From 54a0bbb373f65102fe9b70752ee2d01eb662b0b6 Mon Sep 17 00:00:00 2001 From: Melora Hugues Date: Tue, 2 Jul 2024 23:16:04 +0200 Subject: [PATCH] Add article on DNS challenge --- config.toml | 10 +- content/en/posts/dns-challenge.md | 493 ++++++++++++++++++ static/images/dns_article_dns_challenge_1.svg | 8 + static/images/dns_article_dns_challenge_2.svg | 8 + static/images/dns_article_firefox_warning.png | Bin 0 -> 52485 bytes static/images/dns_article_http_challenge.svg | 21 + 6 files changed, 535 insertions(+), 5 deletions(-) create mode 100644 content/en/posts/dns-challenge.md create mode 100644 static/images/dns_article_dns_challenge_1.svg create mode 100644 static/images/dns_article_dns_challenge_2.svg create mode 100644 static/images/dns_article_firefox_warning.png create mode 100644 static/images/dns_article_http_challenge.svg diff --git a/config.toml b/config.toml index dddefcd..9cab283 100644 --- a/config.toml +++ b/config.toml @@ -90,11 +90,11 @@ logoText = "Hello there!" logoHomeLink = "/fr/" [menu] -# [[menu.main]] -# identifier = "blog" -# name = "Blog" -# url = "/posts" -# weight = 1 +[[menu.main]] + identifier = "blog" + name = "Blog" + url = "/posts" + weight = 1 [[menu.main]] identifier = "about_me" diff --git a/content/en/posts/dns-challenge.md b/content/en/posts/dns-challenge.md new file mode 100644 index 0000000..53c1bf7 --- /dev/null +++ b/content/en/posts/dns-challenge.md 
@@ -0,0 +1,493 @@ +--- +title: "How to do HTTPS at home (when your infrastructure is private)" +date: 2024-07-02T21:00:50+02:00 +draft: true +toc: true +images: +tags: + - self-hosting + - sysadmin +--- + +## The problem of having a self-hosted infrastructure + +I've been maintaining a personal homelab and self-hosted infrastructure for a few years +now, but one of the most infuriating pages when starting such project is this dreaded +**Warning: Potential Security Risk Ahead** page that appears when you're using a +self-hosted certificate, or when trying to use a password on a website or app that is +served through plain HTTP. + +![A screenshot of a warning from Firefox indicating that the website that is being accessed is not secure.](/images/dns_article_firefox_warning.png) + +While acceptable if you're alone on your own infrastructure or dev environment, this +poses several issues if many other contexts: + +- It is not acceptable to publicly expose a website presenting this issue +- It's not advisable to say "hey look, I know that your browser gives you a big red +warning, but it's okay, you can just accept" to friends/family/etc. It's just a very +bad habit to have +- After a while, it really starts to get on your nerve + +Thankfully a free solution for that, which you will probably know already, has existed +for almost ten (10) years now: [Let's Encrypt and the ACME protocol](https://letsencrypt.org/) + +{{< callout type="note" >}} +I promise this is not yet another Let's Encrypt tutorial, well it is, but for a more +specific use-case +{{< /callout >}} + +## The Let's Encrypt solution + +### What is Let's Encrypt + +[Let's Encrypt](https://letsencrypt.org/) is a nonprofit certificate authority founded +in November 2014. Its main goal was to provide an easy and free way to obtain a TLS +certificate in order to make it easy to use HTTPS everywhere. 
+ +The [ACME protocol](https://letsencrypt.org/docs/client-options/) developed by Let's +Encrypt is an automated verification system aiming at doing the following: + +- verifying that you own the domain for which you want a certificate +- creating and registering that certificate +- delivering the certificate to you + +Most client implementation also have an automated renewal system, further reducing the +workload for sysadmins. + +The current specification for the ACME protocol proposes two (2) types of challenges +to prove ownership and control over a domain: [HTTP-01](https://letsencrypt.org/docs/challenge-types/#http-01-challenge) and [DNS-01](https://letsencrypt.org/docs/challenge-types/#dns-01-challenge) challenge. + +{{< callout type="note" >}} +Actually there are two (2) others: [TLS-SNI-01](https://letsencrypt.org/docs/challenge-types/#tls-sni-01) which is now disabled, and [TLS-ALPN-01](https://letsencrypt.org/docs/challenge-types/#tls-alpn-01) which is only aimed at a very +specific category of users, which we will ignore here. +{{< /callout >}} + +### The common solution: HTTP challenge + +The [HTTP-01](https://letsencrypt.org/docs/challenge-types/#http-01-challenge) challenge +is the most common type of ACME challenge, and will satisfy most use-cases. + +![A schema describing the HTTP challenge workflow for the ACME protocol and the interactions between the application server, Let's Encrypt, and the DNS server, all of them public.](/images/dns_article_http_challenge.svg) + +For this challenge, you need the following elements : + +- A domain name and a record for that domain in a public DNS server (it can be a self-hosted DNS server, your providers', etc) +- Access to a server with a public IP that can be publicly reached + +When performing this type of challenge, the following happens (in a very simplified way): + +1. Your ACME client will ask to start a challenge to the Let's Encrypt API +2. In return, it will get a token +3. 
It will then either start a standalone server, or edit the configuration for your +current web server (nginx, apache, etc) to serve a file containing the token and a fingerprint of your account key. +4. Let's Encrypt will try to resolve your domain `test.example.com`. +5. If resolution works, then it will check the url `http://test.example.com/.well-known/acme-challenge/`, and verify that the file from step 3 is served with the correct +content. + +If everything works as expected, then the ACME client can download the certificate and key, and you can configure your reverse proxy or server to use this valid certificate, +all is well. + +{{< callout type="help" >}} +Okay, but my app contains my accounts, or my proxmox management interface, and I +don't really want to make it public, so how does it work here? +{{< /callout >}} + +Well it doesn't. For this type of challenge to work, the application server **must** be +public. For this challenge you need to prove that you have control over the application +that uses the target domain (even if you don't control the domain itself). But the +DNS-01 challenge bypasses this limitation. + +### When it's not enough: the DNS challenge + +As we saw in the previous section, sometimes, for various reasons, your application +server is in a private zone. It must be only reachable from inside a private network, +but you still want to be able to use a free Let's Encrypt certificate. + +For this purpose, the [DNS-01](https://letsencrypt.org/docs/challenge-types/#dns-01-challenge) challenge is based on proving that you have control over the **DNS +server** itself, instead of the application server. 
+ +![A schema describing the DNS challenge workflow for the ACME protocol and the interaction between Let's Encrypt, the public DNS server and the private application server](/images/dns_article_dns_challenge_1.svg) + +For this type of challenge, the following elements are needed : + +- A public DNS server you have control over (can be a self-hosted server, or your DNS provider) +- A ACME client (usually it would be on your application server), it doesn't need to be public + +Then, the challenge is done the following way : + +1. Your ACME client will ask to start a challenge to the Let's Encrypt API. +2. In return, it will get a token. +3. The client then created a `TXT` record at `_acme-challenge.test.example.com` derived from the token +and your account key. +4. Let's Encrypt will try to resolve the expected `TXT` record, and verify that the content is correct. + +If the verification succeeds, you can download your certificate and key, just like the other +type of challenge. + +It's important to note that **at no point in time did Let's Encrypt have access to the +application server itself**, because this challenges involves proving that you control +the domain, not that you control the destination of that domain. + +As someone trying to use a valid certificate for my proxmox interface, this is the way I +would want to go, because it would allow me to have a valid certificate, despite my server +not being public at all. So let's see how it works in practice. + +## DNS challenge in practice + +For this example, I will try to obtain a certificate for my own domain +`example.internal.faercol.me`.As this name hints, it is an internal domain and should not +be publicly reachable, so this means I'm going to use a DNS challenge. I don't really want +to use my DNS provider API for this, so I'm going to use a self-hosted [bind](https://www.isc.org/bind/) +server for that. + +### Configuring the DNS server + +The first step is configuring the DNS server. 
For this, I'll just use a [bind](https://bind9.readthedocs.io/en/v9.18.27/) +server installed from my usual package manager. + +```bash +# example on Debian 12 +sudo apt install bind9 +``` + +Most of the configuration happens in the `/etc/bind` directory, mostly in `/etc/bind/named.conf.local` + +```text +root@dns-server: ls /etc/bind/ +bind.keys db.127 db.empty named.conf named.conf.local rndc.key +db.0 db.255 db.local named.conf.default-zones named.conf.options zones.rfc1918 +``` + +Let's declare a first zone, for `internal.example.com`. Add the following config to +`/etc/bind/named.conf.local` + +```text +zone "internal.example.com." IN { + type master; + file "/var/lib/bind/internal.example.com.zone"; +``` + +This simply declares a new zone which is described in the file `/var/lib/bind/internal.example.com.zone` + +Let's now create the zone itself. A DNS zone has a base structure that you must follow + +```dns +$ORIGIN . +$TTL 7200 ; 2 hours +internal.example.com IN SOA ns.internal.example.com. admin.example.com. ( + 2024070301 ; serial + 3600 ; refresh (1 hour) + 600 ; retry (10 minutes) + 86400 ; expire (1 day) + 600 ; minimum (10 minutes) + ) + NS ns.internal.example.com. + +$ORIGIN internal.example.com. +ns A 1.2.3.4 +test A 192.168.1.2 +``` + +This file declares a zone `internal.example.com` which master is `ns.internal.example.com`. +It also sets the parameters (time to live for the records, and the current serial for the +zone config). + +Finally, two (2) A records are created, associating the name `ns.internal.example.com` to +the IP address `1.2.3.4`, and `test.internal.example.com` (the domain for which we want +a certificate) to a local IP address `192.168.1.2`. + +A simple `systemctl restart bind9` would be enough to apply the modification, but we still +have one thing to do, which is allowing remote modifications to the zone. 
+ +### Enabling remote DNS zone modification + +To allow remote modification of our DNS zone, we are going to use [TSIG](https://www.ibm.com/docs/en/aix/7.3?topic=ssw_aix_73/network/bind9_tsig.htm) +which stands for **Transaction signature**. It's a way to secure server to server operations +to edit a DNS zone, and is preferred to access control based on IP addresses. + +Let's start with creating a key using the command `tsig-keygen ` + +```shell +➜ tsig-keygen letsencrypt +key "letsencrypt" { + algorithm hmac-sha256; + secret "oK6SqKRvGNXHyNyIEy3hijQ1pclreZw4Vn5v+Q4rTLs="; +}; +``` + +This creates a key with the given name using the default algorithm (which is `hmac-sha256`). +The entire output of this command is actually a code block that you can add to your bind9 +configuration. + +Finally, using `update-policy`, allow this key to be used to update the zone. + +```text +update-policy { + grant letsencrypt. zonesub txt; +}; +``` + +{{< callout type="note" >}} +Doing so allows users to update everything in your zone using this key. In fact +you would only need to update `_acme-challenge.test.internal.example.com` as seen +in the DNS challenge description. + +If you want a better restriction, then you can use the following configuration instead + +```text +update-policy { + grant letsencrypt. name _acme-challenge.test.internal.example.com. txt; +}; +``` + +{{< /callout >}} + +This means your entire `named.conf.local` would become something like this + +```text +key "letsencrypt" { + algorithm hmac-sha256; + secret "oK6SqKRvGNXHyNyIEy3hijQ1pclreZw4Vn5v+Q4rTLs="; +}; + +zone "internal.example.com." IN { + type master; + file "/var/lib/bind/internal.example.com.zone"; + update-policy { + grant letsencrypt. zonesub txt; + }; +}; +``` + +{{< callout type="warning" >}} +Be **very cautious** about the `.` at the end of the zone name and the key name, they are +easy to miss, and forgetting them will cause issues that would be hard to detect. 
+{{< /callout >}} + +With that being done, you can restart the DNS server and everything is ready server side, +the only remaining thing to do would be the DNS challenge itself. + +### Performing the challenge + +Start by installing the certbot with the RFC2136 plugin (to perform the DNS challenge). + +```shell +apt install python3-certbot-dns-rfc2136 +``` + +It's handled using a `.ini` configuration file, let's put it in `/etc/certbot/credentials.ini` + +```ini +dns_rfc2136_server = +dns_rfc2136_port = 53 +dns_rfc2136_name = letsencrypt. +dns_rfc2136_secret = oK6SqKRvGNXHyNyIEy3hijQ1pclreZw4Vn5v+Q4rTLs= +dns_rfc2136_algorithm = HMAC-SHA512 +``` + +Finally, run the challenge using certbot (if it's the first time you're using certbot on +that machine, it might ask for an email to handle admin stuff). + +```shell +root@toolbox:~# certbot certonly --dns-rfc2136 --dns-rfc2136-credentials /etc/certbot/credentials.ini -d 'test.internal.example.com' + +Saving debug log to /var/log/letsencrypt/letsencrypt.log +Requesting a certificate for test.internal.example.com +Waiting 60 seconds for DNS changes to propagate + +Successfully received certificate. +Certificate is saved at: /etc/letsencrypt/live/test.internal.example.com/fullchain.pem +Key is saved at: /etc/letsencrypt/live/test.internal.example.com/privkey.pem +This certificate expires on 2024-09-30. +These files will be updated when the certificate renews. +Certbot has set up a scheduled task to automatically renew this certificate in the background. 
+ +- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +If you like Certbot, please consider supporting our work by: + * Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate + * Donating to EFF: https://eff.org/donate-le +- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +``` + +And that's done, you have a certificate, and a no point in time did you need to +actually expose your application to the outside world. + +Now because I like to go way too far, I can propose two (2) improvements to this +setup: + +- Using ACL in addition to the TSIG key to secure operations on the DNS server +- Using a second DNS server only locally accessible for your private records, and +using the public server to only perform challenges + +## Bonus 1: adding a second layer of authentication to connect to the DNS + +In our setup, we used **TSIG** to secure our access to the DNS server, meaning that +having the key is necessary to perform the operations. If you are paranoid, or if you +want to do a little bit more, then you could add a second layer of authentication based +on [Access Control List (ACL)](https://bind9.readthedocs.io/en/v9.18.1/security.html). + +**ACL** allow to filter allowed operations based on several characteristics, such as +IP address, TSIG key, subnet. In our case, we will use an IPV4 subnet from inside a +Wireguard tunnel between the application servers (DNS clients) and the DNS server. It +could be any form of tunnel, but Wireguard is easy to configure and perfect for +point-to-point tunnels such as what we are doing here. + +### Wireguard configuration + +First, let's create the [Wireguard](https://www.wireguard.com/quickstart/) tunnel. 
+ +We start by creating two wireguard key pairs, which can be done this way + +```shell +# Install wireguard tools +apt install wireguard-tools + +# Create the keypair +wg genkey | tee privatekey | wg pubkey > publickey +``` + +Private key is in the `privatekey` file, and public key in the `publickey` file. + +Then we can create the server configuration, create a file `/etc/wg/wg0.conf` on +the DNS server. + +```ini +[Interface] +PrivateKey = +Address = 192.168.42.1/24 +ListenPort = 51820 + +[Peer] +PublicKey = +AllowedIPs = 192.168.42.0/24 +``` + +Then on the client side you can do the same + +```ini +[Interface] +PrivateKey = +Address = 192.168.42.2/24 + +[Peer] +PublicKey = +Endpoint = :51820 +AllowedIPs = 192.168.42.1/32 +``` + +Then you can start the tunnel on both sides using `wg-quick up wg0`, check that ip works +by pinging the server from the client + +```shell +root@toolbox:~ ping 192.168.42.1 +PING 192.168.42.1 (192.168.42.1) 56(84) bytes of data. +64 bytes from 192.168.42.1: icmp_seq=1 ttl=64 time=19.2 ms +64 bytes from 192.168.42.1: icmp_seq=2 ttl=64 time=8.25 ms +``` + +Basically, we created a new network `192.168.42.0/24` which links the DNS server and our client, +and we can restrict modification to the DNS zone to force them to be from inside the +virtual network, instead of allowing them from anywhere. + +{{< callout type="note" >}} +The ACL that we are going to use here can have many other purposes, such as hiding +some domains, or serving different versions of a zone depending on the origin of +the client. This is not our topic of concern here though. +{{< /callout >}} + +### DNS configuration + +Using ACLs, we are going to split the DNS zone into several [views](https://kb.isc.org/docs/aa-00851) +based on the source IP. Basically our goal is to say that + +- Users coming from inside our wireguard network `192.168.42.0/24` can modify DNS +records in our zone using the TSIG key defined earlier. 
+- Users coming from any other IP can read the DNS zone, but nothing else, so they can't +update it, even using the correct key. + +ACL can be defined inside `named.conf.local` using the following syntax. + +```text +acl local { + 127.0.0.0/8; + 192.168.42.0/24; +}; +``` + +This means that local addresses, and addresses coming from our wireguard network +will be considered as `local` and can be referenced as such in the rest of the +configuration. + +Then, a view can be created like this: + +```text +view "internal" { + match-clients { local; }; + zone "internal.example.com." IN { + type master; + file "/var/lib/bind/internal.example.com.zone"; + update-policy { + grant letsencrypt. zonesub txt; + }; + }; +}; +``` + +Basically this means that the view `internal` is only used for clients that match +the `local` ACL defined above. In this view we define the zone `internal.example.com`, +which is the zone we defined ealier. + +We also need to declare the zone for non-local users who wouldn't match the `local` ACL. +It's important to note that **you cannot use the same zone file twice in different zones**, +so we cannot define the public view exactly the same way. Our public view will be +defined the following way: + +```text +view "public" { + zone "internal.example.com." IN { + in-view internal; + }; +}; +``` + +This way, in the `public` view, we define the `internal.example.com` zone, and we +define this zone as being inside the `internal` view. This way, we will serve the +exact same DNS zone whatever the origin, but the *update policy* only applies to user +from local addresses, and they will be the only ones able to edit the zone. + +In summary, our `named.conf.local` file should now look like this. + +```text +acl local { + 127.0.0.0/8; + 192.168.42.0/24; +}; + +key "letsencrypt." { + algorithm hmac-sha512; + secret "oK6SqKRvGNXHyNyIEy3hijQ1pclreZw4Vn5v+Q4rTLs="; +}; + +view "internal" { + match-clients { local; }; + zone "internal.example.com." 
IN { + type master; + file "/var/lib/bind/internal.example.com.zone"; + update-policy { + grant letsencrypt. zonesub txt; + }; + }; +}; + +view "public" { + zone "internal.example.com." IN { + in-view internal; + }; +}; +``` + +And now + +## Bonus 2: completely hiding your private domains from outside + +![A schema describing the DNS challenge workflow for the ACME protocol using a public and private DNS servers](/images/dns_article_dns_challenge_2.svg) diff --git a/static/images/dns_article_dns_challenge_1.svg b/static/images/dns_article_dns_challenge_1.svg new file mode 100644 index 0000000..e81e1ad --- /dev/null +++ b/static/images/dns_article_dns_challenge_1.svg @@ -0,0 +1,8 @@ + + + + + + + + Private zonePublic zoneApplication serverLet's EncryptDNS server1. Start DNS challenge andobtain secret2. Create a TXT recordwith the secret3. Check secretUserGet applicationaddress from DNS \ No newline at end of file diff --git a/static/images/dns_article_dns_challenge_2.svg b/static/images/dns_article_dns_challenge_2.svg new file mode 100644 index 0000000..adab647 --- /dev/null +++ b/static/images/dns_article_dns_challenge_2.svg @@ -0,0 +1,8 @@ + + + + + + + + Private zonePublic zoneApplication serverLet's Encryptpublic DNS server1. Start DNS challenge andobtain secret2. Create a TXT recordwith the secret3. Check secretUserGet applicationaddress from DNSprivate DNS server \ No newline at end of file 
diff --git a/static/images/dns_article_firefox_warning.png b/static/images/dns_article_firefox_warning.png new file mode 100644 index 0000000000000000000000000000000000000000..50b431856c19db778f25054a151a33a0ab318353 GIT binary patch literal 52485
zy(`s#-@-A*b9L_7H#sdUl5*4Y)YgpA^kR`+2h_uwoIkBE;a}b3z<=H0%U|3&H`$D6 zL{|RwA&@Ui-zGMI-qv?Nz+1Lvalz3iT?&;af|idt1WdHuYn!%Th?zgTwHEITwxq_*3gK z)-Lj`8Zb(DUH-x^z-=cBZGBl8P?Oi}VMNYG#FWJY|5?c#$13sDc$bBUfdYU>XpQCZ zb^_+s!R}vZtTdcn6R&Z9Z@Tj26dUjnFOTx}H)J_z0x4k09UR0nBI(n{=MP`>cT#Pm zoZPj|zdC3XAI=V$ZSEGifYK<2hFK?^uyiwaj^2L_`5Uy5x-W0|lks}@;c`hx{&Z!B zRO3ks+~bsB@yGY)95)^#shApo>&2>NL> z-xwuLpX>_ijw~FQU$tE;u_Rip5lahb`MSNhG2FPfVX-yE)7$+#vmEvOrGfWsZhXfa z96oj*oy*HB$R*G$THZ<*cON_|8aH3rk`^2_&F?e+FdeekFh*mYnhRs53Dqwwkw?j1`*l048{sJHH(Mdn&i^ZeF?I_+oZ76ZF zIAFAPI*ib^jSS>@Qm@OJbzEgfmR7o=APxWo++13nR){Ihbxu95jXsoYxQtguU90I% zLrn7L51_9Df6m9HZE*2*yNTyq*%In2;Z>qGd8zO_?zzG;{aN>M?3)~`{k}o@dXAU9 zQ%@V^Pa7|r&L4G0c3siY|3EZ-nwcsbA75a$ z0n^G!p;DSad$tnR%KDq zizD^7KFu%X3u^t&&ePjqZ)Q%8SJ|>&gJc`48_?kJh?QC6rBPwi<1=#n_w}tfl^D;7 zJ6fx+To1t(@wSh5;LVK@M7GYuu9vhY z4s7_t%ketPFPALc8-D?!voT!1+HgHVSyOG`y^$?wxYz9Me&w3vOm1)B^+$oYM;M{S z3Q-|}?vtF?CsAyO>C~|cEIrP)b2To#mq>~Sh#0yZ(Q7B7%p&tgEFV#_^dtX`s;#~c zOGv;z;qLJfu3=v?*=l(C?&O>gQr_R6Ra})>2wE&_fA+qQgHRi1WGXIjlH#v|J{Vy^K@&M3~u0`cP8ZGg7>*wfu_W zlGreofBV7YI7%BMTJ4#t^t->{U3@mYWrAv1iU04t0iWhyPrKk5@}D3v?~^uJB@};o zgdZaGw`z`Xp?5)|T9i~|UMv-p@V8J>VjRdhu=%bxkdH@nA1IQT&gHINUMeP{>tFMN zA{YP&*4VR>q2XG) zrb&dJ@Za*`w=`!2HA5^f)PLTS^qJju=cl!=n| zVid?{tb^On*yu6zl$1FIqVS|W!lTRMNcYPYXXg(J@Z&nL_q)f!c?boZGX8r(*cmY`O%hVr&r2RIk(8Kgh zO;2$Ui;^IBTp75IW>7QPs4kjpx(wJdelLRaA+Or|si#}l!A8`{Cm?YsU%Me@nf9}3 z$w`;t7C|~bIq@O$yt>TrnA2JbgSyx9lS?tgD~K@AT_bM!MSn#Sa6E9oDX(0@>uG*)y3ZyU{FFjd}DvPsn~Hy(K>W z;rLCiWaon4P637UHanJWmr-((AK^~I@daoyC>^i?AANCbbsviW&f4*R(bq4tv|AMxfd3~9S^1rLMnv2r_* zC8h59we`Mn$aa+kdJJJ2C}=V_n!O)x&(dl6JELG7)|WQ=_F8H$h2EtE05INGxkiTF zW~Wz}2dQze&nL*6p`JmjQl`o%UQ~Sub*w2(spYr2SYV^$W*^uLO=U@KF#%hsL|+OJTl59``+|)X=}YaGrBJl=Iswm z!n3K)&R{;ZyGRv+Dfr+CPAfoVUjg!5h#L0GR;`!oRzBzQxGS-cd|I!^3lru{T@*WK>>L(_NX8_}{6Zcf#SKH=8|{iEu{ zfoTP!r7JzyuN71Uzf!TYYAl^2AlMW70he_5V$LJZELSswD8Sp~!Xukf2*}AjWeJ(- zz>y{Inx~+kK8yAOlPM3HWe!V#a}4n6AMW-Y`<+P_>DOv?_`@V$XEN8$sXt|Tm2 
zTl*g4m}%1%)O@;SlM0UJ<%gtU8X&#tWfugV3_mn6%x)omlP=m-w>aM4IGSh#2dOxjLyo+yQih0m!^SLlo#EA zOLa0dMN8hJ(#goYwCVtTCve32xGxLHgQs~f-X+X+N)1b43dIZJOO7WeCG+rk(tmac z$v+?(p0DoMjUWIdO>aH>xyT9Z^*sH`Bu_`jfFE}_hxOzMj9>k?7QiA<cd=jzuJ5w%gpsJyQARvWL;`TkiX}&U?d1 zk3Kj<+PbdOLMep$ZF7{x9llW7s)pr@C!&-QsPo!D4?5-oD6eoB05K!3Pt@TiodE>! z?Hq3fJ}sq`?B%4G-`=~z<~sQm)OIxw1>OJv&Nr9kdd5uI?0nVu5>WoFgyi2vN}8{w zVuaYXIhRjw?w@8@D&OfvSlngqFeSfqx1W4;dY*$2&X4ntVaBIU-hM|DpXhlFsJN_R zjH|(n;$DLISBuDd?rex%V@B{Dk(oJp49k0iVz?dJHwp;dt73A}m3Pbzj)lxw9&Crn zMt%;i5%2m4onO?gfVsksFQf~2OB=4Ht>&U1Y(Z?6$hA1JuE&SF_ntkiWe z_mMnZnE$%2Eb8L0TQ_Ek7h~`JkVdOHDkmgDlR?su-gZUT()9dzZop@A6T|&LzgrHN z>v$37C!I5AItOW;W}wZ{cN>Q?B8jBxd2XFk(8pQd3H%-Rk_Xj2_jj}G_(PpWt>6Dx zJa>az5^E|E(;ol5BLxJ^xkk1)MXa?1r~;5ANTXjP2(zl*+$;{kTd#l_B6BH_1s!h1~yY-0jWZBjIG;nYz+>pv@} zW3`~BZ&PIeGj|o1qZ}Wa=;xDwUbmVr0s`iOXPd$q{Ul5(e~Xc~UvH$BX~msn`|Dj% zZ!`XO7oUG^*J0X{Y*pz0*URVE4`5)BiL4O8c{kbocorO3m~qrm!kvvu5G6@T}wGEz)jQZLSH_f zoy}n&g?vI>HfC_6`1Tas_Ku7i@D>-YFTLTnbHQdN<->>s2xn!5GYRi%>A>7lmR4qe zvZbD#PiIVw1VK%r*6_IDX5V9 z^5F&!Vd;_3I3?g?-*Ro6?&#_}r64VHB+PYo+OU$wb7QPn(3rn?-t;5 zn59xOYVRYQYF1Wd66Xke^6$6WRR@MVOhA{QVBv(mpmwM2QqUBzhkG2=!go0OMCA8gmw9Fn6xXH?ET1egc-NT#r$!k7sBeJDEH!Vy&99$f&S$U?V#h?5skO2G&w#|(h+*EadJchH3>G~0_ zoiKbjiL1T-O?pge7NWNBKs8}1SZl3#U{8`dXu15>!b!35imt**p!Ie;6Y=5`NPL&w z^flu4e<8$QpFVX3h(@kOW9_Aa^&5fw-RJ-jlew1c@eiT?2kGVxh@cMlR@ytVHoJ1_ z$X$HPoP~eSgT{ZqQfk&2|;p*X9`;J}T=fFirh=go~3-otA=vc>cQ;IsZH1a{=@ zHU>M~JO8R)t~rplDIYwTEJ>_EgiN802$Ie{Yi=MrM%~?HV>#a!%0#WfcQC>*d` zt^Z*E0SO7KfgpXPT4s@2b`-_&|>q>O-FCp ztr#QoYOIGvw0-k!Fj8yxA7}NQ@<-p8C;YaS?Q4zXl!V_n2b9y$aSh$1(qgk;fB*hf z2mGKbQ%aI|c2wN)QqGI4IBxf~w3@zR_HrY)Hp7h^T#*s`$nd!!a?FTLn~4T$tnT8s z=huMSOffVatz;z~zIuQbVN(nZ9a)wqUJ^^Y_g(Kg>{HJA+@p4Eow?nyJoW-;u9z#H zJd9}p(UQzp*^*LyVF2PO8X|!7wr*{|IHzW#Xf?c7_19hg`CERazr zV0E@f(U@Y^%wy0%W&9ni6hc*Pi<@4k9?IQ~I(|!%tNfAgbnprc8^+r2Z%wppz#F+{ zz(kV|%;@>?O9sbrvHSko_PmBX_QRXbC)9qw)Fk~Od_3zOgft(tpgomQ-{Pa_drM%6 zu-5xIRet~UHKnN3hf*LaswJxmR4-s#_RZB)L(HUz#thepE2vO!pB=`U2~G0q)Ec2H 
zC^92_FGgDy*?oH_ut9yB_|qA*S7Ku3NF}@~K4xp8$X9T2f-Nav813P*zOmd%XR^LKkJ? z@{vhSsx@-7y2b&r2$bJ3(&r~^OX|(J-a-i-J7E6;Z$xIW)6<^@G$(aj<*tqOff&)` z{NxmGL~?!3hVyr7JeGm~|US&u35}R;^^OA2@|7 zE|yLZff(}`3W@pw8IxOPN~2Li>MXBmOQk7E@j|Ck6R1hdCtV^%h=YV= zC^;s8c+eF(ytU{U=(hQFRgrf}E#BZim?grC3r@H)f}4;PempFWZdb;%RK3}DXw&c7 zDFQEprNOP{w@gesIqzz z(##F&x4*6khW)o&S2Md2q`)|h>fs9eyQno*{9Pz;NkS)qrTfzFVQ#oqlh*+?z@LPJ z`4P@1JTOpyJgZqtE)sAEO)TVPrB#%z(EXQjZ=Q)l>BCj-> z)n*Ja{bd%-*4a=KMgG|;3WV_1w*SrX5()GE0W-h0w>rX#d7lALQC5Up_#pPxvrwVZ zNoc2Ec~(*QF$?WiYNix=c=!y!gNLhjbo+|`c5$Bha0QM=r5)>tS3+0P{``0@c#u`+ zf1n;R@r!zEbO3X>mECDe0oIeHA0X06${l^K+kQzlh7XKl$Ev@wp-1 z{HEDn@%}(X*2mA)BfIa!_o($f(*hMnqF^;9>-%<-3;lwb(0IGK?+Wl_NHE0ZU&mh2 z7R*~*H)aDDvzQa?5LMaaVc9veAA=8y6=L0LbY_Qf3rT5gfWXW9ae;g7{!|Fra!qd= zo5ANZ_-_J^VJvbXt6I6v*YtXR^N)n)CF*T@Yt1ed_LAM8qTCA9$d|p{y*z zJh_LSxb=SNYVk26=X6&CMbXmngGPtcR;OFpUtFX3+*AV|^SOOn4`hb(?zZ5!Cre_N zrH}fOrbRIWw6APq^j{1#l}6rxJTHWDcoqtp+L9Q+dL8E*;jTDg_MV(h%gw0E38Cs!cDJ+!8kro}AP_C+1ocEbEZmPB1Q-Y>;IRco& z!bWLKOXs4ZL7sfDc^fF^LWh)G6=Lci}L+X4Iv#M!>)|_;3>I zu7{}_@16Oc%Z}jPnqcYqMWKr9J4r#IdRgP>1dwWXSng~4F1rq~UqGd@hs5|@flZ#F zTJ7)z`(pe9JH6)vyt1+JafXUE@uw`O@?I zbCs-boqMk9>#~k|?k^>9!&60 zJ?2sZnFo4JtO=^`b({limzIx{@@9O_=`l)Wnt4~w;?i^D{LLSYp`K_i9O&c%)0f#GjGfwFTQNv9c81c6!EkadeARQ2h3bNWOQ_bh7^ItT7VT4)2 z=E7%cn!X3gAUp#}1j>=uD*`4zxOCI&E|SHJul2Wiqi2@^@0gtWXY_CuL1LJhw|8*^l3!jNh`V4cavd3aVrwMVBpg%a zSPTV#9z;zyitxUOo3>wi7~1QB7^TMS?1FxD|%@&A6e*=7xbD8b%I^rsr>qNQy@{@D;X2p76t~EWINAGe%GBI0V?Tc<&$`Jd0Ac4A%Kun)7k4>sN4#SQFKB$iG7x(CN!?gCwlt^lPq2_L2-K}Fj zn4Ib`>kG9D5mCD$pW+d`QxZS6`6fqMzj3@4nV#&cxMq7)PW_nkL=w?gNh%(`z?h)@6(TUp=+EoMQtgGY^{6f z9=T|?`xD4pZohZ>GoA}`f@`J)SZ~@06Giq`{|%^=24DQzIr-(|@Z9s&a@cv^+Q89S zVL_nHR5>L?#z-M{Fz!cmidfoef4t`D{S;(Zd6G)!&0w@s!I#3uA@;jXKiiAh#t1`ae5Ya ziC;tcD!6UWxv!e@Kx3`f?;5kNE%#Rl{@9Z}M10 zV>~eKwtgP{2i#nGo%vG@m`qExZF2mXt11{K_xpD2Xt~q6HZBB@4=Y@EkzTJUHO5v! 
zY&pXca>>r&^=y@D3O;0Ol+_O>NST+Cvt!qE_7jHd(s%ety&sJKSOKL0rY&~ef zSkj)Np+SUdmZ-KCKikbGUq*L*T}t&^zTfxfaIw}e*03LL39Bv8XuSKBEN=buR9u36 zpLyBuN);`mho2{`-58{5x-{K|`PG(bmbbR8z&_nmI^I~CbIw~?%(WSjStP^7J>?AhEZuD@67HpQi9*L-eg!vO&Z9Tsq&v#RM&xeC!N?1*cx^^b1vkwdSA(~nD zdS)rplTa{qFki^QrXmWD0b1Fg+2zw}*A#rawPwr3bd)gh6-bYt^kpZZY{VkEr1MT#q_pCpeh&wMK zPDNOZH@i(N7LOoTL<*S?cVx7w}1Q=IcvXg!Mcu;CVS^ur|` z#JTb+_mdV=2rLntckc>thrVkHJO{^ zMSb|6dEoa6h|0d08)%Is?z`|oIIAKX>f?rkAdl!Xz_-t!5yjulEwaCm;tq|@C~;4b z0Nv5$Sw@RgS?=-){o+z-cGkczESMM&yn`}PXH50?Sc8S221<;BhB}LVn#bgoGNBp)N;{Ra3 z{MZm{x&NTR|C9Uu7b--Y-hWmrkMw8#?@bV_@;|FdF`N;$!v8Np;{RWE_*`BF))JN- zlW$mEii1~HURZx#WR)r|K_MX@xRDx~2|IR?Rgyz+t%tV<$Ctnc^+D{y#3YwiJEIp#@BH_zEy>6mss_6(?+4BTjc?lY-+vLxZcnZ^>#_w#PaTD^zXuC zaeC8yKSKiHGn{O5z4JGho?WINyRU3#vGW=Cg||mw3DN2c(SQ2d3r+mBz`h;-(LX znhHP%g0^)(2LM=fCnbBUG8R4tMUEMK)3~Gx?-y4x@4cK$5xfT9U#cg|a1hq&HM*oM z>4&{YVBydy7l_qEG|Bzzz!4|}C7p0TbM$ro=6KKtKpzpezC>I9^G1*dx974~y`_gW+dCAhp7j{O8BYgY<8b2&sxSYxe-Ini18bJ~0ziX-oeNpw2AgQ;}!3 zLE~;wNVk@WP2JJU?(%M;Z2r=58?WTFUpP*tvQtvZ_jZ0c8R=&x3fK$)4OLI@&^=rz z-;u4yK35;i{Waqapii0aBw62pad!~Iu>1qsYfx2*f_O4X=hdOwa^Fhu+vWQ;b$%|L zzTf-#JzIx(w7F$BpUFp12sPvIts6RmDA`TmNCP8^e!tJh&Q+dj5mFaddv#Nt+ymO` zb;>QOmn2h4lgX93t6y5TmH|Q4jg<3_=SyD{*cu`{ z-cj?PU;fJodC4ChA&zBpR8m*@NWL>|YzbN7_D9P(=_I>nGFyXmeI!C&@1tNF5Y{NQ z`*&8XSK5UkFph@GVtjKlP9a_me1M3ghBE-_oYa{p^<6veoN*d5oB2^*^AoT3EutQu z<&wHq(waTLij^yWP~|pvG5xfPUR5O$7qC62czG!L)0?mPH1A5!=OVsDeeC|4y5Gqv z^HK>2)g-qTPl*z9A&{_{M1J)epxmjbtd*xF$=mKrgDiFIdG_Zq{LKMhZ);I4=^4NLjW>+Ziyb#cNLJMXuUIwIFa+dH zRC6`*_exevY1{lT$-g=Kz|TWYqH(ltRO}{(vU?-!s;~!eUbS|eUBB8vJb+!xZ>i|5wh|7WlI$nv|zZ;)%(%@*VV$axdhrQZ%s(EJzuu(YW1O; z*95Wr%A$p^JLVbI5(@GyAHU~(TtEd!!aQRj zB^{kK5@(bZgDzwIV?Kv+W_=gd%P-k6cG-_Bc4ZS5U^ z$h)FqU+MrFx=E`W)W3;Q#^MCFh=Rij=dXGzhM&osv39v=cYVLaLh||Nz>KMYfQE10 zshn>lO#1qAY&|w8Bt-p`c^GIXmZ|D-0i$!Z1{0%qcZ_wT_Fu_<4}Ah?Z=0Vc%c*u^ zy`Qjz5$@CRHRUzp+f%;^J#G2F4Y-E*GmPX0rW=`RjJgxCZD(j~V z$Cdh~MWy2UZ!Q3aYRjgkdXk3CMB+u7ktw!gy8Mg(Rum5T!hExUf)= 
zRgdgDKDG?^JO8&9;C&WmDvHu0LKv>8N=(Kt^%fZoKjjB3OiHT22$U&{8-uR;j)8yF9hVDRq~w!@Sk&Wb7zWaYH0ov zIiiK+q5)ncBxGmoHHtrVx`%vfZUtR#_5(z4ekD{09Ox(K+~vH?9tM_`_x@47as-zh zH>I^D+?5nCmc`-}CWUNqLJBPwIhjclYs~Ksm!i!ENqgXt-^~XC0w>8D+mVIi&X_ix3NTNp z9-z1N!6B=T>C{1&29ax)P0UTT2J$S!qJgn@AGs{2fADh(%}>2A zG>1ttGfCMbWfc4{O}G_%b}Do6Kl|c)*zxP0d^P&b(~M^uXmpwYk-fGh15|Ku)5bK3 z>Q>G)AZh(}RFV-Yd2Zdd9?sqKZfrY`W>w!l8)(#Q?$NDUzSHH-@x-~)Ho2(^X+(G` z*3oCvbxl~}{f+80mVO0L59aq=@KgB+%Z{tra9`dcEq)fi+U(EmIyqp57$*Nl3OMaq zzSeh^VK9LwK~=X+9cH;phe|ahKiI4oZD%Mm6m#n5oV9zbTI<9hE zdQ|ifr=b71%~7NBPrNykive^lGzj67x0Y41(kO~r*7~O`MZ`#{fh^)j$|@Xx%j*(N ziB6BdiKqV(v&*o5zZ1P+Xl(LQuH0JhYGB*>&yL97EdOtn=h>J4FXeM5!Y`UfGD_Ki zOVfoE1p-!POp}LwFFuVIrDM*xoPvMa8_Uawb`%}_eh>hW=sH}pK4jJtHHC0 zu6XsR+DP#W9=?+uE{s+qQpx#Iy0q2az>g@uR~~QUM60OP);jdzubS4iLdw%nB3|)P zB+5B==KXox0vrm$zI6}71OlF(N!v-IXln0iHm51s#%pV&J0FAF_j^GH)z%<({9pNu zH9ePcv6xN5f`z&Q<~9C?Z!F8R!{Q`S23rcoY?~FlT2x*qPSVuz`4LmX?5IskOq*_4 z7ad3P{6ABv4xz*@r&Y~Kof+^K&2%tSSeId+!cP@H$J7rNQA_CZy-^W2N#^1lzC3-X z#BNf^h+?4I&=76YW4?ZAf4lQdP*QP8nV9Ko$n(e@hk%TX`@0(+;rgI3OucWSI^XNA zsD9UyxA#W)3ybnA-tUrI#SOVr7BZ(?S>Y=*J!Kk5c;}G7?EQhyw;5!-8BLgCj%z#M z1p5~G?2d0h${WU6S(#pgU{1l0E!9uzGL~bJRoK-n!~U4N>%B3ju_!cU(WKSvZkKJ$ zN!n)cXr&8Rfuy;9uIE|9Gz7Mdz&&;W|^Prp2?4Z z@9U3}VfARwOQsY7v1IK3i@C21iYw^aBti%lf?I#6D)3=llHLvV+ngHIBII|R4j z?hG(!5KW;92kKr4G+5>{yd?S|B&>|VsTIXu&i{9m5IM~&8%$Y=oxCOeqmscnEEeKb86;Q zRn{||q8kXr7xnX%vpz605&E~By$%{NY-v&-z^;?;NYK9goJd(F)QrJ}Z6TFQJcIDr zl3zUE*312Q(ZbaQM%DLiXl&oOrp#Y>%g3F`N^O?ic% zH-%{ZE05B3{mP?=S(jIh=OzCxeJ?fGbrdmWyFSzt?Kvw;?_9ynda6> z-2kA1Rfe?PQZ@u!QbVSs(2=yxNuo4;pTtyRN#pBU_dGZ1!mhz7eT2Bg*QHTR?ggY5MbgYOwL5R z#+On@+kCf9Ob~(ZW^M`{<)API5@-AC?8;t=wd5Eyo)179OPrhj+|5Cmt;=`)Mc2aVv9ui)d&KaWm3{lt;DK!ct;MUAPC&E(9oM>n1%5 zYCp(Usa@boE()I>x}b|5Q}psfs+usbQj}&=pc&?5+f5+-v#+R~)4F6FdpkbuBllw4 zHtFB-pu#K4u|gd$oGO#<{Ppf^j&mlUYxpy2EnN7^)tOUO)DSRzI$ROAXS&tDHC!+h z_?|q!9Tg53nqlS;{5#qA`HZYALqqAPx^uE;hMq%`mZuLs=yQW+=_*S$J 
zK7V`qVv}p+1-fcbTVNt`^j0AJJnt?`Hs*0}*!9v9#%K^o(duGG6Vt@tQ}{0kN$_#*&WtwP7bA0d!=|RST{2DTqf8G!{rte$NtnCmZKr)`Zs4;p{SGQy zKo)?N=cTh4*w6D$P;zb^<(NcFfF*u8CzeUQb+3|2Wue2Sx`ZyAi8eEBZV5sk6_CKI z`#9Mojd+!If4iIWkh?>>vl z3TkQspj**a3ueRYqw`wYd3NDoHN?;K@T^L8fw14PO7fE(Ve-(`V*9V-1A<-}n1)J;Rw!+#%8U7DeE)9i6|6ydN4EcPRLI1wO>Kt!yFVtZ@AN zzKReHt>~<<;EGH2+8qSXCs%&e!IAAVv9`v+iuL9AN3c+{qR$(Hd_nKidrn(de`{?$ zUn+{`vyrPx|0v>(7j`C*4zt8hi>RCkIcO`>y8-a0o)Bp|X(1qY7Wmxi)73~Q^F!j#MwnZXw9AuerE(e}fsnx<*W;dJkj1*w;k=OwJWkxIMH!X*UM(R_7z~`M zdZwJ&LMD-B|i8`?}$Pz9^(PqU-bW>P_DCS=R6eC=zd zAEBWd`LHyhJkfmavaqXslJj?Yn)ZU48zhRHT{bC5!FZ+T9OU60ksFN16BMcB96`6v zuj8JTois15;ARvaE%M1tr(k1uyl9dX(PFcmnxo#>bw&AZLkP}m%C!;X-Fsf9JnEyT z95MaSaiP={{hFE+{wA=eucJJdn%b~gbC$Q*P#f9OTSq&7>)1GDa}cOx;d>3BG;b;2&F;$L?-x=; z7CTIJD$$hY(XKikA!FcQoMZ2-{-EEC4E=iNGuG5GlyWe?w7i=yXME^TII}-U>2WN` z*RaX4&9`qevJmhPp+1qy_Nk%bl)h?omuo5md@JKq0kw-jJIg{sT`(RPFu4J``?@9I3KeBEyxm9wE- zR8B5@+(_2)HHtYd5|F4Ak_!wF=!z)SQ;$U^^cpsJs;pTHrl&hm1HxvQ$hj`IspWL! zay^tC7RovddT4M_aZ>VLJ#>HvE#zNV0}NE0!dy$w%9SP^{wKzyYO^g38HDf(Rw_nnFguGS>loc#@nH&-%B_^oAZvC!TT z2~7R!rfoMD;5g|W5~$vvJK^O=3(a4c%gSV~s$jN@{`BOde`)Ly{wlftLLt`ku(yhd zpFAkaN5PXfUFhWjBi!QHY7f_}zjtpr)%QxrgUOudvI#&}pKft3XNYwf7vR2j+oX30S*4Z9eccn2F!mV$RPYYOm-@SJ;C16bCz=}&|7|hzI%H& z@P~p|(P@oC@{z!@vfytwOiUW3=Zid6En%Ko#=scCPvfBxN6{BJ%LEPe1jeohBHJ)~ zm=Z1zR{XzN9$e*Lpsk-9S{k5TGx64)+ON3!)0_Om%BYaTDi0di(3~*RgrD7R^YzO} z1Yuk-pL>1Mk_u;sk#=nld>p$^UB}`H+RM1FFxOw&2AxWMM~N_#qm6^CMl|L1S+LM>V_D(|-FM)Skk)Qq*W?_l zI4u`ziKeFG$iW2jw#%K(2C0>TWQSEcuZ%}KLkQDy3F*GF@n;Kf4RddcQiV_QB52{I zHAeF{BZEomGJKN7VTO-YwhwMof6;?8&&jqsk^+rEs<`A7Xk#1v0WHAzID^0z5Ld_`WnDK`2fw3 zMMD$brOq*U))$xj6YXV;E+w_wNpxo6t(6D`nn}6 z+;iRP?@t-&$*a_PNA}@xNZ{9Z+Ix-fz|cZU%qe-S_4Lm-|fBetnF`b|Ypx z**%J4OmPhg@W5PgxP!%x=p1}{dUH%ippfcWNKW1)lZ)hGxe($=!D=*vKI3NcS& z;#_R@sF5zt$pD+}8{}8E^Hb;cAFlf#2tG$*VMV}jMA5%Ie>-%F&7RJ|gf@opic*_A zP^g1T;+A@kT3b-HnkM_$!*{LyA-^ayGBv6qGdSDwxWrvDrk}J5e!Bl6^5#W`5M5Vu zpn8QxmhtIGaWr9_SNX@WEP$I7$-EDO(Y<{s@v0&wfp_qSrWO*>@n{X0tzu?ofA_6H 
zyML&+^@ccc>^7p4Bpdch2mOW-ht|f(JM4bzh}zqss+@!K{;nrt?TI`$l~QWDIyvVC zSt+kMAZ2@+R=zY$cv zB{^!3o(?=;3gPQ#9k`6&6ZlLk~br=bpI7`~1#B-|PIPsNOL%bo}+x z`3?#|*jbFQB3}qCw%xnOejH5ce21$+7|8$5vcn8J_@_3AM&mduob=B0usc59e|@2e zw_{^2_Rm)D7EFS?JZ)9)swB-D7ZEz_&o-uPh3L8uPSP>8=*Qf(RfnZbR>UB4{#?Ey zZ89Ee%LcJInuKl1`yLt=hPed&tg>RX-nPN|_TI26g{3CHK=}$9`>nk8-Q)RM_4>nb znO~-U+f^4_NVV1DB*Qf*TAAePUZk`p7EJP(iyx7m8a?0YsBf(^P!EOMlUQEK! zCXUut_UT{$M{YV@?bY>UPk~lsb_%IBdPs)jkY8ZSregXZi{@7-2|2-^%FJCkW`|k) zdnM+wLE%JEJ=P1xZ*wM7Sih=ciFyV)9K~K5$sm!cvMDAkZ!OGr=llh-Lh04Ilgo99 zFDffbEUmCax>M$RqsxxI1u8E+?J|H^tRE_fm=1N9=(QxK-oZH9wHeLSh?j$sy?h_y z%G<Lx_w~Tw&DVviRS7f)2o$&b4R~-0m zyUjA*K|;2Gt4{W{Owin-tV-ed=f172&Ca?LXnsMGdNkbr)YrlzKS4`9zm%DISc=+?L`s3^*40dZkwal9^i@B?) zw)wjA38V4|5rVYwCRt@@Z0CfQg6oe%>&7ef5C%b)*%A2Sj`6W-EEd;`Y(9HaI+htdw-w0ai` zt`8k8L?xH7qAiUbmQd>o$pF))@|ydUvYq&9&GBL|ke#*Xr+Jbndb7n^loUg{UXZM| z%H1(6FfSrbZ&1-N8o*Ze>F$jCjR>bJe7qq9)HY?=PiohOm zKu9B*AYi9?72@h$(|(n^o^-Sftyw=baaU)O?;$~HPv~ham??Z9<}{<_lDxGE3IxF; z5mkS-m+%&wyzNTAd%FH>#?a)fd!N3X-LKRyW++S27_6LPtl z=bYCUOd2RrD5q+K0X608didz~sr#hl>7Ya#XsQa5SylISqF7hLHn_2{P=?M~(;`yN z10Gt;E4ztJ`ua82DV9E^zZj(Sk22QQWu7eM_ z@AD}Ix?}&Oe#J6j^Ujn@@Y>U5)*x5-dlK%!aq zP)SPO)Y$Q+3)j^|RQqu3dXidhw4=l!NR|E@_Xd6flj!k}cgI7kOxtP-j^&1!C=sC~ z^TVY|XJf;_#%qtqA5@E@72#FKI};`#+QYd};f)HYCsuPu9?F6(W zD!Lmon3wV62M+V&*C$?;oNp+vvP3I&bX5D~j+O%_orh0FIw(aJXPg#1{`M1dt6`Fw!4QD&&^J^!gB|-@Q zpPY-NnD)QJxM#?l?BaI^WqavsYCI2;1Nl%=qAK7sDI2k-2UrJEbFcRcsW44Za?s4SK#gBRBMJ9(+ z23^np+8WhuLUgXDsJIY7tbsUJ1lcO-w|ap@I`h!S)VCg8>))s78zgVVKa7J^$9f0Y zzfzU}Yi#ozf67!hI*tJm++k2N2tis^W%vK&0yH+oIV}EQl%A(6(h268oH-N=yf{sV z_oY#1irBi+smtu;Vwbp#oEkMreSQQcWiXnxnDP=EQFb~1Iqub?>UR4^xsmv*aJas&i4tN{WyL1zUJMpsYw5@MH@)@dY4ZAIO;m* zvGjB*WAcL+V{@5(|6aXg)At%5xb5>vtwOMVg?@Z9tUJ8Lh*@1KnK%@kRQ+ZM7f(F1 zR{{sO!|3<>wA-bH8w_jNE8~uUbLE=)Nh|it|6Yl?S+8P~#xAs0<+}LG>4Vi6?fFJ? 
z*wSnC2bHjn()A7Wgx62-DREbJw%hdGGIMSpig{S{i{~{QHFNnXfRJ>1g+-?s+_9iH<-GLe~Qe>JFQd zqpR#04w^oj1NKQxoD;Fx;oJ`nW&0*7g%O5AUaN9pCq}`sPA12lzD_+!^>BHxTPAZH zJbum{28$Bn%9#^i4@RXTtT;kyg4>!LhNqA>ogUsfFPB6+db_o@c`M4TSgm7UFLRn< zdQD}F)6X#SXM*_-`oJD{sXt?KLWpEjs?+xJ>XC#o8{DMfe0^6N&M}yr7M3 zW`G3gBemy2iTXa=Q2hK%mQ_4?KkEDNWZ0jWH&e{7q-cBtLoDO|c9N4r%96p!kotTx zUbg(UoCSp~Elg50-s%uJk5MN5X_|oId^ezd4->7sQNg zK>poce_el%b7 z3ou>dYT8!HU$}9oo{~7k#fNGmTQ`JrAa~=;`Wob!xU#6Y)wMTqFg%{UWya>e)8I|x zjEBI#hyB7md7Q^H^GVHH48tD!bASenP%IhxXtivzrHNiFJckuPO+0UwreX>lk zjF+MHz;FHqh}If7hIt10FA2+YY!78rQXn+6bL{m0lAwIw6%T<+OmJ1u%XB)OVl_8^ zqG}DQ3oxz8NQRlKtc`;nBJHWlTi@*($t|sb`YnPGWp{#jx8`G(%OmTLX8~Hw$~&+< zA!8mCZ2wrjNA&Z(8DJ)-GpIAhiG9R^_l}9`K48yqN8Cz3Bpn>G3Lo&`)uL2h2l?>D zf`So#N->pAD&?(0zbtt(xu%_nlEFje9^DGSo930a~5$=^7e>& z<#cc!JE-*Z{yZF#=NGV6O5t%9_Z*xlSe?zUetu}gH#pmAryJckS?-wUkx3e76D7_> z6=VF^S-<8-0#;t%?FYW{;6FqTWw+enD+fk7^is^y2ydr8`#o!FCrc-90Qz-r78fcH zFcSxF@BhwW!s&Rw*YWNk4pLx)Vgv12Y=D#eJE_*}jqBsQO|D(+u6Cu4@S<8;g1+EZ zco4EJ?oIS~A2L_Lr~(-2=Y%MY1~-gWO^Ten7iDpb&=?E9X&QVM>1QhwOUsCbKiF2b!|7~n3@JX zE9O}Aey9`le@uJT(2Yfx>UHtC0`4mNR2|UMijzK5aXj`-Lsq`JGrr$#uW?_jGiR>Z z<0>xI*y~NRLrNEZnL5;gZ}&5-U77B-Xc#HsfNI%U zB=6t*;k7&ozi8vYW%Hd@vp#=a-jeojekAL3DZsnqW@ZD7{+Wx?>GP;bIj{wXgj1q7 zlxiFqB53984{C60zZrxCBLi*&$(_XP*YB_X%IVv8Bc80SFk0T8-&)BAtfw34w!0cN zN|7h!Ov)VXN1UxC4@}D_JV0g862#AI0TC z)5g+!S1SKK%h7+QWP)aA%OM} z*)8QPMm2&jVcd0l{L{u;3?%%SH8q?d)fI8^(4vb-oSYq6dZp(7IM#{^z7x*>?hJpF z`~=!Bo^jG%GlNDsWl>qPf{fdf)5?m6hkBvMhNiEd=S({Ic5Wo^HLx=WdAzNoBG;<{)PqSV3R!(H6TNLX}f;HuH1syX@7 z@uc3Qkv$qpvC<2uMxLlE&1h!Vd{(j1i*oPX=D)H#&@Bi6WBrFXk*#wy*8&OQjlkyN8wUjy z4OnW^1Q^rM#3-;?oAm{Z2A5w_)XjS3P$vIJH~jwIbZ+NWwWA9xFICLubC|$?R#gYt z)cMU%_4j9fTumgGU}L~616^nj!po6#>G}qCM$~i0{e5SfRWma^=eL+*4^F~+hK&;I z(!zSIe(zlFKP4sB#{~0HwixcfSI%8?pv&B^RKd@lJ&SvT)t->g)f}0BK}155f>mcR z6uNwOaqO^xuyc0UXDhl}JDnuz;lkY;bg7QvV0kd|U}oU3_jJ}1k*kQfJ{TU3R9~ws zwf?IqmxHBDvw>hU$KIQ5ZU@oPRkXO@uk+CYAGeQOdP9qK+Zk(=R&Ek;A1iQs1(qCG zGSuLtl65=e34dg~rF9X_Owv9un~(&(e14PV?A{+A00G|eHj3r8&YmtZ^|4jOn(0PX 
z>xPp(b)&8EYQ4T@HXQyW%$)WOU2dqHhG_2@;~^FJ8dV9Dz*lNF_9uPlLe%15>N?vR z+wpa}gkL8*94gvuio4f$j3l&lbY2HDtJ!}RUU=?q%$`+bC&?rEod)n`|HewB_NLu( z%{BLM9%m-A3&Mhatb@e^M0JFR^clFaMI%0-kSzyxpIwhu!{Ym`mrqMJpA$p?HiguN zbPNaJm+fTII{IlKKet&o&{q3-y?DO|MfJDkW30@N_0vT(Y#blmfI>m%u<{*VxcT4b zd;b}{NE*~6uvXACdmkl~*DHzrb} zH#itl8JNVR>o(r(67lg*FZ< z!+bd(3Ra^>M%Zt8Z)GHgroUF*b`(M=y^;*CeRX`~*UcPx1%NQ~kh+QtQqokr@)v8w~e^bF*QQN}eOC428K%-XE5| zV9f=KZS(WKp0`dXKHHO&R}!U8FAeoj);pmQnFjUuUoe`V^>ML9ww_Pdc#>%A!W^WT;$3mGf+AaBT@JUCp^`;? zV_r>a^6>kz(hW|=LaN1DskXEB>D=3vG$lr*yFRLng;Y?-Fz{4JcCkf&ar%%q@ZtSn z9{lMfJDJH$2c~Fq#`XPEa9Kz8*KlhAA#az~HU7&xIV9x*S-ABUxTAfq{V!6K@j~8J zBIt9TRJ8?4JolIvwFnZje!AK|n$BIc6_mufWK0~-)HRUH#hoeo+r}DF@4mCRSk=1I z#o=uy@l%&dVu<8XiZVRxuUa7V-1VD-&4X)()9X%BQa%K_9Nq`l=lNHgO5PTw)-P%P zUmSy`mPF&>E%YuMue;3vz*xPDVCDbIQAt+M9-rm~^hkAh_j~rV66S@?svn0x_-&*r z6Ts31RGJIvB;hzFp}J-?wcFoUTdGfz&X|xL5&# zQj0LY#krClc{~3u4Y6%t&l<}^ooD9vqQnH@jtzSUgTBri3)jwsq1>H&!rnt=`{Sz$ zGXZPc7N=OtPw0if^-a8bO7Z^==%!ECcUEqT_tDUL3t`x@dbNBDf#insRum{pRBH2X z6c<&Z{WKd``d6aeh7A9wAr1PU3fcCHe^JQnq7Q z$GHj>bN5DPNSG?k(&-_M-997o2CXTDF6iA%+fA;; zbvz|m!Z%+Tix>YGX1yg2hqz<4m5K%5Qm51G{s<0*G9$&d{?#7UO^(IBY{e4~-XOTRalZn-v zH~sAqea}#jHYOD9p$Cet+nXFoN8mF(V%Jigq(2d3aUOlksa&|3HtZNGrB+KlGvdCi z<8ll%FqQ9(`VinAI-Th9IPAVa8j1%7aLiW5d^RuYZMmxKl&Yb+mX%kCa__A*ZbGpgz;A_ucuSEpY8a;m`Z7{)8Zvf&u0L~&pED<*{XgR z7TvzyWCIy<`)BnPn+o0AM-{rf&m)&zcz%;(hC8Ydp1YL#qDotyWy;Hugqv>Tuh6h| zC_H{Cf}H|t<8p5kuvRb3sNrstJdUorT&i~Co<_MC6I>mxMXmfzm#qM+mwA>Ist~2Q zZtXuyRw(dM;2j--n~4Ikq_O4YzM|p;z2cn18BK7=mpH7LsJW-q;=3|SM;F;ZaJpfot}**#6UEJ#PR}g4$e*j} zIvA(kxJ0aT!af#RRpEI?ClSbTdsH#2@tWVCQtzW)zQ8H$%FDR{?*2~hdImCsKa3XlR7?8!c9O_`LErFHO=VXETRnX|El~S zmiYhs2F9RCRANQ6(&)Z!KL4GbKP0ekDwoCkPaj31l^DAMW_*Sy2D3|*OqmEGh_FKR zqxCOb*M+Np{(N6C-MJg79pmQtIdIbJUk_=h9=t|e3Y~o#$ddp1t)ZFJ88Hx$lanKd zbiPfvySu|4=3*d>C~I>0ms%A6Dx%g%@)!?=4gH(@|GiuM-y80SwEL77XO5;9w@CEnE2emK zJ^B~2JE8YR(|$u6X&g>Qk4V}SJhR)@p$w19V52F@y5aY-D);7X+>+q-nsHlP_}iJ? 
zb=6e*(VBh7o2EC^1T{6I#+`lvehm(v(G!H8;iAUzNUU;;nwQavZb-;BVw9ThMG|FM482e7IKjckryq#sf0ZL*BBgj}95<`Hx5~&2Y77t86u`&iCQ|+O zp&DGByv@fC&aE*lkIRRnKfTiqy8AXbL!a*9?=kK4C82Hyd^#53if&JrazzO_AbNKUL}j8XN|$_0nyf*{F>AAL(kgG(myJ>E_fF8C4g4Bs(s;-703s9ZG3SQ@ zG%Y%5Pv^4z`@qE7^%n(3+e)VX^GDD77-riTL95Y&kUMCWW5@17`_q{P=AY>t%vOt- zsnUUz*GZ9kTN@<`F$_ zO)ir%Cz6;YHjz1_aRT$5GxzR4IFu{h95Z>Gl>D46spMuERO{Uz<5J9LH(AjQ+eCe{ z`-(l!rg#BYAn(kk?ENzX=?VPx0pWxxfs)5)+gEy=KpNdXrUccB^YMlp0aWM_Irrhp z^-o84V8rQ^h+JYu#jKdMHX7x1L+_1ay|K0VU0pb^jNuQ?6dd2%<69qex1hmQY)mo z>NOwES0^-xbDkbwMa|?WZiI*TG?{iY$0FwYx^;{FZdaB!=bg7TZttoN9-f7QHAOO0ICI0N>?79|aQJ&>oi*Olt`VxH#(4<88EgS6AI*J1 zP}Q5%&I!www%E}sLxP-6f^!5|PV(oWxuR6D++}K=?pH!KS0C2x2F0WJjn4A!QulGs zMzjTa$C01*lcm_sqRa*u9_-r$w4GKec?ObAVEXGxPhS1T{N|;~dDU}#Om|0*2>=+_ z9&~0|`wA#bSG&s7%i7PysSSZr9h9*az*FKW+gX(?5(^ut5Zz`SK+n?cpzrRB^*i5; zTTbl-vC|*h>6uA~nTD1~+Vpn&E&nHb-yFB30&F}a;=+@VB9k|>mM_Tr&~f*V<6M-L z)fspy$~1Y0*M;qiO3FJ;^fO;QiLna7xBWAjFWar&z(i1ajUgDWK~;gBBjIEmRp9)&UqCm#V>K@oxxxI^weoZ(AcZ3uJ?3U5V$K_Jp?E z6svF|hww!%azr4(*06#w$O|rKDZ_XB5|k<7JT77$%Rs``sbogeR~L$C4^SERY&kTLEvP6YFP4pNI-;6PBh5KHo zEulq`&i1m#a(asD-iI9@wEKSa45CqojU5fjcdaR$K^Nk(9VqZ!et8WlN;&wR;v0B@ z+8s<|2hZAT*luZ(s9YNC+oG2yBr_8%b#E8H82-qF)(U3Tp9fPEOg~)cr8*@gtDg?I zyiq1Bxs))T+|74f}fZ#c(WC^#AQ zaVH9!g81=}B^h8{>-K5nSzI!HoaWvFdmJLwp2*iykm>w0!=Y@H0n&Lra$&u`_czN- zBbB92Kt1`!qG`|%G}l=mi;eh$8vwSar?*|lQ|@Yh&mq1 zq;CI+dg9oz=$J|QOUiy!$mxh5Zw7Y1g3b7Y)JZsycfdN!$zYNI;WGdQx9df3Cm1<` z!h`YqWfP^yHg=~cuCIc9aRU|%Uq*<6d{+cWYggcnUOJ2y=N){i^=-!Q$eP>e=6f-MH^|~5;D)57 z@lPlD&Y5<8^P68fK-^>h((O*`rEqg`!<0=;m6&V>9q{iEyA|3j*`3*Qv@7l{=TxL%|Bkz;#CQ`AWl24Cput z!$=lL==BRKch$eRwb<$MnVl&Nrx}PzEs11q$$mn0fHjG^FlmkWdYHTrb$vd??qsT! 
zuyRDWYILeyM2C2n8uSLrK3EFDin2i{3<*RxN#6y?hK4uBv~6Ti^Q*Tp4-rQ4H77uH z0RUbdT!pWizVw7&!+X@&Fv>pHeBorV$C)v9re~((_0pki_))YGrMt6HjGs{XE*HOX zq92cZ4M(uc4CJABVj)n$Wg3ji%tB0?U+h_U6b)$PT6oif(DI*x4S{TYaWH30BJH>=%P>`YwCnYVeMtN`>3v(BZX z%WyJ>xvc8@hnZSSv8X_QK8G3aq=YRCJ0A*lz+O*3t9Uvg>T^Ng$qMr`Nr$E4^xt(; zm(Eoo3X5t0$M6qMi}jDkK~F~ZMHe&3$p^wWu;di)j(63mNna<#yFEVe!G?6r-&!+x zQA{Ok!jj{Uqq{Ox_KYW`0TY)V>ZZ9yr)ly`qzzjLu#^7bI(8mV2f(l)8JJ<_OmQ3Y zpI5=rV8@0Yz|00UvB+%Rmg7p#<@n2BF*^FL)hiT5;;hYj|5RN@!|v1by0q};bqJav zIV{!gJgDKJ_p6}7@DYZ2w-N}PRpptcWO~+qybaG4XloY$h&JqfjTs73=$Fr8r_v7#R$emT}s7J7k^pIV|bIxQ}E>y1sM6f|+rY%LKnVLqzMi4K6;j^~+ z9HG0MuQ)lGW5p1_FhQ&TOREK4{juHhn$hq6UzV>cM?`P4t#n7dZo_7J$Evc3wiIncK_uHyYQRv24xt%kQ_9r z%+TbtT{f@4c*P>7o8}z~&g5(LOEUiv0ybu&Y#}`DnRlQ|pV6mn^^nu}Bcj&}>lmfp_$TV7cai9k*cK-l^s%rgV>aZIh%hJ)^4Xc zc@UW0&hN={;bU^)Vlnpgm?RB3lx8h!kGingl8$~UtF?oTt8&s^%6}XW9`1P8?U|EB zK}6Pm>47817AGq1RzE;i@5Nr0*3p#sg{fX|e&{*Z%yodcEMP&!&0Dd6Y=*U#kSC;> zh;@sx!d)kmeW0;eY4GD;k@dL%y8L_FwLhANS;&tW^e+WRGaPuK`r4CFxa{z<;cSh; z8B9W2keEM0ABIc?D)amsm5BmOlh zkedr(YP=M@Vf*r27X+|8lDdV%J(0!z*}KggiV%T=n?KB_{wEyd?!}=1 zdC0PV8TZjgC(3=lhICOOLtinYQi)3gc54XnN&OhO>58$ZLN2a`Y?n8~7jX`STv=&m=HoDliOhQ!;AZLi6f*=&G%*mx3lps{bDiE-FN$v3RM@TF z<~VvV_OLP5c`FpO?d5st`Kj>0DI8ZyqBq^ndLjrEd zCAedC5MEccxbRtM_C>FKL^$+AKq52$F_|#v>xqE#vYMn0Tq>e1(9TR7UKRs4Y9C=@ z5trW3R=(JtLhp}5`q_OdkaV_nzAYP%V29!?QM55tQnhVG-Y(=~99_Lxy^0dju#$hVRk>##$y}k=n^kNR4|?SL{R_DEE#d*IT4QutLyXYZ9tA3@AnYrhi(;?s zCXsvI$n&l$zc-;M0OK(lKvjGGFad$KQ#!EdP!rM)X%IE-fZ2X;@$!zqjQA1N=mGP zg3sRcB&IoP7H}!%dQKDJeXq}m#U?BUWvvghsyR0c2dS|Ql)hJGU?)58F8JCR@&bzE z(xWlS8nNt{5+FCoha<&oanR7QrxRz;X90XvbFnyF_sF|?XdR7=rw(E=R6Vt!YFEjn z&KB|>e5i=9m?eqfq&`Y--f|i>Gb-)?@gBcY=vfwZ9{Q~WZ-|5)6vS(D~heh%_s z^LM$^tUX=m^QL!kJzjs$v*aly$;igsFOdbN3axJzU+&FbcWCyZlV!ZccRy;>-#OQ^ z?pyvYqpJaz&dr(}rj=Dw^?r8$)%BSo_c!j1Ztb5vE3CxR{YQCf+NUExNPx1bp;gZNLsWd*G*Zd zGeXRH=6|!k$DclZ+HxzaK)CXbFnH+JVgH9#(83c2(6Tn5k*Mq3Mg_2i#|q!sVgK3p We9~Q=>tH?&6lR{TelF{r5}E)m#!@B# literal 0 HcmV?d00001 
diff --git a/static/images/dns_article_http_challenge.svg b/static/images/dns_article_http_challenge.svg new file mode 100644 index 0000000..7ca1ef3 --- /dev/null +++ b/static/images/dns_article_http_challenge.svg @@ -0,0 +1,21 @@ + + + + + + + + Public zoneApplication serverLet's EncryptDNS server1. Start HTTP challenge2. Check DNS record3. Perform HTTP challenge \ No newline at end of file
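Review bot: static/images/dns_article_http_challenge.svg is added without a trailing newline (the "\ No newline at end of file" marker that closes the hunk); end the file with a newline so a later edit to its last line does not produce a spurious diff. The 21 added lines show only the diagram's text labels in this view ("1. Start HTTP challenge", "2. Check DNS record", "3. Perform HTTP challenge"), so before merging it is worth opening the file and confirming it holds plain shapes and text only, with no script elements or external references, since it is served from the site's own static/ directory.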