From 929aae54ea1782bcd5734e4d1fd76174a258155b Mon Sep 17 00:00:00 2001 From: waldek Date: Tue, 23 Aug 2022 11:04:55 +0200 Subject: [PATCH] adds systemd --- advanced/learning_systemd.md | 1053 ++++++++++++++++++++++++++++++++++ assets/systemd_sequence.png | Bin 0 -> 55403 bytes 2 files changed, 1053 insertions(+) create mode 100644 advanced/learning_systemd.md create mode 100644 assets/systemd_sequence.png diff --git a/advanced/learning_systemd.md b/advanced/learning_systemd.md new file mode 100644 index 0000000..2b28989 --- /dev/null +++ b/advanced/learning_systemd.md @@ -0,0 +1,1053 @@ +# Systemd + +## What is systemd? + +Systemd is a collection of programs that aim to unify the service configuration and behavior on *most* modern Linux distributions. +All of the distributions we've used up until now come with systemd and we've been manipulating most of our servers and services via `systemctl` which is the standard command line interface to systemd. +It's worth pointing out that systemd is not just an additional piece of software that is added to your computer. +You should see it as a sort of *glue* that ties the system together as it's responsible for launching and monitoring all services you run on your server. + +### Some history + +As with most things Linux there are multiple alternatives to systemd and believe it or not, the introduction (around 2015) of systemd to Debian was a controversial moment. +A lot of online debates were had to discuss the pro's and cons and Debian was even [forked](https://www.devuan.org/) to remove systemd all together. + +> Devuan GNU+Linux is a fork of Debian without systemd that allows users to reclaim control over their system by avoiding unnecessary entanglements and ensuring Init Freedom. + +You can be for or against systemd but the current reality is that it *is* the most widely used `init` system around today. +This can, and probably will, change in the future but for now the world is run by systemd. + +## The basics + +During the numerous hours you've spent using `htop` you have probably noticed the first process is often `/lib/systemd/systemd --system` on Debian machines. +On Raspberry Pi's that first process is most likely `/sbin/init` but a closer look at this program shows the following. + +``` +pi@camone:~ $ pgrep -a systemd +1 /sbin/init +122 /lib/systemd/systemd-journald +150 /lib/systemd/systemd-udevd +295 /lib/systemd/systemd-timesyncd +378 /lib/systemd/systemd-logind +16414 /lib/systemd/systemd --user +pi@camone:~ $ which /sbin/init +/sbin/init +pi@camone:~ $ ls -l /sbin/init +lrwxrwxrwx 1 root root 20 Apr 1 14:57 /sbin/init -> /lib/systemd/systemd +pi@camone:~ $ +``` + +Every running Linux computer must have a **first** process. +But where does this first process come from? +Below you can see a nice graph of the **boot sequence** of a standard Linux machine (taken from the [Debian system administrator handbook](https://debian-handbook.info/browse/stable/unix-services.html#sect.system-boot)). + +![startup sequence](./assets/systemd_sequence.png) + +By default the Linux kernel will run the `init` program but this can be overridden by passing an argument to the kernel upon boot. +For those who have played around with the [broken machines](./exercise_broken_machines.md) this is probably no real news. +At the last stage of the boot sequence, systemd takes over and launches all services that are `enabled` for the requested `runlevel`. +The runlevel might be new to you but we'll come back to that in a minute. + +### Interfacing with systemd + +Your main tool to *talk* to systemd is `systemctl`. +It's sort of a **client** to the systemd **server**. +The most used commands, that you probably know by hearth, are: + +``` +sudo systemctl start sshd.service +sudo systemctl stop sshd.service +sudo systemctl restart sshd.service +sudo systemctl status sshd.service +sudo systemctl enable sshd.service +sudo systemctl disable sshd.service +``` + +Just knowing these will get you a long way but there are a few more handy commands to push it all a bit further. + +## Beyond the basics + +### A deeper look into what's available + +If you invoke just `sudo systemctl` it lists all the units that are active. +It's actually a shortcut to `sudo systemctl list-units`. +You'll be confronted with an interface, `less`, that you know pretty well so have a look around and maybe search for some keywords. + +At the bottom of the pager you'll see a few hints that point you to other commands that show even more output. +When we disable a server such as `sshd` it's configuration files are not changed at all as the server never tries to start itself. +Systemd is responsible for that so if we want to see all servers available on our system we type `sudo systemctl list-unit-files` which gives a clear table, also via `less`, that outlines the current state and vendor state. + +We can add more command line arguments to `systemctl` to narrow down the output a bit. +A handy one is `--type service` to only see services. +I advise you to have a read of the `man systemctl` to grasp the full scope of it's capabilities. + +### Inspecting a running service + +To inspect a running service we can run `sudo systemctl status sshd.service`. +This gives us the following output: + +``` +● ssh.service - OpenBSD Secure Shell server + Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled) + Active: active (running) since Mon 2021-07-26 12:14:35 CEST; 2 weeks 6 days ago + Docs: man:sshd(8) + man:sshd_config(5) + Main PID: 576 (sshd) + Tasks: 1 (limit: 23851) + Memory: 2.8M + CPU: 112ms + CGroup: /system.slice/ssh.service + └─576 sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups + +Jul 26 12:14:35 deathstar systemd[1]: Starting OpenBSD Secure Shell server... +Jul 26 12:14:35 deathstar sshd[576]: Server listening on 0.0.0.0 port 22. +Jul 26 12:14:35 deathstar sshd[576]: Server listening on :: port 22. +Jul 26 12:14:35 deathstar systemd[1]: Started OpenBSD Secure Shell server. +Jul 28 20:13:38 deathstar sshd[175321]: Connection closed by authenticating user waldek 192.168.0.222 port 51542 [preauth] +Aug 14 09:05:36 deathstar sshd[1001518]: Connection closed by authenticating user waldek 192.168.0.33 port 35448 [preauth] +Aug 14 09:05:56 deathstar sshd[1001567]: Connection closed by authenticating user waldek 192.168.0.33 port 35636 [preauth] +Aug 14 09:06:20 deathstar sshd[1001648]: Connection closed by authenticating user waldek 192.168.0.236 port 53346 [preauth] +``` + +There is quite a bit of interesting information here. +There are two **blocks** of information. +At the top we see some details and links to the help about the service in question and at the bottom we see the last eight lines of the server logs. +To see *how* systemd has the sshd service configured we need to have a look at the second line, the one that sais `Loaded:`. +The path that follows is the service file that systemd uses to know **how**, **when** and **where** to run the service. +As with most things Linux this is a simple text file we can open up with `less`, `vim` or even `nano` but there is a sweet shortcut supplied by systemd itself! + +``` +➜ ~ git:(master) ✗ sudo systemctl cat sshd.service +# /lib/systemd/system/ssh.service +[Unit] +Description=OpenBSD Secure Shell server +Documentation=man:sshd(8) man:sshd_config(5) +After=network.target auditd.service +ConditionPathExists=!/etc/ssh/sshd_not_to_be_run + +[Service] +EnvironmentFile=-/etc/default/ssh +ExecStartPre=/usr/sbin/sshd -t +ExecStart=/usr/sbin/sshd -D $SSHD_OPTS +ExecReload=/usr/sbin/sshd -t +ExecReload=/bin/kill -HUP $MAINPID +KillMode=process +Restart=on-failure +RestartPreventExitStatus=255 +Type=notify +RuntimeDirectory=sshd +RuntimeDirectoryMode=0755 + +[Install] +WantedBy=multi-user.target +Alias=sshd.service +➜ ~ git:(master) ✗ +``` + +### Modifying a service + +What can we do with these unit files you might ask? +Well, we can have a look at the command line arguments for sshd with `man sshd`. +This gives us an overview of all options available to us. +One that peaks my interest is the `-p` argument which allows us to override the port and ignore all ports specified in the configuration file. +Let's try it out! + +To edit the unit file we need a text editor. +There are *two* ways to do it but we'll go for the most straightforward one first. +I'll be using vim to edit the file via `sudo vim /lib/systemd/system/ssh.service`. +Notice the syntax highlighting, nice no? +I modified the tenth line so that it reads: + +``` +ExecStart=/usr/sbin/sshd -D $SSHD_OPTS -p 2222 + +``` + +Now, how do we take this change into account? +Let's restart the service. + +``` + ~ git:(master) ✗ sudo systemctl restart sshd.service +Warning: The unit file, source configuration file or drop-ins of sshd.service changed on disk. Run 'systemctl daemon-reload' to reload units. +➜ ~ git:(master) ✗ +``` + +We can see a warning but did the service restart? +Let's have a look at the status. + +``` +● ssh.service - OpenBSD Secure Shell server + Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled) + Active: active (running) since Sun 2021-08-15 20:00:49 CEST; 38s ago + Docs: man:sshd(8) + man:sshd_config(5) + Process: 1108166 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS) + Main PID: 1108167 (sshd) + Tasks: 1 (limit: 23851) + Memory: 1.1M + CPU: 15ms + CGroup: /system.slice/ssh.service + └─1108167 sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups + +Aug 15 20:00:49 deathstar systemd[1]: Starting OpenBSD Secure Shell server... +Aug 15 20:00:49 deathstar sshd[1108167]: Server listening on 0.0.0.0 port 22. +Aug 15 20:00:49 deathstar sshd[1108167]: Server listening on :: port 22. +Aug 15 20:00:49 deathstar systemd[1]: Started OpenBSD Secure Shell server. +``` + +Yes it did, but the service is still running on port 22. +This is what systemd means by `loaded`. +A configuration file is loaded into memory and used from there. +To take changes to unit files into account we need to reload the files that have changed, sort of like we restart `sshd` when we make changes to it's configuration file but we can't restart `systemd` as that would freeze our computer. +Luckily there is a command to do this and it's written in the warning notice. + +``` +➜ ~ git:(master) ✗ sudo systemctl daemon-reload +➜ ~ git:(master) ✗ sudo systemctl restart sshd.service +➜ ~ git:(master) ✗ sudo systemctl status sshd.service +● ssh.service - OpenBSD Secure Shell server + Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled) + Active: active (running) since Sun 2021-08-15 20:05:53 CEST; 2s ago + Docs: man:sshd(8) + man:sshd_config(5) + Process: 1108694 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS) + Main PID: 1108695 (sshd) + Tasks: 1 (limit: 23851) + Memory: 1.1M + CPU: 15ms + CGroup: /system.slice/ssh.service + └─1108695 sshd: /usr/sbin/sshd -D -p 2222 [listener] 0 of 10-100 startups + +Aug 15 20:05:53 deathstar systemd[1]: Starting OpenBSD Secure Shell server... +Aug 15 20:05:53 deathstar sshd[1108695]: Server listening on 0.0.0.0 port 2222. +Aug 15 20:05:53 deathstar sshd[1108695]: Server listening on :: port 2222. +Aug 15 20:05:53 deathstar systemd[1]: Started OpenBSD Secure Shell server. +➜ ~ git:(master) ✗ +``` + +Nice! +Now, let's first undo our changes and explore the alternative way to modify unit files. +Next we do the same changes but in the alternative way. +Just as we have a handy shortcut to `cat` unit files we have one to `edit` them! +I'll run the `sudo -E systemctl edit --full sshd.service` command, notice the `-E`, why would I do that? +This opens up my editor of choice and I can go ahead an make my changes to line 10 which I add `-p 2200` to this time. + +``` +➜ ~ git:(master) ✗ sudo -E systemctl edit sshd.service --full +➜ ~ git:(master) ✗ sudo systemctl daemon-reload +➜ ~ git:(master) ✗ sudo systemctl restart sshd.service +➜ ~ git:(master) ✗ sudo systemctl status sshd.service +● ssh.service - OpenBSD Secure Shell server + Loaded: loaded (/etc/systemd/system/ssh.service; enabled; vendor preset: enabled) + Active: active (running) since Sun 2021-08-15 20:24:47 CEST; 4s ago + Docs: man:sshd(8) + man:sshd_config(5) + Process: 1111232 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS) + Main PID: 1111233 (sshd) + Tasks: 1 (limit: 23851) + Memory: 1.1M + CPU: 15ms + CGroup: /system.slice/ssh.service + └─1111233 sshd: /usr/sbin/sshd -D -p 2200 [listener] 0 of 10-100 startups + +Aug 15 20:24:47 deathstar systemd[1]: Starting OpenBSD Secure Shell server... +Aug 15 20:24:47 deathstar sshd[1111233]: Server listening on 0.0.0.0 port 2200. +Aug 15 20:24:47 deathstar sshd[1111233]: Server listening on :: port 2200. +Aug 15 20:24:47 deathstar systemd[1]: Started OpenBSD Secure Shell server. +➜ ~ git:(master) ✗ +``` + +Notice something different here? +The location of the unit file is no longer `/lib/systemd/system/ssh.service` but `/etc/systemd/system/ssh.service`. +This is the actual *preferred* way of modifying unit files supplied by your distribution because if at some point in the future your distro changes it's configuration file and you update, you'll overwrite your custom changes! (see [this](https://serverfault.com/questions/840996/modify-systemd-unit-file-without-altering-upstream-unit-file) post on serverfault) +Think of the similar situation we encountered with `/etc/dnsmask.d/` when installing a pihole. +What if you want to `revert` back to file supplied by Debian? +A quick `sudo systemctl revert sshd.service` should do the trick! +Don't forget to `daemon-reload` when you want to restart the service. + +## Writing your own service files + +Imagine we want to run a custom server each time the machine boots. +Here systemd comes to the rescue, plus we can run them as *ourselves* and don't need to interfere with the standard system services. +Let's give this a go! + +A simple example to a server would be a small python3 webserver. +Let's create a directory in our home called website. +We can do this with `mkdir ~/website`. +In this folder we'll make an `index.html` file where we add the content of our *website* to. +You can write anything you want, in html or plaintext. +To spin up a quick webserver we can use the `http.server` class from the standard library. +I **must** note that it's not a production proof server and should **only** be used for small testing purposes (and for our example). + +``` +➜ website git:(master) ✗ python3 -m http.server 8080 +Serving HTTP on 0.0.0.0 port 8080 (http://0.0.0.0:8080/) ... +127.0.0.1 - - [15/Aug/2021 20:45:30] "GET / HTTP/1.1" 200 - +127.0.0.1 - - [15/Aug/2021 20:45:30] code 404, message File not found +127.0.0.1 - - [15/Aug/2021 20:45:30] "GET /favicon.ico HTTP/1.1" 404 - +``` + +The website is now up and running and we can see all requests logged to the command line. +Go to `http://localhost:8080` to see your website, or to the IP address of one of the other students to see the logs grow. + +Right, we're happy with our service and we would like to offer it permanently. +In order to do so we need to create our own unit file and we can do this in **two locations**. +The first one is `/etc/systemd/system/` which houses most of our system services but **users** can have their own services! +In order to create your own service, without root privileges, you can add unit files to `~/.local/share/systemd/user`. +You will probably have to create this directory. +In this directory you can add as many `.service` files as you want. +For now we'll just make one called `website.service` where we need to define some things in. + +``` +[Unit] +Description=Our own webserver + +[Service] +WorkingDirectory=/home/waldek/website +ExecStart=/usr/bin/python3 -m http.server 8080 + +[Install] +WantedBy=default.target +``` + +Next we need to `enable` and `start` our service. +Notice that I'm not using `sudo` and that I added the `--user` argument. + +``` +systemctl --user enable website.service +systemctl --user start website.service +``` + +And we can inspect the logs via the trusted `status` argument as such. + +``` +➜ ~ git:(master) ✗ systemctl --user status website.service +● website.service - Our own webserver + Loaded: loaded (/home/waldek/.local/share/systemd/user/website.service; enabled; vendor preset: enabled) + Active: active (running) since Sun 2021-08-15 20:58:15 CEST; 5min ago + Main PID: 1114451 (python3) + Tasks: 1 (limit: 23851) + Memory: 8.8M + CPU: 92ms + CGroup: /user.slice/user-1000.slice/user@1000.service/app.slice/website.service + └─1114451 /usr/bin/python3 -m http.server 8080 + +Aug 15 20:58:15 deathstar systemd[585]: Started Our own webserver. +Aug 15 20:58:23 deathstar python3[1114451]: 127.0.0.1 - - [15/Aug/2021 20:58:23] "GET / HTTP/1.1" 304 - +Aug 15 20:58:24 deathstar python3[1114451]: 127.0.0.1 - - [15/Aug/2021 20:58:24] "GET / HTTP/1.1" 304 - +Aug 15 20:58:24 deathstar python3[1114451]: 127.0.0.1 - - [15/Aug/2021 20:58:24] "GET / HTTP/1.1" 304 - +Aug 15 20:58:25 deathstar python3[1114451]: 127.0.0.1 - - [15/Aug/2021 20:58:25] "GET / HTTP/1.1" 304 - +➜ ~ git:(master) ✗ +``` + +For those that want to dive deeper into the syntax of the configuration file you should have a look at the output of `systemctl --user show website.service` which list all of the *hidden* settings that are predefined for a service. +To see what you can change them to, have a look [here](https://www.freedesktop.org/software/systemd/man/systemd.service.html). + +### Deep dive into the logs + +All logs made you systemd go into the `/var/log/daemon.log` file by default. +You can override this but I would highly advise you not to do it as there are special **tools** that come with systemd to inspect the logs, plus all logs in one place is quite handy for grepping. +Have a look at the file and you should see a similar output. + +``` +Aug 15 20:24:44 deathstar systemd[1]: Reloading. +Aug 15 20:24:47 deathstar systemd[1]: Stopping OpenBSD Secure Shell server... +Aug 15 20:24:47 deathstar systemd[1]: ssh.service: Succeeded. +Aug 15 20:24:47 deathstar systemd[1]: Stopped OpenBSD Secure Shell server. +Aug 15 20:24:47 deathstar systemd[1]: Starting OpenBSD Secure Shell server... +Aug 15 20:24:47 deathstar systemd[1]: Started OpenBSD Secure Shell server. +Aug 15 20:57:38 deathstar systemd[585]: Started VTE child process 1114299 launched by gnome-terminal-server process 1027574. +Aug 15 20:58:02 deathstar systemd[585]: Reloading. +Aug 15 20:58:15 deathstar systemd[585]: Started Our own webserver. +Aug 15 20:58:23 deathstar python3[1114451]: 127.0.0.1 - - [15/Aug/2021 20:58:23] "GET / HTTP/1.1" 304 - +Aug 15 20:58:24 deathstar python3[1114451]: 127.0.0.1 - - [15/Aug/2021 20:58:24] "GET / HTTP/1.1" 304 - +Aug 15 20:58:24 deathstar python3[1114451]: 127.0.0.1 - - [15/Aug/2021 20:58:24] "GET / HTTP/1.1" 304 - +Aug 15 20:58:25 deathstar python3[1114451]: 127.0.0.1 - - [15/Aug/2021 20:58:25] "GET / HTTP/1.1" 304 - +``` + +Systemd comes with a specialized program to sift through it's logs called `journalctl`. +Just invoking `journalctl` will give you the output of the log file in less. +A **very handy** argument you'll probably always use is `-e` which scrolls to the end of the logs. +As an alternative you can add `--no-pager` which will not pipe to `less` but just print to STDOUT. +To only view a specific service we can add the `--unit` argument, followed by the service name. +For example: + +``` +➜ ~ git:(master) ✗ sudo journalctl --unit ssh.service --no-pager --since "1 h 25 min ago" +-- Journal begins at Wed 2021-07-14 22:35:36 CEST, ends at Sun 2021-08-15 21:46:42 CEST. -- +Aug 15 20:22:14 deathstar sshd[1110635]: Received signal 15; terminating. +Aug 15 20:22:14 deathstar systemd[1]: Stopping OpenBSD Secure Shell server... +Aug 15 20:22:14 deathstar systemd[1]: ssh.service: Succeeded. +Aug 15 20:22:14 deathstar systemd[1]: Stopped OpenBSD Secure Shell server. +Aug 15 20:22:14 deathstar systemd[1]: Starting OpenBSD Secure Shell server... +Aug 15 20:22:14 deathstar sshd[1110849]: Server listening on 0.0.0.0 port 2222. +Aug 15 20:22:14 deathstar sshd[1110849]: Server listening on :: port 2222. +Aug 15 20:22:14 deathstar systemd[1]: Started OpenBSD Secure Shell server. +Aug 15 20:24:47 deathstar systemd[1]: Stopping OpenBSD Secure Shell server... +Aug 15 20:24:47 deathstar sshd[1110849]: Received signal 15; terminating. +Aug 15 20:24:47 deathstar systemd[1]: ssh.service: Succeeded. +Aug 15 20:24:47 deathstar systemd[1]: Stopped OpenBSD Secure Shell server. +Aug 15 20:24:47 deathstar systemd[1]: Starting OpenBSD Secure Shell server... +Aug 15 20:24:47 deathstar sshd[1111233]: Server listening on 0.0.0.0 port 2200. +Aug 15 20:24:47 deathstar sshd[1111233]: Server listening on :: port 2200. +Aug 15 20:24:47 deathstar systemd[1]: Started OpenBSD Secure Shell server. +➜ ~ git:(master) ✗ +``` + +To understand the `--since` argument I advise you to read the `man systemd.time` pages. +An argument you'll often see suggested online is `-x`. +It adds more verbose output to debug issues. +The manpage documentation is below for reference purpose for reference purposes. + +``` +-x, --catalog + Augment log lines with explanation texts from the message catalog. This will add explanatory help texts to log messages + in the output where this is available. These short help texts will explain the context of an error or log event, + possible solutions, as well as pointers to support forums, developer documentation, and any other relevant manuals. Note + that help texts are not available for all messages, but only for selected ones. For more information on the message + catalog, please refer to the Message Catalog Developer Documentation[5]. + + Note: when attaching journalctl output to bug reports, please do not use -x. +``` + +Last but not least, the `-f` argument does a *live* stream of the log so you can debug on the fly. +This can be very handy in a `tmux` session. +For more information I highly advise the man pages with `man journalctl`! + +## A sidetrack into cron + +But what if we want to run a quick script or command every day at midnight? +Like an email report of the system status, or a `apt update`? +This can also be done with systemd but the *classic* way of doing this is via `cron`. +As always, have a look at `man cron` and when you're finished you'll know you want to read the `man crontab` as well. + +In short, every user can have a crontab which is a list of command to execute at certain intervals. +To inspect your own crontab, just execute `crontab -e` which will open your editor of choice. +Read through the comments, it's quite self explanatory no? +Only the timestamp syntax is quite annoying in my opinion but there is a handy [website](https://crontab.guru/every-1-minute) to help you understand it a bit better. +To have a command executed every minute you add the following. + +``` +* * * * * echo "helloword" >> /tmp/coucou +``` + +The `root` user has his own crontab you can edit with `sudo crontab -e` +To do an `apt update` every day at midnight you would add the following. + +``` +0 0 * * * apt update +``` + +I must note that this is not really the best way to accomplish automatic update and upgrades. +Have a look [here](https://help.ubuntu.com/community/AutoWeeklyUpdateHowTo) for better alternatives. + +## Systemd timers + +As you can probably see, `cron` is a very basic but powerful way of scheduling actions. +So people really like the simplicity bit for others a bit more control is desired, hence `man systemd.timer`. +We can list all current timers with the following command. + +``` +➜ ~ git:(master) ✗ systemctl list-timers --no-pager +NEXT LEFT LAST PASSED UNIT ACTIVATES +Mon 2021-08-16 00:00:00 C… 1h 40min left Sun 2021-08-15 00:00:13 C… 22h ago logrotate.timer logrotate.service +Mon 2021-08-16 00:00:00 C… 1h 40min left Sun 2021-08-15 00:00:13 C… 22h ago man-db.timer man-db.service +Mon 2021-08-16 06:52:37 C… 8h left Sun 2021-08-15 06:34:23 C… 15h ago apt-daily-upgrade.timer apt-daily-upgrade.service +Mon 2021-08-16 12:45:13 C… 14h left Sun 2021-08-15 12:45:13 C… 9h ago systemd-tmpfiles-clean.ti… systemd-tmpfiles-clean.ser… +Mon 2021-08-16 12:46:51 C… 14h left Sun 2021-08-15 19:56:29 C… 2h 23min ago apt-daily.timer apt-daily.service +Sun 2021-08-22 03:10:26 C… 6 days left Sun 2021-08-15 03:10:52 C… 19h ago e2scrub_all.timer e2scrub_all.service + +6 timers listed. +Pass --all to see loaded but inactive timers, too. +➜ ~ git:(master) ✗ +``` + +To list your own timers you add the `--user` argument. + +``` +➜ ~ git:(master) ✗ systemctl --user list-timers --no-pager +NEXT LEFT LAST PASSED UNIT ACTIVATES + +0 timers listed. +Pass --all to see loaded but inactive timers, too. +➜ ~ git:(master) ✗ +``` + +Let's add one! +In order to create a timer, we need a service that we can run so let's do that first. +In the same folder as before I'll create a `monitor.service` file and will add the following to it. + +``` +➜ user git:(master) ✗ systemctl --user cat monitor.service +# /home/waldek/.local/share/systemd/user/monitor.service +[Unit] +Description=Doing some monitoring +Wants=monitor.timer + +[Service] +Type=oneshot +ExecStart=/usr/bin/ps u + +[Install] +WantedBy=multi-user.target +➜ user git:(master) ✗ +``` + +Now, let's test the service. + +``` +➜ user git:(master) ✗ systemctl --user start monitor.service +➜ user git:(master) ✗ systemctl --user status monitor.service +● monitor.service - Doing some monitoring + Loaded: loaded (/home/waldek/.local/share/systemd/user/monitor.service; disabled; vendor preset: enabled) + Active: inactive (dead) + +Aug 15 22:29:08 deathstar ps[1122931]: waldek 1099261 0.0 0.0 16300 9880 pts/2 Ss 17:54 0:00 zsh +Aug 15 22:29:08 deathstar ps[1122931]: waldek 1101477 0.0 0.0 17468 11496 pts/3 Ss 18:31 0:06 zsh +Aug 15 22:29:08 deathstar ps[1122931]: waldek 1117521 0.0 0.0 16744 10068 pts/4 Ss 21:38 0:01 zsh +Aug 15 22:29:08 deathstar ps[1122931]: waldek 1118424 0.0 0.0 17120 10052 pts/5 Ss+ 21:44 0:00 zsh +Aug 15 22:29:08 deathstar ps[1122931]: waldek 1119048 0.0 0.0 40788 7956 pts/4 S+ 21:50 0:00 journalctl -f +Aug 15 22:29:08 deathstar ps[1122931]: waldek 1121204 1.9 0.1 45280 31108 pts/2 S+ 22:11 0:20 vim learning_systemd.md +Aug 15 22:29:08 deathstar ps[1122931]: waldek 1122718 0.2 0.0 12848 8716 pts/6 Ss+ 22:27 0:00 zsh +Aug 15 22:29:08 deathstar ps[1122931]: waldek 1122930 0.0 0.0 10072 1168 pts/3 S+ 22:29 0:00 systemctl --user start monit> +Aug 15 22:29:08 deathstar systemd[585]: monitor.service: Succeeded. +Aug 15 22:29:08 deathstar systemd[585]: Finished Doing some monitoring. +``` + +OK, that seems to work well, so now we want to create the timer that will run this service every minute. +In order to do this we create a `monitor.timer` file with the following content. +The `onCalendar=*-*-* *:*:00` make it run every minute. +You can read more about the syntax in the `man systemd.time` pages. + +``` +➜ user git:(master) ✗ systemctl --user cat monitor.timer +# /home/waldek/.local/share/systemd/user/monitor.timer +[Unit] +Description=Doing some timely monitoring +Requires=monitor.service + +[Timer] +Unit=monitor.service +OnCalendar=*-*-* *:*:00 + +[Install] +WantedBy=timers.target +➜ user git:(master) ✗ +``` + +Once the timer is in place you should `start` the service with `systemctl --user start monitor.service`. +There is no need to start or enable the `monitor.timer` file as the link between them is in the `monitor.service` file via the `Wants=monitor.timer` configuration line. +If you now watch your log in real time with `journalctl -f --user-unit monitor.service` you should see your service executing every minute! + +### Pro's and cons + +The following advice was taken from the arch [wiki](https://wiki.archlinux.org/title/Systemd/Timers). + +#### As a cron replacement + +Although cron is arguably the most well-known job scheduler, systemd timers can be an alternative. + +##### Benefits + +The main benefits of using timers come from each job having its own systemd service. Some of these benefits are: + +* Jobs can be easily started independently of their timers. This simplifies debugging. +* Each job can be configured to run in a specific environment (see systemd.exec(5)). +* Jobs can be attached to cgroups. +* Jobs can be set up to depend on other systemd units. +* Jobs are logged in the systemd journal for easy debugging. + +##### Caveats + +Some things that are easy to do with cron are difficult to do with timer units alone: + +* Creation: to set up a timed job with systemd you need to create two files and run systemctl commands, compared to adding a single line to a crontab. +* Emails: there is no built-in equivalent to cron's MAILTO for sending emails on job failure. See the next section for an example of setting up a similar functionality using OnFailure=. + +Also note that user timer units will only run during an active user login session by default. However, lingering can enable services to run at boot even when the user has no active login session. + +## A sidetrack into runlevels + +The world of Linux has a concept called *runlevels* which determines a target state the machine is in, or to which you want the manche to go to. +It's a complicated way of saying fully operational with graphical interface, a root only rescue mode, a reboot, halted etc. +The official specification of the runlevels defines them as such. + +* Runlevel 0 or Halt is used to shift the computer from one state to another. It shut down the system. +* Runlevel 1, s, S or Single-User Mode is used for administrative and recovery functions. It has only enough daemons to allow one user (the root user) to log in and perform system maintenance tasks. All local file systems are mounted. Some essential services are started, but networking remains disabled. +* Runlevel 2 or Multi-user Mode is used for most daemons running and allows multiple users the ability to log in and use system services but without networking. On Debian and its derivatives, a full multi-user mode with X running and a graphical login. Most other distributions leave this runlevel undefined. +* Runlevel 3 or Extended Multi-user Mode is used for a full multi-user mode with a console (without GUI) login screen with network services available +* Runlevel 4 is not normally used and undefined so it can be used for a personal customization +* Runlevel 5 or Graphical Mode is same as Runlevel 3 with graphical login _(such as GDN)_. +* Runlevel 6 or Reboot is a transitional runlevel to reboot the system. + +You can inspect the runlevel your system is currenty at by ececuting the following command. + +``` +➜ ~ git:(master) ✗ sudo runlevel +N 5 +➜ ~ git:(master) ✗ +``` + +You can change your runlevel with the `sudo telinit`, followed by the level number, command. +You'll probably won't see that much difference between levels but try to change it to level `6` and see what happens. +If you change the runlevel to `1` your machine will probably freeze. +This has to do with the fact we haven't set a `root` password on most of our machines so the single user mode can't be accessed. +Try setting a root password and reset the level to one and see what happens. + +## Systemd targets + +Systemd take the concept of runlevels a bit further and they are renamed to **targets**. +The mapping of runlevels to targets is as follows. + +* poweroff.target (runlevel 0): shutdown and power off the system +* rescue.target (runlevel 1): launch the rescue shell session +* multi-user.target (runlevel 2,3,4): set the system in non graphical (console) multi-user system +* graphical.target (runlevel 5): use a graphical multi-user system with network services +* reboot.target (runlevel 6): shutdown and reboot the system + +But, there are a *lot* more targets available on a machine running systemd. +Luckily `systemctl` offers a nice way to inspect them. + +``` +➜ ~ git:(master) ✗ sudo systemctl list-units --type target + UNIT LOAD ACTIVE SUB DESCRIPTION + basic.target loaded active active Basic System + cryptsetup.target loaded active active Local Encrypted Volumes + getty.target loaded active active Login Prompts + local-fs-pre.target loaded active active Local File Systems (Pre) + local-fs.target loaded active active Local File Systems + multi-user.target loaded active active Multi-User System + network.target loaded active active Network + nfs-client.target loaded active active NFS client services + paths.target loaded active active Paths + remote-fs-pre.target loaded active active Remote File Systems (Pre) + remote-fs.target loaded active active Remote File Systems + rpcbind.target loaded active active RPC Port Mapper + slices.target loaded active active Slices + sockets.target loaded active active Sockets + swap.target loaded active active Swap + sysinit.target loaded active active System Initialization + time-set.target loaded active active System Time Set + time-sync.target loaded active active System Time Synchronized + timers.target loaded active active Timers + +LOAD = Reflects whether the unit definition was properly loaded. +ACTIVE = The high-level unit activation state, i.e. generalization of SUB. +SUB = The low-level unit activation state, values depend on unit type. +19 loaded units listed. Pass --all to see loaded but inactive units, too. +To show all installed unit files use 'systemctl list-unit-files'. +``` + +Notice how some of the mappings, such as rescue.target, are missing? +We can show the inactive ones as well if we add the `--all` argument. + +``` +➜ ~ git:(master) ✗ sudo systemctl list-units --type target --all --no-pager + UNIT LOAD ACTIVE SUB DESCRIPTION + basic.target loaded active active Basic System + blockdev@dev-disk-by\x2duuid-4a77d180\x2dfc64\x2d4057… loaded inactive dead Block Device Preparation for /dev/disk/by-uuid/4a77d18… + blockdev@dev-dm\x2d1.target loaded inactive dead Block Device Preparation for /dev/dm-1 + blockdev@dev-mapper-deathstar\x2d\x2dvg\x2droot.target loaded inactive dead Block Device Preparation for /dev/mapper/deathstar--vg… + blockdev@dev-mapper-deathstar\x2d\x2dvg\x2dswap_1.tar… loaded inactive dead Block Device Preparation for /dev/mapper/deathstar--vg… + blockdev@dev-sda1.target loaded inactive dead Block Device Preparation for /dev/sda1 + bluetooth.target loaded inactive dead Bluetooth + cryptsetup.target loaded active active Local Encrypted Volumes + emergency.target loaded inactive dead Emergency Mode + first-boot-complete.target loaded inactive dead First Boot Complete + getty-pre.target loaded inactive dead Login Prompts (Pre) + getty.target loaded active active Login Prompts + graphical.target loaded inactive dead Graphical Interface + local-fs-pre.target loaded active active Local File Systems (Pre) + local-fs.target loaded active active Local File Systems + multi-user.target loaded active active Multi-User System + network-online.target loaded inactive dead Network is Online + network-pre.target loaded inactive dead Network (Pre) + network.target loaded active active Network + nfs-client.target loaded active active NFS client services + nss-user-lookup.target loaded inactive dead User and Group Name Lookups + paths.target loaded active active Paths + remote-fs-pre.target loaded active active Remote File Systems (Pre) + remote-fs.target loaded active active Remote File Systems + rescue.target loaded inactive dead Rescue Mode + rpcbind.target loaded active active RPC Port Mapper + shutdown.target loaded inactive dead Shutdown + slices.target loaded active active Slices + sockets.target loaded active active Sockets + sound.target loaded inactive dead Sound Card + swap.target loaded active active Swap + sysinit.target loaded active active System Initialization + time-set.target loaded active active System Time Set + time-sync.target loaded active active System Time Synchronized + timers.target loaded active active Timers + umount.target loaded inactive dead Unmount All Filesystems + +LOAD = Reflects whether the unit definition was properly loaded. +ACTIVE = The high-level unit activation state, i.e. generalization of SUB. +SUB = The low-level unit activation state, values depend on unit type. +36 loaded units listed. +To show all installed unit files use 'systemctl list-unit-files'. +➜ ~ git:(master) ✗ +``` + +That's better but still, some other ones such as poweroff.target seem to be missing. +Those are both not active and not loaded, but still available. +We can list all unit files known to our system with a different command. + +``` +➜ ~ git:(master) ✗ sudo systemctl list-unit-files --type target --all --no-pager +UNIT FILE STATE VENDOR PRESET +basic.target static - +blockdev@.target static - +bluetooth.target static - +boot-complete.target static - +cryptsetup-pre.target static - +cryptsetup.target static - +ctrl-alt-del.target alias - +default.target alias - +emergency.target static - +exit.target disabled disabled +final.target static - +first-boot-complete.target static - +getty-pre.target static - +getty.target static - +graphical.target static - +halt.target disabled disabled +hibernate.target static - +hybrid-sleep.target static - +initrd-fs.target static - +initrd-root-device.target static - +initrd-root-fs.target static - +initrd-switch-root.target static - +initrd.target static - +kexec.target disabled disabled +local-fs-pre.target static - +local-fs.target static - +multi-user.target static - +network-online.target static - +network-pre.target static - +network.target static - +nfs-client.target enabled enabled +nss-lookup.target static - +nss-user-lookup.target static - +paths.target static - +poweroff.target disabled disabled +printer.target static - +reboot.target disabled enabled +remote-cryptsetup.target disabled enabled +remote-fs-pre.target static - +remote-fs.target enabled enabled +rescue-ssh.target static - +rescue.target static - +rpcbind.target static - +runlevel0.target alias - +runlevel1.target alias - +runlevel2.target alias - +runlevel3.target alias - +runlevel4.target alias - +runlevel5.target alias - +runlevel6.target alias - +shutdown.target static - +sigpwr.target static - +sleep.target static - +slices.target static - +smartcard.target static - +sockets.target static - +sound.target static - +suspend-then-hibernate.target static - +suspend.target static - +swap.target static - +sysinit.target static - +system-update-pre.target static - +system-update.target static - +time-set.target static - +time-sync.target static - +timers.target static - +umount.target static - +usb-gadget.target static - + +68 unit files listed. +➜ ~ git:(master) ✗ +``` + +That seems to be complete. +Now, how do we switch form one target to an other in a modern systemd-like fashion? +For this we use the `isolate` argument to `systemctl`. +A quick test of a this can be done as such, `sudo systemctl isolate reboot.target`. +On a Linux system where root has a password set you could try the `rescue.target` as well. +You can get and set the default runlevel of you system with the following commands. + +``` +➜ ~ git:(master) ✗ sudo systemctl get-default +graphical.target +➜ ~ git:(master) ✗ sudo systemctl set-default multi-user.target +Created symlink /etc/systemd/system/default.target → /lib/systemd/system/multi-user.target. +➜ ~ git:(master) ✗ sudo systemctl get-default +multi-user.target +➜ ~ git:(master) ✗ +``` + +## A deeper look into targets + +What is included in all of these targets? +We can inspect their dependencies by invoking the `list-dependencies` argument to `systemctl`. +Let's start with the most basic one, the `rescue.target`. + +``` +➜ ~ git:(master) ✗ sudo systemctl list-dependencies rescue.target --no-pager +rescue.target +● ├─rescue.service +● ├─systemd-update-utmp-runlevel.service +● └─sysinit.target +● ├─apparmor.service +● ├─blk-availability.service +● ├─dev-hugepages.mount +● ├─dev-mqueue.mount +● ├─keyboard-setup.service +● ├─kmod-static-nodes.service +● ├─lvm2-lvmpolld.socket +● ├─lvm2-monitor.service +● ├─proc-sys-fs-binfmt_misc.automount +● ├─sys-fs-fuse-connections.mount +● ├─sys-kernel-config.mount +● ├─sys-kernel-debug.mount +● ├─sys-kernel-tracing.mount +● ├─systemd-ask-password-console.path +● ├─systemd-binfmt.service +● ├─systemd-boot-system-token.service +● ├─systemd-hwdb-update.service +● ├─systemd-journal-flush.service +● ├─systemd-journald.service +● ├─systemd-machine-id-commit.service +● ├─systemd-modules-load.service +● ├─systemd-pstore.service +● ├─systemd-random-seed.service +● ├─systemd-sysctl.service +● ├─systemd-sysusers.service +● ├─systemd-timesyncd.service +● ├─systemd-tmpfiles-setup-dev.service +● ├─systemd-tmpfiles-setup.service +● ├─systemd-udev-trigger.service +● ├─systemd-udevd.service +● ├─systemd-update-utmp.service +● ├─cryptsetup.target +● ├─local-fs.target +● │ ├─-.mount +● │ ├─boot.mount +● │ ├─systemd-fsck-root.service +● │ └─systemd-remount-fs.service +● └─swap.target +● └─dev-mapper-deathstar\x2d\x2dvg\x2dswap_1.swap +➜ ~ git:(master) ✗ +``` + +As you can see, it's quite basic. +All of these services and additional targets will try to be loaded and started when we enter rescue mode. +Now, let's compare it to the most elaborate runlevel, `5`. + +``` +➜ ~ git:(master) ✗ sudo systemctl list-dependencies graphical.target --no-pager +graphical.target +● ├─display-manager.service +● ├─systemd-update-utmp-runlevel.service +● ├─udisks2.service +● └─multi-user.target +● ├─avahi-daemon.service +● ├─binfmt-support.service +● ├─blueman-mechanism.service +● ├─chrony.service +● ├─console-setup.service +● ├─cron.service +● ├─cups-browsed.service +● ├─cups.path +● ├─dbus.service +● ├─e2scrub_reap.service +● ├─ModemManager.service +● ├─networking.service +● ├─rpcbind.service +● ├─rsyslog.service +● ├─ssh.service +● ├─systemd-ask-password-wall.path +● ├─systemd-logind.service +● ├─systemd-update-utmp-runlevel.service +● ├─systemd-user-sessions.service +● ├─wpa_supplicant.service +● ├─basic.target +● │ ├─-.mount +● │ ├─tmp.mount +● │ ├─paths.target +● │ ├─slices.target +● │ │ ├─-.slice +● │ │ └─system.slice +● │ ├─sockets.target +● │ │ ├─avahi-daemon.socket +● │ │ ├─cups.socket +● │ │ ├─dbus.socket +● │ │ ├─dm-event.socket +● │ │ ├─pcscd.socket +● │ │ ├─rpcbind.socket +● │ │ ├─systemd-initctl.socket +● │ │ ├─systemd-journald-audit.socket +● │ │ ├─systemd-journald-dev-log.socket +● │ │ ├─systemd-journald.socket +● │ │ ├─systemd-udevd-control.socket +● │ │ └─systemd-udevd-kernel.socket +● │ ├─sysinit.target +● │ │ ├─apparmor.service +● │ │ ├─blk-availability.service +● │ │ ├─dev-hugepages.mount +● │ │ ├─dev-mqueue.mount +● │ │ ├─keyboard-setup.service +● │ │ ├─kmod-static-nodes.service +● │ │ ├─lvm2-lvmpolld.socket +● │ │ ├─lvm2-monitor.service +● │ │ ├─proc-sys-fs-binfmt_misc.automount +● │ │ ├─sys-fs-fuse-connections.mount +● │ │ ├─sys-kernel-config.mount +● │ │ ├─sys-kernel-debug.mount +● │ │ ├─sys-kernel-tracing.mount +● │ │ ├─systemd-ask-password-console.path +● │ │ ├─systemd-binfmt.service +● │ │ ├─systemd-boot-system-token.service +● │ │ ├─systemd-hwdb-update.service +● │ │ ├─systemd-journal-flush.service +● │ │ ├─systemd-journald.service +● │ │ ├─systemd-machine-id-commit.service +● │ │ ├─systemd-modules-load.service +● │ │ ├─systemd-pstore.service +● │ │ ├─systemd-random-seed.service +● │ │ ├─systemd-sysctl.service +● │ │ ├─systemd-sysusers.service +● │ │ ├─systemd-timesyncd.service +● │ │ ├─systemd-tmpfiles-setup-dev.service +● │ │ ├─systemd-tmpfiles-setup.service +● │ │ ├─systemd-udev-trigger.service +● │ │ ├─systemd-udevd.service +● │ │ ├─systemd-update-utmp.service +● │ │ ├─cryptsetup.target +● │ │ ├─local-fs.target +● │ │ │ ├─-.mount +● │ │ │ ├─boot.mount +● │ │ │ ├─systemd-fsck-root.service +● │ │ │ └─systemd-remount-fs.service +● │ │ └─swap.target +● │ │ └─dev-mapper-deathstar\x2d\x2dvg\x2dswap_1.swap +● │ └─timers.target +● │ ├─apt-daily-upgrade.timer +● │ ├─apt-daily.timer +● │ ├─e2scrub_all.timer +● │ ├─logrotate.timer +● │ ├─man-db.timer +● │ └─systemd-tmpfiles-clean.timer +● ├─getty.target +● │ ├─getty-static.service +● │ └─getty@tty1.service +● ├─nfs-client.target +● │ ├─auth-rpcgss-module.service +● │ ├─nfs-blkmap.service +● │ └─remote-fs-pre.target +● └─remote-fs.target +● └─nfs-client.target +● ├─auth-rpcgss-module.service +● ├─nfs-blkmap.service +● └─remote-fs-pre.target +➜ ~ git:(master) ✗ +``` + +You immediately see, and probably recognise a lot of very useful services that get launched when we enter the graphical target. +Mind you that the output above is from a pretty lean system running a minimal i3 graphical environment. + +We can also use the `list-dependencies` to inspect services such as `sshd.service`. +The list below is everything sshd depends on to succesfully run as a systemd service. + +``` +sshd.service +● ├─-.mount +● ├─system.slice +● └─sysinit.target +● ├─apparmor.service +● ├─blk-availability.service +● ├─dev-hugepages.mount +● ├─dev-mqueue.mount +● ├─keyboard-setup.service +● ├─kmod-static-nodes.service +● ├─lvm2-lvmpolld.socket +● ├─lvm2-monitor.service +● ├─proc-sys-fs-binfmt_misc.automount +● ├─sys-fs-fuse-connections.mount +● ├─sys-kernel-config.mount +● ├─sys-kernel-debug.mount +● ├─sys-kernel-tracing.mount +● ├─systemd-ask-password-console.path +● ├─systemd-binfmt.service +● ├─systemd-boot-system-token.service +● ├─systemd-hwdb-update.service +● ├─systemd-journal-flush.service +● ├─systemd-journald.service +● ├─systemd-machine-id-commit.service +● ├─systemd-modules-load.service +● ├─systemd-pstore.service +● ├─systemd-random-seed.service +● ├─systemd-sysctl.service +● ├─systemd-sysusers.service +● ├─systemd-timesyncd.service +● ├─systemd-tmpfiles-setup-dev.service +● ├─systemd-tmpfiles-setup.service +● ├─systemd-udev-trigger.service +● ├─systemd-udevd.service +● ├─systemd-update-utmp.service +● ├─cryptsetup.target +● ├─local-fs.target +● │ ├─-.mount +● │ ├─boot.mount +● │ ├─systemd-fsck-root.service +● │ └─systemd-remount-fs.service +● └─swap.target +● └─dev-mapper-deathstar\x2d\x2dvg\x2dswap_1.swap +➜ ~ git:(master) ✗ +``` + +A very clever *reverse dependency* list can be show by adding the `--reverse` argument. +The output below show the dependencies of the networking.service first. +You can see it *needs* the ifupdown-pre.service, system.slice and the network.target. +The second command shows the reverse, which services or targets *depend* on the networking.service to be up and running. + +``` +➜ ~ git:(master) ✗ sudo systemctl list-dependencies networking.service --no-pager +networking.service +● ├─ifupdown-pre.service +● ├─system.slice +● └─network.target +➜ ~ git:(master) ✗ sudo systemctl list-dependencies networking.service --no-pager --reverse +networking.service +● ├─multi-user.target +● │ └─graphical.target +● └─network-online.target +➜ ~ git:(master) ✗ +``` + +The combination of both can give you a solid understanding of how all services and targets are interconnected. +Just as with services we can inspect *what* a target is doing by looking at it's unit file. + +``` +➜ ~ git:(master) ✗ sudo systemctl cat network-online.target +# /lib/systemd/system/network-online.target +# SPDX-License-Identifier: LGPL-2.1-or-later +# +# This file is part of systemd. +# +# systemd is free software; you can redistribute it and/or modify it +# under the terms of the GNU Lesser General Public License as published by +# the Free Software Foundation; either version 2.1 of the License, or +# (at your option) any later version. + +[Unit] +Description=Network is Online +Documentation=man:systemd.special(7) +Documentation=https://www.freedesktop.org/wiki/Software/systemd/NetworkTarget +After=network.target +➜ ~ git:(master) ✗ +``` + +This might not tell you all that much on first sight, but I urge you to take the time out to really read the `man systemd.special`. +It will explain you all the intricacies of the different standard targets and how you can use them to your benefit. + diff --git a/assets/systemd_sequence.png b/assets/systemd_sequence.png new file mode 100644 index 0000000000000000000000000000000000000000..62fc1b449a1fd8ea8b6fc6bd8f898704648084ab GIT binary patch literal 55403 zcmeEuc{G;$->!C(Qqic8p+Pdwk|`QA3K+@HO2copYN{`vl@Os z$3{VMVrx+a6E1UN_gm6G-~Oi|Ak%RQ3#&xd4_bbj8ER5ZHC0m!8m8a5bBeiW0|mu> zS)Vt9Qan7DRr#)evP^p2oorBFk!fRVD>1zjQ$Vrm{brCDXL%pr?2R|{@7%d#nzQiE ze?v}Aj_IF3&f$k+|gg!Q2haIgU%;^IWpCvNSX_7)i?$wc)Z%;x;wsmqNs>%lf_g zD}#@?9+g z=Lktjk@B3^-@JLVGDs*^J?&1x!>umP&hIXVI&~Lq4R&L9W#i(yo}~RHOxnf4(eb*5 zMtgfZar3aSuuVHzjoZ^FM!#k5{`3S-S$4&-ulis@T%7Up{KSRl+zpKySvC`0Up$Q( z;{qk@tv=qW9L;p=Eq|Un+iLXS!Gl&hm%JNE5x&0lQ3~ObOT!=I;^Mw#TF;Gjc4~jz z&7o5AAS#N@_tM0~gieuHhSf+=>O1^Gi1@m zFCX#=3R-MX)%x<~%T|VCHD#~XU{^m~WiqI(t>s@FnprgKF1k0=Seci{a`>=b?VHo} z?=IO-e4&lEzAPu#k#44Q?bI(K!NJvP1eLX&LnGw_O-7_uvp_^D#5;P3>R_M1p zRE|~I#PYK#QR;RLbN3~T+g567o}))=2Q60?XRwo}CMHTND<6A%YkjIO-mTJ;C_uguxwdgUu>9@&-j=&p0@C$G-ss+KqRRfTX^j6BzJiat#$?d&9#K0Ca-rSyYd zIs1%UHJ?rqCClX0l!!^IZqB{lGJo?t-PY>%3=4dU!_@i=D-n1E(sZq?jC=WWo<#Mu z1jUmQq*aG&*8*v@zeXwSAshba?!NMLpFAFc<}F!P<=nZ_#(4DyG)_)VC*8IQnbPdp z)0pFEKO|;=LDD-?=)F(iOl1A0@UXnr9i6mKD&yiM!v{LUmgmunhAa`dFpJuZ4YRjR8g@u;815r^? zZ{NPHtE)53T@gNhTuoi8BbkY7!n8HHw9A1-2N@&otNi}``)RqHv z)Xc6zU>WPkCXrY1kA!AXtjZIVw^qeJBwIHdUD2w@$jG?X>EWNFvV}=fL$cOLe4)Ru zG8lP>hD~3kA@=ppwHsH*3#fnm_+dUOFDF-p6?d!ZUA@};a4WsBgeoqc;Ks;jfjv4n>fqJ$cSyc^xcK}*|TQ} zn%V67hxcuHnATx8^d}=N5^^Im9`ld2YkPHHxVpMdcIf9~oHklcuUWf6(D3V7$|S=E zc9*>Ip~PIqbtDB4L2thEK-qT-pGX1N%G1GSHjkV~e=e*ECmEuryz94Qyl8YaD#r7+8O>Q?ou>uPF-9jqK2L)mj3Vou98 z5f78>=SCk;(f0N9yfFP_Gx5fOCIi_D`OUwT3;8ifiPWvHso8)v3UURR+5!JCDe{(GPYrKik_iSPK1) zUgp7RYioE>zLVqX;+uA(a#ihWF z$!TC@WaWEZE{%4@3qAq;D!*DSKYQ}(o$V* zig1VUP3jM^W}L1~DV36Ozf~FZZ7$eF%zD&eae5HB=rNs8S!ZYGw{PD{OQUZVJVX$q zlX6-P5;8)lYQzpZ|CoiH{bzHMPN>u3AW+2GKmM4u%MK3@kBscEzbqwTQ1=!A-*I`O zxYv=EAA@pnnMHW(K7QS)zRFp^>Y)u=_A)cwqmel#CPuqwPph>!9=hoDEHz#lC1ZQmEF&y_FLEAzbCaaeZ|TuRRcSOo0Btn%m%Ucad;+aCxtg70sr5x z5g?!|g|g2o0S=Up4bIrvd#`Co3=8{wgSSL)1j*61n>9$RN5gr8(%XpbwOJak77( z(Ty%#02umNIdF#6{tL=au@b!5L`2d=IvwiIuhr7(bQ9hiX4Q=Nds%Abkk^OR050_> z45A0ll7&twC_L4O0`9XliaUrYXH*y+9UaRh=VZ&S`O2vFqZ1HjFfvqFvwL*3Bl^mb z%qQD+o6nEm%-}_2m~6aSoJFj@!^Rz13!oP=?svX@5hB{rqZB6PD)- zMpQ&^ih(Jz>vVQ@PRv;}tO=6_kW2XW#igFQg_>F``F1T}NStNX-5)ZRmX<(uGj@(H z8@9^G$mFap4t@CW!A-!%mzE|(+}0fFW~4P`YJ9wA&~m6LG4TfdU`3z+_}DGCZTkV+ z$A127eRJA#`@u6{FtuH;iyza2_96b>X-~iT!C#<5Gv;WYt7U zlO`1IZT8JDoWuIkBF!JdKH3TB~im85;iC z+k+mFCs&s`$pO}{v)rt67k_fJ+!$(%H?K_6DYiWR&7xZ32vUa7@Ix2 zb8|t*KGaF+6m3BqVZmalMb2=g8OvEpSUzP<+VJ&E5w#;SS4T&|n)~NVDl7fT3x=)9 z26{`M($oFs$YRLl0BY%3PwZ!hCuV246UScg>3GqPH7A`+2*tj^O606c*)MK$*UW6< zYOZUW z&2I0px=>9jiwDRMX;D&CBoIr+J||l>(^xXf zRc{pMR09^)u3dZK!iC3(Qj?(s=LRO^vEq)UvP8{rOn!punB{={LQn~KOS#a=hg+WRF2L2U4Qm%1 z26$3&aB#r9A&dc+EtYX4-VO#Zb{zjM&2sA0sX~D081r4FeOeulsJ3jubSxu;_UN}_ zdx9&Jr~eroto~~~r0JChV6B1cKYc)AaSaXC0-1|diDy@vr~SHWbkvYcVVDr}bv5nI zw;2CIuMi1)VP@tNls`sBt}7|&W*rp}xT13N-tlj;Opdx8E1N6qoT0&Di<+LMUtiKg(g%3 zs?D1#s2AHzbFb$(v^Y4XykFRXU|v;FaFX&zU*BvwPi~3-#%&Bf{R2Zo_P9t4)0c-@ zn)HTbMRW5H8bo07+;1XAmD#RUM;bY`xKZB1V33@Hkx-rZcBd`%(rjyzj@!hd$Ic^V zGf;YVxBHuUE&Xs~s-VApuM?z6$-z~{PXr_5C$hFD$3)X^@NfnpBK4_Phf48~CBOIe zSq(LEbzkZ(_I|!UQ6u9`yx*Fkq+&+jD=t3~rWlM^FTdikXHLi$-# zw>h?MC`jvc;&8ot?_P+cqn+MdOSmkx=T57F{QMpnJG)O@Izl>Tn&=n|hZ$*H9n?q+1X zGjSI*BK}I`6Po;_<{CaGO~= zZ2R|*JW=XpQ(o?kw@M9paD9|#>Ti6LOI{gMp}VbRX*!HG2R+E!+gl1z17Q$h|0116 zj>9!|NykM?0BD*6hYl4kie2XX*_smjWv2D*Pl$8MhHn0JSssrrhNm^NN=RJKQ95+! z(A%v3YZ&-UhXr$%Q`qJ1+Ycts6kQ?rGSQqzCh-?-avh#<I`L08ZQP$0BjL6nsaH$f`FUXboMRK0<${8B(U_ zP|6lZFyKdH@gH17e)RWScb>dzYypm(aU)`H=etYvzD3W{($XsCuoC=@o-j(VZ#+8X z2)x9B6%qXbS0WB^~;a;A#?fJ2ET7 z|3O8XRB+q)mi_tJ7}dlMU|j&Wo+}y9S`Z2OZ4><}Wuv=zOlLkUa1NW30vFa&L>=zx z>VmRq4cRnX6MS|a2(GW@^+^K*1N~|&zgc4_^u{V`YBBd}4+KF)-zpndctLoy_+egf z%{!W_HqTa1ro5MXMCfB;OFBVWsmBewTZB{oT&t-q# zoqMn`w;=D7nORb*#*CP93rTqG#%;?8Bl!gdy;)BIHVAa`QdHpBv2;vxruA6D*ADio zz6-iYo3~nXV*zX%J3DhfJyHCk)$vo=-)Lrhj37cOj!DuX9Uz2@ zi;I)f80s&8YlD+~FwfI>adDjN?B_2OVG}G(mh&9B_(Gmb*7ihhmWpKRHH9xmGd_Pk zyNQp#|GnjTGnPUOeWgGkP1o|mR3Ar5U?Xd_i==Mq)|^kbJN+zYhg&9F@vuDR(!nPa zYx~CW@VjVfjeJ*o%dlL^JoW(|V7d538mRxswKGUeYl@lKeX~=n_s5S~2*{9Mn2#PE z{MisYsT{e%C9h{@s^LrO1zlrMCJzq}8F%c*2EbfOKHEuM-%g=mZ|ydoMB%L!%N$V= zC>@;NdNO7)We4@d>N5n6lsuGhdYuC{UEG^%s!*SBT}*V-5=65-N4TXJh(}(xVMAHQ zzH{f!^-4sAU6SGrbsz5SJ~hIyK;b&*~Fmo|`;B>-+540jBYp$w{@3w;nIARgjj>8>kIO zUW|3x)#hZI((l4^{gZA|9=1AXLQ|j7K2Ar+tGg5ZGd9|h&XFnZx1I>DO;C=0tf#L} zLTRFJ=-%-Vhod)fnI%xR6SB7-n7AZzKY8*5fMvT3geqBkp`0YdQAm|)L_TdyGu4{f zz~8BbFf&*eA>)qhl5E^kr)y+r7~_x_Wg}=vZjG<5t_}spS#RGmCl^@HDqmV`7)v~U z844F(UVfc+kb&FYp7RAu^4c$^LOB8KS6o<#aFn_-xdFqs-g9cud%xHoCMMIQaN)G# zu2bPL8XO#qH7kcfF%4Y+`h^KObUQ7rzG8MJ7A_W0d9aU!UfHh8moNVk8YLHcc24DY z01S9(-6AtLi_ib$$NXMv_44p|dPPVO3x+}1_=Q7wuj{6rJ$4pFx{MC^#G`;#Y)ImI_n7MpB4+g}|@UYYAuU11Ym zp0pZnR;bcc&vnW!edp!n1)=R4=Li)GN(n4lg|^cJ3Z7ey#XQ~alE5dMvJq6jWg3yS zZGX}tWS5nf`(D1PHZhtxc3e!1ipcevq?H-O+2?+K(?1)Act{Hu?%sXx=~-SaMb6SK zeTFrSde_1|an>La(;SC|N!-uh&u_V#iF_450^cFEjSLLT16CbAasb&N$cdo6s7>HeBn-bsfl+3D`t&X$!V#a<{L=*lqF!~eN&{M16}C%tr0$}} zp*CH>P;yt>4P`qzI*ghU_8+@@modJb8|HltE;Lc&3j6)t$R6Myt^2vJxN#j6YzS6jKk7M+T;Oo zu!17*&z~|gNmG>~2v8hHkM4t#55f>EXrMi%;Cd-H3u~Q_OTp|hp-95vZ{9#Cc;x9x z2)ZbLf&8PQ6sM6!Q8$W7hk z&C0W!jQJ~$vn~3Us@wymDDJBfl?U}y<7;4nXV1DvMn*zPPfQ#`G7>>8(rLwRmya;)r1VcvXMxrd!fb? z3GKxSA`7kj2P2PM3bI5| z1=Q(kWWDm3^d+U`9sU6UPf#Ju>6*fOQszzC`S|!G?51gCj6vQ}nG*3U2Uz4GPDlKXXF`JY#2Phf!#V zRb{GKC1Lwv@r8g6uNh&&ORQuU6Zu{t0N|rx^s^TFf*Y3heFxtNK4zv3kjAZ*(~hlW z*e-xqGah|Q4$?&-22m~;^M229Lyb8ZB}{yEI?jDF+;@a{)g`>@5F6WV7*b^1v1i$x zHt<%h;5|EKmZ7gW{fv%`u`R?aZTx&zjb7{%xHVvTJj1w6pJJ+=#})G3E+lgbLy0=l z)^LBa&~EaU8+>yYe*IGE#A2eYS2>w(D0EF+kCXHde25eKj(3b{?nLSTF6OP*DaMG$~}d>W9DoB!oXr7_~A`E>YHPvp*Jf3(?y&dnN!|9Vx)xV z|Mxn{?{djM-~KKf{l`ccy-!XS43Wcv*Vfh^me^y21mAnC32N#uV-j0sX~$ZdC@93@ z;^GxeLzc&>sl9=#Hm+ZP`plWx!TSCm-j#)fn`d>=h~?C6;wviKjfiHgC*r5I7+vyw ze0?n@drFbH5jh+X0b*4XQ|Cp0yv_iaA%sT$Uxuj$nOdRX>mUIQhkz|c@)L?B*KrN>Ff=yw*cZ2(1%1 zc`u)KAxLNZScY@Iajh#43V>F3ic=+S=}x3MtzrBqCys%muB8ge*xfc$-i- zH*BR7U+D2Q&6+5JAQ#7E1YYH`k$QG=(%j6<7L`@h3m_flJ=((mKbo#QN1#z2<@tgt zyekbr4b`})cRpeP#Hnt)xgwsC5t*J!)Ub=X&zmQH#_ zgB{<}*H=wy!l%_;5hh+803p}M2nbp2`pJ7{W=F@;w{6?TL|RVzvKHAdXR?fAPi7Wu zXwZjzr4rQBs}5CSPTe{KJPREH0IwP~ zq`{F9fMJ`3$=hFEH3*_Kw4fx#d!0ys=NM8cNufcT!aa{z(IiQ3t;-3mUy zV-e6isi_Kq4`Xm7#B^|oie5_y<tg9YuY9a$qzawiV2n8_rS65-=|=4O-r*z zL9bLE#E|9+3DBhgfAVox zS?6L`s95Mk?l?dup5#{GI!Pb^rKfKOJ0IP@e;<&*&)+}Lnlu>kTsL@Osz2Bi=Buo@ zHxOs+7P+^{(f2-8fMRyBCv@x24XTw(sm3j! z4^L&>p|*@d(__z$8CbJF8KBV|4!+as*Ax{$+#6CMRP|0mpRmWArJz#PwM{kdDvRrF zcu8z*(!Xr@TbF#3C7p^=!}rgB?q{(lZ@_&&HAH})1HO4-Qv8jO{ky9&2TvBosB}3#Tb~ZNN zLHmVCy>6Y}{(dSJnUg0grTEW*+$|#{UQ)TGtE-V|b%~NFwNcS>`&o1UhhUhR?r$oM zMHIE`bUi2(L5wP!IzQbrDs|( zWhH+X?rR@<9*cDNFfo?-`uc`*X=Rw7=1w+jh{>AWBVyn|Liq^_-UstzEQOW9B3ub` zQ&S&1wqrbsc3mR(5@lJUs*JsXJkF(&&dbXB4$et)-`R@${;H$!v;+&L#;fjbai~d8 zN4zfDgyrn0tE-DFfcP=g5PL)``r6g2^C-ShvJe!JyS0B^wx(7`66dyVl&p43vM6Y1 z7@KALyTGdOnPIT=tB$usBaD#POQ`OQBIKjeWu6ViS>wGTZ4+cMlOg5P!c0m|O@IEU zj`r#5@+cQqOZkFSqqpA0rTOiD$zhX=xM~>P#Mi|2YS~h#pQs}|aM8kcrmk5G)^nPB zetupl0w2Jt20R;)oQmb)w*7{TD-UQu`9-v%?^TzSu#H{CV441L>B0q$#Df@|7}~*3 zXXs`bH^h?;@$$+yW`F<#r06GglFXk{<#HC}$j#08eKQ=7zXuezX zFS?KQKn+VbH}oIMvhZb=Q?QtU-lm#%avO~xgTa}V;aks?P%Tg`E&%F@ zap2&GmGU~t2-DNhP%2Zp@Z>U`*4VZg9G}hlhkt$n6@sy zJT~#MS`q`lZS!WkUVl{-4g0=-_j&g013b`3qVPMQ_!($DJv*z3bPg#JL`lEm#ddmn zF^BoPqW)~~EFL@v7$bW0XmoONGRmNh)o>e9_zPqD#Yi*bYgO`84MCFcA_n)4=;F~> zLpKY8rDE0+5;Tcgtd__-_>TRz%Dp_s(sVK8c#7IKH6^8KtOYe=rtRBbS5|quyYmiS zRa0BkBF|{`WkZINTplk#fwGi|OS1t!RgTWx%&vE>t)aK4o6(MJa>brh6Q5{}fe*A* z&kQw|xx0WNl?4@{9m7rqe<%vKdOr^l~vDHlk`&g_Q#+uw%!LE-a4W;o+enF`M!4Nak@`xtcjMod+;0 zs0*XwXMzBJDM%2HGdnd!4^aTm(1{|_kjwDDFBKRcbHw<*sM$y6)h+SCbG8|=QN$76 zomp#YeSQ6f`{>6w@kL>YuuLgQFaGoG-yVV=y2}L!SlDm3h=vsIBS(t=;%C8C9cw9W zP{DGLpD$zYjWGR{w_+L4{=W|J4?$FY35%O4lvtu}P>%UtXzN_P)j1K?Dtc_Zc0b+| zRCR;5*?vou6OdaKoYdurq|lbr2m>9(I9r$lCBFaTQ2b{I{*S9bO9u`#Rw*g+pNw5Z zN{7)S%ngg@{{E+{Mq8MeLO*~0OkN#>(PgeP*0CRTHg^w?!RDlJZ|}<~V+?quH)S2^ zF&yp_$R|$oKiptkiz}+8;GbJsS|WNGcCuc)Yhe)^@C}Rp`}Vg2d$-Iou4QM3gAd`C zf6m^G4A6nzGoH;IB(UzlF4s z+=qPJWFz)TYYNX9r>(z~s@+h6Y@q}RO^#7?IxUSP=B~0gC7ZO(R+Cmg+GcB={G~;0 ze@mt_0F5Ru_e;eK-o1O5je|o#D|G;bED-+ddry9O84qD#bhDSWj{dse*Sst;U1`@a zsg3s^U5(;@(A6vv@sj5Dj-Tl1@9)gEZ>p@kl-Sf}&l%+e`RqB5R_b5PHC@7lq zTUs*Szpv>C$4V61LYOE1#Vx##Tmv!#;?qiGI5C(f5GVg?H*{HHS#fi9g|)Lq^W>Tv z-|nwji#pfMF$FArIxpz|_|ATo{Li<4X9x~(ab5b=K!`R1d++rPUcpop6gT2hBgp8) z3Y-NFgwnPYThf54(n!n4NaMb-F%n89ZlW?6VDXD`vy2qOgOJ(Kev zz=<|2LG%QQv%Mw37`9S+B$Sec=mnJsaD&&y2*~%`g$p}n#33bglE{t_CPw~x!-=<~ zT6EaK^wn&?i@FW?34LfGPoJ{54s>KMA<9TdNc?{3)fAHsDfX`6mXGl9@h`ePc;JZY z=P45IyW3~A+>xsS)U9_Bjb)oyxHZyg_V51&vYf5i33sZGj}Jn`r?|KZ2REVxOs^Ov zwQJ&CFdZGHhx0&LJ@CIcS38ElWWXVs1})*7M9C~^!Qt}DV`$4VAFMn4%WeQI;7!v| zxzWqe&|Fkx(fa{~qXD@dwNPnk>H5ga@L4^y)$!%9g3<^j33h72RTfzvPY|9~_U!sik@@32qejsWAR@OeaLSW`2N13n&(sZHJqlr$i@Nga5$LNoPZPNm+UM80m z6ch}Jub(hXK#&mymYrOL7P<^4F$X8-*T%hDHuwq)Yc#}cK@$kYTk_I{OP3tc=&@zP zNpNYfNqk+oas^5T8ncp-C5SM4B~mUvU@h9AIAA716C>CFtdfr49LbkZx{@Ro6d#`%yu(m7WZVfp11tqgdR7tilYh5m(WFDUvz?uC2X;t(%K6wIUs3^FH-qn=`yk(E~ zJjSqW158n@!5C;Xud=uzS1#eVJ!LTAl;|uhF2Z*I(Yar5zPkavu$ibWF7vUn7TFa; zc@ex_1Ha_pV1{X@q;EW29avB@?$}3=5)6kPCtk&Npk|UZ&e0DhRs{Q4U!y#PhNgs9 z|0!Aat*Dk@BM~Y});ox`JlWIFXu443Lzz4_VeJBvIC_A72~nWBFh0-YNkOCG;|2|d z(bi{E`Ue=}g}^18o&R7dB&_}wfjZeMuxRuShhh3=hFj`&jlfN%76%Tp5b8M!i27#K zkW4bi=#@C`DaT44!eIKWjwRv=u)_O>ep~zOgc!Nm+1dH|6)B$v1s%tBZ_>0M!3L6X zx9+el7N1d($8v*pi6+0exY$NU!B*wJ)xWf{ru)=Epne$y-J*t-SV(SJ;Rs;YY*y+ zn>TGjv3t9Wjg3v5T1pJN>7Kfw8LSStp`hGCL>fXx34zeIKjO>KF9TX~>EbKXjx2+m zy6Wn&f4#wrg)7@tIy@G>3mP?Elq_O*wE;g}Sy_oqF9646J#=V(ad9&XI&oLgw6%=h z!9D6_bB|PfUdrp{m(fz*X8(I8R$X3B{_O>ztjoRb7Z9LkDzBmfLqNpo4n#PE#7!}q zNeH;;=7<)8xHm<`lXWBMBKj-1X-Ag~nbG8|$0#Rcx6W-HaN5qNtFc-Hf0u!P`(*>{ z42^TV2z@9~{Oa^Ta{`a+3vt^?$S$#x!V7D{AkfITL%p0CtS?@Ey*@*k@@YVT%FIC( zPuaU?F>ylM2Xhw4TXo2rmL8VGz|3|Sl}@|VTd}n08vV)MVH6>J26j&2jF^wwb_pf5|wbL9g60V z%_bN7`ufnHSC;tk@#DuRcO%J=ikRq+3$wG_E#kl@mC1mvM?Cb|LL=~5csvNf5R8%3ASJ&$hAw$19 zbv{f6W_L6gSi>q{xUbq#!kNelQD%lC^iorklMq91MMz_3Y}~SUoOv7S2t*@2rr^21 z|IA362sR!YTNHMD$^1xfoj6F_?~U znAQ<4`s?hdn327+m%Kc?jOUI?W`3?y{`}DSk$ZO09-*s@_8xSP6?8n4(xRHF^wu0c zqjQ*!YL?CWj85SWbwMkIgLMAx657%VyPke}-~Z+1N4NJ>2RJj|Pc7w?=)bVH>igr( z>RhY+Xi`hE0UDcMS}l@LbLXDCo!z|^s+VT&^( zO%t6iXz55o7v$mdeyC}p&M*nP9X4V$R+Ax9=&M(fNb_csD+rcQRudd6V2XmBd>1ePk^RV_L+&RD$pNN2BIm=RhzW0NX$cGtM!yD}ZMPxE z!Iji4yGhB?^AD9(0=W7p>FxHUK} z;?RQ*0$4NuK9l1&zE=9HI2-*}Q=Z~qg45f-+AGhl|5YsY`Rg!{|Bv6uTfO`Ri4*AU zcAO$b&oDMb5jV)rE)#woS_)>KU7JszKmRBx7Q=gb%U@=I|1zNY%LsTy32PQ1u@Y7_ zk2W}Ba$yNH8~U@ORJT1D6=ca58NgmiM)y}sdnYT}mIH7HX5L??arkWebso$A$5Zgn z`uxAxyjr>d;yU1XFlcgxO#z&tv!)$Y)caM0HWGetg?3+xVZ(8-J#+vf7J@;{*z`g1 zT(@qWQjF3d`Xo@qtnUuQ5|oefS@ql@C6x>IkAND9&JsIYYUVyCRHh+OrKca0l9F=t z1Dm)n^JrSjkEr;ePVdazLzXxZ(9T0C1Au_ergxpre_!oI#mGWd_Qsm3l~#S!9Pghy zutLihG@E;7v~#WQ^QHB41n;dovB+a*DLiQ5MD25OwED+O{EnB8KSj-Cm~K1|E(8m- zTn?WJdHHgkG)nLh^Lo*W5lZa-RW&?6YhD+i#5sMPD4=cLUq^a64cMU@NcLrd#-`Vb zLAbw*cPjF1-K&*Q{R+Zc<+II>eA+*!l`Kf87;jxVND2|pXQdt!JoMb_IW5=T+?C6} zq$9wIjd# zezNWN-8?#SkIskvep~6AInx8?ovV=(cueMN)2o+GasT~7ua4Zol1odWMOX~?{c4v) z_K%tTzTz=EGV9^LZ|xC2XR2ua`(_l`q$|GH|9TU}z)CP($O!4z2-Dz)LnFU$ONkpP z2K@fP9e;UO@%PIDiIY2;g~CoKC2Fp~4h}<}l@jsgmsI}eD+DVPn)YQ9=SUTncwMKs zpC!+>i?EO;AZhO6tN2yQ_^&BtszM6~%;#eztOX3|@pU2rx4uA&1_i}GdFkIu+9Wxm7tXg-m%jz*gQ|a%=Q{uMGf*0A?CjtM z2?`AKkoprHu6r}NF{q_{B35hWwcvPxPi5!2*Vw|)JcO-8?R=j;oj{l2Dvr1);s&9B zXdrVC*f?70QQJGeRXEC3`4&}URZIY1afXthhzRYv*RWd^ac@N_%ls@^6eTlFbfqy< zf)KC>CGO zWxI+s<;+~tYi^cLL@_V-=}_O{fPn=9#H|2x?q2sJ&t)U5UkNJlL7)kMS?Cl5E(S?7 zx6OBVrwqIZA|NnvAwu!!Qktvlx)D!+b)u?_WQ?Yy=cT$JQy=?W5jMAO-MXJo`xJU( z_cJhXa&n?*iL5VT)>Q}@V{ln6<+3DP!LS6QV?kB52{0RevuhUb)#5wQX$o?Io-tEB zJ>?AZUSRrMhXwwrO>@I72VafjL=0!+ht52Y%3CX^Tj5KZe&&UQ(?3>3?Am|>MMoXHg<6<(p1vWY!gc%DRvl%uM+I=BVIS5k^aK95g zXCN6+BphpqvwM6Hdvi2CSsGy64O8sk#{;@mVA}<7ivHjWkf|_mxiEl%fn?1cLQb;7 z8B<{RIKYUTG9PpZXOHnS-7qo=UMPph2XsaZC+Xl{_?XIUyHF8%|KUR&gU`#C8Zi2! zY|#{}T8%SIDk?b96Ax^Sy0>Dq5=1*|D=QfE!>Y6)BEC0j;-;b^dhx#|YDsZ%5v6f> z|5T!tFtWsf1L!@l8g0J@N{N1k^iQ9NPCpDF0r24mg-ntS(Pu&&6avrtl$jE`jueI_ zFt7!KCa7w5_b!dd8Lz!8XUK?MB%FH%s(`7rgCzr-N)BBGn6)|bHY{Tw5meLV5BkE> zcwxB|r@I`STE#^Soo@THD-)!yuNM8b1r-$+X+k`-mXk5|1pu3s_ zA>{BY6&hDgsm&>BgtjV81CEnCga)Xm<-N|#f~FnfM~|Lcx?k+gge9UsXL4R1GNDi| z>jRma!{*rHwFOz^Wpu;J0y7AV8Q?eyaH#dts8xBmyR*4_-f4c%;wE$wQ^Ef3CufXO z^anIRO4GcObYzz+ZesN<1!+YKQGjivV)QO4bxLY#_-t#@jL%I@P5jvq=?(I9T)-7XI;wU<7H-8?jj-sM7ADiVob{sBTTc|gmVi3Ss_68@Fbrk_{ zyet^l=$MN|y+aFqnyo-2P}NoXWzON^HMFCPmCwlBfwqY7Blu*vSbJdNoO#V2o($KaRr+ zI&^St3W+y!p**b?H@2J*xOpZL8xoe)T>H7IqM}>ikA%AstQh3d39d4jp74+B;+$ww z?Jw_K+CMm_K8nzf zQ97rj%)qpPzU5%OX|U!ZHufX%VYY$m;0D!@C4YX6Ci-clNSYCf*U`=dc?r2^_*-UL zk`a;$?{?sivZ?-RL?~8D8R7tv@LXm}%(#G!LWZ`fX(tRgPzkZ+ej?s=(S;kP94`+i z5`hoXTXMdPK=_%E!RTxzc2?Fi?IojunSo6+Jjv$+IEffFvDytGRo209FJ3?CJ*{=M zxuwN}9zvh3q(@)CeKb9d)HXLaBl7eu^lW%%>-^$;1pl4Gcr~jFUabT*+~HIcIN+4S z4&Yu$BhoYwPGIf|wk6zFaOgdhNgas>;-3#~-hvH0qe$5dEk)IHJQW)ivc5^YT9BMc!kp@N1nH`LR+htWj2 z1G}7>PLS}stzU3-AhzV?7rZwywm89wIQt2@w6Ts3nnmnk*{Z3jfemW2GcWRJMfGkV z?GsKuv74X5ZnVq%#gtEBqo5&F{AFQ&zBc;c zx(Yr5IR^OoDIrwDy1Zo{|69=E^%K)c;)J0YV@L=h=mi6N>Bb}@-$R4JoXk#7Ge|nv zVD7yLNPqv_Q@zzUh{7-?@~Ir9FmH^wKwBAeY4d{vhYx>ApTR2*xMeyKq2Yg{;k?qw z-TuHsfx|>cdwQ$`#Pu#^7?%|8s`4F1d#|s-0tRub3dL{Xqmgillz5zvU{{HIfm#dB zB}g(lYKdTq<1yGMo%=*jms~^98BN22TF{(&u%8}s-Y3fAK0D3Uo9L)2oaMUu{&Vx; zU3~n3ai=_X1o3<+X4<#omq=i~1MTa>J1DYQh!c@|dLR}-R;ZyTxIXVYY+Ir$Pch@^v?5=7VhpG4F{3WTf|d|2QPGy#S_M{L58v7;2QF!vDjYD7Q2YU1 zQqnYxQciK%O68~`eT?lv(tsE?Gd}(vHHf67Xao;9b>~p+cO?F%#}A+93XbZKeN5Ne z)1!p`D<&o;X&N92#b`^Qlho8Zi17gav*n>uBuShQNli@+QyTiBpl8C9rWB!w@f~rQ zg8Z(u&5g1A=W7u5TPINom##b{L;SJVXvuP;t-{Fs~!@9Q!^i7hhoa85MhHz$U= zzWyW7)1Ezhuyk-h4g+>mRj1O;uW*A4-OrD~n}ej{F`Ui4*bO+q#0hI4D7OWRB4dHv z`4nKN0D+*Q*yv3M0N+Qkex!^-9Y}GZp+?aSKk@!-5i!_|AoGIRENlB;;d0Fj)?29PzvMTf; zVm1dZWi;^ou?o)dMZ-Ifn-Y=sRdIlJgvSmGbqVel0MjF^`9vuaH^zqs zwy4dzm*KSXsqX_I}}kVq7yQ7KWTT7j8JyX=?~y>+Qerk z7s+sCejyHlS;PT*SdKVE0j_(GC8*^7y@ze($k<*ucgC6dA_6NGJHa?65x1&fL;dn- zH|k^9g{WgzFF!*Rbl0bc%k&~E`bHIXb$gKO&{Qb68~IbD`~k#>d823Ly=&I2K_0_# zJdd6{*|upDfezQ@b#$yEPmZlTMeDe(=QQ=_LI(g7XJ*Tx#!L3MF~Z0SIDN3Hj&*Ks zj+RXKwZ(Jy5qo5Ba#I}~=Kjo-$VSzbBKL4Qidk7DB4)B|B)T$GY$kioRaS+CF`M;6 zll~$RboN`0qrF)*Osml$4~3HM!PjfNR7&l`@U%82To1Nb%)R@=+2#cD0ge_G zpvFWK55gdUvq<}1i${`D)VOj+(EM@<&D~HbKkBY9RIyU#1EhWMdNg(fXz$UZvMe%+ z6+j#czvPJ*KC`G#h|j!F;8FOsK$6{18`{srM8?tuT-R&iv9dzB zI(mhj&jZBt@jd}oa#L9_1|X)v5Uy1-$;*3C+1#$b#^CZ*+I7Az{PYH~kC_sC3~d2K zMG{QQVj&+1>9%BO?Lb>vV*2)d`vPqVzd9xp)uiLdGn_nwHLqRLiKC;axjHBabIRvq z?C{@H%G|y^0PVhk{L07Y+y2;y^Zs;jb23wcN?I5j8~44&VK;ozI0G>f}|paFbxy)>J0j1nF&MHWU>B{az*=)aPPP2_lVC1aiRUL;EdMGJC1_P60!ocwF& z^a;#I#S$7;V3cnH%CB5QhbFnMGbnD3Cf?x{AAxIRZ!v@dWNtXjC%@2Y!DbKo7y)R3 zrk|s@;kLvetaCIZoIj6JTM2T%;1bvk?ZnD`t0m#;rn0qWvkEw-sLGU`QPLqQ`-(3e zAZy{{3hEjm0f7rR4hFl;e8))I@dI$6F>JwB2)vPeWWY!${t0`L1>7@7Y0| zI(~xz{1l}*dYFnq&v5P}x@gf2L?=xH096C@i{qwlIUR~QgDYU)lCUjswh z_<+!L+zmyTp02KE1x6N^H7aCj)`f(+x)+8zpbr-P&YG-R2Dk5cR7F&9Z0{`s{Kw%= zAq({{4*W^Do<85k(Jtm7S73ZP0Cm88JC}N~F9Ok=16Gd;W5kp)VDz4KKTt;sS`q@R zT0*giszq>h$|9cnjV(tV67gJzL*U`Xq3iI0{P{|2Y+7u6d0AN*sEYTI3TseRi1h(KJ2PKJj}U44X-IokQt5(@@AA$j13)!GI_AA811c;y zgVTt14Ma?N5RbT-N>;WQteiOfqpSN~Cu*)}6B{Xj)&&p9dg){Ey`bp{5jfqo3U(m> zrRakhS&eQxOh0FXQ*Wa_)JV(sPReHdME|mR<^&F_0Q=nh>6J}Hq7ioUS@9f# zGR%!;qk;kci$mXWK6xE@hQ4UJ%!AEcYdsJo)RS)~0g8aPpdSJ$-_F*SIJexHSqbL= z^e^o+k4DVtTDt~4V*EHW5rG3m@^2Xy@KcCFzO4KqtACc*wx(YsF-~C6Ryfq2K+rRU zZ)JMG41*_40|InFGE6lbx(&$t_H{q7Xu*53ur$#FhH&-!gmm=1RP606BLnR2lImH& z>CS@GudYNZLF>R7<0DZ1aB%Tq%6ve9&ZP|}G$seoMhZR69uBi1vQC(~n?3ZY(Ebf; z+2n)tPi%G$lV|g~zKx=%34H#Gz3yq?*1+d^&^7?g&R6Nv6eKfK!pDSGi1n87FJ8RB zPz_edp$)or;Thngu4W$Vloe9Tm%v3jK%p*qoQ9MxJH`1PrURpGJA(`H%Rnu9M#cn- zFV)ze4CpCp-v)!kLh%cxAlZdm+(MohSV$qaR*!H_QIkOR*!|BhDMK3A73%pCS;t}G zd)`_zb%zh;d%D_0)z#ZHoT!4lX;ImKRWN`R%0HHiL$CT+eb4)|6Vs~EV2Q>Ic7H#9+Qa>Flg?=S~hlDp(Ybr60wtV_U)ygQz$OW-Mgr zSEWxu<@|kc&=v*;90fOv_>8a(xEiYvUW67!gwYt=;X8_o&(`F6lc1!?p+QkGS{!mV zo(+vL=*wJ&?*$tRBnuM_Ihg6VB^y#||Ka<7=OePSSD<8WwMrb%ZB!nq4KD_;*kW;$ zf++^Vd(bvlnb&MRRFBs1W`V$53gkbGv!6sZNs_0$h{cEl=(Ckx>0@aS#u&(;%kxQn z(iyyOnVjaOUp8C7{D4rqFOwmQDI1yl;whrVet3ApHimf|SLU3f0=c+Q_Rc;9ob8C? zYM3cOat0(d}eD#P~BPd7Nq z+RzAz>f*FhUpq~x5n{+UNKwEI7ie4&NzkJDzX&_;xSad9|9={i6d@#|>=i|dGAbEa zNixbPE|O#=l1itn$jGKd!)VCL$Vv!>C`u$Uq9KY(MD=^VPv86dxPSNK9{%`_>pGq1 z=kp%Nc)ec7akM$EJ%(l=G{JiX1~%jL%qt}GbS?t;asi2XKcT_P*H^a=55#xLVs@p? z!-oTE(7L;xRI<|NJ4;U2w^26>AKf5RH<*6bqGCQy6KrkKskvPQg>cCKyH5W@?yS`s zhh(iyx5R*z@snvMgt(LTAd?N4t8n+eQJZlXdCCisB=CGRdAYQr&}QiAqwCvcopM+~ zc^dYH>wXTN;XKXpu6)N;0erO8)^;r|DOZ?Y(XdB<{=?!8!=C@7#) z|GW3^BM-z%+70Bplqa;Eyql;xE9}CfVHQUChewNEzs@z(6D%iw0AeoqrA`$By5DOZ z#wj{$iP)^mtp^X>NO1()5*GG)bJC9}n$J;;uNK)$QX%t{EPBxhPFG87Z*XwA<(c!B zFE`cDKoqMV&d)dRy_U_cAuuob^2HC9d&u=wd>IPCH3p4jlLR+rI3IgL+1oJsI=z`a z40R-sRmtTp(x?>qx;w3R6*5u`I|?c6*!H)M5}`M|MmUI5SV<%OoHXaT6))V6Uh4 z&@w&hMw?4Q9fO1Y6|^;kSl+M!rf2MN5%7sRwkYt9^6%e6D86UWJ_zEZj5p_|py-FJ5d9c+80dAB`F6=Hhaq;xGnV{KHKTbszbWEflo`44jamcS)IYszapdOS-&5oY zB-&`68z(vYa=d;Mm;m*~SClDl94>+fZVhsRVTBb%rL}nQRq#VKJ+&+%D$i8jrdwY=8PubMtFme$UHIwtzJbDE~Lpbmukdyqj=Mvke1)>`q>+ju$e(U2*qFYq96xN;$KYC?cWy514S&*#*JbrQiej%NL%tpuA$GrdWp#qh+ zi?^DARMdH2D_o*O?sL8aEX`~*6MD$o zhSJpv3heD|$-0I7OK5!8l`jFbD{04}EG3x+NTpZ9eDRq!;_ZfBTT>Owt3kzOyIuU@ z%7hxq|A#Hf8w8JhCr8ENy|}MM=@f=Sw+N1D*RF`6C2!vv5`)opZd27NNxQN9n-Zb; z>|&VmG-2YzoDO}ao_awL30*pNZ;v@Yb0rIr%2_1k-Sju7gEO21VU|zU^XIFOqjD@o zJ2l_MQm_cEWkUd_j*!Ga5hMM-I66K)9+Ni|zy&0~ZIX$UA=WXuAqk)ZEydY#Fyf1& zaq`d{!}zC!iEa2;s)G2orsZ5BZtW6`G8ABL6!@rgoUx4VTRkRFXeqwJ5(9e+yj6zos(gv67i*(Ob?qYEz}wD$=jf7>u|6Xz-!VI~p36 z6H9ZhQCM48BzHgRJD1(Ia1zg?N>mDJ^B4bn=54_)APC3GE)pNPDLyjhVQMOEkf-$8 zhm@Xgp$w1Pfk)7osV!+KV}&guNge=5MDO*y#E1$Ruh(Y z7aiNvq5AXZw$xl#$k?NrU%&hSw+q%v-8P9&>?aJQwaA9en?JXM0w}Ml`hxkP-O0Mf zN|KTg*d2RMyv6k*naMOQ!6AJ4GL&gkD^}DkS9U)CvvCvLE_u!e+%A3L!lLM2!x?D< z0y;cGET6M8%O~sExM|bsZ{JKki-I3dLdS!Y|SjcCei<#?ZE`G)IXw$I)DmkOjAO008V6h zxp@DrmpJwfR8$0EO;wdoR&K5kpral@|8U{mA|=^vv64Mvp{~uSp(4;cL5t*_j*gDJ zp$AS3pCTSjtveeRUgS-1f-&d3(M0jsP`5dA`hmNW6JLcCO8*nUs_iGSaoo%)zf@bO38%PD_kk z3~^tQc+*G`tM=H&MHk)Yw6p})AJ)*bB#XgX6hPfm>8mbn9Uy*j*_a6vV03G#%15}f zvP1dN`aeV{H>m;;9~v*nG~4OX_OaaFhAJv=Zu&bFDu@pF9CR9jsB_Q{s`Ew3KY^Yh zg!Ya72rIp^L&mW&EvRyU&(}#bMEWQ8u^+&6Y3{{`coSB`tZ6h)%h!-FK;W!fq$EAF z;&N(lMuv0E3w1;pON$SQo7x8-5;x7j!(1v7=F?fZVbczkxD6^89%s@SxCXcJIcH+u z18v1`Ef&9JNjtwsn0zGFW}~4@O1TZd#oUICic;-|vZ;8M!)7ZV@DVI8AF+=XWff#w z%z)Cq)K?1D6w8xLL+)FA20X%S^uv9<2hukXXAc-ZyX7)2fL^GpC2TEm%;UJ}{s54cTBg z*j`C)dJM21q6nEZl@^{0cjkf=u`1kEU~b_*Bn=)-&xz!!Klg#SJA#6qb=ddtqiEl8=FC#c*@S`6J0QNT+IswW^(IY_sm);sl<*#($ym4!)6N_b zi|Z@)Qf~&ZDNc)i8@x)Uw*__@gAN2g4}&gwi?dh6G(er^&HGa$1jT@ZA>6~kaP|jc zA!UDrov9mn+)hC1dU|hBW|%dl^AORwV0DBkF3{zGmfz$u5E+YN&BDj+!x|1)oSVg^ z!iI}W6>cC-Xz;FG=Sc64+mSv1BZ>yzG4?c-Psh+omBKvkJ~1`!Fa1a=V;t6y81_DQ zhqfW;0##0HNa0?5QSfOXr{6U-aQ_a4uE1A*ettK9zHfYG<`VHNaDS;g&{a5IyvKFL`r4q zh@B!6AcmM3VXMtam)#s`Qk-!;-ov|p|XWrw`~IhhD3NIzYLQiH*guatwDb;gLH2=TQ*rd zCzght65^?yXoIK;&3yRq;lJ*J+|!)+z+U0XFi_`EtVLoZKhAY-W`16tFSIp&(ELxiQl_q? zhZLg?^?@jl9MRr^`n;KVgq}0-s5$IEQh~DW4a2FWT+T+|1jL~y;n+XP$S46RFTM6? z#dezg8x^A|*$&!O7o`3dZ6AMR$V=F%on;Csd31OB2#`dYP8q}dHKu)Jip@cIH8lkU zhshwjc4@<90}#3ac7?Sj@}9d_O+ngtXnbLXlkFf9EBZe7;qGcG6DAO}?*xS|OfaRV zFgRA{B{-f6@XXx%UAlEUjTA-T3H|y7=+XLzu=Z$WQ!PhaTVwgHeMh!_Q8+se#J;if zk%|b<86F*8?X-80nVHQ&L(9CiHI)mGm^Vz#D{C#ZMZ^i6YLqsDemw>BLDPZpjxnm? zqEv}I->a-!jgsUss_bT9T3%gFMqN9-Yj6Dbuf3_V-9LQU*fC?k>tA!2j{+=J$VkjY z%LVk0;(FSS$oy?ExBumOV~+|`+2g-|=Pbq2Gp?;#OxTKLIAc_U<1WD#4)XnJ$gTzZ zRMrJ`K%1@cZG{Zpln2=AL*IHJ$Yo#teuM3pi4*IQ75u5KHTK_{;L4CwoF9mU@S(}d z==6^fT)BI$35`qPrWTrw_?7~h>DO^ zu5{}1F|V#(Z$RC;+ZORt>mgSNvyt27cv}$OvaX!ue>vKN%|F$)9%HtkzEH!cP9cg^ z+lj9O8jClo$%&rSnet2WQ<~RzVHLk``L~`vIgvWE(hnb2yt~~XEDBPQVXMFRA<}gD zTiCO5v6WAS{9XGY)zyw9J8LJ5W9!Q11{WbbFEc) zFz0>_+!k5D!-|LKcDvaej=sM}D!9j8V?J#T)EF7w!krY-ijplnC68=`p3B!8eb%TN zgWKO<%76F;T2_#Srvy_QnEbRzosquuUX&0-MmT@odNJ9B#%PpQQw{JSM3-v z3(o4f14tRqR!cthuzsVoo^pf>AFqhI0>f?m+FBa6>-tq@BBh9JU(0I)JPRQ&?f)aq zZB?tv@}0KT@%Bg$OzHDTIL`MuQ9WiUYPJPuvTN6z(*En3T9n;PeP|^L1)L>bb!xAD zB0?-^ogwW3iIH>JB0NGw9cJ*z4)*kQyva5Wt3Ep?(ep2V3TY2l(ppP6e@ zT>J~xu~EP>EaCF1BiJjqnOEx^$A%`ZI=<@g6LevqCx9_nZzUFnV`%QI4uMnJvMyJznKpUKw9zb zAxsCk18u+sA;|MK_i~%K6_wCbI9L=eeb@Fp@bHfO4@i=L6TZYvcW`JFAR2@bjh&ix zZE9W{O-<291NAy(Hp`#jVe!mC{NMD(tfc6IfMS$v&+X_XL1JxsY+hy&F|sUQ%hy)y zq^%|=$OIJ!bUKYUCk<93@Z8aM;8!FIghZG)9nkdVQS|^D^#pqeOUa9o(vV`;!YsGm znRdQ1-Z7rnx~W}@bBA(k(V_)}D=Hfgl4Qn>xjKz>f0Yjh1{8CXe4ec&qDCFUI?{(R zk;Vy7Nr>5IYHlEUqS>ld#cgJJpdWC-X`2P*3^^6Whkn(u=EpXTp_*s@lIL|^%a);H zxOgt8!FVAIMRywVdgwL41cn1Zx5>eRV2-YV))M@d`u zxNUml2%){Q`kj9U$;_3+#3J8pZfD5rIFN+k6>XFFo%b~T+?<%nfHZxd0WG$kUk$0i zQEJ*@h|mfPeVX3J_5|OP`2!QK)5J}O;j`hBOEWzSO9e1(oz!@3N7Lm zf62rq7A|XgI&u6-JyoGg-Gpv0an6DT-Iq`g{Mq*lfufN?=`-X;!ugkE2QBc3N`3b_ zws`eYaomFa(bPipz#-ygax5ax3|xX=TD#7`CQ#n*9W1EO-DvKlJN6HO_ z7;@sF{v!(yzlHW=+_@7^nLbU~}i_o09_7`ZRc<6nW6AQJB*Cxu}_W`?(JKq|1*&GS{9H|oRP<-#$g-jS4e-W zOza%8Wlp+I;%(5zMgf3~jj`rKLtdv}d+%t$y+K5n8|9CLH0c3ayAZ4{7c=Fg;^!`J z1{`MKMNQQrzgew&xE}LwvG=(AiS)>uIG2?$#FS#fU~bys*YP)?e*TJHzIInpGk6P>77aza_&b(nh()*_=;be2i_zOQ)Oz9IC*!LPNAa0eKss?VdBHXX?# z9w%#q&pc6AKB|smN!Um9c^-GZmR=sXHSEH^q$5iS6wW~a6Ww(0)(zx{KR|#$fvN$9 zyYWw_aa{Aj5KbgPu{n2_F7e0$F$1tUJ8=Z z-OKNSNC}E)Gz@&^Q{nu;eY(1PGvJO`^#aOSxuWb^F1C5++;!M7UYC^0q#s za@hN&mYTFJc!6_KysD;WnOD`=!jVx}5O0-Oh@x$EAgn}BL0h-N^=M`4o}h7s3zwy) z=B8uc13TLew7K5Xq~7!KQ`q>B#7Q^Sth_O^fvm`Ba<%*7#QMyeW74|x>zDar ziq;$iZp7u()Va+{I64k9M?D=rdFwTJv2ZafrKlf>vcnDV|D^RH;kqqbuKfLD@r}#s^xwV4 zsCN$2jl=P@;eNmP8k;MMHaO<`efls*5S&44`Q0b**2N!(O9Lubyc#BH+58VMdH*LV z7MYN{L{PIPWVEjTO-8GD!xcM02dI94|3it;{A@MtJ< zP*AbfDP0Z|(>KvJd`m?P9c7*hMatyK;6Bf|MIfc+gBFMDfeRfB`9IKk55__ro&UoI z8IO=!+Vnl}5HaFU%21j*_8T8z`}5Z?8pYmt+rb+qzHx^MO4{l?cJXR1C2viD6latt zqT|2NrT$XcZ9QrON%0(9%7*yW*gF+^d3eMEL;$SBGD>p^7ULsO0aoHs?HE$^Bmhtp zN+of6hF5C$&tWK{YzzuFD*@C9>J6t{Ao_Eb_V&VPC-p=#q zf24_zir<7h+Wj8;v5VaP!AH~i{a@1Eq*dRUslBGlwt(OF$R!fJ=$aXcq`2sC`#B(_ zAk)AvkdAHNfb(FqF@BfI>fWhY=s-65-k=l^)jKCL|6 zC$u55h1C8&_wU^4{3QJ+yb`-~qxvlT6k?^*ERpv$H8~d?Uc@M$|Am@xzCHW;>Rnxn z0DY_1e+^GxH#{PmQo8*w2Mhh#!?clQVL$#^wCLJT{})6*zdJ|C4if%jHPlP6ibdG1b zlEyKV%@Ym3-;#_&5USMg4h&1)6B6>EddXyIfKGaHvTVVR9RQ=J-0#<&%=>;p7cB_N zClL-q@4GpQj0Px=X|e%@%ch<;MvAHCtPy}f3?SDH6}zVN&kGA>g{o0D@g({*^8 zn?plFe;_(rizR2od$U3%>3u+nuGFRVo-{5(B|Z&QD!E!l*00i_0a(9X%9eHZ(Pz#e z@P2#f22FYNPkqDod!H!ABU_h#Sdo-n514`+rgu&2W|H2h=sE?9=I5rLq76M=pjg9- zp~-1!JsI1BBCwN48hhJaO*06=%#oLa zK{uHDFucu7!ketDz3dxtnSH(Y2k&xo^qW{X6n=rdbtTQtVpV$%YWJ8d`W=#rPw8!w z8d60FT}UbQgxJr9u6yp?yC=5f(VL$7`dZI_5)%wb@WLpQ@^?G+t*i3onrXJSs*M_f z9Ja4(uHfk)R-qG(IpDJl`u5$iGz*fH*-liZFav~D7_sTjJ1s4(@<(r&y{5D$P3ytW zty{Mu+T?p-JU8@D>;iwRR~C(~AK>%V$%*7A%F_D{Y*tDsmWw2efBvB@<3p;es_+y` zMjLEw(rK!L!=WQb-dxC-IBr}VVzCErnbQ5@#X;VG%a$=Y*L}9_*ufLfP>jIpv+o&W zDLlUXW=|+9Q z#^QRrlrd{=9R8=rdM`zG`|FwUi=n+N2Vp{)X_CIuN!jH#e8_p8)?#5z+NT#v9U2s361NbV`H}t8~8RZF_ATX3~=+gq=en$_+Gi<{jAqb z@E=hi(1xDAj+=NJvkX47J|F;;=Dyd%DJY{^X%SbFI=b1OoG z|NhPWmW0i)vbw`-hT1&iyJ&3R{P|BdPFxv%{jeCn51Te!T0GPY$jO87LaS-dbFvA4OLh zRKgeVs#($7wuxi}Nd+iK*P1-Dbz8TpakfZWr%ahLyv<>olc6CYnBRONQaa?Dh4tP0 zO+m6yjKHucOqn_r?>4Ygr^r*Mw&@&yR!n2I^6F}U%$9yjo<^TL_l+h2yapZcHW(+J zIMMCN06!Ls{-1NUQ@dcNkZmqqaKL0?or!u;6OG^g)b#>81w9V=6f|t$!f(aTy7NGI z5#OBA&1DFLH*Re3q_jPnn+SFK2H0tcFR`38>oqo5^eUJ>J+)d!O0V3Y0U{dPlr3Y< zmz21bl!jsGU>{TW}aA?IP6Hf!K>Vf>zFm<+mz{X8ft3H4{El2 zZu5R2BM%=e%Kp!O_VR0o|KHE**KMJ=x#J!GKCs83={wj=b@lOM#=P^f05(@rQX)yj zt&WhTyZEC$#zb*@4eUf#l<}|nvhS93S2$?0~H$=bh*ZQssSih zjv!u1BJNN#2Cc`{P-jjs9AnA1(7>r`h6$QrG zU_6Xs?A78cwi2;2l*Ws4#iU7CF`|FMe!3iP9dz!*pmsKvmI^!vC&uv5_=s(1qN80G zE=)7>8O^WtSkH1;cVjtcjUz!v#>3Y9`Z_EwCZ?D){?jKhSNMHOuim|%J$n|~s)k$4 zWGDG8#`NKi0cv+W{V|_<@O9!*dZ8nSBVnTF&(kyV!CbM?&;@a^v8z10{TDBmG_Z@J z?X+paydod@mUN#l3D%6Rv$Q*m#)v#Z*^*J5=?D8+K1$Q9r%%obSDYIw40k&Wo>AmWn*8&1=17!n&M#jbUe({qFh#E*!7m@oYF>G|S9 zcay;b2Oi)rty*Q0KXRRNcx2@8up6BNj5qQG;il1bGlK5UrICFd*&BpK89Ros=mNUv zix)+YW|v0?kvQ!#+U=mfKPG13?Ab@?e~R~85qgY9t}kA_YN6bZI2fhQ#p33C!BXT; ziB^Py9&IIS&K}2lf;rdBlo%524B}-lT>d%tmpK3ClGkP>B|WeyM-1mET51w3N5P9Qpq4v*dm-if<$_~60mc6M`}osolTk?yfWpVsas%^N~i zEsFWjeE}6yRR_J+(Q4C$lFJG`co^btWP!IXU)gVS60*ujPcJz)m%iEh%vf3&LA%Pw z)qU29Q~(xswM!W>Z-(oDh;2A4={7?UwVISy{Hj=h2%yzkPtJ5e-TB;fY~6_t6Hf~L%PNGq-wzNxD%SR0xwc?dn=!LzC&kA0 z>eA)dm9~9!wtqtQ>}&`=+uyUuwtf4s{q-*{Y}v6xAWjDu>q7Jas#Q=>KoqmQUJU4X z`?-Ns~}M>O~}8?%yIEz zq1m7Y$k@2Ok<0iQ2GAl0_Uvh)tBd4)UVxsqI%J8@vu~lNgFL{waTajXI@?Xe4BZd+ z+GuOrPo0YRt)3>bTw;`CCB)-1XU&T7zL%0R6X}hO%@PD12sdb6#hzYYQP^Zp8tCR} zIRUT$ScC8d`e~uN`%GKgW#~-E5gEA$=JTDfcZgDd?QL9Ons-sX29Ux5$SAJF|c_N@7XdLvDDHPt!E2UgepF*OZDn6Tmy zL)P|8A%o2&Ao7mnX}guRV2X9fu*8qUes@=;gGxZ*3}-{_d8y>CdV%01#wI2nQAlf{ z`3e-cK|>nt*<-=QL?aWriPg*ZtZg&o_fnf@3+mgivpI>jX$1)*ri2c!`K;&pgaqzv z;?1QzzoyQb&8=F5S-H4$d#U^jaCP#@TbjyqoSl;sR=>yaH41pUY!EnhR0oQGn+53M z&Qs$TH@G%p(TGu__V3%*Oqu$qE${AZt{4G5LP9-Oa|Fbey}eeIr_T0O#Ik~0tu-_> z41Odk0O$uGim2w#um7z=pza4wS&&0}wAK^*w`;OlFOYu^P&hz?Zmt!zmX@2JW@WYG z;v#huq4r;W!PIHf7Pz411^rku%kQe^X~2`-)P%9J6sHy(frFzF=5 zDcETc-=^8sX)wdCcBfvPPp_@ayiSGy%fqV-v^>pbVHh7hLdv=pu2>s=@|G=)s)o^y zPP(dh{aL*k_5Iw5U5mUBE_zUnS5i`f#;lRLI%&fE6$|<}oZpa_T!bOWYuZ*vhjNaQ znj3cQn)J*xFJM;W{JgF8LfR6_<+sutv2bC}l^Z@C(eMI=-l&wAd7|yDPaJ!v@>2uz z?HhM=ZDA5R3sT|56^8V(&eFnaB3OxyeSa|864(e|i9f2wTUg;S)&RSgH4 znAn;BDS7t(xw#F&N4J}AA1{w|yK3J|b&{p!EzB`A7TvSsA|mE2UObeqqpgZDt{^FC zcHT=KM`j&Sv$PMO67mZcn2gQa$ERs~v%RIOCLl|pbcoX)b29kGP5o9u*LDvz{j!;T zbvQqw#{pLbuRCW*;e9XuzP2&Oa`>(I(ityiZ1veJ#dmzs*Rfrb?#9Nnq)%Y6R;*ez zb;^{L9v+SybF3v%*@laE`?&Bu@q34{(hZ-1XZ{v|<|i5v@93 zXJjO1fhk*xBS}Yd@dTHT59-(N+=T9{l$RI@41dM_3z~|(XvM@0S(RkC(A70?`}SIT z;DM;RE?N`^62}4f_;Dpv_}9k0#YG!$Tie)%q_k6~0Qc>+KfiT0U6<5TXZs}@mj&nv zMHZGAWzep1vrWEKxBS^W&tYJ}L3@Ph1=s(eEDrR$bU7@ny=h?~w{S_{cj6zJ^o+qA z9-xuF*VmazWeTnXauGN}AUMyPm-Rq_{1;9}6Xhtn9a2tmW7Y(ySiIii5Ni?~sd?jU zf1l+8FVF3ND60rKEw%3pY)Wv2KjC}ojpSVKMqg8o;2e_{WV#OUX!Zol%PX7AnpA{q zCkL|D9ARVgn8-c4A)r&^#&xR685!lG=fhF+lYKK%-Yr8i&Xo|+1HcQKXYiQq9fmqi zm=M2jJx>pdp8e_-HN}}&Lt3Q~w7t0L@9*xeuOpuCm{x54nQP?gm@lG^=m;jydn}j< z5eNlXq5vL-T%)_Hu)XXjm)`M0bn%bricYt|-exuzQ^M2de=RN^^R-G0L!yUCtDuoX zPtctU$zR8g5mziXY`o`;)N2qid~D(G-9D z$f!8@`Q0E*1OvdqkFmKO6CF*S zjw}6zM|aSF4r#iv#^}SHmoL2$-Q29!?$YT$`T|hgMnPv()CYoDik60-d`3fjNDR9v zQ|R+|j6#1ePo1!q+ed|xq&7AGBM2)1?Qfpb{C}3u5guT3)1BM4l~N2M4}h!4!W#tu z=K52w!XvYH^tL>-fB*9kJGins?tb1!R}MixI0u1-jULT^E(rw#ldLa@8jY395B3e5 z8FAATRPoN8_318`4Fk4s*YGaKqHbKh1s*eWW{16_ffkEYF&Z|~kwqpk#PwyPfmR1DDgtyYEYyfv#$&tAP^H|n}fd+xbY)!X~m zrzZFagl$doT_leiF+#fG^_2ocqR(qwQ&DI9w$q!`R9EyOd7IYl_%(-TmFbn2)_;bP zU$As(JpwIinYwlD+EPm^D<>x|I{IK}C^|KF+%m}1V($%PWss|y>D9m0R&9ZnqJRQB zCSe*I$Md>fKCLA<<1lU`3_1b&{04FI4qv9Tecq10+D<=*7`*WYk`p3A@gxOF$}JRar?31HA4g^)?>#@M%_%(Neoj8&P+bp1v5NB3bMND|eIMKqAD$Z{ED& z>B4P(PntZrEiEKj+B7H9t=(nHuz|q#_q{xH$R@=fPtO6Cn(RexZpd%Pw^a3Z^tvdH z_qm@(Pp*e@yh2f0qFwQ+7w(r19U=_fap}^kB}@8_)zy6AmG5`oG3L4Ee~8BI0| zLf*jO47h_^7P4dBmKuabAG2S&ucDdf!}>kJ!E~L=IPs@Z0O$?%w0dRAfSdwldvUJ; zKdGl}U*G;K%Kd^9H&Jsm(a>n=Wu|vG*Rgg_Y+M}L+m@|b-SdjO$O03DnGG6r!T8YC zt7hlt$f#3zywIgjPOIp+xIG$5U4{<5acKwNC@l^sx%tnz>H27hX-4hf@RD8=z`Fq9 zcH_^M9NoKT&j%{wk(;`02i{14wSN2783bb83KA7U>&|7$%pp%}c{=w25V%iwRF~3{ z&V%`8)yA>)O}>#Y<5jUA6!PMd59kGAK|6@X2HxvD7fr01xQ1H_?U%TyYQXW>*pd$) z5>S9lJ*|*?9*pU07>dSrSC&i(_H#e*dzZ%OW$etjh0*4|?I*Mi=QdMoqY; zeqD={bDe5iDBpUwjGjJ>)Yyl!-wt=UVdKVHW&nK|Tj>u!#N5oU=@!F>D|*d|em>dW z9!iSEZr5Hwgqen7sU?;=;8Y!%EfFN4B9)-|M@(BvT_Wu3k73H#C}e6$<3`e2rWXZS zZ{Ey)`)vkjM{8Z(C$Hz|;e=$H6iDosd_Ef$)wxb|)Vm;1`p&9$wn?W?H)9_cBhdrzIfu zu~7}D5ILTGS&GSq0>eK|jv~s1%;!uud;ZaJ%iXzMyLVr)RD}e*!6NOV{F~-pA;H*x z;jO}ZgHh`lo1L!d4(7XY!v-1`l`mES|0GNOQ}XzE`;(V0?RVGKoA2VHmSGqk6O-oG z=WRj3vH1Ac&0-X>bwnwWT~t(@za1k%u_FRdGEpLu)kmq)eCwy(yPJPqw2qKJGP09` zO7Y8t?$tKo{`Ga>=fj`0U>PFese*MPW9r5rnGtoqpoGy8h%G2$y?W)!mQ!uQjY*Re z&op4R1}FCQ^JX~mv`q@T2`=RCPyr^RXFS3|92b`a>>fl=y4Q!<5Ha)*L?5uywMoF7 zbJJ1C<>e?+jXAzsLj3w3J$s@GKI&tX0WG=1x+Ra20!nDD(QI1%G1i>KVAO~aS=rf> zq6mv=;#!0@U$uX;>4ep|lPiPO=dmV+ftZPB?Ny+AFMd2=%t8^gTU*y4LcmJ zAz#)smV_S3aN~(If)>ki4P7Il*<<@se1!4qIpH*%iSG>P0>`zadKqw%R?C)yJ59k# ze3Gx~?y0qV(1q!$tZ$~PJ5eJhE{<{o=upR!5QU_zcisuhLU*F1wp}id$AEKeU%q$| zF5H}%j{GeS{cAypno&QI)MrH_gI>M*ClsR&U+j5)BLbrjT^Id-pckob(!TiT=C4@g?d<>L0oh@1$x3r_cTb9c{^ughOcW<5>5E-&EQ3~v6pJ@6Go3?lefFJ1%=>z8Kl z;2`|*jW(bh&73v;{Ay3|Rz;as;^@mNA-VL7kDaUOj-g(?dUbhi;Yg4mREE4$k=t=- z`?qfzrQE#>et2=Evd(sw`Sb6-o|Am*Rs<)z{jOeEqQ>&YT@&a3l==Z}^-*{Q<6|)~ zXvfde*N5B47PSOqr}4Yj=5=68su_lQ1_n!)E`4&NO%Ys{FeX=p~eye;S@de*3l{6R>de3@AAY+h=2< z1i54zg^Tdx#YmY(9z9se`3VdP`f$28K~e8yJrxy|30~T8v@O;g!Dp?K8}^f27^ry) z`B3FVZQ}YPi~Ueoc#?BflVY|GtH2WOJ#gUiN@cUKB`nB|Hb2o#W#IQROyxTpcB-cP zYpR59IfLWv*WpO1sjAZNv_XhME)nU;Twbc1?;^tjA^wId+A{3i4+J4%$b`R0;=dWL>1hdwFA|V44RC~JAeml!?;)F-*mJ_V4-~M(yF&|6^ z6f&>93US-WsLZ6bH2C!-aKqbuw#Vff9(qL1fB`}rGC2w$d<#W6L)Tm=YVjG;u_Seq zf*mJq^PPpC_4vPRZ^pA{p9Ae73meE+1PM#^3bNzq%%w@cx)DqvxvJb^ z*_ijI-GuO%^X75s!XqMXEpESxCM((5U&M-BRTRsrgo^=ducQN+$6TnNBfID*_k8LXW_>nPx zg&#gdK|j}|giin$z2c>aiRQw($=8JXMRpiHVNkZSg5)TV$iiz*UM1TBOa^a_=?I<< z?}QXAyp4t9+3BYW3g&U~>4NC2p#*hPXw#zqz=5Oh5I#&6`>GP_pTt^_(I_e^!jQ&H z0zx8sqtPNB*Yzauv54aj9qMUuN5*qiUzG7P1QDZ;sY!Yx>rU2OK701yfQ7pg?G$AD zXHjcGeEvr#+k7Y23nzhX`|jsBgl^V=VM6IUte@uo|0Bq)stys$3Ec2 zt}L|Wm=07qP3TN`rijs@OQS`SJ!@bw(1)p14MTc47UR8>`h8|Z%>AzAzp z``^{RKA!ei!%dXR{hAL!D8dSbhK2^QLdOZY2t!3W+PXEaneg{-7)pJ_@FxjYLqW4Z zX#smsA)XPEnr8~q^2kO%Y?Y;ypixms5Vj0%T#SgS^y}9;nm$dkq89Mg**WVkUmh5u zaCHZx3Am!fg%CKoW&zweNR`BKji9B+)Qva~^P-`#ouX)P5C}8)@u0z-CC#=WQsZa^ z$vVuOKBvJ#|4tH-I8dp% z&kWIBk9dv_UT4mrj%5I*=JEwyI*ji&8N+F1)tN3gQBM?u$8#>j<6QC9z*J zv;*YMNx3Q3TV?&bj~}zqEnqTtZ~2c9@F)7HOHDcf%b2JK(|>lvOT*;3=U`C0 zXZxC(nSl)u7*3zJFz_`g8w$ZU&&_6^O^~{1(F7^(Dh-wQ?Q5Cu-uvI!jfDBYsky0?OBCW?}{fKLjb0CS|6i6bKdY+FG;x_4wPm z?EGDDvzP1j5j<0Okd?)S4f(wvFPHYEbq(KfNw<~E5Qi`88;_m>Ne%)P-+Cuql6VCC z;^D87ZUOCl1;V350(!(LzV)xC+1X*VvR$?efky2VDuA1Le|>d%XW4Ol4=#A{`>js< z4jo!JZ(d3|km-&;b7^}*N4pwvp&WzS=OpzScW40t zn?*S5)JOMMU5seeO9wgFTT#M<`Hbj-y?c6lWZ|PjlV{E9v$yfZ4qn9(z@~5uyO0XD zY>86$X>sLI|GGo!VWulK73wphrvCuSKH*c&zjSZ1893PoRonLp;Ii+BZ_n#5TEjkg zklGvd-QG!f_8&*5I60j;d2+Poh8s8hR^(Tam#PM2WMyeRFVnXOWv!*3^|(c9M$#`E z+S%Hc|M+oYn60uaa4L}bV3H(kD~PxL^q}~|hx53yXopv_NFZiE##TGk%~8|9%zdwy@FS{G_nZmJ_Rv9zHxiDpNIJdV-6_%JInXzMuN^CRYRgTTfNo zy5qSg61XL)?dZcYb~{zIJGP;oyVSFxG>3c`^$uct5lbXp+y!1qxRs$UDJ}wAkvDu! z202Gjq5NuYB=J16EI`lEoj3mlbwU=O^ZhO98!J{EzVztklP9}-XL5YLZ(vsvjRIE3 z`m3zB)ZDkb!4aLI_eTqUtOo8g>4k$Il8D0A2q5Qx%dQA;gwS;sIi317v1@=L7a}uYu|;j zOT#=c)m8SMS_*fj5dE4Q)f2Uf}cbFU#~WAe3-)RDF-IgOSM-tU!P$ zzU-tr_vx`QikAbW3kMRHnoCj_doC=9qWec%E{~oh;xy;9{(J!x)SGF5tTw`=$L!M`4 zU2rMK(!i7S>qApnWiMY)4G zwz)FY=z@sC&NHDqE?>ITP4zuFP(gRB`Nw60F#1S7TQ73U$QA-j*Ooy3lprA!=;M@h zI9FY>ZQH>#R)Q|SxOTR&EZKg_6dJFI-megtz|RCV|K_qn)~wI9VLy>sQ+(9Jz@YWl zR4$UTr7r^iGOaLB*l$DQK+=>gkDWLH9p8AM?z_lLSK=F(D*`~sqw(GLbTb@M1bkZ-PQTRQu zEuJrANx-WPqA-^#N5?k?r{Ysj=i_prGmmKQNt1iSgw!?_cv66W-=>3Bm1;{gL+xc{JbiG)a~M`0_W@k}%n^*jlJq})eL9AG;b@Fw{B2yQvC zJtu8X<9&f$hZa4+LNE}5FG8`9gJ=YqCjW_hTnW5Qi@ty_h8ANdOlS|!hH!7gz7lwd zGy{sYQd_7o4&lLr_dd_D7!N)rO2ZF)ksYsVwS!&k_(#=Cq%z?fJ&Tsay>?2u8Yg_ z$LH6Lih`7GJpaix^xRp28DaZxEdMZS-n?VPH!E1+R)~xrKI~jJ z#hN&1>F+0vEK-U2qzgIJ{O)I%S>9ubCtUJ*(8O^9>WDtVEob9XN ztb|_cM9$^iK|v3pS_Ih*Q44!>`t&ebSM!gEiGnKpTNM86n|B4XgL;d4BDhn~Oz3FJ z{kUYXjf*Hl>*F337Zt@|AyIt>NQnxF5ELkj>LBK81^ymuIeoz{mSXJMbD#!49$i<| zY^BrinVo{Pp%C1cUwi!M(XmbFJCJZ9xq4k`+Eu1HV)W=IXeR^fKhWyImu6%lD54SU z2IFo!Mem1aCtD~lXPxkfUKvwHIO9klzQ8B=eH`+8n}*V?o02qKlqE>zh}EopBo=sqZo zr6$~`RdLhiich#ZW+`kSnh7QaS-#HLJ1Q!j;E6|x&p+A7!VsbvOUsoG2s?f1)DYS@ zOq2id@$re6IMac$dT?QuP|)ASW-x^~JfdBOjF9u(z7gFce)f$TtQ{8)SNZv6!bvhP zJ=G!1%`DO*uE7R!^My#qdpORGW5I1)w{D%QifqRnmjv2TA18K}@WnMD%mh@;w`Q<0n;>_1;^<$H(8v<>oDxw1VaJ_@Ev4{0rS=$Gh!9Dy_geJG1h}_oW$`Rm%f8Ll%!ScU40X7IomEH+c zrnuZrEs~_x_r{E{v~Ou_Mzdr1b8=YH!l$1J4vBo0vtTsh`d4zlWxaU#N1O-{kTo<# zax;>`Y>omP(Q6OzGG%vL@V@@SYjhb7B@MSJ0&NX63Dgqbef_$9I=n)Ljr;=*Hs4{w z8miL;Xl;$*@VJ&WA9k8Yw&63%qL#(tJXLbL(&L+NNVSY0@`##mkFoDoww+eCD|P zGXt=PTyvp5A|2A9K14MAq00#2za+(rDj^Fsa!7botXdGPC8-TD-!rfQ77MvY191|w zQXf8iMa?%xB)Z=7S#jmY#;up+C!tuMsDA|j(q8_|^I`3^)$b9P#6)1xx$H|{oK+AD zliXUItl~TGmeo}pt!KsHAUErv9qs;7T~EBV#cdJA1W&~n0b#rWCYUfm!b${4e3&|wTBCiCN`Pj*p=1o+t_CW}LgT7Y$@iFFB|Oi7V=5-N5;sQ=Br z1F`Wa%HmPXB4D#2dvtX4waWqLzHFIc2&}N2-I2ncvl;{4U%>N?bK_uUlg^SM zyRx!HcJfDc`D?#WQu8ob(G=%TpZ)?#%HL(tmw#q0=Y;+dz@M1PtfJ^iQ2_3A>Hrgx zq(E)fR(AS5Q6dFiA{*jq0VwIIfddKbIuO=QLqub<9+FWabHw8r6UU7*QDRqt!}#|K z@_*kXG<_KJur6QrTDx|bvD?ChZCbT5LFz0&2<=66jYVsqq?Tm5LOIFcwUMX3~8QfLEH_d}1c9Db(Kpg5Xq8L#6iC(AK`dc*AF*X*n&}b$E3P3C?|BRw2 z*OJobCcFfQM;i7SgBqPlaJZQ#VLYDvNd%D~B~L@e{FTs;%gQT5gdi+O2n~hEb&eMw zv54a&-y+b#?Pmp_I#o)J2*$~2mv7;P4&r*at|v9w4D)~g{$wjaa>3tCJ2T1%!ZSrc zCDLMC8wk|b4&cUyOO0gl@r#-3mbm-_&QY>BAe@n8HkDGIm+HU;7Td)fMJi)p1X>CEI7<-OlIBK) zG4y>Q3Z7&|!bXd&Zxt1j3A5#&k^4iqB^M4y9PN3hE6B6OUpvO8B0q$YO|1-Pux57%2dY0ows1>39evi)X0|%TgFA3YZb0<)gShnE4 z^7HJLN1qhHa@vq)1@G8l1AYmLE6!_%;E^a;|DX96hG9ZHAkv&js7ehLxgfLy9bZ=h zrjQbf4gBkwq=ox-?>0yvHw?4N-ify@_kC~ok-F6dL54gI%l2n#RYsyC?#}S2uhv6T8dbx1D(3@X25ptGvAG z8IcklfvAdx+qYi5YKxc6m@l`BHbscYflMh{>t)PP?a?Mmkf7om>CKjZ!wSLF|4-Pz zWU)6bH8nH9ia14-I?-*9a$_^EBSXsqWp)&T}vsRn>A`~+JHWMIBw*~k-|oMwiBly z<9IC%|7lV(cH+d7n<}fS&`kF8uk+>hSez8zUb=b}V@GOlJZMlN{IgE`LCa7fi=r<1 zD`&{BAhm}-|NKgz_7GZ|qw)t)BaRsao#!CbFf%D;&dO6(yH*VS#a`2$s-7Cm%@z1S9ub5CGf>0ehd;2^lT>#QyL&fU4 z_7=+`#iKQ8i2(#dn{34bAW_;rs)hKSc+@R8jf*9pKXVzbVYnzEb@K$4#i&5U$c;+8 z+>wSaR%_gt-rVGZLPdKQ!yakvn8pI z+>Yucf={5lH>G+;2Zma$QKLf?lMokJc*x(#^#I}mvL^TZq#Gh3TDfY~j&0jKSFMsi zi@p4ZHoPUs;VnYbKQ+p9y#VZ7ns?XP|yYU6&@sy8!{%5 zkkdzO4UH?=LPAYul$_+KO!rWdokl(-ya%8_OX80|Kl>RUBPJ*=zOwLHH}+NB)xZ8p z*5p2QZjq4;vLOYGp46hn9-J9n$s39Lo+&?Wf!6;i@%b;wjxFJ|2J+6Z1}$1F78^wT<{85u8%|qbjYT8Hdu7y>PT!UHM`J^iFXubU7~^pb8aL(dJ|AZ zP5ar#C@YR=5~6y4KelgQHhCE_(uUQUAp102R9$W%1^dd6K$ndOzu^=}5SGrJd%J~* z6R)m}W6U&Dde6RjHI0#0U|P&x7~V!hI;JRJp+>`_GQkG1^3AoiqfecB)FS=CgBolG zhoBCZ{KF{@tDqMMh5)V-QyZo5H|de|mP5uOzM;zjdGfef6@>sZTv-|sE?kg3d(tFJ zQ4dp043%rtL|zKSTQz_1?;-;*X2Xer=`Nx-!Gi}B@r`)vBAu@RSOtrK=vzANw4~Qn zzSGthEZ3``4z1+Txn4sekl8axine=@$c+s9n^tVz@XK79r7VA=F~H=2O0`^GnM{Hv zJyOKGxWL*`MGLNFqVdr0$3)E$c<4{{lBYa6l#Z=uIdR+QNMPBb)1`Vu`T#N92-LPO z9w>xPMeH&Yz`?x!*Un`g4gOzQ*B%XJ8i&7-)QP4xiZh{_Ixfpt8JCe#JTN%_=6pf0I+q%`-QF~-luA6O@+Ym*GS(lU(-t?|k3)e!utk zKELNe*(~hlW@%q}*`F~IhB~KjDcHDRnPZDbU3$^c5q11l!Ir3<=p_8-nqnCU>d?Pz zo!jb%!nX3m6Li>&9SX->t>9>!>3}MVlLYLlNF1Fq#v!KB^uXyK1+0Y6|6fnYll=+h`V`UVoE@uXy6S2LJ-x zC!KXvp;VEWj)TSq$)S;OdTV>CX&zp*O@~N@@+00cpg##ZJ5l;4&{RR5gZp#+9m5L% zgCqEhLPhS!60lz4;^R@;yZ1bh;JPkc=N&_Og|Y}D1QaDeP2*>Qj>A^$7>5%9p;Cd0 zzJU|mv~ZYaYwV$DDhpT2SOQssL7+RxWH=ZBe6pX!P6Cw%23e;k24!1CjVeiZUx-0r zg)Rb;!z4^$G5SMcM{AFzkEI4_EIeJiPM&ha8(1z)Qh88x@x6dEZyY(PmfjT5dkq({ zgDoA-@YpjO8%d59?#^EvA*=cT76ep_q7R2d-haC<6+@JO$xM&p?Ch2h9&vOF9~}Lr zf7K4g;Qli`>ir9?@d<2dnA%!8J715i$1#uiY&^iTf&joV5e$Efn~a0|q^29-4HiC6 zqZo0=8lpz$*bd;A!q--4W+UYJYEAd6#i za=-|>89JtGsxly^fW9uLsC(9~5CLU$cGweGtrMr$FXhr#yn&%?`~VjcDq9k(8fffS zV)gw`KWS<4L6btP<)UIYC#O7k{rHx^x&p?q_NSji>L=(8Dm%E$-y~D@0x$~1(npJ4 zH8u{zG!QSV&sxPKQV;l^H zHG2uB0a%{iygVT2v)Gvw78&{Q z-aW{23SEj~|H^Kh!Ibm3M^w?2rDRWslKjztfcY724U>5JXQzR%h@&saN4fW<&(*U8cli9n zr3Z{0=T-9es;4)(^pwE90~1)xVX;LZRN^cty@n!9Y0t+VxTO;*EDY-hYbpk$cwDQ}yuSE1{5iwyeB-7h{#Fo7mpO#N-^y z6q?zrb*EM@JLes~NaMR96^i>?lHhH3zn;WQ4LmP=c1RbFE;5MpGL z#IPah-PKScPDe6}o*&Uuf)D*grE?a0PAFCjKTgfY!^*A+Sr91)nOD0;nte-v#li?e zIkB#Ptik{%@1fyg#$2uj36r{|k5LK|+QRgh$X}e~iZ=o zx%Fd0j$1cr=A0D65lTr>r7_6ips03|&O=cSnn)YL4!|clApieyo~m>0FQ?A4#_%I$ Mv)#_B*y2#kf8JD+XaE2J literal 0 HcmV?d00001