From 05dc39215ea2137e2d21cf85b7f62f04bb7e5061 Mon Sep 17 00:00:00 2001 From: "backport-actions-token[bot]" <87506591+backport-actions-token[bot]@users.noreply.github.com> Date: Mon, 15 Nov 2021 16:30:35 +0000 Subject: [PATCH] Docs: Add Grafana Integration Guide (#2742) (#2762) * first draft * re-arrange and clarify routes * clarify troubleshooting resolution * Apply suggestions from code review Co-authored-by: Travis Groth * consolidate variables * post-shuffle adjustment * Apply suggestions from code review Co-authored-by: Travis Groth * Update grafana.md Made grammar/spelling changes * Update docs/guides/grafana.md * Update docs/guides/grafana.md * Update docs/guides/grafana.md Co-authored-by: Alex Fornuto Co-authored-by: Travis Groth Co-authored-by: cmo-pomerium <91488121+cmo-pomerium@users.noreply.github.com> Co-authored-by: Alex Fornuto Co-authored-by: Travis Groth Co-authored-by: cmo-pomerium <91488121+cmo-pomerium@users.noreply.github.com> --- docs/.vuepress/config.js | 1 + docs/guides/grafana.md | 200 ++++++++++++++++++ .../guides/img/grafana-server-admin-users.png | Bin 0 -> 35845 bytes 3 files changed, 201 insertions(+) create mode 100644 docs/guides/grafana.md create mode 100644 docs/guides/img/grafana-server-admin-users.png diff --git a/docs/.vuepress/config.js b/docs/.vuepress/config.js index 4eecad61f..59a9f673c 100644 --- a/docs/.vuepress/config.js +++ b/docs/.vuepress/config.js @@ -212,6 +212,7 @@ module.exports = { "argo", "cloud-run", "code-server", + "grafana", "istio", "jwt-verification", "kubernetes", diff --git a/docs/guides/grafana.md b/docs/guides/grafana.md new file mode 100644 index 000000000..7c5bfbdc8 --- /dev/null +++ b/docs/guides/grafana.md 
@@ -0,0 +1,200 @@ +--- +title: Grafana +lang: en-US +meta: + - name: keywords + content: >- + pomerium identity-access-proxy data logging graphing grafana + authentication authorization +description: >- + This guide covers how to use Pomerium to authenticate and authorize users of Grafana. +--- + +# Securing Grafana with Pomerium + +[Grafana](https://grafana.com/) is an open-source analytics visualization and monitoring tool. It provides many user-contributed [Dashboards](https://grafana.com/grafana/dashboards/) that make it popular for enthusiasts as well as professionals. + +This guide will demonstrate how to secure an instance of Grafana behind Pomerium, and provide users with a seamless login to Grafana using your Identity Provider (**IdP**). + +## Before You Begin + +This guide begins with the following steps assumed complete: + +- A running instance of Pomerium. If you haven't already installed Pomerium, see our articles for installation on [Docker](/docs/install/readme.md), [Kubernetes](/docs/install/helm.md), or as an all-in-one [binary](/docs/install/binary.html). +- Administrator access to a working Grafana instance, including write access to the config file `grafana.ini`, usually found in `/etc/grafana`. + +This guide uses the following temporary values in commands and configuration examples, which will need to be adjusted for your setup: + +- `http://grafana:3000` - The path Pomerium will use to access Grafana. This example emulates a common Docker-based setup. +- `http://grafana.local:3000` - The path to access the Grafana interface from your local computer. We will need direct access to add at least one user before Pomerium is configured. +- `https://grafana.localhost.pomerium.io` - The path to access Grafana through Pomerium. Change this to match the domain space Pomerium is configured in. + +## Enable JWT Authentication in Grafana + +Edit `grafana.ini` to configure [JWT authentication]. 
Replace `auth.localhost.pomerium.io` with the value of [`authenticate_service_url`] in your Pomerium configuration: + +```ini +[auth.jwt] +enabled = true +header_name = X-Pomerium-Jwt-Assertion +email_claim = email +jwk_set_url = https://auth.localhost.pomerium.io/.well-known/pomerium/jwks.json +cache_ttl = 60m +``` + +This configuration: + +- enables authentication by java web token (**JWT**), +- defines the header to look at to provide the JWT, +- associates the email_claim in the JWT with the email of the Grafana user, +- specifies the location of the signing key for the JWT to validate it, +- sets a 60 minute cache time for the token. + +Once you've saved and exited the file, restart Grafana. + +## Add Users to Grafana + +At this stage Grafana is configured to use the `email` claim in the JWT to associate an incoming connection with a user. Pomerium will be configured to include identity information via the JWT in the next section. But the user must still exist in Grafana to be associated. Otherwise, you will see this error in the browser after authenticating: + +```json +{"message":"Invalid JWT"} +``` + +1. To add users without requiring them to accept an invitation, log in to Grafana directly as an admin user at `http://grafana.local:3000`. + +1. Under the shield icon in the main menu (**Server Admin**), select **Users**. + + ![The users option under the server admin menu](./img/grafana-server-admin-users.png) + + ::: warning + This is distinct from the **Users** option under the cog wheel (**Configuration**), which will only finalize a new user when they accept an invite via email or link. + ::: + +1. Click the **New user** button to create a new user. Make sure that the email address matches the one provided by Pomerium via your IdP. + + ::: tip + You can access the special endpoint `/.pomerium` from any Pomerium route to view the data provided by Pomerium in the JWT. 
+ ::: + +After creating a new user in Grafana, that user should be logged in automatically when they access Grafana from the Pomerium route (after first authenticating with your IdP, of course). + +## Configure the Pomerium Route + +Add a route for Grafana to your Pomerium config. Change the following variables in the example below to match your setup: + +| Variable | Description | +|:----- | ---- | +| `localhost.pomerium.io` | The domain space where Pomerium is configured to set up routes. You can also change `grafana` to a custom subdomain. | +| `http://grafana:3000` | The hostname or IP address and port from which Grafana is accessible within your local network or container environment. | +| `example.com` | Your company domain. The example policy allows access to Grafana for anyone with an email address from your company domain. Adjust the policy to match your organization's needs. | + +::::: tabs +:::: tab config.yaml +For all-in-one or split service configurations using `config.yaml`, add the route to your `config.yaml` file: +```yaml +routes: + - from: https://grafana.localhost.pomerium.io + to: http://grafana:3000 + pass_identity_headers: true + policy: + - allow: + or: + - domain: + is: example.com + +``` + +::: tip Note +Docker-based installations may need to be restarted to pick up the new route. +::: + +:::: +:::: tab Ingress +If you're using the Pomerium Ingress Controller in Kubernetes, add an Ingress for the new route. Adjust the following example to match your configuration. 
Note that this example assumes a [cert-manager][ingress-cert-manager] solution for route certificates: + +```yaml +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: grafana + annotations: + cert-manager.io/issuer: pomerium-issuer + ingress.pomerium.io/policy: '[{"allow":{"and":[{"domain":{"is":"example.com"}}]}}]' + #ingress.pomerium.io/secure_upstream: true # Uncomment if Grafana is serving content over HTTPS + ingress.pomerium.io/pass_identity_headers: "true" +spec: + ingressClassName: pomerium + rules: + - host: grafana.localhost.pomerium.io + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: grafana + port: + number: 3000 + tls: + - hosts: + - grafana.localhost.pomerium.io + secretName: grafana.localhost.pomerium.io-tls +``` +:::: +::::: + +Once the new route is applied, users can access Grafana from `https://grafana.localhost.pomerium.io` + +### Manage Access at Scale + +The steps outlined above work to confirm the configuration for small teams, but adding users individually and manually does not scale for larger organizations. To add users to Grafana at scale, consider using Grafana's Admin API and the [Global Users] endpoint to automate the creation of Grafana users with data from your IdP. + +## Troubleshooting + +### Local Signing Key + +In instances where Grafana cannot get the signing key for the JWTs from the Pomerium authenticate service, you can place a copy of the key locally. + +For example, wildcard certificates signed by LetsEncrypt may still be cross-signed by the [expired DST R3 root]. 
While many browsers still trust these certificates (as long as they are also signed by a valid root), some applications reject them, including Grafana: + +```log +logger=context error=Get "https://authenticate.localhost.pomerium.io/.well-known/pomerium/jwks.json": x509: certificate signed by unknown authority +``` + +To circumvent this issue, you can use `curl` or `wget` to download the signing key locally: + +::::: tabs +:::: tab curl + +From the Grafana host: + +```bash +curl https://authenticate.localhost.pomerium.io/.well-known/pomerium/jwks.json > /etc/grafana/jwks.json +``` +:::: +:::: tab wget +From the Grafana host: +```bash +wget -O /etc/grafana/jwks.json https://authenticate.localhost.pomerium.io/.well-known/pomerium/jwks.json +``` +:::: +::::: + +Edit `grafana.ini` and add the `jwk_set_file` key to provide it to Grafana: + +```ini +[auth.jwt] +enabled = true +header_name = X-Pomerium-Jwt-Assertion +email_claim = email +jwk_set_file = /etc/grafana/jwks.json +cache_ttl = 60m +``` + + + +[`authenticate_service_url`]: /reference/readme.md#authenticate-service-url +[expired DST R3 root]: https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/ +[Global Users]: https://grafana.com/docs/grafana/latest/http_api/admin/#global-users +[ingress-cert-manager]: /docs/k8s/ingress.md#cert-manager-integration +[JWT authentication]: https://grafana.com/docs/grafana/latest/auth/jwt/ 
diff --git a/docs/guides/img/grafana-server-admin-users.png b/docs/guides/img/grafana-server-admin-users.png new file mode 100644 index 0000000000000000000000000000000000000000..f41622652e6d21d1906e6aae1cf1a46cfa949246 GIT binary patch literal 35845
zd)Ti>u>!XFfW?BowJBtL{3oX|5ivh15r4mE*<)o{+^>i%%17AU9FzX}*6y_8<-P!`{ww21S~7&}F&EC%-y}+gsA^EN2wh=MF^h=K zuA5}kcREkD4HunbgM!+FC~saIc$6Sk3#-&QK0<+=tWNDRO|q+w3dySJKt)p_C-s3i z?=bDJqRBe;!?))rp1EX84d0WKcJ&@3iaGZ_Z1LRp^1au)d3)Eya<}M-4PUXK-Vu5b zNd;ZJhik%4JJ;Jn+&Ueze<`4_)AvrbKM=a0e&chnta#(Yi*yg|=t?FV|EWXf-awX! zPvP-Uo?jgi56^P4Tu)hk6=e4a>ls?y)~CPop}HR@LT390k4w()baAb-Ddl^{F2ObY z3k!P$ZW9IFH?L`bhkY$s!o+M+_^g(69cXM0!0^0m_W{NcELZRL&EKozaJPzvCql>) z<1U*h`wZ{UG07%c6i<%})N)S68ou)nmb3VP_jHmb4hcW?es z0Xc)pALTp@z-pZ=ht?6LX*O)1s)F)Fg<|*~J9avvvz*?E01o_<5|