From 7d11fd5889e60fb2f4eb94b7a96bf0d6b6e5a672 Mon Sep 17 00:00:00 2001 
From: joaogac Date: Tue, 21 Apr 2026 09:55:53 -0300 Subject: [PATCH] Initial commit from kro/examples/aws/eks-cluster-mgmt --- README.md | 464 ++++++++++++++++++ addons/bootstrap/default/addons.yaml | 76 +++ .../hub-cluster/application-sets/addons.yaml | 11 + .../default/addons/multi-acct/values.yaml | 2 + charts/application-sets/.helmignore | 23 + charts/application-sets/Chart.yaml | 24 + .../templates/_application_set.tpl | 58 +++ .../templates/_git_matrix.tpl | 37 ++ .../application-sets/templates/_helpers.tpl | 48 ++ .../templates/_pod_identity.tpl | 27 + .../templates/application-set.yaml | 177 +++++++ charts/kro-clusters/Chart.yaml | 6 + charts/kro-clusters/templates/NOTES.txt | 21 + charts/kro-clusters/templates/clusters.yaml | 42 ++ charts/kro/instances/pod-identity/.helmignore | 23 + charts/kro/instances/pod-identity/Chart.yaml | 24 + .../pod-identity/templates/_helpers.tpl | 62 +++ .../pod-identity/templates/instance.yaml | 63 +++ charts/kro/instances/pod-identity/values.yaml | 12 + charts/kro/resource-groups/efs/Chart.yaml | 0 .../resource-groups/efs/templates/rg-efs.yaml | 1 + charts/kro/resource-groups/efs/values.yaml | 0 .../resource-groups/eks/rg-addons-iam.yaml | 0 .../kro/resource-groups/eks/rg-eks-basic.yaml | 342 +++++++++++++ charts/kro/resource-groups/eks/rg-eks.yaml | 175 +++++++ charts/kro/resource-groups/eks/rg-vpc.yaml | 247 ++++++++++ charts/kro/resource-groups/iam/Chart.yaml | 0 .../resource-groups/iam/templates/rg-iam.yaml | 1 + charts/kro/resource-groups/iam/values.yaml | 0 .../pod-identity/pod-identity.yaml | 80 +++ charts/multi-acct/Chart.yaml | 19 + .../templates/iam-role-selector.yaml | 12 + charts/multi-acct/templates/namespace.yaml | 7 + charts/pod-identity/.helmignore | 23 + charts/pod-identity/Chart.yaml | 24 + charts/pod-identity/templates/_helpers.tpl | 74 +++ .../templates/pod-identity-association.yaml | 27 + .../templates/pod-identity-policy.yaml | 56 +++ .../templates/pod-identity-role.yaml | 66 +++ 
charts/pod-identity/values.yaml | 61 +++ charts/storageclass-resources/.helmignore | 23 + charts/storageclass-resources/Chart.yaml | 24 + .../templates/_helpers.tpl | 62 +++ .../templates/storageclass.yaml | 39 ++ charts/storageclass-resources/values.yaml | 17 + docs/eks-cluster-mgmt-central.drawio.png | Bin 0 -> 325209 bytes fleet/bootstrap/addons.yaml | 52 ++ fleet/bootstrap/clusters.yaml | 52 ++ .../tenants/tenant1/kro-clusters/values.yaml | 41 ++ scripts/create_ack_workload_roles.sh | 124 +++++ scripts/delete_ack_workload_roles.sh | 87 ++++ terraform/hub/.gitignore | 32 ++ terraform/hub/argocd.tf | 58 +++ terraform/hub/bootstrap/applicationsets.yaml | 31 ++ terraform/hub/data.tf | 18 + terraform/hub/destroy.sh | 7 + terraform/hub/eks-capability-iam.tf | 153 ++++++ terraform/hub/eks.tf | 55 +++ terraform/hub/install.sh | 7 + terraform/hub/locals.tf | 95 ++++ terraform/hub/outputs.tf | 23 + terraform/hub/pod-identity.tf | 34 ++ terraform/hub/providers.tf | 39 ++ terraform/hub/terraform.tfvars | 19 + terraform/hub/variables.tf | 142 ++++++ terraform/hub/versions.tf | 18 + 66 files changed, 3667 insertions(+) create mode 100644 README.md create mode 100644 addons/bootstrap/default/addons.yaml create mode 100644 addons/tenants/tenant1/clusters/hub-cluster/application-sets/addons.yaml create mode 100644 addons/tenants/tenant1/default/addons/multi-acct/values.yaml create mode 100644 charts/application-sets/.helmignore create mode 100644 charts/application-sets/Chart.yaml create mode 100644 charts/application-sets/templates/_application_set.tpl create mode 100644 charts/application-sets/templates/_git_matrix.tpl create mode 100644 charts/application-sets/templates/_helpers.tpl create mode 100644 charts/application-sets/templates/_pod_identity.tpl create mode 100644 charts/application-sets/templates/application-set.yaml create mode 100644 charts/kro-clusters/Chart.yaml create mode 100644 charts/kro-clusters/templates/NOTES.txt create mode 100644 
charts/kro-clusters/templates/clusters.yaml create mode 100644 charts/kro/instances/pod-identity/.helmignore create mode 100644 charts/kro/instances/pod-identity/Chart.yaml create mode 100644 charts/kro/instances/pod-identity/templates/_helpers.tpl create mode 100644 charts/kro/instances/pod-identity/templates/instance.yaml create mode 100644 charts/kro/instances/pod-identity/values.yaml create mode 100644 charts/kro/resource-groups/efs/Chart.yaml create mode 100644 charts/kro/resource-groups/efs/templates/rg-efs.yaml create mode 100644 charts/kro/resource-groups/efs/values.yaml create mode 100644 charts/kro/resource-groups/eks/rg-addons-iam.yaml create mode 100644 charts/kro/resource-groups/eks/rg-eks-basic.yaml create mode 100644 charts/kro/resource-groups/eks/rg-eks.yaml create mode 100644 charts/kro/resource-groups/eks/rg-vpc.yaml create mode 100644 charts/kro/resource-groups/iam/Chart.yaml create mode 100644 charts/kro/resource-groups/iam/templates/rg-iam.yaml create mode 100644 charts/kro/resource-groups/iam/values.yaml create mode 100644 charts/kro/resource-groups/pod-identity/pod-identity.yaml create mode 100644 charts/multi-acct/Chart.yaml create mode 100644 charts/multi-acct/templates/iam-role-selector.yaml create mode 100644 charts/multi-acct/templates/namespace.yaml create mode 100644 charts/pod-identity/.helmignore create mode 100644 charts/pod-identity/Chart.yaml create mode 100644 charts/pod-identity/templates/_helpers.tpl create mode 100644 charts/pod-identity/templates/pod-identity-association.yaml create mode 100644 charts/pod-identity/templates/pod-identity-policy.yaml create mode 100644 charts/pod-identity/templates/pod-identity-role.yaml create mode 100644 charts/pod-identity/values.yaml create mode 100644 charts/storageclass-resources/.helmignore create mode 100644 charts/storageclass-resources/Chart.yaml create mode 100644 charts/storageclass-resources/templates/_helpers.tpl create mode 100644 
charts/storageclass-resources/templates/storageclass.yaml create mode 100644 charts/storageclass-resources/values.yaml create mode 100644 docs/eks-cluster-mgmt-central.drawio.png create mode 100644 fleet/bootstrap/addons.yaml create mode 100644 fleet/bootstrap/clusters.yaml create mode 100644 fleet/kro-values/tenants/tenant1/kro-clusters/values.yaml create mode 100755 scripts/create_ack_workload_roles.sh create mode 100755 scripts/delete_ack_workload_roles.sh create mode 100644 terraform/hub/.gitignore create mode 100644 terraform/hub/argocd.tf create mode 100644 terraform/hub/bootstrap/applicationsets.yaml create mode 100644 terraform/hub/data.tf create mode 100755 terraform/hub/destroy.sh create mode 100644 terraform/hub/eks-capability-iam.tf create mode 100644 terraform/hub/eks.tf create mode 100755 terraform/hub/install.sh create mode 100644 terraform/hub/locals.tf create mode 100644 terraform/hub/outputs.tf create mode 100644 terraform/hub/pod-identity.tf create mode 100644 terraform/hub/providers.tf create mode 100644 terraform/hub/terraform.tfvars create mode 100644 terraform/hub/variables.tf create mode 100644 terraform/hub/versions.tf diff --git a/README.md b/README.md new file mode 100644 index 0000000..017fd44 --- /dev/null +++ b/README.md 
@@ -0,0 +1,464 @@ +# Amazon EKS cluster management using kro & ACK + +This example demonstrates how to manage a fleet of Amazon EKS clusters using kro, ACK (AWS Controllers for Kubernetes), and Argo CD across multiple regions and accounts. You'll learn how to create EKS clusters and bootstrap them with required add-ons. + +The solution implements a hub-spoke model where a management cluster (hub) is created during initial setup, with EKS capabilities (kro, ACK and Argo CD) enabled for provisioning and bootstrapping workload clusters (spokes) via a GitOps flow. + +![EKS cluster management using kro & ACK](docs/eks-cluster-mgmt-central.drawio.png) + +## Prerequisites + +1. AWS account for the management cluster, and optional AWS accounts for spoke clusters (management account can be reused for spokes) +2. AWS IAM Identity Center (IdC) is enabled in the management account +3. GitHub account and a valid GitHub Token +4. GitHub [cli](https://cli.github.com/) +5. Argo CD [cli](https://argo-cd.readthedocs.io/en/stable/cli_installation/) +6. Terraform [cli](https://developer.hashicorp.com/terraform/tutorials/aws-get-started/install-cli) +7. AWS [cli v2.32.27+](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html) + +## Instructions + +### Configure workspace + +1. 
Create variables + + First, set these environment variables that typically don't need modification: + + ```sh + export KRO_REPO_URL="https://github.com/kubernetes-sigs/kro.git" + export WORKING_REPO="eks-cluster-mgmt" # Try to keep this default name as it is referenced in terraform and gitops configs + export TF_VAR_FILE="terraform.tfvars" # the name of terraform configuration file to use + ``` + + Then customize these variables for your specific environment: + + ```sh + export MGMT_ACCOUNT_ID=$(aws sts get-caller-identity --output text --query Account) # Or update to the AWS account to use for your management cluster + export AWS_REGION="us-west-2" # change to your preferred region + export WORKSPACE_PATH="$HOME" # the directory where repos will be cloned + export GITHUB_ORG_NAME="iamahgoub" # your Github username or organization name + ``` + +2. Clone kro repository + + ```sh + git clone $KRO_REPO_URL $WORKSPACE_PATH/kro + ``` + +3. Create your working GitHub repository + + Create a new repository using the GitHub CLI or through the GitHub website: + + ```sh + gh repo create $WORKING_REPO --private + ``` + +4. Clone the working empty git repository + + ```sh + gh repo clone $WORKING_REPO $WORKSPACE_PATH/$WORKING_REPO + ``` + +5. Populate the repository + + ```sh + cp -r $WORKSPACE_PATH/kro/examples/aws/eks-cluster-mgmt/* $WORKSPACE_PATH/$WORKING_REPO/ + ``` + +6. Update the Spoke accounts + + If deploying EKS clusters across multiple AWS accounts, update the configuration below. Even for single account deployments, you must specify the AWS account for each namespace. 
+ + ```sh + code $WORKSPACE_PATH/$WORKING_REPO/addons/tenants/tenant1/default/addons/multi-acct/values.yaml + ``` + + Values: + + ```yaml + clusters: + workload-cluster1: "012345678910" # AWS account for workload cluster 1 + workload-cluster2: "123456789101" # AWS account for workload cluster 2 + ``` + + > Note: If you only want to use 1 AWS account, reuse the AWS account of your management cluster for the other workload clusters. + +7. Add, Commit and Push changes + + ```sh + cd $WORKSPACE_PATH/$WORKING_REPO/ + git status + git add . + git commit -s -m "initial commit" + git push + ``` + +### Create the Management cluster + +1. Update the terraform.tfvars with your values + + Modify the terraform.tfvars file with your GitHub working repo details: + - Set `git_org_name` + - Update any `gitops_xxx` values if you modified the proposed setup (git path, branch...) + - Confirm `gitops_xxx_repo_name` is "eks-cluster-mgmt" (or update if modified) + - Configure `accounts_ids` with the list of AWS accounts for spoke clusters (use management account ID if creating spoke clusters in the same account) + + ```sh + # edit: terraform.tfvars + code $WORKSPACE_PATH/$WORKING_REPO/terraform/hub/terraform.tfvars + ``` + +1. Log in to your AWS management account + + Connect to your AWS management account using your preferred authentication method: + + ```sh + export AWS_PROFILE=management_account # use your own profile or ensure you're connected to the appropriate account + ``` + +1. Apply the terraform to create the management cluster: + + ```sh + cd $WORKSPACE_PATH/$WORKING_REPO/terraform/hub + ./install.sh + ``` + + Review the proposed changes and accept to deploy. + + > Note: EKS capabilities are not supported yet by Terraform AWS provider. So, we will create them manually using CLI commands. + +1. 
Retrieve terraform outputs and set into environment variables: + + ```sh + export CLUSTER_NAME=$(terraform output -raw cluster_name) + export ACK_CONTROLLER_ROLE_ARN=$(terraform output -raw ack_controller_role_arn) + export KRO_CONTROLLER_ROLE_ARN=$(terraform output -raw kro_controller_role_arn) + export ARGOCD_CONTROLLER_ROLE_ARN=$(terraform output -raw argocd_controller_role_arn) + ``` + +1. Create ACK capability + ```sh + aws eks create-capability \ + --region ${AWS_REGION} \ + --cluster-name ${CLUSTER_NAME} \ + --capability-name ${CLUSTER_NAME}-ack \ + --type ACK \ + --role-arn ${ACK_CONTROLLER_ROLE_ARN} \ + --delete-propagation-policy RETAIN + ``` + +1. Now, we need to create the Argo CD capability -- IdC has to be enabled in the management account for that. So before creating the capability let's store the IdC instance details and the user that will be used for accessing Argo CD in environment variables: + + ```sh + export IDC_INSTANCE_ARN='' + export IDC_USER_ID='' + export IDC_REGION='' + ``` +1. Create Argo CD capability + + ```sh + aws eks create-capability \ + --region ${AWS_REGION} \ + --cluster-name ${CLUSTER_NAME} \ + --capability-name ${CLUSTER_NAME}-argocd \ + --type ARGOCD \ + --role-arn ${ARGOCD_CONTROLLER_ROLE_ARN} \ + --delete-propagation-policy RETAIN \ + --configuration '{ + "argoCd": { + "awsIdc": { + "idcInstanceArn": "'${IDC_INSTANCE_ARN}'", + "idcRegion": "'${IDC_REGION}'" + }, + "rbacRoleMappings": [{ + "role": "ADMIN", + "identities": [{ + "id": "'${IDC_USER_ID}'", + "type": "SSO_USER" + }] + }] + } + }' + ``` + +1. Create kro capability + + ```sh + aws eks create-capability \ + --region ${AWS_REGION} \ + --cluster-name ${CLUSTER_NAME} \ + --capability-name ${CLUSTER_NAME}-kro \ + --type KRO \ + --role-arn ${KRO_CONTROLLER_ROLE_ARN} \ + --delete-propagation-policy RETAIN + ``` + +1. Make sure all the capabilities are now enabled by checking status using the console or the `describe-capability` command. 
For example: + ```sh + aws eks describe-capability \ + --region ${AWS_REGION} \ + --cluster-name ${CLUSTER_NAME} \ + --capability-name ${CLUSTER_NAME}-argocd \ + --query 'capability.status' \ + --output text + ``` + + Modify/run the commands above for other capabilities to make sure they are all `ACTIVE`. + +1. Retrieve the ArgoCD server URL and log on using the user provided during the capability creation: + ```sh + export ARGOCD_SERVER=$(aws eks describe-capability \ + --cluster-name ${CLUSTER_NAME} \ + --capability-name ${CLUSTER_NAME}-argocd \ + --query 'capability.configuration.argoCd.serverUrl' \ + --output text \ + --region ${AWS_REGION}) + + echo ${ARGOCD_SERVER} + export ARGOCD_SERVER=${ARGOCD_SERVER#https://} + ``` + +1. Generate an account token from the Argo CD UI (Settings → Accounts → admin → Generate New Token), then set it as an environment variable: + ```sh + export ARGOCD_AUTH_TOKEN="" + export ARGOCD_OPTS="--grpc-web" + ``` + +1. Configure GitHub repository access (if using private repository). We automate this process using the Argo CD CLI. You can also configure this in the Web interface under "Settings / Repositories" + + ```sh + export GITHUB_TOKEN="" + argocd repo add https://github.com/$GITHUB_ORG_NAME/$WORKING_REPO.git --username iamahgoub --password $GITHUB_TOKEN --upsert --name github + ``` + + > Note: If you encounter the error "Failed to load target state: failed to generate manifest for source 1 of 1: rpc error: code = Unknown desc = authentication required", verify your GitHub token settings. + +1. Connect to the cluster + + ```sh + aws eks update-kubeconfig --name hub-cluster + ``` + +1. 
Install Argo CD App of App: + ```sh + kubectl apply -f $WORKSPACE_PATH/$WORKING_REPO/terraform/hub/bootstrap/applicationsets.yaml + ``` + +### Bootstrap Spoke accounts + +For the management cluster to create resources in the spoke AWS accounts, we need to create an IAM roles in the spoke accounts to be assumed by the ACK capability in the management account for that purpose. + +> Note: Even if you're only testing this in the management account, you still need to perform this procedure, replacing the list of spoke account numbers with the management account number. + +We provide a script to help with that. You need to first connect to each of your spoke accounts and execute the script. + +1. Log in to your AWS Spoke account + + Connect to your AWS spoke account. This example uses specific profiles, but adapt this to your own setup: + + ```sh + export AWS_PROFILE=spoke_account1 # use your own profile or ensure you're connected to the appropriate account + ``` + +2. Execute the script to configure IAM roles + + ```sh + cd $WORKSPACE_PATH/$WORKING_REPO/scripts + ./create_ack_workload_roles.sh + ``` + +Repeat this step for each spoke account you want to use with the solution + +### Create a Spoke cluster + +Update $WORKSPACE_PATH/$WORKING_REPO + +1. Add cluster creation by kro + + Edit the file: + + ```sh + code $WORKSPACE_PATH/$WORKING_REPO/fleet/kro-values/tenants/tenant1/kro-clusters/values.yaml + ``` + + Configure the AWS accounts for management and spoke accounts: + + ```yaml + workload-cluster1: + managementAccountId: "012345678910" # replace with your management cluster AWS account ID + accountId: "123456789101" # replace with your spoke workload cluster AWS account ID (can be the same) + tenant: "tenant1" # We have only configured tenant1 in the repo. 
If you change it, you need to duplicate all tenant1 directories + k8sVersion: "1.30" + workloads: "true" # Set to true if you want to deploy the workloads namespaces and applications + gitops: + addonsRepoUrl: "https://github.com/XXXXX/eks-cluster-mgmt" # replace with your github account + fleetRepoUrl: "https://github.com/XXXXX/eks-cluster-mgmt" + platformRepoUrl: "https://github.com/XXXXX/eks-cluster-mgmt" + workloadRepoUrl: "https://github.com/XXXXX/eks-cluster-mgmt" + ``` + +2. Add, Commit and Push + + ```sh + cd $WORKSPACE_PATH/$WORKING_REPO/ + git status + git add . + git commit -s -m "initial commit" + git push + ``` + +5. After some time, the cluster should be created in the spoke account. + + ```sh + kubectl get EksClusterwithvpcs -A + ``` + + ```sh + NAMESPACE NAME STATE SYNCED AGE + argocd workload-cluster1 ACTIVE True 36m + ``` + + If you see `STATE=ERROR`, this may be normal as it will take some time for all dependencies to be ready. Check the logs of kro and ACK controllers for possible configuration errors. + + You can also list resources created by kro to validate their status: + + ```sh + kubectl get vpcs.kro.run -A + kubectl get vpcs.ec2.services.k8s.aws -A -o yaml # check for errors + ``` + + If you see errors, double-check the multi-cluster account settings and verify that IAM roles in both management and workload AWS accounts are properly configured. + + When VPCs are ready, check EKS resources: + + ```sh + kubectl get eksclusters.kro.run -A + kubectl get clusters.eks.services.k8s.aws -A -o yaml # Check for errors + ``` + +6. 
Connect to the spoke cluster + + ```sh + export AWS_PROFILE=spoke_account1 # use your own profile or ensure you're connected to the appropriate account + ``` + + Get kubectl configuration (update name and region if needed): + + ```sh + aws eks update-kubeconfig --name workload-cluster1 --region us-west-2 + ``` + + View deployed resources: + + ```sh + kubectl get pods -A + ``` + Output: + + ```sh + NAMESPACE NAME READY STATUS RESTARTS AGE + external-secrets external-secrets-679b98f996-74lsb 1/1 Running 0 70s + external-secrets external-secrets-cert-controller-556d7f95c5-h5nvq 1/1 Running 0 70s + external-secrets external-secrets-webhook-7b456d589f-6bjzr 1/1 Running 0 70s + ``` + + This output shows that our GitOps solution has successfully deployed our addons in the cluster + + +You can repeat these steps for any additional clusters you want to manage. + +Each cluster is created by its kro RGD, deployed to AWS using ACK controllers, and then automatically registered to Argo CD which can install addons and workloads automatically. + +## Conclusion + +This solution demonstrates a powerful way to manage multiple EKS clusters across different AWS accounts and regions using three key components: + +1. **kro (Kubernetes Resource Orchestrator)** + - Manages complex multi-resource deployments + - Handles dependencies between resources + - Provides a declarative way to define EKS clusters and their requirements + +2. **AWS Controllers for Kubernetes (ACK)** + - Enables native AWS resource management from within Kubernetes + - Supports cross-account operations through namespace isolation + - Manages AWS resources like VPCs, IAM roles, and EKS clusters + +3. 
**Argo CD** + - Implements GitOps practices for cluster configuration + - Automatically bootstraps new clusters with required add-ons + - Manages workload deployments across the cluster fleet + +Key benefits of this architecture: + +- **Scalability**: Easily add new clusters by updating Git configuration +- **Consistency**: Ensures uniform configuration across all clusters +- **Automation**: Reduces manual intervention in cluster lifecycle management +- **Separation of Concerns**: Clear distinction between infrastructure and application management +- **Audit Trail**: All changes are tracked through Git history +- **Multi-Account Support**: Secure isolation between different environments or business units + +To expand this solution, you can: +- Add more clusters by replicating the configuration pattern +- Customize add-ons and workloads per cluster +- Implement different configurations for different environments (dev, staging, prod) +- Add monitoring and logging solutions across the cluster fleet +- Implement cluster upgrade strategies using the same tooling + +The combination of kro, ACK, and Argo CD provides a robust, scalable, and maintainable approach to EKS cluster fleet management. + +## Clean-up + +1. Delete the workload clusters by editing the following file: + + ```sh + code $WORKSPACE_PATH/$WORKING_REPO/fleet/kro-values/tenants/tenant1/kro-clusters/values.yaml + ``` + + In the Argo CD UI, synchronize the cluster Applicationset with the prune option enabled, or use the CLI: + + ```bash + argocd app sync clusters --prune + ``` + + > **Known issue**: We noticed that some of the VPCs resources (route tables) do not get properly deleted when workload clusters are removed from manifests. If this occurred to you, delete the VPC resources manually to allow for the clean-up to complete till the issue is identified/resolved. + +1. 
Delete Argo CD App of App: + ```sh + kubectl delete -f $WORKSPACE_PATH/$WORKING_REPO/terraform/hub/bootstrap/applicationsets.yaml + ``` + +1. Delete the EKS capabilities on the management cluster + + ```sh + aws eks delete-capability \ + --cluster-name ${CLUSTER_NAME} \ + --capability-name ${CLUSTER_NAME}-argocd + + aws eks delete-capability \ + --cluster-name ${CLUSTER_NAME} \ + --capability-name ${CLUSTER_NAME}-kro + + aws eks delete-capability \ + --cluster-name ${CLUSTER_NAME} \ + --capability-name ${CLUSTER_NAME}-ack + ``` + +1. Make sure all the capabilities are deleted by checking the console or using the `describe-capability` command. For example: + +1. Delete Management Cluster + + After successfully de-registering all spoke accounts, remove the workload cluster created with Terraform: + + ```sh + cd $WORKSPACE_PATH/$WORKING_REPO/terraform/hub + ./destroy.sh + ``` + +1. Remove ACK IAM Roles in workload accounts + + Finally, connect to each workload account and delete the IAM roles and policies created initially: + + ```bash + cd $WORKSPACE_PATH/$WORKING_REPO/ + ./scripts/delete_ack_workload_roles.sh ack + ``` diff --git a/addons/bootstrap/default/addons.yaml b/addons/bootstrap/default/addons.yaml new file mode 100644 index 0000000..f94b802 --- /dev/null +++ b/addons/bootstrap/default/addons.yaml 
@@ -0,0 +1,76 @@
+syncPolicy:
+ automated:
+ selfHeal: true
+ allowEmpty: true
+ prune: true
+ retry:
+ limit: -1 # number of failed sync attempt retries; unlimited number of attempts if less than 0
+ backoff:
+ duration: 5s # the amount to back off. Default unit is seconds, but could also be a duration (e.g. "2m", "1h")
+ factor: 2 # a factor to multiply the base duration after each failed retry
+ maxDuration: 10m # the maximum amount of time allowed for the backoff strategy
+ syncOptions:
+ - CreateNamespace=true
+ - ServerSideApply=true # Big CRDs.
+syncPolicyAppSet:
+ preserveResourcesOnDeletion: false # to be able to cleanup
+useSelectors: true
+repoURLGit: '{{.metadata.annotations.addons_repo_url}}'
+repoURLGitRevision: '{{.metadata.annotations.addons_repo_revision}}'
+repoURLGitBasePath: '{{.metadata.annotations.addons_repo_basepath}}'
+valueFiles:
+ - default/addons
+ - environments/{{.metadata.labels.environment}}/addons
+ - clusters/{{.nameNormalized}}/addons
+useValuesFilePrefix: true
+valuesFilePrefix: 'tenants/{{.metadata.labels.tenant}}/'
+
+########################################
+# define Addons
+########################################
+
+external-secrets:
+ enabled: false
+ enableACK: false
+ annotationsAppSet:
+ argocd.argoproj.io/sync-wave: "3" # Needs to be after KRO RGD
+ namespace: external-secrets
+ chartName: external-secrets
+ defaultVersion: "0.10.3"
+ chartRepository: "https://charts.external-secrets.io"
+ selector:
+ matchExpressions:
+ - key: enable_external_secrets
+ operator: In
+ values: ['true']
+ valuesObject:
+ serviceAccount:
+ name: "external-secrets-sa"
+
+kro-eks-rgs:
+ enabled: false
+ type: manifest
+ namespace: kro
+ annotationsAppSet:
+ argocd.argoproj.io/sync-wave: "-2" # Needs to be before resources that needs PodIdentity
+ path: 'charts/kro/resource-groups/eks'
+ chartRepository: '{{.metadata.annotations.addons_repo_url}}'
+ targetRevision: '{{.metadata.annotations.addons_repo_revision}}'
+ selector:
+ matchExpressions:
+ - key: enable_kro_eks_rgs
+ operator: In
+ values: ['true']
+
+multi-acct:
+ enabled: false
+ namespace: kro
+ annotationsAppSet:
+ argocd.argoproj.io/sync-wave: "-5" # Needs to be before KRO RGD
+ defaultVersion: "0.1.0"
+ path: charts/multi-acct
+ selector:
+ matchExpressions:
+ - key: enable_multi_acct
+ operator: In
+ values: ['true']
\ No newline at end of file
diff --git a/addons/tenants/tenant1/clusters/hub-cluster/application-sets/addons.yaml b/addons/tenants/tenant1/clusters/hub-cluster/application-sets/addons.yaml
new file mode 100644
index 0000000..a170ee3
--- /dev/null
+++ b/addons/tenants/tenant1/clusters/hub-cluster/application-sets/addons.yaml
@@ -0,0 +1,11 @@
+useSelectors: true # necessary to enable addons with cluster secret labels
+
+#We are using this to enable applicationSets, then use cluster secret to enable applications
+# globalSelectors:
+# fleet_member: control-plane #If we activate this, only cluster from this selector will have the applicationsets enabled
+external-secrets:
+ enabled: true
+kro-eks-rgs:
+ enabled: true
+multi-acct:
+ enabled: true
\ No newline at end of file
diff --git a/addons/tenants/tenant1/default/addons/multi-acct/values.yaml b/addons/tenants/tenant1/default/addons/multi-acct/values.yaml
new file mode 100644
index 0000000..af4a115
--- /dev/null
+++ b/addons/tenants/tenant1/default/addons/multi-acct/values.yaml
@@ -0,0 +1,2 @@
+clusters:
+ workload-cluster1: "012345678910" # AWS account for workload cluster 1
diff --git a/charts/application-sets/.helmignore b/charts/application-sets/.helmignore
new file mode 100644
index 0000000..0e8a0eb
--- /dev/null
+++ b/charts/application-sets/.helmignore
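Review bot: `allowEmpty: true` next to `prune: true` and `selfHeal: true` in the default `syncPolicy` of addons/bootstrap/default/addons.yaml means that a sync whose source renders no manifests (a wrong base path or tenant prefix, for example) is allowed to prune every live resource of that addon, and `retry.limit: -1` keeps retrying without a bound. Unless empty applications are intended, the default would be safer as `allowEmpty: false`, with the cleanup case handled explicitly. `preserveResourcesOnDeletion: false` has a similar blast radius when an ApplicationSet is deleted; a comment such as `# deleting the ApplicationSet deletes the addon resources on every matched cluster` would make that explicit.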
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/charts/application-sets/Chart.yaml b/charts/application-sets/Chart.yaml
new file mode 100644
index 0000000..3546ee5
--- /dev/null
+++ b/charts/application-sets/Chart.yaml
@@ -0,0 +1,24 @@
+apiVersion: v2
+name: application-sets
+description: A Helm chart for Kubernetes
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "1.16.0"
diff --git a/charts/application-sets/templates/_application_set.tpl b/charts/application-sets/templates/_application_set.tpl
new file mode 100644
index 0000000..3ca8928
--- /dev/null
+++ b/charts/application-sets/templates/_application_set.tpl 
@@ -0,0 +1,58 @@ +{{/* +Template to generate additional resources configuration +*/}} +{{- define "application-sets.additionalResources" -}} +{{- $chartName := .chartName -}} +{{- $chartConfig := .chartConfig -}} +{{- $valueFiles := .valueFiles -}} +{{- $additionalResourcesType := .additionalResourcesType -}} +{{- $additionalResourcesPath := .path -}} +{{- $values := .values -}} +{{- if $chartConfig.additionalResources.path }} +- repoURL: {{ $values.repoURLGit | squote }} + targetRevision: {{ $values.repoURLGitRevision | squote }} + path: {{- if eq $additionalResourcesType "manifests" }} + '{{ $values.repoURLGitBasePath }}{{ if $values.useValuesFilePrefix }}{{ $values.valuesFilePrefix }}{{ end }}clusters/{{`{{.nameNormalized}}`}}/{{ $chartConfig.additionalResources.manifestPath }}' + {{- else }} + {{ $chartConfig.additionalResources.path | squote }} + {{- end}} +{{- end }} +{{- if $chartConfig.additionalResources.chart }} +- repoURL: '{{$chartConfig.additionalResources.repoURL}}' + chart: '{{$chartConfig.additionalResources.chart}}' + targetRevision: '{{$chartConfig.additionalResources.chartVersion }}' +{{- end }} +{{- if $chartConfig.additionalResources.helm }} + helm: + releaseName: '{{`{{ .name }}`}}-{{ $chartConfig.additionalResources.helm.releaseName }}' + {{- if $chartConfig.additionalResources.helm.valuesObject }} + valuesObject: + {{- $chartConfig.additionalResources.helm.valuesObject | toYaml | nindent 6 }} + {{- end }} + ignoreMissingValueFiles: true + valueFiles: + {{- include "application-sets.valueFiles" (dict + "nameNormalize" $chartName + "valueFiles" $valueFiles + "values" $values + "chartType" $additionalResourcesType) | nindent 6 }} +{{- end }} +{{- end }} + + +{{/* +Define the values path for reusability +*/}} +{{- define "application-sets.valueFiles" -}} +{{- $nameNormalize := .nameNormalize -}} +{{- $chartConfig := .chartConfig -}} +{{- $valueFiles := .valueFiles -}} +{{- $chartType := .chartType -}} +{{- $values := .values -}} +{{- with 
.valueFiles }} +{{- range . }} +- $values/{{ $values.repoURLGitBasePath }}{{ . }}/{{ $nameNormalize }}{{ if $chartType }}/{{ $chartType }}{{ end }}/{{ if $chartConfig.valuesFileName }}{{ $chartConfig.valuesFileName }}{{ else }}values.yaml{{ end }} +- $values/{{ $values.repoURLGitBasePath }}{{ if $values.useValuesFilePrefix }}{{ $values.valuesFilePrefix }}{{ end }}{{ . }}/{{ $nameNormalize }}{{ if $chartType }}/{{ $chartType }}{{ end }}/{{ if $chartConfig.valuesFileName }}{{ $chartConfig.valuesFileName }}{{ else }}values.yaml{{ end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/application-sets/templates/_git_matrix.tpl b/charts/application-sets/templates/_git_matrix.tpl new file mode 100644 index 0000000..2395d84 --- /dev/null +++ b/charts/application-sets/templates/_git_matrix.tpl @@ -0,0 +1,37 @@ +# {{/* +# Template creating git matrix generator +# */}} +# {{- define "application-sets.git-matrix" -}} +# {{- $chartName := .chartName -}} +# {{- $chartConfig := .chartConfig -}} +# {{- $repoURLGit := .repoURLGit -}} +# {{- $repoURLGitRevision := .repoURLGitRevision -}} +# {{- $selectors := .selectors -}} +# {{- $useSelectors := .useSelectors -}} +# generators: +# - matrix: +# generators: +# - clusters: +# selector: +# matchLabels: +# argocd.argoproj.io/secret-type: cluster +# {{- if $selectors }} +# {{- toYaml $selectors | nindent 16 }} +# - key: fleet_member +# operator: NotIn +# values: ['control-plane'] +# {{- end }} +# {{- if $chartConfig.selectorMatchLabels }} +# {{- toYaml $chartConfig.selectorMatchLabels | nindent 18 }} +# {{- end }} +# {{- if and $chartConfig.selector $useSelectors }} +# {{- toYaml $chartConfig.selector | nindent 16 }} +# {{- end }} +# values: +# chart: {{ $chartConfig.chartName | default $chartName | quote }} +# - git: +# repoURL: {{ $repoURLGit | squote }} +# revision: {{ $repoURLGitRevision | squote }} +# files: +# - path: {{ $chartConfig.matrixPath | squote }} +# {{- end }} \ No newline at end of file 
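Review bot: `application-sets.valueFiles` dereferences `$chartConfig.valuesFileName`, but the include inside `application-sets.additionalResources` builds its dict without a `chartConfig` key, so `$chartConfig` is nil there and rendering will probably abort with a nil-pointer error as soon as `valueFiles` is non-empty. The same omission appears in the `application-sets.pod-identity` include in `_pod_identity.tpl`. Either pass `"chartConfig" $chartConfig` in both dicts or make the helper tolerant with `{{- $chartConfig := .chartConfig | default dict -}}`. Separately, `application-set.yaml` passes `additionalResourcesPath` while this template reads `.path`, so `$additionalResourcesPath` is always empty and is never used.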
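Review bot: Prefixing every line with `#` does not disable this template, because Helm evaluates `{{ ... }}` actions before YAML comments have any meaning; `application-sets.git-matrix` is still defined and its body now emits `# generators:` and the rest as comment text. `application-set.yaml` still includes it when `gitMatrix` is set, so that ApplicationSet would render without a `generators` key. If the generator is meant to be off, wrap the body in a template comment (`{{/* ... */}}`) and make the including branch fail explicitly, for example `{{- fail "gitMatrix is not supported" }}`; otherwise remove the `#` prefixes.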
diff --git a/charts/application-sets/templates/_helpers.tpl b/charts/application-sets/templates/_helpers.tpl
new file mode 100644
index 0000000..c705613
--- /dev/null
+++ b/charts/application-sets/templates/_helpers.tpl
@@ -0,0 +1,48 @@
+{{/*
+Expand the name of the chart. Defaults to `.Chart.Name` or `nameOverride`.
+*/}}
+{{- define "application-sets.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Generate a fully qualified app name.
+If `fullnameOverride` is defined, it uses that; otherwise, it constructs the name based on `Release.Name` and chart name.
+*/}}
+{{- define "application-sets.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name (default .Chart.Name .Values.nameOverride) | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version, useful for labels.
+*/}}
+{{- define "application-sets.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels for the ApplicationSet, including version and managed-by labels.
+*/}}
+{{- define "application-sets.labels" -}}
+helm.sh/chart: {{ include "application-sets.chart" . }}
+app.kubernetes.io/name: {{ include "application-sets.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Common Helm and Kubernetes Annotations
+*/}}
+{{- define "application-sets.annotations" -}}
+helm.sh/chart: {{ include "application-sets.chart" . }}
+{{- if .Values.annotations }}
+{{ toYaml .Values.annotations }}
+{{- end }}
+{{- end }}
diff --git a/charts/application-sets/templates/_pod_identity.tpl b/charts/application-sets/templates/_pod_identity.tpl new file mode 100644 index 0000000..5c08f4a --- /dev/null +++ b/charts/application-sets/templates/_pod_identity.tpl @@ -0,0 +1,27 @@ +{{/* +Template to generate pod-identity configuration +*/}} +{{- define "application-sets.pod-identity" -}} +{{- $chartName := .chartName -}} +{{- $chartConfig := .chartConfig -}} +{{- $valueFiles := .valueFiles -}} +{{- $values := .values -}} +- repoURL: '{{ $values.repoURLGit }}' + targetRevision: '{{ $values.repoURLGitRevision }}' + path: 'charts/pod-identity' + helm: + releaseName: '{{`{{ .name }}`}}-{{ $chartConfig.chartName | default $chartName }}' + valuesObject: + create: '{{`{{default "`}}{{ $chartConfig.enableACK }}{{`" (index .metadata.annotations "ack_create")}}`}}' + region: '{{`{{ .metadata.annotations.aws_region }}`}}' + accountId: '{{`{{ .metadata.annotations.aws_account_id}}`}}' + podIdentityAssociation: + clusterName: '{{`{{ .name }}`}}' + namespace: '{{ default $chartConfig.namespace .namespace }}' + ignoreMissingValueFiles: true + valueFiles: + {{- include "application-sets.valueFiles" (dict + "nameNormalize" $chartName + "valueFiles" $valueFiles + "values" $values "chartType" "pod-identity") | nindent 6 }} +{{- end }} diff --git a/charts/application-sets/templates/application-set.yaml b/charts/application-sets/templates/application-set.yaml new file mode 100644 index 0000000..78857ac --- /dev/null +++ b/charts/application-sets/templates/application-set.yaml 
@@ -0,0 +1,177 @@ +{{- $values := .Values }} +{{- $chartType := .Values.chartType }} +{{- $namespace := .Values.namespace }} +{{- $syncPolicy := .Values.syncPolicy -}} +{{- $syncPolicyAppSet := .Values.syncPolicyAppSet -}} +{{- $goTemplateOptions := .Values.goTemplateOptions -}} +{{- $repoURLGit := .Values.repoURLGit -}} +{{- $repoURLGitRevision := .Values.repoURLGitRevision -}} +{{- $repoURLGitBasePath := .Values.repoURLGitBasePath -}} +{{- $valueFiles := .Values.valueFiles -}} +{{- $valuesFilePrefix := .Values.valuesFilePrefix -}} +{{- $useValuesFilePrefix := (default false .Values.useValuesFilePrefix ) -}} +{{- $useSelectors:= .Values.useSelectors -}} +{{- $globalSelectors := .Values.globalSelectors -}} + +{{- range $chartName, $chartConfig := .Values }} +{{- if and (kindIs "map" $chartConfig) (hasKey $chartConfig "enabled") }} +{{- if eq (toString $chartConfig.enabled) "true" }} +{{- $nameNormalize := printf "%s" $chartName | replace "_" "-" | trunc 63 | trimSuffix "-" -}} +apiVersion: argoproj.io/v1alpha1 +kind: ApplicationSet +metadata: + name: {{ $nameNormalize }} + namespace: {{ default "argocd" $namespace }} + annotations: + {{- include "application-sets.annotations" $ | nindent 4 }} + {{- if $chartConfig.annotationsAppSet }}{{- toYaml $chartConfig.annotationsAppSet | nindent 4 }}{{- end }} + labels: + {{- include "application-sets.labels" $ | nindent 4 }} + {{- if $chartConfig.labelsAppSet }}{{- toYaml $chartConfig.labelsAppSet | nindent 4 }}{{- end }} +spec: + goTemplate: true + {{- if $chartConfig.goTemplateOptions }} + goTemplateOptions: + {{ toYaml $chartConfig.goTemplateOptions | nindent 2 }} + {{- else }} + goTemplateOptions: {{ default (list "missingkey=error") $goTemplateOptions }} + {{- end }} + {{- if $chartConfig.syncPolicyAppSet }} + syncPolicy: + {{- toYaml $chartConfig.syncPolicyAppSet | nindent 4 }} + {{- else }} + syncPolicy: + {{- toYaml $syncPolicyAppSet | nindent 4 }} + {{- end }} + {{- if $chartConfig.gitMatrix }} + {{ include 
"application-sets.git-matrix" (dict + "chartName" $nameNormalize "chartConfig" $chartConfig + "repoURLGit" $repoURLGit "repoURLGitRevision" $repoURLGitRevision + "selectors" $globalSelectors "useSelectors" $useSelectors + ) | nindent 2 }} + {{- else }} + generators: + {{- if $chartConfig.environments }} + - merge: + mergeKeys: [server] + generators: + {{- end }} + - clusters: + selector: + matchLabels: + argocd.argoproj.io/secret-type: cluster + {{- if $globalSelectors }} + {{- toYaml $globalSelectors | nindent 18 }} + {{- end }} + {{- if $chartConfig.selectorMatchLabels }} + {{- toYaml $chartConfig.selectorMatchLabels | nindent 18 }} + {{- end }} + {{- if and $chartConfig.selector $useSelectors }} + {{- toYaml $chartConfig.selector | nindent 16 }} + # If you want you can excluste some clusters based on their membership + # - key: fleet_member + # operator: NotIn + # values: ['control-plane'] + {{- end }} + {{- if not $chartConfig.resourceGroup }} + values: + addonChart: {{ $chartConfig.chartName | default $nameNormalize | quote }} + {{- if $chartConfig.defaultVersion }} + addonChartVersion: {{ $chartConfig.defaultVersion | quote }} + {{- end }} + {{- if $chartConfig.chartRepository }} + addonChartRepository: {{ $chartConfig.chartRepository | quote }} + {{- end }} + {{- if $chartConfig.chartNamespace }} + addonChartRepositoryNamespace: {{ $chartConfig.chartNamespace | quote }} + chart: {{ printf "%s/%s" $chartConfig.chartNamespace ($chartConfig.chartName | default $nameNormalize) | quote }} + {{- else }} + chart: {{ $chartConfig.chartName | default $nameNormalize | quote }} + {{- end }} + {{- end }} + {{- if $chartConfig.environments }} + {{- range $chartConfig.environments }} + - clusters: + selector: + matchLabels: + {{- toYaml .selector | nindent 18 }} + values: + addonChartVersion: {{ .chartVersion | default $chartConfig.defaultVersion | quote }} + {{- end }} + {{- end }} + {{- end }} + template: + metadata: + {{- if $chartConfig.appSetName }} + name: {{ 
$chartConfig.appSetName }} + {{- else }} + name: '{{ $nameNormalize }}-{{`{{ .name }}`}}' + {{- end }} + spec: + project: default + sources: + - repoURL: {{ $repoURLGit | squote}} + targetRevision: {{ $repoURLGitRevision | squote }} + ref: values + {{- if eq (toString $chartConfig.enableACK ) "true" }} + {{ include "application-sets.pod-identity" (dict + "chartName" ($chartConfig.chartName | default $nameNormalize) + "valueFiles" $valueFiles + "chartConfig" $chartConfig "values" $values ) | nindent 6 }} + {{- end }} + {{- if $chartConfig.path }} + - repoURL: {{ $repoURLGit | squote }} + path: {{$chartConfig.path | squote }} + targetRevision: {{ $repoURLGitRevision | squote }} + {{- else }} + - repoURL: '{{`{{ .values.addonChartRepository }}`}}' + chart: '{{`{{ .values.chart }}`}}' + targetRevision: '{{`{{.values.addonChartVersion }}`}}' + {{- end }} + {{- if ne (default "" $chartConfig.type) "manifest" }} + helm: + releaseName: {{ default "{{ .values.addonChart }}" $chartConfig.releaseName | squote }} + ignoreMissingValueFiles: true + {{- if $chartConfig.valuesObject }} + valuesObject: + {{- $chartConfig.valuesObject | toYaml | nindent 12 }} + {{- end }} + {{- if $valueFiles }} + valueFiles: + {{- include "application-sets.valueFiles" (dict + "nameNormalize" ($chartConfig.chartName | default $nameNormalize) + "chartConfig" $chartConfig + "valueFiles" $valueFiles "values" $values) | nindent 12 }} + {{- end }} + {{- if $chartConfig.additionalResources}} + {{ include "application-sets.additionalResources" (dict + "chartName" ($chartConfig.chartName | default $nameNormalize) + "valueFiles" $valueFiles + "chartConfig" $chartConfig + "values" $values + "additionalResourcesType" $chartConfig.additionalResources.type + "additionalResourcesPath" $chartConfig.additionalResources.path ) | nindent 6 }} + {{- end}} + {{- end }} + destination: + namespace: '{{ $chartConfig.namespace }}' + name: '{{`{{ .name }}`}}' + {{- if $chartConfig.syncPolicy }} + syncPolicy: + {{- toYaml 
$chartConfig.syncPolicy | nindent 8 }} + {{ else }} + syncPolicy: + {{- toYaml $syncPolicy | nindent 8 }} + {{- end }} + {{- with $chartConfig.ignoreDifferences }} + ignoreDifferences: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- if $chartConfig.ignoreDifferences}} + ignoreDifferences: + {{- $chartConfig.ignoreDifferences | toYaml | nindent 8 }} + {{- end }} +--- +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/kro-clusters/Chart.yaml b/charts/kro-clusters/Chart.yaml new file mode 100644 index 0000000..6fc7633 --- /dev/null +++ b/charts/kro-clusters/Chart.yaml @@ -0,0 +1,6 @@ +apiVersion: v2 +name: eks-fleet-clusters +description: A Helm chart for managing EKS Fleet clusters +type: application +version: 0.1.0 +appVersion: "1.0.0" diff --git a/charts/kro-clusters/templates/NOTES.txt b/charts/kro-clusters/templates/NOTES.txt new file mode 100644 index 0000000..4797a46 --- /dev/null +++ b/charts/kro-clusters/templates/NOTES.txt @@ -0,0 +1,21 @@ +Thank you for installing {{ .Chart.Name }}. + +Your EKS Fleet clusters have been configured with the following details: + +{{- range $name, $cluster := .Values.clusters }} +Cluster: {{ $name }} + - Tenant: {{ $cluster.tenant }} + - K8s Version: {{ $cluster.k8sVersion }} + - Domain: {{ $cluster.domainName }} +{{- end }} + +To manage your clusters: +1. Edit the values.yaml file to add, modify, or remove cluster configurations +2. Use helm upgrade to apply changes: + helm upgrade ./chart + +To verify the cluster resources: + kubectl get eksclusterwithvpc + +For more information about the chart and available configuration options, +please refer to the chart's documentation. diff --git a/charts/kro-clusters/templates/clusters.yaml b/charts/kro-clusters/templates/clusters.yaml new file mode 100644 index 0000000..f58b6bf --- /dev/null +++ b/charts/kro-clusters/templates/clusters.yaml 
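Review bot: Every generated Application is pinned to `project: default`, and in a stock Argo CD install that project allows any source repository and any destination cluster or namespace, so nothing limits what an addon entry in values can deploy across the fleet. Consider making it configurable and pointing it at a restricted AppProject, for example `project: {{ default "default" $chartConfig.project }}` (the `project` key is a proposed new value, not one the chart has today). Also, `ignoreDifferences` is emitted twice when set, once by the `with` block and again by the `if` block directly below it, which produces a duplicate mapping key; one of the two blocks should be removed.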
@@ -0,0 +1,42 @@ +{{- range $name, $cluster := .Values.clusters }} +--- +apiVersion: kro.run/v1alpha1 +kind: EksCluster +metadata: + name: {{ $name }} + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true + argocd.argoproj.io/sync-wave: "1" +spec: + name: {{ $name }} + tenant: {{ $cluster.tenant | default "tenant1" | quote }} + environment: {{ $cluster.environment | default "staging" | quote }} + region: {{ $cluster.region | default "us-west-2" | quote }} + k8sVersion: {{ $cluster.k8sVersion | default "1.32" | quote }} + accountId: {{ $cluster.accountId | quote }} + managementAccountId: {{ $cluster.managementAccountId | quote }} + adminRoleName: {{ $cluster.adminRoleName | default "Admin" | quote }} + fleetSecretManagerSecretNameSuffix: {{ $cluster.fleetSecretManagerSecretNameSuffix | default "argocd-secret" | quote }} + domainName: {{ $cluster.domainName | default "" | quote }} + workloads: {{ $cluster.workloads | default "false" | quote }} + {{- if $cluster.subHostedZone | quote }} + subHostedZone: + {{- toYaml $cluster.subHostedZone | nindent 4 }} + {{- end }} + {{- if $cluster.vpc | quote}} + vpc: + {{- toYaml $cluster.vpc | nindent 4 }} + {{- end }} + {{- if $cluster.gitops }} + gitops: + {{- toYaml $cluster.gitops | nindent 4 }} + {{- else }} + gitops: {} + {{- end }} + {{- if $cluster.addons }} + addons: + {{- toYaml $cluster.addons | nindent 4 }} + {{- else }} + addons: {} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/kro/instances/pod-identity/.helmignore b/charts/kro/instances/pod-identity/.helmignore new file mode 100644 index 0000000..0e8a0eb --- /dev/null +++ b/charts/kro/instances/pod-identity/.helmignore 
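Review bot: `accountId` and `managementAccountId` are rendered with `| quote` and no default, so a cluster entry that omits them yields an empty value instead of a render error, and `rg-eks-basic.yaml` later interpolates both into the `principalARN` of cluster-admin access entries. Failing fast is safer: `accountId: {{ required (printf "clusters.%s.accountId is required" $name) $cluster.accountId | quote }}`, and the same for `managementAccountId`. The conditions `{{- if $cluster.subHostedZone | quote }}` and `{{- if $cluster.vpc | quote}}` test the quoted string rather than the value, so an empty map still passes; `{{- with $cluster.vpc }}` expresses the intent. The `k8sVersion` default here is "1.32" while the `EksCluster` schema in `rg-eks.yaml` defaults to "1.34".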
@@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/kro/instances/pod-identity/Chart.yaml b/charts/kro/instances/pod-identity/Chart.yaml new file mode 100644 index 0000000..8c2b8b3 --- /dev/null +++ b/charts/kro/instances/pod-identity/Chart.yaml @@ -0,0 +1,24 @@ +apiVersion: v2 +name: kro-pi-instance +description: A Helm chart for Kubernetes + +# A chart can be either an 'application' or a 'library' chart. +# +# Application charts are a collection of templates that can be packaged into versioned archives +# to be deployed. +# +# Library charts provide useful utilities or functions for the chart developer. They're included as +# a dependency of application charts to inject those utilities and functions into the rendering +# pipeline. Library charts do not define any templates and therefore cannot be deployed. +type: application + +# This is the chart version. This version number should be incremented each time you make changes +# to the chart and its templates, including the app version. +# Versions are expected to follow Semantic Versioning (https://semver.org/) +version: 0.1.0 + +# This is the version number of the application being deployed. This version number should be +# incremented each time you make changes to the application. Versions are not expected to +# follow Semantic Versioning. They should reflect the version the application is using. +# It is recommended to use it with quotes. +appVersion: "1.16.0" diff --git a/charts/kro/instances/pod-identity/templates/_helpers.tpl b/charts/kro/instances/pod-identity/templates/_helpers.tpl new file mode 100644 index 0000000..815affa --- /dev/null 
+++ b/charts/kro/instances/pod-identity/templates/_helpers.tpl 
@@ -0,0 +1,62 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "kro-pi-instance.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "kro-pi-instance.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "kro-pi-instance.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "kro-pi-instance.labels" -}} +helm.sh/chart: {{ include "kro-pi-instance.chart" . }} +{{ include "kro-pi-instance.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "kro-pi-instance.selectorLabels" -}} +app.kubernetes.io/name: {{ include "kro-pi-instance.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "kro-pi-instance.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "kro-pi-instance.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} 
diff --git a/charts/kro/instances/pod-identity/templates/instance.yaml b/charts/kro/instances/pod-identity/templates/instance.yaml new file mode 100644 index 0000000..00c6010 --- /dev/null +++ b/charts/kro/instances/pod-identity/templates/instance.yaml @@ -0,0 +1,63 @@ +{{- $cluster := .Values.clusterName -}} +{{- $namespace := .Values.piNamespace -}} +{{- $name := .Values.name -}} +{{- $root := . -}} +{{- $serviceAccounts := .Values.serviceAccounts -}} +{{- $policyDocument := .Values.policyDocument -}} +{{- range $serviceAccounts }} +apiVersion: kro.run/v1alpha1 +kind: PodIdentity +metadata: + name: "{{ include "kro-pi-instance.name" $root }}-{{ . }}" + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true + argocd.argoproj.io/sync-wave: "-5" +spec: + name: {{$name}} + values: + aws: + clusterName: {{ $cluster }} + policy: + policyDocument: | + { + "Version": "2012-10-17", + "Statement": [ + {{- range $index, $policy := $policyDocument }} + { + "Effect": "Allow", + "Action": [ + {{- range $i, $action := $policy.actions }} + "{{ $action }}"{{ if not (eq (add $i 1) (len $policy.actions)) }},{{ end }} + {{- end }} + ], + "Resource": [ + {{- if $policy.customArn }} + "{{ $policy.customArn }}" + {{- else if eq $policy.resourceName "*" }} + "*" + {{- else }} + "arn:aws:{{ $policy.resourceType }}:{{ $.Values.region }}:{{ $.Values.accountId }}:{{ $policy.resourceName }}" + {{- end }} + ] + {{- if $policy.conditions }} + ,"Condition": { + {{- range $j, $condition := $policy.conditions }} + "{{ $condition.test }}": { + "{{ $condition.variable }}": [ + {{- range $k, $value := $condition.values }} + "{{ $value }}"{{ if not (eq (add $k 1) (len $condition.values)) }},{{ end }} + {{- end }} + ] + } + {{- end }} + } + {{- end }} + }{{ if not (eq (add $index 1) (len $.Values.policyDocument)) }},{{ end }} + {{- end }} + ] + } + piAssociation: + serviceAccount: {{ . }} + piNamespace: {{ $namespace }} +--- +{{- end}} \ No newline at end of file 
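Review bot: The `Condition` block puts no separator between the entries of `range $j, $condition := $policy.conditions`, so a statement with more than one condition renders invalid JSON, unlike the `Action` and value lists, which do add commas. Values are also interpolated raw into the JSON string (`"{{ $action }}"`, `"{{ $policy.customArn }}"`), so a quote or backslash in values breaks or silently alters the IAM policy document. Letting Helm serialise the lists avoids both, e.g. `"Action": {{ $policy.actions | toJson }},` and `"{{ $condition.variable }}": {{ $condition.values | toJson }}`, plus `{{ if not (eq (add $j 1) (len $policy.conditions)) }},{{ end }}` after each condition's closing brace. Two conditions that use the same `test` operator would still collide on the key and need to be merged under one operator.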
diff --git a/charts/kro/instances/pod-identity/values.yaml b/charts/kro/instances/pod-identity/values.yaml
new file mode 100644
index 0000000..362a50a
--- /dev/null
+++ b/charts/kro/instances/pod-identity/values.yaml
@@ -0,0 +1,12 @@
+# region: eu-west-2
+# name: myname
+# serviceAccounts:
+# - "test"
+# - "test2"
+# piNamespace: "default"
+# clusterName: "spoke-workload2"
+# policyDocument:
+# - resourceType: ssm
+# resourceName: "*"
+# actions:
+# - "ssm:DescribeParameters"
\ No newline at end of file
diff --git a/charts/kro/resource-groups/efs/Chart.yaml b/charts/kro/resource-groups/efs/Chart.yaml
new file mode 100644
index 0000000..e69de29
diff --git a/charts/kro/resource-groups/efs/templates/rg-efs.yaml b/charts/kro/resource-groups/efs/templates/rg-efs.yaml
new file mode 100644
index 0000000..087c6a5
--- /dev/null
+++ b/charts/kro/resource-groups/efs/templates/rg-efs.yaml
@@ -0,0 +1 @@
+# TODO: rg that creates EFS file system (using ACK EFS controller) and corresponding StorageClass
\ No newline at end of file
diff --git a/charts/kro/resource-groups/efs/values.yaml b/charts/kro/resource-groups/efs/values.yaml
new file mode 100644
index 0000000..e69de29
diff --git a/charts/kro/resource-groups/eks/rg-addons-iam.yaml b/charts/kro/resource-groups/eks/rg-addons-iam.yaml
new file mode 100644
index 0000000..e69de29
diff --git a/charts/kro/resource-groups/eks/rg-eks-basic.yaml b/charts/kro/resource-groups/eks/rg-eks-basic.yaml
new file mode 100644
index 0000000..58705e1
--- /dev/null
+++ b/charts/kro/resource-groups/eks/rg-eks-basic.yaml
@@ -0,0 +1,342 @@ +# yamllint disable rule:line-length +--- +apiVersion: kro.run/v1alpha1 +kind: ResourceGraphDefinition +metadata: + name: eksclusterbasic.kro.run + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true + argocd.argoproj.io/sync-wave: "-1" +spec: + schema: + apiVersion: v1alpha1 + kind: EksClusterBasic + spec: + name: string + tenant: string + environment: string + region: string + accountId: string + managementAccountId: string + k8sVersion: string + adminRoleName: string + fleetSecretManagerSecretNameSuffix: string + domainName: string + aws_partition: string | default="aws" + aws_dns_suffix: string | default="amazonaws.com" + network: + vpcID: string + subnets: + controlplane: + subnet1ID: string + subnet2ID: string + workers: + subnet1ID: string + subnet2ID: string + workloads: string # Define if we want to deploy workloads application + gitops: + addonsRepoBasePath: string + addonsRepoPath: string + addonsRepoRevision: string + addonsRepoUrl: string + fleetRepoBasePath: string + fleetRepoPath: string + fleetRepoRevision: string + fleetRepoUrl: string + addons: + enable_external_secrets: string + external_secrets_namespace: string + external_secrets_service_account: string + status: + clusterARN: ${ekscluster.status.ackResourceMetadata.arn} + cdata: ${ekscluster.status.certificateAuthority.data} + endpoint: ${ekscluster.status.endpoint} + clusterState: ${ekscluster.status.status} + + + resources: + + ########################################################### + # EKS Cluster + ########################################################### + - id: clusterRole + template: + apiVersion: iam.services.k8s.aws/v1alpha1 + kind: Role + metadata: + namespace: "${schema.spec.name}" + name: "${schema.spec.name}-cluster-role" + annotations: + services.k8s.aws/region: ${schema.spec.region} + spec: + name: "${schema.spec.name}-cluster-role" + policies: + - arn:aws:iam::aws:policy/AmazonEKSClusterPolicy + - 
arn:aws:iam::aws:policy/AmazonEKSComputePolicy + - arn:aws:iam::aws:policy/AmazonEKSBlockStoragePolicy + - arn:aws:iam::aws:policy/AmazonEKSLoadBalancingPolicy + - arn:aws:iam::aws:policy/AmazonEKSNetworkingPolicy + assumeRolePolicyDocument: | + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "Service": "eks.amazonaws.com" + }, + "Action": [ + "sts:AssumeRole", + "sts:TagSession" + ] + } + ] + } + - id: nodeRole + template: + apiVersion: iam.services.k8s.aws/v1alpha1 + kind: Role + metadata: + namespace: "${schema.spec.name}" + name: "${schema.spec.name}-cluster-node-role" + annotations: + services.k8s.aws/region: ${schema.spec.region} + spec: + name: "${schema.spec.name}-cluster-node-role" + policies: + - arn:aws:iam::aws:policy/AmazonEKSWorkerNodeMinimalPolicy + - arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryPullOnly + - arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore + - arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy + assumeRolePolicyDocument: | + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "Service": "ec2.amazonaws.com" + }, + "Action": [ + "sts:AssumeRole", + "sts:TagSession" + ] + } + ] + } + # https://aws-controllers-k8s.github.io/community/reference/eks/v1alpha1/cluster/ + - id: ekscluster + readyWhen: + - ${ekscluster.status.status == "ACTIVE"} + template: + apiVersion: eks.services.k8s.aws/v1alpha1 + kind: Cluster + metadata: + namespace: "${schema.spec.name}" + name: "${schema.spec.name}" + # implicit dependencies with roles + annotations: + clusterRoleArn: "${clusterRole.status.ackResourceMetadata.arn}" + nodeRoleArn: "${nodeRole.status.ackResourceMetadata.arn}" + services.k8s.aws/region: ${schema.spec.region} + spec: + name: "${schema.spec.name}" + roleARN: "${clusterRole.status.ackResourceMetadata.arn}" + version: "${schema.spec.k8sVersion}" + accessConfig: + authenticationMode: "API_AND_CONFIG_MAP" + bootstrapClusterCreatorAdminPermissions: true + 
computeConfig: + enabled: true + nodeRoleARN: ${nodeRole.status.ackResourceMetadata.arn} + nodePools: + - system + - general-purpose + kubernetesNetworkConfig: + ipFamily: ipv4 + elasticLoadBalancing: + enabled: true + logging: + clusterLogging: + - enabled: true + types: + - api + - audit + - authenticator + - controllerManager + - scheduler + storageConfig: + blockStorage: + enabled: true + resourcesVPCConfig: + endpointPrivateAccess: true + endpointPublicAccess: true + subnetIDs: + - ${schema.spec.network.subnets.controlplane.subnet1ID} + - ${schema.spec.network.subnets.controlplane.subnet2ID} + zonalShiftConfig: + enabled: true + tags: + kro-management: ${schema.spec.name} + tenant: ${schema.spec.tenant} + environment: ${schema.spec.environment} + + - id: podIdentityAddon + template: + apiVersion: eks.services.k8s.aws/v1alpha1 + kind: Addon + metadata: + name: eks-pod-identity-agent + namespace: "${schema.spec.name}" + annotations: + clusterArn: "${ekscluster.status.ackResourceMetadata.arn}" + services.k8s.aws/region: ${schema.spec.region} + spec: + name: eks-pod-identity-agent + addonVersion: v1.3.4-eksbuild.1 + clusterName: "${schema.spec.name}" + + ########################################################### + # ArgoCD Integration + ########################################################### + - id: argocdSecret + template: + apiVersion: v1 + kind: Secret + metadata: + name: "${schema.spec.name}" + namespace: argocd + labels: + argocd.argoproj.io/secret-type: cluster + # Compatible fleet-management + fleet_member: spoke + tenant: "${schema.spec.tenant}" + environment: "${schema.spec.environment}" + aws_cluster_name: "${schema.spec.name}" + workloads: "${schema.spec.workloads}" + #using : useSelector: true for centralized mode + + enable_external_secrets: "${schema.spec.addons.enable_external_secrets}" + + annotations: + # GitOps Bridge + accountId: "${schema.spec.accountId}" + aws_account_id: "${schema.spec.accountId}" + region: "${schema.spec.region}" + 
aws_region: "${schema.spec.region}" + aws_central_region: "${schema.spec.region}" # used in fleet-management gitops + oidcProvider: "${ekscluster.status.identity.oidc.issuer}" + aws_cluster_name: "${schema.spec.name}" + aws_vpc_id: "${schema.spec.network.vpcID}" + # GitOps Configuration + addons_repo_basepath: "${schema.spec.gitops.addonsRepoBasePath}" + addons_repo_path: "${schema.spec.gitops.addonsRepoPath}" + addons_repo_revision: "${schema.spec.gitops.addonsRepoRevision}" + addons_repo_url: "${schema.spec.gitops.addonsRepoUrl}" + fleet_repo_basepath: "${schema.spec.gitops.fleetRepoBasePath}" + fleet_repo_path: "${schema.spec.gitops.fleetRepoPath}" + fleet_repo_revision: "${schema.spec.gitops.fleetRepoRevision}" + fleet_repo_url: "${schema.spec.gitops.fleetRepoUrl}" + # Generic + external_secrets_namespace: "${schema.spec.addons.external_secrets_namespace}" + external_secrets_service_account: "${schema.spec.addons.external_secrets_service_account}" + + access_entry_arn: "${accessEntry.status.ackResourceMetadata.arn}" + type: Opaque + # TODO bug in KRO, it always see some drifts.. 
+ stringData: + name: "${schema.spec.name}" + server: "${ekscluster.status.ackResourceMetadata.arn}" + project: "default" + - id: accessEntry + readyWhen: + - ${accessEntry.status.conditions.exists(x, x.type == 'ACK.ResourceSynced' && x.status == "True")} #check on ACK condition + template: + apiVersion: eks.services.k8s.aws/v1alpha1 + kind: AccessEntry + metadata: + namespace: "${schema.spec.name}" + name: "${schema.spec.name}-access-entry" + annotations: + services.k8s.aws/region: ${schema.spec.region} + spec: + clusterName: "${schema.spec.name}" + accessPolicies: + - accessScope: + type: "cluster" + policyARN: "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy" + principalARN: "arn:aws:iam::${schema.spec.managementAccountId}:role/hub-cluster-argocd-controller" + type: STANDARD + + - id: accessEntryAdmin + template: + apiVersion: eks.services.k8s.aws/v1alpha1 + kind: AccessEntry + metadata: + namespace: "${schema.spec.name}" + name: "${schema.spec.name}-access-entry-admin" + annotations: + services.k8s.aws/region: ${schema.spec.region} + spec: + clusterName: "${schema.spec.name}" + accessPolicies: + - accessScope: + type: "cluster" + policyARN: "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy" + principalARN: "arn:aws:iam::${schema.spec.accountId}:role/${schema.spec.adminRoleName}" + type: STANDARD + + + ########################################################### + # External Secrets AddOn Pod Identity + ########################################################### + - id: externalSecretsRole + template: + apiVersion: iam.services.k8s.aws/v1alpha1 + kind: Role + metadata: + namespace: "${schema.spec.name}" + name: "${schema.spec.name}-external-secrets-role" + annotations: + services.k8s.aws/region: ${schema.spec.region} + spec: + name: "${schema.spec.name}-external-secrets-role" + policies: + - arn:aws:iam::aws:policy/SecretsManagerReadWrite + assumeRolePolicyDocument: | + { + "Version": "2012-10-17", + "Statement": [ + { + 
"Effect": "Allow", + "Principal": { + "Service": "pods.eks.amazonaws.com" + }, + "Action": [ + "sts:AssumeRole", + "sts:TagSession" + ] + } + ] + } + - id: externalSecretsPodIdentityAssociation + readyWhen: + - ${externalSecretsPodIdentityAssociation.status.conditions.exists(x, x.type == 'ACK.ResourceSynced' && x.status == "True")} #check on ACK condition + template: + apiVersion: eks.services.k8s.aws/v1alpha1 + kind: PodIdentityAssociation + metadata: + name: "${schema.spec.name}-external-secrets" + namespace: "${schema.spec.name}" + annotations: + services.k8s.aws/region: ${schema.spec.region} + spec: + clusterName: "${schema.spec.name}" + namespace: argocd + roleARN: "${externalSecretsRole.status.ackResourceMetadata.arn}" + serviceAccount: external-secrets-sa + tags: + environment: "${schema.spec.environment}" + managedBy: ACK + application: external-secrets + diff --git a/charts/kro/resource-groups/eks/rg-eks.yaml b/charts/kro/resource-groups/eks/rg-eks.yaml new file mode 100644 index 0000000..64f9a0a --- /dev/null +++ b/charts/kro/resource-groups/eks/rg-eks.yaml 
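Review bot: `externalSecretsRole` attaches the AWS-managed `SecretsManagerReadWrite` policy, which grants write access to every secret in the account, and `externalSecretsPodIdentityAssociation` binds that role to the hard-coded `namespace: argocd` / `serviceAccount: external-secrets-sa` instead of the schema's `external_secrets_namespace` and `external_secrets_service_account`. If the operator runs where the schema says, the association should read `namespace: "${schema.spec.addons.external_secrets_namespace}"` and `serviceAccount: "${schema.spec.addons.external_secrets_service_account}"`, and the role is better served by a customer-managed read-only policy scoped to the cluster's own secret prefix. On `ekscluster`, `endpointPublicAccess: true` is set without `publicAccessCIDRs`, which leaves the API endpoint reachable from any address; restricting the CIDR list or disabling public access is worth considering. `enable_external_secrets` is only copied to a label, so both resources are created even when it is "false"; an `includeWhen` on each would honour the flag.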
@@ -0,0 +1,175 @@ +apiVersion: kro.run/v1alpha1 +kind: ResourceGraphDefinition +metadata: + name: ekscluster.kro.run + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true + argocd.argoproj.io/sync-wave: "0" +spec: + schema: + apiVersion: v1alpha1 + kind: EksCluster + spec: + name: string + tenant: string | default="auto1" + environment: string | default="staging" + region: string | default="us-west-2" + k8sVersion: string | default="1.34" + accountId: string + managementAccountId: string + adminRoleName: string | default="Admin" + fleetSecretManagerSecretNameSuffix: string | default="argocd-secret" + domainName: string | default="cluster.example.com" + vpc: + create: boolean | default=true + vpcCidr: string | default="10.0.0.0/16" + publicSubnet1Cidr: string | default="10.0.1.0/24" + publicSubnet2Cidr: string | default="10.0.2.0/24" + privateSubnet1Cidr: string | default="10.0.11.0/24" + privateSubnet2Cidr: string | default="10.0.12.0/24" + vpcId: string | default="" + publicSubnet1Id: string | default="" + publicSubnet2Id: string | default="" + privateSubnet1Id: string | default="" + privateSubnet2Id: string | default="" + workloads: string | default="false" # Define if we want to deploy workloads application + gitops: + addonsRepoBasePath: string | default="addons/" + addonsRepoPath: string | default="bootstrap" + addonsRepoRevision: string | default="main" + addonsRepoUrl: string | default="https://github.com/allamand/eks-cluster-mgmt" + + fleetRepoBasePath: string | default="fleet/" + fleetRepoPath: string | default="bootstrap" + fleetRepoRevision: string | default="main" + fleetRepoUrl: string | default="https://github.com/allamand/eks-cluster-mgmt" + + addons: + + enable_external_secrets: string | default="true" + external_secrets_namespace: string | default="external-secrets" + external_secrets_service_account: string | default="external-secrets-sa" + + resources: + - id: vpc + includeWhen: + - ${schema.spec.vpc.create} + 
readyWhen: + - ${vpc.status.conditions.exists(x, x.type == 'Ready' && x.status == "True")} # Check on kro conditions + template: + apiVersion: kro.run/v1alpha1 + kind: Vpc + metadata: + name: ${schema.spec.name} + namespace: ${schema.spec.name} + labels: + app.kubernetes.io/instance: ${schema.spec.name} + annotations: + argocd.argoproj.io/tracking-id: clusters:kro.run/Vpc:${schema.spec.name}/${schema.spec.name} + spec: + name: ${schema.spec.name} + region: ${schema.spec.region} + cidr: + vpcCidr: ${schema.spec.vpc.vpcCidr} + publicSubnet1Cidr: ${schema.spec.vpc.publicSubnet1Cidr} + publicSubnet2Cidr: ${schema.spec.vpc.publicSubnet2Cidr} + privateSubnet1Cidr: ${schema.spec.vpc.privateSubnet1Cidr} + privateSubnet2Cidr: ${schema.spec.vpc.privateSubnet2Cidr} + - id: eksWithVpc + includeWhen: + - ${schema.spec.vpc.create} + readyWhen: + - ${eksWithVpc.status.conditions.exists(x, x.type == 'Ready' && x.status == "True")} # Check on kro conditions + template: + apiVersion: kro.run/v1alpha1 + kind: EksClusterBasic + metadata: + name: ${schema.spec.name} + namespace: ${schema.spec.name} + labels: + app.kubernetes.io/instance: ${schema.spec.name} + annotations: + argocd.argoproj.io/tracking-id: clusters:kro.run/EksCluster:${schema.spec.name}/${schema.spec.name} + spec: + name: ${schema.spec.name} + tenant: ${schema.spec.tenant} + environment: ${schema.spec.environment} + region: ${schema.spec.region} + accountId: ${schema.spec.accountId} + managementAccountId: ${schema.spec.managementAccountId} + k8sVersion: ${schema.spec.k8sVersion} + adminRoleName: ${schema.spec.adminRoleName} + fleetSecretManagerSecretNameSuffix: ${schema.spec.fleetSecretManagerSecretNameSuffix} + domainName: ${schema.spec.domainName} + network: + vpcID: "${vpc.status.vpcID}" + subnets: + controlplane: + subnet1ID: "${vpc.status.privateSubnet1ID}" + subnet2ID: "${vpc.status.privateSubnet2ID}" + workers: + subnet1ID: "${vpc.status.privateSubnet1ID}" + subnet2ID: "${vpc.status.privateSubnet2ID}" + 
workloads: ${schema.spec.workloads} + gitops: + addonsRepoBasePath: ${schema.spec.gitops.addonsRepoBasePath} + addonsRepoPath: ${schema.spec.gitops.addonsRepoPath} + addonsRepoRevision: ${schema.spec.gitops.addonsRepoRevision} + addonsRepoUrl: ${schema.spec.gitops.addonsRepoUrl} + fleetRepoBasePath: ${schema.spec.gitops.fleetRepoBasePath} + fleetRepoPath: ${schema.spec.gitops.fleetRepoPath} + fleetRepoRevision: ${schema.spec.gitops.fleetRepoRevision} + fleetRepoUrl: ${schema.spec.gitops.fleetRepoUrl} + addons: + enable_external_secrets: ${schema.spec.addons.enable_external_secrets} + external_secrets_namespace: ${schema.spec.addons.external_secrets_namespace} + external_secrets_service_account: ${schema.spec.addons.external_secrets_service_account} + - id: eksExistingVpc + includeWhen: + - ${!schema.spec.vpc.create} + readyWhen: + - ${eksExistingVpc.status.conditions.exists(x, x.type == 'Ready' && x.status == "True")} # Check on kro conditions + template: + apiVersion: kro.run/v1alpha1 + kind: EksClusterBasic + metadata: + name: ${schema.spec.name} + namespace: ${schema.spec.name} + labels: + app.kubernetes.io/instance: ${schema.spec.name} + annotations: + argocd.argoproj.io/tracking-id: clusters:kro.run/EksCluster:${schema.spec.name}/${schema.spec.name} + spec: + name: ${schema.spec.name} + tenant: ${schema.spec.tenant} + environment: ${schema.spec.environment} + region: ${schema.spec.region} + accountId: ${schema.spec.accountId} + managementAccountId: ${schema.spec.managementAccountId} + k8sVersion: ${schema.spec.k8sVersion} + adminRoleName: ${schema.spec.adminRoleName} + fleetSecretManagerSecretNameSuffix: ${schema.spec.fleetSecretManagerSecretNameSuffix} + domainName: ${schema.spec.domainName} + network: + vpcID: "${schema.spec.vpc.vpcId}" + subnets: + controlplane: + subnet1ID: "${schema.spec.vpc.privateSubnet1Id}" + subnet2ID: "${schema.spec.vpc.privateSubnet2Id}" + workers: + subnet1ID: "${schema.spec.vpc.privateSubnet1Id}" + subnet2ID: 
"${schema.spec.vpc.privateSubnet2Id}" + workloads: ${schema.spec.workloads} + gitops: + addonsRepoBasePath: ${schema.spec.gitops.addonsRepoBasePath} + addonsRepoPath: ${schema.spec.gitops.addonsRepoPath} + addonsRepoRevision: ${schema.spec.gitops.addonsRepoRevision} + addonsRepoUrl: ${schema.spec.gitops.addonsRepoUrl} + fleetRepoBasePath: ${schema.spec.gitops.fleetRepoBasePath} + fleetRepoPath: ${schema.spec.gitops.fleetRepoPath} + fleetRepoRevision: ${schema.spec.gitops.fleetRepoRevision} + fleetRepoUrl: ${schema.spec.gitops.fleetRepoUrl} + addons: + enable_external_secrets: ${schema.spec.addons.enable_external_secrets} + external_secrets_namespace: ${schema.spec.addons.external_secrets_namespace} + external_secrets_service_account: ${schema.spec.addons.external_secrets_service_account} diff --git a/charts/kro/resource-groups/eks/rg-vpc.yaml b/charts/kro/resource-groups/eks/rg-vpc.yaml new file mode 100644 index 0000000..910bc45 --- /dev/null +++ b/charts/kro/resource-groups/eks/rg-vpc.yaml 
@@ -0,0 +1,247 @@ +apiVersion: kro.run/v1alpha1 +kind: ResourceGraphDefinition +metadata: + name: vpc.kro.run + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true + argocd.argoproj.io/sync-wave: "-1" +spec: + schema: + apiVersion: v1alpha1 + kind: Vpc + spec: + name: string + region: string + cidr: + vpcCidr: string | default="10.0.0.0/16" + publicSubnet1Cidr: string | default="10.0.1.0/24" + publicSubnet2Cidr: string | default="10.0.2.0/24" + privateSubnet1Cidr: string | default="10.0.11.0/24" + privateSubnet2Cidr: string | default="10.0.12.0/24" + status: + vpcID: ${vpc.status.vpcID} + publicSubnet1ID: ${publicSubnet1.status.subnetID} + publicSubnet2ID: ${publicSubnet2.status.subnetID} + privateSubnet1ID: ${privateSubnet1.status.subnetID} + privateSubnet2ID: ${privateSubnet2.status.subnetID} + resources: # how to publish a field in the RG claim e.g. vpcID + - id: vpc + template: + apiVersion: ec2.services.k8s.aws/v1alpha1 + kind: VPC + metadata: + namespace: ${schema.spec.name} + name: ${schema.spec.name}-vpc + annotations: + services.k8s.aws/region: ${schema.spec.region} + spec: + cidrBlocks: + - ${schema.spec.cidr.vpcCidr} + enableDNSSupport: true + enableDNSHostnames: true + tags: + - key: "Name" + value: ${schema.spec.name}-vpc + - id: internetGateway + template: + apiVersion: ec2.services.k8s.aws/v1alpha1 + kind: InternetGateway + metadata: + namespace: ${schema.spec.name} + name: ${schema.spec.name}-igw + annotations: + services.k8s.aws/region: ${schema.spec.region} + spec: + vpc: ${vpc.status.vpcID} + tags: + - key: "Name" + value: ${schema.spec.name}-igw + - id: natGateway1 + template: + apiVersion: ec2.services.k8s.aws/v1alpha1 + kind: NATGateway + metadata: + namespace: ${schema.spec.name} + name: ${schema.spec.name}-nat-gateway1 + annotations: + services.k8s.aws/region: ${schema.spec.region} + spec: + subnetID: ${publicSubnet1.status.subnetID} + allocationID: ${eip1.status.allocationID} + tags: + - key: "Name" + value: 
${schema.spec.name}-nat-gateway1 + - id: natGateway2 + template: + apiVersion: ec2.services.k8s.aws/v1alpha1 + kind: NATGateway + metadata: + namespace: ${schema.spec.name} + name: ${schema.spec.name}-nat-gateway2 + annotations: + services.k8s.aws/region: ${schema.spec.region} + spec: + subnetID: ${publicSubnet2.status.subnetID} + allocationID: ${eip2.status.allocationID} + tags: + - key: "Name" + value: ${schema.spec.name}-nat-gateway2 + - id: eip1 + template: + apiVersion: ec2.services.k8s.aws/v1alpha1 + kind: ElasticIPAddress + metadata: + namespace: ${schema.spec.name} + name: ${schema.spec.name}-eip1 + annotations: + services.k8s.aws/region: ${schema.spec.region} + spec: + tags: + - key: "Name" + value: ${schema.spec.name}-eip1 + - id: eip2 + template: + apiVersion: ec2.services.k8s.aws/v1alpha1 + kind: ElasticIPAddress + metadata: + namespace: ${schema.spec.name} + name: ${schema.spec.name}-eip2 + annotations: + services.k8s.aws/region: ${schema.spec.region} + spec: + tags: + - key: "Name" + value: ${schema.spec.name}-eip2 + - id: publicRoutetable + template: + apiVersion: ec2.services.k8s.aws/v1alpha1 + kind: RouteTable + metadata: + namespace: ${schema.spec.name} + name: ${schema.spec.name}-public-routetable + annotations: + services.k8s.aws/region: ${schema.spec.region} + spec: + vpcID: ${vpc.status.vpcID} + routes: + - destinationCIDRBlock: 0.0.0.0/0 + gatewayID: ${internetGateway.status.internetGatewayID} + tags: + - key: "Name" + value: ${schema.spec.name}-public-routetable + - id: privateRoutetable1 + template: + apiVersion: ec2.services.k8s.aws/v1alpha1 + kind: RouteTable + metadata: + namespace: ${schema.spec.name} + name: ${schema.spec.name}-private-routetable1 + annotations: + services.k8s.aws/region: ${schema.spec.region} + spec: + vpcID: ${vpc.status.vpcID} + routes: + - destinationCIDRBlock: 0.0.0.0/0 + natGatewayID: ${natGateway1.status.natGatewayID} + tags: + - key: "Name" + value: ${schema.spec.name}-private-routetable1 + - id: 
privateRoutetable2 + template: + apiVersion: ec2.services.k8s.aws/v1alpha1 + kind: RouteTable + metadata: + namespace: ${schema.spec.name} + name: ${schema.spec.name}-private-routetable2 + annotations: + services.k8s.aws/region: ${schema.spec.region} + spec: + vpcID: ${vpc.status.vpcID} + routes: + - destinationCIDRBlock: 0.0.0.0/0 + natGatewayID: ${natGateway2.status.natGatewayID} + tags: + - key: "Name" + value: ${schema.spec.name}-private-routetable2 + - id: publicSubnet1 + template: + apiVersion: ec2.services.k8s.aws/v1alpha1 + kind: Subnet + metadata: + namespace: ${schema.spec.name} + name: ${schema.spec.name}-public-subnet1 + annotations: + services.k8s.aws/region: ${schema.spec.region} + spec: + availabilityZone: ${schema.spec.region}a + cidrBlock: ${schema.spec.cidr.publicSubnet1Cidr} + mapPublicIPOnLaunch: true + vpcID: ${vpc.status.vpcID} + routeTables: + - ${publicRoutetable.status.routeTableID} + tags: + - key: "Name" + value: ${schema.spec.name}-public-subnet1 + - key: kubernetes.io/role/elb + value: '1' + - id: publicSubnet2 + template: + apiVersion: ec2.services.k8s.aws/v1alpha1 + kind: Subnet + metadata: + namespace: ${schema.spec.name} + name: ${schema.spec.name}-public-subnet2 + annotations: + services.k8s.aws/region: ${schema.spec.region} + spec: + availabilityZone: ${schema.spec.region}b + cidrBlock: ${schema.spec.cidr.publicSubnet2Cidr} + mapPublicIPOnLaunch: true + vpcID: ${vpc.status.vpcID} + routeTables: + - ${publicRoutetable.status.routeTableID} + tags: + - key: "Name" + value: ${schema.spec.name}-public-subnet2 + - key: kubernetes.io/role/elb + value: '1' + - id: privateSubnet1 + template: + apiVersion: ec2.services.k8s.aws/v1alpha1 + kind: Subnet + metadata: + namespace: ${schema.spec.name} + name: ${schema.spec.name}-private-subnet1 + annotations: + services.k8s.aws/region: ${schema.spec.region} + spec: + availabilityZone: ${schema.spec.region}a + cidrBlock: ${schema.spec.cidr.privateSubnet1Cidr} + vpcID: ${vpc.status.vpcID} + 
routeTables: + - ${privateRoutetable1.status.routeTableID} + tags: + - key: "Name" + value: ${schema.spec.name}-private-subnet1 + - key: kubernetes.io/role/internal-elb + value: '1' + - id: privateSubnet2 + template: + apiVersion: ec2.services.k8s.aws/v1alpha1 + kind: Subnet + metadata: + namespace: ${schema.spec.name} + name: ${schema.spec.name}-private-subnet2 + annotations: + services.k8s.aws/region: ${schema.spec.region} + spec: + availabilityZone: ${schema.spec.region}b + cidrBlock: ${schema.spec.cidr.privateSubnet2Cidr} + vpcID: ${vpc.status.vpcID} + routeTables: + - ${privateRoutetable2.status.routeTableID} + tags: + - key: "Name" + value: ${schema.spec.name}-private-subnet2 + - key: kubernetes.io/role/internal-elb + value: '1' diff --git a/charts/kro/resource-groups/iam/Chart.yaml b/charts/kro/resource-groups/iam/Chart.yaml new file mode 100644 index 0000000..e69de29 diff --git a/charts/kro/resource-groups/iam/templates/rg-iam.yaml b/charts/kro/resource-groups/iam/templates/rg-iam.yaml new file mode 100644 index 0000000..cfbd656 --- /dev/null +++ b/charts/kro/resource-groups/iam/templates/rg-iam.yaml @@ -0,0 +1 @@ +# TODO: rgi for creating IAM role/policy, ServiceAccount, and EKS pod identity association \ No newline at end of file diff --git a/charts/kro/resource-groups/iam/values.yaml b/charts/kro/resource-groups/iam/values.yaml new file mode 100644 index 0000000..e69de29 diff --git a/charts/kro/resource-groups/pod-identity/pod-identity.yaml b/charts/kro/resource-groups/pod-identity/pod-identity.yaml new file mode 100644 index 0000000..82e9e78 --- /dev/null +++ b/charts/kro/resource-groups/pod-identity/pod-identity.yaml 
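Review bot: In rg-vpc.yaml, `publicSubnet1` and `publicSubnet2` set `mapPublicIPOnLaunch: true`, so anything launched into them gets a public address by default, on a route table that sends `0.0.0.0/0` to the internet gateway. rg-eks.yaml places both control plane and workers in the private subnets, so the public subnets appear to exist only for the NAT gateways and load balancers (`kubernetes.io/role/elb`), neither of which needs auto-assigned addresses; `mapPublicIPOnLaunch: false` would be the safer default. No flow logging is configured for the VPC in this definition, which is worth a comment if it is handled elsewhere. The zones are built as `${schema.spec.region}a` and `${schema.spec.region}b`, which assumes those suffixes exist in every target region; either document that on the schema or make the zones schema fields.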
@@ -0,0 +1,80 @@ +apiVersion: kro.run/v1alpha1 +kind: ResourceGroup +metadata: + name: podidentity.kro.run + annotations: + argocd.argoproj.io/sync-wave: "-5" +spec: + schema: + apiVersion: v1alpha1 + kind: PodIdentity + spec: + name: string | default="pod-identity" + values: + aws: + clusterName: string + policy: + description: 'string | default="Test Description"' + path: 'string | default="/"' + policyDocument: string | default="" + piAssociation: + serviceAccount: string + piNamespace: string + status: + policyStatus: ${podpolicy.status.conditions} + roleStatus: ${podrole.status.conditions} + resources: + - id: podpolicy + readyWhen: + - ${podpolicy.status.conditions[0].status == "True"} + template: + apiVersion: iam.services.k8s.aws/v1alpha1 + kind: Policy + metadata: + name: ${schema.spec.name}-pod-policy + spec: + name: ${schema.spec.name}-pod-policy + description: ${schema.spec.values.policy.description} + path: ${schema.spec.values.policy.path} + policyDocument: ${schema.spec.values.policy.policyDocument} + - id: podrole + readyWhen: + - ${podrole.status.conditions[0].status == "True"} + template: + apiVersion: iam.services.k8s.aws/v1alpha1 + kind: Role + metadata: + name: ${schema.spec.name}-role + spec: + name: ${schema.spec.name}-role + policies: + - ${podpolicy.status.ackResourceMetadata.arn} + assumeRolePolicyDocument: | + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "Service": "pods.eks.amazonaws.com" + }, + "Action": [ + "sts:TagSession", + "sts:AssumeRole" + ] + } + ] + } + - id: piAssociation + readyWhen: + - ${piAssociation.status.conditions[0].status == "True"} + template: + apiVersion: eks.services.k8s.aws/v1alpha1 + kind: PodIdentityAssociation + metadata: + name: ${schema.spec.name}-pod-association-${schema.spec.values.piAssociation.serviceAccount} + spec: + clusterName: ${schema.spec.values.aws.clusterName} + roleARN: ${podrole.status.ackResourceMetadata.arn} + serviceAccount: 
${schema.spec.values.piAssociation.serviceAccount} + namespace: ${schema.spec.values.piAssociation.piNamespace} \ No newline at end of file diff --git a/charts/multi-acct/Chart.yaml b/charts/multi-acct/Chart.yaml new file mode 100644 index 0000000..95128fb --- /dev/null +++ b/charts/multi-acct/Chart.yaml @@ -0,0 +1,19 @@ +apiVersion: v2 +name: ack-multi-account +description: A Helm chart for Kubernetes + +# A chart can be either an 'application' or a 'library' chart. +# +# Application charts are a collection of templates that can be packaged into versioned archives +# to be deployed. +# +# Library charts provide useful utilities or functions for the chart developer. They're included as +# a dependency of application charts to inject those utilities and functions into the rendering +# pipeline. Library charts do not define any templates and therefore cannot be deployed. +type: application + +# This is the chart version. This version number should be incremented each time you make changes +# to the chart and its templates, including the app version. +# Versions are expected to follow Semantic Versioning (https://semver.org/) +version: 0.1.0 + diff --git a/charts/multi-acct/templates/iam-role-selector.yaml b/charts/multi-acct/templates/iam-role-selector.yaml new file mode 100644 index 0000000..6379037 --- /dev/null +++ b/charts/multi-acct/templates/iam-role-selector.yaml @@ -0,0 +1,12 @@ +{{- range $key, $value := .Values.clusters }} +--- +apiVersion: services.k8s.aws/v1alpha1 +kind: IAMRoleSelector +metadata: + name: {{ $key }}-namespace-config +spec: + arn: arn:aws:iam::{{ $value }}:role/ack + namespaceSelector: + names: + - {{ $key }} +{{- end }} \ No newline at end of file diff --git a/charts/multi-acct/templates/namespace.yaml b/charts/multi-acct/templates/namespace.yaml new file mode 100644 index 0000000..97be724 --- /dev/null +++ b/charts/multi-acct/templates/namespace.yaml 
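Review bot: In charts/kro/resource-groups/pod-identity/pod-identity.yaml, all three `readyWhen` expressions test `status.conditions[0].status == "True"`, which depends on condition order and not on condition type. If the first entry is an error-type condition whose status is "True", `podrole` and `piAssociation` would be treated as ready and the graph would proceed on a failed IAM resource; an empty list makes the index expression fail. The other definitions in this commit already use the type-based form, so I would write `- ${podpolicy.status.conditions.exists(x, x.type == 'ACK.ResourceSynced' && x.status == "True")}` here and likewise for `podrole` and `piAssociation`. This file also declares `kind: ResourceGroup` while rg-eks.yaml and rg-vpc.yaml use `kind: ResourceGraphDefinition`; whichever the installed kro version expects, the three should agree.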
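Review bot: In charts/multi-acct/templates/iam-role-selector.yaml, the account id is interpolated as `arn:aws:iam::{{ $value }}:role/ack` with no validation. An unquoted 12-digit id in values is parsed as a number and can render in exponent form or lose a leading zero, producing an ARN for the wrong account or an invalid one. Since this object decides which account's `ack` role every resource in namespace `{{ $key }}` is created with, I would fail rendering on bad input: `{{- if not (regexMatch "^[0-9]{12}$" (toString $value)) }}{{ fail (printf "clusters.%s must be a quoted 12-digit account id" $key) }}{{- end }}`. A comment in the chart's values should also state that ids must be quoted strings.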
@@ -0,0 +1,7 @@
+{{- range $key, $value := .Values.clusters }}
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: {{ $key }}
+{{- end }}
diff --git a/charts/pod-identity/.helmignore b/charts/pod-identity/.helmignore
new file mode 100644
index 0000000..0e8a0eb
--- /dev/null
+++ b/charts/pod-identity/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/charts/pod-identity/Chart.yaml b/charts/pod-identity/Chart.yaml
new file mode 100644
index 0000000..aae321e
--- /dev/null
+++ b/charts/pod-identity/Chart.yaml
@@ -0,0 +1,24 @@
+apiVersion: v2
+name: pod-identity
+description: A Helm chart for Kubernetes
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "1.16.0"
diff --git a/charts/pod-identity/templates/_helpers.tpl b/charts/pod-identity/templates/_helpers.tpl
new file mode 100644
index 0000000..235c382
--- /dev/null
+++ b/charts/pod-identity/templates/_helpers.tpl
@@ -0,0 +1,74 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "pod-identity.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "pod-identity.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "pod-identity.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "pod-identity.labels" -}} +helm.sh/chart: {{ include "pod-identity.chart" . }} +{{ include "pod-identity.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "pod-identity.selectorLabels" -}} +app.kubernetes.io/name: {{ include "pod-identity.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "pod-identity.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "pod-identity.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} +{{/* +Construct a dynamic ARN based on the values passed from ArgoCD or values.yaml. 
+*/}} +{{- define "pod-identity.resourceArn" -}} +arn:aws:{{ .resourceType }}:{{ .region }}:{{ .accountId }}:{{ .resourceName }} +{{- end }} +{{- define "pod-identity.accountID" -}} +{{ .accountId }} +{{- end }} +{{- define "pod-identity.region" -}} +{{ .region }} +{{- end }} \ No newline at end of file diff --git a/charts/pod-identity/templates/pod-identity-association.yaml b/charts/pod-identity/templates/pod-identity-association.yaml new file mode 100644 index 0000000..6f9b1e8 --- /dev/null +++ b/charts/pod-identity/templates/pod-identity-association.yaml @@ -0,0 +1,27 @@ +{{- if .Values.create | default false }} +{{- $cluster := .Values.podIdentityAssociation.clusterName -}} +{{- $namespace := .Values.podIdentityAssociation.namespace -}} +{{- $tags := .Values.podIdentityAssociation.tags -}} +{{- $root := . -}} +{{- $serviceAccounts := .Values.podIdentityAssociation.serviceAccounts -}} +{{- range $serviceAccounts }} +apiVersion: eks.services.k8s.aws/v1alpha1 +kind: PodIdentityAssociation +metadata: + name: "{{ include "pod-identity.fullname" $root }}-{{ . }}" + annotations: + argocd.argoproj.io/sync-wave: "-1" +spec: + clusterName: {{ $cluster }} + roleRef: + from: + name: "{{ include "pod-identity.fullname" $root }}" + namespace: {{ $namespace }} + serviceAccount: {{ . }} + {{- if $tags}} + tags: + {{- $tags| toYaml | nindent 10 }} + {{- end }} +--- +{{- end }} +{{- end }} diff --git a/charts/pod-identity/templates/pod-identity-policy.yaml b/charts/pod-identity/templates/pod-identity-policy.yaml new file mode 100644 index 0000000..71783e2 --- /dev/null +++ b/charts/pod-identity/templates/pod-identity-policy.yaml 
@@ -0,0 +1,56 @@ +{{- if and (.Values.create | default false) (.Values.podIdentityPolicyCreate | default false) }} +apiVersion: iam.services.k8s.aws/v1alpha1 +kind: Policy +metadata: + name: {{ include "pod-identity.fullname" . }} + annotations: + argocd.argoproj.io/sync-wave: "-3" +spec: + name: {{ include "pod-identity.fullname" . }} + description: {{ .Values.podIdentityPolicy.description }} + {{- if .Values.podIdentityPolicy.path }} + path: {{ .Values.podIdentityPolicy.path }} + {{- end }} + policyDocument: | + { + "Version": "2012-10-17", + "Statement": [ + {{- range $index, $policy := .Values.podIdentityPolicy.policies }} + { + "Effect": "Allow", + "Action": [ + {{- range $i, $action := $policy.actions }} + "{{ $action }}"{{ if not (eq (add $i 1) (len $policy.actions)) }},{{ end }} + {{- end }} + ], + "Resource": [ + {{- if $policy.customArn }} + "{{ $policy.customArn }}" + {{- else if eq $policy.resourceName "*" }} + "*" + {{- else }} + "arn:aws:{{ $policy.resourceType }}:{{ $.Values.region }}:{{ $.Values.accountId }}:{{ $policy.resourceName }}" + {{- end }} + ] + {{- if $policy.conditions }} + ,"Condition": { + {{- range $j, $condition := $policy.conditions }} + "{{ $condition.test }}": { + "{{ $condition.variable }}": [ + {{- range $k, $value := $condition.values }} + "{{ $value }}"{{ if not (eq (add $k 1) (len $condition.values)) }},{{ end }} + {{- end }} + ] + } + {{- end }} + } + {{- end }} + }{{ if not (eq (add $index 1) (len $.Values.podIdentityPolicy.policies)) }},{{ end }} + {{- end }} + ] + } + {{- if .Values.podIdentityPolicy.tags }} + tags: + {{- .Values.podIdentityPolicy.tags | toYaml | nindent 10 }} + {{- end }} +{{- end }} diff --git a/charts/pod-identity/templates/pod-identity-role.yaml b/charts/pod-identity/templates/pod-identity-role.yaml new file mode 100644 index 0000000..5f76215 --- /dev/null +++ b/charts/pod-identity/templates/pod-identity-role.yaml 
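Review bot: In pod-identity-policy.yaml, the `Condition` block emits each `$condition` entry with no separator, so a policy with two or more conditions renders invalid JSON; the action and value loops do add commas. The closing brace of each condition needs the same treatment, `}{{ if not (eq (add $j 1) (len $policy.conditions)) }},{{ end }}`. Separately, every value is spliced into the document as `"{{ $action }}"`, `"{{ $policy.customArn }}"` and so on, so a value containing a double quote changes the structure of the IAM policy and not just its content; emitting them with `{{ $action | toJson }}` (and the same for the ARN, condition keys and condition values) keeps them as JSON strings. Two conditions with the same `test` would also produce duplicate keys, which is worth a comment in the values documentation.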
@@ -0,0 +1,66 @@ +{{- if .Values.create | default false }} +apiVersion: iam.services.k8s.aws/v1alpha1 +kind: Role +metadata: + name: {{ include "pod-identity.fullname" . }} + annotations: + argocd.argoproj.io/sync-wave: "-2" +spec: + name: {{ include "pod-identity.fullname" . }} + assumeRolePolicyDocument: | + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "Service": "pods.eks.amazonaws.com" + }, + "Action": [ + "sts:TagSession", + "sts:AssumeRole" + ] + } + ] + } + description: {{ .Values.podIdentityRole.description }} + + {{- if .Values.podIdentityRole.managedPolicies }} + policies: + {{- if and (.Values.podIdentityPolicyCreate | default false) .Values.podIdentityRole.managedPolicies }} + - "arn:aws:iam::{{ $.Values.accountId }}:policy/{{ include "pod-identity.fullname" . }}" + {{- end }} + {{- range .Values.podIdentityRole.managedPolicies }} + - "{{ . }}" + {{- end }} + + {{- else if .Values.podIdentityRole.policyRefs }} + policyRefs: + {{- if .Values.podIdentityPolicyCreate | default true }} + - from: + name: "{{ include "pod-identity.fullname" . }}" + {{- end }} + {{- range .Values.podIdentityRole.policyRefs }} + - from: + name: "{{ .name }}" + {{- if .namespace }} + namespace: "{{ .namespace }}" + {{- end }} + {{- end }} + + {{- else }} + policyRefs: + - from: + name: "{{ include "pod-identity.fullname" . }}" + {{- end }} + + {{- if .Values.podIdentityRole.inlinePolicies }} + inlinePolicies: + {{ .Values.podIdentityRole.inlinePolicies | toYaml | nindent 4 }} + {{- end }} + + {{- if .Values.podIdentityRole.tags }} + tags: + {{ .Values.podIdentityRole.tags | toYaml | nindent 4 }} + {{- end }} +{{- end }} diff --git a/charts/pod-identity/values.yaml b/charts/pod-identity/values.yaml new file mode 100644 index 0000000..c9a674a --- /dev/null +++ b/charts/pod-identity/values.yaml 
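Review bot: In pod-identity-role.yaml, the `policyRefs` branch guards the chart-created policy with `.Values.podIdentityPolicyCreate | default true`. Because `default` treats `false` as empty, this is always true, even when the value is explicitly `false`. The Policy template and the `managedPolicies` branch both use `default false`, so with `podIdentityPolicyCreate: false` the Role references a Policy object the chart never renders. The guard should be `{{- if .Values.podIdentityPolicyCreate }}`. The final `else` branch has the same problem in a different form: it always adds a ref to the chart's own policy, so it should carry the same guard or the template should omit `policyRefs` when nothing is created.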
@@ -0,0 +1,61 @@ +# region: us-west-2 +# accountId: "471112582304" +# create: true +# podIdentityPolicyCreate: false +# podIdentityRole: +# description: "Test" +# # Only one of the two can be true Managed Policy or Policy Refs +# # If Policy is created it will automatically add it on managed Policies or PolicyRefs +# managedPolicies: +# - "arn:aws:iam::aws:policy/AmazonSSMReadOnlyAccess" +# - "arn:aws:iam::aws:policy/Admin" +# policyRefs: +# - name: "custom-policy-1" +# namespace: kube-system +# - name: "AmazonSSMReadOnlyAccess" +# namespace: kube-system +# podIdentityAssociation: +# clusterName: control-plane +# namespace: default +# serviceAccounts: +# - serviceAccount1 +# - serviceAccount2 +# podIdentityPolicy: +# description: "Test" +# policies: +# - resourceType: ssm +# resourceName: "*" +# actions: +# - "ssm:DescribeParameters" +# - resourceType: ssm +# resourceName: parameter/* +# actions: +# - "ssm:GetParameter" +# - "ssm:GetParameters" +# - resourceType: secretsmanager +# resourceName: secret:* +# actions: +# - "secretsmanager:GetResourcePolicy" +# - "secretsmanager:GetSecretValue" +# - "secretsmanager:DescribeSecret" +# - "secretsmanager:ListSecretVersionIds" +# - "secretsmanager:CreateSecret" +# - "secretsmanager:PutSecretValue" +# - "secretsmanager:TagResource" +# - resourceType: secretsmanager +# resourceName: secret:* +# actions: +# - "secretsmanager:DeleteSecret" +# conditions: +# - test: "StringEquals" +# variable: "secretsmanager:ResourceTag/managed-by" +# values: +# - "external-secrets" +# - resourceType: kms +# resourceName: "key/*" +# actions: +# - "kms:Decrypt" +# - resourceType: ecr +# resourceName: "*" +# actions: +# - "ecr:GetAuthorizationToken" diff --git a/charts/storageclass-resources/.helmignore b/charts/storageclass-resources/.helmignore new file mode 100644 index 0000000..0e8a0eb --- /dev/null +++ b/charts/storageclass-resources/.helmignore 
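Review bot: The commented example in charts/pod-identity/values.yaml is the only documentation of this chart's inputs, and it models settings that should not be copied as-is. It carries what looks like a real 12-digit account id; a labelled placeholder such as `# accountId: "<ACCOUNT_ID>"` is safer. It lists an administrator-level entry under `managedPolicies`, which should be dropped from the sample. It also grants `secretsmanager:GetSecretValue`/`PutSecretValue` on `secret:*` and `kms:Decrypt` on `key/*`; a comment should say these resource names are meant to be narrowed to the specific secrets and keys the workload needs. Finally, the sample sets both `managedPolicies` and `policyRefs` although its own comment says only one may be used, so one of the two should be removed.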
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/charts/storageclass-resources/Chart.yaml b/charts/storageclass-resources/Chart.yaml
new file mode 100644
index 0000000..7d00b19
--- /dev/null
+++ b/charts/storageclass-resources/Chart.yaml
@@ -0,0 +1,24 @@
+apiVersion: v2
+name: efs-classes
+description: A Helm chart for Kubernetes
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "1.16.0"
diff --git a/charts/storageclass-resources/templates/_helpers.tpl b/charts/storageclass-resources/templates/_helpers.tpl
new file mode 100644
index 0000000..5bc5bbe
--- /dev/null
+++ b/charts/storageclass-resources/templates/_helpers.tpl
@@ -0,0 +1,62 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "efs-classes.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "efs-classes.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "efs-classes.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "efs-classes.labels" -}}
+helm.sh/chart: {{ include "efs-classes.chart" . }}
+{{ include "efs-classes.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "efs-classes.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "efs-classes.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "efs-classes.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "efs-classes.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
diff --git a/charts/storageclass-resources/templates/storageclass.yaml b/charts/storageclass-resources/templates/storageclass.yaml
new file mode 100644
index 0000000..d0e3c9d
--- /dev/null
+++ b/charts/storageclass-resources/templates/storageclass.yaml
@@ -0,0 +1,39 @@
+{{- $fileSystemId := "" -}}
+{{- if .Values.storageClasses.efs }}
+ {{- $fileSystemId = .Values.storageClasses.efs.fileSystemId | default "" -}}
+{{- end }}
+
+{{- range $storageClassType, $storageClasses := .Values.storageClasses }}
+ {{- range $storageClassName, $storageClass := $storageClasses }}
+ {{- if ne $storageClassName "fileSystemId" }}
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+ name: {{ $storageClassName }}
+ annotations:
+ storageclass.kubernetes.io/is-default-class: "false"
+provisioner: {{ if eq $storageClassType "efs" }}efs.csi.aws.com{{ else }}ebs.csi.aws.com{{ end }}
+{{- if and (eq $storageClassType "efs") $fileSystemId }}
+parameters:
+ fileSystemId: {{ $fileSystemId }}
+ directoryPerms: "{{ $storageClass.directoryPerms | default "700" }}"
+ provisioningMode: {{ $storageClass.provisioningMode | default "efs-ap" }}
+ basePath: {{ $storageClass.basePath | default "/" }}
+mountOptions:
+{{- range $storageClass.mountOptions }}
+ - {{ . }}
+{{- end }}
+{{- else if eq $storageClassType "ebs" }}
+parameters:
+ type: {{ $storageClass.volumeType }}
+ fsType: ext4
+ iopsPerGiB: "{{ $storageClass.iops | default "3000" }}"
+ throughput: "{{ $storageClass.throughput | default "125" }}"
+{{- end }}
+reclaimPolicy: {{ $storageClass.reclaimPolicy | default "Delete" }}
+allowVolumeExpansion: true
+volumeBindingMode: WaitForFirstConsumer
+---
+ {{- end }}
+ {{- end }}
+{{- end }}
diff --git a/charts/storageclass-resources/values.yaml b/charts/storageclass-resources/values.yaml
new file mode 100644
index 0000000..934777f
--- /dev/null
+++ b/charts/storageclass-resources/values.yaml
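Review bot: The `ebs` parameters block sets `type`, `fsType`, `iopsPerGiB` and `throughput` but no `encrypted`, so volumes provisioned from this class are unencrypted at rest unless EBS encryption-by-default is enabled on the account; add `encrypted: "true"` under `parameters:` (and optionally a `kmsKeyId` taken from values). Also check `iopsPerGiB` against the EBS CSI driver's parameter list: as far as I know the driver accepts `iops` and `iopsPerGB`, and for a `gp3` class with a default of `"3000"` the absolute `iops` key looks like what is meant. `name: {{ $storageClassName }}` and `fileSystemId: {{ $fileSystemId }}` are rendered unquoted, so piping them through `quote` would keep unusual values from changing the YAML structure.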
@@ -0,0 +1,17 @@
+storageClasses:
+ # efs:
+ # fileSystemId: fs-12345678
+ # efs-sc:
+ # reclaimPolicy: Delete
+ # directoryPerms: "700"
+ # basePath: /data
+ # mountOptions:
+ # - nfsvers=4.1
+
+ ebs:
+ ebs-sc-gp3:
+ reclaimPolicy: Retain
+ volumeType: gp3
+ size: 20Gi
+ iops: 3000
+ throughput: 125
diff --git a/docs/eks-cluster-mgmt-central.drawio.png b/docs/eks-cluster-mgmt-central.drawio.png new file mode 100644 index 0000000000000000000000000000000000000000..15225f8c24de87f5c056d212fd61f14ce5871a69 GIT binary patch literal 325209 zcmeEPby!qe*9QbC1r!tkDWy~C4nYA)MY^TCr9q@cN(7|Gpd_Vx6r_=m&Y`=cnPGMlQ@e-jD>`RbXH1I{4Np_E(i$;trFuja7T#5 zGYbjnjI61cn1Ym;7=?nJwUMcXArg{gP?QR~s$$c{B#pb2s2JiRx94Q>BF>B4#$etI zrC^}M#Jl|jQ?xFWDQ9f(CTh#$oVx@=SdI6^v>XlZEP1>Iz03+;yst9qi&VbE2#H^f z=RbhYwhGTC@b9#dBF$;JXK)bqpi;;`Weq;NZ7eG%rx)RhgjI-iy4Cxv4n>UJ%U89? zOts69mPK==vT5_w4}N7#(!f_H#{G|CX(ypBw9o6=f{QRmHv zMT*`CQFO|jI}!cF;FGub?Vdw2a1_#s#(a2-d`b=NkxaT+Kqm@qkOGr; zKkohH%1WXefrO$Kr!2=398!e%;f#r`VAIqvll8sWtEv}TbScpTr$1>T5)Rl&4=Sdn z8T@DS{FMZyFP_hQLNv2{r|ro#YUP04Y$`!EtoxQo3Ytup3svqLMPH#3H4GcXn9_XC z{?6C=sQ`B<_lE|oJ!CyRk{bz>O(AE<^XZ%M(CIC85gk~zLab!>1q02+*WZ;=#!u!G zy{+BQZV9*L728*=w&*}lK^WhZLy<@cGc^u!7K1+5*Hd;s|KVQXDXb4c5qRbzm+9Ms zuu1Zzm|G`q;S4nrylqxxqKFQndXHf6$Py5{NWgEP6GKZLO3I%^J#!OhTzXIKGvymi zy)e{$(E~ju)nv&UsY|`*nrH)X8?F$bp}x7_&~!!WM#AHUt=D^qw{PB-CUS7QHj?cS zPM>CUVGo>~MzgKe$6gODcxhqwk5_<;{=@z@2fnC3~Kc6d_Epp( z6{%N9zDtcR;Ln5W>#gaWd+FZOC(hv*WTLnBal>}=uyoIqWk3=|n+AyZiKZZ??Dv&Zv$_yj%jIr2|;jCaAKk#F6YP2>~R((}?aPhs0 zyh&r|gt#cZKAk5)eCJipB@RuAd(X-ce8LPmT@vdbN#}_Kg?BQSu=Pl|2G7GT@&_iq zm(!iiQ_jN7%hOk7?+qorGZArN$Hb=YZ2Lw2IeDCJqAH_m0X0LKX}K*qK{;|IkG+=z zd(ANs{9=3(G;OWT#p-Z_yp?nX(@{0vKTtTe{qPhBv+xoAn6V9+CaTJN z%Tm|!_x2s=+CI1#kHYbYYeY8B;eR;)RwCgX*Mtx1m2pX?r%zr}#s;F^q1XtgmL$qQ zogrRKS=8t`b069K*pAH|Jd`k7oW zN68k+>>M$<>WU&5rhT)bW7b6Y^fk^WL9zF7E|E;$zoUv3?cJ1zrb@3Is-%Bb72CZn z<}FJWp<4jH?di4}(lIQY_xLu*LijolSsNHX6IY%S_S30fo%Gl>MhVfC%%gQa@9f*; zD^tUC1M@{fUZhQ+4RN*fh;N_xl?bUqn(|tw>#@&e6QniehGmAO1>}~fgs8S7C8<1~ z3O225S%Zob`&a~pdaB_)2{`_0XwR9D5xjDhaDZY;A?TO3QCZS zEhE(Z28D_W%yxQ4Gt4uGGVFU4doC<6b~|N|tAH~Qk8izF>)bb?FLWQoQfFSKS|(f0 zJ}p*z$0v=lTQ&VoN@u#Q)FfKsjgr^)b6snjp0l7uAh& zBk)Br^GC|hl#_bxviY*@)#Zz%29*cB2X8FjUtS)hEh1;T=FjWXf_E+Y+JkFy?B$Mu 
ze7$@Ei57`$iGqBjd>-Y4I60=x$N87bto1F0nwGV1Nuj;?jy_(T^>s92fs(KlH;Yo{0$9jnnHR*%1}5xkqsEEH%e#v{Zbimd#J6U@&u$p05&Y;833DvQ;g73I z@aXj!8()3f@v3JsF)iM>dKS4|xbkwPUFAY$l3acgRa~L|CoyYw>*^h@RTlDS`MCBS zA+74vYIlek1l@DS^9DH4Q=X?d!J^Ho4cm*>EB1i$fLl|3#eL;75)%avhy!$0f&Ut1 z9^0CBxSE2If`@`mp84AF*d(QIcwTr9WuMC}0p#51KEeeuKH<%K&s|kDRSo-nY$|Nj zoTX8T&k?`nnvi>K_?jx89!vc5%idcfA;qCdL~zA3*J=1t8D?ykeEVJA8c$rZ?V4Pe z&~AV=>PCVjO{8DbrqcA%R7+t=sz-Kny6jKwMYhwDPz6WED@xJ_(eo=p(@^Eq zgj4u?IE$#Z2JbCq6r?4^8(m{|8jP6VoZp{E@4_&ZGIca1-@CJK=IO=9>Y?bG{E)Gq z!kJ|gKL>w1u=1w4xI9}Wd#{1O$IUj)_<_jjc%`Hs#+k>Ab*u$q`6Wi+rl975DE9F9 zXBFIG2{F-5sxO(FA`;^C1oXF`$YoR&iVt#j+0Q^@J@T&&$njoDX0UGS^A?6KW0BNx zKZc7=q;jpqGHJfDZeyi=wiQy0q!wNc zvV5^uGvPN9{D`oJDV3#7ZQndXu`})^IGT#tl%9)0``-Rq{FwEEG{b@9P<`F0} zB71iz)DS<$QggfPo+?y2R#DAmpkeyaG}xVcyyEfdX=Q_~Io0`MyB3BChNd^>nI0;A zS)J;Nr8DD$fkh#Us*AV#;6xmX3x@43+rWEaC?xpQe8@`D{t>3R$E-vT4e}(CsbE$4C~s~ z;m3ObTBd;M)`mq3Tk(D1xi=Wd(Pp}2-fXsDCTF!GaM`sqyDoFOLq1e^*^JXNoA0HY z!StPl&WTs28nD8)$YaP>1tVN0^oBNzhiGY&EA1F&?lsKkbs2l%K=-DI+G6#MtJ;f` zHUyk@3Ab5gXGhw&iz|xBp*>rDVx(52A%w%M96Fn&{hxRSvhY)3XusC}^X=08pr**dv^IGSw@0olLh%}iaG z*Dkzsl)Ee!ma;VcF1bZ#9z3`e)1qSu?}YDY&sHJUQa7^^Lvc<^PR66ORbK0Qy%L`q z9?KUes|y8qRI`V3U!$0A+4TXVTv8yjWJB7uCqybVK)SRxESdO{j~wTsxMM1*_?WO> z50PD7DRKwW!MwifIOL-v()KdaJFJB+MdZL#WV}`6jv#!Ag*7#+wc!jVac8bwPiWd^ zrNf%_;{_RL6y%i#=$<3;t06DsG$$Xbv0w=jpuc!&s48V7D~rScTw@@eMm~*n3b;Z> zLIM6b|LqzXxF$wI`*I%%Ng0{s`?WSQ-H-PJOp#E(y<-IYefTRJ_zkT7_V=l${z&M+ zPv;NsfKZO!#sz^+9bKbU0?&{{6~&~afWH;>?F`km4LZ1b212-^jB-QMZkSl_^479GF)>k761x#IZUUsosqNU;XYYG zCja=2UuntPnHmCS{IdE;E6490d;d_kd;HW8>ry3q zLp#6-z)A<9ACUjH`1r$L7k=4O?Z=+iIkf*(?P%_sDn?;a{L8b>LG?e0Arap7xBC@(Frs3`EBiabH#GSI`sq-@Q; z|7Lbut9*6Y4VEMSxh40FTq0kKeVfib@Xm5k7a4lhh0CZIcoZTJk&sbNe$las!Ys>* z^zVp#<>5Xu@*Ee+zhUN^EFVx%IxJEDg-}O22}DB$4Pl&IIY)FT@USsNO3wXzZHrJ` z#CvFU^-?1=7f^e`|d}KyOtMr1FsOlKzW}w-1pVNWA|Q8o%!TACUgqiT(r9 z-*BS;fb<`b{)cKu-Y%PvsH3_AM2p6?Z7?})se$C`B3N|mWCJUZkH}DY59!JXN3zIbuUMS* zCnK4!l)AGY0vv1couWM%$LQW?<44m2^oXy1Z@K=Zk9w04?AH573HFz#Vt(m$z10bL 
zDj@ypmz72J&p*`0i@g2UapF5OKVQrxz5Aq{>$rN;`rJ3|zoF>3>nG$WbuzvFw2G6C z0;%dWVO{v&sE7VS0)?}{OtD9ykM?Kwe@Dz;-!W4VL2^CI@|f~S;*)a+A_fMOnJ;qW zk5GSd?z%w$?1(i9#IBqOcE`mQ;Y39RsfcMM|AkKf#zyI)fZ91r>HNiiGVDnRdz)ck zh~)a03w_1#$u)&Xq2L3k-Q4ERnV_SfaB}W?@bDgLpLO&&e_VqnA`3bV44M1JUS2x? zZ)E#wlsA-s=MXPIss4tI{+w}`YG1mBlD z36y@;Z@NF=IcDjLkted+PssUy4OrfzJ#+U??1RrFK#t8*>m1!5vJ08DKYb|RcKl{Q z5edL2Nd<>b7{1a;yd$GWRk`)Ex4cIM?6vU%wHGrD+`rmEgc?;Nq7*cAbpA8mVENy=y>C))W(OSIpdGMn%l$( z(8k9~=#1P?mi)W0>cB&}v$pq=cb4;mCIfE}5jG3Pyy#ril7`MV3f}4$Ofq`Bi3ooN z-Jd(%A0Y9bGT=XkRa+;lS&j+l9d`lnp8{!p-M=g79|w~3EWm%7T^B?Cfa|}qoVOK5 zpE_Gt{9Xk3 zHPq|II4Qq^l;N>(fqAiuo8mRG->mfSl|Ufb?ui)NU#xjkL2hZSb#e0n7U2=-^D!|* zSV>a+|CdYt9q7}giR3KJ;_7TpZnGGOTBq3@8ILX=07d>Cv%r&r%?``JNLa_Nr>3LW zIf!X)TDk6W~bAE8Yi{g8`f|}mcAHC8)#l>yBIVON;)=xw$4~Z^jaGq5B+XP>T7XJSd#cOQ!te$$~ z=b{mbCde9segrTp;5+&%S0dp_i$S^)5u@#mw!s**Dt6NLBbbih<2@V|AO@zMr2=tJU%-Ns6kdur9f}V`uOH&yCY;l9#aI7R5sxC>|IiR98qJ8Q6m-AV zZ6!&f_G#wDi#tkp3KP;lzBD&OWHd!Ac$X4NfRl-;Fl|-MS`TJO<3sJ1Onr;Li@@U=^yVXc z-VIx(SmH~*wc~#vY*bzd&A3gZ3Pu5%!(B+NZ@3^_LEFP)FUHKYy!&z(|fZxuS4TIx`o+nZ#Y>m)PN~w) zY|tb59_Q)N)Z^@WX=MMzJ^t<^H6XedND}-#^dAS&uek-p3uH9z+46YKU!VM4R=!&o zH6NHW7)Q|k1GM}>Ko+qFtZLon$ZdYo?Dd1N0Z_WMU%B&VI{15%dd~no>S)5ERqqdp ze{A#5EYWx#@8PkE@Lw?ZksgTgynQ2CCv<>ge1}t0APEMGBma9K#3=&4W1mx@c9b(u zswWB&3Tc4U#UPY_4+M@hpwyhvbSgMu4moBdk!XMv(|NRi4+Imr!*;c7#pvG$1#c#R zlo}P*$#s3?2OSAObcweg`51S?s{9y&{yzhiEB9>S33&qDK~+zav3izq&yvhCIOblq zHR*S3b{|@EP#yQx$tpU!8@lWC1vQ0b1;Nf@J?<#n?FodaFK4^%98Dlh$h@OxV&BA` zFp*G%%j-@dE3OOPJt9caA%18eleeQk{K(P&4AToY$KLPt z`BAGdXT^;7e&C@^W@D6z=dYltzmNBwQV}J^DObxZpF78b%|B=K3pvmNAbDmr>gf}% zKc*+|!NXB6$)Ya7cScWqkzNi!=nbnk@(CrRlhLhzgk2*gZG9$EK31t8+w4d2MRym7 zfDyWHzT@?u?UC*;Lf|0e3hgdkG_^NY(Z~2PL^eSIB8F^UW2)pawH))^zfgz50ZOds zY(A*(ATI7GX@D*s4!tMdT*CkRbdHUVR?MMfpMB-@pG5ADOL6oR$KCR>lURtoqb+ptHmG3hR3K5Vb zpxB#_GQK`c9?S``i&WK$asQC%@!_nT>iNQtJO3!;Gf;;U zX(pj2w>;9$xX^+7jUCV)P`q(N;^MFWHGfAMJSLS$A_g#rk@rtTeM!3$>%AaVc2xBO z2g&aPm>^_K6*>`RByTJXgVRyQrxO8&y>E7)9Wjh~Sh$YAjAuI$S&?PzsTR+qCj#sg 
zg6z728M89qr2<_7tXF4}A^rW%Ke_;+pv1nPihV!Rgl8ZsPnGb!Fl(j;N;S==gC|Qf z6bdxnIY2i)VsJXu_;e2K)(^rM1PmP&9gi1&#Eh>c_|})N@X%ymqCXB9eCG~7%gZIX z9(~c9<3;w0=?t>WElEBLF|(nKDnFQu8alW{=4_`l{4O(78$+;1en&!eKmL?NCj>0UU>4o?lpvgksyHE_LuxC1EXFbZz16A7FEn+nn>BwST@q-(EVJYMt?Fazi@ zVPpN-l-~8{)`EvZ3Zm=U3`D^(!5%j~jxRd)vO*-v>?Vmy_E z?N+5cf;^Y_-RL4gD9qH=t4H6kzTZE=g$W+O>e>A8)T5d5Ke6C31p(&sz6;nbhGFiH zboj%!Smj<6$=0VFEv3!5j5pGRa4RZA=mfZd1bwdv1tAAjX1 z)BTBH-OsjqE*TN@hgARh~B5q0qs5o zwkh!m^XxHU=#&7pXFM7`*%6}S+7j^rPEA;c`*EB-a^jQN?yGX1F#u}6C%SsV!txkf zAko9(q47rC>63GFgvi^6Uozi-cD|?0V|qNc<=?Px2gPB5XFw_I^Y0;=0t}>Bl{#Sm z9t;1!;mS2;@Zkwn#c;KQ&(O}0&umP4@FJ_}*g))$52)Us4g;Z8I@&KNqY!%+&~_%= zY8cuvaF!$Y$Yy_JBJb0L&)<$cx(0L~r;`m0Q+ME`!V0mWKWcCh5YAzy9DhmlOBI)H zh)mAcQo<+X5Z!)P`meMO8bzZ?W|LlXAtJnfJC8zCgh-V0d*bR)Kw&=1NfP;M+4Y8D zOw8D2&+sX0Zd&gjNpK9$LGOU022?R^$Cxp|XndH2JQ4jXz7!ZyIs@dug<6c6dVl%f z;({KaDv!WTR5@lV2ZuTaombyUVuFga{U)j+Yz-XZZlQvrMQt3|W%ql3V}onDA_v_i)81-$o!m1aB#=f1))dfFk0`b_S5K!* zW^_LU9A+pxo)XjR%gt@w#-Q>oNIM*kTsvz?|2N|t;qTtvo7vbL+b}WnfNh(Ch~lvR z_nY5Ed?q$lsxOQu1dEk7;&fa{oAKvgDd*0teD>(}wo)_C;@(JmqP;7Rk=uguvDBK|LQ(*s4MZ@PA3{=p{ckKQ$oXDiJq#r%PGzr|g#FU|hp!I)R{mfu+e z&awFd$?Hnqz2DBp8US{VrJqOwa8^Wp&Cd65Ty^eG$5jf?MF^Y^yZ&pID@%BA5C3B^ z(7PEJiRUI1CH(?=@6-5eFACmY>~_GwGm-Q@#|Gk_Dvu-h17U$!ETWGs?iG0sEs0iw zAaE22CU%QIx~PXDxQE|#^>jb}nqNZb0mswN$y7T>(cz2&>@pe`ckWMivBz4nZL|Hz zYkO>RtAOS`sx+tgo1(q_2?B*2SmNxp#oDrIX^L)2OFz#aYSTM_r}}-?zvZV_>+dh> zbK1Wrv(Fd!oQJ(Lx}#9Ku>uK@jpv$P_I&pcp$9Q_^EF-V7kqM=SKtgO8_(wQ5O>yo z%bT^$b>o^yc_C8I7_-^zlF{a&Th-`r*cNuAQzF63v7YhT06)6m^}t@ejK$uLr^GPm z)}k0F%xfa=$mq@coiPi(GT7R67*-M<; ztp#3~j7e%lNv^IgyCdXeS@FD~qgDpaJ9_8=q{ZaqZa9N>3aTY5(;eFr(&L|Lqx~VN zz3x4bq}5^-V^+D#!dx=KHpzK#Ut9VHO1-r)%bNNSlG^-k?VxRG2hWB13woAj0@Fff z9^kb0k~lfRw-AZYOG!e4eSZqu?ott>yAKUYr7mt3*GWIUa&#u*F!;Gj0tF84d$V67 zp@}9C#`$%IcpJz`+5|WBNf|s2%1LVWrE>yXZdvlPCD;rL`{^4Y^e?K`Dfh2Ii zp0C|tcn2GHIk<@aDouEZ_JV`wdQd^l`_*CA&G{}`_#JnTchzo1F>nMz*uOnlSop#- zMBjG4J7IRMzwcFCVWyrHgdVtR=L{UW^--m$YQG=1nzcG~Fxl&KNey$!NDqPua+Bp1 
znlQB8X534Y2z(w5-0lt;ANTbV;*%M)z29auT6QqHJdG<@$>To%D7Xe+p4ptW#pzB4 zuhBMmavQ&fP{_?lQYXHZugPO`@)V?UKW=R-nd~gN`@y+!NVSdJI-Sq~n8X@Kr*e#h zw0V7GbD@WEf6~p^S3Zf07Du36X_Y*66{20KS6gp0Py!~*sosXJ&BR+5$IMnV7DaF6 zL%L?WBjw7TxSD}iui3ggH>_0nU4K=At$)js@Ky?9xqJg>UNIyWeRGvOdKgTXDM0T$ z78d4@o9t@zlMnuym;j#*!H~pJxQeZJ>ASJdvI2GBcuYU)&)EgZ`!*1Eh;Fo8WL6U$ zS4>+XMvqV4nD46TWDmo-!!>s!lx}j@DYud*0TJ6CaMNiRe|y-&j>mc>t+u6Te9UK`$qJy>+9eG2Ab{vy-*xf;&w;4<;Fn@{P=oKPvDeP0c~G5^GMr`E>^BdiAD`{h!58wJskCX(+L`gl zerhj6{$UCCl~Nm;IpD+SL?SoT{m2EONJhZ?<$+g zrY;rRkMhOhz9c8*fj#M}Ik(Eo)CybgtI_xJWGJ{D0Mj&A!-WZYoEKbv){>sK?N-<) zC$KWNIX_+1wl#S{YWl{G*r-?fff zex7cL)uY0!&i>b2D-ww@1?`A+UwVS^6gN?}=FS?&PU3c`O^a-wA8ty%A0e@O5(ili zc#Uz^FSr`&X9F*aA-v$8RCvyiA2Bi8hIJ=;*1e(Qg-->kd(!C4oeYa139qrh&6kgI zUOkx+)?UkA^D8sH2&~|!zR5txAE*CJP!Mt_gg41~7`--T)+2RnY-97S1k7+d06|}s zKDJ0_zb{|yWq9ZP?0m>-af_VZc#+D7*ut(B?6RBycv9;tb-Aei)uzjdzd-2csGhFl z4SXm#(+S?ZdK+i#STPSW2C9yotlZvTmIL)8kdfBV$bjhJr_z>QHVqOThf7pfbRn%j zQOUR3d0wvJ3^}*j%&;2t$YnO^TrnwcqroQ({fX9mE&v)a3Emv}2VFAHuo+6=#C$6nZq0CETaD#Ak* z(ORIl_c&_2E=DFrY#`vzrl?n7};= zSCnVP6|S0B8GqZ5EVJybq^HVo3jQHzvQ};=47VYbEg6@Tt+a)AD$@or+m7?9m^60d zv%DuXc&&<@=?vptkLuXiWxFUb1Y zrs-yOdN)2#)*D1oqus%Sap#uO?2mg3`w0uKs|KPYE-}i+?Uxm z(zD+1r=nz3*o%9Y_Caj)OBdYw{J znK=l!N{*6H(P@Zxc2FX=O?YEqqjqFxG`UAcV*&kiwd=Uyc#hi&cAuu_o!$+3uZdT@ zI~K}yPadg{t`<$)TY)2zg<*z)h!k?}{k0*z9r}t?Lcb6aZhv{tdh%BeBDP|G(#3-w zqa;$JN%~(f6qSF}L5(hXZ(*`>xp91a%xQ&?X1Ua3-)B=S00*`#D>ulHmi`f}WOt5-gUGIoekC&G3X329dO=;bD^ zx$ov(yAtJmUwkp|nt)@d=e`$EIlRbTu3NKVcrX6UU?L->MQl_5bIN6((`U~FkhzOI z4~N2%ZS`*jSSmJQ_U34jB*_%PyFVFz=DqEE$4ofoNoU2EI1h?Agv}?jIP70xqYuC) zS`N0iF>8$GKV#ZB_11*-pR0p2g;?hxVT19#uwce`TJ(h+z1sCndXmv z&1Nfc@K~_gv+2TkCJY2q9Oz? 
zyxoakTPWxhb}F^&AZa{Vct2>Zqc(VGG1~5PN_!%a(B}J{X^ShjOYz`U;_{cHY(nct z_$(xO*4Jw93e)6y^;@qBih(^nDiYe>9!#F2)_i_cWKQ$PUN~)C;24N#8~-pFiZf(U zr8F~Xvs-~<%BoR3F|f8us71U|3Bz4BWck{Md9Pp=I;?X3epoe5g8~xJ<`5;=#>)aP zp3k*6+-UR5Uzt{!(4lJEvH9E$LNDW5E)cJR_-!tZj|b^`H1pob9&Fkm3q9@M{0 zDeLQ#wi?sp)jjI5Bm8U!PN(bqzJwJMQs&_K{{8G7{mJ@JtOHNPY)y#po_4}CpEbHE zu6nUa6EOs52%N}4LEMl+h%hgu?-{+bnt09&CXXv5Z=O2U;xg;bc3F7QM@>H{>t*Z8 zEPT{tEU?o8`lWAUHIW^la&&^U#s4G-P=G~Z8F;qJ z7&p52&XMzV&1$zT7O{dg?d%tOqegGN@KG%&E|nSaD;`p+0&1d#H@63p2-zF1>le2S ztmax*T{U(o!-7Q2_6?A`?KeHDa0aR&pxIu?g5uYQePm!%5j|3BjJajepQW*fBC{xU zRA`dwW~oebVXr->;MVPi2Z3G$?w1W+R~F`&8uuTfpnO2bxs10xV7`-O6)jxACV=?x zDQg`W4r>@lqm3RXfrY;xdY!N8CD^8()N_Xr%^E#VM=ksgp{(QHt|B>1l4p4e->x_K zQM)|fbeG;%+&V%_Dw}6E!2#KCqfPKtiz6wYflVoNJs7LmRa+$H&9}021aEF6#HsT8 ziHM_MZ9?q5;yIVV<@CUU0~jG4j)_fxO4YR0%;jYnn?~Qda|N-+3$>~Wv$Wy%h7h8t zf+qLaYJ26CTY5QRi`GDi2VQSB*ZZ*6`$)qbzSUQ-fJ4l4EiTp*r z4!%8ly@W6Zc+Ee)W}@LBz6yqum&t@LjF4%eiZ%Fzok8V`ch>|n998pK(Qk9>7_g3g7s~zVizgfxLB*909wQf6Be(Mlnc!Z#6 z<%?vZo%s>=gtQDS9auA=IDSWD4t0z2pa=JZ^|G9vPi-kPs|=$qJ7O;OqwZ?ec10GP zI-9vV3}DA0oQ&%Sn~OslI3%`#nj0xC({oqrUw@uk9igWsrS+;m9!$n!vyQ1~II;Wck!k7Ghe#+G6c68dVuU}eCU-t_ z6A2j=PvqDi-rKbA&=Z$u1%>qn#bbHKO^EoML1%~rBsnt571KiRR%VJni0kSpv4l{z zL}!QJ4323$r!P?=^*q(J{{1O-Dv&jc+1)fNt%}zlll6rR5;!M23%C8bEJmU|8C=C? zO_)FP6h%8d@}T(2$QN$@#~&TlXxq~Y4@G3;MRA{Y;BM9;CwbW_-$#LdR-|n@g)4M1 z{PhT@ivS}dW4544M|&5o9M5g-I8IuV+ZD;zEbpqvbG1I_Wz2?mi1{~d2DeL__xW!n zTRpWN-9NQw^7)hG!FrVWR2iXBlTVlsJs8#_Z@4s9dj+l@Yq0G+XdD_t#9AHKs{--o zhIq=4!gRfvblwh1Kj-o~)lno(I6s=5Y4UQnT2rUmtlWLpKbHnatK2cwdr%fq_kEFs_J1+)LYe+Hr3{-YPQ{!H2aMrk0|$ z&ub-ULOVT+;DaUAtc$%~#J)prYldfbMh>_;!2x?KAv!U4u1bjCPyePjky=zq5$orK zoq#caR$oUb>Mp2&v}&O3)dDxG*G{T+^pmDsOQyH`wcc0xgE*r2<6b5`J3#2CH%`iHoBPIvkDK#f`+>2=T<%QBsVv< ztE=45!mL*#Lj~2>H~1x8_C_V$6k_>YZYZ=mC$rhQXJgJa$j2veDdT$xYv(g%!xtD? 
zq|Ccc%Zek0qjVw%cC~Ho80@SFe$J7E7x8Yix*>}9+Y^P0XtO2wGLAG| zg(fMI%YDK7cTJC??SeMm9h}|mWae&;iqUcx5jL?G(Dw|e6tAruPKCEeB!0x)l6Aar zfs_Yxj)$|y8gt{yFKYbd#|~Fi*D%s9i+FnV()9P{%k3|a-rrxICfHn9FmoACQJH=` zPly&~wMx3N@iAtRoW5YTn$#4RL6P<*e#h2_h04mg*}Wp_401M$z%#@h!p~VM+nvXw z@-7o_oI_L=$YZ~WfO+5w+%sQy!OIHT1n8y_ zO(uJ$1E0~(c=P5B^_y|67;T5pIfyouR-C)%G$(hnvVD!KqGonySA<%E z5;t(k_~`E9GN`Gk*-h9gJ~Ep^1i;AOu%!O1?B=H}{9{{qiu{oA?+*5NU zu)p0nhBsY6v5`8yy)+;Qo(G6FnY)kOYN-0^=jCNcZdjIP71!I`>%=?HqN(Ky3Y=B$ zyNMCULpQhmmkho1Z3lHk>%T?0pB>|eraQ{fCYnY*z8ylpl>pXh;h0i*sQY5u0Smgp zno0}Gti|l2p`iicl5vQfJ}W>6%HNS7KS-0gE;SF#^KphG&IqeQH&^I2&R0JZoZqx3 z-5qY-MBTJ~g^Mp67^dU8us13HF_7Cht3CdpnrVLypU8YBSO-6p_oXQ2oOSyFs57#i zRbc1LUOPEF*yO3hzB&-^dG{*kpSC+z_0C;(l6;e^RYJ*(TqUL*@LGY$ZC4V;Pqf+% z>3j{Ta=z^NEnb@lAfN9bX@45~Q}{lN=Aa}L_YO6Ax|%py-OY5dX&9tT$hNAv`L@f# z0O3?f$xKVCY`o#>C|0NV0`iPT^;Uc}`sHqjr(|!YaoC5?*(q;%li!+{ubYkoA44qf zhCbDr51KKYo@V>}!Co9Z5Z8kLE(n79bK3YNiy))oSa>74>N#Pj7DQ3E1Th5>PFG!@ z?p138Say(2?Pc{@9eCyDyHJ`DDFb(k;L4Us*TYcH?6ROT$D0HxhTG8pt9qZR~cnOWnMA z^FDdVHxKXNK%oM0hcFiW=BpyifM(0mFOrt4-xynBmy1YPS}IKG%Nn83DV;ezP--fz zo;+l;2p*+UkpVYanmJC-xYxh*wZ5ei?h}Axb~k21i`oB(6`dDpXZtGLFx zwIMD^B)@6!C%bz0(&w?JC8NuK(v}m=Web{Q1-?Fha7&Pc)v zn;LE{@F6~yK%y4n%=T(#SwlBvuQx3~>-JZAG883vx1V1fq0vbCT+?D|IcO6&An~c_ zeox%%8TBD$qf7RUc`u4W&70fUh1{Mdcx{_LOLa>@~w98PQ5^ZTxIGJOZuA}I7rAsa{@@CANa_|yCcKogFCF@)d>CrW#e_1 z!FS4o9SQBF4!}Pn;uqX5EbZym4wu~y={E1pme+LZe=jB};$&cBca82hTm0Xc+~xI$mqmQ<36SI zIUVR}>+MO8Xq(W=w}j!S6?&q1jve+kSC5=~%F4H` ztTu&(x0ky#SOj)98_^*l^LvN@a%wrJ3ERl&E$$iW?V^TT34@arZR~#)H2Khoukuz` zB|OS$n&f|QQ5q<3Be*wwO(U-)*OGho2Npi(wTBezKUf{Tx*FTwOM6+6B|%^0z>_OT z^+4`QDMuNPC$mnOdNh+X;s&&)W-jT`+juTc0aG5um$s=>i@Mn})#f)2l=_DIEt+Pb z?%D76fJ(Q~$r|c^*{$_l&=eGwAsqKS=WVj|ljh<6!%)@sQKOiqxGV4*6l7_`M;sK{ z*?-R`9ouNci#~EH6OF6dGs^TOc_OoIiRYd2Y{`XCWfRgbaB%IgF9c-S&sN3nPU##p zN7*SHR0nxjz4E*Yi%m;h;_6ZBwYJF3$dC%I0ICPJ`@8Q=mzRr>X(RS=NIz9myr@D5 ztquQHApFQUhgTdiB8mx~WJ_AOA{aT|4Iz=E`VFW(r)F|!W568d4+b}6VmT=7UhZ}K z;(vrVcS(!%y|jQhdW##jG^M}@;}lS9iHH$ 
zbWFngX1~XBP!TrA7JA~Ob=mNFRC0%l%$nVUQiFAfVxaC<>gjo^e?Do%yyGFlic`N# zTGaatzq3g_qPL^-eETjCPn$j~c7e}%biDJK`W%3u;D)S6K9O30>h11;H)M%8?Zka{ zH+>fSW-6&&C(7KWr=}Xis=XpL;XU!gGY>SZtmTHBmSo&=x3F>ip9`a^zBQ9oCqMfa z>ZRxqK!K-);KNNHOXH$D&j$-zJkHQ?Xd_~6eF{Vt#{7UBEv#0lu2<8EI~V)6Ga|!6 zHqq0P&_nEH*q|YO9@Ocs`ZS?20c0MZq65y7COlWw(m;VG38qBsJ-S_DrDa%KFDqK4 zy|cfM^C?5$^@dw2=K`lGKC0tfIPDH%g>bztca({oMSU2R@wI$x6NonuX3p_ej4hwlFYhK(ZKSwm+>DGlYpEl_2qGcZV z%#u=OUlV1mzc`sVI0edNkFrz1t`k&<9yL6y8SDAE%&xW%OeN^%fE%YVT}7SrIk~;c z0QiT-r0_#;v){=T9)&ZybR|4RbWTv;Ep&{ZBa;Xb5U;=N`TPl~hw9*SDA)e9br=vM z7yIe)!y>?l&n4^02aah#M5)y7xZFF=RJV zq|yZ5UrW2Is2JHVfAx3o`^61%MAquy@3Ww22w6wY>0#NTS!gS)USq>hrOB%EwfzpC z=O9)5!yKv3$*|D!Hn&;9&aN&W^Y=A%hrQ=;WGZcJdv`&8{u1ynbY14A$2hy%qMY?K zrA5Vm%lU<~%DU7n9J(D5CaiW5H@9fCM1J)H!h=^<(DtQ=i94cB&2EsMR{g3|DVe$r zWYvpaMa%w`d*y4r_W3qNh@CWV7@1=_ujCl?gQc>vak+>6cEB|>H6XZrO+!y67BBnv>p z(hNuUcMLzqZRHz{obJTUaC2Ct@qleU9j$VGT-`t`6VHU-8nEu-;*#$o-H9CYa5O1F zIa@7$y8?7}Hqj&Q3Ez@}i{rK?tl>h{$Aezm=&UdqB;04$dF8TV%9+das6) zyRlwYV?rwentk9Jsd*j#Qc@%Jc4u#PkXGEoHotHF_>oZr#dX8AfcST0>!RUw65d;gTN>Yd zN4@~D0!9P~n4X7BLUwb^7tmiOgQwhKUH9Bfus4cn)3`?ytid0JX=!Pfvx#``KcAD| z|HPUwcH&kN+t$XB-_@$}FeIQq}*u zY~rxiVyet+GC4G04iYi!4lgo&0Yse`*ujom*?vo3FpVL1PtV=9v?O=;!K+H~tZb#< zOFcf~$Hg?s4~6VLtnuCY6!J~IAtVcx4O%#z`ATzbw^T*Oh_&0fu6UaaZ39Aek5RWhVlzqt6ho1J}nR9KKs zUKpAN#lf8Hwd|*ZK-+MqxxwWhJ$FeSC;20)( za|py=rrr5HuW>&lMJDat>T3BDiEjbP0q7XJWKBeWL(BuF!8Ns#xOb4 zuBxX?-^h9||7r`!8=bmdDb~6(XEAQ0*FDy=$8o)a--`hqm*}2~b2eO~WI4SE%c}|LsShhi`7#X=co=qBKsny>0MnHp#_o5F*g( zvau{Fqo7t{49kf{Higb;$Xlc^_8xRz05gj}C_%zzH^YPbRgt@inHUQCaT z=$C~ExTOiE@lG(#FnlqFgrknr8i5Yb{p@qafjmabwR#vH0OqL6Zw>l}DNK|BOiPZh ziT~%UNRii$a#N#(Hgu%iQRBXwJ=aA`>CyNVJs>BRO+C(Swgm4MJzE;pS}ZO+sD_b0 z?P4vxk(9XiI7_`sj>DzAT1B6TI(B75gOYki?P(6sb?!pzDsHz1&EPf}wUd@k z@3IO<^Lu)f4DZ9eVv-NmOYFLKtfEZQv?*e=w;bc$b0*Qx&XFhA_b$RLd!fur#@fy) z`(v~R)S10m(g}=;uRJyOC*|A2Sv{AH%GUDD+5DvRt73=<`@=#9Js~5e@q-y}pAbV~ zD?*biBW_b0Dmunqgqy)v*|eb3r&m2nC0D9f+hcE-e1qd}S@B21tFAe=7o#mZR2$SF 
z8@;q-64yb3Nt=j%YKzKoXQ4ae6;+}TB4Mv0u$)Equ@^KpHb_sWdST;b(43HNd-7Y6W(eoDNz@+5;9R~=~PbK<=qU|lhQJ^EC&OF*w;l}NA}wy zY|Qqei}($ohtIp2LF9Rc(D3Y)PVEo42b18NUfZ+f6O7y(&ZVBZ+wXkBV&Pzl$@(Wx z#r)4kjo121hFOgmWbTQ`f)k-YglHaG^`wi6iW=WfF*LO6@1*tLD#r@Zdu_hI&b>33 zT;6LBi(e!f;T*{?pXat)l-KHeCxbc1AG}CRyuFAX>E$({24iSS~6elb(K zZ1t(ijk^=K!zpfWv#RHVL6!Azq1sHWGZDNfG^tF~6GC1k+nZ$E(XTbtFT- z;YrJ)@oVc!PGS86lK*4vy~CQyzVBfRsEB}qN-t6cq&KA(Q924D(nWd;y*CjAkq**3 zQbd|k0)!?aAiV?$Nhs0@kkC7U_cEWEkx~54Z=UD~)uonY#K?p92fiEc-#=I>Px0+WH9i{Gi`hLq zi1%EK?~z#B?=Y;<>E#ls!W3w>U5nSh3D74HsmY&dlzGM}yg33K2C5SV<@+bnAw%M5 z17D*w?41YcU=GpAPp9=A?DoaB2N+*1byRquJ^E;i5x59{^_61c9lO3~d+Igk>P~d8 zV~Xi>$pw;Lu1CH$o5>El`79>G!z_yN9fLMVzRjN0tzt2_FpG;NMC5yQVw-$DNa?|W zG3sK>ZEUEnLnB;D-3`Wd-go<8tiynIC+OC$d9YWxTmGX*kG>kt1XyB;-NoGNRF~2W zYjxaa>u`D3a$v)`j~@z9u|mm@ZZ1iZqltpI1GQCq)$KHi05{XskBNez_oZ)^+rNWM_YtleHrbfR{O)?b>ujSH?9tDQZMx9=e{fD_9&sOM)|-*EzK6^^<6HGi zyL$sgAFM=;(-#gm3J#-UR8!*YyMZ*27(4zabM(t4`3i#MC;o2H4hi|8NYi7s(eMR{ z5k^Wu5Ta6^{4X~Ae>vi()AZa68`YZwD5VI#*)CUJ=a*=p7{LX|QlfgoR1fY;#S}KU zG;x%gq63BL7ciq*wTkrzMLOEpu?uq+>jrfPo~3h>OuK&XX4sw-5@A>R?AQ`#1xcYrtOO{4waTaD=>bp`v>8x$ys}EF6pfmK< zD9=j7R=-8D>xw@vZQFW5{S7Oaz#={Y_^M4za>L=0L(5BpcU#&xe`=+Y5CDfz%;mpv ze1;3d>s=*Z3&|tedwd*1QXFSk`vFx=+YCMM@vYb1uGKW^{vj97{u!8>#R zPvcT|L3C@P@XP(w!-F%d>|Cmgj+7Elwm$;o1ugh;de#)9a|WXF!5QgNJ<$Q{*cdwy z(kit!xoxKRQdI~PM?2;cl;XYejXb7$(($Uz2#{BA6zNnlfnkGH5{@YO5rch1S1Aaa z7p$1#Hf&tI=r}98d&KL_^qgYfRrpvu_q6a{i8d((@U8NW8c4-VxwPR=0_EH?miW|h zSHyV?OVoxU)xFV^WTsQ$kvcFifHOh>vC0Beyy0D_L3{f*D=X@nGPn5soy^v$OJx{7 zK7C^4=LU5y-o~Ayb=TCMrM<-e(>vy`e=QOTxbUlj_J^wg&KGovlI`s7Rt!+?MIOur z1@Cf9Q;Lr;>bwTGo32S2gzcDpf9`KQ_uY@TGsR1Ps6w&jC1xL8S88Nt-{K?ugA@Js z2oWy1^wDV1G-4lPvMIh?WxrYP19qL?Xt{%L3>|){R&MtY>Hf}i6cuxr!n#{lqN$+~ zOT~xo^rqIItxDu-;N0bN>pgYHXa4S;#oqD$viq(mL`A`y_*nUh9g!C{%v#<#@(`dldfK|D41OEX;Idw?ct&+?=V4^p#bIFqD={m!6T z9yJ2)6cnh|QC$d69~y}q;g2t)p;_LgTw7F?*{p2%_^rjf@qYSHIyNM`)$zfYtz~?4AUB_%%qZgdX{7#jba$)Nh>cZ;K^Q`E{Og#){pWiJ}J- 
zUEN((N*3DTmCGzyuyeA<^X@Q4AQxwl;wAVs7xzBO#rKwOsP;l|4tAF(focf@3yqN0 z>gp;*ZS_&ASUfhy0*F^i{;j;ne))GGnz3;qwAuxtOdqjij$OnBTTG_lmRew>budCE zg>_c_)t;!}x!opgKXEG52l0A581&&heoN*QK(3wK607x#JeEO#w=88w=}|Uh znS6B!D4o-IP08=QC5lWRliJ-tb71#2WA(*q6t#Br;UA6itc4`3U^bEO=jR1?QmiTd z{VwU)BG-k;3GOrwEAtW&_c-HnECi#ZNY3 z%4;`;@Mf(BK_4V+)~^f+{^Axthn8Mu9Kg9?S$j?~EzS%*`pf>_3KX!rPRh3>7J}1X z_Pm|;PUT7oICK0$j29!Hr+tCXJi_2oza)t{f3;{Sl3AHVzk)YV>+#*Our18CCh)EW`S?WQu1&#t=>WBU1! zIbEqU5U~A44?5t1+rNLuuZ0BArB`kx;{EvS&!c%(!03$t`b)o@Iq_zO&YxE92X$sI z1%eutFT+SWDEB-zU(kNlQr$27m}esX_fGh722h|P6GW%_Ee!`nWV}+j2{w!!@P+tUAkcb!5ed-+ku%o>^ zB7x=_y%xgKpca&8j-1@EBW_^mAS}j9u854i<^oZ_KWKj*XB^BSFo3@z!m!ty_C)6P zeXm-f5O0F5YqSOn2?IF!D>Lp*xTyyjbBi1_*GtaJ44-d*?cHVW6`DG#)s)Pj7-tPn zP6{VJzOw#YHJdTB{`VN(>ZcqyuYii$6KJL=oZgT!@ z9z*jdAD{@P4W>{cZ6#f@dD2A=>q{->{tbOk(_N%(v(|YU&&;GIO{%zbZvGX5D@z>dMTfZUrZ8W8S-p>>GKZo6rFRdS`kjCCB@&G#9p!vg)BSlHoIVN$%b{(*K3TKsXVk)>E1oB5}L^o)eY8znLSMv4VS!MyPm& zWy8#AcE(mJDKs(o2L>SWB|#$IAes}}Vm_R~1Vx1@Pjq*kPYo;T@ap1N{?-uR5fM(j zL}lA$Jg93~w_`FA!K`g&vI96E%m>}u@yJrCd9Xr;tLW|vC4mH)No;~$DC?KcO;aE< z_@hu-Yg?C62yB3fVXr)7p}y0l$zlBtn#_0pseMgKc%RCM>$0xCtWKA(mcDObUA5Kx zIr^0Y{o3Hpf`-7sx~)%26tqUW>u{$CkG*-L>6zHSa)aaZn89&ze~D?w#vZx&14J@X zF9Px5-s|g}mU*f@M#olIuONVzw#iGBHTRC8-ycrmcke0?AntuJet-7y_mK@;`umtw z-uMkx0SoPzw2hf~n=)o?tDy8b>zZoH+rkL~m)gP1h!)`>hq=^pVmgkQ)V{@}JN!Il~ zn`i7Bsv17xwdjh7@iO6It`M>vTceAWlAAs~pKy+S^cR*&^$jy$UVVcTU%W@PW&UwZ-kJWKzZs$Ad=7d7z$yXye$7EN&ka)dyWi^r|%y?vxk zgfo==!f_-iuLIL8xIgo8BkqbFNdi{M)YGvv2^!ryk_wru5F;ZU#tuCy1(TAv?7jSe zY0U%qOjHPUT7^g8ojdR9Yo}*rnb769HCgB36#e1)_5J(nz`Fy8H&H!SG9xQ0@IV~A zO$&5>nES#U#SF_URcG~ot1ANJTj{&M2+hUW!I<7jgDF}Uj7%oaEFx%{{8-IQvgR_t zF7#@YfUq%T0g;Nz60_Vc(<)z+O$^%(o2?qwLlmQ6}8L`o~(0kYWcBS!qz5ach? 
zlHSn(XI+<_Z2DqFU9gcMBz~_3oj~`g23C=KuNt{J-#v9u>mt|yZwcTU6}M?fr%D6& zJSB9kRo|T1Oz*OVC36Vd_nFC8E^mHf|K&!09_-$#GeDKJZ5Iyg*tzj#6==)}*zo3< zqgsLXkdEvv*Q>PNK8|N!=>W_{6QbeSdU;9y@de7P=gOb-aHbUrj!$o+s+a#gDF*C z_0?psc&Xmat=k&|j)^$-skgwY1Z9~%wVYQB_!d|3J<6It$h4ZjWOUk?{5MbZo4L~4 zbb4m&;Hfc>G99fWdRI+@|02#?3X z0e9D{4pO=aSrf+S5UbB0IXXQ|oKY?i~qNkC6oS$dI$Y*hJTxhWmnu zVWX+*`^9!CgWfbJ7?JRiF2oD4vR+kc@? z{psI@Wd2mi|@77ODEqCAW;^9&v@Uepm=j z;`{D##!Rcw)b5Comq<5}*oNG=CNkI1xQ+Kl%GA1=(p8u~m1~T}$*&vUsB_Cg$pW&| z*oU5z%qz!(gH~!WZS6TV!6k zd)`%)@u+L#V&<{5?KBRBJfMBtdtprR%SFwRN7@H?Ou}W%>x^ItTpkq8D7hf0WWX3K z`t_wtYeGgLo!n&C2Rb|v-qA!=WD}WQ%PlI#%=<0d3)@1ejn(`gk-89zx*l##8{vB)!Uo&A;AcYLm289H5At{pXy&LOE8ol4 zx%qFoEw~k|z5aJ(ig{)k~~ZxlGpyUUcn`oRz+pB@6!Ip!;4`pba%ojuAH zi6VufTg`<}OMHaS@Z671RL2`|v4@hXma9-2spU5@I`Q3%zKafr;bAN2d0dp5qI+$g zfyrl?iWlf-zAS4;_tpj2C3h6ne9&Z*8h+&Oo%k$ru}F$wB#(Ns6W{=<(y%)t-Utu0 zRbbD|;zOAIR=)E;w4GmW>kl8S#vN|x>8;pPRg}QhQx$=Qko0hz_705+0G)&Thzu131S1gFozA&RaK;u=Q%<(ZepU|jbn!Wl617ZPPw?=c z+8}#o2CvyMVof|$s=B8VA>NOzvQ^aIYV6fgUh?}-^@^gk0W$8FJwkpz2GQc{@c2a&vsHzBipFE82 zq-NB&Qg>+$@3;SSfmL*qjg`zN+Ttru(P(U}=H-ChHUvC6HrZCBtkfZA`D;hc+H#NF zO08$M6Us_Wqg2sSiQXgO0qFXLnCaAwNxboKae)@yU?U~ZIEnjYC9gIKdU&5o`B|IM^0oxR z=v*7l3REzoa`HnhLqQj7LcUCZKZJ6;Q5Y1w;gepRXhPhzwo4Gr8RYvILhYPr>^cuR z^S(=d=2|Xv->jcbM+esDHd1lDmNY*fVKw^|jWF;?b0~Nd=ArX?tX`E((1%{5MxoYC zLUh>dc2r{X8-FJ21d9tKFs#OB0h`9LAc_0))#XsoEr_bG(t93n<&gkoUDwSV&%dg^ zznR$+z)TmQOnL+I^!emY8lFGiNrDQsuGmQwO&iA%L;>fL`oJB2-+f225pEI z!Kt|%G)CI=ESVx}7Iq2mY*+>w$5#>0N|NR&Vs4IV2vZAdK*Gfpg=t0MDNobP_S!3N z#p&UvM~j6RM5zQR#f6`zzM?F-HEU;kO;)ihcy>!sW$UyW_dFGfchyNGw_^^U$@dda zsTq7t4YKW?KUAxd-JVhi61;|i`l_UIff5whU@EilVIJXR1J&k&48jYeXG<*g>zqec za;YS|#riY+tA4ip=fTP7!UJNiM>5h;(bny|{iL=BeqqFq1udC;l(;F^Dq9o(!vq?5yXwBc#3>U9(~T zxx?5_6U`b|M+uW}&Qr{`-ceL@Ta3?<8RLnDO+IB6-L-532AQ!!f+2^t=gqtxlM9Wv zO5F<_2aXyg{Si^C$Qz)+P~;HV+Jve}%lVa2@ky+q-qsS)>kHsbQFQR!h{d$(v*9v`Gq{fsMi-_Ks;TQS z)x_7aA!iSy*g^&sHqyjK&m6F+GFdvBypt8d5;Bc zZH{>_mk0_&cEL{~VWU@_Lr0Y~ZGxBdua^95-`^bI&lA0maRj^ch8~04#g7O5jIg6V 
zo0c(2@G+duO;Hfl8kGdh`c>x4Pu& ziQqvDg}$6vOt12)`#6u8Tn{TuL4WJC;EHamrnLdPY{?i?j^b$Kd?{~D?u<3EXyKVh zbE4P?MT<2^=#$#n)Oy&JR=eaLxeT$j5CAx4M6{|hXp{H?lPqx-*own76;YuD6WsgZ$+%9!b(ZBB`199>E6C#NB+L9CRc_)o zv9Xyf?P`>61gC$+$fUnXW5E_oZBQ}8scYmLzw&kAq0AIkk{hBX?)YBMe;-W|^GY9? zKb4>DU@I|hv}ctxm|zxJUQD?v*d;&r{>#6lbf5fKGvuL+Dzphp9ID5@3-|?qI0AK) zi?}}{&RNMLp8s4Z>OQcc@abfHYDU9k&q$a}&`a`}T+^TuTIy$7Gl2#c{WO`y1A&#=TJ!v?4Tr94eCn3%9q2RN(SqG#hPrzbnxf+0 zY(3t0MYyMZ#hXkz1$wd0vmRXFvJ^$lby%{f#j6fcuD!Qv1`#Zoo_XneF~$ngLL*WK)nWXO%_K!l0;Oe)c^Q(z1mx@^tp;p* zfvQo3!{Mfq74o76tTpisY$BsOHIJ-EBZb9=ftJ4;G@w@1!9kz8XUP`=-BU4EY}|k> zx3W9xT#!8nrB$4@XHjf?=LlfPmFSU=$xh^s!Ba$JTuk`1QLER=avYGRF+(7gyF!}7 z+)C10m6r{g!g;tFi`7;TS$(4gXrP5w#aPDem$v(#oc@fR7fBW6Z&?Cw0$8CG( z);3Gl{4jaZoa>>^ z`D9uNDc!OP8wJ6bjUl^U_C=Qm?<3mriHR=@`3`|Bhd#?6Vjm zzf)LiJhyAWlzPv)k)qL|k!Jt=T1!I9wzz=!m%eNNO5c8FuYPZUF=EA6I2mFd#6O?m zgGHSxQa2}bisVCU><6b3N*Ewq?zVpuh=x|bbxOAjccS!+bE4qZE_Dz=$ae^G#ZfPb z(=&ybDNctM(KA0*C4_Y(A|7=%G>Y5gxy#Ez26@JFj5_H&13j{37|QuV`EgS_3Aq>M z$V%Sh5;!g(m|`{5J{rbewcRU|zw4`bu|=OTH87nXzN44(bih4Y;%TiD+3x#At?jBu zg$C1NiePFB1GV6#-1i+xxD!@G&P~n!A1QLeMhmEotZGko`yYJum!mddxv&6l&H3fT zA0x!$$BhR`!|Me}S9Q&TgAu|*``d7oN}pACTU_y57KNT*XwF*3TOiAHtqEz5271M@ zt=ZfDz6!E^z>|$yS1_FHoh_SrgESIL2-HQs4|M|S!SM0B;HN4Al}&tkmIeO$Q6w$? 
z5TV-~cq6uPNu>^~Iu&wk;6i?uv<5~!7BAV=y|9?!&wl;W%OOmM8EI^%-C0xxNuG@;Rh|o=tRzqH#~Ft=!JMYfeWWsbZx(EKz-QEk|bQVKmG;!AW!*hc(SL z;!TO0L8(%$(1XgSX#zOP2I}ce#S2`Z^oLs}t>$m}S_c0+jAoq~HL$yfe0PkA{bT&_ z&S(jq7M8OFw~a`>iAP#nf#(K|Ok$+bVWn+jxpB!1BY9~oL0*$rPy&XKDQA=kZ*G}# zse5&y`!=(d`<6hdS@V50^@sW7Lv2=f1xW&T7Tn}v`pvcTS54Du>#^BSr{tqk4ZgeX z>|H!tfvLC_x*h67wLXG^M7R;z|Km~NqUXw z9v!FfKOiPU@U#S6_(GqTDb!d;pa8xEmd&FHK-Mrz?b%l|S3?f9gcKv*c5g|)FUT%+ z%3IXsml2e3jeisyCm)x-POUO~)U`3-wcwEw08%;AgBg&&crX2Co$7wvlr!24R#bd5 zwmo$r=N=K|*4E>?N+mXz!r0*#`bW_fsJyfEo2*xtqNfkz>e7oZsTyqw7W+H#jTWSS z9?3(FFTx4G3bt*UOattd_G?;HgyQ&{g&diPab~!ffiSH{oD&tl?CUg$3fmwD{s=!_ zT_!*hR`R_O74H8z1U~~XrB(9X$(v6|o;#g<8)IU2KFtJH=t7N+_m1# zzQ{V#nr4W6uMm=BJS_?r-iuI!czl#U7s0G$<>Tr_EfVIvvPlK#w{EuN$i&!qmYuVK ziY565Q9#nd7@caRsx@X6-RauxE9c_7nj6f=mmsyP8;cCdHlOLq*_+~$&&wnM_$kqm z&T^@0!Uw+5Cy}#_mQZX4E32v3!;%g7U}%4ocp1I?&iHj_RUg8t!1M9SH-*}kazbX? zMuF~`#wy30wYd<+5+q#=_n3?@tq*wdiDRC8OAqkaeU2Ax>aeaoCDK&CbicXDZ6vWl zHSGUyElKq>i>LPe?ci_VZ>nya$*DNz$&P7BV~kSCS1n^Mq!}S!OZYq#6!VS06YO=L zY))x9Oz}x;%Wc0XKoeJpX%tzNx)HJ|)5aolosjKTe!Ly^j?cZuw zvUyw@0|bE9Egx@A5x>KXM#=xYBA;_fo)K>NM|Z#voC0LGWT7JRUXLBE-uwVls3~M# z{G|w$Wgd^fA*b3yHRI@F#ky=KmOcctp4FqvNgu*7Y`0N5GB(7JHkKZY8Xazs3Xl-w zD*D}N9^TZ5Q$+1ust) z-%4&~N62VwJ) z#oZ|;_`zU$j`awO;R`n}FE$zErRB0Zpk>PYu_LehPLhe*NBgilSG?1ls9o!w$i2Z+ zPV=04_tKbmu&wg&8@387HNG)*3y+7KH<*UO2CrZ?Plx83gZxKcw9J`+C%ECccIn`_ z`dmRIkM?r9a>#$q5}pGO=0ggkeza5lh+n`F@5O+fzTC^qpdhW@k1@Snw-7nO-I%s% zFl&O`Y@dT&qI{F(?UG;~Y$Fv2PRK{ls9);fkPZFN*Kai+pS>3OmMPCjh>u%w6J)?3 zTY}XGa$fe>8kd(Lh+%g#FYa_@%;0NO8ILyq-ba>NWX7%h;&+jy-)QBV2L(z!;q3j` zA@&^T_uy!lO~xG?tZtjcoH?r=k0Q8d=k35EYlRh}ZXp1CdGzxO!5S+>&NHrq-T^Y` z<;6Zi*DZ@(>ssdIptB6kLyNx&(El*?pUSTz+2so-d&YA~Z`{wKrplnfsnxHa=%8?m zOXqN0p(Y_JVy_07k>r92*ClEY)G>nPi1Mjf`4T`s(2uEqs=~mZ zcqrEl=AhU37DW)WmLNT)^_kFD;y~tJbgy$Lsu-a`?|Hp}Y1)cZA)cW#e}Sao8FBBP zT#$ZKj?7jgAbBgnH+NG@_ptG3;sL-h5Y<}1R|1ufMyQM)f=(J3y zunXz98%KcR4sP8`8-3&XZ^8Ed&mt(iUHF(&xNc?VX8(J~(@zN_&Y2mmTmNX+JLVLA z5L|v+cy8<-uIE}zA`~c9idvQMDMkX2GMrPS1bLMBYZDagOT0| 
z@%y99nMi$sQrA6U`0cfLwbd0WM;wn>+9@V|Gt?KC$U!T{62;8*+ZZ-SwViymYR>{| zuZgkjXB{nb;?DZiW-7OOXdM!+hTc{wU8_j~Tf)m6ir@I`KW4KZ=|roRyfyBbsLXNN z(ag5ncklOZhcQ)V#2dTLvE6xzy(_L~HN#!=p~v(Ew(h0Qfb?R&8DYB4-Z0O&q(lo` zu81YGbui;M$?tFA07x6(onpyY^Zdax{&BQHVn^~8>o8<|(eO@6S6jfKpb+yVl~;Is zPNC}d?ci^y{wlF_&gj%NgD8p^ui`e$=Bm-eO45Fj{5ZA8rKnoaStfRo9;K*@gn5Hg zYf?dSOEI=@^r7`P#F)LLgx6_qOfN{N6lLNko*pOTNZ7DqV>fACyr1LrjnajEQ+Dr# zWSRbhOBYu>EHgAOZoSj^qoE-e&Whx&Y+P@K)CIdAYZ^H=xxWZ$Kd`~;w91K3A^h=; zd5))!iOLQYT}y*Xrpo1;AQwU%LgF-Z@bt{S19Xm7ALP%#l4A^6Y*7I5;aWF4<}G$^FYkt`Z%h=KT*`({o1# z{he!-ar-uD_)SbgrZyHC#8mfloyf(z#P7pfUY0r!>Xo{7+@mZ&!q{1>k((%C$oaht zL4Gg!u)b4=j85L-)Fet&_dIb$T9%Z;guDT60wt~Mq`D#jeIwX%ZuMAi=|5$Tzg#tp zqxVLMf2xC?@_fg8N>75Be@2WXHDCyG2TVY}3_i zVaJOQxssUT7$AECYD?_bkg&Ev_?8@eKB7+9!rC~UTm_imbqwJLXK#6g(h%xup|$br z@&E@CVo)2`-BCV19pg|w5!s*b@rUQ0d_;Gddv@FIcgn^F$ty<7WJa?tM{vA>-GVmQ z*({P-azT}wIh5#`e+~3XfTz)V`7#|j66cORSi-QjuCYU+%$0$<+L@#N3q&3rKQNg+ko zS*qJuSw6abOShGhvi6)6j`M#{hW<}(H-FWRBtsqEZTci~nX2=$sq}dQj|djy8t?p4 z>iN)!Vw6*MpxeTpp2d~i8$}#oQoXm3EQQ@P_qR?W6S{5fX!CiK(#g6Y6PRaDvV*Lp zfGckvl|04;QRg>WmM4Jhexs=7t6YKSAd*t5e#z*wV8i7VX#NDj=(+!nH~~0LK6ocj zUPj{?&_QV&lsL_w++UpX>Rl7KdhLS33vgfKWj=%5B-6Bkb{ARK&@k5)t9LpCV6xG! 
z=k>FrbYd*}7OPWbIl1qpUz3V4AoaZ^E!k>gdKf0LuSc^y6=gMQsK=%IUI@Eg&yVS4 zAc2g_TLn&HC0Sa)I2!}tVRF`=3y^;;rQd?g6`&=Af$Gt3?5IBzHEbzVeMioXkeS!H zQpCL5&Gm&%Uy+Cjm%NCxgBy3cNDDzFHuuK2I5v~%DftKsQu(EPn496ZShZ4Xu(kV& zkXoIqEq4WV3WZ71$ZK`N=!Lg6YiB#V@RYlNeQ;iNVk-(!-EXwptqA5TR2Eevk8ys# z!=BO9PwpD2=V^US%>uQ^0yQpQd3gCW>1ABatgPU^FJCA~Y?3Mj-IKu<{dHiAJwfF) zuS}pGG!_IRkf=3H91i=PahxS_+a_c|&{7 zngSDd6||62qFotcZ9IONc}SJ?I)v)RL*mITrnopL z;W~t5ReXjU+(C02Q)HqiCu`VW6MEil1e0&QbxENwMufwRn_`|V88@va;qk5%TIF;O zZ_JObMYD<@dZI?_zpZB}*u*eS1tTF}m4|dL@HRcvam<0_#>`u#8FHqx7upke;`>9) zhUJL^ufSf(1j3_P|09l)`JcI(5z%NX9P#TWjDR7Ztgd`z*AH(k*L$?QD75Y<_|sxQZs&Hazo4MbWi*NLlK6eO zDF?!j`aQSj@GIXo4K3doTz3}iILPz4h1Dx^*$Tvs@5om4l~G`0Z#sMRT4wTBJ4WaQ zo36{wSqwwN<3_IpeDWKD+>{s2p*cWS4{GTw^Xkpu0`?Awzufj@s`2aD=Oh`YQYC&P z+Hp(!5v$`+YX~K4Bo=qYQ1Fc#%7Ra6@8y4=A_Kn?rP;b8O&`xU&%!>Er{%d!@3eMH zytYAgvjiKssJEx#nHF7oG4aDTy5FfWY=&uShGUBJ!@CP3p+QELBI0)k@OVu1k&Si< z0`~78iO5GTPH$e&k;Sg3-Jqx9rI63b^Z$Rf;jiyKc;21<8}57?$FGT9nuzkQY`lL5bGk##wjIK@cWe)Q6lLT*FpD?e7;%K1VNP z`=GAz-hMFj_T2@&%2l{BL%H*hS0;q8Dc$2ORqB)?qmmB}B%S{iMSKl@_ zD)HZ*1NrG@{dm|UPw$dpTh@ktohZOas`^ivq?uMc&hI>3!g{yP_xYLk76%u6=t@Zq zf3~mYs|xh{bC?Qg^79ynANar>I&2kT;bx1`uXpo#cV3J|B5*qbxujvSs=*@mg<*P|!9>V)d^iViB}XjfTntTQ`zk(mTy|{iYcA+cgq+ zE#s8;6B_1|%QK(wvo9ueQMN;|?=B#@xVNfKK^|xnk;p%|ndBm4FA@CJYxk6IkCK&8 zo!Qldq~1@TpGjz_X|pARs^uXrpbx=pEZx!aq@#?Jrm5C1^j0eMEU({R5Kx~p%{>Q6 z>N0M46JZP)<}8O)-#;FNBh(NLre_C8e2wu)z!7Sil0Wa33-C1*cdwa?YOy_6v??-f|J zfXFe)>95_?>EG<9KrIb%F-^y+H7r{u9kVha-Vm@2K#3$PV zn^)TkMHFwV0njW@7#~h~GESXf-kngKe}?nY}F5jZXYIc(PtO;b3lbGkS5qSwgO-p2H=}XOxN8zL`L6 zko$)7r>Lu$TbNPK8Xvo|MLn!6%4^!5d=CBQ^)8CneVWC%J=T|VQdPvDeSW@6+@tu> z?t13yZlx<86t8Ihqd`=7r!V$K1km3((QV1_&pecJh0N{uhV$cWmR)I*=dI{InFv#uT-|#0=yA?G z?7mvSD6F5Yi^yBk1v|xMatJ9=SUM;&ZIxPc*)ZWnzi)`m?GV2qkasIK`t`*qzq!*{ zYt3(QL!7Qa!tDKSh+~2pZ}KRg>|j54#{P&&bi_9!5d0@Ex>J5PaLZk)zxXiT(8keI zo4|*}(6396z0ph_;zpO|wm7`bY>KqF1Q}p5e8_uwsX!gB7}P%-+HH7!&dWthcL+4Q z{fYEAs6$u|OC`?ih#G59UdrQP>(7V@k5E{?alw6o5;m<jcs8&oI 
z@14cPA7Kop;ZH`)3fYg#filCmY2izXZ=#w1Rv^$kM;qrCZVEsA9&xu_!Mm!AC&b%w1lZnHp*4(eg*ubYH=|5Z zSWx_iSdCEPi#5+2RBdv$WxH2?%5BB=9pL^+< z`U8CybxmwN+$^YE;!rMH(=o|uuw@`D{!P662CJe;|4v&n6e&2&04xW+T|$1vV0T9d z=e!jtZgcQke+3FJU$4CVYL@Rntx28!`#g^5_bqVVUMQ!D0EvL(xPzG@^+VcD-8ST` zGIE1xmw8?KvG&QB^!r3m@^Z#0u?M{;FC9Psi&bnG291EUH(q8gUDvf*y(=4vHV5aI zPjAK9so&KX@eEGcPd;R-dF-pTDZYMoZF3bfMKBGj!%W0)xq>_DE5@S0@w9P`X@n@7 z(SmEkn{v8>vlc!==ecZJ9G!k2KgaclSvxudjMMuOf_e zQp|CfxRmI=k^VLNnoxVUNCVyZv|7z`kQ%;Oe&+?#LhMVH9GfN*FlM+uR#&K-ReEcd zoF8{~*FXE1&EP)U+)-wt;nHZIn?>+ccgjcG6VVqWY0?A`4&1A&Z6k zOkU}1@gcjnrz_LVUF(@PPgis#dTjeFdBf9}N|5bIH8?*qG)RyCogHq1`By{29cHH( zwp(SM*9ZIm^V+HfhD!g%Z+fdQv0t9A7hrShkL?Un4@g7stIWR78R2-J##uj;X z+`eIP+xw+b-5gd;%qH!PCakSWp5-gv(r#fnhvyTQQO^)3Yi+Kx)HZF^Zzo%ER|T!y zI4kuwFZo#UiJM=9C>FHHf6KP$w;L4T9S^n2w$@DzBb!6LsRxgMhia|%p#9|&{>-4_ zU|OyX{LyD);q|Uv4GPFIS4H22)9P1ji7oxA+~0cc?SAX8Lu)14VLUsLyG293F+>VT{D`&ySyH)4 zElv5ZP-ynE{k!>ME7s%^3zsasEs7Sk)-+Iv&DwSFVkPd_!y@<9EQhsQ;4dOcACP-| z37)I3{MCfJucoPrNX=i@XA8?SV3@9mxrLNe4O(AB-YTNRM9ti*+H&zV zKGuT7o2gvlmhVSm83sOG*89xWE{9`Ya{})Wl#s;xo#x@Oo zc5KLN!!R$3?;5H+P}Ad>H0_K++?iFFjJC?jGKA=H_ad1_Y78R5q_mNP8uvMwxD9&d7MyhrFt7)mUNb(A>qqD%}GrwAwdGW{y{$eVsefMJ>7T9-BsyW8mKp zbCBFDs@6cHc}iN&rm~Y<*JpNij90XfjpgU`DYK~rc}WtAV)2idVpwJKh^c$2*{<@O zzyDb^H7$$RaNy;)`yn|#jV3c3Gc1g){Em7xf^r>Yu1Q!-6b8-J@zmB}73?7P&ap5}fi=DGE?KFH_U>pI$~6_#7k z!Df0UV*&d5d{Pvoby}9HPv~uuX+OT4v*{7Pc{Vjwut7XwW}u+F_R)K@R5k+bFFySj z^OHndYroZg?si7Q8PBI}XO`Rkf2@6HSX1k^wY`9XN|O#MO$DS&Zz3HOP^623)X+kQ zfGCJkrT5-MsF zHz&ob+FpBrVUxzvGv)7GU+|3%b73{5StOAnO2`(k9ILTVEuk%){ABkxf;_~JI%%b9 z`e}Rl6_Sv+O=#s9Tq1$D51PwvUv)up{-ti>^$m&q8_oh!ixf52?T+`UqdC-Tn)DNs zst!jE?wtT~4zs1YKpwepekzi5mwR~^CR?qYxJQKJgylmk=&OK5b3<+%YmQUJuFN%! 
zx0c2#jXZZ&qPNvGFwZu#S4?&!tst(TGMMsX zAxNxX$_Cj+?D|Gdnd3W%Htf|ZXw3XY0~>emgjLXlTibKDIOIJB4os`XWe|6t2%4X` zwTk41oL~J|%&n<1+4O|pajZmH&js!=xX+)TEU0U(A)&cVT<;u!o4;+7X)vM?UcX$a zJV1rRylk30!~eq`!oTRsuTM&(k6x#4rw1OLnaE$PzG0mbM*3~GD(!xSNQRAR zh0^SdYK{%=PMQ5Ab{jO8U$>T;5sw@;YlRqP$8kw%CaxCEp3c1j+2O%V`sP(6iDV*D zy{ptcZbKsySffVA+lzF?!qstxBj1&dK!o%q78Wp}k#+6R^Nn zt@zFb4){I~zqGkI?pT{byoV&$yTa6i3GVBr#p81<(86O-V!^;#6J(%z=CqdY5|x%z zz4DTVN0i5%eKn6QWP=UqVx{W@%{=o`QlIu(Vw-pXNBVz___u)bx507Df-N#t7M?3^ zmBY$RBBsH8SzR9Xa?Fd%G4)~8`JX`1OI#cs$;(n~+C7j!Tlki5r{C7H+L~JeSB(bA zkkFG+0ZK5MGDFd;X6zpSs0fQBey9B~&|YK@7xw{e$gR!0pUy2)@(C0f&Wuxt1`B zvN2AVot`~oOi^W_>*Tw;-n@mb+>#Yu?=wZu9ZAHGPCf zXPeLJj~%1{gWgr@uf9x;VzV%YsE+^zS8<`p1%U(PTnC3E{KCk_T+qJlhn3Kdxfonb zJKE5mq;XmOc|K3%;i{|EtJegTO z&bq1k8T{&|CEwYGg4UOU$;~ZrTzk_Lv3O;F-p#x>(O!9{xM*N%81%WY@)VMBjFB_>4iaigS4h!s zUZY=VWKDv?BgM^H!-;y^MTB}ay*=4{NymI=+}JHI=7YovN#gr_9g%>U`dvfq2jn0q z*z4g~R4%fad6*^xd1^g~gv;JCdjETz>Y#^60-CYpgLyi%vn~TtULmpf(#m7yDaPK0 z^!tJ-{8jk2#L$h+IS22fW75$`@`t_lfU|_Iy?0ETiQY-wO_P3 z?4XE>V1&VE%kf(n8=IJvhTV57zAG9D&OO8Yru{0kz7t$p`g|I>JPjIjng(26%<%56 zDIOzn`e%TXJoYI(W&?GM=hNN z(Eh%@p*~u033k}8TX<5`?!y( zRX*gVr&hF`G+{03Qa-dKNnw>0>y&o0Hjb8A(Ed@0Wisb1`fkj=f_=>RSZ8*2-M~Xv zoQK}Hh~#sWr%#eI$Oi=&r*Yvj#u=jXE%ir@y4=SPd={PD#fV2VGy%0|CIH~^d#U(* zX)~d<$MpWi-<~o{=Q(;?_aP=~?b)$M>;j9!t+Sjm(vgWrr&G@`aO7d-XXM=3JnVKq4q^{4;v-t@wwSuWW9|U=79<=nva|~-Qv^f?? 
z-MG9Ex_CYnrn@ce6X|ShW~cG-@Pepk~_6%E-6Y+0IktoY#I=XP+v_j{f=f#Q?OU0SA_LqPr4X zDw&+CB+<0LLWc$aLYmfinc?chmn#n#&L1V19rc~x7cQV|F?vwHF?6KC7;0n;&!lj_ z92OXyrjY z-NYN46x{~>G)mn=QQ4*_Co2!rBA~b=j}dmPe}QD|ePUT_u;8#JrQgRGR5|&=i}XWR zofRHE5T=2VQ5L*958x?k9M+My@5TROdEbuHJ{kRbea0s)m&wQ2;YhX1tFa zkF3jmFZG4*1ylE}3eig3xR^yA_5pthc-ofEy2rWnhO^gossA!qo$w0*WCGeNHAh;7 z32CLB&0ZIFncB)i?xzyt`g7#S0#i2EWTC!OIo%wVnwxx*xydwY$6!iq=#zu?b$J zAE->6u$$iIx-Ey;Tu{}t+~Gu3CDg1%=(>O z8Wc-ZtRYtp)ok|mZooqKA~@S|&AiM4xCZJV9LPZ?DXo)4qHUzyPIwIxw)nv{iUXU0 zJUpu!BbIfSw^}vD76x@e(w(1{MyA$5_k4;z1MtHWE`IN~dogD(=Y~vlIXyW!@MZ7p*k)Q< zq|uJA`YRKng_bxtBKpa2+b%7s*?~}A#~c{Ng|x#bGdv@H^l0BrkB&{$0=YGAib53J zoNXm-G#sJav2N4Tu&y%Ms0LfZ9Klq)ur?*pRNGxjNQJ%3tDCzFPeWt}D413z+Cg_z z9=|pwXF$41kd0KxFGnX2KFoQeW(^*_77#ug<^11AWCb81(?r}m#zgWLzXc#N()CDF zw^Xc?we5uv)9&gM+Z64{`lv1Cx;ybBVajwQpFq+nB`*gz$_`74D(Y&2Q-f#i_jnXYn zby*<1ZG+cWiJb>-$PN&``~=TPk2`zr`O;PiLxgbN_WD*|c5&QZ8K7^m5*Sk!IBT-F z2FL>2CH$F$c}85x=k2tf8r^)-+8wKmCMF8V5F1%A(;uHcv!n1@_T|8_2{RgpRVLu=RX3^E0?F>H#6es0@F|+~&8n z)BcT3S7{a#r`)~iQFR4wg+ZD%%{(cynA`!%aLhnaTs`*+d@@B~%%ptOf-j4$Usm3) z`r@6U;@BlxaQ0duwBuVj$~0)IU?sDDn=tSN%QZ$^BvJ3=4z3Sr51|@Cxr=hm)R2%o;P9IsmK$T%L@7j9^Dck5NY4@|xP0HL*HE()D zn(aFBf~%k~HvbOlCdGo$EqrRVI++AG&Djq5OIqnq>WiAqmg*i;`TRNCb3s{4nkcss zyJeGIW}0}J77&)JxWkn@1>BUE_iMAE9%+o^3cwx#21Z;MEnZ@l>j$DYyR7Q{lAz@h!Tr|Oi}R64Qr6iS(nwM zJ|pwW(Eid-IHc6rblpXx-fQde@{3YN$f~w5Mw8gnnp1Z!=cV$htCsNFKaf`VocOA( zB3PP}LZkLUqWZM^28DE7PZ7PsKHlh>k^QxJqDqHKj`jY%5i2@iL16!&QgenB6(4hA}NdBxS~X31e*?e>?VO zIuKq`C=gqnWP>y%s`ruoe~u0BuJoO<;QkmElpw_axuj~ihb}8FynGtqE=j?NZ=kfh zlo_=`7!fy)vom8N9(n8WF1ZYbDr%42(IYfDHh5|)k3-pf>3If#$cX27E-`GlMCzy~ zo3=bv>U?+JY^qtBUtu{(t;pS}ts}R6pn9%*p!9i;4ztKqohc_~yx?`14i%2%m6QANS45-&*A3n2ouBpohY=V}cslQ@FkI*0OvuUqjTFWW>K zNJPn`S*_LC*M1zzf$rveE)Mu znqy)}l5?h7yl=*e?-IIfCj+NUIGE>m#2|BCjZ1J9U_Y@S#HV`i;Q$k(O-ZMjIPmpWsa&pBBn=N&f;H1h-(K=Ugt_rg6-3g-V@d7&TFROboZehWFg!qMfvw=J8&T-!g5ptWw zAl}Y}5@P6z@dhYiuS!#;nd?q=MVbEX?zjdqH`|XOC;?s}LFm+3tL{Nlx#3@UiQA`g 
zJo7(k^en!VXWF$^+o9-SvY=RB!N@6SKa%zd_hwSyUw&q~LobNrq zs>U18o`=A(Tol!xUrwLR7)l%x=1JhLsA}&H9NTzqFQ=LE6&uZ{y04t$x?CRK4yLz{ zUMokd_O5~kywb;3DM)%C3hv(4#Dg{1rhEVCIh@s-%!~9)CH)ME+9mGf2xzbUxDSw< zZ<^_~Wf)ksE`)6NJO9@MnKE}D(YYO4I6qI-_r{VU+hp5`(Da&~?4)v0C3Y#0zIWRt zhC8|{^b;ey%7GT+mpJMS8XkePB@3tOMl~fS zcd?Erf%H%clk1(pQd=}(E$i6rIEIIcFG%Xgi^X}gy49p{HErV`F1v89WX-bKk&9+AR%U)VU=p7LMIP0ug* zt+Te!{`>ULU&n|4l(M7S2d=)VIO+#UuQ*#>Aw`kftaNz+BN;eEd@a1|1t@luT;!GA zTH;W2QlH$idnk2EAQ%QTI7zqXjWvt%do3D{4uY<4hvHe4xK}0v%z5V@BDrF-lbsNy3dA>@hyZ-0+MBv?R*R%bu zq2Y+F@sUm{#lS?{P=u+8AeLS3YK;LHP$e#tidMcXuB%_gkv2}QO`M!ir@@$$N8_#< zjE;V^{3NN`mCD{GnSHsp_={H}xd0Q%q)XR#bHuLWOG`crpH6@P^B{&+TDySf)Gk^~qTwM{y5AwWuOxfjYMwuVDhX=7Y|ABkgCV22ugF z_~NO%o6TiiQtT|>s^7r_WF;-0B?}(BZb<6S6k59m#NuhOH98{uW>;CY>Jj&D{Jmzu zdF{vLMTJ|(OaaKGzNQwzi@Z&W<=*C5D;W}w+J9;XpMmrm+aqWGUTUcKQoqpSF5F}mcA`-jKzO1j_69z ztbMf8mzy;742v#aduwNvvAjKWd%cw3<=o{;Z67gIvj%(nN=5J*5SU&G%3AjSa-E0p zM%rLBxt@11dBf7od=~2U`Tw!5{a-BRKV9v|BY@UOQ*ysJ@;%8kl28UEMY%az1Q%6 zriR47zB2m@m4kb)kWn!fTdI%t3U--A^El54DJU$idH$LV0N~|WrPKFPO*a(GLRr1L z+Vo}o|M?l7-vu%>sn~j?#L@Rrl*qDB-m6tX%Q=F5uGaL__R0Agt2X<%E+6^3ZtaS2+SFG(7jzkOA3j*Z59F`^K9tTAx*0Hc_X`wS(0TI z@7G6jOgFmd1enwVH0s#B$w`raG;2Mql-a7j4Qm8M3b!Xup0)*a#*xu9F&v#c9+9%W z{MC=dw}o9WJ@SRPgHBbw7FBu7Y1hLm7cK{qb!M%rL^d_r{x3S(XC3jlwcU;@2#1JFmnirC*qw z2Bu8>_*fmjuCwv?P-ZZ%)EuzbD@%`hE*$w&{?n6wNe9=}0V))pi(~ISa?q)9nd{zS zP#1*Fh0{_vX}qe(0(H->#psz6KLWZn)c-)o1Vl5+MR4F7t7iweB6d2ckJO&6H+gVg zb-sNiVtg>An~@i+A^q8FQ50fA@vg70Z%jvtG8Lsw!x6PD5EP6+N@l`t$a{s{mvQ?e zHa^U2{Ct%~w5%&M>zYLi&d#o)KVMjs1iBm82WP0BNWle z$bq?aTAu+Z*|TeTbUiaR0q%tPPyTSy(y8YE1l_rtD`Z z#pP7GY;FDg6fQETz$|46R8znt6#1(i9fkD)dO`w$#W@h#~zwkpC0VfcV5`X!~bmBVOsaz-6Bg+&WA@W3MM%-e$ z@d9;F6859d;``bOPwbc#z3q)IN&h6+uV;Ta>w-Fy1d8h9xoaGCYv{T9YEWPB$SyR^ zBBi^K_GY zct658n0P}kZw>T4ve+4`g2XvaSrM2aGkP1+p{u?H0LRUfK?SLfda4~z?8sDuTRaxG0gFH8QJBl?Nto;bT`--V;kJCXqWXfXN# zPWqhXTghXaMu5&Yg;Z@aHw@nNfM$H#V$7)>$1OFI~px|cdkj{JgWddAVPm*IwNTD)&L z+%aDQI{`0tt*e{;tU8aihdo%bwwc+if&hqZsuo<@;NB@>j?K~x_|gnwD1s0?diBbl 
zp>|fG?d=>XKLX#u8){xcy|LoZc1AbJdowo<+>Bikym#R^wRys7xDP9FI|euU<#PuK z%yypSC6PTr(&pjq9=F)!`bLrY1hjEh4;*bx6OhTKM&xD2KA@LrCkTMQ(uV) zSA378)70DLxm7%(qb08DQdGimv!c&eE;_rhH>3|Af(r0=bPZTi_LdPtCasCEdyI6i z?pha^t-DpXH$2J9HRKSYZpGWbRgV95OVqaKXT+I#oYg{^mw)#rO*V%O=yUbU^GySN zrPHRN#IwtED?TvL{XAMHM~u*``-Pe>O^#CQc@Ks5Z4qc2g{Gu^ zYZ7@y$4gB~4oAK+4MS(t*m{63@!jU;Hgyqmdt>sLz`Q;2z%9p7j-b>8ia5x#KLqW~ z-_-2bO`LhLb(M`zR?)^p(gZT;4%>@rFhvRbEGdQC%x+?*(+;|K+ADQU*wgmAXy&Lk zUah}1%E@8VGEO~2cf-K164E~0iGZ5yvBTDC3RVmd)$TK`5pUY&U*KkTfGD7 zpli1KkB2KrRl96uD~e*smaz|Rx2Yw(u}r!dhLE9&yU63x{e0oEX+*J>1_cIkzn3a31PZ#=q5k`qjsc2)A$}nHBU6%S z-Be%K{u>aAt;Te(o9`2bp;{KCeKxI#wsmuhHn>fsNDd7f?W^agc8(5y(IIi zgp>hjAoHqA#rE)qwcplMyhW~0Hago*2%lBSE*ne!5-Y#_BnIq1e27b6|h68`kz1}yG=Vo zOm?B&R^x}s0g^5PDWN?}Bcp)8??E(lJuP4w8E_qHJUfsYAgO(Jo~H!0xo$&()-o3; z=oJnLD26yA-QkXZbaOFmoPx9-Toh#iW;(@B<+S!Z{h?KIzN65Vz3_8~wX*SrTL-`U><6|ApIx^a~;+f=6 z{#TIbXKAGGQ*3sNusA9y{_DHaQw2OcJSBlFBO_?I zS6|TNa3cvyowB?xk`h-}#4fNA*-kW>f~hlk?ymh@*c^z|+OWve$W^l|n?elI^h5>Z zrQXGF3t2oJJa(Z_>Dm5VpYd3)WfM{x?n;y#Qn1T+n{kdV+PN9o43ai3Vdd#*FrBzG z_5wtF>ZD$Tw|rKnSB-fOC$T4vT*d}vOdW!rGT3UW)1exRF)Ito*1j4hE7;xyXiMrh z@6q{%EC&rFA4T9AyR&2%Q&Y+vhTfgY4diuFsjj5Ht-jwh%&cGB>+u$L&h&Tq`_Gc7 z-~{R9E8SGO0Qr({)@q}ps3&dzl_ zp_ylLM6bfv(P?{cY`v{it&P+6Q0GV5!+l-Dy_d+PZs&ESq$DE3sBP044(`H;UloHE z$b{1a(9-n;roDw7pWApRACJcElv?x2mztevKI@42CMwn7f$r;>@rS^tpchck6kA&L zUU_E2HbkbQskA;Cxa z(+>?AyJZuCqIN*Vs|gyn<>wjC48#{YpE}ZvuYIJgT=OIsRb$;w$Bdfu03tsn&goVF za-5Ht@O{m*yJTz9G(4i1&vAN}UA8Qc*75rc3>`uyK9|b#(B5;;A^u((J$Rq48| z#D@Ew za}ZnNqj~P!xr0a5nu7N5l6)qb{dzvD7g_f2@JoSA+_$C3qY~b&j!h0m(dGpINPMki1nc^zE$Pem5a-F;r?WW|$Rj zGiq>s=v%)QwuL_7SDuwnZie{A75GehG|OS+%F-`^CU8t3=!@pHttiL@lfJ**>D|AO z>w5PuV!wdn={=^(`H!C#!s^#KpKh>+sKFLC=Zy;8j zhJ1T-yTjLeHgN5cC9i}_F@y9sWSjh>T*n;(Ik|y5Q((gjlySWavd5jXf_}+H-hh79 zNI0JlOX(9|Vi|N4ZT;grzX*~CR9%iKRVB7ngN`8@yY<2lgPq`9+mPkF7lL=`-Y2r! 
zClBNb$+BwDk0UO^4VzJ$&E8{4jHOq%Z=wcUZ&5g^WfT>avUk|r%$(RZEM}hBnp`|D zo`>uxb_2l!7^L#T#x4?+if^&!U62%u3!nc>P59YDlYW8_N|c;CW{J^1fX9!I_nz0t zr37({rxDF?8zvsQ;PVykqBy#CgFekvan;T4u`wGHaPUOAn6$m{w!{9fOmdkEtoiYC zM^NTVo9R79w-PQoX6qmAc_MA3ymmb)#&tiUC)REXRonEUuI3Cd-|Py8I}Hc$o3DSn zI?r<9IBT((uo#pl1H&|M1&XQz@!@c%q&3UW_abO71&pxY5Skau|MKxWl~JwFds=Jt z3rf`Ayq1*W$u0{}SAx`Dv8V+;j8+7{+ilX5x3v70L|$&eU{9XK+%9BxwTAr1UuL;y z{Yz~Sno?mpbKDR4Lusl#6<5^dduL~|06`X9wjIF%p3?DY4?wHvVSW;$T^E|P!Qd%J z1RZ7>*O?-I?d>nK;H@^$3sOzJI1iZ`FHbP~9o<1cc4tn5JKk4o6{wg@K#7g-wL#-` zMVwUt%{o{{OR?#iIDUcL^nQHecm?I=wNjzM`q8lo$RLj^qZhDk-0dUsY{sfSO+qzr zvOHD4kNTMMf2-Z8%O+t0I%HK9JiH zKGv#zDv6>mhHKTYe{YCrz;|kPur1KA>O6URiMIF5G3fsKHO2eSnV^%ExTIS9aV5kT zXy5kPz5qkVt5xg{85tP_oe*rGe}KEX-u01GxKnU(N|mQGkLfjOa@Oy}QW#k*8xP>z4xYPrIOY zPtDsODE|0cTsnECrL6IDa2#6dFt!Le|Bd3+T+jEn_$2aC=H1&|%EXUD0KIx&kEtnw z-y|c)UcBs*!6>r5+RIxQ_R?4t58%8-aY0eHVuSeIqJfjR z%qzv3m&$L^*4i&EZgDr!zF~ZP>gE)opSKIaIMClOG)KpNOqS;N3nYrFA*N(2!k1v`{jk=a%mK z4+wu*3JPc?JvKidUwr1V~49a^_Idbz}-Tu0{;QL}JgmDC5jUog*T4}WmDr#cmh#OZ@8 znEeRH{5ZdtT8$%oir>32r!2LFL7&q=Co57>G?GcVyoOL5MtHVLP5-ny^4*@o_>Slb z(3LJ*{|K2YOdnoxLDI;%h~DzWB!^KU2wKj3ehQqeuvil=ZBdpdRSTPt8V@Ovo38ob zR6T9T{s^?Wo;t4KOCBkb5hy7X+Jcms`n@l$(Gn=Ug_3_4`1^^Ykjs9galA1=+(TeZ zb%E$mTVwYrpxr|kVsvQGwDE%6V&#|HVOP3*vvwXStTjufQSVv=_hOlh_Pj2|EpMd` zzStw~?vu}-X09Ep8#_P`42=8qaSzY!NNxLg5HBMb1Y=M9N&EgCMV@zE+-(9u9Ez-6 z;~2LgU_?D`{~b0^HYNORq>z+}wF;uz#SSkQ&)lcuD8|fuBkCQs8;7bP6?7Y-R`(ED z&wPqR)VA}xKc=ruA~;t?*yW)hI}ITC3e&HbM1MM5zZEF zQX3MlZw0?~h1B%}qaVImzUM`ykHeK;>Eyk4XL(FuGcJ(*!G+!!+QGcJ)h{?1)z#g( z+z+r>MeCn{mC*K}Uf#M?!7pncnMtxkjzO#eYy7v zon6-!saN%jJ@-%p8~NF-$H;f?g_({GqHce_EWdts;2>J!!`3B!&!YbflK%{$jn}Wn zOSweeHFQ{CKCFl{P9{=s61wH7($O?ene*Q=6+yNRisUH+HLb-qPi-oz?`gC;ova}; zZ3C^n1ahexzWWHGE{c$$*}-i>NL@kIPHECiN;}Vr2en-P6JP)1`~x_ePKjbDCWD>r zd;Fz*L^`nek7V6ra18?5uR^k{dg66LQg6~-chYPa{f=id2jqC)Rq>p|1N!XjT(M+@ z9qxS2I7e`Abc?F5(e1FbJ6igj=np#~%&Zc@lN{qiSQ|w_*d9qQHC_KRhLY9oul)A5 zJEAjNj}3N6(9W}-<=tw@Elz(OuDZ3e9aFpEjTHY&Vxi!t%A?Q2#ufl|aewQDkhr^? 
zHn~`PvmT%|b3QxbC__r${4w+$lZN4gD^K=0J|zZn%A^6J^5d|Zq7HzxW-+?nu|1(E z>eDjxE4K(wbAEP;Y=i7JS1D6nhO1{mHhkyH+m@?^An_3A=Tl>$OG+Uk>&y zyR0!;xs;j}4_uI^r@#oD`V&XKmTc21FC4(dULs}nMeRP(S7|u<>?=_ICKMOB&9Qn3 zrb^G=;U6r;`b3>W6>Ei1S*9Se6)o4Zy=4TJVT?&?qc?kB2!|2%ZdJ1Tge<=H8=K?& zh7Tlb9c<+^9NV({lbz5nozfBVyq@0P>Z6?^uE`G$I4 zWED=#?8CJU?N^oz3_N(pF;9&@=I-qh8=A#f$wOXfWqRK zP0MC}?g>K9%00-R$LT+@kHpfk0%#N*0A!**^^hW8SB1X(8Vew8v6S=8D122JM+?=i zf3J_v#n#egZS3>uI6{p|_&i}@@C1Q4Awi|tBp-t%O;sY?!K(WfbK)FNL3G&?`^LhC z6IX#%3Rcjh!4!j-lCB}Q&k&EjNH>Degc+Lp^v^YD>)yYkn1;D!*#jGECT|bGx z+$W^bd1lEIuBAYDC1IYmK{t18IrOh~_vf1zqr>VIXFmL!ZU6m|fL!QdZ6m-JIzlko zK}_ITRRgkuT|){CdG;iHe>yW+%mKz#+GDIK31@}2)p;7m7`lA#u-(17%nV?}NnzWG zWCOEe`<;;+n-Rvrn&Ju?QW*bfj0`EaWZC1aszzFUV{x>R zT2S#x_v1loNdO~-YuRZz&AN*(68e5BX9^wKva^#7t}jP+sN@?t1$6B;LXFm7=M)|n z>s{}UWo9VFuGd)c&yO3Jt-BCaJJ=IvHrM%?A79vN<+`O}Pl3a{0LU0+)yNe{u!j@O z8q5g3nQtI?J=XFy#y`JLsVMum^qJ&W`h0fk0n;(_-v2P>b(>QKPkDMFb6$u!nvdvn z=u0RFkr(_>fyc03=kx75THyVb<-ifi2)d0FH$#{Fu2h#~9GO>|aE`J@BIKZyZ*2}B z9ld>n$UAN*{3Gw=zWQxYL3XjL_agc5Cr;kDo%-da2`fnR{s>6i360`>>rz<>Qv@wr z_A**r`5*7_pFe8(l>S5^?r!*<0+10{XTp{=9WvFTXl*wE$c>cBtxpDPTDr$##&@_3 z_3M8D#sB=&`0VN@KrspK z5f|Ta#OamuxOr#4?X{nX#-H0tOmuVtI%=qL_S$=KcjyNF04;ufuYo`T+dVLcZHRrc zzf5d9k76@9Y%(F=6aJY&{mXqNrW&v`u+{;Q0pj4)jb6{V>d8d}l zJs95<{;|*M#1Di=X+^dUkNy{(Tn%CA6_F-YU*)eQ#ycaKizhcaNviB1FKI?-Bq@($ z&y6-$l&A!3n52IIVAi^I6DIey+*O?e>DHY8K`vuU*6CaOOqHE^kB-(8t|tP(I+u>{ zw$0^w&e>evk&76cNuHwK!w0U!&ED+!HT#a|CYoiB_nqzT!dx2mKdlhF4?o;zw^Rn(_#~jyx$~9kDOTEWvwZ!Xl7fnUtXV$RdZZx6HOO1d|(Gl99 zW%!^DXwh;)KrkZN(pz1m>l?MqA3L8GbB@27sJ^{7sCiIh=(49!HvPSOJ;3=@n0|5f+(BlRMw*!N;hO!SlFx2=?R)?Y zw5=shSk=TNjY}ns4UA^swTBQ`>+MxMgIy>}u zUljSs$Z=i!R9uN+D!y)~z6F|w&vu(4c21nyEY~o3KJ^3cW>QXGx#PRH4xOJU@BLUa zK9lKw`95S?0w1IAd`9e-KDCb~5|+z;4n>(SIBEx{J|M+SZEfEPY6+ybw84GU^j$SE zf9~+Sx|BEq)7p>^I82msDO*G&@xmL)KhzH&$fzboN5?A38x`SC!tbS6Pq?;1@}-Vh zZ6))(i?sU9LiKBXbvYAy&xDzUM^~^xsq!H`N$ro!u>1O=Ko7eKSphL-(Z4q%U&y%R zejv|Kr&{drh;ny6T6HqtK4K}sLfJ}TUDdqSwJ>fZ&n_k`bVqdxWyE7#9uU$Vzc36D 
zXl^&VhAPLJTcP$mFcSyqA<}#N`3YVL(NBjH-s}|QSTDW6cw;m$?yGqN_@!4#YQb=j zm}FijJ#Ko+I+Zde@MZSMsNxV9Q?bWMS&R&mbcmKx&P?lnUY7@HlcVJR^Dz27zVT=` z|HI>T8Hr=I9{(%FU!>}TTJVa#G+jN7!Z$XR}G)S>-nV5do#Y$}{N&1qO$kzK3t?YGx}N9P77;r(x1ukFdD(reO4JMCO3FG7Bqfg^ZFCaBl|& zemI4eoCns=3s|v7bGv1UNI(6|yI-f1wr9na>YjL63TKxeG1)tDqjr_}PVnwtf%EW+()NXsh4TS6 z3Xh^~qaz2-v8UHT^K{2e3~p~}5_GK7cEc*{`G_b}sZt@R)0=2Uyj^}W@d=mYyuLCe z_4_^Np}FdwGZFB`30c1?J`>Zyd(+V{Ed0H*_6$Ot0MdmvL{%~Vb_r!0=gCuj0!xl% zw12+jBhZGW{A`cV$sc257~;3er7f2-2zvExm51b6$yKq2v_XW40bE0BF96q3#fYc* zXk;+OIR#sLAR1jdDJYc<`GvwkY9cyJYK}OKrM$JS?1({1I*S z``F49q;yx{Y4;BmQW2Ib4wfa3_GxCimm*B#d^O$~?Fw-vIr_~->!_Nz1q#-Crma+? zH?$fSMF#3UQh0g{7o1%!BvCAf1=_2X{cX;?Vnzi`*3uc!)OQc9jMl1$q;}Qw4cw!g zMH0z7yL(~|u7a~|QGwa}>&(jid={!r2ja@N8YSZS8HVm$Kw6Fr1q_=uMJo)*wn$%` z)H%l{+qBT!Wa;Zm``Z*f{{t2d`R%X5M*`lT!4Y-llt8Y=`^ouPQt}=Q`si+;>T@(S3w8bJVlbB!d$TUB>qKUk&|Czl|-<^O0Vk6L4B) z#*wv-zt|6F61{7S93BS33}(as^1-+1MBTg+d&@{o-@Wrr`|YirUQ-@0wd*2cE*@X@ zQiLkkTg6vn@XW?6lI)MXOp0svb4OpfT)zBeoY2dqD`fUoRPt@n^026jo$nkD#- zwDVgv#Shti@gM}$w|1Ssez4l>TQ0l*C6x2nw&T)Mbe+kiyvFy+MXyMBSUEd?gj!Mj z#8x2Q`5;Qeg$JdolF~GAFXfQt*E&D1yjRzm?SyiPG!T}%Cc5V;%P3@%ZMRmE z~MP0b{Kbd@;&wa~}wrlOHODpZJ^~|f`XJ?!V>u3EV$HVEt+z#wArvZE0K({kB(P zSP#!0{;g)4G?TYht_Cef*27D25zX(E%*|mHRh6nBqql{~Qaxim*i%n}i54llN3UW7 z<*gmOPxZoO>KcbNr~ZYgsv&g+u3--JD&=O`a9lTgGx5xU~(?JZ+<2 z7CCRUvsZi)zrWRM?0I9aK2^oIyw=#R7Jm{iWIDl_AYq!Uqx(eZ$rG3kd4BZgASVn4 z^Mzx|9{KntK#e1ZZ4kje@hARzo`Sb&r&&evPg*Z}XV? zm^|<}(nyD!O@Jrrjbon5hN^G$0{ZaAz{s@A_6|-UfgeYL$bXx3Cj`EOt}q7{)eD?< zmtC%5DT%7pz?SI#?5bncr9q&ePdveyWcCS+v*RVgbguUmh9*w#pwhCOd%12dKt=cO?U zG>P>j4cw&Irlw4k+1eiNZ66VeQ~iDru7pWmR{!XoI!8$!6{Ia?uBlk!J9D1>8Kg2^ zv;Hz#^RnC>CbDYyHYQXFk@K6;`D^mRzELMhd@6S6F}r7ECt`{sgJNhp?mmdoEb! 
zI+TIEt0TqP`b6cz*5-!4wrQ{yp7ZrNzohk_+4kHUNQ^Q{^gElD(~uSa+$Oo|;m3>m zHkuMR>j~Cc8lnna>_K-=R9gp04I3WW;>uN();<0`K#wCMDzUhRnin&)7qR3M;MG)J zJjH{kx1<3t)n4Q&@!Ivx-V10@`JRv#`{oOW>Qmz{bC;92n^A{0Rz6!AV7h%=c5U&) z?7Y^VEcqntKIVrGIBE-VZGU%TbbDN^D4eHl*$jc%gmx3^a{tjo_s8S$E51Il+2s+t z^0%eczc<+Z^|NYyPWmS*ipQfl-sVPG)n>5BjejT{8Aba;zHmpLoK18=-y17zy1{i_ zQvJ53cVM)7n!U!g-iZ2C9!%lXZEl;i$Z>^+m{om>#uW2Y#mx%YC4)V4T~>Jm-V;>1 zOtDtkZt=>+M!|v$2KGMsfx^=}14iZAu2Xmyu4LDs=&t&Q>z~6T3*TsQCAbt(hKL&_ z#u7>@N(}BwhF)HHuxU&$!esZon(a*pnPsuVuFt|HO?T*H%y=8-CHS`s|I9w0IJuax zZ#H(UtN#aH9Py_Ea94o)!VrtI(Ps)1CS}E?2yN^&5~Y&E@!P;7e|a-?o}a_A#*^JB)B<;%Y7p*3Dl;ARSQDwMy=&kDD^>8`XVq7 zXkqK8mPU;F(t6a_N#WU;q?6j{i*Nd{O8WySt|DG(F2*F|$QivjrT!tPlJT%vI~P57 z4BAIktV)ujyVE`6VJ1(qmPgBVKyKg81 zzM{q8CDNKv5^<2;iO?|UUVyy%AC*0wm^kP>u{Wt{vS+2{3# zA+eG9c`EZ0HrdZdb&w6va&>)S?zk4+)wq!u((Ky&{+1wo#uO@hVOZ}?_X;S*R8c*? zN7wAQb66AT5L<7)l5r0V0sVjc4wN-sf0(Yi(7oJJ}aRF4X5JBm|p;^(Sb?9_aqtC4O?v<L4$Yf8K0I@A*Vtn5v6CX&LE|{w-$kf@y2SO zEa0<>xRE-lvTdeqHSw`WS}qU z1I0u*dmGZhEn_@Bta=qJvYJo=!1fe=b3Vz_mo>sA=WCQTn!Fuc>pT8ROtDl9b;{-d z86~x7HuB0p(e;0UALm$(2tFR8*9bh^<6I}$uOM?2;P>X!0Q2r!jX_zwWfalL;T<@) z0y3;;nwfCvHoJ@N7iJ5c@A(N=Dt+Dw_r=$*Knekn4Cz`Qw2!N;crcO2Ch#>(78j=A zW5;^S_-WMl$l*_$m_h@^_JFM0UR_;19kbfH0&-KJ%E%GQjMNqPITj$uzxRT}q=U5} zT@y9hSuNO8W1+X|O{ArPI|zj=4lu8Q)Vdj|LhtBB2UpIq<%m`%v0n*{){RLQDK1(~ z*c#!L0b4i!v9-8G~QjSdjn6Uc`B>5{x{iK1P zy`SHQy_@H=IEn@V*Cw#hhCACjfyEUJHYggv7Ah}-B^_5};w^6IomTM2-(7bDT2|hA zlwEUsTo!RG9D!3HzL<7?uEO{RR44a3%{07(8f2b)=2gx`GkC4Vv9{i%TaXg)m%+(t zF~fks8W_Az*Gn%#cQUraL}mXtMsn{4@ZLJpVj;r!qz?z~gWooG>!m?bPvo-#!^=1! zoNqa1a3j$NY z`5ITml*n9&J(aTAL^AhNxA7l? 
zqkFOmIYOGfK{1Iv)i=GOif)%0JU6mM452+DktJ4+Lf>~T=fg|1mN+PP-}mn1&zTuY z2qna%tj|sgx0v=OMSMf2v|jP^ClZ}0kA2j50#DbRa1|@Zls`SZnND1Zqn)>W)E*nA zVoO*!!!P`dq3Q_zTMONpA5t*T@HJo%B}MSwWLv+gvsmEyI;oQ4a&8G$SMHp?yHAPW zjryq$Q0qaPqk6>8-Mh#Z5B`t$?7%L=ji;wGpJq!Oo>q7UgY2>*R0XiByK%ILeaQm!4TeKC86B<~kl}_+oenm%S zw^z;lym}frVz=Atwm43SSf1Q7TTHFI-#H(AtMu5l%czeN$R#O_xfc(o15Q5WeRYau z(ExurPh%m3@3#TSX_sg;7_Y1k`O6l>|Jm8Q@coEvtR-F9=6cMkQTBUqr-2z-=ndAW zU=m5YZ2_z}>S-99cj zubByYIR>-QCT@zErz^8 zWvy1VkSHGAgLZ9}M?X<{bJpSef%X5VD;g?4rMmcRADF>$&9;5qwDHvG? zw%<)HSxiy;U_M$B0?m*EVsG0TC}v)AUEb{I>`1D$&x1Xf#KMAxVex=F&PqOC+>;7q zjCF8L)-Y6sp#PG;9+U?Qu$FAVE|(YSpUyY83yxZ2RXx^+*O4_%FUATO#?y(~o3aFkP=Cv9+JakFNuK8_O|lf2m9sF(m6 zI)>0*m?eAG1h76nP~*4D|71QZaitf3#ZHI+)7A7*&IP&Dv4{vEPWSN^Ms=k>`p>Hq z+gt*v23ke9_D9$WqQm>eSNvo-YNn z8@d1t`9_;3y7?UGZgT|#HnNnnkk8NgSoyIZY?lGAeWmt9h1(KyKYMo~p!*!&NP&b=S;}`){-q zLEgLGtppfBlFt}si=J%*T!anw$-uKy##@O>=DN*Y(3IBs{foHG&3Fl-PcHIC_bBAC zi~IQ-D~yjK;jc2hu-!fn10A0ExLRKV4;m%M=ZPmY-5_;Od@~7Y3e10qQNV0;W??FJ zJQpYGTe?9wyPczf$M zw?EjGzp}7H7!liPS`t^vMS|J=@Ufm6oV?14m=J$0PNgNiN@!G1Ebh9yiVc00T7=wl zIfO3uLvLP+tQ-&}iukVyqLx9JVTV6qh!bBSv)|PS{~V#-Vzjql*nz+4~EO)emOvHrR3S z9}1RGQyD%GCjTWx`&aISMJqJ*(8JdwC%#tIiQe{>eK&Dt%mn_4HEc!v^tjgDU3FO= z_NQ*|y}LS{He{v}-hOJ+Gk1IQ0=be@K}6^gzfS3Q5u#wUkVp-Nn;ZW^bVMn=~ev`mKem)p)s`}AZWhFo%qzqLdDe@PU4WtcdGA3F5V z8Xh+uu&o`TZS+;vtS}f^IHj4e98;2X_uehW zo89@4r|S;NLe}ktshHuc;aQ!%W7Xiip%Gfz0ikmJtPoWFB^iWNkmF2%OWU9MxvuB?^L^KZ!9ME~Fwr+XcK$7-Pdc8oRgAMK-NUdhPch)$$U3g6~ zEuqhPSUib`OdT@75VAIkWkQrHV>pDoNcj&pJWW)0y%rx$2(otVJs2NOKUQ{ia1`K@ z%xsQOCNT;t?U?8~&g;2bpj@}9f#Gj_<*`DULmR7LP)c+U$Y}&%oAf!!Qt&7>NY{~e z&-h#*k!k_;x8L{3iZkypICrPywlIMO|MTSV31&(uTtDdR4P`mi-WePGk@Y|I7{7(n zp&A0YjXmcZToH-L(^{4M9(^X1-;asx^fS}0b9$}<4`8Il(*x{l?6?qb1%fJ;0sK?K$YxM~KUuzS#Ec-7cAWjTm~&iCz!60}j_l3!(f zsvS|m#qPsP-$%G>UnybFd2;JGdqve$%8;|Ys=+N*oXnQe)w2gwC)|c+!5aHV$Nm+7 z{TnYJAH0tu+gl@Z5;oj|21DlUdWAtdUB&r}B&T z{>RTK@s57thYMt&7euMsMjH}%~TCX>yTTqPiqc@FfT_}P*&{7n}aWJVlTRMMK!w2G+o5Z#-bnKXcnbZ0f^XPp=y 
z2CY_p+P&d4b1&rP{Nfi*cLSHBSpJ86J_bFYOO?h|TG$NEUneHi;502kpO7sW_|J-{ z|M(cc_T=yI!T90{clQTUKRSe@{Tl3@@M2u<@()80A9jN8dS5gXUq0kQA&xtbb;d{s3Einms1WtkKKV{PMb$K8^9i5bhZ>%r}tHXwuPtQ?@u zW*>Q7D{rje!dGdmHzsS)=fwPgSC-rYkD!mJ#+!mHgVNM9zwE4mpOeNKV%5}>WBy~4 z`^7F;%tMEMe3L+U_TWWW+_%{6C#ODE7_){M(T6S?IS6qv=TeJ&!^QY-_^DG123OCZxGOSa5UaTxtPS{;41(sA}J?cIb%p3VCDqhhbKR z_vsqb^SUcQqsli*k!r=}ZDL(S?Z1sS__@b+caG1oEPW|^{OfJ~!_NQPmlLXSCAYDQ zd46rZs7-4KY zT|3ZI#H=cQLCLyv{=OhXGaUOhdsuO-ZjBRD6OgvCxiMbqVIu{ps`QB6D2FkQDj9+? zmTyzYoCTzZQ%K)*^Tpr`Y($6g%VE!I2tJBSRT}I{H^dJhg6n67pjBB<_J5HfU^x*w zH2rNT=<-cP!9(LO!i}arp1@PZSssv24>S;v3b;5V=01dX_p6zrE@HBRH15oqtiPGI zf35o4C4($2C|R#(a9`-Pxau_w&LIkE>d2D79Nu4NUki!TDloj`;$k>@!xiJ6f|)SC z!n9tt*Fy`4!8vyKU!#q=ZiSDKuh7~F6@M#t8JukId}{cS>3{Ra8n2vWeQ(5Cy0xwm zgk;o40da*r1pY!ghRC$GjZai$9x-#$j9@B`9dbwbLTF`3KeenRi>v--4p-u`K#}hN zA*dnMP3=X(lBA)*CAhI;hfxx7fsG5uewW^_GDgi!B52gnnC|n&z}q3QxWN&_aF1w- zQ{AlxlPCBSeqvodyyLf|^S`yU|7M$^8kb{v*D_0gB&yHTysHVRqLPF0ES~pr0yEqo zBZAdr-pG9Pt|Z}vlOn^Z)qy=$@kxLxTKhM9xQUI8b$J+n@CS17 z(~bk9@~w(r81!!(|6hELg(Gyx&Kckr(BR$a7N+w^NN2o4rw8tHysQ8qaVxezXsOmd z(2zc<5fJ5CT~BWzsZ$3pwt=W_djoOx7<1?OvmNbS^}^eiS{Yv(LP^lx$5y9Gy851O zOT^vRlfTnHfb>j%mZoEwZz@n-oIBy}>h7j32Of{GR6B(a_pCa27mlxJWj!v^)vhbM^if5XAcgXGQ$aMhf;Z*fy&dOofbtlYnDKkPh={lMOkHbR+a(l>E6*tF zTMes@;13L=OFZm%`2B;YtnKNLNhrhkRxE2;9fvR&I*Jt#v z!&;$Vm=dlK56v76nSIDdJP$}=S6+?5POSk+e;n*Ejfxyq=ervd)$-3IUI#DopRUsQ zJz~TAO?8{vA9~-c4oqABc+H@S6*Fjm5|Zk1q};Ss=kjSxtykLe<2k`aAm~g-XWUn2 zp^jK7_t?yrdM;j4#(Gma!;Ve01o({p@qtV1;}o@A6j9UkiK4F7@8eK%FhsGcFd&mkQ{ zZwq>}W!#&#?4a~;KDB6HfoNBuecyrz*H~cf;*IBtnY>&FAjZ=`>YKLh<+DOIqAzZ; z%dhwik=lqgVWHhBk_f!Ra5CVoFsy7!@V0i=)fW@BbCX*`=n?Mrvi{s4HHj$^9a;?b z(0%8v!%`2&V}}LMLYhgotHuFAvy(V}@`-9{4ln4huhTntkbkjae4~D@fnrSmCh}9C zY@G69ZQo^Z9N&H7cX{|TP$=*uF(*2e*QYo*vw@haFMsFGG>(w6r}>CuLLgWLK+7gx zJKI(V=!`+#IqkpQJD2Xm>9D@?I3$U&ys`vfcVrxUS)}rgo?w=kX5a2xmg;GTcr~y4 zUgFM6Lwj+0&=*U5U>A#-FFPbuSN}_$zzk#B47d3MZLi%LjSuXJex&=i-etP|J~XFpKsXEA3L@V 
zYY&3i81@unzTmQ~40!)xr=mR$vxW^fJW_eBlx8GmMVAdOw@pm14E>@pQO$jv2;bzm z8>qRU+?y&`+_*F#+p#Tk7Rbl(1B{d;>h%tcd=d54Ux{7*s>kJpp~M00>X4x*&0H5Oh4eUH$^TXkcha6pfdx(ann>@+cNCo$SAaF=du)8d{8*pL z_gqwQ?iNEeB7Nb-Qdj$NLgZ7u1fgZo>l+!0b{%Y|kG9SpWQ}5(kI?73G?_ZG{nOL= zfB(bd)=>&!7m;*)J}0{(nV`1LFjkQ#Se$u;{^VotqunYY$rn@{^v0bDOWcE#raDRSNdtXYyeTV#?&9(Jv}%3vWlgjveG}{tiK*avAC; z>5Jn=JA6zo%ET(l@V($Lh8)jpmx)#kfYG~TFfM`((o7c$i1&aDdn`uPL^m5n5JabE zRxM??M|@msTeG#Ry$dZocDrS=c12lO#Pj{KKp^c-B$Qj_km|P5*gBj|x2pyY_BRiC zp~4*8jS3Og6yJTT;EQ{O8w9Dye8kngtzA@&$UYike)b^Si&zLf&)&>i@ZzpWZFG#XmP2>PxkNudmH;3v-F zX<7=PM-?~!O8)G~X+R$Keog|9n0)>HOp%biWy<9h{L8;Z%#(${=PYLljcZ;H_sjeupKIRLu8I+oI>06tPsDoP-pc4W6l6p-=yZuRQv0 z=(bDtb%j0g?HW)}(9G$@g=McOodZ_zYa`qR4zoLEmtq$>=9xI2W=lGHosfH?SpLU- z)i_a0%dv`9S^yk|%q0xHe#nizV_VyWXJ-c5P-};-*IL$`ufT@BY|FWtSF)3S*~?oX z*ma>2f)QtD&u;HZ$XuE+kqD`AOi4};yN;;iGG#aH;!QN%CmR8S7R46b#zZmLOVv)7 z97mr`CC*rc=pWPSxdEtE_dyAu_@P;or?V{7j^f0>XGFXPt6rCWJ%N-urhBj>jiS>O zXiRwEr4Rpzjej@mKY^w^hJMm(1^7unVC~cGPv6c6NSr(Z&+^GU!*S-RY4H^D_HgZ| z8{KHj)AF^J+0whet6oDdnW*Pg8LlB2t%Sl3In&e?-kxw&dkx*DV`9oD}){F@D|b1oB3ghslhY2 z7gyw!po~kqq3C%w9?=%5zLfXXG^Ii91K`-lTT985-Va14+69QmM{u}1;@H)liZcea z`tOaXPnZ>RL={@hOag{(3-Z@tKV168(&dru@xuAF)w}C84->XX!Gbw%?^wYi#HOE< zRR3lqvGzX!dz8*e=^u~JuMZuZD-Xw`2I&%71qSC+DpFrtS9BE>P3nli4~2%F{y`B^ z<-dKqrzx|8_mo z8|+?Ta${l+yzFgNtpEi=A?gq#h z8L+M2Kvw7w%b-cE7Q8Z{O8~r&xA&21=-47v=3$&546gl%lVbUZ6SqP%Z5up>&YCP; zU%vwVEH9kqm7dsFeRKVNJhbhu^7p$Pe6pJ7Ehw~-wZFPzWicsilDbDE*u)W)>K`0g z5Rb*Aab|c%Cx4i@DfQlO`^LAB)(Hx~7t}gLq>kY@=_O_65&_A_8#_6`6@K~eTl=KJ z?kp`q@=;Y`_@7Ob`h8mt9nnUrL*Y4UpBLw~H@v$xTF!FJX@~XsqW!Dg>uoPKT^yWR zTxR>->KR|FKRQ{1UZYcF#*HDj*yxJ08r--=hVCne8~w zsrw}}3g+4=jHwEEBb|DPgda)KGd4|7Fqp^`bYm>@_VLr7?loj*Kh0>F2E>N*XB7FGrLU*w#?3tC-f8<1;m^& zme)ORPSH%a4Zc<5w|XqRIS^|Fv+q#BRD`6_^o*ZhkvTewF02|3eOWR*Ut7Z)G8U3U z(>JvI78pCwPX_G=B;JULe*Nb?`X^S}5O*y$Axo6hr>Fq-udAzDUz;_CCz(EJP-kW- ze1Gm;Vf2E(hx}VUwx|O?OB+Ed7y5*CLiUeQ*^^kdBb7pLB2SH-e@Aqx9qcC)FK^tf 
z@!*9{)O#2WV)DVuW*_-f%f-mSE6ReU-y9Nj=rv0T`;?HsygA-WnPxzjl0i5P$Z2sLBU-;>Z=PgUwf1&a3CimaLSN7xNTVg0_f zYhGF}x*fva8zvQRcHthWjMaM2%NF8-5y%fR@JQn{Av148?AK3aR}c^KSrqoXgtLO; zk=^y`OW7#vbPLf0RqrD;C5kMVVVP0tk0@rcGu~HlFh4byT>C~7wmt{Se~b~{`b?so zV(h0P&q%+T?M`i2FjjF9=v z%S4m#bY93@0V78?Kmbyh&+psED~JSW7wxJ zawC*}!NGqhM`<{9X)W2?_%)!5F2-}m|2oSvIzfs2c=rCY+>wU^yKbEN^~FDN`lI$? zHCZf(o$*nI#|r=O7+dsY3jYT3g^%)nsjgHqPw$yF#y3nvLywB=h{^ikBA?+&@g9VD zQal&Dy+5HOscFX4fPd#|hX}V=i-WT+DPkT58KYfXx^)HH#(I;C9~x}(y-9-2rf)tD zBqU5My)ltly(XL$l00YjI^{#H0BU?C*$Vjhn<_BqyUpTg`5yt;@!G+m;Hb$GG2j$Z zs|GT4T@=KTKE3Iu|GmmT-c<2^r?buF?Muu(L^sRxB@?I+P zi?nQc`=Gwf-<;Q(cf2o=t)epbU-|FJT&G^ z8v7Rz=cItBNDq_1)*}~h27+XVlaK#XxLhDbT5Fp69#%<#3od`xGRA3#GzjNG; zyoj#aS?7+_fo59g%iYc%3;4EE+fU-q+Jjvli7>S839w@8oKTz^(w&99t-agXsdrgi z+~WNC^n7Q(y5(_z2xtTxKU}dzmkwHp)l2iETu+k^c{Qf}0%vS)o-8dbt6R4{Uh5Qj zJ#gminBx}YUCD=A$p%@HHb(OJt6acr7~@gSvmE0xLqo$|B=I`IK2>tO4|!t)^)xIj zNWmE|o#s1qhP~<@uz20e+o@|Ss}x9r_&YQ^`|q_R;r(P1&`-uz?RM|ou%CFSu=rz4 za$Gs5^QDQf*tPi90_VbFP;5CtuIufUF4&|pJlvCY&ilMWJ-om$?P^|k*|{6FRuODG z0stJY6svqZm^Z+-4pR5QrflX(rELF{=E}`JwcRrvy}e#ht~jtp|@cFPQ1732E$ zGT49H-ydJi8fQa_>e>l$b#)z^CsW^0EE8&0u91R6K5S>_$ohvpteKz$4T8EVvhXhC z6T4DD+ZsQzRfbl}!>QD_YUmSfvsYMMigy;heYP9^2lqTY!FzylnFa4c|jbimE`$yiZ zsC(|)0 z{97vX9XrS3+l6DB;@a95iuSD2%~b?Yy!C(3n91o5Nq90-hMZ<~L{0Cr*nm!SpdK~N^RfJ4ZW+ectdD% zc@=h;b`ibjn@kACQ?i?WWOWf!oqRn|m)EvxD0{kATmvbTR$foeO6eNvm?ca5+^h86 z72BTWA$MxVsMPg^KD7V@)CaBMES@<${Mrjuz9zSi7q4&~?Y~w{`Re`cE2&qauT&n> z+jHNuBWMg9R)h8%6kTuXLR6bc?k*I1Z8~wLvKPDP8yW4WmGLPBYK_|LPW~vHYOmnI zrzns;T8eiOQ0OhUZ6XiePrYoew#+!$4?r~^Xc$xh;A-gtk+aUUhA@ZnsWWLr6sAgHF11nSsls-Lo|p~PiGE3 zDB=xr{lj%T`xw*L?ay_5oAaHBJr9d2MuG>$LqKYGFJGUC{H$I(a-x;o zRdwT%6MmyZGU#6Ut8=oSgUq_-m>mWosW~}9Y?N=Dz;7CjFOxuXWwyJ0{Ge5)-QYYv z7OyQJX^u7!t}D}W@V45tgZoI!e2#s_Lf^!G-KKb{$M^M7u}I8C-=@&V?)kmCe-3ER zbsur-FUzQC>=FEEskS`uBE@Lzk-^EDDS@~ohw$br1E*M$mI+K2+DB036*;*CM{U;r z-uTIAu`#a^sD958_U9o3ZLkOU>i8^M*CXA>ofd>?(b0y!`lQCGq|xCB7QnbQ{2n_-*g7?P+KGZ!xeV6?FHA 
z5q=#TAz}AsTZim6Z1;X-tS=%cb}?|jw&K82|JB9a)vobS_QO&Bu8&B`8CdG0Ig+2_`P)G}f6uhVyrQTV2$9g+PQR_)TYa)qq3 z+iQryPTGfkNO&-QH~b^}9uDn);1eVsh6z3SBz!^YkJJAC_G}qP z88=ro%)>u!9wXTd*A`HMbAY*ohq$#G*PX6Pr@<`Sl$sRY*xqqN*^{aWuf$h13u^g3 z>xBiNWS`0*-9c`BN9-lFGp#Q#~i%gd5~vzi_4H@^zsD#vw7v zKr4hU8^><`MOybyB&0#()Vr%9Nvlxepox{&G(45B{ifc_sO3V$7tL!s#7VGG1CSBIb@%c}cQ-?vflee$5xkDFcy=cBL(A6(DX&cWek0yOFe!*nady(*c^*YvoS(fH!_m_8g{wR+n zgOk0LoSl?l`$WNJ3(6$CUkS1r&kCi!S-$tf1&G_K+1T{a)u1)P?+zPxC6cKrEJ~#F z!soz8270FQ7}z68KL|%tX7SBhHD|o>RSA`#F9V9G{O{jdO1GokyOIN;jzPRBm#*H)h=@~mDR5I_&1iKrR7qX1NTH?z6{Z)ij;P0(EqXVN} z1z{_lKHs)Ypv(*!@&{GYGD1l^-=N6=HtL-k0_YMIS3LSAJWQphkhLcX$$u2bKJ%-3 z*?#>nbwB;LPS=0pb3^6o8g@%iZ>Oe75v|VE+vM!wAbGPgXRjD%pp*L;@}dKQVCIerm$6H^LaTRy_? zHNo9t`$9I=dRFghg|tW(6SI#^-a}h*sO;9dPL^uQx??Y*Km%qn{!rFNiRYsXezpESp;Wn*5PtXzf_&tTi{XS7PBK_c)T(rXQagE_Th=}0bw;J0 zu`z+==p8T4T# zb+v(?$8lqonZ42WYmIf*Kct1-CQP0Va4b$(|p`m zkCZ;2@6)PlBER!+@dK77gcncl<*}|cs&UKEOI0xJ z+!l&2(O+<3H+(e&MXR+4Vw~N%STC#2Z)^<4Z|0NSryiFnlbb|_ZNsx2$fGjIav}#`l^bY z+};Q`<9guL(*6)h&R#Xq3VdT*cC@ImsPctAAzxPNx6R$fBr}lHYynvCU0@OQWW?96 zH`&|oyQ*Gp-2Vm~+`hB_VbML@x2RUXErx>I8(|2zqb zpPk-Sx}5JWk;#XoFn z?vyv);whPLO@yrlI5^l(uzI`eKMKlENeQ-d4(L+~DFGSinvWX+jk zWazjJ=J?G@*3+0ljKHQopA7u1c&sXE3TJaD_#DX1n!#yBkf{8V?QDG_EsYxp#N`OJ z4B~aSKSbp}{@M|5YCf$xZ&()xikHTK4l@B241ZeSfQ{RvKfX873j$t2=BPyweFCpK^9E zWZKvzmDmxWb6BIrXl|=}$oIUhA+t(1<3$lM1@VfVRxC~25r{Xe=+SEu+gzYvt_@wUDWXVB1&XHYcc+ZGW5UEt+rCh24X3GCag_S8o{p8m zk@@=XwxyI73)85Bf;;H>_d~Tl%`J(6V0?g7XPN=+)m-(Sw9A}%Wu}DkBM9h|iQg~lxOo?(U z=9@(4NDYdX0;&DaU2+12i0(Q}BUAg=d92O# z{1UdGsHz1hOCnH4JR@iUuz}^dA;c!+4-HLkIgn=*<@|4L*j$%m_pl6HNQH_6Q~u3T z|75+(hU(Dr)z9qFFTe%xj8)Me$_ww%Yont>rya=w;u44Z<}-O&c}I+jdI~4VYPB8+ zYI$Q$w=lZUBE+VIr8t_Af_HT3YMIYU8y~{&yBYCKrA(7XdqeDP+)6V2hJ`;F?mb{3 zp9$ji!KnY3qHJgLb658%K6?2I*WB?rt~I1U7N59P1)n@A1t4p5CUxhFwNf0|7mJi%|~Ml^O@&& zH8|MRzQ3Z~{#PJt+(om`go@{hM^r-hG;?+WT-W^dOfytydAP55mQG&Vk3NXTc@6B( z5p)HjN@1>ZyyRdd8j5OeQ%{f0UF=<6-NolvM(0^`1!9-PCsGzId&{y 
z3A|(mG7=4WFoPNT8lIe^>J&CNw@@fOKq%Sm7FW{>;kjY8ikAgXa%?j+#`ow8$+^vd1TN(9bQ3`GGO0DkThP+8V`J54So0c&~pp$|P#H2ffkx$Um4EF}ma6 zY!oG`cJ3Lfn|axDWRJ4$XxOdW@9Dt1T#Cl+S8Wtf1PXiKz&+;+YH8I4Zwz_8HysDW z)_u*kw9*kd93>BION!7pqFjfe7M+8%#rA8tZJ(h z-{toE8>qn0bv!TEX{bUe1C7==Sd5>nu3m)J7sx0cWuV)fls~HPbo9@~h<0`f=ym~g z-+BK;uW{9)U8AQ)Uq!F^4~>NxbsL0ZzmMcm0BGYWsWqvuV|*&;5A*$X2MltL!8_hB zc`o_xxcWxN$UgkSCLcQCZATde?I%MQxKCn&xG6%bsuq+zgOPA>35XSABiWrn!q%OJ z-pAgxHJGl>4zN+#SCRalSJ@GpP(nJ==e?eff|)~HF07F`dZz7q@O|u^^%o`AX)IA_H}B?G76X=S zf~?FZH$p7^c1K`k_K~c&`g%nY<2~EjyN&lW1fdJ)%ZPxgjjfGQb%F;VM4&s8w9`1N zF)4i%`;-}e{a#4F&1zf^Edp<;-B?I)8lPWHI5iKo^3so_m8eFtr)|(*RsClF&^WGiNDj9`{{Ivok2o@JRM-+_XTc8X_0 z17crI@CEtUUq-{bX|FNRYH)9uXDLT!7nQA2?gs@17!#3he|wKk?t%Gx4fKrbb)I%2 z`F|cYCUKPB;E;C?A1bTg&N-o?lKG+D95MGxLVb+WU?4EYnm6ElA0enBB}`@_@AUS9bg6Fyv!UTs=d zPguZm%t}Osrx;VSeY?+cJta=yDR9!0!ch7zlw*qu#IpT-V}h=}O# zJtnc4Mv;|lNBYk#=D`iy07`yeTFcsXbBDmJspgv%3;qLsbINW}3*o*pxCvjk&2Sh+;UFkuxm&=GoXC^N{*EHttJFG|9wSZ?S~TuX;)b#@2a0 zL$w!u`=+jJ_Tj{Xd9s{|dqFD~AnK$C?9` z*rKQLn7X*GbvVcJc-{UinG$>@B7JSmag)z0wD{wr0tE$0;=e$IPDRsAI7FOFMQadquMB)nG$E}`g$iu%6sSX_B0BSJSGKiHG-|) zpkf+)z#?8+uBgy!7Z%8^>clAjKRq!`1bUPX;oHQYYe|>A=|%UBT01$R>ZbVasPRp< z2W5tNYqz|l9-dP#4&P3ZGrFl*0Z#Ts??xvYq+irDuEWs3&AHB?*{b(5>l(N{@7P}3 z=nFt zovqbl2joAhmBBze*-D3g>z+)zOlubtR59H8Gxhw1+Xtq-E81_{ke^)|a8+ETWAhH6 zT)2^R`x(P0(=WqqOk!=albZI>K!uadCI5%D?~ZCJTi;d`aX`gFlWs+%iPEHt1qC5W z3q1(Zn@I1XqX-C$B1KAqAcP+2Ef5`=(n7BidM^P2gpk5_GIK3+b;A9v_5F8N$~k+# z^?9HD?tPY=W-q|;6Vubzt%QZ24_|%Po*>cLF~C-dLn6Q2B#ioLE-vz{Vj+~b$oV<- z2_CTV>GE=4iu==7V<)}Qa-vZ}!?KWomHENRj}2_sH&WhEHlli#cQI-K`B$R$DGn5w z8!*zoCfOjh#zY)Mn{6q|0{DAl!t>nxmai0pMQa&;;O%C>We$6VE(_A&LF{WG(Kmq^ z@XHzF%xk{m$)eDY|J3WLYi5yGx~#$jxZUm-JMl^LT)V%0>B@{je}6~Cy<&#}pVZg4 z{MzUg~eaIjnD|slHt)fyyTVr-lnGyF=H5GPYkidPgI%#G`Wg z_4r|n0A^) zMMb|rOcPm`&(q+7#D)oDH^>;!G&k%NPk)TaXVnhe(^TwG>~!bLkkoDO@tG3g!wN>% zc*{)k{h`-%%x*Z{0n`kRVUr||kG;_LczYl1P;A6LE4+Q(=l zGW1zHYWcDQts?sm^D9469zG^R3~XQYB^ICh&qu&P3V(n1&kLRX@03w?VD0heeffnr 
z0WUCDwqgJ1p(%wvzm*`Y?}pyK7{1SR71<`I60%?v)7-`W#zTC00V?i{OW2%yHOW^N zAEP_J1V`$?#vSJ8#N1C6V!Q2nBa$kGLdDiy)%Zl0rH4uI&GsjewUwBSXI|s;&Y|h` zqpbE03Acu?qVRHjA%gw34G?0z=lLw(RRtY!7Xz!++7(@p9j4sZSsu5LRS+|+X*xIU zy2J{tyzaT3a~aQA0k2EjG@YNrtK&bp4P{^{X>vX$%iaUzv`x&6tox}WfDFFQbL1$~ zYkFz$!4%E)*~Z5SxO7W`jxh%AkfC+Gn19W$jC2lLnDjfeG*r6*R2vixs(pJtZ%Ep6}ToIrbqdc)V{Zi6B1O|0!+!&rZ(Hxoqg~ z0dsB#I2F#uv!N7kn0Tvt%xxXK3s&NHe{SJx8seY56uCzzfIApsaO`Dn+R05hd+h_~ zK#NTx9c$&P;^*YiERAZjJvZEK+q&{3eWzaIUW@4zALXj2Hbo0-G@uNKk(mFa1M*khP)7f zn(EozT_jdiVy>p$8a$0zd)5mj(2o^V@R288YN8_TCkd||Q#(J~p-&&|&{eXRtx6W1 zyWMOxGjNYj5C5FXE_cjX`#~vw zS;qnvuOzzkPOr=h%o(i@4c@s4?yu5^4yg-xS|3Ee(|*#EEnx-C4T}mkG~X^zE!1uY zH&k0P*T>moj#}geSadOS9zDhWg}WwQH1s7Hsknjg+Gn}j-NJk@qA@CaP;%k^6;*f^ zXeMjd+M&la4dFaPpQEj=%=7HkW>Ut+Jv3&xLNqE_%$VtF$A3)o(G<{xK8Go7xluST zWeF}J$x~iLBd4av>e+$Aeru4bN{wAU=&IoJ{7i4$RJszJD)S9>JsOEMx=m<3eS7q@ zgZ*MgUaEpyH#$CIYH?{5O7b3RHx=C=ceIxk-w7COK}2kAZSX1QTMo8vGQ+m~*u1Js zTQ2s3CjzI3{mx+sG15A(*LBj_s-=DG5K||9n6|R#{t1^B9(w86X!hwmEuAAaCU+sv zPotl-h3#QkvZh0$1@>1-ULbB#stg_xQVq;DarxG>RpKk_DBe@krhHFsyok8VqyAZI( z)xViNehv50uVYmi+Y=rmbw^>pLbhmqBs_-o;~IS;NpD{_=R4T?c{kzg#(keC;GFY_ zbD(M5JG$>t9dhjOBTO$egZ$0Me|6C&8062hHyIr-UaURtR^q~#lkK6AAY0zFr%l>9 z_rNvLRyj-a4WM$DS8*+mL&i+Gt{Pa`W77z)8UOI{s<$_&I`}-B)+gce zxz#KIUxZhHiQ5`9TS_xOCk6&`37@X;EW+k(8Mx*VDzhnCfr#Rv-ls^&K*U{jLT~j{ zyhqcmpk3ROAWD|nvUg>AY*BJgwX~?TfA9POR7&} z(J&s|bcQ%&q1oF7es5MPc8LktXqS z&Vi2JC9f&53;}o5JkPdsLDA(KokL3Yt&)MB-Had z2qE9#)+g8`+Bvm8L3irZ=}ykB-X47X=i}A0mWz$AGF5rAp#rP7?X&!0ji#*S!rCvz z4(S!Y*Pqq=s-?C;dLRdH2-uLnh1_3V7{C6o8f`yj=Bi#P{_N0kZf6v(#ADJ#clpnO z^?or*@%F(g&-<>eiHhaf>7N@6sy5POqRCqK2knx53ko+i;@&zY7$ij4*^kY;C9# zWwMV{g9;sQ=|^>@Yd11T)yCNe2(oQcA}!{U_#%U9RIMl1T~=+>fnyW$yeOzDArJZG z78&==nK$mSh-_h#YJ`MyBg{!bKml^YRBx-p@HJkLFSYBUI!hzY$RNSo8zUivh?AZS zvtT(otJj{ckNvJm0VU8*()3QaA@`bdB_=c%Bm$!t2obb z^xbb37E3v^j$v}m@MOF|Y@Q8R$xPXw)ao2iWiG)pV2^Px?FRAG8J<*&3}EuH$%eq#L89zgy%`& zqoI;sG_SwxA?qtM><`z|r#ssz6+~+dRh)+>A&q1z2dhd#6Vv<>$qWfih29mS#JbJT 
zQT3%l*rmt7E6Mc8k6wrL!!oB`4{}MJP6xelQ`8tNo@Jz}-=@@-{zq|T=mweJcU>{n zx4!9DEDT;hKnb~Wp0oIK3^=w_2*f_+@h#-ckm=~!e77$Z?fGT>^Ht-b zS|ioOKt1>0?`njv#0IXyPSGcLxTR@VZx1;mm8vP=z`oJhA)a;eQWdjau3^FE>Sm!5 zDH33$in7+b8G{e<97XuINUpp+q$#o8fZZ-LEai}}F(cLS1zuF#%0?X(+)r}oeYC)S zavA`!2cHZuU;?HwbK{^S`4g0B_JHji-{W#tI@QBPSi4>&itBoQcJbn(W$Ez4tE8b= zicDZcH(g>F(HAX;;RqznZeN-UL%lQ1`Lr~!Kvin~1*=*WI_;FxYkB)sK)83zUUC)d(O#1Yfh=N_mhI!dG2{z}oQ=4M zz4F{#C|tkStTV-e+prP|ycOue`R!}`<1zZ%7_<3X}T&}4Q`Jz2^7 zG{$RCW0CXV@ryEw>wFXqB)O%uKAs&Cq0xWq%WUj&eZ=vkBripgyz;qF4n+r>%7AI@ z<%vr|=G}Ab7Ne7{gOU*Ba=|8Ko80L#Oje4t6zZ*=${n--Hq^8yCM7~OKk;6&y8nV# z@*<=r8&WKjhcq`m&`kHq6Wh;D#bX}hX$p#~wH;-%-MvNG>Q|ciyzoY2CB0R$dI$qP zE@|h;7Ne4em#GcrU7wEho2u5a_6yF2<&_CPv*HchNJEAB2Cj96x@diHWvs5kZ6pXa zY6G>m%gQv2c%RgXBAxE3E)(y`4ZN&*|4Oi{Rm&&30eFL$CH#Hl@$RlX$a(!0QpF}A z6|IvypZ#?9+VJou7#rb9?%>Hc?~d2sUQL&IkbF6U2V~W0K1wQgA&}q6k5Bo=TpOuIQ|$u_VFoF_6VcDlV2J+0E?m8S?~ zw<%+sC)gk4hj7Oe(`*XU)INA-RgU*?Szs29uWWWUjkmpx;fN+1Yx41m+x}T5LD&ko%(6*o?8mw%{LHIh;Z#xX8 zX%q4u&V*pYH63qT{1|Z7&IYl3Hl`TZJoRJrYBeuc2VYmrmP_i6)}7wnK1t}xM}q1k zo`$Y@BE4Z9i3ZgYw)PJ;-}udIH8wcNsd`h~Hm-yQn;NrnN%@_BcKglo2K>_VsFs!^ z>yAoWxh+{ucs*mV)B}_LeX_<^4X$I5ND${KkqagU-cKQKO}t@W(o^nYa<@1vaYdRV zLSLyMWylerpa4VP`O~!c2Y2Zpl&$Rut~|)m@Keupd8X%t*suAxPeup4#70sUgjOb% zh+?`=`n1h9#Vmucv)!z{fy6LG1DMi~!=dEi);+3~e9u}l%SrAN@Zz@w1AdaF?h`s~ z{%zv0yY--`b&It1?ms?Hcg<>BJNANwwC_+v`e#RH-K%?<`TS%|KP#RdbpV4D;j706 zIz#Gb*JI>N!G@-?-F|^=#*kR@>f)#RBbKNMBReg%FT_+>bVuDa5GuF>*{yj0M6>|0 z2pU#Zu|?qitXMSmR*7Veq};Jw4j{-*^UCP~5fCBkbNX2+_xVY*^vdS+wzV-KO(`UO z#Ujh&@-R%2DS{`w#&HUpRjk>l*!Fh7{c6)_->_Ayc_ob0&Ti2P#O7!BgMbs7@;1GP zhOn_?@vs0V-9&ls^ZO2Dh_OX46e+)c#qUib|@OS#tZqW?CPY1SWg~qoI++S2%8GWkg zZRYXTV$0~ws^59h^;?VD{w_$B>sy``=6CIhc}yyx%F9V)B7PLyQ%Xq!-&^f*w}ONb ziemg6pGM#B*IMwzl)c|jsc=t9Tk;;hL~Q0{ZP2jr=n@bTYkA2W#|dtY8hkCS=C4(F zQlG$)`R8{6YI^U$cI-RF((7EbE13`F^c$7}LV>Hy6k+CP3ZC!T<->+Pnt~%9ZfrJ6S(*9k>@ITpWRu})G2Q?_+wK7%*LC-H zH}D`(`9rcDpK;9+T}VHRga_jfhD$U~3AV!4$D?!gMf 
zJ)0;dE2~(4*$9V0mlJ!_6l1M}Rvf2i0YgwUP}oJD8t0K4dcPjsw+!sf6)0eCC}RPG zk&uoGX{Q0s;c|RKtT~hJv>$2KawQceuT?C{n%+4jyY(PWCveSXo%zm9ck9ZEj<*7V zhmssYb3balEn#oRF#L6%N`cO+Gg`9FTIYo)!jeKAwG^Gd_%vn9%>eJ{njbOv!^>b> z{*9z;VM$L^8&15bTIWSnG`I<7pmHz5Z@K4+;dFEL6p!{b&jfERUHeY0lasiqr=fGM z>E~9v%8Tz(irW+qf-y=Ocf@Z{Lj=q3P@^KAR0l^(-8wDLudypg@g)DQsz~{pgJ1LH zDJ~z4uV(@LGHi^D(d!|+1r;eU%DED!;r`5z8w+xW12>0JM^P(susI!+`M7mKr%fO} zDv%|i#MJn`6{qtsB?5F=b6pHoAW0z$C~|@13*{{a<1mtO zj#t1CePp|l9HkVsX&CUz!@3vtSUPY!l5#Numcgqt=z)a#XsSl=I+D+HmoUko{bWy& z2es;^S4vrCP+F0isUrrZcSFj$0^(w3f++x}uboLk1t9nmK z!MEw|A$5aM$LD*T7rGu)dSJtpHvfz*R8msv%?y|fuk3gW4>%N!fW-e;_g5Ju`?tB* z1!V2L2H&!~(m6@aqQ4f47X+0a(qrQ{m1?Wo_ZAky4+?AD?v?c+R5wo9A5;+&%IFa2 zj=>_##k?&I9N%6P6BH9oNO6oE8(Ad2KGo8ewl}z-? zxIhZwj=f3ddo}Z#dXW{xHW@w^UOL3Ww;5epUsNETC4o36o0ud|!KuO`h#FSuILh5@ozELYp7=1d`e;R%W8m#kqN(;49mR zZIXZs?jRx*vOOYa(eomcb)Co3V`1Q!C%L9-nMOp6=W#k$W7Vd~+uYJc%dHAAYV=jYF z_T8Lu-JhNP!RHqINpJerQ-f0oAsZj(O^SQQeFv}rHW+uATP_DlD^+-F%WoqBrEg$7 z>~9mmsH0cm8iJzRiTFY?a_KW(y=nARKSQ3MD8`RyUkK~OhPqg&>YDg&9e&1U?H`*d{n2ak-^+s)}n(;tu)^!vZ2As$)c@EnAYwMxmJZAt#$pN;4;u zUSs;Rg}5817eZiHCvmsF!DYZ;lJQJM``*SyOJp)UuweJfeP(>AVL48&P%VWh_viDBm5) zj08jDy@uHRV=UY2lc?TVp=wsYKp498{_bza@07PBtD2@-o(o2utq1nyTDWAPl8a!@q`sMI!4Y%mj+#LRn zkMkE?@3z9eLpdaTDvJ!UI+8Tpk6&8}Gg!Jz^q3-$Zn^d*)d#dbbx*l6^e9MtqQG0+ zYpaMura*k3q~!IDnzIpDOy^c(0F=j{Fe&4mQGP7dbSphDpr3VU6;~lJEOzP{bCZ(1 zrPc;c)`ZB+-3%G@T#8^>9*P3{AX;Ftl-u##orSPKK@?Wmb>TBb-Z0){zBYN`NQzAuHxQpa%#ubh`$4InHwD?@K(cy$ z3gm!U>z{Ab0oLMq4pK+=Q>>FEYuc`v5`RX=RU-o;(!ij)ATaAw&)xWQXABXS?ClF% zwfyrf^T`IQ{d?2SupG^GjZrIXb)5Q~rBbp|!5g>E zM7tJE6>8Q6Sbi?u?tG4{5~Bv^JA-tN+wvQ7_e_XLQsBoqD0wJN8jD&*h3W-XtNloZ z|3Iw%C!e&5(RXA@1C(JR%7>Gme%RDu*AgM`GW}{=R8eQPTpo))sfv&EPVU(f&LZ8q z@ZR_ose344F=YC+CW9sdT2`^8;6@aYE@Dyy5xr*EL2kaw-tlk&C@3B-hv*al)sA*& zv%&KvH~H%Riv>GHZVw)=0^H(p`UR=5s0; zvs#Az6SG=%9}=2B!n(*rye(rAaMXwQ9VAZDNWD67>|{rZ@wc?*e=(5F6p0TX6{EWO#H3#QO*2&q%Gl>Q-Sia?I1Upcf&GWrI_&qWIG_?PGH6(Ze zV4>oqt#4EcN;zTJ&*KZ$C=&TsL4esOjd@zUcz5Ib_Aj 
z;j@aelIJ30MI*o%c#0z8+}^kBTyXJ5xgrzmwfjV=mS z7VJxtdU`EDh&A0krWo|u{K^V6baiztZ9Qw|mF2*ccJ`_wTstr2?md3#uVW8VJOyB4 zw7eSEw+a56ZuV9fnvFc#?Lze^u8pot?UnIhUPo}=Pm@v}`9hbrYYJG|@_yh7^d;y( zLOn&#hT{Kp11K`@aipxjV3B=)WI8N*rJ zY9Q`xXio+E=vYQ=nE8`GI{hYqw7Qo`=8$ShOHeC>e0QN1{}5Zx5FrlQBAFh zFM0CE-2U?bshGXCsntss786)}55-Y>=?`xPWb z=&xIcG;ZYXiLL`rAJj_Ff=SKx@EZ6VJfWJK!C{}bCYEjP3C9MRp6I=Zni5GkB?-LH z`<%aEIxciAO+WU$))OgsGCSwHc+%hWUR!bB*~-$^H{sC&hFp4!+T5oq*`urz;01U4 ze}DBY5L6kOnITN8>UN&k-io_sHT5kk>&^kCLkB>Lg()U)=)UUvtE6@X;aFsn9%mIE zUaRQ58w)RV2o2XPC8={x-+tg}Vv>I`nmvz&e@OPW{c{gBYj7w+vjvweqgMgXmbq=9 z$Qp~kHS0EM!E#>fy`Re`9q<7abg!YQ&n@#5?aQD4oI(LwaPbTMYFLp-9KurV>lg)wk z&^Fr~zcOJHkz}N(^Xq{$z1*M~N4(ww#1K6HzQ4DqUZq#QHy&hRc`Eum&T;}`$TjJ& zb&;>EE9XwXA*KXmpY}s{!}a89ghQ?3e@*6_qG(^(L8u`eeBz=!y=N@MJ5Q&}=cvz0 z*NT)z;mpjRcV_kGIyogwI16)-ed)-IzC4ckB<5(zbH$&9R{vNu@9d~5%9EEtcBST2 zzivJ@=~~40x*OaKj4`0LsI;KtyuTJY^sHqI?ryfult$w~^qE0-!9R-@qomiKehp>G zp#3ttt3dKM68<%C{5`cG%<1=YPuEu_I#?HDkU+Bbu>6I$?O(ebB>a%jY&)FW-~h{O z(mW={ql@7rC9$$Z94QW$z+y@lGG~ybxz}Z>e75Z&{)@Ud5JX z9;nF65p2FI9zYbIYrWl8?Q1Z6sbwJYrEE-m%u&Z@O^w-ltc-)b#n?M`+G;v^X=KyJ zIVMV4UfQIkV>8}EG#=yK@NL~5K*8c@0eETbKF~dWr)F+wZDcp7b zI}TgZ4%!N+a2`DSKips^g-ZdMa`4fopMl8EK;Xx50@WFc5zrC>gsJ{M(EsZ_zDlU= z1|T!8!v;S^MB0w_3-ee5@7_H_UjIBO{eS-JPlF%Wf50Is_RRkv^qF9~8aC0;BkFkz z!E(++s}Yq;OQpW0F0|$|2`HjT^49GotSiBS`dx!Z>Aq>7aIZj%3Dy;^2P1+AL2F)zSvCxup#x20Z zBnkS$q5q=vAO3u&lJ1z|8s%otWS#wX$E0@wX#(eV(ntKTLa_#cY8m-qay0!^@;rcq zZ}7da{BMfo7ZR|$n=HR6PY-n_Yz?&+*jZMlEtO>#XY?u3r=p1@>%DJFqqKgK#19sb zT(Wo0-u|-Q)&Ifh?ljTWMWMBqy=B{xhRfcBEzd9Rp2*c==gI4W`xWTlRsLYqKRn_; zcg`>YL|9C8$N}DPLd(;rlf0u%H~Dc~aFgVRSmj?!KNHqkn&9z^*?)haF&%LC*j+=f zY5wXjEd^oD-8sN32E3#7je>+ye|C|*^moKvMGTxDizO1a{o{Xb}X>#_2R1deH_>G>J3sSWraOIkl^dBzG5 z$(ZpWKd7?_z!M>_v+qe^0nTYiggSc~*a)+R#% zraZ;6yV1ixuWDP)+dy@FQTE(VWBtJs+al=`A7LW-s&i?j4O(~jKAU9Y55LV!a(4Wy z&VP`M@r=>$uJVI`{`m+0TV{QKUKcn29L;K^MkujlJ=prv z*0A85{R#!CD?9sz)^i>yFYe#3j7YM+cjn*5{N3$?;*Wk)>ri}Fbg{i#%wr%6N35xV 
z8E-)FAs|><@p+nN>!X!iEg*2|TO059oBt2e`{$3l@*V*Vx%htl<2(N~`Rv{eF%!%r z{I#cBg^x?kbQWk)))1`f5Bra8j!#2CX=ne` zYS6&p!;eh4&>zq5=$S!^r!OQ|D{>a{Z*vruB|0~+*s4fmr!=|_4sv{g}xA(B(io>@B61=YE8bBaaiM? z)@gsrrI&QgaMBjhVn{$Ssh1sFSI?6aZ<^yN@Xy%rqvi1{k8}Xej*?iiqLnZIzQI=V zhmmJj#N8Wf%giZX07BKLIZpO+I?!B{sv7yC!T|*b!6Ke8FxR(|i3OeL$c9I|_n6l{ zKO!FRWrpBvoiH_UvB66uyfQ-y^i zD}>mV(5HZuUkJy^)5l>kRdO+6Mr>jz(nE*gY6XwQ0oIn57H{A!Fjt-wRM%LLHdn;` zx7Ok=S!>=-l9fCQakUgSl~H1APGSYx(!<>6rR(c8j4YaZcwA1(NmljbvCJerZiNR< z>>*^ARr7cbncS|RnZ(-EsU5ek7%boXQ&qok2W7|K4mjC72X>5!dn{zcU2-)9pE% zkW=EqSr8{XBA|P$Y_fj7fPbamn~z)EME_-3_jNTwVzDSEk$8aRR*uBdf6movnOcBSANJk7t7s5gG|nb(kt&AR>>m zzxzY;nv&bh9gK7mwAyvL)sJM4sFK2Ll$6$`Tn{sE&Uopv9?fLl`0lrrXFwAtG{8ew zI55D`VW?#M@zg?=CNWkN`yj(j#bn)(Pbb1V68xy3r3 zp-+LklsfbuweQLKJY7!Nnjf#{a(;0}J*E~oliIw#=(9KfR*KM6eZ0Gvs$aHavS+Nw zbmE>|Vl5oqe}i^Yww)0$1xF>m?479$AAK{RMV>>+={7ZH=jmS%V1u|A@Ooj|E}Zkg zVtAUMMx0HtVv!BJzQRziu@LzS@=1o6q+Y-RE&M$?e0&thYn>}y+Mv1?>0$0(6HgOi z!0I5wFKnaCKU%t)H=H@3jMdy@K|8Qfm$`iF`-N%gNzkm*1MBJy6%v)Z`!Qx>hw zv-uNQP2+Rdnal@XhrE1@!Y}mmBuF`iTEqOMs)<9`sVgIu9*dz%hvX4AO8ki%Wq6G5 zI6G?dy09ry2D8;uTCX8J#8PP05}I$(P#W+YNj`ZWxJ{7<>g*IW zR6!1dug2H;4ihm>2E(81*&2}Oz;vT}sdK*y7T-owd3hbUk?qJe{fKrItoR_+~dRKS%4qFNl( z3OCiV(v1j^)Ji4|6#|ERqFf~%0z9r~-eOeoq$$NVJarQg+1era+qnPjLiq|m&aSoyGrxwaFe#3NRe(vT}X6*N<4 zg8fo{i8qk6vN;DvaWX5c-B}n$q4XzB50`CFuuc9C zqsD+%{o1jG30!9XZ!@#kaJfdM^?;jL0J~XN+O9I!MS&FGFhKFnl9e>8C}5{JV6C35 z>h?5IAyt3L4D@p+iSRs8AYE_*rw4?(br6cx*#Jx`90BZ^s0Z?s`E+YiK9Kw5M@WOi z6c2ggLSa6TF?fyBGHF{tnjt3ZQ;leh z3h?*CB@8!1#Hu&VGmRgAi+sPn5WNk&AMG38`=V0;{)hS^0dLAAPxKY z>#Gdgpo&kF&vebx5UERfRd)A`%a;q{WWCLS^B-h^y$F%OF1}iAkOC{S;-;BAfOhh2 zJJb6LtwG#!9y#fFOBdQAozb9To6gPxJ=z04%-^O;|BRW7vol>Y^h_Ar{oON#<{yy; zRE9#ve@n*!gS^b^GxJuz!p)Y~tJ=ISRDKy5sny3udw!ys!0L&5qw~WZpN^v6cZh=n zfCK0~t?XineA2_qS%4CRBX|`!=X+5cz@c(}0doX@{7@`BAt8Y%9XCWf3nV8{dC5!f zM|TR9yMi|8-0#M+Yr>?&oluj{ycX^ALTt6q)_;x?uxNRf}E&ZkwkL#?eIImN@S06i2La`zqzd7RJJq+T-!MG 
zy*~jI#?_mR;Oe8)6r>H;tefqG%gyB_{@Sa*g_(-G$<FSkm{c1mN02yg5d&`OcV^i$U8F=P0AXx=#$Fn<1mj4(~ju{*K zPd@%)K3*Tb@`R7X5A|KTEJfQ(`S0wZLaUJz`a4qdGh%d4xH!$nHuJ^pw_f`-DG~e8 z=G|GkE}P4v6csZV?FVJp0yB{$dkO!iefHbaf|1qkM14%y_?dbpE(Qa|K znKl~-hh_+XOd{7f<-Hyp0CxY+b5iNNHQ9#~H-S_vp>$C34V4ZV4FbS5Y<_ zT{-_aT;$hwww3nb_Z16jMgMmhy>e|~uv82H^*!^#oSdBI0D&bQK-%m8(uTOVY;+{A zg6y*c$6uke+PoQW@JZO*>FVvBMvOfJLFJFnMn7(zpPO6tWo!j~oMB+*ePL4RQP-1e zWC0W~)O4y3q_zbB6C&8-Om*C7=JRABYD`N@&;RBK|8@~{h<=}?Kwu=#rSnvn#lXA} zsmkm9t~W72(XJ~aPR7OjHdOv{`t3KspqB|{F5_xfW;8T3?)s&5wszi{7R(^2AXv;W zU%n*5SWuQtF?}VDMifH;BnLbsF^M4$14V8lC<@hfd5w0FuWSSuoa6P0orAE`5rB$0 z0&MSjaqntyZN%c>>ajLv9@#DtSCfV0*{)T$P{QxO9W(EEcT3!NV3$14L9M^tPP`y>Bix}`j!JyRh(UNoL`0If-fRvd?{dVOq(}a4^XebG&poz&8hiQUv0Xb1hJK zSIL`X?|-$2Hl> zO1-?@d-m1lmSQ-u-e}*k2)U)_KnU(_?8wSHMPEzh@Dy=x&=b37A)9~x4bc(EvI;w* z;d$=M4|Tq*Rv3*HEJzS4Dz@~Cr|R^Jx9SWHQ;L5r*T0=@rW6=7aWR#49}hK-wH49< z+jE;W+4+tDMRYio9*%-3`d3)9-?c1pndQ zXM*aG-ncP)2+?q1pg7yAH=Zp<)5TfQMZ<43$vO15V`uAE`N$HygT-Qoh7nzB6(Y1k zqH^Hj3@md(k?M|NZKUJ3uIuxH)5q!~BJQ3__zN=wT)lc}veYGbRBb~z7dw@v;{5;| z2@(uo-E>_?Yc4LX@zo}=Nan!JniV6|x{)}L8gB|z^v=1@wEYFS09l{jcaW1KwGbQj z+jxD?+{4^&eSN;P8?pzhfFn0< zzmceBi?!3Bl_$570Mr_Q|Ku3=>-6wFEUe`y*CYptd-lBGxOo3TQBhGXkR(>Y=)9Ee zW+|`bkvMUS8-5EGd|~r>m7*Q9OU1x3UF6<8lLXjfOrMN=`fcbP`=%mZS|TEA0c3{Y}+VXZ4|QCGXo$) zz9$w#h1ltAn#zcDx1sH9A5luk55%YvOS#%a~tgwKPjS(GP@iVE}t@7Zx&~?Co(I>&( zWQ*mJ9zr`1_u&0&aXR8`1it4NF ztgvQsQ5yx=YTchtnd~p_Qb;gtrb+!Q1X50k<%64H$wR}&W36}|vO@LwoC}=rb zFEttb27v-5h}3)16f*8nOn!Qt~XTW%27xLJ$+U9`m zXEafO^9jaj4nKLCO0gr$kM9^MP)9fvfwB-PE;5W&7pu~7g~Q-a)3nPV00~$&8Dn&k zJ{A55x7wTLrw`QPVbmo@2-+H`dg1^-fyYK^YQiquQ-KrLb%Ft=; zg57=KL}UQ8D`B+NFEIZLF8Uh?TGFjs+S2UK{X1PK$1=XKvkT3PGI|2*%`wo9+C5`i zBM2yE2hE>f)jg-c#2vQX>^PA(YivF`M6?J$q);2)$}zVgghK7(^&g zK%7#VROn}J*7Sm1wDmi{B{lJQBkLH=QL>BO@!i&48N=V-yHmhYPTsed%H~+ykgod# zoPA;k)En%Tp4hygXkCbkkLlq%U(W(yR6*1U<<3WgO+y&?{4M|tR}4d=r&SW*881FQ zVQ6@ML!k2Y77z>9F8kEMQNanNGEC)Z_pL;V^7&lXS61l zcnuqqInL4p$7W&@bycv9&(s(mBm)J+P(FZA9gHT+lS!N6#o~54y5N#b+JRw+<*+jL 
zY%=YRJ8FJawhsy&tw|~I(9r?wS_REc!vYlnh|{;FqADxg*44#AMWHO$uny|cXl>TD zAj91X3S87OtfHdA#>pvSW&B3N%okkhcSHF_iQ0yzqnq(}cDg}RdVpvy%+S}TGxl`r z-qq8Kr*DJ!%%%w&%g;z-!nouCK**--3_z(h;Y??5Z*MjgtlPBW%pV&?&coGI;J<;q z&8;MLR)b@h;Zg!ko;~Oo{oXbZ%gSHd?rAD(rsTtBeyTzJ4uw{G3iGeN5FS$hcAS(m48>ttqqcVX-G=VRt>EuYRclGA8Q2dFD& z{O28|c9hQPz3I0(VN8c38&#&MM8=T#b04~Ye!Eg=(hO-ZvN7M8EGMquWWA%~YcT=+pLx+U) za-Qo{$?2B&R0#aRU3qi@^br@ttq3{~G~tC(O^PX*nNN?`!cKJ(`ZjARXqIM8pbQ7p zBd3wR=cgd}-#Drbsw_H{m=rH@&q1%w2LP}6ZnIjWxQ!38F7ou7+MCGidz4qNUTHS> z;A7KwZLLl=74rMU`*(fHqMj2qELQu1);yn;J=(Q(IB=H(?7yG;cLU#d%UOG;?Ba44 z2z$qhQ*Yd`z2!os-AuhFqoIlBpCY<1J_-O5r{?7ep=9O>ApRM{0^XYeEZSW#I5zu{ z=`n!eSm;tTx&4cZ_}i0}fyMu}N@ts$Q|O2^U1p;Pn3rgJ+-}mmrr~Ee=xdps{=}91=r`gsq0}J(ZnN9LXOp^YtvpQ_dmz~2ov0wP7_E` zr}D%kxhUs!tIXo-b3#JlKw`e%odd+x%YCIo) z&ZtE`S7;p_*~aPV5F_D-FD3$FY4Bsf*vI-Rz|69I>>a(39a zqr>0dtEQ%AJ}?n-7dSHoxjJBfY`= zjD-URvb~**cUOxPQrH8)3C7PE6({x786e-hkc<-rc;7*7yqSD!opz7rxl*EOu51oq z>kUa<@(1wovh#byV&BT#IjJp%san)}ay`!ft|N-bN?ye-n--5g?A z@p+u^)}}uX2E^aF5RCL*?8h7LKcQ8QI8+zy1@C<^p(~4$m-kxy0?GGpuq+C5+ z-CapF?(WXn@jEcJA23GMW67T3N~l1vMXM_Fzp?VtV`B?!PJ{7|@}BTLt2SHK9K*=p zgm%zm>i+{HcJ}h|qz4fv)KJXg^rhuthn1wno2>*r_6YzYoN;sn&=}H_G|zW&9So*A<_sRYhkMWKimaqpH$Ek#=C4~B z(4w?gu9bZ`oGha9Xy$YOqn`Z7Zg@ga=ZsAJ;ATpp8y}4=ARJN62IHv?;G1F^vTf9o z>RPQjSc_!dkE6C3M6f8 zZ0-l=GOYL*ZX3{(9XkO|74-7uU<#Xiyy(VJQup;WPPx~9QqOf+*Zwh*cLRrlke?$(1O3vKDa&*;4xKTlwqd zQCyLUqMOcpt;|^*l3{NIAg~Zfm4IK-A*h(4;_F9Gl=Z&PN_q9mjiw%TkNqMSdd%>* zr2(;Hy@K_tQu6h5}Uw!)(*OlsA}* zq@1Z985vOyOXfft83}-bv&QV@Wy1FUuU}uAhjKqkwAH+LF{Y?UEgVq{3V5~T8Vf_i zHt~-$bD!2Nr<+JSs^fZ~8p$mGi0RPh@tq3xm+bTn3@Vr#d^Y`VxDw695hbu9oaMP@ zFayO)<7PIAWKU)&o?gpX6t-l=jk8eTqNaY%``uovL;-`|kB z)_1!Gf*IFBo3Zk*V#v>fI4a~tv#R%BAViYFaVYwd71!WGc%MM*S;NXS^TNSStH=Og z47yl9SfHRu;9vs&9sR_$MIcnib0TnarBU#khjF5Tll&RS_N712g8oFKqV_rM&4gn$!Qpk`k(1nBvh zVhbP@?a@}7IZdaN5kE?w9;sn5*`+|zZf(Q88+jUm6hgcguYe}m&%01 zl{m>!%{S7|Xbq}zXWIj7U{vPTcv;}6Nm1cZf!xz?KY?Rs_a@_4g#((JOF=ZxP{ zB5ozobuztrMcOHnKtN}|bc^297zvPBX(uGOXBuYJ+8S(LV5PEl@vg9b{aoOQ{NKvm 
zx1R9QXA~75M=^bV|&^>%)2gcG@pI?t~c$ zwYtHiFTW^nf|<|L1NdJ_#-MZJ;fEhsSc7vuhnuMs$mE<(TEW!6ABWTjR=HI7wRibG zu*<7S|0HnT1+Zean>##j^o>TF36_ zvCn3eQgN)+KR3ns#ao&*^nug(6{kdZcjQ$1u$i;7^AEybAsWR$Cu$DZ9G3;#XLm)e zS&WWe2Wu;`N%3E1QNP;Ef?L^yQ$69gW|stw&4cYuc&7tYn+M3sHiSjR#r@GoA5l67 zo*=Qkv$1gpfNcB#hvW}Xhc=Hfd&i!ewIoZepVNn7qxwT~?&@|RSZ2a1PKS~`;m*xV zIkL`c%J2bn2N05d=Rf@{L4VbodVSmv!V|>+5vj!Ldy6I&SLdoYH&+N6THw9I^@7Kt zdf;@UTUXW{1+WcmyA9@46oYfH%)6o%ieK0L}0W`~f`XzN^2Gs*257 z=Mr}h1T7rD#*?XkIj(A8G zKkNS#f_CJxL6rc_RmX};O>p`aRAO<08;DSV>B-kg3oZ#tA^3t@CK7|z1~rPsz&YW1 z|KyLKDeYHfr?;g1;>Zb#ETdwaJXW3_d+yfBDg9-&;!W;Sva$^ZcjZVH=1Cm*htT-` zi$;@2aXa0;aM!H1hc1gQ=ux~dRTsiG3Yyc}o)+a>x8faYzCY{Tt&3c9F|_uJJ@DMM zH}O|n?Pq!})7f>tmDFuZ8|m*JNg|jjj?bEj<)x*`ZWo33j3{oPT;sf+DCTZd-f{SI z#6nl_4p;3HPPclKw2fBgzlIea)gmmFfZlU*^LF3~>WC20;UB8{>SA@?W6e{m{7il9 zLc@vQGnRKeg>q;PAyOjjg?MsIO4czjDFCzfa$cC@%) z*B{yw4U5zXXEeH`$Qe}l
YX;42GsHQO2EO)cS8?$lYT@BZ^|1P<&XY-bN{&2)D zJHECHj!#P!xw0FKY#czll5)h=l(D%ho!5HGhMmUCl&xo)HXdek-0GjNR<8m}!s0&g>F?!~K)PR}Ip?pBGHuMam7=qeILc83%48ADP+|eVuvipqWzfhiLa2>gShLzz z=jM97Fzxze&6?sz!N7U-8;vzX90aXZrje=F98YdrGo@+_TbBzpaLa5WZmID z7j(R83WibD{PvqH20@M|4~49mnZe2Rir(M&;+tFFjqZgA1-EA6r;k9aV`I2m&ES;i zdl@97C^|Y?ldoH^kr_e7T1lH190Ov#UWsmLS=qoVv1f06Tm+-sW1u5bfl)!!%fRS8 zHE7fur9pI*&w{;VH|y{?oci3$oKPP{yHE=WtY7Sv3ORzy1gRq z!mC05qYV&`4V|Qco_K*FpXZE9e1HYjO`ML4RX3oS4E<<(8k6?8qjCuZ0>niqnlPvO zlCUF3!9_C5A)yXNBQg~L!0AtHWVIS0g`uY4i9Q2M?Ymm+Vrj(jxBF54>$#!;p?6eR z{r;BUK6ztK8A;Sk5Lk}a6Ko?L8%{X1TvpmPy3W1p3@1Kud^jK=zz#M3$GLOJHsBNuUF)C`K3JdiImkox04fx})I6s$AW(%$%e?@|e zP8`1*2=vcYkRtQ&Q#`?t`|BIFQQP*k05CF?m74+0nXjg7{vS`a3AGI?bWJD<cWi zuhgJW|I%43V*(kpSWNY}a^*@>-|(ZAB>-z?5~xYDSPzd=(iR2M{P28N9ct&uTKi@$ zSN#r7u8h8Bbb|^H^#RUf#}zAE{E+^TQ8S>x4bHV_2SKce86_M|DgAC|hTv1aT)^<% z!zCc=-w9|CfZ$g67&nzqu9ASyJWHXT;)d~pBFTJ@ME_xf6*y4E45gwxY|Vhe%7M8| zwt54amcWdR4En88<1lX$s%WOlwY{*9ueG&xW=W4!saNX0&t7hR4L)OZ2ok;f>pyiXjr=!P*g!LqV&xrynGO9 z5+QC{tp>pCBUmH}UGE>qmdgifq4C(+FVHj)=m2t0MX&0gfVj>MHHQ;#+CsqcP~B0I zzj5a6N~oF4&d!F7zwzX_CdL$0$As?%8_vvQzIDcn8!JY*KR{EQI6f>Hi4Y*BnFw6Y z=Un(r2_ezAjC<6Du~j(o+ry*tfGvr0MT(dfxRdXb%gc;VU;=ZRi@x{6B>00kKp zymf0c&evfv^H?9NZ*=+^I7~MVc$Hw+ngEFDOoLFtj^ncX_qYDVHkd0d18~ZXW#87B zMsdHv1a31S(AzrP?JZC|ez)Vffsl4I)vI|nxJ*F$>JIWd#~(%zzJ7j%Sw*~Wv`)^> z6#zmFq)Ra7fKf1j%kg3XRDg<#iom6z1LB0s#vx8{MJ39+BXfA|MMpu|T&2GSZrlLm zzzYZ<3)Y8x1RZZ7cDT_MM5t!3+jGX z!fxc?jVg;iH9r%SD!wq3<(#XK8|+1v@IS(S303YgoVG34`$MDin;oe!n4eP55=dqktS zsjgLpMCm~I(tLyQZ_OD6!EvcssJh%eh!jxUDOXx>u*!e85Y@fCa1dk?e?W@f`kpV* z<{JdbV5r4PB5vPbtk2Hj5pV?R5=i<*ZxUr(q1TquHNkmeR%rH3ud1hc!tXT4xsot_ zJm?;Wb8)2Pc6;dJ;Fp*uhUYA&LUkGRZ73qwT48JMt@@pyfSY1#R`1Xcxb~SVF6tg2 zQA&G^1q+%VJ#yC2s1nL+px^rf$urfKzCB6@xn}(kP>)2rLIMCttLQJRdb~k-$p8KO z_k!{hnp|#_?DiW?F=rfDjKyj|OSA-Rw;7;#&uy`lmXsWKiYyt`F*g?uF}r`E2N23S z`&_2Fgt#Kj-X%XMQQN*(tw%spe)F2qNd^?Grq`C%a)P&_eg3ZICad-_6ir55RW5GO!kl?&=%P5;-b%> zQf+)ZsG>ZPzgo`^`82iLWv=x|-I{)V>RbR};1`7d4h~t*29x;UHnHG3ICkJlc=BVW 
zDK%d$t#|>H-ciEjpGLE+a0D5RF#THr1)+f5!QJt~F9gJinH|M;% zz=?+l!ccdLWQ-eGetgJIOx{xph-lIeO2EWj`dI&q)I`|!tZ6rs#qVEUSx)uj8=qOU ztlw#CNDPYXW8J&!ae1joe6dw=t!U(aDk@KDlj6ZOzw3`5AhzXhSCNe8{r-nnGwt=_ z9?Vd3`$ZtD0(~PR?n6<$jan3F*U`U3(l4k@mu+C|>ae%AehP|cN#FxWOH#z5T@ZI0*d-L7^4o3QN~-qX%>!v7il`n` zKfs=@A}9(CmTU%v36La}lZ6YCU`|b|RYg6g#CIo%vmv^jUCzlmZu{kDib8^TxEkF5 zeXWlTMU$w-jU#&jfi?`kgQZuD(k8SxC4VA*9SdrrFMPMrmLv&i`EXjgduQC`k-T-V+SjKzEc?v}Oj1L&j zccm-i$>{)5>BzdH7q{Gh=yfTe7A=9e6Jo9kV(1|`xgh;vwdDj7m<)AF32R0w-R;-` z4!1GioJgm-(x%;tHu^;j3MvS(^a$~^MN3sChtk6X;?iD{tee7~@UQ}fj5PC|Z;wu? z8x@STobigJjNdr7hK%X|%|Y=vFkLXcj5=s%ysenn_G07$=;uBxg_14&!>+VmF)-MD z)T+TBXgO7(+~&tG;|s$q%niTnyO##2uhLubYy*&S6{KGVt2~)WYS0*k%Ho-!YKV7X zC=6pS?zXw}j`z5B^eoWF-CDiuwF*QVw+9vgosj4>8K6Oysn+Ie29?co_SzN|NlD2Y zASZzz){%}h+M#`Y4tvN0Oo2Mpz(i8UXN*Pyya$Jm>;e@i)&k0ky1F3hZ^d6Ks4e5U z55)3r@`S>^Uv3~MFsFh&WE!sgTQ&@*#W&Ys8js6MjZsaci9>l)$#Q`emFcP?a4hY; zpa>O1EgT&5lM6IO6)SRCBY^#evG-Jo@dfhj3)g4n+(E>)EPuSk0RYxjpp<@LK-Frk z);mM3si`?XFb?4CyVD6~-{9WG+l^fM%2`$godIlk6p@j+P>gmcd2c5M1h(75(~OWZhl zLw0KShXeeuOh8iDD?lxnj9F^*f%6{rkFWp~-8zjg8=NU%+rD7?J~sdD5w{5PHYdKl zt?jnKXIgM0P&;K_W2h%jdSaUx)7N|Q92_8RN`O+IVEnD&bO&0_(u@b!jrxMiO>enk z*XFKn-3s!MmxE}^nmk45LxU0n(@JXD2u2>c)gxo$>b7n6zEswCueY8xuce>D0io)= z7X`s+LDXw>n+xZbt_TB_N)D>uvuMT5Qy5_4%RzmPY@)2C>P*qS5cxc%KTnal+D@)q zxokRk{?rE1HLI6R&(&wvnfS#+9ojF-`@jCGmsc53d)#QN2rNFQ{i~C7PEihw$?RUN zcyie^Hsk(jGmvR!#i!kQjw;OQS-j4B={0~X5;076chT~Zz2F8b`2 z9MRWD0L}y5@w5Br?TXD{D?)B`P);OZj=WaVGce$Ttd5`|k^`vBs{0t5hsHn%0mb63 zZTU4b)nP%~Zi!&llEBJ~fpfX}yIuOBHCG!%_eM9bR|W_w-MYA2+`BR8`0?8(zn>wg ziLP>s1Ok*r0uF@JRqO(0I}Yci@a3ojChR-sHe-iXN^bRV2vX#VJ`__Aqe+o|;Lbz7 zg^`rC(D*Vj{zJkQm`ugrJ(c{;jk-%kVA&#FPk{@Wc4~iT8x>DZ9yF)s9ZD-0C%6s= z8v!G`PY~zSy3YG+b~(=>Nl9O5Z0iG`i(Z=cLAPi|}}j zV+&}+{vXT+c~|x>Kv57T6_Web7ta_Zw^xgQs!!%u6|~{v^)Sk zevkkpM++CH{D?R!&!Vu^Xs?15@eQu6Z`SsZ0mG@qy}vuFUTgw~zK@gLR>bGGrF(uF zS&HnZTNLHkS%DGufj;0DQEivo`=+!4vz`M~Mn8P;mPXGZ_E<$Y8{X|sR~0c{x};Y4 zy;2#Qm$uI3+W)#};on^oM-*n$zkm0?A5DEd7q9y~P0hpcSar#thwEuIKSR=m(kc1_ 
zI~)l|{a~g5OyfoA*VT1=P{{!*F<8m8x7^Lesn6h!^&%%@wW8@Uv!x<Apekh&)6DY$kh3E}p>kcv`L>Rd&wlwozOHeJ%F({n;6=0m&1 zE#Cj^>%U<~3Hz{cKd0)e{BI-#xIH{PT^RGT6Rmd&){ZxNlf922i48 z-D~q5CQ@^&K&8iv0Ne{pAQ5Zo=;)ZeAG!HK83a88WcgXXBl$Lh_rqkcLHf6JtHI!4 zTgPll_~tTBnds;2x_Q{SR%Bg{PVVjNcNuNH)wwORW-58;kBfnkG_PMLhbUW6*rV$& z%l$6MG!mhSUlCHEeZwm`i&@>YT`QUCpbG=^VLuX%Npk=}rV8{Om}^d_0OcC6MWn!#t+Gdw z7L}O!^%FN90NGhKeeA!lr};+?Trs)^IB{L(>idikBoqNej;pifwKI<*nft+op#ETl zP?ZQI-6=ILAmK5OP&cT5g9Z;h_iJTla&n7hwu`9j?O**!x-pi)myTk6T>n8u^U!Ip zfy9X2ucqi-7aox%rlbtcl9W!)6+QmfC8__l0o2<;(_T1|@Ea!yFl18t8I6i55t4aB z09dM=fqquFQg>IMa3z%l9z@AwRgwbXBJ1ox78Q}kj7T(6P_ZVfPpiJsRsXr}F(7YT1v z|K+oJo!qaZc7EZy&@cbRUx(=0XO6fJZnbYT#%NP+jPy6;&7a6%M-4tR^QLST^*93V z5`LRpU@nAQX$~2rpl}$Vc)TlrH(hK&M_->;z{2%`K1dp?f_Iy$?8s$Z zJ30Ar|0=lnsa&FeK6c0e+zo-PRYFZRO}o{aC+t`Or$R0{1s|BW!#xaTaZB7N(R(CgoVsJ*ZF?_Uq5U{j{j7V~R*N2B^3ei1#p>b%B zbGy02+-TEMC&`l^^atjG1|ba`@7zX0jhE;!s+;y+H78|$@>F%X**vX1hca0wpC%l` zW@i8cs-6Il_3B#$enx$r5t%?TPrWHv8_!6*nI{^PtZTb7FWzFKn4?uC_;J^38ktslpK0iRq zn7y9vIn=hq)W+>JMRxDJTpc(+?f*pR5}O@6X;o@2LSu9+m=Kw}HO8nePkOvfde>>u zOWgS4Up|&OIKb2+5rMzkK@Y%yYp>m1e;HHs57gygfT$1(j=l}0CP;I7HP_x80yOtH zwp+s_pj`u~nF^q7%UkHOwFFp8`fbL@QYkn6h#|345P%9WrO+3fBGhZ6&|PM|VczNF z=u%21flTqj3!WyvRZwk~%ErdeEv%^g8e12f1f!WpjP2c`|CKBL9eIBImEcXbb3g(_ zDX5<*6W2a_2E-f8$e06TzP%a1RrP&uGg%t2%g{g?}YtCLT{9zoM=*&0OC0`rGmhJ7eS&{BB>y9`}_VBwv@dStRwB z%jw13acC;&Lj8r`w3*-sj0UQMLQxOQY=aQU~h ziluh~Q+jL2&8UPvELXiujubs`;J~AsA&lGrfS*7}++dq2Dgg3qK59N!_tI5b0N!8Z zjA6;t)om~o^Ul_5rTOm8%v4MukWEY6EWaoFFOHN;-8O5Z40LnFa7ClT+t&T+k<`7m zyyow4mkIgDe)u0<{yj6`^|lXBZ*3N|P*C$+P3ZT9q&o2BFWOa*dUd8+6yX`c9U-7R zk&<}>K-fQ8tESk1bWlcuUFCP5kDTk`DG%F}ta;w1^~7L0uU=!G-O zcQO_W6#X(B56|Hx-z3^h^lmF6uO{kX_9#(gign+Xcv5QG>#1BncXV0V&i9`gta8H6 z;8gxB6wAxnTDfaHZ^J*{SRE2uQM#4a91Hwdgsu0yMyvxUwV)Q6MaA`B?pm-6O)+nNDG*(>%7=@D0g+dWshZ1H%KZw-=#S}xygQ-bHv1YPj?m|r=WZ-Z zB^zv;WSJflGkPxRo!F)~K;ucqC#Gu~dZ@8iPPD7>e6ljTUt|KLO^X%ovnLm@A7H6x zex2R6x_AwKEIGOQ>wobxJZ~y38z@*Y({b0MPdu#7lwWyxN;dtc7eLmXmcb`N_Ma^v 
z(!0L?v89~_`JV;{2j2os%54`28OgenSXEU|thCf-N{ZlC@};qO$p+hv?s{Sdd$ohB zq;A(WBqW(;$|tK>l)4OGNW4te1C>$(O~$**3Onqb;_JqI`|J999jNwn)-wVE%+~Uq z{qy_rK2SgPsmb-`K#M}b?VF&zt_Zcl?~Y_lT0tGz3}AUymUygkUK3zsR$!OtD-*;Z z$WKw>dimpybPS3<3%bsamfGh$7%!N{Z;gHY%bxwHE=Z?vLMUD}#Lh$BjV)5_oiu~m z77U@;BKP(cm#GSP$r?Tii4#Lzx5IIOT&{?*un*7xBd{H!;#jL&;DZB$KxALY>4J_gCgS zS!gm(Us`8}{p?e3YIsUJ60`q%UzOALpQ~FSJuQG+h=0FFVbGQ3vC3Uh8NzCtp~82J z`hs_nvRV1L<$pY}`u_{i`GIVvCxQEzyY^_qSFx7_l~iO4zd!t0VgRj&pMYE-Ao)WE zenSAKgYL38nav8kn~;@t3=GqGAZ!O38AGkcSpv31Ntj9} z9YZ*nCxxv{?+&@?1I5aDTO+*dg*K&ml21Q~K!IP0skWxhEwzKOO zoz%SRTC(l3dGBjG#@Tk+NC-(FaO2@@RKO2YaGx8Ughgm-0p^sbAKrKuSERe_al78W zHr~LUqkLX4Zibx?+qc8gcoWn0bG-W@{2-8ssuzt!(;ZDkn+2EGVL4N|qH^QE3;vn! z8$-Zia78V~FY1KWIx6ZAE+9OqXFm>Yb z19#7&q4w|aI0xNYqMZ3F^AL=-?ZwE6z++Wjr&RApug0c(w!FEz^xbi0aMs9@)WHy$^KcS|^ z3|zw?Xo$DC^+FO4wCA^jtH9+3_pejhwIecm4{rq0y0Cy(55EI4k!#Otf138b1?i;- z)z^LxSl!R~Bb!ZhRXdeCm;24yUpNFRiq;z3Lj{6y>g@?_+w;L)daVnw=Y)pNr-iM2 zJms8@A@y|>*jWKHBqh^FtbIC9|I8M*sGg&8`bQCI1AqBL=$vPhG!SU+m3)`&p2kVG zF#el&^`;nL;-Fq6)%H6u@6=fc%QK-U3iGI=Dx1YO>wZ&ZuNAt#Z_)!GV*{V&I~QM? 
zy)XI$T@)9mTvMxiYi{s0C+T6ggw{Jr|HLSFpypP0x3p}TiE^v8)jJR4N=&R7x?F97 zS7DwActN!3bCOoll2z_ATy+*KVL0e!FT5OlnPR(#eAT{0pQ4sc-=oU`%T7p0c%O{e zHSaucd>+O=tY>X5u4B!17;B+m>5?S3BU%&d-Fx_zVUGwQGix;UI6i--9)?o-QAAV+Bd|f0*=JMtmtVoXEG@; zP_W={_l2D@2GhPn{T^%1+dz`>^5lDqseN~zuQ9uX=R99U(1@fLwJVcIJ*Wu$s$jBE zBJ(C;%vvA(2pVEH1|K^(kgHLC$;5XNT&01C!(U#AZ=0$0_5-92kwErR?0&AA5mhXG zA$*V|8}KsF*=i$x7-_H6Q_sdy;uX1Gwar<+#uS@ksQ_<-%dh$UyR&lGm)R zahUmPiEY0y8aF; z)!niMVql_xi3(~V~$Q1r_S;#M+p^jOw3xwBtFCMcW!?je~qg{D63uYox( ziypFdV^)yDkD~%`9-}Yvs7TSkTXLmg5hBtg0~D*%AtwIsEq^1pm)3ptc*EbSoc{{b z;OklNStqZ!5w)!E0cdF}8yLcfddv%CM!d(uIqcudK>vT)gB^zsAAW{dLZhpy?F$dr z)YhtGCGggGQd^B~61jV3pIv3v)C@6vHGN}KCg+FV!H2$1V(Z_(m`P*-i}Lzbs_&a< z+E7IQw^N)|I0}lXb~~bFMwE8ZmO-a_NTwBz5SE%lSlttC?t@Mt#gy`;5f;66yXw0R zgh3k9#@=I*G4XJTfny=H)P!?AzHgXmGDY2WE=t`Xu_vb}A#3hCYqu*(HQP+n2(dWl z*xu?K=NX@0x>;+a_eDBM*~495e=Ev)?2E>5X$TjdH5K6q(oLR0>B9CnQMsk>)y>>z z%tYGj@?{F|eo!+iUbZ@i!3X}WQc~|`6K3HEc8loW+LS>)DFn|xi*O)EThKZIz$34H zGL1*DphLJmX+B-Nk8+*%;~+#yY$PO~tw4BEh#56x;cb!VTYY+o5igUMUt9ShUk&6LZ-Xzns`FEKO{ve%97|+kVsW$Z#ffXdw4$$5V(GAlyRs)pG z+GlklJ*K!4r|c7m_`<2QOr=#EJr}Vna`|huDj%F$KVQ_;!I(FjuZR>zWhs&WmcF90 z!LIp#prGnRt}G*lnm38uEB>HwLaA&cAiKU(uk`P%mI9?H3QVoob2oGSX->G|vY3H6 zvx>EZnhDHBex10@{itwS+;jctwcD zjd4ZZS;T7NmzqVH7Qjn6O~MEJDV_6Ul3Zk=(#DBIuI7Gj9DVr}i#EyJusPFe88ELH zSv9!u97JUD6ti;%RXF{3Uq}^kovu(n^WSS0oRHscwvq}F1v^1zmtSJf0oB3B(hI78 z&Q3hUrpF55`~pZ<&%&d2-6cmYOqdr_%uDyRrS|gzDZMWcx>R*2WamqMx2p6Ocqb6d z_i0Fd%Jp0qu)0vaZyerE4?!$rFX5G=>mB=9EG7y|jwDwXYzv2^NT8INNmI2C%Fp#w z_H{hD`i3$tWmP>{EBnmb4}Zrkua#V|va;0bC|99Jk`8ROZLdx<$AI}vZ@TSbpLGKx zxP1C3Nf`!TX7%t3yhGb3Gm~l-3yH2)SQIlTC=xT=YB2NdQ;;wV4>!Bt#16dg=O+Rc zhc&9XS+g_k!nVt|TEm=WN<~;bqFU7w)Nei|o>MA$De&USQ;unV05>yqOdt;lv6e_P z)3JUr%+D_-v7D1ZyUl?io%U0|es|A>BD2@47}RQDMD;570-2zSbJ=@t_V2?$l>U5l)NUDQNwVl65qp?CTdEadxk6o5OT^>3y#$ z*34o*T;!qML;>%lNH|xOeSdy(YKsJH;cKSmjW5jtmf$wZ((M2;=4k~u#!-Tbg?aXZ zvqwL+p>8SFwx3a8Ii^W)Vs2(JODl%7;oajs4Q5yArOZ|%%K;uz1%kmq=BltdwQ(`^ 
z>sGp)g@&jlOzoLDB0h+Wyeg7JaL3qvs*-tO!41!lXHJBa3W_qzP}v1@{<{-PraHJi zvB)^1+J#S4=Bal|6O(UzApeCa<|Ed0fhB4#UM`}~T80uqrGgtKo#*Fg7E8!AhI(oJ zc_-j2Ur1G8Y;S>S z&W8-0B`JneoWA%9=M|5&)W@V}xv za;XR=R1Ko%bAj_-G~UzNGVD!y9Oi#PY$|d(0J>E281=Aop@)bv<4z6Gj;oe_{D@)@ zSv=IzG1i@<*glJPU*7=-28L+kyb?bwHRyxLFKwO4*-rnITiQK7J$?NXR4k5i7Sbk?B6=&R!(+2oNB$J69`2Pg&Dq;BaLfd~zDSv#DA?;Xl#7 zvM3(Vt~lj>ee$1g{XgFFS`_DdPq+@%-+8APsQ67wozX$wjR5U7Ja3x&rvYT6B^$X; zO`LGn-&)av@j`qil}e8^tj3I&W%`Aj)zi~Ue4yLIZ7IDw z?7T6F+7q4kmcUJ;CNhadDMhX6eabovZRQ1cG2)>1yT)-> zoQU8dl7SI(a#UOCZ}7!6d7yCSeo|=7{U4v_f0aA(-`MpLqSLvb*|zLBB<97dLCV$N z;<0qcYNXU<6ox!g3?}MtXMzRvb*az8{Gj!@CcmXir8~^k}jNQh`Pn6m(=` zkarsluJq(%w7&|&cLA5EO_=W4dLheMb3{!}XkW|XO16}07KQg3(QT3PqI@E0xPMW0 z$--x)@ad1>%v(?v-tewzgue~d(=#%|R8zKG$uewF0wOL^HCN@TAffJYGt6cnZZ?hB zbH%uG{A#qwp^b?eV8gDSSel}XRvQ=bZY}HQKlIF^K91u5QgK zNF#3NEq81+;{TfsRGAL6i*3+7o_|}jpGeMM+nM)yS-2J}m-V@5n9SDoFg|C8tMmMm zNmFKVWzs&zl_l)?e$Q};#(iGA2Z@4kY2fqBo7u3;>MZ10dQVtov8a=)_~+h_pYK?> zd}ZfObcJxTb*o8|U29ug&K%JtccHxtHE)~ROE>AZF(t?xGW4@`Nb=P=bBpJ>jF+_f zaW>=g=Q*ZJ$z9K0-8>k2;r7eW@6OmuRwF%*)Dz?r0vxT2*eb&NYp>4^-;qW`R$#TG*k_n?gV2J95BoP3=Enbe3wTdho7i-pzm*E~~Ef zPCOb)K?O!so|AKZbIO71*f_*?OtK|3XC&ub&yNgvXDSFGn2HdL_Y|B#(=0 z*45(`5VB;)$MEv;9me<@?1t^%uX)E%{npC&8A4hwky07o_2EuzDz~bRg;-vC+og6%zSqCFYxup_#9nC$l#Ae{#R#R< z@re#%uR{oP_OqOG`LRW$*^XViVp?uDd=MSce9oIo7&W{&e%Oe(b z?Rd2FKNblNYC}> zKW?x=p^V-O>uc+rb@x4cGtR`|M5dy!(b4@wsT_uhoHa6T_JH-lOP4dMb z#n0*2y2wc#VUzqOz)>$3WZbZivKIb*mHu zyB=g}PMh;OMj8rtO35s@4B4_WT<~b%JLT-du@agK%42tb^Zl!l#bdTE!8B7iu6TcH zDc9WBT|9&H*>bp#1xm!`Vs5oKoHQ;eaR7dTf9qnf_VJoC|5%@bEub_ytFak;*$2?) 
z{nam9AD6|`MmjzYdA;>J!G1tAH7ExO)xn4&oY7AVDR=M}>!EsbqTywK7r8`#}Fk}ftVmp}craZqG zXK)yHGBh-FkD|?MPEO9(!NKvbwBM$D8S*=J=WaB-r$DdUWm4C;5>81@X$3m@4F~;2 z%#|}^+42j6827&H$$p)ZC6e5`ZA{_bl=7F2B)t*Y45|2VxZa80ofc?+1!_I^wt3*i z(LhTz@gFZL|9Ydz_S}LVEt`uOwakx`cXKof(o8%~#U|SmR|vL?Xdzbq1d+2~I={0* zUDf#!ElT|Dlqz@5(5roRcIW0Md_-H0l8W#4qK(G&LM+~YkE;+N+6DHn4pAj>U(dsq zx)BS?Ii;H)4U~*iMNWwRD+c_zF|*gLcWRfN+yARI|LbEs0C!g5SGTxun72J{^trgB z*LhA87!IbD zcYqU!Nw!Tekch)qs&T(b3O&&gcI84ngLrax%EW&*}X%E7)NcdvpHSf-9 zz5v5z{6&us4t{NE{V{}blh#(H_wk+1({&E!IC!|a+ogfs!uwE0*Y8!+6LgnL5ZKn4 zHi~1rd_JvgGF)_=1FyOwyq=ck7{0u>wMn?OQJ6gK|6`Ap>Fl(=>m=OQ&``5APv&_3 z)ro;N!+Ny|-4m=!-~GI`!{iP7^BKoOLcm#TpA|qhjiV7CJkKWQcv`5&q||L4{(jRK z`N!+{cazeW!;f6KlXO^?w1_6FtIRvgeRS%dcMkG^5sPjRnPg`FI1>qvp*4i1N{t}n zj%p(eMyx#0l(ukw6GT6%IUH3wWPiSN75YMp2lM}N0v>3tXB(9@9zFfzd#&*cl1rIj z8g8|R4bQO=v!gh1oGf%4MSJ`}fkRAwBfAFg4XWh+{XK+x__WZY3FCDwT5q=ah65;4 zK~YI5IWF!rxUk~o8(DJ#@F(l`a>6|DV=3^}10Kvg;3IbhegA&59uG4`(gy_;9Y-#y zKDE$SzBr=5DtDZ#5n?r&Cik}o4(bXR3B8r&IiwAzx~o30zwIQjiAuG3N4{rPyRqT2 zFA$F{-bo`w*>d4&+p2(qLhvuca9AV^lkn; zdC6chb=+@wtTiVV$qLtF}Gj6m1glkxhM9)mYDDbx^FIKuYmRDL~Rl3{R@5}vWYACn!8nY z3W~73crmaiA~Kn)AvE>QtLiV0FW$HjL#fX-306bm7|zfI*$a-BF9%$TOv)L%Y-?@Z z2rSbG;4*rfn%9R-K3wwxLqFX@N%u=muVvM!P7y9OPIjG!(y+w@rI3ZOjHnH`<#G__Y&skNj2)3Fw6&)x~AsUgL`mRMHD#A4t+mz%hw*#h@%E8|L$kQM=d zkzv}pl^#bp)2+-+gT{U`x0lJV_(X0XZ>^f}avGmtf?)4B+0-hqOF3|PH9sLoD@bi6 zkGVuHok$>=C!?^#ew^H({a|SeDxLju;hD zjQ<&Lg4j7CR|TEkTF4552vf5>cewY|s9%V*XhP)v?z7jHINuV;yLTTBJ63WY+y?tK zPhr{R{2vMmTGc7z!>T!`cA#L40j{04Am$L>zi;%~u=yrIbRj+^yQp~~r(Kt3hP*vZIT83E*U`F&c+!b%t8Cb*=sGp3L<;F5f9o;@ZPejOtRNnjh%6hHeA@%^i?(-$De?*Xf{I={K zUml}vBK3Li`+)+F1&ZZ*9t}~H_i<6zJjYumqS`~5wI?2qa1lfM9WLuJ-aT2z_UWA1 zk^LH>;>{`FmIVXk_N2y?V}}FkbTzOkVd3G~BfaSPw0U5f_Na}BBm!aJ7_d1~@ucUG zp4ZLSIRj7sWQt*9Z=EABrWnm?(Q4Tu@$Oru8`dG3xv{Bu8(x*z-dl9=b)RlVfq2{$ zc02LUYKp_fDi8lYx=oiPc+~# zD)((4r(r}>&?j(&`C(mrPP8l1tpHv1k9goJv17dV-q}CX_1{Cq-)j~8mL2fLx@TAV zw!D=)CckL-;TVrbB&PCm0V8dd;v@cAM0&z10+g@C50YH)uLX$;>~3L4ZJ(s&Ii>NN 
zxs)`h+PyRWc$8OU-4U_e?9$q(nhztSH6#EsC`(|e^2PG&O7&d%V%g=ZGn znKKOFFxd_aCEr6zhlW#ZBiUOXhhWiRmxk}3I~x3j3zu`{p!HNw3|EyTsHi7vh69;z zUIurquCiNft}bktc>lD|S*u#@uWDpR9b3R3u5PdsC>#|2TF` zKlZ+3!F=I_;2{Y#4bzOcx@hiha*D6U`_Q@PBM_CYR3oV%8J0^?$Ep{yQ%gaG0r}0<|S0QF5{qd9yi#&4KMj z9Psse`8~&Y#Hc98$BmETcNKI}pIq)X1N2NzsAm7#$K5gu9%*fg;d_7oPiHgMb9 z=XrMyex~@1q#el*t$y5c+50}vF7z=THN^C|oU^MDOHyB@jha^yN-FAG^dYJw4DSB% zN?!Z+eON-(I(_WPETkMbazsOu-xT?p7E(IV&W%XO$r10ZQdYUdfu(n7@KGhRJxA_1 zI<3-|XAWpjq@2hsFkj3HJvvumS=y>S<)LGmD}Yv=B8bb%8fIGIR zbco?q3Q&yX|e};R4236Ai`}$S_ZRlCZu|AM4@J_u$(Fk>Cov7 zx~LG7#U%-rXfW-;==($Fj;*%}mTB#_r`^M7`*Mk&Qse~QqWeOR@C__ZCf`?WSbh*n zPR_+P=N4-tCjP zE>E_^7afnLkquL_d{j0!!cK%Jcu7qc^-X0dJ4U{3YsXYRZmd_tBb$~BA`T9018Gx! z9b4eEn})`_giCvqHAfciTGx4_4np$2KdWYkp0EY z3077vBDXa96>_n3tI{pDs%(RSVrX(xU#X+OX|&lFqmPdN$Jm$0L;dalm&jI8l2W!7 ziWqCMtCY%C+1IhJSu%D8Q;IgU$Ub8U*~`vYQ^`8^eJqKw&R{Ui7=Fj+bMN=}`F!q8 z_aBcijWg$c&TD%l!DKmP4xJzLs9d=lN+f<i;(o3}WU`>2*ZLeMSdUOS0u%q{Yt`gF3%2&=F6~pQZbzKg5 zP=W74-MbQqJkg6QLAQ9W`)-{hN?L3hRBfyUb+`Aw_i#FRCimI=8CXHj$VeVt-)N^p z8^V27GBetB(|5F-*#zpdHDI*$)5-|Fb?v&U>fGaKXjfB@lWcBfcSVh<6fFOu|0c-kBg=Np~;b@DFjY-73t5K+Af_;xzi~y`v>-JN8SVWN!OF1|@55#5dyap0Yg% zMBY^CpG?1tRu-X%tq=@X9qcNue!|P0wxJaUC7e|C!9K_x=W7r-tjrrptG+JpZJn;E z;E>g(2v29HZ7QM>e)a5QmN~bq$M-z1YU{=$RLbbK-u3H`u^dN^{CGgutUTzXCou-Z% zL-nn?_|Bc<_u%TxCuNUrD62+rM`fNLEsl*W^!0Gg6KrF7tKC=ZLm7dRup-jBEv;n! z7eWO*Q=ZqXtV;Kg!SwS2Z)vvR+Jgt5)^M(EtJj%Xm>0^_&0NA;CbEP?7N#Y1TUkzh z&<9K#)N@Qz1Xldu8-;+SdN*|b@QIFpJ^^Wj*4El!DN%;`cjlgTn$?Z=p`5I|j|B~m zMSe4c${T>++s}H+lIAD0V#1CqicmF>QjSxX^5ERL)sZwE9d|+Wc!xPZK0iNj$*8qv z+Jrs4t@!huPqKIPGwe`sJs`wb>Io(Q`lB#_tej8Vc@vP*T@wkw&$|dl5vWv}o+>}6 zYAFc)%`1G@vtoVK$Kazp)q-q+1Xl@mOrdMwO_@@8>|sUeaj!xSXluu)l)K`ek@(h; z%Lb!KkYPWx;F=!Ui3w%em$Niix~;6y%RybwuKKjBZS! zJ_X_H{0Bz0*Ee6OZfEIlRTWHB=0Tne!FxQnEB{gdn+EbPD_a{6F8#U8U!VL<{aT$* zYb6S$mgnkVt{qPneb`i_Ng<`+f(48%oO-eIzUsxqqHgQ#!3{}M_y!$$B}1fp!w%DX zOF+FhY~^V7XWw$}pv?zZKw?A&(?;1~=n+K*qmQWoeV$od?0J(OlSnwk#vr}-0ozq? 
z+MVnje&VV(vQR0%HI4yEQjLWD5h*@-Sljj*TR|>_?xfOei$jL1c=`(4as486PRghg z7V6zTDTOa5=nrmocttl1d+O=-Id+uddy7$&XK22vwQaI@P-n%}`LYXj6D9C|!C<=cLvQa0a!2 zeebgse80W%RA9B%b*p{u+|DKoG3@(?OOijvK=L{J+oIu~z0x%N0eEMIejSC3ALS?8 zEry-1PN)0Alwz5tr|PJZFI-QRgoDbA`n3GTi!Dq@feR36W1wl<`;+lHr*TaFmypX+ zmoCi$iMviP-?9qWqox7vKp!59?rCpt&sTnmDv?Nvmg4hJl>i3*)D;glb#F!dap_15 zzYpFZ+G<1@d=dV4nW~+JGIwZtYN$HxL|4Z2J511xj6}ZzkjMI)-0=4Y8pVG47{zT! z)mHDUrj-+kXL@C1$##27wxL;3iEw@-?Rj3=6@3#ggv-WfyPaZXL!YCIOGk~FzxH-f z?`E6-oC&h8-{YpfY0&e$nl&b2@~p zBNu5vezCRHtz?r`5ntlatfz5Y`kUC7z)KVl7l0b;Fyt^xYZj4(5+O39oY0>E{R>Wo z)i`LNMon>bPHh*&f}w=cgsSl_dp!Af2NN8uhKT&sg}IDhW&mlyKQar^pS0ZJr$!yL zN=uyQR*=%*1;N+GsIEnFW`h`k?Pr97dD_n>|FHik<`;s;aYQHgIt2UTrC`nV0COdj zc|t2~lWWbYUqrOaXWUeE%1%~O%_>?)jEOlfXN`2!RZy~MqHUG+tzdU)x~t+7!zBu& zwF>KTK;i1+BOJ(_nVZ^um%P)-4|DpQXm5|nRhZ}8n-aOVQ*(3T{yw%LY;5P%B6l3p zM7d$JpswMxIOCW^5=m6 zP1V!wks7pp?8B983~d?cbNY#U*`1k@@ZlEQH>0_tUdPr8+|snI!h^nnm6DG=sj;ps^%)mFLMzGgZYWZ62;~**|4m@+wpGwl0DD zYWJYq;sCr-P;MQ+kg(;k>?MrT zg50p_L*MO9{nR{ygWqo(3D@?z*5iQG>a8?K7Uxi+DBF2y(zA@H_RNQh34~*7;lTvD z&$*H1jPWQ1yYwlfXB?M`cgsC(?NskkxPH*)1kdWXldcAQZ~Yqhkp8Tq?3mVinJ~pj z_6}1zjPY%~+1l)y?r~E&KLeT2KdshrBn`g~b*qA9K{bgvM%g9kS~-5ro@OoGsMz;_ zhm-yN&Kp8*_qnU>!Pb5yw@3xRM`J(wLP@5d>`?CvBM|oKMpeECR8EGIdX&q=|6b!4 zJxT|<$6vLg6#kKM|HoYjrkQB?=`SD8cvPw8hjT=OgqsiZWjwpqwQ1W^y6vGPg?jwq z>4@M=KW-kLRBc=J9)}F|zV#HE>_NMfl+@D;&Br)6=Du=3yTNd7u|pR>DEVgs{w5{u zL(MRH*)Yw;0D}?R`<%N(8RQE9fsP7J_@mGFkE{BZZ)@E+M58hkoWqqrWlWq14KBB9 zi9Y4yj=D>iNTJ(HOFqrYc_izV%o&f*Zy9ARW_@0^wCPNRd3^o)?L+xSWUuo;4v>&D zBUF))Af?O$G{;hslGC6k36BkjZ3&68f`XLeoUM@{5=Pl|&p;_cd8ZWdA7*x2`p?|aJ1Ml|qVCdBp*Kt@g6Mo|2dnU3Cv8{b))NnK2 zmL7a44#eU|(XR~+f*|zSD3^&7gQxI^^Q5+{=r~nR=y?)vFASG!1Frn8x%`?uAW8cn zCFL{3X*?y7ZWvTiQ(Klsj6CWL(ppU4$9$HMebQUyhmw~mouD=Q=fV8@ZielV1@w-; zS^bJ(Z3tY!K}U(C@>EQL(Z`4m`zF#)i|BS>FYObga@f_QoSZ43kD7K?z!At3$ZmYO z6(?gA_hZ7+V|~$LVHBFZyzCA{i~WsC?#J#_+yG;5a_C`NIrl@)Guo&nE%oIxJl-p4 zCS>W`oNk1E(5)UA{SnM=s|x0zp>40KwLJg3wFjJbo2isRRnAPZ_h9_@{&35uNvEmE 
zXbowvIzgE6JQ2EwrVcbPxiY)75|e##3F%8#%+`X*a)Th|SS8hLV*`(JaL85oa;xmc zMS|YVeRN7Wj1~JJVQhmp@TU69znzD_@AWk!fNhW5@)Y~fGC)s5Wn(zV*z=+CVxnKCWTF(sIxYR|kZybZ)oTm0Q#*$Nh}0B2_6VZM zI||_2{6Fubm}8R4eb1u2;i{lhrR$+RE}y>mB3vfZXXHv9^Pj2LKVrLoeVa52c9f#= zo$kN?`u~@!k^~UWU(*!0rjFBaGs~A+rn%ItlFb?-c;4jWR=x5k$l~VYw@czIUB@7X zBhhMZhiDkq4S7}g;zaY51rkLKwfSG%)$~fg@jgRPUS1sx)%pR>$Q5AY?WyEduf@u| zJWXe3=Rh;|XhKAAHgCn50L{fprGkX#yKFT>*-l$~@Uhu$pK#|ROkb}J2>?e~dFLqC z@qSz!+%WQK-3(8Q>x1Q&WlktSSe4D)=zdsQy_FMJ>k^3QT2JZVR4P%9Juw3c#4(_n zmMT3OpbeNSdVsKTl1BU`&@pwWJ2!SpCE`Lt?z`7LUXNGC2I;b||NkBP&wtVE^lQd~ zZsf4;V!!|OAj~7_DxP4tn#FqBrSA_;`80#>(}9P|J_cn4g`K%sxW}?}WGR`spEH1x z_pY&1w%3AS2he2#ZFsso>k%G<*T!jL5Aw8)7-urs_`)w&sW zW71}3UPi+6Th0m2ScR*g$eop!br0m-dN~Hklg-gifJ1m6n0C1KpBwhqL&+Nkd@%h| zXhY}kVh`{>n-KFXR2Qo<@8V8DLss^lG<@y021@qs-B*WY{Z>AJIkXkPB{$nBfCBEp za7;LXeOE695Hn+7fA($ev-I7~K>h2mJ`x(sBX9gjYcBR_T&^=cRd`191>HSuHqQx9 z)V=ZPyU$)Q^dS}eSC*S0L*qojY#Ki}oGRLDG54GIUNHp+XmsH++y8KW!kF(+1Hyu8 z??deAEUi+dzA+&&AcO|ydHyyIqe#i&_MaDX##ZP8k*Y30o%qNr=;Eo}-xpDLl!2?I zG4|x{FZ<)S2xWHBaab0Lem0}N;t5*W=ypN6)`|R|?`h@itAX(nHY`v9Bw*bDnE<%t zNGC(6ySFV?00i5wX8rP?#phiYVE%!rj2RVA6)`Ia_}~%`=VLueGhlc|(zDaRKNskh z_X4`5_bf`AqUU?tPXFdGF?ax9kJw`T^pE=fe_H@zFNY{V#}t26V??0~lX(yb*087H z_ih*gcnoY|Mla7KGuOCu7Brpqi7CMT?lu17!HfRf2{|_+Vh;We^00F!g_Kueu3wJ> z@omPl0_OyUBuv3cUwaQ&L|v(0aI{WOH1F@HXURl zQLkTHDhUV(2#Jf|>*(mvD<++nd%?}k?GlR7m>%v3=T;CTit@o!k7GlK8mv{HKHa5| z2>QCZQ9z_A19TT104I7@PR>prcjCyuiW7ei!~Svv+5vvrPvFqVUw-t<*NzzlFP1xT z_#Hle6Tu)9oQOoGyeK*~zx8e)X4bptX`T6@VPs!Yqk&*G*qaZAt zJ0T+`b~ijU)5nDd*Jc586_8H$n6MK3O2DG~fMTI28Sohu*)$)Mdx2k&I`NMx=RX!C zy0UXZshAk9|9V2{PjJ}&n+xFY|I>%J-FOwoB2vdn%eq*oeD7Z6y*F&^C)skdn&5sU ztas1w@I20t;^nJdJbYMITDOgvnOVwZ`0~pW5;p+7m>1aa)-$J1lP@9Y?P3@Gu3mje zJr1~R8&0Hil0$g{KX{M$szT=dZWK#-%6d$HRG(Ziw@>#Aa4|~9*OGqx9+H- zcI27%IWGP9>Ni=A(*ez!Cr|bR3eoQP=7UZBnc9UOQz>fmcY<0*IHR}&H1b{jz3=pX ze*Ygvy;Rl+-!xNx3^l_Vyn%fuf$NXOC{2oOj;x@-mH$gGir6R(^ceJdnqV;Cj0an8x!s zpaEj%X#fSY#vp(+EE9=Qv9GdLimapk-|z0sYW=~bABlgk|95c-_=v1*Zu-=K`gG?M 
z@&+sAVS38$Q1Ububp z=J6Fz-@;%(jtPhX@%OG=L6{z{DkRe87?P z@qTnDC?-hRwj9U$;u2-S*^UBWDfeM>?~>BeA*hNu{t?jhzQCubSuPX%sOsX>KROnF zZ~i_B0sRZUC9wj=|H0)}Gu-blYMpdQC(9h%OG~55+Z2)lDjiG{uYk2L$cDwU`Xv=5 zA61r42YzY?59(62s+Z`|d26rX0QT@2%38$}&GbPV*AkoBEP_@CI!FgTc*;O*f$FUzfDGTWtaL9>%=zF;7)LXXWU)EB>)H6%L%*g~8`8>!AkJuiYc|zgNiKzXg(xpFggki+iWl-`HM_(KO)c*vTLiwA9sK9653X zNV~j$@!~*QM#fOY&1|De$PhRk86eJc1Zj;pvhaHnV*KOdi%*KBN(;{G97S##Zi zMGEcjn*9E;_ka5qk#v|hm|K#Eoq5-s^3VUXSh{B%7Q_sL(^hgYFdx)a_b9qCWi2Q! zcoi_%3SPLdv~@L5egc%|yy!f%GDP{72M3J+q8O7m1?YLw;^H{v>|H)j@dJsFZtKui z5Z=gxbDw}?K!k#88qx|FJ3uT4yq1K7?wvbHjc)|zzOZTO7#YQ7r~xR1i7OCH1arRH z4i1?^4<32e=44h>7y;G7yXyB}Ff9{xypxc7$mVd~mff=XYgcy)C+o)tX#bbz30k9) zbU>gp>RnvU`;g0z4UC7`f&o%@PgPYF_E2(YNQ`b^r}}jmTcnq~di!wYB`^jdDV?uz z-J3X~BL`TAOZMTW;zmjUUKDJR17Kc}9S>oXbm%;r=-zapskK%2t*$~fMELaS&xeY& z00l4azG)CJ4x+vDx%wkY@KGtB<(-Esb%jHXDFvo&e?rs$Ys3uh(MMW_B-qLSCAQn~ z*t9vy>gq-AxwAM63k$Ey=z@aILr(Oa4>fe%wbO<}8ioc3=WkE(tGi^y#@B9ybIHwz zW)7R(y=$SbC_Mo_GW3!J%J=?IiAH|q@-rr8=3?_Y8dJZSw7AO;QoxBNOD1OK0CXUv za`7svjfA_!zfSn@P*Gf3>pGpUp3OQ#kY;1?u0D+q1V!-gL0|6w4|R;4EnzT2sAMnu z2AYMd+dN=Xlt#F)tsHu9d$m11ZUY3%x_Wx)!p0@`3xmZw!2y>%&vbFz>oPk zc^|NLtiMFtu14@L7x6gnUhTc`mg$Ik48OgJuCA1_gumiT#w1seITzYtO0whP_moYH zZ|H7H6afDPq;@~`d14eu=LG~B=AHuOw70-ZtorWr{M?o(w__2nhlC29QMi8VDPvY% zruNXQGy95Zr*=I)Pu?m|M*@J%t}puQlJC(pK79&mEuTlac1{P=G@|SZ+htcLr#FnL zJPLj~AmcB*HjVh$3mlfi>THkS&sVDCqJ;C=DLyHyGBJWH$;k*3>SQeBoG5$yOSq3g zjC+CjQ78C=y}V|#mWE~~-Tos* zJsyBKPNaC;PI>+2$ii1pfu+B{2YazSqc64@D*8D6M2(mMg;RnC%S7-Oo-UtBn z*t5?qe0<7MQd9R8&{PZ<1Bf?3+*@=_S=$MAWcB_gGoJ=?)+^QJ4|cCG{yX{t?O_yM zfp}*w)AS7JtoMSdC6Mho%XTS!RbvbgN$&`%1M%>0Se+}b!UXly5yUh5R^y!STY zZPIzCD#_hW;hwz&IvV0AgKrJX|9;CYX~2bS`k0jz--P7}Tu%lC!YBQQ=)L4}b8~la z*?={=64|cvJ7BVyUkrjY0GS&DI?&`tIE^ zxwA^A&*)}exP>Uw`Ev;ESAUbX5)-nP@YO&p=PM-snu5sgO*J0G;&`F1 z*Rx;lQ0?O3u%}P;0!;3g9_*8r%*tK3SsEy-c&zrN-2d%7!zo10;hEdFG~Y66#LxEb z6#K^OL-*Msu9O|I0=m=Y@qXw4HhC5nmf`L0opvP%pgX_4JQ;;T<>$0`*t|a{^o5Ko zTV>hZ(AB~awbat9NCM*3FGACuPtksTtRfrI=e<>v?==(UvN2e?`mJf(V=iODYVU9v 
z7*74uMj~nt9|v{u%*I=e4i0yHeapcpEahmzp#-jjTepGzw)KzW^@D;;+rCy$S(+lY zcLlKSI*e5M?tm0(YIyh!?n-#%^-S%Lhq2y{uf;*Be< zeH)xWKM@4W);6~1`S{G}51ne?@hgkvneG~MC}jYu86>lQzm&YH%#tK6E$sw4I^vj_ znHetzkZj(iWI0kozYXlNQNgvMJH?3>MYodO0>nSx;eZXIyIUvi{d@ayDHLscYanAX z%cNFf)j=r)>*MLNRjuAI$+WZQ?6o#roQKQqhG5{tTk(R^{2?w#jilkOoeJc~j~|2c zf?Xcsc;G9q4spp^y9$Z%=>dc)kVPQ#N$gr*T+a{2Z69M4-`xWJ`CA&3+7Jx7B+p_c zuVDwYi8#j!TBe}tAryf85EkYpr(Ow?1Da{Y^%(WA(GW~)VJRXI#7C_|#DI_YBOpNX z_%N`3nFR&+K%o@eqV)Ne0}&Xz-7joy1C5R{4$v+B&O6ZD;T06WXBg|C_jvG+S>kK; zeCX3|u4=6})jBRnq<`R5(!cd|>9(f&N1@?fY0257)ersJX{0_^FzePdBEs&`ps@-A zC`HU_43~EEY<7gsDq$`8=_M%VcznXPOSbQ!X$k&EDR6CNh3N z8zfkuaU})9?Q@1u%Sf5i3X#z*ga5t~|83=n;G-ZPisWH_{=3)$Va~cfD2(bjheOS{ zXA&xFt|(Oy#>1_cMdYB;5R>+$kxHNCfuNaB0?3(Zq3=AI7!%K@JE-ZE?w^`hYVw0f zc7p}QWmfn5I5Lou8q#Lo<=?^^34Y%vDOFKYsEx4haT>$MrvELPV$lSM8cs0Y2C zN6tby90&_x)?>%A9^O5}&c$V;uQUqs1z=;I6hF5F+I8!Ns7B(z(^{@eFihUd(-m(5HOy;Hu=VyXSXZ0V}L}HXrNo0QWcviFw-_L zc5=05z2<9T_~R!}&dXO4Yf`wP;+-RIsfTr?Kt_`!H03h2rz^YYhAYKzBc2V>o37kbCqI0WKW^;d9aj7!8Khp_wln;I!Y|BS)SRP9z!UDoD8omJEJl(GUB2yA#LHV-7_qI%F6HIqP4mfj-D)5 zSOfYopbg*|Cu;E!`1vT{=hM?|i;ZvW?&=XEbh6uh2dg6NexEdo&eK)<)YHh7EihT? z&v0XXNtm8?pYJ{6ns89DY2tj9j-oEcH=T^_nTZi_Es*G1fVFy(2X7ebJ_+(9kXC?z zgb|N3WMH6C8PS4*3x`m#k&UFU5He#nl#y{b~>&H-r) zFsE^cGVa55;zTA$H7TT`_wUaFz=zPKOC?qbjPdbfzThf=Xk%U#jLeu`s4g!bI5aD# zf7x3{Ryz4UZp^ojgnSsgy5CR2f2bOc28B#>h!me<8~N&^SA!*19D7%kw-*g~cCqQS zFLwO=#(4vVU0(Eu>!5v9``HOMS0My(FV_K+2os^C?CRvk$)&tRepb>Pr8>X+=a;-t zKRA!gnp1c(ZMPc`3JsskeY`jnrJV!fF1R0(vZ&AjVjefCE|UwN>?gtjr61S)eN> z{d2_`(b1v)I>nvp28h7>>o&iCXLu=mD(y9P(otquwqMOEa5oFidmd!$^j{mk{H{N! 
z%*#rvSU6@WTxna~oHj2~D2M{2Y}}z3E{++s_2C3c6vWI*m%+uW2T=}*M zhrd6q%6kXYJkCVDLT0UB&Ymr0f4ej51LWOkJj=~;n`vt#KwH74>FCY`Y*&VszL!@C z*JWv43@8p;Kg1nAe3(nO!#}?EZsTxBy~c3`0RdG|LzV@kx;>qpol76UY`J1~Tmb0C zIm?26ORVGEh$LH>G*Kq>N0m$vZv(fC`&&~-z-4Am8xABH-nbQJRu7%iP_D|%yakxPiolG0QiY7`d1>vvfdGca`6@PT$6Fk6G&J0% z?TXGhFo_AR+NFk}Y!0T0SmrUIJ->QU{SDqhrrUrkOcRVk=4J&uaK3t#cX-C3cg{mj z-6D(B(~IwWqQT>kx(di@qQi~Yw*m&fv9nLNblGLrX0gU2-(_9SK5`!pf8?0st29`m zoxeqKUdWdlYrY_tClv$pzG%r%dHy@5>+GE3ZH-&^p6Ol}AIwTBufZo}WjX2S>ZS_! z;(Wlcm6n&IAgoQ+=1ICHcRrvrc51VxRHWIk51Jae=yHvu^$-Hh^`EYIeO6vyHSfJ2 zsDSjEy%i^Ek<*#OR9`)uT5oObmENXAQqQKDmZZR*KYytUrarhX_b2@@oir+3yA~^& zt7PP&nXW1G;F-Ist)Pt9m0P{3xw#rPdN)gREK$_+!lO>P4br3+N^7-J^qOPZ9H?vv zcHJSG?VXXul3buq4H?8+eLm}2YO7ln8rZ211EW+7Qb;6m$T?xA-`FrUA5O_o(6h+T z%k4@bU^7ruw^v-334Y0R(TO~gdsmQIsQh)3V>D&10@~mo^u&v6+@zt-45yjYf?(Ps$@ZX zBRSr6^TiYr_N1Wj#)^-NlT-YNLHXcFmy>HwCt%I+J2kp$uA&kGRP0TJEAfIFu|F$r zXBJL?+L{MRL8-5V>zpa1X93Q;=_mSJe4M0Z>V;7BU!cjBb-z;T85drS@7S=s{y5dM z&->U67+*|4n^s?9Pu^ZBwJY|W(=>I%&yc5br9C)F%TC!V&7;&}ZNNL2K07I6*VcUy zRjm#fQcMoT`*s$EZ(W+>-pJN{wc2R6JxPRAO~-_A?1i{BZrIIcOPk`{6ZtO(QcSm< z==dpS8v!#CkhxC{+v7_L#~i3;l3*^tBoB9C&Meo}-rcvQylZ$U$Z%PU`UB}I<2{t0 zp?E*XMgO&O5v)XOYpfeJ>f;a_xR~o|uy;jUfe9s-e+DA0T0{M+wK`Vi zE$596aLy8l8~aGK`doGz%t7412vZ92ltz-@K~y|*sFB4gGe*f6qC_lXH($Njeklfq z{^HhE?hVxy;0f*7e2(#kJ)yX;;V%;sWUzT0mgki8@{A_7R3H&Cg5guo>CE6RPhHAf zuH=uyV7|n2^c*b;#x>R34V-eeMGX>h#ZZ~;({o7p?QO~%0vfP&R*k)w(O#KO+ z^|fMTuhftSyjNQDFLncTA`=S>VTGYE@TGs}4Flado{DV>c|_XP>m;DG;9^^${y4~- zLkvtx`Fz)ug&268A!ZNp^qd+?3t^wBvBTFOAr$FMfJHO;R;n^MErRXPZ{gM_YXuU`!Xf?`M=?smsENCdHOs?%JTD-?(kXR6jn&Z znN16XDJLAlpzzEhLFgnDis`9nIrVgDsfkL6{xT0B%pi-+d$QjHwc&rw#U;a={0i_SIX2 zm96!vCjGgUHCd4M7jLUe?xmR9hqCazV@xIt6gD)WcuH&3&x?sE9)H)yxoeB*3diDB z&HRa#bA@|;?XP5+0|;&TPCasj?1HRxBEoDW*0CS%oPKqkszgP!RZlxgNtgP-W9t%z zdMtMW86KCBEI`QYA$xz#7tE~}t<2zLS4k^VKbYG*eSHQBA!YNV5{VY3%1yjJY4+`# zbbo(GRKv;8ts+px+?fWSk*=Y@ftg+dwC_<)t57r7=&i>xJXBh@F z@ub%o1-0p)5v=ba*Gkrk^Ohj-`PaT}nJzTwlUC#48?og>L85sBSTpjVYeH-N8zpA4 
ztg463+f|(BGpf_j=70%E*XhG3epLuXh=_Q#| zhr?5cFXpDF-vIqmP6fZBWukiyr0E&cyR<^hUq2(zAi1-H6BAT=^Gkr|am2A~aV!Ol zlP5~?eDKlFTq7tY0gkjmsP`Sc$}1p>m8!OX;X>ZD`zd(V>2nG$Q9)JfB0L?FzJ$v$FgeJu&J_Zu zvUCFky&e#;Z#rFeGd9CJ|3FQCfsv4Y4Nl$^1r3^fhgm(Yn4gu`13Ht%*+uGTHKFcq zkDIr8?QA})Yx8Tg-xAQ&zOP=ynY&e8RG*vcx4IfNSdwZWr*>P{5?i>SXJ78-fvk3K zeknq@D}l+;)?7Xx%*{~4y;!ip}b>R3nD|=?AvB(JM3~!SO_4Y;*=6sOMEnxL?Q}tqcir)TIG4-FkUa{O+j{V$_ zf$~eyRDAGk1X|jdTE5SseV1H+PR#TdV z3)C!LaELz`pB1~fh}y2usUg=iSkrXl<1*jHBjZwL2dVfcW%JT~CI#~-ay@D*J#MhV z#i~hYZPr=Hdb^nt_@22<2|cvbvEhp)pW;F+&()#)6GUBJh{Sn^TQw&lp}tgM>MVLQp@E82Eh z>`>)t+>~W`atu`6E@-DugE5ot#~fzUU6Cal{;wIwrNLBP581Z}WQySW-<@NQRF_D0 zQiVN|G`)H_u~6>wz3=5IJp}Cn)u5SH;tw_QFX|Md!%F=zGz`8PcZrV?VE>e zv3U_`?+Qv`(U>}uujN${o-KXy68ybTKH3nYMCHg9gjr_rg$qt^lS02HlKuT9KqPBy zT*#gifKSu+SkR63=Cpjszr#t!O>KUyNzEHEajz@KR%o1Sw!u{Q=hi^Db_f$~=oY|` zF?=mO->E*-*sm%l^TUkudcX#=kjLnwZJf9dUOt(zPH8cI)Cuov=Vfen!!L^qujKK; zzyBO-pu)O;#OQhxhaBDeQ!e>N(2Ea-7Q8RGt{AB5m*S@0)swr}Fw@1-qa9W?8@Ea) z6g*8HG@3+*Zh!QNZC)%VnrlyPw(1gQa=Nr0;CrVxO&h%N1-N%JZ9xBA0KZeB%9XApXHYwbkG^AmW*3Yo&xf>~``eo|RYZ?oqkDDN;?{Ap45SsUy3gM4$KpEi&@r#u?FVOXA& zq#SMLmzh^S6&DDA-rp;elj}zOt*lb1lOj{33V@sH>F)l%0+3++79J9%XFNa~Y09Gd zZM}T_vw6_-YHDdIs>wMsLS8PfD$}dff^?j5Ui_%i3^XO`+C=~Bn zsOdVaTzYGrXE*Ozn+u2!OC?YJvYo@Af_Sug5U@%accrV(7s<0Rtd_)Pbs;aY83Zo# zU}oN7prZ?KosP9cm+oDuOF$3pPmq15NHrr3d8rT1(tCsdYd zviq;aMpGTr2Y>YFo6RnB20_MssQ2(tMr0 z$FCH@?X|w#_ehBpq$Qs1RHMb4aFOZbIH+3#3+GG;jmcr~^x0w*ZuxX8@=9nvQrvPCgk#D!)q4;9Bk zOhs89cAMJxL@1jx0pcbhz(w2mlyMLgPe=R-3O#)+c#c4y(>9++qM?E1$3#q~mr19! 
z^1u{bWu-}eH92d_xR$5K^&x&98pg(+9Z6qrL*AcWi+b>^K ze>sapx0UG4gZUtn1^?< z(c4a5ffK;k7zLeZO=aP#4U3;VrUn|K!)<^ne`6>A1>2sXk-@JeW>wK< z*+oW2Idp32SZS@<2S~!K475jR7#TN_1PPqFt+?Im*hXvdHHyce$I*i?siRJ zTk76nGSj%@dZidXu-bgd9fPU1X`WinR;@WhCHn;B&rJ}sN9>lCCVHOFdp4{s$TvF) zcC#Y;?%umMtDErFMoM9iMUykz8}~MK0HnD}w_M@%dac}fe$?zBGT*pV^S0WXZP$)- z(I%&X&cr(xY{g>{!OyQJrU>NM=hS`zjQDFXHPsAeUIbmMR^QzRcrZ=C0Hhj%C1+=5 z>>n5n+J4?nQ3w>MP7G>+t zQu==H(2pk?%| z*U)ji9yhzPRvGa#Vw?I}z;I4ac(P9^k-zG5K&isXub)0%R=-?n6*|3dnoI6|;2tcN z4*R?xe3|36Vc?B4p&{Q9fS-TzB!uPEWnNG zqo82AQUkx|%;8~5%F@lACuP22Ov05o3(q)gYNcl>8n*q?O@m(`?(E%yYG2hj|7$=V zZ%!>xl&LKLO{;jKZqaUc?8ZKk#r{ocWS|>Bj=NTggge%a_aoz#R&c6K0;a>x|{Z+ z0#Cah#y&`T-NfTRrmp7Ru6tbsE9E7!ESS#@T z@zYj)$N&tVzZc<$p_#S?Ms#~~u-p!+(fS&1rZIZm>xx!I#B)Zzu?vxXX{pnXBtg() z4bVQ9M7dgPTz$NZA|3 z`+)jXSvRb&A*d}t;=M}_9j7}M^F8hS+BpY|=QU@b0v%s^W{`n7T&O=3&d#G%k}1Ax zn8ND-8m0oRs&y*AxH*XQ3!;|mtQ+`8&}gEP^e~(9wFYwMVqtI9*FwD?Ow5P;=xx!s zbEkumWuNRS<%P}$=QXkAm3K-6D+bQ9^YMJPo0D!NzZ~IfjBGl5v`7qn(4T9AGUv_V zoG&()eX%Ey=d|ZEH-E61+jk1$(5p3L<0`#ecgO4_L~8x@%oECebWU#a+t0 zB;vcNy*i-BdMTKDP6Ye(VfP*~z{aI%oFs&v?U7{hc7{~1ruY$yIEXe<}RVEpV6S4^8`;$~Bj8`TvljrS4J{-9z(IleelPH;nFA-9d); zFKW-Q1gY7oZ)^82`ihIZFZ<#jT{)kVySr5TzgjHp7X>D)N#ZtyCF*dkZQ~w}pm&5CmQ&&zP zU(Vh!2%LS}LRqxJaJy7*IXZCF)pM+nAj6LsJVIBo{v`i3)coTL=8C>?{6oBF1i)e0 z`ylYXrkg=%kJ4E%)6j4#QnTApymhn#JQy`i%@vl)3lK=D6JRK1Ij5wgbXU7%!alfC zgm1Z`L~GhIu@3O-PJVgHR^U8zse_=eO8oc;IVIPyJ2@?@8Si=!-?3_L?_V5ufM5#C zu8kHLz37b%)Hb20tJs0-=y#~lb$c&n+24nqje&f{=U(co8>+2go zqiPkWeNC!!aX~vm;pio|Q>~RA^qyF1WhNJYo`BXS-gm>k@ir!ngzsp5((cJIs&YzV zbY<)0P?fRW#>AV5n>C6GpEXmjQA{>kF+A^xPZB2$anO8!(t@E(Bar%!Z<%N4g- zh)r|7x=&aXj6M1mo?Nc*z)#D}BNZs}%@c+()1RP0PI&>_a@+jEMv^Q>-$Iu3WA{wC z2MrWkQQw=AE$huY2K=WnX2{y6xu6_|M*6s!1hHYO2|BbtAa8)(zB=eoH@IqSUH5|>NxGMI$NP$FN6KTIM}~S_|5=`- zv8Pw~Xl|WN+D67FCZ4mI;=2JTIo!b%ObC5p>SX(v4?tX7F(u834DVnhLnx#nd)yH< z_(5w`|M!-Q!=|bG@%lLie85>m@7=fmrYceNo!1oVvFfw%a$TQ)OumWIxG+#>?2sJr z2Y)3YH9=@{4G!$_1LIW(Q4Ixhr9=9sN2Drq<&tnef8I;x@?vVJy$&d*iA}vB(`K 
zMm}K_IWGUP1{a22>)k#yeNYUfA6Fm!%r&0;&H>qY=vg*3+x(ua87AjVh)QeL_m}NS zbHm{kkgfh+7~(~(sLwiE@UU(lV($V{*R>+BQqrlng=i+vL|PyP#$1oUV}EqOJJ*uY ziI~KV`&A(rMm$+@tzg-GgVeCqJb$sendqNXw}PTlbQ-f72&IQ|_L6w0^EGFOy|FNN z3#R94wX_qybP+@Oq=D!y=?1Cf1y;B&!5Gj%k7e*WUjNHNS5o%Z*6 z)%IyR$*^jNo&dCjUn=w>^ItU*5WJu=edUzNU$4gBirC$y%JIFq?_CK}i zzR5-%H~dGK^|Z{RYv~^Er$3yMMt}Q%gnfA+)a}=PmO`?WN|7x}CA3(w6N+RhMY5JX zYnB;f*Fq&rgzU1H>|186DUulb*v67&FlGj048!od^}NsT)$@HH-~Sp>KKJLo&wZWi zT<1D{m`***!cC844Cc~!f(Xv7IilvI)j(nON_NlnTYuPthKd$3}3;{4AC4WtQ|RXc*LJEYCwZzqOB$ z7ohOAsI1E0oAsJyDs5d0_|dMg)*zjf2X2j1O0ZRIRQy3|`{xv%;IqTg=KO5FTbxU? z@HWnl_C0@l0X%rrV^-}$@LvOxjI zN(^`If(R5nEwj|6Yv3K*Tv{a1oU-`iJZza^l=XhQb)1RN(|yY^#G7Z77IGyXBm~r~ zKrC(zx1&CpiVp?^Gg0VyMH8gs3jL;Z*48+58II6S3IujE&lcVCM0&ylDDjKEh zb>4C3@0CepR(l7%gtffu#2AVfEP78&JFPrm?0x!xquKA)h!=)#plV3&iiu^8rkDQH zGJWU7V~^7eRI9pee=dc%=d_-OJ+f<)yXrt~@;-6)+=|KI8%D^Og7+si-pv;MrNq<# zbGYa1u`c9Z!H`zZiKg#Ar7;6Op2tNpiGfejGrle1_!PxB%~xgC0xHeL{k%QdK67uD zjdeU&TW@vwF)zbBKZ;tA)F+1fyZnB8HiLu0x7{E7k~dn{qGz9k=n5yLx`-$D22C0-O1=A^<#Y9G!%mD)*{MREbYM1R8lVeHPY z?#LdMGY($y&HR2@ZCJ3-LCwK2CR)&MeK|bW*(t_@(*-?l482f@JErg`)5LG;UF0J! 
zt5s_1mT+cu#gkwzx!B|{wl!-7zJwujP8M&(bqFMOV|p?5+5GC~v5Zrmd{;%`R~YbrV$m}qIUyLT>vI6~N*t%|SB<$h$fej?Ww!SC0N2KV4Xe-DXY~QB zR^wKT@c6>@J-;@(YF`)Wi1T&3La8_5ar;Tr{-5tHAHhD(Ez-aPg~&n4LhQYAmXd{u zBk6_Crm`(-sodxMe4uf|Qu(Kv*UQ00pv$cVyoUN7K|~W_}HR%I$xx9H~qZhyVvud0Fk z-tvcMfA{45Ph-s_um?*SPGu|oH|;4`vNCM#>_D-5#4=$>#Lh{8AukMUX&APu{ zmCt*cupwu7JN{!wt!aU=Ne=ntL}65Gvx!iEKYs7pC>Yb8Bq1l}&9g;lH=Y_N_zGHK zobu&{ei}lJ!dG$$#Swhsq@=E_4Dq*MxJxV1?DJI?f2?es#9~6)Il6T+3%oBhZabkm zihME~5HN5Vbm;fqG)veNUL$Pz-SQ{rVASet$HNbl4vmimQLV5m$u@CqORl|#Zl~O= zVm)>sbY*B-}u3!Q>BXNToGvgm|^{8nxElYc!HHtXb zh$_?fAk}-5Dolh^l{bT)UUH})E9pkNRFLE{wy%V7S}1)77L_t`@Wr(>qs!*UjGqp0 zx#>Jt#c*k@nxL|`oVsiMd^+p>R8Mg6N1RgQbwC8)vm{;g#J9E4mEW&)b{Y*0=ZTxh z68>oDP==y(oDA6`-Rcd2B-U#Q4LQit&yesT5y#k77#bwaq@@R@VV~n5n+AjIwONm zCW2sok>oh)B)0`GfIUglzAuvG=1(9Wd!p(=bZRG>2|XvttQ4Sq6ml-$Kek%+DWyao z$x|$E2$dd95oSIrO8Ufo@5;oKkpRtd{kpe*?!t>|X{8m@XL)3dXN}`Gu6T08)v8}5 zp{mZdnK`X~P~BLEX4A6{KigNph_AP}=?4tf!n!x)I9!42TL$&~^%Uuw_Y=^8e6V?@ z_{ASs0jdz3Ki;2j&IcE2i`j{;T(e$#R!`vpTF#U!kAD|wuc$oibsOWCHOkRM7 zbYuJRGe~)oCCs6n)`&Q8dLS`C8BC|Q`(lyRRiQ0HBei(@>mIf_?6Kj>gU&P&L7zsTs?+lw7A=v+_B22@23vGVHG4H>T) z*K=a0vSoV^`VWKIr@Z;0Kr9S%id3;>oHy6o#Z~6QPG@YiE zLlyR>H8*NZp>zEs?JW*w|X|00r0LU}o>x%k(w7ql}X zDBshG6^?N#bXTDYPzG;YSfvwtb4@`ZnNOY~!u=3Gm=%p-Mq@6) zv9&%jZ_KFtX08OXy`b>H6N;oy^bc`=BIg>>#s8$tbOT*48%wS3F}bGNkE2=@*c@IT z4T(VB+4piv4n^`^85EsPu0d-uQG=8l_mh^Qpa}gwmNv>qMUSl~|4ij_cX&k0u%A_v zTrJjBY)<~QEJs)#Hvh^?)jr1y$8HooXq<=M!~`r^#m|o*l#aw5>P{l1`gCsiSlxWu!T38_ z4?2B1@)g@zjc+pRwFcl!->NhFa4bo;iQ(|FELvbjFfqaZR!6y+&_uQB>Eo6(D$B>l z?ZAkizwdM9?Zd45h3)y-e|v3Vreja{hFVW!U0TCXVMLRU!Ca5_r>0(zyI*+$u}^BU z*md#JT8sE*sY*6`OaD6CiMN#_Fx{qz8hK~;q{SZ&OWzyWf^mc?!_fmi;wjRv!g-?$ zef<(PrpR@%yfD*=0new)y~q6d(u2Br=5vPEMc0S~-bzI1^+5C@OTAqddw#YzFK!-m*=4&zPhOD-ETCBf zPAXr^n7tFFoUA|=zx0J!yx+7#H(B;>VRs)7QgS$8a}CqVB0bDsIqViX@VM6KrsbnZ zgpmg zEDeLoSyZ|g#1F?X=nDM*7qf@<>?vTGm8B?l`rmpvC3u5U6*kRnq;dY2Cg)WSir;`< z+n9>h4aMWBgRe0sojD7Bkpnigs>XPZo)$%K88Yi3lm+Dg9 
zh=WPFcfX_D8+67$Nn^gNviYOkF>_OSieatJ3zA`cUM_$zb!$yFk2a?^vswN8#<_3g zMhnqu)lWlc_@g9t@*~zc4qWg$csSLDsWP!97$N02B8J?=9pOHT>&wc(NC*xHcz&Dn zT&idD7f@Q;l+L`K>1&yP8XJ33WP55FSr4)P>xf6f(axDU;l=}lFy zb@xs_s%c4o=uExpkwY)q^cdC7F052PcUwvG??P`}zE3w3eOfz8IMw%(J>3j`2~2?7 zW~}hmUkO}{O2Axb>It)05zR8N)l(amihTvlQd4}vEVwve1Z)PbOdc)Him+g${zZTp zVorfhsB$c_we_-GDqkd0$}tAqr4K7K%7ZC{5W^9#2)|>kor2FVYHvM3M!fi7sw#Ek z`Gwo6lnYWjUfWA{#slf08w>{Cy9S{-@oy0{IWs6q9)vklj~MXncPzi z0f_7OrzW4_(k53Q$1g6Ohf$DQf?219(h#W*7s?C9LmIEYQhPeKGaV5oX-FhP~`+G#)R+@>TO_`Og?OKkZfr0ar z4TM$qw9{tEpiVd_Wx@#JZ^6BI@HS~G-sRcbUZ~3WxS$(Bx=uJ%4w^d*CG(ti+=AJ6 zrca~uCHcz$R9~9oCVclHaz4Mgs5ky5@{;J8^YZgXyagS3wTeY)UwsKR;cA(Y>1cWJXvgw&lsUR_k_#Q0v|V7D*O;j1S8}dA6i7 z{Nc90h-c-Kdsq0*yj9mS)Z9+~eaLvXA*afg`GHbv;&j{e=$7C*#`h!!8(!|W4&i=> zY-{rjP4}(?Zp&Ff!7>8F@SGJ93H=BJ)j+cFyHF>G|Ezi~jO&zw_i_;;5Y<GrZ36Q1n21<8n^A95VIFt<$Xr1u@V03U6ke`s!3bxe#kQB>fGHDZE&bVN^!@ zW*;WCYSuyzMXu{Q`!_^?ybaOUaLa>y6_E#stO*|UoNxSur0?qHhu4+Y)euz0sgHdKT5@k&jepB=5NT*eM*4aOI# zy=MyHJRvUxMjXUgi}cas&U^iu)I2W#@TQQe+8x{3rMqsW1KP%o7%FA?tqR?GOWG#Y z(PDk~8wqAxL(llavebt%tE4MJ!n^KrwXcw+VRg{?Is*zuQzbCa|=*)H9q(wN-ojyrm zdLq})*VA96XN$JJYYuOngQ=2SbagqrT8rOTPEXTtegjjN>rp6AS>5{idDF!Y9!TuTWZ8;ne=4N~xZm;D zQE@I)rAS4sAITl9ZFQXIfqz`>!gKK#_>aJQ*y=lb)jA%L1sc#5Hx^WhMd?xZ;Kfc7 zhf|W1Md|h(U`H=*fSaa_#-rR3RggR*Hs-1DYmvPO-Yzh>0w&W`47)b6TmqJ9_Prlt ze9Nq|)(EY-xVlmGAx_dkjkontx(4bJccx}urFm;94sd%Ue-G8bn54SP3Ol&!k#*x- z4!~Dx#~SvJh%Jh1{|)%7{s-`H8DEX~dvomo21~$DUbhzc?D)R{18p5;x(0x{%L{`| zs`otrIvHp4lf*-^G28FH5|EPRh4(mPqq}d5)j4`-5GzOGZ6Sx`kKaz2p_SaQn#x&; znJJ!-F)P_n{OYc~IG3k|8RNkX`?K*bjZ}@)@ZtSj{DWphj}XxxG9GPQ z#>Z0Oz;5~!vnVeyS?~acW>Pp3u9Ga=G8JboCXM!pE_;N&UqR>>Bytu;h8aUNo*Oaz z9(bVqi#}>xU~gxE)Dg_Qu^^kliFFe}bxRk3viLa6$cc(-51Y0dm)QZVR&m%VZ`_@wo{d}TXKkgFibK9J-*rEd zF`v6r-=}yJ$bdD3Ol+`CJ_X#)qARDxBFnMTnk|c6lw(nf|MTQ&FPSobsqVl1xV^UU z2%CXMPoW`L&}gur6FLk^8YJ9u$5x7V6AVi}KQc-q?S*G3 z1Biev8z+DWJ3?kPIX>S0>7;)4%{Sm?X)G{Qok2heu}_}Rb{6@7zT?U1=^H?clLai( zyYh{txs_2DyiZ2Fe*O9#Dn1wXNY5M^m2}k{UNsLS>sB+c8ohlOLr;O~% 
zF6@wf|L&c~Urz7*?t%ej1%Ld~Y``WqEb`KR_7|1Px}|h;Z#7Xq5V;}xp4+&0{}WPS z*l$PA=19)Y-m)KmY-`Z7r1|wVzk7n)GoE@ z%nU&sqij=B1)3vLBQH;HUHQj*pSvD72BUuN64`;^SOD;@c|Uoa^WTu#o}j}Ak6rYA zu`wAk$`tR^*=e~H5l`QtYH@~9WMQn%?=I+QOFBn){zKk0( zq>u@G1&=hU_JO=5U+%Rq7MO&yZC^w7eDNLym zh`CG1$d;|z1znCkvYlm-_neaHDP)`|%oOpxP1?l4oa-SlV~Cq?RpQSQ){Vd5{RSOf z;(%f8Lib=hYeLI@*dK@d#B6PTJRzdUyW(Fm%?=*v%ZMAsTCZd!$X8ZFa4cTObAbMWV% zeft_lG*2*R*E=sh-T}@|9s;H-2RUN?vHf;@wA-NNd@XP2T>JQ{8gnlixwZ03fhAFMcf-Y?7QOc8CXr-fmoL-|@!7G-BzQs9E(}v@b!x{K|NJRN zA+@yh^sBt9ctIP?Y}B*Y&HRjaIK6yEuCC!yHw(QV-!|2am$;QZEOqghjCSfpt?W7p zkzbTMe-#JQ&N3d3d;6m##vv<)DNXkTSzTs*zSO!aQxjC_FT%E{j`RdP~ zH;+p>z8iLH6}<#x%rcKlZYth~Up<TNB-U#4y4F>G zDVKqxw~rE@1fP%_ET05AUXaUt2ef~tHr7C;P4ep{OwHO-4`K7990bP%Z{AD$X8+7n z=4FuIg}vrmSFeK1$8^=1yV#G4Njq{jYw3Q^!AiBHXXQ3zFx9!s zzq5X2OV0jMa^TMdYRUl_hrneV+SIv@3gMRD8X?!(s`j;1Y+_P;bflaHg+^DKr01Py zUZ$i5Bb6vKf-pcOSp(M#x1~uU>zzytuPm3vRbP-v7AW{@7K@hnUWrlRgX+ zUDzbQzvgnAx8tmyE@ip2CNf&q287&ig6JqWY;1z(2Wxa8xB&;qt@9BTT62P9XZ1Xm z-)&I&3J2m0zPGnW9ZZ!omxb5~<8EH5`Lyx&gos$IW%CWI(M?rNKHh}icmJ?^G4FHu z#2OH9!iL}f#a`0Te_=Wyxn;JHgE5O*&mMNxF4j_W4^6+2t-+%vI+RJTNbdpb^b*BR1kDpTJ=L+&$XL~nB2(nAi;|zMYcX@o@ z`U+oJ;X66|z+eyn_9P4ZKK}`s^~Yrdg>~MxOy?selgXT#!7z>6qh>W$U!F0gt6*i^ zr~A>>(M&nHx!-@TJ!1)S8L2iBtC~DiweW>`YQ7X1TU{;R^8I@*(F4dV&TXT|atG88 z;H6@-2C*&y>qA{Rx_krXuJ?|Lnx0DiWFm4T=E%WiQn3n0>Bm3v@H|0Iag#XPi|L;HDVoZ|rC_*oqj0(ya6r#_-u~oHyPxw%F zq~*GbvRI6oa>#T_H0b(xH~avv{5@cHbS{J~abYoC-EH#wn||5C90U0J=imlX`QwRe zM%7-$2ly0+gFAedX9T#?@xxW608$U4J0)juo^Rvgw7^vL6F^Q4{C%BrsbdXKrPx9H z!_m$_1m32=dK@B0o`Zs`@RG}j{7^)DhI;7Hu4UDZ9NX{?luAiF$u@EN~Tr z3fr}f@sj`I*R=|+(umYk3IdVyw7mhNB!NQ!RL9JB+xRm|Fa-hjY;r=^0H`*#jt5Mg zf^g0cxzwTYt2K@TCHvT}hpe-E#{75jOzK<-}+T<ux#7xD zH-M+ld2?#~HdGlXms7eM+aUkPbN_ir_5@{eg4*&j-$9OlKS|q1&dx6AZ1ibxY6X)S z9`tHt<%TG`?UyI@tEzA$x(%rr)j%@*_M*pVY3RAsEOMB*#6b=O_jn|3UhVaE*rQt; zV(5zQG=|bcp#nQFjbIJ|Fx9O8OuX;oeK zHLr9;)9B-79yb7kZWtI;%#ZjeZ<3l!25K!M?j+PJ{<+0>C?kIFZ)M-@Y_s`|*$$ky 
zgN^$;&Tzd~CYeS$7^m;MlcTVt=G6Ncm>g=JPpc!Fg#>rx9>?BL$kYoY<)L1HRZMqWY%RK5Er7%sdI)?!Q9S~AV737 z9NfU9ZW=;xEpa7F`s3V>{{$uf{I&QW0bq73y7TYf@&A5;v|{G3hkz0jDH+%f2-h%u zxJ*azyOf5F^=??HqkGm5H z>3G&H;Cj%2hm39q85>^Z3qE+-0k~6KlI-1C^o!en2AO|up?9G2*nIQ4>h9mwbY`K) zl5HT;UdW-F|6Bu6BQy7@@*Lv~p}e*la@Ce|xo7P}y!`~{6+v52LgiQ*polIte93a_ zwdT~U^QX?^`@zV#=;zFwKY#-cmy#OCy$9g1SbvWcSOSXZRuDO+TyGVhH!e3gDsKF( z9iu%)w0-%$pHW%X0aA#{brY{sDXc`UrY>K%4wqAnqU?NcL{K^Ayv~3wwf& ztZ_Y~%KvTeGIb(|2nN3^o%LZ$fy){yVtaEW{SQl-;zlJ{)rAFIy(3& zJ=aZ(XeJ?BTU*T>R@~&1H;q%QVB-Eyp--h*LX+;3LvchJb| z%b(JF@MZ%W1}g!*CNh509*)UfyIW54p9F{R;Kf_J8gDD7U1YNJ@_01>h-%fRxzDr( zd((Mo!&K8MOgqr)VV32eXoGsTx3g7uU-A;t$bIsY3N_2RHP#K-s`sOj;7%XC0fWKj z#7kc0D>q`c2~G6g8X!x9K`0_61HMhxzOmZ#iS=%~1n@Kg`Y!H=dQH1WZ)Nap5?+eX z>C%HCNJ%gMsW39TqRR`m(2EB(Xlbb2?D!Yc0!POwX#msy648T{m_TqN!gcGd%s{6s z(9+r(4Q9#coYqY_F&Z?JZw8~ieD z&QPR*C}R@;+#>%xdq8R0&Li6&+)h%6QiV$OjeXe0AwX*F3Y8&KhTdCKei78Vss5Q? zel&Xya!It6mDRUiu4UGbwb>M(bba*%-_M+rY;Pg{^xT!2cb5tuiXJ%2c4i@!qFbf} zESDOh$t;sS%%4(HQpAq$&9g=!M1*Q=rDYIC+48Q|6$g;VPCkF$yn(RwDI7T7Y8333 zCsn{B;#waFzfX!Q#IcMC;!a>F1W%})@&_wWlwI0F|> z*?k=@g3^D)!El@1zpF(&ZCnqX)h{AHC+YJ9V|H%5Rmura>J;*R^MR4jZk>1mN(7BA#37~+(mPkMs{u&z!Y zLt6Yu!+Ji-)k7ZB9uB&+>jr`WTfK8@_`7HK^_7x0l*-s5yibX!_Z7aq;Vyz4uA8Vn zaXI3|mKE)g9YYXtzbx5M!oeLYW6980s-6u}onG66xOo32a3*7oU25(&0pVCo4)Xh} z-c-PG-5#hCQ5wYO?mmr6k0EGTwk+%Hu8{)V&LS6pUJy1{9CDI1)#1CxprCG1;^Qv= z^qU7jOmpSCIW7rDfbJTFAM6_YX`~n7=nTTtv54ESr zQ3tqbFggn6@S)72^02ww#ojsbQ21JVcJ6aw5`uQwsmmezsjT^k?hH zV;4C>#TFN~3JdL<(m7Y8RH%r4N#re7u5?CEe#|R~Lg3+AC8ed->+K4c$c*#@E(Oi%2x9OvaH z9ypm#)Jtu?|47ascY*TfMESWRlc79#j62tkm-8{bQb1$Q-ubye(GdfoG1AvEbOSbaRIu zqEMK4Ijx}Xb@U7Rrq{;>D@VNZUUNy_06m9sTkFkOpdQx-;%=^6KIi_ep7&Q6_-e?1 zxfb2Y{a^O~%Of2NIe6tygf}NZCk{V|jy>8I-F>D9J=tdqdJlSD%Q`LE5y^JB!?Xj* zbE%)`61K^bP!StqBrz*)8zpAe*lV9q2YJ$I`xBOs;t)KzVV)p*0pqNYKbPWD)@l8S zQLfG7BdLrJXSNQ7cZme>V7?4%G3R3{9#fbeVTQXeZTV`)n}(is$5^1OQHS)zbHiK; zDpJ-SV8&nDjt&z8Yds%qddtQZbbhcEqib4u-rJi_p_KDpx1xm;VVL&hsaEsN5|&g> 
z9?@895!8<)HqO@0j8l{k>U{^x|8K1OHxmAJuAX(~@l@u2IUj2KZ^lb>;=Oq7S52N` z;1e?A#8uxLZ}xR~N?e^;yy)_y=H_S0uNQG!O$cVe0&eYZ2@n-j-SrcULK(`W)q)zx ze!9jQDLwpo{soiJGH(l`&*&d?&0Vs!-dr6Jq+jwHHa=Qoy@I$P-6NLFJQP&OC!Oa= z_*{whmhvQg>dy<)H*YQ`mJ8SNRd|p289Vk_vj!B)ET#_0ZRBe6U%srr&CP+<;uugA z&@wP^A1Hz){!BqAvmQCx^5NC1LHL;Bu6saP0ThS}h3~=ty)?AFV!28*EJ;crQG;NJ z8rM4OK{3LU!7_YxzZ%z7m+#4W6Nrc2T96=(y6EChs#~$od;*{2pR@-l-`;O`VNm-T z7GZ`}OTNTCxsqzwn?KSd^>}Wr-H-D=()@&1LCnu_w)b+F3TF$2oZp0qESgre5R(a?7I@ zU_yu##5NR;z~rzGqp$=qMlnYBEV;B&X76JsUO61;KqCeHUNki2%Q@f*#g2TzJt^=j zVfHq)vNz_Vb+)*_&MFUmir%y+udA14mM$=@39G@5l=;D190RTmrO@A5^t210Kn|ev zeMUDHQ0}_J(EJHj{M!L(@^D@XPsT@=tt-w|L#e?XZ3jD^7Y1J+-DLN+cp4bI$qrw^ z5JpivN)AWu(D3r@$bm-?6t|IA zsmjd@+$Sf%b|F?wq@|01Ir5e=I_KPSPhAS&BSTgVVpZ{jgl z#cEyJvh?|_#GW0!nJtC&3FKK;ujKstao_dc}@IPMrKR&)NRep+bw^bC`?k~9|43}Gs zkscA`Iy99V5TtDkeOY@_#)H8F-I72TWJjOA)~-e|eQo1g2$#e?!QV{<`Txy&O*Mp! zb8^U*2_Zf%|5qQ8b9JuD6AeYMRu&NP*ltk|O6hYNOvU?^52PfX?`>61*8W%Wslq`M zYlH7>bWT-<@q8KWzzy+y|9~H8a^q@$T~``5yz_0*7sz#_lWkH{mDWHCDB+ z-LsiEE8h0%;o*->s$(Q5r`m8B-ik*%?aHt45B+EME+Y=L;W6Bm_?s`DZq_XBfA14> z%IYeZ=6x(E@U_R?h2b8S{f5}`3h23^dtMf*HMZetQg}ZydV~xegIKR0$bGoJNL_f| zLEW1jRhQ!PtJV-}Jk)R8POXQnHO}cYtB^KWJVl)`wXn~II+wSsHhLY0#*#an(7#Ve z9f!_G=FFTNEs*w4)vn{C0h4j#zIX6^f4Sl2;+$L*(ABM(&?)ChPjmf)qWJS8|9jea zCZ4c{9S7ncJLUJsTy?NrxMWde4OVH!AK{occD=ehP)-l@xO|i<-8bh%jXC`s`~5TI zvk41T{y8IF&<9_NhC@t0v$YfjgnI3{_GRPv88;f1TRAc?7o>aJM#B0^TY&$yuJ(6V zMcKN|xckrPa3{YBF6#EUKu!_$n47JV+3-wiM_!56BHCq8@3hr?Bt)(S=jBYyUi#@5 zz@7X|W`o$_W5b^ulAmK3*LbSNx*qtwE{OR zQdqbC-Vt444C>ViL$`LH{R#*Xpmb?UzO_rb31W#nefG@+yG9IerF^JIj!u@?CTVCR{M5ZFm0S@SF5`}Iv0(kQ=+G?H;$$$A8e1-sn?7c zl1@(IKEoz2ZOygZCwRuoX+NFnjJJ8?m`zXK_Kk5j_k)KFDxb!CXFKaDh@w_(cpr(sW-ZW75wOdc!a zH^+TFR~gh4t-z{m=iVB?Y{lATQ)SI!{PvpHz$0!&TQX7a@{Qg0Lr^f7+A$JIc^$SJ z(ZO%A*Q1gMD#K?UvY_p~KvJS+lKP4yK8CmBofVsr6=XT);HvNjVSuWm7woxf@uipZ zdO5KwyqTO^FjwZ%Lz|Ey)iR$}RAE#UJ-c$??Rw*2b`1AbHVHTQ@{xh?wh!wCIoVg8 zEtC&0k zMr(D@4{=xzqnAl%&-M-03R;*tze(R4+~JqJPH?-e%@0iUuf0Ad0LH`C0Yh%!gtPh? 
zDBYgJ^4|hgZ0{rYm%BcAgGqQ~_uSa*vz${a_Ik=BTliR1wFWsukdT((_c5K2`p zL!@E%7a%By5bRfHTF9`|-q$D#w7{~5$o^Cf`DPJ_tY`xChGmM49trE=>THi5@hTXY zPvdEntj0NN6_6wx^NVo_gSq-b0v-W8`gO3v(oE`+(Ks6?9~l8R+^Npy;~&nq#6^A6 z{r-W+0XL>{6z=cdUk|5YJn()UyY_LR`=ExdZrp>$V9*{jDh6g=mS%;<6}(*wjY~A` zV0PWvvG->**}h&iZUeqZlhSZObhoS~?IMtKxFn?(;GYx-cu3#jojq4xTigFl_I7cT zp?It*(sXaFbOAkq(TjOzWE2wTDtyuT@}y3r`~@{$FEf2c^vGpZd&Z%>un{QqFqz?} zc6{^$X<-^nHebFwJpHztI5pM^di>FT9f$YihbKizPL9r$$6WMg2#mKDfx#>>beYxZ z6z0hXH!BSFv{zxY#c;qB|6HYKnjG1&N&v^56rcN;b+Zx^_udG9|ri!#4GNbrSm z*Big?8gZIV)fZsGu*6UHl3XYFhU+Tr>aWB$vJ_$w_>Tq60Ha#YzLL^Boi@s>@Q~_E zFLu3-TRxLt@0mOB02@}Ws>MDaqIBN3-S(mXh?c4ds&aYy%UOZN3eobIobthLU3$Qo zn*eD|mKxN}mwP`1uXXiWd+&6+7K%`^cGg1ImR}|h8=7i;d@`jI53rozryQzP*<7Xz z#F1N3nz?k`Ejd-@$@!#9sGiDafepUe36r|gzKWi6cjCe58xL%(@X*h2OkoYFcDo%5 zxK>DNavt3^cxFZcmiP{(?A=Z+*ne!f$R|L&p}(LS+W0n=(#^bt5f0G9qztE(teat2 zXVW?vXP~da@;~BaJn$ClKLXiu&*=!x#<7{d7)JBU7lq*|Jcp|bj$S2awYSM9`Om*j zlDcoun}fgROgrctaKAGjlQdL;X9IWb@Se|!KIBTK?#lM-#uTVCn;~+=^sa965+B5l zCECHZK`x2m{wh{ZxWb6^DSroIK@;&H9VfmCvzB{k9b)kv@RP^4n zQV!Xn%8mP1>87}{rSu;|aeW*$u0o@i=;))IMU2g~ygpO8JtCq_|IT(ygT8=K-7C3b#S zjHaO;w0tK?!hJ{0|Nls1G@O6Ol0<{Hh%3H|eog1AmYRGRQ-#URT%>u4GoJ)JzI?gW z-O2wta6P#T3Kl=tl>Y)74u(HGc%Ymk6Efn633770XRJjf{nS*p-mljCsAr`!1^xAAQ5&$t!<*0o-->RGk^Tvfw(M zq24>R&%ogvW?Shz5hnekkxl75kO5q7)rlT(=lqT!1PF!f4^7xlhuxL3=X$L~;Oevrz4Xy!legxi#u#q^AD^d$;p}Mm?eR+yt>Q>YVe;3C6GI z(%3G!)@c>5sL0VLqzCTHz~P5&7F95(PdJj5p!+4Ya5be~cYU-yLWY>o0lIITY`q_{ z=7iN6wh4L(dsLc@A-L}VVT{}?{&F@QG~C%VIik)*AIX|eC*xk^g0F&+6P~VEuNNop z+gczD;)6TTGFP0QOmhsEX_}ThqX+TcieO0Ec0vo_#8Q_?sr7iXNM_N3U37^>@qe81 z9W>5L1tLjgjR@Z|7KCeS?GQz(gmloe484{ep5?E(~!qaOpY896+D;tpA}FC zRT;>-%`(urfgtVrVWvPt&|~R6c=I?X^WI7x)Z5;By4Sl{eMNdiMrF0%xQOCU_%fHe zyJFA0s!KU4mAq}vCkvTBqZ)kR4XFN`ZnJ{h?m}M#uUn67oGNi`*$;X^UyLvM6=+`% zj@h-4_W=z1RUj#;8tlFVx%I!5#OmJi)Stw3@$hWnGyxAk?a!2l0xw3E6}Rpg++2`9 zDmlonr>$ICmyozpGmsecz$w6~klkB3ag6n5K(=l`?$Gef(!I4K8v&sYOZ%wy!c-kHX{Baecsk`BO)`He?#rz3g1l?E^Qg0tMNK_v9V0L(O*QP#yZRj~_ptF5sN+GuLz0N2y3l6#3&v 
ziIazK{)DHMjm==~a*CmnGk0a7D|N=VOk82O3gP6L;$3G{Y6CQq%wTY26&MVF}Wrxm-FZoX5XDo zauSJ$tfbh-IpYUxxKX+XI!wHXQLW@XELsEZCn^q~Sj2Y;(!mG&y|tY)p`tI4t4yOQDVPB%kIiH;U@ z8mfo^3FpAYh`5wUVBYj&L%nrsVk*yC*FOlw{&shcJ9E2@{qS1ayVJWdoRQ~gx#YK| zspbd$A|^Y=)(ELEo#kY@AZ3~-GeKNQhzIUZFut7ZFERpKv&+Ki~ zlnZudbC1^u%0^>w)=g$(bK-V|WwK2pU0;?8l;w5eK767N?>*$oOyYZ-ah@D$-c#As zxEC`0tRs2fBXor+gO4#L(z&U3Pc6dDTrQ`)U430T1im-8#xJWjmFqrqXy`(~m^OLX zBhzod-y@&0bj4S|-`!Ys!z^TWvh4ENWCU+}7Qy6thwQYwtR>{5xZK^d&1}3D|tX^3}bJDZ+0Nnk>`%Iz2l% z3Tp4|BNIeHCGyejecGPIcpVJfUpjE)j_5sUTGHvX2CFt9>>e&JDdF}+p4)Uy&SnDv z_@sVsUZ*E=t`stg`220+)JoK}X-Gok+G)A)ielo03EK+XNl`dU^yR5jwLa51`w~6F zWc|V%LvO%C+IIbgV?jqTzEXm-%WQtoNx? zFm`?ODT(BI(olF3U&SkZBr2k?piU{&zRy9nqYAqi-MnSjICSR-jBI*Xm3zQz1Fq7qyLyoq-ef##g zEMc8N?~VV9Kl^ua&rkos;HZ*m14W?x{)(vG?!^vwB(quqV?0dKreE)~=Mvg(N9C#S)F z8|STxlIQ@))%MdB^V79$VHOg}=DpfErW$~U9O_3|CcImy2q?MhIe)m!IQbo{@V=p_ z+5!?nSV|=9lP(3^RLme0jRmm{2J1@izboaC~|J2?8#{;Kr?(HX4Z-yOz zZ$l%UIbVx1NklLTRn}LjG7K@n3EL{VVGbKem@s?DxeKP(W&iB!UJq)vcSjD)8xJw?u5@kW?tf*7E}xjoO6h;quHas9 z(F3hMtkZWEg6)T_gb*NiN1eI5l@sR@jgh!U81$9XsV%rioA+m@pAY9xINI7=!zIY%$_IG zKW~&@9Z2hPzB7E2*!B6%GAiyX9Jm!UDUR)>VOgX?a=8T zbLHGPk;&7b%S*LBwYrZTE`A{&O+jiK=`qR)eZrMJ=IWnwP7K`ixb6ytl0LO7WFiey z;(jJUAbax}!rvtMa}KyuAE?gE)^1hZ2z74EBr9wc5kJ6DKl_||w=T8J$_=JCe3w(W zJd}b-k=7hMfN0@dtvGd8N!DbgsObI4Uu%w(gW#|8ZA78aB=BUut?7Kuk)>I_`*DlRe zYcZuZW9ia>KdoI4Er#{@e3c^0dv|_4bJ~QMl^g`_gJ^N%8ZwE)+|);;NVB&pJHPGV zZE*$Dt^`SUv-mFJ%IFQ7yl}U{`TPFx>YnPj_-i@T!pk|ji6w5MHTuGB`E%qS8@S~Z z!sc-qr#T8mq|(8SFpChCwzP-W7&+_OD=a}YTf1c9(-5#M>jda!U0bGF&(EAHSg4pI zOLUWT$i7x;h)lU*kU9-!6ZF#mAJ4VpYmvWb=L1uI@$q->TAZ6Z_rEC&3f&&C_0ydm ziQTX31E{q6-*RNXS)J_+##EWE`}FnXY=K8;?_ozYZuEmO!T#mZAr4HNf;3?zWdwpu z<}g+dco&=>VtNjTtm_@sgf!QBtFF`$KPL?%`ce?ondht+rLN)di31n`y8AQ<)^(V0v`I#gjxRfmxTpV7u2V}utcmQ^PYDkPC=p#sI_Sd z^gPykji)9HL@W3byCGi&?FWn9dA;Uf_`b^uIaM4?cDy}JKl4hKBa>CHwX$}l8!jZ> zs1%pbk_Wc}>qcmwWWuFNml{sjRg~k8Cs-L%dXm2Nk&eANyWsf5!x?E5k-b8dS-$sL`Rj3CqF>Fkz!k+K5)X^wt|_MTH0>Sfswn@CY+Ppmor`RXUoWvOVs5;BbP*G 
zZiB6@c{I~o(_TN!`c^)S_fBc%xepS|OhT3yxhy$`Jen<%AoF9(kIGJ_jJU5ErE_p3 z`D-REztTil-i*4oT9uUjCUvIbc^F5fyyX*`M3sAt@0r@NjLv1<6eHR)qwg4fqO#8$}bn)`wxcbA0LD6Y}Y;akDes#dJ?~$ zO+$bod_5eGD~zu`EdtjRoyYFl*!TWLeVLEt z)qw`(^1i{M${N>_{)$nbXB~)$`IwaKn)Z`zdt&$~)!|mGVF_}E-UkmjMC^a>AeR%` z-9GG-+`K=~=Qza0acBhHP`$O`Zyzugcla# z_(BJO5Xzi7(22-scD#9tcH&@1WEo1)%L$vr?mbrQJ_{)lCJZV#&;{hUkiVon38SN< zpns|ty$s7)XKTKfK^~SHszP(SFXf>f2xh1ZmB%?(Y}aQE)J+hc6;2EHFa~5p6e*!y$QDrv zWsR{#lD)F;ib!M2Hnt&4bSitYFO?;-WF3sLMA`RcFlLZ_nHl@O{GO@P`<`>&lfHla z{wYfFc|P}ZFV}tD*ZnF=a<~M$+;0fyH}?J zJZG5EQ>M1?9qv)`y-vZqmu!Zy=Q&{M*sgiVj@)Vo5hMt*bEc1p1hpPF;ob%xpa}$i{*o@89e>o*JHj;(zyt6;TVbMmqpSoPWUO zXgwj+H6zV}T1xDLu3CPIN8^N@Z9W66TeT%>ID3afZ%hlqv@CE7IVWqVmK0EObbvhe z$(|53V4!v!{&c{t1OD*J9{SA(j}@2gLnavG0!aR{QiG}t%{z%(OgG|MOnd$`^&JY2 z65_DV#%IB@*dD{6PrPdFI=>Ldje5gj)-6RZMd@-jKD@>*=pItymTfVjXKg|LLAL$!_G*1KlI7+4E5(Cf*@qrBq5?}%ZEKUP#gQMJ zon=-r(e-6eYA?)|(^Ws~1dCIe3OfUuro4^%zSbriK?(X??YRfomUQrr`*LuGzFGFN zld1!T(3>5LiWfwP+bw~ceNL0wEfGjoh#y4Nq}Yz7vxRmPdO#h_%SqbAZ>-_t%suu* z)_|fLm~>Xx13Hc9>Q*L%6n`z55h$Gvo9a#dH|9sQ^Z?W`Dw?KTk!+ ze+_(h=zBymnI`Wghfi1dPUVqF`Pp=I3QJ4e`T#LgAK^5K59NKPWE(aRBNx*v9KcvA z{MI3-pnT^5{q*!}!uvzbPb#&b#qQ%o&w2w0-se7ksF3bFBFj+)w>Ew*_hc#kr3d(a zRf{}d@`Ms6!a_>U*z{w~g@EImt%M3P_k*k=X zaWhk!G4`G8W6Joy2qyj;;30h(a7)#m*@nXYTcQ8YN8XlPAT7;-x?Cj~wmKmexfm18 z(TkR=T+irk?eo5Qrj4mZ$gg~3XY&?MxM7=o=$$7KWWsl>J2BovMfFO-{ec4<>5YW7 zg05{`qOtSW6+^zdI~Hk-bHb26W_nlH^I~u1p_r=ig{#+l25fxqvNW-~&(D zkP|4kM{uchJk9DNX;|TkW88o6o~B9Xc<+8kxG{CARM}>(2HXh;J#p}zY3UW@%{hnXQN~zCUfbvm=&$6l6#WvWsm^B}su~#W_#t1@U+Ajs3xs+}{>PHe zyJ>kNy=R7@gZ20cqMuDaMyQWA=j89a)IC|?r5<|(m+dvct$g5rZJ9L}*s?@!MWUIp z;Z^A@;)$}=9F^z&jc(9=;_Qf;@|8ZiU4?$wcEA4@p+sxh5rS(m62tlFrIyFd46lh@ z;lh|2;V*uj@hA9&%q<*YC*TY;kpVe{u_6dBYsQ)9-p5L(SfHr>TH{FfP;I1Qp42uq z{yq&4o25IRv15Mx45p|2WqLPjDfMe8WWpGuCpG(NMHUlnV*>)NWT$f~&WjJx;`*6u zuY4N3`+9CrUbt33eyKrEGL_Do(l80H@pP_lp87r$Pt@BAHpflgrZuz154`@-3p5>U-{hMLKcUuE96z_;LnS@5ij48 z=AVndiPJqW<^8G1D7N|x%*LH)i1}(xxfon=vea@`3-j{%P$}fKM6}Q|etv64NGh+E 
z@4U0bxNebd4y1(c3fjAq-@*6&bqCj(s}?y~EHW^C45tn9`TpX)X^hgW3Zzc@6kToJ z9v}qkGP$5jdG_#)b_el?Get}bW+R>NERK*4RN9`zTMFj$GV6LL^g6p1f?N%DyG0K2 z!sj&c?yGJ+-wrm!LlF%JKcToW=g$}0Y(}f%A-kHTY6Kx_;h@vq*8~B;VPQFhj;Q|TkXB~JE((Oa|q0w{c3w_S*|sTaki(Xh$5%Z zPY`9zd#JyE_P#n!xGk%-Fy7i+YPQglCC^t54=!h)&Bpy~R9uM{{-}k`dzncwrKDhi z(Cyb%*;-SOa}^ylpyHAG^6fZTM_rq_d<&kJLHJ%2-dFm?O%$$~Ko|_P7tprIj20Lht0ufHcyrcHi&eAY_Zo6z`L;W&4#; zIpt~W`bwl-iF>mSbPiJbC?d8bsJO#<$EE0Qv1X0HF6Tg%Fzis!*};LD(=zC{P4_Lj zBuhgoFXOY)+rJ(9q7puwpwzLkflwa%wAi+(EI?OX-7#3E?MAcJLt`WF7!X)2EOJeD z5~mZlhgFhFf!p>Z+RzSpp2uFVje5Vcgjygm6hR77*|(%&(&%Fw)0@P_fLy0o#M-I> zN6yo}UHv0R7Lv;{Z(eR_G`pn`dW!D!ZS!0HM~@y=)K&{Ncw`-^ZV{7`QmEoqx;dLY zsJ-~rXs)0352SCPYtE&a$!|S7EGk)`Go5a{fpCmIP=h{7~$y4VEcVEJfdqYw3&ceJiFl6ahcVFegm6!#gs5KAEZT z(bEBgw23jrTQ&)uE&e6(rx22hVuvR3u+|?i;^=FR7dMBq>w~N%3y>{otGGgRi-uoW zz=krW_nSe=!*NBoyXk$S9&JnL;>GEFZQ9}l_jQt+%lfW%h_6L{&S2i!4#`N8fg&jF43kYaO zu3%2zR#OW9{Mkdd+%Z&iym70fkpF$b%>|W55D^i5FppGIbPe*}!dy!!+O_CG-vd#! z{SBIPlIC9ftI7|^Cs%m29ZasiHZ#8u!&*F*NR%9G8*2R=znNF=Yd}%szlkCs|$anGKi@9Eg|l1lZuPvYQHTVb~>|+b<#(~nl)Ln5=``P3&WCd74{Wxrq$68pL z3E{&S*0aJ8=5fBWi+^`bXLp#R8vZJSm6D-;Tq9Q@{pnX5KwZ7QV-hThUq^_>6dD@ap zdPYWAX{lIxPEO?X^kdyZ`)C7%OSu8UE@8GGc6){CQP|0}mb&PC9)3Z=rG)#Av7JRM zEp(%Ya^8n^9Iu)if~D`bcIY+iSQZnbwCPXqnu6F5FMBz=MNf!qO+=~$2zK^rOx>Rb zCBLwREqZybS9R=zvslJd&Vg4k7~vjy8%jeWwxeWM&T^+-+sy1yTOzc$Vo)~#^A+)& z0b^|I2tiWXPB<@K-9W`%M$mEXbxJxuirFh@tQS<&zlFo=u?i zV@C4k1=<}dPfbipCE<&%Qj*-{}Vm+f@^N8-z8JjdVN4y11tDuWD%fjB>_ovcfRKTe% z@P&-+<xKRvCjRTEOlhRLm>_ReGgB(kJueIT4k^qdx2&oF>6V8dJHtXc^Fy0^3kD0xVH-IAG z;b1wOBo$=|g@${3dvm*8!pfm4Dh8Q}Ws5;^q7GjvI&914Zz{K&|x=1JKOk#y?9I611L{<-Ca(2b8qqAB6&y+b4!U z6}ekaJC@B(>xOCPSK?Ff)$p?U?Y80;Yi0}yBCN^<7g+UdyDG92zBTWtrJgoJ`Q}xa zZdk>vuQ|6HS4d9qW(;j(<+J>j>47Kb2cdCnj*#5LC75NgeEA&qV$ST}C8nGpF|A*+ z&ei%?$M?e--qr#2#No~EPk)LaXDhOD3#eyYZd9K0D8FKKRr^d+EPG*oM#?8vwNfN< ztT{{n;YU$t!oVflitQpnAt42A?MP~{q`AhsMJyr6ePhW|)Nbf0P<@xRDV^dh!53l7 z#u_5{Z3$NCv4-qIny2%urpWrd=040y*y$wWo1f1Wr&g$#^#?wOoLpm@f8Jj?N_c3d 
zgP{(LZ3r8KDd4%7>9JKobhrHveID7U!+oXnflvuo2cDK$HRp$0Cm9i!^=j>vaI+C% zt5bEx6pn;vwaNGhV%_bSoy+^xA2i|hZwBIX&`g826RK9SlLP_Pe^}Q)KTY-_QJB}x zxE|W$+@kLNFA4!7%n5aA_J-1YS6AKirf3QEH?enC^Da;&mu48`@e7Q8`|^^c!`L2Q zZwz17>??;O&xzXK+}PO2o}!vs6ANZ$aP|Up)6o_P@il4m9_;>pL^e6bpI`cUwnb9= z3{Mn0keV-?nXewPQN&Onu=|RH=g7KOo?NZBW{IH{ktYP3Za$)v;E>(Mc6jCLLJJDb zA~Y}#w^T!u=}z@RZ37%oxw0iAeVf;^QKG)^_^R`@bBVOE>jHV!;ltiW^wX9i=$4oQ z`{Ig5$^7Ui0%`F*LeD*NJ`NtnMnC_nCfdJ7Qf&}!7d&B^f7ev|d(2JM8B%nX@B;9w zdfDUDKYPmFppF$&6F{0yjEyzC>Np>*FQRW#cK?q|o${OJt(kel3siKxb?NG9R&!ec zQd@7WFhweQdU|G$9$oASK^G93q6OXojh~!~9k&v|RKy2OIypJr)6(K(*{N(^_`2H_ zQk?(Fq^_U#K61a6^>KO`+SS8?xe--QmP*%+E4Z2~dNbL3Cy2YXA{^{FH^+1OhK}-+ zC(^-obXq)iZ9yW^+nB3#QNXZ+zhisI)o#@>>y<|iH|<-ssu}(Zd(^O`xOtLSdLR6= z0{!ovWsgPEWae+LmK7JV9)UQot z+O1~mE;sXDd_2!ZL-Sa6-rLNh zMgW0}t#cp0F!g?B8Rss{e+8b!HQGT)?EO>{)m8$}JnUdAW}O`|j^Yyc%O1J+Zzl1V zKfAquKQU*Y`jDmz`5xCwdZ?dD95gxK?O$?vLD6zJp_W~a@yFMvsseeHd<)Hb9%2QK zz#!Q;>kK%I7ozFuJG#3c!XSer-O*|7iaa*QEUM_reE-6eS#j5&$ds=)+cs2eHCEKA zh+sLWV-iIyp|itWDz5(?Kv5oY}HLvK>rbMzvb>VHBtM}MaLYsD0fM31JW^1cxgXw zkqUGqXU%YYg^AlSqpjsP^on-)Ea7T;}*sdO71(F6p(&A%D)K@ z!4#AjaZ8)cdC164W~U2?CjQeg{UZ(I$N_$8beo_fx`zoWzx!Vp1z6=DmqNnBc^1c; z!eVX8jNb5OMn(&1-jjTPGcS*SY@ozpp&y!4PsLZp`qRrpp&yr4SGmmQ22L`cJNG&$ zh-M0pk0>eCz;U>#Ho`-gKd=|ua;nt z5yQu!H~}u@1nj}KX1gkWyZM5n23Azsu@gI`1#egRaqgC0C}9i8>rL_A+QHM3T98ic zO6PrLE=D^M^r^i}jZ`5R0+*HN<(v68`MAGW?RT^${VBnj1U))SRHQZ>{gJ3tj#5tA zObD2tYV_F<)4lE$B#LhEadk+}c;J7Onz|lLwT^?mYoTF2}7M zMuhCl3)N6XY>?p2>P^Q0svK>WM=9O!XfFBAme$>u!%JOLAVz-K>cd+-K7{FdVRQ**q08(A+mHk)c+De55b1 z@`<2NrBTi)k&P{pm1>(^?@&Vo5x>|%ZOyT$IvR>GRj>_keYsF zPO;#uOSF{$Dhin7)!7>sq5YrZwJ|Ve3^T#PJs=se{xmto;$jI6Jz~Zo1+kZ ze!+{rSUf=qG7@ao$-*WWRIleMEe9XaCs$mr|y( z2B;?{URS#HeX26*ocHNQx<-I#o|J(0EzO?kD{yTbRZbYnH;W2ckL!3w{1;f{z z8E>w>@z~jN?JITqD8AgKzR;n>r{In}%$xS0-L8-#1vJ%Pcv**c4%<0hHNzJ;GWM!6 zWHVo5v&wqO=f|w56e&=##?ld&t8k0r5ZPfHfj51cJD(Y)-V`AcM9{vRL-;E#jJsPo zB8|_`UM6H?sfoABnn&)q#l&r|i>U0AF!VpP5$_ab!3GjP&(N(~&C 
zx$k5X&1#)H$I7c7ZbTi&yW#cX37&RX!wliK|8Tzl{Ph3SfF62GZlhaxuSZDyqFYcJ z80nTxu=3DbQvOkhn_MPm-fdt%-U&Tx*yu?8b|!m*oV>)oGZ5W~7s(2dqnb`hF1};$ zkeAg+lKxAR+D->blyc5Q98Y|Fd`D-eX`)IbZFsCR*_8LIl5!+VC5=q+u-(M^n#^Ri z1d9I(Y8YGH?BT4K|8%%qlKxu2Vw=hf4jwLfZBBNvH|q)h&G87v zl6(`m_<7lQ!y*LJphqvPKxkuN3pzb3uzI5gNx`rgNo=nLnIXO811np-mfuCId=Rb7 zc2;yCdqgXPh<#OyAHTg9Abm~cDJmCaf;^wB>|`g;(}XjM;kp9c562cR>9tXMH01*~%f{jzV^Nu9Idd`|gx#*cG3 z%M_!u7#b=i`{E3a_W;wxO@IG*lVU?Cz!4P_W z^#_8x`&IaI7& z`+1Mr-b5UX)EJ}Zk|sqH-c^xE4QC|Of8;E;HM~_?Z9;1!rA|1wGRSzjteRd+yr7@b zH>lUqA#+bBiZA7Y9KV-Me5Tu=ll@|#$n6`R*-HRudPc=#|E=b5Uy*gJ$L{7}BooB> zw!6D~9%{NKTjW-q-T^d2-iq&l+e}Yim($XbrRYn-e)z&pcY!-~v*Ovl&vFWJUBzrR z7(P3qlz@|1!kKssJ*2m-OEegthU%g1tW79`I;@Nz3C3$YK53oViWfkkMOCmm-u8?h z2zcBdjz=Lo4>u-1?QB91{b}I8yb+gJ0c1p8e$#0GzazTekK*eYz=+pqKq)p_7m(y}Enbig$;53FD+|HJuVUe8GRNKs_zJomC zDXmXLNf%-&!H+ND{>1><9SUD6p>{Ubr8L~!cnf1vn#gtXu16`U=Nz_2(rn(3-Q4yi zrl4ca(#mN(HZ)`Ll3c8FuQH*_X^|8*4FZgy_@8}@e_Znae9BP*{3ORNneJY~QLlLZ zB{d0ACQC1)a?`u0GX41D*qhZsRv4~au|ZL3mUnW>($X2Wh#2(LPk^uJx&n=1AkR9| zfyKrv8)K6*yD2_8aZ=xRzyBD8xNp6h$+bA(|9LqYelbj6RDR*{gi_tCB#W+~3v>1# zWzH-I6WmASie6#|)0skN7sTAtkuM>1-a;|C_ysKNxd-1#Es>M1Y>pU=$K-&`V%_`_ z@8h`V@om+?*2r9EHAJ-ww43pFFZqWKL5296y>LOm`dAh(qWaN)Ouv)_iGxzY0b4E5 zt;!5bj;#s6^G*tq1hasJ3@50Q5~zD|6%e^dkYY85`XXsg*Z)3Z35k(rx zg1x%hejzQ8e^uRBkZnnkOC6um?aO3p2!-$nk7dyrod?vu6L4Zz&<;4)p`;~)>#S*B z^U28%&7#;2+@BkAbJ8F(HH#J>M9n+PARG>2ET8e#cA?PO3sr>LzF+1bualBYE5R`;xo8qVl`^aVMn zz@?cUriwQN^#G3iq?*GPP(~4Pn|H%*rZ3V9>TPXVvz{F4Ok>z7+O{&q450YAPI96d zE4=+1t)E#>_MEiKYhFN zrxw8W{8(^}!R~Y`j*H=*T5{N%Ghwr{S9CX7BrkAh8($`Mpalgvn3$LrXm{sm7f?jF zS`dp=!fhqh^1@;^OT%Ks2%^~-6FeDGDEtDey6Nt1B>~NS`@~^{$V||PbvBwC0K&I3 zc3y~RsRZ0iREx{_*XBPq-`c@Hd=YG$k5f{49_v-BlOvU2X@!g`uZnMjQ^licK2T%l zmyFWdFD;c=C!q=MmJoR6vKycq|DpANz~8`N-`s_TBYT_@7ib1_PGQCkzo#Exxk)MJ zJNZn*HtoSgm;Fl}9p~5IOKnL+iy%}#ri@Y7lu;~oJ(7C1vb{Ey7+cswK$pBzJuH^P)PQmxpXU^L zyJ~WF0B?F=Bvt)p@c@%No#cZv%tznOlr9@K)qCD7tI)To?Q(X@u|~NTD!GU{A8nP3 z{q0kmdl#4)i9`3Q^QXSo`6Sfw3DK?m?UVOlw1Ul9BGJf8*+m}!NGAPMfL~@BQCo4s 
z9k!I)Z``<1R(3Ah)@K5dt;d#f;hA&VB56BGg3GtVuB%uWQ1+LjprFVeJCRz|JIqwg zZq&n>U0pTv+`?@{a&`K>jWr1fpxv@ym|GDmwxEVWF4!}977n(c+QQLaBrxIYa~bh( z7!Dyq?IwEM3Bq}#X$Fixt_IhqLBSiJyVSWfk8~aJOYA>Z3Y$SVl)85RmZL<{p;y>m z&fSAskQxBGXr3mu+$8L^0i@Sv?F|sQ1CxJZXsNMJ5mauOt3C1UruZP{kNCoDZf>4j z=%q`%uZM^4yDoQYla_(zIZUY1GcdfMTsN92OkP>@oe(EAge*2Un|MxfqtRsmWKE$8-DmQ*m%T6Ta11Nyj};18 z5Ic~Rj)!w(F|O38e1QYMMMtwh7){=u*17(-itBGqHJvZ1$^q=j2nJX)NrCn!$wb-0 zyAkh0A_kxENlh)imtA4=*07O;=}k!OmXKB*v-P~W{Bq8>o%0m)QJYPWGRaxnh#gB< z*^Cz3)$J;DUdE8;sEj?QlY!M9ZDlG6GTGG`S$CLOEAsY?ddFmK!KB8ASI1oJ<^9%g z{SAhI9@VDs|1@%a(T^{le9~a$kHzbDCyS4Y4DGFOzR#QEblvR^r~Ew`gZKASCjbug zouzYX?L#ET_cGyU4#N5k@52m5IM~uTS_^1i5aH6l+@San7uV-}IHzpkMH$#~2EcV8 zO(n%XSD~{^N2X>(hlwE$Cq0d+HDV`LMvVekVm^K-{h-fSx8lDv!B59-t_;b7METdm zm$0LUSLZRVGt^CZ)yHb%>~2^@PK zt75TON#98?k6E`~?q|fIKDBN^iJzf0^n27WAh7{zLMDfnMt62}Bz|qim)L>E)TKqu zh4bHC`{DEdO@#H@HHbb&kdJ!PGv*CLLrDdNg?-po3ZXi^|&vSo-NwdXwop$(doK&??;OiXMPv;~TI&lRn>p;mR-yV+n!yTIEJ zNEpPy6-?u>I+-BsF}wrU#s5gpmz@$&--5zo9hhouII{6g4ikDX8QN%};&{Peo9tR3 z^;K~T@(EH7gjJ_}3}h$naq;iQsMlGiEw_Abs_*Jswv2$=^gLqe*E-&clH75rdeT%F zj|mz-_TK*=a3)Ye&WZo0f@HlcVxxg&7bMCM*lWP9qM|}tEF$W@k_nnA#-7cb-VzT^^mk*fE8&6prq^hv5*mrTPfd z90C~3G3umReP*4_5P)N{x7NyJQb9l6HZX!#8Kwfxw;cC&`}P_n@{Io~oNe(0y3>`blLrKz)Qf&zchB zmt{TKFMdQYmzuplnt`jBner{9n%rmN?o8XY<|Hs(=z>=p2d=3K3Y&c%?g~;3jD-;k zKq;PZ22P5OiwzKV8Zqt_{Psr)-%E^N|8n~liD|Kxm23X%ep8qMsX}RI$K`HirVPnHkuYa+p!N6>MSb=(xwoi#BYT zXpZH2d4?wpG?5y8$f>N(8XlO4j*dpZQiomQyK<$V7LZuBTpdN0z#4Ya;#nK&)!9CF zpw%6Y!x>csqU<`+^L}kYvsv{Eb@5-~#h4mtePf-g?jZ2vD}j&F;7#|dr&AZ7yGDk@ z*Q77OE{pJdMvKXq%})q*7j2$}7MMQL76=vy?AtaxIUcD?oXo`vJ(f~`mxy_6D~_r3 zxUPQPMo<3Fr~8#}W34AK{@3a17WVMrocpnO55sC-kd$R3H^kw;he0;56}v zirj?5y{~L6Jt$diaZeGHP%qk^j9mB#^Lm2kG&B3P@&C9w&y_&8)j(Nr4;fBx?$bJh zpKdKZM_4@?xafB0&pXE|L~gF7t!QZ(YEb5KmxfvVk+HoQN7>0`4U`jzSXcCmnkb4b znqwaJ=v)SimemX6xMN^nUYuSSWC*ItTCJ{o4vKk@A7J9 z{fsWVx{3lM45F)K!u;DuU<2=g;)v$2YbaK`WwO$lbpbVr#2pk@@R-P}d~YFt00-GtOejS^Wvp5?bn3 
zFFe#Zyd3mwn3;oM&lRlE-Q5>32;0b=9nboPrjWdj2bU7>Uam#9Do=|=9sSj<`w5?% z2bWLY%`V{YRrKEyW9>`-oK|iZ_}N3gr_BnQ4S5cE$)9KK<72~lva+)Bymoi|T!-&m z{qmpF8EbqVfgS8F=PAdP-^!tiw)3yKn@3o|x!biG+||q6{yxbA%wTEEFs((h3R+I5aNyQ^lvr>@(ce7#khEZD<(pv9p*M z2`Ct(O@wl=b85-o@C}||&!}$hgJ)n}tAdlJ>v^8g!r#CrS9!=gQpfZcJAQqftXJ87 z+B9sor`GY#=2H^n87Fm9$|Ie5`QyZh2E?_NSR6f8?{nKVJ!Z_PZZ9@L=zLI0L+| z?DDUD=E)1cw%^n=X+5`?rbK=2lD@vYLBCcYrxtn#*a4A9ObiiPURmik#DNUiy0`rO zds&i&N=Qh&YxVc{pA|1DDY>VkbMecUFZb@=WdmYsD|P(HFKTA%b@Gzu!JfzPcnIu8 zxy8E(uslZ*P-e``&2B5)ecP0g{(9UYi~qV{)FY*b5_=pp=@u$e0sHR!1|7ff>x&R| zeLr?y95+?Q0%qZ{)cHjcuH?uoA>BEBG#uVI?wA=);@!xZURSrK5iAh6FSgLyIr zthVO@mpd#rl6%?VaY|uU{JsqhI9t=pJsb}uE5I!&lhih)$oBo(5RN7OE2)Xn46GIF zdv)RxZ&PH*@b!qNkR<3n!|Gu-nrDs?!yRa}#eoinupS^-?bZWUXf!YD!5qgp;czDY=# zK;A^l49EtPEqJgq7Obqcf?yBB&%Y!jWY_L&Z;q``Bu2U}j@J`+cZiLsRU9|CkrAIi zf98(K&d6w>X!BYKPc*o@3++?z-7TdmrP#1&iQ%D|hBmj%MWgK%zy7A3xzD>1Olemf zr3wDEtBh&^17c~5h*sneEcE0=p#sk@u4ZH{3rphZ{@Z961x#$iuO2smsFTVZukMMche#_WXk zE`wmVlf^mln(U(Hh}DpFi<+(9O+f7Pt_MUR$r4=Cuhp=n?@|8Sn9@_}EBmqg;X4Lg zTbU3;D5XUE3yQW?JcbMO;ERBNzqXzqH)rTbGTWXr3oaz5?#+}_ z!z4Kf6lJdHxpECV(1v^`Uw}JWbL!%y%VD}g5i5OFzK8HMlh+tkpQKQ3TTCsW}#<~)B01ivVdw-;+v(~ zpN!FCQRQSMqJ3a=?zZBKmsdUm^EfH|G@GjHnA`a?hLIEn#xBF;q+`ZQv+fK{u#oDUNC3etAtK@e$Qps0qk~n{KmGt|O$6f%{w_1ZaO9 zF~1vAJMc^I<%)j|mYc-J6=nfaEwBA+V-J(t0|D|r zb>b5;Zcu9D8A;2C2@dM?_bfqo!$GM4IwPDn1Cxoq zzP?Wif~-y)c{WR!a8s?ZpX#_k%3hY1mTm)4U=6LN5c-ra9rnWy&hthJ{cbopkIeGY zrg_=fJxsn144B)4hR2ft5=#79j+@Bg(UQpYU<_rN4bbx4R|04>WKP?tq(s$Ym08@o$3@ayFN zhnZ9so?(6Jne~kR*BoT;OUK%&R_anT)BoWbiULtXNzs<3UyICC z3eo*}sV(hu10JPpu?6yOB5wA|B_XyY`V=|sL$_>yeZPL((6f=Ch4th~`>#c+ylYOj zRgyyZbBZ>Su9$Jbg6e-O^9 z2EP@)LJS_f0wJ)09xUm#v?NGy1DAO3uCVOmjLY8$YI`qb2GOI~&HL3y7N6ta-$Lrg zO8DvkPq4&BmY7R3yGuD+ZoJtBL$QLeLHNLNQ|rwplx(Q8**K^@a3MSZbF@sx%L0P zjlUIX$#K9EUvDb9vH_blSvV-UNF)S`_EoG;27tjpV_qlcFCMB7x5!|Ojo;pVUW2@9 zx8JQ|UqBdd+Ae&x9b|t0WpetDm`$ri*Y%B)gJC>UuAWOAU8Jl>{YsKl)H(!);|0y* z&<)W-e)PE#QPB?PTthv5%q(B0%UE|-9<)_*(>G4NY``y3Qba`l$im{StbEi+*t&PS 
z_ub`m18=#@UdXaP)jQSs{v^k>V_SgBG2-d}(@9BR`BNq_i=vYSx83`}hMs=vp0S9M zy?q}3dp-9COlAZ>mjALwF8DN?&06AwE7#(Dg>G>`Ifj5mjs-yoAsZX(=7*N}H`{6^ zzRYei+ti)jBf@;o>kLkUc#8ImxB>E5?YAeCFMBk!8&YIdOeH6(Mvq)Ex~?X? zy}D~IJ7f&sVzjUFyUg`bLtC>By}QCUMk}?bupXPU<6DN@Z8KA8CMEur56QJ~cJUry z0q2Qr+tINX6z)5&jjf|n+uhoH=vNlEq<8gq6U*10-9595-jE89^xWR~u%VG%c|M}T z5J&yp?7Y)Yf}AKl-{NQ2BIF6t2i$*7hZ*x1JMYRJCR#{yEVDt_&Z>K`v#oV?&##vm zHlQkt>6igHP=Jh{K@lEj2cXC8wdM;-40g?2ilAuT#g{Vr59`A&kS?6!3#yd-e0_?* z<3G{EU*;a!q<%egrg0KHowOoVoRHKN4Q+_PIAl5-{krC4F);x-R&Aa(c!;t5BBa@- zJX{x7vEa5oL6p4UwKBH**=92Qa4UcWkExq1SM0*qU&=F|*uK%`@?z)H#lL)W@AMOZ z7^=DO9~9!oUxbrP3Q<9Ypv=vlG4H-@<6JZgakv%4EFqR*d|6|1w>Ij{8*^Hs7})x* zsHm6>CjDQ$e3_DzB)zb(u;t7kj2?3J@~Qx7S?~M&{7%BDLEt_UU2iy2$GG2jLeWsP zz9)_>cP(?ewZkwKUKIs}q7@n?pI8UCWPEk=c1=$1U%I)wpu@7KIY}#0hP=D|M^0!Y zDOF3oH54GVQ8KW#6Y-vNx4SV%u{NdU?y?4lzcc`tx6nCTC0jU)UD`!ol>_0W9~>7C zsO+w{?%u@p?*zq(b&97u2+)IXH*{D->vd!Gj1(PgZD6MMFD+^B^kXidy1IE_a{dj# zu{i*q{Tv~R|M?QVpB%PwbABmaz7={GF8I29BY*V||E|Kx!9$Nsic3pn`1AQkNhR#U zX#L&odvDKU4$cCG&=qd&?AM?(1;)+{F9RbhtXhnVI|ueW``4q4{psOa2dJY~mzNbl zNiShs=F;xQ1cqcmmu7TsxSB*#)`x+_5Mxw(*uQ zslC{-Q@M4kbZfjYYhjgfXR}7_>+|x;(D$`tR9*{oJMg)8tWs)^A7>!* zVU;r8A+%S3X2DJ^_eRx+$@%Y97+_%4d2Pjwj*lA@VM5lu)wbDm|4NrszmT+xH2j;a zAE}TienUo_#qqhl0>(@Sx`*{)FBa(EdD(`V@9Yeb(AllEd1y(20;B$}Wb(UrGH>{d zc}ciLrcUnXEv#}Npv1r=T1C8Q0lmDbN!d$#X;m){5nke7E%ZtfD63GNxe}spQzGZ) z<~G}o#qxkW&3*?Q`l&uiB8uOs1MZu)<_14|BDw&07I~3+wsEO z+{OLQ&L5NH{eJ2tr7D{&I_Te|Z5TZa`sR(psivl?Yb^xWw#DusEFoNecUs9F8}`gI z9+tZjyn_or$&cLWFS%|bxp zda}oayVSYmS4Ti_8`3*6NelP)r zcaY4b0wrg*zqEoz=X?LIr*0sbpQM>8HQfLM(cAIe@MKKvyM0^viePmEqWK&=63v9(to@GIDhT~c!dXevuSXfL@3sXKk9~tM)o(-v3=ksE5D3+s| zsLf0}@#BJ)#=2%MwCZ~@9G494HqV$@Xrk4+waXuxnc0+XbY}6t#9rm6B(Qs-NnNc5 zHM0)%J4wx#-enK6S$dMdI4KTfD}%g{a7hj~D> zCdQ&yKjcJ$iA?>SjhtP*oweXy9m%ySTGfyH)^r9J&AM42&P^0;%`6w{o0~&38tn6B z#dj+v&DMVd8dWZx1_Y(4P3$7rIueo$@HSDP%~W`lmR1S##koCRZCOmKzP{znLnXRC zmYNS&A!H!dC_QwI)`)V5>Dw*^m7bm+Zyf|V7!f~y{gJa56N71{&WN!!7RWW_dGtL< 
zkCjjoJf@>=c!5Dj(yLsKBn;*-URFChglaset>-v_huBmoj5lY6)2F0>T^?7qx3}$+ zr=rdY2PDukOFm}GaSSq>T&-pSG*zz^!a>Q5>DiGr7BU4^DurGd%8-3|l<%HjxqSYc zj}H~^#kvPKG;Sv8WM&m+6>1IYWfeYs@xnxI#>n6$Rq-d{X1U)5X-YHpgL&2Nt=-8A z<}#f19MRERL5VX>aqfU(;9>i(Iv1yeY#5d`pi?$$+qLci8mc)Rz?1stW+WnDi4+P8Srq<4Osnb z4N51alD9;VV_)$IUe{^oVaMMm^ySL~H09$ITjb`}II>`J@=+iYL<=CU1?8QTmtidD z?zryHcc}ssE)ntZ*6@m{w4R>U?y5C*F(i=!`l<26=e1EOR%MNpt_{mrcG6jjx>g+Wno|u-3DJLzRu+I$kJ|o z2K&98DS-^u zklX7!z5!h&rkfA8V`jSE8fNy`_UmOPkX*U6=8>ppd~v63i*?)0R{jExtoch5m3TX9 z=1mP-T*~d6DVn21V_!{_KUt6dQ@~V`-6St*7d4Z^G@cKK#Vx}%qn5X;)dm%!j!s%y zTGHUfQQz_!dGimn9y)q9NgC??$oSGY^6DZ}AopOq>*u)qyuANM*;U6ynYC>|Pyt0< z1VqXNX{81jQdE@g4(aX~I#*OeRJxIdAtZ(vS_GuKTZEyzhxpF0>bm>xzVGk*M`vJw z=Q+%U$?$b=Or2ebLR7%Vkm@JvgC;4eChTW*`K=vy7kqP^|Vi(zO^tSm;#~nO)6F_c(c#TRtm>e)3i~D7K&R+jmvuZL zBuxq~p)^R&%4dP+!rEI`?cQw?lN9EVJ-Pl~4}v~AJoM*c+;J-)aXOxKPo6c1i{UJIJ5WlMH~vM$^HS=fkACOLIklKVHL{81TsF6)jVwv3MLkASm>XQuE^rGI zIJWobS`ZUFss94y>}nR%QcM*=t5mLUOe{04lkha|$F=vMPh1{DM!Cdj7m;~kZ=a)7 zJ=@x}6*ZI8IAAXRw?%)8>z6+j+MB#5bk<&!*!1T%u=*{M!y~YD)-+1M?oI2HpDV_v zI+?R8Q25fwr;AX`NhKpmoudatXZE1ug$kgBprFYzxZD+d^X5(D-q!$5Fa~sczDM-R zl`GWzI@Gs!gGXmJ=r5vg*OFDz2Q}CCg}54E2xd(UYg)HBz3Z zV_%AS_fW*A#eF(}XBI*32{l@C26(Wot!C9ml~9FsgA7hqeHF6D78rH1E;#j z`SnSUOw7kBG)V?3QW0})h%*P7nj>7M{VDlAKE9!rl>_hJ%NLCu3~7RK&qQAWhSd7HqaPWlZ@H92X@`77Wl4DkH6kAQ?0=9{d zCiT(W>S`X)u2_h7UFiZ^7TPPTS?!!WdOAL906-1}p2SnjnDl&mM@PvexO}?Q)D$iE zXkfitwJtRUhw+V&u(1k9(aBOCC%V2A+%mg z+1tVRSPO$yaScIb>SN^&HZ>RWeH?OECX`nz1Uq!JA2V2%@1G^9bWTeQrYhetp3N>h zSZOq9F0d?pP~U;fPqTScnv@g`N7a*M4cr}bc(!ZF>&TZmdH-c29Zf=3##5APvEW_@ zDw=)QeOb_{bnQtzZGRB`ZZOq{uDVt0QdLwmJhzi1V!QjR0i3dZI){WzySHz?6Q(L` zIGdK9#Z>ol++4foJ?j1dC>p@^IrA{lZ3%wlWRE~4OEFpPt2h1%E#a~YPFm{eM;$Kn zJg!%+rbBa@wU2h5xmQ}tnv^e3*g&*A5!5b|WR8<%g?`FA%knCq{XdyJue~eVvr>7l zJkvUTJ4Mr+LbG@IFrjh$(?Q(e!#HR$OVVpYNS6;H?!xua+c6FuNAd((;Rn}- zDl%8l^MzO zk6b&NDv`I(+>U33Gif8FdbB)5%pm6B`xM)mf_!pIZ-WJo@{ac+s>$F$j%^>^AGdnc z-7a#L+kNkz*3jIG0k_yq+Qq47`pA39xee7k+Hy||ocCf)ep 
zB$$SR0#0F7AzSBn(Qa=gqhcB&JUc%>zcVV?=?vgPM5$iV`}gmc+Ll^cTZ??V+RBcY zN_@QRi0v)4VnjpURXz)$^$!eGNPZG@m6FoDgs@0}jH5$DM1=9GgeA^Un{#FAHNg<< zv8(JWUuGqj>eKLrN}lbJ{f|IQ@fL`~!ajD>gU?NBd6U2g%#Iq`hADRCXM4YeD!fpE zg#FG*@DBe5%RO|q1Tb#Sbyc#?b!ir;3+JKNJRcdNchL1Nv(nXFR3c}|?B(|c$D1kV zbJ^C0;gm?;%bqI94M*KK&tx|totfx|##{NcJU2C=UPGhC)7cu&@jhNG_Bj>{2cFrn zX7c?ETzsX#XI*}~)sDT$X`TW2u1zAeC(o2t0=^Ig`>1-q5BDWcw7V9I1xMZA5g~|t`Tq8AokHYMYg%E4{4vHQ_13$OtAaf z4>+)E{}wdB@(p1VJdcw7CbY71i^yghdb`C`qXJuFJvrwE#_V=w7XA9W(e%UBg=~S< zAPi#B?sy-Wla$O+ci_xbola9ss&xcpgnK(WZA+-Pn6codz)^9^5gvWrU=yiUVqBxt1 zf-`S|g9iWwya;HFT8x&;LSZXKf-f^9s)HyXN`Sa@m6$jg5KQ49+Ci=$7niWMH+Fy= z&(H?7T=FtTK1?tA{d?VWV10Z3?dj@U#?9Q=XT6b7%IdQiztmJT+CeQdS3D&?z9bes-4GpENSp411rCJ4U zg=?ZOCpX_)5NO3D+K2Rwsgk?zQnhDo9|{^ZtFAeBH8eOLLnhR*z3R_=gQ}3*N`8zj z8S|32x124*7f9gK$>wzc^xudhm+A0jsl_o_p26mdgSk55t5JEUtrDB>h{R?4HJj4fgl8kfF%vh8nKY7q)j2eR-BtY~k~=Po z<{2~cNE>(Gyz8*qUq63bz|h8dGOc&X>_u2+MYfrM>7K^OFNY`&e1 zp>n@cyP2H%1DVc z*c9CW=YxaNUj!5j*uDvBe~5t)#+&sW9jYE5&iCK z`gpt%fU&*YE1GavqL1hq$ZPi)xrxPp|Ar8)E9_I3o>cJqR`XeJ?}g#iWa=2+{NBI{ zsN-^1MMpKufP(HwQUCV94$LJG-!a&XJv4lw8igtRA(6l z6T*{RUkZpDMmieHJb5g>xZC2c=cit)Y8Bp9a9EyyZ)^!x9iN@b*#BkdlV~cn=)u3(KyjC%M`aISLVsy3u6Paa3lkJmXPix_nmB^~I9qjNddC?&W(W zLJvPZa7T|N={D9k6e*#LAJi|j2Iw`06xnQYy*%*o|E%{6PnwV>!OblT92K%EmVWce)fCMmX!IG^`d#pNd z+}Tshnbj_TN712;PF2{$5F6XbV0Ya8pu=brVS#3$`Z)e_wqbX0kc&6Zg5o0L_-xSm zOLmTt;tq=Y<1iDfKbkJq?qTC}@GscjzxF-MUc>Uv0P#o1TQ)YfB2c`8stot7nwjeE zZ7=l6TU&ob!d7!LGQLjemGM%Cgt^uF;6-zqg~#oWj(MZn8+58%;Tel%Rf4vTEYg|c z($WJUg5tFO_VmR|KedEaj)GjxGpPwoCq|+1Y;+C(m5T_{K{~?AUMo$?FY_@OTHn35 zh6WcinhRW|V@0r#O}OZxmv-3_t9c94(kMn~`62mz7UV~Gk50_<+sXm>{$d3<1<`6l zzxjtpa^)1c^&yiKsW&SM$j#ELc}0Qs$l2Lx1W(#%;`7-ZIIm^?&;sCxF5OH0>az(oUE5ZME=fY)V_KH*=xOW*E2tcAzB|8y?x;VoVML4LF z{SEV|iQrTcVxfsUU|8b&_u^(>WvmWdSCgf;4`MwRo#g!MJPNP1zc+wye=YRvt}#PH zmmt*;dN>d(%lU=hG(B%Pkqv~XI<7kd{V1+zL zq6tSzH&U`D(7A!$T&MOU{`P&7!)sA(eQfTtlxD(Ir22M!0gm5I%VZqRyLXZ#)TCJ= z>*o+AJ!zln$@v|)u(7chh7oWzglX#8i`Ny5BjL(<{jRH(>6~W$+(%4l594g#`qlul 
zWs&oy;mDwVR`7WWKCLaI1c>QU_HRLD8R!#m$T zKbnWhbMDu=ZXY)$4AnZmB%%v7S6WysR-zqwUys{ipdYJLm?kN+elWe9K`&2a|%@p}R7}nCyX?{{F!VH1^HnzGu7r zbvLb|{3ct0lbBU1A0ue&fD$eGZIhNlm_hH_NSt917h!E6C1gJ~YLc+Qpnx%qZtt*= zwYsbD#A(Q6(pflRw(F4S1idw2-`00T*v-YL7wK}5Z}-ft)UOozEOE>hq!Ff+Fi3FR4wuPo?tV9)Wp zY{_JV$(C27KDS)0Lg(@;8%=PAm2_+rK~Q;fMz2ZubNQz2VCvHpG&Fg=y$YO`ql4{U z)FeX^Ht0)bXoao+)?jq{T*HCOIlP9!i3FHBS2wg49G<}tCVg@_>W|?L_Mu^wH)R0& zV}I)?MNY1#sIgh1%At{kF?nHMkwJ&8mPHLI2eQoNExs#LIxg0u#zEDvP^E0GykNn7 zxd|o>`}QSxS~4)xu1#N!3=EE@;FrXeBG3-DVy0!m>)*~Cqqkv7vt#o!1lQ~v-3+U@ z<4Gj;cvS^Qy`Ry5^y&)EEDX%fI78V`P~V(;*hP2ZkO5O#Usx)k!s$Gd1GKDTAc`PZ zX(zG~*Q|8e=GZExh}+p-5ltw)>b9~q$;MEYFM?VJwcMvIBCIN; zB%xCa_DhcAhvTdRk4#Sc0A;d%0MG{1n)HkV=AD62g$C3=X{bULmyOB$G;Y=k?=8#_A*8Cg0hv)bTLhq|hu-OrN5pIFUbUu9eeXdk>GObdi#-q%Uy z#&ZIwqc##)40AmhB&HxsCr?>P+Vt&n+fO z&gmb~(dytw0@G%@whV-lKlX0FbRGl%j6T+s0M+1Ob2@WN)`UPc}Ty>K0UZZZy%cMU}x_<7e$2 z7nU73>&sFTf6*LJYaKElS89zN$kWaPF+JQ_KlIk^7?+W&*Zx=SQVS3skOLYFXZ-;_ zTS~k3a^g@9Kz%;w1zj4$`wUECh{AzDI7mq>q+W69qn47G?_$L&P#P#4|1DR|ZAu&A?+wPFCmU z?^2#Po-7*I3{5xMqDLEb35O*ZUZ z(5u}8GWXspcUR8W=j8#uF4xmd7`^uDuMjx6ioba^%ir!%-<(a8nm>y{01^#xSIBK% zHiE3;)wgfoOotf@IafFHvh&B&ZbG!IjPzIsSC_i<%}y2*Xyjx1nYV+<3;j8HEbtIe zM!IfB&%%!U6n!Jj0jIGj_We}D-}9PkmtT+M@mP5#qCIR%>h7mWc?eB-lzbs7wjX?k zDO61w;8^IXK?Aubkn0a_PZvdVT73POS40p(p84G=s%yiz^KyEQi9XXfs%guIku;4e zjOXjhYUO8HXvdq4^YS*&KmUz5mGwN_UPG-Q03gAMA>QD z^3fl9jo=uv5^z{h<_a-l9RZ4hZYw7JGVbPk0NMtty3&g_`ME8N`Yi^NXd<%jnZKX9 z1OL5=VPvtHf?ojsWa^IFTvMR(L~qc5w%*uMPxfH81Q)u|lVA1H$xf5*_9@0)A)EMa zd!p!leV(P}(OTcjyYQAHUY@&%(Z)~|R$)d!;d^V2E>(o|Kp$yZgX+9cC+$pbcv~|7}i043IkO&cuerCe(jh{ znTGhjH;TA1ILz5THL_-toZYB}@29eo_b|(4YSLRL2isvDw-o85V%MCAh+k>uY4JnR z&cZT|&Sx#EJjEp?!<@5Ue+|O^7Ut00(V_hC;lrs8WiP~}u=pZ0(*nAqRBZODVJetf30N7|5^gYd$6nHJJEhq*7ZFWnUsa)i>t z-W|_ZAIY<8ISo%enl;**mOg>sZ2_@;@+oLU>-|;+B|N$kDI#a<4@J@=f;&4er=x#+ zqhv8_oKBZBC8k~St1rte@>F@-O4^Hz^3&>-5{WC`Xl)Kp#Z9CU7t8I&cHMNX7Sox- z3`JPG0@5${Zx7ineowzLWU&jcRcaWykF6GrFSB|a)CqdQ99AG z0*Bswt;ox`H(Xq4h#nUPxYlIMDk+)zoy0lvldbYhHbUIfjxH-wk65ys 
zf9w7Dp=SloyEZoe%&fFKg86tYMtk9?M2nttuflJh(ft5xu|d};wJIz>n;`(RA-i8x zVJ=SlGNynz3k-*C|0V#$jC)I)^!ayR1awe-hofq8aDuMC$nxM9gx(*-HFOoBKQELw zr((viHySvAt2a>0G>2!$6+jvJICoK%kQ(nZBGPG$O(CQ=Cc=DlBDAA2K5uNYq2VI5Q4u@6N4*dWXMCc z@_H*oYOzILwU0cOy|5sTi0&3&t4SrR@`y2V=k*K_j6z4 zR_sJiP3;5E1F&MaZn9q4s46GLDB|z#r8h;$*!u0!nADReepHkiA$m63qqJCKxbKwj zyd9yG?@+tkp)ZrSqT660_84cfZP$7{7H_Pzyap7)+50)y*cJb0cxMfycIGV4rb01Z zix&4fm-*yYktlI6G-o%wxz7y3O=a43qfAo0cm#q+GHNVuUGu8kvd@*qJq?7sgjr76 zPrUa;L^(Et$_{3Jccp6QT_LO6-ao_}u7oAj2{2%ul-1=g-1FCr@&jAM0-}Q2L3+wvaLZFyQhNz#X{nOjsezXVfl=pO^8ljK_(2!I=11FUMjg z{Z|`49>NgvUOtwHuE3c+eS0NqYj(G){KDKh%qbh0pOCH0o(P!8C zS#SEA-~aK}ivst&5bVq?O-zKs$^5)PXjXlQ{7_6^1=IuWO^j=Wh5ds}rsYN!%&%U* zzOZFa$1X+EA7fq^5S|;_qswZ|xxFq@Ni=qyXYrT_aA2 zKL0*iltXvvQShZ+CN66&%pVdYOi8e>_`m^RS7vpN0l<>vAEvJiWm;xVHr2*LvZ`IE zIyQY-eXi}&H$WA-&SUwWfRqkdTb+Dl7oESEPBTDf=i##P-4=UfZB2U8-Q~F?6l@}Y zXhj5*u8o;MuM{T=p6+ry+8~3p1vaUohbr4JENN$8x9qr9sU(I9)Z7bm@zTcpU39@aXClFH_;p>N&PwMaLd;(Lf{VfSz@zq zVDUqt>a*;j8{s$1yiq`NsTtQtS@{8ZjpUjG5RP?N%qbb}V6?TAuI5T@YjP`buEir8 z6x2(TR8lJbddYPsDKWL}h08xJ|1V$T)AYJ97w_@n8ix2jnN$;{|urgrxT&wC@a514A^DQ7Iv_uQq$M9#AzJp6pw??6bLO&fIEJOqSW@9+b;^tc`Q zp5;}o7mIi*gi1ee+UPr27@@JRL|_R6T_x5=v#CqsfFq)2OLkh~4<;S_XcE)2u4!^~ ztY&@`zwxcWV_GS_j>7l|c3{O?m6Y;rcymHuyYRl}G!MFbMd(mxc@Qx$@37n7Ohd|A zQWz3N@g^YLP%>t&Kj!QLfVX9fhAlck0cn*Bmlva_Qz4VMdzZ}Q>s~%vaPHNRWlX&r zH@@8G$MhUvp?|MIN{$$i9$0i$l<_(&q$uU6(F+Jvtw9riYco4c1>uG_MoEg~x}LFd z##tiD4A{7HW4lj$OpJP}9h>(GZ7HTibe&EAl^+q6+Eo3X#EtS25@HUkf_4g^FV>;r zaZG+UHRYaV_2y$prG-b}4_?+koWIizAWeMFqog=J=*>FD9-S{`T3a{TH1KH@3xCdt z{zT&meO&EnUm#@|D+i$Y_mWwM4*b=~7pVKHLv4&hu{!CT!22v%C5mrGkv+o-y0UOXbs~u8i5=o+0r0jz&4Q%PUI4 zuv3Kd?ff_i`T*Og`*!e2stP|V=6a>c28#^JTUX=XSLZz$b%2kf=h#6SrEMX9er-1b z|5IB_i`{&z;nM7G?*5oc5ywZ%QMczyPx+5Vx03ncOPzo_B;(tT65WL4 zsJ71ex47`MnjBUpFTJ?&+Z$@TLFJ-PqaWSs9F$3N7&go3DtB8bnJ%8L*OHeVPRG9R zPt%p9JPCgx-diT3jxg_PB@&_$a4U`XJl-e3gDIoF$ji$szMHfmzU(pef-FlpPscV4oJ#E(H1Eo&GJHlu<}@>J{$dKTY2+uQ6bU;MNBdP>8PP7jU);k9S&{k{jV3k(FO{H`4n+gz+Ggqc|ZA!Cj-OJsRyU 
z0s#FEx(R+5X(P;i>206~sL#DG>0V_rp)u z+LNpu$MWhWs|*9LC9T&&MH4zdy3&R&mTqte#6>A)E|Jp8FUA1atyJBw$i+fXvAr6Mu!F_+^n1FvWgQ*?_al0mx@F>6Rqy8ae27XM zfEjkkfcznL1*SxPwO3|9%i#reDJ-RM?1jU*=}Tk+tOxp^+><-Xyu`bTXZO`ljx+Sb zj)o6Q_9{!Xx^7pyCAOZh#5_lXy1mhu0-z(YT4iqC4Tz1^SQebzgUB$NdHV>XzHDhW zBExU5AQcI#oCe^eFZOkhKgs#xwk16&G^$GE>EBtTpXM~|joYD2IHrPDy9stg zcl&Xb76n(r9qonjwg7f?Z1!pVnXU}W|c2a)R(*}jo z+=^qOG5b0M(s>QRa_%tl!Ub(NgbaH&MXlyVh6xa{Tb4Qi8lp+!3Jp~5K~A#xZR-pO zkv8k0Y=Xx+LMeMEFc5zhHLVe~NJTrgE?y0qMo|a_y>bk!p zf_!SvySf$C0LKhN)v4ol)f$!D9CsC=IY!y#sFe$!yF}ezD1gI9y*eUS8>a@})>JkTlCXQJSMlNN>uSEd4uQyN`&!)1LO16G z@ujvnyUf?SRnSIhOcCEJj{rb4ucsT4vFoF_@g0#o<-PS1Zhfzvf41WH-F$1kRjQOd zl#+HuXQ6Kz2WspD#Ho0lH&VdhVr?psdjmWYvzs&?d$mM6E1e&F7y1}an6C==@7hFY zI!0}izo;HAvC5lii7*3Uo}*0p{z^{vZ^rJTMmR0%2vdV|izOyKPf&5Nc%Mu_UPpjM(#V0K=Gsd>&#-2U5AI+2VXa6A-%_qy5%2FZ1m`F9AacwAK;*0qT1Fd>#6W0-Vv*5!Lmwh9J%hU|-)(ePf z%C}yQsLA4OrJ7j$QZ``|yt_RFOpAj@%{~z<{3~OCk8pKXOfSU5y}x=KQL;H)pJms$ z<9J!U&@hN(C_C!9y0?=dAJA^-5;hAE3{7NKhs_Dm4{3EcNZIwY0;0;m_;8VF<~V=( zh^ks0lka`TwLC!5isOD~sUB%V9+LdJvBk)zof(ia zWo6b|P@Yw4@-IC)x7`9PyI{QgLvL*Cu%$Lco!QsQ)!{G3FTmCGN`WNT4CP?d|J~0| z4&l(=a2k2T-+!y=VsC*#3TVHkf{lJiNx9>`Gh`(8jQ#|tRgp&zkQQ+p^3+S(i4M4g zCrRkrvR9G0T_8`AQX<_dDzb0W{`e@S zWL2&qvnOmh{{KZw@`4bisABiiZk7)5g7{cG^;tVqW_F0QcZ<_M-w#S*R0V*gN zf8Z+VImOz45%ETNZY6$f-2GhkV?%-NNLiR7(rgp+~A;SnJ?*eG_+Vysc38E$?$f8zo{DDbWc$C z^LbDjlb)xOHW^D>Rx5G~B6;Oez+1-szxb&LInZ;W<~$U|@oPX*D)M~38G$t0!mZp2 zPABQ%MapS{7$VI1kb}{90aSgmTuWFCikacH@uf%Cc{i|+wmX97o2%TLO;>u*?oD4Y z(F)aYiDE=Ml}42zCQkJ1kRGTyvwpC3G{i!KqQ3|+A5Jr~x}IAOTEQ>{D!{3YBWfF! 
zsj}I0JaQkF$k8Yi2JI=_ppa^ChY_x@>spz1bDkikMvdhn;ZI!1m0;y`L*Vm+&{ zm23ju`{YA}KCAFVv>439XF6yqL|Pz|F}L*LcDBTv4H{-L8@mhoD$?53PX4C^R-!4O zTIQ)~yZi+=XTAJX>RHa(J=p44I)x>bfk7N~24FWaDc?Al?}<8anF>DG3dlp~ZXd8U zS~oXSb1uc>Bagx=#SJ4cTG3S(=d@F7^_9=|nSIMDjH;yRu zlrbERf7wZ^g@wE42a_)0GPgUgxK$N8bA@U?J%D8{d%V(hG0G^u3n)bAblj3+1Vl%@ z*{G0^WS}lJqS{2`G>IKdu55DV!BB5ccXyG^^ppCAhAbeMoXY8t0ZBNCoU{zl8I=!c zdL(GrdJSzv%fX>w)^F8Cr|n^cmtdqS2r*!#p3B_S1$qNNqOE^?mk5WuPuxd;=EkTNyW>?qF9A+bE-qg5BAiJ;_%Z%Mj_RXGH=t3g}@BMW;5 zSkrsw-;#`L$(bn%NJ)U4&Xh` z55%}_AF)<$y%#u`yItSdsJwI4l3#$ETjk8z3!S0#^1aobC$`MpsDAIzuA!z7I)v-4 zSX`eRV`RnVH8tkMiy{hgZcp;yPMzqX(9A(RxJku%|WRb=ve z2jBVLS6H4Aq3!JxA5%v@V&Gv=7FhUga@VF$Y_lZMZen=lYuhF&R~9AM)B9JcCz9W| z0i_<}bqWNmhLLsSqc#E|V{UB+Z9B7Xjw{M8fo2IpJSMH;=5c?mfcG@ISI3lN;!6Te zr|gmV{a-JW(D&_+=Y84Z#*~HEp8PXE7z?}OGB+bw*O8qD<`I%Bq)DBVHxLCr0jnUx zynE-)+=x}RB4}7Jy3l_en0!B_T#Za1XbA`X38oWOm57h}XM)KS$iD!0fdJE@k9Mn1 z`Y`0I$jED&uFHs->&f_Pka`UYX~vs3Z!UBtzkKqB(xii#o<~w#DZ6LELH)eIZc#wJ z)4yRnnDqk12`#|WN~r!U@t;$${Rtu|a;!=%g}Smnp%(kC=-t|hPZv4*%Kf2sx;He7 zw*7X0;90;>N43s3gkAV#jU_<>2+v+6dc!?8kM~Vxhpd;oYMcUSuJ(Lh;XlNMa zuAuDu`ST<9{h0`YOP5L-2N7nE|lnkd!8?k+Nk}f z0#NVoUide(D%^4&X5ZLSKYOtg5DtK7=^f&=N{=I#I3Bw+TECgC*v!n#XaRR5)fOOe z89S_wj}gRQQgS$FK@qaFWDe%jm;gO^7qBMFUhdOMG7@WLO}DHHN@A9##x+JnUTrGjK~|mZ9Qk5BoK2FhqO0OAB;4< zNFy*x#OJxyCAxgWOgg3sbZsI4Z&fn#er>y-*4Q+AEeaqmeLw`C!)lz*z`$TAsy*P% zZ3skJG?*H}{=wB1>mcP>h&`Bq$H2rSQNBajDX1L>|E$-fbRUUgl9K6-NBxgyxrfA1 zr9ECm{fAVGz`gr3A6z-Vr7a@N>#sAbmpy4w&Xos*vrKl2%hxi_H3oH8?p}~TI@qQf zHZU}tU*4VN>6Jg_#mXRXXczY}@RC4NGbaUy>8O6hNY9_grKS*9D#d6njAwQ6xC@ps z?VP_bkeA?bw5Yv^v3*p59y{4#2g4%%>_pZ-!2tpCZ>M z3|Rs|P(b9Uq%dxEFu$(-s+CWdc;N%#4a3;wVT7HDMjA~>TP2bm8NpRbD;Yhg+5ysR zrVu=L*r>4k{_-s<0b30qGMP&C(B<43a5p{L#nPw>Mu;R5G4V71$27V)Lk@xo7fRLyeO6ONS(^_cmr)`f}7E z(DVGfylS+skgA1-K=rP$FnJ(HePDjg&ek^c-MbIK?%t)N8xdY^45leL^GVVg4OFuX 
z3Zi0=-34*b#l5+%WVKT34`adPqP}M@UcGkB_*^_0ZdA+-dv=yhW1R6eK8fePbI|%{5dH|0BGr(TlT5lhu>|_8allTT!9%MHpn7hFF%(kY1$bQvoMTt=tCgp@CF8H%(k&a6OP1TVbV!p!t9Pc`-Ru#CVCv#a|?T2ZuhuFh;RWR45I(t%w-r!fb*S|NXYjO{NNn{ncn zF9cvAxhj&6(myxlzucmCG}#TT%Go?@KwA9UI(XX>WUEwa84?0P1K~4y-ILw}8K5oN z|NJFJM0yB$dXeGS6Xrvm*R$@&2q2g(ZqY(?dLEhy!Fg~NaryZR-85@(DLwb*A^sLr zIT>Hlu0PQIy`ZoV%qN!~5*``nIsp<@cWG%!4Fw_7baSKY3~wkPQX+mAWEB)bTOZ=G zR&20R@r5QXQ3}9qdXr9xe1E^zKQG-o`UcYO((E&D+N<7iaA;rm*zZeONz76qdbmONLDd0yG0C$Ml@m zEKV<=Mih5rv*X^>oJ}Pkntu#(K!or&%>_!@40rE72C{nDR9}{Zut&$aXBYO~u|;)& za9nQ8am2#^^=sK!1Xk@KUH}5Jl8BIb?%{C3+wPZ;<{vX3uK+;dDnI|2{V%%^b0uqT z-sX&xhtChMxNaVHv4Qprp_*OX@5F$#j@a9UvVT5*)ASnExW4%w)nTN2u!l;4*uYM; z1PJu|m`g^J!2c!~gk4fHCyrZyYw=0YbxfJ%pv}r7St^c~{_b*$lGR|+3>@-yf3z`| zv**8Wu(gZWpd)9R7jT&VyntU{B{twn6#oIaZjb6ifv@3G?J!&Nx6%Fa12uNI5|>>p zwc^9GRr20W-q3V-%nFrpZVsgv15Gi*2(z$v@1}Up7~Yv7UEAGNen~{d0lH)`APafA zl-Y8FgIbY!&KqiR7MLgHKQ1fgkpB3FB2YVa>7%ea`{S?wZKDB3<9WW_rk3WEA2;EB z{mRp)e7UKN18~{o%iHB()Dn;z0W+TGFl~dNL31PfhJ*huK6obzR4=}lcul3Bx9p5L zuI;bzpR2HX82Ilpq^CRETMg5l%v{zf@o&b;Ivo?~>2oQ!{FQkNZY&jlsQ~Bw(V1|# z$)iY@?YT7B_c$$Ac*YB@n)BzhPk6Ag|`LF5ZpC1gn{9ovr;D)RfZ$KGE z&rJs#ADFGq#ZQ&oV_*=2jM;}^k{if`TTh>*v2q=b;kp;_up_EVQ2V*W24DNe)iFYlFk{tAAeUUtW2M z5?pp#c^C0Q_-Ca;fDtIRBs}ftY<7t0R*SLpt=t!NxNI-ewBY6mWochxXB* zK40fBPIO!zHUX1Gb`UMC?R|dC(5<7dioEW;Eo5n5eh>q}b8fzQ-))ZhU^$Q4miz1R zv+Ax(0TIxDy=Vu1y=#F#l(c@Fn4jCCrUzr9k}*3XcH0d=v|vlHsdn%$KVQ&05 zG1uLZTGTlr>P-I2tyh2k(Vu(ur+dO&7c1F~Gsp;SA-_|X{kPS}ye(A+6u=eIR1D|p zk6+>Ke|`ySts<_Jt8DyKWV`fZfZrvWTxRuRW1u8A3`8h_bR|PKbECosA&@O#k|NWs zxvrgu*y^yQE*~0Ylg1TyB};UnqLU%=f6aQph7o}NJt@h9e;e;qp@PxtsdBpTqyORZ znyfdV2{P7HSKW%?R74l&Y=5~O3~2Y7G;V9&U@V-weg8NQv!|!0CQxw0c;q-dKuHo! 
zXgd*(DPEBQG$WXlzwG}A2xY`E5i^hzF!{F+KF0e;0PCmCmAQ!>!s%K!OQm!fS)C?e zAAB8RnGHr`N~cT3b%U5DxzMO7OY`O+1NU4rV_q+2^8y5t@#q`9`(BgsaD_#LR6L(1 zo>8*+&j$k@HFrb}LRs^}*^3lcxrQi8v@!K~w`F?i3WM1Aul3wN9^sEok%0ja;PNqc zKM&7e4j1T2qy42fFDmFKWB{ta4*0RWVVOD5ojD-?)AzPk84mWKVtg zk0-?QbbW;rlb;6SH$JO3%+qTHp80XzKX&56RS@#Fl!Xafxho~!1SAZ&SbG400tlRG#ysUS z%*FJt0!3j?o3D?ymq(P3kG+Qr^h#z~RkBmQaRigoo%tmuNaVujC}K+>yC?v$+Xb!8 zHn`(#Qo+7@LVsJ~^9ms#rR~FQGx__&0brCr0mge8!cofF4hqWs)qDk!frk70&b%QB z(vIxG6%Q{Ecqafj2ldC)_S5rOLxE>&Yv;g3Ur%7Jl~jY}>99O14A6ldAiK+9G0cGx zJ_S|jac<5$YCABauCLnDGl-H$PG@Rrn3yb&COo@qC(cHTpY`l7CIJ*MIIM<0Gy1JE zPj3-OoIRC@`o&rZk(|HmrG=Ma|MzcTEQm-A0aQ5->5-*gl6$y#?p}({?+bl|TZ5A; zg-TD5^6BznVeVqiN;i5-F=Tyl)Z07*UVqc6`7t{O7Uh zATb_q6$cQLer&vJDmg~I_Lp13!ck>uVF1!-HHGE=`v?kM%!mq&^gs-l;Z7gbbymvyy{MjHsOLR9-bvx*l84;Y*d zO**8HuJW<2t28b^?v%cM=o3BHI^@Q9o?jUZ`D||I$%!46fI?kfi#UPx?Yr~5Aig7x zvu&pEiqi@k$;BVoC1ByGP6lqD+hXR{8)=kXT#!|V8{!5=M#`J7 zOi}Z#M&|*F*NMrWKppARlRb|nh8(pLRl06=Q#yjeU(9li2yV3Vv$OVAAO{ zl3!Lw2mu?>t9DB8TtotA zu!mA2GK_ib8zm%IaG9OegNTWhuhT`dsQL2;GHA@vMmk7&i#%onm)>q4y2T;5&@%9L zmb(WmUpRo;*x~@;+v>1<{tTT+s*ZRwyrhI?u|oEg1Rgyp(}cZrk39&0<6nCL9EaN@ zyEU270K{I=e}i-YCy(SyQ&ZuYI11deriYPG5()}4qp9|$rYF{j#8H<1>_&pi{{Dm#yg;{FlFre(EX=hsexjo-=K*P82c?xyXU>2_wkUC= zr62^w%w57Ce-hU+(Y!!?`I@=G!;TWRqy!~HN2IM?L1;{bytzH-6Y~C#B=+)}26o}o zk=MlJY9%Hyv+iXwXU=KlinCTKyng)}XjXUolQ8nZ*0cl)ko`tiZUULNlVdce^`wv) zHlH96v{IpQ+du$bVo9!qDh;<24_4iuC{qTT_aIkJZ=RKvgE1K#aA86GqJK1&kURa1 zez?l6g!K61BhayD3H8+9Ok04JIaKXfkX)fod-cj1?OIw?L@f49vJcd3)sSw8ofYU@ zv0e0=tmz6Mu;#EBNyr;uLY0%N$(!Y1FOKkkBNy;xwz;jXZ+-e1uM5+&#_YzN5l7QP zM44QcX{iIh3+z62^r6xv>=0mVu)Gypv(AY zHHC^?(7Kv)a!Ilult>Uw!;Y&%>4!cqD&ibeypcr9djCh+d&g7#zyISAA<4WIXbF*7yV6_jBXFD;C*v3At!!IEng!c$8ffB@bW^mL&*_ z<6Va(%yTcSXbec=7{K>jgsWmjT-b-sKZX?^&H)S|72*E{Y7x}RF^nAeDo5BJo>EDh z&J$ENo_|$&umX*;B7A@I{>w)4heH0Bu3|_&%WRz{S}<|U(!pwhrn7VDEcwl0B;qKm z&S7ismD7eOjrgB9WbhmwT4+(=_;4kK$R`D$>bdpYk-+Y&0Yf{O#L-6=thc_HAZ@_; ziN^(%Y7z7|q4`KRG0l=DZy-fkiqgjQvq60Ivm0k~MC@xu1*@~**!Om0QhiUkuA14N 
z4lcXt`;~&ixz1&`=~WDQC{TzU7RM+%WC>kk-Si4K6Lg-uIl6%pU)%HJ z+dzh!PWoxL)|qDSk09@7NV+P0+@rsL%7(~kY&_#4!ZS=B0&<*xyV#RxZ8jsSq*6-5 z<2~2cw$dv)@Qg-a|t<>4`J-xx$|zp(7bM#gmhC-9+fc zh#Nkwq{_NqF{Hbj_7E{mRqH(aHV3zrUW3zF8l=A7QtR;61oZx^#Kk&?nTZX7BFOLWOmU5)=Z+cXeAevpdG)}FgAKpw0id3;WS z5WvVIsKgGmV|&lyJC{E=d#C-piV$=ue%eX3M=Q3Ebo^Lt4vQ0<6No2yTwqVwulwMP zIgQ|;Hb+U5w(n|HM}k3btJQNm6$!AQ;qHo#K}z>fu4M>QQ>qOQ48nQqVe%s3lj+mi z(^|I}4>T9x$^dgB%Z1Phf8`KBRGAsP5W?j~=j&l`Ym-C?CN5RDEjIDkjzKOPRA6y#GHI53 zAJl;6eX`zrKVnCRI(+u5x9gslFF)igG>C2>W>0>_G+M>3nRcGDaHl#@-_`hVV`m44 zPKf1H<-5lg%N+6D%coWGk#y+vIr(8|B&z2N@9kD7XDuH(W5~cb9`gt2sNkh3&}tevs~l2^&3| zx%aGzM-Z6>pw$M-;D+m6f}lkW~1ydD=%LrM<8Y+%|kwbG!Yub920 z`IVx;c3+p{q5NiKooL=r!@YvaBbx2uirONKDc!&4p(=&I>Wf#)TK{EzSv%J>`XIf? zr}#-MzcMsQ$nvriupB|+8ayXacS%oqx@XX0bK=#wfr3qFQ8XD0p0Aw+$~x4BKJX$< zBNDJcKwXIX?#1b1a*TT}c!QLH}^-EFoc_f%EmsV6Ak z&8Jm|kWh`3m)3wTERn7|5@oQ59sUri!q*j_*tMx{W^07kZ!&x8J z6d)3^6SW!#7kN#oICu)RS@yf?vDdPT8YBjO>(lQX^m>Y4(w4&S1@*t}>}kArJID_~ zA8DZ&G5Bz0hyB1OZ)I}Tl$7*2xGubp;`z>++vSF-9fFOisK(&CK{-p!oSY#WBWLP^ zHd$h?hEA1*0rUT_g%*q#aT7B*3(Qvotu!E5T9yi7ncrT6Q`(#TMg%78Nf^sUQUac zA2kUbGMtRqp1;S_i90z4Y1i19XqUqt{dv>Y`bK>Wh~Z+sr<#FQiNSClVp=VE%B>Gy z+p+Pv@Yd)T7EOkVlzJtQ>vmD`>Ao$r;^Ro;wZ{_+~;JAQ9#ea38j| z#^S5km@gvGaqTWDhNN5Z?17z4)`%ZUb7AnF#68o^YCX939+qmM0OzI&aiFVSGr9|z z;!0=S!quRYrXmi+d>qyfKrjjCL9mksS;cx@?V=~P!FPgf(Y!m;_pAWaa$qk^+5jg~ zw9X^yo^3N(?rjfAr$$bZ&AanjK6m<85li=YU$&RIhALdXD!iHJwsNV3hPPsgJTKE)(7<-F?WVaIlLyTrJlFVttg*)zfJ zWzCJ~f0qD;OhEAxIG_9%GV%neyEw=)D?aTj`kZ)Ia`~Fk*;o+Bo(T_tM$cr2dGH2m}+)GtF~h%5*exYc{~HaT0v^y@G9z z_PA#1gvap^adH><1GkZ`zAmfuEp~PA0{cpxXzsBB4D-9Tx$SJHhJN#L73Ha8dz^^T zo&t?f#~pJooxRf1y;$=G8k@=b=BhlOBTH>e>z3Et=UzD4+gcCy3{ zMk$J4tSd|!ZztBIaZ^XN28k4n=#=N_HayL*Txsh;sM{D`*>mf9Fdp&vj#<;(;Ip`%$1OKaG1$;^ujoPTADKcjm*XM?kU zPV@JZq(43obui6{WJ7H!3t;R?)co)eY);<oQ?GQ_2P&F3<$` z@yz)+dLK5VjIo4gzeB*eURmp!x;BaaHr3K@CZCTgSFp$sLJUD#$#hq?yiquv3f5K zDJ$VrA{YG^i1#CVXUOyuLaMR;x5CMVJ1P{}F>>7{37tqfvQ!K?#GEsPt}lYrs)-sj 
za;Z8niv)6UxymhrVrs;kaw2qCp7myQND#KfXEC88O<*69{9tFSUqwP&dPM{h)Oelp zJ{W81cr2hfFZPvd#18(>H8a71Tpi{#!~1i+)~WL``cCTX+G=_n)V+;tnB?NI%rZUL zxuLYXVe(P<(aOrox77vycQXbAAc*pdo`gH}2fc6RZ_#7lK7rho7OXvbf9ii7AsS?* zn^o!wnSU}a2Hq=pQ2zCDZI|_UU-V%@Fg+&a;(P+#dBTOPTZky9sZig&V8&+TSk&{P zNjTl<5WP=?m4T$BQX=%Br5yP#|(?t#43l?A;U7U#li_!t0Xx#Msm;uKi zSg`oiBv|KL)5bA8VeH<4GWDKEk&oa<+~(6}yI{gUZs+IIb$P$@OVZ1{rvop40lvSV zme{5TUV2DRnr3cSQ3Sazx<$OI@ulgK}_D zavq5=%sud8R^zGB5nLtNOcaTym?jN-k=S{)aJp)8LXZ@ovn{mP(sTYbV+??|Mp40( zQVr-NA~PwcFM~^jv%st>W{nOofNO699#lB07wRpcAaG){esEx;5S|Diq?Gx__XrX0@G0qO=5WnyrKTAM!-M zygdjGM~~(tAr5NbL{I2#ngT8sM6*GBl%g$skKx55JW*wgs1X+#NIEP4*S#cA!}^ zHvvMV9pw=`B-3*iI{e97evQ|!YI!y`V(RWz#;;w$C%!5-y_K27@l5$=ZD zulsAwm2?{w)`6!D_2Mv**fp}!!`q@v^B98Jq?&LuJF(t;+^$cw(l zQIJ0CVR@0X?oVW_7Umb&YvRdRB5}OS&Gy#u`{5KL(ao2BUg&s4B+T~&?T9@tr&0?9isRj?+^m7bV41#q)313^^Qk=0j{ocn`=5 zm=`YAII~dy$~)C+{SZ{27F(BfM#bi9D^O&R)%JTD!e5(^B5yRL@W>LtYiFa+_1*LL zbFVI))lqJFwE@#jjq3fP(~{lrH;^j{9$M_4fC3 z<0>(X$Lf5y+vs-f9hXwxbS`H?HuS!)L2yUN{nm~mjEjql(h!HdQZr9}2T+x6`( z-4jj>Xfq4wN)dVR{${f&AilqVhsOJqqx;*elZW+q&U2sddK;bbKB*NJw3b{oEb?l^ z7iP^})m#v(X+NqeDY=N50xktZp8WWtUGICey)Rt%+>VAJRaAlRvY0S3f<7kR4x4zi zGAz;A6>o5(@Fqnk$0r!f_@SGmA{q^d%^BZ@P+cA{;rt+g4v>m0)T&sg@s6liZGQSTM z#sdp($J4Eu-;NQV?4ojeyz@KAlevs~tp?KEj(hu<>5h)h12G-K$($5(o}+<5UiDZ0g{9@F-jHf;Y3bzi1U&{maiiU~ zHI54|&xL;9_KzdH!2PKw%?#MO?1%~oZJ&Rq=(tZ~$RkVVkp`>-ie4_CTvnWHOaMm^ zoNjB)>1no-K;SK=J6xi9U!9bbk=ECmkTO?bB{WW$RU%%)509ToFKS!{g8SiIDR0}f zr_huUOMxBDorf`7H<;R0BU@zUl0W4jfiR-y_J`>1zk(PQZ~P*6so{LE_R0Q8joEXj z2+q$!3R8RK6&=9z?}YbDr#%#F<7Eo2s3|U5T3XM0XqJZ2ZbKPhWXL!ZHs0VvDQ_R47{cil(#X5 zH4P<8h|unm_0glp%uF*cwN_SF6RnUyWi_IiT=WSw4UO5CpgmNzebj^l@|e13j8SgV z?Qdy}VkmUc-PqjUu{?WrX-`{76JBhlo8KX=1TPlAh*UK#ekq$|bW3iGHTT_sZVx~k zc!;=Y#k6c2(6!6GBcej2X1JZ!_=W0KUlv<+pRj^}7&->X;di!$Pa{0t*(0MWJgy~1 z)m(=t;TU$rH!mN-P9gU4*Jtpfm?SrApM4~l1I($-^+{&pRP+zBUyd|jxm|9uJ^GDy zTw~|G^*OAIilAk+e_=BR*B<06Z;CWwyl$130e5iN*+X0E>4{>#>C#hGW0Ig!4Bqf+bQ z6)TLYfv-n`H>bciz&6LDT<}mXYc4QKtPeLAc{ut{(=)Yau6 
zBO|-=;ZdTc?Rw&NQ(Vk^{vmy|Z@%Xf10OSJ3D?Qr0arS4Y579^(#yv@2ZIem7EvpD z-8mXa_^hWfROwh$?IBKSv}S1Vp{Ilk9bl!2E~F7th=|tA&)@5D%}IcGjLUgCa2>}_ zT*|BGW;f@N&{q=P(yE%@rth@(!5|r<^Cz?o#c>1G0ApnWZ}GY|NPRbg->ut<5nK&S7p zifW|mBpBJ{6O8QmZmG(wqx)sXx`E;n#`E~fdjjTX)`;`&35cP(gTr+Fw>>ATh&4^v znkK;*Y09o)Ym%;ocul?2(;7WeOWEO=fl!wTG}sm=bMHX^Rax!9^0FvgQzT;e?$}=c z6@|1kZ@3a!Ih)yBhGywDwt4&80IaKLl54D`>QC`cGWj_{95s#OM>8~3_uLcI($Y=d zZlEh}P%eMLiF@MS-K*!xi6QV@J$So7cQn_ot1V5s1!aB1Y>xH9FanXEvUahf59J%G ziUnucYMX5;aMwz{fW>hmbRD`?f;A>;Rh31`SDKJPp8@CGl5&p$K<3{01p;K$&0v=0 zcqKqN{GStRU7EBLnsBBW>J7$|rw24r@*M$jatv{_-7n=avLXFWVm2Qh$k>-P`nCzF zoi3R7+9z2u)O3mUayikT;b8RlE*D;Ed7%HFX)Kag~ib*U( z@sp;!krv>yY~mcNUp13sol~!ixlr#(c(8x)_5a7(KZmm)~nRzVHysl@*bjY>tW(twskercmIj8 z&fs5TD}>Fz6K>nt?usXRVsF{4zw8C+h?tK>8r&>AQlVf~?yQ^C8yW->c?k#3GY|M}oY(P5 zn{QwtEf2brm*sSBWqC~@9^A8VeCaJ&FTlfXsLys~70j)RYw`H_t6(d0m3Tj(UrRzA zYATzs=~2G=gkhQ>E)f}!D3hdrKNL&~fqfQ{+e5gO`($j2sP{@w`Eicfe|!=*$`C5P z``pciUsN|C8sbOG)}YK+ue0TBNvyA&Rq=vt{BY3S5p6RzSu7(`oi!g#glurVhQ zQg-B=lN3r2=JJ=lzwPg*?`7B4Gue|zFgb8KLFJz^^HuG}rn#!|M|JILxM+@>c3l@J z2iF^XP)OBtB=r@g7cNu*mK7XY5gAJH?)Ah;h41|eIg0oNX?ib6g7d`P=f-P#>$Ogx zrvi98w-9LZV{oclqn*uYrM41i&c;KXhZ&@HSU?K8#YT%uNuj(mRttDgc|l^4M?kuA ziNVX@@*DpLfSx7czwSj7m^c9DDmetmD!bn5cf=P*7?rG_hG+p$I+r9+p_Pj(-*4?o z#t*(_iQRkUry*0c>9IvIORGb2tU{JzC@66UVi+-eNhAfBzWMV-BXt;-E-ptcnOj}b zlkSQg$>)wBu^vME`M5m$HeIzIOqlYek6N4GH^Y?wZN5NTg8pFYYWQOov+Zw>VkOM0 z#n4UXCdD9x=RqeL9zEG{YG3;F5DM8)YvFl!kM9b{Bnp{poQAXsqU|Eq!*%>dWqsote*Tfh zP37yN3oG;phLNLrD#zArw)RXMdhS4|vOY5dRbx@lFF4q>As*%Hu;g~K+HgTdA#=cS z*u#)c&&-ymLw{I7Ze2nw6 z4*ap?Ds{c$Xm8NV@0nzuO^tVKc#k`yM#w(H2!48z*6PMJl}8$!=dJbu!%r#vb{Ni` z;ajOiz1tz$M#f zVKSqN&F^~0+M!^*lM}SX@qeE5oZ_?#(FTvgo}rjgh1>ent@U-L$~EqiC!)5hzJ4>?Z`9 zlXC1ruz-&jW<&$Xm3g%K9B45M)6V0w3kMAlfgP7<$UAR%RV>i^>}=sdKm0gs#A_Aa zB{jB+28rk#@tw_;1brbPfyIO*>*vC)vDP&L0%3X)9QE5(WFiR2hXm2ihd^tUm48?e zti%{iV_&Ua915j={S^SLvPec7WQU6%Y)hRB*T=NRPkI~hn9}?_!)c&LxEc)2(d}1q z6?Y!{3YMO0nerdOU!IIg$m&tmTN5b#ELH+dA%5gwVEi4aaDO8U{u>-k8mJ&z&Q?a8L7W1 
zG4A%ld}~^K-Gf#)@cNDEO6MgV(wt3ZUU@XA*)4SB;<7?a}JjY*3gj}Jnj2CaUre~WoA1K zDus{YXflM=k%{k)F8YfR6eC*3Fb;P0!6nn!JLU;<6Ki+>B~tqro$}wh{c`Z|MDb+r zjbUe-viJkeC2_68(T=tb0Zn}n!*!c3-M2?oRKw)uIY(<$74r!~;6-O_H_Vs$kUI|I zRIivIW|=y%KgR(ek@X-XpG3`;rf??wTi>{yt0aw}T_8LMzDZ4557+YpDc<$v`%bPp)8E|17*`EFJsQXF36$dM-HuoN zmd8kZ8Vr?0POf`%;iRT=spM}zDuH|uJ=s^lerr>vbfV4uFmG;B2#P(ubhekvfrj6~ zy_8}SIO~}ELhMP%?zZ#5RL*COQcHXG-DEW3wZ3wRMJIK z2Za=R=Ts`onIz%$k_OPww|Q=|r>B**=N2=j5~LZcgaj zzZvc)!LY0*|NNah-Xq9xX_Y9N{y7~opL3Ji2}o+_-A>*#pv%d=qzdqGZ zDP#c9^p(|A#}jj$D#*3pVf(GdRo{(30i_}2>k~5bttPBvZ~xhOz_URjnDV|Za%dXF zI~lm91`hao!|4}Bzl45Q8V5_59H><-XKHqQ5W+o5@;vbHI2fb)Hnx#USd6PDU3hIG zaXW%l5T##_2~ZCOG5S``<)0SS>GIZJ5Ec0}x2`pVFtW5*?lHG5DQufKMggEnJh8D0 zU)GrcACzVvU^>&h_S5bqE+AaL#V-)W=r4&)?Qg&Em`;(MKOv$IqZ-bQINi(G)_#;n zh>zz1*PXfz8GLydeoQ4g;E6*e9nxKeawkDQI44vc-0Uc&GSuThBYUWOTV!y%gq9jm z!^s1pqVt%&YW-X)p8G}!8OK=%*{+GPdqlbS`bjjN9@mz@B14nhbH%oo=C*UuB}KZN zw+%xeAHqI{?p~Hm<|D|hep$~&1A@7UN1x`I=dTqqc$PC&s|&(1#~PfG?cSu|g8d=aD)nbIbFYtWGnm##C8>V+MUv zDdU?@zbW+qnF^|tUh=V5VHH%2psf+KUho8hIdghx+85BIn#pvVA*YJ2lAC`=`2QMy z&dC|kAA`rhWu2vy6Xl4b4H&?D2r{O^wWdpa61rK-Z~pjxDis%KZZPx$Toy&hS$SMV z%6%2OCay-4w?6)P;}F>#-XCmwxPyv1hNlubwb&iU6GBV!FoDH+_?43%#TSpq#(L^e z<7I8wcym>g=1=NF_Vo)G@W?98C~a;Hfp`o-q!whmSubEtx|^mA4`OtY%1?mwa8kfV8yQ2qBWPy<=m)nKfE!E$WIBLMQ%+iQM1pL<;B(O(t zvo6rqV99eTSn`kZWynWAvm6U`&QIcFLmM1L+Qi2P*7+~lQ#EJzum74{UPZ7+nz>Lz zdKREuoPP|#TqwR572QmY?}+t+ysnG7m#-J}_sUnlR;vVEu~ZiHr{ZO6;`(&o~w;3 zc4~SR+KJRo?MGNg9X#Q!#0VHg^#=G;TiPY)9N3lw=3H&}p)yCfRauVx^bRi^{-gGM znxp=7`$iMQ&d$!1wFPe0>gxrDNBWwpZmzB!Y&{@DL7Ry+D{Km7F{vDn1k&sHa4I^5 z(rFP0vux*p)Ph;!5L@tu)+B{=zt$l3eu`XNJoTFk5X0lS)rA7z25@h8q-R2ao%^R7 zZd2Y369y!PiQxh^>n0yCV z^@1hQBAz@E@61eeKDvwL>?!_X)MO}ua+7JVqiYPATZ~hDpj}sMT;5v)3;NujXrH7o z!3%f=SmVn6;)6vt_a{b1?g2TC`b`K_`} zWXpMouCFl}pU`sDMu2b*@u-)zL8zvePu}~fV`mhOE5a^npaz9eT6`c3IOrsGDL1L5 zNt#kkx!YHxNE8QTLgj@YeHF}+Om^Fx=niB66T#O1A6^-cz<{Fg)7l$l5!ED*jg}GC zYA;i~8QjrY3^Sc_rJgiUhmTprInZxuK=1bIe=woj@=rZ`DqH?JSG1l*gyAag 
zGvIaKNax`7N@{sxacxLQ=-m7vy6%}Y%MK^$uMB+tD)AdDf$N|$<)s>}DA@YkEB%Ff z5Oq{_TwDSiCDHe4QD?6fXPOk6(KvO<(+E}6VcLI%d`M2UIg$}77_wM6=87d)6Xk-s zZ?L-CeW`w?yj1)iNdW6|3mN@WtNT~i=qI^w-Ud-*-8h}(zH%c|9@EF>r3V6^j4X6y zLIxyK$WDa#Nu?!rHchsRl)W^1a4RiWf?J4ogeP9pin?{kWkOiY6A#TiPFh@=x$50c zI122d3iNkqg}0kCMNFndn->Cr00|6!L-F>ce}v~U>EnyToSb$KcB6Fi#NfG2N4f~7 zT(3j0CXn#eG(7gB%|sk87i>>`QH~Dg(G6R-Yd;JNxd(U1ANkx3FETNAy*z>eijj`F z1~+F??QxRh~)vME0-pI1&3uOc_1sBOB zVA6MMU}J7oaBGWCam0@g_48XuMq`i*R(L zuql0#z9{@S<4F=HMI22c=>vOsy=wCSeBS>JT~r?2?WzmV+5MRnx4kHBw$~qQ(_ga?YbpwwnQ`qg$j7LC-+ zcdFY5OL)btnrWZ5X5G&8Qx|C1Y2vA#V#Xy^Wl+05muw#k$&N^_*%7Ri5kn^ktT@R%c#>{1hLqOPfULRmRm8*p-c(VWoXB<}03goi2=`7Ex5W?>%gpnFMA& zt#XXQMG_M|o6gUmrAE6-KGr>AI-p)2G_g@9*!jGC3jj1^pHa)B)~vW-_eVRkNH2-e z?@BkG`Io%u9~TKY%hnV>U`Ed-Qna%iNn<$0Dbau}FSg~WNda^m2xm27y@spI+Gh7o z0tHsT*)3Syx?x__RsmKH))H{9`S7CT(;=EC-^q??;qb!AS%CFpupcFLz#CV{J+!DKga4X zf4OpN5uwqkavfOY%kW8+0pgnp}YOZT)IT*9)L%06!FKdQ-zLY;oboY=`7Dd_}Uu$Gj@g zAt)Gs)~8|V^=12kf@A){q4%&=r=b|zx_fjniC~>{4obH&a#D3aKTQdu;T^JgxOH~6 z&-?w|)N`dpcZ?9K;tdDfBZvm=O|QNOvTrB<*T;qA^7VLi>0h)t6*+t%TXefXeAyLG$!06{{_1Cz z9!>y6SJTK5w$jm~`Hs8!2M;)l)xUcDMfN*>%b}IXdut&EYOE9_p%zrRy&ku(M?NBh zfW@1Aqn@k7R6YGaN0+-=+M_-_5y@NKIwzhQpwbhy?q^LbKFRZX1AQ*-f%H;o5sMK* zLA%B2@MEW9iTr7KpZu$nkQV2E5KR9wD^TJ0kN9|)yjs7V&AwKxN_qPEHn1h^q_9mz|X3%qi22EVK3yS`!3D+g?zZyMUNu}WTO7gMIJPdqm7(a9Jl=(_{ z^?3cYA|hS5ebUD_ui`#znV^;>F zb7)ZSy_pei10(g`=9H{KS+FQF;67s@P`2hZI2sb2nD4AZ*@069Yy?AbJ24pVa1 zlKvL=nCETda8BPD$2<)c*oA>N>f*|)d|bA)S3=ubl45GcD7n;<2IGf(FM9IzUwYi} zP4XG*lI?TeJ7o2xKJ{`6kEIWMj-BTQqB!#*Przvk_UoS3a))N-O>Cm!K4Tdb;v@~< zoU3M^`Q>Ey=Xd)8atZ<>4d#tf4fGheY4y40f{b(5v-H>QLP$XdKrN9y zDYT3V@9_T?q>!in0IA6~WaCE7pH@W`JD_^DKnXJeV-twuWh<^#WvM3?(_Bkq-`?cC z4MZ(QdZZJD-5j>rpA#g6n7H2c6+B;AG%96LE#_Z|vbSW}fmsoIf38i4=hpt&YUBT& zs&Lbzk-i^Ox3PkZHBuSquWxEb#ub(4AZJuwj&4@Xd@CFGu-2_9v8ifCQW8~6dq_#o z?gE@dsCA6luD+urKck|52ti%7AGc}DK#|$Hr98dqj_>ko&t;RY<;>kFsm18T3Z$!j zoM^a#M+yf6blhs*p>DnRWi=Powhq_s-Kn*J$hvbo=qNVZA|J3^dU}do>NkqS@Fy&- 
z_ZvsY>rOLpa8#b>hO5Vav;+Lf;Ql-%tKloetRZt&*^)emha5QpY6-F0`^FDKlk5sS zN3(^^MZQG#wb+Vg?zW%$+d=^(Q(|4I82%*ur6AdBJE;w?mwt3yC&x6dTJ`g(J6Tkq z%G=d_)&(=Kc*b~n=}2Bt4__=-87n^5pvNb~Xs8<#_8IicZ1HLkrV1!tc{ga8ZbhnU z4Zyfx(MCoOYiRP`Rgy#6W=Skpm#+8iZR?MvBILY%E7*|{WyRQViQiH`y}|a%-VH~7v+xU*=O{L%%T_@*NJ^Y zGg7V1iF&tUun^$ofF!Cb@XDl7(S`psYyVU?|ErSA0b+U0Q>#sPe}X(9k-+BA8(^NZ z?_}}*nC#hL648NwWX87yJXfG{=IK88L})hv61KrPW2c~G0(>;( z$_i0I38e^xp2K55;r-!s-W-=eaK!49IebvA=doX|C4I zL54{6?eFbW$k%4dsR|o*-4d^T(5||f($UHnH2|K>=b$A6s@={&r+&w;o|nDle4^^RT5jK}u)&*ibHVuCwib5UpA*DmaFq{R3)``{vJ8F6ni_%^Oh1%5} zNzu`k^&wtf&!9Jjiqw5d>Xc5(OAN*bbhPzD{mrvJ7VE1G)FIfe5L?K3)Laj%$LF)O z%!SMHNcM7fsJZARXT?>@if9~uyaPdvti5`xchw?~AV#2s$KZ3~#1ZRJdDV)1FkcI|u3{c(>q zWO6&Dmfi>vF4Rn==@klcB}%{UWZyI5Hd}cCUOKbkUR;*{q}>-&^nvyRkan zguI-WU_e1mb^}z=TcbaikzOVp-tn-b8M$Z4l5q|8<)qZhsGklyLUK3u$`b`W1Oom( z!DH`sBF}t;vshk6v#(Kado@}+OMd{hM>vojp*w%J+g3?t2Vqwbv+mIF&<-DGEbXn)Z zxa(-gM;Re;zD^utzh?o|%dVWY%slTILwScsy+nWeTwT8O(wM_2TdFJBH)}7$k2V$& zZUW_9u=3$9oRy4oL)%J4XxK1X1nunV+OW7&^5VAEtr?X>XVC>W37^{d@V>v>*N4FPGaeLM!& zqwRCo!{Kg7!#lg>v^wtwX<~4_X*Go7(3Et3eN0ABvX{A!UVXJ704Z7BxA=8%D!?c( zi0+vQ_846&u`feiEzrB>;3V0S-D97I!J%RDsvN?S2%T%S>1B1`cn_Of2pO*Y#NKIa zh>D(4+%S_Ye@ofik(Ou#4i*{u!zK9eC8p{LKcT;(zq++F-~-f&Ek>-lzHdyZhKvOSHd5u#Ns z&xQXod4B}%e?MK1!N+FiwX#r%>f8C3L_-WV6pO`wc!|4Ayh5MD?74{FD|6Vg@-qu+ zmDt3o6H3^-s!UDZ-**hivmdY@T@0hQd221uzfzT(ydY5Y&G>`G zUjb+e{^YexF5Z09jAs`CKGU9$4Ge8jUI|+r*nGKOh!>$EopkzS3#(Jv1ex&|^Ga*N?SwD@5!SgBH+vYt? 
z)C>m&SmSpMy?1==J8ZUyY__oM=Mxs6Pzf_a+mlFAap1ZC9yRl;^Cb zTiqeEcvE*n*lE#K*b!1$x=a+un4hVdW4yLL@`e6G?Sq1}xxg3$x8W!03$Nd;^W6)N zgbE2LfIE?ToEE5{oGt&l3u{e8`uaVjcM_EpY!$yaJ8y)!OJ(-Svl}63##%@xeSCKs zbB2n4VqTtVKNkA_KkeMVon>n{KuX!u#@8q5XZX7;a(< zzwb@RjezNLQ(dMzhOtzUak~!Kxs4;~B?$y~_%`$Wy^>q~SClJnY-I5aqzoYtqf0Se zi|O-6Wq00LPXFpJmJ}d<$mDY6{D{?cy)WGdNf44iewIYs;b(Q_g1qdoWCTKA&ihkh z#V4?WZe|+)L;al1st@%F&?FSalXm3dT4Z3^onx=r6ZCfmX`W8g0_A`cSA`EYVu{ol zz9xz>-;-+8eJZQulB|Lsk7~LX*4-8r>Q}-)7?;~`iI8_S?3R2-y~5V9N6X`8c+)uT zxa8yvKuk+pzqenc zwDi+!ewr=TgdD5qQi>YfPDR2By=ZBf;=Mqs2$hw~t$N6E{7WYJBs-x7S}yHMUD|j3V>2MsgwzKWcXMl8+LUF!n$xW`TmKdxU_2}4H!PkXQHK=(&EW}-t-^W}g>T#Z z^8Zb6{;wa6j)+5!F3fJ3sBepxQCR*{?1Y@MpYsiFUh0xbCnbhprgWa19gE?-&=vL} zFtFFRZt|AIROF{D1XAre#@d2w79*di(N-F-7`k6OJFt8U$~X=lyam2F;s@8IKD%8< zNSD2((V6wATsim07&u;6!j&%+-{uB#2KJP4P=|qP5*2Qu5E$ETSy}TNn5YOdUB#xy z@~eIlGGltZ5k`bwp|lj}GT1)9^hFJdloH9o3>OXcSv)w}Np#dQsd3J5&V*Ka?35&; zMb@x4SNfFw`^GcE>tE!2h9;-z4xs`12#Z~V5ZGwQO53^j@^ieOh|m8iMgN3sr$L%A z{z;RD2^WDpj}hDTU)pzFzL6bbSj})7Px;Z6K(p3EXM2x=kEZfHi4>80We!y(EV$$$ zG98jSu4@r!WRRJ+tW?ta2-m(1<+BuCz)J1t_y@DZFSx9-H_whk%4wbtD9Wv$l)9vxNIOCC}rT20% zQ}Wk96%NiBb&is@F&Q_tSMCNg~3b~Y$+;gQvN#2?<=kivT(SNj$)*KHs3js zCKYITa9x9W;QjPe|Ehg|pWA;NvdkqQ%_VqPeLK-F(Z+`D(yyaj;wdz|&xJ5dn{n!X zOLfa@ssC9CErTLsH8o_-dT)pq-3MW5K~ zJC9>D@M*hW%p3wW-|ck|2kiJkh;uqP)Qw-ZwfrZ?YKijgYwH%|dbUqKOVzy}j$!pq z)@mSrJ)_fVhqDgQ8=(L+>N|YnGZ5w-zk?I-&9ume1MN9GGdivKFxQd_D+N)gOt#ea zaog-Jm}NolOfoLv2m&zM6pxe{Q|2Cr(rv{yUi{`~RUk5_6U%BVQkWL;c?1a}D#971q+2ofx~6N0oPGZFYPy^5dP|>r-YOKJU?>Cn`%-xRG6pdq?tx= z0Jm+=&ij_Z8jliMry+bICq?jbvh8GpBL-&oo&c;p7+^R6^cc!N+n)bb-Tv_T|ML-lVZW9ycD+xwD~A6RK_bc28h32mh=_ly2=6TQdklkHefxUvLN3u<^O6B1Sb8*oHmFhD6A`Jr^d{ zUBo|&{QoUb`~wU?#c2@m-0T!<<#ojoSp^u}DDREjWqS?WiM_5~?!x?O#2Pz{E;l?) 
zS|NN6#s&Lr+pxcW$MIene!+}3`iAzRtorg@D3O@VV_#_!h#a@d2`Lks@W@4JY_H{-i< zwyOqUE8RrW&SP`$$t*A;=RwYd5tdZ7@tneI>htg=H8W8D|bmd7`Hp&z(4M^T`47x5Jy|fG2#f|E4KS?&*<0% z*j4v+)xKOj{xrr9C}km=oAMpF_39hO;M|1iKuJImz+2aGlwx1|d8&PTpnlY^38M|D9b zVEYd}kCi3CGnp(}5Gqp&uc7B zmhxK4?Uyu?8u5JMWXR&HbSzLsvl0)=h}LLJ+nu{WwTT2$A&~7>*cEl_ENNDOc{nZ* zwTZt!CD89@kZbo4D!;6bU?-)Nouj8^XT=^BhAzokI}cSByzc%yY&OY2ixJH7L8aN_ z$BZ^~sJmjIF3`WoJU>{abC%iRDem}RH-Y?*+5YhexB)&h@IKCw`yyOG5JFLa@oQKd zpu0XylocYh{!hj>0=`MC)dDxhHO^f0K*G|0pCrlc&F$#+>q$$Zu)n&>j9Qv*$IDq? zu9aJ->l5C?KUzGN;KiQW=!G*U4S6xO2JWteyrrMhtO}2HM;Sgd-{flXaFw@Ie^TIG zpziU^dr!oflPSE+n<+J~|w7-Gw63pN5{1T z*SX#D+T~^a+<|*^FeGzopJQpb| zN;inE5Ks(K#^!Z$6j)v!CG@48%43{MjGCoV5g0kr05TB;;0n~~1I;TR11H}zHWc)NK1qi zbDt&O0uj+PLbU9y9ss*C^Z6*b4w^+ho-Q4BuK+iP-JF47MZbqNw+$#Xwi-k zF-yMUBOXC1nQu_y1%Wjt8%_+46KaO?|Y$voj2D_QH)lh@`Pd{t1an)qg8g-x(CNwWj%uYcBihb*C@k7?gxEs#fPZ3%AgMn4mXAJXy3!9%sy4%A_{ zz*+1lbJDzr%nbSe4`=;f1mwd+m0@Hxfm)ym?t2^OW{&eR9#~G&XAY0A&2%LrhJBDd zUunQbZN>8=Py;7T%DKa%skFefv93jFHJ*QL)kYV;)srr6Bi1~Q3EBGc%lGoT`?+;C zk1N~ncqV575oN7dET+MFZ0`iO0I}o3(qt_Ck(}ih9yJnd-$pQL0&c%_)0Yrg#=LW4 zW=AKd7^^3qxJYT9w`g#U2wC|tjqcJ3jGwAeT?>m!jV|o^4&}K9ywcK2E z!j9)+vs;Ib1K6&FMjwL*>#y541!cS|-1FvB=Pl@gE|I0Kd_O<`{6ESC2}Ptjt@?TKb}A1)jmo*K)w-SA-<0Gqq^EXFl;X;D7amP?NQ z0-kP0=bt)TH?`Ed|CBSYP7(8UyG!w;D!y`9IiImUhE$oQ%%cnbav!7kjgHa~3^CkS zZ9%=`3dq(-8N54RI5+IFby%QXtij2crHJiykn%n&e$Pv?0{Q3#eTBJ}v6YZj~3~0j2yxNe>)U}BOj$#7hhq*9_|0y2KVMrWd8||efK}%;pJmM--SYp7NRo0*nL9S^kuG;zRt{3h3`N92#F5Zpz+=F_z)eYLQzqdI+MFa6Kj```XU&M12KG zlR$^XzC?Cl+O>Q}Z=vV%IfL<HDy^?IZ9t z{^^GE-xEwAS_Z_O9G5|w5#@3tuNvs5Fn-*S&6~4=ifVbF4%AhIG7K8G?eEO^bju^3 z88=e>4ht8-Fg^B$uOM!fmUDh7>BB&WgXisZb4^Oq+e80-8kc4YK27^S91J;l`3xm# zDTam8&s28o(l1B;Wm?*qy;#*J4YKz(cRTD1h!A}jymV1iT9CG4ySJl; zU#q~+Fj=W?D+;5qu!ey0lt1#|aYRU&&M-(E&Qa{zOY$_1Y?>RY4H&YHEa>BMx_(Yx zY~rRdLAq2?!n8-qFq-_KuV){C0QJU|9=c80Q8qTZ)ZF9KWwZIDIo!XP)8C0rO#sqa z6@${+0jt6*3D$xg;qnKW3Ybyo`$6o-l~H3KO&X381PocU{qz7JmF0YyOR80TeFG(;TI*-l>s;5)I{qujsU^S6{!l 
zWGuiXGoN+!fEP~5lErCnHi5i^gw28`8&Engwb|4A&{>Kn%?(D2bAa}rtz4=KL&_&! z{W3K5z?XR*p|s$L_^^Jp<QGd{@3I?6+Pk&t`pRKW2j zfI?OUiR14kj_e5e+5lo+)lLT4OG)3-~;@yGV)awbLDav2N@#9*9MxPeRyyl}~H}d^+D56TfVGB#!ERSPE z9=pEqm~eOLwCc)fcyP!8QF;qJK@cJB2eM=&dm#4TT$qKVos=anH#eG-;NaNHBZ4_O z^fW>qEqz}VOrW<9^iWpC*^TaB3(c9}dJy6+3cNfJh|_}|vNt86W)`+_DI=rflfA-J zxcxv>4&idSF52&Zu3p#fNv=p+N_aXz+#Ej2Zcyis%q8{k3B`$3yD4!MxEhJZb%X9P}qa88czMFNK3%Kl6C&Q{hcQkpU zD6p;cQgMZT^zo=g+hM(jA2Si_rR`#*Z*tu!WJarV`J=q9n0M1LU%y!j)S<5AO{&r{i2Y{iyDub^P)6D>2( z!x@UXwC1nh77w@7D}z4G57jGDcYQuW8T$$oGx>hUsvv}WhP;4A-9yXJozFw-${jkt zJR*aiT-$0>8~qFb2m3EwZA1_=n@p|y!{3Ph*Ca%OESwZx39}+KPs&< zgc^THY36yur~FcJ&?x9yQqezKtz@W5FZeF#XU=Jh)Y9BesgFJKr%Ck_A&JISX1zR$x zj==WRTF&=zplnamZ&9T?`dOXfTBuI55e4rP%L3awL7X;#DTobkdU^6_+W5uJDD`F# z&5d!Kwny8})dniKN2J_4V@By@XP>nI{9^cxh3=On)su&k&HSb(qCFp_VuPLmvqERS z_m0zlt9tU0$2!?-5Hs56ME{g8J-d;?rFS+Of5xg-5KJoZSAzxLb)i@<+F6Q`|&xG zuuHIKRr-Xb_cEny_jzJ%?nXZ1LU?$8<~yr187@Ev92i4Pjx+|31}{n&t4l&oRP1c| zQMmCtPZ2=I;3b&!K1LlXlhhnIX|Uj;Ao`9QF4e8l7|(7d&N?Ktx*6ko~!Kz1GMpS%j(n)jIvYcHBJ|c(iQ+@;w;W>GnRSS z#u7{DPk8NLP3zw{t0}sZUSVV+7I({ghYQ%{PeV<8vwt}5o8J@Q2@D?jPe!ix`*W|C zcff_Ld=;{we6up(;JhYDP(|fMM>Qi(QFDT(Aze~bKzA?PXr;UD=+;luIf-PNO4 zn;pB8hT*m0v7?m}W4epW(a}%l5uOn@wz;*c^jigQ2wp6z)C+}(e06og9c-7&zF}-{ zDKo?G;)7tWhQyY+V9-=@rV!c9@{8|#5QlUx;|8`*w*}6XGmWKv4Uu{36JTe`;Wrwz z1X@kgOo1VtSwBAw-Q$*0lW$0H@v6+{39o>B-oEp?eo1C(6#2&hG-GrgvElL-sIK_{_@B3vp zHnt~ze)CO^52afCnlOI9OuiMB2cU0|**v4E|4gRE5sr5WoyBIIf+SBkioVW!(u>?5 zkOLc3X$@Wq(>Uj=9Nf|*aXM*jzp{Biv=Xr%1IFyoJkgA?;o$?az{mi8F7O5A{_8`z zNeCnR*YEgG{q^OP)PnQ2wzAS-Va5M?+ZjbW!p?2R3nm5}gN8n|Yu5^=pgOwAx2*RXBZU>5`FwSp%Umsc+N1-{>HH4$8U zkz>r~ELt)o4(?r$1n^%nprC3xZzqGr+cy}PJ6G{|BE;T^-8laI+QQ_#>MWA|S^{ej zwpc@`>~JcpDJhA~sZrBfB9eUx4MF_OlQ&C+o9ma2fgY!FW0bXrEYze!BzGu+k>Zh# z+-GbIG=Uj>+MWAW^`f+yD}2+OoiKjLDjBQDRh#>F2IFhCelR++iSLihlzBnG7>=Ut zq4QS2ewiJAhW$O+y$CnMABu)%z-Bx@Vvu9~eL6~hN@ByuUgY|yzvLfV4+gm->JBkP zvm?sWor3hSYx`Bkc4!QtJa8~n_3a;IU$uQd2^lcdEXVjtz|L?8&5}E#mu#x_ 
z5IW0!omsJ@vHHOh@+2P#e9~DmAHhJMDipFP_jjqmr@m1~Aje{60p8Gu`T z8=>I0{b&j^xOX+u<8M0FU;0VMZE?428yWsFkacIdC1P>XFIO$w#~9>ZhjJm3!JfYs z?FMczg+He#1;@Lx%}ku_WDKYER-O!)z-fpm0Xt^xDyoKbr-C9eKYpHIc=C|xW*NYD zY&y0gk?J<4S@ZLm?@jWI{Zz`ri%tA@mHWpF1SH^7=+=Nm!Bq@>?!6`7wd(XB|9b1F z3N(%Y;~8_Y&eak+R^Z6BfAvpJK&#!pwZ~Rb9W4y{A;7~PexIYguXYR`8;arKsCaY# zZMTZ{X!)Q$I~nrCM4Y0^nB=&^lSq?)8C+-gRg;K4r}WF`_t39iD&`RCN-H#21_l1u z>=GROY6iAs*r}TAwnSu-_QcGA^Gaf67nDz^iiLl1f>}m&H#lTKew5aeW^Sq?5O%3G zK7v`W$7|ET9fuE`_M#*Jq)R%|J1UG}dU_8UxGTsiX^{*EE-XHrFE!}L+)(L@dlWfs{ zALa!ncrv&(S&mtC>G%%+8OMYt3>PXw5QTS|mk6&&E-)GEQiezK><#Le6vZvI(?uuz zP}i%_WRh7ItLqbb``OT4u^zjo=dY!031i8SS5qszn`??yQhzD_Kdj^5OU#=d{Cw-w z@fm4FIp2Iz-)BOGckE_Z-d((DAOGYR|JK@40C8_QTUxqjQH$v=HMcGFUm8ed<1tiL=K3+r&Io1kF}y>)`6ASqRi@u= zfCL5N%thDV{t~@vzh}+5?$Iw&)b3CWa%U$l0tdD^9B15c&49-B`qd0F-4oKPTyonAnipFLx9+s2ClBMC z*z;x1WgX`WUS7mjuT;NTy$%2Vm-qckRsNk1TVx!Z)j(tJQ#}xkgJ@n^dC5T%4NO#RxOk(b^}k`lCCn> zOGZUD+Tsy-K5Mp?!kMUb77O7+8X)~*9?zODxO}n141a_!9|csvVPFg^+~ZvGvmvM2 zWE?W0VV_Ul5XsaD-XNtH1q_8>&o- zzev`U-?g?`@F5R{k zCcVYP*rl|`>yX|?FaGEEp1@j+c8UO)^@O={yLBJ6yP2wPBLTlTg+Kg>El$YS<^B!&n6Y=n z(*-hqYVO{)8fJtshST%t7y7ES>#@B(-Ze1Q;A7(RgOqKTANJ{3-{3~w3H2XlpHUBm zR{r&ynK?mNKzjrB5dCe@+Cv0I2>PJXi=Id->XujG9DUyllvU7*reBYS1aIMJ(ocd7 zQZ`~NvdL>=1M)XCu>g(zv4q|%b_R~d>7W%EumKkbbv(+j?B5ZH9UR_d;Rd?d#Tm)2 zDRr0s`~rr4jAs#kmd7)%?<;>``w^9I(;GN;aSCq+Qu9aWnFD+5Ta(m;x+xF)m5i%T z#G>S*J>lPBCPNlJE3EP2LA{|z7WtLOH5Lg~o_!aicXY_myGUknztb9}?7~3$H2ll6 zb3!{s2^pCJ+l(o@(d}qB`>E>!h&nh<5+G)w$JC#(yM6Hw$MFY0<1GHJBJ|Ki9=2U$ z@AF97Xd3eGn(|ymJj#qODRv9)cosP|I z7+*}?Lq)fSF>s%?4}t$PrE9_Qnqh6kCSFX3Y8h zb|ao&ddztnKnhw*$m6xYB)Wsh&ieCf=ig1+ebCT#QCpm36KD22jB&d!dvbtDUF z9)CV;$0TRuH6o<*9Tmi0Iw})X9BcPp^S~gL)K2hZhQVYQ5!CB+HkxZ=0Eb)Qc_Hhx z_M;1V*svbnqE?~dipk@-1$}zKBNKCo*ku*@;n%=1u*HwRsmYu6(ez!ZLk+KWw(lPi z?h4lKh3^_p_fHjuraRb`1!ZASWM1l)NC-7g0nSbA$LSFNc(UlPY?cx`i?fVJd}pnR}UP1?JzoK8ZFASa$Ktx>cKQu zvTX5v*ubh^tvNBGWhht*pV>rK-_BHCLwJHA`a&yFov`{{!Rh8@!{-W`E_ zRB3OTKp893BB;gz7;e;9maQJWcthSlLYV?HQv3`3KE<<%sX7l+5I)GL*+E*dYxgy7 
zd0jNujP16DT_Y2&*@Elbx;-vGA^u1Fb9u*c1|c-Z2uZXBtxS(v*(vi0sfgEJ8a;Lz zK{4o<=#UbHgPPp@YnMEGP?OmfZ+6{2HINniCLSz&g>{@-<@Ji|$eGE@t(@f|Dq#4tyH?6?B35?>FL$n_meT7xR#rNO(|M8dYyN7 zfnv>fcMBYRh3mIt;sg+-pIbfp%KWdsYr9`pmFFX+AJ1z=^rbye^4&Re#xv+pulU)1 zeyAVAq3k%^prG^G>CnQar0Ugw-nmcsyne$JFMJLQ;d~M7_4%}Ku)=;0!M{rnSiuMG zCYv0}Ji>tq37exFJd+IbaHYcEal3LO6XCn)da%8@1u?j%{JE!yRkhYNOn&u?Z=%;e zzK(EX#obyE0o}^B7l{F1dICNg&WfAle3ktz!oyQq(8>B>xo|{bi1LS-hA`4$xjxBTB@x*N&(sB3N6!Q-%^EtNG;Eo!-$}IM_KI zi2-udjlia=(;*ML0td;SesEUn95eA{a(j>%B=rV(wWWP%fh2Kx zSeZt`KwLxUw@hIoutUv4vd8B2-SEU>!p&bR>MY8l%v1;wR9Sm)Myo=d*vJegG zZNY8EXVqUc<^FD~sP(W&0Zom>t8op3cgAMuLfjzIDt*LGB&2oH839|$U-svgnEQA} z7WOOXbLGy?B2v5ZknYnf1=lMN#9ozV#XEloqU)iuz{e- zCnAAv<>pU_30i6pEd!}1jh-A88@q2nL$Q}dVP@9tt@iI4xDX=tkT(+rG^Il_w5SfA zziIF!b0?bMMx%%jk0_-Sk*XO?b<=t@m1ni!D#{}c{}$|qOL}47HLjxTr zSmTDX&}M|KN&`uF+O~leX=&JO4|j~7D_oG;)0VT4+!-B+ucU{x$JqRkB;V5blM)(hJ)YSx^)t7(=dhX)j?&PEBYT=@?Kz{4 zHGERCMl?G`v*%_l=#(E`Y{lig{A5>_Ftwtz7(0OL>UKNDgtO+QbPCz_L|4D$U8*uU zSMJ(O4LSRQoQcBkG4yW>xHL7rK0&o?;X@g%@QZ9A>wUu90`n}!SQv%=>w2BV>+ zRT!SBAoW{M#vMs_Tic91agofv!gT$q+{V9TSoV+nIY3}<>XZDd5Wk%=fd?6iIuA)3_UBm4JKlrlBk&#O}IQ$+b#|pvRka z-AU6pA7j1$T~m=nS_oW>;=;Z?NZ%E0tV7pVP~)<6`7w4Sbzt6yHY1uKJJMpzz*cg6 zm$2#jT@UoR!IOt8>>bDxxC)2**(w=Vm%IQapQWvE1}CbI79ylKf}*MkASaG|zr*=W<_7;d3$ zt{my}nReH?9eApQbis69M4zzz(fSkC$u=I8sJm3_JB2p7Svu@|aYY!WAGOfz2L%30 zdhD9EpS-iQ=zf;;nrdHbSV)0n{Py_c+g^KE2e7FCdb3h;nYIRl$eEchoW}eYK69o3eOG0=I6EO$=<5G++56O zk4>bMXvNnW#Zku;{KSkpdJX9f3T==Mi(}%6jOawiE+ap*%lBF{b>+=X@ z5gp9aM?xm}oD}*v*3%d7^To}F$WYzaeEE7fU6Ws}}97}!}nd%|ziEjcZ|_hhHZRVn*zY~TnOZD5c)Jzn8eM0&O) zV-FEwCENp_VPQt9+dqGLF=$TIcaYR~PM&8g_nbR?nIVM+@((gaR`=w67z4szY1ee! 
zqvYEuG^~=>dr)%F?wXbg{L?DWufpVSMW^_kxa5hESNk?v#K5#>FipqgR^)5>H2L|y zrk6$)6}Xi7m#qy-ZEG64Y*rbHS^YIL#S!Gpoth~Cj*P3%#+AP^4T#R z8lU|D;c)Eivj+c>FdsFjLRR-9-1lf*tyfy`X|ksHUTo)9ZCl34AjsAzefhWikg|6W zbq|-8EG?G`$tL5?>c2!nul!F_!MUxM>gptSBtCxI&Ru57ECw~0ABU}MVxS<13;icW z`zJ&ZdH0O}AF}{{KkZHEGe57sg93~jt>Ib#(nTU5is#yi-dDSfv?NwBc=j-#r^~`; z>|X(JQg0u-A#%nsZQsPeTz^Pl<~A?oickNBLV^A<=vt9nC3MEb)cfi9ImODY*QyN! z7m`5N)jF$XPt_tK87C6C?}0+`Y<~Y0dg!*$zYNl)p(A)Jj#QJq-wbNIkwB9OpCu4LLpM6h zdm;H%as3Qt%Y*uiPMU+f7h6W)zTl?}zfDa2r~y6XNawLdelZrjbIYUqOl@pg!6dlQ zVG|@zuXX&^4EJPuIc(X8gG=t<(RkGR^Do&*iu$f^1+yGznXH5z3ra&P1MDTG4Da7AKDd@&coxb z3tWKE)?hOa*52&P+^bFZG*?%?2OsavI(ypZyKerI!Sp8*gLA=&>n?q-dzFDZ&C*$5 zP4Z#co^pvKe8%;$ik}ysC%Lfp0^|h%+rqS?&2go}`syGDJX8Un@YP6HS1-Bpr5z2)FwqzAZa)3(V)9^F^1c zd^R8HnQ3LQE!Kvqx?c`+HB%ndgi>dxH%Sl;7|zdrn~5w(tFN>qXH_949kW4V@8*mx zQn%tF!s{d_rjwaN$s9gOhoi^&Xt7zt!Zc=6vu_0l_))DG!H8*FbEYV+-(5pksl-&Y3mq!7$r(thR^bWhN!T1BB!D z$EKi+McnWOb#mF5N4mh=%KO0Hx08x0YUZ0Xe`H>NqguGK2S-XZd+D_|c~aKr)OVSn z;mB$$m#YO)NbN_fP&QAWoSZX0qU5J1;ph^xRA7k{+rVkZd%HFo{D}04Po6H(vTEQ< zparmxVDw%!8T~0rGx`}L^#-mXKJ>nbp&E?{kZAQy>qR>8Be%@W%dG@j1 zQO`3<1mCSJ&(pP0g=be@tfQvjA8wEe+Na)%DxuSwvsV)?QSYLz^+?;Bt ze9_WAa3mjW+p+6)?4a9dPg*}3qZVduF( z2)87Gb*~^tR=4|fb{Y8dt@{lLarD@|?d_`tACJK|1qsr250vGBBZGN_U*%VBzzJGy zvmsnmm=AUxk(^bem$9?GoYC19fyJO7FBRaI;zliiF2pRcUz4VoSvpH5%DE_zt{H#e zl0cB{dqY}p2CLT%^88j6rOypw`v<65|@v0 z%SliKLKV;Rev=%9K?AR|@9Bn0^GJ*+x_!xFzw74m*L#*g1Rc>D?Oy9;Yj*88ni7Rs z)_nt6#55zfp~#Q#xRdL)f(IOVwme@@wr`)>j~pHk(Q>BhvICFf7J`inxTsN6oxw~Z z{p?*8`4F!!YgaMgS=m3-b3UQ7?^%i7dIsrE_VD|5kxkXxSvPlc=6L0jUR23%ynEQ^ zZx7`5qM&y1$_kqGr{Flc;F_=6U3!%%o?GNh9*M^%&hqNIT@U9n)ohKBgXMY6E=DM9 zi72#j2cghkJ2>!}57Njbpka!GU#~%oqgV%08D13|C zg0I?NT?lxpIM*tUEefQahkjFJfI>+VF*dFr$)o63|i1Cd-xW{ zP^wyn=rrhWGi`?a)5<9WxEw!z4BL#Y zGwGKb0E;pg;>JaN6keK>Z}V%MDsi_4D`_R;xdtnj73r<<|bT4nz-{R>|V89+qDxYlEJSj$T z0YrpRY{u?sSTET8J|jz0H;i;^JB;O|GFnT@quD1(KIbm_=&k7n%11IhcT60|HK(=R zp_2yA58o4(5p-`xJ>44XZ(sXI5x)Gp2;T)X#PK#uWn6!DF>7U$DTM#0Th+-5Sq0}o 
zmWeVz=|Y#~=(Xixf4nn_-#;w7xNS~!89#Nt=+CEj8nbSk8Xq0~Qp=UUkKl0d?W`N$ z?|V#yLW5Pe5M7gR^P)e|nGrtW}U0q6dt#JHi*z3_*p!;VLlNtUR}Mmj(3g#jE(H zjIYZsslxqiUp!%yVPj~0n>+S6a6;X-< zp+*mfX560_%$6KzAMX#}HITl-21Hg5RfQy@0bM;YM3r1OFJ7lF;k4*pT7Laj8RSw7 zYW0pIrL!DnU68GI*D3PPb-m&NOF8Y7y;K@C~uw4D({{G3i8I3Q7GJPvb8!2#V_1Q8}sJSjgXfw7*eg z#6}9ZpEUaiYS|0(Zgy|TZAsDWM0UxWI$YX=+atZzpntrd(cRdhS5CIAE0gQ9G?94F zPU6h;d@QO?tA=@q>Dr#xY1B{bqv_5L+_Y-h=K~VTTQs_79>a83guCnNG8n6HS&)v? zp%MA z9k-)Svao8;*70K1AAqE9rdmHl0d=%(j-d)-j9d(0bwuO>e;@_O z?t}1Aj_|%Bh%dq)7%L@GhFhj>cZSA`|J@^#%K$;)@QjpR;8q)M)pg}8Bd4_z_X1oJ z)_pc|3vkDS#keXNl~?#&I8yP`YLs5sSWeu)Otq9<<7z zs4D_3>UG$!PGo;^0N-lF8hy@Kv@4c$I_$y%oTmpkb7C^XS8XziJbf*Hw?pDE`g7`v zk44drj79NF1$BX7`4c`sR#p{JZs1f>rjAd_UAmrRxV3fPRP0%w3UQ0}gN-BgclhRN zGw+LLM8A>(cY{FV9eJBbOAP&8cyL?*a&PVemwhx+afs*`el_EpuFws^7@X##8PhLB z?3`QjZ~NWrg)rrhK44h%nqNgju=Mt)OAAU%doFe-Dpx%3GrgXldbPiA$4^%N93#b? zgLOYLH*Y!4%Lx-AN#A&H{-ML#Eu_L^^ITPx&tXIOsgg=lX$t2qPO6dBiMM{(>;CFc zmE`={`1CUi8>`-Afjr^)b^Vf7%1k$P!GyQItl&h}%vj?W(v-B}CguB0V6~tM+lCGj zt8sYaDqSGWPH%vQm1YYC*D2=TF7?ndnXuL! 
z&qg&5IG2K7xHAI5xY7D%lyq9}Od7ds{9s~Km(X@(QpL&&F+d1la}4&5tO`P&+)nU^ z*tOaR+MI(ISGrprvEvGWeAl>shhZv&myYo|i!~}n1*P>pkZkH*FPfG!X}m;}9U&5} z8%?JWyw~~?L=N2QlRX^`oJJ5sXeE1wWemkkHDVO+lv&gYamJ_IXYgx{!BVAm5$!2C zEZ9>lKw8b8oqEyR_+RjQHt35pGL;!(F&(xDvoSh4@QY7Hc&kzSS-OjfS>XJE?w1Pn zG(}YilKZ4A?vKlE$7@;TUW8KoPdJ`!Z5u!M(or`0BKkhEFZq9GHo~*0M#@w&?(Ou``g>fJ?fOfTfOiCn z%f1Q8#S_~6_OG&3(spiKHwAd${`P5#G61LfBr|&O30Usw731y?z&QR+*sbZ!je|4l zQTNH%o~*e`<^Z7MR29>j6Jr^ab;S1AUUDtN(`Y3?^M=U-iIQk>oINT~!93WJ!s%;L3*4(sXQs`JSeVXP>;n5AcK~ zwxI2^Ao}39-PnAy9>M|al@D93?b?kEbvF9IL*>+})o4#Glgf%H%X^7onCe>8&~zxC z0D8qL?g_K-2~u z7YM8lw9tgo!HLo#)DRNE?N^`ZuD_fM!5;)?-Yc{S3dydJHKaL}t#CW~Zs&E3Z{g%A z4bZ}Tk&e#tD2XrTB%6rew#%Io&P6qsr<1|$qx7WiPt#*sIR-Wzilep^>)aWl{~XRM zm1!u}H_}~u`=WI{j3oU=E%+6H!r#0qf>}7YooO`!(@87Mzzma#n2;dE1{>Lf5DWH|v;&}w-Ks(hE7&=Kt-+FS; zrqe#t>Z&Z+h9@nHoY6+_V~_Oxy0}orSV#W=tNm{wJ1?nUA?obm(|u~qgO zbIr_k&&>TS8W6bZjy>6z<1Fl7#-7ZgTiLraS&%{*fESX6)94RF8qI7m=WH+hYiYxo zq#4m$G9#`?Ac9a$L$Gmw!k-hj2P9bj79k8(?}#B6Ou>1C6!amQ z5H%^iCyT8o(1eNBm_fcarE`~Zp4}e5h_25da^IYg;afG-yMcjTU^n52)ZQ~EQDs3p z=LZwqsng?CwD@7(IlkO?pILp=wkK~Fnc``#j2I2!JIzvP0ginrF zh~wVg)#)!ffo^U?kYrnDt<274c!$`2^2K}fV)%VswhvQNKTP*L8?DX0wQ()`-deof zZMUMLbhp{gXp^Jasv2eh@K1fue@@f?JIW@r1NWpsQCE6fFng2Cs$X*a$7Vg;w8GfQ zYq@d7fDo!FvHQIG5Y{N%0<$tR+&yV5sgEAge8Sib>qAkRdasHM7a2QSRfDL-Nkv#g z^X#;wvoV4G(hq!O!%}i?c*#m)vKh3(nv%_~G1lx?rsJ1GViM`7hvN$h^mKF=eo{p@ z4MQZ=T?9R8b{64ea>mAM0vU9@hGqU*7{xG@gd1S+@}Zo}Y4!5SgF^RTv_l#v`(?-G zyB%YtuOo|CY%Gt}Aua)GldAXMClrk46vD6l(FH*wEMkyae@V3vXq~efoAR6P-SVwZ z_3=YKyJ}jC2)r-&X~x3T^P=CNsVeApMP);XQtL^?)xc@W7V5>Wfm?%=pN-$^G_hgl z3~dD6IxCe3e9avby75)dBdq$`>t|c8FVCtdMBRm*oz74KCC__09`wEI_)jhbxWDphrF6UNh}xiEiiPx2pK#^9@Y-9Lg9GGq&s3T9PoJ)wNRh}kJ=g3HcT_j+ z>h5+%9>C@{0DbM)_kM|G>7zIl!%2m>)0qPh&EJdTw$I(&?hThEjTE&|Y088MTLazEVw^)G9R zD0t*NHe#!n!7#e;(W4P;QF9Z$6F?w;0(;LERh=hH-Gv&pmB{ORHCU6;U!4E!#AnQF zJFmU=_#Aj}04{TbZ5`|QUDS+Tu>5ovDaVSoy9~v3PiDzQ`Na-WAFl?zc_V~=@2+iU zWbl4V237P${sF{ARVyycdWx4h>0IHwzMmyA6*c(9KcfOH_O`p#`wac1 
z*q*~p&4IMl&+)z*Me)Z-J+(3?a%Gop<*29w`(nC>F=n?O#=zz-BVqiTQ0L;a1rtZ{ zm(~MjgB=XdP}-^vB|13=8s&y8GO2UrOtAG2U)qZ>wzsMs-YK!|s1i-iyN;7R1aI3` zXd2~B+rQeiVVZpT{6vTDQ%T{Qg7Z5MJ?~DN=mA!15!#vxkIy&R_<5N~l;-GV$~Hew z+?mX!N4qa_wSVtwe;jx8bfL09!@62(s+7E*|GUEcIn4i58x#Oe zQr{-INa4FfWK+KmR$DHT@|=ro<9A;&0M;VgSXB_=L>Wa_upUAR+4OGiL5*dRn8_h6B*CP@dviU0at5{9574%_4`b z>TPfolL+pK+sf^4o(!fPwRUXU5i8jOL#jpf(OH=U)bjt=|3o z#i7XAQ8s4M_=n~q;N#-e)n5vwaiBYdm$k#R_36(E&tRDZ+AZWnvT71ltbqpPJN_`50v2%sjER{FI*C2Q1JM0kNQQ$l7LNyAEx<^ zuWUan`T{k~HSfsoPmeIsX^HNwX>Ck!FK&D)_4aZ!TyXn27f)v4!d!&CuyS7&f5)Eo zdOF%q_5-sV6EmNwy_45?2fGEcl+}lZ!$(E#V~%;lOfwJ(7WX3MHTIg*ipZ)*#ChtE z+_yW+ULUR6wweMrE${zYvAUA29MzS7QX@gI4ZU%X>O)tWZM-9wdDZraO0x&T{J(Ja z|9XR$jO7cgnf-sVBx3r``_&WI%S~#qCaquVm#clx39tg438v{1-z?``NGD`|gwWzK zGIRfRv>QHIEcT|8nBD)$nL~0jmnXq;G`k{)%k; zXNTlvE^b;Z(MLBG_7XXbeI37skWP?gY+(m96ibwx|hOp)b-WjJTS1AY1k zb=(zaak_`FjEl-tCSi}>^-qr_r!ERoGr!@IhkTUayR_N@gF7yR&XnW=$W4KajcPtue>+=}(6Jg5p$eR9m*VCOo>&~roI ztNxrqUgkt2U)vP~?Hp&-;#TYdK7c0mEf-26ar< zpg_SHgB^t=i^ni?Ea;5_Z4&R3efQp+sL(5a_Q4sj`f={kBpAv zeg`T~jd4jcX`4|{iukk7!EXLj&qJO_I$h5!2qqZ3tqgc0#ubiT$IS$JC;a|J&gnZN zU*W|OFP|x@zR}+`ISR~nPqsDH9lTHqP#mYAb)5)SbC98j8R%6&0vrFdMfE6OO1iTH)l+oGXYgHa*+ z2EV)+$T-t1$7hu!0_Ga44-FTYkN4|e8M>blKF)}a1VF@}msd=F@G+Y5ZYt8dxhY27 zDgCCx8r5Mg z5c>7&N~p)`MKg$$=T?gZt?7I9MzjU5S()VYj@Bsl)=6qP%<}ax7&cf+&DXv{sYAG zAMiZKUxl;zXmOzQ02|y-S+uTr_Ei!um7ni*vW*3vWB5W2Oc=j8)M=k21{QYuK2j{EnO*}pUg=Q9-_JN*;;ddt zv72BW+mpzsM+k;prw?nCLFL?N5tE6Vvv1k{K|!GZW3lcAN*RWcbmcAE$m0%vO1cZNIv8-}y?4 zkzuLFB-wD0{#*P=nr^Qw%0{%?LLtD~zy6r3fm1zS@K(aEBKY7mqhFd3v$~o^{cBT~9Y%k33OUEt-oNy2 zu?#l+=$4Q-MHuPrh!=`s=9y_QXYmi$=|x`_onqrn;z&8e6j$Nk^yp;tANqgq9@d-7 zdhnfCA*OKKR=9;vEyJL_Dyenlw=W<+?k1P}4)#L%XFOkEkBIzVlA?8LD7egZHjZ6( zeXv~s$@}eBvU6{qFvc?;A51uddBV&Dxx?ZKeWP}2JVJTS*9<*$;rr9I6p2+dqWNui ze9!vDVlH6xj=~*|bMLHo)~SJ*@BGR0CzPViW* zOFsI*HZk#1y7%zB=gvV-vheOy;91Ca4=9qIInW+&pcj%xshT0`Ko_tZX*NecOt{Nt;8alZ=VWA+mgBI02 zqqKPAgZ|&Gt^Yan{~w&h75w+6@&)FB)vuCwhbBY#mdap7vk{HbhuTh>HG0u{U{{g- 
z@IMm)GE0aBf@ajMKQ$w#6jG^G4+cm>my5j)A6~dhZ@j(+8^>nu^l#6JR83b1c`T|u z)JUni8KC)-#_!edu)=fNH=8z}ckle9kz<;{-5^@8>5}fV{bjTHoT=5TqgvocPZY=X zHENrIDWj)9!u5)|{Ens5o9ed&N|YAByMMBEjV6{1%M)@&vLs7N$z^##;==WgG>=Si zf|ALra&PXTEe&r(NLVsw);E}C2NFkwdu?}C7$r^KkHF+DMz`9PG)5oE9beh5$B2qL z&3wSQO1J=3Bx{DCw|KlDj5hlgVWV{$_n(9~w{CsnGjyNgs!yM&WCk)$xBDnp zZ(*kvI9@0KM>-JCX84a9=vUa>pyAaIYHwHmz$8Pb!r+4URqaY+ePQ8b!t8-eCQ=j^ z0qHaIS&ec?S+-I$44iVH?&`N4Z(*?S9^-?E#@fIxz>Rw zGc_ilZQYsLU5@W0pRI4y_qnLzZ$qn|$V3C|DC)AZa8=ai3zJo7h%>%#J?U! z#1;JQ?8)n*))_!%3!}$3mX3TL7pJoKWz2?@di~}Y{-apsuO+@Dk7cnL?ihM}X+|ho zGZ0w z2`J8EE+d3J{!ATc)UdbK$Fa30I>TsX*3H}oDkFqwQs_6(9#yQUah zv|H5YMpUb8^$x;Wd{3Mc^$fR?des<>WNAPa@^AKT^=Mh7Xg36w|zBeXgV} z_o-4C<>EUTKkO0S8urvwr5-}ad*q?}m7ysg({bfvmu)X~2Xqc+pgd-cDp|9^zx{}R`4 z#A2gnIHE$>JDshQ!GntVp*4|=%J+>htV#sEmG}P{tiGOgJpGg6F#l72ro{KK*Dkk; zyJF>C6YrrsqRHYt#3adnq2}W(SqjaMrS0UlE}UFu1)h-qNrh8yCg58Q$9+7`9E8WYr{JOZ zUyaB+abhZWSHp1Vwj6!W9oT|q#(z|&9=|F7fNffhxUv4$t{RoKP08a#Y4lRsGg6`tk zxqwV+_P}cH_c~{{{4`7rKb_s)oW5Osck1i*mu(pSZP{%TU#6%F6fGgad&BoSX7yu# z$kY2{2F=E;wJ-AY({H}1T9ZE-SzDR6Ik^UR1e0jc`zK@UPQm=z!9k>KXKNfB)P<>X z-p>ceS7R&>pGBxtLWBIwH`Vf9GU?$P7dX|u;`gO*DHa<0VZxKi=_Vm#dcX0U=H>iT zman4+f|gBuJaWo~xe~dXRS{Hm*|<-?E49O$cJ@D>_Xp2YE96m;Mg5Tyu3nBs8;D`KB^QX&6*IJkR_^|Na_WfSV+zVrMAH4BqC{Mv$*snmr8Wo#5WC>2dORr3=&_Bqp}(poN4o6k}V%8PX+oz9fAV!m(7wEME< zbjR$jeCzCYRnD)8hUe*(gP+? 
zt}A2Rh8&a%#*Y8=>Jxv7wHSB2)3^f^MEil+3}rAuWX;n%@j(#9H+$(d?miUEl{=WY zU+*U`Ytk?&+ng4-U@%a^Tae^YP^zD3XDbyJP%pIE3-WNnh04K$@xA8@yzs!jt-HJ~ksCCdL7C;kyDg!A%a0jkCx1 zYKWbiE|mMdeiI-8+Q^dt4U}OCTNPotAHGT0@!s2z!7v(sN+Wz}mZ92Li9+4bM=pl} z`9tdBg_QW9(CVv^vc6b0YWo187Ik zeVyFHjxL|mids38rDn_H8pYgcIG}MP3$Qw&60)JW{ouB;BAcy*(KnZo5_b%1!Ehl zE3l{G9@{~9&`C9&ZtGCId`3f&iIps+uZmwvEj_kA+qfhu)d34}z@kFiC z?OR9WrshnHs(O3{*C{+%H^|8ZeC^=eUl$ks=!otUO447boi{x1?N5+wvg!Rk^=PWd zurgG0>SW(@;PGU!wd}-dMU@Oj;LW z=XJ{cuOziLi2BWb1)f$o2gN_i|NdRfeE%S*rj%bJM7KLYHQ!SB`xL(RJI7IEE!L?> zH?sSliQ8XfH~1}a+o<_`B3-lvm)E9G5h%khqngz6}msnZat*wMG-vs@&O0=Ug(Lo-K+7Lg~a@EW`eHWM^I38QciiR zk=P4#eTSw03ptdCU$Me*lov*;oi*71tpF`?hE&d8jS=?R7P99PK<*{UK5AIT{`&qg z#px@2Y=;>6JB}4WAoAJD#1Gqho{jqe;_f8Qo&g@5lec_K_4MCEHS@=5?FZa4arO_9 zS@3S=VS3vCd*ZQsZNukXDR1A~uz2i?vbgj68_D;JI0-?){esrm5sdqg%isj-U@`^q zH2o;@kHQD-RPMW)Xb{%FlPLPo(JxApSXRzD!^PV!1m+L*(nr-t^xq7>w_A2A>0r}=vM1ZS4LJMQ4ZjN%(QZEFT_4j4(>Xt#9oT7} zOw@r%O)Mkd8C$gdv{}T6vD5>@b6Vr`GrG%U5`>TY~EQcM;3j32uFpQVB+Q z4_k=v3|;*wJpcc+$^V3X|0`q$Php$d(%a*8`iGkK=SNnq6Q1ncln}W9wg!HR_Yygj zzN7^?l(k~)l_Tq|zt(XoYr)S0W~OfcT)%#(WqMJV%lPLNUl{S8xWrjvMDo~<7Ex;gFbP_ z5DlAw1CsH6oh^a<@0|BXOTl<~VCiG2ielr5bvGFI0#SJBe4p8!(ytnCj^2q;L$fwZ zz^cn9AN8(PdwJ~<3vV5ggopKe)c^QA(tqIJ_xnu$-xJ}bjN7nHV6|=IFGk!*KFPdF z(5-_Z`+q;ol@of?!`#v2RwR8km)k+FIyned_4KCP$Do5F-G^n8=KTP!@$8HM%2p4% z2T%cDpy;oeKK4Pi)&n}+x*z-zO1=Kb)1=P4If09U;!hvs1#Zgs6y9>cgZ8csh9odrHrV^*C;MFC*H6cM{q)1ld@_0(Tf{i%K$!Ct^e*L+p5wu!N7P@?k z&T3{qsSdicFw}l)LD^E;qf>sGT4;>P3S{Z)Y)5^tq@+08d}Vajn>r;i;NyU_56rPq z*9b){CStyMU5{nw*WRbOhV+Rr>`8aR8r;`k2dcE0`=Fr)Az`;G_8EZs-S77ALLZh; z%cAaF;DISgg{P5ym`A3$Ccd&J{gSlwdNC7AA+XZg#8RA47i3|}qGP$|m1M_w!@te1 zwMD&1J9il-(zm`5D;zz{Ep=)QzB+42^FThm?!Nwr3JvIy{2RSlL%N^gMfDpSY~K=w zE@HEfUct_HL!XLYd8e;Frcd?_$22t~W`g(TH5OhR&uq1-Hk*U;(M1>Qgzi!9i6ZBP zM8>OM#6Auvg^!kX?p95q={J1mnH|<0qQMq{b(%S5AU*FRvcmYa+3V*R+O%crMA)X2~V$`QO2B$0s?RqV*milqt@N&0fN>7g{I7?Y3MWi;x$d%pnL&~HU_`MI@vIl+8y*KwU3}l2iNUJzLBm@2r>Up^pPe0(Uc)3No*f+>> 
zg!KbK^)}?46utxLbY$3KKCTxy*ICWVSl`qpa&b>-36_)dE^DDq7r$~9>)#fBGb)oj zm>+a?R-dlD%3OQFA-Bncdbyh3hO%08_Q$l7M=I976;4wqDM{!WtexsvcnZ- zw!!L2p_`6^4CsRWavei47+?FuI)w0Cg=Bs|;oBAfc{D6Ox2L)us_<2`vO)O-dxc$r zF+6!VPd7N}<3W|mR!f+iY0PJBB~98huz&qhSi8sDR-&4c_?qz1lCak0M~;@-RgE4h zfx~a>cO-u_@I6)Yk};i+=tPT-N<_<-Djmn2`ug3xEbI6`1)NhP0@sHfeaF*CGQU{x z-xR>#$7F7k{2nX#Q7V`qFI3h`iIn+%m>Pt#)@nf%kM($qo496~OQqu8Qd5a6vATCx za(TV}R$n?M{XPSyhqX(YwnrfNnVHKUhVB*T9Ql2g{CN{LS3YtB9R;sDw}{lJ-PfVD z1VIg2IMa(RmW%|RYV7;)l#|5)6CGtD8B`LtVQihpIN|XUJn7}p`3l>hHnSdeJ$=Tz z&1Sn*yx=ExWxLHrrDtMt4|5c7x9Co*^ruENvS0f20XUX?JD#t8gx2-6vOe70KZfof zcI#t?oL<6G0jv{)!xCP%14knzyojB_#ir2*;B$saCP;QsYEDf-s5;pf_%cXWLQEpV zZ#3Jf4o5-NF&!EJx)slP0@qNm?_ zW5<~(39*ueT;$ZNB%$n~ZX;b>j-QvBhSg|KWBc+y<_bym-gxb?Z3M%ocyAEiSSyv( zR-|$2uTEjc#LrU9o8RDhs19{RRbA-LuXP>3MkXusp zdbGqyVL7GLyHE%^_uIS~77Pzu}eL31#4yo28!v#)xcVgM2 zoN&^|Cf?0W;b7l%81C3nj1%(A|0gjbaQ~N9Y(t~qiuboFin<;x&Iwun&0lF?SttGD z+8&GN1~x5&rqdV^BoBW1$1H%&Slp8{@Aa%2;L?=D>x*~< zMF~|yB#mItSsq}|S?VYvXrwtljc7MeR-IJe3l*btqn8yUbm`#WjAo`#mIG7Wh`g3< zRreC;uGXaHW|IUUH_yXct@-m}zO2xxT6Nqd%tUQO*LAxJ)>@;ucF`nxfrvfV61i=hJPdd zNPH~=P45?fq;T*d`Z&Z@&jVYwteKQhGegfj zps`%^a@V)=>5{8@6epA2l8}?4UUH}Ouq;#vc%TB|@zB%Wjs#Q?-!^q%tLWtD-kNyk zom)we(5E`z3g2WR^EpqBgf!xQ(e)t-@6q|kV79;Avj1>D^3O&^c4PES~hfP-3 zDGUfFd?l|GO`gS2xQgpKhF(t@*3EWan4(+L2@Y%~+=kDrS7S}SFehG9%FTqSzNK3%F78qS}encZZ zIw^dB;gMuCUd&{^=hfiawjBVPLL-JSdQVN9XX#rZB^fB5L5>?a(zQB}$nkJlkb}A$ zP%eEn)1$mh>Dw6FcB!YrWRreh+luP}@7W5?*e&%hc%aAMoG z+V@k&{ZPO>@_T5dMNw}=#eLS5BYJr2=ei1Yuyzfj{=C;hOdWx_ zQm3Bwyjv^VlmW&V4judHmkMXum#RsRl4UBBTyrJY3c4ni0cN1M)Y?P#-pD7wAt5cjd`j!{6}rR*S9eT z^{=lYgi-IhSA+Dbu+4j0yrwEQQ(H_=T_>OR6pu$?oB5&yJhe!t5fk&Hwi^!WJ%EwY z1NeEl*S12O$&vq9;Pg;kxn?~v1uM}FJk^i5#K|{b$I)0wed$(eOMIlv-^?zM$ei^! 
zKIq|lz{juOKW*G~eq{AZhF2v~U4ys!y>{N+#Pf)Fxla$(v~IA6-65igY2%m2y+dSf zR*pn?c?Ep)vhupJvC+5h-oL-^M>Z~nsXm%=ll^A5#W(D?4Tv_|DNQg88@AYVNow*X z_Jfh>W_#WN@)6cU6#!%Ch?$2Gek{rAb zqtuA=N_Gu=>inuW8*u}@ea)uCybjE}WqgE#iqg;Kn(Q#~Vj}vlm$~zX9F@x}EA|pI z@Q5hx$Om1)!TqZb9H!>}ft515L$?Bga&c>w=d^Gy{#<;2@rFJZ%YOE>x3^${Uo@P8 zZBr!Dp&ho;!Td>XB=6_DzK2SAqwc(|ryVhsi|dh6FYsY$VdNLTZjOsj*V{%)1IX|q z#M%GAXPxOIQxrGpQ9Et(%45@(pciIKc(~ck&!dRFGuS^dz2J7xS%a`%yEO#pAZ?cX z&QO9q@#FD#qeFwQa^;P5z!GC>S>^+m(MdCnvJ|&zpilI&vj|TLJlb-`A_YjCE;n7& zMho$Ja#~kox2G(#Y$apiY`T34s4%&$krx1&;zmuUn$_<_5$IO!#{aEkF2&fCL%gx} z>EjM6$DffCDE$Bt-yo~364ca3V{^o_yGr^+&UCvi*zghm6HnkPms6bmp2ZGiuPMO< z2P`X*xSDbd-BRW$t(!3ytik^!_6Bxin%MCqr#*E!ORPJk`h}P4ha9cn?jB@>3+pne zA1J#6e)K=)_)g9!{*mqWnX&HSRK^IjaXLNf8#izfs&o56|HtFZ?ir4&gFL}o(yE(H z<8!F=5Cfn3Q(DjyPk-XGgTS=K@4dP&58vBv)bNHNmZN1XXR?X10R4?A7_-FUb4{;6 z>0wC<^dOMcXl6fiP|9ew!Ov-OQ+GHuKSOiL@b=BW)STb)Nx`j?41#=pPflbkKL>zp z^3i(3j4m`!fIGOxkv(8#H^6W4u@sL18S@qT5%1BpZx2DHooh>rj?3cTepGlXS7Qfw zemMbTufZk#_Xj-vJYEQOh!6kVczB_LRGg(xY`G zQzTImK#*pAH2Ts>whP%?Vaw4%i)@!hmBLFMoAjllPoL&KI;q<{?<`}x=E^f*@j>|Tj-P?IlS9|1JbS|)WO z?BdH|H*Ks}*2_D5ciUh(iw6etv*lu>jw1!MtMUZZ zVdRn{_>OJrIBi4W;^*Ueptd4e1BM^`f#lf9!L$jwJSV`zSCT&d7W^#xR^_+RR!7A? 
z@u_jNvY&OJbs!Y)6bKMz&wjt*GtR1l(bm^0z$|Z!pUE|gqdFgv*d+0g$F2~)2iqZe zpFqg-kggTs+pqXz_H5y zy3n^d$_sTX&N^U+Fv@aV3V-sBz-+O@XM(I+k1f*+70tS89)-tFS1`!L0=0PET=;c8%SykNkO?%ydU+4M*{I)3I z>1qCfBZu&l8YmDhn+D}9XqP4$NgDRneIr-k9xGTf;Z!=34_kgsd`w;@O)D`MA1TX*%|7@d^=%H1q{}?M`*|=uR1RiL6@AVpq41aH# z8@L+kXLd59WCiP6|L9wCoCxA5^Z-6vwZh+bE22aqIr|#+LjT%kE<9P22BkjSOldpk z-ff=W&?ImjH(4eI+xM{_PFv@asoV8dLwVhrb@Nbhu`yIKExg*XDv=t>nVmq7^Qo&; z?);(3GV+%`W%k9x_^A*br-Q$w0qNJ7$Q|*A`bwQ1C6<&Y%%NJeWPBSc`-_*Q1IL>~ zo`Ld;4envG!n@~((If9_gL{-Z>RM%a#R&Aft|1m1DJQue^ZU)rnJ=UDd*im%qlN}n z^8+By9!*mHTc8luw1ny1dR2W3|IgZRaFGVYm_-%fF7yH1uWiVINl!{Wu91Cc9tg|u zqPP7C+l;FA(_Hx+HUZq1@(|uRm{*zHt$h3F_5cF@UFAZbKidcE7BEeFhWRD+MGwofa?8JV9xkrr#F+{f2+1olOQfIPSA}zk?9-Ec^+Kn%{~IXS)6VqP#BK z^p@^R$MB=!1q`gvM8@N$#VMd9dQ2E+HD3!=kB5;BEM!!nqY}t`Hn$dXp)8&`@_8Dv zU}tGHk5vVp8}Z!*o0f^GRUT~G^U%KcVt(DBrz1Pt zm+NeQ@eq9)o2taD8S(g$Ur62r7+wNtd(Ku4DNTK7zZCo`V%k(}?LgQ$O$oH?WfCP%>|51dpPD&RQ#$3>V5o5S(B3BE_el>ptA z7>&%1GVRd?%Y_E`6j5&1S#8cul&U{-eVlQAX1h;#PG6POyRFw7T;b-MAvqD$6WpizP8@$i2STYeG| zWoq_l-6Hy}+s^lb-;y$5>~$XmI)9-@TU8wieU1NB(ddPlsm3(fP+57s`i>zagJlg& zL(E4W6VzL|3T{bEygS!iMymVs`Dxtc)VmKEfDE2G5CU5}MQ;<5=}iDj zT8m103svW8NT4nP8vOFjF8Vocbnf(v!bq_a^Qi>-ByIdwEKy}d- z3&FXYbZu3Srxh-g%$$&zceMXi!Y&eLSB)6gX=jFy-3Bsjvy^?iL2FOiNFp0no^{Z& zFgSP6e!i;m4G$_No*2b!eYE+kSd9iaVq8F+4CHJK1U>#)QgJE^N&y~DdA(kCko#XX z7za0-Lf>g;uTM%=;C<`rB~)B4FDT9!auvJi3&iiEvau>%kB{*pVA;P~sZ{_38p_2x z<~~IMX6rf6)|OLAzML;rVveoF`js1ivX8+d<@uJ*wqFgS0MY}|PJA_*1G;D_rV9lr zG|SXhkSlkV&i9$&E*e}{Vh>p~=<~yXc%5qWOFCACkuKcK-{5_(JPuC6(E1IE#H!%E zFo_8p{QO6?WB1lgY@?jqcxKCW(NlN2A`%lr4mW3W$20r)MpU=WJ{tmtRI>`V+Hd~(uP1*9eD zAzJeNY}L+s5j!-28C^in(~atq!5l{!CI}3XqX`oW-v3NO-H!l^Dpkzg30tAUX!FR z$VTt)%oz=W3lQcpDkn+l_=J8jJq7;*LD3UGju7qX!YNeEMHK#Q!G!MecgAkxep`Vg zHShL~r;Pc?^5{U(xp*kis(@%K9-hpjx@m{B%~2*_7M@HeyV6DmX(!jGuPggz_V0W% zE7G-iv8wGZiAujry8pEtZe=(5Dk8jQc7p|@AHcBxJLVgFaCSC%5-Y)qeUYz5nWED} z!cxEW$$SDI%iPy7t+zK;*U*9)Q+_qU4nzCY?16bhz1I*o0?`vPyJjZz&-x#ucCExT 
zJWmGt;Am@Z7t10_*hUdq{@0{VKQW$S&sz5UDw(1bLjITxU?C$p3~YCEQrJs{9UBP* zg8*2tTkJXAtzP)C-lxG)@L8{%(l>C{o~CQ&#O{qNNAHmD{VFc1neMf1jNZ(x5qKl0 zd1F%|=4hxsj%B0BCemkG&#LBtr%t-g6*S%{#mom5O0gOtp)dNC3i_?`$xk^0>Ls{mj2S z;rlXr8L1&##V4Pj{5F5O;AcPMYvK&2MX&ZRmul#Ss~#mhU=OgoDXwYH9ts-CLl+&^ zTpLMU_pffC_X(JOAMXcn3UF(iJzX6;Isrdy9KYpQs<YwRd6$s$e-FcqRpqJoN%Fj7t^_}#)OR|r|A2x30xjdh z9C)>wD1V!t4P(R~tbVocD2NAGLd_fIT4G z$JGQ+9rvDZ_mXZ23KUxujysh(dS%7o>?i1sqV|(%vnG2}8EyWxv0S*zU_J^i>Ry=9 zNWHc^VC1a`)-oPvH7N(k6&)ST-0d6sj8%ZrA^e;u&y#C(a=$UdS;L$~5s@K25u=ji zJI@Md=*G`*7ZN#$Rhevo(+=-)T>RU{{a{L5S&x&tXLO>7Wq2PKQp&$sp z9;;7Cs?el01i9HvTH<>y7u`LJ_CjiijUbNNsUX{MK{QCC$Jq0UF*3f90`25)B#j1H z_|)%mZgtwoA2) zTJDxIK`!Cy&U~%@k!fXeviIJ6c-C{Wl=H?@xkk3)vy$^i!~Bh+1z!M4#2;ev59)5) zI)N9Oq-N+#PF0TD&r%)f-7!Vz?HI!%(froJaZNF}*6e%pb9I%cMBPU=H3>VYxiCVv z{-|NE+`zwy5NN5!RH^p|`{mBtfT2(T!J063vD%qaH!axakwVpI$Y}x}V|K_THRpqa zvyY@n|C2{QXT>_u_Gy*c-CmSuPp5u{(a3{={->sSerF^20&sKbi$py*@5bl;E53CJ z3H^G81=JX;b>ro=1aJqYe1QJkr)nvyz+e}H07Gtk(*X79p)|rOjv5bpT`(PiY-A8* zgZ1p>tJ}v4BS=Ti{3Mgxdgn{D3v0}n)$dHTe)3~oiUC-&@M4fG4czffJ9jU~^DQvz zm54!d0aoj#dhWEs6Wpk0c&_#?e#?k94V2bdF%!c5qLD5p5-CTdW? zx>6$S6n>O{MeJdn*-2}Zy`#~^Hs301(mfmBiU=?M<57Z|CU7?c*tf93Kj#n16Ugl( zY2n+MYswGYQUBcg`T z7WHLhE@`G70iazB<|?`kZ#MPbQ;90p;sPDgoaA8n1l>haI* zs0{RUHS85SEwT;S@!{d#JgnK)h)wO@*87I#&7uE5|9^oalXpu8xDl40+4p_mF^x{C z${VFv9VNxy5@QCceLH9>JOM({vWd9aa;zLEeSQ720y)MyoQBev` zz83LWe2my)zqagbk=a!wmc42!zF}i6etewwEzxb%2e$`lo*Sz(AZ7Httahn!ecE=Z z!MS}#tsS$6_}PdC1)>)$5)_s!4%>|uslEJ!Oq1t#L*!1gpA~IJ23QE5+~(c3)^Eh? 
zRsY~mAr2^+EJBE^g+LA)b~jx%HD~Ezvj=iN=fRC)+?5UR7I*?>U*F*};M{b|83lOHJRdxGT)rXz%{(_^~H%zzLfFXAuE;vYwvkxSw$ z>%qRJf%Zz+4j-6FpvNh4_Dsy>Xj+cSsrq1a`6+5|fDl>uaPz(1&yhf+;y~c`Y)m_t z`TdF))4NfmrjnCj>+m$`3e5J|bfAE(o*6UR(c8ZVvQp*ekFe(qQU8`?CMR>yBfN{o zHdr3R0yjklc>O=rR1Q`MJNu*bm3vo*y*yODJA0$x$4=?VA)CCp3~nlMI-0SP>BZy)Zl7YE_M({QKX{c?{6wL` z{oRf_mu)-r?n-NAp<2qj4HKwsH?@@9(JLt?{fU%2Q~c&4N*DG##)6Af|Mt?Ve@49e z{JjEKomR`(f$#p&HZzc@VSq=>{~mlsFgzDYBxd4ouu*cj*s)#B##DWN*7I1;l;Htj zJ;9Cn!`+Y-wBuQGb9O!Bblvnb)wzpLy15MaKzX%-#P1r~b(>?dzJRRu zCHcYNQ`8z1r7mZbokZz;z9@%^KW;l;p1ZOH=@7=y_PYMu zf17^a6Mdj()zp|m4ed_o@HXO6#58avEO&f*&@WN{ea{Ewxb#IM!$(vSH0sUy&Fe3u z!ht7?d<$F*L}6yfACg;pnJ_BPx?4+LZ~+v!%SXwVc~(5z(=%5+wm9Kf?w$%_?v1kDI$!Gi$M4{(~C3eN|dmli;ajjJ%BaDLxYg z>(Z>AZVZ@8k0aXbJ$MDbIwV^st8o^D1Sl^f9d^B*UP$}1aj+wpic?bt^kP*b><3cr z?I&kXFnt2n926Bctc>~x>zryu`Q<)RPj?%;Ix?RhcPzFtpE*mT|6hAw z9u8&u#owZR(Pm4iUQuK#jO-;;)*{MY%AQH~u{Cd@#Zp-#hGeHn_H9O%k;0IDoe*Om z+n6z9_&q~<>rLqGdtJZZb^Z8jE;G+_-}iaW`JD4P_qoqAn0jv)>CNehfL%_hOs=QrJip@SV;V8nMWD?26nuyKlbdQIT(giK40$_}ij&1S5syK7zgw;nt?6;Ve z0=#;r*Ycbi#LR~K=|zG-Wsh?MW&2(Iryb*B7>F9;IbESb7DCH=b~MwKyL~J$bNk<2 zHwOavr=kmc`PznkXL@}*!*I^Vt+oxiDZ!_QKG~POK$1SlSbY@oMAP0VNB6f0v~ov; z>UrPU`}YggDajj&J<~mv;tY7ya{=@@!ki-hQUjFw%U$ z0k1wRU6ZH)tjg=00X8;SjwX_M-l7Z$TaMq{Oi?R^Slvho?HCFZn>{gMx20C9*=JLr z-N;$H;XRC}03F&qxC?q|Err+@n=0x^*4do@tghP7)aq4V&mKweO#?`xR#e+VTEtLK zxhiajXHZw*!6|D1OxdR1%XjvKf_?PKczxd}d0$k#TI@^h1Y}SINrAPSQWL9EnqpYm z2^?8|Y@a`%I~q>N<3x;lgO4+4>LV(937z2lK9oov7^k5m5OOs_ysI-x42Z;mZkt#v zS5~b246e4-I^_zCxy=fA{m{IEFX+Z1YSVZfNE%Gj9h%?~wij7PBh0H>i0vi>%tHgW zYG`XD6BBi{z@>oC#c#KC>ofrkyWA3Lw{cK8Zkxf+Bm8$?-3bwmM;We?+%PG1wrfYt zX$))TcX5KxLX|b7rCi72vq&E_<&!f&G8If`hw(3Ab@^oSq-?ZsDwluWDASktQ=$~J zG=+;ptrBit`ROMWDb0yHZyufYAbtQL{WeKDA>XCeeIVbHo{n&|O2757E zW?dT@?>B$_FyDzFcQWxVOvLd-IHW(GID8Vl-8C?R6v5+JtI1J~!yC@FYfYck&;bW- z9n-Gf^R_zls&1S!F)GkJRzobIqDO($TN-~7jk@GAa|Gvfeg%?qTz91QDy#hrk=#j5 
ztzeZ39&FhatOeb~3K1M8e_}g36+cI&ZfpZm>yso#mU%h8*|5&K?ZR|l$_}l48s$#*MQ#KKWX13>gT!pgwL~uYoyn-@a|)kwdBZYwy{v_k09Wpfs^OekWyJqkzN zs#IR9Aop^fbZ$4{)lFCrTL{sYSh-!2^p=-!LAq*9_Gxx$18y1`bmo~R0pJRLR_L|a z5QumbaAN1H9Whh)%CZJh^rjyJeaF{(8odlVlz84En$^_NdHS3ftHzY`o}l;CjEuB_ z=VqJSFcHbkk#72fE%sMEs&el=rTzN@lPV59%wont$xErYq^GIQ-GrgnQywf!=$@UB zpE)yaEI(7z^kLw6Dl2c2ONVKYA{kAo1C_KlE81j^i5~N9=~drktySrx?{L>VU%UQb zVv9UqLzm8`fEO}iJ}_r4(YEAmHE^M`xD~7&#q(y*89pg6a;ToV-Lm=GgjM1ItYCQW zQRw(5sv#7A7;lR;Kmi~Uyc0+)^j(op{fbC(>{aD=KN-V%OObie44@&noH=*V<$++C zEw1TK0mSkYpOGoiJd1h7<2_P^BXkw_8F!8qB?E!`hw+C)myYGOc+VhQ%r*8RRWV0K zba~kV-$s!3%f9DJYdP0$ZtFA}GXQ_&y|B>lB;3+np^}iQ@OL z+;v4Kp}JSK_TPUFI&s%s*|z2NAyKBJnL_>9ZKFOoH`xgg^V`aisdP_5soS(C?qTB2 za!W^IUhC!v*wrz)jU)wa%{VE0F3?T~;C_T~eTPE;+2M4SteT)*_94&7{p<3f+qNlQ z2=6b98t47Tz(bzfk-k(bA20`Y`QsruO34~rFwMl#Z7OM9+O|R9mbC3V=N6uOHlofF zs8K01Nu!Ta|Hzsq&Y&4m@%~fO?y%vUghzZ6Kn_%68{gXgArmq|y$gex3hDy4+7$r+ z7D$vEXUDZi6=uoz zs(Aw5jpuY;O4jcQ@MUwUN$k>;8u4k=PBa=uWb#-ai{i;90FRlkjteiRuCW3Aaq@_B zyBS}}!x~IQ0v0RN7u5d|yQ~WT5J1_b7QEgWG24us3DY5ueao7eZ%aFQ5C7aSjM&MO zp4DBTD3}pP!YXboZa$R+lj3qlO!gD!Q$}7YpMf1BlZ<|=k`D7Ijh4{ogLy~aYa~Px zfa>8rXJC$w{5d!Bu(^JtFr8+{wz2rx&Wcf=hP=bBcwaUjxP+~ErQioTlzYp&d|(4c zQC@C%Z@9p%5MJ{U8Z^k!pbipI-5m8KE)k2MzKPaF|3i65>Io<4<*H@+J5rJYZ zPB1Do<6vW>ZjbRMGi8R{v8|aWEiHUi7QCo!L%8B@U~{Pe%55#3e^hgAz$K+zJzvEb zc{jTZ|7OXC3mYLR>e6iYBTJnsZVyK=IKFK(D{TSiam>WR9PGtUX6|#lGm%Y1hC2YS zw1W9YZx3c`&*iktA*oJBZ;ziHF^50a)VJa{a};>{gsgPNoG>0E&Lr)2kvpTCV+~L& zd;w?SPD*Wem&nAWb=J1pN3~fZOh9~#F8X^b{}B?h((bMyMSEM!l^s&CX|v!7;>2^q zd}4aTf4<#K4FDWi{P7SLw%&i?)_DO9+o4*X$4mnf_yh?Hp zl{`Yf=j|0K7HexXOg~D2rQkO$U~}F%=`|GD19}VKz{~q4_|OEb;zBQ>z10`QmLQv- zt7A3ZnVU?md9J7goMwcH)%%bc+|dm?jAiEV9|(XIyr)bun5{&(BiY1*>#9zU}Lud_K%pjpYGZ&ZESjmD-`Y-L-Qf@$ldV1@eA2gDgwh_5-l~P z*x0cOe2x@<2Gxq5OE0cE90Koq6418-&-8=Fd(b~I+aFTtGYYne!^!VuXL(Zt03a-|~*BiO69?Sn^ zayA{Y4{s!uXh%RBzmm5a(QTB^K5RCbD(ZAn2H^Eq@p-!g^f*2R6=97jWGhnn_-J7n zZZiy5h)X9j0?#iw&W%#zM+^TPT{or=q98?YS{M>tEUR`y*D%gxQ&S0Sgze?voySuf(5 zdnH25~9G({R)Li20ubeA5 
z1%6mCyj!F#xmed1-x=wyTz=d$(&M?y!_c5MT;&JsEc^quXjk)mEtAD#X(^Hb>>U=! zK#27)_|PUq1|5WC$1CRQdzWZPK`QiYw3s3)2h%cKp`CTgxvsHnkB5@(vi9ZVIYn!E z%UK`NJ4aA6Mg#@)whZ7J1Aha zCq3U!5O4R9XXZ{x@SeQxG#~I7h;4x6TWXwFgO%G(NWi|Gt#;UWn2B=Gzud`T~#DW?A zqYwZ7PZUF(H$p*T&(|yLf(mpr&LGL>K$1>|K%oHMqC8#U%V1~njkulV>Rsx&46swp zKJxv{v~d0D&5{e7qFNE^osvQXi}Lcphs}fCRa^k7#nkq_LeCN?r*zd6270NihOChW@-aJ_d*=F619Oo+`UU0 z797pL>#Hz1w;eaSS&5cn8ci;dYjt$tNsKhkv3LR#)$bGB7QvhOOgyoe4Q5g5Mo^au zgcM@APq@yl9%{O)*JxLMu8p|s)QoAc_o;u2Y8i!i(?SEZ;A(jk$~Ql4ehujC$eANE z4QfLU4Abpq5ZWL@9+QD>%Y@=gQEa{jBK1g6S4HD z-(9sBS%dcN1+)qwBs5nOxXh22QPb^54&IgA7aI2G3*>hJwzX<9V~kdixm#w=&`97> zdR|Z6yUgSlSGFJgV~h&mVo3G1UjKsy`U8QJs)Zd;wfDmizkla~i7h}{4HFVVE!O@0 z%YPW%W6v&Wwnr7pe|jIlU?iyt4sErQ|APgp0=giR()93$ss5*x)^Gv}>SAst_vZ^_ zya4FJQDL$F3^CuHy8#JM&{(ii#e+XzpbVf3v?WHIf2;|c6=8saP9(=O{SOwn3RcTt z)Hlmr1*?_g;eQ0H$iC3Qg z*41^`r*kf+LyH5}4_5&VG1ia-lVh@1jCVg={{2-3dx2m+v>ZWnVN zh`>WMYIOb+75G7M-fRKbiqhw%fIpAGYuEvbp_FLK`@;ageymF@xbZ$9c8-z36_j`_ zaTn@WP*Z@|!D8wJ8UCCYSeyaGzSqI-Yewu3gkK;?Wv(@5AzzPX{U;%PUAgcfptNF( zcM1Y zg{{KXPa^pxLaxHq$^)BKxcVKqQVoqM3tlu}=-TZtkVs!zlcKknyJb9MVE4df@K^4$ z9>@$MBssMg3D+Cz)*h{hbYg!GqBLo%<6b|2(P#s@*rxRFytRG+%u7zazv!c3`DpXwiFE4EF*1K!3e{{XbAQKOn5L z|75n%sp%JC$cmPa0?MZ)<#cp^t1M&@NdeWwoB;E{y{bE*@#os$brIl0URgQw&Bs=> zkY7A&psy7`7tSZ%O!||%%qt*c6u=!Bt!$N6?uQnY6u=$B07i@O)A)Gh&$WSH4zL`7 z&i;_!vy#OONQ}zTIwR;ALU0I9A@PELL|33h%^f19I zi-~GvHq)Ndz)t;UdjUr9P?*bKc?bz9dx<$1e#_f3{v{x?xp%(e$4 z3B+qUYh`6`Gwth^S$mb{(ET@__wP&ZS=R)5E1i*D=h|jR(y+JG%puz)xOLaG=YYf1 zurDxukZ@wL+oNx)C@l9TL6k@R=8xE z{Tfc7!W_4oJ$-!>B^|F-C!lkQABY1KTDm&AW$ry^zs)hyvMo9pm;W63?n>(dCYW;= z@#nXS@TRW1+B z7kV+c)7oN(a?i5n+5G748i;n2>A=?_!Np}CQL+I+f;F6N;MFxl>89H0=5@a@G)H85 z__ba0Nq$%MweQ)lCo8SJJI;iATe|YE)q#3(+AC>nVJO<%6YZBGX49B@B=${Bik;`F zVVm9ie*wndjj6*R<(7k^VH!9gZqVdTImbf%@Aq0D?YH%Spo5EFJGx?C&d^IVTneVIc0i5j81wV3 zQ`<2Wp~}*0^81drEmPYev5b&7su=OXb{Ow^`(`(KnU^(mR!Yly~vu$*0e9{QU zSP59X|I8?QLv{OsDk}P-bR_E@fq9qgaHlJLH*m-UnXT 
zY_Oe4kbfhc>m(B>!DyzA^ZW?ud7u4dHy)C+O^=#Yy<-r4o!{rFk_~V}41w=*e(<8zOlhUp4ch&p&y2e&bB7=E z>5_-8Tq2gPp*Cs!riTk3rqv8kFO_DeJH6(;mdTNIy4q#picvgU%A4Ls^6=Pa>Lmj9 zobSS+vP8^i&_J_s#~>Ss;$U{b`SZ+?wxf<+6J#IpJT6A(5+QvrDU6!d`%F@ggp-Xg zc!q%OVgb8Y+s3~_Uz6EXqABTS>pbD5*7Z_lMmsOd;Np2o0<#byD;72#DbkhZm*8nW z0-OydBoQD$Yh5?@P#V178k;>Hy!dl}kEm6OO8AI(z7grqs!7Zd!XDtBjC+tXuwUqo zLtWNG3d1brkx2i0d(HedS7Y;Yt{}v0*sRY^mVSG)Ue>bEj#yWUg8K+X*Q)6<3>;@# zm!6jG%O)m@@@1jZpM|4Qy-%HR6RhX&eQ9!-b)xl^!C0Mh9_!~TmLN!6xg<5$CG1~f zN!tMRoz*Hx<{3;CS_nezI7Ym0ZL_a0#%ml_CC$o21}HWPF7h<~c|InhP_*uN*|Q>S zy8KXWyrJ_zGrH7iD_EHif9^~*22*vYU92;KUAQ=EEOt$cnCnN7@;?efg3V zH)2FW-A6O$=quw*(??dDoSET%&Xv$kUfVu&`QM8)||VGIBM zah=iwd(O4jQ}p$-M04!=-qt*{?Qaxt<;OQO3OM&Fw+ttphKEZev_FvmkS|Qg`;K>R z&BK7IgIikkU8dZ3Wa#7qM|1OyZUG>b{LZdBi|Ffi{Iiq59o)5UMub_pxuorR|1qa$ z!tXwO*lF7R%&e^CGo11XDUYoTyI=-iwiePvY2A=^&5iOUH+i6ATUrU3o?TDnjZx#{ zdR|j}ym63icw$PFA=0I^#MDo6pDDDJwJo=#iS7A5wb-_*&&BYmT3G?JvyfemH3RU{ zip+L;6?6y-x+0ueJHz5(N|Ze6{;1*gPg~d?Kc!13;F|`+OxQ zZ%k93G64=nA?12W!WG2zn@Lx)MKc&?YLNOcMi4|@ajLh^>T|KnW6S1b^B@Ow2kud* z<;<<>bkx4L;>=~Z-siC}^~OY)kkQdw%TYt=rVY*Br#@E=-GsUS^jn_8w{<q#Z{$eHLyaG}qvQ%uh2 z5lv?f0L=62^zDhq8?x&Bvhc<=*RQ`zo_tD^KwV=E|`h z+7BS&S3&L$-`Kez9xP^u(5OH>+!9fAQ%efRl%z znAi-dsbbogdTws9Vyn^^%ZSEIl3Cp}rCQR>gCLKGS~6qnwarI2HOz`j5<7fR6k5qogKCO1R`=Nl^$5U9p5#P7 zLxAd1tv;MD4G;`pwpKYJ9oWy!3=HF^T`FeJg%&7*W;6PMU@x{A4#ao&5d*Ab6-EXY zZtj7=#J{n~{2`y05EplOBXL$0DKRnp*t<+L@NOQu=sw(y~mFb~@3|>d_0C{e8v-jk-JI5+&m)5o$n_xe$OX?j?W+ z#Pb(GWKLAdEs{6>M(CbwgKFyO?x&Ryk22vYW6s?~dq7oPYUD2Ek=gkUdnEEN;rtm$ ze>&+AG7s-|iH~I>hVr<-dw-_M;apV**Wqol`A(C)teI_Nej=1FU25xRWm%f9T*HS5 z-PE>{L8G3WUjI>;Z~bzd7>WWIFGxf2>uIK+lxl9ew{#3TUIwXc@Yv3~Gs1U&w!K*k zgPzV4EpVI&GF&oBZaZJU#%rs`9B;R|!|2+DVRkmSdLc>sif$_$OD5_jgVMu8_uNBk zUVOM{UY>fIs}TNj&A$}z943bx5xVGIKjVXDwOrB%M<5>1JQY=(~H5FvV>^|C3JU zeOwBG#}$%6>N;-)^HsDO^K`m|1!s>p@FF@-S{0>%QK205Y)O_4uXXb%PwpkSK2x3C z0itlZj@4*)rsD@vw>O!Q4v1J`vN}JFckygeQVdfA{PbT_=l||I-$EOkVb*lrFx)#Z z?0NN%G0)F%Bi*--E*exf*DUMTzui5cr$8&LY1gY-T$4Q#)1UU2qqVJ}FQ~oo05j+o 
zSATuBb!?~Ba}-a=dtQ2gi|u23e#c5N%+7^<0Mk^RuicPE+>0%4bIUuWEI!;DCIn7z zkh1PZqAEaonn0V^bmcq&w4Ax_J;$XO>ztvkwLyMull}8r=KdpiAwm<)8b8E<%y|`u zxK@OEsdcHhI!fCtKk_<2VR~y*M5@At<+PHIpl+GWT!kNbHxAY(bcv9PPj-?DTPiex z)LM=95%9)YIG+wnkgnj(*jw7#_fk1j9-UMci%(Zdd^IK5({!}YWB+oKg`U`)##a>V zv1BsG07T!5fvfZnGVo~WsO#tQQk1Y1GTs|-#q{amxGFf9lw}H5<7>#;QQ@Wu=Q&Pv zoobG^8Un?ZIJHxJL?TB##*5mg>KhGxCHnL6R6{6bbrT(S`HaJ7m?|-Fc(Lu()OEes z@1J4Ov}ewDeJ(nAz3f@^W$=BrDkOOOe!+tt`&>8fIIwFkp@nm@zl}THO<^DNxJ6pA zv)5vYlOH7i765nSi#1Div6p71KUdggT3RRz-xp9**l|9J^mmRdDDE<&s>+DVP;=)K zC%^>>wHb-Erj}`KBVd z8r}K8P}v9W;-tk6-U4^>ViV(nO!n$!wsIla9E&4m$D1>5Y3tZbA%_H=^=ebLyHgP- zIQ-DEh(p~)J0f7ZG~yh-T`;qknqqjw4>VSU9?lp}ptWVZ9Z1x2|im!RC!eWK%khwIF9N!37Fu;mTs{Qq}hZWT&PAAABS;X)Rziy@1;pt|Bg18s@M zW)jJbt=5XnC*y60TaV#CB`O3)*K2F1qyQijikw>75dk|&W&nLO+p^?)$(kbyHu*@N zc*gH=tW*p`>Y-A52B9{Di&H+h-Iam|brLc$S8F+sy|C_yKjPgMSrl&7QHoa1FZC*H zL1QcQRc(@Wy6VHvjcE{b%thy8GQfyl? zUVfC>xZ`L-G#$WJ_xv@<8g6$?jmJ?Kf*-ti33D7RcOF!~>;WzR(?Bk3d+(BnRHa4Z zBi55Y8YDG+qEcd@_T1m?cor&`CwAECKbF|Kwm+v7Hk`+4BsF`c?M?-O*==+nWW1TP z$aAL;W_o&)fa_pfb2m#R89%faMClb9os`+x9H~d?Mul3&OY)GYEN1W3HzVEsH7t^R z#Kz~Aa5EAGlwCWdf(jcPo5tpq?+9`&EUrr8q=DbhWP z7)A9sj7H1K+B0fx9%Qqw-7SmnKQksbRTld~l_)VIn-?|W%Pv^=RGitqZRR79n9cUE zI0Iln;ohX-_+_&PAC6TaUfg32{Ru6;i>IJt+o)mD>%76gMV!XUMz3^ucc#K%3}vAy zARx8bh4Oj?QfdY5Y;-%*e>Rh@umX6al&>26GK1f3QZh1Eg2Sb^vHwy9_Q|{TT|LaN zABO_byF*XYsnJ1e^sHekK;R3B0#^O6x}w0acA+72n7HV8eAf7DvRROw2wl(JN8B^St~*tMBg$J)agbsRntKA&E12&7o8K7ASQ94TtwjmeqZc9}xY zt95`@#qBsN;ZCRy97Owt{^krE=$g*u;z*&TlQ;HF%H5Z*L{YUbub}XfX>Ftwta2L zv1qtnV98YlWCcWWMq>KD#MX9!GAYM;D)isf^yp9bXHwIfiaWO2_ty%W{30ex#JyL-uDiPevqu4iDGpcyeL=#D7ZMj|!jKP{G#T;kN0RV3b5fl|Q^2YEd`&gyS=$ampNl&P*&y-k zAkj_7)^wU2%lFV0p6mG-Mo1J#!@i*Uy zT5{_)!eSk>utmA}B*h(M?l$~UpD%tEe`-bKc{K1r7Wmi6VsmFfOx z9wC=?xf`;|K9Bbx_km`n>%%Gq6z)lIalJ(A<-fFthwtz}$5MJ@N3l-BaQg>6FAVeV z3E%F36QuSbDHIlbM%>Y)+{lqBlu~H_P|Gt0RtFPE8Cp)E^5d0dm$VOn*-QRuOY$li zC_B3opu*Sd2eZBPbocB*e12=*=?xMNY9*9xc--lqTIt*8D{=J>EN6$lgVpI5kopay 
zz2&j}dIVQAnY#bo%5Kx7!kIckL#x-m>gD-IGNbb)5a!>Zx!i@`>V4xRr#?C zfk_+3obD$*;dN$&oQpw90`1A2KO+D5TnOjS9y-jBaCnSFJGX-QWpF zz(H;VGH1yqUsvz}`#~qe>BefITg;;8Cwpn_Tj|ucy(6$Y=zn->>ywTPn9%nlsQW`Eg; zw&3+U+w=mT?)Z1%Q(9JmEemRhzh??u-rkW*?S=IXM|vBK;UZsnz>n5aNF{ptPI7=V zKCX>85qMmeo>m3Mq!0u*x%4VhW@AYtPJ|tZ1DW!j@LrZ}IVA(3Tfwuu_aA7|7xs_q zYwe>IpEySij(AZ+?aAhY5*FvSGl{=3lStHnKVFl z=t`L+mCg*-iBW@dK4hK<{XSQEUdWMf*Pd(#AeV=4i+Kg9KNV;*E+^dI6y-FC#1R>R z{UNUd0>>fv-rd|=^?($r?{gJ#mKrvvw;v*&X0}C6oiYyJqvI+m{ z*~qJt`hQGP(8*i3E0&*A0!_HXSQ9lj#b7EfMR0!^vTlh-Iro*xHh|FGx)zi?*X-#Z zmH7vtzS`2I4MyTK>WbMTYVi&GmZgc>`{GO-TJ+XVZySXQrap9l#QJjBm03na)CAYy;|Q1hL#{d3oE^zqml_<^LFT*RG2O3UY&bUQwIU zFJYrA`RWc|l_Y^XP5Mu7#KX>S{LzDce;Gebh&(`%9Ch0Mu(CR0$5v;K&^{8sM+faxe!QT&NatFxxad6tscT)c*<0{C8X<6feHs+H{bW-{{gdG?Pw$RRU;wu>Z zKHW1i3mg=taQ!F_s4)9yKGBvcBW4 zT9wqC&8&jwDtNAf=g&dKQvX>6&sFeT1<$1{Sk8m%&MFDEtA=`>Sk8m%&MFD hEt~nDx|tEA!Bg?6+dKUatpWbd%POCJea7JL{{v3|tOEc5 literal 0 HcmV?d00001 diff --git a/fleet/bootstrap/addons.yaml b/fleet/bootstrap/addons.yaml new file mode 100644 index 0000000..d4aa5ca --- /dev/null +++ b/fleet/bootstrap/addons.yaml 
@@ -0,0 +1,52 @@
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+ name: cluster-addons
+ namespace: argocd
+ annotations:
+ argocd.argoproj.io/sync-wave: "-1"
+spec:
+ syncPolicy:
+ preserveResourcesOnDeletion: false # to be able to cleanup
+ goTemplate: true
+ goTemplateOptions:
+ - missingkey=error
+ generators:
+ - clusters:
+ selector:
+ matchLabels:
+ fleet_member: control-plane
+ values:
+ addonChart: application-sets
+ template:
+ metadata:
+ name: cluster-addons
+ spec:
+ project: default
+ sources:
+ - ref: values
+ repoURL: '{{.metadata.annotations.addons_repo_url}}'
+ targetRevision: '{{.metadata.annotations.addons_repo_revision}}'
+ - repoURL: '{{.metadata.annotations.addons_repo_url}}'
+ path: 'charts/{{.values.addonChart}}'
+ targetRevision: '{{.metadata.annotations.addons_repo_revision}}'
+ helm:
+ ignoreMissingValueFiles: true
+ valueFiles:
+ - $values/{{.metadata.annotations.addons_repo_basepath}}bootstrap/default/addons.yaml
+ - $values/{{.metadata.annotations.addons_repo_basepath}}environments/{{ .metadata.labels.environment }}/addons.yaml
+ - $values/{{.metadata.annotations.addons_repo_basepath}}tenants/{{ .metadata.labels.tenant }}/default/{{ .values.addonChart }}/addons.yaml
+ - $values/{{.metadata.annotations.addons_repo_basepath}}tenants/{{ .metadata.labels.tenant }}/clusters/{{ .name }}/{{.values.addonChart}}/addons.yaml
+ destination:
+ namespace: argocd
+ name: '{{.name}}'
+ syncPolicy:
+ automated:
+ selfHeal: false
+ allowEmpty: true
+ prune: false
+ retry:
+ limit: 100
+ syncOptions:
+ - CreateNamespace=true
+ - ServerSideApply=true # Big CRDs.
\ No newline at end of file
diff --git a/fleet/bootstrap/clusters.yaml b/fleet/bootstrap/clusters.yaml
new file mode 100644
index 0000000..f67b227
--- /dev/null
+++ b/fleet/bootstrap/clusters.yaml
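Review bot: `project: default` in the template of fleet/bootstrap/addons.yaml places the generated Application in Argo CD's built-in default project, which as shipped does not restrict source repositories or destinations, while `repoURL` and `targetRevision` are read from annotations on the cluster secret. Anyone able to edit those annotations on a secret labelled `fleet_member: control-plane` therefore decides what is synced into the `argocd` namespace. I would bind the template to a dedicated AppProject whose `sourceRepos` and `destinations` are limited to the fleet repository and the intended namespaces, e.g. `project: <fleet-project>` (placeholder name). The same applies to `project: default` in fleet/bootstrap/clusters.yaml.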
@@ -0,0 +1,52 @@
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+ name: clusters
+ namespace: argocd
+ annotations:
+ argocd.argoproj.io/sync-wave: "0"
+spec:
+ syncPolicy:
+ preserveResourcesOnDeletion: true
+ goTemplate: true
+ goTemplateOptions:
+ - missingkey=error
+ generators:
+ - clusters:
+ selector:
+ matchLabels:
+ fleet_member: control-plane
+ template:
+ metadata:
+ name: clusters
+ labels:
+ environment: '{{.metadata.labels.environment}}'
+ tenant: '{{.metadata.labels.tenant}}'
+ spec:
+ project: default
+ sources:
+ - repoURL: '{{.metadata.annotations.fleet_repo_url}}'
+ targetRevision: '{{.metadata.annotations.fleet_repo_revision}}'
+ ref: values
+ - repoURL: '{{.metadata.annotations.fleet_repo_url}}'
+ path: 'charts/kro-clusters/'
+ targetRevision: '{{.metadata.annotations.fleet_repo_revision}}'
+ helm:
+ releaseName: 'kro-clusters'
+ ignoreMissingValueFiles: true
+ valueFiles:
+ - '$values/{{.metadata.annotations.fleet_repo_basepath}}kro-values/default/kro-clusters/values.yaml'
+ - '$values/{{.metadata.annotations.fleet_repo_basepath}}kro-values/tenants/{{.metadata.labels.tenant}}/kro-clusters/values.yaml'
+ destination:
+ namespace: argocd
+ name: '{{.name}}'
+ syncPolicy:
+ automated:
+ selfHeal: false
+ allowEmpty: true
+ prune: true
+ retry:
+ limit: 100
+ syncOptions:
+ - CreateNamespace=true
+ - ServerSideApply=true # Big CRDs.
\ No newline at end of file
diff --git a/fleet/kro-values/tenants/tenant1/kro-clusters/values.yaml b/fleet/kro-values/tenants/tenant1/kro-clusters/values.yaml
new file mode 100644
index 0000000..ac79a6b
--- /dev/null
+++ b/fleet/kro-values/tenants/tenant1/kro-clusters/values.yaml
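Review bot: In fleet/bootstrap/clusters.yaml the automated sync policy combines `prune: true` and `allowEmpty: true` with `ignoreMissingValueFiles: true`, so a `tenant` label that matches no values directory can presumably render the `kro-clusters` chart to nothing, after which Argo CD prunes every cluster resource the Application manages. `preserveResourcesOnDeletion: true` only covers removal of the generated Application, not an empty sync. I would set `allowEmpty: false` so an empty render fails the sync instead of deleting, and add a comment beside `prune: true` stating that pruning here removes cluster definitions. The chart templates are outside this hunk, so the empty-render path is inferred rather than confirmed.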
@@ -0,0 +1,41 @@ +clusters: + # workload-cluster1: + # managementAccountId: "XXXXXX" + # accountId: "XXXXXX" + # tenant: "tenant1" + # k8sVersion: "1.34" + # vpc: + # create: true + # gitops: + # addonsRepoUrl: "https://github.com/XXXXXX/eks-cluster-mgmt" + # fleetRepoUrl: "https://github.com/XXXXXX/eks-cluster-mgmt" + + # workload-cluster2: + # managementAccountId: "XXXXXX" + # accountId: "XXXXXX" + # tenant: "tenant1" + # k8sVersion: "1.34" + # vpc: + # create: true + # gitops: + # addonsRepoUrl: "https://github.com/XXXXXX/eks-cluster-mgmt" + # fleetRepoUrl: "https://github.com/XXXXXX/eks-cluster-mgmt" + # addons: + # enable_external_secrets: "true" + + # workload-cluster3: + # managementAccountId: "XXXXXX" + # accountId: "XXXXXX" + # tenant: "tenant1" + # k8sVersion: "1.34" + # workloads: "true" + # vpc: + # create: false + # vpcId: "vpc-XXXX" + # publicSubnet1Id: "subnet-XXXX" + # publicSubnet2Id: "subnet-XXXX" + # privateSubnet1Id: "subnet-XXXX" + # privateSubnet2Id: "subnet-XXXX" + # gitops: + # addonsRepoUrl: "https://github.com/XXXXXX/eks-cluster-mgmt" + # fleetRepoUrl: "https://github.com/XXXXXX/eks-cluster-mgmt" diff --git a/scripts/create_ack_workload_roles.sh b/scripts/create_ack_workload_roles.sh new file mode 100755 index 0000000..1f83467 --- /dev/null +++ b/scripts/create_ack_workload_roles.sh 
@@ -0,0 +1,124 @@ +#!/bin/bash + +# Disable AWS CLI paging +export AWS_PAGER="" + +create_ack_workload_roles() { + local MGMT_ACCOUNT_ID="$1" + + if [ -z "$MGMT_ACCOUNT_ID" ]; then + echo "Usage: create_ack_workload_roles " + echo "Example: create_ack_workload_roles 123456789012" + return 1 + fi + # Generate trust policy for a specific service + generate_trust_policy() { + cat < trust.json + + + # Create the role with the trust policy + local ROLE_NAME="ack" + local ROLE_DESCRIPTION="Workload role for ACK controllers" + echo "Creating role ${ROLE_NAME}" + aws iam create-role \ + --role-name "${ROLE_NAME}" \ + --assume-role-policy-document file://trust.json \ + --description "${ROLE_DESCRIPTION}" + + if [ $? -eq 0 ]; then + echo "Successfully created role ${ROLE_NAME}" + local ROLE_ARN + ROLE_ARN=$(aws iam get-role --role-name "${ROLE_NAME}" --query Role.Arn --output text) + echo "Role ARN: ${ROLE_ARN}" + rm -f trust.json + else + echo "Failed to create/configure role ${ROLE_NAME}" + rm -f trust.json + return 1 + fi + + #for SERVICE in iam ec2 eks secretsmanager; do + for SERVICE in iam ec2 eks; do + echo ">>>>>>>>>SERVICE:$SERVICE" + + # Download and apply the recommended policies + local BASE_URL="https://raw.githubusercontent.com/aws-controllers-k8s/${SERVICE}-controller/main" + local POLICY_ARN_URL="${BASE_URL}/config/iam/recommended-policy-arn" + local POLICY_ARN_STRINGS + POLICY_ARN_STRINGS="$(wget -qO- ${POLICY_ARN_URL})" + + local INLINE_POLICY_URL="${BASE_URL}/config/iam/recommended-inline-policy" + local INLINE_POLICY + INLINE_POLICY="$(wget -qO- ${INLINE_POLICY_URL})" + + # Attach managed policies + while IFS= read -r POLICY_ARN; do + if [ -n "$POLICY_ARN" ]; then + echo -n "Attaching $POLICY_ARN ... " + aws iam attach-role-policy \ + --role-name "${ROLE_NAME}" \ + --policy-arn "${POLICY_ARN}" + echo "ok." + fi + done <<< "$POLICY_ARN_STRINGS" + + # Add inline policy if it exists + if [ ! -z "$INLINE_POLICY" ]; then + echo -n "Putting inline policy ... 
" + aws iam put-role-policy \ + --role-name "${ROLE_NAME}" \ + --policy-name "ack-recommended-policy-${SERVICE}" \ + --policy-document "$INLINE_POLICY" + echo "ok." + fi + + if [ $? -eq 0 ]; then + echo "Successfully configured role ${ROLE_NAME}" + else + echo "Failed to configure role ${ROLE_NAME}" + return 1 + fi + done + + return 0 +} + +# Main script execution +if [ -z "$MGMT_ACCOUNT_ID" ]; then + echo "You must set the MGMT_ACCOUNT_ID environment variable" + echo "Example: export MGMT_ACCOUNT_ID=123456789012" + exit 1 +fi + +if [ -z "$CLUSTER_NAME" ]; then + echo "You must set the CLUSTER_NAME environment variable" + echo "Example: export CLUSTER_NAME=hub-cluster" + exit 1 +fi + +echo "Management Account ID: $MGMT_ACCOUNT_ID" +echo "Cluster Name: $CLUSTER_NAME" +create_ack_workload_roles "$MGMT_ACCOUNT_ID" \ No newline at end of file diff --git a/scripts/delete_ack_workload_roles.sh b/scripts/delete_ack_workload_roles.sh new file mode 100755 index 0000000..bbc4aef --- /dev/null +++ b/scripts/delete_ack_workload_roles.sh 
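Review bot: The policies attached to the `ack` role are whatever `wget -qO-` returns from the `main` branch of each `aws-controllers-k8s/${SERVICE}-controller` repository at run time, so the role's permissions are set by unpinned remote content, and an empty or failed download is silently skipped. Pinning the ref, e.g. `local BASE_URL="https://raw.githubusercontent.com/aws-controllers-k8s/${SERVICE}-controller/PINNED_TAG_OR_COMMIT"` (placeholder), and returning non-zero when wget fails would make the result reviewable and repeatable. The `if [ $? -eq 0 ]` after the inline-policy step tests the preceding `echo "ok."`, not the `aws iam` calls; `if ! aws iam put-role-policy ...; then return 1; fi` checks the right command, and the same goes for `attach-role-policy` in the loop. `CLUSTER_NAME` is required at the bottom but never used. The body of `generate_trust_policy` is not visible on this page, so the trust policy itself is not covered by this note.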
@@ -0,0 +1,87 @@ +#!/bin/bash + +# Script to delete IAM roles by first removing all attached policies +# Usage: ./delete_ack_workload_roles.sh role1 role2 role3 ... +# ./delete_ack_workload_roles.sh eks-cluster-mgmt-iam eks-cluster-mgmt-ec2 eks-cluster-mgmt-eks + +set -e + +# Check if AWS CLI is installed +if ! command -v aws &> /dev/null; then + echo "AWS CLI is not installed. Please install it first." + exit 1 +fi + +# Check if at least one role name is provided +if [ $# -eq 0 ]; then + echo "Usage: $0 role1 role2 role3 ..." + echo "Please provide at least one role name to delete." + exit 1 +fi + +# Function to delete a role +delete_role() { + local role_name=$1 + echo "Processing role: $role_name" + + # Check if role exists + if ! aws iam get-role --role-name "$role_name" &> /dev/null; then + echo "Role $role_name does not exist. Skipping." + return 0 + fi + + # List and detach managed policies + echo "Checking for attached managed policies..." + local attached_policies=$(aws iam list-attached-role-policies --role-name "$role_name" --query "AttachedPolicies[*].PolicyArn" --output text) + + if [ -n "$attached_policies" ]; then + echo "Detaching managed policies from $role_name..." + for policy_arn in $attached_policies; do + echo " Detaching policy: $policy_arn" + aws iam detach-role-policy --role-name "$role_name" --policy-arn "$policy_arn" + done + else + echo "No managed policies attached to $role_name." + fi + + # List and delete inline policies + echo "Checking for inline policies..." + local inline_policies=$(aws iam list-role-policies --role-name "$role_name" --query "PolicyNames" --output text) + + if [ -n "$inline_policies" ] && [ "$inline_policies" != "None" ]; then + echo "Removing inline policies from $role_name..." + for policy_name in $inline_policies; do + echo " Removing inline policy: $policy_name" + aws iam delete-role-policy --role-name "$role_name" --policy-name "$policy_name" + done + else + echo "No inline policies for $role_name." 
+ fi + + # Delete instance profiles associated with the role (if any) + echo "Checking for instance profiles..." + local instance_profiles=$(aws iam list-instance-profiles-for-role --role-name "$role_name" --query "InstanceProfiles[*].InstanceProfileName" --output text) + + if [ -n "$instance_profiles" ] && [ "$instance_profiles" != "None" ]; then + echo "Removing role from instance profiles..." + for profile_name in $instance_profiles; do + echo " Removing role from instance profile: $profile_name" + aws iam remove-role-from-instance-profile --instance-profile-name "$profile_name" --role-name "$role_name" + done + else + echo "No instance profiles for $role_name." + fi + + # Finally delete the role + echo "Deleting role: $role_name" + aws iam delete-role --role-name "$role_name" + echo "Role $role_name successfully deleted." + echo "----------------------------------------" +} + +# Process each role +for role in "$@"; do + delete_role "$role" +done + +echo "All specified roles have been processed." diff --git a/terraform/hub/.gitignore b/terraform/hub/.gitignore new file mode 100644 index 0000000..0216ebd --- /dev/null +++ b/terraform/hub/.gitignore @@ -0,0 +1,32 @@ +# Local .terraform directories +**/.terraform/* +.terraform.lock.hcl +# .tfstate files +*.tfstate +*.tfstate.* +tfstate.* + +# Crash log files +crash.log + +# Exclude all .tfvars files, which might contain sensitive data, such as +# password, private keys, and other secrets. + +# Ignore override files as they are usually used to override resources locally. +override.tf +override.tf.json +*_override.tf +*_override.tf.json + +# Ignore CLI configuration files +.terraformrc +terraform.rc +backend.hcl + +# Ignore log files +*.log + +# Ignore temporary files +*.tmp +*.temp +.envrc diff --git a/terraform/hub/argocd.tf b/terraform/hub/argocd.tf new file mode 100644 index 0000000..1997db1 --- /dev/null +++ b/terraform/hub/argocd.tf 
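Review bot: `local attached_policies=$(aws iam list-attached-role-policies ...)` in `delete_role` hides a failing AWS call from `set -e`, because the exit status of that line is the status of `local`; the same holds for `inline_policies` and `instance_profiles`. A failed list call then reads as "nothing attached" and the function carries on to `aws iam delete-role`. Declaring first and assigning on its own line (`local attached_policies` then `attached_policies=$(aws iam ...)`) lets the failure stop the run. The managed-policy branch also lacks the `!= "None"` guard that the inline-policy and instance-profile branches have.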
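Review bot: `.terraform.lock.hcl` is ignored in terraform/hub/.gitignore, so the provider checksums Terraform records are never committed and each `terraform init` may select different provider builds within the version constraints. Removing that line and committing the lock file keeps provider selection reproducible and verifiable. The comment "Exclude all .tfvars files" has no pattern under it, and this same patch adds terraform/hub/terraform.tfvars; either add `*.tfvars` and ship an example file, or reword the comment so it does not promise an exclusion that is not there.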
@@ -0,0 +1,58 @@ +# Create ArgoCD namespace +resource "kubernetes_namespace_v1" "argocd" { + metadata { + name = local.argocd_namespace + } +} + +locals { + cluster_name = module.eks.cluster_name + argocd_labels = merge({ + cluster_name = local.cluster_name + environment = local.environment + "argocd.argoproj.io/secret-type" = "cluster" + }, + try(local.addons, {}) + ) + argocd_annotations = merge( + { + cluster_name = local.cluster_name + environment = local.environment + }, + try(local.addons_metadata, {}) + ) +} + +locals { + config = <<-EOT + { + "tlsClientConfig": { + "insecure": false + } + } + EOT + argocd = { + apiVersion = "v1" + kind = "Secret" + metadata = { + name = module.eks.cluster_name + namespace = local.argocd_namespace + annotations = local.argocd_annotations + labels = local.argocd_labels + } + stringData = { + name = module.eks.cluster_name + server = module.eks.cluster_arn + project = "default" + } + } +} +resource "kubernetes_secret_v1" "cluster" { + metadata { + name = local.argocd.metadata.name + namespace = local.argocd.metadata.namespace + annotations = local.argocd.metadata.annotations + labels = local.argocd.metadata.labels + } + data = local.argocd.stringData +} \ No newline at end of file diff --git a/terraform/hub/bootstrap/applicationsets.yaml b/terraform/hub/bootstrap/applicationsets.yaml new file mode 100644 index 0000000..13bdf05 --- /dev/null +++ b/terraform/hub/bootstrap/applicationsets.yaml 
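Review bot: `local.config` (the `tlsClientConfig` JSON with `"insecure": false`) is defined but referenced neither by `local.argocd.stringData` nor by `kubernetes_secret_v1.cluster`, so the cluster Secret carries no `config` key and the TLS setting shown here has no effect. Either add `config = local.config` to `stringData` or delete the local, and add a comment on why `server` is `module.eks.cluster_arn` rather than an API endpoint URL. `try(local.addons, {})` and `try(local.addons_metadata, {})` wrap locals that locals.tf always defines, so the `try` can be dropped.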
@@ -0,0 +1,31 @@
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+ name: bootstrap
+ namespace: argocd
+spec:
+ goTemplate: true
+ syncPolicy:
+ preserveResourcesOnDeletion: false # to be able to cleanup
+ generators:
+ - clusters:
+ selector:
+ matchLabels:
+ fleet_member: control-plane
+ template:
+ metadata:
+ name: bootstrap
+ spec:
+ project: default
+ source:
+ repoURL: '{{.metadata.annotations.fleet_repo_url}}'
+ path: '{{.metadata.annotations.fleet_repo_basepath}}{{.metadata.annotations.fleet_repo_path}}'
+ targetRevision: '{{.metadata.annotations.fleet_repo_revision}}'
+ directory:
+ recurse: false
+ exclude: exclude/*
+ destination:
+ namespace: 'argocd'
+ name: '{{.name}}'
+ syncPolicy:
+ automated: {}
diff --git a/terraform/hub/data.tf b/terraform/hub/data.tf
new file mode 100644
index 0000000..9128d6a
--- /dev/null
+++ b/terraform/hub/data.tf
@@ -0,0 +1,18 @@
+data "aws_region" "current" {}
+data "aws_caller_identity" "current" {}
+data "aws_availability_zones" "available" {
+ # Do not include local zones
+ filter {
+ name = "opt-in-status"
+ values = ["opt-in-not-required"]
+ }
+}
+data "aws_ecr_authorization_token" "token" {}
+
+data "aws_iam_session_context" "current" {
+ # This data source provides information on the IAM source role of an STS assumed role
+ # For non-role ARNs, this data source simply passes the ARN through issuer ARN
+ # Ref https://github.com/terraform-aws-modules/terraform-aws-eks/issues/2327#issuecomment-1355581682
+ # Ref https://github.com/hashicorp/terraform-provider-aws/issues/28381
+ arn = data.aws_caller_identity.current.arn
+}
diff --git a/terraform/hub/destroy.sh b/terraform/hub/destroy.sh
new file mode 100755
index 0000000..04b28c8
--- /dev/null
+++ b/terraform/hub/destroy.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+#if var not exit provide default
+TF_VAR_FILE=${TF_VAR_FILE:-"terraform.tfvars"}
+
+terraform init
+terraform destroy -var-file=$TF_VAR_FILE
\ No newline at end of file
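Review bot: The `bootstrap` ApplicationSet sets `goTemplate: true` without `goTemplateOptions`, unlike `cluster-addons` and `clusters`, so a cluster Secret that lacks `fleet_repo_basepath` or `fleet_repo_path` renders `<no value>` into `path` instead of failing generation. Adding `goTemplateOptions:` with `- missingkey=error` under `spec` makes the three consistent. `automated: {}` would be clearer with explicit `prune` and `selfHeal` values and a comment, since this Application is the one that creates the other ApplicationSets.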
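Review bot: `data "aws_ecr_authorization_token" "token"` in data.tf is not referenced by any Terraform file visible in this patch, and reading it writes a short-lived ECR registry credential into the state on every refresh. If nothing consumes it, remove the data source; if something outside this view does, a comment naming the consumer would justify keeping a credential in state.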
diff --git a/terraform/hub/eks-capability-iam.tf b/terraform/hub/eks-capability-iam.tf
new file mode 100644
index 0000000..afee91d
--- /dev/null
+++ b/terraform/hub/eks-capability-iam.tf
@@ -0,0 +1,153 @@ +# IAM role for ACK controllers with assume role capability +resource "aws_iam_role" "ack_controller" { + name = "${local.name}-ack-controller" + + assume_role_policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Effect = "Allow" + Principal = { + Service = "capabilities.eks.amazonaws.com" + } + Action = [ + "sts:AssumeRole", + "sts:TagSession" + ] + } + ] + }) + + tags = local.tags +} + +# IAM policy allowing the role to assume any role +resource "aws_iam_policy" "ack_assume_role" { + name = "${local.name}-ack-assume-role" + description = "Policy allowing ACK controller to assume any role" + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Effect = "Allow" + Action = [ + "sts:AssumeRole", + "sts:TagSession" + ] + Resource = "*" + } + ] + }) + + tags = local.tags +} + +# Attach the assume role policy to the ACK controller role +resource "aws_iam_role_policy_attachment" "ack_assume_role" { + role = aws_iam_role.ack_controller.name + policy_arn = aws_iam_policy.ack_assume_role.arn +} + +# Grant ACK controller role admin access to EKS cluster +resource "aws_eks_access_entry" "ack_controller" { + cluster_name = module.eks.cluster_name + principal_arn = aws_iam_role.ack_controller.arn + type = "STANDARD" +} + +resource "aws_eks_access_policy_association" "ack_controller_admin" { + cluster_name = module.eks.cluster_name + principal_arn = aws_iam_role.ack_controller.arn + policy_arn = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy" + + access_scope { + type = "cluster" + } + + depends_on = [aws_eks_access_entry.ack_controller] +} + +# IAM role for kro capability +resource "aws_iam_role" "kro_controller" { + name = "${local.name}-kro-controller" + + assume_role_policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Effect = "Allow" + Principal = { + Service = "capabilities.eks.amazonaws.com" + } + Action = [ + "sts:AssumeRole", + "sts:TagSession" + ] + } + ] + }) + + tags = 
local.tags +} + +# Grant kro controller role admin access to EKS cluster +resource "aws_eks_access_entry" "kro_controller" { + cluster_name = module.eks.cluster_name + principal_arn = aws_iam_role.kro_controller.arn + type = "STANDARD" +} + +resource "aws_eks_access_policy_association" "kro_controller_admin" { + cluster_name = module.eks.cluster_name + principal_arn = aws_iam_role.kro_controller.arn + policy_arn = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy" + + access_scope { + type = "cluster" + } + + depends_on = [aws_eks_access_entry.kro_controller] +} + +# IAM role for argocd capability +resource "aws_iam_role" "argocd_controller" { + name = "${local.name}-argocd-controller" + + assume_role_policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Effect = "Allow" + Principal = { + Service = "capabilities.eks.amazonaws.com" + } + Action = [ + "sts:AssumeRole", + "sts:TagSession" + ] + } + ] + }) + + tags = local.tags +} + +# Grant argocd controller role admin access to EKS cluster +resource "aws_eks_access_entry" "argocd_controller" { + cluster_name = module.eks.cluster_name + principal_arn = aws_iam_role.argocd_controller.arn + type = "STANDARD" +} + +resource "aws_eks_access_policy_association" "argocd_controller_admin" { + cluster_name = module.eks.cluster_name + principal_arn = aws_iam_role.argocd_controller.arn + policy_arn = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy" + + access_scope { + type = "cluster" + } + + depends_on = [aws_eks_access_entry.argocd_controller] +} \ No newline at end of file diff --git a/terraform/hub/eks.tf b/terraform/hub/eks.tf new file mode 100644 index 0000000..e09aa76 --- /dev/null +++ b/terraform/hub/eks.tf 
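Review bot: `Resource = "*"` in `aws_iam_policy.ack_assume_role` lets the ACK controller role assume any role in any account whose trust policy admits it, which is much wider than the per-account workload role the setup script creates. Scoping it to those roles, e.g. `Resource = [for id in compact(split(" ", var.account_ids)) : "arn:aws:iam::${id}:role/ack"]`, limits how far a compromised controller can pivot; the role name is taken from scripts/create_ack_workload_roles.sh and should be confirmed, and an empty `account_ids` would yield an empty list that IAM rejects. The three trust policies for `capabilities.eks.amazonaws.com` carry no `Condition`; an `aws:SourceAccount` condition set to `data.aws_caller_identity.current.account_id` would guard against cross-account confused-deputy use, provided the service supports that key. Each of the three roles also receives `AmazonEKSClusterAdminPolicy` at cluster scope, which deserves a comment explaining why a narrower access policy or a namespace scope is not sufficient.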
@@ -0,0 +1,55 @@ +module "eks" { + #checkov:skip=CKV_TF_1:We are using version control for those modules + #checkov:skip=CKV_TF_2:We are using version control for those modules + source = "terraform-aws-modules/eks/aws" + version = "~> 21.10.1" + + name = local.name + kubernetes_version = local.cluster_version + endpoint_public_access = true + + vpc_id = module.vpc.vpc_id + subnet_ids = module.vpc.private_subnets + + enable_cluster_creator_admin_permissions = true + + compute_config = { + enabled = true + node_pools = ["general-purpose", "system"] + } + + tags = { + Blueprint = local.name + GithubRepo = "https://registry.terraform.io/modules/terraform-aws-modules/eks/aws/latest" + } +} + +################################################################################ +# Supporting Resources +################################################################################ +module "vpc" { + source = "terraform-aws-modules/vpc/aws" + version = "~> 5.0" + + name = local.name + cidr = local.vpc_cidr + + azs = local.azs + private_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 4, k)] + public_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 48)] + + enable_nat_gateway = true + single_nat_gateway = true + + public_subnet_tags = { + "kubernetes.io/role/elb" = 1 + } + + private_subnet_tags = { + "kubernetes.io/role/internal-elb" = 1 + # Tags subnets for Karpenter auto-discovery + "karpenter.sh/discovery" = local.name + } + + tags = local.tags +} \ No newline at end of file diff --git a/terraform/hub/install.sh b/terraform/hub/install.sh new file mode 100755 index 0000000..65be9a5 --- /dev/null +++ b/terraform/hub/install.sh @@ -0,0 +1,7 @@ +#!/bin/bash + +#if var not exit provide default +TF_VAR_FILE=${TF_VAR_FILE:-"terraform.tfvars"} + +terraform init +terraform apply -var-file=$TF_VAR_FILE \ No newline at end of file diff --git a/terraform/hub/locals.tf b/terraform/hub/locals.tf new file mode 100644 index 0000000..022cecf --- /dev/null 
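Review bot: `endpoint_public_access = true` in `module "eks"` is set without `endpoint_public_access_cidrs`, so the API endpoint of the hub cluster, which holds cluster-admin entries for the ACK, kro and Argo CD roles, is reachable from any address. Passing an allow-list, e.g. `endpoint_public_access_cidrs = var.api_allowed_cidrs` (a new variable), or turning public access off where a private path exists would narrow that. The `checkov:skip` comments say "We are using version control for those modules", but `version = "~> 21.10.1"` is a floating constraint rather than a commit pin, so the comment should state that patch releases are accepted. `local.access_entries` from locals.tf is not passed to this module.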
+++ b/terraform/hub/locals.tf 
@@ -0,0 +1,95 @@ +locals { + cluster_info = module.eks + vpc_cidr = "10.0.0.0/16" + azs = slice(data.aws_availability_zones.available.names, 0, 2) + enable_automode = var.enable_automode + use_ack = var.use_ack + enable_efs = var.enable_efs + name = var.cluster_name + environment = var.environment + fleet_member = "control-plane" + tenant = var.tenant + region = data.aws_region.current.id + cluster_version = var.kubernetes_version + argocd_namespace = "argocd" + gitops_addons_repo_url = "https://github.com/${var.git_org_name}/${var.gitops_addons_repo_name}.git" + gitops_fleet_repo_url = "https://github.com/${var.git_org_name}/${var.gitops_fleet_repo_name}.git" + + external_secrets = { + namespace = "external-secrets" + service_account = "external-secrets-sa" + } + + aws_addons = { + enable_external_secrets = try(var.addons.enable_external_secrets, false) + enable_kro_eks_rgs = try(var.addons.enable_kro_eks_rgs, false) + enable_multi_acct = try(var.addons.enable_multi_acct, false) + } + oss_addons = { + } + + addons = merge( + local.aws_addons, + local.oss_addons, + { tenant = local.tenant }, + { fleet_member = local.fleet_member }, + { kubernetes_version = local.cluster_version }, + { aws_cluster_name = local.cluster_info.cluster_name }, + ) + + addons_metadata = merge( + { + aws_cluster_name = local.cluster_info.cluster_name + aws_region = local.region + aws_account_id = data.aws_caller_identity.current.account_id + aws_vpc_id = module.vpc.vpc_id + use_ack = local.use_ack + }, + { + addons_repo_url = local.gitops_addons_repo_url + addons_repo_path = var.gitops_addons_repo_path + addons_repo_basepath = var.gitops_addons_repo_base_path + addons_repo_revision = var.gitops_addons_repo_revision + }, + { + fleet_repo_url = local.gitops_fleet_repo_url + fleet_repo_path = var.gitops_fleet_repo_path + fleet_repo_basepath = var.gitops_fleet_repo_base_path + fleet_repo_revision = var.gitops_fleet_repo_revision + }, + { + external_secrets_namespace = 
local.external_secrets.namespace + external_secrets_service_account = local.external_secrets.service_account + } + ) + + argocd_apps = { + applicationsets = file("${path.module}/bootstrap/applicationsets.yaml") + } + role_arns = [] + # # Generate dynamic access entries for each admin rolelocals { + admin_access_entries = { + for role_arn in local.role_arns : role_arn => { + principal_arn = role_arn + policy_associations = { + admins = { + policy_arn = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy" + access_scope = { + type = "cluster" + } + } + } + } + } + + + # Merging dynamic entries with static entries if needed + access_entries = merge({}, local.admin_access_entries) + + tags = { + Blueprint = local.name + GithubRepo = "github.com/gitops-bridge-dev/gitops-bridge" + } +} + + diff --git a/terraform/hub/outputs.tf b/terraform/hub/outputs.tf new file mode 100644 index 0000000..a2cb716 --- /dev/null +++ b/terraform/hub/outputs.tf @@ -0,0 +1,23 @@ +# Output the ACK controller role ARN +output "ack_controller_role_arn" { + description = "ARN of the IAM role for ACK controller" + value = aws_iam_role.ack_controller.arn +} + +# Output the kro controller role ARN +output "kro_controller_role_arn" { + description = "ARN of the IAM role for kro controller" + value = aws_iam_role.kro_controller.arn +} + +# Output the argocd controller role ARN +output "argocd_controller_role_arn" { + description = "ARN of the IAM role for argocd controller" + value = aws_iam_role.argocd_controller.arn +} + +# Output cluster name +output "cluster_name" { + description = "Name of the EKS cluster" + value = module.eks.cluster_name +} \ No newline at end of file diff --git a/terraform/hub/pod-identity.tf b/terraform/hub/pod-identity.tf new file mode 100644 index 0000000..5d58d31 --- /dev/null +++ b/terraform/hub/pod-identity.tf 
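Review bot: `local.admin_access_entries` and `local.access_entries` in locals.tf are built but no file visible in this patch passes them to `module.eks`, and `role_arns = []` makes them empty anyway, so the block reads like access control that is in force when it is not. Either wire it in with `access_entries = local.access_entries` in eks.tf or remove it. The comment above it, `# # Generate dynamic access entries for each admin rolelocals {`, is garbled and should read `# Generate dynamic access entries for each admin role`.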
@@ -0,0 +1,34 @@
+################################################################################
+# External Secrets EKS Access
+################################################################################
+module "external_secrets_pod_identity" {
+ count = local.aws_addons.enable_external_secrets ? 1 : 0
+ source = "terraform-aws-modules/eks-pod-identity/aws"
+ version = "~> 1.4.0"
+
+ name = "external-secrets"
+
+ attach_external_secrets_policy = true
+ external_secrets_kms_key_arns = ["arn:aws:kms:${local.region}:*:key/${local.cluster_info.cluster_name}/*"]
+ external_secrets_secrets_manager_arns = ["arn:aws:secretsmanager:${local.region}:*:secret:${local.cluster_info.cluster_name}/*"]
+ external_secrets_ssm_parameter_arns = ["arn:aws:ssm:${local.region}:*:parameter/${local.cluster_info.cluster_name}/*"]
+ external_secrets_create_permission = false
+ attach_custom_policy = true
+ policy_statements = [
+ {
+ sid = "ecr"
+ actions = ["ecr:*"]
+ resources = ["*"]
+ }
+ ]
+ # Pod Identity Associations
+ associations = {
+ addon = {
+ cluster_name = local.cluster_info.cluster_name
+ namespace = local.external_secrets.namespace
+ service_account = local.external_secrets.service_account
+ }
+ }
+
+ tags = local.tags
+}
diff --git a/terraform/hub/providers.tf b/terraform/hub/providers.tf
new file mode 100644
index 0000000..40d5029
--- /dev/null
+++ b/terraform/hub/providers.tf
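Review bot: The custom statement `actions = ["ecr:*"]` with `resources = ["*"]` gives the external-secrets pod identity full control of every ECR repository in the account, including deletion and repository-policy changes. If the intent is only to let External Secrets obtain registry credentials, `actions = ["ecr:GetAuthorizationToken"]` is enough (that action does need `resources = ["*"]`); a comment should state the intent either way. The three ARN lists use `*` for the account ID, and the KMS pattern `key/${local.cluster_info.cluster_name}/*` does not look like the usual `key/KEY_ID` form of a KMS key ARN, so it may never match; worth confirming against the keys actually used.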
@@ -0,0 +1,39 @@
+
+provider "helm" {
+ kubernetes {
+ host = local.cluster_info.cluster_endpoint
+ cluster_ca_certificate = base64decode(local.cluster_info.cluster_certificate_authority_data)
+
+ exec {
+ api_version = "client.authentication.k8s.io/v1beta1"
+ command = "aws"
+ # This requires the awscli to be installed locally where Terraform is executed
+ args = [
+ "eks",
+ "get-token",
+ "--cluster-name", local.cluster_info.cluster_name,
+ "--region", local.region
+ ]
+ }
+ }
+}
+
+provider "kubernetes" {
+ host = local.cluster_info.cluster_endpoint
+ cluster_ca_certificate = base64decode(local.cluster_info.cluster_certificate_authority_data)
+ # insecure = true
+ exec {
+ api_version = "client.authentication.k8s.io/v1beta1"
+ command = "aws"
+ # This requires the awscli to be installed locally where Terraform is executed
+ args = [
+ "eks",
+ "get-token",
+ "--cluster-name", local.cluster_info.cluster_name,
+ "--region", local.region
+ ]
+ }
+}
+
+provider "aws" {
+}
diff --git a/terraform/hub/terraform.tfvars b/terraform/hub/terraform.tfvars
new file mode 100644
index 0000000..ff40a07
--- /dev/null
+++ b/terraform/hub/terraform.tfvars
@@ -0,0 +1,19 @@
+vpc_name = "hub-cluster"
+kubernetes_version = "1.34"
+cluster_name = "hub-cluster"
+tenant = "tenant1"
+
+git_org_name = "XXXXXXXX" # update this if you want to customize the gitops configurations
+
+gitops_addons_repo_name = "eks-cluster-mgmt"
+gitops_addons_repo_base_path = "addons/"
+gitops_addons_repo_path = "bootstrap"
+gitops_addons_repo_revision = "main"
+
+gitops_fleet_repo_name = "eks-cluster-mgmt"
+gitops_fleet_repo_base_path = "fleet/"
+gitops_fleet_repo_path = "bootstrap"
+gitops_fleet_repo_revision = "main"
+
+# AWS Accounts used for demo purposes (cluster1 cluster2)
+account_ids = "012345678910 123456789101" # update this with your spoke aws accounts ids
diff --git a/terraform/hub/variables.tf b/terraform/hub/variables.tf
new file mode 100644
index 0000000..cf681b1
--- /dev/null
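Review bot: The `provider "helm"` block in providers.tf uses nested blocks (`kubernetes { ... }` and `exec { ... }`), but versions.tf in this patch pins `hashicorp/helm` to `~> 3.1.1`, and the 3.x provider, as far as I know, expects these as attributes written `kubernetes = {` and `exec = {`. As written, `terraform plan` would likely reject the configuration, so it should be checked against the pinned version. The commented-out `# insecure = true` in `provider "kubernetes"` should be deleted so that nobody re-enables it to get past a certificate problem.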
+++ b/terraform/hub/variables.tf 
@@ -0,0 +1,142 @@ +variable "vpc_name" { + description = "VPC name to be used by pipelines for data" + type = string +} + +variable "kubernetes_version" { + description = "Kubernetes version" + type = string + default = "1.34" +} + +variable "github_app_credentilas_secret" { + description = "The name of the Secret storing github app credentials" + type = string + default = "" +} + +variable "kms_key_admin_roles" { + description = "list of role ARNs to add to the KMS policy" + type = list(string) + default = [] +} + +variable "addons" { + description = "Kubernetes addons" + type = any + default = { + enable_external_secrets = true + enable_kro_eks_rgs = true + enable_multi_acct = true + } +} + +variable "manifests" { + description = "Kubernetes manifests" + type = any + default = {} +} + +variable "enable_addon_selector" { + description = "select addons using cluster selector" + type = bool + default = false +} + +variable "route53_zone_name" { + description = "The route53 zone for external dns" + default = "" +} +# Github Repos Variables + +variable "git_org_name" { + description = "The name of Github organisation" + default = "kro-run" +} + +variable "gitops_addons_repo_name" { + description = "The name of git repo" + default = "kro" +} + +variable "gitops_addons_repo_path" { + description = "The path of addons bootstraps in the repo" + default = "bootstrap" +} + +variable "gitops_addons_repo_base_path" { + description = "The base path of addons in the repon" + default = "examples/aws/eks-cluster-mgmt/addons/" +} + +variable "gitops_addons_repo_revision" { + description = "The name of branch or tag" + default = "main" +} +# Fleet +variable "gitops_fleet_repo_name" { + description = "The name of Git repo" + default = "kro" +} + +variable "gitops_fleet_repo_path" { + description = "The path of fleet bootstraps in the repo" + default = "bootstrap" +} + +variable "gitops_fleet_repo_base_path" { + description = "The base path of fleet in the repon" + default = 
"examples/aws/eks-cluster-mgmt/fleet/" +} + +variable "gitops_fleet_repo_revision" { + description = "The name of branch or tag" + default = "main" +} + +variable "ackCreate" { + description = "Creating PodIdentity and addons relevant resources with ACK" + default = false +} + +variable "enable_efs" { + description = "Enabling EFS file system" + type = bool + default = false +} + +variable "enable_automode" { + description = "Enabling Automode Cluster" + type = bool + default = true +} + +variable "cluster_name" { + description = "Name of the cluster" + type = string + default = "hub-cluster" +} + +variable "use_ack" { + description = "Defining to use ack or terraform for pod identity if this is true then we will use this label to deploy resources with ack" + type = bool + default = true +} + +variable "environment" { + description = "Name of the environment for the Hub Cluster" + type = string + default = "control-plane" +} + +variable "tenant" { + description = "Name of the tenant for the Hub Cluster" + type = string + default = "control-plane" +} + +variable "account_ids" { + description = "List of aws accounts ACK will need to connect to" + type = string + default = "" +} \ No newline at end of file diff --git a/terraform/hub/versions.tf b/terraform/hub/versions.tf new file mode 100644 index 0000000..8a843e5 --- /dev/null +++ b/terraform/hub/versions.tf @@ -0,0 +1,18 @@ +terraform { + required_version = ">= 1.0" + + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 6.27.0" + } + helm = { + source = "hashicorp/helm" + version = "~> 3.1.1" + } + kubernetes = { + source = "hashicorp/kubernetes" + version = "3.0.1" + } + } +}
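Review bot: `account_ids` in variables.tf is described as a "List of aws accounts" but is typed `string` and, per terraform.tfvars, holds space-separated IDs with no validation. Since the value presumably decides which accounts ACK reaches into, a `validation` block with `condition = alltrue([for id in compact(split(" ", var.account_ids)) : can(regex("^[0-9]{12}$", id))])` would catch malformed entries, and the description should say "space-separated". `github_app_credentilas_secret` is misspelled, which is cheapest to fix now because a later rename breaks callers. `route53_zone_name`, `git_org_name`, the `gitops_*` variables and `ackCreate` have no `type`.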