From 3b6c3f6d7025235e4aba9a1d7d7df45c9079c269 Mon Sep 17 00:00:00 2001 From: Ryan Lahfa Date: Thu, 8 Aug 2024 16:33:46 +0200 Subject: [PATCH] profiles/gitlab: init Signed-off-by: Ryan Lahfa --- hive.nix | 17 ++++++++ npins/sources.json | 22 +++++----- profiles/gitlab.nix | 49 ++++++++++++++++++++++ secrets/ldap-bind-password.age | 67 +++++++++++++++++-------------- secrets/matrix-shared-secret.age | Bin 1605 -> 1715 bytes secrets/mautrix-telegram.age | Bin 1917 -> 2027 bytes secrets/secrets.nix | 3 +- secrets/vaultwarden-secrets.age | Bin 1589 -> 1699 bytes 8 files changed, 115 insertions(+), 43 deletions(-) create mode 100644 profiles/gitlab.nix diff --git a/hive.nix b/hive.nix index 009775e..fd93914 100644 --- a/hive.nix +++ b/hive.nix @@ -117,4 +117,21 @@ in ./profiles/netdata.nix ]; }; + + aragon = { name, nodes, ... }: { + deployment.tags = [ "gitlab" ]; + deployment.targetHost = "aragon.federez.net"; + federez.monitoring.apiKey = "370a181d-6b00-4c3d-af27-ca65e6e4c1b0"; + networking.hostName = name; + + glucagon.networking = { + nibble = 231; + wan-mac = "BC:24:11:E3:12:4A"; + }; + + imports = [ + ./profiles/vm.nix + ./profiles/gitlab.nix + ]; + }; } diff --git a/npins/sources.json b/npins/sources.json index a651066..caf69a8 100644 --- a/npins/sources.json +++ b/npins/sources.json @@ -8,9 +8,9 @@ "repo": "agenix" }, "branch": "main", - "revision": "417caa847f9383e111d1397039c9d4337d024bf0", - "url": "https://github.com/ryantm/agenix/archive/417caa847f9383e111d1397039c9d4337d024bf0.tar.gz", - "hash": "0g240g51w62r7j67dcc73xkdnhd26nk07043qsqqavl5mbh40swy" + "revision": "24a7ea390564ccd5b39b7884f597cfc8d7f6f44e", + "url": "https://github.com/ryantm/agenix/archive/24a7ea390564ccd5b39b7884f597cfc8d7f6f44e.tar.gz", + "hash": "165am10r61wl5v4hz169zrlljvj929hgnhr9sn7ak3bz73cr1m86" }, "disko": { "type": "Git", 
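Review bot: `federez.monitoring.apiKey` on the new `aragon` node is assigned a literal UUID, so the monitoring key is committed in clear text and is also copied into the world-readable Nix store wherever this configuration is evaluated or deployed. The repository already manages secrets with agenix, so the key would be better kept in an age-encrypted file that the monitoring module reads from a path at runtime. Whether `federez.monitoring` offers a file-based option is not visible in this hunk, so this may need a small module change. If this value is a real credential and has already been pushed, treat it as exposed and rotate it. The enclosing attribute set starts outside the hunk.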
@@ -20,9 +20,9 @@ "repo": "disko" }, "branch": "master", - "revision": "d07de570ba05cec2807d058daaa044f6955720c7", - "url": "https://github.com/nix-community/disko/archive/d07de570ba05cec2807d058daaa044f6955720c7.tar.gz", - "hash": "18rli5h2xmzbbwambrcrg7r22vp0rmnjm55mcqc00n3fq5kscsqy" + "revision": "285e26465a0bae510897ca04da26ce6307c652b4", + "url": "https://github.com/nix-community/disko/archive/285e26465a0bae510897ca04da26ce6307c652b4.tar.gz", + "hash": "0clj35a0rwxci2ss6401gyi3w803bz01ixis6pdxvkmap4i65h4i" }, "nix-phps": { "type": "Git", @@ -32,15 +32,15 @@ "repo": "nix-phps" }, "branch": "master", - "revision": "509bc62c91ecf1767b0e0142373d069308cf86c5", - "url": "https://github.com/fossar/nix-phps/archive/509bc62c91ecf1767b0e0142373d069308cf86c5.tar.gz", - "hash": "0s548v1vylqdw8a5vlzz12gxjklcyqzckvbma2a3z539sfg4iils" + "revision": "d40b1a19f521b1c495f60af2a9ac40e5c27d0925", + "url": "https://github.com/fossar/nix-phps/archive/d40b1a19f521b1c495f60af2a9ac40e5c27d0925.tar.gz", + "hash": "13rxp9l2ik360r68kvdnm62bdi909bhfw8daz1a18n96ba6k0fhf" }, "nixpkgs": { "type": "Channel", "name": "nixos-unstable-small", - "url": "https://releases.nixos.org/nixos/unstable-small/nixos-24.05pre583675.3560d1c8269d/nixexprs.tar.xz", - "hash": "0r5p2x51ibw6sy3h76c4hk3763bixwjsid9jsmvc05589mnw31sg" + "url": "https://releases.nixos.org/nixos/unstable-small/nixos-24.05pre617751.c8d7c8a78fb5/nixexprs.tar.xz", + "hash": "19hh0a2jbgjg8w75riyr5lmj4x4m7l6rg6j432imyrlxcbdki3mc" } }, "version": 3 diff --git a/profiles/gitlab.nix b/profiles/gitlab.nix new file mode 100644 index 0000000..cbccec0 --- /dev/null +++ b/profiles/gitlab.nix 
@@ -0,0 +1,49 @@
+{ pkgs, ... }: {
+ services.gitlab = {
+ enable = true;
+ databasePasswordFile = pkgs.writeText "dbPassword" "xxx";
+ initialRootPasswordFile = pkgs.writeText "rootPassword" "xxx";
+ secrets = {
+ secretFile = pkgs.writeText "secret" "xxx";
+ otpFile = pkgs.writeText "otpsecret" "xxx";
+ dbFile = pkgs.writeText "dbsecret" "xxx";
+ jwsFile = pkgs.runCommand "oidcKeyBase" {} "${pkgs.openssl}/bin/openssl genrsa 2048 > $out";
+ };
+ extraConfig.ldap = {
+ enabled = true;
+ servers = {
+ main = {
+ label = "LDAP";
+ host = "ldap.federez.net";
+ port = 389;
+ uid = "uid";
+ method = "tls";
+ bind_dn = "cn=gitlab,ou=service-users,dc=federez,dc=net";
+ password = "xxx";
+ active_directory = false;
+ allow_username_or_email_login = false;
+ block_auto_created_users = false;
+ base = "cn=Utilisateurs,dc=federez,dc=net";
+ user_filter = "";
+ };
+ };
+ };
+ };
+
+
+ services.nginx = {
+ enable = true;
+ recommendedProxySettings = true;
+ virtualHosts = {
+ "gitlab2.federez.net" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/".proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket";
+ };
+ };
+ };
+
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+ systemd.services.gitlab-backup.environment.BACKUP = "dump";
+}
diff --git a/secrets/ldap-bind-password.age b/secrets/ldap-bind-password.age
index 6bcb93b..202bea1 100644
--- a/secrets/ldap-bind-password.age
+++ b/secrets/ldap-bind-password.age
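Review bot: Every credential in `services.gitlab` ends up in the Nix store: the `pkgs.writeText … "xxx"` files for the database password, the initial root password and the three `secrets.*` entries, the inline LDAP `password = "xxx"`, and the RSA key that `pkgs.runCommand` generates for `jwsFile` at build time. Store paths are world-readable on the host and are copied wherever the closure is built or cached, so real values cannot safely replace the placeholders in this form, and deploying with the placeholders gives GitLab a known root password and known signing and encryption secrets. The repository already uses agenix (this same commit rekeys `secrets/ldap-bind-password.age`), so each option should point at a decrypted runtime path, with the module's `_secret` form for the LDAP bind password, as sketched below; all secret names in the sketch are placeholders. Separately, `user_filter = ""` together with `block_auto_created_users = false` appears to let any entry under the `base` DN sign in and receive an active account, which is worth confirming as intended.

```nix
{ config, pkgs, ... }: {
  # All age secret names below are placeholders; each needs a matching
  # age.secrets.<name> declaration that the gitlab user can read.
  services.gitlab = {
    enable = true;
    databasePasswordFile = config.age.secrets."PLACEHOLDER-gitlab-db-password".path;
    initialRootPasswordFile = config.age.secrets."PLACEHOLDER-gitlab-root-password".path;
    secrets = {
      secretFile = config.age.secrets."PLACEHOLDER-gitlab-secret".path;
      otpFile = config.age.secrets."PLACEHOLDER-gitlab-otp".path;
      dbFile = config.age.secrets."PLACEHOLDER-gitlab-db".path;
      jwsFile = config.age.secrets."PLACEHOLDER-gitlab-jws".path;
    };
    # … unchanged: extraConfig.ldap server settings up to bind_dn …
          password = { _secret = config.age.secrets."PLACEHOLDER-ldap-bind-password".path; };
    # … unchanged: remaining LDAP options, nginx, firewall, backup …
```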
@@ -1,34 +1,39 @@ age-encryption.org/v1 --> ssh-ed25519 GxF6ZA OjQmqOJccj+MF5atvDBSFQ1JMKLBYWhKr0Shr2Z8Bws -wdwMQsgMsIOCMayUrBqepQEphbJKK1WThpg69adSkOU --> ssh-ed25519 Kw53Kw ITayxp4Bba3lr4UYKz0QOIdzJX3ZZ9ufODjHaXL+SzM -Wp7ZQrxHPN1/K3DRV3RiHcgpBpM4Qxjmp2cv6NvfBQE --> ssh-ed25519 FCRFOQ 9ex8FuTdbUuhZvk8TvBD6BBwymPeJ5Efkt3ioc3M32Y -uGOuUeGXn7cD8xWhjpz9qb7lHzsjW2h7QBdv8a5RyoU --> ssh-ed25519 B36KCg EGp4RxQca6dtSgwQYGNLdQ9BNSJ+fHWmr/Q4mka+6h8 -V2djTR4or1M+mbh8d4R643CvP8dQU2jbwlsoMKdoj+w +-> ssh-ed25519 GxF6ZA eVhJxY3U7X2/1+ea3MhmrbTptCi7Rvj6ggSYQ0RkokQ +QB+2uJ2MEjesBZsExtmbtb9o8K5LefxgE6VQs2YodFA +-> ssh-ed25519 Kw53Kw SK+QhIRleYsN75d+Yd8Yn3l9B6jKySgXBpIxGeeyfjE +nritb1PfdRrrAsAcBO5x5Vcl2+Z/ZJJgdm5lDZQkxAo +-> ssh-ed25519 FCRFOQ LbVXdgtrIpV8glXMv2brD5BZkyK0qGQOCTvOIljxzRY +Ge7V/AIq3X0Z0MnHr0q1cD1UsafNmQxaqKQm2Uz8SW0 +-> ssh-ed25519 B36KCg mwlJtL7JPVzY4jAzuljKbABc22aGsIvgUiOdzNK7FEU +9M4wnm/KrI94d79N+u9+RqB9GG8P62u5rJItcDzz6jc +-> ssh-ed25519 G5TwMg dokYM4Mj3fReLXLW7qr0Gr043/5hy3oj0M3TRQnryw0 +kS8exFEwHnbmDd3LWp4YcWYzbkpqDoWLs5HDKGJnNGQ -> ssh-rsa krWCLQ -bWGdQA+nWtvvzNRiyvzHfZArfT1LVDT3NnttMiUJC1Jo6eMKje3wS0fxDbuDZ4vo -odtFhxK2hH6hR0DxIK97mzr4rfr521TWn50KCcxqIlZ8q6+i2Y51RpDMDB7tTHJv -MBlRMEDkt03atFyaCcBYqxCbosb8hQI0Osr4j1MDyj0PrUZJNmpr0o7immWkSCE1 -0VV9JiTDwkdR/lbJ/qkwhA/0+wWABeYEXZYvEmsQ3I7Mx0oX3W41DClhrfNkixTQ -VLc4o6Z1d7HqCdeOadqmEx4rtWuFZ7jMTaRV0hqEDr6MWe4KXNxR/7pF1O4a+Mzs -nhwG+n+4ta603MPWpkWnoQ --> ssh-ed25519 /vwQcQ ynKyWE8qqquPN6WX7PsLuwUwtlNS/VBluDHTpXrIOE0 -VivMdBXUYl6ZHlgPx4+WJKPmiobgVXsftQdvClmIOLM --> ssh-ed25519 0R97PA 5pzkJFYkvjVQYOgjIZPgdhEH8GFaHBrE7PHEg//lQVE -/Bfvwlo4CbUjv5uHjSAtfPxTBVfLoA6sIF2poDI4S68 +GWIUHPR87n3Ronw7DVTEKmXFGiabIGlTKuVnXktcXwDD5eQULpWFHoInEES/sNm9 +C2tbfhpaF1vQRu/Gno55CdU1tN1hh8cK1MR/IoEEJfZmmL4z7v+eIK9NxqTz2IEl +Re6vx1eMnG6vd6mQbuY3owQOnf8exFPkFyo1StUasg2qkZgsjqFYy7IU8pNQzoCc +KqnBChCmB9lHjxBx/xcaNgLWFpxWWFZfLsse/bmzEm/XwFwLiEgQNsaC+GiNYU6z +yR+e8Cu4VyFk2NHMPOzqhYHtUhlqhIoK1ssMpUKKoMOo7Oct0TeCvfpDnpAaV6hp +fxM4x8MjncVpd+I0v0kODw 
+-> ssh-ed25519 /vwQcQ 9ld5Grs3T+mRrImgjHpKcrzO9pkOkmLl4gaQxs1lpRU +4cJffaxOnbcd0hLRBOS+I+nKxzNCl3PkCRv9HAMioU0 +-> ssh-ed25519 0R97PA Gxl4hNPUBbVYFoDQ32XvHHCRf0nxUDj1nsj5iFktbF4 +3fx/9nlvg3R+XVU7BX5kSibSvWKec0/+/emXKoGuGu8 -> ssh-rsa jL+Elw -gyeeOmvoxeIvxQ0OGsRaFVeF/fkE6TxpYGHsJdA4w3yJSlLCtk+WYv228hx9if3+ -bXvBZL5uRF4psP36i0gQto4NjHEUP5hfdjaRzSIai/xdb78UD/UtvyOOhhpO1NRE -fmNYn5uAI2zCOzqpncgYTWaoI+Bl2LrBoNFrYHARgRg2dmx8kNIA/1cFTIzM+EC8 -GSRAHe/UI9FrjIPw32zYD81Y9SuTLDgnnyZQ+LJ9BEsA6xkmx6PwGt841Hwjn22s -HjI3EWHoTwzrjFA+CGN1TmR50jl5h90F19fu6TGbDPYnmQdm+9+xhTEGxIwZBblN -MAt2xbQbNSVruooRaB+0eKXCyQiHgn+2aSM0m4lq6i27W5KK9fFJoZpFRyYNVicS -z/3bbn5G37LNRQ7S2uaQpO5E093Q/TO/cAiDdpexxjWPY74BZQXpuCrd0kwQA5OA -YZqRrwnsbyU/1PIik+CfkoSzVieru8cYnZp9gltdLu998LoKh5tW3DTmTe5/RqiF -2fyZk+M/6QKQMrIX1HnOtZWfAdN+vh7E5VB2W7Ysq8SYHYHAG/a9rH8OJgkDIbpW -58g5Weidb9SKK3Ubunl1Ok7mzOmK5fLu5u+lM3UVqdVMhaxX1uwL9pgeei5aqIUo -+KCsjx+0Wb554MitUvSaw00yS0A+z0H78nKv3waZL8k ---- NNyRDQ7VL64kPyPUtiUkjKts16ia4Oz4KYJdOsykT9Q -àÒÁIDÌžKe*µ]¤Ö4ªuòýüPhĈÜà9ÔFȤcz°7–‰†zš&ž<EÜZ(^Ñ$™#]¼ \ No newline at end of file +AzeKXeyrYk5PjrPTuu2Oyk2tVUvyjcA87ZslWhDS3bO3CEX54+5icgSbSXlsdkRs +vU8f+OghRbDTryFjK6/B8ekBkuEekBxjsG9F3/J0CPiBZ6Wa8Tnh6GmQQC5hSggH +eJB1bIbe9RkzWR9OR8NI9WDl0FVJgj49u3OOHHw5imJsNNM5l5fnL1VbzdSyp31n +jdS27krdRo7VG3vd3v6x9uHGMhITpWB2XXmN9hAE/vILPvoVQZ6FafHkDC8/jD+P +rG7bjo3uw4Ky3wQavEm9pifziCGHNt5qvd3PxYpvQnBwTkaR71gBuRdhdTrzpQs/ +sAfaN9AgF5IwP/2dcJIWSbcOT4nmWfyoZQuo2wsHxAoWX46+Bjxbok+AUlzRd4z+ +uqsoKbpduxKy1GtkiIBrpztX2z1LFHHUGzt4SgMTc0tbVA7MGFGZjPDXdszGsqqy +U76wa1Eu4TYkbJh/wZ12JKg0Jf5rK5xG2PPBuzHU5SIaedMfMiZ5/ufc8O0dsL4P +4FD43vnUwdM8nNrLqCiMJIqffbnail2dokZvFF9wizoB49aFmJCavvpZ23UJ3LBD +3OTzEX0AlMRTj+mT5BDcgfi7Aux1P4BkHdwrzUvHrz+Z1ekOeevg/mCrbUOzR1ej +++2LczvCewkp76DQhaXQ2NulNoJDeZHBC/v+2qCtj98 +-> ssh-ed25519 jIXfPA OWWwVNOFOQqF3l1Q4qQzg+NMa9rqtlltYu/oI0SFDTc +5KTYzI0YRvfCi8A465kx3ro4cKdbjKobJwpvBR2DKXc +--- PMaTKbs1ooYCprys3kTPYUEDpFlGN/9NTyAFaJAsVBA +Æ}Ž:Q)£ÚC=M©¼b·Å¡ õÐ] iÀf¿» N-pKpQ±8q F¼×0¶¿'ÑÄo+þ 
+¸óÞ‹¥ \ No newline at end of file 
diff --git a/secrets/matrix-shared-secret.age b/secrets/matrix-shared-secret.age index a5f248562e466af464c743d1dae28f5f5aa9c8b1..93fa8488f802cfd3e3879634edcee40e286b1785 100644 GIT binary patch literal 1715 zcmZ9MOUwKQ6^Hq6vr#HYMT8d=6yj?#xsOUU$t07^cJ*Clj@segUPs zR@)-t!i6ZfDT1I2cP<2xf*=(v#oE%1EyZ@>>*C$`1i7vqqHM~$# zzT?3q0$_JchK&a4y*(|Hp_x3n7nC5)b=E>I5O)?!o+d!PY@$b6*9Uh+=dh9nsInzS z`JQ1wa1^!(S(2T;)vO!Mp`1lZVW@L<5NQ)j21u!3EaO*JTrk^VHJloRJwU#R_?XYx z(es3lxb`u zmFs+THeguqJf223)dF9(Dn<3qv7)+QPa;%uQ+=0fL&DJz8iR(I0rCPm?yQ@+AA}le z_MzLg{G^eczy>EcJ=RmDpgZi;H04S_Y?|Iw^wziSRXNFXml+aZXj;RVQd%sFa@+;* zx(%>tYA#C*l6AiX*(~H?Z4xU#TqAWKw9u-bj!bM9VkVAN227K9V2GJMwNl*Lsl)}s z$fS>HKi(FaW-Ze0{4r(WO5UnraAnVNYprWCE>~Rb-P-h&=wNtoICy*IAzWx>E@$Q{ z=spsiHjR#}W^RjwN$Vr3ZbQkziH4YO8lhqTPlNR>d7|&qP#30kn!RpfDURC`Tu5yc zOH=5hal+z@g=l3ydFXi&0nwlJ-I9SDGxPWv(|K|+U85u{4q1p<;iLl*Np5hUS?-bc zzb0KIkSk|^)-0tIE!uvJ6hj%m#HjG#e^GN+K=gMsW>1U z3hk)$UX^zz)sQ{e_VSZyj0UyU!MV60syVXeK=iuSw=7%4r;Qct-M-wJ1)jS)P(lmM ziJN6l>y{L)^~xh))#Z>X6*Xk$%fV}`u`vt&1g%uLYsz$Vqa8UmbG0b1?AmKzR#C7 zi1c!c@12lO0o@dPZ*MG8Qx;l%qwLY>z@e!UqVlB%U(3BtOLTK>(1(w3e}9)iB-mxT zLeS}$Q7Gu5ONmdFX`bkebqCxw)+Adq+*_`|51#w-vw!|8y?*~I$LWnHueCq@{8jwU zk3Ra>Yj44ydGiVI)ZgBI;fKF|{&z3E{N{JR@chr;c>O0I{^3|`u_|oUb|9txC7oU3N cQ=diOfA{0p|MGJErw`5Ne)GzB&EKm33kxGhGXMYp literal 1605 zcmZ9KJ;?k90miMMLN=jv5QKM75#!r@Cl`@IzLUFrUXn|4|DojjJGsjxxg-U_K`B-o z+(eOfsNh;uEG|wWqKgU+QXJ}{C@xYF5qvxR7l&tke(?OBFi#)TE*{p)SoYn^{g6X5 z0zAI*aJvJo>b{j1tH85uX=_xv=|a4Cnqq?+(Ja$hYiLThG>&yk_^g1<5Wu_hRE817(&`T5539k!&q*%hn6KK7uFaD5&45(O;l(&0f&Rr<{v zWwzz)#X>{>!VMB>K?l>1D3?5L!-QkHRS?F0tu&d91JPPoqTO}C#gQOnNMsL=sKpIv z&MXYghAz5xBC?&T=gy`!X(op$-|Or3WE&fc6ZSpruv7ZuB{zF8msa5GPKJeoqpQ#CeG{%|tM~Dh*2lsKU`~_h{3gMt6zn9Jxhxl0RSj zxm#$yTe0drj+39up4p4J(&`d18`4Sh> zC~LyHf+RJj2lt(kl{q%p*xFELv9JH11|Mn4WF9KI0~bRwM!3Hh(hwOe%5h6R=NuJa#^z<#AdCvqgON>T+;_dksc8iQ~;l>0LbBxnIa$t>wg`ArBxaY*Un0 
z5s35g;7<#mh0V0=e39_>-iQ5dY!OuUYn!c*106v=hf8C*JmWa>cradbWK7j(In-0}`Tp4VnGP^$KmF8#~@9&9(7D%cQn*<2M3eHq0U^g#IDMm3tbDALYVV_t1IhP{s2u$g!BNe5`Ml^oP`htM_ngD+_ad929Al96^* z$vqq4c^Z+semcg$Q`{GY$QRet>!pL+M_fBw;nUw9FC_1!ny7ao!i{_@>#{`-Zm49}8xnBlMA zd;Py(`@u(Edad}w7yoYGgSUV8>G%HhI*@+s+s)hWyz#5AYVZH?hi`q^&HmXjKl#UZ uzH$8R%kuY`PbLcZ>^I%3pa1=@cRzmPgEv2;IG_F5FF*0E=}Vvc`2PS0NgXHv 
diff --git a/secrets/mautrix-telegram.age b/secrets/mautrix-telegram.age index 80ea67cea46c5e161636c90c62c7a5c60fa86bdd..b6c4b328501182c4e9c3c30ad5e91d282cba3053 100644 GIT binary patch literal 2027 zcmX|=?eE+K0mm^*M7w2>IA6%v_M4HBrT)COch_DK(YtG}z3cVvdVQ`Bp}p(1*Is*l zx?Wp|u)%x^b0O-BZAJ{bEQlB$UZ8`>Kr>kuli>qXH{3D|h#E4-7@Kk8eDU)y_$1%Y z=c`-hs_BoSJV>T<|5NkGDy1;6de=%E+pFdnsa9cph00o}R$oEgYB{hx+-Yc}kvdU_ z2#c-^LN;x)m@CI(3^7o9Itzsu;O$yK<~UxH@ltLOxx|Q~+v@rZ7phs6gVwnOIR&EK!OHJiw8ZgP^_|YC#tvgMv+vS;Oy{gW5cH z=WuO0nEPyoO_>l_ATc;&`%b37R%nA`lO9hNoMUl$G)Ovn;oxnLpR`DX@%og>R5$xO|div9*|-#ii18K zcN&fPKym>tDf^1m8swB=EYLAtHL6MX|7)+gEu~9t#I2MT(|+8OJE@`-iN!*(9{5By zHv26NN>i)cEa6 zOgsi`L?qrItZ60cS$GZXSyGU;F&uZKa=h$yMBI}};JP6-^Ll+*7+1j2&&i>@F~BSoUDX-fjQsij2M37BR~>*~apQop(&!uq&1 zMB9*J>dZjHogNNxIKOD{)1d9*URM|FY|@=38V0mXnTp^gIF+Sw-Z#ByM)l%OMbJ7J zYgrVb$Zk)plYX@&3la$`B#h zB+v4N-^sL@nega*-r~V%$dh?q#kp=&c3j3=0FzqgqD#15P3VRkKsC2bM~0l2G#B)` z1GMj#Wn&UbeVxtg;~|#!1I}u}HC;?aLP@5504CyT?Aq=E7G*Uc^0M7s(kUeJ%}F%C zgC&}G(t$cEVS~|H$7`=~+REhmYjVo3+Dm+9GIkcSbAO4+`e=c7<%tzK)rr%n>PlIt zu%mngz@1rzC}UC17pS1Jl~RZ`(jMyC4s48IX35ux<`6CQWN-B(fv z)6!Sam-js${_=QZxbxWNqt`xn+e`Xfdf^Lip+~lzy7sF#(LMIp>p1*GfKD>3f&cPl3(M^v#cmLw$*H7#$o)*|0 z?;WSU_wLq<;h#2~JN!=Xfip+s|J;09a4wtP>5HcyR@Qy|sgoDpxWmof2zpl@-c+Lc zFYY??G2FdM{PFx}{cOM+z_Q)P_{Y$^Su<89>`?d2| z+)aOb%zfpFjURG;cmI(cdxd@XKl9zEf*F4iL+I#%<3I%L{KmGiBA3U?s-iK}e&E>y7c4-y4y#Mxtm!cbge)X-} mH`}EH=k^}UZaP<=JaQ`OKey5P#>M8Bo;|$&q2BX9+3;Vnh2Lrb literal 1917 zcmZ9M{ms{Zj z*Y<)UI?XobL#7*JDr^(Y*dAX(z_^S-2r}d)fdoMr*~m13u_a6~n=Im@_``njFZd+i z&nI8m)ED)M8fN~~_9l0Ep$X0Mz~a{yqR3j*wL-C&FE0>jqa;-pB0@Ri9i6PQRDsYSm@a~s4`GJ(GSStAcv{-Ic<-yqUiFa zFszevFL#v|M)JZa9MmWlm`54i?hOY-tRjIjN?i&J2XGqt^`R^yU>X%=ES7X*YTGzW zbC(Cq1l|TI3XX5knG%^Smv1^I(R6C5JZn1&Kd=lr8JEdq zhNpU^Y53Eeo2gVB184=xtb$aW2HjNG2A+Upc#UoeVA!vk9l@K+uvN3ld^&K)Jq8}r zWpZw02H_ws+>><~5Nc*$w818oXsE0NV%)`Dq(!8B#WqSKwJl2B)~MuU)k>*J#x`R? 
zv$!_}r?E;&L_Z{f`9SlSnahxaaWI@R1J-LMig|VIt8SrL!m8|oNApq2%$fr^^4e`I zAFKIlY0MFBl?o6ltSQ4FLLsGN*dzcGh)GWDPH&VF1SZP3OF~^{j?;&aEhJ(CHmpw~b+8|~q4$F28S#1I9u&@u8AuPy=+Qx|gy zT1XQ(u!}8aW?_@wxA_wSEFbOnTYc? zoz=#4|TBuMDql#tGcJU^SH!MroD(r zjY2b*O((QbjYe_}&tp1bPJ{%?%T!p_X;Pmw^tjQb;syx=gikxVty`*Ysv#!dKiPF*Sz88%hkJAf7II4GZ0?v3@MH~T0vBg&*6LJPVMN~64z`FgZ zAWRxg7fMAJtW0XS(Knr}hE+($V&Y*aInDXXgKr{2ksR?Iw@ z>9RFrnO>n6*-+YJuttVtZa(qsk)n9K$JJ@XHmgN$2DCJ+t)on_p~WQ)pAc?&B&z~b zC$sjvlWT^(ip%!Pc#9V5ZFXD&$r+EfiU}rie1*|X3kXG|(_zsuJyEf~FcUZqvr#N^ zhH7o#rEzGErRt|2;m!2~SX^9O=uQldE3ga`5`4a!2^=i(U>O-s8}L{Sg-*;@Tmz46 zK0tuw{p;U(;NbRs-Vgrv{Yy*R_PqHW<@qb`_G{~m*Eb)E2j^BFx@*lJ`_M<&_KT|z z>@^ZOp0ZhtQN`yJt}&uta|l&!t{p-X?bU%U9! zsT;=G<(2Hgb4NaOJ~^>XJ^S$K>n<1e?0vHJ#0%GL+#P(G3$IFMWS^xQ?%LniM7kR1i+k1X^an;*r-(Hx0=q}Tf z2d=DL_r^8j-Oqq8@7VYHjY~-G$G@&W&VKWWJH%V=Kf_k(TfemGmAH{GzXD`{?<@4EcSLGrJUZu-s5dvE`G?lWh8^6YIN?EmReZ}q81*BsE9h ze(di2?A3F7;}0HNvHBSTdH2T6=U-WRZ_TOmgV*+~d2Rm4##i?&tqJZ`MjK9U*mObr W(SO#zRsQ)~$KYP^SO=nh@ae z+Yfzze~hm?3`58VWybc({2;p3Ko4y}`$HacMhz#bu=7-nKC4Q*(GxByBADfc<-$O< z^uy_VJF#U5mJrzlIxW{Sb(8K=7Q1|}6caJL=zDx?*3?b)O&rw$xUryZNCLD_*3;9h*OoNVhf8tVz- zJFv&Ox$Z;RK#z<7U8&9=Lnbhk1j~|=JViOKV)WSP3&Do|TmUx8YQAcL>NM@WXkW9C z1J!bz@r!Due9*Ytm2vYT^GqDyM{bcrWP&b@z=c(22Ye2gRkls;k??#*X0D67^1+Ny z)=m)Nf{KIv3j}?k_!)ws&z1Y-8FSRC2Oz5Ha2!hI0dX@DuI7OUjNQSIod= z9rZa$aP{lGR?FYI+<$H~(`B4Cq@tad*jrj8c$T7dwXO6V%f zrIklM62ha%cGuM8a-+=7_Zw%Cbh&aj5^B$^LqVdV^LLh>FGB0DO*f}0z{DJ)%R-W5 zyw)L6A!%~KtSJOJZMQ1Bq|&F>zAUEVBZr^>%g-G`(n6wP#}06kQr` zQf|(3eKT@?LJ6%^A_P86eZ(>0=%j^P9V{FHk+bU5z$Krm8XoOJDW zn$R;{8AdG^X((y7{ZPjmc$7a)++m-ojl_Jn)2rN>pAnEr|CwxzhFREOrn77|| zehA_yiDNg)kj>Z~RFP{=wC7TpN-M{}En5BvD0~#LTpXEAdD+B$Xhk>FJU3&fk5!?a zG7T)u^j4is_kWN0cZl73V3{W;?9uBcc3v~*KSSev^v#7iNsphc4g*%x8-F`=M|3$gP3L$H#}$pj7tS^`wpXD9(Ly zF=b6@xu7k9D#s&I=zOMynXU;v@a!*tf9ajCy?uTCJK#61kH4a;KmGUDvzMN~;nBZ+ zi+yJN95H|S;it*B|M)%NooBy#@z4MK)O)Xf<8vSU?(xfidi8I=&tCcHt3P<*^Ur_u zo34BLuOEHpjemXNy%&Vn{_({h|KZoKeE+-ee(C-FFJ3&q_SR>A;ym_0d-M6rKl~39 CQ#TX< literal 1589 
zcmZ9KyUYCs0fvi<5`G{QJGjWVsT@9YzoAreKRHQGPLh+HBu=>}C->_)NgdR|K}9H) zA}&I~#YIIaj$##&VzF)x-CSIRE|tg zzWgwb`C}3zI1bYf$_+=A+k?a74WgnFQy&(Q6tvKBjkO^1qs7ueI{N6^8q-CttIY-m z|W=h>^1T8bI0WrQ&a9b^|wdBI~bJ{Ql59M&-R0CMXRuCc)&2~hS zW|2j?ax$2z<_sI+Dv^gcJ6)G5ABr*uru)s6uqA9Q%GH# zXSA$w0k!Y6q3gz|LhzhKyKP|A+A~i2V$L8=Q9J^3k$$EtwgoJ?Dw8utr zr*kXH9y8B{uNqOIhpm#%(5~tv5~PiV*0-3!SXj1!@NSWou|Ku)T@R-M+lEWe9!eKt z6)!V3X5sPidSxdz6&q@YG!z-;_o?z3g73{_W`Hw6u{^bs+SCwCVVSNd%1ZWp?dRWu z%gu<42MM|u(S>I)3nj_$>>Mldm|D8D9ld0?puK>_Q?>5E*tr2k>|ofqT`VasK~oy( zr0tE+pI2`Hdvc=Lx(P1m0^U92|7nm(lPBguMjc)*jj@cXxHPrZp6qN^q5ZaXxDIdF zqF5qY?7W$=ffXkLjcj0bD9jKms@CJ4TCl~waZX&fccnwp@OOHhZ0$Mi(~_?0PN;4` zKBOGhANaw6rdbzgGGS9H;zgD@`u%-l`)pIvn;QF7dC`e6Ob>>%U~N1_BFZoCHdI3&*~e#g@5iQIcTZWVV6$xbGYDfn_=ihu#^12JX( z5nH75?DOU<^h`F7aLJ0kLl1|XHB_ACQ@kRZ?cLlyKQkf0~%f^dU1 zv#bqePCV^T)RT%3yIhIvI9}wz#Tn&tXqP+DtbD-J3DsxFyg5;LC;)G3)-8d0w^*fH zXX>MD24Y%<_Hd`peGR3~yy#`uh!-8v1bS2X%M}%wvkY=DiTl+?YMRZik%2UO%|X%7Qq*AGfH7##&bf*Q%=e(Hl3fy` z?wCG}cZqQHQg6JSy*0eCIjzgs#IL?F;;J6YSczzAKpp{wUk40cEhUSniR?bI^T;KymsMuZzv(+ zW5Gm5ij&*|1+&Hr65$SrE`<;Ih2lP?nJZ5r1*=p9r8eu1cn2p>v5p;)UBJU?rM{4| zGC$L9n$M&n0FRH44?}Z3j5KXD{76KX;yyuwAT}%KF?F=Nolpc!Po;@S#8d)b{jRu|8c