From 2f33e2b5fb354ba1082f3d2e78ffe58c1b836e23 Mon Sep 17 00:00:00 2001
From: Jeremy Tuloup <jeremy.tuloup@gmail.com>
Date: Mon, 15 Feb 2021 15:13:59 +0100
Subject: [PATCH] Add docs to override systemd settings

---
 docs/howto/admin/systemd.rst                  |  77 ++++++++++++++++++
 docs/howto/index.rst                          |   1 +
 .../admin/jupyterhub-systemd-status.png       | Bin 0 -> 23182 bytes
 3 files changed, 78 insertions(+)
 create mode 100644 docs/howto/admin/systemd.rst
 create mode 100644 docs/images/admin/jupyterhub-systemd-status.png

diff --git a/docs/howto/admin/systemd.rst b/docs/howto/admin/systemd.rst
new file mode 100644
index 0000000..7082262
--- /dev/null
+++ b/docs/howto/admin/systemd.rst
@@ -0,0 +1,77 @@
+.. _howto/admin/systemd:
+
+================================
+Customizing ``systemd`` services
+================================
+
+By default, TLJH configures two ``systemd`` services to run JupyterHub and Traefik.
+
+These services come with a default set of settings, which are specified in
+`jupyterhub.service <https://github.com/jupyterhub/the-littlest-jupyterhub/blob/master/tljh/systemd-units/jupyterhub.service>`_ and
+`traefik.service <https://github.com/jupyterhub/the-littlest-jupyterhub/blob/master/tljh/systemd-units/traefik.service>`_.
+They look like the following:
+
+.. code-block:: bash
+
+  [Unit]
+  Requires=traefik.service
+  After=traefik.service
+
+  [Service]
+  User=root
+  Restart=always
+  WorkingDirectory=/opt/tljh/state
+  PrivateTmp=yes
+  PrivateDevices=yes
+  ProtectKernelTunables=yes
+  ProtectKernelModules=yes
+  Environment=TLJH_INSTALL_PREFIX=/opt/tljh
+  ExecStart=/opt/tljh/hub/bin/python3 -m jupyterhub.app -f jupyterhub_config.py --upgrade-db
+
+  [Install]
+  WantedBy=multi-user.target
+
+
+However in some cases, admins might want to have better control on these settings.
+
+For example when mounting shared volumes over the network using Samba, these namespacing settings might be a bit too strict
+and prevent users from accessing the shared volumes.
+
+
+Overriding settings with ``override.conf``
+==========================================
+
+To override the settings, it is possible to provide a custom ``/etc/systemd/system/jupyterhub.service.d/override.conf`` file
+with the following content:
+
+.. code-block:: bash
+
+    [Service]
+    PrivateTmp=no
+    PrivateDevices=no
+    ProtectKernelTunables=no
+    ProtectKernelModules=no
+
+Then make sure to reload the daemon and the ``jupyterhub`` service:
+
+.. code-block:: bash
+
+    sudo systemctl daemon-reload
+    sudo systemctl restart jupyterhub
+
+Checking the status should look like the following:
+
+.. image:: ../../images/admin/jupyterhub-systemd-status.png
+  :alt: Checking the status of the JupyterHub systemd service
+
+To override the ``traefik`` settings, create a new file under ``/etc/systemd/system/traefik.service.d/override.conf``
+and follow the same steps.
+
+
+References
+==========
+
+If you would like to learn more about the ``systemd`` security features, check out these references:
+
+- `List of systemd settings <https://www.freedesktop.org/software/systemd/man/systemd.exec.html>`_
+- `Mastering systemd: Securing and sandboxing applications and services <https://www.redhat.com/sysadmin/mastering-systemd>`_
diff --git a/docs/howto/index.rst b/docs/howto/index.rst
index 9f6369a..8339d82 100644
--- a/docs/howto/index.rst
+++ b/docs/howto/index.rst
@@ -76,6 +76,7 @@ Administration and security
    admin/nbresuse
    admin/https
    admin/enable-extensions
+   admin/systemd
 
 Cloud provider configuration
 ----------------------------
diff --git a/docs/images/admin/jupyterhub-systemd-status.png b/docs/images/admin/jupyterhub-systemd-status.png
new file mode 100644
index 0000000000000000000000000000000000000000..450767fb6077a52923da2eb4fb39a614a513889b
GIT binary patch
literal 23182
zcmcG$Ra9Kt*0wv5;O_43PH+qEE(z`s+?@akf#B}$8az0`o#5{7Qn((n*52RV-}$rJ
z`ESkzP>rfqHOH7^jNbe6zP&<}6eJPh@ZbOdK$Mnxrvd;FGOv$qVZdL1C)hYczy5)>
zm(q3u0Hp5UKVb3nNcaFi0!Y6TQFBi_N_YE!(f81ox!lTEG3kZ+JpeA0#7MlVfhM8*
zF~?E}4ILEDI+97XYT?;N#k!M9WGpwH^p4{iD_69PhNM;IwC|^b{fFiBRpP9Gr4vGG
zx+IVG3rQ0<Gr_SVcJ{H6qfr#n_1vEbUr|U{qWYKW9>7HB{3ecITS|p88FHFq>Fghe
z9Rf<*AJr$q)o>7?0)HB?xS>{qgmBw3J3U-0PB-_Th-6Q1-WA+DvIT?bgszPS2^p-v
z_&iPDQwBo1DbN7^=^%g9E^rg9DXn1ljvq;TB-ACT#ZU@qSm;L+BWiB=hG#i9?e`X4
z{Ox)b=)XSzXE;4e%)M`NpkT*iq%7`kk46w2SWCVoLPS!%Xx*8D`Am>}me#VAho;GF
z?i=||@1v4ntVV?%Z|`vgmLst+OuE1lg$lAF^h#?&!0-1%*g0_$07$}Oq-WD0!go$Y
z;xxk-IjVQQr+#8h4Y|IkcheU_;LJ~XaAj>^{-kE!P+n@EPd{{ZqXYNXh?AO;$FENa
z=PQT3JRx?;7>fD0^QcNe7o~46^2ah^HXEKG_L+S_m)OM;07<Lyst&Q!F=%?xNe<|M
z_j+EWCiL~%Jl>RfCnbs{)W|V0+oerspo1yC?|1yPsTGj|Mv@oJ?0r$R8}d@Ns4D{j
zoJk5^J*RZEue#g#!6N9KpQqrC5+=q(-w&I=EF_qM1ERbZ2LW??*-ru{VI>S#V*-4U
z`qmNv5JX`=7%-3<eCx$CWNIWhQR;N#eX$;*^Tj@;>iKwkr9?+!he3pK+5@)zbiu1G
zx}IdkviH8>r7xdf@szDYx2Tl9#eVHZe@q>hVW#?*+l1IR^WcYOS&v$U+!BR*2UYKs
z`eU7j9(c(<8;=>G^Hy%xt%g=GseAtK&&%4J`ek<~Y<`cWnM}y*U;s{Rz2Mb+{OE$a
zf>^Hc?z_*IZf+<f=}m&CdpGYR;wRJCUhmB7{9ZCHn4N}g7{upeAK^4-L5W027Q*t|
zEZiJ&ACZB<JUA$pXPByoxMl=GJ#b~-fAsqDWfz0P<76UH|NH7?rmlx)-hlK-t|S8C
zMtxyz3Rsr+7X*yb8W5c&K(lhQ(yIzKsjr6{cXzcbIfx6qvsU8({0)SU4(eD7x^L6H
zWSuXvl7bT}bc%g;bAzBDh3Ak%Gw?#uHr%>ri)%R)8K|w|xfu-boRChWm2oH`3VV7h
zJmu<ahcd4c$ngRu64M^9lo*eRSgoa(KxD^@s|EIo?^Pg-GkwWERQdHKYFfMG_5bV|
zQJWO3GW+Ikb3Og>sXt1In65nz3YcJI7*@@6VUUHE%4~7b&5nu_?`dVJ{AS-bPS3@U
z-)oW~__+CrF8-7GDP4(mDIyc@-<$9riyr`F=$$#+j}}ln^^B<@#jJycNOg_n<;ejQ
zsJd+YXuyg_er%8%*fLS?=yh@0`Aj?@G#ivM83VtENt!)MU4r@58TW0scw(%w5hTD;
za%jcL77i<ya-ULCl4=F}aQ22hoxR@fcHf&F+&@P~Z|#A;?=vrDhDJR-n?_z*dz|e7
zU10HmKxT{$&|eXQ^k6aGpFI%^n_ynH7trpO*<u9v56fiSe4(7|aw~M~6UiIa17}S3
z(0((Ug6lsKaI}aP$uTdjeIIX_-R31LYe6E=MfOx%49&&~16bl))e7%T>6&ABJnahN
zkdCg@`8ws~v_3nQC4Bm8OBam&!de-pSPk`pMK=x3s*`O0$f90o&dGptcq*1|%|<#M
zpI2rY8Ai12{g|Y}W%50f^~Js7^GzSkY6rkq#c&dM>@aH@gQ2{;B^5AnFe0lIo1-9k
zJ4gxXY%YQ}y^Bp#d@i_x!I2a~WM?3^dh_rZJE44;pP%{e;xh<))O^Zn+~%ufO6e{;
z$5?pSnSh!Kc$;yjPl}40>E4eXGzGAy^rQd?+ACeMJECH-zfaCqNFo4`XQcv$nk|%S
ze-6$evBF4&)_RkZ2*Z56W_DMW^)xE6Rag75n+fYn`bqBOMDCluHHt9H6|BCGN9~5$
zT!37PZ7(H)7=$$1GKM06;@@HP&Z4aCZ2Eq<D?7JWBEr|;>QY=>Qt07QNddlE+uQp7
z^H7Phan9pQQ65!<Q>DO*s>1F*uTu;PxB-rnre^^X>))FYZlRMeT2DmAhoNjNhblzR
zTDPL8u^2aGdHE=W0lw5LXedi$)LC5I^gYEVoyupIV#DP*X^|@=k#{qrVG6O9P=TmH
zWT>$As&u+~Dn_ArYkif9bal5OV#wbLmxAB$CCkXt*?tiTdRl{34UX2PMt4l*r7lPv
zQW=fQPn+N5xr%SV5`23;kt%uc5!<f+fxgPj=rV{k{;}%1=V2_)HKH5A6T<%;1Jzn@
z3Xc^Hqek>5nZ(<4zQUu&BCoc8jbe#!L9l$y+VPmM1;4R9ZF-ld>SNf%o2i&&6$?+3
zUUYblJ}0#>j*bxj2<hTa=m~OxM>-3PM%SGkJKtVfC)@?#Sh1+m7*c+$`C+5JyRNTI
zh#*BPFQS<pB-<Gop>&##Yvpd=Fj1i_Z)!R1-g0r$ERRpSr7y1z!Fucdwmy$4Py0MN
z$Yul9{N-2nfyO7<UwPV2-UkY{G8)S?p>SyrQ`PgfEP7hc7o*m*Vobijj`F(@dFJy6
zvCvm74TPvOiVL)%fqvI>Ic-tVld}BCN)m*D#Zfxm)kx><e3z}Vkg8a<0jnx}ZPx=C
zOdC4>YHCI{+xbIgPa?il&0;QPGA~UUf%Ff{AeXOy2fmf@wo^jYqj{}`jSV~3RXzYH
z7;Pn896k6Ly>S`&5-)VQwk4^j*I|x;r>_1pKPA;}oK$DZ@4jpD!<(k2&h`e|m%7cw
z!my3uZ2FqncR!N}iy70q;C1g$P8A0dBO<*Vpt9Am(x10ahvLhnGTR?w-Qqz;#svaI
zj19)M;nR1L7ig0V%*hKRdittLN|=~e!$Yk667TiXh+f9qj2j8{JdF>kC#|W(MI;n-
zgDZuOq}nLl2fNsHDZE+gr!>uo=kA9*IKhGMy8J47yxzV$rLnb=$c1%Fo_wmFA7}O2
zgUy-rdB*3oymu0v2Gq-8rZb;xb9v3yk61w&NgwT?q3Uw>j!wSOPBRMV2mgI~p5S(m
zu$#Xrzo6}j@a?Tob(c#|-3UsouN(S|AC&>W;_V|bka&zg?tr<+Vf?f>G_~0LabSj&
zJ#yc!g)sT<#OwUlMDy=0on$+)K1Ua*<>UR8Nr{wrfy9+PiUJUuK)gu!sOi!c#8tx}
z`&M!|c}GQGE58ap?QM@{rdQsPYbUGd*1;()#k;4R#1Y3IwNLJ}5yyYWLxU#yT~%pR
z(;qv^ej^YtUohCD#>74_FDg4qj%Crt8l{Q9lhqylX(OcDQf`b?<QtpeV_8j~OV?EU
zkW09K+YkBomEqv;eSiDyuT=mQxc{J4(~SRDGJ}IqFy`OI_pi%;2=!BOmu!lR&}DP`
zQR`J$GM{i@>o|KvmKSKwoU~y*0_KY2>e(*&)I}Qflxs|!if3_0kU3fmPR*c2w7J@<
zmbAF5FzbD4_q|nrUFcKuaj+|xD)uM=$-4XAOVQb=*YMIF3-h7dX>+(5A<5R}tnG{0
z?%3+l<6SE8GbYn_9&)ae2;Crl=ev|Tc(Etlkq7jBPSEi&aXEpd?ibfl2nhuEsQEcU
zmr91k9|E60e4q8stp6s?@7K}!@^D{zB@1=cvgwvXeT;^TgN;tOH8o<Z!*9P)n`Drv
zN3;SPh~4@!Es4K#cjcJA{HbootKhWtm~<^-@&WT2!>!`|3D`*maSYpO*4N;fwzD&(
znS(v`b;5Oys~+NZKP!&0i*g^BshH~HEAH8f7n9Yxw&rR0eOyp?&3KEGzHhaFxamo%
z*#x~&Tqf0%QT@tr57WO>(UE$Mh1Tkio7Wf%60cV*&p$RWBv0pX<+!stUeba+R>~~;
z?>sg5p)`?m%xC<@$aX?9^^Wjdtl;@b^L^V`+=$kdMQ!Sx@JZ&c-cwFFYadg3lyW*B
z{pG{Y_F>-c<G^-wq_2W{YQv{X0>bs_n5I(&396f%vS#Vmk5q5@PiEV8@N|PI<>I>7
z1gF_l-NNjt-LU`Q!@T3WhIE%*d~#a8_{1&P?rf=bfvwpTG2%nrl1mUgrd?}t!6M|9
zM>oRXYJQqM+*>b|6csGc=xP}h{6Q``#rhjF@k;CADV%O<G5A=OYyuMj_pcF!N}7t@
z=wJ5aVt-6i>yzLBnE8H8YYhq1#J1%Yf$jQ+-9rJ_Dp60xG`2K_=OZcFMG^8iyE%)~
zgt*lUyOj>AK)l+GO-}YSX&|ZjytEMjq<nU24tLYf(!NOajfTMOpPrBi^Sbz~jGs0T
z&=>Lykp;EI66x^sEv@Pf=DOgiyG%r;ZcNq+OOfl}ZYhtUzi2l!+eChR?k`-?N58$n
zuRLbX)>hS4>NmpP7IGPxoc!`5BrLRZi@-<t-S^b0qf6xXZu!O0E}W~>#~b#5!<KBO
z5bDfx4%LMI<IX;_N;n|w+1FMlxU;ZZ+OV4h_+wu`HYoBwUiU8c#ea<oV(@je%&QEp
zQR}Fs3!Qjbc<8Gl;Dkt{3S@Kz14v=hstqpoNT2ma9g~wHFAtUkGQHh%>TN0&^?r5U
z2<fl?ch0_pwK}5)Uf6c=Qw(D1^XnN65AFMM^#SvJY~#GrTt=e&#^>D4dj7-A+ZBAi
zi$y%deNe}}oB6bN)lT!!<9VfT6MqmiU?8`!u)RcbUC=k4?=SyE`u<B0g~_;a)w<w`
z0vl|mhUO0C(VdN5$%Lbyh3d#^9jWl}vr<eg*9=smXawu$$z5%$kUDjp{-`c5n==o1
zh(4hSWH2S`XJW6(UO`Oup90(VBju4*l|gQuS-~3Z81njIFAi>$>wLZ|8;Kf2+&*Vc
z5lBE(!A9pZ;Vxc^3&~aHSqHfye}1W_wPrRf%zjZ{hCWXT53BE@qD!3lS<oGXoe2#N
zO0%a;7%i*s?h0BuKh4g1eyN7l>K#osm_z<+MLogzwp*3%Qxpj|TmIcO)qAg4-H%aB
z<Px5Bddr#PgEJ;lt6!Bf4lW5Bxknky5=F32z3euN{r8zG5e6UcLFC&AKn^Dz9^h|J
z&}!6GV<@+?-z7v;q=M^yU6I2}X`IbqWpFg97({=4dV6729)ZE*{v&xI0!AVwZHnKs
z`xmLLmrN-xFlgQ{T*b>*8M7nv<^!DeF&Uu`v<FS3?R_i9<M?iF9dv`Y24*9f?cL>2
z^7)%EPR>>6;~buD2#d)!{dPlaSmC)yFRLpCc!ilS>AP7!+eQin7c;WgdEUrpG+%CG
zA8|jKYi49jn!G;}1%jTk_KLG<NPQ)}(`95q-Htie1vRYUJkU3JG+{BHCXI|W1qyT;
zw#Ph&#Gpj>Wfh)1ixONTlj<l=Jfg3U?NomhGR|kdE}FV|&6=y%E$dVCsDcMbHGF4L
z^qHw*ASCg*m~r_ms)B`i)7iq*IiE_DhydW<i$x$D^Fu>JAE328lC|O<K`ZM1FqqyP
zsk9N)7y=~yER081TS@&lv*)z%KfpEiV%TPyf2vb=H0w7^louSE_L;v>I)N5~1cXP5
z6DOP<3`rv-t>PLmrno!#I$4dLO=hc~PCp9h$wQcIse$<Q^;x(d4NkN%!LtslV-6Nh
z7??Jp!$a^nenr!$`KxvhvsQPm3awn53xN0c8-0<(U;CAi?Q<KDJc_%>{pj3=3nr{g
z$$a({zbTrIrpW!h&?=aT_wu;%-tgVdK+fU^sZ(9oDiP0n50Rc#Oo@7Yn)ZH}*@8HI
zP{ry`Qn8S*gC?DDIb-nHg0_N^60z0JL!q0WFb>xhSE=Zj$9|(#T37&WO`@=@nV!ba
zIy0!OT9Su*%&D}555ko&ur7ki<-&PG9i&W6X<=yOZgd9fud{#$;JBzO52%ZTaOtS1
zE4jnM5rsJ3d=C_j#{9h?=zciB)Zv~3QnOmBlQ2M#h|OLv0r#J3x^B~IMpxZam~c$m
zUFQ5$9-7oYRb_>cf2hh<z6K6=-nV>2|NpMUcG2fjGfZ)pkB}SLAOS!^J1!={8t7-j
ze&f?(^6vYkdpRDMwcpo|C3np{koNo-i&lZwFl$7rz+3N(AxKbp45yevL)FOcJTy`&
z(csfsuni7fC|wAO5Heg`1OHST>WZ@9)BQQ#=+0D~5LXiuU!mdo4`0D4?RZ$JyN>;D
zyK;Ct#|)&-R;|LqG;jF9{Vy-hN%7I)ho=~~@o@~O6MB5U3sgKYLrSB%C`3?jR24QM
zSq;j59cz9$G7=%dIFHgOHI|in6BcT3-BjIrw$p;%j6mr%M4kqI&&T=(TIFEgPr;QD
zz9Xsa^ah@p;eE4*yWYh%{4R6aSkZL7wRj1=wDu4YuE5~kEo=VAegh%n=kpJ(`D#b`
zHH-Oe4(OsV{v=>1M*b910o6G>4>`KPS6y#KgA#=?D=n6p)nMLPlMR-6tme0mXITHK
zHFxC^)H3z6@_HZKReyDG##9S3<M)t{OoMP!b|oZkiRfs-R$12t<%^ryoR^GvQZg{v
znr4X|P3Ib&^E7B`*XZL>vLredh*$2F%1ZB=c_F_G{cGw8R6YF_%44pW6dLv|GwpVX
z_kwNSSaRx6V1zXJ>W#ndGr-_U?TdYg$91ErZKIdpa*D>X%wPca)8VH>R3=e?!jOp;
z3{o}oY&ubr-d0fBWP-+WRL#v_&>&G{)`}vHk_>!U!oB4=SF(vquT^dC=jTQfdw&$5
z%l>UmV>J*qjoqe`>G9TiYOa4Axh$itXm8IvlW5RV1n}3HKv#7s&FK_)kvoHjHF0z^
z*UO~cmFfxQbS3>_h;k4Y-ji~g>*^3<4*gmo52n~%qmn?rd)R#<psF#-C0+sV`XwCm
zj=KjPfXre__r=!AOf27cKgs+-BODKX`$dwH(;?04_%73tS8+BuwtMCBwazUcI-8*i
zz=7(oAKW=WZpJW>A6Z={^}ouV)4)%IJ3ad~U94W+xz8nV0;;!Py(KlI#zOO~t3NE0
zT7@~?3!Okyoq7!{CErt^fI-H${R3(mIwBBCD-htfn3C7TawV_0gSwns^u5dEHYH_2
z(b{@OOK0eNiHv$#h{xM2=>}gW;qQe_4&VN(0A{#e;U3~h0fJmb!EG7Tuh^Qk3`&Md
zNhmrrfp9Z3S$DAL^@u_GfmvRYLDF2pz@IQS?cBV#&SI8Tp#<2ho%>5Xpwqx4`a{p?
z5mQ?8L6y;?^R)ZH_wdAN?)xL;E---7;dDC_XBj>pZP5zp*Zzg%aZ9K#jF{g<k(zCf
zu09UVoqr?{4ld|9Z@I74P3TE|!^zD_Ue%l`5bbhUO4cC!0|9SKPE$>--sNP8%59Pf
zze<mPTaaOHKut%*!O6tvlzUi!d9ero;#sCF8ArfSj?%Bp=lq#HKOI^!a0MVi{l@3~
zjzE444;Oq^Bo|6WT+`929K|YE_vpzmk*|5CrLpbix@pih8KL7|>0>Ek1*yNW+&-$U
zWqcZ3<5Bg<?g%Fcf3S&@X_eR)2I#oCzL8KL;M66C**@8}X|;625yimaWDjCcV4RgP
zb!?PlN*u_K%N94EnBna2+!=;(;^xBdSy_iq?15^?Sb6q}>4fzEASw6tfZ0Z!i`^BC
zI`TQU7YP-UDr3}Iq^SwYa;{7}8Z1shGE~<aIye$ZIJpqL(lWY2gA^g1)BI7%%Y^J`
zt70WkG%#%{zpflODqb*EdBT2KodiiD!jm~Em~rS3u8xDh6iKgVJVIfvqp>W-(w5sA
zI=2omaYfZn8+M1CM_|Gh$LlVD`JG+%6$~=HG%=TNVz32=)iWS&{A4wj^i&GB`hIip
zno-HnrJ_!16`v<_@R@z^V`YhxIyu_sHu!<9tFtV4Wzxp520fz3l~0_R1!?4^`I7Z(
zJi7uh@wr85hUgnx_|?=IZcQ)p*#;)T?VZu*pCxK$m~2O`${FOlVLQ44-rEw!RLi1f
z;vv-$l<_5uQ{MV@uR*E}BFLg6h_=g_HkhfwXWn$`E0laPe`lgngMat5-B}TSoyb=x
zxg@quMKg1@^SqO6Ct@8A@EG5_s}FV2zmt+zJk4d`DCc+86Fbo0{Z{I)SAX!kGEl)p
z1oEushQ}ksLkdAUQIzMTD(cCdTYK#86BDK&D6W?}pPTLbLxGw*-@q#mhdNWF^Vd{g
z7h23rJ`#6by6|W@L20>hdLqy5Hcm=NIX2V*4(8lUru0V&ksBd6pd^S~=CwUuY%Fo{
zdLwkki5*S))j>y3**z)Tt2Zm7D8J-md5A)7>V9%U+K16D*>-`Omzs=34cUCW^f17G
zyFe_%-M9VFfeZ$~IP9fuZzk0=KMx*Ozngq8J9QU(**(sFaeC4(y4u)LUsRQAO4Aow
zF4L}dp2=k%%r52!t?k@G@bJD8mXoo{dYOcg<h%A49jbL!Pa9cdOC6g<wj8G221a5o
z#t$4G=OB=HTyb4h$(pzPqBYI^<8o$8X&N>@`|-I&BVn#h*{D!VViMF>cFfxNq;x%Y
zS~xbxgECt(Kp2}~-evCQC#@nszOe;^AZX}r>Of;E^~mURu^fLqD=1nV1fBP!@{0$|
zPiYGVT6`jZ<GnABegCV{^k-`GkHp00oKRLfh;SegQqjY`;9C%KZ^HfH5yX2xo>jv|
zBngL|U-9$SIcviaQ}~D-Msy%J#(7hsla$kD*Q#&3;Is-axB7Qt$O^t&+i$#kvy{~_
zKa@1`Fo#(vzw9F`I$`b|z`d+AJ<Ud}rYCdWMa-E7y8FnBh^VVgu`~Cb;n?^%cs@!#
zL~QFEaR10iJl=@Dm{<p~>!;@lc)l%{%^Zs(TCAHrT~8j;RN&yk%DmhD;D~8HSwj&x
zPJ@BBMUO7qJ;MmUV1ljbXHmQ}a?{$t4(U8=0?Y(YZ0f>2Bst>S*U5msFS_sv+O;J^
z_#<vQuHJ|ND7PaKgyMQnv{geDG=OkWP-J}x9m|V_)L8MDop(3mQ)*;;+pl$T7?HDB
z;&ME1*U6?;+0*Vt)bt<W)l&Z<M3k*|pnE}^M9vNAu{U;Yg1K8mseEcxB5y~uUar}$
zu9@CfyYwGrq=q$Oit_G#s;dlRx;uTp$l%lE(0-=KHXo`H(#VZ+5gplD%PV>Z>K%Jw
z!=Aiuo9C0W3o3p-d|+<X(;{rxp{>0;{C0e3A3(Zp$kvmbchSr;v7m%S>Ued7ftKSt
zK4ix8VZrxtG&qavSK+Y{w&I^)l-e~>ENl9!3Z>Y3?F<=<`*O^jeB+fh*(>zRM2<Pg
z9>MSN&b&88;prw=l>rq0wxvr8TBY#maUghbUvQdx#i9WpkLQEVlbec%+f0#7cS805
zn@TnKbo8fZDK7SqX2kG$z8)wTn+#++2aZU#5BnQ714o=x#=L<X9+GWdn~4*lJ4Ev?
zxy)zC9JrJ4B6z0aJ1g>iky|yk-+sk@s~J;MuP7@yDqi|c%es1J^;Yz+a*#J!aO6%q
zQxMb2-t@V?KH=on@x%xfxSq9(Z7z1+fcN`f)Y8o{&Xtq~EJ=FuilZxrECR6mg1oK+
zOY0NO&b}}O%_yDE<5iLJh<Q!PboQMA+pN#avRBAp5B#qHjnv-Vt%0=FtgZDaH=g{s
ztZ8x7qvNX~7#qIV!%4g;enVjt{KVh1i+$svR+nMp4g%|WbymMzpH1r5CZ+3tGb&;E
zKQXFh_4Fgb$X8;wykYCdBP%7ESgDJ#en5lG#^{3CI1uuHOck%q4|+s`amai+C@}rR
zeO&m>SNmbz@bKoM9`$bw<)c{tdGgm{mN!-T2LZCX^zfc~Z~D3alSGlWq}>rJl<j+*
z^neb&p@^CzbB9c=?RNw&E=;_6RbfwH-F%EOWOnusKe(+;GA744wHvZJX@0~xsoQ_@
z@hErm_%3o4vZyDE{k1EhwLa>0^GUzL0)Y+$oqkP|x4Q>ZnK0$!#>Uo&ZMrP~np~7^
z)Fn2wKHM7?(boMS<lkZP{~w+8At%xBRrD2@zd^FJ8mhqDtH9i%FrR9_pV`2ijCpQt
zj{zg0_@s&@M<md_I;72n4vN-GZ{CeXR-9r3gn5uMYb*w~41KSq)Kfe>$5zCW!#Mzy
zn5Z5_rtr%v`vkZo4RPgreXp0d3Ayz+#p8@un2bRb!omI@i%Kefc$CHd34B-u=i>b@
zN|o>BMDiadW&0v81ud_Of-g|p9vr3|pa0xwzI$#x0^|QjQuY1?^e0kvSlj$@wi+h;
zG%pxy4C%%#@xmfqLOuO*v*4D45oMy^PB{AV-(CQ0L60d=x8KaM?IKfx&_(ghEadZ3
zul0kh#f%yjM)jQdouV%2vX<1AEH{URN0Jx?^~j8Y@2P7>*U}0S_&?~JfjHqcSo2!~
zVS>AfUB#gD#ph3#*zF$o-_*!~sFf<a^2o;PyMtpMDq!uiz{_zgQhV$9wF9NmjR#Zg
zPpoGDW_9qh0Iar`J2-P#tKw1FTc6pL(r}Ij_t)!%_&?xOd=KKe_HWAYe~YF}YkXhP
z6jLBPy*JV8Vr&``SeZ$xXtk%?{AAuGCV;G=!S)B8cClb8NCdgumo}vh=VkLmrqk`Q
zrH8pZ!R~%-mw?d!pJB>Kd(%JB3|Hgj1ZQ}p^Eeq2ivDmp%ahSg#C?3$LDlp&@>%yM
z<^Zs&(%If5v`x1Y#_@qbBO<*ftNiQqNHjbY-ImkV@Ivr{_7*l8(BW8Q96RuJrpN*S
zIvp-U5y!r;CKn>VxM#_juFW@x9@r*(9qC|kvRv;|cVa%cd3)4pNQM&dFUi>ynv%&Y
zSP=;r?V&UX<WD02+w3M;TIuPU(oXr{OrOhKqa)e^`Qs$HpY-sa_dw$df$s%NLqDK4
zc;9ai--1i<9#rjWMp!9?tzN4VZsYPBJ_}nPe4kwuclrwbtH7t-w~GnQ|2y%`)Pc4J
z4_fJ%Q_9D0x-f5bC;?zH$;n<Zw37z+EhCrfv~h{c`{%NT$JpSkOG;`#0X5lX$zdI|
zn--~u>jo@^Dic3Fu8>(X{gIhS1lX(W3t3BmWVy4G|4O^B+S&hd;QcHnoV2#u5<I90
z#@x>H1KS*ZCthaX>w#?RG^SY2GBv}2_LGT;Laja$r#CbXlsLg>1EcU(VmR|ir~W0q
zysy;KKP=5EWA_k#=L_+$K<O*<n^H>2h_?g!2TJ_I4|j&)g<||FV8MVW@a(AB>o>5*
z6Z;4=j2&!)IdQcgAcS2TY4$cL$piBHtSc3}eu)RSJ*f+Y_48{_wI(|L2l^nN1pOmC
zqK{VA)hvy+lrxx^npIPG`8D$YCk#^l6WY2trnA^aLH2hJ=j41P&p1=d9{UkJyF7CB
zJr&pUTu$ZHhy_$P-ZJ%IB+W9sN4etU!7_?eS{YS2@Xsqg7olJP8@<O0eu5nGYWg4{
zbd@0UVmG<Gt4e~esaDbH$^;so)Yx|^A)A9wa){u<3t#XUQFvWuamB9-%s(TrqbO+H
zzDC5K&Y50BE81_iCo737*FP%gdc75&HQnW4AetQu<}Gca>}30IJsu3;yv+_jEaZs+
zI%p!>UrsX}o3Ud^>qN8P=obh1<ClIcqGcu(tbEXb{12juwKMQf*TTB_dHv(M9fd-C
ziiamA%Op|y?VC$CBRHhIshZ#t-63$6g42hmPWYi2TcV6a@4L=B_+56ZO25efHO-jn
z1OYbBIMBJV%zV^O-`>Z~Mo-z|Ia%`tS)Wa+AQV6ZoTM9&j)L6Y-W21a!m<y)@EK<U
zx|!Oj_qIR;REtK~!LPi*N@Z#vM!zx0|D>hL{{RFZH|0)j2Z#3q$-~G;k1O<#J^*cA
zqKw@Ad8)3zmN*XnkKOh3j^!@YxI{+ZX@e^XBp4L%jot`mx&08k)#hOcK)B!w8@^zM
zFam@L@<)=cLm|&R>&<D|&xBB{;4lS(>!r+*8cP^o<nUyT=|lm9E>^N6diV}4pY_tK
z<X|z$@Nj~sj)VPgp%K2<``Kw&kU$Zo0IPZf9o-UW46;2+n99v<=c<k^Laj{87~2R3
zDqCTm1X37{AhIcPp@%Yqu$zR0)|$UEcFZYhI5gbX9sYm$47|HuK_TX9itl>0)l?GA
zix6FL$mWvu*h}1`N7HB;#dU!jzD@Gv?yH}m7wg2~RaA_~;7`+cU}#NYKgpq&k(E;x
z3s@@Zw88^u8rDdtRkba}XDeduaXI>vD~gIfwg>50hdNq$YH%6~xpz((n#>FYEm4*F
zxq!gQx(MSnV=7&6mi8}VUO5aP<m;nSe5W~t2t^JfPKK7%l{BuTQ%2S&9%j$$HtMbQ
zv7+oyoGURujaHVYrqAhs-j31Rej}eda*7lXF4uf%n)+^gl$YfhOhRUDE>Vb!Q?JGV
z$8)ry|3a+V8)3c)@cuA(U-B2ifdio`t=0}zyVqpx6qr%Cy46ruzty+_nr`_U29|4w
zB+9TA8<F8%+2RwNEryPchn7Iqx-F!qmE9>J<LJF=7kvxZr$VX=jeM+ohyYsEk1h$$
zS0Dn1Yj#w91bR(NjnQu?TF5C*d_R4XIzcC3_gf(8DMpUebbRR+4^Ko+i_qp1Vj6Yd
z6UE$Tw;cr+>e-jqR4ek)iNt$rIKa_gk-to4#*FZ>?RJ$u91D9Pk0}EQyec;e=o}cD
zlr&bFo@vmU>{0pTl&QnDh}a81q`%@ZG6;+G+@ZW4ftVO0!<*o*mUxq%)M9&5QWt~n
zm#@w>4i1gnmoODnd&pck85-(X&S12%^np!Ne%=d2uRx_fQP4^5H9@wS(E6OSTUFx`
zZ-q`-?e=+Ma$uUnOB;C1nwJg6cdV9;XQXPI?C@3KSCt2iOw$+}b`Io(z(2d8ikR5R
zHnV;+C5`v^oN&YjucFK2ZgsHWF;+%}lsTx1Ck{3W>0GuVXoX$q9&unXAV<p~z_uCk
zCS{X{P6BW3op9gRfUaF_xi)gwd8!QiYh=O_Tg)Gj@+q8sg(q7DCez_L!wt+cyQWpB
zRb6qE6kDS@_qTAJQ7y-1IiM#gO+6jS(G(m$>G(3N=4jKx3N;5#fp2WX^QPl}Enlt^
zPj^Y~**NZZ!|uMD-c8!d$*HxQBVvg%jCP)dLw8q`BPo=!<^uOQ1Sx~;$hHweQBF=Q
z617Dym%)XNaLz8D{p^;XOFvhhy-G>Rw_DA#4V-!xr--s;t20T(LkgA27;kWSTr?`L
zE}+FD?3E~V>DuxSXLe7Yw{*8#=8`NUC5Mi2Y>Zu=qg%Rb@ef6tE|*s`W0(nvZ#ED_
zOBr~dhE@~l-=mfYJuFMO40p~O?+CEYuOJ~<iI2}OW2=_DNAdc<E8J5TyR~FY^|C3O
zhjWMSY=(m6;j!iQ9v{6?O|5Lo=-%o(ZPMQ8HqZ4qeZna8d#rrShNc#}xBwS4{#8^0
z$27g<{Vif>cO=DI@~B#*rL7<<i;nIfInmfXtiJ87z;muopCez(rCGg?!*5JTzMbE-
zYu?5y?R9CdlW6Kua5-1e>We(~q0KR;s_J%_c{ir?ZE6N3?#=_E?eDw*2cJ~5Q}RYl
z&!+H0@b!l;8viMu7gevQAb%?Q)>@s-%OCnOw{8lJ*yS=z7~kXDNt(4i=y^+@ri$!M
zx@wbWTz)v)Ib@e<YiX+^<<q!*Y~{vvqHg3)e=QLA`IbP6^v|d;UxI=MFwA2HPdlZo
z#k7O^r&m>_zTS&7r*7L@KAiIr2P_D`YU;ZD>jbRkDY8C>@x4s;8yNaNC((<%;H5W7
zVXt*tk{1lp=?S>27<sU4>5BqgJ196~UJYy7ZlZ=+-qlo1Jkiy!mb_JyNMfPzcmqXo
zfKVW?KrYk)3zgA@2fE?O`Mlob8ZY*@Bg=_-|KVGWPiVT3A4q5@vu&2{wZL74a;wKd
z_>xLAH-`9{75^@PC%rn>3IFzW4Ewx6I%N@n{8vq@(gG&**Aq8bkCtzG**e$6@t-mC
z`7T!7kgEM=r9C5)@sH0Ii@R_c-BeRCqmaa2jWldbbBlUX4K#G1$d|J&eYZ_^?7xg6
zCy2j`{vZ@yuOHHRP>Rq*OEdL^H;|&d2jjath&23{n+Z!$3koL;wkqq$GJg#~D6oq!
zOg!q~sNMy$!r8QO<zl22X<~Zu{ha-IN7c7CK1>`vzlYF^W$!-wE&C640|`7~eqP(5
zn&*(y)++LLMm<s=BCVH`vJ~bS@5H<}Bzb`aOkcx^7FNZ2iw0F*mTEw^b@fkUFw$#r
zZ(=2p&u<(PhPu7;G<Q$#wz|;k5FRKgh+hs0hs0isl-|7Z2BKJ!GlFK5{Z0pn<)h2c
z4NoFiL~f?4p|zl04h~*d1vM!@H)ybl;zLk`Z~L|u&xjtr@T-Ma01N+Q^MoSy%+keF
zuQOxyy5QAmngvyU>pp^Djs~=>-a2vt{>28fz1)#BXP1B7ofG5NL0Y3i3Dn-_TihEx
zMmE#KuAYOi+G};%_5(AWoEMHt=kKFQvjx?BX<sSnd#$8G!9%SCBmfe^NV77Wm9qDA
z>3vQtbPs=v^R&z{A2B5d3DD`QbUCFIhtf{orjVcSVZ@_c`q2wI{7OakzckzTkZ2Ri
zkpk_GYEDLv^_d4WV{5P==#?M6l!1hQEJPMCs%M~Hi>0+SVcpI|{XFi#r?p~u>@v@m
zySkA+E8MJauPp6ct>ZFL6Ux;0=`Pw43fNEm!TI-k-2J(}y!_kZqvf<nK6aWUG++1e
zh3|c&<|Kg2GtECXi#?1el;ow6KcFx;QHcP5wftU36k;D2YrjxlAgWkIcrKVZX+N#X
zr%Q1+6&1ixzW`s==V6+nJ+G}6C}REFd3vp+>Xe9MBNmPYlioD6UJ&$01=w|<8o}x8
ze$0nOG_BS8Y3H5zLn1QIu_=$l_Zf*)Ia6gBor>2C`2)t~c?{~$iOo7INC_9+a)|=g
zPtvOTs_LJG3Oim0H7o>9u(GUPCR823{TS`r@}-8y<@og5xXU~b;<vslQ1)nv+@F1*
zfd2&|!gutc4Z%60*$iY6m3Qf}<gkMozUN^V|57jIzRXhv+QaRgc4H7o6`!Jgc~wER
ztaF{dNR=yD{M4i)6%IGw|Gm*)Q@CKaR_qAGEuBB;TnNXO|C1piL`O+GJyfMPD#4Nh
zF)Y-R61Xs6EMa#=!w1KgC|y9vjZ^nu!@}W5xK{bCY{gFgR<@2;<KEjx#TJ*<<}iw~
zZ9T<nZ4z)A%1!0HIxq`I<LaN1nV4x=d63RFXEmqQbYCi)DjJ6dt=#^V*N8=lCnm-v
zr3D0gxjuy$d`9T>J?j?#mJ>X;I*iI0hgI7D36(sp$vyw`!tYsqJ-Wd7y=G-a{wc?)
zu$%AwU!nWxidiK3;GzvZc6LO!PQ!7dvUZS4XKihLE+!>P!_Nyo{ttnDyo4TFQC^qt
zG<mvvUDZP-m!=~bSdhV0TU#nj7;z0e@4QHK)3ZjNkozooohRPQ==CH%W^4|ko2HU6
zIfctFj4ic{Sm-D;`TLS_30AIjoO#-Po3v|8_RA#o<HS@wc7BeWLpwTiGySjlHZ-y(
z{||o1VWtXKh(85Co#;O*1mUA}xN^F#o+EiQ{r$y<XE}ub9QmXEJ-tp4WE9@cirew7
zl(2xP7t>!JWal@3MG*YQlm8VoUhl?l<VSDs9{hJ$ank?vAB!Ly!7D5M>m^H?YiCHt
z0tiCidmX->2+mtZOi7cMQbyd8==^?%CA-VVHa8pnBjXdr3P5<i6>Hpy0!;X>73<Zr
z?Me9G5h!83%YnrwIs@Uf?fODbTYWwd*XVaJV9@vSfbj32zQ5BXMo=cyYB;wr-A%TL
zkR`a3`VzO=;<ieV`LJ#+WReO1{@h3BH+uV-xA*wLRuVlv50&;JyOcm)bIW$}X+;tM
z+%k!o_l&0DER6Mx&Z()UJ?{Rz?VgxfTuN+RtP}a$eiv8>f$T}wLLNjUmRlH(FTn7t
zukE72CG%<8eNn@Z<>=DH{U$!~MpJL4AsKcZ4|L!AvslstL=L~YV4v67q!)5P{E#^-
zNzq>8Fk8n23zMDNPOqz7(Q+K9dCDt=lCg_hVC?vyNik@<4+~Q$@$gfpU`k!Lr+t!F
zs-3M87g4RoX<1PJxRsA?Lm^4dQ{8h^<IE+(<@`y<Znf6y<YV4!XTyxZns&`;_|1)a
z!0uArDbq!T(Ea+W?BL}K72uqDegKcIZmviX&k<#d3c{9i9eOf5<~C170oM7?=iM^T
z=mme=XpthMq4KS^A2s{=B^SL*EB24Mi^$;e`WdFA$d|J|7OB6WZSnad{?LZMEEMML
znV%kk<2k4tdm0A#ZN`sF$U(kFnD2QHw#|CdsJU}bYCPM_!?Zkt&}=jq=I66)7yvlT
zRnKCf`L(<Z#cKc(?-d~cCELyCt5eB<luCjXmz?h*&X<G)6x*q`d~gSC?s>e;HoBjG
z&sF<!=i-`|;)kl8Y+o1bvGixg?1Jp7dfYzOBtBU?zPPYUBEDX}({AclK<&ZacSrnC
zz9;dc*9i}gkdK-!ue~`C*q^%ckZfOdEK4i+pFq50`)I`k04kYxNBWD^7I(LrLb^nq
z5C996jn6?1J$LVi^SvL8WB1f;H@y*$^|lGGBH&YVja8c#NH+${KME<OiG<73!VeiY
zmrnM{X>9b>yvijZ%H`OT60h8yZ^vz?SXB}p;~RfstnM8hk_98dIAi9)Wg=aH|AnT~
zGdKz=x;X=lBo7@YRN!EYhYjMJckZ-}kV7%)>^&kF04(U88~bye?NGvS{SvyhUg(39
zcq`aPJ}0#cr9m->3Pj-*=6`m?t-O<ps*Zu2Ai+~UX3=7dBFRIw0tw)$Zc}{&<H$~o
zP&)UoY}|8^{V2)Hy?|_u(PVw6f<7SD-_NezJWJ@t86#goA4(Y~Rp%B}0v4pqL)3-n
z?D`T~!}e}3ADwP1gEyo5T@>UbgRMNsb{Lb@=1tWHGU%%0;dnT}zc4neEc(U{Rmzg(
z+@ek?aa%W&y2TJ&b$dLj(vdi)n)qlu#mxL%8BKIm8ksSJ@Z^+fdz?4Cgm=GB{@hZB
zWG)>MM!G+z&#231DcuB3u)Jbeb`G?-qPFb<uSI~*aF?wu1#Rx3?wP>BF#IIUNyw!V
z6R*M3KmRG{)r3aVx9)_+n9M&sMpP`ru6R1{MN<=9Ul#SI;G{eFMNoQ@0}ysqsCnPt
zqzutoTq95QDte5;eHmKytKx2aBXZBV0P5;9m%k8fXb9MmdXslE6--Q^<8*OogM=)A
zYI|;2YiO+fA-<n75JkE>tUBjMOXs~qrhpjI`EgIxHCK@P+QcqVRNA9s^Q3C&gWF8M
zZ}Bes5tY=Umi9c1uoSp6O#hdXgHZfnI<)G3XzXy7w1?Z)^kZs9v%Dvpba$lT(89;U
z3J=c(6z*tc<)pM+<gYNU><Q`5hKCg#oO3G)+NcOg4@+qK12-!?8V-ldLiJ2N0m>KO
zsb`tO&!WE3syf-6Z+A7jJ?Um!m!b|D-X4j6qeed5H3@be2|cKm_41ob%@*lcfiO6c
z^wf5j^bn759p#D3w=AgGVot?h$JSR9g#b_@ay37?bA=7?``q?HsMA4=t*EONngISx
z|Ii&}CB4#Ap(Hh!v!RzX+eq+F9ZSGJqwfVT^#Ar^&ZpFWl7qy#`+`M!h5$Z`wLfPh
zik?T44WQWBhwKJXg+k`lu+!15;d@|+llx;yTf>U*)WQ&2Op%SxfB*moHXNvv(vgJ;
zsKoZ%=k>!AJCNOSj*7XkLXC11fLJTTl18mvu(px{V%?3h4@n>_-reKHI9kSs(P1e;
zl*CYAc}f@S9QFG57B{9fZNu&BG831P0sxE&*(dW2upWDJNt`!=jNr7t=%S-p;nH+W
z&_k6cqrO<hY@#&}Ea4uQPQs=8$V<^r#7o2Mnq|w@^iNA|!SY$;IeSF({&WF<q4I4?
z&DXz~>X<9cgwZ@&J>Q<zA*6LYvuB^)1ACi}*fHv4Z=c1qKEync`qTGp>NC8Cz{=yo
zj&U7AqVfAnu^O1IYf+!;J8M>UQGVu0!--2FW-sXA{&$c#(JXt})6C+N*qeS!y3)51
znGLu3(--o@k7>D^YW;7lBGUkW6kgs?3vm|#L?DRYJ_?%dZ5nlm-qlaCpV>DJ`TAnH
zP*D9};V_Nl-*m(sFV^lL2Nn4u3wG;X$bV$~2BClpp1d@gMSe`!jVNEPG5Xqg)6Yoc
z-`YTWBq?<7Zn9lzM?`m}<trQhUB3w(_nIKc#6qp;yYtIH7*>MkvG3{-RmSVVzLm}2
zw0|>kCYc#IL$q|Et-cldV|$X>ycc_JE`f*RYnPe)B?m28rk7WCZpWOK=k{L4D%wyT
z%-bdm+kdnH3%@nlKS(S<OT0M=V^#^|cOGCL7i$gjV&?z|1b`jEJh#toabrc}OtVO)
zR;U4CwG)zs;YZl|D(@ivSKjZ%H`tibUsO>#-OoYAVtHU)Qo_r@F0rVT`$n|zq*~?6
zKQ*Gk{9_xOtv*ZkHzc2jQeT{CkLv!xRe_?xQcq+cvfviM@0Rlhl{Y&wfhL+vuSV=0
zy0}sk{ijeh*ySq4Qb$d-I>yo0d^0#_bK_%ta}J!a-fm;<LBc+jn(=Ch`e2?_Rcv7!
z(Gj@1cMMDX+dWGF`|~CMk?l|>w2{va%+W8I&B8))!c<DtF6qYRY6yd?$RIGx<iKTy
zZZdHo3QxrOe=kvp5{_m0o}G{&H|B7~9eQsWa&V|zFfV&V<zxb5E8|6sj<bd62g%V;
zt4Nk2U4nrx*WosGA<d$rq&Rp)`70(lQQf{g8H|Rpzs>ja^87+2{Wp~fM?_$LJ0~kL
zF$^Yws8XHWwXgmtc!wm94Oiq4zJh{Ti_M0YvH4yyV+Mjkg%)fC2^B=$oN(-Cet2$$
zM?zkhvU_(Q(6|omG*<E!!*RCH#r;HCQIMl{ee5NpSPT#zJU$jltz-)g{?VTgjvXQ>
zmQM|Sv`ta;DsjH<R);t#xFAuz_wHj!&b$y14eD63UzXUUiv5-G0yJ9A=Vfy0=x&Br
zRySe~!m#MSQi=_2jNEVq8BbMjKh-qY%GtcjlPqL-O<Ix>ypSg5N5Tu6H8jQ+NL`vw
zw=u?wN<(ET;ACpYV@d)#WtGmP;+lgAF=`j45_r^<p1vT}t6~;p+_D!|Cp#l&zT9rU
zpjoaw-iJatIMXiua?zG{v3Ys_p%)nso!cUdT)7B%PzDwJP$%+yIqbsZ0M7DalP!X;
zn+#6D&P30jq$=S~r83Wyb~{yVgqGECledR@BQBQp)jCoB-8gu3+?Go6XCEjad<O+J
z7h>u_{4vtHJ&}YqXLKMs=uq|SZv_Sa^Er4)8aaND<9+W#H)JLhVE=0l7A(xs#dCLV
z)J#rAzDk%&jTz}z2_CMc9|VhQ3O_7())EIln()M4b>8{TldD81a>t!<G|DeXU_!MF
zTpnXm@J@7m`GHUh7yq_jUlO+YdYT}yY$VEgN*R(QU#^rCm^(~dXO#f>QntXfXh!~M
zqICuR{I}i%aDL~j$Mm&;QlX1S36s`$r4_F=#PT>=R%zvv|JqFkPLt{T<c?_Wbg-a0
z`Co-LulbyEHfQhrokXQ4?F`?|F0w1OtM9Y(`HDPq8dYlC<@b=8LZd*u$6viylLXR$
zL0sSJ%Z*|qq06EYmfM#d!vi!S4^CA7?@kwyNexHi<{1r>Eg-QOn^8aeuiTT1C=*f8
ziBMaQ7Yd$<+Ds9$ZVX)+5Tsw|TY^unTQx!?VZcx*08xY}$bosyrI@Lv1W_15Ldqhl
z<D;H3Ge{+k^HTG@cH*yaXnKt~b#=0&+Yp7!8SIux4K+c(im$-IvN6tJfC=u7%u3!&
zZJPqw?LDv`s~R1b@}8={yRZn>NiW~mZ$Fp<fUpwAnW(^ZoEoVxjDOYlBc`8Lp#XqK
z^ZR=N`a<VT%J;FEN+rTWE?#nDQr?cXUOy`G*tAc>kR;s)Rkrajtk)o!OlbMG1|T{F
zI@OB4gVl*`<&YuT*F5Ifx;HR5Msl3NS2%zt2orI66psJCLXkkCcDR&7kyZWzE*w5O
zNb!)08RG6K%Z}XtjtmHxZSBW<)lP!)eK1j%+iDlfWi`y^1XZ+_7NfIZi2$-_%*eTa
zQlgLogE1XZyMXzM(B&$d3o%g&EOe^a0X6SE5MrXRvKd=r5=^$zoCbYDor`)uBI$w9
zW>2EoKumq>gOg5|i%nQlG3+}eB=7)B8zpcQG-znPJdIM^3bh0S8Ab1h71P(IS~ku&
z)&|{#JA`tGef-d|liPCrepzEl=%fC@DjV-wiWUBxD2HeT$Ae^KvJ5bQL@JbQr~PK6
zgIMqGNQLDvfAUC`Lm-1x^eb4*!I~(BIJnV|(j-eYI^68U2J~o+S@J51U|n-ND^r}_
z$1N-FMYacdD)ev|ui_+sGe|(r*oS;$z|;u5w%;+)2&$8EXMQ)Kar@-S#ahROo)%v3
zvJ!fsV9%d|Hp?=h>Oye78pD{dm8OMUH#qXLgr~{l&{F*2`w{m;V|=!lF0$G**Kb_n
z@QO=D(^XTBNfG`fa~+!g?Wu)jalZ5rThR~UM9-xTE8dE%V_xwqc$yS#YRT)y;OvOh
z&r};^<5rwQ&R}uDNp@i)ot>a|2ZW`r_=)@_D%uXpazCL>uOghP8MT7lx?0_xX)LQd
z%u<EOQ2<dY<nvsW-NrEJ^S+6nj8Fi>EooE^RAE*~c`_i+-nLltZ4=j9Nmh(A4($k=
z)7bGVGQ7I8t#a^%-0T2kpo3kRBC?*Nh&29JH?S&APeOR95#j%}Zx1F4A99pqYW2Q1
z<M?~hFjOu^G7jfzqw>yrQHePX>rm^p4j6Kjj79APZ&M?~ww(50vOtEazK8XCAUboa
z$5yXJ_r^yClGl*ai990w^&MH3JO_!ck2Ea+tag)RE5QhB#w8@>e1U9K{yfd`T6+Ez
zQ7EXMfJ^mj08o%}GrWE4pSH_SpOVHM$|MhR9`VSiOulY?kbwsmWuu^oDiYM5x@O~l
zPbZr-laiB`!sJ)i$^gQ3g$VdDavt;E`#r9%7rxCw#nns0jpw+@3-rumrTzqUX8N!u
z`R`*w%*mCrI3;RsXegs!jSL_mXyF$xDh_$Der+F&O;HrW6X4k!KAmSECWrq39gZi3
zsXI_ym!qylz7kipIsX=5H#WRkV8iZB3FXD%a`%5!Du)A8A`&DrIppjaSy($z85Z$C
zhFQ}jnD=8TeiiUDYFA)v)(Lf0b;Bi)_fDlgG+$9h@Qp(lc(S)rw~!wNBVJ8n^_Z(`
z>b{UJB`Lo)WOFU8o7fnyM+;a+I}GXhjf3XqTV(1&(B_*(_xHE1X)Sb=l`G=Khf`B!
zcS>lz?0kC$@&*rOi<>SccpYcD=cG$a>gK{3_+0Wsp#XzHG&DzZMj!7thEgl88V*m>
z%+uRG)KrzJ%~s`G-TIdC^0gg5yQ(NTNz0!-jkCdb1?xW6<A-4<w6}m#dI~<JbVCW8
z<;%=MBk*F1&sp1zKI3o8YntRZjC6kWUR`(XHG`u`F(Np)_Bg-=NaSQt19fOKWh$W$
zEz!lK-yt?Xa@v4wJVPozp)^_%?CeVGpi)NB`hvz;U%!ihQr4DuxjPnIrLjnMfta<#
zMLoXg19<JlJP%qtVYr2i8JiwL$v}PWz*n7>k`f1dHR+|LE6y20r_QfBLw6V1P~*4!
zr`i0XW_QaJr7YHLeNQsG1=Ud4FB%UX$=7Avq|IP-g3?KYTN*)bf6_Xgpkd2Kdjmq2
zs~GRIabZ45Nlm2d-<n%|p~g4|<J1$h=QTTi{PA`(8(uwc><170BSs;&t}<z=-xLUH
z)RQDY>ft#|<=~jorV>zh@u3&fOcP8HxH``t(@^b$GwcWxM~!M_%r2L%E(8bKhL`1g
z3qP3h2T(hmpIdTT#BqjuR%DOvRKGQd|B27yF-l@A-Ka7IqYI^&hP$~G6{Ysk;~;`j
zjOiROXloEz=sif)*HF2}!^3@#!5LnT0QBYa#bxs-InDIQJ;j0&nXPzZa)6ufJfQnS
z_Igw8+c`|m=cmQ-^TVC??|R;sCOXlg%=Y`(6!Z~7X_G`p%7RY%?xZu3MSK_Q^vw+I
zzI}#?+vV|1iwQhg^v{AWHaq`M+g2471sAOcP^3hVP(Y+cx`&WP(4jk|yBQei9uxy4
zq(i!gp+g3S6zLkeK_sPPhR%!sUH9#-bsqM^S?jF5&$rL{cC}+~eO$4>J)<t`JICgo
zG+@d0fXexTl+OrWL^ew|I$b|0WigwrqXj*+`zpMjtpaU8b2+{;5Zh1G=Q4bTLpfe&
zy1aqIf6CI#+QiZ!FOQoIM68^cG%V-3yTdj#d(G{Qw}xPKTJ$yVPE!0dRFQRfAC0s;
zy-zz6wob$#|8E!cRPc>JLAUqrae(hSCXpg4s?#1OmTWTNO~}DVFD-+eP@2sP9TOk;
zyp8n<#+198K?Z(w=dF21BCEu270s+>qY(auyb{fJ+LSh{<A%Zuc|Hy=H}8`x$9mLs
z(8PQdM0DW4XmxRKOQAO?)1Q6>r9^F=^WyVkRFy;OrHQ|CN+vkscel}InkdlvvA$q9
z1k8rK0P3=x9k7jun;r+oL5qIKPw9-japkdeLP;T1d?pr)G=L6b!ZFYFxfqI&HB*EH
zA^H(f_*~o;uX$($&tKO<R89Mt9(~j+(ahg-e;-#|`N&~SA}uD?zLa8f>t5YlRAt(L
zdu#Su#fQQ+<*#Y6{0Fh|+Usvv3U#>UUvfMP-6Hs?n$a$TnmTlqh~p#7#2lzTA!LZ;
zIZm8;fV^>US&{rAX1^lz59jAOVxQzB_z@DMavQgEjo8Y<Z?!mo_JJREED0|QOK~~t
zm-Kl#!->kn3=Z88rVd#~B^xd%SX~*iw$`h}$hB+@=~O#uoS@%EEviY)MbOvsRhE%V
zjzGoWaa_7bi_A~c`0Qa$^uEU5bP$Lwbk)laEphJ^Aih&BTQ~99Vq+sHQ0bufA+AFS
zkLq;L^3hn6P^hYj$smoLer#4`D;ApC#4xqj=KyE-+serpIG|$c7ae%;#%r%?q4j9p
zeawq`n7$A?{|vGS`r}-CflV%&Ty5Sa-O9WO{MF#;3jvWuxHySgRtKltkIvbR`KnBD
zlBvvZv9z#qd3@G&y0KjsWp)i~Q^+;awr*W|%}ru-ycbA1F#+t8x)~I}(?2LFiAO?R
z%$|w_ZH-ptaBCvNB1WAI0L{U#ZQ!btN@5r>6ZFp^(8)2>aH@b7-MuG7WG-%ftPt^3
z*>UD`%57%RFyJXB5!16RoVm!*AC&^SJgy}-!JjGHaUfq)(xU`umc6xVwc{bqYJBNl
z99vvvL<#^-V6{$9MFA%edFhp|Z5g6~HYQ=H9jcQ|&UkG&g;|LER{(X45Os_cLf2s-
z1ZBG}lCY&w@dbA!)5>NRBG8!B59b2S7j$04|F(R3QYR-FeSc&>s^a%)@9F)Qyd#ec
z@4+gqU(MZY1R0)rH^0mLJ|eMW2&VA?Hjd(!45T}|_|iItsGWL{FI5@wFn0`iBf($E
z%zG(gvIRGb8tCT?g=Pm3_Ovt{pbXoW$o5M6XUl3~SEp$(o29S&->8-?*4!e~*)-g=
zr&Q(|$cMUoCb>`1S1EC@S%18M@;@UI0~U(?M{(|i5lMpU*eausQ+9iNw#J?y1E52s
zkT%5|q*`~zTPX*p-)CT>+S**ppFUpg{5uFH9fc=mC5rPmCRcwk(2xPvau{~a&0DUV
z904h*sCN_D^DHi^*i5Tz1BCiK{bG5yK89QJ$yxocJVba`5&2Ji$az;6C;8&rE=P?o
zPCBhD+~J<lu#rf^d!78iP_z&mIXvTPlHN<-&QC&TlZiU`wnmS1xkV3R({G9weFyjz
z|1>glijVsg*#>vWtLDrVk)y93ly|rVI9}-TVOuxy;D@`-S4rRsbCIhyZ;QJ#r#)QW
zKhAr1B?^hAWDPp7w0cM=)c8k3I&03&cPyF1--lg+J12@N8IBaTl^q=0OAM)pRkXDF
zhr|q70dkz;bxm6ne3!3y?%xOWh_7DnlJojpYUn<X`0WN(W-i|k-{6-~0pUdKI8Y|9
z=VvPS6#Ml(iH<D2l6w+*@u=o+p896l0Eq22nO9#6AY1p0s>v7a%V5v+fFrFqoVTm<
zT5B@iipDL2E%b}}F}6}zSX*?865eqgrx|#O&-~3;^9=JxOI}U0g#9!+&+V_P*A~~P
zR<fDU+-60KRATJmarsA4l36=5(T4Vfy2+@%nT7&o4cbe1nZn!T-om5n00(E0rWQNB
z>m;Z)zF;rczq`3k+?ez}xenG#U7IGmwL~@{cOpl<Z9uk%a(vQy!BQy2Tk5jn*^m;H
z*po3=q|7zgH*8nTx+QCQV6vHwFaPh`VtP1FrfAZD1{V|#(2c7ujXdJw@xEzK)qqiB
zt+l<sm+GkDS~U*A{F=5-g9O+rlKZ2i;Cu!`ZS~wWsyC~2&NKmUn(Erj<Na5=S?tU8
z===r^1@(NnuE8ug097{VTicr%8Qy|5mB=sm2Z(=^qCE4=@MLR<0zKC1Pf9z+{_?Gd
z(U{?Q;JVO_xjQxB00{AzWlT0%8_9f*qJN>8aF&?Rn35Uhg1y}Cse)5*s#>Ip1Qj}{
zhR<-8?~-D4pg9B=0z@Pe8SnWqlg;fid|+wxps3FD#AbzVYzod8>S*?7N%|l^3hf$6
zp&x#}v)V&aJdnQvh>B<n8{uo+WssFbW)1d;z-&o=Dik6k2PpEd*KWLkiQtl&&heHt
zc(d;P6{-ry1s((k?-McL1KzW8iD0&O8Uw&A<r>pm5nW;iX;>8aQ*QYVruVjUF^2B(
zJxx;#tyURP_JzJM$@%i`*SuZy_(Ytnr_fgkvMIwiIAtg^<`(GFh^>Ul`36LTR}B!J
zy?L!ceK(JPaiD9ue?Yn%ZANoE2~0R&*!wv3@M%!)-1%9GsJR$rmRAIzi2Qbar_M6J
zk*Ya62~hlEyH38jJ2A=Wi@K5hJ}}?bCstM@bMA2Ieh4D~5Uw&?7AO+sRR@RHIeysV
z=b5G}zdp!1OD845K*^C3`VTa!hQgjuh=+TQ7d#l0W_$;X#UAgU?z=?SOGlU+3$~4b
zdqAv>Hi_qVxmYz$tr$R<sO9zB639>xilf{<UMz1Ub}rXsRQlo+;dEet;&Mug!3TKM
z?PL)HWI1?)nollsGi~%qDu!JIxIUW{%WHd|CugmA82iiEHq7*hSuTx%Uw+pt%l(xQ
zfB5w?&%F(p$dS+YEzVnEX{h_^QLurz%-H(}2mB=Mm2DOllfP+*RSgziyv4k<4uq5i
zb{$|q%6cTySy2E$k@{g4{M+8l$(n-kqmIPtYx5`)ue+qeL@Y(4BQ{_}VukBD+Nk#j
z{rYZhgWH*mfcc(S()_Xzba0DtyG0~Z(^*lL;Mlf+is>4Jl3n3PPo1c{2ysCfjGs?+
zb@%sWQ^%BP(^!hkPbEeH-dpZ&ac&fqCM+<djT%rte>EoQ=ym_R?juRDC=w6QAqcXj
z5LBYT0Vw`iwv=BO;95~PrJ$e??$4LJrMBJP8&GHn_nayq9<&;FXe^(1zHj>IQ?;sb
zwB@(mx2+536L-yHG#Ps;H>jI6OI1L&xQc56`DD9P0F-Q@Z7d^?ovVZe5LUb>z4(|u
zo_DNI$4VN;=YOYUT3vcky@zN|QrstomW8UzjnAyze$HluKQ<i2`<*u%qOg$dc+&mZ
zpw;wo%eF4B{w9Ow!QorT#)jYoj0L2z_Oh#+q~hn@)7_3AibK;ZFDcDHz93rTLH*^y
zAn**;n#AGqzJG;DQxovoT1(%0C{|AxY(}wo@J>{oN-$hkM3fx|LAj-1o|N#`Y=}z_
zk8-NI+52-eW<4X3wt<v{=5RO24$Ux_P)MnCA%cY`iTq%M5);!NkuH)aeqE&BfBu1p
zPnXv7MX~VphCoG;Z5k3~w-`g%O$tW`Uh4c_Q1c@5u^P|RvrZup@B6l|SnTV7Ot6&N
ztSx9y8`^IiSHuCRSy<urVe}t%kIDT6A^&(k`QgoCPl5Armce{n`Kj&{%P=HkM>d@m
zwpyiI!`@nC@=#M7_=P8JeSq#Xzz<9}k(ulfZ?L(-CCL`6B}D9_L9D0rsumw0o9B?=
zjghF$-i0_7RRr_50O^z~O!)Ngbi{&pNa&=}eU{uMQqBjn><m4eoOcWfaWplVEvI3X
z@Am3HjUG*A);zzn^nSIGiD779I%I>fd-Fix4%n|OWPeG}Mt8r-M>euz#REL}c{V{>
zb;2K}(=$gTQhx@mFN^7br-@OD1sftFV0UYLT>ii)se+i^gg-qiC!Zo31iDJUNj1?j
z-AkRs{9p-K=E@2rU)a5v>*LL02VMDg2-Z~F)UC7H>knrPDoqZ5<%?3SXqfd3NGRvp
zKj=13uX=Zo@%-`0jnSEvM(&1dN}FeTgWU@A<tU4Jhu(ba5VIClYfunTnVNbefp2zK
zH}z)u_DG~51iwJH_-Nj#4A@%ax3ro=dK4+bGm)C1M_CnkWw0~@6kGI2i7&i@I4({i
zwOp#fRPL1T$bXDI`$A$V1Wy(^=^A@&?WTlXPX6+8c+7bJQ5C~~?yv35$w8fVJ<tsP
z_K$LC*jRw~r=O9II@Qh=ccct{XDk_U;`tHQX~hJv5xCy<VJ=l(iSAxkYH$eLudF3j
z-IrN-|1z3cDVyfRxs>N-cP#H*xwg6%RlBW(Zy#CaG9U|6yXn}jj+CTUK<8)8(Z)~9
z%5I@#%DHdZo%9S`_dZ<xeix<P*U5}B(A5W8yO_%aq#BRrX!8I7R*mS{N`aKD<7;~b
zOe(ZnAV0V4;dEhPSJ;kI5*}kYf+Jp=oie|id01y^1)*n33tX)x-}rXGp3N@XjJ?)X
zfNedTNL5;a44Hdl+?Z5Wh$JpA;<%L_%jO-cf2Wo7xEQX<sp}8xwajt-{J5g&|6H+B
z79v7Nz=NavR;RWI5s#~^qRmZB4A?kvMT3|7;g75PN}M|r*M!v`krpBvCjcg-@K${}
zgwa+<+(j2##O`}LG1#mk%i(cg?*c=xjUYE8H>4Q;^_ALdNn;5ewY+>$$-IWw1+}zD
zl-T7`4M#XL&H|x>YIn<tYgljXEzIrA74iU(kXzk^gF5#;0cOjaXfQkhq6}x$H#tX5
zlX>&=k<WKB=%bF0#(uTSD~5G?)m?rM5U81P#86f&<uz++*|i0^XqE^MhaL*baTiaf
z2KXBu7k1<s`vrV=c7DAqJy;`C-VZ*J-$h)^e!1~CeezHD8#6os|Io-8ZrYK8=F`9F
zKt=ormwUrJ2x<xn)*;ejB_8M=_?f~IUK*ojv5^)F&r6Gugvn?3yTkS4(-)wQf_rcN
z8cwIudJGs4#Go?D<lzl^v*ROlxXk6X@e#x?-W_C0%k;=6HLXAv7DR?k*TLXV1|MWf
zPO@YcM(0G7wX}@vg+#fn{C(UVK`DOf#zLvQ>h&{V9L5j(+`;`xv`T5T({hh)|Hyjy
z^-XZzA*5Z(_X9)U<x*U_J+ynfS+p#!kT;GD4x}0~XkK+8ltSRn+kHNNb$FV*O#m3y
z$}i!~=qa3^zv!%Cja;U(kxpQZ-n)rDU}R5vtPf+#;oW_EYP+c9m5Znk%n`I$+O{O1
z3eNIb{QgPRq-6DSFwIz*OK(_hC#vH~^_J(nQt{gCX2RwOcF|Wp{>)x#aH&9yIKzfx
zuEv-nqun3hi^dInc3$17bk2j98uI8r6AR)AiuGFwyeg?bol0dUz)j(%#<g8Jzpk1O
z6RR;dr)#r~S?K#lt(AH7+fYV3;mD(Dta^s)H_`A9T~qO-Se?a*TbI|=I2A$O5@l{@
zp=s?<xG;Wha}II_I@xHvPO)3vFj|_&z-AY|7vz`#;YLGK1PO_hN%}vjgi)Myj<T%t
z2A-PRsTP-@%3pGvz&per1IQw*Hzi-N51aKAAm-@a6u?h1#qY{809jVv@^unWNsmU?
zA}Wq`zq__kaF#<k)8By&6!@kG^AP(=D<c4M%7?)GPPB{WxntVTZA_iq+jiD0u?v`Q
z3xR*`g<CYDO{i@gOPxv;Bcyz<E~IoS^LMnZycNfR^`1vvcy2kIGJBymZI5q7MF!-Q
z{cQWHemHxH%h>Am9yT{hv?t%Im}PvAoc;A_flWPm!?}scRK%OeP$((s(wY+;9`cWB
zQuo-;`(7(p@`<PJM*7ro*Y(L%ZqLa;;dHOpYi{<(2s+y?1u3Q9r49~6OJ``F&HQC6
z&g%WH0epJh*X0GnuozqME}L@w$9!;Gxx;8e5=^d^(rhNCMRS?iQnyVjLZ_3^yx(}+
zug(3~riHNMh9fmJbKj$k>5tJWv#ZcYFIJ{W@9vlGHNL};A!Im*@^036mMLqKaimr2
zK~PUZov3;Z(3lIf;{AM(VLHe*>*)l?lP6tJnacpw2fF=#f!{P1M+5!85#U2kUw7(%
zaN&n&wk^^B7a&e&V{*Uvgl*H^pdY9-M;$R-kjOS!G7;m^XGM2O%cP(|a`ugGmt4Uj
z|F%o9n2jHhrieT@b4|KN3U>kIa2KhxMsix@c>?grfd|pjzJK5>4`AZ%e}-q>9zj{#
zFr;(H;J@pB>PIc(dE4BD!!F|l_BS5y>Mq`Q)tzFDX`5j)2d^gYK2iRiH>bD$D)l^k
UvSagiWB&l9H|np;<t#$}2kNJ>A^-pY

literal 0
HcmV?d00001