From b0011607892d3710b229d24da3244fa35eb6e97b Mon Sep 17 00:00:00 2001 
From: dsvetlov Date: Sun, 27 Nov 2016 22:51:26 +0300 Subject: [PATCH] Search guard integration (#58) * ### * add var node_name for search guard * add search-guard conf * add search-guard conf * add search-guard conf * # For Search-Guard * add search-guard conf * add search-guard conf * # For Search-Guard * # For Search-Guard * # For Search-Guard * # For Search-Guard * # For Search-Guard * # For Search-Guard * Create gen_node_cert.sh * # For Search-Guard * Fix version of elasticsearch for compatibility with SearchGuard * Update main.yml * Update main.yml * Fix SG * Fix SG * Fix SG installation script * SearchGuard installation script fix + more integration of SG and Kibana, Logstash * Bump versions of elasticsearch and SG to fix some bugs, more SG integration. * Some ideas in comments * Fix tests * Fix tests --- .travis.yml | 7 +- lightsiem-install.yml | 6 +- roles/elk/files/elasticsearch.yml | 452 +++++------------- .../files/example-pki-scripts/apply_config.sh | 9 + roles/elk/files/example-pki-scripts/clean.sh | 8 + .../example-pki-scripts/etc/root-ca.conf | 102 ++++ .../example-pki-scripts/etc/signing-ca.conf | 104 ++++ .../elk/files/example-pki-scripts/example.sh | 6 + .../gen_client_node_cert.sh | 66 +++ .../example-pki-scripts/gen_node_cert.sh | 65 +++ .../files/example-pki-scripts/gen_root_ca.sh | 76 +++ roles/elk/files/kibana-config.yml | 12 +- .../elk/files/logstash-conf.d/99-output.conf | 26 +- ...ty-tcnative-1.1.33.Fork13-linux-x86_64.jar | Bin 0 -> 145515 bytes roles/elk/files/sg_internal_users.yml | 14 + roles/elk/files/sg_roles.yml | 57 +++ roles/elk/files/sg_roles_mapping.yml | 23 + roles/elk/tasks/main.yml | 143 +++++- roles/elk/templates/99-output.conf.j2 | 26 + roles/elk/templates/elasticsearch.yml.j2 | 165 +++++++ 20 files changed, 996 insertions(+), 371 deletions(-) create mode 100644 roles/elk/files/example-pki-scripts/apply_config.sh create mode 100644 roles/elk/files/example-pki-scripts/clean.sh create mode 100644 
roles/elk/files/example-pki-scripts/etc/root-ca.conf create mode 100644 roles/elk/files/example-pki-scripts/etc/signing-ca.conf create mode 100644 roles/elk/files/example-pki-scripts/example.sh create mode 100644 roles/elk/files/example-pki-scripts/gen_client_node_cert.sh create mode 100644 roles/elk/files/example-pki-scripts/gen_node_cert.sh create mode 100644 roles/elk/files/example-pki-scripts/gen_root_ca.sh create mode 100644 roles/elk/files/netty-tcnative-1.1.33.Fork13-linux-x86_64.jar create mode 100644 roles/elk/files/sg_internal_users.yml create mode 100644 roles/elk/files/sg_roles.yml create mode 100644 roles/elk/files/sg_roles_mapping.yml create mode 100644 roles/elk/templates/99-output.conf.j2 create mode 100644 roles/elk/templates/elasticsearch.yml.j2 diff --git a/.travis.yml b/.travis.yml index 4d58399..109d47b 100644 --- a/.travis.yml +++ b/.travis.yml @@ -36,8 +36,11 @@ script: # - sleep 100 # - sudo docker exec "$(cat /tmp/container_id)" whereis java # - sudo docker exec "$(cat /tmp/container_id)" export - #Logstash + #Logstash Cisco - sudo docker exec "$(cat /tmp/container_id)" netstat -lnup | grep "9020" + #Logstash Ossec + - sudo docker exec "$(cat /tmp/container_id)" netstat -lnup | grep "9000" + - sudo docker exec "$(cat /tmp/container_id)" netstat -lntp | grep "9001" #Elastcisearch - sudo docker exec "$(cat /tmp/container_id)" netstat -lntp | grep "127.0.0.1:9200" - sudo docker exec "$(cat /tmp/container_id)" netstat -lntp | grep "127.0.0.1:9300" @@ -50,4 +53,4 @@ script: - sudo docker stop "$(cat /tmp/container_id)" notifications: - email: false \ No newline at end of file + email: false diff --git a/lightsiem-install.yml b/lightsiem-install.yml index 17bb5c0..3c34b2b 100644 --- a/lightsiem-install.yml +++ b/lightsiem-install.yml 
@@ -1,6 +1,8 @@ - name: Install and configure Elasticsearch, Logstash, Kibana hosts: localhost sudo: yes - gather_facts: no + gather_facts: yes + vars: + - node_name: "node_name" roles: - - elk \ No newline at end of file + - elk diff --git a/roles/elk/files/elasticsearch.yml b/roles/elk/files/elasticsearch.yml index 0c9be77..bdd7318 100644 --- a/roles/elk/files/elasticsearch.yml +++ b/roles/elk/files/elasticsearch.yml 
@@ -1,385 +1,165 @@ -##################### Elasticsearch Configuration Example ##################### - -# This file contains an overview of various configuration settings, -# targeted at operations staff. Application developers should -# consult the guide at . -# -# The installation procedure is covered at -# . -# -# Elasticsearch comes with reasonable defaults for most settings, -# so you can try it out without bothering with configuration. -# -# Most of the time, these defaults are just fine for running a production -# cluster. If you're fine-tuning your cluster, or wondering about the -# effect of certain configuration option, please _do ask_ on the -# mailing list or IRC channel [http://elasticsearch.org/community]. - -# Any element in the configuration can be replaced with environment variables -# by placing them in ${...} notation. For example: -# -#node.rack: ${RACK_ENV_VAR} - -# For information on supported formats and syntax for the config file, see -# - - -################################### Cluster ################################### - -# Cluster name identifies your cluster for auto-discovery. If you're running -# multiple clusters on the same network, make sure you're using unique names. -# -#cluster.name: elasticsearch - - -#################################### Node ##################################### - -# Node names are generated dynamically on startup, so you're relieved -# from configuring them manually. You can tie this node to a specific name: -# -#node.name: "Franz Kafka" - -# Every node can be configured to allow or deny being eligible as the master, -# and to allow or deny to store the data. -# -# Allow this node to be eligible as a master node (enabled by default): -# -#node.master: true -# -# Allow this node to store data (enabled by default): -# -#node.data: true - -# You can exploit these settings to design advanced cluster topologies. -# -# 1. You want this node to never become a master node, only to hold data. 
-# This will be the "workhorse" of your cluster. -# -#node.master: false -#node.data: true -# -# 2. You want this node to only serve as a master: to not store any data and -# to have free resources. This will be the "coordinator" of your cluster. -# -#node.master: true -#node.data: false -# -# 3. You want this node to be neither master nor data node, but -# to act as a "search load balancer" (fetching data from nodes, -# aggregating results, etc.) +# ======================== Elasticsearch Configuration ========================= # -#node.master: false -#node.data: false - -# Use the Cluster Health API [http://localhost:9200/_cluster/health], the -# Node Info API [http://localhost:9200/_nodes] or GUI tools -# such as , -# , -# and -# to inspect the cluster state. - -# A node can have generic attributes associated with it, which can later be used -# for customized shard allocation filtering, or allocation awareness. An attribute -# is a simple key value pair, similar to node.key: value, here is an example: +# NOTE: Elasticsearch comes with reasonable defaults for most settings. +# Before you set out to tweak and tune the configuration, make sure you +# understand what are you trying to accomplish and the consequences. # -#node.rack: rack314 - -# By default, multiple nodes are allowed to start from the same installation location -# to disable it, set the following: -#node.max_local_storage_nodes: 1 - - -#################################### Index #################################### - -# You can set a number of options (such as shard/replica options, mapping -# or analyzer definitions, translog settings, ...) for indices globally, -# in this file. +# The primary way of configuring a node is via this file. This template lists +# the most important settings you may want to configure for a production cluster. # -# Note, that it makes more sense to configure index settings specifically for -# a certain index, either when creating it or by using the index templates API. 
+# Please see the documentation for further information on configuration options: +# # -# See and -# -# for more information. - -# Set the number of shards (splits) of an index (5 by default): +# ---------------------------------- Cluster ----------------------------------- # -#index.number_of_shards: 5 - -# Set the number of replicas (additional copies) of an index (1 by default): -# -#index.number_of_replicas: 1 - -# Note, that for development on a local machine, with small indices, it usually -# makes sense to "disable" the distributed features: +# Use a descriptive name for your cluster: # -#index.number_of_shards: 1 -#index.number_of_replicas: 0 - -# These settings directly affect the performance of index and search operations -# in your cluster. Assuming you have enough machines to hold shards and -# replicas, the rule of thumb is: +# cluster.name: my-application # -# 1. Having more *shards* enhances the _indexing_ performance and allows to -# _distribute_ a big index across machines. -# 2. Having more *replicas* enhances the _search_ performance and improves the -# cluster _availability_. +# ------------------------------------ Node ------------------------------------ # -# The "number_of_shards" is a one-time setting for an index. +# Use a descriptive name for the node: # -# The "number_of_replicas" can be increased or decreased anytime, -# by using the Index Update Settings API. +# node.name: node-1 # -# Elasticsearch takes care about load balancing, relocating, gathering the -# results from nodes, etc. Experiment with different settings to fine-tune -# your setup. - -# Use the Index Status API () to inspect -# the index status. - - -#################################### Paths #################################### - -# Path to directory containing configuration (this file and logging.yml): +# Add custom attributes to the node: # -#path.conf: /path/to/conf - -# Path to directory where to store index data allocated for this node. 
+# node.rack: r1 # -#path.data: /path/to/data +# ----------------------------------- Paths ------------------------------------ # -# Can optionally include more than one location, causing data to be striped across -# the locations (a la RAID 0) on a file level, favouring locations with most free -# space on creation. For example: +# Path to directory where to store the data (separate multiple locations by comma): # -#path.data: /path/to/data1,/path/to/data2 - -# Path to temporary files: +# path.data: /path/to/data # -#path.work: /path/to/work - # Path to log files: # -#path.logs: /path/to/logs - -# Path to where plugins are installed: +# path.logs: /path/to/logs # -#path.plugins: /path/to/plugins - - -#################################### Plugin ################################### - -# If a plugin listed here is not installed for current node, the node will not start. +# ----------------------------------- Memory ----------------------------------- # -#plugin.mandatory: mapper-attachments,lang-groovy - - -################################### Memory #################################### - -# Elasticsearch performs poorly when JVM starts swapping: you should ensure that -# it _never_ swaps. +# Lock the memory on startup: # -# Set this property to true to lock the memory: +# bootstrap.mlockall: true # -#bootstrap.mlockall: true - -# Make sure that the ES_MIN_MEM and ES_MAX_MEM environment variables are set -# to the same value, and that the machine has enough memory to allocate -# for Elasticsearch, leaving enough memory for the operating system itself. +# Make sure that the `ES_HEAP_SIZE` environment variable is set to about half the memory +# available on the system and that the owner of the process is allowed to use this limit. # -# You should also make sure that the Elasticsearch process is allowed to lock -# the memory, eg. by using `ulimit -l unlimited`. 
- - -############################## Network And HTTP ############################### - -# Elasticsearch, by default, binds itself to the 0.0.0.0 address, and listens -# on port [9200-9300] for HTTP traffic and on port [9300-9400] for node-to-node -# communication. (the range means that if the port is busy, it will automatically -# try the next port). - -# Set the bind address specifically (IPv4 or IPv6): +# Elasticsearch performs poorly when the system is swapping the memory. # -network.bind_host: 127.0.0.1 - -# Set the address other nodes will use to communicate with this node. If not -# set, it is automatically derived. It must point to an actual IP address. +# ---------------------------------- Network ----------------------------------- # -network.publish_host: 127.0.0.1 - -# Set both 'bind_host' and 'publish_host': +# Set the bind address to a specific IP (IPv4 or IPv6): # -#network.host: 192.168.0.1 - -# Set a custom port for the node to node communication (9300 by default): +# network.host: 192.168.0.1 +network.host: ["127.0.0.1", "localhost"] # -#transport.tcp.port: 9300 - -# Enable compression for all communication between nodes (disabled by default): +# Set a custom port for HTTP: # -#transport.tcp.compress: true - -# Set a custom port to listen for HTTP traffic: +# http.port: 9200 # -#http.port: 9200 - -# Set a custom allowed content length: +# For more information, see the documentation at: +# # -#http.max_content_length: 100mb - -# Disable HTTP completely: +# --------------------------------- Discovery ---------------------------------- # -#http.enabled: false - - -################################### Gateway ################################### - -# The gateway allows for persisting the cluster state between full cluster -# restarts. Every change to the state (such as adding an index) will be stored -# in the gateway, and when the cluster starts up for the first time, -# it will read its state from the gateway. 
- -# There are several types of gateway implementations. For more information, see -# . - -# The default gateway type is the "local" gateway (recommended): +# Pass an initial list of hosts to perform discovery when new node is started: +# The default list of hosts is ["127.0.0.1", "[::1]"] # -#gateway.type: local - -# Settings below control how and when to start the initial recovery process on -# a full cluster restart (to reuse as much local data as possible when using shared -# gateway). - -# Allow recovery process after N nodes in a cluster are up: +# discovery.zen.ping.unicast.hosts: ["host1", "host2"] # -#gateway.recover_after_nodes: 1 - -# Set the timeout to initiate the recovery process, once the N nodes -# from previous setting are up (accepts time value): +# Prevent the "split brain" by configuring the majority of nodes (total number of nodes / 2 + 1): # -#gateway.recover_after_time: 5m - -# Set how many nodes are expected in this cluster. Once these N nodes -# are up (and recover_after_nodes is met), begin recovery process immediately -# (without waiting for recover_after_time to expire): +# discovery.zen.minimum_master_nodes: 3 # -#gateway.expected_nodes: 2 - - -############################# Recovery Throttling ############################# - -# These settings allow to control the process of shards allocation between -# nodes during initial recovery, replica allocation, rebalancing, -# or when adding and removing nodes. - -# Set the number of concurrent recoveries happening on a node: +# For more information, see the documentation at: +# # -# 1. During the initial recovery +# ---------------------------------- Gateway ----------------------------------- # -#cluster.routing.allocation.node_initial_primaries_recoveries: 4 +# Block initial recovery after a full cluster restart until N nodes are started: # -# 2. 
During adding/removing nodes, rebalancing, etc +# gateway.recover_after_nodes: 3 # -#cluster.routing.allocation.node_concurrent_recoveries: 2 - -# Set to throttle throughput when recovering (eg. 100mb, by default 20mb): +# For more information, see the documentation at: +# # -#indices.recovery.max_bytes_per_sec: 20mb - -# Set to limit the number of open concurrent streams when -# recovering a shard from a peer: +# ---------------------------------- Various ----------------------------------- # -#indices.recovery.concurrent_streams: 5 - - -################################## Discovery ################################## - -# Discovery infrastructure ensures nodes can be found within a cluster -# and master node is elected. Multicast discovery is the default. - -# Set to ensure a node sees N other master eligible nodes to be considered -# operational within the cluster. Its recommended to set it to a higher value -# than 1 when running more than 2 nodes in the cluster. +# Disable starting multiple nodes on a single system: # -#discovery.zen.minimum_master_nodes: 1 - -# Set the time to wait for ping responses from other nodes when discovering. -# Set this option to a higher value on a slow or congested network -# to minimize discovery failures: +# node.max_local_storage_nodes: 1 # -#discovery.zen.ping.timeout: 3s - -# For more information, see -# - -# Unicast discovery allows to explicitly control which nodes will be used -# to discover the cluster. It can be used when multicast is not present, -# or to restrict the cluster communication-wise. +# Require explicit names when deleting indices: # -# 1. Disable multicast discovery (enabled by default): +# action.destructive_requires_name: true # -#discovery.zen.ping.multicast.enabled: false # -# 2. 
Configure an initial list of master nodes in the cluster -# to perform discovery when new nodes (master or data) are started: +############################################################################################### +## SEARCH GUARD SSL # +## Configuration # +############################################################################################## # -#discovery.zen.ping.unicast.hosts: ["host1", "host2:port"] - -# EC2 discovery allows to use AWS EC2 API in order to perform discovery. -# -# You have to install the cloud-aws plugin for enabling the EC2 discovery. -# -# For more information, see -# # -# See -# for a step-by-step tutorial. - -# GCE discovery allows to use Google Compute Engine API in order to perform discovery. -# -# You have to install the cloud-gce plugin for enabling the GCE discovery. +############################################################################################## +## Transport layer SSL # +## # +############################################################################################## +## Enable or disable node-to-node ssl encryption (default: true) +searchguard.ssl.transport.enabled: true +## JKS or PKCS12 (default: JKS) +##searchguard.ssl.transport.keystore_type: PKCS12 +## Relative path to the keystore file (mandatory, this seores the server certificates), must be placed under the config/ dir +searchguard.ssl.transport.keystore_filepath: sg/node-{{ansible_hostname}}-keystore.jks +## Alias name (default: first alias which could be found) +searchguard.ssl.transport.keystore_alias: node-{{ansible_hostname}} +## Keystore password (default: changeit) +searchguard.ssl.transport.keystore_password: changeit # -# For more information, see . - -# Azure discovery allows to use Azure API in order to perform discovery. -# -# You have to install the cloud-azure plugin for enabling the Azure discovery. -# -# For more information, see . 
- -################################## Slow Log ################################## - -# Shard level query and fetch threshold logging. - -#index.search.slowlog.threshold.query.warn: 10s -#index.search.slowlog.threshold.query.info: 5s -#index.search.slowlog.threshold.query.debug: 2s -#index.search.slowlog.threshold.query.trace: 500ms - -#index.search.slowlog.threshold.fetch.warn: 1s -#index.search.slowlog.threshold.fetch.info: 800ms -#index.search.slowlog.threshold.fetch.debug: 500ms -#index.search.slowlog.threshold.fetch.trace: 200ms - -#index.indexing.slowlog.threshold.index.warn: 10s -#index.indexing.slowlog.threshold.index.info: 5s -#index.indexing.slowlog.threshold.index.debug: 2s -#index.indexing.slowlog.threshold.index.trace: 500ms - -################################## GC Logging ################################ - -#monitor.jvm.gc.young.warn: 1000ms -#monitor.jvm.gc.young.info: 700ms -#monitor.jvm.gc.young.debug: 400ms - -#monitor.jvm.gc.old.warn: 10s -#monitor.jvm.gc.old.info: 5s -#monitor.jvm.gc.old.debug: 2s - -################################## Security ################################ - -# Uncomment if you want to enable JSONP as a valid return transport on the -# http server. With this enabled, it may pose a security risk, so disabling -# it unless you need it is recommended (it is disabled by default). 
+## JKS or PKCS12 (default: JKS) +#searchguard.ssl.transport.truststore_type: PKCS12 +## Relative path to the truststore file (mandatory, this stores the client/root certificates), must be placed under the config/ dir +searchguard.ssl.transport.truststore_filepath: sg/truststore.jks +## Alias name (default: first alias which could be found) +searchguard.ssl.transport.truststore_alias: root-ca-chain +## Truststore password (default: changeit) +searchguard.ssl.transport.truststore_password: capass +## Enforce hostname verification (default: true) +##searchguard.ssl.transport.enforce_hostname_verification: true +## If hostname verification specify if hostname should be resolved (default: true) +##searchguard.ssl.transport.resolve_hostname: true +## Use native Open SSL instead of JDK SSL if available (default: true) +searchguard.ssl.transport.enable_openssl_if_available: true # -#http.jsonp.enable: true +############################################################################################## +## HTTP/REST layer SSL # +## # +############################################################################################## +## Enable or disable rest layer security - https, (default: false) +#searchguard.ssl.http.enabled: true +## JKS or PKCS12 (default: JKS) +#de +#searchguard.ssl.http.keystore_type: PKCS12 +## Relative path to the keystore file (this stores the server certificates), must be placed under the config/ dir +#searchguard.ssl.http.keystore_filepath: ssl/node-name-keystore.p12 +## Alias name (default: first alias which could be found) +#searchguard.ssl.http.keystore_alias: node-name +## Keystore password (default: changeit) +#searchguard.ssl.http.keystore_password: pass +## Do the clients (typically the browser or the proxy) have to authenticate themself to the http server, default is OPTIONAL +## To enforce authentication use REQUIRE, to completely disable client certificates use NONE +#searchguard.ssl.http.clientauth_mode: NONE +## JKS or PKCS12 (default: 
JKS) +##searchguard.ssl.http.truststore_type: PKCS12 +## Relative path to the truststore file (this stores the client certificates), must be placed under the config/ dir +##searchguard.ssl.http.truststore_filepath: truststore_https.jks +## Alias name (default: first alias which could be found) +##searchguard.ssl.http.truststore_alias: my_alias +## Truststore password (default: changeit) +##searchguard.ssl.http.truststore_password: changeit +## Use native Open SSL instead of JDK SSL if available (default: true) +##searchguard.ssl.http.enable_openssl_if_available: false + +#security.manager.enabled: false +#searchguard.authcz.admin_dn: +# - "CN=node-name.domain.local,OU=SSL,O=Test,L=Test,C=DE" diff --git a/roles/elk/files/example-pki-scripts/apply_config.sh b/roles/elk/files/example-pki-scripts/apply_config.sh new file mode 100644 index 0000000..a30a667 --- /dev/null +++ b/roles/elk/files/example-pki-scripts/apply_config.sh @@ -0,0 +1,9 @@ +#!/bin/bash +set -e +/usr/share/elasticsearch/plugins/search-guard-2/tools/sgadmin.sh \ + -cd /usr/share/elasticsearch/plugins/search-guard-2/sgconfig/ \ + -ks /etc/elasticsearch/sg/admin-keystore.jks \ + -ts /etc/elasticsearch/sg/truststore.jks \ + -kspass changeit \ + -tspass capass \ + -nhnv diff --git a/roles/elk/files/example-pki-scripts/clean.sh b/roles/elk/files/example-pki-scripts/clean.sh new file mode 100644 index 0000000..25b7edd --- /dev/null +++ b/roles/elk/files/example-pki-scripts/clean.sh @@ -0,0 +1,8 @@ +#!/bin/sh +rm -rf ca/ +rm -rf certs/ +rm -rf crl/ +rm -f *.jks +rm -f *.pem +rm -f *.p12 +rm -f *.csr diff --git a/roles/elk/files/example-pki-scripts/etc/root-ca.conf b/roles/elk/files/example-pki-scripts/etc/root-ca.conf new file mode 100644 index 0000000..bdc554d --- /dev/null +++ b/roles/elk/files/example-pki-scripts/etc/root-ca.conf 
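Review bot: The keystore and truststore passwords are committed in clear text on the `searchguard.ssl.transport.keystore_password: changeit` and `searchguard.ssl.transport.truststore_password: capass` lines, and `changeit` is the value the comment above it gives as the default. The same two literals are repeated in apply_config.sh (`-kspass changeit`, `-tspass capass`) and example.sh, so every installation built from this role shares them. Since the commit also adds templates/elasticsearch.yml.j2, the values could come from variables kept in Ansible Vault, e.g. `searchguard.ssl.transport.keystore_password: "{{ sg_keystore_password }}"` (variable name is a placeholder). This copy sits under files/ yet contains `{{ansible_hostname}}`, which is only expanded if the file is deployed through the template module; the task that deploys it is not visible in this hunk.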
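Review bot: `-nhnv` on the last line of apply_config.sh turns off hostname verification for the sgadmin connection, so the admin keystore is presented to any endpoint whose certificate chains to the truststore, whatever name it carries. If the flag is needed only because the generated node certificates use `example.com` names, a comment should say so, e.g. `# -nhnv: node certs use placeholder example.com names; remove once real hostnames are issued`. The flag can be dropped once the node certificate's SAN matches the address sgadmin connects to.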
@@ -0,0 +1,102 @@ +# Simple Root CA + +# The [default] section contains global constants that can be referred to from +# the entire configuration file. It may also hold settings pertaining to more +# than one openssl command. + +[ default ] +ca = root-ca # CA name +dir = . # Top dir + +# The next part of the configuration file is used by the openssl req command. +# It defines the CA's key pair, its DN, and the desired extensions for the CA +# certificate. + +[ req ] +default_bits = 2048 # RSA key size +encrypt_key = yes # Protect private key +default_md = sha1 # MD to use +utf8 = yes # Input is UTF-8 +string_mask = utf8only # Emit UTF-8 strings +prompt = no # Don't prompt for DN +distinguished_name = ca_dn # DN section +req_extensions = ca_reqext # Desired extensions + +[ ca_dn ] +0.domainComponent = "com" +1.domainComponent = "example" +organizationName = "Example Com Inc." +organizationalUnitName = "Example Com Inc. Root CA" +commonName = "Example Com Inc. Root CA" + +[ ca_reqext ] +keyUsage = critical,keyCertSign,cRLSign +basicConstraints = critical,CA:true +subjectKeyIdentifier = hash + +# The remainder of the configuration file is used by the openssl ca command. +# The CA section defines the locations of CA assets, as well as the policies +# applying to the CA. 
+ +[ ca ] +default_ca = root_ca # The default CA section + +[ root_ca ] +certificate = $dir/ca/$ca.crt # The CA cert +private_key = $dir/ca/$ca/private/$ca.key # CA private key +new_certs_dir = $dir/ca/$ca # Certificate archive +serial = $dir/ca/$ca/db/$ca.crt.srl # Serial number file +crlnumber = $dir/ca/$ca/db/$ca.crl.srl # CRL number file +database = $dir/ca/$ca/db/$ca.db # Index file +unique_subject = no # Require unique subject +default_days = 3652 # How long to certify for +default_md = sha1 # MD to use +policy = any_pol # Default naming policy +email_in_dn = no # Add email to cert DN +preserve = no # Keep passed DN ordering +name_opt = ca_default # Subject DN display options +cert_opt = ca_default # Certificate display options +copy_extensions = copy # Copy extensions from CSR +x509_extensions = signing_ca_ext # Default cert extensions +default_crl_days = 365 # How long before next CRL +crl_extensions = crl_ext # CRL extensions + +# Naming policies control which parts of a DN end up in the certificate and +# under what circumstances certification should be denied. + +[ match_pol ] +domainComponent = match # Must match 'simple.org' +organizationName = match # Must match 'Simple Inc' +organizationalUnitName = optional # Included if present +commonName = supplied # Must be present + +[ any_pol ] +domainComponent = optional +countryName = optional +stateOrProvinceName = optional +localityName = optional +organizationName = optional +organizationalUnitName = optional +commonName = optional +emailAddress = optional + +# Certificate extensions define what types of certificates the CA is able to +# create. 
+ +[ root_ca_ext ] +keyUsage = critical,keyCertSign,cRLSign +basicConstraints = critical,CA:true +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always + +[ signing_ca_ext ] +keyUsage = critical,keyCertSign,cRLSign +basicConstraints = critical,CA:true,pathlen:0 +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always + +# CRL extensions exist solely to point to the CA certificate that has issued +# the CRL. + +[ crl_ext ] +authorityKeyIdentifier = keyid:always diff --git a/roles/elk/files/example-pki-scripts/etc/signing-ca.conf b/roles/elk/files/example-pki-scripts/etc/signing-ca.conf new file mode 100644 index 0000000..b53f0e9 --- /dev/null +++ b/roles/elk/files/example-pki-scripts/etc/signing-ca.conf 
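Review bot: `default_md = sha1` in both `[ req ]` and `[ root_ca ]` makes the root certificate and everything the root signs carry SHA-1 signatures, a digest that is no longer considered collision-resistant; `default_md = sha256` is the usual choice. signing-ca.conf sets the same value in its `[ req ]` and `[ signing_ca ]` sections. The inline comment on `unique_subject = no # Require unique subject` also says the opposite of the setting, and the `match_pol` comments still refer to 'simple.org' and 'Simple Inc' while `ca_dn` uses example.com.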
@@ -0,0 +1,104 @@ +# Simple Signing CA + +# The [default] section contains global constants that can be referred to from +# the entire configuration file. It may also hold settings pertaining to more +# than one openssl command. + +[ default ] +ca = signing-ca # CA name +dir = . # Top dir + +# The next part of the configuration file is used by the openssl req command. +# It defines the CA's key pair, its DN, and the desired extensions for the CA +# certificate. + +[ req ] +default_bits = 2048 # RSA key size +encrypt_key = yes # Protect private key +default_md = sha1 # MD to use +utf8 = yes # Input is UTF-8 +string_mask = utf8only # Emit UTF-8 strings +prompt = no # Don't prompt for DN +distinguished_name = ca_dn # DN section +req_extensions = ca_reqext # Desired extensions + +[ ca_dn ] +0.domainComponent = "com" +1.domainComponent = "example" +organizationName = "Example Com Inc." +organizationalUnitName = "Example Com Inc. Signing CA" +commonName = "Example Com Inc. Signing CA" + +[ ca_reqext ] +keyUsage = critical,keyCertSign,cRLSign +basicConstraints = critical,CA:true,pathlen:0 +subjectKeyIdentifier = hash + +# The remainder of the configuration file is used by the openssl ca command. +# The CA section defines the locations of CA assets, as well as the policies +# applying to the CA. 
+ +[ ca ] +default_ca = signing_ca # The default CA section + +[ signing_ca ] +certificate = $dir/ca/$ca.crt # The CA cert +private_key = $dir/ca/$ca/private/$ca.key # CA private key +new_certs_dir = $dir/ca/$ca # Certificate archive +serial = $dir/ca/$ca/db/$ca.crt.srl # Serial number file +crlnumber = $dir/ca/$ca/db/$ca.crl.srl # CRL number file +database = $dir/ca/$ca/db/$ca.db # Index file +unique_subject = no # Require unique subject +default_days = 730 # How long to certify for +default_md = sha1 # MD to use +policy = any_pol # Default naming policy +email_in_dn = no # Add email to cert DN +preserve = no # Keep passed DN ordering +name_opt = ca_default # Subject DN display options +cert_opt = ca_default # Certificate display options +copy_extensions = copy # Copy extensions from CSR +x509_extensions = client_ext # Default cert extensions +default_crl_days = 7 # How long before next CRL +crl_extensions = crl_ext # CRL extensions + +# Naming policies control which parts of a DN end up in the certificate and +# under what circumstances certification should be denied. + +[ match_pol ] +domainComponent = match # Must match 'simple.org' +organizationName = match # Must match 'Simple Inc' +organizationalUnitName = optional # Included if present +commonName = supplied # Must be present + +[ any_pol ] +domainComponent = optional +countryName = optional +stateOrProvinceName = optional +localityName = optional +organizationName = optional +organizationalUnitName = optional +commonName = optional +emailAddress = optional + +# Certificate extensions define what types of certificates the CA is able to +# create. 
+ +[ client_ext ] +keyUsage = critical,digitalSignature,keyEncipherment +basicConstraints = CA:false +extendedKeyUsage = clientAuth +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always + +[ server_ext ] +keyUsage = critical,digitalSignature,keyEncipherment +basicConstraints = CA:false +extendedKeyUsage = serverAuth,clientAuth +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always + +# CRL extensions exist solely to point to the CA certificate that has issued +# the CRL. + +[ crl_ext ] +authorityKeyIdentifier = keyid:always diff --git a/roles/elk/files/example-pki-scripts/example.sh b/roles/elk/files/example-pki-scripts/example.sh new file mode 100644 index 0000000..7cb2308 --- /dev/null +++ b/roles/elk/files/example-pki-scripts/example.sh @@ -0,0 +1,6 @@ +#!/bin/bash +set -e +./clean.sh +./gen_root_ca.sh capass capass +./gen_node_cert.sh $HOSTNAME changeit capass #&& ./gen_node_cert.sh 1 changeit capass && ./gen_node_cert.sh 2 changeit capass +./gen_client_node_cert.sh admin changeit capass diff --git a/roles/elk/files/example-pki-scripts/gen_client_node_cert.sh b/roles/elk/files/example-pki-scripts/gen_client_node_cert.sh new file mode 100644 index 0000000..1d145c0 --- /dev/null +++ b/roles/elk/files/example-pki-scripts/gen_client_node_cert.sh 
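Review bot: `copy_extensions = copy` together with `policy = any_pol` in `[ signing_ca ]` means any extension in the CSR that the chosen extension section does not set, subjectAltName included, is put into the issued certificate, and the gen_*_cert.sh scripts sign with `-batch`, so nothing is reviewed. The node script depends on this, since `server_ext` defines no subjectAltName and the SAN arrives only through the `-ext san=...` on `keytool -certreq`. A comment next to the setting would make that dependency and its limit explicit, e.g. `# copy: SAN comes from the CSR; sign only CSRs produced by gen_node_cert.sh / gen_client_node_cert.sh`.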
@@ -0,0 +1,66 @@
+#!/bin/bash
+set -e
+CLIENT_NAME=$1
+
+if [ -z "$3" ] ; then
+ unset CA_PASS KS_PASS
+ read -p "Enter CA pass: " -s CA_PASS ; echo
+ read -p "Enter Keystore pass: " -s KS_PASS ; echo
+ else
+ KS_PASS=$2
+ CA_PASS=$3
+fi
+
+rm -f $CLIENT_NAME-keystore.jks
+rm -f $CLIENT_NAME.csr
+rm -f $CLIENT_NAME-signed.pem
+
+echo Generating keystore and certificate for node $CLIENT_NAME
+
+keytool -genkey \
+ -alias $CLIENT_NAME \
+ -keystore $CLIENT_NAME-keystore.jks \
+ -keyalg RSA \
+ -keysize 2048 \
+ -validity 712 \
+ -keypass $KS_PASS \
+ -storepass $KS_PASS \
+ -dname "CN=$CLIENT_NAME, OU=SSL, O=Test, L=Test, C=DE"
+
+echo Generating certificate signing request for node $CLIENT_NAME
+
+keytool -certreq \
+ -alias $CLIENT_NAME \
+ -keystore $CLIENT_NAME-keystore.jks \
+ -file $CLIENT_NAME.csr \
+ -keyalg rsa \
+ -keypass $KS_PASS \
+ -storepass $KS_PASS \
+ -dname "CN=$CLIENT_NAME, OU=client, O=client, L=Test, C=DE"
+
+echo Sign certificate request with CA
+openssl ca \
+ -in $CLIENT_NAME.csr \
+ -notext \
+ -out $CLIENT_NAME-signed.pem \
+ -config etc/signing-ca.conf \
+ -extensions v3_req \
+ -batch \
+ -passin pass:$CA_PASS \
+ -extensions server_ext
+
+echo "Import back to keystore (including CA chain)"
+
+cat ca/chain-ca.pem $CLIENT_NAME-signed.pem | keytool \
+ -importcert \
+ -keystore $CLIENT_NAME-keystore.jks \
+ -storepass $KS_PASS \
+ -noprompt \
+ -alias $CLIENT_NAME
+
+keytool -importkeystore -srckeystore $CLIENT_NAME-keystore.jks -srcstorepass $KS_PASS -srcstoretype JKS -deststoretype PKCS12 -deststorepass $KS_PASS -destkeystore $CLIENT_NAME-keystore.p12
+
+openssl pkcs12 -in $CLIENT_NAME-keystore.p12 -out $CLIENT_NAME.key.pem -nocerts -nodes -passin pass:$KS_PASS
+openssl pkcs12 -in $CLIENT_NAME-keystore.p12 -out $CLIENT_NAME.crt.pem -clcerts -nokeys -passin pass:$KS_PASS
+
+echo All done for $CLIENT_NAME
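Review bot: The client certificate is signed with `-extensions server_ext`, which in etc/signing-ca.conf carries `extendedKeyUsage = serverAuth,clientAuth`, so a client-only identity such as `admin` is also issued as a server certificate. signing-ca.conf already defaults to `x509_extensions = client_ext`, so passing `-extensions client_ext` (and dropping the earlier `-extensions v3_req`, which the later option appears to override) keeps the certificate to `clientAuth`. The closing `openssl pkcs12 ... -nocerts -nodes` writes `$CLIENT_NAME.key.pem` unencrypted under whatever umask the caller has; a `umask 077` right after `set -e` would keep the private key and keystores from being created group- or world-readable.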
diff --git a/roles/elk/files/example-pki-scripts/gen_node_cert.sh b/roles/elk/files/example-pki-scripts/gen_node_cert.sh
new file mode 100644
index 0000000..df80e13
--- /dev/null
+++ b/roles/elk/files/example-pki-scripts/gen_node_cert.sh
@@ -0,0 +1,65 @@
+#!/bin/bash
+set -e
+NODE_NAME=node-$1
+
+if [ -z "$3" ] ; then
+ unset CA_PASS KS_PASS
+ read -p "Enter CA pass: " -s CA_PASS ; echo
+ read -p "Enter Keystore pass: " -s KS_PASS ; echo
+ else
+ KS_PASS=$2
+ CA_PASS=$3
+fi
+
+rm -f $NODE_NAME-keystore.jks
+rm -f $NODE_NAME.csr
+rm -f $NODE_NAME-signed.pem
+
+echo Generating keystore and certificate for node $NODE_NAME
+
+keytool -genkey \
+ -alias $NODE_NAME \
+ -keystore $NODE_NAME-keystore.jks \
+ -keyalg RSA \
+ -keysize 2048 \
+ -validity 712 \
+ -keypass $KS_PASS \
+ -storepass $KS_PASS \
+ -dname "CN=$NODE_NAME.example.com, OU=SSL, O=Test, L=Test, C=DE" \
+ -ext san=dns:$NODE_NAME.example.com,ip:127.0.0.1,oid:1.2.3.4.5.5
+
+echo Generating certificate signing request for node $NODE_NAME
+
+keytool -certreq \
+ -alias $NODE_NAME \
+ -keystore $NODE_NAME-keystore.jks \
+ -file $NODE_NAME.csr \
+ -keyalg rsa \
+ -keypass $KS_PASS \
+ -storepass $KS_PASS \
+ -dname "CN=$NODE_NAME.example.com, OU=SSL, O=Test, L=Test, C=DE" \
+ -ext san=dns:$NODE_NAME.example.com,ip:127.0.0.1,oid:1.2.3.4.5.5
+
+echo Sign certificate request with CA
+openssl ca \
+ -in $NODE_NAME.csr \
+ -notext \
+ -out $NODE_NAME-signed.pem \
+ -config etc/signing-ca.conf \
+ -extensions v3_req \
+ -batch \
+ -passin pass:$CA_PASS \
+ -extensions server_ext
+
+echo "Import back to keystore (including CA chain)"
+
+cat ca/chain-ca.pem $NODE_NAME-signed.pem | keytool \
+ -importcert \
+ -keystore $NODE_NAME-keystore.jks \
+ -storepass $KS_PASS \
+ -noprompt \
+ -alias $NODE_NAME
+
+keytool -importkeystore -srckeystore $NODE_NAME-keystore.jks -srcstorepass $KS_PASS -srcstoretype JKS -deststoretype PKCS12 -deststorepass $KS_PASS -destkeystore $NODE_NAME-keystore.p12
+
+echo All done for $NODE_NAME
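Review bot: The node certificate's subject and SAN are fixed to `$NODE_NAME.example.com` and `ip:127.0.0.1`, with `NODE_NAME=node-$1`, so a certificate generated from `$HOSTNAME` (as example.sh does) will not carry the name remote clients actually connect to, nor `localhost`. That mismatch makes hostname verification fail and is possibly the reason the Kibana config in this same patch sets `elasticsearch.ssl.verify: false`. Taking the DNS name and address as parameters, e.g. `-ext san=dns:"$NODE_FQDN",ip:"$NODE_IP",oid:1.2.3.4.5.5` (variable names are placeholders), in both the `-genkey` and `-certreq` calls would let verification stay on. `$NODE_NAME` and the password expansions should be quoted.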
diff --git a/roles/elk/files/example-pki-scripts/gen_root_ca.sh b/roles/elk/files/example-pki-scripts/gen_root_ca.sh
new file mode 100644
index 0000000..7b2defe
--- /dev/null
+++ b/roles/elk/files/example-pki-scripts/gen_root_ca.sh
@@ -0,0 +1,76 @@
+#!/bin/bash
+set -e
+rm -rf ca certs* crl *.jks
+
+if [ -z "$2" ] ; then
+ unset CA_PASS TS_PASS
+ read -p "Enter CA pass: " -s CA_PASS ; echo
+ read -p "Enter Truststore pass: " -s TS_PASS ; echo
+ else
+ CA_PASS=$1
+ TS_PASS=$2
+fi
+
+mkdir -p ca/root-ca/private ca/root-ca/db crl certs
+chmod 700 ca/root-ca/private
+
+cp /dev/null ca/root-ca/db/root-ca.db
+cp /dev/null ca/root-ca/db/root-ca.db.attr
+echo 01 > ca/root-ca/db/root-ca.crt.srl
+echo 01 > ca/root-ca/db/root-ca.crl.srl
+
+openssl req -new \
+ -config etc/root-ca.conf \
+ -out ca/root-ca.csr \
+ -keyout ca/root-ca/private/root-ca.key \
+ -batch \
+ -passout pass:$CA_PASS
+
+
+openssl ca -selfsign \
+ -config etc/root-ca.conf \
+ -in ca/root-ca.csr \
+ -out ca/root-ca.crt \
+ -extensions root_ca_ext \
+ -batch \
+ -passin pass:$CA_PASS
+
+echo Root CA generated
+
+mkdir -p ca/signing-ca/private ca/signing-ca/db crl certs
+chmod 700 ca/signing-ca/private
+
+cp /dev/null ca/signing-ca/db/signing-ca.db
+cp /dev/null ca/signing-ca/db/signing-ca.db.attr
+echo 01 > ca/signing-ca/db/signing-ca.crt.srl
+echo 01 > ca/signing-ca/db/signing-ca.crl.srl
+
+openssl req -new \
+ -config etc/signing-ca.conf \
+ -out ca/signing-ca.csr \
+ -keyout ca/signing-ca/private/signing-ca.key \
+ -batch \
+ -passout pass:$CA_PASS
+
+openssl ca \
+ -config etc/root-ca.conf \
+ -in ca/signing-ca.csr \
+ -out ca/signing-ca.crt \
+ -extensions signing_ca_ext \
+ -batch \
+ -passin pass:$CA_PASS
+
+echo Signing CA generated
+
+openssl x509 -in ca/root-ca.crt -out ca/root-ca.pem -outform PEM
+openssl x509 -in ca/signing-ca.crt -out ca/signing-ca.pem -outform PEM
+cat ca/signing-ca.pem ca/root-ca.pem > ca/chain-ca.pem
+
+#http://stackoverflow.com/questions/652916/converting-a-java-keystore-into-pem-format
+
+cat ca/root-ca.pem | keytool \
+ -import \
+ -v \
+ -keystore truststore.jks \
+ -storepass $TS_PASS \
+ -noprompt -alias root-ca-chain
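Review bot: `rm -rf ca certs* crl *.jks` on the third line runs against whatever the current directory happens to be and, before any argument is read, silently destroys an existing CA together with its private keys and every keystore. The script should anchor itself first, e.g. `cd "$(dirname "$0")"`, and refuse to replace an existing `ca/` directory unless explicitly asked, since regenerating the root invalidates every certificate already issued. The root and signing CA keys are also encrypted with the same `$CA_PASS` and kept side by side under `ca/`, so a comment stating that this layout is meant for test setups only would help readers who reuse it.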
diff --git a/roles/elk/files/kibana-config.yml b/roles/elk/files/kibana-config.yml index 34d8f71..b954dbb 100644 --- a/roles/elk/files/kibana-config.yml +++ b/roles/elk/files/kibana-config.yml @@ -1,5 +1,5 @@ # Kibana is served by a back end server. This controls which port to use. -server.port: 80 +server.port: 5601 # The host to bind the server to. # server.host: "0.0.0.0" @@ -9,7 +9,7 @@ server.port: 80 # server.basePath: "" # The Elasticsearch instance to use for all your queries. -# elasticsearch.url: "http://localhost:9200" +elasticsearch.url: "https://localhost:9200" # preserve_elasticsearch_host true will send the hostname specified in `elasticsearch`. If you set it to false, # then the host you use to connect to *this* Kibana instance will be sent. @@ -26,8 +26,8 @@ server.port: 80 # used by the Kibana server to perform maintenance on the kibana_index at startup. Your Kibana # users will still need to authenticate with Elasticsearch (which is proxied through # the Kibana server) -# elasticsearch.username: "user" -# elasticsearch.password: "pass" +elasticsearch.username: "usr_kibana" +elasticsearch.password: "2FgeR37e1" # SSL for outgoing requests from the Kibana Server to the browser (PEM formatted) # server.ssl.cert: /path/to/your/server.crt @@ -43,7 +43,7 @@ server.port: 80 # Set to false to have a complete disregard for the validity of the SSL # certificate. -# elasticsearch.ssl.verify: true +elasticsearch.ssl.verify: false # Time in milliseconds to wait for elasticsearch to respond to pings, defaults to # request_timeout setting @@ -73,4 +73,4 @@ server.port: 80 # logging.quiet: false # Set this to true to log all events, including system usage information and all requests. -# logging.verbose: false \ No newline at end of file +# logging.verbose: false diff --git a/roles/elk/files/logstash-conf.d/99-output.conf b/roles/elk/files/logstash-conf.d/99-output.conf index 28097a7..ef565fb 100644 --- a/roles/elk/files/logstash-conf.d/99-output.conf 
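Review bot: `elasticsearch.password: "2FgeR37e1"` commits a credential for `usr_kibana` to the repository, and `elasticsearch.ssl.verify: false` in the `@@ -43,7` hunk turns off certificate validation on the very connection that carries it. Because the file is shipped from files/ rather than templates/, every install would get the same password; it should be rendered from a vaulted variable, e.g. `elasticsearch.password: "{{ kibana_es_password }}"` (placeholder name), and the committed value treated as exposed. Verification can stay at `elasticsearch.ssl.verify: true` if Kibana is given the CA chain that gen_root_ca.sh writes to ca/chain-ca.pem and the node certificate carries a SAN matching the host in `elasticsearch.url`.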
+++ b/roles/elk/files/logstash-conf.d/99-output.conf @@ -1,12 +1,26 @@ output { elasticsearch { - hosts => ["localhost:9200"] - template => "/etc/logstash/template.json" - index => "lightsiem-%{+YYYY.MM.dd}" - template_name => "lightsiem" - template_overwrite => true + # http protocol + # hosts => ["localhost:9200"] + + # https protocol (use with search-guard) + hosts => ["https://127.0.0.1:9200"] + ssl => true + truststore => '/etc/elasticsearch/truststore.jks' + truststore_password => "trust_pass" + ssl_certificate_verification => true + keystore => "/etc/elasticsearch/{{node-name}}-keystore.jks" + keystore_password => "key_pass" + user => "logstash_user" + password => "pass_logstash_user" + + # template + template => "/etc/logstash/template.json" + index => "lightsiem-%{+YYYY.MM.dd}" + template_name => "lightsiem" + template_overwrite => true } # stdout { codec => rubydebug } -} \ No newline at end of file +} 
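Review bot: The keystore path `"/etc/elasticsearch/{{node-name}}-keystore.jks"` contains a template placeholder, but this file sits under files/ and is presumably copied verbatim, so Logstash would look for a file literally named `{{node-name}}-keystore.jks`; `node-name` is also not a usable Jinja2 variable name because of the hyphen. The patch adds templates/99-output.conf.j2 as well, so this static copy should probably be removed or kept free of placeholders. `truststore_password`, `keystore_password` and `password` are literal strings (`trust_pass`, `key_pass`, `pass_logstash_user`) that appear not to match the `capass`/`changeit` values used in example.sh and would be identical on every install; they belong in the template as vaulted variables.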
diff --git a/roles/elk/files/netty-tcnative-1.1.33.Fork13-linux-x86_64.jar b/roles/elk/files/netty-tcnative-1.1.33.Fork13-linux-x86_64.jar new file mode 100644 index 0000000000000000000000000000000000000000..39217b4ea70fd2f4bac37aa684e7daee45c0e0b1 GIT binary patch literal 145515 zcmb4pbySp5_bw9BB`vKIA}L722#5&M-QC^Ij3A8y3J6FHf=Gy@l)wy)G)PGfIU^lI z%)rF;`_=t^H@>^>yViT&f1bV1Ir}_&@8_)b>c1o+rXV07BOur((|bYiPY*c(F@cV{ zv5JVM?sGBR2myiqe?Z9y_WnYrB-|`dZxIko5)lwE{x$nAsE&%R=5uu;V^N*wIYv5u zOHb*#tj<8JJJxjo9_qF|-Ur5|gsFt%eAU&5M}+M29rKZ|GVNfuUVqXGO4gh2ltH?# zjitBE1(`UUS4Ni?jq|!_vaT$p{qz|gFuXNDc2F-&b=0|8={&pq&*K$*z*4&`un2?j*MprnQ%$q;YZQCa zu224Y&5~VF*1kwgR!1RdVtcCT@ksK=dSOi~O@$kda*Gdh52M0LCB&4cCM0$ZEOw)5 zB+srhDHx86bGq?T7ztOYOgZSE4t#* zI@d)ZCGmCcg>IXKg7{MHi&x6Q{?_bsw|rfYw*0g;9sxfd;biZYu3?9L5_`EK zCzBkuRL6gbei7Imc%O&s%ug{8n>`^Xdo7Nl{7;Gy{2N97iA)5v|4b1dhfo(^vHv@m z^?wI@_=)&GaSvnY0U0{uAg5V=Jg)3a+`)*vEhJ$cOt^E0bfBMp}# z{`h8Yh(_N)WAHGg{*cDEXc(yN_a-{ulOi9n`Co+o_kehy1nIs11|sP1`{bVk^6!NH z&#;L7FKqMo^ZBO$asKR~=oP0Tn2Lhlt8XfAs1*OLxpGop0Lb()NX>jPMsX9B)H>vK zn^`*0)_%$U^T?f#1|*Ti1bUhEI=P`k7niS`dV?yxVWqzu`tyPg=GOB1MuV{{xwY<$ zp)kVyT!C>23_zny8BxUn{Ld8o_vPQ^T(0vZB_J^P%N^1GzvYMfc+Z(z1ueHR0VnI8 z%0;}e%=(^Hq&t+8ZQ$KLXZk_%L+4`Aq3`W`yyOz(^#tw~9b33dAi;~2_wG*$JlvK# zpLMsdTSJ5XOmqw>-lx^}5LK6vP17aneRj`ClzDaCH%XThKB&PHt&bsAgzVhSQyCtm9FY|W<$O%W=s$cXsn(;%Yp^cm7fA0pAu~bWDD_1)V{6Wn$-ph>!Q8!Cn>QMLX+7bO z$sCZ+|L8hvdzJnMXw{l)xq7KmvVNFi8yo+V`a=DWs>Bo>D{G_S3Jj(LguiS76w{D01O~kn z^&QOZ+dXl8GsCo-0pbC%r;F*4sg0e`MG0qL+)4~&H~R40xz~HP%cGe-X!q?el9#AL zffHR}tsnNzyzg{xRlMjio@gGgNlbY-avza+H!Ac8jdhwoXJX|*sgR&??bK?Cmbxx? 
zo;&|m-*^Z{C)o4RQa~}l6SC2gV$~HA?We0Zxp`ct!9WI=+E!(^dX)JKW8E?OPP@>> z?u0cWz0W3|78Wg!4Zf?iC-tWXtSf5tAqMfN6Tuj~S)?#(%yZHE8!RiFEu7}CwDtH- z3sgQJW^31&O}QeaC!s8fpI#gnn_#OW;Oig$uDUPMZQA1e(kGa24!gLliY!4O0r3^biQw?mt&7cR|>rY?Q zD%TcBW%<(hCR4e+<qWw4_;_= zKML0Mf$ZPION}=^@iba#n(a!Qs2OiEvASi7@AKL2{q9sm8T-C6xG%pp&L>32`;$PI z+_+TSeB0?K-{jwE7Q;>QChDg5Ugd}uDv92J7+kHP57^Z0#^shO44e5StCjAywLBYp zM`EK^IO{M%WvNv?1)%fEwrybKrR?go_38^e%=|#;1`l%mN{Div*;<0oq+1Y%eO9AJ znJN1k42Pmj@kK^C*-Jk=J>(cdi7gnZdfS_LpK|5%h~E7`>;@MZoU0ZwHdZ-PzL55l ze)PMQkLh_%X&|m%t&lFtIi(dCwJZ5_&8om!(Bos^sG8)N4}Si6kNrn71+(u?Cq;32 zV~i&Il@9Qu`{PzCLFXTj9TzkeSIbyl_Lm^osrYs>I)o`x0++kK`bM2_iaUZ1Q~O08 zbGAt$(hR57Bvqami{vdrLml&~Zl@*e-4+8~Ohmt&(+CzmDvnd5C&TtqDvTM_Kl|EG z@x@zrbnNLFMSR7pei6Tc%Z9r89>-^gS=MK2kF79$zvmcfrZx| z0FLxJM?KFcEY*xw_AT(=r25x?3ZYRbmCTrv&2^J>+t!*EPOz39`ayD(sZ(;~bN` zXI4BMx}!$-Ew$^DflXlf>KIrn|03`(@K*}0pq(XVr~+A9eb_>8gEVH2-le*_iN%UP&uy)t zw3~iAo^_e#-P~sCRbP<91om0<^5kWu=l|W%3Lel_^ygFez0&F^U#@fN$d`14DjkaO zpvyAOTaxxkr9(eG%=6Eu`uaV7YQ_5lP2@Yk!A|M@F!q3SzgOO?UyVzoG41pWi^&6@ z2H|H%hbuPg>|s$4<-4;+I71lq3*8ke58hkytKN4u(M)>l%(3~Vbv1`3kyp_6gVK>lALl3(d#=M_;VC^ zvKttl<_G6*#*U*}m9M!Q0;Qty0Pl_Qq#jngw|LTq8WF76AOq%*FDf`rk!UF@-ex_8 z_Odt}PfHbmtfLJea*-iD`2h>%`_qMD`R`r3+2E4cS>P4{q=<;%!9REH|4^si9*+NA zZ-@r@)x?lT8>^q;GYOs(Gtf)id(mA46XfLEtZw|)wy_TY zY>m^&h|-Sd^Q$h?A@pMXk6smWv0Km*XC#}c63{czCt$u-e|6haf=l!Pai=qvH$b~E zXzkJ7(Ox7rv13MZC^2N;bq2K2!tNbk%9uNbnGkV+NDa3r|y`-FFb6o)r_M9-;FpHAQ~E0o@e(GG=v@`!?o-4Kp}fnC|SAUDv~!y}r21D=pR z4(Qa7YjQ^rq=3h6GV7-sZe~(}GqvmSifaeiW|PWqJzizn6C=91TPp(A<)eg{d-k-} zu%8j2+edV!X)}zy*wI@6@`Wz*S^*wqf&iudC|(Tl#&M=-#_{B9)a|2roVD)#^{`lc zJlc#0Lbdr-c9N2gdnYPt{o1oF^t8(f$kf2OzVEy7d=ZqWPka@~^XByl-3pF~=zBlM%;!bWcp3A4Qe^o8@X#yQS0lYxG5z;0KzZv$&vc^9n!xJAxCLbrD z0(3!7to2@<+*&UcFZZlaEBeZNL}D$}@28SS)CIQBQqCyVdLMEbUz>j7hjh;W6W+#W1D`kK8~gLpk? 
zUC!qfKKTdVHI7oZgK#q(&Xstg81Mb!ihl3M3mE&aA`+Jb6cCC5wo)xQA~L6~|U z@po|%d)$7?N`lFtgRA62)uP$r@95rCKhz`s%uTdwyK{-6iBtQGrbaPE`?1Dbq1G0< zZR~|8@wi(n1n{t@AKU%A$ZEkV`R!tX8$WIzamJ%u$^M?QZ}RB+TBs-@S~rSwh5h!% z6SDg}<1D3hqXFJ(7}kDHx*zLnz8qeeS8B-%K}tfe!ZtBv8#djb1Xb5$=qxvIqjb=WGqpU5tGm1q;$G*rD{fsV`DX4dJF10z>&r4aeu7rEBO9s>oo+AQ zHJX*8!egp7<$~oSzBU|S9n>B8s)Mq2K?TKiaxa;b(CpSJUAGAxDB)tgvuXWD%4jFu z1$g-@$EN7|DxIT$jaoEGe;O~2`Dn6Rj-c0W<63zFaA$KMQ|wl+J{fn3=qE*gtQi@W z2P7N6*lj})5Ju*E;Ma}ly->)+ac0$86QE>sxv5X>UxYpKH`<6~=|5J9e(0Z4dVEa) zWABw2Q&(v#+=)qV5Anylkr}a8oCHBhJ865j=$Hu?2sebu?q8td11A!r%IS1TkF1mN zG@oc{L9b9^bVoA7_7^N%io^ITC}i_ThWf`K{7|ElFzPE0)y{sJs_=dd!HN!t-5p1^ z2D&r!5AhdEGuq}~XL!i4sB2mdn5)4c8(rd4Rsx6Ob)@#LE74)TpRm<+b_(<0xH(mHrgbfMy|Mxz490D?(!z% zKD!v_$R&OeCNLBhwBq=q?n;b150xRCExV;TsliFS z#!pdPy&zs|va82D)}#v{=E*7&Ux9vTUNK&7sGS2gaB4{wK!>B=cz)Um^jBh7up31C z7x9l2^m(v|L*AZRxo187{a_@LuGY_Cg=kZWPUdOe*wr!d(LD%WELnjESbUm6XWA3O z5g(|_J$%JQKWRR4Izy+drohshOBbjU(?Ho9Gp0m!8VtEqEu;xhh>vW0ewE6p`UtU1 z_38Z#v)VyIcuj-*vIt#hZ`Xs!4lhx*`wGsCg&{YRe^&!PHIA7oJ{k}~HBR&Q3 zzDW?LJFzAMCGJBqFIhzWM22!5@yU^TNm6C#HSMy%oueV~GzZOWLqyi@)dw3`Vf5Lr8lW{IQQ# zqS!Zu4WzFx;RV4*uvf6e??JqZv0GfdcUO#hx=4A#_3a42w5R&XS+bx<{gY{pe<`0s zca*fR$0MBJ&%Yf-zgdUIHPL}?pPGe_M`Q$cviEX8AS`D#L>~D5L%d!xKJi8o0=4}! zyr5cKoC%jnp5Xz$I3dSi08b&$l4(`U1@}NACk@uFVelXxNI^SQ8}QCD<0e$4X7%eI z-&Hbezu)f9_S~K-zN}?`RdDM#4s|O{LJZ&A6ZZx`{PP=I@=dC3OLXz}1=m*UQL0|L zL9`$IYETdoQM_5_gsXV4g?ok{=jz|-Fpl&|DjdLg0&83N*u`k9by3f9AXP@?3ztK! 
z4Y4y|IeBr=VS9BU%FtvY9NyJMSOEelE`T{7E#1!0Y7RdliA7(`5FzPhh~aj7J_dL} z6L8+cYUL&Ac40aH>ujJ<%*$deK->i)%X+{K{Dl!gr3;M~&jpzAX*=T3nz5sR(Nb7l zd*X##c|$S6#@S$EF&5oAiHJPAS9O&^=|@ut2{W~aG*$=+c;*Qqper=A&x9Zs{OYqv zSs@oC578%k5keWcuC1{|w!T?wqk3qw&tb zqZjk7ER1zmQKNO#))S=6(Gw4R!Pvn7c_0BY=Q*}LZn^1+bqETY2R&Ws-a(`r?t0l8 z?}X>U)?QyA9S5%LyRS1%>6(k|Z~>bgNp zPUQ{+6%`cy<**{f3SpM^%GbAj-9j(Z5xCVNdReTAOcU=_=e->1Sf+9z5to{@-=+b*=>Yr3_P%JTu@a+YxxJkNEs#k zexa;|tgLfi7+xMFe2|K)b&IguKxd*w)bi{~!Vm3~WfFH{Oi!UfG8vB8l*pbo+m)Y4 z|Czbeg_};9sN1!Za3m3uw3ciP@VMw=e)bqI!{>iZ!hEUsoy5-50iRL-0+4sZmv~5g z*kLz<)fHp(@vKV+`B{uDw-kgIqYcUzaD)r5x_23b=XVMsiZ!LjC4HE$@sF41Bn||- zGSSAi3rlOp7@{$|zqu6Vb{lTjB`?nH%e!zb1w0D9u*TvxMABmZ07T$Pzh>GwfQywe zm_J6PXhd`iZGK(rRO>49WhnjeYg4nT!0&b(uv=4YvM*1YE^q^?AR&IsKM_KcPMBUi z5N;%L8DpVFggmyY(RkvWBx82>u=S-cRUvS25yf?CZFSbMcj(jzJVJHvcIZ%#(E{Es zC)q{U*yF;#sN*fqqp%jSXct6fB-cvKUKJvVD-v||De@>1KFy+~$bD4hc5`@}5{ro& zdMTZe>k02-KE$jWi-Kvt?8a=exS9XXuK^F&fUjc^)JlXE&|y_T*^Slt{RQZk**4sz zJ@gsF4WFnJFn&NjM0&DM;!8x^OeyE4$T{Xt8jvHDciF7<>-C?A3!k+GDO%HLMkKrN z{5$qq+OcCQ$}twJF*7}jH)(IpEPs=G(+=ewY#@Y}hKhQSzufp0J{-=u<_16&dmUHt z@mSs`t!y&@w+6Aw`n;>_h9WiwuX7oQ_q1J;@b-@xN3N$JPi+F6Q`+@;E3&g;xlK35 z$pMgL@kdSJMr8St4Xe1@IXU7AHM)%q3KE`wk`}XxU_KQ8p=S@7E-m(>rWxaInp!?( zzS(d6O*_*MWX0BoF0y$apQaT?p?K7Okb(x>YmtM@&(2)Oer%)AH;0+g z#Y5+dNqo#(M_mtmlMrtY$yd4b*W7Kno1)kj-W4exH=lLN#Gfrw6sbc*{#I2YKvdLT;>P%osf{n~iRe+hz=ryJ@pa^Ru zR-9XFgfZ*PXe+*Ya@tup?Ka3Yz8MLuK)EeWM#Lt>G`_mB__q9Z3!CqNv0gid4Pla) zkqC+TNz?hsD$I(V@VVqlFHOX7?}VLq0}a3B&t{_=C-gvra>fLoRHyDv6$D+-U`F8zs?w=TkH0+YLEvXMT`!fCsC200GC15agzAs$)Y4Ag& zo7I6#n(*3vOxD8RdI!6RnsW;;PT9QrmNEvDd*CmJX1>H%k~1TzZseBvS+R1`X)*bI zs(PXg<{1;;r&?npi=*fM$jEkI22p{c8{^Rp%)lnS-*q|Ombu6F3L;V9)2?L{$NX2( zGUz@J6!aEZhy#jh-jGLCU+)L808V8+*Q!Pq+#)p26hBxy z6w1`L{I2kBtyiP5I#6ga|Ba_+z8ubCzA1X?XaPGiyqHC7al@|^NX53Ug8;tu<{-&M zyP~cMS)iX|jC;hKEG^V|8X6;fso`dIzCf0CA@~l_x1BJEzT9fEphdpH{tAg)4-9OJ z+0;2?2))1GcY8q05eOZ?NTwe$AOxO+TqVFPBk2+?%L|?OR11d{(6}azHIQjpU;^=W 
zmlPTG;Y$+};O$LAIyP#8xRw@~Vf7u6?=AB@|6q_Fv*JAyBw+iuonM7Rx3;nA%82Ns z0mYNj1Z9}pr=%+8$T{#KI2s5GkU;K>Tw|Z4od&*INb^<>zGkSqNs1`8Q2O0w_uEB6 zjI*)c>Nygf%GxTV0oH+J!>pPWdvJPiyzd6=&v#jX|Hn1%)5vOA2j62*Cb}sfv|Ng* z5P{=KMJ_p0{+60#EEoC9~OE#_(4NF>~R5< zF$(t6Vj2E1?{#ke3?=%5PH%?z;j~RQ@5Z?quGRwrIG6ptbsp{e(ePUpf~;H{YF(`U z%q?{4?$SOGMO3P@c(ace8)%h;!W`{FJJbOXk57O(=3|GTW_*su->E!@3-&s=?2aZQG8$f@jaSA-7y@NoLuL-sW} zW}p_I!Ct4fyA+fiF?j>B*Jk_~9d&OmPZ+#u5lu>CGjG2QmO?Kr$IMzAx@`I`TX4kz z$?Dfve>+@H@8pS0%T?pz+DkX(X-C^1H=ai@Q02LwBzOq$*Its#5BRZmJck0|@hQiY~Lnxs!9AK+t ziK4Ihz7ml6dYcN+gXbXj>+78w0ouyI^ROY7L1gr@_j#5~6If{NJ7fW=sNXcyR=1eh z8@j;1^+QsO&tJ)I=c*SSjWY$M0jmbC9}hcn*0qGg5O8ex-?CjZSXWOaX|Sy z3)F2Gfn<%0iAcdd_*Tb;Z4fi>#DAQ`Aq1tr(~9HE|0?V|T*tax$Jgwe#mu1t&S_U< z!z;%+7$?9r``kU8FCVCUnydSGq!P4&3%SgDxI%3IS&vijpDJZa_w zGTFUo^-}w-n|!?@%YE4r4n;n0)tm7xgM~2EWuWm=>H87h05>Gi8e~-LGkyF>1XGz| zG3L}d)L{Mc?WO1U1Q47KOf(FARu1dI@T7(GI~nLIK(D^%FMS)?RO;PlhV3$1b#jB$ zj%Q@VVSaw}M4^YW2N3ZN6X7A6&#(|T!dor~{VQ5`R=&C%AQiuWVZ zj(1BV00rJ>kG@z%LnU7iIbCuNUZUeKn!fbNt{s1`XEosex%)h}er47@o{kEe49Hd^d?uE05UV~zX7McdlPx@M=5f4R^h3{TRF;GR9#5Cvad zOfLbWCf%V}xwYQf^@~~8Uwu{4wi0W>wx^tw9Y0cpGKC3R1dSPVc~9EHJ2Q5H}l&$1LcJKOj6+|Z3X%R^BVQ#j= z$#2Y;=4g`GD=5t3vz^0fS2tF1tpH*=xjKxoE%sZ!WXG}&Fz>70Io2=*d7cwJsE2*I z(AdIYIBvL2oA4^&ims8~qw85mJ7m{D6q~|w7rIky26~b0zM+RoQ-=yWLbV>__lj|= zr816;$5P{FUqucu1B#-a+FOpb>M@b#s72ggiNlFmbGwi)<8Ger^@S#3i9~2wv1T%- zIH_W&QFu0DGR0C4{zw)7e9dEc1=^`M3!Dc1IX*%w=*QHCmmjfYVe1q3Vczn&j|UwK zeH&%nnwNWNp);!Z$px6kP!(biR??AucoMBFHgt4nIg+yD-iO0X=9%`Hfle{6j=na4 zP)pvGa>EI-aQM>GOKd9&u`K*cqn`xs=d93qC}9FN1lq~{DpmFa_g$ZS*MerCQ}f4oP7r?euO<25SQC zSSyQL7snFM_mFblNq>$fiZ??lQm}>8V|st`THQjM0*c!g9Pz*vM{u$8Y0N2-`S@K_ zzrT_W@TVoE!b#o$2J9@6z9%x@!OMKX;dg5L5IkfS)HDrK=JU}k7);W|2+SD0gV;4kNz)2>9buw65IR;@L(9oHL}^n(SZYdei06fP<0 z^yck84MGOW+IU99E+6_Y53-Dj{QMd?KJv()nK4KHOwoi%ous&PF~=oh(PU>QLS0lN zcF5t8|Bti6SF1D`u|k4kbwZ61sX|Ep+#l8Oa%aTnNwGj#B^Q$%p!BGL!H(rRl>Q)p zfTnfGq`CV z;FsCHf6u%&HLg*MHok=XQ~z-B`p!6o$lv?r-hQpn$Jd_vwmZsI+3kh8p87fSm5M{r 
zY7X#cJLz#Fo^G}-&2{gHzvirh1c)!z_gHgYGRjvRY>!W(CG^OKOKj9$?1+B5WHcLB z@bH6=z@=xGm{ePO8%G=$r{Z6`JsP_Fmd%z=Uff(lHq`zpjEO1G_T%4BnlUkFCoQe0 zo8;uA-zx(?W>OWCRrO?;0);s^xRcxP^4AE{Jh8F(Ns?&mSosir%*Cdl^9zh zYjE<*I=xh%D|J|P*Fl>lwLV*PJDwLHx1G&bTTQWOt1KEG>VCMA3FmkrEBZN}tC={_ zR7im4+cu$|daPHvL!!R6yQit4>5;e>Q@|%T+L(K3IK4=0PvHY!WLY7Hq`SvUr)oqKI+^fnr+JEx3poa}_ibBLlgCUS{@gZp)TF-Tq+b=8sx_S+IC<-S8DUvF$T|3{f{IGYPEJeqN(y;|5r2j5#H+wUp6?p7 z;~PSc1i|Ju24s(O`Ixs2Hs7RV%?yI$F`)E*;55SZo#Nz;R+6JOtX() zJ`@d&HQdSRQS+YiP%jsKqiC`Np}%EC%(6<`Ec_yoT0`BD_fFD>t}&0uA4tYxpFDSo zuw)C)Ruh)I&!)!i83_}`R&B4O5)+uUL-_tIXbND)s!IuBIHS4Z>%J=QDfoM3D`tM;tXU&#TT`-S#U*o6J+g5I$B|Nf zhF`?&s!W_rDis=bS|3GKU*7fZGA36kD0KOx$iW~VA?MFLRhT9&;Np1q&r6j6E(;ps zQ=!R#k!2=#Te~Cp zc1W6L)#_sz4Py>NC%*=!K)Ol#wkls0L7ZZjKV%h@a^<<21?+uJaY71Jr+yvf^!4PM zIy|phTmqEre_AEc_vC7kWc6q{FXXtqE?J(~lF_3m)YXzu{JF%>5~k5JyvmB3ZCB1B zJYzi|GE;Gp_@4Cog5#0N;TJBESEVDV_7_5Ti+{>Uu(|3>#_)+O@+rEQ$y-;}gm+ZO zDM-E884(&)bQ#$Ylw!FZYO5LILa#gN>nVOWTD_J;SC5HZ!?#-DR2*#9{wCPs)7S3i zSE;Q!Bf8+^2Q`|r^dvh?)lZML9<4;=n23*lKpEq z!IY^OAJ6-_)H5NIMvAvUpw?K)FQJ&kZAeQhGtPP1lH#rc8-G7}dWoDrYdPAeVt3f6 zQno6LEAr7#%Z6=;G{e^h26K^&8b<$Ce9Vh-Z;_Ji~IWZ@C}jGH@p4{Jkl7Q+_#RwWfP4bUGXft1*f<*Qfc-f~rk@`HPy%k=NNyg#Oc5v~`qClYV)u=}SKDk>5fraO&b{A$F~v16KVZ zDkVL z_(^;PDwTHg)OdFT)TDc4^vguQW6MZz0b$ZR!bA2DA#7&SJahb1DW~RyW2Kw9E$(Wt zW-9B0sfnyV*J(;Ad39Fav*-e%La$ldP|r}?%lPvGraKdS3yQnHDEx;^yf4j9sY6{H zhDm6`Y*if%Z4DggH_o-rgx9a%3g~3UHGBvkCo52T#P>uGiTZoB(QKXJNaPS$K+jfd z(Te_bzq`oq2A|OR`Eu;5f4J7y)EL8kB_i9I6+wh+*FFD%JH|{St}6EhZ)8fYMiiTj zgkBhhpLKkW-L8CGa}T(@-T%eK4tz&MCGAUz-9&pI-wO_3?Od`ZW43Fnd>y^R#99_j=e-xY>_6xuV)1yOHZwx^CbEc;aK%?SWI$ck5m%C<6jpeRmc?@T| ztJwfP6xuUQvBK6Y=NMF5&6(j*WVyvy99dk`XwThRn3oiSG4@K*95f|G2lGtH=2<6d ze6*+cA0qwzYCLFqZN63c4_mUZLd!$SYNc{}%j}0+>PLXxkaYRNOaWnKVRD#pf#AFA z*?HRL)Qa0nrSD_=DP0ZR{T}Oim%ed?Q>h1y&d9MtI0Jhsq>+Z6K{p$ZZuLwr_K_?x zOI6G#X*{ba!J3*{9OU^OJp?c4ID+pJd?=u(2xQGHmW|QSnmKSD$;eNxSh_>`NKc9r z9@_)mnTLYyd0L!biE9kn6a=)mZsX6{Oy>r7C*?)t$+O2rw~YMk57Tg^hBupg)98KiOLd 
z!Ph@YhiDCh0_&cwP?*M{5*wbauP;W|?*8>5WXc3y7x@S5uWZ4lsHSxHG&+P(VL4N; z3IpXiYbnBN$F#KT{p5^Yl(=#w#3XokzIBsNXXfT*p8aqDULo!?8jpEqOzErkG(O!= z5sr_eHFM%0bm_7J?|M*a+ja1y*&hv);~u%dST!ACWs^*n*N!CGB4- z3eS=3??m$WMu=KV%xRXhxJ^!7$ZbR9Nu1p8Jyuiozd2|=DDI%i>3RiEjuXU&a&j52MHeHDud z$ls5zAY{2l3Z*Jh7N#?J)uJ*-ABKjnucesq%5NL~ysf9s0w?FII(!}ImuSfW^w>^Z z7Dz>OFlbpsr~tx08P~L4cMz=^?+zta&PO0AMlc~Jg4x0kcXq-LrCrOB2;I%sOr?<{ z;G%$f?{gVfJ|tjP?J9&HW??j`yg70m__W&BU;wLg060Mz2B2pP{D{yuXQy9Na%>2dKfB*OxO%d~( zI0|y_XO+2A3kT_WZijcR1OS*n5u99&Sl$)dp=_DHa2qK4&c$)g#KuhL?2QV#xxC1G z^t)vZJboPC6Ri>>Za5Wjon)6?f{cqk`FM!;C|)0q!(M8KCIg1mc4sy6x3>)d zo=bS-E0o{)z)80R?iwpHD;ZwbqxF2C-?+XdZWZnK8RYV4_MAc0;+0yBiu>?(ok?N+ z$HZ)fpL#JbP6tife<2i7buq$}rg%ltwScrb8pK_Q3NatW-e!4FLxjoE`P3a#c}3m| z>YdZ}^9a7m)!{ojBXgw4UystNQ=8vf>|7Qt1i9n3%hw%p0+ZV51`>^*`+6j-bhl&0 zU+_yr{rJZxqIO2aKhxV@-lJpwFi8dM@{@6ec~BcA@mMqz;{B2An%y?@!@P14y^3Hy zg~uw@uW^-TP3+SF!q)WNrUk{HW+qaB&c(|%#`+P4cm>9dyklWmbR$7Z$)B@oi}NK) z7ST4EhkcrMhQ^Gtm(Z=p{QmCN^)@=1CMY z@BUe@I@ZUg9EcCnNdPM4tBrxh8IC;MyNPyr(=Ie3biurKl?L!-rNk)518H8>=@~9+ zpC-tGy3=#bEXP$8=pR&EroJ3mM3~4e_@QwW-bgK z`8Di5GP}l%egt|>`{p;-4Uoq1NHgQcCH3{bGCppj;!&KdX|ek5@CN3aFp z@pYHj=QmsnaZe+ja0+*XKNJci1wHxbfkUZo(>Q#)96q=)kj`4^fsj-XMvL81hue!W zv~Tjoo_StBSR8sd&T!rPgSC3_4v!b-5a`=- zWmf{p?+Vt>@{oAjDpJ4;bK!ooF> zLfu5=-i2RIa2ej1!*zeKkYcYD+ZS_%4eN_p*n=Lma6!Csycppeb zrQ0=fPeG|4X|lMNUlEY9vANi|!Znr{fPNk^_MT^NIHLEHb%9_jX>P5SN`91nyHehC zm^a26YW;C~a@Rp}gz?CWWo)%*rcyzAj|C)R?1@XdQyK4Ht3q3?CObE3r$uWA`yJhk z1iWnZ4Ksj1>-yBc?h9Pdz5j#XfB)mgvIo|2U8U5fj)|c=@=EikS*4CS@JsMrVL7W> zjqdttbRoX7-!pl@TU_>}I!R|9Qowr&qr6gDwKFTzb=qA`XxYF=T_1%Ym0&RbABWzh zPmFgR5{pk-KLHyj=#Qd)Kw~=CpQj8q7DXk~vmH4_qO^8*_lZ`mAjX?!gVyw4KA-{=7!C@g)x8fc9i?Sha%Kp7`=eZ= zq}CwJK#R7R$yqPt>a7u|E>z}cC4zM^>W9qE@8*=kMjLF50P+TL|L-3}E8w~g73HlN z%p+AjyHO`lJli$zSgDV^pDAA1nJRwomP>`x!-dJIt3Ge&DK?x8@ge7;2ZS9`Rtpe{ z33~@A@aYf~gEuZJoqEWXc818@;FYvOprorBzGNHXR>~Ev-=uLj3*QX1*2oxO{n2ky zV9~X|a%36s6Hg?7X_p5^Fy9wxouKEUmM=NuN|$7G~ib*K+7_~=!XyeHkVzi&o%j# 
z(X^?0(hEs5%R13WssXnG6hH3DsG?vLagOGP?6?kyEqcGd5*U!lN6kSW;tUwL`=Xmt zCgFjmA5qS5vw~3v;J1_vH^@MLE2bLt4Soi4i;>I?dUjgw#h8H{7Lmq-jZRuAfROd$ zJJD~~kC`!ddc^3Xv(}GUFlBKd+mrD)I{{Qq9NzHcD+%c7i5CgT`a~q|cz%4+j|syT z_jkyTgFQsOB!Tgx*ok4HD7iR*AnGsO&xEXh8c+K9fvtz#dq^wt@o$JIMi=s40@E-&#EKZu#uXEx+ z#|oS@&dtLfQ62Gwy%T z_8#t3zkmFA-m-T@w(PCU>=3dym2r&9rYK~bW0O6T2u0aj$T%lCi6paZ$I9l|$2iXU z-KWp>y?)pC5BOe}&h@&Vdpz#veXDa$CReaWktWQc3G>^LCXAuY^WQ0V~#OF!@>MTSF*V&zngz%o^T}JVraCE7Qp4fFMP(c&sZ788{=545OkGpEGVyU}Y z$Z>R$DAAM9t`AP-M!kX@|oDtH>1k4hs-mAcfk4 zU7xP+PP-H~5?%vfGfJgjrqDiz!q6t9*A==yQy zOP#0_f=ea@cTNaS5Cj+Go+?KL%>}{Xh`MT-vE7jnG0+(l?}<7Ev~r%C5!4RPd-66C zrn&1K>B}72K3~X$)#$=o?do2}XU%&{ou0zTl{9z7NI*wQN&XK6TnP|>QGw!Bk`(fv z$bsTvsUlmbaN1q2RJcck03Uz=aaTe0aB^MBB>1*@ur%r#Cx>><=a55-=kqR0ZFlRE zAoKuAQQ`olpjf{n0R}%s!fXLbVY<7vBzSH@`K&JRK#DxQm+s zs~g$UxwWd!@GN>hkV;K|w~!JPu#nJQ2s!AkH)uDOt4oLi=h-Dhg=6oUCIR-nx&p~T zcQKS|5b(iNsjFBu5FY}vdq9HkocFv8y9?ll{}&%#@3$@iL<5na&0rfDfo!EP(Jn8m@wagD*>F};DM2nq}cVQSqvjBbp z`UbCtCe05rhUU+ck%I!RQmN_f5|b2)pJ)&Y_#Y@BG=9F6O3ixrG!k(abQp0Dzz=lw zG%^R8&DKT72(~#y@PaflH3v%E1t58Ux0?iEz6)ymXoQ3LI)*^1P#EZBmH;VTAmtCl zp$!B+!KS-8oP53kOog5rR5&RyVBoIn9;LF=xzVkdrJ zRht1;rGSqT1WqIYCD7o4rGwyTl@KMcv5CcQ|MQY>7KyL`3{MaW+!{Qf3GPUN4#Ebk z@&FkJ1uF=_6dl2z7SO}j0qb}@AdmwrV+%p}I4J_X1kh^> zf{+jp!26dmojD$IaG*}e$b=AUBXGn`P=XMY;t6g=fe!>Bznj1WnoxhW0xj4m3CalI zi;g9sdLj?72`0$j^Tnu0fJfcSg*-vin@}~gU4}?*$rIr&2;YfY zS1LWge=Q5Zzb;{bC{P0Yix8%7#s8VU0GU+Kd=R`Vp*BGv?mj~00X0SpKP>tsSq*G7}2%#6>zyq4lbaR5V1fckX!ock|@a#~yIS{V|%Q-?D2v{r> z0}oV$%Fzi@4L6hOe2&>$f~jxj(PZx6%^2_%@_1#EOsoe%_`uwEtjP6i?XeUM!# zf{h0R``SR^e<&nmPCy}q5CA*D;y>I0mq9OZ6*{|ULjBqaz$gG_T0qbpDyUE9yWE8E zbpid~22&^OD-(h(e?oKw1ga8v1i&g2j24dJnbrRXI)Y*h-lg<$}96+QyU%p!fSU?;)lVE5uOI0A5y5D|b6a7?`* z98*M*z6{t?!m$uRxT)}Tp_#BGk-m&r$F3H_h$kaazXLF)Zn@ih1O?L)obUvb2*cgs zNQ51@2p}|fkEg;IwrziXPi*0p|H^grrr4Ld{<;03GFIL1iL~8y$!{f`-uAnJ!`G3m zncHpx9V|CJ0(7YsRO9z3I4dd8nn~QD&tw_rBCe%|2FNnZrCdvG2^gcF3%^!5xxn8+ zdy|V~yH}`#bZJNmo-jgQE6!lCFmGB88N0lJ0F~XL2d6Bwcmo_vBLAp@Por 
z3*X}R$lbnoEyc6&rtqFpw9^-A?=u!8w@USyw9@ZQ@~ba^&k?0#qy6a%we}ggQd`yg zOoFHv{q>+P z;#1+Yw_=xtLdo~&GYWSdkXk@GgdTEtpK&hc)~jWq4&ps+AiW(gC3s5Vdpnc@*yLQi z1!UQfIT_e!o9kRU`-~0|C(?lAhs*)~bFRZ9fg;mhHc90;wB)4F{FZkFq)yneI~c4_mcVXzGL`WB4a@0*38!g;U@-B18KTNOJGbA=?;u> z#*YHcX@*n*LMkdLAV}K!x8RlZDJc-Wy0`~~uEq<2P;&Twfr3eC<%8NgBn0sS_RU2- ze!STR3<+A`#Il%o7y7l4VHLBIqaqSVjUPF!op<;Ryp;HPW zUU)8GQ14L#hAC181VT)Y0&(sno>*rTK9NGgKxyKx|KdA^eZax4K2hs4IiX+t4@f&8 zV?bQ0@rl4#J3R}ia3D_r@Y}*CdHr7^iG)O+ihvkt771+-MK%KSV)TQ6Ev0K`3{r?~ z{nwJG0{;>b&A^i%sXGhxnM}l-$O8>8q$G&py0ZdclRDFZl9D}@1J5dppMmR}@v8uD zy4MRp3ytq|g#XJ!^Iskky9yt%|!2&s)aFoWVHf*?`=2Bq8Q*aJ3T3PyAFBcu`)&^Zf%Ca16jD0L;k6cY;@|_}dg&y?AcmJyios4xBJ8 z>VgWrjK|;kw^0-UNqF%)Pz0ZS2jv1i83Za0@p#Z6S}pA5KD^8kUMxHhD8-|F) z2~eV2M1a-@UWXkvK2(`73M}e5ow>w^fG&uJjgD^>vw*Qjx1x2sb=tu?(%Dn)#|8@&L2Si4^M+Qh7NN!NS z?|e8gmsCjiz5|k3d>|k(GQdFT!3<*oaS1QZ0tQjMI&hEC#EY|)td7R;_7s2Pl!(Ug(CT))0h25U*;<^tON#`bWd3*HumuthoD*53 zF@T#c&o3~}ZgOet^a^%RK9xfDMceT7m?Zr>Zf4k@QZGD;Kj%r|?O?hI4W4o0>$rB4 z>(S1wpm4B>nEq`daZm#VyL@f{+)0;X+>swlG)Btv7%X zf1&~yH;}|2EiHyZfF`c+Ah7LPr4}_nS`P72|K=K(;Xb+)2V-~whBBCI*8!_DJ`Qvm z!vjwPHKuw>*aBpWgh4UQ00F25Ib8vkm5@(?tX#Yl0ehM%NkI0$y+?rbH(rX+BJkw^ zKv85-3zVUTET_{iQFV4;!Fl!l@|%k zAVoF;#Z7v`SRUt*BqXJ&lJ~DA1bFx%|AOEi#ft$U0|px)#KKp@dpcc?XHW)VNg`W7 zhOT@8;FXG@9Z+QGLx8Aad?k2ZVi*K1PSsEWa8se&3k7qJcaa3xbBbpHmg0EfV6K9R z#tBI9cr@WYqZtau1DI&D{P;jH(Jm1#5n!T$oe3ryA$Gb&!c{^N`5fqQ#uM%hU_5gJ z2Js@n@g}_#C}6F|)<0}@WDyd1N|=O-i|W8-&UGKcB|tlrFdc3#p5MiR-~JdBK=k(U zgz+$_(*fXU7k@$ooKPd_fQmo8I^jr3J#hl0Ye>TO*S!t}hQU5D`Iigfh6JWFPz1RU zHaG7b^9khG;z$qINPdIWkI|xV8e|w`q|8IOD;U=Jkl>&Tole7qtOA>j47EUvg%?@?Vk6$80-791DIolv4+_o#fUtf*GK(JvBt{0r|K>AiAKf+7 z>Lh#cOq+B3fCFlgV$N~o?$lylX^%na_6GQA!PaI3#S$z@b0tx zy`gG*?-Lx|h?My{OTyu1YV>p``_?9A&JF#?1BSmV_ejl^iz#4V0 zYb6}%pnUeAl}0-Vv3J<4kmS%D9A6!#{@QN)15ZzNUI_B`S08mB@h*fIA6aEB_PXr| zW7>fKP0Jm)kkwyO!-z9#61E>39-W_D*qG=QTS-R)4Z}AD@sJ-))V?-9#>CMfA{OQy z+#d~p?ZRaQ6b9PskGF5QRkmhzOU!QBjySKk*l#8Otv5?QYMtDNW~|R|UTu 
z-0q_opg~#~?rjs@KTC7#yQFtx@;0VaXL&b=r=4n1ocH6VFNF|~2^PDltMtKfc{>4B zS{{}mw^XDS>So(n3dV7}HbbLF5>NP)8fY>99ruj2N|YZ)DZ0-ocFJ_JJPw|{`9z&o zQ)R{|@|u>k-SqXIG;hq#^S{u)DrEpo?>K%kzpD-h0J&6$#mLpOLZCM4~?X+qHRK43XgPewyn6t z|9OXCWlX_kUrAXT8T?*wv2p8}&v(P++oMe~{q>sdawo(T^Wht9Q;3X9@zz{lJ;OFlok*hs zkJqL6x0eDfGPY@4GPaT%Gq-Hbw@#-1s5PiI(01k@$Fk}j$6CI=96Q~)cO3g9Bue?~ z&h!7$uRQX7rd7|ls6WzCPTW$mSTnK$V=lWx{ReT;&TY1^9&zY4NZ*c;4(UF5*vtNI z@nCC?wNL+re8r2eBo*>AbMpx;Aqx>qkV`Ll+7!zVv`|5F85!UsH%e8{y2}(6iF-qL zFcZq`*>(Kw3UUfXM4rlMo>S=x^e@cYCpfG26AOoVH4T&61S5M%{R@@+ zrq00pp*e-2dy!`;FV}Ac&rBR^;=W_f-@pq!$h?9pyzl68Gn`U(<_7pmg=oP-y6*(- zoREjONdC0A;YvdK${-kgi)5Nug+fPmrGU)n^G;8HO5h99F)l@y0h)qF z&(zj&JM{XtJz}K|qE@bI&YFu;OG*>=6&w3gFd5XY>c4De!YgOE6wU9U>ediT(Ki-K z^SP*raVsJAW53a_LrrG%_T;V0L#u@jfwvlb#MbM{L?_eO-WKf2rL6vp{XCpICm*t$ zXEE4R>$_QC7Gjej(Z5-*{V?c!Qsus|{<#&8hEDecKjd+Umb{8wBp3O}R5^=Gr{2ci z+wS`*3C@~jzy7V_xhpiJQryXROF+plpLSc_Te6H1V+4Pn+3MMl-`a&1nxP4D~QR=C5KPsKqH%+_t5l zm{m`&)_s~z-c9&Bc~qgMdf%1%akYBVP8vJUPPg9{+ZS+H-#YIt4or=aPy8jU^vb-Q z;>`!la8hi3d{V4g0J%q*h<$a;zl|0as~LmzLPuxPO+-&I~9#l6|PV(8RD^DE}lk z-sAg))md*LdM=(Vk~4c{`|d>g%S>7^Jy#l)lD2A>nnAToF-eoc+Xk=c1b!jAW?nPq z$nA#>mdyN&y?NsZkyFP$ru!G7e3|{3%e4(7y#$57kx8*xtyQt3+qOL%9GVByuldqi z&Rjye-RDfM1e65_1;SwuS9+pfB^!M{j(vJV8z1{vT-M9)vcqAM!VD+PE2UoFTJ-*5 zy|3Pf-0}-L^`aLt{>2)o4t$r0kBsrt@8*KtL2nl?(jKGEIFBV}U4B;$`sbDUZV&s2 zNJYO0{?IX0dF*!Y!NaqHXF+%T^u28ql*ZpO=LYZ->E>YC4bdUn#E36?eT;Dd6PRrq zXv(0%WV}bght#{u3X|+LsbRz>-c0s zYQ8k>8dfWP5vRY|xP1LC$x*XHfklMaJIulHnaPuaE|Cv=Zw~6{Yn8bMe46UaLhG*5 zNQ8ePwoqu`G8+43_SHdls(n15-rlnz@Z6JYYcvJjr?&l^err^rSNs${t6|M;Sq~R$ zpoQqPz>Y|KcIFa@pVPaP>m7~a!zjO9kgckFe>dJJ`}Vn_&kZ42R|i==39_0a7asg| z{*pGesio*tnhU9;CbV}=&R)<9e8=-xHJQ<$`lDNu%Xz5_2c<*L)-LR}4Qd+|ex^je z``TXZPy1!%z3P(fPnve7p?3eHv|Eg%#I!HLslJ(Ve0IT=e?Bc!?o`ulwEfdodG35h zg}Zx6&3psPu5#s15kt|$wu`zpN!gAkS#m^`nT*25;oLv~nq}K1&|*nv_?}Fb&AF$- z;PXJ5@(a12qqWE5yB|F!;!<9=uuRH(guo1$Hnc99JtoFt<=oGyd)naK-fw)r=-XY} z4x{5w-tka=ao&MpZyNl7D(Y>~ogW)24qLIo{b7r;;B({f`fL@lowog(j-6tPda4`` 
zMPYSmR$EdTA1L8HCwwy}j~%`*6T3+Yf^U=h%RVQxSCzSN5gs5p%uhF{^hs}4B?|SW z)A@X`a2Lr?-Sm5WE&vU4YrB+KuZpW=e4OMTD$^4KXXRT!vMxEvxmZetYgpSG%X~Y~ zS1kNon04^3xFnxP_1fq*{)B#;iEd*xurA66wa-xA&0$XF_Px>R#C{^FxIkAW1zOhb zJ9a)zMH;pmHiY{46n^RZfsIhgfo&TSetdpB7+B%GYJ9C+gO}e zJ8A{Yz-G`U3sBXfvm*rvLX-PF7sn;{Qcm;Q@^_azgX)B7s5i;2)OfS$?1zWV&Sp7g!e1Ss_FW(*bR+Oi02U1 zsZqqS0%l`VHGR&$viAIu&9-mdqp9%Ct@kaa;++9!t9-JYPQJ{np+aY2!5sK4j_rOVKV;!@6_DqQ*z3 zN6K|JDmh<{e-m$xyAQpvH`*(8Dj0j6%kESk-}Ox9h3XqUx~(!?`08fnN@_9oDbYTp z_@LCVUsUOR7JucM!B8gM?S!tOKFB zb?pZ-87Ed-Z;sg=e+Iy{?Ds_jw9l{J?GU}-ysteioiO#{3>naSc$|`46*7ck?ll%5WoAp#(lEi_FbPqxj* zcGjkf%Vu3)pdiV#5yd>~!JReT=I!<6K6$QD4u2fhw@lB*9U7vtYY$wm)P((@wQl}3 z@bN-C@Oj?OhVaIQ&8PLqH#ouPqR*Z_78{ z&V+qMw{*UwNO{a>ZRlp37URRX9`iVdBBevS-|x(NXpKJNkVjX}{EK}?pTlvXt-r?# zkE*RN%I9E1{DoBhA?9kEB0lflu?K%Y!#bru#{?dD?mV0DO5LH1)0UTLhAf8#-6npk z6ZC|yaW8iwsMmaYj;7T3M)rfY2vS+=JM;3Yk!O6w&4~6VtFP8c7#%GvZ5W{k*$cDz z3)?u6nV*MTAC=kL%XKHYzr8(oy2nB{Vt=pVLE7=hmg(Ad0r~f5_d~ilO&5B8PP~ro ztG{^i-T`lQ>l#OEVb8XIv+B3@&lJ+GvW7LLC_z_QyD&u+mB@r{m}ZySe&fdA$R^!V z73Wf)QMqbLLQcclt>@!R@9Pmd|NTYR^}B_ACO3CUrHQ=OzQu7*^2tl0vOm}4YQ=-8 z^6nYldakT8xE`sBU&H2q#QjRWSe#&o6s_E;Pa1hPQ^FE|Tsk+(iFLKW!z0?8o}pi5 zm9rjZc=|D)zH{6iVJ2V6S1#VtcCY_XR=XDFEfrQ;S@|wdJb3JDpY6W(MKfsB*O}kX z>V%F*1VhXod#SDb^fK(8Jv7^@_2JyE?RF%pq_`p*9o5Fd?-gZM^<&LL>Ax47n9(0^ zo7P^tA*NhhtKeOXwjoJVwa3@wAuzPVgQ8TYr9Mnp55{aPb&+)<@ooRbdiI;!$;#4e zVRTKJ!)HvdKTOA90*B$kvhHpX3yRcqL1%`!fjg1|UM1UIT>0-b{?u%3oxNg0pY^tt zT4@#%My9ux{&ubK$Toekp-;S78TbuH%P%t)dFuJF* zw&ZsNx81B`ZKql@d#;e%t0I%l4)0Hp*mA)ytX-C^bE)sUp3}D}B(ray*L-C2lKoWm zX)sh*Y=r$G-l+T7T+&}F@msDfb?WWg79X@w7Pei2&0@-2&yQ@q4|JC}6i>etyc`BKV=1s<4I9Idq;f ze(z=fXov26x-!vM8C&I?vp>YwCMH$`2Q<4oFDAXc8hui#Li&4-3+_`i2QfbmhPguy zB&QC9Pw!d@&G=V7(A?&^AFN87+}lRvHf6Lva=tniG*Gg*ai9O817sYChrf#grv5!z~j?S&*`{5ghW?TDVW8Q-lhImMFOq))$LkQ zHutJB-?vu3DD6=U@H6PUjga(OI6C)_OXtUWgr|TuPt_-qjrf=Gs zzTDiK-u(4F2tNYdvmO%jNEN71{WV!(mC_N_bL^Ju>_*-6&LQiV53XRe2hUs&8<)*Y zI)&KYUK@P=w+?%FBo~1R_XtOr5i?ypqznB1c8FBnw&hYkLc1T4^%wR2Z=q)f?7>Hj 
zszb86{=@<#74`S%7TfsZy2oSHl{@eVtmp;@~d zaTLz%fbtV&zI-pxsfxe%k%F~Ed(>FNG(@63-EZ>IMb4%K+6Ljq4ZlwpVUoP$@5D6Y zdvw^Mu#8-~b;o4ob*n6zROQA)+r(1^Hf(+M6ied$$@QhrH#0fj9lVP>{xUV1%^8Ke zUl`JiTr0dd7hEX(@Z9*Qzw--KPR$hBx-j*ZWp>ejS4^|ln6iTLMmQT~MaRsxDShKz zZhTKW*I-Q6wFeKx+>SnsL>L|y1RD-AZj^3>%}dDChJHNs=uoA!&Wh$V^}77aSt6az zd$)N+{MpxYZTY#JrioskR5Nb~%k;>5S|;Rhp10DVsd5GTgBN{4A)blB3kBY&k%sw8 z6Ou=HU!VBWQq9%(wn=?;v;J}DBX4_d;)RSLO8mCatAzdDFWpOdI`>*!bYHE*rbW2{ zClY^M3-Pn3)Y&sbgOyHqE|Fb8>CUA*5-*XErKNg&7s?%UQEWa7Am8xohDN!0@BtuNX1rO8vTfLu6r+MH%yII)3Q%}lrfo7 zUA;M-$-J_31b8th3}aoK)rT7BB|dw1@?6=*lM>{t!`UV)}E#3o^jhMqLQ z_qZn_?+ND8(tqqenpz0u-Z?JRJgawq+3Xb!qnD!wJ-t#D>M=C>mKQ1Q8ILMI2!%>e zin=fQ=|59s(NOg5^HYoQD^j{KZBnu%VEf=ngE?vQs`(>pIxFj=(;sC!WIcx)n<`;j z+MC;mtwVI<6WRE3Dw4q+?61`p2_@2EPlYeg%W(^v6%vOpAD22I>IYLSn5c#A%B9!o zM_x(Xdf>>f{bzjmtDHJzXYS<0%FQOeuj}3CA5`=;9c1|zbBk=y+pthu&YjQ1)*m+A zUPO)HxdVNppGA!V7J(FdIF6Vy23a zbTyS&%Rh}5nd?5X{HCQAQksZlo+&{&&h_ITyS`SDg+JroZ)mn2KdJK1MEkwnPhb0z z6Owh^j^`j#l+v-fBA(87G@3y>B-Dt%ZC|~tS1QFQ+{vo-;TVQPl;2W|w9od5#DA+* z4u893jZxM%_bzZ73713YX+~69#kT5?G;G_hl5#PkQzx+;rmK^7I)z}eo0k?j!41YV6b2V48w2WE$+@xx?Hl|+w zw?F42A2oW2=bc=(#amotSxi3sSixa)MKw9Un98;`(Z0f$X(37+&wsMon77}z#|1L| z$SFE!MKN!P?KZxBJ89S$=hRTTkoHWZCC(?j$8;hjTJ^|CHbIdXv1rf)zFqgqWEAtp z{tZD0h6Ey*ckg3Co*v$iTt&RaeUJXr z{rrM)fK`%Gxs|yGlXz!PQbq7*oR|bUTWn&*DCnn?YJo0;A&&Om6_ty`{`y)O)3@6W zWYvQ!OVXe413J|gMdcSXRpozhK_2)bRX4dN*z4!-k5e7b8|yB#$WxM%O{U{F@4ZY$ zktesO6W27u{ir?_5Hq?L$>W)2=lf8sFCEPdQ>Z^r@jtyqox}|P+vA(>QCf~}jYw%aFRJVrr5To{!Vqo3z zkxlim`@X}=UT?2w?qb$r{@&ac`JRy6F+0kt7X65Z%Pn?q7$;n%9_e*npY(v-e-i~` zSsuGW;8u20d--m3CLw3gAZtIuS! 
z+YPcpS`Ec83BoO1_h>PhE9ZCq8wgB}VJ=JPd{A!nljZ7F=uSny%vKl10vUO|Q`^(j ziEb|COiNvJ`^)u^`Blr1T`spQl67Y5#gTV;i(dpPRo80c)GxIfm2$s4p65MFe@OSM zn7hv)@{#vtzNz!sJxX~sf>{ZW57=u#q zk*q&g5ss9Mr?n5&b~)Z?(&4C9h9dBhdL?_18;N&tR3D#;=R&(wa04*8CNhOxNb;6; z%aSm{%}S5z_{#-=wIFYwO03Lefe(MT>YYSJQ-}b?j6Nq{G-KEP~fXU-QxRO zoa*&Yp+#2VbUt%7fXO;{x>H8eZnP(b7=*Lyr z|Niloo@X7R0UyDCLZy>OKX-l7nCr?-6gP#!xo4 z&gYC59Sz2ts|>?~uc$~*74sy{l;2_EOwxR#?yXQ-!&FgG-&odEqkij6Mn4ywP;e&p zsT@J2=~*T?Y%H3bG9ESuMd~}rbiZJEvOrX9+7J;PseWI4QzqDR%HZA47J2{AA=+2D zJu3|!tXqmt#V4Ev%%7jXly6+sc7JwFP+z&@hb8-_FzJci2emH}P5r-Ld!aZE1ZU_h zXa*X1O`|O`&lJ_DR*!VI<@jYFU*g_LmlwqBk_1ma-iwO5QR9?Nx>U9MU!3mi*enLF zIO)1o_0{eK>$UEU&~z6nZp(yBo4#YB*Hp!%RP5bi^X;AAOuze?*?O*0!vAo-w|q+z zTc6&2f0rj3>um|B(d$#u%!x=-uRxq;Cx9X zH^^AL=jI#kE9s_Kh1Q4#qE(OWu$HS+b5hg27^npaYGCtME(W&`DC&Fl%^0b~5k#S! ztan5U= z@joR-ry+9xPzCb%Po4LmcV?&4Q;Z=Vhsm= zd8VyL(Xc%X<}?mG;e9aAK@;L62zjUP)=Gxs#i!gqNmNk}Kth%oM_wX&ZTTDe5WMQi zC$unaE{@Fwsr~IBhVWsV<)b|&94{=58kSz#TR3kcc{qhu(e&{s5xOX`ZdenN8;yXP zE02$uc$6t#l)PdaF=4C8hK>YP4lbCmJ&A^n#AAj{-YnCe=-rc{b~gCr6qb&*>1LI` z1A9pJOMq8Ye$~3jol0jw-8F(1>rGL`T)SkOOFJmwm>WSeNlI-$6c!$>A$fQ%aJ+(0 zU?Fej^f|rp_0Qtf=m~bu;q%IjFP7<@O_3I~1B#7T&-x>w#4J~c-mDrw`}iLT-P@D7 zch|$3jAIVr9}c8=9KI_b%YEMrX7M?35eyUV(0O;B_A+lfZFd4qRCYj8BP88Q^g>Ei zB8(^N)yf0OJl8Z$@@A!RO;Bwm&Z{tVn327NoF%t-`ea1V@qGDrfW(i z&WXHLT*=0~_#rtb(uevQXBn_VS-!1UzJs7e z*PH*-tX4dgBawG+4>1w1(&I>aMU@<)6n@xnPf{pKH^9?Bu6lKF-x4wz zI*g!Muk*Wk%yDPt>q{s6$wW~W%l+c%aZ4>{E$6+Y9#s*gHwOZ9)*%cTRo^@Wv#3^e zNJQj_q%0j%4mSEb_K6_=lIpClwckhvYBLKoBNL{)a6UrPU zA^9aaeY{;iv6;9&VFmK`Eq~dsMGO7El;7%)eot}AW3#7v&Vrvmx?Q2+o5^|4z!Npm z`~DYm=-N$ul>s96FeP2DDKT53R4CNFd_J2I`_f5*L9EnQ;?I=^m%TQdhL>VEN(;S5 zGf5&nbh4ha-z>f=RNu%&GaG3C_M}f5Xw%Oyx$6m6lv!JCfy~XP{qR6`>bZyLL%CKp z*~Xb;paxdUiLGwu;?u21)OrSAm^N~^q@oK>uU4#U4^o$l<}uBYG&;oi9(XOxp*I4` zPA;%EH&KOe5P{VdLu&9oEH%{>l2^V09Og!o+AefGEiHC(6+)KQ5 zcSOtKFt;X7ylJ#>_%JQbEx7lzerg@3SeA>sJJ07xM z;0*5Ie>7FxA+N+p^7@Zj4F4qYp{~T{?^F)_w7hb&$@tsPb*CaM1K< 
za9A>g%*m+Zz3p#1-O}Ib7gH}%%kjJ`J{lc(r3nK8;=)a4^g&myxLMP=x!*yO*{Dy! zN}+h)Xl=9x!NqQ zeOt}!O#E!u_hG_sFuJh)Arj(uL_0gNw3I_W&%T?d##+fhO!-XjP#}xNUpbk}-E+vL zN}4Lb%VV@cv&}Nd4Qf~X_27QrWu5z%Q_`JZ=8x>aQj>05zn6+(i#aZmVAB58uwEUV zy0&}y=*X&?V{A_+`NH^cV>tf*~HH7AnFCMJ!&89W9z3L-InN5H~Zo1rW8@} zKrJE5&#ma)y3r|Tk8Zx@pDX@ZMT~*O4oY^Dh zX7f{*phuK;Xzw%sWS5vx-v;hmMYLHxuT>sO&u%Dl71>@$zF-{kkuApuo{>pjIJ#B@ z*G~4CI9Fevw`-6P8w;^Irga>@xXe9VwTduQMsK`O75wFCnl*liEu>Jlb1BmOiFud) zn9LpSntltj4w*^vJQv7>63@o9AD!QLc$$rsGu<(=U|xcEH9pC$ljc2drZD2O**Ibq zH4=71Zv~1rTCB5mHQeNO6pm;#Lpi`tt%IX^D-(!azn`nW#J*o34i}b-4zz<69t_4! zsy{o42)MU`%?!7T4y?L@ZJam@|CRqmdgv#1a7gXHSkxuYtkFE*mq)tJ4M(#YcUw$Z z>(bT8HcZ}=y8H7*%l2;4D=4jLh!8#PQa=;&YxqHb#3xR1B%*;3OY z++qKDy5?-{1Mm7!r(ze=7iXM>wiOjgI*Lv+Y?9JWu%T7^>1A(WkMJKHY67Wm^yeJ0 zo!iWWxT(1^kUvx|OAbhRp@0uZ1wUHtY?|5GG!^mP*E|VAc2i zV-rJb8Uy#o0n)7WY?yv*e0O))+)cPp1fR8@$lZg|Xp_!Zv{}%J?aec@-epbqWUO+| zZ_!+;k40uf4992ceY@@nrQeWNPP)YwFLvBBg-RL}=1Mk_ zTdPu^E$oG@uRKJt`(B`^X(tcpQVMef&VL%0zaR3HYUWDxWG``0i)Tc)E9iv8vYQeD;r7T#$9M@ z=`E$X+~k(3tM*!JcCcMkI(l<_zAL7CM*izVj-!IeodYRHiWaQ0qvf#!!zIyLGtUEf zlwVEp*77EQ)mP0=r{c)qJ33dS+LyGt6vbUV9lozLZr57f`O(AFNaeflo+Y*Fl`Tf1 z?z_j1%%nwqyYS*^FQNC)(Y$%cEdGpC{xKzA{~j+5T)yU4G)GOAKD=4 z8s@@{Co)w*PDYo~(x3C~aabdeLYwC9C8AV;E5kCy6+&mspG?tKs^y~<1#80mO8J9{ z!p6i{etW^!JcinDdHgu;;;YGN576*Qhrdoi45_`SdIR)9eY?I^STR?Su}p8uXl2Rr zoy1|0%CwILmhoQrr?E(q1=lJ*ALCkubP**q^R3foiBK~t%ATmlyq3nB^}6TcuQV^J zXM~gPFXU_g`F5uMG&^IvQ(D|et9PEF??d@XzC6T6?*&hkE$icsT4$H#zW*GX8>l&_ z>z!J&*F^q<{MTe~Cl}`aEN)|xzd-HUVzeiP>Heqa*}e#4)qP*Mq{Ab@8c0fq))H;# zF&E_Sv+Za`DSn9rAAVR28rOL1CWohlm7R0T6G8iV@Gi6Iz5=POY|kLAqdQtZhGc6) ze--}>e|KI=_E=M@Tw}hlU{~-n ztL>7bqt&pi5o4`s7!nIAzjA6IZ%aSa=rBy-HlRx!l2-aLVNAAQ<8Qe;@9!>)xSAr% zxVuKH<&!FM_9c&Z#{$HtF%NRzezVBiw=@@BL>>{{qd8`%BAvca>9qCj_@1lMoqQIh z?^pQLTb#Uq1y@%+rP__#*Pmo? 
z1SJhwqy(g-Z9ceR+WA*bsU{l{#pIa6QwE*)9_|qwVOjj}D}mTUC5q`m!qVs^D@@MV zYScXSfs{k^(uoui9dVq+1Nm1R%@NYlHNAeK{roDe>@DT}|ZH`a+(;B}& z4lNnM2%odjG7){AUfPA>YVVrXZ~s0C8feStJdy0QeO=b=E^yiqH=WkqmQJoZT&TjX zXJV1T$huD(u-%WW`cxl69~9Syzwwa<14q(BtTPlwF$|irL+zBxryPdx>nY+e+dhd< z?X)=iW<>VGS?Z$lEf(F$&wn1R*1EUf$2EJwHk(oJ$&z6Y#Jv>?8d}6Y2+e0*;Fin# z_t2_`IiErk&#R{mLLaWg+$7bHxTUOC37y~Sh*S=z&b5iOa87l^bHiQo#XC&)_pXF` zPB^#TvrJjD5@z$cCO}d2i89%@g{!{ zF6*n&g|NHRv84;8Fd4C6misnj-@dAtx$L%#S8Yjh+7Ev!4E`|TNScf~lNFRf)|8l>xD{(B=3tKy)SlbvWtrdJ{IU#+jNRPwWE+Dj>wZ$hb|pY;)6gxyO&&^f+R zPI#AyLodZklR2&kIxjx}??0wnD&No^Svbw zQ6K9|=eqetNBX;nh79!^%*>TUEE?m4MY1!b-AqW~-&uv-*H&~L4INxXmotkV_nmdT zAMrZRs5o0)cofNexm#wKUaohe>b1^$t9#ZNzRzzt>T?o)ds_wvri8V6qMw4(a)Q{7LMk&K`!f=M}^C09G81KHQf-95EOA za!rHV^=q5_yMAkfJ}qX4QkgHyy*5J|$>@diqN9g&$9Hb9{P4nYT@jIu5miFm*tNN? z`d8Js!;vo}=ZOHdpS~>Q#M8{_o#P~i@%C;cDVd(1#kXdulI$Nu`HH`s-&HURoy)~Z zHc37SaIlNlcet94e{z9BOre&9@clRyq2vpi7~^>E3_cFr_O)g9dzB_%42z~Y&VRg} zII2_MVpERZ@z?osN%q3thDp>nv!&scDT{vZ)%qCAGp?R)-J7j{gfG{RTwN&6*jk^C zwKQE;h}O~Gm!YG-#cAw3Onie{PXx)Jjd9=hZ&ay+&}Hg(zg%SQeo21kbXQ)sZ^e^{{!oNYV`yEd4rcz=fu8sA zHNA+Tq{**FMSJ$1O-tT(-H%a-#W*AmW+Byp_Xz z@f3+Pb@8IFyN?I0Y3}mfF)?&ED&=ywXX>HHvRc^Yv>*C`~j%Bx!EAzBD$xo{T<R_>>EMBKxvt`bDn!fuA16G8?l*6a)1cV58_LeACMdKfhUqax7z~Lflmwl|f#x#!2UN*1%!U zF>(GINo`^Svm3}dyIa2X8$u#kid5&Ft;kDPUYt1^s*|s$ce^CuOF9jtHntx*chY&b zJZ+nB#P-Jr?PG}du6HxBM~{Bn2zKoh z{1Y<07<3XHz@_#gvXG2Diw^PWp0daMA7IYR=|Jtf0Ee)n#`i^)I4TL-Ob<^HYpbI@r2W;XCt@Q2pjZtzz#^=5vS zx7;jLJrhq62?vmeWmnNyBM6&~TG?MnY1!tZ5UZ;3%|wsdoL}6U>QwySr$6|;JeHUj z&Ny_o^D%qZD%Fo8!@$yOvYa?-%P#^}jyVT$PVE=W?-H5U zTQW#e#Mdtk>wWg@pWNS17pm*SUJ>h4_-yU<0z`mPLo@lrQKfuMr z0GF;0*Tzx&3de)mQnQf*!v4DZ**n|7yPOD^PE6z1X^jtk(cJhukE@O2`4{beTTJa9 ziO)YZF`up_lw=osb#YX+YUuPV*Nxg>UufajkZY5qG@Cf6jfLFS?sXlF7LO!O4|4R# z<`mFiQkZ1*@O9(vu&Z=E5XVy9WTkzQ6Z;3CsBJo`Ydwr zy@-sRlYbG{BT!)lWNj+(fSMrV6uCL8sZA7Q^oEYyT@KlcCX*H{=^L6kVWMEGr9#ZS zmnQejz%~|FwV0N<3M}LrSlj=+1oN2n3@z;Y8a=7Y#551bz8SclHH)IE?dJXB;cvNw 
zs6*bX8*#)!L36?sVW_%~=)FRC0qZ$K=8R)DX$f*-_L&@)7IM5e@(b6O%gn+te!q~$ zxD(+Kj6_92(5$~jv4(mSEH$DY+%F2hKdlM=E#dI5l?tB!8PffNW^Q{C`kA;e20k0> z-yB=Nqim>OjP-Adtq<_mcP$=zc?&zfSgZdNG%-Bf?+HWw{#gIl5cfbGBfld6Oam#% zk-vuKa^XmqzJO}A7ttKTH_R=+j^QYPMlMKk%O4?%kIKhftKMhN2^_qHDuscI)*Sni z3MnvGvLM~wth{R*ivUU-4Lp`JB0Tg-O%JT_Lks^8)yUr{rlO(Dw_Z?D#PIDQvwr$q z8+(_tOWvT5AD-YCR<4A{1>e8O0uy{9{71_FmN?@mN~j7~FEXr4)(eRLJgvQFTKPP! ze5J9x4a>i!me=3ss|go(5baaN7B5n9A#MMk$NhiWynlp`Y63uxf8tSiXrTsK{{6Io zECrKMzmaZU@?8R~9Cz*E_YZkXs2}_j!jqL8F0r3*5Xuk>F>sGZ7iAIL$hF8n1j?DBOqB2>)^1pDCR9H0ck+Ef&`VFp~naL3kc|gWuqrhv#uT z*HYo+0qgQ4?cVjZIW<5dXtzt~6SLWhN&~?0Vxgyrc~XZH%! zf1vuBrVhUU&vE#ElBnZYe`^{vA{QZ3aqX8C^J_FnfFK4#AUIk9MDiV&(}ja0BP{aB zjC`;eK@o>MsX{wUrAJdWtvr4%RxgD`8O#T_O}&P#a3HN0@_}5YX#P&b*@0^FvD!6I zZ8a&!{3Q4{5!tLCqrK1b)c09hD&FUP@*m=R)};dfhw|aiJLZgxB9%5L;jH zTU6Hx8Ju5(Xq(q*qthZ5i^paum&msm>4VBYuvSk{XYK0pn;-^}p`RzA{|V#JY%A8s z;s5-X<5^hrr{i(N8_&wQG#*Es@$kSdra`3{RnZS?HZT;?;1@JYd3d2P@~dkYCT|jk zadgCS2shR1)%_&{49x&U6M_%qowOnp3NHSQ>YdkZImrJt?)%O;QOzC$Zt?!w_93;~ zKQ-&Gw?CuK_Fbi2Hm_N5xz%FNUC-fz`P;C*x(0v|@2a)V73w-4V>btBh+XTtg<|BL zVn&{3xR-qVD`!V_|KOhxf2=gJ1MjC%Kgu2)Oqlb$Z0;Jr|J*2dlwZ{|o5LndT@%o? 
zH_%<^oc2>Wb80?b-YR$dsT@!EvVEbbb2;lZ6SIPp!l7`5O$uB}^_S|J9@qL!njS(c zq@mxS6%tsxn%3+_1O&G{p{ikh$}wq`cUl!#t#+fV-N;i))f8wnmEDFDs|sw?i(x$Y zs=zi=smpn(-FhiTrS^#g*58LCSbIXNv3CyDI3WsD1o6>C=!7br z0(RMh4|Bn~M~-TKV~a}Vat!HZ4`N*2b-0SG=PaE+kH#BCd+ZA_s<6@TybVjb_Hesb z@*j)3Ug*4)JCCjK@UwS}()jVKLQB*!bGR>!P@@qpNa zcw*Rf&|i-7B%T1&7x<9;<2;E+!=tQYbexCDWb}&CY)IsiZumhd4){SX!qVXfNxU=QhggqS z9)X#x@@X@H%VeC&NAO^>ta<7h^mU-FFvBHi@)!|U))u9K(gd8Xncfz|V%;9$YhgNB z9OK)}{k>|zgLZHwT|~@PuQ9FdPcBA9kx=r9Vw1-hJ)Rk^;lqizU^P~IusiaRR?p+q z!-*&H7FN+Y&O`8QPb3_UEAaG~XE6H06noK~Nvc)Gh$Pi2qifQCVU>ZL`0a^EeaRC# zyXEOwUKtIk+OLT=uoSA`m`E*Dnb-{%GP}A0hTky}yCr{6{8y4a_$Jw(RoLvoRp{j6 z5P-O^NqGh%5UsITQh7sc(QN+OP@+vF&NU_`h{UnRM5{;~q$lF&N>G1?-C-yRD^$`B z6WeNuKrY^dDa}PnNp==|y$HaMy@kL(Gzd_y?yVIv6Tvtir6rB9{E=C7=j}!Ji-|}| zX5X9I0KiAGoHTa>NLJ%9sR}Gn-;318#e1q`eg&o3)Y;niX!^$IBSfzZ8q`^-c%ybV zk$iO!g~FiglRgz;C~~nfpIu6FplE-%5*SnvHTN_=3g3+3O&@-NKf<@W`7`4boQ@@&r>jfgoxdzN`pCS@`V z3V4JyEF!C$vua#Yw)PR;*kaMxKQ4+mj^aF7lK6Q_d{it=k>`@(xLHzp_CYuTc$SMg zn{sVDw-R#0S6!m`AZk_u&-wtf4qVjrt<-!g&sQ*iwU)mQBS*6_^TkO)r%mucm!O1< zjYJdx&coP%c8)reUC_Q@B~l)RHT=S^y#yB`pY8y1CicxGEWbP z^u;1QQ5^gUB7L?}}PG1Tn2-*88=;C_bp6qxN-P#(HURVe+XG!kg+1{ozBoV^!pXaAYLxr5*hDB_=@;B` z<(Crvw~CE>lyLY;3^xgN?|odayLF1Fd&p217Oo^g)TQ|wsoiRAK~Z&hC3@!&t`KZI z?5oigf(=$T&HU5>PUBCcOnm3)|%WdJOQZYrJ-QsqG$}q_;aiUb|kc-9u!L z%@m)YvU+C&{!ydmR@JESrvyCV$|ZMeM>!V-Rk122UGOw>Ext;2ate2?iYGb8{#r$> z4xg?;;>HA&HfU*v_;+}N9LRNnn~OSrl2U*kF<1{j5i73|!&B2=6X#j@L&%di7&zN$ z@%fq_O z@!+4QO-8lohvo?1?;8E|B!=g*(#Wegt?%n8Y~!ltaJ|$!$nVNJL^a__%^>Gj^9Xuh zhq&Q<92K7-`yNhQxT)}9x@tCZXeA}N-6$jy!;z6 zyMt2R6|)=$I3^QWReq{mhH zscTbY#h79$Cl3Y~|M*M}PT{w&43pV%M27I24!R`wkl2qiL{j9{F-HCJe+m7}O{DK# z7cz1SnV!H!dCrHRt>^^~5&uXnvz9(4hri_XI*&BIHL;SEM2Cvll5u29@Uo&Ks-^-2 zR~ta^20}9)sTT*$2z==*gm%fNzHP=R0DU~PDqTudKSX=*RdsSB9ze^55(+!znJ_LK zGJtHev5v2UM_EUlVdSAqK<`D!uOyBDyAM}Rc@ncL3rVjPx}`wv?g|23Zl}W@yp>}@ z_FxC(B6PHH_FKmIsOkx>yKT17>fRo7a(*9mi>xa)Xf&q}_DmNl7H(&n2!96ezhey^ zJk4zT9gZgzJS+v~IMXfM(eLU+%AJVpz=_B%zR#Hs7hGw!tz{e14WPRx%taH{$ZI;l@* 
zi;TJGDhb!#0c-yPxl*PO5U^1|hM=Y|*2&OXzH+2mH^aVQfH-04&@_66he|9{YaC8f zhFU;fY`}!YFfzQM{*67MCA9X`cHdCLU0whvS?rMsXifxWaIK&`E1tpGo@wmX$>h7- z;f4QYp@I}bg1$=UUB!eyoSDG+#8no-{>D^~@)`BQ+UE1z{o;`o7{iJODEXOD=#-RB zz|;xa2`HM#-`Ck@Eap`>+~JIirg*O1zioj=fpi1Ik6*-kxR$hTt!PSfaH*)-j=b4- z9}{Ql7p-MCw!HI#Za+jL`f0p2qSF(o>X(n1N7NAOy&7BZ9lhRKUhl1#df&ql439x) zyh?Iv3vTI|9)9$qy5buq8YdFIg&P%}o&j^bp+*$q_e&<(1za*#JW;=2{Q3}6JCp>c zs94?b4AYIcW)!~>Z%@&0gzwQ>w_(Nv4ljoAGwZvPjw*nL&zqx$7$5Q@k8p4`R8nJZ zIM}5LT$Yl7=Mly;b!vDsF|?9frtwKTBA@c=+qI%q*(Bm)Bgcu85$+CCW^cebx;|RxE>1k%tQ3j8~JY+0XgvD$ziE)H;rVxi2@u5%nte}uv~4r0Bf}OC?(pvgz=Z@NkV7$ zm6PyQdcyQ79reo0V|Q2K7AEHvMg3R9fy5Rg+}?c!QQm{C(RH(&`N~Qt9)A6SR5Y? zKJ3QJmA{0#%?sVM6EK}Zf>jIo6k&(@64RquWm7(-sP;Y(r@`^}FjTG3}jrVg17*rEh-ivO>Nd5)T^qFfgjsnh?O&X)k@o|_gyEK~S_{0pu9ABJF zb7bVdomab6uhtil)wNEaoeOdKNS7N1Sd8PAyL!}P9(j2J7+KklipU>l| z%ALvq9=7%QXsxZy&@9X4ZQW`d!2U_pRt8Afn9nuxc#ZYNQ|q za;N&9BkytuJrAlE!~UcN8VhF|`1?cLas{b7h87XI82XeX^r#NCe;<)4xk}G0`GfB* zoKR6_V`!Tel9KsglQsgA4WAiq@c)=OO3$d7pq(qukt|02_gAZa#oi^!?h94dvBBlp$jcgh<{?!@_(FO96luf)affY+g5qyShk^|yw98>PlWe9RUeHcnfQ zAu2N$uEnfdc2RZCLlqL#H9ZVh z_Dsa1q?Da&jouH-E+n?yq6bdRFPB2yvZb;kN$l_t^w9(qe!=)q&uCs~M5-rL0RQ|B zPiQC!*hB8@M5%0F(p{m38Gxdu=P8$a<;(LFkIgH4Z2dwFQy?`_Pwf|Knt(YT#NmD}1~)4na(_8?cbwy&mDw`2zl9{nV)hNAuhr;Yw}X%sI^q#_BvZ$z7=*yeiC zW-C65Hz$fw80?EF+YI+T!4?qi@6qRh$!Lf6s|X;}XNJ|Tc^=Exh^ z+aoz@<{<6p+pgu>(RlbqlJWUL;sH{CdqA4g(PJ9gAmleL^0NolUzRHU=h`Djz|vu_}mnLEcsO%@*HB#7N1kWiRI zC55q0vCA;eD9z%LHU{eoY!fx3UdfLNBd1X2& zZ&W&=fO$%DNhvO+^2>3suF{<7qI9dMk%OlEKWT1tL@UR%1Snm2(Q03UJoK#i{7QJ? 
zmpu?wZ6%RJWod-o6gasZhbSEYZLeqe>ai%5X6U%vP1odMVkPtZ)$lRIlz#-19;AG;y;5Ku zxgo1ev50uUunO(&i>i8{7S$D5mT;Iw4&WB2lE78CDvNb>XAiz;;f3S6yPKz)zvI=p znf7~cWq?RBmOY5~ELX&Mz$-dhkfz05Ie#xFyXyfV6*y`&dhJ4gOv>}v0UQisM;;wa zJ+MOqF@!~ACHE(Ibhylf|2*`E5%uODrZuq#$u13fwEu!N@%4}bUy=HeuYV!r_!}aZ za{Rq?`x|S7DH{v$p+}|rx+snBv4Q-BRORU%+Sm}mDY?7Tqibce!Zgw&m z*}px|1A_l&_>s!_)JlS=Z*n_>i$SPMUw^y+HsIYbp`r9+?vRBn!FhH z_unOrc`jQxh|7=sV*?ddz1buE)n)a6!+s#FWIZe*^qq(LHDxTVTYZ1``3H#jJwMTZ zi$VUrb|}^LSL2!+l`*vaWE=YnBOcRZq3MUHik%YoFl%EA^7spydY`u2l8GNj`bxt% zOYROg*-YRxvWG@RjKe1Y#;d2mJRYuEddM`syYE(wjQ*wTkCWLp=^~5w3Nf}4Z&VF5 z8Q`!A4cKfCM0xbXDmHfnY9%j4ZV*ztxytAG-iCTuQQPhbJL=tqdLIj%O`JJ2a6ZvD zs_3YH672zO+$VV)kX?&mrd>w~EhP6e?8&=Sq^K&J^!Ht*?k+xOLwmo97|q(^oItdt z@2#SvzV{+c$qoS<=ejg5KvRl6fw|ch-#VQ3<%13A=fMX!rk08^o1VX)0u5%Pt$GIW zaRJNHV#RXRX)R*xnzNksKF66=Fgg#$JCfVdUXh2dXOuuYav-n0R~2f&xk^PJ&6xUh zuV@r?&5=FiuyTEJWtM|A?L{o3;7zD_yP%g?B{sN4bvm z@2=`W%+Xi7e=W~cSRL?OIRb|qzQ#&VC*1gys-8}D%yL@&Kj3XV0L^w!y%ykL zO7~Rc5bc8Uc!eWdP4xGCVo=HTl=;Z8k`u_IPdxi{G)_l7e%SeuXw{KQx;|*qn=6;P zj`j;Vt&t`<_LWt+_LbjQD?HYJcbVuMIb$SzcERA(Hc#jtYhIVb)AvB3JMu!4t=aaK zyYfQ5W)?`DS&@?!_3z`DC`+cj^d-CHXyj{7S;%c^YuyXF#F&By<~YY%NqFc#1T9wO z$)`MR*VBFV%Be)5WG~2qhp3A9>>Cl&%2Q;Vwp%GiMw}Z3+DakKKgr415CWBH<)-qx zdHI8S`F*1NYPCGZpP^XoTfHb4+Z1lqCl0^Ekbi%Vc=`5~C&Pn#X#B5KO}}qmPA&ev zXfJ&5E*=L54J*@!8{hL?VVsZg`|fP>_wJZ{)>r@LrkZ1hXnaSWklRDxvpK`^P`;ph zRI6oaSGOe?THNJfEU1(G4Po>8{IT7gIgB%HzOetxjq3JaW#;!>l6R8eBS()#qdAgh z*LbxnmPdAJVIqAh*>3}AC=NV~tamhO?plA(c>lK=`~RBs?XDZ3#XrgA$3yq-U)w%W zr9a6uQH__RyR7n(J36vIAMp3%C81)4U=oGD?jNIX1N&Dcr~+xwZ~%nCtlog}%v@2k3Ch<-{|+crwrPXZ zJO)rtI`+6!P`_e|x-_ z4f?+vZ%ll#f4To=d@-XR#k$Y0TRXq^<^KKiYdF5wi-v#cZPFj-sz;_vPM!dU#u?fv7@Ck`b?*09#+7PN zch~qqsoWQrngv5TlBdZ}1_?E0;m3x;-NPH^Yv8I5oJ&A&sMc!qXwx}I#8cOz!x`<^ zdu2!Kh!1BkIgiiLQkCBkbH3(s2!FY~L=QSwsKU{`?AV=#cB#H-FH>z#w>PGHqF*h| z!M9vN4vq05v=^TEpYMXa-9%i+FSsVQxEwj$-FNJ%Gt1BO%kuKi!XOAry0)tvL${El zW9R5{M;!qArKp(IyKl(X-9kn>XV?)B1?(gR+*d#D$i@n-3YY`odZyTS!Tqpw$^Rv}+v; 
zVlga;=4s39C&;uO)IsDmqyGVlck}fSeMN{VEgt8b=pxgqwBW0<-;@76E=cZGb z3v#2tt%*)ZJ+phbTsA`9XygZ(#E22@QR!?X$*^JtXg`IO}Cz5u7id5aySx)*7 zWO7SjiOi0P<@r$*PKl*=i*Br zf4iQKWd47#o((e1>p2tvL|*<0NqE7<5Kx*40)@gzL4d($(I?b7gFqHW=VaezA==vn zT?18kmB(>leuwrBxi;lQx2cbVrbk_@<LT7ekq5n1fx-IMP!7mDl3yTnM z1@Prip@Y5(p8Q?JRoIUUvA|P%A#RMf5NWmXt9a{?=GMbnz=}LzqPPE7@are(zky#n zi3G?Q;>{160wL(qb#zmJn5k+#Qc5^ob)QhTbb#pYw#Vqa+@^X`Lj#+@B`Yu8V$+## z1N#%i$tDcn7}TRyJSZ5C$K;TJ`^V9TQehg(K1_qoU<3t^sa|vdm0~@*bGKF%fCd<> z*Tg;)JNRfEZc}V0A~6kH>!Ft&t@aUGK*xGT-C|yQmyBKL1x@i4V&^O9>ECbD@g)^C zL*HQ8QNVa5`3>0> z;ahT$!@xsJ??7_;Hz|~vH;_y$F9Ak1h}`{NyNe)wGY^F3Px>NN9q}y%j&bFey zTM^@oWJg6DqL^+|xlpZ>?pOsD;?iyULd3&guetLN_oHKG?0!%zJRl6*@}}@qgd^H| zCUimhpZ>i*$NYUDi^~W9UOeS5-T%9I%5&Ui{s2Fo^*X8iAO3wqhWY!sF6Qr{9d$jm zUv0u?-7Yo-&xLSJA_9ZK-&FB8P0%kkGyhRX2E1~`Ag{ayQG#qC78Gt}9QgiIedHUN z4LOi?j;0O$6NI-E?kWXgNq0mYko}%xe{BPv)qYgqC%r%oFVM808~Gnu%PEWPzRQVE z?!#jn)vPmcRHkTHFsP<jH2yESlP`Z>D|Wk5=wsi*S=%SG7AdHtGrGa@!Gc zt~`icpHc@smi8KX`Y87}0f(`#ob;Q9rg#FCR<3a1?dk(uWWAJ6LJRkX4E`29ggfNAj=Do5qv+E{dmpI(U(_`*_Fu`SLjQea_fbM-0u?|=R#Pb) zKwg(as7s5jR|Pj@5N?LM5k^jMnpb(+IV&55)j{V}+)J`~;fnIrjNMFTadNq@DNXH^ zd8IK(YSH$BTahb_0gbXy;KTPd>|m!q6Zs!XLG>x0BvZxB*!Y9#pBG@Ryg!+nrd;a5Addl+xCQAFDCM=LPb~ zEthG2K*{$Ty2$}(f9I_v4Jr3sj_-yVb5Zz5Iq3U^ho9#BP&}T2v(|zgdLmj+?ZyRa z>h$V~o8(knF}Z(|Bm;~oP7}|P+I-CWE5?^6Z;U&{iS5M@8yngX`rb$5jc@n=?f3w= zZ0c!{$8dPFGgIeJBm4w_8-B1mho1y}RPQyC{EcRP#`YnC3&8PDAQFn`%Gn@-{D4g~ zG6`Cd6?)7=NCWacRex3mKj>*VZNyUY$mLU-gsgu`-=w1<2FY!#{-ZI11=}@AKT+$j4u*%xI;uhf|^+% zo%U<2p4E_N{dm51Rw~b06DO-F&w4&iRvORp#mV9-dCdmI$x7#09phwW@T>+gSss)E z^DK5wWKGqxvUyfToGgiFy%{H~KhK&MC+lvWb)PW{V}OnX3eL4jDysG>?`K1ruOViW z$6C^&YIZHvI7VE-9av-RAJ?FwQ16Gc4xlG?i0-HI#IMfs#*{)Dn!!M|7QJIUA#P>- z)o@BM$Y66IY7*?hUoAx5T(%l%3b)xP_lq3%BHjkN2d)o#GZArWQVCp~CBV;f8Sw zU#k`_O3NK?$GYm`{^@$_ z{$Nli!Q|$eyc+;|(voD(>m*2=tJL9ZL`g@}c{ye{FJen@AyR*j zMpdf^M~cM~EcK^<)v=$cl5ug=*14WjqIPv6-!53l87+up0x9A&h7?0sf#>g&m0puy>o}^B->}LYRCY3<(WL83a9J$Hd?~#y-6HzwEdC+FJdR{&=7a zHtSMg|5;)sO(c$jP4&(%U-k2_L{WiVLE;w{~}lM 
z#@qZ+g{`XWM)<+r~?x7MjIVp11b*52R`>%Sb&;7nDsx?uGT@6$*X_VHvlL7!i{x^RN4!X3Yr%Vf@{TXkrt5hIGPc~N?V?3#Wf=l z5S!y+=<=KPb#)e3e$&0xAINXusAQqh1vdN8)qkYlG^S-OIgXON={tM?G9q8buHV_~ z%w4-RKi19yp zT(N>HwTDi~|5^JRxZdkt*5)deL+H}&1qD+Xt#zrXt*Sjgo95(b6oPA|lh{(ttt##p zw?`68X&v&nxQ+vR=N|)m4ZfJ)liKZVy4LWL+}D&h-ujOlk3skA!jBD3?I_gSrkHDQ z_H3tK`@89&_|w#Q7TY znklcx!o%2wN&Bk{b7yN2KLjr^#-sKs>3=ZzG;eMDD2xmHwP8HrNZT0v%tM0i8#|Nl z32sc=KSSKDwuCm~a{}*5wEt8Cr;CDdBc>T8d}ufTkk`M#JJkJKXll(3kV9p-?O)j0 zR`qYngU1@KG{(sKvJ;}szgip?G5}QvU=RL-aF#vxpe!Ju(gOXfxD%t^F6F*{OwYvfZX<~7ucY=qgrxs_&r0XkW8qs8Ehvu!$@md_3M z5oxg94n*4}c?n6=B>8C)(s|{eGn@WC?UWp7M`&*wboPf|_O?$uN7COV&Z+eG6=xy+ zeal%)e?N4-PJcghE~md=I!m$T5a|+pfrgwIqroA`r%G^6r=<^2BzS_#5b?biWw$6A zLO(+pwA^GTA9Ok#{3DHBLU4h>@s6_tt;j%mw?oA8Q}HS2EE|6Sv<+pZ-eNI?EQAeC zAW{rF=kyEhG@0?9qUAy>^fNBH!ed+(iwedKM(A_b@J0^1;USESHAmLRz_TyxcD^-8CJJGSaRmG((kR7ynN{Ccps(n`q(N)co{f1%Kqf@#Ntlg2rD9QlJXla zkgOX8eG)i-B}S&!;9KDQ-KOvP=gXllND7=!vM*U*f17xh=bzu8rcXDf2hNW*w|8J~ z;Cye9MER3>+>ZI@XJS;SU?Tml;Ek0R&p*FjZMT8BKlyTAMEzb6^ZjJZ_Y*PSMKRyO znD0Q$_q>?zf|&2QG2e4yzGuaJm+^UtdDGO${&+@AIe*NzFXnrC%=fgI??+<3yY;h} zzPrYJ-yZYbCFVOT=KHpo?^|QOGh@Cx$9#8+`F6#8XT*Hp9P`~V=DS18_f0Y1?PI>% z#eBDo`A(1dzA@(ehM4c`W4@g+-`B=`w=sRYN;%y@Hl^iy{4tw3l=6<&(RiVhvn_R$ z_uJ!?C;UXUFNsB>QtR@U49L?-!i|oxy^a17J!#bM74iQX*KKe2_vrI(j{hBfezCQg zJ|}xdM=gHA-;4h@tjT{#XLoF5To>YN!gv-mG}D7;FE@X`kYX6`V2vV?zhea{!pMCC zE5BS&bd@L|ATkNoO5m9)gDP9~SE1prfddx;=dJqrB>h^Ga_#(IiPHKL{aQPWffQNi zHG_u&)C#Zp%Iwz=sntCL}1Zwh6s9vAo?-w{=_2)?Bw)7jq z=Y12{VIX1LfXf?{YF(RzvJCItthSqtE>j|F5Wf}Cp4=kb(>swvG(K}oC?&E>yu<6r z9>@?=E>->EP=Ao_9Q&>T-~>yYNIrQmhT%5J{;}IRk`#o+$5^f;OkY7~A(fxq6o5&aY; zqcYvm@MWrh%v?PHj~gTKtQK*Z%<+0Yyrk-VY#!2*vf#V=g`ENNUN{XX-%DLq>nS0&O7sZ#g|dW^jBa&j%jUAc-T+f$v5 z**)wQ?ka-UlB`=jvd`Hc+rbD{dRuo(!}&! 
za#Ddn89o*WPOnB;k_aMVgr~%zH}UV4LX}tPs>VdFp<=X0DB4a#Ai0Yfj0?eBdyLSA z$DKzmsGqD#Ux*Oa{j_7_1h7KgH>3k{u2l)|Ow#sICw(<|ZHxbu<%EVr*QF4Sn>6z> zz=!uiqe?dnDLgSZPv{=O~ApzkUbMQJO2lf25qsZv#Mf~R;$dnvsg z@Xdqm;W-GLO&~+mvx(^Lz>2O@)+XUvJePpnsw1o>g~pzY?%j`L!ieVNI8B6D-CG}@ z-&|7L6b~WsQ(#dv6zR7T^ieWI^)tryG&Y18%%ayT%c{O!y{zi%)zJEX+uBv%G_xa8yHAa6mK_^!qnVo?SB7YH%Xxn?`e0WVJq{=-V%-KR? zN*-r7rs8rSKEj@^j|~7EgJtQ21&*^#&5>>Mr4xnz?51cxjN2XzXIs;m&X|1Qxy&$F!;ltWv#SWR@_Dl7+j~q za~PT$Pi1tJ9 zENAFyBnXUd)%r_;c^MX8E3{ZqW~L(twQXRYGtu9*s<#85|J4uki{C#UKLe6i-)%83 zotroS02EmsKA7E{QQxkdz(sh^P?gyJ%ql$ifr|-ia3i@!o4sfewpMg>bp!ZY@GL2Y zOG;08^Jiy_fk(X?de5Pa50SF_VFcgV>>?g%D1uHyp-L*74SOHCLZ`>i!r{!0s)bH+ zc+Zld8X6o}{Xdbld5nrE&i)xmepv%OYp>ltS@+&**5?u*h>v)@La2u@)Fj)3ui`4V3)Ix} z4}mOy|Eiu2p&6CF8Y%x+JL^!dn!s5roDPK)-S@IjFL4J*7>Wfd+y?3619gE zY;C*k*{LKKkH868mVm06_M(|kA4ga8AO$vxjG`4KYJ&6bDHSi4U3j5A6kB;Z!63sowmyx z%6z8{^0(lgvV-*vyH>+84ZF6&xNF^<+$|n!(vZvX6!e@*o~YlbLFQS#nUcKTli&0? zuk}>)0J2u`MB<)hh>6pFksD7qm{ETVqzMCO$NKgK&N_U1;FLE^vIi&V+l2WP3X1lU zKWv9C@ZEG9cJrjRo=3E`4*#ddOivEsRID;374?nA6;;b8)F;a~2;Qp_9#F^dXaS_; zkJkPRH59(mV>LWl=uQ(S|5hsb-4evD4v*nUj4b2wq_nv5B<`P1)rY|+6`xY+FF&Py zVO02Xern;$K73q9F)1~be0zzVU(VtURt@}70K>ht`Xxih*1r(<2P!i#@lJ!SnKRq{KJ-p^hegacr$8W;P z>L<8yl*8nxze(WySl@xbd57;uWWxqWK~B+jb!q(ba$VJV)-zIx$cLGR zgD@0%TlhgePC=gxTFyY11YbgVv9{N6C+FtA|(yTzNJrSrB%&Aa1oTnF9${ zoxl%U!AJoZ?7_>hz&{hXboCl3)c=?SfM-TMDR8!>|511uZGqM3#xK!7k(%gPUz2Dr zg@iP2k#&^Nn+a)J+%Z_MREnPWK5pQvu;pZH<5tp{>pbpU;=GA)H|E}k;UMO5K#p7F zD&_wA1aKgjF6>!!HV>^wQzr*0i_Y+6ZD+z)M1Ax%R>66YY7fCK~yggmez3-mGVa;noeVOfzX)liu>?znsAGasc zk@0WGFA}}6BP2nAX9uq72N%WBT0xcO-AFHMCCfjHyP4pB8Fxg)*WAl4{Z1UDtr1y_ zhdeLtO5mrm2w#be((pL_9Up??EXyFSgAh0eU5!t(yLV&Qw1yG^i%PZ(5A_8B>Kg`r zz65aff)#z`U1DNlSMwsg@Hc3g9SuR{3N9N zl$U(V7R2L?&bFzIL08q$#_e(1_-S+8Hg2w~jcQBnHlB*xMx&2gkP!2YrbL4jVIeG` zt6KNjjKQgv=rsbo#{3pkV^HlHsgUFw19>-6UNTit=1@xP8*vnw z|AIegiC?_WqO+pRTDF=dw(5t%ra8hxd;sv7-{qa0LvJ!YFbt?U4T!nr{W@Q|P#8{1 z1}$EKcPZrDzB7%l5PjPtM@!!i0H96C0+0A!8sA5i+X!6xcUmaZc=(#x7raU9iJIE4 
zS2=`fqwAw^#l;|ZQVO2`8Q%Yp}AHmKgw=_vnGKNNmq43jm4LJNMZO3vpgIY~7>eEDG^?UxTi(7;T*N+k9{PSM$9AQ6UnCBo#xhCU72bZ@= zfvy%`GWVCg7;r<^cGo5z6u=Mj7kZlT>U3rP<26z4_BED&rX=tG0FQ+Ic|4Tg`v;CE zNfAPlEK|x-VUjKDRER>7%5E$P5!v?{Dxs{|vQAPY`@YW*S!3)wBZk3Xm@&rezj=Ru ze}2D@*XN)6emv$rbIx_0=kvPGxzByhb@66}Hx`WgQXLNE%GgSXUMEJrW`OKk8KO^7 zk_UXv+`=!~^6FNU#{6HJ2b<-ny!%Er0VkKuH!a*>Yx#$oeC_6NJ@2ZW*wV}4t$gsypb_LaS?mIvHzwGH$%$<6Xy&sI-AcyNUZ@JKJ+xUE3 zKD-<3C%;W749+*Ol+=7h)-~C!>2$nSNys?>dR+ZMtxx_7@CfZ!HZi6Sj48FMuw|Pu zXRqoR)7dY7+d|e6v$C0w;Gsu)Lx4dGX1{896hzAfd@$a%guaDQ?9-jCu{iT>>-Owejv3lhhC z1qFYiWm0W$N6bwIoQj1uBRG0jb}Ib`+Mo^KAyld0Un(MU((QU`8nn9S5>)NB$3(8z ztbb4f8Ih_>;tD(#80P?GCESTQTF#!j#aHKX6Vo|qh%VB zd6D+k1r?u_G@2RQ$6Q*oC;pBWjf`s)x#1ow^JFYU-(Dlj!-9Ras{=xS9zB4LpOA+e00M*Yji{Q zX!y4)#hQ+ngvmo1V>;t&25yM`3_iI;ivbJ3ln_rFxG^kny2u?kSN}8Pk1rd`NF96L7f12`|~A0T9uT zxt_{>jD4b_p*Qi7gWs$)1IqFJ&W|78o{!f(aKB{Y^!fa+$;r4g_1AOan-hk-Zhc5p zS4~mek$&`I>rG8UL5^q5=29i$GKFI{v-Yf&1ArUY{O2oj8wp3EYuwQ-{ zLkpu0^;!Y1e|WFpVyJxLcRy+HqIJ$^z_)e2o3rmGBn-nOm+nkdF+*oo^IxJXp8c)( z6$m6q^56RNl8`9$Yn~o$3zOX7ELDY?Iz?5;Th)jR*U$hJ zhYyK<=Z)KKa};^D-)>#Q^DtKDMKVYa*t})M#(M0bgYxF$18XmN)XuuS5|)0xQ7^j- zJj>P1zT~jXi?}(VRQ@uBTyeeY-;Z+s=Pj+*;winFB=UXrANEPXX1bW-3}iKFa!} zx@(G!!d41A(V5W)+Xs?gXPT$omA;uJ4`%-{5jp>@YGK^fPHK#r?E^CN{?vy3W zN@2@?cj`;9A7uM_+pW!*rV12*RQRH+{4!vxu<~GRy)cMl>O+3!QO-J#-C4EtdeDV4 zdXMFHd!8$!N*Bs6Tb-jAG%jTm(|(1QZBl)+V`_*7t2MIpv3SdF)T!e;$9^3zP*uJT zYkT|Fd%uUcFE=ak*0B<~=r-oqg01s4qVGi1jCmc5HdRf@t@~>W@YIQ1M-#6Lu5wd< zFyEH5n5r!M>9?VW?pcn}OjT~p)VJ>F_whD;Wv$vNd-{s^SEQD3t#;q`=RB#N&;;IM zL`A4c{6J<^!CcZDskvBB@^0acN2H$i(CMhKkyqL5qsp1}TQ{wrHa+m4{Q09vUo$yk z6!0p(!C=K-SP^9X{L)e)?@mIeOuVR;=KI4{UFb-dIv2Ol=r^cleg@fvOJ4x)uJ82>1jHnTVbts8FXyyQ#Mdho4Q1P@NA$eq5F#u~xN5RC67Gb` z3-EHPw9mf!4W^3z;d%8N9~{i8}9g;8EaksqU#qd}s74 zd&MSqc?vUu!Zi7oy7@4>{qh+?Uy1S2f=B)O8@USbIo(f;`)4j#3%>p6(0cy2Ec@nc zk%LnY{yy}7JB4yk7hx!6i=>T%hKfAk;+8xn^U*;%4AA7n0Aarran?l}9)9&3u2*mp?JZGU{y z20eBzw$T0{)>3P3?t*Y3z+U~kYy3_Sl~c4scXoR{MFNrJ!chmok4<=fw4W$k#S 
z?xo<@-9~NDGnLPR<$Fs-D)obhetX=qciz7kXTfIQ8z>{dxgW}1X%RSBHy?b-8homlnKdUt z>aE*f?MZ6gzGd>S?z+Rs_G5F)fOd_ArU@)TpSrs<1298EKLdGy`|8sc*T&LUpG9X< zO{dgL7(z)-lG!rcd!F#gI$t_dYta z-PrHG=y0~_bQ2cPD`*gz&eY16?a~VZRIyvmhH3q~2X6-eO#RuolK`e=oafoYBE>sM zk=h;ijN{*h{8TfJC$SZ?8&RYL>^gXtLmh;xI4u_dKHVivymIUx2^A_G_QG4w9dwTV z^?6?kUM_m8_f0tXlx5(>F`kE4H6mT!rJzo2h<-MF$|YxfHSic88y{N`kIB`Q;;#JE z6bZ}QX9DB9iRJ=vpOwyX=Us;_H_Qf5w+Y4T8pPbA*4Vb93p4U4?%0DJ?e@;ZkX ziK9h{cSLlUbl5vM`bbuPyRgP)%eTO>%{G-6?eBV7yNa`EFpu@+P-@C9&F~!T-GNk< zsHG||DN44SeTHqD&FlDi`;YKra%{XHVSERXRh0y*ZoaDT=K_xnMs^{)BG`-~13ET4 zE>-c)u*I{tM%w*9W%`5Da#)90NrK7jyR1qij%V1hkw>ezn>d^Jf=|tG`{yP3X2nz4 zGT3B}hec{eN?Cl9=w;O{X34pI{A3iCCAGxz<>fGz+`y{s>l>}d@T^979mK2lUZH`( z4wcJ;UxVbf1e;D;hVu+?vkq6tuP04Q3)rxrxY7|YT@Vhur+sYt7+-qVBZvKSXg;~D zY{L`44-g08o2M2|*m7!}SWx33nZNa~eT>Sy}vVG8WxIfo6@O(X4>H5?p;<^WX}f=^f; z7vn`d4`<&s)e`2hW#2yL#ddfM#V&EYMfzK~@K+F9YoyPz&a$+_0~K^+z@6zeLq55a zhsSP2xv0njS*-!8xM#SvPL$=m$8tNWRj~)3YC3Hh%(2UNTinuun;MzprN>Bh#7Ne$ zJ82t~g(!$oyxvB1tmHT%pCz+ssTnC4rF{o*GuTM7n%nYu4AP=7HxkFj z?HwI1GR7`*{6>^Y$EBOHNAn~3EcjMD9wYAns=D7%j~yP10duz#t3;c4n^=;_!Feg| zBiwQ)pR-`HiIhtCDZH!$(CKHt>?8|1g=GyE z_xY+gFLaBQz0?@6`-_T<{$j!5dP%#AJ6QH)*o{lm9|MouPJciunJsk)IIP`T090`X z>n$%fRa#Y%%w1#K+>_Kc{Q8>1s2;M-8Ri!F! 
z%bN3n>^Gt`BkwNjus}P-VpP>hGE18db`` zfyWw;wX!JO-tpNcnQ>z|s=ec1KvPn$BcQ5D6z2Vh4iSPyX@hkkjh%3r$Gj{nV=aJJ z8iX7pv3YFmld*1`9W6YvYCs+Kpkr!m+@i^REOn1~W;hm3EXV{qI9}OajKy|5bU16t zY0Gxz_%xd)ix%x2n>rgI0z@vklRZ&V9SRO2Z?sum&TiR!nm(HpdTjStU<5aD;ysmf zidE@5R-;@Fz2i;HKO=@osZatlzYAu5pyH?;hJdem*7{#rKtuB__*Ib7PMhk7D`& zEM6X)Vw*np?tlKzNBgZmkmXMP1@6md z2EEa^*(6Am-s|o27CC5p>&v+tCKM``89~JO1aRfK|H@d!&C# zduQJWkJJmSvHZZU=Bd^w7r?Rxi^c2XO}wnOJKNm;CkFch$C--X0W4@0*B`9dhzv$j zS+3;@OU@dq4}wK=1&6b&PCgze{#KlCnE^V%a(o}JxJt3i`4)@HQY^XIXSf$m$c3E^ zWcjboq-4O}*{TX|N|cYoKUfN1)diMq9^YmS86*~22PN)lIPg@VZ*B?S&Ly$!}j!$aewxYwbVHuN9|H5WVUPmsGw4Hq|sZJAm6O*(YiL_PdXnw{t_dk3vO( zb5w=BPaRc32Va zE`A3m9GI7{X+D+Kv{M^0{7Oo^Tqfu46=jCRe#IzmWI0ws_gXuJvx0qIItd?HbW|F8 z2PH^Ts|P)sJYv0KjIh|%i0PAqHHvsxEJY_ioa=SqvyZx#%Q0V$6dXm5=*uuAVsT7- z;DkP6*?!YWWl^(Z?;K`pDn7j}N6o2J%?g70_Wee}cZl%HdeS9~Wf>v#1K^ z*a}G1zvB4kK&r_aG})fSGzN8S1*I~iH-m_3!w?Io`JcmNBPKAJC`-Y;X#;BeYVG^c zbw1M#E6f=1I}OGltc=>Prv{&Cc6K2jln9N9VU?s}IN7?nm$#ZWi}b#$GSl5BtcJddYD9 z60I@4IU-vr-&f9<+3(iTZ~u{D@hbPbXd7Z7z-U-pU-iA+*Jc}9rVe*FRcyObS> z|86hWS1R~}M8kA!bNd!N*oW|64-BVHJED~>XH1>^qt^AZX&s&5@lEluY1G@1urr~gF9+Y2xZ*=azr5D0^o=;wn{U2QoES^R zYUiItnY^OK9V_3v+MTnUnY~3=g4~~Zlkzgo#vfYPEB`JviaU>T(@)hIanS|InkyM!*xA?B~Ho z0Fo;{W*)bRyEw;uPb;W0-&P8gPLxq4&04Kdit5ahm>)it59vvwo!~Hf9@cL9-CIef-yrW~3hAqGYm-Cuo+w`}J+Uvqp_cw{OV^sl^&?jy^$iP|BCl8WQj@czT}i@nx^YAY>zgBtlM^f3R!)8F3- zuGMn}?gEXk?hc)s{+@-vo}6xlqqRKRAGo6 zNOo()+ok*qRerJGSe`&Lfkj+cybPBA*$-M|ZaUwW^og4y$sE}&8@vVec7J*zh`F+` z46Mo+CkM7iA9>56PtG2E1dswW_g32e7;@U@B4mA+-*ve}%#ww=*63eCMkS_rGI#!k znzwiCax05)_g~c3HEMv_)yas4R0qlq#~6R0@tZ>*A(o0*!(wZ=dZph34~Yq19uRS} zylgsu{H$p#?$#(SsOem*rP7e93mMMY?A0gYiunV(01WH&W{1Ky8T^?3o5Nxt-p^|4 zHmN=mImIf&sk;$BGo;U@6>Q6gxIY)ftMoK}gI0=01*6mSoU$O$TfeN`XI#sQTmEcb z?hUZg)}%8ETtNr%b@i?Gdz_s~HTzwr({)|NmeiDGqYeN&^kbYb!?DG3OhYB5Nq2lK z2^*@;#q7w6stYe`yAlme#y(lClcT?@a^>4e`m!A|6I%%U5*JsOUVZO8F zM?X^96m~X9-UO&l8fBURH@s^^7O=P449hc$iZ{C2w-3A&7OkWx18dr7n~&kemIG^N zGCtWJ@gEB1m$-kr6!g)F0gLzkyi<{pwkDWD3MzKkGU 
znH!g&VI)!v!|x$r1sR7|cS*4$G1zxy`#!3qoP}wT;BTbCBg>gtpNu2>-|uZ>Zua0D zBS_V})8I~G0VRM^co*ODlO$1uxNV1cgVhm#d1k`+ku3_isZU8T1YHA~P=*;|=eD^m zec$3MR#m*D<0$N_nxX{qxM196_D5|IJ`n^x(rC{uJIK@~TJ?8b?sz|gnw2}x!TLM} z^f((lk@WED+w6=bge6AwM}>&>I{E%xuugklF&S|i5WyTQcjreF+|6~?gRc&?7&ot< zOFEOR&XcU3b-w-cTXwM%#6#JOBm8r#YO||NUZExacK z#slcO%C$`X=~ed%ZeZ1iX=2D3<_W}UT7y|`G2ZmOjAn;7CyrXK3WxLyB`|R7J+q1+YoYr5^M;_?k{fM7!V17(x2XUy$%U)P%+91jdkTC3` zz|hm2=g{UXzzo~Y`*I;o?eI--j!1{;+hz@YxrQ%?Rn$jtR!r^w@z#t?So_P1lS4 zvtJj$izixp@?Gozw_xL=qTxZH>5z>1)E)Z+n65GO^AxGLl9>y{O}pm`(O)Q62>+vW zE(|(9YiU)^jFDhog7qew#tp%V%W5!}GE`re?FYo!nw5~a9aj;oCo7Y!bfLxU#Yc); zmK&PK$%|YOzhP$#?$iLLFiHG?9+N@#Kt#C zN&aiDnka-0vp4!ztvYxOCW{eZ&FsL=1ALG}&vnJ8N;?}^Dk@nRkusZI(Vl_zqjnzl zpT-1TQ7PVg*rTjpqiBUu{temBH9~u0HKO56c1ZIIoJa@iJt%z>Q7~yArbRwIbnALe zCGV5@tBeCW-xe&#p7~R7w6c z$)HyLmi&`$MQSqAxep`d(Ofj!ING|g4$(^gJk&EJWSwE8Ay>)k!_0J`Mcb8{1O|ve zZmxyvm%!f?+6HBgrWqO4?s{<*`ZN7ckZ}eKi!7|i_jUiJtL`oK%nK#FE#}iE#Yw4@ zr>iA=(|oPvt0iun;>$@<&?jb~{s02wkm5e{4T8S+=?gd(bA1r0vOBE-y1te$KgDf+ zcse@&vysZ{nkPsR>#gAAUk1i1DD(Sl zv*BU}c@4B(Cp1TU9)hxxEDf>ubmo&y%j?5UKbHWjGb(Rb!HWpM2yK&%dCrJR8fdJz z5o)Zpq%o}lJxlZ7Ykl1&+t{*yiy2_m=$#ltv{Lhq&|0`Gt%s2k_@`weZjs*7oh0bRiD>8bCRONZ)cL zBrztJCuRHq>>+dhjgY%c!(&-W6T^8HBO~Ct=Guf)M#}UNtm(FVB+biI7i#a<8m1%` zk{Ro<)d6Vhn`wNYG+ex^JKT5}c~6ENeI_oW==3T7uwP;7Xp| za*|!zt^6V@<{0k6s(X5dbn*+I!6=`v88&TK=1RN;R{B4gQ(Ut#Zcpf+!q0w%m0rSi zOUr)K{)iKrv2@Cn>ASYuX7Be=vm9$p=H2m$e8)=beI+=&>^%BP- z!k~KI>a78J(z|~(tT=A>oh56jpY5Ye?A$C3*iyG%Z@Lrur);`}NC%&&n|DNl%T^6l=}PK}8^n3_K4N?Z_U=#k zei?V5aekViG6^}Gn05%EpKb^m9sb}fiG>U7rNupH z9l=d=R<$ovYvY8A(q5D@AL#_8^gwNpL20dtSXhEHE-NfO9$KMKwo5mp4Zg_Sz^#P& zytFG%oUhFa+6%!H`|@%h*?ycU_Os)J+GZHi^v1>LK3lYmr5$tYb%&og^(f=d`qsSp zHh+O(4kX2y_U;!!lnCOBaBbx0PxX;<)F{bEB6f+)ihm)71RZWtZ84$6T;g>(n%v-++}7RIqf-%qh;O(&7=P`*`J17JxVp9%asyw7Bz0-zRf;$WsQuCKfT{6vy?3M_)kj~ zpYI}THGVvx8QpXVi@=HDq_Taz^qG9xq6L`eHWAy$phwob)Gu4Q;h?ELY#Ft|N-M~2 zD^%kXC7JrEtFA1xbh~ne+MLmqZ*XhYnWW@b|JMfqg9>5Q!;($a@S8)d42jbm8U$PL 
zq;Ejkt>d$wgYIEvDH_;|v_|MhO8D@x!bSUy882eqy$D)N{@aqNfYXY*Vr<|OjDS>z zpf&E7FzS?_6V-)6^FFzfP!gWlB_=L{VZLd%^08Y0^Hl(0*%vvt*;sS{97nu*^-2r# zD;eMA8SWEZOVb+=o;e!ea!<-5MJ3(d6BoiWwrLkxY@!u$S=k>FmNh#pOzJ7_W=LuW z@;Kr?5aGElSmKl9QbIeiWd&lYnlB~ICdQm$7VnbQoa{5~5NeNBi+wERgdLNP7&>ME zrf9ya!2ae(tD0~LWP5&@k3;i~3g|H8uml5?@Z{ei_cN85*QXa{J~O${2r^U_N~dW` z4^oR?k{0qH3~_wSWdIfE4RTLJ)Y4;*A~<)zIRWG!6{1Zq$o(m*nGl^SVAK&%o)Dml*m}4rCHF!#8f^O~PY%u_# zf%CN55tP|A9I62}5U95B3vs6$%6Z_~xH-KFp2L~fjo-bmS>L;=B==`^hSGiXMAc%B zDdN#8>QvV%21hzP8s167#;xcC{Y~FtJ~vmdP=MtF}wA-BX zxH%jg6?)%__?;{P0w>h;7&N2ESd#{)67tErhr`xT>@i~e@jORVm+{(3x zdc!_EKY8~qd^hVFnOCPE+-`QQw2~<|R%fMDPDO`OIl($g^$^Vt)BLQtd{zhy4yJf2 zoloR2NaRqnEH%U3O5%~v(C5i7A?A&Ed! zIkf8=4@n8oaXN7XjS$a#*2~+zSck+G$%=TRhxx>-@Y=7;K<;)aVk~N11SNd4V??uW zBqtYyf6(|@?%?Ag{CH?1(nwwHYQ%jMDNxi@v-URLICKK@;XQ-&6{>WAO0$Q?6*8hW ziC7G*{RvaXnD`aS6hE?97oi3{_0V!PpDAvP3~iBx);vgBo(^*%e+jAP9cPD#9z81x zW#Ftp!&)Xnhm$IOhj_%O4u8^tY9E7uxGXV>U{;xpKOY+O0^C2?$-nQ;~q5g zO9p;JGz{pp9Mc9672=u2x+wwg?OlXz^BEbF92q*2_s!Hicq1OBbzS_90s&h?S}gAf zA_~6`nUWdO89Cu+M;&3m8STye)Qh{*b>GM(B%9;#jwsk}COIcW(X^Z$>X}aK0ItTtdVZJeMgT6(zw&)M4grhAK;#hGk0?YEfbFU0{0_AENxC{^-e)mI}-uIa> z?*x#Z`g9~p3q@(aXV=4sREIYk`e`7pm>yRm{98B5wnfbxr_UEKVN-!Hjf(FLVeRr> z3PIYx)*9Ff8gZYGt$%tJ*KIR(xLQ+(>oT{ke5ew#e!oV7$(h2qG=_4`^Pw73;IN~uCQKun&9LQ@99C7 zAFKyT=GU@4%OQjJwxW4mWG6N;umULP0JMmxT#Td4azMzx({LPpwdfm&v+h6X)R6-e z)AE=5kjxkRy1|Fv!F3}V62;z`{lPKfBS(STWjQ}=nfmaQXr|`Mg$TN^I08}-pmh#% z?Lyj`bAHgvwak|;j>XsPX9d&N90A3A94@T%<33K4UX^aWf8@uOvZTX?kef0XGyDzh zF-o2_0yC-Ub?0iAa&8As>(%OB!zNdf4FOL;hX#cKnbA!8+ zp+Dt!XB}USlNoT+Sqy(1n&OZB`^~=L66zQ02`&-Y40bHfyq9GTiV1!2@-k(7@8%r) z0qBd3<_=XS(SJv|7soG%<-ocp?T8JR+}dx>mV)n4?LMZ_+jK{2!_5XD60jIx!BCi$9$GZiE%B5@*L=${{b;QlHMEQr6tD70W=YOG)Yn5ww6H3 zPO*|XHO_J__S#&!kKydjm&&_HSlMdG7C{&v1{+#!-e2A^ux1^H!v&pcxCGu=*IRk% z0cTGLAMfVxsov$TMKN~B5%GO>y)XD@4>xZAx#5MMG-7@n+Q8%X^ZC{|YTUYds z{LpNpbdU9i+~E;(nw0;N#7J6HLn1m8s{?wPKTQOGNc}XgTzu1*!mksI(}D>g3R_Q6 za4N(ry-i(k`j)oHqEpdn`Di;jTbO-lkuDTQ)Ul%MRo#IA69ddU$+j0CTc8_ 
zxcWCUowU|J#|AIGs++lUa8&@MR$mCmhj0-0An-e|V zEyEh$p=UNZ4{FgivgMhkUuNLmuF47hjs6c4P*Bc@Pi=8}cN$~XsV^W-3&8Fd?pG?H zgLC<*#B?!IIq}(6i|L@2w`w`yMJ-N_GOaN~_&7~jSkV0d3#y9|vXS(A;G9UKvu~i* z>vaHyl~DO!+OP-R?u41K)ZhEwqv+ zug$>iaVQ>~XH|u$*KZGD*6SglYQ4)#8qnGRsppRg@PPVAb1TQVOhi4exg&4&)ym*( z1jCP$a%Ee4(jV~KyR2Dvi5Xo)ee)$|FhFo#%NE95ygZ*oS10NIMgIL1JQ7g+*ZZR+ z=y~lKhaK$O0}_QSyy5QkCYTXN*}-;+2R#hy*&;vLnZ@hqg*PWs7@E_9dWZ{4m*=OU zM6Gsq5v}#d_8uLTtXWGGc&!8Xwf&|2L2HC~4d~0X-|kK(?SrK{2s5DzW;Wk=rjto5 z9B6$Jk!RQ{L|hEW^yFhM66NzRex#{Q1nqfYC^kMpujrc?=57Yj5z{zguZh6!PB3J4 zaqX=xOeGNDg+$|LWRxW$X6T45LoQLYiV1zv;7SN>aubG|4jg(i#FYtf_ComRlXj^y z)8my)zA+{W#iY~!p9_=j9b}fDSQ>YT$SY>8Cs}m!#Z{yTe2No{WyMC^Y0fEwfomfe z2|EOsCyY6S?6KOY^~!M53Im7gecKmj?cw|!cooY1f)Ju{!B4e|0CNvtCpygs2>bB! zDE3rL@(3iLX5?K*Jhz{{cY`T%Dne|KGoN#4@qdxB<oMJC`c?DmJ-ah7+>q*VFmV{gQH#EHh*#A(Kb#c{?O#F2ZyfPBvQ2vond zH1d>e;I|N%7En9eC=et-65u$`cn z%e(Ws+q>Dj3%hAhCFsh9m8(u1)fqE-o>wZaR!DhW@{-!Ux+^7dNkVF!bnCyLL;wD_ z1kl|7?gCKffBzpD`{KlZb^+o4=pw4(e=9(8WppccKj`LilCO@Nxo`Wx)@b3*!o!6J z3r1RZv>v9}xc2=wM(qEG0EDdn#*p*>=wacT|E&O@(|;=P7w~@|1bYA92qBXH`#JOK zy6JyXtlZnt48?ou*oZ!R+Q_f#oX+gu|S%%sYrW3zeM$uvU$n*pe7xw~Y@H zNO6y9WKG8@iKGt_c8?iJD{-xeUHe1oQY)NNf}p)7V@@vA?CiKMY0^jAhfo)6kMIPn zmnL;-L#cRyP>(?9MC_Y$A_5MtI1e+i?2BL!9*5M<1FN`_sL|XO+5rypqkIYx8=@%d zQNrW3{RYZ3m|V3Qjc5<{?2n1jxlODHF(cK`h{a-5a`zq_2_*GN^_9=SOho;t1QS ze=~U&;$;2F3?mzGR{iVM-b(GUz03hBLd|zS2p~UOjXC6oiLEk5p!$sBFy;soB+YMS@3r0qQ0&2DO>Xmbb2-o^#{RlCGkB6XjD-gK6Mm3gZCiJ8f&gJm zy2UR<26HTlsgBGFl%d76ORsdVYr-@eN1%_Oe-iHJ=Ku}Alv?1o&R9Je}Md*`mtBpUU{=Q zRe?gyk^w9*dSTkF4(sY*IW2P6y!X-Goi1R~B4OjVu<4QjQCl$V6;T*Rc4sEp!2LSy z0A=tUlKwu~!~WtMukC(wJVJSbu7m{Hm(%bxXuB$DwfpmjUOrejG1Zl>@}}VM9iJ*R zWHPA|8tO+ZsHl=8BQ&X3yRoDKu$q7@rBS<%8%kD>$=?p8vr!ysE`@D0v<;Y z7S&~h^@>oCXP&H60@zn!@T2XZijckBTA&1FBMDx&LgEYqw&9jydM4@XpODb-qj6w( zSnpKr64Ofu^r#9CKvWeDSwFl*mkZXp6f%mW|hfHoRq9(rj|%>^|O2mg46 zKupps20Sxq^nLk8#$n2@x4I}YBieLQOk{6M z6Gru=4ukATuU>3bS}=pBuc4R+12>R5gkomXZk;QTG3f^k7yCln;>pbQ`IGLw6hNxS 
z0Ii!|2G9$GXv9o=Q%2`oc{Pa;=fN~PP1PNBE$7KnkY=N=hyN6xQyvvs`|2SH%(#s? zG#5NlBDqps3z^e^6o?Z6A=MK13_Td<<#f%53JPh@q$$QJ6`QmUXa}yhMGLpcB<5)C z`kIIedw9o%iAL`K?0&gwSF1KvmO!YFxg@D5G1()}Tc7AbFmR4~(}(YT=V1mNxp9K5 zAQ11ddc5EmBZ->1%9IZ8sINkbl3uOShVqMkHvYl6AL>(e`p-#tD{sBdycSO~x_DXo zGuO_@w|VsI)5^aS-`FxuUtXJ3>vo!J>Um@I33QGXBdnGoh+ShhCOVhB6Fpjb<3XRD z9zsr{FE;rsTFR(Z{d(dA9k{TWK*VyJOn1YocfGz=4|~yO4Mg_Kep(V#$3(FUC#TkI zb{bdfvu$-v8<3f0Gv<+^tz}+K?1X3>9eUQz#Fm(ot?k-rMXK+_ptyvG2sj!c?rJ zdvv0!O`X1yTV0gPE0^LC8a5RCmFEjO1J}VXy8bjAWLG2fZ1=1ELRTyQWGu~0E51oK zS@MF$ZzkZeFE!XLay`?7=EqR(Mj%QV zYS6%sJ19!Yi$+2(*LzWZh1p%i$!mCMnO=>vmnjU|f?y=uqm#da3@FEr5rPXQ{&&4aM2U14V%pw;pqv8s5W};2QgRbwpvBQCeD12IXF=} zUxayJr&BKhHd~k$J`!rzlgT!1CO#8`U{}M zxCDMc{wDgPO;K#gc*%tE5HCMr?lnICh#Wc~x=XD^Yxc9^?|Uk5UuE7T@1Tv;ZyH}_ za_jPu&1YUiTsQtvGWdC!d8}q9A2Du+INOzd2!}woE;A*`sr{l@4;}m!*6j^K8Y)5F z3HXeNrM+j=EGTE>@D~qX0>8L{6#a?0NzCn`@;rtw6&2^<^=QEM*cd3 zev6Q+iXZUcVurJ3IR$nZ{Hm5H(6w_TagP4Z+XK3gms#%-)s1y1kjj%X2d~-(_ zThKz!`#j@j?9t}|`>f{!Dy8%1SfI^kVfY{Q`nMd5Vp6Uc=@$FXBph{Z}vEJ*{OG~T-g1uKkrjV2boHW>F6($K9?D4(~_F9D+LTVDA(cvWt zO!bh)1ZWP;P!yU>oFt#5E6x8y$%0>`;-o5PkM5FLu}83oD}8{veM~aSdle|j%t%1Q z(_V^#@@TI_!TONKAwIQKTtiY4x^W&2(uI#pGuOf~hlsnKQ1ecxK_}w-GI$Wv#I&(8 zGwMU=LWthw^aB`|b_n~Q2;$I{_<#?;qlWQa=V+T;knKAeGV^g}UspK?f&&P$n-}5< zZ5B5UjGyfhIBUcbEmupW@jp}<3ivfuhzj|-DDy;!b9;L#t+5{`!<0G9#Ps2GuAlyJ zZ4P-RtZ4~?;1^C&n_BbeWBzFZR$x(G;hg7gCQ3npWPWr)0KKsU^Y(b6xn{Y~Hu^XQ zpZnwvV!x$64=DqFvFiOl?WNFsxElQ6|CGPchilx2-ALZ~z9HwK8IntLJbAn)Lac-2? 
z+ttV?1dxvJ@pkaKg2*B(DDN5-xOO;PLu8A8 zdry1cIgC%|V!YhC_PSwsFk1*ecn!=kPmp7tlgxT!T@-Xag3i__wO z$`JLI(n2-*KzAXU^Yi9tsAFHF^*nUxaf9j9v^`!p1x&9&CqxwG#AwV5{-7~X)|fxw z$9Woo&Ed;_8m#Tvs8we(*>B zKDsd#mwSzz<=MzmL_25o_Kt|+Uv*SzjG1Zbxig==ud+}FJl$X=6|#WIuO+xpz}L~B zui?!@mHFWxYiS(CRe8wj#4GjaR*dB!CY4J&N%p8x_6Q?H^NtU<0`?HB$;F>h@??$$ zEs=mG#m$)Pzk;d6N4^&^lOa+grP zrb_dtOv;q64t^OI+R4JN9S}VFfY17%PdY&bgc7Qo>2);B75-x(=w`k_gz06F+jk|9 z(^YKs<8_atQjb1^`-XJBWYV>RvLf2QKTno|;RhknG>L&q$io3>J`K>{3QK9LhTYmY za|pIk&&>Z<#^MypbK_do5>6nR_K*XS5y}gNF-Dre@4Pc<&(M4%ntA< zCvl*{Wkl#Vbmr$uZF9xp>qnYGw9qYJ<0REo2+t`*OEw#(sdF&|IG}XdDb3aQLTGQ9 z%Gc>@d$-BG=R)BoOUcal!zL!yBUEo^ymMKBhvriAz(S^Y7F--q|e7#jvT+!AgOdt^4T>}IH z!QI`1yF+k?;7$d1cMlLCcyOn1cXxNEa44w1?&$7^+oQk#;fzra^|JSxXRf){UT1FP zfNQ>}SN?Ek)nQ`bMo9uj9`&M%($c7L^QGN-K?2aY$CG2LP%ZOnX&6|TuvM`QDc?p} zpPlT3j_b&mw(I5rQ=YqIyT-R6-Osdp&G3#^Z%ipQrT`nROLSF@OWB`gCPY;F34=aZ*$y`_3BfD4vE?%Kwg1asy8cwXM!`7Itmb07~e zi#5xq+#+k7Ob1j<-+GREZaSuV#(Si(XkPQgmAn;Ioy9)V?E?$80l&8&V?6SVNwtRK zdGiDI9L{*%H=ZX!ipcNerz?Qrw#i#GkfwoWmg2j6Xx<~9-#ekzyCA%XVb50iwl>`p z6s8kq%Qda&9LZoKP~(x2;<@Ucbkcgo|+8*ThR#SDcqmL}aqVmqVgu#;l5v3Hl6F+(o zITW{gW?+-T_LW0;_Rmg+pqG9@sH}vn4EtTY2KDmh zm|eQI^y!Vcmigl-~&3{OSK0m}oE;QnY`^c(=uQQ0Xj zhzYqX*@p^P8)v6XzyGM#m2;*yxJULTpK~y!eeH_tC)oq|-s8#eR7Jx`p)Uv)fT|S= z*4^%NuG~7uiA~`%A!3`crGzKF^zk2yukoHI98b9vEpwV*OGb{Ou{9CohtY zZhS8$)vVr(OZ?1}HQ(EjpD7rgg2TwOMMV4shh$#Xv~{nR;X3_SF-9N$%-JKWtl~ws6 z7>zt!Q;%$!EqfQ&=OK^E1XvhO#U#|YK#eO<_BV{{CxJ%V$AG12NQ`E{u_mdNa;hK& z$uw<3d`zj(zEkU{E`)uQU}bl(CaI?G;1wq{k0;iTZ;PIK3u0^aJcAsN7G(Tq`%Rm} z=pZ26*%4wA3SPnm-_ENK9I40sTnD6s4_zy7Ln$pLeFo{DNXB%o*vd+?z~4b@6h|*# zpO0{THdU^HMR`7PrGs7iJ6z{i`>|V&Er-NbLOk?O%Jff-$nUy``c47>5chNW?|q;` zz;xrJ53RwN$K?By0H`_X>OFct_U%rY{?3iz$qEmQetKo@@7%5-V0w*ZC+IQhKIv24 z8TS@_t3@3b^={qJRr*8)c+12n+JF5j$JZ0tX<4YZ0~ zGuAr(4=F1Ng|D!1yL558l-Gm*l--eBefQp5pRo@GSEVdRReHo@8XZB_W*zJ|50-55fXlgp0He{amIjsbMmD~A6d2i?O zg8|cGAgQgSjvIrg?UN{8$sXgf?K3>TCAUqMJvnM-A81w75Ok$_EmHcv(d3GFm3&p% zc>Qg|LUynlC5$4%*$PGvC 
z{ko|4rw0)3gI=E-163cP;454|@t%B6c{ZadQ=sn>F^2ER5(jxn`wY3p zvA1{+P*Ny2raAUV8H0XbIrCy%S^GM+eg&QAYT`2hDE{s|YPXdD5}|}}KVRIz4T9aK z@1f<5$~8xg6`;B5sF`k`qR@};@g&AoMITkDVa_Y=ggP`Yh;I@s3vbLFevx+19tz&& z>urWAYydNL$@J~-AgFi&j{8wt4f}aBD!fL3-+{WXGd8LA;Vk+?xo6*U@25)rj^r1; z*EjYXBiuLd{)kUu&;c{gItQ2jbjSp}+GzoWtg8)bmK}VRj$&Go0mA7AP6FEXvXl_H zQM;J4!(>1f_)?}gk0lAh^t`aK=nhi7{bFoOvNbm1`M$|tV?(?3R_DI%?UrZi_Xj#| zxy4KkDG`4+Mt*O2o_sYfzFkqWe=RTpT>|x9$INbX@0|*v|1u-o8=D%wx~#1pdiZvS zt33l?pMH-34`@z;lIbZ-06bm7aV3E3zRfJi|V)blX_#8d&&#X;pa}6c~+rP_zA&{>dhKnWFPfq+FLp##5t`*&P{?T@A+2?w%ZLdi2ck=%zTy7EjSe}OjW1;>R!7Ptx zDy6Q_hYqI;WAzd3mC=GsKde1bv#o1atFb-vsr*!h+p%CABd=#??}I7o8a4%2Rwub9+DCS zxa8hks;N9nxJufZI@*f8W&P^CJgHxK=9KP@`?i$)vJt;qvpQ`i0GwCq%6TR}c=+fY zyVr}hZwyU(wK9|S{NB}@PwxZjXL#=hJy6nbystEFO0FMWt?w*2MxkmUO4=q3Yl{JVQJnH3%TyBjR*y1%?p3?DYLdxkiX=6{FeyervkfZ9}kn z6NZQAo}P4!5^Fyuh>X9{?ioCah2{ZN19(2oI)Z3oCqWz}-atX%ojV8%tWz4hRYE=6RB!l~W_`3Z5sJA!eEF22B=9>ZpBR?y_LlAEb-}1&EnLx&$fe?u^ z{y|q{As|!>`Y*cw@)H?@IB7xrke(-?uiE4s^Mk zjgqCq0v4~kN(LtR^&i%N6(@b5(?kvT(P+re4vLd!_AGS!kneBV`SsOBd0or80pq6h zz&F*i7frHfHQ~~0!ndQ&eQlQXkekN(EgE3Ftik8;bjOeYvnX46x`F@5%)gZ>503heZ^i2=pX;u-80( zZVaO6NO>XBCOqlUa_u3*6^#or0T% ztlZ=hd?u3x;}2{a#jJeOzCA(v2kB)ZvkskGJR?_@aQ0My{CD!dr6*}e(PJ9U+0ByY*Jv(@N_7R_RRmY7M<`rx z8k-s#s3T93ORoqF>4=d&1+(()$Frcwr0*Is?nZ`^q`&O3j$ffQN^?4Wu~iXsY8NRV zFzpfjOOI;uAx|2>d3h5ms0t`Lynily*FjD1WmC4JgW8m}31UY)iEYOg(2`rsiw&jo8}FAancF<6mBL=;h_5Z|1JJ)T&e?jN&Q0P6!$`jdz~plMEkTVA!bg9 z6ke?6_wWR+_2OK=w6R6w8XQoDAtDGd|F(u0>I_U>Vv6uy1N&PZYeajNQG9S8raI6iajFr{Fpv`uE$to(#;0 zPj^kV^IMlT_S5AR3>FwR63*O>C_Rf_p9zZ=rP9-lPRgn?fjAw$a0eQ zOhor@%Jx$S$k@OV54oVYW==k34W%n(9E(9Oi0txv{y1gYk*VWz@FkbN(+~XdZ6ahg zGWn*Ym<#c?qqgO|U<|fkjMnQ9PgGMd4qA^NJ+9SNs8}paktQeiry${Y5n=~qo03QJ z8A(N&KLSX{sK^uxxQj5top{ka4u4hi|ER9U2D?#ZsZxb z%FdD_qt1I8Xx0arx6}F^&s;L~^27Aq9uuIr0A(~K|`xK_A%yYTg6BiXgerK$rE5ezwSzG zaa%Dke2Dg96++y1trP7Y%ttPreo{mpe%+-%BcoD4PBVyaf!uXxnMphLZAP2Tmg--2 zl;&M8?R8{ zu^Q7mKCXuM^Z4kBdZ{;UOg8JKOJ_;x0%KBO9cs$mWs&DSDRQ|uCt1q8J)4o$={Hgm 
z{GZHeQt;!L@Qk^R_-K_{2!1EytZk*_;$psyWm`UXf#1j32TFAg*An~me*`Hbq#~|g z&_GWpcpNz;(|+Ye9xo9dx!R?cq_J#Rx>q2+aV#Wk5-Dtq$MZ#;xVrKtJ$O{i=#zA? z0e{-AEM^IB7FPL~FUSAYY|*x37&rHr-@3m8XR zHS4+Ft&A<7FI6f$F(+MRWJ|HOIEgJ1^qoC-n^oVBG0yk4@#(X(@7ZtV`Zh=@G(<|4 zd;PSqiF%;W`uzz-5jCyQasc{~CYq${i1KEsw<%aoAP}YPwpk{}C|s_12ikV34uz?3YYE zFf!frisot4xY96KKaN(tuVdxYiLYIyp^p4DMSaP`H?Jp-!e6T(q>4a_SJm^o8kU1p z^6g!v&CRssF{F2la5j=YTjZ2*$pWXk;VzV6#Fl_VvvW2%b%rqR&pqU&QxZIrmT{a! zKIc-1*j(duOK6td^*s;<(1R7EKcM0%_mdk^hI^Hg%1kkIdT$Ue=wEma~%9dn{ ztP9M-u|=*83p3CDUaf3HxR$h+qk}odl`<#L=$;iQAYNlN5cOB8B|w4fZR}$7-rc!g zd5UzJSZNX9Tfvi&11`S7bMg41#d$|0PrSfUoIR$|s%g@1ipm)ilzC@e2J0Oo|`BngL> z$=ED!VRn~kVK@P`M&*jY4oL1nV1__iMPEK-w+TO-P2AW?0o~W9GUuS>!%}9MU1Wz9 zWy3FL`M0@#*t*7#{oze9iTSdE5Y_(3wNGt$ju3+(EZRd$YQ!Q-)hAahy0YmITtuln;&`n$bViE4%fi z&HYDs)k(RRjyvS?sSZ(;)Jy+t4&vwQp4IHVR7zCj@!cS^^~3R|7H(b_iM^ME8SU2JnydZUSgAAI zAr#Zaz^X*yY01n-k7MEigtqH?gBoWSw!)p~UR8j43CJdSM}*+g^n&f=sV+z2=U-0Z zv|+AUVmmEPjMn4$!){FguF03}G5-2cQ}h*LSs<3_T4>T6hr5B22bIw2Np|X3GR*ry zmd%xJi|62+QpGQS0o)I$zK5sm@o4_-NNlLQboXAL4`sA%hE2BqjB*b~wU*x%Qb9xs1 zH`&@fvQ6B=3LpGV-$h80uYr0bsQ$L{m@rV@@-EJ5o$H_ZL+k{%5%~9LF$2;+p1-;} zAJXIy0zttawox=|5W>c&PcQ8cD-okgPwHI`<^D2Q9g|J^QeCv;ldblWP!`P_Tm7LWewym_Sy8B>dms@s%INoG;=R)pOf(^MOok|udtfR|0+SUvO{X7b}Ozgs}L(x z$ci;(36!Nuo4a2fvC(YN<7oCS)tB8<8F!TU=-73L6S?-MxgVf=r!+*9p)inCHkl=BXyI&PwOY(ys$RXV-J+(aGU9iNgvg30Lz zQ*25M`r-;D|47j|*x9#;Va1R3L{SrMMBK)X>bxJ3GUp@EDV<2%3GTvO*7n4PG85Ro zU+RMunH?iHB3NG%1JJ2&dw=oP{chKnvC5{G9kY#9!JQXu@Oq0`?byHUa_1^qVc#FQ zXr|c_9Tt{km8rFruqryeHVq=QM&>-^KH~7WzQ@s*gSIzB#Vb>-vOFHSe)vC6U)sLc z^HJ#+M0}MrQFuIq%UA~7{;3uv)+ITBor>|&q)DyB#dsqCYK}uzO+!`&JkVMucZ^;&PGwS ztCLpYI*#f^Kd&?k|6`?20AnMf-WXnQ+* z6oCX3SzVmYbCzx1OgfJZ9JnSN9f{sSU#0zf_;lE9SId8m9W7kWfxp5y7I~Q0W|-u$ zE?43(eWh`Qm1tpOIV9&q<+lm-wI0zV+uIM>q-k**fbYb2VlGXpgnKww2{VJ&EOGbI zcRQ|i&;7+RkZReS)Bxj2E3Lvz6B(JYd>b9=vJR?{z1&pNuB@;yO2T>@t{K=LRdW=J zxL)G8kO{1eQ@V;>haI*c;uo%}SyRO6bhQ1PW1w~>;If>u4jkU+V|Y;_GiU3fp0x?o 
zw!oPtNV#{XQD#jj**mR3x91<({)~C+C2{@j=FVzU;fOY-k*4%TQYMO@lo|htM8Bw3RDTp%GOfaMr81!Ri4mQhCY)f?8uTZ8DPUHDu$8l0 zXhmlWS!(j^y(F1zWKQp;==-duQnn$N-5~6S!%wj(Z{bQ7-qYisn6A2tj>|_)Kdl%8qhz*J@^lAbN`5`{FX4RiLKLWC zII}B3OT!;hDt4k9ei)fqnbjDNZjw$pzUA>&b%y4%%Jfq^;@12@&Z}ATR$9jPgPs4B8YXQ zUc_nSwCAV^3hWB_BfCZWj?zFy<|+|S72;2zQ88AXNR?XO8k;=PKB zgHOafai7V_XNyZ?)zHoDv zQ6}D^{v22~R~x;&L$`?k9Pe`dz)`2J5ji9hF=1b~R*KiTyYRI73x@@-cqLHpkkuAJ z*;ufFV>fY6Xc)RfT54hMeOtk16BY3lN0EqHt?p>>Gb2~t8-%~TsY=@M^YB-T5rTh% z{W*;3FxmSKaXrDA^-tLG6M?|^7pgL@qD;pLeP#r~y7|-c>Tg#?*1B8vkM903-M?ge zg1q?S81@=J%ZM1kYS0{K&) zff(ZQjpWG|yaoq2t)ry_6p0FhTe7H%HSq5|SvKT{iX0vk5Qpy3kfntkNlzeg9@ZEW^Yg}ilMm%$T<`3?1uK!J)-!=i)u(AB7eBa!+;y1 zw|qq9)*sgsKfW^oM5!YG~6Ag#}_~Ekph2g*%&Xr}j*j$ejwf-B~JKOtAwy z9Cxv~?rYSknXU9{-u0ezM*_h8RI_em!)P&R?mHWr1 zSK;V-cfKLI_52e5fE2@eJGJ>Ia7@8cBOS#P!o)*U)fu9t-QEYTC$Cvnt9~I;GJ3?| zJ{m)oqFZWKz7;vdI55ps?6}JGceUC+nBJaPcykv|==bI_vgIzpF$zzsL_`UlSz0-u zTEfGh*)g9-o0XG*;0N)G`cBD6Io6GOS*`0`wl6 zvlB7VRw)f|tEdM#j}#?PlAS%Z{vxor^Cfb@x7oY7%(dt6-t{};yI1%*Ab}=Q<^Igx zTV!J>=J)Bv?+UkZ4B3qN>DyYL%0E0zdtH{ltPq8s@C-5QJ&fUWGrFO_vIoA5YR(!_ zTW3BLu%0F4j0Sbt2)AS}Geo5`ha8C8OHmedWrytI6SvX<%2eb#3p)5OX?34etOM=+%-JL=EA`(k3YHUv!fi(k*mRb6^n9C z9fba)_XF3l3q79aXQ_w7x|UZHBfwki54^q#N&jhWR%MA6bl++Ci^~f5eZ8pQiKSuj zS5jEge7=udlw);sjDQ6=&^)&pk0%n~gHLY7`(!6>m4V`B&)E zdwtMd<@ezCc+!r)-1;i4!HJ_xRTVK`g4AQM)A|*@@Xh(P{Mz}_Sn%QXm+HqL@-Okl z^mEi-#mq1UEm&2r+OK?gjqd&-TPm9kW;|NYMjeL-vP0%ooAkA&B&&3-=E=3Iku#zR z@INBkFY2QMJ2iWA$vOJ;U+wQH$0hZq997VB?^GL;1(m3Lxu(Btv?cWEk5>k{m3j^S zBVem2b;KkQ%Xc1&>&DXKH>#{knS8H!(do+n9(s31I6s;^7`Gd~nm|dT+Uh0(kQ*F% zi-ijhui*u(BKn-}9nX~7< zIA+#aSb8^fQSq1lq-L)$j|gQ-u~y{9Z0nf0B>%1HNZxbynEgfhY+;3AjL>&6gzf-i zO?~d~M@Kq8l)f)Y@};tLT4e~Gy`21SSgWw)xADWvFf)2UcPGl5RiqLZ5c2Q1T4&xu&Z#%%2YOP4KV5)CI+{d{g z*lG5`;DSQXGgbMz5rcbodKxK0!E_^~N{5SF_g>{sJ8J`#{jrP*Ivw)S8k>x>W!oZI zD|)-AUZV96eKVS^`rs{#3FTRq1jk(S;0-CwB7RzHtze$R&uIN9HSQ0>Ftq$c-Csbm zFApQCbrKT@I-ssCan6zFTf#}$A{0|5|E{m@>~#FLYstP-d~Qi6;gNuRPEnY$vs{mV 
zA9+^VKgb@a%?GszOH36V8Ir?cHoP6&gS2RUJTn3X=A_46Ic;7SV5QF*S|p=TP+4{G z6p$YR7Y2#)zmiuxRY}}2Nf6gruc8DKag5s@NROZ`hdCX*#C+S{ei zPxpm=$4p{*xK`)0QHzbj2$on^sk%{6J$~z0$A6|!k%#+; z3LDdz>vVez&N>Bv6%ccF|)Q{adUDoGjU@P`{}}LW^dx^ z>Yl8xOe}^w1c4i-s+JP#m|ld{`dDj!l|IkOMoTO0BgaPTPrAs&Xz0N+Hd~Tk67SEg z$ZC@u@GIbN2}C!78;jy$JZEkEDu?6s=xS;UhI~hg_?B*pDh>_JQ+-*XD2NGdfisDY zK~>(2MF+0zpg1c`|jLBca3oZz+tm}fNn-EYjccfhU0qbZT zEXYA!&sua7$~DClsich^v!@P~oZ-&m}l>gB#r;$hi?V@qXqNb_Cl>&xOcnptsfJn>J$0kzV32gT9<& zFoe9NAN;qjv!}%qw()eKcCp&VwfAPftlQST+;~ESXQ1aMBaY|uAt@4VY5?9}1HdhW zHs#6k=sAoJf5G?CblnvJ37xzSW3mCD#K+;FMWV3+a%4T90ltL>gR9NZ&7TWRF@4b#g3Qy^uM{THgUxU#Z0$SdS~ z17h*NW=blG5Ie*nuHN3?<4%7OBh!no`#az%Pb55(P5vF0;MURV2@$LEpwEAvS(dhz zrfY3Z9EisD4bJ5q*_XPn4^Q3T3nc?n5h{Z+{i*&4Y}I7~94~>rvVCL}V&6V>4&bqO z5&R`XqS4HCginVLSbiB2)itn0b$8EMeKv>FXmo_T3}RAzDRou?AoZCL66VjdTb%x6 zBM?^qZR6pWfjc)GZ9k*;{Y04sRmztv&<LZlEb!d3e8F!t5Gs|=!7PG>DVuBR*=u~Cx71_z5jR6eu^5N zM2gY2Rg&-p3_U|(kEcUN05-i}oX$%s^J6{Y_0f)9MJ;A3-EexPuMze9DO&8^Qo)Q{ z?~8+8k~a2t2L7EA>N-fasn|C12)Nik`FQIPHG^EhMp$@Cj*GzwS6{5;~>O|sH;K?ETn z{o+(_nT$Iych8D^dlKuMh8}qg0$CVlgY{&~EjlEAI1o*YGn$dfu zz1@{CERh1s_6peVVvT!swM&ydz|=rEd^1MFg8cT1%D|?Gh7>(O`bac-Z(y08TOmG< zyixp2**+$jb~`wivVW8)8^v3PvZQxH7k%(aGeZwp>rjeWUKI4rw!1bD6gE0=jEuJTwHQf%f z{CDhUM2hC?p)m(RpRfO8?8W7jB~0w?O-;<~{#X1h;@XjWMKPtWY!&>>_C76V4l*%b zP$7Px3@u)0VP<2aHQ6`@>OOr4NZ}P0?V&$J9nTzFzf5QNMgKzHM(zU}TQ65>8MhQj zfy^sCm!_)qK*vhTqRyWoe$m21JDV-8a+NYq|O z)bR=NXwx*3R&8vegQ*zi1QSK5^8HIo|Ci&nLQ!4r&d%8eVLJGF;%*TbC%=Fm+F-PT zTKmjhRirj45f@@Z()4TZQ`o-F+A-47QZqiP`Sw(A3fu#)KW+ZB%{-ueuXy9oSC>Zj z4qF6F^{6PG`(r6QZTu`TkHIlNRz9curHc`TUd5Y;bz55VgN1XXyZHFa2rV~Vnl|h= zM%c<<*cOaDwW#B6^?hf*-g+%BUEpLXAAc=n#XfAq!Eyg<_nX?8^-thljd0y4#(%I zgc7)=5hlQeZg2fT{rfQ*Z%JT--^g#39SZ)8#Dqj2F}a_=S`^c!|6^lkWoKpk1w)NO z4aWh85;4$?{3Vlc`TtsE!Na<^GZbQeP>9j|kBgMFaj`ISb8_+i-^8lgsszV|=?^D| z-%ECxjVnun-1Hl@a7V2W@r&r)q-juJH5niJkd-Q>>h%XdT+8n%Fa7lVNQQ4`*`XGuztXk*So~ud6+(C?OH)@;qXk2uutXXIW}{be;ai|y17EmMK~lWHn~Tn*M(h;d{x_MV$d7?z|d3ox8p~LBD*^;3peJTVmsB 
zT4D4xIbAi6?3J<`ndje;DUvvVUm~MkmhED2B-|@}>3mzBT^t-h2>1#92gTIw-^?Fg ze+kw^4WT{+wHQNS1*+;F~QtN_BNg59pu+Zjo7 zwpT(4EmQ|zXp+a@ohlJWRL*lj%IieVfMZhnljlAH)YkO8t1@lW3XjK^fX=A| zK2(GtliH)_-HrWoo#98Y*B4IX?Iczu5M5j{k^62aYO2xaaC8dSM@imqysoV-O8!$P z*3R>bgvbk-NQ!IjNo}H$4-i}JbDyM5Kg>biIf7GmR&koW9(fNQEE{rooRcUXs4by% zOB%D8PP^Wl&u%P&xE`I!RIk}N#~<|aRbSH`dhWYH4wPnI|Ca14Iag-YSx zo9`3c|1@_^VKPbmwn#^eL#5cX_=NOu16u~dJu$V6vQK`ecOe+&89ibpo^ZwOlFDhO zZbGeMO4<1xWoU1P;Yp{STbmf=au;T&>WS~&28aT?YwTX4>vpC)_=VpbBncAGU{HzM zX<_29ulGsAwp`yMxA>EdBmb$!UYS^S+zF6;`7G`Pf&Xv1yOBCt@j!rq`GfgC3Gn|2 zENL5ii~mIevFVS1HA&p={9V+qWOAO___77?rJ-#N)3EfI`e|f*QTFBnO2nV(;*xl4 znasv)#%#wneXlyTbwgn--Ucb)JKB@?=4cAuo^EgE9;HsqS#-;c(1VU{rf?!Pbs z?1Hz}wlR>j!jqsgcZnKz&JsvcUlKHsv_?G2PBUn%mKo<6DZ=Ei-M9to!?Ls@+T?<& z!}JDG6}HZ2!jqoJD1Cq*?MPl45@#%U3deA;wCc_P$y9bbhy?;SIuCX{cU2CSu( z>y``6YX?S5QAQRyQ&u$eQa_DEUfwLGL+!WQc`ZCB4_?C96MOf_&@4Dze(^)9w!W5= zE5_KB3+ot%eG8jCP1v0oj^?B+*_r(_-zSbaS7~caHTrKzVgU!sDP}TiXEw>~Ky~|Y z=OzJ0Fp!N}%&~!1ESGZQ_4*LIBeP9L#VWJSSf#=RF&_!L^QJ}oZaQJtt`O>MN2xi4 zmCxwQv27?t3tY5x!FKZQ zTdw3a{A6M>uDjE7?k)c_5eaL%XzMY_h?<=$XrjGxKE7XpZ9jKD>Nd@o-Acr8ygZO| z^3h8E`3I-*znAGTW_=pJtd9-4uA8X%O=y5u2>5bh`S zpfrP?>LhTW7t6a^g94uI0#Rin?~#twx!IgrnRUrxlxD*bo7)~XGbfQx$~cwJ$Fyr5 z+7dpi^mw^xUn8t<`h$#SOUZ=#)qK1~i`_aI2jzN;q&vJ78OyHAX1_A^?TT%pzr|^Q z(9=#Z`iFYUzdLAfQT8l~=2YpAuJv5A4IwX;lvIAFaJ4ISoY5=zm2B9O_jhP&PXg05 zE;N#*ev0GhFbX|y~SCfJY^mjGyh)HtX^;@Gov`l>kSjlG8)^KgdY=?WX{>FUP^!t3pLK)icKjqmyy-|~ z63xT`aJ_;WCPvP2pAxxxguhglqTGK8@ktg3@F2aB^ghcY-Is=Xn}ga?^vFFAaIU|kD)-E32=9UFnMFQL zsXqrX7`t7tv_7O81`Hf%?{IxH9$M{W0Pc9)(soE4tX-q0UiJEFbYW1aJX88f9t>4O zzE*>Ag^NJ0PeG$BI}9eFHHPu(*RemI@wiei7fcjT0B8af3wS(; z{CCbOD8sfifvQ(Ms2ck6KPsXB=A#6K02gZbF};>7IEr&RUyu*^eT(> z(1v~9OGZbk_P-rS<31H8^V9^x){;>#~ntJ+8};zcw)#Brq0XSQGr0Agee7Io4`L*Vt9Cv zHARY`Ri^7WyKA1ViB=}cxKwq0zk%gq2E({!rFS(44=+od!?2?&?h_$hPM26mQgR>n zN}=*%twa-ux|^B!{WVXU3;5x`LqwQ*tt0~t(MM>AsQ$+g$=ExYn%MvE0I4V{!$PZz z)X-E6c-0S~8D4N0mp#;j(PD5b#~=DS^@-`2_0^&h^AAS)gGIV2EOItz*x35X4<|ah 
zGQBUB9*4gEVrW1f{=Ku?KR_>WsV6nM$!fluixuozF_ctrULh-7c^Js4EQlCc_M&(F zvp+WK4DDpOOpiV1c~wEMYuogjP{mP@z7szEmGJxrjP?de!VxB}`L*{L;7^wQnSK(z zqC&Z5kz-Usiyg(f9U9Q`prBxsX37zL@2NTWVg+hAtzRywI<**XdUc&KFu;T1Ru?# zGOl`n#ol{9Ah1kABk%>raKId{9ap{##v2zVO@__nA;J~$F_OLr6wW8gHAC)rZ5=$s zmQ<2vUk>@d>O69$tU-Jf7?@_9|G)N`f{m$*$^WVHVzrUHG#2pQS?Vp>Df>jbBj)M! zb*Q61f0!8=4~ZF1vJ4Xy%~eX0AtbaM%tVUTbEv3lYHEyb{La+akY?+^@cV;Q580!? zjp3SJ`-+quLAusUz5okl|M3z_D+IFX{g~%_xw4rZF5Gef^UM2`kYM%SSmXxtdCvqM zVWhr6#P6xVPUhv>3fLi&e8KjGz%|n4tL_UI&v3X;204Bz+e%+AlSVw-w+DsL*BN*o zk=9v$4u`UNbw_@Zx{)ZnHu*&Eoal)p`0Y9)f`Y(Hd|NKC^kW{rm-M!7;E_4#*5w{0 z&=|Sn^L1gjJS+=J2i2`nYK1WpSZ|vLwgw5Twe23bg#`^662gBIh!dWRj9!duuWI~- zP@AxmwnMm)ej!25!k2irSe$>YUZ;R6a}r;^%s#!~rysBOv5oA3y5U(&n3|)RcKQ52 z;cQ35QUR2*Uad*;)N7e!tSzG2CUf6^Oyp5gcp86=$)nKI>~t$wcAWUAZlf4+l@Wq2 zf@xp$*22CqjfK(SuBe1kk(B@Y9>Uc1@PmDRwd)stwbozyvE31`=o%(MS?Qoe9sO`| zcc9?REdCw*@z<&D@gJPiq{yG}*53+c`KF(;v@Am0B|! z3l0=ZtBe?%4UFyUYO*kp-P;R}>nisf40!IIF*5*C;j+dnIdO-k-JDYz&#&vS$l98{ zjRi-x*!;<_j`@T$@*`OU6T~nd#k%99C~f1hyd);z{jMU;C?uUX@bqOBwxsIWu$S$dO}?eluW4fh0w_keXk0wkQuQ_SNhRT*^H+l~De<0H_)| z>lesL6tgiUyLPqJC>L@liw?I?Dv%bOBG{s1Tkhfxl0B_>Z6?d=-D|+})w#c*~Lm*vD!?6T*tM{R9%$poYooct7 z$fId$ei^(Cc_pViPK2EabqqG1DwFxt`k6nmRchC)7lxgVng# zw9cA{52nSKLS)fYZag#7>bD(wws=gh?uq?u=t!1X-5d{)+8i&ZR6oK;L}J?$Z%c+= zx0q6xV^!SzCIn&DkLcmmA%7-gLUb`XDVD8M^=QyASWTIn4Gurej#af`s}gd>WMKNc zeMwy9QWa0Tmj1&C+m~6*a{9rv^TF4aMbcx_vI%Qnm8DIWs(9o!WTS*xX}o&4!oju* zsE}{hs5#=RrPBe|_h4AE%CS&LzquDHfC+3GiCv3;qE3m-E}?P?SPQfTDvQcKr}qVz zuNQvv83m(IHh?z3_M4D?HGga`XFyZ0X8 zz`U_2QG85IGIf|6QR3rmgoP?GdxJD$Yt0WOI8Q3`+8M7h0CX!#+2X z?{$dRiCLyT2Xa&uE-tAv9B{Pop5c+Zq_~CPWh8nqeK=UN+9!@geWlKUO-OD;;Q z>MaGI>zbOwXlJ4U#>yW)$88CTUwSF+_K7MCuqyoaNo1~ zS}nFmOs2v)rWnsba5OZ(+-r{-T6eEej_?wa_FJEDUbH#d9?t;zLx%zv$K%vbea0H z7_iB`sn(QoUWcPsY{Du5;Vpxnh-Kiij5|yri8|qp4^#>V-;Xs(vV*s+(>1BpNIO0)OJSN zbnjrvzChW|`a9A1SSDV^#?*caLHM-Gh>u%~LxA-HVci?xu|;_pE%r zYmrIu&LYQhs?>`+!^e@_F%c)?B2_3J1n?M_Zn+sS_BOX+zzTZBsQSv=gwRbGNPEcy 
z_h-1vrYyl@>(H?Weis`;u^=`XN_2R7r41w1p(+H~0h!7Z{oI-DJc(@2^!GMRn4>G# z<1Ls2RpzIS_0F5dSZibbRv$BGFDKXNSzDxvHyiQ^o@rnAqC39Y_DuRuat|Q*eF5(1 zpVvgSx&y>jrD8X%cmr?l+8Wov6@!VE%sGntH%%E~W{WV~l}EcAOJT=L>Fxq9dm_nw zRGc=OhZ}QaP}xLcx2YLOKXsNu+bMmc9h3W?6&fYjLk@D~m2MGtdTZK-z+9N9#> zt#s!`T?HsHtWr-h#~`!I9;A&jgc~uApv08pII$l&PVT48I53U?P;;D8d+I&&1NF)J z;CvzD{~PuIHHya#+Q%P3AI(2Mn4>+sLuifh zbtcsgExb2hR@YN*SX#5#fjM8Q2=laz=bT z2z}fTy|zg&v{LH}b!7P{kANbP**^Z(p(`+LA_@XjHyMEHhW;O`n|~dvW$m0r?Obe) z{|{t7T46#Kn*oJ~?ckdM0k@O~R0Jpqf$5w{rEQ+LGBF9L@fC?Jy|nd#L)aSR*8J@?FyQgJ4pxk;*5k&kE`oJNm6iRh6X_I-%c-G>nq&f7F zpP;V-Y3%fzPJ*2!;%^PXeMEvu6)C8Xe}wOiMbji|2CKuA@;h(R8ztR(5XSYARsUcc zcpclk+7xY(pukIuAz6mc-xh6KNqEs}mfyolXC6YLjrrnHcSsFQJs}x&*0&*EN?~#> zSV5!fS)l%C7v7JN)^q!%WmT0*+TG{UT;n|EH_sGZUOTdl_R z0XnV#IHA9PJR&eJtN_9;65?qGaev6X-?R_{=E>F~&)8;6F{<{jaut3@2-A!zelUo~ z+4R>Z(_Lw<-W5I&tpieCR81@~{s_zxRdI5+Df!P2h9Ea1vV{D2a+)hOx$;STj|@Z$ zQqgPcNhg&>tCQ7qK($InmMiMrHzY0kn;X)$uw6CY3Ud}NUdmQt8#0l@??_?zff;L6 z`}CCH&j?K4Wn>(5Wt8sg$=r_eDWni-)c$82xUr>0v8(XaQ^vI$ebn=aNlT^ zBjJ_uE}cCbZA7+eF*jCpo$d_jihV*q{Pq{Cm&snWJf}AlT`Hrnl zO;YlDnJ6!krsJFsco6}pD%3{IHOvFWEu4AQna<0+eP#F)e@GxduWO$b$MW%Og8%l`|JB)dQPOdm=SSgbl~;`O)zq{(7yAgVm$#-1QM@v`#nAmTUj5a0G0jd57v}vAAr+~{Zv;)R~v^It57w={r?URYsU1?5R8p@O< zG49_r+%5Krbx&WJJ8W&V%NMaaKjB+@R`ik?lh_B5?wL&Nu`Q_Yij42S_v-&j*wHv@ z2kq(O&fTe;Tt@QFei03{b7VdJ9z|3r6)_eX4N00V#UnSNNz9cMQYBewwK1FyI&sBrr~-4h63Mb`|lQSbrr z_MbP3jE#Z)|6)ll06s)NKY$MrAo#64T#a_i^?&FP(%*jvgC`O6kz$SmkrvwkI>Va( zrb9Gg6^f$sm`$^NrGHJ{KU}_m^-{nwg%y?<$_?=f)vTV!c5Is3EiPxK!c@sr9dc5Q z;c^_f66`GwVchEVclvte{bU}F<8H-~(xo3fk0uP7cl;5UKUxikXAF&7k1C=hhl){)2>(Ush#P~b_TW8qX%+_KXJWE(|I^&|&whEL<#D@O#} z3MTn$M4voVaO!AUx)YNwSfW(r>-YJut5{r#&LY5b$Nu)V) zrt$FoA9W+*3597@BtYH*MY~j`hZ|JM}Tk=|;?LvB_w`ITn z=FODar0ci4cI$ZSpgc>R0^wU0^sZh{lS4mU@t zOebTyfttU8FAbS&^;QL09X@uy>4|v$t}slII6X+2E^A`z-4lY!#zrM*XLy$$Cslr= z$=)eHA5Oxw=bFt~crdP0$5Ky59Q?tM+ZTpVq-pCtyg|!Bd=e{$x2$NDTCZFS=6OrL zCsBHbUhe!Y^5&$k#;MpYYP;~|X`VhFdzByT+wOgC^>>>qwDL*QJzm)+$CLcQo_#sg 
z1EV(8cI2u-tgP;!t!G8SHkNNXi*2mFuw}%+Wihy9x^As&!j-eEk5HHTxgWtnM3>ip z>;FS3^)YM!96%Ec2ng>VqothEzg$4sN@+nJVN(j~RHe$(DRA|h|?#c->%-pj{scELVzd{TCX)yp5@gqlxc@h=eM>#%e2{;4a zdQD7q85X5>mkqaeNMC)6-2BIHvC0!o-AZ$C8)>6uf2sY8$bRSb+l)^N@LOLInjK^r z&aL>^SkbL*g7g-?Yy-$3ikEE=x@lfoL>0y?O=?6BXrS7erMe?N=_6!@<=Zk#?tFouKvLF2j7_Poi=?m&?TOO`NSPy z1|kaFfyduEaN>ruDO<3O>D(E{i%I?-W99cZjQi2|3vh=X5YPZ%QU9Y~$O98kO#%j_xcuNbs5DhT0lR{(mJYC-4m#)+2rr+7^jtaDhSu&l97i8(PRGBN+R^{)KiXJ zu7$4xZr7t`MW*WNP2MHd5toyaN}x$Rbl1;Zz~zeVG6XuXUNEpUbovjcWfMd{U42NX zR8JIpWQgTXFiKu}GZ9vr`patP7+fHv_jgB&wXwl-e#7|qp=-4v7UC={B^Y3tt_~ue z>uIwd;Z3W6S=T(S1dHveHBqOV;CMtlda7$M$_R~$B;oV$+IJyBmujo0_d~TNg+=!( zInNLv5%3JRfHsiJO&SR_5TAkJ_%+amjt4vZd~?9n)j1vE$N4r>28A!3Fv1@Ho1@7< zff<*0(zhg6og18*eOPLBm)TKc3Yq!`Z4XmXX%mo|es=Hcmzi)LITA}QxKH&QE+hH} z+h=yIm;y#0Y#PW7#B`w>7UMG{`5rPTstaqrQ`sFP%`G%!x4$PteyTh=vM1)lIL8+> zqz~dlvC~`S@oO#Vy~&06Ah-P{e}MrB2Gja>fOjHAW*a3^O`nQ3v>);gmiCAo4}_Mx z2Qb^vUB5f@m`xk8+n;_OOey&k2kbu+&p>$NZ9$j9-k`B2-hp&_gJ##-!|3%hQUDpF zB`c2{w!ixwvgzJ&4ItM~{nta8yq(>@_om{6Ei$0!wPnIg;H8i^r#OT~M#~19ARvh# zKSMxWRMx3;!eMhcSc~5mxHNN72?xXP6(g*{wex3$#@}A%7{U8`fB1m#Uv{4x=FT|+ zP-!`Y?xGpTdrZ>kI7eWjpIpf?RXxW?gI=u(HWBg7$EzNyc3#uCQ1_CopOsilR?alo zC|`mjl{7rP$lB;eM3eQZmUI#jWF7I>A}f>_j0L6sm=a1H32{73>(V!oZAk3%NzTlw zF1U%x4=I|dDytk*twJT1gqW5wEbCt;CIA~%uazth`*U4hZ3t{cmRL_&{B`ttzOR#4- zv@@jHquGdYhd4*P+S46`-Gg=K+eO0@-WVPTixrP#HRfpZxW)d@19*5cY%7XPllk4_s2^4SHk#`iWyIOUel2{;YAXt-NHuR2I*33iM$taV1OEmBtGdMc)I;@y3k`2v5HOFLXOccbJU9mw0!`@3Qj= z=_}u6CUt@i9~Rbe5@eoX;CT_>D5GZ=`L=HujmDvlNa@cheL?rF9Q$%ofjl+Qus^L?EC~DU)R|D@SFTn5Zb6 zt(nf$`>E)?1wfBpS36dk+NIcx`%XV8GC63QH+zy+ss?dWS3yl*OQk0qz81@&`$Qxj z^~rrCYTLbkR1uPvbbzw3ou&xwOxl%%Rl3vGGFJL-luB+oERan*Bhwhz?&|N*PP=HS z=+m-{>mq8YG*owxBcv_=fKF1O>1(a0*DAK-woJvjxM3CQ#N>`jOc+EiVh0|W8Bk5D zLdKY+Vf$_z;z)N+0$Iy#x=un>#o%az1V$}}eM9N!y=+4^+%3DM($ zaFF=yvmkf-vzlJdYGjH9SjZP;NM>?cC4~xOYxvTw&EB?DQDa!nv~3mc9dzlp6YAaU z*TFGyPjjwYg6qnf-ueq&MPbs*#ZSn9cx{uPP7>0RfuixufxKc%!e(>b1OlD&N#m1U 
z(1qWtk0_yHxNa0WF;RrtCm1w-Q7&f%b8qy8zI%1L+xlfTy21yU0!PvV-BwZeal7h& z_oAonam5heUJDvQh<)0D98Bb4k9-z}&k^LVKFwadH)ZCoJk6cIm$mXVYkFyJT zxl)Dy746;(AG^ntLyvPslsF=Oz-M|$6-P&Th!-;uku@;!{o1_@)Ex-^MiVng>{@;3 z$F=g1SzXDVlY9OiXP5E~syr%NuRNQwKzXCye})N4SEZ9gfLpZy7R`Tkum1r<|1(yY zL^A;9Hc*6*t)vT*lko&>Hu~okQBVX3^}p^k4EHjUXU=x1x&414!G1@RWsttXyYt?} z2Qob&6GtivR$gh(Iuyo;VLP`OVq=Xt?>82h=tz@;3)VfVrF2!{l)|`JnowLi->a0x z4yV7>#Q0T*Qw{k^jU%m+dIbOD-jA-cs{zRnI6s681#vAbBV@W%E9`G5#0P!ZbQK`s z?En(qKhuun0l~w-+42|^~NI8y|duY#ByWA68|f>QhB*1CrJn5@}9Ip++~lgAK}T8enaD!SGtr`qOXhBfWj;^(t{G&!Zlyq~C~E}Xxpa4r)Idong)ekiWgU>n5I8SfHn9~reb zzK))F|EbIX$;Kw+qh#BC%*E7gZ$P6gW5oIN+knaZ!ZKo4*IjVB8iG_k$+h3+Ogk5_ ziY^En4O^OksKam45a73(ikwj>ZB`-43n1&oQoobTY=UygPJ*?5O{B5*`jfOl^8(|Q z^X6Q*ADKWWg_qSqa{f1W z#wU4IaS?z!$xSdq=Y>JF?ep%l(uP6Xrb~lh3KD6Aic~9ObPmf437Q0w>b^+oY8-|D zpka-iKbXakeVNXFeqYB~e`HJV&Yxm)fvyp@(DUJcJJ#g{wSvabQO~o;EupTLw3wxr z2>F|XiY}60kocxCzdypA4~Pry2rpk~qOst}u|#v&DggQZOAE6zgh89Tt6#v z(LS||^pwadr#B8mr?}!gY`#!ELn`#t+{sEi{Y*vEwY>R=1!WU;cp3Cod)Sg?TF*g? 
zeSPu8tbg-txF(H?X<=)U`B8zlLC^O&kLsyV8=;{%eC$AhT+?~0(lXR=R}l)wlBz^y zz_3eBZJS(ls&N?-#!1)FMGTp|YC`9n;A;KcJ0(bbCWu~K7wLp585{I<=>%lp(Q%t8h_P1sdR5E;eJ{59gzsvT6m^4?aoj4gDZya ziKzj5>^}%?*I&po`p$HX?e$|BkO7UW49qcw7__@?(|qla?9sW8K)w?}@2tT%j=Fom zjtYB(2L|C{aj}x#FdodwSMHSC>Xe_sgFoWsB)DU^32#VlEy8CAvXh^2Zau>32=tQN zpQ60RjRe0)WN;n1Ga&r2hqyX+St*w_<_|(?~VYT&1r#q+}HvaMc_AxH*MO zlI7fDa1&c|Tx)1@P5}gMNkzO<$tS=t1J6P-tIfjA+A`}VV6x%KcEPuImmHzsLl@Zh z>+9Pyy6?_~*Hz~mp5Q26#veio&NY!KT1$obcqb4vML`=$)r@4vYF+B(yP=mM@&~^6 z{35>ZS%JGz9wAv=r=DUPD5``>_bdm#`u3PACaTm{N+zNE_8OG&tG^X^)k0L6CNab) zG)4^4#?Z)CQI63cVPoYRbW`Erqc3a-@i5mqdqUi=W&_SCG%6#i9ey#k*6FOHVEy7$ zbD>td!ELK>YLB?;SJ6qTQdPN*jO;9~)n%n_%b6h8NaoMwAfmBC7C_LPoH~Z(%QH42 zG8Svh!Oxh4ry&+TU?quYVi*&R?q!YEW}j|7Q%e#!SvNgt)N*Q>X>%-XAo;vYpBV0% zWfjclk(RJ4NT%q@PGHeadgz{I;t|vAX^{Yr!?z&aD1;XJF$zCH!U7GAju1QAVI5X% zuwHCnn)Bl7SwRrlsh2#|QllnfKlP|R5RWN6$S9m-Z6h))2(}QHZlkG{Y>atFv6?SF zA9{&$!JIpt43@*24m3uOo7pZNV%1<8vNLj8XzZ1hBsk3KLw7wdP7NIxXoD*1WR#>$ zvP26FvM|~Z$Pq)p;1)IXO6Af$V8)in#7#g;j(lLR?vW}X-l(G;&ca#YEh~#R><@p zg3*-x)PdTfD8d4H2M7Fd{a8f~7sAc%=~ei0(tQ}@5Gjw>G1rzX^Hn=_3*(x%6;=s z)KFSD#so>u>-Owj=V3w>W?+U3GVj&r1X(g@e-~m(wme53dY(Eb(Je`i91|C6*DOXp zAlV88uW@K_E8%3(rIf@$tJj3h$QqoWa`qWw+P!#4;gUsrr;|@N z9h*fVG#k`A&*!ELitfPCrG{RZJGzn2Q%{VNQ1%aEX_QfBzp*uJBoG*xY0l1RT!`LH zxT7VSsU;64lO|$1bxo3&Xw28?bE9jz8x2N_xL#FHun3s9rR-`kUc53Re+<}g%+XI} z#YV~uPr5EhnXR@IRSRPM5Tz{;e@^em#akIshbG12ggqqFf!ux(O|o8KL4%gwM)MIC z6*Esfmmwp}L39&t;%yCC`8{|`eQr$=vnu6UpesXn9Qv7Lb&Yc+&l2V_%8k!@Xu}+m zRq#p-=N-oE@(M0*6xat$jX|TGDgz4Toy44hg;GCksi%r zJpgH(PqxRvH8Y6xPOFix`t6DS7%+K5LoFHD)}iJEkG7p*#F}HCpWTu^!{MXptPYOO z_lMXQ#QsB4qs#J@Q6l;pJGugz`MWso``&9y2~y;PM-Ex;6Mu%Hj$K*0m4k^Fba6nW zkajUHO>&u4&4sms%R5c4iw+I-^gdD0aetxhl8Hu8#e|IvE!%h4)b$MQlvmQfzHG~k zQrFkC$dOamIW;K(&zxE~xTlUEN_cfvKWYrO3F#pYfSg zQSPb1vt-+9-<;AgJ%70i9eEGa@eBYnG=bpwTWLB@I?N1s(J-mlM-eD{Mm(?h4-V${ zqpYmKOQ}jyaFR|q?#dGB*%lb=Z^Z7|#ET5ZC-x(5A5GoQhw|oxZhL(GK{^|Lv)e?X zLf`9*&z~D*qAl9Mu0hC8OeR2i#xfL*qYh^Bsdp@HONn}8AE1Jo@_&MeM);{jYHdYU 
z1pAT$IY~gbE=BNK)x~QZ;cd#;gdi0kNzb?~HoAZOHBS1?SEAL(d(i%+HQQh;La~T3 zL5t;P&PNDhR=s;nTQ!4JEvLWvl6}5P-8JfksKVTcv1(k9aY6<;m}nY2X1y=OOc!bkL89Vgc*$RHfzgGR=W=N$b9^Ujlo1x-`jVhzS9kFw~{j&7N{eXqK31+-OS-A=#NRXoFHUk&GhP_BL<+Q>D&ok%yS2idpTw6(c01 zF7GtxIGzP6TqEwK*1sXKQ(nl)i{t|^6$g)Kj?Y6HTdL7^=h+4=ms*nQ4+{y<8q z>PwPw(wGw3$2rT*s9DA%G{H;T>-}CT@N7}9%&t~8OBhSi=CKc;aju}RR?`5n$cY|T zK(*8L{t-NP8Zvg`jlX&6KPWoJ_c%l}`8&v&y?jvtqgM_TQeql)xXE~Udj9Hl>kg#vV(5J+)1qZ?c5^_S{dO6$@1(J0J z0<==LP;sLyMm@*!z(NoyB=2qT-Oxt%{i1pdYzWF~DQ@To{0M?zV-r2P%0hBQo=tBc zjU05^%R$z|wDPb*d^3ka>n3UN;IM&Uf3IVq(}Q)hVr|=;H5i1nH_}aX)JupX!j#y8 z;5@tpYea>qa&@NDkfH{t!;?*G^l%GV$9y=_moSpR>Qr)N0u0%4Cv+e}u2y~gyP8Qn z{_hN6dJRxZ5t%jxP6u6Uvq*ZUl2!t~+1HZeLc`{7F9|XPaOhtN`;SdfOJ|z>P-yWV zX`Z{Ba0OVg713!`->gA@SM5+Cc|my@j}-)uODH3{>oU9CIKjHP{u-WM8lh_L&^nki z@1}ZUE29Q9gq_1%S8R(uIAza?`3U%g$Mou!h|HuWJVxY*;!hBy3Phbq28yDuTTkvr z(YTd4?HAl`kHJrY|EOL=?cjku0Y6c=lU`GT)q?+7KB}ENs$Dv&U3flc`2>&dQCPQ2 z3}gebQ@B>mvw_-z^NtUs1K-Nu$?i=xf4rE#Xjg7LX0-V{g!%>iEC~h=bftQ&(yK=G zjJ0Fc{878`h`;!VKmU&Z`vPU9a}iFR10q*X9dElh=0f2p{m7KiV!@ z^=oX|qFH+%So0RTb5p)sUfi>@xG{s01&O6_$5~Om2E8r{#NCMs)X|sg)7a5My#RrL zf(vkhng+pFxK`Mq0K*6QCDZo=@~bBhA4psN8YCbRiWiQ%dIxhyyzhs<87en~w&JzK zj#6(qxSy_fS=P}P9Iz_pKANHeh7%1Y^mqn5a1CV}xc0K8xk6fMz?hF|RRyI0`R zHgYr5Ey-mRw+0un+}!l25{p-E$?BW))Rvj~Bd=29lSW4O%z>oFW}3 z$H@!GOCi|{@=N2+r$~$+sUPzG_88ybv)nD6&2Z0{AM=>sm`~sv-;JCA6?ydWJZlD$ z5!WSxk(o9AWx}oP_(Y5d`7?tI7{WOExw!;}AyeW5X)aQgL4+#uUnvTaH0_3Xkxmu}gO z-+$s1$JNNYlmIvz6Bf`W{BI?Xke#iwiTl5J7tv~3ZpbPqpR$RpGT%vy?gP!E$>Zi{ zlOn^Ep)DjW1j%OyiH6omIAlU)P4^~?Y_4m_w;ojReQs9KdnYPh_k#Gwn!7HXOxLur zQZ6;KdEVCFF1lxUw|N&nUuNX6fn@j2fgX2U@F#WEzd858q5Q@6xn;mUlmw>V;vEbHc%XN$MauU>0O+bJ5`;MYda1PEb}KjWraUHCC8k%a;;J8BXc{ zWLc=#Wft_jZ}y~@{!>+ODJ~hjzK$h(v?kZiIhgeMagckMA~GcoWoW##uIby643?}JI7;dAdQ4;JL``v)AxxA5j)sTOnC|3 z^3F?wSf6O$gGE3Ol=cQScb<^o^jN0S~*IQ ze(eHwcBPw$DnrLUmbv|1MNOJZ>3dD)LeooCHHs=Nm5K+%OI&hN4+qVNcc_{S?Fq$e zr~HD=*=T`f`9b=u%Yf=eI=(fLjS=i2_Q_%!>At)3LR`E***4QOUXUY^Aqu`E|;R6zZmz*PZqW 
z?RESrCa(t}GJ|)q3`rb|rD*`y(`L@_44aS$CLsc&*WtlT=cB4puH%+NjrVGtLM_MX&_j((o8xl4h{{acqc6Ep zus=33&1r3_e^CtI!1DtBewg*w(4X8n7vhU{_^aCb=vm>H)Gd!0iz|P&mK$7CBakg* zvrZvokgeO(oR7_?*-H-AS!5_4{+aBYI3Vv!emjushO4g+hl3T6=b?7bgZ3O!EPt84 znd$soQhR@yeFQ1PsHq*$PX9Y=GznM4JaYLi3=o3YT|Z!kx7g~-;%hJ?5w=T zwqO_o;v&5gw%Qf!BL@*hnGqFjVo_XvH0b+tftXod_m9sW#OqzKM|2US4-Jycyh6cw z;qdtfPE0t0SBXMbTr_qG4v{A}s|?aCN0CwzsZN1vq@G1m z57@{7L&%1=y|%W6+fuZ}damVfP`b&tER-rZHaQovr%X+vNq9KnA#R&Ovu{A1*dU~z zr$BG8ohw%|Cg82(Fa`cZ2J4k~kzVrS2~-nFjm?rS*pARt^J+pOk~&cYt1uc04}AZb zZTk420+Io!cq)K|2Ef?#_q)aP&6IYvyGdpic8A`{l4UmlNnnpUhxqiDXZm`C1c+fqG1)kAIF|VyDYQ z19ebgR{R@Tej%j~3S00x(v{?6M98RC>lrw}?Y(l@T}3nl@*N*k6~{xPR)*O;v2= zkn}kWPF}Yfa95)i{7OgppKE*R<6TbcsB07W0|%`Cz(<|Xn0DNYP0e0G zNwbUDlwxwMbMw?*B9593-M~yX6d&S)%a{!%L%0-pp{S8`q6{;{_iJP!r#-`WP*6`i zC#E5#z4ip5Vt8f!`qeB(*~MWqO|9s77O?4TpL`Y6*I80;1Ux{%LLswym!|p% zOiTHuO!w(b=Ud+DS7MfXxq5uv)qrW7+)Yhm{85hA4l=%EE>`N)J}m@;t7hiw&+1(D z9WzTPici8#yKk%T*az*|U+Gz1p=b1&eyGbI=OB|a0#p0jB4w;bME4r1*F-N1(ebrm z?StLmh()R+?&W1J^3qBdE6*LmYgfu|$Ly>8k(jH2HUZ?!Q3f#)E+`~9LhwL9*J4Ux(!SQk)M7a)ixlZJIh!0>R&!l3{EF6A97p?9g=OW&v z_tXgsU=1mr&MdR3qnfGQ;g^(J{S%Vu0q2w1Cd(v7%i#-2YZ8NBgB&1ipnNsUhJM%k zY&Tq1->J*?dtUyAnghk4%oqb2oBV*r=07uc0Zy%CXJlpaZ{}{i6kuK-B}C36===9y zdZTdK?9izg=om7g(#{N_(Upuz`P`a}D203z$>Gp{@$lWv2=q7DCA`*ZOIwdkfBoX) z{ieM~{gXXrfn8!hiO_{KnRyxJ#FG{F4K%iki%ikAX=DT!Z`8gg z7?LTDDKw)HWP4BP4{Wf>{owvE7Ntdd&Az1_iFD%D?(i&!P{Wojn|0{MW#o?%QA-x7 z!tpp<`=w0SXYwkoSZeG5`Tk{5Mav;;Uv$n1;k0n!M6Yd71OS`tY6K{L=$f*%_ zWi$FifmCLilVHkSfo;gOR0FvhsupulI3i^@n$qqR=}A0xb9No(reLX}@;%K8Hh)c3 zX}`tO{LE6LX}!Zl)%j9(G_Wz4yuA|IYn|ad{72Cy5Mrhu&Ksn$ zR|$wo<-+_RlTJ%49Gg1(ft@=-qPl5XV!fq(V+|UN&|-VM%@UW4!P-k}278Od2)z!9 z>89;q)iOhSm3pUvOH`1$%wWo&aZW0j#*d^exUVt8w9_BXYFx^PNCg7gDI>vIE}vhn zLkNH1>y)@qGNyK7Cbr43=pOl!FH>xPFC(c?3w+)HfvF(~e}_4SY^RrH=MJWW*&PM? 
zB_0L<)Z<&Sz53gEl9(h`VU&V>du3qcWpe_He-XxULjT+*z6Yz>40}V#skI=SJX~F z*;d1Z`UP?v!c1+xV3{zNt2$^iSl3EaRV>_RU@tp%`o-1a6 z@epkQAxIUlzyC|)&fMl-jXMPyIRIBAYiSL*fQa(>!$IhOv_e2cks$$ME^jS529TEt zmxhae{}v1JwvmvAxxY4b+nSvIb@?=NjP4Jel~fl70{;^)24h1CmC9?VZiW4lfqj`X z3C0Q+b>dCpKCKn(TIsZq*FAFQubr|piK;; zeT%u68T(OxD}HiAhqUESqJrs>CG{DIy zot=e49#l&n)6E7Sm)F2RNWpM9Z3C1<+$tgb$U&s8ShakOqFCAcfImv_sRD~flw2%E zATf96S0ProXwY^PT$miu!72{5`G=8uBh;tUQ1@{9RSbX2k8z%tnYIN?`9)M)l!khS zt}AWi!)WT$Np1aIFfKJt(jFUNsS?2YXBNy~nZf{|%KN|O@{#Y99pFdEnizoVBP8q+ z49Ww6s>uVLBOnZ*CXbreyCCK;+7>yM0?ic(5$=PyRtRf05*BN0_WscvV$1nD$7nUvmb8YLZ|mmX5QmOi0~%~J976nGI_JEWAOJQsJF*x?D+ zHmM!7coEEUD{pdCgPGb-WT;;zBNX6M*4(1I4R4AyOi&?~rf#UOtBA5{I5e%$XNQT- zc4R=mk#;n@RcFt!93n>MizKOUl4fIs#-6}d8Taf7Z*;r_;<2X3dEX8)xOUqgAW5zt zK*YMo?ggn1Wc6@{e~02?sma&c^^6wK85u7(enYvT1Yaw?(ziQcrY~CuCbmw1RRzN^ ztW2;|Q{npC@tXKh7@-*u-mL(V?EmF>{ePxmRUfT&WfVTlkd*%6i6fMBr#l;yvkKci zXr~$(Aqhwc>3JfdY6~oaS+cYe81MDP^4yUgZ@jN-kmr1F?&G7BlD^YB`RR|3>9=+^ zwwLoOzE4p9^=m7<;hj=y?y>$EVCnRXwk>8FAxfL?1f#%N=pa4ltG=1rnX;E!T59z5 z3Ll3O!j#)e7E2Bh_`0TzD^nf5QpP|1EFxrOe^K|33^Hz@u&kgAPf^A!eD#o(T4b;g zQIymY&lP&@kNbUogatUc9fz@yC^aA*aqK`Et1PlQi!_ilQ78mzDC^eUTn$~vyqU$W@U*E4N zGcOm+y{ra+0T*=AzrQ8Z(X8k(g#;?orecw%_`OzQVQp^M9hLf7kAbp0;*#MJ9_ zEH_Sp*aj3!&_Evh?8oaZxBenG{+T0G2Z*WLnNe~oF z`R947?2uI!jI^QAKOIoA#}>debv!J6ZZ`fO&fY0Vv>?b9ZCj^p+qP}nwr$(S={{}S zwr$(C-LL1~c@cLe;!ebS9~Dviw=%OTR_5Ak8HI(LoM^|k{-ZxNOy8wv+#=Uiwn&KU ztj2mYas@~y6%#pFbWozxUt5LxHh60!O9K8k6RLjTd`u6)>CWjkmh&$f(~9?80Ulb8 z;$JK{Mu>5;%|^mh6K-WP4R)e@Lf;x$&abXkEh6w2<2uf`Kv0~haq4`@Y5BjC+O7`Xh-1Fmh#(? z^4p8z>x1G8yzCQ?^cG51I5#Qm=Y~MZxW?K4F0&`-7K`aEeOoeGd(e$aAHo!Xg!}-! zmpEKrKs4|bv?o#;WjS3m6f@}}m%a^pUEZu2cGdV^3D*c3m%a@) zhvAJQO^-imjIOOQZ>SL1hE(Ue1-L`{+JP@_<7NOb3FnmY%&Eu!0>18f4ytD#CB)3~ zMqrTHhu!erV4M(s#J-2l;#-ki3GP}qT3DN@Mq(VO=HIk=%M%$tJV&C! 
z9RY8YfSOyc7%gGO%*7)&467uiUbJauus^#t8EVDiT52~8n&-1Ygz@qzMM_wbkCG+1 z^83u?lp1$rTdH2!3lt?kbv9C7(TF6`Hffb5rzmB*yrdXLR&&_KrNDI>x0GLx81G1x z≀VPLG+t08n5SD30H$6jd=&;LtS1za%XCQ0H?Yx=A%yZ`}l>7*x;~FskNiX=AP^2Ar7Ks4b-q zsWq?v{@Df(Z{?x=c-5HV^P|?y|mn!dCx^QMwn9Fx1>CaR3vD-a3$~d(HuSn zIC08M7^h;TlIpZ}=xFGH@>oxRjgf~;Q$>{(q z)gdrC1v-<5j&t;7>#wOPVKcO55<3WJ z`mEwXHkGLo%ea~uN%tV>P%1H}$Nf%EX#E`Bkaty zQE!^(fSz*CjG2!XFor55L%(ul#%K7I04IEy(|}SmZ(@4*g5Fh!5-r|z&vm@#+~p$bYCJmGn|a+m$Baz zS;AmTnmz3fb|*dD5N^hlEySJX0R3fS!X4+%d$1MpqTfk&ryGria5LqOx9@{-Bi6}x z035!7PDiXe_{zT@gpMcOneGti4tY>C7)Gxv+L?6+wVx8L_NT_QGt`~N$fakQ;T!YL zb2#h|-t;P=tyvbaEJJey7rGmw8-r_joc^XvmT4A&D~8vg#;_jQGY0q|$FRpf?l4w( zobjeqXTqJrpcoTx=&SlL=>7pZS_B)zH4$&N1K%BFG#iqg0XKhV${kxcIEEb&t|7N{ z=fAs%L854}2&w3ia5sA1h*#s`9b(>)yOvYPg!7@2n-V1w0X~wiO07r#_?J@(v)LC< zoh+*9!W)@AkUN_@oc9^s0w|b$REK7EGEHMh4NF-ctE(Wx{wtM=OXG^gD5o>2wG+S& zxK%m+4{v=ofDa0DKls%Sz>k;NZ{Iat%r)4mh4X-K@M5;)C+PTC&mW>iI$=)BZ;MjB z;KvC5AEZS(QBR`ToPc-ucwWfU8NshGaXX-QC;1+bv!sA;?nOG0cjVk2fTxLgUX)Wh z!7s-`IpFu4JYUfH%z$sSQoV>r41Pbzb2S1V(pkOG_a*Th&_}ggU)Xsw;4hU@y{JbH z{vWEv8liXX+#ax}i-c{UUvCp%;CZcpZ?Hwb;71RBKcsU$(Rc6M9?+*8d>@S2oq%__ zgl_E98^JHp!Ww{gFZmwGGpc}Z-bKIAM-~1bfO9^vcgtKqh$lUKAK2L+u&2y~Zq!r1 zuy-19J^07CTwkhrc;NRD`5xG_FyJqw(w$gm=+hj*FSx=D{vYtg8(~lI*&oQKj`(fJ zM?Zlt+d?_d5O@fTyr{T>wwmMLf}W2mYFncOr2*pf0#m#ZS$d_o=l1 zirKBZ=fY)vQQ+tA`X9iGv$3^>;eX=5c&T65jxh2AU3650-;IK|842!nTYBdoA%T?- z4g=0%GXW*_j&CwI^B=e!uNU4VOD9~+D}85@?iUPxeZPGI*@wuYh-7iHJK0a`?~E#! 
zYlY@-;4rGYt*O&9zcZrz@=B54kl>9Nt9()K+((_tE}9w_m1)ssKQwsnUbDoM_R6Ru zTJKHE9>FZJCvN}tNeCxG^A=CyJOTB5Ov;nKq)L%A!ie$^*(5^ekvjnU*|=ky{n=@l z$VHu;q47s6GOtXlE4>8ih9N6LJTD07OXEwW?-3@FRRuTUj}#i7{!KFSu6$z*H-Cnq z&yqhB4roQLsHhWgW+*H(Y|AX;=5XvD?K8}aMeH#_EKD4Wh3Uqo>pk>;4Tco(XV<~+ zK;}PGZ2s@TP&RioF);qmV8}82FHkOnoyi^$tc(m10Y}~%h$tK+{0qv%=WFOnUa3dI zVwryO1@m_SxuNP#gtX$n-|A~+&y`&*e1CgP`2W}0 zm9mA+e@flE$p5;k2q0AM)rIH30-$*3qdo3ocBY$0OWyL!M?k1CRuaLjfop($QNm|S zbN?F3MCch@YS3fOaX7oEm6vlpJm1|z>BDCpgd6ZceI=HR1cB|npgS^H(@WZiXKWGmHQ}1fG;l<~#XEk)bQ# z9GQWXfGFCQFNg;;kywQYAB{nVg#keytRdK8l7NNzMp0Y5LQM&RBd%u?i*FNb{&4a7 zjc+UAkDKq})V_LdCbMZgti46}ggODvfMtCBGvt4bU%}}Jk>hXty8p-csW|<=RxBvY}WNM-p6F+}A-kTL-H z$B`?H0I`(;j^%-cP{TEn(ITjiMj2I$M=fJ3k48CJi^XZgSS=`-hMwiN1$-0*Zfsqn zy8c^FcT3}4uaXD=;8x;)npZgeuV&VN_zM1?)1@kHNN?q(CBBpHwFi7?Vg$tcTGOD~ zQB>DN{61oRL|2edWB-Ksh@@WuVv&j^)w$&=L6NHE;pWvq$#55|rlDp%wzTEu^`+~a z-><5C?;od~Og1`nOj!nmsY zRnoZ9oEdlpe=VWTe;dG^M7=nSu_3KVbP)F3gF0F98Q1u#moRs<+ca@J1l~S*-YyB9 zt?V&;!)YLA4c=v)t5k6lhYoGrytHvtg5D&4f}Uz`Z|4Ahin+d&!b9FM{%xx9TPG(M zK;Az7d^BF(qWC-bbau?L-D`8)s>&R;Xh$Lba8kfZ(*MW06*$r zauWv_e0)^?zKNn&pGs#ubd8_Xy?kh$egxs&_#j>A`+D~^hj&&O-=dy9Dcd)NFNryR zbcde;y`KuWbPz*+P`5dt$9l$ldPjFXgq3MFo>)*6>H;=X#DRTE0GIA#SvQy$O47LSK1!A^9U~1s(V)EMWQN zaXs8kPLs0nxXSqdLY2$&7X?_Gyf5MRU|y=7NsD?}Q!RwQKMZgUq-;f)dy$Yfi*hxq zE*HcMnlXW5rrA_h+gMr*pSxV3GK7?;v9K|#q%<*}8DLT;O{g}ungUDXW~BInC9Q30_c$0xP4u6W zpq7G4^Fk*_KQq4BprZrfK~Yy$SL@hbRnR{#v$D`w_4ft^)U^9*H29+Qj_xRT)Pfo7 zrxOgQ$hgof*NTT$)x`=My9Gi{hTB!axP@x9h)^Qc;Z*GjAHCtsjaRE*Jd5W$8kluz zyp&hL_cH%9+ly&=5nrp}8;s_=c7iFTjjV5^snhYR>xhXF>u%v*pGP_~sQ5MV48s5* zeY|rrB-=0%0D3oQ!)KWK2%k=u03p@OIJ-%R)c_`?1x{@k>O{21(l8X?;lX%EbjkBi zMYswhJ){>Wdkd$gRtIY;kE|0)pFPdRiW|MeP9?ZYxjS*0)}I?y?LDXLxhoGp7n0S{ zKo!n76aCTTo^LNv>1L5M?%^j~&I%72krtAYq`|U)A7HK2@Mb9G_+z`Zjc~o_MQCom zFdi7=EP@zYh~_732%cPpKX_G(&Tkv-LY&4wIY+Be^3m&6mCpKuOK$CwClCGk!}loV zuSzy$crOM@$&EV9Pmn(Sg;33I=~SEv(7uk^blFTaA4wzF)S*T6FM@m%>5`_C1kg*W 
z`@v3zQ1RWsxD|P|g9=xMUjT^Y0(EJLh9=|%`VvYEiDnKb-Q<(T@k|1zGem@lt2vx5)>)qrFpAMN*p28ISgI?|no0bolE5{10~A93#aV>2 zFhZ=~hA~9U)Qo!>^X%NRUs;oC{gwJBae~$>r4Z@cwwsQWU4BgxIPGo50Ox@e9{Zb!exS9t|FwdFqRfJCdS{N}hJYsxAGA zY{|D)#x}xs5-3Q~UJIj!R)3(dK@l&+gpfOTcR3v~GdCbpY{(mgfJWOtbgTg4Xsttg z%fi&%VyR-TLRP%SZCbm!9u#oSEn65~qOTuk6~5W0YC`eny|+V;`TsTu?~ZM&f()Zh zgrAwk=o-0G$svpX5^@$PA97i zh^a4fBfF6fzQFCGiO@C5HP4F6!Qs?mjA5WHnyZbMy%p#*-MPb@%bM)b*q=0i3hCi#~?^}8bFA7mrK zZmpn1+#suQmUbW&V@bSiy0cBP8a2dl5ejn8DaKikp=l_LFu_t`1T znKwxCmF=NF1AlCkm|2*S_6+syXTDT^qdSjnZjpdvTvT3rqztBzKj0!$?>c`z1yMRG zHSlHGRBp2bY1KPa^O&DuJ9~KqSBg2D^HtF=7gRAWH)I(<40$Xs6Rlt<#;h2ATXI)Q zDOFTTxie3iK_UJL1-IK}A+0%ikgh%f>!D;*0X@mEcEqf&1^mQjc1dYn$`3D9OUPvb z6t0LUE>G?vr8pJs1Lty_bb+KRsEMEALHp^1Y@tzgS&Y?lC0u6#I zbz$14WkOlGN=%vMl3_76Rzo=k_JxP0>K2pl0EkbD520a9KW-Z^v-~iFI{ht=_)`rd#Nwl|J>wH_MJODdGOB zaxk#JjUexl>jvd;C`>9P?Y%Yogp#Y~X@9NDgWG$Rx5|fDx+)fzir)+W#zA$y{LOpH`6F#B{~_&Cpzo2?K2*aS zHM4|X?9gkTA2KHlT@dlVH)2`E?J8F-syP9-2ACAxbQ|8?a6lSmWyROAa242^uX-gv z(oEk2g!Oo-V~LiR7)4srNWAmKoIEzoLM(*zoqw<&f)iiNC~oLZFMC6b4eZZVe5B)L zqy|%kUC9(?Xf-(XInvko6s=LP>;D9SYhH-0&*tSFbm{&^-K748FAV>&4)I88G5p;*-7*eoNCPjltDyT}-jNwRf z$z{(so5eat6;l*3+t5Jmj(b!~=NXN073VY-NOdeAh?Isrlm6!4lo@02!f!LmjHa23 zWtCz}&?2A`sU|kbDwLLbQV>d8&g37PH~wN_$K6&5N}OT{?UN~yp8N<$as9bzl2m8H z+jBR5*3?-$gK>F1gS!LpP-C~H(Aw^`zk1~KSEMs^QBZ2WHvaptGizL@bdJb1q?4y) zMy^FBoG=?kMsrt7K2i%9A9op@JNrakZB;39%r}csRGD5S1)jI)==?@fqC=6KFoPB3#ys9-s{o#QClnBNZMe0sD7BrbWJ zEQ3lmlP7Ct1Hf_*jMh7>dFAXPpQ*A=#v?OdlZ8_U3pn(78vso^*V4c6T6O$R-0P1G z?_bS%RosX{Qi7`SU8y|&!^}fQHu`%-%iUDWpc5rLbAD?NHjoiodQu~HY$A&T=hQq#TeqQt9|&^C1WV_h}A zQm`}?De7+IqGi>|aa0ZZOf^wiW$H&Sm9*5oFdaAUem*OpEDSQexLGyTV0998Zn!co z&uNWetTqHY);euwR0We<98^aOQ~$BOY0*HimRm2e$az#7X+I*T+j;N0pJ71>LwR^~E_K5%S)FpNNUGcen`vtW2+}4h1Mf zjDuRtdFRgx{;vR*{cOS3JO?tQ1JSkg4`*WLhp`imaZ7eR5$hZ+;i}2ha)6VlSPAl$ z`g&{U9~_t`4oT1aE~#i&6Jody6rg!6*?$>7e~ca}0D6Dgeoz3Su8q~R-96RVW_7Sp z7P=lu4Br_|79coS@dcya(XQ;@F>!`Fh#WUWUyMHetv>OG#dHpIqvP6!ebD(1G5v53 
z!gLPA=zSMid|?hobPnwFKV?>4A)|AgV|spD%Q^=K=zK?*e&7c;?ZZ0-)Eut!X}Ns4 zB`zN@U&1{f6w6~dCue4!pHAtnAUKwS_JJ;HVj$0+OaYYhAK_XUO2tv&rt^kYMN zaQE`ypcJA#!{j5HGCg@ama7C^9ol5yvAXpJ)x&Po*mO*>i3-DFV?^+F8n@(cg(q@X z41wP6!(&o9{wcZ6=f!!ANsbn2+cS;$Yaex4o@*W2hBu5422hn8qJ8z?5>JZee4zF7 zo}-y2&-3_`Z|~;xo*HM%v!?|xkDe4t?ndU=-k8%O)nBITA769%?nOD@&WhoW3po-7 zyCpsPuWIjlSZN-tXg>V{c9HGz*;~-(v`!8)C-yU9bV8=lYdsvB8|6285t1NpyD}eT z>f~O({gDOwjByC}ck@xoujaVWYR>)Hgb=!j>RbY65|mjob8elh{IWq2Bz893q?*}^ z=VCMf&_AxaYk%L#f@Lr;(k{t*O2W8B-;%;G$8##(v8A|cOR#0cs%>G@vbDonR*aq( zs(Bu?y$qKi$M1i2zTFdYbVokePH&!{Q#6AhDDUw-;JGe;g(#Dtb5|6C{bn%+`j13j=-8`Lu|$p4mZ zj5(*;(lo~fDIjjaN?!+@dey$`QU-5efrhC8rm^9`)nHE34*6rIu`?PFl9A)wn+G#* zlg3HdCAqxlML*+&mBM`;0OZf{&phBC3DWQ{K)gnEGTPA{)lfb>&W|!4praHj*8!;i z!M1>abEd~OMa??2XCFzh4=>n7P-2g{u1O8jQLoL?fx|bRDHHTHy>^G!!5`^3%KmHQGTUIsj2%XzD&*@cF9i{6B@=YYJ@ujhi!kz-W=w= z79hl7PZ5%U(U+xvTO4%A0+(_G;$@)?|5gz=oR^*SqQ9c4DS&0*Pi4_%OH(}=;wGpSM$`{X}eLwhJKF{dNirF8^dfk(}TM63Sgx zo}#1zDS3}00@Syam#@m?*?kb+@zjRjKI)uDwgKgsWisLsD^dH|*b8jGeq_jG29T0m zOX?I7~lUn_P5I|Sh>|)vQoLuI9Lceb(*Rn<)BTJLyb3)^m z&S}>mwO;|^V4Co)PCjVhFIX50ESwdl^)g7ADAPg#h9Y@(MYP;J{XNN=e@Kl4xBtvHh~b@p445H*3{}h-u2DPM;aem0=gf>EO0{!%bi*Q=A0X)2v{BBFUAdM1aI@a25IhczaXKIj(JpPKu-y}nNeKk&jq|kv+MsnP- zestbytUj%n-(6`dpO@-QQ*77TE zPZi=?6?q06J_YPY9*QVuT>3#DL~2!tCjQ8BvF5H&8CD`g zcu;HIZ^ruXaU@@@$qh8{7%F9$n{EpbFeBX*=H0@WWHho_sDq`NPPGRGuHm|nF|O;D zD~8Fkl&(qaSYRZV^ayb5R|GNe>f?;Z8a>m}%zEzs(v3%?F6%gL=7u)a$L>?wuNY!5{-l$rv z)@r$~31qDa&8{gxFdaY%+nRa&AbabM#`0iGOpc}q zt|z?Z&7d=xHjm=Xp)=%lX4xHGeMFTt_-V;+INiLskRlIP&wK&5; z@6%S<;_*fkl{U#r*93R0KK2fn#%P(%S?Ma8M4mAZ-}_6O84>`Q{3vTrvwU61`n#nr#-l`%ir*X#FR3)yY?53_SijZsEooTzk$zI8M|MAZ|}>j)2GNg&yG~h zErDm$jZo;@lCmT`lf4x46$na%FgWaZ4zG!E?KUE{Dy*C2>6_~qV=485kqOOhVM&(N zEz#{wT;f<)x&Lz1u|ZV!zYe$#*Ry#(ix$5JaJwDf2%@Og&A(2hwESmDpo{T#$REJMkm8~ zD~r+kyhiU4pQnAEi8zIagY}r^Q};e`V5r^DzwZW5z`-AQ3IspshCY~Y<4&<a5mj$3k8j=EM>sLq#qyVIt>hV z#@{;1#yuEkYsLe(Z4%qM2KF;!JER6I5IK~=2Dyfql66A*3#2~T>BcLH$<2dw_==qn zs$Yl+`zy2GJG0Eb5vaF0@mrrEm~Sit-cpuW&;r+jC; 
z-)Tq^v|*gcXXApVIRgTayXK3nUN&Pub;Pe*Y)k|!+5e6IeTC}9n(k8{JKLgy{_BiH%k_trDX z2h8UN>y4uABjnmgB8f}{XlGx?cC#K+^A=tGz^LEo)x`>}Yyz!n4(b(ajP_MiI#3TC zqp>?du-S#u2&}>w$raqpnjU4+Z|0#;@-a|~ILE1FeT#+Cma0MKU6O8$(-_G^2kzXh zsd1+Yg$I_jGAD?}RbVVZRwmljS8hR5EM@SNrxm@U!eiWk8I|*&6GS^5%!4y2zS)no zpr70sRNpe&BEH%4dSxZ~m@P1NXaG_CP}C+{@HDgK=T`-zd&y0E9nA53jXg1C1jx!l z6f&>{d6w)Z71|@i^*XGovpd7{sacd04esj}a|(%EZ@U1?*zfYrQ2w$6vlyVxqQL(c zelR!}aGbkM$@WzwT9l7liwNV6(weEsFAJ(-kZ=oa!esAc6-KyXLVl$4%V$!QDU^${ z?o~ihDj=CzI^Dp=q58%qm^@Is@oG}~2n)*jFtoN$+RCvBc1%Bh zEF>6*IgJn7#@K&uEhxx=Mu|b+d$nZ1L74>lsO9BF3Kp#?)gG9iMby*avuG~G+U&EJ z@lI|(?6a?SKZP=%pp)3;T#-K>Q%b{Eql}7*r%@h!z3SI;QwE40_ zu?`4&5WqS)lgJw3U_Zh7LcV+yM>Bf(7PkYR=kj+3M~EeWaaIgDcO{QjxVTwbFd92vyd_tga&(axPi>j>N3ugBa>Xqf#a} zXYB%8rMkkk&YLNE{w^upJv_#{Y)?bCTv)Z&kPxQsz$~8KPY|VG5(82smAC>y4%GRs zetOMIsja_6t_f#?JK!GP-YI?!g@%GAin_L<6QO(Fedc;`iBqtzyKdp)me=9cw6wDz zg;sr?=cH67iehND2cs8TLr*y4TRVTH5K9Lt{r;7E@As!IOD0(e=t)|6{m zJD5eyU`j^a34D38=-Rcu$NMnWMc#>n0^(lLel-_D<&0x&@w)l#CXeeC+Xk-xDdSM6 z=tAK9gd+k({GKY|b42tCaaGi+so->=wznEryuT9$DpEKSTbI*^AkkYLP2r?Zdh`U0LghK?EeDHU;psJ>dt%1|x!6ldtggx+`|>$^_$)7^L_$9ETZjTD9XpTIDub zwCC(+XM(jhY7bkx9A@oqJ*^1%O!bz@W!N0wm%Fb~>bvQCA+<_ONwxgS=y9AzCxX)i zEq)G|cF9ixAZD9&#upxeq;Z*q^alcK>o;ds; zq0_@S^HfjFkdcN)Z60tYpKRU&Us3QSXy+EsglnaqLc21(1-C`JvyXEUPtC9FYz4nu zvn9MUk0&xufv*hTif_RlCAtN@rHaQ;&!}zXnmMg=7f-FOKHMia-16KW#3aq zi(J}<2x%2a+IibYoKLuH=%ELmIYrJ_AnDur45ubSQSmSRI94kYF|4Osw6HD7u8oqvw)l{>#jK|61nf)*RDS7yA7f%8%aKoXDU4J$It~c z*kQ{YQoKfNaZhuw@3q$CTdQJhHOxAC6}{L8=m9^-Jf^Lu1>-^_J@SalAKJkEeCsZMJcaTSJ>IZOa!DB zW?W-&-7Adq2@%G#^h8Ob=tAbv49UY-9Lz)LqE69&8V5%UY8Cjkq6H(dhMe;lLaXVA z=c|UAP(=D>Z*Ewf~F zjUZv!&drk@;AGg&Edu8FpN1JV&8SOahT9sK%=2jrGOAgY=Kzg(wk)#5^qBgcd+HK! 
z=~?H9M5%a88t0;hRo@HhV!my&Zip8y%9_sSzKF1)JJuGmih}ww% zRcv^a!ksAeNMRU(PZk1ON94_(<^vH46p6B>V0HB7Zz=zp2|q+fWl87zN4lr@04iM( zR{M7@4*?iH>En7U%E~@gMY)v06aG$MGDo#+2+dNfEM_xAwnjdH zl>O_W@}zy)SwJmXv(jZ(sxHEmhKtnO(~2?EI_`5aWWSk`RxBAf`0~o7zk(wVe-)S1 zbxYk6@V44&u>s=p#D5`g*u`?p2wCkTmEaYpV45MyK(!S`pn6iyS9lFmD~Zr zA0jy&S~VFIL`G&@F=j#yVElZ)K2vRI;b(h6U3=*-^g z%(B(ip}Gp@@x7SmBJ+qKy9nqVZ;nHBNNEqi30ObAL5kkYEURcJo1{{KhVE4{9{5?} z0|m_wfHS?%x(hMOh6K%-AU@cn&mSY!g}A0V_p`9hf4+y%^9|-X1KM16Cnw$l-I*;F z7TvjtKYLSC-Mc^k&H3FS7AQ64m!akGs}RBRe`VSIch=8;iW3nt{BLezin5K|uMnwk zYN{@W968D$nlN&3vwAF>2o2$^K69D5fBfrR>qcYPh;4(L$ag9pwJ6eonvD0G$ncsK z5=?I1%I4*!v#V*g$H()>ff>L9`O7Y$BdI5Y1-_jj5Gb$`X*)y4u#OKZOUCjbD?^Y5 z667RCI$N#&F0K$|`P<$rOps1Oxh0p&NRonpb~|&{_9hLYJnR7K2(U;eMDx zL^bVOe_SfYu_Mm*)D1oH#QXt_4~pJx%dkL%`2`O(RCG`W6Pg6Mf%D^O0VevBk~z%oN&X$F`qlMsTbjYya`rw!sLklW5S5*H^a*5rwtcTS@q zvOGDfp5$AXJut>cktfhN%XudI9YNG6RK`=YboLxJX!zTBgH!Y?)xyzZ%>j6BS^B9d z_7P&trdtRSnN(`-;rakFRMlEb1K6lVH=N}-0;kKzqiWZFd2XhXOtOj3$v?We1yrtw z$pi@tpsYA6M+7nxFjEuu*Ef=2^_nD=%)(2QD@9TqPn>ADZSNg*ni7;pauMquRR3n} z_C9KSITLCAu;^Vk5?W}#sih;EjKa6hZ#k+agS2Vg#fzaAu`EaptbnJEor>mNEr{5m zripX%Zvy#PMQEgZ!mF|iu5_rI#hXVu``5HeFGhMG3AKXpOs_C(Hs7YQDkV&#q_F%IN6S35=(pYna#*fAv-UpXs%pVQ?~~gcu344IGbz6kbz(d9Lv><< zlttS@@1vQQo3*2EW{c%=Cbfu=-M7RhCR)9F_-}Sx%Lkr3qrZ86^ZzT)8UJ^l|5M&j z{LOP7A_C|Ms69k^XcPn&BnT`7I`q!qiaCE3L4}Z`iTVsl)TFh=YvH>&zIjU6ROL57 z-(-^+QbK*)aQL+|jXl zw3FpiS+ZFkA)8Bc0bb`$dIP|)(3rT4!X{&|qzf>r+YeExI!*r&TME@2tSzpfSD?60 zXwp=h&+S5%>&b}u;xY1R+xt`EFpei#+ahp6N9)ygVSGH)Zl^R&;yyN>bu;1vI!{)Q za5mhQx*?z^fPyVd-fY}hS6D~oKb4aP z&rcA``oqfQGvpYQrm%gHsBF`)zo)7_;B+6C6YiTeWGKL#_m$g^>+VMGgQbzwNwhR&85=B#=Y2kp``pv*>NsaByaKcGl9(>_?nV|(EW zc>r$Uo1KAV(UFtooGWMAwf_W4rW&`v&4%~C)jsr?W?#<(VEwxE_D|+J+F80-13|IT zza?FQkB5tDwTA?>-f%v&b8Jv7_=c_0&3V?Rt$`KtN(Y$LY((C|WHJ2sPQkHTWkkZR z@N*mpRYFp}fFHjTqjvDe0~neqez!jz9zke9Yj&F-sCdOG?G(5+4X zownL6h1hChgS|e#NG)5jF%oKhSD&KzSP!;oGu)t2JT0}zxCRdOE*@Lm775)A?xIA` zCs{z0>zqQ_n|w&2)R<1Q4pKvFGa7drKu@N}`1LOmTGZaiV7_3v#!PvOBzmO`Vl~p} 
z&nUh3)QR75cJfaoD=ET78EFtVCEoW}FkrW-K%Rhb%Ws@+Y1KVi{>v-WggsKxX6Rz6 zwajD_wW&El%f@QzF=dxBdS5oi6g<&E`*hjX&7$R8bp9HfO);2 z9r_1ZCEBtTexJ;Ta}*PIKOvMMx*~m+K7u0jx@W*F{Syyw3gJWNWE8m^+AT3kMuQ|> zBNgV6MI~B*Z=J772Cg(y>eyfSe3jz%;<~!>2Sf zbJo|e>d!bpYr9(H9o+|@i8k^8M+}0JkT&Dg>tn?V^dY&xXeO50f}IK1PDDBk9pKGj zyHv=9&$wpKbN#o!{TMfM_7BXyEuk8DTf990SGew!-*u@NNUw-42x6hxd#~zEZV?PI zj@>Vb;b4MGVFGAz!~r#q7@CZRUhF08aV8`!FP-JDGmH|*DxF$!`fPxPRa-N6CWx?; zpqRj(>zW>Uq4-D+vKRUTEa3>)mq#KF-HjBG^Ir=|_r^)p4f5BP7!d$K@c(xq{g(n# zhxSfVL;2a+EY!QdLzz!a6@+%~#h1y=qe-5-uLb2)6!JhO$B(plR{*j=?D0O@vwCQI zThF>tWjpa!HsCCi=PVccm!Ekv;ysh+MekBSRfZL$F!PpJToffar{~AluvUY}k-Lu%SLV*Mox307js)MSF$CK>7t*p@ zHQ5z2wt>c)O2fug%P_9e&ACN-q(t=VU$ z&3w?nedR>ydFP>f3r)KZ*Kipg*>NXAs^_?e>%A6HK>2=)g3C3`6vwnOb2tbBv#Zw;`C1-W1G$RiFo28z7!V<`wOWHkb9dVfd*_}UECX~NF0U_0T%7rIbrqT|4Rx6A zML5O*4f@&FI=2V^Ya7hdz7y>hDpc%eN4+mMPrUWGLRNX!-bRVb^b}-@Bcp>FAu@>q zw3O{I4V!F7Qld7r;SwMra9`3^(ICUd8n&KKJO)2JkaxNq|7Xuv)7*^D!s}_THk*T4sR^1*DK%FpQ>x=jue(R^GJuBZ3R;KZ0UC z1A9AjzfnBcA6RQ}Rwb9dd&~wjv-u^A#t`&v0X`E{$@}QS3D2Y{C{LgPUUEd zmlq=#y>+!I;O=t9;=hVM7zSMo{RC9lTvdT=g$A&gES-n~uotuCd!Cg`2>OmtdTO_@ zusefaP~Am)8|+oPT$tTa;LOYhRe|6duRNeTE4RR(@&j?VMzDN+a-dMuwS*3S`aWRP z0Te_C&FP}V%X70R5zQB1M>69Lk5~2P|NIj~Te*(vh>*?1^a4+W$dA?kwCx3?=U@YrVK?GJz5x z2O%J|ZloX>%dUkEBXtbUhbSS{7F-$xaXrYI1xfv)gCyPUhM|*Uei^4m6qMM~#+m2h zAh^uN(O!ZcKAIA5qCU1P!@O}&lNGydyi`&&bCykSHom7gu`oP3TT5YLXc05)H~>=O z>8pFwL4yFHMk-p9ficQ=4@HS;psKbbDB_=}rkM(`QAXw(9dqxu-fQE?F6Q@_+MXUF z+P!6FabP1$7C)s{j~}YJPm7o@5*Je}BfHHBm8$n@9j4z`9-S_(D zj$BSsDWK0B(GuI&b#ieqlUFid!NgF$pC4kZifh`UhQ(sQ--lzWbHl`JlQ_W z_JRILJ;Lm=DP7ig!k-8`hOA86QRwQ5MkfLU{`A+%WGkG3YPvezSD$^QB@Szvsz>I{ zI?rn7a=*Or@qiOj!wijKtPyyimD(iUHFgIJI)au7@d=4{k9J_zsF+V!iO9gOYY9ZW zX@D~Io=UYilN7Nas3Zyb+~{hhq2%#64><*AGLF+x>;K{Goq{xpzb)ephx#8`-^%8)}w?clh%J7OR0&zC(2?lpEp7 z=4MiNlt|hNi5^`ex|qK7zeuXgbdHgU2;t*Hy?!0~pHszMXDYe?xh;ZKVIr2@*mj5| zZj4tF49v-3_YNKvZIz-A7G4F|+VJ>wetdW%B|aP2d*d+xljalq{Ds$!I{YN%_A4uy zCmt;@118m@*q&1sZ%`GRxg2-|w7$_E7;VSZrEQJg2&lm_UQhhiOaP=VL2uU(_%K_X 
z%(O8S*jZW7*avjB-hdouv5WWllfpBcHb|-KnF`Pa?UDWMV{5gNF-X2*Q(Vs;LD+ya zt<~b4eMV?rqt+|20&fuy<0!;-5d#CnN^=q_WyT@iMP>#*)XR#h5#Apm$>B>3L9t0q zCKB}%lxXZd_QSAr^)<`E{h52O%Nigv?hnFtO*&F>V_)T{y6vF;0e%U}QfB3%vh41dXOpT zU5N?TUSyilnT7SCDVO)sdGL3FlwMjFvtTzvE-rj+ihfnVPR{O+FMC$#ss)Rg*KeSU zVP--l7njYjR*8rFT^T6WD@E`DLKFeDb1VAm((DKf0CR0lC;=7);3$VMRlTP zOO+4(diqb@Ul@Us4dooLv<`wZIZYV2eSY`1J z+@@`0By>!LeW-ajD>iN}2e`uJSZ_y)=k7S>VI_O;xHXnuw9jYh-?w|qQxPYMfGf1# z`~%fY(SVU$MtQ-bYkB&cTnYl!MRCFqeS0TZ zf)|W-%sWyNa@VK?S=HlKgv#pdI!7ayDDYF40Hy*pQzM`Vy0mmy@2?c}cL#yO?)6s6MSrP8WZ{m8j~Y)2d{ZxIu+2998Y-|23=2GhVv{h4Skc-p`Ia zuK#&kXKVjo3xEIjl;e=Po2TMa(|2}T&sZ0O17bYyEF69Sejo%~ESH{0>>wO1E_kU? zD%2QnY8V5e;CrQdlDS4+l|`w%8sV}(l{h~fg(#)^kXD(KjaEfd^USjv@)XC(cG?(- zKkOwAEYIeH#>~y-#4e%^&kL<@+@lNX@`29%E6%GYagNW#iNmYs-muJVQ8a-y+Kaey z_ww9cFqqDLU@l@?oRJLH{oG-Jqka3_g7&m+oOEyo5A|!S(|v1P3=K3rx_q%`J=8f~ z#v14mS|Wu6*Vbah{pMnZv>ijTLfWtK6b7$NMP9F0C32+4lChE;KJ9=vOviRju7TX& z^*+UXz((An#6s2>lH9P!3vgM%?R3e(=!*Ce14l*h_4dh#&pDTey5SKJXlApdeGKcl zbk-OW2k{-_xp$yR7>dTTAOXY}jAK#>X5q1HO9Bg~?Gbg^RSQtC?!0%9?jB9)ae2a(Cjj!mPywJ2R0+$pNhXOPV_0=LrgI0%LZVz z3LYXP$w($2(3>OSD?|QC8F!4b)HI$wx*vBjy6G`|{hQToGMi+*$*VFpy#(r&Qx#S{ zccz|IO~A^}1VT+9pi0tXSxCZf1zkyvzRut}UGD?awwF>L$!zqPK zzQz3Q(`hKgs)!H)q6~UKq=1?KP${=YIGoW$k7k*wj-!s92{3~ik%>IMx8+pDjJ$V} z0cOCc6x(zfqoiBL#5Di7!(~Xw3a+C^ig;+6FGwcNgc?J?YnQd`wdEg!*iHxNxvz|N zpd<3{$$BE}Rpuvja=8As@Nq9BCLMyEt|NxC3=P58OExqPB|?f~W+ud%hc}{e5(=pJsI<|G{WAnp{c5qg z6d|K39H2&-Hn&R@CAs~Y%$Bogr7V?v_29B>eWy59xC4erF5g*b(4x!{X+ z!FH|);3AP&-Y9zeEhDOQt^Bglq5^E-dXYH1lZCASS_t*@xI(?y0T8VHvj!h%I~0h%5&vh%MtMCH2m*-e&vSm-tZJ zdyIpqry<1N(H!7xSuMt|22Pg)#Mgtvi2Ny|aKy}d4PjLGYvEIY*;y(j!UbOwgfAJb zm>Z67abi5ffCTG8C*rD-960H-NQ#GjIp=hJM~wRbEdPBM~2tU zLAo##mIG`U#fNfKS0YQ5#dS}j&Ca1npTUoV}hcm_5jf@Y^?r8WwnQDj>5=-PM;#I?GxCCDCJ(fCNV$9P-K z+nhQlIM06)KhFb8K1H6JOGtJE=9d3apy*<6N?jChaS(4ndnEoFD-WOUGX44hv0J)F zRTIy)L&Dm%a3TJ>|3rL+GS@T*$O15$(Qp~g+nD`)wR&*(b9L$lf|6%YsRNMC0;? 
z0+J?y_rCu37$_z)kC&BAe`e+$9BboI%7PNZ$XJW;F~Roa3T*icYXOlwObV%olX5tg z5}G7DYilN-dt=%uIcZR^XeOMG+hqRX5$GXnvpGW6rZ+i3jAmXU^PePpq>JPmaF^vg zj?nL))Vd|?(b(fj7b8;51L!#cU2!FzS|3cR*%6oxxrDn~dh*&})#7fHT|ey^6WWk7b@aY-f~F?Ciqq;UuJcChns&-5 zwPt)YU86&Q#$2rjGF7r8_hTXHQM+FSZ%3~fQFdLtt8{m#6a`c;WN^1o07cA58PdFW z^CxYDfvMcloMs9%w=o%f>ja3+D~lCo-YVzBts7blVbN;E=_-e(YEb_KK_*%UfgYcV zljg9~GP$%_m?4qZ`XwByK3xU*zG8)1bbS1Ns||?|HQ1Y@&rr35Qox_c{P1uhv<>p={Fv5Daty%ApHgTs$dd88nR}>qNTQrVT9L^za@y~lPi#BvLM^m z2&Mt^8KgWmm`F&QC--!V|Cds-9n}{x-s9zQ^5Qmq#mVXZekhu{_nM+yTu2eSffVhm zX`9J6^>(cCBVi2fbH5E|?+r*5-h-of`)>JKKvl39+QP*pW61)Eq;*S}-J4i);ubDh zLuzzr5n^zb?LeJt9dg0nb{=j4eCiBllbT$v$&2ZwiFhNemDc`s<2;kej5=N6C#dPV ztswv#!SggEWpMrhfbDt88dGtP=;-EPXs0B*u?OdULRfhP`FLzvR3xaZu)}tBiRMY< z3e9_S7LSMPEDWHQnagj=!e4ed*Ad}X{AM_jt*@k9EUO3U7*$9H>!hwd42Ug zWm=u?*ZTM<<$=3IAZ$B8cdO@b@Rt!5z#qVn-?dEvAm+48-z7wn)!JJpUYJvh0Efj6 z<&R4@O*$lKF_J`{DK`zQnEQ(a$(t~m20cMVw=6fP2Yh7HRbxtJ>XJIpbsN&!(<}3( zr%95B{mrY0yi)3Bf8u%8aIFLI{Eqz-(&)-*FZyo6XZ=O#Y5`;~V%k?c=o#?Gp{S_= z*Tr6Q^Sgh&BjRMURP90o!S?3{n`HKt%q%J`q8N|+9gjPT?X~FwDcMd)%17iD+<_L% z_L(IhDemzW)M0!p7T3$;I+Ho;RI1TKJrr1vM%)gE)CIQ5BRv_wvpL_k^u-bSnth+hKtjq>P&T{yiI%csc?7rp|-sXsj6mhgze~leaVT{|a4omx|fKlDy zTT@Y9nN_5dTvGs(#(W*bNKG4t%(hRr zD&&%u{YYl0)cD@zLaK+ReaW5ta^TK=~AHlsR_eF zv5eHg_pP#^1D8XW%87?CEhB7IXm}bXYYY3zk&S5yUHz^U!c>dHrJPEwY3hOZoJW-k z5)#AgO?03$45&%%fgzLI)69|E0dz2zBdhXUIY(J(H7)v^Xa(rN3*eYDuw#4kg=iD^ zT31twR6541Q?xr>G&(cJ$v-N~!L7CkF-lp~(kJ z-#8Oyz1h#ybWeK>o}?4Ap~uYzBg6YqcemipoH14t=l#jcD|?-@>r9iP!VcP~Ftz@` z31fU31<3+U$pZdjHF_=A-2~yz@*WLpk8-3znmtkFwmuilmUn z9`>pd8Y=Q}wht$VWaS(-*>-WsUGwdRD&#?@F2yF0`EV(tWrQFo`I&@UXA^6Y ztMjju-_99CuhJ0{Si!Gs@98m@rrh>6$OLUTs7Kn9%kNpo1eo$L`4drDSTHI2f0XM| zYWj&#G)MF#ffkryl!00dN_fkQGtQ)gTjoF^x5YC4uwUDK4B!140K>8ZYI<6)Qb!yh zwkqJ&^rgbGqaI|oO8CPRCd>$Ts`G>x$G`r*IYZK)zbHa259eo-wo8SGuCYDC`m-Xmlx4 z^oW_Bw_bD5-xLhH(E@j@>EEYA_Tn?e$ zK)!S>XS7ZYxKU1M5?MsLaxqUwj#|Nsn9kG54O)mz@ONa&U_XH<&*hj6=At!aN!sPx zcA862^zG_A&RZD^3UM`Lf7_$`NES(pM(F-W8&hwJ)TD<~!gKTz`BbMPOnCsr*-sGF 
z5D*4zYNBOVC}ZeHZUqfEVgc_l_~eR&&xVNvIb#J6i5_v}-0t&O)@(Ro_qM_ED`vM% zr^Hrd&yEF_@%D?Xq4gJ$nXEN_O9=(|iD9Qg3BVxStqIuwV(kK+UL+?CD*$GHY;5R- z&#W$xfINt-rcEC22GS?)ox4hn9A2cjI(ED#jDtk4 z6Qub8p*ehag%PZ$Y1C&?yX=p-c8+88LJDZfMb4u|Wb;iQQW9m8RzkMaJlWTG0wkB2 zS1LZhDM!?)Q}z8@6l&GhihMffXjP*c5^jR(Q2O=0XwO+@zHnY903oCQ%?A+)LmW=E zr(5E^2%kC8@H#ezmYr$!4q0((t(-dWGdzMG-cL*-nBD@mc{B;A2ir_w!HWUgjCc4W zcZ4}ER@rs{{4N_ft0W8~%<!SaqWOBJ+^}G7^X7C8QRcmd*H_#kEz)7t7xiHMm8ilx;QE zhxC@%e;3~v4IYc*5+GsX{%A$UseJpUAU;1=8jhfmHtANr_ zJ~!poDM)cIPnb7t&D+92ifVHW_ye;>fnx>Sp)`{Ht9$2Xs)MlRO@3puU&^{Ik3!46 z))%tu2X9JCs!c+!o!T#NF>+r(&>RzuFHEY8rJ7Ehs65Ivk>Hs6O8ii^c@Qi5Xnt8* zr}i|4GTTWT7NMXvig-YdFxcB49P8ZYQYDDeSJt;j50T<_e}&uF2_{@e?U1Gvhb-9P zDwiRbMsDIrLm6uPXB=+dYH?|0muAzaS2~Cl>_9u?e>U6^VC0N5ak(-o$Dwxdui=jS zSB`lfZ8h%1qV=Srhio2T5U2@NVo9J?`br{UZ#@xerFiU?(Uy8f>FdEa$4%BeAA#I%DODe_I<@@~z82+f+qq>6Of z4eQ87KYe|P_%O|;w}J|__K`;C$jf)g*K?++QK`IpWYp{7rY-TWcAMDF0Ih$X)LKQJ zU8DZZKiQm!HBR5`a_p|f1IjIuRq`Ce3eG_MC#2wV6IyYuiM%~FNu`+r^{!q7Z+NG3 zBEiLp&@vwVDEFv@Va!a%?Ln9)5{Y~6iJof-v9IpHLr7ah?F0X*zOQze8VNgNvjfRi z_kD^?@yk|jia80d*zEHLC=->UPCphzaWnma{g>#fbwZ87Y2fBTr)w-iDhvG6ZYx!a zPneU0LLf?r3b83PT^71cF&Fcos4p;#mB0Cm7pTPUaZqPM^v}r5dYz`mG}fw#NZ+s> zjg0so1s)k&FLT^stJWy(JL5#C8nZD+D3UV^Hx7eekSFJ`Yo|Q?*>7kjr9E}x+f2h}zVK0toz6t^MT-1}ZRR zE|6{nGhsssO-&T6EZ0V=pMQj|I=8n+u(v6LNA%jr%8oic5$c5b&MsTg$?aZS7+$1T z@C0wCtf7qwLXRq*nf!%oC7weO8oMu35CrX8{EsZ2_E7mi!h%~8#T4RD{ItfA2a z`v(MXU|$`WQrIDN)am=5GF3M`c*N@=XR0&Xge(oWt)Yq9bMdpd##^_tZ6{Hp#W4n)#B5W2P<|7NRNgF-G|LxW%$#BX1FeSYPMzFC=O<%x}RCiGldG$miQ#AGM zu(#@APO?s@*RZ2{ruuPqW9aP(2Lt;9$&9tNw?&TMPaYt9u~g{X=|BVd`tEoA3!P8E zE6kM7T&m2iAd@0!tm;HrSkfMX<~^*k)xtcO)D?{+kTc!%JO^5^k zusEZ~qC146;6H(2!%wj|-RXn{@k-(DxYHOjv_{fsIk>z3yXeAxP8b3n+hf3a^>zOH z!^J0XFGM?#1rR1sMxY{xg&G(D5#}G*^ohJwQg$uWwO9qNgvRLjnFvfh%hLcm2bU{u z|gl9bnT z5!7?k`_J<%&G+A!Q{hcNr!2e%f_r9I?p_h} z)gjy4K(Eqj#qx@`|E@@;^uJ6&4F2~Ybi2KQ71yJ$LC44$sB?W?=rHU}5?LG%su|XJo_e3z5M@k1 zkuk!W_TSM@+71IB@Ep=bCuit zUs?3vr#PL-AF)J##1iSVI+E^LrInw;sw!;5c7G2TOLBPn~QQ64e 
z%-HPz9AK&cwaNy%Z&p(*q)ebf7Rl3XmG?DOMQdsh#^8~Y@l zWzp^5CwHOBuwGXvP82J`#zdX+wyst%;KK=@h71P+M{+Rt@A<;dTbG>r=o8A_L;q)G zb<9(zkP!X)^)3JF7sLNltp62f{@>Kjf8A-FV~0jTgdhlLu|yOQ9Kk~Mco2Ak2+qjF zV<4dYl9_40>?+hPmX^DyXT#O2R>_m7@Iv`3kgJ;4r<5(;o7UHdsGFObs8zea+is@f zY3BlybK3rOzh85mY&PV)AD=*eyX~{WPt8(`7i!rBt zVP;{52=BMQyCsfBC1emrou^Rm$K_2Jl1S0B6xk+>OQlmUWGR|To7gh=XT)t90^!2P z)ML?Syvwyu)+M~oWRr?a(6vuG&1>4Ni!m4hXwWC7SY>Inq}jBkZO0uB1+y~-rwpx& zZ4+uHfJl@KN+=VBI29%@B(Uts{}sWg9mg(U*|!T!+m5ESXCB2iWG#}O+^)B6W^AeWB6-*D^VA?|8|5}qL7$#LN8$~5Bj}Lv=dLv}TOE{`s#5zge zPZUX;Cpci$Yo|Ut_kl`I@QqPLW$H3q;yW zr7EQ>R3}}yntS1=Lt@|KmvpLH+m1)gUnNr2FX3&xG>wpL91&-)RX&HC5e>?03$_Va zAIXW}m+lNl&5(W8C!A345%0$Gg+Q^Lt<+0gHGN+|>!)tCt>sN*Nw;e_Kfu!%Icpxr zrZ9X_q;66;y`qy`?XBF5R=jYkI5>1F z1nxMFj?j&jx0WR{_4VDeOLS8QjKk z#M@>Mw|f!Q*8Z-7b!>YP*?x3W>@O*Q;T0P@88YdlqeXJ7)6G8ZShYQ$N@3A3OGDH z*qrb6>8rO`-le3&siB1NaA)}(CdvBFO(H-yh(s}bfTau`j=1H`3vXsxR$!$Wg}8w< zn7z~d>Msaqw`>`vY-d#wa(TrNOv0w1g$vcHQ6N%Azb}?`goi&0Ok5^8;_Bd+Cs;b; zzhCeW>YmB8?~v%VS;T8n*UmAxT?%AEaHIw=vNzE56$lxf8J^d&D!(98U|hL;S`P!C zY_|D@1T0Jfde#^Au0f&wsB>V&{p4s@>n3+V9nZQ;`!h)V4ke3S*QrnM9rdOLU*aKc z6e@fx^uQ;A-7$nZ33mU5V0?bTnCfQbg1~7ZuR}C|Ke0gaoj@mu0bl-YmFKOSS->!V zwtjf&;HM1$MK#{wyt=NAzNHLoSvokYJiWF4Cs=IxB^?7hSnunG(82tV;b^bI%txhn z@ekZCrOdMQQTDASeGP)ft zNlSD~@un}(p=J+_j#lR8c4ForMe$ z6l>{rVP7@U5)-Yivrt5&`c7c`hL+x!`WE=VVmk_UtPL7o6_0N2>&n$0J@&Gz${ZKM zQUSy12KeRq6m)*T%5EGi9zarB+i<(*7-BKa&sMB#~~1e zLAmmV8D@+pYK-uOt;63@knlZ=3@+&ZO)smW5TB$kZ1knbHYb>&}40THO zji0L`*B;dvY?5VwP6A)BKMQ5c3Xsqm9_N%Tcgj56X=q?Z!e9e(7oIGuFiW zuk-Xv<(%NYdugAh^j3CnLD#@tQ$h9%&Uv_db`z{jvfZdzMfetKU0dZ39hgQ2G3WH} zo5+?;v9jXw`YsG6vAT7SH^;AI!Cn~DJN$Xg-A!|!>scv6CQALhv)PVT0T7t(vU#BG zNp^#1BDDj?VhHa&!ZXYZBXg;U zg1vj?r9Fg+sISU?Qsl?)|?sSQ772d@@;L~Jb&qd?RSu5&p$C5i1uOk!!qs*nLu*S`X) z*Bg^hD)bwkn&S_WGNfxWUu4#D;-hq+L)hI{6Kl?fo*giU-teuS4i zg61oa{%7wvv%ir$Po~2g*VNU&LQ`yO{goKNg*7hd*V=7Ma?&Clj`gPGMV8c8HE+d; zBp*E(bAntpg}FexfT@NCckT)_~Uz~QYyk}ZZlAO^*jA!h{}g)5l$MF;_K z#+Zp9{#+DX8v(LtDNul}aY*6+H`o#;Sk&Z}ARm()=(h`t!!(?lq$YFEObjF((Uh`` 
z29F#jzDy+3AgeX;Z5^>aLs-U`XEVQCpdsa7t1ymM^rt|)aG@}~WBUFe{{2n?3Selv zY*oY1pT?%G%vh2Mim#%yhGkIyH&HqQs;WaFA&kjQ`$rj`53!EWClhB1XVmLgI^J>U zTCnIK+tG{=13jBSH?>dRgbv32_hAjx4?u`ku$z=tuwImIkdn@0HMRKSekIsbpxZ1| zPB-}@suc+UNV|GI3;w9`oN!O|>u&2dxD=c3Cf;sy6Q{2bPK0l0&v(1`+^^d51q2InFSUYGpg61srVM!?9kNn zj~AN=1sHOJ)$2jMy5p608TilD$#+f7f|IM+ps55f{qz?(hZQNzrfEoB_>eV&ndK)K z8!2Dds4`^e@TCEkrUk38%Vun|SXPX_ZPPXOSGU2;?;ZTq(p(RaP*zYD$KAha@x}E* zZD^x4t?ymuR%N7>oUAJIq82pUnYU+&O;38w$h2$sRsYSpvdqEFL>LQX6iT5mo=`5Z z3S{(yoE;;o#@8U@`ZzYddI4z33f3o`v^l2ybSp>>`JXTt8`svc1TreJC`|dwNEX$@$D0$a zNL1I)sl%A^%c?YAiyw6iO^?<&1vrVGG1ooqTJW-WkJaqvXHiTc;{cfJZu|HG8ih(| z>O>3Xx`y$(=K7vu{%svmT!{?(@qT80uM|SEVP$X{s^2IPmb7Wyxxms`UE4aEbxVnkyJ<0BShKW5jw3 z0S!ObTqbn&h7WM+(WAR2r?;-|Sw&)V^AMK|)bSAm$a`_^8THf#>7^FYHP* zKx!*(@R>vk)XQ+~ZcjTpCi9yg4&DOju+-{T+R^b^B3gy)$B>L4+=B|g)9S*CB9%?4 zwZHwa%;|tcoXpK+O;y!;FQ(FN^(k9*^b$r;i;fymxTG!FKSHw9yyJhxZTmhR|4@d2o zdK)Xjxo|dp=nBfg%rO<8>oV?F;I9MiX`45gsP^Mhl+j~$ts1t+NcDp+E#aOwJ7YT_ zC&RxP1!wp4U53|?Vu5*V9qvX_HleM*dJSQNH?a<<^Ft45plpk?u6;)WTLrgJPliJR z2)l!Cb~3>WrLtq)e2ivl6j<28Jkzl4L)!h1!2sZ#MB`x95wefL9}=7#1O4NN6!WYr z`vssKYrl1C+EH*Kxi7dUKzlvwrS=|>JlDOHCzD=JUm&G0#eMTSUemMXc4yf;qut_; zpwe)nGg5yIA�Vda6$B%{{IcLsMXyuly?RS=da9)lsQ9f9rhNz-MV>yIWk$7ifuB zgUhR)my&<2{{@i|a=^{N9nCd$06Fpu=Tia&yh|Fv-Gq1}a89A&(7W|Fw&4Ci8=7H3 zf_rEg6r-kl0K3+^bN0yMOxES3nMxEtcFn83@6!}oRI`BxmIGK#S^=R(+B zsBHC86Es7yNN|G*J|yO1c|||VMYGj)Rdy}$avF|$N(fIkZ$;9`u8q%Ux0=z>%Fw?T zb0bFdlZd0ACXK$}1EK>hY0WW2Ow-7#{%8mF^wsHtBI&b`Zav&P^dTfTwT@6Dr$E`c zxvUDthHzr+yab&tj(S7oPD&4!P`P#e;hKjNWSIT?4sseXT2G4WnFQzo{|vPcVz8%qY`RbPI&)s zoAcc=`41VKfWc^Y8;M@*-I_biB)6&>6Se^NK)(9c_1|UZX~9UC(59SE^BjVT!UeC_ zXy3w+c!UsrJWFx?!hs&J@=1%F&B8kxwU)_9wcrI`>-ea?2qZqn#kH<)Y^;T$up zY!YZ!p0#|3@O+K?q;h`+(r~10eK~|a4rHIAe95R1wNFPnfhUG4@8r~~=b5^h*OMgQo~&F6r)3Ij<^z6_`yY zeX@1;+fy?7my&b*AI?D$iaA%JvTNl0%05{^h$UK#sz;#kbF7@{MV=(5$sSur2nbKi zK5>W((e9LKC;EcGbN?V<{D`=QwySSRzyOkA_$hY66AkANTORE}CLlg2KZID{8Nrz3 z-z*Yn%1qR7Q~_;ORY+!#SsRz4uTqez(xSl7oSv8?E7M<1nnjP&M%sePkYZ$G$(uZM 
zR~Cn=>JO1hvonn0|v9IC22dX|WaEVfs2^1{=iB+Hz8J356;(Uc>H@>RZddrEcT`x&S^ zmd*1IK`r(=Z=f;c?G(@bZ^OtL1Uui%yvr%rBY78pPvMFXLl@u7K&v-M!fT!BFQVku zLHoH;c4}%k3Q0Ntzhaaxf&8L*jPCv*+k7=;TWZIDEm&ey%|LJ&f2Tl{B<8%D+y;e| zJ=Xo!^#&06U&7-n3x}$rNeniU!b>x~Q`9fifZ-V?35}kES3XdwPSbhhg87~px~fAl z*$nsE3+u8a{eh?pR!I;Yw6)q?U<1p(X0elLk*8WZfJZ!C!vY@6s z%M+5LABm5C_PYH3b<5*Vos&=ZNXPiW!}te@Zkr#`Iq<`?4&EAsj3A3()7BJ$!$AmA zI6c4o391kEX`l=Q*2Dz0nQwJKHjT@w9}!l0h*$Lo7Z2*U1fw!l%Pgd-Wmd$aZGSLF%IsJBY70kZ6@V2Dd` zsNtPpR-u;=jp8iSQ7u$Oj?zHC);CVgw_C`v$#xRI4CU-nXNG2z$M^R^pDzSm?PF-X zqab5b4t6xgX#bcmtq~lGbwlG4>JJN$N)=nSmFNk*>Ga%L4gpc6Hf7n65?W?;Y48>O zX%9k6YI0iDSQ;(J42Fq;t^kidq1c$7J~@LSthgdZ-JPv9)D}2Af>a18Aclw$#?B?2 zw1~d+Sd%V_e9*Bx0D~zk%`q=k2q3s#71}U|=qxC`iuX}D8~y+zJ}NFDAtTf0U?P~r z!jIoc(sAmlzUGza8HurCtZ5sloT=+&86Kb9*NlJ6_v?X7ixR}_WGHtsI(HH!r8YVw zC@Wfz7vzA<|J&>2J@L;J zu^iZ{#2(cJ8FB-GP(c3yJ)YpLVHo!K?^{z6;Y+oSp&~oZwMbH+g-Ye&C&LsWqzcaG zQwGph1(3j(5$(!R_z$L4{|6SV5QPjBI5|56GN|_a&CY_xVd3|fId#D|r`hT!bkzK@ ztD*?^vweF^WvQ_`>>}v+ZXwKxE4Jr^#8`uo;3$i_cks4}tK)R6cRBMpQzmU;Lmu?C zUty4V?-9N2QHuDRjl7MxpO!@!uJw?D99F(K=Cb(8i$c@0{X6u?D(Wu*#q4?!t$%|{ z9xxr!_vtBx#-aPV#Gi^`&SHnoiGCJ}% z<0UnUxft*ic*Lt6UKWDRNnPlo z;Mt*T5my&p44Isw*dcpqX-d5hHPN+u;`W~ai@z1?h~jE^JKNW_{xOKAwMy+#+B6<( z#derHY2^ROHaPKlI9PTydg+?B#v$M#4l^xi;`Ak<%(XR!P8X@Mr-UwS!bmlcWxA-c zW>A^L%Y%#58>rDynx35RlL{*&So;ZWiwCz-4Z9Tz))tet0+l#~((siO_S=>O=~2+u z1CGd`pbv!QU2wFTiwU*z*E>C(AjX3!#6jJwIQ(v{e{KKqX~ZP|I6@nAgCBJJpa2PC z)xa~Bzv<^jykp><7+2S7bY5E!3ONfOq`AsR04Sp5*|zQD76mTtiI)z%aKAyZ7s0FS z?VazNJjXX|YJW&Ze-8fEH(*UU2Hy5mFLYN>BCb^n1JkY45mLUxC2tDhomw#sc1=AF z6)6?>9(ol*?;MN1_+k-40PtRgcuDundhu^1`G~=K0Ok( zV}5QuA}=L~3hyr$zgbSE>UTjl;e>hBrrG?MXdxJY{5l{%{zv(|(|~Vo&^c}~2{}z2 z+~@`MJF9h4X?fYsUo*E{?c$y|+j~UqVx5vLVK}p1`y!=R-v0CF$Zu7yNne!O1ujD~ zXNfOF_QyJ5f_I>|-*SavEJE!sQKLvb$ZPvlbmAYz#KnE{> z70G_LdB(S*HedUmeQ2oV3tGRHuNELtiFOQmp{>bvZBt*5uw$2r`MdH``YA{CuK|4b z>s830Crkd+^laW>@P(Xzw6od+~@+st(Ol3}zh!uytA zn4%tuTe(0jWl9XH8EX)SB2qZqW-h}i1J2*boZB5KSeYB!U>xn=zj&p1F=TxaxR1_!JiV-c4yv&@ 
zbe}NDmUmYEZZyM$5Sqc-orurGUrjeqn`0Ov=|6EBifm*v#`5UB>^9Fjz=H`R84HSL zz&_;HNoZV;On@D!EMqSlFDWl*RGB?TJ9!C3Z%7!}yC)Y~rYDxb5;`r|I@Hx^%Oq(m zc!ZX20#u!lC05QP*1EVu`Mm4vdLz@%x6@r7Cd7V ze=^XW*i6A&DbEEn<7$cp`vka0W)FWHIPyQqEHsq+z_T56xYh{WxE4k^nw21>@tz@| z5Fm~bC6w}FC=x4}MoSh2(Fc$lVknI}s#A*0)2E4D7%?}E&K<@TlxiK%qNGWrjB>V1 zwx3$F#XXOTu|6BRYaTBs)ca;91U=?c7N;0Nd`czHb=Z@CDkRUp+hceUnh5H<6v@Zh z@B^ojKMLpx0cTi}qbvy{PbHpGD{LgXr=_D3bO0A~;|_6~hEtWtg8h;$kt~-7 zrPY2y+;wTI$sa0@p(9{Joo7uE9<>+M{~eV8Y38p90--pEpoXoWvN)W{9c5WU3TYy_ zZVJFr_EvpVZT^Z?YGVls)3J|*$s)wQ3hNgP90H7UiH5i+?DL(k31Nws6m8T_Ap@Lm zlYVwBo=i6bn5MT_d|!yg6Q>f%RrY^bm_kiDr+0>;j6yHsYUqdBoV%>#MxoKQd@(@PtAR>X8q0Z3;6z=noc zxC9ecY|V&A%)(g)2cg=A#707yiFd(Xy9dI92qdm!UgVv8<)etyPiDIK|B`2``Th#m zWAkr-pp4;G#p0{c#$tC{@sw;y7$_Ec(FOBCaXvID~fW z`M|&YFlNWK$ul{+dgOW~a+lhcvKiZYjNTNu8G8?;#zB#ORni*;6Ds!nY+lBDTUHP8Yz_nF3QPw&;^cw zvzr%FQ0|r}^@CPG%Bn9T11Xv7=VtcV51qUe7t}6HiSgnUQ%**o8{zWxVa&9VuTW|; z!87rGBShcqiy5HH{giH0mnZA+#A@!u$>icSyN5FxAE3Kqd(Pi`6Sejmr>n{#&)YkD2?B$Wx><+?{Q<@vZHN} zjqeD84MOD1?b%Yn^--&ju3U45FZvazWGwADWHhaSX2Nl@`G)ILJWRe}5J5UA!p^Ze zLVHuF8CcKUH^M2QL@nXZ4jrwzLqS8}gYI*1*rHU*0dC5IQh86tuFLGdS-GVQtWGrT zj6?YNdf2yDkfTupMrCd>g+m2K$WP8!D%T;K1<+T<{TYTvDQ~d1SIVG6huOK4vxfT) z#|Te9>m(XHK$qmdahzF!`;bPRuh8s7o@m1;L{bqfg(Xjp`wK`P4-u3VC2YZ_~)5E_gvV>E+Qj7Wuwq;8>mv$qi4n{!u2Mk8&^>q{c0M?c)7s)GtjDA*B{j%U;ZaIrj z-_+M)#C$@I`zFTi?cOfmT9^=5gU<=w&D-@}Z+y%r!5IWQ#zfZS*xS?gx3uz?(J2Bc zU+k2gUfs4&=0tZg4{62e`hs&gq-0f+LS>znM`3rWe5E=5wwYHAHrd85Lc_};7uRe? zBXKxf?@!CT?Q_o||J=ZHZ0aL=m!EZhn3>nE+GTY2UQ++Ni(ey)cBlB(*mwM9bJP7n zj!w=5-NV|jtwgLq(<@zA>SDMrW285cDfy0~bLG&g=t$`trwo7qY?jC0;O zX*MJzbkuG{z`Zjb+~-me)%L|H_Mbt!{KmtFv@@Sd)~T7DIsMp!ZIUif;yg;O^+^)! 
zH!839N#UYbs$1qC3EV8Pxsq9}dksOU|#HZ&Zv|C(l}i))ZP?N?5rqu!F2qMV)x zWo%X_6!L%JPb@XA^5$J?bKPKR6;deSEAGlb}4_Yo7UhV%0U;_zoK< z-z`&p7_Br+inv9r^o7#TMM2439?BU!w#H4A^RI6GX`h=I~ zl~uH8tGQR*)ov>c8E4zO%3oY7OFHVGs_vzUiK4$ZwK-GmjU^7Kx4iTYK|)VC+{?A&0eL+J$L%f z^)1D8g)3P^q%|*FBc8|pF`K7zn^gX-TU)O+QkSoJNgTB{G2?w}B~}(;+jy8w^vOQe zG;9(6E}N~5bztw9<3z+j=Ixc0dw54YDz-iP)a5qlvFo_Z4?Jho+cWPt2ZMvQI z+YP6JVXDSi85 zl6PM_n;dV2Z;7G=XT`S*6}o5g0+y%YC9kAp7d-H~KKY?_jqL4rRZ*k{yNjvBT8wYh zRGf-MO5nwvvPb!&BG%_Di?jK2R9-jqR{7;riIJWc6V`URHwKEe&Rw<~6C?I6dg^Fx zZ)R_}nJl3nWFey*`?74Yf^|XEGr?6j{_g#TdezPt_FfBObkMOy6(yThyR9W{srO=9 zlneHMsMpOX_dh!x{+M(|%$|^l3yG@aU$#=-xonltU%iU2c3R@sHgLsdmS2tyA<+yl zcq8r7ny<*{>~-G2PEYZYNKvMhoQdz(cj>S_reY!yXeQ{yHZdAMW^4WI9j&kMg9E8coVUOROvX;%D;b=Y-XReG0+D=Eg0L#gai8t@- z1h81h0>6k&a4|OoaY9fZr};LZ((J@In20j9+H8ohpasRpo@e8RyEZ#!xZU+2*mOvr|5Pg(c zRThC&KKyfKPcqhr=;wEkC1ov)@)rxrcb1Z$ix0uiGl0kv$_Imv%!mGm+A{+JL5yCJ z1wG9O)n(Nc%V6@1rfWW4)->SS|Q0fY;%N)WI+`=o{b0y=Wmo@R^z8$hH`J;^>)tS^P^3nH35 ziBu%gb95cQHvmyVVPx%|dD229L4M;|JTE8x05=gG+OZl-TBSBIRt?WC%K&bb-_30%$R62;5(VWt7XjxUD9SLN4iLjUs-F?M590PgkUtR~!H!QkE`t&0XX@T3r3K#t;r%-b*hz^+Od;F`dgV_^E$Z$U#EQYd5;6B;t? zX$kZ9R|JiUp`l}o-R;6?!LwF3&meWe}8ipDs~#GEK{{(~9gJjxP4 zl!obd6puzU_9iRoZA$QXX5EhA)t*%id(MqQJ`P~P*4S? zAYu2v0L{pLMr3~RAy z5t6iVbO$s^&~z!7a?c&mXr?5BFY}R+-?OG!9MFc3p*`Nz6e;O1wFjgpflF2Bv$n(7S!+=hV8FC#=w;i6W zXslbz9%W3&02Ay16OR;(D(ZzwrI1~iw^%;Fsy7Z$@<0Ju4`-jW(1RpawC`@mTG2_B zt5sQ`GuuID!soMHKCI9LKR=ZDw*Of{4HYz<4}5rl6AgXQh&zbxo>V`y3CJHZCgt%! 
z5W6(+#M#C(R@reX8qvzign3`~+*t8i9*oK=u(gqc!TOJ|fK6Yq!kk&G%N=?iH2DJX zLZIX9lNM@!f(6qs5XGyZXu)dW7|<3lDDa6w=0O@IQ|&;2qw&lT*#nYS0ec;bF1ut3I|3g-6!T^f~ zhF5CVvKh`NoPx^pB%y4dQhT4sPyns)Ct5=)8qJ1^wzGX@JMNSv13@2fNTWWHjz&YC zS7qLd$a|P(8lDy!T=rkdh+CPE9gDmIXHEpMVxb~bnYRLYmB^fkBh?EP!RlfWWYds0 zFU-j;tNnlFva(TRO5izpNi7SO2Tu@;Y#K5x#GELOPYV@=dR`wX6q!k3PAG18p+aZg zfzQvYfRu;KL@+1s;OB+PW0jWxDHnM>e@<@8$U@~ZJFJhChdkjvCy#4%q4JoXcSj0D zo)VuEs4=!cfy_M~`R|Z90of94D9ilxj5uQ$%)!W4)N^1ehHdT@*W3$h3p_j6WkHYu O;|sjB;+F ["localhost:9200"] + + # https protocol (use with search-guard) + hosts => ["https://127.0.0.1:9200"] + ssl => true + truststore => '/etc/logstash/ssl/truststore.jks' + truststore_password => "capass" + ssl_certificate_verification => true + keystore => "/etc/logstash/ssl/node-{{ansible_nodename}}-keystore.jks" + keystore_password => "changeit" + user => "usr_logstash" + password => "23shjY67" + + # template + template => "/etc/logstash/template.json" + index => "lightsiem-%{+YYYY.MM.dd}" + template_name => "lightsiem" + template_overwrite => true + } + +# stdout { codec => rubydebug } + +} diff --git a/roles/elk/templates/elasticsearch.yml.j2 b/roles/elk/templates/elasticsearch.yml.j2 new file mode 100644 index 0000000..64a7a59 --- /dev/null +++ b/roles/elk/templates/elasticsearch.yml.j2 
@@ -0,0 +1,165 @@
+# ======================== Elasticsearch Configuration =========================
+#
+# NOTE: Elasticsearch comes with reasonable defaults for most settings.
+# Before you set out to tweak and tune the configuration, make sure you
+# understand what are you trying to accomplish and the consequences.
+#
+# The primary way of configuring a node is via this file. This template lists
+# the most important settings you may want to configure for a production cluster.
+#
+# Please see the documentation for further information on configuration options:
+#
+#
+# ---------------------------------- Cluster -----------------------------------
+#
+# Use a descriptive name for your cluster:
+#
+# cluster.name: my-application
+#
+# ------------------------------------ Node ------------------------------------
+#
+# Use a descriptive name for the node:
+#
+# node.name: node-1
+#
+# Add custom attributes to the node:
+#
+# node.rack: r1
+#
+# ----------------------------------- Paths ------------------------------------
+#
+# Path to directory where to store the data (separate multiple locations by comma):
+#
+# path.data: /path/to/data
+#
+# Path to log files:
+#
+# path.logs: /path/to/logs
+#
+# ----------------------------------- Memory -----------------------------------
+#
+# Lock the memory on startup:
+#
+# bootstrap.mlockall: true
+#
+# Make sure that the `ES_HEAP_SIZE` environment variable is set to about half the memory
+# available on the system and that the owner of the process is allowed to use this limit.
+#
+# Elasticsearch performs poorly when the system is swapping the memory.
+#
+# ---------------------------------- Network -----------------------------------
+#
+# Set the bind address to a specific IP (IPv4 or IPv6):
+#
+# network.host: 192.168.0.1
+network.host: ["127.0.0.1", "localhost"]
+#
+# Set a custom port for HTTP:
+#
+# http.port: 9200
+#
+# For more information, see the documentation at:
+#
+#
+# --------------------------------- Discovery ----------------------------------
+#
+# Pass an initial list of hosts to perform discovery when new node is started:
+# The default list of hosts is ["127.0.0.1", "[::1]"]
+#
+# discovery.zen.ping.unicast.hosts: ["host1", "host2"]
+#
+# Prevent the "split brain" by configuring the majority of nodes (total number of nodes / 2 + 1):
+#
+# discovery.zen.minimum_master_nodes: 3
+#
+# For more information, see the documentation at:
+#
+#
+# ---------------------------------- Gateway -----------------------------------
+#
+# Block initial recovery after a full cluster restart until N nodes are started:
+#
+# gateway.recover_after_nodes: 3
+#
+# For more information, see the documentation at:
+#
+#
+# ---------------------------------- Various -----------------------------------
+#
+# Disable starting multiple nodes on a single system:
+#
+# node.max_local_storage_nodes: 1
+#
+# Require explicit names when deleting indices:
+#
+# action.destructive_requires_name: true
+#
+#
+###############################################################################################
+## SEARCH GUARD SSL #
+## Configuration #
+##############################################################################################
+#
+#
+##############################################################################################
+## Transport layer SSL #
+## #
+##############################################################################################
+## Enable or disable node-to-node ssl encryption (default: true)
+searchguard.ssl.transport.enabled: true
+## JKS or PKCS12 (default: JKS)
+##searchguard.ssl.transport.keystore_type: PKCS12
+## Relative path to the keystore file (mandatory, this seores the server certificates), must be placed under the config/ dir
+searchguard.ssl.transport.keystore_filepath: sg/node-{{ansible_nodename}}-keystore.jks
+## Alias name (default: first alias which could be found)
+searchguard.ssl.transport.keystore_alias: node-{{ansible_nodename}}
+## Keystore password (default: changeit)
+searchguard.ssl.transport.keystore_password: changeit
+#
+## JKS or PKCS12 (default: JKS)
+#searchguard.ssl.transport.truststore_type: PKCS12
+## Relative path to the truststore file (mandatory, this stores the client/root certificates), must be placed under the config/ dir
+searchguard.ssl.transport.truststore_filepath: sg/truststore.jks
+## Alias name (default: first alias which could be found)
+searchguard.ssl.transport.truststore_alias: root-ca-chain
+## Truststore password (default: changeit)
+searchguard.ssl.transport.truststore_password: capass
+## Enforce hostname verification (default: true)
+##searchguard.ssl.transport.enforce_hostname_verification: true
+## If hostname verification specify if hostname should be resolved (default: true)
+##searchguard.ssl.transport.resolve_hostname: true
+## Use native Open SSL instead of JDK SSL if available (default: true)
+searchguard.ssl.transport.enable_openssl_if_available: true
+#
+##############################################################################################
+## HTTP/REST layer SSL #
+## #
+##############################################################################################
+## Enable or disable rest layer security - https, (default: false)
+searchguard.ssl.http.enabled: true
+## JKS or PKCS12 (default: JKS)
+#de
+searchguard.ssl.http.keystore_type: PKCS12
+## Relative path to the keystore file (this stores the server certificates), must be placed under the config/ dir
+searchguard.ssl.http.keystore_filepath: sg/node-{{ansible_nodename}}-keystore.p12
+## Alias name (default: first alias which could be found)
+searchguard.ssl.http.keystore_alias: node-{{ansible_nodename}}
+## Keystore password (default: changeit)
+searchguard.ssl.http.keystore_password: changeit
+## Do the clients (typically the browser or the proxy) have to authenticate themself to the http server, default is OPTIONAL
+## To enforce authentication use REQUIRE, to completely disable client certificates use NONE
+searchguard.ssl.http.clientauth_mode: NONE
+## JKS or PKCS12 (default: JKS)
+##searchguard.ssl.http.truststore_type: PKCS12
+## Relative path to the truststore file (this stores the client certificates), must be placed under the config/ dir
+##searchguard.ssl.http.truststore_filepath: truststore_https.jks
+## Alias name (default: first alias which could be found)
+##searchguard.ssl.http.truststore_alias: my_alias
+## Truststore password (default: changeit)
+##searchguard.ssl.http.truststore_password: changeit
+## Use native Open SSL instead of JDK SSL if available (default: true)
+##searchguard.ssl.http.enable_openssl_if_available: false
+
+security.manager.enabled: true
+searchguard.authcz.admin_dn:
+ - "CN=admin, OU=client, O=client, L=Test, C=DE"
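Review bot: The three store passwords in this template are literals (`searchguard.ssl.transport.keystore_password: changeit`, `searchguard.ssl.transport.truststore_password: capass`, `searchguard.ssl.http.keystore_password: changeit`), so every node deployed from this role protects its keystore and truststore with the same values, which are also readable in the repository. The file is already a Jinja2 template, so these can come from role variables kept in Ansible Vault, for example `searchguard.ssl.transport.keystore_password: "{{ sg_keystore_password }}"` (the variable name is a placeholder), quoted so that an empty or boolean-looking value is not retyped by the YAML parser. The 99-output.conf.j2 hunk just before this one has the same problem with its `truststore_password`, `keystore_password` and the `usr_logstash` `password`. Separately, the stray `#de` line above `searchguard.ssl.http.keystore_type` looks like an editing leftover and can be dropped.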