From 50c3646e5b1049f411250a0873ab9c1c8d7ed4bb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Patrick=20Gro=C3=9Fmann?= <patrickdgro@gmail.com>
Date: Fri, 12 Jan 2024 17:16:37 +0100
Subject: [PATCH] feat: vaultwarden config

---
 hosts/elisabeth/guests.nix                    |  21 +++++++
 .../secrets/nextcloud/option.json.age         | Bin 0 -> 1032 bytes
 .../secrets/vaultwarden/vaultwarden-env.age   | Bin 0 -> 952 bytes
 modules/config/users.nix                      |   1 +
 modules/services/vaultwarden.nix              |  55 ++++++++++++++++++
 secrets/secrets.nix.age                       | Bin 4635 -> 4662 bytes
 6 files changed, 77 insertions(+)
 create mode 100644 hosts/elisabeth/secrets/nextcloud/option.json.age
 create mode 100644 hosts/elisabeth/secrets/vaultwarden/vaultwarden-env.age
 create mode 100644 modules/services/vaultwarden.nix

diff --git a/hosts/elisabeth/guests.nix b/hosts/elisabeth/guests.nix
index febc144..4ed3527 100644
--- a/hosts/elisabeth/guests.nix
+++ b/hosts/elisabeth/guests.nix
@@ -10,11 +10,31 @@
   adguardhomedomain = "adguardhome.${config.secrets.secrets.global.domains.web}";
   nextclouddomain = "nc.${config.secrets.secrets.global.domains.web}";
   giteadomain = "git.${config.secrets.secrets.global.domains.web}";
+  vaultwardendomain = "pw.${config.secrets.secrets.global.domains.web}";
   ipOf = hostName: lib.net.cidr.host config.secrets.secrets.global.net.ips."${config.guests.${hostName}.nodeName}" config.secrets.secrets.global.net.privateSubnet;
 in {
   services.nginx = {
     enable = true;
     recommendedSetup = true;
+    upstreams.vaultwarden = {
+      servers."${ipOf "vaultwarden"}:3000" = {};
+
+      extraConfig = ''
+        zone vaultwarden 64k ;
+        keepalive 5 ;
+      '';
+    };
+    virtualHosts.${vaultwardendomain} = {
+      forceSSL = true;
+      useACMEHost = "web";
+      locations."/" = {
+        proxyPass = "http://vaultwarden";
+        proxyWebsockets = true;
+      };
+      extraConfig = ''
+        client_max_body_size 1G ;
+      '';
+    };
     upstreams.gitea = {
       servers."${ipOf "gitea"}:3000" = {};
 
@@ -141,6 +161,7 @@ in {
   in
     {}
     // mkContainer "adguardhome" {}
+    // mkContainer "vaultwarden" {}
     // mkContainer "nextcloud" {
       enablePanzer = true;
     }
diff --git a/hosts/elisabeth/secrets/nextcloud/option.json.age b/hosts/elisabeth/secrets/nextcloud/option.json.age
new file mode 100644
index 0000000000000000000000000000000000000000..18de8987075e6749aef66ffefcaec1df4289eb25
GIT binary patch
literal 1032
zcmY+=du$U00LO79W9f=G4H=@#LKP>0(On;Ry=yY3*T=1E*Y?_8d)J#WTf4jKwRdgr
zvFjrXE)X*v2|8gw44MtXHZ~+;LWmI(XEFsNt3gagSWLi;P0;|NAq*5BiGS?>U-HTC
z+s!dXCYzK?d6my)n{zS;XlA{!)j(Mw$ZR(dnE>aHwj%)^Oeoe|6A}s8v8;ul5v-RC
zLTr*V#~oe|uZfDDAcJv)L<=&Nq8Zjr**eTcE{Z8}QZb3BUnvDO!a{I4jr0F2<ay1Q
zw?H-nMT9a@)PUOQfWuxCIZK2CB0faHWNV7C1`?!;(O>|Cdr%ey6G;iiGWxvg@QYCz
z64MaTZdUwWI%3wE%zPVy3E@zgw+MOJmKGBcj$38X7{|9445&2=Yk=gTq#PNB-3XF5
zQ8pWx;E@zi&SqjL<7Fu)uS6Y0PR}wp%XMI`2!je?j22)|z|N&qu+&C}@>#?NNG_KP
z4hV82zRH3$5m!S7RPCj#qEE0m?PWYmxM>GzPOt<>m0~1cC=xst=l~K>l2$XKUPaY7
zTZ+&?N{OS1oF@*5xDY1YaBtA$^P=980Q#*+hP9&LD(nAWO-hku<g!Fl3SbSFN_K$9
zT>(Z5LoSO45GAL{&B-Fr6GULWV9Ki<k~6HD7{Clu=|o(`6d(){qKU!_)?NmTCfFhc
zc%lCq#xpNkokmV(x)nz6wx?}KPy$GYS7t(Tu1Nu<0LT6_G#U*yffdOD3r9Uphcl$a
z7|LZXQ8}PZF3R3ukC2pMAJ&Z`zLKK9xb5__i~Qm7hu3EgJ-nX*UY)GEF<$9AI&kU4
zR}0~pmLK^CN6vrwJ=j_QQ*ZP2CEbC?2hKE)-VtivTE=(%?wuLAJ96GxwZnfc{6=N>
z+=tIRlICLd(_LI><;Ke^<CB;7ZXeru=)i)Nnko!m=$gf=vdx#V(`&}|HJtll!1B^>
zQ?Gx}zmC#L_?G=AZk>$2w!OCQ>+yGly3WNlSD8OXmmYJ$6KmJfP4vWl&wTNA*RrYl
z-o3+b?(D!jVX$sb^zNxaW}$O4z9SZ$b@es64i2{rrY}6zR=wDI?O1*J=DF{df{iuF
zE1K`G@ppwQy4vLJ+Bu3Gsu@{P<*i-s!MX|g6W!-$2md^!9%;oVrgvA4-`u=!VCa>-
zw~#$gJpBkCtNAn|w7d^|Rv#;F`*nT)Y}?VsgX_PTP6vla_<ql~8!tXLI+fZ2ty_9>
zvB7?Jd1D1gzkRas^N_t>+|YMtruw7f&l@Gt`=DV{MfZ)cY5%2<cPVEke|e!?M#*FI
KSLZ7pQ2QI-+>QzW

literal 0
HcmV?d00001

diff --git a/hosts/elisabeth/secrets/vaultwarden/vaultwarden-env.age b/hosts/elisabeth/secrets/vaultwarden/vaultwarden-env.age
new file mode 100644
index 0000000000000000000000000000000000000000..1ee2049a5d09380f1558245962da699e516b1293
GIT binary patch
literal 952
zcmY+<>uVbY00407aIjD+xDP6d1d0rrW$7ikJP?PM+$Fioy>iJVcd<T_%jI(EJ#vrS
zr8h*SIAQ8w!_El$p~Y>u7kjx)3&Ly%Y7ytam5GJ1Y+99y=s<+k%0Bp^f5DGmO%j8m
zCYVzlTh_H*x+#Smz!%)@=fWTeB>kO=KqhfKZ-J3?R8R1E5HuOQTf{0fN3})RvXQzb
zqNz!b@OgMx?J;#0uEq0Qp0B2@Jg&y=aE)xC9E&4xCF#Y`@kGvH?+YE-33kF@%+Hky
zlPu(iRHB#ZRmvcxla-=tSID>!ld&lTvY?zH%1xY!V0c#px<=g>B^bDstB@HTZ<7tV
z%5fZA29mh|ZZrz6XVNT+G;_sl7`8T9)r=&gt{)0x3Bw44r6l3tQIU|bu8Jljd@7Vg
z@?AHd(i=SFMj9f;WPEP5Vr4S1Ou0@m)t;W?5uUajl~r4W0%WT;7*Qk_qB*?cZn8i}
zrR{<r8pjPU+>B_H=87^!FgaEXWP357CTpA`Wk{#Wks&xFpklyR>^j1@<*Ly}(S}Pc
z6AnO@qIzm61{J6Xo2GbKF2GpB#E4DS|1UF3tJQK50;*a=F9*bUtF1zkIL<Lmqa#FM
zCebW4bT#TAQC~0Vrdgw4Cy+Qz^#CbVcg(OB<MBkVC3HB~f}wmwh^lQzzi(mkj%+(9
znPSZn{lW`7z0O33^BHYn94><pPPd^V;NS!dVuIqe+`3&tC0{TY^rxq~44vXbUMkVD
z=t6-@H!HFscX?hZPikO^H3dd-bjgVcJ|r}lKW-m>>Bi*|0sZ<FavA+6HT3xf@iXA%
zE7-`*(0ip9PkA#N`{3NMUxv>wEIu4hY+a9jl{~ulX8NG^=R-S}79TJ#pi9@@ebsyC
z^^IS(XZNG?=a<i{>^emJE>8QeCZ@OXcZ=tw-iOzp`=Ed8`%BHmpU-~x;QEh!{e5b7
zFnt3bdS-NH_!^1MJ-vE+ZGCQJX)7}P(?#JC;Nv@pl2w%_4$j_+jLMnQ<=^6i;LM?g
zx4zsC{Iz4>-L*g7?mxeWUyF`TdvEOhA$ECX;_;^*JNv14di&8mCx=cd=a#Fpr;fe$
z1#{-afw4zV0LQ=G*4@~$I^#S!_V<;GM+Pg0hm<?l2U~U@s88I!r^#>j=U2YD`mg3*
VB9E+o)Kd13EqucE3*5c%+<!)6Z)^Yn

literal 0
HcmV?d00001

diff --git a/modules/config/users.nix b/modules/config/users.nix
index 44af1ce..772af05 100644
--- a/modules/config/users.nix
+++ b/modules/config/users.nix
@@ -22,6 +22,7 @@
     redis-nextcloud = uidGid 214;
     radicale = uidGid 215;
     gitea = uidGid 215;
+    vaultwarden = uidGid 215;
     systemd-oom = uidGid 300;
     systemd-coredump = uidGid 301;
     patrick = uidGid 1000;
diff --git a/modules/services/vaultwarden.nix b/modules/services/vaultwarden.nix
new file mode 100644
index 0000000..aa99fc7
--- /dev/null
+++ b/modules/services/vaultwarden.nix
@@ -0,0 +1,55 @@
+{
+  config,
+  lib,
+  ...
+}: let
+  vaultwardenDomain = "pw.${config.secrets.secrets.global.domains.web}";
+in {
+  age.secrets.vaultwarden-env = {
+    rekeyFile = config.node.secretsDir + "/vaultwarden-env.age";
+    mode = "440";
+    group = "vaultwarden";
+  };
+
+  environment.persistence."/persist".directories = [
+    {
+      directory = "/var/lib/vaultwarden";
+      user = "vaultwarden";
+      group = "vaultwarden";
+      mode = "0700";
+    }
+  ];
+
+  services.vaultwarden = {
+    enable = true;
+    dbBackend = "sqlite";
+    config = {
+      dataFolder = lib.mkForce "/var/lib/vaultwarden";
+      extendedLogging = true;
+      useSyslog = true;
+      webVaultEnabled = true;
+
+      rocketAddress = "0.0.0.0";
+      rocketPort = 3000;
+
+      signupsAllowed = false;
+      passwordIterations = 1000000;
+      invitationsAllowed = true;
+      invitationOrgName = "Vaultwarden";
+      domain = "https://${vaultwardenDomain}";
+
+      smtpEmbedImages = true;
+      smtpSecurity = "force_tls";
+      smtpPort = 465;
+    };
+    #backupDir = "/data/backup";
+    environmentFile = config.age.secrets.vaultwarden-env.path;
+  };
+
+  # Replace uses of old name
+  systemd.services.backup-vaultwarden.environment.DATA_FOLDER = lib.mkForce "/var/lib/vaultwarden";
+  systemd.services.vaultwarden.serviceConfig = {
+    StateDirectory = lib.mkForce "vaultwarden";
+    RestartSec = "600"; # Retry every 10 minutes
+  };
+}
diff --git a/secrets/secrets.nix.age b/secrets/secrets.nix.age
index 36fc00b21dfda744ddeb2307b439930d6cbbc2fa..f80f0ac0deef5accc9c99300475b56fb9cd4e534 100644
GIT binary patch
delta 4656
zcmV-063^|MB(@}wAb&VlV`)NiGgCN6cV|~QGe$#YQA28YXiaP@R9bX*VKQqoPH=Bb
zRabXYO$t#)T4*auQAA95Q)F~6T3S>zXli9KLq~dgM=yC;GdFg4IAUXUcW*^;X9_Jo
zAaH4REpRe5HXvA3QEOE}AVG0ecR^JzIcs%dacEXBc{oi*Mt@~TR!eJlSX4<)O-^b!
zWm9TeZERIxVpIxhH)KU+Vr)llVRkEQN=+|kdPQq+b2MvjcUp0IV@g$XZf;^qIa6n7
zW?2d?J|J*ub}eu+H8vnxMrUbBcOXG}aA+}2PFGEKF*i_dF=tm<OhrXncxZQFD@8bW
zHA!w}ac6l(STS}~MlwMPZDeL-F=8)dOlxa4D{d=RPc$${MNVu{Zbfx;Q9@^TFi~?#
zQ&m?sXl`?pPXQHwYjAXHc`|ozY;|c`RY^=nH%v8CWlB*iSyobJD|JUOa%)9Mbu(^8
zH&Sj2a!xB*RXIm)c6e)5SXVYgVRS@hMN?!mM>u0*Sw&AdXgO^wQ)E?fP(eWoEj}P{
zX?87eGBq|JT1IDSNp~PYY)x%-RWN2uM=*GJL1u7aWJXJWQdMwSdTUW}X-6wjVM%B+
zN_A;vX=QS53OIC9O>$a6X+ttkWL0D^bYn(NW@J`EbxT2FYEL*$MP@d3MN~B~F*#vT
z3N1b$GdnY3SVwd^EoX9NVRK~)Pj^meO-W2uV{BAGNN!3nP<T{PFJf19NK|7qbYp09
zSTAF6T5(i=W@k%zYeG;%ZedzYOlNU(YgkcpFi~MKcM5uBHFHU8RZL5AWOH|S3N0-y
zAbN9WaZPb`b7^`wdSy~)D^5gOb7?eFSxIAZP<3Z;F=#?{Z8d9GD^F5y3KbStS%|#n
zFbYUCi7?uD+HWd*>)>YL(2hrV-+gnXZ!_@?fdr#}0+jc&;Bxogj<<DFp+?9v9={I7
ztLhlDnWzQ?>BmfOg2R4nU1=5sfB?JasQFg&+9t^qh61s_k3L%v(Wd5t?AXt?;pjKh
zyfAH{JF5MKxWY)1{CwrhVl>kxG9dDN{im8IIXT@PW1?yqD`#Z^<KzX4I$x~H0Zban
z_ZmBYKouUPZZtp}*x8yXMTkuWa6AKs$n)9xsOZO5Y7p4fL@$W=E_(i<5-R>!5M2u=
zz_5fhhW3w4vG(B&6`Ivf+X+4Cz^Y<kjIS0$MJIY|)8ufZIMg<;D$_D2sk<k@$NpS&
zn+D_)-4Ly0DVX7&Ch4kftNt(vcHS#I<iz%Wo6keTX8e@=N@3AhI<6x$y2kgVfwk?D
zNPGowgfG5>5?%x@$mq6x=4mz<!oiTPyKL&(bP(*Kw6flfZx;cU7n1PEsb@$#rKAnb
zgiaWj<pyA8JnR<RJIm}m{qSifn{GCJxMI~DOuXM|YA}WX)r$0IaN;8!>VP~ioR`#p
zH}zXrYpSO%I^|9OJZ-Y&o%YK%SC+^^x@T{^^>jPiDk6|FC8Jc+6FW3PsyrpNcqEO5
z+|!RkHlWILXE+mMcwd=M@UA(XUS9MPfaQ5KrL|BcN;p^R5M?E5cT+b9!k{%`$)~$2
zC^r<+mH>ucK$&7_ZE+LrP*oe-R)TSVy=UsUgOS`Kor*qJf0sP=41$yzF>4#Y28*Zx
z!kHlexA)h@N$oBrDc|{?b{2R}ifR0IE}oDbwkOPj1E7@@I{6WnPyK@GQfZ4Mf<UhA
z%}5d&@jlNZ3eIsa82xX~=v?4YwxbmqW4DKApp-<oZx0hcUrOE9z#F}*g)<O;qst97
zQ@=59c58B=CIslTe$P7^H+m-h>0*Hc?jt25|2peP2}yQFr~+>GE%bqx0|Gd+v5SYl
z>ekqNEI5S$Yv+xd<Fp6*%t?;jm8Jc^EPtQao|#;uE(w9qf2&u7>0v05yx+J;p!}Aq
z$8BjGvtPz(0jgOn(71YaLZ&T$QH0PMy;E&4QVpgHA@+`DdFz5n?6%;80I;H~7CH=D
zoujXEl_~WxkBXH*^Qz(rpJ|YLf^-O;*_REXI-p)VzuMwH!t%&(Ce{wY&PGk{0=j&M
zLW1x^fz?EJqN8ba#eUJ>{<X@PU+UybjY2~X0Epn5aANM$-wiwfJKs}(@wQ#n`<U4n
zaX%eXj-Fn4=nDiXhx8zH!N4vFK5=^eAg;PFL8&?>7KH_=o7z_wtbpz|?S+hG%<YS`
z-Kd%STu<Tg1<zp6z++8GN!DBuA#g}(xO*Rlj-bk~TK!yWpZKN=9@t!cC~Z(4+=?6I
zFqFETntZuv{cJUGC)AjKj-}oEi9*5OlnydJ>B$CM!?Hq}^fvCmVf$f!KLCEjL(gg&
zUPqemcXKD&yHWg{hxl?ATbMf^_#QrV`F~J6(Ypg5Y9l&UwRsP0Dw($qq}AlHfc{|_
z+vej;H+DMZ_V(~BcVnhiH%p@MN|64~iQu~!Qzo+`rD?$uZvbC^0RUr{;Lm)Wsq`cQ
zn&OMO;lY}L2sd~o&?YO`g26(6+J3gz7xXM-vECnhDj)e_%?h(33?4NKDnJ1DG>jXZ
z!8@kRRpjwJ<*za@D;Q0RPvq?Z+h+7rShAn-{A+_!97_F`0$C8)I-qSB)AB)i5qsZ`
zuhWbE3xdv7n0FU{rdQiDRTo<%pU&2Sfsj1=w0I1$(5B2}&fGrFrgh7QXxH!xcTFdL
z0ue4)p~^~OKr$<vvdDtEW;3V-DJ0w%)<V2GvX-ij%ytCX1K1!iP7KkEB6)=)sjx$U
z{`i-12GsB}?=Erm$TZb67tKEic^(7?D&BtYdV~rzzy!sABbBZWKqAtGZRY4k6yC3c
zHS!J;Lk||k^AH*69-9dS!*=zs%#SUJggdb7!bQ{&g1bZwQXdM1W?GpG<NJy!e<GN%
zP8zeL|4C_os03Ro#_PZeJT;8!Y!2np@$2-&Xh>I32h`JLJAmO5bKXf<Sh|N6S85!)
zkQqC`&d*kVJSnWbR2e0B!%MIAXukW$wDfv-tW{KlnRe^eXT1PMxGigGPnMp~-8M(0
zA8I4*tS*C?!(UCU_aRGW{yIa$m<U&vLBGpm?r}g`nAueuaV7w2+b`~$96cpt7>YO%
zXP`A>kE>-@ZOSt`B2SYO{tu#3sUFRP3<3cp8^mLOAvh>qmP%5ha^=$25}sh0;$M6k
zkp=AK;eD0m2Pm}mA}gV?tTH4&X(wg>{y<%CaxnbBLTX4*mN4M>pDQxr!vhUQ;*HNA
z)?iJlZ(ol_D!x@R61}<I+cCHkt2}O-$BmF8E~d;2+R#`+mrDghdxl<XQ*jWx9Q=>=
zJL}4Sauk5YjVi$s{0NB~K2}6MOdh6rLFI+|W|UghHO8-tK<2ky5jY@+pv~+I_q^hs
z&7!plEpMHe6v)O|+hPVgUi|V^(&qA%uAw9SB-yG&h&)OFKK2x#J)&+X3mpmNxiN=p
z|CbN&7Rw-*M1<E;`bO7mG57+cFX-A7;FOJje`n>T?R_T*U~ege*T(-9+L}*<eKufn
ze?RE#MDVxQMTfyDJ<vUUpe({g`4I#c=Qm7o7*$G~jOsL{&RFE9LWZ<%SN<3)D<k0b
zSwan}5d5wI9!TVx5-F$SOer)jRV??zlP;-N?%1R8#rY)Hj?5(LWc<HpQ>^-f%;D63
zoJ{?Nd)&%^I{nl<+cE{r=^-@v%^qzADA@sk&6s}%xX!<Lo~mOZDqx8*=PyfzR4Dg*
zBErYps03j9)#IJy@#H3Y@=9-r)`103KEOh08H6mjhM8%zu#~;6_4ZLLVp|$Br(8>E
z7e&k|wKr>rteR1+=hxmG@@qX%;b?$=wMKBeL{k&a@x5^Bex$=u0=bMU{yb@hq7GC_
z`-X5%Xj^V5^^#R$OmR1|<pKVDzD{<}XIRPv2q33H0Y+Ty#M2BHF=+2$(EG0XJU%7J
zF5G-_Pzu^#wmYM){Xq3>*G_r*D(4O-rMNtJ-4E<WKt3t!&l4rJ)Ui2)bbjW48iK(H
zNj?_|ORrNOl<hwqhQ!%ZslkH8I0(fXF0Vd@^7-N9+i~7eGb#NfPN#PRA8?U;*4T~9
zy-hf|vP1cnUPrKj`}ppm2|IyX%de6FB{C{ReepmZ4rWesGqZwuky`+WVd{lRTX%_S
zcvsw(;xWDVZ8{UX$V^M*9@&_GRbU+9h=cNN5KUP%YDx()RyCGjkmJ*<lR;9G&PU)m
z@ga_*dK3!uuxU?6IpI%SZ4MWR+3cXvA=MQ+d0sVhfCAys-uqpr(f9XrkGq>k^xPOx
zf@_jg#~vsF%nIbp8gz53=c9T}9y-HF<>e$8<+G5ZY_a=aK?JFfq5rFY=1<kgU;&7D
zNk|mvVG@Th;+<atrfP$H!x(Kxmk*k|tO7~{#ME{J?9~#em$i$>uD3a1%`j>BBJ;$X
z?AmhmXVV)**ERy^I%8G54{onXwKOKer7?X4A*!G6)^WZO%5gh_CYwV{g~o<;`eIke
zeg+AoaPY25OE2=@S||^HT87;A(v21p_G#t$=9N6^1x5Z7KFHXzH?14TDF@|d30NW!
zf`gB~8%p8sYCq{36`8h$JL9n@K$pj-dxB($@0X0)u(muGw0`2takzHf_#hvF{PWlQ
zW2(vN7}LfAPA;$ePv`IvV~4B$nCz2>X>CqXQKB)EaUaR|18LHK0wa<%x_1kLMj!yG
z%RecuJFHg?0ft22{5QK&F+?oE#NIU=8~3qCw|x4S`X~E;31EIf&g6bvE+7EY*AHgK
zfFQ{$@p50{+lXp2O)M@@b+bAtjsYb{kAAcDiODA1!z8sdwgb~?DTkdjo5YaM&bTGx
zgc}mtqIF`uD;zU_J29U)WKeL`diLHD>;!=-sJULepcSHxc=7W~OqC+W{#W@CV9!tE
z8ce_Mb>e7uyt*F;f!zPmz5CqYal5b)nU&-KkNa2s<VvsN5xvJ?;y}rgmiM7B>HwU(
z#MpzWU!7q$x!SVymhAN-@YhB;AZTRkIYH0iuVax)`)k2}Kbfl)!`0j8ygYsA+I1;C
zzf*l$Be4wU7pHgW=`PCx%?k7u7CM&ipUN{viGF~JBB3Xb@6P=kz5a!T(eJqMdKWoh
z#Btnrp`<6RB|Xm-7)RY#G0wB@+>oO{>hA=exy+1eM2d)D@8Hur0S;^ZQIm#?1dUuW
zq8;~~c+LEOL>k)@N!3EOh@|F)4uR(%T#vf-Af#3i$*bIhMWyS2$Q-hV%yjBf?jPlD
zAT`CoYy-i{%8J?XwjqIngdzs?4%#it+CA#c94wiB?&mubEGX}VU1)xWRefa#MB#3K
z$vIAy8Q0mwMekaegR;RG4TAVZx-+-aR28HcgX(5~fhJgERN+>7xi`G(B!_3$^qTr-
zZEEt8m&{z5;hkL!jXZ>&S~Z2jqw7O`H3_Uywrc>>03ogP;7t){9%LN+aVLc~0PwsH
z2je=VZ~|3?AcXf6)`w;@G55G21WY{CKFFPX9qjDxC|6t9GF}n&g~a62xj#lWD7Ncq
z;@S>>WeiaB+V{akqw;axz(yin2fY^@3LdNPZ7cR^H{;Eu$Z}t-${}%o>=$>0Xk<mO
zh@9Yf)cAtdZ@H@6by$vT)oaF4KVSp6k1Q9|Aq{*2`vC@Au&QH(!>H@GlT0_nOQ7zc
z%0kCqU@E~H=&n=aCer@t!I-ONmR%bOpZ`vO%<_z-wmHVYq$g#X;~Z<OuRw|Hzn*?O
ztv!aj2rgmjSNk&mHh7@)xeo(rczUwVg11yJnx`^$oJ*$B8j(>&94FK)sO?}O>vbjJ
z`<%4V>v*(^FKF5fn1s{$XJHdeu+9$q401pXq`vpQkW&)yZPRVx&)L1Vruj$9jPZeg
zxaCWTCL6xzcCos+^6MFqrcCKWxNZbNBH$>x<o*v>WOT`q!*NtV&`|A$Jns0~HB@7|
zRDy%QvgQw}%_zy8>74&%K+NLe?n(a}!Vn?TycCSe?wQ%H4WB3hGfieiLl_Y-MQ!As
zH6T<yX^-~c0Yo{4&Nif#LHRe*QZScu;w^rFJ;Kl1P1b+&C9)xSQ6frGQ+Dv{;D3nE
z8mC0Yb&=F#&OE?&RY%(~tfhnrS<VPoM6>kmR+f@%?y^)5sP+<y2KJ0VApFf1ueZ8q
m&{sgatMjh@II%cRK5VoO<Pl5GNLGFf$2MCN(Xn$T60G;C|D}Tf

delta 4629
zcmV+w66)=?B%36VAb(^rI5KNvb1`B#K~XPuWm+(AVR3GEYISvMLo;b{aZFl8FF`V9
zRdPjAGzwENc2q+`OL28LOfN-wMp$|)W=J$wF;ir7Mo3~SV?}j(PikgYd2caBK?*HC
zAaH4REpRe5HXvA3QEOE}AVDy6Gg)kKcxQBIW@K|jNpn#}Qh!uqb9iS^ST=VvMK?H3
zZZl1HS5ZW0V^0b-Ye;QMWJO3rQ&4kDI8AA5D`Z4(O-OT6R&Z=)FIYEALRdIrPEcA>
zFmDPiJ|J*ub}eu+H8vnxMrUbBcOXG`IdnBlLMusFQAA>HO)_(HW_C_#Vl;MSac)>I
zF-}cRZB=w|QZac*GG;jnOG!#ePdQa@Qg?QDL~Jx!Qh94{LStb#Yguw?Q7dXoM>cOr
zW-($+LvC4<PXQHwdS+{QYC$wgd3kbWM|VmwYe+XaXJJWZOIJlpS9n@6IYmQlY-v_c
zSUFM(V@pwDZ(~I=Mk_IJZAy1JYd2D4IAT>YP;qKwWo~geb7y%>IY(1DOKU|6Ej}P{
zX?87eGBq|JT1IDSNp~PYGH^v~LUKb|L1IQ|R#Y-YR#7#7Nl8vHb8JghL~~hha5ptL
zVM0YuRc$p%3Qu-#d1q2WacXF9RAonUc~@jhMP_zSd0~1^ZbD~yVsk}EG)6QlNlz<l
z3N1b$bU{i&BP3QWXL4m>b7cy5LwZwTSY|mmQCV0tb3{g2XL3+hV>L%`GFUHTWmj!P
zH#JInXm)IWR!Vj`cV=>NFIZ?~W@k+@H8eLiN;P6d3TR0&Pj@j=IcrmCD?@c{a5y(>
zbaH13EiEk|MR`?eS#D4;YEnpLcSck*V@N?cHh5z(NkMgPQEym9L{V-qbV5xyQ&ndQ
zfsg#5(frc^6P^q127z6~uo>j=FpJO}>QJg)$&1{7#%VnL5KQMrja<^&)^mp@S!GGP
z_%Z&4@RD$e+zH3WwIdiPtD8%d$0p?Ze`eP03KO1=JYNdf`xu;&V%Qlc6Vz0QuB{(t
z+(}za)Ci)Xm6X=64hpcn{q%_|cAsR5rk5g5afp5f?<~$CF;ZdDE+W*LDDtMNyBL;9
zVdPPNs3wN;4#+qid-Kl<+p~&g2Ut*Va*C40vx7wmM)pA}xcp7c&D{Yc8<hea2?a<O
z4C6SpqfFO#lQ+HQx?`pWujM)EuJ}i14#L(0kvrz-s+`xcXiP~SFQ|cxgeYw!{2z9%
zMm+R)tBa){LQrlMcNQ>iKM5+KkjZ@7F~cT*e`l2+P@1yi2wbcFR*rSJLwj$!L;fg_
zbIkm*J7D+bGG#RS8`)LWLF8_{2_#j^R_e0hF22hEP~};PMq?>ST5toue7yl5p`^!!
z*~h73J`e?H<aiGRG7@%i$x5(UE4;w*Ob{MvNWe+bB9)_aaXU;X{v!-lt&y$*<DX@J
zESq!k0Z3UoRvas%4$kg#s%|Qd<i;&F;zI5Gq7MUavkr`dDz{14iKHz<CE9yV=Cc|R
z@A8kqpFg<|4sUmp9im9zPuKyD4CxFG)YOjY30PH3gN8O=A7@jH6SB{OlU^&EoNXW7
znb1sT$SH&3%rvf#{`!Jc6Tey6c+N(DJ2LwC<toywxJc_Lerri;_4mc@QAf!l^suwt
zZZxNHX)R8!X6|8xPZ~LZQsKD#8w^~z(ifE8Ss^+R7*yTIDXY*bsr&?2qssCw4%m=L
z8gd^sF?atfIJ0-QHRi&ah0SIYj%!!{Gb;(88+4W-73;S{WI}jTY#Apce*P+d>Lzg*
zuO}}kwjo;PP@Ussp*On?ROtufD&!+0F<u;3>GBR)<u=LJ6}@QoWqt0jy;~1Ud-s=P
zB6d2)ANMCwZ{g{h_!u1jrPYgEoVuvXyh70Vd<Y_VDh#}Bn|XpS#Lf;K*VC8A+gDI4
z{FDXIv@VGNO6KWk*lK3wfWj7k+}NV8n@8iNM66V?!4X8|r{PtpG5n!J&WxlnqsNM#
zlS%&Sc^>I+u{$SRKUM`naG%$A+f&-n#K>WBw&7$^c&1=}z;atj6)1_=o^biq5=&%|
zvGdtD70p244k|jXo@tcv1Hy}1x_x7545MD_`!_W6#Ta>*OGct`S1_=D#QyV=7L?j7
z#F`Fg2Z9$N_rkfj?*DK$<DdYmj6IFH#?t1o49>u6_jq>~UcA5SPNd6oYBKTP6rEPU
za?Xj&Es!L!7sW5rxZSDRRX(+&_Jz+WmuPxF3IRZw(o6n<Q>|eWlZQg8Ji))A5RA@Z
z^%sCK0zs8kZ4D8wAnfIT4W(FZG?3OWv(*}so5cvfUtUIAE|cYAY_}r$KRwpU4b_tG
zSpB^*3I|<&thnxnpp?_ruW6}mE8?ipx#MTw<L3@8GYa9?xCcS-`@X`>A+%Rjzw#tq
zqLb5u4Tj#;JihF;<hGN8Wby@FY~O0S{94i`I+Fu3g<n`%gn2`M93O!a3KmU?b8TYU
ze<}xR<aVt_)rRqpD<SVHw$J#+AwCH8Cej^^Pps<af^!c*D$P2}g<|7B0TW48RHpSC
zp&YwP_jSxrjs*Z!0nB?$6*D$uH@m=;sBKl7#nW<8VH4!;K9)QxCSUMyboGE5o|bod
z*}hlrB+CnxJiB*)yKA8+=}-%X^#1$RNjh4n@K{a4FeHSJXLF2j@I&!S9BM=?T)vEF
z!e>AE$~xABbGc*GI@Hw<IqoWNF2H;vd1|Pa3$!SQ-p{1%t@TalPIi$@q;EAdS?N(+
z*A-M&(mLcSn4(NpU+evQ6MqA*;?$IyAVEJ$<OXZn|Iagj<?1Tn-&7s3kn)FR966!5
zk0-PMiO-`&_dCD~4Ue5i^g9;r))BE@ZTkR|w~=tVf}BCtXh4da8jK)1Dz0(7NL8j$
zsM=O>^{RduR&=bx-iTz0QzyO6cJV>-IK}n;9YZtTE6Xb1ySxQ(IKy9oUT;ehTb*7e
znj9hAdGkMir!)?m**>k|vj{S#M<r%a-wgd%>rtLrh~EWgMBR04C^HeG^X5KjkV&KG
zSy}BEH+Ty0asWGO4<SK37LvAg8R!)3Y({p@R53^_uwfc*bn7-*Q>aG;h5sHGHQ1Ky
zGX>d6-Fp>qh2YZhG#9Z9$mC9@$EaY^N}mLVo<jtGb;{q`V&bMP&f0;JZ&!dbq6`<!
zP>yN|1z3L6ko%ySC$(lpFJp0gzenw6PvY^4pq@$Vea#`#pXc1_Z<t_^OzvNV$XgMa
zy%i%<^`o62{3NE?$1n3vk-o^O!A*a(p8Z~D4Msx2XaO4IGq1#R@5Mu89(?|(p@cAP
zvlE_wCM#B?PJ}-Znjs40DLI{lIK4~Sz8!ys)brL)JFeHYXN7A=yB0&n48-ziNGRlo
zS*C^lUgdT|(H#_fL*WhA@P6`j{R3r-#0q{?22GEWUQZX1<Gd+3hTQ*I;#k6BJ*!&*
z{`}kG(IjjSy6Be7-yvI!nV|D>!02;i$L`;Mf5mUW_F{834(|I`r5_*|pHpm9fhc=m
z;J3w&Uhf|ntm^_3Fl4g!L$VKwAsSTEWyhhde#5pRQ~Cly8k^TsLZ{d1n3tSg7JL!&
zS)FtW)&1RC&`}QgKG*oErqYkBzZx#pL~{d}JLz)9z1hvMaSm*lwZBwA9<9gwY#;}J
zYa059@+{o_i7Bc+zPP}!mJ3#%{a8ArQa2IBp*6x+TeEzqluzI*v|BWa8T%;8f@BAk
zXTInFS+<%mz*x<gEro?o`k0Q@r#mmO_}Np${7&!;z?o(m17DKLG(%Z!U67xi?7t8i
zv}ULBGq`|qpx&!*kHNT!H$=e<)WU*)z&b8dHU(#J#3==3Hg4Vo`LXS~4y{ea1CLd=
z$ZD#DzPYD3Zok@Ta*FlAzRI;P*>II?JTuh!a8hBzllN_IJ|nXh)APpKr3hTZxpFyD
z*ydn+{$$&m3MD8y*$7`=uBWF`V}mDu<jbeEi{?>g4{pnMwt=mNOwH9=PU;$e5D!Ry
z>AkdSW-_tQ&G(@-V%2zQloaE<h<3~pVM$Fv5=9Qp^yr01i{LfsWFaK@+eL+sWW5%1
z(>8C`v77r&tsDvKqqJ0UOo~0R<Idb7Q$iT5N_K!6C<QBcJJ^rvF<p{<E&tX~>WhqG
zrQusu80TRB>u&r&tYaY&PVsSnu>b3HH>i?~i*o7#wj&tSYV13D&vok<p#6=X%busv
zWNsUzHx&uB9xz~=4eHWK7?5>@@g=GU&Bydl7SWZSqXXEa8kL8C&iCErgxf+=<?fg7
zcj_n5e5v`g5+r&SSfcTvoiI^wR(D$mestu<J+(J}PupZ?v2xb`C@CU;2f<h&X5mQ5
z__y~vId^zBZSZuK21Be2PiR7UYcWDe@t=c{`LYes&NA}LIhPDOn0Clf7pv5Vo3ptw
zmHO4Xyku9V^dK_QpJ_|iGxFzGpp|CT`X+IDi6SnqhFx}n`AV27RCvo!y*j#%xFfnf
zyYzILr=cV?w=x;-#UxLE(Bwl$sG%EIs;^I^1>t-!P)VkV(Esq_lLXG2m|0f=e!6UK
z^wilFnuu6kB_{~4O<r1yL;w8?=CyP!k@2v*#>KzSb!bh8ls9$#g^2@cA5indV(zy{
zbEMj%RAID(gCd~%(bbY7`BAuaT}s6G7;p`)7a(}7cb%FSW3%;t!EC9lg6W$#;Eqy<
zB`!(BwBTzTN%`G*l<zi7xYae5blQE4qM4#A+s2v(faGf%aY}5mMf)=fhV||A8{(-E
zt3AgQjcd@GV6-?b5z^tTwb-q5TK@aEfc&3Zag}ZjVB|3<sI3Q&tEEPEQRy(mCb7zo
zq_*-@_40fHk^*XfALb_}o-^f!BJ2{QH==lqKO!S9F3RPyH7@6#ZwOqDN|@50r$+B?
zp7GkG9`g^;QgbdnzRwCnzZq>_DHyNK`BiLSUCdzL`at7<TH&rlbTwfW=NV-3qV*s#
z!@MDd<Z!WCT2&e*UT`u!+T+Y(=4^CU)$O(Nd5vTj0dA{*+Se`P1aJN+`Pl+;Ron!W
z{t^CbZ=$@8{49f$oE5ibn12{j=={!-Z8A!xF|uD2$3GxmVCo&9>Hk{ljD=YB=F6hN
zjzBv=)i6#et&SL3vmhgIsMH1EPf<$<iKvp5dxn+xK{0+SYY?pCR^FEE{j6(kjkfdx
z@!W}}zv#$+aE)f`e^^}`#=$~AwkH-`*}vW?2T&=NKjBm4_C05vH5~*G@NWn=Ud6&l
z5~2I03#BB=g;L1m^Osl|Zd}KU;TD`%+O>dL@5HSCJCAvZRKD4wW}%64K^glck7Cd9
z`;Y8zeb?ClFWZu;5*>w=2?01;{xl6WTBil&?dMK^dlJAQN8?CTl5*;L4buT8`trXP
zutnG_ZC^wlYG6an9hD}(1}vh9OVPQEht0%!raq3bK);#_qwgx}yp3T+Iv8r?p(vC6
zz!dT;T|xRT2+f2S&j5rTNzSQ5%jz8Ec~H0&>Ihzhmjl=12$qz%KbIb40TYcmLezT#
zw;Z{DgI8iE_~IHov`TA3`U{f;;6U>LXiG-Z0bm=z$`R47X&dA6vcg<Xv23l}kU*}e
z=AqnDVJ*H>I2|A{bwluwFg&YfA%dr>uoscsx4aODOUBQK3PzzdYKSwU43{VWw>MJZ
zi~(-^G`j8PKHJolV*%O5B+hW$T=@*dH~@WrX>rll<P(@|y-I#tc}q~<pBvtNG@Qn+
z?|!#dX6L=9wX>Z}AymJje;^iQL)(Q2c6;oQPILPfZP0Ozg&W2*KSNf|!b7b)g+qo8
zSs*j+iX1KPOrichQ#j5oB;aaiHdV?Oh!@gCi(12xqj*0DDBGcLA2of>b~_46**K<u
z3^Vy*9e{#Y!VPO>?)ndjXDPY>ySrltEI3m+4brCj$#Xv|n6gzpIFAD)SpyG014yuz
z?rk>H&ASX<?=!zdU+3!f{Zg|V6s>PKGRYD;qwnq{rGuZG8;F2SfeNLfPiMILu<y|&
zhHY%0b@YZ|*C1!q=Ft|4QSm>EF~C?@mTeak{CeX3=vG46wT2?&Fd!bhh4dQHB{$PH
zFGCx0zC$AhVf8E7D^)vK2T;CQteOPzca~GHOlyt<4!EHw0o3kd_fvF0Ykg)+R8QtB
L|HV7v=`Hht`d^Q2