_oy_?#NHTxYyu zhmqD7zbI}RAOnaN5!ckq8G0?|C(loE+ZUvY{JcmZh?d_caZ2XM_W!Y<_c6X z&Zz%HPj#9cv|VXTPmSs%l-7<@6>9o&wkv#=!v|j=lh)ulW6J0Z*;j%P2lsg3mn8>- zzW?c${pMbaWO6tCtf9Kv=0ll@nxyftR8M+NcI|GBtiK$)L62|AI7^)i7hN}%JkNWb)6+eJV#{L_RPPq}&EVzTPrpiEtG*gN4b2v?NUUFTiG%n{*L;{KXP3 z_%jV?jE5d3v$+ND%0Bs>ucq4=FP;{z8Nx$Nb+H0z;qyN2Og>>Z2*wCAJhBh$p!fmH z=xOB~)9`}!@jV7vH#oA_hENAJ87bLE((}fHnMe=NNf^BIvW^GoFrhCf6j@leK&``f zwwZA~o0&DJKOU6LQH9c6p6xL=Tx}IK?t}Y0pI6k-4F1V5DG5;lsRcz<3eEWCcCbth z$}4cKWfw5%*nwprHTpsy?ELa>yV~4Ua}uR6PI%=?qm`K?Gl?;pmz2iIyyv=(oN!L2n_GgE(u5N0s(Z4>hX-HO5*uzA* zK&hTLWL=mXHt)q{uY3#D=RNU9y 
zp4~gFEELuN@5j+8t%T+C0+HbFLs&pATo_-UtU2qEsriH)NXupd`wPfZFBBbH8Bq5a z^PKgDd&Rx(f&Grnn4dd&hQAetboEc9E$S(z`))&dZ$H=?eiP#BwnsR>zIHj@nNsn8 zgY(^PtDtf*&5s1j`87xvk!K*jUQM)M0hvAFh5Fqwx))@OSCk8~d2!_~7uMv0^&k(2 zXDOJy*l396#eNflh@#1OF*!*3q3rr5P`6$Ser3Yya^ddwOz6PX+M3N5g}_smsank6 z3am9xoq)**328=0o3l;DLR0vQfz)NOhm%~gqCqyfKhnsI+nx%2ZvCFMXp=+2%T#l} zukY|#?uvZvG z*wL#B{StSQUMWBYV_d{1nB>@F@AJzn)(a=bgJC0wnyfKNC7c3Y>DjyRuuyF0v`JI0 zOgkdq@y(MGi%sE!$~9-n{KmNGzf4SJZWc4UMKfvzul~4N>D>|a3D^V}#Y<8X98_nz z$d>&fNe@sQPJLw*N^BbgwfDIoWz!=>u>6$ImJ@t+t#Vy1AnQW3<^O{S-FDcFw?P*V z_wa1aJt&7ZurGZ*4+Ky>VhuQLOP8BBLT8xF+l*Gx#I%cO;&3^))H5(J#)Hz{4S#>j z`myh+p1yv7e?I?S-CHrwfs>V3tw8-S#fLK)`hLTBlXGCzc~IPQ@juNnr$b(LTB{_IHM7I|*;>k0`$ zNOHDrO))@KQA&R9Y(Dp!JFow)Z*C9m?@3D6st;$pruyiIM8~T!PeChAW~`LbSPbZG zku8$b7uYMVVo~oUTa#6HR}^-K(0VVq4@Sud z4gc{1{FbJT9)|1TK}8aws_79r-R?>bP)$-LNZBe?HI>25oI_DgqMP0KI3*^w?%G!T z9H%zy;_R{Z@QGbR*Z%0ig-@6Q-^IIg2c6NZ@r01Z78(~!Kk@5Em@EwEj$th2doCxg z&9`n7Y3Hfo2gHVnoVIf#Kj$x*dV*tmiF~0Rix^!IS(L~?0kw_|IjqRe>GiUFuOS^n z0M>|M4G?woACC?Xo9w@5qDl|iIo-Egg2fZ-=DsNhvroiuzh88L71tPemDc@FyT8wfgK4x4rzq>=xwHjW_+x;}UcRd(TYv&hU&6fp= z<^9285`nN4PXhH(<3t%u6tO59{E(xF-r(J^7Ki{i=JUPy72BG5fBKLfiu7$Mi_iHJ zXXo*<IecOtm$dxSl~_r7s$Cr8OK>`t*b%Mk}G%1Vg%)=000R{sSwTb4xEaJJJD|4=E1rTdeTpc_&@6hES={$5>>d7kzedKrv^LngGs^y z);sIp?mn*msQiatKiD6ju#)ncT*6sQI29QzUkX3#X2AKl=R*la(8YQaem15tu8aNU z*RD>I+QkFY03(0?JA>sy7t!PAg>7GHr_1r4H4u6)PJe*g%3Gu~aGYE+z9I{pQpO_v ztx%>V{MN^f^gub(HiJC~HbDa^0<^L8$@<-7P&{Q>ca zGl~}_CHB>~sR3_h-o(%J_G$tmK?2tG#J!OV7x- zpc($B9r$9rBuG2Hi^E+5#nj&(r@y*WP;m*WMTGR-8mE$Vd2Hrc-%w%3uY_J&j!Eh& zXOVaDnYI73YY`DAE`oRQTwEFAtt1hqW2syeHWT^4k+N_d^qX!AgmYsRG(SoKY(E3E zeeC*NuD{H`!Ft#@G%nLN^Z09!CvhH}N}7Sj&Pcz+tVIg)LLLt{kgLXUx%VbGsg0lm_C^$S9*))o|4X-!Cc& zfEhA{VLpQGWY95q%ky3@HMa0XeD$N8sP5p~y^UoCsVv%vdKftg%Yr-mp3vMM6_=Em zrso`0aU)x(NrY3B^EXwq78&bdKFGSG?6iV)sP|32#o|MAN5oz3!oa@995~k%upWeB zuefqDzN#8v0x33m`KyEBWfcA(77h1B{!6iH37S)v*M#xnXHq?fGwk%`TbAR`H$V9D zvvpGnP{Zi|Z3^yLPp)K7d!KbI|2F(-lR%;PFPOqyCxY-9WZ0U3zqB?;WPcg_$JG4Gc1@yG`w+4DB^5c 
zfgJ=5ys|)4;lxT}-&~qMhSR60x>gWC(WfZ`Aqj8!tt^L)EWh&QPNcsvPoSbGl6N_K z(^TiNJ2feEZy_6EOHhw99{3Ab%Gw|cT&(b;Fez&*43cF?eiuQ`4bm$AF1ds+FBaXE zvVJ^BPL-394i&FmrP9qJqxo5ndEKec{`x33jFH}e*mMFP$xJquk8Z*2_y#7=ZTnGt z=vFfuica)NuVWZr8pOa(Q8s@E#+eLH_C`JrGVO&0@51>X*2DvyyZVLL#V<*m6Nu9V zpym1_$tMu~+mL`F-(akCh8W}r()im~x!i7_)AI`ed5ChpQHsBY+ryToDSav)`zJSN zRP(*ZtCv3|Tg=pWAJfb)!-vJKFx9I~%~~o8wPe!~9p0&jUf(G@HOkfpQb0Es<|UIK zF;zanOMwuxR{xl@XxPEm9UbDgv|Qe}Y|YmsOS}@)zQU_x6CEb6E`nmdp$qFUJnJC!A42%YcEUd9}X|0T>DA#M=S7?Mz$^( zAJUy$+&`=++{cUlgez`<2_aclaS=J$EH)zR;!K_mK%lgfa6P6AxO^lN)jd~P?v7D` z2DWe~ya9$(J$caF+;J8%D0;Z;f(8BQT&}h^`-a-t(D9aOhCS~c!;#$1X_bEu-~PhA zy;3bK=pb_~YWAocWSX6RsX^agU`J%2?uI!TO{EXQ=ob}un0In}52@EVhz?J4=(%W4$q)e)XPepa{t_*ph#lSOJstP7Cb#Qfq*xq2IItp7{2{_=jUVda=weX-0 zpdT$M%!4-50a*}w~OvOA^hn)YdPcWc|6SOQTj!54_LFmqEE7STP>W>p6et?sefX> z_)sn0v2%hP!IrpAQX%z`<4q6nJ9~q8CzHgqpP}9i6x}i^69Q1+a>jxr?>2r^p46`- zkM%F@Pk*T}(U6^;HP?tzVmBjpaSwClt)x;);p%hdEEUJ}?a)YDE!#P6I`7So>G>Rk zpMk~u+jGF;x-gn@&O!peJ-U05HYq6!c=Q(6E3mnz&4<*NWzG3jMkYJ*@-l-RTHr9} zPJ}>g9$Y zqiB!jb!nwQ1)3M;5Np|dzO76ip+-ymPye%6aPRP*fd>p+P{icGtp5%hxS*(h>h~uL ztdA9u3f>&Q&CJa7kGQ=)QfU48GaZs4@vin02e^>^Av3$Sy&gZyxM%G=6oYNg~e)7EZqHQwU^AQ z&}!+Y!^KK0D+n)ql_E%-{q++e7B=<)$fJA=*_w6U!!^t9$OmDhOFsCTAQ$`Dm!za% zAg*d=j@f_}mWSnoFa9N?E$WW`CjOZAiZK`^Oj43ZKb7jck-Sc7S@<76)T$*2VVj0T z+42^-JqR@zi|URz>wH~>W+B>~+TT56vvY%8{dU*Veb17@YCPB4C@^df`^tisnG{}f zOTBxhKZP6Kr_puk=C<(zlcM{o$&9Fhn8g2BxhLzql>C-E*$B|xyfvH(ym)N3N&NaAuj(C-v-2qEjNgkz3@r|3j za>c1dwhHuTGrQO5oS~p%mU`s_cu!mmPjxqCM7~&5NU=Smoz#_YOqX^+eI5swfN5s| zmBH6@19*9tqvSF7>8}iXq?+NmRJuW}`M-sP+_m8r-EmVc9^D)8a++E_e&c*0gm4;4 z=5g^v7wawLs(NStx&U{6IB`aI*CYP(>1Y7^=`maP4 zIm>8;>)WfnrKK<-36NL&t5jdsc5@iXZgUuO5eEr^P4h|^BuM%PtCbt$f{0=2^dz8o z(~G5pc?K%?jBVt*X8Zm5mzWbLQx=UnD_zk~I1In2^r%%?rscS-|4QrV>S`vopC*st zj(8`o`vgf(T3TAfl%gaT2<;TEEUbAzvQ6#C1M#prAhJ;;%DP(P36Ev!dGhX@+tp6` zHi+~D8LK4kO7#LT)}^i~Sc4GD6D=AD-q+av@Vx)HSf}LydB;XIFs}W6of;WR;=r1g z#ja4L!4j0(Sw<|MgTq3j=2=XF8rR((TA9>~MLA~>YEUql)o 
z+FI(^cD|weemnn$N1;~OrSh!WsphmtX6Hx{i+P>8t7Gnh9j#%>eUWK~nXha_VLPx| zk7Ya7`*Z*qJ3ecnKFbtt^_zc9wIN1TTz{O2q=xf~D3Fv`f*s}M(MF53m``&kAZy@y zt=sB9tA#3}YW;QO|=!{WhQyF;OJn-dw zpByQmv~)p&Aa5LF1#&zLI{vemtKMV*q7OfVG3VYYg5*n(ksW=`9~URy{V9_8OmvXci!*dwkw{GWuJB|4K;sn}v? z?Sndg+{rikxLDGMhR3IY$A z&wwgmdDZE*A(trNnO*Ky<1wmvJ07hDgbYeoIqeCYG3(yHf1g4vD7|bwU2fPYU|vPb zmAW+p7J|+&Mrma@QK~;)VV3Cs`Ose#hxY_LW5+gz%R4aYR%f8U1|u;Rr(;71Q-CT6 zZx^mK-wjFd3Q+w&oV|5eRa>|{EC@Rs0<%jc6D>;vV);bP+D(FW~RZ@#U z92-{c1+v8e2=-L^p@PX82H7r0iBtU>JCq2Ljty(eHu~8bkTHsU8g4${`s?D_r)Fi@ zy@#>^A4uO_qu8AtXHwBtJ6`5wG)wSB0`IiYir&}CI;xua7XEhqUuf4Sdf=O*X78$0 zjCi1lS-T7FraFIL2plw}s{QQj2LG|ry*ou=nBwk<1a#cZkpB!zMaW6sVRYoGHWB-& z{;FQvD#K7sme|v5-6NW4le|LA0rU{tM=&Ow5TH!9C)|H-5i5@TOwYb7qZl3O&0m`P zl!V<~fHs@%T=CN=np`4H=%x%HNvIdbv9=p3^@&ed^Cgd+{}?d(X%Xn8KNt9G$d$6< z<{(i)|LovI2OKaY>~7-=TdCo73^zf}X15|9bnoy^;c_o=9`kV+WNo(->qABVCoH(s!#mr>Wdtg!m19vr2|Jh#CqkePO~y0(w)SjqmW~G6 z1O(uvfo}NePj)G7BWXD@hHr8f$rM%b2}C0!vN*rZ8K~n6HkO0FKOJj}{Qs-mQw+_(JUc|uRwQ;paNs)=t;$9Gs`DpMUpzQh7491QxChagly!t zQb#WMs3!0FcZWv^yRxfE5T=TA;$p4!S4tJ`Ua+J?wMSyf#3=K(kP(ay#f72tbG1$C zJJ~^mE#-?oNR!Z+JTWz8>E;9Sl%TGJ-Q>0TR*XXDHQREPn@`DkLb7-9?kgm=6GBhy zPG=1!)lQXHsd$(U%r_Ex+25rH*FJiZLvQu?=-ftfBJET5pz@_LTZ8_EMIn>!P?fD= z8Bh~xtbwVC*mC??W~5LSP8tg6W2z;U6d?m!4@K<^=8Q8^p=SfxH13t*Q3;P@7RB$C zRFpE%7cF?nL-g>HVPL#bS2&SqM|Q-L#WaNk_wb|NmB^sdRuWYOTKi4W5WL^wa;P#` zImn2=3cN}RF_ODWz=S5$G8-s0L78S zGWod$SS_^|oXFr$>F)I5(C_^1g!+>eEcSm4WcabYM;GOM`L=L&uk?95;j|GM?E5;ry9e98%DyEu%g%jkskExQ&j+awy%9#WR&iXxhxy zJN1JXcy1o|zefX=Za5#(O%9w$+U7ZX>0T_iZk=C|<}M2PQqVG>pX$wo?kP-e#b7NLg&@Wb@bblvB0)aI9Z<1=Ue74CxH4*&w<2SY%p zYE{eJNk4*;{UX{2A@R8Kc&SkHG1ozI$X@$SBI!sL*41m;+!#;1Qc;t89=SAwltRT?`$dor9`tb(g4vy7>to00Rd{$o9qbP)x8D3 z)3Uj+ltEF>V&m{EjZMa``ZsiT@W{1?A?Hi-lQq__-8kDa+oWGG-F(4RH3Hk@k~8+T z9n37^ynx%umZ#8QS4Z-J(J)LLY z4|kHJl*bdoPt4)sCiRW)!ueWDvNo#1Q%_tw zqG87ysS8*5Q4>O?BYwncno<&8YTmDp~g`DhR*+K{^&Ie!C z>IBpq=8s9RnO?=6qhvRduWp&E7Zfzt4xV$UXg){zdk0dAv)QIwcnepX(I4xZ(TeW! 
zbIO@x#-`clAfYuEJ#6wY8ZHXTxW?NWw>|Nh5?ps*-JjY_oXa<%1*W zi=(CaH1f$)!V%d*@cQU_3!%Rb=ExH$F7s>X^0K{=Rh%cxefiFP7^OMh6bLsXNPYLg zoVF4kHmMem;oYXE2b5K!N(x zyY^w7a*uxW?qAK=&0Bji7UqXD!c#|^$+i>ZFLu@)u0kR%pcB!qo9hcIvj`YuCRQ>ROvQZ&65&%a#{ z0TH-p&vQT9uKSI6!PENl64?VGv~r@;uP)nOG#&U!H5JHti=!xlU?l2mqA71%UZI6_xKtKYGN_**4c#)#+#IfJ za4{GNxHnuoVf$)j)k-p_8q1XB9B(pKs){|HgQe48fAp1u36sQSozg)H!~XbKrAkq7 z*JlJ$xUjY?UcA`jK4YSZMs3mN?}R!J-3%%3O;YzaK~A8u)=bxPDPnKuvYCIqo&GvL zwYqa(<2!}T26yh*+ko6qi|#A4Puu!yi@0A`hKLH4>xf5)pMFf2gBBeWa0#LCCKpFH zIK7c~dCS0Ftg{6%3hC+t&oXQ8q1;tN^D~Hruo-V?9Zj^u6W6{g;J?e zPsZmAyHbB9baRR(#a`@r<4>q-oy0|81@#Qsv%2ppWl3K1k4n=ZQMK39OU3h^JF0 zI=GrQ>*E`KJwQ&l9jhD)REkp|?Ad(~*^)V2rl;xhnuZ3>$>Z0DF|SmEwVlc0GSt!$ z#@dzMtx1-QH{tkVL!G6j!kyr6xW_jn`bf$^d8ay%_eI&6T74aODY38+q@jo%QQlhb zO%gH?oknuKHbgpP_z-w&qkhHKSn+eSC4KlJ=ff0Cdsdmd8Y*3^23AHnC90r5Hs5lF zNm)JKwc9U#P0^FYhwl^d3=EC5j7E>vrsAUg`oqIt7s$N6e_x-!lGIH0)h5*;O7nnc zXi~!@q4$d39MR97PqPX8{=?uv5KCLA;fA4Bm(t7;YP1ALSzKF~JaPTj-|^L$f8Kh_{}@m#dzdyz$8p z4;wYLjgeM6l{fO2*?e~noWBT%c&d1=vEf|6(XC;8Oq0Nc6T0Do8zX$z>lduE$|Dm* z{`iTVF;SLZ2zA9WGRpc#LO-{Irl1eFv==C+Ijp>-M@4g+>gpDrpEtf0i@4oQln?gs3gnfqh<3aA|5G4`7G=bp0hiL zM@B(p3cY$Y3TJn?O}^+6t|(sCc*MV-HD0=}5U}a^WDRWYJbFWfa*-IGx4!KU(jQY675<7Z^6i|3IBm(Bqc6RtaFn3vK?r@(9T79>Wum__SP^<%Y9!C<*M5&P5EOC5kwg4Vg}L@B zuyekZXG9VfuvK{oP*>Mo^*))OHF{K`P@g4a;ga@9z#wmqoN?5sh`^4=(xWmyXT!L2{)@$ zXhRMbkw=Q^4@G8mK0^U^a~d^%*@x4^EV#=%gMolU^pzidBCql=r`Zb??z2k=_U7r$ zvH3_*EXPk~*Hpvho|2^~gXsy{SKqL-y)8ooNW9xRHcL!Zl+#hzZ#H`V`U@ z>)tPiv1iB}b}iX|k^e{eD3I+!Q( z>WYjUz{-n@qPAzFOX-gxce_p`h=mlKzenivw&c!0XFGI|W%npQn|Gi+3a1s#%(k+= zw&z(jwkoDIJ8{fV(b-c=(WS1qfxhUKL)aDZHAx_IMry*Nt~jaoRZMYICJjEqLbJC8 z^CrWKy0>r*ja7%^v5JfV-YuCv+3&&#%9GpR*_mu6C0F<7gI6nO3YCkTt&e^TH;^me zm62#|;5Aw++@oX|9jo)-@;&NZn;OR}!jrqSA=Tl?r+9Vel`~kdrZ8BPsZHtalgyW> zxMu*2{dZ>0R+np6QRj3dQtkT(J99lZ>OYN|CCDw;m*DTyLg{%pYoJgtOV$u)o~*>rFspES6Z z>*La%pv0tsE%wXhX2K-cqXWRBPiPVs6IF7?qUPC}0;(qyZ$DoYk_ScgA9X^HlcT_q 
z!$-s(FChjfN<-NuXp-aU)qm;G4X=%^$z%j`SZ?bk6nLy|0o8siIP2-&@%<<|i?Nn;J##cWl}lGdGr&nOHG|lJOtPY*WAXskbw>)^64{ zbf0beP&irw+12UvuOaGU<&>HV6v^&ko;`U4!{HZU%|4jH74t$IamHczH@m;fx3symsdLB*G2+Qy?0;f zE}Tn(`Jn+A+0`B_dDvPP8;3FQd-Xb^T@N`F>NW9MPL%i+WO|{@y6m>RsR4pg$H(Q+ zQ(|4)p3BuNgCVB=!Qw_g}!}@-sCwEa%PhR+?Z)}f%N`X zj%@@Q2QO)8a(i=SybN^O3|Ceh;l>vjy6|fT1ooKz5sq()DU}DL!94dk79O_P5&iXt zBgelxa+C}&NZ1Vf6282yaVGm{HJNW)vAVYQX&`#YTqfVYr8Iybho0e>pIc7>9H5TInu<@<#~iypE-ek(0KZ8tiPn2(x&;2 zpr?fAqnR?0fV%Gw^c>kHD-g226C)osNnlXzk-4ccEAVKE zWBa@!EHxVOJ6tWS;u*H>W4IW|{$e+T6ML~;A6Fz|3FbKx7;wp47HuyH@7J_kEvIl@ z-(HYh+^h^m$Hs>7@7JLxlW_c=<6xt|cU2TqSR?Pqz@mA33dooAE8iKlf44-b6A zBZ^dV_?lCNa4Ximf+SF%FtzPW>aXXV+I@L`Q6%+Zd+!`C*-5rW?dN$+@wh`FPo_J@cJmS&qO5Q3JuVkM za~@9Wdu!aY-dJJ3+k5%I_&bpr(wlehSZAKi!s#nLizMc>Yhpeu=B2-`?HKR zG(MnHMj3d+FkRYCe4xmjpM6>sAMZ0e#W(BE>8LB7?8NlT;(cy?L$}W%%P!}k7S%rz z7=?=kmjkjGJBsj=NLb}y!?u|#6Wc%1KL2GnhGqOd5Uy|`ONe-XL0N&Mj>8I2Btmny z9ZvCiPEYnb6KF%b7Dhe|S}4l=Y3iso2@U-;~OAjZsSe#8x`6BVY8HlsQ*IDqpt zA#f38Mmh|KfAw2}XsF}c@pK~6CKdP~&%_27;bDKyPZ}0n2zBEkqcc6G2+(RlFQ6(K z)7{kQaH%y_ZcWPgk`G^lICFc01xI`OEkB7KQ5$m4?)Z$yP--_v3VnL*M;D}kweW-w zXHU#%;a^FDgdX)}hw2w-qlo0_6!_>d#NCkCYw0m5eD3F}4an(DGzSyVR`*}O z59PuXwO{kPZITgX^vWIz{M+%WANVX#qih+J#QsScd{t2l`syG^=aZ}u6%d#SQ!Ziv zGo5RVt}v%;3Hna!OWdx&i$zTNgDb98Lig(>RGHG>4~bCG-#;q~(meeDuTmWW$BkPY zNi8>~$SDVIXyN7A)9&4Yu;>am3P!S@L^AlQC0Lx;W@Gus*yxV`I0Vy2%nwMs;7Ov* zaMmiBCJDT9N%rK+6Fh-6=Xh_#{86h7sFb;?v_ledM7}hZmW%*op`|G)aDQtSU}{WNTBz;5&k3IbSEzpE zT_*&$xjy?K9M8q5@j16SGcyx&i^FzNBn{ljn^!tr0^#72>I}ty6V3EIHk=f>yFe+^ zUx{cyMj6Y5ok`f`iSwOc9fD|2{0`;Y?-Ml5nGIGCo$onNiANbsav}5oR>J2=@?q9zQi-FADBNA|2dA=4TYnZ$ZZ~T=k zn}A|*ZIGGZLQ!Od&*c4~Q{hj}JsSmu56hsd{jj#lNjFseocOJ0q>`!i7wsw(EnPdr(z;`G!y(LG$$w63O};KDq%4eP)cF#4ii8g+}C;VmCp)?UHs}R}V0m7+`h~yAwBs zDx^2S2@mM_zqh)BSeGTw*>FR%O~0gup~P>K=eZl7mc5NINvLBNt2u{XA*#V%^Ayjr z28E(s&}+X3&+gozKV@Rie(ARdVm>bY{uC=_<4etn@3E~T*bt6S2Cs3oqn{g{J1MTUNO{^$kPOQe(2P%kFWno$Ma9!;8V9 zKGOBvo5?VzoPlKew(07o1bWZ+)rxawoPqt!Ac_=y`5yuS3*HYu^1#=w6EDVVEoXG? 
z_~k`IVs5FYA)*Axa8507kIAX19=iN;O1!E8_L#(Jfdej$%?mCC#-WU@GIAbF^|1w5 zr5^p&yp{E@dVDf|=MKQu`3VBk9H57Uq7{Q>zI^%Q?1_jd$b#27+1+vGeIZ(TI=@Rc zV3!hdnqv*}te{m@S1P9S83L}_=5$2?G266ZG%a;fKaIQeS)xgD#4};NXozU8Mv>8v zH`E_@8||om7Gi((;(zWVWP7n>is1l@y!HW}I&;wD?fps$jXe^CJ71~RK&TU`AF}56azu#A=ULqii0&>@35IbmNgwj1D!fc#AGSr z*{qTkO4;K?NoczJc2Q_9-%Il+y3b{o*% zG&?5dpR_z-;lNXsL89LhhV~PZx~)dnp3PX{^Ev_YUa@^EQZh}l+PC~T9w9*6y8x#0 z-1X2P&22q7iMJw4oKX}S60Z7fs?Nd86I^D00f=@l03B}*Fr`8Tbm|=$ny%sAc zytW#_EdG635^q^F_=P0PYW5bloO$x_fnV)>7YRe;Gft$ad$t@{bNY#WEi9(r-jd>s z3f>vCBYlbu0g8;E@SvTPiRE4s*|e~}-^{il4ws$<*YuLQ%-MZTQVc2D|POwt!burhJ)gMNLCf)KIJ_@LSvoGttCF zrp^$^FZ5=laF~7U-R9f<+KxwY*3U6SZzRj!zPe%mVZM-^WF3K$zx*LZZ< zMPfrgz2eQwUZ`!n(LL6WPz- z9YY4LD?jj7I1yM7fJ}%N!_C?p9~2d%gIe=jD@q(3D5&1TgXEQLPkzG5YFat>tlS0H ze|bVj&RduR*R^_;WE$^N>z&BdVThp^A2NzARfV1xepC%{uih7{v;90maug>m9JEi| zKBDm(dUEu0y8U7Z{xGQIw{5JgB_$RjXgB5vG|55HlR+d6g?rsZY(DjsI!Ynsfm}k| zO|$1g*88cb^h5MgwJo9J>+=` zZVWHBJ+(c03?xK6)ygddcmvz;+MGCfEqE)G(zjlDL;(JA*vgf8-09~#mjf6?G=3)e z8gR6ReU+ga`b|`?jVi57Cj1c*UEKEOkRA8Y&`2~7;Ssp4u#xzaO+(e~Rqw3!@Ug7eG}BJ5ly+uCS6E({exj#hOSh zm7o~~e27$wjPfEQkW6INc{JzA@f?bFxcI)M#g7L6`@Ofp;bP2!&+d!G438<{R~MeY zE{#0BueeYSN@FEI)x;46BHgR}sBG;N9#FjS*0J5c6{h-O3LUWRY2&cSfr-6P45paY%rF36*%F29gjdBoQ#y6mza$4wEx~oo6579 zj-z;Ie{GZOTYrg-D&tbzbrNqWGNhjx&p^gkdE4ca#ebj zc+Tp7VBdBbQyvtZ;U^0AARN%2 z@*tx~Ly5Sehdb$RYvD5$0cE+056jFM?Fr0j*sDr=1_+#&$EeS|b!N|w4gUtl*J{*6 z+};O+k4mmR9>f>j&u+#Ej+Qr~jvf1_7%)Q6-C-IFN75!cp$lCs6eGX<1U!66)UDBA z>OAGg;Ui0Ty6-jejMlwRXp&7wwslkgZAS=t4Uw_G<9q+Gcnc}a^dfB9d1t7d>A@mDfl*!hr&C4n$W-OOhGpbT1yKfU zSiwgJjOUpYE?f-^U+2!gOFo#b^I2J82#af>s}Xo$mO0ih+;;t16<`99<6(?^JtbKX z&c-Vc!pioFc(H%J0``I7PPzk|D4b-0cf<&N_$i1S{KdZ!d+!vM-M^8avdpt+TnHE; zy$bO{fP+P=tN&%Rih)Qfm^l9a8vAz@GG}eLU`1PgK08yLiTO`^`8^%JmqZ*mDB|#E zp|KFqUgm(r(QnZoAL9G;uMh7|cC%mDi@WHx_~ zET{EW(@1yj)PU4S{NX62-K{U>bB|VGSC1R`ykAQS+gS_AQjgTtKI1$7mHv>g6!W~R zDS$z7hXtrVh0P+BfSn6}q=kP6Gqbniw;T&i_qP~2E+!0qHs8O}jF5~SMji?!i~+R5 z_%u88ZgvEn@NTPY+YFTUM3{Qh+~$m`nNh$$nWzKvQ^Z?L!9moa(HDeag17j+L_m}W 
zdTzYOqL{D1L-t`6&>MkU_SrW4)Wf+TVJ15@wV2tg8Gcx%-*9hckcu96%9;okR+M0;zPUU^T zhRCy8{s|K@C8m1~dMO{%8yw;YwN7~OzF-!aX;YWlP{98iV?%w(CxJo+!!pe5`SEE% zt;-7B(Sg{(lrjqzhk<)M?eZo`Pmc|XEMRUsaVtiVNQ_})xJA)%uor4<=>Xrcvp#>r z^D@@$LeMw|CkI-^DKJ;V!bq$2oP}Vr2JMfdpn*61FOYpO2K#sZkJEG%=~LQiHkv^0 zuv6NW$4}<*U~p@Uc{uxZx!!9T8nwltTL%`&@Y^Qa%h8WYQjyME`5jC336uucb)0|l z%&`1`>xIV0)ql7ET_X=g%HhL6d~8XX&=36$W=d@TRAlSslm-}Zbg$rgm>tgS>W_Mz zX1^Ntv06`Oe0a-W5uKQLV7|G(t6Q>AsTPm>ZmJRW$Z2?@R?lh9&W=gSp&S?6_MzXW zgZls)kNGTyVx7V!v}Niz5~fPQ5+T;jId}$q$okr&jPm}a0F#fVLc*u` z>}Ojl!bU3zJ{1p{@-)Q@jL)T-W;B#tGJ6YkD%d}3(AKTdH3Z6N#y||eaXZn#@53BL zkeN635jbzomWNsYuO&N~#iD*&NIrb*4XM;~`CPa%x-%&#fuHpitjadPaxVjxW$&RQA8xq;yEye{*#nU&$jRaNm~=qN@z+_ff?5Bym$5ggqH z)w&EBnyn~1e-bU$8*1F&Lu<*~PrrPheA}M?rJ>wZion^dPG7s>rGdTvq+0L+j-j6z^y5qt)KJTxVSmL1vBi0Y#!(f(TO4&@?!oX_RLK|wm~|{$SR>1BmYL0@ zl+=V~3}t4y(LAq?7_RWba17?#D?onB#=Hr7Pp#n0f z-g8+I1o%MTMxqn&!M<)DD11nHGkT3g>ZJV3*Fx5*QIwp%nSO<+%o%Be27VZ%Qi&?Dy{rvM!;8{)LG`xrICp#p2+gt7?gHSvwCZ(fZKq<8c{#oWLjGKC++z3P(bC1WPL~^1kC!BhssJ^}x; zzf3e_eIS2<%i*K*C9s;mQHXWRSz2J!Rz4gl>5mb26{0l!2=+BG7ySMG8H&^|`}r5< z-Yr5e2HW=a$PGZo9Pj)ejCGLEqj}?y2qpfMSbc>dW6NUmsbS&ch!9Fpe4v3Mq@_`r zBB}+i$i(s&RuU&I{zB@-6X;F7Y{U|o(~DOd7G|?UL7+w|_y)dFflfj!E}Rss$V9;9 zcZ&dNx(u7u%lrQ=+ZeHO!o&F=X6c&Wm@6>fYI?&xER@a zW9ws-;t87{D>g$al>2Hd=#hF3jRVVplHC7V`MD7e1*}V}sK~)8w-Aap)<>Xn;}`i) zD?du61p!Cll5RK?wh)D4X@K;l<`Y!bdvz zauC^=xErTtsbJ{p!-W56Y|na1rd}K$BY`R~^Yl1&SHQ#jTLRg)nEr3=7;*kc7wEuX zyenRdtkD2ddi|f85?bNPD+QnMzY==0b6P7hynu(IvaIzp7`T@3e+Y581ZE;{yB__8 zN4=Wf*Kj-At%%&)Xa`oOHVvXvvzKB>TM%&7!|6HM2pMQHM;OE7wzMwYWTZ`4w+3sR z%1LsFlpFkvb{%+lpOp`3-+^~@xUBdZM1pj1;HgM$*E_N#7M85R$A^7wPDw|jvM2mI-KsrbeZ{0sgMH0_ zlN_PVv?!9ova7s74LyDZ9yrGYVp?k>SbnzysMLiW2nV=+yk(94N@Wd-3U0e=i7Rt2 z7aSej2dkdI>knuLvNh|3-tK6&7wr+RB&{RnPRzqO1#}R<2L`)^<=W zZhL?dVlldS_61Yl`&*Mxb;h!r$%h(Zf;4iTx2E2({zLYEV|J#9h;npFT~>6Ny7UWN zYWd_%#!@*)frh`!Hkf~Gj3)AER-K0^3|A>o{kWYT=7s-bn0!*SuLU8?J8T{^|C&K> zoF37?eGbAqzI?-#A`@r?<)OWP&kJ5?(ZahU#o^-#xU5EBnB93+i5$QC^>d@R?1W&& 
zTnb6r;PxkYYcC~dP00JtnzF4TP*dJEt_;O|f9NcS(sJv_*$d|1Rlh{UmPnv7j2$-2g_0o^KNX*^V;@1(-r+XDEDw5*Y_PWT6R#}?42L^HUQ%h8; znX5D9K)dzvo)q1#i{p+LH;$7Km=j7MnO7Mi2u`$Pmwhq+nuDXVvW``P4BOj2boY0+ zq_`bF_qaGTf=@p>Y~Q^3DYhPfw$!Wm4Lk_HE#g(YphOEp2r0I|$+v>_!@bo%o$G}& zs;X@!tXn7uL`|83K@=eQKlSz|O@HCUct^Zd@DVPQ ztv!iIP7dGK<~gSsNtsr);Bkl5t-`=TfcVF5N%rZu_+9-(lZ0FD>;Ul=Nl?j5o5y4I z0%FS0CZNo`vLipiIvFx|lbdfmpKotN#=W6(l%|g7|Ms!|P&9#nxY7mU=M*oC|KjlT ziV6eQbXGvC{tU=e*Xbg!svAdlnW3i1vxxbFd1?_b$m_qO5&p#DtrVj}Ck?iF>djMm zHJf`O6hZt6nj;zIvo@M7h1p#76X&4>Yu>z0TE<>#md9*Yf;5rti$4_{dMQo1)jBnQ z7z8r-`y{*I-^9VN^j_W&5o>Tjq3CR9XGp-wpTg}JXoGO_aCj;Y2_6vTa@gt+6!@IQ z_wp4~iY?Sm*;3Durk>)tM*99@0%q4zykNYspCsX(J6XOc9s5)W$X_Eu1Bqy4NO zx6JOPps<{$f=<@%sRF=j3ISdN+WaakK$qkPW^P*WMwAX8z@4!>xiYCR5Eo<8oPp)0 z&}P9%_E?YB!K39YtA&*PtVF=@%sxE1JXe_PdONQk!53B8YpSLXob_-u?QZJDf888m8PXfCUVPB9DU3-bY_n>0G5&-8ud)58RX%+i2nqutk) zo5St;CX3SV% zaU0g~|JUtsJIB>lS46qRrG4JvThu4niWSf$m3dW#h{uRbTJS$eABGdco$OjL$l@`T zAO*yzhsN`ux%wnrbiF=G_YL~+FWH!bWF;BF8p`?#ArxR5VY97&&7a@@gSQ5mop{N} zeCR!533Q(N<*NKM5B0ePj_vucmX*j^IF!6YHh4F;7N#=1Ifk=&kGt{q+|}{~$G|M$ zF2?ki+;uK25dJ?kzZ^GSClWdgNHDf+z+VIAECdj>!wNUf9_G|9#v;|7VQ@WzR%1x7 ztNVQ)=(5`)?M}gQnm>@<+8)Uhaj$37kSFZv$I)+=r?3~DW3)J13vtjght=^t)4?LI zVP`=gr&CG?yzt>)Lx-PYKj(+3D|V|QuzQ5=2zfS07aNa#hjSu=TO=L^w{$*vc+ia6 z-ABt>FD=&^5H0H=lN@!VpKxKhhmOG=1Or~wjsHpl3NO1j6j=rV>yQkF_PnPu8x{wy zqws($5O_PMIL5eg4CE|%)?67j>GnE@JD*2IdusiRC$2jasXHU43Fr-+B}mF472!!V z2bA>T=trctexkvW2Hq(;7!(-t&%A&WZ4eADXkZUPpe`5|gP|+ld^v!m!p9zD!Q8`q zUGkQbK6tL`_@|ifjgS8P|oJx`Gbd&bOK=f=+S_H?rFb-B@}M_?5o8xlcp9^{X)b#;ShY$r~GAf@$5os3O zVkn*jtS>jSI|&KUB}0};0@B|lVjwgB=5k_9hkplykNte zop-H()dB|k?gq;pA?D=goO>3RmzPsM_qQ)><^{&S=sY2L`L3h<$J4MnhmCA7M$RZa zX+vcrr=xp(dwtI4a>rC!3y)61t=^G_1+khel>pk%hvQoMpTPWi?PE>z`!JJ)jocW9 z=a6M9luLuM9itE%h{&`z>)%PRk!T3vy7oUp(UX7I3@eA>07uLG@)i@NQFIr4MU)fWbKyIA1j)Wl;mcqi!mdici|r)3s^D`X1U2O5IJ)O|e2-GOkYZ^Nb2#$4w4rP3~LP2)2B zsUsAhDXvrknWsn81CS&_2ZSBg<+;9}?2Q%S?t?+q&4JIonmrJCkT$Ih(LJiVnJs<8 
zAHR1BRAh>GtG36BJxtq1HU_#MtWqU@zdnI?9eQOPQnrB=WDoZQ6szI-%AP7+9N;d6 zxL=X5vOQ-Uo}L5LS(2dN3d$USnS^z^Z4Ygp9|Qt%m6j#V;bh>z6O~1JdWjTGwW<*C zpdP3IYvjk9=;O1nh0D|A1;aMoyCR>JAyHF&4KQ~HY#9ySML^2c`lcJ?zbHPvp= zGjA~KtvZBFig8Nh5?R3o@8Ih_0UtJ5dmHc+e6bX%q&_nD_s8^?0|jUzz$4O{Ho-QM zySl$Q9)iv1QNN#W=0q+7T8w&L0!(LkgogdT1X6+LMw1seLXE1>JlNeGEDJ@xJOdgU zj5vx&FMGUWd8dt}S{!1gJ9n#ISH=pCe-eA#pY$Rp${@nj)543USo!P?kkkruisk@p z;n$~v6p(wsfmj4jayIU1i}l7l4(2Geg-hun$Y>Ai2z0pEBpuE^N@<||2D~O7;8ONsKUs> zWPcvN`Q3g^R)QJXqQWKFP{lJqnwZ-`azv!F@Jikcnk)<{0D= z!#2zGJPM(VqcjbPS)*Bvp3^!7Bn5)h0!Rh)gUQ7G?ZSPLs)U7Tw&3ZQ+V*`8;EeFn zxN};LNt;^9$e859RD?~TA*J?-TDdaoTJG+AXVYexZI@Evgnlr>5sp$yHygwl$5D#C zV)c$C8pfWW;*;K51L`twn2!e{J^CF~i|~~FweLIzxF!onbm~?VkY3lMm?)wQ6Zh!F zx%pge(ZPsHFb>bm4j`7K*OTl6R*s|9G|sVjEY*xrgUf;DhU7PTnqt+IsKFSE%iHq> z58BKPT)N*L@tC9Lj=*ZHN5N3x{OQ-&%B z{h{6Ej$5iQdQ~i)k|snQe1X6@t#J^ML{-4Ok{!589dQh5KXYYpHMHsBicJiWrm2V^ zm_ip>SIu)ePT&QKtTB+keUOi_&Yy4cSOMA%nrlHI9%uD_-5xE7)E4W0-m@4*Kv6O8 zzQZEzD*zi@u~;kz0-H zXRdoJFD*3uioI046ehodIPaet1<7s)#T^ufLH=^_a^>j6u&f7Ld z15laLjfd-lMBUPfS911zjB_A|B-ukvS$NOcGo!ji9c3V8X=1$XqIa_T48`#k)Cd(O z(!F&_LSFSLYU{DPV!Zd!_6xJ`8WegMrlYWVR~seSpRdtiiGGt=&nux*K(ZTF88jQF z-H>O0MH8!rWY%+qlfK3(;Py`1;#*^7w%Jg|_9gi@nMVaCzM;C9!Z%-gDfgzzb5b-j zR78_#N@xl@CjXhI23JcF4pHx}+EP$vfy$#Z!T^S1rgFUhgTLHqCz~XAoqZFeKg4-K z5lM}OPbuf$0j_Z<&Qg~}&M}3`K$el|(z50e=uKiddtzd6a(Erq3z@%2$39TsuZ-!Z zw*ai5W@0+=QK!i_1+thN92^?YS@q@IVoY>2N_8QK<2bsguecmHmE&K~yt?DvNXuCd zm4x=3m)37H#=oG=jWscrAxJRs+WSSFD!YFb^We2(yn&7^=GrkJwGpK1OEVzPiiUD#f26)}&BFX~MNBs$Y}U>PucP$C(0$jQE*#6R&^R8m1JhG3> zbG=T6rJ_{LE^Ewj!*g#`pJTP%RE{dXZ}d`^w&`h!p>;-GR}0LVZf16_}VqdH*QjP-C#Ho8>yUnT0*syj;1VT zoG#DZp0}~lRGmGR+T$DG1v2W$u*1{ndxV7}~XjXdI{;a!0aRMiF~+ZtiP#sytE%dqr*24irCm-mN2SQ@=$kp)Eu7uF3sW zJ;XBiL~}nmri6teKQu;~T`8cSnB64UeaW}6PFYWtT!FnbH%*g0i&{tdTN|~QtTZD- zdo0(QhyCNUs8_0@%z4d6NAMIC)H^cYimCflzP0AwXd&fvr$dIjOPbcAteJ-)vLWa1 
zz%??;0dZJrl*MxZ!dCxP@1*7el>jekgv%QsA3I{wsw&M9Eh9@Kp{Ryu@J3>QXQ!0tz?+?J{tk)wO?qFSlBkRxd8>EwPgUc$w<7f502hwa^Yb^sm8FfFBcq{?TS&z+5{*J;pcB`iOwn~`qfTmU zr05=iO}&c#XN>(IOTbyW?g!1#SNg2#A@(@>cL=(3S{bpjdGuSC^{hsCHR)$)an~6E zjWIRoy{O1~UZ>+mY-&H#7dl)Sj$`H4X{hAp$C3)6Y5lUwpcLH@8#Mq;_aB01isXhZ zCD?NSJERYy)&5$1Xm>Sxz9!PaWHZ$Tc43B=CEvq`!CPK4i-jypwsd-#ZhN{avNr^) z%sDT&EK)>efq&8E<4XGPhA98i3!tIoGbaZ>({$CL9ldICHuno_XYL6Zbvtw1&@R>mh{i&Z~x-EI#Ivnl`&{f4^d&hYgFXh*8_al??3u3 z$$NhawMT{*{bquQ#WtxscH?#-O!vRllcSXMxT^R{~vE}85VWd zwT+9(g(4v-Dc#5*APtfZ(&dmM!yp~fAt=(_4k_Ir4Bd!yNrRMhgLK2Y$1Cppz2D>b zKhOQ;|G^J_(b>Pf_gd$9u5+!8CyTo(wj$wk?I;@J^c$c*5^PW#eG2}Apm@*gnCQCQ z<_)xnJ}wjokLejHmf;0~bL=ZlL=-jZoZ5~b;-UbFw8L!VC|0_)1!Q0%OSu5h#RX0g zTfQ1!PL z;OTaDAeYsFVte165R);in)HbgqX#QUXW%gbp&t)AsCH0^#r9_ zcQ#gO-t;+f_UXa2ejK~zW!L_ej1Cj9q0es40XJS&c;P6=WIK}QWID6bwaL2DTe=;DSjb@=C8P+*yrA0YdywUzYOex0*lt)h2#7G zWK>*6e{otcx8;b{6+O+!zrszsMieOlawc{<40p=%Y@uq7|c>^^6lZe zuF%02b1dNV;GF#0>kKYytvNK3^K6n zo}E6=R~Fq+Tz8_9-Wgm){nga3-b#do5H zvLk<`{1MV<@6P8NC0s+X3#U+n>?92e9@f!kwkicP+Bpmd3dAGa2#Y|~iZ&zZ_pGG?x$LO$JP4`(be`R~SEUgC339{@_Y*ufZ zx>m)yGSQ+x|9;2u^J`nIh=m5a&o%`Nm9xhfZ{GggIbIn(8al>XZU{9s86G}uC_I4$ zpKSA6rRg2qZh=SeLF)IXl-Pd!B936Cn_s!jZew^hF_d6bRXc#b*`F<>ne&mirHFu(kwNF%l;8$!zy*fAuQTs*^6R$Tg^0nXna9$s;<14U4*6 zD2tNL6ka@y-yoL+>yF?DOD^UFWrHodvysEyjp&Sm{u%B2-JpFNgs{e^8_#aCq3x$F zt$#$m0jD>=Ad=z#(!kKcI%5*FLPN}2GL0(1sFR%zLjAm&DjIpr99UOo8kp)JLyt<= z&zddx)ycp8xuxFsmGR+yor5N+73US$r&=eP>hhKMdm+{7-x$VX%CNHT27U>FLa(#roDUU@3tU*ec+OD+Pk$ZF17D$ zc{bU??7K)EE#>NAlsg%3fTZ5-A&{jraYv|8FXzlU-y9aKFOIXyY5!vf@Zp;$J?kZ> z$KnOC^Mi%{%$qil$#U%e1BHT*Gr*BTIk0XtDU#{L8x5D&b?RQs9a5aOWHPdq(k|uN z-7D$5$9R4~FMYAkAg%YfTFq-S5gDBrAIwSY_CXU-=NVe`$rDP*no}&t$Dwhv|Buzg zUoS(Ap^1tmUoHjr_&4@C)hm6C^(VDFBGqm}Yic>`0V}(Zzzj0t z*%A%S8c4EsG=3`|Q`~fo_sfKy0 zmSSveVuvfI%QF)GWkUO`k@mYHOfjovM+sHVRp?kBP#agiuf5SZ?H$|u@O{I`l`;de z%;3yrfBTn*Y4t6$Wnx^_*kBMa;cthFrj;&U)Kj{zzErPgI&$9BF3?NCL<;iGmF-P8 zm2}^`ii91SFILj;B)~(sxLK89;dqSCoy8;=E3+KDq<|f{~ 
zg#vK9JAJY!?{pZX*`Kd)H~QrGTLn&g5uS1FHpzFO4oasSl%X;H4M#0+GBR&tOTV@qkUIumg%rneuT3?^Ev@8p`jew!80XJ3qru@Pt7UON%R`P*r8D9(VkSi{dn5uTh4ZKJz~YUD z`3CB>c?tUzT(M|5oEjcKFxxEWIet5JJvxQnaj8R&365>Dd$6R7tUUO3Q4C)be>e2YNZH}%KnnrEevm8%@7)LnH=w1`oToHeXmo!HZRa&BAr zcri?8wP(31IN!w1<@@%-;wpPUsOs9~dk!zTI&RjIFkF3i8GSztitW~pJN7Mw3A&Z1 zUV&=3wR|RJuLo^)_)moh3A%1gL~I^(ttDIcja@n&)H)8ulNFJ>zpuWhx5fJK$?7|M z9F2wE{GzLeftr03-lYL1PCGTmYQNmN{2gPUi02&!SAB)e>&p#+(r4)sC9m|3EipxE z&4rcQs2Z9h>bRIiTtt)iJ5tRN_SwK=mjx2Nu5>T^5038#nX3tdc3m{wwZA{MiEP#7#? znEqod+!BoTBCc?(C5~3jje-I=Afod1U`x@8hMD>KszclJqxqliIO-W{qwaP{t-U(A z*0BnMG+6=w69_uU?;;na{EI#vA#*|{+JClFyp2e4G7TIYc2|xF|D^IrDtZt4Kt&S@ zSP}lf>9%~A5>G+(DYBMO?eK7YxlY@(qW~A45lt#x9#`9LFuj(%v%Z!*RAuHarX9_! zp@$gx#M+?D`8tfjN^NuUTL0O(`nA(}Wi*uRCe$wGXKm&#F$+1>VWvLXXbb#|`rk)dA z*yBnNXE+~%y}~mG52`a|5lOtl7_rh1oKUP*ywHJ?JHo9v*|^C)4)(tii(}4?6tt{9 z{k-&^8dLA>bPNm~F+UKemt`B-UjXJJQH)4y~%>v^l zGMDJX%_EbFJMn*8=JI2VJ%Gy}P&(oBr$6X_TPGvX73qJ}t|fe=ddvbH>fRVnlU!W& z#~*S$^5NZJ+5VT7vB!tbS8n?P8|Ddb7ra}3M(1ZCyNt6V#5+En!Y|Kc3qJWQ*=xOO zs-79{!ux1`y4}6}nAQ+0B7)`fj>u}|*@7?Os=5{;CTen8(9+Wdqd9LmSjDlO&?32; zDj3JZoj9-JJQ(YF$J1&9xkNOX|3l7d@w z{RrsN)=k@*h$#6A$YIICmC>-yr0|wT!cZw{pd&^a!dguaB1?$`^Bufj#Ap@8sHhPt z2N+-J|HJr7z`wxk_1J9*MK5_eBbEF!Uh2VX{Ia)uTb1x3Bz8j+yI*}z%$8>Rw-m{yybN?F36N;Xs0{Vr3SfTW-4PZ3 z>iJ4s47jMh5-yJ(PSAMxtVchwjt(Wn7!7^@W6%D97{WQ6ka=7w)MM{4P*l>ldUG}F zFfO+je7{%?U!0ej+@LAQ!PoEW^UZYs+X(+8xOY~v@fNuLRo7^;zN5PsMSOO8Ux9gW zn$ur`!NjNJmf+jBxFTSdscqeCeEm-ZHE}!G`ko_V!3SpBzJ)Y$$g(-8!}|ruk9Rqm z{FJ}{t%%*2|8f`a3kirPL}ZLFQh}=-RsNT&{ofQZXiY_%{C+|NOi}*bO>EPR&@L@K z^~&=J(Rv?FBDa9abDe}Asf>lDu3nw^{v&je3z>?AUpE=20-M(<2+R5a3jbPdaYfCX z^C|>Tpqry*H5rmKB_kIrqmCGKvq8;$EvUhyZvaxM%*PK~ycbk-5t||-Fd45JuLQ*K zd&Y^0_o9~N>-d$b+I!i;jM4bm8t^(2&~SAe2Z@?mcX2-K9GLvavo+h})Vj4Nv-$z; z$o)A!6#EcuGUfeG4W#w+tIi1jV-CaItXE}|4Ll)J4e~i==XK8fJ};c_?P>H$CG(CF zM!;q`<9)7r-6)&;-aY6bjIf#bL^k9-Jf)SO@w$+o74dqdw5`~*3tHA5PuJ_7 zmsLjz*dB#ty>bKzAMND%;K?Lx7JbGo;JG>}CtGk&xk;LYkX6 
zaHVK`XIoQsM-Qq1eSE^_=9C~0AlAod<7=1RxsGV0U9Wp=hPrpa$Iil^O)t5f8hE+8$Y{ zPgK6W@q=&6k8EPb2f(0~C04U3i<*kLa<0+&=(kr{TX*szv+&lQ!GDc-Q$=IVW^5;caE+!)-~rs*mLjwF=`^$b?zGOlXDExGi+Qlk!mAHkS2$jm z%b(okD>Qf4E#`_iu%D8NP1UctT(MIkMoTS8=Z6MD9!q3l8*IR@x9!sRJVQnDvHB%h zIsOdhd7pv@eqKfX*9TeAZh^V`2L4w2!KS}~Z)6@d(M|xM(iKcOgpR+_X{&DhYQkO4sfP@ve%yS&xss7G*J;x>H|$!(B^1 z3(`SjffgrRbv*V3_Stj*2S*DHd>%iDLDI^AblsM(1`}|+=HH;3&MZGc-DsDt5dE4Y zkOMARW+O1tn7%%Pia?dV9{AwAWPFq%a=#lLRM$(W@P45?1E&qTkcML5%-wrcH5m<$ z>GG@=0_tfjhP{CRnb-CBj{LR;cM>%BNHr`}T9MNj`sO`S27ljY(G?p5EUP}Xrp%`+%flK>S^WXXEy44cF*@hgM)#Nh7)Pk37OZVpUq5TRep~ zG!NB1lRAqA&!Xp^85{;|+W;1k%j2QD$4z;@rf_eQha3n(EcVS@++E|aCsHi@k-Zms zyvf29a&C@@?MC@zJ?}dLIA6ETmJQb;tiTurV8IUU{#WTi1Bkzu+%eqv?@Q2iv5UVt zdc^-<$aEamjeocEg5U7!n0(xMd}V9_K56%rA{!{)I0}__&(sTi;}t6FUO@8RG)&g& z2=UFE*js5R=-me);PX~jM1D@)a$xyZ7_(P@h7=C@#FsKH)Qn8*{83p0ODg+-)`lyS zo`4yg3wd205&YMv zC_(1eD~MTEcA zQg86n?ae_Y{*026uC0Wr_RgNKDQ6TRv3>7Qp9)^i$w62%o6UY*KYqE$RwO!)+{K;i z`=?vHmxvJ*Q`-KT`YC>5_KEVtVF;)w7Fh(zf{G&MhPd_+&{7F<7MxFtaC(zQ>FcHX znx>IpE9?)We(ly*m(V>14waOz6{G?!{ujWH%M=1|+ZN_u^GWDX-3HrmFxK#QM@pLb zdz|ZQ-?Y5)TD&}gJ$yM`g&E7Wz7VH(dKw-hhF%X0P9*1+nD`Cfm{Xj-J}DW;crErv z*YC~~TzS$~?l`jd&HiFRXwNm?V~3;Lpk1-9X}BXFG|4fR6yu<~Q*>WFVfrO5W|7>& z)IW`RGrW5@0lqXoFK&y0fi7FjkzUj-UgP^cec(>30Wr-hE&#gNcojZLqNA@x4Cxx$ zmJBLNur^Sp$#iwyK#|Zx>Cn|5cxM8@Rgb8$?a?&>;MIr60I$A_Fsx8yz~aHpTca zYgLV&KYo8TaWtmw7INj?wmXCG{T8-^8!7@i&3?}Ym?2G(l%ys?llBipXD&Wy`tSx! 
zP6q7V<)N?fpIh*R>1Unrp#>%tbiqi>0;C2bFjyxu>}a`KFR88sxA>pBrW1G4&T>`y z&?WeAF&-AgOdViLx&Ijl@vnamxbSCuex;zdG@KUWWPerlm%-a0@SnFS71Le=d%F4a z&i?|#kc5E&QW)R8D$;Z0vg;%V2s&Osy5#b1TUkcH`YoUkRwviQhj{NL(ZB(Z>20tr z5CqjZB#j)vWU1ey0sh`l+6XXX;kxU0qJ!VnLTA0pE);R8;VVfh@LSN8Aozb<2||B< z>{$taKq=6$zG-3)Y^Yo1;O2wzKkF$EO#j|c`LwrB@xW1zfN^-XGw*}nm=S7F%Z;8w z7tLorj}}mDfQ+)hKKMsPhR79LTw^V?`P#w_S(fXO6#B+xYam$+EAy1aF=~&Yi(Wb40{^f( z6yjoHv?oLd74)VH{db#=j(eU02fit?7vk+~g4!DEm+huK-E2ke=mKMoy@i0QL()^I zIswL?07`W|{;v*&|D}d@J^s4sqmqS4s^{N2??gnr>KPpm=w7p$X@!24)QcgF`wej7 zd-ZY=(}iykhU<*begkOc^d%9N$KaRtf{T-QT(sWvJiowu7hbW7bMmpu`A@ZIe2@XcdeD|4duH%P+};WgG9FXp zSV8H@Hm$h~1Nq7LpFt8xK%8^B?EM=X&=K4cw9bR9jrjf_Zfk(4-ch3vI1(-VeWo&l zgr%aD^_?@{`LZR?=F;95stToceBJ$Ky2x# zlSSOIM9f3*z65kfA0x9X8$zAZ*tu??$LI#oxtzk|;zf4?1EfT`+N9n<=80KNm8= zN7x>r_O)!Ad9!Vsmd6B2#U~%AZwX&_Mg|tU{`mZr-}c9J06EaFP!iBb&*yJXH;Sp! zq2!GfJ6%S3*wc8KJuorT^|mJPZku zMiiXy$aFg|5*`@bCBB}BkwC*T@dDA~LPTgR8hC#023iSnYD#Dv5rkJ28_Ak)zCTpw zB==(Pd*WwSo3FnZ6y82jNm7%A!xBZiT&ex&qsFKBSSvMdDHag?)_wEah3V@p)krmj zPFd8lM;>3Aw$zd@oF8A`Eh#6`;4k?`{8$Qs9wC;D0%c(^C+mNj@kE}RBGr-qUeIwa zP}_>$pD>p~Ne3nx2J7HXmMZD&4ya@MvSK9KfvuhPL(1@rv+PA>*F8dHbQNYz=6#MR z#){2?b_?(_!AoRHAQFal4kdW>jUHei>0#l_C|{Eqqxv~vsnGk14y)x}J{QuN<`9E?As=L&VpB4*xE zhZFh3i~JT!@)ZEN6#$jxBtp<^`T{-Bp!8N{J$SbwW?CBLD+XY$uNzGR<2R*7a|iQD zT||z^wf0wL%PIB%K*PFP)$_4TMP75s^gM@C1)Y5SS4;Vsj;cF-+sk9jVf$~V_d3DPR(f||BU5O-*6em~AbI3UXmqJj56i`e?}}>D*YA|GxNhZ5 zs4vu4PnKT*$Iqj1otOe4M%Vc%Cf8QvpOXt%xRd%PG07Efz6SG8HG({gYxsV@%8~ak z>}U4`l4q1G^3?d7-!IQs$V}ebw;aM@eaw*c89@|{qairdub~_&1G{Xft%f;x*;?rL zuzz<${Q@Uru`Yr%$JJP)#iu~|AeCzjk}f{k@-@1T`&s9f42T9N{iYaENDvLufbj_(4O}B(ckH)<>K`!vV1pQOdwPOQHQ?AM zE&^V0kkab-r3FE$sC3bwXkrhdZf94B_L)vm!3yq>e91ieQ*G@5EjAZoh@PnYcH^?` z?g2z|glDcXK@{m$0wh~0sdnC3p8{kyMGz77L@4 z1oV+TgWdz(RLVE=X;27Eb)jCHi}KlvBtX%FjnJ=9EDlwJuEbh&`W<#$jk0&g=n6lRP^mh;C|Jd;lvNs5?W?70d^A8j-Lw93LO#z>4suMmL zOp>|W|KM4juMtK8vO$ZSAz_f5<=8`Y4ic{diFKK^2Zomww%g%r?~OO0{Fe&+Q&ok=ecCj;(5Jsf; 
zuP$t>R&H^jvZ0QDoLH^E6H@$d?nbcNM+MrxEcWX@GR|^5JP!$uLA~r*9s!j3^~gg; zy^xLM87At`h=>3qTY8YkDjpF@FB+ZewCCp%hcv|)uMzh?=yHNJbdu7BSJ>b=$W!Gn zgzfORP32-1P?zIl9H3tepxcWaPv$~SGC<_;VBATZpt;TY#!nBNm+;cmP z84Q|WelYX9=@I#Do1&1!5?p=niOZ2Uec(4UgMnIr)~=+&M_v(5qP!nsP=&#qRg-0= zhlm5}dLEZOcLiydIL`7YVpTS;hBLykC?En!xT--(acG6mC<|!t5uhuwk2_%NI`n!CGlT(CL?Bru+k`6)@X-KaL^%P9O$3+ zmw2I9KdH$luUD_+5IBj>v zEZkiHa+*r~cj)0msg}?TNcqV!CPT!r3pgn0f0R<+%*E24`*I7o}OUZyNs`On8*t5x@}w@xYK2*%RmQv+v7yFf}tk; zH>%bzCH0mfRQOcaQjDpsj2XaDCOYg8{ldPB^Je+YjnmB@Gd%>tS%D?`H68#KP2-Vg zYXsps_vO@4UQx&OTW_plhncGk$kgh7y)}2v6rX&nzAF4|O0z<4N>lT@?Zlz6ztyCl zG}X$<$@i$yzoZwV|3-RA6oj?2F>|xM;i;bT3MeBpoOitlAXU}9#t9w(+RA3xoC$E9 zc6l?Sz!b)mr|uEfeL5-tqRBEH3TRBYu#-WoUcGc#KAt*ZrP&$$nSA=eFb!jUH6{A` zTkO*n#GUT;DswePvf>C0p*?l}G-@yse~1RIQKS9Hs9xM0q(GzD-!-lOag@=&6@38a zV3cXkx6)_2XKCiZNsZ#IJ>x{uH@$5UhHE&-Zi2Jlq>Zy_4l6jL%{#az=*=p{!g<5A z4-Ea1J^R?r0;SV5vF9?~RG+IkoxKsB5dTN?PPVr3%GYC%7~zP`e-dNj#KgafH{*Ug zK@)U*8qW{z|fu;g*|LLI=W(whR?40pUOSSyS5bU&5!n;Xk z>xaWo=YrJy>K89MT>@i{J1d8lgu`ksaTbg?*bfx`J*6@!USe2)ZBh8K6+;)1_!I7$ zd}X{X(3p@LcUa>NTO$$^d&PViqbQ0iUhIwqy+d|AHI*qFlV$7;jeG!h4T17YJV{9@ zagz@pQU`A4XYYsXSGz}EAtU8^$K@R&6X=#FU6(}^DaRI~__q_@a_=D!g)npFLu0!c z6Sm}W+*gn;^M^buF2_rpSx*^I3%>@d_#$BfW-?Ucb~LEndgr^&GxeL-v!L2{koNEx z<2Zwp+p&$8+ddF+Hjn3KV~!mA&t0Mk#}_Z1b<(E&a>WkZKip$3CZyh8<}>IMo{wNG z8o&0vOExx_W@z>s(*_+1uRWj8ir)`jT(_A$iC}siu|7AJATnolC-83g^txVPZ>*jq z%NGVbo$0YJ37Mg^M-T?oSLZ?+9^Ob;__MfWgPYyn*CJs{16c-|&G49nHTc)`p4VdS zkFu?-7*PAe!3q(pQi!_XS}S0hH#x9|FG)~_@tYzDoq{WEL(>C--wusneJtIT){x42 zB6)J>olFxY%Pu83k}%Qbk*xQ|^F=y?`rC zi=+46#<+6T0q(c-bmEb`x2-S5(>GgNiKCpcm_Uw6S;4qR`JEVhS(g^?IAOpQn~IS1 zE2DqRVPg84&gq$OPA5@xadKTj@CB&{Pwytl`|s3^aE&+C3(9nOKjRzdJn^U0NpbOM zv~yV_VW&CTGFf7bz5QXE@ zahh4E*sB6smI3Fu+)`%fjy>mhy($~l1q=RxWfj)Qaw6A1;(xXOiX$ zP~`%HL9gCrg0a=+j9zWas4oxb|Disf`T}v1_sFshbHyK=JD0TeFgjoId z$H{<#!T1ig3%i0L=Eq`FNeM<)w2tGFql5QUf8gMU!>-Izgzv%_1q) zQaRl*ekn}e|A?SzF(@5tOFy7H_q#iWg2GeAl_wJ72#T42jqTRz1?I}HPGI}MsMG*8 z75l93{@tnj)02y8+<~TsaUbT!!TNKS2{VpwJG#w6 
zcP^YG0kKpnDsKyehBc%3#3rmra3TjI~rl419`J>Ty9?6R4%({7~O)>iGg{FY>Np;}<> zionxc-q*XKcb6wl>?ESEVj7I9{kmx&UCc7#du>YJYa8B?l@a&@lP4+ZwK|tWyV~Pj zGK|D_w(vRDwPF6($q^IEaR$2NNzWy1@dBehX~?G^yX28C>r^^DObLyHwb14Tc&VT7 zeR|jvHe?~9(6A)CgIy|mz&vVFP21u)Orq&QQ^Eupkkx$Z52u|~($PSTrEc_*I1`s_ zNK1MG|G#O^N621}zCz9mM8|B_TM#SkMnbNS-vgtJ9w5tx@Q_jpX3#cqzoNL18-v1T zh!!FuPsh}kIm5W$GDq5qLn(hSmU)qqJQ{oNToXxq`!grgTZU)?OOc3 z2UT9(E-yM9FdYW)`yV}`L#c&B4HU0<8pqT2r&F`rpFsjC>#0@Tgp&~~?+)KkwPfkv zk|fSJUQ!9LGF6vcb_)H8MW_9^9HAPuU4Jc$VF*(IRyo--XdqgT4Vxj9LMThpWt==* zRUt%XfN-2gre2;Mbg^M!vC(&&X9F(z$J^jbJ@cXsrSZQub54&DwNlvW8HPKqqKm!| zQ{Y0}csc}=W1w+erHdVm`(Z*oH#ku2;i4Z}nmKm-;cFIwfSpcNuvfQ$KuxIcKq5S* znbc9QUQU)#X8@bfGU;Q2KBC#dMRac9$~W7#qkZc9R_a`5%H*&jwb?MM9~3J7)ni+1 zB=-**eAb8woKnhFW@X^a!gO6MM!e{Ppuj$uLC&LG}Lv^^ffQzOM~>NG2R_X4q+Ws{-s9)o->pFUEIb2(ZXt}$%4k*uM1 zElGry5lK^+kgvHoqBg@wAtSo)wq}qaT@cn_VNmQBlKnMKU22Dci{~M&05f6qHZrt! zDi1?jk2${0bvWr$E;03TMOFJ$?X~g*Ri>w3It-_wiGXQYwGsAs3>$vY?}5jdLRbO5 z!01i#>P~gB54lK$9<1eN&cE_8?qQQLIHG|Bs<;`dtj`|H;J74^LbIW?Ar}}Ww#fzWv}XKqu*JbJW6HJjsh>EMK#NlU-N{H{75xHDKVDJ_C<@K{YBBh&nHZv}R433T zr5p}&Y8LraUj{f@t?v$fgwD7xH)SkaFh63Uub($vD6KcRei=XKvq(Fevh2~wPBk<{ z;k_kXV`;8~BkO5~6lc1<%k`=|&^%vSZmQik%TR7Rxk%eg zIl`-0)7Kf;Q^C#irp-ytlhGQBdG0$$toF`0w`3}2H!9{SQmB-bDX&~E&evopKE}K+ z#J6{K*t)qAowVh&qmGXu5e6e5gb^U4M>@a`e46g_ieiUO*|SBa(io}?)Q#k&*}Xbq z6DJN|@Mck{O=s<_QE|he=D5%jf4yjtgyTmr(Ekr=)Wb`P={+|_ZxaJ4EgOk1&OVK+twl|c^93Zvu*>-fg-`R z#ax>Jn8V#ZEfOve4l^c}f3}p`LD~CeS6vrRv#d}CyvG%?EiRRrsA($*uti`qcVLo> zY;ts-7NPR^*~JIJY8^-}_Jo&&VXrrPAPwqz4U40F7|b|EbwRzOYhqb>RLCdW3|j$l z>vm*JL9+sc%o7bgx?3LT@}MNu;KMFY9~W57-ndIXnV*IrlG5RSO`lh4lTb%XC9;vJ zEy%)S>3v=h*qM(c)E*RWIbv*#q54H>lX<*ko`mDtYqGFCv%pov-Ey?SXBar$5U1*P z*?Zs5Pp6Jvj%seC|FsWzhSg>pc`fb>h=F(%O>IYN1z^r%@q1E>0HjD0z zR8{NLHxg%8kJf(w(V7wQ&DFgRX%n}`7dI3o!CRzKYxf0n77UGZpjX4I8_F(LnIOOV zW!Q$nR>!WAz)J@hNoj}}(7Txiop^K~Viv=QRIhLHFc2(F=|0^i6s*cP4#~R(Pre7P zB%zfDj*b1KiW~90U!P({D)9QxH!D-0zyksn2xcJLWkX`aRr_*JujQI6lb(%F{1{8# 
z(VU+Q!2`3oULd@0%TP+;W7MC>U1#dojmCKNs3fBr0^&wBI&Roz_u(QBqOagFkpxgn zQB0d0`^e)IN&6GH>d-q~r zqK!JFFS4fYZVfvXOw@x3t8saALhY$c|MH1U#r%HBPGJ_Q^wqX9Aaa`iPnvPDiU1(x zDN-;FT^lyyV4*>&XdNDg&k5c&9&umkOeItf_hzo&8ZVQ=(=oEb4G73T?WQEBB!jEL z4Fa}Fl|u^`)W^G)2?#rw>y6fZw6X=LE}v(GbVqcU13s$1X)7pA?S{@WBIeEu*8oRl zz4qnVWK>5!?v00Yvw&o9eSSou@S9GYc56o3AZDW?q^tr6oBRV=-Qo;V6jW9^%uH5~ zkKB(|!oD)$?+i)g8r-7esd}JZ?Gj;hM`rjv``*peF2?zU*_xl{HB6<=u(M9mfyImM z1;J^l%YKWebsNs3ZXvi2WL&M11;LYF&%U5&_&$P{Q`G5DVA%t%%sr#RqD7tRy59yR zr*Pm~A?oc@vq^J;*^gUB_x#iRP1Nxy!~(2_4QgzhUf9r#H@NGLv#<5DA{RH`1_V5D zsS~*R8E%;|e-v|;s)ptm&#l-gJ@J$R0LOsNE_Wn?_0v}ngOd-~pe<{;0y+c^mZ@Yl zUbA;q@PIj}5t$6vzh&R38L1u!R}r|6uWDuy z(MBsCNANU(viGO#j{PKW zYLWX#Rktpca&Zw&DTMb!%0uI4!AzlTm{B3%2-HfHig{XH+M0&_5y=~f@yPdcJ(`he z@1>0NJ=?)M5j-Lc{+olWfC+g!N=>yaS3p*{y;UoRy1X6R(cqevS zpLECg^6z6oAE5$(d>InqGOD&fH6EfW*BW@T3N^P5Hj6l)uL<`scT~nO4Inq$!F(O8 zfH)b`gdRGDMds2V?P*Yw01zImkpt|YtUSl;n?rF2i`FFRl|D7^YOje|SIduJ%#~WH2p2G?V>c%P~x8 z8w%K0aIMExYq4T76Sr=FU;Y>oLI3N7JjtGX+z42%Y{r+YtA{@~5>HG6^y9-++$?HF zDoxEYRO+g8SD$_oH!fnL`i|G6E{RYMuzF!COn$W@9_pMcQvNj>fNROA&nj+_HHrta zJHqFPyP^Cmd)H~=rc~V0m{}rJ-7W^Ia^J4TTAx3W@GzKj2)ahAbPr%2C%HH8!M?8z zHNs;AHZG7z(66r)U{3ZMPMdm^i7V=LY3TqA;xH)oO;fI|-my-o=R14Pm%o)cxJC=> zwv@S+yPD-VRgG_i1cg(a!Enut_={+*_UTh$ECtHO)#Pc;xBNEjl;S#a;C737C#vnH zgn#KXOGU{r*Tdu(t4$3v?9+WYpQ^ZRTJoUg=I_#?up~&CSs)Bm93efcsvj1D74ko5 z^=*EwH(vL9(ky0%$RNr*PSSzsg?;bcnH+Ziq~gZMX&*i$N%uCu3R%I_Prb3+EXw6p zuJT(ga?-wc#vMWSzJ~ic1`QCtJUwmpeo;5_UH$sG)|Z`o57Pra&kH`p>E?B?bboSF zz;=ig9r){**8~yF;eB*a5dhO)W;CYQC!8j)M)w{Kj&3 z*N2@onn3gdEBsb(oG59#!vbpwjapvLajd6RaZ}{5PZAcyf2gy*rl$01PWwrKE-ox# zZhfWz3bMDNfLJtpCp@O%A=p>XBoM(fvh>&(2_s>)EXz+M_|NUO08M%Kqrac|dyZvj z!$ZNEH~0`@XQI49TXoHEng#1zl3RZQw?eCE2QR!>En;7Ui^##_dI#EX8inuIaC%z{ z#aB}iF(}@chAWMlWr{J2lc%U9iLnwzTE{+4quZapO?}7N;j;!W6qpz=MxRf;O0hHs z)Mvnzn^=*ctazo^*MyHhiH=3Z?Jkvn6 zo}RZv?!L8t&aW<+oHc!LAAe1s*>qs>>WnYs-R?&@ulm!rvK2Vbx9Q^W~$r@(r# zZtjJK={S|EPv)KIxp)Q@H!~XJb(V!>Ay4khbYQE31p33d$u)mVNuLb(b{__T>1r_P 
zff#?IMSx3fk=+r^ip$f0_vTZ$!?{7E^l4|SU@Rh3gxX%pD?)`!A~QA{*FuAHwFyhurHwlAY1aN&_WGJS{`9?Mq}gAo@%#u{5-a zXHUzFtTY3xlusO~-%hb5!1(Sm1^t9t^4%;pS$!%LX^I%v-5y+yLcDZ5zrXQNMHWGL zR_k;&=b>5WinSZM(YPa}24=KyX^b?0lTjz&uJAd54lRSV)sbT4fm;}(&QmmA4OXM- z_u^A2>>ein&4W#FRO_qzpF<=fVEXc{NN?57Ah&?Pw_&heR_~or*y4}Gp=_uX18F9d{G!P?y343B}FJS4rLsH-*^ zV3(!|6I|C*#63ImzyEAclcfRY@%c6SYHlPwhTcs8r3o>@ZX`UD$!hewf3V6ayl!-& z;^jW7HRf1oKU@f1UCG{l`>GlU2}gbrK1Jqj)1!Ag*eVW-7bBIg77NA>;Wxgi=Y_td zN(?Me}X0Fk`@AfLjS>2$rx0N5B1(B)Oj?!Kr{L=~gnjp+>dboXZ_eSai z7V6o_D{8a#hdb|{ZC(Xv3EyJGIeQ>G7r|IO+$?L}6An{w|5J>oO%evjxo7l9o#ceT z>PE(i0M18h)XMB#nwHT-5r@(&f|-~81T$W$TVKa#h=>E!ZQXpyd-KA&tHb+}M2}Q} z7*92x9sFBQ@!9PgUMjEvJw=V!-3}B?}ZPaZoph%#%wU#6OzD@*Tjq?$cJ z8s04+!CY^7u;ym)3`gHDm=jk~I6aFj(}8>gh#U=x+cj6~Knj_zYD#mrQz0DkFd-`! zR;T)7n5**@S_R8Z*n)M9LR}PgxXo4EO)x9m81IV`G4Y}rU$aib>)Pvdg~uH63H_7URLo+ zB2Eft=!L~eZZqvXX%4#QsVD3zpyzfH?8()U&-|_c5EwM30mLmwPj}dky!#g=QYu^( zo58%fp3hR|un^nYib^#Jh_Yjc1jBh|o?4-9K^BTU1bDhq2Wv~W)yzObsnSc-&mF1{ z|6NZkoiSzm+<~qq!m)VPY|&~3|G(E0-^Xos!wl2 z7f&TQ|JkLa_@T+StPv?S9U)sBOTx{rs~Mj5b7R8P2dp&pBU0_t>4azNeTST8fSF??|{xVl}-Qfkoq=1qr1n)Z$Kx3uq!DTlMA#w^c5Q6~(7xe<} zPz8De)};O6MD)KAN%YEdlm5FViAmN&jaa)-fh!hs(jfw88OPX@CoLtrxRE~&4Io|e zIDeu^tzSSs-~^{0;3a#YAKb}2y36#Tvkp@i8ZTpG+M~0O{8VXa5UYztPiD0)YRN1; z59ll(KWf@@T<9kKsgjlR9vYtyKdmsl`OFKXp_Ha@nQ%!!5+bfa?KF+VWc|!@3egg* zB>+yhDAs^D^5|_p97loqB)8BnPm6CQ4rcsL*Qc9;%xi0#$#K)VEb_;J_=&@9$7~4_ zB%y;!M;rU2jlJJL)oN+Z-;c#@EX6M%Ukm3><^g-Y1wEz9%IV~IVfK=GM_-?-MZD}z z&yV6JIZzc#wc4K43oqrrI; z3RbX7@_#6M>$t48tqoK{rMr<1Noi2JQ9w$%8vy}9xfA&&d8_@+}vzo1J+cHGv$@AmLmP7f~-uVr4(#*@$t5K}-ikD{HpICDchI&U%<8 zIwl*b2oz~7ZP|aj(EV5@Wwve+*}dy>WdA?#7q#5+CuWZTb5m)&wr|cUC!)8ujQ1wF z`_ziFmnD^2Z~SAym`01yX>4lr+a?P%Bzx zdP~20|8;LylB>?)^amfkzyh)q|IMv8jT{s?M=GE|Tl8F7iUc`mwk)}oz|5zuz2>zU zA2mp`h?TABo4%oB=$lGwu=tk=w17;% z*#Qc4HP2&yMy8gRroJo2@X>gB#s1;=mY4DVYP)HI{;8oQ5nMK?U?(VZn>jpyAVkT3 zLkKP)DVTXipw)CDSq>IdI4*PS7g;$Q-u2O=OVu9LnA3)b^53 z*3&Za43vv|ueim(t^~__Tyv{en=+tm4PXHc%#@S#P4})w4aBceK>Qk}4*7!{&=1`x 
zz~VFGWNz^dbOjMo9PKGm-~c!rFbOjF_#LcPEOyWX6>7@6_d{TB2ydfLApir@k}bQ& zcSg`72QCxPIW@J{rw+}@Q&Uqq0}(uY=lwT$aO~#?DgQf05fqGPPh+sxOU^jvszu9w z{A3Ky2L5~Vw|uD<#oQB)BH+>!hz}&4TJL*vvcEg#2o*EQ%8kX6AQ$VHWRL)=FMsnx z;9p6^`s3V2CXP2PC1Y^5t{zri*U}l z2jf_`;uumPk3dJ^8sw!f>~U*i$Uy}b56Ec^K+`Nd&KFHXQfCP2CGP&Dabs#JC#-J0DFWf5eL zUi?;p%=BD_=S4EJwLy{zvm10;Vv_YIU6xvliFE&=Ey#WXe$V?%(jr9m{@`Dp0XWfG zW^rF%Ch%=pK~6~5naV4tlUd*#JEk_}c$Z3sy4|edS90o-7g=gK9olJ&f|} z)$4v}o=2T@vc6I~a1hH1OzhLp>T%t|z2a+JdC`j`*MfxT4_4JLqt&K45d6X6Tj#4s z`J9yV>d(@kZ~kDNqX0Lu(QhX~q?GlXe-LswRse|N@3y60+pOe&*eubWZrNZPRLz)M z?NyC|1PE!I4J>*8cp!ilHb@Avs!f@_?KhT(U?1jM6Q{wESm0BgzyiA~=d#^n99AZh zeWqY?(ha?r`9QANNHa*PTY(rQD7_bA2ekxHOu>G@Eib01s9~=@r_KvCHRohb)#jNV zl{a@AVFa?N@wHlNX-XXMY<%Q6w@6N~#rg8VvNpgs{eyTroOtnNd*(}t(T$6SZQ~&A z5MDF^OXQ%_Bnw~rIp0zfzf6goVW3Pw@i=9}?NB-M7ZAWwk}}WZPrO{!i)Ur}|H-_- zn$k*EsA@oINTtdL!(G##GeLgjLcYXYg6%99uZ=?-r87J|1E_cSU2X}Vp}pa{y*#ES zyAGYQcc^EzfHB`d-CTd!9jX*+H`*8U&L28wN$BAJXG#O?5|t>(^{{-~CE6id6%1^Q z%m8X6b^ZJUutXve%uXnm#|WQ~jeq*x_H~)+$Gnr!?uv9r;MQOsLaGqz`K7>i`qjfi zv7r+r$UG7T>woqNw*z3xH0TO_Vv)rEE7g;T9IO7fh^8~mUn0oYYG@xJkdBic-oWdo z<2sVAGjWM`-9AZ^0@EWoqWK%Cv!t}oCwj>Ip1(g%2>i6Ur1EPCn^P``g}1^*O(9z> zbKQF;j0IF;6T`3ni6%DjmV=1o-U-2j7NL%gFYy{yY#%w{9<*u@@0+LG*JZ4iZtGyF zU^wHFo(f>8!3K}(3fAVz?1sDp)8F19=~-Nn$~m=vmd{np7KI2#?InMug(vrTOJf+W zb4=0`&zBk)NBfbY!B0FR(4c@YOy1RtlnVtCr_sG`TgbmwlKrz}ryfIg|Hfc}mdZQ# z1K*8txq8Jdo~MSZho~A`j)lcuJSi(9Ynk1m2c%6scK{L%D!_hpwSYH`wTVZLLZz_7 zimnX#64v}{lx1ga;?rgj@dDs1Zs;VF+;PKu1SL$!8Imr*alUF#SOq+s_v-L>M#{S$ zvn?@(TK9LC`!zH^Z@a=QXd)$PxIH(5u*hM-uVwY;)p+cXGUqZ2f<<4ccshwtfRLNi zeTyDe;A-gBQ%wbqk1a`QuAsbm-jiB@JtjjVc))j`uE@E35EW?|d^j&=F63QDLd9}F z|Kna}oarK-!L%gf2X28)cx=iTxthsbaA2n3!TJ1OO37-TWKbAe(He8gp>N7QqQjR1 zPrSWq%h=N;6X9Sv8%Qp6zqOJ`n5iP~U*}|i=8TKUnXk{%47mNWvO^wi0l=rnQSEib z{0GpTWc-H7!Gi-r`z@EQo=(PkjQAQUayL&q<>(jQqpx<`SwL0(f1?l$G8-TUsK#+v zVcEq_vuL2;ye=n}_f8o^mj06CvBE^Mr>87Jx+8#JUmPwrQvVA4x?0D-$x`UO 
zik$v>uQUrY#AA=JBhd_`HxS0BSL%7;AuWmlE%Wx=6qPtsI}+vm6&b)n`=+ebQe2XId<_Pl;Cl%RCb`65dE%{`471BvITZ^+le6IO8wbb zG}QD#K~5S&Td==f6Q}53SG%FWj~hAJXu=6!58QT`OArClHUJVJ)LknXolzWzF}mI( zz{?GH8?XP$*$PY<(@tvJ6KM>7zM@(b+? zBvG_}tn)g+II(i0#cC0#@Uq2YBT+#a5tckTlPmZp6mo%8#(#qYa1@JeH93W_GL{Qw zwu+?9o!??Dr^eBKs^KIXXgD39`&qYfuO(}!=J~Sgdsj9_4vcIMzNOp(_FN_WJZ^{e zu49wE>179ptoADd--HX{hY}_+z_J4g}fQ9{}7QA0k9`BOQkU3%sOm z-DrZ!@J0cZgN@*Ptg1gNNCHNrXs}+e_5nAvmt<$tDwQ?7m+5iSZiqcmtFo5S6YBJ+ z5;5yHekUGX>>s~ND_tiGW6$6SUST6ankIk$2m#Pk1nd(l{@?fjdg{paQ)Akvmsuh^ zQHn3`J8;w~~Lv`pq^3BmJ?tyQ@ zqyMiHa)HIb%FoQmL6GgP7t(S}bb-hhEqSNvDYe-FYPXCBoKcMZ6JeCUX4#`Z4MbHp}^YdN{e0=owf5!7loX(g;VWE@-bay z4ZE4glw>1uTz)uoiC?C5Vs2=c)cjE_qS~tJmpMa@FHN?95ew8;_ko;KsnXb_ryJP% zsj-EgNZMyP$$qUqg$rb@2PZ|9U34w8Rkw>I#qY?N1?YHq3O7ZRT+ZzsC0z1@w;PT#>rrcZREbTc&lY zt)vaAemPA(ZlHT|i7GW+grdod)uHG4vmhPs{7a7guag2EStVnktUA0rrOPbmQ&{@S zT+A07=d6zQ!scs$7d_4;h)W|1zPj~H^tW&fiVL8%L*ORA^>yH0ibWUDRl~HYQcvjp zX#7Jy@P?0Fl6)q%CPu6l_KlY2|E&tf* z;^0PIr~$p5V!zg$c|r3xkK_kdW=WoP-%ru|0~gy{vEVF!8iCXErSl1G^{i z90z%4IaG^_LBqPrcia7fq-gqOQ{zOBB!VN836^Lit!Iqo^)L z?-!o^3==U4oNTvd#{q9g{78pBAsz(q&c7)`5Ht0dU54#yu{G=O5D5|yiRg>?YEqj} z8N%SUYUgqp5Bp`>V$yPkaDc&oS7FsgH6zf8yC5#CBu2Fmhm18-CE_zJL@z}AW$((A z;}tfd&4Hq6{9lUnP!NAIJ`NH!r&r3pC7PEn;Cy3c<-HCy8$%h=_K~{j4sSD{4wA&e zYHvwXLPQF_Teq7u8~6iVCF?&=2u=sc+LkAXm%raUJ~pAF-hM|f`LkER?+45eQv|Wv zB~d$Lw_S>HrRoI(*3Yd%rHrSA9KX#0y;Q`c(5ow74PuE`oxb4Q069;!4M^brZMrI} z1yQ881^3X{9U0i23%q}pNVZA(9^!4Vjy?HQNqcXBXMxsqsR)$(8Y;zKX2(na=~gkz zA?vgr!Us0%I27JG4?uQW(|>q**|dXb8b9T1Uu>Eir#?tU39LG^CrjyH7ZMF3!Td$l zLT!9#h}~QFRYs0eFbFCL4E;gC6x_a1e{rZ2$7WF9t(C%O7uhFrb!RE{g+h`If=!8G zBYf?46Dk7(gQ&bb8oAfLvg6t?>o=p$XNs=h+%fOm_noY9dHI}at+TTeXOz{TUiT*+ z85!&Rns~G$zX8>RhHPI@FOkke-pi@7*JTo)RIeQol?o+hGZKS1a2iry_C7(11G-9@ zzcgdlsOCqi6Ls0_?Ckb@tRf1|;-t%TYvaq?H=|?I(jvm{RU?5hNSF_?XQ*N8&H`3L z9|H`0F7PcaE$=(86Wy!ZS9vyC0+*MU2iLJ|H&;33jtV9=60sYKCh2X~9qEIN4%g&s zB);TurbN)UYA0(Jtun-+d<`~OL)k4L-;a~N$As|uuCol-1y>QoP~YE}Ui#1ien_y= 
z0&yOS+ZZC7WYkdpcKh8wfYaEs-czuU;Y)8l6eLx!Gl%NEJh0=-jayN~aC+WwAb?>M zUt0+c!og35^>K1>MaRXx0)w*Vz)(mjF#d9Te?akN8+D8&n5=UQ2K_x>>?Ypd7$*z~ z32E=>XiTxI4++7&JDY4>)VNVO9m#7mmSHnq;d;LFwZF#2Zhv(M6->`V26GANPo1}> z^lF#9`*rs(Z7L@NZ=sX?++P{URmz0l-QE56L6Ji2d9>%t+n5CXs$m4IIMKSu$jJUr zllh&P?tT6V56w~wj)=hDAmOuRc~AM{884}H1WCZ<#TlwYF_;%PTSp}k7;HaWq{lp_ z!cAnOQ_g2Wi-9caSiv;E>U{PyPdoZ@W?2m=0Kyx?j-Rd z4wE({>gf5bh7|*9B*ro8t*JWy=LKMP=rYFF-n1KaxyJ&8zL;c11Y{u%l`J1!L(Ed3 z#6j8^_qm2NB@*xtDDd2yIPTYFM?e%^vxRB!Y2_vuKZ0{Jmzk;G7k!>ZDbOxQ=@Z-w zr&MHs4;7}FZAWW!E7+@^Nom)cL<(%D2WFcd@4ms{W|yy zbyi3)r|fOdm7GMxMk#A5;$D#}&jN!6@{W!U*M)cuL}cf=2tIc@7#NVrIxLy^qK=rD zxCj&$s#3WvV;-i{;`BaxrhEoQX3l`&dX9B6h%;dBW&l`nWVGP>FCrVvdq~9eS@o(_ zyNAGR%$=j&G=aJpEy;T99}ll^W}IhRkU8iL!hIuw15Ak2?$@CQgw-&n9B2oFFk-b; zo3R7b4)**nX?7aCmy-#7M{vRF57=FL#kVZ&sdn`z(pd5h=ewwjy=h@!=pH8L+G2_w z0V0}|9rllbEGbm6rf>=o{V(FQ_)^r^nV-Py(CD^@?|y(;Y|PY&4Ar4ymzQT-)HrLv z3lZ#LQAxcb!qyusl8GXxp6zlYd*C1$E+a{*7uP0J7EZ(gzqip8u(Gm}tCACH?HTHrz04K*B`a+HLoP>Xt%J0=@&#*5*yVfsG;7U@ zXT-wCKM`uLF3+@W#b8qRtdPqV#dnSp7E!({3I1aF(Shl6Pw2A58yEjtT!r*}yPnG=9d%kRmf(;(wMwAM%tQy7Y+=npf{vtVOl)_S zaB~nQVYIYllhP>#wgfm^w8OygS*c;cZ?f9iWXWhbm&!-^v(!Fe4uJ{@Wrw6Grj%*)oqge+wB!t#%LLVT__Vnvp_#aBvJ$k$uZKmkHE2h`%+|ZxS?#>ku&3xR7Q4l= zr6UmG2q-9`{19%hy4=6fuyL=4(!7A&^ zmfotxp~3X-Ow>}u%7cX1+Hsr@5s9P>`=20$2xdRbqwqc!!;+Sq3MUsDGr{!)^FOoR z<4Z~R50zVMh`qt?-~T3o88X;B_cbbvW5tfCUSXaH+Zaz-O4&eCNx6_sn;BaoO~B>w zkvTS;R2j~W^gCQB6JUU>>eJNcLiKer}6(k~^zG@OKgJ<9gq6!-%H%3y2e}+P54Xg7R>uzX*Nk^jhci z@&ge!A0mF_hiU`75P}ZobyI@EApJO7FgTOA<6uX3Q5=HoIeiZc+I~UyQC7j*G)j=V ztd{h*^7lF}rg?zZg*oH3gBlwAH&%AKEoM}P2M%)cTZQdLHVH`p)`ii#k^Kih4E{q~ z>-K+FYQQ_?lhVa-tYjcM4=9o}dF60B^zVmqw!wpBmB{`3BiY}UDFWKU$JAKD@F5uo ziZ<^Tk`rK=kN(3lb9&v89^JlpZ59$og#{k<>3u5a4L4(#YdT6I1L;p`21T`N;w?6k z5Lo>H@+agRzaq>hEGK19ntA9sfY}W4FDCWXf}q!q-!Qcj9umX5YH}fqw7N5G??v?a5zLdf6+ugwr zrAMVo0^iKxu)QOnLkV)kS|NBTAl1AsQ2^f5&+6?s7rX<6o`NWjFtDMD8G_0`GV8)@ zn6S|Tk-YweyJll`!;j`=r;}!*w3oM|(BK#5n44a9k5%DjXt-C;wGz@$`hk4vk*`I6 
z(RHb{bothz88gI?n|<4B*@V~|TM_8jK;7n=ojZm0SGbzppO&tjg$AjIljIhZwugWG zgbn(~Y*ZWl+2I2rm?x3fRoeu3y$?G7h&P}W$nUk5J%>G*sD&|`HCHk>sy;uyd!daY zV}5comWm`Gw);DWLqC=*NA&CSIx}iB>8Fgpk2UvtpXAf#ZSHVUi22!3zorH9|B)lf zSWFsl=1<<_%k1*mYAL?W+hlv2WTX~t&pZ9)iI2B7{Wp2@c;sj!l2_n|O5dj%;hErw zfdfVx8vc_L!u3#TM(X*?ZPjpJOehsA1f|LUPQ}2_Pyn%oUTbU1T-uOblX)ewVRm*_ z{|7gp`7wu`&E!hCn^3>?p>YWyvGG|PCi*BKa)Ki6bA$l=wFhve;Dm33s7jNyKJM>8 z;rBuIuU>74B`J*S-rX6jDr+xbT8QB|Z`*M-7NaQkt^aPx8OZ95ljLUM1>Xzm2Ob=n zAx+>qHlivb7KI76`{0L|?@ts=K(rAkZw(Nhaj8$W);i;Zqmu*g^cIE)9i4H!|8@xO zuT9nWsz);P9T2*w_Uko7J-Al_8ZfT>oIKQl3S&9}wMvq%z2IL;Ee?1b2yh^}5^Pvq zr*UDnhWZtpVBJ)12`R2a{K&%LpQ0`V)3QZ*4NQk!OgK(HjCi6rI-NQ_yqD_kYt5X?zNWiq1wBJ*^_SQq$Wv3MeBlp7cH5xWQ^Disf!l- zb22rWKwf+L-+3J^fLA={R(nf;tx-1V0plE~Io%Yfy1iAD7K~lk z7Gx?&LYr!u@IBdqN+S4n43uMY&ty%}Z0A1Y)iA|AXBa)WT%v zT+4~Hn^|F_Kt^gw6sV8*P`|E`g(-v{jl^m<^0lG6DbUM$$MbBY^{Z-%^<4eIsEZYw zxs%H~-h1O^Lv|fGo$=}h>^$IOH;}!>BV+Tu76o5G`vvw?<2tV-n0#LQ zYyc_;SgKmC2LMm?LF9ihA-J!I6g)6$DRb-x2Vd^G7#S6BA@=XJ*PiWsi;proj`4F{ zOE^->cd!w>+IWaPG+4J&_jxCcS<;k1DzxsiG57Z;B*9k{ef*JMi^;;yRR>cpFitBgOT_$k$6|4&^o_gHY{uL=WXR zi5*?Hd|VsGb*V`8cx%wZuJnCL`>ewnFfJJ9-)cP^RK^>5wbd4KC~00ed4c=v5FQ*G zztg;>nU%G`Ok;7nPf70hwsoILE667O5k4Hv42RWZ?a@u@nNA0ha=nt5tvIEzIf^U=9_&M<)?`b z7V1XfO)cU4Okw&d->sL4xC7%N1|RQtEzpXDPY`qJ$y0BgJ3@(mDW1p(p`-l=HV4JdDq#fd)I<}r{YMN zsviFG{D@DmX5P}%p^v&?8b*Kqm$J?nkrpsdtjOCeV?)<4j9~Ih?K3mTnWMSC9VLUv z@r~PmQK#Tm9C#`iL&Wxh8rv-QP@B~Q5`+eKZd%h}=IIED!cM1_C%7Z)mvDVk_X$MS zbwm2R&yW=Lu2{&=YWWrqH5nEi?!uq|lRg2{ti2k^6k&J&q2%ehM7S(;q%bkQ52veB z9B{mTaqz^R`i!XPk)2KNs}VD^J6xIF1Y2@ zMfpAmQ5S;ecvC%#cE00_6Wloc|s76T{PvZ4Ry-LRoirUg=_)aJ?#*LshX%$S? 
zCm85b)7?}wC(x{Dz5z1r1SGj zKMyg-W*eEw@dE}K1HL_)y+42^<0XU$+e&7ey35&h!WXS|q&ut=E;UksK44D^?qa)} zx<9Z+z1!iY+;}PnCg3GrO$FF;352#6^m(VyAmz-+y={wkDwdK}NzNC&2q~D;tXY!5 zt}1svilXN1PWz_a;DYWwRdWjypP<;K_r=J%&d!&Gi`Ox6p@iz;&O-> zs)vu1S>6^kU|xkp%iRv+!Aas-+AMyZ9Jkoyclq{e=|fiJ8;@6`4IeNwv|C?L<0j!Z z^%R)Q8zUutl{kUI?+F|Z-;U^SK>CF0jH|Yk*smSZT$%1H{_q6dQ9e#O|H+PL!^j_+ zs#i+8ge~Vu^RP9C+H|omC1MJSdT+dEBx1kH1n%Rbz0=XUPPE4BFfA8vs_zTSS;o6T zedOZP%oJboor)Zy?}J-!2ZkRvO$YIr=#Fc&#uA+M)L>o}_7l}5A4pYdk+q)1nLnge z+Nzr5$lF63RJ3HEE@7Z97?7$AIn_^e@F16TB9N7~J?lfe6=D*;lZKaz@L?Gobow*^u!6_$5yjvet6Jorr z)=6j5y=#<(kpMFv9=T#^85|eEE3bY?9=h$mp8UZpMk~(Y{?D+WZT*oSxlicGx++=P zbVL-s+!Z328$lr59{WhxI+|H6JJ^jf^d-*L{RrWWzzZuRnfc6csJcP?*kpA%tUi_N=wbn0nhHWvRrT*CrK(;L~iF8()%KX$){{07MjRullg-2V*i0DtQ6!G3pJMUA7-RqZnhl}sq z$Jj3Bs2Uf%@BTA1M$z-#2QCG@J>H5tCpxc{4^&pOM;5$pR!NP#OV`J}Im0Ns78qzF z)#!E?v^wcYy8bXC#5PjAv}5ROr8}X8F{oJ27#J8HwjE*P;|IJNl@xTEWKT6X5LcFb zJ1j9G218x{PP~3) zx?px|^p{-aFTvQ5N(^P+GSH@Pi#9lc&c{a!-q22JE>F3*i-JJv=Lx4U{0uG3Ff zEX^=A1s(dQ8?ABJ7pLLkTBE3NZWdr$l@-%D# zU^zDaC5N=x;<~yFLmA5Vz;B}Xkn!o#N}~-HbO#PV@=lI7wWkL-13l})nA6YnNL~~1 zrH5;=P1TW4 zhxofR(o-tZe3pbA%mQ*JDFVBDg=;IsB;u z3gDU(Fi2iGJ^26}>eb<+z?DkvIk|TLf`aav`P8=Hh)8rKM|THGd}TIokW*oWYx7}% zOQ%3;Kb)H)cb__Y%5Ium1D(kCYQj0iU|PqyhRnzNkl5RE4t?TmNJF@T{RLHP{?2W< zKk)bRX~H-={0zV_1>3V-*=NwjS>EvYf#x64g4tPGzeyH2Fr+nz|y6xmt!l zoj?o1uiA+cIc6gg15|Jg__;SIbzM6l{Zl*PHLwfqb+4C3f8DRBAukSJsaU=XV z(R%vk)Q8BqnTWP6p1Hr`lbgte4R0Ft#CiJo&gl`G;l&hBmQVAitLA|bp)lEyc)hs= z{Q1nSS`YgjW&Y8{%u;GhDG*g$oxisNvY(;D^KC>I*rV1w(X>D zhGQBJ>U20s0L|4o%@lKDjK5!vv%PA9Q)R?R{BN}#s*z71A1@6SRIUwWnG#IFgsKFU zJpU?Br`B6D2T;- z557*t)^Hdt+&_0WL~!TzXqPg-__XFBuXRCBKYb`{oMp1z;$Oe)*l+Xn!e>J+yxg|W zs`m84bzP(!({7r-hdHU-{>ojja-CSd&Wm0p<~#f8T4t_t9zA*Ota8*&XR^ze^V=Ms z7M?0Uc{VvUNLQhj02hvY~yYzs5Vnt7oKcBnm zK9d|_;R@B)9}`^nQ#`cu*zGRZ;m}q3ninM+vaJGE?{Ti3*vVum#5+#7St?RdNU5<- zmSN%YE3i;)WduacY|6b@_L}ZzWx5#V`mywl$JEDYVZ3!c3{ws zOWX6((!NA7i=o>W=^E{vjWKSa#Wde-cK_vZ(n3d)I{;dveoZT-4Kyi<^}{+xEsn=}C_Y zoAakdqKI8QS8=OrET&guyH^E@?+ 
z?rLM902CjEjN;d12k+pX$Fx}6ccGP}y-^_wlI~xv3IwBXY9%*7T|~|UUrRz1&;~17 z*YA4TCs^lX{p{k@I^BO47j0-&Nyb9Y0(5o555%rzddztQ%rY=p{YYpn;uf|WV`1gA zUe3DvT&z6od7oLGl*Y%*gWb;3H$z@;zbe%)l8rmVyZbm0PHpjy40-o#QixfGL>UMW zUFA=!)HWE8bB14;-=8(XZJD-k=%wW4C#cl_j_+0Msk=cRms%$Y=i0F|QM2YMEdE)L zyz@3Zb6Z67NT1*wE`_&0m0j9*tZThp>sbsoJ1+=Q#5z9jqu&AxQTvyWesd~E3R19S zc%3Pg23mMgzM#n(S&idgqmhBnmWHE|zOjGRBxk|77L>-k)0D!|`ieV3Y1U@4-CkjSr2t1Z{mqkcViJ$>DwFdD^-#fkgpfW}*K?D{y&BEq5zqM_yW0)!tlJJX z`()L1e)X;#9W1o+?CAg+%kdr;hko=?dhpO_qs>XtLdkUHl2>31y1a!4wd2e8S zAC7+ZNi-m5^|)Oa454!D45MKt$v=kft^EUqkl_9BO}@^q88yr9*X~p;eQWAE6O(V$ zlMnU1miWq7i@9lyK@H#)A4?Mq0e3k7x*S32cQhpn*7jsSesU8h%GzutHxH@H^adw$ zQ}DK<7^M<*&$qAjD8^4Wjg1f)_}2nn^hq6d#NNZh$yaU65b`)i4kVZ&yktp(uCSQp zg>JaG17MS@;`I#|e_d(v7KDvYjR`q&dQHHF-@1q9ssd1hXA4sxP~eoaoX^t2H_vb? zydy#`7lh&Ts9Ra=&Mb8!DR4f~pmFe^o1byEn^WpVbqD z-Jh%$0D`qon!SV;3WvjSTqO$K)YZYgAN5Fo+*R<+D!a8g)l**9oi)J@iTZ!(0g3n! zF?*1Xe*u@)o+d~bIMZ7BssE2sBu$a`*|##fO@sOg&88Gp?dzHk{iIs79zdl)+G7QK zkp9edZn^*I&N@t8N4S^|34(C)<~K80Hk**1LZu!O#^%l}C{6bIi(Jcs<=*PZsPjrm4-m$u42%Sh`3$?hPKi{^On4o-G%TJc(1g?;rVkZez_y4=Tfkg>_I3YjkZ1-y8r-AQeVC)sS z#KJ10s3TfdU)7ENa#9*5Va6}YRaI(O?AKSls5!F~KOuy22`OBH#Fs$aL<&p@M9t;L z3Zj?O(@hmGgq{Ue#xurHmapnXz5(y>$PT3?o*9P8$Nu|@m>EqiWKQNgvD>I;gh{zEE4a2(kDI(AyGESX!_i8wrIHk$y7IW}9#rx8)vHir;I?oIkuSp4C7;0U z4tY-+t~G8$z0djtBU7ss8!NVsN|13p>;+oNy>XO7@SAyq;%^W4Ygur1bqa89mvbfI z-!~uLG?JOB#Em{02rp^Ga(T?wapB(aCxf8l+cY`ueaKKYU32@8OGfgYs%ljy_6v;Vyr7UHvm5pyGy3#V6i^>t zC}QXP^lZeW1rviLawPo>JH&Nf>_@sKCN?d~p;gm&DZJWr@&L{vd-H0*yy8X$E(HA$D)qARie+}*Y6%SzIFQE z;GOd+)b8NEampl>5C*0p+Mk@$6x`<0=54~*^Y6kCV5C-`K$MBSsYUM@2Z9?jeHA@E zAogY9+Nbw#IwaP<%0;mZE>fXkXk2%$F^H1+z)!0h^@`065yW{=k!OA_bM47^7BnlV z#4-#=`oN}Dc9&*Z>rsbRd>yQr$S&OYIo)o+g$k;R=%Y4fk#qTCvj{M3y>jnw7ggEz z5YD*1e%dVcqBSO&5S+vAd>x6xa6sp*f?JHiyUm-wH^_z2Pc3p}3M5HUjAA^K?oEYz zxO{mlD?gp$^Yfc-?VdBqoM%$;ic-euQP}ZHncWo=8IHf+apw>X4mgZ}8)I^3Ous_@q#rRy@>{_u{R6$W%JgUHbvP#`N%`eS$pTaN=h4r^Qz zu?8QR|A^X>>iw$t#o19qDJg66WY`^vU_qWdwF&@Vm<}zhj5X@+EbB>~D|* 
z3gfe;M2e$?{p;3Ev&V?LFJ2!=2dSi2laA~vx9~KO&Nk8$A2oaLX1Ek&nP5-vXtn51 zs0*Ic+MSRF%jO}RB{gSoOP`erc^ln%F;)I>dABTo1E~AHeYQ7Qe|NDum&|E~0B1ThJ} zx5ITknDTXc>`Pn$7wV03%I`y{blq28*bYlk`;2y~IWLqpXB2OYMqk)sjz*pWfc=to zN{ARl7FG^=A-d>AYL$Y0W|W0fHc8bJy#8*`kOCxsqd;h>`5bd;)ChZ&@+D`I8J1M( zn{Z!qD9cF_FJJ;9Zii&hhIoB*oZ+&EMcof%Rf%^k_=!mKW^#%|YNaHdLe-QR+!D#$ zi~a-;KX16LoVeYn!}=D{9eSlT&Cgerhz=Y)zOt~e;K3ds?FQFA1u7;dRZjT7Id+|3 zccA^K=cxPzcfoUz;^w%<**c+%9z~0u7sc*KAHL%J!BS|EGdYe&AD-fa?kf{y(C9N7 zrVYojLn+Q|ahPp}fjhFx0k$+BF=+@WCr!=GsTmoOfoQfZzqmeh+UJVw;`E@ICQ8s> zIa}Iq?2dr5{3lXDS9a}+XN*%ou1XO}E)=R?=RPwRB_a*}>JE^IW&kPNGSJ)ApDdDw zlk#E2GpUJ#f7so2O+EMfWr|9_Mo}2NpP2aK^V_Xe4uLBM8hWefXs}SgnMS!8Dj3KO z)$aq@m*D`NCWiXVH}VkoEShI$xI}g}tUJq~xWkQMw6tyQTzP>hb7IaQNR1bUS(FVc z0-S!srCLids6=2;evI45SlpX#k*I1 zpgwUt@!~R8y8_;{-c#sx`WkN0E8Ak~_l;@{Vf#$Nq7(5))IQC3i=LXgqZrTDZH1cu z7}$gpx+wX?{C?By;b-eC4bC+nyCi5CA~f*ylL{k1{@y_>bO3aP#z&izu0S&R{B++^ z*S;117%bHGb~EPO`Ci{w@aKC-9~Fg9Bx@Dk3NntJ197wegm$GZ*+=!lP#`3wq@%m( zb#~|!VG}QepXUVKYyov!hYoK3bR&X;`jT5~Bv8ScseA|&MML_CFV;3mYFA6;jqId< zH1PscI`R%k=eH0=H3l-VhdE&PU<1ZOfqS1h1G%OuihRV#6O;IN2(!0!ZL zUhqdv{EA7^9Lc>$=J>k+)pH0 z=t4N%Cd>NrHnN@pwjxuv_Y%fvOfH6` z0N9`HY4lxZZuZj)36Y6h?Bhbp;ZINd#cN#-*R^!r7UGG7+__`5RJ4yKA7JTl$58{8 zMwZ)+<$o08BXCd#cWYNWGA08t`iFGyF*-+k&M>6hg|5V~WPH3(gBoX>sGIe>oy<+2 z*Qe@gMgqp4@d}=;!x#+e1vhK9g!>P>lepe+nB1y(_5*%Z(ezF6TB3nBP|F zp^IZ&#MJG1cZ*JiKGF}uzxmTc;U#5?I>?eMGTtAlafLl(qRwB&;dvzNbL+6+3Hb|J zM;}~{gL{}(`kROhPQxL0$azqJR+WJ^GyoRwam(U`qIKrm&rZdD`k9|+Ne;wS1Ckpt z&AMc!`s^Av10U=)M4%UwY7rbWC8@uf#|r=y1m}u`jwf3^S#J@4{8`B38${~zC5u| zEz;E*722O0N9UUW6}vYWPbe#%GDy7!X;??&r94Ah8R$V*|3PFQh6EM!9=ta5 z)+^sA#MaRdR2H3pzU$9*ZVRZH{zCQ$I}>RGaI z3fk3d@WwG~V8G0KaN6jJ^YA(je!j%a0toRes;QJ$Sm5s zE)#l6pF=q_Tw2tSXRFbB7r{uNc$((OJOZ@Mf` zkG4OZ8@H!)={K!ZvUHZ=V&J%Xv;D&8&MvRKLr3gLfynMXkfG4@u+t!9X!N}W7yAWD zXSg~hoEi6SeG`+k8nPN2G>LGVuA}ibW%O3wIcyP_CYXM5(!eTtnXFYphN5hLu&miK zXyZTHRTH)^b!vatqwQtM##!O3JG~S}=TxwE>5MIpGQ#DWR4a2b5pP{jgMn$hejqrI 
zQj~p%R0NzWHW2gAeuW)Pd0>K;j>r;`r|Tf(Onmc@ri~R1#n5CR061L#LDT;3XxfJ&Zj;Zn9ZNo4m<%`xN7gbH zPHW&GfX2J@EBPKWTC}{RYXlL8IF>#ha)s-Tu`+415U2Io;fA<^ELFzfL#A!nTdRY4 zPi|^S-C~W_SCx3Fg8WpTx@lQMTlT{p?x(LQTRv(OM@j@?AU8ehO?{B%%7ULrr?o<; zqivCRPw(5iN4WD|BKU680;_&;&(Rn-*Xq$m#wB_CizkqU=xM6mw-qy)oNg~HQCm9@ zjw(JN&m=!;xQz{R!m7t#>xL)|0VCwRVI8cuSFO`iAZp1XbM_|rarB@KoI-;vV<}z; z@$r2ycE)$(n0MY&q-{v#D)h1)Y$fc5=S=;W{l&qk_r-zLp)-+1L}UnDT^7m}{#8^2 z{+3%U1?k$4Kw-9LOH+K|S%Id@**X=5Q!gOYf<4F(=`t_&RurNT>#I z&)cO2O-LEJyFOI?bc{{E=$}wRHc9uLC`^X+YbB}wsN9Lno7c~<&~F=Y%1PvuJPh}R z1Bq7G4cRjPV33PgYSGK{V1(lcdvK zhU5;no3iFMqa|Y95`;tJ?zUS8KwTx zCR=nN(%kCd$(k=YN;7WJDi5d`gKMu&#;xVEMg@5B1S*h_LMgv@9Xed~rPeGZOx8>| z^a^n;r5*|Pc{y*@S(w+mHT>Y>YDhbg&MG$3Pr}!`iok!UVUt#(Xw_LwhnM)M|7ZU& zq7dDs`uU!wLVxwa_wDVRyrXsdYSm2_=V2)@x*GAE(!3{)p3Y7oHa9fdEKEs#okbu} zeehJEW8bU)i(bwea#UyF+O1EmQ=P1Joeke{U<3~@m`7T=?0$Gja9ci!`ejzS&yAH)r)d@XJ12xSE>T4smVxY;ODB!1TeS zbWxGKhY)PaA;${S_^JzBdQ-$Bz4F|eBX)Ik`O$NqM7H$V@2PjL;CXe7eAB z#vPSLDTHzVZn487+9uxSo=X2&zW0xI%r(q^tO)2>;-BdkcCQ}B%9vdkj2Cxz-mAlL zXZHCh$~fwerZr>1=aIbHSVxbJ@|d{Y&LR{ybM84Ql2>#^c% zLd0Df-#76Td@5C754y}U9+)O}-JsU$R*}lJaUs-q&7`Bvi&tQ}f7XmC@+?G&sUo3z za99XGMb>6++#=npppP>|i%B>h@1p!GSjpX#^LOo~ieb0Ggy!-Qw`^&NSV68Rhtg5fR`l{CI zfdU>1UDMVPZ4RyiJ#*W!=erscxrBVKzUu>O3u|uk+!ZSA8La1`HC%t1eOEJwbsw3c zLyq=uW#>1_+kL7WgZCXh6MA@`Z9GLS0PhDp4DPtEo<)udQ>Z*#-hDTQaeaR?-+w3N z)fL_uzrZBDp@zF-XBm99o1DkXZqsh`hKY!(+Nnk=7#S924y__HF+P*yXbGc9EQ0W9G2_@jA@H>n4i&QOsTj zH^w`IeW6+srTlRZ`EcC?P2Yng)S;*b(m8kW-&0^d{tr-mHRqbNxr7H<`KTnh`ueU``HxFv7>66PNzf&W#FYB>FG~4y%5Ox*AF-NgSxzerb(uGfQ%!mohPPe{dL^s9< z>tVC~!!JC+J+UwLw9?G}=^_`55d%9fw@my{RirpF6)|=wYq&I|vOb+Sv!xLF6!k5} z30^fHV&a!P=<8RPUx5r+(d@+Lni}f!%~?Fa>-X7iKH)sI*6watVfrq#TRNV-v&1^> zUMr!_aLW7z){1XV<9Gw_ z+ZC#f`FX>47ILpF_FDY7JL2DUX=L_i{|qzQx4)d~dz@+MR8kzf_D88r&G^zH8Y9Sp#9Hch6_@^k1m~geuCZqi{nVc6oNmsGIYC0n^U~a; zfE1r=Ibip;zIEcRb=s~qMPf4HBSA`pw1w5)+k(&Jve+{vj=p+A^oJkDgOg^X%%t=6 z?s!$rLgjE`yr#4mTV%*a;cR^2W@7Q4o=ZpV{m5d>{cXO!{kevnOSGEtrAZqjUE(8O 
zwn|l<6!mY<#(&}=U=N4K4j-~FqTY8E^$7;G7MbuTw3*143w9UHMG2oL@_8`j>wKg+ zz*W$Kftjz!c$P1_EaqQP;MptDV`${T{V2^Y=b>b7Zd7r*!jCxJ4x_(q2V5w1OKH7b zGg7>{WdXBWHeI|$R<$ABr_Pu4E$rH30Le0P2m`m^6kE{_DxIxZCaG@mfijoq z{%jW+*ZWG@4>lYf5<+hCC8B%gU9MWZDexLO933w5f1B4Iu4jPfs_leBloI-`Hf(+E z;x4Vcc_J_VX=&4;7q?rEI6M*NIr3)~U9id1!rB$%OYm;%>xSjEjgLgP1+g!>#GdyYbM;d>0aQ? z7uoSFTJEQPxPrAN7+18|avdMAU_52}2REqdxt4c9TU zMp$izYQH*J8v1<{1xcPqs_#QV9_>jz6}O{sCA*4&!!O=&j7e>yR>Y>bYPICzc+vOy zoS%ehX+^25R-J|Z7d_b?zWi2VaUT6`x?QN`b64eCRbR8(nPl<>k(bEwh8+VFn{_*6 zY)*}1!u^??S5oSACRZ0JS_)&#(cuEKkG{QgarN5zATj$~M-x>L%YvBVE{RFkkWi0^ zh^#0%+-s81uI4gL-aO30A2T@6?R?qCY-;K=kb zCpP3-#XoVX<9R4O4OO+^VDhR2d9N^~E5s}!(P!}wz~TSg!y{236i_u2>J<*?)wgg| zDKVuN4|HFeBQ*&dx=`nG7lKE>->pOC(&Ey9Ihzcd2D|Xb86S;Bv`6(Knh%W~ttO8_)-Jea?_FKagt*bjME1rajzrQAIh336EvSqo|=+Wz-?YZxdnAzZ()4;Jx*8MD~ zbFs^ zrQ+gOhKq#eu8S{ut@4qfwu(bvJL56=`N}1)=VD*Oq|%f-WfF zQvFu@`4NdFpr5#k%mX#>rZ+c7hDR2U@vB~OF?jfW-`$^O)lvm}uW>BTe!)jc4%QmC zE|bp~!;jxm z8v0jCSyfACOp|wWV96C8FX%j0>=(oz=)UPD@xnLcSn?yQnA?|nku+#gs*}BQFct@U zFp|qK%3WLTZFc>E{({%r7v*1S@sYV4b7<3I#=`wKD}A+Af!FJu)yFgDCO9IgrmBng@~;0%Zb&SrxZw8`0?*^Oo!r6C!xJ zeAtgfWL1d1%7c=Q!8Y3|9h7v|N@NvjYuuKLTMiAnLk$N>%hHvpdLU~JbgBcs4!&%` zW%&^{S^P1tzR@!NtkgG`oexe_RP~Z)u3p1u2!j{%PhDL^`JkSB(qWEOSk4Ghe3)JD z=+Eh3fF7=H{<`wGHOLL+Amgb!bTnw1jM@`<*TsO18>%A7KAg3i-mHvDzsfsvliA9( zujI^lO6R03f!(C1wsgbFFm6I_SF_&Nb?p|lcWY3e#rEc@xQOKJ$E6HM+wCwcv?)fb z*`B8fq(nl%8?JdzJ*#E05_=dDkLZ)5mc7AZ@M?hfoGT8C2vzRM87!Z9rV`tCCN^jH zEyX9k`I^KbCDqK>@>RzpUUFqA=LsQ}s~u7VjieQa^cO2euVcE>H4{u{bo609Lauq2 zL`$p8trXd~$inX*jBJG3B8G0NV#`--sJBR3iX;t7hES27pH$mfh@b4?N zTf}EKE#LJ}OxIn;u~7Ri>hedv&o2U>KIt{Y&oOs(68o21w_&Z*s!nLjGwK5zc}+fZ z_=xoL7cb3cNm1gm|6q`| zmhe@^>l^y=OO_L-L4l>}pNLK*=dSRgyRNLV8F@-sys!8|JQ|g$ zyfmtqE|O7>^k*z~wZnLpondCE%aRA2v*T3}jqy9aChVfLj>F>1_r0wsxS>T?GQp>L zx4aW-8BMsWBS_gY7w+!E>k2gm2OGP$;N%PZrw_ky)|9g{ydwsHDn2q2bDndZ`W-FJ z+{veS=CIGki#=!7ehklxf&ljw9@4>;@04~g4QKK;sH9lt%9&uYDjyVP+ol>KCi~RM zS4K5A8>Zd zShV_$$`vm6sHzx^YDlTEIx=W9`s%FX_S#JNF0~XrK3#d}OZYSS#S6pksWe{4o_*A^ 
zbWv*VqoIf=>Vp1H42~W%wY@msv&5-0Y;Z|HHM)tDg1~`H7V8|zx^sg$AZeB;^9G!~ z*beVYQQM(f!+!ew>>w?F%=D1ej>Zw6V7>e6B?_%v%0ov)`cJy++MBg5=!BYdyjd?f zrVqU>owdrj)FMsW?lyi*Oja9`tn60BjiTvEh|=0ckJ0D8G+At3s4Dj2&*ijco4FKi z+Lz`I+m87)JQ?AwxYX53DwB9dYeSP^Ki+3^8(F>-Q_@$bs>~Fj)VUrhd=A&yb!udO z+9-SKTLXzH{mCSG*`KIxw3t|lkW z+AIrR@l!DpoAjBo42M(EjGIfO4BbopGTq9&sAqD;+ez-(ljhSkCVWTUYxk&yo@s|{ za&Z$;Rq-Capl~g(XXo-xTeqfuId<`6*4FEg-41~Uyl!x*w>!I1v#O|GqD)Y=3fHA&!CE^# z5hYMj`&3LRE0V#zRUadf!4&Ioe!9I%M74j+Kk@!d+iyNPn_C!^G|MqlHu#X>$lEf- z=SPRj!dR8UtqXYxDpWO{{8PPGGkuIWv_Hx>x_@z5XxJ#p7>*{`0Hti->It5J00sb) zJ0I=vE2#y#lXcR0;?H;Cy``3u%3sp==UrcIG^FhDmUfWM>>}4H?J8&HOhl0z zmPg_i%vwfu%-jl7GOl7zgWX(L8ie(26kWi~7K(Z973TH0XRi&~VHVP<*G`(N*QqDu zOpsOB=dqUR*MqS*VD{h~C?{CcXWTUEFZ|aO)st??0^T@|0+SygT!l$-eV`#Xh zgVJc_YMt2wmIM8;vDA{Xy!f?;;_d>O#7-FJbF`V!SvPscTX>+Bxl0IYbZdtPVr>Y)xkJvo6MZjt@CApT4#9ux! z{JsM>9~uqTK5{lkz`B8*1yX^P{}TWIr5y_KWYFaJYxF zTNTPAC0rAaFmQAry=f4=&r>-rU=JydFlp7PVEL&15`N(eKl^C_%szPGwk z_CBcKkJ+v2VAdwa1T(yn=*S!Qh%czF2*qb3Hs-Y(XF9b9e4h<8;5a}^i1{w#sU$M# zU36*VGArt|DL3t^#86y&Exmv`jm%EzbzZOPegne^KbN}7BKTETev^wexvtS>N=x+8 zX32xfb$z{WIR)_uzts?YR){VH*;(L0M3Ag3*v840SijO!=4hb{;&ApW3HXnN9?j)g zY2PhztTdPdhrO_%eT0pARXs2trkY*3`e4Uu$a6D}b1BzX<(@HC+#@bQ_go_2S?Q04 zq&M!g7TJ;{Q$%|Xj_ehvCU%ENL?@tU9aR&3OJb%Aw941aWKdaMlYM*BrHGZxQ>t2n zR~MXc{)qPsr{Oyr;7eNrJq^k<(ywaz_v;uQ8l@(=7E=hRqDmhF%-va7Bo*pb6i{92 zQj`&6YOd~cJo)MM$%2&MKzIpjeP%$mgOVVfR2G|Mb6GARv`Jd@8;$I@!m=h6u%nD7 zP+9siS`A7Gn=EE#kb#4l&r{7Va;)O1lcE&rZUo^U{__{r*jnB`!{=JcYsCg$28lobdX76I=4E-T}+#(YO^s(zR+g`&Ocf~g&Who<;Uq-YRnPa#l<=Gg)rZH zwsc6PD8fV|aSr3y)pnG|`*HW2js7E7nOntJL&hq8Q`#fx+IfD3hJ6mZcI%K)Y_Kik*nZ~!k3bU z$)TMwS-p>`&9!Q|GOQmCKPW(qAm?*#2!T>rsV9g(K2CbDd^cl2=Ysby!of`cqKmR> z`Lf~W-gKaZiWb6b!E@0+d!buY!7x>Pg6~uEW!U(tMBk4uL4DhuFZxDb${C`YGD(YB zxul*x0g>nXWmMs8sT6XR}pe~SqT7F zD}2p(ilCtbm-q{8r6>n_Hi|fvJM`IvRB3*QspYuHU9n5=3mm=_UFwMRPq}A{Eiw&l zYbnxm&vg)57PpO3(61k3=NeggBTXf+*0}dkRH>74Om*RXw|B0Yx4U3fpyWl;b*!OCG{gU-iy=%qyf z!n3{2j7N-iO%G8;^=@I6LnYlF{>*bQo~Dd;z`(Z#oG*wk7N?guy>- 
zC#Qjv?wk~87m05vO5w0lTDd5s^ZDoK!}^2`+6)|ghU#Iq)5kQAmO|4|6LySmNOz4p zCd13%V`-+sVxqNc$~~<_t_A8h9@EB>0+hl8?Iu4+^eOxH{IWjwiLB&Eu84c z^($>D;G4SQ==-ViClW5@J5^02!EF)rY*i*r#)`*OgDWq094n& z+{Hbw*M3SL!osUXR42yVRqfv0vf15jNRS-ZdS6J@*=DVWE&8PQ^MIr%F|!2N-Q@aY zOOi7mEV`&1oG|JntAp~d3~DVeP9>Q6{GNQX5pdK=Tu!A1aMa=9>%Ul_8JiI2wH~uy zqNP<&f_n5+njcfbl~5^WZNn5Ayv9YMD#1cS*#49lr-mbgP@(huMa=N_05WPy?Ftuf z)e`2Fog?)%&+t#HdTKmIdKDITk>7m>iB*aWuhM27_)1#Aa0d&Gz#ryQhwq45keQ=P z$7dxh7HWLv1y@cjL5iV`yVNP!W-@>Tx3`s+DIo&G3Rw9N)M=XekqyCfX;lPV--J!j zwV)$`lX-Egx|>zNZpI@2rj9jz6rZO~R^(Jv>E{A*oHpl@K5w_9=96T-ESMFF17@{x z<9=MiPijuP?-JZ>ONUJ!%3UGLmcG^Y5u;W~;Mcz0R`M1(YE))5%8(&X%o{29)&hluz&t4qY9+_54Lm}18Qfm>s3RYwHI27?4@8wKV9SnU= z#r8G6n@xq!!v!ksQH7P2=}E3XSUK})_`sU$zIQAv6tom@S)g}F}sRrd$0lSa^DPfkUWu@d5yL#Q_V;|Jz?Ao#AdZihs&Dhy| z3lJMpD;iRgo8p{TUZp2QU*=FPrQ<8ETGD}ewCV{-ko%@&`f4;PcHLfP;~1m}x@Lv2=)$1Wx0&!(Iytgj08gFXS6|Cql#C-nS& ziEbYw2%}SCEZ7_nMf1ML8qB7CCuH5kp-!)WmZDJ(Yo&>JVu8Y`kBLe)N8t4Ayac+3 zGQ8-$k`p%b(J1%K^mDy#XH7Mn+9R- zy`i%)Z88>VIP|9$z6RpZ#lMATk6+JDO>CW>>Um|DA9sR-yROZj5{T|~S_|oeU|?SE z%bhKpAdqqi*ELIlV%F69MWr*lS<>Gwz38+WNYKt!KC?Q5e%4A;FZklxW;1hdG|Uxy zXIo89to3+Z0So>4DX!%LyV+u#il_?{S`pso6Yyo~ z^eN2@)AjMT4|6A(KMq-qT;HO%DW1A|&a5G`OdN4Kjbm{(Hxe1*heIFPW2SJKJuXJS zJ8w^^*QqCX!*TCG-NbEAFIw3M$_lZzf9CIEkR;xGQ59HPOV(a*!A6~jy_r(&Hk#pn z<;CCzilr+|Q@QpKl2wdnE1QxM zT>vH4kL}TKDa=4Nj{YMX-*>QOKRLJC#@g+}Y4tvXGnKwcY^E!>udf;fM>ZEey~ABm zfM`9!I0&h2ws$n~#FaWq4jG!DeEgk;Ck3Z9Ni09MzQ`^*QlfU53>sQpr14sKSpGdY z6)}@~;pUZ_qce47@X;l>m^t=H`Wh=CjH zS@>D`mbcW1RW-LN9Im{T=(57ga#Su$d1#xEu*twF&*yQ6a^E%q)zjOZ5%1bF#X~#k z!+I>MPZN{0I0XW#50x9<3suf~sWH&cg^*~5yn)}r*ol`jQAigQAcxiu< zfk`zT_c>LWxSog1qN`4MCuRlX@Wyy)9rs*9X?=IL zuiOuzQC7`$Ui>!Kc`F2ZMf2j3bUD&)eEvNCF0cEI5Kbxp4xkrMCAdhV0FX=WXTgP~ z$4RqTn?F4{Cl76i0t|zm&)+gEcZWG_LZ=^dxIn#zg8N2mo5TJTL(7+8BlV@?U#ZId zzMtqT|DIakSE%6TNpU)p#pJvkwp=a+kg57yrI)-}Q)jCENwg$>lPS8So=aJ-F&u>A z905s+OV=Jj{T7D@f0|XGln0KsW4L4~m0&(}Hs9O!Rz1^I0ac`sv76B$K_5(%C#KZl zhQ=aQ)6%OzS22ZfczXM)v#~6`;5Sk{zabv7jg)Ilo70a1P7wSwI{!KNy3L)oEUfj- 
z(SZDF5wQEwUY!Sm_+XM_^aQAC{n&E>wn>)S*xdhei5d?) z8~;I8yPhl-clk!E9Qe%<(h7oUr6&CoKyN(#FTL@h4mkH=Q9~Y*{3N}-uh>^9x>Zxu zeOq~v<^nHq^;|V0I?_!p`Zk6Kh_?PqLg1?dp&3t-P+w1jalLi>3#<8Xa z?rQ=ZMBWbblpWN8f}ONX)xn_3od?C>->O{st5$=O0`j(*N>V#7hcjj{MN>cOY1`W_ zWT0yK(;NkKPwCRTRl7(R?X}eP?f*LNVzk!e|xz0;#Q90ff}# zmCRm)&?HRH;IEm5(m1H>;V+KgxEAr7xTBSevkJ*8&dZFk#tV-2F^t@>s6wDLSm5kwOLt_H(P`{qPJS|NE# z!-RK0L z^(X;=mIt)(auT{cQG~|1UdQa5Jx5D031*paXi<#oO+fq_bDrDbJuhuLpTD!4ZkWnkRnUN76rQAv_O*n|i0<7(ep?ZsP74XOsa#14lTF z#{R>~hJ{J4gL=$5xe;J;H_OkljvDVQ_K$ZwAf` zG@dbyjw=K!z_=gTqaf2J)28iPEB_WkkLkvcIQ%wNuvBilHwz4J6v3Gnh40;5Zas;A z8p=A&BsP7&l)OrO9V8MguJU>AXG=(MtU3+Y%f6b%`|M`R)%!2c38!vBp^gg@0^EGhr!?AII02z^uguz%<5vPY=B}H1%i&(KP0q}B+NoHI0XC#vn1!pG;VfI+F$r0UzyAMW~O{nc)L|K1O<8)z=> z^is)PPyXN74Ri*9kV^CT014H1@qY`2i>c-R2hU-r5!=nl?UY-YhS zxv~WRaRp5%2dLJ82CIi%Bs`roi39%!ju4@9sdc??C_8zM4TwL1_O;jaZ|nDQhLdgJ#_{x(~$S% zxAXB~t?TdeCg2A`^1ERW8PHdj9tMH4X{6aJw1kpccT1Vl^r}m%y(ThHWCEj0ooz|)}@NghxGKr)zY~H5fNd# z4J#m4OVg9=wU}CYK#iNS9LYF(tBFFPl(JgmHxCQDmdR-^!Q@U<2_^5;|DL?B2z1w< z`XV1G9`<+T928V|{MpJu&~W9&zEf&dRUlFIg=9R62Yo5`A$lMHtqF+%Pl|7N@kXSD z=Ui`)zU66w!gx1|`V<`&exPT0%83~ufH2*iIdF==6kLvrxISx-1{F`mscFk(mph=? zCQ3;Kq5it@qxs0HABUi4c?U{AB5!JpubSF+EyR&zh0)5yDY&C*IKuehlaAR$iGoDn zr%!n}%8UR8j5AYb`25CA&(Iw;k5L|B;UMq;YCoa|3d#KqVf=s8e7o3W=J_-h=TVz7 zVEaEe#`(Xoi!#77Ni)05BLBT&rK7{Sz&FhPK? 
z3(&CFA7ZIC^nRU~QjGP-_6&1_cjR(e=({MT^Y~=DyoPcmzea823+G=m5PSe(C^mE3 zHW5-%Pmv3BQ_I9d9BD)%WF$u;+s>ae(0sb(X=bSjw;+;c>s|ZHTTxx*Y;20mt!u_#dTE^fcxwI8_pJv4gheG)3N zgk{4d1faviWVayKU&&L>Li$Am=RMgDu)1LEmmF9kU{yVT3&^OnqQV=7{kiUsTf1Id zz6i@|z2P!MZ@e$mPp|W#wKhi24>%TXhH_5#U-ap9tG4^UIz@p=m{R<|-7%>sb^aoc zU?`qH!`$}GM7EzswH6hN1+BL10eNe+^UoHm49=w1>mM@;p8Z zh~yxSOXyz5;J5EfVA{Xu81UwVN<>HmgJf@k1Wrxn6hsB-!7rBop;igUyRQ2@QX~xs z5CiMSt_7R%5JP|)WoAg{b_&Q0usf0q>t4WEbFzO)j(2GZ8S(G|O2{@TrgosfpOv({ zVjv*B10d=C>03Y`bDlf(4=!^KEr&;Nh4`g&EKIIRk+uUB@SC!U3ubl>u8&{9w+2_I zt+7<8f~D3G3P#%l{StRgI6)coIOg5hm*#c|Be6`fYGMz4o_CY)@|t`-Fe-s=l721> zeu#85pr-?yeY1uswR;5Es_)+@%b&}er$WUVdlAG3Xg=H_uRcUcyPJ@wx|yB<<9|FK z#RxJv_S`=!r(X`9EFXZ1{D-k10l6}{XS?Q{`D+;vfjj+$yCvDVHTl3Vi4 z)Zl9CeWew0P%7~SVp(WSPJ~ISokNg=MD{wpv({7k4f8`HQk@TUX5Y#m`>9fS9-#|= z_oUGNW3=egp}^`7d={2c7_Al_X8tt~M*g|{$JV{4{4VgDO_<1f|877H6tOtR)HlvV zSAm@>Pq08>@GuBy5Pua=f4k%y>D}3^zgy~fKnFP|bchTx_^t_Varo2dbJ5(FRV+s1 zup;|-*645HL5NS3BoBB5o!NG4+%f6f##xT$O?z*T|9 z#}i%DGP#8;>&eDaJqM%@0B->}r(LH2IJqk0ddIC{Jmw2J^2v_@D|fIicgWCu*+ECp zk|5MhRm<~ys!wsUX?F2=EDZSK)Mm)+8^}56%yw(p!{EE)xql^x=6^2V_f481F##~J zz`Q!;41kTSVt>r)B^^Noo;l@8GZ8qh596Qz!RCIsWULsW!Rz~fw-m%pZ>R1=`HwN8 z_rS0aTIPWAMxp1n#KZi5f`4bc>&9Ntk=KAA?v=&UxV3gV5D!z4pr3WBMEgA*f%rTR4y+ z5@qLNpOoM$(C35*630KfQ=6_L4<7h~7lhep2Ub;0+KaG=S@Y+40wM z!+1B%o*d{2#uNDOkk|pYAbOk*%DGQQvfnp`A?NOz(9aGCPzHakhPxGplmjT}^EXoV zxP5rw669f|fasij6FE5~_ZzR7=7c7zX;lCVp+o{>0T2K|{ntL@|Gbpxs)g47yb8QW z_phA#zl9EPoWP?GD2ti(34Sxf#SR~K{ho(1glT}0Ik!a*@R5NY8F`0f`A6Y^j&}oh z*zakRs?_M%K=x~7112{bwh=P^EuZlq-v>WpB85n$#c@KD7R|#aOngl!q9G~jV7z71 z|6ce~Hl&mB;nf{vvRMzs zjH(l;ojKM-|8`{#`CVy?0_&IDdBBX17U7wLkpRp?nE-9Eb_UuNyZ7m_v8xl`yH)BMDgt++_*3z3 z?Ii(^j!vgy?f2Y1-I+Sj`k%M*XC6~l7Kpw)QsbOeS0L0^f4hR{`%uJGl?sLjUMa`d z|JqJ32%j_RN&6GbpEtLYccP3km>7sGZv&=rv|9+)9TeDA_ZqHr) zI}j5ctdK6Gf&fBk_+30#D1PW>* zHvHYDm-wpvlFQqarFn}JI)$5gx ztpo(1DgRruN}O2U^hc-tSBFSd3D}9s&v;Yv40;)@z}gqa54?yjA#~QyIDQu>&fGQ3TBsW(!2lm>nbIFO?wa4dK`Cl 
zN0t%V(1_D?3Bg4$c6}Ep9!4M@e3rz|0&c-bssaM(xl0{C_sZsnQ*%O%_NOkdSb!^} z-ArTD=D#qoI%-q>H{S;7jyLY>34AFCHXq~;xPgDugo&%vc6<1F$^~D0G{ri1HohpD z+8IBhi{m(1qvl6*)c0YhZf>XTVZeOA$DY8@B;MhY@K=!oD$hG#SeKW2}A_-@5+>z*W(3VO+&O`S>a&VN9QKPPnkB$0351ULo*=p5t(cNd^IFb!+?!KKN^T*&HG> z$P-m-?p;5=H|QFkDPEE{a{}E$M*_SbP%ySPbMi@nzpgy{fA{{sGx|wvz+AWZm1xKYW>)$1i;NQO;sLJR~B-;%7xQa#)uey5; z;4<>%!)xaN?FDxreKwV)1yTHf04k6c>Yu4mL;oMg+MLa(`GEB}$KmsW99MZa_YTAc zp9AtnA)csn58PD~5SHyuqfcj!fg4m?$N!T4fFu&C1kMu>v(5m2^Og9i&40HjhIC$Rkhhh{Vc!c{30m^}y^})r*M*tKWTF4N1 z`22t>c*-RULJRz=9H1!-tL-AkLIR$M&5)j;ui*%jG+mdRvNE7@PSlmodWT5$}BpCI^Ia)Yv1X0H|4m(SV+Y1^$cx z6+aPl5TMw@Bj6*w^HvYn9nABvE9(Zcwk~UypR*hz4_M*bX`4l2@HkoU<|j|XKIav1 zO|upBxIkG(cLJ4WTN?@+4bwo3pW{W;zy&*3SlyN_0(DTfD?RHwwz9VR(4!P)%PFVY zpqpV#N+byAFr#;3E#!ySfP8}%YiuTm&hZMc^D`}3MsEU@7F!208wb5C-J5O^O00!j zo4&#OaBUuKZPqM8K0YEsP!_^S8&uMvjVA$D>HZ~Y;ekq-{p9sipkR2Gub5rNW`oc> z&z)O@G7JwkgaM_#=R;R@9WygVv5bnl%9*+Sy)+PYXHRh4V}_gv55(P>fQ$JAz>|%E zk3U*6vYn$344F%cL3vdrzQFEDlZP8Tf_a8}^K=js)B;m3Y~sxxll)(AY9$*2PmyK= z&XN1{oxLVe9x}K}y^L|yuQB17o)*o8FSGLncO?iP`$gUYD+hc2Poa)AAlO`Z)Oo4^ z>8Jl9_QaoA0Nc9sjjldtRP?A}o+<3vmWP77gtNDHo*Q?ZH|6Te-t~Q+2n9^}b@SGK zFqe=C7Pm9v{pmd9Co;f_`!n1;AVzO0fsi9gr;p*PsZ76mKb`9njgb`U{TVI{OFl|P zWk9QRny2N89xQ&;_7janYwrT0y|;Y5bJN#(x!6ZTN_U|yp?sw`|46A68VWEyOn@Hn zS2x*?17)LGE$_gs!cTf-mtj{lFGi)4UpDf^Xwa(p+umK=LcbbxBY4L9!1a_tao=d~ z%bop|O1B-iysehKPgho&RwY?|yhpgS9wC(%d$3c5mkmw2Z%#zz)ki~H`sA5(yrtV< zOFmzD)WDYB-UeIR_W9mU!!353*kEyRAjR};=Y~u3hqpD{_X>+v^adO>&DCEh`BpFx zyH&ymD{gyUTfE8pRuKe*@nKFi6c8>@he$EQ8A4V|IdDVDm{*Fl_*KZ4jhyU^!Zigb z7;-6*nJoNPe^X7AI^^2SLDiS_k$REsFC(b#7Oxdt4R3i|OiorsYOjtoS}wZ2Wh78B zI={NRSN+L29i7>_wK-aKU$+*mm>ox9I65kNa{e}0fQ&=-uhMcH0M%?;WF52u4;28O zxvw~RP7^F%l3QYxqcYc>y<i7+lUZnDSH}9Ow=AG~5 zkuQoCrz=hcy?zeV7Yf5+9Vf`mGoXQhOQOM0%y&Ei8ExFd$^9Nt-pXS;J5j2KT~86H zFdG!j3$BelB_r@ATL|ikIoDbv?;LE8RA+4~b!SqXS75<=@23KyQ6+PA3%S!mR2XJb zmUMTaHGk9D$h+z5p>IzF(bzeX{`$^A1W0atC)gyQN0Tansw*-CN?gs*7S6h9D5>cf zof#e+VU9V>L>g)vb9ZkxV9ZDKtySyPjJpP_9~V|CW&78}To*4`umiVhbYp0Pg8T>Q 
zmhw!!IwQ}77kCY1Q_@?dsXFsd&Z%@bd%rNj!!5l^C|dd1Dk97?wK|i_m}3@~V{T1$ zb~3H$0*^AJCH}7U{$tP!1a53FFSgD~2ijZsjj)Yv6*B%fQOmJxV@syRA?7UC%nDY* z?s>up!aTx6NcQ$seSeHvU?q4QyD!hUsxxzou(x;EGF-G1T3y+7tHvul*cxec>?!jl zbY*aIEAQ4S{;+78k+)oaPK%TGY1n8;9ziSjo5Jjl+t;oMKLELfU|yT+IJYQ)+;Xe- z&ZJm`s<;;%x z6Qzf$_OxcqHxha#$6U*Uj9zav2Gu9p@TQDSain3!EA*yX_MV($?iQ_n{oXB6fsHx# zgBwG{sFI-;`Nc}oDi5Hufj-2)6q$5@d09v(My@3R&<;w!c&$Hy5x22hJt(zv%0ra( z70ep{a|6+5`e;qZ(_uYYB+F{vc2na8-nX;sS#!i3Y%jrIb8@K{?+AB&pCwz+;e`2t znF$r}3{JT|C}IL+MF38hKW~wOF!nlNsn3Xgh$2m@Iwr=i?0x9bk8)goXdSNo0cY@| zi=RKdqc_7|0=p0$mO29h>i*gPw|hT(6k0l({Ya9HR~c7$%VN0x!P@XcbEB}-1_Nq+ zW7cxlsj$3EW6};#LBRMbUr|AHjSvU5-}uG)Aea6T04#TbQRgv_34eLc5OO0oU}q$k z*KpBD`>|{8YBAATGD~$kK_>@uz4e}S^|X3RqglImo!=VD3Av$Oln}|Jw;IVzMlBT} zLrV1Z7Dz~=+T$ijNE}J>W*yU2T5x?T`m?4*_FMyRMaEQL zs|4?O)nw^frureX?lmUI@ackW-<);eA_2FNr3ILY{Kg6BcYv%Fz+XY3>GSi1lqHlS zy?3teU@X8#-<7U&is)4X3gdDZ)xK>Tc@n+iEz`cgILO94*pOZ$%n z`K||?!TvJ%r4Y!kel?mX(108=K_%v6jo~}9=gu)_`W7l&EV)J+W*3h{tt|WQKj;=g zR#X~Tf{&u)^PD@uwwS~Zb`HL_a{k!x&Y%N_BH{fGE&8)S;MB%<-i@UpIL5Tht4bH9 z=V_1MdJ@&V>lK?pQ8p@E6;Z$ETAqY*40B1PT(F=O>0ehWii+@^8rgf5G(c&AeY|y0 zOD4me*Fz|}s8?t8#JE2<8l|ULYKlv(vYY5Y|B5k)n1i15Rmcr4t9@RTSYhp+^6n}B zu`D_n^W37H#-2B4C%74Rj@fQ0t9*ho{IU`WOc9}1OfCFP?Tl)e*j$KC4RN&$viEHH zcLM=0S%q5k>v*cygptkq59hnEPBTR+=k~w5&+fZVor9gsKX(j+m%->?Hz?C2?YF2hbn!4d6Q zxTPN6T1Csp-H{6V{05Ar>Z$CZM;oQu#v$5sy9|xDsT(b8b%HY%FK6SZBF5-{X(Y4jrfd5LLhi+O61D?(=vb8lr~ zzAm!-pifZ3Oom5HHA3D@o2R_{bJ!&+F-NpYi7Q%K1?u zNm17VNw5akjyL#nB^~&j?Wq0pyT{3qNCechclQ!U0hCB{{1};u?!I!Hj;yq`XAT?t z#d~FT-SD0tJAt~ZD=zomyKJ{XE>14a*mMrHm;(+?bcTGWmCESCmaXv6zGD`r^_(kr zWQY6d*0`bqGOb*if|bz4J}!1w?Z}jKcC)Mc8Zj0h(pZgFNXNPo77Uxbf_>`j%j|`3 ztx`_3g^2HbP1m<02_Sez(-AtC0Kty2uKjYg`+#U8i_!`IG zln@tDE$gsjt*)X@DB`>RWZ&uA9UG)WHO~##P5Y6#AMb?W@@2=sOX>oMjNI0>4It|H zXny8rxz#b+8d>c1bIQ*<`G$Yv>XO1q!HXWV{Qj{Ve2q8!ESzlem%WDIsy=R5W&YjC0XWkLn zD?-k=i(IzLb~t|TL*LKOU$?wo&)4($cs*aw^?JUMXlrN4r7z27X;{-p6v8Y(LVK`9l?Yr+7C=NFXdn|D_2tt?RbYNTYgVb 
zAFtZh``<1_B6pt2tQFRLE9!#wDTup`W6f;@Pg0is9InKe9!Zc|H4ygvdKz%_z0gz9 zr{hv2UL@}#X+bOC#9^mY8fV z)#02m8>S}CS12ZH>*!$@D`8o~9B$=1kCS7s+%>@N5q4Kcu0qo>33oJpDeWc>4!I_b#iH&?UyCbx0famt|C&Ac@WaRS*^>@{-VY6qSFIn zW1V`ss1Ll488q`hdaf;XjvCwvKz2iCd7{whLJax$LRkulvYN5){*I?KEZT3gMOVB- zx8VQ-16AL$+5KF%$lEp%P_#bgJC?}&zV?vKKlrKfG$&&=s>W4hEVke~ub;`CtGr?I ziqnL%KvXj!o#*jJD}5)*nQ!b&*l^*EfQ<-_{F1`LZ*@9#-br@_3{o-TSc_T{A4NNZ zmd`s+HS82JI2yfd+fpJwr(M)ioLTa%bhR7qSI*|kYmH4o>~CQerM#lgT&=`#2Cixt z85s#B5CXCX-K+!zY=d3`J!PlE-iT$;Hlx!q@rpw``*B4i;1cp*@d{cyXJP3GwxFBh zdkbuGtLt4)rqOlnZ`+m=1H=`16&3@ET`HTe4PYF($o}}#=@#gESLV9dipX@9XPA!7T$e{D?(KBF6qFgFWOJkg2I|iUG9iM znJnb}%3ztww!_d3(~~c&^QDmy_{RBh|13a5#VrP}&kc+Y@Jb>S zwKvI=mywhab?!}eF7hkbUSJZZ-#&?$1~7BWCd8zdLJ2l9v2r1jM}PWtK)kM{pb%Jv zeVpzA)-+vw-^8H$w>UDW!_o7gLU(#y*eyLLm?dSq?!fbXEGMRJ(PK8s>{^U+u$Dpn zth{&N`c3<+}QQ)kCFR<&t z1#>M2gLEK$dv0z3US!J7|GcEH7rSXAh$v1y>0YnLP!R=sW+sxRaNwVlnr?pYLHm4X@jcZn!*r7Qt~{dorRk4k~* z@K+9CBEPM^{#gmAP?sw7PO zTkeJLutbG2N)4y)Xu$yVckzf>1KRl}-$dz7*RzBP9^2sk98Tz@?N36(%Cz-rOWWGC zKtnB0{8pU6s8Zc519`j0ak}M|W2bfoo{!m*4@I}A1si&lHUWvMg?1E?+E*G}6nZ`_ zLDC+9J%oC;O6*eq=0?!92(+viu6l|z*6$L=XiWC`lOh+Z>~}T-&T`0hazGF2>i61| zb$}N1+57w@OW{Df@=>>T;(5Beug)ZGKb!q}ab=uKx>4uIx}gKC8*cw3c`8doRk#@y z13#Zg=T2Onmv+fqlypj7^lZIsWCb2|qU2H(h2YB(-2<&)cz3PqJiS~{6W?XIz_&pg z0?|h#OZbOw!QE!H^g(qkDRhJ-vhs*_>+2^q?Jd8iEq6q>MUyiR*jQTYAARJHhY! 
zdAvq%EvARxyGjiYwlB!yZzA>pbG6RdbQGOuhrR0YkJ`<_;l`U(?+fr5XlM!4)KXmO zEoy26h@7fF{3%Ol&wX`1BfWL-@hMT}h1D+m?~=Xkm!#?nOsBK@yv&h$xYl7C-IB3t zGq-~!db!04Z3(;eJD?qaF9gdQU0Dqnti@^zZ%>y^D-X!$}nEYzk|95Zug|aR|^*T&~5Ijfl z{K3c$evvUcJTjMt_-pYD>dcQEFZz9{so^axb#+(SZg1(KAyCue+lD<2XDmgA=v(>W z_Y}XbI$UDt-A$f+B>md4cXD(Gi zWG(g6`pS4wfkX3^xd%hGz9S1aFJopVhy8TAjf7G0&jcJq$xm`(-31)@p~LsMNw0ja(Q9D`1~X2o%)wrp>1*35OZ|yS+>_u?d{uAP)pO}=ryoa7hVI~7F%MyrK!u0(r&kV4 zyAi>fn)%P#yiOwB)OyaIl^_jU5{b%ts%Yg+3p+=9{dkVUNoeRMfgCWa+kr8V4hEFK zt=Ld-`RZrNR+pclyr4UCSJ}X*e3JPTP&v+V&;)_%t?3LlG(&_NAp={kKn(Y!?aaiYA2A-@{ZKp{5%_El9@1u6~bZ+U2A z{M3JV{Bx1+(B=p5$bV}$#mvdMGJStU_l3-XBq7sSyF3@hs-=Cq$WAzsW%rjn#2s3; zR)k5_#+5F%Z({s-HcwX`+}aANOVgST1@2!fQeGC``a_fmU|CDiAH7ovWvu^nOK4%? zF*rRKRM(b@w%3)$Vf$1sbeSnUgW96OuhG?WGGDARZ0u_ZuUwx$^h+vl25gsEc|9QC zO9j$)4iHEoS>HQxe57Sx$lSFz!P+3OeZfS1e9bTxce^T|5R7m*z0W0iHv-w+4|Kz^m3I^3d6zhfH#Z*vu=(-)n` ztq>B(66NwZlvr<6MkBm{{MsoJXYBN7p062e?ICwa6jkoOsf2BH3o;+W|8f{&Sc4cR zZtBqy_5+n>?jl(O_1a^(-Dp=Y56O*eWR2l*Xo8H{jpg*>s}Kil6B?V>K7SPH+fNic z%$QP5WNPDKsZ;;sor?=ofLiv`*-5cxzO+_~r>iahkbpgV9!5e)P&1AH3T}mzf~^|h zhv(}=>f(d(Sov&>EIevihL3m1v=9`27$K$d?O*DB2Mb00yN3wouAsk`#g!KEEB_n) zb=RV^=n{h@^wvtIHW^#>O>Wz%)L>pp-QFBcLMg%fLo>}*f&)K>WOq1e--fToTbps4 zmb;r9+&;6^{BQJOK$eF73=l-JkGy`1TBiVr?fy+Vana~b+DScr?}ygw|3IQ*}N)X*`{v6`ea_<^y1Kz^zrqG{}CXWGbo zAH#Xd#h{C0R9FoLU-}$hy_yhe<}%1(Z5x3O=*A3Ri*P!%+(Ja@frn_ zm=^hxJrTTRc|Gis(QU1QVE6X9(A#n19^m(`9%V%*UiO zODzF7E&GV?2r`YA!>Teq!XwDUB-c|V+nw*#ob03ge}mc}RX(%hj-E=( z*5^Stq_MSmy1R6UJ;xZk3S3CJ1x3(d-G|tDgu7isYmY^yN6ps1*7|hvSY+IE2=S=S zB4JmLdnf)iADfiF5VN|Am${3Ei}8edUwmWKU|6K~42}7_iRK8adT1)?x^q`I}xHfuG;tuc2z&m|0oX0c+H41M4_vC-| z$uzVt83CYYQM5~oFM+c^S};m?PK2(2o(qbzk@wppi!ZDV4vh<~j?X+G2mZs>)q!j$ zh*wS5O1LdxnQ_n5)$Y9AwVzt=>}~1nLHLi=+N%3KoOs~mvh2+WaswV0aNm#D zwY&xvZZEVPv*>Z(I@8S$}^-pvQQ530E&Bi4}xD z^_iwtR8S|Pp&zGae6Hzw9;^NB7mcsMNdn3-orSGWys{(i8|EiC-Kc5Mdo-LtLv!-I zwz{fG)nk8F4fPPk8@!lWzD3B?w_*|N+_CNFH|Mm@GwFW$e@9ISur-P7hK~e}cYp?+^DaJ*tIEMja4^K& 
zMs2afox>7sdfx+e?!Z9pAqaGRb)*eGJQrcbNT+Zvw!M0i(ZF52$BosJB*sga<0_|H z@;c@n0Hy}2bMvO{(@_G0`v(gx|5M7=b=E~EN!m$NCw2_+saf?)o)7)X(a%GQ8s?;%mHx1k z`>Pya+<;FWt%Lguy_pM3!1hbC$BdkqVD*S~J?nscg9YK)H21HfW5vA#bs|@U9?XZr zSzMGXuBDk{BMTW|3DG{hk9kyZc;p@7M=-C?|=;6pI`i2ZP4f}mrH}T6};tdvy2=$O`OqFuq)=d8x zYsXg`MzQnIOKI*hqvg#Xkgf-jXBPM+V17c%UY5Mndum5Bge?N`cl)-eI_jp}gF^h) z#x$8*J@#Zx={$_@O~|`}!=(zexzk=0tEilyTjBMXYK?=kh+)=EqKxG#=yZ%zD_B_r zJeynDx2tPzXc_Gw#tfRDUMV^H-v)=dvw( z|4fkCPMMu{_QF=*7CZ+#Yo%$bIQeOF_s!kM)6Vua)?AdI2p>zaSsSu49%z4ZIG74I zP^p7TmPf^&KAJ3%uFqE6Z@(Pe9o`)zkqn0k+j`h68)dIWuy&nC_%+nIV6K&>FFou@&fi{5=Gxa6@*3g?ti%(y_N0A8%jfWiaS*0 z02psRx8_3;@CNwATcc6*k(VmGQqBCe^6>0;NzL!#rYF6vFvZH98k2d-O>Vv;Fc}LJ zp{Vx?Wt%n(HtU$lc1+y6?G(4s?zHxsni{k7^;3Nrs_y$ zwDe$>5nM)k4yfkGuqWPm>m90;$q?+5aV_bW_$BMQhp7fvN$9bpe*2`fXTIdh8hP^E ztKWMw-{0=uT^&0g7&1T~n|84_>Nz5p@4xgYWJh$V07!jsv*f&*{B zSqns~PTM&?wj|E<#Bub*>8{~^;k2P;pox$tm6cw6lQT(}b7EH+-p_->t+i&AVf_@I zhuC_%^*NKZ+ih|)72$^?Qu%5b`p~S(F?90?Z1)lyH6MV*!Ep8hD^;OXShT{xa>#Gh z9DQweg3N1w-78#aNXJ-B!l{skI?ta4-VmI9LW{9hX(e8|X7t{S(ZI|%8-^?Y@kphT z=CcU?)G_)ZtsX-9PN1#eq9qjqt|Z**3_dLNO0s4|!QdyslL+uxtL#CtEtlnlWmlw zw#Do{G&Qs~5GR;dB89W?=wn{uIffRL5r7tg{GsYtl1xU8=bb57A&fs!s2b9O;T60{ zX!2^)jCHe0S9;AC$?EA`bM|n%(9$#Lg+3e()xXoMaVYtRUr&q=w4RhJZF#$X%kSb~ z;L^Znx@9p7GX(Gc$eV%1>V9wVYb8f138`6B)Ali;G+{r0P58pnga264e0tpGscc?m z!fytg-=ooHd7pzom#2M~wBSqe<*&F$Bmx|jHxRsW#P4p=(tbs7CXD{?^B}_jjb*t%oTH^5Wd~S?c4I8!z?7&L*_6z@! 
f@ZT#tmTj*3X8oco7w&Y^0DsyV2I^&M4`2Kr+>pJ` literal 175040 zcmeEv2|QHo+yBf&wj@hPs0hh6W0$OvWGy|`EMu27YeGgPTT&ESq$F*!ugOxOvZR!K zYom>X?A!l7GjlYSo~NFk_j!N6_g^2MPjl`$bDwkW`?|i@_ge1zgz0Ll(NeQfBM=B$ z^&Kj^5r}0L2m~39aybHlIJ;l?I`|Liv0F_Uk@kfB0|F8E#Z%SL)A@j{gOd${M{FD6 z6OWiG_-yTfwR6Wh^N6Ayta-##ctk~Qyp?^0tUZPHDNB2c3c2Xn+F@KlGdRNq>uf_f zN6A1B9BX+wc{&K~wy|??b%D;ncj$aT%^mAzujOiO;{?vJK0x>dMnVEZ=*8NX*di(g zI)(bRbBC`@JOygdb2v!67zRx|&C9{s#)J4{LX)SfE4T%>`HfbtE-p4!p7Tz`y1Tpj z%scxh<~;up?X z_+(;(hdtKX)ratVd=q};++AJ4FIDjqw9Uo|8a;Si2*2C@op0yv-`&QAc-kFkU@kAyNfYa5zJ0*KT$=tx);Ty$Q;!egoV4dD7Dr{j;HKHv@s4GWJ! zAEYN>=8n+9`0hy?pv#dS<8P3pVgA?9-9UZ7-Qyomc;PYO2EjRE%C26XP7W?M+vcPZ z4H|*2Sv!DP+UDxy>J9|J#nlB&fU>=(vlBSNfR8@*4xTo8Zdfa5Vtjxqfi_!L7f+%- zV1Swtj)?;g^$H~36AP{d^$7KWp9vdxRc~-5XhI0*I5}b6JRB_X(*?D-+gN$IdpLO8 z?6&bBC>zuYWYZ10wDSRQuWt6jSRW5@VLNwMFE{X|ox3`?){@_vdqCYec>0=uJ6X@u z-PIB54Bs*S0Df>DQ87_*X=#i&=oR3S6G^+O%yuzVNzm?XDI^iRpj!4A5prz><1 zSmKeBjV&aT9$=^(T2K~j)>sdF8%XD&lVBD9rZYgIAT)xmY6GJd z)C9wtjjOYbr@JpWh4`(wBoG4VCorN(%MgxzNZf^~Bf0#8Z!20RPlo(MQX7?E$c zC+gv7<7ou}Dl{`o;s_}g%wfs=Mgn}yZzEy~X(JvuAZ?zf%7oTAHb zEp421T|FF#-CMePdb&D;v*8n#h5{>qa}fBE;^<#tCf37^KoV>n4nUx=H1N6Gc({7G zTiFm`4?w2JQUGXU1)(xQs@IxoWQmnMvLEYG9OMbQb3L%K>8Q(1Y8CWecxORg43vE zW##Gx+!Xw`Botstt3M~(3#}g-FmF*4?zl!ACP(o7!2fpLkjdO zHeHN(yWezB%g!0{?e%p5?_WsT@!mb~@BvxJND_WYqM!39`oHMg{%wEM+sz7Mbqfio zw3G}+2J$XRz0QADn&vL?7t#bnZZAYWb{LOy`WK@K1!!z5z#8|LxE?N6OE*wKPx82^WYMDB!O z@e+E85tmX`R{9^+%ehO;=_M2_BZw#|%KyAx!n#4!OQ|Jzme^7-F9!ecmlPAe-)}Il zWDK+pgI%P3|8*da^~O3lVJ#h;puplmLa=lZq)UiPDE|)=gt<%nmFU1A`NNpLfFR7- zeG*KcBN3#Sjt|>G;QC9VLj-6Nr(ekqN+NupB7pG!Z;J5CG3g(s2tO@PnE5Ur92z1K zCs9e_Df7e$j{p3MI7t!N?GoYyr~*Da03=HdpG;Ut4Dj(flAOk$GyA!SA2IyD2TBd7 z2ti@EC3qdUpo=v=^8dXI3rPZI5xi{Qjt2ig&xCIbh{1j6TJz9gVHO4i+ZSY9Yz~0H zJRGE0I{gB`&c;a@Yvl-KQCzGSPyo`PCUi#&!nn|V;_npeZbi%&L4MN`7Vf9TN@l)T zVc@g|iCkgej0CA%fxIu_^1mWiqKh3F7^dKKrL{5w_o-uKYI1$ov5 zuH%wHhdBg>;1ISM|6tsAiSUD%FsO6D-@CaT@mA+s9VlrgAuS;WMH#;1%Pj=*e*&W6 
zi6YK0Oe{$zSWH@2Oq_5j(kX_g{a0pKj2M|9nc+nfNGJ@zPwPB)>wCsX6b(!&RLX-T z6fJ-b@uz+_AwOr8h(j>Pkx9k?<~gJTAVa)^UmAeL+-K1M%yYk%jD*aOX%iF1^BaLZ z1-a|_ZNJmpOPAX$;76e5&|6}5!>_%mGk zt(I_+9-bI}s~^Ev?#<=SNFj&NNPr@kRubC2{Tj4?rwZ=3TK*f=CqJ*23t|Uw;qAYn zri%knzpW>}ZWgbS^A!zm{RxFEcv_2G#>w zJ%EqLcr4Oc;GIHsr{4{)5mQ@B#O&ZQ-?>O1?A*brerE@3Yp9la$%^T35kELg2G>tR z$AsG?^+A4O5{RP?*Zz`>`cke1?3Dcqhk?tANjS{!1P@#~zfdgxW|8<0CwK_5^W%XR zQCLu5xmldE$H1qMl3z)we;{WM%Ion+u}E?(7isD|61-%n9D1 zga5kJ;Ll2qI2=#^Ny!lt`zIu4F(K1+cW_?1*24xY0{C6)L1b#MJ49e<|NBvP$l&2) zP5<_Sp#MK=J>XD02@jB13eTnBNW`x&0b-1iq@K#g8mv(yrcI%>7_N4%E?6hkZ>^-< z%jSTCry;EoB{O3LVnOqH;F z1KcS%gJ=vrvF>(Yg(JR+n3sS?kr^ z(ppN!@*kc`qEqzmPvv5cwHxp!8wp^A(V8GZKXeB-N1ciaIDB_9H9qEU_M- zia`{uqOJGm{Oxyc;aeE;KOl%HBQBw`9jX_BDfAC4p_5P&Ln}k-yr>@K=a$eB{Go+j z(p=1Bk(*6I=NBd^@y8@3I{#!46FBUiHs(NQ#FX(RFeHlr=OO^#1^J)w#)uXaGDx61 zQP?PxT5n=9kklE2nfR~RZVdYGSnqva&Tg=M2UR^_c57Hy16U)Eb+G~~V*hhXD8TY?C$P33TIXx-1n%10629l9Ybl^Q zHW)o&F@b}Jz1p0xJ4@gD29=`+r(I_xA=*3zt3o z=mt-7@cZLD5LQOmUtFxjb2X>)lo*Zx{~8e_UX4VH7cu&8iS8d*+VYc&OGvimB2w)| z4&HZ&+oH8G-xj1m-r!<0{_|4<$K7Fkg&8{uzRp1@>D0h8`YSU7Z(KNUVhC9JFK)f{ zr+ekhf&1^Rw?N(EqU}R|S5?8w(BR16Ke%Rs)Mdl3$b%g8|Dm|y_qN{pX_sFD_5)$4 zhk=3wQ2xjKg2l;pn4A5Jc=D%P`TfQd5HJ2l3yCW;=5s?3-&?S&;L_U?Ekq+Q`v9Wm z|C-SDEsOEHm>Rzw@RA!C{gZi!|1mt7Tg3k_;0Z?b?}QM4HIV@2_UEb#paUb2WP#)w zq@?jx0CVL9_#+5sq4I$R0e%~dwS>)*TSv-(k~r+r$piwSToAz%MgK)Tz+5VTG#*HR z{a>g6!2eXq-5pxNIJY?iF(C^g0K}ekq0N%P3DB5;yO)Gb3v7LerTBAOKL5q};!=dH z#<#s=33q_M8h$5PHF%5JZ%u!)x$NA~%%ix#2#{p2MgNz5kMAUxe%kl=X{s>iR}d!) z1IKzuRD156f7VTWG8n8mgsD-0z+D zpxEtS5#fb9M&M`S-!9Ypuiv-(=k-@o3SwIjnh`Zv97EJ95)Hu&K$AHikD*1;gljHJCVp?fi}{WWhOisb;&CRr5<-BHiAoZMk*Eh?V=Vk^ z{qR%}d)J-sr3gt7`yqBqJc8B6)z;PndUXtF{^o~(_W}Ks=K%{AiEV`E_FIblcS@Y# zJO4W=amb@0$j=fE^&%<$u3*mXJ4cir3CYEk7jxSZk-{?u7CTtb{?6-CWQfALlwAGQ zE04r}XT-mSK7YUR2!0{bfB!3wV4e73ezmZyMM9cb(nP|rFfg5(r^9fq%P;9L(W;T? 
zFaeiHT%qr5GBv0E3m^4+M)$ig277=o#avtx0EdG}pC8U9{nFzvUTL!E@qc@Q^YS#` z5-9%x%Rqj=N$GFDNl6CQ{DtcKT{R`fX-IHsDOiHren~Bfm-;hQ`mL6~)e?G@;s3EJ zi=S7^|Gh1yz)L^yKJaff{aw89|63gOr>!R>BEUI-^CNJ=;@_~Q#Gn9)n*QI|V(KTb zlIU8%MZ_edzLab6Pk2`Fe3Oj&?+u#&=|zQb*)VZ>VSyl-UQuabxDuMwdHg447GX$jlM?3V&EJ>i z&r@IclCr;1ZuXZcvmYoxBRuWTrp&-Q{RlrK&6)jYl$(i(60Gk3TDjR0Wl4Waf_^4> zIwwISHHt={91kyre^RiB|J}k(jQ&!r{>L)0@Jn|{rRv|y#1a$iBvu8^*8TsGiT%zv zlVoBg&_uWM7gMh=1BY??AIY_1;Fm>`Oy8n)=HC+NB>4WbI~Res{@QqW0286E-eXQW??A=@#KHAoCX3Ze0j~E zt%+G!3kadol6z%ZdRaL_+nEve&H3)Dqy7PwAp!4#0sALX#DoM1gB24MmLyhZ%ww>` zGhy-lI~iPYVjm>JN?Pc#{SOal$CGd3O4v7HPV)BrNxjEU7wODrD&TdG|GV3+E!Y8N zu`yaa`^5Sk(%o{v;tD*CTVzQ@(F?fFccbp0_yi*j=k8>=^O*JNq^MZLxt#$zRIN-xUg?iJfz5V4r%Sog~OIv5pDI_unr}!Voz!ngoA{ zk*TGTM-Ny$u)Wcr;m&_@of$z>zN_hgG{YO35yzhBN&ej#{YTXt0|&H72*&@8p8sv# zTdc+lR!aQ<6#VtBPy`KMpr#874hiS{m8BpQ?k$#=AC`xCy7^~olSCJ1a(+Y+0qy*6 z)kUH>FCJVX41xvjXxPjWwNdClOC1R^L;{^KQ-kc_ywK6lx)%1Ho^BpIVoDIUi*9!W zucHu#*44OrxPt$|t0@SC5PU_r5`h&GMfw{Fm|vu;j24E%5oq#_Q zhTi#2y8IU+2urVHkb-zL>8bcmp||o98u4p=;qu~z8DqkJp7Wd~k}75RS8!4Cw|zc6 z+`x5Pf!kn{^mn`!3}$g?1QtfG z9};*;H=x}hIt(iW_+$t9c}fO);P+ZyPM!`zyKU?M#ek5_2CO)>b#;f{#iC;4=H%*2 zTK*2CA6)Z0qW_=qj+QwG9HP>AnfR_NJKr)w)ybq}8d}o;9mC>Bx|t|J?MXxJe?z2* zQCwK27T5oY!6bB^2TVNgCu9oDn!Bqjm~vGfv2EZ0l+wFn-R!kot!k;ZIN_!5N^(Igi>{UHG)Ai9WW>xe_oW0vJvdU+rV!WGP zq9~=6ai?lcnOj~{Qf}N7{wSJ^jD>Xv0vWPNscaVoQZ^s?xhWyWk*NQ%Q26hBYeD%A?rxX3zxMZTC$?Kz>`5zq1%r+{b7W_GHuxQ;) zBd`I3lzZ^C* zO7mA}X`!;2=qkF?Mf>s%V&)pP#tn@s7QY#`vbHmR>2{+EsOHl4#^nB(@G}SNZtOO{ zV1+YMQcsR7dN{FZlU2Bidcf+s&YL3*qR;aM9>3cyzKh2pcg8&aKFf19t`*6hy5>42 zhl-w;QkPL7guhl^@NO%c*m21j8i-@(R-Xccrf9J0qV+wa^LefO0uwW;)DOa zcO|2$t$8+>H`ikN-<@VGl?zt1&qXlCM8|vO#GJo=0VTM`OlaWgW~>sj@hG>L0F~!C z1i9fgKiqH(^t|4bV~o84j7c2A6YHO`^WoZ6bdNUiVD`U_SslRv>75xrgM2))L+-{_w?csdgC#k za#|po@`~Uy_g#;Z^9rwCdLkLnGgBd=MWKXALBkuXpW0hNTW9+>jppV&9KSnd5-S-& z_vp-?L+3INJE&h00Auf^D)np!q+s?kL1TkO8(*EwQPJTIXgd=er#bl6{q?2~v!XY& zid-M1k3KnCEMj@2Xo|<(fh<1s!GX#8UgXed;dsL8C>)QF#_@jBi0o0m0xmO^smeB9 
zn;kFe`%ZcI3U8v(FzDAeW6O7Xe#WToaWt9X-HT(!PWgjs+!pkQT)r(ZDi(kr> zx%vAK7}OeYB<`CQK~;|%-PJK&r$0&CFr;xv2W6@T5aH9E{?G<J54em6O0W5RoP)bpq>l=%fuzf@cm>Os#uL+bZVEYSFmOThFpG_@dsyL0c|{l5WBB4@ zpl^n5WTfkPk+M#Pr?U(a!+q`Ic^jqGA5E0n`3zoH;1x{IN|jEYjJAG)xX|jvf(`l9p7t$ z-aB#Q)z>Z*XVs}Yd8xhT>vJ76iZFECgOl0SyRNif=cWmNS^J@^jiu_`Wv~5@s_k`a z3Mc!+(T|Tj-ZkCo)rf3`uS{lVDB@PrELWMo5)Yk@|Et#H2uJ9~+&!0J_39ZfAvEfa z%Ru&Ey(`(igcmG{o5r~`Mh-phUKjf6VtvFWcfSW82X3<1>}XBoeI^mMDt<-c%K^$c4iu5eRwg#H-C^`p(tcaYW8={c`6 zEiTzlA9qk=)vfU~5y`0s`ctDXa=B5l)@r-S1fR&voXD3Bc}f|-F8IW(_jJheTFQ(A zIg-$wevAyCl5YaI?A}rA#17#i8U6L#qnjPpg=$_@FcdaAacMN_Xxvw>@V65;Mi0L+ z=1T9xvNZ6%5_&PMdY=y5QIIEz6h{YO^>{f-3eK`xqliMMMsv99rcpgtxp0x7TIIjjEYG z^!l)9^6a((GFmfD6;#I#pk8bJA|)a9!f^&AGd`ZGk69V*=DRUL)~l}j#)xUIjc;^% zr)*?2?}RX0w}{Dcnv8-2$J-kBA$gq{Wv8E0ZClxM-J3e8PF7g|_3$29IbA(mnB1^- zPKhqSAQ;x^u4M85Hhi)J;DJ)7BqN^Qil%~Ti0aI)`ZkrfgbHmtvR z*sy=JB@_{}$>z$m4l+gRSaz~7B!$5V+hZVYQaq(tzY$}0S2Nc7{<{$|9-(v(-+fd< z>Tk4%hCW>%y?AvaGL~tV#un_8be)wGtB_p7kJbIuHJ)Fvj~S)sFgj$XFV>IrNZs4U z!$9wj2n(bPZWa|7N&2*pe&gAKqG|V~gpF%#)U;Z<|@_ zXVlLPuYBcJt@4H<<>=SI3&rN!i}iM`4pCrMMI~$i&$Z@r>KP&hs$X@Tg-275`MK?R z#rh*;LJ_z6FfTSIc0+=*>JowmSH2NqRwu1cS>~VW+4Ixe&hcvWT0g$HH+N-!Mn@yM zb*+kGkIjB$qm%ihM{&VP*Sy|K+plVRZp8`c^BFPR`bZA6xBFn$ z?wHSNPp$?-Y4m}rRcS%HA80S^x0F0N@Ah}B7XUbrRnM4nWI_8Vgb!U6PU{y8^#Ab* zD3E0vYwJsC`1>GUD zF3~{hvoJE|M1V;x+L6sk`n5KY$WLTmjYel6H-mK8*VlnDA8ao&ZO$V@dhg7{shxA! 
zc{%h3LU^R=B}2I_PE>?sG87+xv)Q&kJbruqDi(_h)W~M0{RZK8^kbiEd-^g|0Xu{| ztxhVfUxDg;$h20cCOgM$QOVA67TedrWI@ewpNmv>_W(t@@!A?&%V577C#NU)a#QAI z-EtJ7?NR9(q+^~zd?JaUD1rx!XI78BqI`)T$*fx1yDNp#k*0@@h5QOa?*kjNGKmmg zQpBM&kz5f^xphr(XL-=x6`|(@M>Yk5pS2&#%z7W5WD!Z75t4WQ5IOF)+HIrRO#bRL z)1e|M4zY@J_q*2$$$$NP?VU)>L7qtDNV|RJwb`@&`Oo!+qGpHBr|59nWU!W*RC&vP zzNW=B+UBevM@#OPkXb=@_sxfX!Dm<6_Nvp<9eL<|(0zud_Dp&EH}!s61jg}Te!p1D z;67BUVA9Cx4$~)JERjAeg0|aK3}q%(Pp`#g8uo(QqeRo2sOm|ZS8Z;79j8iprs73p zC9}@SS&_5;F#LXf)YH$_L`lwmp`eRDKa#hK2E5) z0=k2pXYLDjZhj^>UMiwo#nmTnH9+C`WjV{hN2#$VxC+dbUF}up?$aF?I@GS3wV6IM z=`8 zX>|n3_A=eHh%oQM-KWvkea!G6%TUI!Ja*FO9&@_jx%&=R8dGP#mNjd6dsuFFYL#}W zp^KzkuOrxy)j*{{FMaCz=5yx-xHMF-Mk^+`ZkFPr_ztQT^KMrqhId$$<@Ygo_<2=Ep8o*vzR(xOKDQpEQ%MrbQ|8Wxu>Sqi)6qNULKKGhDskH5sK$o`pn0k2)aE|M@ zE4VXH6lzc$2@bX#_-u?4%$mJ1{_tUS3gV3jY$1UHodX7mQ=ZwCSJMQ)djy-?lGIC=ztL%C|Eun&&OZ52FRMt?lJdwbzxc%KMQPJ!>LvG`@T^I4VG0F~boNj8s>^L?Sd8ga;l- zaRup@lR18oWZ{WO+FSW~qu;#?n})azpM2g&FEC!>|Iv~u!2LslJzMU<>HI6*$5lPT zyvYQON9-}TvnYY}uDG#NY^PQ<4(KW5u-qN;k? z^bX@^Oi2%5&Ww*6ryKmK6T{hpPt0FF*{(XXA0>zp(NH_*~|{$ft* zbCe)I^=j2?ci+6>&SWrI$;#r8HpI}mEN|-}5 zK96*{tQvP2!5-ryqm8RAc$Nqy^{@51F$ zIu%>yZ*_cTx+~|_RTgqXje#sTcr1gUxQs+_)Y)8MZyXqF^?gk)7Q0DW*yc8Frp{;_ zwD~ZH(6vCL9glGi-2{|PPwm_dlp_s#@=cKPe%ruIGz*$S!bO_g@J(-g42+`dwQ(A& zJ}?&Y>M~nAyGM2VPB^(>=Xluo)d%Yi=z;aP>3^YI_^FEz-va>-bnEBeG`ug&t(B z*<0xUME>E!h=a98`8sRFgR3W(Q?ENXFhwW$Nu@uOR#k7T@UG65@*dr_<{l#)&%+xp zw&ynJg*TUtpJVWaWDit9%RN*mVwrQL%@s3;jOT(cDhcR&lby+WH zc#w^wM-FpLjYYisT%_XUp=KqHbBo*!@tRx9-FyLIvF|4ZL$B=Yc7uEBQEr^JS!SUR`=OaQ1|Q& z!(HyuJ`+m6LLW7@5%=)w1+HE%hJ-=BkI%@u;(cu{RMX^*A+sB|Zcwgcb;1VutTmB- zkW_FhLh%f@>9yfvONBnQ$e8rBf6DGgJBBMe8;{ zSLKO0pwW`Kb(ccfSLg1b&?W<{QCT*<==L(@J7*mry0*TF>;R=&T2Wl&6-0GD-O+XT zcZF=boYB0JiSO*;LI>+APgG45@4b~J>#L`!(IFAIfw=YCQ7cBg>7{zkybiFrmz6*n zH0a~;W|lc<71atvfMf5CT^CUo&!`9P4Gj%F={aDp0pbh|^k+;M_BN?nT4l_V8@cl< zXIf@AGcZ~lc~cYo;ONiI5j&-Yxk`7j(ggsj|! 
zT=%8642}*P394B6`npKjYrnF+UpEVTGmtfBgq1{`c+o1*!#k;sThkn@Z5?)Ulc9&l z#uGQgqBi@LZI+B1%`LosQRKkUn9{oHuF-DQvJ;%_j%nV?72PbdrYcW`0-db846h?@ z@w~4}%DOL4+n;>(DzIOicFkKLxq8YAl(ALC$cz|3ei6CL_^{!_v#CFt>WW#@HDw4)BYV7y5H?@YAj?5b!$J{v{vgK*At_Yv(qmDP-=jEy9vUrauT z^}fRseIh?X^k7KZo>-wu)y(R(UHui?q+f&}m;khF8U5*me=%=a@B5O0U1XIO`*)LR9=y%oHy+yC65b!MGaRRySP{#yvTd2Z zS=Oe>X0!#TgEw7#EW*RDtBO87JGq$ImX7Zz7m~SvB6V-&KvsV>%U${Y`<3^d%;VkZ z41JE%=R`vwpS1%3e0H-yj(Q~UKiH}?nP1RotRlZ#+FNVv-+@@yXW|&rm+Q{4$JP9g zT)kBR^bF=B??tW-X)En@vFI^&>^eWfq%z8xb1+Ze;|}&3J)8dn<6hot>+i&DxFv*S zXRcja!Xj*Zh&91e+MlZD4QGG7dempK9WuFD{<>Ssnv3lA2OVPYOoMne26D39^w z26kt)C)91~AY_%0(`Ie}8hj+|jD~qaYtOWuYwx@8cJfqKW6rUwM6_3&fp~MeP77BQ zFcKvlK`5u|fdc*KH?N~vcQDnDjV`R1LPPs)K?BF5Qz`5zJOr8-WClrPar>m)Q*Y`F ze;@a2aqD}|3!A9H9PBAA1PfAMchj}(K*shzN%N)*L8fJrXImhqqrO^MY+jC8U1`?N z8u{7yaI@jsvk|b(ykr9Gu$N<9_X`*5j0@gQg+^XFN_!mS$>XWFe{X``ato=)UsgbtiOk0`6Nhn!s-iir1LHU@<993Jbq!DGjXN=6 zCR*V1hNH43@^R~TN3t(djap27DyomqJk=^>}k+_ ztG6D!iYH;fKH&ci}tsGt8eRCEKZ*IV`?hey%gqn`B$G z=VMmmUU~b8lmxFqyNjOPs*+5#xtp4~rw&fl3DvwiUXk-kve{-?N}z#3V_}@X0cx`UvmsXD%AuDJeMg5EF2P zPLi4N_Pw2k9$xOPTL3GGy0?$j?=GVv57ssfS20$A-uFW9CRN6UOgrX8`8NmX&paD$ z@HMC*@4d*C)Hv)qcF}*NJ4UCuX||JXl6l-|hyUu5{;DrSve=gEeKoK$Zy@_h&Z?ud z;?)yz)16@IHDraK_I@@wZ2u0iJ(gp_uXv{h1C9O&?(yJ*tBAbFRjhvEsb^^|&Y#+` zj|LsKbF~F$UYSS90ZiGahzwaaE1gx?kp|y59SXNIr(J28*&=SMu;1=)`?3MScRxJz zK^o3mIeI=A?8}fB+L=6O&hhhq9Qi*YQZMi+30H5b^K*qe%gX983RsyjoY^m zxV3x`(~e*FezWFw;^5IT0!gG@yPJnQZvDP_I=0@IE`EA{W@t-5NqRy#Tnj+%kxQPU zA1-{Z*rK<#@%1LXvUaRx^*Qp4g5|-lHOtt=+b>L@RxmfMJ#s{)W=H36Fs(w+Jrs?< zI$1MfB2kd$y4b@NCrUDNw$gtgi>J)ip$o9fkM0hd_I48~JH#^~wLDM9_%JI~Mzd)7 zfgC|~Tw$H$8rA^&#}{AG=PWNe+CoH-OAvLWy<$}fiUg325yhS3l2J?+BM;F9EruSM zrK8ns7qYN!(}yw5Dr7D7T;Va)^iIJ;e9zB z?U7+Pb?EC^36moG7?t>{XBqBa)wwKqPVr1;s<5tc$Zmv92N_!||14*RAL4nI z^HGF=TA>Aczaht<@4e1H#sy~r6$V24KhmIOSg+6>=@Ms_Li8l6Osz=j&kpc*!>Z#} zkBr8RMKW1jy^7;{!bWdlS;A<#J3RvAkdLU-qnqCD^Lvyt5eh~3p+Ch<$N*%e-l}aa zVx}w%z~#QLt$}rKV!yvj%kYeRoSfOSKLlIPhS6uduZ}m|7LSOCr7>nFKQh3e#fA>> 
zp{2?=NROsP^7`HBHAt1{ahn-HOWFHU$C*^XQ7_>r8ne3F_s!u{n zOny5xXoB`7U1!S7Dyry`)7QbNpXKgaCOMc>vHmDXV-YL_Ed!((=XOb~9bI63)_-79 zp~oI+e8PVT{hGXH_$H>3(^~86VcY(jART?ipl@=O(hK{RIaug`u)xIcgtyO8U|Q8O zM*Xioe)!bU%E1hG#;iuLnz6gs?AhuB#YZgcj-#uqiBE2eYDH=Kk<)Qobo83ai`s6Kr*Kh#{ zz5K*Jh`+;~QjO-Eu-LfFwYo89Cg`ZWr$AfT*_0^QV@^&L{>d zuU)(PvK-Gmq@e3duD$b`Y)kiOtK4OgvIEpf-s>{&t^n4)TGuWI0Gm>(NLhQt$!;>0 zCi0n15yys6uBu z+@}2*FDUW9Qd^lQzm~a^>gG=J$qF>85p{ihQWRPiOsa~07-!U5ny7KEH0xj!7pZHL5-y7NN zKK&<};^H(yN>0k48QdZ>Z8L?Mui8FU(a3j7lt{79%dM;$tl)OML(Z2(JF{;v@wOi0 zGezX~(z;R_@8sZwLBGCA0?#Rg{O?bnYn|TgMAdAkK7y3W_swMmBZQWKQW(U7Y9R(-5EttRn>;oO$jCaS^unwK{b3N3E(%LvCx)3f>HWcvh*uXg3*q#|ng zkbRSPMmQlpJz?6E7miAGEE0a?)`t|lUXN30UFM~D=8qT<5qg$YzO($+9fYI#okJ#D z)!9~=FPBlqsaEqK>7yJcD5U!HmyIs#sj-b+ug`^Gc2|D=rTX>f_eV}C3ou|C&lPfW zVVNvy3j~JpaEj50D_!{r@rW7;{I#coQG!jMn*x9<|EWY?!zyzG5u5Va*ddqVqiyfU zW0Z#LmX|sRx`fi)*o;cedZ$ssBH6H#KFmYoI2mj2nN{NxnVGhE!E%q7YN(m^=S%3H zh*fwb;1Mh_Vs90xQhQ7oIE3vIO}?_ZOal9KW>`6bLrOE3OAG(*4ed?c>w*YU~)71dgEx zme2MMUgpI4`_o<5GBF#SV?TdVAK8ry{>t?{2RMR;ZMxZ9QHrt4KNcVy zM?V}}sgZjSIXO8tFeI$A*KK^VzHv0Yi;7taWovsyV^yStS{%1YTfvs%y0?gvN1X3z zAFeZ|Utlbgi92|R{C@+#k27d&+J0+OlJ|G8I}QS{ekZ0Gh^VkP$T zD6cHr-)Om<+%PZXvbL7W82kjg$Vz0N4gir-opoFKrAk4nd*_V?ght!<#xue zi7(7Bw6tJe5#fENgkAXcN0l<`q=G!@o|{T~Qxm*Lf?1YNd`Xy5VjoJJl?goCrLa!^ z>+|QwGdlU1w0rWUP1E`(t81HBOj*P2tOEs9p86B;B#j9KiYq)1E(oCzoC^5?~69Hu;}S#C~L~Cub)npk6SG&HiZ}Mhi;Ealx z83ngR%fN&-$M#jgI_FOYY(+7<aH>7u8Y|o52;D8mN<0-qiuUy)HCmgxb(oMt z3c-iv3L8%isVC@a;LdQn*kMqOzN39FRK(x1PPmNvjmk!QKkB#3<;Yz&iu3AxS8*6J z4WF_PnO{RZ|GYo8i3xbDDPJ%iN650|b)}k9)9PZ;^j>~NZ{x?qs8EjS@3Y6$!>%5! 
zGqkcx@ul|wp{mei<$H%3jfeOUv(bo&0ppPU$M+tV&Z&8ZvSVJ+Sv|__)foWc;Rn^4 zZn?<9fyuXet7=R9`3(CfioL6I`#-e`9030GQbwsU>sC{>I)jD#7-EHXP(|&2dS)S2 z6(;hSO>u#@kKVfnDv-*3kp0L{!-p&;+cYf7J0I>I{yI70z0C2GJF0cmt52>Mu$j*m zzG8_eL07pgcja1_#WM@_1sPYTnThc6Gw9l88IHK{gk_M~YWvrsGTw#u^Oqg$s12C;Mh!T|I+J-Hr)4xxA}*-V|96ggpJ_Wzx~N zkF%Z}Zv-gun+rM;GC9uWKvg?flIeTb-%%+%hCaUY=ve-|bDBj0Y)gYts^4 zTWPOX)wf}7pZ2$P2o&qBqkCnqW3GqG4H0vs0uC25W%y%4)xjQt)Jg`G+$|vKvh8es z^cD$vT6znu?4BbbDfB(LI3N|0b*WuV{G=08)4o0^mF@+tnHI=V^c>fM774nHq{R|A@O!ID>Z#v@F0g(Efw9ivo1X=;x<^{JM+5)u>8tdG-> z8-{QkZJ>iHiCm+ea+c-TJJ7vQ_nrH)IP2HT+uNOlTsQ-JmNnVu-fF7`4?M!z>oWNvu%ja|rv!uY9hlVb zXj*$^izo}RrUTS#kaN?ht6y5ZZ204lw|rIE-W3+RcY4G!M+9HtyD7 z)9Qv1`t$KF_6|jl_+U^#7o>QN6XAK&jNDp~ivoJQbE94#^zjcUGnV=G1{ITq@5kCx z&d=~8NBiPdU7PRCpu#)81Apv0E8#s*NxPP=#ealbAg8s;9f}fbtrwvWb<#`m^5wha zW$tq!XEZ|(*WIzKC^Y~mU?Y~lwt=&3x4yYVVWpz!34gg27A8VP7bw@xc2kVj3uc>C zRaM6{yS&np%~k>-%C*yq0(Z{iDg!$BF3AOg;d7a-N*D%3RiEmywDtIVS^?dYO(t?= zN7iFaf1!!aDfxIU-m)~4;Cr*h6yDuK4mF8lpN~`6UVD5pB*&O>7fo;2=741{*_H`L z4rSrkFJx(<)KcQ!JJEd^Sck~TE-r2D(ef*KclKHbr|yJF)Yy52M)CKq%vUp=!jNoc z5~t!Q%-KeVU!i(W7**G`nDh;=0%H_^_3d?9CJUL5HAhq4dQrU=F!ycJbWCM0!1OZQ zllZty?Ah!H-HA(>u~Hwa2Re0;WJZr{us-a8l}DnECf91PsUmq_d+Dzh_FH379>kaT z)hPOs?L_@i=}~|G*-ybEm1K&aC#Bx?nIbH->mOV_I7)GQf4-UA?HM!3@zFr0Xq|?c zJfxep%Rdg*Ke+bh8b|mTn@4l^Ce1@)lAW^amPO5ohaXfI*CaEV6;8yN4zQ$_&KzA& z&pUbVpfi6`V@$IaM{mh>t@4; zo7P3$vpXb}WJzy(p50FYwru!Zdha0Rij;EaHIw7!>y2#>RLlHP%bq)V?aGe$WC0*7)F!3e#<81}1wUkE z3{@r$SbSW2llhupoE0*^#?6d7=7eB=WZp1y&|Q`F2X8esx2DqD_mo@|EMsoze%EW2 z)2fb4QH}1t4szvs_u^ZW2fZmDwx*Z(wOM9vs-_Du4QRW&%xYy3>XYl3<;Jv|rdgWw zR+R=T-?9#!qS1|?0?Cz*frgbI4p_IZq3exrS*b56_*FesNT~1>RjHO9>C+n}1M>)9iVJLY|QD~l=+gF3)Yk=b!)wo^D(w=oXj-o zqX|G<>L}4}xYe;TwkZKZ144ZLn%eV^>j4{4ioYYdt21_en!M|~D^((9Cni)>;(9-2 ziIn0ZNB90AHu1-8M%A+6V&AA8p^rN;^!p!>nO**p0;kzeb4ME;d-(#gTk zYmLGm-SVUCHI~oqo5*?`f*eEPqLz)VL(EdXY#tOKYpgssycxlVC|IR9CA%8c9roS@ z@p*`PD?2XR;3_BLkV$fFJ*Pw9IgP4SMJZ>*gvi!!ojsSbDy5bWNmE0PURJgtCCBp8 
zM^$7a=Q=Q5basslppsf}6;sR&hNlb`=QT@(w=`rl-dpRiLT7V&9GM}dfUIZlV0iMV zZ}91R;vC#BX#_F%i{E;x8)=3r`YGT%7zLdQ5pDftQ32C=iBq~KhUBjZT35z8PkApx z@iPtb_xsHrYU}WL=gb#uyNRZtT6armC6yG`hYY7@%%iK<{4kk=_a(>fjs44S6>7@9 zy=M?|o^emWmC@mS!FZZM^Km=xJ{Caoyia}BgxHY202{~kz}azr^T6lKRweIyDP_jd zk+oc987_Z#ZVD;-Y;>pR(sbIy1D*QQ4{|o1+=b$@*Cu!KZIKVN@8F`ifjG%>K9T(8 zlR+P0YA_|pUD~ZOWj8$ ztnm7++If|+vAmr}pXBaJ+Qo3jT_aT0T0N)V9CtAY74d8xd=C<@KI$JI9V%@5$aZqW@X1rzQNo`F2w=bK9%*7QPO? z;L$%q>7t$rspb=8K%B?DBkpqCA1IGYnQC+7JANw6+*4I!)$FSP!_hwOn+cYz?f0@y z?^-z&x=tf-Hc|g`Ufr45H#!VQs(bT}`uZ}oIk&etrHky?*vez6Szc*?V5faKiIDFP zqvMlwp?IklaKX?-?*!_xs62~OjA%@Km4>4#F6_~by!Krx@u5n5h8HOJ4?lK&)_un3 zY1qqX$_Lrq_Gd$rmR0wK)1X;8hOYQN)RKL9g+=IYcWK^Nl{m_4`%Wo-5blcIh%HD5 zwRVY)*^J)xGgdd7-zV9hZ=?@$_Fk(WcMSOCY{rir07(VOqb@!{B~TC(&sDR6`6?9P z$$Z9VlOHhQOi}VK^8Cz!J?0-Q?!PB1e~^wyt*G=%SKi+;D`9Opdww*ulTP1%U^c_- zM6!AQ=FN63HzS)rJJJm?l^?qp?PL|A2-(wDwlp1}7jihJa!+N? zIH(zrk*XxqyPdN;R^>{vwgMYV-}#$^2t}uuuj__X&Tfp`6t9xAk?mc-Mnv2v8f|(U z*VAKEXjiJF%yHepfTeBR-5nE1N$ip|hGk zmJgZ<(Ccy8TFWG<+=-6us)*|@-1JoV;tu=GD9JutRBLelR1FTMt(+n+eE zn!Mo!YgvNT)14pf4!baZUxT_u+J4}?!tIIAIk!0D3HgUL^ACfJlJ1G zNlzDtkS=6*9vJ;YT`OzFQ>tvAxGPpJuJM$~pQ?Hu4ZeJb@W1Ady3i)lbIr@I?CncB zp9#y;#Z~;FGo0eHFO>2rv@YH)AH6j$`FJKrqk4pg3f&Sh{3=U`>#p_qn_?uNNaGfA z4CnA*+@3oDt_@CKM{yOSk0hEt)g-8+e0{$()C3fBaDdrbS(VBi55yI{nRm~|r!|TJ zZO>fge6BfHCKP_SemF^$J7S`=`_q@#t;2HJvjR*h<-6LgCNWnMj2cP?`2_LZxc z#~(-3-=IL4757PdWyW%sn=?Mu(|&#{vJb?9hFpNLwvK=Z0=kdWj+lHl?-6qZkpo&6 z+e;WqhKg2)N>6@w?c$3>37RUW8-CWpoxM;d`sNlls%4+VDwhpxSh6RI;kr`gI zKf?{Y_7Ih3YbvXH%v2vb3YE%n+DJ`g)))3KHV$;2tml3jk_}X z%;b7B14ZI_A9T(5(rzCeEq>P#CqLm>>z-|<|0u=~tTq_s>eJ9zFQQRapLhO)x?&7a zT3)T#Gtdfx@z1aCQlmfQo|hl);qyNDW~?v2ImbMgF>$8tprC2yOcvdt$pLW@+dpzI z>jejEs_>U>X^vr|7O*v5NZ(A}}b5=42Oq# zaH-nfGiM(1gr3L}RApCuRqEs4G4|M)OLHVZuE=t_gTicD!Ou2b%EXnP-0;(y>|-Cv zl&7Mmpw(7`uSY?WqbL#hhw~EQmn3vWwtQaaV_KXycBL=2Ky=O+P~h_R1rIIwkJ18@!WnD%t~1EyiEhcvK^4 
zI2AG;r*z8~k-y#KI-dRFw3(#I@I;ikx%=>uz?sNo=a$@|wVk3^xkU%$(?bnwa>YC?{n|teegw1=0E>3#`wzkEr~sWA++xl&+JA_0Y<3{W`Tmza2|AFU{#8JYc`H zKD!|=zgsGH{LK4$efOS9wk^ckvysf6yO%mf@mG$_xTewP`X+?}8kmutk!UrZlfc6) z@xl6@A{_uh-mv|6X$U|^%ms3KGW8tH*23$H9J^zf6)jYs_QbZueQ;M-YS*M-X99X5%F^EA#$&OJF+T9}BxB?k?46yp?{f^-q9SHih7DKim9f^9{I%T5-0yP( z;|vg6r*&EH-?L!5m2;mUXppeSH?*Me7QQxH1rVv@OPj{S6}|U9x`wkkgQQ43T(|TS zyjFm(@{9fSV#n_T78|P3KhW=QS~QCm#**dAbnHEd;cw9l8JpIfjl>zV?X;EzJOpe7 zNufI%x={9iBCF=_bqdp5$ZPD|Z$I_LKLN8y3%h!P(Q`LyF4ISZ9&-#<;oF5wgewx5 z@FYj$g!zQ7g)&#Ms3(RETfSaPW1$%`9CC+Fc&EvEXp`y^(rI@DO*hg&DvWlMJbhjv z5q9QgBWMKQy*%;e4{@U8m#{XW1Wch|nh_Zh)X5(OxevZeixMY>>J^zE5ssbq)9qGW ztjzz&jMWxcE`QY=BQz~dS0q{d*%%-uCBGVsg*?H46?xL}n=x1AAp3Stjxuiu+RVl$ zOQS##Rf(4qJi0`o&TK$E=PwfmkVdMSe(y%gqnC!bfe5DENLC~uKDBowvmit5>z?}H zA1{DuJoHOMQFx9YayeW05)vISa(1PT&S2{}MD5mU-^5~lRf7Y@t)S5E?;VDJh!7E! z8jS!R5vqrO1VGG@`Os>DM>b3c9$+fu%=3ZPOkF=I-Rg^4eYre<%*k&4YjpqNgXs~T zi69xje#YI8y*2IqGAxW9TP&$^QTlmJmqI}^kr zP|Ls=xa<1*nwwJM%KUMiTCc2lV{*1TL6xT_(1al-BLQ=U=f zOeL{+S2AUvVm%($_b4W!&^8Zm9_0Lbks{sGHv z>`3biyQlth^lL=WHr-c6T)=zSHjsAIDU^*PnJX9qXxcaZpDuo%Kl#owz(bCFjR~;X z`9m`^OeAWJGC-yXMi_dEIn-`#5O|b%LVY2o^;%h-+svGya`L4MAYG3R`%d6!@emJoJ=Qw%fhB=!TjQM6XF1V z#~ylkfBm|ooowJiftkhl=aoGnoUkBmh)Ac*Q33ayqlxx6LHO4@(l(Z-`p2|nsZObq zO{0Dgvy2~I9uwIW?_K5Pmm+xBmhZnaecC7xHN`nDcxE<^B*tBwClqeiG<({q&eck@ z1YqL}sUoWz9ru$SJXOCozm+QXCadz>iiw@-Sco`~3%TK$!-Py1QgG}hX1rq-768`~ z)v=!5QHHzy`_W$}8Z!r_K)yC#>iGgX2JbE~paSU;UZ4om`KgUmqH5K(zDN4&iJuJ% zxQnrgn~oB*rTdRD7|qgFOwBBbO!J-`{oXubTW5VXGuc%f@5L)Pn*Qh4iv#+g#UHUO zM)e1ss`1EuqAWywWwXz6>O+;);f3lbmDfYR*G;Q^jW`ZXjSrMIc`=s_c-^oBsfIsH z1{RSSpd#yM2P62JKAbbZ=?;sUN^)oS8AnS4W^qQK{g!)N`UBDw3BnAR5gJz@|Sz%+c?e$TM8{vbNV1ozlOG$bi~zqxXX{gGBu(!m6s|Gk&3=(XI+C7=BNj> z4_P%2-|{5d#KSxNx;XY1Qub?=@A|uNtxXTerj9NpUa-47q-TWb+Czrp+{rmC4^ z{kc9>Sv}#MPA3}JHiFj7@=TNR0&QiR8!={}h8j3cv7Ru%ryE}M221c@4EFkLnHt#O zB6Spn7eC!@JvW-h%lh?b{*o#wdRQtrjdIQiRPL}aX?6QH#FGIb(`}*7_Iy8O)(5nB zAPTyh>)|LBqbbzAzDT>r)lH>}R7ckwY7h#zvoWuS0~bSFx16IIe?V&zb4fVzdgNH# 
zg$|4V2J6El4Z`+O#=gkoSDjdH8rdqU;<%mj2MIV_j=U%P&C@}l@T|C17A#FHfB>9o zNugDZrcUs5m9_Ikk|HuG912A9W_Yud6Q!1I0bSqo4S)F{!&H{&PN(ErU%uR%y~gP2 z`M&Lw)AhYX{_sV{2dojSml~ju*0)PA8%lnm=WbXkfG;1Oh zGy=Ixgeu7fCDPGbUVX3fWr~xgG!f+g{;jUO0zGO8gf)H>*J=9kq&rGLC?`7DQ5`&z zRs@t)nC7Kho2O_mHE#A9%+Ry1M|-~~&zR|9PP4Dix1!U^X2nVDB}&`4KVGNFa%Y%b zVTG)uv^zzmaCFhCM82ubn=Ojux!=iX!{$C^%6}%`M4~01NIEPEhkstbiToPjR(*4K zM0t)4=JcM&6ON0w=Z~-FsJ9x=Wy#uQhdJRg$2ix{=@?BK2_FJ^|GBA&9OK2=#HzWP z(5c(Gq~sKT65gaZg#E;oav%IBcqaiR3lHzdL5^RjL=iX{&=bHl-yMsPs^EOTwEu(- z7D(9R?9{gj9t@<-v~J-;dBF!wX-@odn(RaB#raSlZqab=@jQ|J3_Mr=@`Y8%p8n}BM4`AvCVyPzJ+FaWT*!3eY|%)4<2<04>uMct$?xIhAB<&abH8K70o{ z^#U)wFY2z+gx1orE!-G>OenBG_Yi%++HZejf4gt*BIRd$c%a)65i|p1HNqkrQk@@! z@wMsaTjTj-X~s7s7;_luFheLQhFBq+B%r{@ZyajnVEs>NP_>{ppXk7tX9B*<$6=kc zKQLXGZeQ#zD)Q?@a}PkHOt5<;fx0s0(|aB=s;zS8so{?SE@XB{$Hb9EOLqOkGw13q z@=T;1P-a?PHWs?5MK|3>yA{^NXffhB$Y0rSDW^v5nLjoLheL|x0#U{gfM+ENULUZ; z2S;MO2zNV0KSwcRAz8|NDWq!gA<$yfbW+8oYC{-|)q-ym!<~A|J_LTkOGJ3R@dy*g zJAuDYAqFX%fr7u6m3iJ*emUV(d?M}b@Z7(abPe~!$KPsx{Clh~;YiBX{^ zfYOfFJc?$+wffb7d2tMx4*HC@L37#sV+e=`QGz|c7dU+{iS3*OwUk}V`reY?pT1DD zylcI(;IetUJ)H4J(v4e}CCn*(K))_6C~uT7fb$e;-W!%bwFb(X>RUrNrS6T#(*M-h zIzGf3+JHcq;@tj^TK30#utf`#X$o8k(^EK~dIcCa<2T$tBFXF{a31BH__SJ^*fV zmC6jzp!s7yPJZll1+t0^+%P8K@Uud}Rql%IlU!`p5k{H_YNIRi%mnWYClckieTwMZ z+rvhNZCfh&zzqk)8Bp?|ux6Dgxp!(Pi0jklb0a&D58QZ|pP$ZvhWCKw>-DCN{aFkE z5oZ%m2cWi48)-BD&M*7eJA3l)e3v4<{cy*axwU4wt5%7rDu#aQ6?CqXjdmDwpg}cn^cDHRD3Vx1GC`v8!QGZk7 zJbv_MbSK1E6J-fG9ay*Wo;1+konL3bHd<}r#E6&sA3ck z6BOEQ4WcUtauP3Y$AIjo+$xeqcbjfHRQ|Dd!49>?sDQn@^=_(G8ozf_2&snlw}omy zH~MKdHJ83sV|(77V%Bn=zAsbnbU3q7MTlw#JCMy?ES&^*l4q*^QkU8<6*@Z)2Q3Cz z=yxq`8(=4wXdZgsM2LbON4MCT+x>y7df!t@d;=L^s)}CcQ9}3Jg$zAgIM-TxEZl9R zn}e!SZjJEmwj>_GXH zA_&d;sc6I*;H5Y7%i*MJ{zi%1r&m| zwP|cz?;8%hwtWw=0}q@qJzf!m2mpr}KwWE)osDnHwsT`-&SHOvKrUfag@hTPb{d{JKNFJH?igDF%Dh_gdE6gCM0hWCwQ}gi#y^tN3QQz(R z-9J(o!JCwGlQRhq1Ub@q3IGAa#*$y`8PLl0WG274;noDMYUOy|I$v|3`%z~!b;J8| zf&Q(ccz4;5ya0tP0dl0C0;RTLH*TJqBoMhc(M1b2LmZXkv3Iz3jpS2>*~-2|6Mg-; 
zfJX6Tk|Yf<11M5`0)N$0K(W!_XOLG~MfaN#9)z%%cnhiNqrA-u%vb_KV%R6l1!cJ-wA zj`Paz)-xeC$r8J>-mS8|C{J(8$2s_X%4;s$Gy!Gvr?Q{r7yH?7s@q?=Z@5%}xc=FN z17S~re3!BZ40%K*=2z8UQ*AJlSv_{sOTM^WtTgu6}&#j;_V{`jF*uAQ$k{;dk8pbP7>56SpG_G z54Mi>Lq;<5NuiArfUSa-^k7AgTBx$#8)TRKxiO$4VW{~!fyS=+-@fXLWQ z3N7=!FS9UX|`TlA|=h9&)w~IDoaHQ~r--8O=eeK{k=k*F4AbLU<}zupX)t0I^LOdD&u|^TPSVuPmgUC^??Tt?Kl$ z_ZdH4(RqlUi5>F-(0|^abo(4BkmAwC5Anw@{91th^&sciH5*UN`KtY0B>oQ{6rsrn zJXS)sA1=)4M&d|7F+-+8x;Blk0a|pNe>NQ0-Z6SOa=|kFwSU}N(o0v1Qz6A90g6Df zP%6Z4s^N_#J;YHRN#$q!w_L{ACx@~w0Ty7r^-wW$U@F))0$Kids?+cP%L(yZJv5T^ zcgDVT;`lvT{6CQ#e>{J;Q}Q(5#go~)zyyg6K> zZwn79AutDjuJMkyX%l|BNKSaAz~1RrSFU|*pb^q z#w!xzkUXw!L`#|=ZN257V*)#%oklfDbn z&X`daD$G=VWPw+XWaf;VccEe6RE|u0BDU;z-!&YX2i?{TUYPZ_>B==TMA#~vYK${g zE#ilUcg@*7>kSqI3UXV$9;d6od>Cl{!<_1n38#0|Ej^|4I)|X!o0~@K*>GqL*NZ>+zXsFzyqb$-mWgZ zZS}nSVm*hf&qLk{C^Si zl-$KfKF4a8rpbyVDt?g?UKnNi*QBI6!nd#dQ9bY-68HoNoZ@>dcszF5?jPugo&7(c#eW~$ z6dSQ`b3zqox8R$U+43|J9cY3KH;D-8F9<~mD!VL>@e2A_X z0%_WRxfIFtA@daZqApSK9Z1FVyHkhNM4LLu)4#I19#$#s!()io# z4twf&!|`Co^B-mcNZwtat^qVAv6=!;;vhvBG3<-^ivBH{;O)8=HW)qyUJV_&Hs6=) z;VCk`8h*R2kfZ_=XTI=Ll$A}O-Vi8z*ik^)RWGZN^3M^lnttWmBabf!zy4P_I11Qd z2{_Q=U5v0cfT-JR&Qi2LIJu^Z*czHyRXk{pM$;L5Ql7+R)cARm)zZMIf2uYofHrUi z?0RWmwZ9i`)zLGZUU(ok3?FwfT?SXXr35tmQS$&9-W;c%7!MJk6#VEY1-xYnyEPFR zuwTm882-}o)>5#Q*^{d_uIp^D;dQr6YdiRCX5t_R*Af0Km7F*lzEWvMv!qQP&Xl#- ze}ql-Q^R)0{g{C}jkt8bg<*cShK1iQ852czYdyFEyfj`Q$~hvT&fV(xzirSw&~-Ar z@wBj&PX%EW<6-5>ton7T!S%t*WCpGg9Q?Pq{+;dBS=g@biEqL6uOn?lPxo=;Wj-*O)`MzS{b1QEv&x_5{Tl2pn&BHK z=7Y+Nzn97!AMxJO4(t@${v{*4yEzSo&l>U_tH?KLQj;O6&Ki%$ihxXox6k~yu7hrW zYkb=H_9sdR6vzjOY1-GhwD83TVP`wAY0JlmBj-jE2{{KEQ|xCgooh1IPE+R5z}L$` z;XAeTe#A54bhNCirJ9l!@1~CdxFCskqvhY*X_`$Ugo+yCBz9h%u67-S6GA8U+inDs z5a-lh+t?N)6Rstm6(^Wq8E?eLuKACD=g<+}K3HQUuz>qpO#fRF<)Dp&gC(c~nvV&g zulyR&HRA*eR3;J0W;Z5xZP;Y z6eED*`AYsB0H#=n{`USWalNl)gf+(l<}1>)gE%{ylH46t1f{l4k)YJ;RMCd>+|EzY z2yiQvmQE(_S;$}E*15ZbR%xSGldyPa)CxQTg;n<>oGhBia`?!QRcxrP 
zrfX?o&2=2ZEn~g%9x@{WXtpRJ*{FW~H;Om|=k|f<7aLE1{cqXxct{W8_HM7nf!l0e4W0} zd+2!7=WX?y@jV}xza6VVfEP2m+E+$mdIeI9-frs8Mrs#4LmUCB+Z;LW*$n%#0P|<( z3U)^Gg#kb0@pkUTo#V!>SSm4HpkK)+%$HMznkkT%q&~!~EaT{sX_NJA2aDwN0mY#+ zM!ul|X8ai8e=;hSX)#p2^WFOX%*_jv(%v`55mnKB(fg0JhIsK!*+#(<-?;O)q6(BC-+DAG@Fhsa_s?|y1@xeyDij0S{>HPSp=Qr$ z$&g(%*V|CWks-;34>-@^(G{bxVR4LwvY3<{-Noegn^jL|4}okaO7q8QF@?R7oY?>UXlF1G2b`+ODH~e zmgOe++EEGta-6#<)+6?5_&f!2uJnU~lroc!Xl))=o>R2(t&gb?Z%AUl2cF;I^Ei6hlzc$2{Y*w|QN z#n|1?d0E6`M?O2MOZ4i1C=qU`>Nr!#3y-4 zDSEKMnJM9z-=vI`W47-Fnf-x>n5mKtA={6fYc=l!r1DlrFH(o5yN4CdwuGN^TMYDb z#t(H2HxFMahHrAmLo4hJEnwq$-`BI;d$z_-4;!KEG{OZaPr0kKM8KhPy8ihODwdfX z@2bNiAiptQl<_!5Kt>$M8bcj*e6R4i(fgm=_@`$7llSS2-4@oS79Sr!t-YE%NxqDO z4;kpgB*rP|_!9?(zb%ssj^AJ4DuAAd5Sv12$pj5&f8;qwb2Zs-OAAdzGc*Pj6C@6{ z+19-U5>D@Ezc-m2Ud^9|+Y&*m*e%+2PACtXkGGhrww%1zHupRR>j?vW*pQ1sDlV-R zOy1as#Z6n$GbV?iv%v3zCv(a5KUvmM&vc{C8?p?6Xf=BB;u3P%PxpV|EsM#KRc2Xr zf}4eo#jTIYWj=|-gczAq+zc8&?HL*3^OIhE5^;F`O{Cdv9}PT1i}aY~UeosEzsCd-JsiIIDDVDJA87NT z`THVc!-;(2(Ao`2rv~eT@z{>A?9ztHoF8FY&_TfqTY?eHZPh(f1&D#8t$Alk$xo9Q z#-DMkin3W1RlZokkKOx4eqYdxw7;3t71l7pq)07YokVmYHY6EROxg6TROyG|-i+qP zHrQ{t!1?>C~AyE)M(K-z>NLn8u=^6iSVFC-r|0~GVdJ*@o7?I?(o!KAuf20*>`q! 
zYASX}fd&1m=CQJh0CgMlTiK>Gwwq-q`%_#n%q$)frN1>OMYoTnT4x~4!nAa7T#18G zm-z#P67?hFo-9sbbd-RMRRmy`h_?4Fn33(R-?}FVzPwk98=-FR5N-%{AI@@6I{X$JNWpZ%s~Ej!_JQxTEMS) zr$7G>Lz;iKB;wc&$bD7UUGDSaffn;%C%098q2X*Rf`;|ZCLhp2qZTmd_N{m7^dMUA z>2b6An)3|OWp35!P1uuHc#oB&4%Et3+WTbp;!d6^W9D0V50=G>7B0FxvSqWTMRFwU zFyb_Q(1oyi52D>JD} z;S>O^BzBRPZt!=zu2w~jk-;F4elyh4)*yJYt_?tvxt__X*Jp@ec8{`~9A_f$gg?7# ze0{_Wew{ey%(3b)_R1xKaQ8v;8?5n&2H<)d3g9aCyD3jaq_UEPr95VvOJ$`zaH+3H zQs$xkPZn?@XIFwa69+#Ws?RbW-zCG>fBchlBiVE?uW0-$koo1jxih&Fwq%I4Uo_ah z@>4JtbG6OE&^Y*XijmvksnhD?Ujz5qbsr|3EGNrO2tB{hKT-8KJzK&Y>CS{d$ySUe z9J{%7wC64q(g#q)b`Jlv1>-p@N&LN!O*ilo$NPLaz3{Ooy8h}{yC7OoPtDDbng29e zjg75|vC{QVkt6Gcz9SgHlL8rUx8J0ePQjrk4d|~XKD~DyT*fK7UeXjv3rDy7 z2s=hJE{EipU(lVH=aUwfKT6y`w?7O1jy$GTDDj_dUWvR+GxC#vdP5kX5r?qH$LiORU4#U8JF;!2J&(Jd&T5z~?W)zWAbFf|r zTHuXvTw7-adv>h60dFRLU7N2DANK#Xa(usE7GZ)7kUED;TFiiP)x7BToEWehE1JYC z#$uM0XN-|{!|}tp!HU#wQr52*qjMi?W2@>un+oR8AWgT$yi~aWHi=W=*Kz%6fT6CY*aPW3IU34EZ<*p8Josb1s`sJ(Z$-*yF zPfz1OnPOX-Ocmd^p~u=Q3;BA(3?y*MJkt~1F-u^%dsh6x23y0uKihJ5xZ%eyR%g#+ zm`*1v#!gdb7n~*Gye|FkYitlXWL>iuKzb^s8{aKKqjZxuM&srPaW#g>(ju zk7#t++L&vpPR~x}0;4jFHeBjL7hX>Vi_fGQd zAWy2HGJmUr^pUywIEG3MMDj*9(BT+v9X=MnB*qZu^`SE-pSbW$WIZn8ULAK|2{(Iu zP>_rqxOyiQ*?By(Sn1#Kdl`tmMsQc=KvFhK*NGKv9o+52LFqHhES!x)>DMzufbjoi z`;wLVW{6jWf|qhL#nh3uLxVmcRGmkA;-oSGRKNMk>OeCmc6KRob=KmV)>}{JY$+?Z zGFxnB)A=a(52CczMLIY`08jU2)sT|FIlpXBbgF)r!aDvyZ7i&{<^G}XJvw%(0`OLc z#$awP)UGwu%~+k0erYLZ@_U9e!Lgt4vFTU~eSh=ToR_)U4MM0M%awd<~w35a&^nGwlD1cA> zzu`ON zA5AnCrDP6kcal!Z8^=K2DV9NZ zxw;mjZ|0QJJ=-_pq~+3N`ErSYi>?f!oYQ_p%!#aFgC zXbOySJu|hr6yLm$HFFht|JIwSd6Cq&-sy?WUOB^FhRX~2yYr`*U5Ig}2ml)FR69b% zr+;u)F1HP;LN*y^_KWuy4?{KFVcz3Tt`iSpOtS8ZNm2GHpv@*&Zje@$_~KQ!PNL^Y|cZb`m3gX1A^YZZ45W(b~z&wyynXKV8aBs z$oYxXZcRJ;6_yJj?#gF~d_PwI0Qg6c{rSnND`4GENWB%s6L(?M`oxXDn`!~LN)M5_ zTc7X4)6gEhnDky^n|ALvVUkMPQ*7?4E^j$U@OQEzjiEwX?Q1vbqsUdv+*?!0(MK{t zOt_v%xyUgo%(++-=%DqT5G`jENdvheFN8~LYNoF6*&Xv$DDHGN+_ab$SIkC1WbKoa 
zjS+~FRSWhhRLD4~c#{kWn0F2xKS6=4Eh4RgknzcR~w2AT>iA3Le(DhupevZr3v+lbeZcx|yK;a&Fpu`RoItQpQdQUL4ZP@Qlr`?=R zJ_etToLtd$iSVcbo#WIOq4klA(*U74>))68cI2nRG6BF0gwzxocL4~c^V5GvC^{b# zNhmhpw;{z1qxQH#WaQ~-1GO4({rsIhHk7I40>kTR^U;nWZe3cifwbvNK#seB#W`lQ z_tZB3b(QW^?8?dwJxSau^;?k7uej-=KaCo>*wkk?IlGm%H*6=~H3k>BfEi*DwX4aM zA2WU_{?2(hsEP|!mOpv;?i7<-m>5t__-&IhQo>AD%0*PGCplEh<>JZewWGaNJ!+bW zBf>P6fP}(QsHFE zNjJdsjF+FnXGQsBqQDPxq9P*LqBrXi4rFBNA8~H>AGx#Cb?baTzNqti&D7tW){fRc zGGH=p=4-{(@wMrdu)i3UyenJeHzx<1@ufga%m3K?L|q|&LBvl0ljtLEU+6QJ_`tg^ z6nIa*lo5$VC>W;FP2QXcK=Z0TrZ+A>r2-tSu%EvWwcPkBHv4+Ew3 zUSxaC`(Vos)-Q#>l?NScn$Yj4Usir{tjb{54k8b2^FCJja`ECWNHTOu9k*hYDvS1E5*{gK9J@MB z@R0~L7AU$FNL|7CM6ijZcK-eac3fl|KoQrCxU=|3!r| z6nSY3v1TT+SmCbfNdh_V=l@3fus+AX1Pg7Sc zZo6?1PT(3DdH;1NHe}Ya@^0^$MXB>u7^|}5FPeK^ z6jf*QkL}+aG8RJ+p|dr~45a=`rRgL_DXi+Wd>&V$L&8d2UaEN=8`YL#r(rX^*WZp4 zNXazwa+$%m)i;@qukKMA=PpO|A>AHueq1T1$@x80&f78bh4r0j$#K_=6d_^Drpf7f zdJWDKzK4>b%EoOp)U~iOPD#NYUfE}$%Da^H%|tQe7O}I;Ls4(?UHQTqK@jJ>`K>OV z%iS46k9w5}Hyxg421VG5-a7r}Z9j1HOK^aK%bI!yGTu~Fro02RWu7Nj8O;I9^}XCI z)I2I_M);%asq5DA2lPp`TPxRH>tYH-3GWn({wMxBu#%TH*0G4^?}&J&n-!z=6@08* zG^B0rX^=nR>zYqmXX4%Sn#j6A3PuAFsxdxoXU{AQcMeo z?gaI)HA_x5HQ+{lCdFlf?}LO*yUA-Kpo$=5MA~?{T2CM%UHtM4NmWbmr^zL-#Y(pQ z_|GNCmpgT#ASNq?9wU(lh7xg#=LBV}I~$|5;Izq@uQrP#>b?wU2u{~|YM&s8eO5v;$W^ak9QN?J!U6ITE5R|Jy zAHjw9xu(*R)AMxrcFxTAn)V{$%l#EA{GZJEpWgjS?|N+X!=N-Y?T6*!_0!}|x?MJf z6xzgiy#qT-ngvx1hyAk{z$&g67hv4F>w9>%VF-V-Bh0jSLxUPr(Y4d-lzM`bcCNSH zF{h?N>>V3)kdZT0B0w-=%4K1f3Kp0(W{Zszc zSH3Ev<*!q(Ow#==@(em=u#`_DJ0r@*uZ;ij?o=E%){ghu2Td{lBpfOlHdVS0fxS{r zwTDm2igAEU%wIZE+9v7YJ5i?Ccouklg~7o`YRp; zwG5aV3)($Ceo@iP(tv(_Znn~IdyG~E3EwOtPmeId?}hY19(e=YNl<>QMZ9!BenJ(Un&SYC}pfr{J44QRe-^9 zAn%Efyrk(%2&P~rbo0h6@sph6VBRenP+rahhUcA#KL@!1+g{YiC&dnIWVDSZVJrwH zYrrT%Qvs|Fjc64oW#~Q#v!I>iRo~yrnHw}26P6G{{Ep>nwzhx-|N5^VVc{lkNZqli zNl$Nl>Aj>MRc~iTVyHp6=zKOM`Tkr`lQl<*_GQSG^3~7NEnW)MMqUhoJULRE^(iMu z!HA;@el9EQlbQ@cI+s=L4bB~G7$5M5t}$b-%vAgE2f<7Y|K;Z(2hOe7y(GRL2ywes 
zhSYB<{AM_EOhLW~m%vcM81Me3VqpOBDMPWW5J+i9bC>x&8N#Z}fB1y&cfw6Vl(G42 z_u@j(fM<$-<6dwx(wXnqszw=qZ)T5!dN!M+=@4HyZr$OHo9<1&$6+fpH$!fOCAup5O1_}oVc}9h zo8T=_noDMK81v*TYODM;qvaei$r~@T7`k2&i)pJc`=cxr-Hqbwq_=49)_--kh{V)h z8PVcj3rl)*X^W4$8}G(Sh+k}>8K#c)r|tdawmVuQXU4g`nCG!C>Ykc zT_z1#x<1D2&aNI~{JSr5E506X|7(_R$uDWlM|f3LnIpOdp-K)Ktjv1Nsr>O|^TzG^ zOCakMtDT$EBqEQ%DVL=439BmOWeIqo9H=y-w%E5fMM2OD`^n1W=|}M)5L#iYQK1cT zYT^~9M==|vnpy%pqaLHn9`5Hs)}Oq3OQcUj$aYFudfjxT3XBYy$clp&=p)y)ioDD@!NL|KviXm~?|uD%NsD7FsOO#udwXH> zYT9C9L-*0j{kY4&TWwd{mIz@CR<9N)!O;xF0)DMUo1Cv6@#Ly$6k%u*p{%Q)nqI>A ze>xh|xCeNs`gX>RNtNS*HHbh5Oj3;HQ+^$Xrr=SdZ#wVCK>|snH%sn}<$yJB3{qu( z*W5r;!dMi080phN3fD7Z8i)dJvqASSItZowsR(K=Z1P-o_S~V2;4F zE2!7xzM0(8zJ^u1-H{^oEma6&ODY-jXwbI#4f*gJ&*C!R_DirSVG|EU|JY3QZfqJu z!Ac_qQ`N_+yTk0K=Q|i7otTjtUl-=O;WH3)b&IedNb>NGF^H)V)?uvUhYEgkmqOxE ze39v+)Nk(?DdPp&vX#-;;u=GVsppxJ`_sM=_vAVXNghaoy&p_}6woXQ)4@r$MrRn{ z1Fr4RrrhQ+G3-;GHHdaAORtMfs6P2qr;`tg`HQ9dZLRW}M_hU@Yhd5Kr@DR9UlJhS zZ(g}oyXZMyy2 `pOsM(zFKUj#$4qsKC`##%mjB0fpJd#}KEapq=N>pH2T#T-`+HG`y5t4YbQ~gI?l*%X8%qm(2}y@H zuXolx-Osti17Stp;|ajs5^#LkmO#fxY&dl zJN3Gv(d8;c>OgE6vG~nE<*g6togaVE2D-jEv3o_g1K25#P_LGWfBR8cI8!Ub(5j?854jOaCV7wotc0h!mleBDL zDuzKlxJls`J@cM-TzjsAv>Q);Qm2np`0vhU%!|k1XLYm#9eO_}01REXkrr*Q=Y48S zvUsA}rX{qHFIqW7!>hPSs;G0Iu}$>Ui+y3KS5}QiWW)$109s}VE+po^{SNp=k4vQS z-4+e*G|I_wio_^jE)qCy7%~Zq54NV=sW~sa&fUnfWKj;W7!rBCWMLlR%0F{i<&t=h zOBUv0S69KRC@8Z9;e$#$xAD|EX5w0~nvHPOZ~HKmXo2j=iv4uQ<+k)Y2EuBKg$1tV zmBsvr@agSfE^NBsf;5ay%^|e@PlfJ&{JqYak)?JxX%yF?E za&yI%9J%D}xj|Ky5f}fhM;(l+zf3t)%z&XM_2!k{Bu15|G)K90n+{JE<5}b@IUvgmjd>L;;vnW!^@PfT6o4oq%F=CAIMqdhg^#y+0RA0Sks904@PRd0+HV z`1M@7n9%^;NWV=cM3p|FFZx&^t=bz0U>gbMZ+Qiy*&qQAvC!+Z(W;^%G*|TpkBHy< zD0ql{F?X+~{9>LN6nq>^M&6Y`Q)I~i(pLh}BR?P*h@R3Ye+c1XGcZQTPBD@qtlG13 zK3UgwFkNELw~l=vIjyh6vgTa!^1C8yMCiMi<2Upoc9%ejR<)lQkQ_#k*J50p4hc#O zRV~~`ES%Rp?rmF(aST#$&jlbH{RncDh`TEU3F=Fk5yaM&EDuO_UQNVa3=o;FA4^a< zvq_d_%+;&R@s{=?ES_}*j2^^h)4H89o?x|Ascdxo_wV|UDHCs4tvIYB09X2ZfHde)~)^^{Sjppl~H^SyfKvHkjc 
zW+SU$SlRgY_`+obz^ud!SNNK*6#f1bR}YQofHKwGlK_H~gXdHr(seXLoHoy8Uj z>QVa#MiImP2bNl+6qCOtpz900;FCVnGc8Lk`@Uy}q-s+TYXV_rM25BnP^*Ev6La)H zku3s57N{$Eh2L&G(?3q9zcOcy)>72s9}>C@(%(6nH%BD}7T&X>0WDi~4+Z2kPZRCC ztGC=FN>cMrkYYYxpgiZTfV!Xr^E4BKgkMN{AgX|C z*)G(t+(F-;3tRT;uCln%UK?)cjbjK*z+KonR3lIgP5-A zj+&7BvpUuAhziTU0Ga*^7 zpZ1Df{eyiKS>!$@3U1ZmWGe~={N6ud?THaYMOoHAyP9?dp~^ns%U!G9ll0i@QOS9q zZs#Z*yh$6yc^|EH_Ocvp!;BJS-)Xk>unzjY87lhjma~GBj=iZGCK()VSkMa^vq7(@ z;~w;Zh&;3@8MSUCl65$OH&xpzkwUB9+=?CaRfww~tuZkqQE)G*ZHl(fP1qy@LPE^( zusVI*8`SdC_yBmfz-zqUKtipa-7KHs>f<6`+MPc?d-JTE0EF?JJv;F6IXkLrXxtF0 zSiU>p3)yl!Jxd(ALgdXGKubRIpzqDINl~wFcE>zES4n^OS)0s!LT_&M`5I(N`l`P` zRZa2NICNBIPam%DPOY3Z|I916j3`Obm7V-n8E07!MmEcB8j@m~AV!0Utnsvdzuu(V zt13~kJ26Tbfl)0l>@S6LF!T{wGRx8R7Mt#I{2prpozw~FnsQ%vZ<2W2@(Y-$ z>3^YpJ7&kU#Q*IQXmc(-ddx=zFnTy|dk+<#iJMUOWkT6AyIX^YH?O*WmiH5a5`o-4 zo28FBUkd#xQ$g<1c_am}f;9>oMpoM$vFn@4CMv(@UOeXth%ahtnbH~MJddJwj5^Xj>Nq>AM8{F)5fOsO^IRO?Wvt)}BObp` z<+|LBdmt?euhHH>J(BgE3@jz{ixo|U>JmeF-rH@JjJ9FDiH5hHPj9;!xg=m*Wh%^M z$sdAI6uQlYpe7>zK61oMro@_OdrGX=M{2@#{=!>cmUz4sd*5kh^@QgtKR+;Bv89|m z{9xIw^ zfr=3bi(Cu@Qm#Dap%dM#%TQ10{ee5qX>X0*KggP$!B$#j&DlUf!c^>J@wWs}HL#_< z=3C5?B>+D7m_FbcB|rqD=?N}mnjr)AIBCJp~kT1hgD_6*! 
zoD{@RN10X1IssZ(P zAPPNysi-u?1&p_ci;lI9289o!?0xF|rn00U>m|c)sT}MSnC2vxPbWcETB4!zl>?Uj zW7YJa*N>X`SHeQOKdwLC)3}x-l3gwUp$%;sVf0=W|}ErqPv>iBYTS zUJU|JUdZ)Yq5-c|gNS;zgj=ssqx}^=@RXQ%=W4grT$-GOpt{}j&19bc#n^vG(-n5@ zqww0c-ic21-n-}}dJxgOt=H(iZbS=-7F|dPqSp|86P@Uy6GRZbch2%W@B90{GsZb% zoPYLT8L`%V-}9c=yykVyHK2tN8O_JraL6~IP3J^|<%U$9dp9W+a`3J?TIOaUat4n6`1KYG9T;hJ}3yyj_gCljML#&T_=Y5*@o2qE9x z1S(=Gnu+5R7T@vCBe2{y;WO;rs3dck8d2YAECFT(Vo_p8OYyYyMz{-pWH1OD$_jR$ z030|#yjtURl48Y(O^g2YSNwE&G{I=kmt=ca^oM8qdLepp@yn5q{0win}H(S50!jU zE8Lg(m4FFJH6~oPH@G&QyIYZs^TUd$(Mn%$bMrv$O|slym1QM6Pa74(8_ZFX6B7o6 z{BYK8+SX-6aPpgt#KX@Nv~1DLlbNP(B~zgpsV5!3ll3)Mw#KY2+pG^(2fc*Jmg>ZR zA77+Qx`mI7xu4b>dLW(1X<_NmL$&G?tFu`SW29Nmrt2G-WzrCJ1m{7yv z>TARPxgn%$EIp1J4j?1-SEJHGFYX&q6$L@a<>}|1#U<(OcEbyy{5H~9EBEEfa0!NA zq_sVqFmiw+5p|+-a6?mS{NrXWQ+kh|=!)*^i_y$o3HC?}E$}m8Ub%3JJ9RWl?NZ-T z8cG@wK4})7pTwIKA=I0-7@r903egZmnrTmcLzu%j4TSGE@5}RFsE;riiKH6NmZZVM*@}Cc zDzR|tyLbEKfGdE;iY30YGa{O|dX)C|eCJ?y`Fk;S-&c2q(cQb%Q0e@ekG{m@BN2EP zy`Cv7^ip)WP8m}P!{2tsN}QCq{dXe41B(uv3@X z_!nY&mDs($2GuFJO}-`sK)Kss_u7=&#k6^~mXqyGUM2&rX(0w&QaFIj_GKW762g~*~;+h{#90(Vy&9=Ly_H1?Ny>|&#ohtGZ%@yT1hA-`Rk5(!3+ zWhq}YDh0$x8T)CZU)>Op00&WY%uEbh87fjZ>M)21FLs9w*dAnlh2E zkMXXw5y_OZvUPIU8T{gJsVxyck5q+ILRu)gWsM}v3^o2A2ZlJK;dRukC>v=C@e-yR zmM?vhvcH*w72Z(GzNXc=zYyAD3tEE3ld9Pe(7oX$nk04P|^Grw#4-6OxB7R=b%fBrhyZikW zl>0&N1rqGx>ac@sB9yFb;{Lr)#=~Ee90~uyzEYv4YxZIPU||w&gEzj*M)Cfxt%QV$ zSWEP+6d(ntpH0j|or8cM%_r!O*aB)e$!gY}TA*l!FA(?w92fUzXhciJSw6=yKtWiG z^g^{*_+$ShFVrxS`Kw@AV@S>k!QLX(GyYaj*sec^*QiA~cVsM>j&;|e#Sc`1@NbtU zd@BznX`Y!JwO0p-7vv>T@7*I}H{`_1kH6Rw3sa!fDErKv>H`#!#gWx4O3X+fTVLQ{ zl5q?qA~&xw&ftln>_ZOmIOwZ9)3awgdS6 z6yn;Vac;+Dymj>~5}$BKXyYo~&>Ji)k+e($y)0Ja)w6{xyot}_XKRhT9f>W*^OGR! 
zXOhWa#4w1RS^xK%KkY4PcjW;TB{{4+g`p^5z?{@4K^z8)-ZTG=yH~+F=diYl(hnmB zI9nMA=ch@2`@=B+y+u1#L#6gVj_@E8^WVwA7;h{WCmg!hltepzix=-5@b6?>FxK}D zVCjL+J7lGdM*|4dDKIqqk)yNRcvb^yrU_(R?El<;B$M$X>HU+m&a1j2!lC%p_dDeI z(KKl$E$Z%>LKWY~aguQR?uYV3Z&V=e7iY|1d~xYTIGq>19&%7@o4H<4O?*8YkU`)i z`cjW^)onS)aLy`Mqy`D@Pe^phLWUnVnJl3X@N#s_Fnv=W*7?}%9rQ`{XnkSdIf0Z} zqc_E2Js3l*9-&7IoL`i59G!&&P_4uL!Ey#<7^!zP^Up3S%ig!JpUkdkm=@7 zkSppB;X<;gj7~f{wtcQ1*o7N=rPYP=b4B0w>+{I2TFxO^J>uzGPFj`ZXPOJLW^_PC z1oIH8>4pW8Di%<%jUT67my_(;Ie3DED5owtJ8YnQjZHQOhbMO_kK1{pJ`Y8G!O`+r zk3@d{K*(xeP%V!?Wp6KEZZ!`1^egL4*AzAxpUu+#KO@c|%V&R$UliA@^FC7B2mggy zBjf<5Q625|sOBqtABsdfq(bJ1rCrD-{{uj_*v7JDODVX&wgQokgvbrt7Y#c3DdKmr(e)Etg3EDf)gXOkoA-B((y|%*@-%-@;u)NIeeuMFZ z*I|M&4=3ISY%~;*)OEDZLTw*J-|FD`FL!7Cgp*_4#eQIt7yoM{1Mqt8vDIh3hSWha zk~Y8mH_kI9`_7SJ)TnXEw)FxIh(O3NGA4;TpFOh>g)$BwOu%*+F__A6G%PUsNw-Xo zb}Tt9Evn9LGzwX{YtftgY@yM$?|5T~&*RG`y!)l}9g)77KU0gX5+Hoh>FMAGW!>I2 zj$Wj>*6^Ri#rTu8%ZrWykf0VQ)~L=s*_M$GWP<0OL9p3@1Zldvxgbqp z(o`DO-uYGG{!?h?)AMND_$0^id=#i+Rogj5%l&FJO}@|Ge1@1eJML4l?n>#K-MX*( zRn*jezai$7b8~ZB(`BT36-JTopNjLRar5ydg(?2S;xqHQ`zf-5Tod@kZXlWIvQPTH z)1Ym+EpUBW-y8=Waeujv_e-DsZOHXPhkA3->~HV@(E*gl)YYPRIVvf1#V-g5vABt@o@TcPM44!5cQT zez$Xj?lBD!jqsYyL@+f%V4W9YmsukKY&-*{#-Iz^;c4PZdKh<`ocEd5bn*MISlwf} zykZKEnr zm3WlG*xTFN*n$L?+cQ-(R-^USsfSWXs>sdg$gfyGAvu4*mqCIfXKl43jm_6P{6M5k zpoaZeaA|p0G6=Rvwj0)O-PKj1eA3TXOi~}hYnFPuQJ7_)8ND7=% zQpjumx%wlzZbx-CpPViR8$RG6_Vj$C$N2p%mr61e$he1shsbhgmB|{-Sh0HF(SU>DxnS%y_1VD>c*z)1IC=7PCgn>*M|t7z3;bpg^+1EGz5>|81K> z7Z6)hYTU>T^&mR`N@Uqd!e#VkRO)7UrV^Cn73`;)Pb_|0L(- z281aQ1;efU)J_uko?Wm1k=p%C$s?0uv=$axyyJX*?N6HD>O%m;&uEQv7k9vzurltD z;4`JId&idouGw-U10-V?b|4!*^DtbWAwX7bKNxNxIBD@G+2+f86|_Hs2`BvmNqkFn zhHP>Q5Lh?r>&5R$k%t5_pLu05Q5abajbUN|6Aj((vp@D@U5bLjwqsRNV^NN$t_BdZPW zyw@lIROm1K(9RFQ@WU~=eWh*n6#RI`zPfv*mQ|NQ=7Jxg9)=E4=XGP4;q-4g?$ zyppvs7Jx~h&NcwXfQfpoJ0Zo?L4v8onOst=C7=kzolgZUI}&lV0h|z-58ovr83Wm! 
z|HYSbM`EvL#IUv=c^0gL-LXtF^U7<&h$tLu9JWp0;P$`Ti*A!=yAr$)5$UPaS2U$m zmAQXS`a37rCxh&w*@Ch313Py%PVCI?^jiJ!fp}jZxzrQJ$;<8nMMs*3#OG}x0bMj~ zi%BxGoYrcTpY?mN64bj(Vns|ZXT+qmaMkB~*BiY>4bJ}goBB`qPD;kwk267NBm+@d&Nu2R9KudH z_F8_wB>@x%Jd)|wgVw`XX)w$|&Xl40IVEogL}ruM3vyU0vOPw7K(_rZPFj;5_|_R{ z4pHrPOfpgG2ymR!UFOxmTwxR)bbJ1qL&2iAc5fJdG~9-r#+QD6!JWKiV}ucj20yAN zcOhrt)F7tRG+!}3mFm?Xi@1Dq>6YEgcozf~wQ@D~@YX%Cp1g0&KWSj&bnB|*LN1J| z$7RZp>W839^IwIJbxJIJjIkJ776;@Jg%LZUt=E2kazMf%Ip!!{Hz`&Es%Jf#jxwCy z;r$j~-G9nL2$n7?pMx+36a)KjpWnqlduwX*6M#+b-*LPH3=mXQ%VXV_j2LajI&wkD zST;|XZqqU&z8&QJ=y9HV(!7=aBjV43qye@1fq|deNJ(JnHohVImC>Y2Bd%6HTTz;LKiL z!a8qs`q4#7j0*R`@M(-V?JUa3Z+?fX%YH7$-CvH}wtK36Fv}i`xg7Y3 zJN|0LKCvC`Grd@heED#~79}A}HY8P`MDDimagXo&ie}K60`vUJIPS?x&QRrOrc}C( z%gE)WHtW68E8(}C1H*yq#9n*jk=s%pm#kK`L{G(ice@4)%MzP}pLE<^i>EMsBL0d` zsTe>_F-A(vp^M#DAN^_41R#-93a|W!4HR`mFU3IUu@Dk-xNNJ6o-$c6@g?WVL7M&j zA5l&Al8$OO6E}HN!42m1UeR*|H-={=kP}BC+0EY5=%P?pe!AJ+&u*7(%8@WyBZA}i zusO=5!xhSH12<)pA?8aazG`pNba|Z$%DB{%QA?-4D1xuk5&x)GvJ>*s?7&k`jr#7B z@f_nPl?7xymaAkky-kEG>Cx{OsqR6p)KWQ@jf4AP&qUbnjuJ}esNku$z{0uMh>RQx zML8DPFMB}Z;q?y_P9zv|tNrsob<3*+P({wnF26Hm-jRcToJbVynS$MC^$FjE;dpJw z-Eaa}%LHZk_gCI8f7Z`Yz>ivE-zfr$_ppl|HZEm>nabyPQD+5d5Udj`mQU9cNCm7a_5pGa@lWIq#5@I@AOEpU8Kl z?%X7`4ffPmC0Yuoi9~aKig-W1oRS_@g+8QgYZ_F5rP}Jl@8#jW@AUIkX$6RsPs*Jz zft$@FL6MJmq_k+%rtKB3D5&qHGW;-aLRfn}-)QL3L2Jv1sVrSj`Vx0}UI=Jbuyl9n- zDuo=T5_-G-?>!1EWP4NEK>`RfSIXLyQ%jk{b9}eYwo4p|>lj9jiJ?*1pMlec#AnT6wvbr@CvjD!t8g79O} zGatbQgg5e(Zpo_i_Xs_wZR|0jij?U##5+Wg8YA^V+9t>HgXLdUwZXKiPDIGv6pNbQ z&DVyHf>7Jh6R*i=q3i-*1g&5*PEUN$Qz1XYaBN&}y5*gdb> z-o0y0$538rkDB*ADPWNqq*17WC(CHNU8th%e)wB9{^Q{@tGfOJ^Q=?;N~gJSrY+4` zF3YM9`Na7zu*o3omJL(RhOF3RXB!)&MV80)r1aE2_H6${6+i1pTeKuVh83`FE0%75 zj;4lP)Ll^V?S~mN`cWkAr%C%~cJVgFB};0G9%i)U$A*94Z})bZ?=!D=25XPPF`g3E zyW;0X+nju2cIBTw0bIrn*5u&eGRx{7BH%pXxr2+!4OO+H_xj=3ROzLV0OgPw8#eUI zPT%=ocW|JDBX*@rdcRkW=)Oh6>D!L`${+0f!n=3%Paq3zyAy?(Ga{jk5_VhL-m{2c z4CSyl&57g!+WJMK3NHfIAu+5eq!7RsAt$F(1Ar}e94$N=sYyygP}@$q 
zsTd{Er|@xu*rV$XJSp427FMrB1o7T_zC4wxu>4s&x8*k?+udTCP)p}&kiN7#9?X@W z$i5zJF*vu!)DH?hLTi_V4TjWkb=(?(a#_8o=R(+fPqia2Jb3f!&WUGwX)R6uO{O}7)x!$dOEagOL#im@cAPBSDzR!Z0HnOMt z701-bBzZ&;ohN0hyXGi<7nvOfYuKvUl2=rsplSSd{G~&#*91W zH*92fb?eSm+AUnJ*yC#K`_47Vtd7oEbB?a}H)H|lA${a)4Zh%`Si%6wKn!*h!icNq z@98!rAWivaPI~5w!0>x)-UC6`x9?;RQ1RA%moaSzFhI=}6GN5K`5S|YQL}+39^}>k zt=+oB&BS>$UZ4O1S7gX$uB-k>GR=M<$??-Z73+h<^QR5=eKnL|6Cj$F0trTP+4cm; zFeBtE2q7Xz<@7#P1BmGDUDn=pRVzA8&Yc*TPS3pTy-@h~PTk*;FOyur7LNN|kLG*1 zl=e=RQ)MTJSo=o^v`6OHw<(@hmrMD+7)bo;{j($G9#B*9eYyKf@?!DF$ek8H54&A_ zl9^@u_38GHT9V+S9#T#QD-#nc@#pbxJ$f^)oq4IDnGgi?-MS3LpEYcQ4u^F5LL=P$R!H}vm6%X7@2uWBNmCuxH;46amr8y7sfN-rviExN^77CiJV=%zUOdsY zvD`%oK#rDHY44>R*~LTJ5HNqXG`POb#!|f=_;Qvm^4WQw8IF?g=IWB&ds2Z>8=*9t z<=LR>NnlnK5C?)5{Q%~ZVgF~=V5cuycdt0buG7(Z)vAM!VmnEjv{D{)U1#FJl8qzy_uA6bZZAZcd1Ob!gkf{hg=?Oi=gO}D0|z>Zmq!CbfYc!x+f zq8Rs-<85c2ogo&1UsqyDVp+3IP80h(@Y5S{x3kwb=X-u2@x$l7CjWJgL6xr~@WKVv zI)=`;#fJ+jZ8Sp!FMt=07bvYq;7PG|6_ps4zIlV#HK7HBLAGbi-)d^*@6XsoWT=1R zk`HBN>#^!^wn)Oa;%)x`)c@52#IGhPQFl(2Xp;j4fm6On7J}S`9TKSgDDXmR<&?rM zPs9hGgP`y9E?aukc^w{v#=ip2LkPA4e$SPH7Phw(ONj^s$&&V9dxhxig)#S5V<=sd znED_|3X5jLT{ITj87;q zWwi-lTifXbK#|l?T)<~uc@F(b`K4y>xZMtV!v`lvy|{lI!?V5bDC0g7^m@8H)}0_h zA%X-08917ds|`|H!Fh%vG{mz1=F{Fo0s*`F3VmnFi+IliWc0z0jq?D06@v@h z3DPGGY=3f`A^$4~Qi~IffOr~_$eUkUkl~8H_W+7`^}4y)ZYqePl-+|Y-w~yiyRY}M zY8PQ!CD&Iv1RJ7jzS4>hxx2ms5`PI5x~Kr0;^GT^UIb(UU2puf{0S1Zh>c4A<6ZNS`p|3ZWy z+k|G|XH=vF>Sx6J$EGJgz?|$h>wYYs_tsG6|HljtJNIEdQ1hB6W2gMU8z6jzi>OD$ zAPu5_Vht?wyMQMR#K>j~*x^zKpS~(LQphZY%tIAF!w01}H?m03LFVL@qzztHeuNyB zxc5IDOLY2ytZKCQ*Ijsju|Qn~H6FAm$94DOrl=)(yvE!{ZM%t7baM&&b78O%-j38I zW#+-%-cTgL*Y@$9y#PJ=g&PjbHPaThO*F029?Q${`Ae^J^V!>;Cior!G|ko%AQ`@u z&wu|8l0or@06`DGV}|ch_{2&9w#T+^)V+w0p^&*2X<5sU8g8i-L>L!OUdt~&Hb@}| zdMUR2&QDy3&C%9>6@Evw0NKIr;b6^4lcjy#AUP<`c`5X>jH%k>1GIV!hv<$%2YXg7 zEq|;|MhLl^`TSDgXN79l=ifX%0T?RW@qrH>M|LG1q=50>)g zBLtE20i_0?mP@WzFyMuQ3jr`}5-6sby+X}92z=FO??UM&0`w*hX>v_cmO`9bS&mS{ z^0NCj%xBB0I=PM4s)(&qa)B|xGutJkW^9t 
zwNDihA5wZ3%p=Jeeiy)VWC9Vl7ny88tW36a+4&btIDv8Dvb17gpM6JGKwc*J&5Tm1 zy0hBeWdWoRWM&#+_m%AZ)5ijp5fHx;db(-Qs^jvUrGkhDT!1Gxb9QOWz)kQ~8&QyE zxykfKK^NyxY0GM|K9G?c5(+Ti{;a(3eF#dlB-H#o$J?FOqIPj*zzPcb(`v#mJIwNb z{?wo+S(XHK#)`lM_T=b;mf9apfJ8Wu?6P@YSI51d_C|@bY||h-zfhj`Tqk|cfu9v4 zy33dN;qLH{(X(I)yobz?50QWmxdHL?PHGS3Iv&y7+Vn}u5We|{?w2#-Dw@94r6zlK zCH~5`0=b%zHlcesdnW2ws0SC-+{d_$s=(xs(|~LKw7<*dm42axr<>^_wW3gxvqw=P zL$y3M5hPy*JEO~ToYK#m5SI&3q-z+=RSJz#wLnnogs}@f`qrjoG?SR5brGM}>Ihb> zdh1B(l0mu6loRnhPm%7M);{+0x&&e9`9f`A?9=nqm5aV_ZKXcT&CI6K>>j2Bhw1v2 z(d<>Ne&C70L%ivjn_juh#k0}+_aoIS6J0jvm-b0y^tkuuD`0q$(b59+?@d5Nxt!t8 z!9LZ!ec%;7gzVjD9*TBv5CzZ{mG8!Ty`Z1FTPvwZ2aJC z_qUP2dA1sX86tcAoD>5iD8!KA_I88(Hdt`f_imGCbnT#k)ZM?1(Imt>{NS3aB-QQO zfZEL8%Qea8M!jTjT=E`h(eOaN%>CDFS{JI?VKb0=AHMhBoJ1uSgXaASJF=Vq>Htz; zpmp|b8jwP%R_PHO7qaZVg&2I|j6wcDq__tK&|2Focy&%`LStv72JdSdTd~t>N7XD4 zQ+JbK8gW#P&ayZetFz$tfx;}PD>Z5Ounzf9LFTH4+ewhfQMn>DnDlkF14JtH@9S~Q z4qrKR`l>s>4Y1$%O{dy}ViUf4TBFc!qP1pw1k0{-mlS~`0jJ_)FFQjW?@k&6af8&H zWmG)wFQx+6<^V2RXsV^m?tsR^g!PyxY@W&>PF(wN^p((|$BOCY&8$Mh=1yh;rR8Ln zfWbAz$4Om-gGl0cN4?*JXWJriU2um>zI_)U_myzNu*IAEN$B)dw9zGk8)YfvkMi68;Q>lvO%hq#1j5!P+;G@o6;XD>At zq6*#!o?4L#A(ECv4Q@I4v=F+DACwO494*ermYyBkX%I-9uDvZ2tSYm@uG&dNLNcsM zSTZh`8klZj#()-0S?t~2SFr5eBGUiS7dldz{i_2{LAsQ`%@YVB{LmQu;muMn?ay^n zBS~i4ww58r(#uxM+E@Y+gchm48Suu6wRI0O6gT?p<5%tfz=#pf99yG7PzATkXc-O> zn2f0R0=t$jSka}S<_DB3H(wNwr?Xmi4z^5*eI+!B>!NqNERc)=)b=1zb~7VX?Eq5g zw+_dpMc>`p0gMgHjN9}V@7Eh$N3X99*5CR`2voQ{;3$ zI_r~+eVQ6z&MEqyhlFN^st#NK`bF6u4gz$HMT%Xi27_cp?U%MQPPyAXiA3OceiOgI6lG4=BIfa|nYNd^c{$4jEJ*~XHc zdPv@`)JM#I&r%jtO?gE|sC>Z|1|E|ddk?Hga=jj>goDm~uFXu79!Gc1FNuI|iZT1A zfHpt1?K&vw$R_FdWbJdzd!c4#v%nw`AJ@-seE9dDYGdgynV4xWFC?6%>zTiHLLJ`a zl%qNsW}*kk(lhC~yN8euebhJ&{Qn0Qb3EFrQh)hcE?nPpg8q>c$484@_1NYYYaAm0 zdqUn?ZF;zrXn%j!v;#xs+1B@n#usG8cz$dH&w3Y+u$ZJ+bMSa_{~f}F7UxLM#Vz@4jF_ zeWfe&PX>u2bFX#M=b7*o`$7ra3Y?rsXgKm;PKR7i@l+B3oaij1;7@_VC(K7^&w&I# zGGd?K0J}@pkUDeV&?vRhbak|qKp6oWInHF1aVR1N!eNwaGC>x4??Fw|uC_}$R{NZ3@xqU*RqXFepO3|fxOhN; 
z^;3m7G`Nt>wMeCu?(RMD%!eNg+EuI`dGp0PJQCIF1^xpN@Nz~Y8>Kqz2gMFnh5e6Z znSXZrdy=!qCfM0Op3vKU%AzmbxY4FyBPd$;e?#OyJ@{eg(HMLH%Jp`;Z#Nm~lc;tn zhS#tQH+nGGG~+jl0aMW({cnZe?66-0uNv=iP)qF5*KG8=t)`sx*Y@g{X0LJfR+Hy8 zbIOs1DZjlq>8>uS&@zZwT{W%OSL>~~&{4SiyTSW<%qK@ID^BJj@8B%3249}3-o5|y zI_Blu&Qsa$?<)55rAX9S1_{AZ-RECQuri|V)^UG z_(+ass5(#$lQaZ>xa@)@$v=_u1OuGOs(#~glElF9^;NAB-v0`l#9dpu^8C3d_B?{_ zhn-N&9@eM(7&egsTOY!jLw?Y+iKn1Q)lK#G%-K)`87QhYUqrm%L&W$<`;%A8rFi|* zhCaQ~>FZwzu_WCQ;Ys*BNol$N_37-lE0b>L;_3bPZ!>(q8$8BW^Y0Q1Pct)T=CU9H zHxS!j@}O4tk&yy{I!%_1ra?>jT_S2U)ny8g~iXi>7BM6rIQpW94NnjnGaJEp5t8&-!4 zYi%TFxle1eH|DjZJ`LC_&?o6tw)v~ib+r7U?b2c+mj3mm?C?1n?5`AJn7 zNeNd=kPw^sTlhS??a}g{ipwMD`T_Lg=DK5ohnq|R-^7h76CIr^8#R+|Jn%g|d%%P`wzY@D)X-LC5boU{| z7WC4Lf+EdT=(+_3^1ld2y{KKMro?RdR2z;0hIDNy7yR2JW8+6j;Rajh{m z03J66P+Im_hJdPyzsv-26ZqYI*-(D2!3rL7?bytt4^!jPfyq%Zf~R53%*p`Cgals8 z*^QuzR^jIh$L!i&vD@pj6$5^Mkrp}5S*tpV^{%EMPIJGnWKd!)mRt6fu@cPY(>833 z4J*FDOJS;c1-mc^UVK$_*@8~@_sZNcW$z@LFCDe_irG+JPta#QXTtm6r2}8V>E&nj z8UXYX_dS%?mjEz5qZN(UCszWl2^EKdETEzN=4eoq3jPk%ee53Lp1WA94gG%V*S(=N z9h^G<9A}t*nfylBo)}<29bREKr7p#|&Rjgur&`SHanWzD=cM*K#uT(SgRmt0wH%r$ zu0GkUn{B$v5lOLdYbbo4M=8jYfI6cmQzx8iATBPF*ON?oZ@s5kGDnNCzS2rDv?A3X za*Gw#um5Ys*$E)Y@$NEz0aPC@Jj)>QTkgh0|bwf4Z(Z$ zIH$hr0Q3svhZembK>pK^i!bO;$EeS&iSPBy$Uu$u#U2owEI)-(jmK*LK0fpOpOpcs zi%AJF;H9X7Sr_83eWbnagzi8gUkeI>4Jm&W%PhHeB!eq-?84Oke zG6v1_p(t%4(XW|YubM*CcT~%z!nl!4bhxdFtFKoop1n7f&O4h<;319Mlxj}fgJxgN z9xUVc=U=B-&Dj1@4=7D^7jn5*o_Vh(2oOICl{cN~vq4IFk&0r-~?CepXzB4Diw|=o4vo&M_Zd+YSjA%Bb z;2<{IFkhkg*J_K;4f98c$=;(nuf=1%vDeDw_;KVv8rFVSmecQX+^KM%=>FYMdD&Pu zWa4oip{2SH93Fit%osN8^WuXb)I>_Sh~J`=aTWK3Yi#ovaBY34QZYl7yR1vCvo3A` zUlbjvv$TGUqkRisaJ~n;ng}sX3f9aA&-kBi<(PN`JD8$hi$GDf!>`!q!u24$_yCqB zI!yA|(h9Y=-8h8G>EWQ7hw)VzW>|H0i%yUF$Fkam7c27#58z%c-0MOcmy9D!3r4?y zTI5f10m^9G^kZlLo-9ZJTrw)|%z$=+Z3S_T&26i zQ~yUU^KAkN32x{R%+gTt9|lvZN;en823{PF4y@QV*yZNIvz~qdul{{Af*??rkG(0N zu;p19MduQYXL?dA6W=KIpPD7`>7)7BTJ#l7&bDu3H#k2lVKZ-1lyKQL!D(F4kC>*@ 
z+a1Egv)WUNPW0wp8S?Uv6?6@psjrMz1ed;A0n<@P+0t7o>l@_?w|EiTOYEG9j<+@f z0z0XJy}#&U%=HdFhTM$z2+-Yh^|E>mOIv7Me=3ZzzXbE*dC=)0x4eHK4?tE`m~W~P z+NnyydxHX0>H33yr(vgY`}E2GBmOBBAmjB+iBUj<+D4IrS8WvW^IsNE0gl`^3}Z0# z7@>}Dm{=l=Fog}o$O)&!QOic(?8-l_rU39ov~X6qrK3`mJl-yrO@E?t+1J7$vQ-Y% zrW;cjo^2d@Z+UW^ax0u_vRxIrz?_eW?C_*ksUZ6|(`xW*g`>uS__iW%qg3oyvac+J1kNo?;y^*;m#?1iP z9%%~WUYlhtIO;|r2t&cc>7XjfYBVO;^zZi~Vxas%eP;rWpo?L87cZk-K*ARPEq{gD zXIG;A@;5EiBn%T$E52VfAVUhN+%pq?7jgrA7BZx|?Rr~PQ2{YfvGT8=oB&4M0sg}Q zh8IV8_chVXY=D9NIhOwGx|MF!I@r%4skkQ#?LRWxjG?$EgMo@p%Qx%NlY&)P{t1TV zb)y-ljvHm9fqDUXvhAWb0__Ud#G=_q{Kxmlsy#B;?Q_TX_s$VM4@=oKx@Ms+k?*xU*;zW~G#DK|_;n(uydPG& z2#j4 zJ->f9(Ly%-_j_|E+vXtKK>urQQyJ7ib^h)d{8Y#((`EoJ*$W+~=GNmi*_Rz1(#Cc# zS08Mz1j4FtJwtfWyVOuY^?v?ePh)G@sXKi#88}NfufdY4WQ`K14ptW?aDIqmUI@9R zi;;+Mp30}+r*IRs>S=Jjrp)7>jcY-jLNR4Y+nGcOob~pMegw}=2&QuVo^=X@2 zwCnxeAl1ebd4jUsw4ce|NKla1MiyTvDHte-Ml&|;$gRgE*Z!D>WD;sXkXDTf56)!1 znHYlIP)l{nOd{dwD)l0ajj>BycKRDS!V2z>=zKkA(f?@P9xM=wz&`CVS>45r3N1<9*Ghs%ubo+h7|w z5P@U4&fXNdW|CSI&=n~0;|UPor>c==VG+YU*sN#ipjW^hSyx@VacH*jItasiu^4h8 zmt<)+T6=v_0lcefJ5ckcljM00Jw-)8rKOYbzK(43y0sP+~1t`~y#uJc#< z^f;?@6_^3%vxrf?=wdTge(*Id+YYBU{GU+bqH+c?5N7RJK-y8th_PNVod5qZDiSOp z8iOG6=cIAsLA^b+m)~#-Jn1rVx{qxe41VipXCl8<%?VKewU6&}Cnl8EG;P6bdQY#U z`4M~N^Ku{)%vD7_4#f$XrT3RQm{?10z(FZpd}_-+kfvY?FDKYH_UTBhCLJY2cB7=E3y@9$~;eW9){Bo{3MhS-&eNZO-(Eamkj zfMJ6zJlCPlp;T|gnxIHm+~n_ylBqvX*rV-aPsFuF;(mCcDAmIzG%Ji>`X_5V(JOjI z=i{3-Z-%5m(`^W>_1>;%^jQRC@+G}(H#0r*EASJnaB_D#Pn!Y)xcY67Oc8QP1-8Gb z(FIE3b@?-baQpoWrulD%pwFkxANK(pAK<7|1Veb{H?`jeE9&isFrtL{jkImNc&W#kv0d4R0O{K&@Yyq}*@B|Im^*v;R; zuJe>io);EC!Y+C7Gvvuo9qijv;Kl)UEu{Wv?ew}I99!^!>c$Tv;go+D{|+1oyH%%} zX2v_a)W_4{B@DH-cKI1{)HB)eI5mhJg+Clp=aO82183V!w|vzZzI_8);I4%U2_s1o z!`gvszm?`h#^&qU(zT z%?)uS#T%Z!Qcg0C~#X>ItxO0g>DKBO6u!i5_r5I z&vvJw&?3w**XBo34pO_RSncDJ~7q`}1#k zzIV#_=$?A3P?+Ak*z~a9M|NesurH>^N3#cQoK>&73zL0yTToT-?%?5fJ6PEwUlY7c z77wYo@3$mFw2+Qn$t*l+Km+s1WjJ_afdZ@C8g}qn0Jp2#yo;L>Bq8$dwBq%%40)5@ zFzlLt{^|(dRCjg&VAMV`D2Sj(~cFe8O5i;`lpYF9k!=VPngaCRp 
z8tC@n!Uhi}-%1%^kf`{s!jmI8prSXEbS+{EV3e#zMY;J!x9LO-w75SzcIA|Ol%0nQ z*D5O50lY~l<`{gY_|$-zmU*d}Jtl*sS2cnjzMhzX&aJ3(%4q3vzE-E=%fgmGqdAKG?xKIilR# zT?aXuoie>g6%N@W+b@rvA5{o0pEu3PMm_|d+8u&HqPAk!P0brjnM#5I8nkS|hHBmG z-HW>4*YA_vKH!IMb+8PFvT+Q>R4n{ze8%PTn@}m((cCbH5YSF*-_KT@4RWUdVM8sg z;-4Lv-$Q2~(;--Y{Y zr~%deeiU{b()h)+VEMps%QQHmcH!X9xhq$wR=YAda1(#=aH(z7-PC>3O-Tf%Nr(e3ZCq-T7 zd1xe>KAkI1O>0Wf#gd3Li92AsE8_>&_s9s&{`+lY)JH#1{|V@E0&mF67qd1WaS?vt zy9|dPNgzOp&&^Evl<@Cv6b>$pLf6=*zh8E}y6;TwHU-7J^nn7FULPJAM-ek#G zR_5J(k=Ew}c9Z^`?tjSaj42(ylC=UXSMq<1siAH5G1h!(@1{Ye@qjz~YfVs8uv|=CdbN6wm)PQufvIs| zCBwm7DC{B3V=<`+j}H=MF2o%a4n?39tz}EYTieXnZwG5+Ml$8#g{tn_pAS@-pUeEb z2yF)KLH*a?!4YMlQ1cw2mm!vy_}=IFi64&3&Eo}WLA2rYcm+ldr+V`Pldukr7DhF% zp^VQ4156fQj1?*1M9q5hBPi>j>k@T%@!&(swg{k)cExpIz(E~-E>~hZEY!eBSla3S77*Vt>dD>8$7No3T>g{f*SA7jc4k8l#A%(RE(txf|+Z*k*}tW;KJyv?UfQ{M#BRvg{x`3@BaL z*|i?9lcrHlaM#P-z84FmJh`0+V<4i{%QD~vA;FUGP%IbN;ELx8>T=b!aW5r>lleLb z&@Q+3u<;@LD>V{f1gV{K2i3J_{b|9)A}RiC{P77qmXYdncGh#KRY!Z~6S7cn@+p&d z2!{J~HeIEQ)9smB6C$wp7V4uL*v~H2n%tK7DgBARQUk41k3r;?&GpuOkK|6$-85EY zv`~Ejkw=*p7=iyG2yyj=8R^0O@&xy*KU$60haF%zFLTb!cxYl&dj(IoB;x{#7Eh3B z+?zX_QO$9dlYVUo{9gY=!^eM5584&130R4h_YWg$S+v zYv?>GPQl(I*ET!T-)%&y{2=C*w;bKd(6M%V+!wd?`Gz$1slkg?LuzH#Zy}s(ag$@F zAe}z;+CD!D=g+$5cVfN3dx`gwy6=t6xD0A&_)K=(L-w$;&c5xxsGvbH5(l#tU)mf` zyWc#?V}VmB19FHv%yT6`Ib&QZGNQb$KG>K97;g8p>dPIFF$W&0d3Yq#*?24v&j&Rh z)wB7`BY{`GMa}hcKfZLir=(V?%q<}!*_gpC`20NYygx{Ept0|TsrgArb{||XVSZdl zb?XTWP)AEi<(+lW15Je3 z;gC|6y*D=?`Csr9{>nZr@Q&&y0oZS4L5_UGp zC4G|Ow;|iVlse_=|1ZMcGOntvYad>lE(J+xl#(t1X%q#Ol5W_N(j_6e0Ywx6r5gkV zk=k^_R*(*n25IRA>3Zi@&$-XJpXd3%U-YLRV6D04yvB81W6Uw=w1Cd#iGl1+xul7& z`txYiQNKGNkUsAiD+yRT&tRd8!R2mz!!Ehsf7Z5BwT+rI71#Q+!Mz1H8@s^6kl`E{*o4FBfrt z)cd4!y_SAbh&9yty|(raMW1L|c+>ab%nPZ{K8&FCh3XA?BTe=qOzf5ZX+6>z8^bk& zWK!b$>DLP6g(_#FZW6XO&JIlL-6>)DSVH5a&sl3?F-5R3^BDho^wZhRSkrxLXRr0p z&zt%2^##1sjJtWR>$pE zu>>~BE$W<%IL(*r=Rz=C*)%2y@tLDiPdFOseBTU!G)?F#-mZabp+B|*2HZILc4!}Y z!`lA~Jx|REd4hvz0 
z1_!%CHS%A~7$EhFNQ7s!K|kJ*)AsXrLKF+rVfR*NOGMAcvhSsI7dZZh-EC^R%d^<< z)jKzPk6C>S#LcN)Jbc51a@oC=)&{c6k6%2Ka(=iXIC(nk-YClr8WjW2^NET+x+Y@; z%xN7J0>+lj`qeOi*ePpk-(0LQ;1jPK3!&>n#r{euD-X(ta=&Xt9j`NA8{XGoI_%=r zIUDbd&6C4<)%_l6!!U0kDj{IxUEMEXC% zJduq20$T90fpWUP?}$g>;VAtruF?6yRQJAS&}|1u7Gj^??+HYxyK~mm>c=i*e&6jx zCqr)g)8V58O>U-sz6jl2KfszPd=zH3^D@|qV=q@~jc708BCllb=xdACD^U4ICx4={ z_vE8g?pt3A?__ZnoFYTO>+Dnfsb3C=3vdENSnt_zVQnD+O!t1v)-{8M3*lWn%d;`+ z?92u78cjovVZND~P$wcM_kvOI@XNB-{x&k(7ahOkyxOWRn;j*-V|R>h)i|PyPI_Qw z*}mq-yYZV2#vf&Hf~-86G@yl7dBp9GtN71b+9jvBK$o?Chx+)q$qD@F5Xmbc@+X5Y z2(?XdwukCx#-d`rTT6oXnuWnX{tTwrNPShgocd+SPd^#w`wqn;zRR)@x4d35!^q19 z8S27Z_Pz3ludX<0_kun{VyU1Z^88iDd;)~qRcMf=#dt~EoTh#JD_K#D4Rh7(ja6Db zfe#!XMeI0o<7#X%F&{4Yd#dWFeg}@t)s02Nv?-=<2$n4yA~Ymm(XLpS!p z!NSaX$OE`c#5vVO1?+Yj;)kA?)pwV zyXGkK1d1>E$~X}l6xVTX!^=ww?ZlE}z<0-{7P;<>z(5o5)lU;|J{4icUEEpqZX4MZ z-k&KYf+6wvRDvq9)T4+I3E)C=#pIt0&D!mtGtphBlh#JJsPD%7tit?P27Xq2rRj|h ztFtgEW=_gr2F@!l=^Aons$U)MPjY2D4e_~-Js`pRf04SszYo@>R=@f=JiX6E4BpQP z5l_ZaWqdjpG3nb_D!OPncI_iH9Jk}sZ}+7eeI8rsOi=_m z-v#4@pK)EG9$-AB^A6S_P@0Q%%5dFPh`W0JLpu3*+P8diW#(;uwO9Lh>35I+G+F3e z-6#aKf}0bHA8}|dRE7Bc4DRHbUl)Q;d~KAf&6#f`LaEdk9uAF)aXkOso2DESZo6=G zKeVde;?eu=*-Mk@!r`6k+U5y*d&Rj|ST$wCT0m$rqX>E-dwaJ>2#=}_(|3?eZMrv{s2K=6COg9^i2En= z?(w{EzCTMJL2kkj{c@t=f#vOX&qb4K*mcRS;W|=ZuJYdZT5d62+Bl@p<>SEYKmU{T z@cMBV+MAQaL6Nh(<5nT=SvNK()(x9ZJEn{+y)ke{g~q$dMpFC3pIHbs1q?VS2S(F6 z=F7`4P*R6(6lL_|PopUH^{a;miMMd_)Z>a)SuuBHE+`c2Hi?taQre0A9)(cQ;lp8q zEcPIULh~YMB}h_1SI4z4|G7nsZY%e(^?!#%?=o74I0WBi2vZQ3_s;M>=N5#l(0H@` z07nJaRwHv&=iVBN^dWPxNu~5~0eOyx0AE7}8L0~vja~YxvHlLahu7ZxNHoVaHGBa~ zG22>*NOq2Qc6cUw7`EZ@uC+*^EKQejd*=YPK&$1UVCO<|C$q2 z2}K^-nIv%GD|i^+|_uxhT~hw>;cb~7>RL^@vE zSp;u>b`J-|yLwO_?-TTd9n590$O?iXKgA>@CNj%3wps8^e|G1C%s9(-sTkg|Upedk zMD%o|Vi61o#|8FL9r;KE7UA4(DMJ6k# za$PEl?%EC09B212@aNYV2}aVCH$Mw%xYaEkI^14H5*7a{8MD+%?bfYEgUkF;q+CpI z=LcFxivo=JG;%q%RT*S&?kyp_%0@%~noWT2ly-^&?KaJCUU%&lb^}G9XtM>FN-K7Z zFJb|o%wa5aYdnV5_xF~vZz}c*CZB>BI^k!LL2{cK!&EOypR&0(nm@i$1oP66rEF{C 
zdnr@wW51biQP&@4@(9&E!vGs3w^?~y)I?%x&fWP1Mdhj~?%VIeJI)UWBpJ7JzWZ{M z(v~*EOmQ_A5IGg?EdQEfFn#|6;{RuiK?ji)Rsic`7D#0HVwT`n++Thr(RG{ZN534) z!+I$_t!kNWz>Jl41mW^@-;VDvk$CLY5XY<1x;zS#vcjjwM~sZLpd}{kKZQRpq~J8M zpwqyRZ)Y56Bjb}Kt~Q%H?hJZ1$_?zZAB#^XlZ^3M zFN+5tG?zAW5I6_d)a@s;+2Db<1E6oW`0g#T!rnbKjlPXn9-{v4X~e~46U~>`u3=n( zMUr?CaIhRVq(0fVvs_3Smnu2#>`X}TF5sf7t+7hoNj{czwe&kqc5OD1(;zW$n&y?O zdAwC@rA!RtA31euTT>9_F({NRY;74JJU3FUOf4HM)S4R|ooh7dU zt3H_Sz?bN-eg6$MNmM6l23N-dH7Nbg%=eXK^5Aq~R$9{YK8uYm8;inlnq%KR#jm_~-ba%kO8G3FaY)t|I7k<736N~Y3=MSXIAe`z0!-y@Sttp^YOqTNV?8pbWP zW|Vt4AGBo!ou#mu2Jss}WMK}{m(RH4DMIe(oyXuHV${ToC&hZMf4}*)?129)I^fgd zfoKUDr{ zHk{Uk_Uz)+#b|y)u1%XE3QvpvAkT(z5qTI=Tn`z{L}_t+cpV}_?C@DQltm=%#;q{1 zjRf4;pVS>EOYdvUaSV(hzOS=(g=G6wI|@7smkvyK^YD86q;GxXNuzac5pub9o;Yu9 zsJ9w>jOey8q%>u_bvmyQOgi{|A6NJIYai0Qyq2Y^EOUdhX0~k0`(az2zvf^pwM5Ef z!`H0|P@=Ve*e*bVr??$bPW@oVGdvQeSe%koUakWf%jS7zKrMU3;(+1AM$iG^bgG%wMdSC z1SCm9Laup(-!~rR`LtH`3c};VE+O|qnH08Ko;dA!!jPLD600z9Rxe^*yjOc1= z5170wL_V<0i^=D~5o63**wmn=e@JuR)Bfkv>4B~?JTPk1YK#QNU3bQec%SV{Dy)Fb zzjcp^h|5Vc$4n!9H*!;>DqOU_yu-a=Wvs5{#Y1=O)E{5kccFVzb|ZDOv;_--dL>9@ z(fhfDp$=&hmDAphc<@}Wtd?b4vqnBYik0|Hxdlj z%al>tf$8ixcD<+ckam~^nSc06#YR9&#)b|aeAGEy(1Fo+0Lk3sAOgLrVfxr2`;`gC z?fzm#TNYAOJ!Y{97sM9mOiQ}>c}UR+$=*KTCR4m;waelYVW>dO`1Xgrj(?Z**s9a0 zzHfEPI38-bPItso4)i7yGoKBcdI%Nvh9;RL9#2I1`=0JfF;@sEus_}yFA{5MpHtl0 zs3~lToxDL|;J4G?Z%}z~2EMWD?jm@Lr;I9NL!U`e!4aIQX(A(S^tbK=eTRm9*IO#h zKSfGz$HHvW$JL`d6w);#=Wr$jyk_`gYz zF_WmjYmodCuJQb{F22;Gst!@Tl7*!LjNz3HzB<#f7ydGhWtWj%Sl72}^!%weNe?2e zLwW~|n+k`oKDlvP*9f_P6__B;x1-16k2_MF8QZgG$ zS^UXp*5XTLwdO3@r5z|d&qEr<{jyk$OA%5ml>6&ZAl-2z5;;`Iqoc)MgOtiKdEY{3 z3e?%&UdG1ylSah~3jv&V)Ln=fQsRN7xVz-l5Sp^iTA(^grAC8PPhR39cq;ej%ZF@) z4LSyv_fLtX#T%g5&kjzcYUMJLKUgu#H}^$b{I8Vh$u$J&`}5r8(o*ogQY(mHCD|Ve ztFnJI=##%NHs5sG}LBwrs zoNYKdFNUw|Rpt8k6lleDHB-NbtvpF`ieCyUo(`t7G`n~nOjCU6`Jr+9VYXH~a0(|rOD*Dz3< zUez_I3z`;8)toPyeNDGMK;&0~WT?}$&QqN4sa zplhk);Ae%s`olTj($fA?vmGXVV$|oO71Y>#GG26x@V3BcKV#S6H*FV!VJYP32}JU| 
zr+ilslk)kIUa2)zPdQIXn2dpU7uc0CGAUN^B&Fp>?f$Phw%XEUl>Gs&#keskG; zCKT^^?#0;Sf(HsE&bzmpyt0dah$fRn9t+9roO(sKu`eb0E%#bZ!?Kkm$_+V{1<$Go z;N?dnv1T~jw>dE4?GF~?m=R01_d~lVkZp+ZBdxp%0?&le4GEW$GVi^`z3v6k2%mL!Z^P3$9gJ2;PMtq@J-jJdeoPPm)_cj}y{?T{ueyc)*e1##B-0N&?Y3l?$@ zvq6gxKuSzU^RFSXxn;P^mVT!WP4oV={SC+AWBFs*dTP5HCh;YgcPP32_i{B%M(&MQ z7T+AhRU5Ohhq%G!9!u2g=D}Wtl#X#Bg9~;mWiPD8#L@rt4U2#5pih&VmYRP(@WaT$ z+wy;r64%~rCYmq{xo|L0+TYNsY+Ww$DStp=6(gU2nbpuXRWbiA{{_(VZ7Qlst5N(X z1riH6o!Q=(t*qi$;1m^1hWg3eND)$ZE3~95`La$(S?J?bH&DGFLv_8SicM+I2j8d5;!Ryz;O>6k_E zZ3K)xy$Ba{vTXEB?MOLO^!b3=#<=F_yfHn7nWVa_=nX%6@!sOhy?DX6?omHWdwUlIV z7T*tj!b1Km<#Xw>hT<1_l3chAgT1}>7X{6eZq_}VxRf`YX97wm8{8^#k>H&LW;q36j|?kbrge23=vY)0P9;U{OUnqV&w zPOpI<5n(^uGnlGe#SO*p5ix*XJXeDtOV_FMvU< zq~tXccpL48x6$Y9{*1N@qTBD@nW>-Mpq@Ysa8l zf&;(fb0ds~Ii+LeuTa#Pq%3KBOc_@v50%gB+qz>E@XI*VpHZ%soJ$YGgLb7n#aC&c zPZvynf7UA_N!id)Gb^m&y-`CIF136^^2k5pVc|K$OIm*yOt1a*u$^wY(6rN^B88pr z+J?N(>7|xEefGT-rapHx>)hlk*sHJ_TJtQoHu%NIMt@ouSm43!+lB_)u#n|HT+hrM zKC3l^TKf3!ydjL6E~en>2*TN2xfmeu#6-8>Y$9;(wFejp=C-DuI8=z+{e7dQ@OmfF zoqXn;ZIOm1N_y0R)9C%{)u*WY(8{95Ir;52_$j=p_n>9+oLU@Pt(`Vx%rARQ3NA4n zJ?k{CB?=!7+3@Tm!|qPDDJCf_dW&8{2Fj*DN#1SgNtxd zq!R&Vtitx28Iz$BbA8VD%O&TcD7aLpNTR+8@;K*9kAJQ4j{DjfpSN-3xkOM~aiG!q zSWXP9*2`nf>x+)x(Y98X?c<84T|pm25OF@6X(h-leWuuDOoYu zY%5O`>UIq+>4#BexL#i@q(&V5p0H1(oEL~B_h($T@?A;dqpXcthh z{+`$0xY%?q`n+l_MqWAZ*5PzmV)M}V z;WCBp@u7XgUHc2Vr8j;(uyvC!fFo_0F&D#sE6w*`<_X?a;pA0$&?mY1=r0$GNq;He zs*ctXU3hGycSJJ2sdU&!;omuX#G7PdS|$V+Ieqh(S~}T=%V8gt*c|jII(8l(^=>>e zKhjNSo?qf}`{bDs$(-Z4hhJAybD_V$xWSl(tjeHIn>?MR= zXeUJSYT>#!$3%7JTJxx6Y9^#x%R^X^df|VIkMnGF_dX=2iQ5Um%6aB7bMw`o@C}^= z2rFab!L2`T$d7|)cYO00v`$)}vP8whY-QRhct}v>Umkyr-h;9RZm$LCcNAuf75S2s z4Yc8)GL%n?@)PF1tD`_a7JmpifGRgm@+{Af0{_LN3<1)n{G}MQU*`=;^kuLKrA7|3 zTH+!>k#UX5hQWIod<5A!==aF~j$OP}oHVe`fmG{Bkj_HOc0p`4@9$-5 z%!H6-U-&hPco?BtC`8Hn^l^tEW>zkH{s;$(C_Y8yUfj1c*1`DzVIVHPy+lgWV}n(? 
zFJ&zmB5$3hEU8e`QoMeRP$O|(4`1M;6<39S&X4klU2UsbWANL2xG~r2(%R8XJhG2m zKCV0AGmYJUa!7o*KFFy0X_1j3)VR*ux~jh|ymnY`0(-9{ZDQV6XJg!~NDOX2j0Rl! z{|f*dKEJt7wFXU*LFXSej-Nmbu+7Ju6T%<*0S%SJ(4}NhQLcDV=%I8frXpjdlt+lFH|;|I)=RKX`S%#n;7|+! zfd5&lnqi5dOUmi-an>B#e+KC~LfieW*AY_5Sp1>NB&9IGi_$!ggb0bVzqv$}9jxz% zqn^cu_0S_mfB;ay8XioVBZ^;i-`TBzr=9M9!lBKJxHmKr(pc|&dHtx%$k=ja-=pI- zxY4j-d}Hs!?B?RRRB+vy_ce!;whI#rLq=|x6J9GkCk{tO{9F5N>}i@E_Y>|#6}H@b z&agO=y0d4<7iD2ryS;Hf72wU-WELSA?0<5aW~>Lx_j+#L*wp=IlJNyxo;Un*h@}P< z%5Ih~F(ORS3KLaHm|>ar{J$g{c1qw4I#egYlpSmeMR0I;ekt(f`T}O<*CAY6SmkAu z7*vk6sfitFT;RiNG3OJIy#Vvc#n8Q(6gd*<%813}SG$ngXx@A_G(x0H0L3=B!8M+* z5NB`89t|@`n3eQ6#Eucg+q1Q2$;@7ha)ZbaX@FeWHT3Nn6Qww{J2U8BpxvT(^vXbu zjC)LkN!8clx*wku4CD>(D=^D#rW%t|QPR+3ZTjHPf zaYWJ3x0;>FU1<5QIA|2aYQYlZw)8Y~Yiy|@w*V$I^fH-`-~I58j@KTGkb8G!$!4E{ zL%wB!Qi{ZSaVD-m+X}0Ur(OM*`N~JDUxcXz+T_!oERSdnhw8l1&KJc+UK7Ip7UGSe zo9mlavIAh(?Hby#4K;KnfY>z7u{s?J7kR0XCa?om#2SolJt+Sf#ndRdY{UKX`%InY zJxx#B0@p~990`J$@a<^k5q_}~jf*MR{7LcLm>3_n9W8U1`*inP)ti~XcE9?#0A@G* zp{Q>oUUGu%qHxEs3amq2^7#^T!h0^>RD|fH4_S7aYhqkiq-XWa3|G+(uf!AD$MLJN z=7pV?MDFMa!Z9=>N4BjxM%xfC_;ic~VR6c}EL+ykK~O0qf^(pQ>K`D=#DFR7Xp?pU zrk`l6$CWRIur8Bu8rR%iFfbd^sHz zlXn;yb_45O=VURC(#1BLgwA1;w8PxEeDT@ueYM+`${Eqe%c8`MM=OQI2?Yl`W1t%p zrsZI0-R8-p?I7aWn$u!W)(hnlKkgU8@LqSb0c`#*-SV=SUooxxbi@TfcE`6e->a}Z zd;AoU2Va$Mn2*P`*>ypi5R?#jZL`$>ePf_4>W5j$z2K9EJnSgphmKlPT@3-jK76*d zDzD3yu83eG>!%IaDPLW(0`@i;oc5=lH{9)TIvTR1b?fb*z(-}|lC8b+O0qi0=8-Rn zSF*;?Jr=h;M}9m#`AnpHmyrxLN_?UXqNBbRFYSUg0Qmeth7V;YoYnL|_Zg(v{n35n z+;IcX`}PLxQUzX%ql4t`*zfouR5({mGiwd(gA?m!B@sdRcWkwi9y$9I;out_#2xR=w(?ay-y8NOZoq|mC|Y^Vo*8jRjmy9yGfb{)HX+HW67*|F z2w=`@YLcRom%~5bXe5eHGRps3t%U5#i+Oh=-58n0k$G!l^?|^8a(-(5gZH}_r zE#Xmsm=Pn*_pi=@+(m2WeGCE;R52~71)K!|TJXgpIKuRAfjB9%;svPI$5Tv%J?%dP zZAKl*1aGRn!6RD#@;$qDP$3664GH*dB17_~fd9X^mva9Oa0axQ@!kqQ*@NH5-xG9~I{d8e$H{`q-x^ zLAHw03##3{Y;?th)0d$rs5YCa)=rGkN5Iu7TP}yquHv>vUAZbjmrc*pF215sNMwPJ zcYG!2i9w!^ovA% zxSLi1F5Is*cfTHaf)W3PhRz-`s6Q|}Ikj3a>u^kcDUB(rG*b+xf58RcN7?LP%F-2# 
z4R#Re(k)x{W*JG2m3NAq*{zL4ci7|f-)@Rx-l*C>*TK9&gYaS7I7o!1qS`$^iT~JOhQ8yZt4>LoKF6%= zi;JOM^xlt;AHzg-#CW{$WkBu4h<_n&;CYfZym|jLi+;Z3OAM8KM^&NDDBLHEb@T+@9JZR|G@54fE`>y)I(=RPpY;(AsHAll=!iGAu0xX z!-yhEPmsTSne=N^PQ-RkzbiFjmb33FtJ_ZDOP-=SkGY){*egu_Tnvqwmh&SYkxLVMeeY{BJEIvkT}j>I}VT4z$F&6+PPHxw8?7jEgoHOo5> z((zuq?$8?95GHYC{Fsw#E^w}^>Rt>n#^u?r0nZXzM)M=reQ8Yn_@nQ1sEk)pSjb^V zdt+=Yehgi~H$#{1*>7K4rmillsKT=GRU?{#0tm zg65>tgRgb_Hp8D}fqsURqwk%#sRv4j60b<2Ox4 z@!+1==cUmh;2-E`;(=L8{0Z&s)Yo8F&&7HDaXQV5eo!5FX^>n%;G27*E=9f-q(*KW zrMIWS2r>C(@DhvF;{xQEUFSs)A5o#qpEn`p21B3Gb5Fi~>3!7Sg}CQl+2{PT&Ug^~ zwex8@t-@f!oGEc+BN}GrBTnP!KHG@OZ$Q9;D#9!XOrwe72YrQK0whFx+~2Z!V&=%3 zV$C(gUO-t_GfU)M%JCJPywckQv4;?Kw7OIxm?$IYY`#Oi%_@?b5JOj&o(hBHfgp96 z2^4RXu>43+6BnwiBgM1y9Z}_?<}T^(G)JABJRk~?s)1;Gb z1cjFB6 z2L@nIu@)G>(BvWNgP4K_N!07yO*ax00V9S0{@0U$0ZjhTA*QAu=`ng3@i9u+*ZR>S z@OR3!?;;Cug2-7B*3T2_q%h*^w7GM#AtAVzzKuRmHnGHciFHvH2EZJ}hwH6RW*j;I zYy9K8twu~(XSs)qaX3IMTr^_Uw+fS?ipP%s-;iw~ImVf|?*hED+(7%2k{g{0A0=?UU3q5^3;j`+ z!f1#S?xQwn4kP8i zgRk)F;&b38zaIkWs9#Pb7IJmZkNWbfi<@3~Se=~?ii=gY1jD~_9o7T13I>mae6cyr zeyl*!oUmNcooitS9T*7fo~eg8uc(ohL#7#%WGK=YiLLfhT>g9<5>#pQJ9`^VI zFrwQv(mOsL6r1@`F*J z!=+^vp}>{8riH=a+M|eo=1mLVO_9O4LBo12(!YY>ua!JtN=&QoG*$d|1Y^qgDj8Pz zSyhBF7j8X5i+R}uqj_X8M*hU&mr7DTDb)%_hqu3D^*s6Qg_>3lTmx*RON;4FBXrX0 zzQC7Fqhgi(AbsG#_45<)o7j+M^XI4xB`GE5b+o{Mp>v=wNl~SZof8bOPGhdvehq{z z>L*Af^)K@k)zdeakIgM`p8q(vxNti=OuU_bJnn;ay` z*rGhIIZ0MZOGhKNXlD6fN^)Q3K@9*Fa$YSGj*p=mXj<~|BL)`I2V2f!JV>@NM7HDB zkZiQX;2j^a+t{%io>N)U^q=0`mBjM*Og|go61sF6G%FkYbF!#^D@emYAy>wyOv9Q| z5I!p8iT<(f1=PE)`0(XOaf=7&EF?&kDc-AC)hsuOwO_WlpJCS^`Ti!3Qad(rtVzsP zx-|Y5RenshHd*!ar$0g2%b@^!$x)3k=X391`V3qe7n`A|jaF$2ZJyihbV(8S_jIZ)$kC5o?pcm2^@Xb7Pf5`F8S#|Mc_fYM@jp+5CU_YV-oBb|Wjf+TB4ojWgG{=F+9zcoRzfpu4#fC$H%2?n!`!@E?Id?q*oUP%lLhDv9KX zy@iF;HFs;imdyl~Il+nLDk2P%U*z4xSw(~o6&8Q&#)GFv{g{6eHN5ZLiduvC@5c=D zn0@~#!4^Sfav5&y5id;W)J;oJUruh>Kkp{at2x;6>@|e7v0~{RY(s5uo?SLr7J+Gbvj|fQFugw^ 
zqVE{P1WLtra>0*}r0-d>9wfhO#;HAcJ)=QWRxaSL@VBTPiyD2{xaM*ZK8q0G}F+h;X`8tFOXPv4lJ%QJ0rhfq6=H=*4fIGm{ z|NcZyWZ}O-*-0m7_Wa3%fO3j!9!eJUu&KM}rP?Yt?F{s3(lNAuZ;K2qt8$GHXfWJs z4SXnDRhgk4fJZ~#tvu(qKwC(|%hj%F1`~ZrdDkAS53_1yT^VfBiZ;4Y@=g2b9{N=X zp{#t`A;hz5_o2RvLf+n3{NDMx>Z-5;SYMxdpL#3#ZF^{p9;E?G+lMwE2f62A!`UI? z0S;yni_F*7iTYS}_OPiqsJzg}PZ~iOv$AplPK3BeQ4=;wm*;f@G3Lw2z)-?qFPwsg zOvwa-Qm{vXz}FfSOkg|@$FO`X* ziMkI%Gr>c?+ko~&pet)Y1;`)TgKro3^%^D{^y7Ill1SN!C)WJSkIh0@R9?4lOwZ{` z`McGQ`p)P!_fw)gG0(qh0Sbxpew2FY@%t;#GQG+1$7w%VxbLp$vuXA1M>0P|rknIY zz+n&!peIv)WvQ;?G-@UVzrJu6r+1j@hVVHblFeeTU^p)h7Pb2bC*-}dV3|NUa{wb` zx|0%|BO6Qpdu4~sUP6>LO>SIFzw=|R1g4~%3)$i1P-g>pq~d&d6ABs*2i*=k z+Ru}O%^v~-=@_}I@~Jbat^3}SHi9;Bj`J#<#S>f9$x4r<=G5Im1Yq;lC3-zU? zf@_?we-Vq9Mhp)B^*PDHf6;FI+7K}r(;`+LE?K0bo_OkAY)x_|L{4kGFEe1ZN3VZ# zY>+&;HFwf~$uOu9ckbk8z9P?bXuQ$#g(LOb*nfEFFbgPf5)gtf-AlIVN)C+wc#@D? zOO5b7ADVnZ{+_p}d?n+QU6Rrk`+Dj}3{a0GQO}FGz^IifZSTUNg{vnVE@p2}ekhkq9zR&m=xSJHq?QI_D#qJJ>k8CWYW+6=CWMQ$QfrU;am|r>X*C zLBu-^itX}qZCeTcOItH+L^k|F(1 z>AUFV>s^&n5`oyJ+-6d<&8EL$GkCU5o_g)IM5NY!CTPNgAHK*&#^NF7YM$BAQ#hFb z&^Y#u4tb7+yls9l|LMQK1Ym~4#g-5o(rsOuY9`}(Pi_Fu;Yl&3|5Kq2i6V}tpoWM{ zRSlLmLJS>h2j^#Ev~m323PlQ7=!%*In4;>8rtLg=ljdBH;oKU=@C)zcaCT#Fte*PQ zI2HRz=ToDt_sV;pBT}m~-tuB0JD(}DJg2olC4Mn^_fj{W;6Xq&fjO}LY9eg^qi8{o z=`z!MQrO^Nt12ohb_tSn3Brf`ciC^8c_<9H<&5mRT!kr>D2$iffm{n!7uB}FW}_(V zkuv~0jE@AZ2toZLK73^Hbjp1i3u*T=sl!+V3y`lxm!aMYI*!->(XT2-pV2~7Zk&1z zrqprs7hf55zJQwN^TAb^e1bL46R**?8A==<@>XtdSNeFNmda^+yv2077<)hvY{1Z@ z20z-t_5B2uKx}&v&J~%%A|1xhd}$3A$S$Tnt(Q6~8^1KO|32bXqt^59_ z5~L*o?Ytq(uvZX&8J5zEs{4uA7@AD!vcK|i%?y>D|0?tQi@$U6nNGMy)otdl5%1p~ zwp-)bN;~8mqG$rcR?`~jRqM|lWfzBKG12HAO|P4Y!-n*{BX*?8UW+Y!5~%b%#~=3k z>YjSKW0gFAx*vF2keAalEMcBoINfR#u~lEQ3vA&Y#fE%ByJp#MVCqw`V~?M*udCQq z+B)1$i-sjyiqF{_=^+|7lauL-X2UbU@0vzU5k z+~yNDYJYwGY{8MnvW<=~M`eBUPG`YB$thPL#xJ^k*_)g6Uz8H+AMhn_eolI(Y z>w_Vro3}qHw`2$LVlVtN=?B5zXxzJmV zGT|Sa{4d*P2(e_HW1SNNY+XV4_MytkMqrDHKURaEpMF@ZhHUV4 z@s$!9QMy7<&E69Jz!D;B_0F-$vknFc#v1#BJH(wVneOdUE#R7QeTfsp=k7OdCK%zs 
zwv37~eNrZ{StdJxs*1m`0S{;XvLTr!) zij5m{{#@FQ`J%t$K{jjqg5NcQq`*fa(|8!e73DIY4WcNq_+=Jfocc)}d5;vqjUHZ# zJVqN_o%1N!LZNKgzmiLx2r;*}=tRRsH!EOD@Zh4O51VZZCF;!Tc>18{#Q(|4XY;6V zH*JGLHo~k6@M35AOkubmo*=Djhzo{hM6GzHrRzl@9yN%w5~tH7LW$?6RSD4#Bj3#~ zW1Kt&#K4$XFHV77I}7clUfW!yn{>Yb6(*EvFij2OS83+&gH_(wqP-x9Y00X={R~vk zwJyI>bND>1q+|a1jka+UT`X*6GE=7eY=dyC9XwJWNl*0#3-_iyVIe-;QX^EphH0<^ zB%MA!5~=0a<4EYfR_-yrNtiO|eov%BNr$KaSffawwa&vs?<5AszX%ObQ4gTw0s`B4 zLEf4MR7LAoTj0a1y{aw4pn3g>$~9FWOVTUKsrg+e#EuOSp^VZE8ku9*$PXK!@BGQh z2;Z#crWE{BF&K$)F4>mE>Dek`(jqf2Z8C1y*g%+}XT|1jK^D#rMID{iFdeN3`n4YJ zPUywP5$V?DrUS@!Fp>HhPGGJO@aG;w#=lAig|eC0-n#fLf5qW%3x8%WJjsceQ&^fQ zzYXXrHo!{V?xZ!4jm+VYvIq_^c=wZx|RRn@HL3($}LR~SGShc*+%YYfT2I&;<^ zc*p}g#N{=V_1?VJ-413qJ}~$tIbuOq!mRzdvZ~KfB~{)U623?NVKwl^Uv+t_Wq}MD z0d`z}#VP9lJ&3l4#t$tuFbo>mpSE7@JUrk5G1)yEWOU!W@9f71F&P(RIJa13&(eO! zWKj0`z%DNLDlqCK{!z35sO%IQod`Am+Ta*Q{Hn^q5pLmNZDU76;dx#O?^rtS$u)Q1pq~V{1F$A< zQvOs;S88v+a;^%6N_=~iMnJ9u!_aj;uFskSYlabkCLebS5&(^wNUNAy8-{giCrpvw zPFQB=lNXt~>Th!V^Qj7-uuAdwlRK_keO3;i4^9gfqq|67N6&(Y_4CYjw4{wjZgXM8 z{~8-QKQ^{$CC2$R_7~-&mIOupPeHaUf8|4d6h5$(7f#yH3B;g3aAN@xT1GF!bR*~1 zeV0@Ug97`Qg6i8!TX(EpeZoFgMkH%Mf2bHtC@Rc!P#*ikUjaGiUv@o+lq~3z^Qas@ zumg%Ux3pdJOUrTh%JeEcZj6~YDg;y^pTmENdDaO;3GHmwL^o6Q0=y)r9}6!ZDuN$M z!31D;vcHZEk)vp1{~EI7(PAScMG21B=ZMjRXulW&e(aA?-t+m(yUS9pgb@6oS=drZo-)(!iOwP#Q zH}@%VouI?z5{fPEx>;g5FyI#RAlNIlX%29b{)?jl5dZ-50``){1DMK9bEO9XKPg)O z<7xjaluX0@pCs)H;!CdMrF_DF=oNA`-0}p1cR7E3Hs=4GN0m?s0M|0DUL}_m9CY@L z4>41aX#Kwc;zg%~x&@Eg%)>!baL8j_&I7c_Jiwpkx zbynzI@?V8(WGKNQiv-uoKa3zO$;rGxW65cr9Q}f!?fh2VSoMekBE3^B8^-)FI^ z-0atkD*p_atpM)_*(0>^xPi$o3F7w91vCJGnq|Oj_oRo=Tgh-cQG?`{lG4Qfrxm)A z@?Tb{pdLUk^WAPU`@dudOlW6VrThg!W!_(}A@_f*nlfP4hf6D^`rj6%;MRvtUOBS8 zXyTpUvQirNmpuKI1pnp#2PQdT8OTE&swUY3r1c?UJac+{6uR&K`Yk2@&&2}%a_25P zeRtL`sIvG6Q~`(gpVod8M@XX0H|=;dwZW#i3*?UOk?+(~T(Csd|G}HEiG|Skl3rE4 z?MMxhl754q!iE2iH$wk2-r&KvmJM#N#2Aq%U|fd5ZSdpOZ_^K3a=y;`i&?$`rSbpt zHvWiVpG&TON8biwuX_>4=SuhSalRG>o9f9*FXfmVWUF@LSsxyp;HtP?AT;l^aAQ&5 
ziR_{!if;AYtC}V%0jpZfB|qN3+>@X%w0qKtc+c+qQ5bk9AGfUvTrhO!tGQh-ilPNg zeAU^z#*yEiBlkaobmzYT{iPsw(ZXcGV6^i1;I|YN?TV$BK=r%=MBz zckBJ2a$H}4wjB5^QP*b-yKq4Kzt4UFUGx&xk1l%2NNFbcfsHyEFD>dbs@shJjyVj6 zK-Cj|{L*8quVS39g|OLDyq>Sh+PE_s@q5i62d*c6@HH7SZd3uaCe}?=i5D>96QfmV zz5(-*CP(Ul?V;9Vi91g&xlYpJda$6{Wpl8il`%TsG*B@_nXp;^WZ+L)ar~SUCAzM$ z?%K7O8|>SaCE4)+#`z!@b-~Q{DqRaXn2N_ z!Dv4t%@qI9^&{M5zX(o*w$oW8;T32SJg;AU{_&xMS<@@w`z2Ed7JKj=m3n0iv5}7k zTD7HvHhF}MCq*5wxg+l+P^MtDf21Os3}mt}g=w?Q9!c1Yg-()ou7<>V8q{Gu%DCP! z?>O6Jrl9rHY1A}-#5TItiE;) zu4eLVI0)I+P)6PW=Xj1fT@f%m7q4JB;)R|?gE8`A=&*5yfcNJzC3uy*=zUu!wv-#e zK7qaPK+^qOA>Xm!LyTf@gao$M!e5~_7FJ-;nitR%d;0yF6#7k8`{vlEZ804THfTlP&OR=%Swv~1C#PLum<8chbq3TQaG?ZHGw<^&w z)P)SZ87dE}C{|7L$-w#8@m`|bk;Wn`@g}4y3;Ri-xjz7ArjTf4Uzy($e^AGVcuLWp z@I}2DyjH*BX}SWhhpn$*ZDE-xiMU{^NYS|~E&MxqmhtDw#XhIw4UfFr(PF+LM{B<5 z8eOL%(PHPkMfHhQ2OkGC5tU?L(w%ARnT~w-@74R>+o13j6Jo?|Arau8`tv#vvB@k-f7wU?9v1I*zuv{%gPwDWwkkt+Y!@ z1GGkhCGU@buaPZ1w`%tAJ+yvCd&1y#*VNZ;<$L@h=O_PUYM5z}xSyD0?=G+!)yDbJ zlAZ>>6{lphX-t~h#%OrIh%@;)x+;ElAs^0o%sMuKb{@9&gECaew2lsG$xS~v&;?kv%lC3#7|d0Yh1LQFJ0h#3-S?O(Lr7hC1sp<;7i=g&W} zC%F~E5D3%krM|i^rYp9M^-SBF9)Fxf)LuBc!7HMuQGIXz7(!1AubVp>^lEaHKZD@H zwSYO$Z8sioHhRB}P$MOjv@>H1+#PfBV<|6?sWf}=*JnomR3EJt z{)g`qP{zlQa>o=-<}d5k)$UNh3RkTI4MeEI*Au+3Sj9un#&aGQ4fWY1^?qyC#s9ei zzT1utZI>Pj4w}N)2p)>?0=C=s3O3E>pMHiEU*}T%q|E<~xqw-8xK3^(Y}JpfDkZ}0 zW2qpqj56de|6}{und%NAvIPp$nirr0X1qiOV^YK&4LVLBpi{uA79)S6cH+aiUyNs5 z5kv2ExKxDRV^{W={f9}{(pO8`X|zr~sRyplAEWOl1t=|^G+4HIo%gtVTlI?1y_*a$ z0!QBJgA_m#7P3XMx^ja~gOgt4eopL9Om7UFSnlxuYVc&`t{qV^NP2@M> z6`wAVD#LCHPA8v+4TshyC(2i0)2L>sMqU2%{C7r+Ls?V6r03&3DOjKIYOOn@e%*>0r|wEA>xYffN(Rc=12O zi(U4OQyz6v^~*YD`RV)=5B5??P>)!2;dnh^J-C8}|Hs5W6K#-bk*Ic3u|;FDlgoL$ z4N#Y;--WC7;b8l@R*l?Y@Ejv9tj_F*ihrLVo(u=Dbg}85>PMGf%ZDvi>oOjq<;g9zpUBd(jq$Ki{ zYI^xT6jAI|OulLfQ1QbBbIe8Faat+8i6rn}I<)Tk)pAkyrKh@k6KrRZ+NzY9x2EtK zJQ(5Q&&@5FJ?D6N5~Zeo?%lg3CgAHC($q0uEGm#|)zP&tDlkT9MSbd7@7-$IxRuva zwC`QzWY`1#ezf8zA6gZgjJFOZ`QPJxKoQcA_=TCkjOVnnMSrPva1mnr6bn$?(Th#z 
zSOJZv>lm6|p@#yrFEWZcY+q7i<-Siq1Xo0yHS908;p?xQ=Fymiryi#C%!mf&m)?-d zb5`p}*qFInfMP-HDcaNPijj{S3g!{`;B~H-Bh+B8VN4VG+ZzIq`PONL<-dMA7~oY5 zTI!#jMDtk{@>g%scQwfZYqy&Xhc+}Pis(`IHbd0`vv$KJArt(3@2(B*<8lb!p2oy} zmt{7)@3B-@gU3FFuSaOND+b$@J*lSkQ6HAqm>0g(%Zbcrsw3o=khijD%J5d+l8e8U z{Z>3gm&c_uzHr*&yR@5m|2?h85U%qW)V&R$ID%%!6wZd4G4fjUXIx)XTfQo$TJKWj z!o#J7g!Sq*M3eD66YY@J8ed~9l2=K~SYt!h^4QoGGb0thM8>!ENOtpX{pVqWf9?}t z?WDkR*xu&Orerd z2^~@>ykS%5Gi`MuSA+K%WS80?WH?YStk>uJR}&Nj9a(WHAENUV!dCa4K}gq?BNvLS z%!pdaM=)1DJ$sOnDi!BneNbOusUvo1^fHNmwrZmk4#;ANRt~_xvR4c0B%Ev`%iugJ51s4E$?07-}$!KLS6HQ*u%NTT?Al zxaNooHMdbM!>}H(nrTa1z51Ey+@Jy@f8QMa{rcYh@6V4p_s{qkn94+r=9?M>CQw(; zikkzdoC-yWl4YXVl{pSvo8->kOekCL&=gPd$Ab=vu8jP%PfzZH1&EL{`DGfr0@ISc z>6LBP7~>UpNO44OHb5pUX#Hh(W3GUfx|RiXVZyv|#s%|967A%$qXnDis#I6)j@;08 zhM0Rq*_i9}@r1el*}AVb_eFz^-4#VC9b_O}F5KgnGHjI7pPBd?JT3cOLn$)+qx=s4 zs#L&4WoDj0-8a#C=P+P&AoWJ^!aehp{e?PD(;q)$Vm5xbo$tpOpGK|kS${c~b3g1! zBxI=6s5|-0{Fzt1QUxPl`^2rucl(bPz%)1YSu{40Jmfd#SB<&#A8|Rslx`~$a{RO0 z1{}Sx@tN~<+g_0@Ihauz@v^zGLd( z$Bfe4lqctYN0IYSa<}bV$%JmfwVhKKD;89$0b|UT<+VDxUQ-bv2s9P-b&*`p2dv-ru~JI{yLPGN#tpfw#R`g*k-)0^)c`-@2UtnUmnC@D*HsMvPZ)-hS`R+qF zEG~L?kdzF^kz6v!vlXlUZLnifj`uS_LJKSDF&~l&k#kz)0GHup0KTai8)nUYpX^DmnNNeLtm5hw@2#!a00xwUM$mfNh0? 
z3bn|+kwLuF{_%&4=Fxrperc9#e@9BInE#HH2R&F5AJlZ-NK)Wzl0rre@MX={WS5cjx2;Vf4+%CmC z6=7PtRx;mCa^B_K%b@$jzk;s|DRD&e^jBAb=>P4ITvI`I0~C;a1qijcK9UtEyaYt~ zHw3F7)?e}d-y#@oQGTh^C40d(iW!oN-{7>6vsYMn_eaAxG zdjfyry?*ZCWZb_vHuG0Px@B0DR{8doO`iAAMEDnJ61 zj9?sFtumDs1mUn82Iwmn>T+o?uWwy)rglSOJj;K}>mZEL+woB>I|YGubf#f`0w_J$ zyL6risp_pUG%nM7)VxS_KcCVcD3V~$g{rX=^wmz>uqD6fHv3};>BW!zsyOwk6?4U| zU21Lq&Iy5l#?F31mp9=5iArf* zPIFbr!eYuuE}HGLY0Qj&^VJDVk@aHdn}|mru7fRdN#|i%^zRqw@b}QjIZKc-Dum5n zi<~VNJRsSWU-uG5EJF#$y^`d*zVzS*11?&!_j+>m&oo($YYzckV$Hu-+7e9_8O%$bPmV8&0C(Fq*3EVC`oIEd&Wwke z%6fz`j@P%*IR}W@m=?b*>e@93`D}K2-WcP*ZC7fhGV%1J&Sre-y||C=(^mHn`>>2< z($!29wG`2dPrrbzTAl=jUi=VwZRNHuB)Qo=@N1$k3G4;l6YcMSQM*oZO>!+SPVd}3 zza!RuzkQLg=q@!X#!eAR-y3P44`#y2Z;uCPleZ;gQs|e7ze48*JGMNPL?N7c<>u@;v*xSV6fiFT2mFXzhi)uF94mxwhfV)i3JE?!k zcQq(;p{V1pj0`^vK+fJptzR9MMjs@yKW#*^wmIl^0XI-$174LAsDtLal8tDWb0^KB z!-i42{}3pds!VY0_>Pu!Dl7iw?R^Mylz!yX0G@*0WCmVJBbhiCfQ_y5$4vHIz-sS) zrrgmz7HdiT+vcEr5GzoKQ_!YFTf}p3O@+6+uO+LGvD=LSmXRX{-q+?I3>?CFq+1N8 zu6uXh_gA8TRi=#q7ZXOm4}lZcHc_JE5++@{#84*`Jqz0s659?w+LzESIMfLve~ryb z+66l-)4Hx`CY-7uq9ptjt+2){H%f%X5!*-+1C#$bHrk~~kXUPh^`CWmxoRHF3SgYZ z+UfFKY*@h{#gLEY&|fI18+UIj;IbaQ!53EmDhBX??G1lHi?0%#b0+XdjUwv@IM=#h z=#VbM9w4^7FMoo^3U1)G`HlrPRyly5wU9VVQG4fmLn+Sp-z(Ep`+q)nehgtr`4!;t zM3DS7<))1eJ*?t(%3PKe(ng1VPo0i{QisaD4te%T=xMK;DqgS9K82ltWSp7cnh55% zV5aw*z(Pih;Vzxb)iCg$D=dt7tBuqAZXYUU9<@J_=v{*{TaC8Z&BZh&`thD~1Yykj z58SpHe+nI1^I!V3Be|K==Lvu1b6Rq$M%Q@}nv)H|DTn_HZ35EiG9qArJ^NyOe0X!= z?jFm;19ado=BF!X_3gh{ELw4zw8RO*?h3M}eRdU!r$)#4C+Tp%^szF-f)*^dmW`{z z!4ke<*mU1|B$LieQ`W;k36xVBKga%|`WMpG1cyZ~F%Us`3P)011XISFxXkd|LF7xf zYGu%ME{cF(ka9#8)h3Bgv~{c-ga6zFrvm!>!ds97DqyBJuH zEnm<%zj_!MzV8meCf?ry!QXHx98^Vw_tP#U>6P-P3H>MogB5Dwdp8pPX}4461sx7n z=lCSdus5^e!ThbKpgu(8){$YqwQ=)j9x$OTq&4jXV=F^M{ti*G`nQfQWC$41L=_0|;o8QzI*wOg}zKq4ezHGj2z=kT!OXD%V>f^2% z14Pu1tQOYMJZ$puwqLZP-I``_0Ry@lr`vmx{VB^DXx9r!Y<=%q?W$dy`(k)2400+u zv7iq;#L!}nrF zrVFCX8tH)2PZAxxQ#j9JKp#J3W3w@I|D)hT#Y*S`IVH*deYnLX?S1pC_k69K- 
zxyYM?Guzjr%_x!WjPCVSWjZ-dqrIYrNb7gBaR1ZWDGYJ>gyG^;KEQTN6x%!6(w0Ve zl1ZCCIs3Ugs4_k|Lo0J)9AMNg*0noTsJL44bY;gJegZ^)76b<-+4d;BGf}#Ukr440 zHi?&Z@Ml1Fvy<+tBf&r61^Bnf((ucNfP?nl?Wjc}>(!Xs)9yuPmdU>3$>se`+yS)l zx8^G5uIg%L(Zw(Oseq|S?jfr+bqp|?5i_kuUk;3aCQS;Wv^x<(hJTtLptO0Dy=x}F z#nzOx<b~-tP%p0ItEr1~NHqNeqoE6;P!L+c>%<5W*k9X;*8vGYWd{MZA z!H)J{{@5Q_aNL70&&1<2n60w92AiT3se*mawu!%ZR^TSK&p28r-rF(HMFTR#%9_*0 z(7CG(y5%|F_BNHb^=KIv3|aAi%U-n8FscH}_c4w{?Wgpo=_pcaf0Z`Qvi~S;zJ6s> zy2oajY+3;B>&f3GJIz3G`Qt2WH-%CkqZPk+VaCUYgrH@0pNQ?jt5_?uX8w8&9uP($ zavI(~SJrpk1H4C=;bjcL8vUOqD3rWJe!vR5b?rr@gFVrj09#;bDbQJbK zAj9f*@tkllKoV10J|Tm|=z9i%DB2zbyvJ;m*!I{){71nCkNvVQ5s)gz!oypj#(!R6 zsv6l+r2ErSgaNHVUo}!LCHL~x6jAUvA}?{Za%Z^~%Jl!joF3d<_>~z!{_4QW91m1K zwqziyzT?A}AjccRx~E$T&NRtZb|oU2em=dwv%>#NnZtwzS46RQHq9NCv6VF3x$?B> zlo&XshBX6T1)!qFQ@TuFaH1%Q1U%Xxxj*%cUdc?PK8luH>1I0rMO9el9w#blg8ls} za>Ps%>wpEqR;IriI+wiMG)(~*U=|C*sO8{JXk6yCf#J%2U@7?vSyoU@IwZ;fA(HCj z)?j^#>dbo{vg1uY`tj~9Linq}?alIC-qVo@9QX%-h7%%rT5-n{@BUqyK5%Cn3dNcWQGU+wC2!ZM@{OQw~6EFMZ(? 
z6fVeUlaz-J{L5{mnb37ekcBo7R2I0Alj)7Q+-2tObgj25P(C6$6*fN3k)XMV*S}h< ziu$hqQqq@9p`}ii_$)rZ)*!6F8pZQ2G*Dgyhlb5i!h1#ET*U`qKB@p^1dx$`U{SMw z>ls1dw~XmI2k>ZkDNW#7G$~?u96S>TtVhnspC|ouszS~eE(0zFnLCouj}5GU7q&4lFfft9gd(v(X#IEw?{>GF~{6NgS%A(_yRHpPQxv>4dDs_JGTAZ{^dQfdeiDW>0_hr>~C85{aVp+lYf-r0F}X zh(3Oa#kOK<9O`8NHFzs;?}6(7Jcr-xswBYbftEhu(`s0IROZ6+H5{dIW&|W1ie0|z zp6a3enq39$twM^>QTqjXke-W`8HE%8ih%nr26q19P}wgd%PahEu?5q?qp{ECUBV^~ z%Kn>-A>mG+V^;)1G-t{SkXRkjcOjPf|9LidIwjuvr2>sqX#;Z%vn8{OY=-JDj)3fz z=2qZAM4VL9G_w1`bO|G>j!^!K)y5Zmyp1{sgyQu*^~#y6i+?_!=ct@~72w_6z5$Dp zgA@6}?;Jx?{GXU^eRPgxXO#a%?UDOg*5S25W*u7n4n1W&Yz!q+Uhw0Zbh|`lR;%?1`*cO{U}HG zN91G|bkWCUqZ(^)UrP{*sYEH12_-u&zMU4h{wDdIvY*x^D>cG8(Fg-21pi#tla{1| z?q%h2e}qegljZ9xl+Zj4wK*X*xXnN447z_w`Dnb?yp%aS9u%K~p7Fm#=vMZ~WEf;J z(R(|neWiOm8L@j!nj zxMm9&O$(=eqJY4gwFIQw){@h@3gW&qQX#9QY#7cTc<>jkb?FiYQ*Q?~v+BO<&4CAM z#3bU*HUfHxt57?DRD*>;P&jw1k=L(6Fq})A;^T-7@P6-*3F>hdw*TFpgFOMQxcsd- zIHUU)Gl-C`Nkd18O^dx_T7dKYl&2A93K_TNa4gX%x8ofILM z3ZoVNagGk4*PF!8(u-w}mZO;aSP+c9mW0g(VXImH=(M0FjD$pOp)fY(n@pXkUORQB zP$o3&$u~*)p_k)pgl=Nu@#Gp@-lba{z3*VN5Wf~J?IcdH#Ack{`6%lq1+8mNxn^Tb zX`1Y{g{#@9(6ig`&s>BF(4P5&#HRH{Wc*cd3OP%GB7(n0FMjirZEtX2_=-k93pO$D z!LU!{q%`9Z;z{}ni&_?I_s7a6x5q(Eez@8p&-h5ANv)ML z(ueXAivsVKBYC{-OYnV6u#I>DLQf-OjW4ylQM+43kZn8V>uAN`Jkh3VsR?5pvyB`( zss=us>JSWE%>dZJ(78aDzf1bR;G69za-*(J#&2fqDxh^OAYBgk=Sg;C-_vq%2SdWH z!IN2ftIkG((#|Jbt7gMWha<3Hn=*}+RX;wc*{k%mbmjq6!$P>4D6oBeW0s+gN=(}? 
z9ZJSOj?NvsyR{K*F+Q7YAoQWsfE}D=$xo8|aXlLc+ARGpODRF`Q45yFeGqTw{?0gD zLomA$GDyBYy1NhS1y$Uic{g#+4dW*GvnI}^91Xs;DGSlZVb8D>-^!9$kS}J}ODfM3P_eHr?Q2EUwbhx@k}Zz%XBVz$^4I30KvnV17j*K*5Fi z&ctk$HQT3P+lw)9aN($SrtuasI~!jDOp5y8il@Ja=Kg}N2@G5}zbnHWhy!!WWzqZ9 zk@)?WxIk_n8*5PUzwtYDAd;6a{GHL`E+Kv)=X?KRw_xK6lb84+IBpzJw3vK`+We27 zhFnC7UaWie3{lWqe|T;Z^Kmp>U*Mo9F3@IMd@G!lMo1Z|eD0i3h;W3G_E0f*Gb;N% z`@>#lIGGOSyh9c|mwNS;s@Iy%S2yk+E#=|kg{fw3AUxQ@#}T7~c`1k%BIYo97y~0e zYZ^)pn1(JiC35qhvNdmCMgu{NcLwFr6|%4qm1;yby|9-?Vf9e|N@S>^C3f4vIl`Faf`t+FMkFQ+FCga3?E zpqh2m)*p%kJuf@8_i~SF$eU%L+dEi|m>ua=vSQ(bPu_pz%njX z*gS8eZa)O%9xj$!BHN?me?&u-33Q{t#T;lAY5fpZC0hQ`{#pdBsI!!04Hne>)kE-= zj#CJoQb#en8Xf09tjg*?tqQ!lK9pi`zHF`(wdmt!lL(7i|7z0_VWRtttX8%4J^l8J ze^Cyg6wAHqJ^thId!3$2WxupP=ME0zUc{I`S{?$6Y#WR;Z4CKLiuLNV!h>aAfq+N1 z?RUX}#XEY0pjcg%=sJ9BFu@v!_zK7!UP$#82H#y2o_|_~X|j@?f8MH4m3KfPqrVl8 z5{)FjKeTuBtHEzvN)CY>q~Or0nt99Yg;p%>SGRDGMcJ+lEe2GYkY_zP`{W*L|MS)k zqK`A0BeCfxb)sW0x1iOA19Dt5Y31Pez^O)-nk_g4sBo%XZhfP5QiNh={Ok%Yb!pM7 znJO_SLWA>Jb-m)5ch2DII2DJ?)*x!w@`zjr5{+M!f1VedaP(jWR2^J9tHEPhiQLb@ z@ZvYDE}suFas8tOIKH_chhL9z>bWD`^gb`uu-7N{cyl5(vaoF2L#z7P4HAx1GMs33 zxb}Y1U`}E;(E~{G>ihSzNuHn9jqiVx`JhAziS^_3<3)YUuN;d3zLTVIwtZ`@?C=cl zhJs|74&`KkfuX8SI*RQj{GM2A^ludlsB*K!kmn!CuG)MkYO|VTj0!~|TDW57L*u!7 zBXJv^Gd+Srb;cHVE)rD`=@|J&r*4Ms?n%e`oNBH1)bIV!ch;o+Z<(KS!$vhb4UuPi%%lW7{Rj>n8HcMAr}7k_`5&2W>w% z{3vX5TQofSB8YF4VIagI1~nr7`RT;hY>(DzoU+TGocZn1w6@@gEKsKZTx)0bEmGh1 zKQa(ZasVTFdI_&$+rEn^hSk14=3+0|bDX_|*?X@|^1~aqubkNLbB{VVbGiWxf%2+e zbI(U|?aMbQ5;Rgffj76ABgOqdwV?w9cp;J5pB7k_$zGhTOB zt|#ht*v#~|EBIed$SXX~aO}tAIm>T<@TDF#g~(t&$de++*{f_Kh0aTYfCmiPmO=WGlK;W3Y+3TNy8L9dm0E5cW8cb(@eg{yr$hi z*C5lP>}f(iH`;kcA88&Jqg9Xf32F7)O4BEJS`9eh{7v1Bmv}6%|D?k#4ryc%`%8$f zK%w(zm-YZrQ5BXnnS8r>X=|Qc@0p-O?|?|bz9ljI1a5r7W0mluj_V80>zk`7Cv7Qb ztKV0i+qIfTBpFT-(X+q~5rI_^&z z!vIAhUs40HO*AgkVId*^O^3N)KLDR2i*2?pRl)!IX*i5e2X!IY$b!G|C#ovAV*VQR zQ|W_`3f$I^u6)U;{5TpNu-3CN(4xBzqxLCil1W`FN@#AvhBUpYXXb z?RK5>_@F!uz4=8vs@D`Ac96hNC~afeSI`~T-IuGT$2r?fpRhJBd;DWH!X>hr7~s`TpH&2@-#7Z# 
zOht!pOn6bB#~yoi*K(Fgrpb#FDX$ECQ0n%qIRVW0SKSZ|nvw$JR~j+9M(@xx)AC)xe%ew|r`NPaf;%Y>bQkE_!-S<7W?739 z+pAo@J8+f5f44&&AQx#>_IPc=R|Qg>eX52(nl}FAP=mPGlc3Dzq+$iV7b)Tq`$O$- zO8MeMV?o)2T2;qE0@1G)fnhcXv%$D&iNW?196C(zs%yOE*+P#8jsZQ*?h($Bi2PG% zMb^{A4@&`7ECe_$DM$(nSD`1p{jXOhhz5ePf#K}U0{MGg>9H?e#;+qAAE_T+g!NWl z0tl*_NJ-(JdD#mUWr&LKIQCh2T)?ub?`P9?=gh*xJ(Ivs(gsN?Q>Q<{Anu+uteZ^Y6<3~F**;N<$~D0k z)PCGcfs9_6f72+#YypI);NJc0$zaV)B)ci`o82tMfTG+6XQ;7!zHBw6yN}>C&DyZr z8Mv%%7*051B${*{7n4d*CUmc1wID=I#Ou$_@}_U2IGnl09H#cbCNr(@a%_{55u@dQ zR52W;bp<=`v578q5gGr1?j$5_vgoF_vaIa9UHiPoQs^snF9&E{|;Gyg%Ms4*_jsnJhLfda#OF3mw>O(2wwQ*Dfoe{4-O_$*I+IwjKtK z&2bP>WTJ%sg>im7UbcV!4}=;O5dG&(z&oE8K@yXMIl}2)7C36#u64R~IALi}>xCE~ ztdC(&Af*qPshmHtv3?7&GO;^Lt3hI-Cnr9d&-`;{MLOg?(YDU+9^-#T0b}3NCk83n zYzetbn2jCXMUM%zlgGn&bx1qO`_*G=Q-s7o*kV<#b76y*<@k_*cdE~&JGyDw)3A1c zmrzfHWJdwmI3YK-|L8+Vw@8EsUrUR~0C~XQ?)i&V&G}dN1o34xF0?X^eZui$Y_>o~ z$(x4NGy9CHGpnW7-gyh@C&*Q$%#qP_LR+bP>t;<#`$$*>so7@HRM1 z`wQ`@4|i6ZvT7he3I8#wMCG`mU5*6zB~B@^_WFNG1Ei{=FhM;XW$Lmq_;>J`edN>a zUb87(xMp|kUM4Fe3M=a_H|2fEj?@pCm3c0MOKJYnr{BNO-u?sAegaqE-^rOiuJ#up z8;{;@!t6?ZQ(D3VFa>I#&sUlL!0&ViHi4n@693t!Q*pNwzz>XF~SGo5f zPytClEBui|plJ2c(-rRNUaTU>L$!#(Zuz4pTj$j6%(B>0)o8`-L_~O2h?}y{$bny8Qt>NRWDzKrg){ z@mLrf`V1~h_|Hicu%??8hV33r4E4CqM`LYVV;Ctr`t;+DSRO&G*j1OjdfdB$(HOooi%zhv?G+PF+d zq7XKf8f|SUWY;at<*g0Ir(ImFh$g+T^NKti! 
z`X2!pEU!`j?APJ`JcU_o^%c=e4VanHQOtZeoAREZSEeX-SiMp5Lz2yR)8%c9kJhgF zp)CrOslt}m$$Y#3f-F*nGo)3QDX474v zq|8?}SD}%oD|_cGm~@DcNhT`u%o87#`p+i+DJy1nAo$4WF^TPc-+izo?e z-5pV#OWp_?ResRjCZCyk4!{^5!hb$_fufw^M*JGH_?^c@BH`yo@SPQaD^E-x;EG!Z zVC_q>N~}Qfuw_igy)N}4wv<ba2v8Is(lVvSaXeFg})HW^X>OackSw zP}v^lD|bD`E176+lfN16|E~Atot^oC5sRlaEC9gz>3y=>#ERAqwC`PWi$&Fyj4ySa z02g_C1K@JHJ2DVR>m#$h*qe2gTKJ3FwTi7V^W?skV8Wcr%IK@2J6{DS^fm+q_7c~@?1aLmSj&6%p<)hFHIukW2{01=n#e6%=# z91*eHwK5vBY65H`J%~G?%V#x__^m91BH)VFbp{CZaWkuvNXAuYc&=deUU^0WuO?%e z2ri5p-WALJT-bG8-ncE?23oe zCP|+g2V&n1)|;{;^gSiJl7BkjLZcj$uD)9G@g?AD(iRNK{$@{%{Wc7xA7Ess0>G!w zMKc{sHCKSlw=_OePxtFzN6CoU@&m2F_V*CZ{>?Vpjk8|-BQJ7^T2Qs4S3Oo@EY0@n zvoe>{f_&AaB);g6PuC{2%Prm(*?#oi9)uz4Tv9<^>pUr?&~#+wUvUA0#GYcJR$j!)(sFWdt?B%XTYsd;aAVxO`bUT_t)M+!8Uo9>PA!^_$Lr-8 z69q)h`D*M_PxyxKd=>#P(XbaV>Tc5G5EXPI--`p#I^5yY(J90R;IE1o2_UR`S?`2l zZ_+x=-n;Bi-D9-|LQ|LCswz4_g6N+(E%rEnYy)tb&d05a`d(lW>M48d4rv<8eXsAt zsj`_MVKs)nf&}_1l0rnbyLj~h?mjNNDKpu0NJf;BSloNxGxrgt#!>TaisKGgvmEuI zSimPtTCcBRp`wRBqSkw@6TJDvoYzMCDxBaDOl2caviI`t0gMai=uAX1LTY zqfa;_cv2kd4h;&EHw+uSYH)l{js|m7jp?kSNw=&p;MJj3r&W`VA-YUAp=V+Q@!9xN z;8Nl=52qM}tl&++#ZwMVp3tG=-Kcw4-%MU^QY^S7HzKpuRrAgCA(r}@C)&%#QcgY_ zo%u$??hPBSAhj&-oTJ%q<*sv*>#OSCfvN{{0$;`sWgp!evvoTrv79dD(0EAe#c`7f=!q5Kw(o zufj$6X3mA;=jL!X!5zX=9>gN^=)vZkK47fOqry|>+6kMjc9>i8$KeQ)T0HOx_n&f| z@h)`1kZ72_0z@6&8odgoI(>ZZ?K$4c15>ZS@%+*iRVAiw!WK~^;A8hFm}+zlAKvdm zhAjbMh8Cb~0Re15ey;ogn|-jVhVlx~is$-;Ttj4Qx|UAe4A|z#*#7h)_zM}G47i^o zn3s%V3muA4f8dMpun~+W#j#%oK%p`*DMStfN`*IP>Qmnm@j;96iHt6|s;y%}oRM5c z7&sm(@*&2Iwx)Lwrvkdpzw9TVee?n9k_P42foPWHC+Z@BEP2fiC=6zCN@|?R8v@kb zfCjj(@+1j$!8bka77+}k@-_gJ6-av>paR=B9!p4dK;T4u2_s?k$088frFa_)i?3#f zRMOT5TmB@Re0SiH)o6We^K+i^gMq$1Byb*We~aj2ZstuDvoiBumlz@sNEeVMP-mQb zC3fGyPULV`P3~H^W0ygL$LE_bsXoh*LW~9H9xzQ}a9BlC#5Xtw!A!-zpEBMnriM>0 zk)mo@cR$(sqEWXlnv=Hqq3dPG0JWEf)?8mk6&km?BWaT_@FnUb8v|Ry50~gQCYQ;* zE{U_XS19n(0fp~{jzDpcqUFnhA9^aD3!-*%OVJi{1y$4i!JQ|#54hoE%pJF|q$5R_Tk3N0;`3b)Ck`;pq6?#%8tM{?7$e>|7Ofb${D_HJYL%Vok?F!2g 
z7%ufBc%1D^37TXD`ypf_2!-pBu`lS!VcddSk(T3C>9c*K-?OUC`VKGbU5j7$*-fZVo8j=yxrfXEI*O_U z1w5TvilpTh_$Q?Y#`${Aqe34NdS_{@;5k0?c6J^T8Bo+IZEw=aku!6=R_5xSD!`li zg7!0%UY+IC>p0vAuEV-6fbzr>Ep&KB(c_f*X&@2jz5MSCK~Ha*E>GioSBN{;FA-zg z=~D_73*mUCdLOIK9j)eU4v84;3()e$31VxUkOKJ!$Jf|lC^oFf1Wteg{ECS$-_p!l zRQLx8qvvcnXH5-d9=4o5q4MLFBYwWqNiwnE#XT1xOK&K1UU)ud`ZB+fd1d`PtLo{j zanXqDxka0`RC$-6jW}%To<|Zskav|(l59J&=K8+d;bBACZ)CBVx5s_fF=+4`R}5B* zIU0}|eluoN8Q?ZW17n94(Kbrr3zT-E*BHplZx%%TD~@zixmS4(53Gsn@hiP~Px7{Z z8DPuycp~754nUVHD7U^CTKu#-|L*gGNX4cEAZw0k2BI0S56xF6D-R@`zcUEB!@%N+ zpBcVbluo@pZf=t|x1>%qT^g{LUw6Zd-iwWPR8I_uu5bgPfrOtwD;+-gIb?2GC~%Y* zK~wa36et^f*SG!$8sh7X2f4H_vuU56#U06J;{#F3+)e!8H|%m)0=kq!UlKVNidRm< z>4qAe*7h^^hgFYhj$e--_X^%9ZFl?v3_sn$9v7>U%)6qM){(R3N9yOec8b*1#1Q!oX9K&9Mz25i9fpx;AJY zoF_ZJ1)(CHA@&zkvQj#XX;+{a&Y-9b0p!6IZLy)@hvlGIm;$;FzSWWdt9QL9)M@X& zuAFkW)ca6}D;N_$?Z!3rNQ!i@YpC$t!V-LfU^yvS`SVD4iZYl?o({0=BP@OF<|NaF z5pqMA_*o5FDP>QG5JUGg%1b>wr$5^4m4H@u`#jKnj%R7k&} z=?eHsM=O>@{wNwOU`pu^dvM8R0IqYL3iZd>@U9!57@b8%+Oh81HXfP@G@PUc(oncI zlAXVIbH}Gy|C%b9w=abAO=vMuGK7?qL=No}e^kadJ2~Dt%$S;mc&nxQ?Vb;Wih_Q7 zGrqpHKO*H?yyWIl0X8fc!>xPF!&k_po8mR4A@T&y)%#t#id zuo3|;#u%ZKSU+pHA~(H1h*f3f=IvMrGsi z*Gx?>*OrNOJ{I zK9e@t0-?U=Q1L2uf(Ffy{5Zy*EA<=``=Y`%JWlx$hNVmv0AuLObw9QhOql77_^<5XA>3eqbUnxs6#m>t7r-8lvHAFc-H%r@ zynUPl*x~*T&w^9if!D4%wC7zL2^pcdT1a$YCotQ*L7q~#H*Phx^mZ(20bO+Ctn2~6 zJ8QC+5_f7qh0aS*^9*QJkticl&5Ze80Kg-G(L>TzCYnY88}%`ML_8$#!qu8?NwMaU;`ib9nK>&MZ@oo$Rs@1_$wINb%-eTU#`CyhcKX zcZ0_+HZGhDV~lC8}2m5!WOp89MIZZ!0`mQNNHR?6ZVmVzKuvfSb{&&}{@653cF-pMp zAtvBCfz_KLad;62AKk<;x-JEQ_BVGmiGth33&vS)gKr72DT$vx(@VqMrjX7Syn%@t zroGbExcT`0G<~aPDMJv|;Um3P^Vv|paC&H>-`6$XZH{~LUZPXiAK0OFB|xA1p8agb zpUQXv=2Hi(G=W^EKC7S$i$nY50$8047+HEf!Ft-CE~8SVT9|tE6r(>7NBZF=>(SAy zlSS_;enyzJv(P%z;Ld{Y{N1$!_`$|quDtkJtJ zVa=a&gQm1)q(N4&I$zt!ZCKmbnlr&>@CtIp0 zE4{3s;1~m{R-hzCKjyY{ZIjhBWh>^bI?p$}Re=8nOD!GTqiG)CG#r zLhC!|TPMewJ`|ARDXTOBE~y_>0>K$q>cRX&2gp9Sr$+W^t>FX`+i=#*3nJ3~+ZWL< zR&hIV1`{^V_GB0XfNIN;f)^wIu+2*c0@{Iy1C~)A%4jY_d0QAvDk!Hd2N#OE^!zYO 
z`U;E3W5*vnE@E!iUpBg+Ip5tJ+4+phRI?`>S{+9rASTmI+wi8}XEC`j zCG)7F+#E5fb=u==prQsu_x1{{_=5mO9IWfNK9pI2AxlMwmj?srlqr1sGK3m#qQ=Yt zQeC&ei7B*HEr@mRqi`5|7y`2DFg~Q_^hILagK`6+S~9{q@sggPcq#rPM{`!q@`||r zr?KnCLU$*ZVgw#9n5XZ@4$b-#H$U$FO0G6$&gETV{lb&AX@6{uB6o#1mTd6AyiwS& z+TUfQ+j&FQ*&%M>sA5oAKtSVx?>V;PS()2SXwLY8D}Ea7sS2{HIbr#oZt#EON}%}D z)8vTwj1gtILpD(rxkL4Jm+NJ8B%Cnzj44*P+fQEPdxY0_==&d>74%)v+Hoe$zdMFk zm+1Bzk=!|hFUX{`t$E^W4LzaH*{+G`e~*X%rp!A8M~7J7v!-eLvqUREyfU6JPAepg zp^6BnQs~}YwOHKB3*K9k(J_p{iBVNO6($`t^6bXog6Tim{JHCTt!#!Zkwk!~@Sb0( zI(%=#+2o!)&m9Q#<#9a<96QTfXvF&XfqtR4DvR7T@#k?x_D^3K#_a``v=DvdKu@X`}&-( zBp&l?&W{`oOgD+oeTtuMcpfkAPG2}(D6XrhuudAgPMR7^}(Mr+m zB@?~Ts@YbYj+J&9nGw?|`n`tK=7BSIUUuw!`R_?RlQ8rYJtVLI5WhzMwD!+@SBug= zv)a$<23)YP&p|4-R&tVj8B4z7-g2-`2j}Q!77PKj{v7&Q58;xU3N(CloajT0a6j*^ z##levrXT#dLjNX_>Q(lt>`3cXYnLeN2ZlxYuMBfz6*Ii;MrD&vN>yu(WM?+`qv`dm zo-T%Ldo>kd7%1K;K7g>XezYe9DF6*-y3>YfCq^X9FVXTRt8Tf?3c!dJkG%%jMEzv{ zGP@J7N~eXdr|b7t09sNC<}1Rpdf(3*+<#Ec=t_I_#9#$GiyX$2!K6B*3im`kA6xWF zHwLyfIyI#$nR$J7b+`LyODev>!997HMFeiU_2vtLtZn75boMI9NG8)Jso)SXCte&! 
zFJ};pft(UFeQzj;I|jsP`Q((KkHzGa1|R#ptD|m`y=IMBtlujQbUi43e7dm?*=D=9 z=F`D9m^veIWdH4{gWR<`e6hg2dJ@@`zF{G#D98Wd?JdKq+}gI$dlI66G}0kRgQOxL zAt5c@H7RLOLZl}u5=tp0APv$D(jXw9bV-AXbV*BpV@_~A>wUjx?_>Yke>m2X$$gJ; zjVsUV9M|+o%EhN#ymn-*PtwG9m!-?@`H$aaUJt^4o9_JFrxGkm=QasKi)X;TT9asa zxomF>e5L0Z1b5*7K~BPIj+xOolBx3>YJ%X}K6hboZMVQG{sH2+sOJO36;UR0jvp+b z)oKx&1sC_MwVqZ{xHsJ8$QOMn8ArAarmH1j71NGQD~(*87mseX4|&mdG50|yw7(=};9H0{r0M2tEM zKL)c8zx$W3_59gx_B=h-v)vEvAZo=gTL0M@*eYpEC;cp*uHHbu=lAz<0GAyHSXRj?>)bafZ7nRvzkl9-%u;-`h|LMbmw= zU++~zv~jll$I50SYq#9oQUEP0Xf$bmymHlh{A8Yvk(({;YbtSYI(*Og6zVcQ`#}MW zY>6b|)Hrs!1rI_;WKy+w_|QQyI@R08?{+Ylhase`7dd~_V8`M;T9bXrEymwvQT-h~ z!Q;x$qmN1Jys6nCvGg@qw`B`&vKT9_;n9-7c=q{fTNoN?o_0R*^t06o5B;-mo={`P zq(6POTxB&SYAm9C%D(4V`y8tk@8!IYsWM#y;g|u9y<)b{?<=Eaa#oq})weU+7_y_#3zjD&Zl4@szN<(&h388ASm0z^ z`EXxjq>WVmiQjPX6-}Z1KQI74v^t+9rk$uZ-Txn!=ZI9W|805HuzXV?mX#pslt0Du z@lsfQF$uDtt?ntwHGjgo{c%MkLQJo9Y1yFgL3^TX^puxcEa6CB4BJ#G<%6RKuQ|DX zSq9;nikNuZD0rVcOVPxf!KG7$h6Lrx9$hP>$)*4ySrdEov>thEdb>-Q2)$t%%h}f; zgp9dLOGbwL>p|kh)t+ZgwF`(f_XE1c zdig0)uNE_wAQ{zONT*ZYv?OT4H})(tUVK8*q+!copSrjWpW@O)L*pUVtRi|-Pwmrh z#Nm@76HaHT)W9hAkdfzR{WB~m=2BBs+7EXnioIu|Qn}@#Y?x5(@weev8<|G>G+&3E zZz2kV1@6aYagE1AOap63=gWz5zL~aGTgSsjWJ(m3M!7zjXz*I{rX+*$5GNv!cIr{; zFEQEK6Ko@@fxsQN1bnD&Oc>cu*uh%vizR+Y;LuR#wd%IrkbJhEyd!H%S5e|MsJPSL z9BH$rnaq=v>!*55$dj{qMFjZTUna1n4YwuHRj611%8G8V-;A2wh@lpach{Y@)qu^d z-{CG?891=p&->QH$KaFZ*E{_6K55PGb++f?TYf5=F;T#hq9Txvh+Ru0cBb->tzdCi zAuYhcKW^s6WhQiZ@07eq^0o)O%nMKV2GM7%+b$TZ$Oy7V%D+K($KmQ@0nUk)+1mEL zLct_OntO`$txsAgn%b-kjA+-TC=c%jy=D)Q@J|)oTS|Aebb4|t-`biZmZqX!a_Q>v z;qp?#Hst`=6+n(~|}rC_htWht6XV(~V%KT`xvjam2w1xAzJ+ZMNn=TMaL$gXs*vE8m_ zkhSvEYj?vtWt(q+LpJ_|4uKBK$HK70XUGa&+<50z>Y0iy;s6v#weEvaY#N|zd(ZXs zV4+s4ac4kL;L&#p{YGEWtK#4h$mmFT!V#X1E4L_N6|o?Ss1FUo2ev23zlN z;I%WSP9ag@5LN8PM+>TY{)Rw1Ml`tS$fTtBMm@C<7U#NCL^4;6v#v@o zjF6&zDVClYponDXePD)ylBnnJSo30#tT#3gJLXUoN_twZ;?dx*et}+hKB%i$m(AFj zoflinCMHv%srl;H&B~Sua`y^N5r@**;Ab9FA?Un~ghA@TfXtgL$`MOIH*UZ8X!p*V 
zZLW|7y+gf&#Uw4y25nIo2<}sK$I-4WWSV2M5sRl&$xe58g|XX!}1P% zQeQvqQ-9dxq_J(ap;6^un`!B!S5t4kra~>drh)-pp%V2R?H(&nd8LZZRH2!e&0OKn zfehNqk=rDN%ap^GYxgPAgI7zIu}1fiWQYQTj{`_lno7_y{mmZau}^-0egjzEX6t|^vi@QII3?$_BLkNp76^zYhUpm*M9mFzQ*rtRRsg#?I8 zET7>@B?vlY0gSE|@wxLFMG$!*dB~rWxz5-@KtnKmYL4L3F@T;7$g_N2UK!4dt<`h} zl#cZRe6c?%cCWZMR*0FE9!)%6ObtAIlNSfs|8&UPU`i{Qz_8r0E-@tm5|Yw^F(|5<{rwTht@KJo@HY2DzBGL=}8M1$oM`faz^KQSv1ud zEB(!eH7$v;C<~-812G9IPC}Qu;89=rlIQoGrprPrC;392G@hv6;P835@73u}&YSda zpr)@9O=@AUR+Yo2QC%S4aXc##9m{uz_HNM(pUffJ@aQBL>*)4uAR8kx+6K}3gV4+l0JV(QHmR;2lZ1>-L3`1sW0C{rufoa{}^LTyx-{QZRv6P49Rtz8?q zcX6$8;r4;oyAbb!A5d6t;lS-*!5rqh-j#G1nC*0y2cC!lVe=b{c^n+qb&;9**y09I z`|PY~grB`KfogxokTov67|Qz@)%BJ?+;YW6+cG(yuOR_+;8=@D@ub2Rp=35RR>nj`?&(XGXukI%Z%w zt%hQwRT~E*r#r&K$4@2kyVNZ@O~C@OClAac+$t@pAZ^w;m+TQ7_^U$dEau6YLrQg5 zM*%w}ycouh57FSvSFohs3aZa3cRU_74gAcY&fIJfgSPcX>QX_8dHX{QxUn4n)dxz= zKQJYX+d9Z(C+mVm{#4lS6_IivHlNB<(>rk8`&D|SDS7+PGk}=qVh^pJI=A2YXgr>I z)F^&)&s6Uq4B$3=kDYf}-%j^*VgauL}M&88)91sd^m3FO#daY%ThCuM?*I64tr>KsYxJ@hR)3H!iUuIAfqO0n4SE-in$crvG4TDsm8a@~JZcyqNxsm#8ekNNN<9x}uT_bo! zHcOG9x?uVR<#DZ`USM$3<_a@R&OrVSU-x%iC9kG|&{wX6#jg9aC*MhnebVrZ{hNm( z9P#76_0YU!C=a#X`SUh?EH zYv;&*t4|(PZF6E4-+ir|mj@yArbL+*5`_?gKpw>*Y^$U4`csP;HN7LeM`i|A_NLPahM!rPjzU*FeOaIQfjUb`q@P zr<~ZxE6JL?mNVI+MQti{YlCvDq^nDd9;V)oqto+OgZuf({(w%2Lt`8o5`ftF^rrV2 zRP3GmzOe@Uv!DKiu|~+Ej{0wfkr-$6;`hDN^2fd3@&lBQ|&*%k}Z z&KDi2oIw@=3g<ukNzqB-x?!XPhBvPAby*>68bX&EOse`mjDXB&qBF7HVTT^nlu)M$k4pM>OOAnWrd zsQO&JVm8>ff?`v6!iwkx*pxaA*@0cGIJotTg*ZM4jZZ=NVJfj7DwPt&Z?`;EiBs>M z*-d!RK(G*&sUdmjW#oy84*?r-#3lRX1L@wgz^_wB0)3_z4|h3m$V(oGzkOqUQ^B4a z%GZ>YNS&A?Zt^~brSuitJ5i;7hX$BU+y|bj<{)9tnC{ZO$}ihG?sNGsm#BBB{3S3r-@kb(ZVZFS?@KRnziH-b@_cXbPS>@z&w3On;zPxHS4+=7qvN0 zKL;4YLg@CV#|N!TKgz0=#=Rc6B|j}NX`B|dn=G^)D(S(AxJMb{dryBw(>0! 
zcH{ItzViIp!6WmDLVN!({6~ca1(`ChuJv!tb=qvtceAB-PCSI-92h0q=)ftoaWI_Y zt-(6b0>V_fgY`Rplg08gQdZSFm^aj0_&e0J<}3;(#SxD+U-w!VUQ_SJ>E3F+zJ2IR zEBg7p#;ABEWdiqCfylse1!ThFH41}cqVb5u#T981();>>80kpi0y&#Wf0a(H!(vX5 ziZt#4n81IiAlxeWMy28$(gk-5Uj zF*p1@vC84cBhH0E%Ap7PQSCHIYLhgjgV$##rC7lyjfAak<1$ij9y zzeIASJ7&?VX5^HB+3LY)HEltLYv*&g^OzBSfX4HZckh+y7NEI>aQR^%2(P2Xd~k}V z&Momt>q)hd@!^P}zvi~Dw|W=q`q|@e_Y52N{fIjs_Z7|D1A6hLUu8Mt62=j37PGOa zq74nwm6CdX`>3dkmgiD21^>go$!eD=3sUCmShel+ZF9>jD@INS?!;f>`K|E4tkQyY zAL?K;0<)+5z^?)CjL|jJ*|6D5=ldtM_KcGT!F2Op-Omt?#k~oq4=s2i`4%zDu%^;? z!rNZqz&-g67k|91JQT=qwoIyKA$fxV8IgKdce+?WcQoz&6jqTp2Z5qYk+rUY%`YD+ zCG|&(p;+8~`pWD(Z(5{B{y8-Wu5b4~PL+}Os!!<+>foG}Za!&Z!r3f~_!m;xO?6_E zZX-tJsMc?wyGg7dPMUjif?#lv{GDe^LDfoud(#}qvRf0Gq~km}2877%55x)-n8z^k zoo8sD3!D0?Pr`;28ViH6hLmT@>4Wy9HTv9*_w}wrq`Gr@{cnQ;9yBH05ReWleD@P4Q-i<5X?+)M0IVQU=$q!QxlD zER1j6h8u1pJ)jr(%U*cC>Wm;SaP3=t)yoIMZZG1xk0~W75095a$FXw|2_eRVt0{XH zSKp27yD68Ouk9#H;f(dP)?|WCMY0L9o0K5N%?tiR`-x)D19=s=kO;{w`v2g#83XB~ z5I}N^%6f$O`)>Nq&4~}59jy_U&x|zQpDiMnT@xuM%W)bM*%(OHJ`TQ_@H8i={+MbL z)fb8IJ5ysM`CZfm677{+YCfun8;`%moqhYm&2|CjU4pj7IpU($m{X&@|{12$1}-;RVBpMyEty^D~jtzzn+ab2zGx+aI6~hS&KI@o`a8I5VIQ<#CGngEjy5e`MmJ~i!vFLdCDTuDBxbLk;3X;>4R08MpO`5Ta$b`51eILQyr;`uxA0s3=UuOd~NC#Oa~+&3)ms0 zG)i-ik|`oGhqQ0}C~g#VNX}l<;UULAxlbR$g!T>4>Ene8ZeP;NAFoZgt+Bs8HJKSq zt>^j6e`bJbwtc{f&RgK7?VQnrr_yH|Rf;&_N2evO%S#`sB3cP7p;v2^20FcQ3UuDT zO*zfxeBSSqnjF1aavk2u+39-Q+t+j*eJV2~tBbTTPR_;7={1+B1?w-qDKFRXG5&~! 
z0+G0WdK*%RIfvPPtf1+;$4Ly^02xN)4MsY7u~MxOBq%`+aZZ%bbofBU5*7jd0@$Ns zYHhp?>wmcb>FA8u)@eAwi)aj<5`SU3e8t+C?9^(-xbeoq_Uh9R+njdT^RgD z>J2RJW8hZBN3Q+efX2(Z>$^>8B&>CyefU~90rz-?;Rsdvp2K0dnnhQ>{3{Tr=9H2B)1v5iYX@u zGgfkQ4qhgoFm8P4WBBs3^rD>|KKW5|WEDll;G&@WOtJu4n_AJ}{rAg<4tu$zE40O+ zVUl{1Ss=klTCYtu-2IfL(pe&H7*rZ_$^|pPRcYv4@p^L`=`qi}!bX-6Y?Y+@;=6o3vL}tz9XeBNOnCad(@VC(F2)aJk{?#vb+Am!pkFa#z) zTAf#q(znlW+tT4&WJr`Y5Fzlj%x>x%7c+XloQs+Gn$bD0kVT!UJngEm5)~-0jPmBW z+y<9dLT$nl*)nT?Z^)d=XUz9km#>Ot#4N1(wqpO{KZ;=s~rlk2UIFGTez|=zrJGTOjA&vgP*zS zSy>-4-g;UrDkgkJ89f-O*Y4F*3BiRFFQbD7=#lh$nYRjC*ZzjFRql#PmLIHNdRUk5 zA7FqQi*wod<@OTk_YU%kJPQIwXKU*`k*H}21qT*chhDcaGfyWA#lQJ0tjR*wJM0^H zIJWfxvdN+8f{GvT_GD0H`3a{+sWs6d?r{TVPKeImegsm)$v6Lth&K~3V377YBh%m> z<5i!mkkq>*thZ4ewR0WF6Vv$Ld;`#fd<$6Z(X_~fitSzH41k>hs-9JmeiyWBK5_hQ z*Ia^dPBkL#U4@EqTiKh_kd+w5MY;*9vvo%L?7bu8=5ce;;bhntg%^El-S2eIl-MDJ zW!kl`3T!}jT*EzPWwU~4{+D%2cI{J7FcG9RSgPVAm-R208^tN&=oDjsb$Eje8wd3l zLtSZt>42%lAl5#QWNHaq29x)V5*9A~LB6odr7=aAmHq?bKYqfo97h)oaV5yQ?N^Nb zXX-h5K3TDG7`FF`*GyiH&H5dFO^TYiwZNpGqEEQ2 zST8>f*LF=RDGG8NFMqsN@n!k#9^1(6%vzIwSDOpFpxQK^>+!NgDir!(M??gzC`j*0 z4+R9>W=~@zzBM52lXlcfG&BBlO7P*d^g*0bAB$=0pYCS8^<<556JwaosQeW;ZHLPW z?#N`CAJq*2WH_=0`t3$CKi5&mg3bIr?L)p%N) z>~Xg%XZ8$+$CPZIjanF-uqI&vx0%iCKeEcmm1;gJGip)t#u54q)VREzq6d|i% z--RtnbfPz*MSuL>mdV1Cb4eaqMt#BqN)OtcQORg*u+^aJgIbxVqO$dqmI2B=&8k|~ zZ)RUKX3~7-K<|)lBlpJr^+)enhdZT&b83N`ro$T;kD&hCn0T94J9$&xQP<&ppW*K1 zz&5KwM$$hywuh0n8CTSgrjcvdFGi6?y6yjqK|Q~58I(tTzO1TA*cL>vbOks3Te)uq z>q{OQgWE(bUj=U6ydo=^hJUG8RjzU6&NBS8QR@XeCCnv$C-YKn9bs_>G!MI{@ojC` z8l!8cc!!oB8H6qjaqKFR9up+O2vU6^){8_KF#jfHB}^y6!M$efGv`84t(TJS2PVz5 zJeiVbTMbzxqOu{hc9(A*3sqvhUL;jN>c1btYoia_JKeQLnTnmvIy}>7rY`!9K3RqKq{Oo^WGoXBD zO7U9zACCOfY#QueX@4E(%~^wEV<@gFgJ%(?g>=fSUl@WUqAWgMQ%;BAGJ{%=NU+P* zkyJdC-wEeJ`W;p(D-iKIvl#nSS>cgrf6x&!?_oMA5-+j;6LI*c2R>cHLSW`Or4}Gr zR%@tM?lT(T%D^QBpcM2jsF-nna__>Ip$!Ou$y$h+h14Eql=c8lmNflWAB>a}ph6P< zt0=Aul1~DPJ*qL-6efftr>oed03P4{2GuEc7a4u7vCfFxD;2z7<|va)dF{)uaeP{s(k z*P2+H8QiwD;%l; 
zD&p}OMY6I9vk1Aco;Z5bSDPK;{?-X?yTMd_G~f-htvntD`sM{X0R1Bzz_5W_g2b#WxD|f z3qM*7>)e5mB%p0d5N#R|Oi>&wW9jJWh zw1E>bzhd@g8Uta;*J{~`)?~3;-W`v`X~iyhRL?I0!De3SU+9zSb&N z9{yvn_5yh<39w$YsC2toPTwfH>?^01BR3d5eY zH%~5VLnY6y1q*yA=B;;?kRmd5F0;Sp_#8L{EX?0n2b4QIL1Y^A7L^9Uu`X5yZetn#%{c%0C|Q;UJIGN(3&EZ*ws6b=M}l*>(7d0(Lh22O z6Q3bHL>np6^v-i{iTvQ%zl3reK7Tg~19?diP5U~CJ-1}eVWxjR?cYWEA7-GXST1@U zI&>|i>RKFb*}{5O>U|0{yu(pUBVv!?+y_;|*qLhh{#YI9Br zn;90w%#dDjA6SkZ6?Xf7KKn*Z!V_Nv$n@cGAo@Sr6D)H1`CqAn&&sJv93EgIlksIK z@Z*Bn*-G=`-al~)!Y)TE)+(#)rVukwAV(quww%GEFhp>Nbpavgz4A)C@8st`3Mm;D zaH9z-zI*kS-!Rm4y!1l-UoS(Tea?YU3+g}-{vH8lK1zX+@zAmeaSlLq<>Hh6liU-# z6I@C~g-evCM5G{gXrG`WF+Ror(}y6a^Nc(WOve~a%?CYc<|jc0rv~cYx6qnGihB7r z$)T8FeO8={C=6kbf@fmWN;eU}%1jO0y+QL2srpY@cuwERjofEft6;9@Fb>bC4#4Y! zCF6AA$6@i{!)c4HXd}E?(SX6-XxI2#xBid4UIVv$k**CzY{p9T|3}$@*a@^DAai0` z_3C%vqHPx4`pbX+wisMLMHV@P*vJ$4j{A>vfvqEoQGLPR5nsEhAx^=QM}q(3w^QI+ z21tNHRgrZo%<3O)K#KVVDFl}LB2d$D9)edd1=jvcun^`dYDs0bFVK*l_zwC%@&QLg zpN~8?=DQir{8&(@viRiHfBzQ#5w#>OMiQi!HBtOab0lDaXmUg2-0;t9P@P# z*W;cnDtAd;`JnEWk#lp4|0+{KU`WG*+$YG1AY%`E-{n0dTpAA&drBh=zx&$AUD_r#I z>7_-~gvF~BE${zP4T(O~5#0+fc@27sd~fm=vG)_J(_-Yh6_%^CRc`4BsN^`a+urKO z923NYV(On%5&vT)pnL~g;9TU5i3GLheP>dmAGcwz4T#lSI(WyheQs^YF)S0A5JB^b zLf{UsYKk&uF$N(z23T|oN^H+44fMt^5td8_{gY9*anf+$J*sJ{315WEXYFyday{4j zRtl)_A&z($Og0tq8Jqq};OF<~BPkM*7rOl7LKrr0A4xO7^9D8R(uGLGN(XY_f0nT! 
z;tghUaJjijRGh$Ok(U4{-(_$Y7c4j~GCETW(v4{*{o=p?UGpzLkZ$e7e{1L<+teU@ z65#V*ArK!S#_73jkUHPjr?T+=w|uI_@p6|IBlQ5zv){9MBU~FB*?l<2cPU21WZWGS ze12BhPpls1?~;<%?uLt3TecS3uaRu~92tK6iA|$Eqx8YNSC1o>UH0t6WF)+*K5oLm zu>mAE)w_4baWJ<&Ak{ghv41|D8H&S?45puyk}U&A?=dF-aQ{ilFK7~_=I1`DWAIb{3i81k*SUli3_r z4|ozmxQv(2Pfhn+KUC1p^`p&-D9lxnKu}dq`MNCs3#J?2;jtRBO$_}hm8LhYn~{*w zyz){RbYVUu#>}28g!hjev_Hbyy%S)~A&#is@JM^`xRPW_KK>=;<=2uwnysjm0c4DQYqpSVZ3wjuQIDo?x}+Y@Peb3m!S{A91+ph(BWe4@NN zO67%7(VE3chd%S`D<8$>w7k2o(=2V@=x>e7nmjYa0HboILYEFt1Bhb&& zI?(cA`61^LAn8^!wv;QmykDT0b%}@D`swwSQMuQ+)%g3D?&NX^2XMS+;V9=%Vw9i% zWE5%KqIfKsaX;^pRlR>>UR5kKK)M8J;JdW%=pmbvjI8-~YfL62as*>@wS=YrO~ z>{~{0`n8R>+8R7hOs!{~gVnBy_t`8zTDu=3)pqbDvQ&4XZY}ucJy+pAU1FJxkoh7C zQMo|z`Q+$tBV{JWqWpT5ao9~&^_S3$z89$NzbJQk8@%(*ch`2dnJb6zx^q^oDph@Z z1!;f_dM$46{rx)#jYHgTUsW(T37-sJb*OU+N7H>~tzyzd%&Ka8;fQT60K{IVpo)x~ zZq6Xy_NZEX&g+D-hnzu=Bk@#PS$Kub819gEr}7)|D3mU+J?4%oQTwr|(X7Cwo}t6z z{nY#gUn&ma&bRX_>Y z)2b{jxdJActm20VHqdJXYl!y0(;7X|Sz7GJg_m>$vzU<jrD7`wC?H z-v>vM`;KAaWcCIj9<0m-I=*{h8CyVK=BEBeE?QsZ=b45?u=|xX99Cl<0eG|TXa9#G ztu#w9gq0N-{k4XJ5|(N8sv6nfavu2-=U!HEas6BsF@P_uABt_W%dkTB>LHtDj1OQn z#-`NJkH4v6s^q*y7}m|#*?M9u*BrSgWoHS4;-aU}KBP#_x)W}`bQvs@;(YygORWrTzp*oBF^_I5`3o8lz3heb=Y72 z`(1|H{>qa)+>oTQ-s5ozAy(CV5Iki|_Nb3vqU~J-Pldng^`QCsG(A#QDHb3li?$z0 zGgVFbj&c~7bT5ptE)c97NQqE1Maou>U&}E&W1f*sN%qaac9{!(nZVB2uzxLb7j9sM zB}0Ja_#7=j1L<=)CKnae`Og>0yhbD)NeP29@HJolCrcyrIH0V=QDoi?+n~CXqOdm`W&#AruSZ9w zV({nOdY>;+vAcaiirC1?1OuRrd59MQNX-8-GKegjgGoxr!sHWrD8T8!=}Aan!>^c0 zG&ggCT|vbb=5W9ouJG^yqwq-DbabO4|qPpnx6GnkmS!}HSMh0yk#DWd1h=4GI>GFr(wXd42sh0 zRa5Su>YjYcYNV>Quv;O`3t5kSV*@j8s-;&8h_UeQf!SiwDA`1#53ql5c72GvQ^NH= zL1=5e)R^{dC;C;0v)w;vB2^+7IiiSTw^E2DW;fC3r_`nH=V+Mcwm14+QJa_H{5DHkI@g0$7Ag4;l1gsie=O-XnEasfb+gt$nOAo$NW&GcZ0YM8%Z_QUxO zE-!muHX-#6W`puROT5uTY7%{G4%Q~GLL{M6@a0H+U1f>kAVv0|4qA4HC$ez zd@Y9BARbMcKB+d9VLL~nSjKRGv_Pw$6u2wUsLgr>a}})Yp^je@75HQIb2qhnfU1DC zh2CCjy8R}dSt9^kr+Imwrf39DS?#*;^Pro*M?m9Q{JknR_UH$M0Ah}) zDxab?EtJIn`D>%^@il2#{glw`fc^O4EgbIktX9%|) 
zWnFuaAP`pZsECT}rjbMji^o?(K8JxnUeB%Z?IrzFz%Wi^r?jRQ4)DsnbG+1G_3k%#^57WmP`F;iZr&q)6MxnVd|JD@{ozGKAL)$K46D@)+DX|vbWFzCDrs1 z%v8PpvdDoZ1jVRSsF8uQtw!Yb-Mce34a7d|_S-ozxuXco^^agK+2R=Es zcs@&-n3{D>P&wdSOc#9Kgu!oCN#88kF`Z`B#CW}!)Zta$OvSX_AS+EJd2r!CNs zP3n^`5X!S(;Z!IVZo-mwD(y+eCOnAa`33$3$1-}z`w;_T>d8d?RQheQTX`YFm%h~% zlkPq?i-;7>yL2OwjSXlWpo%EkB2su&n;1|U_v$61>6J9C`s*97kBOvD%4by_WaOrb zg2P^WtY({L>}co@2Cz%xDsdHO4)YD{Kmmzgq-{05IVM1?H(z7_Js~Gfv!(cq;@?KqxDw()mN(Yjo5PNy1wvzPh$)HQQtYP=5?vmGcd6*HNvxA%RFjcj$F3q?iJzjOU10MUG@u_ z$vs|;XPU7<6PauNXzM1i5*FO}sFuBD zs;>B&9`ieUeDZ3qI)bHATk95z>p*mplFdli#{b+=igoY-;0wS`b6S<82$^)ljBLe3 zqGM0FqOeylJ^c2sJ>XQdf%4r3u-$X6b4$HuF1NyIvTXasBZz6(} zB&1&{17mzk()7k(3nTYwc&wLDSW=<@+I+)1$j$-ME%njaBxvnCWUcgL=S7RDGI^c1 zzux(kq^YYuWbu}=Yn1<;$^`o>Y3{li3RRKhKgyo6e!9ilrvOH|0)7cDa;C|%^Mv6c z_|_d#C?@lfjB|no5#9q)I`!N_EsWRuPuT>QUM|?eN~>b|LC{u9zlKnE>t=Til(+By zM$7Xc%XDD$Bj>%YyJ+*zv^g0*h;KfW24d#gXYPDP?m3i@+aUMy+T;r~45)=3M1d6D z3nVD-B7=~JG~$y6uAc}9g}l{n<(Ar+tJatMWzV8srXTXb_*vZYDwmV+z5)&HwJ*=I z-PzQ`T`bs5XJQksN5<0e@wnL+{+YC3R(g$iXF(%f<79SCdbVh6B{N!|E;f|6o2Yg4 zq##DKEtz;;@jk#-V$R1`S<8Ci5{nA_KAX3 z6*MH#b#D?L@kP-o1Bj6x9r^TP+?R^K!8D^!c7`34&K@a%-(9+(Do9dna(p3^3Fpkcn?{RdjubI3dtOszxWW$kdolk?+v zrw-%k@s4|180(H7CzM#t1!K%v95%>NZ#b$L(H45}zKHbwT6aWT{&bA%9*Kyqe%&@e z*D&%Ccaal(nv5=OtESjr1n%R%j|9~<{4r z^?QjEe(x(hcM}c%e1#8zEE|R#;RLI}9z;5d>T^dy2Wmf*q#{M(o=;L92&LB8 zXtWJy=C)9$bl)XuTy(BcRRARBqEUBMz*nEfNGDyO75kH%ejF&Xj*`%Sf>zG5uhNPTRM-HA< z3Wm?fgBki;|47B|UiBX3L)R-cwz0dCX5!@#otH8H{EHg@gwXH@FO45wD{lTgLw{bY z?^H6^1fA@Zd6&A%Qs`@UVaxRrg5>3up6nkykP`n!z2;MRDXuNx0nuv{UhAIozkm3H zo$Np#eRKd*TKL-L*3Fepyr$zZ#nVl2Z z8NN0#T=Qwf>j7v7ni8I29hSYeViTb?$b%L`>1W=3R3DtcojDeZaw#y+kWvSiuoxSg zTRYzDs8PvF0~%%65aYeMqC6S-O1p{-`xjvE2r zd@F6s7ehbKC;7H%ysN-9GFx-O zi)lJG-_XKIcjd(7Sii=lNjxf)l{&`iDcL`A0k(8?QBjwm^`-IFzF}08iz+`5kdRllP5!O#KXP@w@O-8Gk695y4C2D+*MJvu zM&+!XJ|tK4A;gssJ+rLekF?BaLgtaZgN%hBLx#O(<>x}+lM1M+u`Bob)$@Ar3u;>m zb&pXs;XTrbBu3}4GX4M8g<1|&O>Li=%Z;k}M5T$%i^+J_s+ap~evZK#G%oCIrTq%3 
zTYAumqK@qJW||S!MHcB%7lEet!VMYHT4&G|j@wSIQ-!ajzyHmuye!EeJP=3#Zo>CG z9zr*%UY`@Dn^Ob0`~SBsu*rTs?)nFV8}!Q{+vCY}%3qFOR=q17cHWCHO@R z>qnKrZ%|(1%`BUh0aTpG#HojVPt_eE*?{Gx*Mt-I)$2hZt*wBrI5{*-kh%NL2U=64>aAIrq8A1phfZB7B`% z$2$)x*ue1Y7F_S8dXb#X;5@?)g*tXT3Q5BU6)V!+PREgyXHR`@3p+U3+upsbR&1Zq zBC1MXjYi}meHT$MG%=r;oq}pZN}&2vN}ft{=lq6mGlm^EsF%`A>Spq$4itlb*lkG7 zb{za#i}HNAC;DPM)OcBvJa%^GzzlBZY3iG>PnoWe$9Ajncn0&EJ0DYU{q&t@*eEE|~T?vcQ#WgE&uYtw#IvP7=4x zM$7Dp#OTW~e&Ykj8qeQiK+30J!u3T%d%|Rm6%%=$zl)Hbe%`PA*E#!utT;sS=Do>V z`*9-^U%hqtPyCE5Dd%Zc3{v;V#D6vGZ*zp#c(vxfRC&A~elSIM4LbmDnP+XzbA~hx z={4DqgI?uOUDC@6D9k3iBs$s%($y}F{;XVm*HA{I*Dpzd)mU=WclEhr$bl%n<$K+h zTQjE3gBdm6p_DpP_kVmGA+l0dar6_ELXNBel3JeHEW9@u+o>sHOSpc1!wA57!RKUvHqS$5ORPs(!JR~@YJ(y$4( z57G|hyQ9&C{fkfbhMhYIre@y=8-SG))FB_M`#YWUIVA+A2-12XW$s7rkC)~w zc9{z-3iDI#pMMYUd`&0u6?yYSY~oeA&2e}c(^e8+gSw^SkhGm}_ft#jN;ja05T-s! zhh>-?9vJK#vIhyw2w=03*gp3gsL*G>O72uH3ovbJ+KIW2z%|rj_d5*HvY` z#{J+tgHJRNr-qCgEp`S#PhR%Jz!OR?AbahLFmxNHJIA}AzI#POI)GS`xG!LyRG+zJf(X#rpUZqlQqslTRkF* zzO=f1Gf5`o5A`jEIy@ST_U9DlM9GbY^Ou7UP0^7?`&|dAK3yBSUlc(D-Pq#hR|RK} zD$i}Q6DQ$puiCu&tKl?t$IagR)I}*bhb_gId48~s{2#`?!Y``tYxm5+kOI;jN-5n6 zNGTx=(mkMnl$3Oh7=Wa7gOoHwHw-8s-6awtAuTO^58(IreeZqm=ic`Zm^u5bv-Vog zv(~fs^1hAmX%cNXM^K;heYKyqO!MQlbh;sA6_7Eh`rxHKI-i5oD}eO=$!YLDF~Mv> zR{rJZS$f1p=#?jQC3DICN2h^tt%kVdj^O*QDiV~4<+y#)o54u95$M?;S8@1bd%=6B z%H2!2MXr7~u11eA>Ef6}@Z40zkk+93-g*B$`VL!=*wY+z! 
z`y2pL>49wqCKKLY1oW3kNXD~6&e26cKzMI;ET#GW(LMX=rD~@%#hdhM`lBlm#X6>o zvOO=~YImvoR17tEZ~F_aJworXcS}z;zus#KpsBmFUR_GKbaSpTW(4}bre6Czdb~aB zyH|}>*s*=( z6ni&fjmA{ZdG1oH%>1|P{rl?6gH=FqE%Y69t{tVAu8HwAH%iq)Pt%G_d|$R2`CWLj z>{mnJ1Q8kLSu2OqBZ8s58(F^s7SuTJQVr#Uin=H+sYx0Vqz|?kzA~t4yX*`LU30qQ zK;W`7T#(#JiqbYZ-LQAHR=sfh;wuQVAIB7>vf6Dvm~q%S^9xrDP3tRt241T1fm=EG z7Vr5`MZ3>O!RNI%b1L-**oZIy#c@1$lgE&gD2F))i;u59eL_oX%)za zKe<(zLZhDcH8eu|L7)E`a23_X+Y`1# z0C-b2TbDnG-WTf72eGQ==k3KuGoLQz+WS^Mnh`v8d&GZs^qO13ihgLeQ{cF*kA+K0 zQ{RXr)OKGebh|-Tp@9G8V>f2y?!aHp*`p7O_RexRSeLL?25h%%7SK=>6>N6}!Z!q> z_|Far&Mcnt@pgnz4m*awIIQ_O@LtoQ?YE4y#CReL1hpg1q?rFOPq;M@ya&E1>y6A) zFdN^z;snI>nza<5#4jWD>~IN0dixG-cUKPYua?YytNz&(WVP~I^LKZnsi#M`inWfB z@alrs`GJy;G`$;p2n9O?$RM^Wn`YJ7PSqFiWpn%QA#rJo?1Df@J z-s?Kb%zDrN@akY@r+Le+aM1LMzsQPxb}bZfw!lihHARvka$AJM`mj&a z)F5X)anI2+WJ#o?d2{c4NXlR#Qd`JLW1$+!RVTJbnURouwH(Q%*bVm$szKb54g8t{ ztGei4Nl4sCNSRF8%umSM^f>Wwhg+^Xt%_CJojuU{^u0c5Bwc68E#c{&y;M&~B6GE% zc~Bq_&?O}u|!1T)&}}sYAPW|D&k`Q= zc~&gZPf%X%>xX;(^KejmAbe*stj0yI zcbGKyK2ovX;#Zjozkt=k^H8G@aMEdP?XO8GpuCH=J#?^)Qw1iUAuBX+kUIOM=2=Czrd)YQRu5oPi=+)RGyS{Q>%Eb5cd0w4rg`(!qQP{hIt=@6MUYrfluhU~&|m70SVe&I4LyKC_7LPoPC9=RN6hdviBw5+8i{ zV&0XNM!|#q*AE|^SEynY2~A3Q2ev(`##??UM9T{Hu?Q5q4^Nk``F%Fbr;+{6VQ^E6 zUvY6=TL`OrDBQm!2=E*|N(IQ;1q+EEUM5l=Tr;fdG92&$9w6&tL@e?uzt?#KXg?@Y z9E<|}Nb#e5g!meGp=rr!@mft3?fs6=Z@*u}q`sij#ls}1bzoL*MCn*)atu;II06-Q zwI6|SFGTOA;P>u)O$5$J=Jlevu^>HcZWQ<0$Czl^G4<0iz>A5|C2ITVZITluM8e9y z*}q$>3(%?|U9JuDGHzTVMByxm2_@wL7lZ4@9U%rxdZY^oP5mfiiWLE|eG*ElqLT3_I zFZ&8t?|%LUn(vFz)z-}yR{3}18XHp58xm3pG{QOkJJnrP8im zLaX`Kzwa#tP~S+$LA|FzvxTH{BP>I4feK6qC?c-4!p^gWO{gZQJ6^TltiJ$X&653g z_b0GgX3F9SS)=flbJt##UdO$!B%}rhO96R-0U|D?Qk+yT;C0e_X)x}CH*vc*mMN652o@a@3D`K7(Jnz63_FNPO` zTn7gw4)Bno@_;%>4FRebc!9}7gSrU>MI(F1)gW8K9g3=fG6}1dESO|5UA1jCRmGP*!-sbD9oq*2?{=Z zq~zK&x2`->*F2=9EruRtaf@(K4-L+Tz>IpWO^7rA8Y15?2Zb16%+UcmNA93Jeu=d^ zcZX;(Qtq}<*@hZIxr;uN7&5Gf#PNo>W1=W9-M_Le55<>hqV^JGUvFXc(~E#2l9zWd zFYQM#etPkb7GUPe89Y>D%}AIKq>mPd_CJ=V^VZbtpiMjmhJp2)JP;%b6Ta)M&cU20 
zT~mzVU|N>yEl!4_0jQ%0`GR=%Av|rLD&G6M3_y`BpTB>i^Fd+%lp@#l|Kd^NMKkw} z#}0{4`kQ@@rK*^23%DSar36Qtl-8Rn%&Ilpo9@ABL0|5YyY{cizy4LqfgNBgRY-tZ zxDhV_&Do0xjLnb3MS(ZCHizk3qFT9hqXtXDA%!Yj@%Jd*xTrZqVTO`R>IT59E5hwH zPCD^m?^s;Rh5S#!lHDepd|0;z=#a*Lx32s3)(z?NZ=aiIOT(HV22xdItDaGROol|s z^#x7i%zeU>M$PmErskEKmcbl7cD(iGq-jja3%MNV5E73q&e5DgncLkPIR@>u4*-BI-)^ZI^e1_whvD6^0JMe~jk?_6`DB%mZSerj+thSsUG>Z16b zACt;AZE|Y&t9r-<`VHPBHbQKDb-0+!V!I_OmYd+psMS8L?xo-?;fH|`*(YFdA-E1M z7JS#iC1h#7%TI`f|JG~N*f}txjISFL<1FUXCrkF(H(kwOYN27EANY;|7XXAanS%G} znKL=3B3C+@>z2ZGN8Ge?je9?H>AIAUQl?@hSfa9yP;pPFt2(8f&o}&!va;_DS}w)P z6Wfs$;SF0-fva$7FCs4GP7GWR#8G?o`0r+N{MRi(OI8Jj_ys3Q-#@jCU|OBSMD~1r z|K15EzbJsi%IAIC9aj8oEdg@l07$EZA&j>`EgjI3Bt6b5cs^~%# zxG>u!9gG=5E8oGOiH_D58gvjb!!#}lAN#}t&M*&zBgA?zFB8n+jWui^tz{(GpG`fi zeeI=I7|$VKP|(*APU>?RgGk-Q`cW*p2LT(?Gv; zXTM6>f}j8O%l{JOr6B85m}$R4cT!ZDe?0Xi0PkyCAqjnA0qNO`S8ir}dHW!zqx}GU ztH8Kx;LD!~Sj32iP+xxvKJgkXp?Ge@8FC7q?CYLJ;*K5Ic)ZR2=d4SPnnn;(C>3;D zGra-eco_CE56slkO4o?!uHq%))~0*}@Nb2A1M7)&_vVH<*H%%nh*9z0gBG!FKfMxD zbe>&bcB5c$F)yX#wgQKGZyYFrw&1zk^hh{=4k{ZP4kNqY+Ux8{DvoPbZ0mvt(Ot_q znd>XxYR{E0j&)h;5!sRoF>v6l(zfpuF2{lso@W<4tuqCll6|?aj34$EG!Ss*FpwO@ zAHhT@oD#>oUUOv9V*8(2eqiCk%SL}srKq%)%qAy|I=m`y8*9|tN&r!HYX3&Q5i9OI zGr)!M8;SOSWMmAvE36}tbHN(gmoS>Hk9=@RDzC_l#c0SCsr=dgi{rTxcX0?oF&5rC zBP0>({akX{uMB*IGL(l9^$at@57QH5Lb)KgV?xKh1b41~@rLJrHrqQu`;;@VEd-&g z>n+waaV(sJ7ynvY*?>CDYiN$#;39M_wVCMNe!?4j8h67K@$=c`Ez=%n#wP}B;iA9( zU~EikHi~wxlXOxo6+^xx>Ww&0U`@zM<4w*&b-Ta6J*{HSkdm58b## zaom3ct-ya0*i%nOb8iQ-dlUjt*N#cIr)fDS=`Q6$&!-Co$L!Aq)_#dp2~!xj*|m)s zC6#7-;=a&#uuE||vXvtFUF+5+P_j8X-C^;Tk$7he6OPk_-beCy5$!EH@;4z5vG{&< zi`yG3nMpd(hHsx-MS+p;IHOz;j%ZtR^`PK_-!JfS;E{%mI`g51+6(zn1PJ*ra$*S| z(z59r-)sl_F8Q3DF`i`0be_)UJ&%cw3LH5vBKXpMQK&RpUpg+mwR%)n#>EGamaN8M{ zpH=9B6jken3j8|QqaFmt_%0@VyU@9d>bAH@vbnft*WfDC(j$ukza_=_y)eP6O5XnU zKHL|5_>b%3Hp6)17@f_fI9L$!=vMRd)W3(Liocu}iI}y{m&OmdC1Oeul~SGesD*5b zld;lzCSt1Xd=+XNH7QnT88khi{ov09lg>{DLM0=BxQa9z+>BM5sp2A+Ii+tzy7>es 
z@!8{AOnVbsgS0Zm)y~*<+;I9;NPeWU0r^v>a@Ca*0_hea9TET}EV6;p2{^ch2YujEFq(RXq=)QFBPs0u~C7z7kMC6@k zrSAFt@ilT(Sl-HkEA=HWK5a&2hj8AuMAZQi5?c6bqNxSUE8_cH6HH~gi| z+yA%FIK}|5Aeb#1^aZCd$M+gO_IZ>bfh9~j=8v|5njg|_BeEG}UPb1+&52{0wj)j) zmWQzOvM8j$2`{o2RbQI@n#yLd;w7*H=uu3^LOyd3xHICg;gjoecfR3XxU&!eIiibp zS37oS^xZ!Aodc`?hRNjrgvnco7+2g3rX@9bp|Tcj3J}}!Y6fwiqM|)E*@)p~GC_P% zW(&CRRhmTU-Vu#7PN?2aE@wC!H0L-jjTx#8#_~0uFR*`Byvpub;;oAxWZQpqKprP9G zOIdi_2rtVGMBbez7CFsIzdvvUI?>t8l`j9>TGPo%Ie9`!WPb7y@uWM4b9i%c2Q6M< ztkn9aoF1{=GjMq3H%&dlHsj91J85Z7zuZdg4#!9kN97FpN&#%RW>uVlPBXn}u)*25 zV?(<(fvqDXXO5-Rjj8wfmM3J=)7z!ups6$w02v%VB(dp>R-2{K_!PEUjEo?dQ>}0) zey)O1$Ka-N_Q$y3ghh|#;pz}TcVHzEcf!Bw^NuMg&kgwNfLc|tV?^mid*T%x{LI$l z31+kC0B8upe48Iq_%bRD&=%PU9xMmx_uhOy#ZSR$Igk;m!;n3J(RFKz8FJnVA0<<~ zP+SlPUPJ)x+{bjXw<-O#$Gm6%Ghc2&;%aLE+Os!5+e&fxKU;6jg)X`fmiL`><*wU? zfN5;v?scBe`!~-+b+@Y+#P_4#>i!O2h8|t4mk_l2T^tmOxcGVwVHvva1WMYKB8zb1 zVLZc`0^mY|CX(o=r!qm5_fJ*f`F|1*_*x**<#@sK9DN;3i8z9ZU^0{kaI+0H*<#2M zGHvV?QQ$Iu{auF5)iT(gV!?k*6Oy1>4>hYTnh24$ZYD?lh{Y&EH6z4&b9cABdeg?J zjtU=1)6U?$=D}w$E|0I>9zPPGjJx2oiuy*@%vlb!a|E^>GI(V{HBtCiekN*RHiUDH z?ekcX%g7+8s$5d(csX#1P#2HzF&7thP;P9e)7m$95wHlT-UfeACU5ZXcFL< zJ)mM^J=O!?TnHXFwQGARFP+1Wm*4}GB#_I=tzk4%rf&mS`U6fr2FzpP(^uiU?^$?adSy+WtK@Yh0Ux=n=a&FgQ&5Ys2i^$oiwjdiIBtJ>=gKV#(M zd7rGdltseQE-m){uQkdU9itQhwiDg&J@F*cGYun?8*NIIw z!PMQn3sqrYa%4cj;?Xj5xE-~&^~U#Ip_=CE%Ai9gLfdOZARMP;Ukt5&*!yYCli8><{%9Fx@(`4I-hYgmj-h;q%EE+!KAsYDWK4hc^H$rz0RR3dmFR z9+UvzI69;!Iaa7D>x%1?si(cO#i@sf-bMtG)o%Xmg6SuuS)M1`drfv>Kkm%z^UJF^ z^i4Alc50(U8A|d!H@-1vis_#F@hIuYXW}Tifc~-<#9ts)3HP|HNGksQgsT57yWapG z0$!OUCGPsM2=N09R8&ISc^!1|g?8FykjpRA#+A}ivCH56gNFZ)-}TL7V8h8oS)b%w#*r>TfmqNn9{-IarvD|5 zNCCJdv^K}2Jh<@73ZQqZ8@eSs7~Iv>uk&Cr(dG8kYInGz16*?7qG5yiow84z?!dum z(*(|Go_mm|3Gc3XP4Yv~SJYk|U!#X(yj%bMWt3Z`u3sit1Q>%MPV<})`RPO;_P^$4 zudQ2l!2gK;hZ&{*C*^}A6=X)Y1)h7hbYWd{v#zz<7Ac2Xh2Q&H)WDLE;njEelQm=& z0pw(+p1HV?383@5kgD)|*D?L@(srExBinKL&902VW}Ael;Rua~)srrW8UG_;`MYOh)4@fpK4@x6t3JL~^dU{70l5sUiiWentP 
zb$*otGLiHvik!pm7c$O_po|;I$EXFHE3~Fj4mVMIFD>n|CBc4k98g1n`i%cuO)aIh zZ`trH{ya?pvi2PZ7^O8*IZbGt=Kt z;{}rP@1QH?#NlPT0AO1X9f|BJHLim$!r*&XSRq~QigvwCH2C<983BvxC4g7Yc(RWb z83cg$ji-ZG^tVu1r|-3gQuA7m+)+vtzy`;^ztp!{ISgbBL(R3kre1gM2&1Lox42>K zcLt6G{z9BrmF1H+o2?kK||G+(P`G1fp5U`I~aHX*<~j6@Pn8=?u& zLfF$IY!ksn^Ib!{RUL*L;D8z7BlC+zCDZjDUOc-5wFe0T8x=w?L1*`^q6Hkxq>UN* zQuG9zqr~gE_q-=rn7_ylrU?#Zx`7T)60&PWy+YG)(Js_|MJMJ7|MUAtDLT(9O^=r# z)Ax_D`sL!s-&NFfMU0)2Bx$%o?~wnC=_u#1;ML-OZK7Nb4XhO!&hu{|1gE3Xzi?3C z#2Jr8(!G`8juQj2RTK>pTdHz{ybV8=BhMAe-=w*aAl;rBM}^Ex#dF zL4nupH$0DjfTN~~Zr__ISTpC3i*#D-5;)0fH1Cf6n4jOZ_OvVd?u_o)&uARq2#uc& zzguw|tC%9k8@=56g-VU+M#J9k?Qc#`**t0&^g6KZ7hh3bVUo;W*Z65WS(be-RV76v z`=wEnckOr+D*M5Xb2yz?YZ`>V0nUs_I9BF}b6o{=$$_0uU66eL{F_2~O2xiPawxF8 zmMf>13VteYa5I^!TaWB9=Y7E_FJ7bdER8N9)-Be4bsstry<7rbZMgd^y7)D{GL6H< zmhzDyBwliG(lTuW5+U81qmr`vDjZ67biPqN+peW!wD@Ysz`il&8`1KtagFKccbb$i z4e0%yt#`NK;N_}Km<()GOIrqZL7M3=!3pA~KU&|WrtAdvuJV^^0diF$3SzHXk9L>6 zK9pLfdbFQZS8!IbCFxgMFIGB#y%oUV`~a$&-yj(U#5~AXKB}G&d-+R^#<_==P7)`* zvnIQEk9(h-Q-7f)&0E}ceS+j`{>Iy#1SrqlpY#_MR>KYAm5gv+45Wp9KhM66I?~lO zCE^b~#^MP@6DHW4?sj8yT+mGK`5RnF0~ry@zUS}t@Eu~XHfs863^1k-aWyh<5!enr z3H%+ep%AiH7(s93qdN(teR(`~I$1T;smz0=-4<@dLdi%633)m(QOAc{X|5_t3<`ZA z^3uvOEhGr}BsMeFvjRW%JCTlHb(}4O8DP1|#8c&Sa!_%8s?J0DA;SCcb`P6a$FWo~ZM=xGKJy3nXN807vV5%5Z*Sk^#S*qV*{SswQ!t3XSJ8u6ELG zc<;Fgn(~FG+Ys%}1?u!-t6)z;$ItSHt4{#n3KB-WB+>zIbnu0h&#K>VfKff7_;1rw zng(LqwHs%Gecw6iq2IR(;U?bAo|9(2TMgjE7WNc+7ENhch}5MNCHdBX8V8^;$Lxp8 z)0GJ*A!KAy#X(tG1(vQ55cNFXb~lRCm#FOt_M=ra9+#X{r~sXj2&OmGSv=Mc6 z`Xe`80JjXLZg)tm7Fp24qMEvHcXtmh9xCnU+F=OxK#VT#FYX!|+#Gf7=}Qs)bo(t) zo6Q|4ivvrL%Cj3!wCw~nEf;YpA^g0Sg)n6Grfk%`t#{uem!@B^LU_o>P8$q>^)EKc z^$cbk2_PqtHwO!LNh$(yIMJoo8Esf13}At(dThRTbZ`hDnsVWR&m&GuMo2GS6No$T zS0CLCBtodGkuYJ)2>}|GnPu5QaXXjeN79*Spxn?9-x?x^CjiTZb`blQ17^iocS2Sd ze0FEt42h$T{c)4<-lTh8h^*s?XN*TIKb~Wuvh4jLBYK!B% zdxhNby@3}0gFiF}QurDDg%rouQQx4(tJbSeLi)n>?Q`K`Kxn1y11-Dt!6`PXR9uhl zwFbWtE4x`laQxX6?pXr%qnf*sT29$R+z0TNn-JV2K`u66><`|g|1UId7#wn5e1Fcp 
zqHd3SqTW@H69voVKGUIbpvjM$eYaX|k+VMOyiLH$z{0nmcD*$7(@QICaXH!nmY=wcPIPWHT#l z_9b-u;&?}^@xWx)ykzTavm}a^L2EXL9}YDMy>L=>`U82SeHR6#ayzHf$2Sh?brU$0 zrz~vLeog+gKXDvsGii6%>mb>Q6TP+Tgx8xu_iG>*q_DyAmYgbVKK*(JKA@VvZTOEC zAdDYz#GrJpx-HN0rr8|j!;)x9Eu%R%M*fbxwEA1Iir;z(k{Y!sl{vn6BmQR!uF`2y zA0jV}|DyQBC+f3`Tz5;%gtuI<+J3ePq^8lv_;cU*3&m6^=h8z>2+~GjUerrO5X2lE z=Hk$H&cGa>FPHW5$JbrT{ra13fQFf>@8(W9Tk`uBuJ0`(_zZ}ZT%E)^bmV&7y<}#o^AmjF+O3!gfl8T8{%89mapwjEMj>JaFw_g>6v&jv zJMrA%F2gtYQcaNlOG#{HEc&DmdZA2I*nCRNzg_ zJ|DX*3#?w(qkDfiq4UsUqRY2_941&x)R1Jy4*0>(FO&iy2At11EK#eft%F$!$;%4K zE7srauw4E2h`txC4gNyC$bIgUepv23TQQ}kS&~ff$wf|J#gippM||FACdik$!)AexzwS5C2xzS6)zWYCKyj&f@jx+JC<(+bxOozeW z4ZBXE!$~hhhtYU0D0y503l5axgL8Uq25RJ$ktWf%V`J-EyRcA9Qb2ccl+y3b_JR^b)|6qt62;NROrem%n%&?=^;bK8nNt-p%D?tA z69T)ZVW*3oE*{HP3`|1zcYFA^kJn1P(vF(R9X@o2E~@8EFM8E-=%s=)e`r1j5Cj;-f=|b> zxasvSYq9SEj9sP8A$`EYy~SDsT?x3sZXx83tGnxZl9_R=5p#|_u-DSyvMp9l)7{&0 z!$qV}jKACmJ4hp2(bgRg5RSMRR`geFl<3-(&$w>>ef5D$C=HH^YP%fJ`AX^H{7fSa zn_>SF+#1S6WcB5$XExX&sD*5Q&$Sb%fw+2)K_2m<#UDneDUYr|cZugtIgkh793e0D zyRRgUM0cI@)|#ci(L)R>o)a$hr)^boo6q=J?LV|72BNmH zzuxuAQiesgG(%uGgnrYGiznIRhRX=#K$S`X+2v8(ptyf{` zZNfcR!6N{dr3gIfug(^vA}{b5u9zWJMmk7e8@Z*qr>MuS&J)CiEpQjuvEPsK>prw* z&jiL6I-?p_al98qVK0BShwf%*tSTka@0~99^FfqeMTxx5>GP5&QIc7pg7O4G^NZqJ z8a|jBxDpk!w)`F~Os+uj z!oSfb?kLjn&eTqQP3=75r&{BwkY;l>ig3orv>qGoamEL#DvkL{Z-Rh^_bN%1TkHRI zVEKNi0yvwtz4a|_%;kRy5b&upk@_uJm! 
z(xb2?;qqJgw!yXMF9h9r4+=f->SLL=a9;QxZ|^^10jk_Ww^}V~ zCcN?iUBfNhf~a@rL;yLO`vimz=lF!sReX81V~2L^U$$HrOfH!r(tBA!y^9d# z-)T#Q(lo<;bt~rg?J3LJNQbY>P{T;nL%XAHGF}Zz(nZm{a;sq$?#Z_g&iS7uq=BLP zv0i1{Z%m0lQsBuBkrL*)T%s3&Vv4aG+mUa+>Xr6z1fKK5hXVY(%~UO#TNa4>#EHJ%nkN=!Y%Q;!Cy_yX0{O1dTb#pvrC;nrUPJx>spb zt5^xk*aT6uKhOrckElsOC}I=~k@7?c5W+@eDWf6Ci}(i0I(}+slZz*MUJ< z5vt4M7LS31H?GBL%iq^5!yh#(?%(&~@WIsw$oO#0NN&RgOL`xM0=j%_-rdBQPiN^_ z$~5zrhpDI1gWL!vjPE-%lpANC*6$A}5TINeTn)Oy5{HXhjG?;nzJon-s2W%)Q`oal zn(6;2KbOF^_9j?l9PWNMBm$6)oj(R93d)fk;H7!cCw9j(Z!CB(sLrn6_y3&F)UVPG7+Av7`W4 z^&VxX-@Xyyw{@LqRb=Kgy|7;+ET-R?ZRL#8y~*nk+taKGNREsv$Z#`tPT>sHCqy<# zC zirl$>dr<(L2|M7Kl;*@@Zefr$qv_6a&J!+}>5nRkF@5W%Cd07?b|-S7BpAFqQF#|P12w+Mj15G6vTIHnXs{vh7GF-T@Q4T4W8R6o z9Xtv`2wG)iz_pdl`zdPKl^8hm!%YF|2R%NkgP3o!Lmz-uC0Z5-+zi4FBq10RSN}pa zoByKU|3?O#0!qGtsq&XX2Mv7eE*OP&7mm+oDlMTX@8n9=YVnEk{2@{2>?SqKmQ#s) z_HF=MzC^D}nscW_TzzZ4YKVT_@qZ~DHbZlk%U9gc%Na2C?_7#EBT6pcP`AlB`_3X3 zT;@aVvy^LzfC7uZYzL^p(}qk$PUeyUisC0Y2%jR>v3`YcM5Xwt?uhsHi`Q&bA_pf9 z;~YEYT7|HxcbkV@r0muF#z#9S z2zGn^Uxj_}e84|C=t^vqYcn794l6Cn6Mj|*vFhp?d&rHO5mnQ~K0d3Qo%{+ni5>qw zT@lwA?m@8;*>UR<7|0*(?@Xzk#Tp8v08+JudKvIRPf%E}QhKRClwSY;$qEQ<2ZVsB z{ZEs5p>H?(r~;Pc4p5f-m|4?9qZyyi9bA19nai?iA^@7LLR}3P45bZIP4k_LTF2$B zkBf6{AX;}$3)n5;j#+435(5Eyv3WJ~ltbxZv`y*BGiZFL33U^rQhsL@2p#WaU44RE z%Q|ya*zi}(>`6F=h6!$!TEM{$4Hn`qbZTpzdT{si|-4dv{=EmDN`o*nCK%hVya%2%eINryx+JMd9;vg zG+`?QwGheZc6)Q=hHe1%wEj=wdhv~X$EyN1$tI-We3)i^PYy+bnC2fqqbKNDm?>T$ zlfHoqwMmw&y}7C!ZE|m_Cji8 z*Z#7J2_TL95?>o}_sV0BY|;cFTsrFNF|&h~nlY7{o_oy0*H1pzTA7bcPq382N)x`5 zFG-d$MH?@iWZcN$wE=aiLYscm$Uj1E)))o`ZS}oX-f3b zt{8;}bjUXmc74&fNmo(w)7^UeL;6h5MSC=Jsqf3I!APHNyoq{W=0ukhY$}&ivMQaK zIhm$|BYEbk(<*u@m-TnCK7K)*%^O=jGi9>^>-t9q>qZyV$?_uK3=M;(wMtAo3Y;)F z9A$gYUT^@mM2H}OMHF!=I`9;1G=s%`hFiMv;QGrzV_HBE8xy5y;J8t#{!}qu_uugT z3{rOObh&Uk-6n70I=3z3fgteam@-a`%M$RDv#*wNG>+0;sShc@a`2mc*Xq3T^jnBF zFWmX!xFs{W#pDr6-gfuJ<}vi?NR#Xcd?DWVeLkqX5F998jm+vUv#v0at`kO-jb5skkHWgNULtlBASX* zX-ggLb~-5UZwp3#vZk!!j^T%6d!eJORjBO_xov6JdW^r=dj7tw#}j%DKYi+T$v44f 
zQv6#`w8jkVf#vKBu!^uFkvafrt&m2bfdr%Q?5$c3Dc(7uiic=gz}VF*17Js=}A+!_zH>tp!$wh)GZA z-WhGN5cyWD3(lZ%9u*#KKWgyn9$x=*%lM_uR0j3j=4ltXW5Gtr26J!&Uyw-WISkdL z2=E_yeRX>yFE~jCqQ$o$TC|`SscXm~HczM_Htgg=ZW}@UmaGtt&U+^>*ItViuxVHpTbG!sBx7qx+*_Hz zdp?74V$2r7w)$w$^+D-TOH>=bjxQsvjg zsa_ zQL5qz-&pSOR9KI)h0q8Op>a%B-H~K+U{+(A<<_sj>W<~yol^!B#P%V&msIHtMADN} zY{Fn6xn%Y9Xt%LyVcXAlR7=O>=l$bfnQJLN=sZoS{$Q%Tl0EeaWq+K#1yu1s;E{Yk z5mMNIfzNnt9zT31#f`9>8(L)oCfb9_R9y*n2plI(pWc_ly2-t|g&$tj--N4-e;iA` zeSFASM8#n;^@ww5!)@{*Hy_J~^69iQJOgsWw6QR6le29;Td!;(=+YhqUbUBp9I7?d zsz)&Gy8S0LW5=Ng67nOk`c{sG%FoY#@I3PQ5Ll2N2HNRi8iU1n)I#pdUqNFy=Yo~o_;b)nDovCjDZja zP&1m&_6x4mZ~5Pvz407pfk_gM0p4T_r&M57%~*&}|LSO$7Rl&65PM;RI;cvQ9}Uvz-7u)@(sZt0(~c0*+ho9FJ7u0@eW{y~<_n+c?32An67%c&2A>fe;YX8^5eH^|@>s7Xc6sc0^+t zm4isPj-Z#rKr*#w$#@FJ{xn)_0!;nvd!ELpky>W@`_I?1Gi?#pK>qU5^X zK#)q$kHLmmW4XDLs}jQg^v`y@h)aIlP3cz&$yyq&xkW+Hh{-;apB zNeFKI6&6BE?3)LpX>SH*!O)JFJkNOZ_K3a`x?0!qeFOB6z!O!ceS1H6|0~M zM4@XX&2&lk><{`(v1#)9&%hbMFQlT+Pq76TEd9#xNnb_vYe6H9BOMl!T0Z>ewJv>9 zY`@3ARs-F3%HLz+*vuD*t$~9&zK#AS!rt)pSE^f-@xCVU$)vl?Yd7~3X}oEYm+YQA z)GpEA^wAz{;QVG%3Z#Wiu||KTE!GVbGbwHlYZiZ>m||jj_-QM9%=&L2<3|kL#aU)QOV&Z=? 
zw)3TB;xM36k1YH5r+ZcM`)YcZ#Sy5eAoRV zG}Mn+akc#~(l7?Ffsf?qGW0nd8hjDzrMgp)WMMRZqB4C~8Yn1W07cc>F*-g_ir>T3 zOQ#>rJ4(_p;dg12`pCazM7$GE`xSR6(Uw1hn#sTS#CyaP75dy!)6JVttlP)5H*#gw zC_NOUQL5g&Tk91j$!8^o2n#u;Dh6MtM|Lkciqz07QKxq6`jroC=c`P@^ALj|aEE;XEZ0CM0?MslI*`}vq-=WL4TJ(zI2lj%3$ zG3B{k;Ymp0Zb?&XV%l3YB$`}PUfv-#7w6{m%!{I8Bls37Il~-F3iL zeM656!c&X%=&f)bhREH9N4{Z9D9SAQPCjf> zcEdIv(9JxY}xFe>4@{A7>A37o`gL7X{;l&K0d{PNT6!~k3Okx z$XGjEq9nCxPndiYrAat`h850VP4K4V}w@Fr}G2|>oxAt zL#rv+aU5uT>bbx3$vI9$BS$IE`GcdlojH5vCVtf3o)fojQ}~7dVvoqV<{n<FLC|HYXM{=<^`4Zbs^j{&G5u%dK;5_U?VmKJGYzJ8@L9I8kxu!dqGS*bsI^ zT-0HU-UFTo9^Anzx;zY{0M?3jevkcHQ9K?8hMivPehyVS?yPPQtzXD^24T7oGuf%d z3pYePuo`0ONfhj^e<}Pmlk0h`Xt!)A71)d48e)TkHbN`|MByeeLvvDPIj1u04si!-%snwauZG8Yk(xW)kH3DchIZWYwC%2qw|o`u8rgor}`dST}ou!!NxzYX)AgOp80ZyOfb*0um7vD zD-EY|{rcNRId;WShRARXC37+>TV+l{<_z1Mq0IAK$P|&W44LOC&Nlwpln4hLryzAM!bN=VN=fnH@;@a2!4EM0sy4StdZ~Y$Hjrqr}_~L$9ucdT!SxE`svR`DuFFG%?uiwz@`_*-E{5pimkkFCt*15j7GGI?OE}y_gVB|woBC+}F=+2wA*-67nVyF4U&U3v%F&LFuDI(4r_u;>x;j1{eMzcaM z-NeGdX+1|DeTi>7zgKG@U)t>xWZ&t<6KZt!Zlt|ViAZ6O*bOegEdYi}K1Ikx8#nUA zx~De6FaT9RP#r&s%Fn@->~Evg-``vqtMsNVC zV^nVT$91-?%^=g=F#S_qL%Y54)-<>a>)nNAhyfma?7v`r9K6wPebAA3|13dFPL%tP zIc03g=0XxyD;#?!9J|s17=*dDBn1LBC60QxqIJ&~J_)&Hhf+rI4=O}?OOiI_A~m1I z7#@?2`tMTFKYZ@!Cz3gSi9YOvO9|4Y4Q7$&~2>!lG5&E#KsLD9j_CjpQLx)6#Rq}Jm)<6&8IP~gxLM-@#1u|PLu4# z4g+4?4>Jtk{VFoldgq_+SeUj%?%SE3lqUO~EH#a6JeArM_4vb6U%7*NW|6}ko{4%) zJws+#mZpG1SzOS1xSw^Y%~~ zzc0g~0twg0u7n~7nWV4`|M7~EovRUv_pLBSz*UQp8QdV~xegv~rZ3VF_e+w7S{#?k3L%aV_e(W>38XG*G z6?z9YtseoF(jaiR;dqKE(4QM@j%cWGKS$2sE2D_#gwZuDJz1e?6nw)TFX>(UuA7d) zH|vWk$UH(vCfg`GqAn|0do;FTA5*q9>|@HUzG*k^MDcJl+LHn*NL4cx{m00-MOo&m z*%656{Y!>O*s2-uS~G%4rWb(DM&0Q^N3O&J=eezw9RAKGz{N0233^JS$BvLyeGD+C z^O3=6q6vDF9=Gh3AJb^o*y#4|?tP*04;l8#xOAmcv z;Vn{-tcAJi1gy#ofQZXf0#5;nNR-%c*%FjQKNXDl-H`T6)N*Wk+jg8KSQn&Kn#(AH%(IOh1L7~#cvHW+-x$7crG|W(XBVvZ&7c# zxHGo8(f-P|Yu6UMq5vMFOvQi4lk`+P#yxSc8T^bLhk1GUpvTTRn%p<*-u~JhUYUlf z;(scsnecGlkk;*GssELl0E|V;G!9wbB6&@?^8&r))@?wi@)tG7-%3X@1Y#_NI)jKP 
ze*TFri%mzc&s*<~>qWKI$<3U$4jW8q{X4HbxlE2G9$( z4jRF@qTtkCHWpRW>I*{E;ddK?fmFCZZZj=U#`4DWA&zbJzZ_cz;UJ|zaIw3Zs@{>2 zqK8xE?t!_{ZWIDoN&~)B1fbhiYi>uJw>`x38ja$K2EpB=Q=}3nepT)sxW0sRm`^vOCp_fP=R*-UT#o*6yJ$8Yiejj6zKu0_ z?Z-#{3QZMhAbGES)m%3l@gfEy4#o#Yz%Lwh9czS6{U$Uhs!2Sn} zNA1n7pB=H8XA$+M8T*Uo>0S>^-fV!iy}ILFuyfv^Y0-sdT(W#<11po1ln*3}(0mAA zc7Gl~OysGAlylhn_q(@!KinIge6}34dF+TxJ(p4}TgWHDhb;5UX8XHT!ul;SA95>1 z1~XajA@x(1qW`L&nwshFiVH_E_%M#hqDVos=A=F+cRYHGUszD}PNnev8jq5(Cw=m+ zUGe5t`av5XoWu{tvtOepmR9AOR%S>2P&`_-{c=YD;Vb)=)* zOQV9^VDn`oJ46NpXp%oJSF(-|J6uI+e*Pwx%h=+wAn82NfmPbsSk(6HnssAOzXw6; z_bJy3KP)frvtBj}9OlPbZd8i=VD$2nh$z3y=E-{?)2CvzqNFg#f6J#kSsT<1U!)-m zdJzGvM^)dq#0I%IgB9NdP>MsTgQ+PCSsA#vsm?=r$E;oyVYf&5YGI-3#I-mt$DQAm zHI`cy-MzIpZKuV*@7X@x7|=6e-4&516Y=@;s;AAK)k`5D7yHj?(*-29Q~7ZK28j| zP|-k4rzxEIgxZ1NHUU0sA##-O$ze+n%ox?&eNvw!hmNWWM-dkkqxW%aGyVJ`-J3%qQTkq5h`o&1)ftH)-Pr)#4A|)uY-lB9z zb?_QfD{gy^juP$Xc)5<}7a;q|MdJV<@?`Pr#tW~hPm$9c*XbzjcjHe*8Wpb@p`GYH zY`2BY=B{?A(S!q_CTM3bk3Gk~?r5Wrmc%@lK83mu?^z!e3DlZjje+e1_1RXS5o@L( zbfDM}c8HDRB-jQ>{y!3HdZv5$Kp^eBEXSrK(KlIKFWLW>al znL~^}a1n*uKKlVeG9I5pvr~>dzhc>0*cXOW?~&sMH&*pi3at%#LtD1{f+Gd#B3ZEW zCwI5^CavxTtG;$1G|YN?me$z2$dD&Hn9l5cG5`1Gf9}Vv#iCzuBaP1^%s~ZVv#R4@ zPQ!&Wzc@!;!09reo^GyktnzpbTmv^>ZQS+ficG5lw3(rF9p>Z+gaE* zD1hvcL0*7Cuo;BE-QmPA8wk>}G@}$7K^B$i5xmx3_w1n#M|Ln~0rTFHdv6a<-pr!I z0)E3Y`1{PQ`UOFLz7BQ*nLaA{yH7c zrXF-Ng3F4j2XIc2&sj-6UIV9 znWulnKW(O|4CuWl`b0~s{2}OtZ+`OX)GOhjU#UqM|7a0o&kN97r>xg zITEW%3Q{@cud$ejT0H2Enk&`Sy-E=?L-zT>V9Q?t) zR9!6Umbe53{TM+LZobb%RtL`C48r39vZ3`lSfW#zjFiNfn&ycOg*ChguYs(tr(iY)01nE)YL*n1Pf_LFWJp>X#eDGf za*N1r#>SEGE1^Je@!dO;D;qM2w9r-RY`%#@NSdY=KIKtFOx8z*;*KjpDXNkd`I{5$ zlq6D%sJIjeqO&l;2}{u~}};nonfIVQ|j|re>1yPK6fQCZH={)jI5VK$(X#6B@9nB0gB=#&?URUS_=X>slFfYM{s7d{F zDtPe!vQvVhN%fB-V@hxE()0RJGF1!joR%jml5c|^(W@ItoKON;WE#%7b{F$-?t4@+ z3>-R)L^r}fW%Za$#_d($rN4z)ivQU_?EK%AXY2bzE^yp~smIDtTpJR8ckx;wH()-Z z@%t9G=g9;-g|4vBGK#Hi2!o-S%0u;+J%91&1ctr}fq9th@%lL+Lq@ZnY^kNFn7}xn zyqW6y$?ABy{PFi1YBA|q*ADg_+%q*;WpjSz@bu$Zzs{ZV-T@@}M-4s8*USj`1n7(B 
zFF=xzek0w3)w6{*myKH#ol2vV@q0H zkSs;y^w2-rq>ypdcyUQdpbaQ8lpYWRL8Mp0t_%ml&ZO;s$E&V?%ZPmXLIOoJ30$lXJW4RC1A63oy7Ht-Yu@CQFxbsu4 zh?hLpfx)QdpWAs^60EMG2AmoHy%VzBWdtw1^Y5ix*f=_&9Q^N1@S{pKWS^$yR9nig TvcCzS;7?UiL!sg#?)LuxY$87L diff --git a/aws/standard/README.md b/aws/standard/README.md index 9226994..6359ae3 100644 --- a/aws/standard/README.md +++ b/aws/standard/README.md @@ -5,7 +5,7 @@ Each role is placed in a separate subnet and traffic from user sessions on the A ![Diagram][Image_Diagram] -[Image_Diagram]: https://f.hubspotusercontent30.net/hubfs/5856039/terraform/diagrams/aws-multi-server-nat-gw.png "Diagram" +[Image_Diagram]: https://f.hubspotusercontent30.net/hubfs/5856039/terraform/diagrams/aws-multi-server-new.png "Diagram" # Pre-Configuration From 2ab047978d2a5e7153f9e7f76c4879e006fb74e1 Mon Sep 17 00:00:00 2001 From: Bryan Scarbrough Date: Thu, 15 Feb 2024 21:58:20 +0000 Subject: [PATCH 7/7] Added outputs and updated documentation and diagrams --- aws/multi_region/README.md | 31 +++++++++++++++++---------- aws/multi_region/deployment.tf | 2 +- aws/multi_region/outputs.tf | 33 +++++++++++++++++++++++++++++ aws/multi_region/webapps/README.md | 2 +- aws/multi_region/webapps/outputs.tf | 10 +++------ aws/standard/README.md | 15 +++++++------ 6 files changed, 67 insertions(+), 26 deletions(-) create mode 100644 aws/multi_region/outputs.tf diff --git a/aws/multi_region/README.md b/aws/multi_region/README.md index 0a7a936..3eddb16 100644 --- a/aws/multi_region/README.md +++ b/aws/multi_region/README.md 
@@ -12,11 +12,11 @@ It is expected that administrators will configure the traffic does not always traverse the **Primary Region** and instead flows directly to the Agent in whichever region it is deployed. - ![Diagram][Image_Diagram] -[Image_Diagram]: https://f.hubspotusercontent30.net/hubfs/5856039/terraform/diagrams/aws-multi-region-new.png "Diagram" +[Image_Diagram]: https://5856039.fs1.hubspotusercontent-na1.net/hubfs/5856039/terraform/diagrams/aws-multi-region-new.jpg "Diagram" +> ***NOTE:*** This deployment has been tested and validated with both [Terraform](https://www.terraform.io/) and [OpenTofu](https://opentofu.org/) # Pre-Configuration Consider creating a special sub account for the Kasm deployment. 
@@ -35,25 +35,31 @@ Create a user via the IAM console that will be used for the terraform deployment 1. Initialize the project - terraform init + terraform init -2. Open `settings.tfvars` and update the variable values. The variable definitions, descriptions, and validation expectations can be found in the `variables.tf` file. +2. Open `terraform.tfvars` and update the variable values. The variable definitions, descriptions, and validation expectations can be found in the `variables.tf` file. -> ***NOTE:*** This document assumes you are using a separate file named `secrets.tfvars` for the AWS credentials generated in the [AWS API Keys](#aws-api-keys) section above. The .gitignore file in this repository will ignore any files named `secrets.tfvars` since they are expected to have sensitive values in them. This will prevent you from accidentally committing them to source control. +> ***NOTE:*** This document assumes you are using a separate file named `secrets.tfvars` for the AWS credentials generated in the [AWS API Keys](#aws-api-keys) section above. The .gitignore file in this repository will ignore any files named `secrets.tfvars` since they are expected to have sensitive values in them. This will prevent you from accidentally committing them to source control. If you would rather use Environment variables or some other AWS credential method in lieu of the `secrets.tfvars` file, check out the [AWS Terraform provider documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#environment-variables) for more information about configuring your environment. -3. If you are deploying more than 2 regions, you will need to modify the `provider.tf` and the `deployment.tf` files. There are commented sections in both files indicating how to deploy additional regions. +3. If you are deploying more than 2 regions, you will need to modify the `provider.tf`, `deployment.tf`, and `outputs.tf` files. 
There are commented sections in both files indicating how to deploy additional regions. 3. Verify the configuration - terraform plan -var-file secrets.tfvars + terraform plan -var-file secrets.tfvars 4. Deploy - terraform apply -var-file secrets.tfvars + terraform apply -var-file secrets.tfvars -5. Login to the Deployment as an Admin via the domain defined e.g `https://kasm.contoso.com` +5. Login to the Deployment as an Admin via the domain defined; e.g., `https://kasm.contoso.com` -6. Navigate to the Agents tab, and enable each Agent after it checks in. (May take a few minutes) +6. Navigate to the `Infrastructure > Zones` section and update the following values according to output values from this deployment. + - Upstream Auth Address + - Proxy Hostname + +7. Navigate to the `Infrastructure > Agents` section and enable each Agent after it checks in. (May take a few minutes) + +8. Now you are ready to add Workspaces via the registry and start using Kasm! ## Requirements @@ -124,7 +130,10 @@ No resources. ## Outputs -No outputs. +| Name | Description | +|------|-------------| +| [region1\_zone\_settings](#output\_region1\_zone\_settings) | Upstream Auth and Proxy settings to apply to Kasm Primary Region Zone configuration | +| [region2\_zone\_settings](#output\_region2\_zone\_settings) | Upstream Auth and Proxy settings to apply to Kasm Agent Region 2 Zone configuration | # Detailed Terraform Deployment Diagram diff --git a/aws/multi_region/deployment.tf b/aws/multi_region/deployment.tf index a6416d2..29c27f8 100644 --- a/aws/multi_region/deployment.tf +++ b/aws/multi_region/deployment.tf 
@@ -134,7 +134,7 @@ module "region2_agents" { ######################################################################### # # Uncomment the below section and update the provider and the settings -# in the secondary_regions_settings variable in the settings.tfvars +# in the secondary_regions_settings variable in the terraform.tfvars # file for your desired region. # ######################################################################### diff --git a/aws/multi_region/outputs.tf b/aws/multi_region/outputs.tf new file mode 100644 index 0000000..776357b --- /dev/null +++ b/aws/multi_region/outputs.tf @@ -0,0 +1,33 @@ +output "region1_zone_settings" { + description = "Upstream Auth and Proxy settings to apply to Kasm Primary Region Zone configuration" + value = < [kasm\_zone\_settings](#output\_kasm\_zone\_settings) | Upstream Auth and Proxy Address settings to apply to Kasm Zone configuration | +| [kasm\_zone\_name](#output\_kasm\_zone\_name) | The zone name used for this region/zone in Kasm | diff --git a/aws/multi_region/webapps/outputs.tf b/aws/multi_region/webapps/outputs.tf index 4a94a28..8778f56 100644 --- a/aws/multi_region/webapps/outputs.tf +++ b/aws/multi_region/webapps/outputs.tf @@ -1,8 +1,4 @@ -output "kasm_zone_settings" { - description = "Upstream Auth and Proxy Address settings to apply to Kasm Zone configuration" - value = < ***NOTE:*** This deployment has been tested and validated with both [Terraform](https://www.terraform.io/) and [OpenTofu](https://opentofu.org/) + # Pre-Configuration Consider creating a special sub account for the Kasm deployment. 
@@ -27,9 +28,9 @@ Create a user via the IAM console that will be used for the terraform deployment
 terraform init
-2. Open `settings.tfvars` and update the variable values. The variable definitions, descriptions, and validation expectations can be found in the `variables.tf` file.
+2. Open `terraform.tfvars` and update the variable values. The variable definitions, descriptions, and validation expectations can be found in the `variables.tf` file.
-> ***NOTE:*** This document assumes you are using a separate file named `secrets.tfvars` for the AWS credentials generated in the [AWS API Keys](#aws-api-keys) section above. The .gitignore file in this repository will ignore any files named `secrets.tfvars` since they are expected to have sensitive values in them. This will prevent you from accidentally committing them to source control.
+> ***NOTE:*** This document assumes you are using a separate file named `secrets.tfvars` for the AWS credentials generated in the [AWS API Keys](#aws-api-keys) section above. The .gitignore file in this repository will ignore any files named `secrets.tfvars` since they are expected to have sensitive values in them. This will prevent you from accidentally committing them to source control. If you would rather use Environment variables or some other AWS credential method in lieu of the `secrets.tfvars` file, check out the [AWS Terraform provider documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#environment-variables) for more information about configuring your environment.
 3. Verify the configuration
@@ -37,12 +38,14 @@ Create a user via the IAM console that will be used for the terraform deployment
 4. Deploy
- terraform apply -var-file settings.tfvars -var-file secrets.tfvars
+ terraform apply -var-file secrets.tfvars
-5. Login to the Deployment as an Admin via the domain defined e.g `https://kasm.contoso.com`
+5. Login to the Deployment as an Admin via the domain defined; e.g., `https://kasm.contoso.com`
 6. Navigate to the Agents tab, and enable each Agent after it checks in. (May take a few minutes)
+7. Now you are ready to add Workspaces via the registry and start using Kasm!
+
 ## Requirements