From c0465ca123827cbdc934e1374d0024b57dcbbd37 Mon Sep 17 00:00:00 2001 From: ColinBruce Date: Thu, 15 Feb 2024 09:44:05 +0000 Subject: [PATCH 1/3] Fix: Update deployments to add securityContext block The cluster was adding these to deploys and outputting a warning that they should be explicitly set --- .../templates/deployment_metrics.yaml | 7 +++++++ .../templates/deployment_web.yaml | 14 ++++++++++++++ .../templates/deployment_worker.yaml | 7 +++++++ 3 files changed, 28 insertions(+) diff --git a/helm_deploy/apply-for-legal-aid/templates/deployment_metrics.yaml b/helm_deploy/apply-for-legal-aid/templates/deployment_metrics.yaml index d58884354c..4d6e8ddea9 100644 --- a/helm_deploy/apply-for-legal-aid/templates/deployment_metrics.yaml +++ b/helm_deploy/apply-for-legal-aid/templates/deployment_metrics.yaml @@ -51,3 +51,10 @@ spec: requests: cpu: 10m memory: 64Mi + securityContext: + runAsNonRoot: true + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + capabilities: + drop: [ "ALL" ] diff --git a/helm_deploy/apply-for-legal-aid/templates/deployment_web.yaml b/helm_deploy/apply-for-legal-aid/templates/deployment_web.yaml index ea522694a4..70b47d3c94 100644 --- a/helm_deploy/apply-for-legal-aid/templates/deployment_web.yaml +++ b/helm_deploy/apply-for-legal-aid/templates/deployment_web.yaml @@ -41,6 +41,13 @@ spec: requests: cpu: 10m memory: 1Gi + securityContext: + runAsNonRoot: true + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + capabilities: + drop: [ "ALL" ] - name: web image: '{{ .Values.image.repository }}:{{ .Values.image.tag }}' imagePullPolicy: IfNotPresent 
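Review bot: `runAsNonRoot: true` is added in the deployment_metrics.yaml block without a `runAsUser`, and the same is true of every other securityContext block in patches 1/3 and 2/3, so whether these pods start depends entirely on the USER baked into the image. The kubelet refuses to create a container under this setting when the image runs as UID 0 or declares a non-numeric user name it cannot verify. The Dockerfile is not visible here, so confirm this on a UAT deploy before merging. If the image does not already pin a numeric UID, set it beside the flag, e.g. `runAsUser: <non-root UID used by the image>` (placeholder value). The container spec begins above this hunk.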
@@ -65,6 +72,13 @@ spec: preStop: exec: command: [ "sh", "-c", "sleep 30" ] # Workaround for occasional lost requests - see https://github.com/puma/puma/blob/master/docs/kubernetes.md#running-puma-in-kubernetes + securityContext: + runAsNonRoot: true + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + capabilities: + drop: [ "ALL" ] resources: limits: cpu: 1000m diff --git a/helm_deploy/apply-for-legal-aid/templates/deployment_worker.yaml b/helm_deploy/apply-for-legal-aid/templates/deployment_worker.yaml index 9894a5f8f9..e892d8cbb1 100644 --- a/helm_deploy/apply-for-legal-aid/templates/deployment_worker.yaml +++ b/helm_deploy/apply-for-legal-aid/templates/deployment_worker.yaml @@ -31,6 +31,13 @@ spec: imagePullPolicy: IfNotPresent command: ['bundle', 'exec', 'sidekiq'] {{ include "apply-for-legal-aid.envs" . | nindent 10 }} + securityContext: + runAsNonRoot: true + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + capabilities: + drop: [ "ALL" ] resources: limits: cpu: 500m From 32a78430d74d9069713cc0887e3780f5aa48be16 Mon Sep 17 00:00:00 2001 From: ColinBruce Date: Thu, 15 Feb 2024 09:44:42 +0000 Subject: [PATCH 2/3] Fix: Update cronjobs to add securityContext block The cluster was adding these to deploys and outputting a warning that they should be explicitly set --- .../templates/cronjob-admin-report.yaml | 7 +++++++ .../templates/cronjob-deliver-scheduled-mail.yaml | 7 +++++++ .../templates/cronjob-destroy-purgeable.yaml | 7 +++++++ .../templates/cronjob-export-digest.yaml | 7 +++++++ .../templates/cronjob-extract-digest.yaml | 7 +++++++ .../templates/cronjob-mark-purgeable.yaml | 7 +++++++ .../apply-for-legal-aid/templates/cronjob-metrics.yaml | 7 +++++++ .../templates/cronjob-reset-dashboard-overnight.yaml | 7 +++++++ 8 files changed, 56 insertions(+) 
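Review bot: The securityContext added to the `web` container leaves the root filesystem writable, because `readOnlyRootFilesystem` is not set; the same applies to the worker, metrics and cronjob blocks. With privilege escalation blocked and all capabilities dropped, a writable image filesystem is the main remaining way for a compromised process to alter application code or leave files inside the container. Consider adding `readOnlyRootFilesystem: true` together with `emptyDir` mounts for the paths the app writes at runtime; those paths are not visible in this hunk, so this needs a test deploy. The `web` container definition starts and ends outside the hunk.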
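Review bot: The seven-line securityContext block in deployment_worker.yaml is a verbatim copy of the one pasted into deployment_metrics.yaml, deployment_web.yaml (twice) and the eight cronjob templates in patch 2/3, so any later hardening change has to be made in twelve places and can drift. The chart already uses a named template for shared container settings (the `apply-for-legal-aid.envs` include on the line above the new block). Define the block once in the helpers file and pull it in the same way, for example `{{ include "apply-for-legal-aid.securityContext" . | nindent 10 }}`. That template name is only a suggestion, and the `nindent` value must match the container's key indentation, which is collapsed on this page.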
diff --git a/helm_deploy/apply-for-legal-aid/templates/cronjob-admin-report.yaml b/helm_deploy/apply-for-legal-aid/templates/cronjob-admin-report.yaml index c4cfdb3601..2b0a96f516 100644 --- a/helm_deploy/apply-for-legal-aid/templates/cronjob-admin-report.yaml +++ b/helm_deploy/apply-for-legal-aid/templates/cronjob-admin-report.yaml @@ -34,4 +34,11 @@ spec: requests: cpu: 100m memory: 1024Mi + securityContext: + runAsNonRoot: true + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + capabilities: + drop: [ "ALL" ] restartPolicy: Never diff --git a/helm_deploy/apply-for-legal-aid/templates/cronjob-deliver-scheduled-mail.yaml b/helm_deploy/apply-for-legal-aid/templates/cronjob-deliver-scheduled-mail.yaml index 54f3f499b0..1516497a7b 100644 --- a/helm_deploy/apply-for-legal-aid/templates/cronjob-deliver-scheduled-mail.yaml +++ b/helm_deploy/apply-for-legal-aid/templates/cronjob-deliver-scheduled-mail.yaml @@ -31,4 +31,11 @@ spec: requests: cpu: 100m memory: 128Mi + securityContext: + runAsNonRoot: true + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + capabilities: + drop: [ "ALL" ] restartPolicy: Never diff --git a/helm_deploy/apply-for-legal-aid/templates/cronjob-destroy-purgeable.yaml b/helm_deploy/apply-for-legal-aid/templates/cronjob-destroy-purgeable.yaml index 0db917b62f..55743030ec 100644 --- a/helm_deploy/apply-for-legal-aid/templates/cronjob-destroy-purgeable.yaml +++ b/helm_deploy/apply-for-legal-aid/templates/cronjob-destroy-purgeable.yaml @@ -34,4 +34,11 @@ spec: requests: cpu: 100m memory: 256Mi + securityContext: + runAsNonRoot: true + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + capabilities: + drop: [ "ALL" ] restartPolicy: Never diff --git a/helm_deploy/apply-for-legal-aid/templates/cronjob-export-digest.yaml b/helm_deploy/apply-for-legal-aid/templates/cronjob-export-digest.yaml index aae136b891..f1aff2142a 100644 
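Review bot: `runAsNonRoot` and `seccompProfile` are set only on the single container in cronjob-admin-report.yaml, and likewise in the other seven cronjobs in this patch and the deployments in patch 1/3, so an init container or sidecar added later would not inherit them. Both fields are also accepted in the pod-level `securityContext` (for a CronJob, under `spec.jobTemplate.spec.template.spec`, alongside `restartPolicy`), and setting them there covers every container in the pod. `allowPrivilegeEscalation` and `capabilities` exist only at container level and have to stay where they are. Indentation is collapsed on this page, so I am assuming the new block sits under the container rather than the pod spec; this is worth confirming, because those two container-only keys are not valid in a pod-level securityContext.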
--- a/helm_deploy/apply-for-legal-aid/templates/cronjob-export-digest.yaml +++ b/helm_deploy/apply-for-legal-aid/templates/cronjob-export-digest.yaml @@ -34,4 +34,11 @@ spec: requests: cpu: 400m memory: 4096Mi + securityContext: + runAsNonRoot: true + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + capabilities: + drop: [ "ALL" ] restartPolicy: Never diff --git a/helm_deploy/apply-for-legal-aid/templates/cronjob-extract-digest.yaml b/helm_deploy/apply-for-legal-aid/templates/cronjob-extract-digest.yaml index 073b9604a9..df97fc1bb5 100644 --- a/helm_deploy/apply-for-legal-aid/templates/cronjob-extract-digest.yaml +++ b/helm_deploy/apply-for-legal-aid/templates/cronjob-extract-digest.yaml @@ -34,4 +34,11 @@ spec: requests: cpu: 100m memory: 256Mi + securityContext: + runAsNonRoot: true + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + capabilities: + drop: [ "ALL" ] restartPolicy: Never diff --git a/helm_deploy/apply-for-legal-aid/templates/cronjob-mark-purgeable.yaml b/helm_deploy/apply-for-legal-aid/templates/cronjob-mark-purgeable.yaml index c827ed6c1f..5cb1ce6068 100644 --- a/helm_deploy/apply-for-legal-aid/templates/cronjob-mark-purgeable.yaml +++ b/helm_deploy/apply-for-legal-aid/templates/cronjob-mark-purgeable.yaml @@ -34,4 +34,11 @@ spec: requests: cpu: 100m memory: 256Mi + securityContext: + runAsNonRoot: true + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + capabilities: + drop: [ "ALL" ] restartPolicy: Never diff --git a/helm_deploy/apply-for-legal-aid/templates/cronjob-metrics.yaml b/helm_deploy/apply-for-legal-aid/templates/cronjob-metrics.yaml index 8a96330075..656b363858 100644 --- a/helm_deploy/apply-for-legal-aid/templates/cronjob-metrics.yaml +++ b/helm_deploy/apply-for-legal-aid/templates/cronjob-metrics.yaml 
@@ -32,4 +32,11 @@ spec: requests: cpu: 100m memory: 128Mi + securityContext: + runAsNonRoot: true + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + capabilities: + drop: [ "ALL" ] restartPolicy: Never diff --git a/helm_deploy/apply-for-legal-aid/templates/cronjob-reset-dashboard-overnight.yaml b/helm_deploy/apply-for-legal-aid/templates/cronjob-reset-dashboard-overnight.yaml index 6d015b80b5..a7cdd83a8c 100644 --- a/helm_deploy/apply-for-legal-aid/templates/cronjob-reset-dashboard-overnight.yaml +++ b/helm_deploy/apply-for-legal-aid/templates/cronjob-reset-dashboard-overnight.yaml @@ -31,4 +31,11 @@ spec: requests: cpu: 100m memory: 128Mi + securityContext: + runAsNonRoot: true + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + capabilities: + drop: [ "ALL" ] restartPolicy: Never From ab0776df085510a0282bade3f4dc6a85fa48ab9b Mon Sep 17 00:00:00 2001 From: ColinBruce Date: Thu, 15 Feb 2024 09:45:45 +0000 Subject: [PATCH 3/3] Fix: Update Helm chart values to add securityContext block The cluster was adding these to deploys and outputting a warning that they should be explicitly set These are pushed through to the postgres and redis pods created via Chart.yaml --- .../apply-for-legal-aid/values-uat.yaml | Bin 12399 -> 12786 bytes 1 file changed, 0 insertions(+), 0 deletions(-) 
diff --git a/helm_deploy/apply-for-legal-aid/values-uat.yaml b/helm_deploy/apply-for-legal-aid/values-uat.yaml index 8a7538c521d7b75d49b2131f4a1f4e4dc05558fe..798dd5e0305072a9f175951bb289783a446fa03b 100644 GIT binary patch literal 12786 zcmV-9)|`WqPZE!BRu#Q_(iksLbnU|tDXg3435LF(p}oDz=36G^4BnkOIa{~ z?*EWQl(2$PZhd@-2SeF|g%+Z1U|OBhpoDo3ok4TR!5*0bu@rV0uMb@gK1GbiY=-OT zV4`3{@k@Rzk2H8P#orD8-83g4?;EYjRVGMsc(-(BP2yC?5G8cu1!MV%f^g~wwjPh3 z5d3CMW)=4L7~~yKVBjrnHxFPSWQwi=E{UgKF+ti*(0x7@y>s?ft?w*;+&#TAbvbGM zq3Pgo#sTpC``=X4Zn&#xP0&~rwtU9?CMm{aGT>7puzpJ^N>`r%&=GJl?5i|44DzN9 zz^^YXy4fRZqDNq}Jo_GuY{5hS67af6E42#i^TB<)bESi<;1e%?5Vo^xe~VNe)@uTC zrWx9cR%kU~x&+q>q-AJ%%bMIM>vl3T!e#?QUX9(UY{V}+l^};=(8J|gZCEcJl}o;g z+zNavhnXH*aZ7)f9-7b-ZZ^-kZ(c??ZVL2glIQhcM=L`Xr&?Ui{>SwMV23_^G{kqp z%w%rLqG6|0p@c*85i@;E#BZEyWDDVVWpqLKp`S9Npvgks5CQ=pC$OJj^=jfh^&qZP^l z$_Z?Ce1YBf)_zyj^+UIrY49m;T8_*)ts)_@ zv#DAut0V~{etDa0v^tCp3H_;V_O6#I$_eYd-e)Nm#wDczN1ub12=-%7MF?wPRM74% z1*=7fLN#SW>*XBp&RSfpj2(UPoc1LFfAu0~y^^xj4G^pw=V>zdV&O?o=HD1FrY-Dkl< zloUlI?k=lutQdExIpeU187tgRR2)Y`o*vhR0aHhdvK$kKhm|-(ei5XNc$QFAdvBxVvI7%Yf7 z!tX^lU_lzxh>hRbc*bM&S`Y0Igq*z9@_2cmL--}XA)BnEF^i-30~UJyQDs^W)@;y7 zh`1qxY)WcHtRkV?2VdsbKZZVr_|Vuv1rVba;*R1nkCkPArQw_UU6nAD*!zRwnh^?4*H{o>f-E zS$7of0m=XHz_Ci><_#_pZ@@=e?4G(ho$`ooSs+QZ*Y2u*m~W}CpKT%--(lRU@`*@! 
z6ttd76Ai8Ang}Fc+oJlE#Mzr1E)TWC!vBapUd4)L52OBpnf}vAg9@sUM>HRn4tL7a zHXZFV-K^Z2dy#d#f!0QOaqWtnR|z|zAi>(TVs6kLuWNlb=S^jnb`9p_VZtevP_}!V zN*!P2Jh(58RCL^YLb}#PvYI$nUFw`W?Z|OuIWrG={6d(RN#yN)Q*oaJG}Ebt?ewW} z?G&@fq*E4+BxurKGkbZfYij53UjV8fT0Gi*ImEG$7*LY1(0w_NhZzz0`QYhZg`2BXdeXb|0H@sV19M+N4lO%;sV1FQ7q7hyqYOx{UDtFaDf`_2i}KvS9{R`N zO1}Cqp*z%~N4+s(3OPz$S^cGlg5rMkpo3t-w=|4?EbQB?GxR)1b3Yk|on?v9c1DJ< zA&Ix%EtbV1kDd;l4WCyCC*j?raq!}pk}JL;pysUJ!|i2BuB2ONV%xD&=CPVSO`e!r z2$2=o(u-H(3@lxX`V;d35ou^tIg!JKE$Uls{ujd%I2`(F@(q@+QuPf6iLuoqeoaY5 zjIx2+Zll-+RqjYp<}ZT=vb}c|Fj_^V!GwH@-DN&Q7iWEA37TFIC9rBnMk@aMl zjwviWj6EV>POC7y{%g?%$bRfC@M=9Cq9pAb(ziYMdhU0DIRw;LFV}?7*vZ2IgWE{l zenaCwXLQGxrzd;RDrU0ro$rh7keU3)CSx|SBd{)sSPN0DZQG^LmYE!3OFPC|U{c7d z#R$kI*4KkvyH>++vmk>J7<C1+#HZK((7s&{C~=@z7YN0#igsyj;A^3^XC>ueQh?~c(WIw+{VECt zJ7vVYqSz8HTAZ2goRSZU@xmt?1l6!+Yc1NV&2(5rZYk$pxd53>mF`{J*znM=M@W65 z$bO<+qPFRQALmf{>`GVsBjj))?9v@@o$0zo25o09{w@Px?^W^L;$v_%gqS8RZ{ZMX z;OQY|guwy4cr)l2FwQr(mnH!9Xurp5Sd`%1I$-!fb1-y!iDoOo7M<179ENzJen{~f z-b-sw@5DUf2%Ei#cI#0{)D?UFOOO&@03{fq9^=uo_{HGPJZ|&|#I&VzQo_fYJDL-B zz)V1Ik1`|p@=fkiR^Eogyv<*_fy>aw2*mbP!9PejER^2-deWy@PM;I$+x=?m9#gTP z{47+-HOB*)tDU^B52?`EWLS3rJN|WKX;F-IkXZQcbHf!lDkJTLS-Il`I< z-TJd|2P6|#MWO2+&<`;TOHpadPN^B7{6QSMoEoE?B}bLsTZfaA8MqG(?O$0&0p^p) zU`^V;kRHi;Sw=aXKfIj8?Cq5J#CcM9%7Ww>XsU_O#W>Gl%4nS z$2#B^*TJ=%TU$sJN6)E#^7$c0Vn}-Ptjpqf!#ZM;u58xo;o(^BXHv6tF8nmB8k&?P zP?t*})v^ZHA+wx(e}m^Q0%fllykbm!qVc59q05PUVxC~@_eyW-WMxBYToy*$V!BmZ zmoSc)l56OMPf{0up$;UN%w{`J_;kw)gg)tHKZJvX*#({MuBUy_dY>FwO-rJW4TTyZ zi=4&Bl|dpI``0fKpL;wbwx&KUOR+7(P<<&^mIJtmj-g?hR72I2l{Z&{K17lzK;bQzev73fA#yTi3T!b2Yk*5w~ zy~{jI&hL2iYRC_T=kOh$C(=w1Ybp_@y@>evTA96f<^88%VaKN>VckuGe@0ZA=znLc z3nyoPf{8=M{vmRUU;wPgvFTGlf9&r_bAZ`XazAvyi?aYMh5z+m+p50W*wO@HeFSvf z8s-lP^%JspgJczkkby}^4w+tAB`AMaAAH3!4m7u1J637f0x^NYpkSOLBu49_D^O6DevEi*C1mOXl3fFq9GODK&Izl^aHtsghiWyS31XhvJC&jgD z2I@~mgc@m{%sp>F$UPNUw#xe{H_4I?F6 z#(Y66Ez)=@s%Odb8!Sb$+d%K{2NorWVJq;-f3k5J>Lr%F_9cua{*8c)m%0e&^0>(ifAy z#qjYbTt5Y12PA9~iZ&p4rmC*Gwi-90Y}KSxPGIX3>$J~& 
zCI<(*b7f(ZTK3%O3*|6Pi#M2a58vI7ZO2p-Q&dOZj@3zf&>fLQ^L%;EmXdD2j*jqA zc06qym6#h>TxswnE&fxvt&^*WBwt)ewhDwt9<)S&c`4~K!C5zuN5fNR38;^Zd!SS( zmUvM#aR>a>x7Z$v0jnB3(P~5zuoy>XlXQ23Ejk2*v_A5in)rr8_AI40+5C#m|1MJc z3<&GsLSp>KRmik3T0;`o^iC*=Q9nQYM&(fqD>9}z=WZzZyY}s2k@0X;0NE0PmsSci z3@(*+Mh-zkxo3B{Y_fBD65I1$Hw1g~b|s85Uj|I$oY|gA(R)N)B&wn_6`xRV$JM4Z zK{_uV9toB{yI-nj$kIY1lQ)d&TF){GV1plY_EcF~#6+pSopZ!j0lW1(MHf#h|8WpQP#!B8OVh zVW923jO=dFF-oW^)v$5RUl+15J_Ui9maIDGF1MR}YU7R%D610Rip#9?e?;qfM6UCPTnu>1gsWr`3ejH(T3__F?>?z)w$=NzQepDJHf zivljCT3P95f3Ev|ArH`ch{B1N#QBme!9fwoM_}9nd zZG43-7OV1^a}oc+Z13kqCZI+x%3*}w$#9Vuo&4H$;T3?&*&^%gFK|mCnU)6!REXOF zO5^3QKIw+oDXipQ#7Vjb$tCAfCZ%xGHp9<8JgS>&*N{1GoJptQVw64>&a}wn{<05D z4{r1@(If~+r(NQYFR=-*Nm9CbGs0o`!n<)sC2_f%a3%}W+ak->mE%;YLdRkCWdmc6 zQdE%6$i|_o73ce(tarT?O_$*Renk3W62$4pBeDQYbnI&(?X8I@^=U`D%(@#$CCbCy z8pq4gt|;fPCIX)l1nr16IOvfVh7vUNdYz*6aCbJuMktqqPmHn(Z#ExQB;wGL^1vd)2N(**#mKbzK>4BFj@dYIy4pID#!B5l*cU>zG}g5mKT2Z%>3xmx?o1&$~L-4e2n3%d2U;X+e& z{Ns3M6i_VDS&j6;vIcbWDFmfF-F`HTIOUs|XC6=2vs_~3NhTvnTG~d5^*dSBr1m1i z+e-mKgcb;dPL=A$h2J&auJsQNQc98|obzqnj@}<3y4h^ZVDLT^f&vhzDRwougTGel zxNt48f5~j|y-KQNzyy+$oekC+GS320z7fc-m$+?5&4r4N1&x_B_=*pr{;`T>rx<>Z zMa#5CbmQ{P2ciHGK<%59kaqkiVCov{q3godpJBJbDZh);0WT9ixscMPhS5!yNa`EZx94FNX zuK&53aZGeGX64OJkG|XUCq`tmToVtdvMAZ3M^OBo;s{`4z?4bt-hXeC{?CeBX+>Sn z!rEgYkf2WJfDqTsNgj(rMy66Dc8R_9|IJHq;5gOYoD)tZ{8)|R=CjkA(r84AA$5}H z;ACPy8*(jD}cM3Yf^^! 
zif`r=Bw?@&0vJjN{TX{{+Hk&}v&_|on%At^vi9V@)+iIv=qOnCyebFiOw3#&?WjI- z7t;Yn$Cc6|#kv^sdGUv=V?hf=&|e5;bTid|wCX<(9ju3R`maHoRA2R&G15%!LJ`ft zUXb^&`Y2@8rdm*eoSeV}-dtb>L5a8(HBz*ad9B!^)gn(KhRh#NUNCNx_Gw8x8+=V^;U0c6M8anW$kP1`?A?$OVvN{~P4&Gy z`ElWt_}#)tko(ASzp?037IaGgNcs^pr;~8yqkylLIv>11*ztD+n2-Acp0lpwjtRgYd-~q?=iGvMllXz8xR(5UFYth7B=5kcqlDx~~n(1KGCNVnd62 z`Duh0`z_1vKK8a;_D#k&zSUjNQ&}|uHm^j*UKC{|TKV_0(v`>Ta`W`Kj*?y4{9p5)7d7ie0S#o3Hr>X%EFW~xZXY8OsV_uw9ftj!e1$e z^hCE8?_jxC?vbKDI@k$-gQvWrZFMGM=mH@0pT@>X2me{7a-V_og_bq}35a1S^qg-g ze*>RiKH#SMjOwis3F9dXb=uEzWz>abRCa0B2F#lUT~$XHX5 z?)T;9VnMHeCH7{jhz#PXYH)YpTRtcRK7kBP*Vj()Huuc`o=iFsQLzR@WT-C=5O7Fk zw&FVG=R2Eppswx_A>6c3EHyfEuak@Ik!v>s+|kwVgs@D=9l#ojvTd;-yJu;dSvzb- zZFnroy5C~!`l|;h<6pG=RT#P7VanuNVpshlWy3JzQ__se7b0Vnzzxt!7cm$rmr{n~-%P{x$zv5G1!@SRwmx}e z63L>>kM^*OBHhI7ll2cQj14qv%Lt$ykC?CirM6!veiwKqE)nD77>P(Eyjkxybzq|} z&fRN{xXP=P4|O|)?iZsO*3E-~5CN+pJhlcR+|7W31XR?6r(X~=j6n3Yg7~AF{Qvn5oGfZNiQU<k7#J7SREh~$8ZHEQq z*LmDB7X7^+_8xAsFx@$$1UNSHa+&BgX?=l$n{2UNlXKP3$gz-nOj%CtJWoFMOoB$i zOtVZlnMa5~q{5}u)x#L{-iuh8@mZF9i4-)R>i*Pu(X4fW ziO3g0p36&~jMyqRR?6t(`2iR*-P624fmcNUJ^e&N6Pp-%>ZR!N^Ay-zLSLojQF-pH zU*IkKt1y0!B{@q?B7hmpb^65l^ReCdVlLk3Hr&d_LEBw*E{B%R!*n}gU+oMfys)xx zA2fvmQaKci2|Ii+thH_|fZ{B5Rf+@b4~ldgaW*|d3QtGAvC)hdXqc z^BPGFx!xi=b59iHYG-8U^Cog|IUh~?TIl0zcw&UhCq5He5fBI| z?I0SMYHV3c?NJWrtX3en7w-I%Cinl24SRF%hRj~DJPK_0it@rl9Jp=F7p3#I1Rg?9 zlWL=j{;*-37@b|~4L$cEt6zTINC9%9p$pf&nd=+zxeL0yWrz@CXCyaozawmAi|UW@S)mW5v*+mQdaVJq!oAINHNt}~3!t7y7R|qt(6o@~ zXE+?n9rgORtfZ_!5_0ulhhEcC0x6$ap!Jf-S*iKj7jqXe&nrx6T^~y)xhx_bJg?#X z0GdKl2d*x#4-yEPEYRMEMOLvFe?|%@<^Vx;8}wRh)PSsQ-{|oMeEofz;wrX)Ej;QR zhPv{qyrJP#(nm0zk2ZM}`e6Ph`);6-CV#i6hjrFr4H?-Z|hk07GI5}783=@@lKJs{TY z=`!6VB3!%bg@9fg0@z$5GqL4y{AIu%u)}^!+`{*`vF`mmrmtI>4`>f!mF9QJT~ zbGn1W&EYekt5dG|P+iXllQ^g66F0DZ%4MzVkEtT>{q0u}2z4vuT5@+-eO`}@5iP8rr(@N=#$NCGW1+M@WHBGzHLh)Wuu>B0N|uf^~5tAj6thJByIumDG~6Yj~pkqWO~ zcv4KVW>tWyLi_2=@7%`7Kg5**RY$;}qs}X-3zP06j~FAu%Tyv+&_39BURNw*Gql+S 
z=G>M^ht}~^skKWAAe?(`JE$m(*{$H{0yAz#91xP7{OjWQbI0qO|AOyHh^y2yD?2oM zEuC5t7?wUHN1G_P6`K_sUh%~;KU?zKx^Yk}VX!IP$sG`vXgd>4^LzzWdt|Hqzi&)JceE(?a>U^77>{2%Cp_H2vC{z`4`t{!h5b znlY^&o{tzbx}nZ1f#Ri;UW!>#_lAWMOM5b#J}?~{gkp;Ja05&<2RXZamDY%X8dDZf zMaL1gj$npr8n>wIr9%upK7E&tGO5Q>Btm_7e8*752V5ID*jc3>OuZ1+UQxrzm(245 z4j?=IWgII!eRb<4hrX zxH+R7A{S&a`ypL~!A3d43?00qQql0|;4Bu-(bE3K-AmyQbg)>q0ipEHrzytphUT8e z2jmgUF#iS;$xViqa?~nsRGgIVXwZ}_v*E17|3msaVubB2Nvu*d%6OG>%VuKdHaGoR zG;a93$m2l6y;CxTTC{&E^$kNr{2BI4B7Xc9MkA(Xd%3;@gE?$2$N4!?3-_4E4 zc85}k)w(%ahT~#QAfD5w9RKDu8u1bwpYNz>Uub&!XO?G-}@FV@=RH{g8&!J zI9A9HvfXQkfy-=Ao6|dPx#|pBFP5|!$7iO(pY^pI6#T+@&fVcXgk~@M6}5YSUW3| zUR=+Ul8~*y0v_oz_g>fFE>&C67Y1>?5(;OSw}vQSl%MWnw?m#1FdFvE$9WE5nYhFv zHXUb!1`M1|&K;PC5HqElh@N9<#78=4x7@yz`nz+2(XK z(^k=xPlrnr#^4M@sDB0G5ExK1zq)m=!Zovnr~|{6g;yMA&)xN$Qwxtx%;xgqK;g;g z$f`G+oJKm!v-N@7v95jQfgEW<$HspnFQ zW3g8+GV6o1a*NuBjGSh`+TO$q#SO6|yl7^LKYoO%eo)Z~T+J&)-oI5WAP7!m=!8KV zjOB3^-NUIQzC^jxlLy0hB2F{bc%-D-YxS6`k4v?D^oNjws4Gj2fSN&C%=-VeU$zQe z-!Jv}joJcvevbk%8>K{fNPDPJydusTRSvN7B{zUH-GxPzO7sOm z`dp)xo_Urs$`Dy5q=8`#F9KmvAw;zH_^T{O>_X2JPiVm55I|-rcMlbDzvB7 zsXk%0E|qNQ8p-nD3C}uxxVo)|Tu}Q2{zq`am2VT#(++z7{I_Z^FEW&cbTAcg9L#H# zJI@vqPSSVxBch&f^672EH@Te)BR1pY%(6ea7St*8TB&u?hEBC?>EQ(RrlK(G2U+6G zF9BIiyWpGsxmvy4IKgSZXje@>+0{rck1L2heXHy0}~b~D0hCZBhc%+#&z_l7SPK!jS5XOOT) zTy#{#_^a3w{49Th9M~=+B1Xfav+g%)uaZjZk|j?r?<-3ZF4PUv-IxR{`x?|n-^SnN z!w;8m)F%)kX{Olb-`g(j1#e}=GaqcdK-?C|M%M4nuwf*dme=McDd8t5@>n9wxLeJr zf&_zx6)Eg@q$6SW0||Mbf|MZ?FIP(b-|{#@4062c^hnumX>Na{*VfstjpW%7*?){HZU zN{}pUBl@x-NRXG^8XHox3n)g@yY5j$a%t;P#-_N@Xl_3Gv#nD-1BJGoO1UuU-o6V0 z{sK#F|2bZC?OZ_EUzTPAUtoLpY-wd>c$bps5Ry)_Q($Jflrn}Sn`rJ1*wNon-ypu4 z4_BX(ab2(0{BbK9>82<$rYRwoK0a^=Y1SW9oB*s;G1RED1%n5n!h)_A_?|Q96{O&4 zAM~RFb$lyQHXykD>1=Sn;(qi6r&8)+n*+8=7BU2L4 zu2PPp2yAskM3&WLVlGFmPwSJAtKli3l4`M-{{6#p2`8f zg|aYL%dwWwlvbq^kxtsvqi*rpiOf8ky>+ED98!e7n0&Sa!aVHa!ztW<8GW`MKHt^5 zn>R;NBuJsGMN1mcoX)T7J){eiiobQyG!`1K|uB$rcy zSW4yy;n$JT#?XNoAb7A2;o%DNqKqP6DJf5}{5+-=hM`&ntBXi07P8~|(ge@OtJwgeJoj{}|2 
z{y+IGtVaHVTT{Fi1>(JTqEMNisc+XdjWV&c&?V#_CmhF)DhvOr5Xx+npBs1Fs+ zYI|v5L6(V=Eq(?*8a3Sl1%<}+i1w6NieaE?EOL&{0vdBu;vYdJ73OV{y~|2MDMgYL z)e|L4AtE(leaD+u&(=nx&pWHPF&`G?e_r0;kqR>FQlVS^3c}=|F0~!9W^1(xSwNun zmSHdvtg6GsTGlGnk$lD2VodH3*y<>6!!gDI#t06PC!tq z;s5dIJ<>zX=fjx=WZ@-j04vE(V6n37sXxgSjt^Yx#Hc2wf9E}BN(rIDpR*EB1x>CT zVa+&GY+0aXCHDR9M>XB3YIZ)7epg}NmlBIkK59nH57cmJ*T86S8J6BfQd=g;5Ea@} zW(^6=V1YE_9U6N4Bo*C)(-Ppp9DGwbRsE%u^bdyJb}}fq(|OAv4x;w@Du~f$WG=>x zCfja$lyt4`l5GQI7=*0#ZSJUPVoCzlZlyB)-(IJA67*nf5I>w(ZV&90>c2y9uw;-P zVu@6@->sGCEp5mj1O)uWt2@g#VW7G^weKSqalaqo$fzb^40wtUrs!dQFdgUchO~uL z^LQ)uq)yR5ftX<365`x&>{J(`r>*lE?Em3Y`^q~M<@(AhwmItZ#>B@(n+S4Q^5rHq zXuM&hLaKocTf&gZ=gXWr_z!2y#E^#Y8 z!Fgb>%vzH@dG!3i7d4gYAgh?x-MzEK-ANTjFd~eIGtS zS32kim4!ZhwY+8NBco@yb{u>to$g)N8mT%HP_O9KNM&tXZ(hHEZ|t-zktq9$NLmA| z7PX2Gw1*|wR2;cTcy%-A2bg;{hb-jfl9FZ%_?W5PKmJKI3p0?=U7%H5VSZ)$7Z2WZ z#~g?aUg+O)x|T6a!zw__rSj3fsv@HLdiK)*OYqMO&-hMak43=M>f*%K`Qz$41PE!u z^RMmc3j_swJk%$8XFyA@c{)Nb|16yZsX6mhj5~85QF8_b0=^^%xJ4kIUlZE$4M&2dS*E6bpGl^$ z!GW;rX^&H$ATM~WnR+&i{uc>eT%-{aO+cTXhik7%6lH|6Q92#q5o0l*V19e;r{CRn zzHz)c^_piya#}iK#l!oOdM?i+x{eMIl?$HYhHl-w*79U>p`Louw)pS3BH+xPmH1RE z*_##biU1}v0^hd;9cgA7<99i(vnN(S`h#3CV0qPHnP7Osq>>uA>NgZh9{en`=3(QH z99s@yq*mI|m<$d_^DTj#X_TEl6;Nmq<);OF3(s>p;JqSeszw5K6~Xc=b|66mB2k87 z^*MU;Mdl`(cOep-l{nN&m;tRt?Co1Ri6 zw%iohC79p9cZ5z(XL2C5r@*ZuABb8x#)t+h&IW(`IkIK5AUfEYNV8C9dAO{Nw)djo zBEIdVlSWTga(tmr9E;UHeL&;#K)w!+iM6-`*YoFZAZ@@q9&g-U=@1xfSwyI!tI7l& zdFDoUK* zW4={6Kr?abNd@nJFOp}OUme)r=zk9@63(;WnE5=Ov3RMYZi^|(P6DdE#?mt*Nyp$i zT&TUJ*j##yXpJ&ave;Oh9~WG)QFsQYSbaCF(TivD72Ol;m%R?Dx%wA#9T*e;8^s>dM|8>w{&(e7-d;nXMHZaZYH4v9f2jTp z0}4ibr5J+d@4==&4Mh??MdV#chsT>H*>Ev|AQp%E*l>950OY{79AWlXJ|X*Y>0!DwQ@=n}JlJTB4Y2Pv8j;G;V}Jw0QD9MG4yQChQB$X_Ll zAymOT_lEn}szDMbYaL{}oJpX*T6A2(`!$?JNA=Wa+m|*lu7C3G0RA|gIJ(#QM}Ib4 zO`h9^%WN5~98T9bh?^RuYH>K9ImSFfs{{Z>YpBL$cZ6=kp@LUXGJ5=liZ->iW=w&& z*YKlX!K3kXfZ5OW`QZ}SM0Ib@u#Odh9NUQMBrM?POACLK#0 z(;s%Iq7mhN*$jzC*LRShZ1la)lW%eb?YW{-Dd&vPEwT{H*Fdc;bcOJOmx;QCaODJ> 
z)OlvdjkZF>Njk7d(uA4>dYE>$lhdI+A zE%SUJ{mZng$lIQSkxJo}%l{%p`UN|!B$hUjsb!iEN~>pGE852B<;obfo6Yyiv`tIv zxoVw2g#$N9ydS#pL4nm$*GTdc;#vxv z;`J%}`p~*fEYUstTNxc9RjSSLL(FNg%kbgZTxq7W{gW1sRoCn`mFji!eErg@QAjXHE*ss%G!OF(bexMxH7eist4CBE-BF=pP0!oEKIE)`_2u(ZYh*X6@BB_bm)^l$Sj#KA z>eEkFD&cYnnn>8PS`*h;p*j&F>*(8iJ%CP4iV`yKP&BpC$`l7J3W!M-(IPiY4j8V6 zeX6lb5^-tcSz@<3ly} zGD;_5+vEa#hGM*pxrFsj%RtiId>kX7nkaFW5E_cK*JJStEUizsPNSH3vaQR zFUkVOXh%K~nY1S%9UJ&8;b?P?C+hth_o3{bw=TQ~Vv(R|@rEfx=uAN?Q<$N2%u=kz zyigu38J)tExyPxnp@Nv+Y!3KR)t1F>*9$_Z_KH%es#Bxz<8r33O%s7nf)1m4!ejyz z$;UEtI|^LeBVsy8;f-lsKK^d`IAjP@ZU$Fp1!<2az%(S zwgV3<{1<$PUfS$TJ%fs|2Ag-WRLKQmQrpR<{5}kE{UmAW>k`$1&!Pp&Mc`#JP~rjs zMz^J_XS~X?;^WVpk&Gto?%%Yk?vK8?8nLUrHT;2G(#sF7$Q#tW3Kn6pn#K9?F9w>Z z20^u39Ot39p)ujz2tfQO^bcIxj zaaY!}9izZToh`5}uo4!yuiAus$(+5jVPP!F{Yx9MziinLa~%Lq=*17iyteY3!=IuI zP@Sg(mE*8QJKhT@_Zoz{$yH}J=xBDM2!W@y;;MLdFAcA(SM&xyp;kl+B-zOt?OZv6 zNs5l{EfoovN%+MlZyQ%mLMEMENY~Nt!1%nUCktf5Kz;O?@WqdCM7W~6&Xa-K8+m>( zdrSmR)4JIf$9Z3&{EEZVTVFMC-`O$h7q(gkPRd+LfKcIuqCS1OqClq7cP$@ERIdm% zQj7AZ``GG&n$`Czitce%8pZbP4$LIN2qyMlzJKgVg6xN$Bg1h__SxmsCz`aPJ8v|F zEOjdv4-wu@w0r|;ROM$l_+(5GUJqwf`Yd?;)GLOt@$cosmKcu@0Rp{8nG6k6%*}$~ zAI@R+`LS1P9ChaMSvu&cCAb#&9?WX~Ff1PTu}&27Rk7YLP1M;P%!MQ|nl>NXTHkgw>g(|~WrIdffi zlXB=#%{^yBrk56*)Fh~)fxkvaUFtq*Jr#`E`V;JSbh=MRzg8`QAQ^k0OyO~? zWZf-pj84pQO^)J;KR4|qD|?$qsDIQ75UkcaII;+sX>-<5SdWQSGvry?<~kCBNNM)t zFDU3q1QamUN@2;=P+y|scm79=BnKcTAqZW)wMZq!73$)^88Xa1?5vaQ|6)V@u6~6a&Rwkq$ES z^lF@%h^zThFmYB(=9TL)2xi}Z2^&x{bbzlm-97k!5(jRRBpm?b%x!RFAj*y-X)@!! z-3$D3tt)Alh)o2Zf-)r$IQ4JhM$J`fz(&9ZrNBAPPn$?7(%Jb?reurMA>&fN8qN;IyG{7V@M zP_?uT20+{=AZk&(4tLi4A!Kht$4SRPTMZfCRtgoKWiRUtfJ%b}7>OWdJem4uPl9!) 
zCwa7mg)-FxH-{S$fQxNa1B1osy!Xif5FLV?jiU+!3ZbG;?cURdG&(oNAb=x^F2KsRb zFhlAsw~7rZe35*rs7JFO21IP&PQde+`vDumbq8H>^k}QEkp`~5mM?3V2hqN~1XkYW zpVF`)G?-pCxyO%FHl%j&Q_&MUl0yuJm>!1j-tKCel{s;Q1sYZ=!ii@tg=|{{1oV|m zK*7API&TBS)MnXfcEeuF`XoJ$=cQYP*g@1=TZJmXE3?pj-W%fEiI@f!3s!*DaQ%gf zqfe!jKo?9a7Zr?yxwbQ$8u~xm__4useU(@tc;X9t8Y?GpUxEM9H_XwG6@30$AV0U> z;uzhSgo1jXmMHRu(m0Ht`9$+z2k z3-hR1T*{`J^fWtWx+Bql(d_|^U+zFxphwa79_+twBG#(8{rK{tmS2%>ej3;7^;p+s0^2b8yh2%JbY>*jLL$76o z`F9gr+oN-m?w*T9(NqB8`gs$Cd+{R00@f)Iy-h3XPZ;5a(knpvt4&mkWE7#Q6=5?f zZUr6P03Qgg?L51EEuw2o_TN=OjxK$M+Lp14B1l}*g~#Uq_zz&fbFWwV=BEq!K5iJB#3n7}L20O=4R`vLrQl3%nFhffE)@~yyH9sSW|HAO%tQT8Q&*Hen5cGg z1z_A=#fPA?bfmpp{ z$HndYOMPdm)w(KtCs+Hz4@zvdg_AU__zUPMCwtxc>Ykt8#%?rNjND#s$|Ow>bM-Y( zvHe*6!Hu}8y;mQ};T#N;`CW;4)5SiIa?2Ooob(b@o?Q=bdtJWKj3ko+h3Tdx4>f4T zUedN=1|F!isp6g9%i(LX%1kVQa}%N?3pmWQMcq20SR;sRU# znwCorQIK)tZBA|LQ#C^_fqM0jG8WcKyHj7GF9iRL#>#Nx(86UO}E#I zmD%!7l9C|wrEGY~2kJkUfcAzCx5p$=ALJbtq=_Aa1CPh})$Jt<}qM2|NuRQSv zm9Yh_Z6#)iz&ZsWbFl8BBR=~P3t6F29;L7+us^TaSLbAe5PK89szBDJIz9P*ezG%G z;&(wRJrvO#HZ||*r`R=jutZP?4^AO)yK@f2SoB;@ffFiISJ(@dp9r^Ak{3NVpvL1k zP}@!TvdGdil7-7&IYINB#h)?h>r>$ZnRmOSXqQ6DB0blQ^`ZF56|n2$9Gb)lP~_R& zYUw}sm#yUMS`bcbcIeQ&UfO;ES1<<#-tA8|t%4&}i7{7j=GM+# zcLuiJBKbigo#M%V$2F?@3$D0pk`|Q%G>ZT$+#wLNIt<72k$n}*YhhCeE4K2YNdPXq zoMx!L($udWY`#8thBj{SgM|VZK0Z0i?dC>IGWp2MS=&>K9%`}97i<{ow-ayhbTWV3 z3jv?0gv*&L6Oh45y=%Z@EL4c?=qD;lL-6?os`B5>v4z`dHjF!{L3#_;j|O8Hk0u0P zc}T1o(>(fqeCoKR5!h>)dnrVRh!)FNUAZsl6;pLA&VH1^O&NPBoT%JTJdBG_VQNY| z9Ui2d^2B>(A+|GhNveiw%H9Lko7g`<2_Yc!6B=wrBJE6i0fKd*l}39&>6=$zOOGsK z$nWuJbn!_j`)j2w@*6bNPX(n6Yuw2qiVq$kAYe*n{ZN{iL-rS7ciNWP7K})ouy6K3 zEhz3lscmH9vVODB4Vq>o@$9;&W%72emxb0a(>ZD}1_a6M0Uqa&>2a;Dqbw)W`EIRkFX`n8o^t2+% z(^g#R<^psT?p+ms+Cdw;Htzhxi<{xnP=xkht5J}a!}%A_F15DrQvJ-;smbT}!0Z2} zdR?-*T2ISHk8&*sjn1o}$VCko{kf%v9j7Pp40FxP$re~|C%`9AKQ!@Suf4&V05VRjIfc8Ili9&OUr)42)jejXoo!AFS|0Z`DdH377hv)_ z8(7Lh63d;vsmYtCmIEPcsfu4=2DXgADK7DJ5xKZ90O1it=`T0g9ro*0?~q2L`-clZ 
z9dnHw)_Bjhl;^u&C7q%WMF|t1wl2?$;bLo<9l&9IX;cyXq@WwDqr(|TMayd%;jVpS zGDc%fdP0$M?nlQ^Q@xsiA30~mh8pTacNA#G5Z4#9COl7SM}Vb*H4iM6&P30(_eA1%QNCh3)@4XE=3_=61I^ncf+I zXMkDP@ZEb%ReJGBy;RMzRrQIyC8mD&Wi(D3?Ex7VQ!;Q)$q5w9KolMp=npG!4J->T z3RYN@d}>r2&>KZonx;UkidD*$j)r%25jj)_+oY`y@rV-gk8!}wIkFC~xR{y&;s;}Y zlxoODqnMOca$OHENC(~aDTJ1P#4mtB%Vs0q)4{4}0oz!_AiE7+f?+Y=9T3JKn16^=aTmcMx*eRK50VGUr-wLl`9EuRgS0Q!SHXHY=2RF`vBXU zSTOJjX4us6uOAlQPT&US@c8p__iu#W!UNUge>xOf0pot_{j0=3+N z>tA+_;KYwQIUR%j#r3S=U22Oi%nv9mCmDWyqr&~+ai1k=7m}H}R1RM0Pj+tTtd~NR zfg$}VwL423fGOes2>W{a-c)PDUa4mZ(lj78;tgs=h<=$tIh!=frYdB6#xvRl-b(O^ zL9X^k78hAHfN?cq7Jf~aA?db9=`dG;B_)X5a16b!eQ{Pgv)BNM5daON~lPgf}$51fU_liF(*hcn@naa4KWpi zWK?h=3j|)lS^+u~(q6d|O5%YLp{x)$P6%LRQm(Y~9Mka2q+9Gn$-|*z)|EL41A1;CMDy^X(7kdW zf!4)3zz^DdSf|a9c3%gLFKlg6D$a!)02-0UPk$CCuo6H{niOkmJV|*YWt~D(t|)^Y zLRA*vX>=RnNH^<-4#!}%e{oCe`J7wm(Ny7vaY1jHNbZt8pb>smI$x#8XJ{3|r5HSs zX6WTF0ZB_yMgb-4vXXH&-?sYD<(B}VQxe)zO z_$8Jkda1taHdoX%67K>}!{sDDf?+E#0nIlJ3gc9pj&3*iJW%2dY4!;?bP ziH|YzggxG$-H|xu=bMCy2+I zm=*@6ewN%y7ooPe|D5UGx@4y-KFe9S7B${6!H*Q9oE$qeQ6e2KX=-zR2(U%kq8ecP z{={-jRpook=1P`@)vKqHzsPWBW9h%Z!sA^7u8kkxmvk00WDGa_G$=80&{d z91fGudftq&u61uDd5Kmnm}wD;_SX2>x~j&8vufAOiU66N>;f<#4RJeWD_wizBNTkP#GK#6$or2xsb{*uA9o-it)xAqs{WC)U+N$r++v zt5Y%6&!Ub#LX1@iP*d@OJSm|njKN>**^A7dYe|!LuR`YJ8R6#|YXw$N0Ep9OKz0<0 z@=3QL2^+Wy+0*9SKAop(VenFRw@4+Z;G@LDBTK%2*)J_9OuU93IllrRlhLs5Z7Hbf zp}qd1=MM?EI~#9MU>RlHg8NBS7NfRLeQAL!J}9DZHU|2SmT5}50~Uhx216Pt&R-p_ zzZxvPj?8Ova3a~_4HMvv>UQ-tC023&6?59({GTFaK=xN}Ow(l#5bUSE07sW{VE%gz z6v*FsBVpub!X(F79q~d72T?tJ3axq}O^H2lW)aC+P?*?Lc3LU~?1QLmQ_w!vT3G9J zV>{dlz`j2dGR^i7G5F0^MD{VkAQ?n)5B1DbVeG&KLPgk%zN{8u6WL5)t6d;^(JLDDKX|kJ%cE{K7ftB2H%3>Aw5g!bq=RFGnyv-{%oK0 z!=H@1|DBJ6Tun)LYtZmCVhql1>x5k6cUR`ziNAgmA-!7q9K%!&4QpXL+wLeVU)B-a z>@h6)>P$&HN^!NAVnt$6s}NfpJ)(3=j~+4 zChnXF+WczOJME@28kzDBj}#RSa@I8odn+ubw>Q7f>BOSY1YpNMuC>lLnBeocN z`?Q>5DN+7l_aJ7`%Z3(cZcEyD%_eW>h#6sJ#M4+I_t&OTy{wm6_z7+`SWAs6nVgPA z>J-kbF|zG*fbM=qXQf`S6(7T)Y9Z2}PQvTZy3<~j_?7h=g_RR}<8G9xixRkq$L#Yu 
zhIBh3g@H4rk(Od>t>o(!2KQd9u{yW>j?()H^1+z!D8lU==((j-!WdZ}8rlAcHf#-r z&r)aI6KK8PBj#xteeVv7=t`d}(zB~PY9dK6Db?;WD>U8uf?crw7;~(&4h=oey5ene zV%@kQ4Eoge93d?&1^SK2K=2$Mj3;+tdqKqBx+Q==Wf@WJ_RkYNE1K$EEz`I^Jg~4FF;+u;iI>Ie&%%r~;XJvubk|#P z9C6pMY$No3X!MWx9^8XzF}aNNK3MNOSqm|TGe;$_H*b-SR0uTnL;c<9^+;@tyMJRO z6@aeRyC&)JW=NY*cyrQm!6Y>JZ90|?%0J9G;J-EpW~(NYaA^K7@uvS*#@_`ttNJC8 zah6MX1IecvP$<>Y?b$;*&3b$@1fwLlZ%^ zCC)dpDwXz~e`9S-97l*D)gKs=DMA9w0k%p@!P%*3omjNLm$@u}1+I~ZkEb{K z2cB(|3_d}Aqf_e=;RYpg+SBe{(tHJe8@lDLBB4!xK8ct)&mno=j^DvLnWVU`)rANx zTcG;Q@ae}G19)7<>~&qiidb}_ytl?=%DK++dO)8}i54f(Lbu%3gx|o?{MWwD+!gQ8 zR8mIG6s>EEk#wFP2QiO#xt5|@X>#;5+h{>N?#ddygVYBA z4a}}BT$xozBgI(i65df)GY+mZ58&-xN!SQb2-O<0uwn#>IhByn;c+}R%HJg3%BoAA z%6%##5bDp*=m=xkzSa3-KI@S@Av@cCswEU!PO9`n`KP`y$elv)AfBu%40pgKqS zY4^A}pW=GHr~fV{)(19J|4G{N(uZoL&P!Vgj~V2LvCY)ud6g{&=}zy+*dD{2aUYF3 zMwkbg2iOU{s}(NEaDVHzs>t_7gqexMN|;T#PVC8SljF-?4_S*MLIz{bfcSy|ca>l| z9aaqUeX|SG^jSmU&Gd7EiM6&@-1UF}4FlzKv&==~=rk)fuWM-#;**>+`FN)lUb%xl zfx!$x9x1}vs*?%1=XvDMADF0~l9~u7>f&EJc@Vg-sEJa>#!;D+p{cP%=`MTYRX9pWa?(wBOZtqj2sZ6!l9{4FQHdjH?D8tU(Dg`Na#Xf)%Krwc z*8)y}eyEDy?xa?D@~$*gw#yF;#pZ9`->7)H5#3DDGjO|p^W3io;G-_I)d}7YfE|xf zmN@|HJZ|+AU*?|Jf;kfyQ2R1*a)*|BH<)7&mo7E$vOl4)6U^0ZLSTvG5~=0 z>|hxL1}|zAWxaFp{^Iz^ZWd7}Wl?$b?|mK-?+EhD+RF-Zaq;y%<|B6u$w~K?imH2G zCVbaiVOPCaw5Qg_F_fc>=ktnPz=DQIm{Ep|2>q5%~_7&O;Utg*z z$(M979-)X&{UJ|@*E9>kI8z`_iiE3gLqe173vLyejWf`U%6<=*B!*-3U z@R(N+O`gO6?v1iDwlSvBVvEU-0&T)}JK9FUoD$rj_pKr^ z#|Ws6BaV&41N6BJx(`*Z27DvL!gOeA^ko6Z=JN(cqa792^(=y`^j)uHxRX#2rmT|c zGH)y0^amN@j25zkfhf3DXm~BN{D9Uuia#c~${R4V>c4NWhjlDWu7<~MzE2#|1cL)XtJjuAwcIu{iON6ao0vuh_2?cP_$NI_LQN5)?OYJ1+F{pT>kX7 z3WhKPpKu7=1*8el&Gt^u#v;CyI9K(GV8I(%Nu+xImQ^mPDjxjFQoj4dCZ}G5406j9 z02BvdKtx1A!N9*K`b4z+$V?StV4iO(w; zU7}jv=;Qnk`m3eRn8m=*-<*BRP%r&5?Y16flDjw}Trh$Mhw#qxY}hgJ(Y-RwMj+OG z=*vlr#=MU*cey-VHG&E@RIbZL8_j{ID?{dn*9X*($Ps=Jm9R01XyR;a6wc;l2~g66 zUfU&>o@SX#C8wW1HGCgcjy1oZL303bm$I!M7Tt7WzbXhu{xB$ z^3aM6Y4@c*QJ!v_Z8$(>3d$BT;h9HR!p5}pRS^S~)G2S=d!M97_YdD*jU-upfgSUj 
zKnKukp9~FE2f!Bv&77EH-L*JXExX`4lfD>Pg$(|Gq# z9!zadE0wR#O}J`h0^T&b^(|UGg2bGSeJvnRnPoxY^h|cM<5)@u57UJ*z-K9GOBv~! z@u;z7fBKhI(4JGQ_CE6!H`tLqtOVo%Eh~B^%Zr!u{}(Bpny?cXE=NJm(SR_C{FT9{ zQG@7qyooe*0MnsZ({G4b3(xYYt$N0cbgV8iBa(J$b0?b}DtID2#=!22CKSG|_t^S$ zBBv8L9-3{(ktEJ!m#iOr;Rd28-7eN+Bor}buoj6dqKf$84oI1?C>Jh$Vq#zZRc1aH z?@|3}3aoV#Ozx?K@|=KTwbVdK2cUrr+%dCYXMXwmyd zxEnr*;N`&XF+W%1kx;jms}G+!uwksyvR)aUle`qp@k6~6z%s;lL%*9*|vwZ zVoN$%yx?a!@V~D&AIN0z71`l0O@0K>8?W-?5xb|8OjA_T#ROSpV&c@zl^O<>-ry*C zB?lb@%UwQh$5;Oq1W1v-x~f}|sqfYpC+Hw~%p=Z0=2JgjN~rb;2uqgCWX%^@9Qa3P z9p+4Q%Wmql6LBs^jmqL(2VXc~~CQD~xChWGCzORM))F#OUUu zCS5`WIM2t=gGr1CxQYtt&U|n{_WFix%pf9hPsT1Kpjd^%jNwgt;aSCWzPVsvf4F|l zB`Pm;JK2W-Xe~k605tDc^vh`TB1x2#owKq_4{I)4C7j8gKNS47Nh=lN0`F~!6xX0d zEikCYvPkU8^I}2e29{i#w*|%sk0;mPNzUMXNVM>DNx{)WS|JvgCO6vz!jTpKJWLPm zXgzMA;MqyMWK=gkNt)PzC*gWzxG(8fiGJPeh_5=Hs3WBU`u!tQU<#whDZ~Wkf4geH z^A{z?I$bt;N%8`Qv@9G66rMxah#A00CIV$aJrgR6E;1o8s*oZR=pqpn8lYlub+nnU3A(9T= z`W;RmKY;2n+Zqtw8w;|9%*`K!V>+~ylPWvuD6SY~m1d{e`_XTQjMuix)(Mc$_Gm1C zG9J!;o!X`Iv4a8 zFrxF1|e~p_p2Umw>tW>U&A3akKH)!YYnguO!W*5x9cL zKjTHb6FZQ=`>I*5mkrHL(-P3P&@jXhI@hDQG|FWw9k%s#M@k(DN3M`zE|IfxMSc+{ zARo1O4&uKe-H1OaYFpjXnczFT(tau`46hGx3BzYnHu0kangY{o>|gObI*Ha>Rc{Z8 zWf(9b4~TUde{pdj$3-( zFy|Uy;nD(dcBhOjKuvLcrDtu0@R*`MoZwm}@SE+Lyl~qdYMEBy_jz5&tCoN$x-IN6 z;_WUJIige2R7JA=LS1kfdatv4{|=UFVhls{d?g=B+dz7yWNsXCs8SCh3UQ@P_JPM{ zn!H`0C5f_$=Fj?xh>2)}ds|S&`a#SiH%Xn+$A}NSS-u%C!)HsNGo*)IJ#K1k_TB%8 zxh;v4X~U>g6fLjsw|vS^SN&nv*si>ahPsyE92}Y1yMHa2Ky2pfjjj?wfz{TlKXL~{ zNGQ{4IisYA5rWF>U&=%r{lzZ3pTC;4#wRZDB~` hD%HB~N5^-w!m%jC)Aq7ituh;qQ}M*JqD;F#uMPzZ+1daA