From 2b28d25f204ed9d1571f4dd7092f4c2a14b88016 Mon Sep 17 00:00:00 2001 From: Kim Ngo <6362111+findkim@users.noreply.github.com> Date: Thu, 6 May 2021 16:26:31 -0500 Subject: [PATCH 01/23] docs/nia: simplify api and cli url paths (#10199) --- .../docs/nia/api/{api-overview.mdx => index.mdx} | 0 .../docs/nia/cli/{cli-overview.mdx => index.mdx} | 0 website/data/docs-nav-data.json | 4 ++-- website/redirects.next.js | 10 ++++++++++ 4 files changed, 12 insertions(+), 2 deletions(-) rename website/content/docs/nia/api/{api-overview.mdx => index.mdx} (100%) rename website/content/docs/nia/cli/{cli-overview.mdx => index.mdx} (100%) diff --git a/website/content/docs/nia/api/api-overview.mdx b/website/content/docs/nia/api/index.mdx similarity index 100% rename from website/content/docs/nia/api/api-overview.mdx rename to website/content/docs/nia/api/index.mdx diff --git a/website/content/docs/nia/cli/cli-overview.mdx b/website/content/docs/nia/cli/index.mdx similarity index 100% rename from website/content/docs/nia/cli/cli-overview.mdx rename to website/content/docs/nia/cli/index.mdx diff --git a/website/data/docs-nav-data.json b/website/data/docs-nav-data.json index db215a1699..db4591421b 100644 --- a/website/data/docs-nav-data.json +++ b/website/data/docs-nav-data.json @@ -584,7 +584,7 @@ "routes": [ { "title": "Overview", - "path": "nia/api/api-overview" + "path": "nia/api" }, { "title": "Status", @@ -601,7 +601,7 @@ "routes": [ { "title": "Overview", - "path": "nia/cli/cli-overview" + "path": "nia/cli" }, { "title": "task", diff --git a/website/redirects.next.js b/website/redirects.next.js index ce9d89e5f4..e0d56f276a 100644 --- a/website/redirects.next.js +++ b/website/redirects.next.js 
@@ -1177,6 +1177,16 @@ module.exports = [ destination: '/docs/nia/configuration', permanent: true, }, + { + source: '/docs/nia/api/api-overview', + destination: '/docs/nia/api', + permanent: true, + }, + { + source: '/docs/nia/cli/cli-overview', + destination: '/docs/nia/cli', + permanent: true, + }, { source: '/use-cases/network-middleware-automation', destination: '/use-cases/network-infrastructure-automation', From bbda48f7c57d7a1694ef92362d62ac6321eb4b6d Mon Sep 17 00:00:00 2001 From: Brandon Romano Date: Fri, 7 May 2021 10:51:37 -0700 Subject: [PATCH 02/23] Merge pull request #10203 from hashicorp/br.hashistack-tweak Adjust order, remove titles, on HashiStack section --- website/components/callout-blade/index.jsx | 2 +- website/pages/home/index.jsx | 25 ++++++++++------------ 2 files changed, 12 insertions(+), 15 deletions(-) diff --git a/website/components/callout-blade/index.jsx b/website/components/callout-blade/index.jsx index 6874d27fc7..104bea2370 100644 --- a/website/components/callout-blade/index.jsx +++ b/website/components/callout-blade/index.jsx @@ -21,7 +21,7 @@ export default function CalloutBlade({ title, callouts }) {
-
{callout.title}
+ {callout.title &&
{callout.title}
}

{callout.description}

diff --git a/website/pages/home/index.jsx b/website/pages/home/index.jsx index 3934a947cb..acdfc7a40d 100644 --- a/website/pages/home/index.jsx +++ b/website/pages/home/index.jsx @@ -71,21 +71,8 @@ export default function HomePage() { From f612195b2b97ac8fdca2831d592c92dda673dc58 Mon Sep 17 00:00:00 2001 From: Mike Morris Date: Fri, 7 May 2021 15:03:50 -0400 Subject: [PATCH 03/23] website: bump beta callout on downloads page to 1.10.0-beta2 (#10202) --- website/pages/downloads/index.jsx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/website/pages/downloads/index.jsx b/website/pages/downloads/index.jsx index 16fea92a33..435eea6a38 100644 --- a/website/pages/downloads/index.jsx +++ b/website/pages/downloads/index.jsx @@ -72,8 +72,8 @@ export default function DownloadsPage(staticProps) {

- A beta for consul v1.10.0 is available! The release can be{' '} - + A beta for Consul v1.10.0 is available! The release can be{' '} + downloaded here

From 29d229ceea1e8f52423839616f766accd7d8f91e Mon Sep 17 00:00:00 2001 From: Joel Watson Date: Mon, 10 May 2021 13:20:35 -0500 Subject: [PATCH 04/23] Merge pull request #10214 from hashicorp/watsonian/raft-protocol-upgrade-note Flesh out Raft Protocol Support note --- website/content/docs/upgrading/upgrade-specific.mdx | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/website/content/docs/upgrading/upgrade-specific.mdx b/website/content/docs/upgrading/upgrade-specific.mdx index bffdab6344..5e78de6af6 100644 --- a/website/content/docs/upgrading/upgrade-specific.mdx +++ b/website/content/docs/upgrading/upgrade-specific.mdx @@ -19,9 +19,12 @@ upgrade flow. ### Changes to Raft Protocol Support Consul 1.8 supported Raft protocols 2 and 3. Consul 1.9.0 now only supports -Raft protocol 3 so before upgrading to Consul 1.9.0 users may have to first -upgrade to a previous release supporting both protocol versions and upgrade -the protocol in use to version 3. +Raft protocol 3. Consul has defaulted to using Raft protocol 3 since version 1.0.0, +so this should only impact users who have been using Consul prior to 1.0.0 and +may have the `raft_protocol` config setting set to 2. Users in that position +should upgrade to a previous release supporting both protocol versions and +update their configuration to use Raft protocol 3 before continuing their upgrade +to Consul 1.9.0. ### Changes to Configuration Defaults From 3c8a1b34fa0976383f698a172faca79462d83e15 Mon Sep 17 00:00:00 2001 From: Daniel Nephin Date: Mon, 10 May 2021 17:01:08 -0400 Subject: [PATCH 05/23] Merge pull request #10219 from hashicorp/dnephin/connect-docs docs: update notice on connect built-in proxy and native app integration --- website/content/docs/connect/native/index.mdx | 5 +++++ website/content/docs/connect/proxies/built-in.mdx | 9 ++++++--- 2 files changed, 11 insertions(+), 3 deletions(-) 
diff --git a/website/content/docs/connect/native/index.mdx b/website/content/docs/connect/native/index.mdx index 53dd514e42..62db534960 100644 --- a/website/content/docs/connect/native/index.mdx +++ b/website/content/docs/connect/native/index.mdx @@ -9,6 +9,11 @@ description: >- # Connect-Native App Integration +~> **Note:** The Native App Integration does not support many of the Connect service +mesh features, and is not under active development. +The [Envoy proxy](/docs/connect/proxies/envoy) should be used for most production +environments. + Applications can natively integrate with the Connect API to support accepting and establishing connections to other Connect services without the overhead of a [proxy sidecar](/docs/connect/proxies). This option is especially useful diff --git a/website/content/docs/connect/proxies/built-in.mdx b/website/content/docs/connect/proxies/built-in.mdx index edba97692c..7c57dbce85 100644 --- a/website/content/docs/connect/proxies/built-in.mdx +++ b/website/content/docs/connect/proxies/built-in.mdx @@ -6,10 +6,13 @@ description: Consul Connect comes with a built-in proxy for testing and developm # Built-In Proxy Options -Consul comes with a built-in L4 proxy for testing and development with Consul -Connect. +~> **Note:** The built-in proxy is not supported for production deployments. It does not +support many of the Connect service mesh features, and is not under active development. +The [Envoy proxy](/docs/connect/proxies/envoy) should be used for production deployments. + +Consul comes with a built-in L4 proxy for testing and development with Consul +Connect service mesh. -~> **Note:** [Envoy](/docs/connect/proxies/envoy) should be used for production deployments, or when [layer 7 traffic management](/docs/connect/l7-traffic-management) features are needed. ## Getting Started From e0fca93675f208d6740b0dba1c3448cbc919bccd Mon Sep 17 00:00:00 2001 
From: Kyle MacDonald Date: Tue, 11 May 2021 14:28:03 -0400 Subject: [PATCH 06/23] website: add /form redirect (#10227) --- website/redirects.next.js | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/website/redirects.next.js b/website/redirects.next.js index e0d56f276a..bae01767a8 100644 --- a/website/redirects.next.js +++ b/website/redirects.next.js @@ -5,6 +5,11 @@ // Next.js redirect documentation: https://nextjs.org/docs/api-reference/next.config.js/redirects module.exports = [ + { + source: '/trial', + destination: 'https://www.hashicorp.com/products/consul/trial', + permanent: true, + }, { source: '/discovery', destination: '/use-cases/service-discovery-and-health-checking', From c922a1d186ff88de004fe1db43d423e4b8965ada Mon Sep 17 00:00:00 2001 From: Brandon Romano Date: Tue, 11 May 2021 12:49:27 -0700 Subject: [PATCH 07/23] Merge pull request #10226 from hashicorp/pcmccarron-patch-1 Update network-infrastructure-automation.jsx --- website/pages/use-cases/network-infrastructure-automation.jsx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/website/pages/use-cases/network-infrastructure-automation.jsx b/website/pages/use-cases/network-infrastructure-automation.jsx index 64734913d4..dbc57adf1d 100644 --- a/website/pages/use-cases/network-infrastructure-automation.jsx +++ b/website/pages/use-cases/network-infrastructure-automation.jsx @@ -32,7 +32,7 @@ export default function NetworkInfrastructureAutomationPage() { textSplit={{ heading: 'Automated Firewalling', content: - 'Use Consul-Terraform-Sync to dynamically configure and apply firewall rules for newly added services.', + 'Using Consul-Terraform-Sync to automate security updates, organizations can elevating their security posture and adopt fine-grained access policies.', textSide: 'left', links: [ { 
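Review bot: The `/trial` entry added at the top of the array in website/redirects.next.js points at an external marketing URL with `permanent: true`, and clients may cache a permanent redirect indefinitely, so the mapping is hard to withdraw if the trial page moves or is retired. For an off-site, campaign-style destination I would use `permanent: false,` unless the permanence is deliberate. The destination is a fixed literal, so no request-controlled redirect target is involved. The commit subject says `/form` while the added source is `/trial`; one of the two looks like a leftover and should be corrected. The exported array continues outside the hunk.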
@@ -71,7 +71,7 @@ export default function NetworkInfrastructureAutomationPage() { textSplit={{ heading: 'Extend through Ecosystem', content: - 'Consul’s open API enables integrations with many popular networking tools.', + 'Consul’s open API enables integrations with many popular networking technologies.', textSide: 'left', links: [ { From d109a713bb30c030dbb357e8f8a8ba8fd2b5aca2 Mon Sep 17 00:00:00 2001 From: Christopher Poenaru Date: Wed, 12 May 2021 21:09:32 -0700 Subject: [PATCH 08/23] correct website documentation typo --- website/pages/use-cases/network-infrastructure-automation.jsx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/pages/use-cases/network-infrastructure-automation.jsx b/website/pages/use-cases/network-infrastructure-automation.jsx index dbc57adf1d..bcb180f2aa 100644 --- a/website/pages/use-cases/network-infrastructure-automation.jsx +++ b/website/pages/use-cases/network-infrastructure-automation.jsx @@ -32,7 +32,7 @@ export default function NetworkInfrastructureAutomationPage() { textSplit={{ heading: 'Automated Firewalling', content: - 'Using Consul-Terraform-Sync to automate security updates, organizations can elevating their security posture and adopt fine-grained access policies.', + 'Using Consul-Terraform-Sync to automate security updates, organizations can elevate their security posture and adopt fine-grained access policies.', textSide: 'left', links: [ { From 6e7e6ed78ca114965f4050bdc451ff958b294706 Mon Sep 17 00:00:00 2001 From: Luke Kysow <1034429+lkysow@users.noreply.github.com> Date: Thu, 13 May 2021 10:20:12 -0700 Subject: [PATCH 09/23] Update k8s fed docs to clarify role of acl token (#10233) --- .../multi-cluster/vms-and-kubernetes.mdx | 203 ++++++++++-------- 1 file changed, 111 insertions(+), 92 deletions(-) 
diff --git a/website/content/docs/k8s/installation/multi-cluster/vms-and-kubernetes.mdx b/website/content/docs/k8s/installation/multi-cluster/vms-and-kubernetes.mdx index 7ce18b1885..b85cfccd1c 100644 --- a/website/content/docs/k8s/installation/multi-cluster/vms-and-kubernetes.mdx +++ b/website/content/docs/k8s/installation/multi-cluster/vms-and-kubernetes.mdx 
@@ -20,70 +20,81 @@ must be the [primary](/docs/k8s/installation/multi-cluster/kubernetes#primary-da If your primary datacenter is running on Kubernetes, use the Helm config from the [Primary Datacenter](/docs/k8s/installation/multi-cluster/kubernetes#primary-datacenter) section to install Consul. -Once installed, and with the `ProxyDefaults` [resource created](/docs/k8s/installation/multi-cluster/kubernetes#proxydefaults), +Once installed on Kubernetes, and with the `ProxyDefaults` [resource created](/docs/k8s/installation/multi-cluster/kubernetes#proxydefaults), you'll need to export the following information from the primary Kubernetes cluster: -* The certificate authority cert: +- Certificate authority cert and key (in order to create SSL certs for VMs) +- External addresses of Kubernetes mesh gateways +- Replication ACL token +- Gossip encryption key - ```sh - kubectl get secrets/consul-ca-cert --template='{{index .data "tls.crt" }}' | - base64 -D > consul-agent-ca.pem - ``` +The following sections detail how to export this data. -* The certificate authority signing key: +### Certificates - ```sh - kubectl get secrets/consul-ca-key --template='{{index .data "tls.key" }}' | - base64 -D > consul-agent-ca-key.pem - ``` +1. Retrieve the certificate authority cert: -With the `consul-agent-ca.pem` and `consul-agent-ca-key.pem` files you can -create certificates for your servers and clients running on VMs that share the -same certificate authority as your Kubernetes servers. + ```sh + kubectl get secrets/consul-ca-cert --template='{{index .data "tls.crt" }}' | + base64 -D > consul-agent-ca.pem + ``` -You can use the `consul tls` commands to generate those certificates: +1. And the certificate authority signing key: - ```sh - # NOTE: consul-agent-ca.pem and consul-agent-ca-key.pem must be in the current - # directory. 
- $ consul tls cert create -server -dc=vm-dc -node - ==> WARNING: Server Certificates grants authority to become a - server and access all state in the cluster including root keys - and all ACL tokens. Do not distribute them to production hosts - that are not server nodes. Store them as securely as CA keys. - ==> Using consul-agent-ca.pem and consul-agent-ca-key.pem - ==> Saved vm-dc-server-consul-0.pem - ==> Saved vm-dc-server-consul-0-key.pem - ``` + ```sh + kubectl get secrets/consul-ca-key --template='{{index .data "tls.key" }}' | + base64 -D > consul-agent-ca-key.pem + ``` --> Note the `-node` option in the above command. This should be same as the node name of the [Consul Agent](https://www.consul.io/docs/agent#running-an-agent). This is a [requirement](https://www.consul.io/docs/connect/gateways/mesh-gateway/wan-federation-via-mesh-gateways#tls) for Consul Federation to work. Alternatively, if you plan to use the same certificate and key pair on all your Consul server nodes, or you don't know the nodename in advance, use `-node "*"` instead. -Not satisfying this requirement would result in the following error in the Consul Server logs: -`[ERROR] agent.server.rpc: TLS handshake failed: conn=from= error="remote error: tls: bad certificate"` +1. With the `consul-agent-ca.pem` and `consul-agent-ca-key.pem` files you can + create certificates for your servers and clients running on VMs that share the + same certificate authority as your Kubernetes servers. -See the help for output of `consul tls cert create -h` to see more options -for generating server certificates. + You can use the `consul tls` commands to generate those certificates: -These certificates can be used in your server config file: + ```sh + # NOTE: consul-agent-ca.pem and consul-agent-ca-key.pem must be in the current + # directory. 
+ $ consul tls cert create -server -dc=vm-dc -node + ==> WARNING: Server Certificates grants authority to become a + server and access all state in the cluster including root keys + and all ACL tokens. Do not distribute them to production hosts + that are not server nodes. Store them as securely as CA keys. + ==> Using consul-agent-ca.pem and consul-agent-ca-key.pem + ==> Saved vm-dc-server-consul-0.pem + ==> Saved vm-dc-server-consul-0-key.pem + ``` -```hcl -# server.hcl -cert_file = "vm-dc-server-consul-0.pem" -key_file = "vm-dc-server-consul-0-key.pem" -ca_file = "consul-agent-ca.pem" -``` + -> Note the `-node` option in the above command. This should be same as the node name of the [Consul Agent](https://www.consul.io/docs/agent#running-an-agent). This is a [requirement](https://www.consul.io/docs/connect/gateways/mesh-gateway/wan-federation-via-mesh-gateways#tls) for Consul Federation to work. Alternatively, if you plan to use the same certificate and key pair on all your Consul server nodes, or you don't know the nodename in advance, use `-node "*"` instead. + Not satisfying this requirement would result in the following error in the Consul Server logs: + `[ERROR] agent.server.rpc: TLS handshake failed: conn=from= error="remote error: tls: bad certificate"` -For clients, you can generate TLS certs with: + See the help for output of `consul tls cert create -h` to see more options + for generating server certificates. -```shell-session -$ consul tls cert create -client -==> Using consul-agent-ca.pem and consul-agent-ca-key.pem -==> Saved dc1-client-consul-0.pem -==> Saved dc1-client-consul-0-key.pem -``` +1. These certificates can be used in your server config file: -Or use the [auto_encrypt](/docs/agent/options#auto_encrypt) feature. + ```hcl + # server.hcl + cert_file = "vm-dc-server-consul-0.pem" + key_file = "vm-dc-server-consul-0-key.pem" + ca_file = "consul-agent-ca.pem" + ``` -1. The WAN addresses of the mesh gateways: +1. 
For clients, you can generate TLS certs with: + + ```shell-session + $ consul tls cert create -client + ==> Using consul-agent-ca.pem and consul-agent-ca-key.pem + ==> Saved dc1-client-consul-0.pem + ==> Saved dc1-client-consul-0-key.pem + ``` + + Or use the [auto_encrypt](/docs/agent/options#auto_encrypt) feature. + +### Mesh Gateway Addresses + +Retrieve the WAN addresses of the mesh gateways: ```shell-session $ kubectl exec statefulset/consul-server -- sh -c \ @@ -108,7 +119,9 @@ setting: primary_gateways = ["1.2.3.4:443"] ``` -1. If ACLs are enabled, you'll also need the replication ACL token: +### Replication ACL Token + +If ACLs are enabled, you'll also need the replication ACL token: ```shell-session $ kubectl get secrets/consul-acl-replication-acl-token --template='{{.data.token}}' 
@@ -116,25 +129,31 @@ e7924dd1-dc3f-f644-da54-81a73ba0a178 ``` This token will be used in the server config for the replication token. -You must also create your own agent policy and token. ```hcl acls { tokens { - agent = "" replication = "e7924dd1-dc3f-f644-da54-81a73ba0a178" } } ``` -1. If gossip encryption is enabled, you'll need the key as well. The command - to retrieve the key will depend on which Kubernetes secret you've stored it in. +-> **NOTE:** You'll also need to set up additional ACL tokens as needed by the +ACL system. See tutorial [Secure Consul with Access Control Lists (ACLs)](https://learn.hashicorp.com/tutorials/consul/access-control-setup-production#apply-individual-tokens-to-agents) +for more information. - This key will be used in server and client configs for the `encrypt` setting: +### Gossip Encryption Key - ```hcl - encrypt = "uF+GsbI66cuWU21kiXLze5JLEX5j4iDFlDTb0ZWNpDI=" - ``` +If gossip encryption is enabled, you'll need the key as well. The command +to retrieve the key will depend on which Kubernetes secret you've stored it in. + +This key will be used in server and client configs for the `encrypt` setting: + +```hcl +encrypt = "uF+GsbI66cuWU21kiXLze5JLEX5j4iDFlDTb0ZWNpDI=" +``` + +### Final Configuration A final example server config file might look like: 
@@ -192,41 +211,41 @@ You'll need: be routable from the Kubernetes cluster. 1. If ACLs are enabled you must create an ACL replication token with the following rules: -```hcl -acl = "write" -operator = "write" -agent_prefix "" { - policy = "read" -} -node_prefix "" { - policy = "write" -} -service_prefix "" { - policy = "read" - intentions = "read" -} -``` + ```hcl + acl = "write" + operator = "write" + agent_prefix "" { + policy = "read" + } + node_prefix "" { + policy = "write" + } + service_prefix "" { + policy = "read" + intentions = "read" + } + ``` -This token is used for ACL replication and for automatic ACL management in Kubernetes. + This token is used for ACL replication and for automatic ACL management in Kubernetes. -If you're running Consul Enterprise you'll need the rules: + If you're running Consul Enterprise you'll need the rules: -```hcl -acl = "write" -operator = "write" -agent_prefix "" { - policy = "read" -} -node_prefix "" { - policy = "write" -} -namespace_prefix "" { - service_prefix "" { - policy = "read" - intentions = "read" - } -} -``` + ```hcl + acl = "write" + operator = "write" + agent_prefix "" { + policy = "read" + } + node_prefix "" { + policy = "write" + } + namespace_prefix "" { + service_prefix "" { + policy = "read" + intentions = "read" + } + } + ``` 1. If gossip encryption is enabled, you'll need the key. 
@@ -293,11 +312,11 @@ gateways running on VMs. With your config file ready to go, follow our [Installation Guide](/docs/k8s/installation/install) to install Consul on your secondary cluster(s). -## Next Steps - After installation, if you're using consul-helm 0.30.0+, [create the `ProxyDefaults` resource](/docs/k8s/installation/multi-cluster/kubernetes#proxydefaults) to allow traffic between datacenters. -Follow the [Verifying Federation](/docs/k8s/installation/multi-cluster/kubernetes#verifying-federation) +## Next Steps + +In both cases (Kubernetes as primary or secondary), after installation, follow the [Verifying Federation](/docs/k8s/installation/multi-cluster/kubernetes#verifying-federation) section to verify that federation is working as expected. From 114fb73a29f1f62b7990e2e8ed2878c27e710618 Mon Sep 17 00:00:00 2001 From: Brandon Romano Date: Mon, 17 May 2021 15:23:10 -0700 Subject: [PATCH 10/23] Merge pull request #10251 from hashicorp/br.hc-banner Updates AlertBanner for HashiConf EU --- website/data/alert-banner.js | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/website/data/alert-banner.js b/website/data/alert-banner.js index fa1aa1b426..48fa31ab93 100644 --- a/website/data/alert-banner.js +++ b/website/data/alert-banner.js 
@@ -2,12 +2,12 @@ export const ALERT_BANNER_ACTIVE = true // https://github.com/hashicorp/web-components/tree/master/packages/alert-banner export default { - tag: 'New', - url: - 'https://cloud.hashicorp.com/?utm_source=consul_io&utm_content=alert_banner', - text: 'HCP Consul is now generally available on AWS', - linkText: 'Try today', + tag: 'June 8-11', + url: 'https://hashiconf.com/europe/?utm_source=DocsBanner', + text: + 'The countdown to HashiConf Europe is on, and the full schedule is now live.', + linkText: 'View Schedule', // Set the `expirationDate prop with a datetime string (e.g. `2020-01-31T12:00:00-07:00`) // if you'd like the component to stop showing at or after a certain date - expirationDate: '2021-04-14T11:59:00-05:00', + expirationDate: null, } From 82ac9f748194dab859c270576d8dc2f8b027f3bb Mon Sep 17 00:00:00 2001 From: Kendall Strautman <36613477+kendallstrautman@users.noreply.github.com> Date: Tue, 18 May 2021 12:48:47 -0700 Subject: [PATCH 11/23] chore: 'overview' nav item links to home page (#10255) --- website/data/subnav.js | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/website/data/subnav.js b/website/data/subnav.js index 1c3b5de40d..cd7e091941 100644 --- a/website/data/subnav.js +++ b/website/data/subnav.js @@ -1,5 +1,5 @@ export default [ - { text: 'Overview', url: '/docs/intro' }, + { text: 'Overview', url: '/' }, { text: 'Use Cases', submenu: [ @@ -39,10 +39,10 @@ export default [ url: '/api-docs', type: 'inbound', }, - { + { text: 'CLI', url: '/commands', - type: 'inbound,' + type: 'inbound,', }, { text: 'Community', From 8713a4bd3f3321f32d0e7ef19835d3cc00391f56 Mon Sep 17 00:00:00 2001 
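Review bot: Setting `expirationDate: null` in website/data/alert-banner.js removes the only automatic shut-off while the banner text is tied to fixed dates (`tag: 'June 8-11'`). With `ALERT_BANNER_ACTIVE = true` it will presumably keep showing after the event until someone edits the file by hand. The comment directly above the field already describes the datetime form, so I would set an expiry at the end of the event, for example `expirationDate: '<YYYY>-06-11T23:59:00<offset>',` with the year and offset filled in by the banner owner.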
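Review bot: In the second hunk of website/data/subnav.js the CLI entry keeps the stray comma inside the string, `type: 'inbound,',`; the change only adds the trailing comma after it. The neighbouring `/api-docs` entry uses `type: 'inbound',`, so this looks like a typo. Any code that compares `type` with `'inbound'` (not visible in this hunk) would not match the CLI item. Proposed line: `type: 'inbound',`. The exported array continues outside the hunk.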
From: Dhia Ayachi Date: Wed, 19 May 2021 20:24:54 -0400 Subject: [PATCH 12/23] docs: update register check docs (closes #6635) (#10261) Update register check documentation clarify that Id returns as CheckId in the response Co-Authored-By: Shaker Islam Co-authored-by: Shaker Islam --- website/content/api-docs/agent/check.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/content/api-docs/agent/check.mdx b/website/content/api-docs/agent/check.mdx index 67819a944b..e332a435e0 100644 --- a/website/content/api-docs/agent/check.mdx +++ b/website/content/api-docs/agent/check.mdx @@ -108,7 +108,7 @@ The table below shows this endpoint's support for - `ID` `(string: "")` - Specifies a unique ID for this check on the node. This defaults to the `"Name"` parameter, but it may be necessary to provide an - ID for uniqueness. + ID for uniqueness. This value will return in the response as `"CheckId"`. - `Interval` `(string: "")` - Specifies the frequency at which to run this check. This is required for HTTP and TCP checks. From f1aeb9ed20f5a1ec27947f259ed1dfba5228fe10 Mon Sep 17 00:00:00 2001 From: Paul Banks Date: Thu, 20 May 2021 16:28:38 +0100 Subject: [PATCH 13/23] Fix doc note since we switched authorization mechanism in 1.9 (#10266) --- website/content/docs/connect/proxies/envoy.mdx | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/website/content/docs/connect/proxies/envoy.mdx b/website/content/docs/connect/proxies/envoy.mdx index ac7e6cf181..9b391d4dc5 100644 --- a/website/content/docs/connect/proxies/envoy.mdx +++ b/website/content/docs/connect/proxies/envoy.mdx 
@@ -497,9 +497,9 @@ definition](/docs/connect/registration/service-registration) or overridden by the Connect TLS certificates and validation context. This means there is no way to override Connect's mutual TLS for the public listener. - - Every `FilterChain` will have the `envoy.ext_authz` filter prepended to the - filters array to ensure that all inbound connections are authorized by - Connect. + - Every `FilterChain` will have the `envoy.filters.{network|http}.rbac` filter + prepended to the filters array to ensure that all inbound connections are + authorized by Connect. Before Consul 1.9.0 `envoy.ext_authz` was inserted instead. - `envoy_local_cluster_json` - Specifies a complete [Envoy cluster](https://www.envoyproxy.io/docs/envoy/v1.10.0/api-v2/api/v2/cds.proto#cluster) to be delivered in place of the local application cluster. This allows From d3ecec169f9ebdc72754d3a791f6d6b2dc66edb1 Mon Sep 17 00:00:00 2001 From: Daniel Nephin Date: Thu, 20 May 2021 14:44:54 -0400 Subject: [PATCH 14/23] Merge pull request #9309 from hashicorp/docs/example-snapshot-agent-policy docs: Add example ACL policy for snapshot agent --- website/content/commands/snapshot/agent.mdx | 59 +++++++++++++++++++++ 1 file changed, 59 insertions(+) diff --git a/website/content/commands/snapshot/agent.mdx b/website/content/commands/snapshot/agent.mdx index 5691e095ac..8edcd5eb56 100644 --- a/website/content/commands/snapshot/agent.mdx +++ b/website/content/commands/snapshot/agent.mdx @@ -51,6 +51,8 @@ Snapshots can be restored using the [`consul snapshot restore`](/commands/snapshot/restore) command, or the [HTTP API](/api/snapshot). +## ACL permissions + If ACLs are enabled the following privileges are required: | Resource | Segment | Permission | Explanation | 
@@ -60,6 +62,63 @@ If ACLs are enabled the following privileges are required: | `session` | `` | `write` | The session used for locking during leader election is created against the agent name of the Consul agent that the Snapshot agent is registering itself with. | | `service` | `` | `write` | The Snapshot agent registers itself with the local Consul agent and must have write privileges on its service name which is configured with `-service`. | +### Example ACL policy + +The following is a example least privilege policy which allows the snapshot agent +to run on a node named `server-1234`. + + + + +```hcl +# Required to read and snapshot ACL data +acl = "write" +# Allow the snapshot agent to create the key consul-snapshot/lock which will +# serve as a leader election lock when multiple snapshot agents are running in +# an environment +key "consul-snapshot/lock" { + policy = "write" +} +# Allow the snapshot agent to create sessions on the specified node +session "server-1234" { + policy = "write" +} +# Allow the snapshot agent to register itself into the catalog +service "consul-snapshot" { + policy = "write" +} +``` + + + + +```json +{ + "acl": "write", + "key": { + "consul-snapshot/lock": { + "policy": "write" + } + }, + "session": { + "server-1234": { + "policy": "write" + } + }, + "service": { + "consul-snapshot": { + "policy": "write" + } + } +} +``` + + + + +Additional `session` rules should be created, or `session_prefix` used, if the +snapshot agent is deployed across more than one hosts. + ## Usage Usage: `consul snapshot agent [options]` From dff27ad8fa2df3348528f802105803f84b216fa6 Mon Sep 17 00:00:00 2001 From: Sabeen Syed Date: Fri, 21 May 2021 08:48:58 -0500 Subject: [PATCH 15/23] Docs: Add link for new Cisco TF module (#10268) --- website/content/docs/nia/installation/requirements.mdx | 1 + 1 file changed, 1 insertion(+) 
diff --git a/website/content/docs/nia/installation/requirements.mdx b/website/content/docs/nia/installation/requirements.mdx index c64527e65a..3f53b1aad8 100644 --- a/website/content/docs/nia/installation/requirements.mdx +++ b/website/content/docs/nia/installation/requirements.mdx @@ -101,6 +101,7 @@ The modules listed below are available to use and are compatible with Consul-Ter #### Cisco ACI - Policy Based Redirection: [Terraform Registry](https://registry.terraform.io/modules/CiscoDevNet/autoscaling-nia/aci/latest) / [GitHub](https://github.com/CiscoDevNet/terraform-aci-autoscaling-nia) +- Create and Update Cisco ACI Endpoint Security Groups: [Terraform Registry](https://registry.terraform.io/modules/CiscoDevNet/esg-nia/aci/latest) / [GitHub](https://github.com/CiscoDevNet/terraform-aci-esg-nia) #### F5 From 43a50f63389b6affa318fcbcf4767be65a4c28b8 Mon Sep 17 00:00:00 2001 From: allisaurus <34254888+allisaurus@users.noreply.github.com> Date: Fri, 21 May 2021 15:58:13 -0700 Subject: [PATCH 16/23] docs: fix Amazon EKS service name (#10280) --- website/content/docs/k8s/index.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/content/docs/k8s/index.mdx b/website/content/docs/k8s/index.mdx index c5becd9fcb..ef208aac44 100644 --- a/website/content/docs/k8s/index.mdx +++ b/website/content/docs/k8s/index.mdx 
@@ -67,7 +67,7 @@ There are several ways to try Consul with Kubernetes in different environments. - Review production best practices and cloud-specific configurations for deploying Consul on managed Kubernetes runtimes. - The [Consul on Azure Kubernetes Service (AKS) tutorial](https://learn.hashicorp.com/tutorials/consul/kubernetes-aks-azure?utm_source=consul.io&utm_medium=docs) is a complete step-by-step guide on how to deploy Consul on AKS. The guide also allows you to practice deploying two microservices. - - The [Consul on Amazon Elastic Kubernetes (EKS) tutorial](https://learn.hashicorp.com/tutorials/consul/kubernetes-eks-aws?utm_source=consul.io&utm_medium=docs) is a complete step-by-step guide on how to deploy Consul on EKS. Additionally, it provides guidance on interacting with your datacenter with the Consul UI, CLI, and API. + - The [Consul on Amazon Elastic Kubernetes Service (EKS) tutorial](https://learn.hashicorp.com/tutorials/consul/kubernetes-eks-aws?utm_source=consul.io&utm_medium=docs) is a complete step-by-step guide on how to deploy Consul on EKS. Additionally, it provides guidance on interacting with your datacenter with the Consul UI, CLI, and API. - The [Consul on Google Kubernetes Engine (GKE) tutorial](https://learn.hashicorp.com/tutorials/consul/kubernetes-gke-google?utm_source=consul.io&utm_medium=docs) is a complete step-by-step guide on how to deploy Consul on GKE. Additionally, it provides guidance on interacting with your datacenter with the Consul UI, CLI, and API. - The [Consul and Kubernetes Reference Architecture](https://learn.hashicorp.com/tutorials/consul/kubernetes-reference-architecture?utm_source=consul.io&utm_medium=docs) guide provides recommended practices for production. From 4801c1640b2d4130e817d04484aa92cfdfc7fb0b Mon Sep 17 00:00:00 2001 
From: Jono Sosulska <42216911+jsosulska@users.noreply.github.com> Date: Mon, 24 May 2021 12:44:03 -0700 Subject: [PATCH 17/23] Updating Consul Glossary with more industry standard terms (#10074) * Update glossary.mdx 1. Update header to the first section to "Consul Vocabulary" since these are the terms used in the context of Consul conversations. 2. Kept the header "Consul Glossary" since these are the terms useful for practitioners in the consul space. 3. Removed interlinking to terms on the same page. Co-authored-by: Hans Hasselberg Co-authored-by: Swarna Podila --- website/content/docs/install/glossary.mdx | 307 +++++++++++++++++++++- 1 file changed, 305 insertions(+), 2 deletions(-) diff --git a/website/content/docs/install/glossary.mdx b/website/content/docs/install/glossary.mdx index d7daf70d12..42843263d1 100644 --- a/website/content/docs/install/glossary.mdx +++ b/website/content/docs/install/glossary.mdx @@ -6,9 +6,9 @@ description: >- the documentation. --- -# Consul Glossary +# Consul Vocabulary -This page collects brief definitions of some of the technical terms used in the documentation for Consul and Consul Enterprise, as well as some terms that come up frequently in conversations throughout the Consul community. +This section collects brief definitions of some of the technical terms used in the documentation for Consul and Consul Enterprise, as well as some terms that come up frequently in conversations throughout the Consul community. ## Agent 
@@ -73,3 +73,306 @@ over the internet or wide area network. Remote Procedure Call. This is a request / response mechanism allowing a client to make a request of a server. + +# Consul Glossary +This section collects brief definitions of some of the terms used in the discussions around networking in a cloud-native world. + + +## Access Control List (ACL) +An Access Control List (ACL) is a list of user permissions for a file, folder, or +other object. It defines what users and groups can access the object and what +operations they can perform. + +Consul uses Access Control Lists (ACLs) to secure the UI, API, CLI, service +communications, and agent communications. +Visit [Consul ACL Documentation and Guides](https://www.consul.io/docs/acl) + +## API Gateway +An Application Programming Interface (API) is a common software interface that +allows two applications to communicate. Most modern applications are built using +APIs. An API Gateway is a single point of entry into these modern applications +built using APIs. + +## Application Security +Application Security is the process of making applications secure by detecting +and fixing any threats or information leaks. This can be done during or after +the app development lifecycle; although, it is easier for app teams and security +teams to incorporate security into an app even before the development process +begins. + +## Application Services +Application Services are a group of services, such as application performance +monitoring, load balancing, service discovery, service proxy, security, +autoscaling, etc. needed to deploy, run, and improve applications. + +## Authentication and Authorization (AuthN and AuthZ) +Authentication (AuthN) deals with establishing user identity while Authorization +(AuthZ) allows or denies access to the user based on user identity. 
+ +## Auto Scaling Groups +An Auto Scaling Group is an AWS specific term that represents a collection of +Amazon EC2 instances that are treated as a logical grouping for the purposes of +automatic scaling and management. +Learn more about Auto Scaling Groups +[here](https://docs.aws.amazon.com/autoscaling/ec2/userguide/AutoScalingGroup.html). + +## Autoscaling +Autoscaling is the process of automatically scaling computational resources based +on network traffic requirements. Autoscaling can be done either horizontally or +vertically. Horizontal scaling is done by adding more machines into the pool of +resources whereas vertical scaling means increasing the capacity of an existing +machine. + +## Blue-Green Deployments +Blue-Green Deployment is a deployment method designed to reduce downtime by +running two identical production environments labeled Blue and Green. Blue is +the active while Green is the idle environment. + +## Canary Deployments +Canary deployment is the pattern used for rolling out releases to a subset of +users or servers. The goal is deploy the updates to a subset of users, test it, +and then roll out the changes to everyone. + +## Client-side Load Balancing +Client-side load balancing is a load balancing approach that relies on clients' +decision to call the right servers. As the name indicates, this approach is part +of the client application. Servers can still have their own load balancer +alongside the client-side load balancer. + +## Cloud Native Computing Foundation +The [Cloud Native Computing Foundation (CNCF)](https://github.com/cncf/foundation) +is a Linux Foundation project that was founded in 2015 to help advance +container technology and align the tech industry around its evolution. + +HashiCorp joined Cloud Native Computing Foundation to further HashiCorp +product integrations with CNCF projects and to work more closely with the +broader cloud-native community of cloud engineers. 
Read more +[here](https://www.hashicorp.com/blog/hashicorp-joins-the-cncf/). + +## Custom Resource Definition (CRD) +Custom resources are the extensions of the Kubernetes API. A Custom Resource +Definition (CRD) file allows a user to define their own custom resources and +allows the API server to handle the lifecycle. + +## Egress Traffic +Egress traffic is network traffic that begins inside a network and proceeds +through its routers to a destination outside the network. + +## Elastic Provisioning +Elastic Provisioning is the ability to provision computing resources +dynamically to meet user demand. + +## Envoy Proxy +[Envoy Proxy](https://www.envoyproxy.io/) is a modern, high performance, +small footprint edge and service proxy. Originally written and deployed at +[Lyft](https://eng.lyft.com/announcing-envoy-c-l7-proxy-and-communication-bus-92520b6c8191), + Envoy Proxy is now an official project at [Cloud Native Computing Foundation + (CNCF)](https://www.cncf.io/cncf-envoy-project-journey/) + +## Forward Proxy +A forward proxy is used to forward outgoing requests from inside the network +to the Internet, usually through a firewall. The objective is to provide a level +of security and to reduce network traffic. + +## Hybrid Cloud Architecture +A hybrid cloud architecture is an IT architectural approach that mixes +on-premises, private cloud, and public cloud services. A hybrid cloud +environment incorporates workload portability, orchestration, and management +across the environments. + +A private cloud, traditionally on-premises, is referred to an infrastructure +environment managed by the user themselves. + +A public cloud, traditionally off-premises, is referred to an infrastructure +service provided by a third party. + +## Identity-based authorization +Identity-based authorization is a security approach to restrict or allow access +based on the authenticated identity of an individual. 
+ +## Infrastructure as a Service +Infrastructure as a Service, often referred to as IaaS, is a cloud computing +approach where the computing resources are delivered online via APIs. These +APIs communicate with underlying infrastructure like physical computing resources, + location, data partitioning, scaling, security, backup, etc. + +IaaS is one of the four types of cloud services along with SaaS +(Software as a Service), PaaS (Platform as a Service), and Serverless. + +## Infrastructure as Code +Infrastructure as Code (IaC) is the process of developers and operations teams' +ability of provisioning and managing computing resources automatically through +software, instead of using configuration tools. + +## Ingress Controller +In Kubernetes, "ingress" is an object that allows access Kubernetes services +from outside the Kubernetes cluster. An ingress controller is responsible for +ingress, generally with a load balancer or an edge router that can help with +traffic management. + +## Ingress Gateway +An Ingress Gateway is an edge of the mesh load balancer that provides secure and +reliable access from external networks to Kubernetes clusters. + +## Ingress Traffic +Ingress Traffic is the network traffic that originates outside the network and +has a destination inside the network. + +## Key-Value Store +A Key-Value Store (or a KV Store) also referred to as a Key-Value Database is +a data model where each key is associated with one and only one value in +a collection. + +## L4 - L7 Services +L4-L7 Services are a set of functions such as load balancing, web application +firewalls, service discovery, and monitoring for network layers within the +Open Systems Interconnection (OSI) model. + +## Layer 7 Observability +Layer 7 Observability is a feature of Consul Service Mesh that enables a +unified workflow for metric collection, distributed tracking, and logging. +It also allows centralized configuration and management for a distributed +data plane. 
+ +## Load Balancer +A load balancer is a network appliance that acts as a [reverse proxy] (link to that +glossary term) and distributes network and application traffic across the servers. + +## Load Balancing +Load Balancing is the process of distributing network and application traffic +across multiple servers. + +## Load Balancing Algorithms +Load balancers follow an algorithm to determine how to route the traffic across +the server farm. Some of the commonly used algorithms are: +1. Round Robin +2. Least Connections +3. Weighted Connections +4. Source IP Hash +5. Least Response Time Method +6. Least Bandwidth Method + +## Multi-cloud +A multi-cloud environment generally uses two or more cloud computing services +from different vendors in a single architecture. This refers to the distribution +of compute resources, storage, and networking aspects across cloud environments. +A multi-cloud environment could be either all private cloud or all public cloud +or a combination of both. + +## Multi-cloud Networking +Multi-cloud Networking provides network configuration and management across +multiple cloud providers via APIs. + +## Mutual Transport Layer Security (mTLS) +Mutual Transport Layer Security, also known as mTLS, is an authentication +mechanishm that ensures network traffic security in both directions between +a client and server. + +## Network Middleware Automation +The process of publishing service changes to network middleware such as +load balancers and firewalls and automating network tasks is called Network +Middleware Automation. + +## Network security +Network security is the process of protecting data and network. It consists +of a set of policies and practices that are designed to prevent and monitor +unauthorized access, misuse, modification, or denial of a computer network +and network-accessible resources. 
+ +## Network traffic management +Network Traffic Management is the process of ensuring optimal network operation +by using a set of network monitoring tools. Network traffic management also +focuses on traffic management techniques such as bandwidth monitoring, deep +packet inspection, and application based routing. + +## Network Visualization +Network Visualization is the process of visually displaying networks and +connected entitites in a "boxes and lines" kind of a diagram. + +In the context of microservices architecture, visualization can provide a clear +picture of how services are connected to each other, the service-to-service +communication, and resource utilization of each service. + +## Observability +Observability is the process of logging, monitoring, and alerting on the +events of a deployment or an instance. + +## Elastic Scaling +Elastic Scaling is the ability to automatically add or remove compute or +networking resources based on the changes in application traffic patterns. + +## Platform as a Service +Platform-as-a-Service (PaaS) is a category of cloud computing that allows +users to develop, run, and manage applications without the complexity of +building and maintaining the infrastructure typically associated with +developing and launching the application. + +## Reverse Proxy +A reverse proxy handles requests coming from outside, to the internal +network. Reverse Proxy provides a level of security that prevents the +external clients from having direct access to data on the corporate servers. +The reverse proxy is usually placed between the web server and the external +traffic. + +## Role-based Access Controls +The act of restricting or provisioning access +to a user based on their specific role in the organization. + +## Server side load balancing +A Server-side Load Balancer sits between the client and the server farm, +accepts incoming traffic, and distributes the traffic across multiple backend +servers using various load balancing methods. 
+ +## Service configuration +A service configuration includes the name, description, and the specific +function of a service. In a microservices application architecture setting, +a service configuration file includes a service definition. + +## Service Catalog +A service catalog is an organized and curated collection of services that +are available for developers to bind to their applications. + +## Service Discovery +Service Discovery is the process of detecting services and devices on a +network. In a microservices context, service discovery is how applications +and microservices locate each other on a network. + +## Service Mesh +Service Mesh is the infrastructure layer that facilitates service-to-service +communication between microservices, often using a sidecar proxy. This +network of microservices make up microservice applications and the +interactions between them. + +## Service Networking +Service networking brings several entities together to deliver a particular +service. Service Networking acts as the brain of an organization's +networking and monitoring operations. + +## Service Proxy +A service proxy is the client-side proxy for a microservice application. +It allows applications to send and receive messages over a proxy server. + +## Service Registration +Service registration is the process of letting clients (of the service) +and routers know about the available instances of the service. +Service instances are registered with a service registry on startup and deregistered at shutdown. + +## Service Registry +Service Registry is a database of service instances and information on +how to send requests to these service instances. + +## Microservice Segmentation +Microservice segmentation, sometimes visual, of microservices is the +segmentation in a microservices application architecture that enables +adminsitrators to view their functions and interactions. 
+ +## Service-to-service communication +Service-to-service communication, sometimes referred to as +inter-service communication, if the ability of a microservice +application instance to communicate with another to collaborate and +handle client requests. + +## Software as a Service +Software as a Service is a licensing and delivery approach to software +delivery where the software is hosted by a provider and licensed +to users on a subscription basis. From 575066d918d75389fd74fc65a7157ec440768649 Mon Sep 17 00:00:00 2001 From: mrspanishviking Date: Tue, 25 May 2021 08:14:39 -0700 Subject: [PATCH 18/23] Merge pull request #10290 from hashicorp/docs-rename-enterprise docs: rename enterprise to Consul enterprise --- website/content/docs/enterprise/index.mdx | 2 +- website/data/docs-nav-data.json | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/website/content/docs/enterprise/index.mdx b/website/content/docs/enterprise/index.mdx index dc1d54ac74..7469717e63 100644 --- a/website/content/docs/enterprise/index.mdx +++ b/website/content/docs/enterprise/index.mdx @@ -1,6 +1,6 @@ --- layout: docs -page_title: Enterprise Features +page_title: Consul Enterprise description: >- Consul Enterprise features a number of capabilities beyond the open source offering that may be beneficial in certain workflows. diff --git a/website/data/docs-nav-data.json b/website/data/docs-nav-data.json index db4591421b..5f64d6c33d 100644 --- a/website/data/docs-nav-data.json +++ b/website/data/docs-nav-data.json @@ -755,7 +755,7 @@ ] }, { - "title": "Enterprise Features", + "title": "Consul Enterprise", "routes": [ { "title": "Overview", From d745e2a93dafa7ea6681920b2ca1a0a5c5ef0314 Mon Sep 17 00:00:00 2001 
From: Jono Sosulska <42216911+jsosulska@users.noreply.github.com> Date: Tue, 25 May 2021 12:36:09 -0700 Subject: [PATCH 19/23] Update Kubernetes docs to point to install pages. (#10293) Adds more clear indicators that the collections on the learn.hashicorp.com sites have specific instructions for single node deployments. Co-Authored by: soonoo --- website/content/docs/k8s/installation/install.mdx | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/website/content/docs/k8s/installation/install.mdx b/website/content/docs/k8s/installation/install.mdx index 41052e1eea..c806733f64 100644 --- a/website/content/docs/k8s/installation/install.mdx +++ b/website/content/docs/k8s/installation/install.mdx @@ -30,8 +30,9 @@ all the necessary components to run Consul. The configuration enables you to run just a server cluster, just a client cluster, or both. Using the Helm chart, you can have a full Consul deployment up and running in minutes. -A step-by-step beginner tutorial and accompanying video can be found at the -[Minikube with Consul guide](https://learn.hashicorp.com/consul/getting-started-k8s/minikube?utm_source=consul.io&utm_medium=docs). +Step-by-step tutorials for how to deploy Consul to Kubernetes, please see +our [Deploy to Kubernetes](https://learn.hashicorp.com/collections/consul/kubernetes-deploy) +collection. This collection includes configuration caveats for single node deployments. While the Helm chart exposes dozens of useful configurations and automatically sets up complex resources, it **does not automatically operate Consul.** From 16a57d93c72e87e8dd5a1680e4e8c52779b91976 Mon Sep 17 00:00:00 2001 
From: Luke Kysow <1034429+lkysow@users.noreply.github.com> Date: Wed, 26 May 2021 11:25:06 -0700 Subject: [PATCH 20/23] Consul ecs docs (#10288) * ECS docs --- website/content/docs/ecs/architecture.mdx | 45 ++ .../content/docs/ecs/get-started/install.mdx | 412 ++++++++++++++++++ .../docs/ecs/get-started/requirements.mdx | 22 + website/content/docs/ecs/index.mdx | 33 ++ website/data/docs-nav-data.json | 30 ++ website/public/img/consul-ecs-arch.png | Bin 0 -> 90967 bytes website/public/img/ecs-task-startup.png | Bin 0 -> 15140 bytes 7 files changed, 542 insertions(+) create mode 100644 website/content/docs/ecs/architecture.mdx create mode 100644 website/content/docs/ecs/get-started/install.mdx create mode 100644 website/content/docs/ecs/get-started/requirements.mdx create mode 100644 website/content/docs/ecs/index.mdx create mode 100644 website/public/img/consul-ecs-arch.png create mode 100644 website/public/img/ecs-task-startup.png diff --git a/website/content/docs/ecs/architecture.mdx b/website/content/docs/ecs/architecture.mdx new file mode 100644 index 0000000000..5c1e9cd592 --- /dev/null +++ b/website/content/docs/ecs/architecture.mdx 
@@ -0,0 +1,45 @@ +--- +layout: docs +page_title: Architecture - AWS ECS +description: >- + Architecture of Consul Service Mesh on AWS ECS (Elastic Container Service). +--- + +# Architecture + +![Consul on ECS Architecture](/img/consul-ecs-arch.png) + +As shown above there are two main components to the architecture. + +1. **Consul Server task:** Runs the Consul server. +1. **Application tasks:** Runs user application containers along with two helper containers: + 1. **Consul Client:** The Consul client container runs Consul. The Consul client communicates + with the Consul server and configures the Envoy proxy sidecar. This communication + is called _control plane_ communication. + 1. **Sidecar Proxy:** The sidecar proxy container runs [Envoy](https://envoyproxy.io/). All requests + to and from the application container(s) run through the sidecar proxy. This communication + is called _data plane_ communication. + +For more information about how Consul works in general, see Consul's [Architecture Overview](/docs/architecture). + +In addition to the long-running Consul Client and Sidecar Proxy containers, there +are also two initialization containers that run: + +1. `discover-servers`: This container runs at startup and uses the AWS API to determine the IP address of the Consul server task. +1. `mesh-init`: This container runs at startup and sets up initial configuration for Consul and Envoy. + +### Task Startup + +This diagram shows the timeline of a task starting up and all its containers: + +![Task Startup Timeline](/img/ecs-task-startup.png) + +- **T0:** ECS starts the task. The `discover-servers` container starts looking for the Consul server task’s IP. + It waits for the Consul server task to be running on ECS, looks up its IP and then writes the address to a file. + Then the container exits. +- **T1:** Both the `consul-client` and `mesh-init` containers start: + - `consul-client` starts up and uses the server IP to join the cluster. 
+ - `mesh-init` registers the service for this task and its sidecar proxy into Consul. It runs `consul connect envoy -bootstrap` to generate Envoy’s bootstrap JSON file and write it to a shared volume. After registration and bootstrapping, `mesh-init` exits. +- **T2:** The `sidecar-proxy` container starts. It runs Envoy by executing `envoy -c `. +- **T3:** The `sidecar-proxy` container is marked as healthy by ECS. It uses a health check that detects if its public listener port is open. At this time, the user’s application containers are started since all the Consul machinery is ready to service requests. +- **T4:** Consul marks the service as healthy by running the health checks specified in the task Terraform. The service will now receive traffic. At this time the only running containers are `consul-client`, `sidecar-proxy` and the user’s application container(s). diff --git a/website/content/docs/ecs/get-started/install.mdx b/website/content/docs/ecs/get-started/install.mdx new file mode 100644 index 0000000000..5766314d21 --- /dev/null +++ b/website/content/docs/ecs/get-started/install.mdx 
@@ -0,0 +1,412 @@ +--- +layout: docs +page_title: Install - AWS ECS +description: >- + Install Consul Service Mesh on AWS ECS (Elastic Container Service). +--- + +# Install + +Installing Consul on ECS is a multi-part process: + +1. [**Terraform:**](#terraform) Your tasks must be specified in Terraform using [`ecs_task_definition`](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_task_definition) + and [`ecs_service`](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_service) resources. +1. [**Consul Server:**](#consul-server) You must deploy the Consul server onto the cluster using the [`dev-server` module](https://registry.terraform.io/modules/hashicorp/consul/aws-ecs/latest/submodules/dev-server). +1. [**Task IAM Role:**](#task-iam-role) Modify task IAM role to add `ecs:ListTasks` and `ecs:DescribeTasks` permissions. +1. [**Task Module:**](#task-module) You can then take your `ecs_task_definition` resources and copy their configuration into a new [`mesh-task` module](https://registry.terraform.io/modules/hashicorp/consul/aws-ecs/latest/submodules/mesh-task) + resource that will add the necessary containers to the task definition. +1. [**Routing:**](#routing) With your tasks as part of the mesh, you must specify their upstream + services and change the URLs the tasks are using so that they're making requests + through the service mesh. +1. [**Bind Address:**](#bind-address) Now that all communication is flowing through the service mesh, + you should change the address your application is listening on to `127.0.0.1` + so that it only receives requests through the sidecar proxy. + +-> **NOTE:** This page assumes you're familiar with ECS. See [What is Amazon Elastic Container Service](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/Welcome.html) for more details. 
+ +## Terraform + +Your tasks must first be specified in Terraform using [`ecs_task_definition`](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_task_definition) +and [`ecs_service`](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_service) resources so that +they can later be converted to use the [`mesh-task` module](https://registry.terraform.io/modules/hashicorp/consul/aws-ecs/latest/submodules/mesh-task). + +For example, your tasks should be defined with Terraform similar to the following: + +```hcl +resource "aws_ecs_task_definition" "my_task" { + family = "my_task" + requires_compatibilities = ["FARGATE"] + network_mode = "awsvpc" + cpu = 256 + memory = 512 + execution_role_arn = "arn:aws:iam::111111111111:role/execution-role" + task_role_arn = "arn:aws:iam::111111111111:role/task-role" + container_definitions = jsonencode( + [{ + name = "example-client-app" + image = "docker.io/org/my_task:v0.0.1" + essential = true + portMappings = [ + { + containerPort = 9090 + hostPort = 9090 + protocol = "tcp" + } + ] + cpu = 0 + mountPoints = [] + volumesFrom = [] + }] + ) +} + +resource "aws_ecs_service" "my_task" { + name = "my_task" + cluster = "arn:aws:ecs:us-east-1:111111111111:cluster/my-cluster" + task_definition = aws_ecs_task_definition.my_task.arn + desired_count = 1 + network_configuration { + subnets = ["subnet-abc123"] + } + launch_type = "FARGATE" +} +``` + +## Consul Server + +With your tasks defined in Terraform, you're ready to run the Consul server +on ECS. + +-> **NOTE:** This is a development-only Consul server. It has no persistent +storage and so will lose any data when it restarts. This should only be +used for test workloads. In the future, we will support Consul servers +running in HashiCorp Cloud Platform and on EC2 VMs for production workloads. 
+ +In order to deploy the Consul server, use the `dev-server` module: + +```hcl +module "dev_consul_server" { + source = "hashicorp/consul/aws-ecs//modules/dev-server" + version = "" + + ecs_cluster_arn = var.ecs_cluster_arn + subnet_ids = var.subnet_ids + lb_vpc_id = var.vpc_id + load_balancer_enabled = true + lb_subnets = var.lb_subnet_ids + lb_ingress_rule_cidr_blocks = var.lb_ingress_rule_cidr_blocks + log_configuration = { + logDriver = "awslogs" + options = { + awslogs-group = aws_cloudwatch_log_group.log_group.name + awslogs-region = var.region + awslogs-stream-prefix = "consul-server" + } + } +} + +data "aws_security_group" "vpc_default" { + name = "default" + vpc_id = var.vpc_id +} + +resource "aws_security_group_rule" "ingress_from_server_alb_to_ecs" { + type = "ingress" + from_port = 8500 + to_port = 8500 + protocol = "tcp" + source_security_group_id = module.dev_consul_server.lb_security_group_id + security_group_id = data.aws_security_group.vpc_default.id +} + +output "consul_server_url" { + value = "http://${module.dev_consul_server.lb_dns_name}:8500" +} +``` + +-> **NOTE:** The documentation for all possible inputs can be found in the [module reference +docs](https://registry.terraform.io/modules/hashicorp/consul/aws-ecs/latest/submodules/dev-server?tab=inputs). + +The example code above will create a Consul server ECS task and Application Load +Balancer for the Consul UI. You can then use the output `consul_server_url` as +the URL to the Consul server. + +## Task IAM Role + +Your tasks must have an IAM role that allows them to list and describe +other tasks. This is required in order for the tasks to find the IP +address of the Consul server. + +The specific permissions needed are: + +1. `ecs:ListTasks` on resource `*`. +1. `ecs:DescribeTasks` on all tasks in this account and region. You can either + use `*` for simplicity or scope it to the region and account, e.g. 
`arn:aws:ecs:us-east-1:1111111111111:task/*` + +The IAM role's ARN will be passed into the `mesh-task` module in the next step +via the `task_role_arn` input. + +-> **NOTE:** There are two IAM roles needed by ECS Tasks: Execution roles and +Task roles. Here we are referring to the Task role, not the Execution role. +The Execution role is used by ECS itself whereas the Task role defines the +permissions for the containers running in the task. + +Terraform for creating the IAM role might look like: + +```hcl +data "aws_caller_identity" "this" {} + +resource "aws_iam_role" "this_task" { + name = "this_task" + assume_role_policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = "sts:AssumeRole" + Effect = "Allow" + Sid = "" + Principal = { + Service = "ecs-tasks.amazonaws.com" + } + }, + ] + }) + + inline_policy { + name = "this_task" + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Effect = "Allow" + Action = [ + "ecs:ListTasks", + ] + Resource = "*" + }, + { + Effect = "Allow" + Action = [ + "ecs:DescribeTasks" + ] + Resource = [ + "arn:aws:ecs:${var.region}:${data.aws_caller_identity.this.account_id}:task/*", + ] + } + ] + }) + } +} + +``` + +## Task Module + +In order to add the necessary sidecar containers for your task to join the mesh, +you must use the [`mesh-task` module](https://registry.terraform.io/modules/hashicorp/consul/aws-ecs/latest/submodules/mesh-task). + +The module will reference the same inputs as your old ECS task definition but it will +create a new version of the task definition with additional containers. 
+ +The `mesh-task` module is used as follows: + +```hcl +module "my_task" { + source = "hashicorp/consul/aws-ecs//modules/mesh-task" + version = "" + + family = "my_task" + execution_role_arn = "arn:aws:iam::111111111111:role/execution-role" + task_role_arn = "arn:aws:iam::111111111111:role/task-role" + container_definitions = [ + { + name = "example-client-app" + image = "docker.io/org/my_task:v0.0.1" + essential = true + portMappings = [ + { + containerPort = 9090 + hostPort = 9090 + protocol = "tcp" + } + ] + cpu = 0 + mountPoints = [] + volumesFrom = [] + } + ] + + port = "9090" + consul_server_service_name = module.dev_consul_server.ecs_service_name +} +``` + +All possible inputs are documented on the [module reference documentation](https://registry.terraform.io/modules/hashicorp/consul/aws-ecs/latest/submodules/mesh-tas?tab=inputs) +however there are some important inputs worth highlighting: + +- `family` is used as the [task definition family](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definition_parameters.html#family) + but it's also used as the name of the service that gets registered in Consul. +- `container_definitions` accepts an array of [container definitions](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definition_parameters.html#container_definitions). + These are your application containers and this should be set to the same value as what you + were passing into the `container_definitions` key in the `aws_ecs_task_definition` resource + without the `jsonencode() function`. + + For example, if your original task definition looked like: + + ```hcl + resource "aws_ecs_task_definition" "my_task" { + ... + container_definitions = jsonencode( + [ + { + name = "example-client-app" + image = "docker.io/org/my_task:v0.0.1" + essential = true + ... 
+ }
+ ]
+ )
+ }
+ ```
+
+ Then you would remove the `jsonencode()` function and use the rest of the value
+ as the input for the `mesh-task` module:
+
+ ```hcl
+ module "my_task" {
+ source = "hashicorp/consul/aws-ecs//modules/mesh-task"
+ version = ""
+
+ ...
+ container_definitions = [
+ {
+ name = "example-client-app"
+ image = "docker.io/org/my_task:v0.0.1"
+ essential = true
+ ...
+ }
+ ]
+ }
+ ```
+
+- `port` is the port that your application listens on. This should be set to a
+ string, not an integer, i.e. `port = "9090"`, not `port = 9090`.
+- `consul_server_service_name` should be set to the name of the ECS service for
+ the Consul dev server. This is an output of the `dev-server` module so it
+ can be referenced, e.g. `consul_server_service_name = module.dev_consul_server.ecs_service_name`.
+
+The `mesh-task` module will create a new version of your task definition with the
+necessary sidecar containers added so you can delete your existing `aws_ecs_task_definition`
+resource.
+
+Your `aws_ecs_service` resource can remain unchanged except for the `task_definition`
+input which should reference the new module's output of the task definition's ARN:
+
+```hcl
+resource "aws_ecs_service" "my_task" {
+ ...
+ task_definition = module.my_task.task_definition_arn
+}
+```
+
+-> **NOTE:** If your tasks run in a public subnet, they must have `assign_public_ip = true`
+in their [`network_configuration`](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_service#network_configuration) block so that ECS can pull the Docker images.
+
+After running `terraform apply`, you should see your tasks registered in
+the Consul UI.
+
+## Routing
+
+Now that your tasks are registered in the mesh, you're able to use the service
+mesh to route between them.
+
+In order to make calls through the service mesh, you must configure the sidecar
+proxy to listen on a different port for each upstream service your application
+needs to call.
You then must modify your application to make requests to the sidecar
+proxy on that port.
+
+For example, say my application `web` wants to make calls to my other application
+`backend`.
+
+First, I must configure the `mesh-task` module's upstreams:
+
+```hcl
+module "web" {
+ family = "web"
+ upstreams = [
+ {
+ destination_name = "backend"
+ local_bind_port = 8080
+ }
+ ]
+}
+```
+
+I set the `destination_name` to the name of the upstream service (in this case `backend`),
+and I set `local_bind_port` to an unused port. This is the port that the sidecar proxy
+will listen on and any requests to this port will be forwarded over to the `destination_name`.
+This does not have to be the port that `backend` is listening on because the service mesh
+will handle routing the request to the right port.
+
+If you have multiple upstream services they'll each need to be listed here.
+
+Next, I must configure my application to make requests to `localhost:8080` when
+it wants to call the `backend` service.
+
+For example, if my service allows configuring the URL for `backend` via the
+`BACKEND_URL` environment variable, I would set:
+
+```hcl
+module "web" {
+ family = "web"
+ upstreams = [
+ {
+ destination_name = "backend"
+ local_bind_port = 8080
+ }
+ ]
+ environment = [
+ {
+ name = "BACKEND_URL"
+ value = "http://localhost:8080"
+ }
+ ]
+}
+```
+
+## Bind Address
+
+To ensure that your application only receives traffic through the service mesh,
+you must change the address that your application is listening on to only the loopback address
+(also known as `localhost`, `lo` and `127.0.0.1`)
+so that only the sidecar proxy running in the same task can make requests to it.
+
+If your application is listening on all interfaces, e.g. `0.0.0.0`, then other
+applications can call it directly, bypassing its sidecar proxy.
+
+Changing the listening address is specific to the language and framework you're
+using in your application.
Regardless of which language/framework you're using,
+it's a good practice to make the address configurable via environment variable.
+
+For example in Go, you would use:
+
+```go
+s := &http.Server{
+ Addr: "127.0.0.1:8080",
+ ...
+}
+log.Fatal(s.ListenAndServe())
+```
+
+In Django you'd use:
+
+```bash
+python manage.py runserver "127.0.0.1:8080"
+```
+
+## Next Steps
+
+- Now that your applications are running in the service mesh, read about
+ other [Service Mesh features](/docs/connect).
+- View the [Architecture](/docs/ecs/architecture) documentation to understand
+ what's going on under the hood.
diff --git a/website/content/docs/ecs/get-started/requirements.mdx b/website/content/docs/ecs/get-started/requirements.mdx
new file mode 100644
index 0000000000..eae69f257d
--- /dev/null
+++ b/website/content/docs/ecs/get-started/requirements.mdx
@@ -0,0 +1,22 @@
+---
+layout: docs
+page_title: Requirements - AWS ECS
+description: >-
+ Requirements for Consul Service Mesh on AWS ECS (Elastic Container Service).
+---
+
+# Requirements
+
+Currently, the following requirements must be met in order to install Consul on ECS:
+
+1. **Terraform:** The tasks that you want to add to the service mesh must first be modeled in Terraform.
+1. **Launch Type:** Only the Fargate launch type is currently supported.
+1. **Subnets:** ECS Tasks can run in private or public subnets. Tasks must have [network access](https://aws.amazon.com/premiumsupport/knowledge-center/ecs-pull-container-api-error-ecr/) to Amazon ECR to pull images.
+1. **Consul Servers:** Currently, Consul servers must run inside ECS on Fargate using the `dev-server` Terraform module. This is a development/testing only server that does not support persistent storage. In the future, we will support production-ready Consul servers running in HashiCorp Cloud Platform and on EC2 VMs.
+
+## Future Improvements
+
+- Support EC2 launch type.
+- Support production-ready Consul servers running outside of ECS in HashiCorp Cloud Platform or EC2.
+- Support Consul TLS, ACLs, and Gossip Encryption.
+- Support Consul service health checks.
diff --git a/website/content/docs/ecs/index.mdx b/website/content/docs/ecs/index.mdx
new file mode 100644
index 0000000000..e3518beb3e
--- /dev/null
+++ b/website/content/docs/ecs/index.mdx
@@ -0,0 +1,33 @@
+---
+layout: docs
+page_title: AWS ECS
+description: >-
+ Consul Service Mesh can be deployed on AWS ECS (Elastic Container Service).
+ This section documents the official installation of Consul on ECS.
+---
+
+# AWS ECS
+
+-> **Tech Preview:** This functionality is currently in Tech Preview and is
+not yet ready for production use.
+
+Consul can be deployed on [AWS ECS](https://aws.amazon.com/ecs/) (Elastic Container Service) using our official
+Terraform modules.
+
+![Consul on ECS Architecture](/img/consul-ecs-arch.png)
+
+## Service Mesh
+
+Using Consul on AWS ECS enables you to add your ECS tasks to the service mesh and
+take advantage of features such as zero-trust-security, intentions, observability,
+traffic policy, and more.
+
+## Example Installation
+
+See our [Example Installation](https://registry.terraform.io/modules/hashicorp/consul-ecs/aws/latest/examples/dev-server-fargate)
+to learn how to install Consul on an example ECS cluster along with example service mesh applications.
+
+## Install
+
+See our full [Install Guide](/docs/ecs/get-started/install) when you're ready to install Consul
+on an existing ECS cluster and add existing tasks to the service mesh.
diff --git a/website/data/docs-nav-data.json b/website/data/docs-nav-data.json
index 5f64d6c33d..acb9aafd0e 100644
--- a/website/data/docs-nav-data.json
+++ b/website/data/docs-nav-data.json
@@ -547,6 +547,36 @@
 }
 ]
 },
+ {
+ "title": "AWS ECS",
+ "routes": [
+ {
+ "title": "Overview",
+ "path": "ecs"
+ },
+ {
+ "title": "Get Started",
+ "routes": [
+ {
+ "title": "Example Installation",
+ "href": "https://registry.terraform.io/modules/hashicorp/consul-ecs/aws/latest/examples/dev-server-fargate"
+ },
+ {
+ "title": "Requirements",
+ "path": "ecs/get-started/requirements"
+ },
+ {
+ "title": "Install",
+ "path": "ecs/get-started/install"
+ }
+ ]
+ },
+ {
+ "title": "Architecture",
+ "path": "ecs/architecture"
+ }
+ ]
+ },
 {
 "title": "Network Infrastructure Automation",
 "routes": [
diff --git a/website/public/img/consul-ecs-arch.png b/website/public/img/consul-ecs-arch.png new file mode 100644 index 0000000000000000000000000000000000000000..8e6dc96ddec7b702bcb0d9e82d9d9c861a9bdfca GIT binary patch literal 90967 zcma&NXCPc{)HXUs4G|%XY|47 zZ7^fz49|PcdB1<(AMCd3wXU`HzHeb#8j7UEbi@DvfK*xOl{NrCi2W0flL#04YaldK z`sT<=PF)TF_!~`vGRMar<2Y$6z66vF({E!B!nM?N6*gg8S65f7t83rCf3I(78XKFy zUg@7+!eB6ad;6!Srx|&FewSCrrDU~qbQ@THTU7G>TMrJ3PX6K%JHOQ1KlIVj zJ2EnA-uC{E56RjFtZiswRm6>onwpo7PfyciRzF_;mBR9$F2}FmmZPgyoHDmZ7xw@4 z&m@{pd5O$cM4qi|G*}nAb;B3|0A_&lD>+^Fx!py5Czd8^0xh~U9=DFke?_ZjXbjYy zw8wu$&UTi=y)-El!sWG^C3Lhg5HwcE<*ySXs|!vT_` z19N^cVAdM>yg8TwD@S_~pu%{d9H65!?QLnc*h!xsAdoOIiNSP7d3*jIkeu=DRNZJA zH~x1(V9$iG4Tb@a*)e3Qlhe4;cFzfjLqx`Y*a+2i6UJ(ht>md+87OdO2jVeHhI;6J zJvh!_CX!vgr(WE}Z*5;J3O`Z|W#)&$bD<<8CR-B-0SZu{!&kiBV>T`F`rQquIe!0&Yb01?RRu#Yel9F3SMkS6D4_hb{9-7|$ArRD4I3h? zlkyh9j5S7Kp|;5dw=yaI%0~|md%ms-*NS4bVhv*^vttO*2zRl%Mh5>N(*06Zasw>J#nd)wr?gsnf_ekIGg#Wvs8F)pw=B zdGHHrUt;wPPwC%8U8c0=cVP8p#VJJ*Fsv`c16Pq>cf;9rW+xoAQqTjDd1lY>gI_Qa*fo z`uj}I<`tOsHdJ+CBnc7K;mzB=Z-^H@=e`~mC1A%U^WaG&gQxC9aqhnLd++k9I9PsD zS>c~WL5JG_6@`C$)wF$9IXKtB=ldugBoGd6I1|Y23fJFX8(0 z213kwPFy+c6NmR^pEm|4naE3)l;7Yc^mr1nD_$rDKA^38~jaM1hQ^Fyc zsT|oi(zjytr_*7GxD!0%n`$(s)yY?P7QD~dSf~-t^v?7K$Rmv80rJtFs$X#w-~O@J zI?tShRwncGL z3K#W-Q}`Vg4k;40XYVIIsW{Lg{=tLxIk>tlqC>aRILiVWkC@}*5)%P9Z<*=C_&`9Q z%pa~Km;Q9WoZdLx!$!D%*()rK9lW5#+-H=d*7wD`;=c`dpbTt{vbW}5wh@wiu;=QA z5mp?0s`?>zL|v=I)8tWC8OC1M&0{wZ1u48q|K;~f!St2PqKkq|h$P(0b?=N+5Xw6)ohJncFisR1AC^I5W9%fH>ORruE_tSwr^~>^iUXk(Q70AJK_K7ZNKc?8MyG( zz(4=`uIPK~Z?VAW*X zXk3Yji&4ZtMrH&*zV~GA)sdAE{e?Pt_3- z+RK)Yo*%b9<+_7I6m3o?ar*nWe&%9drHAd2L#@HDJ;qEz75^SMAvI>$*MALLt8aHl z@^eOSVvQ*0Qmpne5gfpbL+flh^>0Diq1NhrP_v!WU%fx8490bk1g_14H8y?!9yRGU=YHf@N z_mL=cYH^xn={)hI#O?Zh;&Pob{MH?^NYLypE!?@g-jRN}<0Z06x$zZR zHKp_Gu@3~ulu>IMrX<~U=~Jk5!vP%(eZ@BOWGAvA#biwxUf%Lk5pOTLF0T_pPxh@j zv!6$Td)&qld}oZ=H)UB*L*oOd9lbM9B z8(7e1K+q;h4y_axC~sjYEig?_m;2<@6Pd9GyCj`Dd7Yko*?9k{`u|T>9Yb_mULsn= 
z1MoVco!QpC)a*3UNxQgj4!)q1Cs`5(brWI7xbjIiB;FB8$LKk6@}SlI-jH{c3vkUjg%>2`~U0hD+GIge)7DXc4}*jIas8jw_FPc@$0i(4X3TAFAi}; zDD)%An)zaQu>;CV_eX5g@0#)%&OUgrX`nwRCxlgh7Lv z2Zn+bcI&)4mi=^S^nudIjL0wFL>kQvdJ;mHhCZw2J5-3zAknOk3T`HWz%&Yp)2;QA zHEbGXk$X#Dx4*pCY#pD+jKE6UlFs**l=;6f%s)f!mRLC#CtL17=z-*4WKH%hOuwD7 zf+l(qYu`WfN@iuw3oR%oV7 zly~>JR73;S%n1fFd%&Kfs5XF%=0c~JLN9Vd0D;A+(P+6}8?)I5vomS%kbUb9R~ZWN zK;-%R5N$Kvql49JMYlUrm+QA~o~h|rCR&9U7p63Yzp4PLtLwyVz@S;wdmBJ4I+-;jdkt_jE>3!VM z)LZ;qHugMPjraz{b+SEI^|?4eqC@9aO>;a3;MZd*p?m*C5%N#e)$SPC;eT-@;vkj8 zJ27T*6P5+wWc2?-l!$pnQky{mFnV`O#q09xe-kzw*7q76u%DtA=G#Uo#S zA3s?ll!zq#E`f#Xb0V--+gBdP+F^r>jE$v$!;`m}2?)t2K&7euOLPnQ57kaC6NjckK9ZiW%4JYuEzUxW!ZWZc2ki5?OX%hzw-(xxUt&70Zv!B7$h?Xi2934*bulvb*XC>;GsMk4zOYTG1%>;AA>EqCh|C!5%NtIf zuD^icTFUh|%J4`Z2#e{~IpoK_b=cksVTja%K((4)iM-Z*W7G zV6i)k0?+g8Y9FzpSjUtnoCe)$01I=GQOpFpTlSaZKCX!+RPr zt5F0*%zh9W@UXL>&U783g0E2&)0hssSe-g>DV5!(hYljt#1%s&=&=3`mus?reKz{4 zl~AnVv@iHo8Hiyn{XrK`kcNOZXG+f%lXnpg4xZz3-jS5k7lqP`42GToA(iVQiPV_^ zox;ST5!L^&QnIcRYx#snjwxf4yu!4>CiRu|b(%z~*wACWRJ?s_Y$-hCj%R}mZ+W=} zN`gbrszy&=r^0B2G=JWPWC{vaiM5uFl3tH}h2Z&;3(D2t*Lf` z*6=r^^1M9uyRB9&&xR5s3Z@oCc=*rqhkCjh<3Db7ZDhtG51e%gZqX}jl%SeqZO243Imv)3mt z%Hy`v9xn5rC9W!Te5xeo4wJqwF{syI|*@{(F!8V8i(PN)?U(^k)?9(L^de3C4_pPfomOe+i zpVbVS{5m_W4S(^;8-|Vd!`6*I2$QEvrVUtY91x%99OtJHyX0r3a>~~Yt)&zZS9}ea zs3EYze;nd|D&^#jkFis*@rKarD?=3pCSi(|xG`{;?S9mG{T5pKczcB+w*kX=^T=x! z08XGA%$d058UGj+REW&2lB?A!N`V!lOb>j@?h`2cz*j01G!sGVP%?Tf5|0- z?|-!S8jf8IH3B&+3e^C|8}04-t_35sonPEgOvk+Tggt{V$I_NpFu=DC=u`zzvAo}} zegC1%MES!o03P{L%qW7-ouusWk&io=U#nOm)tRK4@{51e*)5$pD6zf>jERalV41E! 
zK908}yY$k#e(qMiNY?H>eM^V#LL9AD8?(rVz5;gWp>Fc4^d4r5X{N=|M0knssu#5* zX5#~S+?7JmO@a=kDQ%}x`mYK8Dnf-~ESoQwn}-?fT{~%7tr`%_DDO#F3t8iD&6_Ge z6tI37Eoty(Bc%Egv8rdS=T_ZPI^z7FSqFYgh{4Gp9uFOmKkHvV8vLC(j+)O$j}W7{ zNC#SADduqa+D*kZOSZ)RJNgI;%q0_K4EgAyI4^b2rbYS&`yHw}Jj%>=6$i6Er_5iN z_p;$+rEPi-Lk)>>zYh5~R|9cy0+ZNlE;DQz<>QLkTdi0*RSQeYgGZa)ca2T2(GUr) zKGhYzQdzsgm@GC~z=}d&!kHkdy0s)S$YpFaq^z_w$;xHED>jpLqOK{obO}^9lB=LK z77y?GA`y4X2hGeu-^4e68dsmkYeTD~B~0n_@--W=#ao#>QCENSNN#mQ@5lG13mGyu zEVR<4v?w3l*rTW05P6USf1Mxx7wH~4s@RnN&Z@XY>_X49g_JhVSJ?5F`Im zBE}oSmP^J7USr>JTGLzjyW_@-ed)8^c(IL**6wbPoh6j|rYm+7JD!nB@xTWb)9qBD zLPr%HsuN5Bv8fYB=%(iwYD}9mxEg#BERgUPQci${APzB=nVYvgSYwd##`bk1WoV5H zI1)ww*Ef?}mG{sUlb!~OP*_$M)|m{J#DwcHV{IBAy~t>Invo*dl}pyn@!?TJ979bj zH`lf=MoN9yk_-(EO6((+_o=*zeWtojkZJLp%C6TrcSTCshMa<88OTl1um$76quk6N zF)?rHrIK)hlmp=S@})>g~ABU7RxT0${(D>*bI8?h0E-_$CPrmUo{kek=jr|z z?pBqR*MRylN43=X;D+i+b^M8#+cekEbzZ&P9p=XecBhZGC_h!6a1S%-V%DOE8PvVQ zotkv=CKF5_V8@`i)_NVN(7}sJZ${65^rjP6je5&!)z2_5T2l^EoTHu;6Z^iw3M5-; zM+_EI#q-HWU!|w(nzW)_R-*KX(~a^po<(C(e`6MI`ay~lul1*6GC|1iv%-CA3qj3v zgMycWZx%+e{hp~U^&rKN*ZTQsFTeU@+A+!;ykfBX|3~?+5{~9y0&wm{Vijdm#a}-S zWQ>8))S$)g$Ecp5EH>|~Vn<>ieR6dyTX<4Gz30UI{mHocu$_={LA7`{7ezzGR4#`* z#vRyqKs+%%SEx|uBLRj~5Yv6PicKB%7>}c?NGYy9GtEShN(OlR4XwdVoF4bZ57?a5 z_&n(u$vwkGd*p4-8%{F4X7NqY`}#kOp8;O0c=hH;;}rlW>U9x)X+#YO##xrF=rdMr z;8xLSA1mDoXz~7!@WXEjABH9TOx|-j3Ryo^a~m|jsegq2%$C=tueU*hi4)A z>whHX5Yp=(3L$e0!qOnkPT|`a;f{I)GY$=3D3fCyd#Rb z!ls$w{fU%Q?$<{?@7xIO=A9CEyCZJ+R;{$Hveg~-Y7paJNp2j4{p>_k@hIq~&WeVn9i%|6*-%t5=sph05Icusdo4}(Xvi{u#Y>M!=?eTtRiC)q zP7wda|K5M#lNeFDCzrQ&p863~*1!a`an;JKD*|su)y_Un7Cs~&bi=kitZ|$|M^e1Q zOFhd@?@ywihH_3pS_5JWPH)C}*v&XULzq5U?&%wig~s?h?BMPjFf!a~b+>~l2Yr@J zRevZo&_cKZE0#X+8To`A*Ri+7ja+1SRDYNBfhMTUhtjUSF?CH;>7$Q7!W)=~skh+`Y@p0TmM&z&0 z>1AJq1sD%Z{?A5m^a}e8gNQt20Zrp-U^>;IE3v&L4_ihiOxn}H&!9DD^V4+=xwIKz z!>v&kE}Qsq3nE?+?!7Jwf!-~Z#imt!a zN>#(RM?xf;C=XqYPL-Hz{NLk!eePpFK-voS`|MOwlhkBEtJRn}&W?kYDLkt73bmLD z3cem&l5j3!#(plsn+ep$r{}A$-GTC|?RrfSro*@98ljtKnm+2+#V@#Qj#2-M`n@rf 
z*zX(6ew5gbwN|$6Xz6n*^&nCjFU{M2{oZSzYnczkDvdIj<%*E`|H%I)=YBuRh{1X_ z|8c)Z8OG|sAb$LHZ5G?3<}oFfmt;olW$81+Wf%;JAl;L#raJii!d8|}s;?>Mh>x;4C-kG@~<6U#Ilb$&5_CA+yy zaVQiX;xsH35K?Q6=71_Lc>0c&9WgS_%CDoi$40S}yqOP(R_D)!L4(!r93v617(=8{ z*9&7R?h;udX284bI4{e^p2-2JV$1yxxL_UM7%HXRHTY&m43a1&iU0=>a8eHW5xf4l zSL#vBM{TbMK$ONMa@(5XXrS*eT_3u}@>r5k}obu|2%2qJ7F%;u?Qu zrOWf+gVud)Isy?%uP0Y4y?!Um_PTlaU-!pc;`=`GwK%dFzkie`-W4?FEacFXUm`PE zUVZstw}@O8@bEL!V1?{r+Nd+j>Zp{i`_L05=?B zv5q1Rh{fh&Wby6iU`EpY?BND0OY*?a>hVZ?^rPjZ!rXLb$E)i7tWCxVo+tc~NB$uI zVB3b_-;KnP(wgED#a7Xt$Xb_p&ZW0FzJ(}Ad5&}S@Yiyu*L?P@RbDk2Q*WN$hNkV# zcCil}HS8?g^a2{m)gZ(fQVTH;=$A5X8!Df8p2 z9!qAIfVqAs2}Y~#0?1{T%_%A+X+acugHiziKg`VizuF|s8!XSlxp3DW`M&eV-XYg+ z$n@G&&c+Gih<^v&o|VU4F3Y+@#Ra>?A0x%24UG0}V4D-fqJR5w3#ECU(`U>w_#T*# z!Ty{jnF)P&+ZronbmR|ibnVoqt^D``yOC z^RB}MA#M1>oLvx#6`21!Z?N*wQDW@&W;h{12_1^+ zEj#6j?Hdc;H5|On$03nw_?zxgyz+ljgg;n4wa_}^bGvIl*HPAC*f(WW@b$-d|GZo$ zh(JE#gx&rdKKS=fR_M&cKIYP4o5`;Bndm>2kW?)y30a!K?Cju zY{M!|5H6>zM_l+9SfjCaVI&Ix5-o_ST#FjXaDP0~;0zw|e$bPQ(Og&t6@j7M-rJx!=Q28!XnQ$BJllJa zij7cA9~bxFl*|psRES+{%18gnrV^6dpB=vVHl!?0Gw+8Hxp=#6U3q4efM99ns_9K@ zzX^H8lRUl6*A8`Au#8Wx8&uS`chJbSa<*;jZ#9*>&P?z86Iz=KNbjnA2LMUFyNoHs zQzkk8nG9^OTDR~y6!gm^Q&I8hJhQSybMLFdJ6yN4DR05ZhfDFud^hQZ#Fxj6&k-ez zI{I()J+w8euD@dlE*B^*V*cN~0M7$r4d9R&6r2GF$=R;*9=uY#Ve5AQyaub_x&rl~ z`U4ik;1NkXhzzwreCiB`JX=?DB>S^nqIK9w9Ee?!j^bg&7$o+rFH|u+wtSIIwu6J& zJ2o8~&4W8^=x{8(&URp^S|qqdjd8AJJQZd07m+(dsNDC;>_=y+Fo!?N@iU)=!E%eU zs~49w{1h3&b%Tz`yw;4#8F?(y(pfC9>kV%{jQsNs+}(#tR}ouJHM`JP+`^$ zgXx(S)&FBlU;fS68=SeqNQq4`yG3}&x0?>(l7>QE#JBXei|i^y?7mI<0=u|OlP{@1 zL**H-Nl8|Q^j_-Z<;ns4k)76!M()0 zp?YS}p6Na*Rs;ph4NELgc)wO2d$^u4Da0A(2OfYXgTh{-O=68v7XG?Aa5(C6z(m~O zmD;y#j=sB>qxZ3&K=$!-vIREvLd6hw-zU~}lt0I;svlc~?Y^Zs+qt-$$J)fF8Dntu zkMGT`D@}fUogIV3+@G+7JC4_End%qUzPc=P3?BpwL-$R0vxkshQ7G8|(SX`YSwF^m z*k;=@{gZ6EymZ-w4v6S8+(UTfQ~lQPc0r+VOuhbhL#n%*`G&*xWI?D){atAq*M37f z7kUd7B7=q>(g?SnJ@y6hb{qO%!8kSIZ~GMbfAy(_C))N!emf6LXxB5i$N!EooY1eu zTs}H+DCBVnb5l7Hyl#PPiLryP`zYfV7Cke^-!>WWTCRC^T%1Alx$ 
zn#VlKN2xJdW9yNgUb%R1Vk}v3u$wzPUhlzv4tjkCVq?w;1?N8hD?>| z6H*$YY;L^LHQy4S&Fw+U5 zR{DEp8PrhS!5Eo|-B00oCA?{R{?`O!5=37Ng`ds4t~yt9XM&XqR5zoq3P>dmpE)6JbH)f90o6a)%?aKnYkkZKSMgXcb_0v zz(Oy@Q{ga8Lt}qTXtY|dxVtUH^Bzqx9T!)tA2&qTbLAm}NEjXg7ULC95X-v^)OOalGTyL8&& zMK*iK*~y7c`OYtw|LLwEYO^1r++2{NKK*bpQri<5Hw>B=zd zz_Z=sdHp8H*pakEdV-%~f%wE_Yn9Z&jSYXC1)BAW=c6`)V0TN^z}8?H;bp7a$;!&$x_Ce zFec6TW5M;AC`C>@es!`DrPu3vz7yWeqzNAe^)S)#ItsP2cU&UN zw~0?5;p7>;Vmysz@gwxDekBX=Pr)|j*QPkz->{wgg%EfUWmhB3RW6%`yHv0{(Hdxe zATtoz$o|p>-(-)t-q{JC?oGMue@)+vIxmj}5Vs(duNY?%&OAmtVYQ9oIf3L674%8j zrGPqlN5&zK;tr*1H5HrYkdX3ieD8^6F|f)D?2kJWjOmB81mPAf7U2+glri4&Q#?@bD9V&Wjz;%Z5zZanD^ItHenA9 z{DtsvoQL1HEL0`9uzDjVtbEAkU_CcI&ha@>Fys4oj}sfLfXu{0+@L>cmxW<32bRbb z8!L4VziCSe?kOYF@2+4cF{lx zggKG@dwZ12j$N7(3lc!6Eo)RqhI1Og1Cq9XF)q<<-Xnocr-J_aZjJV+Ok9dK0~rjy zo7az3zxsH|p`X?h1;x0ZeEJ#nT1zaF>bDDB4-C6VFDna^ezGU3b~C!DvGXGaPj~_r zikbU(_2*3!I8`^N(?AU?Bdq1Qj`w*hKmbWHmDt)>^cUEX1}jcQh)ek|dMKFjjDX!m zT9)9ikn~Mx{L*ULfN@aj&@~FqUMb!m9Nqd+V}GfK%SAD@4d1pXAX1Nhp$zW3qidEZ zD#jVw$46V&QC`NlMQ}tW^uGQ%+?3m%;~6b`&@7Bhj~S0VnZEUMB-hqDNG;yW((}z$ z8?k{1*#EL_^q!RXMn-ymsZZzjHRAgE@-k`d1S#<|saI)ibQpCdryKAf3V120VX1I93TJwzNDpSvPKP724K~zne#c>6dFol|DH#jLL?%L0!@y1*uAmx~v zL-=$iNCqsWIYaACA0OX$nWpjw_5zC8tbFG&O!qtCQz5dAxa4%>xjpku8&)HNXDhzZ zHd;;L7?R2rA@PGQp;S*^V)y72r|i<43rIv`JeOc#hCREYa3cDqsg%QE#2-glM@vM-cO%5uGv%rpMH#`u6^5Nd+_9Nt!Dx4 zdvQhm3f;nldln6zGIdZ}TG7sXur+OAHvCaNXEzd~SvVc?BbHhQ^H+Rs0&bdydc@|> zZ(X)vHhiY|S{cuelI$_Yl1@`!YQA_8*l0x}b0k_y76&TxJZ-mgf#5Y%?NqVobeJ07 zRX>h-b=PiUl&A9|?2OFptvAyZPw zSH1K|_uOAht?(RV&I1zLn;9wQ>T!U$VOrk7mQ=^6zT|!8h$V zPH>%fU5t#DUf;%D2Jh75ZyFb7;+=Cld^@n*jYh}$-S z20-a4lHqr>2ccmMNZ^wrX6K43(nSlNQ3M)PJhy1rd`Ss3A# z{)lZg?{t5T{T6nqZ?(mj&@ROikSETC!`wBv!x`N9F6ft0cvvS=aau7Bl&~EmG`K*w z)p*vQ$&Tuy`*bWN-iyxa$ zF9#+^M~r_(!&%r}gt21QuJYNNl7&BHc~Q5zM@3CBm4Jf#WNP-`Yi(yl;uK#tZvEt6 zRO>0lh>29HHDYLdxJlOpvpT0bU`*4ml~>OK($*fhKq{O96BT!?u|OekU?O|SP7=01 zdzU>fS?YW_YNW<2_exOdl}yZRZR{HSh9>rXiw-0}ld+N!4&xkx%3 
z=Ahw&h0foznmgFVA=<&;`rG)Wrln-Dpr&Paf3@i5(cQ+8yW_5HMiFIv{Uv|4gNpq& z7oAS3;Q_Q7azyJaO!fLdUbX2ikHJifa_yOxH!I@P@QQLN0NQQS(IH1d^S_-TzV(?V zXU^~%xIEI$$PX3Z4AGEZtnxLkx*YjF*HV*zB{xmur2b{^fkPM|vE@a_V`{w}Yo1Pb z2A67f2v|?C^Xig+n{z8h{Knj86XM4JDx94R|ENvI;nB20(LWdHi(p2-V(Eg}8ng0w znPfa)@8Uigv(uH9Nh!D{@7<#(khw}r{rz3{cJbLJnYv|0Wo6nf`+k+f)>rva=Vgpx ze%O+i0*!FpadlP{@5e1ry{)0_P$4m)yc`z#cL+Y$w^d!gi#8hTD8eDpW>+EYJ)C3J z(z6Ex)mCWqBK}JG82^i+IYYpB?z1U)XykPSK_&^nUGwgV8lY|esBQ^rffm)%kC?LC zkRj7mG`vEk6A7zm_r|?&EdCKoJYk*iIF}758{T)7uTgiZ%Mk3pxFs9V5WosvUV1IN zSbTLy@*OE~**DWba0aa5x@(ek9RRRaJjXkmW=Rsp{is~*TdTQ#D3Th$wC?A+4g`cg zQ}GG=5TdyqiugNveZ1*D-J`5?S*;!AH@&`%oc=xhe4Po~1OW^^5ih@%_>(%8#QEC< zFBdB=#2Nsc1^={8FuQ$Fvn`lMYCOEGCBBu6UjC5WJx!SP8dz%1(B-#koI8+)(b3Y_x z%VT*}FLfX~JmaZqIOje{&-Lyu6F|1-XvuYK*MSS)z{*vPBe}M(9K#JMJ&r85#Lcfd zLpdOaYV2_V6H2Qz(x4RaRPv)yhdba%&_5$k>N?cSCuw4o2*7Q7?4W1$PF_LD86rF$ z>ot&$wE56TLNMpYCJ@SsXrw@)iP_{({t8OO|Bt{4}PMSYC?;r?MKg^C%Q}JusHndJ{2bdy4G=^UB83LsO zDl>cUTN@L)_*m_R{j;qCGvXyOzsoV3dbt?6L61Ma-p#RLN)N5GzY75FSZi|0@lK9b zu#fQ9;`L8+^8Cbl)$Ma?&UmLh+lydXe>(6&itTmWW5mzb0i=?>DfaZ zts$bnM0Sa^FMNPC9nIViTYJA02Ck-ig5cq_Q)9J#uO&h~x%BSK`s_PEi3{oH^V1Wi z^_AGffh5uPg=x-Pe;!ILR_%?}lcuGRMQGM$_Xy36@Vj+y1^k@bj>b{?-Imk8`>YgX z%QFOsK`O?AULy$sKXv@iXZl)HPL6d0+kDb-s6XxKFT6YRS58&(pl6w`WdiuQFi3bG zUq%PXr<}hyF<9%wI&|;DG{1_r&TPDNGa5BS|%%f~Cy)GOx1B>WrOLgq@UN&$M zkbHf@TrhC0wJiUw>n#XgB>VPEw*?gG?$yLs2O`s0c-n1 z;!_yzK#u?y@<6i&kk%Zb2YMOK^h`zD2;^Cyh?~pi-y+jqDa5O-$O=IHUC+!vc>-rk z;9OvKfmp!Z$J{*!JK}WH`>zc^J||)D`-Ia_p;R-09$6AGH*JqWReR68wdaKkph~bo z)p<05>;l>ar$Pw3VAW9Z#qawnjTF?ArDVU@>zLGQc!6&51~--+re2GM!;93 zC>9hA#kqZrFH`PbaX3R5iT(D_WM&K?3YY5rvvO_4v_|xgQwt;OulG6)hgn~->a}`i|8b!%V%HzQwQJhRwSCgAn{{zj9!M-gFrB%bhYTgYD-*ei zlFR|#0e~jTM|HQ&;hEwdd5Sw3Lk|-}p{-M$fTlN zbrX>1dS;FZU8b6PQmw$v^e)40Nih%0;ttGmfvmpp!T z0!1MLLQKz6f;DFuuN;mm!5TaHcloG>z9-$ud?y&N8^1?FP4V7cwy6dfd)%GQxF-UQ z#l_(n4__3B6T}f9A(WQ3d*~H_SQ}a$r{bI9$-fr|=`!7ohgNs|eqA%2hx-c*oJ{*( zzjqTJMQWy@9=!1v0@;~=cqyI@xK14raP!25U 
zOIr3Xv!D89fl0t_puSiZ1N>eB?briE>=q&*!2;z=gN=}yB7+tg7#kKlS`UYhhHxG{Ot)Llj;hEMlG)E`joi2lJ89SvT5HXcTI5=ba@s;RQh4f5n)_OOR3=stRBB2uYY$wmDQc1CEJ3SFW!aU!(nh$4hZw$a(*K zY3avp03Q zdotYN_Uj0s)ry&#v#K}|ZALTTQ-ub$eoC!#*jnqn#Pb_(G(L8~y~JziV2bgP#ZPL> zd3{s@yVh7wed`NuN>XO&;PkVzHqx^$91*kA0AaSDKC1m*fTPudiH5=43NLfYvhL!L zH|2J%UI{LRLx*K=(fx8Dxpv^MpR-r%R_OXTKbo|DH&~I zl1MTL>E*Qg^tLOcAM;q(> ztJ_>1|9qg$_#we?DB$>F|8-GtSwiS+0G8x{7A%vUc12D`eLG}Z{(ypx!oYgKo^B{^KW0n4Mxbt?;1Aqp+n|i~`vV^rG zTQQwNF*yoid6nN*jc-xug14ttZN`RO^hxu@b#D2RPxg&r(cg*W`2vVTAActkMC!M5 z-Gq;7>7lxtxTp1)YGxlw0N`~KHlSppjRge*tdFmXVIGRDXjM01x;(Ct)HL`77gVSs zYDDoyZ$Yn2XdK=H&v-z(ks2oqyP-0Ql=xtsh}lzs(y*&JFg07olUIG{d+cw+-`nVc zAD0a?S=tB`FV;iwYY9{hK`Y$@b`2g^zziPy={8XgQ`qQ^%k8cO1!x za?E;H<8Wt;L844hGdHk z-NXK$IImkZ5db6(u)e-};3iDtj{XS;J1YikUPh*HZh75gu`x;VR7nn>{8%$*S3@^! zpD6J+gZXv<{OgX)KM{Ga&&=o@Vs;9GewmcZh?n;%1T+BKJ(6+7t1iQsJo@W{$i`(3 zE*rnv$vruiu=*w^0MSFF`9t6`?Rj%c-o6$yv`S-(0{R@U=u-A2KDzc7hA#nRHSOEX;y(A?B3GEPNDNaL zlyUGLbw0|%B5<+P_{o%SHz0NmUv`=CJ4o*6a#O(<4LGjjS>2eD{&NySaEE7c^gE|M zDyhs<_jR}SJTdlCxQExTPrxn=xIt-cbN#{Uw}i)sn2V+XqE#f#v`e5bHV$R z_6;s3^^rfX)0sjT7Y{sDLhhYrqrNGR-z^tzG1^oTW8!gBj4L^5Wb$M?*7yA>rkIAu zen;bii$o6Ddq;JP79+P0F=PGDVS`mCD5%qTQP58 z>nH82;Q9Y|F94Gv(WNN3r_Yy>^JVjIl$K{fMR~yY9=?1~(|dHWvYEH7Z`^Leqn4ak zyj;rp#F8d_!=^-j4A80_iKrtI3cS}j9x3-I!iQk1<+yEGFsCeW(AHQMFr*pnvN-zt zTeR(~eKr0nud0l0y{B@LILp;#mZjhS)tk?m9QRKDaHXPPl!Xe>dsdt2g4Vs9`|!4= z&CH^>7D~WoufJyV`c%la39LA~d;fU%cA4>K;F~`{p_3CD9OlVGwxMCSFA-Im_~C36 z^S~HtQ+&TdphKM{j4U6R;IoTU4l;HVwq+-?w`ih~mR-W!H_$pp$^5%Pq#-k=L^|rN zE?~{8U}$QZ)d3xc`}q11R7h{0lMmfEG$IV6_WxL*yGYGC7Lq%pUP=36{a)~&s?Bv0 z-ur@^FbH8=V|;{!Oq&?2`9*ACXg~d4BpJoJI~WK+2%_3eE-%UC@cWT7xW}q^8P7M2P!w+usZ|4yExbP8l`W^% z&3X#Bx^Gj6LSe_tNOLf zPAg07rxb`9059OUoFkMRySs5JcV|}_82e{&Z7s3~Pxd8RY9<2%(9LQV1-9H^A#g(R z;(~~-&!|*#q|?U@*k*IBdhC$962;cw>;C}RMY>Gkh|7EtPjt6jhj`^ULu$@Sqec-z z^P0zW>O1E)>FI(cdiIUNpGOsBxjfNFqh7bd!RAd937~T@sFkng{;0H z|DLdoJOUg}C^7LtKtyk|B<9Y_j|e(Zf%WY#Isrtqy?lpcK)La_A9mMC~q`XB0U9+@p;b+ivH?O6LR_qJ9Pu3z=(%Cvx-^+xtbgaW^o 
z3zOFb_3vN_x@!E!@3pdhCm@Iaho-NLi|YHnzB6=5D}p#QNDC<4UDBWk0*Ztvpa@9L z&>$UxgtU~D(m9k80z)?p(%m&M@yz%4dH!$a<=k`kIcM*E_g-u5|E60fFn~^(Rs?h=Vj5*+#h0!w*%}sWls-CuyQzJI;=jH0`hc7XTgsP=r zAM$6*=hWVsEN@929Ha@y<)9My+u82#>5ph7S$*h4SfOY8YMJbo{2WEn{m+NOLcd<$ z*JLx2RGCNKh^Xe*DpBtWZausfBu*o~es!hfUCYn+pe{k#P;iOlXItRzVDJgFN=@w+ z`unWU;&XdnCl@86Hw0`Kna&qUgAUlkm1ljvD0)H1{zfs)6 zOSsyzP7UJG0Ib{If04_xayGnq!%CdJy#8=jOT|{^jPxOPI_FskbbDd-&x$$si)h#; z#m=+PdiaZ5^B=!JHJ9~AwIZoJGzCJEeDg`I+5H>VWLw+rguOry8~O=j{M^b3^g@f{ zq<(x+b21Lf03rhr%$y3$YJEEiQj*-tIc(qBTvQ#-qSv!;U^qIxdjx zE8-fygL#400mh*61db9r@j>#kWBJwJ@-%17_ez^@)z#W$6!|Rq^f>zN#RQ8zokd5l zNlUVBtCE+I=~XnsOqb;fYCcevkIcL+pgwSSGMOCZ(~K1-aOu+Fqt7`aalJVZ@f z&Q_#;75cM_;BXHnLUkWbevnLM%<#?jwil29G0rp>U|a+wmQJB2|9wCR@Zbs|13mG? zNyf(F4*Dk|TZw`4d~bPd=T@ne+!|VfSTPx38eFV)O|t~3^jKc z6xCKs$`P^LM2v!dWoP?C(;BD9FGi338I+crc%w$#HOGOD>@&N1tCVjDBFoBz2nXH0 z%)rZL%eYtJLc6c1-($KLN3l(JALCH);{Uvhg%(zM#ZV5Sg$1qJ-o_^#Y;&a0Jf#ZM zZ!h7EuYr%Luk>zgwHwT22RQV7 zi8i)COIKN%&(VlGUr!7eBU$1!h|Cpccj0k+=$zXm&uEgY)-Tyju&jL}Z(DJ?1|1)x zRQy{NC;>c$ydutAMHak)(k3vX<#iR=wF^wiN}6zGs=p79S>$)WsUmp)8iAu) z#K+^-N=D5;i>QNwyeTdg#&P9BBf1D=ON+etNq>hO1kmPA%ees}Wgac@n&@)e?{9>+ z$f^(%6EKde6$TY(bBt&(rqnhnqDX|E$*!Jq40h}f-m)v&*D~lZY_VuA=m#a7%irX* zx$L`|P3Ail{wComos6J)FJ4;o3NJi5b+`E*`CQOYghR#n`$#R5Wd5v0Kuk zWglJjUgRuv74S z$$PJQ=iMH5UiSAsd)W0-PLA+(F4Oj2d%GR01qdtcb>Ns;P&PqfhU;SpdW}9>{)ih# zFt;nbt}zNy5BF5oHbeh#!9VRtX^|H8QmwcIii;nV(l|EsO+Dn`t^mI#0& zKGQ)5y8WBvZMX2`e7Oe?+Y?$;jdY{;y9q+IpPkXi_$oLq(ooWNHc&U+PX}#kDUp1v?TgB3T+onsXu9XQubS9p>Kc6)7itf+qVjwCJ1 z<n7l!@fd+;lR66{F2pnIneo#NDqCpD| z&9B`9h9MpFspa{@O*_8%BZ?mDyt*6k^D_iO26TZ}t;~x(VSUalmHD8p&IaK;0SvK2ajY>uzPMu30!M{%N?ZDef+tlrQlr?hPSL^l@yqw`C3u)blaWE z^UFW?hawrbJ8$SBJAYKUG+j;*0{B{9@}WCt$V`R*npwF3`9OpG`%q~{z5$^NB)$Mp zCo_k=LHfK4JH@|`#%?*t@-F`(iK%TKq>5IdyqE$I-px+ylsMz-LNuhWwOnUEi{vIn zKelcn2H5q?ogt--Zmvlr=CkL%-}kEr|K(iQ>+yGpj}i}Xcs`5zS~+)9$qE#uZ^JOV zr%rHJ7YFqbB<_a{fAwS%yxc-enDUl`P3;=Q2P0s&amw)x_Rr!X*IhFiY^(CQRqwn( 
zMa_yb@>V;Sw?j&mwC-0x{qfDAFQ)Ee7hYf{eA8efu1F3y-Um+%bbfuWnE`{}Jp4iJ zJfVyBHpzYzOX`TM8TdRcB4*{unt9-`0AdS$PsZIXTCovCkFgH&uMhjE5M}ll2r)7S z8QVp*_*F0hmP2MvJPwp4_=1p46+dvV0F0WwQ$i;H#s;2{{&Xvr&^SysgA%X^KFe#* zprt9YIw4nHA-v8mXcm3&TyvyBUJ>%<(NB9Q#-@(o^&;M~+Eus_R(($_Z!(mhe+-r9vhR-BHRe?~VI1HA_N%HuE31*VXn+Q{Tc@5fJt$VTT z+iEpz5mi!+8jgQY*9hd+^-q0U7}dDIiDiZV+bPpiCi;*>+QdsK5|Gdy(@iK~w$dt2 zslyCrJD1m$@uD8Rch+?ZG{pKuw&n_7oS5In-JiI8&9KJ@4!>-7PsYY%leglDQ#**r z1E+ygH+w*qULZmI%G&BFzWe<0T@O@97CS+-rs)) zxuH^~)XA9g)fVF9okBTirNEV%A4_2QVBte7$bC1z;=cE$PBBf*s~em$iTH17NuPm- zE+V^n17Y9G_e*2_MT9fq7gaVJaZ@BpbiN-?<)aP9W&#hMC=k?p;Z8-%=F&&3Rhr;5 zb|;G+^!t?uPMp(Lb)bM(2}Q@>e|l@~T+CQB$bL!; zjB+G_RUTNHER6EcW2(?K5`0l2RZ}1M6K=I{HRn`0b{@^GOw!l8J|cz{X18cVT8r9W zxvcy6xZ#-1*b2)!7EbvjNoo3Z!8Y!g$U4MTuWIjUfjl%QoSaYx`75dcI*p9S5CLhg z4Y2R56*`T!Rrkz0oBV^nuR(4rDqn(VZa)mi9N!+n|Il0+1pI)H401YPz?FnVh+ajd zaQ`z!n$^JWAxhx5oG~;oL!|*XdCp-(bWLPXU17tc!$G`gAUQt~-1k`0-je91wd}D#_LB$LHcpXvLs}!lRu7`8HthDBM{XqQ-dH|H z(#^8v10!Xu`~NOg7P@BtUqid&lxfdYRQFMoZQ9HSvU>vn-V409>gV>K&P3^Mg2tzO zb4UN$RQ@96`W*Q_olqE%5{Z~tQkfiQpcl3xiX+i}(VFwwGzy@VqUCVs7uwMCby;H@q8UWTNCi zGq2w~3++ILxkQ7GZ5=R>3t>o*3pugBiUfaHzIM@`^_B324&)wpYOeZ3J z<=ZV-O^#xdY{n_WCZz7bgdrPo5zdYJw*j+gGaOIT(cA{gD>bE%hKkOa=%iko_M z8Yf5mtB+HRquDMwN9hk6c*T#$!peZCBi++}&Y3(JbNPBISHXaYPCN82ajOE0x1ybI z`x!mKgW$1_t1qN5UcCJ-4YSyk9Blc1-K>b{O^Y;t9?>q!=bapiz+X1o68+C;{5G)l|`x936ns?1!uE z6y^c=($>a_`@&H?PPt&q71)B(tP>a(^RKI(ASi)NPrAe>CZydu4mU`-ldHT!@RtLp zooO2-`cOzX(Me#Qgs4J0$hKdzT~lqV{jZT(8cd;Log>tSpCL%6GMeP-9sHGs=zac+ zg@wWH=asqO!=1HPl>ZrVCytotq@p+Ct8`PNOh07~u2_cypEG?nd;6O8ywr`o=`cMr zt+;>7QWx9b%3ua)Esnw@x`Rqlm0XvHAF$&opOo$schX2CCO~-rsj9TXCDtKVTvdoO zQyz8M2Tc}k0RxQ?fl^3!jIQZV53gwlh1-QN_<_^ z=s`!T@&XXmOiV)?)&%5!ajLmE+CgfW{>f)xWX$7?4wI*>O#uXUX7dWW9^jo&l=H3I zm<$jndmUSz>-8Iah<{3?k^(VwxOblH8n)zI%^bCm4!}-}$hJzA<}tnh-=^c11Bk-HDq^`A2CFEV3){qu_GnGWg?RK#OR*d(&x#5Vwy0s z->@?fM+>H*1v~!#mzFPEC_VUv=a_TxzdZBoz;PvM^U;o<#z{|Y?}QMdToX&RLH-9w zFbpyz`zZFs54WjwCSL>Y@Ht)k10)#-P2Jf1%q`63uih~UT4hpl)WOZ=-W*G91z+sF 
zG&a7fFqq(L!DlF8mEL+`wDuR@eakcWRlZy$_*FP%OBFu!a_`mY7;vuqy?4z5;167U zQ$f=PYABueir{|>T6=^?R=fP(^+(hWg!eocZQk_bNf(5WbO`fl=k4!m6Ll^lJz|nO zh=4<`fNC#I*`|*<@g%YQhTCydci~TUAfGaNdf}{;me$#Iiw8_prDS|{R#^2cz4vl z=hT!O&N8h2A}>s@9qxX%<9@wtcx_7tqcQfDm|TdC^p!LXWg_V$1h@{K8uM@68tyk) z9M#BC^wOy+Qz(=$L9psyD6elHZh$LnCe|Ncd}!1LVqYi*a;d+~1R2Oz?OvWgS0&ep z>PT=2AG2dJ%xe|m{>gh8-n4lxNz#!%4B4cS-HFrKk!zB*%xYSIQgUoUQ~qbTIz5&6 z@PNoJz7y-0zt&P0^SN;`Ktf{y>LohyEk_D<^5v^{m&vODw;p0}E$5=Y5$fwXB;uf& zXTj-RdyUGINA*U+!{z04cx;Q{fgO~iUW8XmyU#z&H9-d+imEt^QxX_$DRQX63nCju zXsTy$J|OqhQ{MNQr$b*Agk(#$LzwRtVc7WHK^=!G*z*=D^z**nq6u15WB;YTnB+;- z1RnVU%y?+-$_51AzsB?~)d@+K5h!<5|2v=v_xxgIE6e4F#Zgdmf`|o!3PJO;>IVJh zPoMRbq;GF$M-*v}tBZzA2Phj>FEHgOn)`mEjpDFp;eKtib$&UkN(y3KJQtV!nk8x_ z@Swp$>6Yopai>Rx?jlG35BIT053rL)c6`P}!*w`cKcQZmFHI}SjI*Bw$){^K8%icBIch63+lbd`R`O)89U-FHP>bta#3?xG1#Ukt1-0-Ro+VI3t6hexB zWcjfUM}W74Q%VmW4gT9-I>3zyb6zamUz$}VW9E{%OLMJ?UzOI6kfnmSH%~lmeWYtl zJoeG`Aj`iaO*mbG<+liA3BP;HqzmQ+gWStT)7+|QVU8PG(`9m4bo}6y#_&$&Cfl#q z6W_=-{r>bRqE@7d078CI3Burro2sNWhyjV#;?LXoWv8gc3`65YlSoyVYN_6+RJ6;^ zIh5JHwnRzZT$4pFy1r*5Xx`qR4r_ct6&BWchbT~~=93e5qU@x4t&9I`_K?{8~wjWRU>sEDu zr!58YV$e&-zP{~zGeCOqlmeBly`kK@iR3I*;?qY3_O*Gk9W|@!K-y{VP)yr^?pF{9 zIRUSNgo8c(`$9&%^n!T0Ui}td_Ef>mcxVsA)Kl2~P(ou102&-xySadjR!}F2)B}5! z9p5bHZVsS(`{7(-v=*yl_A?~z6PIsq1AB%+a`I|kpWm{8V33HlO97Dk2dts-JjWdJ zaB=kj-)ZCnTx(H^mN)4_)qx04;n=_FihEbp`lv5L_itMA?TKfzb-$ksKG#SgQ9s1_ z5wLv+8_Y@pFUiFMAmgI4D48} z^qilDGio`zGFEmjZ^1f5t-{Ed_a=%GqB(uo(rz96H+}S@KP()Y*6JGkmkO*sZ6s6z z?u}DOKzlqeB=eSdOFq$Cq_mAbT;y{m>R8v{3>e|eQ;EEpmpg(>8>uc&PyBF4kA%57S11AxYVCT(v3jj@`*?T#t$d|_M*VmW( zJX~L5p!(HaB)9#yHSF~PCne8r%%)Fz21n1i=Mhe@{6~st?!6;vjvBu)7$`Zqn zR?2*F_~oD2B)ofY_5(R>Icdn+HwNS zmNz}U^;d$pRL(t#(=aKPxZG6&-B{zCkuJzKDgkWx$H(Q?_2}2vlA@Lvk<#sC_)}6u zvf5c!YtUhOfneyNX25{YNGE!GUWWt!SoEMMmCm(tjkIRJLe20!Fw}AC9j2c`?q79qbbMXO_*e93;y9w8U)k+X zhu}Qe;L)`UiRr@|T&lSfnEwbbdG!Wg8AiM9{O59l*N|JfiSAEnQ_=L9$HJOeJ5aT! 
zrpb}~O}fL(OMaT;v2JE=v+CYJ+flZ}cPSIBPcA0TC0QYF66N0cX38poiozc_T^WLM z4M6cLT%e7F$#~yM=w#}E6*|y)D|xW`CnCpHeru6+f8AjQjY5vIz9Z_GjexwIOZ@b7 zo8T9#agjFmAE-K2t%vmL$2|M*@!Awo2GwYu+Ra``ow|0q>IH-u9A+b_nEt> z=^U>e8Y>cC;PgJ|xX&6i6&xGK7iGqXM$ujwh` z7QvN`V_h6I2eQ7QyCn)GUg;xi{I(yJvGXQCS@eeNJ$>0}L@Dz5RPcyAc9xZJ^*}Wp z2+b*HX$P(nnL@Q^7HWx?wR<%dAz+MxSwiFq}k|Pc-O@;dz$`$ zt}AVxP`!^0V_A7(97Ohuy)yn?q^u0?#wbVt7?%C@R9bck6KvZL#}JMysU+|Wt^56v z{#Q1>MaRi@6xs=|{tWs2!0XMLf1F79Yw4F56TR^*v=&~pli+e*fD`;1FTwXIM0`qI z!Ef|B_RpH&eC@y|_f9V#Ww!U2@%_qdBrNf9DeGh)nI{ANC4>srxJj+p_3pvHxNxOL zGJf|YXMfrMJm}^<`;6^J1qCHMGaVOEf0LZ(`|NIB@dSfplX;6rF z=PQb=a8^1a=4u(aQ&MpB^YS(&d}=Ei8|F7KG*n|QF&+G)gnQJiT(VdAM~<@RW< zk#W_?}CJ|&e%8iY7oBp+gKclsNgDqn(8^wo_)cx=)qh=c|++;-Zgq4`}0 zwSDc2kEK{4k%6y&iOhMWd-l{RhaU#6mYCavC5@VHswiMH_>MV|2?D{)U7DjVUuRlawEjD!ux28!0}krY{7=wbA%0 zi0#H$m$tK5OmVBq#t|!=05EP1w&GN^2}Q{de*}@mZFpf(k%t+&v{} zzT1sr?sCw)U^)bOlim-1;R9Nu6`4H+L<#$hOWl}K-T)|z8E@A13UIN^IwL*)1J-mo z@B@w{i8PL1^zX(TwC!B=R!yUtvu8)r&ZY@HMYfZ1?b;vD5q_FJ_>|EQ34#Rme^`J! 
z=NiV1IA)+x6Thm_9LSqljn#6JT4U2@MZ=)kk3RZt*iU#Xz2TFTKPgyU{O0roDgN!{ zJ`-;MtbDAxL#~v@`BV@HCHQ43GzH(>9ah4AyB;Dn_(f*cd2P0F$1sQ-1vFs}H72(}Ox5;$^k+uU zuVAYejWk<|Qe{JCKRJnDeVfz>?C}O(_mBRY;us#jPc9Lnwu$zm=65GjLPtJY^)VN3 z4LwZn3j1_oU@u1Gwmx8*D+Um=1(2RAN?}ssrrmnfNJNdrl1Ser*Wp9(Y%Od6t7sf# zit@I8iFbE^id1bJ&i8TZR>tK>0~Bn?nnIF*bzV^49{q|a7-!{eAG zw-x&9r9IX=7io{r33DK`p`(*--z{>>qH61+cc%TLD<@l%|q$3 zp^v!l01XPAhyUo=;LX?2{&w2?@FA;P0K&9>_P{7;mK>(&|A~F$)^(>>^ohJj93MaX zlIiKIKKN;43&R(+tW*LeHeCJn(NG`Um1Rkp!6}P}N6Mwq<$;x=Hqp)=l$ZKCcHgIE z;@Tu_t$eq_CVKvK6#3f1`B ztbYx8|CCrAF9+Sj!qr(fSGYb#yFsOp;U5y`99c&R;1ibG(MzaO!^fG31{_7oO0?=A z>0woyW@Ewj0W_23yF8Z;#v*rp%D{?*=ID0IGNA{-yA}&oJG)v_WY=YmLtdI6c7(RD z2c1IxQ6uSV3F$2s`)Ly3|z5IX))`JNxQX`{O>Vv7iNW<&7Cy$l{`&-gvph|U40tx6R5 zC^jjW=+edmlf7&B?ncP7Z3pyMM&Th%Q_Ick&4@D(`*~e?=nTJc7z%aZw8cM+D$`PR zB429tw2OKXfiGkl9o>_1zvW0$Cy{MI1s=W6E1|elKkvI&@x~y*tnC#A2C~W|Q`zdromdFHKNN@yj0-i;X+m zR}KN#bXiMCp>OW%(%mck6Q8pFqxdhfPjKNxpO8B|K9c7|cqYM84+++hK z-fl$aigVsvSll$EOFUW_-I#~&pBHb8Y=$*raeLM-9%V8Nu};3~_Z4V9hClg1k{H;C z!9fpy(Z3+m{=_vZ?%fw*^4yPyF-h>^ggn}%JIDeXntHcgVQ7R zzb2un0{TLul6Sd<0IAgsl+2qQl7FaOj3;CUefDHA*JL5?xZCU~ z$B8=ELRC{owO4bNSaNIxVmr%MoDErH4TF3yk^QCHv>1(|IEPg%0*&7OJnlnQP~da5 zJ9ubvVn7ay;(p~lf0I*Euus`2J@X;?Q?v}eGI=>d~o7(sLjYiyT`FIbA2~(ajotL z3h=*MtxwyrR47f&x1VrSlXWu-I8#>rX#}DuXPKo0Utr_CRkuBA$nURoDag9_cElrv z=lODp$!w*CuR?iT5wX(Pb#7uHK|xXFF2S91c8l=PNeej}?;$PS(1yS*>CeTA+-P}< zbcsQCUA0YWwdZ(MYI*y$(*_xla7)PAsbcd{1l1wDbNd(Mw{za;&@l%YJr=ZxAb;dpWyxTP0O4J+tF->Vf9W&x%?f>lw%6Z9h0OCUS@-RZY0PbK zbv%HK_hTX*qxbh1`xbDMUZ-Y^4*7Qi12d0EVh@$?5@~V~QoicGF=*-R97G>6l!NbD zl(~jK;r({%W?vI}W9f-+V`|1vzPE=L9Z5%QWxvz-q85>8$oe2sC1vNe;-4_#-sptS z($<3sB3#tl`a~Trlh;S-6lVg55&t6m;?OQDaE`xXR;F5MUZaLj$;Auf99F;&D&fL_ zxw>eCo*h}Qf<@oxy9H3!#@ z(~Ck6tbTPCwDiAI`Kp&;ydY3pG~3>ni$;2E+?pfxa1}uf8h@GOPo~BFmjT#If|3cX z9)=T#1P|v$qB+^pFk^}TCWKDVl7H_NtHAT!6H55Q%L-=YV%Mi_Sb)EEN|nfDS+9r^ zrOuqSV69DiNITpXqdlirIW$M1cc>VUD4u-UtK!V`Xk4=IRv7~B9PBJoi0`3FsAEgt zd@~fCJYl_m+1!ug8+mrDcKOzF{{Bs)kPlxDGWv+!NRu9%i`dS7ec7E%1yGZGf1v&f 
z71!A6Km}dz%XB-D6R^76^noM)aqrXw3rF$3+gP=qMgjoGnaPXl)*QRl(vF}TB=b-D zx?j`&fx1W2`{?<%D!oV8Ol2a=Z#G<1-4T9z6?$@JVwpeAvjiDW#s0T@i%%54Wr@CX zL%H5V@fuuZPRg^)){L-QDIgrjJt28&tonqo-N0SdVImmGZQ7>p6mFd5RkR1)jdV#z zddP!|LLHpdR&M$ zbvg%ze)Swed7${tQ-b33hc(AQVs>!&kw-}KFseA0i18F&!u=A|@o)`UK2RvbIJ}!3 z>+oYYN#yX?Xuo$1FJ5>C`p2^>BQ>(!$QS}d9i;D3_w4`)Ls1u&BGqhP(vu=ZMEa=7 z0R_@aLnPo~c$N~8GI9fYVL=kiQ* z9hn&7M|D- zduggDpHk6IO+&2NK*<<;O9_Pd+LvYTqCS-XG{F>MoU%QE2tOiNKG)Xj4-OpRAI*f*!pPLo zqj;s4M#Le6C%@=!K2-nJkIo?`5-%=}yQtP7I+;ca0y3CX(ig1nAOYlka4K$Gd-r}^ zQV@3Pvt0V(xkV!M-9@rnz{nD``Lg!_twi*~Y;;jr%HSeuxkSlg7d~&H`5Z6|Ac^Cg z2wF2x;>TN!Wx4z($RQCrh_bx_$hAF-DS^E816kw297r=Kty!kRJ&ob=@nsT9Hh{Sc zB@$qkVnd#R8Kf`;?mP|iFX8(~6Zpbi%$fR!5N%E>NOX5AxW4yg1i75e^^ViQH;>{;Jxp?K=RbU=B+QUN z6DacMVOWz*i7&`fRA3G%B1Q^A-BR|iDURECW)NiTNUA_>X%bW%pcIqTOl`F7HSJ6P zNa(0UZfDHGKQMF6=6Z!;t;HmFNc9(`{YR5r*+mAvbfhpNzA@{*+bu`;Ddr$uCSW#c z`CseVAIn|aKr>pE2{TO>AYm(8y$ki1W}ofeqC*EF1MPCeAFGN)a=qsaF*lVSkzx3_ z2(972nZd>!SFjL=)vF^WBh6F{je) zQJbgXPbgQX1p$TT)WZcd-PNlMQ0JM`qM2uuF~ke*z34MMTbleLp@J zsHt?s-DYmRxf%CHcvji8+M$t4#G|YUn!?w;Zr@4&lopJBPCFS5R&H6m-8ZM0Ss|^@ z^mmt<8R=I+E%H|NlQ)Z66*tFropRR4Va57$yC*Da-ht8oMalt7$k#!s>?u+i%gaGy z&bQ^d*tSO6bf!OkLcj~3zutk^>NK4FjxAeNbG$4~*k=>6z`zx$-cxLrp{$bHfNk}v zEgkqa8v#KZwdb7paNxX~*5Xzh6{y8{Zi27hsc85OryLYe@EE<`Ei15Q@sx-J!JnVk zFzkD^oD^C@Eiyza7ZGl6Izi}CD+m@Dd&I$?V5YhH5plGp@#*nSW){i%MtntSfe^rV zFE5pWW{MkkR+vDnAFq)hQk9yI*UriXg8+G>T~#O+AqYJo)ye=VzdbYPQhRfZ@{+Z2 zE$(?>a}d%vU^`ZMdCw6Dg#{;ohjvx&fD;-gsnpd`2Q|xIYWhWBG8s*&q(6+EK8JM+ zKaRqy{}C{vBFtrR$4`^3$c)HvGgap1itwL%juGhH7KJOE+XD%sj{cH@w&&#f5^!#O zXGn<%RqW4~Xk*+qMN&xD%{r;%H_3%t;?SV{@EQ`&bp%7xU)(0$6fsI5BXV~8-O&4} zoj2_{&Fb>6OZTX-Vi_qxQD#m-8xE~iuhS?!D8tU?)`ucpsdSZGYJp86D@w57m zmoxn6mhm@Vy)fDnqlU?-)<82$rxAf&6^5&kc#u$)qWOi%@^x+#?o7L>VG!L_CxzVX2P>ow211~gJE(y4C6z4>0O#?{|Ff8fh}vm^uJa3wXC70>~0QX zVAqWv5Fcagt5g&;(k#Hx#G6y>8=wZC6png5&&)w8ee9oTKdZ^9-;WeLgzEFtJg-${ z)+FNJxEuk)MA&d2DcLPNJP~tajzX$~v(1k04zp6(D{&PBp!?iOt@6 znPUA~7lx&tm?$C{vkhCHA2!#Lk4J#XvE$mh=NYlNv+;lVw8Hbp 
zJ!VuHhA(P%4eU~CJ;~0j7lnA@g(jH6maE8mY`Cs&mEL}I?s;b=`@Ze|rtD_#`ZjIb zJdK4kyulI}Ine6rpWSvnI4hgIcE2}pmORDgx0a*WQ=2d)=uGL&0#tYYgnZ6RIZfkx zn%%2qziy%M^w2E<HiK#nq~nEhzjB1?SQ(|p22*4u1cG~t zFEUPIB**FAS(l@bmOT6O8vY^QmcXsp`J1&W~S@Q`E_vi5Y@+Tt9m323A z>Y6^PNDG=ildrEfAbNTH8xhCHKbu^i(qGCz??OUqY&0VJv0fC9pL~dM^@D%D&1yBP zG$QsjhaZ3HNtS+yG4)sqn6U;~7*GJ3RyeW1D7xppHguRIwgk7&%OxGYiQnhHvgM{7 ztejiCBmX()dcR>_CTo-~uL;YO1jS56aFKt!$O+oTVNp>=W38udS=+RZDLp;Zoc509 zfvrI9_n)Vlb(vBxedGw59XB89%If#*Xc_i?|KazTyiw(+4C5%P0B70R@k0YP6Avsi z@bIEa+W=GJ^F>9TFTAg6;jn?v*`3mg?S$?ucb59a`qxPV0UWB-{$Ok7kRkGB zVZx)nWqvUQ)&ts*6o+kYZ+X7W&{b~;VEg+}3&M(QRdIPDQ5&Qd3f`V`?J>Pf7%^8Wqetz z8x1IadP;KQroP-E{Z6jtOB0isuf*_6*3|}3BCT=hazk7zUTIHt=Hxuq2mNbuo^BIV z8xvY?I6S?VV_>a9lF4Lu=j+FbF?{i2A8J9wzW}9J8yCgxSeg=f=?W5qjUF}^Ox9kX zdY!k9_)*CRL$fsr>BuJ4YUfql{wYmNVUT**y8+m@aX92i;CFXTlY&W|?>C|3<*9#N z8i#Z)2w+|Y!PEGeoHyqgv`?O%$ z*pL1JhhqNea=Ebcl@@~wM%-SU@SSzhrFAE~`I>8OwA6QaF3>UCWbbzcyMgPY9IsFw z53x7(RrD#QRd^YOVcp%yJl&r{-n9^5L8m-b-6B~x0D))8ob$YB;UDvr`YDQEx3Pt& zsi5s~7n6(x+u&w&y>ijBn-4%JjWv4_h~cV-j}I4J!a zE_`k;DBP;Xd>R>A)}@c=z+jLn*t>z)g&5q@KK+y5(>_?||KVO$f2VF%;h9emAO$~~ zq&;q8ulY#+`LT+}iCaxSgAekAN`gau=PRuR5-v4l|5n*iq`j&oxDj`zeL)ngXkQf~BNg6!gZo zWR6sPg;9KeJ{JrHswE6lb2-E> ztSNMrv|8h_zh>Gj^+PbtWTnlfHF#*yD!9DPwhW0%$K zxo6*fC(N_oev_YmRS1bAIuSV)f@1H*;jsITx~6RWxsG(GCE*0~`L`aX_U8n!@U*c@ zy;Ck3gnl8lr_W=VfvU=;bjk3%mI<*@{q%}G$5M_hB_j~8uaJ`^=#sI zAbc=yjI|i(i+0VhOvf{!f5gtPP(o@ zxiwi_gttjkMP(V&Rzk}@{7U@&yc3C}zmEs&IWrUT0F6sXpB18=k0e0|<>Gu&BF3ke zZz1i5Ow_YYu~jc|dq~`~ld8a9tXW|f#md@`z1<&sC4`$UixcE}OUQIz$RcZoG>

fzMrCcjTH(I99SHEBcd@xbqEfyVi-?^nlaUP zPaah6k}TjN5}*dZ+3_xvZoAv-7UHXF%mcCG)kM1e$}sDm+?-$pw4|0bzXU^ zF7@oldB%Tbm16H8Fi8gA-K!FYP!$V52<~##0)}ic_BcfJi)#$P8~l+?0&^6txEj8-IBsJ)7TLLEaBf6Q7A1a=154Ju`YK#sCwiXqn?&f)-vCP1{N+1cyPDL2BGzg^F=GdQ zdRxVXW0o2NKq`=u%29Ui&SaJGLd1ws==K!jIXUBbpq_Wp8d3&WSb&<{&s{}D6o5BP zgJNXoT<%7YS(7auN)qE-8~m8Pev1wtKrbb;(Ldg_44U255V4_Xa;@`_v-Oa}S#v;Q3ob)5z5ZWx z&^8UKTVSma32!11TA+1S>#3Y-8(YVuB|!1ByG|RruW&^B^xn0fh%2W4hd32Kqg&jH zyNCfwPH0ACKgXH1J7%~Z6m<>{jBrl7UN5Sv#1kK#{`$9Yn)<4;)uZb(Z_u{UoHhsL zyaj>y0h}3Nr^Jsq>wq_r-*j<3^K#9&_ocT;I?aESA|kyLL=*%9n9rd+v@g7|W-J>v z`?x%stzE+)Bhn9hRLl_%vZ(@}roDE?570v5$WXjw@*fz=4?duA;TL}1607*}49;{V zXpoZ7c8GTNWclGN!AUC{9`j!EVLnCtFgaZpOcaLJvl5^+Tm2`FTQ^14i-Q#xC>1km4IE&f8(X zl(qXk6V#TUDvbob)6!^ltitJD;;4iYpty56#fbg!T&{6B#WbH_7A{%@G3>?56sOiT zzxtB5S}}CrxYv*a10QO}JXZXs{2XryTZmlxr4egdprtz%JE9NyeEGO(Q-vj{VN!hk zj!V=8;WpL5Gxv$JGg~=u6M?Uc2`!79>AnKFcH6jld=V!biabmzQBuIClbQnWn&UmqN~jGlOWAc;GoE0?{&-EJ2$4(h!H1o#tLMtE%?IU02O;e~v3(kK$v zM7MYrD9b*}?HplZZgm}Rad(+?Ip`)fY`h@|0+=R1GkmpCG6iFl@@2~AT4~$PiFXGT zK3wNsq7AQ}=fwCIkMvwpR<}F8AbkM&6jBRJP-tp0VY%_sY!5*0?wYF;G-grID&Yy% zebY|u3a1R>AYwp<8P{I_z6#Y_e^kd6#Z=m{r(g&x{yWN!ez*o{&idZ&Sbq(_ygFQH zSHut4zV!LvEn&(e4?XAHv}h`jrvii%pt`RgO*H)<7U1USq?rc~KNYjz@T(O&)9R{y z%7!b8T79$&Fsp!JWXf$!y}&}!60L@m6W4)LF9t|>uer;K86LXJY82!hxIKEwD}O$^ zvd!BKvV=g(_Wm5&=Ae3Q4w;p;KmIhY-(}MQ$?)Jlt=sI>$?seTbHC7c@>*x6W0@4!KGW1|SZ!f&&T+bJbht z4FTrMhroWX(oWaie;E7IdKSRzz)6s2)i9Drkto3k9*+xb&1V}S>Da!qdGcqTg}lRW zQ1Lj4gj+d?T(8-~P!Gg>VdLRFc$F=^k6T)WLvQdla&76I^i6dUstL11OqxHOJ8(jP zV58R)ln#AFNbw;vI*(PuFJ1}s8h!AMV2*}BR7UB~FJHsGI4{i`Q0{UZabcNa zz=<1wNVNoZ4W-Z?5`j=eshb8J)^#XEnX-Lrn8Nq_*C6;guC@Pd6LvrPz-c@`s(sBP zOfx2hJf`8dx~b)6t^ok+9ZEdBT6lKgSL99W%|X%b_&g2K!#XhNO^z4a5GO+QzWqAa zl(FQ>7Na`y8V1R|LvPUc{PD4Rfykf)c$F25*G;0gbCemXBgt6H(IauPLu;NG(7svz zge|Q)ytF}5B$2MfZQ$uA>e%Bkl41z09}lfEG0H;ko4h4J@iwd8MLlU_6u}R63%#ay>X3>VaE}CC^>F9zi{vNs>aiuX z3R{!LcvHfz?nxNB+&=cB#P%*tx;I3*C%`qAw%<#f+9E*;09UV) zRVx*1S|4CC{Q+oT_3L>=G+c}0&kROSdJSmu}`ol>Uts{`c-=T5qASG 
zf@6c8=VqD(L+%29ABBdhzd?%s#&&!O9Tr4Z*tUh_^2E4o(XP}-RYQLN-E!x^WoIv~ zexFu)5fK5`66`R$ErpLn(m?j&DDj!iFY$22G=0&*69?J%m~9b2U0HkkjkvoeOCoxH zSOV8nh1*+=#`oS`gPoV;0&qc~>S+=dx0reNS1j8hxl~Q{PO7)w7E*H{g`yvywVunb z7Tllg4<4@1b>|VK-T+3$h|7beTc(|Vb?Vnw}m*~CMh#G{jYV;sl5FsI2 z)QA#o^&Y)NT_H*kNeDt%B2gnc(XwiEi^VEi?*0Dm*Z2JiNW|1{mEf1=pt$3qAm)Sg{)@8seyxzu8MkkAc9w6Dgg+MHljMQANk_QT6*6bZ zow~b7w&Wn$-|}TJP<;&fv$&B~u-cR(eIC6;^1^n7f^sORj>;fT3Sg8Nhm4I5cra=J z^zQMq5}ib@{frLymAE~DE9JEaEtgLe4~kZ;m5jf9U;-NaeUHh?V64{DjXs2 zAa5OjkPkvRc-^Zv!u5LPXuAIL-ZmHbjA7aXg&ofQmHRD28_t*|nN1=P#IN5?UZC@k zh_3=X=XOFz1_FR+SAzXiq@*3U&*z6ny_U!2@1_6C$8dhGoEpO;FCrxTeB}27^R942 zL@*gTZOQb$*lcKzaxS$YE}25KQMqhwEle>^H9fZpT^D(w%@yV!pzjjRg<@VyxBf*I zB^um94M1y@g$B>u-qD@?ICC>0i9GIa@(5NSvxH@1I?t5f`l?1Q6ONJGi7lh{C&(wD zaU+fBwAOC7xmo9jeD5N+v-Gb3Dwk*BWAtCh-allStYKh}d&rWc>~OnOm4gW&0>Jso zCKdpOL|lQM)fhL*HJCzBa}Br=+(j#urZ^e|-M=!tV1}t;(+ej)A8P6!Qtx}vyljBg zp;F26j{2ou6n*&Y5Hmo&q%Y7;+Q zdMeW-Yjtv==(&cFPd795gtH;B+@v5Ud3-@k`&{lUPzXMU7>xUZ+HnN(nCeN>FAH~U zuRH9n+KCWD1UYpI<>#MVgM)C+LVRTg{NW!6^h_(G5GM3~qI$tg{9@53Ws?Zx6c^FR zGZypQlcS9U zB8V`?tBG>V%L-0U=$fYaw-IE38g{%gyP26gW(a~EB}rDzQUj{%b)c0Bd5T%N9-K^Z z0yN^pPYdDabZ>6TxU!~h@2mD7Pqq|6vivbQ##B)|5K?~hw>{GwD9a?7(ivG3{yy_X z|9>(~zAK(7N`S*ADKznl zKq32`-=7ZeG7x+T-uI-}Jr7ubnFHp~M!A|>!(IjCmk^(IDpXtCXAS9pA)b}>$U-S# z5;ZVu3F8JtMyVZTSFYU55b`!>TQHoe)d~QsjWAndq*P8ol1*dm`G3#h);FFz-*6M4svJ%rSh~Pl8m=Z2 zTQ7BOUS3E6GX3_c32(T{Z}Cr~8(LTM_T)^T>j7fO=d!znJ3HGd!7@TEeXes*Y9r-b zl9X;E_}L^S@Cqer(A~7d^q*J4Yugz#6K4i%sv zJO7~U4{LVYp_3dZ8&e(AjY;?%cHu#{GYcSA1YzLsCUYioGQtT*?a_(gOJ>X0eNn3= zl$Hd-Qj3|< z=!h|is8KH!vqlc0l@4&BKHc(HchNjWF>?PnsO2@)+JG(}gRcGoRIWn19}p|XCzwTV z76Jq(|9Nz`M_v@+g_td0Jm$Q4RlCEZvn!YiE3;GSZo_muMGT1A3Wk)6>V#kS39M}Y z_W(>G-4sCUp*xSzv10nSIAQ$vr_NwcG;P%FgkOC9^`0O>yp#Qo{du@H5H3!c=@;pz z{#-bJU+!>Ll(94Rtyp&BMXfWviVJyE$|ao3j&*VZI69(4NkB7%~l>}%Fl+wsVVaQXi>Kzzgtv_o(S zg=^L&!bvPNmTwr&bVO>k&hQuZ%bMQLS2vX8_UYsg4`msg&P`C#1$puYXYJ~E@Goj$ z1~v9~v{vH=ur!|qZ8`A`uK4~-5Mgzuck{|h@54*czV1M5a5niYNB=x!0yjPdIuJQ$ 
zv>|1h+S7ZhcJa98aqsfVg)6YFTSj0V;#V@E)yJq{nkWi)x=Ul+@*kcn;*Ii+MZaHF z%}jG8x4AhK2l%3I`nmII0*fDTksi(9?ogV+g_nJq|3Ncf|+{FoaJ~= z%bZf>$Ml(FWrWf92;=WhUX94(4hj?|OW~j0RG#2ogdB#k8Lu=sbT-)Jt8oz_ns1uE zu2@M2$r$rF=#V?M1~+unjz4s;ydN=^)+zSYgHkkD!B)aYXcbe-yt*m*+-EmN9oQW! zZ}IqG*!JJ6Ae!Xu06DF#_1pf217jaDykh;-!)Mlp8(Q1j?oRbrj%>l)T}7~_2299B zsvbhR-mzvV;aVI@lvKLaf%6V!f1in;yq28hXKJWX_~J2%$zFGjM zGJ^(DG-~hNf*#a{-KRVn7fi}Y5i@Q2v12{G7xPe`=@?pI>K$L9T?DwR;BPZXI@tj2 zglye)TmVbMX|Ffd+rT%#l|Y?C&OT6&c0EJx%|V=StbkXUXRJ1LWLqE}aeYw)C?Baw zN>;k!2>RHL&rC#1qQFV`*l8UB520X*TTUt9`89HbUg%G#M+(uiutRrDkeLEzzvpht z^=m!c8vr(nNxsuY%3KSIlDZ_j1i7e|o%T9l2_@;fudEM+i%&-dZtg*)4-!CQj+9Xy zXv7j4-<8os616mA_!b`1ck|MQqlpj60kpBLiSRgUZfBJhs|fh)RuW5=FHJx3pj}3g zH%>9RB=7Dut1kHYTEyblFUsaYuuvRE5J~{{%>Wl8OK4+#oO!p~huw@7$yV%TDm?V7 zcf%gun=No<@n8-b@bZz@EZSjU=Gk=aAd9t<$8RFT+Ps1`9~*-Ml$jZDYF=j zT1WC-sgFq8%j?TaM@jNWTb%4b+0sPjZw~t8knaz8?$ncNNFv(m30_yyD6-m9kP!j8 zHtkqgM6kO@=t?oSe`&&ZJzyp;!RsD;bSs4Zy@TtG5%-U4(n7{p4C~95u#-yhG{u z-}B?I2hFee!q58n)p0k4M|$26+=aZ*PnrBB_v)Vt1iVZUr#oPvEH*ncZcCe}jNU(DtQ{bK11G;$tcU(i z{-(ot{8CH`$Si3eUWA27UN`4sEUwGu=Nt)28Vta5vWK|;J(BLjmxN2M16=*}<39sk zb9enIFkP|}^u%D_Qyd(9T+9s1Oq{$?ud5Z@GOm8QZ4Wr5-F6#+j`3CKsbnE<55M@J zYIX%Z|DdC4E|fy~RG|J~K_t|#PdFKmkI-gjn(j7pS}~TF7o8IM)WOu=9gOG-ev=lo zOvL9WYQKHQW@>{M6ndMjl{#vW`?X^Czs`u+3O%Y)YRhr3cL(&)MD_QJeWQB)E3|-& z`f?GNk6LXQ4-P9lEG|N88l0FCl9o>~L>q`!X75_end$zd1y7B=>YQT_W5mxsa{3}PqfebtF3qzPZqL}v$!Q886Laac*8jX}=CK;uHENqIVj@jU*mBvCvfvAlBzXq=UrC4H2i5Yav%*2 z96zG@PJ;-IVCLYsU>@?#<>i)LHguSkGfZp}BQ^x@N?%g^05SVRvD?nY&O7&lu{tR6 zG9XmrHb$2aG#QGei@?SZZRk&?QA-kbZn7r0+sA60GC)xRPge82NcV+y5O46&;iO#T zXkB8pM%@d&qYAD>_=_Wwa9w#Bnk!f+@UWxuI1hSPBdxWF#o3*_KLkI05NhDedzUs( zNQ)`=2T9Mi@l~1BiahVxh*S|~@k=;P^F%t__c#-dt6+J<2l1J6SjTQDO{vmbDTlM6 zP^r9;BjxIn7m@^qgW8&L*egOKBNT|WM?*R61I-WJQE-LJxk0qoM_@Zqb=`mBN|>zM ztv?GH(%0#L;Fkh~$eXa9dD{lOj7NdZb*@fn!VDciQfDQ_v*_)NA?wAb9Yx^Vix7XV zhZ~X^YCGwzGekZ6ug}$Db=DT`tM%Fso=qky{)WgCLdJjPcjJ<|nU!PSlIxmfhu{Mp zQN766m~!!ir^Ds-6^te+>eZ3F{|&ICNi<_7YvIUraB4fph2J6p6)6U&m{%^pwQkY6 
z;=6lS;e-iy_BiP86O|s%4fCCAE1OVWVI(>SPiM>CN*k4@$`Q;#${ERUT{iTL{_460 zM9;@ZM@*4S0Rzvgi%~`KohA{uN53B$F`wHP450W)sA>{X{>iK63O+2CAHr~7^l%jS zdoMhAxO)o*(q9|o5cwtar+G2_6;M6$UiMDG#FiR4rv^|Q0&($5!P{q*1@Q9b86JJ-4nqI^Nrg+Q(fOH zSf~mA_he0Cx4m-$$L;kVb*}d;;-9f;2-7#mJ!0QY zv1m?9LND+!S6zRuoR^8bu)kxH426;=GNpTPE8Rfpg7v*4{%fPe(FZsb&M2E}QA*2r zhn(S~#O3|D5fW!w?uU&3;Luq8UCi_7pb0R|O?z15br}scpcJr?KIKAAni}pKBy^ji z1VakEPt>4)AKe5=yS9~Ou)~^|_l^TPIf1>1|q@#^^@ zPT?d`W>+5{G{RRj{$7UnhrL}V-QcZ4Gi^DhFL|`0unw;5rW0P|)u9!FBe#rfpNpYQ zGoc0GUT|DgaIf*!twMDVUN-VFojXGZ6^D_V|4p@T{A@Mz^u~l$Bo?gEcCLnErLtfr zX1-J}lyxCuC*FPTGd^bsGJQ@ogwp!9rD{69JJ{&OidlO_JfR z!X{n+W%~5i71`)qe%<5UTjdNmG4;naqC_Df4}ZM%*6FIC?{<*zBPP&ut@yq`m3pe^ zHn&9!n>02Z_&o=E4_|C)uAoA-aWK=12r$bN;~%9Z374XAZA{;Dtjhg)TR0KTy#Sx+ z>0lh?OYb50U;7G^qy!PKpvV9{HIurYYCw7ZM@4EV%!f_yzgF5-FmLewJ^3~A$+*&m z*pd&>@YzuH#j^XzS+wj>MXW5!N)tORgAs&^Dk)_uu_8F9D2rhquOMF1po)P+!4TQ zjWq)rs`C2+P0_^P6lMfznz{M~%{Nq=BV$$_9|iH4nH0{&tnU`*SdYQQ90dbBdN)I7 z2j4C(QQNPbd2{E!47hVG9Zh4~@p1fYi`a!WFvD^s^WSxe?c_I+@JF8L{gt-=H86o) zaSZLHgvA3eUP|19%6L)=PZQi3AFY8#I}BD-71x4!ZuQ$cGCNevQY_bI@%ux-X(v7Z zVUHtwV$~nGWv932ltEEvmAt`*Y8URkR=aJ)Nq*@VM(~k!MA+imW!n%we~X4&f%>-S zmbDOri6dSyCOb+j=1i@aaWe7g%N#LM)Fe$?B11;t-W{7?Qs=Kq+f z9}4P!6P7z5N>d?Awo-zwBw6Z`^<0fUIM#rdttWQW>>SxR>gXBobrZrK5soiT<0cCa(=Tu4aE8UPi$okzHt)R-IkEUf zN_psKX5|Wsw&%nUO~%G1D44uAGG%3H!@qg|I;qJqKSX>vpS&59Ma-EwMEw^kKJ}So z12MR@#SjY}xMEqxpdEj<3_pe%1-C43zgS1YVf#+q=EO~KjN(=JBNWlEZ@@);s#e<2 zI@iTbkAsSTrm;8V^erC!Ep^0CM9l@G&=BiR3q#sjwAXw!(iREw;}&21asQhgRjS^| ztNqc7b<{daPr~!X`et?glr*$W^F#5E1qQ!}c}y22e%+l{B)qpgoiVce(Y}qw<5@0X z{U3HrZ0gCU^VH2phB(_L911HMhCRz7mw5)s`5LEZ?0$qZ>ZWm3b9-Jshij>(xZBh$bh05hsYbWi)=YA3h`F%B?z+qyq8@;`#$Y1#A+^DC-i66RM>&v)Q{s{kq)4>#l& zfUS6`)i(G;Hip3INOqg(T)ir!77)CKISa%OZD3iKOXX@mZ*9;_;p)2)#*7nA_{NS( zt80XsrKUllD#wSdoNTC$>K6fgk|@wuML0b>@S+FKgzgt@pIps7w>+K zK8Q}8FF99BeGI5}fqH)EZ|M^P1mcmls4F^+emCscRz?gZX7Pn&Wcv2zTh4Z7lJEjy zUM{OY;SpQ$kJEjqzbN$@^(C`h>ZK|Dc-wQD4#>!z$?@ymP6@Y@WQg+ome8qwE6!B5 
zB3qAgV@?DKUzxJSrL8l}oO6A$bUFrfMxLRs3(TVvy4b?;Dw+mA&k~LN>E!-T3$S;o zb9_`1IH`4KtEB?_bY`-IzK%ae;bgp_hUZc)DX8FAu`SyMkD2CpOKGABe&wbZjnHnUyPDA{Itw4-%=h=N=I#>O z>~8x;f|*>x4@J28=mtB{E5cOfM#k$10WyQ|Wfo~19|L(^PiKnk-!B1I2Y!#g`cS6S z_I$2LHo18u>w`jlV2}Gz{2UO>i&uR(2ef-De#4YlhKYKkoUYh5OKKU-vAVpmjaE@zzTd%Gc7>D$N z&52?Ud7#uT_lTw8I1>@;t551Jr3$<=4RsoBLxe3~)AuqSfNub8-29w!c|v2O(_wo8 zJwO&4`H|AnEL!U8jV#mHGm>~qr#q7mIxP-J%<1fKa{@V%Ayj7_q&-JV58KIbYsqSt zHNKzwFMlQtY8z&}R6gXF4ac*e_)>TDg`jfcHC58vFAQX?sw`OS4;=54cxIhou#o%E z`zQDQVSi+)6Vo%BnsL?c#>wsTdzVNRFa-r*;cKjmkDyrIS95Pm#TZFI&+^-jK}Ao} z%^A#dFnFX?TW2)s6~$Y5(UN7MN?C5chfDTt@1w#w5(KK~u5=L1a7G}9!LkN^KPF54 zTL3lm0?vW;V?AxtVSEy|9&7m4dofrnUCeLAP{32dPu%QsUV=j32y{tA`ew_;5TK^5 zj0>x`xDl%G2mM?p{k!KL^8T7ePi$i_t~1!}3zFRw*Ykmd#>(KwAhtkXV1rPE!;XD; z>v2E7jE*Mt!R^v|(kSMzKUWn4L2hRrbMU__e@Eu%@~Y?vMe*n7+8NgMZZVVfAeplP z4C%k{&cfG}YDHaBe+YpUG%<`4e)8{`%RfK%9kZuzx2JSDc&%zxPHCB~p0xZkQ|PG@ zH&BMIY*!^z17k22{x&zd!rLDH!u%||k&wFjDu1^W+A&IuYHuB>#oMJhQen0^7zVYU zyi$9CALyt|MniC5iv=!Uj6D9*mh2S`H<)3Fwx<9*u zu*Op>5GY`ox zU_cy5hIk9k8-$zfN^@7xZYlt5k!fp(`r8vvbx3ab445U>{;>5{+B8r(B_vgIJtXg0 zxuEHcC4)XM!pJ}3S)IE!X zPkck@t}*F~G0-l?k1@S<1W5%|W336vm8Yc>MDPf-K}Y?jwzIO1$SLZsd?KCCQ$(|$ z9IX*;k1!_sc+nHY8+#Ofb@500=E}g%z72YY?VV|<+_rPmQKEJ{PoVkO3XE@EHd^TE z2Cg2<7Oh&e5Fb!yA<&`AH-RD?fAdCWFlp+{6x_*>yrcCq~I{PI-%mav2j zzmTK+Pu69IeetU@@$SCH+qD|c0OFm$IB z>`VvH0~d?%m0`+mw*yeY37+7V?&Kpc=y33Ndd@@|@uXRpK@ja2k&?TfUaj(TFh^%P zwEO-;C)$sjh3#~^ce3{~fMO4x>$JD_-+5ZunYWBE>lP(_vpU1_4+byxKo%I(!SF7D zl|80cQ2=rpLH{~^c?}y%?|#o1!97BI8&b!Z`4gn5ELIK98Q2SXP((@n%F-!r;O?Tz zt=lKQjUVm;25|z+wd7IF{+Er*SA)I4@#POkd)hZ%)<7Wx-@SvU8vm^`A$& zkMrm2>^Clh^KEC+jLjc<)vzV}HvrFf$ORKri#pP!er6{*_eS-&9ySw2|F)SS4z&6J zw=?(m5_IUJN->$uX5G6e>yDfzD7Te5@@Gi<&^KR^&~}jnCJ=MKfz`c#VS=+A_eq0e z!r`jRrW{1}#RS9-!ay?!Kl2X!HJf}R-P%Idlb}&j+w5hm7XOz4?(wU2c!nBznW)OM z>mq=>%DerlxzhaR9lTDxxrt7Ht)zqs%B^<(%0eo^zSr^V<{5;KsW-5xVEvffk%K$$ zn-O?@$D=aqx@k{nDnQTT^16vZ=I5+T3Dvkl-6S%#ebBOSusC+7!I8+R-pw!>EZ=Sr 
zyj=4bZ?|YM*G32tNG|i8PYoXqyu4damK|*PSA*fZ__~wKBl6_K|{kPZ=3LKU3YIQk~ciLC?nZj zFD6`%j}8Y!(gOY6qQL_U`n<}`Gbuj*{-7I{FI^=0BZK+PmdLCgJ61YQWa%8$X=Lg& z%w`o4c9&+T?IgjD}=`ou*y5FSHXDvt%c}EdER4dCK3a zI73|;XFsiD*Z`)BvO2Tq)*iI6_?Txfk_Adl!&gHmQ3>WP-Hp?!ZSGMNTB(gQcBXvj zbaP9KZ;Rx9Z=^%d!>ods&K;0WR$YLUY}K^J4We)U9jsCADnq`(-z9ul0YJFh?SX_0 z)3xN#jn_!-qds2Wxu(6Xt%Li?p!s42G4agTJbMf6Qo}s^8OTPZx*u5agfNT-V(BK@8-c3`{i_0mg=SBw$fliO)NNbPJgslCUrq9W{>XI z%!weQW_yd6%=HUCC@yA1+hA>ycn;3PtbA~#fuo2R6L^#EJ3~0l`bG>~-T}nWYBwH4 zSF08qB#1_2wKnVGtiCv29`9-t5V!6zI~^%C6TK(QsmG87T958FA%;g1nfd~8>on7~ zTKjiUQ%lEByMmSVA3qf817!GQcZeDxGg=vzXhQfZa$&>qeHhMOHX2)^!RDh@!}Y2h zM9l|QP{sEdckz<+a5*jm>;!kN2afBE9>V2~1Ygj{A~69=BIHF8Bs% z`;j?Z4}tb-4*kSBZ&9F>D{$j7V*KRIyw^oklUkUYHyon2MVT*yUfkMZK16d_(w?OB z^lBQMul(!G77}=4v{bk4_NZhbAcfn8H-Xp^Mi5P51YIW*K@Q3@tF_u5~A*4giQH4s(D(D>%mkRVp;ck*%kJ@@)B^si6(uNP($ z+^;($+tU*=c!HNF1S(XSb5bfwQ%wd$ko|6B6Z^5ZOk-d|w}8W>QxKiMT+Kt5QJa}y zpLi_qc38h4K5h%5#vjX;U@ImSpR_k#NqIb}Oc`^BIw*61a+0XgP;(ADtdDLMA@w$7 zpqqB`xm^jncY_UnA4^OaWFsBVdLDpoT62%X~s zc~}=NMUQ)YfWGGND>{qDSfquw%^$iKM{Z9{{?|j#cplj+*arU{VC{Zz6En{e`!*UE z30L{&7RK1}UGqKHx91O{8_x8yc|9%p%2RgkZm7&waP<2bkE**TiP*jb2xPYRX9;ia zHe$}-xo&5L;}fsSjt3zVL%5Z~XZVFVM4s06MEVEZ+T|6n7{qM}bIoF;SMQT?x8pn3 zzTdA#V+mGltsuR79dXd6=&kr_Chrcjm4AZu9_$_q2BF^^ojdXsaY`#$t0nU{k zKh4+D%KnbC>}X2b`->W!x@6^QZh@yea{sw*xBSusTZP^jS}lwpSSV5%NEdorMrTE& z5#FhdfS1fKoATigBbbTfUn+@_Lf9=~vsWd>a*e90UtmH(U;Em{(IwlJ>2m0oKgr?B zhwjDzwMw^JNWKO87|v;R$=Ik>Y#B<(Bc0nf&Gy7$ZTT&uBe<4qDs3Cb1q;K(t%Wa0 zlAlQ_rJBUN(jF(^ZR} z#ydar)k}Tt;F@l9cdl~a;qat4`e;LiNyn ze}qJ$y6Lsi)sOQ$*2z|pU&)>27GkWBUrRysU`j12rYB|QpemC$i7cDV1u-7k z2ap`feO~BG{Y1wbvw8O23@1&c`Kjsf9s1JP9sS5~Z+XMfH;OZe;}_vM+B<|r^Y5RY z^;x}cw+^kdm&~&?7WK%mRuitR0RYBIy|7qBd0LxLD+h4&f8%&Xi8Q|G%nSBwv!gUu z(y-S`vVW!YPz&L9NwpLx%y4#v3&O$RyOu-TjjAVu?7w0O0Ew~iY7-Jt-Ue8eI*{zD+iaQ4*H75EBt?$DJiu^E9gumvDk_d?Db8 zCn(hHx`)yGw}Eyp<3NGGO=^slpr{|*?n8%>fAOM7!(7gv6)--2$-_^we<*H|4FvDw z@!d1=nQvr&bIs=y>CCCm+87m`cmnoCE@7DfoL9&g_8kOPQU8U9_cboPyx|h#vFriRbl-5RaQ(7HuC3} 
z>VaxVQ`NOWCL=_R0Hyt1e)GU1_{&r*<d)YWuJBJC8cGz#Vync!Kt9RUr{Pc- zQF+J(3G1sZNwL>YX<3IzJHuJFV~IXV90lAb_Hx7@uu0JKigpQUu{rx|6T0UH_h)PaXR92oY!REZ`tr@>QiP8Td-W=~sUePOv0!6dXdJ4l`spMMwK1=7D zFR?!v^0AfDIFP%+>_U}@%Vjhf|J}@^bT<#Ve~CnV9u^sz{n3NhSq+R8RiYr=lTv{Yv~j z-i!Pijd{&G8lmn#>Aer#&2_c(EPM}c9lD!nliwnapFDqAfr>ZOtZz~h%hMrb|NKw4 zlj=dfS?duV8DWqw9^0s`N84Mw;pp2sOi*)nehvu>C~?Y}Ay>g!q;F|*Ke~**DW08X zfpCR#IlzB(f1%=qfDc8qz;=biab==vkxW9#m@H`{A+9%Ky!HvTTH>s$ z4QF`ojS3$GP85HpyP0kcUNKJ#_s!)ezJ2Ok+rUX%>f065Poy?c0SLSxy1cG6 zKVs|~P8ZgXzUj}0xee43RI2UkY#rrAo*yLvpVQ?rbg<=N#K?i!p7jVgd@lO25k(U1 zCie-2)C5s?=)*@VBj{2wxXdN8<)K7!vos&j0a)R+0?UPagX ziA121&IiT&rhvc&zyw5JBxq}(P#6OT3y=w_eY;Ni%Z(Xd7W)gQJAYd24r?H*-masjsPJT;y>#kBbu6IeQ(h_qZu8SU;Cq%*NHSG`Mi6T^9(Be#{%M z#4Vflor(58*o4Fr!PYN0Yu;n4B85Xu4O0YkZa-kU5dnKB4rU3DJEmP!a2&6^D`>!A zGu|{`9r`K&Sb?4KN+ts5 zl`Mjc>Q1nCuE(3nFEwc{k~8|!QjAyu|JUG7IXd&EKeoHl?{IEO`?W6Jy^-S(- zK9Pq}+;z5>zkg29mY~=Y4F@qdYm(95_{57ct7Y{09^BGWQUFl-{alv>EKZNh&b~AL z%>3q~%&re>0*~(qJQ(H^3x){m(-6NbCj#^u{+o*VPp_RV6K_$PJR1KUa`zFj+?W?# zkaDzJmcGU#mC#4t7kUg3%%;Xt*4EfU#F&a%bp2VqA&!I|#{(!_mPswdXZABI0xJUN zuYr&ohCOIiS7L~Zv{_0dGH^UhA$hgFs>eC3Moo0GD!ERhg03SiWAxDd7j|=`E(a>! 
zVx+KJ&M5sUlr%sJLTd>u)p>(>K?-R>+PU=6$vZd3@Cc~JtH#QAbg4nrKaVr~1!nZ* z{=-Ua?AB{oc9Q6>UO#!nJ{}uP;-wts$ z`KWQNz&J-7n9ICECg)SDp*V&Y( zbM--lkobjdRN=$*&4)~Bwvp1xpO43zm}rHFSchIb_maDnlTB%79bOgs=dH<({U0pG z;g_ZlZn2mMMRYQ<>VAvy?9k)@B?SqI zzj#QyC;v2s_RRb62mkdl$0B;3%16Jfxa<~)Uh8k?Qaz7!ssA|RN&fI*&Fa-y5I%Sb znt;kV@JJ80iP^2v9OyvKOT-_|0kFN`l#tKGzs&6OTZw>w=P%-=z00&AotF;1$70Lc|;HFY( z5J8cRCi)Z@)Oh68-o@v$zH;2{|0Ep!BPbo!ER*J3M>6lzZ@@c@oeTLUhdj}58E62( z)^#e%B^!;dM*B>yBV9XvcANYk_&chf7V zp9wzcM@OmrPIwNPwAjPfpUv_#xi;-h<#yG7`$zI5e4_fq*%L(AgXf=T`G}4-AMM@LURuQw1^S&705O zzM7xk^`LwIPb%;$P9A}G9?NKR+Zqg(GXIjsO4$4Yt4L5!ZNcwPgqT7rk9p!Ks`$Tw z-J`;UNT()dDzP2Dap(`Bd*H9GvY1bEW#@A@EI`|5^@r~EeYG*7ea5RAbXGAfr(nNY zq*b|j^1=NS=e2?Q{j9E19L9dEKEW6wxGk|f7T$B!rdSv8_2yQkfF0m+=nkv+oI0!P z-t3$6-E@<-)*k)sR>YVqagXL4l%V(Z#O@$Qn#dd|LZrg-eeCl6jmPHJ%}(+=9^u`V z@PfYyU1%Cab1-k?$q~($!1#ICgVM)hhT09kAFGA}(=->4?div#MwntY?=?KJ6xPWj z6?@M$O?L5VM|I_Hqbg$r_AMc|hD5kguJ#{4v!cXrBj%W8BT!aDC|T=zq%EI-g8|9H z3+0ttg&53JHqx+7d`_^`g7=yo)05n!n!Uu2^248#_Y{Mc2xq|5A4X9?S5oP7>zY#6 ze)G&s#jX8-b6Uo+^uu|XOVM_`CQxO`cX)aipPCe-N!?84NMIT{v=JC#w1U_CD1vePoxkLUaXblgXrs z@%~-h8MbrzLyzoz5x^>eK_K%c8()c}ah(1;#+TndJZX3;u+RSydiXxpj<;N?Z}5G; z{>Jk*^~~gs1Rb^vR%StM0!?kAq}zxXOZCWYF?S-a1@gD=_(hJ2H~08#-#-e@|I-49 zmg;NZ=7}}1XS@lPh9pn1mv|{f!?#}~d9CCTZvGeBUSEfO#WQX3zKi(Kb~RL-)-L z4z5WWiKN2O8Zc6`9VaQ6yx_wvq zE(rE6td-LNs>D@4^g7rX(67_@BX2m2zufwu*dY9rRdia&qc|utW2EGy!z}=S9baWU zh$gUgV^NMlB$U+apeszyfbS*9=QBQ>uNjBv#xoBfIBmPh)VJU8^qwtfjuA!u7?dr1 zUs)H?O%&y)T4u;Q9IKf9=O%;QORR%$JS(Pg4teDJ@nX|6e|W&Yc`WtNaaKlM;~Gr% zTLxNcB6o{nX9eih4N@s}4sMagMRZ0e-BI7!LW~i0A0?tXe{IbS!V`iX5tAbeMu;y5 z$?G07nxdyxh%_Z@LWX zI>{$NdB(oUs9(aHum>%`Hf55Yv5Y)(pR7&4-arWMmD!T@@WqiP^xjOeRxtDg@x5sc zJ>^C#uBBM^N4;aSDa`YOjGstAtDefq=)4_ttt!j%-fcwz@6D|Eta1tY?5E3 zm}!s-7S7baCKq_j)43g-YtSH`j*#u+I}Lvw%>SMFc*p(?{>pG5XS}JB%gLU5bcZ2) zliAf)hf9e9m6`b0N-WE+8akHZhOVd6)=hd{VptS8o!`{u55+bUg6-UKp(ZTYbdIm@BPg2`;M& zOr*26AEG>cVWaRft3NOLNtUQj+MEbf2O*L?RwIbjq)l|@2@#p(wTyzdvfr}|!Zk)% 
z65`uF@o6PsiaRn4045IM+sn~^Z>8qA7n>{k=`NTY53ya&RcW}b9eF*7)(Km0FGv4@ zqW|I_^g2JX>u!1}X&u_(HY7s2{R*JJ$6;0SUE-}@>4PJ;bd>-# zF}^4t9VtyrSk1;HJ{(_*KCKi2iT3B;3iqgUAxy^_3<2e1%*4V8_SD+|;ERh_u~P+%WwG+h%)9P;OhKy*{hzjmfEDyF zcwk`5@uetS`i%34`yA1Q#=ktwn^Lp51O4i{yu5I*TlSTlKr?B5Iks_q@gqWr08Ebs zYG?HXVPJfx-1iKYu1BgWGD=0bn_4|tvxx&c>+Bb0*_KW`$kh&!$${MCdfdj;=rBG@{Mrj~IUKqkLO%0)Z{bm+)}RRXYk7z!QR5J3hVr8^NJO+~Fp! zWl9vqH*NXCV>nUeOI3Eq9bw?Tr1+`5fcr_#3>3`t$VY*zfj-lY&pi8x123m4-DO8m`&T-%p2yIk-`G#b^H(5*98w$kii+bAe%ABm< zL*Mi!_GeP=Nxm%L!{-7YALu?OXlT^bu zTo9FcV{=qqmu=urzWrWw=^Yp zn;P>9+@~CkR`MA2SJuZ#Lw;9gW8GEcF61p?`@88!qxV1&S06hFhideB>;;f=uiv z>M7&=v=>|E6!^l@G1pGZ8(jgtvEg%xoGBijHNQrcpfHXtQJoEcs*ZY2g`<%1u+-I-7*5|ygGH+xP${iR* ze=E$K?*hDRnbeCwm332^lOT#f-x zh$o*2b9;{fb=n&MzM-}obzdBuO`pYxyblSxoPwU;FCICNTw1o1K6%jDASE~MTDZ*| z;M_ilCaXrLKvFl}|9pX|(_Tk!16zIT#Fk7Oar*VFYQ7R^`kGLK3Ih*|2FV1SS3a5Mj6?^UxlPFadE#BM=!ig-rC&{$O(%#3LRX2GmxwEXL zMT}B$s*zL~hxcN!QX zD`8YPx=`gq1S@Sg1SqudGZvL%2ykfj%wL zZm0bl9S5%|DEywsZx%%*UUmXiq9|h7*G<1{YY1w6((bgc1RN-fViN4h?B=mN%J>M_ z|F|Iv8M#TMbYD@+ymlt*@AmL*&lEAi!n9{Z+TwjK@x7oMqhPVt!g*iV^hQGLjq$XE z_Xm!li2(fCcPw_DrbM+N=rX@sO#?-vSsq0dWDYi;T`r1T!ws2`-e`oC9*JFOR_BJ) zBcJSX!%$ zTwIl5ReNNtA~l>oEyxel&V81bwQ>lS=eZDcLbfIB`A;_K=PdIxkBT()?Zoo_Xp^!W zc6(0WNpxhK^jDj+VmVe3T$0!{JM#OC$N-UoOTSKH#Ak_#dfu5@D7z%`X9i9q3&2)U z(7XX|h=+8MUZ1 zt32s~nDMs{)=)kJL4v@O7TFe5qPcr$Dhp!v!;w!`_sO=ck*2G_$M{v)5k@l2m1%RZ zI~9O|TTQQU5eFdLX4O|ikNI;U8O|Ldhpu4IU$r%g2Dp0Sik%wSo6_Hd{Jt8M0^rWi z5G!1`&EfY4BlgW8;o85VeGpF}8&7`g=eZm>0-_L5r4m^4b^-t>u_=02wV-RvSy?s} zxy-|Ix|W069sC1l3rzcH!rmTR;P&I-n3m4Md155H0vP#-&y>F^$l;IA(U77T>w{d zrFCQja)q5bl#Ivitkh5bt2E%%eYU(MeqSfPuvKP6`1$BuGeHnwG?9&7Q{;zRn`)=24`bWt@2?`O&4v3evvhZ!X6@|7 z{{Bbw#VG#y$~W=c0G+aO6M)OFE9C)#XQ@No8ayGpJA(zM^O zyePR`@n3b0P(F5b;^dufPN<#_h@u3A^N}5-zhaAD_!*XEq3jlYn!CTUdGRH!VS4SZ zK;pn*j@Si_;7YL`cvAC@Z0_y+-D{KF&L8O21 zZ}|HBsYB6OQEf|AojYGDqgKcylyK7~$wQ$dptvn17AJz}127C5pv78uD?Hn86hJeF zIQ8ypdDD9qvko}FIQFaVogBrqpiquHGd9Qsm534}#v$+H3T#!H?8FZ|SOF#?UD&P_ 
z25^NihoVO(G^;S8pLFwtBxxg5iUuE56iZ6Rf6|rB(8KK)sBy{!gVC`iayIDL8DW^` zw*kSh)3Pb#J{JEe7Ni%Y?{VF6W^DHjnHFB6BsI(f3M-_Gy8qW^htp!zPenG&sm2%@ zr@_mJb$1L`qaQG~`cjG8QX*q3N7Vk#P2pWmm(Ku)?`+Z3k~%}668GwcOD4yv|Av-hvXSRFEtFM*ywrkjMOF9o zp{4%naq1sS#Mn$sRemJzwE|RlxvzX4-MhC`h?kEEna9Nz#(DCD_Ad+TmB`TuUFumD zkxgHwhxppVBV9s?lG&E$Z>i;{HpG3zS?(S}d?!fp-zy+}lPvx?)jJA#5*Ol+P4ZHL zp|~xO+wr1&x>-!g$6ygY_8Mn77`vMs+nt#zdXsqH`ifAnb_23?2z%qF*O$<&4-0fB zqTSQO4|~iv$-j8jFV1@6R{2_*pBkEA&%)@~oO z$Dm_78>#;-=;GdGoj>WxulJVAlQ&cYAkR(^qj>E_Po?+LrnOXZYfAU&s-A%?$1Q#x z8BZAtfkM&8H*dh0;5E3edpO` zqIr9(_P?OZi#w8%@_SzeMuZDN<&Gs!erNeDy0q^{%^Et$s0nO&_#@`roBdT97!u16 zQ9)*u_cHtxf~@ZdMH%r1@xUJfyFw!@G4HiIqGLsVhqR)1)`$HFCB!qcQjB= zPmA@XX>n3`uOBV@Z8)@@Y$5f`xNNb3SV-8XTda+Vd?RI?l1IhuLR`V!r88;WG!07} z>8n{6R``Qbtbk<{`n)I$`g5`XpcVa?J`6#Z!am_sCq#~)yY7QE0bm^>dQ@F1TE=}% zaUq%i9f=y9=paXFE9pEBcZTXlLj@ux z;z{~}Q6l6&UaUj|KRXVa-4|vaC}0gHuwju@`&iVT9m-f0p0H?KvJYBv)mXfp2WyX` zc=}X97R5yuv;YwmgvQ`HC|%Sv42ywY zc6YJ|6}0y3g>J+N{TZwdSAP%eNH6FLq}r^76z*vYr+~>+zk~(l>%0v=Oxv+E)U85I zE@So%1VlXM$Aa0obQ$2aZ2aLBE5Nkaxa)$M#g1`h#=>Cgw251FN2JD$`62oPUypqt zKv^4(SK^(AYZgHNRhT7?H(2!n5&BnpV&cc;y{{56QBsQ;@n|ep_q}o$9NqZU55`+N zuZ}ZaN`WYgjekx}26y3g9?G-NbNr-7WA2#Dvh@OX)B7bhoZ?le^X>{Yh%Kj$a=+q) z6+fn@LrBma(RR8|QK(?(kG5DK5S$*CYAlaSM@3i)VvnNX&ZZf6HsEd@%fHd{vL@{Yc|M` zQpaDVFe{=mi4iPH7$!e|?4&GFhP0)=Bx;9x|ISQ3nt7-Y&73RR##>o2bM z3|9X<|EQTTaqVq{4-jReq!XD3d5peYA(Laz%@&56>jjwXC0SdA;?##UHygD z?FYShVqWLR2MqGPBJbtID|ZIt%Baevh()HEEcr=D+Tb>de5!*@5_m8Ddvw<9nX}XG zT-ZfcU)PFNccr{Pb)W#^@+KPOCv+xM<{zfW9q)&=v3$n-YLBRhQ@A`1N4>OJe*FII zhe(tJBG$m2!(knVF)pb1V7QkjC`l9M^p)+P>S_T^I#tRn_~}kA;w5vrIlRS0on8fq zt`Zge#8d>o^++{`D8W$V7CX1#RLE?PecIFF*+bzF&Ts>MSb)x+z6&qtIqOWUcph^L zC$CEGpIDBd3EGT?l-5oZqt-BIwr|$go#d5_ zdy#jMaw*CR8)O$!0yGev*6yAH(^LCtvkmv{oY~1f+d~Q79l^!%Pq#V$8)cy1p8i4y z;l*Je1vBo2m8)TSa!#8f9v8>J@N2(0ZlEOm2^Nz^82NMy3Wl`+QpFqR4n|UB{8}jF zQZVr<3dQF0o@<9+-|K0TiJ6TfXsbb6Aep+w=AdY+?g$Ngo+z7qRf72Y$?IJL+CKaMl5WN4900s)=< z*lTFC-^Q?3Yt(i3A5nvVo}^#F8h$PNJxH~6{>UfcXTIj^`~=%jfRTXRaBB_-1&S5V 
zx5&&Yoeh{dEqU)0LQW38{IDX*tZNQtF#cGI?`!)>b*zo5zK zQXF?@YC5VShnQtaYlhBq%PHF|AA(7B&wO1e-)3h>$7aginS8?4!;ofg_yR9X+ONt- z>m>>3-7Bh}bXFPMfrDE!AQ#6e1gcFI2Z)y_CGcCzwpSs_kkYeUZh*~adF~I|;mo8A z*ps(^9Ou=VmzXNqNh&ygT-$e+O}e>TEYKXnj4U(c+es!7BO)f#XiF(ux%%@9_un>Y zqJ)d|LJHmoIh1W~+c{*6Zfg>9s0`Gq!N0%n$X_1T;5B>r%>g1l)hQkI#GP$SCn{`H zL))-M(c;r0X>JJ|tiI0P|H6bu;C8F~(EY{UE8;#ofJkErK-1@%)eD;0u%%)=1rYn*2AMjyBbicur)+ ztf6iLK^r9Daa@&L&gHdS?i!g3mmVb~s%`N@HO9vmvlk=I&gxB_D&7?O<>R_zYtqqL zlQbG=fR3xa`4m(XM5CBYZb}}I7X-@`Y1oJN$qn;-`~x&6KhGeiYPPw5q1x-W6C-y# z0N>}ro*!saaZerc?6$A*{5og21xc8WO}}V{|6x_a>tK3PIj&WYOQkS)y%Qw39sO3EMXp1;jf!@>IM5!68ZtA$c79*wty zSjGRaOkcb@O@2XDfP|%d*oz##uG&fXFP%`GOX{vc9^_IK3)(Gc0ex{pWLJc|>>O)U zI0{??4w~JxQ8P_dy5uND|aE2#TnFos&r=YV+7HpPoEbD$M!Emrx75*XSiJ zse^5QjAEIR=q4p1zR*%)F+pvQIn}-Yffdi7SyH1JekjsnQNUX@x}CG4heA);+K-GVz|xs*DKkXcF?hN;V&V8q7; zKLpjZgHR3Dpv&@KFX*ZQ5QCSR+wVw@4bt> zbSxSU8Z~N z;hObCshQ0sS5k_G_w;fMIAkKv!z>s=*wd=1LCE8hjX|oEeAKuW;i8O;lR6#hh+M_? z!Mkqaf?bKWfV-7j=n3j#{zsBj4n;hU1ohSoBvTNb$Z))WIQeD%8PE3(LG9&jLM=svsIxUgGlR32bp~yHi z_q9bx{9$2IeyQbY8*6=#-JcsOz(YAo`^Xxjl#6#w0lg@8PI7jfN&d(|@0Gg=t>%Rd z?Wd1VyC2VIFYXkJ*;GRQF2tfK^S2y zf&tjXoOf_+tuzQ7ulssQKsC!`fortl27muVU|KyDh!tkZp>X7o-`9X#)F@D52lnP# zA~Q~x+-U_j4hmUXpD=q1YxR}*QA(b_M!d#z(eofX1Uss4l9j##OVVUZf|F6(M6d>5rm6T zz67Wo$@T2jjU#2@?nghj^Q0sQ*v4`G4ru+$wQ4e#Zb|JuG+bW?1wy! 
zpp^v)X{j8i92II{g|+Io0#|+MTL#!`F6ZC0e261Ha)4@$>y9J%7I`hA992yUBQMy} z;4kxj-6i=Z4h8hMRr6(WsxSwJJG6&k3o7hlHjwF~qt>KLXY1@;C`L&DAiCbfdr3r6 zm*6gP-EPGyKC`$HN>XeY84i+*lSUd-FX!wwKzxl;q^0}dUjLa9Dt+r5men*Ofb=z8 z3`O6VrnT50MlUHB%WH`_@HG^C5J1}M>%Z_hHn1xF`MaYk@1gF7t~|MNYmfIUJm#lh{o%+xnwGBK_v#n+oQ-t;yy~2MgaEf^`C*;8URSP zS&L>((D1^W=$~{J&n9udT2XQ_m(>{}?wMfF@#;>%*`p{xK>F)Lh95C1$4|}kB^u_NOtwCdz>uPvCY6V_Yvu}Wi@adTyL1|In@?lmZu_S z=kCH=71Uv2U3xfjLM~W@2v^TXpf}>(Jd*D$$&GMew~qe}evb zy%@6|lP1gat>Czi_t*L6b%m5N2azET;QrOAgQM(5(KGX6Up46ts`*JM7n>G0>{Q_# zkfNkbN+C+x+>;wTTfV`r8T#t3dDw8|@UjZcJ#>+dKhHU-2f0MO+Pu5gd?E};4!!fu zPn+dkQ~jm!z0& zCpH}=-FZpz)Jd?D@?)}0Qe%5Hd|xotU#y^~VSInt@P_T`yq8QtH1(eTotD*+133Vb zd?md6Nw>G{f^v3Q6kvbP)Xd{JakOl@u^t!Dzdwx5E& z;oJaC-m_ePC>olPY<7OY4~wtWQyNH0yF-ZsTPASG6fQ1%S`;T6oSgN-w8!<zyd*TH>oeoQGm;O4huLKh$Yn=WhhZ-thrG zUtSv~vF3B$LTQ`=TN+XJ{=$PUtV&!{7A^NSUl)spIcNA#z~+I;r$v5Wp_fQBPucJA z{X;D!i$-}6>j%VjEZBM2$m*KJZ~RGwr+c779W!MdC)oASYDAmPwtmorrXEu|?Y@^* zh%;iVI(^ka@3jxiKaR@%^mWrJ^>dk0?xv%mkv!m zhBP^zsEKM3L_Qr4yMQl+R}z?rxZYmau(Z2iX{;q}Q0RS}8Z8xsCMTu=Kg0dtpMB@g z4FMu&#{`R#RDQ_i=}!BFB2=})42xY(9*?B_*pZM&;v3;2CQ?7h;MT5_SKx}S)D708 zaruLSF;vZ)2d*OI=4SpGOkDog!l0dmN}W^r&OZ*Uc$!zgct{-jHeN(y9uzN7A7>eN zPhTeAYe0`7Egym{Hic9~vGe+_+3Fq_qV@c{=11!$44`pX4mHjq1Kq?b`SvNwG|CgD z!m#IOI0x?1?o%}q!}K3fdh((F^@Rq`Agr}Pt(t4Ug*gEI=Vhto@&bw~i1t}mlkiiK zu2@C4k6mDa#Kk3C3@hW5;D84f|Gr<}z-7rd^GXG(8n;}wKCt1DBC#-!@gxF=Z-T7_ z@9I-tXnNprZyTa=59s|@m5shVx<%J;F(h8D?dpeNv^SC$HMU6+{dT}TPdCV!b(S1Y zwgig!k+jYC`A2oqn*FG#hxx@SeFTH!uKeY0lslJZCKw_M0AMCEHn!s}VxHOiyG0nI~4Th|hFLbI8!lW*YqPUO85bXWO z$h}k+(96WsM~q#Ufoe$A;-3G2!Fl#Vo^ZTjm@7z;PW$i&OeuUoYzDSj1o5Wp?WbRk zUCFf6s`#d|{Wt*rh_zZ#L!J^~t@_MGS2t{vl^rGnpAoeD^~=l7-a*Zwp{ z-ft8oiwmkodAI1Hv|exg>rin~c`9f@7BG(V`mINxc|#qhp4PPAiT(j|t^`ZAM5<3a z7tR)ftT$-xL2L|O|I+V3&UD(JTP{e>qQnx!OlI*C%SN@)q!+a@rE|q71rjZL(6s8w z$j7{4H@E=yc}d+ksPFi9RX_@#>;^~fGoFsnCe0A1H9)N0wVs_mb@HM19j0UwAeMrqV>>Zz z^ik6urzJSSUv}Wm52wZLm6m**)~oQ)Bo|bcpzGMpdw+R0`#n97c`q)0`hXqtpN4(= 
zb8>=@g4Z(C;Bs1wipBLib5gZwSk&z|(nRl81O$JzqSMq+Q| z?Rg0iV$U2{?+qh8g}ALYzXYHhgg2kkp-t>hEoy$_J*|MsK$HuKMDWmVl?T$|$RS>i zSJE4%x8?VF>JCz!@aDie2V0v$ZDv(!*~$M2i?cR%0_Q(QxmuQuDZ z`K-lO(EzA?T3V^FTL)PD<{Sx6YEN7%1fCf==5&+ACdpLs&<-p#f$NhMHQ_NI1h65` zuC1jXJruT;O$Dca?Ma4&S`C0~rm_YRGOBYt)@>xFmFkVgvl{B$>20+mH(I@io3p@*-VLkkA%lWJWTfPI&DJ z8_@q}yE0qMMCm#`9skBW<1~+jWvfeVjMpOMNtRKf0HiuUGZ*`BY!aG$w>jd34QaG~ zP+HlO6v7@@$>ZSrMmVNJSA9ox4Va}dEv#h4y^(}qgk_P@2EQHoO5^W%c#`|G-nUc< zK(fW~ImI|zKpG9S1uwAt(cKAfUz7Jo1@ynCv-+SL9e_MQZyzG-)AAf4x1S=G2bu6s z{!8AiQehohLQ2`7%A}{Hn=TtUhxL8WQt5I03*0dOk)aYuissTmsQD;n*|4vDHb-Vvl0n61UMKY7|S@Pp^`4^h|{X1qYQTFG$@vTc59zU z0B(g$=qu@x4&40QTYp2#$*@8MiFhZ-4kuXW8x$G2$?tZ1{~I&ot=xJPx~Fu>u^bJg zR{Y}tz7AGGC6OwXI|4;Sm*w{@s_fMeKGPFfM8HcUc$Cf(fY3Q`udQCrbY%f8jF|5) zg&9P4wR!CpIw@u44f`cL_rwd(IdUMxm^A0XjW-Zyrigw=>6l~b5X0PIV(cT}F~ITn zT}+F%3&LkGMap6uQv7aYpXKPX!Z%i5iiovS$mUt$-<}o!++*~3=nTy}N?R=&XJA*X z^?nLkaVAFL&-614=Hs(CkMc$BpJd&uOvcwrh~MG;Ns5jZ};23e<~(}USr-jiY)4D4{$5l{tCS)HvdY1IO-)BZpy-1-{hyHUis@*Fu;|n1&U_;{Zfx68l6A$9Wf34<1mDZQVc7~PxGb`!W-LEv6NyUJ->L6OdPlyjGCXrcP z3*<$~k%iBBzIXoc2D|(07UoWXyLz5S{3~8ZkihE^ebr9S>a0myIb`{zS{JT2qflxp z4jqf3(lxyUQFPmd=LfK>9s1_&fn2x4Q4kGxEO z_3T7yJZJXl5jZ+oMAj<|K~lKG1Rm&MlHzm_dhjm^nfjpNqe&|6Ig3q z$*3yncDJy;S)vwB`X z@!1=^H7cpQxNxFUtgei8oM2VR$9bO^=lF|%;epA~oKEYL{TTD_X(@w#rKFM-oKMdP zt8gQ+@NXvsw6Mv5u{z;s_M3}7JxE)Ye@e%J4@=ZfQb@offjwmTiONi&P3aP+*dGBz zGmCwjV^P_S6gyptdP?D!#1)z?6DI0qmm-r|M){&{cveB78T+I2?FX+9KNHX7jt=<2@)2hEVv&`b>~NX>0}6^pHd2h~!>l<~PvGtA zuCy2>paf<1U&S(IO%Zd}7eCIz?&%(?)01Zpo!W*;OV5gPI6USBZadG#4~hFjp&nMaFlW}wA-rwc1anK7o$%k6 zU)yEYeq4v!VqwiPFo$aUp9DCaME-~srLifa_fi?Z=x_3@EP~1dv^l?#=5G%}9{0*` z&r;|j0ry4KmuT2u>;VIkrs{y*%WUio#^ZJP(}*XG`UZN5GQ1ZWvv*4gBkKenj2q5| z7adfSFhust7Jes$@=TTnivll^l0)9pF@aN=X6**v9)E;A9!`eA#OGK0=M~?57R!u> zl$Vq(Vm=0({=tZU4lHvD>0Rmz4_e?7OqGgda-%F;u{KxysVoId$ifaVPieK0XAR3q z9u8o}xBLfTT8CPKk=_hC0A>S12eF6RD?9raXnGTttYPDIkg8kD1G_-^6A18hDeEyv z7|r?6AyHdLN$GOMYJVqOY0BgnObr8?bu$OcPgmD$-18#XOLo~| 
zCH#?kc$JREJQjZFAU1Hf4eE5l>aNBhtN_Z@O#gIo?J}d^Xt!6xF1AB(qM2Deq4H62 zRFGXa(xXzTBqQp(`71p7c>St6>tKB|R>3b}aSg3|=O$t%M(S!T8P8KvIIxQPM(Ghv z=lh?L{V7Uqi~lP3>~MO_w@jU+Z9ZSe{QF|rxqvkxc`P_MASh_Wd$u|w89^={f34{~ zhwJm2sI4?de!8ayL^v}u=6^LfJfqcn`PFf@ETs5FuOrNoADM3gShPUyA8!Jx=DuVE zU$|`-{%8bj`LpEXN-R^dL*GC`j#eWO#x$*Td z!|i<|{yiYOrRK6rudQtZGvwL(?xN_Ah?5#f@vKb&Og*V~W2TH7@4v*PDFSe4H2e|i zDvWUTPmfGMkrRxdxuy8t_nPjy3*fy%kS?PU%5cj#^sJ5FxQPrDRrW+BNZ@K$qVgab zmn7z`;91W8bm@yi z7+VNN%*BFqRuHDcY3|GDlO%PTR#5R|fd(;4sa|nZvfZF$z8qixRn2XEcrpau^i31y zg%P>vUCPft^;5cJjFeBHk^9Q<;hQCZ# z7&X0u_pw_gibaF#2isOZ{4_v4N_3lv+g_DQt|7KTZ=b}fD2s6A&ffooHn%&MgP(mo zDQi4p(T4XnSiUJ$8i`8w6*zcjrVJpWnY7P;@Fpt>{gM=_qriI_lKAUvV9H=eauFFD zv}bzDXZXKBf8YlGo}EdP`L7!7ZbxsbCtPs6O(z4>rX;1=v8w1{GUI%SjUZ+GIB8jG z2TkP?l=78jy@cl;SKsNxn6As$hu`Yyyjco$CT(B^ z6{`@?PL?XKyp5Sk_pXipb>$F>Mm;mrz9!AfT1C_FaqzMScP`VGDIuBIu-?xM$+FXK zpT+ztImmaV-F{sa;8?~C8)aANGU-+@E`3JhLXlORx0_2Sz`_xXGrdO^zso{>!DGu+U;2~jbcvmOQF~g;;vd8Pecd+y zW^(yr=E?o#8Lvv{SBAY}nrQ-S?innjM|+ zsN|0xPCCK~??I`RWj}4F8Q~+hXks14u|4aoNN3Q$+64&xc42Pk(r3|GrX06QrFBh! 
z2N|0v@_S9M#Nyhh!{Z}YI)q8X;2tM1C%N@wkr7O?Of%3*O4w-tMlY-+s?t29wntqJXQ+NcMAw7o2s+dkTNuERW0&SlahmrbM_+_E{4S z9o~{Ld12G5f=U%b$|`=lmKM!P|vTEWp_NyD4?c zZYi?r8j1xJj~++zg-2)5YoaGAPa;_*$M_)DuYM&#=%3PMB+l-f4{y)M_uZsI-xodV z>Mh(7O|vyymmE!sxx5%~SCj1|b%iU9NTP2Ep>cj$qCUzO?~n>ha*$$w8CzB_Lc(4e zU$R_0a#Hji<6Bu7&L6~RU4%I$##f-j^is(~ct#f3=}VyCh3>>Z~CWb5((vxb|9{&CsYX=Uz@_AecPNCJUE)Yi8Jfw>- zDk*sHFziQ<1p9bHF;S(Cv?{wWE#toDa9D93^~6T%4ntiI z&$z>AXp+Rx150v}v+_*LRHg!kvo49nOoV%qw9`!0q_gB?oOP$uCKtN=wJAE3z|q^y zx5ELLUv@#$9>Eim`4xhvMccaqM-l$X%|cR7UpAy-`>wD@XRPMz%j;@fUEK>+c8G>y zWdUqjF5y|;EkhteDi)9W_+C_<#U40CB3O4kjW2lE*PWlDL0vNn=S+a9C;(e}vPoed)sH*ufF^0H!R-;FPH zWA48ArvOdPwonLP)rFybpm%09t?o}?AeV#T!c~08#QfT|kczl>xD9z?tUS|V$4kLKjXIqfn%=&As>PUl&beuUNX-$9mg9$x&ofEPdDiyQAD2M=$&Y zC(-;mXlD~89ZQ2Cg6bi8L3^!8>XDUZcT{X@{Fn8*lam!KHpvS)kKeJp4!9|AsTRYR zVtKqPTwr(fG&Gy=g1P@nnd?&bMc0dQu8tb%UTIz$SBv z4#E^+yE3vMPz8ymvj<-xRFx67F5%DINTSt>Mo>$lV1Yl)Ug)+H?2$>cZu-5#6}ll`T_C5g48ZK#|UVLiNR)BQf zB+HnUIjLhJqi4mt@b=i!bu&nhI>26x@(nUx;QDo#(Rfuv(9NOH{kJQGW#bC}z`o|V zJ8U65=;i_A-&>`DKh~IHCN6H*&wGmGtTwdbUw)XFp;|G40bXhbC-A}h_D?y%4@z;kAd zI}uQSc=CeClapMIoUlgLNoz7)#?EHxvgKDIT@K z%BA6r_t}9@s^F{9F}CGxV+?A&t{gD^YKv zUTmD=_~cgQkW|_*E7r%4LihZbQ8Hfdalk#-EvJ7mneVZrA8gR{>WY~0#_0NWg_iGG zbL2%=Tc6ID>G#V@MD1lS9F(Wjlt+M|d)()^XxbJ7%F&S+v}RWg-JBSYx(s38(Qp6a zJkVW_(U|RU?nlvrPM6$X^dbhKXV`4h0_<@aP!_e~?H8}Jnt+Ey{;d0Gc3td2qn3K3 z{o}A`5W@*X3#gF>x^8IC-uNQuu zhjcCBS?y{evT6`*-9CM&WW)LeYJ!`)iHOjQo6k zKfZQxq0;|;iVPQPSf0zB9LZ04taqhE{$+%EzJKo$oVf@uniu`b;CtL*y1^m$W@vR& z@qEwcpDY(1z1EP-w-a0Nfz3ieRCEYq5YE#I%Nu=-O|GmC^?V!oC)3EYt-d_+4sUv< zQpQXSJ5Km^>aBX>Bv1DEy(eq*d9mc1I|xOTr7FM&s}ZI28UCF0AF@4(XRe4i8KlTX zK$=*F_5Mf=pcH>w5mX4sdO1%I-9kXPoe`p^kdG*A)g#VIGx&8_BtSvlj5{WowKkMH zPIh~Bxc^ugW7xd3%>A(AHaNL@;BCChDzf`p7@tNn?$3b<4CfJ9Je@@(9YVS&p%^yP z*S^XfHcJo>i4=c<4JzDZ@*YhA^gx9N4mQ&<2z|%|xo;tkmoOLPng0rZ**-x`(2EHu zlqGDbadmHyfw%O)fpV|tN{jt<-v?^k!Aa3f|SI0`%GD_l}rc-+zx1Yu&iU3S+vH*hd7iK*UM~&nUoaIs*js7n5Uk~rs zK-0Xbnanlix5e~<|9GloZ38@r!kmbHY4DT!O_Tv{?70MpXI^uLz0@ym*h08TM$^7- 
zL6WWTC+%x?X-2|dV*KOgV4}hA!W7Gk?B`HDS3UisC>DD}ozX%hiti;L9}y77E8eZ5 z1VTG2Hc}yVFY^@pI8(jLy?rf-XH|o}N})8%%-(pR<)!H^t&Roi5Rofh& z0&1RV*%+@|;QRaellJ9v{2Dv~(!<#GrLCL6hppqqfMY{GS$SDJ;~VTe{hshn{fRk)VAQo8eNn%uuB`6fiB zjo1WYbtwl9z6Ms^E)~Dh2tJ)Xr5qMaWymnrvt?<(6=n_?Ez(JGzd3xlK2s=lWf04o zzo!L#%NDBFileOZ^04~lqfaerFV-tG0_ZcMx9YT<_TduwbW96!4@5?z{+cWSSeFg% z?MT1N28TZi6X202a1Nw#;F8T976FKN?nr*7y7g=3nQTgXv`*x7MY26;>R3)(EKkwn zoE9$iD|ZxlK&D!?a_Q_tIiyMY+*)hJ4D|!v)&oYXTc`*vX-TW(Q1|{%<&*p3(Vwkf z2BeEp`2?c{cO!>;apzu059X^-pMs^}hV^Z=bWO;AGcj`e7mrK7N|X+zP*nl#GbR6W zj;-y>7BUAB$FYnp@#fXxYL>}Z-T5&Mny2ZGQtIpCtae?Llzixt9R?NPM{~jZA zZ=s@0sA&>3`IY9&;Y|d}1&W%G!+Tm0L3ZblhrnAdY^%x-(DH~h0}ZO&Tu7--u-o-WzITg*D^9_oL)N!zcr?}Ws?el5_JWdkOXO6Qp6MugC{W^*iD7|_)M*GY5{NBX7CD1J) zmsLVK$FZk!C#<=_5!203?2bk%<=X@zWa?2yQKIbja0XTApJ)4BmeMcS* z1e$k9Nc+~o+X(h738iz%j7aRIX~gnQaHa-uJd4Zb@d}Dhn?nXNzmW05e7Ao0sulLV z436-9!YC53JIVLvx95Ra9zKZQSG2;ZNP)4lGoEi_su;ypY!H*cgByhY9vg0=rJpZQ zBnMJIaE}s8=UIWE-`088(1T8m38lCD;qpq6&Ce-8EQdkCk{oXu>e;ZhQxnY9Cy-(2G8gGb6NW1dH>0)hSnsz72P%F&J*6`jj7Z6Hbt zl#+)UxJ^QZrsoN(Lv6AVxn)Bc^6iwN+TqlARZly$oIWi6m1`~aNTjUMiEhGCWJ`js z9KyRx8S53VMQOqtn3y_RLxCBPL1n6k)W>|~t-P75t)X(D^~=L)jCV^z0e3O^kVCGI zg&_Cul!p!ica+$Qh)Qtl7tSP{$Ub!M1Dknxq@jvdnigQS!~Rc+Qp0bEQeu$ZqC(+m z8{ed4LL@y1ZBDckUqiA7d4Q)ck9bZqGa=81Fzt9Iy%dzT(@Xj_q(-QqvzK=D0{!aQ!5NxWTSjJcEq-T z@eVvvZO9?Xko{X8@CnYA6l_=z<-?T>y#KFNvgb9Zloj+sHYEb^!ID7Cgt-KT5`?|B zr_6!u2#YlrGs~y_;~UCQN+tgwVyIOeZv647Ph5o5ZX<#X--NRmUuFA16YyG@duZ`i&~m46Z$W`3*7wUR2GOz^A@Oy!JgOGpt;mE z(0{Lg`&Q}r5wmvNy5m;IA=7IrTpp(-s8}wpePynR1k+*m>Zu3fOlSd~EGfvB0<*54 zbs=pYSKXRFVTYi7K6F@dC4UxQX^&|13Nvtgf!Q+6&%+)^)*BvVAXcZD3ppoPhRB}g zy5^~mMA7PNU`yfx9jrl&Vw6)Km;R5ZuMTMP`~DxDQW6RbkWN8K>5`EW3P=eC0t(U{ zqY;piqJZQ`N$DO)sl*s5B}j)fW7M|aqwml6_y6|Xd(S;}&v~75q!W%J(zubx(JQ!= zMW%qjKu`gmGw_#X2=57&7<~`vIG;dnrr`041yKSe>$i>TGTx+@Z zvTYw9($`Nwjl+L0P6wlzi^TnLZJF@YWsoVL?t}twv%Xixz=?E1X3vm^3WHMnc;q$RqDUarQ z!W=zmuwl zwN4$#MqX*$`^9iDW-wc#OY(}yZnm3=Np3AvAY(5hg}L+qSIyZ-HM;Fc1?pYpta&Rw 
zu5`JEjft;Qh(FFH9fyNLIi^ZsjZ(VL%Haf)3;o}Z)5JFJZ9DRY}DNe7;mIW)-h5-iL%v! z00gdZbV}=e2r2jSVT03r=KI)h$I5a@vh4`l&c9DezTm3|bkg?DEpWaS-O=>yl2>1^ z>;TdUO8PEEe`0-gwW@_kgKXRT9Lj zrE{#?@LeSqJhqP8p^c$p>yNkz5@#Fq9X?YZhubbfA7k{9N5S5>L;zVTwV6W#@@kQ< zfHl_W#?8H)eR{7VaJSxr!v8|o$-=hh6Q@cFunGH6iy*7GoLzp)NL>Q8^h=E{zTeBb z7=0p;(AU@`D23^tt3hY9^~12*Wb%g~O)Z_nI#O1m$NX;y+=B6wF>_H`+;mI;*11ND z(`&iy7QTHK@qRA@cb*urX8}^(FIO}_(e8bb_9%0=F_uzv=npr4$IX{l3G$iaAvfaw z?9_g|M|E~!PIO6HeVU~EI=Y^TZ0AQ7NsD3rte_{J5KUy&?$J1XtFEs>Jdrwm{E*+y72}+e1WUpEY0(;CG9#00eDZ4zGq0 z1ud0Nl?8u>D?!VU36pO`j=ruRk;@dE;k3AoXui4W3fC@Rqd?8^JH=%y+2$Zd?Y!eXt*uIsSg7nc_;IiA16<1j z^!xn}S5~?Bggpze7m^SZU}Xq&KB7{TP8cq9GG3hm2^vG@1ajyOH1F~Ke*Q^g7GHe^ zj79ub&}~}ShUVIu|2XB%ww{=^TDH|apS)K`Lj1(}fOZSEz}M>FkO+E9z0#MypK_-B zO(o`%wj=L}Ge7zWm{Iv}sba!5$L}QDtbC~RTqMJ$pJu4IumluF_`rH8yD_1eCBxw= zP>sSX=3-p$4F#R43TM)i?ZBttCF-j(;qb<$2KkRu;p=FmhhO`%vqLLFuxER@{}tuM zEj;_KN6)%?uUaW16*h-lR`P$$pgfUgF!r{9XmBLNlp*;?7u0=qOCQ)T zY$xSaqj=gVUVK{ZF}Oi-+Xr`L-^I!^J$?|`MVN7b2E9E&M%8A8WZ5zP;psiB)+&aG z&q1jcBzuk#D5ah7ze|~m7Qkfc!rCq>Y`)cSMtt-QG^QGmXg3Ngy%r<~)JBA1Qf;rS z>hm!i16)3S)Gmma*Mg-+Y|2}k>~jaunm=ev0ZUp5wrq>i@2X&;`w3yFw(lRk!U~gf za70qmH|=GfAd5#Tm$Gxv`n`6_I@t1|%tyPOLnR+rKaFN;H| zgQys4I9D#{t@l9Wdjmwo0i|d7@|g^9*q>0g1MR(VkDv2wu@_VuE@@XR78MBqTDBvCfV zJ^yAd)?|+v1QD)zR>X!3U;mU=bEoPObyxiv`3u;#T_*uu22F6BZe~tj%^KfRouI&R zp4`jC^1$LCT%toWaJxhk#Gs(Vf(aBId4J^?Im}jp7w1t3>*rOBw!Y2!z)ktnZ*9JF zwvgKkbz41iYSekv4H~oApUZB`nS@b)jjgXAs-JlO9GzDP9d@~BW-|(#1-hj3yTUCT$VVEt@hiUJ-N*ne=oHvqj1RD5&@SFv7U@)Z)PUzw?gVd?Y zQ7~~$+9*(xJ*`YgfiV=r#ZiuF)VMh8Zld1;fz|!~`$4;tzSmXjW5_&tpAjk^NQo|* zgt5YD)!}*ZDxe^32nyudBW7K_8=wr+1J6id4P=R>Y z;dRc#T)q_aed9b1vl;rUeKC@4Qd)p?L4$)-zz?RmUH7aOyx8DW{~WO`+~5V z-ZbSzeu3yyMip1v+}s!kwrda_gF7MOFjs3bFjtLBmp)1Dc3vdqr&Xc01W2Cgg}E#f z{kKQvkcVWd6@jFyhilgZa#q#s5B2U|07C@G&K=tD66e0P|5Nl?Kqo)2OSo#Wd}j17 zqB^6`Pg^Ixly(Vq=F77hiQo2^%s&#v&p%SYOu9Ao;H6Kx%Vsyjo)OygHl5=l$iA`1 zKAu#g|1MkZX$rmbCnG^w!VA%#Onyz+=q4!n*U%HOPWAjTA|}CDTd{8{eg~u1NJeBX 
zT_=>{MMv=cCxZ9L{`y<4UyfQ6wz~aliV39!Y-As)mNd=DI_mU6wjGW3MV3papM1qN z3f8_-x^pI%KZ6L$6e?_e-uY76Sm4m*Tdw3=g;%`c7MtbTSpt)ve}`Vd=k%mXRqul| z#W`}#C(qI=g{Lq`ZhYyl4-*5&O+Wuro3#IQrf)GJ#JgUI?A=iSg<5jw6uqhVZi84S zWi$J=+1}|#ka124JL!0qo7UZ&@1~;Z>w8bl8SlMwtqhb-)a3G(l3_YKegpyVwo=|m zIn%z$&~A4>gJyv$5M4491Ah<{^)#wKUp`Y5H+AxD@K|=?Kh3#+11L|pq5_>g0Jv`$ ze8*{AD`1r~k@9Wm_cxG_Ly6UJ*i_cZ`x6_YOD1en$?tuJFIOoA)I%!Au_0fLgW|V0 z7@-`oUE7Y%!bzp@->`%Ug7bktB4v{kC`OQx@`c^Rbiu@(=OK8LaUOBx;tPDy%VJ3U zF%t0oS8YLEzE;}cguA-j+m6O>ewOOrR?OV*4%j9ycfx;T)Cb-n6dz)4P1A^#q5y5oTO9Z>$) z9o2mz2wH-ExoG`0{PM6@P^i|uUF=A(!T4MQI3Lu+7*amMe0SU}hjpYbQWwwAX%mz- zY&vR{W8kd&=KA7e%&TC$F3?h+%=_*|mjFUIt(8Cl^k`J6&e73555^xWE~9jGc!fUY zoS%E#NxK1k9+2koKJP0a(1Ya)M6(i|uDh?$3WE!`TR6(#6lGoY4RDhO<7kU7f1oV` z+;xS5tO`#%Pj!-&*1i~*m);M0c;pZmj4+0*ywl9nbaO4C@nI^DCn%H8ya6)xLI#C| z?CdxlxxNlqT{+*Org=gWqvz}%VrX@=&#s?H2je%EiaZn?pqu$$tqwZ%6v(R9GpY}nCaK8f?woWM@hQkf%aGeHlMT(tGA0GPjV2> zNHH(uP-}ClC%D=hxeO8njzJ|{Qy7#|@NjMuMgY`1HF`#Vaf2ll!PWy{!U|#xU4r8o zaN*i#cT^7FvredW4AFl!3aie5YeXO7e=1BbOaOWAmC=)*BP43Kxr)L+FJp7vm+63k z&WnyE4N&%k;_8j$t~iJ+NN{zfPJgrY=^fgdPVCfi3lx z=%RR2*M{yn{#Ltt$X6z{&mf;^1RCsV<3GYq^0EwGT*v$wRy_Ik6t@`kKt&H0_)^DX z8Av7dD(MlPL0MlLjmS6ZhqtBOxaP*zo?9)W@c$0Lj*ft7S%evs zW4TMdAJ<9YWil&7s+LKoiuBGQd?Hki-~@>&A7WrtKfNxF>++(;2z%(4oL zQZ^1grzHi2WfP~Qzr}Ruf+(JCFjdmtdV;up@^&pJDg)nbkFz-5A5*ACe81A0uj36x zY_8=#Ao8Y>#~GK-|FL%U7GWA$`mA5Zt+Tq(9|~Ll9I8|lYTKbrxP$&o7=6z2fj$w7 zmrd&!M$hQrEaYc#n?W5Bt-@nZ&rYTH(i9X#+*%ieuB+DOc7lht2Uv@%7rU+op+By~ z5z0S~*-jrr6)~d!&IwIy7y4P+^?PE~q(RERNe`(uoXMAz29ud=qSmc7>H72wb;$5> ze4Vq^bqFC_J#LsvwbxR2F8T9um`SU-0rthb1XM|r(_-(-V<3JKx+>80wI-zf_Y=gD zdSVE$-V#g1D9`!D;B|~B#gaHXkWPDOKo1~|P&Yc~_%0P!zWGytU8<^!;r>EgUHTkX zm0#;iO$|EOnD=J9*|Hh6aNpjawbGA$nYy^0rOGC95HywyCm5<8{8C-S^mEj!{ys=x z&*HhI%C=j%IE~VU&@o;D?~#iZAXn1;M^`(LydZ@h0JRuyvl(T0N}_*VF5yuy33#~e z=CkKJ!Rc_)j?cExEImr z6`IS7oORnj=eb?t(g%;B)|s2Mv!Y?%(W+#y1 z$rY-&XB(I1QT>KzXub0vO2^@d&5FF}nN?jGlJquJHhI>z1$yVWgCprBGY#jKfmWq0 zM_Ph*x8(hc3-=fs?Ds2?t0Bb4<3%b3yy(=T`=HXG;ck+$Y$^zsd1oATa0Ho>(KDy} 
z{9tO|N9*X1j+2|5srD1j2}Q8jP#0*wdTxB!tMU~u7e9l ztFYHUE6KWZGb)+1ExF$^X%pAbH7IZH41i_O-uaM4MLhW4o$rcMw&~3dIv^-k5GkF? zLVIz%b$-3X_wpIZv!>>^QL;Q0oa2F>nc#d8niCoYmMD-h``Ibepr z3{%Y}0^W5Zec)9;yRe-Tq>|Xx^*t_W3Rz$gwu1L*LJXH=X*>t;Xb&LOB-GxVFAJWN ztaoM*_e*+7+{93I!;~rc#pi%Z6}Mc~85*>$g#I>^SQ`HosnUYJBvqUON@ZUEw+_3F z)zj$Yga-}?Uxj}1OJIn>UG0hlZe6`znh0Y%6}_LPB|}Mp(K#h>4ml|pY*MOZRD6`1 zZ<(`9{EF6R-dJLb?Mppj{FYvSrCTXpSj6ZdzUO`5X~Frv{XBpNn0A}5d$^nf=#>Ty zRmkfgc^e4!m|j(t*hmi&|C9s<-4I+@Y7PPc(7~0eFV-Qr7Aj8~`4CWJ$pIxoC-%(f z_nj!hQDaE=G*yW5#~zx!Kg7iy!aP8i5(|(wT6Vr}$yF11-sBieN86hPjSWmEJ}^%V zC+0)hgf-Y0F^E9#B&u@i)&C^s>$?{|=79uJMYrq`XsRre>rXQn3z=|Jey8V(#vVy% zp)?GIK`k`17P{{;15Z03d6^d#=jIOdi%^bv$wV{|l;=AZ2PBzu)9c4a11`aN#eMs= zup1xj%tVrcsP8+*-eBH)gra8M%K%ZQUUEd3ppn1DFOAHW?mr{>aXakYTsw03ivTw= z#`*)8@CT9>LHtl5ilgHV&U`Op<>H?%gn9yU)b7Y7e~&A%eU58tQs!0d=W9Ha;NkE< zW<@4$OSZ_5F#dW%dlwLqwe6pP!>D=k`;8m9-LrI^`PaB>&o`9tqL`tlSc+x`gMUP4 zThX=%8~@hlB{jTNVkheuwDPBN?*IA%Fbq~TTF<;qTnum0tVsAKzi098(ObEM16GmI zLi!-aR+IS)iJv}%(axGsf1Y;3O%&C7t|Y!<+V(xka(WeJq?-(WAEam>3OM|c{g(U7+%gu7;_ip>NS=)eC=9}OSeS9Bl5xHQAc;VXq&LRJuZ2$@M@-? 
zJ{=lv)klZFBj56Tc8Q219JnR41LQ&DWbiFOCb}NiTD;qo5BbM-u9jhF57Ia$HJ$!N zNi31ODaKf16h->`eVaq#CCB)YmM@X062Zq0h#%^NG2G9%KF2cs{843X(gF3wby9_| z64>nD)6D*WJ0l(=%}12(G$jwKAkU{YJJ~7_r&sAi2;NX9MPB=2c%}2lSlD{L8>@)= zppAksn|sHWBP3&7UC<#i&@5%DVq*c>Cd0Js9?|~^<}-0msn0}3*L(@*_F)_qJun@5 zXzy{^PV*8OW0%c<6nr9t#jR_ziNe+-I^q0B@V!wWj-AAnoJoWC>WL{J+ybC$ zrz%vfvx^vBFb339=*}{ZSIJ1csx9dJ!1Po0{gsH))|SBHm-1q$GbQ~TtDs2>-@Vay zu;L2*6-;HC_BDy}h+4d-l`zo?{SXab-2j^p`O1RCp8MdXOAGO;BPjg%mtg3wl_nF51@b>nWdEg{!rVSA+1F+08KmBeL1);%=Qajdsfu`}X0K zLsmjp!Gy>Dde(9awBVxQ(z$AwCS-gPnhCu>u5|~mxB-0?ya||qzpLwOI1i$opSLH$ zUeX8fDhf7`+ic%ATQcEnL!m@zSQ29hdm@U_1TJnUdHGBm?17n`cd4L=QNZX=tktHS zV+TjzoCDo8I7i4Zr6Yo@Vu)52K8lh;JMGP!m2$fyKW*4P$K9+zjLVz|x+7CS#fN8a z{9Z{WFgeaR4O-B5EWBEoNGVf6q5eE5h51bD^()bgvwq7Cx$Eq_#ewR;-K$}en<}y7 zK2g)z@R+B*ONh_VP~0Qt6b~S?X?adi_1VuI`C^@O?wn=i{Bj8YL&?(`+Lsfy`^?Z6hjo zI?J;ME_O)f>t5ghdOimaxEPuIs_z=PO0}TRbF*;KOkG0@$Y(xHI$d(BCia;SfFfpQ zDVFjZmKlbYysC>_KdZ_xnl8!-ZY`=%=gcj#hX<(aUhNqg3{?`3ZasG1Im=}M#8l2g&E3c@;HZ__rZ5wWd-u{qJ4|a@~*$2R^6u2 z?{nUh=rwb8cKBw&CC_?1P2FN_G$z+28cIgqN~5Mq^l)DW)jX0^rwXW2Ta6(^yu^uM z|8WzpPrvuC3RA@V`SjOQ7+=br+^T;*BhlAFtem`mBWynAuC|oLlf_cL0%e7##q>kd zv{yTEDm+51Y(A%?9IVB-Aoo5M!Ps(Fx-_X0Zl%V+rgtazsX?dHXexpm&<8#@{7Txc zd7f;!(5eCi#W$C#Cq7ezww;Uf&P%SK2VyvMbo8Bg39eRnR9If?am|p>?9L2|{PeGq z8Q$O7bkvw`wY*0@Wxh^I-t{qP)%UVIEg@k5LaH+WI;vK&QVT(dS5;H!S}JgJq#f)i zkYb{KV ziTbJjxJ0B3`MMGKB(ch8B4z!kB`G{4*fvVB8|wVL^YrmiQMT|Zr+eB9Xp?SMxnltqVcF{Wo zMW!DG$paqB*TE2XG3w`pHjNeqHGC<0I*e<;Ls{aMos9U;2W#6olH11RC3kPnciAcr zVxIRZ&-S(C2ByEV=)~)=RCg)OP2UG+$46}$le@~&sgk2n32c0^GW6c2nXp?1%?=?O z z-P&&QWU&!iE@=}(+N^Jio3+cs1Ys$>1~M~0i6LyPPOcn?T;76qoSPZt)y#>`a@msE zh|_}dgLZ;?*Ti#{Wna(D1Rv**naibE|KCqmE(V;M`MwwS7eka!ZJ%7drryKbAG(ex zDG*?&iRsi;v~4NbXCx@$yldle?X{W$K>f2t=9RP-fF_#b$2i}Wl1qq(=|%ohm?YAZ znh+r&{irDZ_Ui6C8VbYkXD6*oWLne%N@6ibe;gJBAi0c^O$?hbKKYFt>;kSDQvX9q z(r)Xvej@A2bzWlfCA|NHy_P^smk`*%QloIYqWHm~VY;c!=e;c0l%Ir|z(dcsH!;-D z4-u1s%vyYVjBPp*+pQEIZ4mt6gnC00@bby&K5NsD{$GX7dV%h8Ey`!5GA^=PLIDCH 
zKZn)E4Zh}`VZyMsTcZohIa{q|QdHwS01O?Z{zs7H)T{mri)nxi^F}QOO?yHBzL6Om6Ve|={OHLovJ``+BJrk+@-CIrJFNm z>4aqoa77&&L(T{4)k26>`IVexUwXIYEIRiN_}9Fy1TKfg=rLnOY2UP56iNm{_KMw0 z9=g`o)nwJ*fmJGR8yUUgUyYeb{GdGnJBpoK&c$PMnec`4b=J}Y=0hzG^lnI1&@CTV zTjQFW;9bG8;(=|GwtB`=lyK?~ZRW$4dWm=DFV$!lc)MQrXX`Dy(e-M6WQ3GnZo7>} zkolB^iY5=6ZEV;asfdxh8AEM1fw`KZHp@fJ-vx^JCo^h#CD+JzvCk(WxE*m;Xiix{zn$2c7%09k`-|yEWST1^?(pWEmn0KL z^dSI1b;GwM9xGRkF5?oz0!ax7Hx>E4>PG~fvSI0InTB)y_YCJeLLy*O)r&Xz)}Am* zsM?%Lic4N>V{Qbc(1i>wq>}1&58V1XewRy)nJD~SHR8vDuxI>Kpprc6%`L}jB0HFc zm>&^B`%cb^*KMDqx>VC~c=Zfk0@WC_*o-&VPYewtB_y}918>@=@s_~X_zmZDIVQ+I zHkvpwPJI|fRUGGGo$YMt+NU~d=}{^NT8Da!w9^B8u6;0uSsZtd_0x|FJmojfnZBhr z_|lFS!KHoON8FdM&8I%|i&W-wD;jg?ReCM@kaz?GUCP<*#D6G;bSXuE2)wRWl)w{Y z=x6*3d>e#neW!Mu-o<60@?Y+}22cR?k)1n%O-n_g{o@k;b#C1J_SoiQn0?vK34f!$NN-jDThzU-^67d0fn;y&|pa*S0hcy2P^ z=s7G)v%}>ce*7NM-c4fiye3CEut9w+dAWz*S8X$imFGo*{_BNOLvin%s}qm-z{56n zQlI>*D#^XwEP~PJ<+tqR5H4>G(x7Z4o-UbS)@Y zxrL>_^4bIB`X{&3d=tCN%X#P_at?ZTGAU3pgIAY3{Gurtz3LEkEP&hBufn3tJI9PS-MJgZX zfx!mdO5*^gpd5=d2YPp4RNRnUsvwo?-tST0wTZ<>iYCXkC>qY?e(26z{L&43XBWU? 
zO(3LovT!1_stW1oMP|s%XWP~G6o^tyOLFFOfUo_&kUx7C>0W(^=~+wR(Hdu`}H@(ucX2#F&;rTK8mpEHDB;`_$S|}(W4me6F$&|g5q?4Y|7iLupT$(S- znGgxhi;oWo=PRqJgfV|9rLX|519N?nW!JCJHT}r$$x2WMIsZZRoSu~{qd$Wc#n1phHHNZU z4Wfs%NN@`*o4Lmq48!a-Z90q*d)98`ILUVZnZYLqHXi>a3+q3!TqNeeWXy;nzOuKx zP$9jeyj!0Hd+JrBI<0~~mN`4^dtX&LmrApc?bT)+iKL)wL&t29K%Ub9TINbRy30{E zS~WoB9dRA)ciYgQBSG5Wo|G@W8U2iB(?vT5xL$aEyqV{kW_n>;DXVqlg7Xmxj<~}e7V`$*wap|`^`3mSi7WY z&I_7dX&G9Syi=}u9xdanaQ=(uyw66!R2RkrB9P}$E=EDA9PE%uVjqx#wq47)x$svA z1aSb%gh)I#CHIo5FNA+zMG8;{@|-=gTQ8=Q!n^0zvxW8)I}wVqZ_U>I7F7zMwRC4s zAn{F9*R~tt&$hFh*B(^LVknj8iOB{&tH4^)GGUVmT8i zzzOkokDU^@&KopRf)H=srI=AFS3Fd+bl?HMp5X}yEYS*l-rYfAt z@iON>amDiz%Ug;^fWgD+zZr|@_or^dPt?QPfK z>5{HHw3gspE3f*bW%lFb8`W@Hk8$|bks=4T%Dg1YW%YWF&>r5oTS?@H?L(Nn3OEtQnQrvbVuk|n=w^qMOBGuWr0_px$JwtAcVDBJF;Pd4ppPxw6`sh}{g^2OYtM3j%~&{Egx0HG zE^+L$KBJZnfjGgshhoXKGfDFn=~LCr3aPyVU{#K$a-`wssxr&>}0Wl6;0_jX1{xve(AD5;l*m+E2y zJ7lqUz`HL-pWMBpC0_x?&z8sMQmJn4)+n*K-+k?>GXm2K+r41*lIk#H64}dutp#4c zXb#E3x{~hAj9jV^{IzaN(^|uTY~{U3RZru3F%pous+aMl@8)nXsOWn!0h4E0vlIw zu7JNlKzKHZLZLKe^sUVtcb`t-Zu!xPrTzILw*p-EVkoSi`cju1#@D&e212P3ekY{q zIX!8pDfW6##yG{I#eJKy$M60?T*g-NNpnWk1Dt;gPU#Xceq_^(ALPS`hRf0b2QVio zfg5~E36N)QNm6-XGZiDXNnV*DBTw5KY2fJJ# zV!f}en1|WJnjJi+W6G3X70X`Ti$3~NQ^U17yM9Sn0?Kq=D2qas`S!0RX|gJb;B6He6DAGL@Cqa@IaZf zT#I|QX}Hs5jGZLa2j~NqnxQbpv)po9-71P*MM8LK54~6hMMxGjPVfmD!PFHmf5> z^?3Ia@X38FQK_C$P|>~9mT;RM|HZdzFk#t9CRMN63ZQ5E7n_kh(6vRHjd`!1d89s@Cx1bIg7glq?ra9m%04 z(KW!3vFUhQO{aZAN%8vSb6G>P-Md9&W_b>@TNgrH*qjXZTj8gR4$A7a19g(QSl0yz ztsVrjV;NRrU>W8!jM$W|UfhHaBm}O{_dIb&9^K{f`>HC@)n@j{-YYVqHVn4z=4jv< z_s|tuT%z5U$J?!~8Tv5Nd;_N3DgN%$_S1xc>(7e8W7Upwrz!eGC+2 zw7^fxUh?-dkr2*;#mxtZLS9!PFQ8?GBm3$K~dysC5uS)Pq39Rsxp z6P}TT@|LCdYTwZRc;oqkVr4dbF-_sxML)x=Gqw4l z{PM;7Mdgj0`%|73m7#&r>zu?yLDUPIjt|9+v>^{e5N-Qpnpd5gflm4g}i8Q(6_HP?N7w) zC~7DoMM@MkUvu7sMeE5JM$Jo7rMt9JDt)H>cYTntmZ6_NNvy|Ft7C=tHg}O?2G6K< zKg*Jv?Z0Q||261#5XHA4uJ-T%`xW{1I&*QmMP}F#w_h<$Z2RooVhp7xlU%o}1z0+cM#7|bKX-8ZUSKdYi 
zZ6pbDTGSIZ@X)uSVq`-wl5h5ZU-$zlqLw!>*FL4Wh(OYA5a($wLU8unE-2uU*YWe< za@#F8Qiwf`LB(fVOESJ0QGz+tcIS+v$F%M6f#YJ^cXrpEo;j{yav_JdZ@X?ZuqPefp&xKOsTbnj3Zy2s z7NuTPuOyhWc|y5mXOXc#4?$FJIz|!Qn=3iTP))l6k?0mYpkM4lk%D8lly0i92jaAUT#}9NV*~2U zmMVTv``a-KthU3mcM{riQPY2{H|=x1nUmI~D5ROb$+oMzFFJ>(oJB7}O^a4?hSd}I z{#?NCVTN$H_^Elxf8tXzmjC^`Gk?LGxZG;Fj=2FdF3tNAavPgNisVf)fSZ z)!B4x2`oqKU-}c1o>ty)3Z8}5EdC&D;rk`4va0H@S^AR*lYbGW1QwORR5ldBothm4 z1ome3ZJ;ibSJ&r(7G@Tt|GuQ0UG2I%W34EbIkvO#E2`|$zjoV6at!s=ic7B`5t$re z(DL;B;?kz1+TCO{3ucyne>35iV(bGdsmEN zCDfd#H0~gK#7_%yEZLPP<#sH-gtmI8tSxhs`2X0$bo*wSR1-q1Ni~KctAVg>x9;Ks z4&e#bRK4Fev2bWOhGn-cAozMYM`-haYH3px}PbRWDx>R&0mt ziPfYfge|)oqn5CJurtxIh#ug<3?1UGyCVg2XaN!aE;eG!$P0k0UOj^3O&BYy5BpJEAz#J4w?riSqQhHeg<)->0Qs4VAqO{ zszn%({x;{&uc`m6bB;I2(rviBiE}t^!&RMQ%z$9SKLKMggFvz@@oM{QLAgb|`|bmPY^)8 zUl2aqY#34S>QFP(E>yfI4AxJe4*%gutozH2f^5BOVhZZ~yT<}r&eWS60kBtTzRXG)< z`}ZMj%DaqKr8cC!=4lhA9g{1zHo!!?5ARFGXB4HEfd>&HXjrNIpMX?XT={+Ej7}ay zF(xu!&uYIdn^2mN3}hB3eBY30MUBkLR}G`@bdY2ZmEv|c`L`h{C^DeC(jOcVhB}-; z{WUlNwg`0(aM-uU`^-`?Ie2s8vL8 zqOqMSx`_j{xi7(gIf?G>bONm3dDF2jDr>b z3^vJKo|wzs5*oWLs3XA;_Args1_%W-15NTC(C=sc^HJN|0P+-CwMvuSC5p@`A3KWr zZfXquk}@LI(j&bv7el7r1ReaqUj0Y!`H^CjTWmr(*j>+@|#qv zC)P6jN11V;hWob2E}4@-PHy*JiD!(gx6p{*fSrSBI;>$YuPEZP3so?>&mdof!Lp+KnVsG$P*J9a*>mgw+Qb= zq!deY%`nySW|UiHYF2y)6n->cX&P*5I?;w`1xtH2z$U%;q%cI~f-bNf_kVsC`T1X; zBCgM?enRS*LG6en>=O_qe}mRpq?~uVRzIkB3oI&fTmvT)H$`mZto5#-$^Oan@B7ht zyl;5bRUv~eIWpnFMk02ZdE?(EWodLh(m_W|Zxv2IqXW|k(0IGcj85h;a>hKeK0!wnpFE%b42%qEgKccm8oLWl=yO zd_h#=^N&LcjkbL(i2G+Kn&=OP-7xy0qD7oCQS6+NjYhsGO`rLG9?h2JKDF$$*rFht*{hHkPY1Hj2C%slBA;uf9l_HXbjL22_wFglqso}hCO9@pABd;I=GS)fV>a}0xFlT z|8v+>H`^L0bh#zL26L3W?*A}K5u>PI?An3oi&sE#*=2RxpPyI%nKf6V+7dXQBzU;z zw^SvUnD1^Gd*o>`TuC~+3a9+8zi+&6X9qCH7(>7|(fqr@UxhEJb-A-DcxQFQz6qXe z(xrI`7Q0-(_Mbhzv~+2JlnSk(3dqHuEWQgY_QOwR1e*PO%jIL73gDI5U4>;pV}-u4 zm(NloGw-(--Mw-2Xt9CmXGw)jO*(FB%6RjId9~}1QfdeEANf!G15l{-cjOcRKn`>3 zA1LS5{mQPQP9AWjl#2B`b%8cNY;55AA#Uc*iQvxY74T9ToinYGUr5ya^w;8!l$aU4 
zZko*o=J4RnEXPqf0JP@EZ8wpBwv#!c#qo~8X zmo0w|Rr3%#513mOJG%4-K8F{9dl@~KuK)dq>@|SYBFn#5eI51eWjn=VeGwrW?q8&a zW)n?$aP)1A?nU~z>On*KH1ZSoqU_(>A3R|D>k!b6X+q}aqcg0+V%h#c&zHv0pL-M~ zZ~Lp-D3krbrbwBtsvJmZ6MZRdqfO4T>%0R~Xsv#AS%HM)?dCk8I3`su~-V)7Mf zazv|L8Pgtlb9{8#=6vLJcwtC^89Kw}swW<`_7@NWiy|UoUiOeS}(#G8uhfdGPvH+NoDx`-!*Y-R0bEuWQ}Xmly> zSv~Q-vnv}AoI1+0b`0Fz4Kq4`ur{XWH_|kxGTvH=SrH=U$A~jUmB^&o(gh0v1VhN) zjT@YHU0jJ1SC_>XPEL#gyii=r|3Vz(HWmur$5FcDZ)LwLBjr4v06C@|f#)I; z%Xd~Qm(}HOu1!`Zx`rli(+(q4OqUO@c0B)QOk0~7T1oi~F1t1|U}iHFKHs{)Eq8M;cxH(yL(fN z5k2=4h|Bbdi2`k)cWCG9fI6mQL*#z}1=US5r+j!apG0Q}_IkC#8pgqzzNQxHNV>r&W<~;kOQF9ZqR$L`rm%liB78MtZSns zA(=pV&L2~9^~C@7W@tLoa9O50m{-_=?NcQDf0bQ%Jd{z}9$OTVh>Agqlr2ljGPW?; z5+#X9g;5k?EMrZU&?u2?Lnah4#n@#HDU2cezSP+F8oT$*!~4B|e}3}^<~+}HpL1XL zb=_xulJ&khGFff1xQ*hxRQ71M>^czE5c&?l)&FJ-mPBQwsz3Q#9}mTLnoWzuOu_%f zt##1km1O-5A-=Fd2ck$YCm8#$?S-Nc0g~2#KVO^PJ35AlYGsb)6%6W*QoX3+Pe+a1 z^9O;#9TOuF7zlRw)NKDNW1n^{X7G?SV;?mF)5JMd5gavwCH9@9l-=S(Ss){D%6)cV z0(Afx9uCB=hu)h zXSn2k@VlWh}fX+K{sM%Zo2~ZPu*+#Et?gMW^f9DzxU`~lCh%S@hfIVA@CX6gjMzc z0+1m*+@bG!W87)+DGZrhaRW2U`9RN$D5gnTx9gXyTPC#h=O5oS&B`=t1I=-HoTjP| z?!LC}GsK6LTn}MRo>DHNzjh<>rp1s>8s4i@PZM$OWN`lADJ-s|BX{r-C6pMcnB%vA^8tr)eE2Mo~jn^swzKFRpOqi4j%$3 zKBm*-xz7+{hiBI`ldlt~h$Zalw7OrOTzPMAn3QTY(GrZu8p!G7xdLL+zNdt>PBn0@ zQc7h2=FP}y0g&0X(p=q{6c&h8D5Qti?t8oNscRez1~e8TJf1+@5@PTnpy+e zcot%27NyNk=g|6SPvVk`k&p0@?yGUtn8s?bM)k3%hOQ|kuq0z!Ll^fq&0kKcQ^@#P_R>AS;-7#1%t~Ee*9_FpDq0 zHgM@wI`PQrF@y?rV5|w@I`qg{gS(b|q$Jj+@UcR!&*erQwjfNl-Y3uI+D*D_gO{HXK zO}c(EQ#);AK-$=<0g>(I>H}6qL&LGpgfayM>(^~LF54+3Y+954nn}jws0U@sQl-o~ zD4iO*osMtx&Yz#Rt$aa8HCO|ER=JQPFj`9{KB;IU>#&x0sXZJF zwwHC1Xnj^@{v}v*W#`xih0==ORrja;=iA8N!T7>uq`2Y9Kd1h0k621%PE{DD%AzjV zP5y^?3ON)Amx#bnrD~`EG<166yZ-*)Ydjo)8ImVZvCR*}FESU9b?+F^u~S&`Rt3y}h%xzeIc=xF}+tZF;u0-I2)3%+H^TH z*NnpLJ?%_hE7@wc>J|1ziFLuz4L^avzkyQ_@sAUJ&NfLdC7u=FW_2T_*q#kg32+i8NM;ps)LU4i z)S_P2^udl$GBabsIOM9DJXbXG8jn1qwJz<(*!tA>lE>?1#T+VkBD@%t%o(>*zPk3g zbnL60c)Rc8+m~X0+^U_1c8>8qfkl4#;)0cX_%Z9OyBrV3p7MHaaUJ&|0R 
z(YPJ*H6CslEM7Dkr4c#w&qOiG#`4#>fn}_Q8y{9$PR;vc1KV+q4_R(O7sbvP0yNbzR>qC>rbOPCrp(CkH8{0-s zHl8FU)mJb^q4LP*@YzyUgR_K_C{oU)yoR}ZSS`0#?w6(J6(4 z&QIgj*ZMUryEZ<^`Uk)z^A2^*B9@DHvId$%{XI!A7Ija>3(5)n9)TFDnDbvgKU?m? zsoTnm98Zx&T1huVeFrMkj-&k7OQsMOB|9|>xY*r`Slvwxn0n&UPCaDwiWO)MkG6}* z!8U$Vd<~zzAcL=R?fqnxz-`O*8{yi&Q@w&S-Mxx8bj&Y{ITo#)FqS=VT9njhNC+?c zCK^=nsnUzPTO@1gq8@omz9SEwL&d?r{o823>{Ex;WV(F88?KMW&7$ZkUe__F)1~V- zw~0C5RQq|Mhx~+6+uRe>)<24fDE4<(Y5r=@wnM9xTzuBy91+d&hW;_-fg^M^C)<LuechfOWedc=ecNcen!N3( z$HpdMe72RRFX|xA zY|AKOxxyd6B36*#3ays@N7N zZq`Cgi+nOQi)yc56(x!_`ZE_{Z}w@FMnso7nHD8bKZW&FOL>yS5cI%|OPrv#&wMW% zM;EHOwk-IJ8V$O*!gsuoos30o7Ra(0-|2a#9yb^Q#k*KVivia9s_J|??qv4UeNHgLtSd`Mei0c}QjC)JSl zo=G|3WJHn^yTD>mj^W+U`193+a=xqf**;XKd{kr`KJ7hJ`0=PS03 zD*td68;sKUD$$-%MB>36$3eLi)l0gQoPbj*1IitVy2I;Y&cB>> zY@9wEM|CV9TLHwD@jzTPw7PgLt9^YGqnxl6mpM)FzR1-wW*YCCSlTIlZ|re1=8xsj z3eMP@5rC*D+A2JH+*5QkGf%rpQPQ_!Hix9K#jbz4j|6Fmsl@#)B2^gqy&;Ssq_4LseBMYF6GT3e0VETs$R_(7ns|a?I*Y$zBwy40 zo!ZriB~Rmu z0S5Iu!K<8*q;==^8=2GKeW_er>S-M6ixq$6c1=9Cq-z}AeKqEN0|_G-Sf9Il&q}R~ z>uK-7wZOy@8ZfgW<*$_^sSFTX6jzPn9^R$|6{z3fZ(RwpNE#@Dg#W#@bQ(Oi{owA^w0s zHaSc6Y`t&KHDUjRr_8^xNr`MbY3lAHO!Jvs|17H3we|gy61}}(@z?k4XV6=v^7>H= zkn$9@Mnt!q=>8N%pJExdv7$NnKQ>==?VmwCd4P1q(wlMF*>V>tO)8ggq&4JPAN{Yz z{?Vmp-xuzW(SGh%lnxiK z@~yd7XL4B%3&j6v8gIx=fmn@>=Yuqw_*_u_T06_(kzAQsFI!$q?^6+z5+uRQ7IKC!^FP$ z=iPr_wBZ@jk)VwO{+XLjAyMAM&0=1e*lAfVhe+Fe()f2;38KknI-?L+bKj=W#nzLS z-TNWviP~8yr@I6~^N97&1&#n1INUnDw^~tb&c8NsPRR zU&!gl@#VAL0Ka0a)hXvd-S3?E7;dl}^doH`c;_v1MP13HWZUiR=n|^Lh!HQisk76- zBW+#a-ckt$)@8T(o@o*%I)e(_4-kAOHW6-EI*V$Vw%;iEY@8Y?-w45wuJDziPT-Ql zffYYKTbZ11)0Sx^#@^Q81jIn!R(KM^Q1u(e$hO|+a z^?4U8J;Exsr_4Y~e~(uJB;R+Xy)JLwPAA?rfGc<&M21UKb$*bIJvym+t zS7NPYGi=Kp1~rAJ0#LsDd~ZJ%M(Xj!H@^L;ZG3!C4oa~YJuhBR?!8PSo96V$Gm$$N zAXTL=4+9ARKL=9?kI3XkWic`pikN_|S7%};+)LI9J+9ofekxOLe-NtYa6Af4+#XUp zYpKYCVY^$6xv^^%?x%z50b)0KrU~s^P14w{@Z)zycwL$8{QIYC zDjwc^#NS1B=9&eFcdQyGK-91{jZFC7>HcPr3hPgy%k3vgA!C7U|cs&*+$tkS%2e3nU 
zmHDkdyA8$hzM_|0&(`#7#qlYNN3sJ+f0q-gLZ1}iU--3xxPMdAgyFjQEaT<^P6ixp z2cuIB9>iv74>w~)3u6&%ye2f2r1w!sHc{(+#qz2M!`bdBE@u-XkRCfKeFOyQg1J0c z?ZT)>Hgy6A@bvO;7eIMq0BP)3A9>&T$P{=p`>vHmLNo!@099q1?|CP|SXm2*r7G0K zOgm$i-j+O9KwD&Uf(^+hr5v}q64VEbT&-j6p&Sb3J!uNn< zFc=+0S4-o1!vZdOHynnlfQnp^b@pFT{Tj!Yjy$sa?6|9O!AZyS?9uYdw1D0m8vHsV z#=>ytDBRHU=Dx7>A2n2e((_cy^2mq1uARA&jl7?>XDw-)wEDGM>3LI?%It*#Ud9c08n<1oUT}ct_^EE@({@WG772Ed|2)>b zG(f=3UD;Y5Ng0qkr2f773EauU8ku;YsEAgoXMHxYBZZz45#9E4&io;5KVlxIm6YD` zPVx+G*WO&qNA`BPJ4d_7R%lWhbcdFEaHnYKS1}FuGBF3M#w)S3FT`qO>bEvAt+p^} zG;J%KeLHx6B2(+!F&3fmIe9qK6*?mAi6Wk#@B<9pZtOeiuy-t7+)+_5fxD&NNbuL8 zTBTme0NTaxBr*$iV{6sGU9WuT8>HQXd%}@s9qj-6p<{&o_Y)AgN#{1KBDu3L&Z6rx0v?@C(%UC91gkhvm z*_ScQWNEXFvCm)_-tUxCr}KNS-}V0W{^hyG%=6sO{oMEW``MnGh9~rd5StM^JUl{w z{dw4khliKQ!?SGV$`$ZQ*>5ssJUr_3zYZTX@v&xf{YFH!E-sF5+kANC4wIGd%nmEA zdw1up>Rp2v&F zT115)d@25DFMLJk#P%^>9-gh~YkZdR@Z4!#3B%@j>-hihvorejajK04Zavu4Ev;$C zCr=i22Q3D+7P;Aw)bbMjhBBGe(Uep(y!EF32uY20kC6|ZTl_zUiq(Cp3f~tgc64*9 z_6TvyNo|ftweRPes3P~~6kUPIZvW93W#{&D5(2Bm;ig?O_u5rI-ge}cOIzy6B&~%( z`%iCf+Sf>WD~VZM3=Z0vC#*Ho%e~O&g4PrH9Jm^0vxl!uSbbotahgF4 zlNvO~D7x()CL-nPMZ>6y`yh;aIpZ}_`>H)h%ciM&4@}nW+r$tQLl$sQRc+$}TYM_! 
zInzCa<26~PIZnqO%AQZcKX2KXYS-Rl7lCqLi}AKKeHb9=)}9^1IjEz>9@uV7^tt5D z>b#(rRMIrqLt6A(Y@hV=8187+RzCmc#v0bB;OgzX3Ris4flM+TMVRm#e*RiG)BR}F z7R+ngn`?Kte8r#6J8R#lIjwa6kK?xvxPP3$2XSgm6({puIu+gPl_?#v{U5`mTx+Zz z^WyQAMXszyW=>J}gorr`XYwxNqWUOtGE#H2xIb}HMAU-AX6DoAyWm*@rXuoi{>2hLHojjU9*7d!r1&P0@=RZB(J%#N*!!^9y`OzN4a;G(Mi1Ir*Os1p zckgykzZ;1|NDxHjPqL?_3cVN>?(cV{cPuQoesjA*aBFFGg!qL;KIhi7h@iKA<5gme zOY)&N{Fr1j%v|rQkbP9a@TApBOmWY^B5|*8r5KeO~t=BF{43olkU?+@W;qfYbf}MK@&ClN*u29~AjUNpnW@Sx# zb_=O~xYKNXdi{EzKY+u>RUulqxsZ<8HYf9Tgh3mCN%v zELz-1S83cI$75IftWkyMJ}kR)Y>Q{xDX%V9>jL+KT_v8JzC*zkrM4w6|FUbZ3ba^p zUms5ARPM(bcFZjuQ5T>Ts0oK9P5o}QMXT+ZqgN*4MXHa{6>_wBq)`Rmis&1 z6bTkH*IBw%7^*^#VU{4psV(E9su*HD7Ye zqy={ELi!`KJv&#eB*skbEsN~&Xg$7=5^oGQ&$45ea>!;j=L_i9SE-*YvT6_&M-b7a zUWGLU{e<@M(l9S4L$Vo38+OHf>y`S0OSenF(5Rmm5(pk-0+pljLUhCOZYA`CwAHDf zW#TVh%|w^7{6x?%AIc#RM5vwlV&`NB9J_Ma&Ph(8M0L-h4k^~RVYAMZf4U{t?mr9@ z>V=$|n;R)@)E4THSb8>`PvHu~clTvzr0vvO`az3w zCK+cIg$Dlkz4)ANu&VZMN1Y#YHYF8L^B_SfRv8|OuPhNzxUwicwoMue<_qVRr+*Qs zo{OC6xiBLWveDLV-~I$fP~`dA=t6R?Rr&MZR=%1U|I8pQMoMb1!zRc$lwAJe!rWYa zMfBGH+Qe>e+I#j|*XTvoa3_ln6}JN)CM-F`T+YL@(_ z?lyn%hBXHz9KK+hV^MfS+hDiV%ZsTCt0u(Ltu6cU=K0my%XxH=+s3ZDc+!W<+Cl{-F=)k!$MY$vH=4z^p&*{WMH?hR@+0W%-NSf+Pj0`dbr1W#Y6xUwwG zq4`M~%(Z=QMR4EeC~Xxnn}9q9w*Yl&P4?CAgRN59i7Dzbm>%iEWVGSg7L1;t#WIF> zPvCUtrp=gtW^ztz!(|#D>yOr36hi>tO~o znQg|#2YdLf%NE|rB)Pbj4F2KYpT}+ageXZ36=r-({)LmY1pqvqc;%CRjLphU9Zk8E zW|6f{t(g6iVm?fDc0Q(?SnLbynlVR7ieNi6OchqST^2^)3O;fE>pDNzLK{yqisj62 zhr)V>zsoQ_p;k3qHr<`MHS<7RJ)e5Y`SKw9;hhHy%ow%mZvQX(&Xs^b| z%h%W(r{~>fuuqNp_wTc>dtS5Nu!`Rrbwc$z!J*aJaZ?Q}8`np+GwVHWi7B`?Xii%# z-Vx%&ikL0)cF(vn)H)%ID(c#gURe%Zi$Sqa&2f)YcHW>_Z*+y6=RZ zxc9^h)uSxno5QH;JM|E)J&@^_D<#Yv4O_j6=jNeap-`leQSVLDbCU9I9frN4sAc*O zcG}XIO>8P`@mA~jKe)J;5p`hV&moDV_CDFSvt&IzI!bgcdd%1p)i}E_H%h}7?mkq5 zerO~`FP*;MqwDNg#oulF`Z{N{YJp@Isb*jH4ckR&F3wMSnTI%=&5(_ji_LV!yAGu6 zkwcEL51POTBMl*y42dTt-LRol>cU#vT^Uz%(~ zH)O`*0-Pe8twm6N@QC;uccQ|aDY*&bkChyahF*G^G*Qpw%yt248+Lan%k#QsI7X%j 
ziK|$RdUn0md?ZNplhR_yo+7w(wjJ@nJ*98kuU9MTk&CNZm@KWC8f@j>9H8+;b?sxd z<|ZG>@lFYNw$pKMj~ITH2*FZzY0j}S9HTZ`ezJ5K&w|?WZo`b0f?8y0hhSy^Zl~+c zu@edE1kI=x2Kqbz{3dQ=pG5f^tSS&dxQ_m)pI|}W!LBZOkW>Z&8rFn@*reu0I{)?E8%!zmh zxp${5a8oU7Yf1V$+67J4AQlVh{>BWiO+4s*88A- z^ZIOZgY{_Bz*$YyYSPT7@Y`OTm?0u`h+1rdO|Pez;EBh3q*Kx4ONDxib%Y04pXQ!? z!x{32rs`3_!1+oEo}194Z{iXWNr*^`aGYSq`oo3vR{-RqbqDMM7<8OxvPE1*^3!n7 zC$;OQ@=Bt&4jkIY2$|~*5sAg2vZ$V^)CL2S*#kovslzRy@IdQ4hT7gO;P6peYzO}j z{a$yQj1Wn(85Y9HdmYpHC_EeNsMDslWYT61G`M|cHi3mg;X~<7v$Oq47p6`< zHtF!9Jshmu%RtBVNVa(7uPBoWvQ)Y-@}byEKG)xkdQ(T^s)P7nN|XNw9fP*GE`*q8l0OIxEX z5_{3`Vnnx3CC7XyY(o!lJC`Hu3O*5odVlDHDn6>j`jq}w5#5xt^R}=CLzHk`f3D>6 z(ae%(fkC=eGq1Oh_6Rtdl-^y5={>RaHOYB+n^Nq6AQmmO!HJ-I$z{{*lPM`Eg zgxwks)5O{eUwI?V<&N(k$}u)Lq_oTw23lntlKRJK$6M+TdO@ouscpQiJv=Vxe&=YR z_-_EsS1T~;v&HSMEuE+(!)rSix$ZGcg-&GIR;ZUhPQvrMaIlyTF?zT8S+AZz z?|*;J-KDG!JCPrs|F|eVR8TDT^4IsX^{-ABIIQ_B;sXo(=_$t1LqJ5{=!+(31+r)A zU!D17#z4do{yujtBB`M3GM_30`5)&*o1Z8^L=$K zeO{lSK`{a5?k2qAvxxscuk73quVxRRh#41>G7ccQ(@ps30C!nNIH|6^%AIyOvs@*& zGG=s-#H#O)9h(A_JINphsyEf+(0AJ-589C>xau8?{NZp774$vJU@CM6mqlWqm;0b*d$xJ2oACAOpf7jz z*!8bga?AJ9>ds?&4z^Ue6m@x}nPeK-!wOa1p&woFir(ejbDTLl)q1j?%PT_8JUjN# zWrq>Tt>bx$P}&JV`;1g*ysVdpGO%4Bq}9veiT8%muM{_G%{>Md)h%(cVp-auPz0f8 zZ;gcAC=3th|X(|bYJ+oVBqYW4R@@y3_2 zUSLL=pBxEqb9c!ErAzH|qoUF;HKwXvnX6D0IGp0DbhKm{P*+lgE+PsMNx18>ZM%|B z#3)v=P8k}XH~yIIJK2}nZ`^^R#au{q%&J!Ooj8}z1s^&ku3hT1wC5SgY8M*f+loQP z$?w-%nEA}2yDYa3Jr!!n@7#6iPo;8;LZ?oi>^wJvUepzo6siQ+v>Q#uxqUb7qDWU{a~cIUeu0J>^n6kHbQw?lYFyWdzsA~#itrrzi&|tps{Kg#hVuo^ zv{OELGR6gk}nd zjwczAu$(&8o&Y;i!_i){yfQN$q>WmK#V_|y8hoyfz%WyjE3$@iyGxPhCI>lmEBRBa z0eRk*K88>C;xzSgRT;~ba01Y>zr{Hmb{yoYHsq0 zXED3)6OM!+0(CE<$f3>2_m=fXsCMt+N?_IloaW|FhY{u0{V> zAp%h!umg)?@=2{N>c1m`#Vjels$hQxKzeQJVHqN92g&;y#i&Ddb#1 z3!`MMnl1j>7|Mw?Y<9Gz>v+Q+ufGmrgS~Y{t@($cSv_lTFAz49HgUc$h#=YojE8Ds zp(s9!?3ej1*sNAYX~fWRzO&r%&wHU-(2`pYWq8s3vs{z1ll=kQ8h`vgIfBTS6{c>Y z>ZvP)B^*eOJD-adTsJEfd0AKtBk^pG&ANItb8Y&0;U~Q~_uQACZr#?hU?;QYc}K4g 
z#3ePLdT(ErHnq$UUGG!Ke5@tg8tSHnGNx1TNhKRG#(a3BYdG!kUb_h^Hwna2dvZ_m z`J%|U_Ih(S@X53E&6<7%UC$1_GAk9hf!v>ET~>momq3qfLkh7ou+_IW5u&^-o4o81 z7>n&+U0iy}xvLRWi!Hr7m&=YhnunzJ8`0V_jTw}Zx5q!4j{3Uujsm4%9PzWL{)jAS zotcV7J6^K|1ky2RTofT;`MoIE+?u_ZK zVDx9H$Y&WEnsj7=j4x{v?%J2^#We11A8l0YmzYzJTjz5`wbYPbXPMb&01E}2GFPND zh|{RAOv zpQ{H9o9=LEk0^5>Bb(L=7;i$Mi+vQfip_jfqQ&3Yna4ffVx^$MR9wg!_D`toRz90nJn$rZ zzVAQg&To1I6RYI-3F;4&voqgr@F&8Tw}n$6ZmtVUzMtXa@&Yc@TK0zi^^uK=nboCG7<{6pzv3^0haO%Gq6Me#%+9fW3m3U% z`Ny-h_8Z*c4ra|<{i~)Ke94e3EEp~m{y9dF#ZTJz)y2S7!CtEPe%1dzk^3(u54JoD zhq1uJ-TTk6`1QqHFaX67#&Te8IR87W`?fSYEVyg{e>!om-Sr@c)Ig9;S!ya|E@Sas zCv##-q-q2jr;6%_iy_>nK!VQuucvy(d3HFz(ctd3Bf~-0Mw{!l69 zz`%_#>;5p4>t;8=jFzDujqbbQAb?qv?4rM z7zA@znZ=+9)-Mx~ID-QNlUnF}VS!CoC`}}QM3n|@qz`stQBf81c$`W-az_W?Nf#2B zZ2iR>2>#O}eb?5Vcpf;lxjt5TpL<{3Uy|Oz)1V>j0UhvVpe9rE^X+|gdQyQ8uup`1 zdV>Y(cBRMPV_VQKdzRz=vQW($9}FC7I0{cdpV?Z!RY}A(0Pae$ltGB=bS-7L_)~Jx z#(~SWBENIYFDmHWDR<1v{5*~G?T@Jd6 z0A@c{4+2Xy4U9uBu}Z_x2wvtDuLPuAjy>3Uw|TUDZX~}S*4(o`_)ICsvPeaPQE-2k zO*wHERFD*kyMZnzPph{b8{2coH7(o zb}Rn6VRAHRkyd`{~YscI4WTQ*l37Ib}Qx1hPqs0tBydo4!u4p@%Vkp|`5c&xiLea;|Nr9}r z&h6QG7`W8?4C4DZw{pkVE{h8s1_e1bbb!&(yK{dQI=E!3FTZsH*RoHmmf0La?TSTf zj~ydKD;)rytKt)O?6Vsfr9JVj3-gnWZKJvpq^NIvJ^TZpP9*DAi{cfK;oGw<3T4Rz z0JP$N#3?zRC7GUXD`q#=rhgS|*2zRna1D4ilm2Kt{uFWy7c23sDVtI@{GwKoI(g5g zS5ocrxu=vxq^oi1p(2<1in+JjqaItjm63q~r$%XQ{xHLI`>WR7L(p7)O-s*Lhn2#| zZv+WU{Jm1$gQub6G&*Sa$GZ>T2{vvpL|F21Tx7~6MT<#`^D?RR9JQ}(-Jt2h<$scT0KqXt!h;q$-qlvu zw&F>ADNnvp>1{>D6&l$2ncH6c-HPYmpDXxFX>6!cF(FGi7qQz{vpP~TPTfrG`e0mX zW$wafO7S!OM<>vC2r1~zPl72q0+Cu)sQsi04S&|KNgPN?0t8OdN+Ph{B3g3j5XB}) z$aQ{XG_(Ca{p_EiWleosW#5qaW>c0fjrpsWEG(j~icb(Ph%{TwR3mX%memxC_Ay|P zv?xEwN;uP0RK{HYv|UMD8Fh8U{6fNct=TW@7FYA?EtLh@y^1WsT9ZsozzdYQ(*(!X zG?uS6XUe$L<)Cz%NVdhgZ1mOwRLt)HWL3k6eLNi|Cj0J6eOEay)1sGKUkWx7D|SR@ zNAGc1=UF(YCV|dK-Rd{p(E3Y|NU?H{z&L|}bTqb!D$D zTB^zdA0SJ@SJ0ar=5bSD-!A<_$WTBfKl*1C>891qj@sn^x3_PCUIF@{tHQa$PITyy8wk_o$ ze_!!U76eTCpg)XpZ}mTM5~$3X@{vX6^e`6dn%bm{c|WS^ok;+@=IE 
znRqxK{{o~e{vOT})N{s{wI2Y}1#SXtwUT7MpkK8!?&|b~+6g%7-$>;rmi*_@w_Mj& zYv`0hewHufa$jy62>1A*K*6H|mcFmdj|q?J5;PbA$?rIE2{X0mD=33J!9|Ju3m{@Z zf&7=4_sHtxnW6&Wpb3%lr(sSR(||rH9L%Rcu07dGN z&rN&F%CYs%RukYCQi~(?!RoGq=JQomKsT6VL&E-Z0k6SxlLsJkRjoixXBehj^@Xi( z6gXkgvd8tqeq)f6+tf6MpN9;#Ww!bSn=KpXZWU0&447R2Rt%uP*4qSe9uCRqUSG9W zK;oiKwZ9rDK9~x3t-0ZS?r){T&P_F^LLJ-`Oa$4-OWp#utx+IX6>7VbG$M)D()63! z1HPjB5Z6nWu|uxEOvb_(VgYv2dYoMl^N3pSE>E-S(?y;3;-&Rbho0}ObL!?gplK(Q z68*Zt0q;;dF!6SKJt$j_!Ux85@*x~T>%ZNi?wCL$`cB?v$zK9DI1WG(jk~;pwYi0M zsoEV0Sbr4YMUXqRo;WB0l`CptWwfp6P4J?=n+FS>kR;_J2C(>jw7fHm>Z~Acgo+3N z^Vk6NHy4saF9zre26htNB_mG5JJ%NgpUY|@z)NG!9|n)l5J22>A4mzKQnIN&v4~+^@C>hu`xB29O@xw#2>wUaGT+$PlDD`4ExxW0kA|Lb_m?^Lf zMWD*$2QsmuI?OFo>R?`zSP6<9%89a>bs2$%w(Gln_Ze2y`)i z@|-&<6t%v`b}q@Nikwra*Av_mwu@*^-3iQHv;FAPhWqJBSSo=o5czT*QU)sApd8SK z>q6oymiDTnv`MKL(rQ3e+IJ=KMkA!(TwdR=JkvJz@ioTBcwoKum>1}*SWTCX=L3!^ z^GEpb(a4?4AxAd2iE~)=JvS5~g`IhY%_);&79MhW(5(lk9kY=_-?dR#Qe7#v5ln$$ zx;3QuGFAAk3%RP%-Nae<;36oTVBBj1D#O zq&3e@kJb(uI`>-nqK+QD=}NK>vjiusCmA@^?B&99M+okKxhuY0VO_vFkmqJHDzkPh zN5mrH*&FpgHunoyqvTK@rzmVEw3E^p0OV4Zv%I6>#oJoe0pmyf>o7s7&-g%ia+w-L zJU!2gTUClnukPKsUUsLRtK)f@X)^uFQWb|JiL`{$TYX=CHqe} z=H&7cURH>sgLb=S^9cyoIXnUpy3-C^kva#nixiQSvH9G}DzQ#JrpaQE8^JMcMdcwK zB2~h8K}%XITaVX@Sc&@9>vprT*^7F|9w9NLM&U!8m0 zB|_x(Q7Fx5H|K0_N(PG@gZNiFwhK}$V4+idfE*i(IXYr;qm^fBe_y|~FkVMv_rO_% zW)dG9PNUVDAq6i5ZMRW@myx^`6i@UbZjo{915+XXaZm>H4{=vJIWD9?P$RyE*(ge9) za)zcE{_9Q`TnR3zvXJl+BmzPduB2IO#8dP}LcI`CUC%O14abw!m80CCFy^$SfEHSr zCpi9OItSA>bvI^i*+Ku6bUHT(9m<_HSi(!=b{sWJ^e6u2En_C+k4yQ?FAJ0s72YKAhG_a|0jTNAo@2LdS$` z*>c2lL;#|)8S}27E9PoE_DTCfrpJ)NZ6yBL=^HaD^8A0w!W>V#gMEr%uL_$>g zZ**t0%SC!l5w%OGfbkgjnyPWy?jq>w++Y;pNj60r5>A-7?jk|fEWh0xPkrgQ-|d z=d*IZT%s#)N>kRw9OY+2={pc5&4=5#^xf|`YFmMlPXFMOJTQI_fCl z=SC%o@w~YC-Df-(B1rV*9}kMfm6Nl~rsI}v_4+O}Y!$z^!3QNzITA`$)2%&_7_{I^ zg1~<9tqQ?&x-Gn;$p=G*=bClrwmCE02o8gxL4u#}IAlhQAUFQhFt>^qgj^*oT%O}y zY%M4aan+dTx>*`;&foW{ywT0tuY{Q2t{3?)#9E@GP{OC@a7bkSSJg||^+U%`WI1&(;r4KqwqLbPcupehCxuY%cMtqJ6E`S8p`6lABmh0p 
z4Gwz$01Tb)_U{iiqz>X?eYSZ%43F!G{o>-nix`~;zh?}79<9bp1n5cx(_U!`EL>QXPn^Y5%}sLTJ(Vj%!&(n^*y8U{kc1XR+P8+F$@RT;~?Hv z`0s2ET&j#kt#v)J9@q45<|8U=vIl7Y{cltR-l+JSIQ@t`z`G6>_T!(bV33gz$H{kS z-uACSR*rRENQ!}YAl}S39>5?*N*f!1JMPWz_w}Kf0VHATM9r*hqxuUku_69y0MgZQ zkO46yNLQXI>rYZVe@in6#7x$VCk1_Bg~*opW*G&GwPPK2QJwwdRETf)feBtWun(Nk z)=Xm=?n0Ubo05vfPz&~gS6Mqybn#lBh8t;li??Se?#E3Vhw_wsY(KA^bD+Ejf5-t4;ORCEjR=K)@Y%IA5(W+|pNavAFS(Yy0dw{(ToekZp>5>Q+RwZk)7 z-qPNwJ=-y4h?|Ly6C{E~zHgB;8pKeohCw1dBS*osQ3QFQ$Xn)eqcpYVg+Yv>O0qhF z2oclb@{;|BgDpnuQGV!NREMOplgUs(1d7Ae6`aCDaD9+LfbhxEg0t-e+p@k&%*J5s zxXRMVL`?#7z6zYO31p&%Dg{x&AR1s!fXaGXOEF+(>~_CqFrG64*^5l?SyPyp`Lo?9-oI_luE^$G! z9rzy41JS*K@Is1Fzdod$+ci`zW;s9^>pJr6>h%@M&bg8}Uhd!)P|pkF7GQ2HoKkp3 zXdp8)j8o(4kOFg&&R0StOp2aqee6xGFo_lfT+)HjNy4+P0b`i9-OX$eCT}ip)+(NPDdM>(@dZvH$OtR#<`3mu8h571f zWxtc%z_0T14Z#LMs&}@F@|hR!WpX2SkL^|Tt<`}$f5!#JVF-C-yPVkwq;iv&4Yn6$ zg9-_>81-*AztGuJT9Nf^t(LrhQ{H|B*=GJrph?C-2LiP?4g`iDHd?6RxJ)nCO1*Z_ z_T(#MN$b@Q5Z~DpJl(7(RVa3QR`e#QH#97Cmlx6|VriMTaN%`NOx}^JFrcQqu;~}` znM}=j+h#*cII?TiDEROMi%&0=iGC+fNd->b#c*>i!?1*)kI!!6Om(B4X-zfh?xX%N z7OvUCJ83FYl7PS<>!j8Pw5}k<1C~R>N@DIOTE?l=wwehX7WWC~>6^P2_f=>pUCtf7 zzy0!WsH=sM`VVb8+bU>y8&cb3iRNV{79v0fAT4`qMW=l!RW*ZI;;iB}x)u|W7JU#biNP_b8{2$Q*b&!M4h9GTAARsk(I2S(Vk}O0j_!zB(?01or00jo_G_S6``4TL ze1%Qi;DbkwIgRR}9+7SIW#`f2R=p^ch1eHI%1y}0J?0nOaBeC*9M>d`cWiCB&sBw% zl&)`jsNv}&e52P7^NqGABVI_&>#qHK*?#vTgDYh-gNuB|KV>p&q!GVD6&>4WnjVmN zBX&owE$3<>SgPY$=cX>&e3#rIBS<$gqaR-ThI;9XWA0_t2TE{{xVD Bmwo^M literal 0 HcmV?d00001 From c6430777801d9532558999c1995a7988cf644877 Mon Sep 17 00:00:00 2001 From: Luke Kysow <1034429+lkysow@users.noreply.github.com> Date: Wed, 26 May 2021 11:48:11 -0700 Subject: [PATCH 21/23] Add tech preview label (#10300) --- website/data/docs-nav-data.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/data/docs-nav-data.json b/website/data/docs-nav-data.json index acb9aafd0e..a87da54f2c 100644 --- a/website/data/docs-nav-data.json +++ b/website/data/docs-nav-data.json 
@@ -548,7 +548,7 @@
 ]
 },
 {
- "title": "AWS ECS",
+ "title": "AWS ECS Tech Preview",
 "routes": [
 {
 "title": "Overview",
From 0f8b416052098b997e1d9d449f8810c5d69b799a Mon Sep 17 00:00:00 2001
From: David Yu
Date: Thu, 27 May 2021 09:22:17 -0700
Subject: [PATCH 22/23] docs: Bump core downloads to beta3 (#10309)
Make 1.10beta3 available on Downloads for consul.io
---
 website/pages/downloads/index.jsx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/website/pages/downloads/index.jsx b/website/pages/downloads/index.jsx
index 435eea6a38..911ee75c73 100644
--- a/website/pages/downloads/index.jsx
+++ b/website/pages/downloads/index.jsx
@@ -73,7 +73,7 @@ export default function DownloadsPage(staticProps) {

A beta for Consul v1.10.0 is available! The release can be{' '} - + downloaded here

From ce2ed0a8f54d5f15e816e2a57f0b07cf4802aa5a Mon Sep 17 00:00:00 2001
From: allisaurus <34254888+allisaurus@users.noreply.github.com>
Date: Thu, 27 May 2021 10:59:28 -0700
Subject: [PATCH 23/23] Add note about new ECS ARN format to ECS docs (#10304)
* docs: Add note about ECS task ARN format to ECS docs
---
 website/content/docs/ecs/get-started/install.mdx | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/website/content/docs/ecs/get-started/install.mdx b/website/content/docs/ecs/get-started/install.mdx
index 5766314d21..d0e0cd87aa 100644
--- a/website/content/docs/ecs/get-started/install.mdx
+++ b/website/content/docs/ecs/get-started/install.mdx
@@ -141,7 +141,10 @@ The specific permissions needed are:
 1. `ecs:ListTasks` on resource `*`.
 1. `ecs:DescribeTasks` on all tasks in this account and region. You can either
- use `*` for simplicity or scope it to the region and account, e.g. `arn:aws:ecs:us-east-1:1111111111111:task/*`
+ use `*` for simplicity or scope it to the region and account, e.g. `arn:aws:ecs:us-east-1:1111111111111:task/*`. If
+ your account is configured to use the new, [longer ECS task ARN format]
+ (https://docs.aws.amazon.com/AmazonECS/latest/userguide/ecs-account-settings.html#ecs-resource-ids)
+ then you can further scope `ecs:DescribeTasks` down to tasks in a specific cluster, e.g. `arn:aws:ecs:us-east-1:1111111111111:task/MY_CLUSTER_NAME/*`.
 The IAM role's ARN will be passed into the `mesh-task` module in the next step via the `task_role_arn` input.