From 24413642692f7bf25a691b6d5a21ab5329e70dc4 Mon Sep 17 00:00:00 2001 
From: matthieu42morin Date: Sat, 16 Mar 2024 10:23:34 +0100 Subject: [PATCH] save --- .gitignore | 22 +- .terraform.lock.hcl | 45 ++++ main.tf | 27 ++- modules/matts-vault-starter/main.tf | 89 ++++++++ .../matts-vault-starter/modules/iam/README.md | 21 ++ .../matts-vault-starter/modules/iam/main.tf | 120 ++++++++++ .../modules/iam/outputs.tf | 10 + .../modules/iam/variables.tf | 38 ++++ .../matts-vault-starter/modules/kms/README.md | 17 ++ .../matts-vault-starter/modules/kms/main.tf | 20 ++ .../modules/kms/outputs.tf | 10 + .../modules/kms/variables.tf | 28 +++ .../modules/load_balancer/README.md | 29 +++ .../modules/load_balancer/main.tf | 95 ++++++++ .../modules/load_balancer/outputs.tf | 31 +++ .../modules/load_balancer/variables.tf | 64 ++++++ .../modules/networking/README.md | 15 ++ .../modules/networking/main.tf | 10 + .../modules/networking/outputs.tf | 10 + .../modules/networking/variables.tf | 11 + .../modules/user_data/README.md | 25 +++ .../modules/user_data/main.tf | 22 ++ .../modules/user_data/outputs.tf | 10 + .../user_data/templates/install_vault.sh.tpl | 83 +++++++ .../modules/user_data/variables.tf | 43 ++++ .../matts-vault-starter/modules/vm/README.md | 30 +++ .../matts-vault-starter/modules/vm/data.tf | 3 + .../matts-vault-starter/modules/vm/main.tf | 205 ++++++++++++++++++ .../matts-vault-starter/modules/vm/outputs.tf | 21 ++ .../modules/vm/variables.tf | 86 ++++++++ modules/matts-vault-starter/outputs.tf | 71 ++++++ modules/matts-vault-starter/variables.tf | 194 +++++++++++++++++ modules/matts-vault-starter/versions.tf | 14 ++ modules/{vpc-secrets => networking}/README.md | 0 modules/networking/data.tf | 3 + modules/networking/main.tf | 51 +++++ .../modules}/aws-vpc/main.tf | 2 +- .../modules}/aws-vpc/outputs.tf | 0 .../modules}/aws-vpc/variables.tf | 5 +- modules/networking/modules/bastion/locals.tf | 9 + modules/networking/modules/bastion/main.tf | 0 .../bastion/modules/aws_lb_443_22/main.tf | 89 ++++++++ 
.../modules/aws_lb_443_22/variables.tf | 23 ++ .../modules/vpc-secrets}/acm.tf | 0 .../modules/vpc-secrets}/main.tf | 0 .../modules/vpc-secrets}/outputs.tf | 0 .../modules/vpc-secrets}/tls.tf | 8 +- .../modules/vpc-secrets}/variables.tf | 1 - .../{vpc-secrets => networking}/outputs.tf | 1 + modules/networking/variables.tf | 96 ++++++++ .../{vpc-secrets => networking}/versions.tf | 0 modules/vpc-secrets/main.tf | 25 --- modules/vpc-secrets/variables.tf | 32 --- outputs.tf | 35 +++ providers.tf | 15 +- variables.tf | 71 +++--- vault.tfplan | Bin 0 -> 58451 bytes 57 files changed, 1853 insertions(+), 132 deletions(-) create mode 100644 .terraform.lock.hcl create mode 100644 modules/matts-vault-starter/main.tf create mode 100644 modules/matts-vault-starter/modules/iam/README.md create mode 100644 modules/matts-vault-starter/modules/iam/main.tf create mode 100644 modules/matts-vault-starter/modules/iam/outputs.tf create mode 100644 modules/matts-vault-starter/modules/iam/variables.tf create mode 100644 modules/matts-vault-starter/modules/kms/README.md create mode 100644 modules/matts-vault-starter/modules/kms/main.tf create mode 100644 modules/matts-vault-starter/modules/kms/outputs.tf create mode 100644 modules/matts-vault-starter/modules/kms/variables.tf create mode 100644 modules/matts-vault-starter/modules/load_balancer/README.md create mode 100644 modules/matts-vault-starter/modules/load_balancer/main.tf create mode 100644 modules/matts-vault-starter/modules/load_balancer/outputs.tf create mode 100644 modules/matts-vault-starter/modules/load_balancer/variables.tf create mode 100644 modules/matts-vault-starter/modules/networking/README.md create mode 100644 modules/matts-vault-starter/modules/networking/main.tf create mode 100644 modules/matts-vault-starter/modules/networking/outputs.tf create mode 100644 modules/matts-vault-starter/modules/networking/variables.tf create mode 100644 modules/matts-vault-starter/modules/user_data/README.md create mode 100644 
modules/matts-vault-starter/modules/user_data/main.tf create mode 100644 modules/matts-vault-starter/modules/user_data/outputs.tf create mode 100644 modules/matts-vault-starter/modules/user_data/templates/install_vault.sh.tpl create mode 100644 modules/matts-vault-starter/modules/user_data/variables.tf create mode 100644 modules/matts-vault-starter/modules/vm/README.md create mode 100644 modules/matts-vault-starter/modules/vm/data.tf create mode 100644 modules/matts-vault-starter/modules/vm/main.tf create mode 100644 modules/matts-vault-starter/modules/vm/outputs.tf create mode 100644 modules/matts-vault-starter/modules/vm/variables.tf create mode 100644 modules/matts-vault-starter/outputs.tf create mode 100644 modules/matts-vault-starter/variables.tf create mode 100644 modules/matts-vault-starter/versions.tf rename modules/{vpc-secrets => networking}/README.md (100%) create mode 100644 modules/networking/data.tf create mode 100644 modules/networking/main.tf rename modules/{vpc-secrets => networking/modules}/aws-vpc/main.tf (94%) rename modules/{vpc-secrets => networking/modules}/aws-vpc/outputs.tf (100%) rename modules/{vpc-secrets => networking/modules}/aws-vpc/variables.tf (91%) create mode 100644 modules/networking/modules/bastion/locals.tf create mode 100644 modules/networking/modules/bastion/main.tf create mode 100644 modules/networking/modules/bastion/modules/aws_lb_443_22/main.tf create mode 100644 modules/networking/modules/bastion/modules/aws_lb_443_22/variables.tf rename modules/{vpc-secrets/secrets => networking/modules/vpc-secrets}/acm.tf (100%) rename modules/{vpc-secrets/secrets => networking/modules/vpc-secrets}/main.tf (100%) rename modules/{vpc-secrets/secrets => networking/modules/vpc-secrets}/outputs.tf (100%) rename modules/{vpc-secrets/secrets => networking/modules/vpc-secrets}/tls.tf (92%) rename modules/{vpc-secrets/secrets => networking/modules/vpc-secrets}/variables.tf (97%) rename modules/{vpc-secrets => networking}/outputs.tf (99%) 
create mode 100644 modules/networking/variables.tf rename modules/{vpc-secrets => networking}/versions.tf (100%) delete mode 100644 modules/vpc-secrets/main.tf delete mode 100644 modules/vpc-secrets/variables.tf create mode 100644 outputs.tf create mode 100644 vault.tfplan diff --git a/.gitignore b/.gitignore index fc4c2ae..29497df 100644 --- a/.gitignore +++ b/.gitignore @@ -6,6 +6,9 @@ *.tfstate *.tfstate.* +# Backend config public ignore +backend.hcl + # Crash log files crash.log crash.*.log @@ -33,22 +36,3 @@ override.tf.json # Ignore CLI configuration files .terraformrc terraform.rc - -# ---> Ansible -*.retry - -# ---> Linux -*~ - -# temporary files which can be created if a process still has a handle open of a deleted file -.fuse_hidden* - -# KDE directory preferences -.directory - -# Linux trash folder which might appear on any partition or disk -.Trash-* - -# .nfs files are created when an open file is removed but is still being accessed -.nfs* - diff --git a/.terraform.lock.hcl b/.terraform.lock.hcl new file mode 100644 index 0000000..b41dc7d --- /dev/null +++ b/.terraform.lock.hcl 
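Review bot: The ignore list still admits Terraform plan files, and this same commit checks in the binary `vault.tfplan` (diffstat: `Bin 0 -> 58451 bytes`); a saved plan serializes planned resource attribute values in plaintext, sensitive-marked values included, so it does not belong in version control. Add `*.tfplan` alongside the new `backend.hcl` entry, e.g. `# Saved plans embed resource attribute values, including sensitive ones` followed by `*.tfplan`, and drop the already-committed file with `git rm --cached vault.tfplan`. Removing the Ansible/Linux patterns is fine as long as nothing else in the repository depended on them.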
@@ -0,0 +1,45 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/aws" { + version = "5.39.0" + constraints = ">= 3.0.0, >= 3.15.0, >= 4.0.0" + hashes = [ + "h1:isoOv/JipnnPD3j8Df6XwGU1i4egjlygrgBv0RfsZ7g=", + "zh:01e405306470ed784bc9d38dbaeff394bd2c0f7d58e5592c5d0165c87d84e4b0", + "zh:0328fbd42a91e50601318d2c364a80ebd3b4e5755c85df6fafd2fed80bc54598", + "zh:042420e08d1ef1e2ed51c394539a6db27e031bedb9eaa19db9ccaf9fa93b9b36", + "zh:47dee460b2c06676e16f5070fff71e5e9eb24b74bcd7b4f7b53eea8ebd3c972f", + "zh:49c34f21a05bf5150e3a0a87c997fcd831ae81e3f2df86191e2fdd231525b585", + "zh:4d5a98726216e260296bdc13e562179a743ef4738b65154da697c2d9e9eb5c9b", + "zh:7fb08af13c868d8d20519b373eeb6707a0cea078495123e28e71727993474f53", + "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", + "zh:a57e7e44f79991e55be02f2b147a433b5a2690188be0510409b79e9b00e37009", + "zh:aeeb120cd6245f67ae3e52e13005c2dc1f091787564dd6b39ee6c05b2c239c53", + "zh:b5d39c6e55d0355f9fd93a802355166bd27edaf9acb753b190562474447674b2", + "zh:cfcc1922b380db5f90fd5ffc1e49fb9f316e6c41de4603f65b05d20ace72e15e", + "zh:d221d8cea09229743d2647944c0420a8e9e5d7e3ff088b30cbce85a8b051dcab", + "zh:dccca0239df6d39686b0f0947040b3c0e1270a4bab268c402b742cf5a7759296", + "zh:ef0564fb70e8210db9bf472f662e093a1a1f204a1c1cb46467231be1a78882f3", + ] +} + +provider "registry.terraform.io/hashicorp/tls" { + version = "4.0.5" + constraints = ">= 3.0.0" + hashes = [ + "h1:gthwVUwv0WLGMwx7GR/N6XyIONzrSJJaXD6dDJB4FlY=", + "zh:01cfb11cb74654c003f6d4e32bbef8f5969ee2856394a96d127da4949c65153e", + "zh:0472ea1574026aa1e8ca82bb6df2c40cd0478e9336b7a8a64e652119a2fa4f32", + "zh:1a8ddba2b1550c5d02003ea5d6cdda2eef6870ece86c5619f33edd699c9dc14b", + "zh:1e3bb505c000adb12cdf60af5b08f0ed68bc3955b0d4d4a126db5ca4d429eb4a", + "zh:6636401b2463c25e03e68a6b786acf91a311c78444b1dc4f97c539f9f78de22a", + 
"zh:76858f9d8b460e7b2a338c477671d07286b0d287fd2d2e3214030ae8f61dd56e", + "zh:a13b69fb43cb8746793b3069c4d897bb18f454290b496f19d03c3387d1c9a2dc", + "zh:a90ca81bb9bb509063b736842250ecff0f886a91baae8de65c8430168001dad9", + "zh:c4de401395936e41234f1956ebadbd2ed9f414e6908f27d578614aaa529870d4", + "zh:c657e121af8fde19964482997f0de2d5173217274f6997e16389e7707ed8ece8", + "zh:d68b07a67fbd604c38ec9733069fbf23441436fecf554de6c75c032f82e1ef19", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} diff --git a/main.tf b/main.tf index 73bec56..8469303 100644 --- a/main.tf +++ b/main.tf @@ -1,20 +1,20 @@ -module "vpc-secrets" { - source = "./modules/vpc-secrets" +module "networking" { + source = "./modules/networking" + azs = var.azs + shared_san = var.shared_san resource_name_prefix = var.resource_name_prefix } module "vault-starter" { - source = "hashicorp/vault-starter/aws" - version = "1.0.0" + source = "./modules/matts-vault-starter" vault_version = var.vault_version node_count = var.node_count - resource_name_prefix = var.resource_name_prefix instance_type = var.instance_type # user_supplied_iam_role_name = var.user_supplied_iam_role_name user_supplied_ami_id = var.user_supplied_ami_id # user_supplied_kms_key_arn = var.user_supplied_kms_key_arn - user_supplied_userdata_path = var.user_supplied_userdata_path + # user_supplied_userdata_path = var.user_supplied_userdata_path lb_type = var.lb_type lb_health_check_path = var.lb_health_check_path 
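Review bot: `resource_name_prefix = var.resource_name_prefix` is removed from the `vault-starter` call while `module "networking"` still receives it, so the two modules only share a prefix if the vendored module's default happens to equal the root value (its variables.tf is not in this excerpt); IAM role, KMS key, security-group and LB names are all derived from that prefix, so a mismatch makes the two halves of the stack hard to correlate and can collide with a second deployment. Restore the line, `resource_name_prefix = var.resource_name_prefix`, directly under `source`. Swapping the registry source `hashicorp/vault-starter/aws` v1.0.0 for `./modules/matts-vault-starter` also drops the version pin, which deserves a comment on `source` naming the upstream version the copy was taken from.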
@@ -24,13 +24,12 @@ module "vault-starter" { kms_key_deletion_window = var.kms_key_deletion_window ssl_policy = var.ssl_policy - # === Supplied by ./modules/vpc-secrets === - depends_on = [module.vpc-secrets] - - private_subnet_tags = module.vpc-secrets.private_subnet_ids - secrets_manager_arn = module.vpc-secrets.secrets_manager_arn - vpc_id = module.vpc-secrets.vpc_id - lb_certificate_arn = module.vpc-secrets.lb_certificate_arn - leader_tls_servername = module.vpc-secrets.leader_tls_servername + # === Supplied by ./modules/networking === + depends_on = [module.networking] + private_subnet_ids = module.networking.private_subnet_ids + secrets_manager_arn = module.networking.secrets_manager_arn + vpc_id = module.networking.vpc_id + lb_certificate_arn = module.networking.lb_certificate_arn + leader_tls_servername = module.networking.leader_tls_servername } \ No newline at end of file diff --git a/modules/matts-vault-starter/main.tf b/modules/matts-vault-starter/main.tf new file mode 100644 index 0000000..74db698 --- /dev/null +++ b/modules/matts-vault-starter/main.tf 
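Review bot: `depends_on = [module.networking]` is redundant and counterproductive: the five inputs below it already reference `module.networking` outputs, which gives Terraform the ordering, and a module-level `depends_on` forces every data source inside the vault-starter module (for example `data.aws_vpc.selected` in its networking submodule, added elsewhere in this commit) to defer its read until apply, which tends to surface as perpetual "known after apply" diffs. Drop the `depends_on` line and keep the `# === Supplied by ./modules/networking ===` comment. The closing brace of this hunk is also the end of the file; adding the missing trailing newline would clear the `\ No newline at end of file` marker.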
@@ -0,0 +1,89 @@ +/** + * Copyright © 2014-2022 HashiCorp, Inc. + * + * This Source Code is subject to the terms of the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this project, you can obtain one at http://mozilla.org/MPL/2.0/. + * + */ + +data "aws_region" "current" {} + +module "iam" { + source = "./modules/iam" + + aws_region = data.aws_region.current.name + kms_key_arn = module.kms.kms_key_arn + permissions_boundary = var.permissions_boundary + resource_name_prefix = var.resource_name_prefix + secrets_manager_arn = var.secrets_manager_arn + user_supplied_iam_role_name = var.user_supplied_iam_role_name +} + +module "kms" { + source = "./modules/kms" + + common_tags = var.common_tags + kms_key_deletion_window = var.kms_key_deletion_window + resource_name_prefix = var.resource_name_prefix + user_supplied_kms_key_arn = var.user_supplied_kms_key_arn +} + +module "loadbalancer" { + source = "./modules/load_balancer" + + allowed_inbound_cidrs = var.allowed_inbound_cidrs_lb + common_tags = var.common_tags + lb_certificate_arn = var.lb_certificate_arn + lb_deregistration_delay = var.lb_deregistration_delay + lb_health_check_path = var.lb_health_check_path + lb_subnets = var.private_subnet_ids + lb_type = var.lb_type + resource_name_prefix = var.resource_name_prefix + ssl_policy = var.ssl_policy + vault_sg_id = module.vm.vault_sg_id + vpc_id = module.networking.vpc_id +} + +module "networking" { + source = "./modules/networking" + + vpc_id = var.vpc_id +} + +module "user_data" { + source = "./modules/user_data" + + aws_region = data.aws_region.current.name + kms_key_arn = module.kms.kms_key_arn + leader_tls_servername = var.leader_tls_servername + resource_name_prefix = var.resource_name_prefix + secrets_manager_arn = var.secrets_manager_arn + user_supplied_userdata_path = var.user_supplied_userdata_path + vault_version = var.vault_version +} + +locals { + vault_target_group_arns = concat( + [module.loadbalancer.vault_target_group_arn], 
+ var.additional_lb_target_groups, + ) +} + +module "vm" { + source = "./modules/vm" + + allowed_inbound_cidrs = var.allowed_inbound_cidrs_lb + allowed_inbound_cidrs_ssh = var.allowed_inbound_cidrs_ssh + aws_iam_instance_profile = module.iam.aws_iam_instance_profile + common_tags = var.common_tags + instance_type = var.instance_type + key_name = var.key_name + lb_type = var.lb_type + node_count = var.node_count + resource_name_prefix = var.resource_name_prefix + userdata_script = module.user_data.vault_userdata_base64_encoded + user_supplied_ami_id = var.user_supplied_ami_id + vault_lb_sg_id = module.loadbalancer.vault_lb_sg_id + vault_subnets = var.private_subnet_ids + vault_target_group_arns = local.vault_target_group_arns + vpc_id = module.networking.vpc_id +} diff --git a/modules/matts-vault-starter/modules/iam/README.md b/modules/matts-vault-starter/modules/iam/README.md new file mode 100644 index 0000000..5f6c896 --- /dev/null +++ b/modules/matts-vault-starter/modules/iam/README.md @@ -0,0 +1,21 @@ +# AWS IAM Module + +## Required variables + +* `aws_region` - Specific AWS region being used +* `kms_key_arn` - KMS Key ARN used for Vault auto-unseal permissions +* `resource_name_prefix` - Resource name prefix used for tagging and naming AWS resources +* `secrets_manager_arn` - Secrets manager ARN where TLS cert info is stored + +## Example usage + +```hcl +module "iam" { + source = "./modules/iam" + + aws_region = data.aws_region.current.name + kms_key_arn = var.kms_key_arn + resource_name_prefix = var.resource_name_prefix + secrets_manager_arn = var.secrets_manager_arn +} +``` diff --git a/modules/matts-vault-starter/modules/iam/main.tf b/modules/matts-vault-starter/modules/iam/main.tf new file mode 100644 index 0000000..a3e4d43 --- /dev/null +++ b/modules/matts-vault-starter/modules/iam/main.tf 
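Review bot: The file carries the HashiCorp MPL-2.0 header verbatim but nothing records that it is a locally modified copy of the registry module `hashicorp/vault-starter/aws` v1.0.0 that the root `main.tf` previously pinned, so a later reader cannot separate upstream code from local edits or know which upstream release to diff against when a fix lands there. Add a line under the license block such as `# Vendored from hashicorp/vault-starter/aws v1.0.0; local change: the private_subnet_tags input was replaced by private_subnet_ids` (extend the list to the real delta). Note also that `module "vm"` receives `allowed_inbound_cidrs = var.allowed_inbound_cidrs_lb`, the same CIDR list that opens the load balancer; whether that list is also meant to reach the Vault nodes directly depends on the vm submodule, which is outside this hunk, and is worth a comment at the call site either way.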
@@ -0,0 +1,120 @@ +/** + * Copyright © 2014-2022 HashiCorp, Inc. + * + * This Source Code is subject to the terms of the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this project, you can obtain one at http://mozilla.org/MPL/2.0/. + * + */ + +resource "aws_iam_instance_profile" "vault" { + name_prefix = "${var.resource_name_prefix}-vault" + role = var.user_supplied_iam_role_name != null ? var.user_supplied_iam_role_name : aws_iam_role.instance_role[0].name +} + +resource "aws_iam_role" "instance_role" { + count = var.user_supplied_iam_role_name != null ? 0 : 1 + name_prefix = "${var.resource_name_prefix}-vault" + permissions_boundary = var.permissions_boundary + assume_role_policy = data.aws_iam_policy_document.instance_role.json +} + +data "aws_iam_policy_document" "instance_role" { + statement { + effect = "Allow" + actions = [ + "sts:AssumeRole", + ] + + principals { + type = "Service" + identifiers = ["ec2.amazonaws.com"] + } + } +} + +resource "aws_iam_role_policy" "cloud_auto_join" { + count = var.user_supplied_iam_role_name != null ? 0 : 1 + name = "${var.resource_name_prefix}-vault-auto-join" + role = aws_iam_role.instance_role[0].id + policy = data.aws_iam_policy_document.cloud_auto_join.json +} + +data "aws_iam_policy_document" "cloud_auto_join" { + statement { + effect = "Allow" + + actions = [ + "ec2:DescribeInstances", + ] + + resources = ["*"] + } +} + +resource "aws_iam_role_policy" "auto_unseal" { + count = var.user_supplied_iam_role_name != null ? 0 : 1 + name = "${var.resource_name_prefix}-vault-auto-unseal" + role = aws_iam_role.instance_role[0].id + policy = data.aws_iam_policy_document.auto_unseal.json +} + +data "aws_iam_policy_document" "auto_unseal" { + statement { + effect = "Allow" + + actions = [ + "kms:DescribeKey", + "kms:Encrypt", + "kms:Decrypt", + ] + + resources = [ + var.kms_key_arn, + ] + } +} + +resource "aws_iam_role_policy" "session_manager" { + count = var.user_supplied_iam_role_name != null ? 
0 : 1 + name = "${var.resource_name_prefix}-vault-ssm" + role = aws_iam_role.instance_role[0].id + policy = data.aws_iam_policy_document.session_manager.json +} + +data "aws_iam_policy_document" "session_manager" { + statement { + effect = "Allow" + + actions = [ + "ssm:UpdateInstanceInformation", + "ssmmessages:CreateControlChannel", + "ssmmessages:CreateDataChannel", + "ssmmessages:OpenControlChannel", + "ssmmessages:OpenDataChannel" + ] + + resources = [ + "*", + ] + } +} + +resource "aws_iam_role_policy" "secrets_manager" { + count = var.user_supplied_iam_role_name != null ? 0 : 1 + name = "${var.resource_name_prefix}-vault-secrets-manager" + role = aws_iam_role.instance_role[0].id + policy = data.aws_iam_policy_document.secrets_manager.json +} + +data "aws_iam_policy_document" "secrets_manager" { + statement { + effect = "Allow" + + actions = [ + "secretsmanager:GetSecretValue", + ] + + resources = [ + var.secrets_manager_arn, + ] + } +} diff --git a/modules/matts-vault-starter/modules/iam/outputs.tf b/modules/matts-vault-starter/modules/iam/outputs.tf new file mode 100644 index 0000000..09ff44a --- /dev/null +++ b/modules/matts-vault-starter/modules/iam/outputs.tf @@ -0,0 +1,10 @@ +/** + * Copyright © 2014-2022 HashiCorp, Inc. + * + * This Source Code is subject to the terms of the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this project, you can obtain one at http://mozilla.org/MPL/2.0/. + * + */ + +output "aws_iam_instance_profile" { + value = aws_iam_instance_profile.vault.name +} diff --git a/modules/matts-vault-starter/modules/iam/variables.tf b/modules/matts-vault-starter/modules/iam/variables.tf new file mode 100644 index 0000000..ba71329 --- /dev/null +++ b/modules/matts-vault-starter/modules/iam/variables.tf 
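Review bot: The `secrets_manager` policy grants only `secretsmanager:GetSecretValue` on `var.secrets_manager_arn`; if that secret is encrypted under a customer-managed KMS key rather than the AWS-managed `aws/secretsmanager` key, the instance role also needs `kms:Decrypt` on that key, and the `auto_unseal` statement scopes Decrypt to the unseal key alone, so the TLS fetch would fail at boot. Either document the assumption above the policy, `# Assumes the TLS secret uses the AWS-managed aws/secretsmanager key; a CMK needs kms:Decrypt here too`, or accept an optional secret-key ARN and add it to the `auto_unseal` resources. Separately, `session_manager` gives every Vault node an interactive Session Manager channel; the wildcard resources are unavoidable for the `ssmmessages` actions, but the policy as a whole could sit behind a variable, and a comment should say that a shell on a node exposes the unsealed Vault process and the TLS private key it fetched.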
@@ -0,0 +1,38 @@ +/** + * Copyright © 2014-2022 HashiCorp, Inc. + * + * This Source Code is subject to the terms of the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this project, you can obtain one at http://mozilla.org/MPL/2.0/. + * + */ + +variable "aws_region" { + type = string + description = "Specific AWS region being used" +} + +variable "kms_key_arn" { + type = string + description = "KMS Key ARN used for Vault auto-unseal permissions" +} + +variable "permissions_boundary" { + description = "(Optional) IAM Managed Policy to serve as permissions boundary for IAM Role" + type = string + default = null +} + +variable "resource_name_prefix" { + type = string + description = "Resource name prefix used for tagging and naming AWS resources" +} + +variable "secrets_manager_arn" { + type = string + description = "Secrets manager ARN where TLS cert info is stored" +} + +variable "user_supplied_iam_role_name" { + type = string + description = "(OPTIONAL) User-provided IAM role name. This will be used for the instance profile provided to the AWS launch configuration. The minimum permissions must match the defaults generated by the IAM submodule for cloud auto-join and auto-unseal." + default = null +} diff --git a/modules/matts-vault-starter/modules/kms/README.md b/modules/matts-vault-starter/modules/kms/README.md new file mode 100644 index 0000000..6242581 --- /dev/null +++ b/modules/matts-vault-starter/modules/kms/README.md @@ -0,0 +1,17 @@ +# AWS KMS Module + +## Required variables + +* `kms_key_deletion_window` - Duration in days after which the key is deleted after destruction of the resource (must be between 7 and 30 days) +* `resource_name_prefix` - Resource name prefix used for tagging and naming AWS resources + +## Example usage + +```hcl +module "kms" { + source = "./modules/kms" + + kms_key_deletion_window = var.kms_key_deletion_window + resource_name_prefix = var.resource_name_prefix +} +``` 
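Review bot: `aws_region` is declared as a required input (and the parent passes `data.aws_region.current.name`), but the module's main.tf in this commit never references `var.aws_region`, so callers must supply a value that has no effect. Either remove the variable from this file, the README and the `module "iam"` call, or, if it is reserved for a future region-scoped policy condition, say so: `description = "(Unused) AWS region; reserved for region-scoped policy conditions"`.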
diff --git a/modules/matts-vault-starter/modules/kms/main.tf b/modules/matts-vault-starter/modules/kms/main.tf new file mode 100644 index 0000000..ef47765 --- /dev/null +++ b/modules/matts-vault-starter/modules/kms/main.tf @@ -0,0 +1,20 @@ +/** + * Copyright © 2014-2022 HashiCorp, Inc. + * + * This Source Code is subject to the terms of the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this project, you can obtain one at http://mozilla.org/MPL/2.0/. + * + */ + +resource "aws_kms_key" "vault" { + count = var.user_supplied_kms_key_arn != null ? 0 : 1 + deletion_window_in_days = var.kms_key_deletion_window + description = "AWS KMS Customer-managed key used for Vault auto-unseal and encryption" + enable_key_rotation = false + is_enabled = true + key_usage = "ENCRYPT_DECRYPT" + + tags = merge( + { Name = "${var.resource_name_prefix}-vault-key" }, + var.common_tags, + ) +} diff --git a/modules/matts-vault-starter/modules/kms/outputs.tf b/modules/matts-vault-starter/modules/kms/outputs.tf new file mode 100644 index 0000000..885ce50 --- /dev/null +++ b/modules/matts-vault-starter/modules/kms/outputs.tf @@ -0,0 +1,10 @@ +/** + * Copyright © 2014-2022 HashiCorp, Inc. + * + * This Source Code is subject to the terms of the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this project, you can obtain one at http://mozilla.org/MPL/2.0/. + * + */ + +output "kms_key_arn" { + value = var.user_supplied_kms_key_arn != null ? var.user_supplied_kms_key_arn : aws_kms_key.vault[0].arn +} diff --git a/modules/matts-vault-starter/modules/kms/variables.tf b/modules/matts-vault-starter/modules/kms/variables.tf new file mode 100644 index 0000000..b6eb6ca --- /dev/null +++ b/modules/matts-vault-starter/modules/kms/variables.tf 
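Review bot: `enable_key_rotation = false` leaves the auto-unseal key on a single key version for its whole life; annual rotation of a symmetric customer-managed key is transparent to callers (KMS retains earlier versions for decrypt), so Vault's seal keeps working, and enabling it is a standard CIS AWS Foundations check that most account scanners flag. Change the line to `enable_key_rotation = true`, or expose it as a variable defaulting to true, with a comment recording the decision. The resource also relies on the default key policy (account root has full access and any IAM principal the account grants); if the account hosts other workloads, a `policy` that limits `kms:Decrypt` to the instance role from the iam submodule keeps the unseal key from being usable by unrelated roles.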
@@ -0,0 +1,28 @@ +/** + * Copyright © 2014-2022 HashiCorp, Inc. + * + * This Source Code is subject to the terms of the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this project, you can obtain one at http://mozilla.org/MPL/2.0/. + * + */ + +variable "common_tags" { + type = map(string) + description = "(Optional) Map of common tags for all taggable AWS resources." + default = {} +} + +variable "kms_key_deletion_window" { + type = number + description = "Duration in days after which the key is deleted after destruction of the resource (must be between 7 and 30 days)." +} + +variable "resource_name_prefix" { + type = string + description = "Resource name prefix used for tagging and naming AWS resources" +} + +variable "user_supplied_kms_key_arn" { + type = string + description = "(OPTIONAL) User-provided KMS key ARN. Providing this will disable the KMS submodule from generating a KMS key used for Vault auto-unseal" + default = null +} diff --git a/modules/matts-vault-starter/modules/load_balancer/README.md b/modules/matts-vault-starter/modules/load_balancer/README.md new file mode 100644 index 0000000..521bdd9 --- /dev/null +++ b/modules/matts-vault-starter/modules/load_balancer/README.md 
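Review bot: `kms_key_deletion_window` documents a 7–30 day range but has no `validation` block, so an out-of-range value is only rejected by the KMS API at apply time, after the plan has been approved. Add a validation to the variable so `terraform plan` catches it; `type` and `description` stay as they are.
```hcl
variable "kms_key_deletion_window" {
  # … unchanged: type and description …

  validation {
    condition     = var.kms_key_deletion_window >= 7 && var.kms_key_deletion_window <= 30
    error_message = "kms_key_deletion_window must be between 7 and 30 days."
  }
}
```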
@@ -0,0 +1,29 @@ +# AWS Load Balancer Module + +## Required variables + +* `lb_certificate_arn` - ARN of TLS certificate imported into ACM for use with LB listener +* `lb_health_check_path` - The endpoint to check for Vault's health status +* `lb_subnets` - Subnets where load balancer will be deployed +* `lb_type` - The type of load balancer to provision: network or application +* `resource_name_prefix` - Resource name prefix used for tagging and naming AWS resources +* `ssl_policy` - SSL policy to use on LB listener +* `vault_sg_id` - Security group ID of Vault cluster +* `vpc_id` - VPC ID where Vault will be deployed + +## Example usage + +```hcl +module "loadbalancer" { + source = "./modules/load_balancer" + + lb_certificate_arn = var.lb_certificate_arn + lb_health_check_path = var.lb_health_check_path + lb_subnets = var.vault_subnet_ids + lb_type = var.lb_type + resource_name_prefix = var.resource_name_prefix + ssl_policy = var.ssl_policy + vault_sg_id = var.vault_sg_id + vpc_id = var.vpc_id +} +``` diff --git a/modules/matts-vault-starter/modules/load_balancer/main.tf b/modules/matts-vault-starter/modules/load_balancer/main.tf new file mode 100644 index 0000000..c01b340 --- /dev/null +++ b/modules/matts-vault-starter/modules/load_balancer/main.tf 
@@ -0,0 +1,95 @@ +/** + * Copyright © 2014-2022 HashiCorp, Inc. + * + * This Source Code is subject to the terms of the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this project, you can obtain one at http://mozilla.org/MPL/2.0/. + * + */ + +resource "aws_security_group" "vault_lb" { + count = var.lb_type == "application" ? 1 : 0 + description = "Security group for the application load balancer" + name = "${var.resource_name_prefix}-vault-lb-sg" + vpc_id = var.vpc_id + + tags = merge( + { Name = "${var.resource_name_prefix}-vault-lb-sg" }, + var.common_tags, + ) +} + +resource "aws_security_group_rule" "vault_lb_inbound" { + count = var.lb_type == "application" && var.allowed_inbound_cidrs != null ? 1 : 0 + description = "Allow specified CIDRs access to load balancer on port 8200" + security_group_id = aws_security_group.vault_lb[0].id + type = "ingress" + from_port = 8200 + to_port = 8200 + protocol = "tcp" + cidr_blocks = var.allowed_inbound_cidrs +} + +resource "aws_security_group_rule" "vault_lb_outbound" { + count = var.lb_type == "application" ? 1 : 0 + description = "Allow outbound traffic from load balancer to Vault nodes on port 8200" + security_group_id = aws_security_group.vault_lb[0].id + type = "egress" + from_port = 8200 + to_port = 8200 + protocol = "tcp" + source_security_group_id = var.vault_sg_id +} + +locals { + lb_security_groups = var.lb_type == "network" ? null : [aws_security_group.vault_lb[0].id] + lb_protocol = var.lb_type == "network" ? "TCP" : "HTTPS" +} + +resource "aws_lb" "vault_lb" { + name = "${var.resource_name_prefix}-vault-lb" + internal = true + load_balancer_type = var.lb_type + subnets = var.lb_subnets + security_groups = local.lb_security_groups + drop_invalid_header_fields = var.lb_type == "application" ? 
true : null + + tags = merge( + { Name = "${var.resource_name_prefix}-vault-lb" }, + var.common_tags, + ) +} + +resource "aws_lb_target_group" "vault" { + name = "${var.resource_name_prefix}-vault-tg" + deregistration_delay = var.lb_deregistration_delay + target_type = "instance" + port = 8200 + protocol = local.lb_protocol + vpc_id = var.vpc_id + + health_check { + healthy_threshold = 2 + unhealthy_threshold = 2 + protocol = "HTTPS" + port = "traffic-port" + path = var.lb_health_check_path + interval = 30 + } + + tags = merge( + { Name = "${var.resource_name_prefix}-vault-tg" }, + var.common_tags, + ) +} + +resource "aws_lb_listener" "vault" { + load_balancer_arn = aws_lb.vault_lb.id + port = 8200 + protocol = local.lb_protocol + ssl_policy = local.lb_protocol == "HTTPS" ? var.ssl_policy : null + certificate_arn = local.lb_protocol == "HTTPS" ? var.lb_certificate_arn : null + + default_action { + type = "forward" + target_group_arn = aws_lb_target_group.vault.arn + } +} diff --git a/modules/matts-vault-starter/modules/load_balancer/outputs.tf b/modules/matts-vault-starter/modules/load_balancer/outputs.tf new file mode 100644 index 0000000..b23c333 --- /dev/null +++ b/modules/matts-vault-starter/modules/load_balancer/outputs.tf 
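Review bot: `aws_lb.vault_lb` has no `access_logs` block, so requests reaching the Vault API through the load balancer are not recorded anywhere outside whatever audit devices the install script configures (not visible here), which leaves incident responders with no source-IP record for the 8200 listener. Add an optional S3 access-log configuration driven by a new `lb_access_logs_bucket` variable (string, default `null`), with a comment noting that for `lb_type = "network"` the TCP listener produces no log entries, since NLB access logs only cover TLS listeners, so the logging is effective on the application path. `enable_deletion_protection = true` on the same resource would also stop an accidental `destroy` from taking the Vault endpoint down.
```hcl
resource "aws_lb" "vault_lb" {
  # … unchanged: name, internal, load_balancer_type, subnets, security_groups, drop_invalid_header_fields …

  # Request logging for the Vault endpoint. NLB access logs cover TLS listeners
  # only, so with lb_type = "network" and the TCP listener this records nothing.
  dynamic "access_logs" {
    for_each = var.lb_access_logs_bucket == null ? [] : [var.lb_access_logs_bucket]
    content {
      bucket  = access_logs.value
      prefix  = "${var.resource_name_prefix}-vault-lb"
      enabled = true
    }
  }

  # … unchanged: tags …
}
```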
@@ -0,0 +1,31 @@ +/** + * Copyright © 2014-2022 HashiCorp, Inc. + * + * This Source Code is subject to the terms of the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this project, you can obtain one at http://mozilla.org/MPL/2.0/. + * + */ + +output "vault_lb_arn" { + description = "ARN of Vault load balancer" + value = aws_lb.vault_lb.arn +} + +output "vault_lb_dns_name" { + description = "DNS name of Vault load balancer" + value = aws_lb.vault_lb.dns_name +} + +output "vault_lb_sg_id" { + description = "Security group ID of Vault load balancer" + value = var.lb_type == "application" ? aws_security_group.vault_lb[0].id : null +} + +output "vault_lb_zone_id" { + description = "Zone ID of Vault load balancer" + value = aws_lb.vault_lb.zone_id +} + +output "vault_target_group_arn" { + description = "Target group ARN to register Vault nodes with" + value = aws_lb_target_group.vault.arn +} diff --git a/modules/matts-vault-starter/modules/load_balancer/variables.tf b/modules/matts-vault-starter/modules/load_balancer/variables.tf new file mode 100644 index 0000000..319eaf0 --- /dev/null +++ b/modules/matts-vault-starter/modules/load_balancer/variables.tf 
@@ -0,0 +1,64 @@ +/** + * Copyright © 2014-2022 HashiCorp, Inc. + * + * This Source Code is subject to the terms of the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this project, you can obtain one at http://mozilla.org/MPL/2.0/. + * + */ + +variable "allowed_inbound_cidrs" { + type = list(string) + description = "List of CIDR blocks to permit inbound traffic from to load balancer" + default = null +} + +variable "common_tags" { + type = map(string) + description = "(Optional) Map of common tags for all taggable AWS resources." + default = {} +} + +variable "lb_certificate_arn" { + type = string + description = "ARN of TLS certificate imported into ACM for use with LB listener" +} + +variable "lb_deregistration_delay" { + type = string + description = "Amount time, in seconds, for Vault LB target group to wait before changing the state of a deregistering target from draining to unused." + default = 300 +} + +variable "lb_health_check_path" { + type = string + description = "The endpoint to check for Vault's health status." +} + +variable "lb_subnets" { + type = list(string) + description = "Subnets where load balancer will be deployed" +} + +variable "lb_type" { + description = "The type of load balancer to provison: network or application." + type = string +} + +variable "resource_name_prefix" { + type = string + description = "Resource name prefix used for tagging and naming AWS resources" +} + +variable "ssl_policy" { + type = string + description = "SSL policy to use on LB listener" +} + +variable "vault_sg_id" { + type = string + description = "Security group ID of Vault cluster" +} + +variable "vpc_id" { + type = string + description = "VPC ID where Vault will be deployed" +} diff --git a/modules/matts-vault-starter/modules/networking/README.md b/modules/matts-vault-starter/modules/networking/README.md new file mode 100644 index 0000000..564247a --- /dev/null +++ b/modules/matts-vault-starter/modules/networking/README.md 
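Review bot: `lb_type` is free-form, yet main.tf in this commit branches on exact string equality (`count = var.lb_type == "application" ? 1 : 0` and `var.lb_type == "network" ? null : [aws_security_group.vault_lb[0].id]`), so a value like `"Application"` creates no security group and then fails at plan with an index error on `aws_security_group.vault_lb[0]` instead of a clear message. Add a `validation` block and fix the `provison` typo in the description. `lb_deregistration_delay` is typed `string` with a numeric default of `300`; `type = number` matches how the target group consumes it.
```hcl
variable "lb_type" {
  description = "The type of load balancer to provision: network or application."
  type        = string

  validation {
    condition     = contains(["network", "application"], var.lb_type)
    error_message = "lb_type must be either \"network\" or \"application\"."
  }
}
```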
@@ -0,0 +1,15 @@ +# AWS Networking Module + +## Required variables + +* `vpc_id` - VPC ID where Vault will be deployed + +## Example usage + +```hcl +module "networking" { + source = "./modules/networking" + + vpc_id = var.vpc_id +} +``` diff --git a/modules/matts-vault-starter/modules/networking/main.tf b/modules/matts-vault-starter/modules/networking/main.tf new file mode 100644 index 0000000..df0f90b --- /dev/null +++ b/modules/matts-vault-starter/modules/networking/main.tf @@ -0,0 +1,10 @@ +/** + * Copyright © 2014-2022 HashiCorp, Inc. + * + * This Source Code is subject to the terms of the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this project, you can obtain one at http://mozilla.org/MPL/2.0/. + * + */ + +data "aws_vpc" "selected" { + id = var.vpc_id +} diff --git a/modules/matts-vault-starter/modules/networking/outputs.tf b/modules/matts-vault-starter/modules/networking/outputs.tf new file mode 100644 index 0000000..50bcf4b --- /dev/null +++ b/modules/matts-vault-starter/modules/networking/outputs.tf @@ -0,0 +1,10 @@ +/** + * Copyright © 2014-2022 HashiCorp, Inc. + * + * This Source Code is subject to the terms of the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this project, you can obtain one at http://mozilla.org/MPL/2.0/. + * + */ + +output "vpc_id" { + value = data.aws_vpc.selected.id +} diff --git a/modules/matts-vault-starter/modules/networking/variables.tf b/modules/matts-vault-starter/modules/networking/variables.tf new file mode 100644 index 0000000..dfd9e7f --- /dev/null +++ b/modules/matts-vault-starter/modules/networking/variables.tf 
@@ -0,0 +1,11 @@
+/**
+ * Copyright © 2014-2022 HashiCorp, Inc.
+ *
+ * This Source Code is subject to the terms of the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this project, you can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ */
+
+variable "vpc_id" {
+ type = string
+ description = "VPC ID where Vault will be deployed"
+}
diff --git a/modules/matts-vault-starter/modules/user_data/README.md b/modules/matts-vault-starter/modules/user_data/README.md
new file mode 100644
index 0000000..eee9832
--- /dev/null
+++ b/modules/matts-vault-starter/modules/user_data/README.md
@@ -0,0 +1,25 @@
+# AWS User Data Module
+
+## Required variables
+
+* `aws_region` - AWS region where Vault is being deployed
+* `kms_key_arn` - KMS Key ARN used for Vault auto-unseal
+* `leader_tls_servername` - One of the shared DNS SAN used to create the certs use for mTLS
+* `resource_name_prefix` - Resource name prefix used for tagging and naming AWS resources
+* `secrets_manager_arn` - Secrets manager ARN where TLS cert info is stored
+* `vault_version` - Vault version
+
+## Example usage
+
+```hcl
+module "user_data" {
+ source = "./modules/user_data"
+
+ aws_region = data.aws_region.current.name
+ kms_key_arn = var.kms_key_arn
+ leader_tls_servername = var.leader_tls_servername
+ resource_name_prefix = var.resource_name_prefix
+ secrets_manager_arn = var.secrets_manager_arn
+ vault_version = var.vault_version
+}
+```
diff --git a/modules/matts-vault-starter/modules/user_data/main.tf b/modules/matts-vault-starter/modules/user_data/main.tf
new file mode 100644
index 0000000..b5be321
--- /dev/null
+++ b/modules/matts-vault-starter/modules/user_data/main.tf
@@ -0,0 +1,22 @@
+/**
+ * Copyright © 2014-2022 HashiCorp, Inc.
+ *
+ * This Source Code is subject to the terms of the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this project, you can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ */
+
+locals {
+ vault_user_data = base64encode(
+ templatefile(
+ "${path.module}/templates/install_vault.sh.tpl",
+ {
+ region = var.aws_region
+ name = var.resource_name_prefix
+ vault_version = var.vault_version
+ kms_key_arn = var.kms_key_arn
+ secrets_manager_arn = var.secrets_manager_arn
+ leader_tls_servername = var.leader_tls_servername
+ }
+ )
+ )
+}
diff --git a/modules/matts-vault-starter/modules/user_data/outputs.tf b/modules/matts-vault-starter/modules/user_data/outputs.tf
new file mode 100644
index 0000000..8ed99e9
--- /dev/null
+++ b/modules/matts-vault-starter/modules/user_data/outputs.tf
@@ -0,0 +1,10 @@
+/**
+ * Copyright © 2014-2022 HashiCorp, Inc.
+ *
+ * This Source Code is subject to the terms of the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this project, you can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ */
+
+output "vault_userdata_base64_encoded" {
+ value = base64encode(local.vault_user_data)
+}
diff --git a/modules/matts-vault-starter/modules/user_data/templates/install_vault.sh.tpl b/modules/matts-vault-starter/modules/user_data/templates/install_vault.sh.tpl
new file mode 100644
index 0000000..b2464b7
--- /dev/null
+++ b/modules/matts-vault-starter/modules/user_data/templates/install_vault.sh.tpl
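Review bot: The rendered user data is base64-encoded twice: `vault_user_data` in main.tf is already `base64encode(templatefile(...))`, and the `vault_userdata_base64_encoded` output in the outputs.tf hunk that follows on this page wraps that same local in `base64encode` a second time. Whoever consumes the output receives base64 of base64, so an instance launched with it as user data would get an opaque base64 string rather than the install script; the fix is to encode exactly once, e.g. `vault_user_data = templatefile(` in main.tf with its matching closing `)` dropped, leaving the encoding at the output whose name promises it. If the consumer in the vm module (not on this page) decodes the value before use this becomes a naming issue rather than a boot failure, but the output name says the value is ready to hand to the launch template.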
@@ -0,0 +1,83 @@
+#!/usr/bin/env bash
+
+imds_token=$( curl -Ss -H "X-aws-ec2-metadata-token-ttl-seconds: 30" -XPUT 169.254.169.254/latest/api/token )
+instance_id=$( curl -Ss -H "X-aws-ec2-metadata-token: $imds_token" 169.254.169.254/latest/meta-data/instance-id )
+local_ipv4=$( curl -Ss -H "X-aws-ec2-metadata-token: $imds_token" 169.254.169.254/latest/meta-data/local-ipv4 )
+
+# install package
+
+curl -fsSL https://apt.releases.hashicorp.com/gpg | apt-key add -
+apt-add-repository "deb [arch=amd64] https://apt.releases.hashicorp.com $(lsb_release -cs) main"
+apt-get update
+apt-get install -y vault=${vault_version}-* awscli jq
+
+echo "Configuring system time"
+timedatectl set-timezone UTC
+
+# removing any default installation files from /opt/vault/tls/
+rm -rf /opt/vault/tls/*
+
+# /opt/vault/tls should be readable by all users of the system
+chmod 0755 /opt/vault/tls
+
+# vault-key.pem should be readable by the vault group only
+touch /opt/vault/tls/vault-key.pem
+chown root:vault /opt/vault/tls/vault-key.pem
+chmod 0640 /opt/vault/tls/vault-key.pem
+
+secret_result=$(aws secretsmanager get-secret-value --secret-id ${secrets_manager_arn} --region ${region} --output text --query SecretString)
+
+jq -r .vault_cert <<< "$secret_result" | base64 -d > /opt/vault/tls/vault-cert.pem
+
+jq -r .vault_ca <<< "$secret_result" | base64 -d > /opt/vault/tls/vault-ca.pem
+
+jq -r .vault_pk <<< "$secret_result" | base64 -d > /opt/vault/tls/vault-key.pem
+
+cat << EOF > /etc/vault.d/vault.hcl
+ui = true
+disable_mlock = true
+
+storage "raft" {
+ path = "/opt/vault/data"
+ node_id = "$instance_id"
+ retry_join {
+ auto_join = "provider=aws region=${region} tag_key=${name}-vault tag_value=server"
+ auto_join_scheme = "https"
+ leader_tls_servername = "${leader_tls_servername}"
+ leader_ca_cert_file = "/opt/vault/tls/vault-ca.pem"
+ leader_client_cert_file = "/opt/vault/tls/vault-cert.pem"
+ leader_client_key_file = "/opt/vault/tls/vault-key.pem"
+ }
+}
+
+cluster_addr = 
"https://$local_ipv4:8201" +api_addr = "https://$local_ipv4:8200" + +listener "tcp" { + address = "0.0.0.0:8200" + tls_disable = false + tls_cert_file = "/opt/vault/tls/vault-cert.pem" + tls_key_file = "/opt/vault/tls/vault-key.pem" + tls_client_ca_file = "/opt/vault/tls/vault-ca.pem" +} + +seal "awskms" { + region = "${region}" + kms_key_id = "${kms_key_arn}" +} + +EOF + +# vault.hcl should be readable by the vault group only +chown root:root /etc/vault.d +chown root:vault /etc/vault.d/vault.hcl +chmod 640 /etc/vault.d/vault.hcl + +systemctl enable vault +systemctl start vault + +echo "Setup Vault profile" +cat <@acYCjYJ9fm5HD>0QBXiCv zCkYIK0s!&*6vi2-0sLeH&#ZPyj$dtpnrBE>An0k#r1RXoYWUdw;_pQzXhVZ4T4g+UL{F4sGn^*E#7|Yv6vM zDk#Nqz6e}fJUm-F9X;Rg7mw|eBTt?XMb)xWW_r8)1H`p{F~&^qTlAed*F{kTT9@2= zh%4iprM9&XVAP%r4;}B|$>)^2?yO9JLUhxYi!1*68E-+|U%@MUpMS|8c(7e;yofA1 z7~ky=N1+vGZ~E!q1s--z4*_qT1hCi3@lP9Dc2Y0eZi zNxjfBY8QsVxa^-b9URgY0@*Eq6=!?$gJkZhxzG#40zrF=;w##zc;r$~7dy7sE+ys9 zGnVtyeEo_&>xpJC2FR4#KhXKYE55K_-nb%2Y)#Mh$Y^C{0q9HT^=^27iv(EA{N9h1=G^Zht(U4bPNE`1JOhv-Oi&ybBXj7{>|)x{u+_$lgTttC zabObgnWe^mpNLE+4b5Kx_!4$v& z5vI)wF=z*|Dl+y2xpc0_nI^o*;GYIWWoHaoQv-6;00LBDg`$PzZTQW7B=@8q-lK|U z9skESCN<;{F?p#pl>^yHG9sSfl2!ZU7`gwFpf-Mp9H7pa;gFv$Y+n!_=}-eH$F}in zNJ~oqlYqvehs>g2mJZ@lP%BA06N#i#Pl8CalN%LDMhuymjNza7Nfu<3#yO^Jr!w_^ zO5V1HM|O=+F@V4n|IR+%fxl>s_sy1YAc@I4ifxr~Uu)8B z-H~WCb~!8zMnZI$41VU=K#2CR_TFHyVE3#^e^Lvvprmz21BmRsWmR&TBuY$M@lI5! zBBzCDbdKjEsYwX?s&f@3+WM}LT)gkPYZ>sO548tM^B`csnF6HR^MV_h6zfC?!B%Nv zgNZYRw|7l|-Fq3iSB{XOj{hQtOaeOf))LayCs1560~A+>2L(Z%$boXh?S1?k-zPlQ z?vM5X1QO`!)SfE+u;9G{2(r}Yx`xviJG?=LK{->EjwGjQV}&xP`T!o!g$upi|^E;w$=UOUS8jS~kKT&f*`U zr%=Kn8TGgf5J)EV&$2TEFoY7^&=>skU2Y*RfM!lXyh{u}<9Ca`qex*_gapC>3>FBK zNIsz$a~*}jLq8!QcZ956Cl?jJ&@~pEkEHr_t=UG!982Pc&OGx}2p0DfV?zl230x)w zRvNjIb+y-g3_^1JRI^(1R8Wkv-NJtbgq+v9I!SiiK|Q#B0`c?`L&WGzS9}^fNR?R! 
z$D_H`3q2jzA)+)5jk^thH?E$SEWx=g+v4Xo2bkIY< zsZ8S1dT)Qvy~C%mB#nVOCILXfAVpbyM+X8VUrmRpvU8pYni1$kw(c1z@3W}$P6KB} zgp))!?|11%h8A6M_}%6x#{nMPYf_25fvtv9pJ8AnPC%o@h{MbUl9G6MtJRISX8}h` zl!M`nNLT(*B_(2>dDVPxylaoIVk0e)tB5G|Iw@^Y!PYfZv zs~sJ3r|BI*h=Gy`T2vUy`^ViWwwuQV0K2~thegLqVVP z=QRBu8aDq!P7$fG+b1gcyrIgURjiar^pU(9F@W9HG03v#Ld1B&^hs!W=HF$)deLSNY zPC=jeor(fzO+@2xoBG*%6tDOA;e^raJ=#gqjrv{<)E?|&@Z+$|Y9jq%%d<&G9wfgi z9r#CkGitN-#rf9e#!4nzOGf6DmFbTvr}0hpSJ&EjPjvRZqtT9Bk1iYlt?CvhVdnhC@y$hQSEPpn-PPJtoSdEHi=^xgsBo@KoKby6^NfD_drfVq=YMIIZNr4Q zpir`FwEN}VAhP1c3v0O-;!I1W83t76CyYj04rH>2Hu|hU)TV_w)-7wNXokeIFxdXC z?AXS!jk?y+0*phj5sH*wZs%=5?oCB&wRz@GFrli-agv90{&~ilD}A%7inN0Aw%RC5 zEtE=wJWq>r+R}T{O{D$m-NbdORmCaRU)4i8*J2-%RejqOBir~Tk0%;_U29nOs=>7$ zur~5IOMzEV_9&4fzFSz-2Yhza2cZ{Fz8g%`hNQ#q=K98u&rYUnN6kB|Og8`G>nim$ z8!$TCOomG{4N68Q%SPMTG!F*q=F2A&-}$~ogalSD@%Xi8c^9b8lKl*Tcb8LjagIGR z0yz3%kYLi~L15tg9WHr2yZ^qh=HF!p2$+Hk?ex{qwp0 zx6wD%`n`dE>7xkMm+36U`(;MexJi8M2&~?$R;6bLN^2aRbqLm3jM*g2cL^)R%~K0} z+~mQH4foM}U*Zv*?SwYVM5dw_KDy$@+LRDQSV#_g_t(WlV*Is~y{Q;RoKP zsM&JQqp&ZPQx4Wt^4J8vQ~}%mO8jFkE!S(i{wv0h)q?Mmi_k}}8VZ+dNQIFiqG@WO z0KXwbodOPBaHn3o$g^~YAHpDMa#&nBq8D_=vf5*A!XEGlI1e*RY++gMucz6efFh?t zS1|$%8&-@6IxPGbrOqvGPJKaUutuE)J14|mQiRb}1~EJ=SrAf1RB(uV$n=m~70+UL z)+$XZ2;{%C*3(6&uW|)vV;#Xjc;C*b*Ft%lQrK$&x?Q`}5d_pAy6)?tIaFrn)kw+C zs>Fy|GeTVjssGjBe5Q2Vaq)Ol*^$5HNM|4oy2@N4nM5EL5EzM81fxGT|D+P4x&*d# z{D#`3FpP%DT7YBOC*0P|re&47#7Hq3%fqZ_-&^jM6^*aF(g*>l;+Zk*S3YxM`B&)F z*bb5^0-{}miAx+4Vfrdf8!r@ihps8)Mp!2Q!Pjf&XJ7f zJZODx&s5@71C?Kz+aHTrea_2^Vz>4o`+b*eT%o|X}m7N8SdK?ROt8gqYq7u+B< z%-U)CfLfx_lQmxc2v_CbAvv@FInaUICSFqymh*>2i52& zckvI+6RbE8d5nU++hIKy1f&2O%V9q4fP?gof7+ZL5siR~9p&aoxixX^m~SjE8yOqc z*(s>m^WzPgsnWfju9&7%0JYYjW>i){Fc8by7;f_woOJkt=>3vj2H&qgMt1KlAvS$= zY>fUJC|+zqM2GjaJrb*E1ZucP7`8js5px~eOQlrH9t|Z9VhNIE1I<9tGB}jqKiJtW zz41f~{5tt3rX8Z?#{|{x=L6%~H*x;w+@$wQLri;bF76wgfQv)|54;(ENAQ*2Oam3@ z@edI}Ryd+e@z+#IjDsY|r?zI0U(as_Y(Fm(?{2J6IKSf~D-aNUc&EY3j$RDGN#KGj zKt;qo-yj7Tr$%DhUul#2F*epLv97{mKv?Q3TjD!$VYo12 
z6l|4TggM3=h7w@@C9BjUFYB8!T?xuul_RKz-S}Z&;x=ji8@5*F`~4qMtG|05#{%oK$M z`coZri553S zfLV^e*N46@J>+I*M1y=(muDWm&+TR^Q6#D?w<}@DV*sqe4vHi*DiJrF=t0WI&m)7a zgh3mX9_QPd%+>-G{-Qy1N7s0EvTkFR9_N;L=v2;I^u|)a0xw;ZsW#il2}%CfAQZJE zOKe_L`aB#|TGO319F@dZ4aimYT$Ha3Ww<|`K&w(OX5$iNeb#8Uoz}r7GRw7WbPUhD zryDB%p-1tT1XD@h6N|7{*Ksy8fcij?AH87_4?Z zuA<$W_Uz{-Z9&LXL8_VV`{sKhxhfv#1w)Lnt)gwT*-g%1sxp^ zQ4cuo{mepfB-(&CrrT@8Q$h&@l0g^EecWzwP+C+pRr(&Ex6H-TZS)%IG;A zJQl=6R9haF}&;=-Zj0%~^Jtm@+;pK=L z^wRYoeOsyZyX(fec;e7yeq28nNH8=_1Jb3O1DxwBT`lK*?{Pvj4Y`GhGR4LlorYFs zZ~2w2I0^mE=M@?kJWa3%+&RQNENGnm3CEw$0V=c)U71p*7+wTi(0@$836h`2N{^7$ z2j?Y05>!Vb;6l7z3R76r%CW7WC|z^kPs(n7uD{Ls$CIqLcDk7$mE1YYWER@g%Wh7) zipWCB(01~)E~C~zZTtPoi;&~J+pGU5-J{v>E!Um-UpkF6pdi?b^rP;&O3l_7EkkyV z;~chqx5V?jEqSoxBc2Uw3#1TMDhVEzk8O2g>oeo`^?ec`^9h!k)&~Zj76_|9KWV^e z>PYU>AlkINjpht3;VEZiZ_8i3hpatk8n=qSQF!C1P$2WErr8^(@%u--ED}WY z9+k((Gxj#DL@qHj2bL0){X-JlEv+}PN-e$Bz?b!V1R)WKSQZ-TgT+d83rn?Bh{mCuiimiCc6CF&&h#ieoZ? zBfvTT1y)S>qc5S-!ZQItDQJQMP`@Q0AnB+tFP1Q8VNFGI92ZlVi7H&%L}yvyw3U4o zL$IJ@`#kkWI47 zm3mpqY4Jg)?FIqM7+l}GNQELTUFU>~CR-$Z`JAxpT0ugJnZ=ZX784>;nRn!Kk*acY zh2vP)a-k=8&?~O@MLygXv=FDS4L4MjPvFCTAh6_L#S z7&Zi;4uQ@FSZM4=@4;utU z?So#EoIGK%zL>5F0b)`ibV4GoY%u|KvHqZ!7xnH;6XWiz1@!JiBhYO(|9MW?Y(n%m zfQ8<9l{Iyw(|(wS2_L=VG&N0CK#lCi-X^Ks_R`%l&u~GCkXY&yxsIW#B$X>d^JI_a*l}3EUn-9bkoo7@7nvr z1+AQ0d6ECI%&SV!g&!ZyO=!0*g%y%Tqox1le5Ao`Oi2{hZbJ(z;ITv!MvU9|F+&|5 z&$ZX`ZIS+&9=F@l-I1zFD}(&e5~S{uUM~}W?9pC7wNs329v;*?QGRePaz=?~5qlQn zEIYn|i#ede606qS?ju1Q3(EY97~2#>M8smB;O2o!G8YxC5$I)J+|4DnYa$suvQmVR zcDqRhvmE-%T;O-SCA}`CgY9^g5ougK{BwlD4V3p~RM-}V|F>-7ELB4ktfdWFcyp`GR+d$2uQZB4ypv~6j zE)ijZKhDA>nM8Z7A(F_%DhNDEj&dkdyfl7jggpHt@z-x$d*J4JBzI(`{!`6eZm+-c zLY>Qv)m|k{t+(5MFik|xgU(>Z#Upj{I~n658a5hJptIoWaX@#r-dMLDp~g8Rbaop& zdYlXoOWgh)Tq9^2Cfn65XJ?l8h^Nz7+p*h^nU!$rT&rO>_cTMnz6wjlE zd&=f@Rf|wREPNOtq^qdUd(JWCDPPHNn#3-=_sH(de%p(&q8kP2V}N2p0dT%gDyj98 zjt`PS!`T#|jpBy7bG~1Kj**Hu&_99@^JYN=>gJ(l@mGuPv|gY-IaE_d_=`$bv!k(% zNen(klFpd&eNHdtS$@E=P+*0qJoc8Ky3Ji=_u8=c?>-U`1sJ{d1`Np{yY(LSOGR*& 
zSNAvN7nQ_QE<6;f?ZrQkk!z_e9a;@iCR=y@h1rb?E|Ut}B@AR*fu<`bg+d8nW{@3P z!QoBZg=z#e9%YHh$^E3jZ9`ik)bax{K*rLF-G~D?PKa+n$YjL`x?4SwprEhG`=?d% z$DvzCs`qpOr%M2(oq)p*ha+$F$n>kC68)wEr+qMt&_0)d_HEK3v^GAJlp#zDNh?B= z!w-fZ4gOG&bRFJjP4w?;+v#Zf;MUxo@fVI;h@NUM^8r5?O)tL^)B6+iCPUbafr#eq$zStMfeGuc-{Cuzq&He5PvN0QNHoqM zJ5QL!F&w|t$N;7WI(2VYH!fJO3@06WHOSunr~_l@iG@u0d_3d~SP8)1D76JlwHtHB z9SUHKJ|QQ;{e%)G84&<4`v`ws#e8RcWK!EG4Z3aB zQC7siRt%?ZE=M-?Y^sDi-=wLwJK`7gCAMbR2W~s(ZjMwp^wC2i6lQ^p3qvq?hJ8{X zpbO5{GM~^HE|gS}h`b}3-)}6scs;O{v_L$0@MNLrX=n=#uiBE(;GU({?44e{o)~Fg|d}uMHQQI;`t~co2 zd^q*-g-M0l{7i%EWVvqqZ2$55;$pr?nRh7e*v;oRvIPUz*`-=!;ITAfk1 zlY8>a9T!VC`-4@C-UYF6O!Hp%S7P9M>lw;U3MSz50M$nStjI>lWjg+=qP@vRy%839 zL8_7P)M`{A?;gZ1Jp?zYnBqk|t~TpuSK=*G(_Yx~7>%oj=XIo0671mR&`1{I7~I~BA>o7rNurLo%C7Ppl#and418OkCed*f~O<72o|7>mREdg@b$ z!`T3>hfa*V8Y?dr^8wPuGPQCv8*%FUF4@K9>UHLyGmyLUG>Tr|p)0bike6E>X3f~d zxIv57)@Hw!jGh8Dz)P4cdc63Lf{y+%y30ud$h#hBctWC6R9V(^zoJV3God^i$U63S z%#U^heS=gw8X!W7!MoOXsw#UcAIsbI%DC(9vSxOx(2avhS|~enpB#j=7h9P+EeAzS z7+C6Z$+6f_Oiv`?KGv31v_I533WXG)-S4_)IeHvln-x=`y(#Qjv57U+jUzf2`VP0Z zf4X2#b6TVb5D&`03i5!$$j*fO4Pnlg7M?@Q#fqTHRjFh{>li6ytB^D1l}+8TzBl$H z%9rIQC@eCDFi<#C`oy}P`8Eai}Ui1L4kszNH5*Wxpuvwp^NoEYbI} zbRaR;M=3-$QXr7Mpw(Br&Xk`MfY~IN)>}g=VMK<`LP7P0VQwdFO>jR2*XLDMuEwF} z@0SHRQ<2s?`mtKC&tRF%Xs1Q3+jrumMG_OtdMa!6S1Zs&*0>H)9mQTYGFx&P+E#-B z?SAFymD`g6@vEQ@g&S=+nLrZ9XM%VlfZe|UlTw6-AV7SA6^5+v&r+QOL5c*67yHyo z>7DB^A{sRWhF#>rhXRksU=yqIA~rR|DCsBI<|*;!=D{(D%Ru)?|B;Oxbvv2+MSa$d zn~^zaB9p{lgxxa=H!T{T6EjGNLTw1jz!!-?NqItlprhWB0y4K^0Z`cLdB8)`aq1N= z@YKJ?QMkK==I!9JVIzBKu)UfzYPa(BGSI1v>~dD*VrvxG z&x=&x*V%%YvNq!{w%50~KI8CmU(2UBPKZn@(1NhX zVlwHa_QUh#dZFuJO>{jz zj^$bNN$8Eo5~L@J#oM-Ihj_gdIdj(uXX#@+p2D3f6$l#-FIZ-amEUc6&7ba%<)_R} zWb0Q)kBS(}VWrPrti~7Zch5)Iy?yuB1rJ|EM;R@mtho?;E#S$Zs3^F5IA4(;BSoHI z;ysi!@FeD=>f)%7VV$QwV#rHzr3Jr9sOgHF;l%&76rO*y2Ag`Q}~loO+Eg*BNd(; z4V@N~4??4aZDpz2xv%Jqa%1>@l962n6a6nYhFtI_@cp`^U3o6^aJ}n2qn?|Rq<$Fr z2ui3@J#$6e>yMWnY&Mj&Ms}p-YpqXSIUcrnDTyF&4;EwlU^WV42yaso&z#yQ@g&5k 
zS;Z359F#MvMu`fUapN9&28f51tK)Qp3iY@KnSSL~jjeh_*iw{yufUei_Q<5FerJn# z9k!?JzrmMvv=;F{O_s1|vM}kul9)ep#B3tMDOMd>YD>Ya<_^X!QP{@iTkjZ~o{zXw zfs{oQLz8C7M+LL*GF@$+L`(6)IIcem>s5>+!DmY~bRpDf)KpOLR`Ak{o^)Q%K)f*0?L$Y-R_R6|8@xSY( zR#8#7|E-nTrJP*LpIf^19Sx9yGxQk^}i;yW#vuxKbK657l zBf+brEqmcQzI)0i?p(5BdW{8Av@spYkPBbTxl>UA>RS3u(!|%ryCCnXGRAhZkZSGh zYQf|zE8A@9sM_2@z2V5-(!|$M%$NBw{{ssE@be=l2@avTX2-2T3;-}x2mm1W|2&oh z{-4Kk9G&!?jQ{7koIw>!+kJNQ?`>VgqlezOpo!iVxUNp&;?r#N7U1l0hb&|Uc9&(B zJoBZW?r~6{LF<9Qq%VB;XvOkbeIiVwsvH2(B$1U=NEoYQ_MdBb%y?vz+t5L zyU|z_whS0yVTwe@IF@FYbZhL7GHqQ>=e_lOU67ze{Yiz^INS2GN;=4*uj+Q4^3p^F zY%Ie_g6~G{zL28^K`@8`?AeXl~sLMBY2F>$vz@J7*sH811jv z{wk$gXHWeuTvkswJ2yC61S>d!QDx(4WiTa&agiMtmMmGDo8M_#8-IEW1TCaeVB81B#o%_HQQ_5q^Cq`U9PnxlDuX~|(2 zda%%9BS~yhonw-WF*E30QRefZ>S4)Q@r*TIW81*PLNi}rcv;8gO(8OT=|k(o9_M-- ztJrf3!u+6@&O;0{AYpWxt9ML&`(bRT2s2Oj%ZCyn6ai$Iy%kZ~iCqEn5^k!KNiL`d z&Zub^0)RIVc!){Lf940ju0ypG{-X`diJ=TP(`+cd!p=4x;xsrsN0C7{_TY9}Tkcuc z+Rfveu_g0#=&+sxqdCK7YUp|ylfri0`p28M7`gg%5xefJ2LIB6GG};VVd}N=T^nAs zV(kkVn(pS*h{NT@_@F`2c}UdCYu%G) zJYO;Pv*}!cNwV#fvx*H?g+@7+m=WW7}A?N@t_2xVC1s=L$HpV@pDjLzwassx$*Uy5ui~p zNmsoMT>2-$Z>7V+q* zAISfi@}}LXMOL1&ee3#4u%(`C8U!XLy8+isKvOHvv^eAUti%6TIWW7-VWDCTAQ^o_$hx7puA2fV#h2V3*>?FxWM1!TrD^=cO6p_{I7tZf~%X zr#uSOa(a2jCZ=C}tWFfLVMY^C#3Fj7x@6H8DyFw$`>tk|k9-QCCb=jk)WcYcabinS zC)T3E)1^tiKox{qizEe$A=YRpp`K|Opl&(9L`RV%r_C%3Jp~@56c}F+kR3%LJrATy zQNH8zSV=+}TjBYRo>+7u14&F=KcG_S{XyDgE>BAr#eCg=Xpy;jtksJ+8EUto zBrA0(G|su48w}u6`ns)tXJX*Gau)?*v`@*oVx z?te*Rk(YhjiWO`UQWbX@Mb*)~rB;V}DASe(_eOywk_hUJ1-tGw|HjnQ_VLNym6>+8 zRK$hXm}5gPnk{eI+IkhGkyr}Nik2bWNtpZjIbMT)Z{OIe7E4#rli6p-@pU&ESaD<3 ziQ#-+KX(+|jV8qVc885k&s!Q=zq7JXL0@&&ae_jeBWjvl|VS`rDr_a>|rq|2cE;tAmx;!WwB>ugn{#1jozVpDcdVbqzHHJC@6e)H>Z_ds!v?bj%L z&iu3Gd+h3}#0wOo6}ddC%QV-tZg?&5x?;We)M~RH8g9DC__nF(M0wlH!9@0AO&}xgzN}XHsf1Q zj_5k*6`X~?JsCSlghQl^^1B*(#15|~nP+$(>fgbttE+dxmCVwLW@d7Ee4C9$YPE<+ zz^a~0dZp^18rF9;KDqpVxP8HPpZ^FxxPmTY=CeL#71BnPWzRxY6THo;0n`J`0l7uu zEU)_+W=6|l>qRU8y}NzQplGzPhNG=aN{TL96uRGku9Xsw({@can^n%9v$*krPFyW_ 
zx3n^<)2h&;(~t13O`CwRk#j}u&GD`#n;{SdWXB;nfW$N{dLHJ2$M{q?+8=rS2{C9K zj7mrL=T3r{)X*gauLqD>Xd5)73=UpD)vdLQtQ!#B1Q)<@X4hi^$&e!8@I>cja)*m; z4b6aD08cFO1y?~aqvb&z=PZH3DWq~zHc#egu1oBtQppvzJJAKVpRt&=40{$UVBOVI z0P6y?1x}_T3ql6qm!qjmi;J}$=`98Gmg*6#Xj+YGsEPhl$RCry!@1?+xw&A-A|Ye` ztsd|P{HR-7ser*ls*W~YAV=M$emMwK-(R2+0Bs6Qx)QS52u>?pF3%qPpC>^$!AOt> zzhzj8=6a{`Jn>~yET)mS_5=?DwBXXOrE6qahw>5|1NtZ7NUzyMEM|lweOxp}#EM!q zGD_~ifBdDGuE!@=xI*yfAdXp_9MMS|y9-sx<{JiTOD0n^FYZDkf=DmY!NWl1>6tVL zAq=U{FfJMbx~dfde!nC{#`D>}_6sNhOz!>xbg0`bfIHS?7Q?z8s>&GKYTy#Xd|B|Q zs!*Z?HTb90M-Sb)H&OrzN33{Z8tN)Jb20T^ImRU5X6+LAdjdMpi#4!CA60%QHEu!L z8Z>{G^GpBtga(-S8Er-xxqm10LQF#vn#omvlrj=r8QJO3!={V+j5dcj zZ^JEBgKn=juOZ#L)QYF`jwR~nt%@S9K6>0(J!Q0aivMmc>X=$+2`Q4)K6_tS=&&ZNiBg%zf~x_V4$ zC~{dcUBWl~7xOg4YQ9eG-j7=rs&djyXzW_K+QwG&$~k38F$@ka!>zNy$#Y>o!cL5L z#AH~fPriSbwgN;+@G?SsRSQcLxei5P?FLIYtW}&oUUlnVkKa?R^>w;ePQHekWF!;8 zC^qmt7N{50$`n-9TR~iNBSp0~?7>aM*CQr+oKo#HZ5TWg2MxI+53NZaqL9@NSEw^k zebG}!yp&yx5%evIY%Of~1gY(AFaltFvu=Q%LX|Z;!5+G3`3x_Phg_d4H}a2m$I~=T@+>S#b>yGg$6#x?XMGiw!L!= z_M+`RUi$h!_vo@~j_Hr-Qz}*-js~YBj@84Z+L@>&Xz<|AJ`VvPn5lFu^ZQw_E^#8J z@M-^o>)|^3+>^y?*{G(v*wP=2_tf@>)1qY@EJYsO!#jy^@8EY6CysX1=s=QceK_ya zttgqtAVE4cBS&0p&AnB`-af@Ac9>&fD1%Qwqphyz`)gBXga|9EsX<`GvDI*Bn0oDH zqz5iHvC*+xmQLbq!O8bs%(ixGgMFMt8WD^&s$!t0*5R*CSZhzxqJe3%Ek03uJWy4n z8DO($V{_Fdym*Vwc#kw-!jR;!x?z|6UXN=a%WZrW1mBGqx8_OhK zmACE$>+|VM?8Dw1TSJ{aZLDgEzk;O?Z1dDiZJqxrld)lxGbdPAG6DR}`-r^dv1PyY z3MRj_9>);ufK|P-3BJ3<@AKkKG0dVt($&2F;r)+povY6lDmUZxYN~E0nG9fA#46nA z!ZDZ*dD92*vi9r~pP;mlcys&F*3A0DzCHM3=l5F8|LF0lN$heA!2keCQU1G%h5Ub2 zENgvpoBzF7c_qr*Y%sut?7+Ul3BF`Kg76OEh5F}_x}XtB0#R~FhHiVuk+v`vEZQFb ze31ypIWj~NKh=wPBh5>R>n!$kD@ss8LR%^XdT{ih$>_jq_1$VO4zQJ>zD3Hi};603g)*7%2Jci8(WXLP2DXrVejAlJIJz$SH2|~1)Pz+ z!uA8!3+#CcBShe<5?Sd$`p*rWA|@Nk7`DH)zAx&n*T@&0I`IZ7vOi5>Dadjd)*`XD z&tY>(Bowp9r;yf5vA(U}hQ6?NN`pS7hBkn7)@9~WTX3l`UfYzkSr{P)AfZn91!)sf z<81fGEB=2ibwT+%X#THN0SEo>mKyEUxvY#k1h-*K~mNC!GmNB;9$s>qG+sbugPpG9W znxC2yBC>-(OPYpZ;W|}`k9|HGtHGHcm91HcLg!?;=Is5DMDPEXBeNtTJ475Nk^OQ( 
zE7ep)zz9c$4fiqGZCLU(6=TM+7^*Wsc?Ij}GHKLQi2c$tb)-1Q#c^+7J^lszzXZMy z=G;R06&M!yzZ3ZXc7Jvbwl3yI#t#37#947OmYj?TLpK3G1H?Je<1f%W>J*Ff#R`(i zg0d5fxXyQ?ms0f#5kH>d3rkHS)1-$}6JFbc4G^?hR(ESQfW6pLE1lGOkGbVdYPj4y zvO4t}h$b&pncO*7mfyVyB?Yy2TV1UMu0-lRa)ZK8-lpR(!n_1kLodJ zL|i2I)^_YAFbRNl-(<2pT~DE9iTdu7;(Yo*D+0Dl$s;`YT5$LH&$k23hS2~_%ma$X zqERiOr`-<8hJnd1WenOTbJ$El(2%y1`RrD{WndJoiG9VZ0}U~%DXzLY8x>Gehm?6( zV>j}UnhB+`VZWftAvN3^ct`rc2B{{uz4A+iDuq;+j?3`76YSsdKkqMuR zTg)i{PAh2yEvTw(dC|<%bFaSe2$61bU22-($OlvF32ysT?_ZDHVbwQw?00s5fgJiA z6XN#Kn|@zhxr9J-#LA&Hb6?8 zGS40!5_(TclSfY(Hs8@4zGC18a#lHbtBf}D<}UR(-*j(%M*k9MU`Jf+gyX_O1h*P6 z8vpoIU(ue8yS3D@{6arzi)~QtQarh|+HId}K0(N<#j@RHAr$$&pmx$?_T!!_4PN<4 zRabM%PPq7ctE%SJ_B95w+Ip5#Sg?IL#QHeur-z4=g-Nm|(+<^8>e7hBut7QjD82iG zU{s=1tf~aUlE?jc8HUu$;-^)1o9o^wG&;xkV8*ArF4`q!t|~vWK%doi678lk&{qw@ z7yQ3cSRpf}-RhT%6fpl?3KRc#Dg6Iai7J!&Y%W+4gkQcRpiR*a#jEF({aeJcg<;wK z<-xU`h~*a5420r=IFxo(JK@i5A19zB>JP>p5`peymb2STk0YdPZB1K;##zBj$0P1u zbk*p5UhgIx>a_OJ_o$odtJ?0nIZ9%Jn+>DsCB49r>u6#7>@f>(-Hqn-JQUg z1;Yi^lvyLPkXmQs?96ocEOjpOdgcp}Wu?=2mU}ytaL_LiVW=BRITwN|mPA+%r;b1H zRzYMiXPXA!nSO%0pD7KDV|fjI?wNJU`)R6IZ}WXiiar@5c_@T=JJksC7Jy2L8~H}7B}R#Mci(N&xRwoulCEA zb0=c=M$wMC=Dz*pV|D1>zujvva3%Cn^1`T{Ad2G>tt%%q%S^Y6E?~dTvS`TrfBKPJ z1@l^C{|qHM4f00FkQ2_3aHx2a9-Q!8UV*Ljcj)pEp$!g!%6>V|HrV)t#6+^hv$>>^ z;9(?49<0H3|3F9o6`(V`VwSBYb>-GWcIuE|r>gDn1yT*T``0KUL!m5r>_(V#LS401 z!Nfl2ysEh(P0U@Q&BrjKwB=SbT+S+UA!HNAto%y-VC6~ZLAVV6&4;iqLYA66vJGse z0!=L8a3jh?g^|No8v$9$D77)V$0GI0r#j;KPtv->!}PgZ-S$rQf0}6K)ppOo-`XVg z8}9$_DK+VT7u^59GoVJb4IAP%MDG<<6c4{a)}oZkF#|u?s9r-`m*`RE;n5Cv3>qw} z`l90uX&1Nn0?6mUd+fLRyjAoTy6yO^%CCZJvI-gH?Dn{W$Vfn~-so~x6*_46pEous z@>E|eY4Qci&t5G;+o-A#yHa;fzt-2fIJjdnwHP}?kN~G$!Ea~>_-#LW1n%{DfAzso z&j(?upwi6K+7}e+oG=e zkVRO1Lm<17zQY`GSP^0d_~4hNmIHfrYME&5m>YbP19MJHHjyasK-7kWBPhbU(}F+g zCZs0GL&2Y>KtEUjuhPM@pW1+ga}$7m{3BJBoh(?@1nyy6dipet1%7`y;;?)?S^>+^ zQ#fpaU-}G?NNLpMx)HM~PYE$UIZp>X`lbIqqEdJZa8fkI-dq}fjxBOX%J>&3a9W(ZLlYW=3x7EWIWDP z?$A_2H>(SO)u0092h1Z8;6Id2h@nzapBs%yn^;6*v4w)8 
zoCWFQ4ejqnbw0R{%?Z=^Low-2Ij8wB$Z^cVepf2qQJ|R|rmaO9tB)hBO|4K$NQ!PW zvwPDbCWuVs`JlN?Rh~5K=L65#!axQ({u?kcaQ zv!^S=ynsid%9LY<=n}EAH`~=l3;=43q{3cSt&&?5?*(gp(Ixr)+1}g#A7}3rUiZ4L z4>vX%JB@9-NgCU>ZL4u(r?G9@PUEDpoyK-DzA@*#7WUe6^}nz0U>y7o#>s>GxgWkO zJV6D$@vpo===Byx8y<-P3pnXXM|fI>R{DqGrc{Z&3ThEx5gOjB92QGyX$0a1hNeTM zF$8(Zh$hjlo5Prx*_VWZnrN7qmqhf$ZVw|HG}(&%cdsvRIkMR-%$yBdpa!Bd*oUr4 ziOD8sb&*Ne1Fp3YFJhstXiuNyd+y%wUE;}|NUp4`R>oZ&stT@ZmX%OF2907 zb-`&d)VX`h)6%GqExQRdmqKdf9t=1TQMwW4vmAnjEc{sqzrR3=K38I#Wfwf&%iLsx zQ+_S;D)dQbB%K@MklrNV14ak-n_&s^@d1^2sB~vvt6brjxvAN`RsCXZ)!XVDuk7h! zHh;k-^5z1#g$`{&g!sr8%{7*|qRk`FMIxgR1b?g4_cqHB3DP8)(qtV^hz0v8t7 zPnXFLl~o6w*2_I)Rjm251?TaRR%>sd-6%FEHm2gBXx@tW^`Z&PZf5q)xzl9nH>1eE zzfjzRre2E-!R^UW6jSDk&{31PbS#D`X2A^;;{V*)739U^P9xo&-(Rv>Yteng9O~32 z;sC8KN*E=iq$b|v6(CWfY#YugOz!eoW2&lb1VtaZa-nNvJgJ5k@v*<~~XFxt0;nkm5*}oVd-kc!0aFDtVTcxxF z44>L5)q7`5Bvhv95-QG-onfJ;!&Wl4?vW^2j!r1D#E?YwYUPVrjom8d%IFLtu9wEq zx8{rz`d#EG#E$1h$mgRQYhX*kC$HePbhXB)x+&eA`p{0ZinD_AIfL9n>VB3Xd>302 z)4}QVKZE0?QQK3*bd2Ip*g>bbQgWEgr*COLBP?1$+}q9U^#d~4zfw}{$i3(9z;JJi z`MZ!$`rD8X%=sk4_M^?Z z+6=dL=+9~XAy|2hJ-Bxuv(g0S`~RIwQT;}+^cDs-f8SF}RGP58VMp$Gp@QW1(Tg3a zno;t{i`2Fpkd5TDi2)ULF~moPj#Fx*dg8v^^;>2RR{@+&hIgbH(J~U|HJ| z44H9Qg?PQeQlBqw%ix9!A;;(Xy_fHysJpJX-*)~|)Q>Kow#410{9O(ykua%J)n)Efz$6kBzGn*_P zchCSor-XAe7MTzYTxozITrD{IbTFfLv-&Nn15uUE>HX?pnL7RCclB{ov3+%w5Joi$ zJ#I^lQ@rlUuZ)O6H%>7FcB|O(35(I8J%$c3PX?bR5UeWvxb*|_iJR#1iaq&X&f<4E zANF~o3LVuPc+U~t3qGEFFV;qn;(RU1gOO(%(P_v^?EPG2cA-%L81Sl9Qbn<;T;qg! 
z9Jt-*Vn})lpYROLtSc+T@nWhNMk}XqBc=3{2vXgi?v33 zpO?>;W&P+?=oir2T^z%X2^tOp47cR0u9$za^GMrg zY;*N1iA7(w@qJE!(_aAB}?|K zoH$*-&wo$&Tol8fqbBIq+S3XI!@51?v^&dj9*Ke&6$Tg9M05+1+N?H!%+diPgK2IG zKrQ_Z`yWPo2-m)>0!#o-fW6=UZnVEcgFlV-e-){e*DZHN(Yh9uG7vkNYfsranN#XG z3lSz}ryDvo0yqiqhZ7=A2QpGyR>+WkE*>Q$VULEL-BqCrEBZ5WJH2-iPM9-}=znn1 z;*edh;(dKVk{-J7#gZLLfO!q*P;@#uW@%w$p87-vs8xhtWapG%Y$o$J+^T6I`PHj+ zNdqcZWmq$Id)@1+s7az79IT2$pG4a442i@geeHmVDfKzF$uyUu|pmc4e9K93BVva~??hWeL2x@K*xWjm5c{5=*GVh4pBDZJlWHC-Gll*R39I4D^d7cLPShR5+*Fye~LmGCjoMhagN$qG6 z@`-D-woh(hE6vG*#vy^3u>SF-jE;K%H0URLA_Sye1W);Rw1BM37da&O-Jb?&&#!Oe z(Mvi>GhCJTVu_o93tBIMiFhgitLuae>8Y?nCAhYu>B}lOcD%-T#Q31j0Vy8H{-Ecx z;FE){aA&O^&#`+5Yziq?y{iP{ZpFEa%Wtf<#`6 zlg1^3ueUG19pf;Nm5ezs0%NZgVDs%{rK+DKNiaEW4zwIgJ5cMDSG+f20S`-Rouwe> z=X-EqFB&^zIgTmJ}E@bKvkabi~H5yq54uZv>4B@6!N3D+~8#pmpgT^0?RWg*y^ zW3uKe611XBm-HrlBO@#wY&~H^Kiqrtl6VyGCq&X(JnXvuDN(7rd*xeT#FhJP#QiOJ zS=l)KuL`?y+?3_2G}_?94cZ~QT)fu4SIVoXG12lZ)zb`XJOZG~DbWvh6> zombKs-H3{<-~F-Wy;tQka!~Ter8|PURK$ntF=u=O^u^3ldo${$EVHEp${UgBRRriH z_}y}Smr#5Ub(oSUq{#}SEgT+H&7eeJuytUGL{W$ft^mV^tA&R(7sjdz&l7+=+)3N< zbx})v%5$eupxj>~E_IAF#B0>lf)w2#_J_`zr9MrzbRmd z?Gu}|-a#RSu;_m9amFbsiql)h<}=d>ujbTGe`|!MBwUI`X%K6R^{ZP@3V+@Hs@mMi zdeF#4u@Zj5FZN6z61aS9kxrl5J=A@lx;$qI?TY-0(2z?c*1cR2x)os7cKtnNUjZ+y z@pG;Xg;{r7?nb@@2XnRub6JS>65p33pLHu_i+){Ka+h=ijo~kcbE&~*8UTJR0S)HA z$F|=(+#lxgHx3sRGa<>sgcbbI8h+!V@l3Y6RVJ_PY?K=uaQ-Dkn*3~_$V2$r^arJG zZ1Z-K#0k>5c2>WWJEtW#dWxZhgS71?%f_a>n%W}Zq^!!J-031YaRq2J; zKgpOj`KLxpr1lDh6_)hYMt}{s>GU}Y`|WAR;!^SgPhcYpyD?AyCxtOd!^XgnT+Vm+ zCaVl*(NCg>%oK|lP583WUYE-RsF^M-k;?kc9~vukK0v@t9Hs7Rm+ls;E3TAJxK>(f zlvblkLQ~_x898zu9Ow^=7Blune1JTQ7z7QJtuszf(>A=Fbe&*817JW8dab?oPUOlx zwZ{e0XAzc(l`0`u?~wdM&<&V06mUR6`~B7rf6ILT5cJkk^3eopyKb?Z+}dqu@`Hfy=`+ zg9Os;XVB<Y21dTHRM<_mae0H94F!DoyIlii+Q}_PJ<~Wmd~DW>SgE1xAli>xUr@muB8lOl z!`8VIj-r`Tza?9wkTd2Qu=+#56D=XB6uJ%+I`}j$SCy-@R@{@9<+Yf})`+5*Rx12B z;;z}4x|IK5P#5&(20M7l8#eux_kr_i0R}f{hI7!`H%W>dbBQq>?{qqLdKw#w+=Tl! 
z_2hIF0q+Sfi@^-L+DIXUZ?WI#>an?jXa9sJ%~CcVMUD@4V&XAP8ec{Dys$53rdAsc zVUiqa0m2arY6g+(oF{D-ng!zOjg5j(+uCW@mlkS0rThpCM@ZO!bk-fIh--tM3{cYy59v-YdZsDLj&MJR-?b^uvVy!+3vEVt)I}y1{+R8hMhXJQ-Wdz66;8RmHx;o z$Pox47^jATn}#O-qYC#i@EP~5F5s3Vd9TGm>tg(c|B#=xt!2dCA9uAPBW)hU?=5Wf z@$Eq^;mSB5W^M6!sOJEp}3s;OB{-c7LHnfF>AfZ#992)=XI1+53f(JutF=rY6jwUj2+Bg>D&y)#<<< z(mwE`33;t2*`Ef?3Ys?uF}IZ<>L9%**rk4^_@#ZO04t_RB(iQiZu4jCO`%!VmlI|6 z+SGcR1QNYVRj8sdyeaHY)>feG-BcKB=xxRZ^THSD91Ev`X3dO%|FQ=IM|=m`u@w~uQi)(t5X`s(Qw230$I z?3>Lv&OjIK84RU=rv(Ge_K;?x;K;YDE4hlyHY#8d()UTF&2Or?X=S5ri;CGaJ(;^? zUbN)yNug3&Sr{Q&uoHS+Zzny}TqPULWFb#48r>1&OJjCO zE8-b9oHFy%6#^=6Xjwma9=}?Ub;bxhIB6xEqWgO%?8Y+h3VQ}=9qRQs%(2H3b5q2( zEq4{FxKAgw=(N63*nR2}?+ANmfv-G>dX5FC(&vr3WDV6!doI2#;&W>n&Z(FaO^WWBeVUdOZC97^|BNAjLlQFLd&5_G z(Sjd*!vnt)b!Tomvmr~4(&CK3=VG^+Q;8;DEK!G7#a5v(7yij2(Rs4`n_wF5CLf=@ zv#Vse(oIqf2H(-77vZ}6gc~0L^M3PrWtXah8x@?7Tnn<8*hAZ)8(&U2A!O7Yq!>Rk zv1LoZ1rhNHQl64LI(WD4QW#bCv9m3hTSt;(T0{%`m#L$v3kV6;3v|BLtZ$VN&CAxMr1NOAy&t7+?)0!{u2kUS8_r58CCi8g;s$4QeQ(pt?!t8yM<%iW* zi`*w^mF<@o;VKpeS4#PGz&AE77`euKaSor%FvxD-VZHA>J6x4A(%EjsH)8r^FU_#+BJ~FYf)A@B((3#U z!(s79m+vf@2!?Vkw1lOCK9;a3P)hShYlRy*RFA#}ai_~vK7ITLZ4vyyBa{h@DjC0x zBh3G28~9uPlA+XVyDEy-aY6&x#R{V=q2dJ_8<>x0`Pmj>Ogv`5@kzYPv(>Kl#asp9 zTJSB(SEE*{Fv_IyYZ)rld3q`bPrdhzX$Z%XIOmsh&%taz{m$p}P`kzQI~;+upEsh0 zDZ4|fgYf&8!c#Cj*!g7E1w{5jI463e)XF)0f>ekwv&rAJo-#98T5zp~F|?ZYP$#Y$ zdOT}2w~B)Olk6Y8wrnFhB`)*KIW6`)l`U(`&T>=vzKl9M;TZ?95h#`$AYFmyAF1@O z?mMP@!$fJ{KU;Tg)vZV#CQGhgP6)HM6l-Cg9L-7#_o2(TqaKryR(oUxyG4c`-sItw zeWpIST0g;_mamHotaI<^pHEIWKxgM5JXheUjiGw^NQqd%86cc*q19xb5C2q;I+w#f z=`M9umeXYF>{)P|?^HjfSKi1BzeB^et`QXo1E9Z}pW2^kS!`h=ipZRfotc&la-i>a z4nBGQj!#_ZIB#*KxK=zhRoL2AhnA$(BwETmldZ&A>P2<_{9asfWYFHPM!7{KKE61m z3$d8Kn&%|Vx^M8(r49FVx>1@ILhQmNNS>gKz~$5;KKm(OjS`6!%8RsaC!Li6g&%{W z=^~fhwcsc(l1T5@MonIkDsk`qklSfH%4vZI(WnO?FVgUdlPFP|b*6^F4^~uw+;Wl= z@Md{uxSSO^*Hy>2JWP#s#;|;wOA%`qP{Tk+PYI}alIa82bH#GPlKnNO?llXTNndCE z<|7xE^#J1KipZ9myS4XuLTY84)gf!SWF+<;ob@~N4^)aPyKRXF6vDWA!ho?*R-F5O^S*o<0 
zslvnRe_|-+%sLh_~+A?2u`*z6oO{eS19f=(Ik?#cEC+g_dX-hy-RofNH9D zn$e$?|HS$)MhoKjKz9U`E6r~cDEj}SB>yHB{kt%aYJVE*@WNzy)=movUXZ1~p1s$t z3y}IXRs2t3eutE*Ae%^)>)d&PvvC60FS6T2nCW@yO3Bh#5B(|3EI8eQgU{+xr1pZP z>$niXuniQH`%eCNb_Ns|yzm4sD+qWs`=5<+(a9qg*fG*ccmoQa{AxCLcHl%6zR;(& zmP>xbTp;kAS4yU7?xRKTjfs`zi;0cfLhrQnbUuHD(;B5{UbWM)!hLY-!zNKtQlTwE zL&U>;WbD}sm2?-nJ+ACd>`x4!W0jW=PyQbQHE~NPJp~Gs`L_c7ZFv7T)BIat2a444 zgb^8Hy0dF%$7H1bZCs0Q&d!>G4#q$2q z;DyeUvAbu>W4K;+GcuiKq4+$osS7QM=0Dm7?xEo*9G>W$dB)jEz8P*+guO^u^o(;0 zReMT1?k}ht2h@YimhXRn0WZf=*#(qw19}Pzlo~HwRg@OyeZH8C50W=^QlNc5(sif2 zwEdt%yzPsteP++x^Ld#p`Ugslpu>@-H6de6A~Y0_$Kd!zJ_S5lCoL=5LBIDuN96X1 zl#Zc*lGgpLw5fk*zAjECj(Wxh&IbPr2dv|IEmuDyhg^7uXHN^`t|ie3Aq8i6Tl9bk zd+808*EUXAs+~rjw*6I#LzfB{pMxIw^tRb7(4XAg3}IUwJAXa5K5VI> z@+dj`sPbbS6lo?E6zsM0D!{IED!NvZtskyn^IgAq8r%l!M=N^4`sG!M?-Md~x-V`= z{|ZlZ9~>S$bv>*5lK+;XTUzi0ju^^7K}o0i{i<&3(2NyWXOkP3&Itx*Awe|ptm>#( z!N@0({1qRnF;`l4s*ADViMERIx{PGX2x3w(L3{eIV0VHx3>h{uk}bo@K?0i&&ZP$r z5FaR;bw2H9BFzzQ9jv#K*hr@z^IsNvn-<(EBns8^kBZ{t>$GS{uXv<=KIoMDSe@mC zM~TZFj(>w4^Yhy35qpZZKWT}^xP6=l;Dj*@ft0atvQGJ)FfpV=a~~#`?D$%JEW&=% zM_(UqLp7UqvlsP>yL<{!lvY3gNtKh36Nx8!BYoLeH{>a|rR)2S-9NED4V{=N0I1&K z-`3K8n{)q5#eV}(Ut<11d!UwI&;7+aN#v!knJzN@8IuK~AUQ{YkH% zBB3d7cso5NW>dBpy-0n;UDB6>va5Ug=fh2Vku46d62Ys`EN4G6x6=0YEB9k0CerK4q~_h&98o=7tY+kj$?DH+7F;rW<&uz@eXzW5AmV~H$OI& z6&$IfC4eR6*o29+jalx;l&KFJin|Fz@q(Ri>$;Et|w5d(e2T`R>6Vm zT`-+O!?4a(rISjI6+wuL8vCRxIh0h5MgHk_P>mk_I2S=!W936PE=Tiwdu_7)Cgwuo zQd+#umeZ+{^{h+y2|je;MTkJa3mqcbR!1JQ;2>J3V{qUMB+jqQ$8S8tTV9EKTX4YY zDt;hZl;wkMqa}s?aiQ+|hMiivb7xw*I@xH}fV=@V9Cwg*3;PD$B?*Z05!Q{H|A?Cl zs4|`;Qzp)Zz5n3;clZR@(2(G(RL}A&W?1$r(ZS3+Ftv!iC$iI0geO!au2G4G^i_Bc z-mU9xM4v5K9tM^;&%3b=2=bS3lT_+tZJQCWv8+Lbv0`}vF8&Y{9F(fdcY0x0E-(2Q z#gxS1@OTm7S0+y@!scZ|UI&i0jvhloObdMUG1DXU3I^%c+e((gYJ4gN{0Hg{IwYa0 zCR&T5l07vWm{5o3>m}I@n2Ygdr8du$yKkP-&)wh4loy!<993w)jZqy-py{TlW{4nY}V zE3lfbK;6+rhZ>Y+3_p(uF-4XRmwo4w!&}sPsh(ka^`1hJ^){P}B@7;Qy5{+ZEheAn zosa`9v*EWb;ol8B)4SUIFBtDozlg?d{s`!jW72{0x5-eY8LT`33;NW8@ePE6aVJMF 
z5=_uRtUa=oRBBR^ANS$2PZYm~;JLtCdjeX!uHR)C9-^6VcPdfn+~E|eJ0i!>2A75^ zIN%Lw{AM{~ls9{7+w7di!ziOOU{TW;=F9db&9CiDi;T}LOb`LLTj~3Rl+Yu<^eM0{MW*3fWE z;$>g^&KFW^*3s8eA;A~*lLrbR^FMM5iWpZH&$X>{vQ%ZfU*AtSXYJ2ThFQd;WpEaF z?_yV*z*^K>v$9cn%YF#5U=@6!)1S~;aCaW(SfCCQQSUVd@zeNfn;1Yy6l#@1_M!1= z01x&jINYa2{rC?R1;ow@EME`UL>nz0X`+m*s&H;=zCL7PD{0)IyftVpqFzK;@NjEj z_s$zIVT+cvH`URjF?*eD%qCw-64(2n$F}~Yu8-NC#at}TDf|i zFaLhyo!sqtb#3AaC$|-1m0!3;-71F?+Jz7TT_iTcDdAS(TvSU{V6{PMX@Fn(bnf(_ zQE#*lydF{QdiSkBC-y@{B{XF-c!NNI!N8clYE;!g@l5d4rPZ`|^hOwiQcL$SuUjgk ziw!FrcmGzs5+c(gLQ4LXD10(D7(o_iZljD22VuI4c(`tHs>Rs=@!Q#Q-^8? z{!^UfwDqt`suOr@gP+l=C{2wDmG^Fu{(!?+XK#`3LfGQgLcA!p!dwyZ+zr&y5Nvyo zmSltIoUd+ySphvE?Lx=bur2gk99_heQ4h1eO0Q-}y8;lWzKchT^=BxXKZ;`S{UTL-L10}Z=I7K+3>jV1vdKQwecgs%O7$jGGgHKTykgg{ z6tcNjaG>c6qQ%pKv^T^?=sglV9uZ>KOlk!5vOQXBJ9=rnJJT{X8Y?o$ANZEF5%w9Ro)ugR=Hj>}6;QyZEW{%)JNvkPk-k4Q_`A(XF3?!%%2nyCiXivb3Y+|lI7 z)s3_p;BGoF!W9UGRg1jP5$-k-l{+LeA6JG}r@xENs{30}#m=v3mP&2jZLgP{ul%&| zKPhE+q?OrWrS}s2+NdD2-diiIZQ&>GX43K6K*JJ2#_FxiHJ6xV<7&ACYU+1JR!~cT z*ah(#izErFEIuOS7g?3uW|P-;PYk{G5CajvXstiNT^|qIoc*cIv*zkF#kjgqbSDl2 zb*_E5fVd9c#ULv3;SP;WkD7MYA$c6?XV)Ort?O*#+(YPcA1<@5J(*t$P7D)B6=(EvS!uAdGD*G~G{!TIAO3NW|svw7%4x=sTLL?SUk59cQP- zZ8k}QaVXjQa4E4-b?j)goU=Zd8qvem8i{VNei**Sfq~ErqGO}@{`cmuw~O0x@Xy0# z!np~j&KJh{#3zyaWE933+%L^w?QAtIa~;W`iaRDNscp>BgD*FRfHz86xO^Bk1Yi7z zaCdBKmFx+zOju@zq6BV(t2c}idz^)YZvt z1o`g>6fkK04Ka<3?TwxTu8dxIgzNFCl2Lu6DBw#1OKK~bC9aA)kxmed9 zN63OFqpHavwy~}4O1-ErziaEk;ej#Qt5SP?jP`tao+$U!T6DKloZ<;H2<&V&@yC8& za_URiGl$`^fXRrx{>7s4X9hh;Bsh69mG5nE2p|2lx3trf?45@|Pj>96W#|{;pTzi1 zz)4`w2BV8cM-k=yLz1qlg3q}wlrq6KP=UGPDmDS<9$AhtT$in*vdrM)ca-+yEB6xM zpV#RX(1VQ;G-{bktvayHgR3E?75^;E@#^38!n2yBR>W60obos;II5%f47NzCcR{6C zS!NkbL?&S-WG2tO@2nCQvn;Q6Dc}UKNFp@5oxQjvc==z!4QUYb%UJ1Y-o>0P44mEM zJyl4o0~E7H4o0}?3205Ef?c?%24Bvd(_c=wOz)=tnNq|;0ViyLeAnx@DFx;KLuG$U zb}N#4fgQX*$u1!mnV@B{s2tpB?W*sQgUX#0p(7oI5>)T_nplnp;XzuVl)FEm0Eb9dX$_Wr(-D`<}! 
zrG5~rRS%Jr)%YHeTpC{z^pA9g!r%5*KWOcLFMJDZOjdUZHVuYSH3nTbU>S1u78uG4 z2&%JvK&kQUQH8|9RdD>46+y2UMmG$}RLWzQu!is26c`WL^erBtf@tI$x#)u}v&BQ7 z(aFiE;~isa^aX{_$AlSk6237Z)T)97SE)jMrKQP4A%|c6=v|RtTbzR49|+QfJ7jr_ zy0AgWAoiC>#RGBqU18i~Y`TMrtGl3kY+-1s_wbfnh=?&uB)s z;tp*o<_XpsPv#uRj|q*VBg>*kratki>Tj}V8<20Zsr;z0V79s}`EaqJ4aguY?CMo) z+neRbRcxxDYm{YhSx9?p3n`A36T!;%yxl)RJ{wF8at@;tm@Eb?#RrClWm{0hOMTz- zF2c_+2COU_0Fc7P4BOlX{St3Wmv6{UAceD#f}3#>ttWV}!nIDa*J|}n=WbJ zK75iXkZ)qS((Wv>g1as@&%X8q^{E~m2zBp~R&!T>RLs=z! zd3;m8*i8VK*nY;LV`nR%nhUw*#H!0zb@unB%184Glj8LKC0wgFaa=uo8W|6*bBvxO z)I{6T@x``DTmNdC(dtQ2fNRK3k173Dx0!TqY{rx=axW=!B;Kgp^|o z75BBrQPhj(%4nNDo+|gaeyG$001x*31%ZQ5ggRG1UkZW#9Rw2mhdVT9*om@LM&#fJ&p#SiYLYT)!RcE>n&oz4zpWYt&k0c`F)7wwep!@@8@bj?AO zvD=US0Yca-9}^`Rw&r&04z)V8c@g`sP{3T7-G6@=bU)7q32Wj$A5HuHB(-gDB=_tol6NUj|6#@ zxg6H$>Iwq^ec&q=ebexTI$z13%9thHR7!x$+!+pjOuw^|%as@3-_*hEQE}_O30@I> zeOUH`1uX7p{S)a1ng()2fJmqITcjiU@0$6WxD@n9caah8j|EbxWTHl;ITZs83)7j; z%t59pm2vyuAAz^cW)p-ppZ{zsIb=}f?y_&dRGqg%wWi3jNY^^Q<2_Ep`o4YP@&jz^ za4|@EtJdxp!uf_I&3lAMJ+|(D%ajsCO|Bxc{~~>-HVf(yoBRna`lGEMm-QM4yQo3B zWj~J9f-%X&^giW{NAx@a?8?(kHry(kEOj5ZV7~(BqC`n=SYhz3Gof}&`t~VGL!Esi zWs`k!4tV7^fI8YRNJhIoCHtz2!okfBwSsY~)J}rF;jyF=@W0tL&r6lUJJ)x*P5)Zt8MGv~#{+ zdRHe;RnO4-u3rva1}7*VTFEL1^Z@tY&#t?xgcbBM-~Q>GS2~#l zn)r+YTg6J!iKz#Uh=>Sm`kLe=ibdCuY=Ih0-8T-sKUM_Uo};ah)>k$`NGx{X&*`l>8S{~0t8K2zh>uXafeSdDgdXa*i- z{IS17YRHt1Psvrro1c?!i`pzJQERO*z{Xb zD_)QrrEe@Vj}Lf~Jd$hHNwS`RAFq)kSnW#4MIMyJU=-jhEEOcU_2pcth7>S+d<3Gu z1aVY{HX)#m%|W8c`|A9?6sPX=>ilsD}uTPRxg z6tfkn`8G1lH>mcqnJ#g*H`{Oe<|;MV?&aah59MXCjyT)IbT#P%xU^q(+$LzzhZ&O2sbG@@C)I$H5}sqjySG=v*KeM)BDGYkI2ItI_CGC z6YRszd9eC_+wh6hNjSzC1Q(#}j$?q6B?Ygm7~{e#OOeGdQkV2o-DnPpaZ}!Z-OMhl zpk51IyH;$-Hb}~I!`dEBW+5=17FU-P-iqY?IfaHmUX!d}5DLE>H7u&zdIH)cyzVfN zMp7uvg2zX#=UL$j{cSe8JNOKzI5uuz+Ma#ilhM-N(8^%Zv)XZD!af;fD zKrY(}0CRAg=2YZi(6pVNS`VX{0v5RA(=U7bl>@lr17Goz7hi%!st+`w9pa$t`X=lJ z=9XH_R{Z7&WINIBQcv&MkvV$d4Ts@;hac#CfR2$wT<1dF4WC8$a~}bJrtgjz&Gt#O20$M=6O26E{b` 
zLufecd^TlsN_9fwShYs6u1PRJ^tMH3n4-MC5a>epP}pjYqPrl4*E;nwL(vuh*l_K{ zMD~7kRYc_^j-D5Aghe-(l84m^VqF|oAXxH>m{a#~<*do)pT$TJG;j>`0fVFHe?`nd zY+3rIi^e8~pdBU2MqfeaT#F=#v5rw6Y2Os8Y}p!m3tn!n5}K{CP-#fAoq;bGTEXaX z&rU1_yoI(NyCOwfc_Jw$*lJ*wq*#!E-&y1?{gvp_IOzv~)rhYKJ9Ksyn^M!B(5I%Brf4M^($gX--?y^QtWerwB)y2?cDfZL)SFl2$IbT&;M)fr=QN zYQ*GqAjCJABI|`K5byzZ_d*uH3zuLYy=@4d+U;;6jQlJ+`g?g`g{rmh+Ak>A#ov`aPG{w*< zs0ZA)&4{u`sDmbw(m%`cg?fD)Hi-V@&d=McpzM!8)^-F{9t0=DOrxzyMbC=f)zQr4 z^%z0^nRFOzuoTOO(u3BUQj%v>s8bmAvkjShzU?cvjP9mOlVJ{JR)6=QR_x$CA^@L# zPU5U`cl zH$2$Ar?-c;6u2veaXL6aq&9=oSP8R>J+n@-8^kNGOCpD1?A1@sWNeEtucJ4wjD!S1 zP$Su|@tVu=M>>B6NCzB?=V|6PWBq>UVVGU(ihjJDME!NrFVuZ~^={!yOFRuz2u8(`$P+K{ z%myMiZyS~9IZX+a2)k#k%viIV@qCM~delW%-dNSE0`Ua}H_7zRU5#y`BtLzY7uX=Ykq~Gsf zyU@}dRkmdR(|7qt(YJ$vUwyw-^8W!rovr`J5^9CYh3#q+=37-UXASUq0vHs{nE)58 zEs$UVYY4?p>JdKJu>RzBwB#tIafvL|BVcE2_s0E&d&;Vjp2CN6>>hv&r}Ng^ombv| zF4d}akNQ&L_h(cQUl$*ZJrVzGWfk^2Gh}}k^iQ>b%sxxXyrBq)6C(X2(lnzj+)1D zLLWbrABIlsX4kpvin-K^D5=@vk~q|-5fE8oXx*(xo7Pop?_2Ng=2cJmr3*`(w$3`5 za5VmV+@~4O`h7d324VXtlceHz-#f@~?^B`_N@lrSHGPZ|dBk7)U}vT&R9yYV@UeG8 z9;oGzQsch90Mld;{t-tT!w<=n*C!Ws6ry$9E1`{8U`EOhI^UMyd+yN0a-OT;O^qbJ zYny?ag4bGy5y^aoBO4^89J}Pzr~;u}WSvY_WgjR=MAKTHR{+1(x)y2;k>GdOQC$#C z9|`VoXsggZ1WR_;*-P0?$J0C)N;WQAC;3$eH}KG1B+3$!U4qq~ssnG<#n1UX@{2rC zlDz3)l5)W^?1*Qlo$JO`3pKKSkEuK}{*LTTwhYsx>yWh4l)r#FR1NUrEG@M_;cr>$ z;TcT$2_x)<>_jx|A){0PUvsQYJ&tfn;TCs5*N4?5iY*tepq`7rrE}N)b}h2s{hXlN zof`&%tBBH5#irb~wp#nv53x$8ezbo*i!&0P5E!D1^+p`^*1>Cw~0w2@VwDK3UJ2;37=@%MdctI)muU#!y)9yJ3J8aZ6m@wB}KnsJw z!WGgX-?qh?huP&3Jk+)po)+z@NW=>tG&$m&RsS4`EGe{tL8iH5yTbC$-tC8pxlpv5 z7ArhFjS5fpC(iI0*X0ei8}?Cg?9lhFUQ!&x+cN zra0^&Zm?7bMVboEw)NsYMapmsXeGPgV_rC&l1+@^aKQTv%;eF6o1;<)swYs|``s)D zpZT<=B@X7l-l_omd6vQuSfUqZ*_)tp);n=?4ScQoz|Dd?#(N%FfLN!h$zF1i_ZQ6$ zzt;V*3|QBWn6T}JFGF=^`y3sB6Yr}+8>-UHgY{V z!D3VK8DGn)blwNt4q4e#2`g!Sep`J`DsIFKN~vxKN+?O|W}$5>?ZRb7Z z4wWKo#VqPUUXK_(*dk;)IBEE&`$qSV)Y48)61rjgqaH}up}lfB8NUp?eYBM6Fu#nx z)S*0^i%pqmR$WRbW=mp9ALpKRFNTpSks94&nF!l|MTJb^YO 
z-#vXnjPmrblc2)%nbduU`3Hl1Mu-8+1x6sX-=3BHO%!sqH~PDlf%o*3#-%v{kGLS=Nqu5UZoO6ycvadDu&+P^oQzT^AwCpkbVWf7%<_ zv;%SnZ$7mj;7KJ(CD@M}QQ7HIigmICzWLHN=Nlj+pthv7Ip_CHK)ks z_WklTSX91fdRrVkyKzN?YnVi?Vxf@J*AN50CoFRg&J*b2fUG?5Wk20A2VTJPqQo;i_%8WYXX&ipZby-mOTi7PT)a+-4?nKI2y@ zAe~X`+?CyX1MVvxLn7;Xj zwl}@cq(oHB|BJr&d@a}{0#bls;P1aDQUAG|_iy;~hw%RvdkT~`ZRhy0I;WKIp4{qX zbl%^}U}8P}e?TO0ml~pKTbDTEaWIiKnfU!O|A;hTb!kj#@gtrYJYes~FhBpH_vYcz z4sj2}!O(dIwPas&wfL^FXX=ne_~P1kOWTZ0{ag{O93F2i>KNQPP9i3b)}ZT4nR`K4 zP;7ZB!P$8N(>c1T30)QR;j&R`vKnO}O9qOi5b=J_0YflEgVS>;gT?`{hv|@58aY`L zgi$=Ca7p=c+f0jn@}*SB0IQV9mRUy408~lh7vk{aKznoTk2=-K3OGXwgv77`bZ+5h zN#MI)QUH4(Mezx(H+tHtYKdJR!X!a$#Sg>dhPUD~uEQjd0O7q&s-W?Kv@kt^(*dcK!A9~c88$1R(zWnhcKTK_7Ui~}n;V{>; ziIZHYxBNl5?OxYEM-Zn81YE9wreyK|v*1DhhdKRcCTJZu5uMKX=LSc9NjW7*ICr|_ z8F_kiVjOX!mopPbFZxolk3V_-ua{e34=D-8=8)oa%bV~}mq)J}ePM~q5Aon9tS>-F zqXSSw7g0BW8D6>Ey2a7b%&nBNZC4rgcpQ?0&9lfT{RQv%q5@*)6P+;U?ZUq>0Xdlh08~UTX*7e(943W;QmAdnggA`&6(9Rj+rWC< zoYB5{As~5#gwgy6V48ZdayaOt^5Z`1{_If^R`T@~HEB&@)jJtOi&HsqgFj93rJImk<%bu8@UTL7E>=8QN`<5TLDPEPQz{WJxNG#8BbLEyeTV z&@tr+&)jAO^pInppPp@X*v9yoJdRC6V{^b&${HuP%z=5ekM&{~*rTtx?~`3D_N6Y! 
zw1VyhM%Y3_z4m#}vA}8{l!=$;78mGXJ&I>Lj=Mn|SBR{*@Y&i62Lfi=GG=%WwDs|@ z&#==punGyntl?tA0VfRL*_Fj_0cr5y40@IuWF4c_Z_`OXN61-F8-_WxN-bphu zS@|4PV8!^5-gVt2ld!u~2jN1}{g1^SoV(popVtpw!#`gv*|)`tK)S>8uK4`or zG74G?_NhylsXN#zHkyGl>?vYf&e>j8ayHynG1+$i3Xdb zo6CgZiYU#$D5)kH6~OIe7C265KUCZh8h#_ST-cc^NCGSKCx%v?E&$r>v;`&wJ5nI~ zmh|zl#O|vH`E2=%np;K{6K!!emg)dkT$+?g1>mk;~DpSyR|Qw-^eOdf-`%iu|Acs@j@rrQnd zEcqvsi004gLmcP^RM%*JI1VHUY^EBQ?bc}|+u;V2e9I?s`@BA%YAAPY6wx1uK7(mU ztw_%~qJ)E*PDp6S>ks^FcOn7T0^j?o7^7Mmo;wu3^SKC?C9P=a<5iMa4uU0=uFj|> zdDKH`e5$itahpI2KYpoW6=4gT!`UVre71H(+0tHz9cDY-7KYBS8^<g)Su7zKTlF z-SOhJ_bZ*`@(yN*hSzj*Bh}cA z-*jo?&N=9}qT+(HG+e7*4;})NRf~r8^8FOQr;l^Zb|}Ec+L7r(Z_vt*f%nZx6eQhTj(Bor9QTID4UV>VdD!7 zX=>_I?IYffX|pAk`}hjWO@HRMmPI?cmXFbS9Wyz5xRqDT9r3xQDg084pIY;jGAdCJ z6>I$d0uzQ=G0l=AM<%-s73VCSZRN)aXa#vhP>~d5j?KYirZCNO@qvskM#E)OREN2> zfz+GIUlBm1t6OBoZh{;f5k;$1%hc#QG@RLd3@2{1i7JP zi=y}QPSk zyK`c&1C56YmlX<&0BOs%zyH&;j*qDGs(w-m_=Sbw;0dqK4Shs}rX%5t-gXNl;) z`3=3&dzOE^A7KgW*%j@qKhFae8bx5&vrgcPv&y=cx7DxyM%Abg3xQDj_pQ>KE_Zi` z`Kj=Cun2WgSyQpS5s;46D%oX}WX~aIB>enXyPH5R{O85fuUw7ca!11>k3hB}(cpFv=vsyY^UVJP4P;c6IsGyl$9Z?>a9wI%4A9Q=r43+3h~$ z*7tfS#>Jb%vE$gwD6F+>-V>?oTFp81zP%SPP4dn8QFD7BT6b02CC{#Tx-dUVO`bY3 zo(2=_PAc~G${1#H{C7B}DZFx|t7&t6w%qCxQ0TJJxN(EyfmgIaHDc9HH+j)`CvsGL zYNa__{9+Y^3(#pNX9rm~3pZGl7cyKYh(nw<)ONt2sHHR07_3`iE`c05L;7v4xhaXS z9ePVqw@m0imNLls68+(7z4D#F?b_SO@O1IK0ivto(0zWqyV$9&9 z{6L}qE`7`8UqEQy=RU&U#pM18z7+$%+yU!+BjK{PFZl~?ubM&s#o0&%Zes{ptnxQR zR-ZoP+fk%PaHv_lAR5F%o)mDy8gDM)p{5j?sn%YXYpa-J4kfGsCDhsPksiw4@stlb zEI;!d4~G3jxq~Bb)A(5Q{BGd%iPz&dv~XKoBkMvu?Ru&YTB5H6QQ8?S@)o}`4y}|} zQ1-Copn!j!ukWldN7zh>Rw4LKAP?`&0;{Yu9}6QsLzcaxP6Jp)cd?`A*9;t)-5Yv( zT_59C>#}duCCdKvN86# z60q;|%p4CS3KOx8TDyo;6T@hz)5%gHE1nSfR(d0}sK`)JAW{VdzYs@%@o$0V}>@vVfU9 z;t~oo9i({z?<1s8skmvZP=6@KYt$fps2T#}nlfebie6&#n*mzt$iN&Zk&L;JUNTp_HyrkFhSASaZ!4a@xBdJRpA7 z=M)R(f&1PXTWz*^4HmIRqjHvcO*cBx7jF=n+wJ`?be1ZkX_k>Re8Nfz-f6;09FH8K z&|86NMEeXO^t}o_>B(UhIK{|npWaxm`Mkj!u6agN{VL;$^iahn0Xwv6&u}slct$Wy 
zMcM)S2Wz1q1Pu?~>`>r+Le;~dq2SC_K6!H2rk_a4olxNxISIOj1PMEWFWh;AeK7nE72c=8;Z(3RxtoebAuGqihU}A;) zOQwCx&Bi}sMr{)dn}zhonB2N^{FU@9(T7=WQJTq|O69(D7=jDoN|~bP#YCff52=X=9f*sK5r5x6I0EcuRX!>7qN5&Y6bh7YZfe= z1?S4y9>wamlCi7*(UG1fwYY9v&dRWtU>u!QuxB)F!*B?VWf$1*HgSp-&%Dlb;}!qNg? zL}4BB*+>BC9`{PB01+Tg=?f%lyGu11heb;KY!M4B8)=h$2(M(nfx-ueyqCnT8`m_2 z^mRT~!LNcDWQy&L+uA4;a72B_1S1#|fCva(G@p015L%pqzPKePX+S#3K1kPVi4 zsIsVrgkrI}mG;luQ(^~Bqs)%$PB#cjoQQK4G@un1gzLM5rM75n%xNf+QaY$+7AZ@9HirtChqm~d$vCD z4$byAU+NS}{o(4m3`0NJuq~lnYTq1jxVjvQezXG|AVRvW(XRAwN{hF*;JiIl?M~DE zW#ak_vS3U+pTr%z%--0Y=|w*=nXroNC}asQ0AdNFY}5`EI~eQ%a0@tiS8uqP9L*QS zvol+2%200QlMg5v=qB@^h|AJc1pyMaBwoVLvWQBu*@)ZL>J+R*~5*QDwEuh=ZBi| zqPY&kZcKd+h2Na;0u8%9>d*UZy7x^JdiM|*X@TqHc#>VRP1^5Y_u%>Dy_y<7zr4uS zjQ7yH4#T*3vfU!zy53x=jky+&dG-ceFfO}kG4wreMoiiJa=e_rcI1YpR{4J$j9wrs z9kdj8LDHQ*%{OVV@!H6ZQ4E6&Jbg(HBM)UwYSC|QwI?vGYg_Z$x)QQH=l}aQB>YJ^ zOfYHE5@b1OIN|tg$ z+&zVDr$nQF5pRZn zq<_%Mwd@}Os;-R>V>4J~GmIB0u2{GdlOv|0=BsSVpsWo5+9iO;raGPGD;$dFKdVYu z7MjKYOy%f>9$rz>WY>(07M9wzyq)PmjV&U6Y(t(!O=Kk5TzkuzS24w!E6QEnxpaoi zCo2d0wvirBDqLW*WQUx%IK0WBv0p0H_sT`=sN5yvps-suuXBf(nDDecVR&gYoseTy z*KFD=#ts7?n1#_)nZ`T~Dx~mPTOr^r5$s z^iCy@_veeA)ve@R5YfbQ=FVw1^unEqC|rgr<*@*F1bmd!dG~9UeSW$VahIT9l3za=TUqf+Y1_RKr@l)h6Xf z;_`NaNEzXAxvY>v;Z-ZEqTilFEZg&_nQsERjxPjU`FO9tYC_|jr<*p+L(`dgm&7>G zkC!kIwNvQ$5meRaOh*nNHy^^n)kO9v;Ly9Vu`=vSa=WVs z3?kW}PZf)n68aSmIe%4%T1mSSIwOhPbz}TtB6*HX7N|wiwX!@Z^%LV<>uDMDSjeik z<2|x|^*@ij?%o2!1p@43lvbJaBv`qwm~nzq`*gxs8XlAc%(yMDANhgp#OFp()5$bE zpq(|&Cu|=0VrYCb3}DGPJ$@xRekUBo@47Pl)7QHtmqb`z=I-kKQ91E#v?rQ%@=N4` z)lPL+d-J8P3?d77ac4!-|#Gf&Ka$7q%lD_ol8pX>#*9I++br89l3hl zB%ych+v0+LwOZyo0nFULmV6AF_MK{7wgC8eA|Xf1UzPSZawhiv%-{IgnL zoK^fnh=B4TbI2i)$_$7%6`}380N(xBW^}NIpZE)xPR*KTBagK`Xc0Z0jSv&H!Aipr zhB}Ez*x(+B5+Xa6MO1?i=%JQAvMTSeAN&Q4$X?>N9KC+m2KqyFXXnVx6`7bEC`Zd` zr~mW8ApEh-pYVsvt|>kA;D+#yk5oU;&IG`I9f4F8@f@KcZ50=yn}YR?h#^~>!Sdn@ zy~kg!ZU-?u%^hbSn6HvV9qFq=o=P^NlPRm;NCzmIg1Y{+P$l!Sza;oJ$+kY+eXOV9 zpA8Kx1#~zrfKj5XBz5`8Lu=$ 
z`pD5>GL%QSiq#y(nFVT(sz-TK>S>ATL3dy_aQANB7yDe|9mu}Hn^EbA`Wk{Gr$w

C4rzqG*w(+cDaE(n8{lj2$PjS}(TImB{ovbS1mzmu~D7I`Cvz7`4SI#}tfq7TN_>kfu z7fTTTrm5s0)c8tN0_>w|CEk<B)z?WX^X!f0|R2BlNe&D~MoR@y1N@7#IWED5};0X`u`>0nlaf z>$RBIS!!;V-b^t&{g{}%!!#=H&|`UMc^*%Zn4>?TN+G>c7Fh?TBB#D_#}o2# zvEWI^dmM3!1ZT#GJ;mPVo(ienM@_+kGF2_mxE-wO1NPHRUcyiG=AG# z-jEd>=|~_mCG3iFV?M2+^&0=DbFeC$26Oso9c7DxZI=Lts7*K!y}!evJlYB&bn`P{ zW^HKqFJcPPoy zZnwPyJqd<`z24e{Ra&x}Z{67NlVyu?FQY1?7#!Oy#Kgnz2Sj=#9~h;uef?KLPh63CKuM#f*%%6mQB?FyeernF>6&%m>9iIZq&Mk+^Z4D z&W6`*zuj^j#)1Q`EL@Tm+E$ZGnk?{Z+sZ8UOhKzTghF^jp9QUw&l}IBPR^arw_D#p zFH((>?xMo~SqT;4_Llw4Z<04)@rGEH zCpP)K$}TWL!lF}_gKrLgTFCeK?yuh~^ zEnjVD25w`jj082Z^SH&vAB})gz-5<4yF0sclv^y((J|=iR1t-0*fV-(SsTx7_SQTS z)%w1I@zzZ8@O^FW?g;zAd=wQ^f@7%{Sfn8>KoDK7O^AfI&UWvE<=n1s1eC{x!hQC4HtZMS|P z-Q+67M~9uLo4BIxo#R#x{PA~OU?$J%jye^R|2Ja2A%&({n%j?-zIh&mmJZIX@yLmX z3k}LO^vvwAHh|eytF=t__^FyZ+(ZwZ3$A`+7AE>WruoiU1^$ZZtplyT>(!yyi&be} zZ6G&O-@@t?IvjHRTO8fp-<^{}E*qiflsb*oNon!*=MT&7|8XTm7zJ~%Y%&u`gh^rB ztPD~W8SdaZ`^16O=19+{T1)8cHO?gTa&m_qXeRmgI?c+b+Ce^(f;Wc=Y7F3k8Yv9F z4+JS)InC$86_Mro40NWj%)Qxlrm15p2c^w`nudoC;U0<_B`BABa!7k}?QRNo-oSTx zN88M3Y(BEu2OgCab+L}JY0fX&3_t-Ew-Q073VPgRp;=>}lrE{ITxcRWLn`H6;5p`P z0*7L5Hh!OvBq3F6+g9~t?Iu5 z+aWz(dRzv@9&h6VuCUyK(J_9t+96rwJdqt30aa?g#fGgCIS@&%@}A}Wh*>TA9c)KH zh2HgVtFu1?*T(Am;IjzY8k|a9{7Jn1IK0VEqcK<`Q5LO2j2SU`o}B5nlB-}1EGn`R zPswYMN)23^LQg!5Qa)IIi=Q=55twFC&4AR&I-HKdI4JB2x5Rfkl_~O0M!n-bPc`Ex zR`He@-~}FLQZAnr%$z`)WZkb75o__n7$iLH5Z3C?_*uz2&7$hQy`ln#+=zbz=YEaO-0Cr3_Sdw#?p z2OZ?s-)}gTQDNL~IA%QGB{bqZM(p|yY!(OPv}W%{YJeb|I@#+CCa=b{$&>0FEM*N$HzXm!d(As^!8Vn7rFzeBd z*NM%>P%$@{%p^IL{U*`PZ(_5qcTx0n`-2p}P&u^^y>kz}@vv^te}Tn!pmIJ)8+x4z zab4Tf{!vL~BVJegf!Y8SFVvfhV4@apuwLWIDB#+{r!M<>~sm6GF!MhFn3T^XYJHmN*9Xp0u z#Gtb-H}1MkQNNO>Ra0t$B+L|?IVk^aK7ZciE5!3@?rwe*=v?}o%Ai=OSe>>GwDKt* zd;b27xuX>wL5dh?VK=a4a=kRN~7;aC`Qvh;l5h+gChi+&OFr{#56K=3R&QDSNp(5iF zMUlmKCEQ(m%MNJK1<7IH!?9%cp=_DbQjj_bk!MT-MW}!VoybY^I3Z%dWjw+M$IZ{0 z9McVIatU@*YFC`ug?`gsHYb$6oF)p40a0Zb3p7}<4il#LCBWbU7q%I5^?MxqgT+B9 zOOb;)As`cR<`N=spLvv 
zfZqFrmjy<5lQKd7iAp7`0UHXCeAW);(%gX}&zjt|Wc>gtCv=7}PWU0cKpp2ob`y#^ zRhb&Pxqk9W$n%I}M295BenxtJtPJ?tUOm5WI{*ob5)WqpEe;ZtA^WIs2Lyw$2UJN3 zAqhvLBL{|nN&R{joyyW%V0eifV4d66i8jC#!-WNw#*8IoLb?lyKQh(L^80d=gAfi8 zWgQ3@K%KQe4HE!+XJNe0#^za85sXs8p0WoEmOiR^R;>T5uQqyU6v`K&t5BlSB1A6K zMn-83{ugBgZ0QJP!x0Z8{Pz+7UAV4*RdTjXSU{Y{MC4-b8^@8ZuHdABP+|+4y37&R z=mPc0eZGqV(<7Qe8a4it+DTc55UcGl|DYEf@(ohSqk=!ua71RexJH(lI2MIF`TRAG zb!2c2@Xy6A8OBjOSn0?qzxafywNvZS{apUU z28B^BiL?$?GeSw@VXX)61K4|@yENDsn7EfHoi^DX>a48_R&xH8?g$UO!3>Zv*s9MM z0t%aqtAIH*t1b>enL;P+i%&T2z@&1K6tsW(DZJnUMldM+sDi&RWK@%iWVu(P_C=f{ zl1r+^ZMO^@K$?mP^=p-lxAu=xJn)^zU@H=&AvP$7MBQyl`wHz>+5_h8_BWGlkWQsEfd=jFOBnV|$CiQZYxbpcT%yp!^ zWm6c{XO zsYXZ0515-D{4t{gZA9~?&6Kx~H_b7H+&B8OVdBb9pnu^_(`rxjaMRM-q3APl>PBHH zPv)OJU~gp-IMXV9Vo1*D5+(v0-h2#L)NCXvI~ZA^p+^Tf;5hA!lv>Kp82RW+NY^F{ z3VLznyzD&@0z`m@5JVJvYC*EooG8Li*<-oHwN2evd$GO?!(ZLSO6+FJx?M7cvL*4F3fjwe#mCzpGFEYel4^e(TDRFqhU=^lDTA{h z+gHZ)q`gL1tq~}L>ms^Mh#p3?gh?VJC(*L0JAmv|#4CuC1ITi&_$vYGxOSiD7kI%e z)_(H!W0?)+bwmOrgzk(^-gcTtNXSri^?Z{K${V;_d4xo7I_M77lOi-9%nSKLfT~U= zs%3)?QA(_6Z|n;x&nTl5M8Ccrp^P^>vWFPa^Mr{e$@=o)<7B<3jrtsTvXnj^>Mwi9 zptW`tx=7;--@mngCyM)%qs2I9SlUz>Ddb&W;lZ@rAf96V!8bDdeOqeSl(rJu#2X2I5A4UtSv^ZY++@y4(1iiysnCU&OP3mW z!X!p8J6H)=Zo*{)-hslj%++g-eC)gZ@o4oumgXLnG8S}Yz&dRgsy!MK68cY@6lp1F z@lIODb{|Umnp94AV&Dba$`h*L*@aN;qODqHmFN6My+&wt4e;S*;ZwD;T;R1uj-h1G zGJWeeu0O7i%am2EygM%V3~7w*9(~ACu&r`XrqH8tZw|0OM?wt}j0nRCj}@ELiD}eS zxg{GC$5?T{UVt9yY!}e7@H@TDmJ=7g*ZEx`P#}1LKi-WIvH^o}0Dv;jyKt|pp_PA9 z=`U&@c_FO84||tY*+X4^zVk?PNnDcFAE{pI_qF?R2*h6`d}iqb^74#22#zhd$!xMw z5jRtAxNm(t24}m?gAD>IRc8@?zop2&HRZv`Vmt}g%-?gTYD(3eVw!Qy~L zF@659dQU6c%T`vVy76lI$;|@P!BXLZ8~NlIaDm)S@86WmRnBzcgd}3r_J>E7t}TzS znLWv#)iau;T&ix^xjic$eD`9pN%P}PNs#|c(ay7rwdly31q~qkXgLbY=Zv_duzME4 zZg}Iz6ECRiB@-1h*WKWVvt>t8L;sZc&4(tFuDrZU>y=hMT}3ozFSEQcmwi$BU@fiv z_Qc5}?Bx~I=jbiI$i{h>=S(N*3g+oh`4WT7*v7WUsCfpN)}(eIbb+X8l75sE+&1y) ztgc{v^R2t1pwJG(xPDdz5nBPvqSP;j!%5-xo9r*Y1J)d`YQxm)2*XH{Ds4?&bJ5z1 
zDXo>OR9kz-HVmK9PMMPoKyU{5B8e|b%QsWQ?DQ9IDkbiIL4B+E1)c(YRK5c=o%{)Q zA1l?12^3Cx@;J?&r#E6zrj7#ieAIQ#Y)GB-Q@Z3i6KPFqU*A?w&oB62i37g|FAY6R z8D929Ki5yBG^v*ri>zE1OiHARdm8an(Gwh9@Kd^(Pq(&CurqaC53Ok1@Q~Tb1YIYW)q*GuWm&RtHU{CRP*;f8&;n*{QkLF&Yhb?M7@gZo*`2HT=Cy zIkKL8fjo_i)Bm9)w;|&;&K+x{s$KZj1avbi9tbD2v!ky)1kAdmVIjLwy+c8biH9 zvU@9sgul4E4zsT~N%!X8I+bEUw8-XR@$K& z&n>3q?Is+~+y$+1ssi>EbBjgk!QLr*FC4i3HjN|joc*Q}=C~_Y ziK`nx%&dG3${3GVva4lVNrK^_89j#2JeTKFM5|RYQ=McYSI94aSEf`v_n0>7N$iog za3F#E2P=KVM=^2ZX*oH=dHFgnqe{?oV!=ceO~SHHl_54Dvr0s;QUrRqu{9_uiCkdc)QlIvd0j_yuVzsv za`zYhg6ZB4-v*beMYY1?7p)G%DS_}qHj)GW=)0qX3*gCT#zC%v%S3!C=v8veN4Y4= z9IUx-+~Y2qPtghg&s&{Smq|H;ka|m4SYf5{MJ|z-LUlIgvLp^d-zB3n*@9IfSLNoc z8LuwVVM=+M8Mqti5HGMj#fAn-AN+#`$^bq}S!J_UD(N|J?K;#y>fJZripE3!^16Z? z0)M*mqt&IyUwB;gZd(zrBe$&OjWkY2^XKurR*Dy%AL$%nTnaFk5z;YFVmU~Qn(Aw^ z`W+&DRZvGv%BEy|xKedy#k>%nRfQV}L=RKpwFwhGRJ8@EZ~P-QZQStb5H$IG$OhY} zz-rj-e--qLvkU=6>QWJ1&gxvFr!vl`OD++W!DW7LT73>MNx) z);5z^PB-{}gDGQDj~>6;ELGOcd}5I5WDCzm*5I@A#e|s zCWw%msBv!KfiE5@Xd&QxXe{D)Q~iJ+e*j%j1ysZ<%dgl7HRCOlICF`+!&au1^wt>L zCs$E~nfT7*iszEuKFSZ;rVmZRJ*ti`e2VsHQf~?Ni+zO*aOUgFe_CLwzf4WRSB20M z-%UERgbDngwfIoaUv6VImKhr7UPjhbSXYz3D=O|r{5|R-8#!w-aQGC^FUI(k?#%Ch zjp;rp?eR=hD>HXKpV!~TO;htG^Zx8EB`?iVS2ZPqwa7;@&uG!K0WOoIJ%x(x<7~W? 
zW?UB@^U@U3$kgmZkJ9xX25LLYL^){TqB5vDENkXY{rNQKkIvq$Zf@ilX3{Ym)Wb5ZJJZ4?ew zmAX;HEQ2c6O2l+fbJFfH-IUjnMzA!5@$T^OccFKlSC^@8ow|vhZft>-G8Fnl)T_WW zf1ZV>&4h_e?zK5m+03=(>aL{*J7KpXa4SRXku9Pu-G?fQy;R+Zhq%3DOx39#3_KfJ z(M}_jJNzEhf{e8P=`*JG8q`fOVSpcOE?U_9stk15jvd3N$Hh9EaK+ek$9S(Jx;?uA zl@4ZJr0zNfiA&1bI4gP@1PH_$xI6v*%h28T(_&5ScxIbzioT+kYdUqw1A?UM>MdlT zn#DFzK)ollI($6)m{UJ4Cd?rv$E=jO_fG6-uT$QHMp`V*_QyGAy*ob-KuNU&FS$^I z?o@8w7B0;kR*WWTT%kUF6Q{QT1NO(>U$noXrxYvHkQ&R>DFvoQ6Xwscz0F-TMt|mc zYP!do7<1=ipxlGHa_ZVw!^BP5HAb*Za#stjofgAcUC0aLA?|#XiPPpUyXyCFzptaP zWxwk4JWh1E*E}^LroV4;rvCD0eVC6u^EX@CDS71{A||H$g;3~nVos6C7_ql)nJ7ov z9jC_KT(Z+L00h)BpXxosJz8wT@3OpKH;AVY&4I5T&b5*7V>H94at;O|u;@}NzfF>5 zqBV#c3pt)C3%2Z4U@g?}y68<-T!m`!#2Nl64a8r=!~927&B1HbP)#|n^iO^*#TLm9 zFWQ5u86t1B?h0Gso@`e)@KV5h-OxF+KKh8kKFyIh)h3qwgb_uj`N}n#;&ORL3(M&H zbQWt}i={X)MqyH!o$l<&vUL;wu5V? zX(fo_Hh_uw%IULxk3@~$*UcUgpQ&jd4`%1BJ=C^r=?+#*N81Tz^QO8nbV7E$54ld4 zkA0itAK^Pj+~@gl^!RXe<*;woPEXg9f1^NCl?NzmZ}pdo&U&9hdo|zuKr1Y~!bEpT_NmqS+QXi$+alY&mSD)4+7XP{A8BSUA53)YdPcZ{rwb#0ot9`L zqD!UqLLvVoJD~c?pdQGD2XN4tSl_Lijw&7S4&inw)@ua8kL-6XUx4}RCO5@HJz~1R zEVvI>WL@vM&%iCYd^jZZM|iV?+Ld61jxY;Ufc@XGpw0aSUGjZp6x>TW%3+`siIr_R z+*-|DEvWFyn$ES_e9w;k&;w9)k z=+-4$!u7y9gcZ;KJ`TaIpauiO=b@yWxruP6(|V-m4JYPK9`Hx)U9sOOnA(1y52u14DJ4`=gbNZ|JPF#tvzC$M>~TDeWP{C(4{^`9gnb0XRZ?WK2Zc#U9bR@}f6rBnLg^-+y!NxxIG4 zvNIinK})x0TTbhk>pg#C>ZasnraoIYfB!Wr%Fu5`nANlpdgNX)dutA;q1wU-%!Q-D zz%ubEO_b(T*V zkaDlks@%A-ru(B6>$XJ3oO&%@(DlNVlD1Yy6OQdBqEW>A!GV_55sxk(Q6|W%qB zV_KppAYI9EK{trOX_>tLE_D3CwOa?!=*n_tp8wuMWns@Dlge~& zwU_XFcQ(m5Q#DovCma*~p>=@^4xa2|KZZmYx`1#6#7VY9g?>^KW`Zj|3I#P&!oi+6 z^&6M~Q{8ksxN}lNP!{s}AcmBa*rMmHj91dgtkMbo>Fe-E+rAsI=B%bi~U)E(0AcO!&hyjQSnIvQnS z&_tf2MQ^_FE)%$20bJNWH;x{>Dg`Q-fD8dj*%1z+Z7SN*M-TOhEG(?pmUqHVC@nK z|3?Tef%Tb<4zI)Gj|;pHA!Y{|RDRRXxiCa+=aM>*0L5pcu3u^TlEZ=4(8|9BMtZGY zz^iwh^5m{1qp>^iulZB(NPy|ghtM~2Gv2bvUh#G(dYd+DWfe!s);-wt@I>; zt2QB&=KxvQ{u3);tr}UDK9hoTSypKt+Pk>b2J8qpvk$*x*M{?e(u;1-FP+Q_Q%s%p zM##wfP|2PXhFT7m#<5+OfAl4XsAtJxl~*?_i3r0|h=xLa*@={=o%$5=CT~eR=KI9( 
z%mFgLU*{2Ka9W5a-^DYY(Q#agO96&hHQB_ElCvWu&BXxH)y;Ur>s$#-pWjT0fXwG< zJVj0yZfnd-oA@J6dn&2dH-kOTeq49Ovf)0m*cRJcU)i#3j6wU@x~g)ENl)*nrse19 zOW*Ut5@rL?=Fn8vZWpFgR=@TB&MyWT2PsAR9GBSBfpgMyCac~Gv-A8+r9D@(^u>bc z`r}C_iBb(Jm8*L7o52_#0)?+*a=}z99g2rHkY-pg`XtI@RoIw111QErS#IidMfZOT z2(a!oT(0;qB7fw$oNxNWHk*Wv?M??$Jms4${@QYd4Wgue^iqReH&3<6J=2eOwr;#a zwsD{eOx}_FmT+C(u(tfFK=qj~h%P+RJw*Rb+XN5j^k<4si-K}@Q3mZ`d+lrm1lweqGGEq(U(?UpMB79u#}a)DY^yUrP${3$DNC1s;4{4b9lM`gzMYB_IOA15 z^QjMqo8i#mgfJ?qy*KcxxT$ZlvDxG}X`*9nC&un3t{$z65(9U($&^i-B*k{j8BO$lKzgnMKw24UDq-!0cJ&-ANimWa7 z#5rmOFH!j{lZlHshJ^Xq-rSsn0Uqc0>*#`pczfcP}Cc zi3?-Nkoar`-5Fy}3$Xs|EGkt-Z_0=Dkp!yW=IqBwkeXW`mtH)`Z%=&h%*WX?5zBA! zdwu;d9sO@_PRCu}M)Kp^k^e{GI+UO3rgt`VbTl-xbF`tiwllV(w=lN;&&f_oR*Wnj zj{cD>Qpa6uE|E}@sz~VdG7M$osk$7*p^z7*FG^r_l5O`o;b%#781X~U$DLpz4aln8 z^HxPrt!T#gaeSN1yuUA>es}^Z1x$IKF&-CIH;tI(wCuQd|$0 z5&(|F?hl`?juPk9ziy_k0m;YXwJ-ZrXU^X*-dx!P@}F0CSLO28TP6BuuUAJ$m-GAY zPD}HrPvv^KxeNe;YhR(QYy$m`+hdO7&zFa%5I^@WzR$xWXHR{=^zm@m{O$XPGmTsS z)y~tA^I9yzbZV(_^Yn1o_uB{S)ebyA-=|OTT`UoSAO1apE1vSVyHkzr_Kx}S@vz-i zx4Vn)`^}9X!!W|R>G?B3*9ZKx&Og7F@0YjJM~v&;b>FXk@6XrEQUQkd(@AsxK|;_Z z3YDqBTDsw}n=|~O_=bG*F>0hjI_R>x<%z*T;N>!*N|N-A8ZcD*9qBcZRScB_DEf3_ zFR7*`HzjrYa5~ziYDHODg&O3_+A<}31Y@kD454}h1C`KZ9<9*JOPfpfKBE(~2y?Ys z;Ted<@{lzUlr}FTDNS$(*_aHs}h zD^^nmvHpUoq5xs!x&!Rwy(V(1d~~X~-v>jA1;O*)cV$OhYGrx$ZEG7zuGZ>JKVV+h zp1Yyi)M_0mLJOv&GMH>eJXfwCX*J10i^Tz{dFz{l6o-&H!8^S^nau?nr^ALp;7!t1kv7`uxSw)luS%DB^L_iP~S1n^ykGnhb_S1goU%z?%rhBGm=KYT%ouH)i zp?Bta-;wAReuw&6U5lblC#k4gKXT?l_$HP?@aClwkC_|1(Q4xhrG>0xlbO3Tvdt&` zPiU4_dbuBJ%-U^ZTIh8AWEo2sq#PJx;SeQh^J4|IS6Z|vtBB{MMxu%F4Q;h{sUvp| zGM;E?v)FofRE8%_{0ozKHsc0oc4mytKJrdxe&cz;MSY1u*9pHu*hJdyH(=-z&W=8Ox>bBCvzWENQFKxFoI}0%*l25U zRcEZGUQ%0|igkyDG|bVbzEYz;YQ(^0l(lkaSHm;cmTemMj_79VU`0uFm-K(O2(t5j zdGs?+a}$UDoVCskVjEx8IeiZ)a{;3!Yb(dvBR8tEv}K@M?Qv0h{sOUhV9@5ris25^ zCfBY0wf9A;mOa{2tb5NLq`YhA&2G9!#c?<~8xJc5lUmPW6b=dtUPDK#Tq@Y4hN)Ku?C|;mNn<7 zon4K2-j2$NzQt?h@|@Fi80!kcQ^L%B{A@)RuSOQE5U;4ctkqwTosh}NPdW6U{8G1P 
zzTvX{>a|SO;j?X1gOO}4>8f%E?ygER)83A5eQWzzi)NT zx2a5E)RX=){8q1;V275zty#!ASAUNh|G49pxAJeqxBoU2Z~vt&>#oiD>ScT&mwE-% z-TH4rwy0Tr$_@O(-vIL3qNJ>c>0#>NSCY;9YIlFElb;!e{ZfKq3@|05CJBuND(?T! z$>hf0KB`x70VRQ)budf~X`Bm?l2EaPD+!U?di~hLVgYEK1avRumE^ z7h!20Tf_&;Oqm{r86k*YSK$c0FeWqth@V=?u4P3&o^uyxRg1yOr3Qk9uTO-<+oCvf zEh92%D#dX~50G@gWrqPm3bjK?GTyu=!xkG(1ZV=-2cS?7dX(*K6c#HI#zh2!;?i*8 zV=|6YnAIczeldYKw+Z5#i9Ldg<4Oe*D=>&6uui{MzKM*r?Q4op1|E8XJ5{{WI$=+M z_!%@7D3-?YFUfd1n+vEh;I0?17e`p@dIe;e@2Zi#_VRtI^$r02Kzz*+_9a(EY#9Z- z$>?FN%l$qeAfq71@lP-a)7~r}y*h#$O)p!I#Q5&h1>-maWO`87uX<4MsnU1L^c(L# zfxp{9RPZ8kgss{}fu=E@(&{Cw>ww$`f`dAKV7mf(RP_5I8swPQ8Crg#1<;A_IevNv z1)7HAsbilPECf#Xf~cb-$^b7`%1iOpxZ|{vaj)w$!#@B!1Du(-*e7999|e4YkQ>b7 zf{B_><1~e3*>Qzl!Ww<)_CX_5uzEGF@lIGXQ0|Z$D&$aT#S9jA#$RA1>}`O8jv)PE zs*?d$JH|z#33Cgg*8`1s!6Lutu;g*+bwVpzu+S{NMMxNfub>-3T$UFF!+sQ0=9|OHT cZ|K4lZYFzeQ3bmM7-kKAZ*(!t?JoZBUy)`h4gdfE literal 0 HcmV?d00001