From de0330e95ff08ea6480a90d3eb46179ad1db1343 Mon Sep 17 00:00:00 2001 From: Kate Osborn Date: Thu, 3 Aug 2023 15:42:09 -0600 Subject: [PATCH 01/30] Custom nginx container --- .github/workflows/ci.yml | 47 ++- Makefile | 32 +- build/Dockerfile | 2 +- build/Dockerfile.nginx | 19 ++ conformance/Makefile | 21 +- .../provisioner/static-deployment.yaml | 53 ++-- deploy/helm-chart/README.md | 38 ++- deploy/helm-chart/templates/_helpers.tpl | 14 - deploy/helm-chart/templates/deployment.yaml | 53 ++-- deploy/helm-chart/templates/nginx-conf.yaml | 23 -- deploy/helm-chart/templates/njs-modules.yaml | 216 ------------- deploy/helm-chart/values.yaml | 10 +- deploy/manifests/nginx-gateway.yaml | 300 ++---------------- docs/building-the-image.md | 35 -- docs/building-the-images.md | 50 +++ docs/developer/quickstart.md | 27 +- internal/mode/static/nginx/conf/nginx.conf | 17 + internal/mode/static/nginx/file/manager.go | 2 +- internal/mode/static/nginx/runtime/manager.go | 2 +- 19 files changed, 236 insertions(+), 725 deletions(-) create mode 100644 build/Dockerfile.nginx delete mode 100644 deploy/helm-chart/templates/nginx-conf.yaml delete mode 100644 deploy/helm-chart/templates/njs-modules.yaml delete mode 100644 docs/building-the-image.md create mode 100644 docs/building-the-images.md create mode 100644 internal/mode/static/nginx/conf/nginx.conf diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 663ef8b766..37c9eb3cf3 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -55,9 +55,6 @@ jobs: - name: Check if generated go files are up to date run: make generate && git diff --exit-code - - name: Check if njs-modules yaml is up to date - run: make generate-njs-yaml && git diff --exit-code - - name: Check if generated manifests are up to date run: make generate-manifests && git diff --exit-code @@ -160,6 +157,15 @@ jobs: runs-on: ubuntu-22.04 needs: [vars, binary] if: ${{ github.ref_type != 'tag' }} + strategy: + fail-fast: false + matrix: + include: + - dockerfile: build/Dockerfile + image: ghcr.io/nginxinc/nginx-kubernetes-gateway + target: goreleaser + - dockerfile: build/Dockerfile.nginx + image: ghcr.io/nginxinc/nginx-kubernetes-gateway/nginx steps: - name: Checkout Repository uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 @@ -178,7 +184,7 @@ jobs: uses: docker/metadata-action@818d4b7b91585d195f67373fd9cb0332e31a7175 # v4.6.0 with: images: | - name=ghcr.io/nginxinc/nginx-kubernetes-gateway + name=${{ matrix.image }} tags: | type=semver,pattern={{version}} type=edge @@ -191,7 +197,7 @@ jobs: file: build/Dockerfile tags: ${{ steps.meta.outputs.tags }} context: "." - target: goreleaser + target: ${{ matrix.target }} load: true cache-from: type=gha cache-to: type=gha,mode=max @@ -214,8 +220,10 @@ jobs: . --wait --create-namespace - --set controller.image.repository=$(echo ${{ steps.meta.outputs.tags }} | cut -d ":" -f 1) - --set controller.image.tag=$(echo ${{ steps.meta.outputs.tags }} | cut -d ":" -f 2) + --set nginxGateway.image.repository=$(echo ${{ steps.meta.outputs.tags }} | cut -d ":" -f 1) + --set nginxGateway.image.tag=$(echo ${{ steps.meta.outputs.tags }} | cut -d ":" -f 2) + --set nginx.image.repository=$(echo ${{ steps.meta.outputs.tags }} | cut -d ":" -f 1) + --set nginx.image.tag=$(echo ${{ steps.meta.outputs.tags }} | cut -d ":" -f 2) --set service.type=NodePort -n nginx-gateway working-directory: ${{ github.workspace }}/deploy/helm-chart @@ -224,6 +232,15 @@ jobs: name: Build Image runs-on: ubuntu-22.04 needs: [vars, binary] + strategy: + fail-fast: false + matrix: + include: + - dockerfile: build/Dockerfile + image: ghcr.io/nginxinc/nginx-kubernetes-gateway + target: goreleaser + - dockerfile: build/Dockerfile.nginx + image: ghcr.io/nginxinc/nginx-kubernetes-gateway/nginx permissions: contents: read # for docker/build-push-action to read repo content security-events: write # for github/codeql-action/upload-sarif to upload SARIF results @@ -259,7 +276,7 @@ jobs: uses: docker/metadata-action@818d4b7b91585d195f67373fd9cb0332e31a7175 # v4.6.0 with: images: | - name=ghcr.io/nginxinc/nginx-kubernetes-gateway + name=${{ matrix.image }} tags: | type=semver,pattern={{version}} type=edge @@ -269,9 +286,9 @@ jobs: - name: Build Docker Image uses: docker/build-push-action@2eb1c1961a95fc15694676618e422e8ba1d63825 # v4.1.1 with: - file: build/Dockerfile + file: ${{ matrix.dockerfile }} context: "." - target: goreleaser + target: ${{ matrix.target }} tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} load: ${{ github.event_name == 'pull_request' }} @@ -288,23 +305,23 @@ jobs: uses: aquasecurity/trivy-action@41f05d9ecffa2ed3f1580af306000f734b733e54 # 0.11.2 continue-on-error: true with: - image-ref: ghcr.io/nginxinc/nginx-kubernetes-gateway:${{ steps.meta.outputs.version }} + image-ref: ${{ matrix.image }}:${{ steps.meta.outputs.version }} format: "sarif" - output: "trivy-results-nginx-kubernetes-gateway.sarif" + output: "trivy-results-${{ matrix.image }}.sarif" ignore-unfixed: "true" - name: Upload Trivy scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@5b6282e01c62d02e720b81eb8a51204f527c3624 # v2.21.3 continue-on-error: true with: - sarif_file: "trivy-results-nginx-kubernetes-gateway.sarif" + sarif_file: "trivy-results-${{ matrix.image }}.sarif" - name: Upload Scan Results uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 continue-on-error: true with: - name: "trivy-results-nginx-kubernetes-gateway.sarif" - path: "trivy-results-nginx-kubernetes-gateway.sarif" + name: "trivy-results-${{ matrix.image }}.sarif" + path: "trivy-results-${{ matrix.image }}.sarif" if: always() publish-helm: diff --git a/Makefile b/Makefile index c5b3807f9a..2bd87491c6 100644 --- a/Makefile +++ b/Makefile @@ -3,8 +3,9 @@ VERSION = edge GIT_COMMIT = $(shell git rev-parse HEAD || echo "unknown") DATE = $(shell date -u +"%Y-%m-%dT%H:%M:%SZ") MANIFEST_DIR = $(shell pwd)/deploy/manifests -NJS_DIR = $(shell pwd)/internal/mode/static/nginx/modules/src CHART_DIR = $(shell pwd)/deploy/helm-chart +NGINX_CONF_DIR = internal/mode/static/nginx/conf +NJS_DIR = internal/mode/static/nginx/modules/src # go build flags - should not be overridden by the user GO_LINKER_FlAGS_VARS = -X main.version=${VERSION} -X main.commit=${GIT_COMMIT} -X main.date=${DATE} @@ -12,7 +13,8 @@ GO_LINKER_FLAGS_OPTIMIZATIONS = -s -w GO_LINKER_FLAGS = $(GO_LINKER_FLAGS_OPTIMIZATIONS) $(GO_LINKER_FlAGS_VARS) # variables that can be overridden by the user -PREFIX ?= nginx-kubernetes-gateway## The name of the image. For example, nginx-kubernetes-gateway +PREFIX ?= nginx-kubernetes-gateway## The name of the NKG image. For example, nginx-kubernetes-gateway +NGINX_PREFIX ?= $(PREFIX)/nginx## The name of the nginx image. For example: nginx-kubernetes-gateway/nginx TAG ?= $(VERSION:v%=%)## The tag of the image. For example, 0.3.0 TARGET ?= local## The target of the build. Possible values: local and container KIND_KUBE_CONFIG=$${HOME}/.kube/kind/config## The location of the kind kubeconfig @@ -21,7 +23,7 @@ ARCH ?= amd64## The architecture of the image and/or binary. For example: amd64 override HELM_TEMPLATE_COMMON_ARGS += --set creator=template --set nameOverride=nginx-gateway## The common options for the Helm template command. override HELM_TEMPLATE_EXTRA_ARGS_FOR_ALL_MANIFESTS_FILE += --set service.create=false## The options to be passed to the full Helm templating command only. override DOCKER_BUILD_OPTIONS += --build-arg VERSION=$(VERSION) --build-arg GIT_COMMIT=$(GIT_COMMIT) --build-arg DATE=$(DATE)## The options for the docker build command. For example, --pull - +override NGINX_DOCKER_BUILD_OPTIONS += --build-arg NJS_DIR=$(NJS_DIR) --build-arg NGINX_CONF_DIR=$(NGINX_CONF_DIR) .DEFAULT_GOAL := help .PHONY: help @@ -29,11 +31,21 @@ help: Makefile ## Display this help @grep -E '^[a-zA-Z_-]+:.*?## .*$$' $(MAKEFILE_LIST) | sort | awk 'BEGIN {FS = ":.*?## "; printf "Usage:\n\n make \033[36m\033[0m [VARIABLE=value...]\n\nTargets:\n\n"}; {printf " \033[36m%-30s\033[0m %s\n", $$1, $$2}' @grep -E '^(override )?[a-zA-Z_-]+ \??\+?= .*?## .*$$' $< | sort | awk 'BEGIN {FS = " \\??\\+?= .*?## "; printf "\nVariables:\n\n"}; {gsub(/override /, "", $$1); printf " \033[36m%-30s\033[0m %s\n", $$1, $$2}' -.PHONY: container -container: build ## Build the container - @docker -v || (code=$$?; printf "\033[0;31mError\033[0m: there was a problem with Docker\n"; exit $$code) +.PHONY: build-images +build-images: build-nkg-image build-nginx-image ## Build the NKG and nginx docker images + +.PHONY: build-nkg-image +build-nkg-image: check-for-docker build ## Build the NKG docker image docker build --platform linux/$(ARCH) $(strip $(DOCKER_BUILD_OPTIONS)) --target $(strip $(TARGET)) -f build/Dockerfile -t $(strip $(PREFIX)):$(strip $(TAG)) . +.PHONY: build-nginx-image +build-nginx-image: check-for-docker ## Build the custom nginx image + docker build --platform linux/$(ARCH) $(strip $(NGINX_DOCKER_BUILD_OPTIONS)) -f build/Dockerfile.nginx -t $(strip $(NGINX_PREFIX)):$(strip $(TAG)) . + +.PHONY: check-for-docker +check-for-docker: ## Check if Docker is installed + @docker -v || (code=$$?; printf "\033[0;31mError\033[0m: there was a problem with Docker\n"; exit $$code) + .PHONY: build build: ## Build the binary ifeq (${TARGET},local) @@ -103,10 +115,6 @@ njs-unit-test: ## Run unit tests for the njs httpmatches module node:18 \ /bin/bash -c "npm install && npm test && npm run clean" -.PHONY: generate-njs-yaml -generate-njs-yaml: ## Generate the njs-modules ConfigMap - kubectl create configmap njs-modules --from-file=$(NJS_DIR)/httpmatches.js --dry-run=client --output=yaml > $(strip $(MANIFEST_DIR))/njs-modules.yaml - .PHONY: lint-helm lint-helm: ## Run the helm chart linter helm lint $(CHART_DIR) @@ -116,8 +124,8 @@ debug-build: GO_LINKER_FLAGS=$(GO_LINKER_FlAGS_VARS) debug-build: ADDITIONAL_GO_BUILD_FLAGS=-gcflags "all=-N -l" debug-build: build ## Build binary with debug info, symbols, and no optimizations -.PHONY: debug-container -debug-container: debug-build container ## Build container with debug binary +.PHONY: debug-image +debug-image: debug-build build-nkg-image ## Build NKG image with debug binary .PHONY: generate-manifests generate-manifests: ## Generate manifests using Helm. diff --git a/build/Dockerfile b/build/Dockerfile index 7ecbf97681..3cebe4f25e 100644 --- a/build/Dockerfile +++ b/build/Dockerfile @@ -31,7 +31,7 @@ COPY dist/gateway_linux_$TARGETARCH*/gateway /usr/bin/ RUN setcap 'cap_kill=+ep' /usr/bin/gateway FROM scratch as common -USER 1001:1001 +USER 102:1001 ENTRYPOINT [ "/usr/bin/gateway" ] FROM common as container diff --git a/build/Dockerfile.nginx b/build/Dockerfile.nginx new file mode 100644 index 0000000000..e2cab542b3 --- /dev/null +++ b/build/Dockerfile.nginx @@ -0,0 +1,19 @@ +# syntax=docker/dockerfile:1.4 +FROM nginx:1.25.1-alpine + +ARG NJS_DIR +ARG NGINX_CONF_DIR + +RUN --mount=type=bind,target=/tmp apk add --no-cache libcap \ + && mkdir -p /var/lib/nginx /usr/lib/nginx/modules \ + && setcap 'cap_net_bind_service=+eip' /usr/sbin/nginx \ + && setcap -v 'cap_net_bind_service=+eip' /usr/sbin/nginx + +COPY ${NJS_DIR}/httpmatches.js /usr/lib/nginx/modules/njs/httpmatches.js +COPY ${NGINX_CONF_DIR}/nginx.conf /etc/nginx/nginx.conf + +RUN --mount=type=bind,target=/tmp chown -R 101:1001 /etc/nginx /var/cache/nginx /var/lib/nginx + +USER 101:1001 + +STOPSIGNAL SIGTERM diff --git a/conformance/Makefile b/conformance/Makefile index 4520a19c48..af9bc4f90c 100644 --- a/conformance/Makefile +++ b/conformance/Makefile @@ -1,5 +1,6 @@ NKG_TAG = edge NKG_PREFIX = nginx-kubernetes-gateway +NGINX_IMAGE_NAME = $(NKG_PREFIX)/nginx GW_API_VERSION ?= 0.7.1 GATEWAY_CLASS = nginx SUPPORTED_FEATURES = HTTPRoute,HTTPRouteQueryParamMatching,HTTPRouteMethodMatching,HTTPRoutePortRedirect,HTTPRouteSchemeRedirect,GatewayClassObservedGenerationBump @@ -32,22 +33,18 @@ create-kind-cluster: ## Create a kind cluster kind create cluster --image $(KIND_IMAGE) kind export kubeconfig --kubeconfig $(KIND_KUBE_CONFIG) -.PHONY: preload-nginx-container -preload-nginx-container: ## Preload NGINX container on configured kind cluster - docker pull $(NGINX_IMAGE) - kind load docker-image $(NGINX_IMAGE) - .PHONY: update-nkg-manifest -update-nkg-manifest: ## Update the NKG deployment manifest image name and imagePullPolicy - cd .. && make generate-manifests HELM_TEMPLATE_EXTRA_ARGS_FOR_ALL_MANIFESTS_FILE="--set nginxGateway.kind=skip" HELM_TEMPLATE_COMMON_ARGS="--set nginxGateway.image.repository=$(NKG_PREFIX) --set nginxGateway.image.tag=$(NKG_TAG) --set nginxGateway.image.pullPolicy=Never" && cd - +update-nkg-manifest: ## Update the NKG deployment manifest image names and imagePullPolicies + cd .. && make generate-manifests HELM_TEMPLATE_EXTRA_ARGS_FOR_ALL_MANIFESTS_FILE="--set nginxGateway.kind=skip" HELM_TEMPLATE_COMMON_ARGS="--set nginxGateway.image.repository=$(NKG_PREFIX) --set nginxGateway.image.tag=$(NKG_TAG) --set nginxGateway.image.pullPolicy=Never --set nginx.image.repository=$(NGINX_IMAGE_NAME) --set nginx.image.tag=$(NKG_TAG) --set nginx.image.pullPolicy=Never" && cd - .PHONY: build-nkg-image -build-nkg-image: ## Build NKG container and load it and NGINX container on configured kind cluster - cd .. && make PREFIX=$(NKG_PREFIX) TAG=$(NKG_TAG) container +build-nkg-images: ## Build NKG and nginx images and load them on the kind cluster + cd .. && make PREFIX=$(NKG_PREFIX) TAG=$(NKG_TAG) build-images .PHONY: load-images -load-images: preload-nginx-container ## Load NKG and NGINX containers on configured kind cluster +load-images: ## Load NKG and NGINX containers on configured kind cluster kind load docker-image $(NKG_PREFIX):$(NKG_TAG) + kind load docker-image $(NGINX_IMAGE_NAME):$(NKG_TAG) .PHONY: prepare-nkg-dependencies prepare-nkg-dependencies: update-nkg-manifest ## Install NKG dependencies on configured kind cluster @@ -62,13 +59,13 @@ deploy-updated-provisioner: ## Update provisioner manifest and deploy to the con yq '(select(.spec.template.spec.containers[].image) | .spec.template.spec.containers[].image="$(NKG_PREFIX):$(NKG_TAG)" | .spec.template.spec.containers[].imagePullPolicy = "Never")' $(PROVISIONER_MANIFEST) | kubectl apply -f - .PHONY: install-nkg-local-build -install-nkg-local-build: prepare-nkg-dependencies build-nkg-image load-images deploy-updated-provisioner ## Install NKG from local build with provisioner on configured kind cluster +install-nkg-local-build: prepare-nkg-dependencies build-nkg-images load-images deploy-updated-provisioner ## Install NKG from local build with provisioner on configured kind cluster .PHONY: install-nkg-local-no-build install-nkg-local-no-build: prepare-nkg-dependencies load-images deploy-updated-provisioner ## Install NKG from local build with provisioner on configured kind cluster but do not build the NKG image .PHONY: install-nkg-edge -install-nkg-edge: preload-nginx-container prepare-nkg-dependencies ## Install NKG with provisioner from edge on configured kind cluster +install-nkg-edge: prepare-nkg-dependencies ## Install NKG with provisioner from edge on configured kind cluster kubectl apply -f $(PROVISIONER_MANIFEST) .PHONY: run-conformance-tests diff --git a/conformance/provisioner/static-deployment.yaml b/conformance/provisioner/static-deployment.yaml index f2a3415392..4c4c644798 100644 --- a/conformance/provisioner/static-deployment.yaml +++ b/conformance/provisioner/static-deployment.yaml @@ -41,11 +41,14 @@ spec: - KILL drop: - ALL - runAsUser: 1001 + runAsUser: 102 + runAsGroup: 1001 volumeMounts: - - mountPath: /etc/nginx - name: nginx - - image: nginx:1.25 + - name: nginx-conf + mountPath: /etc/nginx/conf.d + - name: nginx-secrets + mountPath: /etc/nginx/secrets + - image: ghcr.io/nginxinc/nginx-kubernetes-gateway/nginx:edge imagePullPolicy: Always name: nginx ports: @@ -63,37 +66,19 @@ spec: - DAC_OVERRIDE drop: - ALL + runAsUser: 101 + runAsGroup: 1001 volumeMounts: - - mountPath: /etc/nginx - name: nginx - - mountPath: /etc/nginx/nginx.conf - name: nginx-conf - subPath: nginx.conf - - mountPath: /var/lib/nginx - name: var-lib-nginx - - mountPath: /usr/lib/nginx/modules/njs - name: njs-modules - initContainers: - - command: - - sh - - -c - - rm -r /etc/nginx/conf.d /etc/nginx/secrets; mkdir /etc/nginx/conf.d /etc/nginx/secrets - && chown 1001:0 /etc/nginx/conf.d /etc/nginx/secrets - image: busybox:1.36 - name: set-permissions - volumeMounts: - - mountPath: /etc/nginx - name: nginx + - name: nginx-conf + mountPath: /etc/nginx/conf.d + - name: nginx-secrets + mountPath: /etc/nginx/secrets serviceAccountName: nginx-gateway shareProcessNamespace: true + securityContext: + fsGroup: 1001 volumes: - - emptyDir: {} - name: nginx - - configMap: - name: nginx-gateway-conf - name: nginx-conf - - emptyDir: {} - name: var-lib-nginx - - configMap: - name: nginx-gateway-njs-modules - name: njs-modules + - name: nginx-conf + emptyDir: {} + - name: nginx-secrets + emptyDir: {} diff --git a/deploy/helm-chart/README.md b/deploy/helm-chart/README.md index 07ed4d41f4..8bae0eab54 100644 --- a/deploy/helm-chart/README.md +++ b/deploy/helm-chart/README.md @@ -105,23 +105,21 @@ kubectl delete -f https://github.com/kubernetes-sigs/gateway-api/releases/downlo The following tables lists the configurable parameters of the NGINX Kubernetes Gateway chart and their default values. -|Parameter | Description | Default Value | -| --- | --- | --- | -|`nginxGateway.image.repository` | The repository for the NGINX Kubernetes Gateway image. | ghcr.io/nginxinc/nginx-kubernetes-gateway | -|`nginxGateway.image.tag` | The tag for the NGINX Kubernetes Gateway image. | edge | -|`nginxGateway.image.pullPolicy` | The `imagePullPolicy` for the NGINX Kubernetes Gateway image. | Always | -|`nginxGateway.gatewayClassName` | The name of the GatewayClass for the NGINX Kubernetes Gateway deployment. | nginx | -|`nginxGateway.gatewayControllerName` | The name of the Gateway controller. The controller name must be of the form: DOMAIN/PATH. The controller's domain is k8s-gateway.nginx.org. | k8s-gateway.nginx.org/nginx-gateway-controller | -|`nginxGateway.kind` | The kind of the NGINX Kubernetes Gateway installation - currently, only Deployment is supported. | deployment | -|`nginx.image.repository` | The repository for the NGINX image. | nginx | -|`nginx.image.tag` | The tag for the NGINX image. | 1.25 | -|`nginx.image.pullPolicy` | The `imagePullPolicy` for the NGINX image. | Always | -|`initContainer.image.repository` | The repository for the `initContainer` image. | busybox | -|`initContainer.image.tag` | The tag for the `initContainer` image. | 1.36 | -|`serviceAccount.annotations` | The `annotations` for the ServiceAccount used by the NGINX Kubernetes Gateway deployment. | {} | -|`serviceAccount.name` | Name of the ServiceAccount used by the NGINX Kubernetes Gateway deployment. | Autogenerated | -|`service.create` | Creates a service to expose the NGINX Kubernetes Gateway pods. | true | -|`service.type` | The type of service to create for the NGINX Kubernetes Gateway. | Loadbalancer | -|`service.externalTrafficPolicy` | The `externalTrafficPolicy` of the service. The value `Local` preserves the client source IP. | Local | -|`service.annotations` | The `annotations` of the NGINX Kubernetes Gateway service. | {} | -|`service.ports` | A list of ports to expose through the NGINX Kubernetes Gateway service. Update it to match the listener ports from your Gateway resource. Follows the conventional Kubernetes yaml syntax for service ports. | [ port: 80, targetPort: 80, protocol: TCP, name: http; port: 443, targetPort: 443, protocol: TCP, name: https ] | +| Parameter | Description | Default Value | +|--------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------| +| `nginxGateway.image.repository` | The repository for the NGINX Kubernetes Gateway image. | ghcr.io/nginxinc/nginx-kubernetes-gateway | +| `nginxGateway.image.tag` | The tag for the NGINX Kubernetes Gateway image. | edge | +| `nginxGateway.image.pullPolicy` | The `imagePullPolicy` for the NGINX Kubernetes Gateway image. | Always | +| `nginxGateway.gatewayClassName` | The name of the GatewayClass for the NGINX Kubernetes Gateway deployment. | nginx | +| `nginxGateway.gatewayControllerName` | The name of the Gateway controller. The controller name must be of the form: DOMAIN/PATH. The controller's domain is k8s-gateway.nginx.org. | k8s-gateway.nginx.org/nginx-gateway-controller | +| `nginxGateway.kind` | The kind of the NGINX Kubernetes Gateway installation - currently, only Deployment is supported. | deployment | +| `nginx.image.repository` | The repository for the NGINX image. | ghcr.io/nginxinc/nginx-kubernetes-gateway/nginx | +| `nginx.image.tag` | The tag for the NGINX image. | edge | +| `nginx.image.pullPolicy` | The `imagePullPolicy` for the NGINX image. | Always | +| `serviceAccount.annotations` | The `annotations` for the ServiceAccount used by the NGINX Kubernetes Gateway deployment. | {} | +| `serviceAccount.name` | Name of the ServiceAccount used by the NGINX Kubernetes Gateway deployment. | Autogenerated | +| `service.create` | Creates a service to expose the NGINX Kubernetes Gateway pods. | true | +| `service.type` | The type of service to create for the NGINX Kubernetes Gateway. | Loadbalancer | +| `service.externalTrafficPolicy` | The `externalTrafficPolicy` of the service. The value `Local` preserves the client source IP. | Local | +| `service.annotations` | The `annotations` of the NGINX Kubernetes Gateway service. | {} | +| `service.ports` | A list of ports to expose through the NGINX Kubernetes Gateway service. Update it to match the listener ports from your Gateway resource. Follows the conventional Kubernetes yaml syntax for service ports. | [ port: 80, targetPort: 80, protocol: TCP, name: http; port: 443, targetPort: 443, protocol: TCP, name: https ] | diff --git a/deploy/helm-chart/templates/_helpers.tpl b/deploy/helm-chart/templates/_helpers.tpl index 5488944e85..c067c5aa33 100644 --- a/deploy/helm-chart/templates/_helpers.tpl +++ b/deploy/helm-chart/templates/_helpers.tpl @@ -58,17 +58,3 @@ Create the name of the ServiceAccount to use {{- define "nginx-gateway.serviceAccountName" -}} {{- default (include "nginx-gateway.fullname" .) .Values.serviceAccount.name }} {{- end }} - -{{/* -Expand default NGINX conf ConfigMap name. -*/}} -{{- define "nginx-gateway.nginx-conf" -}} -{{- printf "%s-%s" (include "nginx-gateway.fullname" .) "conf" -}} -{{- end -}} - -{{/* -Expand default njs-modules ConfigMap name. -*/}} -{{- define "nginx-gateway.njs-modules" -}} -{{- printf "%s-%s" (include "nginx-gateway.fullname" .) "njs-modules" -}} -{{- end -}} diff --git a/deploy/helm-chart/templates/deployment.yaml b/deploy/helm-chart/templates/deployment.yaml index e1cae67599..acf87a9555 100644 --- a/deploy/helm-chart/templates/deployment.yaml +++ b/deploy/helm-chart/templates/deployment.yaml @@ -36,11 +36,14 @@ spec: - KILL drop: - ALL - runAsUser: 1001 + runAsUser: 102 + runAsGroup: 1001 volumeMounts: - - mountPath: /etc/nginx - name: nginx - - image: {{ .Values.nginx.image.repository }}:{{ .Values.nginx.image.tag }} + - name: nginx-conf + mountPath: /etc/nginx/conf.d + - name: nginx-secrets + mountPath: /etc/nginx/secrets + - image: {{ .Values.nginx.image.repository }}:{{ .Values.nginx.image.tag | default .Chart.AppVersion }} imagePullPolicy: {{ .Values.nginx.image.pullPolicy }} name: nginx ports: @@ -58,38 +61,20 @@ spec: - DAC_OVERRIDE drop: - ALL + runAsUser: 101 + runAsGroup: 1001 volumeMounts: - - mountPath: /etc/nginx - name: nginx - - mountPath: /etc/nginx/nginx.conf - name: nginx-conf - subPath: nginx.conf - - mountPath: /var/lib/nginx - name: var-lib-nginx - - mountPath: /usr/lib/nginx/modules/njs - name: njs-modules - initContainers: - - command: - - sh - - -c - - rm -r /etc/nginx/conf.d /etc/nginx/secrets; mkdir /etc/nginx/conf.d /etc/nginx/secrets - && chown 1001:0 /etc/nginx/conf.d /etc/nginx/secrets - image: {{ .Values.initContainer.image.repository }}:{{ .Values.initContainer.image.tag }} - name: set-permissions - volumeMounts: - - mountPath: /etc/nginx - name: nginx + - name: nginx-conf + mountPath: /etc/nginx/conf.d + - name: nginx-secrets + mountPath: /etc/nginx/secrets serviceAccountName: {{ include "nginx-gateway.serviceAccountName" . }} shareProcessNamespace: true + securityContext: + fsGroup: 1001 volumes: - - emptyDir: {} - name: nginx - - configMap: - name: {{ include "nginx-gateway.nginx-conf" . }} - name: nginx-conf - - emptyDir: {} - name: var-lib-nginx - - configMap: - name: {{ include "nginx-gateway.njs-modules" . }} - name: njs-modules + - name: nginx-conf + emptyDir: {} + - name: nginx-secrets + emptyDir: {} {{- end }} diff --git a/deploy/helm-chart/templates/nginx-conf.yaml b/deploy/helm-chart/templates/nginx-conf.yaml deleted file mode 100644 index dd64888508..0000000000 --- a/deploy/helm-chart/templates/nginx-conf.yaml +++ /dev/null @@ -1,23 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "nginx-gateway.nginx-conf" . }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "nginx-gateway.labels" . | nindent 4 }} -data: - nginx.conf: |- - load_module /usr/lib/nginx/modules/ngx_http_js_module.so; - events {} - pid /etc/nginx/nginx.pid; - error_log stderr debug; - http { - include /etc/nginx/conf.d/*.conf; - js_import /usr/lib/nginx/modules/njs/httpmatches.js; - proxy_headers_hash_bucket_size 512; - proxy_headers_hash_max_size 1024; - server_names_hash_bucket_size 256; - server_names_hash_max_size 1024; - variables_hash_bucket_size 512; - variables_hash_max_size 1024; - } diff --git a/deploy/helm-chart/templates/njs-modules.yaml b/deploy/helm-chart/templates/njs-modules.yaml deleted file mode 100644 index d67650d584..0000000000 --- a/deploy/helm-chart/templates/njs-modules.yaml +++ /dev/null @@ -1,216 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "nginx-gateway.njs-modules" . }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "nginx-gateway.labels" . | nindent 4 }} -data: - httpmatches.js: | - const MATCHES_VARIABLE = 'http_matches'; - const HTTP_CODES = { - notFound: 404, - internalServerError: 500, - }; - - function redirect(r) { - let matches; - - try { - matches = extractMatchesFromRequest(r); - } catch (e) { - r.error(e.message); - r.return(HTTP_CODES.internalServerError); - return; - } - - // Matches is a list of http matches in order of precedence. - // We will accept the first match that the request satisfies. - // If there's a match, redirect request to internal location block. - // If an exception occurs, return 500. - // If no matches are found, return 404. - let match; - try { - match = findWinningMatch(r, matches); - } catch (e) { - r.error(e.message); - r.return(HTTP_CODES.internalServerError); - return; - } - - if (!match) { - r.return(HTTP_CODES.notFound); - return; - } - - if (!match.redirectPath) { - r.error( - `cannot redirect the request; the match ${JSON.stringify( - match, - )} does not have a redirectPath set`, - ); - r.return(HTTP_CODES.internalServerError); - return; - } - - r.internalRedirect(match.redirectPath); - } - - function extractMatchesFromRequest(r) { - if (!r.variables[MATCHES_VARIABLE]) { - throw Error( - `cannot redirect the request; the variable ${MATCHES_VARIABLE} is not defined on the request object`, - ); - } - - let matches; - - try { - matches = JSON.parse(r.variables[MATCHES_VARIABLE]); - } catch (e) { - throw Error( - `cannot redirect the request; error parsing ${r.variables[MATCHES_VARIABLE]} into a JSON object: ${e}`, - ); - } - - if (!Array.isArray(matches)) { - throw Error(`cannot redirect the request; expected a list of matches, got ${matches}`); - } - - if (matches.length === 0) { - throw Error(`cannot redirect the request; matches is an empty list`); - } - - return matches; - } - - function findWinningMatch(r, matches) { - for (let i = 0; i < matches.length; i++) { - try { - let found = testMatch(r, matches[i]); - if (found) { - return matches[i]; - } - } catch (e) { - throw e; - } - } - - return null; - } - - function testMatch(r, match) { - // check for any - if (match.any) { - return true; - } - - // check method - if (match.method && r.method !== match.method) { - return false; - } - - // check headers - if (match.headers) { - try { - let found = headersMatch(r.headersIn, match.headers); - if (!found) { - return false; - } - } catch (e) { - throw e; - } - } - - // check params - if (match.params) { - try { - let found = paramsMatch(r.args, match.params); - if (!found) { - return false; - } - } catch (e) { - throw e; - } - } - - // all match conditions are satisfied so return true - return true; - } - - function headersMatch(requestHeaders, headers) { - for (let i = 0; i < headers.length; i++) { - const h = headers[i]; - const kv = h.split(':'); - - if (kv.length !== 2) { - throw Error(`invalid header match: ${h}`); - } - // Header names are compared in a case-insensitive manner, meaning header name "FOO" is equivalent to "foo". - // The NGINX request's headersIn object lookup is case-insensitive as well. - // This means that requestHeaders['FOO'] is equivalent to requestHeaders['foo']. - let val = requestHeaders[kv[0]]; - - if (!val) { - return false; - } - - // split on comma because nginx uses commas to delimit multiple header values - const values = val.split(','); - if (!values.includes(kv[1])) { - return false; - } - } - - return true; - } - - function paramsMatch(requestParams, params) { - for (let i = 0; i < params.length; i++) { - let p = params[i]; - // We store query parameter matches as strings with the format "key=value"; however, there may be more than one - // instance of "=" in the string. - // To recover the key and value, we need to find the first occurrence of "=" in the string. - const idx = params[i].indexOf('='); - // Check for an improperly constructed query parameter match. There are three possible error cases: - // (1) if the index is -1, then there are no "=" in the string (e.g. "keyvalue") - // (2) if the index is 0, then there is no value in the string (e.g. "key="). - // (3) if the index is equal to length -1, then there is no key in the string (e.g. "=value"). - if (idx === -1 || (idx === 0) | (idx === p.length - 1)) { - throw Error(`invalid query parameter: ${p}`); - } - - // Divide string into key value using the index. - let kv = [p.slice(0, idx), p.slice(idx + 1)]; - - // val can either be a string or an array of strings. - // Also, the NGINX request's args object lookup is case-sensitive. - // For example, 'a=1&b=2&A=3&b=4' will be parsed into {a: "1", b: ["2", "4"], A: "3"} - let val = requestParams[kv[0]]; - if (!val) { - return false; - } - - // If val is an array, we will match against the first element in the array according to the Gateway API spec. - if (Array.isArray(val)) { - val = val[0]; - } - - if (val !== kv[1]) { - return false; - } - } - - return true; - } - - export default { - redirect, - testMatch, - findWinningMatch, - headersMatch, - paramsMatch, - extractMatchesFromRequest, - HTTP_CODES, - MATCHES_VARIABLE, - }; diff --git a/deploy/helm-chart/values.yaml b/deploy/helm-chart/values.yaml index 28158bcd8a..e80a726cf3 100644 --- a/deploy/helm-chart/values.yaml +++ b/deploy/helm-chart/values.yaml @@ -17,16 +17,10 @@ nginxGateway: nginx: ## The NGINX image to use image: - repository: nginx - tag: "1.25" + repository: ghcr.io/nginxinc/nginx-kubernetes-gateway/nginx + tag: edge pullPolicy: Always -initContainer: - image: - ## The image the init container should use. - repository: busybox - tag: "1.36" - serviceAccount: annotations: {} ## The name of the service account of the NGINX Kubernetes Gateway pods. Used for RBAC. diff --git a/deploy/manifests/nginx-gateway.yaml b/deploy/manifests/nginx-gateway.yaml index 79837d0253..68814053d5 100644 --- a/deploy/manifests/nginx-gateway.yaml +++ b/deploy/manifests/nginx-gateway.yaml @@ -16,253 +16,6 @@ metadata: annotations: {} --- -# Source: nginx-kubernetes-gateway/templates/nginx-conf.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: nginx-gateway-conf - namespace: nginx-gateway - labels: - app.kubernetes.io/name: nginx-gateway - app.kubernetes.io/instance: nginx-gateway - app.kubernetes.io/version: "edge" -data: - nginx.conf: |- - load_module /usr/lib/nginx/modules/ngx_http_js_module.so; - events {} - pid /etc/nginx/nginx.pid; - error_log stderr debug; - http { - include /etc/nginx/conf.d/*.conf; - js_import /usr/lib/nginx/modules/njs/httpmatches.js; - proxy_headers_hash_bucket_size 512; - proxy_headers_hash_max_size 1024; - server_names_hash_bucket_size 256; - server_names_hash_max_size 1024; - variables_hash_bucket_size 512; - variables_hash_max_size 1024; - } ---- -# Source: nginx-kubernetes-gateway/templates/njs-modules.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: nginx-gateway-njs-modules - namespace: nginx-gateway - labels: - app.kubernetes.io/name: nginx-gateway - app.kubernetes.io/instance: nginx-gateway - app.kubernetes.io/version: "edge" -data: - httpmatches.js: | - const MATCHES_VARIABLE = 'http_matches'; - const HTTP_CODES = { - notFound: 404, - internalServerError: 500, - }; - - function redirect(r) { - let matches; - - try { - matches = extractMatchesFromRequest(r); - } catch (e) { - r.error(e.message); - r.return(HTTP_CODES.internalServerError); - return; - } - - // Matches is a list of http matches in order of precedence. - // We will accept the first match that the request satisfies. - // If there's a match, redirect request to internal location block. - // If an exception occurs, return 500. - // If no matches are found, return 404. - let match; - try { - match = findWinningMatch(r, matches); - } catch (e) { - r.error(e.message); - r.return(HTTP_CODES.internalServerError); - return; - } - - if (!match) { - r.return(HTTP_CODES.notFound); - return; - } - - if (!match.redirectPath) { - r.error( - `cannot redirect the request; the match ${JSON.stringify( - match, - )} does not have a redirectPath set`, - ); - r.return(HTTP_CODES.internalServerError); - return; - } - - r.internalRedirect(match.redirectPath); - } - - function extractMatchesFromRequest(r) { - if (!r.variables[MATCHES_VARIABLE]) { - throw Error( - `cannot redirect the request; the variable ${MATCHES_VARIABLE} is not defined on the request object`, - ); - } - - let matches; - - try { - matches = JSON.parse(r.variables[MATCHES_VARIABLE]); - } catch (e) { - throw Error( - `cannot redirect the request; error parsing ${r.variables[MATCHES_VARIABLE]} into a JSON object: ${e}`, - ); - } - - if (!Array.isArray(matches)) { - throw Error(`cannot redirect the request; expected a list of matches, got ${matches}`); - } - - if (matches.length === 0) { - throw Error(`cannot redirect the request; matches is an empty list`); - } - - return matches; - } - - function findWinningMatch(r, matches) { - for (let i = 0; i < matches.length; i++) { - try { - let found = testMatch(r, matches[i]); - if (found) { - return matches[i]; - } - } catch (e) { - throw e; - } - } - - return null; - } - - function testMatch(r, match) { - // check for any - if (match.any) { - return true; - } - - // check method - if (match.method && r.method !== match.method) { - return false; - } - - // check headers - if (match.headers) { - try { - let found = headersMatch(r.headersIn, match.headers); - if (!found) { - return false; - } - } catch (e) { - throw e; - } - } - - // check params - if (match.params) { - try { - let found = paramsMatch(r.args, match.params); - if (!found) { - return false; - } - } catch (e) { - throw e; - } - } - - // all match conditions are satisfied so return true - return true; - } - - function headersMatch(requestHeaders, headers) { - for (let i = 0; i < headers.length; i++) { - const h = headers[i]; - const kv = h.split(':'); - - if (kv.length !== 2) { - throw Error(`invalid header match: ${h}`); - } - // Header names are compared in a case-insensitive manner, meaning header name "FOO" is equivalent to "foo". - // The NGINX request's headersIn object lookup is case-insensitive as well. - // This means that requestHeaders['FOO'] is equivalent to requestHeaders['foo']. - let val = requestHeaders[kv[0]]; - - if (!val) { - return false; - } - - // split on comma because nginx uses commas to delimit multiple header values - const values = val.split(','); - if (!values.includes(kv[1])) { - return false; - } - } - - return true; - } - - function paramsMatch(requestParams, params) { - for (let i = 0; i < params.length; i++) { - let p = params[i]; - // We store query parameter matches as strings with the format "key=value"; however, there may be more than one - // instance of "=" in the string. - // To recover the key and value, we need to find the first occurrence of "=" in the string. - const idx = params[i].indexOf('='); - // Check for an improperly constructed query parameter match. There are three possible error cases: - // (1) if the index is -1, then there are no "=" in the string (e.g. "keyvalue") - // (2) if the index is 0, then there is no value in the string (e.g. "key="). - // (3) if the index is equal to length -1, then there is no key in the string (e.g. "=value"). - if (idx === -1 || (idx === 0) | (idx === p.length - 1)) { - throw Error(`invalid query parameter: ${p}`); - } - - // Divide string into key value using the index. - let kv = [p.slice(0, idx), p.slice(idx + 1)]; - - // val can either be a string or an array of strings. - // Also, the NGINX request's args object lookup is case-sensitive. - // For example, 'a=1&b=2&A=3&b=4' will be parsed into {a: "1", b: ["2", "4"], A: "3"} - let val = requestParams[kv[0]]; - if (!val) { - return false; - } - - // If val is an array, we will match against the first element in the array according to the Gateway API spec. - if (Array.isArray(val)) { - val = val[0]; - } - - if (val !== kv[1]) { - return false; - } - } - - return true; - } - - export default { - redirect, - testMatch, - findWinningMatch, - headersMatch, - paramsMatch, - extractMatchesFromRequest, - HTTP_CODES, - MATCHES_VARIABLE, - }; ---- # Source: nginx-kubernetes-gateway/templates/rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole @@ -382,11 +135,14 @@ spec: - KILL drop: - ALL - runAsUser: 1001 + runAsUser: 102 + runAsGroup: 1001 volumeMounts: - - mountPath: /etc/nginx - name: nginx - - image: nginx:1.25 + - name: nginx-conf + mountPath: /etc/nginx/conf.d + - name: nginx-secrets + mountPath: /etc/nginx/secrets + - image: ghcr.io/nginxinc/nginx-kubernetes-gateway/nginx:edge imagePullPolicy: Always name: nginx ports: @@ -404,40 +160,22 @@ spec: - DAC_OVERRIDE drop: - ALL + runAsUser: 101 + runAsGroup: 1001 volumeMounts: - - mountPath: /etc/nginx - name: nginx - - mountPath: /etc/nginx/nginx.conf - name: nginx-conf - subPath: nginx.conf - - mountPath: /var/lib/nginx - name: var-lib-nginx - - mountPath: /usr/lib/nginx/modules/njs - name: njs-modules - initContainers: - - command: - - sh - - -c - - rm -r /etc/nginx/conf.d /etc/nginx/secrets; mkdir /etc/nginx/conf.d /etc/nginx/secrets - && chown 1001:0 /etc/nginx/conf.d /etc/nginx/secrets - image: busybox:1.36 - name: set-permissions - volumeMounts: - - mountPath: /etc/nginx - name: nginx + - name: nginx-conf + mountPath: /etc/nginx/conf.d + - name: nginx-secrets + mountPath: /etc/nginx/secrets serviceAccountName: nginx-gateway shareProcessNamespace: true + securityContext: + fsGroup: 1001 volumes: - - emptyDir: {} - name: nginx - - configMap: - name: nginx-gateway-conf - name: nginx-conf - - emptyDir: {} - name: var-lib-nginx - - configMap: - name: nginx-gateway-njs-modules - name: njs-modules + - name: nginx-conf + emptyDir: {} + - name: nginx-secrets + emptyDir: {} --- # Source: nginx-kubernetes-gateway/templates/gatewayclass.yaml apiVersion: gateway.networking.k8s.io/v1beta1 diff --git a/docs/building-the-image.md b/docs/building-the-image.md deleted file mode 100644 index 8f63e895e6..0000000000 --- a/docs/building-the-image.md +++ /dev/null @@ -1,35 +0,0 @@ -# Building the Image - -## Prerequisites - -Before you can build the NGINX Kubernetes Gateway, make sure you have the following software installed on your machine: - -- [git](https://git-scm.com/) -- [GNU Make](https://www.gnu.org/software/software.html) -- [Docker](https://www.docker.com/) v18.09+ - -## Steps - -1. Clone the repo and change into the `nginx-kubernetes-gateway` directory: - - ```shell - git clone https://github.com/nginxinc/nginx-kubernetes-gateway.git - cd nginx-kubernetes-gateway - ``` - -1. Build the image: - - ```makefile - make PREFIX=myregistry.example.com/nginx-kubernetes-gateway container - ``` - - Set the `PREFIX` variable to the name of the registry you'd like to push the image to. By default, the image will be - named `nginx-kubernetes-gateway:edge`. - -1. Push the image to your container registry: - - ```shell - docker push myregistry.example.com/nginx-kubernetes-gateway:edge - ``` - - Make sure to substitute `myregistry.example.com/nginx-kubernetes-gateway` with your registry. diff --git a/docs/building-the-images.md b/docs/building-the-images.md new file mode 100644 index 0000000000..4528530264 --- /dev/null +++ b/docs/building-the-images.md @@ -0,0 +1,50 @@ +# Building the Images + +## Prerequisites + +Before you can build the NGINX Kubernetes Gateway and NGINX images, make sure you have the following software +installed on your machine: + +- [git](https://git-scm.com/) +- [GNU Make](https://www.gnu.org/software/software.html) +- [Docker](https://www.docker.com/) v18.09+ + +## Steps + +1. Clone the repo and change into the `nginx-kubernetes-gateway` directory: + + ```shell + git clone https://github.com/nginxinc/nginx-kubernetes-gateway.git + cd nginx-kubernetes-gateway + ``` + +1. Build the images: + - To build both the NGINX Kubernetes Gateway and NGINX images: + + ```makefile + make PREFIX=myregistry.example.com/nginx-kubernetes-gateway build-images + ``` + + - To build just the NGINX Kubernetes Gateway image: + + ```makefile + make PREFIX=myregistry.example.com/nginx-kubernetes-gateway build-nkg-image + ``` + + - To build just the NGINX image: + + ```makefile + make PREFIX=myregistry.example.com/nginx-kubernetes-gateway build-nginx-image + ``` + + Set the `PREFIX` variable to the name of the registry you'd like to push the image to. By default, the images will be + named `nginx-kubernetes-gateway:edge` and `nginx-kubernetes-gateway/nginx:edge`. + +1. Push the images to your container registry: + + ```shell + docker push myregistry.example.com/nginx-kubernetes-gateway:edge + docker push myregistry.example.com/nginx-kubernetes-gateway/nginx:edge + ``` + + Make sure to substitute `myregistry.example.com/nginx-kubernetes-gateway` with your registry. diff --git a/docs/developer/quickstart.md b/docs/developer/quickstart.md index 12f132df05..acd338f4ce 100644 --- a/docs/developer/quickstart.md +++ b/docs/developer/quickstart.md @@ -60,15 +60,15 @@ make build This command will build the binary and output it to the `/build/.out` directory. -### Build the Image +### Build the Images -To build an NGINX Kubernetes Gateway container image from source run the following make command: +To build the NGINX Kubernetes Gateway and NGINX container images from source run the following make command: ```makefile -make TAG=$(whoami) container +make TAG=$(whoami) build-images ``` -This will build the docker image `nginx-kubernetes-gateway:`. +This will build the docker images `nginx-kubernetes-gateway:` and `nginx-kubernetes-gateway/nginx:`. ## Deploy on Kind @@ -82,6 +82,7 @@ This will build the docker image `nginx-kubernetes-gateway:`. ```shell kind load docker-image nginx-kubernetes-gateway:$(whoami) + kind load docker-image nginx-kubernetes-gateway/nginx:$(whoami) ``` 3. Install Gateway API Resources @@ -95,7 +96,7 @@ This will build the docker image `nginx-kubernetes-gateway:`. - To install with Helm (where your release name is `my-release`): ```shell - helm install my-release ./deploy/helm-chart --create-namespace --wait --set service.type=NodePort --set nginxGateway.image.repository=nginx-kubernetes-gateway --set nginxGateway.image.tag=$(whoami) --set nginxGateway.image.pullPolicy=Never -n nginx-gateway + helm install my-release ./deploy/helm-chart --create-namespace --wait --set service.type=NodePort --set nginxGateway.image.repository=nginx-kubernetes-gateway --set nginxGateway.image.tag=$(whoami) --set nginxGateway.image.pullPolicy=Never --set nginx.image.repository=nginx-kubernetes-gateway/nginx --set nginx.image.tag=$(whoami) --set nginx.image.pullPolicy=Never -n nginx-gateway ``` > For more information on helm configuration options see the Helm [README](/deploy/helm-chart/README.md). @@ -103,9 +104,9 @@ This will build the docker image `nginx-kubernetes-gateway:`. - To install with manifests: ```shell - make generate-manifests HELM_TEMPLATE_COMMON_ARGS="--set nginxGateway.image.repository=nginx-kubernetes-gateway --set nginxGateway.image.tag=$(whoami) --set nginxGateway.image.pullPolicy=Never" + make generate-manifests HELM_TEMPLATE_COMMON_ARGS="--set nginxGateway.image.repository=nginx-kubernetes-gateway --set nginxGateway.image.tag=$(whoami) --set nginxGateway.image.pullPolicy=Never --set nginx.image.repository=nginx-kubernetes-gateway/nginx --set nginx.image.tag=$(whoami) --set nginx.image.pullPolicy=Never" kubectl apply -f deploy/manifests/nginx-gateway.yaml - kubectl apply -f deploy/manifests/nodeport.yaml + kubectl apply -f deploy/manifests/service/nodeport.yaml ``` ### Run Examples @@ -155,17 +156,7 @@ make generate ## Update Generated Manifests -To update the NJS ConfigMap yaml, run the following make command from the project's root directory: - -```shell -make generate-njs-yaml -``` - -Additionally, the [NJS ConfigMap Helm template](/deploy/helm-chart/templates/njs-modules.yaml) will need to be updated. -This is currently a manual process - ensure the content in the `data` field matches that in the -[NJS ConfigMap manifest](/deploy/manifests/njs-modules.yaml) `data` field. - -Finally, to update all other generated manifests, run the following make command from the project's root directory: +To update the generated manifests, run the following make command from the project's root directory: ```shell make generate-manifests diff --git a/internal/mode/static/nginx/conf/nginx.conf b/internal/mode/static/nginx/conf/nginx.conf new file mode 100644 index 0000000000..54a275b924 --- /dev/null +++ b/internal/mode/static/nginx/conf/nginx.conf @@ -0,0 +1,17 @@ +load_module /usr/lib/nginx/modules/ngx_http_js_module.so; + +events {} + +pid /etc/nginx/conf.d/nginx.pid; +error_log stderr debug; + +http { + include /etc/nginx/conf.d/*.conf; + js_import /usr/lib/nginx/modules/njs/httpmatches.js; + proxy_headers_hash_bucket_size 512; + proxy_headers_hash_max_size 1024; + server_names_hash_bucket_size 256; + server_names_hash_max_size 1024; + variables_hash_bucket_size 512; + variables_hash_max_size 1024; +} diff --git a/internal/mode/static/nginx/file/manager.go b/internal/mode/static/nginx/file/manager.go index e991a455d9..560ab878af 100644 --- a/internal/mode/static/nginx/file/manager.go +++ b/internal/mode/static/nginx/file/manager.go @@ -11,7 +11,7 @@ import ( const ( // secretFileMode defines the default file mode for files with secrets. - secretFileMode = 0o600 + secretFileMode = 0o640 ) // Type is the type of File. diff --git a/internal/mode/static/nginx/runtime/manager.go b/internal/mode/static/nginx/runtime/manager.go index 88be206d5e..f835bc0968 100644 --- a/internal/mode/static/nginx/runtime/manager.go +++ b/internal/mode/static/nginx/runtime/manager.go @@ -15,7 +15,7 @@ import ( ) const ( - pidFile = "/etc/nginx/nginx.pid" + pidFile = "/etc/nginx/conf.d/nginx.pid" pidFileTimeout = 10 * time.Second ) From 0ff01e9d91fb8a2d2fe26dcdd44c67d9d4388d42 Mon Sep 17 00:00:00 2001 From: Kate Osborn Date: Fri, 4 Aug 2023 11:48:19 -0600 Subject: [PATCH 02/30] Fix yaml lint error --- .github/workflows/ci.yml | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 37c9eb3cf3..968268d73c 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -161,11 +161,11 @@ jobs: fail-fast: false matrix: include: - - dockerfile: build/Dockerfile - image: ghcr.io/nginxinc/nginx-kubernetes-gateway - target: goreleaser - - dockerfile: build/Dockerfile.nginx - image: ghcr.io/nginxinc/nginx-kubernetes-gateway/nginx + - dockerfile: build/Dockerfile + image: ghcr.io/nginxinc/nginx-kubernetes-gateway + target: goreleaser + - dockerfile: build/Dockerfile.nginx + image: ghcr.io/nginxinc/nginx-kubernetes-gateway/nginx steps: - name: Checkout Repository uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 @@ -236,11 +236,11 @@ jobs: fail-fast: false matrix: include: - - dockerfile: build/Dockerfile - image: ghcr.io/nginxinc/nginx-kubernetes-gateway - target: goreleaser - - dockerfile: build/Dockerfile.nginx - image: ghcr.io/nginxinc/nginx-kubernetes-gateway/nginx + - dockerfile: build/Dockerfile + image: ghcr.io/nginxinc/nginx-kubernetes-gateway + target: goreleaser + - dockerfile: build/Dockerfile.nginx + image: ghcr.io/nginxinc/nginx-kubernetes-gateway/nginx permissions: contents: read # for docker/build-push-action to read repo content security-events: write # for github/codeql-action/upload-sarif to upload SARIF results From c2e963b3946b6293ff7195de913fb63ac55cad64 Mon Sep 17 00:00:00 2001 From: Kate Osborn Date: Fri, 4 Aug 2023 11:57:09 -0600 Subject: [PATCH 03/30] Fix unit test --- internal/mode/static/nginx/file/manager_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/internal/mode/static/nginx/file/manager_test.go b/internal/mode/static/nginx/file/manager_test.go index 4ef6d1aae9..783a3314fc 100644 --- a/internal/mode/static/nginx/file/manager_test.go +++ b/internal/mode/static/nginx/file/manager_test.go @@ -43,7 +43,7 @@ var _ = Describe("EventHandler", func() { if f.Type == file.TypeRegular { Expect(info.Mode()).To(Equal(os.FileMode(0o644))) } else { - Expect(info.Mode()).To(Equal(os.FileMode(0o600))) + Expect(info.Mode()).To(Equal(os.FileMode(0o640))) } bytes, err := os.ReadFile(f.Path) From 42a37b035a0b10f189d01ccfaf743c0ec852ef71 Mon Sep 17 00:00:00 2001 From: Kate Osborn Date: Fri, 4 Aug 2023 14:07:12 -0600 Subject: [PATCH 04/30] Remove docker bind mounts --- build/Dockerfile.nginx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/build/Dockerfile.nginx b/build/Dockerfile.nginx index e2cab542b3..a45bd85734 100644 --- a/build/Dockerfile.nginx +++ b/build/Dockerfile.nginx @@ -4,7 +4,7 @@ FROM nginx:1.25.1-alpine ARG NJS_DIR ARG NGINX_CONF_DIR -RUN --mount=type=bind,target=/tmp apk add --no-cache libcap \ +RUN apk add --no-cache libcap \ && mkdir -p /var/lib/nginx /usr/lib/nginx/modules \ && setcap 'cap_net_bind_service=+eip' /usr/sbin/nginx \ && setcap -v 'cap_net_bind_service=+eip' /usr/sbin/nginx @@ -12,7 +12,7 @@ RUN --mount=type=bind,target=/tmp apk add --no-cache libcap \ COPY ${NJS_DIR}/httpmatches.js /usr/lib/nginx/modules/njs/httpmatches.js COPY ${NGINX_CONF_DIR}/nginx.conf /etc/nginx/nginx.conf -RUN --mount=type=bind,target=/tmp chown -R 101:1001 /etc/nginx /var/cache/nginx /var/lib/nginx +RUN chown -R 101:1001 /etc/nginx /var/cache/nginx /var/lib/nginx USER 101:1001 From 861340b1a07f60ff434a15314bac6a3b618d670f Mon Sep 17 00:00:00 2001 From: Kate Osborn Date: Fri, 4 Aug 2023 14:41:38 -0600 Subject: [PATCH 05/30] Add build args to ci --- .github/workflows/ci.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 968268d73c..6124f48d61 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -166,6 +166,9 @@ jobs: target: goreleaser - dockerfile: build/Dockerfile.nginx image: ghcr.io/nginxinc/nginx-kubernetes-gateway/nginx + build-args: | + NJS_DIR=internal/mode/static/nginx/modules/src + NGINX_CONF_DIR=internal/mode/static/nginx/conf steps: - name: Checkout Repository uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 @@ -202,6 +205,7 @@ jobs: cache-from: type=gha cache-to: type=gha,mode=max pull: true + build-args: ${{ matrix.build-args }} - name: Deploy Kubernetes id: k8s @@ -241,6 +245,9 @@ jobs: target: goreleaser - dockerfile: build/Dockerfile.nginx image: ghcr.io/nginxinc/nginx-kubernetes-gateway/nginx + build-args: | + NJS_DIR=internal/mode/static/nginx/modules/src + NGINX_CONF_DIR=internal/mode/static/nginx/conf permissions: contents: read # for docker/build-push-action to read repo content security-events: write # for github/codeql-action/upload-sarif to upload SARIF results @@ -300,6 +307,7 @@ jobs: no-cache: ${{ github.event_name != 'pull_request' }} sbom: ${{ github.event_name != 'pull_request' }} provenance: false + build-args: ${{ matrix.build-args }} - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@41f05d9ecffa2ed3f1580af306000f734b733e54 # 0.11.2 From 07dda1d8c18a3b1036064510a959dacde5ac7829 Mon Sep 17 00:00:00 2001 From: Kate Osborn Date: Fri, 4 Aug 2023 15:01:13 -0600 Subject: [PATCH 06/30] Don't use matrix for helm --- .github/workflows/ci.yml | 34 ++++++++++++++++++---------------- 1 file changed, 18 insertions(+), 16 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 6124f48d61..a5be9d678a 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -157,18 +157,6 @@ jobs: runs-on: ubuntu-22.04 needs: [vars, binary] if: ${{ github.ref_type != 'tag' }} - strategy: - fail-fast: false - matrix: - include: - - dockerfile: build/Dockerfile - image: ghcr.io/nginxinc/nginx-kubernetes-gateway - target: goreleaser - - dockerfile: build/Dockerfile.nginx - image: ghcr.io/nginxinc/nginx-kubernetes-gateway/nginx - build-args: | - NJS_DIR=internal/mode/static/nginx/modules/src - NGINX_CONF_DIR=internal/mode/static/nginx/conf steps: - name: Checkout Repository uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 @@ -187,25 +175,39 @@ jobs: uses: docker/metadata-action@818d4b7b91585d195f67373fd9cb0332e31a7175 # v4.6.0 with: images: | - name=${{ matrix.image }} + name=ghcr.io/nginxinc/nginx-kubernetes-gateway + name=ghcr.io/nginxinc/nginx-kubernetes-gateway/nginx tags: | type=semver,pattern={{version}} type=edge type=ref,event=pr type=ref,event=branch,suffix=-rc,enable=${{ startsWith(github.ref, 'refs/heads/release') }} - - name: Build Docker Image + - name: Build NKG Docker Image uses: docker/build-push-action@2eb1c1961a95fc15694676618e422e8ba1d63825 # v4.1.1 with: file: build/Dockerfile tags: ${{ steps.meta.outputs.tags }} context: "." - target: ${{ matrix.target }} + target: goreleaser load: true cache-from: type=gha cache-to: type=gha,mode=max pull: true - build-args: ${{ matrix.build-args }} + + - name: Build NGINX Docker Image + uses: docker/build-push-action@2eb1c1961a95fc15694676618e422e8ba1d63825 # v4.1.1 + with: + file: build/Dockerfile.nginx + tags: ${{ steps.meta.outputs.tags }} + context: "." + load: true + cache-from: type=gha + cache-to: type=gha,mode=max + pull: true + build-args: | + NJS_DIR=internal/mode/static/nginx/modules/src + NGINX_CONF_DIR=internal/mode/static/nginx/conf - name: Deploy Kubernetes id: k8s From 89a716d366caf7d3ce5ff7a8fa0411d8b98ef4ca Mon Sep 17 00:00:00 2001 From: Kate Osborn Date: Fri, 4 Aug 2023 15:14:03 -0600 Subject: [PATCH 07/30] Access elements of list in install chart --- .github/workflows/ci.yml | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index a5be9d678a..d5902b357f 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -215,7 +215,8 @@ jobs: kube_config=${{ github.workspace }}/deploy/helm-chart/kube-${{ github.run_id }}-helm make create-kind-cluster KIND_KUBE_CONFIG=${kube_config} echo "KUBECONFIG=${kube_config}" >> "$GITHUB_ENV" - kind load docker-image ${{ steps.meta.outputs.tags }} + kind load docker-image ${{ steps.meta.outputs.tags[0] }} + kind load docker-image ${{ steps.meta.outputs.tags[1] }} kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v0.7.1/standard-install.yaml kubectl wait --for=condition=complete job/gateway-api-admission-patch job/gateway-api-admission -n gateway-system @@ -226,10 +227,10 @@ jobs: . --wait --create-namespace - --set nginxGateway.image.repository=$(echo ${{ steps.meta.outputs.tags }} | cut -d ":" -f 1) - --set nginxGateway.image.tag=$(echo ${{ steps.meta.outputs.tags }} | cut -d ":" -f 2) - --set nginx.image.repository=$(echo ${{ steps.meta.outputs.tags }} | cut -d ":" -f 1) - --set nginx.image.tag=$(echo ${{ steps.meta.outputs.tags }} | cut -d ":" -f 2) + --set nginxGateway.image.repository=$(echo ${{ steps.meta.outputs.tags[0] }} | cut -d ":" -f 1) + --set nginxGateway.image.tag=$(echo ${{ steps.meta.outputs.tags[0] }} | cut -d ":" -f 2) + --set nginx.image.repository=$(echo ${{ steps.meta.outputs.tags[1] }} | cut -d ":" -f 1) + --set nginx.image.tag=$(echo ${{ steps.meta.outputs.tags[1] }} | cut -d ":" -f 2) --set service.type=NodePort -n nginx-gateway working-directory: ${{ github.workspace }}/deploy/helm-chart From d714148c0a3ebe7c6b34eac99914c6818e4b5fd5 Mon Sep 17 00:00:00 2001 From: Kate Osborn Date: Fri, 4 Aug 2023 15:30:32 -0600 Subject: [PATCH 08/30] Kind load multiple images on one line --- conformance/Makefile | 3 +-- docs/developer/quickstart.md | 5 ++--- 2 files changed, 3 insertions(+), 5 deletions(-) diff --git a/conformance/Makefile b/conformance/Makefile index af9bc4f90c..7233627321 100644 --- a/conformance/Makefile +++ b/conformance/Makefile @@ -43,8 +43,7 @@ build-nkg-images: ## Build NKG and nginx images and load them on the kind cluste .PHONY: load-images load-images: ## Load NKG and NGINX containers on configured kind cluster - kind load docker-image $(NKG_PREFIX):$(NKG_TAG) - kind load docker-image $(NGINX_IMAGE_NAME):$(NKG_TAG) + kind load docker-image $(NKG_PREFIX):$(NKG_TAG) $(NGINX_IMAGE_NAME):$(NKG_TAG) .PHONY: prepare-nkg-dependencies prepare-nkg-dependencies: update-nkg-manifest ## Install NKG dependencies on configured kind cluster diff --git a/docs/developer/quickstart.md b/docs/developer/quickstart.md index acd338f4ce..71f3b38368 100644 --- a/docs/developer/quickstart.md +++ b/docs/developer/quickstart.md @@ -78,11 +78,10 @@ This will build the docker images `nginx-kubernetes-gateway:` and `ng make create-kind-cluster ``` -2. Load the previously built image onto your `kind` cluster: +2. Load the previously built images onto your `kind` cluster: ```shell - kind load docker-image nginx-kubernetes-gateway:$(whoami) - kind load docker-image nginx-kubernetes-gateway/nginx:$(whoami) + kind load docker-image nginx-kubernetes-gateway:$(whoami) nginx-kubernetes-gateway/nginx:$(whoami) ``` 3. Install Gateway API Resources From 3052f04f5cea6ee8737bc3a40721b28a1504fc48 Mon Sep 17 00:00:00 2001 From: Kate Osborn Date: Fri, 4 Aug 2023 15:34:33 -0600 Subject: [PATCH 09/30] Add separate docker meta step for nginx image --- .github/workflows/ci.yml | 32 +++++++++++++++++++++----------- 1 file changed, 21 insertions(+), 11 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index d5902b357f..e3dcbbf8dd 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -170,12 +170,23 @@ jobs: - name: Docker Buildx uses: docker/setup-buildx-action@4c0219f9ac95b02789c1075625400b2acbff50b1 # v2.9.1 - - name: Docker meta - id: meta + - name: NKG Docker meta + id: nkg-meta uses: docker/metadata-action@818d4b7b91585d195f67373fd9cb0332e31a7175 # v4.6.0 with: images: | name=ghcr.io/nginxinc/nginx-kubernetes-gateway + tags: | + type=semver,pattern={{version}} + type=edge + type=ref,event=pr + type=ref,event=branch,suffix=-rc,enable=${{ startsWith(github.ref, 'refs/heads/release') }} + + - name: NGINX Docker meta + id: nginx-meta + uses: docker/metadata-action@818d4b7b91585d195f67373fd9cb0332e31a7175 # v4.6.0 + with: + images: | name=ghcr.io/nginxinc/nginx-kubernetes-gateway/nginx tags: | type=semver,pattern={{version}} @@ -187,7 +198,7 @@ jobs: uses: docker/build-push-action@2eb1c1961a95fc15694676618e422e8ba1d63825 # v4.1.1 with: file: build/Dockerfile - tags: ${{ steps.meta.outputs.tags }} + tags: ${{ steps.nkg-meta.outputs.tags }} context: "." target: goreleaser load: true @@ -199,7 +210,7 @@ jobs: uses: docker/build-push-action@2eb1c1961a95fc15694676618e422e8ba1d63825 # v4.1.1 with: file: build/Dockerfile.nginx - tags: ${{ steps.meta.outputs.tags }} + tags: ${{ steps.nginx-meta.outputs.tags }} context: "." load: true cache-from: type=gha @@ -215,22 +226,21 @@ jobs: kube_config=${{ github.workspace }}/deploy/helm-chart/kube-${{ github.run_id }}-helm make create-kind-cluster KIND_KUBE_CONFIG=${kube_config} echo "KUBECONFIG=${kube_config}" >> "$GITHUB_ENV" - kind load docker-image ${{ steps.meta.outputs.tags[0] }} - kind load docker-image ${{ steps.meta.outputs.tags[1] }} + kind load docker-image ${{ steps.nkg-meta.outputs.tags }} ${{ steps.nginx-meta.outputs.tags }} kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v0.7.1/standard-install.yaml kubectl wait --for=condition=complete job/gateway-api-admission-patch job/gateway-api-admission -n gateway-system - name: Install Chart run: > helm install - helm-$(echo ${{ steps.meta.outputs.tags }} | cut -d ":" -f 2) + helm-$(echo ${{ steps.nkg-meta.outputs.tags }} | cut -d ":" -f 2) . --wait --create-namespace - --set nginxGateway.image.repository=$(echo ${{ steps.meta.outputs.tags[0] }} | cut -d ":" -f 1) - --set nginxGateway.image.tag=$(echo ${{ steps.meta.outputs.tags[0] }} | cut -d ":" -f 2) - --set nginx.image.repository=$(echo ${{ steps.meta.outputs.tags[1] }} | cut -d ":" -f 1) - --set nginx.image.tag=$(echo ${{ steps.meta.outputs.tags[1] }} | cut -d ":" -f 2) + --set nginxGateway.image.repository=$(echo ${{ steps.nkg-meta.outputs.tags }} | cut -d ":" -f 1) + --set nginxGateway.image.tag=$(echo ${{ steps.nkg-meta.outputs.tags }} | cut -d ":" -f 2) + --set nginx.image.repository=$(echo ${{ steps.nginx-meta.outputs.tags }} | cut -d ":" -f 1) + --set nginx.image.tag=$(echo ${{ steps.nginx-meta.outputs.tags }} | cut -d ":" -f 2) --set service.type=NodePort -n nginx-gateway working-directory: ${{ github.workspace }}/deploy/helm-chart From 2f0177c3adf6ec4e697f9f723382d98242cc329b Mon Sep 17 00:00:00 2001 From: Kate Osborn Date: Fri, 4 Aug 2023 16:00:24 -0600 Subject: [PATCH 10/30] Don't pull images for helm install --- .github/workflows/ci.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index e3dcbbf8dd..1e40255f07 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -239,8 +239,10 @@ jobs: --create-namespace --set nginxGateway.image.repository=$(echo ${{ steps.nkg-meta.outputs.tags }} | cut -d ":" -f 1) --set nginxGateway.image.tag=$(echo ${{ steps.nkg-meta.outputs.tags }} | cut -d ":" -f 2) + --set nginxGateway.image.pullPolicy=Never --set nginx.image.repository=$(echo ${{ steps.nginx-meta.outputs.tags }} | cut -d ":" -f 1) --set nginx.image.tag=$(echo ${{ steps.nginx-meta.outputs.tags }} | cut -d ":" -f 2) + --set nginx.image.pullPolicy=Never --set service.type=NodePort -n nginx-gateway working-directory: ${{ github.workspace }}/deploy/helm-chart From 9851e77b95fec42d6d80ca9064aec975ee655e94 Mon Sep 17 00:00:00 2001 From: Kate Osborn Date: Mon, 7 Aug 2023 12:30:29 -0600 Subject: [PATCH 11/30] Uninstall setcap --- build/Dockerfile.nginx | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/build/Dockerfile.nginx b/build/Dockerfile.nginx index a45bd85734..72929c51e2 100644 --- a/build/Dockerfile.nginx +++ b/build/Dockerfile.nginx @@ -7,7 +7,8 @@ ARG NGINX_CONF_DIR RUN apk add --no-cache libcap \ && mkdir -p /var/lib/nginx /usr/lib/nginx/modules \ && setcap 'cap_net_bind_service=+eip' /usr/sbin/nginx \ - && setcap -v 'cap_net_bind_service=+eip' /usr/sbin/nginx + && setcap -v 'cap_net_bind_service=+eip' /usr/sbin/nginx \ + && apk del libcap COPY ${NJS_DIR}/httpmatches.js /usr/lib/nginx/modules/njs/httpmatches.js COPY ${NGINX_CONF_DIR}/nginx.conf /etc/nginx/nginx.conf From 6edafd7c33f9c58adaa862de3afd21639cfa518f Mon Sep 17 00:00:00 2001 From: Kate Osborn Date: Mon, 7 Aug 2023 12:30:49 -0600 Subject: [PATCH 12/30] Change makefile target name --- Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Makefile b/Makefile index 2bd87491c6..e3ec3f8316 100644 --- a/Makefile +++ b/Makefile @@ -124,8 +124,8 @@ debug-build: GO_LINKER_FLAGS=$(GO_LINKER_FlAGS_VARS) debug-build: ADDITIONAL_GO_BUILD_FLAGS=-gcflags "all=-N -l" debug-build: build ## Build binary with debug info, symbols, and no optimizations -.PHONY: debug-image -debug-image: debug-build build-nkg-image ## Build NKG image with debug binary +.PHONY: build-nkg-debug-image +build-nkg-debug-image: debug-build build-nkg-image ## Build NKG image with debug binary .PHONY: generate-manifests generate-manifests: ## Generate manifests using Helm. From f8d50f8526c41177c925a76f4edb093955e1df73 Mon Sep 17 00:00:00 2001 From: Kate Osborn Date: Mon, 7 Aug 2023 12:31:15 -0600 Subject: [PATCH 13/30] Remove i from setcap command --- build/Dockerfile.nginx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/build/Dockerfile.nginx b/build/Dockerfile.nginx index 72929c51e2..2293d61f1b 100644 --- a/build/Dockerfile.nginx +++ b/build/Dockerfile.nginx @@ -6,8 +6,8 @@ ARG NGINX_CONF_DIR RUN apk add --no-cache libcap \ && mkdir -p /var/lib/nginx /usr/lib/nginx/modules \ - && setcap 'cap_net_bind_service=+eip' /usr/sbin/nginx \ - && setcap -v 'cap_net_bind_service=+eip' /usr/sbin/nginx \ + && setcap 'cap_net_bind_service=+ep' /usr/sbin/nginx \ + && setcap -v 'cap_net_bind_service=+ep' /usr/sbin/nginx \ && apk del libcap COPY ${NJS_DIR}/httpmatches.js /usr/lib/nginx/modules/njs/httpmatches.js From e3e147b214c7110de097c1fbcf09cef87bd689b5 Mon Sep 17 00:00:00 2001 From: Kate Osborn Date: Mon, 7 Aug 2023 12:35:12 -0600 Subject: [PATCH 14/30] build-nkg-images -> build-images --- conformance/Makefile | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/conformance/Makefile b/conformance/Makefile index 7233627321..841d575e12 100644 --- a/conformance/Makefile +++ b/conformance/Makefile @@ -37,12 +37,12 @@ create-kind-cluster: ## Create a kind cluster update-nkg-manifest: ## Update the NKG deployment manifest image names and imagePullPolicies cd .. && make generate-manifests HELM_TEMPLATE_EXTRA_ARGS_FOR_ALL_MANIFESTS_FILE="--set nginxGateway.kind=skip" HELM_TEMPLATE_COMMON_ARGS="--set nginxGateway.image.repository=$(NKG_PREFIX) --set nginxGateway.image.tag=$(NKG_TAG) --set nginxGateway.image.pullPolicy=Never --set nginx.image.repository=$(NGINX_IMAGE_NAME) --set nginx.image.tag=$(NKG_TAG) --set nginx.image.pullPolicy=Never" && cd - -.PHONY: build-nkg-image -build-nkg-images: ## Build NKG and nginx images and load them on the kind cluster +.PHONY: build-images +build-images: ## Build NKG and nginx images cd .. && make PREFIX=$(NKG_PREFIX) TAG=$(NKG_TAG) build-images .PHONY: load-images -load-images: ## Load NKG and NGINX containers on configured kind cluster +load-images: ## Load NKG and NGINX images on configured kind cluster kind load docker-image $(NKG_PREFIX):$(NKG_TAG) $(NGINX_IMAGE_NAME):$(NKG_TAG) .PHONY: prepare-nkg-dependencies @@ -58,7 +58,7 @@ deploy-updated-provisioner: ## Update provisioner manifest and deploy to the con yq '(select(.spec.template.spec.containers[].image) | .spec.template.spec.containers[].image="$(NKG_PREFIX):$(NKG_TAG)" | .spec.template.spec.containers[].imagePullPolicy = "Never")' $(PROVISIONER_MANIFEST) | kubectl apply -f - .PHONY: install-nkg-local-build -install-nkg-local-build: prepare-nkg-dependencies build-nkg-images load-images deploy-updated-provisioner ## Install NKG from local build with provisioner on configured kind cluster +install-nkg-local-build: prepare-nkg-dependencies build-images load-images deploy-updated-provisioner ## Install NKG from local build with provisioner on configured kind cluster .PHONY: install-nkg-local-no-build install-nkg-local-no-build: prepare-nkg-dependencies load-images deploy-updated-provisioner ## Install NKG from local build with provisioner on configured kind cluster but do not build the NKG image From 459f1ec6e8b27df624f0090ca9320a665bc664c6 Mon Sep 17 00:00:00 2001 From: Kate Osborn Date: Mon, 7 Aug 2023 12:36:18 -0600 Subject: [PATCH 15/30] Update makefile help output in readme --- conformance/README.md | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/conformance/README.md b/conformance/README.md index a549e055f6..51c4e107e6 100644 --- a/conformance/README.md +++ b/conformance/README.md @@ -16,7 +16,7 @@ make ``` ```text -build-nkg-image Build NKG container and load it and NGINX container on configured kind cluster +build-images Build NKG and nginx images build-test-runner-image Build conformance test runner image cleanup-conformance-tests Clean up conformance tests fixtures create-kind-cluster Create a kind cluster @@ -26,15 +26,14 @@ help Display this help install-nkg-edge Install NKG with provisioner from edge on configured kind cluster install-nkg-local-build Install NKG from local build with provisioner on configured kind cluster install-nkg-local-no-build Install NKG from local build with provisioner on configured kind cluster but do not build the NKG image -load-images Load NKG and NGINX containers on configured kind cluster -preload-nginx-container Preload NGINX container on configured kind cluster +load-images Load NKG and NGINX images on configured kind cluster prepare-nkg-dependencies Install NKG dependencies on configured kind cluster reset-go-modules Reset the go modules changes run-conformance-tests Run conformance tests undo-manifests-update Undo the changes in the manifest files uninstall-nkg Uninstall NKG on configured kind cluster and undo manifest changes update-go-modules Update the gateway-api go modules to latest main version -update-nkg-manifest Update the NKG deployment manifest image name and imagePullPolicy +update-nkg-manifest Update the NKG deployment manifest image names and imagePullPolicies ``` **Note:** The following variables are configurable when running the below `make` commands: From 462dd1ea8d8cf93139e354f45e041c670e938240 Mon Sep 17 00:00:00 2001 From: Kate Osborn Date: Mon, 7 Aug 2023 13:03:56 -0600 Subject: [PATCH 16/30] Reduce nginx container permissions --- conformance/provisioner/static-deployment.yaml | 4 ---- deploy/helm-chart/templates/deployment.yaml | 4 ---- deploy/manifests/nginx-gateway.yaml | 4 ---- 3 files changed, 12 deletions(-) diff --git a/conformance/provisioner/static-deployment.yaml b/conformance/provisioner/static-deployment.yaml index 4c4c644798..91f7910897 100644 --- a/conformance/provisioner/static-deployment.yaml +++ b/conformance/provisioner/static-deployment.yaml @@ -59,11 +59,7 @@ spec: securityContext: capabilities: add: - - CHOWN - NET_BIND_SERVICE - - SETGID - - SETUID - - DAC_OVERRIDE drop: - ALL runAsUser: 101 diff --git a/deploy/helm-chart/templates/deployment.yaml b/deploy/helm-chart/templates/deployment.yaml index acf87a9555..db2724f1d3 100644 --- a/deploy/helm-chart/templates/deployment.yaml +++ b/deploy/helm-chart/templates/deployment.yaml @@ -54,11 +54,7 @@ spec: securityContext: capabilities: add: - - CHOWN - NET_BIND_SERVICE - - SETGID - - SETUID - - DAC_OVERRIDE drop: - ALL runAsUser: 101 diff --git a/deploy/manifests/nginx-gateway.yaml b/deploy/manifests/nginx-gateway.yaml index 68814053d5..44a5a3c2b7 100644 --- a/deploy/manifests/nginx-gateway.yaml +++ b/deploy/manifests/nginx-gateway.yaml @@ -153,11 +153,7 @@ spec: securityContext: capabilities: add: - - CHOWN - NET_BIND_SERVICE - - SETGID - - SETUID - - DAC_OVERRIDE drop: - ALL runAsUser: 101 From 1b7841063f39f3a29c72c64cd9ba3d965d0a247e Mon Sep 17 00:00:00 2001 From: Kate Osborn Date: Mon, 7 Aug 2023 13:05:16 -0600 Subject: [PATCH 17/30] Update readme --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index b33c7847ca..a8a6c5233b 100644 --- a/README.md +++ b/README.md @@ -59,7 +59,7 @@ The following table lists the software versions NGINX Kubernetes Gateway support | NGINX Kubernetes Gateway | Gateway API | Kubernetes | NGINX OSS | |--------------------------|-------------|------------|-----------| -| Edge | 0.7.1 | 1.21+ | 1.25.x * | +| Edge | 0.7.1 | 1.21+ | 1.25.1 | | 0.5.0 | 0.7.1 | 1.21+ | 1.25.x * | | 0.4.0 | 0.7.1 | 1.21+ | 1.25.x * | | 0.3.0 | 0.6.2 | 1.21+ | 1.23.x * | From 1e9f144781fb86a8791f6d58feec09cf30248c1f Mon Sep 17 00:00:00 2001 From: Kate Osborn Date: Mon, 7 Aug 2023 13:06:24 -0600 Subject: [PATCH 18/30] Fix link --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index a8a6c5233b..6cf2a3faea 100644 --- a/README.md +++ b/README.md @@ -21,7 +21,7 @@ Learn about our [design principles](/docs/developer/design-principles.md) and [a 1. [Quick Start on a kind cluster](docs/running-on-kind.md). 2. [Install](docs/installation.md) NGINX Kubernetes Gateway. -3. [Build](docs/building-the-image.md) an NGINX Kubernetes Gateway container image from source or use a pre-built image +3. [Build](docs/building-the-images.md) an NGINX Kubernetes Gateway container image from source or use a pre-built image available on [GitHub Container Registry](https://github.com/nginxinc/nginx-kubernetes-gateway/pkgs/container/nginx-kubernetes-gateway). 4. Deploy various [examples](examples). From bb7b2627dcfa656cc18944fe2bdef3dc5818dbde Mon Sep 17 00:00:00 2001 From: Kate Osborn Date: Mon, 7 Aug 2023 13:07:39 -0600 Subject: [PATCH 19/30] Add go as a prereq to building images --- docs/building-the-images.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/building-the-images.md b/docs/building-the-images.md index 4528530264..14ab698c3a 100644 --- a/docs/building-the-images.md +++ b/docs/building-the-images.md @@ -8,6 +8,7 @@ installed on your machine: - [git](https://git-scm.com/) - [GNU Make](https://www.gnu.org/software/software.html) - [Docker](https://www.docker.com/) v18.09+ +- [Go](https://go.dev/doc/install) v1.20 ## Steps From 5b47519186a1e567529c654951230f49e9666608 Mon Sep 17 00:00:00 2001 From: Kate Osborn Date: Mon, 7 Aug 2023 13:16:24 -0600 Subject: [PATCH 20/30] Move pid file to new volume --- conformance/provisioner/static-deployment.yaml | 6 ++++++ deploy/helm-chart/templates/deployment.yaml | 6 ++++++ deploy/manifests/nginx-gateway.yaml | 6 ++++++ internal/mode/static/nginx/conf/nginx.conf | 2 +- internal/mode/static/nginx/runtime/manager.go | 2 +- 5 files changed, 20 insertions(+), 2 deletions(-) diff --git a/conformance/provisioner/static-deployment.yaml b/conformance/provisioner/static-deployment.yaml index 91f7910897..b311285182 100644 --- a/conformance/provisioner/static-deployment.yaml +++ b/conformance/provisioner/static-deployment.yaml @@ -48,6 +48,8 @@ spec: mountPath: /etc/nginx/conf.d - name: nginx-secrets mountPath: /etc/nginx/secrets + - name: nginx-run + mountPath: /var/run/nginx - image: ghcr.io/nginxinc/nginx-kubernetes-gateway/nginx:edge imagePullPolicy: Always name: nginx @@ -69,6 +71,8 @@ spec: mountPath: /etc/nginx/conf.d - name: nginx-secrets mountPath: /etc/nginx/secrets + - name: nginx-run + mountPath: /var/run/nginx serviceAccountName: nginx-gateway shareProcessNamespace: true securityContext: @@ -78,3 +82,5 @@ spec: emptyDir: {} - name: nginx-secrets emptyDir: {} + - name: nginx-run + emptyDir: {} diff --git a/deploy/helm-chart/templates/deployment.yaml b/deploy/helm-chart/templates/deployment.yaml index db2724f1d3..abd3874dab 100644 --- a/deploy/helm-chart/templates/deployment.yaml +++ b/deploy/helm-chart/templates/deployment.yaml @@ -43,6 +43,8 @@ spec: mountPath: /etc/nginx/conf.d - name: nginx-secrets mountPath: /etc/nginx/secrets + - name: nginx-run + mountPath: /var/run/nginx - image: {{ .Values.nginx.image.repository }}:{{ .Values.nginx.image.tag | default .Chart.AppVersion }} imagePullPolicy: {{ .Values.nginx.image.pullPolicy }} name: nginx @@ -64,6 +66,8 @@ spec: mountPath: /etc/nginx/conf.d - name: nginx-secrets mountPath: /etc/nginx/secrets + - name: nginx-run + mountPath: /var/run/nginx serviceAccountName: {{ include "nginx-gateway.serviceAccountName" . }} shareProcessNamespace: true securityContext: @@ -73,4 +77,6 @@ spec: emptyDir: {} - name: nginx-secrets emptyDir: {} + - name: nginx-run + emptyDir: {} {{- end }} diff --git a/deploy/manifests/nginx-gateway.yaml b/deploy/manifests/nginx-gateway.yaml index 44a5a3c2b7..a419e9df58 100644 --- a/deploy/manifests/nginx-gateway.yaml +++ b/deploy/manifests/nginx-gateway.yaml @@ -142,6 +142,8 @@ spec: mountPath: /etc/nginx/conf.d - name: nginx-secrets mountPath: /etc/nginx/secrets + - name: nginx-run + mountPath: /var/run/nginx - image: ghcr.io/nginxinc/nginx-kubernetes-gateway/nginx:edge imagePullPolicy: Always name: nginx @@ -163,6 +165,8 @@ spec: mountPath: /etc/nginx/conf.d - name: nginx-secrets mountPath: /etc/nginx/secrets + - name: nginx-run + mountPath: /var/run/nginx serviceAccountName: nginx-gateway shareProcessNamespace: true securityContext: @@ -172,6 +176,8 @@ spec: emptyDir: {} - name: nginx-secrets emptyDir: {} + - name: nginx-run + emptyDir: {} --- # Source: nginx-kubernetes-gateway/templates/gatewayclass.yaml apiVersion: gateway.networking.k8s.io/v1beta1 diff --git a/internal/mode/static/nginx/conf/nginx.conf b/internal/mode/static/nginx/conf/nginx.conf index 54a275b924..02f6c9f91f 100644 --- a/internal/mode/static/nginx/conf/nginx.conf +++ b/internal/mode/static/nginx/conf/nginx.conf @@ -2,7 +2,7 @@ load_module /usr/lib/nginx/modules/ngx_http_js_module.so; events {} -pid /etc/nginx/conf.d/nginx.pid; +pid /var/run/nginx/nginx.pid; error_log stderr debug; http { diff --git a/internal/mode/static/nginx/runtime/manager.go b/internal/mode/static/nginx/runtime/manager.go index f835bc0968..88fa44afbb 100644 --- a/internal/mode/static/nginx/runtime/manager.go +++ b/internal/mode/static/nginx/runtime/manager.go @@ -15,7 +15,7 @@ import ( ) const ( - pidFile = "/etc/nginx/conf.d/nginx.pid" + pidFile = "/var/run/nginx/nginx.pid" pidFileTimeout = 10 * time.Second ) From 106df3a8843987f6fa18f6752db81301cf6b1a99 Mon Sep 17 00:00:00 2001 From: Kate Osborn Date: Mon, 7 Aug 2023 13:40:37 -0600 Subject: [PATCH 21/30] Try fixing trivy error --- .github/workflows/ci.yml | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 1e40255f07..96eb132203 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -258,8 +258,10 @@ jobs: - dockerfile: build/Dockerfile image: ghcr.io/nginxinc/nginx-kubernetes-gateway target: goreleaser + sarif-file: trivy-results-nginx-kubernetes-gateway.sarif - dockerfile: build/Dockerfile.nginx image: ghcr.io/nginxinc/nginx-kubernetes-gateway/nginx + sarif-file: trivy-results-nginx-kubernetes-gateway-nginx.sarif build-args: | NJS_DIR=internal/mode/static/nginx/modules/src NGINX_CONF_DIR=internal/mode/static/nginx/conf @@ -330,21 +332,21 @@ jobs: with: image-ref: ${{ matrix.image }}:${{ steps.meta.outputs.version }} format: "sarif" - output: "trivy-results-${{ matrix.image }}.sarif" + output: ${{ matrix.sarif-file }} ignore-unfixed: "true" - name: Upload Trivy scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@5b6282e01c62d02e720b81eb8a51204f527c3624 # v2.21.3 continue-on-error: true with: - sarif_file: "trivy-results-${{ matrix.image }}.sarif" + sarif_file: ${{ matrix.sarif-file }} - name: Upload Scan Results uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 continue-on-error: true with: - name: "trivy-results-${{ matrix.image }}.sarif" - path: "trivy-results-${{ matrix.image }}.sarif" + name: ${{ matrix.sarif-file }} + path: ${{ matrix.sarif-file }} if: always() publish-helm: From 438fae44c4b44e734c9eab774411cea82ef3a9f2 Mon Sep 17 00:00:00 2001 From: Kate Osborn Date: Tue, 8 Aug 2023 11:38:40 -0600 Subject: [PATCH 22/30] Add nginx image to conformance ci yaml --- .github/workflows/conformance.yml | 38 ++++++++++++++++++++++++++----- 1 file changed, 32 insertions(+), 6 deletions(-) diff --git a/.github/workflows/conformance.yml b/.github/workflows/conformance.yml index 54cddbb02b..60b74b618d 100644 --- a/.github/workflows/conformance.yml +++ b/.github/workflows/conformance.yml @@ -42,8 +42,8 @@ jobs: - name: Docker Buildx uses: docker/setup-buildx-action@4c0219f9ac95b02789c1075625400b2acbff50b1 # v2.9.1 - - name: Docker meta - id: meta + - name: NKG Docker meta + id: nkg-meta uses: docker/metadata-action@818d4b7b91585d195f67373fd9cb0332e31a7175 # v4.6.0 with: images: | @@ -54,6 +54,18 @@ jobs: type=ref,event=pr type=ref,event=branch,suffix=-rc,enable=${{ startsWith(github.ref, 'refs/heads/release') }} + - name: NGINX Docker meta + id: nginx-meta + uses: docker/metadata-action@818d4b7b91585d195f67373fd9cb0332e31a7175 # v4.6.0 + with: + images: | + name=ghcr.io/nginxinc/nginx-kubernetes-gateway/nginx + tags: | + type=semver,pattern={{version}} + type=edge + type=ref,event=pr + type=ref,event=branch,suffix=-rc,enable=${{ startsWith(github.ref, 'refs/heads/release') }} + - name: Prepare NKG files run: | nkg_prefix=$(echo ${{ steps.meta.outputs.tags }} | cut -d ":" -f 1) @@ -67,11 +79,11 @@ jobs: version: latest args: build --snapshot --clean - - name: Build Docker Image + - name: Build NKG Docker Image uses: docker/build-push-action@2eb1c1961a95fc15694676618e422e8ba1d63825 # v4.1.1 with: file: build/Dockerfile - tags: ${{ steps.meta.outputs.tags }} + tags: ${{ steps.nkg-meta.outputs.tags }} context: "." target: goreleaser load: true @@ -79,6 +91,20 @@ jobs: cache-to: type=gha,mode=max pull: true + - name: Build NGINX Docker Image + uses: docker/build-push-action@2eb1c1961a95fc15694676618e422e8ba1d63825 # v4.1.1 + with: + file: build/Dockerfile.nginx + tags: ${{ steps.nginx-meta.outputs.tags }} + context: "." + load: true + cache-from: type=gha + cache-to: type=gha,mode=max + pull: true + build-args: | + NJS_DIR=internal/mode/static/nginx/modules/src + NGINX_CONF_DIR=internal/mode/static/nginx/conf + - name: Update Go Modules if: ${{ github.event_name == 'schedule' }} run: make update-go-modules @@ -104,8 +130,8 @@ jobs: - name: Setup conformance tests run: | - nkg_prefix=$(echo ${{ steps.meta.outputs.tags }} | cut -d ":" -f 1) - nkg_tag=$(echo ${{ steps.meta.outputs.tags }} | cut -d ":" -f 2) + nkg_prefix=$(echo ${{ steps.nkg-meta.outputs.tags }} | cut -d ":" -f 1) + nkg_tag=$(echo ${{ steps.nkg-meta.outputs.tags }} | cut -d ":" -f 2) if [ ${{ github.event_name }} == "schedule" ]; then export GW_API_VERSION=main fi From eb08aba92a4dbe6c43c91e878a0b400c5f245d70 Mon Sep 17 00:00:00 2001 From: Kate Osborn Date: Tue, 8 Aug 2023 12:08:19 -0600 Subject: [PATCH 23/30] Fix meta ref --- .github/workflows/conformance.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/conformance.yml b/.github/workflows/conformance.yml index 60b74b618d..d14a18176f 100644 --- a/.github/workflows/conformance.yml +++ b/.github/workflows/conformance.yml @@ -68,8 +68,8 @@ jobs: - name: Prepare NKG files run: | - nkg_prefix=$(echo ${{ steps.meta.outputs.tags }} | cut -d ":" -f 1) - nkg_tag=$(echo ${{ steps.meta.outputs.tags }} | cut -d ":" -f 2) + nkg_prefix=$(echo ${{ steps.nkg-meta.outputs.tags }} | cut -d ":" -f 1) + nkg_tag=$(echo ${{ steps.nkg-meta.outputs.tags }} | cut -d ":" -f 2) make update-nkg-manifest NKG_PREFIX=${nkg_prefix} NKG_TAG=${nkg_tag} working-directory: ./conformance From 2e205d940f62e8a2f996bbf1ae608134bdddd889 Mon Sep 17 00:00:00 2001 From: Kate Osborn Date: Tue, 8 Aug 2023 15:06:35 -0600 Subject: [PATCH 24/30] Update architecture doc and diagram --- docs/architecture.md | 42 +++++++++++++++++++++++----------------- docs/images/nkg-pod.png | Bin 111265 -> 116210 bytes 2 files changed, 24 insertions(+), 18 deletions(-) diff --git a/docs/architecture.md b/docs/architecture.md index cd081b39b6..7df97f6b7e 100644 --- a/docs/architecture.md +++ b/docs/architecture.md @@ -98,27 +98,33 @@ parentheses. To enhance readability, the suffix "process" has been omitted from 1. (HTTPS) *NKG* reads the *Kubernetes API* to get the latest versions of the resources in the cluster and writes to the API to update the handled resources' statuses and emit events. -2. (File I/O) *NKG* generates NGINX *configuration* based on the cluster resources and writes them as `.conf` files to -the mounted `nginx` volume, located at `/etc/nginx`. It also writes *TLS certificates* and *keys* -from [TLS Secrets][secrets] referenced in the accepted Gateway resource to the volume at the -path `/etc/nginx/secrets`. +2. (File I/O) + - Write: *NKG* generates NGINX *configuration* based on the cluster resources and writes them as `.conf` files to the + mounted `nginx-conf` volume, located at `/etc/nginx/conf.d`. It also writes *TLS certificates* and *keys* + from [TLS Secrets][secrets] referenced in the accepted Gateway resource to the `nginx-secrets` volume at the + path `/etc/nginx/secrets`. + - Read: *NKG* reads the PID file `nginx.pid` from the `nginx-var-run` volume, located at `/var/run/nginx`. *NKG* + extracts the PID of the nginx process from this file in order to send reload signals to *NGINX master*. 3. (File I/O) *NKG* writes logs to its *stdout* and *stderr*, which are collected by the container runtime. 4. (Signal) To reload NGINX, *NKG* sends the [reload signal][reload] to the **NGINX master**. -5. (File I/O) The *NGINX master* reads *configuration files* and the *TLS cert and keys* referenced in the -configuration when it starts or during a reload. These files, certificates, and keys are stored in the `nginx` volume -that is mounted to both the `nginx-gateway` and `nginx` containers. -6. (File I/O): The *NGINX master* writes to the auxiliary Unix sockets folder, which is mounted to the `nginx` -container as the `var-lib-nginx` volume. The mounted path for this volume is `/var/lib/nginx`. +5. (File I/O) + - Write: The *NGINX master* writes its PID to the `nginx.pid` file stored in the `nginx-var-run` volume. + - Read: The *NGINX master* reads *configuration files* and the *TLS cert and keys* referenced in the configuration when + it starts or during a reload. These files, certificates, and keys are stored in the `nginx-conf` and `nginx-secrets` + volumes that are mounted to both the `nginx-gateway` and `nginx` containers. +6. (File I/O) + - Write: The *NGINX master* writes to the auxiliary Unix sockets folder, which is located in the `/var/lib/nginx` + directory. + - Read: The *NGINX master* reads the `nginx.conf` file from the `/etc/nginx` directory. This [file][conf-file] contains + the global and http configuration settings for NGINX. In addition, *NGINX master* + reads the NJS modules referenced in the configuration when it starts or during a reload. NJS modules are stored in + the `/usr/lib/nginx/modules` directory. 7. (File I/O) The *NGINX master* sends logs to its *stdout* and *stderr*, which are collected by the container runtime. -8. (File I/O): The *NGINX master* reads the NJS modules referenced in the configuration when it starts or during a -reload. NJS modules are stored in the `njs-modules` volume that is mounted to the `nginx` container. -9. (File I/O) An *NGINX worker* writes logs to its *stdout* and *stderr*, which are collected by the container runtime. -10. (File I/O): The *NGINX master* reads the `nginx.conf` file from the mounted `nginx-conf` volume. -This [file][conf-file] contains the global and http configuration settings for NGINX. -11. (Signal) The *NGINX master* controls the [lifecycle of *NGINX workers*][lifecycle] it creates workers with the new +8. (File I/O) An *NGINX worker* writes logs to its *stdout* and *stderr*, which are collected by the container runtime. +9. (Signal) The *NGINX master* controls the [lifecycle of *NGINX workers*][lifecycle] it creates workers with the new configuration and shutdowns workers with the old configuration. -12. (HTTP,HTTPS) A *client* sends traffic to and receives traffic from any of the *NGINX workers* on ports 80 and 443. -13. (HTTP,HTTPS) An *NGINX worker* sends traffic to and receives traffic from the *backends*. +10. (HTTP,HTTPS) A *client* sends traffic to and receives traffic from any of the *NGINX workers* on ports 80 and 443. +11. (HTTP,HTTPS) An *NGINX worker* sends traffic to and receives traffic from the *backends*. [controller]: https://kubernetes.io/docs/concepts/architecture/controller/ @@ -130,6 +136,6 @@ configuration and shutdowns workers with the old configuration. [lifecycle]: https://nginx.org/en/docs/control.html#reconfiguration -[conf-file]: https://github.com/nginxinc/nginx-kubernetes-gateway/blob/main/deploy/manifests/nginx-conf.yaml +[conf-file]: https://github.com/nginxinc/nginx-kubernetes-gateway/blob/main/internal/mode/static/nginx/conf/nginx.conf [share]: https://kubernetes.io/docs/tasks/configure-pod-container/share-process-namespace/ diff --git a/docs/images/nkg-pod.png b/docs/images/nkg-pod.png index 7ea499cbe6d01c99b14464ed795cda39067c3b46..8fa7f6c3fd04aa5236457884e487e61b5be10d91 100644 GIT binary patch literal 116210 zcmeFZc~p~E7dIMfEp09G_N{_|NUaD?fQo>OsjpQV5wM~nAVft#WQY)ENP@LWDRw`t_Qzji@9E7$34zyNKYaDykN#Hz|CPXh zCGcMf{8s}1mB4=`@Lvi1R|5b0C9rbFt@h@Xg2F;4H#cT)4x;oyz)0_gwHUSKq)R|R z!0SX^vfj)

vdQc7RvrlzX~;RkBpE)MJ(BM=wd}(X|Y@p2R7>SoXvC>jXQZfBj4@ z!;jLGZWGv(VG%i%=CioEM9VvwxSfF$k5&i=-SUpbZSs@*t07l!R>;7jk00n*HRo|l zitUV>4tu`7-~Q&|PLj?}#NMP&akJ~&mv=UrT>bm^5AvZhPm<~_L9>kiL#^QkmMRUi zx68fk>hT`yrLNQIhxh1Mg>_B8%XW_J>L_WJ&g!As9_TD(>&kb_r9!uHAHS7L-I|B4 z{oJe&QZ#7m5q`(URM#F=`%ifD>=OyD2J{h@3smZQz}+zSA#C@?%AeC-`j(Q`>sr`|Oj6JqO#iCE?}L93WRH z!r;Yr1J0luraN}s`m;_>N$+39QG~8TqYdGX^b+^JDnI%%mu?KC+1+kH&iLay19hib zrKpA)AX*(B9zN&n?9+O0i(d#8{KM2%J+?#tWAYKJ`XepN1}kFt7@&;mr=N;-hCHI@ zs_LY(g(TI6q-)^VS`Sa{JaPYe^{XiGP(9Co$qt^)&zs^Pm65ihvc%#fAGq0-#G8ka(@)}p z`E{JBKMb;V|0=LEs(Y5|+EiU#{bie@jj(?toQ?Bpqxbh$4lS)K#ed5FF0bze$Cwe$ zibN5yJr+L2xn`KHVdB|=eNbU17l1kJc_9C5U~q71*pJc;R69xU)m_znqETQ>s97so z9FW}S?*oP_+v_-4Zrhw^<1P!6_|iAvwT+#?Dnj8uosr^RBG9;mApFPJNXql#o_XNBb(5c4ZCEJBR91qtufupq#)CHDv zB0;O_H4WQmZ$1g0^Jn7zOSPrbEF(?Zn20abwqI&Q127?80|F0Rj9UN2H*cPyk`{Zc z1bV0iTJEp1^P#ot&qzWd*29goeBlkXi$+i^=?R@OQa&3S&^&PYM}C8#`BM03C~9{7 zJg}0((J_0zH?j|CZthAwxD&!d>Os$YrO`n8@TMmcw`XE$HZ}h4^Sx`vnnY)YF$0pG zeff^llS$H>VO01ewW$H4Z?e@z7@my#q;jzkcy=7Sdkw5wx7=$-f1WMv*he`{geH}j z6?Fr`M@HzNOC7(So1VdH^r2;?9rQe*ZtO8KAq2W}Nu+omr)xC06|KGV_F zYj;#tRT;`_@2p$@g&s<=%0ZgfQ8)jsrgeBXs=Uv^Y8T48CxbDuu+QNZw&dv*q4|_#o zor-BdmZUqO$49?Ch-CGjD|J-G7$83{mA1>;O%^R@^fREj}K-`t-{xs-zp^ z4WPwKX52XcQm-9oCHA$Z&tc7f!DW3if=+zI-o))TgIp8Bj2-$E5onq|MEqZ{z@->9 zE%&ZLv&qe|7QObshPewF(K9(I>M!u2p+c<<62v(pzkie@@bBNh)im=Tingo)o03Rq zge+j+KE2OSbsz5SgBGVQ69a|4zs=$h04=C-_hjE_9?~=M>DkXs=L45v1h&Zo2*ede zHiXT&7NKo{Gr5G9Oj^vhtT%~Tp8k+pL9?~e#$3|Hu9*#fdHS8ERhWO2i05+Jiv<8j zzk#~$d5q;p|9pA<+YxCW3WtbcMRJ-re$ZZ>F9jVZN*(xCg2oDe<=ZF6Ou~3W-{{&} z1DACAEZg1v>p$YY(If&uG8T`9v!m1+?0_vj2LGl^I~d;?ZHf|h0706BOusE3rz+(F z4bOAH8c|95InERhsD+CFZ-wjgHDlFSN(m@IEhHuzeYU1%L!|)hp<4weZ*P}E1b`3h z@_>6oSaI#}x{K7$KWZZaaZb-Eea-d|h%*oWr>mcU7=hS=`s5H1KOX=0#}oMf#YcU| zlZ_D1zX=TuO|!sy1M6_D-wZ_;d+%MDXWKH5VRHWbc|-TFTjD^m?qW`Tef=eDw`tmu zpsRK%Ycf7lCS9IMY7(=oqWN_`;Ntuf;5X8%uC){IZ$0=!yoPb$3@C$w*WO{ELWh89 z>U|rvzUbIzn7>fncSf0Fev-Xe0JC>;tw88MuUPCMHXg>gGO7zp>i5F9Ma0Cg!P_yr zSILCcab4y0nIB?RX+V9k+~OK_fy!L?f!Pj$>LSRG(F9gI-G009=uKLz3KqkTm?>G+bRR9SQUao=za|z>7lbnWDXC< zF>-hN=Y!^#X-)BT;E@Anf)TcxKWF{8)6~?ol{*(LKKR&TZO;g8y<6s`r%3+8)j4(_ zuf*#Aw+{OMRRX=Q4c!qfaqrj)QBC7w$3B;8e;25>r5^ret?D!V`A%lTZ^X~(DpbeM z5V~P_^5>V`zl{L8Nsx4+7Yosfy%j#RHTAXqmleO#Qv}d7gg;W3V<$N?FVjQJ|1vH{ zAy~$@%v&rMXA3D){04pxTCtdtY_tI}wtnfuM&qeg4UaBo$CVql!hFZ75Q{C{f+R%C z$%kx%brBGLxGleK*cjZGU~W3hs&3n4=&prmv8;*t#Xi|Ms?eV~8a|rY=YTXM`In>Y zQk);A%W&nKyc++RUIb#W?heMVn~7<5s)ma;I)8?V4ZZyGx39be4ZLQwrGE`pk!bom zB33P*N{KKhxXimw*+!v>1cz4nBtaf*mvZ6Z1qE)g;x;nVQOpgrw?m8_4&gosOFeGm2J%prbMbwZ&(WZBWBwJ;|~A46)J@Q;!yxi{U{90OerinX@9Y zBSs741{LpK>-x*`19V)nJLd_ktu+`0!y}S?xd@A~x|sg4ytH z8)TE$0t?8k$PgZ1e*vy7*=QX&HSr$~?(uXirw5qpUe`Fsz`@>K2t>@7Ww;-@Q3Oui z&knkR7THHgSn zxvb*~K7Hc;)*Zau9}GPjk9f8{=mz0@Il$*+BcG~IAtz9}L*e`pfY?vpi9DL3yZ|Qq z&Mf}r0%C+n%w0(~%#C>|2LI`s|nP z7{~0mt)gaBZJ%-EU}uUkSTKFpr{)k)Z(x010u@!Q{@z_LqRTE7@fFcOt);vtzilh5p)0*q3<8=y{E*kUb!{9_yBvMq=^6!rVeN1{S?K z>C?5nWmq3tCuzy=tg~~?@Oa98*K~6Z{aX9e9Q!~57T>*>Mky@x3%Qif8pv!g^PImT ziq~cRN%_WNr=!hc95DBbc9bTO>q0$%dCP|Ui_n)aYcLB63PJ7%HwUA(A2+y22Ujau zMeeqP1t1*xPt0~iOMN)s+2}N}lKa*yg>AMMe9?Zpn3qK36zGno_VpllMDwZ9*>XE| z!|t7Gwps1p2!812m(pE~HQk77m0i|-!^=)Xb3&9tUzhW0oT^>$L~zaOoc8SK?< zcXes@k4)YlWk3qQ!RGm>#Dsjryjbz16IpsL*C8`q59Y6;5iBj)C?5r5zvn-bLZ%;i z8rSV?^9Vj^m$G;(GCVSXe?&0UxX2T@)o(tl8%Bwzd2-#6DezNdd9S&v^dTZv_05Mn zc8hOrJ2vKFq13<4OXz5-v3^un!O5W+HDOm$)OuQQG6Phujk%4OwRq-4hFQTc8shYN zMY$XOxm)8inb~OYs^&=zj@dv{Qw(Eqm42MAk9vR{pT4)TAxUcdLx$|}#w8Ico<$FR zU?qQkDQf9BLs(%|v%GWN{I{Y%9Alp5*j?NSyOMi*PnBl&7q9DCw(~d(ZUec)C^v4)i8|j?lJ-VQZ;J z7eSI3$tm8zh@#VWp*+a8rp8E9vj8(cGAmj)qq_ma0C2}NH z&zX$p2cc#gt{}m4vD`h}LIy>{*qg-7Of&g4P6&f<5*f`eI;V`h5mek;w~OMCnM#!l zGyR(fsuN}<(eCcv_ECpX_p}C=>*&uE#PAe)?$m&0tHoT+>bYu0=$Ya0QA=&p)X#!m zJB=@P^yd+ut@zAX*d;fcA~$;ApA50_osKz9i8_n<&Fi&sMwvCt{C6oEE|_k&&vb6M z_KUi4Dk-urtNSS(ZO`$r%HeLpb@mjym+xNkC?bo3nd@YaZTdPwDXZ4qzAFra_BLdh zFTYKxJF9Vf9?!#KmNMAUjo<*Kg$h z$c$7)Q)lAq+sW_mDj$?wY_?wV$jC7FmhU0kIOJI%{J-2}9m2lfq%0e`*&1M>{9r;~ zX*@fG8+#&C*BRKy1&4UTBlIZH=DnmU_I?btZg*yV$ffbFEWp=0l1HubfKqmrI4$baB z&6RU@2kZ;QIT93;){+Jkqi8gj!TF13%KVmk?Oku<3UB#``|R>)j(>%Gkl|b7m@*nJ zDW8lKwS%J3dJ)6aB#(yb{a!l-A2&#{^YaD^Wcnv~0+S^wC^W7}rtNYaV zZTaryr9%U;_7YcHNFVC8ml9;Y+v{@iO;m_8x_$%t zoykT<)sH_D^j3G*44XBHE%Y2&qP`P!DKE&!JMTrD22;1r``mEl+@J4}&BgnF&p0CO zXgt7oo*DF^e~=bdmRg;_$Bc;7+AgBQLdgNxvOMPk?LrR<(N{ckkXXoXCzqP1#4Ak!|>0 z17EPJ?9?Z-Hahwr_O=lZA*0DR0~tOmFKeSa@n2}og6;DNvv*ooO87pUb|&6cRMFSZ zDO2vz*nCTzR3qPSd|!5+VPhw7-Y(lU$j zJmNi3ul*N;?e!g=%xd<2qz-N&x}eyZ9DoIA%^BP$=pf()1u;qv+haVoK0wyJNHDgx z$nKG#N~G@+7(sNF?|^i?4#0epUS1~QKS|tsl#YIs@kIGXihrei#pHp}#v9z(+2ENC zNLnQ)H$}(!>wGok;tLDj%I)|$sIBLb^#|L?K_OYVSxNblzO9+XoMmPA9p{V`2X{;L zw&aoM&SNN|9i|!BUgarwclRFIYO>F@44FeBRx(Uw$lP1Eh?qLuno0_VZW~+Gdq1I8TlL{_^ak0ZXZD7n|?9Z-cX zlE`1dy6oBs@Lzq$tU6PKB3ehvXhc0LRmD|@+F82AOnuPWvroAVs1#6|=HozFlO_Oa zmZVpqZ!>uP8|Zv~tF!t>tA3Ui$}bvORBkeU%^R}gze!OpvEc5zfT`VA3-{(*;hTp2zVNRZRLtCBNjG1z2qs8zwl;5%1J-*whQ6x@3qojF`fJ3g#7b_uC45 z?dz&_2(B}T&6>k{7Ena15{Xxmp9iH#Iw0M36U1ADCdWHX${n|ROO7$SGHr~LUL)PA zF`+tareMeS#Fk*zqA83~x-u=&X%KGH;+#hBY3M z&iI8_+V?z_oCk67Z|g&NIp*kdMFDt$q1t4QhL2f&Td_0iaU`|?J1jAnxQkZq*SI9= zzIsChfm@G(RgPkpQVDnYDXf@ZVB~R7J<)pQCw1dXL_Ra5lg3|Ny9#|zkf1ko@NX{- zkF@GJ^Ue(^I1~B^A+o1#`u>NCR12I#&MU zO&q6dtV0v^^MV39d=jlp0GesHhK3;*pXmv2dCw7#w+5|`BmeT-%e9b$KCtC|5bp8_ zK7n78D@?JBWxIQjj#H@VS! z(#IcM$+K1mRLE|+6G#BZFm3^XN&VJ1sIT`=a1>r$ zT;M)i=6Z*Q(u?9K!FN6O#C{`}i=T^gWMZJi+aliyTWRdTIQ*`YiZQ94Ftc|bJ*l7I zd)XczmR>P7snLr~lvewkdpR@Z>8G^+Fx_i&r43knJ{#IK}jS0MhnlwY55%~am;jLQW9_Mvc5BRu`#(Ceh{ zXtsgH+})u+CpOOhx-D$=h3`Q9`D%8Vk3y*Z3S@g%jnUQCohgRK51PixG3sq$v%Lpl zI&xJiRw@|N`T{IVjr!0=%(emc#K5;@X-ZqA#z=>(16~QU83zL{tmQ9R%7Lf1n_z4| z@l~8Ut<20Xp8#A%kH|`Nx^S?#H@w9`62hKKdRDYiZZ7UOF6{S7VOfOt(>wXm?e=VA zZSv!)0IG|FvgZ$r`L{Sy=3X6y*=88z4;Dfk{pIJTP_|8y-V!>hdFaCI@1s{Jx3%0s zej;+^%ECsUU>LH*svAiF9Q06SxglqD|4RAK`vvpWBj24wr$O8X%16EMp53KX{WqzA z`o8+?Wog-kfZ!Hi4fPiR$4CKXlgjN42M8`JQ?mj&)#(z(>N5L;Ov~YlJmn4s9_>?; zy3N-NggR_^!esfZ@@27<<`j?1IS|ueqjsA3!%sG2l^eD1^ngIh;4La{b`02;bAEkbbI<|D)7%k-p|8h*Iju zv^}W#-#A0X+?S%y2FRW6k+7fZb8T;L7t@u=)& z!5QDCg}e1aMrak<41sX%3Ch!b{LD5r!z!A!H_^R*B~uT@DRDborv%6}m48z4c7iN^ z3J&ewrb#9~NbH*FcK-b1+lh*l5AxWiaCdIWGRUeQ4fMVR$Jo{FSpt9Hah3ze+1hM0 zs+CAncf%h-rR$78rm%%hZt86m)DS@$?$9;EwkUfSY9{D!j*x?7Zg9Fz4FuRHoZg6; z*$VL(k~&Y@B<$rjDZOYX+G=i$7Cg_X3=BV3Ncy)f!c1=vR1hvV4PRwCnm15{-gDXk z%;ltnhF`S4$N>I?z5DyXQ?LH2sqM)N-{a;}|Go^ySJshC$0ZPK<^b1yoPHApaLL}` zmYiXX+ZixiZ9MoWut0Hkh@`hqQC;NEUQJP^x+HDyd^v03r6cewxT3ORA|CCZNKLN4 zr_n=7>b7ODcqiImUpnIyc&?@zsr#{d;rAJVu8{1x6IZ*R}Qy-Smjlr`E+B z6K2wcp3u{2$%~4*X%1NM(T>WK0vbr7+zXd3T$nAuJkS48mf%7-byk@JpfvQCZ23k` zx36fsJr1=VF?6#MnvIq6w@booZESluKDiU4T{SE$*EmOgHzDfPdTZ~(%>UcY!CF?k z>N{%(L!=l{?7A6%ET)ziP%-i19!~^$PfRX>Y-)>?a5nQna@+K}E%|kbR}P}#oZBnU zQ%~^NWMdgqYd{9l2ov8`lQi+{>Iv@el!UCN8s9K9GmNB8u@gtE);M}~^diI-y$My{eZf!r zG9|$|&!G#P6o=q9cgDPPxBPEk?yk@T*NFMr!U-+5#C39)~X_9!Zu43@W{eTF{PQp!G(rEiW zzrJdm83<_CqC^j8=OU!X*Dq`M4L;Bg)X!6iR705^@ft}Ht-+z%;%N1{QlJ0X_;ohwA2mG||hT!{Af^-teO&~`9jRm*4BFW{4&C~H;^EYyeF(qlD33ZIEMKy=WRZlG8o~p=sj-wgbm;&JD`G$dwK+;bTZyg zs;+-8W%zjp^z7R(6kmXD2V%^HpvDRD)taA0IvT!ieqTQbOGYT%87jM7c_D0+?r|M2 zZ-eEdXZTTmZ^+b|6+D>J^U@L9<8ED6bP~Gm=e^$I=bCcZbU+HMC7y0?AF03t3pp2Z zQ_Y4O=XE9g6^`rbI}O3+yaS&7-es0(lkfcYg^BGZbW&h!$ zlkyCIWAUz^AB6|piTXN$QpWNj~W_a)j-$ zK(R@OsUb@*z`U*`C|I@Cet%FLd@UEkbcUzgG{`RMe^OU?Qf{+RXoWIpu~HbOh8X%6 zj8uod=N+zXUJC7?2zGDO13{%*(T*nDMw{>pjQUX$uG}unidTpto-Ap;oXE^cw36M1hmx zPpuPS)kZJqiqwWEL(X6OLbT7d2__Jq;poNj@|?gAMohsa^?qtYV|8k7<8t#8P_ZMy zVg-h3whyjTK1}~ zeQqBml6BMnlwTlapXzOy#Ms<}yZ{o&WCM)MCENIO1mZD3l0+zeu2nuo;*~9jb}?+x zW`N>1O+Fa`xkFhzPFDWqs6(5Iksj!~jUq0;B z%C$FVK8tvL*Y7rcU|@2Atyl_|-7$?HY;Up?DN<~>ZBq+Aq}BhlBsRAGPtUQ$9=JG!*8tA8$2M`~hds=>M|YN{CK9PlR!g}y zB&ZmJyWGDnwbOZ#V_F?ARfOvZdbxLBh^p6%y5R%*CXSFDY{K5;k}wZB+v^QY$oRGL z((o=F7zZqNR8SpjbYv+Tq;gw=|8`L6dKcN$T8$fAS(>e2KZyjH@jc&nVv7Yg6cHu9 z!jb&D-AWsWXud`1XbNN{PqiGrPxk4+QRyc0^A!2P_LFdTb|8;1rF&C&{n z+>zp7^8>7CDzR;^P()?)`}S7TQ*A8Z4>Xk|HU~{TXl=TY)uTgSE#FGp>3C5dY*lzx zOQv!%vE4^)>z^g$;X@7hFpge3Z~=!zind-%B5guEu0O?c+kOgIRUgPjpu2z-R?857 zYESNWx}~&|){4v(31(v6ST}>Fx;+(Wc`(T8y@s)UebuA6$4|a-@abW z`cJ^Ws1DiF;`%SpIx0On1fu^#JT^XEMKRt5lgbcoASlF3QcO-xz3#I`Z>uS>#*gQ; zo|{sob6L*|_NtJhefbhGW%8lliJYY{t71{JD%bJs1tlmCrMfBD?@@}nsc_H*h@Y>x z;uB1&)(M_CZhj2}QIijr9<1q>#%uXrm{Yhsm&|WrqlhqlfIW~0O%o4B!ry6nc{=wN z(@Gd~Zz+!gn9mCe_V;_#Y1dUg2tTXKGwTO6fX$i1IhLoy7SkEJoCKG?dk?se>5o{T zORsB{)KQ+PhtCZh==JLPKpFig8(^sv2tc|^Z$qM|J`%~qxwjYc9t9$&gO z?(CZpu<*5-SIz0bEZt))o?M%DL3ZUyH=PzP?}4>cSjHKgsGk=M;0=^+!~TQKwr9{Y zER;OzgWn;XHKO#2-`4BqoMk~qDsB6L?_p67#9?%Q#9DRU?>c28fI|yG9Q)1heJ4zZ z&A|yDnyZ`fr9TNch>LWBwLS|$A-fx#{@`_+d6>#>EMV{cY~-%k7UY^-x*_H!&&p0o zbfYxxgMG#4So~R@ANaaLaL0fuD3#RqC3gJXrmsPOfi|yB$%i?r3Aj%%_i^|nsEzLB zTPzlA>@5(sVLP7q_`qHO_?ZOlyOIi;=fru9i8i*v7e(>G6po%&AwbhD?C||en*q8EcDh)`Ml^fzSid$=8!UH>r^cmoveaM zW+Z3Myw{h+@&(}@?C*qUg!>aG9%<_uK8T)Vunkb}ZjJU=Pu;lD4X)`pTxT_NV(s8qZZv5Arn3E(itF!>-oRQB!h-If|$gK78=xwxGXd^{kWjuh<6B_^3{v z@=mj%`@a!}&nxkvPC9RQfex_YAf7+q!}LBj3@A>G@~NlisM09d&DCokY^tYJ$FG3E zDcAc2b7m-Vsl27O5_evFnwX#D@dnM#H;jJJiw&rFBTDm!Nm|_V3Ce;S#f61- z!osDcVcu+G#j-KuYNw+&X|BeI zq~#$5as7@|tMEX;Yj}4(n&Qz^-mXt78mLk?x|9ki=BB9L8Vnn73>$NF)mRmKoN^}s z)%JAx6(uHl6D$G68!>VEzWREwq@uOKKj&XJL8dLttQf5^6d7ii8=&Nm26lnoQSL7X z82#1f2P*6HJG8@al%C;1s=lfDmj6@(&|(;kg4|@5-X3^UaNc(od$F%<{{To;UeRks zdTFLJ?*K}tf+$X86ITTLQ0~>TE-l}^XrD)K*N}4r1t4MoBKjmiffZM@U&o_8$H!D-4y zy%9I&R8g;_$mo%@I1Tl+uA$iYYLQb5RwKoS4=pZFes z0Y1;*uYgDrtNI_{gRsE$On^>S*G~HV4)C*g@T9{m{kjL~0XMlw37a1vcJ)0zK()1r zWYQKvRc4C--qvsA&L*%nw{N5l+sOjF;OB5%I9D92dScIE{Gx~qa`fY{7YEzcGh&Hn z#ayi1wZ2geC+9lRY($PSL*!!+K&`y_LJ3y#kARf_51}bW?ySDUQ$Kb>vS;a0h-(@iOzXN)($gR~$-%Z<=ALKuQ|8F{n08Bjz(sr+%{cb}-XXTJSkj-@3o{u2i&_Fi8dmIIhuLu=iKH8K1@8ZlpE zU$vayQDy@?)cno|9&^@V-&OTLG+} z!HzcDG8bD$G(AMoWZdIp2MQgB-+Gt_y6sWk8J%^JnqnOnJZuQpJ2g!=%y!{@Hwf;=7%E>Uv zEH!OvjX!1fFHp+{t;M++c5)MPb^aCh?NODS^Mw}xgRp3jxXW&_Wxd)p-cT6;KmVl4pHY5a7il}*=KT8Kf8@BP7`hGi=EUgDz}=I;?kPO^Q5BsvUe+Qcafw;c zm<9ZTpGmo-+NwIl1>RY}1R2{fuerE-c&}`(25lM6U%fS08L{wTb;1CNA_8Krt)Zo@ z-_vtkI2SWm>{b(Ep=+`Bs1mN*Kr5F&+Q8-IUIhUfoS1<;Wa6_x3Hl@1Ha7IbLYppn zQo+PfZET{J-y{-NJ+Bx+axG&1)-+hoE(Ia51ODP(i)=2<_*q|GIE-qL-q(G_#m%#t936+rSNUMtQ!ZJY@Plp4yT!6eOOaSf{jz}8Z` zBmR(keTZ*)G6>du80B8A5>+nyN}LX;Dh=?OK#O}3Fs)22JnZ+37EavG+OEj{@slwj z4*P;SxhGgrqh9|ug-fnS3blW8&wN{HNg>{rIqnS4pqUW2ERM5Vd}!3Xip-2 z(*UUxav|LS)x4Zzyrr+ypdHXSmx?jCePI3e-@f`zEA%`q&BTDcI%OU|2f3x+7C5FJ zc=CJ!3?^ZL3Oxe5O1ZNL+@*5~RUuuABIxdo5kc>SiY5V$vXx|ulV0mItmzWc(d3i5 zxXPjnEUPt#Gk+^OK*X(6=Eg0hXN z;XAV1YPPB1{CA-ixoBnm5WRF?0|>t0b7r?RyiXsc*@!PO`uRX4i8EdFgP)!#s-j-M zM#*zds8-u{q%_Cw_W5*kj7N4)o(vOp#2~}mnmkkqNS`W*`Q{if`O}f?Hb{6VP$R4y zBTfuBqq{RKu))jkPMXhVIh_4`6wIr1k}%CK{sh3G)pnnpLy54E%NIBj%fV01b|(jvR=|GVyVMbEohwnn!M426IFY zC&*5JP)0^aGR_`wcjZRgyT>em&PndeNg@EQE!+r7z7Ft02@j%$1ArAm3aEC;#;G=R zYg_V4UqP-i)UHln#0JwrR# z$TS8M0KNdKU26i}i*AoTI@=~pcdfksi&Qj6%6H0}(q^xm2y9$|sm5fZuYh}>8Lk2}9YE=Ct?uP+w~3knt2u!2z4)1WQhIM= zKSK@-y=0&X0&|QYnr#Q3sQmi7r*MSJOJ>fvmZT?q5dlWKdO?unt!#A8X^}ze&BlSb z9FNI5;9nh-3OTl8Pu@gH1OF62l_WiY)Sa@`bGrep3!t-ZsyUjn#{fKmD-;|8ZZ2NV&A&1~2l zzq;~`w%L9#z3QEf1M27iJUN`T)oTX=@~FNb22^q9#w;WOpS=XOm;na2fLr6+Ae9%~ z0v_wRls{V##N^};Yr6tB2PUxDyT8GV)`#NfZ|iQRy{O*-q7l%j{<~n1ef!i~FrM~7 z*l4lDZhH(avVgO#xcuT*P&oE_@#_W`ut2UoDS4xDW9gTrYL?S~=?T$_eTMdjgFgJN zC)}~JvM>(euyFcn;MQ3Y(EN)^S(gcIe@PvTR~A#Kr->P1!@k{v(51&Lk=Un+Fp6mh zzW&}EbWy|!U@H4I)__nc851+EEde9QnGj9|k^ZO9Au%A@s;DS#g*upTjJT-B!y5o0JUG zo0DxsLpy;E)s6kSF&J1+iv4;Pm>6H>`5-$p!&zw>9uYg>1H)|rBiRSX)`KnqG$a*s zfiW3*0GGA{IyYcxDIj062GhvlFxU9uqAdvf%DE*C-YM>&!FH(~ndgFeUKdROcGii( zFOjUlL<4lZ5EI}oRCGelfXnP_Ky0mAQ#qDkDe)>8%j^Np^pHRKi27#?OfAR zFhrL49E|9SZOBZp<&5BtJrFvy=D0vnlbB2}|2!djoakEuQvU*dF${S@oawiGx^Q+S zkk11D?#`n3i@=*OYzBvfyC7?9L_&@W0x`Ce^QjhuB7y=XF7wh7XlJGYdJXYfn|pK~ z;9I&%53(!rwo8r?pLue+E94Js;^$zs(yyXWJAnPRIFS~8tO|4|_oGEMfE3^hNayGM z!7zk9s1M5QmpZ!Wwui>owZxG>reZ5U!?}SInM+A}?eEdHwf=0U#MK>6Sqe|$MC=vW z;jcqsBnz1Sn_q;z@&qFbhn?lqul3p?jSQ4xYlmIIu9}3HuVs7k)xn6H%c*eC0do99W~z?|%34ReJv=-4nSd-GjrrFL!m9=O_n)zL z#V3~p`)l2pUZTFMFSL$I#Q4`2lh9vV!0hrYWq?DViO-VU}~um zxVH~)0|wb0YVFEv$b2fJu(y*@TAx3}^ibL%aTU<~DD9Al|M(R(<|b^Lfh{d+Z5X7l zu1x(9u|Lf!+5^;Qoj>n{y?r}1mnY}Aph)K?Fm+<=C3@G^NwLepivH$}w=KatUcp-$>DEVJ^eIM5FK#6!) zzJPCJFS#^(f3DfSru@f-Cs=Cm6{2+PCKyk!-@XJ0T~iNL$Z+Z+n3f=>ly^o0I`;A1 z!;n6;P&8g1nJ3D}hvJPSJv2z+g-!CAnl_*GZ+bwh)x*q7SOD;IS3cS?v?j;0l{pdAzoZFQx50r8@NPhPUvxm$75l^CO`vX7=kT9NQ_VI#Mx&Dq z4q~**W}VSA$U&SSlS5IUcGWE4*bx_~5?qk{E}EFSyi$Q8u8S79`V0DV#w|6~E`GP~ zLebAe|HiVPzrKiErEG-SKL2n*7W7>_J%`UH_HKTQ)(k$8#Hj|2BD57}B}Cqze0-&; z92g3eU!Aa{;SlWh^Ov*JGkayAglX&{kQ+yxqM#_CQ7Vj z6HAfPC2Vg{GKCW!Co(6fEALfdqv~lz6u4M7VTH6itNTVkc=K0ziwGE6-TQk?*fX$D z+|LF|c{{x*T+wKLj}9t$`v-q>AO^Z&7}sy`K-JzTw--P0q76H=Ana>P$qk~4ljGnw zXTb5Ta?S6WTNI1!jC;BWO8*d8?+0IT0PL8lzbg{=ZN$;NPZK9VSHSyk-|TzFW^nf8 zal%PoG-yIC^}W;3@LYy+`Ii#*oNhnZHsZf>2_%*N;RLWm@?119<{o(m14Vr3?0)97 zHd-1P11`N@oefU|f``pC$oKIviyL10?B>K|qY0h^u9^`E-|^}1P1qjNcT6QdvppBM^@0ahIaxS&xOpO1kawPY!Rsi-DN4}jz7Qp{ zqdbFEPU}E`W*QU|#~0Z>5ZH?%?s80EOWEK(NO zUE%a~$F&X(>K+0MEN2UoI6>e?9Dz+i`$0D_+Mp*qDoVe8#Aa2W6mYgt!KVWU_LL0l z8iE|CqPsOKmoRxC7y>+;y5(QVDel?txo0`6!w*pHwko)i2!2{0XR~J$z|g1FXXlZj zy&I2*hn-cn#(}2IZioOzwLB8{ntYDPq$s=?*g;Sgcv@k!$9wbc?jLVL#&6~>g0D!z zitp9fc}naG&f{P*(91unnj>jujAshA5)54%h)1xFpuXJ*|3brhl}%kJgUm-Do-fX^ z`+V=n2`~Z+Uo9#*o4rNsLNr5Unsy=DK99wh<{Pzg8OBY$yr2LkCi#|3WXwW`y?-p} z_|s%D8>2kzDIn~JOinAjbjetQ;s}~mP{X!xAiwKs{oGwRJ_1R@@Hs$;+D}(S!}cuX z9ve{u&NbiUz18PtE-vdP>490bBV+F6E18Xe{IY^&7YlFQM9tVCRM$^J04=FgF8)xN z34~jK&Llsx{mp0t6;k&DSA?{Cf8sxQCM`kz(@p}k4t3A7Ur&&a9-}i>&0_qQro38f}HxQGxt377{N=a`$(!KZOSQeYZDyhTIKcV zZlOgEBnIv$^=@ZTV27cgu;dhorTakJHUs>H6$uQf_PbRV<=Cy?`zP!=K&SlVO6*7- zS4wiIdA~da=5tCrJRJd%Zh5vMKmiHgr9q$@9M9)LksRC-@oLNzrJq0m!$vYr2xoxO zV=Q{SE%N1)e<-(*D*K%->C)#t@R+#XM)nm=ZMF@MLvbmPo7eqd6bwd~TXoBzLw;U( zDKXH4Fu$>L!ALVAPxF#wJiQ>tHsl2 z=PdzQx!jawcj`*eF;)6K*fIN1k6L`q#cZKy-yO0qwrB>R{==UF@P;YA8O(KL`=1iu z9i6ndc~#+PLx$sckTVaQX5D*@FSTqPUmb`Fc>V0!w1yZCn)m=u3g<^%s}vCn8)CB^ ztPi6WK{Rx4+^#R0!UO2vT|#fFPIpD(CVe^Dt``~t>#wjg(0vn}hJva$R|3GFLGVsU zG!!KkW z?)VU#Y?1KRtv@8oalS`R07GZy+S8PT>N%x_Qwus-k;51dlTK{s3MF<961v)inIWI5 zlu_YdL8%PU)UE`Evbm3pX_idEY8m|VBVxjpv16b?0PQ12@9;N5S64WQW6S?_zeg?L zC0BM&)+FrZUgKBT3Cc}Nlcan$L{AW??sJQagaf)^UKIbMLTxXBb{O9wQkvLmYUgy( zd>M2W^%AT~NNdvi)Lw^B4A7S%#&b_~B(PUfbhbMKsm(tLD$SH#d z0nP*lb9(LGb7tKOKHKEYub=h1BOx6?VNRuaE2CF$#qr&W=qx}3JpQ~H(CAxjwD7-N z!ASw@#xs4q!X@P>W38X902KwXsp$JGP;kx^4P%ZSolvc_vUBKm8mioqVW7nr8S z5+3#~Cs;N>-JdJm9yzd~kS7YbVY6`djRgpkVDQ&lwlpOXkP`w!M!IGyk{*R0r*weH zu5?r)k_3lV!Km`Z- zGVtoboE0!{g3Y{-+7pWzLfKv>FZw2_@S6N!6tO*W{*MrT{c+1MmbEhUT~%w!79+rG z<=U)x00#(RGU?gYLcK`94c>wb7dZRg6T^@MS7ZAK(rT2etn)DV{%2O9$#!Q^5%@Dr z7E`I7MU$#U$)AAa&F&42N!tl#(94uHG<*7IBl#YS)lL;^UVd>LK1kU`a&rH?50&27vkXeM zY%Ng8;#S`n-3#WdehTVFUyAYUp{{gQ!Yk0d0qMi^;-E0nx9F7LMM}&_9lEZRR|{fg zm-{d`@&T@o-Iuxy?#07_urA&&1%h>&Vztx0T!|cRhc+ z&wmfsrQ*yd_g-u5d)2+Q$|g2y>?07QK(CFuiD21?8;&Xk3+p*D(CynLYN_fq2%XhR zf@PmG;*TRsGx#zuLW`$PSXUi)!ewfSyp-08u#xl+Zjfw^H#O2ympe*|_ z*CY>#67l`rs}uIK&)HWV=2XlNH=Mf7hEu8)>h}Uxpy=4DZRcP79@|!2T{s^o8-kE+ z*<@H#ODkt{hue*FDzZ&hr#Zg!l}0LBnM;e~^)z8}%rtOCs zvB*Q*cS^;?6$LrzqbVjSEE5`zHPfi*8w_?`%yeChO&(V!+!Inf{t?B_hqcAehBr0O zhZfo?_BTM%K5Q-gkWJ^v?LlBzaFegwS+i7aDBd(y5+UaNW4HF=4LOJuJOS1{ASZdc z>lb&nIPb!VOv46@O9#&cw}>t|M$#@&OgyVy7l;nDY>E3i^VV5#>!=+Ec_E>XT$H6v z<=GvEOYTlsT4>vJBtxM!xW<7Lw?SP5_DK<{4UGMV(nqW& zak6-Rr-dJ&AeTMZ+@?%?O)Ha#Cdzb}%uEO*u;Ri4#j{?85TtC#S}hI`J!o@wl{1oq zta@b^vi`!uQO~U*{$)5^|A7m8;$E+y$;eO2Ch@bW>UovD+G&g%4V&O@tHqPoYsC6J z$)u~>7UTD^i3|XDn>x^2MKm`z4*(6|5xXta-;#Gnc=+2tjBDZjCo{l{YkdH%g z+W4M(m~H!x2SJDdQK+$x3ba2B(2)irb%e@d!L?Xw3zw*z(Rb4rBA3klc!TFa><5j$ zJ3sx?3VEfhY2sh!9$9;owT zfUFB~&fy0jCb=xKJAQr2Lt+3(b83Or@=C&I=iVAUhW58hWlKX{aEW|jHkOjkk=s+yjl@z z3NRu{xE%=r!U}Y;FmRYg>OYjRP?DW#6I?T1yN_{KLsB{fl9%U!TF^9mz5JNAEdKc8 z&zs6~L0lkOoidgW{B!TUtI(@daTlgsEYb#Q%@R6gQqY+Py{>xzs@Ct3)CKZ4=;{Pc zNCQZ{!&}QD8oo0T4u5U1py`2~T$->i)v%jjUz_qkFSfyN$CNw|aeM=K=wJwZ`_a$H zg+VK)W$CJ?Im)o&(bzfmJl)RgI5VILnNF1UMg%Z(K(B@Wco$wr41~t;) z%c`V2Xc%5be5UY(A)Vy+FbuN6yqt$l%Ni|&#L{_y+OW;^eJ$b_1%A{w*PNjQCNV9| z;&3B`d_^#g5Y6m65o>-yzO-bT$cordm&$ou@0*1}LdX8*8a?mC2Wxod&i#y%va z0667>uR2=$(JUO&U*S|#RfoW7;rTKbvsSfD0*(wVs_;B=!Mgm2>U%b5T#^^+eUWMW zLxxrge0A19au^Q`Kl$rO@PGhO53ywSy*}fa*v9H=@$-!%!DZ}`><49W!s`KLs_<+z zA334J9&V2`<_!&TF-rLyS9|dzP|L|!PGlqoOR6Y~nV_}-nmZ2#s1M1TsqPh%xWM5A~l6nK|JsZ2~QTyB0UAOd^obK66wcL9U2T+ zAYAYV@WI|yU{6TDTJz*Ps8|@VllIM;B>(8@Xzs~? z12#kS<{M0=R$?0e((?Ae1{7x@!e8!c~AmvLL^vk4OrIt@RFk z5wu0Azr@K;uAn`L5zzpQ72+fH9BB^SRY{&(0)o{LSX57Aw(Vtk|3T6t0LKrRRB=rI z!~DZHfRt1ZLhc2?`=u(n*HMu+N>10t4*(IToC5ocZiw$AP|0i3oPcVo?m|Pms_LU-W=Et;iDLiIJI?91% zrj0^23o+Ju`|zZ06^H5k3pzV$f$|d1Auq9N8*Q_F57Rx{kSl{wRlpOviw(`$;xH=Z zU_Z}lS!7i!M(h08PlM^^`qBv0c!McfwUt1&Nj}>d4%Q8SxanPbiY=v)zi;pJxwy^k zuTIXvX&JSVF2JvgQTSu+0xJ+FBfANal%tAop+&YCCGYpa7z>106!+QyEoQFw!en-n zTn#CJ11&<)60x;ojSmEEA(6@7uChD>B&b_tbvH_}*mcx(fK@CO%%c!!hcs0GApT%P z0gN(U2ex&CyM^d;$;0Y*aTm{EfCKnV4#96`f1yU6#oY+RstcMGy`za73q=h47+&D! zR6aolVL5J7eYu=}0PH6cx6^k+-lGf>#4)t=D{RY#%uIGo$9-9YyMPGp;lX*NCvpL0 zvVYwM(s^PF83%XY7YYpG)&t)VS0W-u_K{dy6d2v76`EKg696Sv139eQ2B__muCzjg z&nNO#hH&HU0zk-I`E>hU1Mdm0aj50FgZE+)7~N7z1O8}~g3N7Q-2`LAgV==FcY(D4MpvRq{D1}1 zfDgNbt2ZRVk2&jKus?q#EOW(QRm(V&h==T2fthyV7Q%;|o$WGp-7rj2*gCY9EcSY+ zIu;|KhIAg^3AA3xMXF^(DT#^3*>12_)I^Ayl2UA;1gA~Hv?C+6jMZI08H)`EYG*;o zS9>rhj8^Klj<`yXX+FLV$Rks3QUKIvo;S3Lj#dX)nBp2HkE18Oq;msaS<6cXC9?n7 zdJL8NUeu@@SWQSxb&=;Qt}jBIQYc`3Al~2Y=|hMN2aAlnESl@9zNnpB)LH`J*(dtn zm{HWzx;vFIb*3GHX>|}-n)$I30?7`6!t~yG)jUi6SasAtN$Oxqy(bCIQ!#Bx=eU=Y>zV-Gw-z< zOL>scWRY0stGnvQf$AYEa{>B%95#`F6qlq4-M-gNFsOs9_B%!~%-Q6Dx8BApHk+y?5MwHBmLKv~%!Z4!vBubdF ztkPVexBwN0!8%S})Pfl?eP@`GmWHYVLRV+H-|&lt*j~_j<5RjTY6LtN&-;k3epoVgZbCmGF`4{x@u%hzN)gk&_P=a ziuZJ}ELtO}OOS!2Viu9HWzZyY<%lCFoimE)g~%O4n}G2E)$g+JLRB+pA>t?)z{?=G z7_d5M3xvA})FPe5@IL(Po;lH@aBsC$_k`Zj&25qo%K&h} zhXQIE0EXjQGE^OLe1~E1bhd|q%dbF1BPlR@LTj&BLniFbg?D^9pGjjmjOVB3<-V!t%zS=AF>(r zSN#EGiq%l|WkbP{AtGCO0?bugLF{^o$}_brgH-Evl+XUjH*7`+m=h7RW*>oIE25PK zmUARDh;49D;WKcESC#CUBC=X$&-J^;fM5)kauWnGD9nb~91@e0t02@v*zpg2tg%qY z71Cq3j9d_jLx-D9UB1C&2CgpElZ^7hZ6&XL?^?{@@K@>05|V?!Pogns(|PqrCHjLr z;5X)|OA7+rVa!b`tFwDxQ!QjO8NJc!3MAUl7AnLD_&g}hwm#~*@JNgwVuMHYg@Eex zhXS4f0xBV-=#G5Z%_EC{v^oO3)&sB{N#jpTP6D62J}|MD=Rk$Qr{hni{z2Y{)g&le z-dLD|!xOaZLWyblbnN(r3tNW(XP=Eb4uWrnj}wg$wHK47#eQiFKk-=~n4ARUB@fu@yQ7)A@{<}n2d@Re5q|8>amK(sbVEI0T9$@(tD zVoscm@spFrBUe?wDR#?e0>BGKjzmVBuTbCL;Ls5D>GXN3>QP%Vi4^w}!3SS05U&mu zFjWCfX01`kd{pj<$}j=5KZuUKBdxvP8O-u506s&Izq=8t1UDNpC_4A(Ic(NpqdKTp zg{kx=w8&`Rp#n$&mQbq*4yb%kYja!oTkd8@C8e+*K^(Xu3f4zOo^HY^16a7|zf8s4FXSf{eV4O7niq29}N`FNMiVrQvVj;^xXGFQ< z2!w~;aq3Ws4XISRh09r#;sP?YdZ-Y9&<%W&!1O#&D@^UGs${HT={%&0QMeZ}3iIj` z;P=-MC)c6$m(}M&dJ!*jy`p`^Lr_o*QJ{l$_1wRl5bYyf>blAj4p^}?%xN^S+_n?S zd!e`)d=5lcZ4ETnhG0d(4V6To=E=CJb`@L?4|Ju1>b}m+3HOn$MJg>DakU`d4V9^V z*?ES4`OSi#ytptFqG}^9crWm^#GDtZA#@!6&-3l^<{i0?;8|3y9VCFKhY(2vr3ki_ zK=(q%KiV`9JpwBI*MjOhRGo+5Va5-8Ks<=QbI*yZ`3+04QOj_3?v5@fjzYIUg}lgF zg!Ki$;7Js@$?UKw6j%yuMs5M3VTLkNL#Vw(SKGFS>Fw|BA)@PI=YmsLj!nhZ8N!*~ z#1jlExq29vOZl*77SSgP@2=%p10Y{ohh6F%lm?fG(;a*CPKmzW`ShCmC#KCW#LjNc z+@W&#$dR1@@YvJuGpm}%RO`ZKYlZ8C53mkJ47q@3ZB(=d&h}Wzal_TjjwI#e!zWIp zRaQ!)QaGOCIs9cwPrW5xP30={n7FvnHTq;8tL6N+Q@%z}QbnY~z>YvsBpE7tyn@xu z)C_eqUM=NjWdW=BJ&^L|BF9-T=ge(iKbr@7KT^nUFr(gbE~XWP zd0}C?%g4k;*D7xF#V3A(ZUwh)H}Y~|R4JFV*hK9gi>wvScX*FSxDd!oPS3gDw8T%U zmt?;!qD3t;;@0ZMdJbe%3O$isD%g7d+lBYq?&&vE$vSn#}mxEmfhs+MQi(-m!h9|4o12MYo6`ydrdgdRsmRAcO(8NWsCw0bgJsy%y zLoNDJ+v)L>uBX?pNl-*=JYV^+ob~(Od{*L3x{5_}TwNX$Ib()#uIbRa!_AXA0X$ER z4jdURhTQ+~IKf}w+EIP*>!^*NAy&34Z24b>q_0CBDI_>U87q7$=8RV zf<*VDXU?COzJLEd_{~z`U8*gMt*sBriA0enJ;#}thWW1s9+wbGzgv@KSZ6o979oO5 zqHOO`4tM)e9W0=A>e8iqfYa)M|8{gvGle!e_GE};IyhFg6w;;GVWXsah=E}!M9@4W z!;S`cD@7H!yeoPBR`X^NkOuw@-Y+ePe|!{*$GA%tA7L_g8=a92ih_a$4A9cML5Bpd z?zY1k!NI|Hd{MA3iVR@c20(Vv&CNfJ?C-n zjeeOewXWi%YisXrpSTa6&3k|USg11XbRgEco^gOZW;oPbJw#}`A44!H7yHeUelf%| zeJ$@gbgz97h)PByrOX^YtZtP6qXXmNE9~?OnMpC_Sh2^Pz++9^CCEF{7HfoX&4J%S6 zTxwztlTZ*Q}5=^<&v%d+Ep~gHx(7fFUfC>`0IQdA67xgN@pM7~@6{xmz>AW2f)#GWcu0r|Ez5Y9w2Vwn-}Acn*@mSgm)wlnlX-k3Zj9DD>(3vhwkKon@hqedC1Q{8$rKw1jdBGuoc@#`BHz zTuY_5G$vaXQ(}1=f4QrDr#aPEzFSp4pIc4jW9n1;3T`&9kks%2JU^}6qa{n;-rqmK z*zL=v!J(sP9Vh>h+F6um-fnEh<3PtaIyl|Iw=d=L#r;)^BOMNwJ>4&S69nOQUkM$($L~lz>$<{m(F|judb_D8q(q8ITnn8ha-xfBq z@+;iSz|{@~0`K3w)46D$2@}Dkkt>Ujm0W~c0Wx@{YRPgBsp=&B@y*H|p9Li(x?6K! zRYE){Rq~qYxLj>*ZJM>o^sBSy&NV=(Y71Ck4?5W9X4q505+>yiB&5mU|9GpzFX<4H zxQ}ACsUoGE#&o+Xr4B1AD?6Qnz`#K0@fh3h;I>|@AKnk~OQGt{gG@|Dwo#LmLUL~b znDKu`2>mMHp_?=hJz#&i^m2L3k0|m%VCOe_n=F%b@MmV4!KeXg06+sHK$Vp>H7!6^?j;bBs_4n{;M3;^(S;&v zYHD~T{T)|rhwmX{2SN81=%yJbRf^k>nq%z9qU=xe1fn3wP}I~9I_CsfLRmrKBb0`p z7Z=ykcA59j%*yf>AQ;w!DEBK|&ZV`bhW5X2sU-=@%gbNMMO_f*>sEn6Ug$|dPh6-) z(hN)Om#N*HbUmLE%^a-@UD~Pa2k}&w2+=b&)`V^f1q*{+A_bP$vg{wQWRmCew9RE1Eyq7^EOe96P2(kh zGXV94nVbB@^XC<;tuviy6XT} zV*a4_De0@Q4S_J0r#%?D&r}^8#g?O>^u2Zhj{h%vV7H%pHUd2c|*TI{W< z!%?!6aW$!j{FihC@U#>Bq+RO|8?2#{+34w$Cr=I^J!-IGk*D|lAO(E*7hOgwjZICk z!N|dWoULtkS>Tz_gFlO&8R|`L-MYnW`b0HHE1NHOlO>LBF4>nPlAo&hl)l(3aX6(C z7RQU2QP>D5ylZH15UrJ(qIP5V?Cf#_xUuTGf%Z6Bf&HYGhZTuuJM=+t5ukxDDK$3H zv?Dk5#7fho?a0@Eyc>J5{xdVyx`hc-*%{`nyVgHlXxnlBid%s)UO!|a>MetAQ4VWS z+@B(7-83JM$sO-GAygDe3F%#X>gvsVm$vp|3o&%qGULUO z$yHS{XwL>{)K8eFl2ut9IwGR;^ILlzq@<+$Cvgj!EFT3;Ga`A$C7;<+#jcEyoGnc1 zS-NCYc$%Z~AH-LzJ+3+quhp80HQ%eiw~xJvwT_$ggC}qFfm7V&;st>`IeroAO6e*u z8{FSJQgiqDeb=)U*SK{na&@TL&czhNB4YjUc|>=yuN)c9RB^R<8WBG0nFg=~7DP&d z&Ipy=xM@g3>8+|!XGiBT_OzCQZh*oF4$lr1FW?I2^M}A--eMd!r|kj2B=}{eRma7f zXYT{@5gOwhpX)Z2>nArYcW>7|3jk)C)t-rMo;2hL0QZpHmTS9@Ffk=S#Kjnrop$s? z2M@k~`?hCv#$6;>)IJUNRBD?#6n@(xjT^<((IR-3i>n18g{`}f8bOzcvJXV0!!yJn z;b2l{TzEQqoY11sg6$^Jj*I>fqF8|xXPECb@z~3H8Y6x8uCl&Vn2NV9;J+^4B(}-n1U-WU@w_e1pyINRm%<=-lEniIG>@+D$$C zj7$^4vPIPlvf5fDs11c)BgE9EAo})YV_2eCgmv;SPkj3jO|-kK7$OtEZK07H-j_=u z*JWlu_YP;B8GodlAJ>U$`G9f_YU@sd{C8mqS7=`s0JEE zgFS<||TomZIQHA+{t|}3+>92=8-@Iue;Hc1z z$s?Sq3z?4P8t`jiUR$x2ElJAIsF=rr0Z)K8jSawrrZdbo!i5~hBaN~9us2lRy?cj` zfn>18p)=|?vKJQ}FpZGr>%FuFsI(rYE*?~F6`FMF&GRU6&=YtTTpd^!M63t?hE`2I zue{a2K0_`r4U%W0(0H6l4J!o)Jm=v*n~`V2%*;$!U!(iu@gJcxODZujai74~@^a=n zYgpbx_zZm>>FO%0sU^aF#h?+-q`RaTk`pTN#xBR0xehoiSi*o=;sV1p>V8(%WN;?^0|PJc@hL(>RTHQOtLvkvT`-W#;PrE=mAq|- zWSvOlDVSgYE4y~?w3;7pX88?&{;BQBf?h%<{;Y&HQJYVyKb<+cB9iV`(w!;8D&8Ga zqixafF58Qx+f>wL$xTZ$DX=Saa{qph7diIJT`);RrOrI)jhYfSyn0pa@IjUN><(pY za!G|rQX;{Il(Vp`HKgt4R^{N+f5w-TlZTC^t<7uq=V!^;`+dJzzn393sIai`uT!VO z*R;0r$3Z}h>8U+L%;umijnu-4-T&{37AoOZVo(83(V`~$>*Z$LlF zJ$3aEYisM~VrP3Su0@&U@}n1JIS_aIfZPanx0MW1x^_Cm=uCl4z|-5?KQc0MVS-|M z?1r*+jA{bE-&K0GZo2Y1$O$ z{i7z-Q1*~zu__M_4;Pl81RLd$Azt_1&o3IH%_b0S^L+jKzLOK7tl;CvkJ*pPcR}-} zGy>lc!{rC*z(R*8a#ST-#gMG15AE8$+h%zzlyEX|Z}Z!#ZKDm2jOWHb>lCj~`W|5# z&>nZ5SX|`_S+6*TJnivNJ7ciXIRsM08&&B{TYE;fmQVA!8d_#^PoUu}ixQ+ERkNZ}FfU>j6TZ0*+H+xenzR3^ca zq;YRbxRTYD0->q?c_^#W#5VrVgU+2lU)jq2(?dy?**rQ3X2mYOtgHCa=6A}xN^7e80J9qBg zxbZBxYRjk|B$Y?ovf`7g@}vGU;0z3@>Uw%HAVeltiiPXL7U^`;t|G@&?y&&Gx$^tx z@c+r~W3floKXrC$u0pZ~9|Q4%WZ0+~Cw^N=={>B4M-CqB8||=S{^fR{EAcYvacM7ZdDm@cO?7fua85FGc$K0wJ9L z^%M-(vVQxH8{ZlQ{3}&a@4Q1E7bMFV9drQk?s;PRpE7hzU;PemUeW)o_{jfmYW<8e+oP{;%X|CdK4y7M6;}u-ma&;m&zaP+Ndn|AyaZ z8zbhT_JU-M^nIh0Qom<6o?xNwk>9zzygZHj!>xaXw1=0od{Dh)QNurs+aAvU@l--= zWb|Oj9}$vOiq-^8i7}CnaOsBZZtoBMtPCth|B+|8tX~ZSpnsg!az{;;`ndMdUCL@q zs7qNO4^wZR^`BM_(A3MbTUknSwI*!nKVxq_z|*}#=SRH7MMW1 z#y@`ii}TExWB|%(+`AL9p!lP`cpoF9Jq}Y75SqNvod`2gFT&RD*4es`{XyE)rWcfJ ziY+9W(W^x_dbiYZOFTAOw^DwuN+9rO^SZjadj9?QB`qGc%$wi8e@EB!o13%cQp^16 zz{bYL<@bGHG&6+j7d~ZR(0nX>X7{+32XTMMrkd*>YyOp;I6Icve&&MFPO+~o`XBsJ z;UK^Bf?0o#fY4ZXsRX6Vs1ZUc{y{+rDJd5VS0TSsoGfEX`d3giALl;JQ|)0EDST?s z_t%wk2^z81jTfhHII6u&mbr1^@WF#0flUDTMwb3hF3iX%Z-@Ze_hjRzM?veUA&k1a zh|w{pg~>5r4>C`GVr@{1pd2T&C0<;$0QB`!Zc0Z!&QK|z(1CogVqc<}EFz;K&6IyfZ2&cwErn^O<}yR|F2 z?*CtPLC5~m(R;h$K437>M<8*+8#i)SZ-tKWjPWCffk)-%Hw=FxHP!r+PMfsH?YveT zTw}n=$;q7FK^vYN-C!Al<2H^7yS)kP#M%Kah4h^}k8zl5#T=(kw-+y1u>bhq2bveV z46+@!C~}4P@y_CgvExFIukn;Dew=PEwc)`I7+B*rn3dql9644vc*ZFG!hvPA_N5=% zUSv|wC2npxKn-c!j0ugvzm~0Au}@!5uXTL#Nn5%mY&OYo&ClvbHS_BG;Pj8r@FJzO zuNj)EfsC+B9Cb%;6Q&xmHr_%bd1OyM4;)*lsHnIgF5cBLxCz$?9}bW+3X`kg-j56L zeb(b^6K`ExabH_v;gcwTT~yEfxN8YFmKLGfZM-qn+4Bp^W8uCB?7)Y}NE&4f3<+onqIV{<=RRbG8F21x^ zd`M$*T+Rc-0cYR6QTzP{mv&LPPN`+Snz@);T2n!#CwJpWq-IL1wGx8E=8} zw{%^55q;LSK+DpL7{W}zNE+>71P<3u}`oJNOYYO?=%9xfab9Ho)Ydyk>wAdP!xLg2uFULkp0 za?8dOGt{5oSZ4TjMN3z*Rp=12Jl`qSo+RTdN2JEe1fD;6^18mhJ{ZD;BY-2)OO~aP zSY}M(H;D}x^y#A4`Fx~3e}faRS-a7m8aBb|I-UwAFu0$`+R**giyj8c9Xl$6KX6>? z=1n6=d(TWyTj5^2KL?u%o(IH#yLumVwq6I}g^L;GZ0KD`;!LB0x%RBK$0`h)YTo+1 zK!LLpfp8OKb!K6@aiH+@=&GtjMn~kkcd%(_AZ)o6MQUGiGM&L5I&!e9YeP60Qjgkj z!36LtcBg8pr|ZIRTf+%<^>b}`!|?o?*j@K{uuis(bGI$-$EN{;+650#pR@tk>Sbfi zx|PN=8Wi1NfMM%Hl{*g3=zR#wxmK0p?~=VFD{L={Re|l@WSwQhiFrB>BU9%pkG#4>IL{oaLO3QaH$X9zy2HRY)xBr8k(l_$8eM zpODVN=rFKU1tyb3DF`&V&u*ZRsNlBw7U}TX^a9gSTUQ?>SuKN`0bM>SrzeM7AZ_@( z)J$wa$`xgS&m+5Hs|UtI`5&+7sRlwNk9z)?pYZa@lWh*Gk~cEpDH2@nKxUy#_&-oY zVTcwX6af1;plA9CJZh?Gk#3st8F@7>4K17~9cjfml2v;495;Dla^Hvt z_V%wyOZX`@2W<3XC!F@(oT5)_4z)!;z35k2t)lwScd)@BD^(34vU!eXRO>Y9-P?^Zi^0g?RqGl_A_pJ!_?kr6N^r zjk9TE8+9Se|9pKxd~vME3yFa{;WzlZ7H-~A6iw3YzhZ8WD}b*U)X)A#vCS9=Tb3+$ zzf$+r&T~5T>w-MLED0RSF9FeD+gAIb7`2uY2xqtxrGEKb?jpb!NGrWiX~-=w{EQY(!cPHx_?tLR9E=BAz;GO$M_U)ZWca$=Op$?3#myd-bRBa(-@m~ zQ<=3#eX>8Po953EzMOHVJN@cK3=7VX$B|wj>e9_T%WSUYbdPiE;Hb!@o5ei4ZA8-Y zqclSUVjw(Q^LN^eRtj!UaHsM=;Vxl5ZCQen6^sMQ^o!IBy;XZ+&BQ*urd1%_te4%; zQ1sZ>#NcxsGY`92Me?S9^ANXj6dh<7*e+8_4T-}+fCWGX>R-~7N_&n z!#nKUtaM(+tvEjPrs?c0dM-*&$p3VM`L*zQ?v%$)SWJ82M9@M?&D*@v!i`5-i5PEZ zA`gpweBLzl-YxSh(;=p=w93!U{XG9TP99)mSttW-=X$15CXW;q{VbZ?$JYkcH7~j3 z>e$0zhAha2O}J5a)jZLSIW2L})Yiw4KDjK|W=ULU@h zBX*8)Kvu?O+AakbD7i-X293-;t}!@k2;Vnd(7OQ*(Tx?Cql zMgDwXrARRDTfL0G*t-~!!;B+HJ$@0Z=rr57CF!gHdD+EW>@K1AvW)5?k@K9$yzV=z zF|Q>r@g+JphSwww6X-h5iP_#KFC^w_G=#z6Vc6vK4=3hFb?Q`4Z&@OW35Obpt?Rv> zj^_@;CUe8MFp*QM_{4R^72~JDN*?$ZpI+PI9cuOZsKlpR&Ljh)&*>s$r&U8!kGXHg zV##~GowbjiW}Fn9F`rC~^6A1QnNQ`s6Dgv`DC9=e6R!Aq8CRK}%Fpuci?dZ+nc;Vt zp<$P6ByNAJ8HlTqVN4P#)%@pxIExcjFSWL11b+>KMrTGopj9lI?+0Jyo$C9KU-)j* zW=-VLl4*V|xpkjnYO7SWmq$*Q;GZ zPW1X~p5=u4xXn54v*gCx{mNn5X$|%Zyo8nu(lzSykDl=!v>78h(+jDuDz>$+%FfCM z7)@`{Xf}07cqKcLB)?W7Q@%7PX9^_2Ik!C!8bm+*Z{7Y5l8!KwJ~K^r<@wE6urb)}^hEYIUXPbT+Ez`m@*47f4dxc( z&AFA*TyOPuW{S?u1r7+!7YG~R1M4Q`(l_WPposO2!qfPRl%||?^5<)L@?>wXSK&a$;yTs@o0(|krmy!6Ws^i#2dn0K=>5kDtx!!(`H$5( z^%xY=RLgBz{gF5IM&z9f`BC%pUWKj0;$4Lk55l{s<3nlFe9_)ykh=MhSB2DTGWntJ zf^?4&Cb9NP_`{9ms(3GMlMe31=1I3q(bJfn+Uhr^waO%qbY1w|I%!~?m0U*<&rfaL zd7#CvI`VR4L(;KBVXr87{kygp774y~3o)xJexcj2lw0^D%{Na#8E|WvAUKbG3KTXZ z2n@ozKkOIor}uu4ZgaW;CRVAC+t&F0t(>9dl@=HH?8`{T_HK67q4rK$3xa{28<*?D zH-g-l`{bwp;C5mCO2sV9G@fftn#66kCrW&k=~|nBfl{r_c(fHRYjwRK9@EEwH?x0Ab?P2&)guBsF!V5Au>r$_>IoIXiL)I21 zRpGHA`)dAVAg;h80vjlrT^Pwx)jR}Cp5m>-@5>^Shi6PsB)6pBhHyd zzlrBJ_@RjjxaLe-?`ruluALn7rz-w%b7ClA--*QQev|J5wcV|KV=oLDh49iQAs)Yy zj(uxRb+CR`vRI*uk9p0wM&UlbzSi%?N}dom^CEW9Us#QOOXF()WK_a2LX2OFj{4go zsq%w4tCzWHj|kl{^{Z&WR7P7Qdr_o z^KhTNa)SbjglsmKtI->frEGi3Wsg4#PD}L^ubwHtI}%q`c(KX*_FiG|7wH969o>|m z<&|OADz_{oVte0Id0q(DN{-`R9{uC?;;@p`J7l0hEr|peXi~q~UReIl{aIaDIcqyS zqCJU%0yPg%3v>3a?vhzX3_eghim0{m zkISu}9hdBkoonG_# zS9rvtJQZyGb?buahW(ZbIn+o+6R?WIG95DaPy!PmH>@aev}I&j=YGJ%xFYi{Fm|j> zx!ZBsjNWu_DhH-gSS96@a~7wt+}1ABe0}wqB$A{=h~CmXT(Vv`wODV7}?>7;#BWssc&-QGPvE7G{MNdLH03WuD=u((#aSn~zH$32ep;ZzgP zo}Ss=3@>@FVmM22$$WkBE(UM;IEcW=dJ5A{7{i5M7G3}ITNTeWE!P0!d0syn6a7M^ z^w{Qk{4-7E_u=8owe2~S%T7_9vZq1a6?zjd>dL}j{)Y#Iiw)qHQ^VX`)mhGwEzDVJ zYTIedo7R@BiDo3oW8QRm|Fql5sWJtjQkk!f#_VS&PsvY>I0>5 ze~4m9^?kAC-9}~_g@vnm{8Y5E*>;fqhw*fADV}5S1XP$b z8IIvZvdy1M@3Nj(R9Em<^sr}ldU=rS@-ZyhIO*(#`x=Zq`s+dGzw;^+1Z?ZpE-UMZ zEw^uN!)|*JC$!S@PJ?TRMUWUIM-kae7{A;>#@k*r4itA7P|;3w zVP7&R#hVFA3U~ntHr;9R38{Pm&S(s-Zi_=cWMBeX3=62zT2dA)|g^a?TV^xGs5=+r4g^duqeI+Ri zO#VHvQ@i$9#$Q*pzYoR?z~XSBej<@hm`m>Fv*9Zkc~!6_XSk~dT?k;aRK3KHiLT}0 z?`$Ib-EQdIUmIn%&zSZ?YX`gq!rpU%+`2X3Th^Z1Sljy4;t%K9-IpQxj4>qM)>ej< zYf34=XG~bMc(I<R1X*}>kE`OzPxFD2Mi@7=r-F7jx}owLY3WwWT% zXnpQp5!}~<4v|;G%!;lQsk+fa%t_R=%AjBy@A=&4A~?mdbPHu8UnWdrd*BeuCg*$c z7Be%u>%oxQ8g*==5PF_V?JNfM%O16KyQIZPnBZpX%1{%&-Gt`cZhaDqT{f+nqYk~I zP&~ABXj&Q_60S`<3U!H;DEybJZ0))KSl7152pG+T?@fc^V}|^DW?Re+0aAo4n1zY2 z8-4_nJqK{ACBhPX41u%)tOmFpAr5X{O{OaELvohcojEbllVkdMt~uu8;P2d%8Txtw zQ0@GQhU?hve~=xpn9)x1!D||kGVwB-*@)Tm{LEA%jR^fS9+$z7^$cyiJ6+Y}C2`>L zb(o6FL|La#k&+Lz$wT~0?;fOTe!9&Ha2HnFT@z!`Q(Buw1+FTAhztYN&2daD{OjWu z|99_AJHa#R-%+@UL8uOS%-7x+?v+o)HV?HIEjpfhxB&KSN@GGXKIkNII`@R3=#Ckm z^#_AEGxBt;Eao1}30oU%LnFharKK4o*&#T5)8ykLA~xM`yc+st|bbBw^n004(!;uEEbr00o`r;Z}ed-l!sG z$bV}l*_-4*FF?p;bZSCTdTk*;(>Fr!Mpw@c_MFLPIqddVtvJ^!0TEWmOe>PIK4i9l z1yTaD_jk~r^Q`2IO4@e7daxiMP?LU?vxN}a)=@{{uC_axAfr$nRbQF>^yIRRVjRfE z`^@QJG;XHXrq)0c*%EGY8R`r;jYDKQi)xnNB9ET2- zXMSrEz@pm+b6I*FB**A8r9?;bEw-ld&Y0_I*1U~}_ji>$?CTBOb7`VQZMch6RyC|y zCk(~uYa)u+?Y>GC!%s&K^Sv0U2H03XaCOnOrc?ulC$S|zZOb!L%1QHNn!b))VM%hk zWmUV5YuY)t6A!3V-;%7rjH8ZNp~8uRM`vy_DgJ$hl$AVTXw@=FR}mI)R;HoT!G#k-m+Sf=K2?9iD@BTT(TZ^SM2OpoH@(;{gJ*KJ>7cye7M5P}jIa<4HpcZTH$=p;J zE5pfIqY#SC4sXv4){e{V(~{W5d)%jCOO8!>2hr5@t%mmHev5m31o?}KZt0pI zBLeTf1sHX|?A5JV|MjNJV5i#>MjEx(uV3y@OP}sUND{sZKM`86Xo?$lSt#jp>2cZ% zwx^J4>vbX_YKKe@8z~DQ+PDHpJo-}it}T_&r{b@#zdRc0c6k9Ej4>>IT<_8v|xHTYoz4?B?VwdE#@oc$P@wmN$OR+0C5;|jSiQrM!mpI`R;PHZizK1H+xBPpO& z*IsTu=xnuJw?l&e%fy4gwK7&)ORKz2!_KnWBbKaeltU+iEMJs^xS7AGhqp{nZpE^i zixnYUbD5BrN=6VeiaOEg?-pd}#dgU!gjgMB+B`bK8r7k_rUWgK?cq&;Ap6~DG1E>% zo_T1@V9xyktV_v7QvORyHi{j%w0wK}y+4V9yYzB?_yT4ZwLvxSDlI~K_pHD3MeJbt zErg^bw@>$CyO}z2u{FvgSEdc-i_D%)6H+}O(K&c5O5@m*hehJ{l{jjK;6%i}A)H-x zjUMmBb^KMARZg`y3_Jgl+qV^TX;}u9ssP-(c4=0KyJ|Y zXNDg|CwByZB}b}fK78c7DAwqzE|sM#H+%vedu3fKzNz4hH-kj>ZP{qq)!$R`GswrK zg_fe`HsqjC7U$f&bYbk8NoC2EmvTO)d<}Z`q#kGA!o<`Ok#)XhYu>!D3T3|C$sy5Z zJzrfSIm9G=!lea!#)=Xzl1bNKlWC6y{|_7f=+)T~sxoofMwCL4J-xKeXiO_tT#(CUKWT7g)a68sM z&~>%XjVX)*9iv`u zobgkN!KVK2(vgisz0oFv`B}c)V-sADal*e2eSG~tp&q_Kx6GRmhfbE1cU#)#cow2f zJ`;7yS}GZYIn#8xz(0~w zsC*H#Ysak0P|5X~1)KETqZkp_KebPEnKwgBugMC+Yw!KlqaZ|&;+lkgdr)ZYnTS(W z&A<;^i2VwmzmUeipsf5RD}&8xxk}<|Rg1)Vc&l&!#`vRxMd5Max<}g(N z07aqfI5Aek7iHxy2bcSDZesA-pW?-xtUWjq$y4`EO?5%|22c`&Yam(;LDCrPB^Tlo zsSeec3lKx6v;rEy(ks^No;pL=M?APxCZ5;R%Y_sY?k!P7e_x{hKBjNQ+Cv?dH>0`m zVlQ&=IY;$X-(tB6sjq(+1NI;+S3m}YWn)#}7~$;wxgVwzjK%zySLHpmBjVt6E*E|+ zzIB1dUNP1#=>T|QKxQrLl{+v2^{p&++ix!#Ra1(+GvLmLORwJDq|-I(q87v<)4Dp6 z<^29#&?$(Wdxwz}!I6?)Sw;c;`aX|bqftdkuYIPbt>fd9X{;w$6LPgqhu5BK8g&~} zmU`qPzEVX)F!g>k)J6k-3G^EK(^A_${Hj7i%X(`v_=wH1+Ro8_Ps%jDqu3V!p}mXB zhPq>~^6&`cK;&ME0`_s~-(orUqk4dHrJ`6n+it_vq9CquA0o}*%foe+~NT^ia^Y)#(=Un_vnp?DP^r#!@y!QaSB<}6Zmw{S3vI#?=x zn$fcAHl=*)pcHvgUoqN?dm5lHL1*Hc`TE?aWVfp*T38^ka`>10yT^T`N9`{p=TcQV zH|Bt=*j%sS{-bJyu4cL$^ifp%_(v>bqQMb5}rc~)FAia}>4mS8yiiRdgDAIec zA)ufjAiV@a7pWl$J#@}osQdfQIpdsr#u>kR|GF7NMY58ttTo^H&h|V{N*rstlhW%d zU^w21hVtsq0+t4t%H{^%u2Wb*Lwe*odkr*t!yf-Ll%~7i3gfI9$ngbg&i~SlY1VO} zS{uPjI8$$^Zm~667?`a?)u}zu$;{V~HPz>m9pzrAZMh)acE~q7A@0SeHo4ar@G;Zw z+319&LB$3sr$P_p?>wbe8MvBHpcJZ$D4zXzn4cBGI;Kkx#F_bUt_e`4G(sZTcT(Z* zRF^cG_3h4MwC83#gyugNnvxY0gWRDiV)xI_k9~d-3g&vnqRu^37!uUKlr({ew^HfS8t5S|nS`6Vlr_`)e=On3x6(Dfc|4yEU5sp~b ze+E!tflo%cd=^xNGOkXYULMjA!Sd}u*^fu=vQuDl!q_PwRSU$@>Y=W=9?XUONGjpH zi4~a(&(XnxaeW781b2CrPOIn~?oZaxzmtWOqeNlPgK|E&oYzNEw$?C%Jg$mi&@W4Y z4k_HM0tbbcMcES8QBo3Bx4^ZVFUl_Q2y->>uY#5mlFo7|jF`zQVs}cqAnCK`!gnV2 z0nd8dX((NvLgo8HM#aAm2~4*ia)%z^zDfOXJtx-)8~vh`o)X=d3*a(-w$PBi>a#8_ zsE($Z^?k0fg7uIjBl;J|<{%v@Rn_ltpRQ5$;_P}W-wy_KYK*Dl!aQd3XMNSE{E_zt zIJc7{&|gJ11?23J9p^?S_%>)dc00!Wr~*JWwl!`q*(oOzO0FW_zq;;_0J*Fcbv|2L zy~tZACwqSEqWF9PvM187okf$;ify0Pj5&3ZuFBHinj9#M_tnpUD=JyukT-ya-11=H zj01_A3RR>@L4%|lQmQ<>qDI&bSicYMdNHwgf`>u;E6T(!P$hu{d27jq-&#JusW>?K zjeJKH{5-gpjHvizIHKtG!TL^EYmx>>C+;ZH8mc-vRJe$_( zVkb+N#35I}$RqSW=A!?nkma9Gg1ab}|LKPw4*cBm6~%G<{iL8#Qqh_7+X0aMwSNX> z<%Ee{?VR4Kg4*GbV%mSaocJryfmi--r>p;KhHnvz`>&h$O%(eD5sL-&<<(m}Uj?z* zl|f1U7^i>{1Qa)AYQ?1xY#R{^U_b-it;)^KFiwl5n;>G_Mq4 zD$mrQ=LVjlYcsADa#BcTMC!fU-#|j)xWM4rgmXXqxp@RL_(%=+dD0I4&U7sMcETiu<^p&tvB7y$C)2f(0ZtjyYkA_9@d z7#e7qhGSgDVT@mtyK&;1Ohl-SxPS#FFV{xwT>#M`eqV0@{m{%C04@OrQA0~tppwDp z+ytPF-t<^&HPv19oUPldpmxpcjmjg_Q?z^p`7J;_Je^Z{8HPnoH{Wup3aTcHMoBf1 zb{GLKM_!wwt4mpf;0L0uH6Z2z8mr+l&g8s3W25}r&+(lPdmi>~SmTxuK=;`POL5a( zjDx%YKEyiHpH@OiXs%*)jCT>(7LZSa&y`{{Qa&I2e&2!?&;Y<~i$mxFIJxI*N3bTR zgH58&jhjTzZUU;2OCg`;aUGlZu9vN#HsDMKa$J9I%7kr=Ro&5q=8E|P$Yo~a5dLeA z>vM#nK`djlrX-ncSE;MrFOhZkDGe@ffm6d7Jo)c7fMKA>8QcH}!17(AFDc^}0B>Ex zdXVZhLtJ&4y$vVwpf7%LrF@+z?k~uF4=2SAF&P5`@h3|!gU_K)l8GgSuSgMjZ9>MB zDfk$YKt~bo`c+Zx%zCHaP7gG97oja_y>B=brdZnhCoGG6hl->rn6oG(5!!B zdEY9x?ZW*+W=1Thv=`08bCqfaSd}|}5d#r=5@0Y%0(t^99SfcKtHdYe*YV`Pzy^TS zL?KMHQ5?SA?`t2cMv;{Puewz86)pjOav)R2u)M8=UefwBV7v(7qR5fX{ZTe*xwLI= z1&24}4H60OWH6|c;BF2UslU|2r{G-4iF8h#CnM>$r_C^5#nuP%ZDM?bPJUZBT|{;< z+jP+fbV|Ttd8T@T85p0Z6c)g4{($y1)1U9lnuTkN@TQRS92^cFJYZiE2AFfNweEiT z`yK#Em-ll9PK{O@8_G+Wnd-BRTO)_C3FrI**>F_GT$^?kY;-Oa1U(N=H5mC@D-$% zq$GSqAv>zM1mc)=Q)8OnYPwuCFx_(nCKLlcv7ux7wqU;e+O9p$lbJ;W704uFY|j-q zr*kF*)L4j{>WU3MkY2&AFx8*!*P7aw=zbwIs_0o^*I^IvI|^+rZ+79Lvn$$zfapM` zf>MBbI!Zqdw*(=cu)sLR?;hBuJ2?7KZO9>RS3ka9on?ZbB;BYMEOIw&>XWp3iMWEAVPoKGvCi;31AcOI;VZ{? z)(@;5$fD6k(y>^U)QbWg)Z(qAm*1{yhd+@=*Ro?u%65z7!T;F@3l(ZHHf=3yn<};9 z3on2fO3 z^V*bItY~IB5?8YX2;2JhhWyr;M6kow%Z9IwzRyHumV1_eAD*-=mwB@ijQB`gbgzlf z{rfC5M1(8dxKG2c-5QZn}gC@okx(CWC7W%<2Z&m&RS5r}kye z%DU{nBl|c}XYNusiPF2VG$=BZC40;bfYrsYp&-})DVv8(uk9Gn4ux={X#JhtW)z0v zGxN*~Rw03=y)CXSrn&OOvgGjO%Pb`*X{TO>va>ZxW%@A{YZ0&n8mz@m8J)<DuwTuYsF`f-4#}UW^p!?@Zjm!1h6K$U3>e z29qlcv%*nSL0*30A{%@%&Y`HOz-GTKe1kO04Jzs7nU>zSOYUS}8VgH*W7eyU$$hL7 zk$M*_iCqNw3u_3bedh8F%d2#~Eth7CWLIG035dB$61e9*L3BcqzjBk-N3}*If#l;< z^9XiRng!Sx;7gO^jG8rTzt|f`Wo8)5T5NI{z2@}HF)y{nUAYPDIsqfZ!GWAq82^FT zjOoW9s(`F%JMQ|9k^l%gdMU;WGC@rJ)=G8R*>Z`kFNzmq|~vAVr_ zzYoR(Upri4Bc5j?VcSr4qS)ksgVj-Sw;ZT;A71Z6eZpl98n9O4oR(hc0Jl{4y-Ifo zEMQ?2&p90`0FUZ#f5moTNcVX^7C3Em;A%^(=Ng`SZ*@x+z`vr@Cr8P2q0c2ihZJ#tCG5;Qmx=D0Lel z%*uN<(v)FTSl3N$Bd7-u@eZpdBT)k~hUnTVDZj~qTg`hv0$odvl&y4^jL4Va@-E{d z_7QMK5K!rlMt$8dUA0#<=YVy5#&e7r2)a6ol%-G(e)mz7p2V8T_W1Ysp3ZT98yf@! z3#${^$`Kb3p0XcBW1q}9Q3fGL);n}zR+&Ro;AzP;paJV;rx#9gazHrd8^D$Tx0V|M z6`8)sxPEdKxpagf1052`VH|p+aNfqu!{HC`!eA!mO6pXOiSd?6q?R0OVGNw@@b7{2OQisx zWRN?T&zNp=V|uD18Got?R*vrcz*{Tl$9mONB&0bs;Dt3qY(+%)pBPdO{JGm=wHXk2 z7?SDBdzL3)S5?G5xxQ21^H8H9gcZpB-Of1}Vvqc)sOsN`Z-`=}0gJ)wOOipzO&HSO zhM2%l+Yj@90E%+)|2lByk@baW(%27}QNhk%pT2$M{{@`s=V$ysWId??>4#EY<>d(> z=r&;J0NjKqP~ZhuRact|Mf@19|M5;Oe~P~PfRBxp+gc@7hJ=KCpHlOYdWrSbr5 zF;+GaIW#&t3M26C07~Ul0L&Gf<|abr+<`dXUl0E4!ML_QYcT}gjR+J+$h!Lyp16(PL#Fpsb^f}Zd*k^669j2d9{+mqN?#QR> z#!KGXyGZSTT(;-;dIcl9$ix0);UcztXY=pb>Xi$e3wt9=s*c&--e_xgVIN2&^z|*f zA7Zf2{3mIJyz{tdh0>bLoRFd3(}Gyr&^elQ7R_RZNM7EPS0U~t0k<6~)s$=DH%rSz z7#RM2#=d^E<|)xs4eoSl%F=j3;awFr4uhS_J)*^o>i3f6w%6IO6cS2jgDt{Sl4W0Q z-JBSd!?mR_$`M{CABZ!=)(u%P&bX8TkB*AQLg>HoSa!T%vHn8ExbPlJFXxL1ZK@qfM(L&5$3 zv>Unjf9ijCF6^lVJkbH4L*K@Q)gFxXROY{t21`8(@V9@!+HwKwRgE=h)4H4W4MXua zW3POXeYAxUjg@8}fXean!P`F506H z+8{~(6SsrB?hfyn3fXjGf?8t6QbBJ_aF_fQ3y+TdBBsPXF{KB%odyN~Z3+l1RYVSk zM@OXH#7Pvp!6QH|`Xn`^p`6u`g3%jrCb99FLJ$BM%IUL^a3vsZwvv?Q72iJc9%&~?_HvH^^6>-k)y8^fo z%%S&z@*7fnEx(HXfDS63_{XG?Gy8wd;s4)Z%;k=$>7d`F!zGFB`GxL5_S8D5heAcW zo{#{v2InmD%OAx)=asOvTvlMvKP(&b=Adx%CN5z5vpj(c&`p8bqGoa z5Qhy&4UGYn#ei^3hK=mU@eKA}`mWV-{CXulE;fv9Ps%jwD*-$?x?}mK&c~be(tYw= zrAxz0u?_FHk+I5Weim4u61%br8$hq`q&Lkj|CjlQ{14`%e8ws6=LhlM19xO_IW?w# zVT>VCARA4M6xtA~f(X;{MYaPpPaZXEM5Py9xy7kqdiL&WPy7_~+|?jzuK%G|UClOq zlmWXXraL$9B(&2FG_*K_f>W^xFJlFS+@-dLhTqpaM!a>Z{B3#;$~a=w02!&TQ6W zj=C6WXeA6O3qq|cA#dnns4pEQdET7t-BENYz1}MP8C`qR=N+fGdM33YbG_iMo#xjw zGCckjBsFz@B<}XKXMn+{Noxni%m;e*L3|`FaCWXBgEL!q2A7FcX_?u8v0I zl8Ua#*7FKqGmJRk$Sa%KH%#v+4J_ZG&c0Nr*q>1JT<2i-MqIrRx{F+n+_}i?03$D6 zg~&~*>-|o%)?ky;y0B?e3W-37>oKqV+}Bs~v>=)L6`aQccG@L#92yWa7Jps2pNA(Zp^GkrewcadA2A*ieB*zc30 zi9SAKQjB^q@c~mNTndz(H@-izWNSYn-dW}od0gJe##wspeCFK;Uqu&Xdrs!>tne-- z<>+BOn7nM9(b^co%hjf=7lu}D)i#}onT4ucvORNDH=w&YxXUwDPXsnOy}yA zS`fpmeX%k3g(MiHo?2fvMyqj`4x(O;4%gJN4>`D|Z*yP@cQqKjPdrVzRiQLACagA9 zW0djjl!$+2O2*$Z`zp2Y)q}Xq#c(RdDxe6iXM-K>HeUC3)tVHgOPpoA-fTpRY=>Q#RsIOL_t##IpcNqhEe_nzIm&4I{7=*ahuFQm@{ z$N7ya^s$NR$mIvwol@J<(J;$FC)@C%9_y}D_2dPRN408<6eX3r=C7}>i#UxbX%8Bv z&$Kzs7dUL_?%7*N?B&RKO%&v~6c!R0tC*k@;3W6wIUu0K^)kj%4sCB_#is8ELbxDQ6%(mU6>Dj!7DeP|Gu z3*TI&*K7(u%CGR6x2qw)X*WxUIicBAJl#-J;XyR?8wjc*ZU%Dduf-Rbo@aQgP?)@v zzuBHMS<1TQ<5-jN!N#s(M8mT1K{01(%TMN zF_StyFOh5H^qj+A}=3)0$$9s2A|58#|6 zow8L^8tgtlFVzpXd@?XKOs8sK#Xhu3@|jVKS@E|KdZD}D=&N$iz39qV;$G-%^@`DQ zde3)AzcSkeL2z5zPMT9S71SCufj$jwJU2hDsjJK5?d|Pn+;v9-+s>WM)v!Rau&|JH zolCfW{dxy*JMrM3DJm)guVNzTIQ@+U^3cqoq5FOe6$J$y6S_+a3nBxoCr%^*536K{ z^S4h2kn~M4TmYD9GUi-6##Uh=OQNUW&aQ$qgbHm7{;vP>r3IMItjg`k%fKQxa%B!jdq>-o!QkH;<>cv?J&hABNP=jVRMnAXRhlJo>7o8J5WWZ@-AWPGiz ztq@m2J*J>We_)&@U8!oHaycnrt;d_y3*b@!Q8{o{B2pwD6MN7-Fqrljb+CIgFz?o8 zmaY1`-e>)fm}4xfZE=@RvDbxqv5K9}&HTuwAO3v7USc|YSr$iiOT8`0{H90hZ!DKc zQAKjjxC9HPQeU>%p_m*cgV9|cVmxHR!>gv?;>}_pbnOvMZj`yC&P8j-V5QZw?oGUm zGwGxqW0kZ@Vw#Og*^$j+#oj*^nEJnU*-L>n%JWA@tN~EMvt0QWAyq>AEICHKWr<7D zp)*)1j!FN1@_Zg@>e*=JDPJR*u4P;k57{Lt+I7`o1l5-quIRafV`A`G<$*m&drJz4 zqK!7}p2FtCF4Jrsu+eT8QH(icr8Eh+}fba z7caur#;qW)OsiPS@&b~2UO~ZT7dzlQqLz#>F`l{FJ-nJ-KKHW!o*A)NhB@7dHfSwI zM%c1RJ3!{>Z|Q}W8|cRlU{)YOa5FJES<1f>7*;K(zseB9jdYVPl+D%ivaqqG0W~8$ z%ge>}c{qZo1a2L0<*PwmJuiTIOHmQxOUi*YZ@jqO_EUX$wxk3MzA2u&yo91|L?^BXtJ? zsW;k>o+z2#bd+_yGa5%g-PL&m|HCG%UlZFhqC8T25R;A?8@~3?KYO| zu79@j(^lODQ^Jwg#Ve-krR-BI*WO58SyB~pUp+aVi|&ZAAlry{O|z#Q({Ac)wjr>U zqosVxdhuS*Ia4$7er5FXPt>=id1~IS(?KeOM3Q&%E{52Ot}K0;^WgVXZG4$X_(%`L zR;wkYWj=@E0JeQYrbhFZ zv3cKFt#`HAd((J#12`tCZ@Y*t5FO#@0`gJoXO-J_Awgcuw0f(J*#OSy2~bGi z@~49w=sWoq0R?91h1Yl6A+%ZqlbnFpg_%U`-2mIk!xxE8M~hfsqg}^N65wbzcvqIg zhhu>jebC~tVJMtjrXfKW>%1}=X7L*hEK#9tABV>sT8uGNuyZLCiUDmtN^o*=(hZcq zI*aX$JV8VwOCb3gu=oZ9M)lfO_P+I+t35Y4MdH6r^C-C;U#pTbw}ELcAMDxfuvnEZL1LmlekJ1PB7Fa{VZWWtTzmgq>=WXjepmCQz}&FX`WJc7MVD)jD|EfHWnspKek=^r%WmF}5EJ<`&#$j zZ}k;iR{a_;cdKu9MN0X6ZB`#H~*7rAcp{}Tvr9YYD6%0RC3pDyGpPAtt*!#?iUJE;$8q zkwmCqqQDS&MMN|}nB-DTuL{c<@O`geAI{Xtm!F-T?Nq6@wdyZJ)p*{c@t;30j|INq z`%3PLpq zuol7JAam%kb(q_EN*5{|2WbBGk^rN{ie+frNzPhKYe!4Y0>G0+w6Bdl2H>8Y7BG8l z0VC-sz*iY(+FC8c@c2a-Pi9|x;CFe$m741uUlb?abO+#jHJ8a&R<}wyjol$!OaW`) zkaZ{q)Ly^{GR)s)nr*erPd{0>gH;z|e+b4KAe-}gkxr2cPQTmj6s1D{-NxB%pPidd zvb^;D1M1BWmI`&gjrjMRwH9R=@5v0dNuR(TNNXTokHXcK`J(Oy@kVuBP+-{+xMlQ+ z@*!&mGq7Q9aIDQ|Al$zhaFbbcFaI zLfS*4k4xqAo9bz5=ARea?%9?157RoRGnkt0wtqcd)XQg=dwP0pc$zKZ+Blyp7IL9% zLb)7vq1$MTJZ4oZRbH98t}_0WEGV1J(h%N5>4iN@EXyc;jl<nayB+Mi)YCKjhr7@6-0?hUbT4fD_bJ z(3CTp#@#lixcWB9=cWc+)ZTd6fvr;`izU4L-nBrXRI@MM0Dp7xGjTH$uIpde(Hl)S zQn|5wRsqn?@%eDyz_oVQHfV?2qWX4x!wTTQk6grXh{+dMuBZAAI>s3MOJBQ7v?%kV zv%#C&JT~5noiGYYJL>Es4u;VmK z#3ls$1qYCs08rAuIhPDz5e>kc6bZN!2I%`le4lKFRR$q-3E4OLBQC}-?Zkr}{rb7` z{emDGIM}@y$JHX^*VEqIEf#u0;{@zL0Kc^ z(pV%j28F$bu3g&PW6H|2d!Bzyg1)> z2--RpkeSpsH)ABm_{#bC_(X~z6Qb;N?p1kY1~P2JIoVF*P3ZP#y=bP6*Ov9zPvqoybwO8B9saG+|lK**6Ry$DQauDX28rtx$!?;@Y0 zwlx5gM`LKH=-$z;z^JsTiBphD6nJm-q<)}9EK2R!XOw{+kdddiM&kx~lk75lnKS8yZd2075B=&FS3# zo}8w*HH>~hud5D|yO^Rb?z*xE`DgUBvO0KKJRRQWn|)TSO25C#Oc{xuIC`TG;8mUT zc?Z(?1Ur4KY>5~e;XRnzL#xkT#QXPOTyljYfl_T!7c=D1RT6hwy z=Xm*~scY12&7q>=0MTTdT8(AjRGSB3j7^=cOpz|geJZY5!@v*ec!urj`6TFbR zsnFT1{25^(B$C&Lh&)sw|J24EtTRiq`R+Ej`f{t{ivcHPb4m2FRg9$B5~at&dXWCX z`dm)s1~r02aKbw}<)N1Eq?MtA+B})RcG+MC;@hxCM_xsN?TMAuZ9y=HO?cKHX1ffb z23!9yUHVdQ+^f?JK2z4fO+_*;R*LyHb=1IjJ5}%aw#$xO06g2CtIp6(oLm`?DSlUv z&)vOmpVYJ!v1u-@sIZ}rMB%HO;LN)1mT}C3;XViJ#dq z%}6A0iX+Q*Ag4)UX*r%*(tqpGh?_FLVJ`7S!PC0ivIRyfrO6tzh4Vc}m}oic?0`NC zdDmF!zEe`dNVZt)y8EXn0=>FUK4k!vV~T!0Gms0s2ai~b069(^U>cv2wp1fnrd;H` zT-Fi9MQPg?)Hii$?EA0@iprr)TieZ+Rsi){Av99D^a$?im?X%$FJH8q$?o)OxUTp% zGH;-5hi!c9ph@9i-W{Y+gl)PJwfBp!@T1aD@eHf7%lDG`=n`)-+Ej9xYBSZNV=Syz zq!a#3dDZWwm-J14WxDv8%AO6oOEtPdSClT>QbLLkBna~GVwI@qYn#nyWa>|P1w9cb zShF@6Y3K+X)syKcQsEy+Z0KRW1?A{Q%jR)DIlGI!0t*N+Icagq zvdjyVrV7Bylp{sz-X82f+1oPE-mYHU=lIIDZ1Q|!LV`JMfPm=xg+xbZfr5Db1Acom zs2>FQNDB&PlX5mdZK9=JRhCk)RI|B4{5&_>Q23yFFCw&b<;s;snP$)sFr?ADx}<33 z@qU~3gRWQTz#iS?zA?^r$voxEYWoN_fup_MpIL^^HC?op)80I$$V``=`IpB=l=p%6 z5Z!ET5@lg-U4-U1DZvsN(w!MVIi;_>+{sWhE*%m5@Y&SaH(@%=8MrY&jJ1}|8`CsX z@@oJ1)KRJOkBhreQ%T)MSN0CbTw}G;lC5-$Is$l6DJl$y2&lJg?cFXjPF?OtL9p1$ zMRmWApaIwi)kAuP5dGiG+@m#~#Wq^`SZ&N1-mM<8_{b zPfc{2ZD#)4+v@}Hiu#f{meX?!US!h4*Kc8uL;1pv->q?Y8N$8HWm?5$$ry54u6MH2 zdBNhb!S+n6=NG8G#!5J^{t&$mDM@*b3VP8Idr-EiuZ~As`96w~Onf`^V9`y$y!6jM zr7V{x;>xyKBP=?=-V=1oyokUFy@YD!}?vXz^gn@!X*q+h0&YHpU7m*;=KcWQZd1k0!XO3`uu+Z!;s zu&Ts1vI@EqD4C!-6C{RvA0Ll`+TmoJ-x)Qi|A1bky73Uf7MG}aPDn@%c5dh#0sl7? zrS3whGeAAx$Xs@P=4r+9w?n{PU*DNn(l?QN45@67j*p71n_$<|by(Zb{)NUDGj5dJ zt)}973y0GM{U^nY_c30UDL9Ru9MwdhBrNn@RZ!EzFdMXar|iVvBLB6dFyi8x%jJ=a z)(b!WJq_qmY^3?N1inaZ8b76$uH{@th(nlY-PRdLY$-!Uo7t$!?;aaeUvu(sB5a;0 zV1)p}k>jEs`ti{m=6qlwaM#a4eWsJVk%)VUk`%mwc(7QCVu)uCpXTnHY_;=yRYa3I zn4sBIuy#WeHqAD14V#0i-6(nOWnXT)3HC)p4E}Pr@4~g-@RTZXr9}3J-`$6-FPJ=7 z=tLWIuk1?ZacOU`#4Jk{O0DCNqUQMQUn2uA-Bj&=Cx=G-fmq(s>ExJx0u;B6pb)M( zeCkmIT0hL<>!F_&&;e*g3~y*0IeZq{hOQhhiqjL@1ivm{*=y(4W1BJV&`|LCxpb|l zOFf36kl0n-zU-NhSN^p-hTcHKlwRpkk&0$cPMosWO>6(q%Tn2XWj@_1OT4UO9ttP| zwD^;^{4XQj17O*V_WE`gP~)2w`}mA9Hf9LL0S<{=To6);B&iiQIh)+Xh+AUccqyH< z^G+*F?;_KK`Wr&Z<#>zc@%@Et?QAy;wp)MN=?BY!ZBJ5nyVm3~ya$QcARWkiC-1&6 z(TW)3(PPKh2k?%g^_I<^Kn(5oVa<=j>oq58szU+G<;=W){~gHFvBAOYPrj|Mdw^_B zvLRWQC~t3{A$Sm4Xd%K{BgoZFY?6Y0b7VL4W#YNRbf&I(F7mY#R`iQ3JR#8Mv)fh&02k zn)aH_h*yU<*uUlWwYJcG<)l)1=3K(zpDp#muJFGrwN`@6E z0xioVa0MWN>auAzFR(KplsD&+Wz}d_I|EWn8ZH$|Ef==#(bs<7TB-J~Duyp^DUd!b z>5uHY)EW2huFgTEL|ZlJ@r(p%LM=V?`I44}%i#Ik3TJ8#zJod>zjEfDnRfb0xJ94M zF3-B7N@mat+#xj(oSN}vf2}HppuvUn>wf+f;z*enT}_S(zEVb0 z6=w5tWN2(EYZmL2c(gJ8ZlR+g2w&E5DDX!-F|`wLc;KGZ)YJ;x7A^fO3XC7}ar`SG zIoYZagJ*|ryfwn~}$iA`>ia<_fDnOi%L!asQ)5%iQ6^g6t zUfytTbLaJLbYuDE+&mLb4v(=Vva4r@nymPAkQf&lYZkG59AaI5prG@pf9v(^Fd3=d z$ZnZdDA|xE0`X>(xZ)F*Bddkz#of?$P00mO6pz0xH~w&@HSuGM%%L8}P5xjAJOifB z`gQ>WkfGOO;A-duCI~C2lkpR`OpQEo_%j%2XPq|e^_^mOqi53#fet{ptTdBu4<&_; z+~)fuG6+{4ns(r~pb+4}I6>u4p`%(QRH$2q`(*UKO$jx^N(HaLH*Pq$&ajxN0w|Lz2mZa6+NrjHZS5Y4S(i#a2 zYUGe{R_@giU4I*k&E?|oPOCO&7|QED5b*M{*I>$WVuKWL* zOJ!V1PA+!uZ)|DMpph!q&dXr6HK^>B6oBR+Mv0&W-5%7|uAqqx%%IS97Y+`NfYZV% zuyle=Dw9gGV`2^-;;R%y@LMm_w`kVp5r_y8v$R7cR73OX~-lT{zMImL#q zOnILIZMS)Eqw(?M6X{zvEz4Fl9p5tecQx;YX_QROy#rXTdyQYdAj%@!?S|E<^f@{` z9E?;x@N{b9J8^Pqa&(@1P@!-+57HVLfMEz^YpSX6@nPr(eLXbp3!*U$CYTLJpBl;h zn9B)$lC5$yCvj|5yx%$aGQ{NVCB+a{{hgN~i&T6e62HAg_ufi|l?A=jTIyA-h*{I= zbC)=-y5yW!j!Xc-LaUnJ8pK=AojVsA9c_CxJ+eyA>XHmp%kYICag&`5d4UeF+rg5z zjN<7JMN~PZs3kWreGYzx?i5jElmKQ3Twl@FsjTj3M%u15@0OO~uo&-{w_cqU&2Hrh z37;mSN<9|3EeD0&rl0XNOFvrwi|Yaxo4Va2a9;QP?3M9WzUK`v@mkr-_qOzAb0H~3 ztxV*yi4R+zi;59(eJLa?TbYtb#3{S=3TA#jjv+DIai*efkn^5Tvu;G`kcTP2q zN#p`#n_s4<{%lgu>?$m?`rOEwk7;Z_MjY=$rS1CQdTfAfEunYswKnA*nP$T3_x$8q zWEIUB*^Nu3Z6v?Ocut}q8z&JkQ`xk(nIrMjlC2zT4IY_>v$+GVR&i7)ciG~^43flb zIt0xp!uMEwV#*SXf&fM7bh^BDSm>Fqb2XFWYZsEu}<0#sEPEmpLMV z9jg8`JS=PqnTO`AYi?E*Hfs_Igw83sL9kNe;luX=gatKZ-sm7BqiBHNGxZgCA$zo02&{oiE~)miN^!S1ev}a+lCS=d+d5 zb9q8!bjw+3K*p0k5{TRw&geGz4a#1<Ab5P0YwfOqAbV_JOXd5(shxaTF-_TpD`uXOb)iJW5GtG`>w^-S}V_b3OGbMoX zjQs`MaaJ-+tm-qsHE~#8^O~+zGRAAioXK1o+=rB~<%SqV)FDQH0b)xcs+$`(xwv$b z_;|8YUTgEqoMxo`9(P6cYx`%A%p$$wzX{xVdu}>AA;?e$)X{#sl!J3l$dsU0@~)=Rc+q;fIzfm<>Qq1s)RO53T!LPi_y^^6&XMCo6YM z)Ml(>UI?hzq4{+1=ghCq`82)etf@Bs_caa%Wj9mcKUo5-$RPsTkWu)-=e+gz&~VZE z-;v*%zxXu=9GUZuT9S3Q2KlX=;xApRmS-q(kLHm#?CDp}9O-$pO-9F1@JqOsLAh_H z^#K-*~@{nI*}7Q3Wx?`K{@GR~L=Z z{;gSNr7zc)p1pp1_>Z&q_bcAJA-8Au5tie}Z)#**=YMju;H4%<0_k9-WhN=@rasTN z+o^~C&^U7Q#PghEVTUhq%Kfo>XHT8{UN3Kdr?(2{PyG>mfJQ{QE`HUa&P!ide(Trl zLF?@SfErv+^x!eJ@Y3Z z){PM;EQ0{%*Y_9rUUuXu?g!39gzcZ-CeVGNn|{b5u`&L9@5r3Ks6W}eF-qLM%&7|+ z&+{8T-n1X{cLt3i!hEq^l)>#xHh0f}n=bhKg|u#68>wesh?R-?+p;72+o(_YWaX9! zVY32H&$6QRkg;hs`!}L?wrcZZ=gq>0Th4i}=jSWhU(wm8%0nJf$Xv4xs_NZCu90#} zcby+=5Lgv%(!(guXk@ARC~i}_A;$M;ZPnS7 z{i=nB?U-TQ37eoV$D_ul+Zehf^o9kTqAPivo;WXsKv#P!I{sk5{yX7@lqds)uwdxu zPg5{|D70jHs<(01{Adp+4)h>;6jS-SLwoPfW_>;>4-u12*savd2W_a3>LBxkUwxwGpTGM{VIpltaGygJz z*dv!#aC(8U83k26FjWor``?5<$d|+ZvUB7)27&($9`OG^`G0bS9xKK|RNce1eF3-s zQU(jRKVVHNsOt`V@xlRp<)5eIf?LdY(Lhv}trwyr$da1`4oC=sGG={Klb8$)j7Z`+ z|2a5T!MxxxrgK}lY5O>sY(mF?HX{x};rx8GaEg#V^j25jaBy&_8AtS)K=m#yCB+_X zAxC)I_z3b~6_C&rU*bA{zTQOW3Lcg%LugFOeJwT-4tn(&YR6d8*xD z1-dMxjf|keV^qh~|Je^L2ZI9*T$;oN8f4^5kPR<=r)J=lKCd%Mo z%YBfCL`Dr7Ms)(vx1G|VkYNFprrt}g&}n4y!8Y@cSoDDW5jS zF?Z(7nI=Rq=Eq|lNp{j3@9`s6FXrv7l^xUifIAj11)e4-^a(tr{|_V0}6{5 zXbE7R@us}IWp~bl|9BUMmbOGiiVO^DHck<BlL^8Jmi|gKuNvQ31o4BKJQqRN0pNhQVMy!*tQuJ3Fx@X!oR) zm-qD~b{_hLWPz93M?=AWS_URGr0|?Wzm9%d8j{7nL>hX3Imd|v$_BGLhN&YA$)x;5zSiX8baQAm60yT+zEd2zOVCvy`tZ6exa{z@fy$7fqase zg6M!YHju_mY-)Zv9XEJ;WxTPVH z9;t@V{NnPO5t&RYCUm=(L?SMRglE=;}kVFIrhdrH^!g$@2MT$fg7`Lx=lCG5iT=Wrl#h>{ zNzBOw-li}5JR?(yF0zZb!?8{0JdU5CrNTeXl;F&e895(LOxy7dC-T{!Fq(@UuMm}8|ysB&3VHXSX{VwlWq22^F1DW*Li4*Ad6r#4tlklZ% zzPlfXZ~HYHI86D!42obm-d{B=LW2%Sb3@9VYg&nc6oGI&#;K4x9miYdDiQT$!+#|s z4-?93Mk{S{pdAkGcN%5Cnt9{Y?SPTGLx;E&aJQDbGwr<0jZ;-d--Z(M^}%Gnvp-bp z-JNYoFC=S!WggGvY%BXAz2<{^Z|$BMWQ94ltMYou2)G-o6f&uiTE=#r>heyaoHI;Jmjqg^a2db04nW&IX!i@)0(_*5)-@ls8$wAohu zQMiNm=~ugq&uW*QvU(4bY2EW~Ha@tU9Q^IAUqMfVTUE6{O3P47p!kHXP(;(l;QOle zKRwsSytx#1`JTTh6GwLK7r(HUaJ}jY`D$}xqcY)`yTqDkXWbIvH-hPFNz~-fG@v5o zjv-;)2h;cSnaq|AQq62Jnb&lSFz&dS^UHhLUWFyUI_^02+JkqFvQ$i%f(UspgUTq2 zxtiZu{zCW)Mc`vL)pwHh+esvg)2->l>}`xJvR$gO<@Rc@!dawq+9u4ig3vDvB`cEq z-m3Mp31QeN9*v-jGo-s@gM;$;TMdk(Nh?l(%JqLW_!{(0B+e2Z#ZD>Bod zp~M(vXx(D28{l?(`Ile_-*O~2N69D-|Ggl|?8p&sDcSY`eN`o%)s->e!pvK#E5j+d zcV70T@6O1pQYWKdZX<+@>_-`{{ee}OC>wF)zhFtQz;&kBseX5KtsM}b+j{?rl{;OG zJS`VmMt(12hq~{{D;a#ph$namV}4|y+j(cV{g<*}{(X7IH!AmNyh%H%8j}su(?e{a zznoB4t=)BldvBE!x-v9HskF@Sv$<7?Ph>Bm894_c-Vi~Fp3a*uOOAV;=bD8mSA~@K znB3d7&yWND21C%Vp{lg$;ICQ=(#pzJjfj6KAWJ-Rr08K`%SLX!pOqS3A~2v=!~fGW zu?c0Wz9yc&D)jPVj=|X(i*l|~(Y7W^e|*;5uj2gT`NkMdfJONcP_aCyzfKvC3x_V0 zka+|qiUJ-q2se_JI*@-VsSQU*nKSoHU=BAG|g-kl~f8%!> zp1}LwtA`27p-D6OZo?PaAAZa!zB(hrE23;ZEY9)GkdywR(B3aVLscw-&r$Xe0QNA- zGdndk^&NQ?a+uBX;$^u=bm}EE^JpwtPhtwV1Z2axcNR4nUpq$uuKbgcz%Gv7Dcbc)QO4!=j!A@V4 z>b~WhqUtjt`_7EvZjjFYs`#AO-A8%LLgTls$;OisG$i?52Ob*v-759vWt6PAh15Nk z)!4Ub3c2fe!=uQAZI$>T4p`XE_eC!#1Qzeqw!%Y3t@nLdK7!VzphWxUI~sbdF3C+} z;>XT*M?BgOr?~A&Fgf)IkekUU$f}+m|L_j0G_!*}Hn>`QuB__%xNwA+*6D-_9|H&D zu%n8RV;!YhX77`234YFf_b5*;?G!$;5Xcg4wb{%TC&h}(8-aA=%_}c#xf7`Va_b2Y z>JwEbK*S|>=yOBKTjw4b+nWBdL*IXCsOznFfF6P@jS+H(C0xgy(}X#!&Sw|q7u<1Kc3e>rIaCQUjw z{(hl<47#Q8t1!8&gjcI^Ys)d~xjsL+@$BXU(-@3f`cx^`l~ObNv?A9WpYM}Twj9R! z9M0-ApR+VfxD|p0`BtQwe9Th3&c@_5JS?i?4Eo-k2-vJoZ@p(Y;$+;7&tjZ6H`{?2 zNB)n_1eQdjz?SzF0n#U^XWku|Vr@;)A2Cl{Gce5JlX|8yW}#3guz^RmZ<^dosq&@p z*$;fWRyzW8D|$9+(s|Cgh9zlkBkcrXjgTM@xm*g1=5A; zK>;UgCj}Yk_pjyt*?XV0ayupI6=gc$u?EH++w-` z8>r`Yhhod>Xq#@ISMs-ekha)+mMif;-*93o)bdU^4?_S#RraPil(y*ru<@ifGoo^AF+)jQf4Njy=QzLBB2*I_lMF;GJ zua9$iuT&vet9?Gi99m(VG)Lxjr zT2H?qXB4$ItB6ar9bTEBj5Bt-W&3WO=OK;N<-5;C^+{Qrc0v35U28iyT$VvD7uvME zjFtQ>e*;5)6;Y5-F-#M_Gf@20$3AF~wUQ&so}O<-Z?k>V=L|Z1IzeAJX*jTM;?u1| zpp|4?yPTFdT;urF6QH?lgC~^vM+AhpI8zVPi`EGFQ7)Xv;sXImGut2B;Y#n9@5O9K zcYDxt^lOfgj>GC3{l)c4bJsBe#ymvtc`AeuEXl`tl=i=P@ghzm$d9lBQ68@t^t$Qa z=M%lYAh9l1?nkIJXxI-*wvSQWyJYbM9N+fj@hQHRIlh7oCPHYPeR)gP1a5_+!AeB| z{rU(mwSj7qj_8jI@;Sa2<`hSZE(EIU3w-iVOc2=$iIDWK{nDhhBJ0$v-2;WK=gXKnZKFgPn#<)3MylZQ5 z&Gf9cECGA!mdwKzVXX{K7+VuhahvSVM`6<=HcvDPPcBRhP`b%r?NZbOmjnjrd7JB{ zRSyh2=U5l|xZe-k*mt+m_29U$irbr7?xcRx;S%EfL%f*>*Jy`epQ3GmHR!U((1o1g ziN)kDF8d-Y~{?7PNY|D)p_|9ih4^!nImRBKv z>C_+VaH-F9ptT;kiYQimaV7D^wZB>}mV{|%sfU;bpEjc{|F$k!EJohOjSU4WPg4Ll zy4gH@y}z&2^T70`mt)JckN>1Dy>Q@OEQQ5^|7JRl-skUFs{7`mj&1Ol+?Q1&yh5wD zl~k3D$Zat!4|a%AZsB`H9`On6>ND z*V7(GP3vn)PRGl;h!1$%schM@EhaR1q4dhRIUqt}xqKSNqNVOYKEhOGytaz*WK*hZ0eB?O5| zxJqJQA;W2)`~|@a>?bG{6p9w}rtF`5z|Fa>#C6BSe}w*CsH&-%Scffly+dDQ_r*X! z;49c}h%1JW!%-^s_&ypE6yO@&CapEa|1b+gbUH|n8~2xb^l2xlSfL@zvbh#<%9-9d zhAR#TsYb#UY=>}|Ux`orl%+#JwO*|oQ;dV(}bbVxHerdcYDAC{AtTxk7m^FC<_VU~x90-l-|! zl@*ha+rbbY%lNFX_l8d8+pkX8 z+KbY@7A)m7{Oipn#?)IK4Z2!*#5uF~co1w!JoxQ`e}cS5&hnXzXYrS=SPy`QW=8c| zHTt`6;>3GxP?e%U7(Efb^Nl}|Vm3wXs=W*ghM26NOPB6sES1didPnPLqCVCGWA2z0>ODxq%IXuMrL>T8+nBj-&X`qfN3MuyvWEzTgtrg z*!GM+vF#Oa+CPq>*g3O+u9-7=K4$dhm|>DHS+zP|0Ro(_m<1EZ9wA35tBQ_0udM`) zy4J_Wfj@UHO8iwkv*Hvktthaml#Z@SPiGOOvRM51a7IKIzJU>H<+=Y6U6IU7bu{nXK8cXv(2RSvx@3#ZM5LeXwOgs;X0HI*2D2rC5h?1Hattlz@1VgdjTH0x|VD^WMc?3lwe2Zp;-OQ zEK9R;g8Bfb=oq%)C?lx!NcB0h5b(7T&l4}sFFb6_2-_^LLg#dv@Q(_(wrMxckJ=4% zSB*kyReeq2SElBmnay=d<054DE)Y&*Tc;&9u#2Hr8g!9J z1JMNS8ylris{JZ|;Q*21@=_MHxdRyZ23wOYldf^^B@o0^>^W%pNmOv;0`r=lhDCv@3J=y*IO;^YJzq zHMM8fRDYC5&{&w^r7jOcfqpP}9-Zd^B57_wpThQJ3+G}c2)0Z-?P<^Yl zldIjy7)te(49<>mS=8);M;4fd?BDYZP&q2HM`hldukX`p)%U-+&rvl}d7g!D7qVg5 z)?nQ$ZC@PMM$pSH&8M+S&aZZDW*5Y7rNFh(t2dG)50(UJ+pq0rYvmvk4<@Z{3EXYJ zD?ZqdAI^%{2Xja?2z~ml)R%iOYR~bKV5{caUf#W+gE9lxp_(%Gp~+ElAaS z9sfDyBErzys7S5W1$EuqbH6H^qwCF>qF7H+n?^)T*J^fUW!>X+j*baUaIH&}a}pJQ zBP(G%*tz(<;Crg2#VH<;v{`3i5%%LYe1tSaMXL#w_~BqSDm6-IiNK< z3H~&@Xh=!};#qCw56su6+9HBax@-HbY-2m7`=|4P`P$+OsJ^u`^rs6wBIX1t+jLvmRpkT|-{FYZ(pW5SbuOKz-4 zUje8_-JU5^6D{Dhda);|l|XXNX+iiYX^%EWem5PE@)7`au)nUb#OI?`i`5h^9m^mm zVV&IvG_M#}dMjS!HDtpy1)HUVz?8Kffg&`9J^7 z<7d9Erh8feIIf~%-QX_J$(;a%%zFBC50poepZrJI1zc&Ro&%ayGj$>|($Zdj2Vqvt z&zmGad7*LzC+XV%p)bK^tMDtFkrZboI(kpr!d9fn5_{3fDcz|h(Z(Y*I5_xDJ#;{K zygGCL<;r;;`Cb3r!*ZJH48`JzRu6W6?jY$_v;2A<`K&aZ*j|`2JR08x2%{Gl(>FyC zuw1`iJd?Nlge33?XTf^DwE0E&!BiFTQ+>VFa7YmG_LJAO$iDJhUjzIiUSyyzz{7+majeR2BA zPijU;=AM)|{o^jJJdma`iF3wGD@Q&ZeF5K*gywoSMUWq>p)34NAZ6=cR9WMN(-6Q$sl%m-PkVz7t&;)=4;6?glwht~NoG+$>dSAH5&4vOJ7+eXlt z`@$Kz8(p{h1|znW?zH9AqbQ3=6NXre`VC98?Pn9Pmr#9hiyun^f4G-(>D9s^*%JDv z@4+GwK2c`v;~1z3TzMG^u|H;#*OP`g+{nXSIj{3Ea{3ZDf}JAC2l&-qr#eBfmv%a(92pi#Cp6^X6v?8n2KAu?{3 zXf~#QLB3m8v*W4RV-#j8=4LP?fpCYe_>kMGp?HJBsqreJ$*=!J-oKhZBOEjRdh&ut zu&Ny_v(E^x=GG`SFiP(m#WRz%UO`%P)^j)=Z0obp7rtY$CyDT656ek?nNlaJk%Xu5 zMB&x5^RrLmgA@_#3l$P@>Wpeox6VaCs_N-N?Lmf}#p@)qmxi>Rn%Pi=2v0b6ur*Wt z1l8ydnBCHV)P{1>Hy!6{Bc-dsqd#iRK#&FIJC*&h`yYinC^ypG)%jtbO z2>uX|Y;C?FWRJp`C8LgPBhUYRk{EoKxw-E#Sw^~I)HkPZzGTO(#%(QveVX_j_U|`J)l^r< zjbgmL7fjFNPUrdL`-R-7%z(Ut&?#2dzQ(6tZ!xSgm0GMBNy*ZUf*UQK)yUmBOQ|~k0&|`&v9OUKen;EfJ*ZF%Qy32cZr@oq?!Zom&R)s3D+NYAAvUv`F(i*ML08Hn`Fdsx%jDOd<7wgUZj@{Wr2aZpYf_GV1`kpbI z)QuW9x5rTP@pacP-|1p?X6}`ul@L0JSgzV(VsytCVuQ%3L*${RG(Q?&@S(q3k<<59 zO8bYhF}M%%&Br!dKFTT!6=}39==S?7XtApjXYHC;Zh36d<>54(JtW)nUIy*1el>`B zFE5KBGP)l;3rHB?+fNjcDsi$vSZ{BBt(3|2VM%XJB;%#NHES7bc}&piI|kF0#!L_)hrFF%(j$2CI`;vMDX2l@&%_M&swoFTx&pjK;dM37 zAnIfZ(meage*aX~_WZ0OPh5cyb#BZCR2Zllk@{a!`svE&pokGsFw2*?tpI|=@2Ao` z_e#KD3OX5npqbKEyc&MZkdT6ps{RkqVZ(V-O3YDmokv)Zu0i@c$PJLcj$yuJ?--p;dr71dB)*XSfP{ z^A{OLhxM0qq?hW>8|FOU+eMOua`4FxCjdCSc##EgPFJ9EzM!XPdh+DWylRdcV3Bp8 zYZ^e!1mgY!2ei?o+$WL}(|WqPT|iOR2?RgRTDz?G{78MA)Ywpheg(NsND=JG&&ml} zocn_i*#VXpDxH~7AhGYAsZje+JFLME0TU9x*ypVT!--1K(|$#i^Jk8NYPSN#hXkPw z+gdsWtyLkP^o0;3KUL8T3i|seW%YZv96Wx!2NMeI-;lG)2H)laZgoCGD@#8~lMsnC zKO*>fei!#y3EQsJ;G(Nyr1rN@-2CiWf!k#MtRnYIMv_n^W-M|l>D&k zC+{I@?`HZ(l}SFJ=dxR!6#zU5;C6&;1`wP!@`g3bBMN~-cLm%MvimJMoIjVh|LS-@}NrdZV zrKMW|*|IOu2sn-G>mv~c2H?T*O`sv5pu(`(&3yY>fi5lrYYLtibQg6%ThRej!D~52(;y!uS#RUUjde<+Mj3j_w=vp@K~u-ED=c!wXdL?6 z__)Pz04z-;V0%*P#Y3&{Y~nq-Ab!m2WGJU2>1k4u9V0H=W>`eUy%lioxwqDDM&!I5 zAuaO{2@bAA5Js)720$-zx`s<(hTDfOHQGsjE?a|-qy!`;qQ|_Fd$HQk&;cO!dv(qkftxZi4CgEx03Zr;2ZaqHJs*);?>$gt`;&Ay+nx&Fj;cD|Ku z{b1PzpYN?gdpqzI!7XYgu$s%$XHYS3xaG7&MYYcv`bl}94yslb`Z&O0#Del$pG|C1 zQa+JcZ8cmM5$#|hUWq2>#i@A2A@T!j@!8>M&s`SWtd5o~I!S7thgFpD($~?En8rAK zA6|-V9lTB^@QG_4LLqc*p#jer8SSSZOVwN)$1A32~6EeO-7Pw6%w@ zXyclf=)1}0BQGw-srhD0B99>>E6eSo9{JzzRn>p3UKARA4L||H z@krmeZLi=T)A0Pom*4%O`~2`JKsLg!TVdBl`X6WjzYwbZKvM8)xGodM2jHOOl}t+v z(o?8eE<_}Gco}wclU6;vpA-tX2G_!|Kt#|9tsr>d3VJ91MK!*uZe^;PJGCt?T~t8) z-_d@^o&&XhYUx0Tm1pJ5Jw%HjLXs3biz3WH-_ksA`- zkq2S2^E%aX1lru;0M{)#55Bz>r-`jVwgI_YN4jpb!wXWs%CeY7;Cx!>cqaeA`ms0DL4gPXWajw70b8N%U2S?%H+Le+ra> z4`@F+Je&!{(_6Q0MG$?yOsWkuP5Rjf1qPamkYfn(eI<&0(3TmcwOR(eHh}$t21rR1 zFzy+X^K1xcvb;z48)TgkkYpfhA`RZXokIEbr`|wB&E-v5*)dc*$oB-cnkAg`L_*sQ zh=}=Gz&If$z?fDBgii3(ff4m+H5HfE-|rKULjeaizd&9|{-?Y6U2MI8^7#8V|9px4 ziPHb^%m1!@dv+QUYcev@F)*pFPD_b2Wv;h?f;qf5qhN%`K3h+)_3_aPKdRbXMa4*$ z@!KP~)F;FDApiH8s%%kTymiYqzX|ogxqK!HclGOQWdL;8hnhN7Y~42NQ&MQ0q8(wV z*F57!zGt&@s(z>`P#~8vz6OE z2^qC>s+8cIyqfWtN4v&s|E3WAT)NmX3KG^2-*N$)iBPgm_)dXF_NnDnwVu|1-r4!F zl&IbaSroz|YzsXy_G`*y>l9ISKbNKJjahtGc`1!t}KdkGnkwReveZeyO6K$!SDrp#UJng%qn` z2SFX?yXJk1AiCjIwNwYX7v^@nQD2CEutWIPEIiNa(os2s7U~vUYGr?PLwAy?MqATp1%0@enPuDv1)AoHnk(?RES|R?Km40&m-8peb(A$)XJm~w;bTNfZ+vt%cQ@69bsEQr(O zvN`kkmI(RTPno~2%-nUY>m43(9N}<^nDYPv3m=X;q1tn$3Jwh*c>6UvU*9EC3a0=5 zR$gvn9##b1_Zo9w6d}!2 z<{R`GC$)9Q4sz(~oH+5|XFNL;;cXNX!}wQ8BJH_A zF=KXXoY*62OQTIRC%NuwED`C(mynD-lrWTEwa~j!>i|#dzh3p*jooEVIZ#6IAj&U9 zD_qPu^3?A`?VNQtoyL^-9MVL8Ugl!2E+LOGMrGUt1S{>z8H&qdT@LZL>GR>_{I z_q*c%7g1JerTPUQT_etQe37-o-GrtNtN|T!ib+bEY}EOu4qKjzzdYRhD{=D?S~%G{Y=wk`Us~wt)$&xx5OW=h3iJG8R5ew{a_jZWqSrj>q14oiynbzUM ztwU8cOQRwh({I8v#rbw_sLE+%#f9tHlFVp_rCo26)>uywZ3VE5 z{wr1Y+ZE+nn06Y6buCLxWzB-^m*)moVg`G%t)i$gNBG1JFH|Xe-dbh$^aL({_Fl(b zEv~|)VuSodxSESCyO4uZHJk4*Ws!bAC=)}&*9bc=Yz-MAk(_~*DSwFCVM6V@+Z%z|+T_NKvUB0b*tD@YbY2^;YJW0N zQ#22SpjCrRfW@y`Qb(H&)0B!%rl2AWc7M~Lj?b& z0noh3>J66}ft~} zI8o}C=KqM9C2oc{xHeO+uqQPw?fB$%&5-3XoAcN|FqJdsh%G?3A9wi5`+TZRl|R$g zUj69N_Mzh$dI|0H{FrML4JSCLuP!gMeH~OO*FC5PPxp7}&U_aW#MH88SfVxX zrzIwWg#BQs5DBMo30iQWMhpc7Sp3RJq3Ht~$NbL))b@K_Y||0C?KL5Je6xyFoD7+x&k4% zKtMF$f3m(B?&IfAtE@aBXNTD`2!SQx@-0W1 z`LM9CZMHPE{dF_N3|QcY4<1|sH$*S-L>3Szm~z=nRnnf=)GfRByHG0wSXCx?NMm3; z`pYf>2L_Ul3tX7YDy0@yHV)O^NAd>3CvJE}kX6y7$=99hlE>Yqel~4G$-Rf7tgItQtJU0Im+96acyE<8r>}SF0{cpU?<}#iW_1a7 zw7p{wD3c7QW;hEmY+*PrMYhZLU%$2o2d^D@&(S#r;f^G-By8I+cba`Gw9nQX6VoA8 z8Tj?Vfj#^7<&HGQid^vrxwZ{i8rf7cmks@e7Q+QxX3apiZFO+@JwDNF$HtiP2L}=# zOD3EMFjV)OEE^P-Jb2{Dr6Q*$Loj|Sn0}Wq3b^bXkb65C%ef`73)tV~FUax4?N@{T zrGH*!JkYKq_>KXXj)>;*nwHRN5*=cokR?02D$b0%qi6$ZC_GmM{jrDsSYYfvXF?>kg+Sju zg8#uJ9d5u>{vokByE6B*SmG2U8ZYeY*FL*3ZFXkM;XK|guJ|3RMIUB!`EHM7@*Sz0 z$>y$sHwTHUq&AMYnJnZ7Jo*T#q@_GYWhP%2@zrjQ9X@Q;OqS~sW9Y{)uqIEP`yIn- zmFS4bo6e>NhTdwppo0#M+$(1})~wF#Oz@{>L8b>rewy1<_*}YtnQ^584?VCj^1YFm z8JNH*fdA-m65A zk9#7RR&eFKs4ZJ~2>)U`cm{v*VNfhUNP+sJb925zE1Yo2EX&K*B1q3H;xHVyZB&DB zWM}pOMD!Q;8&%b9-?FWwb4KS^JAvWg&2AI(dHD5}6E{p+5@zTBN=tJXzn?~{c%X~H zblo1wc2l1k8AEB2!-SSTn!M{|3Cc_7ylnT$IRe*wsAb!!{pMb zf+C$$yE~8M-FdA}h>aHs_1M94^31fI-jCCod3Nf-iIr>Z7p3q$-+(znsBET$&LV0v zjWWsv5wy}xoy!-ze_s5K#QV9zcaRcBDRZb^{c1%~nHKY)Jf1`v(7m?&yY3M;%UkQa z7v`_~`yGE=tRSUZBXlIIceSl_d(K>M758ZI0cBm>o?W|Ab2x0jh2i9#MJsbxS@*Z- zk2fkONoSfQ7d67Ll}kSW1j!H7yc-&!z18JrgM^u2pT}#<WZW?J9?W zu!6^>^9Pps=6*@(59Dsmpav`F3mPv0?i85GVY+?dUu~8jFEoQhQGU%LX>qxYt3WSh z4_wNBBXUffDp%!0d7PufRfrPd;z;g>pR){+e!`O}=l($_oZP)@&sSLmrnk`_v5X2s z=ayqc86LuMG$wBr+g3+Q{!Ki9;Bdj)S!cli?UeW02V1~V#XjKH4Y;ub<|^<=i|oyF z5&!rTH}|JIukqC_^cYcPDD5`MEpU0?qlrDE zle52%)1I!>`O&%s14R@IOGL0t0&Ff6R&Y0W&c#`k?+buR)zhtK5s>ILR; zna{fdlQc*09h?75uo1qg7FN2=G-|a?K=U{GY+3cQ$B7%Poj5QU{HzWjQc67fvxwq? zbfoRlrT9ld(B<}~sIl~R+*Tk6L5K-DjhH!CJ5xf7<5Zmu&kbG|5FDgULKlvg(2w{? z=@hWOk^ffbW@je1jk-d$89BAD~HBR`5utzk=? zQe*hsooQz33CF$9Wjt(vU6VIh<0A|A(b;Q*lh@-mI9C~Y+UZx6gK4_C?ML1LIzyq5 zJInGMpFHZdb7rn`@kR#R`6hZuHuZ;?Bmeoo^YZ@&bI31&MBo@PY|}sEu#q2RexzcB zI9Jk~g~)_|TXfFrO&H;Cj)Ue6<} z3iTv=b*OeC>~k0QM+1|BaPI5Zr+a#O>S$1qbdEJv_)qb{*x8J+F&APBRCB%jP;UcJ z`ue5ZePUu$lemeyd@!QBHPyr7gx!+%4ixU5UZSi2q)$NBMa+~NW-g+y{e3W=`^^_+ zSif4^siN7|6J?;_$&k)1@g)1(O_=w}->vg8A=5Fweh<1PaM^1JnCE7lw4~&DI8~Hn z^uknQYhq{dT(wxNYM+)CkFXZPpzz^?v|Q6H6XD}dOHTg%thRO|g+l2WS?7!JSH8J& zrCmWHJ2tP(i$|}m+G$G4>=R= z)z_$SGC-S8n(b9lxZvKQk-toq|IObgNA#iMs2j0=kd+NgqcIEDyV)fK4xXYK11imoMVgQf$d|wutjvJvl?sk(l-uXE`1JPoC(=BZhi?C3PVY9U9oEUpm9C-E zI3-&ZONtCj`$W|%(a{Aqmd`UfM$+7dhNMtx3v=?r=8Ml}2-K9u);2eRfdS0G_^hGC zMdlG+wl*cyp6>Is@(f!Uk- z5uunH^Z7t8_*9a?nc9{huYmV!5-PIj(PHM#iJd)ANI$_0@5$}|GVjKXN_F>WCDL0x z|CT%mJ8aWrvVJ=HezR`A|KWhD0@2^7dTDo;WYnJEL1c-}k0sYy&)@Z%%x;aeiC76D zhuHfkGJH)*NB;3Ug;N$7ee@^VVwZx0m+$V_bnFyhc$}Kz(tz;fIPvMG@7zU7C~k-) z#@&iYY<##?$)SBa|30nPf0x;ArFZLkR4jB6cbKa^WP2{Z8+%{Em~C!R%S`?>rp6o} zP@GM(uK(~M6Dsh4y?J*3{{13xS|y@+Z|*;6KPQZ$ z{bK%k*GV&8lt;$+)U?iFdDJ@(`*22X)o0e$${hIoh{=FI-4%bb54nO12?WZb=b_aJoKtlzZV%kQ|$`x4Iq%myk{ z_&T2+G%{tv(~P7b#v*8 zGzyW0OD&bJ_KMjytOjJnEZ4ZwSW`gs87_~Z7dbNso&A3dS=vWT!OpvleS0BuEXLKE z?y`bG*OzDH*VJ;6{T^t+QpY%AY60ojzHmO?g-3T83>(L#ZVatNX^$9Gd~`m9SotK^1hwN|ePOqI>jJOZ3^B($rUOxL#Q;ckRTk_wl0Z*Ho5Di=sX& zx&fRYd3h~;PipDvIi9t^*XQ_YvBj`8fl(Fty#a~U>u|=*%gS&Pev#z^tS9(uMY#AtAG)4yAPUVbbs^_ zKkAe94b;*zxRv>tlDxko^4B6f_VrZtbeE6}P1+u~lV*RwP2^$EkWK@`fj51o2JsyH z0A)Cx7=EzCgIVN6)e)Zg&{!8hYQCmWb21|Fct-Cr%v2&SRWklyo99|%P1pOJG}4!# z&v_}mesR;o<3W?@i<$#~Og{bkY6K&paSiQmRXdWYx&B$uF`N7T9!Dq2XD38NBOTQ> zg3okUv#BXevy7a3X6p6ohrd-O?fhqvZqm{Jq&4JA;!d~1xIEL!ncSJBd)jN3=?_KXwY7YHfcf^frIM{hIXz9aXF$)MGxG+MyJwG( z99W{RbaT(4A;%517Fm4}E1{QfikuKaSEIIIaaGyGXA4GXPH@~|j-@5g3u%O)ASi!I@W6u|6w{^DA&Bkaf*~vUn zFLo^$j>oCqwAG`8fHS;h+$;9F%r54N?(phDf#r=GS!do8EZH+?T&hB1e5#l#C5>fL zQI55;yAoamrXO)!z<=-?4%K1@*l>w!MmOAdjEL!(O%3^A;YaZMF3?Lp=Fz@eS#U}^ z%bQDmMLlKF1`0j?H?3?wb$(@h<%%$6T;J_GdtiG>uRi9iAQ%^o zd|^1(h|w7iL65FbFg3oSlg~U`RNha)QInQFYAJW3vJ>n@cmZNzUURm0u4jfg`&cr; zOURhL-Z?iK#7Oj~)aM_})O~8By|9$Y>Bske?AC}+VPmVWa_pQtiJ(D?xm=iynW#E| zuH1~C_9zcc&P!5h9EuzI@qy*VkuVLcy#3mhbKME?FY=N-k4&GB)GH%R&4KzOOivqLT%+&lSW_EuN|&{#Tb}*EGW6;bB(m~0_s_k# zx;fH-M0Ft0+Xlvx#byUDjyR;s9DZF@x&BONze9WLXT@h;TxKydW8~rA^fXf2HMPV< zLk}AUqGxQVzU6(yY0-S4-_g5O=*=8SB8a1ewC1?;M%%nDU;;QB6j4Zcl8d?)G+SuTW9?2xuyb<0Gk3yU#vb?%=hrp#jz+E2YrweLCjW&Nb!cje z^xP}lx21HgxhLxSC5t=DvR8qaY3q;8us)3R`#_%ffVC_r4pe)T_;QLZx!cbl)Lm$F zyjsv;*a081PExNfjIsUamG_-~>SS~mtSY0WCZpkDVW6G;b#F4_Mxti8+xR^I+K}-R;s5=81d3fd_S>uP-(S}=a_lF=De@b65n#fv^Sge%5Qe8Cyl4nx zTVYXAM9cU7qt6F_LP_CTub#gnBTKlIFha*UcEih9sI(DVhK7ck<^QkCy!`!3<2g%^ zeKG_pHW?Y2mo~x%3IM64lkgqOOLGxeAijeHQL}v0!Ty&v-#_8^FJ1>J0ki}TO=~Ud z>({HOqql3pCt@-B%m69p9;gBvAk<-v{!efE81K)9CitVl!j5WekjCsM2>>4Y|3AcgUyc7wogmll zfpOH=hU>;7)u#;f^df=W&UdW!59ips`wzkJ;6=r~kk18}n#vdlP(K6=#S+#LAQoN= z!%AEKN1R%g`~T_Y;2Q1!P42+Qys7iu=zd=(_);eMvq$A-V{d6tjh-0HtY?Y0mp0Ee zHZ~A|Cj?~(&4WP5M4*4z)BmWT})?0|6Bk1bNR|rXA7?*%s8la zXy1F&R|B`eau#S0UBvT%55a($6DWOD<}}i@H{O?&1I?_^dm5+ge-6(^SaRw;S4-=L zk6ddLK2})+7&!T*xzHL10zz8>1r8QprAJbRb`8ewmJg)#y^rIJkNFL?9cQ3-F{NCg*$Cc?0az~5o3hH>_rH3IqM*j-qf!p}r8wTjgkgXA1^4{>~aBH(`?C zeQW(S52E5~f+LIU5Qix4x1X@rn~k48Yi1!>xhjGoJG*V zP`rO838Wr`oB*JI@}oJ4HmH>NWAu)c^!d6N(KQf$7idH6y*m!17M*m_&Urq14vgu7 zQm=p#sFb()S>MS!m5%=u=C>ou^ES8w55^R9W0QgAiZ+x zWff`CK-h!8!`9vK$ktm&4Lxsn_gt|GU=16^?6a95Gig(c7He3~0=P)}nitG7P_696 zB0xLkfjqOH%vP+4fhx<=8-O>%s(2QFRFFW(4ks=JZ?CMbxmMHvG8lHe(OpG^yS#n{ zI><9?g)Gih0dq!-Bvfxc!IpZivNV1`t14L3ot#0|#)dD)UN1G$1nVVrRN2^C@j~Jn zd^H4li-YVrDkiJ5bh+5ZE~M<@{{U&xly#R2a)*VfbW>hpz~3C+$&@z#h{qWjw165} zGhb;%9o(Lfv*_~j@+??D3vI|u_MW?^4m4Rj@@Rm-9xbuIdiAA^Ui9}&3341`i5`y&w;@;K48Jxg_|m@C_Hmmc~lz zbZfYFicdD{S`vDG{W~f6N}Qz5-w4XD?l_z+K=@@t0ntrhx9dehVkHbDdJ%vTo(8xK zLia;knS!cI1OrHAVCDLJy$6EHyhz{pk3yyikS4*7oX2sjDYY1+5~+6m_r|eo&rFa{ zAv?i0oY`7OzOuLMpJKinX?Lji_;jC2X5J3;^8~Lh4_s=57WP%ilc5H+ z!2a%7taKK2I3YhG9_PFG_ehIz{NINmUK1Qr=Xn|Rlkydr02uD5%424D>C&soN$(nj z$5V}%y8qU|VPwfblV0Dq@eR_#zEIa?HD5Q!6g=e)8&~1nAPVS-XOhFAcygEX3Ip1$ zpG9Na7nh+Zp;GZ$Dhn6{Q0;(OiNHb=b#mCLs`-V1QCa9WM>ucbp+Wb|x6np~X-!Zi zgl6pgnwG`bg3&T%!GCI6&2*$T_`dI+E39JI?XMib;Q|N8tA(NPL&F+`M-KqiHJ$+w zBxuGy++3=6AJYhoC5S>%xfH2>U(^?C^$&vP&Ds;%{>Iu4ia9-KctVaQdZX|9$oF-N z(%I=m{$`BI8m(S=KwX>m9{KjoR9y^m>Y*(wIlDM@c7<`(=Ec??f4-L=*I2i#mVNIw z(*1FB-TId{ds{F6Ai#YQFmm;0Q}a!o0-Jg@;3ll~Ha%o31vO=juQWqSHc>r z{c%*1J@6DSybM`fX8lbQOU3!azv5nw;C2yGqa3bW2 z0I@HLvcs~T-M)Q$kEo~|WHp^*H+Oyp3JPeYf|h~&aKxqfV(j(gXM@Arv~E2c+ug8G zP#8V~P49s-S>&gH_k%Wl!nR6@UYl2dM>{tbRBgM~^2kqg7+3^wlEA;zt80OI2G{){ z1p>tHD^e?^B&FX^=6cr9tt!0OO2t7~BDfT~{y+WN)%Vw3kb+wCdUfunYsBAs+w2{_meLm5Uy!&=n7 zm!4)uZ6nU@b!%Tg9Ks@e5IM?!f`@z<*nAP-CG@gCmTXGWvcn-xNHvz*s~g0pwDb-08sh+PXc zKVxt6hb$`4nI6E8Xl)$&jNxNO&KMJ;KGDp}?-nw}xdNvRlvpwDtpeIKZ5@V$ z^?tV0uU{|4U5HAvh{s+HU8t9j$CTC3-A?&-T9|kz)nF@7O6Z7+)a$5}QnJxoczCg! z$umK#HByq8?Zhpm>aaAJF~ThN2{@(^XC?Vea9TyJOP>5D@1Imyk^@I-u;}#S=WfQ7 zb%y?UXbPFy^;9*y!mU;*s7jqafC-RlsGs=MDATg>efJqAd2eVkhlX0m*GJ4drQBuy zYiny_(0|bqFH5usJcAM=!s+&2)ILG!&Ug_R2tdzj+c$83L;3=f?|Ed`=gP@Kk$nUZXtZ;*(`ZSN?deFMxehom2Oqv`QlG&dqUfffMMk6Emey~dI>EbyM_}7XimkJjk{0_!o{nZN52o2ozN={ z^k}yy_wz|wO^3uR%v3$qpIb3ljApI!y(eM{y;~;E7tG6{w#R6^)J;_c9W(?tF$_D& ziHak-w<_;1?RK!%u#UE`o!$;riRFCJOWA_W(O*%T5E5CI^$Es!dEb-x6vpM$(a&2deb7{qOJkUQON{EW`EYcJueAY}Jc zziL7H%-XVeP_;!g{3*zEnC5GE}KwT(ASSz zd%ZA00z1Ri#*muo0no&RBB=_3v&tc%U`;t6s@4lQCnDQAaAWzOJ``QdRG=22# z1PYssvM_PH@N{h`h0H;h1CD0+Fq9F$;s_zSkV|EH&6tF@OAapcUshMoRge9WH80Cz z`3BI+(I}v>V`?{V-;TJctsNc_F*a5BkP|Xv|HjdGm`pIl|5YBNcb-gxM(bA-k{iv~ z>3M(77HI~I5M#&cWG3~uptcelQ|ajIm2%);OZF#qY*H_9=Vuvr<7obhYs2xD=Wwg)8zZ z$)piGR!NJPc_T?nFjnd-#_*SXmhBY6D~2tGJ?vW68uo)1-H*AaP)&0l(TsRTufQ3P zSA3`-)u!IEkvJ|Sq#I{y8klcT=yIfdsP8o zNOJnpkGCv$HHRjzY^=wKrg&Znzd3Y9@13}fB%aFLVtE18%=}lJ`G@;|l!v?@ zT>!+tJCT*3f8W#)!8}9fJCl=vD)zjY*w<&%OWDpDfF<13TN1ac8miRY0J&0Na-g4B zGV|ub^{dMH3zUW;oa5qc(`=t7o;DvTX8>)fG)o8^p~{EV5`ZAY z(RQC{YXhcH(Cm(1aeEK*U>*`&znGnyd|oS;4PK5b?VRB0JFo#%0*frmg9i`Tyl?;c zD#qGv(B=uDK3riYzvMZNH?P0ZFmi+^Lf#Z)<7oa9#xv>;Yb0~QlERxy1aFNJ*C5Hf8g)sw;sIBEw9MKua~LpJ|v7YFl8iZ98wLP zDW@J9Hnj2go?fI|erw3faJCI}bfCH#9TLI)JQ;xSxx4HDLTIYipYyw{pgbT_v_0o8~tkJX@E0E&S_499rEy~w}n_| zv~BV!>|YJ2-CyDS#d!e`GabhY%>;EqF5-`8G8c(J*gf?Kvaw*Pv1 z6Iwc!*_}=!5Uufn4pE{yGoTSp$fT>yYKNc-tYjk$w6CZCo5-M;8TmYXdH4j^Ky}X1}8_+8RcXD&9eX0ai+vR6# zh&@>rky2^Kk!CK>b&V>kX~XEjl!TIiIaL8K$Kn=@r@?xSG+HraRIoeIHMQZ;&m^j8JeAW=j=g_8TFmWtRKcQ zT;yp5M5Sk0{}_l+V;nu37KsB5%p`|t2YxTpZ4=(Lb7yCKx0t|4{Khx-(BxUSkW7ie z^=`i6HKMpDw$%?V?Y_%PzdwJr>PvLXdfF*oK1Qk8#kwnf);-35-lS+S0@nqo9c!LH zOvbOF2$s<_Zl-PQOfJr#ugO+|3JAY|RX3CCaBb$K=K?hqOkn28u1A%R+rQ)cz1=Zk zJIh6$LJ5kv<;jJ440+jLu|p^T2UQdfwUw8O*4N$$s_HH?>A@YUc~wap*dl!pOAG6M z5x&X|K|FeP+_VVe3cG~|$Q%ZFV~y>+9aOvF2wqcvkU?Z+eQ=eac2L(OAcyDW{Rii$ z)z2@@4;k;PjJ0vD?hM&^K8*?5d;;N<{J`*(a@mA+%oV27*Re53K57t5+;D;%RGWl6 z?V~9b!!v#d@e*1lr}d5VY<}9xgsBy7H1Koj@@s}%l1ER0-~>%{43>op9wv3F684l| z=d0c*6l`9YO1pmDrg|(o>&%9aEvbZ|>sbWO?9Ct1)`!jDz23TZ=RvhJ4m#`|YhaB< z%{yXKHE8zru03xnAg16pz|2RawUnINBNYrr5$ORF!pjO>@jXDMe&dLJMe#hQ_Qlfp zlNU4zh9q4irk(0lLzAD=N%n57>;Vy{vh5PVV%4*o^8c=>auaMFnE``d9%7})$C-Jf zT9+UZ<5eS^zDDd9?b1QX$>2&psGuG_%7kH159faXv_R}43dAw;zf>aLuJ%(KY=%?K zuuxm^jO0>_EUL2=Lb5Z zh#G6(wx}SAeER3lhyh8nV6fi;qCTTvcm?eoIlf*uyB6T{oL+5WDxIJe_$4KqPsV@r z-T954oXUZ_(*Q-?H-Q0v%dJoY`@Fket#Osk*yzC#$VsuWhDVProUMnfc@W=5&p+|< zht2KT^75(a>DQ260isVesF$(it^{IVU3j8PJ-7w}VX}p=k+{O=^A6oJtRWNg%q=*m zBcLcjGcVqVJGdjuf?dGBW@Av4l{QP(Fd^``$!6o^?UC)#$HNCcDe0V3`fMNQ!!hvQ zWW}cSsu!B1Lz9V0dn3Wb4aNK9Hf$_!ARBp@FH4A*5y$JhP};iQ0f)Z*hbs?dW5?HC z;QN=m*!R@5da5lS%%O6RgO~CSDdp^>2AoH;IwpAfEw~+A1K$RK1VZFj4P@6R91u$> z7Y1i&Hyj@>OUku37(JL4WJir244#?&SjvY2R`O{)Py)oHa1$>BlX1uUHh+HSs$FW} zQM%AMAQ?|UrxY6-rj!$GoejmRAvl+O{PK6uB*Pje$1hySes!j#rpCr@=XrH64&*%E+H>+k zKHkxqE2+d3?1ho(-+zIO2m25BR^XV>B3J7TT1-!U@vunkaxqj@L455$<@pa9)nMSX zE7d||Wi2NFZw?6-VZMJC^-wj}Az_9>Oso89>soi3o8$+3NKgEiDK3!%4z${jP?iYE zw735e8JmG8?;lp)W*q8&UuF8Ay3Mk~sJtHx2ZSWL>{owMh+!5q?&)5k8Y<^AUklAj z3i~(F^k!S`7dbi4Wd#khfAvyHa3(z8)3b!|&mq|L;&}ib!p>Cj;OTjQ=7X^2$8QCh zZFh(T(Ui?03suQ9G#~H%=#S}DWmVWpx=r2Ctpx!70cwhgYdJ5<@3C?~&lxeX5{v=7$TfInM( z&N-MZ9mU(yo8H5K|!S=!{B2HsS71IB6nI#kP}ZZHqMr=r#6i_V}1a11Ds zFRqk>qVJDZ9e@LnUYvXbLQ9tI^N9S))_xFUWQpVAAyZ;M$&UESFcQH>LJuCQBVX^{ zy0}YE;iCa@TLo;a!gT03ItxK7==4$gTmvoQsGqg+>?+<%d7_?}SG2nrd6@MJvwYXwu7gm{PnMCHsUjNz3TM5}_kRL|fWx1Q@+lEk{jku9 zKlD>)jkCq;A@u+VmXP1k{TsdX3O0A*jM z6$&ah9C&$^zaucNw@N<>Bn_i+Tz#DHucIS!L}!NJ53Ksj(l+sDSHokba#6Ek0jZtU zDhnFbH-SOh>=Hi!sqlIA9VS!^F2YEGE=c{@#3n#Yob6ZSlEKywFWMTFe!M_~ukHYX z&Vc+B1pQIq3O-n_uW4+8Y;hu>(w^C<+{o8z@Gl^!hL+@#@5+SS%3CK**Fyy5-k&7# zC_o*B*lI797kqS;PQblPgC;An_%i^t4-{j$WGbS|h(a}64-fu>^zuGMukumW_Wau= zcOSs5A&0%8FxY0nT{Yd7XpR+|zf(P9C4Ht;Flku7@aHV*6b+g4Kq2 zq7E?YCDJR2oUytH5OqIab;EMi7;#Z)PeO~qX_b?wk4pqwOi8B$ekx@5GSk(kfxzzm zIik$U8!jlo4H+(_Ahzk;vlV?jIpL&zcuZ9o#Ij$f32~AJNUNVtRN1{DRh9s*(Twy$ z#AWekBphVdti1334(QjO42SundOxke&XXiynJnoq{>c)GT?8gU$vKi7Bw=J58G(P` z&eq;JayQ~Vv5l-8O5w={;dmTSjYG{O$37|33U)uv*-{{0oMSycb^zQDltX}4X5!(7 zSCEx5t+aN-VREMD?^Xu8frFMb_Pr!RleB97Fk3-6h;<&0mizBQAdsykBp;YM;fCLjmWH(+8?XQTZ|1E#2#N1rbLg8n; zS>orC&3-7!wIj0L<6($5A;b6YDeFWECK0*RDte-I{dYrW#+sqX+RV$Ao@&chAGa z`qI^Q(q%a&KjlwrmhMRxQG^>1R4tp~n-GFhjmjQqRzl-#K#+&S~|)KM;aF(D?Jig z+UkF_q+-P7FP@MD%Lq*bBD*9L0&*7FKuU+rFPOq+mo*4tw1_R5SKv`<^vK$kw zq`$gQw)bzKp9lV^3JZR|c4m`4m+*WB1YQIXv2431n7NhdLai2XfjH3N22f30MBtA& z-96wsqt2b-`52KqAMQiT6-s$Qsu+!aKrMz^&4IeSP%o1Qu}6CtRN!a_(g}S6^?D8W z0d+wJvAxKD@3Gelk;A+H}w6fVl^M{v&A0ioq`6>hkpk^9S`F&Xk!vbO?H91;i_QbQxv0 zAKzDo7OyyM4}$A}$a}&Yr|Oypn+gj6Mke_vw?zUbRpZ>#hZWt6wz#LQ+M@quZt9O=1Mi=@*!8sa4r1;-`Fr>+OWF?>MPKy))@;Q8XH#7*6``_ma~`np zlOLrf;G>P8xDZixe+Be2v9NH8|EQB;N&i3~H}o18o58TVQvkj!ydOdW;F+~74_I6h zfy$`=^cca`Z|Use824RBDN_Aleh&g0m2Dky{V=QYe|%(ON@?V8JC?-d+Q55VwI9`x zx^)!D8H*as9cZ9^9l76ZL*!*+z`mX?;j6x1R#YjS<_a6w&vb#Rc+GuSbh6V~8- zwDA{y>4thsNN^oE{8e`tNA{tEW`Lv@c-{kjAy1S}iqvYxNYL67kDkipVUUvO7g2Eo zr|iEweDFK8c^SviAN!oY7fM=}&9FjoC#q~Kxb?{CwUB2uy!L?ld$km88|Fm-%tZxa z^87(eEG*&^JtD>?*()GgT&s&z|1#%y{KEuWKDK|6!cP02+R-kZk*cekNGVMqn2gJ0 zEns&PdysD15zD&z%-`*tjA~c2>%W@b_R!dRa(Wad0JA*!HxUEy!O%5DIl!Kz?kHNp zcm#0Sh-UBo4@FY}|5MS_zk7st{x20(|E>S{ew(Q7Yv|E}FD}cUE9^qEroVppC+fy7 zNE?r&IQE`!7}sMw&7hBkQutm}g|6Eihwm#N}#=lk!5 z;>J;%y<0%!P^Y5KH<2ohqU2AXTf$8CUu}t*-?%TK(?b>_U`v%z#~3W5NEQ6H<(^n* z1*&%F=Q*XL4*7pl7Ot&a&6?Zpk^&TM%<&CZ7GQ6pPr6 z%StfNm8Jd9s8dZkpBI#TsiH$POH51@^Jp@|*%9%5DP=O~%`A}uo1ZxjV)ZLOAinmz5jAz8 z=9HcUe7zled369S4?-aiqK+Kj^4%sNFi_`@Ki>A^Y=kx|9=ejhGXyzbY|LzBF=VUN z_=!dM80=;FpqRs;;k$S5;BmLETzL!>^nl~dLX0yJfFIFR=7+mK(ZbUAY>;-aeBCH@ z8=ut*r?0=SwbnVSbLscfyS5Ziw!O=JczV=YtJ~8c%U!GAhLnEOrbnM@Y)!Jx$tk&2 zU|+pHkX~kJV`Nnw5m#~Wb>_As4-0?(<##q)1t#;AbVHQcZ=o;GMt%3GHLi*M0>B}F zvqHWolQ1u{gGKH?Rg80?KjiDfD#0I6k-v-V{L!BNS@mBI{Quwj|Jf7RRt~{D7L2Zz z78{>WelgzsP~_>Rd+7Q(n2YScmH%hO)Jg3VU57?zy3QQTn;sF z%;L@nTj*=EeD>X3p*3po`>cS88tg7kWobXRyt$$%;DO)w_LzHWcSZknsrjoLxHNC? z1K~fEDNdPGQ?uE{a>j3SUD1d!=5*}3VxsW}So9CoGT>bL{x^SA`{$j!|K*)`O8$9f z*yb}S$RG7MOy`x)~f#y4)!ph9>-Jfv#=2VKJqru zdk>XxnZ;u3bPYfqSuSYs6^DLJYE_NOe!g4+mEguKx_=|!Xn-oEYVG0WCrQeVZTE}T z>y8H8Tlz9t@R3zo5wK}X%c?8r$AcgF?aiRCQZs9)0BI949>0r7OpR{Ah3X9#)fk~6C@o_sm9Re`Cbpz3wQsU#e8CacQ;A6v7PE%+#>7jvoO zy1BUxKYt>YAv;74kvS>lO3}%KK*Pv>IF{gyX}7>lR-@AbAsRDT~hUvB@w)xohb(NOZ;RgSZk4{~GLhq^8J zrc1_+%kAw0lGG)I8J5FYG`UQ5Lhcbpy6N+Jb3Qw64Vk5DQ-q@9@VE$SDp++=0&r0| zg>X^9T%uybHHoc8_a@jwK3A;SSN34Vt}BjS`*Ss&wn`;F!dELhhUL~Cna*gFu(qd? z?Mgp*`qryeuaA|W&8bzR|1xVIyu=p2BA6s#0VVfs-*ghi#hzedqQ>OO50L<<(#k3+ zqsoZ<5UGe>C$BjVK2qmu+WN}qo$`AgbM#3QzJuELTSPm#SS+<%mjMP^z6B%jaLl|u zkVEwDhd=%OFHE#wcI?+1b|MMB<&d6TPCBRLO2&{C7US!oFY95dsMXL%j;{Cw_qhy5 zx&zhC&h71Nm4ug)jJvNnnfmtflY0Xfuz4&nyL^o0(vzH%XAZi86c95_QVMyVFff-j zLKEWk5`_C7tI&f46v7e^>)lwNOc`<28W%=sh==zl0*l&$;GjZlyEe}3V0lRcp1brU zJUmCmp5W4ggqu?q;6~NFro2pAcgkeYnZ&{_J4O~5k>z+$M8`3AKwSh zfLo9JoAcn;XgsMFdtqjM`eV60!Z<(@ZI6WY!kfe5o;Px1KwLuH+_mZ7mXeX9|7VXz za$@u6|IS-e9vec#75qF*MZ7JyUM9oOFXb|I01AZ5?SF%Xo&5k;myg)E^OK(`df@}D z%I#UG_H?l z#2xmUadRU53XUYw0-UyAzbV{<7y1+WDbddTfpdAu_#ABDp*6sq4kM7koM!L2Mxg?y z(WYY_OlSyJQdES#nHV$X)vH$v06Y+1@dbL_x#39F=2qWFWGGPfjYLZ&vu#H& zFVe`hagms|?WW&ch?Jsg66+`*<`MMlO2`X=Hs`CKEO<)Jq!cZE z^^tWZ{kh!(I|E|vh(Ztcop4;kWZZ`g)^8=c8h1;JH(1rqU{HFHcClqCbkS4Q|Y0{4t2m|<;6t076Yq-WOj$kRp#xth+W zX)+lfMrS*osde;r(u?|~{?z9Ai&W_r0uVz&0?9W7qBpwVt);SND4cmD^_tv$1UCFO z1?7Lb(S=CZ_U=2Sn;W<{!e`$opX5w;P+xM$Zzn0e5>l9D!#OuX>-2dkW0)IcFjX9; zUXhv)3nTP4lHOrs{Euh4ZX99K2ZuZ*Ax)EQwBa~M7us01IBlR6v1U}Unsle!+GviB z53ae6`I%5mUXp$505iaVMsXGg4j#M;Z4HU}`T30{rxw##?P|M^MDNB}GExvp?L~rM z!vc;KAip^Ie3tK?7SGq3zEb?MuTs!EK# z$?)7{Qr_)Iti%f_^lq|=@mZUdzxQo}WdC_0BYD`(b&Ofv@zEkQ|7(Rk8W z5;-Uu>*Lk?mU%uxRZTuxPMLV3s9*!}xnA zvEpPX`&N{Aeqwo>$s@-EW#UZw<*i4QsHxJ8H)oIV^Rr61XvVtY%M2xVzU|1qQ@}sy z&J1#AOqV8ARaLdN5#4CH9VzK{2WUN_<@lt@^NqS0R*Kq$!P9ybCnNF<*=g0a*{xI< zQx*ud+Vz)r@EwSgc57WUXgWpNm#$Er%KF!mp5ILTcj_BiXHP}NSZu3@==bkOKv3F7 z8pp^A@K)6p(lG6BFN@m8*62RWG5-^6k3W!ET=dGPh&KHfyIUWF2 z(fY&1ZvjDE)N5(#4Gahdil}?}P9f2x)~DRZrX^bH=L9W3Ck39zZMGp8OEAA?KbeLo zDt`KG8p00Ldj@6gE%U)t3uO)Sw~Tn?25<#3v&;L%jeX~w?eyzjeq0K`(q}lY^0*PA znqBi?IhNYJCo3@a2`+2)$H@my>E?vc2TcxjtiC7t#DC9d%n)fCU;W4lhq}UpHesWOgbfexpNZYaj-@5`Ix2S&mC_a3 z?{vR=29I}42Z_-ViMCa6==7bJ9p#k(T|fM%>E0mwIO2GP)k^}B77D909=`>$w49;V zAq`o&wNrI7;Ef^ziCJ`sCx%M>tfs(|DUJCh`WeX0cJB)<`{04V=Pw5atI}XG==;f<- zgV9`xWSd?j(LB<~iPViAT%W?)lOXkT5PGns4@ipluJ7Ldk(Qp`8@tAYH_xs$`v#4h ztlKE+7`Hjmh7uv%I)yO}P!G23tJAf*+^&DnmYJ$~4TT3!2HcNhVNr}yQM{~UlO?-8 z$Y{>Q81oF|SscLFa>Yq`3wyeXypVWWS)W@u6-zDsDQG6lckR5yYv13X&@ZsFhp(>b z7IkQ`Jb3y@OEWEpabx1`F7YImYx$MP zQ}(q4Np*|aSFMzktwwW!+osTQ}Mta@+R8uH*wWoAm(nvvS;%3~36B%0CC#H!d&r2$45d~jzD-RUE zQLh-Yhn>L(4sy_Q3^p8Le=pbK$abV2v=*9)yxAeTAW*nCaO zWaRquGqn0OaRLu)q_%7GVEdA#HcAAs3%BI-bW)y($LI+8NEmb#kY6JK*FsO2u*Y=}Z!B^=+{tMYBuO@9j+YyVQ4J#kAi5STrSrV>f*b z7MA}@AE`#OabReAa=FfkZbMs#Uu?I&gwy<1U=kodFe|R%y0GqzF2YHp? zEAzEt&O??cZj)-Yk{UjxcbNXioB7d<&hp;>u*hK$m|2m;H zaGszB>IWJ4Z~uZ=;fucWY08RvY+IwXDLg}fe`q8u`1w`_ErEIrcN}oU zU+myp!Ja<3@;g6&>xF5X0u9=bq2zAPmQN~eb+P3%r41iO-Go-dSjENnu9T+PQl&pl zIm-SC?>zVSublC^2J)}?@aA{lZ;RzcK_G}iK$vIS;FBSUhAFDXgZpqyY z_ttz225$jqIjTw@GMUAKOBUd} z_PKt+Y-M5j!%Jvtd-Rjgqs>kvl(9;egg6k(+@~1l!RMpRs!6Jm>W+VGFq7b5tC*$R zM4j<5S|zSnMMZAuxd2g@?|+Hs4u3R1W!gI6X4+ItNVJ%Zcl`8yOGlA=-tptT8U3pQ z{D4?{An(SCs-lj%%0P~d7LMV!SNgQ;pvU+fokB5VFH_?$Q4D)U#f8&@=asP26PDx} zySdeQ_Sc`*wgm|A-}`!(d7f8Q#e^J&A01cTjljs?72zw`0K;b4LWbY z@CtjH4za%d%}p}X-`_NtH^N(aeU374M`!M`qRx!3P}~C-99H&d^_ZgKubl3Ga64%x zm_fy`@AZ<3-`IMVRu=jXuyxdsW*k50*1Vo&YG9QGtn>C{V07(NjjAt>$GOw1pK_3g z7xbgluGWpcxyZz!W%^|ccu zQYd<>U-palq;wZf;^ul^nFQ8s;4AT*yV-hdKGX++om(sNqR}^Y@T+OmN7iZf9SbYo zK@I2F`sm}fwZm|LVygu=)X3wR6#dFho4X~n@g01*pWXLP6Q_9vYQ)OwC6XOtmZn`p z_R1N)s;aHPw`bxq;G$oj);mP2DLuPHEY;=i_1zdL%CM^z$NFF{ZkJn0Hl-BDL9`|c zxr-h{1q}%y?8h`V=~pXFcIZ@6jgegx`ir&_4*)(*e6bE8VacYBgzEk0XDX?K&pYmh zxXw;&E&bFtoD24ns<70l$+M>oD&=x3#!CGC%k0;-siax2GBq?R1nd*OKRCC?zCuN# zW*>cH?AeG1&ypp3TCA%h*qNoP!Nhu9uU3qF)XQvYip5M0-Sy-tgUx?-!cMuA4tih3 zt1o19nS|IlR3-I0-<&@Dz_PY%U77v9i*=gA6R(*nVRYBlL`hr_ANFg6V5}-O_yioB z83`z2>j;)NQ=vAy@!ABP5-8^4hekN5U;l5r<%WNj;UX!Q`vU^@|_?kT~4 zlD+|V!Ha%hnly@KGfO7qEd0)oP0(;K=vhqjwUDQmOUx2?B)nMJeLe9b@AOaxnOV_4 z^-Ejrg`;|e97z+cJUg8gqcwBf^l!6zIbW8d&CRLz2DZt!R>%tQXB6~ZDR}Xs#c^Y+ zhFK1efby?FHo0>0!$sG~w~>IDl|F0x`AA1iuw8$eo8y27ac`JJ3Zck0L8~u**ZAAp{SH^>>!;;XFEM#&cLRDTpT8g6+=jq-wMO^h+d38{m#pUA?4=Z#1=1(JFytmVxk$^kqRQGEnSsO zD@V9moJNDQ;=mZ9o10xomOi)iv~niy&ElV1(kXCZVPvXp!?_}pI4H7b=Ay(?Ln24W@tkns7?U7j;tPu1b;e ziEOEa&#s`G8m9?^Z*+&9!s5M;@SoJESLG49rDGdx?43O<4U2r9lKvEC5a?Wy=Bb1Cwqh8zUqNh>v58UuL9rPpk?!bDD%{~YIwUu zc;_hMjPW?>W2OwGL}x18?p2-ju&ytTlwav1HI`&Z?Q%{StShi6ZB_YQ&UwkC=$T~} zAv>pJ&ofrJ3%T6BHt6j#Qj>jV-ONW!ddNhr?~SM>{Vyh(zg2r-9NLSU+cnW8Anu#v zxsboH?pSXnRR8u{66ohSzBG&O5I;Wbv2rYM^}SE8o+LqR;IP#4*9)`(QOEky+|N=; zSB!|~oIbUeQ3{>IIs)AWB;<~%dkWjH*Hw%9URJRkC_CYi4UFgrPZ-Lyu@68hNNuT zMx+v=nl6t1rR-y36QeFS`R0Pxz^ww$mVWouy#SV{)u03+`XRWaqnHzktG|39CvTf) zkKbq+5wFCYd4X=K5J%m-&#K*dLF_)h8c&vXl!$%_-_v>^vR z@00u|Ylji3CacQ=`^}EUx(#)n@{RBg@j67)%PWBk2nD)cl$M)pWY5G#sspE>Ybv8e z6GJmvPMwr!@L)IQVhe9LhYXcCVm=7Jk&$RWp>;XxtdeIA=lNCnPzKHS>+_NI1hR`& zp&Bf+>B2FuyK~)T>(RT5YJ9AJUZji2m}UuUyo`=Z5{`6E&+8U_usYk{{?`s6%o+ZB zT8*9CjaYX;9PU2EB`@)=_UkI?aEW$((Tx&I~yW z5(I zd`eIPgDkM`h<)uMg){A^+{U?sSz$z9FN@2#2KuBCxArml!+Gj4ui37os2}45cFWfG zKm=z+1$}o-i8mtr*0YanY|1;vK``6Hj zt6EpMg@K7tipJ&Wnfzj_=aTlT$@&HkaJc^I+*%7oCIgYhE0pG1BU=8+p`sIV0{kx^ zV6o(m_-WNfIFOoGes*W}ph;P=I`Q|O=f>KWvR~VM^oX%?JeI5DEaeN~B79Mc>pH&| z0yhfoQ`xIz9i8iKlR88Lm6a_pyEKKrSYCZs!2{QjS1~m(k{mTlSU(xXGxS=kLEO@e z{C11UHFeu^ut0l+OZTz$)C`05aQ$)4w~yPq%Vrkd+nQUM=gWZ~5!$eKg0Yg_#^p8E zsM69jCOz&`-H)A2&{a!tUNuE>)AhV%j6L`-h0Bwrz=Ipz;`KtF*IhP zW2{|yB+~r3|Akf6gr`flG?qa9#&T1UxnnKFhX{yMWV9WdCv4z79Zhk>rd(m9hWcF5 zxxQLr4DL!;4U~Aagl*QrXsQvOOp&s@K!DsF_MeV^oUy=4TICe`{yv+|j_FUrk0bk| z^`ec-0EYHSa7qsB8$D?oA$8B(`c|sW;n%z3rKUP^Ti>aAzKp0?x0Beh!1Vr<+(ZPG zpOsTvlD|7TCYtg-;-^>9>bn|UAFCMgcz)laMV#aXi4vJR-G{zJrK$1b6c8rD2Fa8FG^yCF4#6xK&2ZvimCxlLB-mys)) zx-WIG(;~Gm6#0upajZqj*hoyY`o2E9QanyB&w!9vHj-Eb=RXj`-HgN!HRU?R=`=tE z5=XplWAx`s$C$Dg@fSgnXO;wm1unXx(S>~7d*DJY#_Oe~dU}s88`yZOm+W^c853+e z(+8~oME%9cd5Z*R<3O3EWq%Z9`F=Zh56jyXlm^@*0r8A7YE9FL_)2$PfB_dRLkE7T(@XPpoqQ6WViUTUeC6x2-kWc4^G)9E z#}{WDqmwaMq*qNl!$btNW!m6N+(^=*=*ZK2hyTpJ%xBis&auUMwYA&j+#lM~lYb_K zy#kri_1Hq2U>Ze>Wo-Hgp;j&0TO24(;(bc@&@;x3-0g1e)kcp2lOqJQ=sBe?7TR5y zHXCc_9#@Cm;w@rVNPA?wul))yRO!$@0WRpJCyU2tIAmXVja6`TE2s&qbf$49z)2mJ zrSwYWIj_uh`ky3pW@jakphSgCV2-pdkDk%JMg2LiIXwrIM?ha*YmV;M2stO|YVC3f zgY(e`=k!W4>a=hEW!;mXazb`v=yf20QJ1$ay`2|d+uwM~sKO=F5g(8#v;}cw*>K5h zf#Yzh`*e`U?7(hc^$+pLG0Cf$bwvg>+pCKKbr&syf<^eGy#ws*$@X;r&oUlgheISK zCYTn|k4{wI#^cl$GprET6j;PVo=@iDn8@+xktR_*zH8(tmG9Ud@zSdh8Ok&=;V609 zpQ}cCZO`oSwOE6Hs14jfV^}>2Hs?Q=Hsu3rKp`0|t%8djm*ef4zH6&jf+qd=J)m{t ze&7YC2lZ5qxb@XTTWQhvSJE?leu5l7%B}SVSJghS!n0{ER^!c0-Ph|*sJwg~&FX^8 zQqU&Zhsr{DF;j;WmaDy7L*T%IdTj9b<6LE87TPmxr&l?*(iUEQ%~;%3(>I97vM6}4 zm;=e$sFWkShbL& z>3xpZRxvdK{HDkJHjNG`BjQd~gTfpoM_nD;T#VR7C=tBhfT~^|ruL+$rh&rai5E8- z$7Lk@-AW6T5>^V4k`M+j140-p>~x9am!#j)#>0rGRCRT|suJ%xBcHL%X)Q<8vD2CD z6^B$0UTdAg<)Ex+_UFw#aW4+esaPvIDUOL}b=gt(-#-baUD<9QZnki8<9T&yQDmg} z`@dmQ2GI5F(WgQDClQ{CW579v2U3Fl-IqHo`1zezM^>MSO$vQUPS6aqrz{Y{z*`$m z^~|HE$g4RlE9IJVnLB^!_=vRPRmD*Y&D$lpa#>H$T;HfRE_Ct0o8NEsbdD*p8m?D! zoDOnRR2)4H!-j%`sP!iM*w}#49kYZ_JeX5yP*fD`icU*C&j*H)wNT|3ll%+iMqP_V zzKpNhL>Ho2n4Gz1iGC}Gjj+16F>LqBgU{gsyav=JgF7BR+dlKewWd?Ze` zaBT;ePA4glILG-W>|f%dbMmdh3Cy9Iks4(2 zEY&QeP4+zAjKskC2wwIy5-!!mRA;bF-U2UDz5lh;icrh~=PEMg+m9sO>-BfA75zj7 z8)bQ5yuaIq@iD@Ms()b9w`W5P4u%K{)itW{;>u@)_TK~d8imLld(6j`6h|BRGNL`e zR>d>!96QSFoen?YtD^KOgoDY~6QL$wP(W$)0+nn!lstZ}rnLOb%-ekJP(U+KKwLXu6ov- z%x7RnM6MhP`6AwPH2T7(%$lnk^Y-Yqy?0u9-EMg^9^0T$S{b9J0R;#6G-pLGwQI7DTkDFqMo^bInki3Xnqz8L5qg)VTT}y7b8#W-Wsm< zdaj1gV7Vy;7t|T4kt12HR=Q59g}|Bmx{69|{rBnpyuo`Ta{}QLC<=c5N)<#CHIy79 z!*iP7;8zmoYpu5bYF#Yea5$+(;vBymqq+t-ys_ZRi8Q0CI;(Xq?NxKV+?q8ahfsIyME>CTUt5U15W!%YQe>4!P!?$TL=!r3}` zEYpEq>VcB$QX)H@JEfm%XFgNju|$?HpSj;-7uJcWbi=`Z-%!30Cph~fUL0B%>+C6t zFa4YL>(2OoZA3KYNv909NA@M6&?Q6y{QaB$U?%SmZgsB$qq&TU&l-N+C5)VU>~d?zK9r3LMIIxZt3_eTnv(rbdP8$A z)?eEQ3i-U&>e8EJgd(TI>BFZ)LONdy(Natz%prJ*v?@o48&&^xcNhv2m@4}e^q<2Z zR^w<80O_AwKm1b5ge&SsQher#$xYXx0}ORXkTFMz(2cHZH8)qKKL~<%3*Gi~UdC<-(Dzo{}fvE$vRil|dG6tU#L-%fGS9;$u@71=^ zvmLQH2Gg7<4($Ks#Ce;F+SKt9dz_7;;@Y=z-B89&?I>Lg3ev#m`1yx2(l!pGXuOm| z65?uzoHuk&<~2BrtX(w5GIN?b!jggm*i1ONQ4#^)I)r3C*y8&&WSI@_i$SGf8S=^y zWP*4lJBl>m$9pWebc|9{+jd1?LAD8&&&D7%6B#gmJpCerSckhPsZ;Dw>V>i<3(V5N z4ltj}|AS8K;#nYbkCPV^g*D?{@I*1D`Y3jG;dBk5_^+btwK`GdC(gk>PRA zWUX4NuX=+_U>6S1ILl3uA%T$TY35`_j!gV2DQ_5JHhcls<*vm`LYxT&2zt}pLO3-B zE`q&*5)NkF@klp_CT$3ym=Ugou*A`mrY2q;sq@Q5?{J$g<5y&pXfS68v;AE2_r|g% z!y!_SYr3hVQS-MP$_&TmJ=wnJh2!u-^-s2EP@b`5D@uM0dNTfx z_O3gssdU@pn^AO}K{FOa1QZmo0HV|=M6Z;KN)VAIRZu}OASHAXog$Hz5kyp)g3^m3 zEwm^K5fBjxgc3k0QUXMf&;sP`FXOy>?^<`(yYG+t{&?$Ud1SH3Ip;fH*?WI`|9-#2 z#h7ZBrCmOPIzGCq+I@RBDnQaJu$s^p>wD>+BQCS*?4Vpo3weDs#H*Wa(3()q{`7k0 zoJ}CaLr>3-Oj(soq~(t?)oMxK)o_F6r&XePhay)9x=zQXV))}-iAkm7!#IoKItG|DD2KHsYF;iy6m2Nup zc$sg6rHPy_RB2soExYQrh=@E1K>(C1;D<)ZI}=}_TxqD7#3oGaiq=tex0o*IZKu5W z@6-+=^SNqUrwU5%B0GR~tFi|;fOcM@({`|oSDt+mgV(}N@VN|BdQpX{MBU?!S<($m zA3MT!r?C;|J|G^rT&zK3dgRH$tn_y+V#pDZD4x8tGaGGg`?$dRbdyopH#x0|!iP6~t3PsFY+yMA^P z^bup5&b}z^Kr21HU@&vPE&FXZl-d97^tRJS^L~eb9BDag4iH?jEx??m zu)bjc9Rg@7yo+%QK*`nG`=a#`yFqxk)fU=nrdu>vh#9A8#u z8xLL57+tR>Ma*z#?r_DyF-cqJt@alV2IJXR zmtOn)W#~Yekwj-PA)akt>_o67ws8CI%2lmDCORfg_|9gqEa10UbhFH7y+Z6??Gn63 zppMvb{|7)q-oX}LfLkj8ws-q1+Ng)OrW#U*TeB_q*_Q67ap&U%Tbt;MEQCb-0}6)? zdMJ%9=qDb$<(a+1dW5U(>=$B(bpi*G3X2`w(8MKTjp! z0KKZKUxv`Wk(@M-uMOc(bgR!OD~I8wbj5Yb#r5N>?VMS5zJLP0F8`$tw=5x9kGlyv zw+17l)INZ3S{v>&H@C9d5-RQMx-D?{p{Z5-VxD=2ZN{-D7XZ_AI@Ga2hz|Wk2(I5eV+&pC8p+MTmDT=euLcb&{EQHj#si zDj-Ux{En;IZJ%78Vb3ulj?Ms5f2Pwdzul7|<-OE4^%M5n(Nlnb0#hwgs0UB$SY80K z?gmt8ofJc=G`g`Oz?^1#$v9oBg`*WqGhOPwb7{;rOk0t6`S4k$au~Ka50Fj32kW zQ(GUqms6N`VQ(?}<_t|Ex9>}38EjPLQe|Z&q&8sysJF5??TLAw<`0d}5sF;lsQ247ug#YRE33wrI?wfBMf8NV z?Id7f9Zw(_#3kR33vt72nzzpcTYG`WiDT1&s%=Flh2+?jD5E~R4Qm-v;l7nDLGz6T zlekiV8K(m2pboeaU3>c{nHiZI&B8QfGIt+rd2As0xMFGI{lLtPDU(s3#Mia&0Mu?; zYIAOk#!6}i21I+vY~0-jau!$QQ3EaO%&`hxFz!}C#(j>qX{?TH64EGzSwmJBxb8L_ynkX^9p zg1T;!?tMi&XX?Jrt(m4qnPO}TWum*>P;dBEqx0ygaiBF&($d9R@lvM&B>4IV7^CMF z$BB2%$3^gQqu=5q!@}lr-`k5(s^ zbR7io{-aVUV5xu+0K5|oTs#crjD z-2!C(?$J~3-)~XVqICnGEie8Xk$0}bgd&k^x=kS|__E%4-=rtREZ&A z1oS2VT=^g~@?w>=?oM>D8XtsRkqY}Eu~U_3_g1N{EtAb2zVa);aN`>HGOF9H@3uI^92`gh*(pOO^-X8U{g8k`Qo z#zF1(`GXg#Gi)yS3ApTeRp4&<_dPX~m310;%2Q;_lfbs2OLEyk1Gd3$v_pg zb&)TwM@`Z2Je6$U{P1e%03A_JXA-D5Whx^1CHartvel%U?z6W25%D75BxzT+4Uz(1 zQd5t86jQzOL435Z2Ts8kJA=`WDMZ43A`fUN;_G@-`phJ}-{AYmUiN&0;wXC;{_s3= zuC0`704zapq;KyzP&ZI7;n6O2LX|5Mq# zu=!m`dZt|-cw#Z8omAcB(77&tL*GQN?l#Tkv0~vbkpXL=)E674z$kg^D$x?>5gC<; zt@$hmAi`G%O>owng76cYYbr_rw)Seb15Sx$EQFat@P#@IBjn)?a>%;@Y5nMa#--|&xqT0Ik<89f}E^@bWrfL z;)FGU_LZ$GglPitbn>Il^KH-ukP#TVGL`5K(T ze_Uqv)58l2)K$+9e{S~^kh57D0GN@f*{fm_6`v;~)60LcNxkZA>N*|BJ%)%4Cr>Uz zpExhvwsdMvnN7XYc)z`TR(FzXD7{JQ5V5n*E!`s~t1AaMR!Kph$S@0;!>ZQY6O}V% zM7Pu+YM<5v!S%XgTiXIfdx(8pdr4HSnYsKnEm@t)C2(Cq6H=m5URIIg4iJ3__~~)c z^m1VQ9TStZ>PO^IAOs}$;6xnb7rH7+oXjs>YJ2Aez0r5m#Xf72hUhvl5gJSLGrZ&G z2Bl^#);6mMmRC;3A0prL?7bkKETf-T{;J=Ez6Bm7j*a_DbYz&g&zr-P(~-EjTwC!g zaA3Bec{?%Iav)!h5{EQ3=pPPB*&ANP=Dvb>I>nq|2w0v9xBoT|{Ql|9*( zvGN@J%AS!~FnPA)5HcMR_y=^ldGaoZTk>s{E2r+yz1W0%Q_6ijlpJY>U+`)x?gol& z9Ve~$MH4yj7~5xQE~mldp1MN+msPOSYL3+G-E8ULeN0c!XSj4Q#u1RDzd}9o+Nwj) z&$W_YHVY5o+y@Gx}AUtlR-$ zz4J`S^d#<8dALRGGl0UNxr_du)ld~jT*3)PctW~T@;3{NlG+f>k#CQ$E0+mbTsH~5 ziY|yQj#gf4PZMf?Sf35rpW=CMbLy0$@_8jH+x0qe^|E9Ln^$vvEme4QI(m)e|lX zCXs&Pxo@nNALVcBey{}cif5x?jq6kUlA2RXT_T_DTOl$ahd4ft5FHwY*4;^~Q&v=@ z0FEi4Ef^lGnKu4bb!J-CbM_Yp2Hd}Ggm;59Nx6G~laKJy=`^kl z6ZDbhBAenh@EJ^kIIO5J;M?Eq)#2F!+EU?g$oy?I$WVMKU?;+od07jr#( zBNdVYcEj>eK|EZo{xQ$Gq3Pj%^6Pf_OwMhSZl)#40|GR)gZgU|s+Cvu>?M|KgE#fSm?)#}%YR z&hIozJ-D2N_Fwbn-)zf=#HetrAohOzGZA)&eM>W)GeljM+^M5 zpI|W+F&Ig@X`S9Z^Icu)dHJ9KVqWg??!&ps`i2-zQTJQjp$ZgN^bO%Eb|IszyiTVJl4p`v+T)Spi& zC-bki4KY#F(Knq>J#KK;@Qi&!Am}7y@B%ujThCZkdDTpvAMn&baRhs*D-^lG6BF53 zthTIop|>5XUwbWm3Gir))D@i$r%*&E=#VXgiDzh?95?>x`m_e@!YhpobXn8d;{uNm zPEnFl;+7{LQ>oFj)71?J`(Jxr z0dtKpA{WBpfJusZ5(Eb6Y1v{63Lpw@4BK2`34Z+m(>IMK#dLM{{5F zW8|Xnz#hMyN1b-Nh7=tn)h0&C1;H;CXR~tCt61YCux(lN&{ZUjA|t|3mRTOFxbj)# zPP7b>eLB{P^tu_N~nG~475LUl+=*=ijI%8!A-JQ$&f@BC}Wz#?% z1Hkn290#>w9j1ODU!XSs>t$*_bRX)vH}_SQI@0`1=7?=ELZgTxQJ@_T4&pSdg~AZm z*eGN*Rt_nfLT+eF(867RXr(hmGPhxsqDc)6j%rZW#mUN|1`@06{me5tc7|tG4S$WL zwLod3uOPgM`q2HUeGnL=#RjJz;vVbgb`7 ze?N6E%N&g3w=ImwEnDNrf}hU+!hg6lN?w}q5fB$TzQ)QF3R;*P--V7`C_cYJQIoTY z%mx(9qO=!sXZ1!7Q50}<6}vdzACfAwzXSk-jB8^Wu$XR)y0IiSck=j&eX zy-m}}wE|`;z=YlU{7iJ>Y`bW14%Tk(A_%&Kqs~J%#h68`A#t-b~mb2 zO=s=&5i};!BbEX;@7lq$o7G`{m~9=pMyeYgqEN!C$N_DGXbND65i>2+gCK$D!bbk@VzGWtbyh4uIy^-Te=}&VKw^ zOlo6#qPjAWv(Eko+Xnw}m1ljK46=B(MXdZR74T0e%C=Z5-vGK7i2f!k3yEtpLdaL$ zAGC>-c=#pj{d@nZ$(v{oxg}t1@{g!Kj8e}DZVD>*Vtz)_K^FOYA`$KDE9pzUcnQU( zn)YP%<>j73%}<@vwY*-v)*AlpWi&6%=8ri364Q*U0xNs|j(xWL2%)K1CrkMdVRSFL z8Ti1YN`bgo)=U}9vevm}x6Y^-dEJEO8=bo8Oy`caFwm_?lg~{%L5=oCLCA0w_;3B(2T5jPu3*D(UZ^TgoEL31g=57`l zVyha+M>7NF%M})}z`yG`&q-EyKFjuIjT7xjf21KmIZ1Y6nb7UB0eS8?2d|?sxww@1 zaU=|7hUB5>A%&hSnOg$Bt9N$GeAQREB8~GP1XYXvILS)pB8?<=9xi2ara6;L(sn-Y z2U~g1{>GBlY$X^k#EWd-gFGzqZ7p=&JtKd$2GJse)%LBeEcSW~k$WVYU`MkOKwOq@ zDcU`DuZ6?g%Ci$d7KBGy#~XRz7RAXo5&giBiPIcekh|Zjd$yOS$wU7ewi`-%FJb2C zRE-j>6l!NkTQ8IEdaTVuhQQ`^8A_6upxM|vua_3$on(|?t=jts+-QdSL^!HXIA)^= z<0S0JoCDE}xgUzmY1*6n8-x%!knfCq3k-z^rl_nT|1+ME3+Bn2p;A8^_+qi6*@~Px& zZ-V#}^ky9Qzwcvu)#Wb3u3~~XY`gE8qGu?6nVw8qxRfWkLQUo1#W$2S8|1+Y91Rr< zYk9jh?yC?GgvJ+}D5Bi_u^=fm*HaOa>D*0@Zuj1UdMo<;FYsp(o=N!mmsrC8=fC>k zez$Lz5=}=?Ngpf|hIS%K)miU1fxgv|aG*VBjR5`9i=WElIK4FFcz5qaJ#wu=bG(Us z++D{1!*$^B9|?!oreuvUGtCMKT^jRz*mvIkW4w#hvrqKH+0pdb4wq!4(xMNENNcHp zfm?Osn)ZnjDvKX?%T)@;WUFJ34LQ;+e}OdR2U9B*ltyXpn~#J)`P9VC=6zboa)y!E<)d%q zbN-yq1+25z1^6LyVE=)GO8d3o-}L~9GJs3=pE zQDqXDWF7*EN)ef70t6D~Foghtgbw>S3`YKTT-iB&_+agI6eE5CKFwupc-7s7e5uwa*r?_o0 zT9mqqaXt~dHCZm>vu z>u9zOMawCX;FD^Wn9vxn=k($CZzlU3Z7l2v-r?xpLZ*O9Ch)t{s_30FWic8-i!(tB z8Fs4K>o8iu|Dg1uAILU7mLDH0QgDwuE_7A6Kch}-rNw!k=6BhLO}(w$^c+hfN@hZ^ z!xprqi=&P4u^ZIO-`3c>ei~0pOh|gHdjL1re9rSxMPPmtC(7Q zG|OTd4u@#3Y{hleX`>)B_~d+=X`ga+`Rqpps~tYFJC6OddEc2&Y(qimRDP2o5-gHo z97wNpq0>s^cK^Hf_Vyd?ug@tM$on)U7_?Oc3cR>X0}!p*iHF}mJ#S{9*_LW@F!;7~ zM4i+?w4y@}lX-QBoT|Ja_BkLzFja{mYjx;{=Pzh>y7g#{a=)6oC^zQ)bw z7jfR5mJRM3-UZ(OBK?2uIq~pE-SnLDx!MzxfeRBIuZAK&Oe;?+{1oinyrEuycKkLS&l}&(!6ygW(#)DHsB=;E&koy1bZmGRef%Fivw8x1R!NtAlaY~8 z*SRp&jlVC_-bl%zOqVS*hKk{2_Tkpb?(Drq*YlqnR<3z>Z*}Mogwguv$Js)-*Icua z?8q{&scEyB{<*JNLmwX<48D|;m8JS&w#^J{An5b8>*i}}YG(NmFs`=$n0nW5=osa# zZ~qcL3~Ob)e%YW9+(%fNuQ7zPWpY$Z<1V|3+%vMW8Vc#QvEOXor;I!Cc!y;sMKn!` zX!lJB`~L8&^&c38E@WO4me!Ts{?c|y4~N8505;hrsk4*JQHXAs@<6S=XM0wZ@ZG-I zaWj&xcJFN?q{%fADo%g@`JHM{&e1qu6B85ko=Z-JRvH-ZT7jrJ#ISvMZq@3wM@!*A z2e#??xQ6DiQ)At0VV_TxEsI<&TPkdh+-iTlQ9&!ykLKE)r(DAf3>aN%6->=E+Smr&;hP5 zE^xXO7jCRpdgFe4{p3=ZbTJIs2k04+PSV-H<`=(I#j#R$wbRp%dM%D#+MZWl`m&P^ zhpgP~!*HvUsHu9qE-PEIN#Az2bJyom#a-2|Kfl{^yhUmG_VWENxSePiZ%n|Yur9t60K+OJ& z10kU?E-o(kZU^#SoUZS5+%Nan?#1z0B0TWi!Pk4g@=n7bKedwn-+Cc_#TrbhAyY!XztXGN;v;}VLoop4URxwZ z$2hpN1AIQHDQwj&8=O$kxUpS;#jUmdeFB;UYEaUO!q63i#uOdu=;(mBdLH~ey(cBP zs7R|WTGd!E-FGnC2cxBa?{oCQV7Asg8U6exmo3va{9b)_9Xt zli1Fllocsl$RvuFMxGdLs`+J|VmrK9p0>XHo@17E>5-(9VT}*A9=t-?g08&#Kr4_x zRi9v>hx?t0iGA`;;iftMnqZnBa)@`klLJl5q-!yX zJUIVec?a_X_kRKO{{O5JTi^}nJ!3mhrY-MPub4N#lw;e6)Yer_Z|bd4nb&xDR?*y! zh0%UC4%1)J*c5?rJ@A#sU6V00($aY%zb(<>{cmfsY`(?3qg-#Q;Mc!jrxXWn5Yhqe zH^hXmF-(tT{cqms?VVZM^&eZJaHN+&?-RBqN{|^~%3Tsj(?We|FHhK7V^@39aPDcR zTG}h2|GzPQ*g2juh8y`#;p*ngWnRwiWwWU#>KKBaBv3g_*Kp^doSK*sk4RODD4T-+ z_}uA6tXq*YXYPPG9&5&zj6Ke>*^YU)uXyUwMStExacwl*^lq_nzs%cj&cy2$P7#V% zZ!%8n<2Oo=tosf#vvZ-ikkpVEO$|RD#v~6b8Qmcb*ioB%QZ6QYlMnW@53JS7{ zBtI8T<{FnN-oBjc3gQw1uxf={$HA?4NXEtaY@*(Vl}lxVZchd!`;vo#x=w~Vfc*M7 zGtz`r%$IaKQpJ>5%f|N>Cme%eYR3C8C{to%^@{eMy({sc=G1S)Yas+gR|r6Q z3b5UoO#shbswTA*v2kc2F66HZqTq4AqzGNgoFYF&}=-MR+D zwU}~}YhlNwadC@cr~p=R)gGD;S}(N}^@@GKw7F%n-s86Awves3kk7a168tEgYOCPU z^um+XgN2DItGX_)SSIu78`&Z^WUjBTy7g>7{N3GRvwr~d|5>CPtgH;; zvpRyqHs887Cj?GE=X1b2Zd3Sz#xb#7wNVFo?^esANQ|zE+@z>`1Hrx{H%SQ2spfS5AIJ&Xly|e`72t%j zmO02h|53OXmb}r1I>;$57P-!kwQK_{A!kru`lW@V^>m$5(Az2T+iR6a{AT)tX6`Gw za$2w6XM$hWUm8miHh2&tlBo<)5yQRixl=-SPl{&Umq7dWuQRb)S$+ntU2k^~7Y9DL zANUBD#hMZ4BDQI{f-?0KI9ujBnz)cV4}FQqu3v@9sU8T#!oxrxn9)YE1_e{%I34^I zO0pyBA-z78!Mq&qVrqDZ9v5^O;uiN)uZjvgCPKC@C%Y`U(0CQ52$Q3pUNdQYE6;IZ ziSoKL)3)su=QKm@%G+b`0nWyzZ*8$%Y0yPmJM)OBIt$Ix<%PYPlYO-8?CchwlmP7l z?#JHyg1p2aL2%HWMN9v=r>sJs{qIf$j6_*Hp!bz|w{@FTy?OKIv{WJv6_6ynL@QX_ z^GaxY9r*M{J35);qd0d@ivwYCkcYu&Rq$wjcfym6()gu=MY-v3-rVw}q>*^8*-Okv zIzt~K@XgJuw`ZXh?ew3St$(Jg5h`~`&5G{9qITQoFt-KF?{a3{p_~vg`4JQiPVTmC zUSoITgbnAntD1%L)N~Gt*G+faaPy#2%S#@|sysFeFXvAvY$JT^l9?8L;PH;|%axRI zAFaL51x&Xl6=K65fnZ`XttFR=xUIR}O`H6rV*sCA$QbS?0v`fv3}(74RUELDgoas|G4&r(K=&a2ZYln^_?w9OANk?_J@B9v9)7rGy8phPUK z`>s(sSOso!ggbUjB|-Sy+K0Edn>!R(%-_3e#*qI~mhigJ_~v&=#kM+Uym{j)7;x{N zuI#%)iS%uFL$?JJzj?KL@Q>KxV@fyM)EI;ktDZt`R}c6a*K6*IB#Y2sjK}LOJ~@|* zj@;j*_(XvyNwW4E@7CcbCwY!)o7FUIu4d=Os^daTIr-PSYlEZ;*xuLuy0~1fqJ`8e ziLW>K%%}}c(=yl9A$ytM@u-t^yUGpyw!~p*8--=p>v%Xx_ySk}N6($C)~B0h!qCbh z;4p8iG?H~NnAoatc~W9A^KwkQK$NCjlYw^}sZvo%>GM%+6Ff=EBQ)8>_HiGPM;*s| z*?D;B{Z{*?RnBy({ivZ1KydA;bv*@jcJy|+_(H;_?a|6rd2ZNV%|0K|Wv2B}YzHas z;*N|0kD9vtRH&g44>Gs~E=d8BOBQ5do03WRtKeu`U*idN;bcrtd%1pbSK82Hr5ZJn zjA`|>o>RtJqaPXxo}RWb3pc{IkjUBjH#!uI^X9AA4;B=Cmrs?=_v}#`$G&c1w|W;> zY&SUcmMUs#Cl($gJ5{wFx6~JnA0jP`cyaPA%D62wS5{9{UH+nQ>6*H)qTl6i%`7WH z8NDqoIFS$@G-Jewwizm`COVHsSn3K&^8)kQY}ZA0HTJ}TW+m=T=@vdyo|R&txu>z!eZ^=P`}Eef~!yGfMhW;c7stbP~W|EK+?hGdaa zos0!DdV{(FrAid_VS3MFor1B~wiaafc#Y9Fp+}Y;=5}Wf`5^TiZ_UDoHr@H)oY;7g zML8TXO*&MG^C-c*cjMw=EZsXgD2L4ydd|10ggdpzj0%T9NfeVl7{rOe(@dj8u{!|Q6#8=fb zt=Z7jWZclIU6-9yklDUq!0wjk#oC!P`6w1OJlP{n?|!@p&T~YV#@=#m`LO}Tk=*Co zXe%NWOqIJ_%Bg9i`D@{h-2Oy-uI+T~Ry6f_@g?#8lRNNZCkQ(+GwvwadTXgK%@7^o z7Kh#VTZh#UsX$GH!++r2WFoOFVmZ@;CK&X{KYYykNce;@Zt9@8oMjlUyiMqVt=~g$ zZxZ-^DA7ZHHZP##!F9|1Gis^~Vwz2x@23`FgB#Y>D>E$7&xgO=$2xcUsmsSy8)cw@=QSKe9_}u*P9T(bj6#lSk>;bXgUZ<;lMs1p9Dz9;z?X0z;qV6_CbDctp{u z0HtFE>rb%_bxK`hgW;E>A@NHd-EZC;2zA27r%hA#i1$NP&Z^UAvw#A;mIdy zV$b$9*dO&iwoA*7cuJpJ8;*y<>^^JPqBVXb#WKIA1muK70SEb#aE zL)wq)2D{DJLn;Xs@83~;M&^3)v-=-STXI*2j6R8IQWtGZj1BVW_I>ekrj-RGKW8!ZE9(-n40gLwbpm|TZMC+BWSHF3YO zt)CWbpl{4jNg6+?U|>DdT$00Xuo%@YWBPFPMqcyO4>G6&w3b$<#Qy;5vHEkfsnjbK zEAdLY>PJAKb8FqDeK~?PVZW{V|VO8b%NK0+@R?xVd+Gm_GogxVQgArP?0OmIjrFn_+b2O zlzg&rabs1{UKCHlhmmh4yStfNSdceR=d%WR&H)tC*YmW1tEW>9wDvez`+4S;gWei9 z)-I4)S9~&Y0&H{wW&Y;8<1l{13|M}GtyR8*X!;(g}bUT2!(ZJ z?xfDeg1bF`Lc);6&t1ee{fVc>A}NAA*~rImqRSUWyT>>!9<=MkX^wA?rtC6{ zmR`5ENjQ3t$BShUpH&1C-W+SRtu%~Mey%a{{yHUWUMUjZJOJKuWL804R4oY|l^+;} zQ+IFiE-H`&C-~2Fwr5*MGuLfuke9G3bT}VRYRs{S&pa=6euV)3^=vZizXiJJ&vJBbL|d1zF0;_ik{&ARwDl=Wy%73bojSzVdM_;r9%)1 zBdhWg8(G^ox(Ml-g~$IatIQUME7MBFCvo9uX)1OLyr7Y?niad`>vgPqlcO)7Kv}bi zOPV5wEA!H@ont!@Som&q`mo>MOIZ4G9==YhlU?G3fP&p3NsubIXQYArzz15w<@O4+ zw3`)TQ;HmmX08faYGYl=5KbRm@Q>X2@bbdP@IeuN**Ck%B0JXFXSzGAH!(V3f*LzF zdT;|c=cdLQ3vv0BD7SxnPRGFbnlFVP|9}@gZN{l}C}p!~*8I}wGo=HfZg3X)u>V>( zEXH6D=57OEg9CPk++^h%Mf!3dSD;+;i;?W7hRxFN%Ix6JO8o~H2W|D|`Zpsm0qAZIwu~2u-hEg)@oKO)WvJlq z5&1AP(PPHQt2$bO%QS5_+s5fd6@H=w$ht54z*Uvs>OQH^}>+*8T@R&kPOAI_3~YyU=7 zZ+Y@4+fWid8G2V87g2dkdjuR=d|2XQ;oz}#JET#{3-=s3wIfwN_fN!M{QZM^Q%p3i zqhss99m3V#+~aH)XK~7=ep+^V!<>bkDY!hx{@FA+HhP+8^Xr^_>9QxJoxcgUq_OaB z;Y&0AQhVy<9g};+>%d=4-d{%En3R!W47fyIFp%SNE7U&HFqCLCsdq2hf_5P@!{6UM zd`WF0>&=@7BD(0^OP&73oZ;1OJq~d6UJQ6WJjbjMS5PW{wX1LIX@4-uSO}+ zujE)~nGqpp@_C5+K|@AmQ%T7)!4kM*vv9D!OJ568cml)QHy_i6mj*?}(!+N3v#e4> z93gGKY(aTJR;FN>(iWGZZb(LU+T5mA%Qx_CxODMiRVf1u45D7%a8+~@$FE&TcF4I_ zJpxNgVYn-~964q;H^>bQ`8V7-c(9z)<6A%AWNjU^&bV@3`vS$&^6@rtVz=~}x|ZHi zeN40Nl5Fom1W~~^Ybl)3nip+bz;57lmAcQt=MXxUG^jLv^@oG5q*NGc#^Q^wemuI7mDsN9WD>t z)XSD9tBP#Oyc?gh^i#fI9;RzpU10Zi z^EAeqSLuj9sBcxAGVmRLI%H;;TJreOb7L`clN@X6%EECMt~2GQicAHIwd` zi3?66AIz&J7EYB9xi5v~iSo1gip6#C;JpAUZsr@M03!Pp;?z6GLi$@X&2Q6vr%7kS zZvcvst2?cj8@MCrMw0zhIrqH+fjJ#GuO27`?QP8_q$%$ojWnHDJ#YS_{zx#_spt1u ze_oVuoY3F==v(Qi*z8Hy1+fe{>Z>-{0%tNh`1S4zJ?f*(%@ii$w=%sTP-61Y4DPEFpD4xJJ9_WnvFw?h5cQ@|AzZPaR z)ZDk2`}VozDDPLe6iAWvJ*Z2wi`U3-6`9lL6GD_I?g6 ze@dYFQnu!WZ^aQeI$UzJuGmfd=Ha)TO4Vx^$2UW!{jthq(;s#LT|-&g(e5+HOgdtf z70dW%%%x)FI`f7WKv5%Pog*bOQKJeTuK}rOExuiaX$~;e=V{<3?$vV04_Qc`BLk0CBIKZg}x}sQg}?>mF+!* zCMI%1z4~{8koH8?u?}>4Pqr*drrr*PL?m|ymQT-8NH?mli=uxQI}v%2E7`1~lSoZ5 zl#cS)<8;E`heNcs|4K|;JxSUm8Ny4)&Z<`!4kyaqDj>ubxjndYn&+ck@N(Des;kD= zHv#!nD?`yod^3Nt$DN+rg7TXZg_LXWN+Fg!`f4!s=*EE1p&&0-o`0%>y9fmd4|mZu zWZ(rZtn{(%YUwtm8@4!dsyBW`f)E|IgWzzQ`;OZJwRD&A%e zRite9xr_B?nV2x!%q?c~sy5{Jg-{%d??3*8AgZ=)OsqSFkokRHP|mf)10Pz+3D2+8 zTi9%ul-H>d>K=>cGM)WrYjBoD&lF@>QuSDH!U@rAGErAcQ%d0>MIS6kG~;4h>O@D1W(wtbL2-9aT1=aO*%b5weu< zcI=j!j0`pB0wScg4GBrAdq>Ak?hn=}CYQ4R72*c%eivXjLe!*k`Pa@Fy3FH_D4^ODL0<~M!MI@*>nn`Oo}_l zZo+6F-beMfP84Fq_7dOkJOyLLthFxcih;9JY3Bi(1LC>tRYeXyXP4NKacN7A_R;zv zAU~usL)kmOug;XcM0$Q>{vUSvC*E)qV3ys?+llp4CEI+tH2w+68X-0l!Mq$>_CR zCLBf_Dp(C(yB{1s%kb{fg7ngL4|nOKzsi6v=E7H~`e7AmF7Iii`pr+Qzd#%#FY6>N zEfs$JHh=%lg1lV~#h(j2NiEdLwY{oYB>x5D<3DvLv4}czU%a+kD2C;!1) z3IIL);x>8tN!tX?teT$UH*abY+-2{R9^$29V=96bEjBvYZa+aFfE~Z|t9Yp<4W5)- z5wZ6bcUxccHOC$$*5t~Esb{dGrM&b8&qg05p&s4Z%w4R5V1-bxMaO66JW; zwAqg{NHM57#a1)${4kz~`eV7$C>B*$-ZsD|v{CfZZBofxT$w4aRpK_zJSs2I+F@Ew zsFqnbCgb*FKZ$@dvFs8nVI?PWn`%cgv;zAH%)L%-7uZ4JUgMqq`JG>5V#9Tyl-czv zvh0aMfSwV-;~}J^X+9%)^WdAmyM+xJ(GC?BMJ&DZfuP_rpSH!EJnCmF3>eaR$?|h{ zPjc9hKz!BZF*Ytwma*!)Etz_hdsr0p)znCbx&w3mWE+IFSNO7{8~qlPoVE(61Ld9S zhC2IkgtMfsbm=9ZUW)`5qNJJ{vLh;)$eeDyJ!-JTDSrQ$qwJt4FfsV~?Qj*#X*wbz zR42fE`<}+hNDp6o+fRmEN&eoG0!!Y#UyU$;yC)>$sBuY9XD& zS`{MxX-LE(lxZbSbCfHr{p`4B$;6v;!FZRP$v@cat*f|FA%ENP8C3Z&HCH-S>}5LJ z`j&ApI_r$heP@7nYICj2!+R_HqfOi&Hz-TXQj4A$1>pVgEz5cSlw#5C z;;EJ7B+QzC3k^HJJvy*4a-Bkl-NX&|*9}?=v_E?xIjH@LfAX%=0f-XUt$ zIA1rKV>)5f8S;@}&}2d_&dfHyE3P*x?g$aDmOa=R^=l9K`WTdvD35m$*w+c^u_cV@ zK=PUelFfOmjpuCxSj`Cf@%1<{+IG(q;XW0a{OBLu^dPu6&{2lv-!DywKbgIaag%{H z6(3IuG~fQgU_W;UiE^pDsHA3OveBP8!;Bp5WnS36R$y%Fs*fFlSayzxXM}Ax_!kCq zAsS`sx?Z>JSU5t1nL<_$7#X=qZ$HkHt13G}wNkpZ|HF=+u%dl|E>nZb^wD$7R z_U%RW9ISe&7S8kIA1Y+;@5rME%)-GV4FwqSg4u`GEVrdaVwLqg8b4SsR4Cx9HL(qy zN?p28Zo2GBnGWg%j|J79U&3XY=zZoHE*A1R#eMFvgWDAvWo#k$t|ke?5;^3KLo8*s znhu2WH#F@qY~S$eRV>j*Sv)IC)&UZd*!l7q+p};vFhzEm848C_Nd19qVMPh@V;x4t zP^;g=WTauoe7O>`2^-xE&0KBT1@de+mqilIw}X zl0yk%FH{kQ8fejbdyd4clGjeqUP;nFY8XC+!bt&hDNt7b5Gtlr>6A?uS=cTv{H+g> z9%c6d^9*%V^U(>zMxrGYff{Ypm$cW5ID1w+9^;pj!>E3WYOEC}gS5>0e9y}@5p|2> z1;p4zziU7LyZY7MzI?E);%k8G>Gu?T9PH_;B! zs=dYwPZsqNL-cvgZs;*+hv_!m`%zIz-9S7!--Z9#@&&C)#q`r2`a@OS9N(@&yHIQn zF+?!}5~B3)P94Y)$N5Efq{5m&G@DL#?~j zI3&AO)_Y1+qwX5cTZPF=+H%tlN;#RAi}GsRzGNm)qxpo&|J%+xIlg-@N_G(_hAVqy zEuBvw&UIhE$wev1Z(O2VM7#F<*n1&YZ)fAHH73}9Ek+o7)I%o$)zNisj;(sssl8*n zSV|DR$$LqQJs*Qze#7m11}b*LkhGMhfvS}(U;Q{`Axl2-%8sN0PSy~&HqvfcS2|aC zF5Pm;ak^wQtxBvf8J00C&Noa6l=lDrmvC`lb(?sPo+B-c8?S6xaP`i6>*KO*~DJeQ{I9s?w@JG^|S>;*>%Z9n$ zz&ayTxGLbjb!%y%<{Fh&2Dbdq*52FiR&wg^kS;x3E>;@7Ck^zuWubPk%)1y$pv$~& zd(WY5i9Z%GF6^Yu=3W1h7tHhaxOg!tsgZU_uq-0;K55#wL1A6Xj~Tq6vOj|aK>=bT z-a4FAFYL=ERPSDP?Rwq|5n%_ZM#fS^?kFAlZS!33aN-D*K10eXqvpqo?fBTyP=~rA$mTW_(m5y88iwNA*HL7=AzeP6=9B)o)&H?R zR|J*usaHb*eL5+=Om5->Ix33h{Xj56aEh;JDd>fU5SDmO1X-6Ss@)io<5|N7!o|Ow z(pcB_uv!Fc$l|vOUT!(!i}G-3mpa&`+!k4t$cGSZgr}sxq$g--Ae~3Mj*XL-aCE2I zNyZe8Zs)p*$vD0AM6>d}mDQ^;Rz<=0eDICSqx;cu;>9DyjxE1cHLPt$Fzj#$KlLn# zZv$0S_|VYaHOU*5;s42ft zxcq$)Qdra(LI^LHEq-yC4tlZ74K*WFU*rAdMBLZ5Gxpr_m*$=)Iod;s`D^Q=Thb9@4s<=+P z?0wmq`9HWfSNDi>Xi_nkC^9zl8UWtJ=)l`9{ zXyaO`^qt+~{bmI|IPj%=)g^`=6}bg9Z~gvh+aTwV3dM(mRssk|mJ2-@{*w*#RtGW_ zb(AhuX7x9>Fd_QsA|WWjD8rZ~3XmQn09Vgg}l@EN8p7C;1j@>AqWCv@|PQ4f$DA3a7cHcdry~m1%oXx*^g{*SjV$x`H{zs$7yhQm%pKv$m)^l5aEH zGw9Xz@?^fOYbKX9_VG&YRZ}_Xk~}WlK+vO+D49=VwahX-woCN8MM-*&V=AIzkbl9e z*5wWp@1Mz;*3>u8M5Sgln^+m=$%%=%(aE~=;<*fePKS25vYueP^u5}kd_p2QCdDHa zPv_KqHPkw{5U+uAG$E;xh#5swx~J)dZEAgOc=FE4igl<)d2quUZ9k>$0RTux8xs;! zI&xA#k=iI8Iga<2A=W#*-=L0ODd2-!ODFl=r2^AOU$I&b(<@|gs70(Vj&+L7yaU$b z%*X~%mOb8jhn{I0q0>ZtMz0M{%*r7&|c%1Z~j6!@5Cyr{a;%{rcGeGHra%F*U71$F~{EUu7Q@Q%a$`*g{}lm zx0|o$f^Ap|dASS4$)l;ieuC1y79)iMz+bH2Ez?+GXhPVeT0u^^g1SkeE@t7vHYF1% zC!^$t<@0F?m6F_w!wScC{oY#C{jNws)aUFc8?&SjUh`JbM{ueZa^~6#I+@&jT&J|J zubHY)wh!~dyHNS2D|Ghd+$_K)LEG2Ei#`VhWz)`YOz6cyHc$myD9X-AhD1c``v*BL z_SyN+XlW(&+k#QG+7~%9QoCJlW%D6OUCBq2#Lh*g~E^~cg zh&pgXWE7&`-(SbRue98MLdgYDxBF$v^*#rm&TPx`8*2>a3ql|K%xyT%(||&linD$J zKRWpuBr>y8yVnx|IbVM~u39Q-;6OUSn~1ZlY92H)qd;r@E1>=<*AzInJ)lZ zUxLP6Ek1&Dsay(?p}1s&BG6{E(vFA9MO7&2``rfqkLwD1)9Ru5&E;4IDY7FY+6glE zeCQT9CYr@Pv01mXvuC7&J;{ngy}Exo&_e`;WtaeXI|5wQ&m4|GtIB7qvw&g*YeWSf zo#lt2R+NVVH*subwb}9&U_-!mMu5>LL)rT_&>2l^8<9e=;uOY)IkeJ;P+VOUOx_; znSvu<_%>VZTV5SU6DCO`hQvcmz1&9-Q#ImkJOk^Yf2tE>Mv21ozj;x}#6_ zeI^wHClSUU4pvRN_mx#-U8}z*ko#Y^O9Qrbmd#gh*L+#V{~0^C$Q@4Yu7FIFW~pV^ z+C0-d$a3YFU%jt8-K(v%*zA*KvofIGyb&Half5{ZXyMRO5W<^iI}hZYt{>4Q!rLry z>w>*fla@_Dfe+*#7|hSBgO9=p4TUE0znD-uF8!90eu^aKy(wRskE|~jQiO1y!Y`NV zman?oFkzOX-dGti>rJHEBH}n}BYuT1YPB8~ z^wzRsj$s#Fft@ZH@*IA85;(b9zzcM3{(l`aZh}(5#(J9Zk1Y*%s;yA(|Ae08-G-@0 zI%ZpQ!t|y~cED@^aIa2?_#AvIPGzKI=<&hmio@*mcCiC+uaE#{5(#(Q7H*PzUe35Hr9C-_|`r3-z7@cZt z!bz|}S1l4Tsm!l0-^nb#??NV!t2S;w`XkKs7>BoK3Gs;b2iA+zmn;rV+K@z?;xt&G z5Fm|uy+bJamI3BggMj&)oPYN#BF^}Cel#6!sh4nU70`C!FW>FsaitROcz3>2ciu@Q z!cnYL*pv^`K4%j2b>Md|7xFicP}$(cnxZ}*SQVnyUCl?=C%vpY38edEY8@~&r*CP^ zWJBrk)$!0dHdd+w)O43nz4v4_n;2yUgBtB7NBQgt6vJdmiy*1(@f650893Z+5Q~ChjEf#qKIQj z4e|%$ul>-UVoY{~sU%AnG3z!Iiv&%Ft9L}885Lb-Yl<=c{Tlfj!nu*EJflrI%4{GP z2HYPF2TuPmpW$Iv{aBHgq$Ga5zQC#e*;8&1Tkla3mqjC~m5sg1>ldLxrJ*ovLJmnh z=?`-Zc#yOFq^{4@Gqa$<&BA&o!}FKSpdX)V8Xq&6L!)N$fx%f&ql>n0e)^S?k`(5A z4%w7>)xe}$EW?9lfNtJe>|xi(jQw+kGI?_=U@kDoRw%0=p(0Q{p_)#UbMH9?6xDy@^(RY z(2B8=*|6g`%fU={@1V}N8i$S;1#heYdyB4CBI!$oiPGmV3X@#31j8ULH@c8s!5JCi z=7dco>i5A0xL`m4Br%=T@ZpaQ8X)i!HXR$})#~Xq$-;HvlU+s+&Jrft(~m!bnIxtB zAmN-BXxX7iG+%-jFVNY*j6S3{4P^fZ*#Zxeh*4EBPS3IP>Ah2JO%gBo&$pbcyEVf3 zJZHx(vydx~5qSh0BVAcw!x=N9vHHC0l9~EY;WFJYD&D6%x3F#%#;-bN`zHN#?%!yp zgLPAF3Jn^7#y0>Twc|BDpvgc`4`(w6b2R1aAF-Pf?RMl8WDd8VH)~k6ZpV{&UuJ2| zcE_d!n|5uOf7?A}8m`UsOByS;)&AL?QRHSQ9yepJ!!G_pTxv_y(s{U8R(IN{1no$N zQ_vQ!jGREIw+tl@n!lbfB%}Rpxk6*NxL%_vQifxAp~AAFZM*W`WmK^@YBidS(D8#jq-QhuDsR^Z1&a@ zm3Nz-YpCGFyE(jyU2q)_lTd*W0~UfQSpI zFrrSKrjMITyGUvzvF7T6rt9smP@r+-I}D?s2R{r45Aa|scz(AN8$3!A3_G@hPg9nD ze>$jddUQ1MxA9hMma6x73Rx~E_FJ-Xw7Q*b{ZOAdnokQY3KWizVNlks*d__&-k_ih zL#BwQj4*0dVlq*}MV{tSS+Bon#RtBljCy#J>XZ`vbNxt6e|8E7F7ttNQzWk>=Ij#;SHyedJD&z7^&WR6&#Mfm0kkN@wnf*-#iUH&CZ=3zW)K zk5jN*M_V=q-&(2DE_ zP9c31$oW2C`%xoxWcGuD**{v*8nhV7>9Qa7yvClu#DbQH%{j1!iHuhv%PRMJRe-<^ zR=alN_fNprsUp9J9JzAoNVFAmAnn(`R@{{zy|e?YmCw~dOgQmt6B)g11QCXVy1^gf!oiDWw3NZX^bMF-(}DR- zg{(=S6hnyftl3Le#_c36&*qhu`NGi;E`;wj-p-)`DnQO0YQ`R-CEp%rptaUUJtB=B zl<8nLLnza5sEs^v%?~yKnjDl?vPny31r;_Q=+u_(yzm=v*tg`!t6R@)di*t}c?rc@ zh>fWbdX33y4d@0ijAR`&TXp;{0l?F~bkbtZQOy=eQ^3FXgFV&IB$G5bn|c|eKJYtR zd89;$AXSGgGA}-{wz*IXLQ3s~-<`DKlfT0m4Jds-;+rovZ^reN# zV&?XcjoZRm;%Q(1<=JY49=7oO6Jhw;A1oCCq@W=M)+xXZZMpW&?+A5&wW}R zl&5`yS%e2V^~T;iZ@*h5gt_o%FsbV}@ZpatLr81X7}35b0MD-caLzSTc$@ zo}lEKSLl#Y?j!q-HNS*jj(eN64H%qBHiV$s*XNS1c$rL2F1ke z8BPL&K>0djfqUPGRawKrbC16efm0c#3K+n)No|?qP`v8PbvCfH1*`80v_5BFGgMRq zdT791hYKH~-oDUXrlKUYaRi<^F1+&OCg&|<*_IXi@Ck&&w8X=DsEmp@I^s<|dQc6= zA|g95bQ%!V6L$o0et5BIu5S}o#$WP(`og`$wL-mWJeLPGf?@mC6f5?nQZt#HqyfT@ z9sa;QGb!GwH(Zq1+c$OCXR2G%D9rFi=z56)ljXao-=;LEBY_;zuU2MQ)yGS^>2$pp9|!+*Lw@z(Y;X(Ok(I zhD%C7sg8{{cT(N{FwcUD-E++hY3pmgcOP^CR5wYr(?DqH(le~Rs-@a{R~DT{G|<4I zjzSRPVYPYCm1`=ofyu7^aDdeRx#U@3)|@Gm<|;4r^`#6X(D&cYO4%PpbcK01wbWydG=gX}5^q}1 zx6w^q8ri!|(4gdiuJK;BIlj*SyhwXTUI5`r9w)fS5(ZOd%dEl_K^^QK2!LL8R_=uw zl*CJ9q00SqbJOyf2>M%3;Tw~lRm@&ZMBy^|_W^oG$KLeBSZ@N%m>eee1>t6?OCuJc zYLiHnB+gwgu0zpG>fRkn^7s{Q8TZS|Da_5%Xv34Iy6f#(B zL_~vO3gPfKdpv;?(5W!L4{_6r{0N`0N*BED3wl#dB3|-nN@-{w$AvT4lyjw1iGGRv8;eMABsl9AeJN;h3&MK>!SYCP<4QEsm^$2 zljB&+{n$+3nnC&lIv9gR{Wm~1*q@_!)CWW_S6Pjn>mPy%lBHe4#+4z3;Xf-1) zNijP*MbIZ->Bd4+{Lr*?KRe;F+%1oK16(+a_%y+^fSjy$?+i~VsxK`6Bw-I~oujTe zu(0I>WAuo$t-B*GMPV)+*{2 zHdPe2vx-6NOZ%RaD8q;?ITZu-^z&XKawAfx70$eKN8*E!^;&03PKHNd>(yc$~H(x;43|HZb-!f7%jf{ZSj|K+l>4EHGi$%#7uMb zHx5~&UdrtZnFCANx@!!^t#0Iqu~#y=lBe!flWWw=+o$fVumDt5YJe}?Bp;F(g>+qC z_=$^xKpw}qdIAW-jU_X~NawZ=@IWmN1~c4mc04HdY!F)v1HIVx(7}fBxaFZ;cab6h z>AnWMW`l~^_boRn@J>LLoyxTs>c=}TxcEa$VwMe}idr+iZd1B!;r6w))r5i9)_CdG z<3A!%lna;UlxrX)g*Hthf=NveHGB%kxdU`A zZ=kISZ4r2jYSg*k_K~&e{zOp+R#lgw4t9b_)rbI&n@c2HGsZ;gJ?QYIK=_V}77p+3 zt{U$x#iNrLMz}H$z&h09UjGc`KX6%h1%Cuzv!PFOU61uy$g8T_BDb?iNhjI$)KqYe zf;%Jfe51i(!V)J&N*x;5-F3*jW8cCqr}WU`Ef>harxFcE#^)DL6~BroyO!ozGpnK$ z0X6>{5Y?T4q>V^rReT`J?EiJ-~o)589SH}5t6WAvvPb)T=zMa;RP_-FU~K4*85j zl37o5G==%ZzXo@j39E8Kn+l;7Q9Jr>8e+GpmS=6I^k5~E@o5D61=wEqsjm=y zxclskOvqC^;HNW#2>$u2_#aILf zh@q3)Z@`eqa|i?S_XOaeF4Sw=eya@TY_0XTPfeVYo$D4q?Ttpz&@XhoJVPF>FfVss z{MXOt@sD#L3auYT6jeDpmOnY}qE>R?{Hr? z;-%D|fK4;#&81Sd9LtJbIG{`J?FEhvx&mS??ey7vfX&r!_lS`P=Do>=GC#N2l5 z2JO1x1TYLo7~hsdvoMdJ<04hLJQW8mBoy!>8!E($f2-i3?VJizr(b3RP7?Tu3W^!f zJ){R_yD8Ks#Vg0_`nndSdRM@_Xw_uuSHr>gq_5V5YQWGMe51!(g|$r7;#(hujKa~y z4O&%sKa}lv>nZX-DM%i$o}{@opJU$c0}QdXZmpv352785x%(y-uWChkhta@_2Lo@T z)_4CCF(TMC__Wb%8VK^8h4c{F-ek60t+O<*+bs9^Vvckv2YokEmd!^w)X%G$VMBS1 zuq5CnqC}~%?yI7oK6g3#2`>rNZmbrGQ`pjpmVqENpMcI9;+x!>e3Nugtq*g^{XAfN zjP^bvyCaX3l+6UISP4*wzxv0dD(5HnV{v}ruB;UM?y}ay#=M)_^R>TCC_A_R!i)sJ z{iA}RxaK6$Vu#3n_0m>)A)81DEu&Wi?>Z@2>G~s#rI|rTxB?znr^%w};PUL7ve7{3 zk(noA)Xish8aTHVnVe&{nHk1jl=8Oiyi@JtMyQbPb`{u%JaSJoD5jyj@n_uBXVW zKKve#YnAaZW$-2z(rjg#w>b1_*aj^h{lBRe>y_m^gJr*&4qp@Rj3Ebp@R_4;* ziQ);xL>jOMm(WUq23L!crs-I0E&3hE&Zh)nUJPaSz3A_My883SM+#)9CyeG+??i*` z&mpOVF2_5$Q=h*^X@=SYL?lG+IYU|=e`TfR9H2HH%+pM~Gf<-g1G}|4Ld1$(ucIdW!0IJy)ROXECLMKTyF85Tc0zqE z(?ts}jr_K9%f@=$UBuDLksp+7bXKNg7=;BDoz6pzh0;#t6KdSiP}XnlJKxRjF>l4l zt#tP+{x_7o6u88&fPG63zH6}ef8M_D1>++4D)HreC8g327B0Fjm7Bdd+Q8Xax#l^U z1Y6rH9BfzSxMR%p9n7=_>$b++z>np%L@&-HC>E60q{q2fE(PYzmJ;xMPqyr?SQiX9 zQ6Nw_n`+xH*R@!^g)|Dpgu--KOtwIbST!bmwsox{wTSGd%C^rq5;R08-%`Q zieb{G`PRUI3g|9~L_G=XK*M8Y;&GeR+RG4JZ#9IiNw>jHISKa;FjIsG#a3?nnxVh| zy^5NtE(B?tt^#L)owpGUjJ9(F)P7TTN+B#Sb1(rKG8zDSR*-EYb}B~bbVBVNZQ@7v z_q>-|`oS7(zUoE$aA$@|R#2gNP9O9sGl$Nek^-w_WmoWg6~rXR8k89Bl6QL;?LNY` zSd|uURu-*~I@yM4B&{}2J!eXNw&bq#7H2gM8&aX_GMdXtS4oL$&cC)1Pr>S4f&E|k zWOEA?_e?Hl*nV50YZT)~tGBL}?^F5!ogLGJt?>_HHYtX{;z2YXT6gc76_`%gxrHi0 z+Yv9cvj+7rx8c0d0GZ53>3T%f2EFtgGp-_zg5s0HV!7HtR)cEgHN~a6W}yR#7k+!) z-dEjQ59l|Nn0<7#R|EfHfpP-1^kF;?QG>u2?vF}G0PY}e%?XkT*b^ia@x;v&*(KT# z-Nq5F+tPu^45iTk`QgM2tWC6ZVVxJ`MWjx5tsQ|8x-BrWB}~085uFSgwcr$|PRmWW zcTQSph)!35P8S)DMVY0N{vd=Oiy2RgkwaD7?w&0xs>FTa^{Kjx4;N6#Kr{_vg%69| z|4Kd2e?i{icai~zm7|S%Q)tU4_?ou9!G#j}z!xnjL&_FDeD6gqFgYH;Kp{n}KoCko z;zM6-?gjoTJu?J$UmkL|$@dQAaqpkf;H1%ZPZ&r+$I2ZL`6G`K-PLO9ShH9!hp+br zFa*#SzND`hG^eaqno7@YbpRrQ4}&BZvV{-ad+`zJ3y!8r6OmMOMkiY(ub^3JDx%=>% zLB1E=zbgky(4X9cehYV#D&W^n1-Cy#uvcpK^UAsJ23bj0A(yk-dz zXCqf>46jhAlgJvE`nA2=$bg<96DW?Ls<8HteBct!L-v#hf>UC4Jzx3CC%TIR`GC0V ze9-MUyz-M3XKBrc>cc1Z3Mepz+4YtlV90@B8{gGWa&U+r=qL_GI;iG!F7YbvsEU*k zLz$98_=0+bA2Pxh9XLFgOa@NPC6v>@7 zI^$wIrpisC+Q-|oD^ZbYr%>(@j3^8{T&?6U6;835^MQOwK@^lFGhy(R%3@%?Vcw{H zA~Wk{2%=6lZELn+#eeSA*uK3TPy?S(($rc|mu^l%ZT~Wt(d_ z%mvDD0+hM>0*hg@^);F=b*P>T%*lnGH;8{wa2fAScZjJ(TBJQpxW^ZZ@qvAj4%HYu zP#2r7o;wecD0)zd4wG}XNvDDQY3JCh0g#_V9D7BMa31uqAgw)iMuJKh9%=Xe5{-O6 zu3Y>|5l&&k2<#gnqzMiDDO?q-zvG{+tXy|@!ESuT)$~>*6=|6<078EzrGAHRL{qx+ zIGVNf^`pS66>Mt=T=L!R1;rgH*8t#;2VmOI!tQ+L`Nh7#N*_=(TLTAF`HbD*4fw5| z6(s3;QZ*8!IZONgJr#Z0$JBNqZ(S~k;feZD=KauW!Qk^81_yvdu(?HIK-o14KE9uU ztjzDQSp2psVJKgC^a~i4Lt+cdXI#EW3TAX) zXwsot<`kRa$^?~Mh;9b7M$s|&2WT+FOjS@v!~KX;(Jsd@u6GM+6qeB&7(5b{Es1Kq z5jBcd41UR%1++fHpm71|*yjECdneLVg}$f#F~wvA7Y-QBg970zbb~VuYHI4diD`1* zJ<36w4F({*XWBB+s1=D5f)pqnOVdTpBUThLNVs({!vh;e!1mXxnALKO?{I$+Q4tjP zdHPjnM?4p<@fL)SD`19NlKU6X*PsT9A5Yj&5eMDnv8UJ}5QV&<-etrDm8L!Hqsep_4=701nlIPu{V4Wj6TUR< zv%CuwfH6~0-pr{h+_aVTtZY?;J#;Ar?|!!42$k;*;P26V5L)o499lQ&zBHV`ZZwSM z4@62IfXJud4(CvaAbcec`$qY>N#cGk#YYN~9_1KqV?s*{cFM{SYG3&MkJrd(++Z$| ztX9dNeHhQJv$=M?_Fwm0%QDZM^=Zi)B~m1HidqcZC3JQ1C=B_p2FYeB&u6?v4I_0K z^~Iau8pZwAyTI~aT0Gmp(ixZoVpzzNqW(G1>(awV?yBP9 z_Sqe9r}~dNz2uP(?*QvmK(1s@yzOod(nU5)v|K^rH~!4UlN zmPQDu^(#A3&c)bgNl3fE4HsBubLf?=WzkYo8lDeG#X+U<77&9(CWj`_($Z2Cq<&3( zt!>M3k~sf3-%V&vYe4O)ibstk$r4OQD+e{g)OZYt`NvP1W7+i`Z{Z(6eUY)07Yfqa zNY}Kfnhk{VoDU;EtCk4C9M+nYG@odhhkPVYnhWcDg9a%FPF@Q@77Ct>Nm<-T5R$3I*f-peN}bo+ot6nY$aPE5Bq~8+ ztSn9=iD=U`YwNNc*cYq=f@`ucqgWp{-e~BPdH_t_VI)TiJx|}EmKPXp1p=)RCgP#a z_aOj*TJ8P!F*24`R;Wh?f_-wX@TM)hzFlS4M-|6RYyLpzcR4w8SpS(z)1Xu(X~^ZJ zsT6Z-mE|++i5CT79@p+gS8Y($N%sJdh!SK(x}sfII*fGGJPoW=A87ReabV@7U)*bJ zP9tB>Ug@JqS?9QCiOhohXx@61{Q?jIsi-1lSLaSwvrMYQuCL$?KF#uEcGq_7E*`00 zY$nz4t}T=)jUE&>(90LXiH82o0G}?o^lS>1?GGBRfjo9FpA1-XWk?!;h#^bG>F;6@ z%s3nti-k##<}0@=<8Co$qWUdx;1agU5tMEZ+KFpCt`EQqZw*g20%coU!g4{<;+GBg z^wCHn&x{ZjQrZOogS3vp=OUP4xLBcuYPAwe3?^u@ih(RP1bNbe9<*bb2V128?s>Ff zQ@G~>1H^09)K|L}A!S0s*$7b~G>25oAs!$q6~!+AU;T;i11x8{hG10@=k=_;5H0cI zVB?zgqOc($CIc}Ei=D7bwjn@93hI3d#x=_qRpkacj&;}oUA0R#%PTqB-PYB-V8ev+ zv_bizVZQXB_hgSs%#>pr8CCl3Iu{=x1*f`u^aPfWA%ir2pJoNy&=$*`ZNCA@P34;( z9_~7?+c-UA8%;aU3uIiXDq3Hs{*$kM0Dcs8pjUdy=tDpZ6EhotS~Ijea!G$ok;~nG zXC0bUUjIxlKNX|5l0jWX6kBl0wxz(l0 z+xLCDzove~8}w0wHaDR%41Pb`p`ZWos4S_Zsts3F=)7Y+U<34Tu%VAtU);G`*O>lLy!~qeV7m^azF`HCuSzGZi{G z)?CZ8F{py_4Ryog^_T?_s1l38BWbFfBB9hgIt$sFQdh7+N6Mc^=SY?Q@u!yg>kct8D zt1$tYMId(v5v(Z=W(C_sMy-DPHhKyGa;7HBA%6piDj|69R@XRuwVd+ zCoeOgiR2UtZUMNl^s)i4UL?l&!U4g5ljWc&v9`>2e2$t5ESIfC_6p*7N~M-Kt`pm6gLoWxGC2nrN@7&K`a-Sr#p-F5-I4>e3O z>UhZnV+u{}0w_}PHyuzkJQpDzoTr#+qp$1qV2v7r;K7yAOyQ%q)P~>0U2uo?a**S$zz!;DqHtOej-vYMF&bBS2y6H|-+^F?%u{8jnFi07A0LUYE{iLOH!gKiTS4iuE z^_P*0bf$MG&EHp+Tzj_p@N`;l#zMbV1Z^NMVHJs>oLs!-JP$PA^8f}?(?R415lW2r zV}@^!T-!7P#g70G=)p91_0!_95yw8R!mjS;{Q{wBmRZjhI!$AqKu&As$lC z7jJYc#_jIv@+@Xz@Fl_pI%6by9-We{@X63QarTAAoigWwYH$l58#7L&p*efQ2Put5vqp>>NcAz(4l|F zbmGTn*Pee*p&YGe1vTk_Kk67_9|ygAOI8rfMe^KX=Zr47&C{b$FA=o*D?``#G<N;Xlma+rdro5&ynhGHP&iL~+SR^wuq zK;2$Qw-b8RP`V0=u%4@m?#?_s8m>j&E0UYqzNy~7bR@+{mq5GYv?6w3ba0lH*UrLbL_>VV;kBwitzn;>D-@xA9eqxu&`_#S-eZE zZBt-BlPpAxmKh9lP#FAR9_g-7lj%Nh6ZheRIRHO0fNlwwiF*mW>SbTQn!`OV0jhc5 z*mwsLS!MXM0qCFifYszy^imWvcPc(2t$Lii5#Bd3wt*%0=EcV+4t=kx(ztr{S%bHh zYV>*Sz*B0H21pOy$uJ<(s|{NfF0q4+P0Pe2PSU0$5kO7(o1<4VJPs3+`z6)Y)n_1M zX!R$#K^v8X=aOUZEHsDDf@4J2R;nVHlaiT!x7dT)rVTMYrQ`*>6-e%u%4=`x25)(I z-rJ}wCsR0T^Oh~L-#dE7baHU79j>E7pI!zC}BseQC5c{qla22}v@g^Ih2dnmS(G<$<4qXUkOF zvk#lDiQjuOy;j3|_`v%a<5R&gy0L%fUs~L}Fw)xHi$6=FZgzcEQ6pHJUR)+|?{1d9 zG`Cnj?3MR73%#D<7#X8ddDF}0@%=K^TWN*ze#Y#DA!i>?bJhqodA_Vt|Ld+h_v&h5 zrz`H+o)PaQy4e)lOas;--lFx*MbR)7|EbK@k8Uq=yb5W#0m0s}G0`h!?{{p^^ytn! zl6I5994%7vT~1(l#YfO{Rm-8!IaBYxlQY!`3bxID zs6#SK`t|GA&;9%w$J#PSX9|-`!DLRKJXzYkY4Fph3kltMeG8vmv6j(Nw$Yd8=OGIi zS71pSSplLTX_DjdR|s!{wZb;QnPP zak_J3>5lUTxF(I#!ikB8H^Rls!SG6+A1K``++^n@X!R!Fd(G?k(;S};UsmpVAX)r{ zcS|oX-rcka4(bkoY)wwxvo%>nE$yzF0*n6iDuv+L667`;xDGTZ5X}N}^g9 zQ)Mx4v(8%i$zJ765iK@iUaau7=2KO@GcoL;oD%JBi^8_8QJIMoDIrCxucsV#X7%Nn zINc@#dn7JVQc^+`daL=fIKgt^g-O)me!xt%;Ncu0QMUjG`P|=M1Bm%3pSK1E22R|c zfwGd4ja9yW-S0?q&I{R-CzVK@ZiGDx?HR;ikV!sQF!5z)X&!W-8aW0QL6g6#nQjsW zdY$+4@Yr-*yK?2}WzrnDixU_C7$mBqZRh!3gA`?dJ($ChuA(BLq80mu>^sh>CzL}D z4Z01z^=*v5!RgN-aUHN-BXl5_t(B#PNMzs1(3DfbBNu>J;_PV4=;N(C4|5ZO zg7$ktyT7U&>9)H1n3v>@ixw71nw}G3d*^xUOKWl(W%`^-+ph{@pg1d@(*;YBzCzo@ zt%f1(4Bt8ReE;47qn2BG=KKCJ{N}{X`09xnX(IVLd1o5pPuvq0;;-{*(hZ8d7lvQ? zLBC?0FY%Bx>zlwx6V(en%U##}iDDees^puM9jJ#NC|dZ(ZFc-^M!hKabH$XEj*Ta{ zrRz^Wp0AEc@C^NM)pkvTCz=QU!KrZEFX@|Ygxrmjf#oi&duXyF>1JNG`EbL&ABD@6ixln>rv)^a<6r z7~oMwo1CnzQ}plB`}^aLUiOjxqqED?OncA;Vgsuf>5na2IJk#^HGJqI1S;S5WO{BB zaC{uIGR@bFyxuA-_bHG2Q`2w)Mb<$M2D$Os!M+K;@3zd{>M7)lOx~WKI_i=DZ}t6A8Q#{MR7jZ}d6!Xdj|n-~VJ#^z{Ao{bM|G>u6wZkA ziY}wFxs!XVxZOzW7DZ}mjIC63n8aAf2cg${O6Tf6h~tLqU;=XH`?`mX=JQjRy_Wl| z1y_o9URQKdFN#=wgD!+I#KR$FlC`qYgHun6CDuaDZ6=YR%ra7CElFjvg6j7@tU>2A{%Y3E-2ddTuCT1zJGrPHuDfZe7FLQ;kWekA|p< zjs5A6GdJhn@f-JaV$h{cvNN-*8tUu)#$ku$y9x*BL1|$%6v_p3Ovv}iJh!4=UR_Za zY9(pWv}`r&>7iaw;0JQ(WB<-;d?exouYNG?jAE{Kh{z*9H^-2o*(a?C}_ph z+BIZCQvB%oC_Tzkwv3K5FRL6cUD~`Lt76qjuw|n;mf=cgCjMQ<2f-O*3YWv^?$#l7 z<*Y2`GS=Q|XZiU7bKrqN>K(~=Br9j%_YZBfbk#Pv6p6Z`A02;)WH)}|m}c195sb&* zPf0_}nT)=0dl-+r+Z|Ug-MqZK(j46GiJjV)?XBK)zDdz<1i~@VDKa!P6ark_t@lb6 z@T4C8GiU1l-nZ``*^nWFbwG}pS9f4mk^x@pBUq_WyrY30qn;hW{|b5T|Fj&bX1_$czk zzZP;SHMuCE0+G9n6E>AL6tg$@Hb4zFbO>(03H`lIQlB&*EZRwKKKCJkFAMDsT zb%HG<1@gQ{2fvk-T{AK=DrGo9L7)Nl##|lpH$5RJcmw_vGq`s3YMY>cL*uWi-y=-{ zQPKLly_DqHcTwrPT?kZL&b?YqpRrLpI?57O-`>+uSY0s2r~}#^oly`L7M7p$~-Xr>5+U zDG+PYqk_XyU7h96l<)0Om|G^{v zuBa~ktakh+P>~|DmGDaDU|aTf6-~#UROKds`()0iHtiU9$rEDysW;yKBU@r|z^>Gj z3y@U0=0c9J^C9CDqe9&EgO!66U`<5`a-VoJM``?e*8eksl-D8r!~P zF3r$tf&kfN)MvOk7j0q*CjvEg8`#ds$#xDd)GH@~ zmcRNv9~~^0y)h5Z-jcw!i&JoM*c)%oT~s?i`IHYC++nM~^c%dW0So}-z7Etaee9~6 z>DESithYwq@b7*O5@*h2VvAn#TJd#XE&Nqa?r`cBu>g2nmOJdva zV1HoU1A2Py`}PhG4{H>*v^iM()1Fe|m7c}6y&gN?nM|b@WM8y$5!R*LePV1J$+OJ# zD+9oKkK}{{sCoS9jgHU{GPijpORqVOCfeO5iW-Clha9GIAG<_IEq)++II2eT^{v4* zZ%ayHHs5Ye`NWGgjKVTg1ZMdaNf&AqR-fCDdu3-wsKtp!i=(_2qk~k9S6b#O+zM+Y z*DP^#giYYz$ck&4H_b+#j{GwKkf8@UK6X(6vi;5}nz|?gHpv-{(``9V+OcDM?V7^E zB>*kYsTtIvM3O=cfZ2eLoGdztu!^gqFjoAqqVeX+AMS z$Lt+&Kc5-F!hRXTI*;4XQ9+%ozhJ*is(lAEy!ej;VSLA3l`3%<+mafROkc_=9PGoC z4F^C_^T%4|=eAPK7M z=E#{hX14uiYVvZI^Y?`Q&>M{px!djDe zvbuSv^JYVD!>TtDH);gEbSP@pP5WM~CPsMUJfFzLroOd@fEHF|YP=?x8854Hi$~7s zpVfu$jPdxG^IkJg)AbvI2Jmq&sG2wbdX$c(dJ1BgK361$I+gr5E!lUN#Zl6B9GF1YQLK%57F3dtC=J0QgZ7!2NDfSmB+F zcYYgi_hW3iFKsXP&)xa4&vxwEB_1ze2zI-&vLX&a5I5eg0fTuSxZJS%Q4rk3R72+g|`K4BFb-$nY@5*}gzEeo0A9*a6!J+j9G| z0)Xw)gUy|3*)ScH(NyhBC3tjU2%iO{3Z>bbHf{2^64oc*0T&&_2b_0lNZ{Pchit7NZhu`}0r~~zo4ZFl-Z&9XluN+U4^tsx&bn0ew84puWMUUHGaUAdhU! zahPlo5s@9+x7*E*H*);kyTW3geo`$uC9P;xXSC(-g$j4bR9P@rF5XFNfj#NTTvCuB zRz*nF*mObPWFn_c?nUqi&5*if-}}4~1$ijA!sEO~4F%-nblK!*UWvdg&LJ*>n+Vrt ztYVP|p*z*EsFS_`&wTN_Nwox?_c{h6Lc~fq)Ac-ImYkxx@!}x+fPRN}>R|7%IDBod zZ1cH}5P$=AywJRwZ2x=?43s%XD$3p&c}nF?EHW#Ya!84S`QTY}y6_OjCko7&+bCUy zq*EvT{xf|VyU#3gBJdE#c-VAx0U0~c7uY|3Xrc>OPB>k3_oRWM>b^AIgj3PW?+dAg zS`ms}$yh_1mdVB$jxH4LxjolXS!F3T*~Wv;S3&yd>4fUUeEQbmjY1Z6Vcf9XTc!|qEk4QkLg;`nCoc~~WI z_ml>S55>jBXc*(-;?BT}%w^qpr+|O|t%K@ImSqz^8kUO}FLH>P`VsR6IJgzP^Z@3I zmg-bR%j?2Z8M8H0b>bi{_V@KAUVF*2&SY6Op7yn>f%i!r_Ad|=f$_t@cCk9BRqx-o z@3^9(BDeIzPeM=Url#sa8Y&6MA3aC{+?h+W9PkvLV5?BXX$T3aZr{GWJ=gAianKk_ zO7Gvl&(+xi=_7cnPj60kx}`x1t5fKar%BXHO4TLtpE`A|x9nvLY@^7HHs-0s*~$7QAdqOqrQ+5F#Lg;)~fxEMRi+Mx5zetm*{uQ_>DCeryXlZy>mnw%$ zkdx;d=eY1AINlpK<_%~wUmadHOB1!ac*3P|DLbZLIEoM7P2I=<ZFvPMV3Sf1mv6UQ1Dy-xgaJsy=vHOkq>#B*K~rrp1#uy zBhfIw*+Tf(4;>rg`ljNapJjQpbmV7i_|Lz^l~pX(OXl#W|7ls5-1Ml2rU?YtX3t_? zH}ti7_E1{7ySx8ypX}@HegE;}x!zeI{jeUrVvw)&)>1bl&=`fX(TA{e|EW6(r z2QJ_d0X+cM4GNupEzLh3Lg{y;A>k#Va#M0pR8;EIr+=83nzoM@L0+$?-+to1=WoG* zngXysp`g(OzH@x8tgK8xL7}s$e*;d`d({IT(_7hOqNo0U4mcc;3c)j6!IMmz8Mxrk z!(gNV;g&`IsQd2co?bK_EH_nD{9s|-F)$$d`R(F9?{X7%UgL1u=AZ2y9A=@8@)y3H zWSa(7*}TYwn8$zrz4g~${}61;On&(mbe2akd5~$s*CA{{P`~xS&ubp?-!;a*_78ImCMcWlbpez7 zao?(UmxuMg z^X1;b*yYW6y5H$y$kX8gX z2B0tN_z)*k^`96KOX#<9{>F+pD)-#7PefDm^eF(?Kg>2Ks3f1w`)<=!5!Yqjo^tDH z=ffm;FeaJ&M{MVJ(@aRe{aT>I&Air7<>*KSi(cZpE3(-| zsa`5sE1Lynbcx&%tQH-!oAmTKbiyD^b5O5dy$Y<7Iy6M+=^wmlb}fJ_-JP3%P0W_$QOqO%aRD!W|LZpYLn4<qjAf@3sFOY7W@9XQ;2>k+)WzVw7%gQ3EOuN&Ilef#`d#@$&T;y_(u{paUr-aQiX z^c!DU@hB-PqmcPx4InEYGjJ!dIs9KgnA2G}#mXvWPy|m6e%fj7#LBCX0{Sy`F5_K! zBq0Z}Jo4FJXU4bZqMf+48Txh&dgHFsYskNzgY*LsD^Z9ou^wo+Y*cegNT7~0&QGxu zkv3Iqxil1dy}p0bx^)o~)#bkQfJmr>*}JfFeWeQVtF6tAI8%#d7d|V)eE0P1XJ;Qo z^F0hNPK~w}H<`ef=IZ?~XMirFLL?5xC3k2=cJ5}{C_Q6+s@vU``3H!Kdz^r+|F+jD zO>b$pkraG7{13Dz@6(Ar_9Zu;>51GKm=cYul6@;y?yhl5uWuwn$FJwzB@CYQGL4{Y zackuZMd0JLtn*ANg$z%*eRT5ZDZ)*GP#fn~2B(dtZcWUHBQfJ$rQ_VSK!PoLaBLM9 za<;i2ROmc#$xl?;o^jq|JX$~o^h=8>C z%nv+&uG6wtUPk+wQ`+VC0{ZI`SnK9~!GUB&^NzBC5&6;6PR0?^Y3WvP2$gw5)|+h8 zJ~=p|v5Lj4;|lWuyfYR@-pz91c3*eDjdfW`Nx8M;x&c*GR0Ksw+vEof)zvkf(EqjW z;G&MKLy1^z0b#+W&fNt67I&!>O;?K~Lghx5*z4>*e@95!f*-t4z<1(ATY(KP$Iu8o z4-|su&*KhLr~4DK+qc43cGK%L_1&CA4M1>2Z*p=H2nPq8#f8*2Ri@b1j~5X$o6dOt zSiax1$5;|h@#(-%i)3ju>>+VR(K+pkvB>5g@#}k+N$8NxpH&|`sEpskrF7+rITYBY zCMWH1|2}#Gs|^wmfWOt!>`bNsBQKpt+IyELbnh3%y6!Q7l=JrK5s}Wk@fxVrb>$A<0deA`-Fqru5 zE~0@!nlb#gIf{&{O>q@-Ecp~o6xy5^DkLvw(fnSlF-do;7AQo)d|R$NUGdxHlpIZW z>#-R_3i{S$IIBTRmz_V6;`w)m+8{r32ot4J=?DPgQOB4bM*ZIM1+7r~TaIHKC)eh@ zo)6XCqVvELwANwaI;;~{9;mo}Vmw85LbW|l1AY%{pBUv~i5-T;eTFZ;;L;bWRjmdS z4&nGQJJ=b-M{_N6{CQ2W!S}8^z+9P{w~$}n(R-!UKiTv5c^ID8gi26nOZ^^?)6KS^ zHT%SDgF9fc{57Sr8D{S9{SXK}+ommZT~+#B-_zq2)fIL>J(zP9{*%IUb7qyl62nqvp1ia7ujjz@Rz9r->*8!7ghrq0?~G5vsI+_~RviVq;uj z7GZAm{>kz7Uu=aE}o`& z_m}IAfhG3V&x<_{qe@$=*x}2p>5^}2jh>%lcPgt;R_><{50BJu0B4so*DD-JKR#i@ z@xM?BeDxzG)TGN&>-Pr8pPGwWnsV{+z3{q!(z&9WP_pKlJ9Uc7NN4)wk^cuL^zrg9 z=<~>Jc`Q(va6ZRqTq|6}Dx9Ef-85Gg*IvNNdxuy%1oPj_)N8wTLv~%Y}G1u7|Q`v`LeZHcnpSuB^(~24F7|lMr9xpb5hpG6}`I6-l_HV z>RO>~mi-S7z&H349oHkwh4;sQ0nQ5rDTW0}w@QEXeB7O1u(77D4es{Q!T%DF*$hty zz4v~fO9l_PR5zVKU%x@l{Seo#7k z^(Oo80G*f_MRjU%v+iitUpE>U{@*bFk!(^*N~6yjmN>iMZ$&znibCt77w`NDJJC77 z6sI$-$M5@kI^PJ>9k)ZTm|OpMUf6)$ZvN0(CEM6ic71*MKVFwqLLXzn94>d|m%g3M zTCmd3+tWW{4<{4+FK4{63h4UECAAKZrn${d4y4;Q>cIyNh`_Ldqe0H{Nh-^cUP6JtUhQ z@weQvGOVtAXft>HI#g`3Wl7_!JzsX*Se}mMU=(w>Y;~Ty zWoPuPexLmvy}R8rWW3|OUd*^*jF7Fj^ZF$%%2TsNh;?RnwkFh^Q6zjlwC_+SvEq|^ zWzA>Tm|NT&bH%Ve1^?D9Rs(;s{?q!A?-tzY$ch5>qnwkDbCt(QO}2bo_CUUf&TU?Q z5!teaefC*a8af4*%4*+k)z5vGEg1As-1Ul7M1ku-7vS4#=5<>1%V5Nscwz++i?J8W zJ8ZNvxv5RHjEm}C+N#<%`@TVBQTs%xlQ~-jtZN~pOmz%C$*_tF>q(=?mO=?)4 zOHo+e=&`mmBddR0`b+(p z0_>uZMo_pFvoI(6ByHuCverU~NxAIw<=1v&k&BTEi^~QWQA;8wbang$T&}8|yqBX| z2wyq1OW&;i#T~ty^m7A^-5$NskvB4IrsB<(b7Nq*rl;82Pio${**t7)=058m`^ z(7>-@tG%$#)bMQ_n@!8=>@df|i|TBHwYK)7@@}SSmX~`Kju-cJ)07Iwc z=e;Eaj8~~o1vIoTn7$Lix?=x;sT|9qKi3UQR$DF9Dq0;pofp=D4DP^SsDSjBYsEHW zIs^wC`PfbTok&CCO3Ge}nPatwD%i-5fQhN=jsWz^Dh!Mkf%#qG7*%WbK1dHdOetQL*!_^X9mS}AUv zw2=dGrm3zX25@qx-U22KHyyL3jj1x7c|B|9^Z1DTu{)O&oElDfcM*D^K|%r)VcXyT zmz8sTQ~auI%oq{GEOkv!W{0Y7xR0y*eY*2(2&pJ;c^U3LlISml;p|dr40Ei^oUpGKv@zjyDpMV`c}hd8ccy#% zy4ttbV5y~@O}eliH6K2G`Fy%Edu38Op+FeeOY|E z?QV(6^V+mEnF<>Y7qbSRQw-_Uu$r$U^Nawo!jy+^!I|l|V)fPZ@vLRcM3{g|#~DRK zQq8w>v{jN(X|Aw=@`rarmyMShY7d9*Lq>r69ls#t$GSZ$Xe?(~$+ z{(*095ty@ozr66NG!W;OMv9@Fto~QjVC%JoMk@}w&6Bg;Hg1;!^oP9e^=`+g|HW>I z5hW*LDL-z*gNNyF_)5GjwwJiS+@|5eU@ovjO?j7cCGJ^>#8CTYpKnzU?A^w`Slw|RyA;vsqJ!VhaX58o zyHp#uu1Bn$?Bx-41glvFPks+jce_u-J4b4QKTnR#kUd*(NWRxje^CXCP$ckJ76c;6 zLf5|CoX7loh+#v% zPZZNC<;PaY9dG4V__X5{7-FI-;1`VfCseim;OI@Uax?5~Y8lR!onyTT<^ka@b97he z2d9fX8qK*d7wI%-mE2sK6chMU%r__V(%wxP}d%Va0w$@F+ z_so_kuJU2RS8BV)zf3X|R!Mf_JjG=eE1qf`WdRHtu}b;ib-a!1h~kdtL&Rh*T3%ag z&X&%>@1}9^EefCC?ikg^4gQ5~YZkMq_P835=-z^mc5Qq1thmL@cY~##>_4z~@rj0O z4nYlepZA2|5(Awhn?Ecs%RWtRStZ8k`?`2({u`o@Tkv_-Kf3KUgc1Q5Qw&wiDl$Aj zH@0IN?o{=^>IniHvw!-Yy2t*fxc}}8KlFH>$a_F8l@c(Xts=!EGvo1Ne0&gvZR3&Y zeZFVcst)eq?h`*NBtUd@OARLv5s<4B8@`GzY4f#(L!&;*>bftdCBCYT5+9vo@YgiF z4fQUtf~%J>-VI2ymfvH#T9FT9;PrS!VayU!KTx730AsDxDu{t`%rhzCXLpk*)rI^=7&;Manhn1EisMzD^x7I&M@nS1ux|CZ&I&^r{ z&Q{m!?t!=gc;2vBOv9<2^Vc&{Txr;QAKTr+#rxl`;?G9a0(MAlm@PggNTZ@ye9KZY z9?Ldj&dV_$Q;Wd|Ib_@|V|$=%AGsrcep_W$pGK;$*Ri^(E_d3NChU&MH<&$Srfsnw zj-m)bo-+7AF4*1NSrO2hWsV>m>5z4F3TD$d*AJhe}d zx7}rN^GMEB-bCZZ#iSJ{&y{$-aw%yQd7qboeB*Z~$<<*|-hcM>vmX&wtjuydj9K<) z9xyrK^w$Sq-cCOx@t4iXz#TOYl3~S*#KV8C@0f}-$b?@&0{P%TTS3i8 zWLwJj<6He%*6z!gNsjt1rRl`WYM)lwtf{^d*;Lt}qO6tjwEp z%R4aj;INd~GgATE_!kgJe99AgdN&Qm7wuIev03fp-Mcgyd)}f@UMjVZz(ums2(SLY zjFv5q{s_}V`0{XUa_TKT*yK*zBMk~*% zS8m=J4+Zk(LhpKxTiX*yZ@+J?OQA3?A9pN{F}zh5)-clQ{0}T`$0`Q9`LJivE580{ z6|v3+=M{fhvP0(e9rm-vmiL2i`_3P7%HAvK^)7N>Qu1kmTe@t*CTp*bm5XYSB^+y3 zk6tyBUvAsnroTleUV7z69rf%WheGumRhsN>^0)}K1@9kz z?OHNJDpmB-nvAkw)WkD0(d?1oSBn;+(fuLdPfitBtDMoge{qqPU@Xf@G9F)DJX014X zukz;T`|~f|1SMe@-=&r!QiNB*NzbyU$jQJt1N&O@1TjbT&yL#bT20J3I}e5M0Q77x zQqV7#Qx!OuAGO7>J0Irpap%dwboTvoT$u!_752vxP=v_gGD7GY1^^DE8YX<^!@UU+q`yqpO1_Ehc4^TF||S2CFam( zr?KSsa#Ew;?Ua8+;m(%3*t#$_%t=sFTJ(b<9B__ex8g>KAT1VO8(oM0Fe_XmwQ&w& zLVrJdEIMwex{8dg+v>m9O)Dtays8TtRCzplX|g%)5%#JdMjrGSj4yXl$WvM&!!5$Q zDDJx`?eu~iw4V1kT~o`|KJm;ISy_LiRjAcOBZWgx4i?zMq}DC%)wy9E2!wgA*8Bmn zeh6@7vV2$H)^}EV4wRgHW(UeQ5?WGDOIVF7vi^k!EJ?LtT2k9>R~wE9dY@N?u_x3d zvW`fe%Pk$fu0H4$!qUE^C#%0_=v;hiLiycm)Ty&_GJcb6lj=Vazvarm;58wHikMbh zW^#X7A}b^$y(~4KeaCFiIIA5++;-=o8Sk@s)|;@fQ7UPe9}kP z0;h5-Ja^;jI_IEs-pa*t{9R#fPFxM=hRjgISf%f|hEeZ)Im)PRk&GkXE?sYA2#%s%tpju|do(^kit9uwJ=x&DqoB zkIpb(wnH`ZTEeSZ;1`!}kei6g`Wa7$nq#isOrSq!y6#wtK7KMeKliVTQDmuH#K!(m z&)EHp&@(PD^t48+`XB2ci7d+QU6SvUzJ)cZQe+tmoxTSu!yuLtwweS?qdR`J5gyV;aLSw`L?4Zk(RLrQ$N7=_9?+@9jU`zGbLcbsqn>UjK&#{v-J>Cb_<(9Ww7AWY!j>`i9o!MLQhRh*>cS zAn!h$8gT1L;~BTp4PlV)$CkSeF~hw{tn{(l1UuT6EiL5B?V1p~RVjspcH7E!=zNAj zzcV`e62eRRL05fg3jG667CxF+7W|iwaIl>(`#_zn^Lne zWq{*jpB<97inh_6d3;iF#u=mjrBrQZd^xS%e{yE`t2@(odTBm>lBH2qRibmtTYTGa zc7q=hIP_Z!uIZ0HR7d+h+TN3ne^d^n#^$0 z^|tg|@sjkZ-K@6(cZ02G@+qIzyQSGPpL5<$k}#q9&Q--_m@9RQT>xN6J(Gn7i?-1_dewN~(C5(UNN?sa*oUDa^jOY);K<=(d zJ4B;4k0P`%;qN>e-X(mllr>WHcJIJ4p-pLTe#;S)QjQv~0Buu)&Dc8~X znQy_!Q`dyI{0}Qx?=lfIsM)j6|D)XWw~Nna$4+5(jJBzXMZ2rTJzK1h4~w7bIffgP z`}+3DLThK5KbA@yNS=vVQJ&?HDR-eY7gx5q;& zdU*Z_Cb|$%cf$wdvX|6W<5W+SRMIF>?al#Ngpx3!Cra&2T7e(oDWA0W!ikWdLeka0 z&oQsA30qn9K)vsu?I^nljuI4)PRH%GrK--uXJ%rY!QBwof@xhy3ScZNo!U2VId$1v3nuRRilx8Z$`@51kbm$>vVN%ZjT}MG&Q`kOVkogN*tAmk!;`uyCS;TkNKPb} z3fVdCo{_!3cv11oDX2K8^Ne0hlx%*vIuPaEID&Hc(mO-h<8&W~sI6Z|0zwrf;)O^) zv?sRtx8?0RugXER)dbN&h@sA|nst}dioh|NI^ zx0m#r_xa!NW7IFaA<53~#FJv&v$OxIhtp0?*t}n7uI0=W621p*JP>)NDZM~@MDp|% zND6k03<*Mt&@frX)|Z%)Ti>dsAy{4NG}JG=_NTDcS|Vfz$A8x`pkPG@#uf2zK>7sp zonS~~xu}3YJ6Gx9i`FT7SlQV_MgfZPVZ1&^FAb$pPGAbIJ>_^j56KXKq_*MN`w6&~ zkDQeD%?*g_gRG}VGrry5{~y-+-QI`pvFEb02aN_kbH|-5_||Hc+SaxJpu)Tue+Bqe zxyHR>XD$I{iOsM6tGc1xo9m&h zgc`aQz&bsyBfrjbp(1B*|xMjMQYtCNs(DGfAF-2P?$EaA_2p8Oxg zy$4WJ>-#Q>y=`S%5J3Umf=Uroq*ognkRnyOiuB&4W5ulk8k%&F4gyj`3sF#z-V-2H zk(Llb4=v=pi>>?j|DTz2&)hTT&RsJW$jWNpx8Cn<&+}ZHG9u>a+e$qz(OM`8a?9mc zY^o{wo){tZ1_yUGV(@K8xMj6!+R?i;%;kOe>6A%7j!Yz73iC%1vZ}get&j|p{D`BN zISHql%DIXgqmQ(I(?K%t(-#aq!5c>+?~D7(&C5l>Rg7_NdOa&?E^Gc~amg9Upm+2` zm4Dy0e;Z;7PZnDn>o0O1%>2obrlqGj?C_D8aIc*3?fE#NatYVhaK8dWU3pvfp-})O z85sjMe)qhaUNCNaWj=KM1Umj!V;AH-U5>^3{P+ku*aHHP&`5>&AF5q;F5ziYt9Ra2 z3+jwdoP^k|XUCM?88JvlDIsA33^jcXGnlSplkN$(^ak9s^V|M2l_v z7Ozt23X?*g8?PYGUBbs7%|qVXm|CCwr?|84UEF(p$}AM-xO?0!b<#d` zPW|Zs_J^YeX8#0C1;`>|qObO|Sz}h*;J2A#~7`vh{ zk=?WfOa8h_rL`*mUeP~V76DG*ZWC--RK6 zesLI`ESn^GEC2S>X@MAw$`v~bw`y-(MvJjb`kQ#d9t;%NEE^k*&<~$YLYY*hRYoU!Vt}qaA4ZNdFVU}Ow?%<5^l!h zJk_8$hvW=k&UHfJ44vF27tn-0a&+=6WGG`%LZB4178pd4N`euA!M6L@BePs4h)x!y zKYb%lAH>lWAO-3QiT`gqMv;mZq(X|UyDpCO!K#47uhtAldAL%AKcTqx0m>C`xs_uM z^Pu)l3}wUnv54d$x+{gi~PgggULd^j)h+mZ+ z#%? zjgvn44!JOSCt-nE_-4ICh=(QTqAZjOkU|lpK*&kBX}5F{u;eh?^rt&o48c_5S#x>B zJMZ}%D0YSDVl4PS1HRjSusF)a&)78e$OP1!N6liiAZR3A6#r`1ZwL8m`9ki7&~aAI z5P?LupREnBB;BfA(!&#{|5-Ryq`uLwRa_>gypt?Ds}#w*f=)KdOWgZcu0Tfxc$i(hZQQo~&NQZM1C4QbM>tvT zfH$a_{$#U4*qsnG;NlLiX4QXrHGh~nX~3Efd4_a11DNC@aZoJb>C0)lTbIA#4!)idcZa&owzPjf`rn`8-vNOy{6BVK|F8RQkyHKO zYxYg~)l&nPUZlIRdXukF2%U=yHXC3xu-77>;Ua##5<0c>Kr`oLs=kaAazq^Fh4atD{v+9V-7WBwL#z61vKeYeQnDnlCkV|VdF9e+|(BC8-z~BTV}h<_WW8d;DC>~*_I~))rRb*my7~^*c$;u;mY=M={KCXX@!3Gc z;p!1^FMu8h9en&F0k=IoJtVV-s~qtMmVuokEG)dCy2H?SOQoAhgJMId%h1azDffg9 z#6`Dw@Y|IXJV=~2Cl?L^>K;fnm`&YnHdFwJh)(w6Tn*z^ilDjTDirLc%QfK^_~5*j z%T|{nkBEEwEdyU4N%0L;CL zshIL0FwBzLn5J0hT;{Gjq%?O20fkmY4s$Fg~XePBV4YmdN{6xIshTlmVl%J zojlMc^Crj4dbgdIAkq5PrK;)7M~}*g{lUOJf>4;OwVp(^AEuq}L`X*fL3qQ3d=8L? zKEPZOCA@ea9=k}r^ZD=mh2<)ppJjo}B;=uPhc|L}d0YZU83;NQzGcz~kDxGmx}P+X zk`?F`%pvvlkzIo^vv zs-k(sE0@CexYgQJQ|VI7R$ogJRa)+s2f5cUryV(jAGq5>l)T{y(^RrV>JGr&tQpNu zYea;m*j3@#iuF6jDyY2F0yJfH5kU7BqviTdw$~uQbeCJKKUvuO@%WqxnCD$paup|0 zk^sSMn;iI43NwANINo@v@M=|WgN-P8WhIx_(HM>JvrK#+D6-AvZeS;=ZkWVLOUoR= z@m~>=T`B9A*f+PAQkgIVr#M~E^RdYq7anXc#ljkPc{9(-v>$1ZljmRTkSN%znv(JH zWNlYU!n?cG(;u%5mX;m4tR^2JYel9IXAW;+ii(A661j>ej@{0pg$@>zA93}?rpwa3 z*kkJrJzdo6bd~N}@Badj>2L(T`+ahSBtF+c_SH0_2LQXQTc-*^7dfVA?1pPAWMO!_nyhWJl3PqGeW{jE`JRZTh% zKwbSED>slYeEWl1D~TX|2%z0<1a~pDewTFJ=U&F>aF-J<4hVGQlm$%kUCNOWG|yBZhtzd2iwIc*hn(kC zG>^p+7zT`yA$Q%~eSPd(X~z$ZI^?83_91ap5LLqLVpIF^)Amc`nn;4kgzixozZM{I zI-n&xPNkjcQ6_M*`x&TWyL5bP7 zZa5|`Vd-L8M_9{X1o8n3-qFRA@D6?^bq-`p7P)7==x4Y~R&GgnF5xIpeV4g6^J8J- zZq2hQ9Qvla^)J4J7&QB2{jY#=n^DRL4*)ku7AN0u1=<$$OfB?*p+%-v5SL6MkdXA! zn|u)h3^0U?1Go+A+xMs=F<)iajdbilgjB!m6&T%vpC(a}M z1%$G+h_s6=C9X2gM5eM+HOi%m2s;BzCNRRsjgNlHQ5HlE$4YfSA3?~7@&LIiF>uo; z5zKiQ`hDholbsoWDJydvbM^dD`5Yn9fIO=M{>L- zcbmLM2i_plu5=g6owtyqr^J@6m@LL!g1+-DOzfY9hP=}XZQb*PA5*r)Obda1E4D39 zi*+n+F0|ckM`6NbTG6L_U$J-BzF+dH9itv$>*~*WO^0P_a+P?-ni{lC;q2NkTWl>& z(`P(tu}t%LsOgTZ#e#SJmUZS`i7}SFOQQ!yBw^_ly{{SAGetAU@D0Myxc)1>V_Gv+L37Ykm%4C?t0#??$8fB zH?mj~icc*+C%=@^$CV5E&M&VBnSs}#ZbF~lVc)0&rWYZknj^?vsu~68wiSz;k~&Oy zAP=I<)OrTOtQP@L9^VK3n}A20fQ6o&P>QSyR^{Wv#%%Xp!9uLB`z);Ir*Y);failC z$!kgw>kZD!!`r-m$SSo^0XN2U`GD*w^i;BlN1NiBM;sY1eBSRFYQMGbr8cc^zJoXx zf9sAKtujY&A5$ySHHB}-tmVPH_9~x}1zv_%Yy)7%Pq>?bn^EHy!5M2+F#zy)_VIeg~*XI-4=Es|(bOndbXiIeEytHq?$Z zG9<8^lMT6V!&8`5 zL4yUTs4gm(f(LLd4XM%krv`3@4*q98R{fkNff#vUqv*%t{drj$@zZwVVveM{2yZ~! z4!iy3_COYK-g7NiS|7fc5V=_ifd360Le7p566Ckf>EUXHKHo&VUG$M7hlWV{7E1^z z2aIp|CQ^hc(EnE)F?48t-%NJLqfMxDn+MYJ!o>OjY2p99K^*Zr<->l%WyZloYPeBF zCjxl|6Ic@d4PfEN|L?*PTLVLR!_crWz<#1O3AJ{l-$_%61;Q)Akh-5F_21VDd65j= z?E^b@?109Cjg+rnuS4wBsS9LDskb9PynMO)ACSU7yBD5Q_Enq*jw~|pah;q}C}3e_ z1-$s9s{zbhZmzul9#j5xd$LqTM@L5y;I#wj!1L<>7?UEEc-d?OuI9r4C1(UJwz9HP zS|vEiH(!wh-u>nruR! zetp^EVANFT7|;?pIy%;nfrV2EXj^&ii$(2scXwZ$?6?WMh}b-#ix=+z0_}hLqRmk3 zyLb0#Wk6G&Be*9$0!T-RSQSM@r+;Bw;90zGeYlMZ?G15|D8a&TaXuvM*l#X)qidNM-$orK(T`J!8q_-3@`||voFa~7z&nbIVBH4WpF-3e;9Z#-$Gw)|! zz68m6CV%UHqvn#I>s3uPZl-mn^-AMOiU|_m$<$o6qcUus8|$NykOMWns`)Tz8FibiBhjNI9xKqvK;i9;6k zIXIt^D#;yX$b0r4_^dZKfAaE+I1Nmmsar?%HjA=~-csw{kMExK15oT~F6vi%s6)n* zOrzCcwSe<;&6ttYKFtt5B_U^5UHR8{v|S>bH!RTHE6W~yg(m&gq}HGnMj98*$4O3P3gC7GC{Mg2=}niMb@Q&dntFcYHJI zIomj+*^RBhyA@^0^vo4aJB z|Fke+I&6+=lS8%KaydW$NkgdD$3R6VN;T!n>C*rNf{Whl4@J%-pZ#cgBY8kWF{}dL zVdtk}b$m2=?#}7fP(!~phv%+)U0m6~2ap^S{FO^mv#v}W@3ggv1k5;7lwhvgbd;zy z_kAEn`}V^+;-710A|?AU7xdCDG#H#>886`#>q@R~Zvd=r>w{1h!_)#fXbYD0joVAP zOZy~QXyPwP+x;#VhsmJ$ssEYe{HaR_ELOhY$}eOS5=Noj`ySft z+Fs<0fXOaf{=R1UeL4>Hoiia!CEUJ}XIac*7*fO{opb~pnSlDYhNqVhWcW0YQjcy3 zjcC64Sl;=qU;75tO5O{}-J~DDjsALj&%cepls~!Z{f5A6?0Lv@o3g>MrC5shq-Dhc zYP*r0-8yy$Q-UNcWWNT?|Mf^z^e)S9KWuBPt=}H)#Hw$^HUY5kb4&eRL5=A=QNFq& zX3VbOHvqzhtM>TMRgaRX*<^dJ90nHm@APRq`9Dn`kH+V}F0An0{n)Lpi=i9;v+ZH( zJY+lqhQ28-LtMw!IYelBlH10YYSXaMODyBxWu&xH3wknlzf5=Yb`{JLh`4F?p~D3B;?6J{hvJMp z`7j$x&i8Z&txz4lwc4vGXG}8-lluS*{&?@cz1*luU*8+NicKJ{`kn#>~Z{U}&C^5&q9bcHyys zV7l8Sdanx5$DL5^oyJWruDr?zT6RJ{@agCB$8+=Zi(}FDis-SX=y7BTv{Asa3LHpP_3R%oPPcYz^jFv=S62K zhhH4$MuG5U>eXx4ID#U=!>vFozP_QM0~qrcK;wi!mIT_E-eTKm?ydGZyywq%0mZ)( zDs$Gn)RnA_Fo(LWfx5;?Aecg_gA0X-cSzA0Zx*pYMlfc+pGi5ir}}1U{$DG#xtjQA zwa5Ery>(4JVymVL`g1hzcM46_Xs$j-!T%jGcZ&uq?{b=}cM5uhG%s-)r|Bt5eG~5| zh@Nc{r<$7H=u#OsqF_abutgq0_{kB(oLvs8TE9wJaf{ERkf~%~B={o^IuNpzUhl8S zG7*hNJgn1G8x6)AKj59vXuIfL7lMX}=D!!=Z>Kd2eQAAgMuC*2qvHvRHWlIZg=$#rR4 zx>P}_I?L!NpTPH!()@f~x{7(uM@?;fFxrZ-W?{m|C!l7D%4?YBVrrH4S*nY0BMO@- z1Gry#=jQZI>Dn;>9w+EQ7#{&%IDdbprg%ByGf!gJb<4Y>KZNn?0QIsJP@ItGTjU5J zA(QFT^4zc&zGB`S(+0FdDXwI^C5#rlBOO4&Zs6mUU8MvebGR~@$axdl36al%XS!qJOe(SE{4!Eqw0wlWoO z2!oZhOvSzP+$d-W%WorZje1gX-<|JahqIOYls=0)7f*q^%+^q6vmMjk`Y;5U`^$Oi z=(jVuGZGk`?5g?)JGEF;@Vo8P6$jOd&Nqfm+7wq`4DJZ{88IUlK*!7XWeSL^!}kRI ziYq_H+;{JJUK^nm&OcP{KI(Yp2Abzh_`}<2abgPxl3tf9UrF6MvT<5N_gy2WET8>g z_3rP)GwZ6HkpWYw#_n>l$q9xHZzTDAgmj{-xB@MQTHbiH?jFkKps)rN;eGG-GYQ6? z4*20Zwt(`%`30o5l=LshHe1cV5IRDm5YWlT?JBj}=ntYAsV=&@a-`68fukt=y}d*)W^zUpZhMyn2$cYnE ze|`q5#BSIC$EjHZT8z$OTm672Bw9*N=60QIzX1gC*>fJ9W2+D_NqWpB&jRgehYFPe ze=Dl05`gN=y275k3?y zB0dF^ESBPyqA1B6)+2Qb&2zc9GVK##I}5EuQLe}lLyoC*&|4mAdi@ZVJ6Hf&3@@V0 zsPd!C6=h=fp?I)FfFHWK8|e{ zPu(S-3gw$v@BvOm$7!_Ym`eIkj3cjdlzeR-GbJ}#Hu#CXDY2@Um5S9G%lJcPe&KKp zxtl*1y*euek;fuTlg#}LDaIh<_y$H7)}90L=EVxqP&Czx*FOA6YF~Nmj(lXn0%_D# z(2KbavI2QhZexvX2wfREMuigl{(U;I5cb_?fDT*|a5R$ph+`&LGO=ehxFI(y}@S1r;Tw4uk~{p(dLJ{xz?_*dEr^Ii-e$ z>jVSmKv-tGK;a9aVv~^Q8IB}q1BGiKRu*g(5OW+JjCWwZ~<+59k?C z*5IYHo?3>!152!tm&d!Dm2dkGaD9|K3|4U4&N#-}+xUnqA1^l)T07eyG1|{#jfXms z5iGdvCfj3oqZ-E@H}0n1l=b2MV%HZr!mBW3xIB_EPvyGsVRf8X5I-xM9KQ6Fg)WCe<_fp{rLA+Ka>2My*RX%3XXV#0?wF~{jY#8zR-J9Jl$t2) zHrLgtmDP-Fou>r5U25*TM6=P{MXofpU?ZJw4q+Wceqdo&8r7PD>)67iW=z(xcPg_d zEszZiqZ(#yz_;@0Gcf#|qDK5wp7`-T4Iz^RmAigBKQKD8k{2(w?JnQ-$FT%tPUTk2 zy#lW$0cHR~JSirbVM`yEV_bYP3Icml-u$!fxPsf(>mV>T@$M$)#i~Kbr+l*mjRU+$ zV^;YF5JxXEHU=5O18d;jv0o|YmI0X^1!W-UZ$suJatgF5`vRiUFx`v)lehr!UFs&7-<+&w=5^F z+OBUhbbiYtg}IfC*HTLy2!^X@GB6GKqxI;FhL^TbN2*wyHtI@T|3xyn#dtkwcEeVQ zm8~O_I6%Zuv6=2%6}r4qqM{QU{yUw8dF{XF0^YK(a%%ij@fo~jUK6Kmk!P+x%BX1E z8XO#k41dfJ17DUqZhWk2MSmblhqrz5%jv+dsVjJVw0q^SixmdbFp z6McLFI9#EGSB)JmTM>6*lsWGH_Tkj{7Tcwncls;3k*}O78+V^tkt6md$K&pvtfS2+ zcyO)Zr+eOGw^2wK6%MM`qa^Rc8|Gq5XPLRG>^|=RXxc(GE!^_j>9VEJ=xDm1S&kuA zy;fc0vct@UG^#xxu0zYikB6tXVt8K@*6T&;pg78JjqFY79bWc&1jaGjXeE);YuQ&B z=ZFr+(NlvslpT+O7k0TB<5A7Zx>mc5$s)1XJ}9fJ68~~@-RPouBlQ+~;L*r_RQSC{dSz+%$;+}w$> z1ly+zf`(-i;OxJ4tc08&IRdwyGB-E(hPTZ&SMJ_trt;b594he5K@xO?y;vji?3pv{ zTNa-iP5~EF*+`I7p)FCgA5^}Or4(qH0%wago(H^m!N<*gos7@cFfcGE>i9%Ns2?4< z@LsQjg2K6hDT>(dY&g|d+R?%mf4T<7v&&K{c6oN0 z3gNaEJIw-z;mQ(Q@Sd zVo_0&0Xh#stpH#lEjYg7CIEM9W}(5_s`eE@4)?5RDYmZb z+?2=_bFUx~N$gWh*RIG3=ZoL9lqx%^9hSWu5;o^KW zb0-OpMjw({j@ET+n5~${Kfoe?mV0q5{X#WPlq6oy^>@48IJQXBpUHYtZOa)s+n5s0 zz)GoynNtd&0|!e+no->v4-^L^iiK^QRpRWPG;e)7p=`Eg=*o(aX*5;RD} zwswPeh|1sR146QT0gH*bz-)@TBpD&(0xyKN2OYGedShE43BNly`;?`xFW5Ve`7sFt zKM%5=Y|_XembSc}O5OWpifQx@<&bNMX1AUTw!u)(pq<3Xu7RhkWV7kByJ#o;5I8kurn# zU-lRUFQYD0xnwUhGn9lD;Bw+rMuk7rweDkg+qHcsIZBF4bKzMu4+^I7al>W+Bm~Nr z*3LMVjf|=ybI$FQlc6pFaNZrzov$!)!gW#8!~npF<&H8h3@HvdfFdPb^p43{@1l-Q zl9zA11N_h?N@o#*rPi1fV-z|+h=+~90Vo9Im;g9T2aFY9e?75OW{W>|Y!mR~!e06@ z>MNO1Gh1_H(C*CW0h~T0NFwWB9r;ANrj+2br64Un&zA4JgSgSrqbVO}{R-DKj-JrX z^{T7bpw`595H_?T2@J#1)6-h_7Z$Z%0EJ0L;5@TevqxbFcWGFxZR@MJOe7-2_jU%)4a=NTu!4+gV&3JPd?DKZ$Cj}W3U2IU% z&P^9K?daez2ZX~Q33-f&TkEF^>P27*?1l!gUe+K41(^tU@iBo40Re%_#Y##_l&vmA z6*F_srK!nJxxfqR*71z!cA)b}9KQ3E&yTMw%%;V5{d%J%)XFs#@Ppr_rKQ>7=x$iX z#+oOCPFtkY2CYHF7zjNx=37ofeaFMYWAE6O2%hu?3(_LUB)?X1F{OVwhfs<-ZJAiF9MIH;IPXtWLK6=JRUvDRMvNQeZ`px zhBrO=q>j0B!O!C-Qa={XbEO)|thG1^M;?)Q@C1SIJ((yYUAp(oushbZ@zCxat|UQd z0fB#z$qA4iGg_re+cl16md=dwwmn8VyKsfxFNqhe-g*YcB-hWW@2}W6;IlTs&j+}D za4G;pO>(tMNc6QD$*FkU!SacE?N>(1nqeju()`9l?Tfx~cx~hn2;PZzoqOGGKevD1 zd(^C6YVkOWf-%*>XMRV=n|Nn?!Z}*kpZF-^k%yV>Esjx6WXT@WL?3R{m>UJ4oqMsx zRzxj(tw~lh-SKkTBXEI}6F3-mARo8Fsh2wyZ=H9^YZu9eI$P82kLA)Us|@x|`5{;x z*?Yoai#?ZIIRT&1Sne9!S@L&CmQQY$Uz+pS(1uLS5}mnOcr&@gkQCqfbL1cvbD-*8;WJ0(FTIS<7 zqL&6DAxA_4$yF^7O$h=)kh&b=k-Ks;gbz*yE9R>5yT-}m zcm<1=iFul@K;7=H^8I;@Ie!kERRH=2N|hUG?px zT5FWoU9g<;O-grK`rC+`hwFP(m!%$m>RRs<+=1eQ#wv$C$yST3m-gjk z(ZK^9-H*NYC7QKPQ=6Oi@iZT^>$*9I|Lf|qgaW~UcnJQ>lPUIl}Iq%xU%S;`SGJ>v|e)z0X>6+Tv)wzTz_ums@3UkU&stEmJiZZAma*h z<`I|e2Pzb>+MsB6?WOP1$I)xH%xnC%2mJ7Fr7@p+?-T0 zjXG$Iq;ErcHQr>jf-DL}Mn*=&q~;GqolH?h1zEHgAgtp9Q57V}uhtuC4u#y&7B3(X zFS@_Bi_1F!{M}wlN+5kc_ccr}D_F)63V0_cCz4NGR!&*w05v-sbZ>7mGd4C}J57WB zwDH2K5aO`Qtk<69M#&|ouyc8Hz8N&9-A{{eir_>Xo0U}w#-Zyd)ZZKQTt9#ySPqQV z@8RR)&C@?l6f23E$=YJm5*-$9^Ne)L@O%O1U8$yE$^eAP4Vn%3#d4ue9<%FD$$Lnh zh8J-Te^mH95hV0&_%4c{W+y`CVUl#nAobqoroBB2F}+L+vegavDA zZw@a<#iHrx{+Ma$>&>W;!N*Yq*yV*=4ip5}(_PSxa*#`G;P0O^GuGembp?j2aohrFYt@bsPXJiD>Iu&O^?nz@sr`jXzgkDw(M(V(gQa3!*kniEd? zCMS1}zH$Y+Lyy^c&Ir}CpD7+NUg82GIyEnB(NB?p5w1#FG2;77c;{r*Y{WK4R`f;r zsbX?i;v5`s7hP8&b(XHGS%^4=r-zyw8o~l@Qt*E?$vP{veW@ld8nimyaG|6hGzpk| zTsxNTbL%b8j}Kjq&o;=dTCd^@hGr&GK^R%Yb=5UTa1lL%IFFu1%b$tiI2?}CZ`~0| z@gWrska*S{jcNmF7laGHUzRv+VGh~Iz5SDP2 z4F;xvP0dhn<6J;{f`oW=;PF8+QO9Hm>zI_Hlmv{~QF4Bj9T!0|V^eN|i_3VVb1I^j zHt3fNjG|Yq@gE&sc?HG5;Xv|+D;}l$FaH{lS%n5JPlN+t#oT;}6)88G1COW&+jjC4wFWQV+n2);9>rzdL>AGHK;; z&4Z-_npYMUAv`d~4jA|HDwxl=BPMKbZ_(|Z)8m&0x^zT zZKYPZ$sppxdBiDRn9hbt8IWhhHal1UQU^S^)w+HqNN@jyR5(lJ{cy`#)5w|%*m(uq zJxE(>vJV)uY&i&|y5Y20@p3&rdexhF6DZ$NYCPleZ|fU$TVH*e=DkbJ%T`7@aPTHy zL&F=ohaAH|3N;b|UDai;45hmtj-}&|(JM1;8bqR7z zlV`a?9`5-;^=qB`*2_HTMLedXr~bj;U*3ezm3;fAwu^hxnMupDVH-XT|OkghePlm>IjP5=1_M2%_aWR+M+RQ|JRSTvzZ2WolfYicnNZ_w9h1ZzWb@9qN! zM04Wbz8zA_U0eli_>7BRi)FLGy942xfa#_Fa`y%zQ6K(^0ACTfo5P}_GGX2AjU_(3 zgz!~&j0DTs-3~E|1#S3S=*uAMz-Rpjgz!)fM9MgbhG)HyXvtO37hD7ZQw=0MD|5+M zn(9eXm7^D4i5+O_uaqgDG8!Kpg_`Vj^qUJHovjm@c8MDmXJk~fD~RoEi{HVNGPZr0 zb2D7=YU`E#^-XnnVO6=rE7t<}Po7lMF>v%Po56%vqy{jSpB!?OnKI}vuw=Y1>@ZeAKsA3E%w?8 z8Gg2fAH{^`Fe%Z4fTlI8koM+tFiF8jmVEZVgr$-W|Sa$60eZOTIBI{YJIw z*2`)Z5pk>2IQv`ZIj5FmYxX58+TV;Omua(+Y3D&yyH+({YML}S8N(*L!G3zimp(ea zh>Vr55s(U4|9vr4pLUDoC<`BWq3BSzsq{;#rspmW`?vLulxo6d}mAF=q7)WUm~|0a#$ z=vJ+IAOWDqJ$Uw7n^o_uIM0k#po+04yAlA9#Mnwk&Y=}7e$d>1zYX8!=F)&!c1I1I_3 zmiAj74sadxq47di0IHWDAJhS*h7>4xVnMxpZec;w(J>EniasE3)a#??FI8Cq#DH0L zSsv{|#nQC({T@8{0PZk1$ZP7zH4WNg`cvV3g#b(i6j7{`a(f2Up!T)eWbb<#ahGovH`yp-cR0PJz8C}Is;NIeY-eCWxain0Uu}RpVNpI zEdvMJb3FSSlEg8TL8=pG>mu+~w4U5o_pXtZx#bH1s`pk_dJ ztHxz4B8;W3$so~rnnLP#w1I^S3gx*3ulZdqY8yjVz7Y<>lMr@E61}{$t+RKNGCx|6 zk@M@Fpm`#!rz5w1W?+gVeJYPxalG+T*wKlY4BIY4irpEA{c@`&$brr}VwD$GJsX5` zzIBI>G5dMxV$&L(T-p3%TfbY3&;nn@mscdMeY-_JQLE=S{tC*?N&EDj=v0^H?c29o z4GrDz#h6D_d+{`Q4uj8^J>uk??>fG4{0J0rki5ZwAMO0g;t|`QA^gZ z)>cYbwTkTo4E&!Hrpem@OvUMGKPo?j?^1SS-JItgT^qu*kwEm zk%}6Ka@SAG;G1VM5l!vQBmzvg<7->DZbfEmuj^l+R-*{hJr?#hdxP0oi@tpCv;XVf zcLveqLGZ(C9;vFTjtn4v6)JqO7QCg!P7T#b1|7#pgLf41wcN(vB_jp8-Hic%uzi4> zm<1#vqGX73$_pTK1m1hoBW;oA82mkNsEfE+Kb7hz$Cz@AKrx2r>{)`iRvAB{&L^-7&mklfqR!Igfwv32%=0A`=u`=&n1?4Ar2YvVf+mocb&9o?Ma~ZLb7vZe;iAk4wQZ_*&4I{bNF;Y z*6Wg6MS28M4vSbw#lOtMVi2{IJdaD@H{o*|-ox&ZA~i)_ZXs0LNn+ zUn-ou;J1`Q0Bta9+Q1~PO#ie(U>^B814-!iYH^WcF-OVGUSp)<$byGf9SU@lo#dyZ zN<63mS=m?9tVvyD9KN180@=+PCVAONoCLfiI;)<$O8oadn~WmYMk${U@nVxz~{pc?9LT zjg=NZMKmH)XWo2b=xF;&UXY;b z_o8A~p{9n^cPF7d+gfPZaoMUfolojD81O|1Gmlw6rBR4F;63R;9hNc>0<~l4JIPRu zmyNn)`l?^zBLS0LhllD&SZHXn@%j(e1CMhli}UmIt`L?=Vk;j`R{26O3&jI-jN5bl z_z@5^M0SOBDBX{-fv975SoQ#b5*-qP_*&3w6jq>*~NE#b=3BODxtwl8hh=8=kt zRgv8?1P+TxF}fwE%v?9*MTI-mJrFz3gUZXxQ!sb8{b*3Cj)?8O*nivwRF29`ny}US z=&=ErYfx9}%=St?ioivQ?6N+lHKd z*OOCTFNCKtM$leY8%&79u{}9imCUy5er`-9;#Xe>@vhcV(8)uxPbX&-LKcQigb_|6 zkG18=ATKU>l10YGB^m1~|mA51Eqf3zThXs;7P19Jpxuei*t z^mHF;o^o-OkbmuD`g1$WPZqqDjRxKP>$j=`%MJBI!V6t`4Neh0No)8?THTmgOAd!# zW#?RvwV@pUP9|}}1F4GG=QvhaOFudpfSNdE>r7@dnM$?C*n_A71Z%gmt=_zPm8nH= zbR7|_*mw@z`RbMjB7Xi(Jl`9@h%n=f~+A^N#NpKE`q?|93W% z#o`}+%uIg2MXyaHfExc(KgVcM9KGVz>%F0ojvw$;>pCb$vnsXld)`8W61bMGZic9> z-qcMgCL2hckh(@&h?E9NABFkpA_3yUxcPX7`(T_~EhK-fV@~Dq3_-NYw2`&jLgC|< z4NzE2hT1`fJ_evl8DBoEeM<*Vj6+GeElWr`iNL@br0RL!E10VuMe>Ds%IiOsW6RB@ z0;7eE4R;1Y>meMg=umrUK!wk`rh#TcE^hTIjXw5Rn<2&Fkhk4!9;m78 z`OMP_I&1+r>RG?<7mB@TlpZUF$7hIMn4mdd*!3HW4rn1M%oA|9^sn0+LT`++u*_wC z3rHH~IK2S*bQh1i@AH-(C>=b~W(fRwo6<`1vDX*5QlG4!a3yvAJvizAI$im=2Kb|J zSxo151G+3?ANfzC@k#z#<(Mf_KAh@abw`7KoY4TOCoQ+4qQYvC(>HBfrjB><^?e)5 zF%?9Q<72>%Z$L?~Zm#|Rs9{?EgmF7TpF0VT^$d$<}{qFs3z1|cfO#gt;gE0Ar zKl#-(p71wmAS=4eB{<#DAY%F;@_k(pUU+_&A%6FGB%D8~wG^G_YGpO0uPiB&)Qm~Bjfy-9zVlsOlaLf`vr?_p zk~ChnC;U&&Nu7{Cu(2T?tA9Z13FiT6F2ZP+Iio@@K$`H5P&z2~>q`8O9}_jRh%H7Q zw!9JoMn$%voi(?Q>89Bt|8GVAZqhG#oTn44F8>Lq%e;Gu(4BSjmkN*r?{BIOF~`xL zd0K+VGnH5Rt*$V1W+(G;wb4t+!3s4w|5dJY6<#9U0j#rd1M*30`)?FT$-9e(6+kl! z`K`sJ-$T%Mi;?JKXt+5qFSGsXl)h{d$>t&XNyyO4?F70g;cM4u!okom6d-0iN2tbS zWufdMi>pzuUaFiTc{_T!P95UI`4=N7TEHGi{XWJu*u8i5T7I!_Jiv@vzw2R&(_O7! zXEmg^KV{6b>O>5=sWZoElD>rW&MX?;aM{}yMxg0H!Q9aBC>&@=ba`PDQY9~}p{<=N zv{4ZD>9~V%#x7MW$}5nXKputz{~Lsy4#9Huz?tB1m&w`EN}Z`AcXY4jgRGaolS;&+ z`f!$n_BZ!p1uf2^dU3S(Rg&8?Z{k$`QKE6!_xpN70Z%$UG%ct>GhfK|WM!V+b)IIB$KTOCh`q@8k zUSN0r+#NH8I7FC-iK%bvuX)jQt0wP6+9F=|8<-t=j>08g?JTz)X0e+uSo-l_10MAb z{X@g7r+woYr1#XA!#^7ocuR|v`E1m z7$vFml|sAaf7xpj!{V>tAh2TI6z>ro#6xlY59F-y7&4xh)lhfd4R|l89Co8|I;JSx zre|05iUw-`Xz9N=@Q>`t<`Ysu-oaLRhR4#yj;i&b(s_}eQO6Ap(IG2xV|*r5Gm8Ff z@xKggAV5>(hG-v_6jW85$Y!)`MYYe6sWwjc;iCW9n%IyV*#CBB#jkO$$Zr{DJ7NKl zE#U^zkDsu`CQXqW73;;UrjKL#2MUOMD*t*Duzq@m85GF&AiqJjLh)ad^PeC8w<8#{ z>-qENIlsX#@Ffek-4&1L??LL{OybNL=#={BK*--sS3~w!K=REx+qeV;0xQ9M+pFJy;ee?SDO=Qcj-4b*y@*iU& zA|lG%sdo5?^ZKcPAq4-hr0jBnij8Qrs7*H_QA@OW9UL6-?SUhL&G@y+7Yq%PwpuxX zz_|tfqi%g&-8=5XCtd^uSPy-EtYX{pIQ7G)Pig@NINCwlke?DQ?)U*DCVzi>{4Qi2 zAit+|_wEEq-CxhprR~P6moFWNSE7|AXONx-s14^LEf2P;(6I>0marLiie0| zG>i?TxI#jbkh_Nj4xo9mLe32S#^J%!w#Y<=(XP(|4>=>Z{Tz~^pN`vALpli@_A*ES zH5JQvEv1)~ba$n6?fGT!kU???SJ%*p#U~{tfl``-_D*KbslvGT??IZ3^z1hr4R#Y( z0=>nH4IoPj-Y*Cneb&vpE1)vp%q8dB*TwVSj@Y^zx}(7)w4UUUa=YAsLZP5zO6B*O zhMbehiddYTrIarA+gKvM^Vi=bdq@6@Y$g8n6xSRjli06{Tne5(K_~;uXSb`rhZ9+f&^6sDF--bN8u9`L}{FX`+@~YC_@9 zLKT)!2@V}~wKMv4lX@-Z8SI@)Hlx;P?)Z~R*|~X1L1ml>=?;_fKRQjV&x-QGN??_D zi2TuaDckRq2KvZAgOa1zvX0kOG0iD7-mYUN;Az$$b{g(SCnt*kGCdQYS=b`h_+jXr zsw-Phas5osool&d5Uw0Iv@B1yqVl6^X-BOIXz4U_@pqaZ43!{#7a@04-F5;?9+6I= z@P*sIzj1APPv)Wszi~(F+LNEGM)X`?MI{yMrjD~st0fYN=8Wphv$YXSyL%98c=^bA zL_5|0j6mVcC*7qz2M}=C&?U?AS7Ecxjzw!eL>;cFGugbYIXoWqw`Eg?CPYccs7XeI zl?;=LU}+zHUb+6%Ysa&DSMKE0+oZK*R`x5+lU%*8$6%_wJWyy+p~jrKN;WxGe%lCo zF1gdV0w~vTEh_=nR$27 zpFhMAD6in~q&2gryHHb>`^nhCRQWX>*7^=i*lPce+{Yc;x@@21{`I2*`A5)iVe9@? z+XQZ2;g!(h$`EJmMR>C6q~;Hvu>|W^@q7A02&|G6{__&HR~O(`y1cjx)9m>31~lS1j@?lDRc4d|v)aY_Fz=fm)g<`vOs(q8px; z&}^%z=TwIGz&4O2dQ^!=M@i#C^IetEI90kd)*6*^{(X3xEbHQ z(+FJa&pwEg+q$*TlAKn|dOdySIsj2rd)X`mD$abC6v}$eV845w(gE$ExzZza7wy!k~D0G zuypK+0_6Q_{P{na`VOe3vhQmh3zktv5m6Kv2N0yH^lk+M0wPViiqfkPdb8qCH3~=v z=`Dy5Iz&`NdJU1#l-@$92@pcQ^Bn#CzpUk~0RnmN-Fr{j`<#7rk=^{6eLZSIqRgtV zWN}p_YAjj0VKS?q4+Xy(xBj`HPdck}Fk&2Q*^eU6JzR^Zmz$6ukL-g-{y5;o)QVz+ zKU`3pTqpmT`DevGeI1WP%}Opc9L&y^Q0J5u5r5++|27oUto0sb=Yc)vSw^Athgx@`MQ74H|?LqZ{BX9fd@~Nc-hm0;vw|r&6HCO^< z-|K$&cUOCP{N)g{RAM>Ydeb!DG4z4v8=gax1t}4ZEt`X*6Hnv`<9n)_EwaFp1{mq5 zzRW{SJSZ*tCdb0 z>B~zZ5Gi^i9keM=7Y^>xDLlc`g=IB&Cvls*T==nz1tOOq&Xvl=Q|q3xD)?_ZgE9pt zujTwRl0Nmr5iMJnyXhVeCyhv&QIM$T_M$&cq+0}fmD-!xrh7O(^z-(2KG;zvo+Nq4 zv%!n!srd*YCGPDr904)3>StUl4ccDbge_^{RT$S_=ov=q+;z^eGC~lN44Ci?3GIThx;6na2~Z3+bS?Y`r&1AM9&YQZ&iw-)S+< zBd%|?lw%i29dF-0W7+soo1eic6gef(s4P$KYhY$1X8MN5Hj#jL_c*!Di; z*ry>pa^I_W&29T`2Zhw?*RSh=Mng?IV?4&f)J(bK?N2N5Xw7r#EtbuR_);_Py06u6V%06K6(PtKXaGhk5&h=F(zyOUBx`E?PgXAj-UHs z3rR!zyNTo~Z^W;h4-m^a;spzHYVM0s<240a)f2F#@r=aU3boC>z-$A6f0 z?k~1@$yXnF@-|kd69m;(>SlRBoyL%|Y3~}IRvj7|A~iejefk2((WJ~$64JA=iLX6Y z%9Xu6pHdyPd)^u<-%PHn5yHup^*N|3y*};C<@kIUHRl?qTP5^Esb*z4W?iUJrNA+C?v9z4xcJr2-e>r}6l>jazxa%?&gxh) z)1hi#lY~20`*%?EG`&zJ?ta6RQzN(Z@ahy-NZ8B`$M0On2^U$F(Pe!4C%g<#j++ho z4Pe||n1|RrEPQ8oYS!L=)Hlg9mF3GFk2Uga*9~qvq^{)NVk*E(POoM9q#1}adu>bB zzoB^1qh{8ZHg_?-w0%njgaXF4wXP-iSsm^RD2sAeLYe+aJJ7SBhecxIQ zDVunz$eW!TOlz%0j!d)i+D$p5ip+3dFk*)TH?J~{7IF?|oh(?9*QX6^`>u}gx_BnT zd3j~&0JQASv_LdpO=r=sr{w!(cHdN^J1b< zndBSu!kxVu`(O z0eJT(gX0YAx~z%j?Jsq>dQ!WelFB_o;aL+BRKPrXY;(bZh>rbGwRco0jDIH3jg5?q zkY12Hp1n3jzw((NlSS}+5Hs3>bs(F^WgU`G%2ULeWh+&yua~}Sl1mnjsC7DFTGsgu zS8>lzA%iS-(`xBV#=J;wQHD3fUedKm{HTz`@4|Q&*44NXP-Z_2aog+a+8gI$$`ode zPx2kZ;mo#^Fh$Y_x{HdDuKBXp>0XmzmZQb#SC|CaHn)dhFz!f~rS@d!&Jl*K=4b&2MG__tvNERc(eo zwIdcUST{oGd`OPZHc77L7;#TyJfx{oUJJLg#4ivC5nKxJh&klxwYQM48?;0ZADR>$ zJ{zjOq%G|2Pe^;OaPWN@f4g?snbFCS4b$3-#$Zt<@6i)*DuJ2QJ`yTror+B%cfT4gYco=T#g zd4-Qq+rMUs>^%PbjmmFHhw@ECjvm0@ea`1wZnh=Ib&}kF`P1bVnP+s0{w$~L9Anj*W}Qc zx=Z&^%Uj;ambLTyB(vA5g7K8&&G-_{sAjW&c}f0{3uft=neqi{YHG>jQ7}#X7YO%3 zbbY50Bmmq!dI`FuQ$AiMyVUw0_dr6t!oW-5mU(^G{9V%Y6;zrCm6KX=@2VhM_0e3k zf4xyjxPe3!71oefkM&`f3T?!W4{O2Qz~M1g5mlm}9TFe-6!t78Jw>pcGm^IV{a2Y5 z?wgDfNo^w*?K8HT4{KxHF2$bVpODgK=G=nRwz(OP`{?VF2dPIlmjav7N1%GbmLG& zwO@I)Ww%(dsdAXdNfSdgR_?rR*T-rrGR-JoOzVT0RLNpLY2L=|-~ION-|q&nFXz`! zzlVeC)x!!uQ#mOTYTf#f`Y!m=_1iP!7OS3g-jQl{$ZsI`W}l2gup`H6lg6?dweV#l zjjn}Y^74(coU{A-i)v0o+;Tl{eyRP(9>2UiVx9QFWq@t|0ThYTBA8?sa&oGG8slZ) z^K7OK>akU0RD2!+bPyF|o(th_qG~E@g}}A?3Ttz>29Eu(4*DvF%_2)byv(e3-a`q_C|q@fAIU2z#^3Gt(}oCH7h9Oy%DuUF7Xe9k*)8 z^t_lcYUsBTwHGt0cA)1AA)a3@5-S$i(n>QG2cOH%k+}X|y?&uWQQTR4kTKumje={v@%+IUif=TFsZk%eU{KghkclA9j1LQe!$T5SzypY!w~){ifdU{!eG5q}I(MC9B9NfJ04iYr zH@$tEae8VROYDVpaJW}h(J%Pmv9EBpht56FDQH+@A(?muF89e7i@vq=Dv&yGTLrMAZz1utdq5kc{=f<5u5XjIoR40zuv^?~nE*r=nYu zbe>2-TkZFEE7h8t`*qESk|tvFICHq+j*v$&?>A+|zqJ+`!K08`$Gg$2(&23v{ARv$ zLOueSz?yREf5>jhH6^;I?u8e4$hC2Pi|P_hRerw9Gp0S$AB`iCjOdS5d*{R(_ivlA z!yZDDJFm`kX0){*K2E6HN!8Dp_aQj49$?Lp6si&{42>y^8QHy>?-8g^1QOe3&uQ6T zOjO4|Mj}TCA+zH1on3$o)VXI?+-NPwsCKFH95%odU;wLse*@PSLZxi3sO;Lgu7Md^ zCyuCAIn{R#nh%*{1N45r?-x%9yq!pB{o9H{rPPtP7}XkVU`k<X=Z0@ufZA!SWD^qakf336bOIT>;Ar}rJO)|1&LSvoLaiqu__imfAor0Tfx zn@|SBo6^`148#_L5-2Pn01D3AY%cwNhC!z%9!^W}p}Oa*fk#N$DdOZh9| z{3|6J38dhlcZ*`vye?lDxl}tP5=HGVfyYG%m1pRt2)IZYMS`(uXX>sMtZMI1x)+ zozb;M)3Dhs9+ho4*@%K!9AMO(8n6`21^#lZr7MT+HClLVu@UB3qbEl_)`cdAD#S%3>|n zf-9;|Yj$DcAAU%C-5px8J@(CjEk(u>L7Bu~yuaos*u5;Ry0+KZN*KHyAm~dgIFsuxhHS$pRwI*f*Z zI*1Rg5nf7Ey+<*7>HKjXLFLcq7C;IfJId-*B5&r~J^K?kMt(oZ#ef46!mQ71gD~SfgU`LWMi@H z(`M2u5`U1vY2yhu0J)I_?#gF&`~J74@Td)g1BMU;@;}gfY`S0lvGvYaPKA29AjD_X zLa`q4ynQ{u1OV|7Z{N_q=R8{Nv$ycdVfynWN6PqA7yYprBMmVy|2Jf#=OOQ0bb4>J zK}bb)qV2ALe{w!Q={(3a>Mw-bsok$Hf&yr|!Bhj|_ednUYaKF-S{!|>b z^b@bvNzx+H{!0(1U$2(<{Xr(mRi=FnaBx471%1|+#1}FD#X$EnUJC+N*B8K5V+K*D zcY}JOF{Z(E2-_ufGUP#Xf?eeEW$elvvWZ-3|F_!@HU(E7tm`DSoA~PlPX1LcTh<~% zFD+EuojSP78XK7VA;95FJ3l79Lqk!R3&CBr7L`wDi+z1pc7%0iK($xIBtxZ6hiX5T z9vwI7TB55B*ei>Sah{{b{101aOY;~@WZA#_-F@;OhkijccYi6DV~a!pR`Fy1r#yWe zF;7Ub@Y`WC%<)6>90v44m!-)5$8(Il{jFb@b7dd7HY(dGF}-qt0#P@8S@@Y91FXu` zgG)LM7nQZ7(6uE6Ku37U8@w;mrgSt^HCZDo5absA%Y3IiJX!ayzF2=pp&qVlq#K=I zmkEbKKVpxkOUZ?pxjH(q0K%|yrhP*-Q^W58l6XryHTLyY-#K*Kw;}AFfg@ieB>^B9B`zu0KGYi%WU#(H~$J5W=H^ zec~HdechMnspSYs`ubB}!HFdgFj7d6it2hu*)QBWPKM-5zMhWc>FWEMkeovw77{Q; z!TH@xx8f;2_DAn8p8Uqt==o;Z~z%jMJ&XK-YKw3 zQ85N~e+00!dlV3?je{zj*JqK>{;>YL`s4-+T-2M6DuCPpnvxk>_^O0c?}Q<8&++5 zm;VetoR5HcK(FcMw6USG5@wWY%Wj=8Z|edxE4*v0qG9f$KfrU{TR+8P+c=Dop?L7> z`G^oOuMZalrrrXI=XGGU9{)P^yNt&p=fuZD@L7Z(JLv;N#6HNhC<`g5402xr?Bl^c zEP`S~5^t3>_i3-edMWKJZ}TTGc`ru+75_yBp}~9vOB)l;4XLd+XtXYZ}#}WP#vXEHE2p@jm(3P-c4P@2xlH^lix7l&nxyqN$e)GU7DZ{lImjjDF z1xj&-puK!rD*-x;fwPDD1~ft6Fz2T>@gb+@zxVIaTC!4)>$^yd0mqvlBHU%@?r)Rt zvFea+c2|=yO0T)kNnAlpZ^__Qt&5&s+Rl&#nPnJEfqB#Iza4tBRur-GvFlmDyf2u`)VlZv#=9PpPFem35N=r*_4jkB$e|=kjL%V+B7Gz$? z{e^D$D(qUX$y|$lQRUaa60xXU`FEyfhFl|@@Q&&}2Wc*4zgvhpRiGetk6AC1v;o#}DxYAKv_+Mbl41f+s(iW?{buTzly4L!szTQb>V_`U0 zh`B|6mSAGw=rRcS;klT8HCLhskT2WfWB`qV)&O+{&v|!JQetAkcr#4&TN=ltt1#Ew zInUm{5KgR|$<335mYDi4Uy_K{vM%3)xV^q_uUY(ZBI=QMImfS>gCHNf{EFOJU*z)a z%p$`oGT&9@+7qQdVB3q}lWfeJf(IWye7G@d!OVqH4Tw1uxjN^vzb|0_U%bZNUuBezv+%je83$;24Mbrr5MP`$z_JG zL!piHqxoD#=!4i82^E)g_;%LY*VoW@;DmE^>gp_UHZpKCO*QP;ol+iImkWrZ3DVUw zoe+}tMaGeoj%3- zAr^-}m_+dJ>h50su!HrDZ}@Qu)kJx87c@a3dk_&8*DqCPE;jJs;7jC@dJg-SL2dhL zry7qf(v$?6p-4-%nM>U+q*>|u6e65u1g(vrJMn^#K_6x!ZQ9qpxDOwG3ne~`VJ0Iv zTHFE~z}O(ji_5i%|K2BdYdekJCNK!0b3Ha%{+jgO5?)tZa zkA8W4wqLU!hIz{<*-xApfWKx*Z>yybuIt5>t9I)}T zQ_jJ`p+I!thy3qsW7~`ffXL==7$JPqkp8|QLw=DL6PS0k(2oyQN$;H2fA#}G@X;22 zg`du-u>(o#;WYcF@Ww~u=E-fCvelbHoD!k|JN;0Uv0 z$1`=9i6v^#t6ll|ZWn2Fsm`$hT)RwQt&ZeKjIfxRQ^ex&WB!5Ty;J z07F!{k+B09ochn7uVDf}vcAuuRGs`qSV%}Hm$+v(Bq?CS_URKnrqTCD`^9WltV?c* z#7R5G!4}JeP7fRC`XIf#^B7KD3UXXiQ&VR^(Ist|!#Yy#_XxKh6tIMBe8T|YczgSz zV4Rq;34+82j0M@Xi;4+J-|>VLKFRAx&L_ni zmDQ`Tryg8s*w4<%{kCJ_FThed#!ODX=}-Vnh8{q2j%dB6kdqN=FqImg+(F4w&b8*I zXLSbz!$wSJ$yCZ5*7n!KCvRk14Jv8FhBTQj2i$>}Uo|;R)8!!`j4Y6Kd4Yf_B(Mz) z4OLEO#`B?=v_NJSEQ+3YLaSAGwfFLCa92S=K|bN1sZ^=~+$(>d8paS!hCUyH@Rh>G z##aKZOTf66K%P$SD{h!R26hn6j|Im4`-klyvX@v)Jhu8fe%+R$Rq9uE83SW#>TItN zLMg4f11U*TNhWWcrJ9G7slAy;L$7Xauf?Rp9*kua)rdN?irnF4$+ZY>UhskOB@JJD$v^qFhW;s%Wx?X4KU)g(-4Uiz%A$Fa@JaRZEi~R==55q6HDeSja~v0NHiJ$2(Q#Ty!LLuD$s^vExFb?4`l&F{`d5^B9Y}Sy|jN z&HAm)iLavUqj}|@#gD)CXR$xf&3|UK<6N=nJ<+b>NM^IC1b~hJ;qajVqQuWLiup_w1=_V!uOJYzQw41|stX`Vpb}FC68r|2zq#X2Uo zL3_i9j9prycI9dl<)2PMNu2-E;pu!55Hef=A&s1tK=gLXw$j3vl<-GMLkFu$RbsOSISKwLC!XbKb&)MEwc{54T zducteQ-}9|=L9D-Y^*5q*1x7*#iM-QQLUL}3avzW+E=Joq4f7x3r{7VU?U4!Jq^PL z&~D=O_8!*h*qM%Vroi&4zmMDoFxpp@mg(&fmgm(3kV* z5}`6lw28A>rm(ehOEZrjC266ODB>!3Q33E7SR&$gYjYKV4p<}4X3wxCt$TL?+Yyyisz1L z&ffsR*+dhM#rWuEFSRPJfKDQ+kD(}e<52vkS~Yw*<@^# zhYzKGYf1I7-Ma}Z+u5$N68E+mq2fMM29(SPsT$n8*_E;^9uji4c{s2}2U9}HVp#Ri z_?4<8jSJFFA4K45K3lMKXCO4`o7{ts{w*;wZs>+Eoc}Ju$?Lfwd8}2We&jiq2Yn z8}A43t@0b)N1vJv6q9@tgi2?|Qu)S{uNf{}?c5g;hFvN@AFtWC*S;sUVcYr|i;zgB zb$A+7_PQ8WX*)bX@6~eR@hs%C4ZIryWpg&A%y&L+8J5i~AD{q*9n3rw0D&JMAOT6y zr|Hvr(dk<;)N{Z;UTbhK+*rP#2~jKe`tY!Q?;yyJiz}_hZ7nTXLd3@@`4*3qenIVu z&uSot&D7Mz4Lrxu*t7JCvPs$Sfi3VbAu}WtQqIz?guD|Tw#2dzLb!0KK071wwno{D zVVPwKqFy!+RGOa&iM+Gx|H9?7TEXmYYpp7|(|USPajVRS(kx@^1~f^V@XzD@p_Pj< z-69@RWiH<)V&Yaj;~tO|5ED24SRvp>`#EB7)ovcKnTNcfBN8XI=e3f`<@c@O?UAbWE!_`K9W zF+a03Yy=1ZM9F>}e6rf_-dtl{*`z1ML50JAJ;fg?6Ojl5p%EZr=$Z3$347}ys3PN$ z_2z4Ft`xYK5w(LI@Lq(%g_CCE3n=J|FX<&u?m*)2^%M&DNo^BnbiIHL_l&-{tbHCLd zvdHXXZ6UN*1$LI@N!!d3(oD^gnnirZdB?}cn#Dg5rzy|*x@|wGbd-IOo0I6$GLWBu zKPPHYeG?<;N|MdOi{py=9GY6bO3#ifu$6zzV^&?jFq%aoBKBim`^Xwq$Qj9-*%8K2 zuU@}&t?sJ$!J*o-Dm~en#S@sF?7BJq|V9*1c^$%pOf%V5mSf{a- z5Nl?3ns4cuwYN4`KT~x!OMD5WyD#~0i%UAN`(Squf_{kr#pR{A<>$#fQzo{|MApH4<;RItZC>8Kwo9UH?yKRW zINw=wGU>fq&2D!?J))MDn;&z0yrE^w6@T0@2~Abu*6B*R=hhDHg8|=v{mv<#Dv+5? z44R+m!^e9#59UE4cj@CJGlr$YB)0a4IzQ9z!hQ?$bOD}?_>Fp+&NZ9m!1)j=qr?Kj zSK-EW%9URwvfUgPnmn()m^(#lVg^{Y#mreG91E!b3n3E^aecyhPAVf5?^K;-92jg| zuP#A~3kie5<7BT#TQD_Ul%tp!)cOYn(bX6GmfZ+d+JX1)og_Ny7Uobnbvn;g&dk`O z>-C9}>M8wysgSpH?D0i`$A9?k9BPQKm|3f~LNu)a9o|)I+v?IV`QECz2T#z}E>=uEc?-Q$^iWRevl0 zr9Lk``$C%4w?NxT8(p!+5@Q}^|4fqCy5Q)C_6Z*u`~nZI^i~gJ$$n+RxuJZc0ci|7 z>o@S1C>$$P7v^d5&#I?%^&e)M5K1CNRd(%-t!)y#8HF|IOX0kCxZGR}8=Cv`Nc3AG zN0F+j@{3BdIDD?Ju}HLfyWSu=o|l!CRg)g5Te2{IwF$~bsc1xs&A3Jvm23V+TYU+bTMZQ6v zk%yqDD1ucX;uQDq%Q5@ATsKGRsm$R@_oBeYe}siK6g=i`+{7?&6kwtY&?o|RZ6YggJ&Y@I(aa#Tcy8TR^|R(iNxNB=Ma~-( z(s#q^DjN>onvV0wR(9qT_)v>3TUBgcb1N3T6As?fH>%IUcvD4&NQzTjeqQ5m17}l; zn>Nm@Ns%@m3THk_Q}2B>-Gu6cvQ3Y%pz~c3k_#cC%|$(W674^JeA<%tai;JzZjV)0x>*VX^Aqw-vvh{SPeG)1{GoCGlvBzX)U7gth=Qu82DNm|bL)rI z(`Qhsu!nuUWL4UN&oyjf>yxgh?U(dmJ`~hp#9ImsxI9HLnZ2=jvo5zqW!b*NK;Sp` zA@A;EzR4Mw+f-kELIIpioLNP>e&#O#pa4&rZkqk_W^~ARRRyURh0+y5i#Kih@j6d@ z^fVNbuBd3M+|JxBC??d)p;0T%b>g2i`Kh|BdF=b4uo5;*x^$AcUH6x6TZ=2fU)9|_ zhkYjhbR3TR8?|wF{pKJ&#os66HRI^RS-PQQdHzT`Xe7SpWtX??y-L2YEJg2 z#{ToqKge&$kzDS0riUI0QMHNG_IWD9=Vt<7~rVo;erCsDJx)SQ{I z9xZB3B2r+kEF#Lbw~?RzbpZjE4+Lm!`)&r^?%z)qMMcjnueaN@j>zb}cr`uqpyN7v zZYYc7-#g$C6@4Vf>_+zS1A~?;_t+GDOO+(r@3$?c*_3tcFH3EZ?P zUyebY@6wuqRQ$~<;C*(4Ec;b>A5s7vWt>duOUe#*3b+Ia>^>+}1{4t~g_;?km0FM9 ziy4!2hJnK@=qdM9K<%oUd?L9@Bi9b>sZ8l53M(jRxLK*#^|JgK5_69!vu4(v6-(w- zi|lSAo2;}wTKBQ8^J7!CwziJ_ZiG3l9c%T+5(_03ON+^WQUB@k8Tu>9*-jNb`T6mf zB*J8~a_44QF86(v@n`YZzt`9|7#!ey5X)yvf$(VH)5ni|DE#J9=#cj$7Ydo0gUqNv zRC3Gki~?@&u|t}P^0;1N8n%gri1ANHufL;XtLD2l*Ow7V8bo3ca11>Vx@q-5amqL) zfQZa#@O%f3pHJ^Xia$dT!{x?=ZMlnuMflXIi+lI(-B=rqJh3Xbz2y2&|37&Fn#f`F z+a4|rc?tDG%gEY&A~H+tHh^WzKHE=pX4g~|8UHn;e5^(3zkI94J@;GgtYOIu8OX@Gg<-y+}h3vo{4W!C;; z+j@d6cUoKK2|eGzIkM=R)Wu>UDm&>GGI_6WGI?Gm-ScrF;@*$5i=uwkD~|7&XZ(AH z(56EfCucx`)opC?OgGMo&x2N5#L0};L1M(clThi$KiwiY2QlPRv`rzBOaP{?Z>ndS zGx{-HBGU$F03onhyq=0VU|0*xw+i-F)8+@P=VbsKeg*nVdPMgjG@LOf`2T`6zF$AXvEE#d?;sOMZ znN)Ir^QTXjp#!;c7F&g&sAe#+cBVTk@*iGaDf?a#QS<6s08A%?eUrTNaVMJt>j~-W zqYaTU_gGu5lBFv!u9KLhDkSPqgJQ8zexmEtjeSe}a zIz2y)Wp2{!h}k4Pns`pkoU4-74Y_GaV7Hx_;=OzbONC|6lXfm8GsxS~#}%8x0Bf+{ zTG58A=iHx)7?La@U2euT?W}FS2W7$K4=(ijNy~7VJh9LZa{9UFl)bBefwP=52%I2%yyi+#D+bQ z#jar>w7PIkX_L8?&ap*to)lRTQwhWsT2$>evme%`C;st6zl`=7zr21Mc4%Bb;CQO1B!|GiPv=cYNe z$tbhVblqBvXrr`S*cXkHU}Q^ZY0T?9;WLczG{8Zt=-m7BlSF6DecHhN6*M@oPw) z&Rzauv&pk%ID2%{tam_!ytRR!>8MGTU#)2gJIrGIeo#RAjIDNVuL!f~2M178;Y!OS z3xcOh!i4gYr{mx|Geg#ji;sg3=;7MvfBf} zw36McHngg*s(CmYKuCT1wdWpuc}xI(f+(Ldx37f0eVK_GeHFz5G;ABJ5#&!Dc48$Va-52fcyu4Jtlti2*HwN81BC^#mJ|Ka>34Y5;$Kvb z*pQc0Be=70!}*d8^7pK*&z$WTy5H2$payt?IwY!JJ4aWt1SScyt5dxNSrGcZj`HrZ z9rM27@?2gG-RWs>*hr*ZFINGGoYUly%(E$*NhfoQKn8Aa)v({PCNgH6CtxkLyLu@6 z2S%gKeHs)^&NYL6Frs4&=`EDGtU#V{XxSo258{oxUs%#^73Y~DCwI(v~ zcKD=cSZJXu-tx1jBhIke;DmUxdi$TS3Ss3V=L-f(^-Kc3Wfq($ogMpkPPHb$Rp;eD z3Nj8monTpxqq!jcpj$Jsb-Y#9L(2UkDv-KnRp41qb4fQp4oKwjg9ajmqq7CR3MzV_ zVg>@6Y=%(5)>4?24;1G+V8CSoqUW8deP1j!ycBx zF#k2*sF)9R>eQ*3zV0plQ6N#JHfsF*{3LBU{ze2D!CH5MK>yf}AE}WlTi>3{f__cH zm$2iy4~;*PGWdsb%t;#ty`88-Q4bj z6jR1ASf~qWvmJ|<&{MJ(Uu9~^PSQw4wlN5j-fO`a-W3&LwAcx%o3=50wkuM+_e9^t z`2!%X<>sYOUDL(=JjR(hXzemC9;%M1zuSp0{z$1qBX@wBD*8sS7Kf0GfW=P+E_gQL zwo)mreqs|z1`wp2w+%oXDH=||?$7GH!zvGgkTL>jAzOv6Aidy-AI7WGB=rWlk4vTc zB@%^A&zl>jKGBA5sz1O)gJUz)O32R^J2%ryZo$`4;*>SZ2EAjVMa}LS|BGK(iU(Tu zf&6@(Z{}>K2}N=ltd32-Mt_O+ssoAv$LW8oKsfGO9gPP*owH0_i z%>=(hDn&zb7Kjd*pV`$EMct+hOBTw}Z<5N&DVbfjY})WyZ?JR_qA(E80W6~nSnk!a zSK4+UC~2kTii%VAuRJPddW&d6n97WIx(RCI7|hRbE8BUvHcn-D%Q)hMj25q2M9Dwle$?!%aF}2`Y%Qaf|)Eo856)5(KR9t#~>Cz=6 z6KC@Xe)41rif#-q;~e`-N&cP#uE9p;AW5qVQz6-f4UiduFZmJ`y>F^)tyw;{e~}Ij z3lT^{mgd^Evv)kNUk{tFDx}VPWoak(LRQ9^adcZN+s~@?AgjA8gT+!C^L=RL+VGf2 zC;w?YRt%}Bb@9Ed#(KVvT$@adf7#t$qm=b!8N4~97H>5gJ`;UdQKbK>F=n4fNCnQ>=<2zL$$QK=Osr$4%d^Fz)Go6^TD$u|#dX_;n>cG4l)My|?fuL(@9&a% zoZTF9;G=n8?Fy)JFn=fwU=uqSz(6Xp42ChXgfunQUAqV;Gh>Lg{=R^bFmTyk=Ij3C z{xVOJOu(iW0?UCwroOv-$v^+hwM)TJhXW_1TTBZ5F0w;Wxkru}W?&0G0%;R>gYo6K?!BU0c1jI* ziv%SVKbxy@P41FuFifp{IV2Untl2COb;_PPtc0F`Mbm&4)AWIoNRI=tGy9dMV)$E zW>`BiqqY+!+5fIe|M~GBM9)EQLeTDGUgN7X-)bWLc3cMGg5OsrdJsMqh$K>l4u12U zI!1CObGW%drDIOGxDQ;J&IxgzEVo*3M`-w2_!u#xGEFV6EepJsy?Oc42|ea~p^A=A zmlF!m0qd#}{+}9+@RvV`BJDo|#<8uL=>1z_kb*rD50So8#=CPEZ;Rv0xl9X~>7hYi zqeC@9BETR1S%h$tsL{|!d9)x@=-k@cTg7S)5uNI+Eg-K8uMo*V7kl7(@3ppK_{==|dHDJsk04-1 zx2qb>0m&lyP)ZG^d9`fLok@h`rnvZwC;ZNO3hzk`DmNgbct2r#*mxMGzx|B9KNHgB8v7@M+#2*|` zO5#szQ)xMelo@QjqMV)WkEzK6GP*$YD3XKl*)lT;O$sj!$o`doR+?gviw1VUL8Y9b zkTv=~g8OXqah3q-W{6zjM+QUxN@mezqj!A#haDnVV7r%z^n1c`cfz|}$0@Vl%TNFJ z6rjqM9WhT%vtCQw5|veO&6sqEZ&xd3RN2|bQ12rrJibBg2P8RqFQQK2_kSeh3};vk zLlADz@1f|^aScgyFzE>^p8z$|gF96XQ&0`EKDlPZH9EqNI%CqSfq`{}NR6k!VlBbe zMA_~O8 znrnj;Jn#G5sA#^c2acIf`$XtW6ZVEqpMe~&cnAW~r}f{|0x3qzv9+5GqnQ!kL*L>6 zLqK*^34K=EbdwEf=0INGHxZ$=@`5?b;Fbpvf!alyKuJjPfLn`m0#)u0TeS;jQA>4R zq*@++)HHrBdd2=2!(Mo)g|`vPC|)P}bR?J%HV0w9F z)79FhWdj4A8}`YwGTJpx9~VPJdw+kp%{)?*;*=*SZh}$TEKrBj!`{BtS;9hrWOF2t zE1djSM=j93c1aE_YG(u7+ogd&kS||mfnD}3;?O9@f6Q}zp?Y)5CHUJRwsFskUg4+w z^|jbd60!a+{WNt5*FL(c{SS8U zu36r-T<>*Rg=EifBvk*eSXWXC0Vm7Y{dC-;3cfZ&>v57wmiZk|$EL`hA>5J*oH!I_ zlVl-?LQDe}d;mhIJeq=A$*Ycz4E%0H_=}U>KANswd)Z8!%W(RbGd}2x-@pHRdR;cQ z2jO-ua>;AJl}H)_GBtYdr0q(adsuEcR^|>rzMLpj zs{Wp3Jc2W1*$p0A`KH*OnBc53x!#c<-cIHY$fH7Daeu2KHZ3~RB85*M>QMHibM;m) z%4Dr_rwIrH3x~N!iX>j`3HqT$3wchqjOOC~z{QK_KXdkNw~zw4nFs&W?@8cl*JcCrmloy2h9F%MZ(1WjU za$bxwmE>quYu}K($u@0;=hd4(@1<8j3!Rb4C(&bgwu|+tMa!f=^=T;g((Q)gETm`# zv_oRFVcv@88*;=?I-iZ(yY?dOf3|uMDSZB3+SG1aL!n23h4=9G^0w^>6R=YhpBsS^ z)s|1zs`eI&_Z$jn`@^Qj+{ybb6HTHmz^Gn-0~L1Bb7@Tq^#^j6DhcEhKnu&)A1Er* zqS*>J4)s<;Hc#*z5tV=MTl_#G;>-v}c9)v!?{>$a=x5Ll@*P2ik#td_tAe(6;@8>l zncn0%ir<_?KT1%wH_XD--yFq#0<4BX5~?{zC9H^m?L>!#s+5VJ{r$i+Pa^t!PL3UD zyhO7~z`9Oiy9WJ!OavS|6z6%ex$(pQnrh&fKl^#oS}BiQB#5iM8P3ysMKDz!G17c} zYMyGWl>>yx-y3UN+aEvwuJhVTtW`SXW5rsN|Bt=5jEbsl|At4sYyksNTBSrlq)WmA z0Ria-6=^A9=(4~dbP$k6x&Bpug*Vp3Qi1yZCSabSAKGSEJK^X5fb zVZvJxI&0`Rh(aABCGylI9`8=BpNik>$9r6Y<42mFJmK@XL%;i)e&s-p)br3?@%eY1 z?rRC|T^l8P-C*B8CM$O9jxc?tle2j`;;JoL6=n9cyHl%bGp51WItlCA-MUvUnsoe+ zN(&7sy@mTU+IDc}abLGK)8VTajvD`YYLiRy!Cg}5DB;sr2??cF>W=Yl#^Ah)aMxjZ zUoHMvD4s?M(5+ZTJT!gV#a}whyFc+*_hkFCyXwJ*qA5;A+-x_#YgfsMkYUcrKWXp0 zw-{KKF}YuEL$_q4rWf75+j^czc{;r_-Sh_}i=o=j{xOmo?n4y_-@_@1(NXfL=A9F? zYomg{1e*U@&skDg6{GDaH2?Jc*7l#>gl4jPhiOv1wZ9u_p*+=s4FIPMrXASz&x*#? zjT)_cZ=36EEAdhnXEaEOh+9e8BD6yCr}ePJ@fIA~eEnb!y0%0YJuv2nKMU_l$kwRe z-MjEtA+ATg*Q8rxZRwx>Zt3f3^!9I|HGC2^81!ce$S)|=6?S$z^iiVZpZ3~&e`_9V z2y1u>UPfwN^1lpS)F3-lqJ)h`h&cQ(%HC^Y`|;yP2x2#+K@Knu7bpC;J{Y-5qY{|Z zZ5xpDu7h+eg`$s$PKHaDbaa&>{#9g+GOmTGy2->PXes*YRR>%WPpy2UCPY4lmL?{LkzEwZ5$X zH88>I|3B&l%lkS#?)zTD=&!!eo&vHPQ7C~w^k(utP2WBQKw4l$gvtd13YNZTjx8~w zqDz5Hqn{O*lr%h@eHMkrrPX&Z0fmPP7{({6gu7LwIZU)i@{_7 zPl^#0>11x6#RlOhmVGE9(&(K;W#N`%C#N_L#|TSaO1QB7y3HAKn^R?9KQVde6>Xo*2^0aLoHF^5#?rnc_Z$wIJooSGx?mphLlQn)}qYSJp|`dTpyA70rp)Hr^`j`FI?@CB zv<}k9lIlj0{fyl<37(Mt%1X$Bvr+7GPJ=l#P;C4h{;>oT7gIkhys>=_+Sbd}zv-hM z4U8C@;zkXI+qzOfxf$TEmZ`X=fDp=cq&>ZQutTSO+_($|<1W)dMW3)Ebgq+q9DT5v zcVsNwRJLT>n~_%hUgGI?S~$AFX^Z~iF7}#l-wJRv!O;RoP`nsOt(nRwnp5(R6y5V0 zzdD^cdp5pku235~7{j;;dximvsRxgo27|^^ zlAMAf0R{?9bem&UB_+K`>8>Y1?OYL#J^WUUAI*Ct4!lrjs&e}5+4OgulgP70x7?AG zyaM1El(}J`iVJpCEwpF6mQR0O8dFipIg;HfR6#fvoh@RdFK@5q4;{AA(pQmz5#th|M9#u;poSAtw!U|a4$?pyz!?Aj;Hy3b z_xB=!LME4tdX0AH0AV{T{&5{L+lY7_F$MSHHH+r$j% z5X$tThlYmWysg!sDSAes?KqTwW@KEgivL&fq$dUI_3JwD7;R8@g7xt^0h6ByNW+b* z#~U=%)PmMM*clmbL&1SfNu&RpH;Rx9cb1x(jgym8U0gokZ_PE_*OQ_FAR4$9NN!{p zPiox_9%M+`8ApBBg(}>5Bs5yY^u)#^#?PPEZ-C+NZ>ZkW{}SAP(1-t{H@`aF-($Q` z+JB2!K{9@;{wF~Oj~?mh%4h$3rOc_I=!~2oFEgv_2~0u|WP|?a5C-KTKr3;W_o8_L zO!hx7i2zkD@?Ic6=uz7!1EcWToFO$RRo0B+U$#K=V^BRvakPL(R-G-|b%(lDV!={ipqG(WqcP{QQ z>i}dkfRRWor~#Q1#%^-~2NT1-W#>bFb(5Z(j@F(h^4BtIe*vGbT-{c~@IGA@JmZ*1 zE8CGkGBCAd7?q@~a;}PuHepuOg>9?ih*O?v>^f&zQd)fgm5_7z&hkhx)!c`OhD?Zee|LpD1exl3IhyRi_lYlq<6?}IO(`9rM|qOM!NE@ivUz2Jd*H&KzB z*3w86uiHvZ272<$^C01(qFI-_3QZyL$Q69^??DXrli8f&cCCeQV&k+_1J|nP+Ut!K`p2DRdWAPJyhDpzfUSRE z6csgAi&iRbOZx7Ld96yp#T0x87m;gPm;Ps$TGXRFjDiyHmE3`@`w{W5 z2bk$!%W^Us*Jm`$B4#PY?LGmbYPEBHX^0I65I>_d z#L#kK-hypfdX7qw!%XwQ&f?3A^I{V3`kiBcY)<#*-oh3yhbPF>C9-*uHM4PwCiWHC zs|Yv3qqJySO}zbeAji2Q`08;yVt_~gr*0OV^Q#DriA$O|zrMD17qfr=i~1edI>;+! zbo*lR`Di%{WOuEQ(FxbH&vk7NYj!+Vg&rTqt*W$8|0lrU^QoXxXO90bU^r3KeGBbo636+c9+97ag(^C!k@AR zI>h(nz_q`uK4r4m`Hyt#mk+TG{18cO&@cGuGf`^3!F%Sk)Sa3M0fFAfek5hrD%h=h z=Pe>;L!6ht>?OK-IFIa8_GW~{9DPg?4ZG3&gza@8l+c#0UG1w|?!QI_ zh&!0GZ{OxMvFrfF8LS8ey?B0$cQwRg;#~(dnm9uEhzTE=qTeHt^Lz75kaPV?tC6mj zP1AC*)ig?>CvS?Tqw1eV(n?7`H4_t;L<@*36OZ{0XkHumXX0$%>L7zr-12)|5(oYS|#dBK4`yHSprE?L$HEqjVJhn)3UU#l-k@ELm)|7Wj zn1CGH&7eaaJRZLu-GLAWK~`Lk9qPvmVj~ybdow#|b|HNwWH=S0JFDrkJZ%xgK}Sa< zokmDxQ0Mmu1y3U*VhX2R>WKG_aS-J;YsAsa{dEmOPk;<~mLfkgqNm$6^LrPH%&-=a zZ7f-BBfaAEu1>#bOU#NsN@g|5QvXhr`_^ao4YZ{}&0Xba)}CC0RL#=O9q+Rcnu7SR z9c=a9vP=1HKz`QboUGe*;3^=0&f1;TVMrki9HDt2yV5xfEO7QLZEUi@fa0X^Ol2ig z*8l^}!&M81{`l9VA2#Mo@>57MmlmH!bY`a>-9aAW>)GG*6iu0_mG11^$S#e9{O^4Y z`Yn1Ib1suYtPBF2QyH5(7v6b$BLSUmayYDV)5u?o+}wU)A7TR%@3obXHS%tDrmuJR zid+`FO@CF_bcI&fQNlqk3i|&&cWV8Z+#yz}P~^dj4k9a7$8IQL?#&+#x7yd?s%S9K z5yq0O)@-WlcAwTar;hwo#ss8n zyC^M)RxBJ02C+F|rvvenqs3sDd?4WXNH6UYN5*;2)ISpBW>(XOR58RwU$kPcVP0 z%|9^EN$E!UMdv3gI&RBdR}LQZzKcZQ}Tuh+#2a+#8ywXH3kDMRPW{!c@j&+wx4e)pA9hRp{y~P5+%6 zum4)W5Vq)@}VdvJ=hZe~gRJH}s|2#z8ecVGn|6m$s{kv=6#zf~^E* zuPxy1zhiPtEAu<@X#MGh>wPHTQBxpb51A6&47Xz;4h(XQx9rQXqtxAT6KsF}?gipo zg8A%b#|DRdI=)P+tSaZeLxIH<-yc9*FgBQBW?sMC;k|PoC`ghpNKx1{mS6hI_6m$VBGIRzdk2Md1%tJYnjZ_yFYx{ub*`jeo2Dd50h`B2E;IG z%T_Q-gx%ik(UQ)eetw~E7CEYD_i3-6`nhn+JH%5k=2o1S4u3`R9ouyw7XjD&jP9>R z17FLHgdlAcky0b`H>6j-tf!=6JCO1gC`?O|R!$K1?adI3L2q`x)anrt2eBpQI>*7I zwSr_4qSh9?-`&%oBd3XJRMgFJGk=bd3qq`8oA#f<0-aeyliS$^zth!~k1ZTZF|QB4 zE4E|(A>=?0JQSSR+o{tAd8!ape|#7P%0unaw@b6>jw#a`7}8dho+t+E`LiR!P2arIt;6_g+9X zNgLQbgh`=nUen%dZW{~U^7zZ*##U&W@&Y^N#{-$@Y@srTs2xnB&y<+mg)WHJyzcxE zTQeEkq&AsK)J`cLNXi`U09Dh5Ggw~9($|hqh~$==$f~D#zS}Sl7*6U`IIA*fVIhkM zU5ag6npNQb^{f0qt+P>o0P-`Y<=1WP4vCjj86s9KQ~LV5yAF7_#g!F%w5G4wk9O_) z#djW2+KIMT{ALqI#gKLJlK!@*P3)ktKsRRo1;5qC4N%%JjOfm%r`x`&mUBOay4epO z^qyE?84r2XqP(h(cPTHfB+(RXi2!HS6+V@1Nxp3@{YRtTU6@s#lqf$5e1TC}>fM9cJvV-1oy{iPe)RaX8oEvl*#H0@9P&}6 z+vcKUNQTZs2gqaSav%C;0|q>us7~T0dZx3IozrpKFnhXS2Mn-4On4k@s@yfvvA1jx zTB;hJ-Z9nMp&S!iA_F@`Gv0vTa!p=gtBIa!XMb$}?AlCU=xY7D21~pATi`Ur>7m8@ zYihiOM)%ALn%^E@^X1ZA`-s^B)3@9n7F-pqm40IsxsteyUfObCOxwh`eBg1|#qi zOezX8GQ{HHo8EN79xZnG?dKpV8GxJe&8DO_4Up}}U5j~PS+bo!)rMW+e25%0s`>tJ zXq{>rZoxcF3WN&@PRTXKySZI{(@#={Hb|QhGm>J6RN1QZ7UF3DiQ0i3Ob(hsQWwa- z!Sp4uTwhx;m|j#j;#9Cd`dH4eHz^P3znSR4_t~L|MO(SFRwo%_#S*-L zBLp70t)q4n6dKz$ch{$jciBB{O>4d9phZErpfn7VMusQBYf$O$0!t|!K7DbiO0nwT z%L@ZH`GfQFbUI?YtBpw;LTQGlQ~S>a8Bu2qBoz+!$%uRn$#(>S$UUx|u6E`n8MP3u zb2BiiM*AsgEt^*l!&Um8Xk%(V`(i|if-G-F>~|2uNDA~a^igh1FRxQR$xPk0rO?>TFphiV1gb*M|VS)`q}nrx30>6*+pKXhJ?H)fLV z;kSAk%DEOK;-2^>0NYktA})<_CQfpKou9bmu|^!fEbX>ImPT|3c~6KSYx0RCC9#;x z*#)7K{M{^&@u13)uXB)9GaGKBABa!498mUf(F5Ze!#JmJj*J^essIG~xpe_1Py;sw zXHRH}ZW%#V2NQ&T`(-BY4Wrzj1X+dch^Pm*#UP#|$Tia$0XE1~JjVx~p8U)Y5U};v z@n^eaWRX9D%P9p3;EA1^prOd!AKu=Rz;R~J$FsY}hliC}<2dzYbSzknz3 zM*qJzA@WZI3waKRa{n97_`j<~w&edmNA}ydc2K;3KRSSgJ3KF*UN(@?(Aa1SB(VHu zcb-M!@te1Fb@@@eSNf0d8{A@rg4C%N20l9F1vi11$~%kmgLqL?V|q$|)DLW8BJJ=t z#BRa`Tq}SL{3uEnQX*Z4K3rL~=w2(?u=ju3ZBLA2btY^xA-qC$cJ39*+FjLEKiy)t zB|vRI6KcHbOL<9PRIvJJsfbm{=T`pyC=eTkd&y~26P=S~srUtD%Yv2;rUMeO!zCwC zjr34&rt45ChZftxQCni5i%n|Xq2~RLj*cd+xdQF$Yi|M)=64`?(@2S+rc;+MT#y*X z;u7R*4jnp3n5tFQ(d9<*3hzA}&b7Y4_9;7xx4pT}3%~vo^oKpV5T1l`Z&nnYq&`=v ze2s76kc@ipG1T}8WcfSyB9&H8eIyD|ps1#B$pWm`E*Hqx^xF~a)Pn&%2<6(l>q8k@ zZ5jFEF|B`n(b2^PpPXF{i8X}xzJkt!rqFJAU$g8^VM`$(_hD< z3-_KEd-0ZchjV?w0z@mBJt>l|S~Ph3(u_`V??XxOAU&ldL_0cv1XGlvwD#{kREYDE zh40f7(8(H?!*w-;T*XH1P6Otd% zAt1(a+H!*eO{Ks?2eCuT@A%_Ijn4j`@ zy?fmS!sFlmx%AN9rF#;alG^xDf&(dL=JFzt@c0`kv<|wGw;2D5(=+Jx>P?iO2d>)Q z_V)+m?o{QCmWT8)!kf8RIx_kBkuGL4+RMmr+0Ny+v9@lldNlTq2@`X~;{ zJu>krcJ};&c*JI(b2T^;c*T4q=MDY?V$(9QYU(rcJPc zo=(tvPMC#n%V~BX7Xl=3%&buREp1aFX$b~c_R0#q}ePNN;SsA zMS;t{X#4N=ew&u5nMd9}c<`VwB*FUDke@q8SX&q#AK8hBF?gIE7@6Jl3XpP`POI)) zlVjQ@36_%x%PQ=i9I|_Z#g|!G6(2tQ+?EG1G<9Lifl{}?yt5SKSD2WpI{XLoVq#+2 z^K^S;dKefO*tT!x4RMmK-PzY%;K*r5+kgC7!i&`kFE+O9-6&ajc$8V>!;|cGo_#!Ug&YvIr!(uW#lqt5g?uRQDod&tjI?Pi{G}XK%~MFN^Qz zxpocO$diWi6raPl|4 zX34l};?TJ_IQtp1pgIqmB#6o&vsa13kRkg7$u|h!`7paS`gq+6Bj9c2uYaB*>3Gj! z9L~pC#QwT=O>4HUu9r<-8O=mXwl`z4Zjb$xwc=rEj@vRn>dA*-@aBAV=yJaOs z{)Cj$UGbgp_s`#ZUVi&F`jhaf#pmHX4OXUlIaY2Qrnu7nCzC5PW^!pd95Yhx*=js2 z>8iK}t?lko+{2BfqT(NBB)O6%%w{o{F6ljA+jro`fz9n3FlOvEpj255;1%BfhC`m?Jkzy6+ZRxXKivG zUgP5$#z!dywyWzeSgy5@zkX#wpLsHgHuK921I2zmo*!?hd9r*{$V=rP>r>N26E=u; z-REe?qbJ1rdLyYRPN%)U8X;P$V11tj%az6P$!%3GS8Tj>6sxLbUps8Tbnfa8#UVPD zCHZh=(-2$f^~yryWmVHxp`pZGO}V2_8MrLjMIN3YjY$(mp=L{$8UzMhhY6A>6J4?O zku&KUnGnagZj)ow1U}OTj;mjL!r`_%RlW4NC&aE!=7kQK5 z#>FKDQ&SdIRdp5DUoq=T@pbxyWlisO+lMXcR|M4`?ez9$w+wq#hjeg5fh{==Ox-*bH<@@Dsinu9o@hm}*nlu~pO#x?Ql8Dikm0C%QQ!Nn5u+1!$w4hxeQ~1iY^q*~ zGZNTTsfGlvfCKCeuKzukEly73>+c=%@rGw{_q8(GjA^^0++ySnTOps!ZuloPGD(~; zmd^$!8$GEA5m>Dcpn}XRcY6lWIU8ShKD?!;iNE+_qxsFzBpkVpqsAAn6VnE>Y)?N< zX}CXIF^-zoSZug#D`YrD&cw`|a_ewoY^RsTk#@4oFBX?5_7iWhKXCz7yFAE86d`bLk5|;D=OBr&w8_n7$rAb}VPM z58b`APS?k`eHD0heZv6okPFCq0|ni;3U!0ex(1)-l8J@YcL#H~G37BV%J`RRlKP z-Inze5ZU>8`luDkgo(d2zh!b9`EZyOO^iG(b^+an>RDVOAP?D|D)q^-gjLUFg}!a0 zA!ICR#ea7pvvhYG`W_pw-DLkKlrFQ`{q-w}HU^4r$aL{j&T;`NlM4$?f^WO_@qX=u z9pmNxTqeo93|2B}`oKritNRqy)DpHgSC#u|P!D8J;P-o~Rp98lns2z-5#$!^%=XKD zZ^FJnzOmLafbRBK7`me`Ktcg@?R4t+%rlK6yqu3764bS{%q%z8(ak>4kFeG<`VDdF zR08Ghg4_D$X2>RF_)HLt_QBrQL;jDNiT=t_(QJ0P085$Xq*Ix8*86?!CKvJD4%Y_K zpHOQddzu4#dK;dIBD0z9sxI!arMjwaOLpBrhg|Goa}6Dz4JoNLoRjAaZ3A0#OBsU@XRVx`Q!?MX>ju?NaitbFTy2y8{vZj9 zl$4CibKit$g`KrT#OnBiZLO=a!2B+{1bMss))Nz^$UEi&Mt3oi-)b&f-lxB_azxot z;~I}!^Q@|>uHwS0cfvvX(V%DT1Xq3V)Q&&Tflj3aS#be$Dg#BH=+2INN?IDX$4*Ml z%`owey&omwM*ns!LwmkM!N$sL!eBH?Ux0GH5J-zw+)4g7yFV+G&u7^ek)c=>j|EbN z+M`!6qax>~fB)_QT0y%CLQ+qkW=*&ev(9g2tx}eBgy=V&0$TcPcRUY6UkmeDAsN-D zzhY>Z;(_IFCLVuF(D7SLXnDcsJc8aJrtT65{?CMAo&Bed_mDlhI0&YI+iUt>DS;F3 zI(AFTdWHw^=Z`$*yCf!gs_$mI=$2O1?K_tRlg=D?-ps6v+sc)xyE+Ln;MluTrSd|I zuzJ?(=~F2^R`*gVZivzr_CO%$ORY?wy&+pDz zfCgXj(KvD-^W+R==1I(Q#GI?ttwSp<@1MEVFD~zPM<@^bs9GH@d$!GRmZn`AOozLe zM=>e*1IBNTP@wXe)LP_f3ER551zscRCoGCikOT4Cv3ND(LKu1KrYNd)j5BHnEUB^Icz(^>T{ zIB?VAUK-)vOsGb%*klXG%iT(pC;vMjo1b^B?|TYm_1z!2+yNh_71vam>mu#+YYMfD zyX5ln3il-yOugm}Onu0WL&6`r>CL6$73GyMZF0`Hq$2Uvx%V#8-k&*~c`}_O^JJ+6 z`)%`E?6+l?{wvTB!7^QBrDUr4>R6+$$^8%)Y4qC{tsUPS;l44Oc08-pJk_c6vCk!4 z3_hL{IRC;aF7<$OT!QrDBJR?t;X_14IQ>gF^usSysA%1b2=kqzqez?o@*uHM-r(bx zmX^o88hpzMQ_Ec&O<%q=p2qZw?2k*$_DY)wHxrW7lC8Z|oajUcZD0(899sic@M-Wn8=7)TeLx?p7W$ zpeQUy558x-@+9X1A)59Ddfsp3x@S!@O|7|=Ph1|?*P6B2$L}doD1@fvK%zgechs_4 zHXd*bh)bo_lB{JP_9|mF)@fJc&o0#wIh^K`6~?#F?)2brhQQDM=_avX#LS@LeONMs z?d#@=0_GE+Sx+7BJ9S)}{?Wxy>da=~Kq62>A?2>WGx3P6OZ}%nbI}@~rKF35DwkpB z9lkNw9JL;6!}L!*2*E+SDMrG-dV3APTNh?D^gUD2bW7jt3+}9`{b; z+npYBR2kZN$~4lN$T=1D8V66s}ccU>``~oMYTLK zrdm!~;?23XUwiS?QL4-UN}2)-o%s?HoKGiO_aXfM1jSNE$4O!AkN)5>0Neh)9>@X>{rv@n%DWAM=0C6h`zCC~|H&qV zN*Ef(W5fP#+zct48URPakq-CD+$}S!Jv<8B1uasrVS7Pm_}GkJ85Y^-2Q1#C?#Y4J zT{ZeAeQ{gEPGdW@`F*p5gg<8@QFIGAkZ20zWBL7CC3%+43R1SD_%$7wzZa9JLnIYy zu-tFipJ>@_wmtk}70oV?*of6$3f?uhbeN%Wft8!aM%Nnr$73hQHX}gnUyFf z-8x5uu|%P`?n>Xjp)y>%3JJuwF*(L_H?}QijHFv_-vu;`W2JlIN;JDHH)rZMG}CKP z5_RV9xDtfU*CexIxqJzoMTrV6UtX4%?z~2Yejsl6+m=oS2CGj*?5^w6)`_r6=}HPzX>|;NspyvzkktA z4}JQet~}#h>|`P2sG(tJ(qbF4p@Ez$Y^l66-r~wF>yK=a_b|XxU%f%9p_=aou=oY4h*nY;Y>Oul zo<%X4FMrA`wLEq|HBz)Fj4LfY+r9Ivr+ld;X>*26!#}77&TG*DPBU%U#t!-diE>>l zzvOwkM6Yn^RbuHY9N>_}5GC&^`N#-UBDY>n8@e8qoy$w?kPPIVYh#f~F54{e^1Z7f zA>oM?r?}5jdHPU(*kaJkWcL2_KA*T`m8yN7Midkj6(wdo(gT@wy?QGZXO5j1*&zd# zXFv#KKD{SV4nNbDAd9h&^GI`OQzOvR7h??yg>p;t3=-w*r;rGmr~S*vfTN}#Km<>i z&6M4<6(d7gOu{{?#Kpy9hV)_yP2Aab>~nE(Q>R1Q66G*uWl=S&)`Bw2*rpY;ft^ZB z+?zAiCe3Ir=ylN?S#lUXcJH(E%JeL+to2f-o%AA39H`Fuj^w8q9?2Kpuk2eyd3JS6 zE-_qpKQxTafDO-?sf@tH4Gv!LrRAx>dzZ@LY2PN%M>HmT8nbY^4A(R10j(xO~gIK34NSlelj+rVjV!aiot74Fgwb z1=FT)6?TUOroUXfLFF)fcS(bKZnuQ`G}Impt!UQx7nM(kKbdf-S&1l8)zV^?4t1Amk*BvF%OgkkB4C|M4BtJ z45$p3MDX!f-(Kx(7?xsX#`$k;Z(r|EbuMDgorO+JhjeWl_$={>TrDMmcH@kR=D|1} zyvBfw#FK$T>82L0QRfHF@NJ8|Ad2-1Mjl;w(O#rZ=8ylGQFGziHHk#|bC=y}GN}BY z*@W9ZT`Jr5X(92;2N7n9aBmJJFki08LLDZ>>a}sBd%cc&-50|id$;h&&v-p~8<%aM z7-GQTb3!xP5qXNp&|R^|fcb$K(P*KN|2$72>mN@nyi+zN9R8yalt={B1Yscrmb z#Gbl(KhM{*zc$)L2xvwYgltV+P3;Ge<#<5 zAd8-}{d_8^1A1efA;!K;>nx3eRhVk#;&huf?TQ}lBJ~Wd*v;|AW`*%y-MInt?R%a4 z8tL*qN$v3ph3G9cAkJ}r4n;|$ptc2VoNJ&YQ#GL_YWJsW8Hp*D6^di~-mip){LI=r z2)WH)P1oHW(t5tg%@r@0Cw_Wjkxy7iO-pO7tZhn}aLqjQP11ab!+?sIzh8@*P{^|o z#AP`iui`daywItYzDt-3KiyHy7dYZNEBIS#FLALAhfe!rIg?i(P!F%Zav90ns-+1_;rsnWBNrC{U*sq}a%beI|1BKFwl`bY}(~ezs>5y@*YRiE_?b_p! z4kAXFkGN%4Y*bB8Zerp%ys19^Pkm^P+}LVxBEQqSbq~j3D>|&LFJ3NEFevMX$!gjv z=2Tx1u8J~wBRnL;F06(iqA=d|L)E;VAT=yzU%pjnq+?C4KY#vs+NMBUNrJliR+T}o zoOb>ltDPOEB{ZCBgL#GGn+3YLZ1LBMZ3uDSq)yJ5zlA zcq>WmC>Q3gNva;_6FX}gr`>`=M!Edbb#kjG-TOASnN;;z1Q`3F-YfxMjtB7=EyV81 z+;NXP?y8&2YE#7L`Hat)IG=iU+FBcV6*^!x8GEwVzMb^?`Z2XkKxwBr+l$rzlB$74F}0D#V6)8S$G|bi5puqBnMQ>&KDwFseEnqZ)Sx zVMM{PlV0c{{o{JNyGuw=Ts=>evR$dh@hEBHMrlT^C4(4WzIQ-WAR|wtpNx+Hy>_9Q zuTX0IMP!j((vGmmjbVapc>k^g+s^a~6+W(e+t%0wE(e653N+~yPCb;#qQAV+X9G-B zvncWba7B1P_u zzYBC*(}?J2vFKCd`S9hzj?VT1k*OPKS~<=2(J$F6oLH0lBJUc{5lVMcBAp*%kyl-J=bgU&yFd^wf=or}HS!qD zx$D^azD=!Zs{$u;oRhDqs{)5~NTPUY>9;NI44qs_P7aUCNiH)a zAZ#oK3X7`5jyH#nj*N*^g&^O#t{ykFk3WOU5>!;axdek4;IW-AmUenv+2drbOS-d1 zUf~<|-Kci5@_pBtn^IYEv%XxAGDOpIoCrd{;e08hplN#$_A7SEq1O9f2d$js(Ev6t)Q)UcgWU1EYnotNe*H%ykbr6&ax=t=FSG%ah$%O z1N2x!d4;2#FLJia<-P*Dt2FEjG0~wDuR&VE3@by#Jca1GCndeUi%?a#p(D`Y=;+xo z15&9sAsSCbDb83?#-BQtmUtJOP$%U_p%;zN3U3ywKYl6c zkJHN@+qwyN?tK)`=QQg)BSetO7iqveu?!4U)!Lc4Agjm1A0-gCT=|HmOInYoKb`6>=Ib+v56AuZUf=qB-8Ld9>PvMMnmSLYYBzXo2ht4RsGnG)$V3E!o$%Dk%DSu;@19c3vb@crU#~Wn!xkoTsFv; z){5s_>FW)Ksfs||q&i^fjBakV`EXuuJjp4nKW%>^Ez<)YgJ*?I_B=b&3AGJBU13Z> z;!k%)l2TGIDdpZ#LJ*g~wrzU+>sM5^?cfU!SF>48POSBn!U^X}VfKe#l!sC-j_o+& zv=0wB9IgrN*(4Rj9v5XWO%Y<7XkpP)0l~*_B`0u36q_K{@T6Rg`GO~D@5*2#Wxj06 z?D-|$BSwV7A`KPW3^Z-c z-qp^pn#ojGjtWxgdsqyDr|rp(m)+Wad)_Nt{RU5Xj7CAzPoRw=e!+Y~{(OJBItLf` z2M;_ucZm)^dOxVm*@}XZSqPOvZM}y+FZ;jY&S%-`G0Cs-J+Et5`jfREah+^8VMT@8 zdLAC)+tbgW3v!y93(=+WJozxI{6B{dO@MHqT4G5KR^TbUR_3B7=hi*rQav!BfE?a> zcIIq4W8gjf-P*4keA+Tgwc`=BQF)ma4QCD~?I4v-O;Rp+8mU z>}xD%Pi?e4VGp`p4O}5r)5$y19f90w2joO`8T`R?PgDAp{Pg`VKl)yTM)2b#v|E5_ zYaza|L>OZ1UY}KH=F z1^5AR=XRplcDaQdc}VY zNV;r?A9xhofC+g=QI>|tnlgh(7v{opi+$6Nw+a;LR<-MjD99-~*65x++h-&+2UbG- z_06|6aSpdMh658Z*|&x>c=E00Pu@!7!u4X>b4fof^Pg;SE;0V*V7~Z0^hy3(zqe1C zjV)etl8t@p>5L0g1+M3r)sm$d;8_}AQmv^8$);~hZaXNCU0PjbXdx;1!mLEnxzE1S zjIWb$(`xjGXop;o~~I!f`K)G!=O|&C^DcEwoWv!Yr{>kjR>hnCbXBK?~O@7F_Vc` zwJuA%lSf4Et@a)VGdf%W3Q8`DKRLvY%Cj3N)5NINLMtM# zB|WV$H@uMROm9k7mQ0k9>t{Lbo#gP|E$1fkg`oSI0eRAh2VOc>SXC>x7$RyT*NPZc zAV?#Ou4{=#x<>U3MtwVVi$D}fFK)1-7q|S_Mm0b@wc4lQzgglYa6UmHEY81;=i`SE z!)gMU)wyd=T)(OpGf_JsLO7`7sfCi$Lx+U| zfAO{Feft_sc+|Uso~6+kHZLamw7jyJR?A?X)tACF?2W#r_#+$JPRIqFP`_9WN(wF2 zdJEwMZO}i6hdc3}kR$cjY7Tls)~Ouk-W*I)d|`4S}88xrW=9*@E+! zJ%L!A#VdOjFXk7zP>t`3~Cb&8<~N{yyX3!rYBOW zT9&M@biQf+6vCRzBxA-6v}{x;n2bBY65-`(B^Q2867+UxyoGPvOW1M3y=mpd3^iDVj_`moo)EBf@?HaW-KmQ_=pm=O=vdPMofZNd@XY;{6*Sky{LFE z=1<@T+BNy~G?YCAZ4^~seRvwi=1EYu>b2>s?e^V^e*D;om4QcAHW=HQ^vzKe5s|81 zNv09z3P2RRUbb z9Lq}n?5#!6azHSOVAdlNxlds8YR1E7l8Zs@xq9aUbuOplT@D>~u(Wo;%!WTERl;Pb zxmv46nX6j8xG36{zdM!n0A1q6cA5Ptwe|gha!s(|(MZG${0xR6|FOtU5MQ6$>;4K1r+XhgVkJk!r%s2s5mlzdXJdblPdh($MZLK?$ z$@Mi+Y@t!uwy3x`Mt=2sY4WpK=kOo>_(*=W|=g<(TF5M4_^onRF2*H73q$n zSvhEJ74S7=^)y=2vibM5*MrWHc98D`_YFDD22dO-jjr9aXTl@(_4FQ!@$*dbCvs1C zy*pP&-Al(%+pKdv(EVe0s=@gK-d;>6I=>vU5A6)j_meX(qH24iO^=vFpk~JIRU^j7 z_{Cxldj`v zi;719HsDayQSWh><@XqGD|5Xo9$}jg7=kQ@PTsxK`0Pzo5x7|M1s)4+{+||zzWJRS zxDZT6<5jGwI-IJ{7~(94H!St?Kz~87TtCsK0@h%4|Is0dwrfUTq&v(VsB43TR^=UBEPEXc z8fE~Rv-HA~FUXo~j;i~TVI|Xe*Ag~k?VWNFfQ$8{&0bkS z|D+%Hj{U}NDCRVz0Vw0m){X+OzciAu#T}Pw4t*&ShgNJ%{h#7Y#kWH6arvLc%!~OG z0jvI?;+6rB_6YyicsS}Z?FD1$j?AYM?^BP`8a${6Xs9nk6u`S)nSM|DcAM3czm7^^ zXSvZi|M4PdMQyvT1JYV+_fq1f3WB!2L(i7UHs%m~wZGWHqmsj0n#1o2e36W9p$o4N zjfXfD&0pOyDTm1@%a#x~pR2{4k)_E;Q#_I{{f<8bl}t2|&2R1q8vu3-724$DxF_8K z3q$^+l_snGb=fpCD+kQ29AS%CMpHls68SEj1D~v-$V&#--Gcfm;PbK)c%^>dm4NH@ zgL$MWPQ&TB-Px>+x+ZAh3|zDemqAMixyK#!3xJ zW1vO8_R>>O#4xcgF-n6D2|(j)-UfD3zS`w;@G7*>aft-Mj}QQ|R_#0sf#C=? zfY51Z-cnb({##$Ot zOO5Rn?vjriMkV;$X;=XJvv1j`JSy(d@&+sSuhoaRmvA;|-bdEH#~n35bi>j(SXuH1 zRMOm6zIt2%%McFWNrthRTi;M3eG3RO1kXk61^^l3;J~!1)*}EmMCbzmTrPvS+!>BO zr-F?cLxdIqcu|9B3s1) zA~4aO1PqvEv#B=ZI^eK}j0dOIo~g;xPcXcE2 z6sH*x(2V)}et~Ie2Z)>&U?OUX7VSAA%bOdc%}Dhp$u0vYek;q$uj&+Fts| zbr==xi-d7Zcp#W!8MJj3r2Hq1FJd(v05qplpB@f$yQ~hn|13rKo!Bygdko%WieUNU zm29dv0Yh3W7{JYjsy>il$sczO-wDx7SXvm_yk2Sv(18()3Ha<(0Q_Svdy<{!=>g^c z(JnV9oyDNWr+L#ue^g~>t5dt$WauRqVmKk>3SbI?w_%RQLtMn7`k)n8f>_!DGlaMb z2ej|;x~t#ZLgF_!lVzh?A?^^nD&Ct6(uOMVJa%DN(sUz7nq=yFTAlGC#Vr8Sa(1v~ zZ8eioroV$1_mMBth}{OgUDBA4=dNZ|^A$JHV;(=nT{S6UZwg?>+c&coLEQP=M#3ck z*I-hHUChsaMezo1M2hrB8h{U}HMi>)xI^sHi=X=$4@e=}VYD4pa*rW8|f+JQOctVNGv_57CxW$2b|vNQ-;QcbdEUlPJFmKZ}}^s8T_g=Akt z%94qMFlA{$C5&b4B4rta%03kLIi-HD`+D8q>;3_^^Wx<-<{ajH&-Xm%`99D4^E~2= z3X)_jtVx}14n#C>&WbPxw@*6Z5ON)uL1edL7x0E=hI^PX(a8mn4T46a{%0xY^~M*e zPO_>QwrQfY`1Qn@XNS}k*M~Kppf)h9gz!ycKEf^)%a5k!=UctvrCYKE?MCbWR91=e zH->}^N!uYPTzBm`YCpxbs3Vv*gvOJ+Y96hPep7O%7(5XOH`c4yT5~; zQRoQ>I;J@}Lw*p4EHtex2cxqalX|@S!)HlEwsc$YooFx*_mb;mU_4qND(Kn7Qc}~7 za!Yx@SzWrLhE6yUXr0;pM*r$blMi0&6dp8Kx0ZOV*yHH(dA3c3a7i(xI6rWw=dOV} zjf#Q@hC;`p4`2LfX+3|UFef-}?L}1qdd3ZenKh^+Xyg7zxy&4rRB93Ll;VZHaT(&W z6ii1cCHJK&s^44b_}gg(M&oNpBcqA~AlZb6P#dnL*^w16F~oOqv2F#D z`%a)r1i&7gy2VrJ36bppc+4QHq8=_!u`V)V7~y#o2mT6bLP#DQmW4P-HA7Gt3OlHg zs2WjxVCmqHN>35gfHm0Cncl%OYNbk+5G{rTC}y4=Uvc2BsVon#0PU*gWt8D&*m;qW z@?^GE**_25x3wWUQFkF_h^7K;@tu1qIF^FaU~Ur-s7^;$OO!oc^G7Wbez^^g%(C>m z5FPosRmUNN{A+W+id^fT+yC>M#ad|-uZ;j5w8OIFqq%peyk|#=j_d>z0np5sc@hjQeGnM)mCA2XcN;{>8M53T8FSW0 z@rLfQEY^N?PCO;^{Mzo@-iA+#A`+Jn$%By47&GhHrSAlBh8h6X!#Yy#-=JT^+lf|} z>m{Q#Rc>z@Itb%AnuuP5G>z(!l+L5g-Ej9<9^IJzO?xnOf$9o^qklkj5-%=sBH^^3 z`*AvUw(7!&Hm+qA6b?8VntQU25Y%T<%@4@#=y>^-3AM8}fb6!L-BB89k*1i?hsZ&Z>#(F5B@(^KV8??lqUa1Mx;q?7R8~Bhv&~Kp zFh`j7;IlCSNBv9>m&)`GutP6W76BmK*yupBa@JaXc|RK+&=?Hgbe6lG9Sd;$rlV5s z2jMfn001`vD(`u`EAC=`=vcQNzd#evnP+5y4j|;p+9m31jXWbjH-T9lN>$2knirl{ z>a4>6avv_F_@+b86YJ*`bjSZ4Win7$EudH=D6-NVg_i;WQE%kuxeDm^1|1I6iAh}_ z8W0LP-_Bt6`ZdE(uktrAS`w3kiq8WPivYd)X(T-0)WVHwCqFbi*|mGO7O#Z9Ayju$ z@l8j&6F_F*1_YldeBuUB57}8-Cd$dn$FeN50PuGsFT=-LR=co1$Q$zJo z7pDDo(|nuKlRDna7xH(k!w_M_D-pVrEMw-fZA_f$Xv@%X;d)sb0=_2OrMIrFQ6WDr zJN2m*ge#kbRF8Rkd-uNV;rqb|0~6jY@30HacoQqB;yrlThe%|me0?m$Bbo{LH8R!@ zBTt9;GET_tcx;a@(Uq}@$-HX;glfmB>a}CnexfZ_gAlj@Mix*FlrmzJ8oH5YZP?E9v>HGM@BYTok zn_XSs*50}c+&DV-9de75b?8vk zCA|8ogb9rh+vwbfqmo-wBwc9(B6%QKf_l8U{%P;V`l}B8Nrn&$KUn=T`_NJ{$QY5f zwA@!R^;1)4oqA_<%@1ni&0k5(94Kd9$#`Yt=D8iqXrXi0w>;7%?aMP0J+j9cN((~e z*P8C@6EOA9A_l09i@EICaQI3 zhQ9E(tvmPznA#W3ss*4Re@d+M>y$+4+(unYn<*4tq#pI{sJ_U)m4_z-%6+a|EH*~e z2tPG7bAF(yv3+{Z2-IWub8?`JZLqd3zVi z*p#J1z2#I@Z)2xz^+`d7kyzyZSIUWI5qs0s^>1!3dbKIW!b|POmO-<2Hq{oormFEY z*T*jsp7@kYD(jK)-oVLe6fa{d@X=8o;fcSiZ@Lp;KHYb$ix_Uu4+?t9N@!-BXS9fK z<>SkN3X4dw<~B6;Ye{T9MUu(2Te2gs@DtLN-a^oL(b8f8NuG- z|N6eL4xL__63)2Pv#+g$U_Kq1+Ni6ruJEDXOD(t~)E(?6!b0HG$Qc=h>TS2ATW&KnY zMiL?4egaeM2IIOGba@dLVOfYSPY~zr7+2=2xL*cW=W~-z4OZ$dMP}*D_1t%l(T~D4 z)waAIp9_WLCT%7GR%T}%-f~2xc$FOq7aID)s%@zH*vqz4*?-M3UyjaO`|E2lX9qNh z2SMEqy|u6xCR^@Z2Ybe~w;OB%1%T&*u#kt~AXmr@rYUk;Njh7A0)+u-#5i=(rO@}# z(N)ENGKD4oXXtpgT~+Ydj<&9^T{%bWG3%y|IbZJEQC-i}r_qxlR-;zvci2i$yqPkZz#$Z2F=`Fs8`4hxMgGEnepc(?aJea> zHZ~hTc-}hz!#$9s;ZHYa#*`k&|C30u;cZ*TJV9XRB%n~^hzz7UTQzoK%Ir;^jPSjZ zaxgnE9Ra(vm2BV3(Y?(f!v+2}c^7}c5h;%D%?6z9p>fm$?RyKtv(bSB?J3~b+d`4g zY|Ef!uoE2F@bkbeYe;dRaOfxy%O`7)_x<##ASoh^@MFKW?;59HuYSJ?L-BhMehA40~tPGaFj6u(fFaJgl*%BK}de)%_tDf&$ zPtTX8%?%UwFG5*VWfV;Ul9K~jAjO5}#{LVz^92{?NYSgiR<}29+d7uFQGB?GeI3_l z_Mf#@A|;ZTHRG6Z=0ZC zE+}mOB_pG6OZELiBEqR4`N&_}!+YG7K+ONOZPNTLxA?6&LFU8bnH9D+Sv2thNvsH7 ziu>wV_@1%%by9Kkae^NxIgFgVH0FRbM$tr0P6eX~Uy>M%3I;Qx753;q4)E|gk From ae5cf7216666c5bec098169539317afa19562c9b Mon Sep 17 00:00:00 2001 From: Kate Osborn Date: Tue, 8 Aug 2023 15:14:38 -0600 Subject: [PATCH 25/30] Fix nginx-run volume name --- docs/architecture.md | 4 ++-- docs/images/nkg-pod.png | Bin 116210 -> 115292 bytes 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/architecture.md b/docs/architecture.md index 7df97f6b7e..c73a91189f 100644 --- a/docs/architecture.md +++ b/docs/architecture.md @@ -103,12 +103,12 @@ API to update the handled resources' statuses and emit events. mounted `nginx-conf` volume, located at `/etc/nginx/conf.d`. It also writes *TLS certificates* and *keys* from [TLS Secrets][secrets] referenced in the accepted Gateway resource to the `nginx-secrets` volume at the path `/etc/nginx/secrets`. - - Read: *NKG* reads the PID file `nginx.pid` from the `nginx-var-run` volume, located at `/var/run/nginx`. *NKG* + - Read: *NKG* reads the PID file `nginx.pid` from the `nginx-run` volume, located at `/var/run/nginx`. *NKG* extracts the PID of the nginx process from this file in order to send reload signals to *NGINX master*. 3. (File I/O) *NKG* writes logs to its *stdout* and *stderr*, which are collected by the container runtime. 4. (Signal) To reload NGINX, *NKG* sends the [reload signal][reload] to the **NGINX master**. 5. (File I/O) - - Write: The *NGINX master* writes its PID to the `nginx.pid` file stored in the `nginx-var-run` volume. + - Write: The *NGINX master* writes its PID to the `nginx.pid` file stored in the `nginx-run` volume. - Read: The *NGINX master* reads *configuration files* and the *TLS cert and keys* referenced in the configuration when it starts or during a reload. These files, certificates, and keys are stored in the `nginx-conf` and `nginx-secrets` volumes that are mounted to both the `nginx-gateway` and `nginx` containers. diff --git a/docs/images/nkg-pod.png b/docs/images/nkg-pod.png index 8fa7f6c3fd04aa5236457884e487e61b5be10d91..5f5804548017285d33b812a84d02b47869113b3f 100644 GIT binary patch delta 21227 zcmc({2UL?=w=NvFTiq5wYzPQ!QN)5EAiXLeA|fJ9x=NKQA_NTZ+Cgaw3Q~ih(m{F& z#X^x9dJ7OGNDv62CO`?uQd@(2;pH*Gmx^Oy zFI&1>Dz(RpTdwHVReG=a9h$qXJpL*wP1D_P`^#?4{g+?x-a_$y9>o)@_<_t*Cshi5ncddY6}*UP`t=wJ8$A8z&6 z{r^s*f88JTcl!GGTmALRztbr4e`i|%c2|*+|Gcl8R%XBtmQ2mec!eri)`{p_ zcoRzYAwmaYH+cle+4)#W+Xk(ma9p+YE&Sr)vCxJB_7Yc=3Rsuq-zOBd6&#*b}H}$D+!~hiP-XIk6 zD^7;Z@#ejIQ082}8ovY^zv6xJR|8h;2A;d6vw*@ntVU{6BkZlK*ozi9*^$9i*fzM>I1 z)V-4**{g%)24Cqp`0g4Qdc}|65R)B@r?a$P7Lnwj`!|rLJdw$Z}>Rwu9mVA(eb2&*clG~QuntajLAD);O*p{N47;71bv2N<|T3|^AGYa zz2R!xB3hu0*KpVa4^*=8pe#`Uh3fR6weZ+dt+nEJ;0B5ulkN%=t@bn#Vj5d2%2XH&cSC#t|mdyY!kR2N(J7hGuqoyR=A7TBh7oI2T`kh)ZQBhJO4R znEV#BDGC*rz&nEa=wN1TvQIngfHkE&C3pD7atvo{IrEZI40lCg2zRKuOPzQoS{T9>il+ z_o-PP`3;3?SAKt~yk@X~+#rbD7+NPh872rgDN5jDdFdloGBicIug_o0cl4k5I9>qk zN4ryVbJL??U`|fc5E@*zKd#kMAAB{X#0I^Ui2IITC?c6l+5RyB8PA zo@YUo5EATE@Z>{La7mHa?zUz3i}EDg%FJdkWM~M(WRc}>*CoLdeg+>F$LRlD`WEmq z`N^|q&z2k1)(yzASpRvQm(kI(%~YFGcPmZJA~!;b*`UPn&f~+QXNDAf2JB;;@x?d0j#S+Fd4*D*h#pZW8ScHI`xdMC zQf+dlkwMVBw!m+wylC(r_%IuYJ~oYx18@H6g6E^;lJNe>beKP z5S)&jFwG4O4(`b^ZOAmv5*{twKG+PE2TUPs&SWF>l@AnY>p`0@>qJ~ zX9}S-0(KY(+?@%~u-5iu&SJ~Sofg}@(|=qE0`l*461ugp=Vq$X(i?9MS9s^!HAYr) z4F%>}#V`9)-FuQ;O#6>KLsKnn3E>oi79$beG;j&`S-`eIpaf4KJGql0Se-{oSH`HU zV41zxF@Lw7$zp?QXT318?udn;%kfN!H>;(Oh3XqzdbJIkRof={cDC*Koj%cVXs`rv zi*I>e5bCs=q4D!QXNE@3eZ`mVlh47B+s%O)K}}vZFyMCS&3@Y1+3CxwqNm<)>k=P+ ztxFSolhQ^>)lI{TsG+HY`GX%_f)dfsC?(S8`wsXFU1ykYDOd7#<>A(nNm9G^Q83;W z{pAT#-_+w0g;iT&sNMKkFh52v*oz2h|C~2&#K$W!j!W;fBzO`$h=B%WhS#S{814o} zMtdlO#UYQ`xN|Y$R$^N#9;a)#Zk^oeZ4lJItNS3(GZ-}V zJLg!ION|6FC|3*Y8Xa1%G_|NtmeOaq=LWJ3*;GFR(9GPj)T%e7iyzPO?# z@SFEhV)wy*#i@2m6e8f|&>9>Z+;vG!db5zS7}4rMPG_^1Lwyz6G^~n~SL*PQOQ&hu zK9oaa!RH3dCMlfY9v&PFOj7+L>FRi@c#rc)rQh7>B2Q{jQBfO3s@aW3z|bc~ifyNd zkX*N-6RuIz8I7nWu|sj?bO&0MY@bnfM2|~vU8ntzxq1s~PlcEh7!(+~=y*%)Ztzml zb@{^tu?DGDGY@&s`N^^S&D!OlZ_*aF0&&0~E6=xY1QX=E*a5I%au2i$VI_8+I#Snm zai5f$%}q}a))owW+sn`o%tfr?_xrSu16_478s==V%qK0Vmf zvl&evOvN0KUj5i#?9$+m=D3n$bv<4l=$+@sdn%(3!94aGN{G;L*+}ojU-A5LAE}Sa_u3mz1D{^C<$JFJ9@NV+;65; zj@W`OHQxdHfmJk;WB>ad_1wk*%yUk!DAqqxdE~=)tY@8s&{GMH0a4mi-wE1L@g_9= z&!v%*$HMwXuI@qNj04n53kswVqLqte_dzG?$@cf4Kb1hQ?yW)Blw)%J`t>mK`su0G z<*sZwk{4yL_QOM3col6zunva~r<4@Va=11<;b4VE(xV#)RPit#)|!cbr9(g)#i##z zkUzS(?s8D_%?u5WG|n?!z}BM71p!k2U<`+G{Dj!=donHP-Ky%5E?GT!OXK(S?tvc95YEKYm>!FNf( z*?e**Fi>Dw=HasBoMi?0L_DNT?Pe_uoyfm4(8QNl!<^~lduYnoZDs6(LY>*Dqj|=N zj!^e%B@(n_E@4BgRi33-eGktkaT3UkRP`vvUk1H4MdY19$tdZlRrPV}*wS=sDrKZt zV~z2hpKp#|r z11a6-zq8QB>@s;r*x=?e+8~mODLOGExk{>ZqwsQ3~At_|Kl*&C)& zEE0VlyN%x4fT`WEkrvFszs}nno%ifra}xPDC$)|i63vrTr9Mv+^g z#vMxMLEti{E29{;oo{7bmmRY$t7L_RqhIBOdQY(gUHaBl_N}}8Sz0X}HCX`sZ-)nU zI2F?u-cjs@X}Gofa*&f=_nSMwTj)WF%7H;@f2LdMa7n&PUpRb1#kjFHhuA!m**leb zXJzuJP4STt->Isr<`q)p0&H>Pj&wKYYbT|54&{E(+d~~u@Kcr6$efgEe&X&X)qK;z z&f!lj&6ky>%5YkP-}9CYU!~^?q+kq!CV=_x$Pd6BovbWml)7)2+<7t#xGsYrr<>hx z#ywlTwB zjj0L7{VzxWz`tv1==lEZ96g7fa$ah^$c&XzeYldV$JW7p=LAynyAQ@aQ`EH0&^T#I z7Pk^U+s=V1QiW!;14P29A3iMoJ{%v(iy{Cs!z{XGBW(Mm6 zoe{A=G!W_ACpQheEKGCa8z>BwlC{1oQyA)S&c)_Z)S5w1$tAFMPZf*2q4jXO1XB(B zTuJwB_pK)_HH<{E|EFt)nBxs7_o-M^Y(W87B!|zr`w89FYYXN%g z?cVj5Ady|%2-7>QaCg$@DiOxRPQDC{RtWIKDxhu)4ZO*Z}5q_x9T~*gN@}ui11(LDnb5B zJ=NIAs1{@~^2_WD#3W8MLy1JC*FB1=*Gl{BmSXr_R?@qPxiZ5Eq6U~F38R51NMIv_ z7Jfef)1XDhvLhmJ&4*X;Yxd*s=1yV!^M95+&G?g@WuQLS(5?r`m<4t?=?sI-2m*pZ zs&N}o?PI_Qs;7qWDv8&J3dB&|*TSY*=eR+tz8Hh$4ee)xYUwNuft9bU45==Y%aB20FnDgO~11w|D{D?yujuxjS+! zV*Jr*#<8>@UY&lGiI3}&vmpVt>a41T;ge2RVr>WW69r=~RsidsTd|hlkDxc1E0c9V zfG61RAN^wzkce#z9<=}Rx>LA2m%Tr4Ep>bDC7 zwL1voFbMuoyxV8v$uo_S?^b3&Mg?{HHAoSmj?E1Y$&tQrHK$mVisuvW1*BB^8&}Tt zZIX1MxfoR6_6Fk*6jv^^E2Q-9l(X$a|~|o zsotCjwdz@NaJqSvp z+$1vB_Mi>`(&gk0J=V=%-7$Do6@G91sir25Ib?OMrY=Y*S_I!iV@NeMo7PRM;luif z%N7M{TflPq086`rcd-t3qBl@bYBbr2P@?Dmq3E==@7xbX`WXi`iK}H}HrRamq(ItZ zKF0pIE8`w&!lPdgojZ&iLIQ7Eiyik<6V42;A%!cX)aNI?u<{ZXezIdkf^&broB~2C zB;daqn+m7YOJc3!fzS2nR|sF3jLBj$9oNqtn#|>hEs>ki4XBc(xB5;|9`~$=7rNMs zzk0=gqc@?Z)`n<#*$wG6QJY*11Z}KmQZQ>^9xHLPRlcl;_MWvdK_*!;96t@;C)wvI z8(3I1xyDGAdbfyfbiIX#L}(R#Qh>qHpVn)hy)hAWol=Cc;~i&z^_$@x$u zkIl7z(QlCMdf$-#;!A3Jv-n((Brzku6@IeSHvE}T0_H+kpL-25^`?x{cC04}2mW^4 zjNzR7rqb7NbGJlTaPR_NMP{pclWA_au0)L_5ZHt}K2p!)nQJ6NkEijXM6B4uc(=(^ zeC=>exuTyU5_m@161;h3mF7b9DsRZ;9M)W^_{glN@Au%g;Nb#?M`6Sl;Ag^Q1M?P$ARD!Ui%&?zd|rR(*`7m6mF3hy1V|s ztIG9n-J-TY&U!``77Hbe_-h4ZZu<^_h0J%vj$WPXXnO5S(~s;Mqz>htVSeEPyu3nAikl{cHVCqaV{>y20%mSPU_#^vJT|UUhbKtCO-^CRRtPUu z?C4YANE!r6t$EY1in4I=g)`3*`^c=EL7I@*$((&YRB)Yp+05t|b+YJbOuZNKnwy(D z;4a~>sX|o zHhX9>Y_Qfyh2uu{|2Elohr+&toVD#;OJdt0UFpRpk@<>v<4$NP! zNsOs~k<_LAh;>+nrCIsGYV^n}9k;gWz83miOVQ7{S9w@L(B0MnBG646iqcJjLql+S zT%DN(R*E>FwEaTnQig3%Vph+);BkuZJsC+s&E{R%-4VNWKZ~G!c0Qs!h;R{ zk^96fcR40`X=(cVR7V9Q-613zI{Zn^mQR>cKDOJ32!tfe+W0%r4ZXHkaC$4er#jy<)V%V~vI47fI+u6f0RjPY}+*yQ7w@x{Q6w5PV!t3T}S&E?db%#@9vkEvPB3r^?ju3UN2 z9C^R@y9PZ^_E3T3c;#t{HZ^*;v+hA5zuMsCwt<+2gqZQV)Cm2MeA{!P1TLWpB$Q7< z8QKSEZR{Kj!Q_^W##sobI3wr0HDZLtC2Wk{OuAzoL$gYdyL+koN{1Ch;P1oLX1?07 zEEx-gsDQ#bu@)#O?l>R4-{#D`)+41gEx>~DF|IAQGf9y;a<$O9J~YH$bQq=r)Dpab zQM+BD`T&$L)hf(s=K*`CYz2wd5GD62sTKZykB_RJ$o#Uc?bn00hlFnovf9#3)Mk*` zr(<(aU7>Y*@PKjyHr^s#U)M;imM1^kwnS-$irKjxf8IfU1lZZvQcD?SGco9Tu*5fj zhBmsyo|@=v_6P+N8xhrjsAM>*)qI}`PG7aCUi>W0*Byc0_wq3IdqGIGAqAoO<5lZC zKYpzC{Jgvnx!qeTPoH7hE@a^4W@sZ3eu2td5B+%%yv znq^zPkavyMn~-%~S=#L`wA%R|M7(MIra9*zZrz}CB_7T8BH^j-f97=H>cRn%%8~%YL9Fy^%SZ|!}n;v-2 z&zLmj%*p2hz9M;$jym}%c_X8*OzqB@Pd<$;ljMT4L&5lHalDvmQa}QAu<9sWjrblc zSmUa5-)@67Y$Smp*-(n7Hx0aw^6!g%o~NpM+$M36Ns8#}_GP}Gk_aUZnQZ6r-Eyao34q=G)8NYD0=S@F99(8HLr{_1=U$J5~R;?s>jKOZ}G%j;JF z2+`QRB+2cwd2z`reGUDc@ zid{`m&UGuFx1{u#(xhGua5kAo`wp+_J1;Jc^NRzFVs=iA^}|XB!AjsJl*0J#C9Y0L zHbZF*H_QxA`rEkiJRYm~__msJ z2q7lmJ&w2B1V#mlINN@GdkYaq!hyn8n|OwU^5Sfl0%7Hof~YnKt5TD%;mW2{sI>}Y zkbHWv#sX&47FkS}sN1lS(K})2qrNmj>T=F8_;F&2^CiCpLZ7I@B<8VbBMqY<92>F2 z!WdDpmqe!kbCPKouQeC!@eyzS3di;##kWq|Fsw$t9QNqzfg5Z}d#cEV<@f z!1*Z2RH)fj2Wm6`g&TT6rLqbbK%j7QTwPLLO0z#HNfw^cDqXuWb3-+>_p8pctrq)IvjEE%E!K2r}n3nC(Yqz>M)oh~vY93hAf-0vG-%#cMB zeT>iYcguCGs}YwSGjvMvb*#J_-%NRfUidwL-}9YxDA-2_lsTnWF{BL z759$eOnOW8IWlg79pkhJ)zCKr#KxrLK*mooFMG-510nzp-vT$u>WxwvYLSS?$(-5(l^{^WW|UkzcL z-E}w-naS`RmY{}0a1tbhDLMB|6}W4?C$pHvNp3IeIGz)#=CNJ_bCv}fY4fkLTsSHV z9TEG%z5a#8e$23%9|=|Q0mO-u??8IN^6p9)x53_N2ZsYT^CW)fM`vKH`e}nJp~MYB z8CwWv0C)+uT_@ohLy>W==;+?`)Q}4!c}pg{%k3oW*Fd%)%$(ETFzZUT`I6_u)$YsC z*+A&^$S^!24I6N9MK#ci{4(MGfwyOF4rnW|+^qw>*Y{DIyYSV|vt?fdBrSp%r8~WD zNkQNFxL$sw_P90h675DMt>`TvX=4p`nRNvFWHr2W5sB-u0w#$d+Sm^v1egeJZa5XL zM)#rv)S5aAfZ@&qi6EG=5s$s2aWQt)NYjWb5zbH&`O2U##}Fp(S&1tew{zl!a)QNL?nMe{B%>&v7{;V%a}ap$XCik&HSi) z?;(%Q=?9I1FwAzY5imkolJ{0XvZ!<-0DVYUd}WS<+rXPT>(#buqN#ZR-NLPtyvE!f z7$@zU*?jO2=LJEc^2$2jr#Jwmj3Fvq{SVz zGu6dzgd?#}=`chAcgU(*{{*(u*XT%pO2FM^B;PTrrqO0?@xhqjXza&g$?NSfhroTP zhBqpAx#vh}YjxR?-RfGJVF6KdiG>mo2CP8ywY3FIu)>6U77Ufojt^_trt|F+=Qy z=m~Zd6WfVw+C-?62)uiy6VD&GWW(WH>PC>&SzZLQ<=KMx%fY19Q3;#9hVNDPnp%44 zYHET|rgCt;o@f2q*|2~@fETWU#OOur+y#h#L40&a(67IJ^U_xHhn}`96+i#MT3wQo zqm3Z!4uN|2Xtm`aFwGMp zU6NN6&V29_gycL>cVK1@ME0RNrfbJzwfx3;Nqj{S1*LeTD1JB%j$8*T#ly0*!_QRu z%`@kKh`><;(;-?u`@O|0H~6QtwT^>lOibQ0@apN7G*w=1ZgSGn$rIO}n{p)H9|D-o z`NSSOtY`pvx|sx`bQ6mQN{p14@#g^scn}Q4_K3kzaH;h!e)j@sAWAV1$V)8(R|-VU zdTl}OIIjy=9KmvmcyfV_j+~ERB2J806&>Ch=K;PN@*%$rPTzJbw}$p$zvO&8$o1ON z-CKJjraw#qeeC(8!G~hK2WAjpL(1|?jq>AJHtv`2`G63Q)Kk-<|2d)McJhEMX9SJ^ zgZ^!gmN2^BIRs|SK>o};_>0L+U>c)pnu9adk9r+EuW9_J7hNR+Ms+FrRKYN&OuP|@ z`Y)~1>VSRC76MAyV~u}wMl@7SV(Y_6j6MNaNKx-^pEC51e5cgQa(YQOCt^YNCm#S) z=+bl&TYc8c(|XGymUD+gMqy^B>j+}a$NeH({RIUKL1tNXh@XDU6vxeNdPxy?4hwTu z8INO`r<})T*?<@XHs@#T13~_Uyf!SpLpVp)JLyi>QcV4Gje7UCy!05oL{WQ_LSNwP z*#2bWW}4gl_OR;po)_%*FahLw=?(}aQURK~on*5CL8+^W92Qo z68V*Y#^$GwF@uABr{`EUL2@A6KF6`@|bpst3atTBsRQ%fw|5 zN0>dn&p@dB+{Qe)W2^B)f1%{7M)QF%4e!5nBB&RmFndwJcco_qKxGS^^U467%=P3Q z*auQriPHWf;1XpT&ZeP?YfT@{lOGXc+S(5rZ-5lL3&&e1XfV6fj3-oiE zX0BL+1^0-XQoc#7#zugIbW~v#K&&}dIQJ-OYxfU^kpGP+vJN?6Dd(t7xuP(iPtwaN z`VT1>_t$vgmMK*cJi`SzA3v0rtN_NSS}R)gUbH>nw@CWUj|B(s z_x<*KKQdVhwmy;###`fgB2?#{G&QHePI;)>y6(!%m5?Q1Z0+jDLHdt4-Mp)7wNjZr zyo?xToh=Sz&_YPzO5#K-XYP_GicoE0SA3!DV@$mHfM?$Mt@q74ijeowQY7aMr%Y+z zcy(-c{p@nL1z+X-Zx&qMf22pmkXu4A)LcG{fRx?&iwRECdw(UUKJ4{f9pD*Vl3U-$ zZ7lszmh&h8AA$2%`#J0|ZZq*PYh4HSLr7c52?qp}O7du{;9X<`nD=<AOVwtS$ZsJw%z=Jzk?G z@?13*Q&zp$G&R>x4NMd(Rtcy-0Ue*FW>0{-)v1kdJElC=KwSMS*e>=K+*f+e33qLC zKFaB@(GP!!Tj;Emzt#U57_xK_GD`U&{=hmd3>zmu9snyN`4{?Sn~WP{a)(mx0v#%2 z$eEIHS*Wnvz-&i;WIziOQ8+b}6!0uj^u^uXm-u-8xydH!FkJ=~4VA3p8V_l(KV`t) zX-CGb_z9yjy^HdV*K~AyfvxtvK3FB=aKs+j?5VHj?Fxl7I&IVKil3{xB#;Q!24?Xv z-hLA9UXVUva!Xqzo|^+SSFuztq@WKrdG|H#fWy*+s1oWPM1}wZ7??wD>$8eGQunrZ zXMliDemKkPkzw7<>uVsb|}SF(&( z((jfG-2dlH=q9#p74K46HZh-dD4m(FvZ9?{`TWJfXdZn?W?jDo~fQ&ZdfGIpUK#aA@k)vRl{Zhq~}Ak)%LmT>^67Y-iU4ZctTm zeAACNUp35E9WkFh(-LTZrV?_N^5`?eN_T0~u~hdG*s_Xu`gPFqT|n(sZx#kX+Ps)` zfQ6NGY)kN6%}C2qVF9vS)Tazc^4LhH?1gkKNNzH0@L8FWE!uygsgKQRnje|>MV6Md z=H}uCV?L|gUVI_x)Sm2*F0V5Py0(z65w9=spcPW-id@-S*ZilQE-y~?Nm$?g`Ofzz zUIGvSwTk=HtP52kOUxNhDb}X<0|HmYomERfW!gj8h7J`#_p1_xHpR7yA}sCfjOD}o z00XUHuTTR{ZJ);ln9T;8)~lKW+s4mLJ1e1@A5gUF!l&op+p{04EJ71LO#l zYy+fZ&#woAYJ))lQbivLfsEn<)2&~V=3ct7)~iwg;|{Vd@3<1h2dR}&pKPuik`Bf> zFAYLw(FHaWx3}TM!akYw#Fk`t>PVF>eHe{I08)}HQRw8}?t_u77+R?m6&*HC^-*wZ}6f?iV$IWejLN&beN7jv-Kar-ZK(bN^;(zf#-Eq`? znCbkWSlxIXft2DaL7f`xe}JYB=`Yu^Os-zt&t%Xe)|rfk7pW1UH7q98z}i~y-Me>l zfNZU8cGC<{#Cx-H-Zjgr1k=iW+(s9wa9Wy&rBj84V+Hnd1Ag144#0$|Msu9}7>7Jt z0+gl`hlC@|&U3$L(R>!XO!&+-RT*KY0qSP7Vp7EO`>ZjL7=CBEUy{x1qdqgy6G#y; z3@YIS?3`G@nECh~at8{gKYZcr04aot!D5$1DpAcZ5Kx05;rwc`vvDPBgkg|hB0S>D z4BK4Fnu~iP5mVMDh_Jaijd&()q-t;~*36JMdXJlel&*tAbBk<~FDVDOE|=q~8GQl5 z@n>rS7+T*iJ)JpJsSi-F!8X4n_D+p3?z6r-{Y6!&lKn9LY8Ij+>=jPy_o4bP?&l9Cm_XEZ4T)= zm7d`8p}2$+Eq)?zX=!>ub0F@nL&x~nmJ3ZgzMa!t1l(=m&wsi<%h2#P3<5W06EV*N z_RpVcFdrO$O!`{M9O_m{%b&L#OpIzBH-6&g4%sI@IL4Hc)3$ZE(owKy-@bEsBUMPI zpd-hSgTo=M{guOU8UL2xd>hhvTsQD@{iZ!8_(ynfI$)0?Ya}7S_G%Qx8pZDgB~onm zeiZf}6nh4#1675ghbL}BUkIETD)*W$Xclk815M2*g&XUZxYsag23N1Xriyo6NY}7S zM>NJl6g8hHz7zr#L3)Dp3A2QMaRsoD3h-0*bN6h~?^ovMn(zj6@H14r;Gb<@lXPCW zkv5RRWX7u#a?XII=~*4D-&nvqARQvLqdn4O^71+u4h2wy4TH?FTOIx7jwH+t`=d94 z0vTuy&++@ue%OzIKmO>4VPkxkU8g(4V;Q&IFXW#25nX@ngsZ~jW%tRQfBi$Da$W$4 zavpiEhGoT<(l#!p3l472eJgij$B{K$>FE1FqOGy#7#xl%X zn9W&|-$FJ*l;F%v93Y$nnUR1yi()gzwm4YG)RxUF>GZX|-@9~}^pH*rDP31odlD}H zcF^@_i;o1$&*#9c_HPpiArF}@#`D~!NvAk(r8fw!TfK}y_I!CFvzPwS{=}F8gtlr1XF6>KIHeo)+mTSMkdd(Y2-RmQtJAzJpZ@P1 z<+?F?>od~<1#_xdz;L7`EmJ{UBkg0^MwY6<^kly300orDw9>U2I~#Fvvpsm_CCxja z&MZ`Q)up)YJbnfNR4Qvs?Z=IrnZ+zn^ft;`pS7F^8Go=}d*-3bFuOQgeU+EF5ml02 z(}t*k638DrPHq8J3W9#4<>o{s%y@_=*s<$LIsw+-z2Zk3-@#QaHF>2#uPHr1`I)UO zL{idSN`05-98;;)%qTMXF9cRbTeYc6Fq4jqoycpm*$;%l08{|)*5|ijs*aYLFl~qd zTWVAFFJ{sFq|VUoc@lX*Ens$UpKUlZ;x097BPZVhAbwgu3%E!>)bMS*Go~gc^}}c* z?{V!In&ne#a^sPAM^oYE%Ig(D#eJo5ug60c)_3p zic%M10`|vPFEbM;tWihPI#|F7hXFOwZs$>@>A>0V#D=T|p86=H>%BH?9jHd{vU1Jx zKo6Xk;7)s?dUzv=mLz^2%iDf0#Tg&Y^;^U|c<^9(ol61;AJ%$_lt8FlBM%r0xXUHJTrU^!=`_?hcAY*}b!Vts<9OwQdTlA(0j& z!2N*Y^u6WQ964ixXzaQXcrezbuG0?&g3i68-3=I87(7W zMZ12-ttQ~2{7uUt)fJ>qlC|Wwv>NcG=8jY4DTV|r#)D7KDFI_$KRoCipycY7V8$~< z0bOH!7FdV9iMTsY0a-MJs6qqD_+e3H3?mfISaBcgxbvkn2dJRjCfep;mMbR3qrpG$R( z5ghEyqhR-$0Yx2_9Pxg|fdSP+t1OC@l~e_FXbvmc&@`(DLQj5j{55I)kf8rEUFYix zEQEbbPTYHFGgq+0bcYIb9Fse0^p%(`&T2e+_8cyZE~E}Ce-EYBKYOMR_=ize1lmA# z;84G_8Xi({Ge7r*#q5zddNdf)@r8v0>EEgV;Q7R$iZs9G;*%;Gqycl#=$MxW>V9CH z2F!LxP?`}Y2UzBmXSdyhkH2NHdRfg#y9Yr_r9%+Jj6ZTBM-a#sr|n8g8UKjk~M z2Yal+yko0D>p?g1Alz5&;*cX+r?O({>~#k=k=t0eM%$=$4_0NN&Y8f1tHUL+ZqSA) zW&4kxWI<5nvCr`GWss=yGdd7B27s~wx3u-LEhq=mol|2mZ$SZvCV_3gfzFNZI7%1z zU=v2Bt(>hnjC^Y~0axg&%n|2i9-v1(JZfTIp~U|`9182QN#0d81s{*Xq1$OL-pHK^~f>`NJ8v2eI^HH8|}Gq@R(JXM+E zu$r`svqUs;gG}@#O4GJ;5iRi0-a^%mk?wRa11w~wE|Y43m>dt@}>pEku!JlM)XY1eACMaH#rTz0F!! z$-{?KGiVXP!I+t9z>5a7x&{Se%v8$#Y1LK$O3WNo`)De_Nd|H_gB{w<*(=MWF=>^B zwHDvmYRqVwsopb)XI64K74Fzs`cWhz1AwUjoMmxne9a%VSyj~PA*DmS+{WKMX%~r4 z6hWT#@N^(B+*b|eZmum2zf;gy)T2$=99#yr2-@iE1%#U$gS_!bq*MXR7q)tl$oeh< zE6tkfd zz>gpiHwH2hwsD901u>Hl7Q3$@U@6!EXTzq+KevI=_W%TY8HO_vA%VAi54ubQ(h&#E_%<$8(9pTDW8g>& zXcp(-l5?r8yJ{M>wt0YT1)Nd!X1JYK65K4VC;?r&=fGofPeto6`r;))E&)XeP_q;$8o4~un*63dq-0cH@+UQ5!-jRJiS?AlZU4`K*yQl z$}Zj*gZWS=pMmCAtnuFX8$kC)fddNtVQ&u=9D@E*{dI3k-w`u#9px!8i_WZ&i!LX6 zYZ~9P22ch5qCqgg7yiQY>zhMhd-60WeC)Tw0CIrHo1f_#T;W(NW)uQrIxt$_nV+Jh zN2KaqJV|JiY%7Z%lQU<|?7AofwizrJ9~MUO&TOH1EHiP1OtMazmS*kGG=Gp&3|CpN zO4#R|K)x#5-2s{yaG2clgV2|#!Ph|^``s|ob|_^&Nx;=ui_O;2LsVFge{k=M66 z%a*4AFKf!n^}>5rtgVQ&3*y+paL=%MRsyXr-GMC_{REmf6x zWk%%_G#mdr&4JkF<37*j7ut1Dj)BTgsD3ZYs~xF&mf~oDlV__|^|#1oQfG7CNH)) zOcG7g%PV=i;>Tkd_h_c3eCd5Z&eUMn6{ref>y`m@3brLMJXoH-h3ChRI{@jKlqpy) z1HzuDSvqi#rnWRj{WfIVwn$mnFueKzm~B|R+IZ!At39|RlDP=oS@5Tg?9d0K4cWbf zK>`Hg1J`&Kq>Wp5New< z)*))m%B$RiU>L0vLrA&q0omI|JAglUJM8)okY5mbcYHz1s8yWUP0iHvA$n0F!b$@? zSA}drRKsmhtjxG4!I?dW;fWE;Tw3TW5lRCgq`A=KYLZmm4`;OnoZR|)flc#B5J)P7 zfwOw5>ZcchkRLT$b}z=`=I9_VZ-HxSYFhq=FzEmki;Hi2tnBC4)>1~F$;|INsPUw> z_G!KK2HBX8{OM=Dah&dksNl2S+Or+f0?Xvk=3>E ztFlGG$i&2i;Zb5;MFZ8R|KDK`h|=`zm?wxg;NcYu!y@2f+1qr1sMI?HL5=v0T=GZ3 z;Ug#~DQL<&6wyC-!Lvr@7k(l@kKKVKO3%)2LHB{HO74P46Pm*YfTCV0qo?OY&jD~d zKP-c~cf^o=vd2#!Si%Ur=kqoH?|zP8``*WR2dndqcXisqjbdOsr0<)mj3Xm0G03SXVY)!O!2#gSrc$_cX=rSoFu%dz;6+*DN>a?gjr{)6jW-l+`E&6F z%-}_#)RQ@v*xfwOXblLJeGmHvPR?;#rF8{{D#m<87_FY6`@AXp@XBgk)9#=&J^wAD zfch{1K`sbNN(aHl46JE_Yg2g&;|>t}D{3yJb-}|%j=+feSK6U(ct49CL{6z(OAQX5 z==Y4_Blt`Xec;{1KHI0nV}=H1cQBa(QSW}4)d>d|1Sl=X>JE@lORHc$nd~mtEi4i0 zm=8zb5kEt4Fz8U(sv`Cn(wOidqJMV?9t;lSKFPuAfS~=pAI~^=gF5X&Szu#+rmf8U z-d@m>pdfujKj{EB_eQP*yGZ(pAkW9n0lgjh_l^tz6iW8_C%}XM*OiL@i4y%&hrsmx z_x7v)y8nNag#+sH>+#=f^{p2Cv(F!L!T>+c_^NdY zINkx}*74o`A)aU zgQ&W)@`5-V^N;l&)IQNP3a*aC(uch8a2MMc(C-ukKnA~&WNH()7r(YHDP0Bl58%Of zeSHdfdP1CeX5I_r)l+q2#8+nasb_uor~gvsmvs%+i8@jjDWaRHLJTMsoU6OP1zM(s zVPKP?Ri=db<<%*9u!_OyO2NS%feZ1T%in{@I1DQ10Wjk|lRa6aPF;yG<17=mKwEeX zs+Nv`{fp&Mo|@NyK3T-~n@94cEYrO31|dW_2{Tjfj|O!?;C!CqyNeUtq=twHa6-ok zqSXc`V=zTk@Dv**YUS>{Dw=sU4wfB)Qe1E9h)RVIg^#(q6ao)^Ar5bFf(H%$dc5r{ zVIL^Res}uGNB+O$@Bi_sgTFchl@9suq<-0#{m*t4VP~Pi^8LR(cJUt*z}$*#s63@` zvE7S5=5pNzVJ=B&#nY!woI0g=>eR56>dlz@|J#Szs3$!!1$7%l`2XdXjJ;{wV2e6h Mmo#(FUVHGr0O#Ik_W%F@ delta 22152 zcmc$`2Ut^CyDuJRMjdrT84Cge3M$xOkS3w&fFL4GkX{r-kSZnguNdH&CLZ=Pp64D9T^*1O*Fd*AhY*U*!l zOTjx|KHRbWh-xNH{$XHw;5Ka+WNJ}2lD_qhV6Xp&{-tB*c5f@5-Tt=V!MO>0U81jP zuD9->!*JFOhh7t^h5fL7etyNxV(0p;p{y!12lIRNQ3*ANUgvB-{-ETSUypG*Dl?g{ z;Dps1|R=5X}6*0ox4qTiLv4?ifPKFI{ofznibCOiO-`&{&pY5hS> zpm%NUGS=5-llgu&6pi0@OnZHJCkmC7aJqdPYU%3b%a{FE91xcA)C9q;AYS4zl@+zKIh2G85vUBA4Ij#6j7*4820N8Fn^C}f;}em zLmAYiM2)1shF`*#=qG5rpWJ8uevvf$MKQbGhQY`xwCsI*aD9am`KM83_t_%200(RG z0EqU80D_n$QtzTrcWs+NTZ85NZ#m$J+?mc^`b$Imy0tF;0$%|Qf z_j>TjV2#ePj-Ywl~JQ-}Y`gx}K1BaYSu0eifRecRzB z6BENtC9Wr-#RPO^BOTn05tSZV>WVqyj*!);wE+yf1yZ4w%)&;TuRuO+Luf8Fw0_HM zF14JwklSP07mxp$GwdXfA9J(ryCV|@{3sjXHa zNgBO4u1D>?Od?V(>vPIRl3cN9RGcr9Q7- zNyq9Zbj)uE9o3Lr1%H>SWHiOO9Ps}cb-p_c+RRJV-S#(!87t=ot@_)e>c0<3R693# zy12Han901o!u^LGa=#$%%P7%SV7_9?qT1OxI8{qVlwmiPOH<6zA{88GWLZCNvJr4P zsx7~Ib&gaj0-hH|%|M|f(L!LY@=L&4h4G3@j^R@}%&n%maGz>6oojoslGjuwu0Gkw zqHR#g5BuuXTq6ny$LF&T`D#D?o`rZ7Nd<2HOH!`=@Cyc7Ce3s}lmI8gD8>yjUmgrz-D_*ifj+mmgaVUBnimOxs>h zqAoqoKXd+&C-4T6)~Twv=Sf3Lx#Kipe!mky2PSKbQK(Q=;3XvcSz9ydFP13ZEKxn%J> za7TOl@J#+{=bzZWB8vl!`|IPQ{_pQ&|Mq3{Uj_*NC$?{xfW5e|HUFX7c?arJDs*jo zrR|sB9Fg)xt{23y!|glIRxquobvp9|GgK0X&t;`w=>KsfajdtOC+;^3L=&wmu-LHzmu4>R;%QvX6PU&?m; z#uGoZFp_%lufYKqn*1L6q66BBQi2!cw822^ESeG-2}k@EyxfL=Lr@P?VMyR{{Q6DV z3S8iK?7>#(6@2^OtA7DZ;emZ?TiaL?YtuHr&3~yyxY%u?^^^}YlvhSoMTOdzA9sg& z<;s;}YC&yZ&F2m|+EE}>&83ZZQQ69~`^RI^X&l>7F9q0+e%6w;VVGx0P#nV}-QC^& zW%u-&unv8B&u``$-1OT@c^aHjS0_($5fVFe_^@iHg+lHyrP#W;-x{ZIVZi|eN{?CM z=`sAU7e&EysOyf#xDrOhi+DUMjbkDV{R`@n`*9c$ijmDRfyKpU0X3Bs-9KsdbPG4e z*b>hATLV~ZQC-U`x0;#{_}GTVFB^X$<1bw3K0uIZeK!w))D4qHW=d$z2QGq>Le zT*9GMG*USx1Tep%9!&lTwEc@pUx7IH2)M$^v_mCp~?=z zh_~aaW>O5#!!p;gCZm!&>K$^Ua5XRuaiWj5xXamyvt< z48O(31&QQ%vW_$9Bcr}DE?b6q<}BAGx-i08vpr|38?|X(vyp04ZEwCr?+e3U!~8-j zqpT_wSnrXu(CmKl zBeaSW@p#2{s1!{Qf>f9~kP1TSBYt90=Zs5kroO%*^m1dN(on@;dNwOv`*BM}^oV$T zfM0(yQzA-3Qz=%_WEPqCidIz_R=axMtg6W5Qy2XKzN_Ak-tR@hV%DU8#{~JOa+J%@ z?q65s`w5kt!>7muk;Q%Z*JPgmE4tQR4h2+%?$Ns z%vYw?)zx)$lD%jJUFlg)2Wh?H)qSZm5-o<=_f+&qBj=23&LB~RW?Zy-LS6?|uNns~Bz~v9QE>NFQHjTP_=tc1ejK<=$7qW< z1tI=ALJ1A?CHbpyanuqaY{?0T&Ab6y!x%bULK`LJStx#xRPRS zGFFy6F)<tMm!Os(DMdQo2$|;tFfa(B;_E_{UNxFe<%6yMH9dQ^tfXEg?4lle`5-<%@{4N+q%4pncPEp^mmgMxvGfI=D|}w0 zm^RNsFdjR-{xdZg=Om9!XA#Q5vxfON`iSM>o~oR&d*C*nqjw+l3lpLS_1Iph#Aaah#s$bp6U{ajdDO24aG4_P%! z`HKzsWih`hjBW))_YU-xEGSc^Bn4vRNns zRC>e@F}}`dtA$?9IGSt|ZSFQqgb!{?=jcsB{}KuxY!?7L#yiiqNb;@BtgQa{O(wW| zakC8xowD3=P|>&Obfb-?Oc&b*f~y(o07>&%JXr^S`Y=*-23+V7G2^B0Fx1by*wLz$GhD5axfNrLxr{nF^;?mXn#>(Pq7!$PivbBYUkpql|O|pL?D|I(yx)CEMrn>y{$1*cQ3SO#8VXnRi3Q8P4TZjw* zzimd)%<7sg*~`gUY}e8n6y(hqPA`7D8DT>BS!w{RfcW>XBgK|9=ay*#X|gVfTG>CB zt?Wo6z8%sF>>q(~?R*4$|3cYm$3svBIc5l6aIK7r?aj|2rn-k+2(@KesTXhXSxKGu zyH7~u#@+^r#SR0@wmzF7!jpx<+2mA`%&*!HQ}O=JO}SJ zPxn<0i`>QihgctPL zH$zE0$8WB`xu;wylRYD;2OPbi;I*iN7r=A{Q(V!`xwF8&JlIZSvAiIqQ*PFRK=V>6Cj^w9bBmUtGLz>+f`W!U z&wj?Z^JvC37_dm$HxEJ?RwI~!XKOId+nj9;r*8CC{*WyT=Bf3 zmKIg~xuEu7*&D5zNoO!M@P$L%^n6p6E12NR%>>0k5hVRI+QA`w_M@gbuH0d26+(%) zM-?%;fp#L8pr#a#E}dDOAHBtTnL+zKfCt5~J!nHigUC5Y*~|2(H1s>*94+UIi6XC; zJL-Uo=HcW-EUV-d2aB?G2X)GY?mM7&=<#6(($K7m6WHaOipKiskEP=Dg#)Bbdx{at zYiQ08-UJ1W$L3^fA*o{~J1|*jOqP#spo!u?egdhy5`;&p5K?4@?#`ZDzAmu$&?_IO z_sd~lm%~0f4Y*c0UimSXc0$ir&EL1#Z(~}D^ykSx`BG-Gl!=jO6+K;G3t6FH0=IYv zfJ=+e)t%u(-j^GjuMQA#*)z&|C7Rm@-lS&Q9i2%Hxsjt)9~-MGk)E!dslJeDngBxgbB(e34`*~!rA4wA9lm+3zUVG5cI{CrQOvwElhdz*zqg0V zJOMpYfsF3sxmquhonDngejBufMnBBw4aA6QP^&VfHJ>v~+ej``nbqmh2~1ufzRh?G zaLtz+pdf)Vsgi!0pQ0J1kx!Dg&zN0KB@aTU8uZ8clV$s7_rG)iYK(PLN3pbYLVguL8f6VH#{zsaF zROn?$vPXS z(*IKVmyt3N_ep#lasNY^muJIlK+(_!X7@U&efgfDuY{g~)G%5!!EHGHu+36ZhVX6r z17$|zWy|RUOvZdP_3q_Vip&_o?U)SDXz(y(_ie4wt=;4I|Z~WS#_RVdB|7t z)#)A!4QI+yghnccY5-uTWKCCUm{f@z?sa6ohH66&v+TsGEy!#KJU?T8Mxk!`3D50_ zeH?zW&29J>Aona8P%A<$eT;J-c|Osmk*X1`<$8<7Oa-Dv>X?<=#ohbjbSpfuDk?|i zmV(7SzQ30$82eyz*1BWJ%eu9Ulw!M>==$;dwysj|LJ^Vv?76b`a_*q+gj$t^fs4Slwkx<3XPuo%OPD>j zX!Z3rQ-WVZ9kHY<*853L$M!+t=KCNxFu(|gy>I>Nk`jzKRm^=fzmk>c*tx}A4OXbd zgkAm_zkmC7x!(ScZyz{KhG&Z;>jX{+dyEu^qv0-~neG%+(C0skt&u&wT|AtriB(&@9t8=ntI^`;X` zW{~ow{#TYEcvfF+AI~1nUWbOJP=J03VlP^d_>r&HF&{YQxppqE`-e7P;2fY&ITFTz z3?(;;uWM4Ka%N3xyB%&<(57|@6nygDH&34D7s5+cHA$zr#I4SI;`S+;y{aSB^nJ-G z&jySA`ke7$8ou(6RdS`_(SC$AUYdO|ps+mmI=Lj|y3qfW$YV8c!W(cKvaS~2+Klk zdQ|ozf_I(VXSMYxJjBN0jl5K%zptCTH$^*ldznjzk8n2UX`Gg?wBQ*!3oHje{CRc8 zJf8DT8YzGIm>@Pu+r_kZB@?k#qE|~Vl6NM(Sl@FkhlgMO1F-wA;!ms+3@?1(=i)-lv2~Fi?jv@>y=of9QsY~ z<%gy@3RA1Q_6bWZ&8T}3?~y@rEbqhAMBoaSg^x`#BARa{gIoJ^P8J$*byH3kdJx%h1sg{MKxgsUf|?gy*qx0 zX|+s$G96oVvhF;bBgk;(ZM>w=QFKQ*GJ#(U7V1+U3@ylY9%&W*!D5 zPI`&H8@QJF2yOH!Yu@>u+KU6uVDU&_nLo|W)^b^LLFcDfA3T;QR~QV}3o1Oq8TpoG z`eQ4xcoX=syHEBomPNx%UGRcJ-rh6XJwk#hUWE%Q_H8}Ln%?i>@$P-oRZ|^Qt9Ngi z;mwG`x3}Y-AQ5$)a#9KjY8`YN);@J7FBe#PNdX8xeds?W<9>+NN$=_@RhPt3u&P1v5(an6sEcS(~EixX)U{(YtHKs;BeN zNuNAHplX>Xjl3}&bBjpyKQ4GiyGesj_@=&Nn1f5+Z+&{rhoA#001{Eff(@|wLVGh8 z-+n&My^5!@P2y@iW{AlvcS>)43$Fr;3o4t=>wv{vR#;H$t7nxIUrhINIS@^`g#>x6R&(9Q!h<_n z-|Sw0lN#7qDOPprE&+|mK$p{G7x(t@zA&(6O~7QE%4J4gg}k{=%i{x1%~$)1nL&l< zt_f%#QwegXtQjz-F4TBg)&1dP-&7W@v_3H0Qjv|`?VdE!SZrI_p?*x!ebut`nO!a^ zFTY~%GY-Xz1xFDFc)L7$X5bEy`H)G+O%ssoG03XPXG@*m>-{h;U&`9P=)iS=M!3Xx zv52+h+H_C2DfwF}h}TO3nYKh+paAw%H5OR6)yG$lQ$g+E2zu@7McRaLsP!FQ>>VZf1w)9RV*LaO>Qxeq zU@$zyw8~DrS3?3U9pbbUXWm@&8@gHS+dk;Mu}`cSz(!S2(jNs2brN$rW#iY+l(g+X zxDr|I<5IPl^Dp3Hm6TK2Yg)IbFqA6*(SE$TvqB8uwS3QW5|gjTB4YN8Y>^*@&_-PZ z{LcuUA&fzNP18~UR=7AB?={+e7K!r5A%2Hx#)TDN4Z?wTugEFRv~cBMqqTs+z@@61 zjU|U?x1T*D-R#3)AnrEmrf`TBf(D~aN9 zuS64!v-RRBzuQa1s;$^PrT75*UsmX1^47Vc+Am`hQbnWPvkHmg$o-AQ!7uN33S-U- zTIsfQ?=a`s3F>usK?U;?|Hh!9sy?qc5x~Cj)p4bO!wqR(VTtSQ5jmKj_}!O_Lb}BF ziu)3ad(l$+HvUW+U&#&Yu9=+u5ur6q6lpg_RwykZRMP;rd-dc$z`P>JGq=53Wwe;M zBfy!592J+8c0|@L3Z79b$Y@BAAo$$q;}`*=)lyYU$4TeUp0!j=8I(REJ^nJJb6f1= zZGo$~o(VmV9wmgo>J>|WTE&^9X`UEcAdgj|^_7c=qFHgKy@^nn%Cr6U0d;Y!oxR$; z9E%xwN>T+FEo9)hGht ztIN~#fm(Nu3ZmatRsN{Ro6kOQa;ovkR+&^mxC=cooJE;Sw1PJb$`DW4V}zxCs>qP$ zV`D2kjUZ6?L)t{ILh&9$O~5H@bxq8r`pjMY1>Jtl1ndlD=S@aFqQzo-d!Cd~rweR+ zoljx*(<~`f5t<(H)#C_)SK*YS6z3~W&&;%dW)ROz=e;%?eh^}g>Y1;nnu45YG1KCD zSakub>*)%If9K|;I;XDB1)W~w%PzjpO5oCJi01vD)j*uol6TCSxJN zGt|YtC&(~or0|K~`26pu1`eO5$kM63gGNL34t-9)fKrh%C>6a7?0!sq4W%AN(!X?w zQyh6eI_|026KQK|X`ZfqId-9_?A~)3=Z!QIQx_oLpsb_1%cYh>(PitiZ3J^#(V5ZG z(~3fZFF-|O)f-yXhJ$DbwXph+U3nvxNL85@`B?9B3q3o9uU`U;$?=MOb{kWu>g7l= zftZyo{bMD-C{OHH-=}IHTj1}IF-ijgEKg{0b*@jgy8gDZPkD1;&D_vr4#a z=xg0(DZ4wAK~UK6J2vH|DymnzEgXu z>|(kzziUOK)lXnG9lft{-qDH^zeIV;^NNa}00rNPd5p zN9V!}ruI!iK++-W;4y@ueLOLz2mp_7C0=|Bq>{WB>tj^9dD2dt&2aXWvEr^eR?scZ=sEb#p%7@7s)Nlx}sgeACJoWS4q0 zjM#VXctQXB)L1o+0Mn$o#i`N)VJVCY#3{g?he1RoD7eo0#Hl>i{|d1TQRbM{%h$AV zAPH9{fmj$SmE-6%|IkgDN*k$P%~@HbD6Z*Wk69f&OfGZn5$?is6ncT=)f&V)7*k;M z`k?AB1aSFL%MJQvn5Sm!&lu^p%@_!Wxg=Q%Yg;in9v7>%f554-uUxUvl$266o>B^y zU?>hb+6EmFHT~MG+qoV*mOSoffHC<|ImuLz?UMz8J*OfJ0CVwm?H-s3TY>y?CDAw| z!`FXe&D6nPtKxuL#pH?B^8>&IJl1+KE@7MGZV@8Cx)uZrG2aae_M(#4;r8KPX;AT~ zqT*XmC)U!xbS3Pw-;L1|;zfi6`|>F|&E+@kd+t{5sI(=L!n86dp+QI7TNjO^<0RvL>CH)Io`20ao+GI^_Rl7 ztb7nif(Hsa@(sU6DI#ui^?KFPrV_D-mW(U18})9yx9=@VKdrzTeH}t#G!|~j?cnbt z47Qv#ukpxn?F-Hk-Ubb`YOG?h*mW$!dp^`>acB>s)sP4?mO}iZC&byDuVjN8Wo<*l z#02F0gPoiy&h(&9@;+b3a5B=wwvG&gpi#y#=Xa3Hi8#2=K{bWVAV!f zw^)|@a-vh~cRj6I5LZ8Z5AI;y4Y}xczlo}yu(fgcXIkvt^{niGp8!VyZprnBA$5fN z_xd<>R_gm~ti87yPpiLt9n0YX!72zXd55cT{Fu4J%4_w0o;V=0&|ZhWy9u81am!z_ z9p^WAex@zI`kKA68$U1tb+a^Vr2Wb#eGtmnDSy^)o_a!Ig_~XZuFXzk5>W~uuB~v~ zg5Vt@Gk76}=AO>+-;*fns**^RqfI%wCTsk$Z>XqdQkehNqsG0l9R3=mH}XvBx)EXC z!@$bsfFEm0^l_61D>VKCDse7$M^SkvKsZ5;!E-Z$g$2vmlnAsmrR?A zAfMGRH1w-Wv2us`WR=@yzPM|*JLfBIbZ?*T)-11!n#vvI$&I}UFAgoK+pD;#OiJbU zI8hJWJp zP|$s2eB+tqjPU2QB%KK7*=14$NaV&cd<*I6N}4Wfss%Q@HtwIhKEN1xMPu7 zvx>@zp4iL`2>}3=?1gJTTNYicHt$&}MHpZ8$R6Z75sEgx6(-^Qvp=IQVcC4cs-HLf z5C6hieV>{0v<1{wY~w7vWCTZ%R)Jw2&PY8M3-2u%p_C<_H`$lg{h~)+OL^zCgL=Zr zN*7QmD(@i1l(J&Ya9#wg-xU>`Tamu)mfGGT4qp-j_=b82t_{+|S}z@-DM8~7YSp2) z%hK-1Z-G2@aamxiOq0C4rYCla(gLxu+ulX}ufD*zdKqa*3^bKzp=+ukgjGXRGil~{ zEXd6hh6-w&Zs4)+rNoz%I>M5eqxf+=#6YX~<;XS+5a0m6xh>orh-4t^ey*mmS;q+Y))al*&%8gMZdOyV`2!288qJYoE}@{d43jXcO{AP~tw1|qq}qD6JhVGnJ71<=vvO;e z0P1U6Tk7hBrtk9y_`~)^=ZAo=z@oXtpLL+@sIBT69hu+urf)sv2jSk1-|WkznvbO7 zr7s97GV1Zb(p!o@pUyO|YrMC`tG8ieT!7ysa|@@NVFs!|$-Y*)5*G9N3c`>U6KMoUlqW@oVwg!hrm99 zHBd_xu+LJD)JPi3b$`eKHC@B=N2wr>`Ughz_UJB!#c%yW)O<*fR*1|NT5Oklx7>5R zoM&n~S1C%>3wL{+BD$ffvRs_^j~1EpfMUS7AGfY-qw}oF%b?Z+h6~8o7N}^x^x2Uw z(E};4#tA9~K|!szm}v*XI=qoOfTgRLeYs<=dqiQ<4>Ov)o)tGesz&ca5K`lwRNlO~ z*IlnC0nQa>=+FD2a{Exf)(kIU%8wCI_JH3ZBEOSK7wZMFrLZ zv-&b_D|4vZ-?o>7V6T8M*-$kh9DRy(fq=k*Ccfgp_A(V4sgi z1!i5s-D)FF_hNF|4j-I5NT{30`NtN+$CU7W> zc}7O(?$|#eSiuT7m}cZaL=(t2C^mw1xeYgh%3Lb_;6BSTvvQ;hz-*(U`|9AUWk^z{ zMP>z)FzaPIIY(%EyHj94NJtCrFtir_&R5_LAFS8omnMW}<@vmGIOfS(L?7^dl%maCAT18^{;-D)N#h>?o@)8R#ZMuo=j8mb^91D)AbNJlcv1ve^RJp3r3&RR$=l=u>vix_#D z(@AGB-Ej0fHd|~2;W2ONiF7JpRpSI=`z-Bcu2K3zF}zc)9P(gUx1K`@60S2 zRW79FHD7?cvqM^;_F$L4VjtM(eK7wnJiRT#p&JkU;*cvDSp)To1Udux10=bu}SxZOMmEEL9I zu)}L>W=L*1fKcRFS@ zH)A~tS{nY^&lUkKF%gh=E%}1a9dv&jLo{R8?t6#~9Y-Hr*l(>(GVYEqcOE{IaXp}D z@YeX_x@s`FM?e)teD!lgDu}{)=gj#yIj_wpFpuxNfN`ut|d4#(yyD(0*_E;S;^M{Ew7cSnh{(-N7+7DOtgHye6g{ z5dA{6`Emd~od@t6QD5p{8`I%=f)=9?vSj61LqE9b1o~DI#q4E%CTnx7e4mW~bb)_l@6uPF(!fy9Z`6)dRYLx2RdlrrLau z@>2mfNzw)KMjCnlxOHiHo-AX5UFr2+5i3;n@$qRI6L9K3h$OCSHDMVG!&0lFqA#@g z6uA^?xvs=Dm|K&~JpsG;;i(@jO2`&BZ>!StD;fr>Gqbo+zzH>0J9qP@k%aJBJF5&&b&qvFlFDAm&%;P ze$=aZ%vcG5#3}E>ur9n)oLw!$8I82?W@`;$s7hfa7~T{>(Lw-6>$F8uZI%U99W%QM zIssM(9SZwhoB7LKJ<0t_X!w=j4QwS5c`Q_6kn$?B1o?Gr(ptB5W!n zn^-Ag&eY8_D;EW%L*6!nJg4t9d-m)}b)n#kr!4%MM*L__E`RLaSqncVH&r-_@Y|d5;JzuSs z&L90zUjwpOL?~5IkelxiCm{Z9@5(5;Ss=5w{T*b7wkVwu6b#qB%K0ipGzw&{1ZQw`#RJ;uPC%5q4k)&_G$4`Up67r~ z^z=}*yT`(i?8XW;dWhgTKWIb;g>| z{aE^Ns(Gzv^~jwkXcfT4wfhwi8DaOy7a|-G=1YNjZQ75sy^DU`>cR-frl$Z(4nL^@ zX3Oz)Bjj0*W-kX}!*jpdov^fP(TX`|;sD2%lwEpJ03BJ1spu;kDmi2$rI@G~D`IYq zJ2%Lat*f5RF%%TEFkGvqGX1gLdRAv1G)@F%WODRs@!bHd!%us`GQBgnhIw;y9;FpM z`-@iSix+EoLKg)QtFDGCrgavReRiL&o{5bHUTu0H*LGsQER0OFOZzpUk}QDyG#rmQR}hrW+FH*>=YN}{Zb z&?2anY6{E$XmY8wZVoGM2906}7humL1+@lR12sQ7@wIC4J^JfEpd;cWY)mWa z^@#rov?*+Z7wVGp+?&7qp#YIg88Rr@pZ~DW3i%&JtA7(K|HF0&z~23<)(s*Mq}qXf z<9EsL#aD-DAZCC;+z|(TV&0?0YJ!4Rb4;d4#Q0*$$r2JR1Z{F`Fphe8D<~; zJM>97F?Klp^c<*xky(jda2se0426VEaJ66}cpLM$d)P2(VHcqTqZf;bV@qQe7DXH- zkVA(KiNn!uGPqQ5DblVwNfupi?+1<(V8iQbJWfdz2fGRrz2{z;$q;nU8JqnMTQNT; z%GUQy1o(cyr7C~p5O@5_HCr|UzM@rO4FW(!*)I5!IMY%52S5u>U92XAjsSjEoj; zuI#Ym?um8@4NE{beis6)#E%l%O2*WZU_|3^V_hX6!F@b!sdS#C$)}*Z9E>h zH$)N3Xv8yErhT5O`dZ(%h+~A{k`gKLJJa9$y;w*tNgD8O1RBqZX@|uX2nbLZ?+;1g zJ5u*4fFdQ9V>)SZ3rNL!_FWWIsAqye=C{DN zlh4g4blwsGG8Q8LKDV{V zS*(U_K|mSWs|vH+qt}oLKDxo4E-}{D_Qg0kB*v9u!<8g(C874?m^R@Em`wDL(%-$6 z&DzfEH-X+Ma6jK_s(T7rZH_?YU6|{+P$(2&JHgsG`b8{Sc zYQAv%S`uc&An>U4A1}~e&m+%9H9H_Nky1m2Sy@2{gO=_1d0%0*cr^l;&13NrghWg| zRJHtVz8lijRD590_K{q}$Wv6U?ISaE;QY+y0gAfB^7a{Ya9y$CGGv&E)-T1by+5S% zxr&xPl@zL{wc*xRF$_9;Tc{Zo?>iA+k5^j95%FcS4LD+ zJf^EAB5nbG>Qk_j`Cx|}5OovpkHhQ>+-5*6feWneE$4WPl?6U@YQolvZr9X2jAXxZB_;hH1y(67)`0?(OB@Ei_w8IJ~Ws;Q|=Jl~f6y&9}G*!~L)Uo|Lj@Rwg% zqw(C{_h|vC;#9U?;}o)L&68b>Fby~ammV18M^0sq=g?n-IECA5LrggZC{BR_;(`Os zc&UY2u+5)Ok4{9St$EWL7HoyJL%q22KO1eO6&@W(IyaFODXiI$kWVll+kw=Zs-E3I|S>OiE!oQ1Y`<>s_Wtq5XrE({% z3J>JO_GCc+xs<9#1B<;Up82|riL)@O`A&FtU>OZ5Z9XYfK|sD$0v~5OhUaysnEno1 z!Qn7Ymu~SWRZkd#MOm5Pk}>{uGvAdGDxBzZ8W@Qf?Ek$uHs{(hwTw)UA)oqBWm8{k zCoNrD+H`2P1Zn0-S`mQO10;q-oxiW zPZl>`&u$E_J_+{KDq;?3ZFG7A6+Cf#>HtpR_h@tffZurgmA0H{1&ckr0cH+s*j3pn zn@z-AN9SdTi59{0N54DaKyI5-zO<&NW?Lp>P(4**D-kvv>OU*InR!qQESEKoWe@6l z3tci{;5*OP7n0mp;xc}~v7@v#FE{GgdZyJ1bD+2C0#^b|m! zTUHCuPV1l@5Es;XpOF3MSLA?JYkUQkHo`bjxpNEiVir-L3aZ6hRQT0L;3mAQffZ5`QJd!gzax5h|z=(Gp9PV)x^V!vv zDBgSpDDQP3+q%V#+(ibJb{*kXz$UZaE1Y2%S&&zZ{eU~7>y);^*fR-is=T>5Q88oCePo?XmMSO&N0HpD zb@}r3_F`*W1hss)LvgAO0*%orrFuoU-s4+=EDE!CFoEC7YreuZVUXCL6QGrid?j>l zW9Dimcz?S6v(Q3_QF)HrvhSIXVL?^j>xwZo6<>D=Gi}}Kmtp*dP2@0~Z8Bb|Ik`@< zan&&b*xq^&51L1>H_)IcK-&n15yFts)rQ*Wr%MEQ3qg{dg zK`>In7c3d?RkBh6l-VR<@^9?(f9#B}-{U|@?twOJIpXR96s~zj2uq~`-xN{g2Ru`8 z&1Mfo6eZ85O&v+Br(eNRaJqapHKHP%oD8OEk_idMZmDSnEN!PD=$K$J<`viwrW$IU zF0oppJiAY?#QcXGvu5~ardeltn6Z{LFc3tESW_SDH=l5h4E)sQ*B1g!FEFeS=+HC@ z>rTOdWoVIjR2VxkeX7<1Y{Y^yHB2E;Zhm8j|-eqb7aMwE1RlJSXvqf{U)V-ten=vg9L`whY`{n7Fq~I{{Z(XG0-V2pXjsE z60~;iS8esA694y`^ql-mJZU}vc)1)x;En+4a&@Pv9K8ZkMSW@L322Sb(ZCh=-kjkQ zN^$cDP}Y`&14PBjz^qi$47=V4gF3gNrKf9X+Yr+EWPJ7O?GL=mXaQ`QVl}oworT0K z8u@yg8dPLxQ8fg%C!Bv5Ftctu2C%A@s$S;KiZ;c~W7Y!z+xl7(!`q?;6=#Q<%0SW>bo67`MDfyDDkKj1+Kf`S>~kPg7rU#D71PAd?v z_%c|M>rd@*g+PF92$0_ASn=}%8D83Jn7#Zbu*i4uBN|Z`fr4N5uErjS`yre z`=$n(`dYtK)z$e2QxPg?0@|gi#_#IAx%^B(4LA$!k}A~%x)uuzkpd%rrTTBp#o#~;cvK7g1`4aKAEOSCzjWB)_xt`kb(U+D7#gVDZZ12 z?yoW3(Bc3n98W7wq=_{LCBe1j{`lp@9Dcdg0f98w{u~k-gb}bgx8~_w>wZ+m z%B~LRE8rhHjCyG+M4OST!I#kHXE(v=GQm)O(79-ma5(-ePVjjrLE;Td&s~wIdcYvbk)GHg!qHIWtaZ#F3CSONgm4Rfd0*_LYPTa z4)5L`40NrX*x%E9qEr#$ZBzM&hwXTNa(U2X3yyh9et$~S|6+{&#*&8UCs@%1pZ<=2 zUk_mSAO8E2^xqZf{xGn&--0;+3&H=sm64~Bs6>dTo&t}1364Cu(nJ{WT^*8Rck)TH zix^wXPpRQ#2!er!?!ZKVJF`Z&{7yj-9zocL9xq~-uDgD%LjdBZ_Gjxs*wR9Q4R}?4 z4TY&GDS{+TkV^G0+|<|qID8<043euobia42-u3jC4H&#WOQk zjlnres=r$F_L7G7b7E+ha-GbpjaUGy6&mgwo{QC1BsmOtM25wNQKK z*JgoenVAitSc;+vWkqHM{;Srn#_P`HTqoe9E75##px8bNkzuFY=OW-Vv_e+nMVMgR z=%`Q34J6J=;5@Kd3vZuiU0_Ee8187?%7u{QI>^?neWBXK213u8@j3PYn{js<9In&> zdLWW@;YJ9%$rQ}25uUUpa@Omv+jE zK?oI*j{t$M_#*p;{SHp8Y*2GS|F>q%R?uYS-vR|EQUQTR)Bd@b33z+58o9!W3uNVQ zbm1f_K4c~ZY}_m0-6km}arbl3t^=n)M7SKt@uH`LC;IP`i2z`}+ld72q!rHj@k!e0 zgz#q44&8Ey={^dk3_ky(%Gf{K#`({V8ASf8;@tm*5g?G9#s2(<<-vdX2$27y={Pxd z*pqy|T7gwhn5bdHJ=FPzobE&5*sV*!pyN7c2DE&-F;Z8kRv*-;?!zbkS}B?NPUM=i zfcMvj;0%FF!N=f@#B9AXC$jW910td$-~-~ZtzQ+g$E zXPz9$o%L*4TYxhcJ6^3?opg6sY4m<0aAZ8HzW+O}<{@|d3E~(BzxwOz>&JnI zs>$l_{SvfpHn^`jVLNasfZX!AWl?W-zu&hrkISJOxT^Ejnk`#Qo}HgBpTF;C8dT+l zH>GcHnOc>#|NLB)Szn+1T9rI~*Fi=legji0 wBNJ@{11kdq<+ppProToL4BEhQY`V-LMpbDfm8?ruB|(;Wy85}Sb4q9e03z2*RR910 From 48e89127d915f85f81724a2ff81b54ad22ac4dd2 Mon Sep 17 00:00:00 2001 From: Kate Osborn Date: Tue, 8 Aug 2023 16:21:22 -0600 Subject: [PATCH 26/30] Remove STOPSIGNAL from dockerfile --- build/Dockerfile.nginx | 2 -- 1 file changed, 2 deletions(-) diff --git a/build/Dockerfile.nginx b/build/Dockerfile.nginx index 2293d61f1b..41c7a26d4d 100644 --- a/build/Dockerfile.nginx +++ b/build/Dockerfile.nginx @@ -16,5 +16,3 @@ COPY ${NGINX_CONF_DIR}/nginx.conf /etc/nginx/nginx.conf RUN chown -R 101:1001 /etc/nginx /var/cache/nginx /var/lib/nginx USER 101:1001 - -STOPSIGNAL SIGTERM From e8f0c58b1a47370d6bee050f36d70416473f7a01 Mon Sep 17 00:00:00 2001 From: Kate Osborn Date: Wed, 9 Aug 2023 12:31:35 -0600 Subject: [PATCH 27/30] Workflow changes --- .github/workflows/ci.yml | 45 +++++++++++++------------------ .github/workflows/conformance.yml | 8 +++--- 2 files changed, 23 insertions(+), 30 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 96eb132203..826391b8d2 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -202,8 +202,8 @@ jobs: context: "." target: goreleaser load: true - cache-from: type=gha - cache-to: type=gha,mode=max + cache-from: type=gha,scope=nkg + cache-to: type=gha,scope=nkg,mode=max pull: true - name: Build NGINX Docker Image @@ -213,8 +213,8 @@ jobs: tags: ${{ steps.nginx-meta.outputs.tags }} context: "." load: true - cache-from: type=gha - cache-to: type=gha,mode=max + cache-from: type=gha,scope=nginx + cache-to: type=gha,scope=nginx,mode=max pull: true build-args: | NJS_DIR=internal/mode/static/nginx/modules/src @@ -254,17 +254,7 @@ jobs: strategy: fail-fast: false matrix: - include: - - dockerfile: build/Dockerfile - image: ghcr.io/nginxinc/nginx-kubernetes-gateway - target: goreleaser - sarif-file: trivy-results-nginx-kubernetes-gateway.sarif - - dockerfile: build/Dockerfile.nginx - image: ghcr.io/nginxinc/nginx-kubernetes-gateway/nginx - sarif-file: trivy-results-nginx-kubernetes-gateway-nginx.sarif - build-args: | - NJS_DIR=internal/mode/static/nginx/modules/src - NGINX_CONF_DIR=internal/mode/static/nginx/conf + container: [nkg, nginx] permissions: contents: read # for docker/build-push-action to read repo content security-events: write # for github/codeql-action/upload-sarif to upload SARIF results @@ -300,7 +290,7 @@ jobs: uses: docker/metadata-action@818d4b7b91585d195f67373fd9cb0332e31a7175 # v4.6.0 with: images: | - name=${{ matrix.image }} + name=ghcr.io/nginxinc/nginx-kubernetes-gateway${{ matrix.container == 'nginx' && '/nginx' || '' }} tags: | type=semver,pattern={{version}} type=edge @@ -310,43 +300,46 @@ jobs: - name: Build Docker Image uses: docker/build-push-action@2eb1c1961a95fc15694676618e422e8ba1d63825 # v4.1.1 with: - file: ${{ matrix.dockerfile }} + file: ${{ matrix.container == 'nginx' && 'build/dockerfile.nginx' || 'build.dockerfile' }} context: "." - target: ${{ matrix.target }} + target: ${{ matrix.container == 'nkg' && 'goreleaser' || '' }} tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} load: ${{ github.event_name == 'pull_request' }} push: ${{ github.event_name != 'pull_request' }} platforms: ${{ github.event_name != 'pull_request' && env.platforms || '' }} - cache-from: type=gha - cache-to: type=gha,mode=max + cache-from: type=gha,scope=${{ matrix.container }} + cache-to: type=gha,scope=${{ matrix.container }},mode=max pull: true no-cache: ${{ github.event_name != 'pull_request' }} sbom: ${{ github.event_name != 'pull_request' }} provenance: false - build-args: ${{ matrix.build-args }} + build-args: | + NJS_DIR=internal/mode/static/nginx/modules/src + NGINX_CONF_DIR=internal/mode/static/nginx/conf + - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@41f05d9ecffa2ed3f1580af306000f734b733e54 # 0.11.2 continue-on-error: true with: - image-ref: ${{ matrix.image }}:${{ steps.meta.outputs.version }} + image-ref: ghcr.io/nginxinc/nginx-kubernetes-gateway${{ matrix.container == 'nginx' && '/nginx' || '' }}:${{ steps.meta.outputs.version }} format: "sarif" - output: ${{ matrix.sarif-file }} + output: trivy-results-nginx-kubernetes-gateway{{$ matrix.container == 'nginx' && '-nginx' || '' }}.sarif ignore-unfixed: "true" - name: Upload Trivy scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@5b6282e01c62d02e720b81eb8a51204f527c3624 # v2.21.3 continue-on-error: true with: - sarif_file: ${{ matrix.sarif-file }} + sarif_file: trivy-results-nginx-kubernetes-gateway{{$ matrix.container == 'nginx' && '-nginx' || '' }}.sarif - name: Upload Scan Results uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 continue-on-error: true with: - name: ${{ matrix.sarif-file }} - path: ${{ matrix.sarif-file }} + name: trivy-results-nginx-kubernetes-gateway{{$ matrix.container == 'nginx' && '-nginx' || '' }}.sarif + path: trivy-results-nginx-kubernetes-gateway{{$ matrix.container == 'nginx' && '-nginx' || '' }}.sarif if: always() publish-helm: diff --git a/.github/workflows/conformance.yml b/.github/workflows/conformance.yml index d14a18176f..be73862a7b 100644 --- a/.github/workflows/conformance.yml +++ b/.github/workflows/conformance.yml @@ -87,8 +87,8 @@ jobs: context: "." target: goreleaser load: true - cache-from: type=gha - cache-to: type=gha,mode=max + cache-from: type=gha,scope=nkg + cache-to: type=gha,scope=nkg,mode=max pull: true - name: Build NGINX Docker Image @@ -98,8 +98,8 @@ jobs: tags: ${{ steps.nginx-meta.outputs.tags }} context: "." load: true - cache-from: type=gha - cache-to: type=gha,mode=max + cache-from: type=gha,scope=nginx + cache-to: type=gha,scope=nginx,mode=max pull: true build-args: | NJS_DIR=internal/mode/static/nginx/modules/src From 318c72db162ddccf9c442b904a99aa2b2782613c Mon Sep 17 00:00:00 2001 From: Kate Osborn Date: Wed, 9 Aug 2023 12:41:31 -0600 Subject: [PATCH 28/30] Fix dockerfile typos --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 826391b8d2..ea5f16f02e 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -300,7 +300,7 @@ jobs: - name: Build Docker Image uses: docker/build-push-action@2eb1c1961a95fc15694676618e422e8ba1d63825 # v4.1.1 with: - file: ${{ matrix.container == 'nginx' && 'build/dockerfile.nginx' || 'build.dockerfile' }} + file: ${{ matrix.container == 'nginx' && 'build/Dockerfile.nginx' || 'build/Dockerfile' }} context: "." target: ${{ matrix.container == 'nkg' && 'goreleaser' || '' }} tags: ${{ steps.meta.outputs.tags }} From 6efadee90a4351bd550b0daa6f99b1d7c76e27c8 Mon Sep 17 00:00:00 2001 From: Kate Osborn Date: Wed, 9 Aug 2023 14:02:11 -0600 Subject: [PATCH 29/30] Fix sarif file typos --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index ea5f16f02e..35d8d4111f 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -325,21 +325,21 @@ jobs: with: image-ref: ghcr.io/nginxinc/nginx-kubernetes-gateway${{ matrix.container == 'nginx' && '/nginx' || '' }}:${{ steps.meta.outputs.version }} format: "sarif" - output: trivy-results-nginx-kubernetes-gateway{{$ matrix.container == 'nginx' && '-nginx' || '' }}.sarif + output: trivy-results-nginx-kubernetes-gateway${{ matrix.container == 'nginx' && '-nginx' || '' }}.sarif ignore-unfixed: "true" - name: Upload Trivy scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@5b6282e01c62d02e720b81eb8a51204f527c3624 # v2.21.3 continue-on-error: true with: - sarif_file: trivy-results-nginx-kubernetes-gateway{{$ matrix.container == 'nginx' && '-nginx' || '' }}.sarif + sarif_file: trivy-results-nginx-kubernetes-gateway${{ matrix.container == 'nginx' && '-nginx' || '' }}.sarif - name: Upload Scan Results uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 continue-on-error: true with: - name: trivy-results-nginx-kubernetes-gateway{{$ matrix.container == 'nginx' && '-nginx' || '' }}.sarif - path: trivy-results-nginx-kubernetes-gateway{{$ matrix.container == 'nginx' && '-nginx' || '' }}.sarif + name: trivy-results-nginx-kubernetes-gateway${{ matrix.container == 'nginx' && '-nginx' || '' }}.sarif + path: trivy-results-nginx-kubernetes-gateway${{ matrix.container == 'nginx' && '-nginx' || '' }}.sarif if: always() publish-helm: From ef3bc13f4a9614139ac601044f2ad14344163ecb Mon Sep 17 00:00:00 2001 From: Kate Osborn Date: Thu, 10 Aug 2023 10:12:04 -0600 Subject: [PATCH 30/30] Update apk --- build/Dockerfile.nginx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build/Dockerfile.nginx b/build/Dockerfile.nginx index 41c7a26d4d..6053430cbd 100644 --- a/build/Dockerfile.nginx +++ b/build/Dockerfile.nginx @@ -4,7 +4,7 @@ FROM nginx:1.25.1-alpine ARG NJS_DIR ARG NGINX_CONF_DIR -RUN apk add --no-cache libcap \ +RUN apk update && apk add --no-cache libcap \ && mkdir -p /var/lib/nginx /usr/lib/nginx/modules \ && setcap 'cap_net_bind_service=+ep' /usr/sbin/nginx \ && setcap -v 'cap_net_bind_service=+ep' /usr/sbin/nginx \