From ebcacd3d16d5b57be60a20b187df393ac31ca95a Mon Sep 17 00:00:00 2001
From: Tyler Starr
Date: Mon, 21 Aug 2023 21:05:02 -0700
Subject: [PATCH] add bulwark for steam deck
---
provision/local/.placeholder | 0
provision/local/gpu-passthrough/libvirtd.conf | 520 ----------
provision/local/gpu-passthrough/patch.rom | Bin 122880 -> 0 bytes
provision/local/gpu-passthrough/qemu | 35 -
provision/local/gpu-passthrough/qemu.conf | 954 ------------------
provision/local/gpu-passthrough/revert.sh | 32 -
provision/local/gpu-passthrough/start.sh | 29 -
provision/nixos/flake.nix | 6 +-
.../nixos/hosts/bulwark/configuration.nix | 120 +++
.../hosts/bulwark/home-configuration.nix | 16 +
.../nixos/hosts/kestrel/configuration.nix | 28 +-
provision/nixos/modules/desktop/sway.nix | 6 +-
provision/nixos/modules/gaming/steam-deck.nix | 126 +++
provision/nixos/modules/gaming/steam.nix | 3 +
provision/nixos/modules/services/default.nix | 2 +-
provision/nixos/modules/services/vfio.nix | 57 --
.../nixos/modules/services/virt-manager.nix | 11 +
17 files changed, 289 insertions(+), 1656 deletions(-)
create mode 100644 provision/local/.placeholder
delete mode 100644 provision/local/gpu-passthrough/libvirtd.conf
delete mode 100644 provision/local/gpu-passthrough/patch.rom
delete mode 100755 provision/local/gpu-passthrough/qemu
delete mode 100644 provision/local/gpu-passthrough/qemu.conf
delete mode 100755 provision/local/gpu-passthrough/revert.sh
delete mode 100755 provision/local/gpu-passthrough/start.sh
create mode 100644 provision/nixos/hosts/bulwark/configuration.nix
create mode 100644 provision/nixos/hosts/bulwark/home-configuration.nix
create mode 100644 provision/nixos/modules/gaming/steam-deck.nix
delete mode 100644 provision/nixos/modules/services/vfio.nix
create mode 100644 provision/nixos/modules/services/virt-manager.nix
diff --git a/provision/local/.placeholder b/provision/local/.placeholder
new file mode 100644
index 00000000..e69de29b
diff --git a/provision/local/gpu-passthrough/libvirtd.conf b/provision/local/gpu-passthrough/libvirtd.conf
deleted file mode 100644
index 7818f0bb..00000000
--- a/provision/local/gpu-passthrough/libvirtd.conf
+++ /dev/null
@@ -1,520 +0,0 @@ -# Master libvirt daemon configuration file -# - -################################################################# -# -# Network connectivity controls -# - -# Flag listening for secure TLS connections on the public TCP/IP port. -# NB, must pass the --listen flag to the libvirtd process for this to -# have any effect. -# -# This setting is not required or honoured if using systemd socket -# activation. -# -# It is necessary to setup a CA and issue server certificates before -# using this capability. -# -# This is enabled by default, uncomment this to disable it -#listen_tls = 0 - -# Listen for unencrypted TCP connections on the public TCP/IP port. -# NB, must pass the --listen flag to the libvirtd process for this to -# have any effect. -# -# This setting is not required or honoured if using systemd socket -# activation. -# -# Using the TCP socket requires SASL authentication by default. Only -# SASL mechanisms which support data encryption are allowed. This is -# DIGEST_MD5 and GSSAPI (Kerberos5) -# -# This is disabled by default, uncomment this to enable it. -#listen_tcp = 1 - - - -# Override the port for accepting secure TLS connections -# This can be a port number, or service name -# -# This setting is not required or honoured if using systemd socket -# activation with systemd version >= 227 -# -#tls_port = "16514" - -# Override the port for accepting insecure TCP connections -# This can be a port number, or service name -# -# This setting is not required or honoured if using systemd socket -# activation with systemd version >= 227 -# -#tcp_port = "16509" - - -# Override the default configuration which binds to all network -# interfaces. This can be a numeric IPv4/6 address, or hostname -# -# This setting is not required or honoured if using systemd socket -# activation. -# -# If the libvirtd service is started in parallel with network -# startup (e.g. 
with systemd), binding to addresses other than -# the wildcards (0.0.0.0/::) might not be available yet. -# -#listen_addr = "192.168.0.1" - - -################################################################# -# -# UNIX socket access controls -# - -# Set the UNIX domain socket group ownership. This can be used to -# allow a 'trusted' set of users access to management capabilities -# without becoming root. -# -# This setting is not required or honoured if using systemd socket -# activation. -# -# This is restricted to 'root' by default. - unix_sock_group="libvirt" - -# Set the UNIX socket permissions for the R/O socket. This is used -# for monitoring VM status only -# -# This setting is not required or honoured if using systemd socket -# activation. -# -# Default allows any user. If setting group ownership, you may want to -# restrict this too. - unix_sock_ro_perms="0777" - -# Set the UNIX socket permissions for the R/W socket. This is used -# for full management of VMs -# -# This setting is not required or honoured if using systemd socket -# activation. -# -# Default allows only root. If PolicyKit is enabled on the socket, -# the default will change to allow everyone (eg, 0777) -# -# If not using PolicyKit and setting group ownership for access -# control, then you may want to relax this too. -#unix_sock_rw_perms = "0770" - -# Set the UNIX socket permissions for the admin interface socket. -# -# This setting is not required or honoured if using systemd socket -# activation. -# -# Default allows only owner (root), do not change it unless you are -# sure to whom you are exposing the access to. -#unix_sock_admin_perms = "0700" - -# Set the name of the directory in which sockets will be found/created. -# -# This setting is not required or honoured if using systemd socket -# activation with systemd version >= 227 -# -#unix_sock_dir = "/run/libvirt" - - - -################################################################# -# -# Authentication. 
-# -# There are the following choices available: -# -# - none: do not perform auth checks. If you can connect to the -# socket you are allowed. This is suitable if there are -# restrictions on connecting to the socket (eg, UNIX -# socket permissions), or if there is a lower layer in -# the network providing auth (eg, TLS/x509 certificates) -# -# - sasl: use SASL infrastructure. The actual auth scheme is then -# controlled from /etc/sasl2/libvirt.conf. For the TCP -# socket only GSSAPI & DIGEST-MD5 mechanisms will be used. -# For non-TCP or TLS sockets, any scheme is allowed. -# -# - polkit: use PolicyKit to authenticate. This is only suitable -# for use on the UNIX sockets. The default policy will -# require a user to supply their own password to gain -# full read/write access (aka sudo like), while anyone -# is allowed read/only access. -# - -# Set an authentication scheme for UNIX read-only sockets -# -# By default socket permissions allow anyone to connect -# -# If libvirt was compiled without support for 'polkit', then -# no access control checks are done, but libvirt still only -# allows execution of APIs which don't change state. -# -# If libvirt was compiled with support for 'polkit', then -# the libvirt socket will perform a check with polkit after -# connections. The default policy still allows any local -# user access. -# -# To restrict monitoring of domains you may wish to either -# enable 'sasl' here, or change the polkit policy definition. -#auth_unix_ro = "polkit" - -# Set an authentication scheme for UNIX read-write sockets. -# -# If libvirt was compiled without support for 'polkit', then -# the systemd .socket files will use SocketMode=0600 by default -# thus only allowing root user to connect, and 'auth_unix_rw' -# will default to 'none'. -# -# If libvirt was compiled with support for 'polkit', then -# the systemd .socket files will use SocketMode=0666 which -# allows any user to connect and 'auth_unix_rw' will default -# to 'polkit'. 
If you disable use of 'polkit' here, then it -# is essential to change the systemd SocketMode parameter -# back to 0600, to avoid an insecure configuration. -# -#auth_unix_rw = "polkit" - -# Change the authentication scheme for TCP sockets. -# -# If you don't enable SASL, then all TCP traffic is cleartext. -# Don't do this outside of a dev/test scenario. For real world -# use, always enable SASL and use the GSSAPI or DIGEST-MD5 -# mechanism in /etc/sasl2/libvirt.conf -#auth_tcp = "sasl" - -# Change the authentication scheme for TLS sockets. -# -# TLS sockets already have encryption provided by the TLS -# layer, and limited authentication is done by certificates -# -# It is possible to make use of any SASL authentication -# mechanism as well, by using 'sasl' for this option -#auth_tls = "none" - - -# Change the API access control scheme -# -# By default an authenticated user is allowed access -# to all APIs. Access drivers can place restrictions -# on this. By default the 'nop' driver is enabled, -# meaning no access control checks are done once a -# client has authenticated with libvirtd -# -#access_drivers = [ "polkit" ] - -################################################################# -# -# TLS x509 certificate configuration -# - -# Use of TLS requires that x509 certificates be issued. The default locations -# for the certificate files is as follows: -# -# /etc/pki/CA/cacert.pem - The CA master certificate -# /etc/pki/libvirt/servercert.pem - The server certificate signed by cacert.pem -# /etc/pki/libvirt/private/serverkey.pem - The server private key -# -# It is possible to override the default locations by altering the 'key_file', -# 'cert_file', and 'ca_file' values and uncommenting them below. -# -# NB, overriding the default of one location requires uncommenting and -# possibly additionally overriding the other settings. 
-# - -# Override the default server key file path -# -#key_file = "/etc/pki/libvirt/private/serverkey.pem" - -# Override the default server certificate file path -# -#cert_file = "/etc/pki/libvirt/servercert.pem" - -# Override the default CA certificate path -# -#ca_file = "/etc/pki/CA/cacert.pem" - -# Specify a certificate revocation list. -# -# Defaults to not using a CRL, uncomment to enable it -#crl_file = "/etc/pki/CA/crl.pem" - - - -################################################################# -# -# Authorization controls -# - - -# Flag to disable verification of our own server certificates -# -# When libvirtd starts it performs some sanity checks against -# its own certificates. -# -# Default is to always run sanity checks. Uncommenting this -# will disable sanity checks which is not a good idea -#tls_no_sanity_certificate = 1 - -# Flag to disable verification of client certificates -# -# Client certificate verification is the primary authentication mechanism. -# Any client which does not present a certificate signed by the CA -# will be rejected. -# -# Default is to always verify. Uncommenting this will disable -# verification. -#tls_no_verify_certificate = 1 - - -# An access control list of allowed x509 Distinguished Names -# This list may contain wildcards such as -# -# "C=GB,ST=London,L=London,O=Red Hat,CN=*" -# -# See the g_pattern_match function for the format of the wildcards: -# -# https://developer.gnome.org/glib/stable/glib-Glob-style-pattern-matching.html -# -# NB If this is an empty list, no client can connect, so comment out -# entirely rather than using empty list to disable these checks -# -# By default, no DN's are checked -#tls_allowed_dn_list = ["DN1", "DN2"] - - -# Override the compile time default TLS priority string. The -# default is usually "NORMAL" unless overridden at build time. -# Only set this is it is desired for libvirt to deviate from -# the global default settings. 
-# -#tls_priority="NORMAL" - - -# An access control list of allowed SASL usernames. The format for username -# depends on the SASL authentication mechanism. Kerberos usernames -# look like username@REALM -# -# This list may contain wildcards such as -# -# "*@EXAMPLE.COM" -# -# See the g_pattern_match function for the format of the wildcards. -# -# https://developer.gnome.org/glib/stable/glib-Glob-style-pattern-matching.html -# -# NB If this is an empty list, no client can connect, so comment out -# entirely rather than using empty list to disable these checks -# -# By default, no Username's are checked -#sasl_allowed_username_list = ["joe@EXAMPLE.COM", "fred@EXAMPLE.COM" ] - - -################################################################# -# -# Processing controls -# - -# The maximum number of concurrent client connections to allow -# over all sockets combined. -#max_clients = 5000 - -# The maximum length of queue of connections waiting to be -# accepted by the daemon. Note, that some protocols supporting -# retransmission may obey this so that a later reattempt at -# connection succeeds. -#max_queued_clients = 1000 - -# The maximum length of queue of accepted but not yet -# authenticated clients. The default value is 20. Set this to -# zero to turn this feature off. -#max_anonymous_clients = 20 - -# The minimum limit sets the number of workers to start up -# initially. If the number of active clients exceeds this, -# then more threads are spawned, up to max_workers limit. -# Typically you'd want max_workers to equal maximum number -# of clients allowed -#min_workers = 5 -#max_workers = 20 - - -# The number of priority workers. If all workers from above -# pool are stuck, some calls marked as high priority -# (notably domainDestroy) can be executed in this pool. -#prio_workers = 5 - -# Limit on concurrent requests from a single client -# connection. 
To avoid one client monopolizing the server -# this should be a small fraction of the global max_workers -# parameter. -#max_client_requests = 5 - -# Same processing controls, but this time for the admin interface. -# For description of each option, be so kind to scroll few lines -# upwards. - -#admin_min_workers = 1 -#admin_max_workers = 5 -#admin_max_clients = 5 -#admin_max_queued_clients = 5 -#admin_max_client_requests = 5 - -################################################################# -# -# Logging controls -# - -# Logging level: 4 errors, 3 warnings, 2 information, 1 debug -# basically 1 will log everything possible -# -# WARNING: USE OF THIS IS STRONGLY DISCOURAGED. -# -# WARNING: It outputs too much information to practically read. -# WARNING: The "log_filters" setting is recommended instead. -# -# WARNING: Journald applies rate limiting of messages and so libvirt -# WARNING: will limit "log_level" to only allow values 3 or 4 if -# WARNING: journald is the current output. -# -# WARNING: USE OF THIS IS STRONGLY DISCOURAGED. -#log_level = 3 - -# Logging filters: -# A filter allows to select a different logging level for a given category -# of logs. The format for a filter is: -# -# level:match -# -# where 'match' is a string which is matched against the category -# given in the VIR_LOG_INIT() at the top of each libvirt source -# file, e.g., "remote", "qemu", or "util.json". The 'match' in the -# filter matches using shell wildcard syntax (see 'man glob(7)'). -# The 'match' is always treated as a substring match. IOW a match -# string 'foo' is equivalent to '*foo*'. -# -# 'level' is the minimal level where matching messages should -# be logged: -# -# 1: DEBUG -# 2: INFO -# 3: WARNING -# 4: ERROR -# -# Multiple filters can be defined in a single @log_filters, they just need -# to be separated by spaces. Note that libvirt performs "first" match, i.e. 
-# if there are concurrent filters, the first one that matches will be applied, -# given the order in @log_filters. -# -# A typical need is to capture information from a hypervisor driver, -# public API entrypoints and some of the utility code. Some utility -# code is very verbose and is generally not desired. Taking the QEMU -# hypervisor as an example, a suitable filter string for debugging -# might be to turn off object, json & event logging, but enable the -# rest of the util code: -# - log_filters="1:qemu" - -# Logging outputs: -# An output is one of the places to save logging information -# The format for an output can be: -# level:stderr -# output goes to stderr -# level:syslog:name -# use syslog for the output and use the given name as the ident -# level:file:file_path -# output to a file, with the given filepath -# level:journald -# output to journald logging system -# In all cases 'level' is the minimal priority, acting as a filter -# 1: DEBUG -# 2: INFO -# 3: WARNING -# 4: ERROR -# -# Multiple outputs can be defined, they just need to be separated by spaces. -# e.g. to log all warnings and errors to syslog under the libvirtd ident: - log_outputs="1:file:/var/log/libvirt/libvirtd.log" - - -################################################################## -# -# Auditing -# -# This setting allows usage of the auditing subsystem to be altered: -# -# audit_level == 0 -> disable all auditing -# audit_level == 1 -> enable auditing, only if enabled on host (default) -# audit_level == 2 -> enable auditing, and exit if disabled on host -# -#audit_level = 2 -# -# If set to 1, then audit messages will also be sent -# via libvirt logging infrastructure. Defaults to 0 -# -#audit_logging = 1 - -################################################################### -# UUID of the host: -# Host UUID is read from one of the sources specified in host_uuid_source. 
-# -# - 'smbios': fetch the UUID from 'dmidecode -s system-uuid' -# - 'machine-id': fetch the UUID from /etc/machine-id -# -# The host_uuid_source default is 'smbios'. If 'dmidecode' does not provide -# a valid UUID a temporary UUID will be generated. -# -# Another option is to specify host UUID in host_uuid. -# -# Keep the format of the example UUID below. UUID must not have all digits -# be the same. - -# NB This default all-zeros UUID will not work. Replace -# it with the output of the 'uuidgen' command and then -# uncomment this entry -#host_uuid = "00000000-0000-0000-0000-000000000000" -#host_uuid_source = "smbios" - -################################################################### -# Keepalive protocol: -# This allows libvirtd to detect broken client connections or even -# dead clients. A keepalive message is sent to a client after -# keepalive_interval seconds of inactivity to check if the client is -# still responding; keepalive_count is a maximum number of keepalive -# messages that are allowed to be sent to the client without getting -# any response before the connection is considered broken. In other -# words, the connection is automatically closed approximately after -# keepalive_interval * (keepalive_count + 1) seconds since the last -# message received from the client. If keepalive_interval is set to -# -1, libvirtd will never send keepalive requests; however clients -# can still send them and the daemon will send responses. When -# keepalive_count is set to 0, connections will be automatically -# closed after keepalive_interval seconds of inactivity without -# sending any keepalive messages. -# -#keepalive_interval = 5 -#keepalive_count = 5 - -# -# These configuration options are no longer used. There is no way to -# restrict such clients from connecting since they first need to -# connect in order to ask for keepalive. 
-# -#keepalive_required = 1 -#admin_keepalive_required = 1 - -# Keepalive settings for the admin interface -#admin_keepalive_interval = 5 -#admin_keepalive_count = 5 - -################################################################### -# Open vSwitch: -# This allows to specify a timeout for openvswitch calls made by -# libvirt. The ovs-vsctl utility is used for the configuration and -# its timeout option is set by default to 5 seconds to avoid -# potential infinite waits blocking libvirt. -# -#ovs_timeout = 5 
diff --git a/provision/local/gpu-passthrough/patch.rom b/provision/local/gpu-passthrough/patch.rom deleted file mode 100644 index 2f88172c5301681ecd25c4738dce7615fca8c59f..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 122880 zcmeFa3w)H-wKu$<%Um*x6hZb7 zdw^|+KZ|WqyG$p{4NvJP`TtR;Mru!GW0m-xQi-BQ`twZK`*qI5zihU8c-+e4D?SK^ zwUYLg?}n+AM`vXlzA1X_)gL&@9c`?Fu>$tN(n_5t-Z(@JJD7i{EbsK2@BP~f3+q^I zVi_BZUB&-)|A|vW82w4iFIUKqOER;0q*A>;Bf&7kV>4S4QMIK@7F2j7Ju{Zttc%f} z9VtX>Iv%^>YeRm~Sc)*5=tg=z+xlbMuSFlUWbr(4T}-Lf#uib;|7!zdrI(~lEDJG@ zb%SK1{(4rIORQ^CW`d|zZusl!)lV^X%$R~3#@#e!!nn#iCylvbQr;ML*M!-(<>#}C zTW?!1xw>M;Js%RmwJ?6Fz%+C#@=jaH{P6A zP&meJXG`yX;C}br58cPA%c>XTkI5T1rf|yb6Bba%7EH)nP+58Btqahf1!D@wRn1%Y z!-t#?+?RVl26GgX6{3OpcjSB_Kdy|I&k~!nKW6Bi^-A?`cR?zQv6MpMfgzkBTZ!*6 z0Z6K1axw*o^k`4mp}47gDe?Q9X@gZYlhcLEP^y{Y( zXOR?@6%qOVN1?1!t*nqWunkhXG==5488fpIT``K6ZtM$(Q5U5zM=Rtaah1xEGx=o7 z7x9!-U2iyjx4t(#?8nC5FyTxoVXTBrVk{LARm!BNJc^zQRjV2YL7LT=;dOYLZrp&U zb;uSx6GnI8X&V78p{{t~zh6h!fk+*LsZ}YPo^l>NBXkTcML1?u9iFC}7UOBXZUdeP z`F=cYxfpHreut#><-bt}BPYph84ZU^m?}YaUJuVdU&KL6nV@9o&B9Pp~!k?I`sSG{;3px$uxB6Q1;TL$l`fz z_Wz;yS|+J$^(spmGlkiQLIfF$-A+;;Si+ zQIXUQOjacpmej`)kSXv>1oRa61p+DyC+p)akl63_>Y1V@LFZKj7~Axy#MmUE{@7Gh zzeceuWx8kn=|Fr6CRwAbLAf=Go(u_cX2$NWLtW^Cr@4lF;c_H3Mv^)}w1j^hU~iPc zKUvXy1^uA7N{k0zr`PcGSS$ZeIl;ZMq$p;8-gu1XDpU-Sz^Vb~!8n5Jb$Ak+Yn)DM zDU(UoA;J&GgVzuu`zY#;soLMBc_86$7BLr05ALC!wjd^;{^aNdHCAKWg>$mLepRhA$f2 zg1ARxTw*h--yf^xQ!2^iZp;F?1bRFSuxq4>ajif+Ph(IaIYbY1Ah{s`KLsN74WlrX zUkozi~Nk;3vdGN18~5mA*km;33?vW2Q^3T zU-N|bPak$BYlTsY=2GxPKaAvl`C4ZLT{4v=SHTo*@a*XG!&=%RcEW5hE*7+q&a@gO zw&qpFP7K%bM|NrBp~bF#suo%I2K$}#2g7RP3z0EV3`RZ81L+pQ6^qU4l0LKu*+jVs z;Zpd$g)!w<6<*z2*dHl;$Jn_O$_nytoCrznMY~x;i%t;BjG)C~y0td$oH=gH9oRbD zS&)A#qZPNJLSi!jwSYRn5&#Qf{Q(#OR=^~{6u?wK1z;wi8n6P;0Pq0T0!X=PEN(=@ z+Inte1DKu><0$Bu55r!bv{pD>8<4ZSnM_Rf-|c-^4uSLq+P(O@xJRMnz4 zT45ZuGw3j4DL zX43F&BMCpQ4C-?0*g4{*El!3}f$_7kA(ROPV#!XiSfZwWIy`L~1`V@j&8%i*w>wBDHTw 
z9C9nQpW4^{mMld|Gdkwp9^bXXnvs}cG-jI2gl|nI{N&`Wn3jx5Ki8GZQG zTNNq8c>7{o;_zQ2XAj6WnX==oIfS1^_-Sdw(}sWZL?TNgd{f%>HH4qphY!O+j?t<5 zvn<)DDv}H)S5)w?Y@+@vro?19Uht1e1(GQ?4x1HK5gJT%ztY%ty9sikeh1$! z+xp|jUxN?%lTA89>|rSfynhwGs#5zoN=83?a{@?I)xP#2e{!rYF6B+7A`Q|f4E3%Ddy;)YwI+EXB{1wKz{qPeq2|uO}AMz{5 z>r%5;>DP^lf&9vlUqgTVbukb0!%rGU_@+L5$ggbG4a})GY|1xTP4P11SK!A+=-(8P zUv2!8vk5=84CRfCBlA0lpH&?}~rDAAZ_6!ngL}L;mCex>4ox;%wE4>8XQMLwbw}`b&w6 zv~Np1&<{VonDCS0qwLS>Kb2*hVf55s+^E{5jMTxZF~bx~_?8I%sHCI)@CQ#K{Nz6T z(l`b9`4#P!(nZO38+5S!YW&jVuKxJtgrCxfPfScJ|17L?o3Lg*A6d6pj$m)vpon$n znz(#TT)8H$UK7_{6W8~~WhP@?Gh7olUK5YGCXTbZ2z?rUZ2vgrGyA;M0bPLefQx`0fIJwMEMQ$aQ=V0s&IXtzGacDtY1i4o z6(eB!Fn0d>zxN3-Qpr9m6^Ek(5Y|Aovo6XhQ>RSQ%xYL~Ru46R+cV%qV&q}OVLe tCUl(sQlMgRQ&uZ7c< z^~y`~dgVBKNj{G4G{G$CM=V{LB~jjASzb77W?y4dwc)?jH={=)d)s1Vr6u7KF~68? znsKpzvqmbXb69fo`pg&z4mM#klVtmt$;;LvTxeY~`w0`35@$3_8dg=ds4Cw|c?0ui z-uH07y#9Ct>s*!n^MJR=HG7yuc-EVj%w7}0qlqOvYrfWAe>}>w=HFXh=GNN#KD_Uv zlklWr?y^M@y#91X+l%7$)(Mu?+N1s@Dn#c4`N>trf6%}Fcr<2tL#REifBo^0^)il^ zbxJNv)7K%!*myRRx!4Yz@j2LSEX2k!&VInAu*DFDC)hNG&62?^4#}ys^q<0%fQfCU z*h;C2g<18Js1nqvBF7SuH~Fd@S<4YjV5Gx3xZT*RAByqFn^=c*1DK|cnY2oA@~dZw zj!p4)oLX1Q=~!<(U>X`a&Hcc!XdqKdu~W*18d-}zMU{b`&2r?8V6e*kN)BpV47^_P zXPqJsZ_(5d*tlMucgpdz(JOTOq%`$9R?Rj5E83pSf{rOArTRR1i<%F`<-e-V(~hyx zGlvnx{Ub)u16~RRQ^=LzFQue}9>PP=g)y*7`osh&H8Dxj{~%dP{XwdvpEW>Aoi$L> zpGuQbPu(k}b~+_f=Mc%1I8-wIV3=f@l_i-@O_oxFWs)iAmQqhIlT4=%NU4iIluV1; zrPLpNESY|EOiEpHLNYDkQtHx9$+YwvDb>|2nOr!Rz&lC25u~|OnXwcnZoiGOGI^-- zSDemFnn*{$MvQQ}Hp7!~pR!jYh#z`J!7|aEcs6;CH(M}Rht*$T&({IJ)vA1 ze}N4XH9aKmJ1oT;7y9dS*Gz-R*c#hz$xFDH;K$K#s8D5>M-!hdVx!|c=DW;KiZVyy zPMH0P7ZYC7*s`xe5yB)gPYDIT7<^yx1%3GKeSce4G7Y>X zOe#4S$@{P39sYKG$?9L;TD;!AHoYC=Eh*U*sdLciq7viFpB5i__l9C?=S_cp z$C6(12$2ao|5@H^r;GxaCdFF8;$Mvk3n)yz>%izJKfHqxgv=)VxQ}f zNHg}iyV)M;d6_HEU6cNWbhXC3Ha1R~2{Myx4pt)~nsh&@N8&p(>Joob;fa59?@y^xePs$Soy$4@|m}sO*Q_8$ABP zZyeDGWXsVr*jrS4$CTo&Cko$=rjvhk)ySfgC0WJwH6Q-De|jWb;&h%YdHSh=rJ0Y6 zEG;M~D2*AEQ8XmeRrJU9&x^htlU=-b)fBqD@V#ywY?bH<2ZaX;4gI}E|KmhyW*iAY 
z)~{BLzyAFV#nm^zKHl>dE+PE??*GLRz$K#!=XB=`XQgwNbGEa}lDRpVt+N=}t9EWr zkM+Bgv5q?zIBT8roi)z6&N`&F0Nic7vJc4*pIPxxNe| zYb^dt4s)wb8Sm$0>X|gTA_`Gya&nCBy7qMW1r)L^M?lD0Fe{Wn+ zeqG`V)BnnEN#}MZVzbiU=c7=bN=>6u&ugWM(%=8?$U9W`^|{ZcF&d!UXKk!`T%qiB zc+Ta$Ci_k|)tZ~iRHCV=jCGEb96Gm+zdDdVGBEd9BSZdd%4n)pJL4sX-kr})vCjP+ zNH0s?Av2yFySB{6LndcanR!PH<7#YyA7Pg3OI@M>xASA>h;?U~4!aY!c^ELX7Vk># z^fPZ8Kgf8Y6u;(W*7*u^3~&$TkH@+6yfKD9mdKL~e1)lCk8d|nP<{h**xZv%VYijr z;;4NypJr&f%Nkt4=f%14UTiAgn&t$1)D7F?n#c3v-bTuECf9WMTT1ztCVtc`(1PWT zhuvwO%Q|-oYBTX{k(?aN091BdFz&flM}b-PEI^=x3|Nr zoV?q+Yuj$d+fq;7J*PUrGG<#cJ;gHfEYr2>;dw1GYdIRz)2bf=qrW@<#LIHWvCG{b zhIXyZ9>Quf1FQ;S6wfn^uHih3bq7?}*TDqeZvOY=VJ)sio*-fu3bzu6o z1&r@YnG=}K)0jJ%KOi|Icic8R1D!>5VZ?1|45)l0VsxnH zW;KC|8Tkiz+CX`q{2_4~`6zPiwCTXy>Hse`G;e%f;+^bwpT)aofFZgAMwglB{tQCO z?_q&AWZuJgCNfml5Xu-T@&BQ?bZ;p91mhD_eu;UmFn1x!on(RLjecn>n+3K&{16NL zPG+vbZ>W45ZxV)V+iAJG4_d6dkhg=ijR_rBJx2du*VB=>7)VwGK5KQF92Godl^7rtc3=kpySIvJ#;t%wO zmJbLxE1EZMlK3kFyzS2Fz^tn2+l&lr_YNZ)`SJea&DD4DCkOE3(y_D6^X}lj0oxSj z+xJdp?jy7Gt^rP;uKDSyGXF5uH(70dx;UXMCUYSpy(p zF?_znf5jT#O>b;VJk~iY{|x_Om^ye@n0jDs3?%bW1F{zTx$5P7W_Z3}uCxJQuCnHh z7~}W>4%t1PSizw#DWIhM6H2@9GFm|!U#6ms6#gyyork&OcrG;k!)v|-kFqJ8=XpA1YLvk=Xo8CN_|1q`sX}`oXQ=8|@{8>bHO1z0R&)4xM z5NVZo10qKLSgLQg_fu!fZmV~n=UBYA%YRn&p7x*7dwcxnRL>WR=R~~!glhWGbF9R3 z!tXyVo6h?J%}?)@_^y=Zr{9x&Eqn(8A4mm$Z!6z|;64iOi zm!B(H3dRkwQitMB^zPcnUzCt}?8=KWd6#`Vo1bo%`1L6PhvX{q?Tdf2HLFB*h}ld| ziGOovqd&8yLlN_gcRX(%X$k6Ej?1|h{%zIh+zW60baeC6cgg%zGUh#C#l{%}%XD~J zSqu|XSe1e)%%u66{))nFY))4k;^}})({ntT0I|?T;tpAY&mL0Oy(KMzTGwG70D;$__d@!6)Diy ztqTH`)A>NKzxUmi4tY-V#ubv%&d(*)1fW(7EC3OgSfH|b`=n`o!U3b9d>g1WMf^WK19sHcfGPe=71GsF%B~ZvS6%bb) zfPJ)g)J zKK~b;v*n}}TnK?xxDHB9R~x99&g-R$d_UhH^Sz9(0_zwRo}N_5T_*3ld}$(VGq+sL z|0knChr*PSoLJ-!HgDV~^KTNJ<6GRR=~;Lt&mQ)$mQRuDfYjy1tSR3^{%K_{>Y*zf9-DL*6TM_}Xv{(Knnf zS31YP`wH1 zSl|06%(LF^%3sLt?tsfHNzyBf7a6E# z?$N(!caMLu)UEJ%Bfn2?^1B&-SmLfL{D&db2`jN&HXU}w@zp*2W&oL@d0s-9g-l6So|e@_b$mKY@?#fjLCwEn4+8WQ zv+rYHIb^cK>MNI>W@7JM2kb6fWiivwSUCtKR9p#ZwfH 
zUlT9gqI1VNeUl~UHl~wV=aU!!UGRAKPRTVKqOcgJ0zp==$Gg|N584G=DPv@F#+)u-cM$M_~|^DJ$ zPLTCxjI)}INayOKV&R5`fGj;PHjxN94|Y&yDXntP$GkIpeB-y0E8(5m@vFa;aGvmv z6A7|ArFotiyDk2MnC5v{+$O8ME++PH?E)Nvk?62e9PUc=kUjDSNudW`8*h+w^w3k( zuura);wWmNXuJneD?Jiu50prcB+3|OS2sxcc6EzfU|0R}J(LmFnRGfj@Yluag>SSP z>Gm<3%?$?632D3v{%KW@T`2Geb-qb*tiKj4SHVx|8#_(BgEd~%EmOAY*!~V>_vIHF zTjgVywuZyMuLhSnD~Zo0;1~f%O&Fv2x7wXsQM2Ma$VtIp_?q7WD{~GONYW3G_7`Q7 zKeE_U^eOp8h?K~sLG3hZRs?Nh`63;T7--EuXv|Vz!Oe@|dyKHVUy)#gA-T>7+q)98 z^%|)XQjjlcfmHr11)MV=M>~6*bKQgZSmsLQDXbKISsKTW8K%HcA`7A2Knwp}e6caG z!*~}=KWJ3Mx8>vfLxui77KZG@CPgNnYIKg@=`u71jK^SaL4E?v%Xip6$IeU6Kg&}a`?2>g{7oig%vptG9g=Zkh2@N|Xmq)V#zdp{Gl=X~4>oC9>1xKq=eh&f2yS5km?p@>TW`z;h2lji@5el!^~PrN zFJ<36do9nPBA6x|=25Phsn{-161LW~`Di?y4m}GE<-{o!ISZ>^vPL@|P&xM`PVHGB4<7ph6Ig7AeP?qVPTgfMDTIg+5N7a@Yw@7Qt zVgwcYutXun+*|RDuq;rqHBjVVwM^aWUlnNdmt^^2%Q-8y-S6^TR$Q^$Hm&nq#_n_5 ziU+`G(5Ka~?VK}SW6ldZ@g_9vPV!tya#=iAl3g*cDV}c?m;4&-cle`_cy7h4ri)G6 za(zuvhqNRf5gY%3zUD=bThR3^)kPlW8oGncD`K)MZ3n9>VyY`~2U}Fcj4sm-c7Nl=QkRUqauuJ=TqYmR zDU2-kFzjx?jOo}|51NgAhH|79N^qLwDG9rbw-{V{<>O#i!C`RR+`#PVJO#VS<_6>V z`Krs@*k%p2+%i?a`!?w21$ud3jO!`=W<_E5MQ z+l>4@Fn4*_rFf^wrac&n{4=k~{3A;Ep=>&XW41zH+nEwLD zOAsVKRB(a1KvQD=GAx;qL`!3vnix%n+a%s7 zaSOv%g0H_qjLBQV5I>wx_ZClO+!coEfNR`k=H{@|7eGnKATa60UC~ClZ>^2EqYQ7^fZzRMql^|nNDIalG?@oqKCV%@V#&4f04;^t`4X;|2ftf z=yCpmZxcnkQD~at{5_#{W8vSrh~eZ?Sc6+D0{f5RP6i?~E*$l}$4ez=rSD^LQi7$x z{IZU{%ADt3Rh?%F_BfUHr6%VY=kL%JkGmV8@qwjg>h<`RB`OXd&Nyr4LWucgXr=zB zw3O^v1S~8lkYO@Hv3AVw8P4Pzan~K@37BmR*J-th}w!XkD zubq@tOT$K!3u81oOEk%3w7z!*6At4Owj0*G?@Z+HMK<`scNbu`5fcivOJ6uf888vO zTerK2`Q7I20p+x}%hc_XgO*CX#7d?&X@{8id`w~qg0c?=F! 
zc8)x7;p@jQeC_+hw}0fG0F1aaw{?8`a`VW5uYKg6kq5w~0r-c1@z{HTS+hrW`_3wd zllCl0n2e&|ELX?3FFSWJsr$|q_Wd94KRhxpX#Y1$x)j9C`#bj^Rsu=;mwp-ioP1xq z?>%2@!GYTOfnQYo92!-=aO`n->V@OV?rJ>t2WB`cUiU=b(|LDh^=!XrcAj%q&kfAj z-eY#2iTLNBm&b%RUg95w`QO9O1b7xjTEaM)dIoiXZ@C^UCb$FJY-dZ*!aoY}cd+JF z5UU}<%5y^CFX!s_iMfa!ojCYl0;Ph#6yhI-`Ojc#K+#ft-uFGndpt)K|51fEhxl7z zK1XsM++AJaJm}~5p`5b@>eg8?oeESkWO?7EtQW)BNJZ1fQ~De)&Oriv0d&TsP=pu@ zkCg)aMvBUuN&RTy_7J~4%uh2i(7i#BA!qS-QdeKbkr!L8dJhJ177~bRgn+YOhROL0O2<=mo`Y>Q%XhkRy00tSH!nHc zH#L>#ux4k^oSONt0z_&SP7#tB7X7}0Miev!|2AWG)oxse@^v-c6&V?OU48qG>-V49-+t_p_f94MjPDYn9s55zcIm>t3m;_gh^G+%M z%vNBwz=UZlyF`bl$Bp|R>e*j=>DWc@oiZv2_-2QqRSqk=G;DT{s902c;Mk??7*rWE zGh@$!+PNCJGpZ_l?b*In|Cla$?OoliWfz$5lJBnWD1F&6<)~;?Mzizcg1MbvhAOcE z^R;V~F3U#%$kA zIlHMUIlHYK7qn^G%k2dR&~$Qk!pzil``5Q*cbAXW$3J4yWqVeQW$vM*obI_a(QOi?o63gw!F121@?NB@V4UaD6gLrJM6SJdE(q`6MI=T>mb!!->H&zC zY3BMe(RCTqC;Hv5kZ){u)A9(uDAHIif2WL!+C)uFm=>xBh1BQ(^2K4_*PzaZex#8+ z5=18#lQPoUd3(5$$kGS^k&y^BrIE}Z6m?YD3;fv<7$sp+s>a6Ux%qz22|Y}4H{RM~ zk*W!xsc53=3Tg~vL_4G7DO0coXiW#R;leJ`PxTO`Fj|j=fSN2gA~V~UsemE_Xa)%x zcO>0${T(ar7=1_i9e3YRf5(zLDyL(N_?D2MqH$F!@nqwwsw9#FVj5Q$}mPceSAN3jW5tSQm3V3p%>{LluiQQnLv1AxI6U}%nA~B*y#m8!GX@Ng#_^P zSN`d&q*^d4R9>(Q4_*<(E6a!aR7k5fV%e?bBUS!;WP!tcRjJy{AyMKxt^_-28WCaq zz?I;qh%^QubPFUu-fkQ>CX^oJfOzG)byu&Meanz%)kx+_1GV2fX+i7NIo+EP z|K4d7;v*`%9Yy{V11v@h!uu^Tp9<#FM+XLt`>K#qt_PoxMx;UQN9K{u3t(nNW)@l3 zj(3C`#G?0~ASnh^#DIz@HIWJJoE?JUGJOWw0auZ66^oBtTLy{dpY%l88&i4%@u>18 ziGxgR51y<_MWIPyZ`mb{ts*R+3Z_aXrm7m5-|hQ~<}SjOV5@(?iT5Rg=~KVUR#y{w zWHXGhxpU?RrbF4y?)gWI2CDuTLguJGl8!dbCl2=n3Y9h+Q=lM>cCZ z=9|kXoYPl$3^;wvcMFs55!&}%Du3}Zz?r7td(&s&1#ZS=yu76` zm<07Q6KnlE)I3$sU-=3K1FV3V7Bc&B9{;p(yJL(mOW&Z5%oZLOzZZO@z(-ddEipmVOKL6X&Nmh%0wFG zMZ$y<5^Ft_0`&EFl~A+u(t^&-Jv0$lE`qMHFyBFj4`e)oNzi9MQjWWNTNQ?pmb8%; zN=vBwh;E2z2C*PUhv~bEz;~A#EQ44<|NJdA{!+MCWi`QOXsSw!u*c)!h}|!2#nq0v zb6qu99!1RKSm-_~BH>9gh#zthV<*;YL@r&34y49f5oJ8S+~ocP*vIJpH?0~qTPaWW z9YJ9kOcXU6Dcoa(h-CC%1H2S6uGztIze>Mb&Zq_tU1gJttyuq>^lIm$ 
z=l^+;E~Rr}ZxM_rTJ|lF8UsqUB=#{R?xJ6flVl8%hQiR&5lcgnO&h54+!h{7wzH%{bL3<2 zrsZHNH5)MhVO*cVR_f6DR@mdCbS|+1WZzPr=g!bt!2ZFv3Q&Y`S1yRLYg#TZ=w%B9 zr_{m})2hgmL=}0cVwBtdPpiOk5uFMp_@!0}ofddjp_0D`qZ{>plSv&YVuE=+tBQ51xrM;>4NMqR%)z`*<6GnP|cQXp@ z3KRLt0bgy0@=0R}i(hjuUfXnfoL_v~T6UVXm9^tcwykU*PInOLW~{aBloZrEr1(eH zG4Je7P2dQ-9oR0nXbl@E7(=jBb~m=fYvTh^W3v|Nu+Q!S28PO+c~&&Pr)o{iqJQ~4(v zFIwY&_7q#|JSC!!_~U=p$ky!x1|1SDkeg~dsA_~fB{lBbfoIj?dekUFnb#1m9QD<9 zH`Q)`kYxjX(<2wigzFRxy<`Xei)lTM8dzC_k8D)aO28u z7XQeekZ0v7t4jyk=z1f~cx`8F2+Exl%`_EPZX3CbfK0xe`e7cUTZiYjtXEueD=p@`^ss4Al`7X>69 zcS_{X7KeT!<;hc#R$=Mj0B2@~IN8vQjjLNAW%fN3;g!;V zZjd@(WH<=Z^P8m3e_^=Ys^<&j&L z@JIM^!phfaMes2LrOkI3P;Qn3<`UnBoV6?Cg10$hkT$_#Lg{-67e!aHb!F+n(fEo& z4qoT5qV!zKsWk@&ITDbT#iVe2$;9~LFbY~T4Zp@P14c|T`ed+)a@;_H{q zFR7W;@3Xuy_(@_mdvfIjhF`LzFUTTJk&}Op8&X37i)$F$R)SmFcs168_eWnlfA72e z_OhC7L)q8Q>oeC)Gp;MQuA63CH!XeLG<##)(56)uykGg#=Ub-bpTHZ*s%>~zB+wSj zS$9~U*{0jUS|`hfw#jNKYnzO3Z(1i0(zi~wNv)I902z|AZE`VN^U;9yhxxDC@qI`9 znxjmgN$FtIHp^v3I2rt`{%?EMb)w^uBa9lIF_4Q zCl4?}hfE$|$$j?SoTkY}dPzBf(+lmEPV2#rrpeZ($@yE12RhbH9!M|3hw~cTj9xw( z(zKN+1$Y}%6WYCY^5C_TZ(KWh?E1r1l|<-u?KKPV=0>N_Y#biKL8<(@vSr%(!?gj1 zGx61~`|+KMimRDJy4#HIyM6D!D!px=%DtbuX7S(=5NjbaJzscCZTxR?@D@Jx6MRH- zxSj7mNag?X_YYRf4#^j`Mb)HPTG_0v^`XN7p)rrwj?rk|>^ zO-On~wIV{FORd|Tz1boeY6DWd_#B(DQe8a#7K@_l^af*$Db^fkiI?zMd(ZY=3N9X; z!-oK`OK%^T|MH_9=e!-EUB|jHdgr#quX^ z`zhyhk#iR57XsAF_dnBm$$#@1K9zdxGq<{R8VhWlrUZD?XRb;V!NmcWjqW$=c-v>V zYdTn2| zZ#PwpcY$K`7(RG1c+c?>9|v_j{$uY&!TyY=eC8TOWQ`SMb?+*5560Z;a0eq8k8h6L z$vcu5f9LP}xo@Aq5S5|Q8F)*z`dC=rf6TYDR8yE#vg^c-M8;2@fWDp^*!W$&#f>Mq zH_Wd)Db&#SXoP3pw;0}0H|P2+@@Ar+=+?ibzGlUVD261NOYQCjo3=Qc!DWhgKxsJ*Q#B{+_h?O zWVOfgm}>N7Th+fBEmpNDb)nh@&Ns4F{TkIq?0>d?oy8)d)4heND=RFSxYeu`Opt*qS-@p z@%b0eE#mtnzFy+57h5u^jFpED@+&v+Z*BtZ&~)Obc-e}V+6CSC^kkLecA~=Swr^UiX2m%kI#-(j5ku zZA)o4K08_+U}|7X>Auri#6uAZ20T3mcY=nmLm?@Ehc58WbN9R*xCieW?_vSf!|?7% z?`Lry+2WVuJ&M(@B$VnBJ-Q^n?w(Sq(wlLc>bY!KWz7%oKc4G*?DKn`yH{PC?Nn<5 zqw;d{ZpgbnZv_4~fQ*vs^KuJ^yA8R@e5s&2(AcJo54q1kP{b^E>mO4+?%NuRp;}!N 
zH{GUgWA5Wn>w?SOIvK#D%^=;0A zFqUj$|5b*}fF=u6p4R-d@B}7@>_~GW3B2r-evlHEduzwQ+AK+t<)NP-E(=2 zdl0V9#-esJHDnCxDE|UUO zpoD?+ffNh?ZJaxMhdqq@fH6DR=cqsq{s9-_f-i2o1gY90ot=1kXqzc;_L)H7HRUZv z!vb|9za@cHy&bQp2Tl)<$HiUg z%h@n;(>s~0P5X`Tjq87wocZLo&An@^H6bx6IVE*~QT%ia%sQ)ug)4w>l?Z>qw2Fsk zt-cCB=Rd}$_DlQP_W-{IRl`yH?8$A9+ zi0iMvA^)cFH{UcizhLZ*H;x%~-RL}o#ung5iVJTka@>OdXXNIaZ@Fpg7)57@iH$YI z7~>LB1`bF`N}$P%k2P4W@RO2~5|dMHX#;HoQZZJxl;ngIOfO?f9ur zy~ckue|~NJBJAF#a>|<}%$7W_F*+%8X#0|+#Ny{xr8Za_1Gpn$uZ@$F*;n(vtKbju( zqv=sUnjZCu|2#zha~l7k|D_uJ#DDP%w}XCgo6Uwq;yU=TjILgj)9D2N3jEFg7+=`P z$%ew4ZyE0>DlQ=#S#ub_9JDXwe{-+=_wj#nrr`f;@UM}7$PdZCXkW;GAAZh%jGtq( zLcV~1UvK-<;_y>yn*8_EAAR(jd*x5)AFGgG`MzHH?ZfY{fBqwU=l9{q3;m~w|38<1 z{rAa#4&*-&X875&{;uEnOTGHzAL2*(w~zjQ_%wfzAMlT5VekA;&?cAozqG&pj_RKY z(fKF+W4|{lZyHwVgICAX*pcV1PSMKYH^^{fQ>^_wG>-pm9AB0eu?5;-Xw-e%s`sj~ zo0?Q}Le_xinpFJy#L^5zg#qh*E?CIhw*GEaQm^(pTU_5y|>m&i5UJ zomp@gpZEup1a;GK(aam*Z;cKG<{bN~CP2TDM}Oki@$kEN2=@YYLT>ybKG*xk&+C1c z_n#BtKTueNntxs&*ys&hLeJ30ay%ms>f{&C1fp}Za`g+V|NPYIl?|ao+gn2oto3Xt z)KCaXDQt-N*0X1=g$&V9J$zPj z%*j?A{>k`3g9b5&v#`FtaPJDDHxvp*%dMpHa8P$PfyZp=p>)v2@)m~{=TT|D-;WO( zS(Y>G%z}>&HBda%K;7$gHiv_1VfFR(BCWnYgui-bTj_7m_n^X7vn{W#l@-<(F5A0z z8QK$-GbGm4<=GejNp*~!#dw`X6(C2bU=b8$sa4Gt7BW3mhkiG-esHAwWCOFU5IsN~ z8O{)Vy+hyHz|856`jFYoLjE2-#T#1vJ+1IVt*8MFG$2B8JXTUZOUF+V5>Vryh?>c> z(c+2b@sA=zC+as-e}Q-8Q~yfztF<-M+RA#I&IYHm2jh)#b2`|?ddx%pMHbrWzv$l? 
zVxfEL8tUr0famugL3^zNtrfqLLe3%l_V&fBb#HrD``%X8h2g2YCq(>o=n(2}J$bVG z$Oo;|E?k3XPpc2nLm2AT)*iw`{SDNgm2(g6^JkU03+U@l|PA*EEN4W1H)|IyP~7cS-+wl>B3AOm~{Mil)g|4@i{6;aWp*47V}0fF`WI&V=A zvq0KxSgFyx0E!@qE&CKGnr8_|C|9G_)3i1P2<_{8kW4dm=)LEx3CDlHvbsi zygJAU99WJ#Vl~G6d)xCG#+i%BuXn5@StAw0*tq)k`f(_QXMHR4qQ|(K@=B->E6LO17x3%0A=~WLmovDv9KW;S*I+dZYa!x^Y8VI4Vzpu850|I7*{DygU4~ z{Zq)}ioF;2w(iBS-2=VR0Us*?^na+e4r(7Gx3YcjUg$NkFg5rguAicnLi`S8J=iWp z`ZGlQC)lw5EV!i5*(#Q+m4^?nWK7>cYTnNZ>%i`H#Qegc9r1^L(sHqq3H1ygS`1nn zK9LV{!(D&bKH8ZDdcVxbLerY&fT+w&sB(*PGK2yZY2qiZ9D zt@OCYk#RuQ!D@7b9BhC?p^&f>w1j$C3!1&4#iLe(78A!y~fsJC~N?m7$fz_-!oVB1VTWfGB}9 zIvjj0f7M~QpTKMxq{T5wbq(D|8q7j7X=#{wvSWnP>O*yr@r~5qOMip`dfNk%*%G#B z#A{Xbnmbw)3P>}1qS5|SEarpEph)vX3Yem>zdaPi6FyCjFpsqHA@NJ@UjRG?aUqG( zQf)RYo-4?HiOvAK#|e&h()tGnBPws%%E)?#zL=pN`#TgBPS`ETfG7wTvAL)yWUesM zn!xO5ZizTOuCBMYv%UF!5(D!SZIV4E9OjFxvfkO!j5EwaWPXq@%9CCo2V)A>njZbt z;$*b#-3zlVLyLzn89n{-F*;<$_0}(pIniUSJnAQ_t~XzVSN7G9QnbbpM4c9oj-%)d zSw7KhP0#ekgi%C=v=r1YjLGP1QF}*@2)j@eAf-mDc57t*dcf=r#PK~EzQef_J@oI? 
z)yROPV1p8DZi2koY zCr?K6{r<)2ee{#It2X!!KBlI8+vz7*3%O`Tkyp7fuYJHR@ zZ)Y$6k*!NEQa`>vi`u=S0?qh^IB5CT*uYvFktbd`Xs zB$g(7SvZ)$WHoDcvzCM*4)x`a6K1VuM{D`8rpSKPYUr&$GQQx;LJ-y4e=s{)*|4)U zjgRtRHcUuwc~RPCOV=vLQ&`{8@kIPnLBF#%Ut@s?{n31|K!gLxIw$))D$&A9@5>ea z7yA`aAw(Hgd&F+nnjmz|e%Io}0=@H(B#i^=wM-EwvpzEaBHnL&5RdM21OhC3vi8Z| z7mk87i&1%|JSqeGU%1{)fEJ}^WILcGIGi+@;5hT%LP`M{L@(_R$bt7rWP9f`Z^d3= zMfdW@UYJw;_yyYLsyNjDRdG~F?1R<9j2x(Y)Yrd$hWh%)Nw4*fauIq_U4(y7 zE$HiwN9gT~qkkehGM+R({o~r6ra!$}ZPEH$wbH%yVX7nJr!Aw{^VE?Fqzupcp;G!8NbN<_qI>#h+uEpFOdU({Yl8z$!N3{ zyC-b>#dxzJ87!lq4%?^#VSTcR4mKXei}lg<1NVU-J$2Fkib~i@^hgUu;(EPa3z4R; z2N9o+Guw)hq{YWQbYvXXOe!LzLD(=F0-n)rSTrHB9iwQ%q^tiTJG1BxZB}%P7WKu* zeD`tjs-%my-gsp9(jD=!H4=_?bHa((wdJqg-9?M`m5=WBqB+{GPgE62>g8oY7wXrV z?S1yr7oj^dniGlB%Fy3McU_Te8|^rRixlcDA4$HtytbPYSrPiQ-D8yg=&mx_Vsv*I z&5!OfqxsR@W;Fk%$ZiyIQAFEqil8W>?LtLR5OHmObXVF}e=q%!B-(xUcO}uHqQ2;^ zHJaG3zmcTqE;d?6Z+#j)y}Mcw#pBxf>K$*f3F`NVHW^KdZhfPEbPF8yqvfJ_S*#AIK&bClG)D)maK&|X4kwYfLW|>xT{msJH7DyEV9$4> zy+}ejPHmyz^CI>^RJ}&@6AGbW?Oy~Tvb~7Z2!&4eKU&eU5!Q_DNE|9OBP}{_{ru_` zz!45T#V$UgjztP|X79302j`K3ecn~2DY*|@V}w zi)`bov;^8Ihn-ZSS|m6f4kwCH!kqub-FrAv{k?(XuRHCL(U4FH5ecC}M##*_RwS!o zR96}@Lbx{#nxZ5cMhT%|UR!38$X?ebd;gx-RqxOH^Z9+h|G+n$dtT>xo$;J=o^#G~ z&g*%evlin&jIS*K|1h>V`UiP8G#cUz#R4Yi$v_}(&^X!p4~P9$uL$V~$*{qvMXE{M7afMqcJ5*aTNO3>2onzf4!!ms3uglcYk z9t@frn%gaCKR4TngdW==5_(MpmA9cS5l968MQ*<>bfFt^$jdmH9+2?Bs6up6DRRiG zI7q$|l9NG%aiwskD-BUDLwtGDFd*jX%btc+zJu{)NW+0GAYV|bF%u_)dLBK*L6$gSNv>uQS z0Yk*(2J-LP(SR;Ieg_W6QV2DZpbM;Qrb10QR?0~7;LPbDkarY9Kwt(wcIDg86o84S z!2JC)1$YwN=L?Sq!SEm|F3b)hCj3$lyP3LI%6WA)G2S3Yyl0 zP`tJlNNb9acZ_MH!e>;vEEv4dUMU*wnxaN87+X+EC8#1GWHDa8M&ke%AX8`Xt{yiQ%9)#|Z);ymz zj}?Og(fszK`GF1+Zjmx;j3Pq#BjcKi0TgKrtJ-OWP&m^cIXVQ>06U$zXbou2E4gSDXvbHq82;5Dc-l(>P`ey-F$_oa zvo26M#z<0ffm*HWSt{8R#>dw{dKx_V#< z4vi1#&=*==^T$E7810=Hx5_9KhO`DWkL5M- zO+!5FvWO0N1U?ey8R3_R0$@{gGKm3%6J>f{=%Pj=FmWLJOxDJ}fGLQgjeDVwdOSCZ zUfAQos0?aiAeF6Z!%WdmFHnbq0CUv_YbsH|p58A~f$Zq@6Yl;h2mwQKDItPK7I46$ 
zvlUpN4mQG*RUGg}GBafMAW-yBGp2ydH5kx;xr%0}Y-|#C-w2<cpU2Q8RR$Ub|?^T)nID}vs1{u=c;Z6uL)L2_trLGPQnut#;mRtk15~*9n zVliuKY%qSNn>>q}@Ih%4%Q2RLrMV%LI++o2AGu^Q5w}dP(DRxF!m|Kl)F`fS^#C3W zyy9qkaW<4WiMoJ742DbvIbU*#%#6e!yb>3u&WHqqAtw`%9}q%7N)+<779a{z3Mdtm z@wjQ+@?o!OL0Z5nmE1Hm2hyCW1auNzVlEoh1*#cUA3}z8WBv#fpmM4(1O)#Tgj+V~ zBD)Q!*j!o$nB5s&g(!bw_^asPaU^ck!;)B04+Dz=cp#Tx1obWz`y(hwB0#8I%o1!B z;b@((x*Foq%1A)vDN?$4${b~!QasZQHeq@}z8OnyQ=IgLU+NOM3B<(HS8?O}*X!a* zM4}+ry`jRdDuTWv7m)jC_g80ICB^{;0;#6tYVk^$5wvwA2D{nGU>|ET0d0kquU=D@ zsY2w6$s`C=dd)!85^*YtIMYQbn@j-7@|mu?sX~)UsH(ISDz{NCMy76S|JME5pM;Z! z>G%g(Zrdz#TPQ!3yhLOD69ZpQ+g3_V6`ScoZEE5OO@fq(f>EshD#4ExH$GDbwuWju zvvAb9(X|jm76!$e-WX7^8*t45xeYfCvc>;^>2-3WznEcirO2-k2akO@5<+^tn zlPkINngxXUNw$rTb467vBih)_T&BJ>w(cO0#=RaXPKl-y6QKw~FC>_mt?|0fnM!BJ6zNtD`HUHnWBXtEX7b%3%bEwC4aHeUMPqR*gqB8SJ#XtAKMMnuanDVl%iokj-Z%m&)|ais<8UbN-zS8UFRdRND9w{LHPw zYz^}yZ44eziS8nm*LablYxtYREFgWI%1*n#MD9rCpxs&m1r_$hv1|^rF@X9lDJ7EF z0Df^v$&7>to3GSVc5?sNN+*Cdj| z*zKV`h3#Jpk%%7=0Z_3*1)xEVkV5Zru!2b2v_!&yd=bdrlTd{M6cuvgN`+#TuOM7+ z;z%AKSFe;0*(%nNEXmbiK-~vV9;h7wkPcXX^gTrG6z^s3@nTl2ASpts3X%-Dn7Kf4 z+?UyZ3G2%RcG&&OKz{sM9zD}K5;vONN;!EzeAs`5(GR~;uu`1COe3tUAsh#jH<<81 zd*Fp3OnI~`izEh=IvKpNb@Lglv|r10eUu=eM$tbh$gl>{<`PK^rKsu*$mSnjB(Z?N zIf>}aNb_Ez(w;4X{5iJ|jwDE>87|Q0n&1U=LNcL~OfO{?H*Squ^QTF#y>(eA=*O9$ zF$#J?Hx|h1PaLy<7umT0lOYtt;H`?v$Kz?Hi&UBbls7oPHfOCA(Y7o|s6Z}|8$BC3 zA>$~s664l?b8n>~D}T@{ftykOle7!8#Q}r0;w6^piDp}A1M_R`M4wz}#}-KI=#AsE zkv81?R2fCLa@JqlXglZw0BIF=M2z>}F zG3px1MzCrALmTS)P=?BU37v9iN0tIcQw6)mhq@$&id0xZTiJh+-HS;i@Y)Ke7dF#> zy&z?pQaMxNPr_)MTTH&RJ5JgT_fIUYK~^ffx>mlDIOywjk%|wJ>JKGU%H&geaexns zB8n5Y4*@jrtf6wSj)DOOSSkd9@hHaG1jdg9R9gv+#&MnxB~^Pb?hNMH5)4eB8H7}Z zv24P|j|9w^F{Kh}HB*aL2PdzK@0ze2105)t`hi2B0s;gGnxKt>ZHuo^~2C-sYT~j+#F0=V1t5X#0v-ORHAm* z5`B>^M{%c(E>PxTfvG{KESe=OT8zSe#qvJL5WZNR6+>P^?Q7w1V;o63{TB6dR@Cp-a3(lWArP+o?&(Fc`MORv>sqFtF4Rx~V^KlrdmT1!GA&k95^j zlW9`u`#pqY+79|dFalbLMi8<0pNKk0*Bk0u&QyPrV6uob0o>n+eq;2A2O&oxq^p^l 
zoR};U8oUa{9a*XHoA~D?4(ZCFuH-9roCj4IbRndY*8?BbMHvSb??GpdOwf#*=>j9j zz#RlGIC|kexgvoJ*5KPC0SoUyX!27kVls=ym_uV5;hk}F&IL7`xCQ5eQd~d{vI;(@ zHMvW-pbH1>XH*Q@M7VJ}NmyDK8$~Zss=$Qm2gYP_2f4Ji=K_{Y1*Y6td!@>2%o(@P z)fHoDWd~-(=}5901Mybr;1&STHE$&`-Sve^1e?gW^3hT#rRXosiCc5Mf3uD;$ zRmtQhLR}W^U^l4PaFH42S+o|~U5i#-9aeUzDg_Yfn2nw_8aWwuk%_oPI3>`Qm{vdV z?IJUn1BUpE^!TkX9zjfXY^@Y(T6H#VOG{P6s3W&?FJEfHNqR2)!rN57F*UlQzXV>rhh69dcoS=A3?pTwdMQ09K zK|e-vQN}vj%5RwH=YTDyJ%eo&+}xCbf$cQN&Y}smA(xdRe=4?X2p0R8wYio)qJK}3 zU`1o_27CIn{OLbawmvZ2w9m6B$IUnfl`j@U+nyh7mDMrwjuHX_4NBgTu^PH#4BCis zb&QHOR9X?erT_B+T5_lp<)vYYLYW=hY!|M8GG_@y_%9SZrbrwp3M?c>n%(rDxs$%K z?F6fsv*fRI3;-FK)oeU&thS%LW!q1fxoR*gU$2d$deN{P{40BUbTR>6z$8rXI&`;0 zuBq*m8Ob%mgDoT;GP@35iS42;pjIwM8=dr$B@5`{$#m|6T!AaA>%_6cGCfZ&O{^PG zTPaj*zF-x`gK}}eOdgk1^cfd4$#ZqvR^(34{B18AdeKrLyMS% z8_?z%{0Lw&M}LM2D&2V6x(F&Lbq6xnliF4)hCsbvre2~FO-3TFl;A3d?*DI55{nXG zG{^~SL{R~(ChPievv9_RGD<|j$plIzYz|;j{fI$;jtQb^x#;KF#QXx3po^sJ>; zN`^+lc-CsX^qa)~5BjjJgsbZcX(`i``MUli6ljT|yP$mt2$5lGTB%6I40z7c8}dK= z6z$>+de#FQnza_DuK-~%vTKJFVfW{S*4K9W-!Ccfk^+1ibg<$2FmtZ8cd@W1_h%;R z&?kR-_Fj^-W553}M}Aw4!M?v#5I%Q9RKSW*6p2&n04s?AM*>6R!v0dshp<*?-_mJj zO$!RmIB4VcAPLzZaTz*lN_fA`MkZ^+*4h#-?F0Gp1`;DI�XFoD%7b-hxn zFHNH;QAtrbQNN><=zklY?0zEqWbJwF_XLETp7_IW9=NI}v?pUv7M}=4(-(WVlPnLe z|GLpZ^BjX=#{f+Csz@k?7CA+wy_|yE3=b^rRXNoZcYiJktx4Ft^*xL z%5Pd5YJ8LvNy`V>chF)UjR8%_sbm_%($ELcx%Ez^X-uI9inPUX;aPtXCwx1qq0GPv zs&-Czq0yl`v>4cFr{&XH#wlf^Fy3J#7;+3;T1{U!)I(XI5vCyXHHAua6OEqJz+v2I zjCR*(^g`-7fW!cZ);&37jb6k;Sum!+*&Ep0a|0Dm11zlqj$3gWR$VkIYT6B!k}VdyIKBoeNNK{J-4&5n`hMxian#?moR z0wEpAAERGd$vzYfc+)PxO@8QPYJxycqjZG>^u%&K3fqVL6DFczDX`0(DlpS$lzL#M z*C>@`rqc>n0RP`R&P@0($@pMlb2Cn+fo>wz1QJ`rWnXZ>g|;ENbd+2?N-h|Ufm`|n z5mV6ME5)H_T;w_QJZhLsTl31uvk(LBzY6&Man*15HKP|6mRc~)jIvpjIbn`~{&56V zbyy|(ZIoI~=#CzWMq-}EEW{|`NQ^+qI9d&ciY{q5n1QKEc<IrC621=BS~%6F)GAM5E^PkPfl)5RT;Tq62cztR zxxn)2I7V3)a{>3M3<(2H#o7{8QC@|s{A?^y4iDHx_H=eoS7c0QRKkLRd`@yDc_3f_ zgY}Ch?x(ZA~+>*s?;zkALJ&{7opxPyOqCE0SqFT 
zaFilHY>NqF55}Vw1Hz!&1?*-j>Z%$Z@iA7MrkVp|^G9*O5pYvwbtzs#PR7da-Cp!aL5C0)7s%iVq z_$j6M?_>liX4+k3MH;Ui_ z2r&O$j)D6mfCKssiyLeRkg;qc9#+xeY%G2(8_zICX{3}I3Hw1qZewSVt%pmtz;p;h z7AGJv#0eU-3|Z_n8fJ))#Ry0M-+{8u2>pN#2kEh6aPa*alTBoY?F4gLwb8KUSSlXX zo6aV1j!~Duo&<*Kzse5Q*aCe~PRqZ_A5Pz3T__f#z+RD%s%lE-vu)5@HL-Z18y%Ed zuv#?TEhdwHV^L<+c%~ROM_RBqj}KfFA~Adfv&WT_iB@aim2$5(K`PpYMnsE0rwXj- zsRBuwG8R}0houCiRgy4plQ`|6-;`wtuau#urf}s8dTLs94HpL6GPIfP7%Zvu6Iqf_W^k;ln^ayxNMeh`AHjwYfySFq_LF|_0zBo)S76bi7yK6* zNGz#5FvSUXpr?qbOn)C^$Yqo@{`|MU3Q)Zl1E8`3$E$EURshy7>N*a?F$fo$-x!<@ zkwxHb(M(TW2LZvr;qL#`laXFeU9_GoYxPw5S3Q+Q$j2}u6a%pBWCn-Cn#_PdcBRaS z{@n`QyhHUZ(UvH>Mx=n&J*{OKZ2`Dp&_wEal^C2uGSLYdbf_4!rPpO)X{EVfp2ia9 z10M{vd)bseouEC09v26c!n(WHCX5$s;uxEXkYN+4#O5bRXINB~m`O6glMrav!iF4x zDPaVr#2T0q(b*EX6BR7O9!E4$zJiJ7n7hVToM#1=f)`~eE&#U@#yccoL`xa;V$4Pu zX{xzHOz5)4K$?*0xd98aDS63^wgWk4g9a=qyf#){yw+M9&C z!@Vi$cAzNd0?~OPqlrK1PLK(f}1rMrM=AhmVI+2ey#7ZY-i6deI&1 zhsu11Qdi^1c(~_&NzQIMQDd171(k? zEssbzqZUP+>$>3T8)sFpq=WjXRT1>lxHD>4L==6nl<9Fcvb3{tJ`N_`@1S}A^J@Z^ z3?s-09c}_gdEQGHjeR@CXe?@w0f5gMr4!=4~)9Hsl zN!ml*fCMUd{>MR)sC3I;2YR-klFGReb;(~lz2;ct3i!LP^4f$6?{?(9wHRL~FhG0-PVu)Zz3^Cxa;BesZ;0Rdu zKk3mtP$vj^u7i55gLbD2l6`#jtlVO0=(S8cL)C^g2k-7L@8kHpTn!aPpD5z{&xs{e*0hV|M%_RFfrxt z(|`Mo|JT$dum3yde}_&2mI$JNAbPzBUPl4sHdHY%#7@{_5T#xW;(tg1G3JqkOTi$S z3PDxqIRm1}jo6s5;SjZMHWh*zn%yA>M3$h2M%heIW5HmFh#K1tL3SLQ6ZESMqKCkY zg_fbd6*-9rA}2BXkdwHB$VsdwVr^}MBdCI+I$m;0t|~)cETb$+Q_bLSS{sVcr-zF#lfQ!7OUe%FQ(TO zibLxJbLpcO1jtSm$As1bS%NkKuU6*{L_C=fkE&)uSdDuiAagPwgK^A98yL40t)){w zSfy~z$Kdv$Ar~}6%f~?}m_z*tl#6=CSctCM8@tv2(AaJKeuxhG@^$}UD zsu~1|vJliTf}on}-=6h^o`nWRJ0E`N`5E(QY=hQSCEy?)kOm6IVYO6YaX|nJ3?3R0 zkHO*a7(6UE1OgsIBuWz0(0FLBLI|Rng@~>_{eusX5B7n)8sO^BM?`?Q09Qoyfjo*K z)ZzbxL^Y!9gkTQIU~~zY@+cMP{C&hC0R2nG7y^nutaea=f5=)#{7)+A-a3ey4H;lL zaRfDHi28??|2DyGj4`v)S`0)-9|Mu#Qwn0t{QrxlL`alRX-jF-Irk?=AYwXdScC!m z)zy_%HUdTwZBAom4B;V^31|}@{PADVeFlgD5m%jAaOkB-(3CJL5N19Cemzhd`VU>n zccGQSB4!W>!{V_7SZN5gCVT%k2J-J1LI}igUa!KY4&C?!C`%2;s)iuYH7Lu#L{J-t 
z1x}J#O&#qNe-PnfRL7$=l_Y4bdFrUAf>l@3G{>SPL7ZJcWBMTMIlEQNv@QN(8jM5Ip_-qp9UpAV?!B^3RCZ5yBhu z{5NgtVDUDH0D^LW=#01?`W=txv#G&2*@Cbo=))w<3+U7552zcbDB7urmdzR?^#Ay; zS)v{?0lYE`;s}%K-+zvvGK?Tb8agIe&h`s`gfDS=0E3~1Xdf{WQZqOtWTI)lUkF6k z!J_3KCxiMjh>Wbff`Z&WWbZy{S;albmwTWgv4S8XLZM^FJ8g7YnwW$mB3e$B5s3a_ z$o21sTrDIsSzfVJ@P~do6?vEjyr%>Cz6iR39{kIQQNm)=;3*4EF9d0C&^eK@XmEcRcWV;bvd{~U5g*e!G5 zv&gfhWruI8?QaIG*ZEl z^1sK|tmG^BO+L(8@_e@i+{G!%_rW_pKb@noi@3ONq0~2$f9>~qRu<@CV@yS)o&MuRtx0LvO z9(g1%TDIxh>f2|_nwKPeHXZF8w|klOC5GqMhe)kZ^OB7N)WK%Akmf|ykQUnv!vl{4 z9uk#)RbAD(v#nlA`q+>4EYD1e#=W~4MBi_IG`o5+d))1tRduXq#0R+%)id97Q~9so z)7YSysa$ik7Y_N-GL!$$7eIPWya6c^buD-Pk(%JTl9yF!L%Q4K)Hk{_;B`N z!-kC6tKrdeTnI&(;GU%z)wEQ2&iQxnPtCmL?hgL`M~KiZfj}?fuGX!69}i#KE%|+2b-U|>^^<@Nlp87-_>Mi+xL&h1ngP+Bkw0F zGj3y#4aoI=S2@Eppt$$!#$zd|-^L?tBBFjBYIoy_Hkj!=#C@kV^4hry$<_@9G`9UQ z@w_jmw-*xD8`r;nC1^BjDR-v6lSnQcpHoRQ<%(+C*;{bia_aszY>U}+ll0?^tD0Lx zvL>=8SswgoBjw$FBa+P2!5E8YyDU9Lg^J{cxN=gEOa&PIl`@HPTK?g>2oLp6h*zIn@)-l<-qKH8e5#N&mv9D~AOy zGqD;b4cTU$Ew~61xZASN^mzU(Pqk8Ib)!C-<;m1rf ztL_i)bUk0)(qQ`V$Kkiq@2|+`jA`YCn>fx}r8C^!mbjuh8&9?<~3VXuVVESc!>%0BMKjBQCv_OTDCL@92|<4IO8v-+|bSIqd$Z9_|lW${_=GCr-Y z(h!m9@RiV^c6(Od_c_V8fsl1`iy}vgsm*PI)0B5lkD<(|*xX~x&8Hlc`9k6`??&x& z8$2vt`7fB6vtGCw%l8eBupF{Y?ccZ|vZ-ym>4{>sxWSQ`0J+@*DM3xQIV{7(ji+oW z;Yj0|WT$4iRL^7PS#>grnBXl>r8Uild@i0-;k}~vvoEjIWw-awxvdkYnzOVXOLCnf zZB>;JD3UX8&9`aN70LOTLfHPo*(RdFrB zeFAs)-hXi=D6nKBDAa_WQa|A}kh3(D+{dGm_lM@8jyH=D*KE?HQMb z<6LHE$fuupywin^%E=o)965e2OL~s2t0(XWH zdcN~Dguk52IT3cRBisa=h3sX%q?m9c?)fo=IeC}DZP$-C=;T&9tBNMNoDg~TIkdKD zdVgZx=MIT*t$fN|5sly6xKMk^ojyDRtV4_0=NCfGHnFATx16iX7Ez!cZr(B)?l3S( zy{distf>&Nkm&9C{Lv^B@! 
zkEFPv${}tsj6Zz$NX2N-luv7T%iS#;lJVmCkc>nfu?;5!ZBujKd>>6%w;d*V+b2R0K&9uz( zV3zTH-3q)`n3{nmz17VoXBUU=*_Fo2G``%J87uHm`n%6bjN<_Z9sRPY2wHaX52eGr zte;4|)}rwr6qZyzzP1e1mAvfU@X}7>S2T85+D_XqwsrS6gH$!;PPXiQ4+oU3+qO<~ z2X1wuRIVG&oiTgHzctF8yz~AkMQgUYO`|;DHm?eKbhaF{@jU)S;l`P#xae0}gqn53 zAGxL14-*GorldutzOlQSXs70-o=3_nAoB-CR)(`*ITp}a&)Zl@OU(*?y76$&@|ny7 z#{%kS9r`pzq_2E*=6bhYHAI5>gxE$=jC|1-h2Eg}fxdV9`V(p-y;jN@^F+?wVCtlN z%dU}DSlAF9z7)Asc;?lV%3X=;={lvA%C-0#w9m1|Z2Q)+R7^~~(v3{WckxV)4hi(@ z+LO0MoX@}KMzp2lpw zY!>!#W!!(AXmO9E#9WL% zh95l9=-L~Y`P9hc)PoLH>)yR@x#J2iZ|3qBd~llS`}Yl7HJkREEDNgBc3(UYD;J&r z%QMWf-71OjpmTQ!ZIh!EBagLvK;XM9yVOTc4}8Dc?V?1?6H6IPR=hhum)TuZ+vhkH*;f}^|7mePiL3{4F+@1Tp9G*s$ z-LJT9X!$`n0Bjd$*-#63mcD(ulS8ywdW^E7 z5tG5EpO;(|g%y93+h5yPs$g@{R8gQV+Axb0UtX-_z@4P6{5VLTNoiJEXKLD~PFO>> zW|%3Rh5w@2XEPCEX2%KLSA@Ma)Kmx4_X8Z8bU$kz!2A?wI zB~p||m`fOwp0y9&QI_#+lo51NT1;JFwVk3hzI=6P@17i!CjEk2&IbegFC5WlXwiLz zvy3{rZ!j)W_UxC=9G#luKGWOZXB(EAdqe);RIq7!Y$J6q@l!{LT{S0C-jsot!s6aS^}?v2|t0mg-6%jdDR=j|#W?Pv9@OgYwyPySgMDjY~zUME4TqTct$~Dex?>*U5r~bJ^4s$<~ z@=C-(w8j0~?R~2!qXQ#0eP`bCJKxMRqe-j zeDcC|RhTylEMqj%&haKEKO{}#UE67n*$F-|x(^%NGmYdP2;U%OT>V6`W?8o_A(WOw zwr2aj%j1~1AZvZr>p(%B^QSi*UwxhObLSqcM7*0|H(z;OD?%61@#I5{gc>YkgX-daqmmJXz`US~l*qV;_922JBI1|4$JY)H#cv6w_ z>qhX-DW6!I17{5O93nN288j;H+~6}B`@niy?c_O%%h_nVkLk-L$X3f?+7{*D;Hf1pHov!9V|VE4r+7hH(@Jv+sY3Cc_Ph~#{;4Vos=wl}U{FR2sF=nNWA zt~jJKYObu5A$B;1DMx*D z?CumL3w_#Uxbd3U-6AuARWj%I-5utSF1=FU=026P%{C{>bNGqs{gX`MyJYeXf1AsV zJ^Z)VQIL>)a#k39|#&_l~kv@(;^CONu!` z^q3psklFD1L~Uc^1~TV0|LexiGrP`?8e&T16=vIBa9wsLemSlD-cjVz;6P6sFG1XE z;@u-Y&*ESrCF`nT%D^=N#obt@lm}NIN%rnv*0#FzI@ID-t4Lcjwngr>XNBG?@nZ1} zZ|`@rX_!A3;K2z$&QLzH(bzgIrmRGTY=9gI%|2;8dOoN5RG4p6MEM7&6FmeB7v@_< zreUR@;)eB?iiZ8YY@Tq=U%h?d9=l}k9rBNqswS%(Z@)B2-T7n z{499e%;vSrXR%G^O!}KcH94_DCPC>_xPx;%nb&JGOqh2%Ea*_qX>6Xk+_#74p*zE` zJu{7XOVY6O;FsTKuEy6C;;Yx)j@{U;Z@!bCg))6o`!%1!gt9{3-4}wsTL(|=-M)HM zHpBPw;u(gAzP`sFczT{B7TGu4b=Um(wf-}1I$ToIVjQuF? 
zq{J+TtdsN;;Jlxkj`eiCY+6NO@nGKFy+Zl!z)>yXwY;>m+04XBth`Fc{ho)@l7|y- zrf0Bp((?B^j^pY-I3MUx3rfVlL}7Hq_fJ??B?lztFRk}>O2r_?2IE5FHzA8!d_8Ohtm`%}tgmo#>~Nc^jj}Svjdh8Td*Gwb z>IeKqr!kHIt~uKR>rURcZyaj!uYECnub!9Y#w@tAF}MVHNx9ntVw9TmUEEi_1h>Bz zc^{wUxj)ZS{=MHTvRRWG&rIQ}*ge~xhMH|$yL0&{og*Cz^CeC89-mt?j;CAxSbq8F z^0LE)n)lpKe*1rYBNlOLIln;Q^`nCgL>42@>!Dt3C)kdd*yD#8 z>lWr68fqT+%AIy;d6%Htob>o=gSyUm$OcV0Wi8#Uq34Yf*gOOjdPq-Z!lj(H$J-{B z^QU(uzipi}``Ni!wlK*yFZ`~9B=L~34@JIcmv&LB5b2Q}nJ;$u`tExNMX!C)+TC}oL@KJzYgfJMI`4ho7xYb3 zLlz8W(!^q($q0Dc(k>T&o-o{eS1m`vH_&S?XS?SSjrq%Om3?*&{(Anp<=&>t>)37w zd1byBsJXJMN{G%-Ofi&by_4xG- zmvg`6!~~)Ym!2gpUT)Axe-ko&Tyfh({=%lFb?4t!EYzJlFFE1VaDLZbl|G3quCj&* zRcA-n`V;SdzTxK7EV)&Za@&1{GpFY0aphWxN#C$tJIb2-^#l(Z2t*uWoR=&n(zX## zjyvrVRX^;a)H%^S6Vzr z*62J|J6Cryr1WY8o1$H<;D${B6O(QXMNb*$I@&@?Sx731mpUgVd)|q=ZsoFXbF!Q@ zchX4ZHQmd4c_O83^ys~9n+B%TcDyVL=in(tV#O#%!=2FmBxQmG|P8-=52+*dxvo`}Z}SuJ+vRA9p2( z0~>5^9{=(ekDIH$=AANf{;v1f5+)9wF~XC4*UlmF>>VQ+#czO5I zjDf5B6$wXdYBzi-y3xIF%Sn@|s5_mX`Coi4ow9S>=fZwoW9H_i4z`^V1j224BnUq~tKfbd4S|Ybx*d<@s*W~K- zW3;?*@|B^{FGbAUW1Vw9Ob>>)Wvl1O)0(<+jAYGO3G$vvhemhLWriOuD*4ue_2548 zK~To&+4oij^ZB>?Me^~*7q73gr36kU#eBgl4PoRWHtw$V{i?M5#3`rtq=w*qm(1TG=cmQy=8H#`xM*)&SO~ojmRpImwp`t(N-Eu& z%XKA|wmnQG_K_d#G@@jP(-Fjdtm#{Z%~d(oHqj{Ccnzu$CSsb6Pke`Sr; zfmzq7g0f}mBb!?l`_EMm#4xPq9@0FfZe8C!D|cY*(&fm7Z<)^a3ti*yg~WaO*<+ip zpHji!dVXc4>bklW-_KZ%c`C-w>7&8=q6Kc zR$4Xx!r1zk!B-#0y-Is^&R*AOr?-d2WZ2u3TNH=Ji#D^?N64l+CNI5NM);0h|JYHX z`r@bvgHWzhd6m$(@U8uN&-Kgm_b7JBW(eQgkm@g(^xm~rb6Y;6!H}+eubfG~d93~eWkF;iT#ANAsT=Uxz{-YqV-~Ek-7BROwZ!k)3M)^Aa-Po7wo)^YR zu_*IXNs?OEl?+kqzy2IeiPNn0XC0FyFe{5&ImS)O&&!tNtzIBIoS{*xs zUc+gneq^fUr_TK9JHZ780rA8VLrcv|itp?+{anZiag~-; zdx}R-3ol385@!^mZTJs5s^)%|J|vPjXp{Z=K~VZEoNHKDjDNouzU*r^^kKzgFk9P3 z{K3I)(&3qV`svO0PWI^fE<8VYS!I#u$W?0UQfJqU<}d6Pw(ikl?0)TuZ*3c%9nQ;W zN_n{~ZQlM$Aff)~zA#6*_UJdahpqX4E+4%Sgf)1Bu9y1`{YmO&Im*tHC5($nQCO zK7j|Mw3a;-X2}6>ZDkAFAsfZKJG%z2ha+yegS-oYgo@i&F4{8iTWr~E#;;K=-+P-c zeWH8IenqqN7`|IZKU{3~2iC-4D8;pYmf2c 
z*&olOR-{f8?Ye2wUT@y#%T(-fcH6G*eU2^9(#qGL$w+qzecbx4(6!Q9cZM=;EERQXJ4%47#awVTP=C^A$&jLRxz4dxt04LgfWkU$go}?~_#)Cssc0 z3)Ih&6jg<7ORKZ3mu#D3F5#Z6uB-9;A$y6p zwMD~kbJ&SM38gsx9*O1Yie-u_Rw`OB=R9Q!cvlCJR9+}(6m0j2(&}PWUC-S>q`a|0J zs0~W)jaT%7F17n!sq8zSE|cs>vSEz#=wf_cBsdg-KZ7meKYnj#W^Lz>)Nb8-e4jIH zJcF;jPLLYe`Gm85Psgq8=VY@Z$ybRk-tLE*zC|aV zky`@JC-$h{{=BEJE8dZF7BA#j9-ljKIiKwX2WQ>JOBX`wy@aNYn!itL|4P`AznwQ{ zm-$!2n?-oPN#nQFSgA!v>ZXT31Y66C^K!)=vZUEn^-8-D_K+W%+g00dx_o$;-D5xh z zQ5bIh4x5P8_?c}e$ds7Wv|sVyyw>H)?EGhj+Y-tdo|DV{8Osa_+ND)znNBy(Se&Ui zk%*7ad-Ddjsjt>}dlZ9{`>VY^<+YwlN${Sje?60ddQGI4dYbK(?L;|}%Ky8hRlmy{wc zZic8T&#xL+%yrF%_g*OyD5{$J?bNODfInXU_7VGzrvcN~^m&Mayi&PIgH99b9L=X& z2P4HwzBNWn7sa1jCAYH{dl1|zi7u7h_p57fMG|-?zeVbv=H>F>iBbQ!%>Ou`uT$rF zpN?#`#pvnj%01HV13s_#3!FO6l~>w)-|wh8)oRQ6uIRf>t>>s&Q8eS!*_62)f$}Ix zB-$vp_OiFwYSVCP-da6Bc|Iv&vfueZj~6NAd)&C-hF^AFFRl;F1=(iy7{G%^Ple)>Dp^|%bL;eHd1#yaEq@g;a0RM=2lLk+3_vkhnA&loN1Rb zr8aZf8&OGHB6g%SXNLM3%NTCg5ZA|EKXlm1aKPtTX9YhpQ^qsR zr{8(k5t?(K+wI=|ll^dwoAae#gq+2ll1=M==V@$H9@JER)SzIs_^Oe1s^Y86vO(L) z;LPBN9oca;@}?hC+ap@GYeqbHUA4V9K8CyDMyQj?i&@^m+PB{>6Q>hL6#8~Jz8%+% ztv~GBT($S`>}?`Gm0b7P(<|uElKa+rb9XV9xd$>Hg;(V(I)%lS=KB_QN&eiVm{Jf~ zWfjit%NK{OB6OxdZ*&kC*e8Fs=vXH?yxz6xMabnF!za?US>OAr*9t@Hlg&V&h=|}g?+o7iLS~1r2GENs^tW&>2ys(5;E&(p2 za8&0D!dZ@bE=2lv%l#lAEqT$AMmF($n81?W0^35xa~Uwc=*IS9bv@ zhX0LVY}VNwd0H!9*SHOE5A7C&#adBa^!o-D4y-0Xi6s#;U;7^tZP{P5U z1M>+!;*&$mvc@uc?kxW?@M=cy) zr0l3^HHBANHtv>>ZKA%xqG+SLt&(nhazWu*(}w|TGO90=70E$WbKL-PNTa6hICd?H zsTvjcz+rc4@InYq(>~pyS=@y60yaCpDdXUgi@)b|WqPmIU+NW%&d$Ua+C<6r+A+y; zhGKe4EbCwV^Dfxtc0*w&%>l}ivVIz}^E!84v{m>og7lQWKdq|6ChDoD;I1QNVTV1i3;AT70Duid$NJqpfQw^IL1J!z|cL@PK( zeKe$fF}qab=}7xhi&lX7yip6QE3@ZqP*zV$aczCwtT8R(h*tV%Tvnwq&H07p9m`sP zb)vU@aIQ>D`JVnnu+Du^*lV!kK_9L7psi}0TlA`T<;TR*F>tHN(~$@bx88ku1rKli9=Nw^jeCEWGO+m*E>2{eB`nGhTNgQ`8KspF51kUU8HbGH@KjyY;Fs z+TE~ij+}w8gPiF)r?apY_qnJK{2L) z5MIwGTeU*5>sAy(ewe**2kVx5Lrh$|rcpilqJJd0F0aw8Gmpj}KS~|jod0|b?W0D! 
z5~S<&qKAO}!DDwF@s&@@T1F}S=rX<|9#0l?`p1efU(XCrIgCQMORqmFm*d)meWwD| z{X1K}O+;-U=mm6FKjwN`xQrV=8IMw1rJVjl<*NL45E3I9TBbD~3Hr#^G(1gN{YWZ8 za4l-=N6~cvmRh$XH)z$g3s$-UM`&{ri7=Zedi zJQ_#ziKQbDSWNTkk&gdyj+gIxbmVyqe!!;s+Mq$jU1JS-_}d)1(YDlky%q4FJG^o|AFomKrU5d6yZ4oXjK_F|XQXT+&xeRUlBFKH zeB4RxudeP6(uv$7JVJx^K2-4_hu}>oB3|veD#44_v|A$bEVLKj8o7a-r4nmoXJAEa zwe9xVOguY=s$dJ^V0fBd9L@5$%t6 z4yo+;3d4-loJKuQZc%o1-qfKhShR_^mAhf0yx=f^C;7f?xMEkexiEprL{mEaUqcs3 z@rl0WDKEvV)dNQ0rN6e5@tuef4q%DzcNmrmCFwa^E25b$s`Y85E!Vg z1jeypRwNf>Fsq)K=pOMh1Q13b>W-_FQED<~3^XmUatSj(9#+)5t99F6yxU#1Xw`a1 z16MLYk^mtBD8X8yQm>(iqN@NEGyVVl?`9AIO7`z<-QRM=*RK4d>y?EdR>g|z!$^C_1F~wcASu7f5>Bf9Q7^&hTT1; z?wrC#1W(p|Hfx*mBXsViU*yOVE{1em+76dZq{k9&gc_bom^D^9;(ktq30dTi_)ihEhx!k}9aRBP0NZKs@Np4RY~2EBiWh1;*;hyt z&M5P12MK_Z6F_@to?{wB`TzOs@v=&BQfY{gaD^OSc>v(2e^FoA91-(`Y?5kssC-Z% z`)&mLxEBr}^D$wR>dxkJO`!n2wrlt!*8G;$%rXj9u(G#C%lZ$n>WiAI^WvJ8OWJL5 zZ-_m5i$g8tV@%j{*}N>Zje}Gxlpv+FRS4QvHc<=77>KQ1?($jaID~B)!`<`8e_?Nh z!n#rB+7B~hqiTdKMUIWM^eiLVZ5RlVjQIr?^CJ|U*kDb#C~GX)dwh8|=I0jzpQwet zk=QU8O1{jQI?(Y^rV+GJ)7onXNT;#@1X^rYN|56kmJFKNNu?<5%{=51{SMw(z~#$) zKqQIh1{N0P8yx3P8 z=!<)WF!t4~j7iDnonP__$FXcFWH%qUgl&8qlYwGuas2ko`AYlFm;2Y5*LDV&>}m_v z=S*4SSTzCoLKiwE%rphFQk|Zi_C^vo51zG!H**j5He<8L@NLP>SFag#hs-2YJ%&;# zBs&`iO(mp1pQDzL*c~gDky%6-EaHA|U09jg4zD-IIHs`gO5$sBM=J`_)Su;S=s+W^ zI0OPF>Pu?U5z%hi?7eaJ%@8Vg?&*u$BESa2+MvCoDbY6*_r|Va2 z3)3fUVlgMU{rP$+Y;izhW}V~<+bXq2_5kW_-1by}v0#rLRvAdW7f_W$r*KqB#0Y!7 zrT~X>0!VAa<$y&bVnfh7+Ip;NI=JZCztuYM_&hNd6N0GXDkF)1N4bUlPt3-lfSH)q z#S!%)ru4*X(;%`M7(C$;qLe|Q5^XO2JsX#Y%s9N^L4;l?w|CR6QHKU#)8SzA1E3+7 zMoTw|6v^o}jo-Ab5A>;Z2wOkbcdN zpm$lq>+F33;Cp)Rt?XVOpNBjTwDZp3(Tt%}Z5I&-G&t5%qd-IeVO2Jeh|N!)Sp4nl z`N2+_7#8010}OCGx#1X-^gXl21?DJk5!vN^hp()bZ4Y1kr-E<$M5j(KS{U=tgKuC& z=%S?DN@nkXmzs)92-j)CM$sn8Mg^}&_Zy{S`;dT#3ItE*Y%NJ+b?Dk(3h=9u)&AHB zUqFeRZxt!0d<1O=#HJue_S?WifdVCT$fg$Y(D=flW(7(*y@1&9hZ$-dMM`zprUSKF zR5%Oyv;+r6aH)|%gTinpND=pqg_;5zaI*6lQ`aEPaLq+? 
zel>HEONA{&d|G-|ER;oX|csaW`sn^_U5tiujfu8PN~}f32I%C2CKfBCiyYw2pC6Bvj7oS z!Y^?kzNMRKU0;v;6aU#Ua3*++tV|8LlH^;IGWuMEtUFClo5{Y-LgthO{BY_&BPbW`U5~6hKID?2Y+6A*sv1CUQPb(YuZRC2MV_3Hb>`8VH zJH`=BhZm6q6oD}L^5e|L05GwYv;*sM^C&sTU_Ss{+^pgC+@H;OG3SQ&&`7GLInYY;A+eNHH&ZPuR4CG=RdHn)?bL6 zerOH#jmQUcdP~k$oZhn2yA$ZCj|jGq2K?KWL;E%-w68d(q}SPv9eLrGoJiscOR;5e zY+1G}PEtI&jECv5$Hu3sZ=%ARGTpO&l%schUcN#l?V}#;@bcdgHxGmXVp4;FZ~X3zJ6`;pR!WbUGd^g1n~$=k+Rwy2^ufXxf z+@&Y)XPFUg(6B021+#C|LuXQLdo_j2w?b|U1fo72{klq@NZ&G$P?d@Mnqc&U1Bj|O_7jA4y#m5BP-W*^Vp6c3M_hC5#X zQ+&+;wE7a05Co0yqt5EIcOnn1F#J{6{L1e~xbrF(pKs7qLdI_ z><`6S#VL0Kl0zrzfRHL8o@hhEr`!(<)go$+$in4_X-(Psb1_Gu<1(01KP~i3n`5wa zqQl|nSh?d=X3hLN4Y`-tU<;v`vr_ICz(BD>@!vvBK4Xr2cFpKQ9iRwx$U;s65+nYC zD6^B+Xh_$9*os)!@yaZ%W0UsaMCK=70Z9BMBzQ~ir1g}7(WL+?eSF_?O@xsOX+vuK zBgQugvHM{k+nY^q&172GcIz*iVBwN&ck?mWUpQWFniF5siJotA^}|vKd`PRi;0kWis`hDGjxU?24Bl{QW)l!!Uj% ze(q7-)=;jE18#~BK*U&?N8`|?t%;PZ9wal|PVcjcl+6f`LepEj&x0&0OVb`XemwJo zMB;mydWq-72cbsSCZMp=0WaUu1D!T-aZoAx+*B7K?0BURxq~$lv`^t$BAv@nTXlb+ zq5zqNKc>>t=j$IU)k2&;JUNR`_N@OHEuElnDYjrLJrwI^_)y5DUTrJBObhEhL__fU z;-9c4RAt+?#nUs`Z<7Pov+O3zfROe28E!s2q;5z&dIFqr*By@IzjGBoXmI=u>+q^; z4EytN)HH|Y6TJuPjtcy`FXU9!nh?T1;(1D{llpu#DVOx>xPyf(_8fWu#|rt` z9^#8PdKhzVlO-o3ZR=;gf}iBV~Gb2=t}wkoMP?w7h<} zAA$(o_YcLo_aq=DfirfE)LNu)>*ZD-y6g#?*LMZNDwit9_dvb-0;0?iqQ>5mO~{3H zobDKprm>D9leWAGO!2H46dAO%&kK|gd!vO*uyCu-n!4ndKiW*$Hspua&ASrtI|_|h z>$a&hVE>&JVVh~Gk9c};a0I}BVO{i!VnU&zAqtU*-8clU$3}}|cTQ`+LWb>V6o>Q4 zukml_#XVUkzh*?s@Z2CEam4HmD9_cz=@p62mv^g9A@9)Ax(Q7wz6622i^Su!r*+0@ zNbmcJO)9=SM&dpvsActg~w`3V(UxWDKKV_qvT9L zYMDYR{oZ*qigrw7I~In6+2|O6xDAnnnt)g(ZyA}#JG@?Y_$2P>_Aqf|EEaoOak~m- zr6mqXl%A@AfwD_PP!QKNfr|!bg24ifIYSX^ne9Ey=Wupum*EP+=w#7zt}XU(Xhh(1fckOb7({q$HOD{|wcQU!U{~ zF_w^x>R0y!kMT_IMZ1|Lx$&~K7`W$&BbMYhs9T6@S4Fp_SWQ%QE1_W;fxb_hT>R(F zlr!f?j8E^hI**aurRP!|zuQIssdxu4@DDD*94aoo~z&V=};c4P|yrvuRl5tPT0LvN~@*knvCL zSH@u7*87`t-9qz1N3P5-Mt0DNlI1v`%0O?uWiax2 zmK|ZHJh;Z)3B;bMP>rr>qoMknY3hp|D@Mp8-dT;DUT6<87#^U>w4g31cO)8neLJJf 
z_WZN<6#j-%f~@)!{eyFQlB+3YDfPRY6+CZG1x}c{l(*UW#`8Tt*kMk;96boi#$Q-H zej&*qzq>zGw`_I|g*lZaIp=XW$&y!6WnypQc5EaSyhbNQHrtIKO+ETXtBUzMuxhO+Lks7$|nn`2i5z`N=f1T z!wUv`J1@*|=S8|vzO=h{BbhydEUN~Z zRf3msQfsi^>6WZG#E~I5wny^}@0uqs^`$#5Yn7SwV>2vD3&O4G`8i$~sxhTe&VPQuU!c6J)+ z?V2!r5G@jV!^>>EeqgDmOTIz{u`H*iyKEqhnC8PaWW*k+WYbxYz}qfjh*@j-zYa`CQp) zOr-*E9U~5SDJqqrJx-ffvLfVBhv;~P4Y(5vl8!tgpK`5%> zeB9|Sti1(XK^)P#!SzeiCJJHWv6JulYSrvQs&9oaUx1~enY)sGcbSaS^w7_ z(4&N{uGnqyvknZabg1t%(exz>%tDOZiVi4nDLXcd#e7+%vG03gbQ$1o>jVwhoZfhf zTbuh0B>nyo>-Gnj)=>YM*+1njQ@5<7OEkDvqiH@v- z655^&<@x>?TCzdF|1E!|f87h-Rcw_Sk3E!O_I!*YMh+22^kD?{uU~{%K%O(%uJo_y zh3!~>Go2S+p|WnDqpQ-1yiCU)4p-se!&X1I*@&oztI)cc3HA8XG{+OlGBG?dhmid2 z+b_b`4t8yaJ0{0FD17N7due{SK)(7g?HjN@DcVOXTAN^W!i04w|87}qcaCr9`H$L; z^zXz9dOrA{XBjjY+h*AZhfxBgzA zpDoBjNm3j*O3VJxr(rELtIvMFwfZ!38ZDg)Zu{nEMV5#unV!ngvG34TY}CQ~4Z}W| z7AWII4Kec_UV2;^T1aIT-cKt-9Up!q8AsRp!^8*Y9T1&O)t=uiM)8zQSaMq`DDO6u zqP18mE4bF+sILfmOX0pb1{4kR0U#FgRSTiS9J1Lj9#RYCD3tlejHs%VHVi0Myrl{^ zx~BCP?vK2#D$wGW8f~xq_QjHyP^r`ZqKX;C8m~Q?|L5gtVWje_Ps`F|#R|?+mKtJO zmkK=GF{jEcR4)&x$w(578gS}C_5nsXFkz^bLvnmXXEop0#+C|KK6HQ-){cB6UV~W5 zMQ{=?Rje!LEn#}iPMm&QW^HqV*Y$<2{@n0d`=^>ANdLS`ZRwP~G|Rc_SdO%nv>=40 zHrd7pBCV5H>i>!(6pP<_r*8+XQnrz*M!K@t!NMbHw@!BX2+Gm=kgy{6-jfaiIlJ3j9&>)XS$yWNR#y_);Y&O>2*A5+ZOpFM+!{FHkl`M^ zp57ilzti!CU7_rkFuee$sXE>=o-Q>Oha!6jGb#SHf&n96*%NB1`+uvPuq5F21LXNi zPfx2(mlj@@lp2kWWEwvyiyHIk{U^mQPyWmQ$}s*|yW}pqi%f35GUcY~mjFR17<)1O zpCLd>kQ+K<8^S-8F`_0pQ1fdA;i0`AG%?~s$rTKESb~PzCvtddgd_jdRK|u@>T}qj zs}syG`3VV@YqngAI&VFQJrT9Vi0SpkK?@d*sf)pNKATK0UR_v(!kqY`HdPHyhR>CG zW2f6S`_Ua7NM#B8%aBLKw5YtV`H}@zp1tZicB~gOrRy3r{gg+F@$=QH{d1Xe^+%T| z>UZZ&RYTKj2M{e;j|Mx~_s;)46P5e=7SNMoMBh!cC6 zKM6q008~E0$5>K?G=rN^(GLJXq#|PR`L-OyV=seCi2HFaAIMAEUi;pIMyOf$C5yE>xhXsFDB{4>t~`Q=ud4;n4Zx&3{+NmDbVN8 z%8i^aktnL+FL!AGQKD2iJ(CNf!iH6)g`JLu#;%Uy7X(<5m13VgiOUuzJbM-xSfW%= zBx`|S!|1T3lws#@7|Dvkh`rt=6RO4Ba{9lf_gF6noX3K^fF9U!=ZE`S7V+5&{@g=Jdguei&lo-^I2$)x}5;xO>|8@bf-8PCeY3kgUhRxw4v 
zS_F_?eF`U)hy56LLCe!@6N7`NztKtKQ#n~d5&2S2F}n&^1fVJ}?@RPQMeOQaUyXSw zGBJGq7ruY!z5PW#vz<$IT3GNdjUz*vD>jX-V^`-e@PV-AccjmPYNSl<6sI;7#Bl5o zK{i%GxZl%$@`L2<&w}oOlfaoD@8IN*_t!R_RSV$9v@5#%9U=|ut7&A@=__F7Exizv zI6anlN-p!%(RBvQ*0Z8EtJM2tq4T|RbmK+A=mWvM@Gzm+Hz&X#8qa%^bj|mPU2l(# zA-9y(m(xKVreX9aGR(Ti$_3c(vNgDRGT){#;A+_wmppHTLR-WiOaFMGx6l%&>clAe zv+bTBi988(p|2GUHS?PnUqfczTfxYwppqe+)bqt9hz{dzTs>^L>y|xkYp|n|+%fln z15HTZ6a?OHAxz*tdfFF2QHN*JI`n~3hU_EHnfl$!n!N`97X1ka&*5q$OtE2k@Q5FD z*B&tQ*3B>lv8SlwPN@#zy0mwYz7t&E;@H{zZI8ZzPvF07Q3pvZk{p@jVUy3;#FM6n zzjm z7iWPKdx#QlhMJe9bngU#K?C&Z#Ywt0xrWHv&93#Nq#(i^QjXvdp~N)x1_~R$_IRg! zV<&~WY`thWgz`1K+#DwsI*{XH(#YM{dkkob zMmbQ&X3@3XA2&`fs=nv-e;m>sxo00vXy`)sQO!VkaK>fK)Z}xV+#E+1IJciN-O7mp zQ(MUSFkhC=^wEIrhLreVJjmBmBWu>ozgq z>)S$_Jcv>z&&0!&r^bCL_S-o>Zz+X^*k(HgF;A5#4fo?5_LMh{TyCq0MOPC(1uW0G zA7~M^_#VaKz>n`ZN;kUM>~DR#Ry))wcL>_;Qn`BJv;?APXA-lpnyItT4j$hx<^{y7 z&4dwoQM3qx8TABxRYQb=9%tC887plGbPeYL9`jm$ZmiHmNJ{e<#BPLs=S0bqY6A0){$Kc8J>E2!KXWnQo4(Pd^`g<^-E@?LL){%+?he zSs$JjD&_VPa^?0GV&(Mk`iT1GVn;~!#!FaTFsq#vb22xA;Mx~HR|i7S;8Zyk1N{;8 z%Y^Lo7-9DgKH@y4vKwR0nckF=Y7%U$KQv33viX;SoY_tL6$@{10##7n5hmk9E&UIL zL0^_UuPd*B4nhF`39hn6@Jg}f-$jd2Xmd1#!JQ8l6vPU8XfC9eG8{bFS4a__$Zl1U zJn02wl6*;?0(ShC$89-IGc3#CM%7mbDLWv)Y5C;I6KbVw(BgJ(QMK8x_&kD&Oh>$z zl-=xKQ}x)9iR;jvm;7rtDZe-9`2{|cFZ&Xlf_S$>@3cPOl)%*DA}5w&Hyb?DykLUE z)=Dz%i>Q<0P8h-k|6NmU)dW#5Q;%R>7h2kaifX&`hkTsOLVSHJVtcDG>0^x7gMANn zf(>kRbL|oQ3A^ZQbaT8T4&_BDv>*c+esH zXeJH_t$`ogL4L3G6y8;K2Ki1@q8e9u?KaqV3dTRa*a-cK_0Chz#|NZF*VtREJOh=c z+1~c#TOD13_#Uv3$cjxZAxE>l-G z7yB$|l!<->+`2%8w}<*5tKrCmnj#?`6Pp|n!1tD%hV1Ng0=w0 zv~|1gdOrEH99KUSll90aU#QadCdhteMI~2+nl_t)o(W1__~!0R7ewLJQpvb(IQAKE z_oK@frCdkbBiTw4haBjmoGLxU2h{lL#B99a)Y_Xo&$VqQhByOf+q>>yV-t4)YLEse zZtRMZ?T7kmnybZ7-?jSO|Gi3G$7>7ihXQc~2Ds}8J;Fq4Fc4+RHm};Z0#mRmL_2p& z$>>ip5#lsZjA!ae=CI=esGm6~B(scO%DD`%?URN);m4U$B8>V(t)M5;h=zAkFt*Uh zn~oEdd-lW($8PVo5ga%ygE(FmG}+i$Fvu^g6F`b{wsLq>dfEel%d=4D;XM7Q*?&pt z!(E6TG|2zE`N)3PJf{bApqLp(t|V8d6{Fa@0n^I_Z7&NOi#*!R{QiVUjbMEr#f(*% 
zCl%hw3jztxu^;K?ro@Gg3c;L;lUH*>$J!4F%bQgknuCuN=9}HDC{1Gl91VVclWSTR0}-|18;U_%(h^h0m*zyjDhJ%DGfONg z-H)_O`nZ#af$LNg1HFX}W?CFX`?*dpwwzyiIJgMf{<3W@vj}kahhCR~`K34BVM72L z1LWMR4}9HH=p;DJ*q8J$XJubpG+nxjRyL^<1*2;?jjVVP*Kqco;w#B z>CpN)+O$1UK2GY`qJRxx-jBQZ6gOl00I@2RQ}&=k;o^t=`2U&%fXcF^{EwC05z<}(GK)>GE{}2Jx_)fN zJ^8muTRLErs(?>+Wzt5wqq|59SdpXNu9RG=7rVX<;#kMjL(Q@5*SqBC<0TgDE8Fs~ zN{4O)s-4WyB@;75a3TJjT^n4@C;st|`Re)q{%Z9Pi^n^{OG44z!@HAuxW0jCrryyV zj(_1}EVQh=sRhb^;NA-wW{`S+K;gKp(_=olF@rOYdrgsrHds5y)KGdPZ5t@G^kCMm zmBNTysS)-(U14r{atTYczbj74Mll;kq~KMj<4K9rn=v^#Svi4D-b6S1GCh_|j z@clWulRcj}9zD;b1Zk`eC5F9-Cw+M#xbhyrC#3UWZmhzKVt2jBZ*+Cghr61Ss<(1G zRU@7j2GF^dY!@7h2Z60Pl9WPl0BP-_T~dZ}WT)yPH}5Vsk#ikYj}hq=ypw@hZUM}f zS!2XX6wvgDmMnR_XU>3m)C9?Dl>7*ZbYs=@DX6JW*`<~qc{XgW$DUGMmXLa>3Bx|P z;Jyr#v~3QDqpsNtz=lz^*(7So@)d6X*uW^u3sr&)ZVvltFI+Lg@#hRm(Qv|Nem&CG zFcTxukU1DlTU84x$2CdOCzAx~6X7S5q-pVsz6h84{?K6Fs@|}X`h?;6buieeyegiJ zg;$FTjNwx8f}8t$bHmd~B6KR!Ravi`@x;+E9~w>%q-_gGsx|1)#|puzoA?(Ts`H=b zt6IkZRG54xwdjeqPr6K_lQ;X<5Z8MJN;`NjN8jXzyJ$TS@aG5INc%hh&O(+o!EYk` zq__!k;wrgo-RB2!B4GXow|y15APKhTCqv>Mz+Pz7x>VZ4 z%rzwL_M1ZXo6FD=2;s@qT-cvmb`O*`+9pt8nM}mC6kNGJ9x2?4aEUHYwMU&o zHl1VWnMXrgQWlvTruXc*mFjCR=#{poa*lDCN%4S1)Y6vUKHTgbGhs@G;|B!22Egs6 z%Gxz9P;EOao;J{y*^=6_%+p_*4GahXlFoJW^`<>u+Dw6L3 zc@r})-SMovCrsvBF{y3Bf(oeVD1v`hPmLI}zB#As{;!{tmHnWA(6~leIoiJI2ZUJ~mD& z95cuBq*H9Kdnx%;fhBl+Ze%)@O?#l985`;rD+cwKP)W*l^R8B;jz}YosOmq4qvGfP z+fnF0{iy#J%gfYx&-`jOxtaVLFaGKtKP>p1PF|z5`#<;8eGmWj9&Bne>IO9Y#w+aq zuRO_av)oD&?cDl0yLgYN7#Q~lfAIM@-nIw*dY^85cT&bXRX-A{eMEJ4Vjd5tAN)Lg zd^!s_G4Ra%Lptv!YcIlf;!wVFnK&;}<(+v@ZAt2BcLN|aagim#;8N}e!ZdN?6Ells ztC1PU;RO^FzLvKUs zSm`S{kUA7fpw`D#?eBMz8(!~>8u%`|IvcDWdjA(<@%jhVaCs@u583~^bD_83-*Zu& zwgE27O}vEHQWIUTWhpi8<)*hRrn}Y0nYAZP^fzN}@*xhv)!-PSGx&2;I_-?3jgyss zdO<)LgR(sg=5U9Y$idI3YNrea)7e7m6q1lj&x#w2hdRVJ0UeYN6ZY(=RI6Y=r|I80gM?!oQN#**c^{aua|eH*)kujrBIX}4Af67s0)2y}HtLXZm5pg*WN#r% zl$Fv1$4zW_l3`8>&gS4zsOCpD{LfslDG|;ke$XEN+-O(zjleV+UX5639!BztOyYk) 
z#wC*|rUo--n9Gz?C~{*HtN<-$G196f+~TC0v>6bJ1byV(3B1NlnKmV!7U1UuRyZlK zA`tOiuElT&qWs6;DB}RVFy9T)$nGC5=Dq%_>9+CYldNkKFy&TdMk(ON1C?-jvQ~cK z1tMi!Fnc&idlRLn=EGH(N2x6Io^)2^QM6I6S#G(oMDX%eO(5mTH>GB(su&`fq6oh* z-U1tl2~y@Va42sTKC3LCQpSNwCmFX1i7c4lbn1YO#agyX=`5>Lmhsl)ZZ?+T+yaBV z6c+&>WTqgakx581lBNej;f;D+HBqXFPBX6Jq^3!!TGRhaU5<@LuxI|Nyc@`wtQ?Fv zdvXJdtCS?IAOzfc5Otw5TeenB*#xN$J798z`w}UXhsClTaB}_k3M^S8s z1y*ZuYQqk3LyRxchohKZ5;nMes?E|9O70-yU(t+F$ydNg)9p%<7rX+o9j=a8Tn_+( z%hSe#_5%{XrihsPw-a>rP`SdS!xoKHuZAnrNIT%G04H3!5G`ITnz4oQr5!l|<%RBvb{jNw*tzD^WOR@gF_1K78FB+MSVT0kZHT%|hr@ zhs1GRLN>6URap1vDhTe-M&T%h&Bu4}vAzaqiNn3Xw;md@Oc3}^5$``K!?xS#m8&)2<@gxDXsdG3 zPtXPLlBfijHC7yPq<76>d!u?IW!w%rD@V7eirgE1)mb3wRocSfU-e?07y2@N^4VL*Ewqa9Dz-Y%{1{?f(?D zymS%M`A66T!}GDQ8>8NTTRQ1Lhk5`u(~`*X_@*_vg&~mY>_N{{aTG55H;3 z*XVy8e+RTxE4 z_c{dt|5()_>0Qw^PR?!&;c)~H?PeK@fFyNUHuY~WG`pkZ=XHDVWy7vX8%~BlR&E-m zUHBt&PCD9_n|9C%8w(PqpJNCC>3{LzL=mh~L71!4>|n?Q_B(rleQZpospj@6aCb?e zcA`4p-r+c!laj|@I<;$5y!jx7;&lD+@**|>^Owc3z}Pp0&LD;-25Aa%rk8&rV6*Q0 z9qLRQ##uYvp5v-_;2-|U-->&V{tr6+YJ#d5-QVA6jn@19?q+3KRaq*kN--jdFKnoa z7FA5cB2+23QmIO+Rzw9=B(V@12HVOFl~e<8MnWJF1Ofp_AQdA2fBpB|^ly9L+~?cp z-`{hb*WYuW+SfVH3%)-!uIpUad*F9k?}OcIz7OAmo#%nx_wet&4}S!E-PyTgZb&X! zM0y%Bd^5Dk-i=i#@QC6|Lgm+zHr$@b;sd-aF^Zb-9`x!RS`~V3hgQ78JY!o+!T1 z@LBa>CwaYlJVAm}O{osL)mZG!X~GFvJ2SH+o61GRGrSTI5N3X5YaH2;T9YjEV)nzJ z`cy+T@J1H2nUC~R!q;m%pr|2LrX#M#q#gO$nBqGTY!4loo+HJuR!GJ!G?S=YxQBE3 zLMwTvET@1bY^Mb9)#NY&MU_Q}P012cFeXQ#B^9zdi73LuBu%hMauEzIixgp`1dm1O zE#LF>UXq^r`Y7}}A{o_-7_^zpb4}RXghIcP#Z-z5Tk+YQxhjC^FDGWW#Fv4~hL?*} zVFl9`v1fDiq*C)%?0P}MB1&p(4?HM3`M1&JFk<$z4Va13dSNvg*W?wS$)^XYBg;`? 
zBWm~)ZLSc+MNC53k_*x4FL@bI3uB5U1oJD{ya6HVhkqJ{oVSZHYm_^nfHEgR7(woP4Ovt7 zMH;k{sI|%7K_s36H#d?SB8ytbG7tn8FjVRZcrUNH zoJ>rprRsyw7j;`X&fZ; zk>Sh|&KSJJXkVG&h1|OS?gqWPfyiCM8D~KH;uw2qbByDM1%3IPPM<{2W+wYO_j(s{ z0D6b4G%BJ+$%&VF!f&6ILvmI0J-ZvpFXek3vkM!|2n0|h{64M3y>qB04y zpe;@yw2mdoUlq)!MrJE4+S;YnrgbvSeI#%Z5Jy;x%g{wA?eVR$>te} zW9k`Qgt%;0vFr;68IKQGSb>WVaWS<=NuM;Ds8akyYSI+FIgaw&mDrU|6Z2H>$e{>S z?3sVba&-4q8+1FptH; zSXEV{op7#wxVUcUqDq|^s?=WpN;Ij`@f~L-M@|h{1lf@*wdxx4#O!(GZB>QjKoN|* zi7y!szPSz4l8*7vQBaG0MM6*D**S-u;ICPcvhJl9zq}e`(9WBDM%0{4Xj%qREz_DK zQ_6HDP`pg`5(8G~q+&%ohqxA*Pk(ehbY_dnY0_uhk!TYHX1nF&)Kp3+ia|Ujhk4Gz z37&A1|2ZMRYluyCEV&9A^V64k=7MQX%J~eSd7z30}r5QT8mPIJysSOL^g-VT64kS&Q0z2~2CFa;a z5!imA@0Dexu(DfFVvlej#8J^IMw{Ld8E8zAAHmj>iFyw9v0iAB)|Y!=MRzxf#!N=A z4ia|mOVgE%jospH;4#~_Fp*qIh-?f&Ht=9KUL!T+2JmA!*A?VS4jcD7PeHT=Ds)F_ zxS_e)TfQxPNJ`e?cR$u8Ry#9U^h%xQaRY+3j54!5VI%7jz#H-`6k66af7fk;H746o zpUGUrpRWa$c)Km2i!Q-J@}kfN0{n;`VMwYR|6)nqAJMttP@UmcH*#I)U5q_Bc@E4- zhA~Looda_w!QZZvO*XcTjcse=WMezo*tWT`ZQHi>#I|kQ&&mIsI(XlYaJqV?dZwqk zdZub-x@Ug(b(4SFQ`5xL1b?c)!6TQq6sSsMmft5WaaIIqw;N=3FGP8dZf;0+$I9k0 zMxGBz*jZ+!HezLgCK*Yua+;0pipA>)9iH+O973%MgIr3idnWmo;MkW9K z%_}e#5*i{=l%o`kM=r{$5D`fW&{W3$v|0aFHZTqsrqs;RU6MS+KgB1sEJQUDZkI9P zD7vD;BC~F5ivWF~j~%ac^L6cF?Rpy(RZ-o4*=a-Q0%a1yNt=F;#3D@(a7khiaE6RZ z*hb?nBjcQa!5~o69{b}e@FWaO3s(wXH=*c(llo{y(jAmCOE6P1LlHS>;Q8Z)dFL#9 zXGr3nK0Fyr8AUzp?Xw6a{V6|zbviMJ*@oy)s3zD%DiWJIftE@^hF&n(2cwCU&z8R9 zRi^TILI-!GR>^}ui1@oaguU2|x@BMv^(a7Z=D_D9Y5nt3>f^JR*i#U_({FT8iD9v} z{B=c--{98PB}>Rg4UCGkgeHy2F8&5DMNBYaL>Fm7WdoM(n0jIWhDH1LZvKl2Mr`__ zhLdn~6>>s*(1+6Lm)GHeq2UsOpp&e2Vam}}RM1PY)XzbQi2#)`MM(wlYAd>3M*$ve zF^l%Gp`Gi!H)C8C%Nf&eqo-;wyD2@PFO)c><`7|m!4P3`cd(nPqpNfCD(?|j^X-FfXv|CT< zCHmpxA3-bCgtF>v0fqm72Z}&u=*TOgRa%&Vl3QZ$`f>aZhvGj< z_Q4lS2TGdIk^rAa3N0g1_iX^05xrwT+oa=6n`1m3Q3*L!dos2IFMl~{=Qtb_e3Wk? 
z1D^C<`|d5`y(YiCPbgQs;xdHfh~ip=A@l<4-X;jGx|PR2v#PYcgh2}zQy*|y>@-<9 z(7%q-t2AwG5V|es^z*@2g5%<+9%!}!bYr#Vcd+6p?qsY8~W98_d~ z_sNJ>8RTKcl1`~xTU+ZXDd04Cf{ZDfT61``LPe`aYfseUEJ@8g*v5X->pMlVB$>rO zkXdU7y3zqq>@`gj$j%UDv(NzOHsdCtI;?A`f+2tEQP{AK_3`%rsc8n+&S|gd-{uGt)O+ zX4gzB5c2~9eSugz^o-veNA?FpH9>3DGK6->Zere~F38w~6umcstZgxMh zBRoZBjgSi)XWNWu2!N8SC^m$rU$mg^v|ps5udXK6vFl1|>~SVIv@?#K$+s@Q5iEs@ zWEZ2HG09(e7<^cxOoL3y1b!b%;e-VBEs^shD_7aMpGr29IL*CZv7H6 zs!z^08Y^IewT5`gMiWuc(SNO0WY1^)Dx@sUr_uQGGRw4sBLt7XVmJMA>CfI>_t9gp zq~^L2beycJXx+ffzUqStCa`Dhx_Ippw}`BPMN@slp&Emwz+rYrOlCAJ)&bY?Qd|zX zLA>_v$}Ux{fqQ9lI|(kNk7sx_V+DA}UNb*t(uS&M(cw7p<&UyHm+c$deD>~@G_OWf zG;!B{M9Be0WQ90DTT4Xsk%TQwCv02$_HeW)w zRnzOCvjbt<8Ita zwh3P(GBx(3PNVTde-}AXDqnMEEQi!Gfr7w)JvEe8n!Xnuqq}ZMV{aVC5A;d3FM|yE z^Dnm76w8dcfoz9d3DS!HkauPig`B~arjo!bjO8;z<%J^fDjoTK3&y0ym~#_;#v9ek zU`W=FDl$7N7Ocxl28=RmkVlZN8kJ#7=rzaoSQGoK34J#HdpC!DT5}%bYXVQDO(2Um ztCvZZd-wF3)QqtfB!?v(HA<&VFpe)Yu~q+Xt)#sxds;vQ$1Q0j zZv{^sQ+ijOu@Zdcn(i&!zv^a$X-U&ZX7@y1yW zeK`f(>q9*mN{~@July<E=S%gAwc;RW2+%)>J$q3n5m$8 z*!S52xis^}>Ft3?t72W~dE6iQif%eE)c0-n3+u)eYieJP$F-X!*wh{Q0p1K;gN+yRAVCLbwyXqD=Y97k$518SEMU`3EFc;zsSZkm%RPB|bJG zF+Mgb2|SGZ7Cb3V5FeV2E&@F{+8rn7Mqwg>BDN^cpcU20iQ_aAlhG`{u*86b@xX?; z4Z-s(fiIZn>+7}rOdY9~&2%&%o0OEK5T;>UKaaHVm!gTBp@Cuk&YTE9th8qr6dMLE zQ=93+iZv)qg~0)Nlq8QNe?dKFnqk^kOAxhT`M?7%(P45-TI)Kkhu zM3H~J52U|Y_A0)t;6h^XF-b8aCK9#v7M{&cp`j^n1nm_i!6*CgqvK;?%fxGKjk1{+{#;4G8Y(EMpm&Y zUtacBJVL&nA&DWe;o`A{YsB#g0JAmwxd$YI@dVzI5C{dwP}Eewubu_9_>#`P!J$zJ zVQ;F<-Td9|CK#&QxH^Tp)zJABv(5>(Iy3Kh;z2kb^QWU{*e_7P5C6s0&E2D%WHlHr z;S5UqL->ol)`Vd+9ry>Nmys<>iyAW{stufp@VZ6L-N=sun zgAmhE8re4CYD#Bggv`9lKX|vo36%Cf;Xm^7C~e5#3-hWHd4wA8+lGTAf+9!2tokv0 z6#tN8LdhcRw~jV#iQCdb9t=Iy3+NSHH2eZcpp4}M1YlO=ad+hikkyGnGNL|o+sA6X zLC3Ul;g*B1;DOiMw;!pj>iiH5G`~-_d_XrrOHH{8;6|*ntQ@+8#GT=-&YcI(ZC}8= zb{=UelwAcA_6wjdF>yvf8+gKZ`1 za3YQ1n`7+;ak3*9Ogz?#R^j&? 
zP1@{Xhd&S|nGMdQ*PC$M9WI-^2>{ri0hfz{OLE#i;#-T4FLd3 z>U&v>$TKCh-1A?~*sUB{N?XwP&G4IE*JB4O zdt1{?H!4riDgCgpTU$K~c+DkH**&nKJ;9Qn9= zd(r}DKc4qh8r)ELISfft5SQtHOpFAZ4>`QTe(+PBf9rOBJLCn!6UxUu?fke$&$cC|nM@FCix>6w?i$Jrk%P z2885BsZvKEckXwF2xyQq(@Exj>*QhCx4oWa`SN@#@Ymm>tuR6({*Gl7cK3RFL!^BQ z&^CYj9VREF)ql};+-lG5Lh?*bO%X+zk(2`kdfr9U5(7Ee9I}6W=zZBY1<4}fhLjYQ zP5tiH;#KS&ryu{&Y6o3u=1XA`cDaj&8XRRH8{nU-N*WwF9-^tYO$-5|ML7|y@&^Sp zL?dFPwE@3qh07`H9ICgP1`GF&TaM1dB!|Z9H)|*cY(bBm4_*w8+Ln`Ki6auNl=lvS zm<%IjgS?WWCxJ<(RnPH&4>V8^PbB3bq#Zt+19T?!9eyP53`BTN#Ob#GT!MzHu)0Cc zu34oguorYW8?ffhgdm+(#GX#l9uUOYuKyfTF&}Wf^k&bIfgmX^|BcQ{>UW)>#l_a| zGBb{18oB>g;L?FwY8sn8s*}W+V5tP_OBA!fQO8a&3=iwuva-M%yg9^|#6{77=;45LB2@BH*U}H;matR|~V;%U{O;BTDE0HTA5Lc8% z))19u{o&m}E@>c%JMX3`QHkLKFMTTJa>>}sSPd5SPa{?pGx7m#sfZl$4xbF@@~E@t z-f;hy#FXqbR<=m8u#=eGf2^+zzUha`wwo$V57&$*7K}C#S^R>DOXO+&Jevl`64_(Y zq32M^on^vj0IkjB`wJNRrguJO$RJb!*SS@WXW;KxM*}wmQ_F&S*E;b#qK+TkH+-F+ z^rIIbQc<3Ytwyer15?Vhbc6lqpx#McGjXf66IbIA_FI~n25uzI3&VLwV_A?w8#`eE zej*s5l)3K4(iA?@?zQz^UeGlxC+Cgj@jj5D5HZia=HGC)&q3zUq`GCgXk7K*jEz2y zwg6klSXgQ4>4FCnBeuufuD-e!f7=|f?p8bF-U4ke%^JGrFex88tpJK`#F~D~v+ax= zT~2sB{*dfW0*~990<@pOcqW)Z%S%Da7yX-+sfcM zKB-%+Q>#^FpwNzK6Qt`(K-hg?XeR1jiTTuQA7OL$Gqc!dkobu|va?JdKIzeAI(wO| zj`ct_8zVpm=SIMFJS@e|{X{(semuAKpv6MS}PkHE{v) zo`QXa`_l8$_XQtK0cWg*@P&wl6iu;o;fH9a7}gl4)HexDi8V=XNe>xx^71$~GI;W< zgnyE1lCy;ub8cm{r*viTb5)9UiVcd}=C%*jiLD-LXWCJ;qO||$9g;1QJyNu!>Whks zN{aRr@2NZzn;yFV=ovGNB_1*#vXHTzrFvMQvvjeOr+sBm$Y9E(6eksD7B47SQ8hQN zr`y1D5Tw^<)X3}<-_L6*!DU9-4PZ;xruj1+EDuhe)`rCvd&&Gr$7l7hnln#aV_j=p zfG(Z4Ricm?lbMrQm-(BqkiN;B`L^+n_s;wI<~{7aE26nd_SykQCOqzo`Nt~jM*KOpR3G!VW-Tti7EAYI4+Yqo(LEtue^j7FI>d4L{> zQD5Uq+-&r~LmoGGsZ(z;$8Qs5PE%hwtJO1xpY-9lqEUqIWC~g9lT_L@VO$ap?lw~- zhDnJIX5-dX2~ri?;wg%{1lo)3hGNp#%!Jnt~x(0(UP&$!2f7! 
zG-*4lu&57MSQgvIR8mmvpmulC_lHK zRv0^_Psj##m*xCp@jQFE%YsE?iV?tLg>-Wxo0Qo{Jlu7rtLJBMMJ!1zx3tf`b(G87 z=Oh|_s%mSZq;7D-DV>6sg)PDt!0^1jdN6#@&hA#Y*HJeN2?$UU6ohLy7~Rom;_+1l z`>E#Die zt-O^v=t+OqG5AjLQ*qS1DPmMd>qagXPl*`wh@JU}#c$9E&;h1n+?ip3@7H?Z$*eEE zgHc#mYBqC`e}fTKi>vFMP&}{9t+%sX?br^08f3e6G~o{H3U5EKMtZSM=)Ib3sapd- zPg<7q+H|4j$4W{2g^-LRNaV;h*e}jri_pnHCFyMR`hoDXsi~~{3(S@bxf2>WNmr+E zw}W~?3UL0Q!>eRvE0dwd<#dYh#_;398tcV=rr2Hjn)Mthj?@Rbu7N3aLazW#cX{X7 z+$ttKEIKC6DkwI>3Y?e3ifD8dq(Fd_h%Ls~Qoyh0r`^pTOcDtA9)uT|Ht}c^^X(7o z8xZCv2mH^-v@DxnhKJ}-0Z&fA*8{Z?TK zkT}GMKAsSEaczt0Tb)(r>sB23Tbymq6|+{uPa^JnWY4*@lcC43Qe!PeGlBRVyb-{^i|c|+JhoW>?S&o@=A zJ-#F-`+0zFyS~9BJS=f$uZS>h+Csyl`~eEGlKLwH4|Ja3`6U@LS!x?2H%sWPFRr1i zi_-8O<=d8uwt;hW4$vCMeD}|Qp}rIE4eJE7gM8=_Ea=d{4|ojRgyV5Lo0lr9BZu8> zSe`iRrVpyDde(2AjPWXNOR@TbLZb018qKv)*a7HWoT>D#hO; z_Q+2!nFJB(I(l>C{&PHJVeo~~ri$6fi|26a4N5>$} zhWNAp>CTsaHuHg=$jrH2|HP0iQ@)pepU;Ki@?Gqwy9eGs(jHw^{U6y0F5_ox-H&w# z^w}wG=Q>Nw#*0O-HM(XSBA~dxgX>F zSl{MlGv}~HdOU_9dwfckYS^*@=G0tx`1h*ts46R;-Ky89;maz=Sz4FZXI4~BAz7$b zO)Y8U(YB;ZfX&zwx9jWGs{5_GCdb^efgRE-7n^oT-JG(dAas#EGrl`_=JY!J+9qXV(ejlFB2Yd4e$q(s?Yo4meJSJMs%aDl(;9vB&=6KP z5~_Z5HGX>&(IvUo{D2q6gU)0KQQ4mUjCPY|0E6ozj=a{@Xu-GIj-1Q7H@t42=Diiu zIMaUMdn|#7OslN_nx9plNn?fh0W%9wkkg|eH182-%U$rSIF;^n-)+sESp z?4kZG(iZ#8O6h3Q7lp%0G}EiGn;n>$jARa4;MZbTFdpm0I7gx<^beUp=FR7odX8!$ z?z4m)hpqaLXal2a3vixvz~KmD1q(3nmj4FfrUT%j$h`Mtl?Ah`9~69PkF~mzsLP_A zE=wyIuJFx$zP`(W%m)6z*HH1z>$h;9=CS6QXVd`vq0V~zLiY=pUxb|0tHZ18m#T(@8k?dJ6l{@Taeav z*1d%G{A+YlzxwfB#eHw*fzjpF?U&UNJ?`^crVpMKds$uJS;hR96}<*U1ZSSO@8u?; z2oxbX8|QjtZZ@&(*<=Dnauzb_>jKE2U1oXxcB$Q?l0(ft*XU<8RX^HzA3JnfHUCtg zuc=Hdav!jDS2i&CAUt&RJaqn+wcUM%&T?k2fRkj7*1^%1$>C5d&P^P6)J&yUNMBFZ z6kZ3lvLB|Jp6Qr+wJ~1Lz2m8>VYdg)YK2<)P0C!?E738fVQU>Hsa}TjM_jG8GrWCW z?JK$ps3duQEh}v;yLGEy3*ff(+eLq1d^WeUKU%T99hC@kAKHvl_zDU)J(zq-xkkpw z5--ctb-O>aX-v}}%g+`Lyf`i@rkHrEjgtvZx8K$MVN=lo4XyoT<2+}_IW2>{B5$ZE z&fM_6=09$3Vv8UgR{+SO{siM(=R0?qJSMP7l9|Q&_%LDgGUtwF67E6_l@4RaG2j2f zi3Z&c?1HMLko9|ks9TpD<&imE! 
z>oU0iDdw_}^=SiFG88o<(4$Jo+SQUy&eb=<*C}mdSl+B7Yl=T`sH^7?^Vqu+`rn{- z=Hr%sg>lg1FXmm;YQWABbsBu_E&W&sb!YYF3I&D+U~<_vOKQ--d}GQ}{roK6`opph>&JJogLH+G_9T8}X``n}tyNgEFBfhvRUfML>=OS@)M zll8Qt;po4m=W^|<4-TBpIZJnL{)Byo9L~o9ZEGABb0rq9o^_`+cS*Xqw8*UL;_wWI z{snDA^me8Xzb!yA+;1W@TSJxPZse}W>8mXO$0wr-Kj*>p>g@(%*>w;VE%Ve>pkub2t( zhSniXqvH!oGo3x0h8_^k7jDud<*c|JHA}pn^Ba(Fqi)XKwW4Y&*t}G&8_xHXA39bW zqA^gcGCc83*`|kAu6sWCvQjmp;=&Wg+THoBdwvR#Z4<}+T~1XTV&S9gFByar@8sTI z_Q(~%+LopVT9NmhcD9sU4c|Q^qakr|Mh7D*@I5)ZuPxDYeAGTbH9<8%mD51`?H}6! zs|j-Y*ClxC^=Sb?4N?~3$@7SGg>*67Q4q7cHx`UQW_|ybm(3ctAeq>@nRvSBY1^vU z+L;>%1#^a3Xc9;#hAn0u?}gVRg}C5;yj&~s2wYN@6)T687F#adZal2~7K z;(Fx}|DBrl#Ga?S`%V9=_tzAG2g;8-S2myC{rU%N3v{l5b`1Cr!d-{MbIat~wN=gX zDcfC*lc@=fXYKm2u89B{Ev6Cv?#-)ne1+4isEym^a;wG{1}}CT+5UNp;E3(@*lEEb zaTE5rjh;T$7_i>E+gIng_cjDehWZ?SgL9gjb~D?U75wSd%%Ym8`6*HsLtA;5|rHrpGV4YU{oXea{zIILu%OZjHcy7xc#2y#$>q0NLljg^8 zX>s8~quDri(QUGB6Cq8BtqKcw0?hdFK*s)6UgMvzqGHJ8q*c?NZJL3-a7EY;*M9#&!&SAczXct6yJY*G%vPdou*upCR=h07-QaTvdA$VJu@I*fzt_ z8@l^0WH(G;NvCmBq35g@k~$l&vP8*96tWs22{x&k&%VQ+GT(%6newj*Qu>E?uJK4i}Iw3IA2*r7iz$>Twk}a87)6w0|Fxs0_y#u zGJwaT$@?Zhphw!uOBVo_lpR%N`lF)eK;_h458Fgqi$ZhX!kQ55YS#HVL3@Bt`O-VN z8FQl&)pch;zQR>)hhOv(pDSfL!K$q&b|bZ19PKLyh$#MYHU4%h{XGPV20ZSiYkaig z09{e9oD78*Z{ZmjyWUDvo#E<~v0;{7FPllqD2|WZGp{z%K@Y3ClR=Y*S8a*zwwMMY ze`w~e9&>#X`U4CXO(&b%uXyIhl-nk%nF^MxCcU4lN+g-{)_ptOt@XZ)Xx_1V84@pH zF&PB*$s8T}-d%8DGG#4oJH}<1cMRo>c{8C3xyht#=jr?G{miWARkt0ZGrjkP&$nC~ zp3Ca82inP1{9U|qL#`B-MCq-(E9y6lqmA|*vI8eP3i4K(v=r;6F02=`*6WzXx^?0jZkvil^z#?3R2+u8tby9>?AZ)oqhg&ctEoDZC5HS={ZC7MTwZU}+^3>ge5 zhq~Pu?2?I+9g~&1{YE_6h@bTQUA7lhd{~oElUKtp>)eQqD;3E!^WjZ%56R`t&)r`d z2EV9Hf8s_pE_|fFrHDRn5f-Otjl0wa0uBut2`sx$_cXjsT9S~jU7t8-9bK9d>0he= z{W;sE^?r%tub31}Pj5N46^9{eLCr4botH+k+!uAJQa~EexL027rA*o>cX{MG*1sUY z|4)-jxh%*n0tg5!h*3Ex$p218-*0jd5P4xq#UDu9jvydd|Fc5&dky9X0wOLaPb4TK zLZm3F%1y+`$VmTx7UutynL(IY*f}^@xj@*s7+E-(Kqk^aKz`$Zf{@$&b1h=ulRmVj?;=dh5-ZS0T)Eico|1(61!cm{S|kOswxTX#5bZe4A6 zv|QI5UJq@)bX>jnV7ekKiS1hh2`3mneYAVt-|NpM8kyox^xutd#xzhUd`5tYrto^4 
zz6JjZT$aBC&MzRGzUZxgBm*7b1)gS8bxi&44-jh!+xO#)rGUV0f}G=})6sKKISHfj2Eqq8i>*#(Yl6fo|X& zA1gyYdlBM9k5UWNcbLLAI!j z-9U9eC4PKX;$in9`pxLX^c+rcmD+&2lEy$2cD^S`iz>S9A}ZHgX@7eywOai_X0N+h zN0a>xntOSdSQTCyOC4`j83g&huvqmQF*=|2BCi_^;+x0T!T$`8MKn^dFMl0tw5VHr(!4bz8B` zFMD;<9=9|RF*dN9~8}is2QiMm7N{BN5F1x3}=UDCRYY`mv!+cHp3=nRBZ+)rddX#SV?3E;HQesm4 zrGAJc98CwiWK82V8r5A37Ia17MFaWzBF1}yS}3<8yXG<^rvPTh;iG*1Ct(C#Q1Q!7 zj~*nXc4L3t(m1d<^VOzjdYKDZf2&Q!R^|fSL9B`ygmj(|1L%A7&=c2^2c{j z2B2XOG5^3>Z_Cstvg43prxy1wM7RaOhkqM&3=Pt`fVI-KcU;J55|;now>^m!osHmj2y-M3vt4u z$}{Il9Z?@Wb#2FCT_l|WBQ6{Y*3)C@H*YFuxz;L+e4{}^9ShslY?tvlsX_wqbl+#5 zAP8)Befb#vO(2PmeY^hc{1m-%$kj5Yr?qbwy&d3<5oS_&-{!vEleKc{I~kF40dDw@ zn(0!TJd}C)5|3Osc?84GWHI_8t8UG-W&;N^l9L#&pJ66j0CMXOAOPgx? zZAwF5U)!g(^@Y7V0v|c^55rx%fU{5FR`AO%pOzrEwtQw|Y_@)GrcTQZ^e0Au6RizE zDWGyShm?YOM!En9k~3jOkuV6|(GPv!HW9S6`n^YUM!HU}^O;ZY66nWJW`=oj-?gY_ z81oUc1M6gp^;a{m@dP3)-LVdE50~Xqg>U@qeUmi~%1SlRe^geZ@0wS!uj=7r>+BlN zQ7W|d=W+EjQssO;0B- zYbzVu4&mR2S7{6bJPs=nStW7gH2>*@mwR%#D}g@3tBCK;&Nd;yIkWuno5yidDq;Bo+ z|FaKpg^GAcH*?}D)5!h^R$d>BICnO+y&!YuGr&>&B-Z;I;L{ zDe!3MxlMW%vdH&MBLxS$Ac*Q4E!{FhkWlft%FsM$?Dx<34=Ria3h^(O%ZF_M~SK{7)$gq9}o6% zEFw&zm@M61xi1uyWzFIK5i^i*R44ptO1^S0*`nnan53*;8+g)D-0Ov!ec7ilZ=OjJ z%O?P7 zhTD{f5(dDphm9UJ2H@V1ps1}ZpDZ0W^24rKf&G2m59+CdyI1rIA1*snM|hA@#Dc#; zT@PDbLh-B=ZD&hSH?0!>zLD=+3K86X*9g|%fRDaDK)VM-WuR9H5vv@1 z?Cn7X(VPlK!^^e_tFf~%k) z_{|pi#{xjLDic!+@T3aRZ*67PkQVQoe_eafFiDEv9V-N zg#Uf%A=EpAcRvGYtmmUK{6_TYd@{_ub$-#&HKRCbEIpMiFW&hbNBMfaL3bwt&$_4o(p znG0qo{P7ymkl>R6A&~fUUikHCIu*YUsIdBZSC=SjhU6X_^0p(q?%x*swpGj5SzM`W z*7%T^pN3l-=sc3AYUV;hBYy@Oo?=0uk-JIHbsatlT;YLyjhaHUAK3w><-s!qJHCHS zaSTOizg$NmHpsCn11W?*3tWByTUMvgqJJ|zEO4!FvIJZ_Y?|aht4B^o=ZG1v-O#p; zGIrbk5U;$xs9n0LTlxjTMqeZ;J_+_@h_~KNjl6!^b1-$)R<#Ci^RdL?p3GqxwKZk0 z=fJ@-U=oz+g4oUI>r3Jj)fjdcM>Me8X7BnF?w{UEPpEe}|FiI={qw8%s#hKYCvF;m6=@;>duSwyV9+6Z#BOsSKd$L1L+dZMF8B!TF(i-%Vhl0}mN)iH zfMyRZhSF~P@eiiyr*eD5#-4^2`kS+U4X^yb&wIfYyN{aC$|%dbP);CO@i^Mh!i~eq zl~-VV*$uKPo`yzQh~iltWTry)Ss|0OB%vP<-a7e7N%>|Aby|OBp5CuYreP<`4|$T2 
zM5dqk_(5y6m$(?_ULylP-XTGs%)OuhQ$Uq}F=O&IjFtSeVQXVs-D&F12O6~>JRwPK z=Kge>1DsA#`iFKmi>7cT9%-CrBw3bnb9E&wz78;s+ykO3JRg16q=7U3trBemfcH!9 zS24?-A`LW3uk$L=t6S`K+;VjNcB)C7Vdo;A436uGXh6dvF-jZuBo_Nnn8PTnWCC`M zsKq8b0)nLh7DGLhfZeIW!o$<|uYpQ07UhO>Un1FQPP{GZIT`67ih}|c;r*r%51eOa zf0Jf-&wW2&L_VfNudYK#|7Qn3V;Esvj}MB~9PpO8R$qM+qGt#eSWZmGslf`0d0H3+ z757zn(bWf61W=L*QrWvJ&P!pxjh=qSyPXR*UBE&FQJw5G?gVwyqR z)~$d>oaXxy6mI5iaPBICT#JWSi;&9_6BGj;)}ri5w&=esfLu!gS5&>ER4K+^1!MDD zbty@d*1=j>4u?z?)=8y{p#>-SA^vl4jIib4UQI~%ROaSy5OsZobYe>cfAx>SU41DN zB^93UCI9FkQ#t%nyQfgOl9lUH&cC7f@&n}Kw0jn@N&Iz|?Fmgy+zj1*!D%IgJtIqe zgdS|xBYrXM=7vA)fz27>OTp!*D%|>Afdcik=j?_q`Rq8qgP5(bD0l-5kvPkJk$HJ% z5m4oy=y{Bmx1W6iKQ8wa;epF?W)Ry5#@QI1Dq9)&HSSD5Oz;`3zu`pWd9X-2z%&KP z&uQh+-nVh9a`7t&NLjSPmp>v>KqZkiSnd5C?C=37@>@LiR7jvuE;NIt)VgwL>-ft1@fO zf<-$QFeDE#r4()gG+GvnEO?pJvlmF-bdyx9RSSp{ZBM=4*2;W)X_W$_V|Y9m#Eg=l zYNV07UM$pOx9rBdJS1vGGY&37Tg6`7_@v$zil)}n6&u_7=QgOohhA5~e-tIwjxsK0_S`6kocPc`0k*`;( z4mXURxYLg~UGg~oZ3E(jcgc65lUW|&kV8rEELP93z?R{%pk@k3NM4>+)U#3B@=T&T z1j;mH6ZFeB(w_gmk}5_J%|Su*Q#3bctFuR_El6L>tJyIDYC98zf zqj*=u>l%dR*YXk6b*EE&J!m28FgZ)6h3vw@g`bYX?PNvlqV2TtK+Xo##g<{*4iNFK zCurl*Q0I}1g%<{$5|kSn%=DVhb*CR4h{iTNW#xI z;0zUEkY_s7b0t29&iy}ehiCW5eO#{aen4-}ADf_^^L2ba2hPdGSSt!R!~&$%L88W+ zAk)YF$wQ<>Ssh$#I#e{_73BugPfGfUW!9P^s%Ch{pBakF7wVBV4MYEX~9mmK-6H+2hXdA>lFgCPd1HyAPenghDHFGS|U8WB+M-fG-;Yw|-Jlu9^ zSH%bx4W&!=+kJP&%H7Fw?4)XuO?e`IE*2k{XFPTqRou*R7`4R)RE*XG+Em+-RxMx0 zi+OdgMa}MqAUUjM`7h?H^I9{6rj3~GqP$y~;1lf5hhJ2|@BVAn2?owj?C%;XM4#zq zmaa}Sk0m06aF{C~nj;Y{UZ>ygj+za&+VU|*ZMo{%yoPIk!W&LktQ$Fkv)`{Sp;0)RwU8@Pflh)s=cgmo6qe!(G7J zHx=TIE?+6trBE`IyJ_QO`!%>NENhJ!IMUYw9Xt>-a{xZTo$?^6VG7V^SX`5F7K=$a@LUL;3r-hCF)d zJ4IXdQLV-D9-4PKAEhQ#r7q|5PB9TlzXL@2EVlJncKKEx5u; zN(`;?)Vu?p@W3I^=n!V(P%oW5q*zz9Dv~L6_<_kSJwv5({#BxG&ASa3M(qnteHSdtd z$2j%R?JPML&DQKlcRA6t*3-b_#5Ie=eVORZ_IlK4q8&~1+wxlbJ$dptHSai`8ZzPx zx*s^`CyD;dpIM@PkFZay(LS?8`ppyU{fixafJpMPo@$7k4uuUjtkv@;=RCOkr(OZn zS1!4ld*z*80h48(UI!BnnfnzJ&ZW9+($6`@-3X!0Is802XXixB?2V$gT%sR)JfU?0 
z1934ry@7UT1G}LBpI$kiK}gL&^Qb;-p9*h0)1TO>9@CuQ7%bIIm_PQ+sQ&a)I}Pv6 z2LIV3ldGo4vY~e#s!UtcoetwsvB-A32T6Piu~WT-%eeJvt+YT#vlKt}y)j7Sh)wT@ z|DX%`;7!emIKcr&+#+R~@Hd*0%0>HsZUX;qK9_l^i{WoM)mOhGl*{PNdf2DN%~g2h z!u!qD+BBy7F*Z4i_PsK)GwpObT0iN5zeOs%?m((iJ$qFM=f!%rRnnD*qt*R&dz-TN zKz&)Z+(ovqpyqmc^k;K>Q1ZP5ux1#a|3D)zIsoQ(u8(Ql-%eRi8$ZpWZ3gQmslypU6QViIk;b9Fo&H&=c9 z_EXC98J*u8CoXpr&PKeCc*HMft2Z~E8F)SSKM&hxojeXU^wkgWFo}5JxeQU;E*`#h zUQy5QB_`jFyA#vMx)!YDq&@Vr?~-^rYG`>gWPf;%mY|-Vu9zPx0B!d%HOz zJS8JmN5K~i+jd87obL&*FmMOOO<5c-deEOoUh%Dd|NZsoHLtzH*Z+?Zx&53+Cr5LY z3!ZiA+bhI1o1jFxuhJq5)#?za;EFBi&eO2%@&fa<_mmyB&U!rj_swUSe=^p8rju$J zIp{T?y&2}-GZmZxbm*3E_iFW6X5a1?_ajDaU;V{?lxO=xKm0pw&;C$7KYat)bKbvH zC%^MuTuJMEbQAUtR<}oOe{Zn&Hvg&BZa&^h4gPc6(yI^rHvGp_nEQDsNBzgQu2o4p zcX(#Mrjk*GEOA9Sd&s})oOA{o2?mR^y5_tEz;D_8sb7h!c-F6h{@Sz})$efie&Js` z@0INEov7hD=DG~S_=TV9{k;Ch&8~lwvyxr!|8G69vumE@?BtktnB4Cr3IFN$XOI_F zz&+NXE*PqLQX1F8(1q7jIR43{<3Bz4^Yq&Dca(8NIKJrkg&D;5aL%F9aOz)W8 zH$MeiXEX(D@1<~<)5y-tl!qhFI+*+F6_1@4x%VgUIw&vZ6_Bn}q-fAy^E~XNXQ&EC zP&vP_%oK%gkcpoGeErf2Kl6}@>s>M%&Vbwb!M_2wAUB;H7UTx=qS@P!8*(z-fZOoY z^gwP@1?50qTm;K1z2mYHubgb;QN{2@3nG2KGQwktOyl6Q=Xh}g$=AiiTDH8-19?7t ztUo?ZADO|#T7G&eBBb#08H{QjE`0EO^{1Acgb7Go%ySe4&1|L?cpP=yi#<1qb8}(E>QSf@^ zu;+#zc~v~~!|Yna%M^S_oYy)w{%~lUVx#va+xe=wj#jzT2V2XKn7}Rkyj;6ga+?ssjB_-O|O( zjwAVY6A@~~8@{jWK#TNB9oI;_#9j#~yI{-zR8dz*d+>+6p!@cTMN%02P=sgi$r$p( z-~EcNLj64unBT5ANK`+|uV?Ke!=k8TNhk!l_; zut7c$4k#$@oHe)V8rz8(?K)*+p5FUf&fT7eW(#xfv)l17?YqgMUVRpK4)a1EJCPI} z&8{B-_N{Op*{%b*Yk>7gGr)h&gFFXfgFFY`pw9v85NCk($TPrx5)AMik__-1`&Lccza_f|_?b@MW4J;hAq3$4odyD? 
zfc%DX+YkN-oL_(_>77{h##n8B$%j4lO31EaHHIQct*bv z1@-o*MBFs7Y}MCq7~d~-&B3?Aq@K;8u|}Rk8P#N6u;F}E?~BA_mqvi*9~K6{3{#Jh zh?D33jnjyUdNk@&2-40uKZ4ZGdH~6N2bh9_n;uH2*bcC-CN%a$m0zwSpQrVNk7AIW z(4ju4)%BxRach`QfRRwU0e6F6W+$KPdW`MpVt;1vQ171;x509ii_SKt^jFK>AuffD zIJ2&H#?surF@I)aGo`*jW+&5Py?fjo9;qtTW7i4q&U<$Uuk&9iTutik`Pf&#~5XCljM(FT^1;mu&uE7V1 ze}521j?jF}Qi*r!H(`Zz8uOl=d&8|B^L*ViK{%y>wAN+HMk6iF>vj8d6tes%Daz>6 zmsiti81@W<-hmyTqTMlC9zlfF0XpoyFKyxy<^y-Y#R0CBD<+5 z_1r`hI|_ZX7l83++vfLPRx^IkjO;(0@726koK_1eHrd96{n^T{8}@3i`Whhnjd#!UAhmy`p3@5^qV z>D)I>w%NLNq6_;0_kVVLk24sMrQTinOajz+b`JdPUJJAadJSsK)5J%+>6T%?-U6=% zna=Oj5W%x1*+!;r-?D_=y%#sSCSvzgHh!3*TgsNU>h+NrgPz>sdj{RP@Ew@XRfy!( zwgC8@2+hN!?uSdDI`8su#ThXMc;D37k!+s)hWbnP>)tLt|3giG!j0blFAsli zH~V-%FOU$i)i=@{hihepezZf^^)6}z9A=~RII1s?2$~c-3}Bnpo2Oqm2{oJPBjBAB zxtbGI^OH^vr8k_jr5k7VZY2_zH-;17Py<%LwL)d z<@6Ary2A_XKwiVaoNBCAxQWAV2b3=``&V`{DOAbuGsS`X^w0`G21W_Bh-Zz^Ms$lnS@nH_~Vt zW*MLuAJCrz@0jzMp<2MdX9ciTp&0M8n0#8l*K!BhlVZx=yN*1>TJa1fdFwr7C%;E0 z!d(@4M@jxo;XEp`arykt#ryoBNaZn39HVjouIp^mCFsW|%ays=YdU&jvwh*!EAS$> zPUC7cbcVb6IK)#nCm4C2;b_HKvWQ75BTWb>y&1c%YlW~68=f1pd41KxO&6p(&+|4t z%&2I6#t_Z$mA*)>dH950 zqr24?0St7T|iB8bYDy1l@ciV}9=7lTpuluoN zKgisIANpJ?9(Pzh?6(xDCqRZPSRiz`tv34e=1(`}=#y z9oKmqOE3rWNxw;&acmOuaQ+a_K1aN2#d+cWQ@36YeQ58uNlfsLxcZ}?()-5UzkwLx zzltHxHtpGnfb99$Hs=gjYMgpf%2mAQVQ_xir&dC3K);ALJb6)%#bclFvD@@@cPN(( zgy821*tZuV^%h_gG=t>j6$sab5#GFTouK1){qb(!>fhd?Ii41?wBBQhW%%XAo%th*v5EqZXiazoq?v)iKe4hpf*ZRIbmNi*N{CsZqV%vOB^R@q4 z2E%?({}ih89xmYp901>m_>fbr5-Iq5q!iGiyvD!spr-^uk865@mVjqzy+KO(Mc`TQ zgpGLsMeop3Fp~b*Nq4XkTlk_&KM+Y@;fX5s;!1l_B^{uWe#}WWa!bYV8BVi+9@Bz> z*k8Pog=W$_q;NKec)Z{TI+^RaUi0lruX#3KYr%>ntBMmG=0g->!}8UU;s_r6F(!V# zm`SI>D2D>wc!Hk!pm`yIvpc@`$!230GP?H)M8C$u2ic^E35TWgnOrqRp}R@*y7xE2 z6e8HXrp5nvOiB;3i{7+fgzK{iuD+Iig6zomEtr9R2Z%TR7|Yjyz9A-XEtw`^KhAU` z|DzZeVL-qvQ&XHh9qu%2@@7LdOVsn3u^w%g>W7)OP8(Qe**>S8?>oO15qqC&718L= zhj@bg#Q`v`eno8gYNiH4>f0JfZ2c^?DOTzhwy_;@6w}; zapUeog7u)2vYRg>L_EwF_}PNKH>z|B!2c3wzkU$E$k$Jt^L$n)ACV^+?qQioGTJuts 
z$yQ&2U4$PN|Lez@fzI}LtuJ_hlOI?eZea6W{7$14f8(Iw=yl;t|Hv0I`2ogeuKbn; zXh!YM%h-tQ(X36MS=);`cLB?KX@czaq946CSk0b&knTCrqc^4EWu4@I0TpB4r8yY- z|IHW6&X3vxhn(n-PbV%XAIOzq^*P^v^igJ}{llhvpOL?R&zTJK&hq(*&hq)`~lrY$wd=d53***AeH z*S>6=QJ(lojxL?ZcGiw5s{aMDcjHF3{jz%QV=|5Y=)uk^vx~maLVkSD#T?(I{cQHR z(M$Oai+6mMYBv2AS)TX3ZP_3LWf8R!{KHo|K7L#+V?}>g1cZD;$ zRDZ$*9>i0FOGOI+&-wim+ylQSt3?YKM1_v5i*)>d>cr*r;(D+f-H5CFgaJ3EM7LMT z7U~HVh@}r=bpFlL=Uy$)xBq_N9(fYs+c;$N8akDOh|I?>HmAQN%=3eBX`^{?@jPSA z#u4XAQ#>W`FluoP^C(^4U#%+d(a_h#XG{TkGkdN*`}v)oGHhGuj3twev!=+kf7 zhs(PRn>IK8PiG0z>`#7b5Anh^{zl3Ej$0D}?yH(eeh1}k**+O+`K^=Q^4V~`u-}~r zv!`EwhfB}nG(Y#+=LNBlXh!kzh&w>Ac42DngQ5JqVhtZ%wvy~+-+q?K?D=dz-ZhX% zdh}XQGeB^T_5uuY=2Kq3mn#}wSzsJ*;mCC-#Acpi%DsuoUSWH*O+4{w*Vzv19X7%- z=!u;3v-W7mVK8C0_pjW5-8o!z17Q}$2>Tyg(wyx@j6YYR`@Ym3Y*|}4S=w!Qn4WVL z>-Oy5W7`yTY1^kv9IpsV&uQ9-u<8Y`F;KoQ$tedw{w}CR79!iG@0Ev4Nm#6^u+<2* zY7Z9HQvg}ZhJI&<7JgFzZsCNRv3@Y^279qrU0T(vRTZB0Bd5-s-q23hW+X3)>H3AI z>1HCjMN5$&eaMgg=eA|H@oik(9FzWqBXs7GUIx%cr`rb&?D}WwZ#h-hv2A`n0cg95 z(1dxdh;KR5kJ@Dn@AFxW548rYH1Q-Fm05jFRBy3J; z^NY;xbCl^scGz%u_nDV!4Ddg>szpW~Mk80y=%CUai#njPdKFMmS5L`WjP@m$c3d-h z+x*76GVeQZuQvvd zP0Yc!KQ}^vnFcMoRI59{u6H0W_Ol_|V28vd_1NC}%x`}6gx6)>Z^A+A^W_rDP*&G7 z=-^!Zk!p^Zl(YEcrKkK!NBV?nECo?Bu!j38EMtUsHV@hgl;)879TL|R?S$8DHmv6x zeB>hd&+8b!pSbrayUc-@tB(R>kRKK-=iK~4k7_Ni>Au6OivzS4g77beu(PLr%B$`= z5r3MS+|wa|bI0%!OFjv?fnz>e(qt=mw%2J?N+a1Sq#*zEw6|&74|gLTaA(Vpy0Pz5 zhoAIExT5YapXbQIdJ}~`8DvXg0TK3*ZAIdArG%JugjN<@-N6b`Cb+qcu;*fiC1t zpK{cq_L)F$x@leZgO=yYJJ0G`_RL(T*YxAe@#=~u=MRhR29DRJYiF?=JfmAM2jbzf zUgt78ydCy^QA4|E4}2U?7bvWMdd3`@ac10pI}szJL&!-g6SsC^zhS78&|>_$@I6C| z?BZYQCB;rT%=|4%6%WUo@#Y|Rt8O%Ynp1QqZ9V^dyz$ekHo5wPw&cMV$zg{6V?
    v=241*_o!PP z1AgPNR!5#Duh#s@%8vqJ9FfJ3-}9P|TvL0x6m!-TbHrV7{*#7zOgXJcshu-1PfRyG zbnvH_+l1d(Q(rmd)#)&_Yjl`eG(|M^pR=Przk)B>yV!kb3%QG>70%<|df!?BQ23fq zCyubB|F`5eP5ipH$jgkWuvi$~@|ohX=_h zc73q>*_1z}XoOBMoW0z(5e{%~-=#Kj-NrI6juk!(C(!J~8E(~O$7ci>OTHUnOuXr3 zmr$%Yrx@GUelgJR3|EdN!-od&W9PgG16NicABjjxk&ZJl{3Z@qnN%^G1uC92OkM4XT##FWURzHBGB zyekD`h>7!XPTjc2;|t*O!N~GvThCx%>!*jmsB`;^)@Q%E8hLZkjalg54IW9abBJCP z+16u6gt+9mIpF0mPdIF4`R<0GETaAJ7TKAg! zLWyhaHcr#-1w#=1#qkc;oi6g{?go$eg05FO4jaktV-$^!-NZ=0 znw>!m{Ta_LYvy(e_MzxvguD){QIGpVle~Z*^mq-EH`A@ee4_2e)BG|oLts%jBDGv8 zR%`K@PGnlB4!4_T+#TK+?z&W79}~~lO^@)n;ynD8v|AU`LPdf-(M?tM?Zj69gbL9Y zZNOYL?%wIH8>&T~8^20=G@cs~OUPR;AIHnVw`HYsF{wvy`R7C2dH)#mI)G*i6DQlA ztoTiDVOVx;bUWbXHVyt>4IB}U*H7rs<+DXEH~@Zw5=*il>4(1=s`+N2=Uo44Ag^M% zctbW@Klm6yJRMVQ-#5B!5M2QudwXM)e~;R@w&c}HTS%*OZOhYSExCeKc)9XBuJ-;n zu+)Hg_AiOlg!|b(&Wp$Xs#-;TWRu%qGeqy3-Ba5!Lyn`Z4ioEuKjVOYbOZYPU^8Op zIH$j|Jz3G0NO`{N*Sve{q?vk&Cv4Ck^^Cp<<~5P6;(a;i6&M1Ye*jcpol3*OI>&z? zX!#?l_mg&B3=@Rh68w~>C{z;Ro_dK+cuS|s+U*&S2(Vi*7E5^LWin3_La@hQs_Y+t4#Gdss` zO&!L}$bFEQ?$0B=@J=IhdjF=x#%05cG4lCO#iH~x8oS3-Wy8}E+(WRuJzGiJHUH;1 zEwQ@&KR9f0KbucM7mLo1;cK$Oy{Ej3#jw4i zFE^#pdm(|2skDkWctUij?PxR!_&VdM(G)B^nlC+RV?JEw+h5rlzXM$eYqQ@rnRKrf zc7LFi<;T5ZzK)v_+ z>?EdAf175T|6qoGpM9=7j?k7Sn!4^n-}Tz=GT-_=bYcIeO?@}gC4WHsrz8jC+#my| zr3@3}2wcm5?8dh|{G7z6LD@ySf$)@=Mmm>)L|o7Cwn3_bY%ZV%(&;QsH`f!|=@ zXTRYY*ii^A%HPVQpZuOBm;?Tm&*lqxS7&Lo{0Uw~$AmZI5B!M#c9r5+#V`0e=S4gF z30^>+90!yt-7COdZ8J@(SBmq)|I1494-P#xJ+1u(c+%%b&y6-=Q*D_=q%Dk^%oh?j z#{W^%_&rjwz2J4euDC*;AiJ9sazZEbPv!#1+KG+vVvbFUJFTjjeO-@Vm4S4d_TbZg zd`o}5%pxOt5&k1vZ$3Z7X>Ic3{6>b~p&#NxcKJd7FeDElwTXG-qPVK%YT%hce>|%T^^dbH@B!qd9Fe<`j$x1X`o_S(0DkD z`VA*eTR7-4DKj;^DT2%%%ls@O}vS*v|`Pv=&lEIH^L(fX= z^*R3~Jbu%<&(P%g)KKT6$F+izQ1YotZHz&01}BxqYPCD`OISFTx778rQuYoKm%9@? 
z(>O%F+cuExJ~LH3Aj6++B#&mGqH&4kQcA+8QRQTi|MZWuNbhyr@fV#LOwdB~50Ta8 znj^lwf!C`W5|1BJ?LPkZuNS|Y8>(5e_bmyf`mMj-PrcK0D1E8Z^Uml44&UdK@3hJA zDdne|VNA?u===Kdg&Ta+{PR7hvhCP8$wa=Fy1wpAO^y z0i*t5%J{Nxw7@!l6!-tMVe0-^|IZGQ*D=yEq{@#p`_?)~`IzfJF;||muB-JQRtJ59 zfu6IbpW+f%r{dGIR`9;8YCSPk|BzL(4%fLw{=m_un*3)o$D02gYufaFD$Gmo_1t8+ zoi`?bfNAY?9A5iP&;ErO)P!$KJ=*55`DbJ=?*^+gS^oAlS-|+feL7)-mOH97dG|4u z@t9)$%M4%hM-}vms`YIKEM<)6Bi`aU+x#q_@nGcmOncy9vG3&nIxmsQz|nkB=h7+6 z-ex*C(`dAm0X5x2Q?QdluTO2{u?o38vt=qc9sxfRE5s}Zg+VI_I#2v}9)qie+kc%O z?_i;`BL452qsJuUdE*PuvcK3qzgJ9=7<@bLYGqrSL-;*oCVc&CyZGqEUAo|yWbshW zle+U1W_7vNU=Mvk!0^?+{cB%W3!?uzk9mWr$;$evv7hnd(?#kTGnB2*-`uQA`w$iL zUzg_URLjWC%X{S5fUM``;N|yb0=0iKore9J?M^L+1>RudcL{&?2mXG=PQblRMkmMQ zuZ5Rs$bqf)9-sW5`KRPTesK1>g*yolVVzg+F^~MLYdD;R`j3X0&CI_(L?3&Rcf|8- ze#oQ#>VNU6*loUwe+*Op(NFU!i`#smuy)B}uJWqB+xKb9c)z8$k*Uq4D|ucKpY#An zmW`N)^_B>Tqap_0Cv9>hmoXdrd-(P`%LQT*p!wh~o!AZUhCAPlB=e+-%ehTfq)p*B zmOH&}v9A+d(vuDhO=kz%j11rV;TbI0Sr!qEq5HppJ zmE>S-bA`y%|CNj%ppr!R(RPwIACn@Sd6`Z7;iAs3Sp$tvAp@w@MUtL*7>^f9#m{~m zZ`_9yh@9v8(f?104rd!bxt2ry;!<~HhO<~ueNGm!q?|2S5&u!gA{qYfWcl(B*8%mDF!*8D zU_Ll%@A+r(=BTCFGfN@>^O$7MvEh-jFX35n^;(d&5l z0qe+^&ynElmd)Uh@9?%eCH6W>ud(d(@=&a?bYtp6?r?oh7n%PuaID71^K)p7pPZ&& z_^c=%)p?@m@d9YHLc%zX3X-qZ1+0I!#A2aj=J9Z~npC5Cz8XM2i-DlUv$c3 z-*n8fkGg3th4)P-mwnSpPrm7q%-{C3P?XET2G7NWqdZ{W_q*XnrVz-oEMHartF zADpFIpt0hFf4t!?UiwumnbypLn8trQ<0pTV)vFlyu6;mwc&{@}-2IWK(#`Hq3ibhv z`gE`M7Q5yr&n6p_2F5modK+`I?7vEk?s7o(u#Nv~89yjqJoOwY0`Z%<1;5@7ucPdN zf_uW#?yU-Z)Hy+4z8D|YrDV+6^TYksHU*z>z~J^m zFSMBIS>Zlnp>U_jdg}d^!_VG}d*Qa`#@l>5-%vMRg^kwuq<=Ae&LbzWsMaXWDS&EU zz@}V7p<-~oo5k`oiM8yoF+D&=?#37QFmSh4YvFx>!qe5L&fH;fef2W+tYK~G@G!M$ zK71~l2Mf7?z8BLJ{{=>M_<%FL(wTp@#ur80U}1M1g7{k6zqi1rfW<$~ZoRZCe$|sT ziBm=ZUgt&Tci0B)=?0U_VQv2{eJ74vwRZa5@0O!CoycN8wxc}X2&p@EG5v=uhkhX; zy@43)v2uZ!@}ZdW(5JW99hcaiXZfK&&4gw@`T@Dgq;{dCa1@e-G)My-i?z%EFzS&K z+wXzN>XnHDpc?%<`T#{+_QDbPBerL+VitQ^P#oNi_kcuyuC}Ap415kp*oh0~3%tJQn>3$DKC*5FcnjV#bJlm2 zF6e8-_-m7Z{DPWRdvs^CV{dCnh}jqo2@8g7n4) 
z`;#9tG{DXE0w=s8kJg1wX>=Z8Tll^1X1~|q>HQ{9GcU{M*<1wYkCrs{hyU%g+ z;J)|(O|uZW2hTV?{&*MDVg>X=jgl>!QXl38*Q9n>DZdH(@v>M16P}IyJSDnL;O{-~ z^WG+kqb^>96uLt|N`BZ#>p>nPpT{C=Y_kf+$Ibj`tjXh*(7GEhdI^h=MOYEu#qffT z1x;-Th95FTFZBT>Zpc1jQ2T+W(?XkKp3<9EhDHv#is~(cfNAV*k8$}i?Oy_2z~}Lb z7yae9Y%TVJ?*Lr)B9DSQmPF^&19R4&?2Oiq1?-2BlxA7x6x}7zMeX_4Ozq`aGi@rY zZDS7uHoZ_xda#($ibXVW<}|+-Xiam(uAup6!Gz};sgx`AB?LNhVmbLC#I{iQpeDG( zBS46rRF#g#t1JE9MOqW*6^2u$5S>KAC%_Ny%QMOorxoN~FjZUfxblG!wD}QO%bZ;i zu5o@g9&~GVyolj5_p~=0c=?d7<3}G=XuMWvmlA=6|M{g$a>T}b>h%51;gFm{mMPQt z6?$xR@~EtICEscwKLh{THIih^8HXC4VHJT{t;BkKS}Pj?|Kfy);ReZ>Htt1^EZX?G zjY-*f=x>ShVcc<9U+iusnP45xOP6>ZE~2rdL6^>iKLA_%v4^^24_0UVVd|4+@tn*( z=W&6D#bJ4r=Y+rTy#K#L>a(1wK+Rc~y#L=Z|HHyL-Gf->y}}xrECYJn8Li2g4w#&yK44wL5+3eXU0yi z`d%)`zr-^)iOrFO?)9aW;>T_*cNfXk`xk|&^IKr|`?x}`qD)8rZ{n}^inBHTmZqYH z3Tf?~rk#eAGOpP)?$QpIF+JY!*N~1wDdcN>^-FphA-V4`oF2oM>~6Vk+qF-En>zex zX#WK|y=ctKyXrJSzG99o>UDN^j5*Ij?zjJLbNSIZM0z2W<4bMXFDgFIj-6Z|Xl?!i zb$&hK`t4p$18VkTMY{IIf6Sd<;bOjoSJ#9`As^HYPjW1GA0l;nCMu-mu2l0}_!aQ0Exy~mVA+0bqHY31&BV;}gFtIx4_ z!%O9yX=Kq`@%>M4>DWwg6k##&#)}h!tMDgR*RYuMpLlSrQNZ7)SJttUfv?u#TSis) zc4I}^3mv$zzTYQS>5CtY9dsWe$Fr$YuH;zV`{~utu&V3oUDnhNaodGnB8Pj1`nQ!W zYeNy=@jk78ppIDwHx1mHEHk6(;g)}d zM)&3h4ci9Wp54G^>xxMW!|OS1*=;`vIjo*Gjv9>T1>L(M(saYH=OOdF0M)S`oxZSk z++lgNOe+syK;;{N+_foJ1#FoC;Yg?9UYto{eS8V(%a-wclP`@8-h zE3^0Q2hgDAnSuevgKf1!b^A(;5sDf$BPXAhVxniK?eybMvjo4)KT(fr-J~Bs063mzA#vW5UO(Y#SbQd+Mr+ z7v6eKU7z@AIdsOK$&Ee{{UF5LyFc=1a*{>6^KktE4*Tyt)0AQ{)V1*49dFpS#3E#h z9@!p+A^#TmkTkBG++W8HOGQ#I*V1-jE8*#Pozuz~H_^tI#;v9H0bSaES3xn+1jn2S zkEn!NAAZoZPjk$VJ!rAeIfj#tk9&b0nCX6I%Ni%o0(r&8sh7_17U_G3((!dXzz+G1 zxA5+l>bp_??r~U-=aCWQ$p6IyXu=bBiWYnp&EY~HWtIlR{e@#u`6|7mLY5ijSpUZ= z_K1Jcf_LkL41OSmUXKvJpLRUxvC71##Ugy?^hio#i@nIw*#Q~ZbgIU)Q77focm8QX_Fkk zRvL$^*O^k(a1A4*k!S8cHRcz(x#i8@Xq`~(e?}P=KlooXdl?x0kd1A&4n}xhx^G?u z{PLIitzKa#=GTRj(Tty0lKJWF%{bEfUTr-C8ei$T+6uBddf7amGOsHmC+5@nvNC>c zKRbn!^J?`XuhAJfgWuI-|7gel&Ogorosd5ruv>6P3DM-M5IwG|N*bQ>O8$W7Yh&{{ 
z$0r|mGOTV$?;fv%^V8^#tFvQO;M3mSv8w)ypWhcg@GLXeeNX}&kddzCk#jtSKDZ6% z7YD<*!oB;9V&u@ZwK_SN-}8~F`Ly(sH9t0=YlW%#wS7RjnKIMuLzuv{YLEWk=3b6O zm}zRkrv0j~TOm1wnvS{T9XX<8)4VeEr_zrw6DBe=dMY!U8V(5UoB_T1KmlAF+OZxcl*42t(Lv3kCiP5fhT0_QUk;_#N5TUS zX|2MS4Lq8$66)PKZ!1MGnBU@K_=?ZuX>M?3!=mX^rLqnW<-g619$xFglorVfuPrWJ{w-x!`ypgXQUaA7hIy!TZw1f9kzhXKAnx1 zge`i@9jzVu%3mm~M$FZ%DsM4^u<-hRXXC@^|EL*n1(*2g|JVAuf9DEvKAs;>^@5z_ z`rC#2Ph7`I+cI7l{4SIG!$slrpYpMP|GtyU{aq*gQZ#=ypGd|YPZ!c=#Fk`{vH#_K zvFv@$Y_ew0JRN59?JD)#aFfu9hmFw@-b6l~lS!6?n{9_S-eR3Ofh-$#IcBrD$1T@( zdh30l=KabSv%8b#S%0G-@u~Bl=TrKB|J43}|201{4FBvQ6L-%I7C0u>Rau8)f@lmY_77zK zh%xy<>44Dr!MN{(3i~nt?PjtwCMNynDHWdx;y?7!r%P%gOV_OJzH!47{kYf_$DyCu z8U5rjF4?^OR!}i7UKyXfPaRdY9AElFi?z*UXG2;`hsS?Zn{9(|r1n%TM|Qlja!y|Hf&u1MiAF zYl3P%@J1gZ#!w&WkA)=q>s=*Pa$P3TRUVkZ@Y;@5T-b=6(od;9vlBfP8`uby%~XAG z-n)xwnsg;pO0(t6zTmVCm->*y^%)S`Iz(1GA+PFagm!4moD7g(p0Z8*&4O>;*-<%Z z6)M8rcW~&OqHPcJ$VG*661#*F+rQW-@e9W{QLv(OPt~HZ%@)}WR`Z(Ri6T|}eXft|KcjOT&5=!M*eo>PAGKAk0K)il@~>5i}*PYvIGP`k*t`r_ArgVyxC6&d7%0_?O1egs!=>^t9PI9~yxu|Am^ z{?*d_U+aha?r1&tXG6;FC%D|+=gke5^DF_H9B@Nm&ZDl#qOw>jJS+O6h;ySmYAg7w z3|6i)K{F|gb~?Z9au=uJV7UK8tdK0^(e|CB@%yv0L75s?4wqYI{)Gefb)lJZ!?#fBhBv&!L%R z%Itk|>={S=h&bQ{HmsHwz4#0Nn=Ie{U()b{QuIk<|7ZWOa^HW>5IO`MZo^&Qe|Dqt z`=;Q+HdQ%R=tR`INSj;V^>RPNB4v+vEG2)Fmk3)5ullY{zhq%|-^Z~8qtoXWaP9>=CPBLH#^8|oaqHUMMRsI zl`?Kp_B2QQJ=&sFLsT|Ibmzlm49ZaI+4=>4qYnl|gdzSKOwVh=MR zfBJc3M(rZWzv{YIQ8U6tKIb5=o74;Mxs_7G)!}IO9;hpieTtK?x(6xF41eu{TKvRH zOYJ1ljQj(PU`l$=%Fpu8XPu`0xe{v_CP(uUhsJ@@9%;_Qp%-xi{U_RhhxrbeA@?Bk zIs`^@)+o-XEPqR&L~7x!_``3Ayx)jW<3|LgyO$K;l(W0X9_$#eM?mMzk3_`G=xY0J*ML*H7G}N@XTracc-{|tCH?A-9{6NyXulX}vCw?@jeZA6 zIA1obYK-vVc|l>9XGgmhw|h5ENT+_6K&)(u>X^~@Jc#r1441bH{_Sx_=^e44?YeZL zV~4r9ku1bT@tPuf?2fM@@2@;Jy;?uK$<%NLqY}T=p4FVq*(A-3A3y}Z5dY&05^y(J z$0fUc*Ni-btdfDg!rx z4Oqen`$H1FsD-a%k5(}dzthVVM~-l~h5J?GR~Z}+Jt&)rGys zJ&cX_d=NMz4;i54AbF~(V+0!r9_I&fz!1OO;+2SUv`Wv|4DKg-vbX0J9xs6!J&Eqz z5ng$})edjK^U)bE^--H(#6EeBRqE`7I)7P4Vl#MfT8<63l76=a!G`cM%dx&k67_n_ 
z4kg)XB%ikD@Hm%nIG6OLcw<4xT>njdm-(*%z0RKJ`9-GxMShzO4>0a>Xxlg@|H<)u4WWSxKMHXcaOSJLKMP^BFk;gx10gjm7Vf*eW z@d&Kz0~gZsfX?DnyCt*yY(L^>ry7kWxz{9ta{lu^d{+6@xn3jJrfVWFyc92lsLpS( z8*Xc%0}q6^T`mtVNpr~mUm(I)Cra}}k(n~*g9Pg{4D|EHAAVV!V%PUTNM(1%=7F}i z0R1FCy<8c7^1Tuw?_WihW!Rjbw`VewS*HizvX1(9k}{s!~5Sd@D2P$`)aRaTs-}cEk~_5*mu7e6YqR_$3`7aF8%<|`ObxNsNw{t z&LfOlQHxG61uKM__(P`xl3A9t3sZ=KS+DbREWYIr7FneyP5sd8l0rwuV z&wWT+Cp0;JXOD6*zkq3e_%%nv<4?d0bJ>eqp=$!K?W^U|ux&C+Xsm|&{q2FqAk3?#7 z{$9JSbC?Jm0#6xj&s>O>)(DATGb{k(L}AOxy8Sep_#INQoe0;;I}EFcuM$3F`OgH7 zBqyDHikh%Tm7IEbkG+)DPdppnH_(8r{5@3hIJ~_b*bcp?xs9y+77nyE}fd3%h=o|guL-wP4!Rx5r*;pCa)2gEz?hj@?>zDWS z2J^R*4!au;-xNQ_&oB+PMn1v_++_oaljn3HQ@K)xTu4tkTGpF2T%^fSH=3_u4Gwpl zkpCnb+yGJJb)8^F!$kPNuf9iv>oM0oXDg9%0i!&JCS}kFQu|@S`)cV}R@KtbieE@T z?*mGk{g`#yB-d})=GaYjaWw%Oz#RMWw}8bt!wA?ajha20EaG&uQ;45S9Eap$G-Uvl z;9@y2iRA~`Rvq_bF?_1t=$mPjMQ5td#GW&o{0d7rBP*E>)g24>#Fcq5jlKZYqAFd9 z2JNSA3j-a)&I9(=Wm(Z^U9(}Wbj>?dRy+^$-;69u2RlAFeyUzYB1>pAO_0OO63~WA z1Q)6d&p^ucq6jq_qp_pG#r)Gpmqs%Rj!%;weOw=M8NR(R9C*k74<0>^L!m^?!kG6T z`sAMDmgnRgcEipfS!kyaU51z4aD-~~<~ViLoPe^|Rr{sF&kQg0dGQnfPhGfxR2@3( zEB|~PkEj^AVEWw?`-7r&L+{^2Lz~)!$JvkkNZx%I3tq}m)7v3qf-G=8F>xPxCYnaNurv`M8FX9jvxyjse?t(Wy{BafYCcu1SWV2I(pNOEm_tdF^#m* zN>+R!JHg!(RE`w6wi~W^S{STEL4?2F&?kXa? 
zQmZOG_XnP5BYlXh4+o}bhIN-bRx-3=D=WvFA-2}{cP&_u_ruzIW7IP;`J)_1`&qi} z!hP0;v~jKK)P2`ST3|!;dGI^GcpR_ z!Z@xDzlrpO9zkal1^|TT+yhzWE5IM-F1Ef-l6XL`6J9VkU>CGAl*U05w~<}zV=m@% z&3P4OpSlqn{GyD{_HlnTi#^s3tKv?gF=e~Ifi=69_{H`f{?~q+Iic<_@aFWc;DtA& z6F1r{0a}pz>_T=O34nZJ|GaASkt@+3KOkgx7`IyPm5RSrYPm(K{5C4g+jHz!{>7{0 z)~~LNeAk1ow*W)e2z<|x?vUDD;JvNyM8~+n+HDeZ@+^|q&hP$K zGqV$Tg|CS_^g`am_HqcvB~6sZN|zxS_Ys#PJdy8(1KLt#P5dz((F}>l!wKyhwbfX4 zedWZ%t#Y{Kc(5239}9_d8>|D@>-3$q`(1B|w|%wq?@s@85PqS$Ud?!0=K~Pa-J}qm zeMsxuAY^##{xmN7{6I9k6{i6_-sJfJY(SI0+zkeN&igaxw`iL;o;a@`@_d z3;y4C^bRgu&%s=AxO_o8x#E5DjG^DDB@f*8*VbTOI&Kyv7LYdyvmK*bQQVGA?tQ!s zrt_P$;EkuC8&4W1mwC$C_}jP1u!h)p9D&c#D*JB63mHSW7m0+R)qP*4y&jR&&fqcW1h$t^}gHJWYJmp zhZ@;tH2Zv>V_$od%x(wUtI-nugJ2W57T&=TQS7<`VaU6ipTM)8*re>bHZ55w% zl$M9uY$+h>FOp|(R5*Von>^Uz{^@Y}_Up(G`nf{C@i&Wi9qu@kV9~cpA3vsazQ}S0bCg=-ouz*CKu(iNA6oFD<)Aw_h{V z2U(e<=Y6{RLo!{K^Ah)_IocSSj0m;AV+UCE2FX~pAd0hVpP2ie&0I5g>iJ zw*fnbH) z3I{-<|Mg6N{)PYTtnqs*Xz4wH=?G);5~KxqhaZ46{?K52|GOT<&#vqx{-fMpVsl6ZQ_TxbN!^?DZg{s z&Qi6Q62G!s{k_c-uE%nlZpWh%0nYv>)RZbK5HelICWZnW;`)>Yv9mquY+^iDLS!2XP5sb?Q{m%XJzDhP>S1h z3cV9Oy~{A3)ex`94&Cr?+>KA`Vg;^^SEWnRi(73fuTKd30q2tRm2%%=tCrgJRt#;q zqv;(vZ$RnGY{RD}&(4ZAy;84Y;*j;PhClk`J)JKfV?Qt_$jarJU}bb7@7c7Xb0|^x z*K?m59O32iVy`qYzE16nA7F>PJ=*&`?)ezFb-goOesRoS*oP(Z@0$4(jDpvEJ1**W ziO79Bn!^6NQJw!4T-(th>|N>{od13>_h1Y2pY)?Q=>~q(Xm}m~DPGuriHPWZMO@H+ zy9l2{?h}mBd9wC97o{>qH;fL1^qJoAO* z|D18c;m5Ju%%d1yue?v3s&p=MnIu1tyI-~Qvq*cq$d92Jf<4~v8==ngo&x!Wmx@^d z>(k?rctj6& zA}bnhWxZ=!+^}5dPv7uk*#9xI^TS8L>(XY*ZCF~n8Hh+^>J$$T5eV>4SR6;@2QQJ@ z-3(u=25-vuea&k`r7Djg)(TyWzMmkA%aN6~(P;GWd#9DJJFK3_xUb#^|#UKwPUMnvKl?d-0rjWr62Exlc%k1vKZU`81uRt{Ajt56dTg=|8Dty zN7w}R&~i@XGOoBM^;Sg?{xue!j&u|U)f<|zHG%AY zV0QcIXVicc^}4U(Faf#qwHohWBRAf86W8}ctZA(Rdi8!NioQi1djrw_AB43$7Vo@a z!(pj#*6h6GH7*zzPCR>9|6NBWx#=attgBj&lIR4yu#Rc2@{6Y`7Ilf%Rk2eo9e!hqDgZAzbf3ewv;O+X= z?Qidxn%qZcvrLRezeN1+eSqc3qiy=gkw``2Hn+)2=DYnRBi{o@NcTPbGwy0VeEXN1 ztoqGE`}?Dt&X!5IF;n{6rO=&ZgeSlqn^ukN1sTvW3B1p2GxY)soCq)B7X8R3E^<{5 
zd;!GuhX0RWGP@(warMHVvkFeT#-6`Bz6%NOo(b>HEi(ft{ojFMjN^K14QDwIY$Nye z%+Ty*`Lc|_+V=A^3p6ax-dYzHijC{Ena~@bUHyX^#}xc6((?zF-MsjKgL(%~YsQ1@ z76$%u98nXW>I`%KyAHL>fop5Yz;+x_Gns^3%x(#PpPlv)HzUQ(6-@dQD@892Z@4MdrbDO>n z?>C#g-fuU;?(XxO-uHXpZ+tDgzkplj?}NMeXTO8n-P*|{ZMHEY;SHyN8+b!Y{0;wG zTLyt2)$`_JaygbN$b@F2fnR}b>DvIjz_<3+)ZWOKn&6s-zWy+;(^U*qGR9JT8M--F z5OnOzyY~}_5t;abE&N}Px95pOUD*OWKP=JKv=AmHRwhrx{44dw8$3`nJ}nW1Vf=SI z=AYxho6!W1^ycg3sV1}$&t0bjgXDmxK9N%AuOe_XBLOtSo3+O92f;O$6uk7t2+;iux*=SdFjaRkpLX8Ga5&Gq z9?yBO6yoi8ihML!Z~i-W^DX_f0MI*%YO93MCTxgWiop@^B=vyvDpiIAAoHd#IRgtJ zQ=U8q3aoc)hHv4Itc|o`NvU*D#p8LEg6K-P+89w)T z-qw&Qw}jEKeXPg;dM~`#1mffWiUBy?!h=M=$I4gd5uo2LA{!zB_n#H^~508jdt6nt!iiDDZsqRHnZ!YLwRpPn_Gc z(MWND!ZbkJn89leEM0RhwB>Dvm(s5^IjRjT5cfr{kw9in+(!O|lpQl(3WJahyb}(5 z7=D-wFpjUVqXkp11yimJA2+mesm4$k_3@ncyJ{C=ue|>Hh%r6TmMLG2KRt0wPZwViTPi+*Aw{Y9P!nHU**FkBcobU zHV3x=_Y@xO!S3OLN=vI!S4PCiMKAl{%aY*MWjT)Ft5;5j^3pR(#t?nznnyEdcZ-^0 z$9wa`&|%#h2$$|TfVw__J^nnrIlb4oV;XN3Pq@QtRtjs2!-YMn2J;TQrx;|V7S@!e z(DsZy+QZyHdv?JEyHZ}T%exax0UsU^4cCI{>TSTUzN8QXG}YHi@d$Pm-A+i~L+v=W z!#7vTuY3cS$4~OB;`x>~{iguI+q;JQ6T{l}MDyCrJoUYM34eI1%LHHBdEc6b+c~Dp z3!&qhfqhAuJ5icE$6VE2+CyVr_KJu{-jD_QGq*Z3F>Z!pVw$HFB?1%Q{s%haEu4Y zI}ZpJYwHM&qozGv2AFPh;NRGvUnCfNx3!XpTDOV}J-@nAF{h*oZJ`2xTomUFTX#)VH1=Z~{Js!GD{*+NyM&cHQ7D3Ez86gDN0DIsoq~*NjH1AQ zk#eztZp<8R;xPon>JPMt(}aUL4!KD5y&%&1#UC1O3@^qnIHOLCI90pBY*;bbwmpn2DjGq%JIefpyrf~MkO<$79`=OR zjMv^kU4!QAnhzX1E3;iobTZzO@+SU^IAcp;U2sDWkOPYt)pNSQbzDRE0XvMOiR|f% z{deRjItmP0xiC@}5rS^!#_$E+Uo5K!2II|eZEq;67Mt8mX}m%>#_Og6b5X##Q8V=o zpZ6iaM3hSY@-r>b6ACAPA)y1$2>j`TuZ+d|o@@;}B%juRZxyq__zm|0ceMTkL_YVi zU?KgEv8NxpGR+y5dA_xQ<@R{yv_~CWXv<`M>JB`8k(qljnS7vS?4XDB-(g6_)3MzC zO)Y-9;2XOl8^G6CQ@_^?wEchOIi9-UY{D@W;W@41y2f)~WeYe=dsTA@YNHXo&JO_ET)s^WMsN+@^&% z!(YdYCbh^MbAb(Cp$Zq{mjbE^_OmPOZh;|>4kU(6a_-(&g18;G92mL2=aef;vA=?7 z_(u*fO*sJS#Br{BC2;HG5Y73_kDPXpi~n^bSn@KjM2piPaOgWXSZ(@b1n5zOZa(S; z-=h+Qna}>H 
zLJz7UKL8H;fqd-)k$_Eu(=JBfU=tebfSS;VFXjPc-TA;?)&QMnae?j!_RaD=o@+#@J#yOknWxdQ(X3G>5SqwM+X2=t^M{4SsQ_dKdtJ3V-Sa8Hpi8?_cFW@ z1#iL2&E#axUcYA}UxW?430clyMmOR%|xkkg& z@q@bR{dn>H$(*gc&R3caSMwaV{kfLzCR^qDrp==bpME_bxEnr%DUdiA^!QMTc4YB1 z1o{V|sPdH`B?E490!*(NQHfjIX`Z(OO7jpYXRZ})auF~o zMqoN{lTHqQw2FDuVS;*@duKO7Iy^{XLB_GavL;I87wJbgi-Ag%b8;{#Tt@8;j&B%l zZOD#K7qF0q+=L)$f}-}w95arVG7A5RiSk1pQN|}&h|?3V0Plci^O&1~gwEm6&4bVHXOC+6*SozqJV!o;xnp}FtFa}b}J1To|?*1azf2)|!{Hgx~(Lwg{$ zwBWW7B>EimU%d_P0D$tk6nuK~5Z_sqCY8yd$iz2*{vBs6V=R?pBs?LRQ*Qn>H{{o1v>CzEN9)WdMM3Z ze_*O1+v36kzKZ4$vcci?+@g~0d7<~9A9{r)GlPS8c0h(tUt|Tjgh(>W zS5(#CD5p)(mDN(F!B6u+J7^6J$oMAiPaK{puua^9SF8zs`D89fL_=_RyM#mWR9l)f z$#FB*+g2nKKIRkB^C53O>kJcMi%P;S?@@7KlijEACV!|C3woaVi|I>PL`pkDjZJsCaxSW>koav zl;>p*COR7FB2{d$q^i^9$_0bDhktT-5zjx#7z=HzecrjeTq0-dhDq44C!_0~B^*}P z8W=(+eXI^&qv4r7T)>{@w>1;74Q+61Xcn@PR^;&V94!Dre_jQ4J$~#J$9q6Azt9^j zK14Ua7EK^^wbw`lsftMaCtp|{oXLoPer6}U57YR%xJ?Lc+U1$)_P4No%ur9kDJtuz z7@hGPQs884a_fU{$OgyKFpSLrdtcZ9(;NWtRv-^v5RBKrg2?fNGE|!EaVx0p7z%nk z?V6muoQDL3+srqyLA!W8zCQHmOks`SU|EV1`&?sDzitRlYAoXbd=}nXYN!E1*eJ|_ zJM3X4jto-n59jMwoeGRp9`++_jz%bNvK{CEaR7qQlyEBu^kB$)9x;+1_ySevHKazN zoF!4=2#%xe5hmEgSpSegww0*pwL9YbU z$B><9Bx(Dillk!L{|it?gKQ9PQxhbuo!83 z_F?VZ0gv#3R?OlML%~DnP#U7N<|{nh9c8#CgZ2|nrX>VOqMSB3y13(^8|RZ(a)VE! 
z4SjrBy4b=u?41tpT-a)p`!<2^`?EXwY6?c&8MVO!T-BwO&375pBH z4iCU60QlhK0zSPT1ga(XLDburspFkFED?{NL8j6&&+^AVXn;xumyg?bYvRRB`vB~9 zm@rpZO*1GKZ+`gic<^0(S^_2sA^HfI@Q`m-Gk5UcpI78V`TDq){^&Nck|v!&D59jS zc4j8ufMTq4y|6NlR(NBrm7KUHO*7JIern2FeSl%@DZt}cI?D_KwGY%XazVX zw8?bA%+&`M19zRH?^nJ$gt2(=o#vmtUl!`tZ9aH)H&y{mF>~Q6{@+M!@%L*;svQn- zV~T0k&~QC#N@TX+$Epi;wsgh-`zX`IrmCw(N6mYHLQe)S#f!DFDXNAkIT|+3cHob9 zxF|r|2$F)#NPln83Bvq%3UNF+@a|{{MrGKg?_?KZ0_TMnVXcv6wkRNz)pGBnI{Xrj zV8b^SAq{9h#%11|+qwH2wZPnXw?0JK?gRk|o1+LrV~Z9r)7as{a9vR=_O`6B6nrQi z{Uni8T%;&oBu*=_!_;w2c%N6iG>O5!KCnU)$%yx$<&hfuupPL2s|MrQY;8(G z>-{9vK!Gz5juIB)$p>J`x?+uizT;#ir&b;BPJ*@ik|+%fG=CQdXbulaH~HJpjkt4s zzn0x;+}v0{Gf!voU-o{ZwEr!-wpxFd-dOEF;xJp%9xdU{7WQDb*SIFG5w<4otM4^S zV|KUE{LDQ=?SY5q!T2@MB_nJIlWdG#6?w4!#+g<${5~5Bed81lv^7BOLl(RhmIWX2 z+zLiu>$sGU91%gqLg}}Ls0>Wc;RMyzKb(#5jb;vQ@Fd8>nRG-U2-yoRmV1 z@y*qC1a|iDztRyM>+CjXnF*`l zGqT`d)0oVw*!$G+K((#7`FaY}wF6`@j zEpES_c3$2MrO~Vd3oIf3=RzO&D{U|VK1S}q34|N;bN1lB^~j7^C+3~o_S?S@6K!Ij z9&c}}<{AX|);b*qJc#)Lp{>plA1pLJG1?xlcjOB8`IB@#QQ98X$3u~s0X7_-Lo`Hu z5YYE$XnJohhE%z_AG^%36M7S{YpYHd@}}VQ0fVbCw>HK+Ak^H%7lQ2k6WenGxRhLZ z5cCs<{x$A0l27QRE)ViSARoJ5VpwJgas+E~nCL6RQv%1M0iQnTa}Myvz~2@d#Jcl` zaP^>;c@nF2{;MkCvz3iEjm!rd+v7-&ZD;^*@{uNlIQrl^brC(}WqJWC3D(whaht_23>4=4#edvy^fQXFO*fPiYe<5X~9e#_;U99TvCs(t1YuV1O z>~(g-tG}IHwCd@y1Sty8?8bJKNRW}CnFtrkBLFcl&~YYvxe*{qK$9ik_E8_w zSE%fAnTb_X6LHxYm2$IlN+guWWF%#yluOCov9mK*X~{WPq>nH0%)O_VlfTT(L`vgh zprc^pqZH#6Cx?Q+t5G#5s!DGOII?PSW!^}DSwr}Jo%Ehhu}c-In8ufH^hj{of8(DG_Wg~KY5R-s(%bOMRBAx=2mcsN3Nxg|=1tWvC+lHHBAcOBU$n(0b~ za#Eki0W&zRNlDjE(U=SzUJcwir%wm;(Za@9xnGhTSV3La}7zu@nRm>=s0$X;3nO82MXXm_Jl0W3G*CdaJ_Eoi!ut9S}9f(S{W~)11cpSMFI3spG6V$S&(HBetduS(Q9SQ$y(BRNwl6) zZ6}nQN#!Qec}cXg+i4HY(jS|oKQ~BzZjk)lA^Et2^Kl2};t$QlADf6jHxPbqIR46* z`Y-2}%lYNA)tzN#%8CRI#;7zDO!Dqs@Dsk1B?;yI84V08JvB@u5;U8t9M)-z34NnL)pT zRghITGOX4aKj_WqYLSo6nJ2fa4jlxhNEk}|fK(E-Sp_QK6--J0*`(101H;S)25m6& zGHOMCO(u&d_&7`id>l+p5+qt%P_lAtzeKx|w|0_S|0|bsPgQBXKKP8^a+ZUA)zBQh 
z)2qLo?`CofV65JMa+ZJP@A|g%XJPqmUVZ);kR*Z!Ti^+RBv3*=EIh0tfO@fE6rAE8 zpAP~_k_*`q!H2NL+>`@4iWRJ6g$Nju=M@ zyHV63nNUP_F&9MZ6kH}$8EEGy<_MTz4=_iF_)w<~7B&KZ3>Gm**McNLloXvt2#|s8 z(LH>EsUCc&Ir0{0s~1a&+-9Ft5*+H^$M9f`fpJzsDz>Su=lAFe1bJ9~Z(z9E>k-(>afO zNxtQdIR9@dbOCdZJ*@9_w{v}@ym|e~e?NIdhWpk2?|i@K?*<6y|H7Ub4+9g@eOSec zrIjpHrf$V*fberCxWy^ZPjh@2!|5(fzk?(SXA=36X<@U)pEi4r`A z(}@F?a!>1j&+Jw3D*HX~{~Oc(C;tC?*hT(Nc`|>q#Q8w;FMTZ6B2UY_aZ0>nU#@BRf!DE#i)^%Qps?Cw%~Y#RA1y( zSl9@!*NvLcQh8}vK%iHrR~ zbWG&H!KwWQZ|=Jj|2(#ig2Z$v=W|Pp^DwZ(MGFdeOkvHd`EdWNAaj$hoEYPi4>CZ< zN}yX9vNAup-hs*2yLtV>|37=PlaE{bz1&iNFMfDpf8v1z>gD630vISWWTs42#L2JG z4gc_F{sv`QnCYn{N+f`VMM2->?iM9Vxt|-jOq6&1he7`npZt~>qmLqrVEMqH{Ordw)CJ zDc0$-KTHT*}2VL!pG9lEIpIl{02BUpC8=;ihG$CDfJ&rmk{nVfEoB z4(V7qlHt_Js!+=wWkTeo6ij1G<0HZ0CTAuYJkp%N%mErNl$Dj`G>E)G=Wj@V3iJ(sb0}m162=Q={emdjcW@M&inOWc_B!TAO zUvMiByfT$@V83$+T}+hV0;$sQ%BE$EU^SE8@IEa#kaH4Z56=N%)d6DaWXpDXO7G*Y z_G4QoW8oD`De;bYUt!Yo`Ki-0GN(gJRf%lbnf9XKJFROSJ`1)bT^|WF^${MVQ)c2 zDV|=BcmMu>$^F_HuTS~EoF&2-0&tud_!Qp>{hx{i2;HM1h}#B9f@44%Y1)`u}*T@%32kpc=%LEe>GM~cm*enwS#s+g5Ny9ZoflO@6Bw>`teON&}CfJa; znF@u2^7A2#m;bK2{{12p!fBcv2){03beDEk!cFr*aH!36YU9I68mdg4o^~7f?H|*W zgfmx`@>&iyNX*Q^lvaNo1a2fx3%|DvVl~9*!Vj&UnkPla&erIXVK#+n@iW<;IcNe7 z5lwr0$6vGSbRhGr`kWj^Rx5)X&N)HyQ3|0bBD$eyW+2)-pm!N24_aM5D{1omI1L3a zJC}FfPSbH_j)-57H`>#e59@ADY2V#9-hV{Msu2E#elk=op%_tGL@f=~~MBB8pf^ z?Pe$2%KVo|?>Bv~j>+S`zI4_TW5%4+B)M-}eGHCGA0vmtwCN!Y+vuh+_FMG70@IyJ zMcbuH?|O%o&M-RHIDdMruFG?_>9O|oFL3ebJ^T)Pi;Mcm;d_!t0Tl4J+2W_Do%#61 zQT!K08HXt54eGFd*P)u?PQ}*SFv$IFqxPGl1?;e;d&^JG(DvUN?Q3{F)a$Srz4Wu5 zF^kT(qYAIRR|ih(*^Tg`YT@H@e>D%Z)b|L#F@Q%7&+7c&eLMzx?YKYSbUo~!-@aRg z$9+ojv9TMu+$9B<=XbYlm)aHWwB1c&|LBDHZj$d^^zslBm;axihoSG^{jP3TiHT@| zxZ{&jyz%8>FnY>9gB;h#WeM2-U7?M`?S`uQG+X?PL({_dmrqJZKpnpPZ*L~EwGC4# z??ZdN9cA|Y5Q9jIALJY9o=#>Q?`aP9?02%x_Tuy8%fj_M=)YxtPv?JA)BacQ{W5?1 z_xk?{>*ho6+uAqo4guvSivRyHLd>amldx&a&-;86ZN&wP(XTCfMd_EsFOXifetCN3 z`nC0I_si=S_5JSuyw6IGmClyqOLwJzrGTY|rNdIlQsb#sQsrrLG``I*w@XV)tEJe| 
z{B*n8UM(*sm!nJDr6n^>Gi^1tncA7^n)yu$O%Y9rrjw?arpZ%KQ+m|e8fDbXX|=T9 z6*lIZflc<)eiYqWZtXHA7IqFS9awq{ADAX#fngTI7Q#`2wi!kgEHlhBj42pYFsWg; zVY^|(VOYcQVcB8fV9`%%r?u1E>C#i)so<&bbn&$EH1gE>3U##kx_tdVyH3KNSx>X4 z`Dypm{Azw(KTe*uodXuOE$mBT@Wt_s^^7YRmNCq6jAoeR*!qlftaMCh*!%2t>}uHj z?08IddYYY0UZ-=Z-)eZen$1r;Q`OYg>Pb-1P>!L-pt^@@gq08V392D#A}S+l7;3%^ zR>xJi)o%4%Jy+kV=IXk-s_jv(h6AMH?AQewkP3T{3cOGX{N?>s^{dH7(MFDq#*Df* zYBZE@^l7N!XyPc#)4OTXY2WnewD7up5CXOo+PZ3*YOn>n>TWGHWj8nheQhxqG%!ZN zFmyPEF|1@5$_GWsFMxh>|$539O z+fb8G|ENuh|XL{di5 zO;Tj3Gt`UW+%7mgWMMi;WB)7|(L|i>T&nep0?`Puv z91E_O!DP1Me)^W@t;}TXV|UV@;(o_5T|m|7B%o$(NkE6bxe5Z1AZ&XS!~5H8EN`!T z+-uBP%3;-x<%Kl|5}%)WYDr~hLl}vju>@pO%VJAN)M#vJ!>F5-2P;-g%sit>XB$f+ zWs)UKoV?7$o6WT)tZZ6a8==)nE18>_#w-_7f!lK&N_o1ZcN_FAj=!b(ae*AzxD@4r z171>FTr9!u>E-q5<>~eH_YxJJUS5(t9a$v(59`R%B)gl)?v@w$aGPN>k()PzVuEW%IN6-30HVYigUbstX6$Ik6xx;(J9T* zV>CN_m&Up-qd%dD_;_tN?_)=U%yO)rteOXZtDBAA^WkOTJQw^&B_xHbL2$tIel90> z7x;GeygZM|c7M-)8^@?$jrBeo?(Xk4$^J>?za+lTZF=EMua+-O$ly(S+pab?CriF7 zYkH7pPe!KA_{gPo&}#bko7Uyxx-7j@zNaU&_@{Wwb=~KS?M)Syjut-HwS{!o-E@M( zB)!VO)Owwm+3&YVOw-rA+u_x9vNKlAcNg%A$w+Ojb*v?$?XQ=poJQdQ75Q3v0S3RNoB1MX_1re0gpHjXKovdr}K zl`G55)$#Z}z8l1D1H@LgwrX~;HeICz*SG6%@Q*VbH(eHO(}a>Ja2DiH$uKD)S3)j= zp@5WFvTF5sykv4Y8@#(M+U^gi-X^70OwCQ+B$dlv1BZcaff+!j63>qx7i5puXRFQJ zFOoFbE~95Lk0bM_;p#o<*=+s);!s;qN~v$NKYy7p%R$7JmXq@p9A-` zc256vzO4G(?q1Gk)7^avua%!CcHzQk)Ms3`aJJ|tB5eKbM$#fCp&gJR!SX7MGa_Bnnp5LwVeK;%Uy*+W&N#Lz=N^P`E zGyPWHmChdl)WELhlXY{+#ON!k`|upD4SvlPCPNSHeV+$wXI#G3gQNH3FW4{W-(OI5 zaDRRCEw-~Go?mVItj-bXvm9=gLuTWg?o(mDkCpFb^vimj{KpFM_7t;wjM7Ty;PiI3 z&Bv(usLVp+GZWFyn5DhSo3mCIi!JH?A9I!VD(Jg+s%G$3#%Fi*lp0s0pIm&h?Wd(r z=t^y|7SB&gl7XEVBwn=Ci?pa{;QVIJto)K4Mf#zt_K_*5YI^geIxbOCvmu2982EJx zE)q^VQ@M9`yKPN1u(X_BFrwoGsP}bZFmRFZSq_$+T zFztH1r*6@~Z{Y0vw_ke-|BCH*wm)V`2iafIX>`!=^7SrFoc(=V@@eixx!UQv?)5O( zyI!9*f12dVTw8Zfbd49D9BQmz2Px9qB8q6{;Pr1Ai6(^; zGELZz$60lq`kK^ZbAFeD7pcr;wlp~0CO$UQ>WS6Ydz|V; z8ZURJTyp?o4wx1)^Y8Gu zhRDvxJ~i@{y{dtZD^o$nTbEAH>}zeEbTwUvJX5DyBRyU4#(Izr*0T1R%8V;-$ye|D 
zS_^%zJ@#5V`5$*dH$|EG_M1qWrf7>d9}n)XQPQ(>CGKBZYeRx<&i7A&+r#R#maAh# zU$M0LwsluuM*(%WJ$Lce^;k_V=PLmD-+pIs&U*!>tN3)6Da)qwbcavd#c%nq(Rn(k zjdupszp`z1OE~{+x7b_5={WXp4XyIGkG~n~YVI7*o7Cd;za6vP2B!^zal3V;G!{+g z)74kisM&qgKCX+9W4?=&VNX?Jj`;|K$bEFnCmw$`1=Wy9?hfLq1 z)==-IFS+Z6y77zlB0XPU<@M+z)35B^?A4k+1hnTbUaMViq3+o?{k}{-|Bb2iGBH-$ zlhxC`(=M`R~gB3DS zbuUwWbX>a;d62Dt&(zjrrmJ=^)H#g*ZnB{SA5Bi*U#H5dZ=AAwI$qT-&k>i6d7y64 zB%p4h2I^8z=>PVVU+Heb#lUsb{INb`lF?;C^4H>VOgLqQR;QafPZjHOOT~s^6U(Y1 z<5a-(dO8wnG}jpJ$G+`);a@T~o4(f(bZok0mA% zRFnirIU^z^77-B!F_N%|)G>{QJR+km=FE>RfHMb%hDe#H3-zrh!67rOQG;3%Vi2OK>2(;WKy z&Xr;5eXbl%drwoN-1?=e{l{8J{UhHBvu9hZkGo~2iBWOseA&i5+hdidb@bV_ZRuri zbasu)yZyyWqconUNR`jr{3S1GyEgpG_Xf!=*QmqmKE+ok--_7l7OKzIqrdAY@E0d% zwlMrpv$jOv7fY8Br9PeveP27mf}BB|eN@|~ST z3%aa4Ci#E2DM?N8=%To_pNjemS1~08tB`n-LWHN93s(Fr_ntSPEng5>Y)}-3^Lhe+ ztSdWHA_7JaLC_SK0^RT~AHc!R*1b$aN)o?g&?zmF7JMdkM&BK--PCDzZ0gEW_}X<( z_d@8q4z^65maBY$o>nK|-pQka1H4O<4eZ(JRd4C3y-vy;17EdQu|LC9owx;yl498KAsZo3C zKjy9&kAt7B-8k9O(ALph_pMsZS8E^Z=$yPR*T<|K?>kAFzi09G?(!d4oZE zwU;#=exBi*ErRO%3v8WBb@RQr^=m+{Ex@bz8~Q|R^~czUhRtIE(U^>4g8cH=dBp=i-XRo7o*M8y4>vPT>E-$Ng)~p7W zCA2tetOjEu$*H$M0xlLUF?^XC{#2wykMurDUZ3}Vr$4bd1^CPO+9~0LUwqrnd$9vO zl!SEo9_2AUth{1OF|8Eg5<{fHF2F9o(82$uqL3=k7ob%Jvx1WIc1ZGLM0lGPh{hSt z2F0Q~@A;Y|{o3D|^Y+7FTeYNVJ_TDx?R`?~;O$knW%PY*`^KMVu-|WGS3O^2uACSy zh5lj})4@|(c)7Wp7sEMj&1NUI5EDC?YxbqL<95h)J!NUPI7<|HEoomw?m zqjFGKWHbv57&Jev)Ha|~m=q*RL^XM(kW(c9)d@ln5Wr+$AI_(%y}s{zySv-)OTQ0$ z-SCII@OQ(m;5L>?8&9aCWHm3P_m=^(hz3NAzFb$})xr6$8Y!0sQZe1g&)dF$TX7NB z{sXNskZ{4VsZ`~Y2FHslhDM&)Lxg< z;Z>_BsyZb;C#gnIvzUu2<3!!50rZs0Ed4%qF^!>#rqv=@6@k(j1D#NrCP-8EjQWpQ zGM-v4&SVzp7?xGn5f(qa6ftWM-ru{5a>aiPizPhncc{VHu=QjH$eXd#@6~x38=KQ* zgNov*w0s#;gck_kf%E*1iV{JF__FW&GHd-Dd(ZCsYvXYyn_OLON_6A7R~Ay6Zx{Jz zph;>HS%j5d_Dls2VQ2lb)BIy*fCghHi%kul73F8uImVbs&e3|lwh0B=W=AfgnPzF=oSh;Z;3z%fvWSn;qz zXb`IL!x{_DXfJ!nUtWTuut7)qp446xQ%LLc-nljqOo=Hk?c9q$69@pn@tLS*A8ex8 zEfz+~^EBkq9L_?EsYOPeM`Y$TW6Wcva7n4Iv8Z{>R31ehVCaByv 
z7Dc5PlMl~MFeF{f-{mB7mmlhE>^;A@{9H9HQt1{RmnlN}gnFSH6F)AI49+FeU%X>B z!)K4pt<=-K(drgZ_U-q~%;PWy=-mreyA8o~R}!yifmz6c7VCR7W8y!MG71f%-Z zNSEE;Ed`YgA@U8%r~S&w+%oykmfO&(SYt-us6d1NwK=$MQai8^hJ(9R6I)xKPLCAr zT9K^*3pH-A4mMNMNi82mo}ebD^Uk9iBjis%rI1XS2P2Tb-h=>k6dKXxHrp@nqveJw zE!h=$?>SdB*(j^SFW#sv62aqo!~QY?@~$;eB|&c2uRI8VrM8}1pWDt8NW8b_zagQxh3?+y$4hw*hDJ zXtNfc{v%mg>DlVXD^P#sghu6>AW4NWRX|#Fd%uSnm>E(oWU2kZ+|;oIEjb z08HJ7a};_$6?OD3fHxfCTs^#_ihF(gI|DOkE*TYn2L>~_u~Oz3xmKemH%Ieik|Oyek?})a6d`%^D=qAO4MF{n7H2Fdm=ln0 zkx#z9($M8Jba#gbJ6ocs+{F`QFxoCy3y&vOb9g&l<8MizI)zhj5A2(P5zUx~WiZG> z4@^9_%$nMJCfbgb3h#h423PjTN*d)U_IzTLKO*E{(3`@!Af;{z1i@RK9$SVI2BI}- zMYUW?-)1X5ovh(@!b?$eR?7fu#DTt?u*48;FI}UVezLjDmS4r+JU!q@mibk=NHwQ6 zJ3qUELj7mY>IGir0vKmflCbex7~)@(1h<~muugs3g1i`JDqv!Kc-09w6PpA}+l Zm0Go=%RL3skol7#npS}A|NBn}`~x>^N%8;y diff --git a/provision/local/gpu-passthrough/qemu b/provision/local/gpu-passthrough/qemu deleted file mode 100755 index 5c7eb1eb..00000000 --- a/provision/local/gpu-passthrough/qemu +++ /dev/null 
@@ -1,35 +0,0 @@
-#!/run/current-system/sw/bin/bash
-
-#
-# Author: Sebastiaan Meijer (sebastiaan@passthroughpo.st)
-#
-# Copy this file to /etc/libvirt/hooks, make sure it's called "qemu".
-# After this file is installed, restart libvirt.
-# From now on, you can easily add per-guest qemu hooks.
-# Add your hooks in /etc/libvirt/hooks/qemu.d/vm_name/hook_name/state_name.
-# For a list of available hooks, please refer to https://www.libvirt.org/hooks.html
-#
-
-GUEST_NAME="$1"
-HOOK_NAME="$2"
-STATE_NAME="$3"
-MISC="${@:4}"
-
-BASEDIR="$(dirname $0)"
-
-HOOKPATH="$BASEDIR/qemu.d/$GUEST_NAME/$HOOK_NAME/$STATE_NAME"
-
-set -e # If a script exits with an error, we should as well.
-
-# check if it's a non-empty executable file
-if [ -f "$HOOKPATH" ] && [ -s "$HOOKPATH" ] && [ -x "$HOOKPATH" ]; then
- eval \"$HOOKPATH\" "$@"
-elif [ -d "$HOOKPATH" ]; then
- while read file; do
- # check for null string
- if [ ! -z "$file" ]; then
- eval \"$file\" "$@"
- fi
- done <<< "$(find -L "$HOOKPATH" -maxdepth 1 -type f -executable -print;)"
-fi
-
diff --git a/provision/local/gpu-passthrough/qemu.conf b/provision/local/gpu-passthrough/qemu.conf
deleted file mode 100644
index a25c539b..00000000
--- a/provision/local/gpu-passthrough/qemu.conf
+++ /dev/null
@@ -1,954 +0,0 @@
-# Master configuration file for the QEMU driver.
-# All settings described here are optional - if omitted, sensible
-# defaults are used.
-
-# Use of TLS requires that x509 certificates be issued. The default is
-# to keep them in /etc/pki/qemu. This directory must contain
-#
-# ca-cert.pem - the CA master certificate
-# server-cert.pem - the server certificate signed with ca-cert.pem
-# server-key.pem - the server private key
-#
-# and optionally may contain
-#
-# dh-params.pem - the DH params configuration file
-#
-# If the directory does not exist, libvirtd will fail to start. If the
-# directory doesn't contain the necessary files, QEMU domains will fail
-# to start if they are configured to use TLS.
-#
-# In order to overwrite the default path alter the following. This path
-# definition will be used as the default path for other *_tls_x509_cert_dir
-# configuration settings if their default path does not exist or is not
-# specifically set.
-#
-#default_tls_x509_cert_dir = "/etc/pki/qemu"
-
-
-# The default TLS configuration only uses certificates for the server
-# allowing the client to verify the server's identity and establish
-# an encrypted channel.
-#
-# It is possible to use x509 certificates for authentication too, by
-# issuing an x509 certificate to every client who needs to connect.
-#
-# Enabling this option will reject any client who does not have a
-# certificate signed by the CA in /etc/pki/qemu/ca-cert.pem
-#
-# The default_tls_x509_cert_dir directory must also contain
-#
-# client-cert.pem - the client certificate signed with the ca-cert.pem
-# client-key.pem - the client private key
-#
-# If this option is supplied it provides the default for the "_verify" option
-# of specific TLS users such as vnc, backups, migration, etc. The specific
-# users of TLS may override this by setting the specific "_verify" option.
-#
-# When not supplied the specific TLS users provide their own defaults.
-#
-#default_tls_x509_verify = 1
-
-#
-# Libvirt assumes the server-key.pem file is unencrypted by default.
-# To use an encrypted server-key.pem file, the password to decrypt
-# the PEM file is required. This can be provided by creating a secret
-# object in libvirt and then to uncomment this setting to set the UUID
-# of the secret.
-#
-# NB This default all-zeros UUID will not work. Replace it with the
-# output from the UUID for the TLS secret from a 'virsh secret-list'
-# command and then uncomment the entry
-#
-#default_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
-
-
-# VNC is configured to listen on 127.0.0.1 by default.
-# To make it listen on all public interfaces, uncomment
-# this next option.
-#
-# NB, strong recommendation to enable TLS + x509 certificate
-# verification when allowing public access
-#
-#vnc_listen = "0.0.0.0"
-
-# Enable this option to have VNC served over an automatically created
-# unix socket. This prevents unprivileged access from users on the
-# host machine, though most VNC clients do not support it.
-#
-# This will only be enabled for VNC configurations that have listen
-# type=address but without any address specified. This setting takes
-# preference over vnc_listen.
-#
-#vnc_auto_unix_socket = 1
-
-# Enable use of TLS encryption on the VNC server. This requires
-# a VNC client which supports the VeNCrypt protocol extension.
-# Examples include vinagre, virt-viewer, virt-manager and vencrypt
-# itself. UltraVNC, RealVNC, TightVNC do not support this
-#
-# It is necessary to setup CA and issue a server certificate
-# before enabling this.
-#
-#vnc_tls = 1
-
-
-# In order to override the default TLS certificate location for
-# vnc certificates, supply a valid path to the certificate directory.
-# If the provided path does not exist, libvirtd will fail to start.
-# If the path is not provided, but vnc_tls = 1, then the
-# default_tls_x509_cert_dir path will be used.
-#
-#vnc_tls_x509_cert_dir = "/etc/pki/libvirt-vnc"
-
-
-# Uncomment and use the following option to override the default secret
-# UUID provided in the default_tls_x509_secret_uuid parameter.
-#
-#vnc_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
-
-
-# The default TLS configuration only uses certificates for the server
-# allowing the client to verify the server's identity and establish
-# an encrypted channel.
-#
-# It is possible to use x509 certificates for authentication too, by
-# issuing an x509 certificate to every client who needs to connect.
-#
-# Enabling this option will reject any client that does not have a
-# certificate (as described in default_tls_x509_verify) signed by the
-# CA in the vnc_tls_x509_cert_dir (or default_tls_x509_cert_dir).
-#
-# If this option is not supplied, it will be set to the value of
-# "default_tls_x509_verify". If "default_tls_x509_verify" is not supplied either,
-# the default is "0".
-#
-#vnc_tls_x509_verify = 1
-
-
-# The default VNC password. Only 8 bytes are significant for
-# VNC passwords. This parameter is only used if the per-domain
-# XML config does not already provide a password. To allow
-# access without passwords, leave this commented out. An empty
-# string will still enable passwords, but be rejected by QEMU,
-# effectively preventing any use of VNC. Obviously change this
-# example here before you set this.
-#
-#vnc_password = "XYZ12345"
-
-
-# Enable use of SASL encryption on the VNC server. This requires
-# a VNC client which supports the SASL protocol extension.
-# Examples include vinagre, virt-viewer and virt-manager
-# itself. UltraVNC, RealVNC, TightVNC do not support this
-#
-# It is necessary to configure /etc/sasl2/qemu.conf to choose
-# the desired SASL plugin (eg, GSSPI for Kerberos)
-#
-#vnc_sasl = 1
-
-
-# The default SASL configuration file is located in /etc/sasl2/
-# When running libvirtd unprivileged, it may be desirable to
-# override the configs in this location. Set this parameter to
-# point to the directory, and create a qemu.conf in that location
-#
-#vnc_sasl_dir = "/some/directory/sasl2"
-
-
-# QEMU implements an extension for providing audio over a VNC connection,
-# though if your VNC client does not support it, your only chance for getting
-# sound output is through regular audio backends. By default, libvirt will
-# disable all QEMU sound backends if using VNC, since they can cause
-# permissions issues. Enabling this option will make libvirtd honor the
-# QEMU_AUDIO_DRV environment variable when using VNC.
-#
-#vnc_allow_host_audio = 0
-
-
-
-# SPICE is configured to listen on 127.0.0.1 by default.
-# To make it listen on all public interfaces, uncomment
-# this next option.
-#
-# NB, strong recommendation to enable TLS + x509 certificate
-# verification when allowing public access
-#
-#spice_listen = "0.0.0.0"
-
-
-# Enable use of TLS encryption on the SPICE server.
-#
-# It is necessary to setup CA and issue a server certificate
-# before enabling this.
-#
-#spice_tls = 1
-
-
-# In order to override the default TLS certificate location for
-# spice certificates, supply a valid path to the certificate directory.
-# If the provided path does not exist, libvirtd will fail to start.
-# If the path is not provided, but spice_tls = 1, then the
-# default_tls_x509_cert_dir path will be used.
-#
-#spice_tls_x509_cert_dir = "/etc/pki/libvirt-spice"
-
-
-# Enable this option to have SPICE served over an automatically created
-# unix socket. This prevents unprivileged access from users on the
-# host machine.
-#
-# This will only be enabled for SPICE configurations that have listen
-# type=address but without any address specified. This setting takes
-# preference over spice_listen.
-#
-#spice_auto_unix_socket = 1
-
-
-# The default SPICE password. This parameter is only used if the
-# per-domain XML config does not already provide a password. To
-# allow access without passwords, leave this commented out. An
-# empty string will still enable passwords, but be rejected by
-# QEMU, effectively preventing any use of SPICE. Obviously change
-# this example here before you set this.
-#
-#spice_password = "XYZ12345"
-
-
-# Enable use of SASL encryption on the SPICE server. This requires
-# a SPICE client which supports the SASL protocol extension.
-#
-# It is necessary to configure /etc/sasl2/qemu.conf to choose
-# the desired SASL plugin (eg, GSSPI for Kerberos)
-#
-#spice_sasl = 1
-
-# The default SASL configuration file is located in /etc/sasl2/
-# When running libvirtd unprivileged, it may be desirable to
-# override the configs in this location. Set this parameter to
-# point to the directory, and create a qemu.conf in that location
-#
-#spice_sasl_dir = "/some/directory/sasl2"
-
-# Enable use of TLS encryption on the chardev TCP transports.
-#
-# It is necessary to setup CA and issue a server certificate
-# before enabling this.
-#
-#chardev_tls = 1
-
-
-# In order to override the default TLS certificate location for character
-# device TCP certificates, supply a valid path to the certificate directory.
-# If the provided path does not exist, libvirtd will fail to start.
-# If the path is not provided, but chardev_tls = 1, then the
-# default_tls_x509_cert_dir path will be used.
-#
-#chardev_tls_x509_cert_dir = "/etc/pki/libvirt-chardev"
-
-
-# The default TLS configuration only uses certificates for the server
-# allowing the client to verify the server's identity and establish
-# an encrypted channel.
-#
-# It is possible to use x509 certificates for authentication too, by
-# issuing an x509 certificate to every client who needs to connect.
-#
-# Enabling this option will reject any client that does not have a
-# certificate (as described in default_tls_x509_verify) signed by the
-# CA in the chardev_tls_x509_cert_dir (or default_tls_x509_cert_dir).
-#
-# If this option is not supplied, it will be set to the value of
-# "default_tls_x509_verify". If "default_tls_x509_verify" is not supplied either,
-# the default is "1".
-#
-#chardev_tls_x509_verify = 1
-
-
-# Uncomment and use the following option to override the default secret
-# UUID provided in the default_tls_x509_secret_uuid parameter.
-#
-# NB This default all-zeros UUID will not work. Replace it with the
-# output from the UUID for the TLS secret from a 'virsh secret-list'
-# command and then uncomment the entry
-#
-#chardev_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
-
-
-# Enable use of TLS encryption for all VxHS network block devices that
-# don't specifically disable.
-#
-# When the VxHS network block device server is set up appropriately,
-# x509 certificates are required for authentication between the clients
-# (qemu processes) and the remote VxHS server.
-#
-# It is necessary to setup CA and issue the client certificate before
-# enabling this.
-#
-#vxhs_tls = 1
-
-
-# In order to override the default TLS certificate location for VxHS
-# backed storage, supply a valid path to the certificate directory.
-# This is used to authenticate the VxHS block device clients to the VxHS
-# server.
-#
-# If the provided path does not exist, libvirtd will fail to start.
-# If the path is not provided, but vxhs_tls = 1, then the
-# default_tls_x509_cert_dir path will be used.
-#
-# VxHS block device clients expect the client certificate and key to be
-# present in the certificate directory along with the CA master certificate.
-# If using the default environment, default_tls_x509_verify must be configured.
-# Since this is only a client the server-key.pem certificate is not needed.
-# Thus a VxHS directory must contain the following:
-#
-# ca-cert.pem - the CA master certificate
-# client-cert.pem - the client certificate signed with the ca-cert.pem
-# client-key.pem - the client private key
-#
-#vxhs_tls_x509_cert_dir = "/etc/pki/libvirt-vxhs"
-
-
-# Uncomment and use the following option to override the default secret
-# UUID provided in the default_tls_x509_secret_uuid parameter.
-#
-# NB This default all-zeros UUID will not work. Replace it with the
-# output from the UUID for the TLS secret from a 'virsh secret-list'
-# command and then uncomment the entry
-#
-#vxhs_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
-
-
-# Enable use of TLS encryption for all NBD disk devices that don't
-# specifically disable it.
-#
-# When the NBD server is set up appropriately, x509 certificates are required
-# for authentication between the client and the remote NBD server.
-#
-# It is necessary to setup CA and issue the client certificate before
-# enabling this.
-#
-#nbd_tls = 1
-
-
-# In order to override the default TLS certificate location for NBD
-# backed storage, supply a valid path to the certificate directory.
-# This is used to authenticate the NBD block device clients to the NBD
-# server.
-#
-# If the provided path does not exist, libvirtd will fail to start.
-# If the path is not provided, but nbd_tls = 1, then the
-# default_tls_x509_cert_dir path will be used.
-#
-# NBD block device clients expect the client certificate and key to be
-# present in the certificate directory along with the CA certificate.
-# Since this is only a client the server-key.pem certificate is not needed.
-# Thus a NBD directory must contain the following:
-#
-# ca-cert.pem - the CA master certificate
-# client-cert.pem - the client certificate signed with the ca-cert.pem
-# client-key.pem - the client private key
-#
-#nbd_tls_x509_cert_dir = "/etc/pki/libvirt-nbd"
-
-
-# Uncomment and use the following option to override the default secret
-# UUID provided in the default_tls_x509_secret_uuid parameter.
-#
-# NB This default all-zeros UUID will not work. Replace it with the
-# output from the UUID for the TLS secret from a 'virsh secret-list'
-# command and then uncomment the entry
-#
-#nbd_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
-
-
-# In order to override the default TLS certificate location for migration
-# certificates, supply a valid path to the certificate directory. If the
-# provided path does not exist, libvirtd will fail to start. If the path is
-# not provided, but TLS-encrypted migration is requested, then the
-# default_tls_x509_cert_dir path will be used. Once/if a default certificate is
-# enabled/defined, migration will then be able to use the certificate via
-# migration API flags.
-#
-#migrate_tls_x509_cert_dir = "/etc/pki/libvirt-migrate"
-
-
-# The default TLS configuration only uses certificates for the server
-# allowing the client to verify the server's identity and establish
-# an encrypted channel.
-#
-# It is possible to use x509 certificates for authentication too, by
-# issuing an x509 certificate to every client who needs to connect.
-#
-# Enabling this option will reject any client that does not have a
-# certificate (as described in default_tls_x509_verify) signed by the
-# CA in the migrate_tls_x509_cert_dir (or default_tls_x509_cert_dir).
-#
-# If this option is not supplied, it will be set to the value of
-# "default_tls_x509_verify". If "default_tls_x509_verify" is not supplied
-# either, the default is "1".
-#
-#migrate_tls_x509_verify = 1
-
-
-# Uncomment and use the following option to override the default secret
-# UUID provided in the default_tls_x509_secret_uuid parameter.
-#
-# NB This default all-zeros UUID will not work. Replace it with the
-# output from the UUID for the TLS secret from a 'virsh secret-list'
-# command and then uncomment the entry
-#
-#migrate_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
-
-
-# By default TLS is requested using the VIR_MIGRATE_TLS flag, thus not requested
-# automatically. Setting 'migate_tls_force' to "1" will prevent any migration
-# which is not using VIR_MIGRATE_TLS to ensure higher level of security in
-# deployments with TLS.
-#
-#migrate_tls_force = 0
-
-
-# In order to override the default TLS certificate location for backup NBD
-# server certificates, supply a valid path to the certificate directory. If the
-# provided path does not exist, libvirtd will fail to start. If the path is
-# not provided, but TLS-encrypted backup is requested, then the
-# default_tls_x509_cert_dir path will be used.
-#
-#backup_tls_x509_cert_dir = "/etc/pki/libvirt-backup"
-
-
-# The default TLS configuration only uses certificates for the server
-# allowing the client to verify the server's identity and establish
-# an encrypted channel.
-#
-# It is possible to use x509 certificates for authentication too, by
-# issuing an x509 certificate to every client who needs to connect.
-#
-# Enabling this option will reject any client that does not have a
-# certificate (as described in default_tls_x509_verify) signed by the
-# CA in the backup_tls_x509_cert_dir (or default_tls_x509_cert_dir).
-#
-# If this option is not supplied, it will be set to the value of
-# "default_tls_x509_verify". If "default_tls_x509_verify" is not supplied either,
-# the default is "1".
-#
-#backup_tls_x509_verify = 1
-
-
-# Uncomment and use the following option to override the default secret
-# UUID provided in the default_tls_x509_secret_uuid parameter.
-#
-# NB This default all-zeros UUID will not work. Replace it with the
-# output from the UUID for the TLS secret from a 'virsh secret-list'
-# command and then uncomment the entry
-#
-#backup_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
-
-
-# By default, if no graphical front end is configured, libvirt will disable
-# QEMU audio output since directly talking to alsa/pulseaudio may not work
-# with various security settings. If you know what you're doing, enable
-# the setting below and libvirt will passthrough the QEMU_AUDIO_DRV
-# environment variable when using nographics.
-#
-#nographics_allow_host_audio = 1
-
-
-# Override the port for creating both VNC and SPICE sessions (min).
-# This defaults to 5900 and increases for consecutive sessions
-# or when ports are occupied, until it hits the maximum.
-#
-# Minimum must be greater than or equal to 5900 as lower number would
-# result into negative vnc display number.
-#
-# Maximum must be less than 65536, because higher numbers do not make
-# sense as a port number.
-#
-#remote_display_port_min = 5900
-#remote_display_port_max = 65535
-
-# VNC WebSocket port policies, same rules apply as with remote display
-# ports. VNC WebSockets use similar display <-> port mappings, with
-# the exception being that ports start from 5700 instead of 5900.
-#
-#remote_websocket_port_min = 5700
-#remote_websocket_port_max = 65535
-
-# The default security driver is SELinux. If SELinux is disabled
-# on the host, then the security driver will automatically disable
-# itself. If you wish to disable QEMU SELinux security driver while
-# leaving SELinux enabled for the host in general, then set this
-# to 'none' instead. It's also possible to use more than one security
-# driver at the same time, for this use a list of names separated by
-# comma and delimited by square brackets. For example:
-#
-# security_driver = [ "selinux", "apparmor" ]
-#
-# Notes: The DAC security driver is always enabled; as a result, the
-# value of security_driver cannot contain "dac". The value "none" is
-# a special value; security_driver can be set to that value in
-# isolation, but it cannot appear in a list of drivers.
-#
-#security_driver = "selinux"
-
-# If set to non-zero, then the default security labeling
-# will make guests confined. If set to zero, then guests
-# will be unconfined by default. Defaults to 1.
-#security_default_confined = 1
-
-# If set to non-zero, then attempts to create unconfined
-# guests will be blocked. Defaults to 0.
-#security_require_confined = 1
-
-# The user for QEMU processes run by the system instance. It can be
-# specified as a user name or as a user id. The qemu driver will try to
-# parse this value first as a name and then, if the name doesn't exist,
-# as a user id.
-#
-# Since a sequence of digits is a valid user name, a leading plus sign
-# can be used to ensure that a user id will not be interpreted as a user
-# name.
-#
-# Some examples of valid values are:
-#
-# user = "qemu" # A user named "qemu"
-# user = "+0" # Super user (uid=0)
-# user = "100" # A user named "100" or a user with uid=100
-#
- user="root"
-
-# The group for QEMU processes run by the system instance. It can be
-# specified in a similar way to user.
- group="wheel"
-
-# Whether libvirt should dynamically change file ownership
-# to match the configured user/group above. Defaults to 1.
-# Set to 0 to disable file ownership changes.
-#dynamic_ownership = 1
-
-# Whether libvirt should remember and restore the original
-# ownership over files it is relabeling. Defaults to 1, set
-# to 0 to disable the feature.
-#remember_owner = 1
-
-# What cgroup controllers to make use of with QEMU guests
-#
-# - 'cpu' - use for scheduler tunables
-# - 'devices' - use for device access control
-# - 'memory' - use for memory tunables
-# - 'blkio' - use for block devices I/O tunables
-# - 'cpuset' - use for CPUs and memory nodes
-# - 'cpuacct' - use for CPUs statistics.
-#
-# NB, even if configured here, they won't be used unless
-# the administrator has mounted cgroups, e.g.:
-#
-# mkdir /dev/cgroup
-# mount -t cgroup -o devices,cpu,memory,blkio,cpuset none /dev/cgroup
-#
-# They can be mounted anywhere, and different controllers
-# can be mounted in different locations. libvirt will detect
-# where they are located.
-#
-#cgroup_controllers = [ "cpu", "devices", "memory", "blkio", "cpuset", "cpuacct" ]
-
-# This is the basic set of devices allowed / required by
-# all virtual machines.
-#
-# As well as this, any configured block backed disks,
-# all sound device, and all PTY devices are allowed.
-#
-# This will only need setting if newer QEMU suddenly
-# wants some device we don't already know about.
-#
-#cgroup_device_acl = [
-# "/dev/null", "/dev/full", "/dev/zero",
-# "/dev/random", "/dev/urandom",
-# "/dev/ptmx", "/dev/kvm"
-#]
-#
-# RDMA migration requires the following extra files to be added to the list:
-# "/dev/infiniband/rdma_cm",
-# "/dev/infiniband/issm0",
-# "/dev/infiniband/issm1",
-# "/dev/infiniband/umad0",
-# "/dev/infiniband/umad1",
-# "/dev/infiniband/uverbs0"
-
-
-# The default format for QEMU/KVM guest save images is raw; that is, the
-# memory from the domain is dumped out directly to a file. If you have
-# guests with a large amount of memory, however, this can take up quite
-# a bit of space. If you would like to compress the images while they
-# are being saved to disk, you can also set "lzop", "gzip", "bzip2", or "xz"
-# for save_image_format. Note that this means you slow down the process of
-# saving a domain in order to save disk space; the list above is in descending
-# order by performance and ascending order by compression ratio.
-#
-# save_image_format is used when you use 'virsh save' or 'virsh managedsave'
-# at scheduled saving, and it is an error if the specified save_image_format
-# is not valid, or the requested compression program can't be found.
-#
-# dump_image_format is used when you use 'virsh dump' at emergency
-# crashdump, and if the specified dump_image_format is not valid, or
-# the requested compression program can't be found, this falls
-# back to "raw" compression.
-#
-# snapshot_image_format specifies the compression algorithm of the memory save
-# image when an external snapshot of a domain is taken. This does not apply
-# on disk image format. It is an error if the specified format isn't valid,
-# or the requested compression program can't be found.
-#
-#save_image_format = "raw"
-#dump_image_format = "raw"
-#snapshot_image_format = "raw"
-
-# When a domain is configured to be auto-dumped when libvirtd receives a
-# watchdog event from qemu guest, libvirtd will save dump files in directory
-# specified by auto_dump_path. Default value is /var/lib/libvirt/qemu/dump
-#
-#auto_dump_path = "/var/lib/libvirt/qemu/dump"
-
-# When a domain is configured to be auto-dumped, enabling this flag
-# has the same effect as using the VIR_DUMP_BYPASS_CACHE flag with the
-# virDomainCoreDump API. That is, the system will avoid using the
-# file system cache while writing the dump file, but may cause
-# slower operation.
-#
-#auto_dump_bypass_cache = 0
-
-# When a domain is configured to be auto-started, enabling this flag
-# has the same effect as using the VIR_DOMAIN_START_BYPASS_CACHE flag
-# with the virDomainCreateWithFlags API. That is, the system will
-# avoid using the file system cache when restoring any managed state
-# file, but may cause slower operation.
-#
-#auto_start_bypass_cache = 0
-
-# If provided by the host and a hugetlbfs mount point is configured,
-# a guest may request huge page backing. When this mount point is
-# unspecified here, determination of a host mount point in /proc/mounts
-# will be attempted. Specifying an explicit mount overrides detection
-# of the same in /proc/mounts. Setting the mount point to "" will
-# disable guest hugepage backing. If desired, multiple mount points can
-# be specified at once, separated by comma and enclosed in square
-# brackets, for example:
-#
-# hugetlbfs_mount = ["/dev/hugepages2M", "/dev/hugepages1G"]
-#
-# The size of huge page served by specific mount point is determined by
-# libvirt at the daemon startup.
-#
-# NB, within these mount points, guests will create memory backing
-# files in a location of $MOUNTPOINT/libvirt/qemu
-#
-#hugetlbfs_mount = "/dev/hugepages"
-
-
-# Path to the setuid helper for creating tap devices. This executable
-# is used to create interfaces when libvirtd is
-# running unprivileged. libvirt invokes the helper directly, instead
-# of using "-netdev bridge", for security reasons.
-#bridge_helper = "/usr/lib/qemu/qemu-bridge-helper"
-
-
-# If enabled, libvirt will have QEMU set its process name to
-# "qemu:VM_NAME", where VM_NAME is the name of the VM. The QEMU
-# process will appear as "qemu:VM_NAME" in process listings and
-# other system monitoring tools. By default, QEMU does not set
-# its process title, so the complete QEMU command (emulator and
-# its arguments) appear in process listings.
-#
-#set_process_name = 1
-
-
-# If max_processes is set to a positive integer, libvirt will use
-# it to set the maximum number of processes that can be run by qemu
-# user. This can be used to override default value set by host OS.
-# The same applies to max_files which sets the limit on the maximum
-# number of opened files.
-#
-#max_processes = 0
-#max_files = 0
-
-# If max_threads_per_process is set to a positive integer, libvirt
-# will use it to set the maximum number of threads that can be
-# created by a qemu process. Some VM configurations can result in
-# qemu processes with tens of thousands of threads. systemd-based
-# systems typically limit the number of threads per process to
-# 16k. max_threads_per_process can be used to override default
-# limits in the host OS.
-#
-#max_threads_per_process = 0
-
-# If max_core is set to a non-zero integer, then QEMU will be
-# permitted to create core dumps when it crashes, provided its
-# RAM size is smaller than the limit set.
-#
-# Be warned that the core dump will include a full copy of the
-# guest RAM, if the 'dump_guest_core' setting has been enabled,
-# or if the guest XML contains
-#
-# ...guest ram...
-#
-# If guest RAM is to be included, ensure the max_core limit
-# is set to at least the size of the largest expected guest
-# plus another 1GB for any QEMU host side memory mappings.
-#
-# As a special case it can be set to the string "unlimited" to
-# to allow arbitrarily sized core dumps.
-#
-# By default the core dump size is set to 0 disabling all dumps
-#
-# Size is a positive integer specifying bytes or the
-# string "unlimited"
-#
-#max_core = "unlimited"
-
-# Determine if guest RAM is included in QEMU core dumps. By
-# default guest RAM will be excluded if a new enough QEMU is
-# present. Setting this to '1' will force guest RAM to always
-# be included in QEMU core dumps.
-#
-# This setting will be ignored if the guest XML has set the
-# dumpcore attribute on the element.
-#
-#dump_guest_core = 1
-
-# mac_filter enables MAC addressed based filtering on bridge ports.
-# This currently requires ebtables to be installed.
-#
-#mac_filter = 1
-
-
-# By default, PCI devices below non-ACS switch are not allowed to be assigned
-# to guests. By setting relaxed_acs_check to 1 such devices will be allowed to
-# be assigned to guests.
-#
-#relaxed_acs_check = 1
-
-
-# In order to prevent accidentally starting two domains that
-# share one writable disk, libvirt offers two approaches for
-# locking files. The first one is sanlock, the other one,
-# virtlockd, is then our own implementation. Accepted values
-# are "sanlock" and "lockd".
-#
-#lock_manager = "lockd"
-
-
-# Set limit of maximum APIs queued on one domain. All other APIs
-# over this threshold will fail on acquiring job lock. Specially,
-# setting to zero turns this feature off.
-# Note, that job lock is per domain.
-#
-#max_queued = 0
-
-###################################################################
-# Keepalive protocol:
-# This allows qemu driver to detect broken connections to remote
-# libvirtd during peer-to-peer migration. A keepalive message is
-# sent to the daemon after keepalive_interval seconds of inactivity
-# to check if the daemon is still responding; keepalive_count is a
-# maximum number of keepalive messages that are allowed to be sent
-# to the daemon without getting any response before the connection
-# is considered broken. In other words, the connection is
-# automatically closed approximately after
-# keepalive_interval * (keepalive_count + 1) seconds since the last
-# message received from the daemon. If keepalive_interval is set to
-# -1, qemu driver will not send keepalive requests during
-# peer-to-peer migration; however, the remote libvirtd can still
-# send them and source libvirtd will send responses. When
-# keepalive_count is set to 0, connections will be automatically
-# closed after keepalive_interval seconds of inactivity without
-# sending any keepalive messages.
-#
-#keepalive_interval = 5
-#keepalive_count = 5
-
-
-
-# Use seccomp syscall filtering sandbox in QEMU.
-# 1 == filter enabled, 0 == filter disabled -# -# Unless this option is disabled, QEMU will be run with -# a seccomp filter that stops it from executing certain -# syscalls. -# -#seccomp_sandbox = 1 - - -# Override the listen address for all incoming migrations. Defaults to -# 0.0.0.0, or :: if both host and qemu are capable of IPv6. -#migration_address = "0.0.0.0" - - -# The default hostname or IP address which will be used by a migration -# source for transferring migration data to this host. The migration -# source has to be able to resolve this hostname and connect to it so -# setting "localhost" will not work. By default, the host's configured -# hostname is used. -#migration_host = "host.example.com" - - -# Override the port range used for incoming migrations. -# -# Minimum must be greater than 0, however when QEMU is not running as root, -# setting the minimum to be lower than 1024 will not work. -# -# Maximum must not be greater than 65535. -# -#migration_port_min = 49152 -#migration_port_max = 49215 - - - -# Timestamp QEMU's log messages (if QEMU supports it) -# -# Defaults to 1. -# -#log_timestamp = 0 - - -# Location of master nvram file -# -# This configuration option is obsolete. Libvirt will follow the -# QEMU firmware metadata specification to automatically locate -# firmware images. See docs/interop/firmware.json in the QEMU -# source tree. These metadata files are distributed alongside any -# firmware images intended for use with QEMU. -# -# NOTE: if ANY firmware metadata files are detected, this setting -# will be COMPLETELY IGNORED. -# -# ------------------------------------------ -# -# When a domain is configured to use UEFI instead of standard -# BIOS it may use a separate storage for UEFI variables. If -# that's the case libvirt creates the variable store per domain -# using this master file as image. Each UEFI firmware can, -# however, have different variables store. 
Therefore the nvram is -# a list of strings when a single item is in form of: -# ${PATH_TO_UEFI_FW}:${PATH_TO_UEFI_VARS}. -# Later, when libvirt creates per domain variable store, this list is -# searched for the master image. The UEFI firmware can be called -# differently for different guest architectures. For instance, it's OVMF -# for x86_64 and i686, but it's AAVMF for aarch64. The libvirt default -# follows this scheme. -#nvram = [ -# "/usr/share/OVMF/OVMF_CODE.fd:/usr/share/OVMF/OVMF_VARS.fd", -# "/usr/share/OVMF/OVMF_CODE.secboot.fd:/usr/share/OVMF/OVMF_VARS.fd", -# "/usr/share/AAVMF/AAVMF_CODE.fd:/usr/share/AAVMF/AAVMF_VARS.fd", -# "/usr/share/AAVMF/AAVMF32_CODE.fd:/usr/share/AAVMF/AAVMF32_VARS.fd" -#] - -# The backend to use for handling stdout/stderr output from -# QEMU processes. -# -# 'file': QEMU writes directly to a plain file. This is the -# historical default, but allows QEMU to inflict a -# denial of service attack on the host by exhausting -# filesystem space -# -# 'logd': QEMU writes to a pipe provided by virtlogd daemon. -# This is the current default, providing protection -# against denial of service by performing log file -# rollover when a size limit is hit. -# -#stdio_handler = "logd" - -# QEMU gluster libgfapi log level, debug levels are 0-9, with 9 being the -# most verbose, and 0 representing no debugging output. -# -# The current logging levels defined in the gluster GFAPI are: -# -# 0 - None -# 1 - Emergency -# 2 - Alert -# 3 - Critical -# 4 - Error -# 5 - Warning -# 6 - Notice -# 7 - Info -# 8 - Debug -# 9 - Trace -# -# Defaults to 4 -# -#gluster_debug_level = 9 - -# virtiofsd debug -# -# Whether to enable the debugging output of the virtiofsd daemon. -# Possible values are 0 or 1. Disabled by default. -# -#virtiofsd_debug = 1 - -# To enhance security, QEMU driver is capable of creating private namespaces -# for each domain started. Well, so far only "mount" namespace is supported. 
If -# enabled it means qemu process is unable to see all the devices on the system, -# only those configured for the domain in question. Libvirt then manages -# devices entries throughout the domain lifetime. This namespace is turned on -# by default. -#namespaces = [ "mount" ] - -# This directory is used for memoryBacking source if configured as file. -# NOTE: big files will be stored here -#memory_backing_dir = "/var/lib/libvirt/qemu/ram" - -# Path to the SCSI persistent reservations helper. This helper is -# used whenever are enabled for SCSI LUN devices. -#pr_helper = "/usr/bin/qemu-pr-helper" - -# Path to the SLIRP networking helper. -#slirp_helper = "/usr/bin/slirp-helper" - -# Path to the dbus-daemon -#dbus_daemon = "/usr/bin/dbus-daemon" - -# User for the swtpm TPM Emulator -# -# Default is 'tss'; this is the same user that tcsd (TrouSerS) installs -# and uses; alternative is 'root' -# -#swtpm_user = "tss" -#swtpm_group = "tss" - -# For debugging and testing purposes it's sometimes useful to be able to disable -# libvirt behaviour based on the capabilities of the qemu process. This option -# allows to do so. DO _NOT_ use in production and beaware that the behaviour -# may change across versions. -# -#capability_filters = [ "capname" ] - -# 'deprecation_behavior' setting controls how the qemu process behaves towards -# deprecated commands and arguments used by libvirt. -# -# This setting is meant for developers and CI efforts to make it obvious when -# libvirt relies on fields which are deprecated so that it can be fixes as soon -# as possible. 
-# -# Possible options are: -# "none" - (default) qemu is supposed to accept and output deprecated fields -# and commands -# "omit" - qemu is instructed to omit deprecated fields on output, behaviour -# towards fields and commands from qemu is not changed -# "reject" - qemu is instructed to report an error if a deprecated command or -# field is used by libvirtd -# "crash" - qemu crashes when an deprecated command or field is used by libvirtd -# -# For both "reject" and "crash" qemu is instructed to omit any deprecated fields -# on output. -# -# The "reject" option is less harsh towards the VMs but some code paths ignore -# errors reported by qemu and thus it may not be obvious that a deprecated -# command/field was used, thus it's suggested to use the "crash" option instead. -# -# In cases when qemu doesn't support configuring the behaviour this setting is -# silently ignored to allow testing older qemu versions without having to -# reconfigure libvirtd. -# -# DO NOT use in production. -# -#deprecation_behavior = "none" diff --git a/provision/local/gpu-passthrough/revert.sh b/provision/local/gpu-passthrough/revert.sh deleted file mode 100755 index 47060e51..00000000 --- a/provision/local/gpu-passthrough/revert.sh +++ /dev/null 
@@ -1,32 +0,0 @@
-#!/run/current-system/sw/bin/bash
-
-set -x
-
-# Unload VFIO-PCI Kernel Driver
-modprobe -r vfio_pci
-modprobe -r vfio_iommu_type1
-modprobe -r vfio
-
-# Rebind VT consoles
-echo 1 > /sys/class/vtconsole/vtcon0/bind
-echo 1 > /sys/class/vtconsole/vtcon1/bind
-
-# Read our nvidia configuration when before starting our graphics
-nvidia-xconfig --query-gpu-info > /dev/null 2>&1
-
-# Re-Bind EFI-Framebuffer
-echo "efi-framebuffer.0" > /sys/bus/platform/drivers/efi-framebuffer/bind
-echo "simple-framebuffer.0" > /sys/bus/platform/drivers/simple-framebuffer/bind
-echo "vesa-framebuffer.0" > /sys/bus/platform/drivers/vesa-framebuffer/bind
-
-# ZzzzzzZzz
-sleep 1
-
-# Load amd drivers
-modprobe drm
-modprobe amdgpu
-modprobe radeon
-modprobe drm_kms_helper
-
-# Kill sway
-systemctl start display-manager.service
diff --git a/provision/local/gpu-passthrough/start.sh b/provision/local/gpu-passthrough/start.sh
deleted file mode 100755
index a0437483..00000000
--- a/provision/local/gpu-passthrough/start.sh
+++ /dev/null
@@ -1,29 +0,0 @@
-#!/run/current-system/sw/bin/bash
-
-set -x
-
-# Stop your display manager. If you're on kde it'll be sddm.service. Gnome users should use 'killall gdm-x-session' instead
-systemctl stop display-manager.service
-
-# Unbind VTconsoles
-echo 0 > /sys/class/vtconsole/vtcon0/bind
-echo 0 > /sys/class/vtconsole/vtcon1/bind
-
-# Unbind EFI-Framebuffer
-echo efi-framebuffer.0 > /sys/bus/platform/drivers/efi-framebuffer/unbind || true
-echo simple-framebuffer.0 > /sys/bus/platform/drivers/simple-framebuffer/unbind || true
-echo vesa-framebuffer.0 > /sys/bus/platform/drivers/vesa-framebuffer/unbind || true
-
-# ZzzzzzZzzzz
-sleep 1
-
-# Unload all Amd drivers
-modprobe -r drm_kms_helper
-modprobe -r amdgpu
-modprobe -r radeon
-modprobe -r drm
-
-# Load VFIO kernel module
-modprobe vfio
-modprobe vfio_pci
-modprobe vfio_iommu_type1
diff --git a/provision/nixos/flake.nix b/provision/nixos/flake.nix
index bef55238..abaff02c 100644
--- a/provision/nixos/flake.nix +++ b/provision/nixos/flake.nix @@ -8,9 +8,13 @@ url = github:nix-community/home-manager/release-23.05; inputs.nixpkgs.follows = "nixpkgs"; }; + jovian-nixos = { + url = "git+https://github.com/Jovian-Experiments/Jovian-NixOS?ref=development"; + flake = false; + }; }; - outputs = inputs @ { self, nixpkgs, nixpkgs-unstable, home-manager, ... }: + outputs = inputs @ { self, nixpkgs, nixpkgs-unstable, home-manager, jovian-nixos, ... }: let system = "x86_64-linux"; pkgs = import nixpkgs { diff --git a/provision/nixos/hosts/bulwark/configuration.nix b/provision/nixos/hosts/bulwark/configuration.nix new file mode 100644 index 00000000..4943e593 --- /dev/null +++ b/provision/nixos/hosts/bulwark/configuration.nix 
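Review bot: The new `jovian-nixos` input follows the moving `development` branch, and the commit's file list shows no `flake.lock` change, so the revision that ends up in the system is whatever that branch points to when the lock is first written. Because steam-deck.nix imports this tree as NixOS modules, its contents become part of the root-owned system configuration; I would pin it explicitly, e.g. `url = "git+https://github.com/Jovian-Experiments/Jovian-NixOS?ref=development&rev=<COMMIT_SHA_PLACEHOLDER>";`, and commit the updated lock file alongside. `jovian-nixos` is added to the `outputs` arguments here, but steam-deck.nix expects it as a module argument; whether it is forwarded (for example through `specialArgs`) is outside this hunk.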
@@ -0,0 +1,120 @@ +{ config, pkgs, user, lib, ... }: +{ + nix = { + package = pkgs.nixFlakes; + extraOptions = "experimental-features = nix-command flakes"; + + settings.auto-optimise-store = true; + gc = { + automatic = true; + dates = "weekly"; + options = "--delete-older-than 7d"; + }; + }; + + # Add non-free packages + nixpkgs.config.allowUnfree = true; + nixpkgs.overlays = import ../../lib/overlays.nix; + + # Use zen kernel + boot.kernelPackages = pkgs.linuxPackages_zen; + + # Hardware options + hardware.bluetooth.enable = true; + hardware.sensor.iio.enable = true; + hardware.opengl.enable = true; + hardware.opengl.driSupport = true; + hardware.opengl.driSupport32Bit = true; + + # Use the systemd-boot EFI boot loader. + boot.loader.systemd-boot.enable = true; + boot.loader.efi.canTouchEfiVariables = true; + + # Set networking options + networking.hostName = "bulwark"; + networking.networkmanager.enable = true; + networking.firewall.checkReversePath = "loose"; + networking.firewall.enable = false; + + # Set your time zone. + time.timeZone = "America/Los_Angeles"; + i18n.defaultLocale = "en_US.UTF-8"; + + # Enable sound. + sound.enable = true; + hardware.pulseaudio.enable = true; + hardware.pulseaudio.support32Bit = true; + + # Add fonts + fonts.fonts = with pkgs; [ + nerdfonts + ]; + + # Enable virtualisation + virtualisation.docker.enable = true; + virtualisation.docker.storageDriver = "btrfs"; + + # Enable zsh + programs.zsh.enable = true; + + # Define user account. + users.users.${user} = { + isNormalUser = true; + extraGroups = [ "wheel" "docker" ]; # Enable ‘sudo’ for the user. + shell = pkgs.zsh; + }; + + # List packages installed in system profile. 
To search, run: + # $ nix search wget + environment.systemPackages = with pkgs; [ + vim + git + killall + pciutils + syncthing + pinentry-curses + trash-cli + unzip + nnn + advcpmv + ]; + + # Enable user services + services = { + gvfs.enable = true; # USB automount + blueman.enable = true; + printing.enable = true; + printing.drivers = [ pkgs.hplip ]; + avahi.enable = true; + avahi.nssmdns = true; + syncthing = { + enable = true; + user = "${user}"; + dataDir = "/home/${user}/sync"; + configDir = "/home/${user}/.config/syncthing"; + }; + }; + + # Enable the OpenSSH daemon. + services.openssh.enable = true; + services.pcscd.enable = true; + programs.gnupg.agent = { + enable = true; + pinentryFlavor = "curses"; + enableSSHSupport = true; + }; + + # Enable modules + imports = [ ../../modules ]; + modules = { + services = { + samba-client.enable = true; + }; + gaming = { + steam.enable = true; + steam-deck.enable = true; + }; + }; + + system.stateVersion = "23.05"; # Did you read the comment? +} diff --git a/provision/nixos/hosts/bulwark/home-configuration.nix b/provision/nixos/hosts/bulwark/home-configuration.nix new file mode 100644 index 00000000..3b5e7a48 --- /dev/null +++ b/provision/nixos/hosts/bulwark/home-configuration.nix @@ -0,0 +1,16 @@ +{ config, pkgs, user, ... }: +{ + home.username = "${user}"; + home.homeDirectory = "/home/${user}"; + programs.home-manager.enable = true; + + home.packages = with pkgs; [ + chezmoi + rbw + zk + joplin + joplin-desktop + ]; + + home.stateVersion = "23.05"; +} diff --git a/provision/nixos/hosts/kestrel/configuration.nix b/provision/nixos/hosts/kestrel/configuration.nix index a7050e92..299f6005 100644 --- a/provision/nixos/hosts/kestrel/configuration.nix +++ b/provision/nixos/hosts/kestrel/configuration.nix 
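Review bot: `networking.firewall.enable = false;` leaves every listening service on this handheld reachable from whatever network it joins, and the same file turns on sshd (`services.openssh.enable = true`), Syncthing, Avahi, printing and Docker, with the login user in `wheel` and `docker`. I would keep the firewall on and open only what is needed, e.g. `networking.firewall.enable = true;` with `services.syncthing.openDefaultPorts = true;`, and add `services.openssh.settings.PasswordAuthentication = false;` so SSH is key-only. The first hunk of hosts/kestrel/configuration.nix adds the same `networking.firewall.enable = false;` line, and the same point applies there.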
@@ -34,6 +34,7 @@ networking.hostName = "kestrel"; networking.networkmanager.enable = true; networking.firewall.checkReversePath = "loose"; + networking.firewall.enable = false; # Set your time zone. time.timeZone = "America/Los_Angeles"; @@ -59,7 +60,7 @@ # Define user account. users.users.${user} = { isNormalUser = true; - extraGroups = [ "wheel" "docker" ]; # Enable ‘sudo’ for the user. + extraGroups = [ "wheel" "docker" "libvirtd" ]; # Enable ‘sudo’ for the user. shell = pkgs.zsh; }; @@ -92,29 +93,6 @@ dataDir = "/home/${user}/sync"; configDir = "/home/${user}/.config/syncthing"; }; - # xserver = { - # enable = true; - # displayManager = { - # #defaultSession = "none+bspwm"; - # lightdm.greeters.mini = { - # enable = true; - # #user = "tstarr"; - # #extraConfig = '' - # # [greeter] - # # show-password-label = false - # # invalid-password-text = Access Denied - # # show-input-cursor = true - # # password-alignment = left - # # [greeter-theme] - # # font-size = 1em - # # background-image = "" - # #''; - # }; - # }; - # }; - #}; - xserver.enable = true; - xserver.displayManager.sddm.enable = true; }; # Enable the OpenSSH daemon. @@ -131,7 +109,7 @@ modules = { services = { samba-client.enable = true; - vfio.enable = false; + virt-manager.enable = true; }; devel = { tooling.enable = true; diff --git a/provision/nixos/modules/desktop/sway.nix b/provision/nixos/modules/desktop/sway.nix index b91d7385..2533a44d 100644 --- a/provision/nixos/modules/desktop/sway.nix +++ b/provision/nixos/modules/desktop/sway.nix @@ -1,4 +1,4 @@ -{ config, lib, pkgs, user, ... }: +{ config, lib, pkgs, pkgs-unstable, user, ... }: let cfg = config.modules.desktop.sway; @@ -52,13 +52,15 @@ in { networkmanagerapplet pcmanfm google-chrome - firefox gamemode discord inkscape libreoffice-fresh mpv udiskie + p7zip + ] ++ [ + pkgs-unstable.firefox ]; # xdg-desktop-portal works by exposing a series of D-Bus interfaces 
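Review bot: In the second hunk, membership in `libvirtd` gives this account full control of the system libvirt daemon, which like `docker` is effectively root on the host, yet the trailing comment still reads `# Enable ‘sudo’ for the user.`. I would reword it to something like `# wheel: sudo; docker and libvirtd: root-equivalent daemon access` so the privilege being granted is visible at the point of change. The removed vfio module set these groups itself; now that the group lives in the host file, a host that enables `modules.services.virt-manager` without editing its own `extraGroups` gets no libvirt access, so a one-line comment in virt-manager.nix naming the required group would help.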
diff --git a/provision/nixos/modules/gaming/steam-deck.nix b/provision/nixos/modules/gaming/steam-deck.nix
new file mode 100644
index 00000000..be69a0c6
--- /dev/null
+++ b/provision/nixos/modules/gaming/steam-deck.nix
@@ -0,0 +1,126 @@ +{ config, lib, pkgs, pkgs-unstable, user, jovian-nixos, ... }: + +let + cfg = config.modules.gaming.steam-deck; +in { + options.modules.gaming.steam-deck.enable = lib.mkEnableOption "steam-deck"; + config = lib.mkIf cfg.enable { + imports = [ + (jovian-nixos + "/modules") + home-manager.nixosModule + ]; + + jovian = { + steam.enable = true; + devices.steamdeck = { + enable = true; + }; + }; + + services.xserver.displayManager.gdm.wayland = lib.mkForce true; # lib.mkForce is only required on my setup because I'm using some other NixOS configs that conflict with this value + services.xserver.displayManager.defaultSession = "steam-wayland"; + services.xserver.displayManager.autoLogin.enable = true; + services.xserver.displayManager.autoLogin.user = ${user}; + + # Enable GNOME + sound.enable = true; + services.xserver.desktopManager.gnome = { + enable = true; + }; + + # Create user + users.users.${user} = { + isNormalUser = true; + }; + + systemd.services.gamescope-switcher = { + wantedBy = [ "graphical.target" ]; + serviceConfig = { + User = 1000; + PAMName = "login"; + WorkingDirectory = "~"; + + TTYPath = "/dev/tty7"; + TTYReset = "yes"; + TTYVHangup = "yes"; + TTYVTDisallocate = "yes"; + + StandardInput = "tty-fail"; + StandardOutput = "journal"; + StandardError = "journal"; + + UtmpIdentifier = "tty7"; + UtmpMode = "user"; + + Restart = "always"; + }; + + script = '' + set-session () { + mkdir -p ~/.local/state + >~/.local/state/steamos-session-select echo "$1" + } + consume-session () { + if [[ -e ~/.local/state/steamos-session-select ]]; then + cat ~/.local/state/steamos-session-select + rm ~/.local/state/steamos-session-select + else58 closure + echo "gamescope" + fi + } + while :; do + session=$(consume-session) + case "$session" in + plasma) + dbus-run-session -- gnome-shell --display-server --wayland + ;; + gamescope) + steam-session + ;; + esac + done + ''; + }; + + environment.systemPackages = with pkgs; [ + gnome.gnome-terminal + 
gnomeExtensions.dash-to-dock + jupiter-dock-updater-bin + steamdeck-firmware + ]; + + # GNOME settings through home-manager + home-manager.users.${user} = { + home.stateVersion = "22.11"; + dconf.settings = { + # Enable on-screen keyboard + "org/gnome/desktop/a11y/applications" = { + screen-keyboard-enabled = true; + }; + "org/gnome/shell" = { + enabled-extensions = [ + "dash-to-dock@micxgx.gmail.com" + ]; + favorite-apps = ["steam.desktop"]; + }; + # Dash to Dock settings for a better touch screen experience + "org/gnome/shell/extensions/dash-to-dock" = { + background-opacity = 0.80000000000000004; + custom-theme-shrink = true; + dash-max-icon-size = 48; + dock-fixed = true; + dock-position = "LEFT"; + extend-height = true; + height-fraction = 0.60999999999999999; + hot-keys = false; + preferred-monitor = -2; + preferred-monitor-by-connector = "eDP-1"; + scroll-to-focused-application = true; + show-apps-at-top = true; + show-mounts = true; + show-show-apps-button = true; + show-trash = false; + }; + }; + }; +} diff --git a/provision/nixos/modules/gaming/steam.nix b/provision/nixos/modules/gaming/steam.nix index cbb3bd6d..b3205f88 100644 --- a/provision/nixos/modules/gaming/steam.nix +++ b/provision/nixos/modules/gaming/steam.nix @@ -17,6 +17,9 @@ in { environment.systemPackages = [ pkgs.steam pkgs-unstable.yuzu-early-access + pkgs.dolphin-emu + pkgs-unstable.sunshine + pkgs-unstable.moonlight-qt ]; }; diff --git a/provision/nixos/modules/services/default.nix b/provision/nixos/modules/services/default.nix index e5744f59..61f723f0 100644 --- a/provision/nixos/modules/services/default.nix +++ b/provision/nixos/modules/services/default.nix @@ -1,4 +1,4 @@ { ... }: { - imports = [ ./samba-server.nix ./samba-client.nix ./jellyfin.nix ./vfio.nix ]; + imports = [ ./samba-server.nix ./samba-client.nix ./jellyfin.nix ]; } diff --git a/provision/nixos/modules/services/vfio.nix b/provision/nixos/modules/services/vfio.nix deleted file mode 100644 index be975267..00000000 
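Review bot: The new steam-deck.nix does not parse as shown: `autoLogin.user = ${user};` uses a bare antiquotation, the `consume-session` function in the service script contains `else58 closure` where a plain `else` is meant, and the closing braces at the end appear to be one short of the blocks opened. I would write `services.xserver.displayManager.autoLogin.user = user;`, restore `else`, and close the `config = lib.mkIf cfg.enable {` block with `};` before the final `}`. `imports` is also placed inside `config = lib.mkIf …`, where the module system does not accept it, and `home-manager` is not among the function arguments; the list belongs at the module's top level next to `options`. `User = 1000;` hard-codes a UID where the rest of the module uses `${user}`; `User = user;` keeps the service and the auto-login account in step.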
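Review bot: The `imports` list in modules/services/default.nix drops `./vfio.nix` but does not gain `./virt-manager.nix`, while hosts/kestrel/configuration.nix in this same commit sets `modules.services.virt-manager.enable = true;`. Unless the new file is imported somewhere not shown, that option is undeclared and evaluating kestrel fails; the line should read `imports = [ ./samba-server.nix ./samba-client.nix ./jellyfin.nix ./virt-manager.nix ];`. The commit's file list likewise shows no change to an index file under modules/gaming, so the new steam-deck.nix may need the same treatment.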
--- a/provision/nixos/modules/services/vfio.nix
+++ /dev/null
@@ -1,57 +0,0 @@
-# vfio setup for windows gaming with single gpu
-
-{ config, lib, pkgs, user, ... }:
-
-let cfg = config.modules.services.vfio;
-in {
- options.modules.services.vfio.enable = lib.mkEnableOption "vfio";
- config = lib.mkIf cfg.enable {
-
- users.users.${user}.extraGroups = [ "qemu-libvirtd" "libvirtd" "kvm" ];
-
- # Boot configuration
- boot.kernelParams = [ "amd_iommu=on" "iommu=pt" "iommu=1" "video=efifb:off" "disable_idle_d3=1" ];
- boot.kernelModules = [ "kvm-amd" "vfio-pci" ];
-
- programs.dconf.enable = true;
-
- environment.systemPackages = with pkgs; [ virt-manager ];
-
- # Enable libvirtd
- virtualisation.libvirtd = {
- enable = true;
- onBoot = "ignore";
- onShutdown = "shutdown";
- qemu.ovmf.enable = true;
- qemu.runAsRoot = true;
- };
-
- # Place helper files where libvirt can get to them
- environment.etc = {
- "libvirt/hooks/qemu" = {
- source = "/home/${user}/.local/share/chezmoi/provision/local/gpu-passthrough/qemu";
- mode = "0755";
- };
- "libvirt/hooks/qemu.d/win11/prepare/begin/start.sh" = {
- source = "/home/${user}/.local/share/chezmoi/provision/local/gpu-passthrough/start.sh";
- mode = "0755";
- };
- "libvirt/hooks/qemu.d/win11/release/end/revert.sh" = {
- source = "/home/${user}/.local/share/chezmoi/provision/local/gpu-passthrough/revert.sh";
- mode = "0755";
- };
- "libvirt/qemu.conf" = {
- source = "/home/${user}/.local/share/chezmoi/provision/local/gpu-passthrough/qemu.conf";
- mode = "0755";
- };
- "libvirt/libvirtd.conf" = {
- source = "/home/${user}/.local/share/chezmoi/provision/local/gpu-passthrough/libvirtd.conf";
- mode = "0755";
- };
- "libvirt/patch.rom" = {
- source = "/home/${user}/.local/share/chezmoi/provision/local/gpu-passthrough/patch.rom";
- mode = "0755";
- };
- };
- };
-}
diff --git a/provision/nixos/modules/services/virt-manager.nix b/provision/nixos/modules/services/virt-manager.nix
new file mode 100644
index 00000000..b6d5d345
--- /dev/null
+++ b/provision/nixos/modules/services/virt-manager.nix
@@ -0,0 +1,11 @@
+{ config, lib, pkgs, ... }:
+
+let cfg = config.modules.services.virt-manager;
+in {
+ options.modules.services.virt-manager.enable = lib.mkEnableOption "virt-manager";
+ config = lib.mkIf cfg.enable {
+ virtualisation.libvirtd.enable = true;
+ programs.dconf.enable = true;
+ environment.systemPackages = with pkgs; [ virt-manager ];
+ };
+}