From f1d8069dc64f7573057563d6c78c39af30db932e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Patrick=20Gro=C3=9Fmann?= Date: Sat, 13 Jan 2024 19:23:51 +0100 Subject: [PATCH] feat: ddclient container --- hosts/desktopnix/net.nix | 7 +++++++ hosts/elisabeth/default.nix | 1 - hosts/elisabeth/fs.nix | 2 ++ hosts/elisabeth/guests.nix | 3 ++- hosts/elisabeth/secrets/adguardhome/host.pub | 2 +- hosts/elisabeth/secrets/ddclient/host.pub | 1 + hosts/elisabeth/secrets/gitea/host.pub | 2 +- hosts/elisabeth/secrets/host.pub | 2 +- hosts/elisabeth/secrets/nextcloud/host.pub | 2 +- hosts/elisabeth/secrets/samba/host.pub | 2 +- hosts/elisabeth/secrets/vaultwarden/host.pub | 2 +- modules/services/adguardhome.nix | 4 ++-- modules/services/gitea.nix | 1 + modules/services/vaultwarden.nix | 2 ++ secrets/secrets.nix.age | Bin 4662 -> 4681 bytes 15 files changed, 23 insertions(+), 10 deletions(-) create mode 100644 hosts/elisabeth/secrets/ddclient/host.pub diff --git a/hosts/desktopnix/net.nix b/hosts/desktopnix/net.nix index 7309a48..f9f94e5 100644 --- a/hosts/desktopnix/net.nix +++ b/hosts/desktopnix/net.nix @@ -12,4 +12,11 @@ }; }; }; + networking.extraHosts = '' + 192.168.178.2 lel.lol + 192.168.178.2 pw.lel.lol + 192.168.178.2 nc.lel.lol + 192.168.178.2 adguardhome.lel.lol + 192.168.178.2 git.lel.lol + ''; } diff --git a/hosts/elisabeth/default.nix b/hosts/elisabeth/default.nix index 47f19a4..8989a61 100644 --- a/hosts/elisabeth/default.nix +++ b/hosts/elisabeth/default.nix @@ -20,7 +20,6 @@ ../../modules/hardware/zfs.nix ../../modules/services/acme.nix - ../../modules/services/ddclient.nix ./net.nix ./fs.nix diff --git a/hosts/elisabeth/fs.nix b/hosts/elisabeth/fs.nix index 5cf1d03..04a381f 100644 --- a/hosts/elisabeth/fs.nix +++ b/hosts/elisabeth/fs.nix @@ -55,11 +55,13 @@ datasets = { "safe/guests" = unmountable; }; + mode = "raidz"; }; renaultft = mkZpool { datasets = { "safe/guests" = unmountable; }; + mode = "raidz"; }; }; }; 
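Review bot: The address `192.168.178.2` is written out in each of the five `networking.extraHosts` entries added to hosts/desktopnix/net.nix, so readdressing the server later means five manual edits that are easy to get only partly right. Listing the names once and generating the lines would avoid that, e.g. `networking.extraHosts = lib.concatMapStrings (n: "192.168.178.2 ${n}\n") ["lel.lol" "pw.lel.lol" "nc.lel.lol" "adguardhome.lel.lol" "git.lel.lol"];`, provided `lib` is in scope (the module header is outside the hunk). A comment such as `# LAN override: resolve the public names to the server's internal address` would record why the override exists. Because the override bypasses DNS for names that include the password manager, TLS certificate validation is what confirms that the host answering on that address is the intended one.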
diff --git a/hosts/elisabeth/guests.nix b/hosts/elisabeth/guests.nix index 4f67f1e..c03f2f9 100644 --- a/hosts/elisabeth/guests.nix +++ b/hosts/elisabeth/guests.nix @@ -75,7 +75,7 @@ in { ''; }; upstreams.nextcloud = { - servers."${ipOf "nextcloud"}:3000" = {}; + servers."${ipOf "nextcloud"}:80" = {}; extraConfig = '' zone nextcloud 64k ; @@ -166,6 +166,7 @@ in { {} // mkContainer "adguardhome" {} // mkContainer "vaultwarden" {} + // mkContainer "ddclient" {} // mkContainer "nextcloud" { enablePanzer = true; } diff --git a/hosts/elisabeth/secrets/adguardhome/host.pub b/hosts/elisabeth/secrets/adguardhome/host.pub index 46da641..ac25d6c 100644 --- a/hosts/elisabeth/secrets/adguardhome/host.pub +++ b/hosts/elisabeth/secrets/adguardhome/host.pub @@ -1 +1 @@ -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJrtGpaL39TCloyatv2MJ6H+IUwMBxwO/PdugyYwCPvN +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPR1b66yEQQSmvFPk4PZTtcyKCyYt4vuruByOoHhIjfu diff --git a/hosts/elisabeth/secrets/ddclient/host.pub b/hosts/elisabeth/secrets/ddclient/host.pub new file mode 100644 index 0000000..3280aff --- /dev/null +++ b/hosts/elisabeth/secrets/ddclient/host.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICDzH6m99bGJIy+9Ffa5djFjYryuV6CFmGtY2zUxBiuu diff --git a/hosts/elisabeth/secrets/gitea/host.pub b/hosts/elisabeth/secrets/gitea/host.pub index 315c751..4db5ee9 100644 --- a/hosts/elisabeth/secrets/gitea/host.pub +++ b/hosts/elisabeth/secrets/gitea/host.pub @@ -1 +1 @@ -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINHGEV0vuqSAvT07Sl56Lo3o5U6EU5uSrfTFe5BF5QnX +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOWoGqHwkLVFXJwYcKs3CjQognvlZmROUIgkvvUgNalx diff --git a/hosts/elisabeth/secrets/host.pub b/hosts/elisabeth/secrets/host.pub index 93d4688..76c29ac 100644 --- a/hosts/elisabeth/secrets/host.pub +++ b/hosts/elisabeth/secrets/host.pub @@ -1 +1 @@ -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA/1vC6GL2Xb9eIQaNKnSOQgN5bglns2Nh5dykkFqYMC +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0dFbC8x6Ev1R/nFvG20fp2tapOQti0lK2iz4gsHDRr 
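Review bot: Every existing host public key under hosts/elisabeth/secrets/ is replaced here (adguardhome, gitea and the top-level host.pub, then nextcloud, samba and vaultwarden in the following hunks), yet the commit message only mentions adding the ddclient container and gives no reason for the rotation. If these keys are the recipients the guests' age secrets are encrypted to, which the directory layout suggests but the diff does not show, the message should state whether this is a routine rekey after reprovisioning or a response to key exposure. In the second case, ciphertexts encrypted to the old keys remain in git history and stay readable to whoever holds an old private key, so the underlying secrets would need to be rotated as well, not only re-encrypted.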
diff --git a/hosts/elisabeth/secrets/nextcloud/host.pub b/hosts/elisabeth/secrets/nextcloud/host.pub index 3479616..bc54fae 100644 --- a/hosts/elisabeth/secrets/nextcloud/host.pub +++ b/hosts/elisabeth/secrets/nextcloud/host.pub @@ -1 +1 @@ -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKlZoZI1rYOR8wLywWIjtLQLpnflXF7fHhYPZbgd0Gq1 +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGMAQzrtwi+J6+W21dBPpASsWnhzYkvscwYGycu57lUo diff --git a/hosts/elisabeth/secrets/samba/host.pub b/hosts/elisabeth/secrets/samba/host.pub index cb1c0d1..a393067 100644 --- a/hosts/elisabeth/secrets/samba/host.pub +++ b/hosts/elisabeth/secrets/samba/host.pub @@ -1 +1 @@ -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINnHM1ElW8cdCZaC4D3q5wS0P9/6A6VvZ7V49suxNWaV +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINfdZq6qJXMfwobfphbMj+63cjQXHkbJmsL28zZB08xX diff --git a/hosts/elisabeth/secrets/vaultwarden/host.pub b/hosts/elisabeth/secrets/vaultwarden/host.pub index 5e240e9..19b29f2 100644 --- a/hosts/elisabeth/secrets/vaultwarden/host.pub +++ b/hosts/elisabeth/secrets/vaultwarden/host.pub @@ -1 +1 @@ -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIHyOMSi8aRtXIEWoMuUfGQl2H6SGSdpl8VuxiEKD9F8 +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGlzWJBIfmwzxnUuJI3kxTFBYRzI+duJ+QSWHvNAwZRv diff --git a/modules/services/adguardhome.nix b/modules/services/adguardhome.nix index 5b2587e..b30e502 100644 --- a/modules/services/adguardhome.nix +++ b/modules/services/adguardhome.nix @@ -11,7 +11,7 @@ bind_port = 3000; bind_host = "0.0.0.0"; dns = { - bind_hosts = ["0.0.0.0"]; + bind_hosts = [(lib.net.cidr.host config.secrets.secrets.global.net.ips.${config.node.name} config.secrets.secrets.global.net.privateSubnet)]; anonymize_client_ip = true; upstream_dns = [ "1.0.0.1" @@ -34,7 +34,7 @@ users = [ { name = "patrick"; - password = "$2b$05$Dapc2LWUfebNOgIeBcaf2OVhW7uKmthmp9Ptykn96Iw1UE5pt2U72"; + password = "$2y$10$cmdb7U/qbtUvrcFeKQvr6.BPrm/UwCiP.gBW2jG0Aq24hnzd2co4m"; } ]; filters = [ 
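Review bot: The web interface still listens on every address: the context line `bind_host = "0.0.0.0";` (with `bind_port = 3000`) is left unchanged while `dns.bind_hosts` just below it is narrowed to the node's address in the private subnet. If the admin UI is only meant to be reached through the reverse proxy, it should get the same value, `bind_host = lib.net.cidr.host config.secrets.secrets.global.net.ips.${config.node.name} config.secrets.secrets.global.net.privateSubnet;`. The expression is long enough to deserve a `let` binding with a short comment saying which address it yields, so that both settings share it. The enclosing attribute set starts and ends outside the hunk.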
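Review bot: The replacement `password` value for user `patrick` is still a bcrypt hash committed in clear text, so it is readable by anyone with access to the repository and most likely also ends up in the generated configuration in the Nix store. The change from a `$2b$05$` to a `$2y$10$` hash raises the cost factor and slows offline guessing, but it does not prevent it, and the previous hash stays in git history. Since another module in this commit already reads an age secret (`config.age.secrets.vaultwarden-env.path` in vaultwarden.nix), the hash would be better supplied from an encrypted secret. At minimum, add a comment such as `# bcrypt hash is public in repo and store: the password must be long and random`.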
diff --git a/modules/services/gitea.nix b/modules/services/gitea.nix index e7dfa12..0a40a6e 100644 --- a/modules/services/gitea.nix +++ b/modules/services/gitea.nix @@ -7,6 +7,7 @@ in { # Recommended by forgejo: https://forgejo.org/docs/latest/admin/recommendations/#git-over-ssh services.openssh.settings.AcceptEnv = "GIT_PROTOCOL"; + networking.firewall.allowedTCPPorts = [3000 9922]; environment.persistence."/panzer".directories = [ { diff --git a/modules/services/vaultwarden.nix b/modules/services/vaultwarden.nix index aa99fc7..e092413 100644 --- a/modules/services/vaultwarden.nix +++ b/modules/services/vaultwarden.nix @@ -46,6 +46,8 @@ in { environmentFile = config.age.secrets.vaultwarden-env.path; }; + networking.firewall.allowedTCPPorts = [3000]; + # Replace uses of old name systemd.services.backup-vaultwarden.environment.DATA_FOLDER = lib.mkForce "/var/lib/vaultwarden"; systemd.services.vaultwarden.serviceConfig = { 
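Review bot: `networking.firewall.allowedTCPPorts = [3000 9922];` opens both ports on every interface of the gitea guest, and the modules/services/vaultwarden.nix hunk below does the same for port 3000. If 3000 is the plain-HTTP backend that the nginx upstreams in hosts/elisabeth/guests.nix forward to, any host that can route to the guest can reach the application directly, without the proxy and its TLS. Scoping the rule to the interface facing the proxy with `networking.firewall.interfaces.<name>.allowedTCPPorts = [3000];` would keep the backend private; `<name>` is a placeholder, as the guest's interface name is not visible here. A one-line comment saying what 9922 is for (presumably Git over SSH, given the `AcceptEnv` line above) would also help.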
diff --git a/secrets/secrets.nix.age b/secrets/secrets.nix.age index f80f0ac0deef5accc9c99300475b56fb9cd4e534..c9151bb6b617f8c0eb9eb0b8b78e377787175756 100644 GIT binary patch delta 4676 zcmV-K61(lTB*`R@Ab&|QRcuphY-4e7Q$lTaP*gT-VmL=+GIwJ{Q&)5|MR818Z+CPw zQdc-=a|%&-Modg|Lr-sPMnXAcOJ-CxbyH<+MM*?wV?;4gVQDa9ZZTA^XIY}^fLQ6C^R(5SLOjS!rQZ#8* zVMa(abYe$BFEMpiS4D3Mcy&uuQCV|xbwqGDbvbTmLpD=lPeD;;Y*kcPP&P?LMnN_< zD@|!hM_NsjPXQHwa%NUaLS#sDF;-MFS20;?Yfn!_cUeYBV?%IkYj1gQZcJ}aGjdf{ zL0CBoYgkEoG;S+GRV#N?aBFvYVmEX&RAM=IcUVX(R#I$jab_zsP zW;bhjH)&0OWMf8BS#)%5O?WtMFnD%JGcZJ2bW=(-QE*8#3N0-yAZd9;Ge&rBVsUn5 zOK(F&LUC+3I6+8rXlzGOPF8O#HbpXOH&{qbP;qWS3NTWZ9N};HY`eA_q=9Eu)mfY! z&7|=ykTOZjHUh3?6Ju$%CnuvRl_$$T1r?0++XMQQw%-%N+@Os>U_7B|vA z=K2hF@%4D%t!Ytf`OFUei3VE8VFrCDt%sF!Uy`+BrcazF(6Ax@_@XCm|mWLjHGW!jwtpr?`tJ$5zAdw1SUb>1G-04gzuH2#ulW-DMq3we8y(@Uc z`*2MiT0)T4$0m(HRj)n3Gv84T0N$?G?9!!ez<59|U3MV`>>-Sxo3$z&wPNrrh#SB2 z819l8OT9hYEz$37P`_h|TsN26ibS2FuN<0xvMK)MSs~4&@a9>EkK*?87HuW@Bq+j> zZ*IpR<}$2r5{xzEk7!fiaQtc_A6KHMkA+<;aZN^bi0WjqKeo5{t4s$}I7=GBLJI=& zN}N8Y@=6ySW%{RTc%&;2sO(t2x$3=Fmmwq2>#eLl23Re_iM5a>47O`~0=A+sww9rP z9pLpdGYg%9%6ymj(883QE509Wzkm_RQLw^foPQ-cpX|yNt4b=cjLUcTqA z-7j03&Tm!;V=(T?iq`t_e#G9<@dJ~M2rt&x(Ucq9J36=WPD|W;9wNw_c zoB88p)H|gg@g_3f+p<5v%}M-*c_dnYj|kN3lgWKs1W5{75BM!`JkQ9b)%!uG(k;J5 zImbM=jz~U|Qk97xpjY_7$dQ%AISRfo?+ZWFs^9v1f|m-@sKDTG5%&b5D2^@tXO)IK zDn8t>F(FnH9TE|UC#6?gnq^PC5RC>l&zthxDaK2A|7^8O)-dtL)G%iZY4faq`OMhD zHSV^wb%R^T@E(I!90^(2J{)qkigghej0^vm)K2zYsjtWvS_H4;Ob;J&V=%qDKZ*Iv zgIB+0Hc9mGqj`gTseHnmM`IuC2g;&ne%q&>vB@U90SW0*Uz-{GV^kC;0>*wFH!5^Q zpZa+HF_hi@h&E10mkv)xrmeAmvK$pH9@z8qx~^*${p~xU{{Ri)sRvoi&20`!&|d&V zS@5$Zjyv?&qU%Td3}A+D)62g$Le%uTdk9td(SGeYW1%D!h*PSIJ)gqws{anhoZjbD z`?1Ys851eC5puy4*jRv)>B@foS%-E-6?(1?QGtMbHA?~xz%5n%q=EX$J|D~cd2ru-33v)eb9dwB|Fl<42iI%&hB8Pw83N^hcPbMbKXIESDBLIS zHk*>wv+0tVnIN7hMiyf1=ty=ZL8$5^g287kO`yA0TX9?Gq4w*Vl8Db|xeug$M*LE;lt;@O=r_RWCu z9#J}18|`ZzQ0S}3!UxBVIFER#!PP}bP9R;II(rW6qn?$GJ?KhgHBj%ZQ8!hK*)`B5 
zG8(~ox9LG}JQ9=Vw%@gjhSJ3zp;NP!Gw=6A%85$X_3U1Mr3=Ibo^kI=xAJI63>VgY zTSSS8L*c6qqDqQ=s@`$WjPZB+S2~G-H>r{BLNvg z)f4eg0XwZQNGIgDiTibQCbCNO6K542LLAz0zCKfNA^%aj;Nhq}4XGV-8u|I-P_EQD z8X_}x0K}1hL5Ae^2;dxg@q5hdDpb-ZJxYYCNkBY{9P|x?6(6ZQ=Gcpeu?0=`*($3~ zo+$)v-@?!jiJ2yUUVoHFqp6*o{_)Q<*pP^A4-0PumF@#bG|*Tv7!UYOG=@3^n$wko z$({!$sw`W>aA`?Pgem#5bS^JAF-*Gw>Fl{QeEKV)VqyY4T0v*|9M z5gEzb2asC7RKi-|Z>jE|S4u3}GFaC-daC2kgRYfF6&TmJKLkYnYA9b6T+9Kv$E=K! z=H{r;eb3Lfq!EG$dmaWV?hq?v;qW#FJ zgqR-=f6fyf5z2R-0s(CJNye!SxsPqXcrJUkQ$7H4)A^WjSgjarAv$InQ-o{qBC@h6vl0n5rE& z+$sBKrn0F`?Vs%y{;M@yGVNsUX*(vDGCJ@{qZJ@KxgrP;Sj0ijX5_QY{1->t5FHug{~ z9gCbShA@D+Rl!%I=WJl;RApCQFF^e#DUfG2}$&+e4NTHD;s495j2hE5sifUIP{ z`TlJw97+dIx)!KMQ~_jlnUA@8?yX}@Q#9Zesp{3)C@&!l9R)Ia6Ot%VVmndwYl_=$ zuj-9Eq}bA-E{RI}IabMkS)iyS!nFznXHCgRc6wDDPfaCQut+Xs>>yEf8 zZ8|wbOB)}cY?aK@Im^ZDo3>%NwR~Z+)!D`5LmV`B6$uIWn%oHO_8woqQ=fe;x?qt> z>ceSbJ1H3LnIu%^%-cMGV9s(ucr)Ov^lqpxdIWkas2=?O=vr)lGtp(QsHB37all5^ z+>h#>#L|Z?o1ZizO`qa5QO4$vw(~0QT+PB8)=NP%NV=PiBITAYNLsxjD=0h~4Rwh|B>Eavr5iA|OE%hcA#tRPmU#a=m&}qe}N9%MycnAz8BI;F^Qj^GF z7c7$_P!L^{rAZ{ef)ccQNzyzWk|btEPJ#D(!0qUb|0&n<9Aeo$4KQGmITuqd8dFha zS|*9Cf;2LJIX3ftlj0^-nvHB(h=alog9IM7Pe6zb;WO?*K@Fzm>|D(W=(f#mr!T?vdv%?Q>XLoh-fZC+|-< zPi7t{o1NbRFqv7y8RmyV;C*uz@h}A33x~R&!AsPCu0|vP8YLqzVD?wrq>m&Ixb$M6 zto|>cNSv9WyFRFRgGTa}Me5g)WN%PIKPvr;rW?4rA)KW>s8B%)0XTyaxGC`a>Q`qE zRxIt?HU(8;*u1{HsRHaT5}r`g%dL^N%xOd2a8i}WcfxwC+n80ga8*(0L|lNhSaaE0 zUU#~GZJ?dmP9;k1!;N1z0<4r6fyN7Wx4+EODgOEGVmcXN_5G~anDTrh|oqfluD+>5w8 zL=ub@xLt)P@!yNWm@e#*WvGDvy4+PZ7dwc5Vf&&Fjr;+n4NN)HfxgBJ*&L{=%i;as zUf28lhqos_sDo|(h}Nh)pL`pDe}pq-Zc2Gy`%yGpU;Agz2ITiTy?DW9WM>4JEf^ft z0@>Jb6G<>p`#L1U?EX}lWV&8kRGjQ-q;f3&YyT$8FES=*wiR$?^ia;}b(cgsIY4LSVOwI0fioxbkb2WdCn=oUnoT=ii z0HZg({!)p(fx)d@mnSEPme`F>CZEqNEuMP~F3G&X(fX{JLh7=VMogjcQD2o2oM5Gx zq;74}3=V4b+N5^C?Ai$b?Ilb+w%eqCRyKrgTd>71VgobT)efF!5?<7h4EJKmV{=eD zd!P?V4GP5$OqtYPIL*;hBfT;%me@pGVji58O084c*3&Q<^{vI&?^1K2)`G4Agvu&r zUE5I{@*V>sS4sEbZ8KR|i?sDU2~IbTK*Vfeb)4|3>0^FD={1azXli9KLq~dgM=yC;GdFg4IAUXUcW*^;X9_Jo 
zAaH4REpRe5HXvA3QEOE}AVG0ecR^JzIcs%dacEXBc{oi*Mt@~TR!eJlSX4<)O-^b! zWm9TeZERIxVpIxhH)KU+Vr)llVRkEQN=+|kdPQq+b2MvjcUp0IV@g$XZf;^qIa6n7 zW?2d?J|J*ub}eu+H8vnxMrUbBcOXG}aA+}2PFGEKF*i_dF=tmu0*Sw&AdXgO^wQ)E?fP(eWoEj}P{ zX?87eGBq|JT1IDSNp~PYY)x%-RWN2uM=*GJL1u7aWJXJWQdMwSdTUW}X-6wjVM%B+ zN_A;vX=QS53OIC9O>$a6X+ttkWL0D^bYn(NW@J`EbxT2FYEL*$MP@d3MN~B~F*#vT z3N1b$GdnY3SVwd^EoX9NVRK~)Pj^meO-W2uV{BAGNN!3nP)>YL(2hrV-+gnXZ!_@?fdr#}0+jc&;Bxogj<BmfOg2R4nU1=5sfB?JasQFg&+9t^qh61s_k3L%v(Wd5t?AXt?;pjKh zyfAH{JF5MKxWY)1{CwrhVl>kxG9dDN{im8IIXT@PW1?yqD`#Z^!5M2u= zz_5fhhW3w4vG(B&6`Ivf+X+4Cz^Y5?%x@$mq6x=4mzVP~ioR`#p zH}zXrYpSO%I^|9OJZ-Y&o%YK%SC+^^x@T{^^>jPiDk6|FC8Jc+6FW3PsyrpNcqEO5 z+|!RkHlWILXE+mMcwd=M@UA(XUS9MPfaQ5KrL|BcN;p^R5M?E5cT+b9!k{%`$)~$2 zC^r<+mH>ucK$&7_ZE+LrP*oe-R)TSVy=UsUgOS`Kor*qJf0sP=41$yzF>4#Y28*Zx z!kHlexA)h@N$oBrDc|{?b{2R}ifR0IE}oDbwkOPj1E7@@I{6WnPyK@GQfZ4Mf0*Hc?jt25|2peP2}yQFr~+>GE%bqx0|Gd+v5SYl z>ekqNEI5S$Yv+xd0v05yx+J;p!}Aq z$8BjGvtPz(0jgOn(71YaLZ&T$QH0PMy;E&4QVpgHA@+`DdFz5n?6%;80I;H~7CH=D zoujXEl_~WxkBXH*^Qz(rpJ|YLf^-O;*_REXI-p)VzuMwH!t%&(Ce{wY&PGk{0=j&M zLW1x^fz?EJqN8ba#eUJ>{7KH_=o7z_wtbpz|?S+hG%B$CM!?Hq}^fvCmVf$f!KLCEjL(gg& zUPqemcXKD&yHWg{hxl?ATbMf^_#QrV`F~J6(Ypg5Y9l&UwRsP0Dw($qq}AlHfc{|_ z+vej;H+DMZ_V(~BcVnhiH%p@MN|64~iQu~!Qzo+`rD?$uZvbC^0RUr{;Lm)Wsq`cQ zn&OMO;lY}L2sd~o&?YO`g26(6+J3gz7xXM-vECnhDj)e_%?h(33?4NKDnJ1DG>jXZ z!8@kRRpjwJ<*za@D;Q0RPvq?Z+h+7rShAn-{A+_!97_F`0$C8)I-qSB)AB)i5qsZ` zuhWbE3xdv7n0FU{rdQiDRTo<%pU&2Sfsj1=w0I1$(5B2}&fGrFrgh7QXxH!xcTFdL z0ue4)p~^~OKr$I32h`JLJAmO5bKXfYO% zXP`A>kE>-@ZOSt`B2SYO{tu#3sUFRP3<3cp8^mLOAvh>qmP%5ha^=$25}sh0;$M6k zkp=AK;eD0m2Pm}mA}gV?tTH4&X(wg>{y<%CaxnbBLTX4*mN4M>pDQxr!vhUQ;*HNA z)?iJlZ(ol_D!x@R61}= zJL}4Sauk5YjVi$s{0NB~K2}6MOdh6rLFI+|W|UghHO8-tK<2ky5jY@+pv~+I_q^hs z&7!plEpMHe6v)O|+hPVgUi|V^(&qA%uAw9SB-yG&h&)OFKK2x#J)&+X3mpmNxiN=p z|CbN&7Rw-*M1T?R_T*U~ege*T(-9+L}*^-f%;D63 zoJ{?Nd)&%^I{nl<+cE{r=^-@v%^qzADA@sk&6s}%xX!E z7e&k|wKr>rteR1+=hxmG@@qX%;b?$=wMKBeL{k&a@x5^Bex$=u0=bMU{yb@hq7GC_ z`-X5%Xj^V5^^#R$OmR1|*G_r*D(4O-rMNtJ-4Ek^xPOx 
zf@_jg#~vsF%nIbp8gz53=c9T}9y-HF<>e$8<+G5ZY_a=aK?JFfq5rFY=1uD3a1%`j>BBJ;$X z?AmhmXVV)**ERy^I%8G54{onXwKOKer7?X4A*!G6)^WZO%5gh_CYwV{g~o<;`eIke zeg+AoaPY25OE2=@S||^HT87;A(v21p_G#t$=9N6^1x5Z7KFHXzH?14TDF@|d30NW! zf`gB~8%p8sYCq{36`8h$JL9n@K$pj-dxB($@0X0)u(muGw0`2takzHf_#hvF{PWlQ zW2(vN7}LfAPA;$ePv`IvV~4B$nCz2>X>CqXQKB)EaUaR|18LHK0wa<%x_1kLMj!yG z%RecuJFHg?0ft22{5QK&F+?oE#NIU=8~3qCw|x4S`X~E;31EIf&g6bvE+7EY*AHgK zfFQ{$@p50{+lXp2O)M@@b+bAtjsYb{kAAcDiODA1!z8sdwgb~?DTkdjo5YaM&bTGx zgc}mtqIF`uD;zU_J29U)WKeL`diLHD>;!=-sJULepcSHxc=7W~OqC+W{#W@CV9!tE z8ce_Mb>e7uyt*F;f!zPmz5CqYal5b)nU&-KkNa2sHwU( z#MpzWU!7q$x!SVymhAN-@YhB;AZTRkIYH0iuVax)`)k2}Kbfl)!`0j8ygYsA+I1;C zzf*l$Be4wU7pHgW=`PCx%?k7u7CM&ipUN{viGF~JBB3Xb@6P=kz5a!T(eJqMdKWoh z#Btnrp`<6RB|Xm-7)RY#G0wB@+>oO{>hA=exy+1eM2d)D@8Hur0S;^ZQIm#?1dUuW zq8;~~c+LEOL>k)@N!3EOh@|F)4uR(%T#vf-Af#3i$*bIhMWyS2$Q-hV%yjBf?jPlD zAT`CoYy-i{%8J?XwjqIngdzs?4%#it+CA#c94wiB?&mubEGX}VU1)xWRefa#MB#3K z$vIAy8Q0mwMekaegR;RG4TAVZx-+-aR28HcgX(5~fhJgERN+>7xi`G(B!_3$^qTr- zZEEt8m&{z5;hkL!jXZ>&S~Z2jqw7O`H3_Uywrc>>03ogP;7t){9%LN+aVLc~0PwsH z2je=VZ~|3?AcXf6)`w;@G55G21WY{CKFFPX9qjDxC|6t9GF}n&g~a62xj#lWD7Ncq z;@S>>WeiaB+V{akqw;axz(yin2fY^@3LdNPZ7cR^H{;Eu$Z}t-${}%o>=$>0XkH@GlT0_nOQ7zc z%0kCqU@E~H=&n=aCer@t!I-ONmR%bOpZ`vO%<_z-wmHVYq$g#X;~Z&94FK)sO?}O>vbjJ z`<%4V>v*(^FKF5fn1s{$XJHdeu+9$q401pXq`vpQkW&)yZPRVx&)L1Vruj$9jPZeg zxaCWTCL6xzcCos+^6MFqrcCKWxNZbNBH$>xWOT`q!*NtV&`|A$Jns0~HB@7| zRDy%QvgQw}%_zy8>74&%K+NLe?n(a}!Vn?TycCSe?wQ%H4WB3hGfieiLl_Y-MQ!As zH6TkmR+f@%?y^)5sP+