From fe40fbf6b20969094cafc4b73eab17da5d409635 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Moritz=20B=C3=B6hme?=
Date: Sun, 6 Apr 2025 10:58:33 +0200
Subject: [PATCH] test: add local dev authelia
---
 Makefile | 41 +
 dev/authelia/config/configuration.yml | 1693 ++++++++++++++++++++++++
 dev/authelia/config/db.sqlite3 | Bin 0 -> 376832 bytes
 dev/authelia/config/notification.txt | 0
 dev/authelia/config/users_database.yml | 37 +
 flake.nix | 2 +
 lib/putzplan/accounts/user.ex | 6 +-
 7 files changed, 1776 insertions(+), 3 deletions(-)
 create mode 100644 Makefile
 create mode 100644 dev/authelia/config/configuration.yml
 create mode 100644 dev/authelia/config/db.sqlite3
 create mode 100644 dev/authelia/config/notification.txt
 create mode 100644 dev/authelia/config/users_database.yml
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..ef4298d
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,41 @@
+SHELL := bash
+.ONESHELL:
+.SHELLFLAGS := -eu -o pipefail -c
+.DELETE_ON_ERROR:
+MAKEFLAGS += --warn-undefined-variables
+MAKEFLAGS += --no-builtin-rules
+
+PWD := $(shell pwd)
+AUTHELIA_HOME := ${PWD}/dev/authelia
+AUTHELIA_CONFIG := ${AUTHELIA_HOME}/config/configuration.yml
+
+AUTHELIA_LOG := ${PWD}/tmp/authelia.log
+AUTHELIA_PID := ${PWD}/tmp/authelia.pid
+
+.PHONY: clean
+clean: authelia-stop
+ rm -rf ${AUTHELIA_LOG}
+
+.PHONY: authelia-restart
+authelia-restart:
+ ${MAKE} authelia-stop
+ ${MAKE} authelia-start
+
+.PHONY: authelia-start
+authelia-start: ${AUTHELIA_PID}
+
+${AUTHELIA_PID}: ${AUTHELIA_CONFIG}
+ mkdir -p ${AUTHELIA_HOME}/tmp/
+ cd ${AUTHELIA_HOME}
+ authelia --config ${AUTHELIA_CONFIG} &> ${AUTHELIA_LOG} &
+ echo $$! > ${AUTHELIA_PID}
+
+.PHONY: authelia-log
+authelia-log:
+ less ${AUTHELIA_LOG}
+
+.PHONY: authelia-stop
+authelia-stop: PID = $(shell cat ${AUTHELIA_PID})
+authelia-stop:
+ rm -rf ${AUTHELIA_PID}
+ kill -9 ${PID}
diff --git a/dev/authelia/config/configuration.yml b/dev/authelia/config/configuration.yml
new file mode 100644
index 0000000..366ed3c
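Review bot: The `${AUTHELIA_PID}` recipe creates `${AUTHELIA_HOME}/tmp/`, but `AUTHELIA_LOG` and `AUTHELIA_PID` are defined under `${PWD}/tmp/`, so on a checkout without a top-level `tmp/` the `&> ${AUTHELIA_LOG}` redirect fails, the backgrounded job exits at once and `echo $$! > ${AUTHELIA_PID}` still records the PID of a process that is already gone; `mkdir -p $(dir ${AUTHELIA_PID})` is the directory that actually has to exist. In `authelia-stop`, `PID = $(shell cat ${AUTHELIA_PID})` yields an empty value when the pid file is missing, and `kill -9 ${PID}` then fails under `-eu`, which makes `clean` and `authelia-restart` fail whenever Authelia is not running; since the recorded PID is never checked against a live Authelia process, a stale file can also SIGKILL an unrelated process that reused that number. A guarded graceful stop, `test -f ${AUTHELIA_PID} && kill "$$(cat ${AUTHELIA_PID})" || true` followed by `rm -f ${AUTHELIA_PID}`, keeps both targets idempotent and lets Authelia shut down cleanly instead of being killed with `-9`. A short header comment stating that these targets are for local development only and that `authelia-start` depends on the pid file as a sentinel (a stale file makes it a no-op) would also help the next reader.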
--- /dev/null
+++ b/dev/authelia/config/configuration.yml
@@ -0,0 +1,1693 @@ +# yamllint disable rule:comments-indentation +--- +############################################################################### +## Authelia Configuration ## +############################################################################### + +## +## Notes: +## +## - the default location of this file is assumed to be configuration.yml unless otherwise noted +## - when using docker the container expects this by default to be at /config/configuration.yml +## - the default location where this file is loaded from can be overridden with the X_AUTHELIA_CONFIG environment var +## - the comments in this configuration file are helpful but users should consult the official documentation on the +## website at https://www.authelia.com/ or https://www.authelia.com/configuration/prologue/introduction/ +## - this configuration file template is not automatically updated +## + +## Certificates directory specifies where Authelia will load trusted certificates (public portion) from in addition to +## the system certificates store. +## They should be in base64 format, and have one of the following extensions: *.cer, *.crt, *.pem. +# certificates_directory: '/config/certificates/' + +## The theme to display: light, dark, grey, auto. +# theme: 'light' + +## Set the default 2FA method for new users and for when a user has a preferred method configured that has been +## disabled. This setting must be a method that is enabled. +## Options are totp, webauthn, mobile_push. +# default_2fa_method: '' + +## +## Server Configuration +## +# server: + ## The address for the Main server to listen on in the address common syntax. + ## Formats: + ## - [://][:][/] + ## - [://][hostname]:[/] + ## Square brackets indicate optional portions of the format. Scheme must be 'tcp', 'tcp4', 'tcp6', 'unix', or 'fd'. + ## The default scheme is 'unix' if the address is an absolute path otherwise it's 'tcp'. The default port is '9091'. 
+ ## If the path is specified this configures the router to handle both the `/` path and the configured path. + # address: 'tcp://:9091/' + + ## Set the path on disk to Authelia assets. + ## Useful to allow overriding of specific static assets. + # asset_path: '/config/assets/' + + ## Disables writing the health check vars to /app/.healthcheck.env which makes healthcheck.sh return exit code 0. + ## This is disabled by default if either /app/.healthcheck.env or /app/healthcheck.sh do not exist. + # disable_healthcheck: false + + ## Authelia by default doesn't accept TLS communication on the server port. This section overrides this behaviour. + # tls: + ## The path to the DER base64/PEM format private key. + # key: '' + + ## The path to the DER base64/PEM format public certificate. + # certificate: '' + + ## The list of certificates for client authentication. + # client_certificates: [] + + ## Server headers configuration/customization. + # headers: + + ## The CSP Template. Read the docs. + # csp_template: '' + + ## Server Buffers configuration. + # buffers: + + ## Buffers usually should be configured to be the same value. + ## Explanation at https://www.authelia.com/c/server#buffer-sizes + ## Read buffer size adjusts the server's max incoming request size in bytes. + ## Write buffer size does the same for outgoing responses. + + ## Read buffer. + # read: 4096 + + ## Write buffer. + # write: 4096 + + ## Server Timeouts configuration. + # timeouts: + + ## Read timeout in the duration common syntax. + # read: '6 seconds' + + ## Write timeout in the duration common syntax. + # write: '6 seconds' + + ## Idle timeout in the duration common syntax. + # idle: '30 seconds' + + ## Server Endpoints configuration. + ## This section is considered advanced and it SHOULD NOT be configured unless you've read the relevant documentation. + # endpoints: + ## Enables the pprof endpoint. + # enable_pprof: false + + ## Enables the expvars endpoint. 
+ # enable_expvars: false + + ## Configure the authz endpoints. + # authz: + # forward-auth: + # implementation: 'ForwardAuth' + # authn_strategies: [] + # ext-authz: + # implementation: 'ExtAuthz' + # authn_strategies: [] + # auth-request: + # implementation: 'AuthRequest' + # authn_strategies: [] + # legacy: + # implementation: 'Legacy' + # authn_strategies: [] + +## +## Log Configuration +## +# log: + ## Level of verbosity for logs: info, debug, trace. + # level: 'debug' + + ## Format the logs are written as: json, text. + # format: 'json' + + ## File path where the logs will be written. If not set logs are written to stdout. + # file_path: '/config/authelia.log' + + ## Whether to also log to stdout when a log_file_path is defined. + # keep_stdout: false + +## +## Telemetry Configuration +## +# telemetry: + + ## + ## Metrics Configuration + ## + # metrics: + ## Enable Metrics. + # enabled: false + + ## The address for the Metrics server to listen on in the address common syntax. + ## Formats: + ## - [://][:][/] + ## - [://][hostname]:[/] + ## Square brackets indicate optional portions of the format. Scheme must be 'tcp', 'tcp4', 'tcp6', 'unix', or 'fd'. + ## The default scheme is 'unix' if the address is an absolute path otherwise it's 'tcp'. The default port is '9959'. + ## If the path is not specified it defaults to `/metrics`. + # address: 'tcp://:9959/metrics' + + ## Metrics Server Buffers configuration. + # buffers: + + ## Read buffer. + # read: 4096 + + ## Write buffer. + # write: 4096 + + ## Metrics Server Timeouts configuration. + # timeouts: + + ## Read timeout in the duration common syntax. + # read: '6 seconds' + + ## Write timeout in the duration common syntax. + # write: '6 seconds' + + ## Idle timeout in the duration common syntax. + # idle: '30 seconds' + +## +## TOTP Configuration +## +## Parameters used for TOTP generation. +# totp: + ## Disable TOTP. 
+ # disable: false + + ## The issuer name displayed in the Authenticator application of your choice. + # issuer: 'authelia.com' + + ## The TOTP algorithm to use. + ## It is CRITICAL you read the documentation before changing this option: + ## https://www.authelia.com/c/totp#algorithm + # algorithm: 'SHA1' + + ## The number of digits a user has to input. Must either be 6 or 8. + ## Changing this option only affects newly generated TOTP configurations. + ## It is CRITICAL you read the documentation before changing this option: + ## https://www.authelia.com/c/totp#digits + # digits: 6 + + ## The period in seconds a Time-based One-Time Password is valid for. + ## Changing this option only affects newly generated TOTP configurations. + # period: 30 + + ## The skew controls number of Time-based One-Time Passwords either side of the current one that are valid. + ## Warning: before changing skew read the docs link below. + # skew: 1 + ## See: https://www.authelia.com/c/totp#input-validation to read + ## the documentation. + + ## The size of the generated shared secrets. Default is 32 and is sufficient in most use cases, minimum is 20. + # secret_size: 32 + + ## The allowed algorithms for a user to pick from. + # allowed_algorithms: + # - 'SHA1' + + ## The allowed digits for a user to pick from. + # allowed_digits: + # - 6 + + ## The allowed periods for a user to pick from. + # allowed_periods: + # - 30 + + ## Disable the reuse security policy which prevents replays of one-time password code values. + # disable_reuse_security_policy: false + +## +## WebAuthn Configuration +## +## Parameters used for WebAuthn. +# webauthn: + ## Disable WebAuthn. + # disable: false + + ## Enables logins via a Passkey. + # enable_passkey_login: false + + ## The display name the browser should show the user for when using WebAuthn to login/register. + # display_name: 'Authelia' + + ## Conveyance preference controls if we collect the attestation statement including the AAGUID from the device. 
+ ## Options are none, indirect, direct. + # attestation_conveyance_preference: 'indirect' + + ## The interaction timeout for WebAuthn dialogues in the duration common syntax. + # timeout: '60 seconds' + + ## Authenticator Filtering. + # filtering: + ## Prohibits registering Authenticators that claim they can export their credentials in some way. + # prohibit_backup_eligibility: false + + ## Permitted AAGUID's. If configured specifically only allows the listed AAGUID's. + # permitted_aaguids: [] + + ## Prohibited AAGUID's. If configured prohibits the use of specific AAGUID's. + # prohibited_aaguids: [] + + ## Selection Criteria controls the preferences for registration. + # selection_criteria: + ## The attachment preference. Either 'cross-platform' for dedicated authenticators, or 'platform' for embedded + ## authenticators. + # attachment: 'cross-platform' + + ## The discoverability preference. Options are 'discouraged', 'preferred', and 'required'. + # discoverability: 'discouraged' + + ## User verification controls if the user must make a gesture or action to confirm they are present. + ## Options are required, preferred, discouraged. + # user_verification: 'preferred' + + ## Metadata Service validation via MDS3. + # metadata: + + ## Enable the metadata fetch behaviour. + # enabled: false + + ## Enable Validation of the Trust Anchor. This generally should be enabled if you're using the metadata. It + ## ensures the attestation certificate presented by the authenticator is valid against the MDS3 certificate that + ## issued the attestation certificate. + # validate_trust_anchor: true + + ## Enable Validation of the Entry. This ensures that the MDS3 actually contains the metadata entry. If not enabled + ## attestation certificates which are not formally registered will be skipped. This may potentially exclude some + ## virtual authenticators. + # validate_entry: true + + ## Enabling this allows attestation certificates with a zero AAGUID to pass validation. 
This is important if you do + ## use non-conformant authenticators like Apple ID. + # validate_entry_permit_zero_aaguid: false + + ## Enable Validation of the Authenticator Status. + # validate_status: true + + ## List of statuses which are considered permitted when validating an authenticator's metadata. Generally it is + ## recommended that this is not configured as any other status the authenticator's metadata has will result in an + ## error. This option is ineffectual if validate_status is false. + # validate_status_permitted: ~ + + ## List of statuses that should be prohibited when validating an authenticator's metadata. Generally it is + ## recommended that this is not configured as there are safe defaults. This option is ineffectual if validate_status + ## is false, or validate_status_permitted has values. + # validate_status_prohibited: ~ + +## +## Duo Push API Configuration +## +## Parameters used to contact the Duo API. Those are generated when you protect an application of type +## "Partner Auth API" in the management panel. +# duo_api: + # disable: false + # hostname: 'api-123456789.example.com' + # integration_key: 'ABCDEF' + ## Secret can also be set using a secret: https://www.authelia.com/c/secrets + # secret_key: '1234567890abcdefghifjkl' + # enable_self_enrollment: false + +## +## Identity Validation Configuration +## +## This configuration tunes the identity validation flows. +identity_validation: + + ## Reset Password flow. Adjusts how the reset password flow operates. + reset_password: + ## Maximum allowed time before the JWT is generated and when the user uses it in the duration common syntax. + # jwt_lifespan: '5 minutes' + + ## The algorithm used for the Reset Password JWT. + # jwt_algorithm: 'HS256' + + ## The secret key used to sign and verify the JWT. + jwt_secret: 'a_very_important_secret' + + ## Elevated Session flows. Adjusts the flow which require elevated sessions for example managing credentials, adding, + ## removing, etc. 
+ # elevated_session: + ## Maximum allowed lifetime after the One-Time Code is generated that it is considered valid. + # code_lifespan: '5 minutes' + + ## Maximum allowed lifetime after the user uses the One-Time Code and the user must perform the validation again in + ## the duration common syntax. + # elevation_lifespan: '10 minutes' + + ## Number of characters the one-time password contains. + # characters: 8 + + ## In addition to the One-Time Code requires the user performs a second factor authentication. + # require_second_factor: false + + ## Skips the elevation requirement and entry of the One-Time Code if the user has performed second factor + ## authentication. + # skip_second_factor: false + +## +## NTP Configuration +## +## This is used to validate the servers time is accurate enough to validate TOTP. +# ntp: + ## The address of the NTP server to connect to in the address common syntax. + ## Format: [://][:]. + ## Square brackets indicate optional portions of the format. Scheme must be 'udp', 'udp4', or 'udp6'. + ## The default scheme is 'udp'. The default port is '123'. + # address: 'udp://time.cloudflare.com:123' + + ## NTP version. + # version: 4 + + ## Maximum allowed time offset between the host and the NTP server in the duration common syntax. + # max_desync: '3 seconds' + + ## Disables the NTP check on startup entirely. This means Authelia will not contact a remote service at all if you + ## set this to true, and can operate in a truly offline mode. + # disable_startup_check: false + + ## The default of false will prevent startup only if we can contact the NTP server and the time is out of sync with + ## the NTP server more than the configured max_desync. If you set this to true, an error will be logged but startup + ## will continue regardless of results. + # disable_failure: false + +## +## Definitions +## +## The definitions are used in other areas as reference points to reduce duplication. 
+## +# definitions: + ## The user attribute definitions. + # user_attributes: + ## The name of the definition. + # definition_name: + ## The common expression language expression for this definition. + # expression: '' + + ## The network definitions. + # network: + ## The name of the definition followed by the list of CIDR network addresses in this definition. + # internal: + # - '10.10.0.0/16' + # - '172.16.0.0/12' + # - '192.168.2.0/24' + # VPN: + # - '10.9.0.0/16' + +## +## Authentication Backend Provider Configuration +## +## Used for verifying user passwords and retrieve information such as email address and groups users belong to. +## +## The available providers are: `file`, `ldap`. You must use only one of these providers. +authentication_backend: + ## Password Change Options. + # password_change: + ## Disable both the HTML element and the API for password change functionality. + # disable: false + ## Password Reset Options. + # password_reset: + ## Disable both the HTML element and the API for reset password functionality. + # disable: false + + ## External reset password url that redirects the user to an external reset portal. This disables the internal reset + ## functionality. + # custom_url: '' + + ## The amount of time to wait before we refresh data from the authentication backend in the duration common syntax. + ## To disable this feature set it to 'disable', this will slightly reduce security because for Authelia, users will + ## always belong to groups they belonged to at the time of login even if they have been removed from them in LDAP. + ## To force update on every request you can set this to '0' or 'always', this will increase processor demand. + ## See the below documentation for more information. 
+ ## Refresh Interval docs: https://www.authelia.com/c/1fa#refresh-interval + # refresh_interval: '5 minutes' + + ## + ## LDAP (Authentication Provider) + ## + ## This is the recommended Authentication Provider in production + ## because it allows Authelia to offload the stateful operations + ## onto the LDAP service. + # ldap: + ## The address of the directory server to connect to in the address common syntax. + ## Format: [://][:]. + ## Square brackets indicate optional portions of the format. Scheme must be 'ldap', 'ldaps', or 'ldapi`. + ## The default scheme is 'ldapi' if the address is an absolute path otherwise it's 'ldaps'. + ## The default port is '636', unless the scheme is 'ldap' in which case it's '389'. + # address: 'ldaps://127.0.0.1:636' + + ## The LDAP implementation, this affects elements like the attribute utilised for resetting a password. + ## Acceptable options are as follows: + ## - 'activedirectory' - for Microsoft Active Directory. + ## - 'freeipa' - for FreeIPA. + ## - 'lldap' - for lldap. + ## - 'custom' - for custom specifications of attributes and filters. + ## This currently defaults to 'custom' to maintain existing behaviour. + ## + ## Depending on the option here certain other values in this section have a default value, notably all of the + ## attribute mappings have a default value that this config overrides, you can read more about these default values + ## at https://www.authelia.com/c/ldap#defaults + # implementation: 'custom' + + ## The dial timeout for LDAP in the duration common syntax. + # timeout: '20 seconds' + + ## Use StartTLS with the LDAP connection. + # start_tls: false + + ## TLS configuration. + # tls: + ## The server subject name to check the servers certificate against during the validation process. + ## This option is not required if the certificate has a SAN which matches the address options hostname. + # server_name: 'ldap.example.com' + + ## Skip verifying the server certificate entirely. 
In preference to setting this we strongly recommend you add the + ## certificate or the certificate of the authority signing the certificate to the certificates directory which is + ## defined by the `certificates_directory` option at the top of the configuration. + ## It's important to note the public key should be added to the directory, not the private key. + ## This option is strongly discouraged but may be useful in some self-signed situations where validation is not + ## important to the administrator. + # skip_verify: false + + ## Minimum TLS version for the connection. + # minimum_version: 'TLS1.2' + + ## Maximum TLS version for the connection. + # maximum_version: 'TLS1.3' + + ## The certificate chain used with the private_key if the server requests TLS Client Authentication + ## i.e. Mutual TLS. + # certificate_chain: | + # -----BEGIN CERTIFICATE----- + # ... + # -----END CERTIFICATE----- + # -----BEGIN CERTIFICATE----- + # ... + # -----END CERTIFICATE----- + + ## The private key used with the certificate_chain if the server requests TLS Client Authentication + ## i.e. Mutual TLS. + # private_key: | + # -----BEGIN RSA PRIVATE KEY----- + # ... + # -----END RSA PRIVATE KEY----- + + ## Connection Pooling configuration. + # pooling: + ## Enable Pooling. + # enable: false + + ## Pool count. + # count: 5 + + ## Retries to obtain a connection during the timeout. + # retries: 2 + + ## Timeout before the attempt to obtain a connection fails. + # timeout: '10 seconds' + + ## The distinguished name of the container searched for objects in the directory information tree. + ## See also: additional_users_dn, additional_groups_dn. + # base_dn: 'dc=example,dc=com' + + ## The additional_users_dn is prefixed to base_dn and delimited by a comma when searching for users. + ## i.e. with this set to OU=Users and base_dn set to DC=a,DC=com; OU=Users,DC=a,DC=com is searched for users. 
+ # additional_users_dn: 'ou=users' + + ## The users filter used in search queries to find the user profile based on input filled in login form. + ## Various placeholders are available in the user filter which you can read about in the documentation which can + ## be found at: https://www.authelia.com/c/ldap#users-filter-replacements + ## + ## Recommended settings are as follows: + ## - Microsoft Active Directory: (&({username_attribute}={input})(objectCategory=person)(objectClass=user)) + ## - OpenLDAP: + ## - (&({username_attribute}={input})(objectClass=person)) + ## - (&({username_attribute}={input})(objectClass=inetOrgPerson)) + ## + ## To allow sign in both with username and email, one can use a filter like + ## (&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person)) + # users_filter: '(&({username_attribute}={input})(objectClass=person))' + + ## The additional_groups_dn is prefixed to base_dn and delimited by a comma when searching for groups. + ## i.e. with this set to OU=Groups and base_dn set to DC=a,DC=com; OU=Groups,DC=a,DC=com is searched for groups. + # additional_groups_dn: 'ou=groups' + + ## The groups filter used in search queries to find the groups based on relevant authenticated user. + ## Various placeholders are available in the groups filter which you can read about in the documentation which can + ## be found at: https://www.authelia.com/c/ldap#groups-filter-replacements + ## + ## If your groups use the `groupOfUniqueNames` structure use this instead: + ## (&(uniqueMember={dn})(objectClass=groupOfUniqueNames)) + # groups_filter: '(&(member={dn})(objectClass=groupOfNames))' + + ## The group search mode to use. Options are 'filter' or 'memberof'. It's essential to read the docs if you wish to + ## use 'memberof'. Also 'filter' is the best choice for most use cases. + # group_search_mode: 'filter' + + ## Follow referrals returned by the server. 
+ ## This is especially useful for environments where read-only servers exist. Only implemented for write operations. + # permit_referrals: false + + ## The username and password of the admin user. + # user: 'cn=admin,dc=example,dc=com' + ## Password can also be set using a secret: https://www.authelia.com/c/secrets + # password: 'password' + + ## The attributes for users and objects from the directory server. + # attributes: + + ## The distinguished name attribute if your directory server supports it. Users should read the docs before + ## configuring. Only used for the 'memberof' group search mode. + # distinguished_name: '' + + ## The attribute holding the username of the user. This attribute is used to populate the username in the session + ## information. For your information, Microsoft Active Directory usually uses 'sAMAccountName' and OpenLDAP + ## usually uses 'uid'. Beware that this attribute holds the unique identifiers for the users binding the user and + ## the configuration stored in database; therefore only single value attributes are allowed and the value must + ## never be changed once attributed to a user otherwise it would break the configuration for that user. + ## Technically non-unique attributes like 'mail' can also be used but we don't recommend using them, we instead + ## advise to use a filter to perform alternative lookups and the attributes mentioned above + ## (sAMAccountName and uid) to follow https://datatracker.ietf.org/doc/html/rfc2307. + # username: 'uid' + + ## The attribute holding the display name of the user. This will be used to greet an authenticated user. + # display_name: 'displayName' + + ## The attribute holding the mail address of the user. If multiple email addresses are defined for a user, only + ## the first one returned by the directory server is used. + # mail: 'mail' + + ## The attribute which provides distinguished names of groups an object is a member of. + ## Only used for the 'memberof' group search mode. 
+ # member_of: 'memberOf' + + ## The attribute holding the name of the group. + # group_name: 'cn' + + ## + ## File (Authentication Provider) + ## + ## With this backend, the users database is stored in a file which is updated when users reset their passwords. + ## Therefore, this backend is meant to be used in a dev environment and not in production since it prevents Authelia + ## to be scaled to more than one instance. The options under 'password' have sane defaults, and as it has security + ## implications it is highly recommended you leave the default values. Before considering changing these settings + ## please read the docs page below: + ## https://www.authelia.com/r/passwords#tuning + ## + ## Important: Kubernetes (or HA) users must read https://www.authelia.com/t/statelessness + ## + file: + path: './config/users_database.yml' + watch: true + # search: + # email: false + # case_insensitive: false + # password: + # algorithm: 'argon2' + # argon2: + # variant: 'argon2id' + # iterations: 3 + # memory: 65536 + # parallelism: 4 + # key_length: 32 + # salt_length: 16 + # scrypt: + # iterations: 16 + # block_size: 8 + # parallelism: 1 + # key_length: 32 + # salt_length: 16 + # pbkdf2: + # variant: 'sha512' + # iterations: 310000 + # salt_length: 16 + # sha2crypt: + # variant: 'sha512' + # iterations: 50000 + # salt_length: 16 + # bcrypt: + # variant: 'standard' + # cost: 12 + +## +## Password Policy Configuration. +## +# password_policy: + + ## The standard policy allows you to tune individual settings manually. + # standard: + # enabled: false + + ## Require a minimum length for passwords. + # min_length: 8 + + ## Require a maximum length for passwords. + # max_length: 0 + + ## Require uppercase characters. + # require_uppercase: true + + ## Require lowercase characters. + # require_lowercase: true + + ## Require numeric characters. + # require_number: true + + ## Require special characters. 
+ # require_special: true + + ## zxcvbn is a well known and used password strength algorithm. It does not have tunable settings. + # zxcvbn: + # enabled: false + + ## Configures the minimum score allowed. + # min_score: 3 + +## +## Privacy Policy Configuration +## +## Parameters used for displaying the privacy policy link and drawer. +# privacy_policy: + + ## Enables the display of the privacy policy using the policy_url. + # enabled: false + + ## Enables the display of the privacy policy drawer which requires users accept the privacy policy + ## on a per-browser basis. + # require_user_acceptance: false + + ## The URL of the privacy policy document. Must be an absolute URL and must have the 'https://' scheme. + ## If the privacy policy enabled option is true, this MUST be provided. + # policy_url: '' + +## +## Access Control Configuration +## +## Access control is a list of rules defining the authorizations applied for one resource to users or group of users. +## +## If 'access_control' is not defined, ACL rules are disabled and the 'deny' rule is applied, i.e., access is denied +## to everyone. Otherwise restrictions follow the rules defined. +## +## Note: One can use the wildcard * to match any subdomain. +## It must stand at the beginning of the pattern. (example: *.example.com) +## +## Note: You must put patterns containing wildcards between simple quotes for the YAML to be syntactically correct. +## +## Definition: A 'rule' is an object with the following keys: 'domain', 'subject', 'policy' and 'resources'. +## +## - 'domain' defines which domain or set of domains the rule applies to. +## +## - 'subject' defines the subject to apply authorizations to. This parameter is optional and matching any user if not +## provided. If provided, the parameter represents either a user or a group. It should be of the form +## 'user:' or 'group:'. +## +## - 'policy' is the policy to apply to resources. It must be either 'bypass', 'one_factor', 'two_factor' or 'deny'. 
+## +## - 'resources' is a list of regular expressions that matches a set of resources to apply the policy to. This parameter +## is optional and matches any resource if not provided. +## +## Note: the order of the rules is important. The first policy matching (domain, resource, subject) applies. +access_control: + ## Default policy can either be 'bypass', 'one_factor', 'two_factor' or 'deny'. It is the policy applied to any + ## resource if there is no policy to be applied to the user. + default_policy: 'one_factor' + + # rules: + ## Rules applied to everyone + # - domain: 'public.example.com' + # policy: 'bypass' + + ## Domain Regex examples. Generally we recommend just using a standard domain. + # - domain_regex: '^(?P\w+)\.example\.com$' + # policy: 'one_factor' + # - domain_regex: '^(?P\w+)\.example\.com$' + # policy: 'one_factor' + # - domain_regex: + # - '^appgroup-.*\.example\.com$' + # - '^appgroup2-.*\.example\.com$' + # policy: 'one_factor' + # - domain_regex: '^.*\.example\.com$' + # policy: 'two_factor' + + # - domain: 'secure.example.com' + # policy: 'one_factor' + ## Network based rule, if not provided any network matches. 
+ # networks: + # - 'internal' + # - 'VPN' + # - '192.168.1.0/24' + # - '10.0.0.1' + + # - domain: + # - 'secure.example.com' + # - 'private.example.com' + # policy: 'two_factor' + + # - domain: 'singlefactor.example.com' + # policy: 'one_factor' + + ## Rules applied to 'admins' group + # - domain: 'mx2.mail.example.com' + # subject: 'group:admins' + # policy: 'deny' + + # - domain: '*.example.com' + # subject: + # - 'group:admins' + # - 'group:moderators' + # policy: 'two_factor' + + ## Rules applied to 'dev' group + # - domain: 'dev.example.com' + # resources: + # - '^/groups/dev/.*$' + # subject: 'group:dev' + # policy: 'two_factor' + + ## Rules applied to user 'john' + # - domain: 'dev.example.com' + # resources: + # - '^/users/john/.*$' + # subject: 'user:john' + # policy: 'two_factor' + + ## Rules applied to user 'harry' + # - domain: 'dev.example.com' + # resources: + # - '^/users/harry/.*$' + # subject: 'user:harry' + # policy: 'two_factor' + + ## Rules applied to user 'bob' + # - domain: '*.mail.example.com' + # subject: 'user:bob' + # policy: 'two_factor' + # - domain: 'dev.example.com' + # resources: + # - '^/users/bob/.*$' + # subject: 'user:bob' + # policy: 'two_factor' + +## +## Session Provider Configuration +## +## The session cookies identify the user once logged in. +## The available providers are: `memory`, `redis`. Memory is the provider unless redis is defined. +session: + ## The secret to encrypt the session data. This is only used with Redis / Redis Sentinel. + ## Secret can also be set using a secret: https://www.authelia.com/c/secrets + secret: 'insecure_session_secret' + + ## Cookies configures the list of allowed cookie domains for sessions to be created on. + ## Undefined values will default to the values below. + cookies: + - + # The name of the session cookie. + name: 'authelia_session' + + # The domain to protect. + # Note: the Authelia portal must also be in that domain. + domain: '127.0.0.1' + + # Required. 
The fully qualified URI of the portal to redirect users to on proxies that support redirections.
+ # Rules:
+ # - MUST use the secure scheme 'https://'
+ # - The above 'domain' option MUST either:
+ # - Match the host portion of this URI.
+ # - Match the suffix of the host portion when prefixed with '.'.
+ authelia_url: 'https://127.0.0.1:9091'
+
+ ## Optional. The fully qualified URI used as the redirection location if the portal is accessed directly. Not
+ ## configuring this option disables the automatic redirection behaviour.
+ ##
+ ## Note: this parameter is optional. If not provided, user won't be redirected upon successful authentication
+ ## unless they were redirected to Authelia by the proxy.
+ ##
+ ## Rules:
+ ## - MUST use the secure scheme 'https://'
+ ## - MUST not match the 'authelia_url' option.
+ ## - The above 'domain' option MUST either:
+ ## - Match the host portion of this URI.
+ ## - Match the suffix of the host portion when prefixed with '.'.
+ # default_redirection_url: 'https://www.example.com'
+
+ ## Sets the Cookie SameSite value. Possible options are none, lax, or strict.
+ ## Please read https://www.authelia.com/c/session#same_site
+ # same_site: 'lax'
+
+ ## The value for inactivity, expiration, and remember_me are in seconds or the duration common syntax.
+ ## All three of these values affect the cookie/session validity period. Longer periods are considered less secure
+ ## because a stolen cookie will last longer giving attackers more time to spy or attack.
+
+ ## The inactivity time before the session is reset. If expiration is set to 1h, and this is set to 5m, if the user
+ ## does not select the remember me option their session will get destroyed after 1h, or after 5m since the last
+ ## time Authelia detected user activity.
+ # inactivity: '5 minutes'
+
+ ## The time before the session cookie expires and the session is destroyed if remember me IS NOT selected by the
+ ## user.
+ # expiration: '1 hour'
+
+ ## The time before the cookie expires and the session is destroyed if remember me IS selected by the user. Setting
+ ## this value to -1 disables remember me for this session cookie domain. If allowed and the user uses the remember
+ ## me checkbox this overrides the expiration option and disables the inactivity option.
+ # remember_me: '1 month'
+
+ ## Cookie Session Domain default 'name' value.
+ # name: 'authelia_session'
+
+ ## Cookie Session Domain default 'same_site' value.
+ # same_site: 'lax'
+
+ ## Cookie Session Domain default 'inactivity' value.
+ # inactivity: '5m'
+
+ ## Cookie Session Domain default 'expiration' value.
+ # expiration: '1h'
+
+ ## Cookie Session Domain default 'remember_me' value.
+ # remember_me: '1M'
+
+ ##
+ ## Redis Provider
+ ##
+ ## Important: Kubernetes (or HA) users must read https://www.authelia.com/t/statelessness
+ ##
+ # redis:
+ # host: '127.0.0.1'
+ # port: 6379
+ ## Use a unix socket instead
+ # host: '/var/run/redis/redis.sock'
+
+ ## The connection timeout in the duration common syntax.
+ # timeout: '5 seconds'
+
+ ## The maximum number of retries on a failed command. Set it to 0 to disable retries.
+ # max_retries: 3
+
+ ## Username used for redis authentication. This is optional and a new feature in redis 6.0.
+ # username: 'authelia'
+
+ ## Password can also be set using a secret: https://www.authelia.com/c/secrets
+ # password: 'authelia'
+
+ ## This is the Redis DB Index https://redis.io/commands/select (sometimes referred to as database number, DB, etc).
+ # database_index: 0
+
+ ## The maximum number of concurrent active connections to Redis.
+ # maximum_active_connections: 8
+
+ ## The target number of idle connections to have open ready for work. Useful when opening connections is slow.
+ # minimum_idle_connections: 0
+
+ ## The Redis TLS configuration. If defined will require a TLS connection to the Redis instance(s).
+ # tls:
+ ## The server subject name to check the servers certificate against during the validation process.
+ ## This option is not required if the certificate has a SAN which matches the host option.
+ # server_name: 'myredis.example.com'
+
+ ## Skip verifying the server certificate entirely. In preference to setting this we strongly recommend you add the
+ ## certificate or the certificate of the authority signing the certificate to the certificates directory which is
+ ## defined by the `certificates_directory` option at the top of the configuration.
+ ## It's important to note the public key should be added to the directory, not the private key.
+ ## This option is strongly discouraged but may be useful in some self-signed situations where validation is not
+ ## important to the administrator.
+ # skip_verify: false
+
+ ## Minimum TLS version for the connection.
+ # minimum_version: 'TLS1.2'
+
+ ## Maximum TLS version for the connection.
+ # maximum_version: 'TLS1.3'
+
+ ## The certificate chain used with the private_key if the server requests TLS Client Authentication
+ ## i.e. Mutual TLS.
+ # certificate_chain: |
+ # -----BEGIN CERTIFICATE-----
+ # ...
+ # -----END CERTIFICATE-----
+ # -----BEGIN CERTIFICATE-----
+ # ...
+ # -----END CERTIFICATE-----
+
+ ## The private key used with the certificate_chain if the server requests TLS Client Authentication
+ ## i.e. Mutual TLS.
+ # private_key: |
+ # -----BEGIN RSA PRIVATE KEY-----
+ # ...
+ # -----END RSA PRIVATE KEY-----
+
+ ## The Redis HA configuration options.
+ ## This provides specific options to Redis Sentinel, sentinel_name must be defined (Master Name).
+ # high_availability:
+ ## Sentinel Name / Master Name.
+ # sentinel_name: 'mysentinel'
+
+ ## Specific username for Redis Sentinel. The node username and password is configured above.
+ # sentinel_username: 'sentinel_specific_user'
+
+ ## Specific password for Redis Sentinel. The node username and password is configured above.
+ # sentinel_password: 'sentinel_specific_pass'
+
+ ## The additional nodes to pre-seed the redis provider with (for sentinel).
+ ## If the host in the above section is defined, it will be combined with this list to connect to sentinel.
+ ## For high availability to be used you must have either defined; the host above or at least one node below.
+ # nodes:
+ # - host: 'sentinel-node1'
+ # port: 6379
+ # - host: 'sentinel-node2'
+ # port: 6379
+
+ ## Choose the host with the lowest latency.
+ # route_by_latency: false
+
+ ## Choose the host randomly.
+ # route_randomly: false
+
+##
+## Regulation Configuration
+##
+## This mechanism prevents attackers from brute forcing the first factor. It bans the user if too many attempts are made
+## in a short period of time.
+# regulation:
+ ## Regulation Mode.
+ # modes:
+ # - 'user'
+
+ ## The number of failed login attempts before user is banned. Set it to 0 to disable regulation.
+ # max_retries: 3
+
+ ## The time range during which the user can attempt login before being banned in the duration common syntax. The user
+ ## is banned if the authentication failed 'max_retries' times in a 'find_time' seconds window.
+ # find_time: '2 minutes'
+
+ ## The length of time before a banned user can login again in the duration common syntax.
+ # ban_time: '5 minutes'
+
+##
+## Storage Provider Configuration
+##
+## The available providers are: `local`, `mysql`, `postgres`. You must use one and only one of these providers.
+storage:
+ ## The encryption key that is used to encrypt sensitive information in the database. Must be a string with a minimum
+ ## length of 20. Please see the docs if you configure this with an undesirable key and need to change it, you MUST use
+ ## the CLI to change this in the database if you want to change it from a previously configured value.
+ encryption_key: 'you_must_generate_a_random_string_of_more_than_twenty_chars_and_configure_this'
+
+ ##
+ ## Local (Storage Provider)
+ ##
+ ## This stores the data in a SQLite3 Database.
+ ## This is only recommended for lightweight non-stateful installations.
+ ##
+ ## Important: Kubernetes (or HA) users must read https://www.authelia.com/t/statelessness
+ ##
+ local:
+ ## Path to the SQLite3 Database.
+ path: './config/db.sqlite3'
+
+ ##
+ ## MySQL / MariaDB (Storage Provider)
+ ##
+ # mysql:
+ ## The address of the MySQL server to connect to in the address common syntax.
+ ## Format: [://][:].
+ ## Square brackets indicate optional portions of the format. Scheme must be 'tcp', 'tcp4', 'tcp6', or 'unix`.
+ ## The default scheme is 'unix' if the address is an absolute path otherwise it's 'tcp'. The default port is '3306'.
+ # address: 'tcp://127.0.0.1:3306'
+
+ ## The database name to use.
+ # database: 'authelia'
+
+ ## The username used for SQL authentication.
+ # username: 'authelia'
+
+ ## The password used for SQL authentication.
+ ## Can also be set using a secret: https://www.authelia.com/c/secrets
+ # password: 'mypassword'
+
+ ## The connection timeout in the duration common syntax.
+ # timeout: '5 seconds'
+
+ ## MySQL TLS settings. Configuring this requires TLS.
+ # tls:
+ ## The server subject name to check the servers certificate against during the validation process.
+ ## This option is not required if the certificate has a SAN which matches the address options hostname.
+ # server_name: 'mysql.example.com'
+
+ ## Skip verifying the server certificate entirely. In preference to setting this we strongly recommend you add the
+ ## certificate or the certificate of the authority signing the certificate to the certificates directory which is
+ ## defined by the `certificates_directory` option at the top of the configuration.
+ ## It's important to note the public key should be added to the directory, not the private key.
+ ## This option is strongly discouraged but may be useful in some self-signed situations where validation is not
+ ## important to the administrator.
+ # skip_verify: false
+
+ ## Minimum TLS version for the connection.
+ # minimum_version: 'TLS1.2'
+
+ ## Maximum TLS version for the connection.
+ # maximum_version: 'TLS1.3'
+
+ ## The certificate chain used with the private_key if the server requests TLS Client Authentication
+ ## i.e. Mutual TLS.
+ # certificate_chain: |
+ # -----BEGIN CERTIFICATE-----
+ # ...
+ # -----END CERTIFICATE-----
+ # -----BEGIN CERTIFICATE-----
+ # ...
+ # -----END CERTIFICATE-----
+
+ ## The private key used with the certificate_chain if the server requests TLS Client Authentication
+ ## i.e. Mutual TLS.
+ # private_key: |
+ # -----BEGIN RSA PRIVATE KEY-----
+ # ...
+ # -----END RSA PRIVATE KEY-----
+
+ ##
+ ## PostgreSQL (Storage Provider)
+ ##
+ # postgres:
+ ## The address of the PostgreSQL server to connect to in the address common syntax.
+ ## Format: [://][:].
+ ## Square brackets indicate optional portions of the format. Scheme must be 'tcp', 'tcp4', 'tcp6', or 'unix`.
+ ## The default scheme is 'unix' if the address is an absolute path otherwise it's 'tcp'. The default port is '5432'.
+ # address: 'tcp://127.0.0.1:5432'
+
+ ## List of additional server instance configurations to fallback to when the primary instance is not available.
+ # servers:
+ # -
+ ## The Address of this individual instance.
+ # address: 'tcp://127.0.0.1:5432'
+
+ ## The TLS configuration for this individual instance.
+ # tls:
+ # server_name: 'postgres.example.com'
+ # skip_verify: false
+ # minimum_version: 'TLS1.2'
+ # maximum_version: 'TLS1.3'
+ # certificate_chain: |
+ # -----BEGIN CERTIFICATE-----
+ # ...
+ # -----END CERTIFICATE-----
+ # -----BEGIN CERTIFICATE-----
+ # ...
+ # -----END CERTIFICATE-----
+ # private_key: |
+ # -----BEGIN RSA PRIVATE KEY-----
+ # ...
+ # -----END RSA PRIVATE KEY-----
+
+ ## The database name to use.
+ # database: 'authelia'
+
+ ## The schema name to use.
+ # schema: 'public'
+
+ ## The username used for SQL authentication.
+ # username: 'authelia'
+
+ ## The password used for SQL authentication.
+ ## Can also be set using a secret: https://www.authelia.com/c/secrets
+ # password: 'mypassword'
+
+ ## The connection timeout in the duration common syntax.
+ # timeout: '5 seconds'
+
+ ## PostgreSQL TLS settings. Configuring this requires TLS.
+ # tls:
+ ## The server subject name to check the servers certificate against during the validation process.
+ ## This option is not required if the certificate has a SAN which matches the address options hostname.
+ # server_name: 'postgres.example.com'
+
+ ## Skip verifying the server certificate entirely. In preference to setting this we strongly recommend you add the
+ ## certificate or the certificate of the authority signing the certificate to the certificates directory which is
+ ## defined by the `certificates_directory` option at the top of the configuration.
+ ## It's important to note the public key should be added to the directory, not the private key.
+ ## This option is strongly discouraged but may be useful in some self-signed situations where validation is not
+ ## important to the administrator.
+ # skip_verify: false
+
+ ## Minimum TLS version for the connection.
+ # minimum_version: 'TLS1.2'
+
+ ## Maximum TLS version for the connection.
+ # maximum_version: 'TLS1.3'
+
+ ## The certificate chain used with the private_key if the server requests TLS Client Authentication
+ ## i.e. Mutual TLS.
+ # certificate_chain: |
+ # -----BEGIN CERTIFICATE-----
+ # ...
+ # -----END CERTIFICATE-----
+ # -----BEGIN CERTIFICATE-----
+ # ...
+ # -----END CERTIFICATE-----
+
+ ## The private key used with the certificate_chain if the server requests TLS Client Authentication
+ ## i.e. Mutual TLS.
+ # private_key: |
+ # -----BEGIN RSA PRIVATE KEY-----
+ # ...
+ # -----END RSA PRIVATE KEY-----
+
+##
+## Notification Provider
+##
+## Notifications are sent to users when they require a password reset, a WebAuthn registration or a TOTP registration.
+## The available providers are: filesystem, smtp. You must use only one of these providers.
+notifier:
+ ## You can disable the notifier startup check by setting this to true.
+ # disable_startup_check: false
+
+ #
+ # File System (Notification Provider)
+ #
+ # Important: Kubernetes (or HA) users must read https://www.authelia.com/t/statelessness
+ #
+ filesystem:
+ filename: './config/notification.txt'
+
+ ##
+ ## SMTP (Notification Provider)
+ ##
+ ## Use a SMTP server for sending notifications. Authelia uses the PLAIN or LOGIN methods to authenticate.
+ ## [Security] By default Authelia will:
+ ## - force all SMTP connections over TLS including unauthenticated connections
+ ## - use the disable_require_tls boolean value to disable this requirement
+ ## (only works for unauthenticated connections)
+ ## - validate the SMTP server x509 certificate during the TLS handshake against the hosts trusted certificates
+ ## (configure in tls section)
+ # smtp:
+ ## The address of the SMTP server to connect to in the address common syntax.
+ # address: 'smtp://127.0.0.1:25'
+
+ ## The connection timeout in the duration common syntax.
+ # timeout: '5 seconds'
+
+ ## The username used for SMTP authentication.
+ # username: 'test'
+
+ ## The password used for SMTP authentication.
+ ## Can also be set using a secret: https://www.authelia.com/c/secrets
+ # password: 'password'
+
+ ## The sender is used to is used for the MAIL FROM command and the FROM header.
+ ## If this is not defined and the username is an email, we use the username as this value. This can either be just
+ ## an email address or the RFC5322 'Name ' format.
+ # sender: 'Authelia '
+
+ ## HELO/EHLO Identifier. Some SMTP Servers may reject the default of localhost.
+ # identifier: 'localhost'
+
+ ## Subject configuration of the emails sent. {title} is replaced by the text from the notifier.
+ # subject: '[Authelia] {title}'
+
+ ## This address is used during the startup check to verify the email configuration is correct.
+ ## It's not important what it is except if your email server only allows local delivery.
+ # startup_check_address: 'test@authelia.com'
+
+ ## By default we require some form of TLS. This disables this check though is not advised.
+ # disable_require_tls: false
+
+ ## Disables sending HTML formatted emails.
+ # disable_html_emails: false
+
+ # tls:
+ ## The server subject name to check the servers certificate against during the validation process.
+ ## This option is not required if the certificate has a SAN which matches the address options hostname.
+ # server_name: 'smtp.example.com'
+
+ ## Skip verifying the server certificate entirely. In preference to setting this we strongly recommend you add the
+ ## certificate or the certificate of the authority signing the certificate to the certificates directory which is
+ ## defined by the `certificates_directory` option at the top of the configuration.
+ ## It's important to note the public key should be added to the directory, not the private key.
+ ## This option is strongly discouraged but may be useful in some self-signed situations where validation is not
+ ## important to the administrator.
+ # skip_verify: false
+
+ ## Minimum TLS version for the connection.
+ # minimum_version: 'TLS1.2'
+
+ ## Maximum TLS version for the connection.
+ # maximum_version: 'TLS1.3'
+
+ ## The certificate chain used with the private_key if the server requests TLS Client Authentication
+ ## i.e. Mutual TLS.
+ # certificate_chain: |
+ # -----BEGIN CERTIFICATE-----
+ # ...
+ # -----END CERTIFICATE-----
+ # -----BEGIN CERTIFICATE-----
+ # ...
+ # -----END CERTIFICATE-----
+
+ ## The private key used with the certificate_chain if the server requests TLS Client Authentication
+ ## i.e. Mutual TLS.
+ # private_key: |
+ # -----BEGIN RSA PRIVATE KEY-----
+ # ...
+ # -----END RSA PRIVATE KEY-----
+
+##
+## Identity Providers
+##
+identity_providers:
+
+ ##
+ ## OpenID Connect (Identity Provider)
+ ##
+ ## It's recommended you read the documentation before configuration of this section.
+ ## See: https://www.authelia.com/c/oidc/provider
+ oidc:
+ ## The hmac_secret is used to sign OAuth2 tokens (authorization code, access tokens and refresh tokens).
+ ## HMAC Secret can also be set using a secret: https://www.authelia.com/c/secrets
+ hmac_secret: 'this_is_a_secret_abc123abc123abc'
+
+ # The JWK's issuer option configures multiple JSON Web Keys. It's required that at least one of the JWK's
+ # configured has the RS256 algorithm. For RSA keys (RS or PS) the minimum is a 2048 bit key.
+ jwks:
+ -
+ # Key ID embedded into the JWT header for key matching. Must be an alphanumeric string with 7 or less characters.
+ # This value is automatically generated if not provided. It's recommended to not configure this.
+ key_id: 'example'
+
+ # The key algorithm used with this key.
+ algorithm: 'RS256'
+
+ # The key use expected with this key. Currently only 'sig' is supported.
+ use: 'sig'
+
+ # Required Private Key in PEM DER form.
+ key: |
+ -----BEGIN PRIVATE KEY-----
+ MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDWRCDFwx66u2zo
+ vPwgINZA0cGUoS3i1HP9m6okKxHyOJR5zuSF046Sycr4t6pYzmcIKZkh2BjCFdH5
+ zUN4YLikuBqNlTJYUKGdWer5+SexsgmtlO7JEtzJMx5OF1GWcexkxPv2UlsVKTxt
+ JIciya/r16raYT+SJf2XYjeyqd/UetQ0b83d4auIeC4P2aIJJs7362fafIi5cYAU
+ wj8cDsZpEmoaq6hyjPJrh75+pWzqLMgBcbTogPAMOEkiQ6uqEJj7rwd/bmdGRD1X
+ KUkD2NLhQGMsWOy6i9F3Qy1VNTnKzBc6lQT63WMWrwhQ8U5qnxCNRGchoHmlW7DQ
+ TqOyXHyDAgMBAAECggEAB9HhClFWippy3URMcABoIWHRDqjFQR002ywhDQSKDqI0
+ VQURKmCFYw5nUHrPhkHeLm+U4vsn3X7TX3+3dyoR2GfPBvIg2L/0mLFildtF220z
+ 1OMgcIk2Mpz20wMfMKjuvOIYOgNZHKVudaNFeqZhZm+ZZjKcvIDox5Yc50czipBx
+ 4qTxecVrtw2ZBG174UaHiIH1QerYtQoeYsQjJ5qQK5AyP53VhLIaMgGV38hI7Gju
+ o7tK8FLpNQAj9V0N+C6ArCdPjwFvSmLzbsYfCMF6GQxzetJ/1+G0lvXhlGc2Dd2C
+ iWuPmMk7ZuJ7l/CFKZHBZgzeUl+l6TIhFaz5dNiqgQKBgQD+Sjo/dh3LdUKuUMqc
+ pYReiSXQ2hIdYNqqtFf/dmi3dvqq4tNU1LjzTpqTtXdCxZUgkrIPQjb9aizJXyed
+ C28z/d2XURgvk8hW2Bp7vGqqWjgOiKADX0QlUOPXfWS/rLQPe0i0Ds2xFZ4MhMaz
+ c2e4BZDxvCpks+6ldU904vLIgQKBgQDXtP9eM13k6XyqwI6WNbpc/BtmdWg6zUoQ
+ jyY9LWluh07ewj60fn2m8ZEUcsoWKSyr3+xVAdWMZG3mh3ljWFBsZUPnITnpcOtp
+ A6U8iG66GsP9BfqXyz8zxqLrx9p9LXa6NfwhXP9IGjse0qEvQ+UPcuP+MQmFpTvH
+ twl6ttqjAwKBgQCQvj+Zj+o1vXFPN72cnLpT9U0JLJfTESZmtHDCgOvqQlc8nhAc
+ 4VjFZaCnI0vXPhA8kkO4W8BhTuZfWUJ7Kd8KgR542zghHMWUaT3p4L32aZQu8aXj
+ RX7MntaR+lY2pF950Hr5wtNiUSO9jHZt/uqy3Lg8YRbga2sT00p/Bg+cAQKBgQCL
+ mAqbP8rH1YJkTnD4LJUKj+x7hgeJ5kjEJp+sf7L3YIFeD37c9+8BFtu4zACUDtll
+ 8WfUK3ezf1rQEWQxMnn5bB9heFMuC3GNaFqKrhBaR/AF0tS1X0brjuToiVGQKNfo
+ 8f7U6IYcdz1DWTQOjnWyZbu+SKXM432oZX+w9pzPWQKBgB6xm+iNlo7+r5+MpbY4
+ SbdwUmzBcSc4XjR/OZ8+dCMNuRjWcALs2EZAJnsjqfkRZgjtcsTSNjBolT9hFuU4
+ Ue6mKTDYQ8wTEOXFLSU2BOKvDwoyyOrOj8I1MKIWzGoLeob6jDb8LLR485qNo+O0
+ DFuAA0HXSSD186CY1kbi9fFj
+ -----END PRIVATE KEY-----
+
+
+ ## Optional matching certificate chain in PEM DER form that matches the key. All certificates within the chain
+ ## must be valid and current, and from top to bottom each certificate must be signed by the subsequent one.
+ # certificate_chain: |
+ # -----BEGIN CERTIFICATE-----
+ # ...
+ # -----END CERTIFICATE-----
+ # -----BEGIN CERTIFICATE-----
+ # ...
+ # -----END CERTIFICATE-----
+
+ ## Enables additional debug messages.
+ # enable_client_debug_messages: false
+
+ ## SECURITY NOTICE: It's not recommended changing this option and values below 8 are strongly discouraged.
+ # minimum_parameter_entropy: 8
+
+ ## SECURITY NOTICE: It's not recommended changing this option, and highly discouraged to have it set to 'never'
+ ## for security reasons.
+ # enforce_pkce: 'public_clients_only'
+
+ ## SECURITY NOTICE: It's not recommended changing this option. We encourage you to read the documentation and fully
+ ## understanding it before enabling this option.
+ # enable_jwt_access_token_stateless_introspection: false
+
+ ## The signing algorithm used for signing the discovery and metadata responses. An issuer JWK with a matching
+ ## algorithm must be available when configured. Most clients completely ignore this and it has a performance cost.
+ # discovery_signed_response_alg: 'none'
+
+ ## The signing key id used for signing the discovery and metadata responses. An issuer JWK with a matching key id
+ ## must be available when configured. Most clients completely ignore this and it has a performance cost.
+ # discovery_signed_response_key_id: ''
+
+ ## Authorization Policies which can be utilized by clients. The 'policy_name' is an arbitrary value that you pick
+ ## which is utilized as the value for the 'authorization_policy' on the client.
+ # authorization_policies:
+ # policy_name:
+ # default_policy: 'two_factor'
+ # rules:
+ # - policy: 'one_factor'
+ # subject: 'group:services'
+ # networks:
+ # - '192.168.1.0/24'
+
+ ## The lifespans configure the expiration for these token types in the duration common syntax. In addition to this
+ ## syntax the lifespans can be customized per-client.
+ # lifespans:
+ ## Configures the default/fallback lifespan for given token types.
This behaviour applies to all clients and all
+ ## grant types but you can override this behaviour using the custom lifespans.
+ # access_token: '1 hour'
+ # authorize_code: '1 minute'
+ # id_token: '1 hour'
+ # refresh_token: '90 minutes'
+
+ ## Cross-Origin Resource Sharing (CORS) settings.
+ # cors:
+ ## List of endpoints in addition to the metadata endpoints to permit cross-origin requests on.
+ # endpoints:
+ # - 'authorization'
+ # - 'pushed-authorization-request'
+ # - 'token'
+ # - 'revocation'
+ # - 'introspection'
+ # - 'userinfo'
+
+ ## List of allowed origins.
+ ## Any origin with https is permitted unless this option is configured or the
+ ## allowed_origins_from_client_redirect_uris option is enabled.
+ # allowed_origins:
+ # - 'https://example.com'
+
+ ## Automatically adds the origin portion of all redirect URI's on all clients to the list of allowed_origins,
+ ## provided they have the scheme http or https and do not have the hostname of localhost.
+ # allowed_origins_from_client_redirect_uris: false
+
+ claims_policies:
+ # Add this new claims policy to restore the previous behavior
+ legacy_claims:
+ id_token: ['name']
+
+ # Clients is a list of registered clients and their configuration.
+ # It's recommended you read the documentation before configuration of a registered client.
+ # See: https://www.authelia.com/c/oidc/registered-clients
+ clients:
+ -
+ # The Client ID is the OAuth 2.0 and OpenID Connect 1.0 Client ID which is used to link an application to a
+ # configuration.
+ client_id: 'putzplan'
+
+ ## The description to show to users when they end up on the consent screen. Defaults to the ID above.
+ # client_name: 'My Application'
+
+ ## The client secret is a shared secret between Authelia and the consumer of this client.
+ # yamllint disable-line rule:line-length
+ client_secret: '$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng' # The digest of 'insecure_secret'.
+
+ ## Sector Identifiers are occasionally used to generate pairwise subject identifiers. In most cases this is not
+ ## necessary. It is critical to read the documentation for more information.
+ # sector_identifier_uri: 'https://example.com/sector.json'
+
+ ## Sets the client to public. This should typically not be set, please see the documentation for usage.
+ # public: false
+
+ ## Redirect URI's specifies a list of valid case-sensitive callbacks for this client.
+ redirect_uris:
+ - 'http://127.0.0.1:4000/auth/user/oidc/callback'
+
+ ## Request URI's specifies a list of valid case-sensitive TLS-secured URIs for this client for use as
+ ## URIs to fetch Request Objects.
+ # request_uris:
+ # - 'https://oidc.example.com:8080/oidc/request-object.jwk'
+
+ ## Audience this client is allowed to request.
+ # audience: []
+
+ # Scopes this client is allowed to request.
+ scopes:
+ - 'openid'
+ - 'email'
+ - 'profile'
+
+ claims_policy: 'legacy_claims' # Apply the new claims policy to this client
+
+ ## Grant Types configures which grants this client can obtain.
+ ## It's not recommended to define this unless you know what you're doing.
+ # grant_types:
+ # - 'authorization_code'
+
+ ## Response Types configures which responses this client can be sent.
+ ## It's not recommended to define this unless you know what you're doing.
+ # response_types:
+ # - 'code'
+
+ ## Response Modes configures which response modes this client supports.
+ # response_modes:
+ # - 'form_post'
+ # - 'query'
+
+ # The policy to require for this client; one_factor or two_factor. Can also be the key names for the
+ # authorization policies section.
+ authorization_policy: 'one_factor'
+
+ ## The custom lifespan name to use for this client.
This must be configured independent of the client before
+ ## utilization. Custom lifespans are reusable similar to authorization policies.
+ # lifespan: ''
+
+ ## The consent mode controls how consent is obtained.
+ # consent_mode: 'auto'
+
+ ## This value controls the duration a consent on this client remains remembered when the consent mode is
+ ## configured as 'auto' or 'pre-configured' in the duration common syntax.
+ # pre_configured_consent_duration: '1 week'
+
+ ## Requires the use of Pushed Authorization Requests for this client when set to true.
+ # require_pushed_authorization_requests: false
+
+ ## Enforces the use of PKCE for this client when set to true.
+ # require_pkce: false
+
+ ## Enforces the use of PKCE for this client when configured, and enforces the specified challenge method.
+ ## Options are 'plain' and 'S256'.
+ # pkce_challenge_method: 'S256'
+
+ ## The signing algorithm used for signing the authorization responses.
+ ## Please read the documentation before adjusting this option.
+ ## See: https://www.authelia.com/c/oidc/registered-clients#authorization_signed_response_alg
+ # authorization_signed_response_alg: 'none'
+
+ ## The signing key id used for signing the authorization responses.
+ ## Please read the documentation before adjusting this option.
+ ## See: https://www.authelia.com/c/oidc/registered-clients#authorization_signed_response_key_id
+ # authorization_signed_response_key_id: ''
+
+ ## The content encryption algorithm used for encrypting the authorization responses.
+ ## Please read the documentation before adjusting this option.
+ ## See: https://www.authelia.com/c/oidc/registered-clients#authorization_encrypted_response_alg
+ # authorization_encrypted_response_alg: 'none'
+
+ ## The encryption algorithm used for encrypting the authorization responses.
+ ## Please read the documentation before adjusting this option.
+ ## See: https://www.authelia.com/c/oidc/registered-clients#authorization_encrypted_response_enc
+ # authorization_encrypted_response_enc: 'A128CBC-HS256'
+
+ ## The content encryption key id used for encrypting the authorization responses.
+ ## Please read the documentation before adjusting this option.
+ ## See: https://www.authelia.com/c/oidc/registered-clients#authorization_encrypted_response_key_id
+ # authorization_encrypted_response_key_id: ''
+
+ ## The signing algorithm used for signing the ID Tokens in Access Request responses.
+ ## Please read the documentation before adjusting this option.
+ ## See: https://www.authelia.com/c/oidc/registered-clients#id_token_signed_response_alg
+ # id_token_signed_response_alg: 'RS256'
+
+ ## The signing key id used for signing the ID Tokens in Access Request responses.
+ ## Please read the documentation before adjusting this option.
+ ## See: https://www.authelia.com/c/oidc/registered-clients#id_token_signed_response_key_id
+ # id_token_signed_response_key_id: ''
+
+ ## The content encryption algorithm used for encrypting the ID Tokens in Access Request responses.
+ ## Please read the documentation before adjusting this option.
+ ## See: https://www.authelia.com/c/oidc/registered-clients#id_token_encrypted_response_alg
+ # id_token_encrypted_response_alg: 'none'
+
+ ## The encryption algorithm used for encrypting the ID Tokens in Access Request responses.
+ ## Please read the documentation before adjusting this option.
+ ## See: https://www.authelia.com/c/oidc/registered-clients#id_token_encrypted_response_enc
+ # id_token_encrypted_response_enc: 'A128CBC-HS256'
+
+ ## The content encryption key id used for encrypting the ID Tokens in Access Request responses.
+ ## Please read the documentation before adjusting this option.
+ ## See: https://www.authelia.com/c/oidc/registered-clients#authorization_encrypted_response_key_id
+ # id_token_encrypted_response_key_id: ''
+
+ ## The signing algorithm used for signing the Access Tokens in Access Request responses.
+ ## Please read the documentation before adjusting this option.
+ ## See: https://www.authelia.com/c/oidc/registered-clients#access_token_signed_response_alg
+ # access_token_signed_response_alg: 'none'
+
+ ## The signing key id used for signing the Access Tokens in Access Request responses.
+ ## Please read the documentation before adjusting this option.
+ ## See: https://www.authelia.com/c/oidc/registered-clients#access_token_signed_response_key_id
+ # access_token_signed_response_key_id: ''
+
+ ## The content encryption algorithm used for encrypting the Access Tokens in Access Request responses.
+ ## Please read the documentation before adjusting this option.
+ ## See: https://www.authelia.com/c/oidc/registered-clients#access_token_encrypted_response_alg
+ # access_token_encrypted_response_alg: 'none'
+
+ ## The encryption algorithm used for encrypting the Access Tokens in Access Request responses.
+ ## Please read the documentation before adjusting this option.
+ ## See: https://www.authelia.com/c/oidc/registered-clients#access_token_encrypted_response_enc
+ # access_token_encrypted_response_enc: 'A128CBC-HS256'
+
+ ## The content encryption key id used for encrypting the Access Tokens in Access Request responses.
+ ## Please read the documentation before adjusting this option.
+ ## See: https://www.authelia.com/c/oidc/registered-clients#access_token_encrypted_response_key_id
+ # access_token_encrypted_response_key_id: ''
+
+ ## The signing algorithm used for signing the User Info Request responses.
+ ## Please read the documentation before adjusting this option.
+ ## See: https://www.authelia.com/c/oidc/registered-clients#userinfo_signed_response_alg
+ # userinfo_signed_response_alg: 'none'
+
+ ## The signing key id used for signing the User Info Request responses.
+ ## Please read the documentation before adjusting this option.
+ ## See: https://www.authelia.com/c/oidc/registered-clients#userinfo_signed_response_key_id
+ # userinfo_signed_response_key_id: ''
+
+ ## The content encryption algorithm used for encrypting the User Info Request responses.
+ ## Please read the documentation before adjusting this option.
+ ## See: https://www.authelia.com/c/oidc/registered-clients#userinfo_encrypted_response_alg
+ # userinfo_encrypted_response_alg: 'none'
+
+ ## The encryption algorithm used for encrypting the User Info Request responses.
+ ## Please read the documentation before adjusting this option.
+ ## See: https://www.authelia.com/c/oidc/registered-clients#userinfo_encrypted_response_enc
+ # userinfo_encrypted_response_enc: 'A128CBC-HS256'
+
+ ## The content encryption key id used for encrypting the User Info Request responses.
+ ## Please read the documentation before adjusting this option.
+ ## See: https://www.authelia.com/c/oidc/registered-clients#userinfo_encrypted_response_key_id
+ # userinfo_encrypted_response_key_id: ''
+
+ ## The signing algorithm used for signing the Introspection Request responses.
+ ## Please read the documentation before adjusting this option.
+ ## See: https://www.authelia.com/c/oidc/registered-clients#introspection_signed_response_alg
+ # introspection_signed_response_alg: 'none'
+
+ ## The signing key id used for Introspection responses. An issuer JWK with a matching key id must be available
+ ## when configured.
+ # introspection_signed_response_key_id: ''
+
+ ## The content encryption algorithm used for encrypting the Introspection Request responses.
+ ## Please read the documentation before adjusting this option.
+ ## See: https://www.authelia.com/c/oidc/registered-clients#introspection_encrypted_response_alg
+ # introspection_encrypted_response_alg: 'none'
+
+ ## The encryption algorithm used for encrypting the Introspection Request responses.
+ ## Please read the documentation before adjusting this option.
+ ## See: https://www.authelia.com/c/oidc/registered-clients#introspection_encrypted_response_enc
+ # introspection_encrypted_response_enc: 'A128CBC-HS256'
+
+ ## The content encryption key id used for encrypting the Introspection Request responses.
+ ## Please read the documentation before adjusting this option.
+ ## See: https://www.authelia.com/c/oidc/registered-clients#introspection_encrypted_response_key_id
+ # introspection_encrypted_response_key_id: ''
+
+ ## The signature algorithm which must be used for request objects.
+ ## Please read the documentation before adjusting this option.
+ ## See: https://www.authelia.com/c/oidc/registered-clients#request_object_signing_alg
+ # request_object_signing_alg: 'RS256'
+
+ ## The content encryption algorithm which must be used for request objects.
+ ## Please read the documentation before adjusting this option.
+ ## See: https://www.authelia.com/c/oidc/registered-clients#request_object_encryption_alg
+ # request_object_encryption_alg: ''
+
+ ## The encryption algorithm which must be used for request objects.
+ ## Please read the documentation before adjusting this option.
+ ## See: https://www.authelia.com/c/oidc/registered-clients#request_object_encryption_enc
+ # request_object_encryption_enc: ''
+
+ ## The permitted client authentication method for the Token Endpoint for this client.
+ ## For confidential client types this value defaults to 'client_secret_basic' and for the public client types it
+ ## defaults to 'none' per the specifications.
+ # token_endpoint_auth_method: 'client_secret_basic'
+
+ ## The permitted client authentication signing algorithm for the Token Endpoint for this client when using
+ ## the 'client_secret_jwt' or 'private_key_jwt' token_endpoint_auth_method.
+ # token_endpoint_auth_signing_alg: 'RS256'
+
+ ## The permitted client authentication method for the Revocation Endpoint for this client.
+ ## For confidential client types this value defaults to 'client_secret_basic' and for the public client types it
+ ## defaults to 'none' per the specifications.
+ # revocation_endpoint_auth_method: 'client_secret_basic'
+
+ ## The permitted client authentication signing algorithm for the Revocation Endpoint for this client when using
+ ## the 'client_secret_jwt' or 'private_key_jwt' revocation_endpoint_auth_method.
+ # revocation_endpoint_auth_signing_alg: 'RS256'
+
+ ## The permitted client authentication method for the Introspection Endpoint for this client.
+ ## For confidential client types this value defaults to 'client_secret_basic' and for the public client types it
+ ## defaults to 'none' per the specifications.
+ # introspection_endpoint_auth_method: 'client_secret_basic'
+
+ ## The permitted client authentication signing algorithm for the Introspection Endpoint for this client when
+ ## using the 'client_secret_jwt' or 'private_key_jwt' introspection_endpoint_auth_method.
+ # introspection_endpoint_auth_signing_alg: 'RS256'
+
+ ## The permitted client authentication method for the Pushed Authorization Request Endpoint for this client.
+ ## For confidential client types this value defaults to 'client_secret_basic' and for the public client types it
+ ## defaults to 'none' per the specifications.
+ # pushed_authorization_request_endpoint_auth_method: 'client_secret_basic'
+
+ ## The permitted client authentication signing algorithm for the Pushed Authorization Request Endpoint for this
+ ## client when using the 'client_secret_jwt' or 'private_key_jwt'
+ ## pushed_authorization_request_endpoint_auth_method.
+ # pushed_authorization_request_endpoint_auth_signing_alg: 'RS256'
+
+ ## Trusted public keys configuration for request object signing for things such as 'private_key_jwt'.
+ ## URL of the HTTPS endpoint which serves the keys. Please note the 'jwks_uri' and the 'jwks' option below
+ ## are mutually exclusive.
+ # jwks_uri: 'https://app.example.com/jwks.json'
+
+ ## Trusted public keys configuration for request object signing for things such as 'private_key_jwt'.
+ ## List of JWKs known and registered with this client. It's recommended to use the 'jwks_uri' option if
+ ## available due to key rotation. Please note the 'jwks' and the 'jwks_uri' option above are mutually exclusive.
+ # jwks:
+ # -
+ ## Key ID used to match the JWT's to an individual identifier. This option is required if configured.
+ # key_id: 'example'
+
+ ## The key algorithm expected with this key.
+ # algorithm: 'RS256'
+
+ ## The key use expected with this key. Currently only 'sig' is supported.
+ # use: 'sig'
+
+ ## Required Public Key in PEM DER form.
+ # key: |
+ # -----BEGIN RSA PUBLIC KEY-----
+ # ...
+ # -----END RSA PUBLIC KEY-----
+
+ ## The matching certificate chain in PEM DER form that matches the key if available.
+ # certificate_chain: |
+ # -----BEGIN CERTIFICATE-----
+ # ...
+ # -----END CERTIFICATE-----
+ # -----BEGIN CERTIFICATE-----
+ # ...
+ # -----END CERTIFICATE-----
+...
diff --git a/dev/authelia/config/db.sqlite3 b/dev/authelia/config/db.sqlite3 new file mode 100644 index 0000000000000000000000000000000000000000..58aa37f215dd06be881ec46336d048fb2411e412 GIT binary patch literal 376832 zcmeF42VfJ`|G<;3bO$I9Het2}QZBj7vg}Ap_g<`UNiJ<@o1{rP84@;#fFc_NM20eC zZbGHci->3_df5v?_1w{FD)frZN%9st-cU5 zvQb(+8l6sihs~zZXrsYzKk#e)p$otVH`_PxFP-$cx{sr2Ar(dL;I0SrJR#GI`JDM1 z^Dgr`^B3lM&(AzFJ(@9m++Mh!aXsd8)pd?1!;?{6Q2)&9Bil0=tfVCRXps?<7vM5^ zzD|~rEXza?geNmBD+38{7@ltl%TIJiagS^?` zN3CSXB&JKFrK#-1q;z&-MtnRwIW;CBEH#H6C(U7pWuzy?B!a*bq>1TW%qqnOT(7|j zadu`{YDDj_)F3W`1lzSOGHQdN7}q;USZ-hixmvy2m{(}OC#=+EM@pl@GUC(OfoZ+N zxPcZ8r8-w_G*peHO;%_T)8TrxmLf4WF%+@L8E}OjH?qUylfs?ioRJulk|AXW+0qy6 z9c<#(W3bw^p^xC0vkBKI^yNAtLn=SjcK}~`{muDSVQYza306>y*A#C;55yU*@4I!3@bKj&EI8}5tMN&KQ|Z=%rqx-R7-P03)Q*Sf>-&eoOkjZgif$++*L6lxwh7(2E zQ5sVjL78+e?iLwyTomTYCM&UoZZDx+p187%f9kHO+_=p%B?tcc}#&y2JG--Sotak0_BiotjD2uf+C0?QiU`QW*9hi`Aylotg94ryBryS)~ zrrZL`84bxcSp+C-guvH>71ORdVx+XmxTG(Bo{6+Q1gBALETxF2vT-V|{OIk#iFD(y z=44Rl)n-Fi35#Uo?R88V;K9m4t4ljoJI1BB*wA+*&68-SQ@lM`c(3Y$b8OQ{Fl5|n zZ~2VK@nW!g^`egoGh?n+u-Y4rS>V*Lk|OaJH>gUyj#(0ztXCIe`f_XQnU9yt@-U6E zfU@b(70V0M3K;G{>MB$Sj9^8Ozqr2R~n_8Qp`OZ(ACK!N{F>BFVN;1WO}?% z3wl9nolLDPqY!YnmXw&pNNF~kLclQuc2Xjh5Ie}IF2uXA?N94smXaCEb$GCe?aE*! 
zfLJC}8%tY0Ruf6LS|dpgpq4n=M9EQ1cJW|!?o7`yS2JtJ(SR2fn|n2uex&WIt3%at zk_{p{qFsP!@W?DWgN35>F&XACDZo-(a&ZWoLg39SEs;MI)yUqQRnyxv6e~dY#h@xK zV239q#Y@8y?RDEydE}Tz1FDYmO?$XeVex6w*Ql(Z2%Afdy}pwApY}ilxlv(OBX2Kp zb_JBMAk-C7Ph_dVC@a>h+3C`3>!8kdmFNM1n#D6kfWKW#-N4@<6AJz|F?9rgS*H5n zZ=)hV;;&B=8gn0WA~TuU(EqgmT>pXo?ftI#t?<+N@qM5AZucGT8|mxmbJ%B!PdX5V zKac<<00}?>kN_kA2|xmnz<-WFXd@3=8lB#mhwua(gwH_)Y_24fD-IP%LIivX!WBq( zXlH~MiXaUemGDDQNeGvtQJ3lRa}A*lYtj`uz5D{B+>o;)LtzVGA|3 zAzvV}==w9Ab^UA9MMYc@-x_B>e`j64nsm8*J`WLDpX=-Atm|8&F3Lst622wQKEBSn zJ~ingVgY!vwOo1oIO}@XsEdN^rsO)k1OU2gs3%-+&!Fi-D}Y0O2iUA%H>+}$j#kZ*R3X9 z1muuNU`?;9o3pNK4Z4T~0a+xm>bkf(=}KIHu2(fS2NCnce4(vexj3nc=pM8bPcLe7 zg$VgPiP&m!oD}{14$$iRO>()bEwQmieK7H~;4T z2mH7H=Zri|5F`KzKmw2eBmfCO0+0YC00}?>H4zBu>Z+mj-ZyARH6H z$4XCP{}!%o=#|c!jr^|C+&x*rt^&_eTuwwtBLn`iW*-}@z~JAH*2EHGQ^Zwbd$vN` z41A+IJ;@qz|5kk02wN<4`3fBPPFNP4tpcr4SE=nj@S4=)2C&#oP6ik;2G|}�dBc zci_4v*`8;;RAKSeRA`mBE&YBC>$`I3glhxYAJfIZ0Z4MCud6GQL-VtRuWci6jkbkc zO-`_yyP|aBsZMSsO#gbW?L0|7eT|u}s3(OB6SI)!W6sOw^rp=KMsp0cIt*X|z8*xV zDmAWe;_oW*q;z#*9;J1t%pR*ZC3CSgP+3M}5J9ijpm5j{LRC0?o3?b7*tp9JFhzcW z+F-<$GT@j43T{{D!bT*R2l9?0gNWh@RG7XEY0NK~6-<%;BmXu28vo8<^?$LS+^@Co zdEeQ-S>QJOfdn7{NB|Om1Rw!O01|)%Ac6lVfiR{wScmj%8PM9#&+h*qWOI>FfiM(B zLxg;xSS%EZtZUrn5mkX218&S*o+tzX|8c|os||u5%9DhMg{Y7x0PD_{C0NQJ{AvgS z5rpvgs1W4~Y~BG>LA>MZO-rFp2pTF7gh+%aDiH8$N{3Iikw8OvNC;TJ<_ZN|#JUVk z6^StK>Vn_{hZ5j6f=ajou0Uw@kf030tJ)wyh6qErh(sh13B)zU!n4{S016@&C|Afw zY-`h$v0zje1S$v>AR(xL3krppZ(V4n48o(@AoxUvARt49BCbSOL$PqLE(jjL$qV61 zxMB&2h;@;jG8S&t1|bgR6Pe0K_#%m*rW|ptHV6^$5()v%L44qhA*qRlOSM4=LlJ%m zU(83vVnkR|rqU^bFgq&o&`>@o7kpGC=89~NJ5(&ZfemB&UZpV)GiNa6OpgCk|K0wR z{Byt?0C)Yi`i=2R@oNEY!yiZh5`Y9C0Z0H6fCL}`NB|Om1pX}q`0i;f1L&_enZcw~ zs%84ZzZ#_)CoKF>_mry9t9gpTm-0ciOiK7rDb+R&;Z3Pj%fy2hrBW?Z4W3j=wM{NC zD3xlNPVk^os%-+nol>cmDFZi3rCKHlTq%`mnHF$Ci9+sWFXVNa2q4z~!KQ!k2NHk; zAOT1K5`Y9C0Z0H6fCL}`NB|Om1pdPWi1mLs{{IhWFiaXG00}?>kN_kA2|xmn03-kj zKmw2eBmf9l{QpnWn1`6tm@;Ot|3m*T{m1&J_&4|a)$a?x3cpA{f8Wy(6(j%&Kmw2e 
zBmfCO0+0YC00}?>|6BqB_q5h^a`?AzSpc>#U{Y#PdHj>L{HxKb>he$4^5eUwRE;5p z&p%nom-10mPXA;rA1WDPp+do;$i&Bfq@1LyYNu@>U_)peiP-;zu$4CCkN_kA2|xmn03-kj zKmz{@1W51yn?L?9q#33W5`Y9C0Z0H6fCL}`NB|Om1Rw!O0226LBVh6Wze8i*`Cm&p zOfMt=2|xmn03-kjKmw2eBmfCO0+0YC@LwfR&&7?_vXSlm0HfBZBNqMX%!f4azwduF z)i7O<03-kjKmw2eBmfCO0+0YC00}?>kih>S0bkdablVhw3$gz1>OYOfT+eg^|G*ze z01|)%AOT1K5`Y9C0Z0H6fCL}`NZ|jEK%uKUt%E5tuMktn^6_#RSf_5<*?UtbR^LUx zrKb4p+Soc%m*9oBpEcI7e#gOw%hrwg>eYA6uY9SJ%)azM^CBc~W>E8bzs{elInrj} zrBClaUdVsX`wRBE)LhBIEssB^wNdpSDqHx=lR3ZF8?)(QirB<)0nZyjex5>&PL7dfs>A^o*mNWc`P;KsztOALi?%nebop{p$Dd}qjBP(^?uC0_={_DgYu@?7)2E()_u^?>+s>X> zcAU%YKS@7M#m+Zw{@7pheZTNq^Ew{<-4yHE)cf}ro#r*ZdGlTE0$FJX#^=(q+ipJ$ z@cQ<|=gs{l#M0eqER(My4_D;BNdKnv)VAB_RD~x;Z<@I_y0Hk+tW_?3Iq}-N{es45 z@K4%|?7Dt!hw0-6=ASG(U2@{_gh?YBx+F+Sk#>fDNo^Yw>;JCIlQiZN<`wV{{DA}@ z0Z0H6fCL}`NB|Om1Rw!O01|)%Ac21ifqJeT=;X;0SEmaK7f)A~mwEocw*NnKA9Erz znc2|)wEx_HOEO_RApuAL5`Y9C0Z0H6fCL}`NB|Om1pXTYLOncaX>@vL9sql6!VNbkf(=}KIHu2(hbMZ`QYUnt>Qp6lYI zDgp-prg(Z$qe6syoTA!AY z(Nd9-CJ^}fd3i>^rxy#w7^*@g99$sabAbI5bL0~6Nq~zLs6Zj+<2)cC#N{|D;P4PG z&fzN%AqV5ic^pKpQYe82U#<}9ij5Vz0!$NyNaB(UEA$ckWVt*lO;MbZ8d*>f9v`12 zACzY(SE718mJ|`LQmXlNIf>M6<%MiS9Eu7<5pf7GwOmAi@PL&^fR(o#Z#qP$*Q(S7 z_z=7hQx{NO%hh8Vqs&;Y!+Q`fI%)Ol3e2e1YGewn5#Y%U=66c_sA;c?`sW@!?BntEtm%6* z_wJ(?7ealn01Fw!>Ox#T?_~hmIwS^ro?a|HM!XIUt`%}cr z)vwy{wso34Z@IX!;t&-p3t&(C=QvhYwG;ZQo(of)$+(B{#mXb}6mig?kU~ zz1N1>wOM1~HYSJdb>cv=%Wy?u;?=A*VNDc+vadJH+}Qg!x3b^ER<C<<$czW_E64y`%X`{N;ensxQXcU$ zmpqqFTCv;Bb+~rNx@-57rYB98S9T43rC%L{M~Q;d(KE0wBzu_9np{WEmyWEW-j*e zdRHEtK5Itfp6_V?IQ{hKXWO5w@Gsr?;R^M^@a`)XHfbE$AaLFMT_xG|Pc~Q>bu(uS zN4@RB@Ar>))t}O>_v(<`QT0^V{aW5{LmU0l(raqUHq-pTVfk?ZGZr%fR&& zEa<&w+?h{3Sk3U0_daWT`rz*1F@q+KK4h;BY z{sp7Y&}J2_CJ9T&dAm4U1D#MH;2}z-k|W{s!QsFHm7F72f;x|gxB`VhCBPMO5r*Ls zm0YO;2MFUz4qw9OaxlJ<&%rRIT#2J{gpa6f)}T*TZtpmQQpQb59aIrlmXcXi9*%P5 z89Yf!UO8G2B`zt+D^utaBGdBUz#8yF1>z8%SS%I@xnjv%v<8oF&h#1CF7`@V#Qvaq z2Oe$uy470IyFES)dO7S?wywqP^z0TN%~~~b=$Xz7=MTAdIcvsb{H5#4lCbkze@$o* 
zZ#Z7+{psT)U-x{k?c?7TJpAMHXWwsYbz!io=%W+jS!?T=NyD~{!2U$=bs@caEC@S&YnRlV* zvr^NOjGl!<*bS!UEFHR9eEZ(I+d;}BuLjIJJR6(#@ss8++wpouWbOO-PE=ZO?*R=b zOl{QiY=P`hbc?8cS#j&He>bl$KBh@(^PS4!f86}!K@&_gH_5;0q|5paTRS&wG?_m) z#}v6NB{<3_xJgL3u*ay09wlwVmQ2xeD=x*)`Brpn`q%pxT+P!4yDV6`krUgZqaorK z-`So=BSs|*H9Sf^JXmEM`iQOkX}VwjG{Ho1e)FElZ+(Uh{XSW~?clQu$$R^6z5eCO zD+LR^HfKG$Fjds{2i*rR5WR-*dQMh}PfPYZ+%ciWo-pOTjy}5frgtB# z`1b6bo#JK80c|6Wclx=LuUGl6_10~Ad2X{xP86Xrb_p8IMj6O^)AKdkKCEo`N736icI}) zcbv2I!|m6;+I!ab(QZ6`oDbdE80awtA6H0te2y3sOE`R`O285GcybOV!X>BzLlB-^ zCFi3`jE~?PkzAY(bOTTy)vT(z#!_Vs7`TVO_Pp5R{UAZ!5X4If2GkTd;?2X^NEstN^ zcGx$Jb3Zus>(8rNZ27LgNHf!I${$&Y^!gtJWYUo-y|(^1_{ELi4WGPU7USP{ zDH^`#rW5VYx);%*`#+nc7s)+iGR0Ga9p3Ocfa1h>cH|nv)iVRxpHCm zJMGrF+#1?L`=0#sY5iZh@ME5T+r1%noPSysd$d{Guk!jm&>V|ve0jQH*5sDAd(6KO z*jUwm%go)^BA4D6_`suo>ySHN+`W*!kXS&=ILiIE%bhV=flz=7p7_-Y!LMCHEx#dgJs(HZo0<^vuS636%0)rx@_M5BV)WK z{r>dZ8B24{Os?OiM3UbLuis_D?_ZuQY1M+8)imq5p+`D4E% zyj?S6yB@t^YWGgc`S`CJdUZTg7`toq$jN8K%la-ou=vQ1YyG}<-M;*XZKu+j^J38T z(GgFP3%*OHKIA>_mKd^OTg3Hw9}FIQKJ(XwzvVT5@b0%yQnw~3dVITwQ?I*zAS@DilpD{oxEpX=Eq@4*Kek8e6`@=skD>#XkEV%^pBN> zb{e;HNy(zn$aCKYUM-$_@@&Y|9}7ndGrstBOU2jtz&5?^q+j{qi@6^mdmj}3G<0r{ zK5Kp7-`CmTjX#_Isz-wN=NsY>j~c%FYRx#$ zZmlNA&xva=nF|I)8D8K|st5R!;%Z<2fAT*%Qi92b1Rw!O01|)%AOT1K5`Y9C0Z0H6 zfCT=#1giM||96uLQw9k@0+0YC00}?>kN_kA2|xmn03-kjKmx@6f3$j#10(kN_kA3H+A{_<7Hw`MCZI1L(lCaEx8w|u7!&JdnFWx*NRT`EqWv7RQ$4l9- zsmu=YW`iHKk{y$nE{&F^vJ;ci*@+qP@$BT(n1ry@9Cn;EhaHxYo)nV^9+V(WOz&b= zQRHC-1-K>`mjUI7-eIXhs4&>BZIRLAMa8(mNJwOcrJ9BKh_jHQKutg<$?yaMXCZ?+ zR|DSZ(&P4ksDz5;gK&khme}A*8D?Zh0%Yki2~vBE*^$zyu#EV0c0@*MDoCY_xSN(9 zmXPd_7NBiVfcL)*>~v{1AZ4XxkukpmUZaGS2oZ;3B}lgdw}wLyx5XeZ&@s3=h++z( zx&&v3Cnd#8!xHV$vIiLz7M~`yC8R`~k1OjWtJ3NVWlGG5QKi;aT+R2x%pd0g$!1kHuMn;b4{yMtNi5eP(LcKzj@Ioo@_6NTm%WWfGxoaia{1Qf-rd( zFj&zXx`|^ZQEb5VggsH=dJq%bAR{i=Qs{iskBW@5kV6OrBWD42knI`4rnGzpi^HLh z$T8D$mURB^>p;%=?wj+o#m9l6z3^CI8VHlCl&L_$*6L-2IM`94(ui=mmG;3qxMUE6 z)uSEV)YME^S*(>Q@e;K&T+;Q1R9s2-s~{!aBh$=MGg$4~(MJ@UX_ACU9|Ig1l5YI9 
z_$&nMfKgs0FbiL2q9ohx9c*fx$6zI(bd$u4)CkT(A{xWW7SOTWQru@yA*PV4f|^2x zgnVRdF0d;oeM~nqatdLJOCAncKq2tvS)tJ5nDGr8lmZO2jG!twHAm!zfM|y;*;SV+ zqc#|dalJjyD-9D?kPEgWG3FK8?~!ub-b4hZ^$z1&TOOr4S8X&@?GxBqD4``*I$W;? z)v`+0!6t?x_R6fsja5t|Qw2<;$YvVVO3)2Z8_Q)SAXJrFVd-iOGOCH@g7T&hRUxC4 zlv#rz>?5TBI|xVw6Wda;L?ZeaFLUvtl%%}q?NG!hMc%xSftcAd4)n1sNY!uBhcTBB zrA)1>3{T>081OP()y`4f3n9@F(Q54B3#xYaK&QI65cEGPdtlT>p6GoOf>omHEbdL@ zTmK%QjkUA@rMR5vEo5Kogz@FPaOxFY3RaM;s%9YZSH3gv5F;{`f*|AqU;iPV&JIe=J~2ZHCT@&W+M%ipIjVfC@QbN`RpvF(}4wS@^q$c0o^tW zUd@6snC7;u_Tylc6|bB`cb?v~Og7o1F_jU_@jK7BTV%{pvCf-YVJ|C4m*56!WB|IcLD^yH&YBn`@Bi@j@+_>QU>!(tH_(fTtCuWx47d^=VzqQs#}+gH7xT%Q{p-wXw9#epVAn_gW)K4xpAe+C<4w9GO{eS&>RJ zmpO_QQe1L#D1{UPZ(bY;nxv`qI+jI4u>wry8C1muRontBMN5upG1CBUY+ZYH)@05v(v!3$d-a?cm@*E$S2=Q68xU*+G?0 z4mR;hL1hL}Rhz2`wFYS&f?A;QYeds=O@cZ+b`U^DtiyL{`GKS&{@Q79BW$%0P0GUL!dKi0YFO z@&?HOA=W+mAl9@k3>F4romOkCZJ7cVzH5#)#~SU?3GXskadGqs_06`%nowd1p2`8X zmfKAoY)UP{f5MK`$#Jx1pU^+!zymxb)Oz5;=irG^U5}*hK9|+Imsa%yCHl?g>Id8; z6a|>N(B_s3q5;ag&1u$l&+LIKpJjYvvNOHU000}fj?tFBPk zErts8gv>6&glBP7QmQm2I??P!9AvA2_Pc~csx(Rp9Bw0|X?5xA5EUjPnON9nM}(zC zghfh;E0NN8DY%jf9ClM@I*`f1BE$SE?sb)I`2|7l$j0raBhnjmqBP?#{)B#gptw&YMsyymV-Mj5kwD)n$ z<;KC?nX&@ZI^ysS_VXG@^L9B)V>I#@;&PT*xj&VmwZ@n_g7v8~yvpO=G{ec!tlAs345938sl8CVz8Ai&^HImqq}4`M z8J5}yi4LCaHe2XmlATNB5K|z7)vW{F)WKY6%nqS>z$j?-<)lFp`En1cqCpn0>5Xk= zYRzB?1oZc1=Iph*S%G%OJZQuU3{=-TI%F-C#Ghy;|G#`x^*Yi!90G0?m*cvOh)6DM z_A*x0@Bp_v`(26$VOVZ4kf?kqg=h`U^#U^*!TTr{&r;&3K6@y@LE0{XDe?+Iug885 zJl}H92#)wO=(Ku=TlRuzYcUDS2?k`vAOzbqovl%|y2C08v>IGiis?0KO>Uh^b^)G? 
zDaz|4s#Jpx1epCJ-fF6%U`Ypf|A6S$Rk>?V3aL(kkcgR%y1gzU2hA&Rbp&&~xoWD% zQ$4_{L*z=;_);n8isc1rh1u#lzH0%dTK-X9Sb%!GO@s%BG=~IZZ)+!Oiv7= zjd&RtMB7?tQd>c~&!;j5wFN_JAV@)xdjg}PO^q2WE|)$|LT(vI(p8_~IC!sm|ILkt zoq@d;P+0oPQHEXW4PWo7?8O4hZGZ8~K3ifh2GvZZ*SX7VZ3-;aAP>_h3qVg0)CL_f z&@oR)+B(nF zzJQ~+<2TBe4>aai!whd;q~At<{R(PB}D3SCm?m{PqhLkh_9#*FR!Kl2zK{(%G_ z0Z0H6fCL}`NB|Om1Rw!O01|)%Ac6lR0l5GFe==KPq96fC01|)%AOT1K5`Y9C0Z0H6 zfCL}`2Lhz^e>S+$8vGLf!XHQg5`Y9C0Z0H6fCL}`NB|Om1Rw!O0225Q5pV}-aRZzG zgP(rP=gh~<`<5^Np(MhjKmz|S1jdP7185l;Elp_|X##@dP25XD8^6~D&gP) z0iVN1xnho70zL_Fu>ut+#C)6wB!sveM+F=n!o@j!1tR2NTse<}$W;m@(BR7zLS3=3 zLRWxkh)o-aojYZiLdI1Z(ZT{W#+b#;%1O$~%;RQ6$?^*e3*yBY>EV&$oGfl)eo|s$ z?{FlfcWE)A)<{*U`HBcMU4$yjA|tZ$<#|SVYHEd4kKujfQ6*V&Sx)a1iCioY3wQz! zSAbz0zFffL$OSmg5%5tQ#|2^)A47NuxR3BTh>(qlLs4NUA`U@CBA!Id6-qiINGO6> zUUD6x(`!}g0(=Nwh^Y&xuGzP;=wVA^M~xPoXwoB5$X9BzVpH?WbS343B9p^%b21B3 zI@;gxCAJOdLA)K>(frnN4@=;ktq<&MeqiEUALg-(x^K=TocXZ(bN=CN9x-9`F5yk? z4!fUy>_~)Ze^1FH9Xo8+gVm?^UtMyp=XCep_pb;quL&2$sE0=V+V^90`m6Q>B{+L| zztfFk6sLX0JUR0V|M}M^=&PB{1-EDKI2`mc_EhxaaYv4v*qoPn=&bj*)6Qi4IA(Xm z)k|j<40va2i)WjD>K2g`$y&O%S>LSDUL^?U_O!69UQ?pDV2AEzjaKkWO-m>H>OhO#x!!g(=Jp7; zWoJ%54QYPA^Z5(MN;Wi{;P+(qOLq8Z?g;X%l&zX`e^tu<@!d|duXhRU)7dZm zxT5E=;k2@69X5Th?Y_KY+o>z%s=nV(^c{yUANp$L@59pn*nKZhHg}u);LyeUg?(Fm zDvx#DC7-KW7JlyfkIT+{d*I%@9ffY+Et&nB*VpTwADi^xa)qm!d7%B;scv_7e06G< zBC+!|?!BeoM>d>sd|89d9fuG6Dduomg?!2xPV$Z6AKVS%?aTCiW$3&9+9&<5=ebTU z;>_ALQHTti&^thR^xSu!ebFfSZt23?UFOCtde;5a_dhp@`YCMY`(4^{y4=q6Ix=bc z{>v`K{+YpBmLv7QT`-{0mjO}g;0t#fp34jm414)fyYoTlgyfE$StIk#?8f`=9{Y24 z%xJ#%ruP;H%n~1%xbW13LuZ!;w14q**n-dL>T9aKsmde0U#<7r{H3RN-!b2}Ui4|> zUb}JcPev9Vd6k;-`GpC+?w4-9(mC%{zv-&du%`ysnNKF|pbMAG>9wxo&qWvbA0BJ+ zEcU~$l7it+HvX(GK6|Fwl@7j%Bf<`C%gTJ(b)3Y-*>uEB$P@|$JVdEfawL2{sD}cT zoFi8P1A&OR0);>&z!h>4hT#>&V(e6<2cj5KpS41&&kg=6lP}YF+*-qQDIrJ_64c1RNn8^S`~JNqx}^mkE`7QOtj^XjI-J+XPg$GX&nvBe)3u|&zxIvS z`mVn`9nt+~MEc>niQPxEY9(5QevF-|KYZPl*$#1h`67K=R-M0ATVMQ^PVH$nA zY+IM>r_Vns^&NI((K+qQ_|;=i_kQ)^!R(%X4F$h%=pt>$Kew}OO2C#Ze7m^o!{m^P 
zq_g9>U9L^K*mwE7ofBTf&n@4*ztpR=_4~ioZ=AZY>HI~{Q^$YllXT#{Ve`WMyG5;i z^6tRKgH}g(IPLEB_003>rT$%yeQ_o8RLPQFQ&+!u(Il?(@ZR`JTD?=7cDQ}$-RzO} z)czsk!@d!;HwLV`GNo(m?3P&_2aQ<1Z+O4H?N-x%;?KP#jmT>`pz(q$E=AbDo${eW zBY*mIPwJBfDowAgzp?vokAIJ${WazG;O{ym%{WhIMm`$ct7T+bc<_km;w7CsF9=ITXyQcNQdNZD$4mq&1wDtCV_s5R7 z5W8Ku+cz(C{`9UFwh9(a-Zg{XoUyLQ{ry{qY;IKeaA(~8l9yxNFHL!IxLpi(EVSdL zo1r%&CxrJHmC*Y7y)I#*CAkUbkMKUZ{PFg%fXFTHJrG?P)MbhLA78cXYm_E5mWEw+ zyTfgeQ4;N1pSHjo`*Bab?H7`_%?O)c7UuCo^4JRcoJ~s0 z=I^*ZrfK+{;TzU9I_$AN{zl*SKMo%kO0Q}=vM~i8S4en#ju;b5IDDl_z!CF!atJ5T0Bm=c7uDkKi1UT&Uvkaa6&!la5gU6>#)2`k~DSV3e(L4q=c%i$CmLXg57o+33-u8c|v%Z@;`241;3DY0CZ zB2ZSuB=LlXKH)hfg~sBfJ~^*%J9wf{9ydfH5^zx-pT~bowj*Cxj%I0jMMZtoCHW}@ z$%P$w;VB7;xvytCj7Lv=RQ_oHnNjVp_RF06IJOvE?ByA{jhtDl_~Q(4%qN&^vCq`EjEq88CC>voIaX+O?%-l&qx$b8#tyo^tx!ZP+rU&bf7^c93GDqJt zjh^?V>!f4NejYq!=BazT?w$T*P}-!tAS_USFROi*OHbE!>e6j}4@t(4>vc=gXZ;cB zKWnqZWgv>;iouOMze;`9##7c|TG+wzV(u>AL70cUP1@PpzK`<+bK*x|=(IPW$?|@E zqdvv z_l@>L&ZwCKUJBZYww%0oaZvN3z{|HsUS3_CJhk<9q<&!Os@SF<+zBi@u;E_WutYQnvx+i@%lzJ@cQ@E-pIuQ`)nKlI}6*cK?>ZNtyaZ?x4$imS5VNo>+`s zar5R6dDQjs)GhUymeDf9%PS2X*_Bu(rTGakM1d+5 z3J%Xa4{2V$K$KjLQi3TIA~1C+!Vud$^wud`T#mAA+C~Ax|h0ajCKdh}4iJIYx~_M%MGJ%n)lG z5i1a|)~Dif5FQV#1**6RN1{|992F?lDio23fhWP6*Ac!j6h%UWLNS*wk#JGU3;`nI zYU@b8hF7Qs1v@-0T7c)p6$_CpV`N11-(E+I3Xy=P*M}*>3ZnF~Ql6k7C!$!Fs>;n% z3@VQ;Or*k3b!}ulMwKiPqFkj|0Tx_^N}&*BiBQCm3&B?<%2(kkRD`H7<)6qBG*rM1 zL3yZ1zz3#_GE4ZO2)EiSNso%efQc!IDolt-&Ks0cEX>o!#>)TpS|a5p6b&jLlpUX* zg7bJOgG$vE0xVmYq0p%iMNGV!3P07gk@Y;PWQkaaqe?`f1bKj>U`30k1X&{H0v{Hh z2oZ@9IVO<5d6uAJ;MEc$kO&b_OL*3$YR8s@5aCsuB_#$`6qj*6>9cw&)C!4qJAB1?p!JV6LgECDW6Je1OK0pBE^u-YsM z2f4s4D=hDWrX+~;y`y=NNMv%Hp71jITeBpiT$Ct^%#x($$A-xfxiCBjS1LH=Ihy30 zh>{$YmI^=BwUPdAm04nK-0R|!_NTH05rznP2qKj5P#%@xGP{danU*y#rhqN1s2DA^cE2 zKLizkS|UKGs|ewPQ*D0K;7jwj=14Kmn3Jp%l$Plw{M6VixjA1EPl2MNlEQP zMW5>0NTy4b9I1=@#GB^`@LM2;BwUowlSr)Il8)_&*|VYA9I3%W;cv|mJUuZ!J1wI$ zS&**`N5gd`$%%P9NgPLFh%YQih)$rQPjziXF5R3Xo}Ov6k)6R95eyPhVBy8UF_nWL 
zaxsSwoMt(46!d~cIFAdOeJ+m6|3q(#CkPdYLPV&LD?|~#)o4}AKQc;_nh>TJWfx}W z8osyr(rA|8n?ElZ1zF(&7ys*B4q3ZnH+q`|O0)0?#Z z|5k_jFfd2}5`Y9C0Z0H6fCL}`NB|Om1Rw!O0227;5Fqydr!!B}!2f*k5e2`*zdY+_ z;(G|`J8_--OWfmt-_GE-Blv9#eu?{B@QZ-oPT-dauLbypKac<<00}?>kN_kA2|xmn z03-kjKmw2eB=D9A1iEH;)x|HH82|hEmC~5sGUqY#nGz<$|D^vS|04fh{(gSv{5}J> zx&jemEZ@NTFY%oi_tyu%#QXp;*6#^^TY+El&nQD2gB2G?AJ^ZA$qR5T;Q-H*DYO~` zt})7Vz;RxyQK@r_^_Wqu)zoskYecFvEM3Y@4-1c%vTG4$2YIu>k6Ou&NlceUOHS$&bM*lG07ZYK;;v zvp!OftHAbSc`~CmAJ@nXxWNG8F0-r248`(6#2W!>WsMr0t;vZ=jFe{ElJgp2vy&2Q z)M5wOqtu0MjZ?5G&g8{lX(Q;SB657`PlPA<<>kHM0G>Rdb!t|tSL;A!-m4cUwN17H09rkgt*>5{x}g=Cd_j{1x=IdBR&Cvx%9fT=vJ+LJ zC?!ehaZCrLG${$eCW*<1!BT*jXOT0AQqSH6a%gQSMT6@e^~#2ZXu?T(Kp8MQs8T+7 zT$st5!IDbpQ{2f7E~R2kz1J30O)h09u+6o#n)c@D4clC%2eU_u3l1udU(p z+8W-kt>N|B8lJDM!FX*AkJr|4e{Bu7*Vb@-Z4DO$lq;{-DObe!-`{UH&3_8>wBK(3 zT>neVF-*RHPiB9nkN+0GTg)%~8<7X~f8w(#DZJJJwTG!Ou`eNQRJ5rvgT>|2$4SVx zO^4};2?QfvX0(kVDzCJrvSSvFafznp=CR3?cI4pfBVW>3-Wo2|t>#n@pb~uRc9Pu3 zCZ;inPTrUbQ)>oGAfUg`GN-8&mlN$an2Z2#E)pFvtiV8Zt)oLKs3iVG^z}GK3?trT zm{Nd&=>^c8bke3uI-9N6fw7xyWCnJ2a2|CL-BJx!SUKq8B2|WOO5C8(t98WWlRYRQ z-#MiGnjeH=xy25{NNet}*_hD?CQK}SJYu7I`!i5pu%(j@Brru@A;>HHJ@970V0M3K!f^#0kr04(WoCkGr{ddiJRFekVu=k%Z?*aTTBjK#OeYu2c zrmfalcT*!1i@{3Z(oGWbIG)s9l-cKD32R=p^T@Ya;f%zXlng0oO-buA)doWvu9IZg zLH1__zvX_cx##=lt$;mVb^}i_VO=@HV3&HsW`HzhY-HOfrR{UA_7=LDF?98_)lSpO z4l~(#m_}IuEVjcTL6mdec8NkT14lJY>>wah;wr4T03@X9?71HQ%O|G6{Aik~5rbuj zrkl#iWn8NZa?PNlm|Q7R@o^3pRmh1=R^%KBhJr1ka0xiV2^=3K67&5DL5w(TN~yv* zN+o!Ao{tCw98Abna(EI23bq;IiV&g7j}Qb0K5>;`?<8=*lLQ=Fg$TGDu>|9BBq9Z( zQc4gNS0MK#1Vus>E(Y2h6+&#eqZHsAF^bAL;B+g63R6fha9)%TAy}7P-nVgDcxbBJ}=)duXN2jW`Kq4BXsxqiQ_?$+(@naK&KW_Lm|1N!%#{%*f9 zL%Cf7ybErH+;!h~Qzz}$yzOUE#;vi-IHQ06;T-RV&$bZ*7v0WNoG3MY7RnFGSpL~B zgTD~Cr^E<7q$h`6+Y=!bHeSBFL96lIK4x5Vo5c94^^Cx2+G{iUPjaXIk=Z#5%U^wH za8YQ^#)6p(FURi++wlD_vN^inzDXb7Aar}ZX6^5+nfS}y+dIFSUOJxNy;GFQH@M-9 zZw_@@7}?`?{>HD~Z9ekbjvu6{LVx+JO+oU8xq}TAN0Np&e=ho^kLLrQLpLIRKIOgZ z^21fJ$#>NB!F|7Z8tJt-v13cGlRuoy?0swVnHz%a*!{lEKbkE2?yDr>dqJPi5O-W{ 
zxccJagC9IYQx4uv?wP+;I5mQQD?PzC##A89S=H7*eU3OicAAIXs&=q83qf>FrX>E=y>=nTOv}uJjD133w{kC6C z_@w=q8TrvawwYc3i#>h)wo4B#T_kApy@Yw~{O#t`_X&0)H~MYxofMWe;bXbaPYcu? z`~UpajZwFn^jRFx>5~ML&skdW*qw8pA}t1`h&4Oz14dS?rdKFas5ro84W)FS^DC|-0wCmT68yR+&%tA zRjA7xf3F{S`Q`ehsr(}w)@`};_=DjWGH&c>SrSs;cs*?ndUlp>#>YEOhU^~K#ife9 zcf4sf(hVe_$G15&FL+FhqS$k>E z^urZvH*abj`PuQ^-YKgW#_ZZ0_^N2<#E5r<{Yyl}`I8uuvJX4`66wCbr?>9&2@Cgc z*it&@>voK|oZ|~(v+ln)<6Lme7W5qzZLE)CXZE0-i(fUV*q+eh*fG)SSMNRU6~7~= z-RWhIz197v(R8yD;y=^1=+(e~SV4Byi> z;I3*>XOE06pSShydhYVp;1}Djue`_{*OD{Ar_r|A&sAQF`LXMF_ysLqwX0W3{hae# z4C9YSEbOh%m8Gq{DQxH(U_yNdynEvJ(oku)hFdzeVW2kxKIpw*>-)iT2c1*Zd(zmY z?D}sPuTH)8lX83L{3X4cHXYh`P(Mvf6#D&!6RRbyLX!th$qsGm+v8r`S93(iA58t! z6q7x4Sf|45lmK-C>qxu3=;B+$CI*TJ|Jcg7KU4Zq$K(698#nYA+~N46C$29udM$Eq zd8h1?i?hDXczLPE4|tG$wBz8Q*1_dh zMLPq=V2xUvzSx=erwRy(=(&V<& zugZI$H{BR|;&{XU+b6X}uT)6D>FGmy(&-rrF%Dl&l15?$WSAh72fl3=$e%iMCv6eu z=oq?hvk}?ak6S!j)c0W$zv#4lY_IxTuvwi`Ztt4e_Gsw!CntQq!E&+N4`xVL4&8Qf z(u={j=dU}{>WLtCTGsGRX#0Vk|nC z*6>RE7PQCrt|iYp@xw-1x2|1Rt6AlrbsoQdV}@Zu!MjJ?a=#lqdOr5*;~_sJUojnj zYP$SW*Y)>)jS0N?f%;MJCfinAWj7CZso%wG)|m!Pk1f4-lkIZMcxnvy%IhG z?Xh*3?)Qx!&z+#TzpB}ZsR2v79-jA{t{=L6UP01Oe8X7zlQ{XK_<39BBgPT)&yN&8 z{U~6I=MUkZF1vE{?3(4F?Ih;|mntu$OxZeZT;HQ7M|QZfwgvajcGD#e#vZ&SDC7KT z~>Uj-H7!6x3(H-d!vR4-)y4vdMy}R=BqZ&6Jb?&q8$_IXgos=_+=#r9_ z4QI~V|Kb`Lo@5i}|D_S<|0NRZ>eXa_%tp6)eM2R54g#aN0 z5rKju7I1|eu}CCFaS=~|A|mtpKdM0FDlQi|6YwzLqaXnxV!)+f! 
z^?z`nl@OBy*8{K}KMo!(K{yx>97TrX3a&uJ6`_a_H?RNmMG_H;iBOJ`%N23>7;r+6 z;Nb8dL;#Kiz?EE_kEzV-|A;~Yo+Ly#xLnQyJ_=k32NQ^R90ekls4xT-gTtH5>;HUI zB~eKvz?lK(gAhSH2s{`E1;>twIOK`bFER=xQ3wYolH3dK@mkSld0R{qzL?y;le9XN5FUEwp97hF!BghoK z0ugdBE{H9Frck0>F>vA#TGszDkXdr2io+G)O284EIE9&y%)^v&C63AwKB6+O|I7KP z65}H{M`S)$4@VUoOd{fPL_7?Y1FA|)&NYw!nb|bvBj#1+S>_Su4(2-M66P%CMCQ9p zJrf7F;147K2|xmn03-kjKmw2eBmfCO0+0YC00~q>z}K~{}BRp*#G}Ol2VuqNB|Om1Rw!O01|)%AOT1K5`YB$76Pxm zvpd}X-&mn5z%+F^(+=+cUw2l1?)fwZtuKvf@{zc0q4o97^P26s&Ri!<-W|P`dK~rG zWBKM|VuRC01awoddHYGKjpJotvvgv6Rm;6`eM|_0m6Swx+H}9#({F5B?^i3(j%usy znhvWmpIQX=v$k!HZa==GwqpR{cG>WVF!RZdbw47k`f~X1+A_O_bo`UH%{GOYx-wXO zC3I5;c{^OE1JoSRSML1mB-XZu-JhLAtAt3}1lmc|>GU=l&9yg!C6Ul4Ysp6jI4N0; zpwm^#Ljs&+-h5wZ@*#88oeog9!w##QV@Q2`hpmj&@vH~y>4bGUvcX}~={Gnl5gfV! zj(e@sAtW`PF<2Ro>i4n!`%YbSK7F^cg{01~swW~k6+ZjHw}1VX`X+@5{r@;sFVJcf z9QJ~@mE5|X-AA$x)vJ<@q$8cy8*Ab*SoukGQ!d%SRUeAuF?h9hrr!L}K*xjXs*eyU zS;3|R6PLj%1gXidV`?h*p(jqpt2H_8Uo*EHgRf&YRVoFKi!_Cpt+`|G)~Q-RYi>Q8 zmUPSywB~R74BgkT=4@M=qbR`Cg|>4M?1xtUlk9wT2i@9^jI|svReOw`>C|vkud`@f zkLz{TBhJ6A`P^IU`Muu3Lrj4TR<{mxQwOtMG-{1HS)STp)auJ+1zIg}#uezck}vn5 z>a3ClNP2`_Bi~{N*-l0S4UG}k1rzK4zTk*I|DIsqKOe9Q;1;m^U#@>6xclGVGA{@p z3JE|0kN_kA2|xmn03-kjKmw4!|1W{MZWL(V|F13^1)BH&6V+j(K+E}mb=WA-vj1Nl zHVQQF|5uld0{?gS|MO+y)$afI|6B0j(;xvz01|)%AOT1K5`Y9C0Z0H6fCM0ce=z~_ z?tA~R{r}AC|9+p*nBOwzG4q)cCd2=v|04e)|6cxne&@iAzvjn7Kpa0vqm9c3USZME z^eJ7*F0oo2t^scn0ADH%t}x0BxPkD+w)#?0-|T92ibxL&kC(D*6#Z-cWGh|7*qLFe z5xv7wgZM}=+xF&x#c8E(&a~=W4Q4FXiyTS(MfNy#VU+ z>gYyZz0)k&HM?4Gq_#47zD|~rEXza?L?EMfI&ACYj!w7+WmM;5Wpz)g&c&*lH2r_S zA7JwYBa#v+jhCiN*|tmG!N9uoWkp0dy?vz1SKu;R9d$G;RJS@&nHAl*ej>|@O@U;q zRlOsuHAAWwpmguAUL0C5Xu)g^irs{hJZ#^x1*^UwzEvwmZMNQ`)v6&K|0v643K71w zH=FoW&Z5+$9WxU+osyj5o!r`;GGz=dFuTG}#L4#1Nr(EOEvO8vljdJ*?&{VT`-i>Q zWbdcFh9M-q*+f#Oe%}W#)2a2iL53OGwaV6LZT{Ik$l9I9|1pN)wRa5geQgb&*VgcU zZ4Iy2*6@674fy{5YrOyOS3&c1SxoZ^^3*c6c-(MV%#83K@3+xBI{#Pyf!hzT*>!8% z-u67h8@zQ}RE&eyQIs<3X@+rOCNbE1LQ0?FPVQjnaTREz@?=IZwAVPz5>ei3K-Jlx 
zl>BSE9JcW%*qP#=Hb?Z<^NtOEZ10>==Pn^p*-gNTm1bha86$5+KE1gS$N4YV){C6G-8piUUUd(foU!+9n!N|b@* zB)vv*YEFi2w(E70;q)?i&Cw4w2~1$9h=EwA)f($cD@lFHs zn)r;W(}`5sWvy#ex9U?hKvaTnz5OBEQNpM?%(`H{Hg>lw|70U=>N}red-grEY}njfZ`YmdaLuQp2{E>d*{OO4iz( zQEE}QXF^jbXc<6~99jm-07#FmB`G0PO+y{RBsC3`(xfB=nkU%X2 z2>*XL{;vfRybTFJ0+0YC015mbduIYq)z&_KQ|8D#r6gk<&OC@R&+|NUM)NVxQHW4c z35g7qq*79fC?si8N|{2DBqE6<%Ky0Cy6#Q)-rnDR-{0H+w{-7^z4x=$de(RE^*rl2 zYoBKU0)PM@00;mAfB+x>2>j#(K>Yuc-$0-~AOHve0)PM@00;mAfB+x>2mk_r03h%; z2!QziZ$JVffB+x>2mk_r03ZMe00MvjAOHve0)W6zP5{LJKlu#=>H`9R03ZMe00Mvj zAOHve0)PM@00;mAe}lkEnhYz$03Am?2MfCeTl@+vQ#fNa!vO7H7aiT=|3CV}9H;tu zZ@>Q!lT^~tF|mUrl}obi|7Vg^(jGyzAI<;I9H;&3V`vqp#Ud1}M;{ltG(G2cwy^uN zWU0#+S+`uC&gDgy*(?|ENS?+gsIDm zZu*zH^Ml=xk5h}&U=bqIw0HU&H|4i{rAv~gF0VfJ2h{(4wM){bE?>2T+;0WslXc_N zKkr=1v2;s{yR0mO3Fa5=%{YhGd! zmn*cqUxLSNT4rC0<;pK<^v}Bi`xmn2JiD_{hzg-m4ii%VUht(A4*rSGWFM}Kl?|c|9?oH z+2~8~X87-n-Im?(=sRn>yhM9i;HLeL$8F1gsJ)ybe+UJaxY6aL zf9Hj0D+#>6Y$wRL)C(`%hBFWXN3&I2u12k<}NesBijHW0Uc*ZV9ti2lvKXM3;_ zi;$5KeX`3^i$L_J1}|>?8W2RL{Ymli2o1uAc==O*wF=+6{ACNj-&uz53I7kQ!2mk_r03ZMe00MvjAOHybg9O0(|33&5R0RkC0)PM@ z00;mAfB+x>2mk_r03ZMe{Ff3~vi^^zsfhY7RTHQM2mk_r03ZMe00MvjAOHve0)PM@ z00;mA{{sSx>;EfPzM|tA;1b~S;O5|}=Gw!JpeP^!2mk_r z03ZMe00MvjAOHve0)W8(3IRDr8+t4f10x|&WC#vTL_?4S7#TuM3PMpt z2o?oHL$DYO7D2|qQ3xo8nJOP5l(Q3qFad-%ff+1lja0&rN!Llz3 zB5@Qno`8ZwFbG=vNCXZF!NZAI2$@WTp)fEE0*WTH{UV6LVGwu>0z!hpFc2i3h@k06 zBtf7kI1EcB!N^EFg>_L7O2pAxLPH^B0s#&|l3+Lp9)*EJh)^t!f`=loND7+eml_ci z90i9%KqzD+twx$2i+J!51R8_EKq*8F5shYE6hzaM!BY?j2myga(Q2f1h5*AOArv%` z07VnXL;{SkVo?xBCg8AW98G%^90x%XX$T1fG?4}Yjl$t5SUd%ZXId1*;?ZOR8G)j4 zq}>!G5sHT3VKi-N(1;`i42vWX(Tt0Ncs%W95l9pW3`Hi2mk_r03ZMe00MvjAOHve0)W8( z3IP!R|F2*NjRFFI03ZMe00MvjAOHve0)PM@00;mA|4{-<^8fuu+XamQ0)PM@00;mA zfB+x>2mk_r03ZMe00Mx(e~tiH|Nqai1}y;sfB+x>2mk_r03ZMe00MvjAOHve0{>eC z7UTbw-1c$%TyALGv9-o?F@JBXW1y99m!0YCr{00aO5KmZT`1ONd* z01yBK00BVYI|Mix#pwe=L!ttF@zj+|4>*?|a4bDwUwXi{^ni8g0n5?@=A{QKmL4!I zJz!jVz`(&M&h}Nel_%)9=v?Sn+gR7I_%au*@MM}}#525RAk&Y~xp0?qD{<9)r;C4m 
zI)N?DltpOmTKYtM2%g|eCg7=5GRe&=;Oid-T9!H*);bc_8k)vB5?@bC$gxY%e!NH$ z2By|JdODU8re@X>rZ&dL66Tf$CK{Fw5=J@>5*jwvW(KCTDok`ttrdSM65{1YmasN3 z(Xq1DFfsqFn6{3thK;ecgqDq^B~94vtH|eK5S zb?m>~nBNIYn3*m;FCq79j};|;h56+Vl6)L@6QxBgZ9 zoAwvAqvHL@iW1+~#6Ql6MM#aN2*)>yd@241Rdm0r%F+VgRYpERFwT%gX#INn#Nef4 zV6pI$TcGo6E592Di!%SmM#2}Se|VaI9sK|7fbfnp_&gxket8y%c%moGIFV?k%5Cv6 za`PcaE;*m9N&HL$SJq1mOyak1q3*D{Nb!jkh6a*LJ8$D`u(e|ZeH!+v=TmPjo5 zQ|ot+!IBIA`eQ((nTHTszwjXv+B8eMX!pJvn6LKjJ616?fJWmxWk27G#lC&LSMYC4 z6PZd3iVUDt@wd!i7~VIOETL&^rukJvcKJBHI6W32KMndgzh7>XKRz_X6YfSLhj|gn zZbW|)*)5nH9PH&!btC$Ek*SM@%q=*S;7um}V$;4aulc)?{e8LR>s`Ff-!CH}_f;81 ziC?vmk5h`%Wf5|rb;aoKcZFt_zu%0;k9UDq-``eUJ`NVA!y@EH)7b2+guu99u|e@HbPnU#<1$q4;;Z_}SWgot=F(1b=0!XttY3n{F+dxgRh5D_&ahV4{D( z;xtglo;Kb5o!9XQ!c!M*;rAtes|6oQqFEx^r0sJ(OXp&;vY)YhsqSxx;)x+%VKlq= zHztxlGU=rF2l@Tt?Uw897n8c^4S#QuKdY~0W@=?^sX?2a|A`TFBQANy-6%AF`pXo3 zab~Y;W~pPKXZp)5UT&$F{8y1hF-sj?9olqVOULR6bRY97aUDAg9qLr{Q zU-WYlS{hbb8rnLGXS8*Ub$&bZBOUnSN4~H77u)_lwSO5({sDNJaik4&n&w^^FYf}D?O@0kazSd*(y+*%^{-If~fIo{|tmDj>g&=F`eg4q0 z*V5R@E5PtOt$r5!rbT)1{{LTpi~%G70YCr{00aO5KmZT`1ONd*01yBK0D+&K0Eqv8 z_B#ml2Lu2CKmZT`1ONd*01yBK00BS%5C8=JngEFZ|C$ky00aO5KmZT`1ONd*01yBK z00BS%5C8;zb^>7kzn}dM0{sC2KmZT`1ONd*01yBK00BS%5C8-KfxjjI*8l&S5s&}` z00BS%5C8-K0YCr{00aO5KmZT`1b%h`VEzARzk@)3KmZT`1ONd*01yBK00BS%5C8-K z0YKod34rzgzh(p^00BS%5C8-K0YCr{00aO5KmZT`1OS1bodAgcfA%{F^alh00YCr{ z00aO5KmZT`1ONd*01yBK{+a-Y|Noj1kN^Y#0YCr{00aO5KmZT`1ONd*01yBKes%)j z`~N@t9R&IV0)PM@00;mAfB+x>2mk_r03ZMe00Mta0IdK2H6tJa2mk_r03ZMe00Mvj zAOHve0)PM@00{i-1VH@%v)@6WKOg`I00MvjAOHve0)PM@00;mAfB+!y*91WP|JRIw z1Rwwi00MvjAOHve0)PM@00;mAfB+!yvlCeS{y!sQARR|5OA+lC_yGg}fqy4~WC$ZK zosEq+(Z&jeTDg*yHGX}nJr<3{BPa+Qgp5KVAxH!a3nAcWf1$`&A_7IkBFS)?1e#1B zBTx`H6h?+1iBL2I4w&fFOU0moIq>*$?mK zyWBaVuNRpb;^swC`=YB%5Sio^L?(u~g$8-4d4_}pNFy|);kvZ{U~r5Ql=crsJA;Hm zp|n%@&=61Buh3v}5bc-07l}ywMa29167WPHT2;XT{?uTyTS#O8S&isVBFh95X=d@lM~Tb+|)V2XU~zOR&CuV@|(&~X-%EY%IUWOy8s_@U!5e1xMW-u=j!C-Gr; 
zT&W6D&gNw4v*ylYZ6=CcelrLkODn=PB^KYRc=2PMQ+_)-P{rYb?}4I0G-Z4;ZrJac57fqbchUVj5^wCb&-fOcJo63l@J?eO5tN*I1YXoI)c!N`Hf4bZKD`x1OawoE}GUdT9 z=KCi*SXC@;jhS!qxrENpLcY?naW82!fR#jda0YJKeM?{hZpfB>+Gpo>acE{L>Rox> z90SW(^gBrYQ`?VXp>dFAwehe6qMt@rE9qYqQZ3NgeT|QwWw>P}s~Hz=)aZBxTr_2d zBl-QR8YP33Hl}CU6usFi>6%M4%{b}$H1ih3o(PYuiK-BHJa{W z;yAkLLU%OezK5=M?{%B%RT}#=n`@xiae5)_j(l2;E2qtcD6gc^SWGN|mAWo?kClUR zM~D>tnw`AkRp;}0E|Ri&PdwF`pU=C0@yL}`Y)0zE!<2YJURvcMx^n`u^XnfeH6|-Ed}A+c(I^xgN+OXUI3$ubXi*dbgg~NM z1t1Knr5i6=L3Tl_O zHL_cj7a3fwl3fUF*rlb8b_v6T`lPYoBKB=~roH0ECiZ|6sYN#`tHX2a*0UHnv=tiK zz1f-lSl*x-p-!RO!9i@W_iiX&5RR%fS>4)-DPP$6ZnJT{!}`wS@7TRuGU);ini!V` ztlqf()II(lHm}~oe!mW{%ZXPtjdYt+O&_@8E_1%pa?3X34Gfmt|8Pf@$i^AT8j+MF z-p6JKCoCWS%wm0HzYR{(48zZD@)V4KA^1Y@UQDC;IJ|W4j{CMz^{Cv&J zvVQJlaY!nMK+VB93R^MK@O=GBx#H7TH(T&H^i~I_v}qOT2YI+zRg9wf8TsN6oUU6R zeh635*~nilvyKHZ!naqy@X~JiJnzSpRWpJN5ih6vUt|nFA=RoB9McyOiE;9FrW)uX z9#lRo$E{H@ci&^LBEqRQVRR)I(>9rLG|s?2CU%3Ly#=3_iBQY>>xkl4vAblk(LHNI zZrJMVmuYLR4XIR%mTsGxVf<*b`N#_K@rc9yIrnTn4ydIk$$k>&XD39l@BJ9%jjAl> zb#IT3VVphv{=@cU**tkeHrLyI#Pi3w_orT+3-3DXQ_lNvlT%(f>JQ)Js==HO4v{^YxLr z9bSg--K2+*wbJWihn*lw+4NR(HGJcD(XwkrPd_xXyK+qLJV%eG`sFtx%)OTnEL@$= zK=Mu6-<64$TPq*=0@J{kgcn#Fcc#H=X1K*qJLZ@hNtRF?WoL|}ksnz|l?qIT(0^kt?D0e-nTUfUAy_;X2SJi3Cm7 zA^d~kkzQt|k!}_!Qj~!i93AYa=@8}@5^Cn?@Z;tJj!}WblyDdn3;{>Nkw2}un24&H zU%gK(r~0wqK?j=^sh7lTZiJglX1yTj_r{IHJZ$54sZCqo9WDMbR%SPnt#vw6os8E% zw{24;UT9$N@n`eslNXgmqO-#rJa%4i(vj|d{IHuGDtcP}!lOcc*RJI43+K!hUc>xz zSG_vzamlHDoAw%!DK*J~aJtNz+|JxfduF1K71{P&L>-DR<9VSHbTZzx)zba$#rxJz zypJ8gA9SYY+;Tn$ek>q%r)|;k6PM%twmDo*EAxCuyqV#}YA5<>w%yN!uOR=(o72v1 zB5M7v?}z0vZjAyT_LhVURTV|;kKdbT_O_v_VueV$Uc-Wp)|scLLJyBjZ4Q&zEG=tr zAlp(_yY39D^TELly&K|KqmR2M=suEO-CNxpQSE>zV@+o}E+(GU&nO%D=K0Ng>t&G{ z2O8*(K<*~dbBe~>`{%EoJ>vA%3>nx-*s+hg;XUwUli50D zF*W^Z^U-4k=epL+pgc0|wrxO2?XOq8dH2{n$Mdf@JO=y;Qn!Z&qIMvn z>G+4FR@1$k7&gy&*l~ewqq1_jmr!J>Ldy9IHo>XBTU(es?nfsU;1}|@beIptwY`rU ze4>1Q;<tec_r@FC@e?8F&=ga=Lg$T1zHIB^X*m+LK^Ijn@hU#CarJ&*1|; 
zT*%K$rM@{W`Y?m9METC4Ir^ZO+C#o(G33e}gc&2kl<}cU1<;WAg5Ct|`~7^?tR0$1 zj}P7LK6_GSJ+4=_gw$uT=Tc^})7?i2(nA%iVdJ%N0}#AKbhVsKZzuGoQ7PnhK%Unj z-Y^#aHOB&4q?N7*7+_wkc`@;t(7RnwaQoxZ`;qSZ@s9}Hf%LdAasC5`Zp;tgNtA+8 z*)gz=a<_sLK1Q`~$DiRp$NvF~@qZy>z`rx_0d)fcfIu>Y`CI>tM!-l|B5i_>CZW*~ zBn6Fu5YV(k5&}sfQxF&^1y4dEC^!lZhk#JXNX()P9zuYT@DKzVgP{o!F+}v&@ZZ|g z!NNiZiwrWc^Nk3<+o_(B6wo}oV8em2-2_s>YA3KXV(pz6|;MBA;@$_Fiy1`^1M}zgf z>&AI`1h>G(x(?}{Ipvs|G8L16%!c`gRCk@4>WhzJjV0dkiVO<-W#V%-yEjBnDl)7+ zFXNUSAf?npK6pj77k)P3$kFKyN-Gb%s@n|9&ODO&Lg>K(s)e_G<5feAwFk>sD)=&< ztjZW~QwW{xIxL|JTSF1sDY8}FecxQ#Db3fasi#f(H^emAZ8M4-9$%$8Av#$)c*JL& z+Svek*}dfqnKvvo%vZ;5KXkq^{`R3t;ckQdhoL*uw~HODb?2axL)BFdW^&#yFm70j zw_wn*laN5}R}Qan+%_1VIK321x+MC(FEEj1Teyv`MfF4(j*iU zq+u9F^$Edil6(z(9I0?eQxYm7$lC#}<%JI+8|s;w!2*dtZZ8m66)0Q@jzFPMFc=K} z)7pzL<)-Vp(z^wEl5LL1?)_w>Uw5^yJU*RW#Kk5dKdme)>5LWT8q@hR83pIhJvHo^ zs%H+86`m=JS#b9|mlpq8=gH<2tLL(udJCzm9_}cLnKenUjoypy3iE;-OLP&xCgjme zj&CVw^>7!L4jSdaTAO0e-`u%|wN2Bi5|i5*B|4o!y>#q&;`_0K(`BAdhgfxL$J`-% zo2+Iz)J>&GEj@CgkE$Mq3cq2dHI6_x2aYOr^+`@WaylM*f2wBq z#Yy8eRjK(~Y=SIi%tk{fH`y1O4(u^v&A~%h1 zH&${$V0%!xSMbSQu0HEV@`EDc_ZWvJe#ENplJ*uZdvqU--?)Fh;_a~}L9M_mU75nkbNRRxtTaykAJVgH=%rn&aOiujw&ghr@y1U$*j#Fp!+PhXL)l% z?3)(@>&|%ZIH^`fO>!0F-)BK@p=keEnw z3pWQ%V_(O>AhKsbBuNwJZ$Z@y(IiLs8ER^4=>IDp7ot_*XeBHRLyP}0SoBY8FL-5I zJU$)}8L&b>-K9V34X-;?9ZRQM!#RbgcIUKRREZp1X}%9hF+9~5!4uHqlz6joK;0@N zK*ohI6E!#8q5saA8?TAlNGwRXOfGby4cdpZaQbQ?=vn50#e$v55Z6iOJ7J1EYiyfATg!1P35GR80Y zrm)PaxlAf&*IqTnB9ct7$O+QnA-Q1It}Ct2IrW&&v1@X)-?D69iPf&xnu3(Ik9S;P z+KgDCe&tBT;M+Xoi}D|36Af;c#caJTM>*U5%)Q~}_;{EJ=HBpul(deK{D+z(Dg8DDS*@R=^*g*jM1*9rtj0r_xK;=<|_Ud`-#xH_Dx-G%sYe9v-t-vpvn7=-54VI}1&0 zjeVCq+AYU97BoBRd+p@s_}`e0qmg9?qcMoj00BVYUnP)?W#n62+K;pPytdEA7N_^m zukA0cfRlZ_@NRgb8;lf!@bg6&gxJCC9L(%&Jz+MwZa#i~zQ$M^YfWvegB{G&$IR4J zUlXeIQ@s;F^`{caYNlu;iE3wP=@StU7U`{RuHoTe>ud32tNf;U9New_0oS@ry7sBg zA@9^M8)(ogY6`!OePiF+q7`>z6K*O%LL+Cgyz|D3V~;mwttP+PC9oA7!W%-l4iP|A?NBI(wB3Kp~eo@-;w)h*sk|3xuxY{m8b3PZuWbb 
zT{b;Qjan}Tx(Z#@FRh-v_++D&gSJq~bx|j~M7A&}WGqwgO-d)DP+*e88>I*FMHWr{ z+pme22y6VjHYii{aakzr@y@e(G5)KW+MmhZ=hj$I1aZ!5JmM$Rl ze3hQ7d$%;h*=NjV?ZJ9^msno*>>-Bkb2^-qZP`VTGK=WuzWqTC*)q7Q7GW?J&vd-2 z^SzST8-?D!*04(c)Ri*_KT2pO!s5A32(WmZjX0hA=Cs9)l#QJdFBMfB6;@ie5jVAN zql=i8zWBgj^`wksMj3(P^k5ffGWlf8LfMB{>ragnvTk`bUbkY3Z=ju4A0-$vUM1vF zj%z-C*>k+>-pz?a^?pqEj~$$5t2;N>nl?EY#puO-Q>r3^>2>{;_Nzowg<;r4$pdZv z?6%{)RWjS$pBUV+iX!akf|!qN+xuD$-fYXc5bSh*_^``MPsa2>NY2$=XlQJzJ|F4s zf!&Id5XCWDwwAQ48-om?T(Tmk#e6x~o4bnIQ*U>d z@JY?Tk1aew?=?)hZb@pGLGSoro$-pA7AEQYC530un4NQKh;s&4iB>?2is`+86r&s+-!n^$e|P+DoI;2 zFr2C#NHx_^`l((I_-s00j<)(ChIlvy9!xZ%m^#wl5<>gq^}~P6cw7{5=u*q-H~eto z{o&1zCfFQS9JpT4T5KyNO%m-NuX;5S#a=>izMY&|x%0tJ;eZlfW(G%9zH)mii*#?0 z@tz8EXErMrk&46z!`Il(D?fW5ulf|Kv+vw4)%Z1QFsBju_%5Dp=bk@|s$V;PCT!St zJ{;*y@}h5;lu)jCeEg7QB>k-?q(Cz3tv6O$KCHWa*TwT~)>(kH)hFr+j*T}8s0_YH zRNA-h!_Cu?vsYA)zS`QXJh^G@(X$n`79tW=0@`O`827TM3nzJ^2@F2#>eJwpP*_dz zqdUY;?m+MJ)u3)P>&}$verQCXE$hJM~*yfD#`FUX@g>CxeGP+gm7weh!v5QXm zx8K;3qHzr+6~cFJXpgetL2)}7@A#9=+nk-&m(x8#<_+j*d5XIV77j54;@ukvF)`Xt zjy74&@KUIoFHK9h)Ee((@qcbH7JYw%S#~cyxAs)@W^rvRP5BmivFHO2P?IOG`ymQ8 zRlR<&;q9rks;!1&$0c9O@m{pbzex=EkKhRRVr*8;stBeN5UNZZUsny#c;eMP^`BWmG#=Q*FD+ z+LsfG8kl1qCcQ22!-M&?8hqN-J0~$i-ipUoe7Yj;6ry7ysG~8+G!Emn3DaZbp(|v^ z_cX1l?K7{*)+mV3VD2#A5k;SSQ8&cj{6wPS_2S0S&=P9=e-g8LjSGp_{Z1$m)Z`jn^mNZK`_FC9Ad5KPtmpaGmA0`&_EfP;ltnvysvhY zuL;Ql27v?yEB#dO3VgO5J^_&kJAZg!prcoqkA<(fpEO+4!o<|$$81N)-G}=lr*3p@ zmwMrBoA=IM&|nkGV~1P}cV_J_UwO6+?&z%%b)~nD+Vyx&RMxpQ)TC54K5DUx?0(fP zliz*a=CFIHLiq?^V&49fXT3iv%vZlNJJtCx=Fsu+TIQ2`2zr;JG}c79uZkAGP*~D% zK6XNoWKkgFTDg#ze`7}jgaIq3tbgzRk$Q)7A=rg$hq(F!7-Hv|<9cMoxt?b``Xfgp z6$@%rh|1T`R|ut=jG=`SrtRbwo^Nl~5wB7%LmsIfA5D#j4~~Chp=gkoCg-uDd*IZ` zFolh^%p$jV;$w+qIorgExWq%38Pi%tpGNOF&^~c>qVuq~Rhp+9UN&gLPD*j$eZ>aF zjpx;HHa+J9j#=k?(&oyk!ZElb5M*Ms0P7XY*>$XL(wQ2!B12(UIlb}BgmqTkW1R0i zQMty6eH*Ux37>R!(mjg5-W*?j%E%|p9F<_~4s$a|F&Y-p-ZJYjwA=G`Q6*VQ1=jER zh8lioi){T6!-s8xq4!&z$u|gwsxJ$7kEFLekBZ*DF*$y}mfmpc#kHG#j^-b0Wb!>? 
zer{%5)#Aj!{n)*1F}StF4&_zZyZe~WhGg2GJya3f7+HIDNTC?B|DEv(_V7)!sT-O^ zGMwK{T=U-t*?z$FBWgXS`q4zcw^*R;;8?<7d8m2D+FB@&Z1`zIk-g)x5jQI*B4TU( z+OQi9Z|!JKN!#ceSzM%1J|uhL-9jQ z?8q%s%I`9&S7oFKF=d8j!(S(0GYD(mZ!CUfen+LnX+nlhmw5e{VU+&M4fNy3J$$y5 zSRHuT7b{$N@FZ6PHy1`O5GraDir5pj2Fvgh(wRS` zOy8IZZ&XEmj{gl7X-_oUoySBCqAK(95+Z(ve&P*dmY#yHowP6Q1)#>v%@`dQq^^j=hY0nUAaW9-RAA%ZxL$c*Yg57*49Uj zj_8j1`}uKI2CpF8Jx1c4GYc2EpK5QC(!0LWq^62JnuWu%Qc3OQLDrG^%E}PiV?`Z` zUXIEb zX+F=nqa*b0R_S8?%SNHLnQ_d6NfYb3oUoclOl}Bo(X&P!TvxRzQ9mT9fjQlA_w=Vo z?8dplHbYX$C4soRr%p6jQ7;`&%8b3fr$7^#PN zeR~R5)hkPO*9oC{5z63zYhgfzge-pL31NFAr={HP4O^e9pTG%evYWFh#H6w!^Cb7H98fwlZM#(7;82JnLF9ZZ*I+a6}p z`SA2eROxSA*)SlwJt*`Xtq%VGUe*Xa$1)evetHMrPk3dLvI<0)$ zmd-A%^{IfhFkaWGXdTa;r|yRZOD%QwcFfqvC9AAh#(4bG%lu1?hn^=z%O_GF7p!4U zqOAnNLonV*0*tl@sBiC&vp3O$+xVJ#8le$>nnh*xn#v?44qKmM>`}qfIpmoSJ zGooQ19HwFagH!mIEjkM94X4w`2J??@sBz2+*D9hUWvd&al4nEA;Kg`v?vUKUoF;kw(s5`^=1Rc_STr9Ls@dDg*2PxQF5mb9eXT{zYGGr`xJ~jg5mqGfguZ<34wjG-+PL>YJB?lkx(dACb-NJ7Jw1E%{dMiML((&{T==E(Tw0=|0<| zFdhd+%QxmqT9rGQVp-=%n;6Dt@vNZb2#Meyu9w(_N|Iti0C} zj_g*^h1NLdlhV}ZO|xw{rFQW$pW40)F)!Jbwcg5p-`ot>Ro})#zT{4FJKXVk&Xxp6HJi4 z9$Xu$ZEh6wg9{IjApSS=UwH9forTG5!sbP}oV}j(zPZ-&_{9o^lQX-`aQ=HP=O)ZI z6Aip>Xdy(y$|vqn=l4|}+h%oPk8zE2ub7o=dEeaKyz(lw1kY5>eDPx3YU%Ys#|Q#XL`e)Ir?#1tNy`p|Nbh^L<9RaLYZ61S zD}!$tO&37Lh)3HKYkYFjugepyBLwn|y|(5a6lR-wemG;#(7ApKtu)U2Ts>&Py?2kw zc{ep0R}M3H_-_hkdUwTO++o#TmfPnVMzWuTj$S=rFj?b0)DdIcny6OLp42PmqqenT z%0xRvsH;1E6FGejCn1=&ZvA0x`ezUL6cgOz_cCp<(<$L9go^M?ZLYZD*;m>!EjXGZ zesSU|cTFh|rCj>m%@)nI<-6W1PYUOAdbKf~zI6~aQg1g#kk3lld$wo?3ezWaBEN^- zzHSWa!}e*nH#Et;Ygd$pezC;yOwY&F@mmvO73-&J-U~$5Snb!of|H$$UU5Ifh%&sv zvh8sQtCWBO|D13{*Li0x+%f(IgRzT4FSJC(R<5qdt~xX@&7RYHl8-L9R9SRo;5LQ9 zw8l<`6SDKo47G;iLA5SNd8_+(=60AG?g`SYJMH2e^FZtI;hhXFy=4mxR~z_ydZh|Z zZHu~lVTJX^qbWU1EBT^PkXK*A55ro8> zX=zeOUdVspt>Isi3?Pwk7!(DCV}9%{K#w3iEyutwIRF-?E&f4XQTPxqf2!MJMu7GW zH+e@)cq5g!Gv*4f`!9L*b3j1BF&SD`28?5$= zY>wi2JoVO*xh^N`y6yF5`cOYT6{+~f4o^t>HWT-$BWl+#O|r?H+0{trd-!8Yg`dno 
zQ$Suda(i6f6RnTs3+v!D8x9^iiH+RA!3eK=fA3&3Y}>7s6I%P;c1lV~#}=O2aNAt4 zucCx*Ro}$q#Ljix%A$hk8g7UL+ryio4BLo)rZ4QyY6ug(?O*cSUeKRriuj;Ww%X4y z0n)vH%K^UdhYJU^coO!UGTtnjeY;>cwq@J39pjz(Nj;4-&@B5M^HnF#u{G8=*&G;1 zy22-a!61-_u!4C77ro*8EXP1O>Oe{Q#gqMw(?eODMMZnLt}+?sUM*`EfG5~Y5{72) zh7>);A@P`M#+BNjP3McAoZMi+-1$-R5#)>Ow`)k0NDk151ZgA8~1m+W1u9b&yZsz5l%_(d<#mm90 z_m(eb(}-%?V_3oEGPQIM{)?yDEXz2$#4|1*;jw(i@LrI#^DGqB+sk79rYu#Qys;8T zA$iab@28d?J6Di>{%(lh_V#!8r(HH>n|RmX>95zDYCcI?9m-wI!M2qkZ=I7ZxJljr zQ|J4;rL{AsxWX^&JLPptQ}tAlu%I@t?74!gVfH+ac#CvL9g-kkHGLo6v?&L*2b^b< zHkYBiN2?BdPR9s56KBh?sEI3(jrB3&%Vyazlz+sQEf~g$D%5XE?mEgWBuaiXQ7YMa zt5H6Qjp43S7O(i(qSAUfzBt0$n@BMgoz)LrrUbkhU%H2ltV?z`!3?JAQ14?bD=y(? zLfR_t>NxK{vGT08^%ceNHJtpO{Ig;23Lm_1=Q~``7s3%E8nq@39iGh2@JDM9@K2`@ zaJ2K#Hwq@X!7MDjql_XfYy%@T5io)c9B1JfiSX6MhJ|@X5CcrKt$h9kYw$UR02Yfy zp<&n`OgZwW*5KXf0giNf3^d^cVA_S1>k2Q_Q@qA7v(vFYh06A}0x3iZzh7eHuMHDU8SDnQ@7v4F*YHQs5UzN9H-i zX&<+c*X58GR?z&Q6FrZubXM&S!je|d(&k_!;S)iS|a&o~dV z-qqS}5)(XSc_*3@5;G-1dXlx$Clj>`>m#-aI_(%6^T3=?b8EKG{JP7fmzT?ie2dts z?56rMFp?bsd*@A=7tUxfM89}gO8W{k1>1>hdRw2mx=DjHA;S?M6}NTr)V=QU2JCTe zS4pk54No_4vPC{$b?)NF(ImwF6YmB3ckF-IA9dH_ecEQlqPi#71D%R{*HW%d-VUG2 zT4Ay3g53p1O0>Q`t1m8WPKW*4(M|o3ixK4#5#i#)k-}Jo0GB!z(zpLReUzDrMxdKEJ|tAv!PpC8PWDAbYH8yrI#@?LH!V~!RNE3` z@Z-i{F+l)a35vwRU{KmOivGc=f%Mh4y6PKn59_wrsJ?#K{_%LJPQjxv()vze+X6Pb zpo8L$+t?~^1qh26x4HJs#(G&f3+ffe7Q(uy{2?P1?CiGEr?qdFoS9WBs(f{4cGdWa zD+}-UD8q+_k`Cy43ukYRJ9XW-s>Tx;D!608E&M@*Qr_P7=TA?suD$RUc>^)-D-wpJaAft2BP*b)WqOdI@tpf61wPw(d$h z=CCvU#W>!XIfF;sRH_uKYkyT%_dpT*-1xrmEqxjOla(l!&B-}#dyo6?99?06wx{cQ zj*2mjIezFyOA=e!hxhlgOB}k=dDeyDd^V7I6jMK3eiXK5HOx-LZZ25O!GPEBc+==7 zmjWvLDNp#iSvyZn4 zH9c84yui+AYp8s8ByPRBMXzxkKbuUKpW)TSg!C@#ai@}-#Vz&2&UK8nCp&7|t;FC4 zi1T_{@1cF1$1>i+-)%His;tp^d1!C+j$Yg6Mbn;QlUwi2SY9$As@-dXtWpiSaImr= zlCQtM>%7<+f32OT(uA!-2rJg#_m@4%eqZw$tFga8n7~{Q%blznmu{!E9hq5o>zYCU z)#dH|z6>mtwMOtGk(=`v=Mc{MU;}*ivX2qo?B%HSg@wYm?N*N_=#;OaTnu$oHY7J3 z3p=8s{rH~ji_nZm-AWlfeu-$CGtaA|>d5ZvHji5m?LCvXA9{V#?@3Ianqvj$?q-Ex 
zcJgf2f|?2YiOScbDHBu<&jH&9{$uqcHzP*16U4YGs-&j)w=SGbX5F|Z-8k2XHy!o} z|Gahn&Hc*rGcbzHcA?MlfBRzmKgihr|3~lxdI1Rh-zJdE!TgPn|EFI?Fd@Q>p*Ap- zaUjVE>jw|8^L6lbAW>~KL# zc%6$+OW?AH(@whbcz50d)VAH;$!AX=-m~J^?Zo$@hYEcl>Fg&!mMmIDJF?CXB!Zp?A#p?HSstji^-|9Fe-(n^< zc0|?KKxNRxxgl_E#QGl+ zkfiuwTSW)UJi+2tQmXHhXPXT-JR(0*3L0|DLRB}yoc+=bdb5lj z@Bl#(^-q`&mpoNpC9I!z9$78^TCuWlW1*mEV^;GalK-SQOPAlJ+nAow$M>d3w+kt^ ze|%+EquVptlVawHkX^PW62TR-Y+b8U0P5Nw~@2e4Z@?B{^{yf zf`q(ZNM*|U=WqO=Sz1oWoTslF?rwY2RI2i1^c>GQ3v>O$7Du#b>+!I{sr@sfVz&29 zxs%G&jJV2u=`N5TEv&a#0d-8)t-rEEh#!I4&vO`IW+WD?o)c7;jVaDQd8b%$n@SHf zJ$bbE^8O%hMdbQ|TeULg>()^3lEBN7fUUoj(E@^V!lEj8!ZRsEr8C;i*G{nORF z@6()%-?!2kuZXZ_rDVUe@-EQ!$C1P z4CV*F68xv(zt<#d7XQ9a7F~@!5LjT+<7sGZxB4nk-`Z=>B%7L~JmJGD>YonZf}c<| ze^q0g%@)etC6%PmAm?lo22Fj$s=n5_J?(-$T-gnCdi~V-poZ25f~!26Vp?^1w2j|& zKT_wNpFV8Yy%46%lxB8MWX;-(y~nytw8VAq*3H`)L_Mf)dRtQ!WcvK!R(hR2*=zNp zM0?hE%6fN&x4M<{M}BcVtZVr?FMEj0N$xh{VIt3Osgt5BMxH#q;()-;1n%2^Jht-XAz4%nHcTZWab(-AP=Y3fH6mos zh3dVd?{+<^$*EviU3d|9b92(*=+LEGOag)2M=u;%#VLym&qhYbY?zVoJ`8VMm-^)F z`+`nR>^8Mhu0#0viQ3C4=&IhmYMOdHlGj6}JnHv68+oUo_sRFx$43XS?ePjw-{vyY z1kuZS`I^(dLMOJNE0R67tR`n`b?KzU%_-j~yuUWtC&SA@rQhK;^GCIPLFvKBCJcGv zkWziF#+J-2QXhgH({S`JPh#_&q^-KEv~Z&w%z7h6_R&x5CEwNLRCX zge3xwMq7%~A@Q#gHIp9ta(hzO(0gZinM!_qY+DjZCnUbdUpB_#ywCv8decs+`^_Kr z3-)a?RNO3bnGNQmCMl1aVr1!j;d?9pj?bEW`u!`Ds6--j=llV#))Y*gPWr|WUNi0c z^dZB?-q$}+Z=B~6mWaHPZx7vl0^U5er+&T{jxxyDb^-P6K8B-7=?9o#G6w?{H*+~p?**g3pa0+mq}oRE-hamT7zu! 
zFC+-0{j&eZv&YM%VLe-Rc-*7w_OxW$Enma0M^+b(Y{4t>Ye^pO#$8y4V&C)N`k7Da z;{tw9@5wlRvJV{++^fPnbo7?P*{a8i5vw{LyBFONpgU~8{#K9G$vXx!l-Q7+2AkYp zZrP(ugs%=`lY7?C`~qpcBdA2^Wx+$!(4CT-ZLQ>!h2or_h_+aYG)_l_8ibjD>N+-2 zFduD@BGg%k`UKz6K-|>NCB!hMNKPZSp+01-j;i;{brNaF6}bH=_i*mOnF2#s#Xuz& z?A(W47d3ZNDW$~BiLCe`_`Bnhwv=yH6D-71!I6GLAvCX9^YB)WpdwKW#Q-4=`v+m`T$ME!lq%AuxS^8)Enp}(%v6l#3Rza@s@XgCD z3)jwoVUEtB3J;|7SwAVUF07r=KkaB0f14jnpdz@*(TWmID_1r)f$G zigAv_kvzBJUcbq-Tp5ixHw93Qp5nH3N|DIk*b2$dVTjYoxxyt!@>Bl*!~gI9?|kvc zcmMwifmi_XKl}4QQ9v}r8jX?R{>6LuFD~6cYmEON5`{*?F?PLh6i@_-vHbhy&JTyc zF!ui#M_vF5jK81KmIhp7wrfKC&=x1j<+*vmd|; z0P@#F`)C>J8o`u|O_0CC&kG6>1w(|uFdz^C!!+lATlxLJk^TRo^IPTveXi<@SG&&U zPpbIz1s3343v%@L5@yRtu&;_)Dr!jI-aB8}&EiwTS7!N4wv`62>yPD5O+S9l15KnE ziejAkEO+oa)k4|bE#{G%|7H1}%w==+)Vh7nmCNaQj_*MN`nxU-{-0?j4iw%wUEq8i zfb;n3d;SgiI?Wsz?;+~55tCb9tkidK$+U^5!#enTgPbM9`5(xK%pEEYTz{dJ?mo6; zU^|#zUE1v2A{Fc1JU&8zc?rgZp3dR!M_VB$>7WBf3<&tQ!;!H#^2}oqxEeOzi$K zL_XFE)}Gcz4W8Kc_;LzC&aciDoxCv`5wdHQ^0&nO)ak{*~}f1kAm0TMk7 z>tbrRjv-8uQXQ3>&^*8+{IYm4tzkUYg`b_Rc&hOg#mB*FH~%+nl!Wq4*EhQs+dM#i z8A${pum%W=et))~fryRVz7Ua8M~CHvQ?Lks!mFJD<&f~eDuzgN{zOaq$YayPkBm65 zLYih`b9M9EHp_K^oJ(JV{G4T~fgJFL{6E4V%|#>o)SWlGiIa%OHZdC=UK|{RsuT z9#k#V8+^CcerUOSimzkiZpRtcr1Uzra}DEpmh!Dn>Gfp(6#;Xg4#Q1q*3S|ImI1&Lzfk8+Z93+BCl_4lN1YivUVf;c-Xb1pl zgRu+*Lct(}4Q5$@2e(5&`#b%PUr}{?egd zRj?3Gy~hw%ORX>r%;tqmS3pno+C4Tf85t3Ch2@o7n3##j3~xzgm@{#x9K6wJ3%T5` z)FEtEW}}edNOa%wsui#_q`HOO|l=8b#;Jd z@Mo7Dt%F~sT;q7H0&P}h)_7f+rt*F+Rwa>J*ID`THMJKylVF-aR6q%@@PT)l#71N5 z(Y$be>A>+-lPfUZ*bel<(~j}&*N_=Q%}q*dUEWRmvCsEVc)X`y>Krb| zEiyaOQnsXO`^yqM$7i)jO|FZ1ta!>7bpLHttf2*~h`IF0A`RZmd3e^#m-a;B#?@C} zS-liDJ{}q#VBXluGUp8|6k?=g5oWdv*Pe;bZCLKR`(##S{owvWt!lk*f?i`CIn7A( zLiqvp)x>pbdoagHz{so0!D@jyvdH4kgs4GuO)$NZ>$Y|;Z&MXXSx%{Te`!kAB->f4 zP!}fsI6+7CSBu(_nMEEB*SjRlz>RnL;_nPdcHe*E_j0)SiC;x>J`Inlih@=`0Y0IH zkug5kTwj6H>5YPcMM&^Dv52I~W7m)qVY)Wa*>2icySUE6CHqo#8^c||(8ME(QMvNc zhiID2Tif2<5_Hr{X5^JyN742$ohp_}oys0{mgLmFc%BhWBd#i)lC52)F9eO(wspO^ 
zY*(8r7>v5tJMj2uc`e&|C6oJY*NCu`g>h4b1bF6Z#bW`4e;Y4|e_Ahu24dEM*n$8+ zFc`Bg#1;euAg$3rfGrqvtAGHJ2+W2dAR384qF_LPjTL68kcc%12|z*NU;rA3K-!{! z5Cq0@_^AD$L6P;G(Fe@9N}e1yv1@4{(43&@g`sTcm@xx}t@$tg1fH@ORuV zL|~#2gb)HQg2e14fc?hO|9_+Vh1n2z;Ofp2A?J|3V}{e}=GRYiCs(&~LUhbKxm#3H zX?rTL#X!ScT4q=ai)rQWV?|F@@uBEL-}o)3ZRHz0a#reDqe@bu{mEVfs*!jNk}`W2 z-R;fL2PcFL&5!y78~3x0rQLB4zQU(2wao5x(FuD$As6sWpl#{Rc`LlW)FgL>#Yx(w z=`e#K0P2a;;#<_#Pr|SEz zDBCRzFXz%HFnnmBUMCKBBn*YG!3uvTxN(=FQXpT1uOVw*Xy^EPIQ_cc2=*r?j_oX_ z(c0Uat+#G!jKloUI)i1a&LIz7h-mxg899t0^xudtG_rge-w< zM#@Dm%-(ORTKdTNMM%lAN}H15T6IG^YHm{GyphTGGEB{+I!cu{Fy|bb=#{Yw44EC# zJqvBJ%Y97GJ^fh|2U{EC<|2Iu93H9xX?i@O9PStGDHc4-$a1_fxiV%dmRLZOoz>~3 zcW1tVdJjsx3cI2CB2MhZP-o-VlKw}aLz2aWdId;V{MMG}bYwr?jwL}>B$*!J=2yNX zf>*|ZE6?YAG`dIFh532eOYIbVz!T*k2bp{nr;5l_OxS_Ehwi6sll2z-N{j~eSHF;d zNbAvwaS0Tvdyrk5+UTsDHFBu&Sv(86e#PI^{J`F9CFXdJR+xNDtnIF=*sx~S?IXN( zPcwPjv0hcG(qIpipih@%H$l?8E$` zy{&2@X>Nk%DW@}YNrF0@V96pbhVGg|)#;YQ$MN^*J)Dvud?XR5NnI%)PbC$v5Se$n zq)(G;7I61e6`XC=_@6JXrw}=%Dyf9#a-Fi=u&|8K@5a73=INX*a@@Q}T;~kPe^yjl z6%4U7xOtL)q7a~~`Iph(WcgqAZF$Lu@4c(Gk;$abt{#M{3V(MCQ=;7Uv8k+92DGP;WH@16D z0psPi@zI(2TLXPL?x|Zo{&ZEj7k1I!7t)CSOM~Em!#j*htWL$(wvv&CsXJq6+{&bidVWd65C8r@mWAEIjYUB!!Vi83D7(6iE zp?`Ry|2N*D9$EqZR;nH_eEGr`cQy~*Ao(6lNk8YPfYXe)k zEW9JxfPT84jXG7{>Y_W^hSZs#yUJ8A_OJ;}RhKt>5qD1TI^a7euid{&w$0kom(>@w z7A2XbLg^r?|FA+Vand~=oVqq6&QMjqkyL$;=~RCYXmAFq7*3z)#^-WeMyJFqD}FQp zY122kzp3R({Q5welFw27%_S*Ku@W-msw%Db2mL8OhhZ&)ImBOl}aDqu`LT{!LaV~6}vuY4}9-(JR-8%Gd@60 z*RuEWpxS{|##81?MFnhWmh#EuMTpCiLKVsLkx>Dbe5gzhRZ))BqDM-iz6<u|_9Etzf1GsL!k*zgxVxuCqP78MD-tHAYu@QCxE z8c%kyz~)0}ehbwpS(kH*%a@~&w=X;GC?8**-DoC%_A&I1J4f@_2P2cdVMVPw&Jwu# zea<3<=K@Hp6PahSPYL;R0&9x`#?$zlV}>YNM)erIO;#%9tSYa~JZeY?hGz*zS(9>0 z-8!!uyAx7&cdSMw=MW~Ivst*ik=q)F!_#5vX`Ph}jE0Vw- z9cYj6>p`Zi=!yJDc*0`0S#sKQ#d>A1zW+^wP(P$1RK6qTJ%6* zo2F*BqN>8tcSn4mIn>pqU!Cu;&&z+1pEs$=$k#9Wz7{(=5yk0M|y( zd0n|XIJcIJ?is~NlyKQHTB8rigrHB8O)_|lUa^u%oOU^8TJT;?xwxNM_O(+~74X{f z`my)u8?1q;ND^zB7Z(n2PPDZj&AcMo9@W+4QQgqO$sXle6Z|^Wq~n2-ycH1SyFGBz 
zbmV>A%SV!IUKPr0QEz${zOeG#jB$~5GIp6Pmc+*P;G^0e4RZ}zXq79~?)9|RSjxVS zJE#G1D41!xBrosTG4Zt47Ua!H$Nx59O_lN%fe_S5=;~V<_9)Va= z;(yZk!C|&G2qdNrXbb$dG|U=m13*9^RsaMVg0@AWktis_7J>#^*@8eKn5{o3E6mPt z%+fH-#$XfxWDB>3+k$PaK(>g#HUVrrk!WjYH@iR&J$n;PD+iYVpfMCCBQ5LY@8%?{ z;H~fDuWV#vqV4Og{@eBcP|T7+xDXr!go81i!{4|w{9kJP#0}Y>N)PU5(0`&XO1&F$ zb5)r*6-g4Mlrh*_#emOByg}@*Prf4d)}3MS*5)u8r%4@40t$~eKCoCx<&(CXkB{!g zZ%-y3O7yc-F%11QAAQHI>SpBZ)m^zy@b7JNRA&; z)gdZ-z{&ZT|V*0)M+5#LDC6fIfeB(!^1QWU*!inb(&LY;<0?2w}TcRb&`p4UU)T*ZA7DwBMZ z`mPA+Bd6ilhYz(pQ}f@j#(hP*>Ac@&HP`Yp7Qf>D**E2#e|uG!-0=E<@FehMpXx3P zO>2v;RA^=u^V?LG&u`G~d$o>j_?e1S0|0-|9emMMOUh0dY|VA&i1B{q$nobIPNie* z(x#0Asr$^Y$R8+J3gg^C_5o6S*gRFSAFLnfj(q)^qc$EyD{9a~rm;_YfjH__pqOlH zL2X9k70>>s*dj@DAz#iJUrVmoHAc@G4Jk^oM8|$r2>Q$mnW!-ZbD!_tXTFE0-_9&Y zpBrmUrsrUgVgA6Zs+{AQ&%jx;nwwyJj!D&HI1NCs1I95TZ}#M+R^AuuXLU%$>JA$tm!r-IByBCU3=7QzR@PV{kt0FJ9Gn1fKlK zZuwf{(HH@q#hn_pApd?}wzw^Ev;OXsblwr>!ql7xW2}l@Eg`boH56RW&qu2nMooN; za&Hi3q$X#mUXGwIiB)a8bDeTPp7291S9;c`@dlcr>}b!IwYTx{rdqn4(uG#+>#(6* zf^IfQJ2Fq<)fCPfX_C}OBxgdgq(uJ|4gTn|q^*JtR9?r*3GF6}urTp+an+R9P&0CM zRgn)2@K^P)wT6I!#y+|l4$8k{8t5m<5d;i^V^l}bKQbB&7FgV?hPB+7c_3Q)%-P6M z$XRu6^v=h4HhI&9vIw>a#Q-sayl1SsZcnVbQA(JWKu)@3q*fxjtIIv7EgARQS5Q z_nl#inwEGN8!jDl>0wtdlznJJuUhj_UhGkOLOd!<5ZB(|E#>oN_2hb;s`-hSY<`H% zGr*&ebm8`7yxsL0LK=dsr2BqfIW~H35qM!grhsFK=Jle3X+2k8k~Gy`q;|e{E=7Sn zAD+4+k#WtOjXbFdb$MEHPjq-s7#cDIm^rCwnj!4`p!ED+vmedA`cl>!&1b*#<93Af ziKXeh1IhTMw^7$}z%@(o-cMn+)q~ z%OpG*6FY;1k34wC`P!RTGdr}29i?Rx=`kVcEl<4qmH1kl()iDvF;f@W^(q-1yq=NX(C#++ zkc9gvHK7MQH*|8XZ7?kS71ynM5^&#>P<5f?ke1^#OTFpPvIW=nUCXYAoTMx<2?Mv$ zB6enG^;4KNF9=_1wSHR5X9;fYnLfsa3_A2X4tu6e^e zje&v2oWRH9Q?ARZTIz?CTl=x3g#Q!`{^&ZRiMO?aY=ADr(F0}=hdbyR>#1Yz0j}Q4 z2&5a--o;nfPBuUU;-Fz;|2q~0{wyfMh@8L(F!VPHivH!@0M{gV9=%Wjih3q|ZGg`C z;YmE{RmpiPY=V}8F9eEBa{@{sS?94)^VB0f0WR)@j!0D7m&*r5VWnv+&8+sh+0{IF zwsxBFX})Jel6Ni^B0I#T5p4o9++Lky^sVnavlh>8xtDD}x;QWShA7&gWUKRo(Yv`v zTMvi`T#t2f=nRZ(*~36J*Zqv;7{XSs+?v_kea*5yIV@iOet0y4<^EWfZ 
z7j-C9rwCzdn~Fsd%@xObelfIPQ{a&06S_F@4(IWBJ>$q1WpEZR{pXFdXhxL5gvz8~ z(7njG=__wb16qe&3nLTN2c-=guPz~O64_5r`z0^?QR`YC0)yN3dp21^cw+cU)gFDl zNmo);*~DYBhvdJ}+$_jVpwVZ}=eF`<$VZo*!$j#JFWb(Z)9av4>x*Y7UaX-}FRqhy zwx6SK&hv0zoVa2{}(NU!JZdBYWFMrpU)D&|vurVcH?)>v1LY3EkR} zp1y)EhzkiRmD-28S&X|43t0?Xj_aF#o>!|K&@443j2LPn-lLI&4X)<)%-p zVnWTz_IDL?=T$86IAj?JN#7GT=dEmR_?zY0L4uuqZ5H2ORq@Mx|AK8LX!_38bhJVa zL6<)|I57(7GXQO6O5y8k;+)2byD~o=r@3PvA!8YE@+3ZknWf7@a;_nJDr&#&ir!7V z$`^~aSvSTf->r0tDK3Nr>=+-$cMv`5BPI!W!-}s0W9t}Xp5G zXmY8>krKnL+qw7)FW}&0uY}ga+M;Ol6QI=>RApocs}S=wtp>3~%N14EDJ}^=Eh@M+5=;mO zVKku-Bn+eQg8yvc^7oW{i}H|Pq~sU7JAW!6vVJN^Ux2QhuC1z}mx!E&udNfn0b!?R zFYjh-q~jU*J@CJG7D4sx!v6Qq$gipA{~Ls0M0Y?T7-osM2oeeUd8Y0k2>GVV`$aj^^Ti(#w*Ir55S;WE1S0=#6z|+%KUIw9Hr~=XT`5ye=JBy(D z<}~p4l>D06;(vn@%rG!i2#i1?p(0?&cLUd7=7oQel7C_L{ijl*9{|^Y%NZhdoK&Q( zfL1UWV;gHUAi&sF%UIUe*w*cP@PF?tg5uk__s^94{Br*_PO$$LB|w-E3=9OqkYEV- zdw~l>3GkQSCBL}#^-m>4QPo5n1~76nkkwN}skm6!+1eVb!JV}gG~K{~vRWeF1OIzx z5tQGodA|{&{a+X0Ut`AkZxA9PDk35TfnuH#DDeA_$Txq@UwlOV#V*Z1l@TAXx3QKx z)X(1&DWaodXa%(jbc9==Aci7Fwm@wilkcJby|W0)Z}zBv&&aQFMEw1XU@Q#3r6eGT z2pEa{+0OLu-y`2l4uAR8{x3EZ{;7=E=wXV!y83=vP$z2{h>W|hmWDkTsR}@Psku0- zE2@7F{qLRKu>0mw$)Zn0q>B|HfXNXtNg@Oj;Sp8{Ox6apLSPzHFa*E~f|+E2+h7LT zU^XBd8!PL7gAu4G6w`2mz%Y(eK#`w=)-OI0atf|G>e8NYBNrnlFRehJo~oTP^xJZo zKNo$dt`b~D-&V)UP+wLJsN(03+5P3M<)q`_pV}XpDMG1ZD+5q9B-A zZyO{Og~DuTgCj(K{|y-m7lpuu5J1c|Tm%gL*@W@$la_CP1o?}XW^G3;Z9i!b8GmIH zUoRgAMMYyT|G!LR{Hd4bKr3A*A8l`hld*$hpn;2(laIHXp(hletLWvd8{ne)y-V}= z&LXJD|2H8&_q9-%Bn4${YXh*h#w02tKqwS|f`P07V2lh8Q_}^(fw2Gb;P@SVEllYP zAq0klksuHZ@!bM36jQT@{URYy8xLo9FL?)yFOaT=FQyx%FC(KQ3;Z@D^QTgx1zgrkAB)<~c&2x|3jJR>6CypfP_BoGFLz<%~d`iEykL=*!4MM@m(jg{=t zhAL2bA0?29l8c77yDerA;ZLW;S=G=<0VNL%P*HHV(gSO0qL3o6KqY^$s=lY8s+`gH z;Q!uP1O@5;rsU^pkFepsqyEXg2h)sWy5iumOCxnZId!qyL<;$;W-m$TLetIBD3dHRSbhycOg1OIzx zKk5I8ut-M;^Kgm&TfXXk{HJ~(@P8eFI6AVw_01u|_~s<=|C;wV#0rYST!(A`Rv-un zf~TjUmjOls=c^>+<*x(vcXmPg8<+&@ z%Zb>-Wo*$1IXQhd@bB==`OCXr2n@#DGGIv1Z`_gfo#^*x1-R-_Vy~Lo3Y*){T-$0t 
z7Om(yUXL{FEUUOI&@l6nfS5Sgzi zD{tW&q<)#U@mL1=vWOC@JvwLGIe_Fct zY5ZlW%#sf4>v;i?0#1HCD%PtgwfT1r*LGg7n6!;NPMza57b*<7C(r+u_bc&bArsCr zXKx2Il-TUap0Gl=o1TAUNTVV|UuJ#3&c;hrB`tKgSzCL~zp%b(kiPl$RWoJ}Rx|C|szAjj0>8Eg2v86c)8tg- zBPpLKC$7AyjT?M}deQ6QW%nHWmTP=&vOzS|$yJkbH8-WO8?jbXvDE-*DFZ+3s_{$h zRY@LXBP+2rD|C|c(w$ZmMhm8i*jd4I{4z4eQm>!yjos62gWx=22y7$qHyhNJymgH$ zC;2)>e!+z*W!+aE#7ST9id$Ytll6@_o*<5VbNDxH0txx(AEiNr7s+>QfUX}I%Iea3 zkF+|+>(&FRUGc6(MerN$WH09SDzXPf&pl{%I=UR1Bt@O|?E06}cj*CRNi5_HKD)7k zq(28H?QhDgZ-FV^=-1q0;b;iZ8VJN>8^CXY2?#|45Ks^dfPljh5F0oc3IW3Z8knRN zoV4L`9!B!276Be8eSI`i#0{Zl1(GoVDkvjSMqo8%e-D2{H89|J=yfsID+pK!)4YL# zFjAKPSpPo?3FQ9zxR|G>T6!*|_=zw6hx-;x+Apa#r%LJW-?!yQgc`Ff+-#O2t%&?; zrzFyN<5EG|$MXOchhunKc$dv?rbR-9f!$Z%w$H6GiA68WUKMb~)0ue}ZmFd1Q51jN zx#gvx-en3-dJ&^GGAt(H>dNYJ-+FFhbF0>+88nKs_x!$XHYtaGIzE??R0~;s|EPyl zU=DVC;Sz=XqI^ypg)P&Lm0j7J2f95G^&7|g%Hib;cU%3TmD-?0= z10fWT<-#jUVH*-K>4W#KNaI*-a6*0v!I>Y6R9aIc7 z)pd{#Ko?&TC;)AQ)Nq8_xR^-)o?)NAjQ(L15paxnMC3o$U)agwZcDibjXu6alJk9TUXv_2#ot{Y5aQ}e@WQX^{{BfVX z2A-Dd1z|k83=Sc8b%a2bOSY+@=nK8dm8Y-3nuQeRlZg3_(}ooQw6gM6mM2#;PQ%qy#eoMT+jI^phnC3rRR1d;BL!ti`LF3uFIVFwT=db z6im2ZUD&hWe1#}W89S1_5 z)zrH03x$l9`9Iq8qiD-SUp*V5%c2WHL5W3V_^6a{%yIYF5;`T!>YG8i#cPkx%1)%1 zDfwkgW*_Q@6e@6OY_zpx1oDK^Kx`>*_r%rSjp2$Iwd8b6nT-^G&PUhtFn&g}!1v8U ztTp=XtwqIz*XKBO-F!)SCbctUAMz(N9mQ~#OlGK3z2#i~+jo#syB-#OzJ*dI5Ls7P$!F&KU3T0Hv=Rd^ z;2(SqZgl88i?O?smCcHs6vx1jmCoPVe?~p`Mr|URw)`{DdjWKQ9S1hpRw4+M438+; z3sh8NepkrPH}16!88xCNJiU^hbJpWd%rY=G-MJ>l-qB6Wl>TyarhPx>FZn;tDi-Mr z!Z^&AADAfS)2I5{H?X|4=na>=kK}b^b3~^HVX9>s#T!FWWZ>K@d5_ILwNit?aP)m z!RyMmGQHZKmE2FcSOxMi2vzzl9$$K`Z#_5s^Db{`g?=g%<DUp23IFduUG+2m4rj9!POF-p2ebJvc^BnCB9q|XTt>-Q| z@rBEE7UgNEspBTh2h1j2=bIkqb3iw@KMAZ}rEoua>c_C&#bsfdR$F2 z^7C--3fGs}LLkE4Fa~1}w9~)ru61Ivn2{H?zgtH4cB&kqFNMm%DlJc&f8_48Mfpse z_wCJHKXq@@Xyw+?$M|E!FIlU~FM{Jo+Q0`?Vdb>TR}_xEXmSr$Q#UJ1jS*X?Tt(gN z{VMvF;!Ui~?&jwk)r3|zf(ju#eVrd(R#(*ZOORAa>iPE6H(+l zI~BBN7LH8B2LV3CMa9o)nnv3!fIZzW^}NeBMF2E89V?_SR;@ixhMH9ZcAmWxy=;Hc 
z|BQ0jVabTaIM_C@_CPJ&cdOw*7KP*29;g_YlrN()p**)^@u{$#Tw5`>UCnO<+Udh-#p_L$iRWZ8dXM<9q~mY7Yqdcqj>rctPRvW;7FOO{{qV^t zzJQwMf#XGU*VEWa<#9nVl0hJNUlM&{OqBZL6aBx9QZCxE{z$N$hg$%` z#RCpUszW`U-7)PiB+5obM<1=Eh)}k6gz0G7T6hWlClv^O3R3@~llB{e)a2&ap-2#_ zYUYSh9DEQt9b^gf?!C_$8z~0IwGpYjYtM5b8rx|75ec0(xxMy|^C-39RU11Q-9Cu} zY(Y*EI)O&XR5*#@cwUPudGH7T6e&XTxnhy&Hl?*v3|D}lFmhs88(d1-4S!poCSc|QZOS42dTVY8$vLX90?GaX9O(^X_1uVm7Asn*X| zzQi*a7oM4t*LS=oUrD}QB$D%>-5&NEh&x-H2<)4&`2a<{)ukq<4Ar<3Be_5P%%6kUKPWB*K$`5B^Y0t z#8;@l9UF1RB^`+9aYD#1vT)Oz?$w;P#k>iOAGlwV_7?A~M6xQ^Ivn-Nj}xRljUdw@ zlN__j=;qKy8$0z`sT6IP$C3(ROyfKk=97$KMxQ9vDD7~B-xKF$B2&|_9`@+j+lU(d z2zyhqRA7li6Q9*0%p{x0NOni~ZXuUlGnL`TaucL^n@f)r$XxzGN8GmY0cYx~^v9VH znVKx#wEbujM6xn1$yCrGcH5CWkzWP%K@?YKkeuL*U-C@PTcez$07|{$MA#KgKbJA8 z5&83=$pZCGAS;H2lah>!kvUQFT68yS^BpH+QW1&e5?m{t6v zp|mEyY(}R9Y&Xz>`&y)w#tO zH4)axlXT*oH1gO=AMFy3N#9ka+5PAFu&(;+zoZXyfa+M;TCDI`F-3)*rc|1uiG`9^P4ebMet9=Zh^L6r#_K zh9sO)jUz)`d5BO^1*1WGq))FF(6K}@k`i}X2IrHdpXZwed5hm|pb-~4KP)8OjZS{N zJe$l&{!aSL+#)VbmSs&ry6nkQti!AqPRoY9TVDvxBl{iL%#Q~tol|zAuqsc^p=6UG z=E}GXiiN|^YSEH5dMdMQXvx>|dYsxb&6FL!`qU`%Z(YDlH#QJ!x*KMASE{v}VTR1e||0LN^zC$$m zP4DJqT=xwwe~MfJ0UPu7Pbt?aUMd5!A%ZTp;7o&?c!HDX<{{@-ZgvXcaFFHpdj(e8 z@{?9PG_aNk&cnlU_~4l=Mt{>a#^<5zxJR{wxO#zpLa@@M`3)s`*NS z*={s7#E8N2Rlm8R{xLu8b3hh+7J$EZKA2NQ$a=+L?jp}VYAZNYC< zy+k;Suv!x@a_OITGVb|`%^LdZt*Pr1CV<}i))#d*=|)&S32;Q`eSZItW%jy=I{AC$ z7>LT0>`WPrxS-O!Sh&j2vACJfzF#OsD~1&)iu@&ug6K))Nh-dP(eKzF7>$K z8*&9vz5P%)58_WZjdNdId6e)`b@h3Ot|_g8g8tc2U$k>-PZzB(y|7w{HiMv{eNP*3 zn#9AoVt^>+LIdd@2lRTh-GL)u^dbSFSt?{M;BElBjk|G=y^HD<7GS-P_GVCU|6dBWf#$VazLFLdMf3vLIc&Ib)oBukHcYa(A*EW-gUZc`a#9rv6sy)3=Zo(m(E`k!hRgl&C zeq@$2`CE8Z%haeQi}yV;Le`?YJ9h{KC?|)gn032|JVl?=f6&2Ee3)-B&^u8x!c1VG zhbM2);%~hw8d2$lt6EjX(ilvYDDi9%aXBl-ZTp!~-)^uFFuPKWzd!25o^G~)-SkHb zqRER-sqW#Pjgb?^F^`}$_^v0)Tc&SV%g|P}%>}FV#dq>>4rFQ(*Sck>656uWOi884uVx-`hL+E%R-y7nX=#o#LX3w}~6Nn>85oJ%|>hjRE5 zUZb;Y>FynLd194skL_}~dK%2N5=5tJ#B@6)VNl?FSN0=eQ~BVB7oTcNTSnJ-e$8Oi zXb$Tjfpk>L+)tduzy)pPx;Z{Bb@0ymIio5)VDQJw>7l#wQ*Fk3ji2O 
z+dv$Czv2ji(Nlos!~epvSmdS-Dkx+Zv*XN=}IeGufZ@lRFD{e4%CP z%Domk4>U}^)%4!1|B!b5wjD~jx^P|c#V1eVI@MO@i~Tx5#=F*wp={vC#alX@B0~B* z(X7twH46-v0@8+fPv)PnUsz@`HbG_9y}72?8Tuwl9cNa>a?BjO9L;&f2=&r`@MdM3 zc}u$`DK>A-GC-)WKiN( zu|}a9PCm;N4@yj{Ppm(OJaxF8|AhtBoTe0t6LS=r9Co>69@{^rpmJV;0idWK#r(7$ zPritOq=_?ut}y&wB&(kb+;k7?#w}Gu&Qx3HeB;bl{tcZ#hkhO14{TSCYNAfUhsiUh zzsf$bwX(H#KR%yY@W+92^>>YJ%K`2Ii+2OiIS~GfYG#+eevqY(iXi9^98BD%Il6KE z`NN~ZiJp5vr%fQ?0K70NIr*lEHW~KwyDA?j>2T^VSzo#P(3OyCBcSh-Qkb|PzxP%S zEwejW(M#NcoYCyN&~;=}a$3wzl0PUsRpqVmwMN-?Y7|3n_{#xq zmjJc#g%VuC;GrwGXg@iO#VUp415T;|f)w{d@ApS_l*#w#i(rw_hVdGHIlTSsxo4W= zO@|edsWX^X$JzF)vIVWXgqD%a!_2Lapo=;14!Kv@tifsVmn}NSRm-- zP!at=8}RQF2w?O?Fdz&BM<7IgHjnzAw)uN!|1#`!l4JQ@)^fhdUp|gTQ@hYlf1%VKFIlL4O|6y5y1j=oJ-@+t{= z?iE_$IvSiF6Bm5%LK>S~`Gt(IS<}6*0-42EovZ^$IbFrG6a8PF`0&a(pFqR+Un}s> zUO-Si1+6JbQgU&}Xthmek;Ji-bNI(6RLHH4maizg9 z6C2MY*b%FnH@n`7oKkz_xVlRneJ7gxT#NsTSIX(L9a39`aCv|g4Ar5Pgt04 zmwKAlOA8gGoEUc%iq~)Q7f;0q z(7F|m8#VB%4SUUI-RJD`kdTJ{r1KrMQw`) zWINPVS`SGrx|BzfKij(dML>}?Lh=;wV6y=|H7Z18bT5(`Tz+GxovGKFf9x*d0851M zgA=y3R=`4m*V`t-qlK{$26;6%0ur6icQQD765&o2{;wYnBd|c2LeA3_<_I=1b!g!1A!k1{4of` z(UJe7EI)z&kM1$315^R3j+mW0CKe{r(iRAPgshf}oV+5)M9)dl5#fgNR8;`Tc{s_* zA%1s{0SG}Lkchv!Xn!xm{@&Stqw&Ik3la58TI)Cy-KmzH$bLwpM>gFK73X<$*Rtit z1BcPtmwu*H@BO$xIND~KpJw{PdaX)DP-*V+@l%Hqx& z5n#j!zX*6b)@n8)OjWgp}9fyvk7^uh9=cisv&hpTy0jYI)|lnv;*U- z^cBwgLGSQq$3J(yR*UhIqk9BDHBNhZE^_f0aUr`(pIV+YAn^0l>k0$TQ)s^PJIe{{ z202!o|JBaDzB8e~aR5J9lg*48Wje^^kozS<;;`mA%w==iQ7&U9Yeq#FnUdUZvn8Ar zr{s1bnwnxlBt#gMzEnado;z1zob29uQ_}ujA=r1=~)SW;d0(>LO zalH$9mWr4!g&8mQUU$zOz;Pc2?u9Mf~-FkAz zc2(8nA{f%;7@iz33p;o?^U&^?!p-esWHjK!PJE4Q!_=|#1E`qvG!%3svHWaDprK=) zocY{HL0!3BCObJbGHz`2Oh0TI)rl^Q9J)m#r_D)=>n0 z0o5T*hmG@!Ox=txXRa|he1!6fGQvVG?s4FJ3C&;dS-+L1n`bOvyR}c$*spYgwb4;p z#p&99KLd}6Y?94&j_27;53f-Gbh8oMNN;S%)pk5;a03Mv =*MyDgg!hoYGiaAXO ze;aTYPn=hdq-jNj!;8|8P6_4*7i4zYO;O$Bd<=^O1%fVZpjXv0wSKw`ucC$#*(s*C z{7I_rbMeZ&0*NP~TY)^1$%5uC?RY=`G*~V{Z2UmjVtC_oEHzE?Y2v%cqf$9H;|h}f 
ze}X|7%|>DEZk?$>f&91pkNW|P`#y_KI7KKR6c7ps1%v`Z0il3UKq&Bk6-eI?`CBdj z`=|cD*7EJ6ksc@m3=vB~<6S+;LAntncUva|5(Gaq!_anUzUl6JYk&Q;9O~GHOA3lDBQ$_H&rTErp&BKo3cYR z^mm-1V9RqN&f?WV18GHP$7XlWnr?BAJn)`!sgZ@pYcn`FaqVk3p>(ODpx%{oB7r zf!T^@l4wXXqo-?HY0EJ@i3lc(bOJ%$l=8zyAxsp9uDsAzc?C|)bIt-;77RfH5;mkZ zd6l_QIUFzT_+{?VA7L#XpPGC|MftCJ2Jx5WD{rX30jic{au<3fizi|m{7M0#Mc4m|whKcy=)vZxg^N?^>IR7G0NGE0Q`zxkgZ9Q$&Zs<&*x2 z<8AS(Gx)(bulpGm_Iw)ECPW;YdpL)um|~~VW=csaGzF4@^WG<_!^?{ekuOgvYHnT} zQ+MD(6;8j?(P_bQ)PW0zA{mdN{Tvy)_2VueOr`=y1n9-NJTw@ibWMaIxv{w; zTDPv6BcmmlF5k1;$RUv<%kmgqYX=WdWiQkm J;BOSo{Rug76<`1W literal 0 HcmV?d00001 diff --git a/dev/authelia/config/notification.txt b/dev/authelia/config/notification.txt new file mode 100644 index 0000000..e69de29 diff --git a/dev/authelia/config/users_database.yml b/dev/authelia/config/users_database.yml new file mode 100644 index 0000000..4ca8a69 --- /dev/null +++ b/dev/authelia/config/users_database.yml 
@@ -0,0 +1,37 @@
+# yamllint disable rule:line-length
+---
+###############################################################
+# Users Database #
+###############################################################
+
+# This file can be used if you do not have an LDAP set up.
+
+users:
+ authelia:
+ disabled: false
+ displayname: "Test User"
+ password: "$argon2id$v=19$m=32768,t=1,p=8$eUhVT1dQa082YVk2VUhDMQ$E8QI4jHbUBt3EdsU1NFDu4Bq5jObKNx7nBKSn1EYQxk" # Password is 'authelia'
+ email: authelia@authelia.com
+ groups:
+ - admins
+ - dev
+ given_name: 'Robert'
+ family_name: 'Zimmerman'
+ middle_name: 'Allen'
+ nickname: 'Bob'
+ profile: 'https://en.wikipedia.org/wiki/Bob_Dylan'
+ picture: 'https://kelvinokaforart.com/wp-content/uploads/2023/01/Bob-Dylan.jpg'
+ website: 'https://www.bobdylan.com/'
+ gender: 'male'
+ birthdate: '1941-05-24'
+ zoneinfo: 'America/Chicago'
+ locale: 'en-US'
+ phone_number: '+1 (425) 555-1212'
+ phone_extension: '1000'
+ address:
+ street_address: '2-3 Kitanomarukoen'
+ locality: 'Chiyoda City'
+ region: 'Tokyo'
+ postal_code: '102-8321'
+ country: 'Japan'
+# yamllint enable rule:line-length
diff --git a/flake.nix b/flake.nix
index 779cd52..eef0495 100644
--- a/flake.nix
+++ b/flake.nix
@@ -21,6 +21,8 @@ next-ls sqlite + gnumake + authelia ] ++ lib.optionals stdenv.isLinux [ # For ExUnit Notifier on Linux.
diff --git a/lib/putzplan/accounts/user.ex b/lib/putzplan/accounts/user.ex
index 804ab6f..5cb206b 100644
--- a/lib/putzplan/accounts/user.ex
+++ b/lib/putzplan/accounts/user.ex
@@ -24,10 +24,10 @@ defmodule Putzplan.Accounts.User do
 strategies do
 oidc :oidc do
 client_id "putzplan"
- base_url "http://localhost:8080/realms/master/"
- client_secret "Kc3DkJiIrIr59HQhDmneqqB3iy6H8gxH"
+ base_url "http://127.0.0.1:9091"
+ client_secret "insecure_secret"
 nonce true
- redirect_uri "http://localhost:4000/auth"
+ redirect_uri "http://127.0.0.1:4000/auth"
 authorization_params [scope: "profile email"]
 end
 end
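Review bot: The committed user database defines the publicly documented Authelia example account `authelia` (its password spelled out in the inline `# Password is 'authelia'` comment) as a member of `admins`, and nothing in the file marks it as a local-development fixture. Anyone who starts a real Authelia deployment from `dev/authelia/config` inherits an administrator login whose credentials are public. I would replace the generic `# This file can be used if you do not have an LDAP set up.` header with `# Local development fixture only: the account below uses the public Authelia example credentials and must never be copied to a deployed instance.`. It would also be worth confirming that the dev instance's `configuration.yml` (not visible in this hunk) binds only to 127.0.0.1, which is the address the OIDC `base_url` in this commit points at.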
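Review bot: `client_secret "insecure_secret"` and `base_url "http://127.0.0.1:9091"` are literals compiled into `Putzplan.Accounts.User`, so the development secret and endpoint ship in every build of the resource, including release builds, and swapping them for production values means editing the module. These OIDC settings are environment-specific and belong in runtime configuration, with the dev defaults living in the dev config rather than the resource; AshAuthentication's secret-provider mechanism (the `AshAuthentication.Secret` behaviour) exists for exactly these fields, though I have not checked which of the three this project's version accepts it for. The removed `client_secret` line carried a 32-character value that looks like a real Keycloak client secret and remains in git history after this commit, so if it was ever valid against a live realm it should be rotated. The enclosing `defmodule`/`authentication` block starts outside the hunk.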