From 4fda94b98495c054503d881c03f92beee181c549 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Patrick=20Gro=C3=9Fmann?= <patrickdgro@gmail.com>
Date: Sat, 16 Dec 2023 22:41:06 +0100
Subject: [PATCH] feat: acme/ddclient/nextcloud container

---
 flake.nix                                     |   3 +-
 hosts/testienix/fs.nix                        |   1 +
 .../secrets/generated/dhparams.pem.age        | Bin 0 -> 1331 bytes
 lib/containers.nix                            |  14 ++++-
 lib/test.nix                                  |   9 +++
 modules/config/home-manager.nix               |   1 +
 modules/config/impermanence/default.nix       |  40 +++++++++----
 modules/config/impermanence/users.nix         |   2 +
 modules/config/net.nix                        |   6 +-
 modules/config/users.nix                      |   1 +
 modules/services/acme.nix                     |  29 ++++++++++
 modules/services/ddclient.nix                 |  14 +++++
 modules/services/nextcloud.nix                |  54 +++++++++++++++++-
 modules/services/nginx.nix                    |   2 +
 nix/hosts.nix                                 |   1 -
 secrets/cloudflare/api_token.age              |  13 +++++
 secrets/secrets.nix.age                       | Bin 4204 -> 4262 bytes
 17 files changed, 169 insertions(+), 21 deletions(-)
 create mode 100644 hosts/testienix/secrets/generated/dhparams.pem.age
 create mode 100644 lib/test.nix
 create mode 100644 modules/services/acme.nix
 create mode 100644 modules/services/ddclient.nix
 create mode 100644 secrets/cloudflare/api_token.age

diff --git a/flake.nix b/flake.nix
index 1794d4c..485b432 100644
--- a/flake.nix
+++ b/flake.nix
@@ -122,11 +122,10 @@
       inherit
         (import ./nix/hosts.nix inputs)
         hosts
-        microvmConfigurations
         nixosConfigurations
         minimalConfigurations
         ;
-      nodes = self.nixosConfigurations // self.microvmConfigurations;
+      nodes = self.nixosConfigurations;
 
       inherit
         (lib.foldl' lib.recursiveUpdate {}
diff --git a/hosts/testienix/fs.nix b/hosts/testienix/fs.nix
index 5969322..e1f539c 100644
--- a/hosts/testienix/fs.nix
+++ b/hosts/testienix/fs.nix
@@ -115,6 +115,7 @@
   };
 
   fileSystems."/state".neededForBoot = true;
+  fileSystems."/persist".neededForBoot = true;
   fileSystems."/panzer/state".neededForBoot = true;
   fileSystems."/panzer/persist".neededForBoot = true;
   boot.initrd.luks.devices.enc-rpool.allowDiscards = true;
diff --git a/hosts/testienix/secrets/generated/dhparams.pem.age b/hosts/testienix/secrets/generated/dhparams.pem.age
new file mode 100644
index 0000000000000000000000000000000000000000..1e96e67f08932fd6aeaeee076e1b37eaf869cb0d
GIT binary patch
literal 1331
zcmZwA`B%~h008jvr6tR>tSp;K`m&Uv9D*{_jZ-cK6$DI7?k^yxz!%UwvsX(ywAQlL
zvQqP5tvu>Aon6+ZGjdb%%DI_V>PlB;`Lwmyk9%*Qf8Zlh$lx-q#Awr-lsavM&ZvmA
zAR+L0C?AEvAaPKlz^qBvb7UwLf`!r}aRv>5WsnVg7}r2j0#psnuBPJDc9ejCfEdI$
zyv%GcSgb^TB%W_cp$N#DWOEXpK~J?%tT-D^%_j0VV0L=)$3d^O!1X8$7Ru)&tGRe6
z9tn#{lhGyA9F-2RlhSlNrcp{HCreWp@+g*`Yyr_}DwF`H<ng!=xyr7Pr$h<lf>fNI
zWrp$7Y$O1%VTmL%n#}|BN-9B&RY?FfTJoPOouW|EKq%g#6=8`g89@z3M_Q9PQj5(V
zMIj@s7@Lf3)S*%p2(d;Ng&`vuAVe-s<;i(OCQJ`fvuy^k3?%SWIgye?Hp-;Mu>~TS
zR7XW|Ni;0te=ks(q|Oo30Ga|M$`N2TK1Hs?;eZ%~gdQmpB(OzNtul%Nq@qk52#AfA
z(xnoqnS-OzO*W%GNgNfOBju`+kR(7ajs);%0yTl5HlVp5FRsuCR~TiY92qoyXDp0m
zRnj2|NGXB?i!sPxI*S~Hz~OLcWCDytAanGB=tK>UATYBe3^ZAiZsBnhXeq^-AmdB$
zJU)S<x5YrTL!P2KfCBJCT3bt&=_)$=zn1uI2|m&l$ho&{O-9@Y;g62NA@>B>qTge3
zez`74nA$)oIn@G&S1+)0@3k-0PBt-PC-|3BDn<{P%?Xt!CKua2$A%S-o$Q??BVSgv
zEY**5re_PXtd6%KYM33JMPK2emP}_p+kj78&R#h?QqvH09rY@3aSv+nd5Jj>EMEYa
z@l%1l?~V*q+iwS)zjXJG=@MkZbnx~{Z{Hcl`nsiK@jac21~p%{p{kW}cU{@Os@Fw%
z;Mt)A=X%|$k)}eoJ==Z7`x6h(Z@c(sZg_st;3Wgrb*lMG;>DdARr?Ez?%bSQx9A;E
zpGfKZCrmZBr0~cM(gZq@!x0NTdr$~OpTpHyu*)#J_1yWnjNA<igyz8gH{5_9##?`u
zIPJtl;#D)W^E2u2c8_eV^Zv4ptls=D8nhip)4%ffdi@MdIrxrPrs8b*&da&_Lif^&
z;lRMgS9ue~ZH-CSYd^g2pRafR(J>nn;=bu=^Nzai2ZmdPd5^aqm;5%c(zN^A{Na!r
z;n#n67Ojn`%epz#jhOHO;ggh(<HN2gSMx#2$%m%co#DIK!YgfK_lcI^;^GStl^wad
zt1kU4bOif^+G(r{r-w4*g4fN?QLmLB_nVmUe%o?OSjl>J_>J!TgUQ>>l5JB)@A!Zd
zQ0VvQ7uCc@sP9?K#jeMh-Id%AutAnCX7tST_)lG#m)rAtYEoLC|7G%nMLcSEg(c=9
zeR{@s%-YK*rgBU7j(Sa1cpln}`Slk?*Yf(f#=VXTm;XbWaLfnwUKDiS7|`TgD1Gxh
z9q0ebQM`JvY~#eBVDic85?y)bT!w2@?Kgt04V8!S2ZVpa(ws-HM$;Y&OEYW63$nFb
z>&Ogw{)xlAamKSetjh-gTegoa&`SH7Tyg!i%%rx0H{~<L=(07`_D_A^kzO<&xRw<#
z>~;E+@kbg?@V4Do+`eRbdi5`rtZLoVeRO63x*oHZA4>k_bYI?9$U;q<kZiicZ0J#H
k95Qx6(9)sJO|knLLLKu3FBOaas^XjOtDbrsJ9cLJUy8a$X#fBK

literal 0
HcmV?d00001

diff --git a/lib/containers.nix b/lib/containers.nix
index e2ca235..c0046a3 100644
--- a/lib/containers.nix
+++ b/lib/containers.nix
@@ -1,18 +1,30 @@
-_inputs: _self: super: {
+inputs: _self: super: {
   lib =
     super.lib
     // {
       containers.mkConfig = name: config:
         super.lib.mkMerge [
           {
+            config = {
+              imports = [
+                ../modules/config/impermanence
+                ../modules/config/net.nix
+                ../modules/interface-naming.nix
+
+                inputs.impermanence.nixosModules.impermanence
+              ];
+            };
+
             bindMounts = {
               "state" = {
                 mountPoint = "/state";
                 hostPath = "/state/containers/${name}";
+                isReadOnly = false;
               };
               "persist" = {
                 mountPoint = "/persist";
                 hostPath = "/containers/${name}";
+                isReadOnly = false;
               };
             };
             zfs.mountpoint = super.lib.mkDefault "/containers/${name}";
diff --git a/lib/test.nix b/lib/test.nix
new file mode 100644
index 0000000..19d415e
--- /dev/null
+++ b/lib/test.nix
@@ -0,0 +1,9 @@
+{
+  config,
+  pkgs,
+  ...
+}: {
+  networking.hostName = "lololo";
+  programs.fuse.userAllowOther = true;
+  environment.systemPackages = [pkgs.hello];
+}
diff --git a/modules/config/home-manager.nix b/modules/config/home-manager.nix
index 210ec09..2f3988a 100644
--- a/modules/config/home-manager.nix
+++ b/modules/config/home-manager.nix
@@ -4,6 +4,7 @@
   pkgs,
   ...
 }: {
+  imports = [./impermanence/users.nix];
   home-manager = {
     useGlobalPkgs = true;
     useUserPackages = true;
diff --git a/modules/config/impermanence/default.nix b/modules/config/impermanence/default.nix
index 72bab29..1b31708 100644
--- a/modules/config/impermanence/default.nix
+++ b/modules/config/impermanence/default.nix
@@ -3,14 +3,16 @@
   lib,
   pkgs,
   ...
-}: {
-  imports = [./users.nix];
+}: let
+  onlyHost =
+    lib.mkIf (!config.boot.isContainer);
+in {
   # to allow all users to access hm managed persistent folders
   programs.fuse.userAllowOther = true;
   environment.persistence."/state" = {
     hideMounts = true;
 
-    files = [
+    files = onlyHost [
       "/etc/machine-id"
       "/etc/ssh/ssh_host_ed25519_key"
       "/etc/ssh/ssh_host_ed25519_key.pub"
@@ -25,20 +27,34 @@
           mode = "0777";
         }
       ]
+      ++ lib.lists.optionals config.security.acme.acceptTerms [
+        {
+          directory = "/var/lib/acme";
+          user = "acme";
+          group = "acme";
+          mode = "0755";
+        }
+      ]
       ++ lib.lists.optionals config.hardware.bluetooth.enable [
         "/var/lib/bluetooth"
       ];
   };
+  environment.persistence."/persist" = {
+    hideMounts = true;
+    directories = [];
+  };
 
   # After importing the rpool, rollback the root system to be empty.
-  boot.initrd.systemd.services.impermanence-root = {
-    wantedBy = ["initrd.target"];
-    after = ["zfs-import-rpool.service"];
-    before = ["sysroot.mount"];
-    unitConfig.DefaultDependencies = "no";
-    serviceConfig = {
-      Type = "oneshot";
-      ExecStart = "${pkgs.zfs}/bin/zfs rollback -r rpool/local/root@blank";
+  boot.initrd.systemd.services.impermanence-root =
+    onlyHost
+    {
+      wantedBy = ["initrd.target"];
+      after = ["zfs-import-rpool.service"];
+      before = ["sysroot.mount"];
+      unitConfig.DefaultDependencies = "no";
+      serviceConfig = {
+        Type = "oneshot";
+        ExecStart = "${pkgs.zfs}/bin/zfs rollback -r rpool/local/root@blank";
+      };
     };
-  };
 }
diff --git a/modules/config/impermanence/users.nix b/modules/config/impermanence/users.nix
index cfff0cc..8dbb34c 100644
--- a/modules/config/impermanence/users.nix
+++ b/modules/config/impermanence/users.nix
@@ -10,8 +10,10 @@
     attrNames
     mkOption
     types
+    hasAttr
     mkMerge
     isAttrs
+    mkIf
     ;
 in {
   # Expose a home manager module for each user that allows extending
diff --git a/modules/config/net.nix b/modules/config/net.nix
index b1dc952..4760ef7 100644
--- a/modules/config/net.nix
+++ b/modules/config/net.nix
@@ -6,11 +6,13 @@
   networking = {
     useNetworkd = true;
     dhcpcd.enable = false;
+    firewall.enable = true;
     # allow mdns port
     firewall.allowedUDPPorts = [5353];
-    renameInterfacesByMac =
+    renameInterfacesByMac = lib.mkIf (!config.boot.isContainer) (
       lib.mapAttrs (_: v: v.mac)
-      (config.secrets.secrets.local.networking.interfaces or {});
+      (config.secrets.secrets.local.networking.interfaces or {})
+    );
   };
   systemd.network = {
     enable = true;
diff --git a/modules/config/users.nix b/modules/config/users.nix
index b9e8181..d636936 100644
--- a/modules/config/users.nix
+++ b/modules/config/users.nix
@@ -18,6 +18,7 @@
     avahi = uidGid 209;
     fwupd-refresh = uidGid 210;
     podman = uidGid 211;
+    acme = uidGid 212;
     systemd-oom = uidGid 300;
     systemd-coredump = uidGid 301;
   };
diff --git a/modules/services/acme.nix b/modules/services/acme.nix
new file mode 100644
index 0000000..62e9adf
--- /dev/null
+++ b/modules/services/acme.nix
@@ -0,0 +1,29 @@
+{
+  config,
+  lib,
+  ...
+}: {
+  age.secrets.cloudflare_token_acme = {
+    rekeyFile = ../../secrets/cloudflare/api_token.age;
+    mode = "440";
+    group = "acme";
+  };
+  security.acme = {
+    acceptTerms = true;
+    defaults = {
+      email = config.secrets.secrets.global.devEmail;
+      dnsProvider = "cloudflare";
+      dnsPropagationCheck = true;
+      reloadServices = ["nginx"];
+      credentialFiles = {
+        "CF_DNS_API_TOKEN_FILE" = config.age.secrets.cloudflare_token_acme.path;
+        "CF_ZONE_API_TOKEN_FILE" = config.age.secrets.cloudflare_token_acme.path;
+      };
+    };
+  };
+  security.acme.certs = lib.flip lib.mapAttrs config.secrets.secrets.global.domains (_: value: {
+    domain = value;
+    extraDomainNames = ["*.${value}"];
+  });
+  users.groups.acme.members = ["nginx"];
+}
diff --git a/modules/services/ddclient.nix b/modules/services/ddclient.nix
new file mode 100644
index 0000000..f704d91
--- /dev/null
+++ b/modules/services/ddclient.nix
@@ -0,0 +1,14 @@
+{config, ...}: {
+  age.secrets.cloudflare_token_dns = {
+    rekeyFile = ../../secrets/cloudflare/api_token.age;
+    mode = "440";
+  };
+  services.ddclient = {
+    enable = true;
+    zone = config.secrets.secrets.global.domains.mail;
+    protocol = "Cloudflare";
+    username = "token";
+    passwordFile = config.age.secrets.cloudflare_token_dns.path;
+    domains = [config.secrets.secrets.global.domains.mail];
+  };
+}
diff --git a/modules/services/nextcloud.nix b/modules/services/nextcloud.nix
index fea27c3..db4a784 100644
--- a/modules/services/nextcloud.nix
+++ b/modules/services/nextcloud.nix
@@ -1,9 +1,27 @@
 {
   lib,
   stateVersion,
+  config,
   ...
-}: {
-  imports = [./containers.nix];
+}: let
+  hostName = "nc.${config.secrets.secrets.global.domains.mail}";
+in {
+  imports = [./containers.nix ./nginx.nix ./ddclient.nix ./acme.nix];
+  services.nginx = {
+    enable = true;
+    upstreams.nextcloud = {
+      servers."192.168.178.33:80" = {};
+      extraConfig = ''
+        zone nextcloud 64k ;
+        keepalive 5 ;
+      '';
+    };
+    virtualHosts.${hostName} = {
+      forceSSL = true;
+      useACMEHost = "mail";
+      locations."/".proxyPass = "http://nextcloud";
+    };
+  };
   containers.nextcloud = lib.containers.mkConfig "nextcloud" {
     autoStart = true;
     zfs = {
@@ -18,11 +36,41 @@
       pkgs,
       ...
     }: {
+      systemd.network.networks = {
+        "lan01" = {
+          address = ["192.168.178.33/24"];
+          gateway = ["192.168.178.1"];
+          matchConfig.Name = "mv-lan01*";
+          dns = ["192.168.178.2"];
+          networkConfig = {
+            IPv6PrivacyExtensions = "yes";
+            MulticastDNS = true;
+          };
+        };
+      };
       services.nextcloud = {
+        inherit hostName;
         enable = true;
         package = pkgs.nextcloud27;
-        hostName = "localhost";
+        configureRedis = true;
         config.adminpassFile = "${pkgs.writeText "adminpass" "test123"}"; # DON'T DO THIS IN PRODUCTION - the password file will be world-readable in the Nix Store!
+        extraApps = with config.services.nextcloud.package.packages.apps; {
+          inherit contacts calendar tasks;
+        };
+        extraAppsEnable = true;
+        extraOptions.enabledPreviewProviders = [
+          "OC\\Preview\\BMP"
+          "OC\\Preview\\GIF"
+          "OC\\Preview\\JPEG"
+          "OC\\Preview\\Krita"
+          "OC\\Preview\\MarkDown"
+          "OC\\Preview\\MP3"
+          "OC\\Preview\\OpenDocument"
+          "OC\\Preview\\PNG"
+          "OC\\Preview\\TXT"
+          "OC\\Preview\\XBitmap"
+          "OC\\Preview\\HEIC"
+        ];
       };
 
       system.stateVersion = stateVersion;
diff --git a/modules/services/nginx.nix b/modules/services/nginx.nix
index fc97783..6d03828 100644
--- a/modules/services/nginx.nix
+++ b/modules/services/nginx.nix
@@ -52,6 +52,8 @@ in {
       mode = "440";
       group = "nginx";
     };
+    security.acme.acceptTerms = true;
+    security.acme.defaults.email = config.secrets.secrets.global.devEmail;
 
     # Sensible defaults for nginx
     services.nginx = {
diff --git a/nix/hosts.nix b/nix/hosts.nix
index f446731..f069a7b 100644
--- a/nix/hosts.nix
+++ b/nix/hosts.nix
@@ -58,7 +58,6 @@ inputs: let
 in {
   inherit
     hosts
-    microvmConfigurations
     nixosConfigurations
     minimalConfigurations
     ;
diff --git a/secrets/cloudflare/api_token.age b/secrets/cloudflare/api_token.age
new file mode 100644
index 0000000..88ecbfb
--- /dev/null
+++ b/secrets/cloudflare/api_token.age
@@ -0,0 +1,13 @@
+age-encryption.org/v1
+-> X25519 j1vdwUZ+o5coMFAaOCyiS42rLq7FPX6xwuWmoHcN61U
+m1QEYj4NW5IdNsFh26Uhwe2Sg1ggkvTYB92S4B2lC8M
+-> piv-p256 XTQkUA AhjsxoVBz3h/1Sj+cwnT7gpcE6SDMhNOBMU9nP+gfC5G
+a7E3dolF4QaxTVpJBOKA314INK32eTdDykDyRT+/8XQ
+-> piv-p256 ZFgiIw Ah49xwjTzvroi4R90URbbE0yY15w+OvUsWZ2cQdYHs/w
+4i6XZ8lwOeWinlU1IiCgUBTSWMzxuPyvYKRbz6GqNUk
+-> piv-p256 ZFgiIw A49Cv751h0WJYL6qPceFVwjbGVpF668SGKVjHq/lQ4Rs
+AAGD0jOCHIOAIBk872SJwe2mCx69xn/1ZjiswebgU0w
+-> K("0$@8-grease z`/W }"_xiVH <~Bj._
+
+--- /NUrs98fD72LqCIYVOzrUhFNhxGivAEOZ9pob65I2fI
+8î:(#­–¥aô[8@BÊ4èÝ|ÍC7!³>Ù?¬Œ›`5á‰o‡Þr
õB´ˆ°y`óAIJ;)÷Å&“)@ÝÎB²¹Ï¡ñ´¾Q
\ No newline at end of file
diff --git a/secrets/secrets.nix.age b/secrets/secrets.nix.age
index b7d4eb4b59b5652946d24dcb1a10918c8630ea8c..31c01ea685b719bf16d451978c5507d316c08a7c 100644
GIT binary patch
delta 4235
zcmV;65OnYCAf_RZAb)d1WH(cBa5q?VG;DE6SutdGXmWW;IZIGxG)QeuSvXW-SxRj|
zZFE#dRSJ1Cb7e+raadYHIYw|fZBIf~YFB1CRb^piM>#@bMK&}}R5E&XcvD(+RSGRW
zAaH4REpRe5HXvA3QEOE}AVE1bS9E1&L^EhrV{J%zQ%z-7WJGjCc2i7vRC;b}ZBJ)+
zVRtZ1Lvb%`L2?Q=R#|R(advHEMRYV;aBO2lOJ+7#F-<Z}LU&qILUKk+S2%5IXKFTj
zFlUob0Tos@XnIs`acO2+Fi3PaaY<)4Yj<K!c}+`lVM<F=Oh{@lPi{zhFmP8@c5Mn}
zOLb#eZd6liaCb0cYH?IVD_B=aM^buYcX%{6b3s{7Mp;KwcWZ8AO_NRm7Jp}9b6QF@
zQCM(vVR%DEc{4&UaC1**acyO2FhXZ)W;9SXXKpxCb1_FsFbYO?bzxyhHBD7%Rx)TW
zLq$(VZb3(LPdQCTVOVckR6|-?YIS*aD^hKGRSGRWAXIEEXL4m>b7de+C^|SIDIi5x
zEDADJXlQjvG<8ivNoiwMcz;+)cVsm)VNGjFRCZQPa#vF;K?*G`Eg)`oZc8*PXfH)J
zdP*@&HF<D1d1gmXVpnf)crao)D``n}L`rOHHfuOccM77g>ZM4jz8FJ;+;onZ7C{ka
zwpcwF9?uvzjC!nz8eUr~`zlr53j~nYKv5gqvz(EV_R9J!u?WdrynhzMf_0@Gs7MK1
zK-q?NS>52|?k$h*0PMf^Z>o6)+k609gzFnIM@YiY<H1;JHBTFgOx;bi$Jm`1G<oxG
zBEfR7jawyEjyB+yAPw-@ge!z&HU!vB3^r8Zx}f`(z?Yu+xhZvbDFwFkw>J-Zu&qt*
zd?)5z%w`EVjd)4yTz_^xl%P&z7Y>243%I<3Jf@Qg<~0%0<_pPKW+{~4Tsd<cSQ_|Q
z|9Q$14m4+p@iCY#;_=r@3~WDH^@C(Pl7MK)(Dr6>T18hvm`VvUIBEsZ)T{dc-*))>
zc45p8A+`F*#EQhk|2Vl(#p!M^@ltT--eyR#pXmrII!XNwJAZGI_!5YO!6<0<%K610
zyN^^Xr0wc#9N-&Yw@gLS-+T?1-J3!r+V$?72-e{Mkw}2cNsl~;0&(tmq4h?Pxue+K
zP6-PaweeZai6U}Y_;?K5_vZF3ia+HZ^V6BvCoK${$47_JRUQ{UfTA+(KprZ)vldLO
zl3$bE`ZZvRLVqh8O(&fw&G4Fu9O2S#{#UakY};Y``*k0rcUj%_f2%OkbXD_14zicv
zdxRu@;@TlWC}lZAlqlwC(>5eP0LR_&m;<vV>J0^k?ceyIGS(v0;a>;TYGsK%Qtmeo
znj-1dZDp%CKd%6JOn#~+c8flPX9Un@WFhp3p9WvgjDN$Ly%|NsV#a=!7;u>5r^f+Z
zEP6u?0LqLg$^DeYg+U5m=}?b~gkKQ{X#!9hbL~W^#$Vr)yH8wZx`owdk^Y_cq!t}q
zKfY&!;<T{0m18wX{d+6)Zg7>_LOu=dOb|lZe9?#ljP!gMpuNjz1rvE|EYv*HG_sh;
zp!i8yEq@eq_H$rT3oU6J=&C(j5U0}~5^wGz3qO^o&k0Y9Bo8??(VE_4cp+yaAg`l5
zQ83O3i6fmg`+eJlOR5EZ)z@778|haNRu!|-G0k6$MLyo4^nmH|{VjMXeTT%ou~pev
z2~$H_s=D>!uJ@((RW7&tIq=zsG&ln2_PYX`$$!VvZYc#$O7Tvi>z)jW9&PV}(Vy=*
zE}{A=#stjMX(UkmKGJV{`gHtmYRJ|$1EO&KmJLZML3=*yx}`AB2QrVtR@cOTtVeoc
zd29%JAhD?-C4R)YGNDjfC~T`*qq|q=TyNjed#ZOp|KoQ7_{)Kfm>*-*DbM@bHklMT
zuYb;DT!>|-2i3gI1poKOW4e<6{x4QDXN5_sT2wpWKI1r*q4Q_=b>!fei0^xEX*i%7
z`Kjf)xEz4o>|t+aW6AEMOn4*6TE(dsD#X*I%d2>+>j0aGM1V;89R9d@ixJ*w058~t
zBrd7;=Dc5<wd+!p!;*<5E98{<z~gE4-G9Fyv>(h~fL2p+UYGaKh(6i4`4~%27OE}(
zDPq+CH1km1nB`kdtUAEO@45MS5F&LLR0h?yiJXEzMfo-o2w}R`59^3DKI{x$c=1E9
zhs-UT$I$kX&e!(+j{>{MnCH7+bR+{;-d>m@7#f^tn6Oyp5AsSh@dxk@lq|&A`+pc=
zGk!z%reFJW{g7(CQP`4o(a2JVw1FcGG;1A#oWo%A$|5w|>u@Aw7!?uUpf(m_m02ao
zSN$j_afQ^W3%-iSUl3L~F>&sa`GxTxEe5b+)%1vQFD#)vprPx(3erWe9wWWFr~Pbw
zvyPy`Z-V62dNeewxNQx_Ie)WXWq+3W#@wD2ebb9{FToH`r2er?|7rtS!~hjX78SVB
zif5%^2rHy(n)1ksbxM^3tZuZ#NztAA2!-?)g3?X?eD0r|9U9^Hf_KQztDfu1tNm1p
zW&<+@IFG0Qzu3(1o<G1NJ@e4V=2UdrnzCiZt|N6eIio!tN&f1H$qk%DiGPqR82Cos
z0?^L8PQ3HAG3m;}20R5SQ$lH_<%bD9`f|&<;RSxjS=Vi**t~;JRy9Vk#&7e7?rMvM
zsj&f8_&zftK9G`l^Cxe>-$^lonJE4xE*VP!NOKs5aXZfDPtANIRQ2V7;k67e7X-~E
zllRc*;g$=ORH&;P-rI)0Y=1QeglWPqGl?asaiQbW%~ThFkmdE34m~0UYCESCHtDi;
zu`kJ<Q6KCJRL#aoteM@@-iz$WP#sOs?Rl7NSDcs6*6gF8mijQq+2w|g2PSf7oQ~({
z>b$k#GpdKG(76jAopca|GutHbF&LPI8s@;twp(RhYr0ja?`h>dqJNfu5_GPU<owLk
zDHgZg^2;Rk;38oN?O|Np`4z7d<FXVV*M)PM3_VbL=1WLUXmWXhDWOoAK6*nta6)x^
z6SfH<b|kBoLwE0#`q_Y|9g9C^Wr>&BAHy@Fp;`Tg0<5(ypAQYJA0Vm79g<S4D@aEP
z(+hfXgR@@MP*W6RV}H8fTSH{+4U_Wb$kF?9%OBYgiO_RBV(vDW=efa-U=rs+L+v4U
z_1nHUB`TIM^Qxh|@H9zRl^R=>N?X-k6ZR3l0oUUJvrGmm&+g3XG`f67d6LMXPKDiS
z?9_`x*PC+%##J@vKqlX(x^SmasH6l;48S+2pomDN7z>*`>3@5Nbn<HGgnK|K#c8qf
z`2#~ec#xVd$#K+i&h4)&?;gn`?eelbTkR;~5Ii~5g=VBv7$GxIVcf{`#-J4OKJBS7
zU^Ep4W3Wn=-o<7Ckt>XIkIHVi250W|WRH*@`(P=I``Q;(X2PIWq)f9r$UL%7(~Hr(
zH4|QV(h|wq!+#@_zC6ZGIubk?(CHrTs@HY_wD@^k-De#+9Sal!f`Lh{T7LS3^PRx5
z5d$ag`29!8aCcF1F^q!P{kA_1@nnC1*>*acY$-GG(l^K8BLjBRqZ{@J=G=@3=5GQ5
z3<qF}<~X_2+X^yiz)L_-`u(~In0`oBTh1Qo&hAkGe}8RK`p8_Igvy#TzlN()@XT+x
zQ2<<8ph1|n{~7&oU-C!jZ8q|z_kfa(8tnF-kD>`T^(x+cz!M=9?WgM%8d=ytasr|M
z>+p0H)d*jdcAq*SFQ%PYG*U?g;4nb=&ETP8@pbP|ac>1Ec7w3S^%JF9%(01VK$(a0
z7R}KKzJJ3^4*szZFsSQY_Q{9f2R!p)PA@CX>ie8nyjB!e5M6xgikfuwXjm=Q7oC;n
z<D8v)(#wU(cl_gk1t7<e%>?BR7RkMf_y5iAj1W6S*!~XhQ_#}M_`N@Ra_RmCAfU;C
zPK$<wq)ufM_yG_Mv|^zjZkNoqk`=RELG{B}LVxy!&YbXZ2RJkJmy0ughhFN^1SP)Z
z7>BxsSL9_D4)hsmb82NZE7^>D4iVmYboc3=;#wHyj+PRy(BqE%`rR{+V2pOx&tA&`
zACmsVKu3u6zx-`6-RNr3QHaJ4yucI>Xq!luN@@@!tTrgnnkr63Wkn;+NUx#hL=$D}
z^M7xTTPa*^`7@y8KqtfLBwPjG3lF=>>B_aqo;`gG1-lUn!oYV>ZEShTuww^DE`jf{
z>g5;h&x%}Vp<<1KUx%`7^C-``QS9X6HX*^-?Hmjj*CPYr%SIXQ30vG)*K4$PZGL?T
zjY&rrGJjh*1``6tW~cRAIYnTo&y>77u7B~q3I3)MBk44LQk9DMhp}khOGoW30J_EO
zkZQ@J%DA3xw`@r>z7IEJTe^V<4_m*~&jF)5m{Qmrx=7^oUx_yrr&mpHdU#+_F6eEF
zoTyGN%m$y2i)x6s=FfFmq^)DfpOg=mWi9ZEuF$w}eR1e(`J<p#S05mAgi>k2+J7P)
zEl_@-CDF`+0QadRMl*EQHu-uxVk2?Rezt^-5Hr%ym1saFkP(Eq{@4MemMIwMBXP^v
zn5zP@IJsBMGX;|>vo|f{FNDhyz|$(cZQu&x7U~W)Z?{kuKSg><#-j1Y`84qIP#}Z*
zf2-l?0v6u}ZLiSFLsq5$qjh8p(tih$pZ#-k=?2W=^NQ<h;Tl9m<sM^w_v1UIg<ay(
zPwL5vNCDYEvCC;QCMFm;THR*VW(jS1&mjQhb)Bv7eIe=t5O3#0`7MyycSAAkYG^5+
zIUHf8pT!l1v@wZw=yrwWE4$5u6J|?`^d^Qby}Rd82Ps5V>{_c^_0Q6WvVYF8)fiUg
zR(QGA8<?Y8jumS!MGGWesN}4Js)tw?_SOec!k&>JBEqDfe_XFKG9a0qJtP(bLv5~e
z;;C#hNsk+dYUycI@Q7&80(VtEttVvI@=pyYko&>o#6>)WOZau3AWt<4US>LKEnca(
z6$QLMY@6cfgvqIgD}s78Ie!GlR8Wf}zv;3jrRW<)^;p^GwFNT_c-xQwB@>L9ab$o{
zb-pR`Wo-8iuea~%l*|oql2l!|EEb-lJ1nC|<-%-gcyd+~Hf@86Q2MnWe72|o>BA$7
z=BsIPn9Dv^hrv?nVJC^y9xF{vPPc~_Mf_J5u<{3y5RKwMei<S{@P7&G7{^?3852#F
zDSmIGASe|t{e2OI{Q=Z*8FQ?rXU!vR9giHpX-HrEm7eEnN6i8e0|m>2em)WzRoOjM
zKP^`CSe@b0QIbQTZ7K`Iyx`AP^JVb)N=en)rW@%$s0EBf&$nses})!>C~cVBKl->N
z<ui|l_VV7U7zMKOSby?EBG;|hMa-_!B(d|F!ykNY#!;%hO?so}$`Zd(@Gw8w053&6
z>F)vpwkuj+d7%VPRz7DYftqNdnMm6A5KU{xT1Sg?yJV|W!)aNfjX>S;%Z$@=0qq8E
zu6PzKXO{1$oYWmkIOkX$2fl^%sXxd|=RL5dTQwbB7iLOuj$oKHf1XHse*GcPLAmtF
z>pzgxKUKDKl{(oH#!5oQMjkR3@0@=C;$N?2Uh=}zz%g_RRsqOzODr^ql(i+{x^6~i
h7L(u`3|BWk#cj~{yr1~8!u}3Ug#FzIDx0Nt=TkWt_9*}W

delta 4176
zcmV-W5U=m1A?zTKAb(n9Lrr*1Z#8LUS4U?wQZ-9!V=rh|Hb`=4Wm!2=R&Q-XM^aEo
zS!!BCFba20cTQJfbYwO|G%#>Ta4|GAGD><zFfd3&Ls(czQ!8~@Q)_Kib4D{mK?*HC
zAaH4REpRe5HXvA3QEOE}AVDv0cr{B^Ok-|%bx&}3G;C%|Vnjh>MpZILby#wDI94=m
zL`Xt<O;|x;FlGu*D^OTwc1&eLQEF^7V{=qjWHDw#LRw@{MKnc7Wi~J~VRSfhV|Fri
zZ)cNF0Txw7a$+=eLrY<HD@{!^W-(b>NN!4FY*#gSGBQkVFh+QKQ+ar7RAFOIVG4IN
za%xmLO*LpuXD?ANMsi0^D|kd!bx2xPRaa(jFL!!1RYzw-b8%#MlTHB^e>Zk?MlxYm
zF-lB1ZC6D?Q7bcTL0Wn=X)kGQH%3fNRbzU2P(gTfQCeYn3OH&vLvBQRaXCz6XJKn>
zXmLs~HZ@3VFEKM|Y))o5P&hPKQFm-lMpP?N3N1b$V=ZTLWnpt=3R-4$ba`1>bw?{X
zX?8S8c4Tj2Q)@*zO?h}ue@=R2N;Ye2dQ?PeM@4dYYE4>fMM^YhLq}^yaY%7$b2V9c
zLuv|oM0Za^W<^j<QAc%4Y(jEwR#|IjF;-e}QDbX&b9V|YEiE8NHF9h>RB%*DL{CRW
zQgb+AP&i9fZCZ0fYB54`H!EsOZcunbb~0i&R80!~<{#fNS@?Mte+zXTvFq)K4@dsI
z!Rx*c7Gu0{C)2PpH;$q$V-LP|GjxlZSQ^OJ0he|_BPJ&%YJVnDQIyJc>l)0=?nKF>
z;>O+<YScxRq1C@_gijv#oD9HCP1JUxS|Lep8C4!wy$0A}x>d)AlTw9`-8rbBYNnRI
zli6UYPCvYe;MsV_e{t^1IV``h=h~nM;_zupie3CNLz=aC<IQk8OF-=Ne*~Nc)`2Tq
zl!Mtn!1nYVF8=%BH>OJF1QFajWx6B0+{BrQ8`yIPatwe-0Z`6%KCz10>?6Q1TV;=>
z|2iGn7?Rb*Oi6+Q9p%C!3a<GU>yK9s+k1YA&kgowH&tdAe<D!U#$wy-MS9{AT1@K{
z)r3#Bh4E+=j1Mwg3TwoE$;!{Fe?i}aEhQ(^3V!`wGiJAt0**#X(eGS9|NKhIa`-lJ
zPKX|g=acI#w(K9@sX$AZJ9Lir{7IRbF%jZ9fGAmrZ3roE#-o3kMq1)^(dqZR0C67A
z_bV3vn*>z5e{)0u#>iQ}z`-GYgswCz-ywQcL<HDFAvTiz{!znbMZ`WkboQ|)oIlS0
zzE!W~1ATHTdHlwDeC~moVaKlXZuiWqidzs>cuGZO^}>uIV)L5_1^76eztYm0!cuX{
zVFmQBe@$b(H}14_l8iboR7_ar7+T||0{gES_a+Gne=`au^m!1M<>76|JcEqh2lZut
z_0GG>V7;)d`XUy}1jF4bXJsfZ!_WN-uAQ~CG8DD^+h25IX_^Z{&eD$79k=x_!Vz3}
zHKZlVKTkfbO=7v%Kr&GV$x%wI$PiwD6zhrkW8mqW54jnoG?UG1&!lhaJC@*|o41}_
z+el<De;g&N<ZS`%y*%1oPRyv*VBI!%Ip;dX@;8DBKiTOtud&=y)=jgR5mzbT$!9`J
zh{GOxUQ0YC(sR{U*ob!8M!%ll*c=QPXN30_ZZi|B2=jf``400*A19|Sd8RNd7-<h`
z1*K_tL@Ps6d6P|5WRaMBw^60X4l)4NKYQ4Xe|6#dG#iNYnL1HIyfYpo2O4`Dkj?+z
zyL0gNpnf5e38G<?e@mb-j}yv&rev>4_;RYdlAYN}|BUBCOwblo31V|I1~N<O&|+AE
z6lTK4p7&DM0;hx>+4l4%C&R&qv8OCV;Ko&u{>>&T2HyrWn4H<-{g=WW1uaq`(G_ad
ze{5!JDpNgh4A%2uIj9DhkL=9%H&OJDWux{KpOmeA=CtajDPx`g2Z&0}tSM}m>aUw(
zILd8Glr+o)vor5*d+uEQ^z9xS8}ANQ4;_@YFBL<X2%Fp;g3IQ?x)Rm;DW+n=H)pCf
zM2MI59=Q2Em!+RQkZbz~jKh+KJP928f5`bJw0g9_?pLVTWuP(@DGwxrk`qs;*HlIR
zDvUp8h}A$6{mWD0zb%9e!($sk^z4LE2N&rz+66Qu)KtU_FTO>^^Rn%D@6MW171`Q6
z;-y{Jf*$-_rUeq3;7uIxpH}D&WG5hmrDFWw=#84y;t5=BPcHCkxm7c)y^lTve=~#`
za(3ZO3rbV-X1IFaR5n?N>*j5{ThfnMGqeyYij5x9zc*|!NMdMy^`}`iK1S*Xctug>
zFP5iYV8#IToEQt2?;GOh8>S}GRe6^{=Cp+4QH#CcRL%{ts{SZhaZ`$C*kGbzdxa{$
zfE1C2eCz`gE&{?GUx2Sff_r;Of1xMpfk#^3+clj)SsBYwOo6sT`4b^%n#&6(ehxe&
z7Ur+yO;9#q-XxOGJw$UH&7~j*C#Po&%Io4rS4c#cS$r;88X9M<cEF)<#@z+~vvcF6
z6wcn9z3A$IL^@h~UoGdPvJb?dU|6Ln+?7aCF%Od#&f09H3OxaBP&d|#e-<FMFcaAQ
zoDCh<^`F!xH1$iAQqa#<6=Gno8Ft_D*|exY{F!)Ce>|JL*c1Q@8^gk*@#2n%#RLj~
z=BG$zmld<HhxY?BO&+I(Dj3eN+%TgXHEgAa{x$@jbJBH_yr|)ybmaoA3#z;UUhZ7`
z4hHeyuWCJx1v3fLdsZSqe*h~Iban?r_rb$lg`v^;q1;HMdw0}K>eqL2B@#rP3NR`l
zeiz_t^3It~pEmFR&r`uUhJahN^P}&tR~lWOoY_$~A<VFk{&dGD>&q+@e-^^1S$jYz
z?okA|m@c)^fZ@8vT55UE^YIZ>c=4Iig+ozypv5n$1yqrWZ(y;Tf8{t-idfw<3cd@<
z2o^0Dczt2n)&$e;Z=~|Kp~^`uQ7%l$d;;4OR*gmG6?q>S{{24;Ge#M)VM%+nV{Rj%
zXvqfHuyEzGC%b4r7;5~%CJg$w?Y=VQ_V)b1XLDh<g0?9@8b{9Y%#teDF^KmjXRoed
zi)Q)#s^KrL%T~vte|HoorQNQ2!~M`tFU*Z&EK5KwHx0nS!N}6SNW1U5KvX#_udqY$
zLN5P5sjj5ruQ)ek!khX*wUNq2+7BHu`Dy$trS1)?ykPmG|0jjHC|w+fcyt=>B83Vx
zt*>9TlhkkIkE!H+Zq47#NR(R--S~T?Frr5eM)B2$th!UgfAw&R<U))3MY9m3Mi_0<
z58=BFf*$INr!byp{;)awJ2tg&yWx`=A2x4LRVQuWiw4g+bC&cN2#A62JP)Uma|bIN
z@h_mR$VN2q*uJ3k%?B&FnzjegiwWc6oV|Hv45=ast}3Q;@L>csym7|oU1_z}=)fau
z1eRw27*+*kfANzN+F-N!&D**pZ#WX~+~@@E&ZrWbL1_e0Ti_RVLc@*uwb16jx|p*(
zAyP>y@o`M1Te?)u-yRd^N!ibQqz@=53qLnUgXQOxDP+W0T_`35@DeW7tPVZ9Yg3AH
z9wcE#)cEruxa6s7ri}1q@M{hWsKlRE>*8Pekk)$2e@npx<{ZrRRj(h_ImDM?$3GGH
zK<)HII#mLOc@N~%c{a@?!*DC5ft0*+eFS3ed{-3ib41NLf2z1RoN|dipR12slc*~U
zj!yPT28pQB<Q#UTOS6>Dz`a*uH>40F<Gv#-yKV2uj?V%Ih4Z+~Gd!R4W$E}-i95-)
zCd2X@e~6a%iW*^Cv1!c>fHOaE4`;EV>4v0?d%r!3CQAW^a79kBS-hatlwD_PIX;Za
zuc_7ELJ}F93|wB-GCEicx}MBD){ix|HTO8qi##MukJ$A}IP(m40Ho2RZ@IzFIS;85
z`*d@$Sq|_GJBqG*Q3=9i0&tdlbj1H$5h%MKe>ckMN9o7sWx_@br~?QdxIeho4(9j_
zlWpsvUO_Dz$L@J3K?-ZN-Dvuspg2TO)2&wl+^9B#Nyk)}qoT*Oo%S%fIG_R7f*tiF
zlfx(9UutTrch{Yv-i?j?$&-01mN-p1D#c&;aPNI-feoEREi4@y**z_YThF~JmUCH$
zf7tJ!(dPsgzMz*x-@Md+BWy|Osj9ZM8`K?^B~(UU)WPl9AW{j}T&YPjJXaj_$?xX1
zBc@Vj32s~LgMXpP);FnDfv(YGN)lv<*Xy%9qG19r^KSHe;9QpM?z)_jJx>k|>Z}is
z^A_@FY4~nUTxz8J1)v)9gT|YeGuEKZe=OCIL0C>aWG!l5y&El$Bd1<|F}ZAM)!kto
zf?LPZMoeZhERcz4@HSYC^fK;{PN&OWq%qK0zB^DX?-#h-`a-%JF~raUekCS{0rTxY
zfv1D|$E)+ebStSUfQcH}br^AAI0u_&%PaO5kICSI8?QkQq8MI+eupmcsLL$je|XLF
zVMCDmu*7Xpe~%R>p(6ukSsNYCO$QA(SMY16;r6P=d-&z}oX)=PTL5+;4sD=#k0=s+
zPI;3sZrn?&zF2qH7i=^gd$0Ldjx1gyUsplm`a~ITjeC}LC7*jMZ;CBoL6>B}CirUT
zGhJ!lN>PWBVTPuY-9e}KtkomNe}rh`g|r?rdaZAiTmy`g3N;a2ss0NiSwJ;`_oX6Y
z4MN40nuquv7g86(V7j)zLm8S{q6#Jr%JN;Hzji-hfnyqCG@cLaDP!GbMjl$><M`F8
zmNZ?+_BHJ+ntwPmABM1UMKj4LnR|SpJ^ir6j4i1rO8O>0q(V6BH$Ho8e{C?PBP?^|
zv+l=>>T$i3(5{{}xwOf}*GxJf#FT_g8N=CRnDe!&8re%M(hEBuURjNvAyGb?`mA)%
zh-`^~Diz<7ellzrTp@<cT2M;VhZ0KyJ)xtm;OoerLK;VZp^xCmG-I6+{|E+m)1tDU
zZI(3~XaC1I48j)bRC79~e?l%0D-1{~oZDa}y5V6|_$*{dTCT1{niKiLdWbv59F^{>
zAQ4JwRMjW{^1BzBPIgc%>W<pSx9+Jkb!#hXh28a%8c~G9lzcA9uI<48l0cF-XuzIy
z%W_(ul_eP4j;mRyu~$2I3%f`(z_+k?kR%X$B_~Ap2l|<U_FG$ce`nr@j#*dPRWcn{
zV9H2n8$qp!imB^q=EA|Dp~{ET)fCdO;$?d%^e0_&(b>?6aNWMxTC+n^7;I5d<8I0Q
zn`%HpGacE4FK)b3>jXQ1Z(eSwQ(#N;vm?S{A=s1~a~0a@fw-cWg#o~&H0i*A1WGHJ
zNB1d8f11?p7K<!Ue;C{xHVdbJ4SU8L%lee1*9~z6I{onz9`8*54OaW3Eqz_xH}VcY
zln^@?yPt=g_#64?5u0k*k>m=s&luFG1$5cqAV5_%d+*MaQ9W41d5i=lhJ3AP*d;Sr
zP=kb-?1g>%rF?XtCD2x}+gHAFv+LjA4oqV99kdlFgIwi5Cf#>pMd)&9lFZN*-=V@Y
a2XFz0n&($kYWDg<(7;#|K{@gp8OLeuZn;MQ