From ce0eda65e0a586b7eaa966cdf798da2ffb14ad97 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Patrick=20Gro=C3=9Fmann?= Date: Sun, 28 Jan 2024 22:42:27 +0100 Subject: [PATCH] feat: new domain --- hosts/maddy/net.nix | 14 ++++++++++---- modules/services/maddy.nix | 31 ++++++++++++++++++++++--------- secrets/secrets.nix.age | Bin 5224 -> 5390 bytes 3 files changed, 32 insertions(+), 13 deletions(-) diff --git a/hosts/maddy/net.nix b/hosts/maddy/net.nix index e554caf..92946e7 100644 --- a/hosts/maddy/net.nix +++ b/hosts/maddy/net.nix @@ -4,7 +4,7 @@ ... }: { networking.hostId = config.secrets.secrets.local.networking.hostId; - networking.domain = config.secrets.secrets.global.domains.mail; + networking.domain = config.secrets.secrets.global.domains.mail_public; boot.initrd.systemd.network = { enable = true; @@ -52,9 +52,15 @@ }; }; }; - security.acme.certs.mail = { - domain = config.secrets.secrets.global.domains.mail; - extraDomainNames = ["*.${config.secrets.secrets.global.domains.mail}"]; + security.acme.certs = { + mail_public = { + domain = config.secrets.secrets.global.domains.mail_public; + extraDomainNames = ["*.${config.secrets.secrets.global.domains.mail_public}"]; + }; + mail_private = { + domain = config.secrets.secrets.global.domains.mail_private; + extraDomainNames = ["*.${config.secrets.secrets.global.domains.mail_private}"]; + }; }; users.groups.acme.members = ["maddy"]; environment.persistence."/state".directories = [ diff --git a/modules/services/maddy.nix b/modules/services/maddy.nix index e75bb89..7b34468 100644 --- a/modules/services/maddy.nix +++ b/modules/services/maddy.nix @@ -1,14 +1,13 @@ # TODO # autoconfig -# catch all # service sending -# trash domain { config, pkgs, ... }: let - domain = config.secrets.secrets.global.domains.mail; + priv_domain = config.secrets.secrets.global.domains.mail_private; + domain = config.secrets.secrets.global.domains.mail_public; in { age.secrets.patrickPasswd = { generator.script = "alnum"; 
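Review bot: In `security.acme.certs` (hosts/maddy/net.nix, second hunk), requesting a certificate for `mail_private` and its wildcard will publish that domain if the ACME server is a public CA, because every publicly trusted certificate is recorded in Certificate Transparency logs. The ACME server is configured outside this hunk, so this is an assumption; but the domain values are read from the encrypted secrets file, which suggests they are meant to stay out of public view. The wildcard keeps individual host names out of the log, but not the apex. If that is accepted, a comment on the attribute set would record the decision, e.g. `# names on these certs end up in public CT logs; mail_private is private by use, not by secrecy`. Both entries request wildcards, which public CAs issue only through a DNS-01 challenge, so the DNS API credential behind it can obtain certificates for any name in either zone and deserves the same protection as the keys themselves.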
@@ -20,13 +19,21 @@ in { networking.firewall.allowedTCPPorts = [993 465]; services.maddy = { enable = true; - hostname = "mx1" + domain; + hostname = "mx1." + domain; primaryDomain = domain; + localDomains = [ + "$(primary_domain)" + priv_domain + ]; tls = { certificates = [ { - keyPath = "${config.security.acme.certs.mail.directory}/key.pem"; - certPath = "${config.security.acme.certs.mail.directory}/fullchain.pem"; + keyPath = "${config.security.acme.certs.mail_private.directory}/key.pem"; + certPath = "${config.security.acme.certs.mail_private.directory}/fullchain.pem"; + } + { + keyPath = "${config.security.acme.certs.mail_public.directory}/key.pem"; + certPath = "${config.security.acme.certs.mail_public.directory}/fullchain.pem"; } ]; loader = "file"; @@ -83,9 +90,11 @@ in { # SMTP endpoints + message routing table.chain local_rewrites { + # Reroute everything to me + optional_step regexp ".*" "patrick@${domain}" optional_step regexp "(.+)\+(.+)@(.+)" "$1@$3" optional_step static { - entry postmaster postmaster@$(primary_domain) + entry postmaster patrick@$(primary_domain) } optional_step file /etc/maddy/aliases } @@ -149,8 +158,12 @@ in { source $(local_domains) { check { authorize_sender { - prepare_email &local_rewrites - user_to_email identity + user_to_email table.chain { + optional_step static { + entry patrick@${domain} "*" + } + step identity + } } } 
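Review bot: In `tls.certificates` the `mail_private` pair is listed before the `mail_public` pair, while `hostname` and `primaryDomain` are both built from the public domain. Go's TLS stack falls back to the first configured certificate when the client sends no SNI or a name that matches nothing, so if maddy hands the list over as-is, such clients would be shown the private domain's certificate. Listing the `mail_public` entry first keeps the default in line with `hostname = "mx1." + domain` and avoids advertising the second domain to scanners. A short comment on the list stating which certificate is the intended default would stop the order being changed by accident.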
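Review bot: The new first step in `local_rewrites`, `optional_step regexp ".*" "patrick@${domain}"`, matches every input, so the steps after it are effectively dead. The plus-tag rule, the `postmaster` entry and `/etc/maddy/aliases` only ever see the rewritten address and can no longer match anything else. If the catch-all is meant as a fallback, it belongs at the end of the chain, after the aliases step; if it is meant to override everything, removing the dead steps makes the table say what it does. The pattern is also not limited to the local domains, so any user of `&local_rewrites` that passes a non-local address (those users are outside this hunk) would have it redirected too; a comment such as `# only applied to recipients in $(local_domains)` would record that assumption. A catch-all also means mail to any guessed local part is accepted rather than rejected at RCPT time, so expect more spam reaching the mailbox.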
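Review bot: The `user_to_email` chain maps the login `patrick@${domain}` to `"*"` with no comment explaining it. Presumably this lets that one account submit mail under any sender address in `$(local_domains)`, which now includes the private domain. It is worth confirming against the maddy version in use that `*` is treated as a wildcard by `authorize_sender` and not as a literal address, since the second reading would block all submission for that account. If it is a wildcard, the account's password becomes the only control on sender identity for both domains. With `prepare_email &local_rewrites` removed, any login added later is checked by `identity` alone and cannot send from an alias or plus-address. I would add a comment above the static entry, e.g. `# patrick may send as any local address; every other login must match its own address exactly`; the enclosing `source $(local_domains)` block continues outside the hunk.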
diff --git a/secrets/secrets.nix.age b/secrets/secrets.nix.age index ac61579f270bef7285fd6ec512a461ea441d9c67..59185ae79e4e78c82df0753d895129d0af64af18 100644 GIT binary patch literal 5390 zcmV+p74hm}XJsvAZewzJaCB*JZZ2F)#{3b5?9)HezFUXl*c7MQBSureW@tw^ zZ%$e^H*rfrXEjhZFh(;kO;&U(QAuZ7YBexoPB=(0YHbQiad|ONdUj}VcT86>Yid$e zadU8ZHaAEsLSaK|M?ynRT5DNYN@7tkaajs2J|J*ub}eu+H8vnxMrUbBcOXGBcX~2H zGB!dmOgUFYdTUxrcw%&UXfH)2gTRZC_yaac!3RWw&_YEyYxG%{>dQdl!)H#9X=K~H8#FHs6tM^r^baCBC1 zS4MhvYC}s;ICpthd3tnGcx!ZLMo~61Gd4*xPcTbsT5}35J|J*ub}eu+H8vnxMrUbB zcOXG+QfOH)QZj8~Q*A{vdUZr=W_3h*Vlq=lH8*WWPdP$mbY?I{FIqxvWpoNNLv&A5 zPDe9gL~J)pF>_>ea&kdJGgeqkOGh_DLuE%~L`!aDWNB_RXKM;AJ|HA>b#EkSUoB^H zWnpt=AY~wRT5vBQId)raejsymWC}$&WO-q1XGU>Rc6C@oWlk$~L~~bVD>76#H8n(6 zWOYqrPfB4|GHx(7P-atNT6H!-SWH4~Pia|MWkhN(S91zzF=1$9T0v4*Mr3VjT0=y0 zHAZAmXERJTY%fSSdRAgjOG7YHNH9uyZ8b71PbT3d&cM2^nEg*MrYB+O3ZfA5k zS6OCpOG8OxVp&*PI5}!*Idm&zGdV?9SYu0bHezQmV+x-~DfefUs3)cM!%?17#d6Xx zrc96hge&yd-HPb>#|o=ul==6BiNvWQRlvgWLuc$a4HS%8JC}^?rql2xR{3d~jEBz( zv6iSxhDqv_Jo`%jfYa(Nz{Hcu zJ;2!8lo*pnJpJZ@E@Ic+MkIjLgQAj`bI<64DF-jOrnk25N3b6feKIUxcCh^@rAZIJ zY}XyRFz&f@_bDenSBO?zOV*5I>j#whNzHi<2Rt_(G2MO|J$)JyPVd1Y8)iTsd-{^VtxR=f)}t_#pBST4T`uI6w2Ln zXb`7mP&dRSo1J6XX_IWLW$Bj)UPQaDF5=97tr<+5UcSTz{iR`YUQ)t zd6F`+4t9nvgl45+#vlW6Dq~c4_Qvbc*C+tFo=2>Ad?G5Hp_%G-NoBU1`2sSW?%#Oz zOkb|b*zej}z4NTLB=~r_`*JkQh8)FCgmrEw?_@s$i>fWP`T*yqJ4}=6njni`sbjxXm3|~qF-tnD2L^(iGqF)g?7eLj1?UvuZdVA^YwDtSty@;f*O-UfVhsTkb*Dr{Zd<(^2#xj3BLl!3U-3ysq5ax9a_ZXvKf z!1=-Jd__3SOW~>Z2>1mv<1ZAeH}VIF)+DS#zB|`)EJQX{;@IWmdy zA^A?d;#A04PthMda+S&cs%@9tAuS8px@!Be6;O0yppNHeSs|PL5&E5-TV`s={4}ZD zc$gYYh%&|oKe84*4S9xAJ2i7pvnA7e!G?FB>ED!<<4tnRM6!ICmGKv?xCn*lxVBB3 z01>P{v>G#bIo5KG#1~nLks(9R!_p-E2eKDREH!m48+!sW%??t@v1)oP zTS<|rGI9bDP_``-z)a8oUPn&D*Ir5fAZ#ZX=J{wB0@ZQo^%DZFalyl$&iygZBkr(= zdT!=2;0sWqOl)dfm4?~Y&gwMgslFwXZJah+kp1H%j4Ag@x+X_3I#dBTWdY@6rxQz* zYF-3ULPvM#;qRqwOvU(#Kc|0GMLCB}^xGW~>x)@N|9R`l8vGyPk|J-l`8us(b_S$Tnhuo}j{??0Eyioj zTev_hj~?ObBW**!0?fcdeL)4qRK7#ryF7U|wJ^tuzDslPPP3G0O3b>x8Ae?Nr*fPn 
z9|~(AZU{8a)W5u=dFfk5|8c(7cWT=@{bSSn+-o$yF6TK?pM!6BVY58l9rB0BqO-Pw zPLyoib8yFLO$ejY@t6Z-(yo*ch)2?F7V3=QY@kKNbyx>>&6}Am^EVdnw;i->P1+*P zM>RAWbU$oVC88DSk%F6i5gzJ5E|u^qDOKgRaXG`p)eHE|F2VS0j9n9JrjD7XdGtJb zC@~R&dA-M?nt8qgr*S|$$`eSupAI5B>^*mCTiJ|9_Drz^Q{~^M0m2|?GE&)ju{uHi z1(NPL9zD^u*IWF`L!JTNR=8<0mK$okWrCaqbh|bO{u8~DMXyaxu&oE0a%S6e;?A)X zZ&^G_Sa{8|jqe8{8krj;*3>WNR;ZGdJbEX-`ej>?rs#q2=@jCsZE$9DafG*5#R7h= z*{jrJ7UbIc3S;cnd+R$=@BK1j;s`WdaBCO3Ro{SlqE!UlOU46^RK;ZwR)9@8R6d6ZZX@GIlVLDN!@Cv_@rCv}YGvnaNVF@~R~FcU|tKT}PC)vq#-hl6JyJea4W zBsp*|SAP*^B!R_0wm9o7hi2RqO6%4g&gB-(=OHCOlL+HJlx%{|-2By3C!*!8JL$P8<0z7PwrWvJ za5}Mv@qUHw>i}2ktA`6s=zSG^D`e87pm_5$$?V(IZ1>i`x9R52FBtuBhGEnV#5RfG zW1Si3D&|$K8Z;k!3L&|^E7YJr29~jL4%ynr5lWP>mvRg)b1(J1u!$;wzMMg=94Ayu zvgssn=U;scF7TYd-r?UKK(G(IDreYbCUHGi8emf;`4tViTd#d~Ju=v67E}r$#uC?j z9}=5o&7>ndiP8{wy1=fBi6H6VRJ*C$tX+X8El$0OB(aF53VYamT z2C4vOPa&P-9v&bf)A%$%+UWQ}Mh8aXy^ zWPK<$O*tXL;C??&f1=jRC&-^x4a=pDm8=EBquTsmGtyyiXxteMTwGsswD(T;=sT)K zMq}5ZjcBzWq@d(tr{{Tzs&#Fxej-4pqn`^hz;hgNl~m+XVAb;O#@m#dh%ii&cjk6c zz1*?l-xi|pA#bsQl|9Qr^v5SkQH())k^b`kQV3br&DQ0v;>C8-RIp)BAYLJsh;pT; zbUR!5!p5McF){i5@gu@iS(9rTrrY;AvZKZPt>B}rf_OA}d3A`&(A@rZL`2wz!CZrF zB0fa1Y0R?jic1y(e(;)B23QtHZb7g#AWnO;&;^U4Eg%AsZ)iY@Z1|5t7NODH5^WYY zfw8V~v$E^g>iz9U*JCoc=1Bu(BFP-(a-DWNO25$rG z0VZ`=Vb8PbmX*?M7Ck2+D4cZvG>t7_)nRTTpHeY1&hsW6PLD)RiHE6F*PB^^N$Zjt z*+LDFQZDnzukbo+VP~+Vs{mbOykg+~o-5}BarujOenaxjT$<9HxoYD(t&VeNcs$IL zb>G9?FngS$5+y1s^|_zN~Nxa14hKSg!|m&omnT`as-o%}%HxD$p;W zNY@WpZcbB`MI^;Ba0wujl$7QBp7e((7pI0Qe>dnY6Gh1tvzOp$iIXFew&rpuk@fqq zC}B1u+-G$OxNqN7{SHB~e#A%XQPWJaw~tWMt>uPxQ%QW)8np=H#NE7T@8Qq9(hMbn z{pAGN_{0}x1Sxs4_1w8zc}?MY(|#?an2cE|EQx_F&Xh3JY6lG}u@Tyw8*fq~yKD>m*LUCevlzp%UV`v^yt>MsnqaY)Mza-=5kA0HL zSDJe&de zOsl@OMn+CQic12=IDMh76NpPKz#+i#btEEKi=k%%qMD|CW%;IFq~^^qBcJwdG9qUE zlN6W11_+e?`nona`BEL}nDQjkd3TjEjgf%fMK9aNUu#5QmQ6^t-MNhAp4Qo+u9Mk4 zrT#yFRjvD69WVR6)1HKez+Vj>S8810&*PIg_DKZhG-fAY8l4j+lBbh>s2sWkmb z2Ep{kC6y4xj4DyB;IUP_sq9yZ2TqW#YhR{z7=eSC*k1Wk;Uf>)GpF8wE3d#z55yPZzlGbwgjI>t!L;0?NNng4x12DpcDsz{P 
z3Ux^ItF8wUIs8ziS@f4=;GZktoDQ0`1fl!*u4QCezmc;(T}Ljm+d`#hQH5O_#_9g8 z8gEjH8hfBH3r}SRyurW1kJ(q7f6%9u8k;E%-?=1B4>a`*M^I9;gjO7CohGlJtOlPCYS16;N{W-Ut>WwFgU5r`Q9hmtb9U`Swy_= zE-cwoslPIOzg@~=K_SOFUV7yP!kJ_iRzbY?RZ=T3vMcvz)}SuGa&5Jq)5p?|s}0!2 ziBNscw<9h^N`Pj|Pjx8Y;GRq@t}<*gFh^0|9G-=JE7m{8Yp3+kTFIOA;7#a}X1Q|} zIvE3(HlYS7O#gKewy+$w*wtN9mm|@r!RU$R#T-Skwee={gGs%j)tVV78<8+VUVS?YKmjJC~EB!CVFi( zf_@>mH)#{2Egm-BeZf+gU2gk>sE?1WLAtCk@?$V-L3F;|DDf_67>A@o+yrN^%;n3K zNzF5k4kZIvL_as@YkYg(__#yg+PB4Vb}R2Zz}HcUZ4eXrJua|onojc>ZK7Og?0A4M zN)nNBu>&D=kS6in9^i>w>^Snvt*zb)yJK(0$*Trb@|r=FLH&fB@FZ6rs2FCmY)zBE zO|54dmiloU>`%l)cWY#^^F!G(rg(57#ESSzskW+$dxX*1pDJA||Mua?KupE)6dy4% z@32uY;R6CzS4yb~XEFSXU>pmF?@*sJ>VBTNJ!-ZcWf2!mHts*~L^YuG3QUIH%`kR8 z6UJYafvZ*KHS7J%pBwF{=4j21dNpu2uG^)))==A85CHk0He^I1G<%?{$O93I5eO(h z%F>58zupTWrBjrMz|p)Iw=DI$U(1vYqhYA%r|@0l8{&_ky)&vxF^B8&O37yC{KS`_ z9>((*AXIGSJ_k+o3Vub8DOcKAP`ZP`4ws_DF-O4#7^We6y;OTj(YX!&na*Kk5~3;{ z`1#A0ZqjW?xj4Hs_r0yR@lkq*BtyBf4Rw@};9rHRMrjbMe?LUA{57|7_Pe5pRAan5 z>o0e<1+J55r!^^&Odp7Q+tr?W^KBEEz2$3<)4{=b=Ijb;c0K!KtUJe_2L}$&l zr!xyA8zRa!DKFpBpnkd65JZdF{->G%_v7p)cNByNbJ6KqdT(!$tngErjq6FO{@tQs zC8elCfXmAZIN!6L4pi{SU`!>Y8TIA$^*Lx&BgF?xEQ0j$Rr8sprPCz)NJrZy$)t{K zZ(RhKC3sjD6ALZX5#lEsdV&*8UNFPFQHpcQIFIM^RTVWq37g zRzp`-FbYIkL2YhYc`IUWb8j{^cvvrZVP{HXMrcD?L`PFsXk>SHZaFY?Lt{d7NeV4K zAaH4REpRe5HXvA3QEOE}AVFtrIdw}>NpCn(G;L09NP1^sV}EgOc5-M?M{+l8b9GNa zWoR{GPjqcfMK=m?d1EzCXizp{d1Nv&IAmrtWLH>7PEbZ!SwUkLTqy|Sw&Sv zFEm05LsL&`Rc|&(QAT($HBVD=X){DmQ89Q+WLIQbOLb3YHbF8+Wl?EFWpG6bEj}P{ zX?87eGBq|JT1IDSNp~PYGfXj6M^|b}R$6CqLU%%EWiL~ISVL(sXlF=zH$hNQX+%e2 zN=`#WbXamR3RXCJb~#B)F=aw@Ok;IXOiXE0bZL20FKaJOGjmsRS41~fFl=E#R$@0e z3N1b$S}kXCWnpt=AWD$a!G7!F;+7QEiEk|Z*?y>ctJvIbt`agI7V(Z zW-&%|FK%vsRY*5TFHK`@LRv;LbT>FMXhd{P3XuF((}yee8WQ7YQc`2Rgw-TCw!yIR zV~XMT8S6kJ_$a?{LyD*BtAG9GB>F;|O}Gme50d_;Jfa#eZN4o87j^&gi5`%#t@yvU zKDh*>MT9aihb@k==qf~i;M+vYIjELXCH=B%?ppDGq4HBsYSy@|U~!xKwd5UK*qt8N z>>=@cp;Zw)rN@ljNVkNYGDY1~nm7a(Nvr7|;7~xxdLD{GkxS!;5N5`yaj(W57;mi{ 
zIXpt_W1@PxwhwF@S1`3ORR8y?43wvA?)B=k#?ZM8)?P~is_iG1ZjwwjY=x%}ULr-Vu~(&oyJ zky!pZZrqwk(x+H!sI6{d=40Kyr4#m-cpS{1m{%^EGU@Rj(Xzl#Srg$slhB@XQg&E> z)C*pqkuV$J&XnhF7-CEZJrl1BL?d_U(p=7XiugGqPjtLc8E_Bg_MzB${0R~J(9}MX z(m@w;xHNM0$l`P@4{2nWRAb7)Lc5wvXQ^pg2=?T-55j5}6^X zEqK6ut8ef+ULqP{ti*3(HtF@<_L9x`Lua143~g;tSgojM#&?TCBwK;wqCH|m7|Bbd zFDI?Hya~ZsFp~sasy=?wza3QwxUbYf3}NPvuWQMqj+9A#pOHYXs545Z$1PlctkX$b z!Ehf58%ZBRF&^s9?F|mp)n`y4V z#??z-{S?lbH;JGAB4>UadnrAYdb~Z{w_CQYOzNk)_Ijg5&dgJFbD^!8`NLphAXGWR zAZK%ssmwGc6HdF;^Fuh?JGIe&oU-kgP`0@!c-&-7rzc{cG)=Ae8Q!Wn{5WV9V48pW z6m}rkQ`|TU;k#hiWp!H^rVlx`Fo%^h=iqN~a+M+zAgFMG!c?4LG~q6Yj;?Yzf9X

qRhuWzRqazj>;|ZCu*c$RW8QKo z-doYB6oYJFliLhi0+WjAz(ma2>DB8FS4ywZtt^$-^LH*<9{=7BS4^ssqn?VW28I^h z6Wvdjw$+1TQ0p0tC6+^(8#RO=z4_EoUSyh7>*DaD;`iJumkt!ZTnM^(`lC>lxZoMj zalxVStIIX7`Fr_JPtm|zq+BIBiKKqNukH>#Xdq~ZsC$BWB`M+$7n4K1`EmF zo<>QVG5B-yp;vF~D@ZzKEpZoi>!Oa7PJNODv!>7n4W@cOBt2e#atePxWl&raSx`4G zahLNm{66mRUb5ZQ`dZ9l@#lK3mzb^Yojql_UBF$O({^sb#DAK~&jTzjS?GHL0rfS; zM4Okh2@^=ARg+Ak@*=U(lBzf?9Ji$h5~uv|rd+^k0}kcMlV(f!IL`7FM0MqzvvaO% zj~swBnH*Q8m&{UsXnHk0UaUcTCR}EZuw*^lL`xI9 zlOB!4DDi1T1k0i0zq5T+t;jTgh=oK1G5M|Lwj!yFy_9o*5_j$$WY-v|>w;{mrZ~b; zYlamu%fV}qLhm1NX~5s*hwyi9RK|^m6fIAFfFrrA<}^1tZ(yF!*77@cPuy>w;y~!z z9+`qwH@b(TswXQqX=o;aMawn?#spv;q*4L&|Jm@+Qe!)ht1x6!AGatHN0vxG>?^Eq z6&jmyng2q6P~$19rq=3ssq|rVVSN4@%fxivxDhd1=`ADM_e0+V>6U7Z4pt`S6}62@ z1`fqXG>MI*r?zTd^kF4bKe5rq_;&bk+NGZc$sdLT{MA-&@s8F&r;@7h@MCy!FRchk zqO~Pln3xVSi%S@yRhxD$-DMiVtJtFjXC+eSO|zwcI$+jnZ%b<&bZEw&KSw|x4tk{& z5PzjAgOFW{MzS0UB%;G6&3yMdMJy5lR87hG=2;J#(PNO~afi!60O2Kyl0Hk1gJ++P zdW!tfI6A)}1f#5Dy!6-?2gWOB_egnNW;`A;=akJmm%TNeOU~f|<-E^xocsZ?YSFO~ z8TmqgX#Y_{q{!7tiLHK7uw8@u!8zstAK{msiUG7jY{C9EIv;C!^e;c07#qB1oc-oK zkp)QytRRN??y~5Mf3egZ{KT6U3`ZU?=G1~jZU>9e8I}(#@7Me zCHOfzXe`Q!Y@q9ynE;70vG2vGhuX|?I+pE!W94CINwMVvh0S~s?ywBQIZZCxF^as7 zg2-*U(8FYv|VjlulZ4+UVZ5wXl_!3X;s`EW{eQRrt- z5UanmQnhQ$!@__?o3LO}Uj=uzm^1YKb=}x3;=j1s9GLEutmPnqJw3lEa1s?Q)sdQi z?UqtJmAZR|qq7DH;d16>M62nyw9|Lo`XsU#DKPFLsu~8Y_ z=Gy?b2E5o{l4k(#TAdBP`iVrf(9>xy(Y6w`JmxgEjQ6&HNY-JBwb)+6v@Y!_<*JuG zMe)@ZA|-vgAxc6zoh~9QWhT=gZmP*LJM;~^>d!Q}vDmTlURd()rs%6d#Ku#x;*e?R zO_qyU?wK-$*HESr4<_QPMD%xm>K;1%Rllc9zeOSOZgnj^LH$VV`J++F?>GQP;SU(a z=%WyXvCvV9^#|$T={2R4@d1Spu+gSLnlUW-M;~nj&+??v@$ib|WG1s{`G79W)CB0E z(mS`Ih%i&%$b`ShSBS#oPcu$oJr1RUPHBZsOMA-pMJyhN8^nxpLXFRV_eOP>aM6?( ztEu_^2?PPA)-8{b+zZ~-l!*=82xC|9i)6__T!2K1fL~@M-~?XGhX9kR+BwHM@@Yf& zMEP%jhZek=DAK@(Piy!qc$bxJo1>Cj@_ff#w?bk+%SGDSb*nL`|LBls_5;2DpJ{1x zmDmIC6}-o8pu1jc*$ldW^Wa_wxK*V$EUWRMT&0ndRbMA1D~)MK$w|qTRT+h>cU*4P zL_on%$<^sl^2`Hfl;im*(SY)aD89LNLLc;tE5!L&sa|w9LzH0u&k8?B9<3#=(jp$r 
ztsV!VBNQOX>eIuCY}Y|Iz`TgJ8t2{-7Yz73sKd-DAj-4t)1fkdo+QlcJbr`fw3gP* z`?a{>=s63TMxmk=Bbc5yMY)q7^TkR?q7|B=EKX8DZ?de;+B190^%?mjGSbGMxGMf@ zpyp$jJ(d{PWouXe*X_k*c};>QzrqQ2A1S7 zE(YjPDCSHs60cnp@1MDM#iYeKHE~}I zt%AvHgm6;o=>72Wjm0ncKMOOI6W~4}K&{(^g>lDsa~EcO->2H1GI>CUrWp1v^wo(5 zgC%nadhc<`>%ZOr?%J;$rR7O*W<3vq#>QRyAlxq5z8Q3XoBg1aq#=_`);n~G@L$yV zAnOV3KI-X803ru&xh@ty49Bn-Rj6+4#rW)MuNGGgxele;Yo0&@rrIsMKW)yCyvZ^| z!6k?h3(QWD#e6fYj&Z!>J^HAs>C)bQM5I0sDNcPxf=>CiJIwUNj ztiw0Ua2&CJjXr|di(e~0S-ucPX!xUsR2GO17M=MgOQNNGf0i(vU{uT*Qx0$7Xilqz z9m*zz)7ZlU!3igZ)PIx*1x&#>pMzV^MWKUn+26Fjy2epRi>c{vqJk8CuVwHk?MW(m zK2`7ot~_=LwNgSt1EYZ`A49b}D4ZHve!xpzR6QDhA7-tY>b!;ZHN1tnJi^MUAG+qD zjz;*NM$OhQ6JO|ye54z3??cA$g`jtjY$)GLZCtQZYcPYm^$oq=wn?s#h7{vK3t6w^ zH41rZ-!mgQtDG$v=!o&el0UN*b;{Ok?*TKcGYihSG0R765`8Peu~&Il0UY<($I zcozYz5BY^5O(Ru>qeTLn_xMT}Rn-3*TO82!0mIf)&?RH-t&1M=rsibMh}x@vZ4v{h#zaN|84Ev9!ynQ~lx%8uR!V%Q zl<;y-*t9pc`q`?BPdeiWMz~qGDL{UTm~JiUq`=;5F1@g;UXNo^yk^4@cvA)1$+R-= zc1YiAwoz|hgAYf4?;p+6rW~fSlLN198;a~dB*V&$p9uG7;;ENitYQGfwVK6m+So*Y zC!tPyq#1cHd2MPF#bR1Y*AYM`^Q+6eb&!c+u``?n6wotq2N(xIN&qGQ&k5{$tbP=qOM7InkXfU$f)KB#~9b_)R=Ash&m!$k<pM^9+pE3ysTrR5LoK@w2%w5RV z-0(J`P~BE`Gg}LFk@cw^Q^87aCGbGyjC@V|0gmyS#fk z*Ww)3>RWZQE!Oedp&@+#{OJ|XLjC;8H8#i#rNI!O2C)?zX^|@p1d{iE9od$BeBJ6) zv!dzfU{HzsqyeN1g1+SHRa+o5Ns_2m|93B*jdD-}XEG94;z;kgBcbO?T8cNb{;i^1 zc|C7zx4%?)B?b3Z^(6T(5u%#L6eMH4q#Abo<6d`=Ib2aIU$4R@V&Y)G?XvKucz9xO zol|MDoQ;lW%ewtUqCjkaH)tTR=JrGEOT#|y>Z)s!^*-hg*SEORE}O6u-)ueEahKtz z0wxq68cybHwXv9Tk(K5b8Z*FfQy*ReiT5N