From bcedf69549652b9d201cc9e02f64c086d6501d14 Mon Sep 17 00:00:00 2001 From: nixbitcoin Date: Thu, 24 Dec 2020 10:29:14 +0000 Subject: [PATCH] readme: update and split into various parts --- README.md | 199 ++++++++++++++-------------------- docs/hardware.md | 8 ++ docs/img/nix-bitcoin-logo.png | Bin 0 -> 45002 bytes examples/README.md | 59 ++++++++++ test/run-tests.sh | 2 +- 5 files changed, 147 insertions(+), 121 deletions(-) create mode 100644 docs/hardware.md create mode 100644 docs/img/nix-bitcoin-logo.png create mode 100644 examples/README.md diff --git a/README.md b/README.md index 71b38f2..3c5b718 100644 --- a/README.md +++ b/README.md @@ -1,144 +1,103 @@ -nix-bitcoin -=== - -[![Build Status](https://api.cirrus-ci.com/github/fort-nix/nix-bitcoin.svg?branch=master)](https://cirrus-ci.com/github/fort-nix/nix-bitcoin) - -Nix packages and nixos modules for easily installing Bitcoin nodes and higher layer protocols with an emphasis on security. -This is a work in progress - don't expect it to be bug-free, secure or stable. - -The default configuration sets up a Bitcoin Core node and c-lightning. The user can enable spark-wallet in `configuration.nix` to make c-lightning accessible with a smartphone using spark-wallet. -A simple webpage shows the lightning nodeid and links to nanopos letting the user receive donations. -It also includes elements-daemon. -Outbound peer-to-peer traffic is forced through Tor, and listening services are bound to onion addresses. - -A demo installation is running at [http://6tr4dg3f2oa7slotdjp4syvnzzcry2lqqlcvqkfxdavxo6jsuxwqpxad.onion](http://6tr4dg3f2oa7slotdjp4syvnzzcry2lqqlcvqkfxdavxo6jsuxwqpxad.onion). -The following screen cast shows a fresh deployment of a nix-bitcoin node. -

- + nix-bitcoin logo

+
+

+ + CirrusCI status + + + GitHub tag (latest SemVer) + + + GitHub commit activity + + + GitHub contributors + + + GitHub downloads + +

+
+nix-bitcoin is a collection of Nix packages and NixOS modules for easily installing **full-featured Bitcoin nodes** with an emphasis on **security**. +Overview +--- +A Bitcoin node verifies the Bitcoin protocol and provides ways of interacting with the Bitcoin network. nix-bitcoin +nodes are used for a variety of purposes and can serve as personal or merchant wallets, second layer public +infrastructure and as backends for Bitcoin applications. In all cases, the aim is to provide security and privacy by +default. However, while nix-bitcoin is used in production today, it is still considered experimental. -The goal is to make it easy to deploy a reasonably secure Bitcoin node with a usable wallet. -It should allow managing bitcoin (the currency) effectively and providing public infrastructure. -It should be a reproducible and extensible platform for applications building on Bitcoin. +A full installation of nix-bitcoin is usually deployed either on a dedicated (virtual) machine or runs in a container +and is online 24/7. Alternatively, the Nix packages, NixOS modules and configurations can be used independently and +combined freely. + +nix-bitcoin is built on top of Nix and NixOS which provide powerful abstractions to keep it highly customizable and +maintainable. Testament to this are nix-bitcoin's robust security features and its potent test framework. However, +running nix-bitcoin does not require any previous experience with the Nix ecosystem. Examples --- -The easiest way to try out nix-bitcoin is to use one of the provided examples. +See the [examples directory](examples/README.md). -```bash -git clone https://github.com/fort-nix/nix-bitcoin -cd nix-bitcoin/examples/ -nix-shell -``` - -The following example scripts set up a nix-bitcoin node according to [`examples/configuration.nix`](examples/configuration.nix) and then -shut down immediately. They leave no traces (outside of `/nix/store`) on the host system. 
- -- [`./deploy-container.sh`](examples/deploy-container.sh) creates a [NixOS container](https://github.com/erikarvstedt/extra-container).\ - This is the fastest way to set up a node.\ - Requires: [Nix](https://nixos.org/), a systemd-based Linux distro and root privileges - -- [`./deploy-qemu-vm.sh`](examples/deploy-qemu-vm.sh) creates a QEMU VM.\ - Requires: [Nix](https://nixos.org/nix/) - -- [`./deploy-nixops.sh`](examples/deploy-nixops.sh) creates a VirtualBox VM via [NixOps](https://github.com/NixOS/nixops).\ - NixOps can be used to deploy to various other backends like cloud providers.\ - Requires: [Nix](https://nixos.org/nix/), [VirtualBox](https://www.virtualbox.org) - -- [`./deploy-container-minimal.sh`](examples/deploy-container-minimal.sh) creates a - container defined by [minimal-configuration.nix](examples/minimal-configuration.nix) that - doesn't use the [secure-node.nix](modules/presets/secure-node.nix) preset. - Also shows how to use nix-bitcoin in an existing NixOS config.\ - Requires: [Nix](https://nixos.org/), a systemd-based Linux distro and root privileges - -Run the examples with option `--interactive` or `-i` to start a shell for interacting with -the node: -```bash -./deploy-qemu-vm.sh -i -``` - -#### Tests -The internal test suite is also useful for exploring features.\ -The following `run-tests.sh` commands leave no traces (outside of `/nix/store`) on -the host system. - -```bash -git clone https://github.com/fort-nix/nix-bitcoin -cd nix-bitcoin/test - -# Run a Python test shell inside a VM node -./run-tests.sh debug -print(succeed("systemctl status bitcoind")) - -# Run a node in a container. Requires systemd and root privileges. -./run-tests.sh container -c systemctl status bitcoind - -# Explore a single feature -./run-tests.sh --scenario electrs container -``` -See [`run-tests.sh`](test/run-tests.sh) for a complete documentation. 
- -Available modules +Features --- -By default the `configuration.nix` provides: -* bitcoind with outbound connections through Tor and inbound connections through a hidden service. By default loaded with banlist of spy nodes. -* [clightning](https://github.com/ElementsProject/lightning) with outbound connections through Tor, not listening -* includes "nodeinfo" script which prints basic info about the node -* adds non-root user "operator" which has access to bitcoin-cli and lightning-cli +A [configuration preset](modules/presets/secure-node.nix) for setting up a secure node +* All applications use Tor for outbound connections and accept inbound connections via onion services. +* Includes a [nodeinfo](modules/nodeinfo.nix) script which prints basic info about the node. -In `configuration.nix` the user can enable: -* a clightning hidden service with [plugins](https://github.com/lightningd/plugins) -* [liquid](https://github.com/elementsproject/elements) -* [lightning charge](https://github.com/ElementsProject/lightning-charge) -* [nanopos](https://github.com/ElementsProject/nanopos) -* an index page using nginx to display node information and link to nanopos -* [spark-wallet](https://github.com/shesek/spark-wallet) -* [electrs](https://github.com/romanz/electrs) -* recurring-donations, a module to repeatedly send lightning payments to recipients specified in the configuration. -* [bitcoin-core-hwi](https://github.com/bitcoin-core/HWI). - * You no longer need extra software to connect your hardware wallet to Bitcoin Core. Use Bitcoin Core's own **H**ardware **W**allet **I**nterface with one `configuration.nix` setting. - -The data directories of the services can be found in `/var/lib` on the deployed machines. - -Installation ---- -See [install.md](docs/install.md) for a detailed tutorial. 
+NixOS modules +* Application services + * [bitcoind](https://github.com/bitcoin/bitcoin), with a default banlist against spy nodes + * [clightning](https://github.com/ElementsProject/lightning) with support for announcing an onion service\ + Available plugins: + * [clboss](https://github.com/ZmnSCPxj/clboss): automated C-Lightning Node Manager + * [helpme](https://github.com/lightningd/plugins/tree/master/helpme): walks you through setting up a fresh c-lightning node + * [monitor](https://github.com/renepickhardt/plugins/tree/master/monitor): helps you analyze the health of your peers and channels + * [prometheus](https://github.com/lightningd/plugins/tree/master/prometheus): lightning node exporter for the prometheus timeseries server + * [rebalance](https://github.com/lightningd/plugins/tree/master/rebalance): keeps your channels balanced + * [summary](https://github.com/lightningd/plugins/tree/master/summary): print a nice summary of the node status + * [zmq](https://github.com/lightningd/plugins/tree/master/zmq): publishes notifications via ZeroMQ to configured endpoints + * [lnd](https://github.com/lightningnetwork/lnd) with support for announcing an onion service + * [spark-wallet](https://github.com/shesek/spark-wallet) + * [electrs](https://github.com/romanz/electrs) + * [btcpayserver](https://github.com/btcpayserver/btcpayserver) + * [liquid](https://github.com/elementsproject/elements) + * [lightning charge](https://github.com/ElementsProject/lightning-charge) (deprecated) + * [nanopos](https://github.com/ElementsProject/nanopos) (deprecated) + * [Lightning Loop](https://github.com/lightninglabs/loop) + * [JoinMarket](https://github.com/joinmarket-org/joinmarket-clientserver) + * [recurring-donations](modules/recurring-donations.nix): for periodic lightning payments + * [bitcoin-core-hwi](https://github.com/bitcoin-core/HWI) +* Helper + * [netns-isolation](modules/netns-isolation.nix): isolates applications on the network-level via network namespaces + * 
[backups](modules/backups.nix): daily duplicity backups of all your node's important files + * [operator](modules/operator.nix): adds non-root user `operator` who has access to client tools (e.g. `bitcoin-cli`, `lightning-cli`) + * [nix-bitcoin webindex](modules/nix-bitcoin-webindex.nix): a local website to display node information Security --- -* **Simplicity:** Only services you select in `configuration.nix` and their dependencies are installed, packages and dependencies are [pinned](pkgs/nixpkgs-pinned.nix), most packages are built from the [nixos stable channel](https://github.com/NixOS/nixpkgs-channels/tree/nixos-19.03), with a few exceptions that are built from the nixpkgs unstable channel, builds happen in a [sandboxed environment](https://nixos.org/nix/manual/), code is continuously reviewed and refined. +* **Simplicity:** Only services you select in `configuration.nix` and their dependencies are installed, packages and dependencies are [pinned](pkgs/nixpkgs-pinned.nix), most packages are built from the [NixOS stable channel](https://github.com/NixOS/nixpkgs/tree/nixos-20.09), with a few exceptions that are built from the nixpkgs unstable channel, builds happen in a [sandboxed environment](https://nixos.org/manual/nix/stable/#conf-sandbox), code is continuously reviewed and refined. * **Integrity:** Nix package manager, NixOS and packages can be built from source to reduce reliance on binary caches, nix-bitcoin merge commits are signed, all commits are approved by multiple nix-bitcoin developers, upstream packages are cryptographically verified where possible, we use this software ourselves. -* **Principle of Least Privilege:** Services operate with least privileges; they each have their own user and are restricted further with [systemd options](modules/nix-bitcoin-services.nix), there's a non-root user *operator* to interact with the various services. 
-* **Defense-in-depth:** nix-bitcoin is built with a [hardened kernel](https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/profiles/hardened.nix) by default, services are confined through discretionary access control, Linux namespaces, and seccomp-bpf with continuous improvements. +* **Principle of Least Privilege:** Services operate with least privileges; they each have their own user and are restricted further with [systemd options](modules/nix-bitcoin-services.nix), [RPC whitelisting](modules/bitcoind-rpc-public-whitelist.nix), and [netns-isolation](modules/netns-isolation.nix). There's a non-root user *operator* to interact with the various services. +* **Defense-in-depth:** nix-bitcoin is built with a [hardened kernel](https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/profiles/hardened.nix) by default, services are confined through discretionary access control, Linux namespaces, [dbus firewall](modules/security.nix) and seccomp-bpf with continuous improvements. -Note that nix-bitcoin is still experimental. -Also, by design if the machine you're deploying *from* is insecure, there is nothing nix-bitcoin can do to protect itself. +Note that if the machine you're deploying *from* is insecure, there is nothing nix-bitcoin can do to protect itself. -Hardware requirements +Docs --- -* Disk space: 300 GB (235GB for Bitcoin blockchain + some room) - * Bitcoin Core pruning is not supported at the moment because it's not supported by c-lightning. It's possible to use pruning but you need to know what you're doing. -* RAM: 2GB of memory. ECC memory is better. Additionally, it's recommended to use DDR4 memory with targeted row refresh (TRR) enabled (https://rambleed.com/). - -Tested hardware includes [pcengine's apu2c4](https://pcengines.ch/apu2c4.htm), [GB-BACE-3150](https://www.gigabyte.com/Mini-PcBarebone/GB-BACE-3150-rev-10), [GB-BACE-3160](https://www.gigabyte.com/de/Mini-PcBarebone/GB-BACE-3160-rev-10#ov). 
-Some hardware (including Intel NUCs) may not be compatible with the hardened kernel turned on by default (see https://github.com/fort-nix/nix-bitcoin/issues/39#issuecomment-517366093 for a workaround). - -Usage ---- -For usage instructions, such as how to connect to spark-wallet, electrs and the ssh Tor Hidden Service, see [usage.md](docs/usage.md). +* [FAQ](docs/faq.md) +* [Hardware Requirements](docs/hardware.md) +* [Install instructions](docs/install.md) +* [Usage instructions](docs/usage.md) Troubleshooting --- If you are having problems with nix-bitcoin check the [FAQ](docs/faq.md) or submit an issue. There's also a `#nix-bitcoin` IRC channel on freenode. We are always happy to help. - -Docs ---- -* [FAQ](docs/faq.md) -* [Install instructions](docs/install.md) -* [Usage instructions](docs/usage.md) diff --git a/docs/hardware.md b/docs/hardware.md new file mode 100644 index 0000000..46279e8 --- /dev/null +++ b/docs/hardware.md @@ -0,0 +1,8 @@ +Hardware requirements +--- +* Disk space: 500 GB (400GB for Bitcoin blockchain + some room) + * Bitcoin Core pruning is not supported at the moment because it's not supported by c-lightning. It's possible to use pruning but you need to know what you're doing. +* RAM: 2GB of memory. ECC memory is better. Additionally, it's recommended to use DDR4 memory with targeted row refresh (TRR) enabled (https://rambleed.com/). + +Tested hardware includes [pcengine's apu2c4](https://pcengines.ch/apu2c4.htm), [GB-BACE-3150](https://www.gigabyte.com/Mini-PcBarebone/GB-BACE-3150-rev-10), [GB-BACE-3160](https://www.gigabyte.com/de/Mini-PcBarebone/GB-BACE-3160-rev-10#ov). +Some hardware (including Intel NUCs) may not be compatible with the hardened kernel turned on by default (see https://github.com/fort-nix/nix-bitcoin/issues/39#issuecomment-517366093 for a workaround). 
diff --git a/docs/img/nix-bitcoin-logo.png b/docs/img/nix-bitcoin-logo.png new file mode 100644 index 0000000000000000000000000000000000000000..72d56833863b0be9de57abccc5b70de030b8268e GIT binary patch literal 45002
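Review bot: In the README.md hunk, the new Features bullet "All applications use Tor for outbound connections and accept inbound connections via onion services" claims more than the text it replaces, which described clightning as "with outbound connections through Tor, not listening" by default. For a README that leads with security, this line should either name the services that get an onion service under the secure-node preset or be worded as "can accept inbound connections". The same hunk removes "Note that nix-bitcoin is still experimental" from the Security section and keeps the caveat only in the Overview; consider keeping one sentence under Security, next to the warning about the deploying machine, since that is where readers weigh the hardening claims. The Simplicity bullet also swaps one hard-coded release link (nixos-19.03) for another (nixos-20.09), which will go stale the same way; pointing only at pkgs/nixpkgs-pinned.nix would avoid that.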
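Review bot: In the new docs/hardware.md, the sentence that some hardware "may not be compatible with the hardened kernel turned on by default" is now reachable only through the Docs list, while the README's Defense-in-depth bullet still advertises the hardened kernel without mentioning it. Suggest linking docs/hardware.md from that bullet so the workaround is discoverable where the feature is described. Minor: the units are written inconsistently ("500 GB" next to "400GB" and "2GB"), and the pruning line gives only c-lightning as the reason although the README in this patch also lists lnd; it would help to say whether the restriction applies there too.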