From 8e2d5590c024043caa106601d192cb88fde9b696 Mon Sep 17 00:00:00 2001
From: mohitrajain
Date: Mon, 30 Mar 2026 15:37:42 +0200
Subject: [PATCH 01/13] fix wpb-23987: fix debug_logs.sh

---
 bin/debug_logs.sh | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/bin/debug_logs.sh b/bin/debug_logs.sh
index 8a40701b3..3138e025f 100755
--- a/bin/debug_logs.sh
+++ b/bin/debug_logs.sh
@@ -4,14 +4,14 @@ set -euo pipefail
 echo "Printing all pods status"
 kubectl get pods --all-namespaces
 echo "------------------------------------"
-namespaces=$(kubectl get ns -o=jsonpath='{.items[*].metadata.name}')
+namespaces="cert-manager-ns default"
 echo "Namespaces = $namespaces"
 for ns in $namespaces; do
- pods=$(kubectl get pods --all-namespaces -o=jsonpath='{.items[*].metadata.name}')
+ pods=$(kubectl get pods -n "$ns" -o=jsonpath='{.items[*].metadata.name}')
 echo "Pods in namespace: $ns = $pods"
 for pod in $pods; do
 echo "Logs for pod: $pod"
- kubectl logs --all-containers -n "$ns" "$pod" || true
+ kubectl logs --tail 30 --all-containers -n "$ns" "$pod" || true
 echo "Description for pod: $pod"
 kubectl describe pod -n "$ns" "$pod" || true
 echo "------------------------------------"
From 01c86c6084ee88ff7cc4c283e675582532c9db60 Mon Sep 17 00:00:00 2001
From: mohitrajain
Date: Mon, 30 Mar 2026 15:38:51 +0200
Subject: [PATCH 02/13] fix wpb-23987: improve UX for helm-operations.sh and add more flags for debug logs or cert-manager behaviour

---
 bin/helm-operations.sh | 78 ++++++++++++++++++++++++++++++++----------
 1 file changed, 60 insertions(+), 18 deletions(-)

diff --git a/bin/helm-operations.sh b/bin/helm-operations.sh
index 1298ed065..62b0fab85 100755
--- a/bin/helm-operations.sh
+++ b/bin/helm-operations.sh
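Review bot: The `+namespaces="cert-manager-ns default"` line replaces cluster-wide namespace discovery with a fixed pair, so pods in any other namespace are silently absent from the dump that the ERR trap in helm-operations.sh now relies on, and the list cannot be adjusted by the caller; `namespaces="${DEBUG_NAMESPACES:-cert-manager-ns default}"` keeps the new default while leaving an override. The `pods=$(kubectl get pods -n "$ns" …)` assignment is the only kubectl call in the loop without `|| true`, and the file runs under `set -euo pipefail` (visible in the hunk header), so if `kubectl get` exits non-zero for one namespace — for example when `cert-manager-ns` was never created because cert-manager deployment was switched off — the dump stops before the remaining namespaces are visited; `pods=$(kubectl get pods -n "$ns" -o=jsonpath='{.items[*].metadata.name}' || true)` keeps it best-effort like the surrounding calls. Both `for` loops close outside the hunk.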
@@ -3,17 +3,35 @@ set -Eeo pipefail
 # Read values from environment variables with defaults
-BASE_DIR="/wire-server-deploy"
-TARGET_SYSTEM="example.dev"
-CERT_MASTER_EMAIL="certmaster@${TARGET_SYSTEM}"
+BASE_DIR="${BASE_DIR:-/wire-server-deploy}"
+TARGET_SYSTEM="${TARGET_SYSTEM:-example.com}"
+CERT_MASTER_EMAIL="${CERT_MASTER_EMAIL:-certmaster@example.com}"
+
+# DEPLOY_CERT_MANAGER env variable is used to decide if cert_manager and nginx-ingress-services charts should get deployed
+# default is set to TRUE to deploy it unless changed
+DEPLOY_CERT_MANAGER="${DEPLOY_CERT_MANAGER:-TRUE}"
+
+# DUMP_LOGS_ON_FAIL to dump logs on failure
+# it is false by default
+DUMP_LOGS_ON_FAIL="${DUMP_LOGS_ON_FAIL:-FALSE}"
 # this IP should match the DNS A record value for TARGET_SYSTEM
 # assuming it to be the public address used by clients to reach public Address
-HOST_IP=""
+HOST_IP="${HOST_IP:-}"
+
 if [ -z "$HOST_IP" ]; then
 HOST_IP=$(wget -qO- https://api.ipify.org)
 fi
+function dump_debug_logs {
+ local exit_code=$?
+ if [[ "$DUMP_LOGS_ON_FAIL" == "TRUE" ]]; then
+ "$BASE_DIR"/bin/debug_logs.sh
+ fi
+ return $exit_code
+}
+trap dump_debug_logs ERR
+
 # picking a node for calling traffic (3rd kube worker node)
 CALLING_NODE=$(kubectl get nodes --no-headers | tail -n 1 | awk '{print $1}')
 if [[ -z "$CALLING_NODE" ]]; then
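Review bot: The `+CERT_MASTER_EMAIL=` line changes the default from the removed `certmaster@${TARGET_SYSTEM}` to the literal `certmaster@example.com`, so an operator who sets only `TARGET_SYSTEM` now hands the Let's Encrypt issuer a contact address in a domain they do not control; `CERT_MASTER_EMAIL="${CERT_MASTER_EMAIL:-certmaster@${TARGET_SYSTEM}}"` keeps the derivation and still honours an explicit override. The two new switches are compared against the exact string `TRUE` (here in `dump_debug_logs`, and `DEPLOY_CERT_MANAGER` again in `main` later in the file), so `true` or `yes` silently leaves the feature off; either normalise once after the defaults, `DEPLOY_CERT_MANAGER="${DEPLOY_CERT_MANAGER^^}"` and `DUMP_LOGS_ON_FAIL="${DUMP_LOGS_ON_FAIL^^}"`, or state in the comments above them that the value is case-sensitive. A one-line comment on `trap dump_debug_logs ERR` noting that `set -E` (on the `set -Eeo pipefail` line) is what makes the trap fire inside functions would save the next reader from re-deriving it.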
@@ -21,13 +39,28 @@ if [[ -z "$CALLING_NODE" ]]; then
 exit 1
 fi
+sync_pg_secrets() {
+ echo "Retrieving PostgreSQL password from databases-ephemeral for wire-server deployment..."
+ if kubectl get secret wire-postgresql-external-secret &>/dev/null; then
+ # Usage: sync-k8s-secret-to-wire-secrets.sh
+ "$BASE_DIR/bin/sync-k8s-secret-to-wire-secrets.sh" \
+ wire-postgresql-external-secret password \
+ "$BASE_DIR/values/wire-server/secrets.yaml" \
+ .brig.secrets.pgPassword .galley.secrets.pgPassword .background-worker.secrets.pgPassword
+ else
+ echo "⚠️ Warning: PostgreSQL secret 'wire-postgresql-secret' not found, skipping secret sync"
+ echo " Make sure databases-ephemeral chart is deployed before wire-server"
+ fi
+ return $?
+}
+
 # Creates values.yaml from prod-values.example.yaml and secrets.yaml from prod-secrets.example.yaml
 # Works on all chart directories in $BASE_DIR/values/
 process_values() {
 ENV=$1
 TYPE=$2
-charts=(fake-aws demo-smtp databases-ephemeral reaper wire-server webapp account-pages team-settings smallstep-accomp ingress-nginx-controller nginx-ingress-services coturn sftd cert-manager)
+charts=(fake-aws smtp rabbitmq databases-ephemeral reaper wire-server webapp account-pages team-settings ingress-nginx-controller nginx-ingress-services coturn sftd cert-manager)
 if [[ "$ENV" != "prod" ]] || [[ -z "$TYPE" ]] ; then
 echo "Error: This function only supports prod deployments with TYPE as values or secrets. ENV must be 'prod', got: '$ENV' and '$TYPE'"
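Review bot: The warning in the `else` branch of `sync_pg_secrets` names `wire-postgresql-secret`, but the object checked by `kubectl get secret` two lines earlier is `wire-postgresql-external-secret`, so an operator following the message looks for the wrong secret; change it to `echo "⚠️ Warning: PostgreSQL secret 'wire-postgresql-external-secret' not found, skipping secret sync"`. The trailing `return $?` after `fi` is redundant (a function already returns its last command's status) and, because the `else` branch ends in a successful `echo`, a skipped sync is reported as success either way; if callers should be able to tell, end the `else` branch with `return 1` and drop the `return $?`. `kubectl get secret` is run without `-n`, so the lookup follows the current kubeconfig context's namespace; that assumption belongs in the comment above the check. `process_values` continues outside the hunk.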
@@ -147,7 +180,7 @@ deploy_charts() {
 deploy_cert_manager() {
 kubectl get namespace cert-manager-ns || kubectl create namespace cert-manager-ns
-helm upgrade --install -n cert-manager-ns cert-manager "$BASE_DIR/charts/cert-manager" --values "$BASE_DIR/values/cert-manager/values.yaml"
+helm upgrade --install --wait --timeout=5m0s -n cert-manager-ns cert-manager "$BASE_DIR/charts/cert-manager" --values "$BASE_DIR/values/cert-manager/values.yaml"
 # display running pods
 kubectl get pods --sort-by=.metadata.creationTimestamp -n cert-manager-ns
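Review bot: `--wait --timeout=5m0s` is written out on this `helm upgrade` line and twice more in the `deploy_calling_services` hunk below, so a slow environment has to edit three places to raise it; a `HELM_TIMEOUT="${HELM_TIMEOUT:-5m0s}"` default next to the other environment defaults at the top of the file and `--wait --timeout="$HELM_TIMEOUT"` in the three calls keeps them in step and overridable like the rest of the script's inputs. Because the new ERR trap in this commit runs `debug_logs.sh` when a command fails, a waited release that never becomes ready now fails here and dumps pod state instead of surfacing later in `nginx-ingress-services`; that is presumably the reason for the wait and deserves a comment on the line, e.g. `# --wait: fail (and dump logs) here if cert-manager never becomes ready`. Whether the other `helm upgrade` calls in the file should wait too is not visible in this hunk.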
@@ -158,36 +191,45 @@ deploy_calling_services() {
 echo "Deploying sftd and coturn"
 # select the node to deploy sftd
 kubectl annotate node "$CALLING_NODE" wire.com/external-ip="$HOST_IP" --overwrite
-helm upgrade --install sftd "$BASE_DIR/charts/sftd" --set "nodeSelector.kubernetes\\.io/hostname=$CALLING_NODE" --values "$BASE_DIR/values/sftd/values.yaml"
+helm upgrade --install --wait --timeout=5m0s sftd "$BASE_DIR/charts/sftd" --set "nodeSelector.kubernetes\\.io/hostname=$CALLING_NODE" --values "$BASE_DIR/values/sftd/values.yaml"
 kubectl annotate node "$CALLING_NODE" wire.com/external-ip="$HOST_IP" --overwrite
-helm upgrade --install coturn "$BASE_DIR/charts/coturn" --set "nodeSelector.kubernetes\\.io/hostname=$CALLING_NODE" --values "$BASE_DIR/values/coturn/values.yaml" --values "$BASE_DIR/values/coturn/secrets.yaml"
+helm upgrade --install --wait --timeout=5m0s coturn "$BASE_DIR/charts/coturn" --set "nodeSelector.kubernetes\\.io/hostname=$CALLING_NODE" --values "$BASE_DIR/values/coturn/values.yaml" --values "$BASE_DIR/values/coturn/secrets.yaml"
+
+ # display running pods post deploying all helm charts in default namespace
+ kubectl get pods --sort-by=.metadata.creationTimestamp
 }
 main() {
+ # Create prod-values.example.yaml to values.yaml and take backup
 process_values "prod" "values"
 # Create prod-secrets.example.yaml to secrets.yaml and take backup
 process_values "prod" "secrets"
+# Sync postgresql secret
+# sync_pg_secrets
+
 # configure chart specific variables for each chart in values.yaml file
 configure_values
 # deploying with external datastores, useful for prod setup
-deploy_charts cassandra-external elasticsearch-external minio-external rabbitmq-external fake-aws demo-smtp databases-ephemeral reaper wire-server webapp account-pages team-settings smallstep-accomp ingress-nginx-controller
+deploy_charts cassandra-external elasticsearch-external minio-external fake-aws smtp rabbitmq-external databases-ephemeral reaper wire-server webapp account-pages 
team-settings ingress-nginx-controller
+
+# deploying cert-manager only when the env var DEPLOY_CERT_MANAGER is set to TRUE
+if [[ "$DEPLOY_CERT_MANAGER" == "TRUE" ]]; then
+ # deploying cert manager to issue certs, by default letsencrypt-http01 issuer is configured
+ deploy_cert_manager
-# deploying cert manager to issue certs, by default letsencrypt-http01 issuer is configured
-deploy_cert_manager
+ # nginx-ingress-services chart needs cert-manager to be deployed
+ deploy_charts nginx-ingress-services
-# nginx-ingress-services chart needs cert-manager to be deployed
-deploy_charts nginx-ingress-services
+ # print status of certs
+ kubectl get certificate
+fi
 # deploying sft and coturn services
-# not implemented yet
 deploy_calling_services
-
-# print status of certs
-kubectl get certificate
 }
-main
\ No newline at end of file
+main
From 80ab1fddfcccb68e0ccab6382d5811fcac5ad1bd Mon Sep 17 00:00:00 2001
From: mohitrajain
Date: Mon, 30 Mar 2026 15:39:29 +0200
Subject: [PATCH 03/13] fix wpb-23987: adapt offline-deploy.sh for hlem-operation.sh UX changes

---
 bin/offline-deploy.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/bin/offline-deploy.sh b/bin/offline-deploy.sh
index 61c7d3dfa..3bede967a 100755
--- a/bin/offline-deploy.sh
+++ b/bin/offline-deploy.sh
@@ -41,4 +41,4 @@ fi
 $DOCKER_RUN_BASE $SSH_MOUNT $WSD_CONTAINER ./bin/offline-cluster.sh
-sudo docker run --network=host -v $PWD:/wire-server-deploy $WSD_CONTAINER ./bin/helm-operations.sh
+sudo docker run --network=host -v $PWD:/wire-server-deploy $WSD_CONTAINER sh -c 'TARGET_SYSTEM="example.dev" CERT_MASTER_EMAIL="certmaster@example.dev" DEPLOY_CERT_MANAGER=TRUE DUMP_LOGS_ON_FAIL=TRUE ./bin/helm-operations.sh'
From ec9ab5f472ae842474340ae94c507469e2d32dcf Mon Sep 17 00:00:00 2001
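Review bot: `main` gains a commented-out `# sync_pg_secrets` line directly after `process_values "prod" "secrets"`, while the function it names is introduced in this same commit, so a reader cannot tell whether the PostgreSQL password sync is unfinished or deliberately off; either gate it the way cert-manager is gated, `if [[ "${SYNC_PG_SECRETS:-FALSE}" == "TRUE" ]]; then sync_pg_secrets; fi`, or replace the dead line with a comment that says why it is disabled and what has to be true before it can be enabled. The `charts=(… smtp rabbitmq …)` array in `process_values` (previous hunk) and the `deploy_charts … smtp rabbitmq-external …` call here name different rabbitmq charts; if `values/rabbitmq` is meant to feed `charts/rabbitmq-external` a comment on one of the two lines should say so, otherwise one of them looks stale. Moving `kubectl get certificate` inside the `DEPLOY_CERT_MANAGER` block is correct, since without cert-manager the CRD is absent and the call would fail under `set -e`; a short comment on the `+fi` line recording that reason would stop someone hoisting it back out.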
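Review bot: The `+sudo docker run … sh -c '…'` line bakes `TARGET_SYSTEM="example.dev"`, `CERT_MASTER_EMAIL`, `DEPLOY_CERT_MANAGER=TRUE` and `DUMP_LOGS_ON_FAIL=TRUE` into a single-quoted shell string, so none of them can be overridden from the environment that runs `offline-deploy.sh`, and the fixed `example.dev` domain contradicts the `${TARGET_SYSTEM:-example.com}` default the same series adds to helm-operations.sh. Passing them with `docker run` keeps one level of quoting and an override path: `-e TARGET_SYSTEM="${TARGET_SYSTEM:-example.dev}" -e CERT_MASTER_EMAIL="${CERT_MASTER_EMAIL:-certmaster@example.dev}" -e DEPLOY_CERT_MANAGER="${DEPLOY_CERT_MANAGER:-TRUE}" -e DUMP_LOGS_ON_FAIL="${DUMP_LOGS_ON_FAIL:-TRUE}"` followed by `$WSD_CONTAINER ./bin/helm-operations.sh`. `$PWD` in the `-v` mount is unquoted on both the old and the new line; `-v "$PWD:/wire-server-deploy"` avoids a broken mount if the checkout path ever contains a space.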
From: mohitrajain
Date: Mon, 30 Mar 2026 15:41:05 +0200
Subject: [PATCH 04/13] fix wpb-23987: introduce private_deployment variable to manage SNAT masquerading for VMs

---
 ansible/files/wiab_server_nftables.conf.j2 | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/ansible/files/wiab_server_nftables.conf.j2 b/ansible/files/wiab_server_nftables.conf.j2
index 709c0e6c9..bf36bb6b2 100644
--- a/ansible/files/wiab_server_nftables.conf.j2
+++ b/ansible/files/wiab_server_nftables.conf.j2
@@ -67,7 +67,9 @@ table ip nat {
 chain POSTROUTING {
 type nat hook postrouting priority 100;
 oifname != docker0 ip saddr 172.17.0.0/16 counter masquerade
+{% if not (private_deployment | default(true) | bool) %}
 oifname $INF_WAN counter masquerade comment "{{ wire_comment }} masquerade outgoing traffic"
+{% endif %}
 }
 chain DOCKER {
 iifname docker0 counter return
From 7fc123f3c93c0ff9b44a1f9211f0fd83af4571a0 Mon Sep 17 00:00:00 2001
From: mohitrajain
Date: Mon, 30 Mar 2026 15:41:58 +0200
Subject: [PATCH 05/13] fix wpb-23987: make nftables run explicit to make implementation easy

---
 ansible/wiab-staging-provision.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/ansible/wiab-staging-provision.yml b/ansible/wiab-staging-provision.yml
index f0bff10c4..5f75e9656 100644
--- a/ansible/wiab-staging-provision.yml
+++ b/ansible/wiab-staging-provision.yml
@@ -297,9 +297,8 @@
 kubenode2_ip: "{{ kubenode_ip_result.results[1].stdout }}"
 kubenode3_ip: "{{ kubenode_ip_result.results[2].stdout }}"
 wire_comment: "wiab-stag"
- tags: always
 - name: Configure nftables
 import_playbook: ./wiab-staging-nftables.yaml
- tags: nftables
+ tags: [never, nftables]
From 599afc3479aea8e79ba05251a4a3afbf92a66ede Mon Sep 17 00:00:00 2001
From: mohitrajain
Date: Mon, 30 Mar 2026 15:42:22 +0200
Subject: [PATCH 06/13] fix wpb-23987: disable WAN SNAT/masquerading for VMs on the private network by default

---
 ansible/inventory/demo/wiab-staging.yml | 2 ++
 1 file changed, 2 insertions(+)
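Review bot: The new `{% if not (private_deployment | default(true) | bool) %}` guard wraps only the `oifname $INF_WAN counter masquerade` rule; the `oifname != docker0 ip saddr 172.17.0.0/16 counter masquerade` line above it stays unconditional, so with `private_deployment` true the adminhost's Docker bridge subnet (presumably what 172.17.0.0/16 is) keeps outbound NAT while the VM subnet loses it. If that split is intended, the template should say so above the guard, e.g. `{# WAN masquerade for the VM bridge is rendered only when private_deployment is false; the docker0 rule above is not affected #}`. The rendered ruleset otherwise gives no hint which branch was taken during an audit of the live config; an `{% else %}` branch emitting `# private_deployment=true: WAN masquerade for VMs intentionally omitted` would make `nft list ruleset` self-explanatory. The default of `true` here matches the inventory value added later in this series, which is the safe direction.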
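Review bot: Dropping `tags: always` from the entry whose `vars` derive `kubenode1_ip`–`kubenode3_ip` from `kubenode_ip_result`, while the nftables import becomes `tags: [never, nftables]`, may leave those variables undefined in the documented `--tags nftables` invocation if the play that registers `kubenode_ip_result` is itself no longer selected; that play is not in the hunk, so this needs confirming by running only the `nftables` tag on a fresh host and checking that the rendered rules carry the node addresses. If the intention is that operators supply the addresses themselves in that mode, say so on the import line, e.g. `# kubenode*_ip and calling_node_ip must be set in the inventory when only the nftables tag is run`. The entry the removed `tags: always` belonged to starts outside the hunk.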
diff --git a/ansible/inventory/demo/wiab-staging.yml b/ansible/inventory/demo/wiab-staging.yml
index a2f35b678..1ff9bfc62 100644
--- a/ansible/inventory/demo/wiab-staging.yml
+++ b/ansible/inventory/demo/wiab-staging.yml
@@ -7,3 +7,5 @@ wiab-staging:
 ansible_ssh_private_key_file: "~/.ssh/id_ed25519"
 vars:
 artifact_hash: deed80d356cbbc2274de3b125313dfa506a1034e
+ # when enabled, disable WAN SNAT/masquerading for VMs on the private network
+ private_deployment: true
From f612be4753674bcb04eb8b313e29203699d5ab2f Mon Sep 17 00:00:00 2001
From: mohitrajain
Date: Mon, 30 Mar 2026 15:44:08 +0200
Subject: [PATCH 07/13] fix wpb-23987: update documentation for nftable changes, no default masquerading and UX changes

---
 offline/wiab-staging.md | 363 ++++++++++++++++++++++++++++------------
 1 file changed, 252 insertions(+), 111 deletions(-)

diff --git a/offline/wiab-staging.md b/offline/wiab-staging.md
index c460d87fb..39c77bef0 100644
--- a/offline/wiab-staging.md
+++ b/offline/wiab-staging.md
@@ -1,6 +1,6 @@ # Scope -**Wire in a Box (WIAB) Staging** is a demo installation of Wire running on a single physical machine using KVM-based virtual machines. This setup replicates the multi-node production Wire architecture in a consolidated environment suitable for testing, evaluation, and learning about Wire's infrastructure—but **not for production use**. +**Wire in a Box (WIAB) Staging** is an installation of Wire running on a single physical machine using KVM-based virtual machines. This setup replicates the multi-node production Wire architecture in a consolidated environment suitable for testing, evaluation, and learning about Wire's infrastructure—but **not for production use**. The main use of this package is to verify that automation inside and outside of the wire product functions in the fashion you expect, before you run said automation in production. This will not test your network environment, load based behaviors, or the interface between wire and it's calling services when using a DMZ'd network configuration. **Important:** This is a sandbox environment. Data from a staging installation cannot be migrated to production. WIAB Staging is designed for experimentation, validation, and understanding Wire's deployment model. 
@@ -13,11 +13,11 @@ - This solution helps developers understand Wire's infrastructure requirements and test deployment processes **Resource Requirements:** -- One physical machine with hypervisor support: +- One physical machine (aka `adminhost`) with hypervisor support: - **Memory:** 55 GiB RAM - **Compute:** 29 vCPUs - **Storage:** 850 GB disk space (thin-provisioned) - - 7 VMs with [Ubuntu 22](https://releases.ubuntu.com/jammy/) as per (#VM-Provisioning) + - 7 VMs with [Ubuntu 22](https://releases.ubuntu.com/jammy/) as per [required resources](#vm-provisioning) - **DNS Records**: - a way to create DNS records for your domain name (e.g. wire.example.com) - Find a detailed explanation at [How to set up DNS records](https://docs.wire.com/latest/how-to/install/demo-wiab.html#dns-requirements) 
@@ -50,20 +50,32 @@ We would require 7 VMs as per the following details, you can choose to use your - **kubenodes (kubenode1, kubenode2, kubenode3):** Run the Kubernetes cluster and host Wire backend services - **datanodes (datanode1, datanode2, datanode3):** Run distributed data services: - - Cassandra (distributed database) - - PostgreSQL (operational database) - - Elasticsearch (search engine) - - Minio (S3-compatible object storage) - - RabbitMQ (message broker) + - Cassandra + - PostgreSQL + - Elasticsearch + - Minio + - RabbitMQ - **assethost:** Hosts static assets to be used by kubenodes and datanodes +### Internet access for VMs: + +In most cases, Wire Server components do not require internet access, except in the following situations: +- **External email services** – If your users’ email servers are hosted on the public internet (for example, user@gmail.com etc). +- **Mobile push notifications (FCM/APNS)** – Required to enable notifications for Android and Apple mobile devices. Wire uses [AWS services](https://docs.wire.com/latest/how-to/install/infrastructure-configuration.html#enable-push-notifications-using-the-public-appstore-playstore-mobile-wire-clients) to relay notifications to Firebase Cloud Messaging (FCM) and Apple Push Notification Service (APNS). +- **Third-party content previews** – If you want clients to display previews for services such as Giphy, Google, Spotify, or SoundCloud. Wire provides a proxy service for third-party content so clients do not communicate directly with these services, preventing exposure of IP addresses, cookies, or other metadata. +- **Federation with other Wire servers** – Required if your deployment needs to federate with another Wire server hosted on the public internet. + +> **Note:** Internet access is also required by the cert-manager pods (via Let's Encrypt) to issue TLS certificates when manual certificates are not used. 
+> +> This internet access is temporarily enabled as described in [cert-manager behaviour in NAT / bridge environments](#cert-manager-behaviour-in-nat--bridge-environments) to allow certificate issuance. Once the certificates are successfully issued by cert-manager, the internet access is removed from the VMs. + ## WIAB staging ansible playbook -The ansible playbook will perform the following operations for you: +The WIAB-staging ansible playbooks require internet access to be available on the target machine. Assuming it is available, these playbooks will perform the following steps automatically: **System Setup & Networking**: - Updates all system packages and installs required tools (git, curl, docker, qemu, libvirt, yq, etc.) - - Configures SSH, firewall (nftables), and user permissions (sudo, kvm, docker groups) + - Configures SSH and user permissions (sudo, kvm, docker groups) **wire-server-deploy Artifact & Ubuntu Cloud Image**: - Downloads wire-server-deploy static artifact and Ubuntu cloud image @@ -79,7 +91,6 @@ The ansible playbook will perform the following operations for you: - Generates inventory.yml with actual VM IPs replacing placeholders - Configures network interface variables for all k8s-nodes and datanodes - *Note: Skip the Ansible playbook step if you are managing VMs with your own hypervisor.* ### Getting started with Ansible playbook @@ -90,6 +101,7 @@ We need the whole ansible directory as ansible-playbook uses some templates for **Option A: Download as ZIP** ```bash +# requirements: wget and unzip wget https://github.com/wireapp/wire-server-deploy/archive/refs/heads/master.zip unzip master.zip cd wire-server-deploy-master @@ -97,6 +109,7 @@ cd wire-server-deploy-master **Option B: Clone with Git** ```bash +# requirements: git git clone https://github.com/wireapp/wire-server-deploy.git cd wire-server-deploy ``` 
@@ -104,8 +117,9 @@ cd wire-server-deploy **Step 2: Configure your Ansible inventory for your physical machine** A sample inventory is available at [ansible/inventory/demo/wiab-staging.yml](https://github.com/wireapp/wire-server-deploy/blob/master/ansible/inventory/demo/wiab-staging.yml). +Replace example.com with your physical machine (`adminhost`) address where KVM is available and adjust other variables like `ansible_user` and `ansible_ssh_private_key_file`. The SSH user for ansible `ansible_user` should have password-less `sudo` access. The adminhost should be running Ubuntu 22.04. From here on, we would refer the physical machine as `adminhost`. -*Note: Replace example.com with your physical machine address where KVM is available and adjust other variables accordingly.* +The `private_deployment` variable determines whether the VMs created below will have internet access. When set to `true` (default value), no internet access is available to VMs. Check [Internet access for VMs](#internet-access-for-vms) to understand more about it. **Step 3: Run the VM and network provision** 
@@ -117,30 +131,49 @@ ansible-playbook -i ansible/inventory/demo/wiab-staging.yml ansible/wiab-staging ## Ensure secondary ansible inventory for VMs -Now you should have 7 VMs running on your physical machine. If you have used the ansible playbook, you should also have a directory `/home/ansible_user/wire-server-deploy` with all resources required for further deployment. If you didn't use the above playbook, download the `wire-server-deploy` artifact shared by Wire support and unarchieve (tar tgz) it. +Now you should have 7 VMs running on your `adminhost`. If you have used the ansible playbook, you should also have a directory `/home/ansible_user/wire-server-deploy` with all resources required for further deployment. If you didn't use the above playbook, download the `wire-server-deploy` artifact shared by Wire support and extract it with tar. Ensure the inventory file `ansible/inventory/offline/inventory.yml` in the directory `/home/ansible_user/wire-server-deploy` contains values corresponding to your VMs. If you have already used the [Ansible playbook above](#getting-started-with-ansible-playbook) to set up VMs, this file should have been prepared for you. +The purpose of secondary ansible inventory is to interact only with the VMs. All the operations concerning the secondary inventory are meant to install datastores and k8s services. + ## Next steps Since the inventory is ready, please continue with the following steps: -### Environment Setup +> **Note**: All next steps assume that the wire-server-deploy artifact has been downloaded on the `adminhost` (your physical machine) and extracted at `/home/ansible_user/wire-server-deploy`. All commands from here on will be issued from this directory on the `adminhost`. Make sure you SSH into the node before proceeding. 
-- **[Making tooling available in your environment](docs_ubuntu_22.04.md#making-tooling-available-in-your-environment)** - - Source the `bin/offline-env.sh` shell script by running `source bin/offline-env.sh` to set up a `d` alias that runs commands inside a Docker container with all necessary tools for offline deployment. +### Environment Setup - **[Generating secrets](docs_ubuntu_22.04.md#generating-secrets)** - - Run `./bin/offline-secrets.sh` to generate fresh secrets for Minio and coturn services. This creates two secret files: `ansible/inventory/group_vars/all/secrets.yaml` and `values/wire-server/secrets.yaml`. + - Run `bin/offline-secrets.sh` to generate fresh secrets for Minio and coturn services. It uses the docker container images shipped inside the `wire-server-deploy` directory. + ```bash + ./bin/offline-secrets.sh + ``` + - This creates following secret files: + - `ansible/inventory/group_vars/all/secrets.yaml` + - `values/wire-server/secrets.yaml` + - `values/coturn/prod-secrets.example.yaml` + +- **[Making tooling available in your environment](docs_ubuntu_22.04.md#making-tooling-available-in-your-environment)** + - Source the `bin/offline-env.sh` shell script by running following command to set up a `d` alias that runs commands inside a Docker container with all necessary tools for offline deployment. + ```bash + source bin/offline-env.sh + ``` + - You can always use this alias `d` later to interact with the ansible playbooks, k8s cluster and the helm charts. + - The docker container mounts everything here from the `wire-server-deploy` directory, hence this acts an entry point for all the future interactions with ansible, k8s and helm charts. ### Kubernetes & Data Services Deployment - **[Deploying Kubernetes and stateful services](docs_ubuntu_22.04.md#deploying-kubernetes-and-stateful-services)** - - Run `d ./bin/offline-cluster.sh` to deploy Kubernetes and stateful services (Cassandra, PostgreSQL, Elasticsearch, Minio, RabbitMQ). 
This script deploys all infrastructure needed for Wire backend operations. + ```bash + d ./bin/offline-cluster.sh + ``` + - Run the above command to deploy Kubernetes and stateful services (Cassandra, PostgreSQL, Elasticsearch, Minio, RabbitMQ). This script deploys all infrastructure needed for Wire backend operations. ### Helm Operations to install wire services and supporting helm charts -**Helm chart deployment (automated):** The script `bin/helm-operations.sh` will deploy the charts for you. It prepares `values.yaml`/`secrets.yaml`, customizes them for your domain/IPs, then runs Helm installs/upgrades in the correct order. +**Helm chart deployment (automated):** The script `bin/helm-operations.sh` will deploy the charts for you. It prepares `values.yaml`/`secrets.yaml`, customizes them for your domain/IPs, then runs Helm installs/upgrades in the correct order. Prepare the values before running it. **User-provided inputs (set these before running):** - `TARGET_SYSTEM`: your domain (e.g., `wire.example.com` or `example.dev`). 
@@ -148,16 +181,20 @@ Since the inventory is ready, please continue with the following steps: - `HOST_IP`: public IP that matches your DNS A record (auto-detected if empty). **TLS / certificate behavior (cert-manager vs. Bring Your Own):** -- By default, `bin/helm-operations.sh` runs `deploy_cert_manager`, which installs cert-manager and configures a Let’s Encrypt (HTTP-01) issuer for the ingress charts. -- If you **do not** want Let’s Encrypt / cert-manager (for example, you are using **[Bring Your Own certificates](docs_ubuntu_22.04.md#acquiring--deploying-ssl-certificates)** or you cannot satisfy HTTP-01 requirements), disable this step by commenting out the `deploy_cert_manager` call inside `bin/helm-operations.sh`. - - After disabling cert-manager, ensure your ingress is configured with your own TLS secret(s) as described in the TLS documentation below. +- By default, `bin/helm-operations.sh` has `DEPLOY_CERT_MANAGER=TRUE`, which installs cert-manager and configures a Let’s Encrypt (HTTP-01) issuer for the ingress charts. +- If you **do not** want Let’s Encrypt / cert-manager (for example, you are using **[Bring Your Own certificates](docs_ubuntu_22.04.md#acquiring--deploying-ssl-certificates)**), disable this step by passing the environment variable `DEPLOY_CERT_MANAGER=FALSE` when running `bin/helm-operations.sh`. + - When choosing `DEPLOY_CERT_MANAGER=FALSE`, ensure your ingress is configured with your own TLS secret(s) as described at [Acquiring / Deploying SSL Certificates](docs_ubuntu_22.04.md#acquiring--deploying-ssl-certificates). + - When choosing `DEPLOY_CERT_MANAGER=TRUE`, ensure if further network configuration is required by following [cert-manager behaviour in NAT / bridge environments](#cert-manager-behaviour-in-nat--bridge-environments). 
-**To run the automated helm chart deployment**: -`d ./bin/helm-operations.sh` +**To run the automated helm chart deployment with your variables**: +```bash +# example command - verify the variables before running it +d sh -c 'TARGET_SYSTEM="example.dev" CERT_MASTER_EMAIL="certmaster@example.dev" DEPLOY_CERT_MANAGER=TRUE ./bin/helm-operations.sh' +``` **Charts deployed by the script:** -- External datastores and helpers: `cassandra-external`, `elasticsearch-external`, `minio-external`, `rabbitmq-external`, `databases-ephemeral`, `reaper`, `fake-aws`, `demo-smtp`. -- Wire services: `wire-server`, `webapp`, `account-pages`, `team-settings`, `smallstep-accomp`. +- External datastores and helpers: `cassandra-external`, `elasticsearch-external`, `minio-external`, `rabbitmq-external`,`postgresql-external`, `databases-ephemeral`, `reaper`, `fake-aws`, `smtp`. +- Wire services: `wire-server`, `webapp`, `account-pages`, `team-settings`. - Ingress and certificates: `ingress-nginx-controller`, `cert-manager`, `nginx-ingress-services`. - Calling services: `sftd`, `coturn`. 
@@ -165,115 +202,220 @@ Since the inventory is ready, please continue with the following steps: - Creates `values.yaml` and `secrets.yaml` from `prod-values.example.yaml` and `prod-secrets.example.yaml` for each chart under `values/`. - Backs up any existing `values.yaml`/`secrets.yaml` before replacing them. -**Values configured by the script:** -- Replaces `example.com` with `TARGET_SYSTEM` in Wire and webapp hostnames. -- Enables cert-manager and sets `certmasterEmail` using `CERT_MASTER_EMAIL`. -- Sets SFTD hosts and switches issuer to `letsencrypt-http01`. -- Sets coturn listen/relay/external IPs using the calling node IP and `HOST_IP`. - *Note: The `bin/helm-operations.sh` script above deploys these charts; you do not need to run the Helm commands manually unless you want to customize or debug.* ## Network Traffic Configuration -### Bring traffic from the physical machine to Wire services in the k8s cluster +### Bring traffic from the adminhost to Wire services in the k8s cluster -If you used the Ansible playbook earlier, nftables firewall rules are pre-configured to forward traffic. If you set up VMs manually with your own hypervisor, you must manually configure network traffic flow using nftables. +Our Wire services are ready to receive traffic but we must enable network access from the `adminhost` network interface to the k8s pods running in the virtual network. We can achieve it by setting up [nftables](https://documentation.ubuntu.com/security/security-features/network/firewall/nftables/) rules on the `adminhost`. When using any other type of firewall tools, please ensure following network configuration is achieved. **Required Network Configuration:** -The physical machine must forward traffic from external clients to the Kubernetes cluster running Wire services. This involves: - -1. 
**HTTP/HTTPS Traffic (Ingress)** - Forward ports 80 and 443 to the nginx-ingress-controller running on a Kubernetes node - - Port 80 (HTTP) → Kubernetes node port 31772 - - Port 443 (HTTPS) → Kubernetes node port 31773 - -2. **Calling Services Traffic (Coturn/SFT)** - Forward media and TURN protocol traffic to Coturn/SFT - - Port 3478 (TCP/UDP) → Coturn control traffic - - Ports 32768-65535 (UDP) → Media relay traffic for WebRTC calling +The `adminhost` must forward traffic from external clients to the Kubernetes cluster running Wire services. This involves: + +1. **HTTP/HTTPS Traffic (Ingress)** – Forward external web traffic to Kubernetes ingress with load balancing across nodes + - Port 80 (TCP, from any external source to adminhost WAN IP) → DNAT to any Kubernetes node on port 31772 → HTTP ingress + - Port 443 (TCP, from any external source to adminhost WAN IP) → DNAT to any Kubernetes node on port 31773 → HTTPS ingress + +2. **Calling Services Traffic (Coturn/SFT)** – Forward TURN control and media traffic to the dedicated calling node + - Port 3478 (TCP/UDP, from any external source to adminhost WAN IP) → DNAT to calling node → TURN control traffic + - Ports 32768–65535 (UDP, from any external source to adminhost WAN IP) → DNAT to calling node → WebRTC media relay + +3. **Normal Access Rules (Host-Level Access)** – Restrict direct access to adminhost + - Port 22 (TCP, from allowed sources to adminhost) → allow → SSH access + - Traffic from loopback and VM bridge interfaces → allow → internal communication + - Any traffic within VM network → allowed → ensures inter-node communication + - All other inbound traffic to adminhost → drop → default deny policy + +4. **Masquerading (If [Internet access for VMs](#internet-access-for-vms) is required)** – Enable outbound connectivity for VMs + - Any traffic from VM subnet leaving via WAN interface → SNAT/masquerade → ensures return traffic from internet. + +5. 
**Conditional Rules (cert-manager / HTTP-01 in NAT setups)** – Temporary adjustments for certificate validation + - DNAT hairpin traffic (VM → public IP → VM) → may require SNAT/masquerade on VM bridge → ensures return path during HTTP-01 self-checks + - Asymmetric routing scenarios → may require relaxed reverse path filtering → prevents packet drops during validation + +```mermaid +flowchart TB + +%% External Clients +Client[External Client] +LetsEncrypt["(Optional)
Let's Encrypt"] +Internet["(If Required)
Internet Services
(AWS/FCM/APNS, Email Services etc)"] + +%% Admin Host +AdminHost["AdminHost
(Firewall)"] + +%% VM Network +subgraph VM_Network ["VM Network (virbr0)"] + K1[KubeNode1] + K2[KubeNode2] + K3["KubeNode3
(CALLING NODE)"] +end + +%% Ingress Traffic +Client -->|HTTPS → wire-records.example.com| AdminHost +AdminHost -->|"DNAT →31772/31773"| K1 +AdminHost -->|"DNAT →31772/31773"| K2 +AdminHost -->|"DNAT →31772/31773"| K3 + +%% Calling Traffic +Client -->|TCP/UDP Calling| AdminHost +AdminHost -->|DNAT → Calling Node| K3 + +%% Outbound Traffic (Masquerade) +K1 -.->|SNAT via AdminHost| Internet +K2 -.->|SNAT via AdminHost| Internet +K3 -.->|SNAT via AdminHost| Internet + +%% Cert-Manager Flow +K1 <-.->|HTTP-01 self-check| AdminHost +AdminHost-.->|Request TLS certificate| LetsEncrypt +``` **Implementation:** -Use the detailed nftables rules in [../ansible/files/wiab_server_nftables.conf.j2](../ansible/files/wiab_server_nftables.conf.j2) as the template. The guide covers: -- Defining your network variables (Coturn IP, Kubernetes node IP, WAN interface) -- Creating NAT rules for HTTP/HTTPS ingress traffic -- Setting up TURN protocol forwarding for Coturn -- Restarting nftables to apply changes +The nftables rules are detailed in [wiab_server_nftables.conf.j2](https://github.com/wireapp/wire-server-deploy/blob/master/ansible/files/wiab_server_nftables.conf.j2). Please ensure no other firewall services like `ufw` or `iptables` are configured on the node before continuing. 
-You can also apply these rules using the Ansible playbook, by following: +If you have already used the `wiab-staging-provision.yml` ansible playbook to create the VMs, then you can apply these rules using the same playbook (with the tag `nftables`) against your adminhost, by following: ```bash -ansible-playbook -i inventory.yml ansible/wiab-staging-nftables.yml +ansible-playbook -i ansible/inventory/demo/wiab-staging.yml ansible/wiab-staging-provision.yml --tags nftables +``` +Alternatively, if you have not used the `wiab-staging-provision.yml` ansible playbook to create the VMs but would like to configure nftables rules, you can invoke the ansible playbook [wiab-staging-nftables.yaml](https://github.com/wireapp/wire-server-deploy/blob/master/ansible/wiab-staging-nftables.yaml) against the physical node. The playbook is available in the directory `wire-server-deploy/ansible`. + +The inventory file `inventory.yml` should define the following variables: +```yaml +wiab-staging: + hosts: + deploy_node: + # this should be the adminhost + ansible_host: example.com + ansible_ssh_common_args: '-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ServerAliveInterval=60 -o ServerAliveCountMax=3 -o TCPKeepAlive=yes' + ansible_user: 'demo' + ansible_ssh_private_key_file: "~/.ssh/id_ed25519" + vars: + # Kubernetes node IPs + kubenode1_ip: 192.168.122.11 + kubenode2_ip: 192.168.122.12 + kubenode3_ip: 192.168.122.13 + # Calling services node(kubenode3) + calling_node_ip: 192.168.122.13 + wire_comment: "wiab-stag" + # it will disable internet access to VMs created on the private network + private_deployment: true + # the playbook will try to find the default interface i.e. INF_WAN from ansible_default_ipv4.interface ``` -*Note: If you ran the playbook wiab-staging-provision.yml then it might already be configured for you. 
Please confirm before running.* - -The inventory should define the following variables: +To implement the nftables rules, execute the following command: +```bash +# assuming the inventory.yml storead at wire-server-deploy and run command from the same directory +ansible-playbook -i inventory.yml ansible/wiab-staging-nftables.yaml +``` -```ini -[all:vars] -# Kubernetes node IPs -kubenode1_ip=192.168.122.11 -kubenode2_ip=192.168.122.12 -kubenode3_ip=192.168.122.13 +### cert-manager behaviour in NAT / bridge environments -# Calling services node (usually kubenode3) -calling_node_ip=192.168.122.13 +When cert-manager performs HTTP-01 self-checks inside the cluster, traffic can hairpin: -# Host WAN interface name -inf_wan=eth0 -``` +- Pod → Node → host public IP → DNAT → Node → Ingress -> **Note (cert-manager & hairpin NAT):** -> When cert-manager performs HTTP-01 self-checks inside the cluster, traffic can hairpin (Pod → Node → host public IP → DNAT → Node → Ingress). -> If your nftables rules DNAT in `PREROUTING` without a matching SNAT on `virbr0 → virbr0`, return packets may bypass the host and break conntrack, causing HTTP-01 timeouts, resulting in certificate verification failure. -> Additionally, strict `rp_filter` can drop asymmetric return packets. -> If cert-manager is deployed in a NAT/bridge (`virbr0`) environment, first verify whether certificate issuance is failing before applying hairpin handling. -> Check whether certificates are successfully issued: +> **Note**: Using Let's encrypt with `cert-manager` requires internet access ([to at least `acme-v02.api.letsencrypt.org`](https://letsencrypt.org/docs/acme-protocol-updates/)) to issue TLS certs. If you have chosen to keep the network private i.e. `private_deployment=true` for the VMs when applying nftables rules aka no internet access to VMs, then we need to make a temporary exception for this. 
+> +> To add a nftables masquerading rule for all outgoing traffic run the following command on the `adminhost` or make a similar change in your firewall: +> > ```bash -> d kubectl get certificates +> # Host WAN interface name +> INF_WAN=enp41s0 +> sudo nft insert rule ip nat POSTROUTING position 0 \ +> oifname $INF_WAN \ +> counter masquerade \ +> comment "wire-masquerade-for-letsencrypt" > ``` -> If certificates are not in `Ready=True` state, inspect cert-manager logs for HTTP-01 self-check or timeout errors: +> +> If you are using a different implementation than nftables then please ensure Internet access to VMs. + +In NAT/bridge setups (for example, using `virbr0` on the host): + +- If nftables DNAT rules exist in `PREROUTING` without a matching SNAT on `virbr0 → virbr0`, return packets may bypass the host and break conntrack, causing HTTP-01 timeouts and certificate verification failures. +- too strict of `rp_filter` settings can drop asymmetric return packets. + +Before changing anything, first verify whether certificate issuance is actually failing: + +1. Check whether certificates are successfully issued: + ```bash + d kubectl get certificates + ``` +2. Check if k8s pods can access to its own domain: + ```bash + # Replace below. To find the aws-sns pod id, run the command: + # d kubectl get pods -l 'app=fake-aws-sns' + d kubectl exec -ti fake-aws-sns- -- sh -c 'curl --connect-timeout 10 -v webapp.' + ``` +3. If certificates are not in `Ready=True` state, inspect cert-manager logs for HTTP-01 self-check or timeout errors: + ```bash + # To find the , run the following command: + # d kubectl get pods -n cert-manager-ns -l 'app=cert-manager' + d kubectl logs -n cert-manager-ns + ``` + +If you observe HTTP-01 challenge timeouts or self-check failures in a NAT/bridge environment, hairpin SNAT and relaxed reverse-path filtering handling may be required. 
One possible approach is by making following changes to the adminhost: + +> **Note:** All `nft` and `sysctl` commands should run on the adminhost. + +- Relax reverse-path filtering to loose mode to allow asymmetric flows: + ```bash + sudo sysctl -w net.ipv4.conf.all.rp_filter=2 + sudo sysctl -w net.ipv4.conf.virbr0.rp_filter=2 + ``` + These settings help conntrack reverse DNAT correctly and avoid drops during cert-manager’s HTTP-01 challenges in NAT/bridge (`virbr0`) environments. + +- Enable Hairpin SNAT (temporary for cert-manager HTTP-01): + ```bash + sudo nft insert rule ip nat POSTROUTING position 0 \ + iifname "virbr0" oifname "virbr0" \ + ip daddr 192.168.122.0/24 ct status dnat \ + counter masquerade \ + comment "wire-hairpin-dnat-virbr0" + ``` + This forces DNATed traffic that hairpins over the bridge to be masqueraded, ensuring return traffic flows back through the host and conntrack can correctly reverse the DNAT. + + Verify the rule was added: + ```bash + sudo nft list chain ip nat POSTROUTING + ``` + You should see a rule similar to: + ``` + iifname "virbr0" oifname "virbr0" ip daddr 192.168.122.0/24 ct status dnat counter masquerade # handle + ``` + +- Remove the rule after certificates are issued, confirm by running the following: + ```bash + d kubectl get certificates + ``` + + Once Let’s Encrypt validation completes and certificates are issued, remove the temporary hairpin SNAT rule. Use the following pipeline to locate the rule handle and delete it safely: + ```bash + sudo nft -a list chain ip nat POSTROUTING | \ + grep wire-hairpin-dnat-virbr0 | \ + sed -E 's/.*handle ([0-9]+).*/\1/' | \ + xargs -r -I {} sudo nft delete rule ip nat POSTROUTING handle {} + ``` + +> **Note**: If above you had made an exception to allow temporary internet access to VMs by adding a nftables rules, then this should be removed now. 
+> +> To remove the nftables masquerading rule for all outgoing traffic run the following command: +> > ```bash -> d kubectl logs -n cert-manager-ns +> # remove the masquerading rule +> sudo nft -a list chain ip nat POSTROUTING | \ +> grep wire-masquerade-for-letsencrypt | \ +> sed -E 's/.*handle ([0-9]+).*/\1/' | \ +> xargs -r -I {} sudo nft delete rule ip nat POSTROUTING handle {} > ``` -> If you observe HTTP-01 challenge timeouts or self-check failures in a NAT/bridge environment, hairpin SNAT and relaxed reverse-path filtering handling may be required. - > - Relax reverse-path filtering to loose mode to allow asymmetric flows: - > ```bash - > sudo sysctl -w net.ipv4.conf.all.rp_filter=2 - > sudo sysctl -w net.ipv4.conf.virbr0.rp_filter=2 - > ``` - > These settings help conntrack reverse DNAT correctly and avoid drops during cert-manager’s HTTP-01 challenges in NAT/bridge (virbr0) environments. - > - > - Enable Hairpin SNAT (temporary for cert-manager HTTP-01): - > ```bash - > sudo nft insert rule ip nat POSTROUTING position 0 \ - > iifname "virbr0" oifname "virbr0" \ - > ip daddr 192.168.122.0/24 ct status dnat \ - > counter masquerade \ - > comment "wire-hairpin-dnat-virbr0" - > ``` - > This forces DNATed traffic that hairpins over the bridge to be masqueraded, ensuring return traffic flows back through the host and conntrack can correctly reverse the DNAT. - > Verify the rule was added: - > ```bash - > sudo nft list chain ip nat POSTROUTING - > ``` - > You should see a rule similar to: - > ``` - > iifname "virbr0" oifname "virbr0" ip daddr 192.168.122.0/24 ct status dnat counter masquerade # handle - > ``` - > - > - Remove the rule after certificates are issued - > ```bash - > d kubectl get certificates - > ``` - > - Once Let's Encrypt validation completes and certificates are issued, remove the temporary hairpin SNAT rule. 
Use the following pipeline to locate the rule handle and delete it safely: - > ```bash - > sudo nft -a list chain ip nat POSTROUTING | \ - > grep wire-hairpin-dnat-virbr0 | \ - > sed -E 's/.*handle ([0-9]+).*/\1/' | \ - > xargs -r -I {} sudo nft delete rule ip nat POSTROUTING handle {} - > ``` +> +> If you are using a different implementation than nftables then please ensure temporary Internet access to VMs has been removed. +For additional background on when hairpin NAT is required and how it relates to WIAB Dev and WIAB Staging, see [Hairpin networking for WIAB Dev and WIAB Staging](tls-certificates.md#hairpin-networking-for-wiab-dev-and-wiab-staging). ## Further Reading @@ -282,7 +424,6 @@ inf_wan=eth0 - **[Deploying webapp](docs_ubuntu_22.04.md#deploying-webapp)**: Read more about webapp deployment and domain configuration. - **[Deploying team-settings](docs_ubuntu_22.04.md#deploying-team-settings)**: Read more about team settings services. - **[Deploying account-pages](docs_ubuntu_22.04.md#deploying-account-pages)**: Read more about account management services. -- **[Deploying smallstep-accomp](docs_ubuntu_22.04.md#deploying-smallstep-accomp)**: Read more about the ACME companion. - **[Enabling emails for wire](smtp.md)**: Read more about SMTP options for onboarding email delivery and relay setup. - **[Deploy ingress-nginx-controller](docs_ubuntu_22.04.md#deploy-ingress-nginx-controller)**: Read more about ingress configuration and traffic forwarding requirements. - **[Acquiring / Deploying SSL Certificates](docs_ubuntu_22.04.md#acquiring--deploying-ssl-certificates)**: Read more about TLS options (Bring Your Own or cert-manager) and certificate requirements. From 4c17ebbc1cf148a936ff0bb8a2dedd4241b2ebd2 Mon Sep 17 00:00:00 2001 
From: mohitrajain Date: Mon, 30 Mar 2026 15:44:51 +0200 Subject: [PATCH 08/13] fix wpb-23987: sftd helm chart values for joinCall component which fails to find hashbased images --- values/sftd/prod-values.example.yaml | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/values/sftd/prod-values.example.yaml b/values/sftd/prod-values.example.yaml index e10f2d60a..1c2374f9e 100644 --- a/values/sftd/prod-values.example.yaml +++ b/values/sftd/prod-values.example.yaml @@ -1,3 +1,5 @@ +# this value should be set to 3 when deployed in a full production DMZ manner +# replicaCount = 1 is to support the simple wiab-staging solution replicaCount: 1 # image: # tag: some-tag # (only override if you want a newer/different version than what is in the chart) @@ -7,6 +9,16 @@ tls: issuerRef: name: letsencrypt-http01 kind: ClusterIssuer + +joinCall: +# this value should be set to 3 when deployed in a full production DMZ manner +# replicaCount = 1 is to support the simple wiab-staging solution + replicaCount: 1 + image: + repository: docker.io/bitnamilegacy/nginx + pullPolicy: IfNotPresent + tag: "1.27.3-debian-12-r5" + # Uncomment to enable SFT to SFT communication for federated calls # multiSFT: # enabled: true From 42a6a41782d98b1f1d3cea275f23d465adaf6cdd Mon Sep 17 00:00:00 2001 From: mohitrajain Date: Mon, 30 Mar 2026 19:02:46 +0200 Subject: [PATCH 09/13] fix wpb-23987: update helm chart name --- bin/helm-operations.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/bin/helm-operations.sh b/bin/helm-operations.sh index 62b0fab85..d60a1805a 100755 --- a/bin/helm-operations.sh +++ b/bin/helm-operations.sh 
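Review bot: The new `joinCall.image` block in the second hunk pins the sidecar by a mutable tag (`tag: "1.27.3-debian-12-r5"`) together with `pullPolicy: IfNotPresent`, so a node that already has that tag cached keeps running whatever it cached and a re-pushed tag upstream is never noticed; since the subject line says the digest-based references were what failed, the reason for the tag pin should be recorded next to the value, e.g. `# pinned by tag: the joinCall image lookup fails on digest references (wpb-23987); re-check the tag when bumping`. The `docker.io/bitnamilegacy/nginx` repository is, as far as I know, the frozen archive of the former Bitnami catalogue and no longer receives security updates, so the example values should state whether operators are expected to swap in a maintained nginx image for production rather than copy this verbatim. The two comment lines directly under `joinCall:` sit at column 0 while the keys they describe are indented two spaces; indenting them to match `replicaCount: 1` keeps the block readable, and the replicaCount note is otherwise a verbatim duplicate of the one added in the first hunk.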
@@ -60,7 +60,7 @@ process_values() { ENV=$1 TYPE=$2 - charts=(fake-aws smtp rabbitmq databases-ephemeral reaper wire-server webapp account-pages team-settings ingress-nginx-controller nginx-ingress-services coturn sftd cert-manager) + charts=(fake-aws demo-smtp rabbitmq databases-ephemeral reaper wire-server webapp account-pages team-settings ingress-nginx-controller nginx-ingress-services coturn sftd cert-manager) if [[ "$ENV" != "prod" ]] || [[ -z "$TYPE" ]] ; then echo "Error: This function only supports prod deployments with TYPE as values or secrets. ENV must be 'prod', got: '$ENV' and '$TYPE'" @@ -214,7 +214,7 @@ process_values "prod" "secrets" configure_values # deploying with external datastores, useful for prod setup -deploy_charts cassandra-external elasticsearch-external minio-external fake-aws smtp rabbitmq-external databases-ephemeral reaper wire-server webapp account-pages team-settings ingress-nginx-controller +deploy_charts cassandra-external elasticsearch-external minio-external fake-aws demo-smtp rabbitmq-external databases-ephemeral reaper wire-server webapp account-pages team-settings ingress-nginx-controller # deploying cert-manager only when the env var DEPLOY_CERT_MANAGER is set to TRUE if [[ "$DEPLOY_CERT_MANAGER" == "TRUE" ]]; then From 8a1235192ac780b298e1895ed41921acdd3ea15a Mon Sep 17 00:00:00 2001 From: mohitrajain Date: Mon, 30 Mar 2026 19:03:40 +0200 Subject: [PATCH 10/13] fix wpb-23987: update wiab-staging documentation and add an architecture diagram --- offline/architecture-wiab-stag.png | Bin 0 -> 149893 bytes offline/wiab-staging.md | 31 +++++++++++++++-------------- 2 files changed, 16 insertions(+), 15 deletions(-) create mode 100644 offline/architecture-wiab-stag.png 
diff --git a/offline/architecture-wiab-stag.png b/offline/architecture-wiab-stag.png new file mode 100644 index 0000000000000000000000000000000000000000..9c5c5fd0c2d95184b35c722138556f27af2a20c6 GIT binary patch literal 149893 zcmeEv2Ut@{+jc;)fQkh~QN*r*h8l`U6Kr4rO#(8Jz}y3#wS zpt3YWk&XrFpi)8${1ZqNmECvud$-{GyO$T6%sFRf&dmL^`+3gE6;WsSjF%+5|o0xC)!l{zPDeYBb3Y%{o++Hw|aWngGE+ca~M@Znto za^L{lqsV*mGZ6zuuWGO-&U~X^p zKFuADTA?kC;aCGhGtjYt18qVgLZY*CGH{%25t9&`Z7{N;k3$=l+JL|~(Qk!zcSg1t z14CN&lQK!rblf*W{5E|rjHCZadwvGX!^;t25V!q0oH!@`kAKh*O9)OR#+_P zZ_cL89+>-=3R-zXGwNc~*O4|3fX$!3_Va33eFpe{)18@;-J!E;@>cp7J%RJe=Y)~+ z23R`0EYV-apbcwn<4A|FjiCd$^+VP+R#;O*d8`?hien3`1=yrRKwQnfX)?AkHv=b7 zCGQ;8!iI()Arbm_TF2DmK!9v8U}NRXFh*1{GRGJgP)9w4rZwn;Tc?T*kYTD6*`dvB zY0yvy0!dwH3-AX>yucxFqk1-2&hfJznk=p z2V!K1H8-@eas<5^&%u=lZ8z+{U{Fj5Haix57*X1HnxuV3BAO-wMxVQ;&hU@G1e`-d z+3!z(9x%>}05C3f=-)?x71q|mz>q4X)LpZuE-bj(d(1jW7%vZPqXBwal#m|9$W)O7*ZH_UcuBe)!l>yoU zO>3qDO&omx4nJrsecJIElkhF@Y_QaupyA{T$aV>dno*%o#W7f#_qo#?H`^qxRse{|GbmmLBP*F z`5GR7SR#I+OZY$Qm!IhRiLReo_@|uwZGOp5E&K!sQN4Uov^mw?oc;UxtHoLCStoSX=LCyAw<|dV^O;!Z7?lp8xuxIk2i1|MdbWRM zlmnv&&vU{YK|xVk>_dxlgkSeP^zY*2B9Fv{H>4! 
zAOv*uwOO3UO`q2fo9Ddm`ue*6zXN}QbR5mWpO82WYc%)?3(t^XLIO1GiO?~-aIi<4 z;2#aM{{rlZ>l@CGy|dyl5x|wrgS{CYGsCye5}x*GDw*|n?CLz+iI6aWGIcE4riw~{ zFVydJ?nIn+eBo>=jodLb_>QmqJvz7u#*Rk8(U`(Hf=NGb zzAgHFx{500^nb$gV13Y3x{cnCB^G00V@g7A^eUoyT>vz&@%6AO-x0LtiT+4hu?ia$JYGCHLx$~o2)%L6zp!tOa zj#JY$GpShtkR=ilkhitA0m&2a5y+&lumtD~sB!9PR_Mn;i5Z%O`k%mu0$da9y0W2-J=V%}R%QGHn=UB)b(kP1@r~7|XY1(d z>)+pWnm+x%TP}Swv^Ag{fSi4&Gk(urfi$a?;~c+}`t|f@_Y!>h;(1aJDNw~`-Vow{ z!OqR&APUlrFC8j>y``IP)NezcAJ*6j(p<~m*JfX=&L2oK&oN3s;eSc_ni-y(O}bK@ z%JpWEI>H{Na%q&10yR#Yhb%RlXG9uBQs;2kXDD*XWMp@9+P@@OEhS>A$D~5SXtDK*{#( zjB5lcr-TI5;9!eBLuoc~M`!8&7A(=^Z!VU^Xl*ng35$q)#ug1o!r$tj1pp+lI@AUF zeIR{NBvj2XpMyKcI)1B2<~q|qN!(do^80Z))!_yU{oA4Iyd!uf8~15svb+AgT5-Z1gFhu`#XFp!TFL{bdQPVR0#^uvs!fD zoK8e7AcIC@N&YDMek!6rs)z&yL}1^hnm%*r3kU#zh>HHAe*Oype6Hs=0OkAoHnR`U z04|04T*hzLLi|?9PV4QvpxqvHzTeu=3UG|TF$E>)mf&H9nFQjjviQE-VU9-GYmT;{ z<{mAv2G-zVpwFJooKt?Q_3zL!UtE{Dv6~PKDoUdVK5H5fzX^Y1>b_;I7C`*=hiL7; z1Zy-R=r2Lq{N&L86wc;hn*?co2@PUmAaVXJ!sxk{1*FYrH}cP!v!4i~hX4PO1Q7qv z2on|&g^JNYM|YU$)bYYW7#;Kf9KwE+lKd^pIKRHKK4)VvYuWxu3r6>V=h&}ry<|ZN z5vatR|Gv)CEkKuv&anTB5YWehM;ob6KLSUEhL68E0WnW}^Z5Zry4N8nAqf3Cl`aCK z$@u~jSm2mZeY4-+t^c1WJFsP+9oq$weGn9+>-mM7dl33V%bG(ag0$VFX);hl4i%*72^s`N>4ts*X|g{=8vjpgG6l2^S{c040_gLF zm__~OQ3TP2$M?|-2!7uheoN(f9oXNZcH}{M6WYSS3O&bweZ|cD9V%oV5B9TG zp{tMYv*)7p%NCIO_~)qJ&rIK6w)Lvu$v0{d&Ux@m3hfEH?;n}_cd#J**>wC49O(5H z3kVMX0`dEo!Qn8dbObMtu{H#+_AvgpwSllWlwRUQL%?iZ7Ci+C{{J#%JJ|jua}J6Gp!Crj!M!ft! zjDCisUtVfSSNwC5D&K~rq7pDDo#di3TJ*~nP7EUaCrQ->#YX%{A?bW@Sa`lCoj&^^ zHNgT8NyUZ4p#on&^S=PYP+^+W^FtzF;fA5}ZT4n3xb$ke23I(4ps_ zBoBXvo1_T;(dWE)Sa|-Y2<-ui9}*7>Jp2?Cgn>LcP1!DB zmGC2TkqbBeoOkyZpaNJ3bmYGqfC>soi2V@BPZ3&_{1?A1Yn}>~Kla|y-+2KB{Xx8c z>fMch`wLWIbDq}tTBQqv)H(hA%zySBrQrO(GAgdQu*O}U8*L8(6vNUc(#)qM%UB))x( z5{xeWbTIt;kKu~Yc-H^B>iquI)n6iHDh9rON3QVvk9YrYdiA?^;?7ej1pC&j`Rmn< zprH77^-13i`{Sw{nlAkb&Oas}R9+T{-1l!fhtUZaTD0|@Rr(u{DL}V;zcuEM3riZ= z{C|h#yf0_{T5bL>IG^7sNkIS#=r;w>{{|Mn`(2P97mGBX`zID>bl~)@{l=7k0F__@vqDZ&kYF;i-|61r4+~1VoBI=#e-@O$Q2)E2{MJ+W9|9#! 
z!2j={{7;e2|ANW>TlpfGz}Mw0Fz~1~jaB$}2%_&M^!G<>-wjDmg#7qgpO!EADPX^? z_5b!?wEEhmfQe9lK5T}S`ga6OoL=QY^Kri8CjR=s^SdGGkGcQ&0!B+o{S>f&O~3%( z_Kk$WVE?X!eLthW--dlZCY=)h@n!74P9^^I5~)8&`$zxH6PSO_lF)62_`fV--%jYe z*8%_Qf{nI9px!eYTs#~t1!@U<&L|2bnTw52f| zym=1%()OHlW{w(Q&_-5hbJ_vg1>lFIz%OM}PhCEaoq#~LLXIoQAsuvko0r~MhiWYT zc=W*b%ct0QJQ%khL!30@UyoEkt~S$WT^J!a5o5*vRr_e8N@xTJl8bMeJhTqcNUeee49E2PLN zdvo^G+%ytu-+~cqvXpatu~vn91BKj*9p8BC z7-HI%8%GjOtjem^yb?2{JLgQN`YxfOl#3SDi14= zatzu-V`|Z*OpT;+h>t%+|!Eo7B9x$jYs|FRW`>ThUNX&Ukn1NUauDqVa%j z_bY^o6l!0&Hrp5QxofWjHKiT4{Ca~!Q7IJdv>e`KCkUmURS^uxn}tAV7(o2uW3`p`C>R}O@UXJV`djVI8HAgSB_$Lep}*Kks-*T z@MU|pasYH%okv=~3j{?yO2kkjse${iO7-sip znZCQTC(NM;n)Bfhd7Amdq~&46HYI;vRGbNQcQ#ZpgfJ4``bt8rf?TJ@N>KZTyKDG_ z{F4;@c}K{tt{mAean2|&f8xz*k@lhdX-Z<3WA&qZ&Q(K(@LMB`&Tt7kkMuqx6tTtp z^3hRcXzZmklH?Mt5}x-|iES<6kRWM)4Mdp&?oa+agM+&k=j>{!tAVBQlDj@WRtqpn(_ZXfP> zBw><2cj#tMH;|29{C#4Bcm_^qcW&nTISM#)J5YptJMMat*W`}elD@`gh9JEmv&u{+ zvAhp+?$127`X21{sso){?XMB_Q#7)t<*XV~Fl(YF@$Z<#ma10Tzq@fX2wwd|ynwS$>dCmr@)Z+_k>o+JADW31Ol z*O7W7c+ZQjJcIiaHP)+F9B11Zz^~V$18uHQe@Nl!tRKoxT#e|FA@=2xTkJ~rr)Llf zaipPV8ikeHE^R&w;2$b^A{e(9c`70i*G<_NLQEivph|F*;X0_>%Z%<2<|&Juk4HE{ zmT1{P>QYVB?L&0=2l4RWhQk~>2GL*;|l?AouvBjO5oSGQuYx89F-3&HucXUg(3}xt6*EsWJ zH5;zS=oW9p@U>FZK>RJ`1JBE)$l8eEeJei;0mR*ms;bh~@X1k74)<8I2Rkb4?YWvR z%WZ1}#-h`MjY%JOW^I%IhnV}mRxFg*F8K_P1Npl+k997}mJXR9twC+HdVkj_3v)TB zoY)%` zjv+)^w#Rb_+#c6ygrX^)peXo?O_68Pd&=p<1~1EsgM-&FE;2Bt6%zyb`4n)g{nIE0 z3CB+c9K9G~j2Q(FiN?0(jd6BeAf^n}amSs0gxB(nQwoGGcln^QQ}uX_o(rOF@bx9` z_nAwX5}8A=*?nox>JZD@Zo1^1>QmXyN+^#{Drr5BWC-#w_bGX3SlYy6lOH6svH9L2 zaj)E|37JuCKC_y^k3EU`#l1Iq^M?ix``hDKmRNR#yXFyy!nG5}D9pY`(To{L*Or~u zu6I|pu}$)+4%T%d_1Ft|EbA(SrYW1H1b~9G&KHT;&VR#xP01I>=$GTbr#W$7PA_eB zr3eBQNf_e}N!1PF-O6@oxU=fRf*^5_|?HpV6&E{X^vLj67uXQS}M}1KVqv*I1>z2e{gzo&~X*Xf%gOI zaA@siQbrnvwELX@897s@sP4qj)2WVLt!$#*+|v@QcH;gJXnhA?%@o_a#DSxmlFju0{CjL% zWwQQJvBQe~mPF{w>Lc)IBx$KW6I&s{;Q3yRfmgp3gKcvmA3 zqj(-4T!b}HeA!*;OsNKp;_yW%)D3BkrCK&^_lQsTgkN}RlcS9?XKPw6Cf=;kQDq~R 
z$0gMVl8A}Oe7wO1tbuWKelw&H|o0itQb6A~}!%QP$-wdCV%)gbE=(9KNL@eV)`+Gt_eG0}mEP zIidcnUtOWq^6^SXyxX2nC(f^!W6z%Q$U@XZ#3AL=;)4+`?>XgSN5loKO$eDBp=ATo`G3C+TBw~DhB8~CM8N-NjQkr?=GtP7B zdM>HW_N^{Vz6c?P5LX>|6zbUYs&mJClrSy=@$1^fP|x?C zAvL&H!Fx_%I57|5+rshAxZxUg3m;yTUa<+Y9q`{+(=~E6aSYnTsfQosx1w^NM*?5_ zM*rS3Hwmq$fbMe4VDlj3$-GRgb$Og>^|8&zVuDTcgm z-ni)(s@p8Si1&roaevbKkY4-_qBV9gbJp70t2 zB7`(_2z3PWB9Pb3gQ2p(eUbUI>)URywiDZ4E`5DQN#w&RCV%N=OB#0tYM%v0#-V7( zy(GSjQHMB=-3{Ryn;17cw7FZXv4)|pNDWsbmJh@2G&ksw&Y@5-Zn6y80tSjOHxj2s z!;?a+W`&afL1v{%9y~LQ{hEkH(Pq2eo1q-&m}C$=X9+(?ed^BbE}EFy^8YtB-xU9KxR z1KhJi$evmZ5wB^v&I7rKY9Agrx!z@N8}eqMFz$FI@>H_+_8SfTNWCq4W8mlB-t`ER z%=7yajLIIM#)O2@OmBs@2Gc|zB$|+=#Ng|Zac1}~@hVdAKK}Yql3cR^QqAXp)6VSS*4Rc z?hZlv!PRVIS-CTyrBHZ*NsMeygHX$KlBkB06 zWRDRC4!;&ASjO&f-E~-w%DGE;t~}(f(NR=A2L7z=fD@Ax#AyH%D$Y4aIn-|j&hEoDV$65Mdqy=2rEbEvPC`05@B7)AKIQrKWX&ynGC>jgig}#_6QAploL;0V z4&Eb%idEa+st<(BV39bAg+Q#-<3EAY3TlY4y;JSsFMOD*;BdI!wovZdCeg>eTuq4M zC;jzp5CxrnnM7s^A!X`3F@jVFGpxsIvZ$i(%1EU|q~F4?Hf;!RP5F2v=Of~Bm-=R2 z4P;D2fF2}}=!&bjoIucVAKo{*znMWBJ$|coL!54I16**W#gbE%cX)2+4%ce!xO8~H zgR_aDUgnrPLB{1^ZFQqV-LE!~!0w7*L^mT<;FS-Fbktw+DeZ-h9&*i}Th>7JbtuyAC1L?ygOVvPIO)E0lc*deWS zi{=wG=NdLvB;LCWL#dQ-?EY{{-~rQA4N?#fd*cBot>xIS$u@SgDA+@K=X$)%^Cgy= zEM=`4a@=n0oR|ZFLA=#$0;B%t!Furwk(S!HZX0exlFnq{VKpgvx9}S$;1%w?Ig`8+ zOzR2>1y0hMDaLC~v+|4Y{z!~CE9Dkc%o)NNomwt33{xWw9f1cTNm;HzQ*kqkmd`6m zxqdwRF>k>Kd4!H|hIGJ`3~li?P4}g@iuRogIpM9#y6*-As$m#SzAi(l&rhhmeW4@N zzG<4bnjD>Mbihq%c*Y9p0f~_C>^Z$e?Cu9w9B}ryR4Qo!K5GIPEsYY*;xA7xLK4uY%mnWyZmm72ZWSe}+14%c&6Rw{&d7fEzpM00GN&`-E z@FXQ4_2F!92{gH~*wSf4#J>*PfUcW%%`HLcv|o}c95CGO#v;v6n94amJmtXdZarUr;YML-a5L(1_hEgTJkYKYua--y zK?=!I!nczpO~DRT^YMAV2eGcxGZhaZ605MxH;@eN>6|c=JL~J~*iOl;CXv~4p4DQl z>e$p=7hP$|b4()bxdgr94BQ2hnugdur(bUo%5Ug1?FDn=w9vlcT^5Nu9)B zG+8lpVRRFE@2jC`&pm5FaH00>ePUyD4~9!26oHDzJ$qoOS#g~^55L2$binas{;4sl zJ;#(Oc-7+&TZs{kt?ptOr?2{+l#Lf8SyU93sSM=;1(%zSbm_)s?XZq-C4?svBL?}r zhlTY!D{-Gvfx_%IP2dbqt)CD!~^Qe>z1(@t-=?iZ368`79r2R&&k4R;=1boER=mE%m8 
zPihrfQxMeJ2zkaxjf)=5ko{S5`g-cuFrWm++%K-rXNBG#$XDJLn(t{u?r-h` ze5tqNi=xH4h3ibR{6)PgmpXVI)yzKOuiUWlOEd&K_+-usYvK4)SggD zd%Iw6;|2m=eSCk5FTT(j*klBgw+9OxgMj&5U<)WVC9Wko;fNZ+2W*Ltn)Lmov^DPG zmIT|KsyVV2M+!Qf#hQ=Nj6K8#^Ga^TO_+y0Z5!NlA26(0w(nC4-HD4}Tq^7~!##EO zE-!7~o+;os7)azdB=E|36%lJcdX^Q9CTga>KsoVrRt_n6`2`&ys4CQW;7S!B(WX%^ z!yVph9#siG6T@??M$_HN?hULjAeL7mpJ$(1JNh0&h;Fp)^5L9P#OqtNcdCndoRm}5 z&e}XRIKU`Ayd%HkX?{MHA#rxi3aGV13&=ot^5O3K4kr)}%5pAd z+h>v$7KA^^tFga)ecBXTG*jKz$$({T4og7(!hPTB%J=LIorPFp&X5>aWu4P-cRT() zk-%G#IIdI|?-ei8m8DYd{l&EdpV+)Wn0a!q)hdty*;>XJ^gfPIG*!Gh$b`UiGbkuN zwN(UFt2eFsT00P`^RnT7((s;mvC`*Xr3c&(fm{Ro+UtQ-)p&PprA2|JIy6HT_n|@a zt@5U$O^zL*8@o=u8ozZT`2F@d5iYnnW^kiC5g*rr!6Pyjr#xy0q*l-Rf^bpupxDcU zVgyxjj;3VcbuKHkT!qe8XfOK07=cg6)BtC3TF`fnAMwSb*t#6(=AB96bNKKt7rPq( zcjG4eTZiw`KGZDGO^^dnV)T~(>L%$I{~UB?jsL>sb=O{VN7^NenvkeX$F^!`?&|-% z&&%QgI*l(~^xZ~JS9PsZh14bJNCu0VYmP&U?ta;%5RgM-Wu&{_s*GTZ726`LOKFHx zH3L|CdZfaOeueuRz&Y|sJ11PD3B)cHH%P)e9|?PU!?F#aM+SP2*Cha=em!lyiw>Ht zBA~~}jm!r;=pBH3T*BfNLg|<3BBsEyy5Qr9&otXzD$5xHQ$Iw<>7gC65RRb8h#mAv zG6F5ESg_UFn=U7^Db&>9;-8an`(Ig!V{OFPgol8ysR?s-Yaj7Q_O zjlyPKFQY_FYxl+KWZP+EtK`#j+wO7f0DldU_uqa-*C$2}y$i`wfG(h)y5^lx= zbNS*nk3LBJq)AbRNYBHstA7UYGB%LJR^Pg2>F1Wr9c}7`hg;XwU^9h_o0ijX`U?;x z=mq^lexHX(mo7ZF4S>Mi zJUHGYN$d6YG51bhabm0DJN*JU%@3Dd0_0ria#_^pk&>1f@6Q0UuXP&fecpgYZ)6*H zr*$d82STJr@})kX)yYSuNotP{ik~kZ0t+40dWUcJ4zD8^^+GClMfYC{mfNbn*!Mz* zr*Y?tB)nRF=lvTdvCRPTiOBpq}Y}%IkAyJ`;@`vS(PGtggV(5 zWlv|%e})4$*vl>7zm*Kc-U@pna|czoxHqi@-Nt`>XF=;W8z{ksE13|+<6v&P;KeMo z%VR+Mk<82uv&&P@4{na4|BUNh7-;YJ;j#aPdfV5vfR@UHg*C05Jq^PFted1DhwN4i z82!O>2bzN0NX5opF^*Y)ZJhu!edxL()3b?skGX>FzB7YbDS?emFTRyMn>F9s2Rg^> zdC$0P=YBA{$VM;+s-@g|AGB|5e}8rsXa@OUMk9XP?5{ghCnJV$T0@>wBK*iUNK{Y-Fv|uluil0TV+K>8M*kjUH5CiTQR&H>^+Nt>l84fdYOw&a{biF zwA`^eIx}eIE^t3uZ=W~Qa9{^IPg!RTyo2>%{erH6In1o?Nzi`H%35&NC_L2LdV-

=&?9A*hr@o3$b{XpxJ{~^k z;~sw6Pg<;gsoz1fqg*y;UM5xyvH0fqGH()huyhX$74F>Bh-);D7Z7FA-C4GD5@s3z zlS+G}LwdU}n{v~;xyETIv%Y16cx3=({E-xhN|wYVf5yZWbDHeF{ynM0KMqcTy<>t&B~qpkG8usPH! zg^|g@is(AK zYZ|m`M5stM^`*z3CFPI5d=bENi%pcFDL^}vKlfL)cwKWnDYBV+01je51tO?wu6z~dYlyjgYAw5jWxq*d0 z=lbo_LEFFgccQWqB+Pq+Z^%2cr9;R zB{ONM_2`_>O67=~_XJ$_{c8Fs($6bXM%P<*J0qI8P19DYaJOTAoN3)T?8HcVYv1FN zEvY+LU&-8PyuA6AFT|q1$V)B3>~ySJs>vyrszP*(TO;{)f7++;8qtx*tjxXn+yy>P z(^96|t{sei{MX>_dsGG)kOfg2?~rEo?DfZtr`Ht_Ucga$g=y%=OD6otjcQE1#M`mz ziMmDd{w9#X4@_&tlOiA%VCsT=6IX@WPNFp8R`a%`uFKeOf9&LlU@h$JaHC8bxL^bz zF54u5q%66=f=Ac64<-p#tq<&aI>;vpRcR@XX57mn`)m?x04oz0M`nPAmZh74WLymq zRmzm@g<)c{bZQNN>NKP^n8faf-a3|%dST2e7Su&3>ijy;a3xIOhV*VHsIUB1EvBNi z1wKLIRU;Ca*%Z%Tv+vD#0^o_SNe32TGW6V8R5rxry8>N*i516wV! zx^_DQi3P+YPWY}da{}WX9A%u{!F+l%lg^%e>0-vaQqF0Z&A6#CBYW1YJ(<8G&nv+3 zJ-cGTYycZRsc$uqOD^8*DZfhM$r0bp7;2)PLH%BZ4?fj|`Hgjjlo0}d;ygl>{aF*J z@kx8UO7fkg^p&RQ=@rHegP^*oGwcz_QZ@U$&Fly>O>eUDc9tHx(6bQ-lJ}oZR6&i+ zepxfHQM@PaQIqidVE7$@LatcC1E(XLVism~I`*N?e(&neg1y%}2=rEYj_dRkRHK^h z6VN`=pDr9(YURXj-(CIug#+TbNS{_;fA)Z#zYn<6>|i31T%SFVXSyzz^>xsxCOmu- zd0)C&z0k|23JHDOap5}-M7JP<-Y10f01{^@@oD$l^Cet?iA!4*K+zFE(6Hl>VD@y> zbi-i!Na|ZwEY^0FIo2>ohT|M=5cO+n#%_2xTFhDIu`9Q5aSnG!nqKL8yAH#^ELe_* zX@QQVv&=+W54QJy33qCkSo7IixiTHG*z{1YHpG_lbQo1ZFpYxn7RPMBFD zzAOj!0{ZYkOE|nx^zp=?JjpJfTd4Z|eoX_(nm9~o1EnNEro*hUe4@RWf5(xAZBiBG zgF!6H2dcJY^*3brSpiC;N;DBSc_q|ZNe{u)?B_a(PIp3FZS2bp%)L+-+8?wjS4Ozs z_2aIIp-Y9LIb&K~JmO3rHEaC(TK@zngRyh>PpHeXHMN&vHWBexCEp)zXKNUZ z3}s~Z+Q`h7vLwu7FN&kZuF)L&D^OTjehLZe68(}lpL6uy7~4u5IhCJ2DBYF=(k-GU z)q9=W{ng`~$^HF?AIG_3uPUO$4&4TIkeRCc)DRIv6*AM}i@Y4JNQ*JM4V^GPkV52# zF=?{f2CbcpCl~H%$=%}=&g{(gp2y~tY(o-S-We25HFMfI59Frz#D>k3&H2=wJj!Lb zDAy}|9ar$=KAG{(9kJamF_^l9P|Q{G7U$mA9-Zry#S4ABWrm$9Bjoz;IPBMjL=TgZ zryc7J12c(AQu)l~Y&qSzu@J3_H=2nr70{s`CFZ%T!4FlrhguGHgjk<&4{WjC6KZpl zWyf&SUQ3dLX_*WR^+fH1v?`%%BTr|;f&Q-OaJzw6K$}-*LN$^KLRI8K7@fRsC6C9f z4!9_LeBCl7NV-N)S(B;2-$140D*-ZC}GVyc>**7G>ICA@W$s6|qp^jLL3 
zqNX9X$v)9mqF0p+eCMWAljrh&$KX&U8E5u_X25)QQV=S9#rftabUb)2F>Hn3FFk z%ZzM5M4c&Nfm#(d>FQS2zsL?eE{xAkj_sl7bTm#?WV^Nw9&*iYzp|&VY+@j_yrtqi z%k3AtaDTd;~XYMZyOK_XytmDbV1cT1X>sWOeSuoZmkHpSV&tppnL0lHz-p@wS52y$bl? z`?BUiyudRoQJEwxP#hamDZHVlWnHd{>t-Z6I_Y>HD5tSu=uOD(@2=f)`%(k&VcLsP z=)0Qt^lx2m2a?s{f$_S^jHy9>j8+}Z87#NAa+lh2;~}yyti+0jCKwu z999`X3dBN`(LuUBD#Gg5)t^r!HG}dVa?6L{Lx)hEE4dC-kHvIJAu3Zj_;q`W%F9C~ z8@>7SHb{hfC^I!Vaq|FIr9>fI5I8%5i;Gql@Ti*FtEq6L?X@}SJou=hFRsO<_sI^w z%Se^6{-vSk@hdlpwX_U*KxIO-lDoMj`)?}sb*$MDH?j&gxY&{(Cr}V8D%m7i!F7W; zdhsY%U(tRhhj8gJ1p{V6d1R%@6XyYk$lCmxfn-MUP;1r!qp~{wgGQ+7^d$tn^Xq#b zaTj13dQ=kg&cf}RpN3jLf7qUOv;(S^d}!>LUh71+spN20PkgNUM)FH8%JxmF7eq&o z_BcKDPe>$AopNrNm?&$vZ|&h-q9Tb$yt`2?q6_Z`ove?(aWxZJ>n2$~F?dh0{ne(; z&Cc!Y2}RHVA3cWXm7HubsULU~C?lgi*jF`VnKS9y4(`ousID=1VSBw;>zhMLUV*L- zuJ~Tp?k>lotRq<>?P4Mw8*7^+?a9x?FmyfhBFKw{GOu#!x^eKwmvuD4iRL#Y@e(-`h=^>fgxmk z^@=Ky=6+BuE$T`kYA~p<4DkCfuLgy!l!JAHelf?B4B1F@M{ynt@L{%aE>4JPQ099HC&G==a@s7M~RNl<4fzP z-95Ebi!dc_+)W@>RjWDruL;s65Nd;hy2bj~h^og5<7QwS#rRa;SEAUM6z~GKjl;?*pg4uY){pVmwdh~l1y+SgkT@x=l5WkXI}8KP{uhRON20@%CBt0G z!?Fl|!<{cBtYYw)&`-Ez0d${d;X_$ioZ_3mQ;`I zl#zVgf-8lu)9pq*nS2tjs^PlK)Cee(SfuWRrqV4B5touV@#Hs6Y!p5f+pNw|9KjK8>9c3HsIjeYlKU? zyjfz&yn}5q(Q2PA$>uPVC~ou~D3%8WoukhO8iZ7a4uHHmF6n{u;GzxrGQ=|^5&8JW zXyyV3imz=xvlM$?)O|)}b~Ll~N<q#c_MX+#{lRE8ZoXLFy-vz44Oa7d}0Qc9tbRWob*nh2TFd2`&;w zk=WS^Fq$8w$W6C8Qk@cc#SyT3wMs~@5MIWbdyA+L!{lqq2Yzo?mLIxy~$bho2S8FrP7t#r4Xum!-Xf+^!GLRJN-ZOIeqeIo4_pmf*|Lmz)s? 
zOD#?^h)pym4)&gPx|QDF=+dHTP^c&t`Z)2W;!d|sk zhf#cM3)X>o~ERiHedYyBpsySr&dc+_7)38%a=;PpR-$$XOVZS0PVKR>c`__Q@w%cK7Oz z?{-6gI+{)oI0Az*$15J{JKMd~vI>ABaVpDgES@16bMb&O$r|P(Sk-Z)j&x)xaW#q4 znfYBxrUwzvHg0_4EtBPyCL=(moIJQFd0*<1$l8mfENqZwJpRmh@1sFzCD#S>98gqL z83gLZ2=$t!l~`u3Y@4n(c4jrBeLXIhk?r@xSeYJFF=)%xjfh!SIXNZUX`t9c@rPsA z6zrO~<@?t9WJJcI3~cUj8FG1m9?9le`j%1qjh8R!Io2e&cB0b>MQf&=`IqW7rcDsi zDq|0ZeX7rQzgFvp_#k9dDVCN??uZ4|TF?W=ia^|?qszI#-X)}vk_#c_l+dWMJiDay zOgHWprh(FMlQE!f`+DE{*|&1O*&i6en<1Ca`my$*R!1Hl^GLH}pZNY%amEbt7F?z8 zNUi#CqeJ3&hHd(!*i=<=YkqaBm(5fP5`Nr5HQSeEP3o2i-U*Sik$yg?JwqHmIP7&i zf3$2ZR)?iwMz!-KwdnFNL#4n(K#M-*HfUNmOZ0AB|Li%W-;-6^lI7vj z;94eumz2s(MKA+l9pT=dZ+PGM1oLgKAskZ7EV37+^Y<(6R*j{~VcUNc(dwIZlG6%A9} zK)5Qy#Frd|SLZdWI$%wVKtj|jt?zSHi5ylprC_=r1rd`(MjFne3UA}hii16Zp1G{w z?WSa7wl=x?+*(belcp_Wa6QE61I46Hor|8ucbBzI@;qc-3JbuIRuyPQLqT;$&oc}~ z45iCEx>7VAMo`ra7LHj{U^uG61LaV3f3vEsJipJ*8B=h{Vt;z5DJ6S~*ecq1&UrjO zy&3s<<8))lYn_1#FH%BwVOXE@BaWQOX^Z<)rYUzlMHQB5LCA$WShIb$cl7X~=^SoOGF zIn<`ZI-GkPYh~_vV!ADM3~>0VH(6s1)RA5mOPy+PMoyc?YzAwKNk{|uaWxWK%ScB^ zPkd^6Z1cN5f!Mc`ZNsm;`BPhSeXhs2v9$YbKj1Z!y^vK~{!SYbU3obBh{-q_hUHof zi*J1Zt3lSUUD3wYKN@+(mxR5UO7JM!%5*;Hjb`QU6+yTdE{#-;Z0;AvCMNn=1~jm% zlsJd@B;Zf)_F8E|+)5IWM)C4=ejGSz`WB0L5m1!5NUK(-ChB4k?(Q*TwuAY_C)xcpgDYBpEtt-$J&6z?t`yUCrPz|&6~Z?&6OGU~al$u_SW9h=WZDT=I z5qR8KMg*aYTV=OiV!A5qMoPFN$&GtJdAmPb;B61Txz<33l?}r9Ql+(Z>u zZm8m(ER&dZIeO(eR^(8}RdvunxL=Q1stK~<1*HFjwR7fH^OprGW|yWZxh45>=H(G^ z&dIB}966W?>-GC=vfY>1ubH-ew^uUbs0xQN?*k-@JdlaK;-vCqncVSD>)%dRmL|SZ z#2#PibqQ>RB3;du&pqJ{AXymImwgVwulBe(ZOryghL_ zN6vNasYz2_2JKbT2jAAx@;tX?%b6^3yS!^zNht`FIM3?JrDpMl>?_(ta+OhLQqChb zC~UaP$X$ZR5z|uy4|se8L|IbL#ATlsmicswd=&mcch>#f);r_bqQ#t`epQ^wq~Y$# zVBWnePT4jx16+8?X350sMRz$6KfIKg8pn3aqp704F4ix31rinYVn2*2puwTdN36xt zG=spLK&2v_ul#bPaIiEVROMT!YnZ>OOf%Oaqvg>AVu*;XhTP43+!;U%)*ePAMZ1~~ zE@S#da}PY*idd0qQe)+AG&H)?DI74{Yq^3I_Sv#pktll$s-2I%?g!6Rc6-Eh!X`XM zz+sViq-hp`5tW_TJ+2umc)$(ONzhSFy>Yq4zTui&ut>}sMC5Dm;L^L=Qc@4B9~4fb 
zrc=XOKuPzTL*l5%@!FX$y&ReQhkqS)$JubhQiG{1!rpR7|E&R6OSGcpRZPk>AGeEH z$4G7s%8x))?2|DXNs4S)q7ZcR6`?tww7JefCR-)*y=FSZHBLv>+nL#9JG&*;^wb< z?dcKMl3Q-8rv`~8iZeNbXI0u)Zayf!c8J~PLJq9$Y%{iXPgqK}UMDtP*CtZO-mc;q zfzpNF!(CI@H`Sfq;&;%5)d?L`1VbH@b{T~CYx(7j2kDU8%jOd2E*lu^LGHnC|p`_=wJ;xxhW&FGak!-DIdfrq1-*pyK_ zOBR>-o)vQQp7Mv;(blbkauHEZ1-f(Z2`H0nQ{C)y)b2o(w}lg54YkxP zVR2dlSmUg;V%frwLzOzY7oPdFM z|9wVFPR3pE2yviz;LM>Oh-LRFsj-Gq*rO*)*F+A|*Mi zW$iL5>BJJS@4Td*a=7FkKE5^^KjsGH$Mgwkc1D4DfV$jNyNXO>T1!Q8MYtpH!$%$0 z1@-$@C*D&^JSl$K=n_}+s$>wY9#JC)=#O^!2kNXQ;9u~gigj$?Z?wBkwqI%fW_4ne zup2dcPvn;}>wU+Q7A+PW>65P2yE&2Q+Q#Z>z7&h`;nu_PRP-lmmc~DJnt|PCP zY}V?5m$fdhql9i>Ez&)08-6Lw#W%gaNHnZePOYvn=~mqH{7sg_oz{=it@~uP-uIo*YMJm-J)b(z-)nRMPFTSl^0aE7|5Idz^i50w}ap?s1X~;MMSJp@=x` zn^Zjp>ixN{E~eK47}-jfyEwlb+GyvkUQgVrh&W9i#J#qrNEij<&k;TNHr2V2Tre-9 zcypFqkbG7QziTGxREXR(5a>q9aWjq%nqFdpo4|}(W>1Vwi8{U9iM4ibS1V!Jo_fWT zSjwh2-iN^6B1(oimP@v>W&g?&hIC&~U0D(gMR+yPWz-w2=lW=Q3%{|6WB%lUxV}6) zkhaKhUMcEh8t=(!Yuecg#B3#Bge9W{R{^{4MRj^v!#?*n%xxQ1 zE?#|^UzTaJ%Fm1el(j8Ver~1GZ=M56kygxRuU1=uto3!) 
z)y=eIKeaRpy=l$3r`wu>kD&UE>Tvw#IdfiBfCgD`mWgFmGPLRJ2Ge=S5GlFLfiaGu zM4twO43Nw(l9C=;H5-alf;_vI#j(!SV9F-7Ooxx7XwF}Y;51K%)ueWeJU7B^8I;mByVmob?&3P}wA?Rvg=E1|&sd+9F2M$ms z0<#OP1+!k&VhJ zj!#;rAN5r1DE9vNqNc*MiDT@<$;k^Wh7gWVl{foma}}!hn2-!dOINzD8d#N7k!@S< z6Z{(5`^;WimSJZ37#1Jm1*`nhJyL6S=|CAp786K=@=+he&*FbP_PM@oEhxrNf5XiH znO#)bhzFqZ!N2-OM;`5zt#j&3XP4_3b-9FA+t3T}taSe$cW)UMW%q@T4j>{RScFK5 zAks*efLJur9ZE@ew*i764bmksbPgRB(%lR&O6Sl$aP}zhzUTaZ*Y%$B^?X6EfqC}c ztM=M!uls(0UgrEik)NaRUxKcRb;G|V0`wbu4IDaxxYW)`6#g;Ezkd^o?gSAKEP|i+ zGCdCk%6%yAL4CTOtM_gJYfQ79W;tKbATSZ5@z9jOvm*El7E1o=bM6cxRnTfz z^tzVn>>&~|V5avOKAyMM*~y`&?iWdZ`iXBSo}nXTx1FnN7~JLeYz7O z{4zr-N@}tEiL1?zK;l2W7l5ZA_nv%P)v2Cn2!O~;#bzSU<#E|J;S!=#aEZkn^r_d> zfotE9`JVKZcizC|+w0fUJVcSM)tEOBagyt@QKemS9`qCdA$)uc(_*y~jePsK=tlWYC0Z{N(Dmlvc0l;~}ulBUZ=Ql7vW-8}`z(3{-!K9a` zF~Q;|$oN_Sm=Aj1S)d6(0C+}!C_|c5jh@e_HInsd9e~9Q0$)LcDC1ifh}U^ln^fdr1sGi!=<^t%@>qLV^E;3k9s}@7 zhJgRW0p+>~&4Lf1uiIph$_858q(J51?)+cC(M@T%2#w_w0 zx8FqHG_HV~e*1^ob#B{m)Cr(uq}n zc37g@B6J7bX%2%f8-37T;r&V�_KpUgzy=yABSl5aj#;EGwr17u$Ws%BCH!~6P=3OWdTUO0`%t4)csSpML3sr%9I%>P6fMaA7T%*3g zCt(3F$xMPfL=%j3ecU>pdS5aM=H$nK_;P?fw4)hSNVRjIdUykA$noUYqczUfq^(d) zB;Xxj=SX0=8iI8e&6~jr0}~=|oMu}P%=_4OB0fs5K0`BerWHZM$vb?~>V@PuT|tAU zpk~4>ydOl>+sMgDz_UZn=To!M%Dj^5PgRmzSU)P;CG!~|q$$0D16D7@pP-Q5D?wbH zHd&WIZJ01uC6~lLCx^Ncid-~tfK=E{J4u`yo2PpGp>J))eX>TrLkr^Jsfe_pE%lHf8MpMD1Y=v|-Tuw z^dTP*T#)9da$pvnz%1@ptot12hf1bu=Hc<@k7UYTCDLX*>fOI#2?%O*`Cfj%r1mb; zafE0YC<&}$h*7&w(55(!X=f`A+>L?*mRup1NoN^oy{hsupTbe80;EiXDp*vm(_vwb zYiN$8rG98c?#=#Nj)1GADrcv!s*EZTlb;OQ$_mcZfFmJIDaCmzm~RwZEY9bwo>699 zWdr-JO)yT~>GtjmCvIKJ6^w*YblVay%O}t?q!l3>WrObYJJbcSrh|ki z8v0TeBVtfpIul%-Z@Ilwb{=<(F?|FkE7bAM2roaHRcrROh)Oc!5gxDQ`;_eg<$x>_ zW}m(-W$Yll-)P1jK1$`9uV#Vspo3>g_i#EwK8^(t^AN|r&bhkrhmWbQv`b`c!exqp z4_n1sql?|AuU~g%s~U7NS2!gw{VIzv2UI`dzkaKq<`EL5ATY-H3OqOs3N&k?z6k*F zm!Y)Oz{suie8&3TRc$P}i=!4|=Jn{dDyRLKm>R~6QDHIGn~hLSxfe;|obOaeZ}W_h zu=}7p^2#knda+eTZ610mL$WfZxVQDAo<~DT8w20O;{_)*7{V(f;YaRjVmz 
z4A&V@{rQpdP6Y*J;{v%`J`;kdwlBvGsCo!SUQF(S&6gLw%2Fzx(43Xbc&ieStjv=A0G{v> zP)8)^nt>YPBtUu&`u7=QWAh|tIU^_TUugr@fzK_w1NCKm!xo@C!?+RQCZ; z8dZL1{?qhUp6*lyni)gXa-y~he+85ZUsIfySpG*OP{pyieEZAW1iCCYq39{2cOz2b%cR)F0}eQxwqM1vCA0Knu03X;tY9%<^ zS0upd#RWMW&L<*K0iIg@PC)cbKx>6SUh@B-hyH&huje_+jGzr6o$-D8xr{D-MmNuU z!V<{Nlyj+E41@rvIEEF_UtU zQCoEEe@zh3aP)vg-CF7DS-=6(kVpo`abO|9b!Hq_&3w^0Ihxw8?&oiWmKEvNg+dWRpe4iN5!oxiiLvUbNSUXmy^W-`;BK1D2{% zs8ZH{D%t{c?eiM768)zf0ZwTI@FU4Qr1*#Zi^da#o`uqx_VZ|#jSb+{R)EKm<3Cpd z64794(TV?BNeVdaqcgbwoFJ!B>u`7KqkM42PF-b4JcnDAps^`q&q9yS#mI=4jcGMp z^a3DQ57s%)s|550D3~U?FlU+f=syRKJXe)HS%1U&$%R{yG_biLn{U?AQ z0$h*kp#6-?NtW#oeg|Ddi+l_o8qU86KQ~DP?mZuJ9ym&VVlL7em{kX3M&D{BfSH(3nV#`!Z8 z_;D``Jd@sTxXScw@{M^GBPHl$npv-2nBq)GkpGka^eYPh8Eh{OsAkHwbi)RjAw=SsJG0+g=yH2m^`1P`4LuEACW*fw*ut4i{9YIxg_Z&%Mv=NGze zdUCVp(b?itnz0A-Gz*fIZona#x+UrU4YzLtns2rVdC;EkWSKt$+RPA0a3LxR80}&(x1Xy)_>DJU}rd&+0|i1z)G8i zdG_UdzLCpBRfra&S1PrT>< z0lu~YgQ*g(hLfLJ;nipQoe2VipgIR)Bk$9HSqvJX#l?|zjtl>Kj{~3~$G}nEVzxc@ z#WI!WKUG30py4dPi1>4py?z6YMm~jPMi1lju}x9(Tj!w=)~nR(fE1kG*D50W4gtuU*Q=#1O{%DC7kCYVl;jr{|Grta%lj1 z`L0~TtDhA1K>!4idST*0#d%mZR0UHmozOlHpqJh??yXOuOCr2h@XF^~{&MFwSj7Td zqAk6x?p)2b7n(j&nxosW0kPf1KX}7G>+|JC!{yHLJ|OD6Ai4>k%bXOUjdeA*y@Q8m9bD*%k4z^C>O zwq_5i<^V=qx=o_ffQu+`+f!Vs#Vl_rjUJ^#Qls2=(xPCtcfM$v#nt|`Qr~637Twlq zn?CecERo8-y%`lHqXQMievUbscfgml9_qljL5e{J72mNRd>zH>(TmA$qh;*fp#l3b z!ep&80o&}I&Ka{nAsd+0%Iu6<)vHP}>b#{iMoLbOouTHZDT^f$+N}_=d`o#qe9~3DHf&6H;&*(S7oFF{?)KqsPidK3M(^dIB?EIe0I%sgpbQkkzSV ze94;n79(b5_vI(QggEUs#1Fl`Tf}qQn@$@N)OF{F9cDfK#okDEHfF(|o+UWz;AC+iWvvM%--Gf>fOE5L zA^qZL!lwQr`G|X<$yG^iAV)bzpVfJ+MU!`;Map$-?|eJ;bpc)^On&Nxp>3Fem;n}c zW6tFvoIQ6YMpNKnCUm6wNe+hZ3e7Wd;L0yu@3^jF|d|h z!I3Zi(RM6rt>rRcby$&SJ=0q9!8DqHe*DRw1SdruY&L;W$sbO2Cgz7dm_PYSG$g?| zy*7ux+-yv>Xo_%jK$EYv{lEsGm#NmiYOj9#;yp6-=p^4QSI1s!tP6j_DMulLBWt?+ zbix16gLR~huK+MMcHOId?q4_=dc2Tsx>qZtM^(V_TuyrrpGCWRbmG7`P4?4zh0q8_ z{?eFk%@FHRfWX;NJyIP6q3c3haQ;&dbHV)9)K!-3CvQ(uGceXECzw|Z;=+APUT{a0 z&Kh^)GgTcYm?ZhKrq 
zdp*iCoK>fIlqs6sfT6yk&oYgkyIBbt@)@*$3TaI|BYnWtx)(db4 za=t}N)i!q9askvrU&14Qn9x|yA@}Gc0itbwaPgJw;!_gkp0h;`nk@xEW^8 zFBTh5F5H!;Fo{XBFCjR3L3Hf|fQ zMKWq4dc083XS_?f97I?{+QNg22z*=oO76E>eH63Ss36sF|KdQ7=D%ku7TLH3jaW%o zOTuc5PH63_A#Sbq904Qm-t9D=qbQuPf~$=9nYl5$z+^$;uTZ5J(6(S z)KjON&S}geQ(6hKdRF&bUWmH(03{R^-A6!2?=K*!pB(U;yb+WPEXf}Pv12}lE7 zIVy$!%7I=&{}?_pm_K#Q>$2BSQ_y#o?_pek5nZxs@1B~^gqcjmG2RDMSl?B-*)=O2 z%ExyPIM6n|GMQ7q0w^te5Nvry0 zdHG~b0i|pt-2986r^`=+U$NC^WDZ~srR4CME1F(Y5xkuSg9 zWs_SYra1G?OOY178k;dAhm%2emmY*z8RwG^N!)x3VSAC2CScPy+u=0!p<(2=k@>RE z;5OI|HFon~8JI%5yd$X zRiumWZatMzDJe_ox3T_GgDY_Q+gC6v-+l_5O^L-<9j+@RuxD6ua*-Z`K8;EfxPNAr zfQ*4iy}>K7d^95`IB{P-yl~p)%oI`#@!K^j;S(sc&yOm1`s?znI$E(`gLFJ41sh4sEVsQPT>Rw>-zkeFyqV=7gB_Tik#v?DlkVRx6p+Ib1&B>iwhe!G zB@dj|PPlNE3g45&TpF}4ixH(VJIT{9F>$mob6-*AnjB;BY3uG=ZzT5~E^}>L3FRfo zcTLwMt7eKh4}!n(mvw7u`LG?!!5s(Q-LrK=eCe>C%Ey_%@soia2&oq5%8dXsm299D z^_ZT1w{!H<03avvoCa+z1CNdp&U12!Cn*}^`IggqZFw>yCD7W0f6lS=x`>P`{=*w8 z=F15NaT;xYJipzZW5oDAo9S_WHvBnOdL`w7bMc_8nF%6L`~289tf;>*`61t8#7@;T z-kTK9N}-{IAhxKxHKtI1bFLF68_%bapSUP~E+LxGl*TntlQD$oamiE1+|i72P0+nR zuR84?yvwWO(mUqy(7a)Lxi*CFhe0lF!$pSkMF09Vm)T+fQLV9tm9p2ix+QtPqpX&{ zbGVj!d#Ck-{AgR(17kk8Tf;U#a^tbwkNaoFjE?$%Um*X)XL4NAhSV+o{_?72>(yKZ zjF{P}RRoFfmxDX962gg|&M%;*fLn8>$v2CST(J^{?Dsqu9FU% z?8d>ikn~}s$~k4h1c^n>QZbAXdy@Qr^Df^L1EdVXGG|oum|K#QJ|i^s6-U&413#J6 z%dyv=NQSi=-FxiUuEZ49s;n5+Efx{Z_~=eA&EqGpJksaA>vK=4SKQ$*knTHGCT@d= zRn&F6tEGOEqb4im4NGLo7%F1K5{mji4#%e3#&I&9bi7oo(SC?+6YFXnYc*b@BjQ+ za|))AGj*ui zhxFz&$MGF+Z^@$i>a#I(e3()|$q)Q<)f^Au7bs+Q63;C0WwVrFslGbJ&y-hBW3#-r z_(eq|qgQHwjyj7>{;TqTzLbJzDC7Ii-lX->l`YPZ=ZBXm!iuG~l>Yq(*_e`ewWaIQ z`z~`{P(5gv1{@8biwIGUsx;CCBec(mTKTA)>Q_j&;GH%zPH8JV>Wm2vg^LOON6Xvy{ z$)7XDbD|t4*6?v2I`ilgmrx*uo{u7S2`|C+DalAB>RAg(vq#>Oze=YO#;YybxHIC6AgwAjHDz>MuaXSD z=Y#)d;)9wuy|v}&ohT{N=++GUcmE7vSzH^%# z&=gkFRd}qe>jEhk)beHn=>>dltd@6b^OLWS5}aWVpB>UpgRmt;h+2KQJAwjeuv$6O zs`=OOUlvkJs@TfD7nBgbUe1!Sxl9sEJBc?erUkYCSm$+V3?1YR^Lj4xGCTyQw5jDY z^olinA52n*{jm0=eYY_a>OK~w1|jW?PaW!ap4nUX{;WlFJhpJ_gf&6Yd^|_&E2E9~ 
zq|i)`UDW4+jtU0&uw&!j>4&4I-)mtqp;vfOU2tfh!Hewr^tdqP)n zR(r%KD#2a*le@dwPzam$ruW+1NlVel68$q6SB6rl)GxEAODgCksOUdO3Vqhj$m!k4 zl*7&OA=E+(-1qx)v7y87pXS=BG63(Ls`i)?`0%j`0!mLlJtX?EwR@}}y0)s5lk?SO z{$!+ISN*;umELs@o?4Cy?p&SGxzTb#w1YcfU)-wIVN$7ks##XW)05G?{zubShw$dz zsE7Kkazuzg|f%DWm78gs7)V{A{)@*qi6*|DC+{qxzq@Ur+>dzYw=9L$Mh3#J;t+rwF(P$m-uNj%K14k%md_Su8(+T4RRl z-fbwW+EK)|`BjNarE^qlG3F={H^@f+j$N36LiSZ6P-ti)-qy|NaGCa(InuVJ7^wX*zg6PyZIRV1ep)OR zB|3kL;p23}jsxqbBCMyO?w0~0>yCHx5pg`7_e80YzJDMd;_L0rZibA3kyXrEE{O>!=a^5ZLuTq>}RZDgA7RzYt7@4c}d>OxKgK7PMM-1tP?(elq9 zEBNYppC~1{xu#FI#H#p>>uO+V^IN^f2+0qdJUNoCF3Y3UC{3XHms$ZxDUREmnINuA zLZ8@S{?8o0HvkX&c|!5*PH;U8RYr zDTd>)RX&v%C3yk*f7A;1)RHzGEUD|quS`ALV&3bar#)E}Jl!ls+Q~-kW&6BSSm}Wy zt-zI07|;wDn&EgKkc;ei3as=i8QOKl0qNYI*_CnosXUgh6Ktbg=m-L`*lXtQ{J!Ac zv~5;vr^^+h4 z!bXu}hPFO^;(0f7d()9s-YVFaZKl9K#*rgN!JM+>Ng;1_!9Nqi_WHMZAKFlD@PIdN zMl$>0mo{qFF@+-V;3KKfvbu~9{RKn(U!uBy{dI~-v{OuOl0$oggh#~Y!BEq2DA zt5a6~>?ENaf1acK@8{TVZucI;tQ0p#m#%B$Qr7>O#yZ+Y*B>;5-Acr)lwd4Ge_f20 z2~57dv;h3TG~fOshbkR|sto%pRhe>cE~tt77os<5F%R?#Ji4quKh1)$DYlx|pjYtz z&&YZI9@$Ij&cbj;OnJ?n?Y(#l)WLhOAw^3#J{$u96Ug%g(Q^ptEL0UjYV2F? 
z1|lx;e1B%D!|I@X&Olx~XtY@SYopd^Wh3{4`{#)opGdh{s-X>90o(_^NOA-}NYr!H zu&-^r zo4RgFY|ILypli(g36yzeVNP#%OQ4Rw3KP5}O%$rg)If1^Xsxk3;??5hv_nKM=(Z&f zb$B8ouu|67?x<0cz(}d7&AcS)qSo2!1j{=)a&L*-&QqST?E748v2T-@;A*V8KRq_7 zSi3r0oX&}CSpd-+r^SBN^;&GsPREi&$RSmvluAK>#NlZ6sYTA-1NxkuPk5CdSvk+L zzqh0}y~Wijk)66!FUp%K6t{yaPW`mQIZBMy44EQYGoE=O`8exw&T1`*lyOpnrJdm> zy6TMd(lOg`J7Em|Etix@9lMh?T(kovm0#M%+8ysxh-Qgnh@eVl4~{RFB>v=7S6=07 zV2~wZR8S20c#1^ zba%p4$H{v$YWl$mW>twc{ems>IisEJy82-VTUBc95*Y;|S#R-Ke2!GVZYJ6cF)&YGkuT+mT+lPU|`W+#0w4;`;fzZcN z6f%%?0UE8YMO41@)1*bwG@;7OVqbrS z60K%HcuamFqp+-UPLAxw2fYCCHUAxHPKdMThxqAyzUbJl4G007dMoOxOQZ3X%8FI^ zx+^DyZ>eW}W0aY_)r8ubu#$zEk2?4>w)WVPd9&xECaJ1G74bw>RPE_PiO>rrl9#*e zyb}0YW2R51p~W;Snd)2m+JxiyZp{#j!Y*n@>=;(yY1r6ZEcyCc^d6>g*qDFfktI5!VIHb`uDx;jIhQPP2zf7X>%G9v_aimM%XZ!a^i?y9IXp&9@R*40 z>AH%^&@pQ>x;qRaxARBGjgO5n;MtN~M$1LVC8kq2c2WrMj5gI!5iII(=|H_O3R-ML zXZy3JThF(C>~u{h2)hOks17AzP1kym-qoqu+ZX6<_-VOu5Z7fmHM(oqIxHq!B$jN` zm8Uji$LQrM31VZ`Ug|M2DzMpshYeGS#xquS;1I%&I^&O1iT%F#(E z>c|ftbdpxvMfg){SX>TlW7p=jF|q~Ps&^-O5nD|#N~5i54N313wrur|UxEkoee9Cs zetdL?%c;qP66Fy1lE-dc$?SMk30F!T*F|{0?YGMw=^X5nD?TjaDM@~-M;x?|nnjm&#yRk45q;|3rFzhj~Qvvm+Qk;n;=Ox^ z@p(}Z^rvM!vY}LQLZe)Kwmt5yr6BwTOX2%(en#UJlOBu}aCLdFy<;J$Zf?DHXhVv{ z#G0?i{*O7ujHi?aPnvO=iw6WN%vpS-8t)*2%|#|k6goTH>sj1Qaxp%d5<8d=l|^fh zA>6p0b#hwhUx_{GPv0<1c`ygpfZ#kgs9(Z%xV78N)gp3uRI72fe*AY7xseTG61>2t z_9mZ-+)r9ljG>KcCQieCWkw}fTFB(Zd@15fg_yUF1ZxitRBA3Z>_|&`FZOItP*avi zPXm__x(8w+O6N}4E~=2-U6PPm@SdghLin=ux6)$mb>XHTnGH^`UuLW4^i#})0)KxQ_5VHplzGww|cRx`^G+MK#FepaElC`P@H8>#< ziszT{%lsKc8NquJbD&GbE$Kl~qie+>cONL%mc_;~x>d;WwT>~z#QQ6N?N~;u(v)z; zy8;693yPy%v91}bbmT42XcGJCpCug2U4QM$7O%eba#>b}M(&R31fE!}<_vpuGU4$n zxQzXDyHUa1?ocE%t@kk!IKY~Fmh?Mp8$FMc3Y(lKECMB|f~=cX=I%QBcVJ2r6MGqD zuWTIqu`1C=Y8+~>?{HB~WnXm#v51MvWawi;uVASUv!aaF7p_lu9Q54Xyv$6(FS9sm z{yb21VO1r#gW0hzq{H>Yj;@{pLT2A#m-?=`2Q4v(V%|gDp56%0yH_VbWA398Yoyhb z<<=K>>(GD-e|7jD=+i-C+MUAQjx>^(J_3BpD 
z+j3;Q#%_Uiz(c(D_ls)RzwlONul;CQTn3j4Q3U~}x6?#ay%xn0!i1dqccdlPZgH+Lod^$obX{g_nMol-NtD=2dovv%wk$kb1PD&=9#-CH z1ke(1iJ8U(zS{bXpjg2%ZIf~jul-v$lvqh16jRhZw$Uw}pPvxFC&uR9D?f}4BMLxn$)`|!pp;}-4_uH1w%+=N=xlu|G4M_+Wka$IG!YuV6U5 z7B*dz;u8?_v`E%u9S_0A<`r8E!DnN}TIHd`*5`UG?E7>mQqtKFKc>!_Ch^_VkS>jv zV$r3aZrYe6k-dlRD8xZN?wRY3$}Bt-K3Vu_IPBxzyUbURl)SS4P5axMptlz*NnY4W ze382HemH+Og{U+lQ`z;~Vg_alRXwj&Hl*`Fr7%>_ON7>3WYk{qDLaEtIvWdu<90=? zBCRYR|9aGM5_zoiXcyIDt)4XLLg!hs{m2!C>iXPFAM^AJWxftj zE?TUa;0Ic)@*VVMTisrFwM?W6qM#W3ubn3Ps`}B^=%KEPKDuKAq({<)`BuKe;T%fRuSM}@tezun1A79)Pu%Jw)+U|Bf=tNcMZN^ z7D%q-8vah-Y@gNmz;u-v?^Q3kbAZ!zfjyqsnxTuFnuV7ryuz}ZHDu;}#V);mZ2xFr zTSQg0avsUhl0(AkqWF>W!L2~J<;2mym+Q+FlHqO{<6U~^uc=#AL~k3ZHxG= z%T*8?^;B$=#@qaJTLE|EFm1m3Xq8*}6IEtQlq5NW1554x0rRZ&yFl%i`s!cApG;>A z4JC5}a)(x%c5l^vS zo9Nx{(3+&ZK+N!snfyWgyQnJ&63wX`abKkod+n_4i^DIron#aJjM=)qIzQwpUhby6 zjIeo^ue~8|+FP4%t42@ObVP40{liDdA`imvGd0bS#HC?Xo{d?Y=5w)O5HSSL)eWB* zc8`A)KNy@#)`mqMcw2S#@cAKh$uk>oaV{To5RXkg>~XP|0lb=GYn1$~7XayeQV{n3 z@c0IUTr;TeUCbK`jK4Yl#b_@jN&M37i2*4c4P8=FmBw;RJcPD%R53nrqmfL7ga=c8 zo<}@iL6noMd21C0sbopoEFOdwF984e(sy~Rgcq&yw?$-2tBHfPW|{-!C32lAVkgJc zZ#a@q&{TE|x5qO_vxV#GSaA-TLqzb%q-={9xYll0<<2$I30RQyFKNN)Zcrtfdm%}E zHhVKYuZAQEOIult-G_QxT30@WVgD|9u+#qAaDC|F&LRuD$ZlECB|7|9s3w`d^*(Sew_D1i-xxwyJ-(f+# zY;PKZWi+fI_uC|v4)R-}Ep2&s!<^+tCwbe9O(XvA1pCe?&293wPmCu`-(}yX9eVA8 z?6?{^N9oJ)@cX=zvCxluQ%y@bpKJt>76+Ooh5}sI>Ny3UCWD&DTtp~TCH?d?qj}|J z-0fE@N+I%6(N*@-2$7BUcBta?@87-Irsn(mYqvFEhN%gly>O%N3$;9^jSr<)*S5OG z3a%lc4z)zKSW{OOd%o1`d$opFwII2iC0e=~t7bR0HdmtB=#l%R&G^hB5`kU6(6YWu zVv#t?&CMVJ`61`L%}b^ckUUsybm;-ZPM%HO>UYVt^xzAm zhxKEuGfb*s%u-PV-)#@2L@s}a3*9Q>PZ03d2%MdO%JOY~J$l}2H!h3Ycuk_*x`J@F z6rG5+Z_|R!>i!y)=K*$lIf)95Dp5CL=+@DwbZ`*l9zddmR;t^+z!-T~)Cy5BX$FJ{Cnz9(l$1q&)}{g$3- z^hM5$s}#1b-}pJRZW8@z+Er5-gB_&Dn`x>S3sfL67(KLGVOvz+E7N%EV6Qzk2MCLg zkDrAcGlm3tH;YxEFh0Gl+Q^8BiTskDiC4rhj9Fk?%6r#fj*Bbn0^EdG5>{G@^D;z* zhs=SkvPi!qOlh~w_8Zn}9P`W)yL0nC=`>%gI&#(1yCl!r3xofb^Vr=Xf>md=M!a7t 
zzka+LIG~hN^)=*8+QYUGfo=j?pa#u*^QVIE;yyY_H3%Am5?n*H1>ZD?0+mpM8zflc<*GIT#;Dn! z{qyycSBT3ARcO}#)DQ*KAaf0k-qu!g-Wi(dOjpzKxGOEI+Ha{yvsKf$MmOH1lv8#- z+_J+@tM)GL7x*(?pS0WNcFdTp@PPOew&;Xjz&WA4&@SN~&|S=FNNG zq@|`Glaf;GJ0I`X?X&mDrCn?&(D`+J-|J+;aNYGa@@wb#f#l3$IjT+|y^@zZwqlwU z9CmGpb`@))6|fz=;}vGM?9pZ2BrvM1d}{k)4cITu^C6wyzK(BxH)LuWEHgdNer%wz z*vgP%q&nivw$p)Me3{p^y zf^6Xmi*oHxCuxt#?8JkWb}Mjs#s$??Xq1S%JuNa@6O9c(c}kcR4{=1Q&Uf$FJcp;L z027;*O%rcgRMZLQ8rFlMVCm5ahnFWGVg*0^{D`6#r961T)*SOJV!|+IV^p1v zIC~@|S6I~f^R$qtJYCJT0n21ND_H@0>51%B1GB_Fl%YVrqtpMhc8 zr~coT7<$s{S7N#?T($Ok*yGoG;u*)O@Ew_AwmDX1R@F?ULnz+&&zKqJSE5zACYkp; z+sGnNSDdp#j@Dum?)B@)bturnW#46ZjZgYLQO#EdC2CB(c@bVWD=c)K8Xw!{7(b7k z=!9qBmVuft{s+ELRwVl+b<9NaQytQKLb6(HUm~6kvNe@~i<7Jeo|7I&wG?ebx)|Cr zlQW~Ppq_onALxj{KZh(=2}8Td!5+nkZBvk8=b4JhKcu+u4mU-tUV5>OVJRtMvr8%F zvyEJZl{PTf&Ewu`6%0Obp#Tm(9iC}JfA8P((Dpo+gf8_~fnBGe5h!6u**r)GyOUW{ z4d%J`dinvM^D-grMYjTSQf!<1Ht}YpQ`(^JL)`ddpB3zqpq9?Tm~uGGfgA5@2C@S& zZgy$~$lMcFXK;+Q&x+8Ex`~&dRrzrlUj29@A^pDZSAnT&TTuV$Jd_3(zi?2)t;6K! 
z+YQi7|5NlVLK}XPyZE`;`(rgyih7Ah*X`&c<~;YOHw%p>kEuJl0C*im?KAl4v)HP( z0KGSjyU8(rXT*UclT?Hs&vam0V2(Hy5&vA;=tf7DG`({H1(irfjGKxW9~&N`c7n^T zjtNl#gv{)-d6?9DfWC~lPXz37tGyK1e%Cup{uAsSaLU@ByHCdR0v41g{Hy?~ARDJW zsm!ESKufCY@&a;sCI*ecKEZeuEQv=UVE1@uWsCuE-b5R<=|-zX*VB@cGSa*`7-!lx z(*w;yDUC^WqRjv{ON)((2oJB(XWie~Gzw=naoXRm5S<<_ZkUD(S1Ai66L$xHz~oQ1 zX3Uo(mOvNT`l9ZQV8^}vr6)kbs!Lxw%MvB41#6M_Cv?A|Q20>*8{`g;T4PulWp63t zFDDDV%Qz{_KM~P85;vO!_bJrVY zhwxed!dq}YQLZ{ZxNCQU^(aFkjP}@B)qE?jF+rfKIUAI|9Rkue+JjQVSMu_bmfp`@ zk%_ApJGh*1??Lqh-R|}>jhgZ+M(TV|Ib)GJen@z7*tIt`Ej}WYQyQ<|2g#yEPir@2 z3T`C9h15i*9!7%1-0B^}spv#budj5BY6S@i?ghpYyH2D(CI$ewIs#CswCvd$Oe1`e z)8oV;hl1}#uozl?8|50c_M0jezoa+#oI-Dey@Q-&C+D+@OnR^yHaj#F8j$YxELa&B zQXKT^x$iCG_>hatGP)Xn;fxis_EpZmrNcmU%uEu`Gci_Jk*B?1-A*7@*-QW7$1Kg) z{v~Z}vzFq9<8aXv;af$1LIY)(*+<}xV!C<4d3vjFz^>1F!Eq`L(us7JT2lIJ$K+AR zb$5F(;A!;Mt?zB^r_)139oge_$<*-RJyj9YonC=K?(j6K`9${MDl*$SUSnx zu0?*bo=giXAa!D~=?RARrw}Tg;1Z z&-Nx6^Y7>3QHXe`$^nk+4t`?9 zqu{p@W2>*sKB`8J%b2p0+}h{4idA6SmQ-?39$VZ!{t0jhqDS(?GM_Wh{WFsI|BI0d zG*N7v9^cigc1F!n=#fnE`k|h|TXly|P2nkSndMLdDCRwIYh(wp8vAH%IAV@$A-A@S z^gO(B!OJW1j_64mpYcs%esCR2ck*s7KDn2kE$l8qF1D9hGvIu>)dXGxr9#7vF2YbZ z%Eod&0WXTBN7inB?9bESD#P8}TabXQ6z5*66TSt3_sNU00;ZLyH#k>X!E3l!Vzli7 zOk^)!p<=o7G$@q4;fV85@-95Z|4M(h!Xu}ZQF`~CWywt?JcRK3II$Qe5DN^!W~HZJ z2w4ThNp??@TJ4VZY)^#Jd5m)~uRPcaJ=#9hCG+x*2^}5Z=piJ#Zw0d;JgQk5tGhjr zLH&^cTPmtjnJKzPJoCbJ*Xib@4*M*yUyJx??eDme@f@4(&yJybKTF;)wewVBRL%~a z?n>6Po9kS0CEUhZB}TYbSx<^=mU^KCHFjFtN)GCHd>^w{w5HT2(g951D)XkzOxlm! zw-z(;FpG#}Ldu;r$vSQl;^y#~%Zz%k&)lZZWiM_o5p7&0Y6Nj@|8C$LJX!)o{mHR= z)qL8A>DTydp<32;DsH>0mYkaaf5(5dV$T`NdYlN`#!A`FJ9yP#+?;ro8C^kqflj5C zi5pi?tIwc{6{X7~hlwYNJ-4`2e8Fq46bI`o#EoUiBY!z1yDZW#Jg^D33D+#tMTyz@ ze}$!R^I9V;|PrcwVYTw7&UQ9co*n6ns_qQ|>gaJM-QkZM>PcB8H| zvsS^8pI=nPeX_OU|%putt#cZNGT=u;J z^M7n!{@nWDNQ7ep5Z>`e;1ykV6RvZT(Ja3()}iAU!YqV7lXFFgQkX(^0gqY>po6&s zUXm6Ai1qFU*Mq?Hl>&g=`=V$;9j0aafOh<6bu`m5DX@yt?`SU`X7(8?THvaht7k0n z`gZr!D$rzVGVw=6c`h$r`i-KTy1c4tJ)|`%tm?E~XQIe*9*Gi-;kA3b^lOh75?V{! 
z&Cc?jZ=$z{P~h4NUO;Hoxe*w`_au{MCD=PDu+fxl3*GgJ@X>;R%L~-i1J~*5tOd zT-w#ShKkjo4&wH42RvpOs`;85ds888fFUdv3Ry)qoJ1?hKNvWATbhk;#y=2zQVsO( z`jHqMxrzW8TBm!w;qb8Q#*R=f3K=x`35ur=6S0u+c6G1fb9pHw+0;FG+Jl^L|(_SNetdTPks3< zvtDLVkQc{P5Sanf0zzQgoBTK7+|m$MRZv$6C$OoyzBLY%=X z0GiP>TfeQx?b=u|i3FyCxTbrh*?HJ}0sDy-XJWvBr&?NY z-MQJeYjO}iz`o`R7|4tOVVLiylq|`XaC#%~@}l09hgf~(gp`68Y6)iPmu3Mh`7?M^ zYKzy;2i%sU4FT(3sBJZ+pTMo@4|kCb)mYKD*?e#J6uTq!FHs@c=Z6> z0F-;OBJU}D{f?SF#`nu?INJCSD^!1@eH;+U85hjd3xijgg>P>HS|tuotp=|;;6S2^ zAo`L42DSf-vG)vXYTepKXA(m1AT?5?OE1!-1W@USAQ*aYQVbwnFm#X(3L-^Nu_Dq5 zJ#>&FD$)drR0X663L?mP;$D02_j}LzuIv0*>&IG%$(&EQ#~63veA0^x3{+Y@BPK>- z0POt*@9C_#-(MbPECOpmRj&o&F=buv7%QN-)ve2*{Z_GgGocGPqYwMk&00pS z0^St)+P(mP-uGEc#b8Gr(~BDGqqAi}1;Ou{FKSNgJYc_I0<(91ZrNxZ9_%X=GBd64 zD1A}V>|*eZD)U(r9W&XVnzoOxi{)zuR^FDflF*601m&R!>c7`(qSv?Cxe2gyU8eL z)KJMGaMnw;N7AqAbXOPoBvrio-5@Teg@6M%H-qTRzfTC zDN4>YsgVuWGXvJ_hk!4m{13mTpFH~rI7XPY-3UXxgS-!qhYOUROE zF%DuvnZ+$~Wbm!xKUAN9_H^eBO%i}|d?g(oWd*L7otsjv;~b}PFJ|!tv?n!seNeT6 z6>u=WsXF>jMDGo#flHg6@B<&xQm8E1peA=z)!i!Vf?c$!_mP!WJKG?Y`yhVDBb4mP zBJIuf=d>XvngBh-QPZ;$geb6J+sZK_3{Mr{$vI$*V9&jTzKE)a@5+qprLapYmZZlB zF*}lFjyDFbT!*1dscB>+vdVw+j_YE$RP2~wyt~h|@k7LpY-=3beF83OC~ z@u!>#gc`SpxQN;E!frsk?>1HK_8mkJauCkJdar+*{_rI(m!L|6Qw?7Cyk1r2@upZV zX!SBehqL+P+DsIa&JmBwNB@f9?js$FPl=Ez>qb8C%iu^cm{%}w!IwA(ser5X>-#4e zRWgF!qVW+PANnnKX#8IwF*w3=qyF0(`a$7G_&9qrLdtVxe@=x2d1+66$E|;?(Q!99nfW=G zmEeYH!XG$3C87b<3!brL?}X^7JZ5@o*SaT zAf}fF^Q50qOQb-)cqV5RH=2?qaJ}9E{#o2x2_Lv~&A;}1GoT|hdVO3|hGFqV?bi^s%*=zuXzn z8Uf9~h{(4)gYc1IJ(19*H*@s`#vQmlV5%|?e13HWcU%W z=+oDz=<+q8hkK94ls(UUnMr0v!Vm17a&$DjmzvR=K-A_=VUr9%5@TM{`r1j_)GM(0 z;O!QosMmvf?+4Z=8!B$}4)uXNF&~1MWn{-T^Do-1+ac<8xWI@jt3f6tkp3&`ZgS+$e_CA#ly5j+9!71qC|&zgtBoVRnzOPMCe7gDv>qi zE`6{-2NliokdGWauLgLYw`HFst1-^7$&EPmX1ri{{HCyl$+p3UPcLlCi(giq6iOZ# z(Djvdn~sv_^}u7v!Y2RMv4)TzM0VTlApuWy`<7K5-Cb|ZuCEt?*8362;1sSv#M7}Z zPrqvUek*x1y4c6SGh?5zUTtSczB4v!n8A;+8%IEnHEG~KM6a;|vWVd;V`D&L{4>XG zKjG%V5U}`)lQQlwt%_`vxqy0iH7sLsFz^=bdZ2d#Ik?$$s(WS=wUHFmL=$o>hEZi! 
zq|pmJ2qlC0yH)qQPL5iwN4=%PAs$s72jz}Is0m2%DLY@!r%_}5e|Cr@4l$$LYL9j3 zPLq8ZBg9U@!dm`JPZ@@vw~L9n!{^c`ncWuAIFe>k8kJG#t32Ue{tj2WzNT-FhP8dJ zAKKhmIaZ>Lwt+le4i#>)jnw-aE*-s2L!zV}VJ?%iuWbyrh7t*|oj**pao;?kz!?|J z{29i-(L#=%XQY2swAjlRM&TBrb{9xy#W z7sJbkprBXqMSz9{Vt<=RP`d#zk3IuqbLo7?g>q_>c}m(r28Oq{O|)b?$Twiqlzy+j z@=UFM;oU&0CH1qC@pZYP`UlzpXM#hXK^Ok+9lhy@cQO(J&bh2P$doqt4f&dL)!&9t z9#4HiIb_k1qq!MmSARz0=22w6%+dLw#5|nQm91m{Gym%yQ>btP z;Df|7x8+lWHyKb5T=JKeWQugW;YT$}uA6CYC;2wBbb0g@eHtdp$}FDF33$vtdpW%R zOQo_efR5N3t--Z0{*{d|wI|_B@x6l4b{&O>VQtTX3N>ey5Q_Uvql1XTY6>Z$WcOoI zA}2ooSv*R9Vh9Gh+(neQE$%`ibAR2kAsm@jYXsc0(FPH_uXQR%**bpwQWJ{DvA=0ZQ*mDp1Z z-sT_f8eeB&)29sLO7Pffu}ZJnukwy*95iFF{u(G7g0cu= zw^eyv-W)_PO-~@Fc#Z09>sKpG(hRW zdi2h7mkMQxP?oDfnVk|uzsXlpB2SL07&zqVPZ1K8CE}j7yn$$n;=S>?!C_DH^j`d% z3-G2>@?MBG-wene&Re%mmBJeK&R>KTerz^-75G;xuowHcDSq%^g$#>{b@~w8fn>i6 z6|x#_s(f?g7qU?Hs)Knc+As_MC>$#zCx#Lk`*5nh{2!TQ5k3h5PpHRfdEN&?mexp` z(1Vj&Db#(xeQNzkrWeF!t6imrkoZolh0^KZE&*)wGD8JQ(gW|( z+N~I=X0%wSxv6+=-}Rzs?r=s@ej!tIz6UOesnW@zcr#}h!Qc7-)CJt0UuTTsA6-n|P(=KPQ|=()3ST)I4&G-cfHT;Dn^I z*IWcY{#4^+Iz*EIM_~xmcfIBhygTVyua*>YP2p$Yy3!FD7RQC71D7p(w(;#r&k;ql zW~2@bYu}g8g?q^3C`2(A+C&s`q4^#4^EfW1DwD}Kc2>aOu!lKCq9CqKD?$k%h^q+kVpVsrqyl<2X<5%OU{D`6`+L3~^9c ztktrarGF=cof)^K^ctA13(30=$>b)QTyg$1K)ELm^08S?C&s{l!4`Mw?=3nILLWsj z*7ZGW^Omp^HbQqbsN*kdTK(@3thMb6QpAa1owo0CS7T)$r>_w0ge1qGvLqb*SThdh zmZ+1t@~JuG73aCD!22howKqMNg37A6vN*6;XJHd3Cb5N$?zvsW!fjMk6#rgmy6@aQ z4JHSYtEgN>ncBYZp(@~@oe;mr^1#tN_>T##3V}W7Z3W0hv&zTk-lb4;Eo6|L@%$>n zOb-@?5Lq52c}CNpHdVtwM})5n_~nR(f4xc7Ba zDcNEU+~VGWq!(=43!y60u%`|UB^-YCid&Y;By&yPSG5z;iFU*!RY|M)&&R1?+@8{1(dT0p1S-8-d%g=two!Iy9-=u6g{BXIQy^1%1C&EpY*TTH^VZ z?Ptd#o$CtZ7n;BZHeg)c>z_&w^!1yreI{YoG={mktpUfnIGA{zbmWwMB?ij5dBYtO z?Q*SU&Pkd~9d7#Fw~47M(I0Woa~? 
zaN~ojOW-5QJ*PY+860uULT8}93-LW4t$db?YcIUfVNW@0R)}aU>Tzxn4zU`$t6 z5z9%55lZVpeI^DjYR6Q^60Z~UbN=rZQ(;O@opG+bRenzkhqBxY=-@#+nedTIlL}UY z&9&1D{N#_o0iCG$q_C7#6NY+{gW2203I8GECO6sTIQzuC!zx3@!Q(w{kSuvS>lHll3sI|JdnDr)5eS@~cGSTwA>2!S% z{-nqpo#F)_jnOp_FrXNoITj0VSw5GQCVaH=JATBINLJ+Iql{dMz*%X|iEMBy26%d> zfLdzCfton;bnzP(fY2{ngBSeduJ7N?v9)fgtGJ>Y3omWiRdM)!-Ph!gt=^+LmD>@N zMW9NdC6t~_e5W=zwXlT}zD=2{v7S<-^&PCEQ0+`8^+>Sf4O@#ImZm$0Yyw?ymoL>tl1_*5lN3;<}y~!bD5h~^LlWUXn zKUI~yBT2V3_edQl?sWu0_56DS7 zg}8uJqX=F3eAEvh*KgHSkx-@1NY+=vC7e8Hw%uv}&t)+dsNY^cpQJ{I$T?e3%tdhM zViG1tIEH&A!=%>O<&5XvT3F?R=oU1I&G%b%i^hF(NV7w#$}y1>0w zc>!UmLc`$5$7L!pX)XEi7Iq#!1hKu7c4U&F4KX!g4KrmbIMwP5vo+Wj-5aVkMjxy<9+F@2B6>XBHrry#n%(0=dTVKcZ%4fPa_)efUQ$u1*D1D;b9x~#Kq za7r+|rO$KQU?GZ0)ejj0C;xXytk301N0{`0^56hxlNrTMubNz<4+qI1P_dK^{Z=?x za{pu%(p>zRugPrfx1d5c!nQiU3ICI}8&4(+E3M$B)na9vcfZODZ(Ql6z%N|CyY2id zF4w1RDm8$P`y@g7Ny&`2->blgKrvk4i`&1~NLP%zCR9jQagw%TcF+D5KyRk@2Vi?u z3?HkrGkf{cFY#!LAhE|VW$8ID`cN1HYFC9O*A^pYm1iIwbYY<`S#HF%U3a8$Fm($m zoe>vnEr>U}KX)H#@CRgsZPy6ckw_&b(hYp?W=DS_{+{4K_X3z2q!S#W9NwMGBfLdm zoLBalYn#2!dKVIfv_Dr}b2zM+mWV_JWLt|I(|-xYDvQAxksidVDIlNQ z{m?5wTohHFRU^=QE0`2u6O9=NQ=zC-n50Y=1zP1|Jnj@m0U4{?8*_pcoziChfRjKn z;U*ZGbWoBRIt>lcJn?HGGxJeH*OHB0Ds*4>n|}zE-4&mY#n33494qTDoSU>xcRHzi zU#4q?m5D~rd56^fC^UKUpYF$o{)WrYo-CO+}1qt(} z+e7zNFa~)NY}JL-MC}|?n62kQ&l(t;#D}^6?L|+px883$!+_yySB zPkB0ek>RU*XmDKysg7lsZAR?4yXL7-ktu_!?;YhTlHS78LZ2X+6g>HeAOmm~_4Gks zu6{8;pKNg_-VJx&Xf|2^r$o3I4$-rC9}Me@Rx;KEz;jho=q#zxon&)tYoAiia}bl5 zzkybWu5CgQa&HvO9ts+}B=aVjhPbgKRz9g30R2^x*9uT2Nh*rJl3(VziEw7tWqcn7 zo-m69(JWBC?gxNrGo*Dtt}cMlEI-8cVzR9Fd_QW==rywYvpD|ke8em;1)SUy+vDHh z0!zJl8sOpovD8ui%2m$7Ib3sgl3ADdSVOa!!R;Cr=O1bC_fSk~)&Oy$vCHaZ4#%aP zQKN<(XEJr1oFn{ky@B@-3Nx3eTBB_o)NY^SSOEzoOfsncf6bd;Q`?SXG-hg-9)*s# zUEa_Udg}x0D{j~RRsDT7eMuu#VfXYHT%4hZ{`1yxE2LaOv6|(Z$gVxJgQL2;gAko*GGOAS89Y1cM*L~nf|1;e|%rfUCRA=a_ z!r`pUL$_JiZhKN-#d>m~14kh$oR0U5fO)`F51jGtA~^x(5bJV&GU7A`!AX)Fs@-7j zuEDx@7=N<2{igVkQEQ6@|#~EUFIa3`wI$qNMyo_HCP@bN5 
zpy(ds-2HPD*p%EBF@fIUtPBkkO_cstI0D<%95c$Gc2gxz$X(KZc>Y=UZ{^J|Gx`A@ zn&*4fuQy1)57zk@_3qcmCw(h)9p1HDh^!mB@XIZV%)^Z)z-Jh5EA2D&_aU;~D| z&Rj+!pwSX0MPkQQ{%d4Y{OK6bE3CS~M4zYoS-C&O6%{8hm zFoUf^auSbDRq#Bis9hO4gOd&jN7&1f6@ zgX0JM5jHExT${>topk6kNx$(5>TbPf7HsQrtlx>Vpg>{`i8eD40}1Cl3^J=+yu4nj z%-XM904KNK% zpnd3Nl?w^CvN!J|r!afW9NhiJ?pLetJ6Wv<`#xsC=(!+`I1uzg7-=e$F?!X}+rrs^ zSvOgSXFeq0Y4i`Qfw#QWSA6M0F8x#Y8IXFSw=F}KvZClaEl86+5}5jf+M9u1zw!(D zt@rleM{$W~+(GQl^7-DTPZ7^F5}lV5nIGN zm{-;662w>6#Z-=o4)lqunv4Wvy)?reQg4u6wlaYf{sef>TIGi5l19yUVvuw%36A2A{>U#YgbPUj!3lShE=8gUio{hI5e}tAicM1g!)O zQ@cghx_qcpY5BV?10O*fb7zCz&RfWNZ^%v6{*wRob=2vVgIlXcFY7<^^I8Qjj0O3R zZ(kxdf79L*OmPUi_}Hk(o&IMLg-V+e+ro+Y;9DU^Z;JQyc7)Hk%|9)^B!3Ety(E9) zDvW*O8L8{p3A&!(HEB|0J(p#M=*9J&4YTe>-;Ee?e%X2m+JSF}iq${1jPA(MqWS1c zj9Ihp{V8p63_s~{6{2Uv{V*}8gv9xYWVt06A=pI-`Nd;FP)l&TuibEaAks4~{7Qszq+Np`d0uGeWsF=#J2 zX7ewg%~Kbz3Wc!|ih`%TdRH3_^Q4xo+m7R8h!iruG%hevXSyUIUeK%+>wV2NTgg|~ z)4L*ABY$v70@szzCHam!Fg!#@bW2bGEWCRsULSb&Rd@%6PAr>l@GtAZY{Tcwj+#$r z$|5V{BCd}+Pt`63PBk1Srdnh}_g~+1YJ+Gc#b#BNQn&_{!~tpcOC#(9{NKD%0LVyv z2l`VME`kusMTnjnox1PdqGw)d()FAiy(of1D1Lb5FxPT!LBpfwo$5zD<6~0?nbuVK zGm!2a?hcMZBF$%AE9#=Hva{6uEe{7*uRsD0)(h_gDm>}dU9$yv`WpXqbK}Uj$Y;>V zOS6qvJ55p_?@8ibSk*kPx+;($xKYY#+g_#I*;*8ur<;zFn>w8d<)vUXz#hU z$N}a_?6E)ZG;Q+;ll2u%!U;(HrS{EeOTjV!UJqAwz8PrTla;$5MTpb)8A2}C7037r`+b%;Z zmSTGoVRm`G!y|&Um={bpX_ZXcTrg;7Qd>lWd%#XFyi;Arr?xd>@7`5#uXGR9PE7v9 z3W*HLj0bl3Dg3J^vh+J)O?dBl4Oa7g+c3`P#u>Tu3)a-3%g1MFHdHZq_3!-xBFV`g zC5b6bo)d69v7B%tGt`e1wH6qLY2P<%HAtD-n6~vfW#M0x&j6t=idyG_(OlWgror}X)+Y6_klwU z>I;pAgD;@yS4x1{HYNp;$F0q^gUS6lswE)?Lsod@PBq<^8l*VS%upr$sf{dSBStlb z(pulOfU_gD5Gv^NpTzh#put4T$A?y*8iVM@>E5)+Af2x>(em!u_a+;j^nX!#3nBQo zX5D)Xn7*gOntMq&Jp``2CQNmCJ_^>KU5IEfY4gCzmrv;3>pY?`eej5!xL@qNy(IC{ zra`d+bQ4OX*+PK(xkA-^Au`kb^Z4PfowPv_Y<{R8rZ7t(o{Um4n!$0M5RLGv*Im|{ z?^bak0KaekDUWjQ)8o3`c`#FRC3NPG7m&VJ_ae9dEWrB}4hibJXS*VbPM{ng9{!0R0ODP6d>k6OQnFMO0bufphQV{-q z3qD-z!*dIHODTNzl(I?7<%Q=7Wwg@WQLRG}U-RZBgkLKs=LLCvu6Y!ZH(nt$2AKM0 
zVB?s>v4`}AO170%i>K0wfEztrhHd~k3zUr1dBzZz)N@v8h<=|uPN3d-p*Jmuj(Wlf zV)y-Qa?kn~;2gMtM2KDk217NEj(cf76$HtHTX!U?1pMQXr&MV`d0MLxdB71exeFDh zQ4Da5!r6UG%HE&K4WdlZg6yyzF^pFX4os4Tp}Yn?^{MTiksJksO`3b6-j)wiYmB~{ z$=zIb6tk`R{rh4|;rL4n9)p`VSF*DN zbi=sdQuZyk*~Kl5?kQdKvuCE7Oh3CCxi{-!J2GD?_*xmny`5S}2+DeXCC^{ox5;1M z<}|65H0%ZI+r+L2YjAHo1jTcXRgHVTp@>PLXyosoXG#hr9^=Gqz~s2RTdHx9d7(|; zG_oLa4@5sGfa1|s;3v25BMa&ir(GS{rjq^X8safQkhbmfs!4$k_>_hJcDMC#rySu_ z#dx_8PHE=Kdju9x(d3VMnb|RV>y4c9?t);~30_D?c|~Di4LwbJ_1+UE*rKv?EI9Ac zmM6Pwnq!_zWrDBo-Jx6%e6gvrvY7jjVj{c|nQaHoe>LM0l$kE_~gSkSq9V2iLy%I6KFZJ$M~h8bOzWD5Z@>@kR_0)PYoaI zEGkrv#fvbUR8^RLrNDWs%C?J|!BCaJ<@XeKhFQ*$)9?Y)t>HN9M|w=p?3(NS^&To~$5vmUw-Sr~GCL$I;t{;36?rn9q~4p-Slaf6lD541=pZ{S~{2@6R9^)I2x z|G3JYLg`VO+hfjvo#@OLdT@DXe$cQgcmE2+Ckw(=04>q$KeWWyaj>5PNEeZB2f%I8 z<#YXCzSf>Q8+C}UV*3qPI|wM!&MX_T3S`p~EnMp1wIoKBpn~Y72XVWr9|rNMO=4&T zh|S7qV8*c5!d6p%8kh27*wJSVe(?E|0rMS@{btjjt{S@Kh#2tkM*v3vZE~ujBjO;XlN}H zAT{0UflEf1^Dg4jL-bSFE@wZWqPmXHxK(@Yczl0f+I2}@@ta=g{|3_>0Rq%Sv)rwW z<0G+GHH|K+~_8)@5ncV86>*_e6P80e9&68Lx`L&Oe9S_iQdyRlR+ za3rd>(E9LZ05J+u&NKe%_8ff+^z#g*zzK7B@j}|o(_8X3_Z0j@C+0>ah_4;qVtQ0v zuB?7zJxR^@@Hzl*z0ZH&DKm7P`hMbFQYF7$224C>}eSRGc3;~h!(S?s43tZ*~HJ3hbs@27M7 zF3BD^3~U7(#ZsE-#c{u{88}dOTeQ5G_=2-JN+W4Ra^&!Rvyb|=ag(nyP%5VwZ-&;U zazgi}f+j4?Ho?_!M<)ux12S|ztv?7R1qKLv1)=g} z?>EPunOE1}{I$f+{{qGNt?kc&cjJ2Xpb-u`59m1`Pln9!OSf#rP(6(tlx*l9DLT6Z zvQu+bKfD-p$xwGM83XsfvAX8rRxFjUM%Z_tE77l#O{G*dF*;S=owT51dum$X;Yt74 z!XEFr{(HJ}U%EIw3igru4}(>b$MsyeQKPO5BxdSN->vvE+0nt9jOh zU&oQ}xMsylxbtd*zLU_*SYXr>lN9d1`GMYJ)wz4OILgswy z6}zB2DE06$oJ5QVViF1>TNmzE&i^ifYhKJYG>RbmLVnJ71~2>dn)i5l7NF_5KfOlE zr=*%TmZ%4DG*oQCkUU>8OTs0Uk}bfWRUDw===>r&zA@=-deopT_H<&1$a;7V_6ovfTyYy-2u#y1axWn z$TZrHetujI_W;te<2`-v>rcS?d^bKo0+Qe$+4z$Z{{rY9Iwg8Scux?LjS8wvm(?1~ z>_h#Nr#!rp8IY5)b2Ak$3k%jR=POn?+@Lkk&3Z;Ul+2e*YGnTl;y}j&bm)-e5)mXC zW!TR0<5-Lz42QdVHh4XAz9)qn7w5)?rkC*;#K91*APQ3M#y&R3A{~ws7(B^HJ?Unr z8y$huz|Daq>8!%>@WpiH$y*wQdA)&I=LMEZFO=h*y?Bu6liZ zkiNS*E(|*{%AfcE9D6#K-psuLT)r!Ba;}2+&`$VEt=b@V#AZu7XprvPa_hR&Rx6f( 
zDGCVSid!^}x#|(YF2f1P39%=I+1Dk{SeY&k_?PeMz##Ju&`8+Y zhb^7(0yMIBo3Kz^%ii40In0C=jq)lW(% z|3wP)ii%u&*}yfZTuvt4^yPu;#5~(AjV}o{<#jlhRPduf=eD*4CaUt0Wsk^+``~Y$ zGCGUCC_yGx_#Gx(CG0vgLc;W$IpbeUV6*r~FLOwJzsJzX|FMZdKTX`ctSFU7o}cKu zJr^b4=ApKIK{tt;exv=ft*$5|rM&|qSk+d5=Xr(sSul|9U z`D49T_N~CU;^f(2)_DRl4gV#a$bn-j~ zjeP>H9z@Y`y-)+s`>+}8s~o#e&n?6kD(7>syu#vzCbU;)nAHYR( zI+1wC3fqBX+lntkWxmO1dwW3!Cy>DX7G z=6gEhbmqN(30D8B(+1ck5RO-xyI~FjqP??ecQ@xWKa4od(_y;a(QKWtg^X|_67R4J zyEKHX_#kj@i_}ek?5!{m{k#OI*>ajuyOKhXZlSU*8j$wiUl$o+fL46s;#l#E^Kcrd zOu9QEu<7_T&M?G!HwI{LNfI=trn>pZ)<~?s{2ke|ndgw$`%!=HD71dn__exbCwn$z z+W#80!nNSm+NRR#TJIm%oNKYS5fluAlLLW^U6LQ&-jBaQ5I6U*3J-(+w8Qi4tS`TI z2x?R)w>hs`>$})2)s*qW?j7xwr=$v?@i$n&A*x}Gr&*zfkWG7*z*G)5&~`H(myjLY zSKr7Jga~!46MB4^HK?<}L$0hs9M6sAi0rtB_UPMyio~h)OZ}U(Q=-ii-bfdt4mK>l zNy?$kc67jNpsx;pYd&H6$wl6rI)%$n;tTQIYu!0r58hayp2l&je-``o zr?UUHm`EbSw$7E80tc*o`cuy*?6W;Q7#Iv!mNk#>?Y3Og=Hs`!^30;S;__3|4i1zj z)qQxV1=x)G!WX%u^G-DDJx={96gD#O)g~4^6yw*K;=m%aI?n6Le`c^AT0)#~D)xP^ z$*sAZhag$q2ISrHkvQ`{AM1zlDW3rIUe2YL7O~i`dUX&arSk!y%5A5vgn>+couOAp zaO~L9^@tv>mmqC7+V}%2OHF$FrNb}WKgbZu%o1ZD0vM+!vC$uF&=Fs6+ZaIp8rGwS z&SHXe$*oJck$L9M@0j+|f_<6EAs0}zFXdd+kY!7-0>I>*Jzx&ciM)JU1Sb`vBBWx} z7*^Q)TiW(YS#GJSz&A16VA9nCPEC;Q08O;cg*HAg`r#U3p&9g{>A^*qv-Mtk!;_Zd z1KPQ>d#kS*9!0cM$$4zt$PqO$To#uJ-9l7{f!pH7+jDbV6OrZD%o1#~K#ZY~Q8WCn zVC(PY3d`vaxFx;hl{>V5!q7U> zB?xi#NJAuKg@BSjUjh-V@7b&{`XcRs5iOF_%kH}f9%rvU3@9_MN-(9I5El+w9g`){_5TDBeS_e-a@*fp6o~+6 z`B=j%ZG&|blw7KRORju6V$#{LaVw9;f?d{%`N{+YWz?Y*M&&F6>hSq}9lG-8=BqVu z<@U?t;SaQ;!OoMMX2_&J*{lz!`|`eAo+++2>r8d7ZE%$H#0wjnwu3K14&0hihjF%- zs?v-K6)a>hqs%HuF2$$f6LvNxKw7e3C~}>5EhV+>GPr!$In7_4`-kvNLyq00#9ufC zj7MnOFu5Q6T5ZmUZdv z2ZVWJX1J|_{!pfR#7|eC2U9w2NJZF=$i6%TVyp3U@R9y>YDN$mdBcns^dB_NeJ5WP z8t4MjpfW)47tUOdqhd*|o86dg9!`j{(S|oJj<@~?$g{qIukv>( z_$lUyTvSYyU}c`ea%cx%9be3s_n@YrM)i;KjF0~0>;3u0drsN4^x7`W(6Lw-Mb1Rc zkC(|6DGu#Kk^4)IQ+>JfZhEMc&d;Fx16im4p~6AOA=>Z3WZzjvx3#1H$}lYR090{XZ!rFY6L7Mu}WHF=r^MVhnFf|g>A$u zEiO$c4b;48B_7C!JB6|mr#_Z@xlH}}ywj#o@*Csex?9GK#J2U{4Hp7WhkbG_#ohow 
z3Hx}#Srv^-}IV0qim$;bQSHrJ@OPYsa$ z1LR3kuwN6_BG*2(OcAO<3tRXk1|mZGXgLB~Zaq$HwRQFRi$xF)PVRcfZ)OrwMBBZ6 zaNbyA1V~TSsR*B?E=Hg(Ko5Yp^6svZZFIo$p^{0;L>oz>B-|^K$mDvnx0BwHyqji3 z#<%9GOVN-rAiDb;q#&ttMHL^#sH2{lmEH1RqG)o8Z1H@1N}gQ%G@~_aOLtCXi;oo| zFnC`>pQI2*X)tZ(%xzaw0Mza*JMyCgNVp$aiug_d5^06y<5}9!tV$lxSmAp=J(lpt zoX-}jm_xi@>`XB*n2XwbK69xAosODvJ07_r^m}Sbdjlvxb#g}=s6h=Y?DqNu7^(af z`GCht>S2Q`iDXLM!PN`Bn&nOm30QtKxCH%(EdP5M~Ci|qv4~tTjNHWorH5t z1W5#ojjM7}BG;?^?h@3|yo60q#OVbbb<43oJ+BAP-kR)US`FaI1QxlSt^<#GfwtB( zTgd9d!G&HAi9bLR>w7@U+NJ%<_hbFzHz1k0o@c4>8-j?ST!8P(Gbpe-h21$F3Yy6=KU8Wr;M{;NcE3F z3`rgQ9`o!H%(i^!^5GA2fcW1$BOz9IrQhfWH-3H3$L9#T`Li)E6B9CmWC*k&H_E3f zi2(_;gnM*rGJGFH<{~|wS3>k__-eO7VGG0l=zlQy9an!p=)V9Q(rtyLJQA+XJAaSB zjRT2lYJtavg9Jkj+^AK*;+4h#w;Z~A&Mtw@LVCj2JUS#|T^m1d1K5srTu_+=E}R+lnw7eZD^N>Fsr9i8~In=S9Vt=)YeLHQU5t3ZID z%m)gTURgzWF&Nq?Ej7$VyT|G*D4_;fF+=WXNs4RX3 zV#;bvL7bAK@gkah;uyd(Yf|v8?QXPfoN*P^fX@+zj-?aV#pNBgUax-8F+HM;naHP* zxI@)G4`2r{mRh%8TM4uv**Nf$%-;VqdZ}`R^%>Gz@_=;k9Ps20q^%3bz#29YmLpFr z1&socVNy+71JU=#e#n!jxo#i{@2H$#{nXlQRG|3nk)dD9_5~NMz7(#Kez>yzgV4`4 zJxzhuhDyI9P#J)v^uOywlZe7BI%gqE8gi}1nJ8 zIs)0PrA*#!dEoX;v95}EdH;>YY~O`9ktAv8fBLXJaIjg*_RGO$xiR7`k!nENEZKiI z3k+q+4A6Ux{uncDTA`#%R)^F1t0n2|PyStz92#WCTA(c50sS3AV9yOeYiJ%^;07ua zcB9pcFBlu>D!&M6nOv26>YCC+y_oM&EITg1O62xm-B*_`>F9aG9*@DW)MmVW0!B#I z#lpyxNgz@i1a=#q#1kbFS1N3KPZs;^;$-PBh+@PLh4egXo* zC>CxU9A<^)VWR!9F=yAY*UmT2>x&_Brm{$_IPID;tf2Mmw zO%0`wQgk!-aM6kC^RL6O<$)_B%kuS;9*l`gfb_99!voQKpDhl-f45=$;x!Lv2j|Ii zjF0{1KkJy`|5(TW`}o!W&9g;naY^77mM8}i60n24&HGnfTxF5v$Y$dyhRHnbe~O;% zY(If2Vou|MB)<>67TS~VOzkkA?Dq`{5tE6MFh!YE`E;%YhlI&UNld`S2p%#HBC&&hL%pH-av()tdS$VgEFw8=z97 z*(!&u^wvSdGFzaG^8$9d9nsjoYGjsQE8+8UP=a`sG`{}e@-6kZcp~dA)1Vyl$49I$ zvb|wG05-{CvpT2KKYC$Bp>Z3qNV#O?ecQkBGkEh&Rkzkt;2yT4RKcVPS-d@HirOuEgN9N+jHxLylh`(KL%u7 zRrg}q=l5D9zMI8+i%IFVKq@rj+%2K79iMDiJB0cHe*lCX{ZRj=7yApw8P%gN+%DAQ zpn7tC7K6N1H(Ke^XThp;*|t5YjP*3GtB86~$+oWYOJFV_@E72(x1hP$Hgw zI+F&20%Oebw z$d)=~RT)sA?C)%*2cNm<@8K3%|AzO~HyAP0vNAW(43Nbh*stFhf3xx&SW$U=B5^DK 
zO&(JRWy2e-M^{11Ky0bb4s>858A3^OkdajH7KQEVz6?4a;{;{r{jHdK-;atcPY)`Z zH?qNui-T|FMyUW%F}fy^j$2qKfmYUd9}uhuzy7=xLHN>HY$>~B*c<(M4AtSG*aIVT-|t=2n7X6s#29d%W1rA+sO z9;?F}mqt(Mp6E{^-P~chX*y&OCq&D>1G-lO0B)yoi>z&w>LeQZIM0`=}+52zoiIiwn`YV_TpN=!*O>->o(_Gact%LLYVGO33Kkf%H0o!Wy{Tf8M z9i|@eRcb8XkF0^;>v2F<+x3Izh06GObXnTOdYw9i8W5;Fp!r+ywod*k|L4eS0r?#N zy?Op`JGKx?&y#}VT=LPCzB4yNVT(xm$#@|+a!nD2#uFa0slSG($$|0L+6+ zhj45Q8V&((iK{F$$@QU5LOVRtUfssuUtAkwp(XAY4aXTg)|%&n!Kk=Q6fLW_KX)2# z!-maG)# zANZGOF>{Wa&8(`-K=`T+zp3gTuujVhE6Tv;rg`C`i+L06iLSbx-5(n0eHoxc9w0$C zdgbl)2c&`MeeW4cJi1Y_3VhohlhQ%{<-G@bI)*d^r}1KW50k*^vK|LysD9UJ!7|#L zUUla(?d^T0)R3SJ^JgS$eAynf3J-ZBJm7xj9}>533R0DRX3;+PI6L1JzdZC>&HeS| z1cS#z=c!Jdax*B^c6+TBCwlJLQ$4P8Ugw_OJ{V~ZANQSGn28wC@OT-qr?O)AX5s7a z4XcQ6bvL~?>n6hYZtCUV`50!^u*^!_QcChpQXylaJLZ=CP^op!ncQPYR*(U=#96)C z;Y^e3kIje+imRvBiFizg2byQ`ka8*(VbL{4L4I6{Fta=%yxZ#3H|}X_LBi)vJ+o-s zXY9=wY{L4}yWWGjk_D4UB{+&+yHKQ-Mx3Qv>nez}2i^Y*jy-VivzS)b*SGa$H-M77 z*7xJjnEh*>eTx_PcSUl}=o2;JtVCwpIr{!vwBAY>1{aga?H=|rVCH2I8XF`z?t1r1 z*2!t$x%3=Lq}Rg6Y_aNHk2%A+%#D$Ha+!FL{)=baZ(sQ#jRqP3G+mIHUit}{ltXpJ z@+Lpy4}YF=Lw<$%SaJgcI4Vl_EZ(o&&?!GHLv5c}n(}ey5-u<@rS}j9Dt$BFQMgd4 z+%Nkj)$y|p%t+-y7cJO`nqvcZ>mr#l*`0*J_h7gnmGsP|ZDM=E84pLbX?F_2r5^|z z-xGxC!leFe2)weDWtS4mi2M7%r3qnfEkT;sm(?k;lX2C87YU0Oq6_u;P=CL!OKgz1 z?PS(3)+&j*0zxV_|OfYirs z@%L&9oS8A(E+roaQ1zOnF<+oKSvSB0BG%*!o0W^;zZI*28f|rf)<6d42fV4C`zBpW z(rp4Y*bk;otC>RSPe^6TXZ@MKyIC%Z=6SF&QDe75*iCUYYG9EJA%dIV8k*o@&md;< zGQTDFs6}Iu%DZF^qD&c-T5pOhrNPf+u-MS1K}h^}A7-4R&2__mn?TBnTzP3-CgI2wIP7J&egPM|#Mwzsu%;bvVyxvWEcJDT z#~W&vPnw;^0vF}wf;;G>`pg?J-qCH@BLKn8t90tnlzW#kte<10#(z@Z{!EwelT{fT54TnOgkU8~WT+yQ zcW|?QyKpKj_FB`AaT^O6ukIbH%Zx7Y<3ogTLHmQ7HrzYufF#Hlp){A)m*F9Y4TGuS4p0-ppWlAU1jq4%*1y3U;CCxX=K9E&u= zcc0$UYz$hnQ~~q)0ALLuQ9hq3(P72-gl;^z(lK_D;>|7KprQxHxpzvQ8p_Zpk8vw_ zW>Q+5Z$u^*e#wq%t_9V(2! 
zPc_EGGtaYqPGOn%Ac_mlyAi0jz!=AH-V&$CN7ku^g0=aZ6e6k;7{x_F!$RLAR=NPQ zNZ93-Eih%EQS4sbVkh#IN7KPyJd|n+?Hp#M(cJB`%CzU%{*^gz$4-r1zAsYG!3Cqn ziUkIom0lZfks>(JCnAx{3PnGpYR?M)xq1ng(k{C%k9KqzO*&bG=Gr`9+Gp*4gyhxY&|7$1zHS6g+c3mh6h&-FcVn zL>aR8AuWP3pBK)@l}w86cT((xyMF6RA#>)jw`a`S3h2C$0Dzpim8G}hISz_$V77r~&^L5odbbO%eu>Aq~_;*rb z^dy()Q^Y0O3K%}hR=RDyREkWtMQs~?p`#A`vVzNGtvz)*Uvy>!4{zRGS`(xdxmbL; zz3T?=sgq{Io0C;KCu#B^%G{9{c9m)#ZL$vzb>KVRES_}sB<+r&fp0D4Hakra`}Ayw zH6I$5zNcl)QUc{=j_VM1o-jv`F%pRzDMO2s2*)|-A+#=3S+NOtg>rmoEpofi6HXa1 z$E$z;FE81ILz2td#H%a6OF)VLTp2s5=_s9Wrp*Rc0X&f4DSDWvrA4~Dk(a@={|Ol$ zypCtB4xPWO>#mkD4|VKA5$DzuD_@bUBjwh?2QXmBpfJ&ajeO@b#mO^Fe!K9-0rx(? zh|g0?Es%{88(PI@p=x&TA<>Y&oM>98ooB*^<8TZ8RYGts2h-ly;UkFQXhj4gu zom>pl`2h^$9oy3Iyo{4u0R%(%gOf4yr;b#q?e8%zZ^?~E`_)-#lz+(_FzEBv;r)?f zMT33+TK= zH8e;gsicC6Af?FALrEhdCDI`RN=hho-ox*^_r81IeeOB;&wHNxJU)+%!iSmnd*y4r z)>`Zvn6|%kED+bvSB3c~36XuIB4O3qD4110YIb;_@g^ZM%X7xqy#Qv#*YUj!Mo|Pg z+P)Ldc}P$a19_!z?&x{t1rDYEs+|t00SWU+jpt|(dBq9q;5uy5&VL{CfVT1@PhU66 zn;)Y@sY)#Mv+&UmCW(_bD_e+PcOC?`MbSp%mqp5rfrj0&P$F!J)ac|Et%5!(;cU&+ zmKAGubpB;_DmE(7ON6WakNc?A+IV(K@u?k$pD%l`paojF+BHe;&+KO6z~~>6IGEFCu`DQgF=q}?{Yi^SKg_UH^`{0OKmS1Z1x zVqgWbQ~O0Z6bpz^+=r0-AVKVzdT?5vaMDs@QlSM#*L#uFKS_4!;ppQ43@^rl$qm>! 
zXw&SEKSaoCZF*V%YQ+UGdru$O4&w;k8v>nqU|)Q7)R!!ezY@XZ5v5tw3%}=Cla(+X zB9dgSOzqKEMHWuslCOx$_h06 zgNJXc3si#H;~rk0za=Z)%yCL&<$H3l`O1c}+A2~p);|z&^DIHUZUV-zn$~pwZ(IQF z&uM=Mg_i)OfXCYxUGKW7e6hSZNBD5J9go?#X666wAugPOnL1Q;=O3kI8zOGXAL{NP zcgZ#*9qneLI=aISV|)8kzA36)aP+oe!?>Jzq00AuLlXIK^p$C1pjV}C(e z(YV8jPe5$f9YdqfLWEWneya#$px{yb30Ry3kG5tk{{CKP*Hbuqq{#ZYurajQZtv(5 z1&*77`C9QX=pd=kZdlCPV17dKpd*Ruz)mpM-=n%WGADkD=p61*hM)Qdm<-Z#74vqb z#I9@+N^_d$BshjX)Xi4*Cb641WI&hyt7GHAMEhQ-sR$AxKVR3ZnY~SjB&d&OD1*(9F+p>Yf|bc_fjSaY7e;{~$<^rg&%6F`&^OuBa}o?tF}4#pK0L*3k(X|9{$ z@qqxfxK~=7Kp&-59iROmC=T@ix&=t#d`fhOH;>f|tUfO~{ATKCE0_yoA!k(OsRviQ zXz#gD2&XDgJU?N60?X?=qnObn_rMQge!pp39UEZ}hf9*l*?|F>&|y)#|IkY?bjZ-w zCvPjiF*}VA*}Fxs?+`4dStuW})ZMv9EJAUeAeJ9fTmwdbmW8rM->g_i@RKUrRzJ5z zA(~E&V)ejSP+Vf#)Es|hJhN`Cj(KJMrcBpeQGkKDJ|RvUx^{(Bcnfqoy=ilUlIEK3 zdZ}u9xg^Hr%lPpTDg7oo`vPA>`7mg|0~h`FTpKDhrM~ZHiFLx-6Idrq#DTF-?mUf| zNIAkfJVR^c;Q93Y+y<-qV-R+5g+rSMDwq5Q96L}_%I}sB9b7actRQrgvam zf$13|!Dgx=X=SN-6?^g1cP#w(0rm9 zd8AMDuzv|$GGB*4*aJTv1WKyGGUg47YUK&Oem-0SMGzYIl0QvgOyhzf*QT${#9KJU zLMj6uGb}H+<9Wv2%c%qx7|9XZG*K~%F|m=A*O9EPirwa8po3aKgcl&$Q$Xl zT`;~%2mCY=FJ<6u z*HHCT96yQ2pBFn^t=pH!y79eNgW9QVmn0?ux98qv3fezP@~bn6+I9lb2DNZpbbUOZ z@2~{;m*WFJVwpqL-*e#%+}D%mE6ixN-7RI6v~NS9U3QkR?9vQwQdzHRGPl{rx@lVs3uJp1RGnWoLR`nN6Q$DWbR+4>8!H{=UlSA~$7k1vMAr2O{pxpxH~=drWZ zE}1*-nj;3-}MYiPNDH*=lmsvX5ENfuEz)?b$Gq4>kZX6jwf z!;v`l_#JW;@9dN&i&gLf7Ncp5#mr}xBd@g1EECCnr-^e#q#+pSF1l$#!S7~eBB=MpP|jLF^w;%*l2JzdANyMfreMH8Hgc?qSbiF53u8XQ9O{+=NoaQ{t}^%0*0 zrB5*Rqo|1V`vsU%R<_x5&>?-zhc#}olW@jIKX0N>V)oIKMqm7p9LwE{qhH^$k00Vp zz>gWJClKp9i&wmbRW*Zik3Pkb7?3{0k1Nu3lLJwZTu-<1Ha7C^xc+hMCI`*Fz-WTD zAXI2HG{##NR55KjdIT@@@fP2&eW$JZm95=s){yMu%{}#23py-h3j}}(DM{aAxp|l> zLZ+ktjKI43Ylm5A@WZ$)m>AOhMf;;`Y*w$k-Gnpj&L&LhkXk-jPj9~IJM)vsjyZU) zb%VsW<#hH02aVJSNbJbX{`}ks75N$tC3t?VOUxx45-YqqOe=QWPs%Sz`D&!}3EXb+ z91QAxGjA_4(H!9IEVq^@h^IulL>IxbnTm4<)%oz4KJ*J5b}dRMKkhDYR+@+?7PywQ zH3AQhz{#!@x1GNMs15p%r37-G00YX5$1X%X6Ub7{dctF6jwBX%Bj(gww4p2;bsf)) zH7C#BSuu{`25@Ze(N{YaUQHfqam|-o^~8kP 
z=E$eR^6ozm{bc}BY012#IrfxK*`8siw+r(23QgeR`p45LBoq$Q{tXx(O>S?L8jiRv zAaD^i4A=w}myA7h&#C$Pk&DK|yb-fkYS#|)`hGl-TJ?-d149WFvNGhlHr$*@oe!|B zRz-*xm(6FF?mUzf#MEq9c&U0KqLjJ<%3`=4K_-x+vcUB?LOM<&K80rZ=Wz9#CP1dn za4QdsaqX%J@6LILnWbXJe?s~R&ViqBdl3LO-|y3DC9NXB5?$3 zgk`5Q9yWKB3H<#7UJOa?#XXBvV=)hhcQ9f^KV9P|JBvOMP)300Lr580QT!)&yiW6i zX)Xm>I=;HI*x3*B+!!n4D<~7a6E73iahed zL8+7tw~zDo#fbspfN#HXg~FW8nE3Iz-Lfp+cjIRI8T1(*-I)0Y6j9(+%Zi1%v-G|r zzR4PDPljwABa}D6-~%5*q(?lwih20fcI1^p&HR@ks|mtwnoFXQLzG>D`88t4U%$MJ z`Jj*ax*O4hJFcUM>~e}6kI=nRAZ|uJZ9&d`Wy=UD;X~bJ9T+z6Yatn=eUGGunt+xA z6Rp*Mz4IT9aGnOP77o)ZR*p{3L(ns!WjaI$Evf^$ZfRIHuFu)01 z>`|&7L5H*oEWVj^o z#6QIQ?Os4k0gdv=j8X-KC^ewDN2>^yJ z4*S!geJeqko8~e{+LCV#QADv%6C8Ok4Jayyaim0`-$9VE*P0-kX792QsCf&R(62W)Eor7nc_KV)$d~u@6$?}iMUY0sc?D z2vXw)O5@nZCBS+}(M-RpuKxSgYq(@r$o{9$#{py$0k8M>287Fpn8oAHMZS)3MM%G3 z67QLsYG)&(zvuM*P#CGz9ZM>RS@a7YYyZyRz%f&%Uw!R1y>7knDdTgl3MFJdsMqu* z!Co;^;Ku^T7UfjaE=}z~-sKyo0obYrKCB4)bI_vRqKO-cPOnC`fTllVcO5wz$5zxc znTmU?vh5wFpN7(+@Q}+f+b=ymlnEB3f6H8Xehud)CHgJfBBUa6R|q519xzm$+}WIx zLc;@``wJogVvu>2om2P1$KU?zK4^xC$wPW_f~&k3H}iL20YFy(3+OUz-P-;^(^HBp z`{oR?QO#b5cqSMaj$B_NbMa0)$`buWwvtq+%Uk6P%DPMkz^*oDO8-1ncv;Sby=@Z-499+9>{ z%*fg+h5OnEd@p=RwKhU8ZN6k5ne?+_ieb1=;UYo^%+gjvY!C5b)-}Np?DA$%@~8zo z*jyRE%Gy+=pHk)@*J04B)M8jlv54dOJ9Y5}1N@IkZD2Vzwn&xUB4Wo%M9!;nF?8(_@yvXWQa;gks7&_@9h~eEJ6cP z>wQ$`?2lsZci)AxdG&3ZitspJ(5}8{58{HWP$(O_D7+RBwodGsuOI26>Cj!mOsvGupmHXf}n4X z7RjlWr#Tof?ZB_^jGkj3u1+@jUU7xU$tm2I>s|Z}SrolQutdlgm=#Yk&U-2r97*$Q zCp2AWQS?F%UBwGe+sUZ|h9hzcd#f3>QQn(}%=hx#36NJ}^`2M-X!V|5VP4=^hQfd& zO1m06sh%}>(QQvsZwdUf*6`^=5L$}qjI#Z6xa$SPjB?h8tryYF)piEy!e-xt`l;DD zArh4a?6-S|liro;w>PJW_bh9$xWlZ_C5b{a0bhAB?P_npo+ph8{@)htR0{}2h7Kxm zXF#+y9opy;N9w3i8<_JI{YbKWO^uYq6}pXhfsi2CU1d3BjnT)RF#cf+AVPLI+MVG_ z@SuZ=<;?Axe~)U7f(fSwWHqyoWZBHiZ{8bG1e*(9T7A^F`-NAo;GRLQU_|6LMZ1yn z3fS*b22n74ltlTt5Q2kzp461P+V_iEQ`2AW%S`?KpQZ8^ke4gTpm@xD0tbl8Et0-by_;V7)oGTJ9+O6z^sLD6QG)qSNTf(*WyL1=K 
z)ShwkxW(k~$`}6itS9`+LKs2934Uz1fmeOE$Q{%-&>vX)NaY0i0)#eJWvMr*D_+FtmN!a$pE$Mcj3i8BTbRb;EaokJ7mTM$uk_y7~sGFPb zY%z&BM4UglUCu}zM;$?3KlGsSY@q`zTc({LL6bu?;mP>Kbx&N zzvdakIwc2FIrIE>MtoCSUB6y+iGbeF$0Y1gFF-iQt0fbsgP%j<$KSQ7r2jDZq3^qg z-iG0E@OmBdt;3CR{t}m4p7P`_09XQy5Mxs=^%9i7KVl#cJ{fKvpw1Ak9n|2pYA77&I`w@})gO-~i9-ThNW+lKL9W7AL=Qv7 z$jr{7*$$hqcwd?$)~8tF{qEA5c#EZMCVn|aqll}|_jv?jcR#Cem&6Jwgo5B@O&+rc_k zX>Hl?Vc8LbIU&38S{yE!=ef94HySqLROsg6sqxyt(!#(6 zjAyvzLh5NnEil2Fs_>_agV&I!N;~(uVrB2chMM7rjBdovT_m6kO>5sz@{a`DXv&56 z9lWXg<~-h*ztwW_*NBrEZH9CK!Es|mWv$4bzM*>RDP_T)=rtLz4$n#VdMAu7Xa8fFjUyq)$t3s z+Mhjk5{@H^_ebVT>ND>HN_+m*PmY=>qHYpqZjw4r54a@9Ez}OKn-fQ~QY{^Nk$sos zJb82Sp~S2?=D}3866kCz$EkQJpF)q`?pPYW3~cK_u$MO50RR@0Y2Xv7;wNWoup+!A#ivp*W7 z@HW#S1gWSe5Wu~eCrcX~u<$lJYRF^Kc~2Kf&ojeW!y080l})t7yY56Rth3g2oR4#&1;A42tSY#?CT}t*R!^-du)@^1xC~QSe`X0K{l)f@tCF0V z78#6%$t{e@>2Dal)Q)$b#Ye^oPrtZLX3-K@=XDXgsZfD8dzq<$Qh3Cib_K!&2c3K{ zj5Gj{5H%JON_KkT(kkJehNI5HgpXWw&_lV+heTxv7-3g}rTbHKxkaK&#e4$~m{ihn zy56cNS#dgj_+m;?{QH{7*Xmp_lUS8!{LA~{t9r7<=`ymvM^rTahL@24*Mt8%ZK#+K_N)#I!aa#Id`_v9`d0K#Pt2usjZao(X#q?590J>PT8m3wgS{iEEo zL<8WYc`)5S-iEY01C_{56ZgvpX2$W_eJ#obHcr|Vf2=n(LWzN%32?ojn7qOi_sC{T z;$He`zI?3g!C0btW4ohKE+itW)B1R%sYO8oQ<|M9f zY-jtUAvjJ|!CGq9MqXt;+8*Oz63U(Y@esWI=X!t^ClM?>drrB~e1q=uXPQdK7BSt+ z2v!h#XOF<0-M+lD3G7*!p;R^tLk}~JD`#~+CWfeky3?VnJGjc{T#9B&l(g? 
zN&IfEc3}5We~lNTRtTX{skeP&LkLG3cQan)UIxsxPIW+6FvnVt99Uk!%gd)bgZONU zW&s&PMjFh=7?hkQ?X%I>rJ=X;;WtY-C=LDXs`vGBX}Trqg`^=nOtpS&_OHVqXwm!U ze7qRllATKg!9`@)r7rV=d`26T5sW^l!#KbZrUzkGnu8DP=U0ad99JVFZ#z##c9t5w z(oK7m)I-O%1Ez`$pdXSA^i%OWjiN(Gi+w^=1m9hwxUPbNF~B9o{L+ssiy>=gB71kp zcrgJksyv{UO@zJQXEQ%?w;3%tpcHXx*dSB(jrjLf5=-B{V~zdQA2i%02Fo8uUmG~~ zWeXRs4ChMw%rVxl51U83BP^_X(FZ@v51+Sw-9RiP4Ve> zCL=3U2m2n-{sDAA+6L60HR)D54%H;S=Ojd?Q4o8{Vx8Fou*dZ%9V=#C6j)IJBoLR= zA5UJ?y8e1r8#=%w6}lt?Z1U<_p8V%&EWiZ>JJHeal}|R!y#?4G#KWvga6rk1%in$<)RY*d z^wePw^?*Bke|2H${5v}YC|4@}2n;CW(N~v34Z!+d?Icsk0Bp*buFOnjcF4dY=-W02 zk*6`Bzks0{rl^;L!@ zf5Hc*vmWRdkq~CQ%;+`&61$_R9#4!ghz4XyS|LAcdYl0NxPO(Iy0;xjqFvN+lL8b- zy0;#dGI(j7UP4?7c(J!w1mT}+`2KHP0Gd8IOn?+cpllY7ItB;J%_2f#2YASAp;fwl z2SMvS!HRpQ5(@=%>*v>ZUPCu0dx7gI1;Lk613)<*$5EZ)>!bFE1pyKBADO3@+t>ce zMvw|ZPW3J5@Iczgat((fj0=39mIbQZvcA$P^v^2b*o-Q6Oxr_^yIZ_K>4lnA&uJHlq~N+;@2As#lYCTt8$k&QE; zYgIGV^4;B}M;l`r*d;KaGrSJal++4B|K8Wg7Ro1Pls5k0G0TT_LmB*Ly4bNHya3He zXZ^M{kbc_Bp3>VMiMI-9t$da~V7b-`mP7GtJwhJ4jZD-I1L2fp1bc*Q?+)>SKrrp$ z^2ffn^>c6D=oZLY;F2=eC)at;H z}{Z-c#6a#nw&-pA@^Pas?EVTqi5v&IGa| z|Ms9%WYK^>-wVFEVn$0VgNGGt4|syzYI)!H%S)X%`Lj)aT39wmgI-JIJjH zR~l1)Q9V%p5xJ0=4v7_SJ>Aptu{N^_Ce=#r+@h}~T05WiVrQl7O`ZQqH@Yg&=>bGnW{9wHHX>d&dHT%yv(nx`~) z3L1<}PCz5JmOITvEV=+Nj{D=t*+KpOAd13qZ4EepD}ciJzo883)Q;c^RzaN!)CfQw zLL%tU{r>oyOl+H1{}Kr&Xx!Z!H?!3M^=D_$UDh8+42RLHN}4w+A(g{#GDN-6lmDaI zE%F8afUO3CQ{5b}|3*OtrNYdD0&ZP+HyCiY4!(k%2D?)1jS!CFZ)ld^ou4P)pLufV z708Z)ji%0w*;bzc3P3vHiRjm7K`qkF1#Sv{{qW$K@!LBl=jSJ$K0@XfN|fb*L;2?PEE!ljczTehkEJMuMNx!h^Xz0c3z2vssxjF`QGGgMr#oc@|`Q}{f7h-H|W#$l&^ zfPj&s0mq#7ZeO|@3;s*vd(dn)rgK^p1TMKf15DFDSW?61f5M0oZEV)@2Wj*Dsw#{l zbpngUbI9O;g?Gjd zlLqKifXnA7pDGhem_s(q{edX86$uGU*&W18xr2pxsn`+B57hat3F5*8>jp~eZ;5S*Z-!uIR74D`c8j0;l48V-fO&V zbf0`n=jMb`Ah9+Zu@kC@tM5b??Z#a(od@oIKJ22!D{~BdrOu#VqMp{(hDWi$f^N^J z$Z|riMWJ!rWb&?77MxQfv16cuciQnZ{*tSsRHDItzCPQqvr<*LU!jCi)`dnp3^7lY)bH~LUUd+P{Z!OfOd41Q~Dr>8V61pfc$eNG;aZwugNkzjZQ6&@ze$U2rE-L!1 
z=LtfZ?zoe&iDd{KpP44bNe$?5f>>((i7IqhW*JMs1rhB#;+&x;sM`cH$f0hpAJ5uk zr)7K-a0Wq4;gZE|$qw#J54`_97=vh@GOfx7-6yaaU^FTny4oL5ETz4>=T-^axcP`l zrInNjHA8Jl2Ze5rk=B;bXINg?2cxmrAJHX5f_L8QYp|v6Kt#U(J^aNFLRg*A5?}rY zUtT6r2rm)_0WJt1d8JvEjmCzud1O;L^+KvUEXz|J0-dyQQEHY=gsaNL1vM_ns^f$^ zk@8XzBDdCJ{S_i$d45|Ez_RTDUpZsk3vgsLLD+B`FJ`t@8GJ!i;hq6PAb7Yx)xw7O zCN~-JH9;^^LL-ZMMx6CVd(x-{TOI1lH92N5`Z%-Om|E@&dRf--dg!;pjwPcIG1#6 zX`iKv$P23_z970a*h<0qxUY|WGoscGP5}Xd&s+o9Khb*@^j!eO4iES@CPrG{0YdPF zX?3ju1q+l0XUPQB^ls9;%%rLTGtJ*13Rc2$+Jt~%y759UUelLBj=+q8vaTz=)A8nR zy(N!TiNW4Qvp!rF!`aZ2U;PmzY}p`t4jH>klU{Qo1jWv zG_z<-a;RplwY4gCKIPAwtcwtVa>O>aw>JI&P_sr56|>kC-&jDlc8|~ULj^^)-4I-4 z6AV8y5qcx(DG6f`7-4y&v=HH+C1l-L= zHBe~?BD5-jSJL6bKJzsP;-SIz@j zUK?Y)7QkAKR1!1Y&=<81HoZmGqR&7ac%8qC^YVs#|Jxg4gHj-d^_mIPF+n&TR13rT zCq|;SMkWp6Y~mJP&R}^g-y!V`pU+FfZ3A@mZDddI>26PEv^B`SR5rZc6Ce?{s#*^3 zC~3=?li>1mKBme1BgUNJRr=z~wAj?auHQb0C30QpJQ4uCk&|W#R9lpBx?MRCjyUM{ zq#EezYN{eJ`NAosN@Sl_{59AjArdn3asbI|SrY>`Ef-M+uxN2RWVKU`Z^A`B17Py` zj5H97w+;i*cb@B@=p~UwjjfsdX1Fb?=r+=8!G+Cj-u5Gn6^gK@m%$FvKQ4X%^;MR@ zKLa9x#%g5(jyj4O*^H--iNpc?xVej+YGcolFElPcb2Ld)t->>{z%1R&QWLOfSWbPh zO^Edaoj@m|`~gV#MnTAzdLjeni(V6V&uIn&a=@zU`lw*5JH}Dp)*sZ*zFg{B1rGck zjmKLngTHg*+SBh})4vzu2f3N#_UvWD6#+nv{&_!e$rMuJCN(UckbDFo@K06bfH4TI zZ2@wv!mvx$SMTqEI~y~8_m{fj``==V^L#bXgx)BEl>X^S+b4ompIAsKkZRz=R3a_j z0&s%Q29#U=vkAg}SQx`LlwyY^92EYn43lp8Y0U5yr$}r;Nf<_R7Xr zJnqlFY)NE1NyV#5w*Rmc)>amys9i~!e|T_*T?sT?gO0J_>FO2q}h-VoDI3Npk&eDkee8`V$kr; z`s%e4JHNgH!9Oc>CF-ztkW>@h;yDNfkwz|H&HqoY5(QcbvX9Tm6b7z-vCS~q^zHrh zDm2YdB0Jrx!F%B5iDSK`kJAO#O_^WIv6HX($_!>Kn}AZNuL{H}p{0o3{62d3H*e9QZPL<3w!WMqd> znquOmSqulQfml+&zx@CYCg73Xlpt`7g#V}__!p%96emR-IRN6C#Zv!^?*89&1;`N@ zDPfZ;OavQE_~8Pk)qi7m)lt9%?J}`I$tX~e9%WE0(zf+i-14yPc=XO)n2-Pjga(v{ z(ua*eefDw;|2^OW5X(Owh;qT7EEQnsig}2Iz#F=_PqVMx1kbc!;`6Y`gpzW$RM z3&BXvT>+=Sf#AkLGbKF<|L%N?1boD-*vJ171Q9X)C$$F;?;?O!-d=Vp3dl78@F0Lz zp8vc5ScvHPPf7qlv;Of>-%>bZ)I9i5!k6H8r`tWY6;Hk{s006tX!pW;L!NY4dg4yYdaLhyFkqMeJn 
zA~>g3f*E{dz+QIR;MaYNE%ImF;VT3TAz?Ln17E{odEw8Zh?uS*zTyD}@Vc!Sc4{BshNR=Yi^n%O9``80+69umP=9p4Co{V_z1Kv_T5+d;b-evp}mT!0#PT zvu|6<#F{*IJ#0^exMv1<;Vs#)AkvdA2rOw1C+1I|fZm5&zzM)?z>B$Z_Ri35eyq&g zF1VDLIczxj9qHBXn9OMj9QJiB)czBT0{0|f+HsmSQTr`sw`0yO@oRw;fZYO<)Qqhp z3@)xj^e||B07<=F7G#b4o$OaSAfW{QnUJ-hs$}95s;Wyl4)~WGzW^_CJNw`%Qd#ct zATSqz4(r_wsJ#h}kYa}qI(%fqc7X4|~jLlX8R{muylCUpGxoKp-o7ZxJN58|7RLEWJn*bk09aD}Y zIUnTXG*#t~^)-9Ffcy*cAA0Ny23;Zl!5Swm@aVe)$WYONCvU;&rJ~FTkgZ1>z16n6 z*t=Lw17`XEn2Y)Io_Ya{v}EoxYc6Iu`CCHSDqqMDcw{nQ=3e<{?ns_ZY^|A%-fS@S z4gnQRym|Q-=nM0ZSf6RF84L={Xm}F)brb~6tWs4~>|yx|!rThqSS&*{^q$_- zRF|F7g3aXG4r}&lJ}B|om)`r4)5>dO_lk*qH9FgLAi=vw>lwArl?m&bz-Koeco#l$ z{igq2LG0G}XBflzQ8^KJ|F0xB9NEL;`0bTx&@Hya2bc6ay5lEC$-r7LRht}tNs ztMbokm1pMN2iw{3cg*RBZ#RMrQ8GS%Y5GDRL_BJHmpk}WT(+ACXAO7ggcnMpe5Yu% z^oTaVV^PzhZbjq1d6gz8ptxlXlze_*;{18$Av7gq<7@Y*--4r8z{H@})+dGg(6udJ zt-5Keof10N0s!`6IDzsBh1W=9^;MM@D4&5e@~7`*-XC!9iy;a?gZt?xG2d2F6o&g^ zo2a$IpV1A}HF)=bCNt|*qp^1S)34$wKY=5O{A7YIINjT{C=6P^6<+jR;F!_lP1wa* zN^p=BaQN$3F+ zwGaX92u-zlCf4*k&w;F+@G!~x%5hy9g^K&Un76ZNqmB8`!Xol_lp~pH4~9baCSC>@ zmYwR*SV_%rxeVT6V`lzq)y>6k@H6n5cy+>9xsO(QWATJc*tuu!PM5d5$o-~Z|D8B1 z5VsUMn^D<5v*w(|}(etB1&vgE(UamBBQGxt^IWe=0%7?8f?n1`1 zJC7-cw-eaSY;KYL3Q%&d%Ws;?et31Qw`n_!&1E<*GXlQXYn|_zEkA3i-uP%exNRtN zk!(nPw5L>9mTTzQg!bXq=d4(wHCX|~Sf2C#gq&gdL(lcm;`qUQ5z$@lUlD}m4KmXT zECV)q0y^}jdR{;M<}XURT9mGAWsp4c>x*R$!2;1@3?BPdJ5gH6J-|dwaRCD_ZvR0K zYvAWtfPtr9#@M8yxUd$kB{d6XwPy3e`TV&_t;bg*!}`0Nxrc)Tqub%}qiuec0bU(v z8kNDPB@KH;desrvv-C?VPJ=fRDK^(eqHy$?W8ER=`djghT{Yn4*!wZafHaDEUQB|H!5yg)Q z3EI2eP^W7q<@Gyf=Fa+EUYqwtKSPe#!Kx<5hMMC8P1IN)`G`WCefHhKA59-e(|_#= z)b??w=AUle4)9lH4%i8=+&hnrh4(SBya`vCOxEEjcD3j$lrXFHOG$2-EK#~?aXz}N zu`#>s&78mG&2D`%{hnj#B>mcas2yQL$$8gz4-ffy1AJpAvIuNd0ki zPwByIf`9@QfRM0m;@|(U+{Di)H&>$;3}e5k+wBch1&0-Ts)FgJFos(9jv;d8iTKXV z3^jVuVm5X@)elwjfz}p&>#%k_Qhbv@!AM(YBHfE3X^s|By z*I30jM4iTN6spYygPcM5nh3h-ulIm%=(JsdE_@)R5^!k>G&SI$aiv{`?yx2*|I=mXftZ+>2)x0~jb-p@kd3#87H->-{m 
zPgKko*A~0dm>5?~{$wgl{Zs12E@az+r6YV22A~7hWB>Cf{2q`qp{KV~LQ-ymkU${i z-W>vDRppexkPLBpQ_%bLS6n2T&Hb7;WdOwu% zYjrdktQw99GE<>o^0VHF>UiU5l^K2R4G&NZ)%PHtVEy-_0AGYlVoxI(uP}Q{3VRx4 z8sIb#o-9kv4WY?ion!C_L{#xy>+xMNCg${GKl8@+rMKp3u+fcVX~VZ(_sfhIxj0j$ zv_SSJck;}s;pLkd!{QP>hw}%r`W;U%7pIUNBZ+V*{S8 zc^2kEa2plmcfoD=(lv;)NJ(Agv#CFQ)~D3zo9Q-Bj8HP0?^2uoHcpT39Zv7f41V4) z2OTJH&3ks<*+cz)pLKf)x!`GJ*P&OrBZq=AA&$}hAi5I93Wqv9ELgaN#IGO|C!HPR zl756spel?FI(vi!anNFIc_v%0suwgXtwKzaRVR(dl&s^t5dn5*(Xd^ThrL|#GYX&K zH!=e86wb9Zjqg!q{2Wg5&QzxvgpVgdV$nY8;>FALfBcktY$HpVD^~QWg>2Z3?l$vm zA1`&a`%qGQneb<)6F8n|bbCp>kzT|{N>-XTP(S9L(SPSMz$cN>s?t3v6MF9f#gWk% zXvR3cKp3PIDZ6Ms82u|x)kC_~+3TPM75X9gkFgWBu=7~gP(arB) zb6{LV`C^muxd5LZ1cvmi;A6pstFn^)l8pPv?1oltv)%@($Y1QCD{SShH^yH3w{ORZ z;MNbW*;gr2UyxAL)mOEhEqMCAc+{lP0*oL&dNzTSDM8@v!< zKqF%}m{P>3hBViHAR3kdye| zxB%jbJxNrS8dV-ctLxk`HX{;Y(5+RoiE?vfxoz&7kL0^YfycG)Ha0;v_-8Tc%lC%Y z317n3oS$H`QBj;@n}xSZusJr2%c$jY`&=rD9?0~}2;mElJNQTv%ir1Kt&sC`3vr*L zv^Yp*s&oTvM%@07X?Y+#bM}kH#$VA~kEvR%R!OvG>Q``;y&i8T9?gz8vSQC z4&dRLb2;{Mx|QU~+4Vfoo2Df0aAssVOu=^Gk` zW-dYb7lX9xV;}6NV0qLyo0DY~6=%1SpYc938_J*??+3aO`sbkHw91ZgmCo`TcgBa! 
zzeVoW`|b|6?hqpFWm9E2c%VWX5o``{tenR213B#)NA5ekKtT%ocxX9%({R!+&HUT6 zY1j;zLP5G!^d_%gkD^C1dgg^KLv}=~K%rEvti_>xE0jlo7=a zXiXp9lLJS=5XFtJAF}1j`-PiK_i%%c<59ZY2`SgzukO>|s}#|NZf> zWpAinp*OC5*7;{-i?L<#L}aw(>a_JrXXNb?_c8~=n$x7cI=vs3b-qn{KN>ZCAB5`e zt(+ISUZwV}ejk}|_e;$9YHRB+lhXzy9DQ{@xGG8o{k7wHmH+36+DV#ul56T(bLQrV zAkY}AUy#$PzD55RO~Fn-QO*Wxgz;V~XU8LJk2@PD3k++fLod$qYAa6W$E8ZlCclq9 zxA@gXT-NSU+*5dm=ZNe?f*>-?^v+sMI1XA(YeMtHqtm3Wznj>h^(V|ep*w+b(U?s@9AMy1x%4f?(e-WQa-dA0-r$nde5NfDw;7gO;IQVe{hBT^CMCly~8%3CdQD}5A-P4hdF1;TZ zPgdT&uq}5hvn)?fq#IRMwaJ`xWzL_1!~(Jm|@n^r(XtGuYW7AbLu;_&67lz z4i~g(x1OB41O%M3j}~pcWu28nFzr)$a)997kAlYVBJv6W^3|u)H#7Pd$ICNtkrOPr zsW8)uV&VBP=XFzT7!Xd&jX6?IB)cvwyn(-yo7l+e7^}gOhD~`SR9uOWS;DbHJ(A%s zwuQ62rDW6_E4m#|H3I_r$QPa`1BZY;PQW0YCu(L^$5?{H40My7qNhM&Au9Si_G6_G z8r&O9>30EeP5j`0jRPPevqW%AW>i=7(0Z_KJPYks) z^q_LkPEf)xYc=XD$kfc{*2Mv=yMvc`fC0F04um+gm8RoX&lL>}Ayod!Wvx`53ahP- zpylM<3<>yg@O`X6B851#0ofnCc&LKfjz(W|wYispSP;9$d8OMUUGZNUj%Bw1Tnc>C zEdr#03ne!_D3P;-zs9P;7#XWD%SWslU<*%ORF|mivwu)obqv<&BrZ8QUcRdX;9TSW zvaZ0pXu-P@5ie@aLxbTe!+XeoK~lg2({f_e@(uFb6E9QY0-z-Z3Q^4{S`bW$e#Fhl zzG`*}u6g_mTm!BQfaI^m9zRLK!d8l7SAmh*h)tydrLbe|k5i~UucgOWz3c>2p)SiU z9CjHH8lPJaYeg>IU?6aVs%MBjm_s6PgS7PeHo8`z8`C8K{SOF_!b!wxK98>WC6s8O z2M*~qv$Bn1A~`rD$1D8<@%)!DuLSrl*!oi{$^e+nYu$YxFP+N<0dOt{D!oK;B0ygq z-4z3*9$rRHi-5>@S<9rju8B&Jej)jl_7atl12^|P6h8neatrmzDUpOnn7a}bN8ZWK z{GV|N3;0jN{`T$eb-iF0zPC84C8jZV3NHzLk~LaBk7$roiNPPH_*2|iC_&j|kmc!r zd(<}gA?B86xz~%+-^)j}n+p0qk9T7vwk(+nmOEVyWpyy$*~;1 zILK}eS%|XAlG4J610(KNrZ4cSM6b|h9Bd6sjDX{5mh#UFaiZJ5wuodRpxs z=9nKG@H@`xpv`UNyC_x3{FN6gjS= zCnApyQZuVsUyI{@YO58g5X+Ye(d?f?mcDnN*ZHUu%2gr$NCB+JVhi_~+xW$-Uf{NG zJ7Nl2DZYtUWp4eV)5ymia{4<{3T+@>pVzSo322pVvWw;z^GM~vI1i_ru(-?L*u8&$ zcDEAMbNFjc)7O2Lr!7w^zXF0+T&K19cW-qKKygw$UIsK1j{T8Vh=mz?Isy7;L+|r~ zn3+PWWEFy*{w?xJ`1JTsmBK}aAiddur%PC7P0CQJcz$3MZcLqFKK4M;E)PUtC_d-n z>A0Y9to+~q!QNL#RlT+A0)ljRFHk^Qy1PRD%~O72uLU)NJ)1J zOJb3NcP{t$opbIO=Ztahxc}aN_TFQS!P@Kh{^oq=JD=x$pGWJ}ik_-VM{9QA#UbX8 
zw&(FSBfe!E3oS}mrWOy49|tnawc8uT{cV!U-qHsBzLajLqa_Wi6Qkaa+Dgm89&sF| zO$uKO%lEIH!7agA!`%PQxJ=P64mjTn&*Z?$VC zXusTJY5nilMBpRr+(VNYwdN+=!Z2>S#gy@`4Bw^=ix5`L>-E8)U(4nq=UduaSjHdK z{aSC9*J7(*hgtcr+P+F>`y$r9{PvwLUFw4v$z=L2Db_#j%*{lz{`eG`{f#=!r;F=e zys&pH)3bFY+Z;)4xUQP+@Gy?mRh^q`ScX@HMT#a~FyznIcP6T7Tr3y30Y>gyV_BQN zW{C+ZnZlQKg zW5_JxeS1(dEV1;IP4Tj(8%fA(or0-nnfN28P>Fe0QtQ z)N1?I=d1CduNBL0C%4#`S_95*AKT8T>2$x0!#LugbBqJ)vT5jUforG#GK(1f%$cPk zojc7(>UJ+Y@f$QGo9STdqu<4vjjOn1ig%t$lLiVxu&iEXb{5Q=eGPr!Ao&&zzY)gz=EeJ=3AzM)oB zksY=vqviRcUQEoANpZW?jlBG0)X`h~|`GCUd9 z7C!m@sY#3*p8OVmW!&aHIawi>OuwTne7FfurPmeC3svV3@F6s?L?(2v1;biUO*`$JQ2K+Gx?Y94)@-n>AoGd96&y zV+)iZ`KV22p8V8J94?HBVRfoUr}q~>HUe?CqMDCTK&~9|6r2?bO6Oggzqd0R!L~tXodwp-$4L>jM7$?cu1`Y)wu*Lac0-R; zA{EUn2Cw!!U=h5}er3EbxL1L0d%H@&Y58LIqs&%lEPDgeMQ=qGs)0KQL_ixK^4?WfN}%XhgEJnd*3{unuQb_t{S#@eR+Y^e}^}UU2Vv9#OM`qbjCtHLQpf zMcxTpI7rpVBq(^Zmge*`ftdT{1LKblxv)Rf8yd3Zc?;i(by9W0~!Z`G2GP-cQ^Pvl10 zzf3zaJ?~}hISh8n@@(lWo^P-`jYer+hIje;DE~zIkc?tlOW5+uhiiY4Z-ej%kyl}@ z@)B(2tL=7F@dwhWiK- ziU%bkY*v3A4=?)$G9OB&IOm``BQE4ATp*EpK5#-LQu%D^Q~R`D1+|9*p%K{IeSNUh z)EW+=e#g)_8&Lcfg^nlVkQsfzaKreG5B8KYfFhc0zIeVP;n0)+tP^mN(;R{2)^f6T zFJO2bt=_i3g{8>4IUpHGy|0pdP0?o4FZ&S5@#mxWH2Y*tfK%fhD0#S8y@I@LueM)H zlq612zH2}#S+dd1$N$>Z%3X!|JQP9`y!F))ORec^P&h+>&-aqxG};>=#1s5#ARC3I zMZZ;~hKPaT;r>XOavM_m!phj4Dl%6gq4Lw%xVFddj|mJ>g)atRivedtEWAIv=sx<) z;{J7)h-VWGz7rSYEEHPgeQ1M{*M^8%T*P%zP8KN!Ls;!D`9lD|0!7G zV_;_EzE;1sT(lsGjY3p~ZDLnMQQbH$+~1<<8yMNDs4;ZQ!C~%^>8UWd7M-36lA}*{ zY;@6$rPT5aY<@=ORvMS#)V%am_6}73sc$~$#NgaGTIhj7(AWz_8EL&d7P^>E|M_f#_Nfv%ycZa8{NYsXoI-G6@!f3B&P1pHId}o zl;~+S)djJDFBzEMxgF+Nd)Aa}W=!_$#Up)VKC7nBG&9*j0eZ7Mw6yQs-VC{Sq}W)Lseb#qV4_D`!q7AA2@s=yFcgJw8=V}jG2JFyF=8vNYVL=CpPmx zKdX!-_?ObFhst$O_v=%O1i$j!_4i2@qzkc$9LYXWRtCc|1TNzEiykG5Go`Jd){rJb z#yfgfTO3ikt$r4|(LlNY4voSdxI$o7z8GqnOU(`M6loj7a~xr#eTJi~rck*VEvVZ# zmk|SIBlW{QDc)`_lQwC`StmwY_GPNc-N3sambP$%s_hp#ZKh15q32hIg5?x0cb_dn z?yM61TvVA&At{xcW$v%6%;*BRF}b zHp7xj8#0(4^w5Dq)Gpa`Pel5*IOQ?F)3i3?j&+MWjQ<7|Sq1A&rF42<9?e@Zlc^+F 
z_lp!x$QRci)Ad809>!(t5|?@kPJlx9hBsF* z`6RU*E1B~Bs%!1fzQ$g*qmLuTQ!6XW$I(QjYs+P5EqNi=GLHHkGSwaXA-t}~^YRB0 zM(a!FCEkO8~ti@d44r@Ule_0JLA4Xp;3pkue?*&sx>ux7^l?X?stsVLhtvXk5wR$Rfb4L85!8__L zn~Apf;bOV^*bOdC(L5G&&zkL0sp9i62aI$r1Vah|qO2Vn#*L}nMde?X+k(D|4*UCg z`vvdapSCw^&^N7K^h@oz+`wNM&N2~F-YRbld{GIsW3@uSMVQxJi+(tpsp6V;wt3nR z{pU3vP1#*5>#3b2L*naTY1+vyHF`?;(3A~14Jo^!CJCOl%3yEbpJ1zP+2?bWjiPBN z*;#~_HC*Ig|0UY4@$R!GdXcn-OGkF0Wq7=_Z&jzwcg>W^;fde5LYa9* zSI_*5bvZe`;sP8>-corKpA{if*v}{QXnFf1}AU#RZ zT8q2OL!s6#WuCpof^PR1FOxUO<^DfV%Db`CUudT}hrQ}XquGbhS%7Qkw4p3CkpN8_ zD3Z}eg&cVNmpm(QaR=YYV|z!qeew27;oi7f%J!jbcajm`Gy?u67XZP{B!(|VCeG*v zIr;Qw4JchL&Ti}8gmv9hx|~^6(Cyg!Z)5s@iF^9>gdA>=yPxWT(c#}}&#rs#x%&hR zIACoBw_FaeGNzl-s!nH=_O%KzM<;=fO8@BiaxDkwTE?4)ZllRD?O)E&yH6G$kNt;McQ=nrZ)q3^aT#5<&;j@OR98 zE-;(`benEhVC+GxUDM8g)pn%M!Kac?aYUKa_)&F}mT!g}u66jJ0@yFkG!h$$r z@IqX=FRNjlZO^F^pz04@pQoRq)hUCMH~qYmMM;eHihU-J<{)W*bN2{v?`& zf8GcOh@Wz^;)p)4$VD}1EVCQ&|9l~Nr<{-{OzBbSD|3Wl>ZgFWvS?!3=I!vX>Zp`> z^3w!I&&xx?NrHf`*KWaN=}Y3)wP@-QA1G%rRu~Wn9s={=lwV{Z@x`@W+<#-NMoGW+w`18c{lPS;)H zllk%&yte!NtQKA2U}&7(JL9T`_}{$%kYm+e#$Q0vptRNJ*ZVM?^KDsP`|Drt59KS6 z21R&wzbQUJ)AeA4#gecf+rOz>RC;BuUwQ zVr{ImHt-+_CVzFA(g!?`6~iBfVPoi(8)^7^ysFf8GyI)wD3<;%NhKwZe+9ECqZqa8YMVMwz}iye7EWD# z{VAZAw7R7#FlwB0f9TGTN$LD+imfzu%cd*7q(H0@K`M25>>9G@FL<(m&8o-AjHSkJ8F6U6`95Z zNmVK#CvGsmC4l%X+o-P=wT5=0MYUZXz2)BQ`jv}8sc&jnY1o{$7;-_2=)%Kt!$U;n zx=y*{(rtTLT!HF~Sinlr0;}r>5=?-S#%7CjJt076Z6%5)L&W1eo_-7wk0wMs44XBc zQ2J_mR4Y9}hAWGKaswX~p{XIaggWCer=%F41Hr_^+!p&p_B~rVKGKobQ43wA^r_%~ z{F0xOR~lvJWucxfD;X%J6eu)#^>e|2z3&3J+d8rz_q#c-kTX|T_jp~|em&3}_PTN( zdRh0&^9ODnf^dEB-qPL{xRvLQPuSK5&>csY_n2-n-hbsCgK2_uKt+ zROl;k&@KW>9oyU-ubwUfS#N~)mECwQ=Te)OT1swAJ*MaB=QpC4URSA!*3rVsA{5dsTE(RV&^uHt_oi;hhQrm zEFLH#j<#cxG)LTw+yK@dG&<3-*g7E=cZp2L?|S9ALuc8DEQDuKo&z4+b_$_i)Wiw) z>_*~bqm!X=S70lVwrV;TCqfS+@MM_9efJv!LJvdy_U!v4P(?Z=CuibRJYasDjfO86 z0W^@+ylo)T`||WMlX`8!vH2Bm_e^i?!spdj-Z%E0bS8Nxr*jKMJwf0png0H`(>)tpO{i 
zX5-(#dyOx{%x~&vf?@M3r(Lj<6?-hVJIW|eRJ4{izpli89HsZL$vpIk5ha?{vlbAfk$!f-q5jFnpX4VP|)fqQS3 z@NB`I-Fv7>kkw-pnxOnYS8wK&cF#c&hyvsfTP4wi16l@*ijYd^Yje26Dh#TUfgryT zFgM`>+(qm7SP1aqn*`R=doxv8uYth&AKd7PbpYT!7*1g^)D8;cXUC?KcPIi=xCHgc zwA9rkdd(cZDB(N5B3u_+7{DNH%@)5omv1lM`?Jn#VWmvilP@UQUB*e5X+#SbI-%_X z=wOYXi@QneXX#o6GdRE4Tzsi#bt4ZZt20=_&H*O$z8^&#I2VQXaL~Bys67KxT{frN zqaOnq?`sX_@xB@x;j3AAFxlH3+u9XM3{%F_v_&cIFY zP4lw98gPnW1|#07U`TqHZ(O`UUP6;+Wd9{XA*SPafcj(Lm3t~%z)p_OmwWi)5TFE+ z1}y&iP3KA2f-l$5--&va105N;UyRUeZvxU797-bgb$ocgVmwt*|4`7)IV@6>?@m|Iukq>o7JQyIvhJgdN z%%KT$(kCTQ2!xt4B!(5HNAfeLzG4C$R8cL-SjYWwC-|d+cl^N~Qg|g@rgCnRW-8 zjS_NT@o+Qz&O8KOY$?FMsk{{!bO(6-DeZ&~$zi;Fp!oU?clU3d^P{DTZ7+~WY=5nO zO6Ijywe8KG1&cNftPx|$t4(6KGeVYS^Z@vm4rI>WZBvqqcVSLk48SK0@?gprov{o( z#1oBU}|KY?+NM=wzthrq)!mr|dATmpu}4X6G9Q!#qA z(ol>DNtx`>M-io6KoeIP$Sm3}w!GwNP8dI?jD*bH0f`^Ir8?jpRZe2+aSuf|GyrT5 z+mp@Vau>R4p1@1DRI=xdAz_bwA`mat`u8Wy*Wl|}qOi#g!l_a9oqdsCk`8j1wduub z*4_da!$&e$9^>hN`^3p-Lp2x?8Nr6?5yT{E#5)!lD;#jF_(b<0Rt`u zaLU=RZ?=L{+S!6HGKrij^edRbT6l|?Xy3^X`E%#!0(8@qcLwYcc%>dNvXm0vXolGw2ql5WDzm`Wmd+5&TNX^f`GsATfp$|G* z&?o(YU~>K&h_}S`ZUIk;M#f{A*r!l_xlMek{xHx<`4vbEp(RNREhC<1o(mep_kY z+4f2@{0+1TXvKR;$P4>nyFnd$B?4Tu2$lb!SkiGJ<7H7lY{2Z>ohY!L^Nsn9?haG7 zSL9y+6{|i;#t(@4Auz5ZumobrE^sFcfz=K`>QaOs4`xRbfZ#s$;@W;Bzb^Pb&PSwjGwv{iWBsdrnd^r-=P1vi27TC)lYA1o%7j&@GDi{kl3LIG9f0}f zGik^v$5F`Hu6CHTTXr8Ql>Eb2g|ANT)+J?3Qc|v&=Mj3>H@jNj`Ra(R!ETS*(}hdDZ)D?TSaO0 zk$=NrHA<2?a==)00?gd?8A)~GCMq%9iXY)1kBGe>-OE>A$rf-*du3YhZYEzZGXf_` z8I@$jI!aQa(=Pj{{2}Un+!b=ztk^B^O6Zrt@UiRbWOzk1;h5_|u~$Vvr7MH=DpjAhT-iB|7q$k6nkM%#aN+z1~OV!d9TlN5ckBQ_c2`WPjlp zyVrEUde4VNFm1Sp@>YZjn=?H?VFgJTi8G{#XD_Nvgg`!5_8$ zW_Gg)1HmGCpM4GX(~65Hn9Ne~BOIX+o288|7#QVcDC#Sc)cfJAP3mf<1s1zuX> zF|B_u;Xu1uiSy6Ic32aFZ(&Ew=wBl*z=@!)-x)X{^VnX+M2?TFx`S@KQ%_=dX$zr1 z=Z7GaJgD%Sr8OGV$RY@?&w-5R{gOt9oUk=oPXps2fr*wg9ph^dGxRY0AlX8_k2b@4 zovm#8<&Ox*3{h!b!5_p=)q~)Hqg9uq)-u9JPL(ZE73^ol1RBa6--=soo2C|^bHBN) zZHPbNK%l{}ozGxPEbv|YyG|8&?tqLq10C)v)7eV&jBgZ{9;ksHiP2OZ;}RFyL@VD2 
z;$ws5pb^h@Xpv*awYx{1q0w@x=RjYiNKjw7)X$|i^y=tGtsB^tLn)+x>drb}1~p9Y zEMylX?FSIch1QD-W*i#?LJ~l{4(UB_%z#}#O<%_^yhc3{RZom)jJ^H$!H+h@~}F$afRhMBDP z4pyB1&!b&Rbyb-XZkpl3eCck)!qrMIxjB6u2%E zx*3?GBxziORZ}q~4U5j<6!Y9APzpU*Xs&_CeyK;B?3T8Rqeg9c2BTd(#ue`8n39p> z9VLgj?^8JNhxe!W9LuKf?dsngqyPV4H#iDC~9o z&PWN2w9(qj>Iy`z+3vw?K{GFJa=s?c1vAcBtZCx4#nv&@4bdFP_x$ftyCQ;u{YL}M zmw8K`KishZDy<@~gBewd&|UAV6I&)_2qR8!n!VgUO@6pK^3gy%wdxybPlOk)HSG=1 z3#_2kVsQD?mAWzC=v3l8BA@w)F&c9H4!11kQ3pOUBL!%Ipre3L5ya7t+a0;>(IW4t zg<=^9g!n$va z)AN;8cJMZW6-e(DQERQ!#IFOuq^>?zj(jEo)_4iuHp(A&w!ZdkOA;B`7a?qZ+ z!zpKiZf$lv4-zlXS&VkFi5kKY1mgso^5*SS>GmRt-nF^UH6l>I`9Pphg{zh15Bu<&1wuvv9{Ngi za68OLRwcF=p-LsG5CHX(anJN-_qa zzaphy2zqQ_Kx4+mPjS#%r0KE=5{keEEx6~`^SsS6*LCClcm_cKY*WPeQ7{zMUy`R zIl1p{_F8Da?E@Y5Hd4Rv$UWz~uptQyYlmIxNsYQ6DBBN@(7NT8^Mq0`vcq1eHr`r^1OVL;3inA5)+SKD?P}S3@)2GC}RktIhGWBis5v<@c%l&hBN z?GvS)WiuHBQA10uzzKs$18HuUZg#p%*S7$rehR_wp~7HYzh?MiH73Ks zx3K;>F17R(Pgq8rM<7sNr}Mxqt0;AX`h}i-2iD>$;J#@6)3}pMBh={iDMPVk3VI>S z1rVGsmdvrIUjfpe8OoX+xLj5zKL!*KIH z&uPj5TD#fxgE5__PaqU|6hq87n{=%J!+Mfw4HO}^Um{S3#}+7XKCc1=F5g9A$D>_7 za&a)o#iL7HlK$xuq^?*#1DAF%(cb(QO8ayPaDZ$v0}M9_$Ef6+1OT|6W@v|g$Db=l znr%BJcs^Gc&n7sYc7_24ek{nw{S2|TyHhjwU|b?BzX{iOAitECo=#p|+3A$nMfryP zXC0@2!+*UDrQAn#<)>H)(EM=!Ba>rRdC3<=lw(3=V25QY(XOad+#zAEj4q^^W`hJU*ly&HNG^OEP`G;Rd+J$7bQ~Clbi!`RlPf*_i|QEl{6{-zJ16AjUhb%o4EX+$+ zbd{Q$+2H5M&gQ(7D32>V{fP*J`rj}B_l#7jtedKaAn)4O6g;MM0hJ#J1@yH-VjOrl zP^-;5*#K;Da&F?PTE6f{U{Z4hd%rE4SjJLqlEt!Q8c1tWh}|W;J(bE!PK_H>JK1d3 z4n1X*Udbw?kMMQXNQVWz?0IBd>s$4jj?VxP3xl3hL)jX2N7n!r`*Lv(ThaU?o?%g( z5HQV6Dx?U?tbHFNGp|stydijLMYIG*4ghyKGKg;(L5mq33ZiB}KOurv(2ICKz27OK zlHUYNiHJ$qgAs5>M@hGNJ}*))%b%>&#`U}VvCUwX;=%YZQ02&Giki)&t%cvW@FULd z_fM0zJSbyQ%#!wZl&xzRIbGyQZp6hLZ%SVTZ2fG_TXMVkSrCu+=7uzd-&syzh3wJd&N-X@{LZDsa9Qy41~kDzy($e36^ZuS`StLa zE}>eH-U2`mo&imlk~~&~)^$s|^uubUC9$Uy5vxktUs?JYD&xyf zax2txG;0%pf4m0#zwe*0gR2@f=k)n zKi_x6gowsP0vV8edJRhd8qTeqT=~cwmYB z(0+JnfKnWasS$#R4IT;WLZ$m>1!{v8m=0Fp0b&K_NPl_TtoBYvp~$@I74PNN 
z7_vp42jepvm21?Il8;4kDiLj|w$dvJX-5KoA1kd`FA_~vCx zT&N}6ea<@7gs5$+N5eQ7HKpJg4GvES|6mRfx{!gyQp?|8E&50gq?WbvwWiK`)5Q6N zIYM#@KBubv!MSCDsXr;V_WVj`9I>82-|{XDXOrnyed~(qf<5{$@NV3yi;gb@nz7en z@^O|dZnxK7v9DewPtbR8muS!>A$D=O9xEq2!lRd{7%GZ!`W#5$p4<)jZ2jggiNE5P zNoMKhl(`Q8>0HLZvE=OsB(GpW$En&MS1SZ~{YQ*g4XZmgf&KGy*>y8xW^l(w+X}ep zo-+JrpVRMNn1YRT78@KhlZqa>PAtM=Dze$+oq3>bax6L^40c2e_|d^V252oST;@r= zwpm{n{jduGR(LHY8^@!oYx0);L_ zmj1m#h%F5Pd)w74pqu>$pN6-KLq*}uLxLFT&serwttHedF*CSCg&T^<2~LSa8Nb3V z<;P-&GKfDcGR+oz_~vomiby&1h?HXzgh?ZEt}EiRCgtb4iGD366PLgU7V&m; zf@P%Iqmg%(Xx;lk)ENJ~WL^pKoKl`Ow!(fEV;}N)c98-AQyC50&t-kAr&-)J3Y*3*~4(j0LTwpZ?xC zgdfEqh!LSpr}X8A!L}|UF-rnl31>PP#CrLgV4F=EPS61-xu7Hxc-zdI_fLNA64^~- zH}*3C%{R9E#NByd8-?J^MSR0Bf&-36c7ul1{_nHUdEH!sfj&QAJOCiu9ko@!1aM)K zbG`n)hmhmPB6$Q!6hDC?xRS||#1J3(Tc7L(4n%EyvNO&NNPv$x)Pm|?M~$!Uk#ZrA zbx2tVrHT8w4})t5@EcH##-n9pQhkfDe>a#&59BNU0N2@OjdF0wc^@wkaIRcu^?7qt zXyq-S{H9^N77KR&?gfAYK>i`%z21V0A(O8&@X*-;phP<0!G{1?%mh?&kLfI0-EDug zyewE1xdw{t8#EV)k*$`O8#YIat?sKm$gSRonKt9OX5|J|Y(R4UA|Nr?m96Jq<-cNn zUpR@z+t&(U3R4K&N^EU$8?cs3RC3iyhd%FP_lWx#Kv~na0tigUZhGa{?4X!=2lOCs zL;H@2F6XQhRRBb0EgAwc&(-lD{Z{iza7s8D_7^}fz0G)LXae|5@tdFZyx{Hz?!K{R z=_(}cNgr2-fxp2NxCfGLNZnn^L7*}=s!5DdL`A^GnfjM-q;6=tKfIg>3uuY6_Ql{Q z?p1(>EpjmTL*Bu0=?GNSQ%zgl%TRuHp|$`DN_C;>g)M-Z2gZC@Q;jnC>^0!8|9U>O z9}4aP&<4TxBm+<^)ELbJ1&}Xg6BqaSva&ri5RVPgW9Nj&SUdu*Gerg<-A$l_)pbAO z^VlOefKlczezO$Yf(`M#1RQ*B!saO8n#2i2IOC_UfMli$u#mL@(*CN@UEuk5mvs{o zhp@TtT`0*5W_vN;Pe zkcN=ttpQ@c>^yCN>;kg0o5CojK%WSe8>8NC^u&)I>U;qBh*wmd!MFaE7%ksRG}REE z3KuIO>E@mO!wat6v}$w9jZWzeE=x~;iLZdG{ndZgxkdsmkOez$ zsDl8h4u;b~5K-@~#2)oi${|fe2@!$HYpJ>&MWhLk$2f>#s+(7mRtL-t&I016g_r)KAM_JA}X6ccEm;l9Gpk>J|Ss+Wuimr_> zOPl{kTvyAa!GXad@HpxU0iH%LQs0_3OM6g-yytB`Zy|pL*_VW6uVBnL;Y>;Pp0JwN9flp&OVkJL?9H*3*xc8&{nt+Rl792lF zZd5$*UDW*LT9p-aBsOlXBsU4F;SQTs>0Ked8?7Xj}H zwoE=?p3Bph!D%9xdjHjN@Ih7clyHFH2(@XSx=a+oQp0myeKABML|uZy3*kaZg#Tc8 zgJWQd>oN@dYDg-ZzK(}4*l#?y@GTxKC%jp?L-E4$dGO+npJa5Ucg+Ua8TlEwCFr6G zUz-yG#UOyVgADr;v 
z4KvdfhF=jf^J9LyA7VDaUP!I!zIzI?Q^9@@!*vNrq2+g^{lrj8!0af~NCq0^;1lA@ z#x)~dtjBSeH^^X+6Nrsanb&ljyt<}b9|Ij&9Ke89Z!ei36jHdFC_t5;2^j)S7@9gj zM4d^p+M?Th`mx+Yh&*Y%jC15r^tIV8bw9a0$Jz>uW^N(U&haA}QBUP*qDrj~;r^7o z3qaMI6R2~iFek-vZ&q< zK5T|i$iC$|}e@sqX3l8@LKCrRrptArC82WX6>c{+7avtt4qR3a zNC1guIHjng0SCZRB_KFskIrL1{m#MhT(VX`;G|7}+~oge3`+nGNI%4Zk<-~d4IE@V z6w*i@3__@&-25WKJ`0uTCq=B(GlFjfmXXn(n)0zS1i-c+o=Eo_L{EBGdMepiD;V7R z*}^f_?~~~{bm?d@h)Z)ItXB5p-f3WI-w&tCY(|QKvdS;Wpz=`X$3w~yRO!Ct$Pzol zlysq76&FUpqYPIp2?9a}=1km+*8!om(Pk2L)GSAYjJT78qh?m!pubFC2nPHLKs$X; zgb^AcmcRr=mDBj6d~A~gR4dXqjz`)ii}Enq0}{BtVx<1z-A4G3!U!7F$|0kK!Vu~Y zsFqYKS0FdE=)s~lVkZBD(UFkQgTQB0#8I(lZRHO9>Umj6bSU-&DSTrjx>Q3xMpim9 z^nkTTz;)U5&>t&oBB1^i#XUNy3=~{c`w>1dYH;lAObeTk7JFgID>d!7@XCm zAo8$@rct1UsvCkTnucr2B3eyj>`YNzdc$_9bgnV$`!76gD(PozICAsz|_ zRX-AxKDV21T;Yr$KYqkPM1F{2ggTs*(GQaQUZzL-ArY#8eBp;HqE+*NLjg)r&r%{& z^@;m~yKSzK zWXZ^u9g2}=K`T}2$Ne9IuFI7=g`=WT#YpJKWT#^!=Wcl3wx6@xUv5MbrA>%GSpDS+ zD7r}g5#&W;K^ti~3s~C$*WQo%5`=XP__ch~R2Na6wjsFQ1e`JU_tu+o;sMm=xfie( z&}knHitZgyHxz(ALBIq1IGtw#KZnzI2in?B7S&2Y<3tG3(z8ah;Y0{Dy63o}p3i~K zG5lGI3dB;z8&rFL(F6n1-nxv2pqE2`iKCuji>NH!&Wr=ruFyaoiC=j0fngGt&=u++ zOK2m10&&D+OtU{_>Uk$S1Jdxib8)CLi@dI%QqR@A2vL$U)U6Ni`7*9p2cs3sVC%LQw2WiTxtPiW|v+FnIU-Ve&G5fCOHaBMZ524jILO!p*D*i+M_`Vocph z0qCB6vP7Rl*vjSHMn-Wt!FhOky~6dGwwpxKSbvtvL2dq@!FDG5Jt5yo;Ag5 zB=jtTm2dQc)bad!@?|nT5?=dnrF+iFR<*DRPjSMz1&NMlN2uIdxSb)E_6RE6?ArW# zSvVv>v>|<;6qbVbf{OW4Ihqe8p=-7i)FO*jgF_Z(>M-<#gNa>UR@21gOiBYs5J$Fh zL7~|K@9OgB3t5Pp?%ND3trW2uCB^T$BUODx+ec!i79m z8<;RVGOS`GpEw-G@3l89jQzEHC{&C~1ZJ@$<{X8D&mCM|YXLI=CKs@B<}grM$Chy! 
z*#%XlMax-x7<7o+m;Ht0t@6oM!O@9UR`&_8@qCJJnHhONr(5~Y_ves)34TCxOr#N1 zX(tlg_IF%3@8UBGFi7VoFwVJ=Pf6z*-2!p~k<{4Otpvtiz5?|c`??Ll&W~n@$x4w1 z;SQcJ?5dSqM;XA*4$7|&LL@bHnd$E3#sz?-XJP6hz*!aUu(>cIv0z5C?<72o6-2KUK&nbO|C6S7rtp`*u%gUr-(r3IjESalI- zy-yi0bcb}SvItT$^41k_?GtA1^&x^6AN}iMGextU)|~;zzc>yAeOC???lyP7uN-q_ zAZN~?za<%11}PV*CQ=EgE}?G|{#^La%IOe<$n^|EbQ;n62aiN!0}G1Ej5z&Z!o*_; zgf?&283EKTvETLA0m{Jc2$8tFC)FU{7xE9kA8!nz#nD4?9F&O_p0dib{-&D{Q-07d zA;4t8vhyrmUT-~H$zV`LWG>xss2*k;DbU>9Cl zBqgC1c~1vH)tRF04?J5$BNf}09a8AyDs5p#AQrU<%mP#025mejJ3Z#(02Xf{I4npaXt{bt@-kO3jm(J{(b{> ziU4ta#sUUJjO{v?5 z;998DIP(os4q>YX9ha(+((+W38Y{r%ONO%sSR%33VS}jR6>iJ4$h;6TrAMLiZazy5 z$GX|pC>6f%4atWPVag6o7OAB^j=WEZK4ExC(~BpVFD-hQ#%c0aD`MPZ>r0WOP`6h< z5A;ONqSl&S@TGJ)r>>T(1U6K>&o`WQ8&jSIYNssr*$(?r8&1OI()r=Sv`c+y$^E2q z&<~{gOMVIOC-19L;aa6m;Sp+iS#Q{~gk1_Q@QAOwEGFJ~K64PUi*1RMZ@fQMrjOo< z*3x}#8B7MTVyK$pV|xMo@*E2yL9=TaiN1Vtm_*lyNM*DSWcf6x z=AfnK9`spXcOq!N?Pnhm8~4=E4UKS!Ipw){oJIhLEUx*N=@h-%%LX+t{^M#2DQJ1^ z>25*dHOVUEksPGYj+VfJ=g2NjGqi69it;&IkyAljEn|>?g)k}B{vQ1P%RkRh?4ZBv z>k&P2T%b9z=3=Dwq;i#}1jB6?8-!ZhGxKk#ox=%1sN=UmhUP~{KKIjN~#Gx{8Noq%y4cqSy= z0q`s8V8;2|ljsgfMh#p^v1|D(e@y8|iv7`)mL;?P&Q1vI4#9wcdM!^3Q3YehAla8_ zLTwh-5Y3c}Jm0}j3dyd#mInwQ&ukE!H(PQ7foK9gz+Tf64DJ084@V@ugsF6CK2A_| zRr6Z*MpD!&FUeuC?e|!w+%FNpa?_wDJRhV7E&zeVU|oU7-5C$~b*hCh?1(bI9NY4L zi(-0dXJTU!doWQb@)t-1$mL()*?Gwi%I`eM%+b!g-~F|PjF2pTNf-2xRyvL`+>(^V z&iP9MRE8~;LE*`$XY|42HWkY!2O#*zB1i<*^XwC z*cIWwXQUK?K@dzLifSmW^o66(3qc}iqBOw%xAuPsD836@*og9UJGD_UcvhRqJSf@+H5P%+T9|I8*V2XI}F%?%Qo+EytMQ29j`1$;u$nCIY? 
zwN}JvWqq`#?$ojDHEVFpwULH%DMQS)+1&Gbztim|PadZk4tK~t_HeR@T=;p)dUh?E zLnQTRwnz%i4;~9%TXk@b#u$o6G1V~*0R8C!nNQ)dDlav@)$g(Nz)ORRHEMwu@3uA|)aYxc(|i64yD)W> z?5vW~6W1B=h2AhEEw;e?Bp@Q2IG9l3H?l;4X9{(Q#aqk=H_Sufgl@+hYaV2jiQ14Z zpC7MqCmS!?KmO_YV3gG*f1h<32s)&)rKNDuQmX=TAvqhIkPf!@TmEE72QuzN-V81r ziLLrix%9@`=Yh^1a2W>J?te$Xl5iOPC18J|f;)Y+cQ&oW^*s@<_1a2P@iE`B`X)Z+ z9r?MKugB#5f%6}2<3OvAvdEuPR%^+4p~*H^Ao8IQ+BJKu`{NuhdOg5`=CLXnhdFz} z;A{PM7e3nQ^ELP1Xk4Z(?*m=`+}#$AL|obKw;0}@|A;394Cghi!7LrYD@5aPW1ox3 zAVA=7s|s)sV6^bx>)wzWq&j$W?m6Yz_QTluE=@c-(c*5o1`2PKQheQFJ)Sbd_I#Y9 z71q@Q4-M4U94dLCS9(pJFQ5NXwgsNd5k&#EsM#Uvfn&e<+!qKxT${`HKFRnfo!@kr zTE7$Qy>M9Hor!6~GkN9wR!je=%H^D z79x5a{!J?WACQy=|7FkrG$RTJ67fi(X z52~a2^D=igcU)Q}qT^rrlWbIcV#<#YZF3p1FsE5AwYS=<*Nd%uy#D=hC(2c-^EHHJ z_a7j*V5dLMC9uZ4m%`Q3D^BzPEKZ( zEu*U5y1rpSkP@VkQbI(KkZzD}lx`4^?v~iJgp{$=W; zuJexPem}gQ-ZL0`;9#8nU;nk{n)Un5IrrUte}l-|$>-qB4rK3dg36IR;6?Y3r@61}`Xoh5OAMSj=89RdyZe79N%j2Io#m*#TkDOt1RsjHMxm3lH+h zagsRV-Tupp*vsdV+v&IHPNg;e@X1sMdnx_!$p$F^t6g2VM~NWmisDZXJqD@$`v!)E z02FhCeZLtfU3L~&cKnvW!bX2g%Bf$+BRxG^y3HcSku;fo3mtD5C;<7B062$#``?In9(Dz)|OGRAHbFkKO)1p74jA z5i%Re)teJF;Tl99Dct{f-({V~s_V1fZ+N~y@7H$&pQdsCD!DH*a|PBgEX`p3t@L4# z+@s`y3$fIP+`>TbKlJ~J4MLG1SSWIPAiw~I=S9)kw`N$g!u}UYX$tpAnW=KGCe^u9 zKm_O*>Wl@>2`_irNhm*)gFjd|)BS4L3UO{%2orE%syap_V{7LJIf!8Il?nbV3BedR z*&x;f&s5`{1ke1}dy*q^LhgS9v#*nSzr#*S28Qti5n^(TG-P;p7p9GOfejAVW2$CTP z{w}SNekX2Z^$w(@2`l?fPIy)ns0Fk?So53ZIR8FC2z#{`)3JcREt3TEvcS4o9Lw&U zOqrK-g8DgSg7HFiNn)D37OdE+zhe79R zV!vFK9yfk31@HGe$N`H@&C^7vN#S!tMJPSh0Ht3`^R2$P^S|J}BZfB_Q{Mvo=PTjW zR5{HSLnr?1$A^t+`%qrc*7J6wQXe`yfK*zPvBj?=dLU9k;+p+2V5b)zmH@Ev4-65I zQ~^&q3Y0)}=PBkq0SsMRvaQ)h%?|{O#bLE}%TfSx0YRx$S2PV3plrf@s|V1UR+GCr zD0#`YsHxqjdOf!$3L})L&RyC@fmj%HJ03m(7o`G_HXch;Yuc3o8};zKC++`1wjF%| zd&|*09+3SDL5i7HwU`76Ug7SZE+7UhgZY-hfV4_0olWdkvzo$b68DW zis$tiC)@nT4Q`wHmoV-F80ang$bC=H6wDRnh4!!>TslKS=G~ggJgc7ku0>tcmrf9SYOJ)Kr?HmkAy1iPA;A;7^ zORu{LFRr?Nb1CB60@0fML&ph`14!Ko%7TEdlxpGDp&2F`1gxR#Hh&3m)ekrM%qS2R^K- 
zIczY^C2{NUAN4-AmX`CJ%-lt{+=8tPaGV|sRI8=G!i_O)J<8QI0{4>TpYCNfvJH4l zTmqYUzC`t6M|go1MD5bM3IhW@vx`7oWe zbPq0U&HFpzpIiWbrc>DM<>lFBp#;3baGhUjFlF!jZ}o*@liM2$h{`a?8;}cyg5H2a zPP|Od^hwZ+3{1UGfgG#Hb6BUaT28U{y?N6y%Ik8FJ0qVwRs*aQ#jVXBU;fwk;U&6WC$}=V3OA#PQ}cVmb4OJ8KPhv5c5x4%mWxec6j&JJb;5l z)@5wi^Ksakkk6J)d|L0ktMZi~VFt?vR%jdjOkQa8GpIFURjYte4iZ>RDPVJTn>lpV zwuy^c=+ajh#LK*c|aR$>&}4Fi-~qnVvQZ;+OxfE2|H} zWA=jWb!*^$ZIcu70|djuNEW7MV6?#vcF>%zNUOHYV!B2iK-*;2jYleKVC3ih^tsQ1 zzDh;apg1)@w+6u4ZIjBQO@pY@%)0P*jq&FQ|0M&oFd5)LT66OSj4ipx9M$S}!7$S` z-2+_Nu*8yb;L83N5u`@5Ii9gxQeOeq=#%)LmeBW(@!X79is88q#GnsX2||}_(Fx=y z%B8l*8kl=Ay1%KTTXG?A+7+p9zsls6r3s8Gpg03FssZyBL9^mpZxMw1|8nMj`=f)> zBrv_Za;tY?8)Bxh#bZ;r^g~toE6eqfs8OsB&BmKRBxni3ZfR4Ha)4m} zZ~esteB=HrF|n`GykqMn9Dpm$SKcO6AdiPE%CRbt6bU!?8IYF#_& zBsZxtYX9H4)G*!5M_=W+!&b`z!64*wEzFdOADRswbX7y9)2R3{L6%-rcxu-W{apJA z-MGvKLD221G?phcjq5Z8>48THIKu1?_bA1!_kIez_j~;eO}Ba^RsS75aCqZEH}F5m zULXQ035gWdEs6RNLo3zl^I*bLP^T3i9#&+ZOP{!O8~%t`yJV_RX%^!IiTx4&$o#(y zf6mL^?d?h4hPEW!SSe@+v{NXb$28+3-)D(cGEZ5G*R}p8hZ&CnUn-zHSv769G8{B3 zyqMq~Wrn>_yKD0rPEk4P;SX>l?{)n!?SO^PBCzoJf5V9VTd?`RCaS`iZMQ67cuLIM zFtlX_IULNM900S~fr|qBzIjktR`bYl*F@e6t$PCKw($7>4_U<=)3$%Y#S9q#|W8t{HeFn|sz5EwEq z)BiD0?9Y{v$bp0Fy$drmEv&Z#2>!kx3|JGX6}bO@d;Z&Dy@db!_8{TZ*qud2(?=^G z+3fwySkB9-=c%dQS(|dR#`q|?I2+-x<0=ing=n@X4*yg}`VYqh^{?`9oJJB~qq* z`PjkiDIvxhR{g)EV;)vn(`yfi%zvJw#go0^+TnxOc@4J39{~}wmPJ;hGyZuvuUegt z>pH#edKza(tvd2#wOasdv9{QZB6RFkx90AvvWN=DVchx4@*%d}F5Dgp)eKAX=%Ug!s29*w6)(%9p#4^eV+{|L2gD`U*k49L#kOs+qQX}UWX`_rmk_R6ix z?_?=?TvtWlWaB2mVe=}VzWP)q(ZB4xJ`2{~lT!Kcqt@lNs!N3}+Sz=Dx<>IT0$iUY zzb|}Jtf?sF?`xg_tLwNw@{{C0x4K0Uv@UY~GB2>}kJ}hVzu5`;zh>yJ8AG!CI9auY z0z<3UxM4E%fN)jYLag7}jA72B@g?Y>LnpAsML@k>?!HjJG}MNsP--R{&*WU|*#h^- z_Bt*#MCsUV8TgDb&h2t>koxLwR^e%}ikb7|94d%^2%JWUTMZ6E%|~mY44~VH^oDS6 z)tVPO(1sOhhnD}L$1I+_5%v1ETy1$KsKKwIe6-Ygti4o;wK&?}3F>t&Y zX*{eo9Iw5`#ias_b@wERB6w3hcm+jIk~p12z{sckx2%3)6m8NdLw3Xu<@s~tjH_63 zUi~m;dHNjd*K~Z87=1C+?(9HxG_^kDf>EceFrN#F>AUJMc}pYPn&{cw64QsxY={6_ 
zyUUb#hT&+nE+K?F3jr(hiIbb{XIxeVyg|$(&KoG>hPxqPJIKuOy;YEU(7kdE9ME zdM;0eCu^)?HW=G+p;=0kAM)?%jS@K;Som@8_7Iz1n;1@(I)e66;}TD0QXg+#HxLTF z{mOf~lgPL{vY%m>XdC|i18!VZdpjk1Ld79hY)Z3Mv+Mge7}h@<MBl~-JdxY0hAl#*v#)mLK`4buHtHkqG>7>WD6zVLfOo!5o?h{YF3VY18 zW{=}<)9dWXpCMl~ROZ<)w@lD3ccyg(Cf%Xd^$NvTa%TtD9rXv8U*$v-$VL}h@UOcryYNfB3<5=k21j6 zKVc5Nt4gQ+gz;$W*?6%|&^YV&>dK#Tx!Tf$u@JUbu1?2{KPon-h3_?S(S~U!gNpt1 zy5`gT5cf^x)+<*I-1XGsGY-2P`SIPh;#Y)>y|!({Ns4D_8qAh`WuHb2hB3Z(qKfVu z^Hg^$4z{QBi(}et%0?}nYj9!F(ab_$_*Kq0ZW8ajA_`i6yqU<@C2QLQ znZCWr=F@a>+ZTNbOaYGM}4aE{KODudrx)Zf2tojY|0Xzmmu$7b=s4=75rXz5`wW6?q{f z-J0t~;eR_-?ATvuTNV&&m9Ay-sdHo4T@Q>mi~$b0Wwhf4&6|34GNb#_W)_>07Jbmh zB%E(nYW8Mt_!H09;Ms3t4t=%dIZAIQ8Vm(a8-5mv0dAT9=!kK~)4mWq+e3$f^NlvX zHqf_?TgP#OBcgD!4741Ids~eqS^hOp?R+P(Z7A2&oa!LHcdnb2;w%M{pN7qV**0FQ z`IyF9#5z+hSwk+Bmwc{7jRGwskZC%@IQkv}=g72=$$Jw5kr1*-B#K#YNWGF@czj=Q z?sE}c7j}>eFeMmtJ|bd|D#OdCm3yb2BCzTSI0S(@=i5HmYX<~$`XSo(orWS!$pSY~ zJ!fw}OqpV#FZ%C8E#6IvnY|J9m3~hd?DMKOIi!`E8<3y59?8)|`?h@XKyy=ko?!~>pCxvslwMz}u)d>#-tkmc; z{L!%k-v%E0hTbPkPc45rm4_pq6-54;Qu{JR>!j-wjr|DJZ?)X~q64u$gW{Ljaa=*A z^;fUjOOY$7{Ca5f%#${$XcYlZCj0z`DQfNm%k?R3+lfynNZuRq?BO(GCYa`rIVhgm z6PJT|k%dYuSRjx#owpjX`pNL9FM<(9PMi(V={P;fjZMhI@Fu3+wfHJgJXnBK4 z5f@r4mxZKMG+^Pp{P7Xwp5$5A14$yv^X-OxM9FA*>B9oV)I5{ng^V1j;n?k%A4qd& z3u}5lq#8^{#7@aUEZh5S{_6IuAB}xFKzIc7(i03=lwrTi=305_1{H9*?##FQc|)*V zbr$(Yu<$turn&O;8tW=lRJS=yKJgAWrk+nKdI`IZO8fd3gpz#pF<}qHEFxCr(D}uV zN+D218YI`j`cq^PaSI~s_tN(c(n3o;IX4=k4JJ*~oV!SngbC(Oeq7V5t7+qwM4xB8 zy6BAi5*cmX^^@4H@$JT#_adB-^eO=Tld)o0RkEU7*`eI0q&jxwVGC^&P{Wh2CCw5= zsE9E?{BUPchF98ZsRB_@8p(j+r=~h4C&d@aS}hIKaBr~U0v$xku-7A2CR}xpO>J4S zLxO{fhnRNX%;nz+NajUqWYgGbWb`b&2r%(mldf1rA51fDCNJerg?7Fr94RTNqZYw* z{eZvX-4XtXd5G;XZcnh^%9sA2?R{xvJwEQr*Zl}7%>khf&9a-S-Jn@wW<1sv*L>xP zzCxC<3}M00H|SEME|I`sd+IuZz~l1+D6{#w2#wa3pn3%b?TT7Yd>55nUhQ2^xaNfd zdS-=`3%)rW2yUuGa6fiFoH1Z_bMma#g9GdLyfAjn=h72vPdM2*o9_KoEfh4~%Btvv zwlZzF=|t>ve3vOl2-z*yL5FHyUzq3+ZLl;2{g(z*yx^H2ZhtF>Sbq8XDsKnoU}vDh 
z@hI6#eXC!=cgjPF_|-(4e_4OsiE2i&=iv>w4S`$85v+(dYi-NNB@cc^b|Nu~c*;lh zs4caHB05V1%uIyF31~4k-yDVWUWicDQW~Oi%)(#Dz>Fo9bPMR5LQp&=Yu44j+LyZ) z58{+SNy;N!p^tJw6;isED~Au3E8{W*F1jQlo~zZU_2|7Tb<0)K!DD-mtJMFDjl>UE zG0+0@S%b5!h!m}Y;-Ej|g=j+M#v2zp9M^cU=&9$8>54~B`_ytNQXSX>nK6wqO%Fy- zc=Y4PXj%kuryFhvQnkfdQ4yYbZUNO9@!_~TvBb;0UQf5>Az6~pOHpAyZe&{{Vb|TS z{Q~k(v!gMCNG@r1>0`$p9xXs=jKdV3$W@}tk-yj>NY&4$A*x&-Q1*XFVd9Psk1G-q zX-NBHRaaa*_}&zzJnM1exZ&5_YJIu)6Z`wd(pd_X0S56bZNwJYKC;R_mhX%TaQm~& zNH9FyDtHY?zCkT=Cj;x8G5b`-NulaUUnG;uXdxs=o3TV#VS%iNqrk#C^*a{;f^p?B z=4eo~c7>odgv^qM?=h|i%)oO69ELyQ=@IA=*6oD`f66P5LsqaH%$6m|GCNEo&wrq+ zp=JpxB_e;>!h(f)cX&_jX7Z>Nt7ul|X@+n0D)OWtE$uSxFLNd6QGXEUV4)>9lvOKS z?w9}@MF@xeCCV%3PQcXbqA4+JyFJkJD}RkKGmOHuv(S6x>Z^$(N0)MUb1Z`;@$;YM z_>jlX;o+NwLkr*Qy65{nv}m8F844jj^UuffM-F298P*K9yTJZ;uKccOA$|nkI-CS5x zJxx#RFJONh=9mwfcY~zQIEj$F2kxr4@C?Jq?!l-IWMADtF*ID6XuEyJ81l&XM|@2C zy$2G?JnnBw5_kw0FY{NhM2MjE{mPnQxww+$%JlK#csT(rC~3oH!)&`?$5EI>JQK(0 z8S6utj%W37O|#g#XG^TsJ$2oQ#Sx$l;~@OU3gJnYsD55wq1#NzuYYVYk$1 zXea*BP_-sc40B-g*aKs_z@wh{U%eS(u1iQ!Mo8{_P=w656W3$Oqv_(GF0^vzg{v#{ zDfQHetHL#YUO~rSrG-OX-``!_4hCj%=gdmki-kjP&ygh%na;)Yu=vaM4p*8tQwJu6 zN2==FF^~VAD5mgW0|4e`?%SeQB15vg6WaHAZhVx2;=Q#2|fe8={Y6)|_AHGFuKBbtYY7xD+Wmu!3N{_Z!DnRIlCf_*_8ZDFpor>dCLV@tJq<#}7-^O^Vh{&?K!rrFs}SnNy8)f`w}w{%ZQ=VK>t5edYS> zb2AC9P^|g;rGql>+q&I@8U_=Y9k$tCx;9_dDSzj8o;z|ZYj(*I_A;MqD7Mh5SLjl8 zmEhO@!kkTPt_pdcoZ>!mz_;+Sl4mKt`7XXYPgP+KyMXtpw~{LI046&R;d&`j2&pC0 z%^b0S@OEF&Jv~hLw46Zf*Wx!fZ!+hE+)XDAB?-9}a8jT4pcC<$izgtZvuhJm*5Pk| zyPxtLadkHnqP{e^-sFz!OV)AHkr4Qua#z*r-0_y9AX)i}UQmvq%OsdSo)(_}nkDddCGuHkJX>hP5IeW< zd-$Z4ePTA_L=rwX^@MR68m_XonHd@AvPsyj27gKEeF}U+GvV#@hO+}=EJL;|#|ws1 zCq}mVH-K*zOz0#k0_sE-PO{hDA5vx33W>agyCFykVz_L6b7pkJygKvR9-U%fCjJL(u-9qKVel?>At=&?z$LR<*3BV73CU_6MUY?!V%mR;I zX9_drAa|{?Vx9R%;$64y9#b48RyBPT8|spkswvMk8s#auLU245DxKPr`bY-jbwHX9iWX59vv- zbbn6Aksp3gdF5le>dBw8;onwmkXptEI5gGLO)}Ymr?S3m#$H{Rp%>Iu4!ZIoMV;Y)v9GvvT3E;2!i`xN($|4kE-vh7%3BYV{vy*0LT7^?@5+w;noKrg1cLw>CLK;(EIhf@3bI~%*ND( z9R`mncpH(P5NwKdbI 
z9mDi8`Bk~zFrfv%0XwRVH?JUX?C)T0{(Eh3naQXXO%g}BgBx$%EDg|Q2JEZ#zG5@s zN7Acs=Vr6Pjr5nYtcJU>y1QxvZ3T6E~iHBZZl_P zaMz37&gSM3m7gV_JCm4=goKyx8-xYqqjC>cc8o6yiWpafXJZ8igA-V^qh^V=MLffq zN0YsoWGyZqsH2P-R18)M+NfI=CO}M$kL)7BCxV(jnk{`=2^{Na%=GsIv+maEpWD+( z(Fd&qeZD3Av_E)|TK|KB*}g{piRYAfHG+u<3B|#S36*9ITP{13)G74|Hz=ZY;y3?8 z`Fc!)0D~w}*Bq8!8Pjc*F+FXfbT0z!W~hI|M~Pg=aEF23FC1mR2;+IOKlckp^8 zMFf?i=asWuEn}vfZk748#^r(ww2;%L`CHX@Q*YzjJ}Kplxun z5cSVF?$y@T(+q7pJ!&Q@v5CV4l=&H10Zj`Ln%IIR9C;ylt?)j2C02a1XgyzaTUuy%B|o3hy4zmXeEBU$ z3hEDkBG#VG$yVCie4&`0kE`nh`BO=d+9j^XPdy|i|DbJKK*%#oL6omp%|GP17x+n& z^*y1;o@~mQauTaj2%8!Dui93qZy=AwvxUho>zy}G!-JeNKE7O$c{1iDT-35*xTAPo zY*UJ4IQDgSv4=cF4|*Om+E-V*+e_Weu@g>sl7}NEh5t=J-{My=zSZa&IT#}ATh?qM zs?@Vbf9mdkxO-M{?o6iZgm4hDr*^9|qs>3G^c!lp92A?H@l_tSIP2yxIq^dR!b-EV@u4hB1IbkKjQxXg zvBriuXHUV}#jp_{g7)1ebvhh$`TLAJvpj6)&vV1HW#o0y&_xe)SSNGaDm}{6PzoZRxJ+}rSk06OQi!~)TCzKx*P&D}ts>#E zBQuhip=%L*Qgrj$)|=Bm&Z@y(wOB=Zh$zuHiA859j!`}L!;Kp|sGds|(Lnq`e(hfGICQzm9Z~5JH$fADGgDdkjR+|ns|CeS**1$pg@`F7A6KY6 z@usS>n|T(~EAl6*1?sBVeLC0!l;O2A6*`D8@QQnP_ToS~rZs+o;SyN#-vZ34Wko83Pt|`pVljok2dDQ#^{%g!LA*7NCrj^h+a8P6|N!=TJ=`p zFjZph^RgDIYgkHsie0hVExGHNO_N=uBrs;Q5pQ$o{M-$yhdDR@ZkAmOWce zhZYSDsMm+uNzVE|HE)LeSX!{#*`hfrG|183sxfC*toR;>7aA&Syr&Mvoh}I&cqDVX zXsx(2t2gOzij(dnhoL8)mff|-`a1hucurZ@^|KYphD*AWv3uU-^$Ll=Z>$-a(c2V_ zqjOZ?I+pyE>c>Jtg@Ry!@9W)n4OO=kd45SfqoEXwOB4Ci1~CD2*@8t@zFs(htj4~b zFsf4hvrrj{@VGVloi${*oo(nkh}*+izwq)kz2LrepuQ0lm=Vs*^d`&9ZNb;UC260o zxG7PQ>)X>84DBUub~fG*srvqi?7~C_+2N%PWX@^g@07?gfuHwB4~X*v3mw`?^+MPUnUhGAhIzW!}o77sUY zhDsLu8bIZcN8x z28P<*K9g^FCXv6b5e7V{`R6qcCRauoe2u~;@|sTlw07U8N#U4SbS6SSARQ_}NN*-$ zL#DqHaZh$}WUh>&WuXqFE~DbbLNi0nn-vE|JRjCy>e=5rEO2TR6ML&|j_18PNp_!t z6wfpv*E)vE+=_1~`xROc>L!Cld9Ro@=8QH&BUz{;5Esvp$0>WfR+}25>)Huz$1cl<**Zy zAZ|LG8RZ6D=2#Jvr7}BB+(h9+!Ysk>Po>wT|3vTRWQCI{Z_GNB4kbPs+u$3Md1O7v zE|*Yc{DCfAoLVMzmjk;vDx&?vRLHxgvF*UHz_Ov&XeAnXZZR)HuS4RoNwEy88tbbH zjPKPy(rt2(XEyGAibt!eO3eEPzx&jgL^XX)k>S#76)wbe+K%3AK$n`qz zSLS6Lwq|BcKdKk!x*(2hiW4s>k&kYw|ip*{ns 
z#JG2jHbxQ=BcGG$zVDW$Z#(Dt$+Ct{_K&otAiV5mY}^b_H4&qwvf)_zZqz*KLF`}X z8f5F3r+VX(lNFnOyjoAId9MeGdbt4S{Y86yxX#CL{O!o3$)Ro>N9-`AFAE2(pb!M) zNIr@nf5uSxnO!+DLnd@Dg4yDC==-nFKB^baXBb>=*B=~AwX{Ag2hV!JfrcRH2FK$^ zo>_CJm0fnK85q;sg?Ekb8s6S@@617- zEBQ00VM!W!vVf6iadX)P19Z1|?Mnr!7hiVmeT1ebOs%(%aUz+9i}sE(UHcmtfBVmW zeA=*h?}iq}BnR|K&K$U8>czN&CVEVtay)CFQW{xB@F>hM^s^T{43j<}`q%#bk6(gB z-V8N7UMgw6iMY1xk}BRZrD=I@PBNQFN=5BaM|)JjPlkB#7H!NTxoeLaecQu$#%~++9rBEVUfzl4TJwz0ky4@;i?E^I-nH6>liLd)?%^+DWN1 zPp{OMC&k*_b%JPe*)i_O?DAYE%BX!&+-ac9;+@HCn0C@+PArl52j0<3_ysZ>=!)mT z{#V(94&CvrpNmwPHnTn8T;OKM+1h(%7y{(9Bh9j)l6gowl7&`#b^l()U)M#1V)4^c zY|M&}7SYZ)I^|V#$T&0QJgZQ6|47)kRl}}dd}0`Tq(f=8wJ)?H;{JUee~_*IIIS;< zEr+6s%U!#klB@or%dMA_K!c-Cr(Q*rS9k5F7EAQnon?W(uGbi=tN*kTjHh2V2e{NL z&%P`*@-!a0lsWkD86s$Xy2rfH!pIEi)KNw&*8Wx&d2qa>SI5lw8>9W}%fP<+b5zTb z=XDHWaCPpKHR&UI3PV&wPzr-%^Q?-WmEB;%+@kAs`Wv}C`Qz)?GW%NpByJ)UdsnfP zWzczb8hwkpfzb)~R$T*xBmp5J0fD1#WfxdQWmdi$H;>3xRdyPABVYu`msROk6X6eXOpzD3Nr(}$ROP0*S^m)iI_CJWRmnA~_ zadPC*&oJrO`_4Z;g3O0Hvw0jKjfF;yWmJ)JGd}jL6rZ%vDDYdVd+w`p!7BC_Mf2|k zevWHdPi5@B+;yVOc*XIIHVf6L+#TRhvGVJDHiJ_cW%}Kcou3#gE8H_PGo|8%b`ec} zhm(K5oG;P5n@i?Ca?M%9NvqyOPZ`=vFPeE<7E8j(b-zF`emmVjYB#?mO7qT|Jx_Jn zdp=~3?jKGLP7?(viB}lOm&&Niolp8X++NI^gOtp}_$Hh_-E+m+WIQU*YltvyT+egE z;4hDo`0FY}{`(82;Y^gRMq5nSYANJMkzZ-VMOY9jB3Xcv-IgDRDPNA}8JV{?8@o*Y z5N=n-m;ZQrf>@vtN>bqz==AinR1k|s`-R(UCjdmhm)(_|v*w|PHibXxIahxC5#FVc zV1M{0j>hjO{qGmjKZi;=F$e?wz>aWD;63#1M?lotBNebAAkJDaw@*7O@Pd4lt zJC2^W_vIpnkSa|6MJ@k_IBZedtYtlobAltR62VKSgP2P zbO;<0WM$BY3<-9d%{+ViwD1?JSez)%QQvpzn?9=9+F(NFQ2Dp_7vH{DM{_8AFR0lr z<>`9P`l8ng|Dd9384^joTKjp^d^7%T!QOUTjn&M&M1EtJlJFfk1k9KJ z@!=gz@#XTJ^aGWlF}qcR#q;A}F4?e92a7WV8`6x*=DnG$oVpY9c3Kj2q$5e@;va8Y zuDx>u@4zFIdHv<%{^ytMx+AX&Ot+U%$2OWSUu0YFXl;)NojG4AT!u+#A@pSHSCQReHu zTI`aA8Y#~4ol4K$49%jiLR}B{g=ElzO#l104XnbO=NX^7&}S^#wP|#!K5jca+IC)k zNVGB4g*;y;W_j~cvo;d%`&ER89^M1316r=f@^bXBuqT_DX(|5tny|NCB`{%4 
z&|s^dQ5i3%ZL&zEaA)+GM4c`6zglH<@6*L@NyaIT^QdY_8NQmUikYR?7&hAulr=qSw9~e29H?in)LK53BTN*CBr{&Ey_bl4WOFv?djV817LWJ5_vHtT^VTb(23qc{iK_Q;c^3!GoRdLvQ z`ALRU-}OyAGTii?MvEM27mKh=2EHycOX!jG_!J6=jMUksATMj{+N5yLvB2sVuePq<%%|LXpr(V-YO zp1Qd^Gvp~2D07dMg{?SuJxAE17I}$#58+wRU*re21y0B#GV{k4C7H?Y@;~d5x)QGE zwv%a^x%6GzxQ&QvmP!pIG|e$vCc7r<+p6rvH6)iSO0@@uEfzw9&LQ839)y`#jEwJG zQ6AK29n>VR*!|eHnsbJtkvA4}_WVWYVcXM!;Vo94CskQ&R%vwZ@2HzM>Y(PD<@@zH z=_682$olD0=t8lmPeL+^857o+%)61Wb%(-xa9SNEZq+um3LJvdX$mW5M?7xg`QwR= zJbFg{e|sGQjh1y11y)uw_-ZDqp3#lQlP$c%e?+~2ZVj=*vDR_ChX}d7MoH>V Zfg}p;HY6!B**oArNl`hGVxc!a{|9XIy}ked literal 0 HcmV?d00001
diff --git a/offline/wiab-staging.md b/offline/wiab-staging.md
index 39c77bef0..5a0da3bab 100644
--- a/offline/wiab-staging.md
+++ b/offline/wiab-staging.md
@@ -4,12 +4,14 @@
 **Important:** This is a sandbox environment. Data from a staging installation cannot be migrated to production. WIAB Staging is designed for experimentation, validation, and understanding Wire's deployment model.
+![Wire in a Box Staging Architecture](architecture-wiab-stag.png)
+
 ## Requirements
 **Architecture Overview:**
 - Multiple VMs (7) are deployed to simulate production infrastructure with separate roles (Kubernetes, data services, asset storage)
 - All VMs share the same physical node and storage, creating a single failure domain
-- [Calling services](https://docs.wire.com/latest/understand/overview.html#calling) will share the same k8s cluster as Wire services hence, all infrastructure will be DMZ (De-militarized zone).
+- [Calling services](https://docs.wire.com/latest/understand/overview.html#calling) are deployed in the same Kubernetes cluster as Wire services. This setup does not implement a separate DMZ, and all components share the same network boundary, reducing the level of isolation compared to a production deployment.
 - This solution helps developers understand Wire's infrastructure requirements and test deployment processes
 **Resource Requirements:**
@@ -17,19 +19,18 @@
 - **Memory:** 55 GiB RAM
 - **Compute:** 29 vCPUs
 - **Storage:** 850 GB disk space (thin-provisioned)
- - 7 VMs with [Ubuntu 22](https://releases.ubuntu.com/jammy/) as per [required resources](#vm-provisioning)
 - **DNS Records**:
- - a way to create DNS records for your domain name (e.g. wire.example.com)
+ - A method to create DNS records for your domain name (e.g. wire.example.com)
 - Find a detailed explanation at [How to set up DNS records](https://docs.wire.com/latest/how-to/install/demo-wiab.html#dns-requirements)
 - **SSL/TLS certificates**:
- - a way to create SSL/TLS certificates for your domain name (to allow connecting via https://)
+ - A method to create SSL/TLS certificates for your domain name (to allow connecting via https://)
 - To ease out the process of managing certs, we recommend using [Let's Encrypt](https://letsencrypt.org/getting-started/) & [cert-manager](https://cert-manager.io/docs/tutorials/acme/http-validation/)
 - **Network**: No interference from UFW or other system specific firewalls, and IP forwarding enabled between network cards. An IP address reachable for ssh and which can act as entry point for Wire traffic.
 - **Wire-server-deploy artifact**: A tar bundle containing all the required bash scripts, deb packages, ansible playbooks, helm charts and docker images to help with the installation. Reach out to [Wire support](https://support.wire.com/) to get access to the latest stable Wire artifact.
 ## VM Provisioning
-We would require 7 VMs as per the following details, you can choose to use your own hypervisor to manage the VMs or use our [Wiab staging ansible playbook](https://github.com/wireapp/wire-server-deploy/blob/master/ansible/wiab-staging-provision.yml) against your physical node to setup the VMs.
+Our deployment will be into 7 VMs with [Ubuntu 22](https://releases.ubuntu.com/jammy/), shown in the below VM Archetecture and Resource Allocation table, You can choose to use your own hypervisor to manage the VMs or use our [Wiab staging ansible playbook](https://github.com/wireapp/wire-server-deploy/blob/master/ansible/wiab-staging-provision.yml) against your physical node to setup the VMs.
 **VM Architecture and Resource Allocation:**
@@ -139,12 +140,20 @@ The purpose of secondary ansible inventory is to interact only with the VMs. All
 ## Next steps
-Since the inventory is ready, please continue with the following steps:
+Once the inventory is ready, please continue with the following steps:
 > **Note**: All next steps assume that the wire-server-deploy artifact has been downloaded on the `adminhost` (your physical machine) and extracted at `/home/ansible_user/wire-server-deploy`. All commands from here on will be issued from this directory on the `adminhost`. Make sure you SSH into the node before proceeding.
 ### Environment Setup
+- **[Making tooling available in your environment](docs_ubuntu_22.04.md#making-tooling-available-in-your-environment)**
+ - Source the `bin/offline-env.sh` shell script by running following command to set up a `d` alias that runs commands inside a Docker container with all necessary tools for offline deployment.
+ ```bash
+ source bin/offline-env.sh
+ ```
+ - You can always use this alias `d` later to interact with the ansible playbooks, k8s cluster and the helm charts.
+ - The docker container mounts everything here from the `wire-server-deploy` directory, hence this acts an entry point for all the future interactions with ansible, k8s and helm charts.
+
 - **[Generating secrets](docs_ubuntu_22.04.md#generating-secrets)**
 - Run `bin/offline-secrets.sh` to generate fresh secrets for Minio and coturn services. It uses the docker container images shipped inside the `wire-server-deploy` directory.
 ```bash
@@ -155,14 +164,6 @@ Since the inventory is ready, please continue with the following steps: - `values/wire-server/secrets.yaml` - `values/coturn/prod-secrets.example.yaml` -- **[Making tooling available in your environment](docs_ubuntu_22.04.md#making-tooling-available-in-your-environment)** - - Source the `bin/offline-env.sh` shell script by running following command to set up a `d` alias that runs commands inside a Docker container with all necessary tools for offline deployment. - ```bash - source bin/offline-env.sh - ``` - - You can always use this alias `d` later to interact with the ansible playbooks, k8s cluster and the helm charts. - - The docker container mounts everything here from the `wire-server-deploy` directory, hence this acts an entry point for all the future interactions with ansible, k8s and helm charts. - ### Kubernetes & Data Services Deployment - **[Deploying Kubernetes and stateful services](docs_ubuntu_22.04.md#deploying-kubernetes-and-stateful-services)** @@ -193,7 +194,7 @@ d sh -c 'TARGET_SYSTEM="example.dev" CERT_MASTER_EMAIL="certmaster@example.dev" ``` **Charts deployed by the script:** -- External datastores and helpers: `cassandra-external`, `elasticsearch-external`, `minio-external`, `rabbitmq-external`,`postgresql-external`, `databases-ephemeral`, `reaper`, `fake-aws`, `smtp`. +- External datastores and helpers: `cassandra-external`, `elasticsearch-external`, `minio-external`, `rabbitmq-external`, `databases-ephemeral`, `reaper`, `fake-aws`, `demo-smtp`. - Wire services: `wire-server`, `webapp`, `account-pages`, `team-settings`. - Ingress and certificates: `ingress-nginx-controller`, `cert-manager`, `nginx-ingress-services`. - Calling services: `sftd`, `coturn`. From 5eba2fe6758de29421de90f2f8c624acbfae8f22 Mon Sep 17 00:00:00 2001 
From: mohitrajain
Date: Wed, 1 Apr 2026 13:43:45 +0200
Subject: [PATCH 11/13] fix wpb-23987: update wiab-staging documentation to add information about internet behaviour
---
 offline/wiab-staging.md | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/offline/wiab-staging.md b/offline/wiab-staging.md
index 5a0da3bab..199ed69ec 100644
--- a/offline/wiab-staging.md
+++ b/offline/wiab-staging.md
@@ -61,7 +61,7 @@ Our deployment will be into 7 VMs with [Ubuntu 22](https://releases.ubuntu.com/j ### Internet access for VMs: In most cases, Wire Server components do not require internet access, except in the following situations: -- **External email services** – If your users’ email servers are hosted on the public internet (for example, user@gmail.com etc). +- **External email services** – If your users’ email providers are hosted on the public internet (for example, `user@gmail.com`). If outbound internet access is not allowed and no internal email service is available on your local network, email-based flows such as verification codes, invitations, and some login emails will not be delivered. In that case, you must retrieve the required codes from the logs instead. Read more at [I deployed demo-smtp and I want to skip email configuration and retrieve verification codes directly](https://docs.wire.com/latest/how-to/install/troubleshooting.html?h=smtp#i-deployed-demo-smtp-and-i-want-to-skip-email-configuration-and-retrieve-verification-codes-directly). - **Mobile push notifications (FCM/APNS)** – Required to enable notifications for Android and Apple mobile devices. Wire uses [AWS services](https://docs.wire.com/latest/how-to/install/infrastructure-configuration.html#enable-push-notifications-using-the-public-appstore-playstore-mobile-wire-clients) to relay notifications to Firebase Cloud Messaging (FCM) and Apple Push Notification Service (APNS). - **Third-party content previews** – If you want clients to display previews for services such as Giphy, Google, Spotify, or SoundCloud. Wire provides a proxy service for third-party content so clients do not communicate directly with these services, preventing exposure of IP addresses, cookies, or other metadata. - **Federation with other Wire servers** – Required if your deployment needs to federate with another Wire server hosted on the public internet. 
@@ -320,9 +320,9 @@ When cert-manager performs HTTP-01 self-checks inside the cluster, traffic can h - Pod → Node → host public IP → DNAT → Node → Ingress -> **Note**: Using Let's encrypt with `cert-manager` requires internet access ([to at least `acme-v02.api.letsencrypt.org`](https://letsencrypt.org/docs/acme-protocol-updates/)) to issue TLS certs. If you have chosen to keep the network private i.e. `private_deployment=true` for the VMs when applying nftables rules aka no internet access to VMs, then we need to make a temporary exception for this. +> **Note**: Using Let's Encrypt with `cert-manager` requires internet access ([to at least `acme-v02.api.letsencrypt.org`](https://letsencrypt.org/docs/acme-protocol-updates/)) to issue TLS certificates. If you have chosen to keep the network private, that is `private_deployment=true` for the VMs when applying nftables rules, then you need to make a temporary exception for this traffic. The same outbound access will also be required later for certificate renewals (after 180 days). > -> To add a nftables masquerading rule for all outgoing traffic run the following command on the `adminhost` or make a similar change in your firewall: +> To temporarily provide outbound internet access from the VMs, add the following nftables masquerading rule on the `adminhost`. Replace `INF_WAN` with the WAN interface that should carry this traffic, or make an equivalent change in your firewall: > > ```bash > # Host WAN interface name 
@@ -402,7 +402,7 @@ If you observe HTTP-01 challenge timeouts or self-check failures in a NAT/bridge xargs -r -I {} sudo nft delete rule ip nat POSTROUTING handle {} ``` -> **Note**: If above you had made an exception to allow temporary internet access to VMs by adding a nftables rules, then this should be removed now. +> **Note**: If you added an nftables rule above to allow temporary internet access for the VMs, remove it after certificate issuance is complete. > > To remove the nftables masquerading rule for all outgoing traffic run the following command: > @@ -416,7 +416,7 @@ If you observe HTTP-01 challenge timeouts or self-check failures in a NAT/bridge > > If you are using a different implementation than nftables then please ensure temporary Internet access to VMs has been removed. -For additional background on when hairpin NAT is required and how it relates to WIAB Dev and WIAB Staging, see [Hairpin networking for WIAB Dev and WIAB Staging](tls-certificates.md#hairpin-networking-for-wiab-dev-and-wiab-staging). +> **Note**: If email delivery is not working, or if Android/iOS push notifications are still not working after you have configured the required AWS credentials, ensure the required outbound access is allowed as explained at [Internet access for VMs](#internet-access-for-vms). ## Further Reading From af648c1f9f073592d6d3a56ab22c7c043fe60228 Mon Sep 17 00:00:00 2001 From: mohitrajain Date: Wed, 1 Apr 2026 13:44:36 +0200 Subject: [PATCH 12/13] fix wpb-23987: update wiab-staging documentation to add information about internet behaviour --- offline/wiab-staging.md | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/offline/wiab-staging.md b/offline/wiab-staging.md index 199ed69ec..8c3d68486 100644 --- a/offline/wiab-staging.md +++ b/offline/wiab-staging.md 
@@ -120,7 +120,7 @@ cd wire-server-deploy A sample inventory is available at [ansible/inventory/demo/wiab-staging.yml](https://github.com/wireapp/wire-server-deploy/blob/master/ansible/inventory/demo/wiab-staging.yml). Replace example.com with your physical machine (`adminhost`) address where KVM is available and adjust other variables like `ansible_user` and `ansible_ssh_private_key_file`. The SSH user for ansible `ansible_user` should have password-less `sudo` access. The adminhost should be running Ubuntu 22.04. From here on, we would refer the physical machine as `adminhost`. -The `private_deployment` variable determines whether the VMs created below will have internet access. When set to `true` (default value), no internet access is available to VMs. Check [Internet access for VMs](#internet-access-for-vms) to understand more about it. +The `private_deployment` variable determines whether the VMs created below will have internet access. When set to `true` (default value), no internet access is available to VMs. Check [Network Traffic Configuration](#network-traffic-configuration) to understand more about it. **Step 3: Run the VM and network provision** 
@@ -230,7 +230,8 @@ The `adminhost` must forward traffic from external clients to the Kubernetes clu - All other inbound traffic to adminhost → drop → default deny policy 4. **Masquerading (If [Internet access for VMs](#internet-access-for-vms) is required)** – Enable outbound connectivity for VMs - - Any traffic from VM subnet leaving via WAN interface → SNAT/masquerade → ensures return traffic from internet. + - Any traffic from VM subnet leaving via WAN interface → SNAT/masquerade → ensures return traffic from internet. + - Controlled by the variable `private_deployment` 5. **Conditional Rules (cert-manager / HTTP-01 in NAT setups)** – Temporary adjustments for certificate validation - DNAT hairpin traffic (VM → public IP → VM) → may require SNAT/masquerade on VM bridge → ensures return path during HTTP-01 self-checks @@ -283,6 +284,9 @@ If you have already used the `wiab-staging-provision.yml` ansible playbook to cr ```bash ansible-playbook -i ansible/inventory/demo/wiab-staging.yml ansible/wiab-staging-provision.yml --tags nftables ``` + +> **Note:** You can use this playbook to change the internet access to VMs by modifying the variable `private_deployment` and re-run the above playbook. + Alternatively, if you have not used the `wiab-staging-provision.yml` ansible playbook to create the VMs but would like to configure nftables rules, you can invoke the ansible playbook [wiab-staging-nftables.yaml](https://github.com/wireapp/wire-server-deploy/blob/master/ansible/wiab-staging-nftables.yaml) against the physical node. The playbook is available in the directory `wire-server-deploy/ansible`. The inventory file `inventory.yml` should define the following variables: From c862217a7fbd41162fda89e159b10e37d2380b30 Mon Sep 17 00:00:00 2001 From: mohitrajain Date: Wed, 1 Apr 2026 13:47:59 +0200 Subject: [PATCH 13/13] fix wpb-23987: update artifact hash for wiab-stag-5.5-1 --- ansible/inventory/demo/wiab-staging.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/ansible/inventory/demo/wiab-staging.yml b/ansible/inventory/demo/wiab-staging.yml
index 1ff9bfc62..a3fda05b7 100644
--- a/ansible/inventory/demo/wiab-staging.yml
+++ b/ansible/inventory/demo/wiab-staging.yml
@@ -6,6 +6,6 @@ wiab-staging:
 ansible_user: 'demo'
 ansible_ssh_private_key_file: "~/.ssh/id_ed25519"
 vars:
- artifact_hash: deed80d356cbbc2274de3b125313dfa506a1034e
+ artifact_hash: 8cd7cf27c149f990a9bca54f196e21fc326cde04
 # when enabled, disable WAN SNAT/masquerading for VMs on the private network
 private_deployment: true