From a468278b4d5431dac99a9294c22ba09cefd85678 Mon Sep 17 00:00:00 2001
From: cloudymax <admin@cloudydev.net>
Date: Sun, 24 Mar 2024 10:19:32 +0000
Subject: [PATCH 01/40] fix extra whitespace in confgmap, fix indentation for
 voluems in postgres

---
 charts/netmaker/templates/confgmap.yaml | 2 +-
 charts/netmaker/values.yaml             | 6 ++++--
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/charts/netmaker/templates/confgmap.yaml b/charts/netmaker/templates/confgmap.yaml
index 53d0d8d..ef94db1 100644
--- a/charts/netmaker/templates/confgmap.yaml
+++ b/charts/netmaker/templates/confgmap.yaml
@@ -21,7 +21,7 @@ data:
   CLIENT_MODE: "on"
   CORS_ALLOWED_ORIGIN: '*'
   DATABASE: postgres
-  SQL_HOST: "{{ include "netmaker.database.host" . }}"
+  SQL_HOST: "{{ include "netmaker.database.host" . | trim }}"
   SQL_PORT: "{{ include "netmaker.database.port" . }}"
   SQL_USER: "{{ include "netmaker.database.username" . }}"
   SQL_DB: "{{ include "netmaker.database.database" . }}"
diff --git a/charts/netmaker/values.yaml b/charts/netmaker/values.yaml
index c8ad0f1..3eac2d5 100644
--- a/charts/netmaker/values.yaml
+++ b/charts/netmaker/values.yaml
@@ -154,8 +154,10 @@ postgresql:
     secretKeys:
       userPasswordKey: ""
       adminPasswordKey: ""
-  persistence:
-    existingClaim: ''
+    primary:
+      persistence:
+        enabled: true
+        # existingClaim: ''
 
 # if postgresql.enabled is false, these values are used instead
 externalDatabase:

From 568cb14987a805f7fef2f114f6510363b620962f Mon Sep 17 00:00:00 2001
From: cloudymax <admin@cloudydev.net>
Date: Sun, 24 Mar 2024 10:20:23 +0000
Subject: [PATCH 02/40] bump chart and update docs

---
 charts/netmaker/Chart.yaml | 2 +-
 charts/netmaker/README.md  | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/charts/netmaker/Chart.yaml b/charts/netmaker/Chart.yaml
index d20c3e5..f6363c8 100644
--- a/charts/netmaker/Chart.yaml
+++ b/charts/netmaker/Chart.yaml
@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.9.0
+version: 0.9.1
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
diff --git a/charts/netmaker/README.md b/charts/netmaker/README.md
index 062311c..5e11412 100644
--- a/charts/netmaker/README.md
+++ b/charts/netmaker/README.md
@@ -1,6 +1,6 @@
 # netmaker
 
-![Version: 0.9.0](https://img.shields.io/badge/Version-0.9.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.20.3](https://img.shields.io/badge/AppVersion-v0.20.3-informational?style=flat-square)
+![Version: 0.9.1](https://img.shields.io/badge/Version-0.9.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.20.3](https://img.shields.io/badge/AppVersion-v0.20.3-informational?style=flat-square)
 
 A Helm chart to run HA Netmaker on Kubernetes
 
@@ -70,11 +70,11 @@ A Helm chart to run HA Netmaker on Kubernetes
 | postgresql.auth.database | string | `"netmaker"` |  |
 | postgresql.auth.existingSecret | string | `""` |  |
 | postgresql.auth.password | string | `""` |  |
+| postgresql.auth.primary.persistence.enabled | bool | `true` |  |
 | postgresql.auth.secretKeys.adminPasswordKey | string | `""` |  |
 | postgresql.auth.secretKeys.userPasswordKey | string | `""` |  |
 | postgresql.auth.username | string | `"netmaker"` |  |
 | postgresql.enabled | bool | `true` |  |
-| postgresql.persistence.existingClaim | string | `""` |  |
 | replicas | int | `1` | number of netmaker server replicas to create |
 | service.mqPort | int | `443` | port for MQTT service |
 | service.restPort | int | `8081` | port for API service |
@@ -92,4 +92,4 @@ A Helm chart to run HA Netmaker on Kubernetes
 | wireguard.service.serviceType | string | `"NodePort"` |  |
 
 ----------------------------------------------
-Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0)
+Autogenerated from chart metadata using [helm-docs v1.13.1](https://github.com/norwoodj/helm-docs/releases/v1.13.1)

From bbca1d4d047732a9db0c81e9188706d79e780a93 Mon Sep 17 00:00:00 2001
From: jessebot <jessebot@linux.com>
Date: Sun, 24 Mar 2024 11:32:18 +0100
Subject: [PATCH 03/40] update postgres version

---
 charts/netmaker/Chart.lock                   |   6 +++---
 charts/netmaker/Chart.yaml                   |   2 +-
 charts/netmaker/README.md                    |   2 +-
 charts/netmaker/charts/postgresql-12.6.0.tgz | Bin 56646 -> 0 bytes
 charts/netmaker/charts/postgresql-15.1.2.tgz | Bin 0 -> 73720 bytes
 5 files changed, 5 insertions(+), 5 deletions(-)
 delete mode 100644 charts/netmaker/charts/postgresql-12.6.0.tgz
 create mode 100644 charts/netmaker/charts/postgresql-15.1.2.tgz

diff --git a/charts/netmaker/Chart.lock b/charts/netmaker/Chart.lock
index 726d482..eb38a21 100644
--- a/charts/netmaker/Chart.lock
+++ b/charts/netmaker/Chart.lock
@@ -1,6 +1,6 @@
 dependencies:
 - name: postgresql
   repository: oci://registry-1.docker.io/bitnamicharts
-  version: 12.8.0
-digest: sha256:d30a9afa794d29fe3b3f564c1fafd89030705ac4d5a77c99843235449525a152
-generated: "2023-08-07T23:04:08.264324788Z"
+  version: 15.1.2
+digest: sha256:0766b5084b914ac9e7edb772078003b4727ed87c986b9265172777a14ff0b5be
+generated: "2024-03-24T11:32:00.096443+01:00"
diff --git a/charts/netmaker/Chart.yaml b/charts/netmaker/Chart.yaml
index f6363c8..0094fbe 100644
--- a/charts/netmaker/Chart.yaml
+++ b/charts/netmaker/Chart.yaml
@@ -25,6 +25,6 @@ appVersion: "v0.20.3"
 
 dependencies:
   - name: postgresql
-    version: 12.9.0
+    version: 15.1.2
     repository: oci://registry-1.docker.io/bitnamicharts
     condition: postgresql.enabled
diff --git a/charts/netmaker/README.md b/charts/netmaker/README.md
index 5e11412..2244834 100644
--- a/charts/netmaker/README.md
+++ b/charts/netmaker/README.md
@@ -8,7 +8,7 @@ A Helm chart to run HA Netmaker on Kubernetes
 
 | Repository | Name | Version |
 |------------|------|---------|
-| oci://registry-1.docker.io/bitnamicharts | postgresql | 12.9.0 |
+| oci://registry-1.docker.io/bitnamicharts | postgresql | 15.1.2 |
 
 ## Values
 
diff --git a/charts/netmaker/charts/postgresql-12.6.0.tgz b/charts/netmaker/charts/postgresql-12.6.0.tgz
deleted file mode 100644
index c782571a80414080945cfc0a8ab3510955b58910..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 56646
zcmV)RK(oIeiwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc
zVQyr3R8em|NM&qo0POwycH=hED30cDKLw6Dv)i6+O7f-M8LcnhIg0FbyyA<t<xalY
zGqc<f2}u}J1P1`^)+GG~=aJ4komcoR+(>{oQ5U<rGxnNE+ays{C=?2XLRBFqj87?I
z{|Y;U8Kk_ufb;O1?f!JT-R{ZpvHZ8&?dJbII6m%vb8vio{PytV?aAAtZ@LFZ#|Lk}
z0o^UrQTmfG4(T`DjdA5W_m%v>C?XtkOd{6X0l<eGO$lA}z$xT#3>n%1AjCe37-Bup
zkD)(9-eJ4D17rLPq70L$2ObW0U>v7^9=vHEwYxh3icu7x$j6BFc03TlIqCtQ%;zN9
z0f3^IFw7+~;^SVYL(vp7P8Z%mJ0Si&qHRn%W6UEs$G#9wwgUi%Q%R`@^cydQ_+SV)
zY=3Nj+zAl#DUP{(G*ogv`ac(7SO3oT0A>J2fW#;Qj3m@YfQ<i%eC|;cN~XXN1ey`x
zJ|d3-&4f@uQHbFfhnOz_i~{))z!67Nius}q`h)XRL0BAO81a38IbcZ~6Uv!rkMJ}C
z_h`ZP!9NL(*uJ11qer$6IK|T`qD+EioKO^im=Yfa2}P{EGb4hFGtOhy>lp5|eKOy{
zzUXMln+{|Qan@lR`uD73O?f<@T7P=-1Ml##`|<GTxE)8+oqM!+Bs7rYmwjmcvE!u-
z+VOyTM^PMNU-ECq1Adq=j_A%D;)p{WA!<p(FPD#yqJ3~4`RyG55*lVbm|{Ll#<Byt
zGaW4js;xzj8axSiY3mNB2z3NC=?e=|Dnkc{?UQzQ=X1}`r~WDE|B(3iTgI_O|96j$
z4+{Ffd;FsRpX29gl(eOZkHt!Wr-<<$U^965=A`$Xe*oVE{$CD{jt>rlgM;8W`0n`N
z_^^BYm*esAU;g5c-*(>~b>H~kjsG(F?(O9G4T1;oyYb}c;O(J5KH8b02vNvU&;zZ*
z?%|Qwed8S-+#dX;cl@^Z=A`|X?$OcVU%op&{=cn1`~=?c$D02SFia480t2vi{vW(O
zesge?pZ_Os4_@Z~bNsvl0}?MNp3b<t7{3Ce;pzW)7s~eY&I1&2Ji&<eK!4aD{B$O*
zz@1mG!2gFKU##`uT}Z|-1Tmy=jyR%Byd8!JGPDmO!V%yz$N`^W1|D%30`h<;#esN^
ztY-TFM}C+DIGO@mKkWmbL=!wsgiXW=NSJClRd}WR?!0=nqy82~qM%N~)!(%798S@V
zR$+$VQ>n**d<TqvldX3Ea9Z?0t5pehn1ta7`4n-MgKS^|CSOY>%K((dC!`cAWB|3N
zZS`9op6-jVdglv6%+F|{USGjEa>%t?g1`NvjACI~!YLYrkfqd)>}SHt9SSwhIEpy<
zg@nl*?Xo?C$OfR<lIapbZwb=ugEma~Ed6^3853qENPiL7#n86QCoKSjIgZ4bQ?P3U
zhk*~JfIjRsBS1hCg8>8!B~l3dgmE%gh&Ta0MUbN+O4GC{s<^U`4H3pG_ATAF6#JIG
zszGPIX^IYg#Ej!;s^m@~B@<vC8`0O(R!Ud4CG#ng`UQrpNQn#i!(O`?K?>o|Xu;Z2
zbPV5rMvIiXd$a&J+6Iv|*govF!F3ca1k3<D&QJtCG-Bchu|H*quijxHOV8Hd9J0^Q
zU2DVnY`reWxwX#Af5dl6m1fG-Ak#Wm{1{baJ&KE8nF(z@a!IgWWc@Vg0mzHB^|>OU
z>Rmaf(ogCJnj!jtebknY6YGUNVEP*%zHvsZs&T5(c2rm8R~efrw>oVtX@XwI+!@GC
zl56g$FI0E#lQGghF>q}xou892q7mYVnN5;tWqm5~WI)8Yrj19O3i;(kAQd7SE;1WR
z?b+JWwrEe1Fq8`$NAoz83SL@V#t9=A9*U%GCUNWuGHhfyIt;)PTEwfybO<zgSUFVM
zVRT9au{Og7>IG151SIFvo@v<*i4Q{yBKpWFJVkLx7N9TeEwwUn3bntFiGBp?gGbC~
z4tsWyuq?%PQ<`jPS0u|U(9+bhx*_>+0mmq0pdSPvRKIcpU>Hga3L^>tMcRWUJ7qQO
zf!{tAVD>YgtpsfOaGOH6Ko}Hf5gdmI1Q<>u!Z`N9oCFAHSz#P<G)Y2+xPX#<bx8u`
zn%eHWHj;3ID)_sC+?bLv(wl;@_=c%AFbb53MCNnxyZJy1TY#d}9@S`iU;;yi>IgEx
z2Krx4GT{}(_{8`r%Q~;oX&_2dcz}fn#dSy_oiflD|5*#2Xl`)fXo4fm7p^w4m#`|u
z^n-HK*x#y6Po|0hMU%`0J4?pK%j1)Ihn9FuI~-0~$C6PAv7K&t3b@h@R<VikHI+3o
z?+VR0oEE<q4|nl=o^UC2f<^$TfFqbAc9g+h0g`f46@lsJdUPJ)!Z@-ZY`5EOy~Q;<
zT+A}g?*lv$tNMP)ewV{(fr2;*!yyT=U%~?M4#e_hX*;v^9L31TlZD+%E$6J*VKh#r
zS%V2s50oPauo+3hKukA1>1Csy^a`5oaOwig`3g%s>+<Nv91eK_8e<rF2L~QKc)J6D
zaS@vRwIK>-J6gpU_4*V|U=k|5{kk7M!UcORI*^S%X5h8Z(u}{}2PkB+7xMG-$ra&4
ziWrLcYX!~``ulXnX=Bm}h|fC0yz!<94p2v8V4YVnMV??Tj;5Y^X69-(h&^EAQmC$D
zb*>aH05g5mUI4Kw<@fK}Az%h~o-i&(WDcW5!cg0{zzC;Ybz|tGcC(Ig$nIGub*p$W
z3A|Jxbwp28=e(HW2gs3UhQ6cVpM8Y$I5Z1DypG2rE^}6l)L3zvATg{9l7L4kjUm35
z+g65<UcqrRA#^U+GC(2_l4&{;Qk>0-@ah%lCwwMsdu5E~990gh%1)0`JzaZ(^ok)a
zY-*3skVgsOp0UL}5_uC$8TV*XRJ9vmlrkVtLeCia&x%XVjvT@rvv<jKj@tFeW!jv;
zzGsMnK4W+q0hn%D<j7Y!f7;-h&k%jY4DADo=0fR0-$yJnAI723O2)y0nQZ6U2{r*e
zDP~1d*Yr-c!TB_j$F_J<?!gecDW>EB2PjBqLHYJBM^a;dl>wXE8s>YrnonxYp4Ikf
zB`;MvuidR|4y3i;eDCm!Otf8}zIP;}q+L%wyi32T!c#3Gd1UMHumn|k-?!z3Ygai|
z_w(M!eQBhBsN%?nbXH>BZ}EAI<pfP)Frj3wCaEH=4Q_=6tjL_pV+j~CVyt8)nR<^F
z;6oU|IMuBm1UoNI`$NG!y%lJyZ`xxV1$S{1dh*1mRTVSfL#9{MoeHl>ZXBM{`B?NY
zE%7H+)3$9t;TB1IBA?zG6z&xLVMSk<nJB45?v%R4oVQhuG3&VvuDBMMRzKnpF>pze
zh&%pE>8_Z_mpEb^!9cJsVS-^W0w{XGltgnBaqs{s7PH1$I2`Df6=jH^{tR>E^MoRs
z+0OIb4~)YofFX&{2S6zJV0G?;^q|<^_dxc!Ky_njPh+I2xT06DTt#XDk)vnh6<92^
zu2o{aXtPD+&nSsV!UkkM$6VT>)>FB)#$0+X+MpkX<PimWztjUCNF?;5GD_}X9ES_*
z??;L`5`RnY)CZ+D$z<}OlAI`+k22hv7Ytk_^D&}gB&m5M&sC*jo52U<P;3JPSA?S;
z7)Xba(1BCAtcsNiMuJcn7%XP~4TMmADBDduK0ey6T0*C4OW`M!qKJ2B5^+37o*Fmr
z5r*v<pNFsBy&rg^zg`V~y1Bl(en0XC*O!;)x9LpF4?z#K$Ydf^Y&ko6pj*j6F$DT|
zsW*%R(Rwa-Ol|O<p-B=d`y+UOkuTk5*;m@APj?nM$UQJ$+*!{Ymz_4Ohc!Oz^dsqi
zR&F}GS<gLP1#gaz4%LPxz&s=F)vIlo_)q}Fk?oz3kJ=%b{zMp;2Gs?b0zbq;b<FfL
zR@PuZqDXnDl&?~^3CYyMGV+pUj!Ut$hh!=>RvD~Q%=~I_B;jlofbmpvPjo~;a$Aa4
zN>9qr1of%daH5F0<C_OIfE<d}l0o`+1xbHXXsh~giK9!z7@P`Cu6~hJgy;c<a>qM^
z6lLCNX_J;P=>kV+NYMm;1h>ZbFT`5H!Vv<odbt}Y7m84yLK`r|_sZbi;yL;^i4aJC
zF{Z76C}ue0a2_+Y=L;|wvT8|6=8$!z!FleEZ1yT+s|hj4^Ep!w1vd5oqLfgDA!Cb%
zWOdD)KS=wru*_(NNK-QB%a#pvT(9`_^lW%@Ht64;ovP0h8iI4Jn8hmapd2+2OcJqB
z?Soi(4u#3`TDQQj&03vD&JcY-6r2wM3<4@Pyo5^iWi~d79Qjo{-&mfG30)%8s9Zjx
zd>gsXQlkJkDF9GnV;w<J8Jc6}ncON$YNS~;A#`r0&*_!;NSNV;E+rEeD2&&FnP<G%
z9G+gS$a~Q!h#dA8;NmD)9WIW725{3Y${OI~$4aSDy#hCcaKkh-H3tny*iGq#mh8p_
zp;z>a#?p9Hf+8M@e}(*%HHaUJd*Q0Kd2T4O?jYxMMP8_uea<N!CmhxCTw|HwP?!Yk
z;Q3KDt(mV5F(CVm6EKI|p8+@(ds?0oc4u_Tp(@mRudD`9J<%H=IbQ;zc1Gg;|CUUL
zjsvs++Ml60GQL;2d1fCBL@`*SGCp#((O_y0V+H~gQ{+RAg8%>j@Bdq19S@mNqm`Vq
zz5yeYI)XXTTYGSOF#;&^=_1zs*b(h|WygR@x1|wk)NI&edofUYNdKW`jQK+fzx7A_
zXxg~L>pWG%V;)Ji>OXj>w~#gGm1ZSS%K81xg_^RF<gbzqp$gRq{f+&j*Xalw>~B5M
zy?=BR{U6%ke3Ckn_R~{g!e@vo$eI5;?-bGY{>>`(zK|_Xk}k~rbRS7^?sz|gaSAy+
z#m-J$=FtS0f(Z!&Y2fS>zVCsuV@T1m6w651O~H_&kig&qk13=WF`ym`F%Zu|n7-JR
zN4p+F0uV>y6_cjX&N7%i(2A$h29o_9aY&uh#FzxTY)_hSB;g>$b8L?7#TH{W2Xizh
zbRie-9~Qt^XzGwnZWvP=J^;JYaYY!z<8YyeHQPt%-51+aXuyX~fF3$*HkT9n!^!dG
zhq_|{h0;@8S)_dKV8#-}I>!emb*(ch?O%1<qmwtsf}3nMS3#xjems4gH@46`<_jS%
z5AwBKRZOSy4j;woLTEt2&z~V<_}}OPn=QX|`eo_{0`XdNQX5VJE1$;`wI$R$YxzQa
zsx3140r15hnx)D<Wyx!%2V6l;gMc+dQj&V$;2lmk$k|ght%NSj8?8H9&15~bRq9!$
zL^*|%3HDPXc6l&`00a|G-kBT>V15&;3z<W)y2#T_6iz&brx6MijfiqQ5lc^YRO$e#
z!X`8|q9dut2RNPyef8@MNrAVbz?GtZ%@i{E9Z*eC<Rb<sR4ryu4WQaDyv~koi)czD
zMi6B8B<E;{B`(Ps<gWX=j1xte1;?^M{UZ*Mv=atd8@a`etW#C{!%9d$qeUsOd$cG8
zXnkJ^bI{K~_Nz&B7bk1#%9Y5nQ>2`BMxzToU<`~GfTDjTNO76Z&>TRUe=GQ^{?a~C
z>((6c83~xPbh*7L?=TJ1-ilw$I7<hs)A<|pK(sIE0<$cPC<9OoFtoTbq<9YLA{WyW
ztEcWv*ALr;b1(fOJ6GF9Q}b{i%psEjD<Oh`__y6|rwUZ(TdGe>kvR&ejBpvt=YA!(
zA^=DKM81x#8_4&UFkZvm$i!0W=e&;Yc-q(t!)baFPk$Q2!LsgXzmscE=hX1peUK6v
zPrca~%6??MkgLNh9c)n`v<H6oOxT5VGE1XR8h$j<G6#V4*QIadck)T`oB1LYmHC3n
z{mH>!4%-JO-?h8#Zs+hA%!4<n`Ya)*g2hHds;}oTE>)kYFesl_*&r0zeRX|%)&n0(
z#ZtT6s|UJpHkd#0O9`&&8kfOkt^l3sr%O8lc9jD}<u}PWLuhITI-l;9$k!%L-!LSP
zp7A7moOom83F{UG-h`65Cy$XlX=Zw24VCdNnldi~BxuaoR>F*>QgP<AT3<R0_6A~7
zO6XE)C=i-;?L5Lf7%$Zan?xC@*fAM>CXsoNPLsJ<Ak$PZ`8=PBW%{h%s<>1;)=*Kd
zLaS_$SyBR>vXbEa9Ndi5UtuV$_AH=Jhj)Z#Jv8niiwaI*#GqOQLo&6|=K(J#MOA@d
z;1o-MLN>_6bX31I5Db-p^R0oPRxFxC0CFIsoxqq7ZW?RTT^aAHN%}Vc^TnOOd8gjA
z*{lbC&)$lE|6iRkjyi1SJVpMDfYvDij0htIN7Hu8$zRZjz;B-#u_2o{xhd4JlWOYR
z7IQd1l;itQLTrk;@!)AQTmRF9Ua%_+4zYG&%lu|2VwmFxWQPszmGsSr5qKo@9>9=9
z)5^}tBkd)OF5^Hh<EFCva?v$HnVTeOFqqh=enh_XEY485WT)W>4W_Q~+g9MU!}OZr
zErx&@O^blGeN67gYnIxn*{Q@BnYj2U7^g49;;6hHI_*P&&O}qLX~3t1G4qXcs4E>P
zY7dh8YKEsX03RR@b&(eh`>!NXpd+M~=rnS+#QsSGS7F30XM*%COc0du5mJ(styV^%
ziDW8WFf}{UZN0T8)~Kp^D;>5DH|6^3@KYWy5nhX1|NWCN7jI_>$X~L^1QlkhacbA4
zgQE#>d1`elWst58T&5~ZcolwE0IW`=v%|t&XY5gU7Crm|DbsmHay-@ISr%QR@^b<y
zIwdAcL;~#*u-rg47AvY+?a6+;zTQdK3K@se1FbQnEz1VWTIX}Y%Q`Z+EJh7xD}}Yc
zO?xSN$MPPyVwZBn3@#h-wJMNNKi?ib6;79IC!vys()>5eDAz7m^T}?af=T2Vj5_+)
zCXdP!*vsb-RSk=@&1w+J_l>bByUn1=6tK>Ni<Kj~f^C^u`Wl4z0Y!+heLxWmu=rIM
ztAdm#u}<dNM*cze+~D+5l%7WCDRiAz77&Yo97_$Hq4*^45OrRHij9BDhz9V*iilx&
zibA*;A)iD6lUoA}LlB6Efa#|)Lc?y`0D6olCV_!Flz(jmkmETb2{#aL)t?)IoIo5V
z6y44!Vlxs3;79cU@bt+#U|Av~{xh&6^<XJjS<TLRm|GLHyI1X<awFFRM_siv*nIDS
z1NGEpUJtyHPxJlnffHp0<~q;=2c_Lk#l2Ku-M8yWY!1U}BI`D80)MH{t`4$+*scz=
zq2R6#xS{Bl0G4?G_S2Pw_sz4*u2#^cl54+PPi`IPt4XchbUEy$61y6>2GY73z=o2#
z8qkJPS^%o7?etlt$-TLLJ*be;gEuP)sj`(WoRxo|9aPRkd5o7;mrx1z$|56Cc1l(R
zr#&-OsBc^yu5sry`zpv?fJ?BC?0KkhJ9Bdt%r>w}ydj<-f8mGdCqnL7ne(rp0OY1g
zoh_rBzkG})gd(w1g%h!5)wE}8y^SoRsRWxTl3>mjl}#%T<{R3wR+6w!=5ZpkWp(9+
zPQ}uoU$+$=xywx-YUGVrRJFDn_@+~B9dMu!$!91qQ3zW_<i|-4i+Iu;g<S2@x~^hM
zD|V!gPJ_u5Yf+u(fx|Z^msmgZ<3v2@&dsm~V&j-l%okz@#L-8-jeQE!Fy$lkk(ZBl
zER~x4P~$GFiiS4drfoTx342FL5(D+$^V5{gF|iU%^UbQv2MtYV-tIxVThvqW^RX}e
zehCvZwb6*3m0)QS^;Lqh{Ex-ew25`HTneL#!zpN+$2q!Ygz<ieAw$mjjPZBHBw*$w
zSAL{`)Qo{oA|J(^b#%oe=0%7<5_*rLX$J;@hayffl4pNnd=U3Nfq;3Bn9t;|p2pQN
z9k+<A^kRr_t`sJ_)P$s6Q(%>vFoRhP=mNV|?u-V$XA`24l!X!5w44tI1v<pDt<Z2j
z9Ms|0C4eqr49LVT2o$6-?^f}bT5MrfAE?xKWY-9?e$V&G5~tKrl&cL?p@c4$_eBb6
zT_;j7b%<>8HMV@kqt#I6iyu|tov1oHvU~@x;2MDXD-g@i-2CozH1tPlVremVkdX;j
z$4N6tgAdL0YBs0+8440vj08QXv&#;Ybrs}Xj!1wyuW-Z>m46$0JQxKYj5to8*lcq8
zUmY+b7|L-&ZrQm0fGjI8q6Y+(l~$*~k{6+;=!f`kfnf14M{UK)VDZZ~U&N?vl*@Vq
z#K&74=Ja4uz^ysZEFt?IEh?#&I!p#XrU@F2NH*BdRQ+E0`@O7i=#CpYL>~ON7r{Al
zj_~hGt0C5OLKkSN?}z@#bfqEt%le{6A`46Kfa=OY@zJ5(F*Af!=Nm>!O!w+mC!l0{
zo)%JSJVBftV{vLMnb<nAyK-IFuUCZo`jok9EDPl*<T(!JujO#0OR{cLxm*drBNQT^
z6AG?UA*fyNSLUd-!Ik=iNrZx_wni~zRMN^xn5Np^TE9QT;0r6A%Yn{_NQt-TsuWpH
zViJ<+ViZ#Zg8_*crvj$viFyOnD`3A9J(H_n+6%zcS5U<rEJ%_ayTdt&rpB}71+um!
zYlE}$DwK-Mo2L8_7IH{nz&e7j;y<40lc#7ByD&p}=T-5UHz9IGWEtNocv8v5m|`Ng
zNg-rR9_<eG6QGKZTV*^D^k+*=?*hO|Yelb?h)T5Y8Isl4LXKzzIRfeHeOZkiv=}G!
zzO_;{HCY@4i=p)NkXk$6c@lCQhsaAYWxFYdw#puGMCUk?a{7)!9}OM<bn2%rx4$BU
z0+kxCp&&37Kx7Tq6{l8Flsd00;yf~O#iWkz%HAe%067|Q3OSlC3RZ`)qwHN1(;rLg
zpb1b)WEsEr^64_@`eUGA<lK=~c>cP)^hv}84j~v8-p(t9(9^xcSrmiYo1SGD-Pj#d
zo(KC$rG}Ov0V*--Qspj{R4r6-10hxcKQIWezA)>-ZrH@(XQyiAG1tees4v$cua>f0
z`j~~Ok{pHu<jXjqAh5CN=XRA>y;H5n3w{*3&#A6xP!xiI#Ok5TG-mlV@{~mu?6ltJ
zUJb2Em8ytl_CZ<*+XSMf=)@Zrk94)#1xtG1;PB`;)oX_ED&`5>W{@!`$3pRTb^htf
zl!k^^uYilCz{P-gX^3rsh2w-R#^hu6Jd53V9gx@i;C0&e^*;>G9Ku>j9+F@bBfnab
z%?GQAt!`C&@?i?77o*j8a^=xW#9r4}mwMSM)jiTMwF=H{*mND9^WhSxP0PN!@!?hh
z_d?Aa6X+`}WOW;#3}TH5Lv9eTKO=<cqVi+J9}$Yce;swZ-L7|Z`1a)Oe=i|jSi*&h
zKPlRrt!rR4-}9HaaP_m!E5T#Ax5=|6rKyZPmHSWABi{@f7|ApxkUfxl4qX{$hF}mP
z#>@b*vgr7<X-_t^iL_oVC22(`r*7sXGZb8bb@;>z{R0eP<jZbf5Ey{5{u`VRRk7zx
z@MRsc3#-kCG|d31nh*9%w<#y`I!P)NAc>@HwnY&!pk;=SXS!fB#_ei@u|OXc$Xk_B
ztgBd?GZ~dGr%zbVhsrNRAB?IoU29-m%VT}ds<o9F*|M0KX9#ioCJQ!8T6Jk&MUtmT
z@^EZ-zO*l?+FC(KMiTlBjHXB~YZNhtbh$Q2k%~|^n|?F?m^pG`&~3z;bpPRpBndnn
z^-jGBrsxrdVdoV^j8p7$PlFM=Jkb@yK(A!>ym|$ydYevl4;*yc>VMtN;c=CWIc?QS
zxkTE;;wBXMnOq)o%G|_*H`4+cv<9ddVhocg^;wP7->wtOS_*Z$eVI}+MxZ4$UQ6iA
z)<DYO`7oVZ=M(FpyzY!4Kau$=dJ3h{3E5o<ROQc_^CP*PCc$<U#sj82fuV<ECfz6c
zg%G5V7&*xvIsP~rz9COlaI%;%sTr*k6I1gi*CI{3Dg$JBE`811o}FWr4=p<Cc56DM
zVOp!jPq`%z#FWH{@*HE#%4k;KYIc|}-32b=h7RzCxg{@MdY4FjN>RmGUzurXZi1__
z6Ri)bY(?vn{F!|TMp+5QMyq1mhrbM*nOitpUxL?U@`e!4OA||nzYMhd$<+{6yPDO|
z#x)lk*dgRI83z+XUARw|FER61euV-6vkW`waIOsN&tDAT$XJTAv`9_^qFFLdNoL7d
zX&0i>AT8=SQK$eX2B<Efi6ao82Rr*kMN$d-aQKUqQ{w~6n}|AaZ>;EV#AD|gLosyv
z4ntsFVpt(tswbA_4bTKfDA;$dHdL;-|FR$bx79}9Dbey;WzAZxeegKL{><EH!$7c*
z7v-wFGoe=0ZqvX^B25L@wL<Oo#A=~YMM)U$gNPK+$^9b0EYocA_(5)DOw~LSx|d={
zv<<-SG(H4k1^achuM6-}F<=>_cR!!)i`U?Pf$JDWBM$w0_ZF?<ZIH``PT3ikBtUB9
z`YOOwJjjomGgQiM&l($b>VX>sgI_7;=sNP7C<9rk#}=9!wYV-vFIx7%ckghMe%5SK
zq>18cv}QXJ8-YIQxyTNDO29hdB1;)#PLk3irL1C|tt#`^g9@R=Odb2lLhMx+XQivP
zJ}Sy2O=8h8A@&*#<G2Ur3t`>5YqN9Mw5(%d;wwwj1iOmim+C-m1Z>#Z#}ax~X%=~o
zBerNJFVU{6woCHW#`A@$^|UV5#kQ+4=Sx;wb(%}AH-JG_8QLlKqJqq2xfd3~2UJ$&
zMKrI*W><x_3Q^aw!wToj+UCQt9VE?*XcUpX)YHhbayu!i8K<8+Nwu;+Tgp@|>)G;L
z)k><im9W}?tcsLXhqUL+TXhhB0m-Ww3%~aCRfn@{=dhOXqbZtgrLxwb*dU*^2I@vh
ztu=5r&TOrL{fAF)&Dj)d=eVvW(NC4?T8CtleAha-n<c&0LEb#`wGR3pKmFC|{hB$j
ztI73Kq{3DsSU(@O8s;WRvDHvF&5W&v{D)7Eb#2J!&yg*`|J;ePB_upwwrtKgSe7zd
zqA#8_Y1ZC%KVRBxZe3Y3cXm~qVbc`ajqx?kq^-pC$H}F2c(q|d?J`(@=&ahDlVGc<
zwas9Eru<rmxQZm(Y$AR6X|{#_Y$w;Yj2lg}Z3`rQj+9$>1zj=kwzl^bnYXU@t65~4
zD`=^+t0q4+ue2Ix;nsGkIuAFGZ;fQ!Wti*IaSP}xvrHXU{^w@p7RReDH8;n!m*m_M
z*ZUWop6eb2F3-`e@7Qx^=`N!_m#Uj1{>w_%UDlUk#%^hMzTBK$cXeBqxSKPeUQ%~U
zQg;g?(<Fa)L&k2H!RwIRFpc+VL}Bej-dq=6vU%6f=5<YtwNiTPO~a*0y{?1ytIh0n
zWpdT@Ue|{EY7%^%PA|#w&AQku&$kYCWwLKMl0R~~Z!w1D$#Q;6T$3wh{Z^5>wbWl{
z7Bx-&b@k6C8Nj9J|08mM9Ug9)2wcv_FFzHyDBhdo1J}xOT}H5_0@uh1c4xy@6N5`Z
ze?{5BrSyOODZ-`Q`U3KVOX*tKCA)IEa4FiCoZ%%5`j1T<UMemx*~44P9<GwRRa1y-
zbwh0uaVZ5anZ%oC5;tM&e_A?mDNnYTQ(Qg`K=Z6(%Rt>Auh{iJHA*hd5O1DdT#f#T
za*Qhxe({OMm6U(M*~Zm0uat6}lem|p<L65{t{lPV%{;Caq^+kPSNC|EImne*HcLdV
z=F=Y`8@aM~TT4mS0a<$gWVxnay^<gHgTTaq#o`-bPP}@x6WPt&JY(loepNN$WGO7;
zWXeagSHYVjv14G%;3^%iz6HB6mA*BU7~ftk=m^dci=m$#t^SRS|A~D54{%8$%n22O
zlYW(spBB=#SeICO6l)eznawTs+5w8VxgR+r>~#jP-GD|JL0UsyEVC=trfZneCC^{m
zW|%bk$_#{@Bc{MfYdT0WdSIT?>^PJP4XwFhW3c$p6t>+YH8am6VS+GllZ42+3ST~y
z&+=xZJ1q8><^p21K3qrP;zvs6d4bg}08K)j05FI5HPzXrF`!lvEZR?~FuTQs<=9U`
zNCBaEilg?Xbk<1!RfWha`Y}sg3!G?DtEy><F16L2+X_O3G-C1BEc02U#O<=ZjeA-;
zhlV6zpRIe!@xF1#bfSv*!mJLCek@HmaA<etOBoJh#FXd&caGNS0e80Qj^%fS)vBNb
zQ9&KJDAcIsF%%VoZfBCpt*OeYFk3u#Fne;QI*&klW>n1+^HVS-a_`fwq4c!M>6=Yf
z(Z5t9S+?b|u_lw@BUx2~r%+}!^ggLZ%XRG;m0C@Yx3Af@(9M;VTTKVo(s21c*h;P%
z*NdjhVIF)fnyzw7V#!#5qQ!tjk=hNhTXLq)VvKe}dF2+MNbE02!ly*~D%7Ekc))Og
zR4S4>0@(-XqmN>>H9x%?fn9k-`{rn`&cwILTQ28<uyhkuFjv7Tie&JN>7Y8OP+ioM
z7&8zN4tz3?A(!e{*7}i~WX%gx4oXd#N}lC*0!245%8OV2;5IK>TCg~A_R%#$RWDM@
z1<D)~=Y+}GGHXA<5Yai7PI*?cZ$8gOon&A1#B1f9u|V{|U<RY9k{|LYYu!Wvn93|d
z?bnPmUxjMF%l4FuGbT9V;xA6X>nx8=XAiyxBvRp%Lh%U-i|8GJEW9qR`F8Kr#PDb8
z$Z?epG}!(ZX_0Q_Hbqm+I9=p8t-tqTYjk7-U>Y=p9utP8Q@J^O)1(mw4yTPli*I-F
ze4cR0eGaEg9_3Qxllfd$_u6ZOG{95Dcw@Z!bA6=w2p53O;NhE-9)#_7yA6gRf(!}u
zA><ZYQogSu6!^Zf4oq^pgu~&q5wUR^W7e2p(L`&;#wb)hEVddBrW&Q50vY6`EeR!N
zJrEH89?>=?`neI09xz8A`d^RDP^eBnIGpyt!GRZ`F@}+MaNyAcUBN*OM(VMStq8pH
z$ra%;y&y`DX-Y!CU<9Bn=0+x26rb*XYL^*y%oE1t0T7H52}Q*_1V$PhcU7a4-ulF2
z(H|X(7*qTJWkSDVWyfGR%c2^U5tPyItQYgejc)ogTBr}Mpz92`o2KSMP6VE_N<mRV
z3#AH{3usEPO=ANDY5!J0VcM)%D!}r%*{EJuB(tl-Mrl*c$YW#{66xrkkT5`0*e?Nz
z<Z<8ftZ@ZZ45P4l1gJ3z$zut3n!>7N?;0uW?y}k}kKM{z@49x%HJ>30h6U3^Q>+g*
zf51_IqiMFp59B=88cr3Y(Gdk>^(ojr`xqmN=P2SZ+}p{gp6Ji@*J3VM(Hb%Ys3S<p
z;qMjAfE}rh6mIDI@+>!Z%B9Z3+dEsVx@U;h7;Ren>XB<Kx$oLaO{S4(;x926WMaC~
zFYk#}9zuaAGlp`wWEIz2t&Gjw$e}SDGRL+;?iu284rp32laUJh04hM3fhmd*mFhl8
zPh^FyK_cZ&X-|?clpi}eNNGLTT-rvCZdqYQ{N~bnOYTvmazvS|LZi>`3%pYwl1K;P
zIQ`Yjl&+PbLZ0+_wB)BSOk_@(=@@2t5CM@~ijeYWBn*L{zhj_3JWtc}YC4dHeN=aU
zrC6Hcm{w){iw?`)GeAkGPNj1#t)s;;^o_9UDSsmx3Aqrz{9q=#P~DiCDhs2bV2Rj)
zs&d0)==W+xR^p-d4)*4U{y^;k1*kMPIx7oH%?3~}=P<@{ACpfiFhZsl7;E{lzDZM!
z<lhg7j`Lqk4FTpsh*`>Fnr;E}#cP!9)kN{65pK#bmHBpQnHBxa8km^HW?X)qA*sW~
z(x#rM2!7pII}E_D{hO=vt9QNPJGnTbm?GbpZdPF6!$JG-07ze;wAhmfK0qAm4W4}c
zCVediJ7#flteqw2QlGfy79H!@FzaXjBv)3p0?;}Wl_8asXDeaNHqk)KZ4R9>{wdru
z4YzJ*m<O2d2OEMc-3+=w#kQ^yw3YXNE*`y&%SUEC)Ar7##oE+0>U!0Vt_am^T+)&;
z+up62KsC=2OTA<3whxZl&aUlc&-P4vwwyeuMbzk_QyHOVXM^cQR)1cyi?gb?KT?t)
z7NIa5`a3i9uLQ_w>P6_$)3Ce;3_a*6Udcl3JC;-P(oul`#M3+DRkhZme<esrTx)c8
zaW=RGK|6plVGi_1a`5)Spg%eTzy5S~B_Q~a!;nndGsseCcVZ-Ph^A;aZN3j)53aAS
z&IY%y_rPtgu|>%p!~eFL?SZq4(HZE1v#V1<fp~j2UWm2h$D8ZR3LrqH7ErlKle7z4
z3P)h~wJ{aDulGUv$AS36@b~qewWQB;EXy3fy`7vdH(@f#u65D>;q0Q7e;Xj?QylBM
z_x7y^hUS)wBkO1-rg#1K@6MKB8sUEzFbPgb$Y~jSS3dIDw&^Nqm*hWNwGRKVVoe1M
zp_N77!t14Yt5Q!(Yy6vx$>F=Zv;P@h-`t+v+?}3}`afKp-JPEO*nfX<dv|$udviV*
zr5rXl00`rH$rS+g9e2vQKT8R{R}68P1eAXx6JDU_?)VEDtzntHjeFe`Z|1)kxpkpd
zMGMMZDa{DDBGC;Yd^<E~V9h)(O)3Wh2d=#(Y<LU7vVMGx_Ys(ZUHdA6dZskMwXORI
z%As#?6+t<`jcy?*2f6VD1m$2q&)oyhSDxMUny!EAz#76!pXlm=3izAcI#2;}vkM0*
zfNp-*Kn37G{xt)p<7?h9u!amj#We$^u-Cs~pcLFDmkX2v-1J_7QlOvZN`ZrCyi&m3
z*FWoR0xs(3zDU5u{(N@`6s&JmY{cZ!EKvsLv+N96*9vj%YO7d?+2w=39DMh-(f;i@
zkL9z4V$FL4YBlB(RB8X*I{q2jweYQRRzF&!u1~72oVq*pVwC!R8x`WoOHLj3P0Pz{
zr;33|aP?$eE%F$7IQF0_(cy$2)>Ns<_bguyVxUUHX&+p^YQvQ5JB1oz5(oxRl0<<=
z$rz`Zw7=+zuBIG>;ZswNSaZzqq+|E7NtuRxU+tsOG_Ji+l_!%YeVK_DVCD<mDEn<h
z5JiCuo3x3tPgG6JbP7&JGWZn6wi~MWNi3_FwSM~zv=tBA^;6-~C+$YG2)~XIg*-dH
z)tP;@6HtG%WFG3T^3fhSJU2$gO5;KF8AsEUbGqn3kzAXV<=KJtL}fXZSz<=+2)sby
zu3qNS!frQ69b2U!ob2xu#qz0TsFEd&9$*O0%`cGaTzSKh>`DS9AVK*7i{)VT2}Oi;
zGSTsfW@2X?l5uAaWf7fI;wLiBMwK#-aeE%TDwAA8Wb<w*N{wA>{#AGTsNP8}A-|G|
z&{2TOtGYa4w;Upy_f6-xTEP|OjsqE~tfE3>z6v9G$;t}bD5Ze{FkV>FZj)D;mR`kk
zlYV1O9vm?aqhcQMGFGQ|3(p|srS}RK2jP|VEU!yIgM9RgZc!vjmbGzi)bGm8sZ?+r
zhqB%}lLrIL+$3f6ikpX%LMq8ut3a<F-&jOk+D{sgf}<&7c|H`tHm7JtB0_aV19Kj2
zKT8kN)8m?Ks+COxtL;h(^`B%cTNQ%DROXhBpyH5D5znf^sgNhAb`k$1V;vP1*$bUb
zoxzfYeVLjB>GwA>e}>3;rK*Og4+UMzN-gXIM)p++Xmzx-ud2MrW@0V}C`Ph+3uqhV
zPbg>)#KfpS;jLCzuhdq_Sjv)UsY}u*g4pR?)w1h;m0xyYo<%tWX6=PFhqi8E%~9}_
z3u}(5m9%t@%&lta99=3lEr-yR014$1-Xp-I3rEHt>ze24K7AA4CL<>kN`)D2RqQmj
zV5;Q{Nl!3D!jSwanWCHQmj4SlwNshU$C&m&JiVjYCwC#7{-)u7FYM5m;)qW`>rc$Y
zDzv~Zj{GnQ5NMT#b+$lzPgtg(KnEP1bi3fc!GVo;B9@1Px&0_COSEF>0a0n*`xJBR
z!_a<TFt^io&Oy4>Hz~Eh{RWm&4?cZz0-hKM;dCnO*6~6B5PbPosgO^fTH@;&NvNHm
zsymR(=a4RXZX#($&+35n>7a=#{N`)?$ppEhZvK#U^yjesPe!6G;pld|-IL>E`ER$|
z&Ha1OeS38D&B5{U@!P|bw<m9pzUdykIXLQm1G-znU;C3V4(T`DjdA5W_m%wowgW)x
zTQ%mb9%zZBwb$v0(f70@5IXIsUthKM#piqxBk`@;x2tDajlxzB{3d5c3sQfEIr4cz
zQTo(s&p5@=RJK>oF%RVnYlb>7(k~~3&Rgm%CVgfp8UdqtL6NL67Lo|5Yl^J7|3NKt
zpY}D~37?hGYxUQqx1aDCin!4vjy+yabP3z!b7dN6KFELs=e<SLn2->`42?^fJ_!1I
z%gpn?w}8CGLafHrZIoxAyxv3>b71U|(6laS1+cbCQ+dP;?E{MDgd<aez%23OkofmH
z{#=Hk7KyN!ls^8HeUYLbYND#xl9R2Re3>2@%V{0{oLWW|1QbRAnS+C_Cw6hrmsh`p
z@eD@E98v58MG(Mg-o|SEPUG9w>Tfombkt-DuC9l6d|j@c-T|1X)F7cIx8y*^A<MHS
z{O>elCZk}rZi`WncEEPJy>w7Zx-8nP-(8)WFM-I46*I_yorXsWRfcPaXzBde>b%IY
zK=uC%niZA~f4?P3u}#9p;vyMjs;10gq!R}Wpmt@ioaZwf1SraN0DzWU!c-s366OGu
z!!DOBcgeLr`Lv9E+ta7(^76?f=QHql$Ntxt6;{>9Ce}rjX~6Km*A((Xfy|Kr)rf5r
zMS-+IS}eptek9eiODy<$Q1%9XY{`Jil6UVT%mv(cxV40T=~?GWw%LtIdb>%RSDB1i
zKxg4#dOa&HZCx>3Iil-e$#?2n_QLae0jL|-<zwqI^HSY%uM5={KXe44TlHE>!(sRM
zyNVBtNL=EU^TDUwg!JR&GxB0Ee7_||bgMovjF{*6u!7RDRB)4NQzqTkRLa!(DdG@^
zY`MD9PR@<CFBale?SrfsSQQ00;%J)JXekA<es>DuOJ8CNwF@>`Xx16IDxTy=RMw2h
zF2t%e3<~9x+!{otNPJd4Nmvj!`O-<tRu|(>eP)Jb>Lgu!(y#^{L(@Ry-5%|T|9@)c
zkF@-M=9GqYuC8y-Ms5C)Z^y^9#Q%46__kZ{{~f-0@&7%?&)}#2%`Ld<U!L{AZ@=lI
zwzk~YeEPJb-u`lSGdjP%vOoAm%smo`Z~DVw*%$pdwm#bV^Pf!;@>pI`A%mG7XE@Y#
z_Cy<i85kpB)dwgJ$pQu7&wt+8`RzAPnE56KC%|wT5yr89NrLPg?$f88+Z2%4WRDSw
zGC(*2Swk?FWqtc$sIzOp3_c*;LS32=$WTO6EJOUB!XyufK2pp%ie!Pk-p-D73817l
zcc#JPP&?PPeF1g@>~pguRCUc@Zs{bm7Wj4#{0<@<1%i9WqR#+8I%Qi$D*)Ew+<B+3
zA~RQP$|@Y=1wbF=9YfJnvgAG)BcF$0in#j1^Rm-RAt?G7vYnk|e)<Hw5WqNYyK!hH
zvf}%EGf7TAD|8x@04zuX9-&$W0yIvh4rw-J;$cIoI0pYEW(m0d5#0WC28P$C{|!73
zbV$t8I1ROIG3z3f4vIKk$W^J$W}q|1QD+R<Y-i^@0)z(2uVRceJr~l5TayB&;p$H4
z6n-OdJ5uSdNXL?|X%e*skwU6a$P}Ax7nM5ERqkCBfCsFu&vFj*GI&nBoIcXiey<4$
zL-Hu*{OOg-jAp8cu$Wmma_-XBU9G@jE^2p=4%<~j+GY>F2_|ia#D}52$D<=J@~}#6
zrWy$SE1fd7f#w?7l2tWiS|;hnq^39OI+UVFYD4+^x5|Sjb3A+BmlBk^SS1mruR`za
zMudZ1G>`eh2DG;ab|d6~PT{roG8QF#)-Il7NYZYJ)CzLO+P<R<4xmY-$6MJ!V0b;c
zeRp#<y6c}_o?qP!`=imX*Egr%f4gfd8eQzF(WI^vR#UP-i>gP!KN*RHasGYlH+f@6
z`?uf9n#!XC;|=>6En1-c>C>kc_#KQPLnp_;3-)Sy|J!d4S4GQeHhhr`5W=*y|BhCv
zV}{9lu*Bjk;t!Cubm_u!%3Hx2^-{A3!0y^pa1T^5U2BG0Vw8qheWZ#_4|ZshSIq80
zV|XdPYZ$(vugnCVN9VxvI9~t{i@%Uu;J$x-g&q)n-EbvVWlE~XM!qz|;-To_`_}MX
zCJF`VXo0`$&6DRDd&~1c%>ESu&zliexu%t`H^6%jnn*720-#lG8SwP*M**!M!Trjb
zR%v`vHtN8Oo3GAlsQ+8vc6>gOHkDORJ~L5N1i3J2_T_B>I*Murxol%Bme!hfQcD=_
zshtEL2v$ZpqEs#y@?K)KB+4@wS@8P&6j(9)W}F&SLHP9P69@=WWwhnRQmy*QA}y7Y
zdf}F(Rx*=VFEuGNQ4F-M^v%ny0^!b8+GcFDw!6AMJ-a&}=5(C8o1xisa#a`RXwLrD
z{YRT|$P?Cv=GIy9O#ktzwO1fvcztu5BVrx&EJnUcsu1|hWz?TqX%^3FlTp!W&Hq-J
z0<h=$x0<2A^JM3~O?&snPHbyEbp*=31-Ow=>B-K)94-JCa~XmOdIWPECEUtUb1tAh
zAL_I5wBlSlbxZv!?`V?&(Ndb!ZW+9Gmg9$}JFv&q#{RW4Pex}qznl+Brb=V{E3N{b
z@uo>bM*N>jFXpb;NPh%oe%Y58n>#Z=cTWzw9(z5^Vq?)-L!h&s8<}ptNBi1Deqgfg
z8Y)pE2%^j0gwRJwgJ#me9{kQ~6499Jz2@Wdzg8B9gTuG&ZoAt)_+rO)MLWe33R^zX
zLYlX;EZG$W*%rfuq~U2q#0wIE2tBG4o-ouA!4dGqDlf0bjVXG-B#{ZPI`W(9F#1Qx
zK!8Fd@6Mi4l1!D>o1t)S*8Da&k4!W?L;HY)fxPHZ(jmQ%Fp>`qh5M=qkh-WEV4gyj
zP#;P3nkyxZCKKfIHaHa&$QuLmcQY`sJN$+1DO`+%56UjVj3ub8O_36IKfn+NkRvsd
z1j9Y!AIKT~kB~;P@-!u3h@<H(oMtmnnd@scttj>{M)-64&HpGrrRP6)GZYFbYV$bU
z0*?CgpQEG0<Kx`<&q??2;N|@1Ievcot@G!d0f`qBPiGwba`^};+6U*6-`*JwPyffe
zz&?r?^3Kg&V6+GN!~Wo>Gw-n7-T8AzY2nVF!2_Q6WP$Dp4v|=Azn=@{`ZLr6*=IXx
z!jxHi#6r0M|4Lw}t{Q`Jtn$<fh1Ar&hUz$$?fi-Wr%5FJ=8%JvBYF74z!>>3VF)lX
zM|PED1rwt%P&IdDu>_>UnlS^rV|8V!c0>zRD)u9LZPiJky;R2AlI7mZyr_*m#>!#r
z*$F;>YM9%Tw{&DTe^;y#OcB50`6!u8@JG<{GWz5i>{-Z{`*J*Mna%&c;pk>}x@q39
zFKnR89ruO{8w{LtHFWdQD`UG|Eau1mb9z;{nm|vXe07YaEY=|xIgT}(8SKGt8-%3{
zn}rpQ(GpX7ua-HR@TNonpM_1fT&>TliesfU*mZ+=LL+mjb&P1S+_(T<+b8XXRUIhk
z75SE#kMx<e{Og7gp0^xZ(~yi|m_1g1@2x?-iL7bZ3#T&q#=UW%ZQQG@3t+eW(wWM8
zul8y?U14)?-2EzBep5!A%4+Z6TmmzN$8{ZbmEgQwQmsnt%laAHpW3|@f690WS9;4w
ze+g6e*5^vPw8HY_jap`8N5Pg2<5JMJ&#e+ZOWW91Ow%TnmWXqPT>QM!`lw}uox9Y4
z8JW|fIWtler6yeq?D9Bl4CC89mq8YK_d~A<wrbdw+<ccmmsJO!^~;%kINF?X@~{O*
zQ$24tU|$Z>GA8CeZ_dgkcq#!kFbtcIjJ1vM(owoci)9u^A?-(=I$Og<=!$%<<Bh$=
zSSkrhett#^Rzar$x2}LJN1(^jASjia<xsq)bZ$UZ9!IN8AX;uaTd4AqTGPInK*~^t
z6-2QZ`tYR*VV=S*ieCZrih@^YzqZINrKDD9((82Akr-KBu(`k#0*szVUI;Z&IHkKU
zD~4`w5A33UE&t4knX4PO#t}nHwZlqspJTL5;ub_d58aZtrqZ7W;jKd9I`nAqZ8RrJ
zLchwUNg>8-xpb+>ua(5BiA7;7XPQW+LlY;bd~jA-L~|=+-6U1tsEOpv(5$=LoU4K-
zOQKHQ*&%z`m?xG4!Kr3jZw1>&m5uCRx2C97V5-r^s<QRcJy!mNyc)t&Fv{_MeLYNb
ze6|~K&a8qZK3b=WjJ|B<5-R6;GsmlfFo$vFZp?gX=F`BmXtoimZr*G=<W{a+#R<HI
zLQA<(sne>w<ua&{&+=8X8x4Vkobsip3@ttA4x1VH{M&f?(-;oyPxh2bT{<Xxpi%{z
zAzE8l(MK+;%5Fhw4XDA&(tDO~xt<gk!8DX+L-|vRb;%gW6lJ|}+r~gRx~*n3HswI&
zk;U^(=yGnYFtZD?QkdaIDYILc@u{7`1tc5K<Sp>hk-AM7>WEttu9mLB<!s%MO~5)j
zv}^9N+*S6f&h8FqU=ix;yDN2C`5pAxbW4vgS2<xWyKKH(pJf4o`j=KCAnOQPCSfvj
z9|cN^>@35^G9)25LqE8zat*Az%r>xkR^MV6b)G9BW)ePEQQHDUFmCInx&G&A&wZSt
zS!uzn0@84~6wN)|czcUvQRr?jMyl$)%Ig+-?BcXPwDTtG_!<T<Zu2m`-n?kT-Qy@Y
zXKBHiluxGRp0mX-yj`Nr^H`)hETYIiu@mFh6w2&AN|_~ZLRpt;^Xx99fohSlZ1sFp
z5BzSJT`D40Y_Vpf%<7J(cbExc7R@4^e+U0c2uC{NxfP5B3Ewx0XU_Z9T;>DDLLX6H
z1&fDlfYOL=#=?8FSn{oM_?bv*ogLuK?BMR$&Vb5Y0OjtIf3uP?H|JeFD+FhskR7ex
ztSItL*pbDPJLv@`eJvNE($21!S4{jH@Fs4Gy&Yvck2~#D-J<~f1N{EGZc_5O`{}aa
zJ2H=PhyV;jU;?WFj$}bShNEeSz#K6Kr$|MY`{Kh1#9{r)k`Dw=C$k2|#8j5C52bHl
zEQ|VQ&r0X9i$tn1XZgKEd`1Fi0oWW%%;IW@!W<z9w;r~NeHS18li&!n{vNfgPd$^I
zfG63vUM`^P@6j*)i}z<E@Js*V{Iq|2etp&ZdnDG|w8`&sd>Sb2Uv$rO!DFimsq{pF
z^9hhkLqbEK3X;l9N?Bn61Tvi<Lh2bHd?v5%lDP-^cG>{OD+o#T_*HC=ByC1j6x`y@
zR|yUGYL--Cry{zimeq{FUfTVAV0|ao#=nvT__Bn(j9(rTJ_8@j=N}}UAFMVX0OZ-l
zTO7}I&YLc96I1el0|X#QBK)refk(K|_X_9=Ps03AO)k})B@-e*nrkf{A0KTmC81M&
zHJQ46paT;=^CUepJ`XpSi{WT!8%Q@l^aqx8ZXR<&RuKR>wW{{QEH*nEXX8u9(AO^t
zqnEYW2iA9zixm{(Lf6t{V!4?e$=t<9Lhow^qwb2hn1tA0bYc=@7sBgjuf!k`ivNwH
zsd|PHYaYE6L$RUOcTOOxV(RO)bh>hunEhfMh6yL{P=u)5&6k+uRV$Xj&pHBxZ-XzG
z_S96`YzaE>L{+pAgsWR;SoVd?sFHSh1X8owCRX75(X{-%A&GxtO%9&xxO|Tm%{iSv
ze%>;(?``mo!=jwgKWp08WA@Kz@x1&V^j8t={!@y!50^-Gb9Us}I_RfdU7u4o7Y(^|
zb5Y46pN0iW*6daZq!k=MLJ)n5WHu2D*%r>3Z$nmb)Lbo8y#sS*ZM3x;cF?iev2EM7
zZQHi(j@_~CbnGW)$F_~<%e(ifQ?>uXTC-~1_Z;K87RgMb$qyL-DSVB&&R0nze<fmp
zE$MZDabD_4S`oZUUcc<*!!+S(4O09cYb?4vHA_788Yf-*l@1gEkNAHCuVt)2RKEi>
zZ)1rS{r=Yxs)EPY{LQP~4UX3jz&;1Vqd@+l#8lIzX`pxKKv?Fna-_W3r`+l2eRpGX
zbSWG4rgUm;#E}cjHR6p5H}ElT#hPZHNGr`0T&~{qiy+U{<sMl7el)$2@e0Hf*vJ8L
zRmsTADM~9HZ8XI1IU7iFbx8>ieMiC=ArHRco5@WH%q7gWv+7=d4zHDs`mxTXhk6>L
z-S}hw<MH>w7OPA7W7|i+`EiXW2_BarBM`2O%knA~G87(i;pF9qyb=84uj$G+7M^9b
z-(*o6XL>qInPme{)amf_p%7KAZ`vDK)i)?{@Y0j8JRo#*2-4A57DO#~0Ok3M^If&?
zEC2ksU7|IKrf{7YT}%?g2tWDXv43r}KCIt7kRB}o`8khAi98y8X}AMsLx=hzxP|f`
zcM!#aB^q3S8+pdBp9&*(e=v`;q4;i&#$X%bsdk4bj1ap8@Yz2f+!+@sIU9D%gaszH
zwJxDYV0)Su`=j@CsfnkNmNL%Vx$n(ZnM%+5_}#Bd{^DfYfv491p<dsB5u5hUCuW}k
z@%eOhz!oLEFvC@MBR_x6SsPm%xkgt%J)YIZHREi2dk3>Qy5-jAab9xdXivZpMQ`=Y
zhE8tWf$EUZ>#(EHMxSJn6ynE~-OQ!4?{t^aT2L}4+fvNwrY)QtV(Ur}itn_~tr@Ks
zgTS)F<y-#GWBnB*&BiZ+9K2sg%fOJ7tKG@B?{^63`^tdua2Q5d<$d29CVW9;h8_bi
zLYve{Z|xb&I3`|9epyo=(f+&^FRkl=rCk6zASgJ$0n2?{|JNx1^VxT31$I~=k6r<>
zp^3RH$MQm3^*1JYJ1=>AY*T}%8ym(hJ9x0p-9x1c=r-30KMgE>1HLc@e0ey29F>0E
zH+}FHesPc?PLCUWb=+keoMq)?(|EgtT*t%%0du!Jf*KyI#SCnzc#`s8u*bV76;0t!
zRjS*#K-PKS#oz4%2urJv(cO)YSAf#<ff!I=6p;QHkakr!e?_9F`JPa;VbjCaiE1!T
zY&d+1w&d!cBL_pO*`}`Q(Oo}eTl!2>O*1(Fm;U4;5`4Z>$M4-ShSnRYgjkYcatYF(
zNXxOAFFW*QKG(Eha$j=LOUH(GXXhIt<CpuT6+^i)cAAEsuxACyw9or=K?Ui0AO#Pr
zR%nx#nNx`$;Trv-*g6wrro}mdgUnmy<s}dSsoeF&<5Y0210u5wOyQ7_czpz3N<IJ2
zG%!$pHCgwa_?I$BsTOKzE56^Eub)%uen^i019?FS7GP^JXxqGVhJAd5jH_iV*A~aW
zuZ|)p^M9hxKMqR-kZtR9uTK)IQKU}!sF}rQ6Sqo#riT@AyM<-M&w3-5E)A&-rT)ST
zNroL>BFoQUUOE&OV$QDsvJ0I*b`!gI4AD-h1&^<V9r6U9q1V1nsIqY3fLL)m-~_IF
zO4o>8VKQzk7rjf7?^zc=cpaZaH}fw&)X?obEV8uCrNyVESfw!OwBB|3stL4^gNQMD
zTK}n=zM+uY)<gzsWGu~nl(_@zHpyL3jO0(&5dz8Hf%_@Nz8`?Ue<wft0QdLUfPfZP
zJ?qm-PU_i#h+?Y^3N+-7>$3wyB-X^cPtSXux1T%?DzEjXP`xEQa~bYKib59cJv}~r
z;qZJn40++xyztW{yWgvPuA=_meP_OBhjjSv4HWl|tmkMnSb%Izl*vR@te;$!_$h6>
zsp3jVsCZ^jL{4i_VlKTqktA=4rJrDid92ts#^=I)I0y*}MzQv{cuAoaak-;%(3OEr
z<Z5VAT&a+Z3xAde;mcgXt8Ji_n`$dYIn3~ByS=mQF{nHnXJ#Zt%e!nr4Ebz{wMrTB
zys5jflp~~4{$A8{AAWsUYzi-K0RNZZXQzfxvjGygZo6)y%>d)O7#<Ds4lS~ufM>&-
z8eF+eVGVn>_9X(?M7@u>{gc@Lw9UJAuQ1xMxe^sH|Cu6vDurZGzqgfwu3ICexYsrQ
z;!M<m?GQ9z%Uu1w9s!WxguRfq={E;59a1<0@!~kc@Z{X8Q{H8#Z*(1<#O~i>zsfc+
z*cM66|E@r2!m4~!m$425)+=v#Hi9-a@!3_Q0L2)6I+wJRbX9`EbSgTb-M_{&2Xs4H
zC)dY!$owdk{*ZaE5_{%Kv;GJb5c%ShIl`w%(;a>?1oDUU(1`f;w_WP+rL7AHhKDBt
z1gnaom2DKFKfVbnMIxU9vhN$thrR2>_5TzxP}8Tf$LGnpp2L1+Sj^RJJVt||Y#a-z
zM6GR=ST`at<ZCU1H_a|RNT;jf|5qOl;F+mb9<#X^j%nLaqsKSH+-;%pHZgEuk5FNi
z9Z+0~vA;lN<;y`Hc_#{o<MI!D*ma*5v!g|~{iyAbAz>@YS+%Kntsc9au8`m5Am!?z
zpCBSjb7kVOK3$L-s--6fl^NfUX*X`Pa{NaA_fX;+A+!rh1#Hy9aa}L9C@ttmH~s*?
zI=JGHVH8ckhDRqUn?b4X*7rnalRacvU*3MvHQ&^WZ&xW)d9SKoK<*gt#C*E)>|O7y
zZB-wVin8{BXd$+VbjO)xH;<B%E(}xtfrf1ga)Nal%FR>tZLINEQ&LO{=@Vx#iG~^W
zWr8L$(RdS9siC;5!xL}<2a&Tf{DOm&iY(vw=cOCHVR!OUq>f|tUpF1>;lFM=@-XRt
zlui)ex?6tQ{0freenYa|A-)Va+t({DeHi+lZvjNolvBf&Br=X=DTkV-xh3i@icRkf
zETviK<CdK(Kb|T(Cjo-=v*D|a+<ZH0SLFmaOiG903*O|vnun$yK1|`mh*Hdj(MaYg
z&S+m%=rhBnR|b^dVU^YCBmJRCOz(?x{`#xqcB^KJ&>WYb`9nVy^c_rwC#8Ni&D+uu
zCvNk!+Q5pfR!}caVei0VU2=YQb0*mQfe`yo;4}5f?WcQQIf0`S^I(MRVBZJXPjf>v
zkNM;5rvV7s*&S$vWu^U>Ith#;#0%Uvn;)M3Om5fanpMZXRJF6L@FHG4i@De7l=JH(
z)@jkG>7NSXYX?OiPXPGNsGvS#<(1x>%OQHvnP2a%tvs0H{G~dK<5#O{RZsGyOap<*
z>r6R}$ZoNP!Fq}a{q;764=`^jL|G79NN#tD>F=hlP8*p(L@<pCZR2Vx9xOv3o`2kW
zDYQ8qp9<8`y?hfjc(LgXK67>JiGd-eBXcsQf5>K*yoNPfmZ%?jg7ou~;7{_L=IE0T
zY_HgUC_E5`*Vz<cFL)og!0sKr*(})B!Hr0Tne`)iuH50LQ`<fL8Oj*E_rs}5U2I7a
zB!|&8rIfLo%Y(Sz*ktTW<~G#tBl-aSA6+DW>}o93{4Z18@pP>{&ZHxKQRFJEG|oP1
zl#dN?Z&C3es{+BdbWcKl1NuR4j&6!y^*qG%AG@qQc;_ZkR?wpH_e;#?&bw`!phs-Q
zJtw{JP)2~yp`=NyNMB!G=%643-(HX%B|fH}>{9E(TU7?|FI&{UQ`1^Mql)_hZaucP
zZrq!vOPyJmS&@k8Bby=@hxYA1LeE<1SwD<hycy0gejlT?uu;~jPoHb8rv>IaHD@^F
zW|@H3py}P)sS4pqQ)!3%c6)YOde48f6Kf(FvjY$8>ROvR(-Ov(89B6jj43^#0acxf
z%Nnh+JV|vEYq52Jn?&<qfwfM3T4~&^IkCM*y`#4Hmo7i%veV`)jKI8&GP#X!&eC~X
z>+{I>B>vS|H#?YiE)}@TN*rqfOol+eU%6Q3;D($anrEa*P^ePRoEK6oXjO3eHAp>V
zA9Otsx=p=sm}mGCFT=4_wi4V2RlNA5@ZbLH;OnIt@b2U4;UePs+Id|Yr8s(u7)PiR
zgiapPs|E%R+nQ@etd#k`ut8?TrA{~7loh^CqV3v#MjUv&XaBvd_3?Q8x{GMamfmaZ
zAFf>dJbLl(==BWna`*7=#nbB{QVE)0KgH!_++~^0DkRs^`6?ZHVxX@L=;7(Y+xmL6
zUnPk1@9E{DD^r7C#&I8%CfA-A@+kY<_;Ri-Eq4A7`fiR_AuH(x`wRsr4!OZc7cnDq
zOXX!=7I{r!x_6Fj{aTGnOzBUmO{wWI+jDyMS0xE!pMCpl;IuQTO$G-~WRej2Ltu~b
zx`CdE?_DfrYBS*&(;_XGsdTe4mi15Y0(U?q_3Mvs7ZF^Pb%f@Q!&06X*R7c=@C1#J
zNg#SQe{S!GT(m=mXh79S*eu`s@i(=UopECrmMeOy-Qj!1U!};GKuZQUR}(d_K_)bu
z=Rhp@n6zjNE)Wiv*3i~JvOqu`;lp*KhW;g|?o?jQ5z1bxt{O?V#|S$TW0rl;yuo2H
z7;`TKeEN7hySjU8);?14i3+<B!jg3vYiGPqSDKwwcA~7%OV7c!ciQinQPef7(bf`L
zRpn1<tnX~6%T-#AsS^oMWj0~+D~zqMjn*>Uutk1lktR;A2hEJJ^NEoqhmWn8GpPF^
zu&HaH*GI4kU(3J%a5yhhWjT;L1}weHM1b*)6sOHfjQgf46)d6YDD|OB;_7x2Y<_oe
z9wP?3s=f}b@q(P*x^OMEWCm#*>8}H<8>wbF#Lzvu$n?1Sxcm4%cWVRg?YT@Qcj`vQ
zy@Q*qZfW3#dy9!~`<@uo*WlHSHq14Wvn~r;GSKm{;O%E3+N{s#C4b`-XeWGX1FI!H
zJ`vi&fj>4YM@A&+#^k(PD<2)#GVb5X&gbm*udwjmuJfVy<!-C@xGMxXNSl>Q)tzs?
zS2VipLlzpJ1oSgku=(lhia&?63(%9MykWty7+5l$LylOffQ!!N<8`PwM+7@R_Gq}>
zp1+QY8cq0vh>X>(T1Hm0vS`Dj=hmhf;KdD!Od|PNm1$5Kk!sBy_i?Z*OMGq?w7~UB
zPo6BweG9ABPshxc*ECb`6ACY$ij2u@@LBJg)$Z<(E=KQxR%1%h<S+XZyna9v6FAz;
z>Y&|-uak?b2Wzno%#DGCs=X#c>)7XyGgtU-PFPq^Co~A9Qg_FH(P7~p=F>^~BUy<1
zqdg;c<nK>m_S~WoybGstp#iSTeb^taD}6mR%W8)qV~ML*+d?x|Ycc%CXbCCk<WWTj
zqxUfzI6Yc2lMoSjY0CG--c3nR$LM1=1!qew${I@yweE|8O)V`#IYDBZm&1~kT}`+>
z{G0GI5dyiJ)pFId5s~o+Z*2XyaB~y6B9L4mP1zgXeWG$7D&wRTg7^1p1}h`VJq`f)
z&;&|?hkzlXXleF9HMo;H3C+G>(CK{@Uz}R$^XXylp)Fn83qe1~H>to^Wj*Il`K;GC
zcU?t6+i&Yg>^pacE@aW)$EBsUo$o=nekJD_W+PMz^-YuS!s%SNpVP)tV7kvBp=-x?
zJO7DSSlH;3mE`5*@3y>HNj=y&=g$Y}8FPHHO=>-{v2j1y1oZK137#r}ZWVOkO&jnN
z`Xh&MwEei9pSKO$h^uT9v^^zqWZZ}Q;P8H~$P|bdzBJSgwxUZ*HYtg%o0G4%xuy4=
z3F_s=iGO-n$Weq57^B_F;OP;M?4Z>!qe=)oI?Tw21sdo+D_qmh1hk)S=Wqz-o(|2y
zDWkzr!NS1N-~1MiuCgk>2^tHgwwN1aNW}OTv;pnww8H@xSdqX+Js#1N1V?XUP*q7A
zwwhIhz7=Q?GPx)CeuQ(QJjhomom>ail{ILu<pG&#9aGOAcj%Z+;B$O+3$jeQ>wl3p
zA_>M*@7#XZLx2Fdc*!LfvQbM)W;Qh)B07}fEiuhO#A@5JrLwGxboyE7z@Ce)l!yCl
z+Qv$r%EiZoklS-q3FbF7p=744oE!;5ox-$)3t-^YeQwtSMN19x^p3z5W7Gt>?(tI*
z!Dv%O_9AuB3U2s~wyl9Ri~&#0RNIOmbV&}*h!Gv3R-V(7{POaPF5Nf#%99!X`=btr
zhu3T8v9b9iM1R<@3pXQmpHlBnA|LJKBW&M#@z8JQ+?2Fes}_p+KZG`l9M*bWYXz)c
zj?QctLh0dz<Ih~GmGHuiOiZ_zA_RlQU5zRP2P8PhF#eL6E<5TWyk$B|(Trv1wD!2K
z)N|3Sa{%TaG`^ieXE`k#fZ4NIf#ld`yyv{)Mb^aLaYe7HkZdHyn86FtTU4S?x`Enb
z*X2|=UZq^JL;BHX`U|Nm-p_BtA{Q=JTYvI(C9j0FwNImM!q>OrLw<zn_8R$7ap+Wd
zYv{m=R>%UpFIdJZ&7v?_U*Q#RnWU@4j_>wRpSY^Mxpq+L4&5A2VnLYdtg==+s;Pr{
zeo0TSB{b>-;9cCNyi>Q7G4HY~4%1IQ<S`9iN(Pmr@Vl&9z2W=9`v6h~qg@Q1FJSRO
z_836braq73U(*^{CJ<-D64n?^yw>`)x|sbD(*nZ3Mimrdno=CBt8n++rEP$-+|`B>
zTnh90<KQgnRen+p^+9gmj^czN<eeb9062VDSw=#3StawRfju2y<F$@w1*8#j-5pK@
zXulVfUc#8=V>{k8#stvf4hkc5zMSdoyMgvx%M~txG|!L-S_V??K$Oq1rNDg`3ck_L
z+vxv9WRQV`kWJ^B^rt2=YziXG;YJ%Xi_HR?Rb#Z)$%G#3eV5yDwcFcpGgn*NIU0E*
zS*&G?o3rmKv#+S{0W26ZQh~jQjHrI;sj7>i3(qoRFWN%$dBYQQS+4F0;h%FSlYqx5
z6<zU*jEu?__ezV3lO;0<_NR@dam7wb{<+rxs*mXzpv_FIOf3exz!Jqsn3_Vzk7F}w
zH=fav+9&^blYN|69nG*j;A%VEy*9nj)hNl{Hc8$JYMO_d#)R1=p#UIB6Mu#-_Wqa?
zg=V;CSuv);SA%)hy6m%g5U48w(xTZ$2%3KkU4ZwVK@D-9Ve?Vx>k8jW2r1zBI&Zt6
zb)#H;6<bx{QgfeRyr1^eHJOWI^?{0zh?rkcZv^YvlN>JX9+Q#7+Z9nA<v|PI>1v@>
z{EaB#63Ea3&y0N6_rucSG1yOeCsZ0xP;sj2%qwM1N!u{j{@6bHZAcfly*lYN6?eLc
z(@1O_PJk~yKsb~xbp03{-rtLIrh?yQKL<3r6#Wo$T0vv}Wvwi8Q2jcdIz_=Z{B04@
zv3Q|nczs&=3H1`*CcY6Q>~-y9!eU$j(_l-DZLpmG+e&x0iJ7*Z9%fs|E_mtJyBgkW
z>A;SnfCQ-g5uan!QRuRI!<ZxUhl6WS*lteKz&vLBcCpZ)8M)jzCr3wi`2%j#OT;%g
zxOS8$|HrQ5EY$Y+ZWc4aI!%!cblV)C)rV-~bm7LeCHU#zhX;NkqL#;$+S2;R9Z2jg
z0~kq^_s*`MNcVrs&p~GY3oIk&x(O&VQ#Q`hutN>ijg>5iL#%pOi{cH->~ketInDNI
zeZDpSh=GC2Cz^-hURPX@llRC58I%KfSJ+~zN(-Ci#oUKHRb;cR{YNYsQ(Mw!dH2DK
z(<f|OBV7%{M!CW!l@E<zP5++&&cdU}c6LEfU>9pgla!<AuDp>^mF>OwuCguebSs`v
zmW-W1C~ep0ny`)xs%1rSulm(V-4JQR$?MVKal*67Yi+w0K99C3_r>35bLbyL#%HuX
ze0ZDoZ9dMvw7_qw;x!;4ej6{~{~Bf^HuneHwgazPd32usPlGS=b@TOpCUEFybQueR
ze}``<+GWW7n8S5!co}eC&yYY2&g)p1VFyP1|AyVi-(95K9I{f|@+9u)?S{)z@h{Y;
zowm50(k|h-<l)&Bn?ZP3WYcm#vtM0RLb)A<TNOq2iAP|=32|4`HKdi7VJ0iK%_6QK
z>X&f%*41I4BTnz%%_1D4cum}tc!eXTD8(Tk!6v7&877kf()m|A+;IA+&+bfX+;X#O
z>rfM1TH8=dwdM49pCBk5?2oT?(<4iN$Ssx<d!3n11V;!%B*Rx8ia-ETAishk^qwi6
zF?$#B$B(~;bBJKkSPSxL8iv72Sb^W51ql`j0XYh1qtW-N8*M}zZUkCF#b|GM?3fZH
zHW4}&m0p|kh7sIE`YMSuHi-)iQQC}AkbLJ@HOr@SDfa&NBX=&<QIjdH=JL4c))zWU
zI^nX{{pR@iZhYfWDsMky-rs+`yQHFM&Ie>kQ|ot%Xk+D`>059{?vTF7-zv9InEl8+
zM2{g1P2d)|1}VyB%8HS|KqNR;I3YQx%CkNR<6dI16iPf2=D+;EP~)Pq!v&P?*-nC>
zzmcd5qtfBFNdBVS^6avR{$-r3N~W9zkM75kgHB__tfNXk=8o~}udlxu5`j@DBr}W+
zjKx581{w6h7Wna*8J<v6-^g?~yejE<iLXdSbNZTuE~u<yOURx?JThM%voS$yh;WML
zgl?`JsN>LPBPQ^@w5Jl&DLlumSOD~>3k(C8-yOi47(TU(fjwRee9o7BAt@=vDVXoq
zT>ibX?|?h3zE%H?rq5_`i8LZL#>MnZUxPns&5O)>+k|$e3G9xo^laC<CMDJEE#l<-
zj`7IOn1QMO+nt1rFQDO!cgS{^Y?h8<V5Ar(E@_}|l#`0#ZD{i3s|@4QV}n$7yE8kL
zDoIQ4D$0)R+l<XwloH3^Kz3xNb+g*F4Ug8+3Cr`fujVq15rF+-^0mGfN{vx@vO|bK
zC1zvnx0(A&VrF4^Nqr@i$esP}m+61D%}Ti|Bf2YP5M0FqVlwGd#k$u0^4d}Ty2hL>
zzZpIdM};vD+*3Z8xEk)$tm#fklKL3q)yJCYckKph@Z_L+1r?3os%EUBQkG4Pudvkn
zxTH}E4T0LT8rlK|tzqy1)K3AX@h@;>vE)SSo<G}7fgaxmVA3|AkB{%iks0v$JJ4AN
z)*u(AO0C5uGSmDU+>)J<3gs%~%xd)$Mo!8OmhT+K;}%T6V10bZ$R0QIkxhYDZ(Pxx
zPdce!FKt;Li{F1M@~A`KJ>Vh_-zaYVHF#$KeAu<+2Ikq?3`)PoDNiM}mt(i=t3D<f
zM=F~ARAP)qdh*sjmVp#X@j+z()ar)st9#XI{UX5sFQedqa?t<i1Kc%DKLR&?4}U^M
zig?W~zW=&lW(^Q@6+B`p`A$pE3;bS2&ewMbwBueF!%gsv<B?Nra`b^}V0~pRf$WUB
zyr;`S!*=<^<;yx7p^>E_759#e;&^|;!C_?C5Do*^i!N^nF7v-|GRD4rn|MW3u>WI9
zb$8Cx{^gk)KHSHypz1I3W?=>4_O?7kX_2pTr{HBspEm`)ukoM6BwvZ}R~{nNRmkqE
z)l(q3l7YTSZ8=(u6=HWUvcmh^UdumdgB{9O%}@TQeWYonA)}WWX0(U044C~p7cq7<
ze+4@XPs8})U!0O8=*KrEh&kO}E)V8VfiNjIt&lUObX!ORX2grZPOKc&o(;&$A5?lk
z$U2^msdg^i4f6lZb9%;yf%vWlGXeR>7L)J5=&Dg8L;9d)8CN2?g@Yeyc_d|4A%`~2
zX^E+*+PQSvUS!_V8dCA|E)1tFT|Po*lLLJ{VcTO!UV^E{TK%+H5B=9$M|iF!J-l8W
z=`+WA6P1sBTlEgLUm0gWj?EC?kLU4?eaz4A>?nT@cy3<49^shy#xj)zKy9#TuDx}z
zGl?r#(Ee=12*Y&iQ*$#=&Qrn{&(NT9B3r~+7npH3>G;~_g?7yZUSIwd`uez@R(k%Q
z*oNf{D97e&$9k$!xt)!7>Sd60yG^;uO2_^Jg~+bA4xq!grH^9QqsuPmelDfQqgRkN
z<J5)sao+VgWD1bMp^K5Cso=x>zQDDF%t=pVtP@#r)dP_INYe(6+$A612&g=oxp~*d
z!2Ww^1U+;YK!h%auRe=cuYpH{pNZUhI%}|$5y2!x)y%H_kIfHepK<>izjRaoE<X?i
zaCx~VnbAFR<u{7dUL>SzlVt7HZR5N~S0~mPD`e&IB^#P9$KbnNq|w8j(-AJqS;&d2
z%9NW}sR8!YEOu(mP->y5av{Uza0i;O^1@Ag4EI!f0WkBe&~25So&`7D8V$CYSgdgs
zTNt-$k2di_A#ZHick?)`88Km}_hB~xa!<aQ!?QadF&Veh!|ccRlt=DAGDZ~Ybo0l@
zwQ@tSQJ?{MeVeWRm6riMpL4e>*|s3*Yd{CYpN|3Y@djr=-bsK3FK`aby#mr!gkv|E
zHz+Bj+DqI!EU4FLM6mWepUtFTzDHB&0#)=V!(>%@GcUt$yz@QTeEvp(IUP^QaLT~#
ztNAYdaLq?&8<Fi?wL$QJ9Ak!=6#Ypi-g=Z(*G%8yFwWhUrEv&#J(i1eFOpx727Zax
ziur7KIc$avk0gHp>)UEc9HnNl=JhYM0G886Su6=n98Zo;q2bX{Mv9e9b0zVQxt>ab
z!vwdc=OgPTt@4d&Zf;WKY>Y0v$+;2gICa?WtjaEEVzev{qL$@@GH^RfCmZM8AcMgq
zQsDFzxKX^HV*m94JRk!;d-=E80y!Et<J#BTXr6lOx<BWbJ2Y+&H|}(H$J?kM_{QUR
zhE4i9*RDbV_D*$5Kb}v8@$hT|7GJ{O<n3L$TXEJ3)RMZwc}^ZM!IMS*T}U3x>-%KH
z)nG~g#9C=!hyov*i&Pn#QyrCQ2S{J5RD~!R)E}QdY09}KH?Xlj{qw^)KR2j9D2mdq
zIr}%TAlt;gSPLjN!rdZPrRHIRX_a+`e0hunxL%uMi>nQ#ovfp<*(o(T6{Q3n0}=xO
z$zJ^1^2gETj$jwt7FZr;uAncicC}4bKoD#kVSezMW>*`rCw&_Q>Hl(-S(5Ku<><d$
z1#R;G&s8{5{wRO*jwM;uW|M~#-i8KHDk}nd>C{-mW83j5<v1TWKDs^HkA4Q#hBEfA
zlL2QZ%4IT7OI|LVVuPe`OP6+W`1bM~7XP2kiJZr;eXYTctP(cdf90Rm&N{h#Z1Ezl
zdgwv=i9!-9DSyxBL?J~kl=0OfN=0_0pQ>!|ML2eE<oQu?I9Ev|5q(evdJ`FYAfqK)
z7r4ZX?H92A`TEjsW2~67H{e`thw?Hix8+2Je)Dndf~)qj)&Go>zct05pW>1sSW;40
z4w)8YeQx=)=jl2GR4`aWsj+0JrsJIzBWe=PoDmD|2a7A&H}|oHIuQw3!WLQSNQ1Sh
z&K5}SyUmu_TIVeHCp=&DUAog3f52rLX32X^Z_ux6s3Ymzc06T+^ygTe@ysMy(XM-o
zE3Gj`<J<$YdL5z`Dd{L{GFOguG%fldH)DFN!xYuNsyw0yZK(DFURl;&*_)oB2#t#n
z$p;fma^lUm4t3>G@xUenC2x8ZDpbJ|g7=AUl%I<tM;Hqa1CpMB6}>8=+3fsYi8*H8
zrCh5d2SfSbr)Bu`VORc~Y5L37Qpg6Q5xuR<W;<ut9UD=rj7m+){on*$;<?%GpNmaL
z73;GXw&Q3@M@$mB){abv!dAl>4;F!N_;E=YE*%b=Rz2%WuI6911AOwX+Zpcq&!WH5
zd>NmU0DDvi814%@!O=QZ92q=;cVTEFf6z-QHHO6MtOjEi_S9eyvMHv7wO(zsf77t_
zjfbMvpHze{#;2l&=8j2IKB_OmIF}3ZW0a8TTODTZ8G<G$u6Q;XTC!1E_Y5f|ddOWC
zUV_H84!7U5N_-4tcl~n+{lK!Dl<J0`>imSWYtpnwERVejwdb+$dh=<x^Be$su(l{8
z!hI&%y^~O6yZ5xz_bX<PDvF$%I@meOEU!G)jDN<5qsGn3z3y7oUm!eq{vy|W(jGQQ
z8wx_Z5lql0%D63FeeGtcR>HNKk<YaW{0L`HG|fm}unc9#5${uPE}h$)Jt9Bb6K%Bb
z;0c(rCs`~5JtO<{dwKS8jrb5P(huw`kMSPt@$X4KFG!WIur9e15Ay}OO}F)5CI~#)
z1ku<8kXPcp?I)BLsG5>L%GQEUC^6)9h1jvB;ld9oa%28Hxrt+f25e^oij4R$v{wU)
z!#)SaOeBj9uh^9wiby4CM=dcQ$zM`FHwYouaF4{Q%d8($U&1fX>d!%P-%p~TM~$aU
zIi9&qg}?m9lA)WU@&)P^1y4|qNP@io$?j|o%VN)Kld7_PVMB;+yl%bx)q<6#@!2dn
z*DG-7ef?nvbzrU&OYzhF_{weqe^UbSgO*11=Z|cHm_KBv_l%ohoQpEo!>W(#;VY8Q
zYq<4KJ%#q`dhdRkQB2fC+91EhID#K>DaCe&(dD~}DQ!s<{bQOT^eW(EiLq5V4EdYE
zOIp*iPUmmDf8FNBn`)VNWlvLAY#{{yi271wpJN-FIsK(*@v8I3N3bxVv>mEoDm<<0
zw+`Oj^2X~c$My4erGTo8HfUMkp3+cg$rmoh;*^yQPWuY7dLhYz`6af~rm?C5!sgZ;
zXx)YRulfu@&=y3^vzx&YV=WWJI6CYtXQ*dvXOvA<9i2YD4sIS#m%H1Omkp0?%o1)v
z(`4E^==+Lsn}kjz+P-WSTk9Z{L?PxZp|xpit(3p6Ur%>u?=kz6K%ckUkIUhu(IyXv
zUcTOPNcwxb>KNnM-o9rCh3y`$FHcwIt}cu>1-U-EmI7@tYRHfG;*hG4%tUh%r%*Ef
zqHdUa*vEYsZpnk+qVu}llnQ2&8K(!0uJ)#a=`zV(#Ywfg@}A^5V+}@$F850p`B~uz
z)?~psCPenwh=hfMw9ElhU!3jTAE%eYbEDVt@(DH(b3cqK7i_=HKMkL5dXD6HvX-Vo
zi##>c6NPoFVKYB^VXv;8g)A?MK|hmZ8OG{A+`_w>YjvG3T=H$0YijhFe$=$r<%)L`
z5>!WgL=pO0Ee0rxGMH>>@9CO8cV|f)?7e(E9Ng@j9bB%BayTSdpRA%2^%8A9$@O&E
zHtd0HaB<9UW$KvIK?03+&xJe45!@AZF-SCwZW(`fx-)9uxm!^pC~WKL;~V($atZ)F
z-EaQn#b*vA3h#Ua@;uiV>I-Yx;3wx1Z5bLZpQ=W7sMH!;sa982aR@6r%6a6swVA34
zvrDIkv^`fZ7dsmZ`w7FzY1~(-k@RQc)jC#=Rvaxlzb)}jYULRO@(l0-JbZ6&?_Tyk
zZ-++*Q|<}k88CjZADNav&3uI4h~Ol^V7gHLh0Ph<kEt@Rm^YNO|BLr0n;-$`v#Wn*
zp%;Y2zk7EhD78{PjMf0|SdV20#RfjR)qH&KsISQ&j|u*?=gKc>!wv<S*3{4I_s$2M
zs}6=xh0&83=Wi&?PFK!`kKfD3!^5v?Bl8JI{pdDU6#265;N5!_FHetob{h#B;9f>n
z`gf7P6q)PTR8pV?;{M^_0&8e$JfJ0F?$oST&IEr|!&Ufeu&C9<$L;Ru1=z!v9bz$$
zkPhO&3wFeBR?OZSeT}$<pQ}q%uOocUDnL*_-4npe+s>^C5iLUNq=`6%`k-D}YKlP_
zQAROpp+T^nljG;>;_Kyg^Xar9wHuKtdIul3g+z1{ImLp?5Wv~a$*&CO|Ms+VvVS_>
zh6#m9LDxBBx_5}>f|BEc!i<+Q4?3E&Jji%&yzS(A|LZ<kyzk$+Uu#PG@?Y~5+uY)!
zjfLIpHM0l1-ej1@>ZvyT!9fl)1WD8ib$hU)kqxA2yEas07o$3mW!wZGVV&=;?}ii+
z4y`kJ%EP|?;V!DPLiNmX{I6_WzLl=txWm3%Xjt3m3>25lq2nC*Xp6_0470qT)Gobc
zso<YZ(?aV#PV40Y?x<Wj7fKuEKD)yFW|;XbGZl{2Vl6W*Z!!Re9@{%oxcVV*TFEpy
zVUBV_k=qjzbl82WvmO@{J9BcY73EwQe@6z`AJ%!@wR2_oNX<aweY%v9PZ$(pRfhA<
z3A-lMT^r_HCH75PGvUG*Z<FS(=eV~0OV2JyiKX<E&i-W?TrZ31o^46$&KgJ7uG;G(
zW{IXW+I%`(g;V&bNF?+DCRYJEJ?<kO{dCW%zq)h;8G-5{fpGVhpNC|m-e^fQs7VPZ
z&iE*I!8?J=k&=1ut*+QwC*E4Z%!qC+sk%SR;f<3q8Q%vEOc5U?TW+dhMpAd3%Z0{9
zE7ts$lF^U%002+STA1oYgeZYWkvnjcm7?~SEC-n!ny{~{eaNK)o}QQS>V0C|>^sOK
z>)l^A0K*K!h;m6Z0o*&`oH}m^jLr;5;BBy2y^T|Ht1y8X9o4q@?zinbFA);y<>UKL
zJsP0uuIL4}B|g`Zzn9kiT=+IeU*3J(2=8IH>V1<Eo)XNx%Qnc5pOpbiIV(DR)4jc>
z5|3J!UuJ%beVi1RXCLqAi~)k1d0JpS+b9ENJy?@Y9zWft@6=|Vx5fIVij2okwbR}v
z?1SgNY;d<p1vgWmnSLR~lZs^Zx@Q$q$ta3S7Vt;?esSd#!z!J&JxEP|XmLqpfn5WM
z$UBca#n`OAeY0-G(ll~(b#%MAy}Rs+8Qf2}rk9ttc3Xp|+XTA`z_$&c`)Whl4TU^#
z6AT-`EvV?w&~t=Y|K}R+vJAT*T~;-6{;_j+ch3{Wj*Wa)P)jb+qOxh**7?q}yt!h~
zyjy8QCX(L6saM(3TF>gD-f7B?_qOHmT6a<SSR??HG89uLcwfv1PhTFsKMOs!w2BDw
zdhLyO=@0*vQ7>Nue5k8D4x3_|PhiLlkTX@XUo?-ZJe(9Kt~(Yit^knDzPjL<s6O=|
zRiM-L)e$yt{i#j=IB#5Lf9ixlc;RJVKile4C4Y(eeXVV)oCBTG5hn?rW4+<5AfpbS
z^E0z_GVORB8NjY{u&HS&=-XWx31W2~GYmGXs~a!T`J2mwUd8^5DI=fHZlMJ2Z{|+B
z@LIlHRpvs|=Hj9YeS&l=WM)7HGwuzJj%!Q-?#}^gk^O58P<x+qj(_8PMZN@|TR%3u
zoEcVNYcj!XFc{YHA6Ev{YkP9kGe<34_~+TRPi<%)PTP+de<uc#r}#aD%VOoX@?ax9
z2pptVmUa?8FCcd0s>eh>V;04yd5HzHt_*$*GzaVHNNChByhOoD70($(o|Ys--9->v
z=~W;Hd3%N5ELFK?O|~D^xBiN*WA?4#Kef*}=Gv<GTSQ27=l&-fjwzdpavD^3sy(c7
z-N9#3CFu>maCly;P4Zo3!Ko?--$kCRt*$;5zlsX5+M`5cL74+i!x4upy!sr4<e;gj
zs?QlOUNTH+@pwNkZBbgo+_q_wgAS!1Tzk4avsG)^ookPISR$J;Q?b%VCW`jVC(LZG
zuw|YfG!InOkGA$h(UBh7GX?5QTh2__>GP%cU{|GKvjGqr#*$AtKWD<>+#U<1+Z@M~
z8=Se&zWf^gO(5=CjRAf4pKW0$-^l{)XMo-JABP;<sdoZ>-c!Kt^y6nhDsXN3z_-cf
zp6T3VVAz>S<BzVM2mev9>{lZ*U7M8Eo6miiuuoz(><`_fk9Kmu+v@7kOCIeJ$=2)3
zJgwxuDbpFq-}wa|!6zlO*k_UA&`_XZePklevPe&6!6IlBA&Jqq*eRG0Pzxc1JEG7g
zJ)XhgsiB}aiHVy<ptnw7aj4(@I-GE6#OS%eS<8~<vfnSs5R!}-g+jz?ak@UL1)vry
z5Fn_w!n1K0L|_d>Z%l_5ekwM!X0%UjZ4#>SDM2`mm$9Fl0u@Lw$Qum6+p{HoC^HyV
zKD-eV-QO(a3b?0a$ef?gl4wJ+Wzq{yPxG=1&NwN4u2|&4DE`h{N<Px}&-~mbNy3PY
zNB{ODiSfcI&4Xr7og%Yy_2a&<w)+W{Ya@#yHs*sMEXO#T|5(HN$}J|A_hsUt#?P?y
z`JM#-ON53WOLVeyc}qo21X-XXEuT+Wl(AIsn4AqHys=mE4IH$&@%a0-+N^-j@f-9O
z-L8PEF2vf4ti^%{YCTRv+r-D2&xMLov_R@nI_fo2(hp4ktVoL@FAc;eKJ~*OnR~4q
zxT$a{laKwjU6s430r`2oG*hLK@V3pJCy?-^5$*U`{=TX6Ok;x`ccvmGkzIP{m)WVr
zGwtdW*4)FtKG4sl(lbdz(qbhpmyl??%C^7~&z_^DXHelY;dn!b;B<hxwP~w!9t$Z-
zH>T%uBf>8f+k6wfznl1mK698Br=~s$xaky$gq(93IAUK$$n{<y@C+(OM$Z1R+j-sO
zR9p2rT;SuZA6BC5e=Kx)(2ZR<60RK9MYmPaYL7jyv}Pfc>!$wG(Zo-P@O?~(zSwv7
z(3X-~r-OlZ-K7A9_|qyX{lFY4>(CGZz+h?;bZ7B^dnr~)f`^&a>N2%4=6blbyXA_o
zfBC%jp|PaA9Pfj}eH~jJOfD_#5qqpVv`dK_sJDi5<;t{z@|E!~o}b^wzw#MKODePe
z4zzpv3b=l~#|--fP9FR4B)kLNcxASLWyy|#et=^Ln?oIkYX(h8XWRgfVK(RKQKnzB
ziPF|O<J7;=+t#=Z*Mp{k#d3xt7*0>>zQ`1LWS0~8midHaal$xKruMkRd7-8T8nbIZ
z7Jn)}srJ+vBNO~H#1UTmT(J~M9EabHuthPES9~_;+S;1jia*cR91gNRoN9M)S$Lu3
zT-WWTh_R(Lj`&P_i!y=bB34mI{N;@^NdIV6Htz$`3-zSUf>tVeGQbgv_%Aq$@Krsq
zunFvvLUNy9NKOLF{P=$0*g?z0&9{DK2<oWOE(-ovOJ+yj`eT4#aiDmySve@nGH_F)
z&OPP{sKG$+DX@H3?ehs#Z(1tGxhelKRriCk!?d=Y2j}qPpv~r%f4(|xjA{QtfSYCV
zQDBk2gCzNH-O$QW@vn(o1^gF&8RA@Sqmg0nHs4+PvF|fqr&x{hSGJDR<T@DpBye-n
z;Ys=~z~VYv;<Yc{BJ&Pd#e}L%wc$caJU_v`-||Q;Tl*)T-k71d;%&3`Q@6WCJ-4vF
zvv9?1)P#lL!i;@a&JltsDHdN5v%KRZwX3}~s&mD3UCiLHUk2PWQh9)HF^;RN5ERBW
zjD8)uB5^sX0}cOAq&((blSVg#9!`3WJi-8yTfmk396nCBH!@Nmp`YOpHM3QkcwY;N
zpj}LU2HeuxfOVA86lGhe5&}5h3PPRFRVnNrkMMtswKqbiw*;4wX#&G-*-L!A;{1a|
z$o!d2J=D56JG5*Iyi8Ot&MMsqKF6}f?34*T^6gsoSNG29M4B`I?z=eat^ro|rd4aZ
z`E<zC5yDj;8Rp+>*BKlQ0<{CBDBwBO?K<M2U2K4i<mi0wXI9*N%);rWb3uR?K2$nI
zlEB7KQ+uyq#lq{?ciSF8;)8Cg9o-iDRuE9%cyJ89G-!(CM{!cH40Bg+SI4}faQjhG
zVO4%~MnQF1BHG!S%J}eD+~;jodvzakT9Ytg$sVeme4Pe!6aANkp81*<S(Dr`v7eTJ
ztR8&_wt-p-dtWxR3Z1{j4?e5&fcor~2IZrn5-GEyOh?|IRe_!4p>l2ED=Gv6D!eu=
zwc+cHryUU4ZD+z20kK;ZYM70}jg`R8tr~MCh1{?b{{bs{ZZUSo_l?ul>+b^(VCAfD
zLtgi<GL(10nM4t-DF&di52Mgn*pKp!Zz4^i<4$Zc&G$C|W6!8nT{L3Yu$ikO)z79-
zlPx;44j=U1jmXsMM>&mt)_bkG?NKvuX*D1yuD(@gdjpR5{o~r}_Ukz&R|1&d!b`&q
zoXq#-qzICG_P^+mK0g<LKc-2T)TB=RBF%7wrER%*-+`Y7fVZzJi13c`Di}1_pd6Y6
zp}*Obw@sk-OTRLR%<1f5@4&qRjV(ON4uH2Oz>YkN@w>jil)h#r#MCfZT8AwAT<Zas
z;)o9&)i*OVm!^&BzSY`TNhde`m%YdP^xj`*X4*6AGnrl4veQSAu<D7nplbnoE!8Fc
zCo(@JY=f;J%xZL}{3HS752q)H<X@r4U>0JOG&3qR19@1UPK**REW{OpDVz}8FiSsj
zlx#Jf`R;o$&VZHV<*lb!8KZOptl3&5GL}UU5`*pZ2y4zbbbqxa8iqmjx`%BaRKm&M
zV*N#nWVoXx9n1Ai4~cQO@rsVJvl3(QfbGP)N*O*U<Wa&msfs1;(2_RV-JTkpiSXE6
z@_X}4)sw_;?JYLi=S8*S2zUA>V6o?*O-C~lEqWwq`cw_$J%Y0VYC#|tJ!H_n-9t>X
zacU0<RZu%~8gC3h&bK}e^4-vQ;*oLZ_uqxU>+XMkTC>3XzIC5iU}O3*4ELxq$}bpF
z?D@qNsJ@WUaL_n$%8@U&U&y;|c?DHW=#r#N|Ek4}We1SrgxLihk<-MB>4u~t$$E$q
zRR+8giVN-`#7s-}1MG%!;7%z}3UsJPPXcVcPwdd-kz)$}fWZuh7AJ}ioqI}T5HOJK
zm)t|(2YZTMBQhuncAR*UP`B;&;e5n%ydZ9e1J^P4=UU$qKB?@BE~^VcpXySu;H@M@
zk25Lk_h(of0_%7Hyj)Q{fG=P!#R=b0Dj8TV9)3(brppt}t=VWX=--V_Jc~YlQKGXc
zV9b6<F~{f@sir$Y+&%F1>grx&_&wieyL;Uy2YBxJ^(f%o^J~EA-@;qltyTL+Us?Ie
zyGPmmke>;uP~Z=hhZ=sSGuNDJ++`ADR3Sp4A!8IGKN5JRo3d-G+kRp^^9rOo5_jAn
z9vBLuB}{=oj<%K2gg8>nd#dt$u8yA0i}!1!2vqS07)8t};vyq3_+lqnvcni}X>*dc
zg}Bo8!x+gq@#3LBEmbLnPzrvt<U_z{B-h;UUdF8xCg}`?BTV$!#+JrDx3xJqIOu8c
zj!0zZ&Y+KiW*Yj_J;j-tig?9v1zk2I=c=m0XGPSG42koq7AgOMFNBF&yh-d22Q?ie
z+O4EpqVI}xm0{iv#6iJRA{Lw}5?y@>Kt*FL!uLEOMOZ4ANB)IiCE0>!u3Hfp`?JXV
zi946#zby)oyYs~L?Xwp^{8xBhsS>m(DUlOy&UBpxS8~X=v#)1*JQ8-itVfT*@QZC%
zdWl0K`U}g2>YvM)e;;B`j%acd;qC6aKGX;zY%!>bvShqT5aXL7sW?$lvD{gTc^&FT
zGHPSZQv*770K1alUZNa&W29JR2(6>(vXK2sqm@a2fheVLc?0kU9EL*6i;X`I%R$?k
z<WgXwNB)>+WDXHZhjN*O99oEgaF(2c$wpiXQ4f{7hiU7=6;9`L7j<kD83$<?!rTcG
z%?S?^N!6h{@Sm;2z(1EC;<t$-f(Z*qRIYP{_W9!Of{RmJW*0c(VW1madx7HC@z}6H
z2iM`UlMr@>q7Y6uU6BaQy~H@?Rk$oh4ASJ#(Hz*u4oL9)9>Jkdax)R0hRXFNTE7_>
zQaf~2l)2M~9LGY-m5tBiZ63b3eHRD7hEm_m_IZkPp*cyL@yN`Cs9p9T)zq!!SVJN&
zC=~zTI-?40Q-8Y~w+3yl@L7$yJ7Hqpbe2$m);!=yGa#UaMJb9nn^ChV&@pO^wRgsG
zZQM|NfPDX9Q&mEHz>jkjPa)Dc)qp*3=rlo&6q*roObT?`)F27Z#42;ORT>P9R2PwB
zr?%_V^(!uqudC>`$>RMa6&7D?DK?7nz6H_bPv?B_v7YGpNy@6i2I%+jDB0*4b2gO(
z)BjOc@8uoJkzIvH9&--jsb^=53A|}LzDCT44GlBoAD*8%jCEoCD_nlYm<Scgxuemh
z0x*(hePM2v8{*(UD>ZrRjLgOXvXDm+_a{{vL8*ECH1fBT(c&c3T=|>C3diSKtEHKQ
zOM!xBhnmf9DCpcoZ+21Q&o8tc64O1%ojZdM7BXfGz~?3&IA;B^<;w}c2a`eUJpWg?
zHGtTua0qzOYzO`9?O+GZJZ6Yxy=cP|8&r@W<Z=u4F(o^jh-$xaiFn(zCrFzUP#93e
zT^EZ%rYy=QuDy(1hpjuJjYm4d3!ox#j(8*Rrz&t@4#NxAY!<@rI5FUM6Jp?2P!S`_
zrLh*Vt;MN$Qb2#S*o3LZO6E!BZl}&k1M%Q>+Epg@+$)547vU@eMJ_kke9?v~gMV8N
zsSiS(YAjS7C4bHp*I+iy$&ijLoAwvCw-o#IuC$m=E#G!V+5-qb!d<PM=+F%2EGopI
z!jF~71&||HhV;rwm0<=?2r-^C5jBR@OmX;dCkC&j_a8&(3OQ0vm?)n(EWCH0aQv&j
z%9!mVS81uz8lYr#v!UDc4&WzOvRPLOf=JpjKEb@oeVSY}fO#9X&j|bMKG85ZxvInY
z%(A~0fMuEW7$k2G(u@JynGu^%1?&63Q*Wv9Yb|9EA#e{qqAWX<cN~7_?ZS82Vzr%8
z@4lqwsM8vWvRwgy1D9tv+2nqU@=Rjk%C&v0KBWCJd%rx6HjuWjj$t~o?hR8h<w8~S
zz9c#yi)QbCWBiLIJ4i;e@!d*mEhQGEXRVa=k-TDI=US=m)%i!12$LKeYp{!wS8c&y
z%8&4lg9B~h3n5+)wvE^S2dNo)yn*XF$i&Q!g(jPuV+<YvwO*>i&x~6aU3vKGF4|<j
zUHS0!h!8rK=67(v_692{>DT}rJvVzFPzfq-pKi&c&`ED116CQH6?C{b5=QEigI2N$
zwhH}Pb5wo`wgBcQ^m-tiY7Ts4!v=gLd>eLPixRiHtWN(_V4!F=6{`qd=bJk^>mO{$
z=|U@|Mq6$w$wpLs8*2=5l5|4n_=eY6bRr_Bm3jqq*53)NHE5U#L)L-~v$K+;P1j$^
zH3qfjOe@OjSGz`8jD3q`-RWHf$MtRes^@1JZ>;fUc?X6Nk1w($j`C3cl<M0IFG_by
zzxdO|`6M!b!%%DS*-=xO(A4}&64?BnVl#qZ)vjqul3UC0weDbMl!VzIxw0q~sA79b
zAo=L>i^<|efe;3Xn;$=Yt`q~FOP~L3oI;ukIxTK&Ufymx;H8PFkQa~;S5A9c$&gK)
zNUOVb46BficwQe?`Ni@9WB>*v<Z=kBs;{fUu8|N)I@;SZX~awMMb8F1RM!*#60pto
zNa5Vp8@Ng`D??qeUeJqfDEzJzfu^1#2V4}vqG3`>1+w>CC-|MQQ3??%8MH@V!`_as
zE_{cZo$qr==BA0Pb*u<x;n2|}el9RkOfrPytXU3-Pb>ZtT`teXMY3{%O^w762%!bV
z(7Uw8IZ`P4Ud|VVZO*bUbm*o(y9-E#zV|X?vG5^^6>(2+$*_KJFPL6eiUxNjN57ei
zr%(WQe6C=a#9(Y~)C$-A0c#_l@00vZY=LB**u4BMymVAeqKJ{BTnkrLQkjQb7QFm)
z`RS=n2({Zw(5)9Ix&&vYwa)>iZa!WB{Ie>dkKd}5I%=sEDqz$lT1mVK!M5>bhdEj`
zb!i%9p!Vn)Tz)XsK|0j~a_~RP_n06zd7|bLo1&Kc*eu_eBS2lil!6^8fAgU)v?11x
zqdmG1WxYo?5f-tclk4g1oHD=u2E^T<1<k3`QYR)r-mWW~)7cxE<>#^c%LXhTBRt9^
zt+SLhQBPFQh+HNyUlmiTR3U39o4d`pB&0eK6oaCLeDaimxR+Ut-{8YbrK#N`^cYEz
zy7))$n1CB0?4aQP4Jyj%C5a#rEyA79g5cnHU@UWtzJEC>3)`F;-<y5&CC_*>Dy{=p
z38N+U8}f|D=0BzjVR-8h=`f=4y*MaKrTCL1a71ey#c7%Xlg1U%DMOs30_N*f4slJ1
zh#yMSMHbW`a9zwFlX_Mvmr3A+7ol?eOjnj%zCGfFz{<>y*V-NbVBvX{g+#AJE=``X
zHk+*(D&D+V*ksB~s5?%hGOCOEW7;X!K{DRnzUw4bsxblK@25OfCJ7@}xgK&n8no5U
zpldFVYEcuALf`ItqRY~eWm5mHmA*9<VeimC^14X}dDKK~!7$4T+jYR$J066jn5au5
zRV=@ZqOu=%h<uJe6tkpr)u~^aTKggcvi07t@8rY&BtKmS_#Op(5AI>iu}|DF3uv1D
zn79BV(f7X_uV$%mi3Ccd7jUv06aF7h-xwWP({`O?V%xTD+qP}nny6zZ6WcZ?wrx*r
zTW{{?TkGo|d)1HX?o++0tInxwqtS4$bSk|hf08JQ7|*+49!-$P8fQGjcCip~AlyQK
z!&!C_La|UIZcQZMC~p!8&HtB^bh1$dYFv}ni<L~er)%C9pINg#b_TPTG$plZeWEN*
zxNjn<_B308!0p0tL3(L4l&dO}g<<xb0URGK9e(a>?%F$+92Q;i_Us895=b2N1&hb1
zZ%{gNA`Wte70GZ~(nZGNK9%;y&jf)wuJW}GlRlrMiW%h!!LR1Z{qf*`TI>cJ6(I?7
zZBlMBD%4A_$`2Zq=#*VpP|papbrqvH5I|$kY9iAi<Xcc(OmGzr8BBUn`kix~E{DZo
zXVWOQpi3Dtz>h<DeXI45UY!YS2D-<A77Oy4DnE?`4<a8T7=6APG;AP(0<->tqSKN3
z-ju}>`K_~=yN4_`T!n=u1(GA@El~93>ub(yN2StpXF<nB1i=|0mHfsQEDY`f8A}a_
zR=B`FK9NPko;|6(qE_+NRu(56@S+Ufm+0So{`qGDqmzc4D;@<gS&d{wUyykPwF}5E
zvE|J>2dR9F<+dc}D={W9OIW-m8`M%UB9Si0OzpEgvp|^r+rUbudbQ+7KE+qqa054;
z|DBu#kE~U0vXlSNSO8MQDC8MpMQUo)J_ge<QhJvj#k@18xO`=O6-`m0ubx-r#uOZC
z0Ek-N`G#+Vq;Qrcwu;Ll$lY8>W&TQI-L`4yW=TB7E^rw8xp_Xc4*XUTpraxYVVV#w
zr2OU0tgvgKhpU&ZPmKKP`-Vwn*<D)fM!x5oTDg*~zq_NCWu476e+p+Prlf<pH4kw+
z@%8kS2K8zrV6OYsV2A3AkPW*4gRNu5%S1jBa-N!<1r3JqE>JvV@su@|WfogEDADAf
z?c{4gs39cCh26mD$(x{c@H4|B57;)WP2a`Fbz_+*`nV{F2KuP*94D>ZL)-xm9;oLa
zlucx_;DgEMPz9^{i9pQ$ygAdX0@f!Ij-V=sqBWEx!zg%9{=>paIUw;;w51Zsg*av4
zotc+E_sLPWMV=^x=6x7wa^EoC<|DsGDM?NOMyaw@k(rjJhE+Mw1;i_mq1EVY0@Ohh
zlRRHMlb2s6^)0l^%u0&)WpR>l5dez;yn;F(KNE>+d{?yLT1wO~r7Xp~C1hQ=0ZLtG
zlrf7~sNYCI5ZpB{L!qrmq`Ak}b<fswU5Wh2RPu!^D-dtqQ`R%(dQ!mzgu7<V*!ov=
z#ht2UqM%$64oQLn=s(RBOcT1(rl{!!iO6Ox3&Q4(fg`t-%*KttwtwV=q;4(_umaOr
zSPGqP;&A&OtfX@J7FV-I?5n#3ICMYfg170x%mRs4Bu;n9?c@s*XPf6%3h4vEM_Mib
zcm({?sk@xi<h?ywqp+)ZYGVwPwyrFaMX+|G;cWyeA%ff^3vjbY;IkR7Y(xGoh4rZ!
z%;IkPy!XHDECMFH&mA=}WO7L(nMje-uwgiTV~djoHg@p|e(j;;nu3D6@w<Yb=U&@>
zupC%LXihqG@a<XscDBu_97IskH7!rFLac8oFXVfpM7{yR`#!shTu#oMgM|d(FLhW6
z(zugmrTtLm_~q{c)sA)Jf5lCL_Q%6f)Yb#ohaIc)p{L$S7Lg%-qM0)#odB_N<!kZw
zmKdzamIS~*Mm;o1My(m-E^~XF0GS;8sQJFw89vB)Xb5a2EZBx*nkBfy`O!*f@=C;`
zLQ@c`291ZwU=erATNL=HQYo#2f2_7fmP^RzH~WTET(O|+T61fk#FaC_!TMn~|9u%{
zU=d~r937Qxwol(G2tZi5FrBlAS3g=Y{@4$uOCQk_nTU2S-kE4Fu->d93T8Hcy~P>u
z@a_(2Th^>ly|Y-~28j$seHx<;^0Q8?OP6>#mci<t>>3`4{Jyu_)aA^25&alEs5ZcF
zoMJ1@G#*<1w=3TJ70oF~nAO*GdqHF&zy=WV?{A-HlkIOUC0+un7c5coVFE@+zce+B
z9GFUEM=70#)Qt#!{rpua>5>20yGTJn3>z*F)9O?>I?x_%LC>AGbFB6(#0u{Sa}YHM
zyu7i0a>Q4|*k1~FS`<K-`T(MbCMJ8_31jH4YKe~ogD&l@k#3xa4jABYv(cp@wrDZr
zWDi5-3r(fOH)RN!*mO;^^HOkPgc-I*vWybRxU8+uXT2>e6w54QV?W;&FED}r-CEi`
zXYWcQNm-vqBSfQbt*W`Pn}@B51Y+j|`M(13Pi6b;gKM7URM%**AcHPJF1jtG^op_q
z7^1mX85chRQGp?1ra%zs6h8apnNpD;e%9b2<qB6@=D%&uOU<?#9M`y?3WoW_PUQH;
zKfBk0^I|$8xCo^mSxZoOXU#l9R{+_g?7LyUy$2saRASUWwv>j#WS$S#8PUCPozO(E
z96E$|){}t(ksv6Yf(-xX?bD*q$b%d{Yd3HjQMO!n977*qXifG9no||JguGo<&}L1c
z@>Q`nUzt&Dycq3Q?jEBKJ(^<~s_c@p6`drlFhIIbmEzBGpcqZN>VLhK#)=<zfBHa0
zw9Eb@ccV&@vEOShlc|1Qz=B^oQ!dmU&u{)HP3cY^$k*1ZNR^=h=N~X?(H-AYtfpTY
zEp8@c`t~hT|6_ePk6jl?TH!MHU$+z)n|>p5yoc1=#iecP3mL%CB2nqVZ-Shu{R+I>
z3-uH+8R3eQOZ|Pvgro<vHETyoT1Xo~V|ZM8yqdCxDNJ1F$wqkQrU9ZNk$(!G@gKdb
zZkJq&LlJ6LO224w-BZa!RR)2vnB@`oArZ)=DCQd+cSY+$-bFnfbMwht&e4j5n8_Ze
zAm*U!-)oj#{`HPIKp`o6qA-t9NVIbHdLR?(8R~IfbooA(xRyJi!~18UK0A5gesF5R
zfS?1irSAFZ!MBL_en@{>q+=9X%OA|yGs&QgW2I~_8O`fa>bs1nJ1(h%^zb)7Ct$?`
z1dWfNW59k^rGF>U`~q0_aLN+qiIRlQ3nXc{7ytDpo%9whb%~rA{DH+{rt#OFGnx$H
zg``4H@iMm+xzZ|oL@@mwcyk1KepcCU)Uu@`<RpGTx4%L+U3#h*jCYDHUt%@jjn;}e
zCw>HLERokt*R#Yg|J&8spK~9!IDBC2b?<D?Ax0z|f;7u1(iyP5i&;-JADUe#(sn{p
zPdY$~D!PqxK#gl&yAUq{x)K)80f%Q=EM0gx9asFbjD>4Caz~*~xdQF}kq_i@;!G2Z
zM1=rY+6Wi1!4D9{lx5|(5L3H|FOR8*$jPCKEcpu0B<slK(}rqO#UvPtlrPA|IBj1S
zX9rXk1Q*44F76{rt?N(`dp!A}z$3v(;sYzl?;Dq7LgT6q5fjB%bf}VQ&*g&vY?NJV
zYKDNxxi$r)N%WgV@-7=G;k^ytE}dr4lv&r23&`N<K0xP7GO-&p+3DdmA-U&kSY>>)
z$H>^S{*aP(S4EV=!(|r-Z~q;p!;4Ypltf=oMuj_nP*b<Q<eWSr8~cBJ&LdC=04;K&
z3HI2BZyR%QJbhS}b07-jI;?-bj8QHN(QGnVx(ilLon=V0Q7c9rR7t|kY<-5x>Sji-
z<T~W*&(FhUR`&>1k68R+gbr{~ffi!oaG>n_@}$DHro+>Ixqmf5CMDWqyEzZrh6-{F
zaioNbTYM>6YC*ge$3KG}dvWtP?fav>M+lWW3#s|(6YJ-!?-UK<KkRs=*r+cN0?NG-
zYZa51U~QWgvgi89N$M0x)}D+j!<>=2VyUW2P=z+O#SW>0w|wf;r~7*V3`PVyW*a!~
z6P@#B9J<kwu{qwp%Fx!W-=8jIz;+F~CWQM5wkW-NTJRmc=J~V?%Uq|z4^gB7&%+5(
zQEzY%dOoI^8G=0&&iWds!pZW+A)5doezP&cV;vft2Yie3;o>F&A+#H0MctmN)`-!8
z(Hr$IZ!vEGHMzr27Z^g#3J!8|NamQfEjpqHh#@^=!YIoc*L=oG=mqXks##GE=Zy&q
z5g$nkv||x1l|kI5<0@0OkmC4Li*pdJoXMqONmWxteX;{JF@=*7?=SsO>0B4^S<rF^
zIIi}I3^+tjq_LIAA7q)c!lwB3$DFkfev_c!ct|6uCRvp=T~5}uckQ)T+BmxBbQ^g9
zEX2+~L<#?NOplY~Js`MA3s>hF_woMhP1U@w@`XWKju$RRO9hBKsKv7zX@C@u1<_+^
z`L^}U?}uzFKj?Br;3U`{Exm_hS^7td{oVOJWW&F`2~vm<Hn<eRh)L_%E<trn2z_qA
zGAPvXGBL%wv%)K*Cwa@<`o#}@pH{I#jHiadxyI!4jHi`ZxGsBy;fTp%5NajZ%@9Gg
zUN|w0H|gpv@o^-qgk_Z>>KanDS41~EV_qIgxYHHLdCh%7J6h7m1HTKe*H|~yyC@fR
zAs5MU*C)tm4k|-z;UQckz%h#KIwWcTG_J2*L1Cy$BELQ+D5<oo=FbUf8kHis;GBGX
z?hzAe?9KKo^bYk6dqOg0A6&?&-GZW~4NEq5ly1ES2M>r|63o=&{+TAI83r9%C0%Cy
zZDl8GTP6k)qLB}x4&c99*(XdC0s}{fNPq<y?_=a?cG7|6PPCFu&1JB)=Y|~P#7C+-
zM034<2An7du$6RY_=Gd^!J6lSLHw9V|4=m;5iD`xn|#XNbO#M11phd_%ytoSzC@@<
zZHx1t_9tp6K)mH<z*5lT(Kj(Hd*8H)d<OU$AYu39z_Y!1Xg!0YnMnO}L5IJuMsV{-
z@Hk=R;n(^}JwE4hLS#D@k~Ww($TH=+k~Z3im(<yq1rI3*bKx$YNIY8zb+4y78W4g)
ztM<Tn795t)h!K#)Zw%J_REZN|y28#{ucORbHw3Q9_xQz6+JA-imiBH!9l?Mie?diY
zVBtgz_rP%+yJ>Fdf3vrN{j0os&nkAWMA9$+loTEE06fe1g!XQ4^PvkF@`PO2SL6zB
z1P;rw5^V~X7`#BFxQI22Iy1R!Kz!RE=2-P}Dhii43V>YMYx1fzgsqlMOiUAdn?Uqe
zFgb3R&yS9{67HcMQ8-G;G<1$1olM3@6yJF?4wo2#>q-JXp&0CYG|gh{56c-GI$St!
z6(r$*$oN0h{2vDX56cL_ik-Cbh17{#)@7;zxCBK|2@q(c|3j+(A^rc5g%mK_00O8I
zU$XA5Qi~h?6@{<-gD^z@VHC;#+T{OhQzq^-3hdSqqlNQMuKo{!NJ2kHgOtRn)qBwf
zv8>`ooke13{rn6-6U+v2w7`fTZ^g}t8Z2iM)XH>Xge089c@IWO8WFu1_avajF90~f
zMR>#rgosk`3GIamrYhcex035R`zuI^Mb?<w_^eGkMEnPBq+V!d?R`>LOfPQXO}cB>
zc=<()7O5Xi5~f;4(y4NhVu)J$Rf&f`rEX#uFxs*D`EildCV`wB9&0J!1hf%4t7z@S
zXZQ>bSE;X)fTcc}brsXA7cwwWb=<xK{cu(YrgBkJGb7of8{ak!(xiUkh7V2h%i`s(
zf%Gc$KTqMCJSAh}NLFLo2wZhi{&-s2u1P7BR6iX=;GGgJs>SxR4m4iW#JGP(zu70x
z47!YTRm8L^g+km&lA}t}P?1J)IduItkfVx8dOjdHc}m||vr5tKwL~2*<|C?(0c7T1
zb{#qzS&&By7WJxSLzb_YDwdF%^hq=#QZ9Nx1TOX;ii`h;VG=)=x`#<ME!`7DNp-LA
z1i+*$Mos`=(wUKq;Y*Jub4St=*^kdtOn!v(4(?LfA$lPqsZt|piD9OYF|Ol|K*J0x
zj|J*lv8HhG65u-urf7@eYpebbEmOQj(c@~B)0kyo?&>j#5$Hyx`NZ%wi&DHJdFvc$
zn!|aU(r6y59(zG*7m4p~3TiPS=(>EIZ6~8b<;o%cHHNB`2Q&!Mz=W!&b6kyC_%Y|P
zLP*fB*`Up<2V1(TpSNOElAlH@=Qo3odk?A+@(?Ae7|;f}@-;}$XN1j(Pp*ZGGD%&b
zr1-$+X%ph?K_M|cS#U$OU3MEGr9{(6WiCsotK$fOC{U#mKT_9KFojqp!p;SXCc>Al
zx6|PLDb)(T&n`5duL9O`oVJfL2Ww#3jMKrKx<{3B6w>_2YeUk)F30=bCMgVJ@qjW}
zs-5YJ6S{ECnK`*_k-?6rAncND9#ku3R;6^a0bHz2)1<mY;M}~VUKv*8k8B)^SxSOU
z7vxNW(<;~!JMhS?KGcbALapqRVG7>fq1bJWh)SVoq+Pc6tHM8qMMMvJBW(2{RcMVH
zzDMMk7BLr2!OvQ)=*usGO=C+n0;EB_d|YaOypzXkQ2o_(cvx$+L;B$2r&OAyM)#aG
zD?yXla(Qg~s{swg1Iwj_5%M{=<#MeJcr7x*XNId2l$WODQaQdlt<7a}4cVB+2m6@T
z$q`PHmCsa3)VB^vx8B4BT<v(u@Q9X5el1W`+Qu{jm#NrE(l4x79}*kUk4-9<*pBFK
zjH14!3^!Y^0FLw3@AWUKg${|1fQ6pv`JlaB=Tb6Qk-*BnGI~qru&kr}OGrO3Kyy0h
zS!Q*284SK_=Icpjb#i$iPfK$H9WSwEeVq%Y;@r6CxKtnvMKcX>fiAo$28`Y3CU3$K
z$Fi}|KRnfusZ$2e6kc@f#9SbJhh6K2S2@@x$*~ZHmjiH*x3d5qwID%f{LXNUYlt+t
z@g6iLU!<=>ZuUZKysQFZ@}V^Ox{P3gx@?!lGe(ZXX7Fqlll_OZo|hy={M(HTAL<5j
zchDjUN>oj6_P`PF*4fz=2um63-Py_4ZBsbSN{l{>ganswzd>BGQNIn;>KQqRdEMpP
z99Mtrh0l!ug$^nvTQQWtt?VPySvE>neYxt1I2(&y)1i`y6+R?|d88|iE-Kq>@~8ih
z-=i#mnb!oFe)pgsZbnpgM7jFuG8={|A4i+pIOPkwIlLK0lL?1uBR0mo{-Sgmbq9nA
z=Q;nZ&H{eWmL(Ubeu(}YL;Z}6*Q3k;t$})hVrQIb@8koY`ruC<SH~=^FZmr=S>&1u
z?+qh8|IR#R-kfDvq$dEL>vyLB_X%rAJu|=XuPu;u&M#CHc?!}*PTlhCo;nkjK-~YB
zM5nJnR-e$ectmPULq@iiTWxYMYD7@{FyvEOKur)b2M0iudHH%#>NZ<0OibEhXyk|;
zQlBXhw~=~Dl2GhzYP5v?Nw*zTN?_x}=vWqiaZ54|WD1mzUezL`_Orj(b3D+JwdYjo
zv~Gc)EGFSwYtnBqXi4kVR04c$jytqDs9N`U=x5Lxx0wCA3cL)`C<37ztiq)(88LS7
zaf2SgHtoQ)2E+i=md+*3nuFC+L07Xsr$*<MreVhk-TWrW;3iGN0(iPv*;#%)247)i
zg1`}6w?_T5qmK(+YmZOvNSeAv1PP)q;0v>uV7vDd4=%Cfbq_sEBVEs0A1i-9R&>H=
zjnxa9YhI_at-v$y9SLgk93$#n*x_<cb?FWIs#>2`=M?%JOpb-h(nJM@c2|w-WO)?2
z<Vw*$$Ze*1cNqpU_BHLRc<g4BI}E`58>dS6UMA|-%Cf^--!~`LEZv<s67P38bj%}n
z1NdoV;a;Ym{yY`-;J(XrRTl$)c+*6s^0Mo%Mov-1pr;_eXh*Tw=p?cGi-xfhU+L);
z0%>!U6$crZ=u`gQA>Tq7w<noOI6C#+12fK<b3lqgQZqm;4`S%#{6t+tpWDkq!a1)A
zoBY*nvdm=Pb*Eofdf5!p!+i5^b2qpCB#3Fv0R5$;>oCSY^Fo6Do|R0{THNZXYzOBf
zL-510%PQ^+S#=V$hx~(I+o7SbBmSMGuNJB!ZaMRx<=$K^RP#@3wTzx>RQARO<f8Dg
zgrx$e!T^}xA)#+Hh4(L2#9X523~pkn+;#z0qQz;s*3s@K`&#4~=}d+4_#~0n`T=D{
z3NKAi!0lWu3ZIRfJS*V9Dk-i^=&lO-qvhv)=)@X#tfa)+spBkh*`;z<`Tu>)soGIm
zhaEHgl2ndbai|vRhjxlZS9uuv;pcx1sIW6-=qZpM^+PQO?R+lr9yxNNXHIjxv5+Ii
z<fbu#gP@*RRAHCkoh-IdumHS>;3MFj8XE4=m7?KIb&Gx36$%@hi7aFEI7@fH+xO<@
z2*)Mr(HgwQX@XxSsZflKgU!uGtUpdGHH2@b5`~B<80I9fKmWQO-t{DVJOc~lHtysC
zIcpYQhK`178&@pF`e68cB0wyWWfU;IAZS|tYdhSon2YU3)B;@jja8-~Z)7cS+67Y=
z1G5770}G3lT6o<I*EBKd5ro>8OdJ@7Ch~_L8$Eq^$Ru!`Ine=^3cf$>lui>zUqwP{
ziO4^~6eCV`LY}7_cCwM?SatR@^5*Vb2!Sp`bzVj1s~$98OX)P*v|^f=7;m8mD!ui=
z=!KzIubm(T5~&xt*QccQniB>{8CRZ?FHXFDS`v6z0jR6<x@OK7Y@osojdf19FuoX|
zN!2po-(m%ZT=1Gv!3G4MLr&ujR3^L1QScHFe}KVgn3KC`EGgKaW)08e!?<rSvN|4_
z46^vGNJ(SIl^~9=_DU?AZn%IYEm^6r+!!7(@N5)dCOF}VEC9VpoTU9nj<R60e7z1n
z4Vpj(J>8T<P8ORP>m))yJk}^K20Hk!G_hz6Qu%TDrEKK%Kf>M(nNx>gsWcEDV259|
zwm^9)UOgxK71y`e9Ev|A-BDWn%GhGSBm9vD`z)K)0VfNa<O&z5!t%BlGW*&yf(k>I
zZcG8loV}i%{}JXV$jg0I2N*B^M1>B}ceis-;QaWZKkx^)z;Y+CAu#Y1HtMXIKqINb
zNF-ABU(yr;Z4uRnt7q>ZNmsd&TB7w;K=s3n!5ieg5{NumV*XcJ2ufFCsL_td4pZzX
z1!93twtUadvlgkQB)2^mYx+~0QF$&8H02h7`~hbSlz(h!n;EZX^=FvzJxU}??v;as
z&P>mC&7ZfcwWz57NH$rkiO{L?5>kY`h8&=;w#<D>fuIS+WxxD%s^jWz&sw&AO?!pE
z>6hL+xIR6dc@lJ~O>l9>0Rs(-aG0tf+Y&+dkdP})%GN=TP1@<=H4uhL{)(i@fyP1V
zI|c>8*;TY9N_a6LLqQSZoOErjZU_vg6X_?A<h-3t*=QMUzGAn25QHlsK1YX^luXWx
zDmjem1+mNO!N~OPhjW!BjH$$yllSf*5<N@}k{i2Ww*H}%HAs+z1VhD87IEftSaWJp
zBH|S+YOI}q;PCl8p&TK_h|lEY%ixV;fcRoYu5!uC1<|4Bhi_`@FTBh{zD8~kmbp%j
z!I?pcqA{gY(Q#}W8`Wu?Q(BBko)7nSg_-fXB5SRYjG`MG0VP}m#WHpOhUGac4t0dV
z68|+?E~^u!?x6LcN*qxOMLa-sTMURr1x2hZw|~fI=<CPf>rf33@jMBFZN|O<*3aw8
z*692n?`r6$OcOrt#C+q+E+tZ%p#@Sr)I!}|9_&Z8ML~$Xpy<jCL9T<?MYQJ%WAv~C
z;UGU3zwU{^{R@<BSUl;4Rt`Fg%$=!#`{*JJ9C0r*h=qH0ED|5c3YcpiCnKkeDkmgL
z26D(=gVq1Zmf({^2FQG3U^)7&@ATvk-0_Hc>HPr|_as@1QqfGkF?W?h4zCb_EHwVZ
z7jpK&UrUw_ut|&@VC=F#*&B9oYjz3^m!!~;8krG!77Z5<syKY52j-<NAa@dy(*;VL
zZhEfOEozPjYAC7+G?Ij*;pd8$#P#u#q*-aEdg+itz$Du9SWu?(T`C01VY5c&*omG+
zdGk`g7fn-5LX-pnBK>MI>-$X$uj&YaN4_$yuq=8}1eQVyjC=TY)K(xv_KT+T9)rC_
z!6}M$hb{4Wh2ik!afPhHAd-x^DuFm#q(-8g|IxIEE)dHW7F-v@Jl_b?n#ggJQURKu
z5T*v^lfh1G4n&#l6HM9DzZapIqLd`<CEJSqombOKV+h$_QeKw7fYw9O1FRUV!Qs<z
z{{Tq``}EVoKt@1ud{sXP00mznxhS8^TB$>H(d<%}G7)0V;$V|Tu7|1Ab)&JHMHsha
z!89je4m0tHb%s|MYHzAO*_guMa98b@xFaf}w$aeUV;g|2i)*PPyCOoH_x&~#5%R0V
zEX1}j?+C+1Zpo(8lc~26eLxNV$l9-hJXyiw)Ebv;7B1(&e6{ALX$i&jvqH+G?L(aD
zwO)`e`8A@X_V+b883?zEmx-c#9&%B_=Dvy~#K=pM>{#%6SY(-{dZFFevL6J8dsa>G
z!W5JZq_>s(r%<ajYS+c+)vVKASjXLp%^Zp@(Z{~u?w)myUc7#l65E7ip{6D#U}=QH
zNT6yMBims*Z#nuhs4Er|y?s~}7-=?qu^g$xMUFC+1QaM~^2f=$&^^Qb)mjs#W&y`w
zgB9DEmQ=wv-SHo-?FQFtLv^SQLdQkA)7Cbt>Xfxt1^T-9?a97p;3Grx5lnHw8T!ty
zX8EEj=BH%kZ|l2oQh666%`xFfYj^(t#6>bIx>+;HYC02Gx_}&a;&=t*<<`x_%^iBP
zzZI0pBsh@zV^*xn{Y0g3Qs9ZW@7R3Bs`s*LqrWOGbNW-?i=Ggv&a8oe1AI<<$%MdC
zZ%+WgHNo5GuJQ%0lyEpOL71CkDB9A+TmAI3!tC$Sb7tGStF)8S`q5GC?}0SYX&N~A
z=t#{hb<hsKiOI`Bni%_>>?^WQJ2?ms%F8<JTqc+wxAF`*S2&TV_y;UUBQQ(B)w{0W
z4b{S<(=$@`WxW!!;_ZqVRY~bqS^Ft_dda+(>dvX>TM3Q$XT1fDZ2CO&4&h!!KSYsj
zW>p?poVAFwEPI0ZR0H~YS;(C4=Jw8UGiis>sEjk{WC3(oBnW2f1IVktvSHb%D)t(=
z36V*WQCsqBFk5--Jw~#2Tohn7La>t`Ld!oU|2qFe4Z@s9l3N_#ejaS=DgJt;yBO#P
z4)8Aget;V|kHV1m<&%4_T$qqQK6{uSH>||Q>NKxd39Q2}dVN<88ddb<IxTIr;vNLK
z_#5+7&6Y@{aud9rsrHkqRaG<#tvIPA>&eO1D+r)3qqlv}mRArlp=)?wo|!8zV4p~@
zp2w846U%jkqV6Jfe|e@!YE6^G^j4`|6QWtLhl%{IGQ`N)82KrgBJLOw;F+Td(pRiJ
zq6LsHWc*P4wKaP7FJg@1y9;$k>3kw|uYYWM)3UK+P+{n*pLq-=T%MNBN|nidvDQ;%
zX-JTf<UcnxA51B|k9=xN7gKYrpPO5&rM>uTeXHZC{|;AFg^Cfmu#wNHbN{JmtHgd<
z=k%&2Q*cEB{JCS8@V)EM3AW?V7(-UT&?r0T;dx*as~Ky`%#WJwX;xIhtv-5rCq{pN
z&C5qD69S@29(5idWYP$-60;*g)AyQ2&aA^p@ZPw{F9fAc(4?y7!)sL0iKkwXkT`U0
zR<INCew`9{&T*igLUReHPe2<Js*G0yRSz*2S#)q}mzP<WA}&HBI9!$S)8y!*{5=Y{
zr^2N!xXJ7fXN~)cieix18>yJ&-?A`g6S7@?SmSrp(0E50BxQD>dbSbdf)vR?n8Y5t
z>0Si@+NU%vOaK}8R<<*jk?dWhe-1OIi)_4T(~j=2*(1vy+*`c(h^a{MHZ|I@@P3(U
z8G?dMNKsDQ`L(}}s?a};!U&-{l6sXE@XRw>vV(SZjh{7sDe`SDk*^N~7*Kdtd3xgQ
z`u-aS-><`qb_3S}`~D`_%UY#hOjnR)vB$r@<?~g5ZEK>7gr~9a4e}d;YIksBmio7T
zrdFy61}Z<w1d*FqLyo=m^D7Y#VEm}cMNxXKM88HRR+fABO2Fg$_UCaWdv*-wmt6;F
zW_~t%I`D8yp(<K#X#N-My9Rc#l7H<t(LCyxHV+aI@`o4&>)>Y24LBmDX*?C>PYmaA
z&T_iR<>phNvbb4UX8^n~`)ZCM*tEMnM33E@v&=K|*r6Q7UWwAmyb;HnKYCZOqloVH
zAq!OA>RoGyV+Cu3Oaa7+qS9Nrpx;R3CPZYAcL9XpoDiLxwTP9t_yFOZd-!-l+aWCx
zF|kpH*{fxxfYPj3p}wfS5BS+O+z{X9!Y|k;*H^*b`tLd->`>dlfeU}G3zEFH8Ptc|
z_?sW2DKlf3Eo9a{6+g*DgY6}Fm?{ra^~~GR(u#8bo?7(Z@`pl4JNHD&U;27yHJ)!;
zTA$aDR@!-6|5~fII!oMX-bc}-aV9&mlnVC_|LE_RREQ5vWKQqUgdJWV)>C(#sVe0`
zF6a%>sLjdI*wN^d2j@6=?bh5_&#3BFjSyEBFu(uY>}oOaHKm%c2|c8v{in9eC^z1+
zFs_nY2dXwQL-_2qPr+^q6=h~j@es<n=o4)UvoZkqF@T2lf@~!+PU4UWij`Z>w7B8b
zZzL8oc!W*u5(nvT3wE3YlaPV?b~><@j=Ia2@T6zJ{YFELeMQcKy5M@XkqS{2;6}gE
ztMyy!LN|*dtNINjT}A-MxAKSXS(jdi7RfLILep|JNJyl|jclR|T?WJ;$5O{PSr$B`
zvtNh$=>+R5FF~6C3`r+NqAR1RSj9N^cO!;sv7;{5?2j5vijvP2ktj>cXs+4}`#5}v
zZN+k`uuYNbX?gR2Ii7wgXqyde;-H*LldHgxs&i<e8X10hj0j^84v^1>D0NIyHLZ2k
z%Z4QoYMPb&VM&OQH>b}WDo0o-qFx#p>e~cfi3(l2KvgOdGWb^;teH!&1}dVN8%pmz
z3u-S*hG$rktb`cnR1xmz88D)AvRf*1S<RG>qz0Y0^268$(4uZL;3zPMZHWq7Ofm+k
zW_Hd`CUbY12!bI_$(5$rb32u}Q;E}o^jd*_v77?`LtH>?^TB>KKgS3Al?e>7IK&A0
zjY>U~s<voIefx2W1`|GwOklR$;wqAc7f2V%QFX|shux$GfQmUpk9?%!_dJsF!!C(`
zr(4vCgR+%t@=@NNfrYaY9a_EEzqi8QTTD<jZOBA7?kl;2^y_UQrKL4uE*Kt=uxo&F
zly}0(R-h|ynO{re;(-|7owV06cA{&k?nK$+YouF;4<|5|_XZEl0e_5m61bAnn#YMp
zieXowC|G|8OH9v092QMO0DndPRCt`B8HogG@k@8)teo6eshh{aIY){pk#G2Wks8B3
zb<Jb$g$#!UIM+BG4frt(LrNUhnwH62pJ{*5WGS-Rq56|k=|)1_1)Q)t5$EQQYViH#
zvQl*a+TK~~4_VUX=zn$fz3Eo>*8V<1php)RpnR_6&pL_dP@L*c6Z4Z0cywv76n=KV
z#*lN3h1|<ec{Ets4?m=i24}=zwQ%`&S=^SS;(-X_piMdS;idQtan-yTA)-6T?2cxs
z%vHaXI6zrY4ELW^%e{F-G)nk-R6=_PudFbS&O<T}GsPMI%lL$jFtMt>@x`1bY94~b
zZeZwk1#l7Pq<IuF!!VDGRC-)FBvVvWJ#?Y)FErq<s)YnT`8s;`-h6TNayBepob0%i
zg!vX&4xPjPHVkVPXv8A!?u=93`&in3yWtR&|L^VbBOQ-pXlclm*x?qKMxbX1@b+;!
z_{+`3)6V_&wBI-M{O7P$051zaTemkYHz43gbiSMa%SCV`0(r^MrwSBr)31po*Wphz
zcY${pb+aghiSpupbRSbvdV5%<iVVA?mKa7(njb8SJ-1&%E9kih<0S>TZDPjcTlU0r
zO&r;ep$t+Az`gy<=L85|9h{U{gxZaa8hT_+mD69GwoaP3;U*7QNhRCFASf5DN=;bK
zr5OUIDm(44{}x<TQXV2gJrJmy=}2g~4B0=?q#`vVULWOwoqX;v4ZaxLicEGMgEB&m
zg5mF0HXUkzHq@!{b@YUK%`diS9eGbKuvbN2gouDUeDC1$g=}hbG|WqL(WW&nH*2{O
zf%{);9)A<43qP%xS`XVqSivD!htA`?9z2+GEH4?qyIDhilGwVO@D}DY?cy&v&BY9d
zC-G?*++IkjCNQ&C*4JQ2XZcAY34B+3idyL+f9aK!f-pri*0ZG^=W$ws&#x#Uhn*s7
zB%=&IuaWW}!)`hpu#(p@BudUhF;(u{f)tx1Ust#AR+$`UZO_I>kJjJR>nCk6hu|0>
zPT!hqXn|+&$ExfoFznL$f9{?3ot`cjpdU%OMAj}<xuEl+L1x0NnA2GDRp`zj4;9r|
zL{$Il@c&o|`1}J{=-fEf2fHKmmsol#IjIhVpiKZHRF?Vc5~g9|STpPChyF^MTCnRE
z7MfRBhS8W;>dvsCVC%q#3&w{lwchB!{-atE>=n{(*_e6PS#>qDmLQ4RkS%uYw`IMw
zOK(4Q&2P4r{LVDawyU2az9HIpktJs{e+rWD^D-zp*S0O6w~wxTS2I^-amGEtXzbPR
z0rdWD=t=PlC#CZ<)eX>CMdjyyLaXl9b4o2E3z$s%*DYTfK@&Y<Ea+IKK_3G{oW)YJ
ze20ibwo3U+0Zdm&s2mK^FVIc>$VaR&1iYxPUCE|3|Iyi_@_A9ZP)?T5@1cqhbFR~K
z&<TjM{M2n|_A2Mc)FKUwt*?hU$2+Mb{pMo1plGyLX!;7~I;r3BhjBh8vh!OyFFm-}
zTdyda0qxpMa%+3LqlI8t!rS|zdsCjaY+F-am@{dmR&re>5_EH@K1Z%R;4-MDoU37-
z9(bw=W`BRd6)r#JyxgY`AO>z`yeT(F^(a+Dx<?dMniV_zvw-CeEqsSQxj*F;K0DYm
zQRtkI-gU{3pu!_=x&tL67+=Ii*qOt0aky^XyU&JE&$8uqWPVrvde`R-#S3Z?RlI~V
zaf$Eu3zWiDZcEO-s+UE<=d`Q<Uj@oyU{uc2MlzKqqUFgBC}(168UZ4n<y#aRd^#Q5
zyInhU`qA;c{)ofqgA@s@&|~`+y`@EPb$lz$+3}rBMDvk44ppae=}1=<D~QgD&dlsR
zX=NAZ1RlYtaPzPF$hg}t3LFsV73f>J1+sNNZ=SZ$-cEP_{oB1bJ9t6v>JkJv%*4vq
z$ZzN96}0Z;2RD9;3*=<s*%1j7xq-c+id<<7_bCfY#jj1+9zPK)cGN>Uu}UuvV%Ot<
zJa<Iq5dHYT;85uckGyZ}C-K+(Y1Q{`a@-C}Lg7^C_8{Q-dDZIw4Gi#bcaQwOy1Kah
zvU?ti!q~a!dOKR;nE7sLe7AmHs_e<nE;i)cmkJsDaNv2qstn)!<&`DL@s1bbOFI^R
zd&<u}7I6SCtp0X^Q(j)A05P&SI_c-yxYFm8^|g7g@5z%*II;6X<evSHg<9(EwE}Rl
z_7}O*^z(<v5E>O<RJas2pA&ov1j(=5gwrC6Z;rty-8PIYLnX!a&SuJt_cPTXw75N0
zGyqn;HRCaCRT_09Y!P8MCZ00o?)zAeDpWeoknMBv=viR7ard^~$41#cC6XeqpSR%V
zW0fV=oZ{h&5|$`;9e%2=u;IwvWDZsAAAoJpMyoG8#|DzUpj$e+$gqBIh!d8JoR-Tm
z%*`Ys$Zh6tzT0u4>~J7pIrxr6egb>_{`WfZpC<Zv3?+HTh`L$Z;K2=Td?4v^fW)Os
z|I*WB+Lss<DTn$yV2~}Qx)Y0Z?u^%K-YGywsMtd{PWULw%lf!SZ)EUkWb$Zt%oEs(
z(c~+jvGtu-;QQJAS^tWE`bW~<^WFUkyEQw;j~TaUj~<<g!bba*c2Q`t5%4j0T4tOL
z0|My6Y>63VL*d%9<nH;7wLAbw2`XybCmu5*dg6Lk{Qgl@moX?kXUKN`m<epO>Mbr+
z%467ts7fw=KJ6A%e!YKpWM-B<j}YJm9zE~)EIas#BUDJk;=^WvN;qzu&J!dNLRqnL
z&p|l9Ju+>ksCXlCx}Qsv-i>uTNo5(H#>GAQFIi8#o#xvxZ%O=Iz;4huK>%lL(d3}B
z@>|orc42$&J*S$c6QuiYy3Trgs;WQ*j4QxjCXIBcwt_nX<ozvmc24uEa4Yt6mSzD-
zKK@EXVyV~qw9H3Q?ZSC6C%Ph31_k>%@<!@R?>o?PO|Z)ck-j)R<Kkx|jb>!1i-QZC
zb40{FM4bHfe%O<HHaz8fTyTks@xGNA21izEE2GWU!<|MKWKmk9;tK?0xFXl8<B+@E
z!Akagf7>gt^$)s5J<>a6zI@FlK{shmr-e~KyIkVy^f-Ae<9sHAf>wXF5Obsm({bnc
zoU53OOm0>q46o})`l6R&>rK@t$N6P3gJygY2wEOggW|ya&y_Vu_k=%wk`t*wE)_sI
znPspa|0<Qmp~z;cCV@S0X-=4hSjRdxA-cCI=Osq^?#bJUI11Y$t`tR^Ij*kc^@Y>h
zahW36M@dsvEN0oG#FQqjNC9P0`)#{+DeCJI22nLUcg0s(#nqI?Jsso=bPs5dv}|8y
z1*k-C(i86S_a*wpr1WkVj(9)rou(c#w$nYf3=Zl?=(h|O>gF`xZ{~*|+~T#~Pjn7f
zp95xN%P7}h3pK{`bexCU3T?uFXtHhL7Hq6oZ1}WOudJY?QybCg6-Jy(?r71@T^vHc
z6BTgY6{cORfMFCHKP^1252LaRK93J8vnAeVxO2cR1mx@No+ATqsmhZyxyY5z6SycR
zQ$4w5*<f5&#?hFD;_Pwk`@)p@N--tbj$73b{)%8s6Ev>p*bTWWZZy!W%Q8%y<}Yn8
zf{yRg9-$V*lu|S;=hEc`Q8*IwNCqJ#=<{R@9aRXe>&H3=$=X8-m?mMm1a*9`|CHx^
zc(xk0Rc0Wz&DRM}=*ucQH@nyH5F<P~UyZ71bha1ixz&$iLxuisQKDU$HQ`k`T=A)E
zy_CA|r|4<k)qDe6?=b_Wk7?gh;I!d0=(^;$u_?`(w-nb3CUA0qlAxkQ&)ff`IPi&f
zGAvIkbH)xi1E{(@*W9xjpaaT(BO}W&%l1Fv9xiJhD`G7Qj1Z=0`qDv+rq*ELc8X^j
z!{uh7&nweKuG*~}8?BzjetTWVR;p(g)2hc6wp@{Y{o4p0pglL4&>DhR%@x_+G@zTu
zBX^!`i`d{=L1b4m*jB{X$8E+F%!P1?-ucu*7-2PeZx5>}Il2?S-2E6dwX)%I=PYRv
zeka=08b-_z+`PXxu-iI>+ei3ey_4>Vy9UA|kA=jE^y|c)aSppsUd<fiO)rvO)zn!Z
zJV~3F5thzbzMCUNPGW8<hjticYk7Gccq+8XW7H!u+2cnrAuxd^@)EJ<LW2GVo^kc*
ziGqIE^!f6rbqTb;RkhF|{&JH$)v5BEvmzxrhT1GnV3md8ea`XWc{5hrhAzrrD*S7v
z>|A6Na_=PA+4FrXfswz+w9|;eho-68<|pE6FE4(8f;-v!$sF`+Fw8N7xe5UMc?*G!
zNI(&El4`{&eZ8lPa@p-LF%S89-u|px4&n%fWzX(L^nQx?4k~Usnn-za1{0uvyw*rF
z>e)9IvL%R5VC-ThiQ6!z0=(x!E~P3KV=<$B<tPgc46(fF>nL9G{ysbf$lewRSo3|_
z`+go_nE86yucTieg+u5NNz@ZAb1{`)SLNyDm)m@5zwB(xVSftnQ*dG0ndzB&`u6R9
zFL3;}a5x@{l6e2t&T)SVKup&lKgX;K&S^S@Q+4su&6O&xzjQe@Cp3*m2LDws;gvnj
z^IO8yfM9)RHy%9i5VsQE-F^1!Cj-=2T@rJK8==1w2_ZvPL3c0nNjSV7*C(+!VaeUS
zqs%7AX+vPT7psD&h!i$2l74+-?bO^x52}AlO{k3rBBYZlgiLYrFPn$?!jTvjGDh_S
zYex|AA<^n2k7wEAWB)deB+EtLr4tHs`zp>E5sA9b=<>sCIY=N}_B{Da2;*8JXVs35
zbbKb_K(Dvzy6?~CWq%n|_|{y{;(fySNppU^DcZwYk8Q1yrX`Y*?T7(@&QkO@V+AQq
zxua}5e&&RxKGV6JU|Cb`Lb;vZ>~f#U?FPY|O1tV2-^wMy0Xad&Gtm9pHJg5F$e*F>
z%}xjkP#QgQFiJef6zsUS_baW9(N6VQ`)tqp#WgV^WG`t--0bwPq;ugEX-hH;g;xz0
z5eeCnOd@t{vAc`?xlSemApxQ9D;4C)0}8M)ah2kkDF9pJPSZxJEw34LNr838H|5Va
zS~e$hYCOI{^9+;s;+CIyi#Lu&!*Y-vOY?HFbQ_q<{+26G-@^QPeK>vp?=v_1c!xJ&
z@q77pGXI<F2__pbGRW~877XnSV1)Bh8pR&J%)WaJX2N_=()<>Oi=v0^*8D8qdV&Z7
zExxs$b<MD}Zi~!2y3zQJ?L`He^Lc>Yf+R~5RoebN4;@5#D9#KobJ@L6OX@33(#3tS
zk>Gh?PobwH-Mk-l`;()pnO41TiZ!;v#^&v&Pd&X;(Fr>r7#ki>&k5gOtMvShx{Qr+
zyn+U&W~g_<8z<!@b>>gk(t~~$uqC`ke2FXR;+S$Fd5G_Nf8V+~{9sWM3w7oRa*?Af
zNr5nLbvGw2Xe>`SaLx~!HFnQMp(Oa?g&fwAS_hsp6*h)xF$AN+toCkWad@Tv+1fSL
z!L?yNew62|YI)q1Aq<p*z3^|+@pVwQ)0rZWN4#rsr)_b-Cd4E>JlE%3O+NFZR=&n2
zDXLKeoLV1+&^4T0m%ynsT`o_;N%ILN{)oF<L`pPZ!NgWXz4wPez{zEq$^jR?PIbQM
zG@O;^>R*}7dgE;sM4P=2!?S~>s}DS5tIuI@d8I~2`gD!kWf$R%AT6>s?ktl=QEUQ=
z1sMLyN1D;$?-+F%nZc*E^`~mIyFBsra(Qy8EQy=J&QX6C*e`B60e2k!x*m#hkp3~r
z;fcF7SiYOw|NicRLXQJq?NL__618q#j(`Up<R46g7fvjGbfbsF&B|R(;@!*mnwV%c
z;#iQOwv<EnGJ)bSm}0oU%yLTiW9f-}I&~SrzHCazF6hcYt>p%ES#4BTze(9R<ciLV
z+(<|0HTAWPIX0#rX*0=Fo`{wRJ&=tgNbcvEzaEu(B4_;ML`5!c+TGKWWS_-|Cq_$-
zE&3IKPdB?5r2FEXHS*0iv+yl7X{tH^F(6TFU32@xzSmlKqN#FesB>d5#<Gt(v=3Kq
z-mp&;pZOiRLckwB&Yv_0Kj|H7yLSIFi_($2hYONlWGiFgz3RmAVOx?1J+oGJm+>nr
zD1O?Et2xfcrrscoG3{=iy4YYe)$I0G`mpc(rB3JJS*lqj>|?q8oMZD0JC+h=`j<8t
zS8@GeiIp63x)D{NR0}~H65OXDz+U^*y2~7WBDIn$x<zU4?J=%huSdGu0I{rd?N$t7
z+8Cb(ym<f-26+BRf8R^l(r(&`PQ&4;Dl@=SgTLc+_bp^%8&tv*ltTGPZ~-b6Y98e-
zd_hSxC^qv->$s25Du|SY(f)B749i>ye`|aG<v5~XqXp~Wl7dRe$DXAzqH^88FjIX3
z2#I+EoQG~n)1*4f9noR?jQzn{p}e^a+vJucy+C(i>z`m6sl*#)G!4^E#d`F=*Nq!y
zRK5!ZNsk3I2ZZhV(!&MuZ;pIub+@m^&dyE^?r*Q==d$nG{q+5hk-0;n0NkVB@cu;B
zL%;WMb#x~JodqLRN2s8gBsUMaZ03Fn^$O9ga*=84)Hhp;RL>Cb;0X>7)aUX>XwA-E
zblO4Nh8eX+f5$3gvdIy{q;y7zT{5SFt4{j|VVw2@PC)HA{JRIM>ZiaE+plk?c~k?0
zf4^Y(td9mvk;6oNr$6QX*-4)Me%9w5{??sf0elF2q0&H^p)izisS_y)R;M|e$uiIw
z3lj<I#gnUls*>$&BTich&SuXK5EFEH!w1ZdnK9$eE0k?i!svNeI-iQzdIG8R+47Cn
z&)UC}H|EfT1-YVwm<x?v((hKaJvYy1>xn+>EF(HWM1a&QC_Z27Eq<=*;ZkM6Z!$s+
zP`%Oh5#cE}GewvPE}wshx}GcQSMZ}A5W5{?*e1&S$d#}kTZYCYp<d<KZISyMWz^7V
zjhJpZx~9iw-$2g9=V4%`R~IIG!S>-bkWp{I*N>Pqz+`ZwCMcdv#%a3xx7L+^tM6ag
z6ZJ$!BS_l#yY0#XL|PLKxK%V=9FD>3Mnl_|U3=~sb?)K4$WhiWw!R*O?u<XxwOvfY
zat6}at#i(X(+V1$hZ$7<ESha+dK#qqM270*QgQSi$fK7ogkddcT0<?6<K_5j*p<r9
zU2_S9Qul28P^-0cTu`~in*+PFYgkY(+h55dC<w}u*N`SR9hb1kvm|9+sQkL&Z%J1+
zXBeNA9~!^-SN-k`hX1$yn>xk@gSqX_oOfE!<EE4tr=Vp*0xbv3`A=2+5ZLHO70o{D
zPw+JxYOc;>aB0j}twUbb*@wsTlK$HF^U`$Trv=>%?puKON9AiDZ6@4#$zkTEvK4|V
z!_;R9b)!pnw6?MkHI-J;u?mJ8#lpi($**l;6+YK2pZe@=K5v|JoR+s}RUwmmVs44v
z<r!s*l_}<fJftq7ge`T_AV-uw)+P3=iB|gtNpvL1+9~_T2#^%@oAU)B9}eqZ^8@Dt
z`>r<}`Qt$EE3Ih|Yrwp4<*em?-|~e-HVJYS{Cj0X`p+;X+Qa}K01b{rwitLF!1dTQ
z+#U*hA18DWZjX~TwoEZ`2kx!uY~g|zkcyhNHX(d9$-UG;4Nkf8aQ^Sj1U1{ai|fyF
zPP?xD!JBL=2u9<4yNi26$+<*Ln3>U21zSeLnTF0H7%L8Nlz(%DVlwxSE12|&E>C_S
zMgkYN^feps%Jo&Dp%%dKM|OF3o@Wu;C56^-2U0Pev%R7f7LpSy*7dDT@iHp65vi4g
z(5{!k@rv!`FykCmF~Y$ad-(`4LZsGrhdoD0n44kkmja@9t-|fnutsh^)BFI!upf>x
zM%7Lf*|-~PJqiV1G76!_Z^=f{c;4_PI^=XYuIJvObM%2Ls^_A^=9wFpq4!syOUJ3y
zyS6i;gD67Wc~h*DM^L215|SVE70>tTTKt%a<xvJV%9|_IuY&5874A={{m5X+d#i~o
z7;++&yF&&{XetePu)M(mJnC7W-&w%v@K?4&HD&Szox-`j0a5aQGMsm5FqEFqQ%DcK
z2NXCFRF!XRI4TV032b{@kf{$?R}*YiIh4g;-vzST)M<|x!Kb4)=7F5CAnZ~Q@*IU@
z5#A>{!@@y@zA6GSP@AhMvUaoyY4YH*xl_%S+>QFGWn5t1mL%|y=50K5jBpL2#oEpF
zEffi`(U-o<pRS8EdWzSS9ZdMWY^Es8;uJ;fQW8^eUMG|SnP~S{6+=P_yRK-|PUYx|
zI20lwG@6=^Ly4nP7;qD9hkQI83ZdocPQh#^#dT*tM0lExv46Wjjip-6ZU&m+56GO}
z-f|@|Taq}I;x6p7(UJeSv*e^~7#2mOf~Meweek&z_OX99JxY4{MBAI>-pP{6I>C*-
zv6&_Dm%eKha!YQrdKwVjAtAU^%uHygHR^wIlelsaOQ=<%Z|wkjL+cO~ix$+d2}9pN
zVrLr*WiL^<*U2UhsV<?oxq*BE-l;KoIK}1qe!5={M|TGL?(?Cym8cD$D`gvEr_J&#
z95A&kN{X_=iT-tBb_3#(T!$VW@fNcRFgW;iS&xP4N|EQ5#8#AlkrD(FPd&2al2ttx
zY9r|HpbK`idK;#s^;)m(_~X`N^Fz+or<#B#T*=^Lx@_)njUtR{(U{${2g`g4QynVH
zTNyiwFR{HHynkEIw=18y9#psvb4-3-ko!$E0@S9Zi(R~A{cFQ%9o%Xo8F4kz*FRmJ
zZEjsKz@kqujm0mDqyBz<xhytYu5V`wGh)u{VsrC&%rMj1jB{gnT+i+<!63iVAJK15
zUrzSxu^{gWNd|qm8S~8PcQ#gDB`#_#qup<&w+wl5FJ)P($@2KJC&R;<tOU)u5mp%L
zKlke+p+ZL1D~jeZt9LQmZEJ)i%^7)D06V!eOhCh^BFG%_&KTI=M~A5seia{3k>mWB
zJK)-tHSZHfk6>Qf+n?oHjD<L!6>iBjB@8;XFJ}K=0MZ&Q<%zBHv0FEPp}g=ZEy?D(
z3S>k+UFgI6gD^a$5^Pr8pMU<z84I`sf2Wi=Avt>4wsH5ec{d%2tVC|YiE%O<hNN=p
zRSTUG;%cDIl1T}?h9;{W{Bv8$*k#x%r|Luy;b<O1&L)LhHEJ?$A*R&xTPnbBS|BP-
z>@cn3*p<_48(Qo%^<pyb{?hdG-rVRkVrw$hGVp=!1zn_STKU|2z<KvRvlKo{{hkxK
zO)EBC=VfkS_Frdi{@tIWr<E-}-A4y}luQ&f{~vqT|J}BY<bUU1fs?Xpt7}q{oj7;y
zrTbjR-TF0+bGDPbea*cFA|VMe1+V}mTWx)R`#pRk!EYiZOSZEs{*V`o;9xKq3}!wU
z06X^QJ79u2*W0nQ8TGP)e;BXFLVD#PVpeUt75+}go^6z%DxIAI=$rd2E7LNkp$r$!
zn3P#YT;*F}Zge;gLB!Au(<v`TCD0CUc@vwVO4iwoM>7IT4wAYtVp^M1%=Ic|(F^|<
zIy&`V;%T)0A5#WLXjA*Y`~Ab``St%7+w;F3=2`yyFZ=kGOQjh=?)fXVty*<_Q6SxT
zmK@LMqw>`_t3Z0N(Bh1^TvaK=qhClK<-(6e+{?UlizjjAS9J7wDTUAMJ4~}RzFPdz
z!bMVPH;Z5CSG(vpxe%Nw(#b6?naR~Iqc%N%YJF<iN6^?YMBTS4XesBcvNc=7{`8(E
z_CG!PX0;ih#{TyXdoT0%fA*ih+}i(#c$TvNBtR@#QBVsu$?}ZRmqm%xC1)ss>>)}e
zQ$cy~T{R07tH@dK!W#Z81w&KI7e}FaW1qKGc6+G($*wm`BA<W4N!Tg>`U#!2)MWfC
z^nY{vzk2)m`+s};hui&M5ArNA{?%a~n5er)<W~Baf{}=|P2{UFooWl9R7t~ABNXd#
zzc}PJhu-U7<u|VRv7ue4sMtb?n92Gp=ULWwMNi4>17zkhb95U~7VBH>6@k0ESI>5@
zrvv22p%jh*1+29Fg<ElR!L$X;>O)y{7!6zszHmx}t$fw`L*hT4D51^(xx2e-fj_|j
za&-6{xbjrcJf8CX6o&yoWCmuCsTFmVZwA#ioZ61e2}Sjy>6yvgO>n{buE~+Iz$N)c
z=0rvzmH-78|B+V&2=`Yv*!n`Q5S&1cekgn@7aH9BDT4Vr>^Y;7T6%C`Rf%1o)+#*E
zDe;fxpXstiC6$U)tvH>DC9JOJPSu08J-2WzH_4t-e=Rk{3WQUDNwh|<Y+F6(wX)b^
zIan*FqWFC9MZ9>HTUkts>E29gDx~mPblj3P+DPrfVQ7Yt+L(h#jG0Eq=@9Jvh3{xc
z5n!SL@s`fZt6YrDp`^P8UQL<FYKZmXRTUzd0ZwP4|I%~>^@*ei7Qm<qpf@tK5<xN$
zJ)lgN)ZnEYLNWs|1cVY-mu{kR)p-lKRK9C8?`QQ;Ch#q*iJAKH381?9GAAc_$IuKh
zj(!q9$~6J`r!JM%GP`KLlUK{3@JiR5JDIEnOC56Aqh4{@d?C`V2OW4Cj_CGzl&6XR
ze*+o8WVCV!P>cWe3i$8K7hC`TL7pZ2|Bp%y036V1tS|gxGz{fFO*mTQ_9q&o%U{9K
zg6khHD2*4H_fl#$W(r9Fb`xZxWi}qPfOUmKM<2JGzm4HfmG|)jCIM)<?9-><Z_obZ
zW4Qm~@TjFuV*Yr1@%HTPKaRjf+IkS682K>@z^?GYt*avL?vBJSqRic0XAfu}gCut!
zsRKP#dQ3P642fnUqEl$$jN+guZGF#TBrkiE$)SkMFr!3moRZr!s&63DvO$cSONe9=
zuRN#8)wQ^y7S}52SlGpO&iEI38rXj;f35qg4>^Y<U~q}apvL~c==BeC_W$5{Z@d2Y
zAkPx^UuXRxaAI^IO_@orjDt*F`C7Q*u}NNJs$B`eDsadg{G23invFc!5TRLmMs|mp
zE~ip5(#D$GCm7Os872oR;X1)PxU0EU^_q;*vfU|OvN<KK$!wd2JpGn3AyyB(R$<<e
zYH#Hn*;Kez(3#u*RuaOb6g0`g#>xymo$lL+kSd#_5DeaP#NIJ9#J7#eT%)<CKFU!t
z*}-<+a2gDy`D?j4vnj07t)NUf4$ty?|KthO`CX)PjkRN5YJsRjX|uZp3t7B8k5(;{
z0bOWrW%_f8^0w+2OM$QAyYgJ-bOEN`2FNo`qQZTthHgo^w4Hxkntr_C1eWP74l!hN
zYm<<|wB@NRcr=a;#zt9g&+kIxRy$P8$w3Ru)gzdVTDCKYnwPR@X-q!tKc%V0R(_wY
z0l0IS2#ZKICbX`O*CRJ=%5r^gtXp}fH}4EXr$H~+*kE;!n1(HoeFkI{mak%4M;XL@
zU%8vKX4T(I$=sd_j0chU3i?>^CqMe^M%46qew3AUXZFoD<#PKh9sf-r!!Q^u1qIf`
ze=iUBU*zMz-ivMg_aM(I@!!uv2VQ@__UO;(){}|-OhYRpKe_wmeo>#PV>2;diAa}<
z_{{g39Gu4Em4m(<t@4l$GJlL?<i}H1x{8)($SR(vG>ymAp<|AYm}tcZ6=CBArEx{*
z$gEebOsyq!#Pn;@Oe`8x{d4X2_2KK{?=MgkVqdCARdb3Zid3IyNSyDb%CI<7usSr>
zI^v2hUUPJu;UL=@$)v3)t8B(EC|p^DoK1|hFQ3ft&?zRkuN#Cgk}e8)tuRDB-`;M%
zx<JgfJ}ql3v=#`VVo+6UUrG4}N|=7N0Wp>Fv{+*QE<jF`8E|b_&KjM8CVZ~|<`}Xi
z^i~0K8j@KvjAI(HM8B^H;Z#w%CxBzfK5_WQHmA#sv5Zr<LGWgS!!6T<`;0StMp|ZI
zReZN*U`~wRC3-e>v%kt-P1&#MQQJzE^_czp<HB%D<3E&)=vwige(!nV{O^O_%ib3M
zd5C8v{72}(>+k={(CFLsgFsrro(>3Px3(GyQf%K73$m-)5Fk_(?{a{U{(dchP?lB&
zAha09$&#pmacV)OT%)Q%rKbi6y@oLyK%W0T&_6#Epmd4M#*QMCq~6t1I-bVk(^OY1
zI*DFXz)<q%(`q$a1~0L>sEI{4fPN_q!e-$~!eZLg{Tsky>H~X_-KW-sPCXbW4{ypg
zImgT9F}d7~_M|X5j^YN8Txyo;z&Ks9fzqq;E=RGO94o&@1Wq%u#on4a8|%Z~r1Ldc
zOW4?e?^Q4XP4?@?-gG0D==W8zw+brv#ojd8Cyu=}Mrf)$=uILtYmRd&+fWD7SOaPW
zm}aAp=%SG1>+PER<D#a^Hjj%wHZ=1f&(ipxJnwb6ji7b;UoQ^w`Ct2o``i7W5Av*p
z|IIJ|=gs<ozsyO(j}QCFMs76oOV+R<m@hBP<v>39^;#f4o6?FIUm0dr&iAsZY_q+#
z*<Qs6UykU115oR+bG<T_^GTsfkDTeH6mXm8^*C5l?VPthq-k9fe?8BuL|BsO*NrjB
zCN%EtRq>@#8uvw)B+)01Ej0!)s$I8DLKvGFUiU^W)VTV}^SR31=&!Cfn?r<&HGJB6
zT&q6I;y-Em<{(f_{#XC7fd3pEZukE^%(Dvq^G@l&CO{xdy`Bsbl=4&!2c>21hY4AA
zZ3Y-B7w}T(kVWF2$H0_ODusxW=rSp9hhOzng|#=o@)YQ(sl$qu7GxKd*H#Lwc-hJ3
z5z&-lu~Nxahxx_g)p2df*jUpMGes`4@QRj@)sahSq1}sV?`3g>k}C53u|U|%0tyS2
zvr!Lh7G7A~vZn+ztmZxk$j1Rn?w><~F)<_R%YrnYi{`wdvQ0Vi%ne7GL%6Te+@(X;
zyjwJ{Ra_A10eO_T;Cz4*Zq+T^m}sue6qYmMm6OWi7G&M&To6-nr&4Jts~$@|m8Jyf
zw!v4K>zT`R@6oWP`WbXNB%+?4HPI<SRbKVIgo5TPsZW?KkCe^H<-7SlwRkDVkUH7s
zEQqHo>sXfXnxQJIiA!qCYM|8uLia?j?9O`H@Rb2O3NGQ2T~OgxZV(JvZ+OtSMH{gm
zY0>w|f@r-3k-l<qXfDuOV2`n=;4)_KbSnF(Sdvt#c3~DOuW<vG#CBF!GbLGf_bb-o
z()O&+y4iwW($eLr){t7Wy|ZhJRyTR2vF%r^E|qPnQJD&rh;qZ+)`vyq9tS^O7XM`^
zz{_3)QIr37c+kt=|F-{Pd;jCZJkBZr@P$x<&20Zw`t@Y6U&&52>?>d25AjtsYzFKt
z2(uY1t3GRn$W|uYWr$p(Irk!2Hb+QaIRP2|9R(i{;}sBHhM4t<H&frV)a6Ij7<Mc?
zOg0C*Y4V%A11Z;zR#_57r}nGj2k5ubrWt6k3U06TtDEG3<-y|eEU;pdV1T&|J}xDy
z1VXGAl3ld1crskR=jeDEkC*RHt-|#@PC0tF6q`>1&9|;9OeJ)mOu~$`s}a<s?Sg+(
zwf6h6ke!u(meaNcxpQ{OYHT}ef-5UtI#157{p$y=>tHBlU>D8R<&(m4;8Qt`dq!r8
z=#zw;)QqPtk2HapYJFo#OGHLboEwa>*5-v&Py5x~tiG}PY_aH1#>l_s$tsMLx8z?^
z+~G!|T={dxfU7YHcD2s{zIz4w&pVBKqSWoUhyIt+v%oHU<}pS+JALgg;d6D=T-d7c
zy+j529?%u%jy$)E-48shs@@*4LcMDS<73B9U;DFc{BO^0O;LcF`2YFgK|cOJczL+L
zjsG9wStb0};jkzp1N{Li#`?;4m*wTaKA~jT>j~qsn|Jw=TYlwFt*Tf*NoLS4lH2QP
zH@Tv={(5WcC$%+k`KmlUb<c6BY|5HYyz@BM4Ir{6d(+BtkmG8s@3D@l@kAuoWTZ)9
zVtFXu98SW_ZpSp(tH4uIx1thHDX*7<5h94e7zN$t+bs39?{)R7V!CabnE=MHyo&0)
zhX#IqI#sDFqP+wi%LGjI+QTs!6~cv7hrOhuE8`-4DSpX)(#_o4M9a(_^9x6NeVZ!V
z(#l^^P&*_ibJs4Ldc)R#w}a+k2Td;2C{PD(wt1$gya3l~p9Lg~7Dh4x8G6eM%Iw(5
zW0tGl%$|<8s?C+kr8W(-FsfF|#+|%Y8vJz3CQR#>;%fJ-u+IH#29q75VmRojEK_8J
z;*%+3h@_xmtCa_CAPEx7p)E!ZKQT2`NlkuqMNi4>17voRWCa^(3<IvxaM@QylxiP+
zBA<xKM*Iu^L`otZRk`9^^qiJ}*QrSK$|3-Y{LWwaPSLC-7c|2l06VTL+#(Tfy?Q2!
zYbzkQfF$rl6qc$++WXdTMt}uLJdL=f(*O6yD4gICp$y%(jvD{J_hLVH|8M{BdGGnw
z|9^<54c@_6SSl`bTlKe?b_f_uaTo|I9zp*aju7{pHn<vN4)`>RD2qAZV-$um=LJk)
z?2j=S?E!{D7~`3qHq+lB37j?{Xr!{FcNH|Dvr)l+bUbiQ!a1NsekoW25n>?31bL44
z`tsLHG08b?a3U2Hd^ouT0cPCsMmX-ue--<VH~5`(<-g{K@u(~QF@N$I>86AR(7&EW
zGWOxlHy*!<oNv4Vymr3v;z{Iu^M6hoe1HtoDF<h-Pr2hojDA6W?07gpu&c^3`o-~P
z+@}HRenqH6<@moiJ%0W3sW%DkUq{XUuNN=-`?>M|;>E#s{6EOk2H)eDzzH^^;SC-z
z;kBFyZE&1p@XL=VoMeCg-`#N>NBpSU6_bR=$K8PXyc^R9`@9>fqQ7c=YKt-*iGPn6
zokqf>C>;YK9bq2~P<(?BNf=Szd5-gj(rZyVreMkupi>55lqAq_;hsi}22+W?{~cVh
zIr!zn&o_`EaGaI{CoqN~9i>bUR7IXoCtXBh#3F_{>g>s>J^cZo080XNnDACY*K?e9
z8(h8l_VtD1eE$4dgaA%}B18g2e2jFMA)J6C-EirUXw3Hr^u1f})}#kfj$_K^M}YeH
zsM}>|gn7*7Zr=;2e~p-jso`JANmME8^(o;rM2-+QNa~-1X(asWq?lw6M)-rNe%5!c
zF$s>q2_-{3`WZ&f1jSHz`+{@DcS(pRUT|+X4MUZ?DOcdlSChGN<v{C46owRhq$~_t
ziivg`oRK)`ILDEbigKJHMrSxc96+NZ28RS=6h??~a5KjK82FF~mrX8L$c-5@6w(L~
zbffhLOhq7|w6~zI9W$wc2_$fYnCCcI^~+QsXQ*F(nhp?*BA!ya*1vcGnst?m2Pg{Z
zd?K7#;an^7@=rPhawMH7`j`Meobnhkt~BT!LlQ3FI7ZxYTp;RW1jUGhzSsY+zd5cV
zaNzBGy}zk%L>!9*4f*F~gnSG`fJros0r$sf0_B@FIGex`x}Y>pmB8qh=&yJlp(DU$
z*yaEbAnr3PW49ylS}Gne#jT(e3!)-U3#l(+HwOT83nx*CjzFTWj$^5HO;s03Nhv)=
zU#OQ&S*w4Sj4-)%oEVPk$SOK99NA?0UjNYRy8#+tNZfwUWrqij6HUYL9SyNx%c~Uj
za1Nj%|1SA3Su2w+)y{Ev1Lu54gj)$8LS{P>U5|J6)T)<=Geq&T;aeKNV~8UX?<js$
zz5q`df{ekr0|1VZLNOL|YJ%`^4!B{OC?Y~D6ZUmIU^m?<1bH$5dB<~{01c*=xCd%U
zu^<}N7P)+bhhR>p;D%1a0EGA&i8mY}fNo<30VYGrCd#0y8G+lKq!t^6ZXXkX36CN1
zktQ}kM@~CYOIzdG8B3bgm$s09MenzP)&0Qk38xKI(=|uhkhQ@(VMck3h>y~dr5BQG
z<z!Z0Re9m=8d{z$1R+Pq;W1@!gib=pd7W<lV@$aMY*Gee@PUTY2?Cdj5RjDiz}e8~
zUdwIm0lS*F()PDn+U5qB3qCmr=5qc~)>_OWn2a(Ux7?QFK;K84|4ai^$L_H#2_`g1
z6P7Fa&Qx@PVDORQ7@f-w;Q062$}aKmXo(vB^B>r8L?}~7_nk%w2WdwJ8A@i}UZ~DS
zbyTOfGu@%&+6I<ja{_1sDFMlJTLxfOwTaH2X7Z3ywUtwSO)G5_&*U>{fH2e8$y`&v
zM)RLxB)q<(JT3iu;s7d|5%PuQxkhto`Q=0)-Vm#1@e-3NCKUg4AY-&e!dAXb!fG4X
z%(ekYut-tJq~`pD=7}hUEM<cQV^d+NK8n!!M(2qFjtIvx7?xvEo}FX62$%q<8Q%k(
zP7sLk1aU#&1`;_aN8)Sc0W+1*5K+$Y0Eal9t7@f>JVu!DyflPsVS2ZnTJo-zmHgdx
z-Ex0WOJ#Lu5P%R4P^f1p7)8xLRb6-<!QZARaVpc^_~Q?dY|Jol@t<ID_#6>G+46aJ
z=VTfkL}A)u&+{})iOB3I+5Bw$^moUXmmkkBUMDYr!X|%UbaG_<2(+MO!rCzVW`Vd&
z@2D1Qpt*30LirBG{Mtsg%4;-VSmU*YY&We?@7GEbBk%5{{G7JE>><UP8&TQ8UpJb-
z2YUfj53slASErX=d>dzioO>)V_j(Vz#N6wzu*lr>%-p)f!h0__%f2}q3X3$P%oj5!
z<w**F-dHZzFoey*VJLk&Y06-TM0{F^O{FOgLm<3gFq!K$BMG$UI_g!cwU?9St5!>D
z{7$ZDLnJ?6!80?^e-$Kh=zjGIg_DdrbQ@6?1B=Y7XS*UU^y5%|Y*zeSY3Cy7qhv2~
zstdrS;0vcju=lF<hrGYZv$XK8CCnS-=<qpkgN{=sg8oV(=-VRbuSW#^4Tzwh7lDBi
z-bW(_1L3Ji6LLjC-|Klj$NA-)fVXspCIiGk|6mX7_x5{xDukZx8xR}ZKn`RGBEq8~
zCYX;=kcRjp9FM012^9(D)gWn`$1t99mk!-{j9iTeO9TmXFo9nvGx&}O^;Cu;7Y)`9
zOp+Mjk0BW$u7E9tWr+7FQlQ6}3=m=}i~?m5WiVDwY=DPDB)esZU_51lR1hG!cB`6t
zpgbr^MT|r3@=8o2sY<s1;FzOuD1s`;0_|5MB0D{Q<7un>aSY>x_Z!3zz#7s)df7NH
zhrc_H3*Ip_lQ_Emkt=y%ZZ~+!5%`?-NIrvIZ8fAE26Hf=@mPJdFWYxugl`cNU8~S9
z+5Rle{US|;t^i8HdB+34{D>G@jC2}=Q|JJUux^wq&3Z?My*?yDsRA&eQbuX83kP(n
z#+Aj_XSML|IWBlFq@dg&4XA!D@H9K{GHeauZ{4;o?Mmict>!h{hzhT=+9dekAX4G4
zakjsaf|b+#H*&!Qj3EaD;k;88AfeDOjK*+)V(iNiB|Y3RozM{?Nc8*-oGU+A%m8DQ
zAgdNOrgiK@C~JV2MtkL=)YOc2HBfM(NkY5MG}NFyXH^#EOM)Sz697filrB<&%$#Jf
zK0R{wBt1SBAp_Zo!BChkNag@@K1IBFmC8rg<47wi_Yr{%Q(+*4&DK4oK^Ob$fFdrc
zHzv!BM@Z(PBU3igR>(LZH`wf^sX-&y=8O2w3PaB&3=I)8hUynO9AXJN%3=Zary{bE
zeYSY;%=Uks9sD}MBh|s(cJg0$%8~0sj(A586a9*eROgvC#1za9w6?tGXgCc)h{?4?
zPygH0E$Z}a$UmOOlwlb1E<>D#Gvo^P_T|3^ZbW(PrmU!*?tW)eY|@(24+bF}byXSU
zik8Sa-PyhyQ~lqA?ssxpdxL#ML_m2$qq*8m@K>Kk^KZp8c3?)0<LGh$n36!}!XHP_
zA0tCy514IB`(6+1iUKYDs@3_{5o$AmbE$#C@XGF&BOBfND3T-Jr;{keDtb1vh9==T
z|I`HNAck_V3ogwxr%M4CJC2mbQMY?@bK^nDqDR@N8>%9_`{wNA^zG%TyYKbBbDZ}i
zM4YGd<X~>reuS|O;SCTrWW<oN?U;ZYhGV(V%;_+`febkT<}t&AX`B&{;R$nK7Z4_y
zfY$LPIJ<0t?~gCfF87>|XIDR-zrO+>k1sBc-(H=aUV`%raB}|k_1V?g`P)ly{sTCE
z`%m!G+1uB90AYpZ-3qJ81%r4ZXLZlHL?~0aLAewji+vD6GMd5>0wX#@jL3C&#3q=l
qX%dpa3GoES+87p^<9$VI&f91EY@es`{C@xd0RR68@Gc?%LIwanht=f(

diff --git a/charts/netmaker/charts/postgresql-15.1.2.tgz b/charts/netmaker/charts/postgresql-15.1.2.tgz
new file mode 100644
index 0000000000000000000000000000000000000000..519b11c031f55446c7964321be3a19670fc92bec
GIT binary patch
literal 73720
zcmV)|KzzR+iwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc
zVQyr3R8em|NM&qo0POwyb{jXcD2&hFdJ6pL%&{~_O-k}D!*#OPVJO+rjxOAy?CjYy
zvt+OvBoQ?m9RMwv<M<7JkMzCM_X^*_tsCe&FOuzyxe|-)2C52$LZMJ76k@{oj3V}1
z*c;9v<=rJ*gn!!Z=iuPr;N|n@^6$aHLH_U2!OLfVI(+`()vJS}gQJ6Ie>ymP_UzS*
zKY@cS(^2|K7>D#v2OHzcH|{I>z$hXda!exD-vPjf9L)$__Q5gaZ~__H0RS)H46#1=
zeFp#lJP^SJ>I1?&Hb-G7AL>GV5D@<s(Jm&v3FZ-8;GQYhKRogRG{G?P4v#!~_|k!9
z<j_MOVnR8hO<)TZ`Ul;^7u^E~$MaGgzctdFmFyqB>>jyLzuy5M#6F6cV9Fqd{v3Hn
z-Gdz%<9CQMOrk!xJKBM9oc>f$b^;WmC_s^q5$o?5x_q)&kZ1=0iekbrm;5I_?)Q2W
z%`oG1=^b_pRQh7PvK;_8oXO7ffPUkp5bq2DN8JzI4?6*3KE*MYk4CDI<NrDXyZSrZ
z1DF9A0TQDKFp^Lo0W$d&`P`!@lyU+?5NO!|w-LD)Xr_b$ib4!0IK+GjU=+wg07o3n
zDCWy97z|I31z~ZBVZ`?V=71%!=sPCrBRq@1En2dD@GHR)+ZWVhbkFtyr+79)lu59R
z6N&;5Q{tl_p@?;N=0tFD&UwuGJ;R-@PZm4a7Y!|W(}Rp5&U%bP|CU+(-NTES_0y9D
zyrZLo4@b|QcjIWbbBmVuga)$zEQ!i~?06}Ic08coQ51*Rm;BrDfFCAIi1-5Hh(jD9
zYDvSp^Lt3qJ~)m1?hXJ64YL-^FrOzA*#IM|S_%pht~yV`ZLHnn6rrA=rep-{q%w5)
zqI=jq+WFin>)U6GpThhf690C~I2z{vgJ;i=3iJQV!*BEdV|*TFMzW@z!@r7o56=+e
zeZc1M=*7!E^k2OAE1JA`_3H2-`2Md4&(YD#m(P!$BlPU$b3b_b{mbALI(q)%@YVOP
z4yOnH3;*S-=_~*Fi-QCIXyW@jGZY~TISTrqb98X@+&g&Y9UfjE9rTZ0^`AfQ9v&Wj
z|NQ0iXRrRJ^G#jVeys6-2g3xh2Uq~qj{l=)FOOcn%8&n-FOI&A|Ht?|0YefmDW1)_
zYk52Y<I(YdduPhf^-cp6aXiI{_Q7B@82)r3P2Qa+Pr(0W$QOnUcoUKd3_%PjTp*4p
z6K_W$f(-40h;Rh>9CE<tn1Op7hJf55N^u~bBdgjzz>yy&0gh(C)=&GuC(#to5@7&x
z0urWb&J<oLzdKK!?5N+uA{Nw1xVlVNTKrd9g&Bg6r5;nO0bul-tZf!QrbZuhI+b8Y
zNf?fiPZ4K1$Oa~0^0id53_xjVLrS4S22gj_Rp0XPbX$apzgQY#enw06`T{PHL#|yD
z{QaM06bmyN&d@M~ETwjAKNBYXNT_kfQN+PJ5+)0@%k~T+8-QkuwQ7<JtOC-kKo=%_
zp8g&|#)M4`(k}wL=-Q4c(g847;7Ig21-nLY7<gX_=>1+h0t7VC89=a5B89+D7$*yb
zh!fyb1UV|AG*#Q8iYwdL5@Ebz+tNi^v2E$A8g!;iTXg6HW*kQ|C3gxbnF90Jh`t`S
zQo6GBr%#d8FEC_9N?geA_qy!}QV4%WOV*X5WBC3vTBg+9q9wr5Hi)dj_I|GmE~9WM
zU<TlRjw0~B6%*f!#W+KJ^#%)BdbIZDkbQ>cTC3|vYjru!tu<c$5#{>YSCv<BTIY(7
zQAO6HxLC>zXzP(ng7qS6r$G-uUaYO+iiE0n<(x{3)O9pN^bY%|E4@V43%kQ~86e6y
zJyumY)o44asj^hYX3DKbTT@y(^$*D+h8!DLR{&$}K$W8Ob233RLL4y=hmcPRT`)6e
z`gYB9j;x1w8Ka2J@s!&{6Z6neT417ss+*SYO7LUkClvGLkVG7P;9wvg%DIT;-e}W~
ziD4w(2Ph87av>}NPQU`*N(*d}wk$;89`kudHK2%bihYg(@9qeUhr>RgXhH4}ph+}f
zZyBQd>gyXyl34oqrq=fmDas5pjn#)KfMH1PQ2+uog-OW4=`rgH$zYNWwVdgTK}5hV
zjN@<#uxSNHf+B%85*k4}<ir?EDc{={{Pz*qjS-cYMb)f(01WTplI`t-05doVQ2=%W
zBJ5mXDrANC(tg@8qp8>ridM&@9?FHdYf>wtTlMyBGC|tO3@(i|ZHb^>h>KcQQ7OwA
z5TQHL%41FiM>r8kg&GW(nVqiu0$pjpcBe@gO5=&6h3FjwcBNHsyqc0<6iNGE;@A^p
z*vN8p7=R_Th*z!Y5NPtSa;S8N9}_{W&9I@C1ocKha*Fm%&2C717+Mg~2TtL!93EgG
zY<gw=a0;~por!j+@uS9w&7NH(#1#se6w89NDUxLtXlc${&5(RJgA)`oFbDz=s;``g
z!C{S9A?rxHgk__wihc0$Qvv26+ZU36t$m`l&@B)K#YrRv3J5TqMTBweg9Ql?(6Yif
z<Y=0N3~>P^D|Jo+<SysjcU=^z0ayWlSCAW1GC_LbIYHT=6-q{$;bgH8-%SB6YypbW
zHIGKq2U8d_R7a2jHq?JP$%I!B;}hffFKc`@U5Ltky@|y_gyK4+kj@wwh=0~XC#oA<
zIGW-J^QEJVY%8fsFa4-Ifp%H7uFf<OplF(HY0Q&}aU}X=(W50h5IqiOtY?X+gxF12
z)qmF$Kp$M4yg40TU;XXoVsL))&ms}&;=TyW_&FVDqs#H>^`(YqQB(@rKu|op#j%FX
z;jCC(Jlw^LMZ%@TiWUM$1sK6v6a^^QD^RK2s6}A<x$fF~xJ(_bu-ol+wGYO)U@*)2
zZC^}@4DtOEhYW|a0tImrh9eSUe_5nLyaTa(Sz6EdM#eGn@pNg|QuZb*HW*EkSyo{R
z)B`oO12!i~7>Kc|HHO;Hm2PX}uStE>IcIjsK9}4`HCwg$4PWEIHb$VK31%J_#TWJZ
zSjmtaiBAX8P<Sfn&pID7@Kk7c#-Hv36f)TeS^RW*LHLLwh9dq{fpbR8Z8}?ZG3f=w
zXFZ=pK8m^gq6d0U?b`RA#1wgg$tdvDBQxH!zU%`Vr$TudtIghU37BcC_Ew3RE$?U2
zjw{p0i-d8}F$)+a5{7a!1V%>X%pF4?b=x(NLv|}$r`&&DOad=$YfrR9HO`AEzJnZj
zMgn>Y{>cZph(j}p#Orw0;xeb&SoImF2@>7ABnh~eLK)&)>0V(7X)6Fn!X{LvBZ)vr
zW@%4IsW!99lP6%1@VQunszp=Iq3W=zY)dy2fx2zoCk%11_Vf50d6W?DnKh$FB5#T*
z;~q_l`g#M5QU(M{=$Xanqv8^a)I7o+v&PO;k6N9}sosP|h*b(0FotIlfa&5|_I#C-
zvI{Qx9MOBs(7s&pa0H<5BbJ#UlTaup;|Rn|)^lwQn}EI)vm&W$dQrRJbQZ~23Op_M
zv<V#*Q*ws`6r`h|+zpW<skL9#fX%ru@-1A=ce-ZFYFo6DH#HsCuFE9{((;SEb@-*%
z+SYqVGD_<8<-?n_R280T5y>N4kB23w%G<szZ*jM317JVzHQ$$p{`)G9yiZ3Z*6kL>
zV=M<~5`!rv3pGd;X<cxw+$Dm{h1@=aAtT1pW|FD5XbIkj0gO}K`d+Z}?07H|+|$d6
zt}4@=;3&9>+t8CIM$M|20Ut6wqwZ9A_j3L4kWTWVC$z!uSxwuv{n=Y2?SXvHYf!jT
z^xGDFwrSX;5wx9B_pS4`%7JS=x4{+X0#oZX4iN+AB#F4=XO}LIseFke#t{qz>k=jy
z1|xu?J4{I=y^eQ~Vlis0iNk?zSy6@v>d!GpK2IpJne9B^ea|?I0vM7Ay$6JX_g3TH
zOD~LFz7MkE0@anJJ&lp7g8iO6aTTcrME0JIS75Qwx>kwxqRW<%Kc^%j2^*5d0&{7H
zT2JNr9CPXY=z@XvlNyicdlCu#sEm>u=^3?t-&4$y_$@tL@0Hpl)9L$4a-w80&Twm9
zFmRD9CWwljq~?*_|Cfqw4)2gdu?-Mh5RUp_D4kA12hQZQDrPDe2|{6Du$b{T6higB
zY&CIze{XLo5IWOqri4-y@g7Ygju*&N{pQ`nusi3A@X4FELvQ@Ii{VdKmlv0B$KLSr
z{QUGf9clS4=z|WKPKAmsXGb3#R5DO>f&MP_hH*k#&*h4#3*Is`O+saV1a~m<rRyy#
zrH%S@Ws!s22aDy6^~`bmX~TL{v)7UqlKUje)n`}hyHNn(#q(!JYC#iVo)P!t$u>-U
zD1hR~c2dYk-H^<FB8*Fe>Ws{QA7Y_8=K2{ct1u){WcE4+L15~HWaeQR4ox%Xr<mG9
zGLsss4AwDbel<9faJCA-cqX|g8X_RMHAO9@C*>ZADk>J7C}M8^=79|%hoZJ*kp8Y9
z=`w}7stxBjI!BDbnb73wi=-k%cPNxA-Z`Ww^KeU>w1i1#I6@<eruYN6Hv0!ctR*ZQ
zArPyVyJmL>PvzbULwv6c-ZfsJe~}1*^oucV1w=8z8HbCQsWo4K<<^-cDVbB(l?Laz
z+q2oLjIAaVCeP<gJrvm32Z&Na6^4v08j{sCvxgz=$HFwD86r)|oIhMv(82bi=<&(u
z>SQ>$J~>v!6B>e3t(ev3oOIMcFipfnwGU$DKolm+Q(Xf;HFI?yIYaagQE)l}FbJqv
z@DeK3ms!{-a%8D)zOvlK6}m*IQ8|4?`8sl)rFsGA?J^sH5*uq9i^>o(GtT5vQBot#
zswtrhGklIOL?K~@7n+nzU7#>t3ud12VsUtUu_Et9r66+HUx16FV0E}S3R=KTmndt1
zkMAp`MzsoD5yB1A(9CRBAYnJ916r~h7ldBXFDgspQ3;B8DE<ohDXS3Q7uUj7b@SX%
zWZgi{>59BiH3ytiJV`jJ<+;W(#i1|>*1_{yR;?MY4lyA6Cb#&xKL>Co*0ek)>`w2L
zLsh8tT3L0XdZHIVa=ZjYt&GI`|1Fsg9S3Luv_D4+WPGo3@yy;Eh@!K`Wqjmnp~2J`
z#tZ}~rpSjJ1^@5=^Zzffj)%;s(Mrx)WxyDvj$lso(jHu&jRA^$x{P%@c0|2?*;b;`
zZD}MWH4FCGo(z;8(m&LQF+Zg6TR-A^Q^)OI=c(!*^GLE)|KOosLe}hgnwdZ;=eJj9
zYRJln3N0Hl3_|wM-`PL=y`Hea{@xeO`)5zl|Go=Or>P@pKiyd-e2%DsocX`=P7!VI
zU#(*A3)%7{>B7uU*O3(GLIg4x$B@Hg?5xz~;kE!%FePCi4V;}q`93Jy%M>+Bv5bY?
z6pSbe2@KBgghGlD1M0C51MwV$>5E;tJ?t?g0C6N<F=-m@G{NkHPCSz~kZkXmL+WfQ
z#w6Hfd(wm>2?rrwV6*ivmKgH|SfB-=OF4P}xJ=`3)LxrhFs3$q0CuJ0N=4-?b+=~g
z2)+7ZdkPJB-wV)PkIffyK)-+a{QQ00wtzzEDXuJ2KKC$V31YqHhcD}DXH?o>b=_w#
zUpyDwWb=gzes<U6>Epbyg%&Yi3URrUujQ;_8kKkWC{7o`3krVz3>m}!LTA`4`K8k@
zQ#TNZ*P4^sa1vPgBA%)xp<Y?b7ow=P$YcTFi#0S$m3_*Rr%ZRaf}94cYlfsG^}*pA
zoGy^Fr)pRUU6?moceI+xT57A*lT3+n3a3--r$%gZK!yMW6HeZkqe8%ZlTlU+C}tPA
zyNSZ7$M7sdfua#nj;CVk$+k)zKvmd;rbcuu_4p9SbD^((nIkFi)@cQ$=$|r$OqK(x
zDvEr>0EMc?9I6gf>xHM;wrvqjiNpwk?3Uyl?XbipIfvYJUzc&B2(#c=HmG0Y5J@{>
znAMR>+{oHhwF_24`WY=tf!(5IDL|`yCCuR<139QB(Vd*Ep(|%1%TAGU+8dA0bcZo8
zSptfFOOWES43mU5|5or-{k8j2&07n^=Okdx)aACOyuma~TPwbpewGear}0<lj%Z)f
z8D?21QU)NMCQHJCMieg~UFPC~V)fJ===x!|u<fN^WZP=HXl5Sng9T(VY$Zf65P!Sf
zZmK`^8E93s6q%!c$_SU?fNm+d5&<~+RfUW~28QzeIgHovHZn1j`Z=eg+nqM{LT{Ru
z#Iv6!aM;uw?RIj_>6{i`yA4tx<C!;~K-rG06>@TTqGK%zg!aMjo{74UK4xk2NxP3G
zTI2wb?z;4iEGM57%Pf|us4SLDE>8~sdel99`F;1Gd(b<24i>?SRC|_?Q^8`RAXVuF
zj7zm=Dh$fyRn`ebc3)gxpY*}|QnAz?_v(%=Yz^i&{8EBzn#N^_nJYji`e|b$WH_}d
zDwl{j0)(b!pi^|OM7}oh`Gz66_lzUi<HVaFPZ+l-@TQb3Jh_YHNh{M6Q>YAY(Uf@^
zAVFiswi0GEO2vs&Yklc3*jtE6DWQ$hP#`pG+G&J&Flp2Wn*<rD&@mj%JS>rUkj|2Y
zm><&<i}HE?#Gq-jdaFWP?TAA~xr(f^L1t%X=!}(|G0DNrNc{zd!f4Op`gC+hXr@Es
z9kQt46h;iHSui9s8+{&dGbt)F3j@bk0u-`Arlz6#rGa3m44kqCf|{{t5&_7840Zw&
zLd*dYW4SBaT~$ec1F%@$2%I<SO_$A0-XHl^{Qdv+COGP`x$_kHa{@ZY1TZ3O6dcXE
z9p{*hMg%^7YQ=_Z;N*r-%SNi9b6q@Y{JtFD`x0VP%&j|5TiN<g8+yU6FgV2Ag)Qrw
zp@?CQ?~olexL49PA4cGw&|3gQ63r?bCwH_P7+uDJ+`+KQ=F3Uf2xV@Nq_JRPo%#X!
z(y=&4<&vF7BeWR0#%)`H*N)O_hqo93W;87V+V(NWKc2GGPR%wYCdh==N5Le0Atp!V
z^w1|q6zEJe<(vk5N*GHIBH4So(to0sAh}X=Jevb}2XUwqFKO6+BZ&eXAvHy(fwLv{
zPa3xh)uAr!OOURGDS|RQLQ1l-)ygO|flQ?nre;UFs<)QJ8dWuKrN7qUrkr0Le#+e?
z!fSEs-#-a+@p_Jc{E`JGs3=>FQ+qBQ9BqKhO{;4ugLHM^@<hFaSK)RAz-mM~IxO6E
z#vX+y(cL>pnLe5%`%_JxWx+M-h)*Czr^IB5NT3}8mKVszVg*&JHQDRS%bj$tkYOl&
z(3wEmv23ucc0Of6Swn{B#h}4#rm&W`X)8tRSl$6wY*LPx;dv{*R>d*u=i8&F!sn8$
zB-DAM^a!10lxvTxDYBcWSQ5Dfqjvta$)k=5?B$OkRdtKB&1w+J_pPxhyUn1=6tF%@
z7iTA9%U3DdEPV<>e1{^$*gl{L23UO63FIK<NvzL<ZR7Ys_T1p~Qk0%X=P7i(Cl(Nk
zfE-H=oRKJ!_lG(!LB+y9Wkd`3Vn)O;JVqg0j*(BIfXSr+h9L;VL%{S?8K7a;Z2>(-
z6qCTf9m!uC0pxgrNWu-oYxQ#@kW+}mgre&?MQl#O0K8TY08gK+1C}K+;6DR9Ru3A%
z$_$g%!`z&py}fGfl<T=Zcy^$s2Al7FaHyWT%<F>}@@c;PeW0>)<{Qulho#L<#l2Ku
z-M8yWY!1U}BI{Oe1HVydR|nZbY*z=`QgBxX+){K)0Lx<l_S2Pw_r;^ju2#^cl54+P
zPi`IPt4Xb0wHbD!#I6Reg|w~)u%)D~2DGJ=7Jw>iJAGDZa&N9*4=ZH!@Wo0(s%)h*
zXXYPj2bJ?s?&4)hP}CWHWs#96+axQ3)1H|s)K{(!*SK?<eHG*`zy|DNdmL)q&e&W9
zvkj~gZ-}SJU-}{XiI7`X=KL!t0J&&VTgxctFQ1?(p-8M$;Z!VHHSO74ZzIcSD#2#*
zESRlDWz))i`Ife<eO5RlvA2K`oFSQ@Ig#gQbv_5n&aId?bU}G~ScN56;T`5JfWA*?
zpu;CggwhlOs@g8h9a4x$g!VxMBeD<J0*2u}SfBtWi+vD6Iz#*5gZ_J@zU+0CPeuHf
zowz8FsgKNn-O@MK@q5|lF(pAFeXM)hyKyc$((=l+NY31wgk<8n$W`NeCd~)y-K1o6
zc^p1DJA9E%rVfMqpd*-4zWmGDlJACsu*l{Gcq-!#xYbee<nnOzR!FN3``AT{sk1sc
zrbypoNMNAXZ@F{UDbUm*U<m1F?f^ed`rs)0t#J0ii^HRHobD4!n)9`u6>A+H96dkB
z1>V_XDgY+$4$z5rwy_8_nUmxr^nsU;mRQahcG91M$zf>oZQ7c_=$uKzIgDmVr)UsD
zAUDL8jH3mZ$)rlYEMXEgw1m!<%;%vJt6RaCFg?v-oj*{eWYTv!g?{-2UIsmh;}9)S
z#9=5~!SbZ5)xT^&xt&$b5upA(Jx-N)OswO~`D#_xY6*Y)KxKANGr8iBc3l8aY*YG5
zgA&4eaG3fz^ichLvYD2zm(alRvXqnC7BWL;I7&WTYOl`URi>o<C<#M>>Yq{!#wW5+
z>iba<8VcZQ=+ca1u6itKMwXmx4Gc=)+M$qT*T8W>A{i?0V0p?au;|jO;fX1}!y%f<
z;N}J_S=klaf?#kNg-b!*>uk6;x2m+>YPhAvF*1aoFdwQ5E}F4d)m#m~4`a1$gAwZn
zl*BUP3XmzV-{_4c@jhOayA1ilo*PjjRB4wlW7OO@T}jOH@;qAV1ujQYr7zu~o$mXl
z<0{pDz#0hohgxneu$iFQ>$Gxlu&Pz{m<`0{y2-03*xm<!?+nh)I$EzgJT>J6Yx|&c
zrNX*&_MdVaO)e2g67jLhJUQ@X-0d~FMUg%mt=|Cs3UK)jNA}EB2c|4S)u5jf#s?vW
z3^@T6W`imw0W+ajvXBDOW<8-ZX)-TDT-b#;n)P51cqrl&BN?nCrX|FEPat64J?3-y
z)zi3org0XLmD>)Y%!R^aXNZ!tYYMCkQDzP+24I6->#VB=zGoAnku)*&bTll`A)al8
zhSSlo4!=(OcMfBrKCC2wL3&2bO88cbEzEKPmP)Uk7ts2iZ<8fXsl?{;0aloCXU%Pq
zLR!~|6igi=n|zHepXG2hl=*~*Rd}Z=x1L@wmvaq3T}m&I-Fz%*Z|Fj4B8cKye@3QU
z#ed8p4c@QlBVhg<1xbjbnTPIFuu%`nJV<gZM<hVKC(_=RzYRSei~<iv9H&ogHaYFD
zj&KzW<+vrcY+QdpmK7M$2ZG8<H<7@S7omq}hxoTZuy~lGwjz|LSW+1&CB0nMB024D
zv76IKAU&N|MIe=seT$ZrR7)Ku4=bbxDqE3ku%D=VA>{X4nK|3-H*|zN_%APl3*^My
z-IiwAu4#nMt61L-UC1=0CHu?TqI)8XBlLi3%3<-*k=-!Ug;fCwMoLWc>SiaPWO|V%
zK3vm(S{ND)16!ZOs+<@0>lNX?4hyU5%R>4n8F+#DQ`sHql&tGiPFDi(7=_5^go2Ay
z2x{m1^*P!`<=9HbP*zDkCt;c`<J$WE2=X8nOI-GSMnp=yMOUR1a}tw~%$DO=tZs%R
zVw?(?q9y7LP_KafPWorXgqXGhFjWew*uf=9vd}rWAkob1PI-Y$am~8mq&yk5BJ-*(
zKT_XtPw-Xz<C!*jiYCv`DDOQfKJ%tTPLeF+TLn)lxfoMS<Z3m9jLGn<k$wWyJvUY+
zE(HB~qcvUtSZTm$X+~6{eanzcpc-;SBghd*U+>F{e?W(ELT@`OB}A3^y|Cy?Pj{*1
z16(8_$8m_f6jQdqa%ih;0Y`L!BPpkEDD=_D*<()kn#)bH2%$h_x6x1#m<b><mHUcA
zt0+pnCl+xYnYv<9M|WjwlQ@7JjX8xJ&6Wj2#F$q0LW=3a(qL!<l#)=Wx3}_X6Leh|
zC>XgdMeB&&y1evB#03r^7#7~%6NS*zt;1O)qT8CjWh-6T4O2cD`$?sSmX3XOw)tEg
zKQ2i;ti1oB_Kv|I!1^NEJG)|=JzD#;bslql+^H(L4tced<xYTGm@3I(I6%IP<qZNG
zn|^L5d)JHCdc5GZ(0$Ivok39u<Q21r&a|8zkp<aR%GvwetC5v#I^8wV1=2fL%wZDi
z#%9W0Jkn8T=N#*U!=q=<Q@v&guVS7scZL~*ax4^YSLdJJ^fWX)c>-K41uh1}OOMGE
zSU5@8azZ{>Tb*hA?bCof-3L$8x=;UUaOM!!O7e&V;~4qXl57gBCbqg(HqwoAPIkLd
zBJItGGIyf>>ctvlW(}$rTEePUJa(Zhaf@s_MogH<GA<t)()BiK=E2ih%<Z*E(evGe
zSo)$*K1e$t1ji(L%H_T|rY1RnUTF#bTj|COaCOE&Qnnz0O1dVKICjA=!pPTo<fXT8
zACM^2hHaXX%_o#1KRqht;LMUU8Xu}oTAljAC}-)>7ACbGij*8nXe82P2!8CFlIoy~
zFM8H)lFDQYqouxU+yL3l(+UE4j9yQDgz`Q2qAZ)G>vqM-OeQOnegfn3le|?75L8mR
zbxx-0vMI3wgJEdX#;VCu;8!3{j;hm0QT2D3dH<hMVVQjL>J3fwfek^jEx4%cz@H7&
zS$SI*Us-B6wl!?}M)X=q(I8!qx$o3_=`GM++2VUuhLRBV1^9@gC|C=_$%k09O)jmf
z&`8IKz*SxV=p>6`VR;%=l__{H@*mG_h{Jgk3eZXhPSzHIWu*w5Y$gGmeCz)e``^qL
z7Wdmqf$ryv@p;BW6D;vhaF%Y7DBq&Go=NC1ois-(S#{(ry?2AHhImARQrshA-#N7g
zejR38Y+t%#TtP!^l%%;6uz0e4CwJptiFvKB4V3FY>t-;sDXW)yIbX3(*?T%_fZFyZ
zL+4zoeJ5cdy{^V5opWk-mIq#A!jOAl*q;-^^gW3a#P1P`!2fx6aBy(oJv(~!^3{Jd
zkRFi$6_Nv|XmdU_1FOC7uf*Kb&w5V;kEQ!B&zh8`GWJxuzD<jK(`jHVQ<{M6fpmB3
zB(ie^gHY&MLt~j%O{?~0MVm<LRU=6&?yu@<j?q!rg{;FD5*YjlLm2t8*=Ga>V4{D6
z(~-I!DieH}vi!`dW429nIx+<8mu^)~RAivAdWBWGT@f*$Wi}AcG{I(!+te0)fwbjz
zt@N0-xpkbTPOYP(u}?>8ON!nZRb!gg!igvCOV3KnojLR5dc!k>xNVbHJ4ssgEk24Q
zPm$!|I5+JS+mfoS6@+9gp<f9@ST3K1Zbmw@JESPRl=EIKMO6P|=E#LXw-IYnKc^p(
zB=GbJdFo9uMfWfadr!>Oqn-vcB~)_IFwiR*Jx`v1s@A4M-2;aQUG?8V@924zj5&3y
zr+Q1;#3EWK@Dpj><&?QOJKjzUWYAimX3Ahnx68)rx4VC4O@+GNzDz$cL7*cvUPtK6
z&QQwW=_nmrr&H^pyuqI#KasgD^bkse)3d7?smirwLRX~Qo&?)f7<ZWR1cn}tncSw)
zFN7d{z^;9g<By}^Tk=#LWEKM^b=R5rY2#+e)yS6TC4elm)7Q*(EYbWiq-O^QH4V}*
zt=ZzI+>{4mDr{n&V~m*@i`Nk6*<nh$6I{j(eHa|(ro43OZIF6k-K<*{g;VCjLX=78
zMU|as6{xZmts?n2{t}EbX{?P_Mb3}j4Oew2Ie1OhuMpxzX%ec@yP@9Zay5iiuVyy1
zamj$g5#)2}go>ed(&$X5X8g)hC;%|a#v}K-D^mdEuab0REX7%xPqzipESaPvvt**Q
z3sEVPEb7JjMMqm2p!&8A9DxAc*_krbK^kEnj^0T*HG6G&6H$#eML<g)GfpU+A+<Xx
zx^Ao<=>5uy%m-4oR7)()8=xtUP_PedplZwS|JaZI!>Xg*haIm|R;|<72lsRA&&>t8
z3<OKjC%(#2Bh-rJ4LqHKB+^uXUF%rho|r8(swfG=eGriXI_Z}Nm}QzxMn1@ej5%{+
zj`^k75$yu7JByEin8AJ-@9VpIsOYc^(wm=8_Qh-PzvPwQV-EdW_hNX9n3i3q?2K~~
zAk}jN<vA1&^8My?m9pEj%0``f;0nRu7m7K$jQlprKqmFIh2~04uFdF0%|7^ECh%=+
zXU!r-nkcSDYquh?5onjfSr%(j0ycF01PzQaK`d!BOP1W;R+Xj-2WlHm2rXvH*(2|4
ztGcH<ovjNFsw&49jN?97EQNLJ&dp9xOH;$dz*m;0IT$OtU#bJgr!N0wg=?qAA{W%;
za)rb*m1{IRJ+{rA=d@*9NvJRIdeq=8OwC-;C&^2xtKS7`Q@1dgXAIG^MM{!BNT&vv
z=HJ-4T)Q~4XJ-!9Bu`ACV;>3%-{t9<pgFw5gsOSgy4z9Z_cpVhp;4^c<-yk=@!g%R
z3`t+~JjBtaBp;&?@miYIGEyw})P7u4Mr)wJ<Z0E=Q(`M}6w6>JxhrP)l7&)$U6Q|b
zFMna1p0kSg!`Ziz<*#nD?kg*~<`V|l4QWo+W0h?|<~?R1yhCN_jz#rqZ1(MF)`e_!
z>|oj9*{p6pFM)%keKy%5vTuoH^Q_!XuC|QRkDaZpvOQZ$*;dxF=A><vRBbDBTMM!(
za<@68J!S$o2k{q>#Vupu*Ph4C;q2PU+{*aT7R|PDy49fAAhBBw)Qz&c)xh02#aj*R
zKYX6IoK3NIvbWVF`k`{Z)gjp=@mn3-&9cAMLEbzCTpjd3ejYfd^=l@BTTQMXA}3rm
zg7p)_Rm0pQJ6tu?O;f~GL;l0(iF0kp$4?elg8#8I#+8upcxmHu#z9l=xDtKwpxNW>
zb@vyNKQ1@ve9=kd%4tnA$yLApO4G?zH0WDSxi2cGoYPAiCYEc0wT0|*O(?dIVy+Rz
z`g!JBGU!{fxmARA`x)ojf!}W0xpp`=&ONsRn#~f>t$=9rEOhOVZ6Ot1%T_&HKDu@U
zJaAIFc0_EPnXc_H{Fa{Xi%C!CZU%gw9CZ#26^ZJyrOcO~s;<zU?c}Q~<3`(zbp?_>
zN7_1fwY*~Py4u!PWUq6DyWJ5BSI|<CuF3J1w-H-sva4-UbuPO+zBLlsHDRtxX;(mB
znW@cT<-c!cyJCOUrMJs5?OTGol5O@cIK`bC^wXT@uD)T9o$0QL`dqrZ9PwXP!n>xn
z6tmuyHs{ODd*{w>P08<a2GqCocO~iX3L?`c2i~?AyR|HMPAgib!h0C$SUVYBt_j~V
z;;o+%&$T|*N{d%-EjA{`bN6Sz+U$6)Os<+D&o%45nk0EnqZ=~iWle0CE3XcAWx~92
zB!A?TdBqUc2g{pRvOm32=DaFWx0XK78AWXq=(+l5lPr3r=>IM9=s7&xG?`vG8^8Q?
zdPVWxB&S}jEPuIK^;{eIu~X~SVE>k1?=$4rYug{6FUek=ynf5H_eaXK){tqhNf5rJ
z+xsI3L929oHKOncIrrLN|4I_?S*x)%Qt!Ej`BwAqm4g0?lJJ$%|Mh3$D{a;nkdCjE
zu9Y{8SI){;iuPM-z6J*U+vewM6qj#F`nHs$uS)J#&D2+`8)|d)l~V96Vc+Hn``R$}
z-z{rjDNnYTy03f~fcDAzEMM6M>HFNRuvR(zGQ^u_@vBDvK&kvH5q|Oc{3<E`f|L4H
z)4Wn<znsK<%kB4gx&118@NpCTRSVMAv;0-Jc$=yIDzR*q@2{Fqe}trem95)m=D({{
z+591M|CRG_`w0LuoxM&9z}2bzGV%bfNB8GT2KXcNZ<E*#2a&seGGbGezzcnxQVw^D
z?=TEONM_iFAqbL1417wWU&+L9(WLF`rl556!~!`RgOMJ+OE60yg%L-Hr7#k8tZ7E!
zB7=h&hzJJ|un5L%PB;*F0vRhJWbPi)pf`d3t@t7joZlh31QXdt31-7FDq8CON+ztg
zqky`}4K<?NcoFS!_?6=m=uk9ELP*1<n0yPvLbEqNjx{p<HjN=mJzS<&(ymQIxs;aG
zKl-5ae*=gW?i%=FJ@!AsAgqROitL#6oA^;;Qsf{Do+p$FNw7{+m!l|@RbI^e)4tkN
zt;aisI7GpJk_r0>3nOTGh8LLEATO^Vk(9qOsZ6RnO{FrKCgBQXR9Di*c-3olpudhB
z4ymvLj>U2nM<@&3tE8p8hBhoq-!%&a=b<h;m~up4;|R04KJHo}dF3^fAeO&tCW9i`
zf<~Ei%1MyUlRmhNbn>2he9dVKMuie`rX5le{U@39lrCQx$=dl0RztIPPJ<QEteV$g
zEoK#S8|Y5Z`(x$F4a!_0%?S>QDGq9r92C<W$QG)m)t)DA>!MsS=fM+(xb*qw-$?&9
z^z2Lm_0z;w5+tmHVjD>k*1@}GqJ*_kt&=QaZDi{vOjrlu+DQ}EYTdRIC#*xngCtK_
zhmbWBD6BV3w~|DmDT6|}8n4KrP@YGjB9lU8E`_RW3N7*}w9BYao>QSLt3p*?g__I?
zwSB1)IE!v7nWD^VP6TIk->8`7)NR<C;Hbyu>2J?Zzjor;jaYKQFa)0GhX_W%^YGM@
z{w@YQwM%`6p%)8dRc_c)p_DxDw}f!y!7%i2AXej3jHsv)5if>}-4hxBPo_fu;k%Ec
zH^*<!M>of(SD$(rPVc*2dGzAx|Niseygx6zKL_5QfAao({&cS!&qSF9=4e-7-t<(D
z>-~T^NVe-T56*hm!f%-a-1b1A?ptjo<qn~3$MDF`1u_|xBV)Inn4EEmXVD0qW=1j7
zUPX4m)m(n-<Oi%@ntaJQ0;{M^vjo-^Xvh;Nx$>Bq0#ga9&KB6Fr?#3g(BQPv0Tz?-
zX$iGb1ZvN_og^@I#><3%hxU_vqCov3OBLwWJu0i4rVA`RKvAbxwt9%d+Ep(}f21~!
z8cEXS@{4k{c7@>msLb2@9zbSvjJ0<On#pQIiL*yOQUOKIc1{&h>TZ|fwJtxXJ;abi
z=>1+shP}l)dN%}%gmH_<U;(2<9`w=aS#z7_6Ou&5jws!zZ_#Qa(wVD5HWjPw+*^d=
zjtu|3BRBvQEy$gY7GNMqsOqda3K!a4t|P87iMrqn!8;8LEn>b@Ezsp81eJAGPM<=p
zI4*aqaW0Lkw64X*xWHZ%sq)@xwIRO!E%9w{itDY#Hk;!4t|;B#ZqX6${<ginoySnJ
znO(k}-KP8NwzC^L-Za?R*KX5N%QzIM^9EsUOj0WhS!|8`CyPYMqEmE0jfKkzj*)PC
z%4%-SOC1+8ZV?k>p>GU*DT-Jw{zXE0jUxnjBCpF4VD2*gdu=R^JfN~NnMgG@xU71%
z@juYV?tV*<;KLoF>8WB))P7umsHAm*BWX46%6tP>P*X_!>@f14P1(ajA0t#}XHz7N
zCLi@?C=%Kn1y(T+#<+KP*gZPvJyEL@%@XhK&|4r5RX2-?D?l9LkXfkHuQg!_x$by?
z^XU1dv2B-D9YJqL;bzCsThgUSviF_!PWK4W1y)C<+&$<WQTjA@YC0>?7q1mD7KlDj
zPIO5cxtCWpMS<SE&;vitM=$KMJ*5L;f+H?|aRQ!ZP8;n_e+o#X(tn7Rq@b{f-q{Q;
zyv`er?wN44!>_hj*h&pZ&q(Jtj_YWVv4~xYW|(oh1b^2vX&+pjyg40TU;XXoVsL))
z&s-O1KwfNhn}h@mq?Tx7!mw1wHsaCc`1JZxqwW#ru{jFERcJ6^H5Kd@$CX5IIBN}A
zl-<RPMZ(pNKAbUmcEDPz?zL)pfM;SdZ;MwK*D>_>P^@p@(TkUT2)o^G7mPv#83GaE
zLgukGLiW{>7{0GeSaYv~gu~&i6|r%eU!gU@qDoo9^EwpjDmb<p4yG!lNeUL}3eHGk
z9|Xj|MYM~Fer}|r4~z%E$e7wFhO<66Jn{lG!7%a;k34#)uFX;1kWTNhm3QKFdO^5!
z2xM-o5`_vQAdk?BL7e8U&<#($8io;Ob(OBF%rZ;ML3)0%yB)`wXpc_75mS5zrAtaN
zu~+J8c=7~T9p{|nT`aG3)t}K)6}W(I+@)PL%_foS{4eHej-udx;l8&Tf>ZZfLz%Di
zrjEK+eY>us;<^rZ+*REupw2ibuLrr0><Bh6C1IfQa|A-lm9gKjoxPK;vm&BaffE#x
z`;snf3#(EF9_iwPbtnh&A1j8$wFozYUlFCUMGR*9-ubazJZ1a2WzTA`Hm1XGPJVxo
zJ<$8L){}IrHrq<AOFQrGjXEo$OX<%Z6&697ZQA+pqgp#>i;1DM4YWO^Zf?^D-qL0E
z$%hzGtb&F1cJdjLba7o;%%9d_LU}^9CrHWR?-v&w(t=T_p-zOK+XPgnwOR$@w!NL!
z(5f-or0NX&?yAgv*HxBPdQMvW5`96Yz)jO%lJGqhF9{-b+*hKKmz`g0^DT`ycd-}-
z8TYBsj$+0Zno^UBna*|u6(Gz&>hrMT=+xXQk+SYI2}4=f$<>)&o1RN=n4`P){sS3i
z%jD$-+L2aZohnEoeL~b}Z?;GC<Ovw6^SE|ODPhpad{U-inB_qPL~<!Y>d0-v5cv6f
z1_q<kb#GqCw|}LRp2beB%9bx$ESt|{J{Va$SJOIHFoC`iRz2dcL?s~@;>(X_tn1`n
z`i6q>Nbp2hCF)xK3H1Ax$d=qjAn>T1KKdNZ)sKT=mgOhSE1q4SF5g*s=wOU>M53F0
z&qx_?wkq8+X--b%4MlX4FEKL&m<J(dDT@^;+STM-M5cptS6MfxRjf=*n+7iGXI96=
zEH?e}i{6qH7La-Z?TB5yl?i?sTwR=Ayy+L;sUsXQMZQ_>S;yAz4!cK(!Uz@Pm+pfk
zf_D&y+LI(-zerz;&W>4J>}z|%IY*pgpXH{Ug?j30P5m(2hvkrR0EOwh5RFclJnm0<
zHtW`SqYSjRJ}67?jxvNN8eyFSDvzm!+sPci^-P0W<1ceQxdd=HYX@v)f0K(xyN&Wk
zj~~gM<kDg}ky<sq%7avdYTPC1jV;^u4i!Wpa}ynO4_|Z-99PlvZ?2-paTVnR!Y85H
zm|=3wN=caB(v!U^@flg3icF1pVtgeL=F7DAZ%pq$nTBx2$`<w+o^-alhoN<XD|??$
zWSq7_&bCG+AInX1d*el$8@l*bnj@e`GcQ8-o(3xeA!R`R6whR6qnFJ`x~VpuX=~%z
zjXBL`&DU}(un#)ple3fIH3+%^l$m$IU@Qf59}EZM6Y$GVCl>;O4>=6UtUHG+g?5vM
zz3!&f_rcTQ<;BIx@cQW<xXx9!D7j(yUskm}aB?<20SDmZ;#g21-rh`>Vs3qXb$MO^
z1jxidRQft3?ZVi^5!iidZ0Uoi`yl;sD1I1LKi%ut9vPQqAWPcoW+Db4VKQ59=WOuf
z$yq1=HbBg$I96`A&V{v@Ff?~u99csvF})eQeRI-)X^j6>z$7>!A$QW%kRu;e(ylTQ
zMtAQZHF<-q<P+cyQmg_@vU{4!ClAN!01Tl`282a|my%GG&KlTlFwaaD=Fyv*lm8xF
zUR|GD-5j5e2S1*j+#H|09=tufzBxa+zB(O_Q)Wy5Zy$8Ts;=YYJ2t>m%~#KZ7B_=_
z#*;l|ihJ8Po;E_>uFtO#-NyHvw!^U56{qcRY<|0GBc3f>Y}(wGhr83X5%&XMXWEE=
z<C{!d46kpOn123COov8&>o6Xp$8s*rrWqu}cPK)P?aS8UNTnnX)UobF_SXcp+>CAO
z%{4f^6s4!pc?w<ci3P+WASa;)&PWu=$K5zDflT7kk|`~4;RtgK!($Y}r8z!-s-A&B
zJQN)&pNj5q>b8I$J2&d6TWU4}=w{gi*Xrj+AoYDw*K>;4oP+_;hu;BDpR5B`r!~mH
zjuU-ZKm*tv;6AKUASFH52kHPw>|O_SsP=#I846X|eDnK2#gOFbSBEW%txhGsRCe9B
zn+tCa+iKG5R&E2oQGQnk*+PO>2ij7GR|niuic0|RfZWqBT#mKgE|p^Y-R3gvU|LOr
z?W)bN8>M$Oa4jTvHGnOpb~T_aCAI)`2RP4i(wbR8rQ)h3vz@#iR>-S9z1LP?mFMEj
zF%I+|m}@b}KwaYjXU;hkmHfzZggD?DoPSrYZr8YT8h;h!F2DxtV|z?$+|D>%1+xvT
z8n1oj7V9p|c2vDGFvYTHE}ebfT{T$g_l@Tb{PpnrSFIc=Urh92Hj8}GF^2^*(@4Y8
zH(zOdVX-aWq6#ab3dd_)e3H&S&c!74S|Qy#Y;{vfUJ=w`-}L^C?WB1(haEk62O_zT
zJREya-C<xiv+f#?e9Q9r^3A51+UCfowV#oFCzE|l0>J=Ek|^*fnPdqt-)Ws<^5q*o
zZIvT-quV65&o|x<*GcaWD%@j|2^c3be8>whlgT6{BaBR<D3E7{Y@+NaA1!v-?t=`j
z^C^sNe}A!vy7#K{@gwLergrPc#-~qOQCWmv>T9ITP&_9Q=IV~W$`Pr{Gz?5#Dj$HD
z!*gY(P-z^BHj7!wP^{C$7s++bkJaUetspAh@0J<k)wf(&R)NA@ZN{Y6m|Y<i2a$qs
z@@1zen#Y=<N@laWgCRIIUm({<sSQW6yah@?g7OV}Yx?sEMTFUVTjuI8GZo5fM~;b~
z$k0!9cY2Jwi{MF_<QgK|H%n1!)-C3*Iw7xGC)I{5B~wR>8UL}H<q+AvZ90pM74T<n
z7?a2JRH$OYPyiUoOICIjh*BCT0F$L9?KXLp34E$}Zcg)Bg9k^9!^lVJ5mh@wPz|ed
z1{9|Vxdv28Cp>ZXQe9mFT4eC9Xck41WSI=|N_|&uY?j_QD#H(@;loUt38PnR+!myg
zbFdZY)#EFRh;#c%3sP`2LoCmS0@(Hx%}GS4&H--%oa|>-?o+)*o(;9KVPMr=NumBq
zCbCu`a#@}B)?vL|tPOZ}kCuwVg=&@fE1Bp}<;b4sZ0Zb_EEd^haZk%%B_T3<Q!1r|
zDk$h`N>0BI7};0%_bbzRU*!Oh)x=m1P>kfEf6z6`pHR>pih)rdYg4VRo~Wg;v5qCt
z*d$d@+1s7QRZY8Ysr<AH^DN34Fl$e&Ika^XYmS14oLF;It)!)MWNuYU=jc-L(m8~#
z1gLc`yhVUX7oEzHz$wH!FNSlos!DIot&0TBV9V?T6Ne4bNbC>^L-MC&hIC4Lf&2{4
zvO)l$4>9e7cy>dxA~zwNebn%O5O!!xam1&f^Jiv4#X4XYM}C+D2y{x%8gxK+Pgtg(
zKo2~7d2j&!!_6)=71P7v!hRH%-O$R=9iq~__bKMshoSwxU~Z@NoZuy^ZBlAKeguuw
zgHNBF2wDb0IGYK(b+Qxy1Yf>WD&*6rjwn4R3EgE`mNMOdWU+u^)$H77lhLy}V7*^$
zV%`7r?X#UvHn@7qK_-*xFJSjqMxrg@I5;>sc=`Of{CjY4ko$Xh@aoyKKOH`Q@#@vV
z(ZSKdvp*dizBoL1{wHv-CH%FYgmFm!bg(h5eB-{7&&M4AI^U^2@AN@OO!xg>PxQX0
zC4tacPknvT*%!t6GDf1T@+GKe*-dkuKKLj{YsXHqmOi!WGfr_dll9ee%tQIY(i#qo
zwB(e~MMv%brOzzoCtwV6Zr}G-mN#MOytnkxdo}fb+Sha^d|pPc)n1q0LBi)K;zqkU
zYlM2DOV}o#D|1EjLB{ep?=7MxgoFrYXk5zl=Hov)W}N?{17NVgk+2Y`TPe>#nOYP;
zkY;|>^Ku2St~$+mj~UvRDd;#dxB90!@j~L?Y6rMHYf&V^Vp96}Q&u8HJ<>!~u_Y&4
zIr%azGS=KW{5iG^JqRd_0<r*y2cB42LSL*>U>MI~lq?X%K2QV!oE~sot=(yy^IGlA
z#*>bzPr=o-(2ldt)zhmIbMivx7!(B$<zXASzlr~qo-EBMSgqNj7o=^non|+7YDtqt
zo%Nfm_l_hGnSXK)8L;!akiuQDwO!OWKDIh8ax75o|AIz^rNiHDNm6VxwY9iN2FW#-
zykIWUhvN*OZe^>S=W`qcD9SYefR3EPR2$3`<^Yu4E~hMa%C(AoYGU8^^y#|1d@#xR
z3_RYk{~EKxy1TE9bx~y+F#NAIg}iXH-&lZZ#WsqfK-wT37UCe^lj_+y7JNM{djmgo
zWY}@ZySEYM0`42!Y2aVF=em+@c4ZESU!~QnOvWsTxDX7no)wqYuIR2D(RHxoJGB>G
zcwR36b^Y4hw=Of!)waFP&sr?#2*N?tYbgy!2hYE+C}2e59Cw@opK=4zkCV^Hi{a?)
zmKbqRRlqP}k>kS(O2<;cZH7&mbX!9yQ|HGjX=t;$(vH`SmM<3KRqcc9X38oGaKzCp
zuhCKp<c*#wh%bGLDdZX2WTIK8=c;&;?@^h8YnaBk)*1$d{HAVFP?Od;%V#Pqh^u@q
z)27+Q_;??gVVOEfC!aLbLI?V^5P7#nJL3OO?R=z`|1XOfySThQ8F%>yz8xP^ga7Z<
z^Or^c-{Ijm|KDSLhCdCiuEE9N{G<;)e$?B4UAeCL^l3-EeRpy-KE1rK3%nC!k3^!(
zU^FT#F^FTU(9U1}Vlr(^5Qrg{5m)zftnZ3d7YkqpCP-NI0g6MiL;?8AUv_pre)NQy
zZ{mUi3}+Ex9Q)@a$o2+5ecHKB0f|NS1feJcgd>nu1Pf6U48l;K=mK+ihja~<=Rc4U
zjV7y<_@2TfcZl9o%sGnW)xQ0mo$Q7tAgRsmv+y|7&UI~HfZYK5+)N2oO*5D~`h;-@
ze76UF2N8|}!M*3A%>Y0;V_QWl0M_E%d82PrGRd-Kx~j<%pbyATIF4qLCAY~0`8)(O
z#8nB;%XU<Spy;j9ZnnGn=@alm0OPpp2Fsafk00{YBsl{UoUcOlmLvi9P)!2?nj|xa
zG@CN<uq9O-ga0E&3AlU>u75fKqs!y}0G<bWB<5-Ch?=%o&r+%=;&drzr7oMRYr7_p
z&3ATABS2`N{3^ysL*|xf9bIdV9cs9`5jsyzdMB7v`YY1WP?{!DR}d+r3WZFuS^W4;
zd4%No?*0#%#AS86cZc27YbSRURmHsH)~T)qR;RG(hJ@TEaVoCral75u&MjJIk_{6+
z*HC{(OV*XHT|>doXen$B>2-LgM#L@`gwv%9pg_9&);tBf=r@N!DOWmsd+vbp3|9mM
zbL7AOgVZ^@5#eB$&=kuoBoi2REf!0><}MkPE5@bCeYdwK;T5~Uty9=?0J|AI>S`FP
zbpmLFD%-nfI$k?yoR$h{vQmPj{-RXHrUzaFsbOV^owLWXuf~AB9KAZY-cGT>x=NlS
zMS$&bRY4PKw*m#=4nrA5?d+MmB5p^e>Wy>l$(@ogB==$#JHAjkUl^EDvXCvokx)<6
z1TX8sTa6~Bcme4$w@2Tt(o<b_=bJF@uDV%5-O19Em$C@HMk*6pI<2DLGBL1L9q!6e
zGOV6bYpJy{wdV4Cmsrzrn((z{(~``l0U*#_6FGy)*~RvAW)J~QBHfe9W(T9o@%5Xl
zlkv^q`26(ZW;7U&f4RIm{^7e_ds5W-OIuAqb&_bZNNG9r2>6weNUSA)=zQ!3ki+iB
zj}^7^8nFYqpFVx+fZxFcGW7B}@Pa*u`<3kY_|ajw08-7DFPI}@@@mBpJuhxUls<k;
z&y`tX^>wimn7K3CgR*AqMycBan@l&LR%mnbs}+l|yreQtH#KRJSK-dZtGcHPQ<->Y
z*e*b{jI{Ffxf9Q$3*dR2FM)@}FLjgt4^J=99imTL8mKBmT}?O2_ofFu6y5#M8NJB_
zryxrm@DJ@)@I12;@jMW--$LMdbHeJT$MSg#cyB=)Q3qaNm|XzcKqbEcKiwQvaH|P%
z3tHng4J*uq19<UDGkz)*sfqmcNx}p4@mJP&Q8tMG16*8QpY*}$R4yW6wyw<9Wa=1?
zSi|juMHb3Bhg{Y%OSI0K3&Re;*1}NT=O_q3luDa}{TBB1ondm*Ss0bz^cYwNr%b=J
zNYVA_(<cxRq^xMUXz0{yNNLEDgfo)}Rhw_t(zHZ<vVLl{X`&eDT#x{bRDa|MH@ziu
zDVe^}Q{Khp@yX5UC^yl`tB+d_4|npy94*-25B}L@9P&i05amHbB%kRYpE`R55=NI-
z*Eu5ALC<33tCMX4U!+;`sgs_qTzUNM)lF66m8JAMWm?}J{NHJI1J9F9|1NF&7p}?+
zs#*MQ+p^D0v1PO9bnw}rIU_Lm5r#1G5p6Yav_j)x0hfRaeFec3-Gc>=5^h~;X9EVO
zBOUORrrYkOdkw!pZVtK05u;q7;HhJG-nDhB-LEX)PaSnIKDl~#IxNu$tw~sYe)G&m
ziL~3r|5R>J?cyjvAAr#$p~cZIjs#o=4)&xVXnD|mEtc1v?T*`wFGj#ua%Ft&gL~8F
zf594HXpX(NoHxy&5Y6+Zgx*6Mv>O@h&hM=}I#%Ixf2B_OU)vlYhexlv2i=42;TJCI
z8!t)nL&IwLSJt4yQr@=SQ*ZM19NFIE)Xic-&`kyx5`hTat7F8W&Pj?R;0q&H-p(6S
zbcad8+;~Q{g?SH|xda{XIVH(V&4}`bb#3!@!D(cU<T11lNEpbArX?YAyAek6p&@Z!
zWty~ZcGr+4)O!*=<!S;)(<$<K7aR);MA^das0{3m-myJ}i;?h7+2xqA1a-A3UfuzB
zFvJ1mNNE<)1!k)vzmC0!G?JGxQ4)qYnq9+LrjgVNbgiltw`PJySZR2lwQVF1$#uZ4
z+^9@LJU~Y)uTCyPs4Rdcw{!EUWn9JA@+pn~xS69+2vwKI;TCYz$A3I~{_5}`AOG>{
z)wlCskMjBWvG<pqA&Hk1&*mJwJHLk%?Ss?E@9vC8$N%k}VIM^dd8Yx2IG$oe`(Q8{
z41YTDj=Bdsf9a_$nciQ(9bWWh2COL#k+4C2SP16&bJPb}v7Ph~x0!Q=1+fIbB`_4=
z0|4V#ot-Zv@0EiVsBkQ{^9ur;CXw7Xha9|oCWAj1m>?e}3;{+K$i7WT!Ne#G)WtF~
z^%K&^nlJ;qlciLXdfQHDR<S(a>#9Zy?W0cNH=9CUwlC0bf6cRII_u!^pIe?e&Rc@A
zslO}s2*!x7cri|<Q~UvRyo^9OQQOFy-Ibm-_2$2C*uz2@dvfnjGlzY7on5}qX&A9V
z-`O+K3LRL+c{@+x>;F2wDBR?yM^ZkMS0k5o<YkU&tp^CZ^ScITDbMC%^`245f@AOD
zSX3g4kHsxp!ZzYq#g_a!T)RR%p=xtXMZXp=+7i&4nx=Oi6pn(fk#CtPq^&sl>xvMb
zw=O#>E~b-<li35SH^4;Pwr_}YGuOrqa-eP8u&fnexBQma%6sPbn%Z4qoo~#6Dyx4}
zUL4B{&%mh!X0G1SH;Ji~EUiS=x{j==sVdacsbDudU5&WHTrLR>+$k<iYFU!bxUl?O
zXA>u~s6MY4_D~U|X6iUL#wvA6jT9%=qFB7rFsWsReYCk9Lo&ZddxoS~$}PSQ*yVB9
z8i*B2Xgq}uZ&t%r4ZD(~Z}Q<RDp;g(j<aJ*+A}W~^0)~LbD)|Sxen$wcq#$4FdW<W
zj<wYA(w@3S%NC|c;efD=*0H*5n}MqCN~BR7tiaxKLQ{C_N=Y*Y-Jy=#H7`6{q;mtR
z@;EwWQsJ&d9m&dzYfb%jQYnMLR+GnK+}IZ<iG>jJEy`d4_KMQCK5Z*gQY$&>C9~^@
zjhOFOlbS+A=OYOXp(c>AYK3MUl-S#o=Lg!9bb^^{yKt58%SMH<(lE&J+yS<Qk&p-f
zU6Bz@gJB~I*P%yCbIT#J!pJaYElp&Dp^5udzB4P$vd&-AG+tD(u|9Q^o>f`-=#Tex
zp8eVN2@DbQQIkA2oC~UYTLrE5bkW{Jk)_TCl>}VZ9%rgJ&*U7-_}Y&!Nd`3g?)MZ9
zQ!or*oE}QGc_3d*a1`7WdOCd--wW2-ia-wP)+)gAX*st;G_J<%ZTD8|F*hrJ_M+uN
zzqWeqnm-@xQVrpOnB}-<zaqvt`wJUz&)8ul`w33sLwzUbIaGT+tv3l2kOhn@y#uDC
zQ4vE^qusi^x_Z0Sxtjxi#SM!!X7iLGl@of^{*DX|=kxrXG;KRV0#CWqDQJ01xw)NZ
zBq0Abp8Yg|L%YbH(#?%sQ>PS7PpvJs=mS@0N4Fxs2HJ3CIX=nPTu+{hU|Pzxq5Odb
zyrd^&mK{B*ZmByQbyw3TTi`?GKHK9B@N%B5Hqr}nQyB3@iL+~%j;bBe1tgn~>@D!q
zk-rU@>IhyN&X!Kl<*eP5RlwT)wlB6Y_7C)ZlBmoX2}3)eo!vN4wJP<TTTJuBYD>Bi
zze>174rrv4ft2XDEVx&H>9hi}j=W`pCbLoL^aW0G*HuJG0&yf@cwXhbT6YFs(W+{>
z9x*yTmm1e3GFefV3n;;)t83?Ykf%RaIK{NmTv`RB<xDE7d%E&N8;I9uV|CG#T5<}_
zc6K}%+36D+*ejQxJY;6sTD0_TaTJ`gG^L`uaOEM}bC%eJw@o@ek49?9B98o%beX+@
zfM)mn%S=!vdb^F1&#svrs!E&s$~^G9;d+(GSfTcNDmq@~Fp6h4m<gJe?anj&4t`4r
zNBUetCzuE_erOxvpZ5maUGeD?U@Y_z<u%}V$c89A*uhwMi<ZsBm8066FwiHbyt#d(
zA-2!K=I+|H7P+?UZH0;T3=u4TaHe!VT4yXaVM=zm!Z~+jjxy)Mu(}k*gketTQnB*y
zz?-`HrR)&%McnJAa{>y$Kf&+6>nbJ1-J)e@Ke7QmB#Rh_2*5A|=1>5@kxVAda5M`M
zSRlsW45@<_z9=|_IBcAK@@FE_L9XF3F~ns|Pw5*N%X_x6XH{d{#Ur(xGgF@<J|}@Q
zNo)mC%;IXGCjC<Ouv6rKDEKSE5$OCQ>R3fRD_u`o*2@Jk{v&!fID30C2JZ%Er^kcq
z)60wgKO!+Rr&WHJ9o0gsztb(#w|-cu_@!?PoKAt9JQ5lLm6czfu9r!fKp>CUL`XdY
zgwN$AyYf7aIw&jZt|l$jy;!lda^1&y=e1KRq2XT5#4BuDM2$Z=BeI{eU>{fo<plaS
zk^o=cFC_!{Cxp+zdsF<qB=o&i=RJTtyC#?8g+3>&Gd;$X+~EKL2$Bf@mLPBsm-^B#
zo$6E=Dym9)`?UaR?wq^7zqfs#gwFJ}x$0)H9!&V$ll08_BHUayM&prfN?rXp7+NO1
zdCUn}Q3&J+t6EF5*sO@0g)^N%U%x2!U{+}#SOp~~E2zeW=B0@y<YIU%&wSq#dRx;W
zbypb2B*gx*7n8taI^l$;pFI&BMJWCkj%Ml^My!3TUJS*8Twe-@s5)TMsJ7Gjv}COy
zCTN&&@&-kSN{2w1Azw9%2^v^W!0>JOg#`gMspmU_5Ij{W9tH90YDkuqkVg)sB_Dy*
z3b&~hIA5EZzqcgu&uo?L<1$X)qUB25&WBfQo8h-Me8=fg&g`Ex{p&IOXS94=o(~5r
z3i#kbMcjuC65gIAdDadGDQDN`*40^iPF<Z<vdO1mftWR0Rsv}SN0N|7pCWnE4u)(y
zaU9nn%ZGC0rl6vzI5UyyGCig=v`x0DHx>JFee`fU(f>2^q;RhkYMb*cW=dyZI!mvZ
za5PihX)&%s0kLWY<g&cZHM#Ej&(ib16X@S2anGkD`jt$&OSstR7;r=W_ZNrHUgpmK
zzB+n-@a_EXV|;`RZRZ5AGX#|c*~!`0bBlfYv;$+T6Uq0%1ag1gyF1*u#Zk})LrS9m
zB$J&5;xK?5_IK2c%KeqI`grjyNER^+!yV^R=JMnyndfIm>6GvE70e}ZZCMib1)}m0
z6tI%8Gx6Iw52QI~#-0Y8xo-qeeIL3Vgw+MwADCX-TymIKz3Zy`M`V6ZO^fOm1-6s6
z#tQKQC5h)jNuqY2EMgL&h|BAhGnPswSr->S0H<u|F1rTSn^K+`7ljQ%<<_^ZT5g+S
zA2>Po9hmir{4Mtui;*vcnfY@RB%u;SC36+6Hzl10Rg@JA^?#8_mlePMheTS~8)_6J
zKTTaE)`4<a?k`7j)mI0vP*}m3LL8#tKgopsgc&Dvd4?C5*8wW8p`fuu=5L%P;VKZT
zYqepm%-4yd*)f7ah$A#cK8XS?O%*R|si}kK@c&mbxz-c7%2sP+s3d$l-@822a0gS4
z=xZEdHqY`Z0Z>t(R$`i9esuF*0l*#V#m83b=JN>Z?eGZXLc!bXxm>(_QKO_FA4Rj|
zn^Iu9D<&YH1fuCEY}dwhP{dU&a}f#97=_5^gu3<YH=EsSQipPVhJoxHHM1G#ZNv1)
zK9bpW(5x)J#fqYrO4P90vWe4|u0GE`D7x!A53=Ts-n<>3T;*PVY@Gug<UX>?`e~xD
z61a9Ivyz&*wDT1Ws_4lo+7pIMgt=JHvtlj74xM%G_37D34TVkK1bz6SxALK#@@AHD
zEbBm%60e-#*OV;soi9G=QHm=xEqmW=dgl|#mjby(%Q_e(Tv(y6GameOIlivxu$4w|
zHKQ-D)<BX^f>$Zh8KUF2=cAkB)BLcskyRQPgbJM?Lybm|&l?AbySZIGEXL!rtINyl
z;YkS(8XY#(<6Z6{+wRFy;LS=S9g-Qm20vv9xLT!B@?tBugcWS*+FQa7pXZ5C*(A<I
zhqL@ZUZ<}qy!UKpRe?*XY}viHrh2Xr-$o*Z9T{L+N83h&L@YNZZQ<ymYbY+c&+9cb
zL@>FUJidra0MxS?ec%+nv*f0tpSB~>MQp8QyOM?V?W;_cUm;h_Eml6B#To%}Ji#I6
zOU;2CeEXPV`e;QO+cRe^)}(ng^VQN9s`Z@w4KBiFD2)W_fWWBI)sey)QN$1jorpxJ
z(?DLnbJEw{SVBpALf+Qe67?GF)>nEoyGWdZtE{YI610-yybL?E>q~R%2rR*)YqeNH
z={&XlIzg<Nd|FOD%HS*-tC=BMXNToBnhKWQTEnSf!fILBglLBlFRFM`KI3J%f|Y`m
zAc`FF#p9GgmEqE@=qoN$sw}hzAblH4@tTe<dE7Kr%jd_K_QA(h`reup3#xc6|4|z}
z?OkLgv6+9gRLOtHPu>1+g!nz7w<?HhgI(bI{ojM5qr+G3{_oMji*NUTKh9^%`@eQr
zNp26g$}6jcOxZd1w5YatFYMROUT{eYMjysdn%fw$9N?^`p2;6{&$v9KBrQ|$>TF?G
zqjZOO%R9K%>{Q%Y-O`3>HG+o5lx&}VRLN(8vxnN9&tSLTpqF;D-rkUXuz=j3pEXN>
zRjzVtD<i0iTQ9SjyM5=YDd2h;8<X7wCt`RAgB!^&=CMpDkr`#`K_9$${_M!I7h*~{
z@k!VR*Tc~_gW)rN>gNCW&fhrp>rc(||Fgqa`THMUK70A<+x-6+pU*!3=NH6I=xLkv
zrHan9ErT>ZY*e;l{1z?tRYZ%qr`y+x^=gnJ<IJ;NY_|Qf1HjfuvEq-v+%UK`9SJLh
zxD}ix?fhM3Jq6^wSY0;nnYa41QJW2z9KhTTt3zXnS*h*?J|}^)hUDoJc>`nvR;!*t
z<w;^|!s;?Nwk%K4ZwX?Vg{48a+H}JID(IqO7Dipz4<XAk*QcI0zuIr4YqrYR|IN_*
zVm_tzpY#EGLd!gc{daKm>P6oEd;aX3|L0LY+qC~&B`AgH7{wux8r$={vRgA6w}>n6
zxcH_-w(%()|Jv&9rHPF;Qv*%@--Dx9`SU-oUVc0O^C+J!um74-9Tjp)s?EXD)mxf%
zseHw@rG%W)5?XBy_l0_ERqMVoSFP#RkLAg{+-zprf138Gc-sfRufKGuN7ud;mGqb7
zTT_jg-OML&`wb|;*S;0sX4ZedPwo7lON6?vA<!`YA3lG1l-vJ3eDQ7mf1J-}ng2`j
zp>D+v*h&K9ZwA2^VGxizL@5rCnIpaJO_Jrgb!$od!%mI0`rpmoy7ny4r2n72e3sMy
z&khd0?f*T>=K=Ts%5&+Krw6adx4Vr=VS`+}U(ZzV)oJ*R&Wlt?mbIm2Q*iW$R^S_c
zYW2Uqjd(-zzfu1m7484$N6)|M|Ht?|p#C>^S?2>l%yXsn&h_2vn=5(^_nVIYQgr+d
z(06N_u950PvN(5ItXw24rhil45A<oJ|Ji1NfKB^9FAwwj|KRAwH~s%8p9jkSme>7N
z+I_5Y9sJwt_6ApuZhmQKTy@-==>(HdqL7T}A;Qt>kggby_PMjK@nwwqU>GKhBYHa8
z0e~SU1b8r=ilv7eYL;(!u59TXp0DE@T&i^XvldaVlCv#kh2xuZiF3|lFB2#kjxS^M
zYfz|bA{Uvdrs{D>XNZqv?Ht(cAH7JoxYjsx!D{nKZS{P`YQEXeZr9Y#|64i$*f9UU
zJbF<$|M%+IH~-(Gd>&~2H-q)-J>B<5J=6D9ZVElzfxb;<m9OO_U)tp*$M{YobB@nB
z)Yob_!!RWGCm-a!`Jt++NOF$^eoQ+vyKl=X@B|D591uiIM!ScJytA(UIN`I>!-Q{-
zM{SE<4@VAmlJE&hqQJT~j{#2P{cxVX8I;u%)%KPxZ95ScLQa&-XNw}Wk~S$ztyC*z
zf>C8hIx1#@51c|<WVW=mTaBerZC0K7002jAj<~MY{gq3BlEg427*dCsi>Y9tmt-l?
zc*}O-YKC`Kf9m9id>qkjp$%PuZAn%kcUYQ*xaC1WKg3e{JDet{Q`NWS{MBN0F+R^I
za@&v^7i+Y{gyVmAi<bM~J2_s&gt-|_DW3#b%id9WSQV1hQn0SZsu2k)DO<0{H{??t
zK@Y*I+{4n*U46c;Monr%;Gwm#L9>cF{_Kn7Kk%n^{jc3W3ld>Y=-Li|hV}pR=LP@&
z;laxn-`4++@%fDVzgoJ^wRBZ%6=>nZ(X8teiiosdd-)9n4dfx#{pJ?nlAVKw7DbPe
z0-yr<*P9BUu-Wm|xhSeV{HAw)B@@Xs1;+fU^TC(bbf$aeSU*zC*qy&UUr7Z;2JH&6
zw%x@+*2qm=C7I}<D2NG;xU=dj-8^a6;W*-m-r4IY^Q29u7i(87>zew?r!Yp>c!5a5
zv&zonHUw3`S(7S?WN*uRmeZ=%!wrXZ3#=7;gD*F3ntFUy*1*E6hiPV!f(L8toJ54?
zS3=gqHj-5e!=a~QRV+1yoSV%e&uiZB|F>US)Z70Yax_gshBitBQEUGn9v(e^`7*!%
z_w3cT{11=v*{1!!@%4^Pn|`)D7PkEKdO#N$BmNMJfk#g7WvKdkjrqcUW2?v|)9y!!
zSSmyIl|?F<4XQpkl<NRFqqfa~&hGr~9Kj$&jHO~<;W$j<0CF_u6mm4vF-`8X(%T>^
zsy830|8h2a*;lpG>t3dqzesUyWeB!(17mZOzqh^IEgKD-e0}SrBH85la*2?YWB@El
zF=&y!X8IHZ#h)YpmL-dxbN*Sy(qjKM1HUUnYr%J2b7g4vN63)8lc-aX{im}h16-z*
zEX2^>105kz9q_vu>%Rjwhet17vSd-aL$P9GE6<7-8eM++d)?Mo<UZIw8`{dvwlajc
z;9HHqrd_6*t7fe;*A$LOFpiO*TUKs(2+)DN#?n^LmIL1>Nz`~LOtG}196zpmd#bJC
z6Her9USkK>HMvERvw}_ymzoNdOL$XxP8c7A7&7Fn+0%#HIjL!5spzBc+q)mqhC8v<
zl6O{Q_U2Tl@LQ7XTxpY%k`5y=^lItTRm4&!CIPFslgb{+8l1TaE1ecQprea*+D*QD
zl{fiHg~9Q*DYrmAB=r#qP;1gf;U?N`fQs<0C<r>Y@-ouq(zj@t8K^DFtD;pcY&%rS
z?_1v9UCX6-wl~r_2@%cDh}OgH5N~7IChai^$!s}}DT2a|VVpwjT%uT6WLxd3qM+i)
z{2Hx{DJJqRxDYaS;oO&6cvU)!)c|Nq1M}x7NJ2#2>dxa*+-}7}R8H%jMs$HADL`*1
z^w9`WEN{un?(CPnU01A>zLtPn_f?B40w3jy%W8tw8Gpja&?gE?xoEw2E1iypl@(4$
z!va6W>e7yMux~1K(wnGj4o9N*<YBP1*xsHCp|T*@wH#(CyRv-Th3E=4U#QCtEL3HA
zGluCU_V$*f{k*U`-LT2U*v3BaNxby(_W?IveP6^;ei?q<RrnP!8ZXDM7*ZA2q}E@O
zTC7}s#oovAyHN`uYA!|H&XuSY80)SFERAM-0)9atAkkAUv)W^d02EWj9S+e9$v}K1
zhyX``&oKi&WT?3(R=dmhQPteaSNOK!qq$Sui6HerZ-S#9o9CW-$j?3bJr{ZE$MzNL
ze*rxb^WFsW2rh8X+AUP?^Offd5`dQn2ldyg4iV*LclTG{Ox|><X8rBgwRc~)yi2zE
z5_1D6Yi?V3bu4zBFj@gT*3?m^vSmIk+0kAAIs8iXb`i{48oUn7%DTJ;*n?~JM%<rU
zFIAbcCGuPvO^>Gl{RVacCu2@=Gy}UeZLgd|Xc7&W+~D5Z109%fQn+|rXhCuxf%iB7
zUh=*#|Gojg13%%w3qS{SfHysQU%CdeT9Yb>^7fS7pKMT<KyJ~ZPoMf_B-LH>y=fbY
zw<iOzxD7A`Uc3tIp3p>1`wFsxlk;<Ut~V1_!sU}_T1~#10$-^q@GGQ$ilbl^aKKv#
ztq}7$I0W7TelXvyb7t$b$P*PkG37|>Xxgzzc3yT_1Y<TQyyH9$3FH5JN|Gq(fZxGC
zKCeaq-~*&H20W@qsCU(<A6k$3GT@J<0oso0+835yFW4YeBh0%3uU@?Zy#U?y*nF`j
zI(r#gM6`)1{8{Fl7Gkw}E9z#N#}u_SD6dw~Yp+o%VLxJrmo8e#0@rzAs@I+=I%gNV
z(ROX7Xboc85|C&9XI(kwmO(kFo0&)rCa<QiST`lS0evNait)3mx=wji)X_HQ%d~hq
z3Tia?*Rry&Xl(nCkt%=gmO@5y;I|So0y6)elS?7b=vCYct2+}ma{2zdIT~|p2r!&Q
zgmLVjlb~Y!8y~<%yO=pd8s<t((Y}@<n-r++)11ff$b1*;fvqxKE-<#haS3P3q&l!S
zVKj>F%58@qPp>Zq=chNvCqKS@lhgK+7?sl)(FoF|&IJNGQy4PTalEif-vnrq%o_T0
zuPQf$p=oqEzJ7CcGXAf#o6+Uf_07fG^B+&HDv8SiovTvQw8!`E^6c&T$<6U;GrD?<
zrvhaQyQk7>O38h5Jh&b-)0ejY7;<=wX&p@^#>f*eNcbE@Tv!4oZB?!vgo0i4n{zrQ
zowz!CU{_kE_UpX{hQNf+wVaGJ9KEJ$td%e{f{fi08ob6~-q&61?VHhHJpSeK>iFjM
z>DfsoJ58qEDtm{ikjLJiYclx4V1Xk;oLYI6GNNobT1j>p#jl+NM&_eP{248;(6sor
zIc8qfF9d|zpIfx7gHXbNmQvWnmciNC<u5lU=cDVt)pDkg$7lnbX;-`**Qh0XP_)wq
zU%D744AFmQDK55u1tI=iO73gdc3-o=Y^e5DdR()+5<m_okfE}UC@@^u7C#Qg)gsag
z%c`cvl{)3uU}vO5f%<dIk<Sx~K!;{^JH>!7d0=a@Y;vTe?Y}x1ot+K`*Qb{kH|Lkf
z)qF^8Viv+XVH7VQ<HD40qM)TU>QGWU(>NN!;>KHj9Qi?~ADha@(=k>nx20*y8uB$M
zn@X0frbMiu4GUtIEhB$UNkkGhB#Q;+phKq9!fs80tK+|241c=1ytsTjz8PMgpPydW
zkE(XK+YX_Nx91K8x{t>zp^uWqIHN#oDz>7EE08ukdpo{9xw;vQMmHCO^VK*4<Mg{5
z4_-^d6L2bTm20yi)%VX8of;)gIlVZ&KK}7$aP_8{v1RaA<77R-*_ikRhGNm%lK5W+
zXR9pwtFUdeDM^V<SW5nQcy&6uR?CrAqSOM>dd$~)XC<oZS8X-CH^^4CHO6W_Zqu$+
zjfeAr9MeBtj;~uc$KcSve<F;x#j}cctODJL&`Nb$$-%SZ!KlfTc5*TJ@$BTLP_)#9
zS|Zi~orq+{Qy9Rw$zsZNnp35`sO7Jer4t(FAK(^VLeZ$3w^wJC4f6>M5wp@Lw#L@h
zTrpIPPp;mz=zWQfA$r%WQVe7vT<ze-H8NC5_wc8a7Me=Y?axv9Bv-TOku|Ly)HaJB
zL)`UQ#YEOQY~?_zWa-t(>(l>k$yAD__`}L<efzpK29`|Mz#!I!H^&z%ioRGF9$yrn
z1yO6frx(X-;Kfl;z>A|Gh$<C?I`gAl*M*8VX4=`?t1lSe@3odU*|slt%^}+4nRag?
z|KpRv)$pgA!S!{u#wzbehQylx269fzUJN*=c#^CzP821tPtUGvv}Y|XQyg+sO3iEa
zW+Ru*6OdOz)pKm6x~iXI?eLOzGi-~16pOm+v$528Cs%rwx*491emc2Yn^>U|5gp4}
zY>4AIqLpih3UY=gSJ(B<iTbFyl5tXj>F1NbZGxzJ<(}&fA5lIWyv8AlN*01uY#6Lf
z+n|CC?IW6e8m>z2)!EwgUY%|1bbSH_Nq~8yUb%cD4gXdvFeo5)LoyTQew~l50@3jD
z;^Jg@eR_G(yyQ-C4XyisRzr7uI$jIoF=l=<(t;mS*FM7$8YwfV9hqmR7bk6vtTHSc
zt=?0B*LZ>cMWVL6y*@oZ`Jc;+6=WtwumyVKnH26bGHVl!@n-P$`1D$k-I7`h{AT_#
z7yHd{a6MRuiXr4MtS06Oxa4A5X(DBKc6xGgeRF<#adUn$9uMA}v>g=cR-JPkog>EJ
z46QN}$3G3OPL73upIr`)Z_ZACyc%4cwm_Y!#qk_c6pSbe2@KBgghGm|X{hjusJo}4
zyLXTloP*nlc5>jijC!gMFe^DNY9kq**S=O+tqK8EMWeh0zlP_<j#g>d&S6|?$46C}
zJ?g=(=D=%et{_t_7uKh-9ByT|6&~g;Cj-_X;ePCu2G#;Q8h5nTWoE!W?zKv!VpVLd
z3=0`^NO=;ED4FEX8(43)6scLnxP^E}o6d^3;Eh|d>zw>3!wfpczq8j~RiF=9Qol?}
zO3w6x%5%Nyjpr90Zm<`xU<%?uJiEb+A{Z=z_tw6uB@3^s2r!ZdqJoJS7e7>+#ugds
zjAd;Wl-dOcU@R05Yp^-1CsF<uEt`v{YoJUUbbvPphexlv2i=42VeTYt%h8;Z><8(C
zjrb`#@WFZ7v5%Z?lc%jzd97+Z!*?h`jQxM?{cBevInpQ!&u9M%ZK~%j=)nf+I-7Ub
zvya=*-JAi+8&fs&oSIo>Ia9VZq@^553FRK<{PweS%T!)18$)3ltzKO?Gj$7vB0>?N
zhzi;mxv$nq9P@pyfjZ_!T1_6;Fqvxl809DPOdy{L<THVMLIm;x!4TI_NS1rIP7+z@
zbqzE!Kh|m@xsLf%Q%P2s&m$v~ZO}&5w6o6r%biY7k0Kw4`QV)==J}%Ib7Z(XUU<tm
z_80~8AVR-Vdc})kf_b-|&0Of}E|<!_>&<kZrt7XKQ!=jW62`F#i+>;eHq2CZdrz~C
z=%jd!JJ+pzUuwBtZ)Uu&c))Nhc+aY?7JOHy-PEk5tpcx^Pa9?!(%=fQHX?$}RSLtl
z=_TB|gYGLo(mL%|?ReW-FSgpSE9y26zFL#%q>(VuhAO_oTwpROC7r07suK~QkT9Zt
zs>{Y|QvX|R^_KEhcji**$KbV*tY7+ycFzTd^Lq@yprxpfB$^)r!4kB>1ipVTj3uJt
z{a%BYEJZbfMrsjHejPzSg0c)DSvUQ-tHtB9Bf;F8B`ep-UCdekuFh0iu?sBd^XYtn
zPoxps>hcjsay6HYJYp+9!pI|whW0y*Jo0FQa5#i5T_z=>o#|f{ix}w)9#yeAn&?J#
z^CgnkHo{WpUkPIKb__)^9;^|3v><6)ox@q=OUxJ~69j&cJA4=XU{U1ogZEtZI3)?t
zM$I2GG$T|#*Bz(TJOBQ-?rwG4Z7KeU{OSj*WR-(Afzm^;bwU7TA!0yKphsru7?{%p
z5QIYcipMCx<2isJZDu<s9Hx&QB$-5X1S3aHm;ZF9{>GutCEBCzW%ujg<EM+>@z+lm
zCj~xNz5$sk6%YRy?){PfZ_c9`4bg`Xb2)7_nEDW-CSR9wzn7!haR6GeP(Q>s;a|{P
z!rJ;-E_H)@nWzBU%LfMWiVWf_@4E}p?+ym*yO3(3ShW)xu5A<tR5h0GezCM^ZuK5o
zIizp8rtEDU@FBzZ<%3k&{@r|#8vItKLd5N|kOmsPR!Z`SHa*O$Skii2SMt2?AzW7)
zdc1?-A<fJG;I1oGJ+EYP5J5bk!4(okS`aHVsX-_o(K8S7hcUu8^|^+1{vJm7%Dz`x
zYPpubR4laCq}=cFKa`2FvDY<V!1pmRR`>o`k>GLIbv9YO>v=ZJnGmYEzB|qeGu5(s
z+?sK&WVbC>UfOP3YU1AQwlzI2sis-1i%VToafkwV4}pr)hF1$wthaPUIO3|EtezcV
zb_o7mn(%{bl6|zusRMnUS}i&n<tH$Mam6XAe(CSm61S8U?vC?E#epmZ2XBh)N3As(
z&QBye!>)AFU1|;QZr}E^ZLhdyh2fnoy-dDV@1-o>9*ZX8vI|h<7=G}Z&m!BZM}+*<
zQB6c<v=!LqZ_ur!vwkb+7?;-1Z*q;V#&bZGmuJyv<t;)j6rUDtD68fBBe#|7mAw`U
z<0OiRUgDkQwppXWyvA6b;zMo%GZf-vb_mYUjIze4MOmL5|AtPnJdzZI(DX%4qvTO>
zkyKQ%)INC`E5EVgKm_ru5^Q<9ep*-PNvL{x7zXlDBPpsMzz^93Q<0XI-ANbtCDe?)
zKmzh=<VAi4?tCwhe1Iv@HrM<Rd}?Tb-AoZVLJ<-uY_`TX_3bobK_DLu0vO%3S>1-S
zA{PIyvwD|k7DtlQ>M6AWjPYmL0VRjv`oKW{3X|{<^s72<*^MWlT&@h2Dwfd07X%VQ
zMKQrY0M6s}cy`wHS*L5*UrlguyNTckMY&n&C+nY(>1nmO@Ywa!hCzThKcgWk<N?=)
z)kd&pRr3V0t+2YvhOru8C5{c$iPf!`JzYP5ogP<3nC!@&JIDVkLA<C);({{kh|=f=
zg@3CIbKv8Gg|zkBt!AICAAD(VciL@*0U0QDf(UY+j>hS>aZF%KTf4Uk*6#`l&Kb`i
zo=kB)uPsa1GjQ7D*Fk%VU>G5;y)RblV}E~t|J|E6>finS{o=o`-@JMKhl4k7-@o5~
zwf}1W^&j?M?Z4SS_ygEq_hhR|!Ubf1*uQgM#mQ|*kx0GwW2;BwIm45w0H4opAVa(0
zgan<|pnvqY_9+e!;i!EgHv=AH#128X-|hW++<w*BZ~eIUpZ~O41@S=(4g>9c(Q<_Z
zUwsR|4muY1(!-;y%wrfBns|XC1Uc%Q+sAn-*u-Y_J00i~vM@X987rH5z2)3sleJDu
z{55yddt*rzjN{H#GD3_Xfp`bgy@1YQN)Qo;z)Y}}7j9ahQQ>0USkm3-$}agqcFU5K
z@@#Qy9DZn^>odeAsBrd`gcU@XSHu}uZDg)>rvrA}kuH5K|G`6$d*k-taFrL}6GuQy
zF?W^&U;<zmV)eJ6Kui&Ufk<Ek;$#$IK0T-60>N<J4MT=FHyVo<V2n`|f)R@74H%&S
zCaQ7dwta)6NV4`Aj1VRhDG<ackjDT{DFLHI$Qrr!Fb5+>uaFuTr!xeu^<LwEj=^72
zOgl8Srb5L0aBpvd#WWd7=<j9d=>Ca0PY~aG`{#G>UbQsu*Q*JmcnS+RENFxn6sVmL
zb)U73NT_aV@HB6Xl_AAEMu(smC0rnO(r?MbrTP01oKqsF_X7MCfg4B!fKdcu8ge;1
z39NyD0*#YsfP{qp6kaPJVkQ?wgWIkH3c;8%)taoy;T4h~k$+P$MGW+_yQZoObd3lY
zp)qBu&G}1)l)-4e3pkeYfPARh)7?@qLO{9KNj!kjm2$X)!PK;m9Y4Gg3gp_T<~s63
zS%WL7VajoOX$;a5TkjUjq8E6%Wg?S+Y=VULjwv;*9o}eY$l4l-Le^*{0j=Ep&0?pa
z*E1-BsU^<UB-@$MdI<IRX3_Ur7Ri5i5c|@yK>mCCcE2G19lU#Y@akFqdx-LA<v&NO
z{1j!svZz;<k?KUPlCJC_<hwhFb*m`xR+jJ_`7SSwRE7CBbCVzBw8@23N|oPlol+S7
z1S3cS#FV@Cq6+6UM3NP68MvTt%EvsqWN<vjLB(yMVmp;J@`zt&a9Dmm6@j~p6(gsL
z){9+0GC|xrs@J`5oMc@kl^p*6=9GNjd7kvEW+w$(&pDm+n^&r?jZ}p8m}4q>TU>MG
z?}lM!UDS@St|~_=w|{p$#srJGmFaR18~d(o;0`0uUI~@s(682`-)!#Pn^t}I!vM&e
zqPM+BphMA?-FJQ)kC+bJph4~}82i2vv#J`&ns9BFOYEzvF_0v3LFuR&7ND+jBv3<K
zQW4^XnojFWX-A&Vhfn`}SabfPGbE-c;Vg;JosWPE&VR4=Ulq@P@829e>;E65tn2)@
zf)`VUWfv059A^yoFgc?H3(7E=bOOo{Rit7sJ!1BAjVw568d{-Fl8X+Q_99-zL36=G
zNcD+SQPXH`q_n2<Xj!tlhJ*4CWxs<J$Z6)RR$!JjW{ta_D(gE~Fq4Wi=7iBCE{Jdb
zsHc1YlBmv)-+LxCNTHf;c2Inh#_i{_uvGJZ9<M|1Ys*6Z|MqQx|GzzW{q~vvKSa3)
z{=Z#{Edyhy0?S}|1mJOpC$T)7ntX%l;ef}TfFY<ErYi%)O3$@-eK0}-rktOKHpYzB
zgRPPIKT_@TCNjpD;cFbB2?`Iv7)Bhm3Ky-~;AQHS{?b0tHw@CBm9DSpTk9X3ea`4V
zl}TMbnNlv!k+`AkDjR`(c+&6XAM{U-vIi_7UH*w9<7h5f=plG{A)j{1{G~dOo??=G
ztAC%wafD`w2pIk1hzI7=vxE!vxgIvtiqV#Jm7HO62o6%uw;B9)2;RMY`}%DQfH7C?
zt*beEVe*1fp)MrNxj-`uif75-DVIwAFA-v|aFcEZSC$DD@c)B1?+g6@)xrM3n`i$2
z5M|B$zwWM(#Hb6Mo1YsdU%J_8?+;a)lG8he)m+}Ww^YDebHTL!8j~}$imOZ;Ar~w-
zS<4x2nDk&5m|i2su!_A$#)sgxy}Fm69aat%t1lxrj`L~p!+QE}bP0DS{|o8=>(}p!
z{@?H3zI&$s4^h6O{x^S%)wLf&7EG}~fk+qvTTE|OMa9>_AQoP1eF7X|6KQ=#v`=m4
zt`4!1M;{01Pm4g`b6HIP@9qS;NdNbK|Db69d%OSonf^aSc|iJqR|?<gP5L{d?|!zl
zc3$%LayCtaFg~QSX;Y^g>1^s=eQ9!nD^9%D39c$YXSLH_wWr^LN{c+vD#GQ(bs<+>
z|FepStF9MXq1p929OVvsPr~a+ZRz!iIQ9IWXq~yXz1&FxSit|^y?ImA|Lq^Vdp`d?
zNLe%g_hRu@NOx#jZl4;=D+g)Oa=^L!IwvYrnEP_J$9%(CO=AUI=9)^43{fRQR9hg^
zZ?=jdF&?K#v4KiN%aR`<TZw5nu$-l(4RR?9c>q@9<hb-%bj<@U=W%AUJt1;0aP#Zf
z{_x+{FpB8SvANHp>zi9K>TlamMZ_ofgBPGH+W{frDzZwHNF*_J3o+%}Mr3*W+Kr3F
zsGtFj4#B6RzVD}(y?(BDnurliNC*N-2nsZw3hG?<Y8cLPd2$8Kw@^T%%)YxebXtm*
z9J~RAm}uTN;+8=kop``OnswR)>bqJ<K}+uQ=?_eDXuTF(sL%UQ6<V!UUSFIdp%jVd
z-{p)6zFR$OWSmRo@i55jK^yZZ>^ZCg$~WB3sTUmDL4?(wFu@dR7P$e?2FcC`XW7s|
zDZZYPI#!rcnpEiu&3C~MY74m;mF_UG6l$_<M;g)@S9DJ`sZacZdi#v6Ps7^bt%d~a
zfLPP0?gMCxqIx%9Y+6J}jo9!YMBDbY4Arjw^LroC?y=OL|BV{Q+`qVs0${=U|IOR|
z{o?um^})0L|3S)kwEr3eJ2MD&M>D~KdqRU;XZLl~U*ghGVfGJuX{gZo#$Ot0Z@6}%
zUb}CX=$~|?Ag7zLznb*#)irbMo99Ftg=_peSf84tW<+TiP=AD5?;#+Y<Xsgc1^mk*
zqB-ZhO6!T=s$(J$yLJyv_KDBRmuuG@<Q6Shz+j9n@eI+#33{G;>@%R6c2*n}Lu$z}
znK)vx^Keaf=^A>iF%G`F^VIa?i>e8hUfs_$%OkkA$xbPuta!X}9{ONbWgEHi)SP@3
zxlmj>yDPEK?Ei$01`YDRiNeT{xKIC|gZ+d3*TwsP@89jef0q9rqI^&LpPSg$l{U($
zlO2(J8GE0L!X;~;ITvKHM(^uTu*ijI%`$#YEwZ_i{R*y2xtTwR-%@Rl8|JiRc4wZ|
z<|b#p=+T4-dw5VBcu^K8ccWCs^ls81CUFP_8VCjjniy}W{Ikj|j7@Dc2jO~zreeN1
zc48|*n4uO@!`z9af(2<)d}-6-Ip^|q`OF&RBDdf923#HDRK#_!2qEtbW*v9&Y?Hwh
z1y?+o6>o)_8&lc^7YA2ar`yUS7yQt%nT9$)L5})ROu<$fV7TUv>DG?&i5W9GllyuH
zY)L%YQUM^<M!yAo3SYf_$CFv3v7(u})B$y!c8NkCt0jpmJa9AhG|kV%eG3OM3JQm^
z6(h^lH^0K^&@hm05J;x7IB{k1>l|&!&8m<Mat0@;pG1+)M##0pRTYU#1Xa0(2f4m3
z=@laNoUy4^?NK<_!jy8+jWFaWcK}Ww-YrmNZC5o*_GkYCeI5=upJfG4$K!cT<4-&B
z9DM3Dlp9aF)8y`K9HgnD0+-N`*CbFb?Re9s&D@;wj4gQ(g5j1QTdGfuq^OF(_cC^;
z-Fq89p&{}fy!_Z}^lqzq=q76C6`K23xkB?ynDecqzptC{Qu|1@J}9N-a-XhoKjk`G
zGeI!<Lh`)TdAP=DxLvJ%7BP+JWIl-H;~phkFo=oB&8g;-wa&0^7;Bzy%rIqG%zF{!
zT(a4$TIp3iQ*3BusnPIYiozs9EZ;`%as4RrwM)J*%i#fHGfWhY{lZ{?`iNl_fr^sQ
z#f7HN>PPC?`f@9o1<2}Y6e&9f^85$Y2rJ1y6j-U%<_2jCEvGolQIJ0J9MviqoD1qy
z2UO>yd`%Vksj1dUzgL2>JlnbM4Q@*9ZPyc0N4M(B6;+qH($98w@-5VUsG@IIL$4uC
za4DPePR(IbGOnI=`sA){(S2SzPu_9zWk<wA5YTw85`Vins+GLnbQCD}p{f*8jGKm}
z;9rqhp{9*aoPJ*IJJ+<~($t>$Dp|(Qg}SP&1xJv0RpF#(b1b6;?N|wpP=dA^hgID4
z>FZ9c+VBy;3f=B3nnlt7P^AP5DS0VWMpVoYfKC88ka{ZXOktRV0CMEHI%(yFMDhC&
z#=7y<O4L3Ol>>z&%)6$x!QKdyJw7cwZKI&@<hI~78pL2v%;G(@W%qsrdo&h%BP<A<
z;XTKcsNWYWPiHg)@Amf_wzi0P4>9o<C9vnGqIc|>JX`bPd^9ytaRA#PW`&N`>AVlc
z^iYky@Rlbd{Z7o{Qf1pTgExv!;V}-NK)kt!y&_4=8p@{Y+g=lh^C}}l6dshtR8e)w
zN7`z&+l5T-&!qkLO4`><h#KYI3Iwk7f7kZvZ6N4CFia+3y8(x4*+&{E6zuGPEtm+p
zRqigB(i;MXI0Wrvc&PsU1>Axl5uhD{EwBaJ<5$D_<CHU{lr~gPDzEa&_g~k%$K3w&
zpTpY0mCqR_Kq>gof7UXkA~MM`y9zM_?Re=9_9RVOWFt`(azWvGXT~P7e1`!g<NAqc
zw)kGN#f_fH7?W`6HbHwP=}0W5-~hB|@SFYHxns7<+}g5YTQVdiK#jMYapzukIDs*r
zQn8hL98oU*G^Pm&x4<p<`}ZXu0DOaN!a<vvo!q`yNKCwGLsjG7fl~Nx{Kgj!PbkSM
zbz84}0p7oV5B5TIy~n4s6}xj!#O03eA~$~*R^@?U%g>^TH+>(ZTVW3MG<@ZwO>Nr`
zxb&3=UOK}~s-5~HYua7TXunYIT|A-{2ID(`BJjWKfwORMDzv%=p~^>kHX|)JkWRs8
zAhoU3Y^P=EcnY#I@pc!YioE-cpn<e+ihiJGvP(M5)G3bF=`d61V=WFdAk!S?f-V$6
zzKo_~dA-ElwGh8c6=ne-A%+t|xxm304QptERW{to{95S9w7Jw&j4G!FR=U0Q54^IQ
z2VMbrpja#T)d^)?uvd+(dA#Kg?gDZ|uB%0kpH42%yJsg~kB)!(^h<#&s1cdez>GjP
zH<3iZmdfO^mDBlZY80YTGFh;)J9SYc?3nr=2baHG91s4_>DT_pi_5R)pU!?dzNj5s
z=K5S0;l{te&mT`eogIHYI$7MEhoDr`udldND{-X*|K+HA*<Co&3=&6Bz$46>238@y
zya3%qOc4?0!cEm=OnPVc3Qo%4R5oXomf3l|vj8eE5mSRPebbIPnJui9aMXvK-%u8+
z^h1l*{cFEF82t6)#nIQFPfm|(!D&MR*GWh^#}wcDV?(H57|t-UgVRU1N<dVdY-@*I
zHR7Lh!H{gxL;MSxU!ZaM?P8aDUBBck>y|4tZ)%|e0G?R52rS*x(~p1sdVJQu{O?A{
zl;R=Xq0e+FJ`EZOl)EYXNWx=B<Afvjd&c7O{FgxD??vP`o!V_O!rYPUc|U#uF0zZU
z&G5W9?w_9Yx|b&(&%d61JgUKjEgr$^0<mmts*w`rFxa`m`^ntNy;t(+j`HF5fHTW=
z?S!g{Y|>_^1&Jq;mjKc`{WQ2dzWCbh_rIQZ&*~R66S>n7bYPtRop%bZ>Flhl`ug?b
z;Ig)#nu(ihYSp(9o4fNl2sPhyQt|Uk!J)JA0$iRB7M+id&$~aJ9)B%<S$S5RBfbT;
z2;HhweERKl4^^o%y35nS*Z#%v&&L;E2getmk1xLVPWrzdU#vXXn4vLZ1H`To>*08c
z7+>NrDTmWLzPM~AGR@{44-_#y{pI+-@6u8I4lFE3fSBlYCCMco+r@&RyYkq&HDK`9
zwFfL(cDNU(E06c$^v=v(9=Jm+7LD}u<1dN~d67IQTkJ%1@+;+{iPzS2)cbgTe%zBh
zr+zn;`sz9HtC#EU=wz@`k4KmXi#sjJ6Q=elCaBNQ7=QB|=IP1#u_8GqfAb%s)5~&-
zn7UzK;u-pl5?|O}o}3;3KOfJRz?rmzHH<f&DC9n+6CeHGFWpZ^Czo>Ao}+b|Uv99?
zy?^a>FT1OZq6Y<x>Id@zd=!$cEE-Dh^yK*b^6S~j`PZ}K!JzxgvG1nPQJ~K-IYXSo
z30h_+4u0)k93M#pKmFJ}`g(fu(?$2<#G~tsEDolSp|H<TL}7S}M+`DtKZYjNsE(XY
zu0KOo686`oY0q`ysc~;MbJY1oyFK;J7Js8}o0ru3Wg*`ehP|^g2BewuD-Q>x@pfEu
z+kPZssoBc`>(j^`M_b)^?V^?*7NYM1XETW)ZdV$FfonzXuN18xxIT@`SkoG9!b(>;
z5Ri!^?lU?ndeJy<)@fHPce^g@oIBzg%l4h;w4L*8s_h<Znf|wS{D}+tmWAiYFsH)(
z9n`wO>o@J7^l*W*ZwLh(L5`}_6}nA1I1o?1VlF2=2klR8+~Ujx<SM~4+OORI!jar6
zAL^xQXB67Yxbga6<5>l89?6Fdz2y#G^7|_^U;KG`e98#K7HChw!K?S3{my>ppx|2W
zxxou4zP2TB`0w4|DHrhGVY=nITCWqPUetXtwLHbwh#<}@$YtcdT06bWcf2lwnHzI8
z#azR*8c1f8pVl+Y%x~CdqIpk5^O<Ho9L>ByFvK-PljYv6ooW`kUKiQSkGh&}u485m
zgp(C!_Q)t_8?;e1IjxT@m`$grN0AS=cJR&<8<#@S=j*w5yq?<x+z5|RFb^X1E2USw
zC|8(wYuxmO{_f&N`CYGY_%vPTyiduvu1grlDqQA$^xH5~+3h{eHlmZ_1&3U>@_ni0
zySNxQmn>rQ{qm!>&ID`FnmMso%{^9+kr!g8)=yxiTfXXlop6=edDwvO@s^9`*&j(X
zKLmm$XoU%U{~Jfk#xr=nHMX+8`m@6#?$=6@>*+40ihoz9RjJJSs_`P9dkFa4Z?df}
zf6pmbbJ_b&rKGfv=c?19q5TeTIX${-KIs~%gX38_m9ZW37qHbfEVT2l1hIKLhGM$4
z3$_gVQw`XpT{<c`_{XAEEL_`>-~3<|JK*qxjcOKxtrG$$3lRf?0=>F+lY%)-06{2}
zuXv0CJe~sx(q^`EB2W6*F<VX|I)ag-8_0jUQ}6uPqzkjO<fwbu{W|#g>7sZ1_0z>k
zt!ddhW2Tyn!#{?5f8_t0^Jqpx^dZDtPFoG8KEy}C8E$9C0q7c?PTfiMyMw_-xa1cH
zT{Ygv>QlP1M}8$5Hu*4nD+!yBDdn;E<kL{u{@vUe8jRc(`3P;PH*x!?i(i+WJ5S6X
z!o=Os;~JRK!yC4%dR|G(D1vxEgDWJ8)S@=QWi4JdF7m@z=9>Ck!#aNtdt7DTD=oEL
z%U>!MTAyj}cljU6$k5p98ZhAdm=>ygf2>IGIFz-UtVZ-W>^Pyea|fD+aaQP_m({4%
zjB_O`O}X;Y2AWb6_imf1>2XP|z+%-;-f<0wD1i4BmnUs~wTL`=bC-k4uci`TN*$j1
z$mWU466xrQBbvdu;_S0{xfW6vKgyy>Mt(NgiEO2F+v2g;X!Sh;V68q}5gAwCiV^#p
z5){`s!t4<I+h@YAk4RCq>P>kUQr$&JX;ln=<hF9tmDS3`i95?JaHG|u#^RBJHaCeG
z3UM+!1ZQYQ+1$_4!trnD6iaEQz`xQLxx=VOML&YtBwExWj)y_vo~UrHhvg}81&Vve
zey{)V8|DI&NiTwUR*5uut5jN7=!vL$c?=5Vqm(*`xW;LteiT1s^GyW;T9=fy*}hgY
zivn`wb#-2*GI#nHNIt-nXj4gk96mKP{BEX*9H9sa6na?Mng-ysWPu?c4FVXgrET4i
zvq~04ud{kKbEuIT+Q7~IeSKgSL+A1CS9RR7^eCT*7F4aMuXVGOS6Y`<GB|r=53T9g
zE6LuH;-lM_$>8nOY|6cR=c$zwhA%NIHybJdFbELmXEZFznhcUjjn7sN%31w9Luo6V
zuTmG^0nQQw2kM02*3O>Z6TF>nSH-04oRm8}{VPGdczWl8GHYyJZ1%^$Ro+_lc0MR&
zPINM8-w!nTg8Yfquxu}o4-C{gK?Hf0{nF`o@yNiIwghe!EQ1xYg0sTTpMQ8RPrbO#
zf0o_uNrc+t*FoDR>sR*gmHXJ=-`{`t=8gJye}BLD@9Vek-u>a=&D;0y_h0S5+JF6r
z{e$=KUcdhX*k9{RYf8ceWPjMdb6>^DZAg*3eecIskH&L`CsP4FpWQ%)cEJe=I;}zf
z=x^;)93a9``$Q59JjRF}f^NUt`}Mf}s<YqvaqmC>X|?{HMygMh9W0n)fdY{*1h$+A
zK1$<O5aqNGXEJEFT!C!~HBE<K2OW#Dsk%Tmz+)H~26TZU1Uc%Q+sAos(<JBUcO5Pu
z2_Xx!6I(tRa&}ci)+(n(&YjiXSl$5RxO0_^5F<z+-obP)&ANQ36tJy|Z2$jmzOrte
zC(>=~%1pgwR2@yU1&Hf~;O_2R+}+*XEjYp5Ex5a0+}$m3gF6Iwf_s7lm*IQw&6@eu
zRb8uVRaaH_s&n=}`y@S?X;b~w*=BT#AN+zc<rcXLgZ=3*`xb(5+nw89gEGry;XaTc
zuvzwHO~hMv>Dwj=5!(su<504)L{=LV5E2MzdNxocD@Pa*r2;~^u*U!k3p89pOnLuA
zl1t<fYAqoHN9d5i2vT=&ajFoQOT4ZdKfr2K!&UzaHG~h-CCPC9|DlF*^?3^@-h6WB
zx(;G^cfflJ#b!|z7dFMwcRxQ&rt)!F@gUYg`3IFLpU}tc4UvAohicen_jh8vVGUhT
ztJFgLHq7GsZ*Ay^7S$S5xhDnMak#g5#G%G%&LOLE{jj2@AHp!lX=A5Vg2_Bd2oNO*
zL!1Zv<Wx}5kgx=_^AL!LZ}h#|qC<)-F>oD5@K~XrU;>w3>L4SP7{y1qc?{l(wO5TM
z?g;@pP~2idGxs(VP!-R&152dfq9Ck!dFn)uM-CF~p&}VLk$>_9o7%09CLpgOz`8nW
zx)J*vG=S3=q4vGKI3ro2>IlDod18VgQJ~g@T!TTpL{~qPN{(jwc<GLoTy~{4s-uFN
zhUzEZ{|{y;TU$!&<*$3IzI#zaT8_Wj*&6!M%9Ql6efbCXu;1(D8*0H}|93hS`FF-)
zTYvFp6TL-71?hNoZ8?`G)0-{gp>D0kYDNWb)Q}kkN{<*u0kJ17<?C<7=dAUu9`a_7
zm~mu?Xc{gLeRlZ^XmXytRs-Qbss^&=sl)c!P#IXPG`Y3)nEPqZreqkERjk|=yI=|I
zWt4^Ls(OPhLmv~eowr_w-Rf(eY|8z9HRP101!iWi%k}$+$D@>Cbo}YnaM_|LrEFm(
z@L1Nn3?@8xE5#V_7`0Gr%rZa(J~&^~F&K26>$Y~t9!A~OaM_jSe&1DkBv}}TI>={l
zf2*pNAk|s#QgARb?{>9tx!|qGy?-;us<orHALX)Q?V+!cmPi?kXewFxE9QRq9R$}?
z`aDdUoX?V>J|$Qv!}BEgY)I0sS@>ZazU+SgF}Qd8QS;{Y4f*(^qhY&0K={*(uXp<-
zLY+;C=MEJK5|%mHe}j!zz1sbQ^yNN<JFcj^DBh7#50;XT(;i+?;OwBk2q^@L$sWMz
zB|@;`waX?t$Y%^8M@yjy1H|=(RG@ILWISo*z6nX8Gcv1p`E5bs<&B}>f*vuEzLcQ#
zWBl&~Z$y>DcGZd;VQ<`$+`U!JFAb@_FOFjn|LCO+gZ$%H$KHUy>2_j%rd>b>P1y@7
z$O`JHx*9iJu;y@Scf>X1WXx|$v)1jkbpFLsVE!OA!!T#p`;ONb{6X3)M0fh>V%`oq
z`t*^L<a~UT&Y$T4y!Fk4OYvwj!YR+0`+*tRq)>e)(OK$|K?~Xa_3uoxP0R&x@6k|o
zC3azXhn0jdoaFrIvwL_rPU$~UO03W<OYkkI-*~*#S3F=G%0J*g@flLA{{Wi)|8d1H
z%Y6i8sk68u@ie&mN}G-5RBO{EX>rjeDFhr2S=LNFRP;CMu+`j!dlE{f8B;eA62?{K
z_6uh+c?~RM=X?vf4E~954Z$4qD=qTqcNtablV2$c=~XZ@=D(wsXiU@FBcCsW#sbq1
zdcOKPJqTO=j1e6I3IO}H$n<GY-efQN!;><-VyLP2ay&)jzlS<zXJqL=+u?MLS(dXc
z;W6ymmj|Od`Fx!Oq#_V-a;x!s^nxm1k1)i*N*~{2rt&b7JKFQ+eR?bx+jaXnn1uh%
z05Gs={}w&SdN}=B&sTqYLS2o)?;9aU5;4FGZiaBc#@tz#Kh!0Nm))z^!}{6j*<`p-
z`wHws=)B|&ti-+Xzi(?LUC_CnR`y6F6-Ar~ywsYecFOr~FYd;(gStvn>GY7E8#uM9
z6J@R)>lyLq?Aj5MYnvSpe}@=lt1;Y|p8n$3GNe}FJsjNK^Sw`eX6Ea`)9ZcK%(wN~
zQwzXHIw->kn<Iq%8+#zsvn@f9c%9UfMMQWMOzc}svrvP;XYi4@pVpLOz-})cpuajs
zCUJsNsPv!=0*Kx!Bqqt%8@5p5B$6N9EsoOYJ-+1Vt^f^juq&+%Z!r<)<}JTbz2&(K
zCWJ^*LAss2jv3})eLaozoWtmue>gDz&iPxbXX^)P_59IFNS^<h`HiCVRcu^VSqFio
zV!pQyy$jpeY_kom>16omdNsIb5r4tIpiN&#f<%_fxTeJRpG*~Hs&Ke=kmYQW*4xTI
zr>A3f4{eHa#KA5Q8@?&(gZe7zd-8`#P};|i8&pvS|6FkOcS)bY<I4NDZzh;(GWDak
zsDayH#;aX_7}Lb~PF<WN19H+F{*I3pFOogU{mA!{mh=zZsIPe_i(6yU0U|qZAH<mi
zZ~g1<s=3lv4sg0QA6u-?L484QM^En`VQGHNA4l=_3DljZ+nH_K%x-Tr;Fu1%<`B0~
z#$cyt#+L_|BKxv=!Ri{r8^QX$jiaWE6l3y~M0(vUJBhxEK}N>Y{wQz1c<x=PYm-k9
z&FJQX&-?zvC#m`C^G+?%kJf8Ljb@Onc6mZ3)?~ClL1P|9|CM)E8<yzWPncxm6=E@g
zV1wO%JsqcB?XK7nwVHf{8(Di~_|SZ>s>9m9z$Y&}GVX9}YCHO&*?!3cf~_8}I+%cA
z)%@E%x*DZ3?Bs7#NoJjfvB-O;HYAu;OX>h=msrOh8xha<vBRL|a{k=XBo+zQFQEL|
zWG+rM0vTv`9nv*l0_ONOr+IDClQZV8b1L%$wkq+66wrd?bQk0BYhExisF7nvv>k^G
zBV?IChdjv+vGoG++JdMG29oqIecsaxvjQVVf{vzJ>~)UVeHvKu9#{m2rTlg5G2Rtv
z3TMg^b3s}tzgcaJ*+L=e(c!wAV&2WTAg&B1+z<L^u%tKy$<vDd-8YH8Zv?$O2Z+7<
zy*YiXef$xdK%V<9PA1KZhIO*E@^wNjv;-{`G0MytmNv>upLO66%gxm3$a$cGE@ptL
zm=fgFV9ve<3y@OXwJ-hT5zmq%8n8l$VG>U|2z<4P>n}pvG-ZSRu&96*PO(9yQ{y^J
z5{<))0*d8pAKU!(AfuD0!v$5`lRRz`2BUFopD8x3YJ98=e)Ev-ZxZ?!^kT}tmio~m
z^2D_^Nk9PJWrzmj$wYMoUi{7N{AXbe)1WWnImG1j_W03m96Xz3mgDT~>ON(VpEVy;
zEZWM?E9tBfG<qWPIiv!mfh=iqb7sNZ3!(SaqLvTVgdQ2|(R{tmD`A3%kByFRJAJHI
zA3A?_gwH=nN?#j3=AAmUGCY_)@sEeVAAGQv_d#u+@2|36YB3&sqc--#t}TyXW4X-*
zz7iA_JQ4*F;DV}p*tWBL5Q2ecMX%I=&_`Zv7D-Xd8aS2SANC4kN--C1#`Y)J>CZtW
z@thu!nd}hD07Z$k#ROUbnsda_CrvKZ{HGU~OPa?Y7a@`sbEwlUO+g$ZG;1Cr0x>nM
z?%&~lTUzWq3dq9R_hYpH37z!na%*$5(^xM}$y2{h0ZxK5>>`GgU_y3OoTPB6O7@rX
z6!WGyFvmdG^K;$SPU2HEV_M093q?0-HWCECuJPE`G8{6u(Y8{?ctEa%m~oxOEo8sB
zGkycYv249C1!E}@m-vGB*%BJd2h-%9LfI26XY;kshmoCqo<BsoZQ3FS%|sC^(Cy^r
zAxwY5#!&!sJElJoLWs|Sv2lV88+~3tn4k1VHhLKX4O3u*qVq~1FA=IiorZkFK`D$@
zm`4%<W*55|#@O$-Z_eXKyRq8x!3wg03Zgv9M((0tknrZCjcEcqt^Kq@7}3$Ah5>G^
zEj17sLJ(u&C#CyXV8->OU0!kuV%3^59Q|peI67=YAf6ipIFn)->!;27rityl;tyIp
zale~9tz<k0_;9*}6T^BWkfdjl)cF+u*!YzI_Z6yaC)5>I2y1__O-2AKZu4M;z^UhQ
zeQNE3-J2r*V_Ofhd0#6L`Cln19xJ-?X^mg@o1FRgSXZt3IE&p-2xO3yROkb;kajV^
z1Z2!K6@K#W?F}`_pOA5qo<h(l6>LchutHnHG&p324VH!E>7m&cA>K7ho=~9Bu$h{b
zAiFjX=mvqHtBXmKx7qa>=ES-vJ#&kPuM{d@=M692*}o<sXVCqz3*)itUrkpHvuk6q
z?M^<>h?ldw_f@e!sVTVwZrBbEQs3_nU$fGNO~!t_`)&&fZ1?b91rg;L2DbLc8eI1e
z@L`{zy>{e!@#DLMNKv>0)_FrAa~QfJ!_4ZRiuA+Gic*UT&|v`a=o;V?SXj3lAc~2Q
zy#kLWCdMQ$PTI79XfeezoV821Cvz=yWpoa>Xv?s`K~Cak|5;Tkts4G?T&6mbxN9_7
zslll+zK1I244rSx;vpZuW}1(v6LE@j>EqXTz)aH6c#uPX)B>qMFr}0k)}LL1i&F!#
za@Ey0a|0=I1kCbe6|>MQ>H3pI5#znbQPMA9`Xhe%dN7)k?4YVy(uG~6GgqOV(#(b<
zX1J^<k;~I5va{LM&x$9K#Rv2PGq8dmku-WABoU$+1<s1LmY)GCS4om98n5Jx^!WV`
zC|a2qX8uByg_n1Ud>8@;cnvH=s{t6O1d7%L$S`-+uS{9cLtT~wK=qPwJoNu49>u^#
zN}OtY;j-wMHGnCCMUk2sdDqNF0(3+chMR!h{_JjgG+tf!ml?=VBFgsjskx~F+^;1Z
z2swP$M$R0=U`@W<8PEV^Tya;pYtuSViV+VcEh6$b(!2J)41zzA{7-N}Xi7nr58eDz
ztOM)5(b-Tb+}R+yG&=DiU#Jtfi7Q}Qogs$T*Twg*X9aX%8PAD+C^apB*WNT~b-8T-
zOcb64&uJ#V7ix$U#lfp{Gs~L{RA<yOrj?WRhJTHtmMB6h8%djvi<4x}n^Il<E%0?C
zsOZz2pt|8LB`+0YZ&Aat!+S86g=V1+gBTWnOLiO)+ENjS(AY>O^W^tc2<!so%=?oB
zr>-%f^Ivi1@#bmX&$}E_CL>G$;~oq4EadUmzjhb3*Ph?CF4*NGAeyk?QK#CV;-%PE
zHB;y##kmR9sGeNikh{j?Q+wV{Y)N;f_5ai7br4F|3#*dfNR@FD<VNqYuBPOxra~=h
zREKe&Bb?opbP`rb*F^A`WF{v&8F3I;3N0>E2fEPBt@?l6E8oETJ>i)e*n!MjfR^r`
zw5oP%L~jTWsBsB9r=o}|>sSww*ZrE&P|-T`$W!JtFAY10X=anZRHso8Qsbd1V^%QP
zs&9l1OM*ZUhG0}8i;f#TuP)COpS6%xL_tnq5z2Wg>z91@O>(%E6U2#?W4=Hx&Sp+C
zU({9Q=$BT?w^OuGYwkSU72{J&gSTf-MC00qQclNRj3z}v*e4yQ7t=srycKrZ8mn=r
z$uU0>h+<u40q@}uAVl+2^|SsWjMJ4G-j6JH8@?O8g0D&{K|i9Vp@4(SsHQQXotSxt
z&Rr>jz0^RqXF|gj8eWY0>4)|&HiQGGqpH7VBFWB4u@*S9aa>$9`U7mL*x9T`@?5;+
zdiqnU!Q#|M<7Kvn2w^vci|>=tf1-50R@f%UNeC{F8lB|LUVPP*f#>q~qub!(3@EVg
zYxKd^az>StP@;j!0}%5;rZ}s_P$>&!C+XMc_qh?UwFn8F-5W4_;17|I118q|&~Z%e
zz^+c#$@fK0-vCC*f4|01!lYRlRlzgqEhq?;yN=qtIqFkm>Js6rlLO)p#YW&hl7)`o
z&J*e>zbK2mpBRfJryMoapJ|^5Q!*nk))FO{4b3;EE-B+_vsc&NobF-8&B0(6!|E>;
zT7rGgOdds0AMW2*(p=?6=YxpfS=YcpC<42A`YyQwN{M7Lwj1)}?(W7f%rs`Q%?)LM
zxmOSW)Q@%Ft>xw4>*8so$${EB-<{vFF_~x>I+t|ndX#z11s$bCG|osy1Wd>1uzSK~
z#7@Ms;W=ka!RVG?tjg~mMzK*rRwpKq<`i{aKKu~+N#&B4Hgb3Q;XM)U`ZMUtq(-pM
zH2N&R{DIjbObq_3DM7?nm(xckhbAT-tVhs@O<xSm{(?E5AGUyxqH9AxwCx|w7|BQ%
z9lif`zb`x<4Q4#g2y-CcnZ?qOVhwHFRTsrS4?i_h>-_%Xi$Ar3v`X6U&CdRX2qI_|
zDOu3k>2&as@0rF^Op=yYiF9988rtjo-O#JaJQ@so`#Kt4WViN%VvLf8PtLq~sJ?VO
z!&;GuKs>>Ixq}{Y0ACihAsxmrG@iXnj>;)YQx9gs30HHh144cYWjYnyMTqx}2Y={u
zW^>b+=dZg_=|b-5G$>WqS<Na&8wPz41*fZPqFql(8eU4XJaAP|5Ln%Ch$e$u9f_$;
zLqU3lf@{q<t7cb8#Y&!drp~Vl#)J7GJ@2ohtQzC0dYlO9+NB#0C1%fevFh3onXk>5
z-wgxG>4!9OLS*=g{~412?w<G3uS->zr%Zr|Pj3mq(fH+576m0okhoomJ!9%X<yLdY
zP)Ee$S|A8k3&n!x9KHP+lf~Kp`L__zj9Ac~7?c(rACK9SR*;#<vMx6TK7^b4TxEL0
zfwRbkml)76$m-CZ&1cchweRd~saSv0=sUEAa_vG6Hf?|D3<ME7?@?ik@2Hw`d6x&a
z8*0llw3>vFH1|6%vY8yfP{B92*)$Vqmtrp1nDO69#=X)lkSqt2>{`}l7W?|&qapB8
z5HZ@v)d=j$0kyCai&X71I<aaOUi$DW9ey_C(A%n1z0RcBRQ-jEK<bvXzE3HBYaFZ?
zG<r(3M3cXy|F}>LBqRtYtwhMeNZ@}9(|eg*5UZi?dW#9Ij(QB6sJc?!Y9f|r(~2L7
z^Us>7R8E&iU($9zB!qsK0QLHu=u)<_-P($fmXvz@^FqN$Ss0z=6<4n&CJ8mx7MquP
z>in^1GS^#vg`Kmq#2WS0@h`_$!wV=kISEF{MSt}g$>3jlHg*B4>Sn))V#8lQGlr^?
zQEa5xN^M1qilO3MP7M>aZdgcLJFZ=QpDA!1Lef37;H&y+aj0xHN<r(!CuPaArJ%K{
zCFGg!)tk5qsDVMEU-t*%ue37i9}cn?_^(!HUuxH<7zw_0-2f*0yp~t|T_cVR*4!cI
zT=Ra~bd8GOS|_)hFmB*V7&1pt>ABn&;hZzWE`+Xo%J<%64SS{Wi`(?+!4pwW^g<(o
zN`;CrHcd1G2jt&Z^Hl!6efa<Lg$Htm=<DSNq!8Ar{WMT`09v&}W3F^myq)lWQZcdZ
zY%A&OFzisC@G@`$Dj&;#$wRrvuNo>Ik~z`!sGAc#mt(T%W5h^ciH;aBPgAy5k6;TD
zD;1~RVH9(x7iq|c;cHOq^*CWwa-2fQZhC%|1rpIMqtA~^q9O%oTqmz7kBEyS@xrd)
z*{M%W|BZ}{>+W?1Z9%r4%|;PaB?wqE(&cpjYM?s&Q`xdbG*i5cT=s=&>?AU?ZL0q}
zGsH!u`>XV&C&kM*Mn2i6B07MM$d=C9LLi0|_qZBQcZgfQWDA8yw0~NAR=m;i0I&DI
zXQh9Q@t)}&hH@Y1sK#oL(b3ifB5|kc*I$|Y>EgRE9v3|$=xOxs)CksC+5U&h>jHpV
zYe6j+$T6yDQ-V@yti${BA^3RfcX%gJsmko;V@yRpFkxfbp;R8yb}6ey4N@yLQTTO5
za9jUAh0KCth$8nEVa*#VkFZ3eLr)ve4tW@B<^n2ImWXixvJi<d*lKcnJg8XAqztZ2
zW_#Q#np~|oj{f8*loF6OQ~*021o#XrUHp>W!(m6lL4{4Sd1`=RW1^0R6wg)xE1*V>
z=omT;6>*nhOzto7%WBhpNrPke1+<OO!(;Ho(L`ZlmC0l@v_B*B@w0y>#a`epaWb)3
zjdVmY9WHH~jAXCEr)(~PD7OGn8i&}AHI|MW=2I>nPfQ~RKnse(uq!^Xbc#*nSTA(*
zUl<iMrahAk-vE`Nm~xx#XjQe|7iZE%w1PYg9@naC-)SN4^n=6pdTO^e$~_rh#sbo~
zvpl*$(u0Ge#{1pX(!+!2%Y~o%krnK<@`?IdjH*Nnj>D9C^Jdt#!(!}q@Hp^J$ce_;
zF*W~mCACzgcQ%PM7BybQQi$2o35OmnPpB4rYjmwM@a%Fk2<pVFM$u+dldJqeC*zEc
z+B_Lm!5E=XR@z=<B|r70)QstiB-5(z9Sn5Bx6?QS)_(iw$n&P@!lvz`m2+htZB~+&
z`LPR)FA^az716<Mw}?pyBMe2v@L9kIsv`Z;`M6|E{B|z>Ud4Kl7+G-M&-`Hc-u@Wj
zF{xz|UJ@C2{)6d3|5g3>VKnzhvL(0p6!o@vv5Y{YvVV$*>yTHSLW&j_Z@pW>m1qs4
zCcmQwHe*l(TH+|LEX6#e5tM0p1S}7ZEfHZ&P5pd|OtPBX-SX-Ig{l(7=#4LH)Lj;{
z%JlbiG_9OwLf#$bX|dC8X@mj$C`yk<uq6F<oD}C)Vx+)FDXWwXWt(f3=Yz#jH8?%p
z6DEvN^|7~>*~91~4~GhNVg}czUwEUjST)LJDuVsE+ATLZdGT+Xf-;x`3kfo;$}=qE
zSmSW?w|@!l{iHP(`H^?0am@~~;)ACrr2DM!bM;t3eldvimwEoRgoXq<-BI?n@b8Iu
zFepZV7FYM|^$<gl^6o6wyRQ8oHLP!KhE1-mJ&zO%aGrm3>a?wHh)JUgVm1(Ib`~yg
z<89VoW@9lv)@K`j?ev$s+7)@kG*;EN>Z-E&+{ct7G&Xd4-CZl1p?=A;KE9gHv5m!>
zSM>x+NA3nJhAQ`uV*7lxz<YoSFeG`N2RG7e8AET>FCaoxS)rXzismC|Jx0GvxyB=8
zB<GLq7g~CV5;Xs&dYyqykreMN3B)Im@8DraY^L7|K;<)dgL!n3yRh{$?u_rItE8P<
zbC)QZaH9UsR_oHegpd3gb}l*t$xB>a9OZ}TOW9thTJcoQ4Irw_q2X9#j`iSKlRr|r
zf)DZudq<<)FnX%ivC)E6QVa&)E*G-(pQ=gRTo(Ic!9r=>CW_}>Jfhsg_n}LEEkefO
zMpHxrf~_i!)$_0!gTEiCAH8mi3KJ*f80CWSx3~0JtZ_F_2+2O4J!@S=n`~d#r;I}m
zC}77TUUl%KOvDri7ZDkH=<;s~I-d0we%u<_Id4+Px=YIrh~JC}Vu`%I{4vOq^&I;6
z;XxPVTrCvwS$KS4w$={Xd7cf5vwdlB?Kvtk6Yb5-A!Eu_CjsZczG{eT(&KOc@OhhH
z3i-K`RRrON9J5u;rTP8B!ous>lt}dsZe^JiV>&*zIn+d6-2q}{Zhd(v{#swJqeQRa
zeN35RNHAe{vuh$XidU@zi)>d8jcjIA&eAJ(%}r)xjV|dGE}Af07MqnzS^^`KRc4}(
z*q?KzV#X@b(lTI&TI?~0<ahk^{K=$PQHU!~l}I^PE3cVrU4UYC>*7C(<FfPH>=@-9
zxcs_Rt4-b3P`Nr;t-8By+mZa3eQscK^Ta6lkQH|{tf3HY6t`z>wxlqR^zG`C!;^?B
zGgFd!n>txi_`{Pm5I?Q(z0J?p-L=Sc`+sO$m%;UHM(mtnx;`vgUyOXj^-U~FH0lf%
z6ZF#8rF87Le|=43fX-X%hO5&c?x$#RHPSU#_FnV`qWT!i)K7=4M`ReNF}5JvK&r(W
zj+iP8pkXrkYE$xE1lP0k#iNN?Fu7AtAx8#I5#uTn=wIWnUI(M6_~nB|>2Nj6L=RjG
zCl_pOxK8-s=)AH`z0*!s;qCl2#(vhS$-TjZ>E7fZn2`TvlePp7Tac48SIIq#MoVM$
zo)TUB2}Ov$<2C*IXTXYQB}COppsG$R-hWDqp(OP7#^%bs0){7*Tg}guqAuwRbEfR?
zLZ2}r{)8MKgYR6*^!y#?yfK=&(l>=Ggadbe!uhs*Y#+TaKY8+@14;|`#<7|J32U@=
zqfC)nw0-HJ>S=7<iuNINOd;5!_{%F4b@MGSCpW$m<TNgD1|_LqVnsP9-$YaB<i!lH
ziDkq@tz8P$4zs9^*q)t}(L$`p8b^nb(|*$J7+gNYB>%(zF@l~0vLF$iP76R6|L3JV
z4qGO!$BV0@H_GWYzAY}j|HZ`EQ$@w(-NGu5^BqNh=4|0FwT_oDBF^n5>`d=$yrlZd
z@rbrdzWMuoN598~+vucO?w>^?k`T(AsGnr&gu_b&f1*WauESd`2-*=*=C_eI3<y&i
zQKAPNUo0yY>^zoG9A&<wJV>%x%Iv^QEVx__HF%cTep|Uvsz7Geo(!>UnMwN+iReFW
zf~<d;QdMtn9b4vJ@|Fg+DtF>^H>@*J9IVGr>Edn8?IVNAG*&O)nOws%=7*Pa8(u7^
zCLMEB%$M|0GpoLuCe%M=$qRXDECv^$u9__i5ldApO<=)}^h4ZHL|N-stF1$cfw9H)
z>p(rIc!!%p?O&Y?pWFLE6V)tUKUw?sjpp9YMN8rY$K*=?wALouU#H74X9(05e{|96
zC~YOqX^PA&m!;;Mn+>4>;>E^?2q0Gb{MaIO<=*_2KP4taf6g0{xBFSRa1Vz5(Z|eO
zmzpAZTOxw$!d!HkxQgw{oVeHuY1@@%NbPyB7*2B)n!HQ!5^X@otO||$VEo0tqKNq9
z%!J0lBQ=e0g+O(GTXh}my!oAL`b~;a&f@sG?mkPuZZnj!^lj&WT_p46Q{X6~=od}(
z{RHf0*^S#Z6Mfo}9ZI~9C|ek^+hM@Trx<NVjz#Mc?P>n&adU<%a-@NQgayw`owi6c
z#U=BY5Ke8U{wY5`t9;pn2FV(X=*aFZRK2<r`0u1hObxXZ6R%hwf@@(q)Ri4dUbnuI
zF;;o|(@enZSyjeFUmKm3%`nn-DCfuY>LV0?v~QZDm{A_o#(g^k{NUM0;YxG6cU=Zo
z8qWm>r7FYP2FcRWnPt6unTLFCfHCRpUPs5-gXXfb?Khu#z1QA~-q;m8z073l2W^7#
z2D7?f<%KH~C7&Ji8Cw1c&}z3}rA&9CIHe5QW+`-wpkp>G>d&7U96WTvX;`uw8xdCA
zXsYpuNQ3i6iCtc-i?6I1JXb=$mgcIhCC`n9n5@?(=eh;j9~<k`tX}?cYsxULJA1tx
zd@-)eaSHkt+iugQ2r5kIo>+8ILLT-+Vq<P}wK1pYKxnHIn#40Mb8XWEnTB{o9iqmg
z|DM1Uj~FJzdJ|U^Fe2tqF#&k?H^OBtDuA!EuxvXeIHB7&#=MjKTZt=<e6iXaOhUvO
zyb$nm=Iuu%26(mczCf-R1cy)bh@PO8iANx_E9YdD@$A=q+ZadxBRjQkNAx_hSmeqF
zu>nkI8FMAacors5aOW-N?4_NR{?UTmO1teDmv#0j;*ktuk2LY<_-4J50}^i}R?mOj
z&>R!qPOhPrVTb9Up~^#TJF%7PvKElDBO5E=)J3{lLsfM$ws`yu9HjwI0Yx4Yxktjz
zyKE^!>ma$m<{p}IP&r3B^bc+xLxZQL*YViL{fd2XB8u4&u^WH0gWK8VXULYxX(h?c
z|0-|UI4BIGca_Xvvjxbw;;tUJ0#LSQ^I^}jg{*&B))iR_c~KAy*i_1d{Xm3E#QM#!
ztE6)}zjQ4R%o^##Tr_57h;ZDNPN}8qSHmV64y_5bDyu$%a>&z^@aa8`EE=~hW#Pb^
zl@P+fDtD24s&0IG2s)GAr@|%ZE^)bKtM`!QDnVq+Lz{p_ow12xhrcu+T%~-0n6il)
zXeUyiIzez*VbsyEAQT^f^KB>1B1WTVPEC;ZL*+>r;iQyV;9%}fW>5%;pSD7$o8yh<
z#ZVYHn#4&&i|GJ7YsSMhM;kLn4`T+3NHmpzC0~XrA@SeSV>{abjEoO|FQ6J{)Q=9I
zRunoR1PNbP3~&ZCzPS@RxF=VAv|sSPJ8bkzbTLy4kM(=5&>+JYtY{CfmnK^kPBtI5
zr!9~lub$K@MbSp-*e@)!Ppp_|Qcu!-+a>x-@Bi<9i#$AExdQrG8fxYDq2>(f;F;%P
zatdXW0k#9GG6|aGPF>n8#M8>!`jD+@9`${EttIQAP$u;xGhRX5Y}JW<|6)o3OF#GY
zjC_Zwskl5pvIT~v@Q`7FK7HYr+XmvCNa^v?dA4!ATsGCh4b{JTrNf5@?>k=fg$TC|
z1|7?l)iY(>%mqjiI!-k;EKU$vaIkI4`{~NE#DCQk(R;u|mke4}q7c<RrKgCVSo6C`
zdf$<!+G>XXly2rsu6r~rwCR;t=)&h^sa|*+Ix4R`;GJ@zs(J6AdG`*>;OLeRuDa<J
zdpArI<o_smh&Q=5&i&WrErdI}*T<cJ39cZx$>?IUDG|q!`TZ~iUeR#^t3qAdt5bU~
z)hgxls){YdAm1s@WYBHD90d}S3wZq6bxPhkJ+DG}G#~z!n;{cOVnH2E+Z3-=E*Nw$
z=iZ6QF@;~CsI&<(e0^l(TzN`d$6pz?NPYXh@yJJ<N@5o-_sDgRui^sKLuJO!+VOKF
z8M<t`u=*G7U!B3yVQS;jW<(yNRX_d4$0ytnZ*Z{ADLa~O?-s-oKWo2_Ly3&1n%S;=
zbzzIUXH8VZ5OB=QTY`xGv>Hkzn#u!-$$|zrTtA&7Z{$Z?mI&LO$6*a1KrYuMOE=!y
z2;A3(+K|BRgOpAK6(ODdCL3zeu~q7V<!ekg?zkbW89b)SVwbo1>Bqn%Jp;B6hH?G@
zOy)@INQfyfC*rQNKT5)&kF=#e);TObef?pkOZK$E>qdVXmoQqO<6bD<<yhcs>nO`k
zXgSc~!yJc;&Z`2=wsD8cZ<w1xsTGCgb?8bC;gL2`;EIq+aV$xXen5|ik))DoefEzE
zl33WR-VHhOMaeE}Z=LtlaW=L(WMh%=mr`hrn?S&xP2P$7KVWYpm8jX3X%1Y9AB$}l
z?BLpK4fN!zIR1(Z?UwwYW8{Xos~qOMjFGiB%Veej(EsJ=Uk&ViE?TUzByE3=|3Dk}
zsRn-&x}oFM?s0yj>vfA?PTT3JXjj6Db5WgBmefjFDmTq19BK7FWFB*XOs%=|FvZ=^
z)W-eE?nar^&?n46c<<$B#QkWCrZsx{Ltp1{GH0J^g4~6wmn6R+oq>KQT+x0#tg@1A
zl1qXGtk$I%{B~#1LgC3(FnKe4>|e4Xy->}eID>ZVtX|aC1$&gf&Wzr@{Co2Wi#^Tg
zz^A?CDZ>CL88^?+LqK<(tD&e`Sj6_OZPDM=`Y<uVKS&(~RJ&#$eI#6M=i$B9l_`?h
z(=%Ame6`h=q|Nk>46Iqa%xb@YuiDb6PaNPFg3TMA-Me!gwsuV8V(r^rUd-rvEC+;g
z^9{P`wLOm6+Bx!?ucWiUIvLOgKny04*Z;c57;TYY&9vJ`v>#YD=zWOaghqBB=m4?u
z#7qmy#KfwP-QF1DV12YzWkNQ$=ON!H9#?XXDpBWE1(Z%@TTFblr6_Yt-v*@a^cW~r
zc{iY_j7-*|#1&>9)erkQN+*>hG3n+a%SS|T=d9XqAvBxj#5mdIFJmhIj{clfFqL5^
zx6JW6q3A768$Qeu({UG*QHFl*<5%!{+ADuy<|*oM;SSxzA~wIDPT5od@~;*Cf;5D3
z2xT%FL#$Qhf=!{!iROd#*EmWwzlkoc_nMr(O4d4s91KYD>VTz#7m=!b7)&-PN!`Ia
zw{h%`HpKGE>#u45TF^CDb|rd%DM=_-7JpTGy&K}A9x3|b4GF2aS|s1>+0Tp%P$4KF
zb45nG^y<CO9WWwsyCS#jv_DSwG!^C;9t%H{jF=bNog#mX{@&hBbG<$UmMgwm%tjqE
zT&DDGH|35D{=%=&np9pt4fT3YU4(wR$en6BLO}8kKYvnU>(`6I$6KKDZ(prdcVcWA
zxRe`1owVo35|8{TEP)>Jo1TPi%=xQj5A3s0)IWH#W|Lq?Y}~r(WXXV#1IBlUK0Q^c
z6WR$;4M&z#dyR<zy`FDz@etGIY$89WXhhO0^83(?{#>8dddHHL|8_IZIorcDAu}LM
z2$HDq*6v8sSI#xRl7&JWljn!+UQ(K*#%S?=b#Sm}5`G<#kmPVAwob{OR{3x+H|YA@
zGp>%N6eq0QFM-TTEhbpa_HJ158$>DyNK4(YQHX*Wv@_Nnvypo}+)Wd<{Hol|BncH!
zT2E`Q9x-V{xktoOBenM_=Td51Ax?l~2$um+JzE3~N44v*&r|Q$z*p(|_}DWKow62z
zh{iqP-&irPm;1+CEuhC6Ld3B`m+&0%_03RYIHyA`1?}0~7sJoJ(GT+3zd2YrLYgjI
zIaapHZaekJ^_pQm@hI$=d5(ElZ?r*|gYFOwG|!IdM$9+(R9H}o=i0@(wQllN)9d6O
zo;weSv`(5{$xM2){ch0^8z0!wd!izs?7MXk2d749YApurKO1%qGs})_R<+u&F(<tW
z#Xn$JcMUhC`?z%HPc-mL4=LX}tAf=R9mi9_&~}k(`>_?X)qqiXK(HVz4v`vkCMlB?
zR^S^1x9^v8O(0MFGzrOE@X8<BS4O6T$m#Y{XWBX=;er{1J9nX{I_L<uKfJ0PkTKOL
zYgAPgdQKxchiL<qj259lw!zHHosJXs)xb};SheSeDHNT8TlS%F09C0Iy`sPjWCQxX
z_AqCUa3aBBZ*U|c&Tl$}v;C!dLI#s19@|>7Tq+JpZa#(=cF{?Pte^<BKA*K#`~A|2
zA~i}s(WaRYR9)Dxa0!p^`diVyn^yQBTg06&YffNvZD5jLLIQJhHqDh8#TUJa?6Ij^
zUr<?i75)O!-DIc&@>eEu2qfT095S%jy(M9U(Ntf;S*641Et_<xy=;zA1!+~y-c6Dh
z=TU#+$LBvH@p}*pbZd@xJJ+RtjyA}cd!(CPC`cm2wK=~ye!X9TEp*srGT+la_^8~*
z`<JK&+m5swtA@{dy~Pv93_$E>mY{U@P%f*FZ_;<7Ea8hX0qR{_Yrb6POm>goFX(Cf
zn6}h&Q-4fs-Ky!6y45CG^9StZiyMR4-@p3|I7sUuElmA+-#gERvpGXO{)1&BpC&@H
zQfL-|_@mw^e^#4KB><}uNxoX6D>CM%7Ev_<3TX*jCyRkP^PI1B!B0o}W^bBKKF@fp
z0*r*-6XgflkPgmrA357}QI61!a)~Ki8(a2Wt97M?Gy!=MOr^Oax@~3mRvC{$=}}zv
zW6gA=i}`K`U&mRiMMB#i6w%a6N2VeF5S-ukl4!>P(lW7zAq$@I))w_Fpi*gCTTH2M
zl2vY*b`UvfTWoO&sxZgUSgIJ>px?~A^MxU*f$*L0s-uh(U>E4m)7X!CB<&4|Ry;Pv
zL4D^n&zG~73Rq^1PqWHY4umKu!HGVtx&WDJLs3An_<7UuP-({(6i=Rj5y?^kxTcS<
zj^1E?)C+<Of4e#jzQh6SFe7pnRHh}x26N993aNpJnP3PcfJ2i_vuS=u=fWuWr^7<X
zqPJ#+N}DYZqtlGWoOKYKr1yH`LOdk;<=!r{P;>sP)?5$%6siWW3!g>e2Y(FH+r0u<
z&{N|q|J9RbaC?@YD`d9p9(6(i{)78xpWCP3D93`2JnkG03ix=P%&+<Vj{d9G9u*LN
zVb<vFv_`ctmYF5EdXfaS3o706`!2iA(n4}0wlZXwko?!AfAwS;+>W-;O7OfWWY5~}
zcOR#te-&Qu<fLALu%g3L$DNlFA5xrIlMc5or97lh=ZXiyhH0UNY@-h5cJ|EpjyMa!
z+(B9hGbZ@CDr`tcV&Q>hcM~g^%|GQ@siqlTx)bz+k?O}OIm-c%6A(nmX&8fk5a63(
zWE+4>P9wy%u*Bw|I=}&t2H>~Fgn)yzDnjI8x@H8mWZzsTIfgmv%Hqn=iS-1FihDs8
zg6Y;_|I=V<N2VB~vBCA{`1tWF=)(O!rWo1BBt}Q(kvaQ8=;Z_tVBE}B#;xm>t;DSO
z)yzwi!jZ2)>X~yPum8FQ&>BP?g<PLvT0O?5?}~h_JFJU_s!Qn~A=>aESG)$8rppa;
z9O{~}Fvx=XUt)&8tUwiR`S2M`5|HUgNFL^y2B$!@rKO^(5+dq{5Yk6;4-V_JBkbJB
zE3R~ECr^ZB=riX}v3Kd55zh1#?-|&fkmy$;m@_}L8l*4$^B$jvmJ4YfXX8zu*x-?4
zK{U06H4UgsB(~6ECP?dyB83(BEQFyE;40A!qW=~~b#TW2X?oD-F%C3@+pbH<{@y6J
z3AUT87UkGzfm~Shb9POeAYlt&2)R$su;}+sVK7cvQk*L!)|E!%XBf#GScdP5KSDB&
z1L4>Z<$vmgyx?VGNSs~r@oN8pTq1=CXj+ve&oy{WQ1cMAKs>!s(eh$Pa@EJqC`%``
zsXk})+9<HwP9K`awaK}0)YXHYo1yOlX==L6w(cnyLvw08kyrRXxbo!SaQMela?;;I
zeF0gelR9;u(;F{W`YK8QUuBECBr^&%vK>yMZPU~HF^Mu5yaqYTl1~ic_>Lgs6jdR<
zfR?o0g@bj=H&GU#@CMNn8V91h#HBd`ooh<O=h>Y5*>HsqGp~;>Cq7kp!P*aZ?&qY_
z=%!}}tz@8<&e=*qpvRD4``p6-rw0B|_x(fmhx{Q9fE9z{FM!y#uO;98ibRa!B#uTB
zfYvhtc?K8q>LJ&lYUG_@;7lU|Sq=x(3QqDUP3jr{&d_klS7zu=3Fzu4V8=E8Y1|uY
zI~L*q5ZziAQamA#SqU+kx&0rHct(Fh{3wC4BoD-68jTvATrOXiHjEYgh8{06@{Npp
z*f8OO@^jzel{9vU=dV9Pu)&ZfASvf?0<46k%L1@2yNc0D*K(C+5)=}rGKJ%+_XUsv
zy8&8&DjZ4omnCP%#xz6v-|;dRLS26p#tH=r1CDZf8%MI3>^<bxtCX<}sLyN(w9tIt
zK=Gqlrfd&fxGT{_5IK=?E}hWI>|svQU#4UvEaoqRoxtIO2kuOf!R)|1@qShEbH>2m
zDAeVMy@1`b5NQ~vZ@dRij<dtZT_+`+l0H#gwB<RTjKMS;^u+{8%#L`Ay}&vs8y%Y;
zyH1+Kb6D1@$qNgD1%YUOf>v6f)3*BW8x)|^XZlTlwM!SQ{@9Px-AtPm@h&ylu)O`~
zgm2Aa!?Awy0DKSvZ0Pd{R1fSiy*?Lm2O$CvD+rN*y!|42m%Zi=CZyfl4~bwQO8F=(
ziyZHs?suq|V$M$qdC;l6=n9lF*QEu`VIsiPFbEb}nh)MB$5JhKH!cMcSpRsLG($$y
z3!Ol16i(yK1p_s`hY<5!_3QJKD^M~0CwFLGp`VmUKWu;oVx>NJND2&YDA--%4u5Hw
z6-yT=Wrjh11P|Q0qD_FHf{=z{qhKR*w890=ltQ<6f-daNn;M6xKhGL4|7jfrJV$^b
z{^6P=s)ukc{VT{xg%qRHe6%K%F{Ribp;fzE-FoZ&{94JeY{>AiY}ie_2_U5SrhPqn
z>^PnDHE2U$a<+uh4S>BMweazS)X+FsY0NoYtqAoV<lwIaklmM|BE6|BPi#1>$r3(n
zXAYo=kppt?O{mMDG7SQP>5luzxHvJaNb=>vEcg0u#|C7C9iEn&pi*HJ&X2#5lhAeO
z#)<Us^|*7qsA{{UU(`D`P$Y0!%26J!+SH_lT@kdfSV7|)maO@;6-Vt5oNFVg!K>;U
zEh>XzaiKlmR2JsSFNS0Gyi8X-jRQu1@~9WK`<V}c<D=^U;I54%3s@99_2VKGdgFR+
z9}qom)&4j6xx}+SjihQf>Xia&S!<gu(%CdFOrUU(XyGwW-6pop=*@{P{<dmW`2sRb
zC{$&GwFEo7qS1Yk1t`Tt0s{(9icHclD-1qp@p}z+a5>!qVpWLtdc7q~PL$ajvuQM9
z5fl08)gp=@I@4DeY|)y*#@a3F;QQ6toZ)7uIRM~O97Yvpfnec<nO8~aeBGCVr*gZA
zhU+bBK0De=c^7bv2S>Q)-v;%d7_wYp#=Lp3#^LUdQGm7E8$8k`P?G6O>G;4pj=&ZQ
zvsWc>0LQ?|@Odn_Z`FP(E$rFQgykGR?@Sf0h79Io{$ADKbBIaTVfuJKeXcXTxd0VE
zhxYFc!n#%sNfEYX;s{s7qXSZ3H6qpH5)}rE7s8fU6rZ<3G8eHNAu{=(vix*ZWpuL{
zYc9k2>eltFWy5n}LOqVG82E}PodknCe~FW)ju)EzM38p}Nm8MzP6X)&6!g&d*Y&FE
zNh<@QWVbAo;ovcZQt@8qpkdPZ)h2Y2n^ojRtp1DKJgH*Be{kq*Qjf5OhK)e>iK<2Y
zwu&M_KU0+?t_m@R)(AGz+=h$w$b!b*A#pmZ!4;WyjI;$X+@GR@PIZZk($b1sl84hM
zb02M55I5CD_oLht<yHoxPjCQtqdtGgW%jt@uR<X(fa0bK&CAT=79GBJ3WawaS8hjM
zpEE)Se@<KRxq5B{OY^Pu7Nm_}#oFffxj6|%_k1h*E88;0FKd+WoT<)mIN?c}x*M(2
zXUALdc%z177>^@xGo98Euw>y-P!&p;N);bnUM4MuZr8|j2T;>TmWgBqT&D}w%@zus
zcn?KNEP*W7sB?>bv%**lQjzJC^iXVA8d5{8TzH$ibSaW1T%qC+Jh!ib$dUgis_}qj
zjLcaOhZ8mh6;E4&#&PIb{YyyTFQ#Ug@_Uo5m964_C_As%ghqoN*IgGp+_T00icade
zaxyRU#5A1(w9-b}jLquBa#6_g5**!=2f8KUCn}?c`@xC^_?T!EC6x<yM+o*+9PEFx
z`F5M-Swtx=j6JXw`nxa)jO{t8uXwBRC0$G6?5>qfUCKgFU-`DzDo?+p0Iye5kHBX0
z4@RV*-`N)q15IV~79}JQ@y<YdmU(@{2gDR)wWoIwmNDDs7;gCMaP&dpoMx5Ok@W92
zoOUWjOz@mVP2%}*EdS|6R=LwmB&gxb<9E+GND+2vHNjH`0f;&_Wej?Ysl6dDzs8J_
z1;aUYc&=EH5fst)j-=TVmzKKGEbz{O&Eo#rgSkb;N5fE4cawe0K8FsAfrdM{Qw!Hh
ziA7!nT881Q8;{=~<84T0FpcQ0`U9IeqW-0IITn}Iut?s>sF*6J0%4E0{#y+$Vn_D{
z`6smv87nHB+|Nj(IlL%!G_Z5QE<5aPtK2#KQ?j-ftPP*&iY&}XqvyNb4SOko<NQFw
zU9_mAk%|z#i%THj^WA%A+7)N)tdbKuqG*fW(B&Wc0fIwG^f*7vnm_Je1mhB;xl?zN
zi12+4Kxws>KObJs+5;8ob$@T}lysCF9rt{}H2YJgyv11_5n!IDsF~$%lTjjeF>ti}
z7Zlo21G(cM?{Zt(K>{LZYMQ4o;Q2E>r5dwFIC<FU!E?(;Te88N6<`L8f}^oN5<SNC
zRnz34FA|{edm-LR1JPc5aP*?!mrZDGgxQ~|Te#@5@2A%)7T5T3mr@u{K-dNtd%16q
zCuUs)B&ezbg65D~1F9?j;t+;Nk&yY*WO@vdQ_PPxDSTZAQ<82xmm!zo3eiRi4eMuL
z0Xg1qv?u5$lTE`xtP<RMEMwbHcoX*p5D=N6X2R%w$3nCvO=HJxlNAxup64Ufkz8f-
zFq;q(4NOf+a^{7S;z33P3&Y$4bBwkQRx_)#FoGHcEu;U{zdLv!t<k~{jc8t=0Pp1K
z4Kmg4qs5xoIQ*aiee6@q)L8+(z&k-!T=mTt;8EJ=wL+L}<YG1x8F*(lrR3iQv8=@M
ze%A;gK{{eMo>_?YSMmCI5*F_ncx3nE^&q&Do#eB~|KoKCbn<@>dH6q_g6C3Mk5i6c
zeB`aO9kwnuRpJ;~8~?2g&YgE|j%B);Ze8pJ8P9+}tA^A6Z>M~CzQmdKk2k5%dog$a
zwM=Ff;$cw(YQl42fp`2YD>sL<2ofTKi~P?TI!29;k>M^nQ;hg&j96USQ1$*~wN=3>
zC@^*<`{u9!R@dS!@wJhGMlv*EHZm6E!H^adA%_yU$gb&^A+k;YfKpHzEEqM{kY@ZO
z?Nb{iqf4&IDDqu$PLI$35+R;mBA6Xw6soNBj)bhq_xd}z#QH<d3(Yy?uwfdRBh&yH
zh-t`@0!-V)3TnZp=B}9FW}=cOPXif=k`?s?&zfRghW;1cy#b4EiP?($BRk0CRK$~i
z*ENPO>BH)Yy_(iCAJ}nj!a)UJnIEkA=qo)aIgGY>DvLLf>~s1>DfeCah#jyrOj7^z
zuatMB(&El1GbW0hf{0G$5h=v@BUKWNpQFYNzY*mox!6T3^2J$VO-s`3G2mkU-5amQ
zE!w&|XrohzbwjffEPedgK>zN0frOXfA^dL}D+RGS%BA?)InT<ipz`iK<ayhecJ=iW
zbKE+Cn~4=zM2_^Ifu45`ksti~X^`ZpBCS(P!fL4ggQS6KV%uD`XL<iYp#@aj;}z$S
zgo(qF&M1Dy{;T@pP4BSD39BQ~g$bB8b{dfQN0LWWCO$($%UjPV|E<MD_)6<(X6az9
z{+KDFB0M4RpB3NAeK~GW!LOuGk<8SC&zx8J8`Hk5UlNx5ME}7<V9IRzAX!DX7!w2Z
z#JgWH8={)DlfKkA1M6NzZ~GFPBl~IxRORpj%qpvnMlw9WfAdn1<)yGqlo@{<Z~-~f
zNnN+kne0K|*#=j5#Z%c0u7l0ApMD?pUhREbsTq}k8T^#7R?vLrONael;H|6oBmikK
z+zcnE$)E9KxWa;DU~IGKCfLmA@DFtS(geX@U@#leZv^BxZ(2)E3+9g9#ZqF|e#p>J
zbf}w2@6--weNE2XtJBkE5r)vv=ZWwCi}w3eyM?9u?G{x5%#B`NAbuzOfA&Z~Z+_rY
zpgct-Qj--$ix)I@%x;QtQFl#ZhiDm`f<;#@gXkE)`f?xvt;k28;QtvTIQQ-AaG>TN
z6Gsq>ms^9qB+ZZKL<glx1*k!IsEW(9g3F>D^u&1p>7!O7q<JNYMx!>U#J@+2uHK*0
zk<4Bu4G4p&fwP!_glRm>q>%-XH8=5vVBO|JCbp=q@><SDWk8;iSl7f}gPSfzQsA<;
zgy<Voz~*jqno>25n~KD~l6R$O$2@|~ggWqoB|3&4ur)WK@+D~!JSVw#-}Y-|k{e<j
zw7t%-14)}rErdb{yU=;Q9<x24eL%GFmbB1>2Q@L^jI^eXySSqB`e&X|5X&2%mm8df
zuo*}Z+}lP;C(JsEP)t4n?QDixO@KF%5ffF}oajJ@_IBL}6{%Cn)+a^@@OYnO<edGf
z@(lU+I$Z#)x-TY#hdZd+krX<Qi%zPeM?n)QV;--*-}OrH?<e^Ik&62+2!-k0U(bAY
zfK}OH`OzoFHP-S11+GK{02_~HaG&Rzt>ya*c(*wjI>K3;`b3tI=$GaUCZkb$ilhQ~
zP=o9tD{}71)6A9OgzEc4AxrYY_>{7gwBi59`tagkC(jpC^oA$Wk>UPf0!lAGz5F%^
z)H*vya1Fe|23+IZDN(0F4wN1x%}D^WoYEp|emve<ktnKVNk%<^Rd_yyJRuN+ljTQg
z&}0qPU_Uva!OSdlJ?p*>wVqXbUnD|Sr%HF;|JUqT>w!J;c=L%M!#dNPD))h*Y5wPe
zA(gwgbNXfQGonEh8VnLm?b0dOBzT(BB63~Wra7MOgB?UBkjhdNrpME3WC|y*sn)Xd
zCkH5Th;|rv>i!Pb37i@>X;%}j<<DquUiOjY?GP1M6zgK`VnenuSslYGFv|$NShwA{
zHJ`jMK~U_lBvM9^_|Pq%9CU_!G$#;79pD=#jU@U`_csx?hVV~h5i-p}B%$ZPi8&9P
zDfVa6&E|%}@m19*%YbV8^$<kotMS!>Gg`^+mERg?s}EsEF;kJ-+|j=YEb_K^`<G_9
zHL~)XDY%)fNFsZ;0W|;GaYBOF{y&B!krT(4tCnH)iO0^8;|fJrr)H6wG%7=JXR79=
zqKIN4+Hwv~ddPr8T7Z_-Y|oPZ%bj@)NYpw3I%x`0gJ<SM_fS}Sh0F{q1kJ@PLBd}`
zIk@Jhs#+VSI&^QV%lQ8TctD50Q#1j@`dh#f6PR5B*4@^ddP-S_r&PeO4*#;omw@4>
zoQ}(7RTvtOoDa^R2&Od-5NWcw)a)d8v)<l1p*|QhIs;U38v<vD$1vD9U%FNKatgyf
z4Qs(D&&%Qe$KJp8w{ath;_$rYr>KW=){;kTQa3xJS>+r>b|%{RqLmb9XOlS+*bS11
znvG7Qn=&Wz^V$DD6o78@jcigEOR{kGWMnq3g+kp>sInYI9w{7~!_Z{pZep-WJGauj
z8)w)DY@n$rS8#rytnG(Kxu<ruFqB+WICi4o8J%0Avq@2oT=-FyD>&cT-r8)ymkkU9
z?$M)WaMbsD2(`kE)MF|O+y!VDx>aaf*ZE0IV&+2H26zPTc|h}t^>x<|i3ZwbaTqS(
z%h}L})12~$S{COiJ}2Jy#3z9}7a6bMEhirIb!|920yaoNhRlTtIDc#P_+`A`u2&Yv
zL#h?LQze;HgcGqk*Rfe#pW*efO7MDkq@2B?$%A`VR#`H>Jnx-U6&|WoxyMrRt&U~7
z?|D*;#IRl@1`<&)A(SxfjKN7Jz{bYATmMaz1?<=v9!3NibAy;^Z&1%eaY)M6^i#+M
z1s2rX3?CqITpWgi3c+}=-@py*3Qknzy#JRac<WBr!6gCoDYPZiZcFanKEU&Tc+|el
z<=;rTf^#|T1?0m53{|qXI(oQo-KCfqLB@1l=;$t1dpl)uzHFqr20~5_hC0_4DM&l1
zkoa&<_5$w$tkmnxLX2Bk#H-+gx!A2<br7qgj|aE4*jp+K#7whcs8bGNj_g_XLzAO0
zm+AlGfpGwP9A$yG6&4Kf9rF>1NAvEaPDd0%5|5Ao>O}UJ%=ab#z)q+K<e{4&uHd}e
zXK_HrtZUm4X2Vb<{rM0yFceAOV-flwPfadn4bGS=NXkDRZdncwMa&~Ir0AGA+xGSG
z08Uh8?Z#QFH6wY{uzgr%IT)(jxp&-~?RukNxUa7AWbGmZA0)_11!H0yQ{w#+v6y}c
zT&kjD%)vwU?<ThFJRTmaXt0kDj#qI0?LSz>)$nXQY-ax|+rCi6dvL<boU)vJ*ziq#
zdaw6r!G~oz7>Z_ZeWbpuDrUEOIZ4rU8G~|cgw=S&gnEGnOaQHZIdRY2n3jW~<e|#$
zHOB_4W8F*qL%ypmh>xo*0mE3~4C*MyRQ|wtQ0Weq>3SK$X%-Thh9<<b$<?I<ofFGt
z``(x4aYY)z@Nz_h6PIW(UYR4BL99<lWWso)Ot6whMrr_1A(*rbZeVyqV-;%NOWb?w
zR(A#G$22Ca7;fqsFnmpY8Y2*A!BE+?!_e2xi9r?YJk`~g0#3tH55v~V$_ji>+>0c%
z9yzpH+K_PFVP8|>Ml5_37b-K$6?{Y%`M`=iM4f9FxQR|4MtPu1Rn)SN=e(&swh~_q
z-<G7%=R@WaAG~B78rCA^p*|55+7TTlK8gJ4{l8wREOos5o)>$g-G~Rj^M3mHb)iQ#
zlEKLx)tzMAA$<jVo6ESvas}uA*CWhdB;Le5C{-IBvoZbOs*A!I-OSi%)7@<@;|@!m
zrSYDZs*QGe;3iQ-19v*h)g{->jEydJcP9(GwSp;ie17@B_PT1L2ZZ_5`!C)XKQa;X
zX!@3o+3et8vo^ZAySrQB4VSvyn)kd^@@SO{b&&XtH+v?JuI=t_mwH3x3eLA4%SOi}
zidisxO^N5TfX+*KJ#V9{ySu|h-e`G5JUWhjy&3z1m_|RafQiv;wQHs@R^8nlF7igp
zBiiVQ;vsA*h{2qV&UJU|3%d1k1?L|Eoh|(V?RV8iUnddhQK>CnY#c;9_%Gh?Y7^{3
zE_IG=_q;UR=%;L@X{pOtde2M4jebh0nwC1({d-=TZuC>$S5qGMMlX?^R<q^1UCtep
zx`d4PywsRLpEBsymPaIvJ*D}bRqEWd?s-{gqrduG#PF4n?yo*!GJH)N{WWKGhOdN2
zfAy)S;c>YVJ>|!qRlbH3{naP&hOgvAfAyKh!Mv=j$Toh@%Yu6JSDp?X^b?7yl<4=o
zRB!ZnOoD~{yVXXkescS*`;uonN*)}Ut}1w<yL}dP#i+gB?zrvsb~rrql5t3UA37b^
zrzC(*hYdRTE>b|J<8$J5CX94K62%zjr4vc*qtp2#;W6zH-|sMw1~D5j8p##`?}S8%
zOCEX9>Byt8_w3K3f4u(r-O<_W!{g80Y|PHHRZKbZ{IB2qv-8ck^NrW}=Eu%A@1CzY
z;ZW9*#HVVbmr6!mbUe^OULRk1M3%9oGG-Sy+Kxx`sLCVS=$lU4s42R+&MG9%duZhm
zZFEG{qjAwRYj#N(gR~1EuFE429S}J1fFjrCfk|GxN(vc?10K+I2uQ%!L5zv-ufv#n
zEE%tZPog1Rhfn%{H`O0&4xEmd0QrAe>e;#_=>)W}I;%oN<s@m~QBUP`jJTIzl8QA)
zZnT`;L)+?^8{K>{<&DOWD*`i5_-xE{MlFvG1~iffIfJavE+`xv{R}*UF&*>hemfmK
zq7(g;{bp8qM3ylfzH5<Zw5b=UauXwPepD5!;2elBEc>Ab^m>dN-7NMZs90GMpD>T+
zqUzM`_9{j+!O#-tByvYArf!@>bWg-2@QBX?dVbF$>ty8-Iq;i}Hf*$kCqMFN++2n+
z4BHo!hHcD{GU3dFh>rP0$KDj+C6PM!BkGTJ%n;zAP89CITS_LnFFFq6sfsqK>tPRM
zfNwygIyWLwe3x-Y9^pnejKBz`=yzEZM!6LaoKzRfBi!hQVIo0qbS_fl<1KaJBJX*b
zd7_)evV_u!w&Phox-(rD)AF8|nJ0RYgfnuZAFbKbE{{l$HXGeAS~sYT#%SGXOzAAn
z^n(x6T__l}8v)i;cS8?j(`S<IW+BBvN!<-Xia&}ye}ux=B-4FQb=+7{6S(#Y_H_c|
zKN2c;dP1W#9e&Kg<$+)xjgW2kS%AjxRq6~KrA{k5i_hIGi~fC8q#qIK#s_lB!tqX?
z#0EC+8A;TA?PFwRsh?PV7bUiP|Fq)~J+iYly6L^fG8_Hy_87~9-DnI3s{`U5(P+#t
z^^>^iz_4FYSXfnN28X?g5UdY0D(UiN=7JT;QY6Ge;|1fMrgt_hVD@b+hJ{vP9R$)Q
zekp$@fu}=0XsI+TMK-_ZWu{Ma4M^Eo+0BPc#L?W?H&<|&ho$PU6I!$edj!+t?X2|9
z$`za+zxl`E$?5Sw&))C9dy|hCG8?2J7ffn7^Ddm4gVgkR+pE6Sf*?KmaB_J1K?AkR
zMMsRNZ*o`Ffz)F|DjIm&GzY2b(Io7=BvTM0vbpnemk`Hs960hR5flO*Q@}JDDI;B1
zX?x>!b<-o&n}~TTta40-cLGUk!826NnIH`l-)|E3syRqykB=Z)&J~;=4&L(^y}N?q
z6UTWVJ)v$y=V(t0f>fw3Z+qRhSY}GqH6UHg%kJJe*v(i_>SH&j&hl<{^FZ22jJjc0
zwpA+Rabm<TECw!lbm4R2eQ7h#OlwXJNEZum@fF3kP~}EJS{X{>3NSu|75}Fo^FOw7
z1?Ro`a7fF5v>3FZBBs*ghUv|Nv=|=YDj)dZ@q=|4g><n;j#p6e^J9kW%vX-u0Qdp@
zkdLlm^SfULzRdczu&M2S+10YyDD2lM<G)weUvunRS8#y-<609yBsV$d(+jjWpF$cj
z6%z4Q1*z<4+bh|3F-@JLJl$(qzA?;UHHl$-04KQ~iqD`zerukRnZI+@N&+&T;g+Pb
zWCuE9J7$;5FGD45cW!I$rIlziK-Ee}5_7y>&rk7`Ur-GFfC)DQ$ZGl;zO*Y?7r3&P
z<h#Gw#|^WwYqkf`73^o%P_9b!Nh)&p7Ix~EN+$cNbccQ7&N&@+TYch>xld8yl7D<}
z&bm~^Sftg$qmv_vY*LH5rE_1{6I@A@_>J_)G~?>=_xlHct>kRKPzun@5P>TRMc8;t
z;0k`x?|fpeaUO^r8(cphf?xKJ-ygpJ$8PzX$~qZF)WrkC0{AKE(<q=Z6)@RwHaDcg
z>=U#yCIOic=IeV5{JfKX&g}`Z{&zHvm@BTu{EG{|PolsLmu5*HuX(|DzhsabF3lFF
z4%%2D=Q8OFuizvmQ49pah>zs~Oa#zRA&=sRFW5JWMU(^KV%K(h6ic2u%AokhK=C18
z+|9hF%W74Du-P@89;G1&AL2z_#l2jpRx3K@q@7oRu<5m&9>oITqq>A^?DAOw!lu`7
zdXz?3_%JWxX5PDHwW>kb<l0S-a-tpB9@Pz-D$Tstav*fMubg<B2RXRH0AdmMfu<qZ
zO()l0!j~@1Tzc~$L<L97-%WE!y`}>eP}^@(E3CTLn^?;iDocP6ok`yWlaHh^9$vv4
z^gyM-ghgBh#hH+ZNsL4llXw{VteRrpa{+RxgZz|J!7j~$88idoSDLM08Cv+12Ow9P
z1%zJ!gkN8T{Tm12*B86~CTZbU8WnyCOU+Zf^?bQWEc{9%ncpN9ex)(On?(h0Di?m0
z(YKq$+s=W|XA>GwA&w&6Zy0_p^%cmq1s=>(=`uO!wg7PbvIH&6gOCL*X2gF@eKM_0
zL$4go8Nql|WGYb(6U+~IRDkLOELU*8)4<+W55kZ}3~y*><?z3PBdqqgV5bX;){7~4
zc@Rn(z>|1346oo+ReOvuyfzjNRC@K(QAEXv`_)A83Un5Bh)uo61H>yhe|aqsiUdP{
z%>&_ys`f}h*dXa#4un#VV2iQjlq2WcJ`R?=1V=7_un9|^#gPk8eRyRFT37&K6P8@b
zksmzlbXkHU7eLsAC0BFgM*_p^V__4PT*r|g1rV3u$ORBKVaatI`LTd-QI0HP62(cl
zfQp=PWV`L-;KxfDyK*3Gq$1Dc$T_G!#IgiC$$_wuid@Z+A3W@Ixh@DBsmL`P`H{fz
zy0oy7id@T)9|aI42<J;R^&o7dBG+={M+3qIu~4~Wy|pa_^W!Ax_bz$60!E%PUaBhg
zl&5Ux7?a|Gl%<{Hj&ma2T%ksTupkIN3K%X8!V~KZ&Tnr(m^-<T0)W?ZOFH6FESzxz
zU(GsS>r{p|j+&XLm;7*}E4{UH1?PX;`1aLe#;%8-^{%v*G!#$emmA1)R}I4E@1GuZ
z5S}FtvVITjgpJSf{6`b!DgDDazFAq~AR7?6ej;KT9Ue7$G!c`SxsbMzIQ3p0T!}^_
zN<3dmjk@dmY*Z+hC7$jW5DJQ+OZEo?7O;5c3!d!J#N~)a6kMOF)2h$&kgrQxh|lZE
zm}1xi9zn#D!0SZ3&+fB#(iNObWLO3Z7s?5;UwF)Ko#vQh{DO|hgo_d9B_s`trhyl7
zcCWMME>8>J@qooVYIuXE;|iSQ+QPAB8cN%9BN9s9Y`~`?@>{_Efa%ZpJ#)ui#$K2Q
zVL--Igv6cIg?dwuwTb~HO3+-@;<YeG`<SX1jcFJ6EVIG#w9tT%1u=~##Gg$I4|Odd
zF<g$AJ4$ga%bAL3NWD9XpmJm7`XE#b*Y?1<J~b-4paLRt4{R;PS0%VUz;b;Ms*LLM
z<U%W2j84I>0)&%5;$I@D2Z9$5H@-LSQ!tE%deEQR#PME~>$8*U<SxZgtaY<M#3XPj
zn3e{p542n#gb_suuwXdr?&Mh2I^e;84V54hhW-?z<dAXbQvrQC;1SIj^Ft|1JYy_?
zQ2l&76OdOr_Dyp@vS3KXgYo#kCJ0A7;L+RJ1TlLRZ`IDCEu_zBGyd`bL~2v6FBksK
z`v{WRw6GWuP9?$8G1Foa4QZU(8dP*RAj%5+JMXKOEU=>7+#|_n367kt<2dn~`WGIg
zVYPCti^|^p)IVmIC9tpn!ezCS0xZ8O?W6$0o0JO+V12Z5VF83q0{>kVf#XrMkUfe-
zu1z^|%dk{R+>ymgl{H14xARU%&=@Z0bPq2&eqB%h{MR{<XqaGBi<rYXCZ9(M+xO2M
z_<=`2KcP^w-fEqnpSwH|+@~$O9*n1*NFV9nT5?iqJd(sC#{_sfB0^m9$lFsfa6<i0
ztj=Aw+wJC}Yjx`aMg8H+X|!73!FwLlUHB(YAfOaOaEPQYViqT{iq91K#HAzddo&WI
z;9Vr}O3|p!;gZE8AP`Z!<WT%`%999wl<QS#_0#ZWvWqMbR~}d<)|4xO!Uym@ivu!d
z>$10WzLGQN=e1`#?`$|8cQ0t<FkU^`y}s%aCne6ER!hnSq|YbnmP@t~G**n?x|ujP
zkUYoRu_TDWYzAULet%@Y-@*G2r*C%Q0|I2kga(8PGU@Xv_11ymzXKja$c12iA7Q6*
zVBr*`jLcj#sy@eyIVuFW5%ttPkyr<jxFad4B!WiBgMdfr+{C&@Xt@&(oZ5YhT<><L
z+G?SuDUo~~JnB=)`h#gX{g!~$qmN=uk>37P?I5mI?R7_W1T0>cbCdg5URpn4e%xUJ
z5O2%^xtk<r6A2FP3t$6C!)-dP@8HFYUq}?NVEEz%oX|LyOC;Hj7;0}W7kK~yy)-9J
zt(OG~%`mHJ7|{viiLkfa9L`H3^zx;M9r0wSOgVU%HO@G27#KDr=sIxU!xY&#krA0l
z$l;G>itC^;4X4iHv}f$~k_XRYh{**7Iv7wlcHp&~fvj5#ejH11f1<$4gh;3Z$MR50
zr1}+qfX&{^jeo6<;y4t$-R_XZqonV+eB9LsqpMCv7i){ItiFb_%2=vq9*qg}MXR;%
z#}eJ-7Wvb4An?!qcW(h-$|4w49!jSD7}P~^D)MAm4-MB2BR*js_26>EFrX@Kl%d2p
zr6tH}XP`%Rrey3t5zHGQnDX$Qvhc+V1r)h~=0qEJm0vBWH^H?yqO?0EEJ#0O+t9W8
zT5GjdR^T+^N#Cbp#JM~Wt=11L@DzHoV8ElXI^U$vlNd()Qi8yv#8*()t_(DacqHT*
z$5_8HH=uhitWCgJLBAsLj`O3!Fkv3e7UywSIC}QD#32o6MEvfEUv^^NwVQV&zIJec
zjyh&*4zBFya2OE}*R&!R%3)*2={Y^gq?mv)`JG45PsU*`OX7h0KEIT666O)RQ5|+$
ztqz>qk!chg3Wn5!LBz+HT0`<LjNyWnYocFhR}5JfA7ZJx1*elz?*ZOBY6V8p^>H!=
z!TwFrqX9`@021+IDq;``izPWzjI*+P$tuT`=s@(AheRUCkgh{NiLHj`Ks*xa4aNf|
zQB@w6HAgOB=<`1D<$i@EW*ACg>hO>TV#EfqgN+MO1u7QlF`>0*2_2HeT*(!(B3_q-
zJXW05pF%&P<O2DqavWp-){*ujl@&vUbQX%4vOvu`<HQae4wN*(M0)bqZHd7gLQQiu
z>{ABE11g*hzqU*GHIe*9o*%h*HO6}y%k9!pvU&e^>Sk)`m<vg)T*;9183GZLz$1|-
z9C$AeAl|7n0R#k<#6PCG7u?13Fk)j8O%(ycUnCYDQ<M+H`8xEeNjk0rbH^jfB5-*W
zQ4w+#cU@4#1mVCTN>#)cJdJ_aPY(rRTpB2xk3)Z|C<A6gMl>|XC|gFWbugmtMV@<^
z5mUY<Wefy6h&W2zIEknQ>aAK(+o##gvJ{OKacyJA`6TDP@zVJuIe|R+*z8w67%-O+
zANgRU4u#0*)8*x*lMz*iM?)l8-Hn&s#84e)6p#Hi<QVu9O-ITWv3V1V*w%~Kxv53$
z%v;1xZV?-55h$`Tk*=U1l%~H+0Z>w1MMlo#^v^)hh*9CdzAyN?>PNxD2p<tu(zu`#
z$q3AOWPz;=NQ5VzCjisz1Vb25BGE=5XXlZp&{T@DfzJY(VQNHmYHxw+ik1V+0o2^f
z5*s8ZIE!eyI%D!Xv+%hT|9(IwJd&fFk;omfm?BQwO;FgAY6;ScOP=}!o~gs*^MIb=
zGVQ_7oZ@Wc;(e+w^U4jJBw&9e=DRqvMM#2jshPF|zes^zX+2gC>q^lVF^TCQ@zJeN
z(;Y2g5wF7of4T-EB7nsL_+?OXo`U~K|00I%A{_|=NzP)Pb!0{tIjzC8UbTFO))e*k
z*o1kB<Pr#;4AYMa)_}8h`|HnI@yq{OUH3JKNuLO;n**<)QSrAh>jAfeequt3J}Q`R
zZVOPu=~Eg=sZ|OZ)Pp4Ow4cuzN#fBNj7jLA6+Zj7<Z_ZLNWv-gnottd3DpoCuwfEW
zG>Ay{Y4%ZY2+a{A9=Ifu8|rIIj!62Q3_ZOpMFPUqL^3_YO~x75VZ26;T=3HrF*ELz
z|6bU*1HA}^^l~SLKlVxKSJ(bQeSJs5{La1k6r;z0{G9Db_FLA>+KqW@b4&BnAFAh>
zfka_~sxa15&ES<z%5IG_F81&yS6TK{fZ$=kVz0j+4MiRt>i1uW|C%A<GW_?65}ryw
z<Y1cnqLDfMSso_6%j$>p9L+;=vozIAp?iKU@5rYEMJFU%D;!t-S61OI8?(4@dU1L)
ztDL&wPn3qlXA>%nAJ42Ro=<0dKHy1E7~w=xP$`OP7Z(jJYbnD~pB&RMpU@weFX_Wf
za{aTQaP~j{^FM`yCM5t$JOx4p+I?{%dCK?G1x_z=q5f2%mB@?odggWU!xlM6VU|nA
zv|i60v+5Dn3$&!Nn=;9%?GIO(d)j1CEN1;UCZSkhdHF7_l@<CeuBUD)X@#nJsVz5F
zE?529e8+Pw%Oe&$R>K9hhEo_2bp#qy<mdz9#yp~)#wRVVEHpt;5OS=^*&V8hRe9E1
z=wC^RD!uVDf>cP_mCAuQor>IK?~n#Gz?RBfbM^h!<vcr6lKKk#sBAZu9B(9YBf+2M
zzMiR{&y<#Nw$XDwouP?6^IG(HAjO94lIQ5-!KyJ`#~koYWx@3Ck(dD2ns};5YcU^f
z>K+HF1Pn4w#@1h;Pvy_6d0UOP;7R!%ZMY~%E5Tl;)j*E}VN=$#wcYGqL1o`q&vIS$
ziF=WRawn9{K#O|Dt0qc<0L|pVRJ%Y33Ph{St=5JEANrE2D64{f84xIt=*xwHftzR!
zH8+X$>ld8#Zq9nEo@~L<hm+HP9KSjF@3&`1`zI&Ad^mo+_iXhd=~FlML3w9je#K5F
zy=qSt%?w7+;qbfQK}h1!Ui(i+&cjj~J4UMg+=eTV@OilnosLIc?$NcXxqLh*Oe37Q
z(D9|F=v<`v!5qfB#>H+g8*V+~KHW2VMqz3!repDI?_bWC#sudn7xuZmrcBQp+UQS<
zpv~zp0gusRWkhv+b2#gCTq0cJ(LHo&I9t<q4H9~J(3@rH+a0T8;gB#CU<1wqam5Z4
z1}$~1_HK43>AHW`hZ>Q`9Ej}D;u8!DAet=X*LLvp@$sAYr)MAE9G@J1cyDbY{Y2gB
zm34a1=}4>?LC1yX)E#kn_Wj}M`~7!^XNT|h|MA9j_k2y=IvDa}Ev#(A#{1n_x4X|O
zkl$)l!P+tz+$U_D@8IKs)m9~8iOF#9Spgy`wExKy>!J#+<tf^kVTw6FQ=&jGbNI*v
z47pK?4P}y*ctB^Np6s(`OVWA%zyhfptIG{d(*;%Y^raM`DJ{zdSjk@J`Fto8j!0pt
z^$g4$<Oe7ma_))dr@UNC;`ZzsQmo(s4dTVggX1_Y3%h#X?)G+eH#VJ}zro@AA3gx=
z?R^KY(PmuOIy4^{H1d#0%g*HgH`iUrTuMAl-H=PpNoO5F+?q=onbT?v*yc)0^Gr;H
ze90vHni}LAut1`fx|vCDwUMp`RPQX_)uyIC5G>H7PhyxFqhQ4L1xMSRsI%@N1DCQN
zL4%C3t&4=_@6hx)H(Yf+vq9+l)w}`I=7iiuPZ1n;zA;nt%92Ghy@M@Za>+S6xzqJ<
zaT@@jjNco*-HmPM)ux5tFJ7qBg9QwK@uIca+uZE*HaooytLfG@{Nvpz{JQZk_+kHa
z|Lrbh64HSAR4Jw`Fn2+|wzW#Zl}2;>eEsHh|4?>%I#Ngi9*fY=ev0;E9qowyTRWbW
zPtL~1x_&33uepjd$=Rwmww(=qW{p+5r)1(^KLqfePw2Q$BiPtlht1w*Z(Ut#PBuX#
zA&NM1Qiw;sKb2>Xi4pZGFKZ>A(>Jv%lGG=n!v~#sL_1-`f2VG|ma~7G8S49~hzg8g
zFwp<fsd3G10iH;8#N>CJ<pCaKW%ef8B}Q&c6mq;e!W)M4MYXY*1Mxhik*K9^DISHr
z$YY^>CQ<`B*3v5g77OYRq&h|P!*^3-vI%cKyhZc*k&*rN616bQggtG%Y$qZ6sAUqE
zY@EZY@jQ{M=})20<B@8#iL=}?AhbG?8<d2ext`AVxmoTLn{EM`upRjIM;ckz({c|T
zF;WyJ<{^`WMqR$I$eko1(~Ig181=n1Bz`Ul6j`pNJGr%<1Gbe)<~zwPJQ~u#qk%ik
zwMFd=6;+K5k~pdh{xgFIX9xrJTdM>6=#OMHm@|~Ttlkxv&enmLhCX*M&XhZflt}O{
zKF%^J<pjy}t}eZE&0U!0XNeuRI_j8bI4IXGRD6UW&6sE}Ld_-B+wo?HdO-YeMEW#l
zE}lac0D%!7b2(!<_$8Sl;U~VIyWh$1#L<(9X*7njF%dD1as~o)Pw^Dq8ykdC%6&4S
zXZn+Eh&VG>7G{^V2M*@DR(c@Hin)96ba1<Gsg~ylmE)u;{((H09*y*?;R1h0WXOn~
zJcEY=B{2}4!#&gfbL25|dV|TPK3l@20f`tl^i@+rxeFrS+T%1=C8Y!;n98HzWE0Vc
zka~HfNv{r>Ip`C0(&fa(teIOaw&n>LSgl69s5<eJ&9lkY*_aI#yt^yupPfWdslZXO
zrq8zi6b#konl;26CR=9reil;fm$LVTkel<XLC@19<`E<Q4F8x|R}tNaqSG3B#cbk#
zw^07?WV6#=GI9vBX0gyxv!>tsd{}PU_xZ4^YSWHfu=3HFY<6O<|J+)eZ<gv+o27cT
zS?X_3R;gK5DgI=Y`bw-)cV>#ZNvqOQMxXMn{9KDqQ%g_PrYvf+LG`<6teLqxkKJ0c
z-1)dYvy4{p{#Ng|<fb}<<?(2de#QKZLz{j$Rl`EDud_ZC@mUy2TI^EMRV}(Jri+gH
zVGT8-6OOMV$4QLZi183aL(rIeY@k&<;_*;RQ-!Gj3u1KUl#r1;<5GUh)NzvuYc3D|
zTO|wro6Uj0ed54R9QZalaEX*C&FG2KK5^P7PFulg7d;-g$!Os%b7>%Gt98J`X~c%3
z82-cM;q>pY+1uQP?;}n;myeyy>e4p9wUwfd`n~xL4g=Sb2+`#cdX<W#FPO(jq}Z7r
z&UWC~4~aXXW+LmL&1<mf^c1&f>rd^qzqjO`kI59x73y+^31w`epIjQoD%<rq^chBf
zNzI?S3#au@-2qoro`77eA?Lalkhs<QPbn<uiwlBN#7hfbRT15{hX-%opS<a8I=$~&
zt)ByQn@tVA{i(Tq!K8uY5_kk;80q^J7Qki1<XKt=!3XgriD=7XB92%;iF4pFb7BJQ
z3OoQ3KzsiL4o}+f{r<_}$$IOT!_yx>{Co<(>>nTRzdt>Ea{?cZ;o!sj*N3NvAKst9
zhaX`7{XgNS!}qV(fiip-KtF|%oV(nxF`B2H)`>n(W^m*3uiv@3;FDmOkRgR3pHO_7
zDDe#4y7B%j@LCuUR9m`A%W?j4-D16&(xzSY)~TDBA+J3~uh;9n+}_6j?e%)a|J~?q
zZvACrd*{`w-ezyJxAm9a#><WE?Y}_p+9Nk8iHJ$`m)^C<DlYDU6f0KaZVSLAF&*+~
zx(kQFAR?)iy9Hp5?5-v?^2oOG_X{l&hUq^yosGXay_V%ny$k#Bmh~g4A6a)6@>HNh
znnZv7($42Y=0cywmy`yEd+P@ZP772Z;Ph#<BxCBeleyPWS2Ip)#K&|OjKX4>5?job
z6RP;q_4s9gVRO4aA97*7b;cyRaKd2Nx}Z~hCcWG0==rufFrt1)qgDrEIu3mj(^dxt
zNq{18t7DeX8WU#Hw8-X?Iqky7can0gBh_yKB$1!Zto8w9OSRP#&~MjdpYvPB(~$0h
zuePE!DeTynM#-mghozSOTQ6v@JH{OP-`jlovPl28H#VQ>|6P<7$RySr8Crppqu2k_
z(Sk<j5H<J#qtPzxAMGFfh$0)xzA150lxSr|Kc%##xP!y)!D}6sLFzeS#9b<c6lPae
z;QxvX78)bQM~Qf?m6ewLZ$szQ1L!9bbz`OW{2MkVx@Sbi!j`H>94<i(W}p9!&7GZI
z{`_xlY;Nv6o&UQifBxBh(W)T<O$fk??&r^~mh1&4Y`lxl{iPx)MU1_%1g<-xyO33D
z9n(08q{=8YHVC*!O{{e*q*UwAKY<0VpLi773L_m04P`6g$PU`D>M=Kl_641`q5Z>$
z4{c~G-qnUxpNSaS-|ru{<$wRTy|xCO&!5$#|NOI~2An&BY!af99#QXg60u--;*O}7
z_$(M6s%SCl=Qp3Io1m!M0_Z@P#_HH@sSr|Q61$@}N>wy6w<;aDpwnIW^G|Rt=oCJG
zZe@X|xQ>k{rE=?M{c5&l$EcF4itt&#qu&nadXnSFA>a!BNO(+(UuAO|c;@FzDzRc0
zHd^LGr@W6N5_#9!N7=#c?xPw(HZe@8`8LWPPIUO&QyPsmz&j6VFK6uDH8w8YGkMtC
z&{n7AR(4Qro>~(d0R00TIj9*^uN=QNqZ*FYA@v2#_p0z^kzQ4cT(275GhiR{ko$Z%
z{fRCBdaF^k0rqbQ<;LL6HC6Kk`$xD+4fpN5Rd&RM6#Qs=-ZGKUhukx0)|Gz;F<Tt%
zLhcpFe(E%wqMT0fh8Kiwa6T$MCgh%ufZN6=qwnP5EmkUisRFESf0Qi;i9(^1;%7Ng
zd~Ml=XN|YUTCIWbvvj?%yO(WD8=UMzR@Z`rT^&KU22SpK+NuPEik781`PQY?+g(UX
zV7e$(T%OhDdoqL+?}-id&Zz4+oBA#u*3}}?sS9RjY@^94Xq?MoSRTyTK0Ep^SX+ZD
z2v{HmDA?%b$+RYD0gqvoj>C9rZSh*MDufXW;sLa0IM46GH#n&j9ZJJl{JqF$o?X!C
zIy_V1Xm<B1kfAuEXNtigv(xP=*->d=>ttc$>rgzq##&i+$*r&&@375%#G+@90gcM^
z;^Co@WQ*!=iz99<#_v&5zBxvilbatsBg|y@uZ0mVuB&vaN!6EQci-B_w=t2rK8dOz
zP)l;T#>A;G<Si4XrX1~y;X@7MdJqUPlV9CqglNEmZjAffjq<NXx&hta(xq-r^|$!a
zJk9@0+j;9s6Z^kQLX!H@E^z}e$Ns<bvbSBd|L<(~p6vg3QNEb{-%6nKQ%cU$M|*Xo
zA%}{R4QO|hOfY1FQ~*_hdUI#F_|fjet~jGs$Et?p!}_<8?VJO9o<C)+9n*^$ptfh5
zhUiglW`stJLdQLbco;GCJ5Bw3R0w76c}zqJy7lxEZ%AXO*`9?MEX&FI%k7+?;|Yxp
z_&6jHh4z1LIGY=tUb`%x)Z>A(mUf6D1GLqU-N{Cu#$=<N2Wws3vQcwcSm`KXdg0BW
zl#49Z99XZe4J(Yph_@Nd;H4+Zf}wNqElOiI2|738!SB4^5NM|MUE)?>%81QCWvbpB
zcsxSKJP?h~URJ*`h&HzG9HmGYikk&f76-i{oU#UA6`-s~2Mr-*x427C>7{=OAhAG-
z%c3EGOzj%r7#^*w&G=;Xkk)EY#ppL*24SlQ{@b+&uHrg3!mOU4cGoQa`1}0>NK<b#
zJXKMjxC_vm>x)Hdz$6~=NT=Rd2!ykm-yA3pj$bzgpc{D$!0-B~M?#jN{X(FtX?b%{
z+dn$g;ba@aj)crKXb!^OO@L76Us@dhYTMo%7=M(g&4U=D*m<y@#9X+<r%^+wjzY44
z;J&peIJGT$EyrOc<TgvN(lcklushkrDszBaYETE(xs7jbJ3i6~!$U2%8Iz~YSY$H<
z#8HBL`zQ;=uJax-k%f$EXdw}ylQx+L`<><Jin1}`tQTM8zNa53=8`omu~JgmQM1K=
zx3>)DExr1=T%>v_*Mh?>p1>;ZqGDF+>>e45z+iKYMAT)GvC%Y|ak-ktH%C{Ga=8{3
z-s!Ne`CaaH$i0q9YLVgIm)-b=b82M4ZPe2;)Lr5RMk!Ho?Xr-iTh7*Boz^}EUc^ki
zChJ?d_9aozRZZj?e54*TKdrFkY&kvk;y!QVm)&RxnwYOT8iN250Lc=ZxBvY7xeazY
zIsIH#PKyb9Y$7nD=#YNG+isIU1^583s0a0PfX|<yPhEn!5oOO9^-n)=zo6=cuc^xd
z_|Gk8OUHE;Dr9Aw1u=~V#H9$40Z#(2ts*%)trss&F$imfDPcSn<WZ$AjET>O&xOtm
z8C31Yix&;;SBljLYp%KTXF;a@=j!CwUgvNBT6^*9|NH!}7oR^rYr|>|Ja7duKZzp=
z3F}sVE~EL9_kWG<e{-2G7ry|W^Zs*dYqNC!`)cRu{r{bmJHP*hl+#*N)uS<WW9orK
zxdD&H@*ICKDOFoP3o@j;>QEM$Ob$1hNE;cKj9NNS-_TY|a^!FS=ulG$;rvJhv{Oct
zrGG7Om&Q^ihV~$K{O&^HDIL355*Ho5%>c`R@2y0o`1UppGk_!>f5U9!Du=0QD8OeI
zGy^nT8iJd4mk1hlF*-w<8+Jru@Ho=!OCDVSPtr);ef}w*Y%*eUTRW2tI5{|IzK;=t
zqmZa7^*9pLO@A^r@Ve|)&HYUq&A{y5GaWF`jIz52PByI^2I=t&9tFA4EUlzriwxm(
z+q5;0V3q!{U?-JHi=jQ>kxScauu1~&=6aQCw(N9~qijqDYw2?3g1aw3rHspm;BSDl
zEU>V?fWU|#nG0WWtM`D9SzP+LJy6-Q+t9|;**^;!nZNaiPOe|=_-LVxBj{TeB%eNn
zD%?+DsfPo7xJdxYTT+EgT(^!bi?c}SO4w3CRn#1fyvAa{KZJx2^Njv3B&e2LeSYf2
zwHjhq{&yW&lz&%`q*ITzQQG<^8T<E2o_c7diTtP1-Y@s||1S;Xzs>De1^KVHy}9)y
z|J_BoOZgASI@M{7RmPq|?0yyPQ4u#2TT|qSxa<<?W}m8hPRkZ6o@E5>jU1rYldQSO
zX|hT}zpU1&q#f)s6*TahdhrsHc;v)9&2QZ6wNVg>Xq^7>9v{QDF|PwQQB^y=UOO{*
zlxDbbTQl5PV1^s%3`<kdr(XxvOuHB5nb^xp-M%Y!qzr<!yqG3Y>exh&F$1b}utGg^
zDUJpm(292lOiKseGL`P!;&K9O37z64LRDm4@?ynW73wi5B?Ql7OlWawOcHWj!$~`k
zih9;~M+5`Y8X>7x)SL&>j5QWPg)fMH=PbadPGu<Aa-<a6%I#AT?pVhhJ`^VKs?DLF
z;T$zgclV(ETVUd#p1_;q;}6HXm;w&ZV;J!XGm%?Oc;4*%787)2afzLF{h)i=qL=%z
z{aXOV@}6U0RT2Z8&;W=^`$A2o8<qc?`(7>%@t8~{0tA$LCYJ}DnqMz;2+TChYYY?a
zCu0h(PuN)8$h3b*B2>ogEH^F*<oGJ8rkqy{wYe}<ej2|!;+LJ6cjJgBeV>XE=dnsY
zf&5%&!RW4Ji|;7(>s*eQPdn+p==yqR#1c#VrqD<~*~wKaBjgnf2=nKNgI}6WKHAbm
z{=;mLw<rI-dR3PHwq8EPf4Y-$=klL*&lW~Jlmt+s7e>OY5<fKZ;s0cB5b>YKoLd$k
zBmcxBs%k@9nJ3!C2O%h6)bZy0c&XH;{b#09f<kLgIs?aivMYyNu$b3WHy^VGf=b~g
z<`J^mU2EK!Mq?Hz?vU>%CPVwe!8SQnKYY=~8r6fDvr*H_i`=VeQKiQh|CYmLGxgYz
zirAixwctHy|K9?yvDds;(NV>!3xnrZQf5i*Z$$SSA^%^yP`9{u)=YErDqTUAM^N1_
z-eZ$1YJGHGbN7NqaER!h?$C)!ZSWpbEUadU*LN}2cOK7`o%1O1ebq{sE5NlGhcV2m
z7mj2q_Sc@ujrIC(n`?Dvw#kvr&B_v?t>5Jl!s$tv7EgwaCpzqweE@72l`MG|EbtBm
zw8tdO-hx_IG<yzvK*CV&Z0=W#Q(rWj*~qm>Ulr!Jxz@MbqjC+?9A@h;;lqZ*d^2Q*
z7_0WnbgSbvM8_gl>=q!Eo5~d=0sF(e%2%PAF?d^HI=R{092KAw;wLIIpSGq*mB)y9
zGmd(RKHT_$FDU+V4td3V<{x$a)wM2b%-^~FepY$CQKk#k_3ngBlx|Jp(ANec1)98R
zsIAYF1?B3il;scE;xlSAn?;W5m!?@yoARLPr_vUT2hl1EhCHG|{~XZ?lfQSvh?=BC
zEEsV34;T>N?-TbzD5ozH#gHXHm?b|=jH}UN>I@Fi21lh$XhJO~MW3c;_~Dccn<x|A
z7s>%DRCkIMc?I5K4xTX!JkeEtf!)5(``yj0!On(9x4tF4Z(qK2cj%zkAGq6_{jI^P
ztsVE()<*AD|5dNoHTm?1eC6%-M(6GJHl$0+`(K^^zg2X<`s>>2Z;t-!|JZ+a@cVw}
ze@W-xzjglgSN$#fVeQ45Z1LAd^`4zuu*zvC22XbPv@2vy#Z(dS9Q?m_+SGZ6InT3y
zvcUf55w3T(f&q?7uDqY(+id-zR{w8g|IzOYmo)&*vHxuEyeip$c3wTj|G1NK_whge
zq4TO^ib08>G?3yd8t|F09iY&Yi1@x8AY}jOFwLZIU;ULytwvfsisd|nZ@2VKnEtB&
zrN13<NoLJA{jcKv)RA=?W%Zd}L^&vV10SHfhDrIRYnrv&t>rjr>+WF?JAgl-sIbZ-
z2$FH1Mr+1ZMK^QcP^XCNQ-~uH2;XG?&r;1#$=J92$I|OAqVK~ntyTami0P1)uDV`J
zz}fd)rz4tvHZH%0UZkqVET{O==45_VnZNz+-W;Fus>jupkBhWVl-+sNGu*Xut@<~!
zY5;5Jl{{jjLiSy5WbQleY>~q2Zy0pEu0w!O_GKIP<WZCItJ=zTX$)Dl)SvzFPs_Vs
zg35Hrf;ivXTJ~+=a}vMYE`B$|A*z-KypkwZA+pW3dmSmy{y36?s`eO_bU=zor_+!E
z-e>0@Ak8NX#`pV3_tI9v<UEuuH?t6Jwc_dLw+laxD7}urJejkfJt*KT_ohKF?Z78O
zAho#`JP!-KEeO|g^O^5qmH_XqLpKGkOQX0mCIK1ZjkI=Xuu`re^*nuh0)h<#>a}D8
zHejxlyFe~cvQwQ!R|Cdw-a4j(EK`_0nxs^imN}98*404nuB02<vAdbSxw7wfs%yyx
zsE9M=#p<a>eKB;}TKH`3WyYw+OGS~Y5fMMpDdf6t7Xjh=iBwb6Rd^)He4}P_s^^1H
z#=htfcTC%BHhH_(Pd~6Uk^glt(A&EI-QL*VD&7BXKi&V{Nx6IZ-xB5v>D;Rbkj6bz
zGYfZJ8QfYmD#xOo?fG9C!{RvT`EJgCVc50Y7d@Ee>1W<h?Cu##S((|mf_-7qY)5m?
zRHAL0g!|eMRMX6uiL!R}d6(N|e=w9ZE1D?E=ym$jibgsjM!I(Oe$muAsIyf(J5y$q
zI0IJ2$f*^}si38q;!!qrj%kEW1D2&TyRXQ_EjGiiRYbI2D+%h=`&b#(H@B0rqud_O
zXkvB|D#tVXr$p@B)>YQeHZR}8>|1WzO50W0Wtuj$n1g7RV?bV9(!j@8vOEAb9w#wo
za76)Bil6QXh|m$-91&925jvK&9h+K;0%GFkE6kuK`LNcr2#OUgzer75zfkbdOZ1Wi
zvDCMH&O_i68iDFelQnIi*RGFaSySondY*y>E(I1p$MC09e3RuHgNV`XBT6o;NOoe~
z=>K9JXzV(zANeJn&}dzC#Kuz0)AN#3x{R1kKVKla*2CtgrD`gFN;;N%lBQADwbjnl
zYxY$Tz6o*)c$Q%`WbVZhw;OYU)~~@8+PMEo#(pKeR0nt#Azd>=UYE!(POR6mr!Y53
zsTQR=_g2PzD)ps_{I4)$Y4Lxq{Qs)AQI!8TdoQ2l|GOx6?*IAbQz)5$WI2I0kYiW}
zlsRhIicOq4Srr`$8`~loGJIRs{4k+W#5^jgW0V9gyxhV++4v+G4A>`Vcj{8t9Yj=0
zl<H0wrzz)bZvKcCS^Cp#>WZ7rTYwhoa@HmE73_Q?+WCd3zl{WT1rZH>;!<e;wGHjF
z_VSA&Dc}Z)?@!^6g!pn_Jt?Q)VjU^kVDDHzmSf17i}V4h;A3jv%4AkUWw!F!nCVN1
zc*F#(YEZp?e<JJRO-M-HHK%nrFmFLrCuv9%3-&C#;6S)z&=NU$J=@tZmlaEfM1v>h
zV~Q)LPHlxoaJNl}&jRfO+!$Z2d8Xh{z2tdrI@jE<3s10!g}L6;xQig$Y>|I15~^D&
z8o1L3iHr57RE3S%@+`zODu^6LUqxp1^t&7_f#N?tYE9N)PqA`ir@9$)vJZ<j=!_FH
zv(^n9n-o0xp_(3@O3^u+eAU-$AEnA(Z~92>`#!(4U)3QhicoS3^~{kg@OV@OF&ig-
z%sN>mORWSJfXl~ye0`<_!X``^`>Ei}_PW(rHo?PRuFs`OEhEFASo+1G{T%SQ$UxMT
zeN?Tpu-!EpUUsIOil`SQAUbOcf#RC-UlaL13(vfq4lwWi|I1gU_)i;8`Ty^xe8K$x
z2CeXBl!~~EoLUDpfj-ezK>|ZIp#g*u#l!@sBPyu=m*Vh}ruB(nF2q#1*+^+U;4zG;
zHh~#-&165^OWe9FXBn=m5sGQf0ut~!$+gQ}r0$fbBQ1}pi7T3oi<gwwjVRH2#ZK=V
zSf!s_8pc4w5gpTr_#F}Rhz#jkI`T6E26M&G0zE}NZSB0<Hlt*+Mwqmrz0vE9+t41<
zF^{J5-<#jQV{K@chHOK7r}vJv*Gz|M6~*p$3f=u}v$ng9-sZOHQ2wVqW^UAU-kXJi
zHg{fLXWm<{c5>ZqeY@R!-eOFAzu~-h3h>_9s0UDkdA}-v;nmCf?JL8ZdMp_)IdR?F
zjm>;xXRCe(OH=oWb+0oI#hqRbQ+nIiLvd#(hbg^R3!wO?MJB$PpZIp~Z`Z@|e0MK5
zwim$h&4p&ZogeDkS!AHW%wOia+t}RvwlSJ#>VUplNGYaD_n7Jnfk!_TKb8YbRmu7~
z7{(Dc#mJ}6zY))Y1sLhT0Tj=vm%h7-D5fb@L#(P;9_wvby`WQ(&H!_!rg0H!<o}!C
z|4rmS6+7m({J%F|ZEY9jzuwNv%_sTqF3O$Te^d8wg;m;YGQ)0SurFsSF%H!yI=)er
z+gZL2w6#_$by1~HNvbkU|D5IEUFfO<Z*o6$)7V2Q{vGj^kF=bPx$d=Gz|A{r{9WH$
zqKCE;bhUj7FJu7|2V3H68lG8&O;vg}52&Uy%A=4OnU^c?U=tf@_4h=?`tmsi{+gDb
z-HS^Sd6@&g3d4vq_$vzre7EWWkPb*=Xh$4T+8q-XWFK%7SIp|wxCqnIcGxkTGB_Th
zqq=qx@TZcLUs4#6iCn})QvV`Eh1C4*q;I$F&7Q~5k^yVJSs>@Lo?6{10F>)`uV{bJ
zhOTnE1x+i)52T3o88gLqeI>v1wSxOkU|ZPCoU43zDoua2Rqcsp5HQQHHWd}A&IO$|
zB03jV2JU5Oj!K7pK{510`-!mJ1!0jQSY<f4_tt%*tYqi~Hl2UGaW7LGl^yKvfrF#j
z$F}0s<TKru&P~3>TJE)9xkowTI}(QGou>6JSk7fn%d#_CJxeED|B!d?VKZIKKWk|K
zKOR9u<A~7-m6(P8Kz>AtHw70>xn83)nT5+!UTt<<Xgk=UxiZP0L1^n}b>7E(dirAg
z#EpuWiks~<X!|r6#-lcD^l%Tk+(UdrkiWsn{XO&Xm_GU?jD=1PWuL2^e4ZK3E=N>b
zky02l0a6)~pqz0Q3O!dG2H7|dDCl53#s5^DeV6a8NR&*JHxqB7f+(#6b%wiA1QUPw
zDTLb&{K9-6(9dhYA`z>&k2I!{eh{e7r`D*{RMnn92j3TE)Kbn_ebFl&YTWc7B7w)p
zDd1E$YCE9=-*fI$66Cx3WkfMzU(A7c9*F6<&wXK*Jg4jI_Nqe6DeQ;3#6!Z2u@ePh
z`Zh-HuM%y{-J?kQ+IM1Jd`jq)0#wQ-Qp@}hyr-9S%YLnyfm~;lPzMeNDCWmpq5V3D
z3l^#<nZjJT1oRS6qm6lqLupuFu<-kr+ca<+42%QWBg>hrL%?mOgBP<pHf)~=`f?j+
z;6~FhHpfAZ`QPZLdYvKB(^aJRz{JB4k`Yg|UyC_I@=)-|!x)b`V+-Cu50U`w&pP}l
z?qZ%)O3JVyIj^FQDF90(KvDnI!vT;A`XI-`StXcVAoaO12iu_TbD>*iN6p-pr*l<K
zJ0z|cCQCzulq5|6pvEFXq!BjZ`30TM940n-UKH8D1HnWQg)(|)HbH@sdTT9!O$UzB
zps{AD6Gn;@C<C74Mj0&>X3_>cc|tgI{`jaCsb5MDiA`T^sZ4@&M05j*TZMH~O#oA%
z>WY<%-g4j=>5f0ONKpY?dd2&AJT;jrLsV~{rl}&NuDVv$OL(q6JkJqkHKA-^xwdS2
zb7iYCPfw+eXX(s#_n_T|G-jSAe1)GgI&1k3wA;4(KzeziJJu}1s=v_#M=w9SX;C;}
zFzY8J{}qLlBxb&FhBW?(PJf8_ShCDiK#{oB2B*MRE$N{2<e)SxwwXCF){sO0Wa%y_
z168hJ=ICmBUXz%hBI|R0k%Z8mNZH7!K@D!S(|+}SuQ{IV(u&t-4P?v9#%ODOM%mSl
z$C09kk$g+Fub}^O+oP@(97ex(R`F^604HODNcPvNVg^=3Kt9cw&u{H-#BXizI8_P0
zG*L|DEA{=iplyI)=2nb;tEX18^EE54scnUHsSdB(V6dfzN;}U7+AGA((y1Ksks-~o
z-m}kgU67$?=2h*HMI?%$(W~*^XbWaLOjLB-mbRHj+nQ0uQL#3zG!=|*yi{=a@~S%J
zt@v0G8C*qNubzmdh~89$_xib1Qk8sgC`Sw1h0Q;SqjV*!KEI?9tV&L`?}sA-8*6Lo
zpYM|~jhG7?Yp|MxVY$|o4wHV?t~)bWU$~5wI6++lI;5YDl^^cD@4sa+njhQ0{q~Cm
z3yf!aCFODvN3hehb31NmJB376!#ZDAAV$ex;L`#@o3%~}m-orIdNwsm|DSf2noL?R
zvQMN5*);pPTE(camIPjMqOyTF$Gxtd8}g4_hqIpNW73;U%)+=<`S>i77Obm0S(i-U
z3w!}A)>$Z&JZHoNt$;SLSt!oAsHH-W^HD!y(o}OiRTTGuS{3X?)%5bEtqBWi(Q~C+
zv-_#>aAKsmw)Nxf3R{Ioc=l+kHDZ>XEm=>wR>mqy6i$Ad%l+gl<fxmbAXVpC$|{qz
z%Mwk<f0`c!<x*R82!s)xFrJ9A?nG=QTr@fCs^+}I{>4u3g4jI|xy@<|czm-sT-FsH
zNPgA(UK;s-DDRrvivPE<`D(M||FQk*$^YXn%9qOjV8>rQQTPQI^Qn@sY6Ns;g)Hz;
znx4m{)wi)$g)FfA>=!YGp)xC!{(y7Di$AM#C->17cXb5m;*FjT7+q?Xi}IWMx;MMg
z%u8}4n&npd(<=P~9RYGxijjW}m$mDtpm)Eue`~jk_KSvXm8MfYv)a`>QT3ZFP3V6X
zUEx;Ve{AmT6yJYuY&_+Eyqod`=zrkRD82MhcS`9EQtEdV(r83Np_DY?@-U57sQ)3<
z6ObUD_2#l7E(qiUgH&*hl6DPR{JgF1+qk4QJR@N^J1|~(z_LnN0Sg`U;&LyU7!8X?
z0g0yOht=!@S8-1&-cGjv{Id<KG5;^Y1Kn^fXQ6l0cH{_t9Qv^8l32FZzF^OsW9pNb
zP3Q^M?|lB8s%!1c{M259RUPO>!7<mWtw&qShi0m_fXPYd0qkTCWn)*-ayBuh?|N65
z?u*ttoF!3qN|j<V%~4v$W|Nap?wN@L<mf)ah`Q8683n^12PWkp0&Wz?;cmA(&H}AF
z+DnS@t_UMG>`F)pXB3b96@*<!9y|Q2(aA7DvY;|bRviLw)PKq+^=OLFdKxJ{dm;;*
zW`5M!95k$RRm)cPg)$zbD3YE<gKAk|Ah^;&h;YEN!l`~Qh2pv2;z|?#udWtvE&j_+
zublsH^GW}^n{wy;Uj=h!frumZ3KLy~hBVH+V6-K+o_HyQ)JEkYjrED1ZErJ4kM*zE
zrel6=7%!n_V2cSy#_PL!&N$vFe-lhTlE?%!q@O|_#ULq&>EQF{y=SWzNuRp0kH9e&
zLF?K6%ott;OPUp*PY31JHZ<sP_+9WoQt`d^pJ*#~WDOMq`m^NISH_#FgIVE<tnmAU
z`5w?<0uvG`ryu2SOjH<-xf@vkirPi9GvjF|wdT*?nnG8W-5I~2PkiVzWGzDefhnS;
z`l}agwZLn|10v`TrKZRmJH-S<#W8H<ytcP2e@|VFRZth44y;w^$N10euCun68du#o
zlf>~dOmlU$gL8Lorn^b%J*)n;&=D(joLQIUYP9o>wS!JOe-BZ8#exhi{?Pwjet1@J
zM<|FH*+?Z9ZmXY8g`-HQqHsiX!l(+&AxUSX@3i<pJrGoOb6^1&k?UEFM@Y^&JH0?z
zHCHj&Wbzndeb}3IHIm+-OyvG$9#hY>xZnBw8D`v}sB1L?L(5k!cd-UM(lzzX1s);v
z0QVu_K}Xkaf^zk)RRve>3p(A%;~_e5FN%q|@rn-s^zzYdF#Q(M35^8(N&dLI2l}77
zRvydjs>MxS&dsY@u+6J&7CIDO4>&cRLRAQ3y#uJikb@C*FGMm1VrfEpd)h`z!f*}n
zLOH;^$nLRL4|p(O!*?WHH}4__Ji-j7EP#;b;^?mf{UqUJg1wlirLZa}g_VtOw_d$m
zn=etgdcvoAwkcfIjN4ro=QJiE-Z?Ky)XLqb2*VXgGSgZ$NuD%;GA*3%iJ(W4ilExH
zX7l${P0`v2AG26>+_n>>v@ckId{u*}ooOsrAVy?!=cU}ThoQYZmFt!!`rjpq<S|`Z
z1)QV*z1(?KivRg)`|17nos>J*|9(-(1f<WC7!pbMA>zJ|q?-(95$O~Ub^TK^oRKf_
znDclRO|I<CzB9vE)tM#KJUncJmBM{Z=eR5;P`pykf<LgpgLWtS?KkhQ&#n}8-EFJ%
zm%r>EzdwBck6k#<Ru3MHsT)%dR;3PRrHcRjc~|}->wNyawhmgx3{<Rc6)7D3JR%+p
z{V7CLE|UiOl?Rz{=9Qt1;wP~}B1tulMLbXsr}24a`a09&u5dII@Qr4i#5`ie7hQZ`
zf`P?5y7!Lky`!N=BQe{Wnnwx=Q9<L_aPw3q(4nE^oPFO8Th|P0Ok5`0QlQh;Sc0RG
z7^SFaxU1ssZ$6Q6=;J75C)!1ZaRob4F3FL33=rw`bNI)E`^lId(P+$sP%YaPg6nB2
zMhE&OFwPH%5XsmWqwyID_kDh8C4WZUL%AAN%_UnynxL-qV`+|s@7cfRAHWP^dG$@$
zshW#g+B1}q-cccU9wl*-`HI3bG8o`VI?=$-sqL0A*=$Z;%cFltF}iID$lVtpwQ9@1
zDxEgyKJf96f_Nl}&ngcnj0p=YR5g2r%yv!DMawe)iHX+hGzi)mc=At!%S+5`38hc%
z0+2IDVH=8jnKM<*)8KqI(lSs;L{)rAiHIc#30NI-tVse`5IWB;v^Ir$xzhOaQ~8Ag
zx@03sjCe9s@0hYQh(4WQzKI}aK9DG46C^P_Pi6F69Wdt|h|_o63{4C3GP}RKm+o1o
zoH9IB5N!_+-O~1|#2=iREvUp3)2I?rG-wV@&PY{tL<H!^7kld1;M?rbXD&J5Nf7V#
z*1_XAj3IO^&eomI!_McBO+<H{n?~BCIBQcmS65Hl%n`BD8hxoFu$t+uHpy|;N+ZuX
z7FGL_f4ox-78}6rH7N9_5ICUJ0|G8l{^&8s7tJQtvC69mJxOWg-o)zJJiY`DRLyDX
zot}f2arPNj;*B*gm7{SDdS$R+KIp6}d<VS;vneH5o0q;W5p*5jbF1JMNW}CkGqP2J
z<t;3-!4j*eL3I-LD#z(u-<ZM1h@huPzcHtxHNSNAHdQv#nFBwgG?_Ix($Ow8ZrT#)
zfJc^)>A(-Uf9GQJid446XV+EI3vpc@dHQ%vc@n`Tk1l*pJUl*P*S4>fHbbY7H_78I
zxil~C=2M?wGDVjME)7vf4hC$PL^xxeT&a@+!V-JC_uVPEf&OnjSL>d+L<kai5m~?(
zFz^0%W3w3lZEI`i>Hhal%AM=~`l%q5f}_HuEHi5Q@(@XpBqI0%apnuFipP{0j;0;f
zT@IVX-|1^l6UZg6X*GMBk&iHBf>I!9%@%8gfmDw&%*&;8*6Dqx=;+z1am_Q-s?Zfq
z8k{5>$%IWKB5TVd30B8&zg@N7S{1D+aIH(HLinSKD~zlM-DN4TR<1w&Mz~Q&MwHC;
z;PrnNG&+jtfPHGz%>|u0s!^dQ^Q72*Y;3Xi?4CM5X8zqP%7#2rhNEZ2*iV>&yck6c
zeXQ5aM-32_l(?W07N7o#;%)UJ&!$Vut$j0HfxPW`6U*eK^0(>-(3t`>p9UBmwD5-6
z^jq=9x;ihMwRbZzFeIOt&qy@2;+QC(7E~;evg$i_9u;D~%_MGfkBSMDJA+((0kSc7
z+MT=$X*xv<V~Vi?vOd+>D#lr}UjbLzD#~3p?&zjAUZ31-DU0pBp>EZi-h4Ci3ir%i
zuzdsScf>4g2JCZA2Kb`9Iu=Bgi_3N4ZXP46{ay&>HY+d^L@F!jwD9--^x2D;v**QA
zR<)h^FZWlqc`6OcqWa&MM2vX-g|33<=zp(XZ58vsZ}m2x^uIePUrzsfCo$>u_cyNn
z84SHQx}RBSt>%X@E3T*YnK5oh=c@qeLK>fGue&2jJX%`mEA&;Z@{!0Lv6#AX5><N9
z6(?j>FZPtgqk7e`(2r!avO$g7c+7cRqdG>`r*>}Cihd;fHE!lsABp~XZu|M_>+JT&
z>JmVrNZoSEHOjr-Q<b>5OSNiou427vtZ}3xxA=y&<J=7LtHDXyh_Xz)z!Jh$X~-29
zlSsD<bEvrMxM?GVfpi(jH)@6`UcA`LM|8|lpSE=tDlSB`y{tY|_1ITYzX1|vt!@EK
zRdbpRv9HCD(}V-wm@Vf9g@GpXUc#7Tx~=GM8ADFPZf@9&V-~T%zAtIQsq5vM1{~Av
zJvZOj<aCiUmJ{l3(Rg!<$1S&n>zp&2BQ0{UYTDhfVNRak1$H(QvmfNHX49Xuqc)YS
z+A;h0WzBF4+kbd4<Tq;n+34+T7ybXYdfVGi_Mf{bU(o&|G3oX9{}IvQ-*4Usq|x;L
z7=i57)?0$qw6AFkvWL1QgHRc~iy4G;`x`L`<@>5J2+cO*<h!Ub<IFWG6&6)*RJv~l
zq1PlPeIknOJ^k}t8I(?_dDvYxC8=+7d)iOp(VGlctbS6ws4+v~&u{9{Y!Q2jJ&QTI
z=q*^klnuh3!o4($X;SwUn8j2B`;c8{)U==Z#yAZ0oL_QbF1K%!D{!=XWs?&$ZeWtj
z$kIGxoUYjb=~exXpm8TnD|mwzI6aXk+gnp%<K}E{D17yAL~U#^?`3QPy4#0sd((?p
zVBeRuz18$`UE7=P_MY3`8e3@UB<S0;(A=<|Q@e(FW*X~2En%j)Rg>r}mE_@W&Gqe~
zX3K8hF8ZYnJafvz_CL(8vRELHdH!E7w~PK?n>(*|p6q{jQNE!4Z+i0IZ*Si4m&^b2
z<;{M$$XoUN!VzxC%vS{FVn#k}eIq75yQd{RzH*aU+TY9W<;mOY$=j=};p2(^3XED`
z+Se;bIq#KK=?i;$DFl4-^ZGKjrnx-t<}6J&#rWsXc^M50JAK$TCR{?}-CowdRN2RM
ztxMSHJ-012He%F^ZntT|xSiv5ZOer^R}b8ut6GeHaJ$*uM3_>;+w$XDwk&G@$?7*Z
z0?qON+IUs6|7^W{djEGf<;&TBjua-{h7rg@(tBeG%H~vW4$A6W&n9GzbvuTkY5*@}
z9kRN(W*C@?o+?d5sdkyxx7Dxty-I3teifOaW6l_st~A5DsCu+Y!-|t<Heb-1Qm$4B
z*?Kj<T)keetvDMu6k?`4i@bS7L&)05g|N`x#daaGr?Dec3{l*V8NgoDpfD3T8|}dD
znipoT>^>P9mJ^>n>N1a}$>*t@nB<5$S+JhxES^_JwnR|JWH`<x;klsG4j**Pw^@7*
zQ+ZS|HB2QWXWpmjY&}f#!U8>O!@>$gyq2lVUO`@*E+{cIIh8AGS>ssfsW8Q(pBl8%
zIeBbjLw?u4n5}6(2VKk(F~2{H(J4TwT&9hvVJ(6d2bu3MTdgUZu(zwlJ+<aiZ9`hi
zFK326T|3629pA92%39)r7_*$wYDP!bv|QPnb-&G5#@JC32^ZXg8nN;gjUhLy9yDIj
ztx%7w>d)zg=zI!-vU2%o&cIu+&sbOz88fbs4>mokW_@7&5*Ml-@fIkFEvzm_O7i0F
z1IFUY_1qkFvjM#zr7QM2r>h&LclK!E@+7ZPw|&6qQoE)(C{u$HVd0qD_%N&9qW0rO
z?Y|NA*rJKR=H>s|?!7Ge|7|_x|GJZMGxp!548X?{m2T(xufo!MWBbMF)SG?r^Ytvg
zYJ}S{_LhLz%q**#HM7XpI^5+txu8?wgjl!G5vCp^5&JjwbfU|-omowsiAj!$86oOz
z*s+u_qp6+G19PAj*3qtVqF9^Ts@#D7QMoi@8mu$7*UHsR{J@IF;%YCjvXh|4gl&9W
z2vn&FaXygjs*S;uo8`}f?kDkR@%>Db8qKSo2zs>8H1CBqKdYBy5W0>hVGi2$7Swd@
za{gv$E%)V3c9#EH0o!Ky&e=8VZQFSgTs!c>escEc58rS-&kUsq>?~eg%@h_hK2`T|
zP0dVodM`~*isPx|@kS9-t8WZxw8&`2d5b#MjY%Q(Y`=b+RU3QHW`ka3Cr@u-R0=>j
zf9&zOFc1|=o-+iT=#*YsW`OVZU}Jl&@lI5V9oNAB%Kj{4m(6($QO~ol)dgg(HN^|t
zHL{l+KxgS(l6MqmJ6rr<gSz4E6KmyA`ywt@_qr^q|J!`2sTE+3{=fZdtEm5Pz1n_y
z|92<l%lUt4by(IxMZZtWy1tU#u|6K`10D=|JxN?viy~j!Bml>s+I6~q>dc@;q)xA=
z#pIgNHg0ybjdZjoB43@Pr}9Ww!lr5o<<!xIZGg~X_GXpUMvl`FRicQ_m1$;e(leT5
zk$MGFGWK(?9W!OG#-5Ui6}9%1>Tv}OX@Kc}y>9bombgXp$5++#+Vo^R5|ip7>ir%X
z$n_bk(kZG_>sU@<nvXq#1;diMkm0bCZgj0)<fvs^*t3`#kz$$7dpG;E&tFsRTH3`F
z1#^$&c-pb+X40_r=hLCN+e1@OHA=lhC%-&XHBEGHXkTVXmMaWV0~t7r9LoIJDcUTT
z6mP8)SNFJ5iPUCcmW`_2&ZQA<XUfl-d4y^GQoik;l<v8oO-TA;R2~P-%5qhPG(Je8
zhz6NavE42jZb;yzltWXDg8jsdR0lO|bjsfZlaC~_og{0fk?AmSnyJgKs-jSP_qX7;
zz<48mBYq1iG#xd#nz`IL4FPAZ#?dQp0Z`pP|3*A7leIL7G4VWj-swoONUB?V&t!E?
z1>`J9;5kwY%TOcRed{*^z!D^`tJl=Z|IUc|V>S$UM6WAj&XNCnJ3GC+{J-&XYv)P+
zzmu{8M<kXsMqsXa+;7P+0_Z2q$0XY!aWBY_3a7OKrz0jnBw@&-Sb!K&-$!p17?ao?
zv0%6k5%o#TCYs@8zmvdgtw2DB%D;J485Oi2Dg6J|9QY9UQ{Vx%lv9F`M&Pr6IxXk*
z$=QiyPpuU=Km>)42PfdMNVJ?Gi@W$=HT{;;|98~I|C%30!>;^~`KOo!-K?WNaW9e(
zwHDEO;fTwy^}^|si`EM#9*3<L|Nqtsd?XR$iGah`Z$!%pBmO&e<CeobO1i3E#D8x&
z6X9}?%D&ln2m|hWG-|Q&uzPPU47KO~_|5+7cW<1rcl|Nuy#IRH+k90x|2sPyy{Gek
z7i9&$XK_Hr%$$a|tRG2v<3M6VtF;fm{z(0C{^x(Knk4y>NjPGp(&NWGWUlD?s_L1>
zrxjUe4K3Hhh$o>WDGJBH=R@W~pT?Jz2I)jpJEzrJS%K5He}8@4YMq~-OPRRk(U1ln
z4O~XG+%37{uI>*xv^Ik7!lv`d`DFZMxL`4lrn|shw%hGSbjU;;O*<Qo$K4AWIgEGv
zYJ4@k91_QMc_6q?TXGeUjz5JYl!9hj4W~y!_R$PK*=Sv`z}p3>g0tZ}61K)PCQ|&B
zGgtGj(0Sws;S3VrSI&%hC2d-br%JYg_K(!}IsC#S-)pN$yyg5t!ZzlR2nsxjfP|@|
zkdR_{7;!JbTZaDwr_mICRpuTzCBeTF*w1Ri0f~vvhuKDJ;5aTHcWDsQD2$k(YwIY;
zWIq7)7<Rx1>3&x9t2XyAh|>wRTF6?I;1foC!aOQ~7)&wNNElH+q>+Hj5pzf2l0b@F
zc-?>xD<;(EAq4bNV-X}$kXJZd!rC>%+F(oqGNh5yYUPnIHvsafUw=yal!T$kdb`lS
zI3AsJ6{34I^!aowg;6OStM2iid;oZ!4pjdv0M}1MOe2l(M-fGJU$B^pR;vSYyeObC
z6|muKZvC~@Q5|eK-#Wd&sy0#&rLqtF=SfIiMtopFn8YC55gil!vI2)=GNi|x#~IF=
zqae{Mo`!T61gc#v0FMecVyJuV!fQMyV5(b6C6k>>J<I2=)V*2&^b;9}KHY`%bhTR6
zDV#IZaat3hr}~$t!R}cjWH%VH;8Uv=li|E>RX;Hq+TCn88!w%Wjz{~91f7juCwjTn
zYK4jKA90_#bLWb{9!!C#?vK)j>0K8JR?qkSOEMMDrMi^PL&EGi+Sudg>+04@>It&?
z;ov=wk0L5)5I<M*QTP2Kn-Ga2GHn5{m?|s8?3o%R+Mj|jlMYlT5-Zc`>v3Q;d+9?&
zdH}_m(`tFNpIG4Tt1H10Xw+Kp`h^W($`iQciSL2WE~xw>C<Xc{jtH<|z@xDu5sEJe
zdy~{<p~UU|09YVm61Y@%)~CCzl@u*)j9bYO{ye^{Nch+6{t8&z5B5&9RzNLX&j{(R
zJXc4O>Wi2LF3nDsz6hQRCv$tM>Pw;5^ySz<kZ^3ZM9d>Hqz66`Vjgb(W5k6rxMUNI
z;Uo8xF@+P=5nxa2a5yly*Y32}!5-#4vZ{7l(_D`UIZpxJ6xpSs){^P5V3?b6yVGv9
zi0e`z-f@r4o9;f=gfaIrhvV9L=LR~a#QP;;G5vrWAlSd>4tB!+O&1v9+kdcDODZ(;
z`aRNCzJ9imUalv@NoS(7K^?W}E4l4Za9sflumu3D073vKy@G0(HEfErZ*qP_8QP*`
zGG~>x70&o0X#-zwvE!-k{en*4kx<HhyT!ir@2ME5`V6TnDbEF+BIQR$Aio6G$nql#
z>L#J)&-<vU%>uR(#nP#+fIZn2fYg>KD;d|CpXf9NrGzCeSWYaFl<F6$KwoM<PY^T^
z3{_%0ix~UH77<tgL{EGj1Rqm~*_aC1!6gasP!45lCD}#FAtB^Kus-uyJXOP@>^Gt;
z5=Cf8(ZcNRN=C`M8dmswr_-qxUo}*gmt6sT(x<-WP$UeSH&t8sAtZk!G?js~-T3oQ
zNFP=hbMF=OUvAUDO`mLj{@ltf+6(<`#g5}>Gb0TqyXoU)qgEX4pPc;i;rMm>0hDd=
zhlr1Ntsg-H8Xe9C`7blTWp+ocSR0B<Q4p$M7#8m)@<U$G>C6!?EX#D$0rh*U%(3zF
zXM|sC#lE&cuog~K{_xK`P4Lmaz|;rq{fE;xCr<n+&go>=xFGKJ?)Hkfx3R<}anqQ$
z^Be=OeO-)ub2yL`X}}{_a!xMND}4Ph9Pc0`&0@ZfvK^8#;!~+kmsDva#l8<x`i1dS
z-}#`Sys%Mw?e=;BmV50sV*K+$)rOY%;sDRgK|hmS6s+_0Hw>-x)X`5Nk7BU8*?YDs
z^+GrHv9Y<a>mZ#AiA&SB#2GF?hr{oJ2XcCQ?LRU9l4D`v=e8toM9`Pp(DBw<RUp_{
z3IrQA2sUm81RJ*if{h{wG|_;c!(l``DXAa{Ipwh7^qgL+_3MWK-t!3^_h|$hTkEjd
z+w83?6?(F1OxbWr1fU8c)uRCmm>5wnQ}Kr^9wmJ=en{lirqUG=lQ<C_KIp_F+R;{F
zw23eQWAZzXj5$iGddkC4$OUTwCcW5qM<f_hp$s<4mLb1qmI8goP(g^fBnmtVc|>9*
z#CmKnptvmqO5!AvU3nhGyH~Z;EhRx=FY+8}kr!<m=}>wFz+yrDfmEtU<Y~Dg1=*Vq
zZyimQe;JWDo%<z?C@^i(q59gl2#5dEYIWc!q7$^H>mP-J2NU*!6G7oTFOi(Xs-_wU
zhyE1$JRYe=o4CF$1AMC^xwXnzhwIPxxmoU0SyzAu{&dZOUw@<#oo(+lc20={BxHI~
z9VF{(sP?)fkVxghm?MlbWta4MqRy2yuXA;A?zB4avxI^YgS1)oyfmlDmXn*-fc(*2
z(X~4`xsFEjIkS-ip60Ph&O<<`)L$cPzd*nuyMKY#CNLrb`cio3kw+y$6F(f0K8=}+
zCkiFp5g+p*4XE7tOEOh*u;c(En%W92+nC0&1Bt92jkFaLuci`n+SNf}DJDtmI@G2H
zEjg>Yv{(}c5g!AQOH;VW18R7ZvGwVbvyT0VkyIIi=P?W<=_0`tm=FmS&4*Mnx;{r5
zQH4tb5-~0bgrwPer?k<<ZtZa@<nV@Mne#}3socnH8rdpPPbeHVdui&>$Z3mN^Uec9
z^OA@TXk-Z0uY53IXmrGC9(NO|+2EedK0K4nv&q)km<`nicURIsJBgqjmk27>^fA$&
zf}z?xvxb<%WJ_bq&w>sTAAA;Ep!M`W&De5G$2MZeNz5Zge9?`l;QoYm<n%W2zgwM<
zi@1|bMeTI=JG;jwtEp_z_xZ4^>d=l{369yBY<6O<|J>?+hipwdU$!g{&Hr$DIQ_e1
zW83h3#EIwfv2rkqX*7nm`K_&X2shUJhHjm5&$~R5L>@%a7tCWMVi<5p59dJ=c-kd?
zKP2vmnu)A~dA+ph^k7w1XzNeywZFF{_KnFD5n0l2#3CdR^pi_NBp@yyhdxtExM4oJ
z3#au@-2v~%1Zjp`tl^fr7Ld5rLZI$;yO)=j4#6opJQ{X=RYi2)9v-}Te}XQm-?dsl
z2R;=dW4HaOxf+o)-zS$KNzpK(ibb#hE+ZD>t+n8T_>x4l<uMUQte?a=@R&I<0d@sR
z*#l_rpTOZs8@}H^IXqc!{c?Ev<A<M5;g|j6<Nf!ihi^{c!!aCuc>ntF^zg&`6Zr50
z?7#mf{B-#K^*T_djDnve@fC7{Y>dKz(>kFvH@GpDDYGtf!6(5mAwvp7KA};7m-sXq
vGoiRG3A~oi#w^w}wX_`P-d<Nfm8bGlp2}0Xq4NI)00960Zc{*709ptD{b441

literal 0
HcmV?d00001


From 544478a954fef998845c7710ebe3f5eeb83e896e Mon Sep 17 00:00:00 2001
From: jessebot <jessebot@linux.com>
Date: Sun, 24 Mar 2024 11:33:07 +0100
Subject: [PATCH 04/40] update docs and chart version for a major bump

---
 charts/netmaker/Chart.yaml | 2 +-
 charts/netmaker/README.md  | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/charts/netmaker/Chart.yaml b/charts/netmaker/Chart.yaml
index 0094fbe..302e73d 100644
--- a/charts/netmaker/Chart.yaml
+++ b/charts/netmaker/Chart.yaml
@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.9.1
+version: 0.10.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
diff --git a/charts/netmaker/README.md b/charts/netmaker/README.md
index 2244834..65d644e 100644
--- a/charts/netmaker/README.md
+++ b/charts/netmaker/README.md
@@ -1,6 +1,6 @@
 # netmaker
 
-![Version: 0.9.1](https://img.shields.io/badge/Version-0.9.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.20.3](https://img.shields.io/badge/AppVersion-v0.20.3-informational?style=flat-square)
+![Version: 0.10.0](https://img.shields.io/badge/Version-0.10.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.20.3](https://img.shields.io/badge/AppVersion-v0.20.3-informational?style=flat-square)
 
 A Helm chart to run HA Netmaker on Kubernetes
 

From d856a74157d51279deb2f3e2a1ff9b5e760beaf5 Mon Sep 17 00:00:00 2001
From: jessebot <jessebot@linux.com>
Date: Sun, 24 Mar 2024 11:36:33 +0100
Subject: [PATCH 05/40] add pre-commit file

---
 .pre-commit-config.yaml | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
 create mode 100644 .pre-commit-config.yaml

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
new file mode 100644
index 0000000..3a5a0ed
--- /dev/null
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,16 @@
+repos:
+  # update the chart README.md with the comments from values.yaml
+  - repo: https://github.com/norwoodj/helm-docs
+    rev: v1.13.1
+    hooks:
+      - id: helm-docs
+  # helm lint and markdown link verifier
+  - repo: https://github.com/gruntwork-io/pre-commit
+    rev: v0.1.23 
+    hooks:
+      - id: helmlint
+  # detect any secrets that may be committed before they're committed
+  - repo: https://github.com/gitleaks/gitleaks
+    rev: v8.18.2
+    hooks:
+      - id: gitleaks

From b9ea46d9bc2a6e7acb1883c01d74b9c90fd47cda Mon Sep 17 00:00:00 2001
From: jessebot <jessebot@linux.com>
Date: Sun, 24 Mar 2024 11:40:28 +0100
Subject: [PATCH 06/40] adding testing and renovate udpates

---
 .github/workflows/ci-helm-lint-test.yml | 51 +++++++++++++++++++++++
 .github/workflows/renovate.yml          | 26 +++++++++---
 renovate.json                           | 55 ++++++++++++++++++++++++-
 3 files changed, 125 insertions(+), 7 deletions(-)
 create mode 100644 .github/workflows/ci-helm-lint-test.yml

diff --git a/.github/workflows/ci-helm-lint-test.yml b/.github/workflows/ci-helm-lint-test.yml
new file mode 100644
index 0000000..0c068b8
--- /dev/null
+++ b/.github/workflows/ci-helm-lint-test.yml
@@ -0,0 +1,51 @@
+name: Lint and Test Chart
+
+on:
+  pull_request:
+    paths:
+      - 'charts/netmaker/**'
+
+permissions:
+  contents: read
+
+jobs:
+  lint:
+    name: Lint
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: "0"
+
+      - name: Install Helm
+        uses: azure/setup-helm@v4
+
+      - name: Add dependency chart repos
+        run: |
+          helm repo add bitnami https://charts.bitnami.com/bitnami
+
+      - name: Set up chart-testing
+        uses: helm/chart-testing-action@v2.6.1
+
+      - name: Run chart-testing (list-changed)
+        id: list-changed
+        run: |
+          changed=$(ct list-changed --target-branch ${{ github.event.repository.default_branch }})
+          if [[ -n "$changed" ]]; then
+            echo "changed=true" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Run chart-testing (lint)
+        id: lint
+        if: steps.list-changed.outputs.changed == 'true'
+        run: ct lint --target-branch ${{ github.event.repository.default_branch }}
+
+      - name: Create kind cluster
+        uses: helm/kind-action@v1.9.0
+        if: steps.list-changed.outputs.changed == 'true'
+
+      - name: Run chart-testing (install)
+        id: install
+        if: steps.list-changed.outputs.changed == 'true'
+        run: ct install --target-branch ${{ github.event.repository.default_branch }}
diff --git a/.github/workflows/renovate.yml b/.github/workflows/renovate.yml
index 77ce572..4ca1c7e 100644
--- a/.github/workflows/renovate.yml
+++ b/.github/workflows/renovate.yml
@@ -1,17 +1,31 @@
-name: Renovate - check for dependency updates
+name: Renovate
 on:
   schedule:
     # The "*" (#42, asterisk) character has special semantics in YAML, so this
     # string has to be quoted.
-    - cron: '1 * * * *'
+    - cron: '0/15 * * * *'
+  push:
+    branches:
+      - main
+    paths:
+      - ".github/workflows/renovate.yml"
+      - "renovate.json"
 jobs:
   renovate:
     runs-on: ubuntu-latest
     steps:
+      - name: Get token
+        id: get_token
+        uses: tibdex/github-app-token@v2
+        with:
+          private_key: ${{ secrets.private_key }}
+          app_id: ${{ secrets.app_id }}
+
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4.1.1
+
       - name: Self-hosted Renovate
-        uses: renovatebot/github-action@v39.0.1
+        uses: renovatebot/github-action@v40.1.5
         with:
-          token: ${{ secrets.RENOVATE_TOKEN }}
-          configurationFile: .github/config.js
+          configurationFile: renovate.json
+          token: '${{ steps.get_token.outputs.token }}'
diff --git a/renovate.json b/renovate.json
index 7190a60..813b3f5 100644
--- a/renovate.json
+++ b/renovate.json
@@ -1,3 +1,56 @@
 {
-  "$schema": "https://docs.renovatebot.com/renovate-schema.json"
+    "extends": ["config:recommended"],
+    "allowPostUpgradeCommandTemplating": true,
+    "allowedPostUpgradeCommands": ["^.*"],
+    "repositories": ["small-hack/netmaker-helm"],
+    "platform": "github",
+    "forkProcessing": "enabled",
+    "configMigration": true,
+    "onboarding": false,
+    "requireConfig": "optional",
+    "customManagers": [
+      {
+        "customType": "regex",
+        "fileMatch": ["(^|/)Chart\\.yaml$"],
+        "matchStrings": [
+          "#\\s?renovate: image=(?<depName>.*?)\\s?appVersion:\\s?\\\"?(?<currentValue>[\\w+\\.\\-]*)"
+        ],
+        "datasourceTemplate": "docker"
+      }
+    ],
+    "packageRules": [
+      {
+        "matchManagers": ["helm-requirements", "helm-values", "custom.regex"],
+        "matchUpdateTypes": ["patch"],
+        "postUpgradeTasks": {
+          "commands": [
+            "version=$(grep '^version:' charts/netmaker/Chart.yaml | awk '{print $2}')\n major=$(echo $version | cut -d. -f1)\n minor=$(echo $version | cut -d. -f2)\n patch=$(echo $version | cut -d. -f3)\n patch=$(expr $patch + 1)\n  echo \"Replacing $version with $major.$minor.$patch\"\n sed -i \"s/^version:.*/version: ${major}.${minor}.${patch}/g\" charts/netmaker/Chart.yaml\n cat charts/netmaker/Chart.yaml\n sed -i \"s/${version}/${major}.${minor}.${patch}/g\" charts/netmaker/README.md\n"
+          ],
+          "fileFilters": ["**/Chart.yaml"],
+          "executionMode": "branch"
+        } 
+      },
+      {
+        "matchManagers": ["helm-requirements", "helm-values", "custom.regex"],
+        "matchUpdateTypes": ["minor"],
+        "postUpgradeTasks": {
+          "commands": [
+            "version=$(grep '^version:' charts/netmaker/Chart.yaml | awk '{print $2}')\n                  major=$(echo $version | cut -d. -f1)\n                  minor=$(echo $version | cut -d. -f2)\n                  patch=$(echo $version | cut -d. -f3)\n                  minor=$(expr $minor + 1)\n                  echo \"Replacing $version with $major.$minor.$patch\"\n                  sed -i \"s/^version:.*/version: ${major}.${minor}.${patch}/g\" charts/netmaker/Chart.yaml\n                  cat charts/netmaker/Chart.yaml\n            sed -i \"s/${version}/${major}.${minor}.${patch}/g\" charts/netmaker/README.md\n"
+          ],
+          "fileFilters": ["**/Chart.yaml"],
+          "executionMode": "branch"
+        }
+      },
+      {
+        "matchManagers": ["helm-requirements", "helm-values", "custom.regex"],
+        "matchUpdateTypes": ["major"],
+        "postUpgradeTasks": {
+          "commands": [
+            "version=$(grep '^version:' charts/netmaker/Chart.yaml | awk '{print $2}')\n                  major=$(echo $version | cut -d. -f1)\n        major=$(expr $major + 1)\n           minor=$(echo $version | cut -d. -f2)\n                  patch=$(echo $version | cut -d. -f3)\n                                echo \"Replacing $version with $major.$minor.$patch\"\n                  sed -i \"s/^version:.*/version: ${major}.${minor}.${patch}/g\" charts/netmaker/Chart.yaml\n                  cat charts/netmaker/Chart.yaml\n            sed -i \"s/${version}/${major}.${minor}.${patch}/g\" charts/netmaker/README.md\n"
+          ],
+          "fileFilters": ["**/Chart.yaml"],
+          "executionMode": "branch"
+        }
+      }
+    ]
 }

From 84949cb17efaf28ec05d657e3a9b3a90769bcf6a Mon Sep 17 00:00:00 2001
From: jessebot <jessebot@linux.com>
Date: Sun, 24 Mar 2024 11:42:28 +0100
Subject: [PATCH 07/40] add maintainers to chart

---
 charts/netmaker/Chart.yaml | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/charts/netmaker/Chart.yaml b/charts/netmaker/Chart.yaml
index 302e73d..319d110 100644
--- a/charts/netmaker/Chart.yaml
+++ b/charts/netmaker/Chart.yaml
@@ -23,6 +23,14 @@ version: 0.10.0
 # It is recommended to use it with quotes.
 appVersion: "v0.20.3"
 
+maintainers:
+  - name: "jessebot"
+    email: "jessebot@linux.com"
+    url: "https://github.com/jessebot/"
+  - name: "cloudymax"
+    email: "emax@cloudydev.net"
+    url: "https://github.com/cloudymax/"
+
 dependencies:
   - name: postgresql
     version: 15.1.2

From 0cd735d4a227deeb740d908f42ecf2b27b3869c2 Mon Sep 17 00:00:00 2001
From: jessebot <jessebot@linux.com>
Date: Sun, 24 Mar 2024 12:01:07 +0100
Subject: [PATCH 08/40] seperate out the ingresses

---
 charts/netmaker/templates/cert.yaml          |  36 +++
 charts/netmaker/templates/ingress-mqtt.yaml  |  70 ++++++
 charts/netmaker/templates/ingress-rest.yaml  |  75 ++++++
 charts/netmaker/templates/ingress-route.yaml |  37 +++
 charts/netmaker/templates/ingress-ui.yaml    |  75 ++++++
 charts/netmaker/templates/ingress.yaml       | 235 -------------------
 6 files changed, 293 insertions(+), 235 deletions(-)
 create mode 100644 charts/netmaker/templates/cert.yaml
 create mode 100644 charts/netmaker/templates/ingress-mqtt.yaml
 create mode 100644 charts/netmaker/templates/ingress-rest.yaml
 create mode 100644 charts/netmaker/templates/ingress-route.yaml
 create mode 100644 charts/netmaker/templates/ingress-ui.yaml
 delete mode 100644 charts/netmaker/templates/ingress.yaml

diff --git a/charts/netmaker/templates/cert.yaml b/charts/netmaker/templates/cert.yaml
new file mode 100644
index 0000000..c1141d2
--- /dev/null
+++ b/charts/netmaker/templates/cert.yaml
@@ -0,0 +1,36 @@
+{{- if .Values.ingress.enabled -}}
+{{- $fullName := include "netmaker.fullname" . -}}
+{{- $fullUIName := printf "%s-%s" $fullName "ui" -}}
+{{- $fullRESTName := printf "%s-%s" $fullName "rest" -}}
+{{- $fullMQName := printf "%s-%s" $fullName "mqtt" -}}
+{{- $uiSvcPort := .Values.service.uiPort -}}
+{{- $restSvcPort := .Values.service.restPort -}}
+{{- $mqSvcPort := 8883 -}}
+{{- $classname := required "A valid .Values.ingress.className entry required! Please set this to your ingress class (nginx, traefik)" .Values.ingress.className}}
+{{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }}
+  {{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }}
+  {{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}}
+  {{- end }}
+{{- end }}
+{{- if and .Values.ingress.tls.enabled (not (eq .Values.ingress.tls.issuerName "" ))}}
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  annotations:
+    acme.cert-manager.io/http01-override-ingress-name: {{ $fullMQName }}
+  labels:
+    {{- include "netmaker.labels" . | nindent 4 }}
+  name: {{ $fullMQName }}-tls-secret
+spec:
+  dnsNames:
+  - {{ .Values.ingress.hostPrefix.mq }}{{ .Values.baseDomain }}
+  issuerRef:
+    group: cert-manager.io
+    kind: ClusterIssuer
+    name:  {{ .Values.ingress.tls.issuerName }}
+  secretName: {{ $fullMQName }}-tls-secret
+  usages:
+  - digital signature
+  - key encipherment
+{{- end }}
+{{- end }}
diff --git a/charts/netmaker/templates/ingress-mqtt.yaml b/charts/netmaker/templates/ingress-mqtt.yaml
new file mode 100644
index 0000000..495b7bc
--- /dev/null
+++ b/charts/netmaker/templates/ingress-mqtt.yaml
@@ -0,0 +1,70 @@
+{{- if .Values.ingress.enabled -}}
+{{- $fullName := include "netmaker.fullname" . -}}
+{{- $fullUIName := printf "%s-%s" $fullName "ui" -}}
+{{- $fullRESTName := printf "%s-%s" $fullName "rest" -}}
+{{- $fullMQName := printf "%s-%s" $fullName "mqtt" -}}
+{{- $uiSvcPort := .Values.service.uiPort -}}
+{{- $restSvcPort := .Values.service.restPort -}}
+{{- $mqSvcPort := 8883 -}}
+{{- $classname := required "A valid .Values.ingress.className entry required! Please set this to your ingress class (nginx, traefik)" .Values.ingress.className}}
+{{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }}
+  {{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }}
+  {{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}}
+  {{- end }}
+{{- end }}
+{{- if or (eq .Values.ingress.className "nginx") (eq .Values.ingress.className "public") }}
+{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
+apiVersion: networking.k8s.io/v1
+{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
+apiVersion: networking.k8s.io/v1beta1
+{{- else -}}
+apiVersion: extensions/v1beta1
+{{- end }}
+kind: Ingress
+metadata:
+  name: {{ $fullMQName }}
+  labels:
+    {{- include "netmaker.labels" . | nindent 4 }}
+  {{- with .Values.ingress }}
+  annotations:
+    {{- toYaml .annotations.nginx | nindent 4 }}
+    {{- if and .tls.enabled (eq .tls.issuerName "" )}}
+    {{- toYaml .annotations.tls | nindent 4 }}
+    {{- else if .tls.enabled}}
+    cert-manager.io/cluster-issuer: {{ .tls.issuerName }}
+    {{- end }}
+    {{- with .annotations.mq }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+  {{- end }}
+spec:
+  {{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
+  ingressClassName:  {{ required "A valid .Values.ingress.className entry required!" .Values.ingress.className}}
+  {{- end }}
+  {{- if .Values.ingress.tls.enabled }}
+  tls:
+    - hosts:
+        - {{ .Values.ingress.hostPrefix.broker }}{{ .Values.baseDomain }}
+      secretName: {{ $fullMQName }}-tls-secret
+  {{- end }}
+  rules:
+    - host: {{ .Values.ingress.hostPrefix.broker }}{{ .Values.baseDomain }}
+      http:
+        paths:
+          - path: /
+            {{- if (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }}
+            pathType: Prefix
+            {{- end }}
+            backend:
+              {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
+              service:
+                name: {{ $fullMQName }}
+                port:
+                  number: {{ $mqSvcPort }}
+              {{- else }}
+              serviceName: {{ $fullMQName }}
+              servicePort: {{ $mqSvcPort }}
+              {{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/netmaker/templates/ingress-rest.yaml b/charts/netmaker/templates/ingress-rest.yaml
new file mode 100644
index 0000000..04dbb94
--- /dev/null
+++ b/charts/netmaker/templates/ingress-rest.yaml
@@ -0,0 +1,75 @@
+{{- if .Values.ingress.enabled -}}
+{{- $fullName := include "netmaker.fullname" . -}}
+{{- $fullUIName := printf "%s-%s" $fullName "ui" -}}
+{{- $fullRESTName := printf "%s-%s" $fullName "rest" -}}
+{{- $fullMQName := printf "%s-%s" $fullName "mqtt" -}}
+{{- $uiSvcPort := .Values.service.uiPort -}}
+{{- $restSvcPort := .Values.service.restPort -}}
+{{- $mqSvcPort := 8883 -}}
+{{- $classname := required "A valid .Values.ingress.className entry required! Please set this to your ingress class (nginx, traefik)" .Values.ingress.className}}
+{{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }}
+  {{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }}
+  {{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}}
+  {{- end }}
+{{- end }}
+{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
+apiVersion: networking.k8s.io/v1
+{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
+apiVersion: networking.k8s.io/v1beta1
+{{- else -}}
+apiVersion: extensions/v1beta1
+{{- end }}
+kind: Ingress
+metadata:
+  name: {{ $fullRESTName }}
+  labels:
+    {{- include "netmaker.labels" . | nindent 4 }}
+  {{- with .Values.ingress }}
+  annotations:
+    {{- toYaml .annotations.base | nindent 4 }}
+    {{- if or (eq .className "nginx") (eq .className "public") }}
+    {{- toYaml .annotations.nginx | nindent 4 }}
+    {{- end }}
+    {{- if eq .className "traefik" }}
+    {{- toYaml .annotations.traefik | nindent 4 }}
+    {{- end }}
+    {{- if and .tls.enabled (eq .tls.issuerName "" )}}
+    {{- toYaml .annotations.tls | nindent 4 }}
+    {{- else if .tls.enabled}}
+    cert-manager.io/cluster-issuer: {{ .tls.issuerName }}
+    {{- end }}
+    {{- with .annotations.rest }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+  {{- end }}
+spec:
+  {{- if (not (eq .Values.ingress.className "traefik")) }}
+  {{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
+  ingressClassName:  {{ required "A valid .Values.ingress.className entry required!" .Values.ingress.className}}
+  {{- end }}
+  {{- end }}
+  {{- if .Values.ingress.tls.enabled }}
+  tls:
+    - hosts:
+        - {{ .Values.ingress.hostPrefix.rest }}{{ .Values.baseDomain }}
+      secretName: {{ $fullRESTName }}-tls-secret
+  {{- end }}
+  rules:
+    - host: {{ .Values.ingress.hostPrefix.rest }}{{ .Values.baseDomain }}
+      http:
+        paths:
+          - path: /
+            {{- if (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }}
+            pathType: Prefix
+            {{- end }}
+            backend:
+              {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
+              service:
+                name: {{ $fullRESTName }}
+                port:
+                  number: {{ $restSvcPort }}
+              {{- else }}
+              serviceName: {{ $fullRESTName }}
+              servicePort: {{ $restSvcPort }}
+              {{- end }}
+{{- end }}
diff --git a/charts/netmaker/templates/ingress-route.yaml b/charts/netmaker/templates/ingress-route.yaml
new file mode 100644
index 0000000..61c2a39
--- /dev/null
+++ b/charts/netmaker/templates/ingress-route.yaml
@@ -0,0 +1,37 @@
+{{- if .Values.ingress.enabled -}}
+{{- $fullName := include "netmaker.fullname" . -}}
+{{- $fullUIName := printf "%s-%s" $fullName "ui" -}}
+{{- $fullRESTName := printf "%s-%s" $fullName "rest" -}}
+{{- $fullMQName := printf "%s-%s" $fullName "mqtt" -}}
+{{- $uiSvcPort := .Values.service.uiPort -}}
+{{- $restSvcPort := .Values.service.restPort -}}
+{{- $mqSvcPort := 8883 -}}
+{{- $classname := required "A valid .Values.ingress.className entry required! Please set this to your ingress class (nginx, traefik)" .Values.ingress.className}}
+{{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }}
+  {{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }}
+  {{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}}
+  {{- end }}
+{{- end }}
+{{- if eq .Values.ingress.className "traefik" }}
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRouteTCP
+metadata:
+  name: {{ $fullMQName }}
+  labels:
+    {{- include "netmaker.labels" . | nindent 4 }}
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: HostSNI(`{{ .Values.ingress.hostPrefix.mq }}{{ .Values.baseDomain }}`)
+    services:
+    - name: {{ $fullMQName }}
+      port: {{ $mqSvcPort }}
+  tls:
+    passthrough: true
+    secretName: {{ $fullMQName }}-tls-secret
+    domains:
+    - main: {{ .Values.ingress.hostPrefix.mq }}{{ .Values.baseDomain }}
+{{- end }}
+{{- end }}
diff --git a/charts/netmaker/templates/ingress-ui.yaml b/charts/netmaker/templates/ingress-ui.yaml
new file mode 100644
index 0000000..f22d270
--- /dev/null
+++ b/charts/netmaker/templates/ingress-ui.yaml
@@ -0,0 +1,75 @@
+{{- if .Values.ingress.enabled -}}
+{{- $fullName := include "netmaker.fullname" . -}}
+{{- $fullUIName := printf "%s-%s" $fullName "ui" -}}
+{{- $fullRESTName := printf "%s-%s" $fullName "rest" -}}
+{{- $fullMQName := printf "%s-%s" $fullName "mqtt" -}}
+{{- $uiSvcPort := .Values.service.uiPort -}}
+{{- $restSvcPort := .Values.service.restPort -}}
+{{- $mqSvcPort := 8883 -}}
+{{- $classname := required "A valid .Values.ingress.className entry required! Please set this to your ingress class (nginx, traefik)" .Values.ingress.className}}
+{{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }}
+  {{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }}
+  {{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}}
+  {{- end }}
+{{- end }}
+{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
+apiVersion: networking.k8s.io/v1
+{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
+apiVersion: networking.k8s.io/v1beta1
+{{- else -}}
+apiVersion: extensions/v1beta1
+{{- end }}
+kind: Ingress
+metadata:
+  name: {{ $fullUIName }}
+  labels:
+    {{- include "netmaker.labels" . | nindent 4 }}
+  {{- with .Values.ingress }}
+  annotations:
+    {{- toYaml .annotations.base | nindent 4 }}
+    {{- if or (eq .className "nginx") (eq .className "public") }}
+    {{- toYaml .annotations.nginx | nindent 4 }}
+    {{- end }}
+    {{- if eq .className "traefik" }}
+    {{- toYaml .annotations.traefik | nindent 4 }}
+    {{- end }}
+    {{- if and .tls.enabled (eq .tls.issuerName "" )}}
+    {{- toYaml .annotations.tls | nindent 4 }}
+    {{- else if .tls.enabled}}
+    cert-manager.io/cluster-issuer: {{ .tls.issuerName }}
+    {{- end }}
+    {{- with .annotations.ui }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+  {{- end }}
+spec:
+  {{- if (not (eq .Values.ingress.className "traefik")) }}
+  {{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
+  ingressClassName: {{ required "A valid .Values.ingress.className entry required!" .Values.ingress.className}}
+  {{- end }}
+  {{- end }}
+  {{- if .Values.ingress.tls.enabled }}
+  tls:
+    - hosts:
+        - {{ .Values.ingress.hostPrefix.ui }}{{ .Values.baseDomain }}
+      secretName: {{ $fullUIName }}-tls-secret
+  {{- end}}
+  rules:
+    - host: {{ .Values.ingress.hostPrefix.ui }}{{ .Values.baseDomain }}
+      http:
+        paths:
+          - path: /
+            {{- if (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }}
+            pathType: Prefix
+            {{- end }}
+            backend:
+              {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
+              service:
+                name: {{ $fullUIName }}
+                port:
+                  number: {{ $uiSvcPort }}
+              {{- else }}
+              serviceName: {{ $fullUIName }}
+              servicePort: {{ $uiSvcPort }}
+              {{- end }}
+{{- end }}
diff --git a/charts/netmaker/templates/ingress.yaml b/charts/netmaker/templates/ingress.yaml
deleted file mode 100644
index 5056280..0000000
--- a/charts/netmaker/templates/ingress.yaml
+++ /dev/null
@@ -1,235 +0,0 @@
-{{- if .Values.ingress.enabled -}}
-{{- $fullName := include "netmaker.fullname" . -}}
-{{- $fullUIName := printf "%s-%s" $fullName "ui" -}}
-{{- $fullRESTName := printf "%s-%s" $fullName "rest" -}}
-{{- $fullMQName := printf "%s-%s" $fullName "mqtt" -}}
-{{- $uiSvcPort := .Values.service.uiPort -}}
-{{- $restSvcPort := .Values.service.restPort -}}
-{{- $mqSvcPort := 8883 -}}
-{{- $classname := required "A valid .Values.ingress.className entry required! Please set this to your ingress class (nginx, traefik)" .Values.ingress.className}}
-{{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }}
-  {{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }}
-  {{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}}
-  {{- end }}
-{{- end }}
-{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
-apiVersion: networking.k8s.io/v1
-{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
-apiVersion: networking.k8s.io/v1beta1
-{{- else -}}
-apiVersion: extensions/v1beta1
-{{- end }}
-kind: Ingress
-metadata:
-  name: {{ $fullUIName }}
-  labels:
-    {{- include "netmaker.labels" . | nindent 4 }}
-  {{- with .Values.ingress }}
-  annotations:
-    {{- toYaml .annotations.base | nindent 4 }}
-    {{- if or (eq .className "nginx") (eq .className "public") }}
-    {{- toYaml .annotations.nginx | nindent 4 }}
-    {{- end }}
-    {{- if eq .className "traefik" }}
-    {{- toYaml .annotations.traefik | nindent 4 }}
-    {{- end }}
-    {{- if and .tls.enabled (eq .tls.issuerName "" )}}
-    {{- toYaml .annotations.tls | nindent 4 }}
-    {{- else if .tls.enabled}}
-    cert-manager.io/cluster-issuer: {{ .tls.issuerName }}
-    {{- end }}
-    {{- with .annotations.ui }}
-      {{- toYaml . | nindent 4 }}
-    {{- end }}
-  {{- end }}
-spec:
-  {{- if (not (eq .Values.ingress.className "traefik")) }}
-  {{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
-  ingressClassName: {{ required "A valid .Values.ingress.className entry required!" .Values.ingress.className}}
-  {{- end }}
-  {{- end }}
-  {{- if .Values.ingress.tls.enabled }}
-  tls:
-    - hosts:
-        - {{ .Values.ingress.hostPrefix.ui }}{{ .Values.baseDomain }}
-      secretName: {{ $fullUIName }}-tls-secret
-  {{- end}}
-  rules:
-    - host: {{ .Values.ingress.hostPrefix.ui }}{{ .Values.baseDomain }}
-      http:
-        paths:
-          - path: /
-            {{- if (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }}
-            pathType: Prefix
-            {{- end }}
-            backend:
-              {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
-              service:
-                name: {{ $fullUIName }}
-                port:
-                  number: {{ $uiSvcPort }}
-              {{- else }}
-              serviceName: {{ $fullUIName }}
-              servicePort: {{ $uiSvcPort }}
-              {{- end }}
----
-{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
-apiVersion: networking.k8s.io/v1
-{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
-apiVersion: networking.k8s.io/v1beta1
-{{- else -}}
-apiVersion: extensions/v1beta1
-{{- end }}
-kind: Ingress
-metadata:
-  name: {{ $fullRESTName }}
-  labels:
-    {{- include "netmaker.labels" . | nindent 4 }}
-  {{- with .Values.ingress }}
-  annotations:
-    {{- toYaml .annotations.base | nindent 4 }}
-    {{- if or (eq .className "nginx") (eq .className "public") }}
-    {{- toYaml .annotations.nginx | nindent 4 }}
-    {{- end }}
-    {{- if eq .className "traefik" }}
-    {{- toYaml .annotations.traefik | nindent 4 }}
-    {{- end }}
-    {{- if and .tls.enabled (eq .tls.issuerName "" )}}
-    {{- toYaml .annotations.tls | nindent 4 }}
-    {{- else if .tls.enabled}}
-    cert-manager.io/cluster-issuer: {{ .tls.issuerName }}
-    {{- end }}
-    {{- with .annotations.rest }}
-      {{- toYaml . | nindent 4 }}
-    {{- end }}
-  {{- end }}
-spec:
-  {{- if (not (eq .Values.ingress.className "traefik")) }}
-  {{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
-  ingressClassName:  {{ required "A valid .Values.ingress.className entry required!" .Values.ingress.className}}
-  {{- end }}
-  {{- end }}
-  {{- if .Values.ingress.tls.enabled }}
-  tls:
-    - hosts:
-        - {{ .Values.ingress.hostPrefix.rest }}{{ .Values.baseDomain }}
-      secretName: {{ $fullRESTName }}-tls-secret
-  {{- end }}
-  rules:
-    - host: {{ .Values.ingress.hostPrefix.rest }}{{ .Values.baseDomain }}
-      http:
-        paths:
-          - path: /
-            {{- if (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }}
-            pathType: Prefix
-            {{- end }}
-            backend:
-              {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
-              service:
-                name: {{ $fullRESTName }}
-                port:
-                  number: {{ $restSvcPort }}
-              {{- else }}
-              serviceName: {{ $fullRESTName }}
-              servicePort: {{ $restSvcPort }}
-              {{- end }}
-{{- if or (eq .Values.ingress.className "nginx") (eq .Values.ingress.className "public") }}
----
-{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
-apiVersion: networking.k8s.io/v1
-{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
-apiVersion: networking.k8s.io/v1beta1
-{{- else -}}
-apiVersion: extensions/v1beta1
-{{- end }}
-kind: Ingress
-metadata:
-  name: {{ $fullMQName }}
-  labels:
-    {{- include "netmaker.labels" . | nindent 4 }}
-  {{- with .Values.ingress }}
-  annotations:
-    {{- toYaml .annotations.nginx | nindent 4 }}
-    {{- if and .tls.enabled (eq .tls.issuerName "" )}}
-    {{- toYaml .annotations.tls | nindent 4 }}
-    {{- else if .tls.enabled}}
-    cert-manager.io/cluster-issuer: {{ .tls.issuerName }}
-    {{- end }}
-    {{- with .annotations.mq }}
-      {{- toYaml . | nindent 4 }}
-    {{- end }}
-  {{- end }}
-spec:
-  {{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
-  ingressClassName:  {{ required "A valid .Values.ingress.className entry required!" .Values.ingress.className}}
-  {{- end }}
-  {{- if .Values.ingress.tls.enabled }}
-  tls:
-    - hosts:
-        - {{ .Values.ingress.hostPrefix.broker }}{{ .Values.baseDomain }}
-      secretName: {{ $fullMQName }}-tls-secret
-  {{- end }}
-  rules:
-    - host: {{ .Values.ingress.hostPrefix.broker }}{{ .Values.baseDomain }}
-      http:
-        paths:
-          - path: /
-            {{- if (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }}
-            pathType: Prefix
-            {{- end }}
-            backend:
-              {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
-              service:
-                name: {{ $fullMQName }}
-                port:
-                  number: {{ $mqSvcPort }}
-              {{- else }}
-              serviceName: {{ $fullMQName }}
-              servicePort: {{ $mqSvcPort }}
-              {{- end }}
-{{- end }}
-{{- if eq .Values.ingress.className "traefik" }}
----
-apiVersion: traefik.containo.us/v1alpha1
-kind: IngressRouteTCP
-metadata:
-  name: {{ $fullMQName }}
-  labels:
-    {{- include "netmaker.labels" . | nindent 4 }}
-spec:
-  entryPoints:
-    - websecure
-  routes:
-  - match: HostSNI(`{{ .Values.ingress.hostPrefix.mq }}{{ .Values.baseDomain }}`)
-    services:
-    - name: {{ $fullMQName }}
-      port: {{ $mqSvcPort }}
-  tls:
-    passthrough: true
-    secretName: {{ $fullMQName }}-tls-secret
-    domains:
-    - main: {{ .Values.ingress.hostPrefix.mq }}{{ .Values.baseDomain }}
-{{- if and .Values.ingress.tls.enabled (not (eq .Values.ingress.tls.issuerName "" ))}}
----
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  annotations:
-    acme.cert-manager.io/http01-override-ingress-name: {{ $fullMQName }}
-  labels:
-    {{- include "netmaker.labels" . | nindent 4 }}
-  name: {{ $fullMQName }}-tls-secret
-spec:
-  dnsNames:
-  - {{ .Values.ingress.hostPrefix.mq }}{{ .Values.baseDomain }}
-  issuerRef:
-    group: cert-manager.io
-    kind: ClusterIssuer
-    name:  {{ .Values.ingress.tls.issuerName }}
-  secretName: {{ $fullMQName }}-tls-secret
-  usages:
-  - digital signature
-  - key encipherment
-{{- end }}
-{{- end }}
-{{- end }}

From e36c72ff5fbc6b6f180b8d920f0fbdd049fceec0 Mon Sep 17 00:00:00 2001
From: jessebot <jessebot@linux.com>
Date: Sun, 24 Mar 2024 12:03:22 +0100
Subject: [PATCH 09/40] try to fix mqtt

---
 charts/netmaker/templates/ingress-mqtt.yaml | 2 --
 1 file changed, 2 deletions(-)

diff --git a/charts/netmaker/templates/ingress-mqtt.yaml b/charts/netmaker/templates/ingress-mqtt.yaml
index 495b7bc..a730032 100644
--- a/charts/netmaker/templates/ingress-mqtt.yaml
+++ b/charts/netmaker/templates/ingress-mqtt.yaml
@@ -66,5 +66,3 @@ spec:
               servicePort: {{ $mqSvcPort }}
               {{- end }}
 {{- end }}
-{{- end }}
-{{- end }}

From 5d01ba2634d45dd1b4a93fc4e94c21266bf5994e Mon Sep 17 00:00:00 2001
From: jessebot <jessebot@linux.com>
Date: Sun, 24 Mar 2024 12:08:41 +0100
Subject: [PATCH 10/40] fix mqtt ingress to be less complicated

---
 charts/netmaker/templates/ingress-mqtt.yaml | 20 +++-----------------
 1 file changed, 3 insertions(+), 17 deletions(-)

diff --git a/charts/netmaker/templates/ingress-mqtt.yaml b/charts/netmaker/templates/ingress-mqtt.yaml
index a730032..a0f9f00 100644
--- a/charts/netmaker/templates/ingress-mqtt.yaml
+++ b/charts/netmaker/templates/ingress-mqtt.yaml
@@ -1,25 +1,11 @@
 {{- if .Values.ingress.enabled -}}
 {{- $fullName := include "netmaker.fullname" . -}}
-{{- $fullUIName := printf "%s-%s" $fullName "ui" -}}
-{{- $fullRESTName := printf "%s-%s" $fullName "rest" -}}
 {{- $fullMQName := printf "%s-%s" $fullName "mqtt" -}}
-{{- $uiSvcPort := .Values.service.uiPort -}}
-{{- $restSvcPort := .Values.service.restPort -}}
 {{- $mqSvcPort := 8883 -}}
 {{- $classname := required "A valid .Values.ingress.className entry required! Please set this to your ingress class (nginx, traefik)" .Values.ingress.className}}
-{{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }}
-  {{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }}
-  {{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}}
-  {{- end }}
-{{- end }}
+
 {{- if or (eq .Values.ingress.className "nginx") (eq .Values.ingress.className "public") }}
-{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
 apiVersion: networking.k8s.io/v1
-{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
-apiVersion: networking.k8s.io/v1beta1
-{{- else -}}
-apiVersion: extensions/v1beta1
-{{- end }}
 kind: Ingress
 metadata:
   name: {{ $fullMQName }}
@@ -38,9 +24,7 @@ metadata:
     {{- end }}
   {{- end }}
 spec:
-  {{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
   ingressClassName:  {{ required "A valid .Values.ingress.className entry required!" .Values.ingress.className}}
-  {{- end }}
   {{- if .Values.ingress.tls.enabled }}
   tls:
     - hosts:
@@ -66,3 +50,5 @@ spec:
               servicePort: {{ $mqSvcPort }}
               {{- end }}
 {{- end }}
+
+{{- end }}

From 58f295f09ec692d3f51a64825373196e38ab4898 Mon Sep 17 00:00:00 2001
From: jessebot <jessebot@linux.com>
Date: Sun, 24 Mar 2024 12:10:03 +0100
Subject: [PATCH 11/40] fix ingress rest ot be less complicated

---
 charts/netmaker/templates/ingress-rest.yaml | 12 ------------
 1 file changed, 12 deletions(-)

diff --git a/charts/netmaker/templates/ingress-rest.yaml b/charts/netmaker/templates/ingress-rest.yaml
index 04dbb94..415b8a2 100644
--- a/charts/netmaker/templates/ingress-rest.yaml
+++ b/charts/netmaker/templates/ingress-rest.yaml
@@ -1,24 +1,14 @@
 {{- if .Values.ingress.enabled -}}
 {{- $fullName := include "netmaker.fullname" . -}}
-{{- $fullUIName := printf "%s-%s" $fullName "ui" -}}
 {{- $fullRESTName := printf "%s-%s" $fullName "rest" -}}
-{{- $fullMQName := printf "%s-%s" $fullName "mqtt" -}}
-{{- $uiSvcPort := .Values.service.uiPort -}}
 {{- $restSvcPort := .Values.service.restPort -}}
-{{- $mqSvcPort := 8883 -}}
 {{- $classname := required "A valid .Values.ingress.className entry required! Please set this to your ingress class (nginx, traefik)" .Values.ingress.className}}
 {{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }}
   {{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }}
   {{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}}
   {{- end }}
 {{- end }}
-{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
 apiVersion: networking.k8s.io/v1
-{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
-apiVersion: networking.k8s.io/v1beta1
-{{- else -}}
-apiVersion: extensions/v1beta1
-{{- end }}
 kind: Ingress
 metadata:
   name: {{ $fullRESTName }}
@@ -44,10 +34,8 @@ metadata:
   {{- end }}
 spec:
   {{- if (not (eq .Values.ingress.className "traefik")) }}
-  {{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
   ingressClassName:  {{ required "A valid .Values.ingress.className entry required!" .Values.ingress.className}}
   {{- end }}
-  {{- end }}
   {{- if .Values.ingress.tls.enabled }}
   tls:
     - hosts:

From bf1112b0ca065143eea1bb22e3f8cbfa8db5c762 Mon Sep 17 00:00:00 2001
From: jessebot <jessebot@linux.com>
Date: Sun, 24 Mar 2024 12:52:16 +0100
Subject: [PATCH 12/40] base64encode secret data

---
 charts/netmaker/templates/secrets.yaml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/charts/netmaker/templates/secrets.yaml b/charts/netmaker/templates/secrets.yaml
index a729ba1..b305b5d 100644
--- a/charts/netmaker/templates/secrets.yaml
+++ b/charts/netmaker/templates/secrets.yaml
@@ -8,10 +8,10 @@ metadata:
 type: Opaque
 data:
   {{- if not .Values.postgresql.auth.existingSecret }}
-  SQL_PASS: "{{ include "netmaker.database.password" . }}"
+  SQL_PASS: "{{ include "netmaker.database.password" . | b64enc | quote }}"
   {{- end }}
   {{- if not .Values.mq.existingSecret }}
-  MQ_ADMIN_PASSWORD: {{ .Values.mq.password }}
-  MQ_PASSWORD: {{ .Values.mq.password }}
+  MQ_ADMIN_PASSWORD: {{ .Values.mq.password | b64enc | quote }}
+  MQ_PASSWORD: {{ .Values.mq.password | b64enc | quote }}
   {{- end }}
-  MASTER_KEY: {{ include "netmaker.masterKey" . }}
+  MASTER_KEY: {{ include "netmaker.masterKey" . | b64enc | quote }}

From 2458021fd56bb2e8cae6ea825c2907829a6df6be Mon Sep 17 00:00:00 2001
From: jessebot <jessebot@linux.com>
Date: Sun, 24 Mar 2024 13:03:37 +0100
Subject: [PATCH 13/40] fix secret quoting and remove cruft from ingress files
 for old k8s versions (before 1.19)

---
 charts/netmaker/templates/ingress-rest.yaml  |  5 -----
 charts/netmaker/templates/ingress-route.yaml | 15 +--------------
 charts/netmaker/templates/secrets.yaml       |  2 +-
 3 files changed, 2 insertions(+), 20 deletions(-)

diff --git a/charts/netmaker/templates/ingress-rest.yaml b/charts/netmaker/templates/ingress-rest.yaml
index 415b8a2..a700e6d 100644
--- a/charts/netmaker/templates/ingress-rest.yaml
+++ b/charts/netmaker/templates/ingress-rest.yaml
@@ -3,11 +3,6 @@
 {{- $fullRESTName := printf "%s-%s" $fullName "rest" -}}
 {{- $restSvcPort := .Values.service.restPort -}}
 {{- $classname := required "A valid .Values.ingress.className entry required! Please set this to your ingress class (nginx, traefik)" .Values.ingress.className}}
-{{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }}
-  {{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }}
-  {{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}}
-  {{- end }}
-{{- end }}
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
diff --git a/charts/netmaker/templates/ingress-route.yaml b/charts/netmaker/templates/ingress-route.yaml
index 61c2a39..d553420 100644
--- a/charts/netmaker/templates/ingress-route.yaml
+++ b/charts/netmaker/templates/ingress-route.yaml
@@ -1,19 +1,7 @@
-{{- if .Values.ingress.enabled -}}
+{{- if and .Values.ingress.enabled (eq .Values.ingress.className "traefik") -}}
 {{- $fullName := include "netmaker.fullname" . -}}
-{{- $fullUIName := printf "%s-%s" $fullName "ui" -}}
-{{- $fullRESTName := printf "%s-%s" $fullName "rest" -}}
 {{- $fullMQName := printf "%s-%s" $fullName "mqtt" -}}
-{{- $uiSvcPort := .Values.service.uiPort -}}
-{{- $restSvcPort := .Values.service.restPort -}}
 {{- $mqSvcPort := 8883 -}}
-{{- $classname := required "A valid .Values.ingress.className entry required! Please set this to your ingress class (nginx, traefik)" .Values.ingress.className}}
-{{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }}
-  {{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }}
-  {{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}}
-  {{- end }}
-{{- end }}
-{{- if eq .Values.ingress.className "traefik" }}
----
 apiVersion: traefik.containo.us/v1alpha1
 kind: IngressRouteTCP
 metadata:
@@ -34,4 +22,3 @@ spec:
     domains:
     - main: {{ .Values.ingress.hostPrefix.mq }}{{ .Values.baseDomain }}
 {{- end }}
-{{- end }}
diff --git a/charts/netmaker/templates/secrets.yaml b/charts/netmaker/templates/secrets.yaml
index b305b5d..2cb6766 100644
--- a/charts/netmaker/templates/secrets.yaml
+++ b/charts/netmaker/templates/secrets.yaml
@@ -8,7 +8,7 @@ metadata:
 type: Opaque
 data:
   {{- if not .Values.postgresql.auth.existingSecret }}
-  SQL_PASS: "{{ include "netmaker.database.password" . | b64enc | quote }}"
+  SQL_PASS: {{ include "netmaker.database.password" . | b64enc | quote }}
   {{- end }}
   {{- if not .Values.mq.existingSecret }}
   MQ_ADMIN_PASSWORD: {{ .Values.mq.password | b64enc | quote }}

From 7af8f066657d9ffb7120161a1943c82b7187185b Mon Sep 17 00:00:00 2001
From: jessebot <jessebot@linux.com>
Date: Sun, 24 Mar 2024 13:04:16 +0100
Subject: [PATCH 14/40] adding max and jesse maintainers

---
 charts/netmaker/README.md | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/charts/netmaker/README.md b/charts/netmaker/README.md
index 65d644e..815ad1d 100644
--- a/charts/netmaker/README.md
+++ b/charts/netmaker/README.md
@@ -4,6 +4,13 @@
 
 A Helm chart to run HA Netmaker on Kubernetes
 
+## Maintainers
+
+| Name | Email | Url |
+| ---- | ------ | --- |
+| jessebot | <jessebot@linux.com> | <https://github.com/jessebot/> |
+| cloudymax | <emax@cloudydev.net> | <https://github.com/cloudymax/> |
+
 ## Requirements
 
 | Repository | Name | Version |

From 5bb3c424a3210fd1391a0065f20e2912f0f96469 Mon Sep 17 00:00:00 2001
From: jessebot <jessebot@linux.com>
Date: Sun, 24 Mar 2024 13:05:03 +0100
Subject: [PATCH 15/40] add maintainers to the docs

---
 charts/netmaker/README.md | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/charts/netmaker/README.md b/charts/netmaker/README.md
index 815ad1d..9a6e168 100644
--- a/charts/netmaker/README.md
+++ b/charts/netmaker/README.md
@@ -6,10 +6,10 @@ A Helm chart to run HA Netmaker on Kubernetes
 
 ## Maintainers
 
-| Name | Email | Url |
-| ---- | ------ | --- |
-| jessebot | <jessebot@linux.com> | <https://github.com/jessebot/> |
-| cloudymax | <emax@cloudydev.net> | <https://github.com/cloudymax/> |
+| Name | Url |
+| ---- | --- |
+| jessebot | <https://github.com/jessebot/> |
+| cloudymax | <https://github.com/cloudymax/> |
 
 ## Requirements
 

From fe0ca53e7b088c6ea40ec56338cca35d292a747d Mon Sep 17 00:00:00 2001
From: jessebot <jessebot@linux.com>
Date: Sun, 24 Mar 2024 14:18:27 +0100
Subject: [PATCH 16/40] clean up persistent volumes

---
 charts/netmaker/README.md                     | 27 ++++++++++---------
 charts/netmaker/templates/coredns-pvc.yaml    | 12 +++++++++
 charts/netmaker/templates/coredns.yaml        | 18 +++----------
 charts/netmaker/templates/mq-deployment.yaml  |  6 +----
 charts/netmaker/templates/mq-pvc.yaml         |  9 +++----
 .../templates/netmaker-statefulset.yaml       | 14 +++++-----
 charts/netmaker/values.yaml                   | 25 +++++++----------
 7 files changed, 51 insertions(+), 60 deletions(-)
 create mode 100644 charts/netmaker/templates/coredns-pvc.yaml

diff --git a/charts/netmaker/README.md b/charts/netmaker/README.md
index 9a6e168..f1e1588 100644
--- a/charts/netmaker/README.md
+++ b/charts/netmaker/README.md
@@ -6,10 +6,10 @@ A Helm chart to run HA Netmaker on Kubernetes
 
 ## Maintainers
 
-| Name | Url |
-| ---- | --- |
-| jessebot | <https://github.com/jessebot/> |
-| cloudymax | <https://github.com/cloudymax/> |
+| Name | Email | Url |
+| ---- | ------ | --- |
+| jessebot | <jessebot@linux.com> | <https://github.com/jessebot/> |
+| cloudymax | <emax@cloudydev.net> | <https://github.com/cloudymax/> |
 
 ## Requirements
 
@@ -22,10 +22,11 @@ A Helm chart to run HA Netmaker on Kubernetes
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | baseDomain | string | `"example.com"` |  |
-| dns.RWX.storageClassName | string | `""` |  |
+| dns.accessMode | string | `"ReadWriteOnce"` |  |
 | dns.enabled | bool | `false` | whether or not to deploy coredns |
-| dns.existingClaim | string | `""` |  |
-| dns.storageSize | string | `"128Mi"` |  |
+| dns.existingClaim | string | `""` | existingClaim, if not set, defaults to HELM.RELEASE.NAME-dns |
+| dns.storage | string | `"1Gi"` |  |
+| dns.storageClassName | string | `""` |  |
 | externalDatabase.database | string | `"netmaker"` | postgress db |
 | externalDatabase.existingSecret | string | `""` |  |
 | externalDatabase.host | string | `"external.postgres.url"` | postgres host |
@@ -54,14 +55,15 @@ A Helm chart to run HA Netmaker on Kubernetes
 | ingress.hostPrefix.ui | string | `"dashboard."` | ui route subdomain |
 | ingress.tls.enabled | bool | `false` |  |
 | ingress.tls.issuerName | string | `"letsencrypt-prod"` |  |
-| mq.RWX.storageClassName | string | `""` |  |
-| mq.existingClaim | string | `""` |  |
-| mq.existingSecret | string | `""` |  |
+| mq.accessMode | string | `"ReadWriteMany"` |  |
+| mq.existingClaim | string | `""` | name of existing PVC claim to use. if set, storageClassName is ignored |
+| mq.existingSecret | string | `""` | name of an existing secret to use for mq password. If set, ignores mq.password |
 | mq.password | string | `"3yyerWGdds43yegGR"` |  |
 | mq.replicas | int | `1` | how many MQTT replicas to create change to 2 or more and set singlenode to false if needed |
-| mq.secretKey | string | `""` |  |
+| mq.secretKey | string | `""` | name of key in existing secret to grab password from. If set, ignores mq.password |
 | mq.singlenode | bool | `true` |  |
-| mq.storageSize | string | `"128Mi"` |  |
+| mq.storage | string | `"128Mi"` |  |
+| mq.storageClassName | string | `""` |  |
 | mq.username | string | `"netmaker"` |  |
 | nameOverride | string | `""` | override the name for netmaker objects |
 | oauth.enabled | bool | `false` |  |
@@ -71,7 +73,6 @@ A Helm chart to run HA Netmaker on Kubernetes
 | oauth.secretKeys.clientSecret | string | `nil` |  |
 | oauth.secretKeys.frontendURL | string | `nil` |  |
 | oauth.secretKeys.issuer | string | `nil` |  |
-| persistence.sharedData.existingClaim | string | `""` |  |
 | podAnnotations | object | `{}` | pod annotations to add |
 | podSecurityContext | object | `{}` | pod security contect to add |
 | postgresql.auth.database | string | `"netmaker"` |  |
diff --git a/charts/netmaker/templates/coredns-pvc.yaml b/charts/netmaker/templates/coredns-pvc.yaml
new file mode 100644
index 0000000..7b9b9cc
--- /dev/null
+++ b/charts/netmaker/templates/coredns-pvc.yaml
@@ -0,0 +1,12 @@
+{{- if and .Values.dns.enabled (not .Values.dns.existingClaim) -}}
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: {{ include "netmaker.fullname" . }}-dns
+spec:
+  storageClassName: {{ required "A valid .Values.dns.storageClassName entry required! Specify an available storage class." .Values.dns.storageClassName}}
+  accessModes: [{{ .Values.dns.accessMode }}]
+  resources:
+    requests:
+      storage: {{ .Values.dns.storage }}
+{{- end }}
diff --git a/charts/netmaker/templates/coredns.yaml b/charts/netmaker/templates/coredns.yaml
index f35c0cf..1830642 100644
--- a/charts/netmaker/templates/coredns.yaml
+++ b/charts/netmaker/templates/coredns.yaml
@@ -31,7 +31,7 @@ spec:
           protocol: TCP
         volumeMounts:
         - mountPath: /root/dnsconfig
-          name: {{ include "netmaker.fullname" . }}-dns-pvc
+          name: dns-pvc
           readOnly: true
         securityContext:
           allowPrivilegeEscalation: false
@@ -45,12 +45,12 @@ spec:
         nameservers:
           - 127.0.0.1
       volumes:
-      - name: {{ include "netmaker.fullname" . }}-dns-pvc
+      - name: dns-pvc
         persistentVolumeClaim:
           {{- if .Values.dns.existingClaim }}
           claimName: {{ .Values.dns.existingClaim }}
           {{- else }}
-          claimName: {{ include "netmaker.fullname" . }}-dns-pvc
+          claimName: {{ include "netmaker.fullname" . }}-dns
           {{- end }}
 ---
 apiVersion: v1
@@ -74,16 +74,4 @@ spec:
   sessionAffinity: None
   type: ClusterIP
   clusterIP: {{ required "A valid .Values.dns.clusterIP entry required! Choose an IP from your k8s service IP CIDR" .Values.dns.clusterIP}}
----
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: {{ include "netmaker.fullname" . }}-dns-pvc
-spec:
-  storageClassName: {{ required "A valid .Values.dns.RWX.storageClassName entry required! Specify an available RWX storage class." .Values.dns.RWX.storageClassName}}
-  accessModes:
-    - ReadWriteMany
-  resources:
-    requests:
-      storage: {{ .Values.dns.storageSize }}
 {{- end }}
diff --git a/charts/netmaker/templates/mq-deployment.yaml b/charts/netmaker/templates/mq-deployment.yaml
index 32cdbb8..885e895 100644
--- a/charts/netmaker/templates/mq-deployment.yaml
+++ b/charts/netmaker/templates/mq-deployment.yaml
@@ -88,9 +88,5 @@ spec:
         {{- if .Values.mq.existingClaim }}
           claimName: {{ .Values.mq.existingClaim }}
         {{- else }} 
-          {{- if .Values.persistence.sharedData.existingClaim }}
-          claimName: {{ .Values.persistence.sharedData.existingClaim }}
-          {{- else }}
-          claimName: {{ include "netmaker.fullname" . }}-shared-data-pvc
-          {{- end }}
+          claimName: {{ include "netmaker.fullname" . }}-shared-data
         {{- end }}
diff --git a/charts/netmaker/templates/mq-pvc.yaml b/charts/netmaker/templates/mq-pvc.yaml
index a5c3227..f87f67d 100644
--- a/charts/netmaker/templates/mq-pvc.yaml
+++ b/charts/netmaker/templates/mq-pvc.yaml
@@ -3,12 +3,11 @@
 kind: PersistentVolumeClaim
 apiVersion: v1
 metadata:
-  name: {{ include "netmaker.fullname" . }}-shared-data-pvc
+  name: {{ include "netmaker.fullname" . }}-shared-data
 spec:
-  storageClassName: {{ .Values.mq.RWX.storageClassName }}
-  accessModes:
-    - ReadWriteMany
+  storageClassName: {{ .Values.mq.storageClassName }}
+  accessModes: [{{ .Values.mq.accessMode }}]
   resources:
     requests:
-      storage: {{ .Values.mq.storageSize }}
+      storage: {{ .Values.mq.storage }}
 {{- end }}
diff --git a/charts/netmaker/templates/netmaker-statefulset.yaml b/charts/netmaker/templates/netmaker-statefulset.yaml
index 0a1ffed..15b3e43 100644
--- a/charts/netmaker/templates/netmaker-statefulset.yaml
+++ b/charts/netmaker/templates/netmaker-statefulset.yaml
@@ -125,23 +125,23 @@ spec:
         - mountPath: /etc/netmaker/
           name: shared-data
         {{- if .Values.dns.enabled }}
-        - name: {{ include "netmaker.fullname" . }}-dns-pvc
+        - name: dns-pvc
           mountPath: /root/config/dnsconfig
         {{- end }}
       volumes:
       - name: shared-data
         persistentVolumeClaim:
-          {{- if .Values.persistence.sharedData.existingClaim }}
-          claimName: {{ .Values.persistence.sharedData.existingClaim }}
+          {{- if .Values.mq.existingClaim }}
+          claimName: {{ .Values.mq.existingClaim }}
           {{- else }}
-          claimName: {{ include "netmaker.fullname" . }}-shared-data-pvc
+          claimName: {{ include "netmaker.fullname" . }}-shared-data
           {{- end }}
       {{- if .Values.dns.enabled }}
-      - name: {{ include "netmaker.fullname" . }}-dns-pvc
+      - name: dns-pvc
         persistentVolumeClaim:
           {{- if .Values.dns.existingClaim }}
           claimName: {{ .Values.dns.existingClaim }}
           {{- else }}
-          claimName: {{ include "netmaker.fullname" . }}-dns-pvc
+          claimName: {{ include "netmaker.fullname" . }}-dns
           {{- end }}
-      {{- end }}
+      {{- end }} {{/* end if dns.enabled */}}
diff --git a/charts/netmaker/values.yaml b/charts/netmaker/values.yaml
index 3eac2d5..46d3c24 100644
--- a/charts/netmaker/values.yaml
+++ b/charts/netmaker/values.yaml
@@ -34,11 +34,6 @@ podAnnotations: {}
 podSecurityContext: {}
 # fsGroup: 2000
 
-persistence:
-  sharedData:
-    # if not specified, this will create HELM.RELEASE.NAME-shared-data-pvc by default
-    existingClaim: ""
-
 ui:
   # -- how many UI replicas to create
   replicas: 1
@@ -48,26 +43,26 @@ mq:
   # change to 2 or more and set singlenode to false if needed
   replicas: 1
   singlenode: true
-  storageSize: 128Mi
   username: netmaker
   password: 3yyerWGdds43yegGR
-  # name of an existing secret to use for mq password. If set, ignores mq.password
+  # -- name of an existing secret to use for mq password. If set, ignores mq.password
   existingSecret: ''
-  # name of key in existing secret to grab password from. If set, ignores mq.password
+  # -- name of key in existing secret to grab password from. If set, ignores mq.password
   secretKey: ''
-  # name of existing PVC claim to use. if set, RWX.storageClassName is ignored
+  # -- name of existing PVC claim to use. if set, storageClassName is ignored
   existingClaim: ""
-  RWX:
-    storageClassName: ""
+  accessMode: "ReadWriteMany"
+  storageClassName: ""
+  storage: 128Mi
 
 dns:
   # -- whether or not to deploy coredns
   enabled: false
-  # existingClaim, if not set, defaults to HELM.RELEASE.NAME-dns-pvc
+  # -- existingClaim, if not set, defaults to HELM.RELEASE.NAME-dns
   existingClaim: ''
-  storageSize: 128Mi
-  RWX:
-    storageClassName: ""
+  storage: 1Gi
+  storageClassName: ""
+  accessMode: ReadWriteOnce
 
 setIpForwarding:
   enabled: true

From e72586868c8d3772139f63ad545548dd12b29a9f Mon Sep 17 00:00:00 2001
From: Max! <admin@cloudydev.net>
Date: Sun, 24 Mar 2024 14:41:42 +0100
Subject: [PATCH 17/40] disable conficted affinity rule

---
 .../templates/netmaker-statefulset.yaml       | 20 +++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/charts/netmaker/templates/netmaker-statefulset.yaml b/charts/netmaker/templates/netmaker-statefulset.yaml
index 15b3e43..da4edc9 100644
--- a/charts/netmaker/templates/netmaker-statefulset.yaml
+++ b/charts/netmaker/templates/netmaker-statefulset.yaml
@@ -24,16 +24,16 @@ spec:
           securityContext:
             privileged: true
       dnsPolicy: ClusterFirstWithHostNet
-      affinity:
-        podAntiAffinity:
-          requiredDuringSchedulingIgnoredDuringExecution:
-          - labelSelector:
-              matchExpressions:
-              - key: app
-                operator: In
-                values:
-                - {{ include "netmaker.fullname" . }}
-            topologyKey: "kubernetes.io/hostname"
+      #affinity:
+      #  podAntiAffinity:
+      #    requiredDuringSchedulingIgnoredDuringExecution:
+      #    - labelSelector:
+      #        matchExpressions:
+      #        - key: app
+      #          operator: In
+      #          values:
+      #          - {{ include "netmaker.fullname" . }}
+      #      topologyKey: "kubernetes.io/hostname"
       containers:
       - env:
         - name: NODE_ID

From 84ee4f4db413cfbba1553c497beaeeeedb42e82b Mon Sep 17 00:00:00 2001
From: jessebot <jessebot@linux.com>
Date: Sun, 24 Mar 2024 14:53:52 +0100
Subject: [PATCH 18/40] try testing on k3s with longhorn instead

---
 .github/workflows/ci-helm-lint-test.yml | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/ci-helm-lint-test.yml b/.github/workflows/ci-helm-lint-test.yml
index 0c068b8..e8af628 100644
--- a/.github/workflows/ci-helm-lint-test.yml
+++ b/.github/workflows/ci-helm-lint-test.yml
@@ -41,11 +41,19 @@ jobs:
         if: steps.list-changed.outputs.changed == 'true'
         run: ct lint --target-branch ${{ github.event.repository.default_branch }}
 
-      - name: Create kind cluster
-        uses: helm/kind-action@v1.9.0
-        if: steps.list-changed.outputs.changed == 'true'
+      - name: Create K3s cluster
+        uses: debianmaster/actions-k3s@master
+        id: k3s
+        with:
+          version: 'latest'
+
+      - name: Install longhorn
+        run: |
+          helm repo add longhorn https://charts.longhorn.io
+          helm repo update
+          helm install longhorn longhorn/longhorn --namespace longhorn-system --create-namespace
 
       - name: Run chart-testing (install)
         id: install
         if: steps.list-changed.outputs.changed == 'true'
-        run: ct install --target-branch ${{ github.event.repository.default_branch }}
+        run: ct install --target-branch ${{ github.event.repository.default_branch }} --helm-extra-set-args "--set=mq.storageClassName=longhorn --set=dns.storageClassName=longhorn"

From 3e61df891e07577d706b96eefc49b10b2a2c5bd0 Mon Sep 17 00:00:00 2001
From: jessebot <jessebot@linux.com>
Date: Sun, 24 Mar 2024 15:02:39 +0100
Subject: [PATCH 19/40] rename ingresses and ui files to make more clear

---
 charts/netmaker/templates/{ingress-mqtt.yaml => mq-ingress.yaml}  | 0
 .../templates/{netmaker-ui-deployment.yaml => ui-deployment.yaml} | 0
 charts/netmaker/templates/{ingress-ui.yaml => ui-ingress.yaml}    | 0
 3 files changed, 0 insertions(+), 0 deletions(-)
 rename charts/netmaker/templates/{ingress-mqtt.yaml => mq-ingress.yaml} (100%)
 rename charts/netmaker/templates/{netmaker-ui-deployment.yaml => ui-deployment.yaml} (100%)
 rename charts/netmaker/templates/{ingress-ui.yaml => ui-ingress.yaml} (100%)

diff --git a/charts/netmaker/templates/ingress-mqtt.yaml b/charts/netmaker/templates/mq-ingress.yaml
similarity index 100%
rename from charts/netmaker/templates/ingress-mqtt.yaml
rename to charts/netmaker/templates/mq-ingress.yaml
diff --git a/charts/netmaker/templates/netmaker-ui-deployment.yaml b/charts/netmaker/templates/ui-deployment.yaml
similarity index 100%
rename from charts/netmaker/templates/netmaker-ui-deployment.yaml
rename to charts/netmaker/templates/ui-deployment.yaml
diff --git a/charts/netmaker/templates/ingress-ui.yaml b/charts/netmaker/templates/ui-ingress.yaml
similarity index 100%
rename from charts/netmaker/templates/ingress-ui.yaml
rename to charts/netmaker/templates/ui-ingress.yaml

From e0302dc884dc455ac9e97433d5f1536a9354f5f6 Mon Sep 17 00:00:00 2001
From: jessebot <jessebot@linux.com>
Date: Sun, 24 Mar 2024 15:07:32 +0100
Subject: [PATCH 20/40] change from longhorn pvc class to standard

---
 .github/workflows/ci-helm-lint-test.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/ci-helm-lint-test.yml b/.github/workflows/ci-helm-lint-test.yml
index e8af628..011d32a 100644
--- a/.github/workflows/ci-helm-lint-test.yml
+++ b/.github/workflows/ci-helm-lint-test.yml
@@ -56,4 +56,6 @@ jobs:
       - name: Run chart-testing (install)
         id: install
         if: steps.list-changed.outputs.changed == 'true'
-        run: ct install --target-branch ${{ github.event.repository.default_branch }} --helm-extra-set-args "--set=mq.storageClassName=longhorn --set=dns.storageClassName=longhorn"
+        # install the chart using longhorn pvcs
+        run: |
+            ct install --target-branch ${{ github.event.repository.default_branch }} --helm-extra-set-args "--set=mq.storageClassName=standard --set=dns.storageClassName=standard"

From 967c00c589f9b463740bd9a51f74e7fa04e43c42 Mon Sep 17 00:00:00 2001
From: jessebot <jessebot@linux.com>
Date: Sun, 24 Mar 2024 15:21:24 +0100
Subject: [PATCH 21/40] switch back to longhorn storage class, but this time
 install with kubectl vs helm

---
 .github/workflows/ci-helm-lint-test.yml | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/ci-helm-lint-test.yml b/.github/workflows/ci-helm-lint-test.yml
index 011d32a..3ef97d2 100644
--- a/.github/workflows/ci-helm-lint-test.yml
+++ b/.github/workflows/ci-helm-lint-test.yml
@@ -49,13 +49,11 @@ jobs:
 
       - name: Install longhorn
         run: |
-          helm repo add longhorn https://charts.longhorn.io
-          helm repo update
-          helm install longhorn longhorn/longhorn --namespace longhorn-system --create-namespace
+          kubectl apply -f https://raw.githubusercontent.com/longhorn/longhorn/v1.6.0/deploy/longhorn.yaml
 
       - name: Run chart-testing (install)
         id: install
         if: steps.list-changed.outputs.changed == 'true'
         # install the chart using longhorn pvcs
         run: |
-            ct install --target-branch ${{ github.event.repository.default_branch }} --helm-extra-set-args "--set=mq.storageClassName=standard --set=dns.storageClassName=standard"
+            ct install --target-branch ${{ github.event.repository.default_branch }} --helm-extra-set-args "--set=mq.storageClassName=longhorn --set=dns.storageClassName=longhorn"

From 0c2533bba2c952b5777a686e77a9fcbdf6790fae Mon Sep 17 00:00:00 2001
From: jessebot <jessebot@linux.com>
Date: Sun, 24 Mar 2024 15:24:03 +0100
Subject: [PATCH 22/40] add most basic testing locally script

---
 test-locally.sh | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 test-locally.sh

diff --git a/test-locally.sh b/test-locally.sh
new file mode 100644
index 0000000..512a89e
--- /dev/null
+++ b/test-locally.sh
@@ -0,0 +1,3 @@
+kind create cluster
+kubectl apply -f https://raw.githubusercontent.com/longhorn/longhorn/v1.6.0/deploy/longhorn.yaml
+ct install --target-branch main --helm-extra-set-args "--set=mq.storageClassName=longhorn --set=dns.storageClassName=longhorn"

From 32e752c796dabdcdec67906db7674668b54ed057 Mon Sep 17 00:00:00 2001
From: jessebot <jessebot@linux.com>
Date: Sun, 24 Mar 2024 15:31:36 +0100
Subject: [PATCH 23/40] remove weird default affinity settings in this chart

---
 charts/netmaker/README.md                         |  2 ++
 charts/netmaker/templates/mq-deployment.yaml      | 15 ++++++---------
 .../netmaker/templates/netmaker-statefulset.yaml  | 10 ----------
 charts/netmaker/values.yaml                       | 12 ++++++++++++
 4 files changed, 20 insertions(+), 19 deletions(-)

diff --git a/charts/netmaker/README.md b/charts/netmaker/README.md
index f1e1588..15019a9 100644
--- a/charts/netmaker/README.md
+++ b/charts/netmaker/README.md
@@ -56,6 +56,7 @@ A Helm chart to run HA Netmaker on Kubernetes
 | ingress.tls.enabled | bool | `false` |  |
 | ingress.tls.issuerName | string | `"letsencrypt-prod"` |  |
 | mq.accessMode | string | `"ReadWriteMany"` |  |
+| mq.affinity | object | `{}` | optional affinity settings for mqtt |
 | mq.existingClaim | string | `""` | name of existing PVC claim to use. if set, storageClassName is ignored |
 | mq.existingSecret | string | `""` | name of an existing secret to use for mq password. If set, ignores mq.password |
 | mq.password | string | `"3yyerWGdds43yegGR"` |  |
@@ -64,6 +65,7 @@ A Helm chart to run HA Netmaker on Kubernetes
 | mq.singlenode | bool | `true` |  |
 | mq.storage | string | `"128Mi"` |  |
 | mq.storageClassName | string | `""` |  |
+| mq.tolerations | object | `{}` | optional tolerations settings for mqtt |
 | mq.username | string | `"netmaker"` |  |
 | nameOverride | string | `""` | override the name for netmaker objects |
 | oauth.enabled | bool | `false` |  |
diff --git a/charts/netmaker/templates/mq-deployment.yaml b/charts/netmaker/templates/mq-deployment.yaml
index 885e895..d9fa7cc 100644
--- a/charts/netmaker/templates/mq-deployment.yaml
+++ b/charts/netmaker/templates/mq-deployment.yaml
@@ -16,16 +16,13 @@ spec:
       labels:
         app: {{ include "netmaker.fullname" . }}-mqtt
     spec:
-      {{- if .Values.mq.singlenode }}    
+      {{- with .Values.mq.affinity }}
       affinity:
-        nodeAffinity:
-          requiredDuringSchedulingIgnoredDuringExecution:
-            nodeSelectorTerms:
-            - matchExpressions:
-              - key: mqhost
-                operator: In
-                values:
-                - "true"
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.mq.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
       {{- end }}
       containers:
       - env:
diff --git a/charts/netmaker/templates/netmaker-statefulset.yaml b/charts/netmaker/templates/netmaker-statefulset.yaml
index da4edc9..076ef72 100644
--- a/charts/netmaker/templates/netmaker-statefulset.yaml
+++ b/charts/netmaker/templates/netmaker-statefulset.yaml
@@ -24,16 +24,6 @@ spec:
           securityContext:
             privileged: true
       dnsPolicy: ClusterFirstWithHostNet
-      #affinity:
-      #  podAntiAffinity:
-      #    requiredDuringSchedulingIgnoredDuringExecution:
-      #    - labelSelector:
-      #        matchExpressions:
-      #        - key: app
-      #          operator: In
-      #          values:
-      #          - {{ include "netmaker.fullname" . }}
-      #      topologyKey: "kubernetes.io/hostname"
       containers:
       - env:
         - name: NODE_ID
diff --git a/charts/netmaker/values.yaml b/charts/netmaker/values.yaml
index 46d3c24..f9d7739 100644
--- a/charts/netmaker/values.yaml
+++ b/charts/netmaker/values.yaml
@@ -43,6 +43,18 @@ mq:
   # change to 2 or more and set singlenode to false if needed
   replicas: 1
   singlenode: true
+  # -- optional tolerations settings for mqtt
+  tolerations: {}
+  # -- optional affinity settings for mqtt
+  affinity: {}
+  # nodeAffinity:
+  #   requiredDuringSchedulingIgnoredDuringExecution:
+  #     nodeSelectorTerms:
+  #     - matchExpressions:
+  #       - key: mqhost
+  #         operator: In
+  #         values:
+  #         - "true"
   username: netmaker
   password: 3yyerWGdds43yegGR
   # -- name of an existing secret to use for mq password. If set, ignores mq.password

From 11a76ae3f96aa694e43ae5bea8c9b1d35a27d8c5 Mon Sep 17 00:00:00 2001
From: Max! <admin@cloudydev.net>
Date: Sun, 24 Mar 2024 17:06:37 +0100
Subject: [PATCH 24/40] add missing env vars for oidc

---
 charts/netmaker/templates/netmaker-statefulset.yaml | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/charts/netmaker/templates/netmaker-statefulset.yaml b/charts/netmaker/templates/netmaker-statefulset.yaml
index 076ef72..124ca29 100644
--- a/charts/netmaker/templates/netmaker-statefulset.yaml
+++ b/charts/netmaker/templates/netmaker-statefulset.yaml
@@ -59,6 +59,16 @@ spec:
               key: {{ .Values.mq.secretKey }}
         {{- end }}
         {{- if .Values.oauth.enabled }}
+        - name: SERVER_HTTP_HOST 
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Values.oauth.existingSecret }}
+              key: {{ .Values.oauth.secretKeys.serverHttpHost }}
+        - name: AUTH_PROVIDER 
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Values.oauth.existingSecret }}
+              key: {{ .Values.oauth.secretKeys.authProvider }}
         - name: CLIENT_ID 
           valueFrom:
             secretKeyRef:

From 9d2e4e5a2544ebf39e4003cd9ea72749005bf323 Mon Sep 17 00:00:00 2001
From: jessebot <jessebot@linux.com>
Date: Sun, 24 Mar 2024 17:06:35 +0100
Subject: [PATCH 25/40] add affinity back to the statefulset, but leave blank

---
 charts/netmaker/README.md                       |  2 ++
 .../templates/netmaker-statefulset.yaml         |  8 ++++++++
 charts/netmaker/values.yaml                     | 17 +++++++++++++++++
 3 files changed, 27 insertions(+)

diff --git a/charts/netmaker/README.md b/charts/netmaker/README.md
index 15019a9..e60f34c 100644
--- a/charts/netmaker/README.md
+++ b/charts/netmaker/README.md
@@ -21,6 +21,7 @@ A Helm chart to run HA Netmaker on Kubernetes
 
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
+| affinity | object | `{}` | optional affinity settings for netmaker |
 | baseDomain | string | `"example.com"` |  |
 | dns.accessMode | string | `"ReadWriteOnce"` |  |
 | dns.enabled | bool | `false` | whether or not to deploy coredns |
@@ -94,6 +95,7 @@ A Helm chart to run HA Netmaker on Kubernetes
 | serviceAccount.create | bool | `true` | Specifies whether a service account should be created |
 | serviceAccount.name | string | `""` | Name of SA to use. If not set and create is true, a name is generated using the fullname template |
 | setIpForwarding.enabled | bool | `true` |  |
+| tolerations | object | `{}` | optional tolerations settings for netmaker |
 | ui.replicas | int | `1` | how many UI replicas to create |
 | wireguard.enabled | bool | `true` | whether or not to use WireGuard on server |
 | wireguard.kernel | bool | `false` | whether or not to use Kernel WG (should be false unless WireGuard is installed on hosts). |
diff --git a/charts/netmaker/templates/netmaker-statefulset.yaml b/charts/netmaker/templates/netmaker-statefulset.yaml
index 124ca29..089c070 100644
--- a/charts/netmaker/templates/netmaker-statefulset.yaml
+++ b/charts/netmaker/templates/netmaker-statefulset.yaml
@@ -15,6 +15,14 @@ spec:
       labels:
         app: {{ include "netmaker.fullname" . }}
     spec:
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       initContainers:
         - name: init-sysctl
           image: busybox
diff --git a/charts/netmaker/values.yaml b/charts/netmaker/values.yaml
index f9d7739..084d801 100644
--- a/charts/netmaker/values.yaml
+++ b/charts/netmaker/values.yaml
@@ -19,6 +19,23 @@ nameOverride: ""
 # -- override the full name for netmaker objects
 fullnameOverride: ""
 
+# -- optional tolerations settings for netmaker
+tolerations: {}
+
+# -- optional affinity settings for netmaker
+affinity: {}
+# example affinity
+# affinity:
+#   podAntiAffinity:
+#     requiredDuringSchedulingIgnoredDuringExecution:
+#     - labelSelector:
+#         matchExpressions:
+#         - key: app
+#           operator: In
+#           values:
+#           - {{ include "netmaker.fullname" . }}
+#       topologyKey: "kubernetes.io/hostname"
+
 serviceAccount:
   # -- Specifies whether a service account should be created
   create: true

From 2afbbb8795a1f36849b6546b6a1645b40c876364 Mon Sep 17 00:00:00 2001
From: Max! <admin@cloudydev.net>
Date: Sun, 24 Mar 2024 17:25:53 +0100
Subject: [PATCH 26/40] fix name authProvider to auth_provider

---
 charts/netmaker/templates/netmaker-statefulset.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/charts/netmaker/templates/netmaker-statefulset.yaml b/charts/netmaker/templates/netmaker-statefulset.yaml
index 089c070..ea4a321 100644
--- a/charts/netmaker/templates/netmaker-statefulset.yaml
+++ b/charts/netmaker/templates/netmaker-statefulset.yaml
@@ -76,7 +76,7 @@ spec:
           valueFrom:
             secretKeyRef:
               name: {{ .Values.oauth.existingSecret }}
-              key: {{ .Values.oauth.secretKeys.authProvider }}
+              key: {{ .Values.oauth.secretKeys.auth_provider }}
         - name: CLIENT_ID 
           valueFrom:
             secretKeyRef:

From eee4fecf41a92c98f7429b56def6e5f583236b86 Mon Sep 17 00:00:00 2001
From: jessebot <jessebot@linux.com>
Date: Sun, 24 Mar 2024 20:19:22 +0100
Subject: [PATCH 27/40] add current version of netmaker

---
 charts/netmaker/Chart.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/charts/netmaker/Chart.yaml b/charts/netmaker/Chart.yaml
index 319d110..a13392e 100644
--- a/charts/netmaker/Chart.yaml
+++ b/charts/netmaker/Chart.yaml
@@ -21,7 +21,7 @@ version: 0.10.0
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "v0.20.3"
+appVersion: "v0.21.2"
 
 maintainers:
   - name: "jessebot"

From 3cc4af15dd5e205bf586575077b553b95a147fe7 Mon Sep 17 00:00:00 2001
From: Max! <admin@cloudydev.net>
Date: Sun, 24 Mar 2024 20:52:41 +0100
Subject: [PATCH 28/40] Update netmaker-statefulset.yaml

---
 charts/netmaker/templates/netmaker-statefulset.yaml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/charts/netmaker/templates/netmaker-statefulset.yaml b/charts/netmaker/templates/netmaker-statefulset.yaml
index ea4a321..6abbcf5 100644
--- a/charts/netmaker/templates/netmaker-statefulset.yaml
+++ b/charts/netmaker/templates/netmaker-statefulset.yaml
@@ -67,6 +67,12 @@ spec:
               key: {{ .Values.mq.secretKey }}
         {{- end }}
         {{- if .Values.oauth.enabled }}
+        - name: SERVER_BROKER_ENDPOINT 
+          valueFrom:
+            secretKeyRef:
+              name: {{ .Values.oauth.existingSecret }}
+              key: {{ .Values.oauth.secretKeys.serverBrokerEndpoint }}
+              
         - name: SERVER_HTTP_HOST 
           valueFrom:
             secretKeyRef:

From ddf77080549417f8c92c27f0406cb42215eacf95 Mon Sep 17 00:00:00 2001
From: jessebot <jessebot@linux.com>
Date: Sun, 24 Mar 2024 21:51:17 +0100
Subject: [PATCH 29/40] reorganize all the services and ingresses

---
 charts/netmaker/README.md                     |  72 +++++----
 charts/netmaker/templates/NOTES.txt           |  22 ---
 charts/netmaker/templates/api-ingress.yaml    |  31 ++++
 charts/netmaker/templates/api-service.yaml    |  17 ++
 charts/netmaker/templates/cert.yaml           |  19 +--
 charts/netmaker/templates/confgmap.yaml       |   8 +-
 charts/netmaker/templates/ingress-rest.yaml   |  58 -------
 charts/netmaker/templates/mq-deployment.yaml  | 135 +++++++++-------
 ...gress-route.yaml => mq-ingress-route.yaml} |   9 +-
 charts/netmaker/templates/mq-ingress.yaml     |  38 +----
 charts/netmaker/templates/mq-service.yaml     |   2 +-
 .../templates/netmaker-statefulset.yaml       |   2 +-
 charts/netmaker/templates/services.yaml       |  57 -------
 .../templates/tests/test-connection.yaml      |  15 --
 charts/netmaker/templates/ui-deployment.yaml  |  14 +-
 charts/netmaker/templates/ui-ingress.yaml     |  60 +------
 charts/netmaker/templates/ui-service.yaml     |  15 ++
 .../netmaker/templates/wireguard-service.yaml |  25 +++
 charts/netmaker/values.yaml                   | 150 ++++++++++--------
 19 files changed, 322 insertions(+), 427 deletions(-)
 delete mode 100644 charts/netmaker/templates/NOTES.txt
 create mode 100644 charts/netmaker/templates/api-ingress.yaml
 create mode 100644 charts/netmaker/templates/api-service.yaml
 delete mode 100644 charts/netmaker/templates/ingress-rest.yaml
 rename charts/netmaker/templates/{ingress-route.yaml => mq-ingress-route.yaml} (61%)
 delete mode 100644 charts/netmaker/templates/services.yaml
 delete mode 100644 charts/netmaker/templates/tests/test-connection.yaml
 create mode 100644 charts/netmaker/templates/ui-service.yaml
 create mode 100644 charts/netmaker/templates/wireguard-service.yaml

diff --git a/charts/netmaker/README.md b/charts/netmaker/README.md
index e60f34c..e1b2e01 100644
--- a/charts/netmaker/README.md
+++ b/charts/netmaker/README.md
@@ -1,6 +1,6 @@
 # netmaker
 
-![Version: 0.10.0](https://img.shields.io/badge/Version-0.10.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.20.3](https://img.shields.io/badge/AppVersion-v0.20.3-informational?style=flat-square)
+![Version: 0.10.0](https://img.shields.io/badge/Version-0.10.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.21.2](https://img.shields.io/badge/AppVersion-v0.21.2-informational?style=flat-square)
 
 A Helm chart to run HA Netmaker on Kubernetes
 
@@ -22,12 +22,19 @@ A Helm chart to run HA Netmaker on Kubernetes
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | affinity | object | `{}` | optional affinity settings for netmaker |
-| baseDomain | string | `"example.com"` |  |
-| dns.accessMode | string | `"ReadWriteOnce"` |  |
+| api.ingress.annotations | object | `{}` | annotations for the netmaker API ingress object |
+| api.ingress.className | string | `"nginx"` | api ingress className |
+| api.ingress.enabled | bool | `true` | attempts to configure ingress if true |
+| api.ingress.host | string | `"api.cluster.local"` | api (REST) route subdomain |
+| api.ingress.tls | list | `[]` | ingress api tls list |
+| api.service.port | int | `8081` | port for API service |
+| api.service.targetPort | int | `8081` | targetport for API service |
+| api.service.type | string | `"ClusterIP"` | type for netmaker server services |
 | dns.enabled | bool | `false` | whether or not to deploy coredns |
-| dns.existingClaim | string | `""` | existingClaim, if not set, defaults to HELM.RELEASE.NAME-dns |
-| dns.storage | string | `"1Gi"` |  |
-| dns.storageClassName | string | `""` |  |
+| dns.persistence.accessMode | string | `"ReadWriteOnce"` |  |
+| dns.persistence.existingClaim | string | `""` | existingClaim, if not set, defaults to HELM.RELEASE.NAME-dns |
+| dns.persistence.storage | string | `"1Gi"` |  |
+| dns.persistence.storageClassName | string | `""` |  |
 | externalDatabase.database | string | `"netmaker"` | postgress db |
 | externalDatabase.existingSecret | string | `""` |  |
 | externalDatabase.host | string | `"external.postgres.url"` | postgres host |
@@ -39,33 +46,24 @@ A Helm chart to run HA Netmaker on Kubernetes
 | fullnameOverride | string | `""` | override the full name for netmaker objects |
 | image.pullPolicy | string | `"IfNotPresent"` | Pull Policy for images |
 | image.repository | string | `"gravitl/netmaker"` | The image repo to pull Netmaker image from |
-| ingress.annotations.base."kubernetes.io/ingress.allow-http" | string | `"false"` | annotation to generate ACME certs if available |
-| ingress.annotations.mq | object | `{}` |  |
-| ingress.annotations.nginx."nginx.ingress.kubernetes.io/rewrite-target" | string | `"/"` | destination addr for route |
-| ingress.annotations.nginx."nginx.ingress.kubernetes.io/ssl-redirect" | string | `"true"` | Redirect http to https |
-| ingress.annotations.rest | object | `{}` |  |
-| ingress.annotations.tls."kubernetes.io/tls-acme" | string | `"true"` | use acme cert if available |
-| ingress.annotations.traefik."traefik.ingress.kubernetes.io/redirect-entry-point" | string | `"https"` | Redirect to https |
-| ingress.annotations.traefik."traefik.ingress.kubernetes.io/redirect-permanent" | string | `"true"` | Redirect to https permanently |
-| ingress.annotations.traefik."traefik.ingress.kubernetes.io/rule-type" | string | `"PathPrefixStrip"` | rule type |
-| ingress.annotations.ui | object | `{}` |  |
-| ingress.className | string | `"nginx"` |  |
-| ingress.enabled | bool | `true` | attempts to configure ingress if true |
-| ingress.hostPrefix.broker | string | `"broker."` | mqtt route subdomain |
-| ingress.hostPrefix.rest | string | `"api."` | api (REST) route subdomain |
-| ingress.hostPrefix.ui | string | `"dashboard."` | ui route subdomain |
-| ingress.tls.enabled | bool | `false` |  |
-| ingress.tls.issuerName | string | `"letsencrypt-prod"` |  |
-| mq.accessMode | string | `"ReadWriteMany"` |  |
 | mq.affinity | object | `{}` | optional affinity settings for mqtt |
-| mq.existingClaim | string | `""` | name of existing PVC claim to use. if set, storageClassName is ignored |
 | mq.existingSecret | string | `""` | name of an existing secret to use for mq password. If set, ignores mq.password |
-| mq.password | string | `"3yyerWGdds43yegGR"` |  |
-| mq.replicas | int | `1` | how many MQTT replicas to create change to 2 or more and set singlenode to false if needed |
+| mq.generateCert | bool | `false` |  |
+| mq.ingress.annotations | object | `{}` | annotations for the mqtt ingress object |
+| mq.ingress.className | string | `"nginx"` |  |
+| mq.ingress.enabled | bool | `true` | attempts to configure ingress if true |
+| mq.ingress.host | string | `"broker.cluster.local"` | hostname for mqtt ingress |
+| mq.ingress.tls | list | `[]` | ingress tls list |
+| mq.password | string | `""` |  |
+| mq.persistence.accessMode | string | `"ReadWriteMany"` |  |
+| mq.persistence.existingClaim | string | `""` | name of existing PVC claim to use. if set, storageClassName is ignored |
+| mq.persistence.storage | string | `"128Mi"` |  |
+| mq.persistence.storageClassName | string | `""` |  |
+| mq.replicas | int | `1` | how many MQTT replicas to create |
 | mq.secretKey | string | `""` | name of key in existing secret to grab password from. If set, ignores mq.password |
-| mq.singlenode | bool | `true` |  |
-| mq.storage | string | `"128Mi"` |  |
-| mq.storageClassName | string | `""` |  |
+| mq.service.port | int | `443` | port for MQTT service |
+| mq.service.targetPort | int | `8883` | Target port for MQTT service |
+| mq.service.type | string | `"ClusterIP"` | type for netmaker server services |
 | mq.tolerations | object | `{}` | optional tolerations settings for mqtt |
 | mq.username | string | `"netmaker"` |  |
 | nameOverride | string | `""` | override the name for netmaker objects |
@@ -87,21 +85,25 @@ A Helm chart to run HA Netmaker on Kubernetes
 | postgresql.auth.username | string | `"netmaker"` |  |
 | postgresql.enabled | bool | `true` |  |
 | replicas | int | `1` | number of netmaker server replicas to create |
-| service.mqPort | int | `443` | port for MQTT service |
-| service.restPort | int | `8081` | port for API service |
-| service.type | string | `"ClusterIP"` | type for netmaker server services |
-| service.uiPort | int | `80` | port for UI service |
 | serviceAccount.annotations | object | `{}` | Annotations to add to the service account |
 | serviceAccount.create | bool | `true` | Specifies whether a service account should be created |
 | serviceAccount.name | string | `""` | Name of SA to use. If not set and create is true, a name is generated using the fullname template |
 | setIpForwarding.enabled | bool | `true` |  |
 | tolerations | object | `{}` | optional tolerations settings for netmaker |
+| ui.ingress.annotations | object | `{}` | annotations for the netmaker UI ingress object |
+| ui.ingress.className | string | `"nginx"` | UI ingress className |
+| ui.ingress.enabled | bool | `true` | attempts to configure ingress if true |
+| ui.ingress.host | string | `"dashboard.cluster.local"` | hostname for mqtt ingress |
+| ui.ingress.tls | list | `[]` | ingress tls list |
 | ui.replicas | int | `1` | how many UI replicas to create |
+| ui.service.port | int | `80` | port for UI service |
+| ui.service.targetport | int | `80` | target port for UI service |
+| ui.service.type | string | `"ClusterIP"` | type for netmaker server services |
 | wireguard.enabled | bool | `true` | whether or not to use WireGuard on server |
 | wireguard.kernel | bool | `false` | whether or not to use Kernel WG (should be false unless WireGuard is installed on hosts). |
 | wireguard.networkLimit | int | `10` | max number of networks that Netmaker will support if running with WireGuard enabled |
 | wireguard.service.annotations | object | `{}` |  |
-| wireguard.service.serviceType | string | `"NodePort"` |  |
+| wireguard.service.type | string | `"NodePort"` |  |
 
 ----------------------------------------------
 Autogenerated from chart metadata using [helm-docs v1.13.1](https://github.com/norwoodj/helm-docs/releases/v1.13.1)
diff --git a/charts/netmaker/templates/NOTES.txt b/charts/netmaker/templates/NOTES.txt
deleted file mode 100644
index 53b369e..0000000
--- a/charts/netmaker/templates/NOTES.txt
+++ /dev/null
@@ -1,22 +0,0 @@
-1. Get the application URL by running these commands:
-{{- if .Values.ingress.enabled }}
-{{- range $host := .Values.ingress.hosts }}
-  {{- range .paths }}
-  http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }}
-  {{- end }}
-{{- end }}
-{{- else if contains "NodePort" .Values.service.type }}
-  export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "netmaker.fullname" . }})
-  export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
-  echo http://$NODE_IP:$NODE_PORT
-{{- else if contains "LoadBalancer" .Values.service.type }}
-     NOTE: It may take a few minutes for the LoadBalancer IP to be available.
-           You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "netmaker.fullname" . }}'
-  export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "netmaker.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
-  echo http://$SERVICE_IP:{{ .Values.service.port }}
-{{- else if contains "ClusterIP" .Values.service.type }}
-  export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "netmaker.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
-  export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
-  echo "Visit http://127.0.0.1:8080 to use your application"
-  kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT
-{{- end }}
diff --git a/charts/netmaker/templates/api-ingress.yaml b/charts/netmaker/templates/api-ingress.yaml
new file mode 100644
index 0000000..ab84924
--- /dev/null
+++ b/charts/netmaker/templates/api-ingress.yaml
@@ -0,0 +1,31 @@
+{{- if .Values.api.ingress.enabled -}}
+{{- $fullName := include "netmaker.fullname" . -}}
+{{- $fullRESTName := printf "%s-%s" $fullName "api" -}}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ $fullRESTName }}
+  labels:
+    {{- include "netmaker.labels" . | nindent 4 }}
+  {{- with .Values.api.ingress.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  ingressClassName:  {{ required "A valid .Values.ingress.className entry required!" .Values.api.ingress.className}}
+  {{- with .Values.api.ingress.tls }}
+  tls:
+    {{- toYaml . }}
+  {{- end }}
+  rules:
+    - host: {{ .Values.api.ingress.host }}
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: {{ $fullRESTName }}
+                port:
+                  number: {{ .Values.api.service.port }}
+{{- end }}
diff --git a/charts/netmaker/templates/api-service.yaml b/charts/netmaker/templates/api-service.yaml
new file mode 100644
index 0000000..08ca153
--- /dev/null
+++ b/charts/netmaker/templates/api-service.yaml
@@ -0,0 +1,17 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    {{- include "netmaker.labels" . | nindent 4 }}
+  name: '{{ include "netmaker.fullname" . }}-rest'
+spec:
+  ports:
+    - name: api
+      port: {{ .Values.api.service.port }}
+      protocol: TCP
+      targetPort: {{ .Values.api.service.targetPort }}
+  selector:
+    app: '{{ include "netmaker.fullname" . }}'
+  sessionAffinity: None
+  type: {{ .Values.api.service.type }}
diff --git a/charts/netmaker/templates/cert.yaml b/charts/netmaker/templates/cert.yaml
index c1141d2..4e1743c 100644
--- a/charts/netmaker/templates/cert.yaml
+++ b/charts/netmaker/templates/cert.yaml
@@ -1,18 +1,6 @@
-{{- if .Values.ingress.enabled -}}
+{{- if .Values.mq.ingress.generateCert }}
 {{- $fullName := include "netmaker.fullname" . -}}
-{{- $fullUIName := printf "%s-%s" $fullName "ui" -}}
-{{- $fullRESTName := printf "%s-%s" $fullName "rest" -}}
 {{- $fullMQName := printf "%s-%s" $fullName "mqtt" -}}
-{{- $uiSvcPort := .Values.service.uiPort -}}
-{{- $restSvcPort := .Values.service.restPort -}}
-{{- $mqSvcPort := 8883 -}}
-{{- $classname := required "A valid .Values.ingress.className entry required! Please set this to your ingress class (nginx, traefik)" .Values.ingress.className}}
-{{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }}
-  {{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }}
-  {{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}}
-  {{- end }}
-{{- end }}
-{{- if and .Values.ingress.tls.enabled (not (eq .Values.ingress.tls.issuerName "" ))}}
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
@@ -23,14 +11,13 @@ metadata:
   name: {{ $fullMQName }}-tls-secret
 spec:
   dnsNames:
-  - {{ .Values.ingress.hostPrefix.mq }}{{ .Values.baseDomain }}
+  - {{ .Values.mq.ingress.hostname }}
   issuerRef:
     group: cert-manager.io
     kind: ClusterIssuer
-    name:  {{ .Values.ingress.tls.issuerName }}
+    name:  {{ .Values.mq.ingress.tls.issuerName }}
   secretName: {{ $fullMQName }}-tls-secret
   usages:
   - digital signature
   - key encipherment
 {{- end }}
-{{- end }}
diff --git a/charts/netmaker/templates/confgmap.yaml b/charts/netmaker/templates/confgmap.yaml
index ef94db1..2ee9d3d 100644
--- a/charts/netmaker/templates/confgmap.yaml
+++ b/charts/netmaker/templates/confgmap.yaml
@@ -5,9 +5,9 @@ metadata:
   labels:
     {{- include "netmaker.labels" . | nindent 4 }}
 data:
-  SERVER_NAME: broker.{{ required "A valid .Values.baseDomain entry required!" .Values.baseDomain}}
-  SERVER_API_CONN_STRING: api.{{ required "A valid .Values.baseDomain entry required!" .Values.baseDomain}}:443
-  SERVER_HTTP_HOST: api.{{ required "A valid .Values.baseDomain entry required!" .Values.baseDomain}}
+  SERVER_NAME: {{ required "A valid .Values.mq.ingress.host entry required!" .Values.mq.ingress.host }}
+  SERVER_API_CONN_STRING: {{ required "A valid .Values.api.ingress.host entry required!" .Values.api.ingress.host }}:443
+  SERVER_HTTP_HOST: {{ required "A valid .Values.api.ingress.host entry required!" .Values.api.ingress.host }}
   API_PORT: "8081"
   {{- if not .Values.wireguard.kernel }}
   WG_QUICK_USERSPACE_IMPLEMENTATION: wireguard-go
@@ -27,7 +27,7 @@ data:
   SQL_DB: "{{ include "netmaker.database.database" . }}"
   DISPLAY_KEYS: "on"
   MQ_HOST: {{ include "netmaker.fullname" . }}-mqtt
-  MQ_PORT: "{{ .Values.service.mqPort }}"
+  MQ_PORT: "{{ .Values.mq.service.port }}"
   MQ_USERNAME: "{{ .Values.mq.username }}"
   MQ_SERVER_PORT: "1883"
   PLATFORM: "Kubernetes"
diff --git a/charts/netmaker/templates/ingress-rest.yaml b/charts/netmaker/templates/ingress-rest.yaml
deleted file mode 100644
index a700e6d..0000000
--- a/charts/netmaker/templates/ingress-rest.yaml
+++ /dev/null
@@ -1,58 +0,0 @@
-{{- if .Values.ingress.enabled -}}
-{{- $fullName := include "netmaker.fullname" . -}}
-{{- $fullRESTName := printf "%s-%s" $fullName "rest" -}}
-{{- $restSvcPort := .Values.service.restPort -}}
-{{- $classname := required "A valid .Values.ingress.className entry required! Please set this to your ingress class (nginx, traefik)" .Values.ingress.className}}
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: {{ $fullRESTName }}
-  labels:
-    {{- include "netmaker.labels" . | nindent 4 }}
-  {{- with .Values.ingress }}
-  annotations:
-    {{- toYaml .annotations.base | nindent 4 }}
-    {{- if or (eq .className "nginx") (eq .className "public") }}
-    {{- toYaml .annotations.nginx | nindent 4 }}
-    {{- end }}
-    {{- if eq .className "traefik" }}
-    {{- toYaml .annotations.traefik | nindent 4 }}
-    {{- end }}
-    {{- if and .tls.enabled (eq .tls.issuerName "" )}}
-    {{- toYaml .annotations.tls | nindent 4 }}
-    {{- else if .tls.enabled}}
-    cert-manager.io/cluster-issuer: {{ .tls.issuerName }}
-    {{- end }}
-    {{- with .annotations.rest }}
-      {{- toYaml . | nindent 4 }}
-    {{- end }}
-  {{- end }}
-spec:
-  {{- if (not (eq .Values.ingress.className "traefik")) }}
-  ingressClassName:  {{ required "A valid .Values.ingress.className entry required!" .Values.ingress.className}}
-  {{- end }}
-  {{- if .Values.ingress.tls.enabled }}
-  tls:
-    - hosts:
-        - {{ .Values.ingress.hostPrefix.rest }}{{ .Values.baseDomain }}
-      secretName: {{ $fullRESTName }}-tls-secret
-  {{- end }}
-  rules:
-    - host: {{ .Values.ingress.hostPrefix.rest }}{{ .Values.baseDomain }}
-      http:
-        paths:
-          - path: /
-            {{- if (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }}
-            pathType: Prefix
-            {{- end }}
-            backend:
-              {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
-              service:
-                name: {{ $fullRESTName }}
-                port:
-                  number: {{ $restSvcPort }}
-              {{- else }}
-              serviceName: {{ $fullRESTName }}
-              servicePort: {{ $restSvcPort }}
-              {{- end }}
-{{- end }}
diff --git a/charts/netmaker/templates/mq-deployment.yaml b/charts/netmaker/templates/mq-deployment.yaml
index d9fa7cc..6a3af6e 100644
--- a/charts/netmaker/templates/mq-deployment.yaml
+++ b/charts/netmaker/templates/mq-deployment.yaml
@@ -20,70 +20,83 @@ spec:
       affinity:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+
       {{- with .Values.mq.tolerations }}
       tolerations:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+
       containers:
-      - env:
-        - name: NETMAKER_SERVER_HOST
-          value: https://api.{{ required "A valid .Values.baseDomain entry required!" .Values.baseDomain}}
-        image: eclipse-mosquitto:openssl
-        command: ["/mosquitto/config/wait.sh"]
-        imagePullPolicy: Always
-        name: mosquitto
-        livenessProbe:
-          failureThreshold: 3
-          periodSeconds: 10
-          successThreshold: 1
-          tcpSocket:
-            port: 8883
-          timeoutSeconds: 1
-        ports:
-        - containerPort: 1883        
-          name: mqtt
-          protocol: TCP
-        - containerPort: 8883        
-          name: mqtt2
-          protocol: TCP
-        readinessProbe:
-          failureThreshold: 3
-          periodSeconds: 10
-          successThreshold: 1
-          tcpSocket:
-            port: 8883
-          timeoutSeconds: 1
-        resources: {}
-        startupProbe:
-          failureThreshold: 30
-          periodSeconds: 5
-          successThreshold: 1
-          tcpSocket:
-            port: 8883
-          timeoutSeconds: 1
-        terminationMessagePath: /dev/termination-log
-        terminationMessagePolicy: File
-        volumeMounts:
-        - mountPath: /mosquitto/config/mosquitto.conf
-          name: mosquitto-config
-          subPath: mosquitto.conf
-        - mountPath: /mosquitto/config/wait.sh
-          name: wait-script
-          subPath: wait.sh
-        - mountPath: /mosquitto/data
-          name: shared-data
+        - name: mosquitto
+          image: eclipse-mosquitto:openssl
+          command: ["/mosquitto/config/wait.sh"]
+          imagePullPolicy: Always
+
+          env:
+            - name: NETMAKER_SERVER_HOST
+              value: https://{{ required "A valid .Values.mq.ingress.host entry required!" .Values.mq.ingress.host }}
+
+          livenessProbe:
+            failureThreshold: 3
+            periodSeconds: 10
+            successThreshold: 1
+            tcpSocket:
+              port: {{ .Values.mq.service.targetPort }}
+            timeoutSeconds: 1
+
+          ports:
+            - containerPort: 1883        
+              name: mqtt
+              protocol: TCP
+            - containerPort: {{ .Values.mq.service.targetPort }}        
+              name: mqtt2
+              protocol: TCP
+
+          readinessProbe:
+            failureThreshold: 3
+            periodSeconds: 10
+            successThreshold: 1
+            tcpSocket:
+              port: {{ .Values.mq.service.targetPort }}
+            timeoutSeconds: 1
+
+          resources: {}
+
+          startupProbe:
+            failureThreshold: 30
+            periodSeconds: 5
+            successThreshold: 1
+            tcpSocket:
+              port: {{ .Values.mq.service.targetPort }}
+            timeoutSeconds: 1
+
+          terminationMessagePath: /dev/termination-log
+          terminationMessagePolicy: File
+
+          volumeMounts:
+            - name: mosquitto-config
+              mountPath: /mosquitto/config/mosquitto.conf
+              subPath: mosquitto.conf
+            - name: wait-script
+              mountPath: /mosquitto/config/wait.sh
+              subPath: wait.sh
+            - name: shared-data
+              mountPath: /mosquitto/data
+
       volumes:
-      - configMap:
-          name: {{ include "netmaker.fullname" . }}-mqtt-config
-        name: mosquitto-config
-      - configMap:
-          name: {{ include "netmaker.fullname" . }}-mqtt-wait
-          defaultMode: 0744
-        name: wait-script
-      - name: shared-data
-        persistentVolumeClaim:
-        {{- if .Values.mq.existingClaim }}
-          claimName: {{ .Values.mq.existingClaim }}
-        {{- else }} 
-          claimName: {{ include "netmaker.fullname" . }}-shared-data
-        {{- end }}
+        - name: mosquitto-config
+          configMap:
+            name: {{ include "netmaker.fullname" . }}-mqtt-config
+
+        - name: wait-script
+          configMap:
+            name: {{ include "netmaker.fullname" . }}-mqtt-wait
+            defaultMode: 0744
+
+        - name: shared-data
+          persistentVolumeClaim:
+          {{- if .Values.mq.existingClaim }}
+            claimName: {{ .Values.mq.existingClaim }}
+          {{- else }} 
+            claimName: {{ include "netmaker.fullname" . }}-shared-data
+          {{- end }}
diff --git a/charts/netmaker/templates/ingress-route.yaml b/charts/netmaker/templates/mq-ingress-route.yaml
similarity index 61%
rename from charts/netmaker/templates/ingress-route.yaml
rename to charts/netmaker/templates/mq-ingress-route.yaml
index d553420..e285ea9 100644
--- a/charts/netmaker/templates/ingress-route.yaml
+++ b/charts/netmaker/templates/mq-ingress-route.yaml
@@ -1,7 +1,6 @@
-{{- if and .Values.ingress.enabled (eq .Values.ingress.className "traefik") -}}
+{{- if and .Values.mq.ingress.enabled (eq .Values.mq.ingress.className "traefik") -}}
 {{- $fullName := include "netmaker.fullname" . -}}
 {{- $fullMQName := printf "%s-%s" $fullName "mqtt" -}}
-{{- $mqSvcPort := 8883 -}}
 apiVersion: traefik.containo.us/v1alpha1
 kind: IngressRouteTCP
 metadata:
@@ -12,13 +11,13 @@ spec:
   entryPoints:
     - websecure
   routes:
-  - match: HostSNI(`{{ .Values.ingress.hostPrefix.mq }}{{ .Values.baseDomain }}`)
+  - match: HostSNI(`{{ .Values.mq.ingress.host }}`)
     services:
     - name: {{ $fullMQName }}
-      port: {{ $mqSvcPort }}
+      port: {{ .Values.mq.service.targetPort }}
   tls:
     passthrough: true
     secretName: {{ $fullMQName }}-tls-secret
     domains:
-    - main: {{ .Values.ingress.hostPrefix.mq }}{{ .Values.baseDomain }}
+    - main: {{ .Values.mq.ingress.host }}
 {{- end }}
diff --git a/charts/netmaker/templates/mq-ingress.yaml b/charts/netmaker/templates/mq-ingress.yaml
index a0f9f00..77351a7 100644
--- a/charts/netmaker/templates/mq-ingress.yaml
+++ b/charts/netmaker/templates/mq-ingress.yaml
@@ -1,54 +1,32 @@
-{{- if .Values.ingress.enabled -}}
+{{- if .Values.mq.ingress.enabled -}}
 {{- $fullName := include "netmaker.fullname" . -}}
 {{- $fullMQName := printf "%s-%s" $fullName "mqtt" -}}
-{{- $mqSvcPort := 8883 -}}
-{{- $classname := required "A valid .Values.ingress.className entry required! Please set this to your ingress class (nginx, traefik)" .Values.ingress.className}}
 
-{{- if or (eq .Values.ingress.className "nginx") (eq .Values.ingress.className "public") }}
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   name: {{ $fullMQName }}
   labels:
     {{- include "netmaker.labels" . | nindent 4 }}
-  {{- with .Values.ingress }}
+  {{- with .Values.mq.ingress.annotations }}
   annotations:
-    {{- toYaml .annotations.nginx | nindent 4 }}
-    {{- if and .tls.enabled (eq .tls.issuerName "" )}}
-    {{- toYaml .annotations.tls | nindent 4 }}
-    {{- else if .tls.enabled}}
-    cert-manager.io/cluster-issuer: {{ .tls.issuerName }}
-    {{- end }}
-    {{- with .annotations.mq }}
-      {{- toYaml . | nindent 4 }}
-    {{- end }}
+    {{- toYaml . }}
   {{- end }}
 spec:
-  ingressClassName:  {{ required "A valid .Values.ingress.className entry required!" .Values.ingress.className}}
-  {{- if .Values.ingress.tls.enabled }}
+  ingressClassName:  {{ required "A valid .Values.ingress.className entry required!" .Values.mq.ingress.className}}
+  {{- with .Values.mq.ingress.tls }}
   tls:
-    - hosts:
-        - {{ .Values.ingress.hostPrefix.broker }}{{ .Values.baseDomain }}
-      secretName: {{ $fullMQName }}-tls-secret
+    {{- toYaml . }}
   {{- end }}
   rules:
-    - host: {{ .Values.ingress.hostPrefix.broker }}{{ .Values.baseDomain }}
+    - host: {{ .Values.mq.ingress.host }}
       http:
         paths:
           - path: /
-            {{- if (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }}
             pathType: Prefix
-            {{- end }}
             backend:
-              {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
               service:
                 name: {{ $fullMQName }}
                 port:
-                  number: {{ $mqSvcPort }}
-              {{- else }}
-              serviceName: {{ $fullMQName }}
-              servicePort: {{ $mqSvcPort }}
-              {{- end }}
-{{- end }}
-
+                  number: {{ .Values.mq.service.targetPort }}
 {{- end }}
diff --git a/charts/netmaker/templates/mq-service.yaml b/charts/netmaker/templates/mq-service.yaml
index 1bbfddf..0320185 100644
--- a/charts/netmaker/templates/mq-service.yaml
+++ b/charts/netmaker/templates/mq-service.yaml
@@ -10,7 +10,7 @@ spec:
     protocol: TCP
     targetPort: mqtt
   - name: mqtt2
-    port: 8883
+    port: {{ .Values.mq.service.targetPort }}
     protocol: TCP
     targetPort: mqtt2    
   selector:
diff --git a/charts/netmaker/templates/netmaker-statefulset.yaml b/charts/netmaker/templates/netmaker-statefulset.yaml
index 6abbcf5..1fbaaab 100644
--- a/charts/netmaker/templates/netmaker-statefulset.yaml
+++ b/charts/netmaker/templates/netmaker-statefulset.yaml
@@ -120,7 +120,7 @@ spec:
         imagePullPolicy: {{ .Values.image.pullPolicy }}
         name: {{ include "netmaker.fullname" . }}
         ports:
-        - containerPort: {{ .Values.service.restPort }}
+        - containerPort: {{ .Values.api.service.port }}
           protocol: TCP
       {{- if .Values.wireguard.enabled }}
         {{ $count := (add .Values.wireguard.networkLimit 1 | int) }}
diff --git a/charts/netmaker/templates/services.yaml b/charts/netmaker/templates/services.yaml
deleted file mode 100644
index a5652e2..0000000
--- a/charts/netmaker/templates/services.yaml
+++ /dev/null
@@ -1,57 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  labels:
-    {{- include "netmaker.labels" . | nindent 4 }}
-  name: '{{ include "netmaker.fullname" . }}-ui'
-spec:
-  ports:
-  - port: {{ .Values.service.uiPort }}
-    protocol: TCP
-    targetPort: {{ .Values.service.uiPort }}
-  selector:
-    app: '{{ include "netmaker.fullname" . }}-ui'
-  sessionAffinity: None
-  type: '{{ .Values.service.type }}'
----
-apiVersion: v1
-kind: Service
-metadata:
-  labels:
-    {{- include "netmaker.labels" . | nindent 4 }}
-  name: '{{ include "netmaker.fullname" . }}-rest'
-spec:
-  ports:
-  - name: rest
-    port: {{ .Values.service.restPort }}
-    protocol: TCP
-    targetPort: {{ .Values.service.restPort }}
-  selector:
-    app: '{{ include "netmaker.fullname" . }}'
-  sessionAffinity: None
-  type: {{ .Values.service.type }}
----
-apiVersion: v1
-kind: Service
-metadata:
-  labels:
-    {{- include "netmaker.labels" . | nindent 4 }}
-  name: '{{ include "netmaker.fullname" . }}-wireguard'
-  {{- with .Values.wireguard.service.annotations }}
-  annotations:
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
-spec:
-  externalTrafficPolicy: Local
-  type: {{ .Values.wireguard.service.serviceType }}
-  ports:
-  {{ $count := (add .Values.wireguard.networkLimit 1 | int) }}
-  {{- range untilStep 1 $count 1 }}
-  - port: {{ add 31820 . }}
-    nodePort: {{ add 31820 . }}
-    protocol: UDP
-    targetPort: {{ add 31820 . }}
-    name: wg-iface-{{ add 31820 . }}
-  {{- end }}
-  selector:
-    app: '{{ include "netmaker.fullname" . }}'
diff --git a/charts/netmaker/templates/tests/test-connection.yaml b/charts/netmaker/templates/tests/test-connection.yaml
deleted file mode 100644
index c0d498c..0000000
--- a/charts/netmaker/templates/tests/test-connection.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
-  name: "{{ include "netmaker.fullname" . }}-test-connection"
-  labels:
-    {{- include "netmaker.labels" . | nindent 4 }}
-  annotations:
-    "helm.sh/hook": test
-spec:
-  containers:
-    - name: wget
-      image: busybox
-      command: ['wget']
-      args: ['{{ include "netmaker.fullname" . }}:{{ .Values.service.port }}']
-  restartPolicy: Never
diff --git a/charts/netmaker/templates/ui-deployment.yaml b/charts/netmaker/templates/ui-deployment.yaml
index 38d3a6e..49c8d33 100644
--- a/charts/netmaker/templates/ui-deployment.yaml
+++ b/charts/netmaker/templates/ui-deployment.yaml
@@ -15,11 +15,11 @@ spec:
         app: {{ include "netmaker.fullname" . }}-ui
     spec:
       containers:
-      - name: {{ include "netmaker.fullname" . }}-ui
-        image: {{ include "netmaker.ui.image" . }}
-        ports:
-        - containerPort: {{ .Values.service.uiPort }}
-        env:
-        - name: BACKEND_URL
-          value: 'https://{{ .Values.ingress.hostPrefix.rest }}{{ required "A valid .Values.baseDomain entry required!" .Values.baseDomain}}'
+        - name: {{ include "netmaker.fullname" . }}-ui
+          image: {{ include "netmaker.ui.image" . }}
+          ports:
+            - containerPort: {{ .Values.ui.service.port }}
+          env:
+            - name: BACKEND_URL
+              value: 'https://{{ required "A valid .Values.api.ingress.host entry required!" .Values.api.ingress.host}}'
       terminationGracePeriodSeconds: 15
diff --git a/charts/netmaker/templates/ui-ingress.yaml b/charts/netmaker/templates/ui-ingress.yaml
index f22d270..b22bbd4 100644
--- a/charts/netmaker/templates/ui-ingress.yaml
+++ b/charts/netmaker/templates/ui-ingress.yaml
@@ -1,75 +1,31 @@
-{{- if .Values.ingress.enabled -}}
+{{- if .Values.ui.ingress.enabled -}}
 {{- $fullName := include "netmaker.fullname" . -}}
 {{- $fullUIName := printf "%s-%s" $fullName "ui" -}}
-{{- $fullRESTName := printf "%s-%s" $fullName "rest" -}}
-{{- $fullMQName := printf "%s-%s" $fullName "mqtt" -}}
-{{- $uiSvcPort := .Values.service.uiPort -}}
-{{- $restSvcPort := .Values.service.restPort -}}
-{{- $mqSvcPort := 8883 -}}
-{{- $classname := required "A valid .Values.ingress.className entry required! Please set this to your ingress class (nginx, traefik)" .Values.ingress.className}}
-{{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }}
-  {{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }}
-  {{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}}
-  {{- end }}
-{{- end }}
-{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
 apiVersion: networking.k8s.io/v1
-{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
-apiVersion: networking.k8s.io/v1beta1
-{{- else -}}
-apiVersion: extensions/v1beta1
-{{- end }}
 kind: Ingress
 metadata:
   name: {{ $fullUIName }}
   labels:
     {{- include "netmaker.labels" . | nindent 4 }}
-  {{- with .Values.ingress }}
+  {{- with .Values.ui.ingress.annotations }}
   annotations:
-    {{- toYaml .annotations.base | nindent 4 }}
-    {{- if or (eq .className "nginx") (eq .className "public") }}
-    {{- toYaml .annotations.nginx | nindent 4 }}
-    {{- end }}
-    {{- if eq .className "traefik" }}
-    {{- toYaml .annotations.traefik | nindent 4 }}
-    {{- end }}
-    {{- if and .tls.enabled (eq .tls.issuerName "" )}}
-    {{- toYaml .annotations.tls | nindent 4 }}
-    {{- else if .tls.enabled}}
-    cert-manager.io/cluster-issuer: {{ .tls.issuerName }}
-    {{- end }}
-    {{- with .annotations.ui }}
-      {{- toYaml . | nindent 4 }}
-    {{- end }}
+    {{- toYaml . }}
   {{- end }}
 spec:
-  {{- if (not (eq .Values.ingress.className "traefik")) }}
-  {{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
-  ingressClassName: {{ required "A valid .Values.ingress.className entry required!" .Values.ingress.className}}
-  {{- end }}
-  {{- end }}
-  {{- if .Values.ingress.tls.enabled }}
+  ingressClassName: {{ required "A valid .Values.ingress.className entry required!" .Values.ui.ingress.className}}
+  {{- with .Values.ui.ingress.tls }}
   tls:
-    - hosts:
-        - {{ .Values.ingress.hostPrefix.ui }}{{ .Values.baseDomain }}
-      secretName: {{ $fullUIName }}-tls-secret
+    {{- toYaml . }}
   {{- end}}
   rules:
-    - host: {{ .Values.ingress.hostPrefix.ui }}{{ .Values.baseDomain }}
+    - host: {{ .Values.ui.ingress.host }}
       http:
         paths:
           - path: /
-            {{- if (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }}
             pathType: Prefix
-            {{- end }}
             backend:
-              {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
               service:
                 name: {{ $fullUIName }}
                 port:
-                  number: {{ $uiSvcPort }}
-              {{- else }}
-              serviceName: {{ $fullUIName }}
-              servicePort: {{ $uiSvcPort }}
-              {{- end }}
+                  number: {{ .Values.ui.service.port }}
 {{- end }}
diff --git a/charts/netmaker/templates/ui-service.yaml b/charts/netmaker/templates/ui-service.yaml
new file mode 100644
index 0000000..db882ad
--- /dev/null
+++ b/charts/netmaker/templates/ui-service.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    {{- include "netmaker.labels" . | nindent 4 }}
+  name: '{{ include "netmaker.fullname" . }}-ui'
+spec:
+  ports:
+    - port: {{ .Values.ui.service.port }}
+      protocol: TCP
+      targetPort: {{ .Values.ui.service.targetPort }}
+  selector:
+    app: '{{ include "netmaker.fullname" . }}-ui'
+  sessionAffinity: None
+  type: {{ .Values.ui.service.type }}
diff --git a/charts/netmaker/templates/wireguard-service.yaml b/charts/netmaker/templates/wireguard-service.yaml
new file mode 100644
index 0000000..c54304d
--- /dev/null
+++ b/charts/netmaker/templates/wireguard-service.yaml
@@ -0,0 +1,25 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    {{- include "netmaker.labels" . | nindent 4 }}
+  name: '{{ include "netmaker.fullname" . }}-wireguard'
+  {{- with .Values.wireguard.service.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  externalTrafficPolicy: Local
+  type: {{ .Values.wireguard.service.type }}
+  ports:
+  {{ $count := (add .Values.wireguard.networkLimit 1 | int) }}
+  {{- range untilStep 1 $count 1 }}
+  - port: {{ add 31820 . }}
+    nodePort: {{ add 31820 . }}
+    protocol: UDP
+    targetPort: {{ add 31820 . }}
+    name: wg-iface-{{ add 31820 . }}
+  {{- end }}
+  selector:
+    app: '{{ include "netmaker.fullname" . }}'
diff --git a/charts/netmaker/values.yaml b/charts/netmaker/values.yaml
index 084d801..f9dc452 100644
--- a/charts/netmaker/values.yaml
+++ b/charts/netmaker/values.yaml
@@ -3,8 +3,6 @@
 # -- number of netmaker server replicas to create
 replicas: 1
 
-baseDomain: example.com
-
 image:
   # -- The image repo to pull Netmaker image from
   repository: gravitl/netmaker
@@ -51,15 +49,61 @@ podAnnotations: {}
 podSecurityContext: {}
 # fsGroup: 2000
 
+api:
+  service:
+    # -- type for netmaker server services
+    type: ClusterIP
+    # -- port for API service
+    port: 8081
+    # -- targetport for API service
+    targetPort: 8081
+
+  ingress:
+    # -- attempts to configure ingress if true
+    enabled: true
+    # -- api (REST) route subdomain
+    host: 'api.cluster.local'
+    # -- api ingress className
+    className: "nginx"
+    # -- annotations for the netmaker API ingress object
+    annotations: {}
+    # -- ingress api tls list
+    tls: []
+    # tls:
+    #   - secretName: netmaker-api-tls
+    #     hosts:
+    #       - api.mydomain.tld
+
 ui:
   # -- how many UI replicas to create
   replicas: 1
+  service:
+    # -- type for netmaker server services
+    type: ClusterIP
+    # -- port for UI service
+    port: 80
+    # -- target port for UI service
+    targetport: 80
+  ingress:
+    # -- attempts to configure ingress if true
+    enabled: true
+    # -- hostname for mqtt ingress
+    host: "dashboard.cluster.local"
+    # -- UI ingress className
+    className: "nginx"
+    # -- annotations for the netmaker UI ingress object
+    annotations: {}
+    # -- ingress tls list
+    tls: []
+    # tls:
+    #   - secretName: netmaker-mqtt-tls
+    #     hosts:
+    #       - dashboard.mydomain.tld
 
 mq:
   # -- how many MQTT replicas to create
-  # change to 2 or more and set singlenode to false if needed
   replicas: 1
-  singlenode: true
+  generateCert: false
   # -- optional tolerations settings for mqtt
   tolerations: {}
   # -- optional affinity settings for mqtt
@@ -73,82 +117,62 @@ mq:
   #         values:
   #         - "true"
   username: netmaker
-  password: 3yyerWGdds43yegGR
+  password: ''
   # -- name of an existing secret to use for mq password. If set, ignores mq.password
   existingSecret: ''
   # -- name of key in existing secret to grab password from. If set, ignores mq.password
   secretKey: ''
-  # -- name of existing PVC claim to use. if set, storageClassName is ignored
-  existingClaim: ""
-  accessMode: "ReadWriteMany"
-  storageClassName: ""
-  storage: 128Mi
+  persistence:
+    # -- name of existing PVC claim to use. if set, storageClassName is ignored
+    existingClaim: ""
+    accessMode: "ReadWriteMany"
+    storageClassName: ""
+    storage: 128Mi
+  service:
+    # -- type for netmaker server services
+    type: ClusterIP
+    # -- port for MQTT service
+    port: 443
+    # -- Target port for MQTT service
+    targetPort: 8883
+  ingress:
+    # -- attempts to configure ingress if true
+    enabled: true
+    # -- hostname for mqtt ingress
+    host: "broker.cluster.local"
+    className: "nginx"
+    # -- annotations for the mqtt ingress object
+    annotations: {}
+    ## Redirect http to https
+    # nginx.ingress.kubernetes.io/ssl-redirect: 'true'
+    ## destination addr for route
+    # nginx.ingress.kubernetes.io/rewrite-target: /
+    # -- ingress tls list
+    tls: []
+    # tls:
+    #   - secretName: netmaker-mqtt-tls
+    #     hosts:
+    #       - broker.mydomain.tld
 
 dns:
   # -- whether or not to deploy coredns
   enabled: false
-  # -- existingClaim, if not set, defaults to HELM.RELEASE.NAME-dns
-  existingClaim: ''
-  storage: 1Gi
-  storageClassName: ""
-  accessMode: ReadWriteOnce
+  persistence:
+    # -- existingClaim, if not set, defaults to HELM.RELEASE.NAME-dns
+    existingClaim: ''
+    storage: 1Gi
+    storageClassName: ""
+    accessMode: ReadWriteOnce
 
 setIpForwarding:
   enabled: true
 
-service:
-  # -- type for netmaker server services
-  type: ClusterIP
-  # -- port for API service
-  restPort: 8081
-  # -- port for MQTT service
-  mqPort: 443
-  # -- port for UI service
-  uiPort: 80
-
-ingress:
-  # -- attempts to configure ingress if true
-  enabled: true
-  className: "nginx"
-  tls:
-    enabled: false
-    issuerName: "letsencrypt-prod"
-  annotations:
-    ui: {}
-    rest: {}
-    mq: {}
-    base:
-      # -- annotation to generate ACME certs if available
-      kubernetes.io/ingress.allow-http: "false"
-    tls:
-      # -- use acme cert if available
-      kubernetes.io/tls-acme: "true"
-    nginx:
-      # -- Redirect http to https
-      nginx.ingress.kubernetes.io/ssl-redirect: 'true'
-      # -- destination addr for route
-      nginx.ingress.kubernetes.io/rewrite-target: /
-    traefik:
-      # -- Redirect to https
-      traefik.ingress.kubernetes.io/redirect-entry-point: https
-      # -- Redirect to https permanently
-      traefik.ingress.kubernetes.io/redirect-permanent: "true"
-      # -- rule type
-      traefik.ingress.kubernetes.io/rule-type: "PathPrefixStrip"
-  hostPrefix:
-    # -- ui route subdomain
-    ui: 'dashboard.'
-    # -- api (REST) route subdomain
-    rest: 'api.'
-    # -- mqtt route subdomain
-    broker: 'broker.'
-
 wireguard:
   # -- whether or not to use WireGuard on server
   enabled: true
   service:
     annotations: {}
-    serviceType: NodePort
+    type: NodePort
   # -- whether or not to use Kernel WG (should be false unless WireGuard is installed on hosts).
   kernel: false
   # -- max number of networks that Netmaker will support if running with WireGuard enabled

From 3d58e2fa2a1dca5ae74371b784fca4a190b8c959 Mon Sep 17 00:00:00 2001
From: jessebot <jessebot@linux.com>
Date: Sun, 24 Mar 2024 21:55:33 +0100
Subject: [PATCH 30/40] clean up persistence

---
 charts/netmaker/templates/coredns-pvc.yaml          | 8 ++++----
 charts/netmaker/templates/coredns.yaml              | 4 ++--
 charts/netmaker/templates/mq-deployment.yaml        | 4 ++--
 charts/netmaker/templates/mq-pvc.yaml               | 8 ++++----
 charts/netmaker/templates/netmaker-statefulset.yaml | 8 ++++----
 5 files changed, 16 insertions(+), 16 deletions(-)

diff --git a/charts/netmaker/templates/coredns-pvc.yaml b/charts/netmaker/templates/coredns-pvc.yaml
index 7b9b9cc..ccff0a9 100644
--- a/charts/netmaker/templates/coredns-pvc.yaml
+++ b/charts/netmaker/templates/coredns-pvc.yaml
@@ -1,12 +1,12 @@
-{{- if and .Values.dns.enabled (not .Values.dns.existingClaim) -}}
+{{- if and .Values.dns.enabled (not .Values.dns.persistence.existingClaim) -}}
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
   name: {{ include "netmaker.fullname" . }}-dns
 spec:
-  storageClassName: {{ required "A valid .Values.dns.storageClassName entry required! Specify an available storage class." .Values.dns.storageClassName}}
-  accessModes: [{{ .Values.dns.accessMode }}]
+  storageClassName: {{ required "A valid .Values.dns.storageClassName entry required! Specify an available storage class." .Values.dns.persistence.storageClassName}}
+  accessModes: [{{ .Values.dns.persistence.accessMode }}]
   resources:
     requests:
-      storage: {{ .Values.dns.storage }}
+      storage: {{ .Values.dns.persistence.storage }}
 {{- end }}
diff --git a/charts/netmaker/templates/coredns.yaml b/charts/netmaker/templates/coredns.yaml
index 1830642..86afdaf 100644
--- a/charts/netmaker/templates/coredns.yaml
+++ b/charts/netmaker/templates/coredns.yaml
@@ -47,8 +47,8 @@ spec:
       volumes:
       - name: dns-pvc
         persistentVolumeClaim:
-          {{- if .Values.dns.existingClaim }}
-          claimName: {{ .Values.dns.existingClaim }}
+          {{- if .Values.dns.persistence.existingClaim }}
+          claimName: {{ .Values.dns.persistence.existingClaim }}
           {{- else }}
           claimName: {{ include "netmaker.fullname" . }}-dns
           {{- end }}
diff --git a/charts/netmaker/templates/mq-deployment.yaml b/charts/netmaker/templates/mq-deployment.yaml
index 6a3af6e..75edc02 100644
--- a/charts/netmaker/templates/mq-deployment.yaml
+++ b/charts/netmaker/templates/mq-deployment.yaml
@@ -95,8 +95,8 @@ spec:
 
         - name: shared-data
           persistentVolumeClaim:
-          {{- if .Values.mq.existingClaim }}
-            claimName: {{ .Values.mq.existingClaim }}
+          {{- if .Values.mq.persistence.existingClaim }}
+            claimName: {{ .Values.mq.persistence.existingClaim }}
           {{- else }} 
             claimName: {{ include "netmaker.fullname" . }}-shared-data
           {{- end }}
diff --git a/charts/netmaker/templates/mq-pvc.yaml b/charts/netmaker/templates/mq-pvc.yaml
index f87f67d..916b805 100644
--- a/charts/netmaker/templates/mq-pvc.yaml
+++ b/charts/netmaker/templates/mq-pvc.yaml
@@ -1,13 +1,13 @@
 ---
-{{- if not .Values.mq.existingClaim }}
+{{- if not .Values.mq.persistence.existingClaim }}
 kind: PersistentVolumeClaim
 apiVersion: v1
 metadata:
   name: {{ include "netmaker.fullname" . }}-shared-data
 spec:
-  storageClassName: {{ .Values.mq.storageClassName }}
-  accessModes: [{{ .Values.mq.accessMode }}]
+  storageClassName: {{ .Values.mq.persistence.storageClassName }}
+  accessModes: [{{ .Values.mq.persistence.accessMode }}]
   resources:
     requests:
-      storage: {{ .Values.mq.storage }}
+      storage: {{ .Values.mq.persistence.storage }}
 {{- end }}
diff --git a/charts/netmaker/templates/netmaker-statefulset.yaml b/charts/netmaker/templates/netmaker-statefulset.yaml
index 1fbaaab..7813fbd 100644
--- a/charts/netmaker/templates/netmaker-statefulset.yaml
+++ b/charts/netmaker/templates/netmaker-statefulset.yaml
@@ -145,16 +145,16 @@ spec:
       volumes:
       - name: shared-data
         persistentVolumeClaim:
-          {{- if .Values.mq.existingClaim }}
-          claimName: {{ .Values.mq.existingClaim }}
+          {{- if .Values.mq.persistence.existingClaim }}
+          claimName: {{ .Values.mq.persistence.existingClaim }}
           {{- else }}
           claimName: {{ include "netmaker.fullname" . }}-shared-data
           {{- end }}
       {{- if .Values.dns.enabled }}
       - name: dns-pvc
         persistentVolumeClaim:
-          {{- if .Values.dns.existingClaim }}
-          claimName: {{ .Values.dns.existingClaim }}
+          {{- if .Values.dns.persistence.existingClaim }}
+          claimName: {{ .Values.dns.persistence.existingClaim }}
           {{- else }}
           claimName: {{ include "netmaker.fullname" . }}-dns
           {{- end }}

From e71ed3e6a64737c7e7906f44e979fb48c5aea3ec Mon Sep 17 00:00:00 2001
From: jessebot <jessebot@linux.com>
Date: Sun, 24 Mar 2024 22:13:36 +0100
Subject: [PATCH 31/40] remove space

---
 charts/netmaker/templates/mq-ingress.yaml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/charts/netmaker/templates/mq-ingress.yaml b/charts/netmaker/templates/mq-ingress.yaml
index 77351a7..a95a46e 100644
--- a/charts/netmaker/templates/mq-ingress.yaml
+++ b/charts/netmaker/templates/mq-ingress.yaml
@@ -1,7 +1,6 @@
 {{- if .Values.mq.ingress.enabled -}}
 {{- $fullName := include "netmaker.fullname" . -}}
 {{- $fullMQName := printf "%s-%s" $fullName "mqtt" -}}
-
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:

From 0d5da2d9c3d9dd01c9c1bfae29051ce7160dbc1b Mon Sep 17 00:00:00 2001
From: jessebot <jessebot@linux.com>
Date: Sun, 24 Mar 2024 22:28:08 +0100
Subject: [PATCH 32/40] fix ingress tls sections

---
 charts/netmaker/templates/api-ingress.yaml | 2 +-
 charts/netmaker/templates/mq-ingress.yaml  | 2 +-
 charts/netmaker/templates/ui-ingress.yaml  | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/charts/netmaker/templates/api-ingress.yaml b/charts/netmaker/templates/api-ingress.yaml
index ab84924..580f358 100644
--- a/charts/netmaker/templates/api-ingress.yaml
+++ b/charts/netmaker/templates/api-ingress.yaml
@@ -15,7 +15,7 @@ spec:
   ingressClassName:  {{ required "A valid .Values.ingress.className entry required!" .Values.api.ingress.className}}
   {{- with .Values.api.ingress.tls }}
   tls:
-    {{- toYaml . }}
+    {{- toYaml . | nindent 4 }}
   {{- end }}
   rules:
     - host: {{ .Values.api.ingress.host }}
diff --git a/charts/netmaker/templates/mq-ingress.yaml b/charts/netmaker/templates/mq-ingress.yaml
index a95a46e..2a41973 100644
--- a/charts/netmaker/templates/mq-ingress.yaml
+++ b/charts/netmaker/templates/mq-ingress.yaml
@@ -15,7 +15,7 @@ spec:
   ingressClassName:  {{ required "A valid .Values.ingress.className entry required!" .Values.mq.ingress.className}}
   {{- with .Values.mq.ingress.tls }}
   tls:
-    {{- toYaml . }}
+    {{- toYaml . | nindent 4 }}
   {{- end }}
   rules:
     - host: {{ .Values.mq.ingress.host }}
diff --git a/charts/netmaker/templates/ui-ingress.yaml b/charts/netmaker/templates/ui-ingress.yaml
index b22bbd4..7fb12c1 100644
--- a/charts/netmaker/templates/ui-ingress.yaml
+++ b/charts/netmaker/templates/ui-ingress.yaml
@@ -15,7 +15,7 @@ spec:
   ingressClassName: {{ required "A valid .Values.ingress.className entry required!" .Values.ui.ingress.className}}
   {{- with .Values.ui.ingress.tls }}
   tls:
-    {{- toYaml . }}
+    {{- toYaml . | nindent 4 }}
   {{- end}}
   rules:
     - host: {{ .Values.ui.ingress.host }}

From 9a23a74bc04d8f70e056c9e9d716634b8ace1785 Mon Sep 17 00:00:00 2001
From: jessebot <jessebot@linux.com>
Date: Sun, 24 Mar 2024 22:30:56 +0100
Subject: [PATCH 33/40] fix ingress annotations

---
 charts/netmaker/templates/mq-ingress.yaml | 2 +-
 charts/netmaker/templates/ui-ingress.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/charts/netmaker/templates/mq-ingress.yaml b/charts/netmaker/templates/mq-ingress.yaml
index 2a41973..3b4f027 100644
--- a/charts/netmaker/templates/mq-ingress.yaml
+++ b/charts/netmaker/templates/mq-ingress.yaml
@@ -9,7 +9,7 @@ metadata:
     {{- include "netmaker.labels" . | nindent 4 }}
   {{- with .Values.mq.ingress.annotations }}
   annotations:
-    {{- toYaml . }}
+    {{- toYaml . | nindent 4 }}
   {{- end }}
 spec:
   ingressClassName:  {{ required "A valid .Values.ingress.className entry required!" .Values.mq.ingress.className}}
diff --git a/charts/netmaker/templates/ui-ingress.yaml b/charts/netmaker/templates/ui-ingress.yaml
index 7fb12c1..1aaecc3 100644
--- a/charts/netmaker/templates/ui-ingress.yaml
+++ b/charts/netmaker/templates/ui-ingress.yaml
@@ -9,7 +9,7 @@ metadata:
     {{- include "netmaker.labels" . | nindent 4 }}
   {{- with .Values.ui.ingress.annotations }}
   annotations:
-    {{- toYaml . }}
+    {{- toYaml . | nindent 4 }}
   {{- end }}
 spec:
   ingressClassName: {{ required "A valid .Values.ingress.className entry required!" .Values.ui.ingress.className}}

From ea40b67eea7b1ceab9adf4b256beab2a896a2f75 Mon Sep 17 00:00:00 2001
From: jessebot <jessebot@linux.com>
Date: Mon, 25 Mar 2024 06:59:08 +0100
Subject: [PATCH 34/40] update mq deployment to not have shared data volume

---
 charts/netmaker/templates/mq-deployment.yaml | 30 +++++++-------------
 1 file changed, 10 insertions(+), 20 deletions(-)

diff --git a/charts/netmaker/templates/mq-deployment.yaml b/charts/netmaker/templates/mq-deployment.yaml
index 75edc02..47531d6 100644
--- a/charts/netmaker/templates/mq-deployment.yaml
+++ b/charts/netmaker/templates/mq-deployment.yaml
@@ -36,14 +36,6 @@ spec:
             - name: NETMAKER_SERVER_HOST
               value: https://{{ required "A valid .Values.mq.ingress.host entry required!" .Values.mq.ingress.host }}
 
-          livenessProbe:
-            failureThreshold: 3
-            periodSeconds: 10
-            successThreshold: 1
-            tcpSocket:
-              port: {{ .Values.mq.service.targetPort }}
-            timeoutSeconds: 1
-
           ports:
             - containerPort: 1883        
               name: mqtt
@@ -52,7 +44,7 @@ spec:
               name: mqtt2
               protocol: TCP
 
-          readinessProbe:
+          livenessProbe:
             failureThreshold: 3
             periodSeconds: 10
             successThreshold: 1
@@ -60,7 +52,13 @@ spec:
               port: {{ .Values.mq.service.targetPort }}
             timeoutSeconds: 1
 
-          resources: {}
+          readinessProbe:
+            failureThreshold: 3
+            periodSeconds: 10
+            successThreshold: 1
+            tcpSocket:
+              port: {{ .Values.mq.service.targetPort }}
+            timeoutSeconds: 1
 
           startupProbe:
             failureThreshold: 30
@@ -73,6 +71,8 @@ spec:
           terminationMessagePath: /dev/termination-log
           terminationMessagePolicy: File
 
+          resources: {}
+
           volumeMounts:
             - name: mosquitto-config
               mountPath: /mosquitto/config/mosquitto.conf
@@ -80,8 +80,6 @@ spec:
             - name: wait-script
               mountPath: /mosquitto/config/wait.sh
               subPath: wait.sh
-            - name: shared-data
-              mountPath: /mosquitto/data
 
       volumes:
         - name: mosquitto-config
@@ -92,11 +90,3 @@ spec:
           configMap:
             name: {{ include "netmaker.fullname" . }}-mqtt-wait
             defaultMode: 0744
-
-        - name: shared-data
-          persistentVolumeClaim:
-          {{- if .Values.mq.persistence.existingClaim }}
-            claimName: {{ .Values.mq.persistence.existingClaim }}
-          {{- else }} 
-            claimName: {{ include "netmaker.fullname" . }}-shared-data
-          {{- end }}

From 531487d168339482a7b9afe49ccdae4f1b1420cd Mon Sep 17 00:00:00 2001
From: jessebot <jessebot@linux.com>
Date: Mon, 25 Mar 2024 07:04:18 +0100
Subject: [PATCH 35/40] split up the configmap for mqtt and update it to the
 latest upstream script

---
 .../templates/mq-configmap-config.yaml        | 17 ++++++
 .../netmaker/templates/mq-configmap-wait.yaml | 28 ++++++++++
 charts/netmaker/templates/mq-configmap.yaml   | 53 -------------------
 3 files changed, 45 insertions(+), 53 deletions(-)
 create mode 100644 charts/netmaker/templates/mq-configmap-config.yaml
 create mode 100644 charts/netmaker/templates/mq-configmap-wait.yaml
 delete mode 100644 charts/netmaker/templates/mq-configmap.yaml

diff --git a/charts/netmaker/templates/mq-configmap-config.yaml b/charts/netmaker/templates/mq-configmap-config.yaml
new file mode 100644
index 0000000..f72aa14
--- /dev/null
+++ b/charts/netmaker/templates/mq-configmap-config.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  labels:
+    app.kubernetes.io/instance: {{ include "netmaker.fullname" . }}-mqtt
+    app.kubernetes.io/name: {{ include "netmaker.fullname" . }}-mqtt
+  name: {{ include "netmaker.fullname" . }}-mqtt-config
+data:
+  mosquitto.conf: |
+    per_listener_settings false
+    listener {{ .Values.mq.service.targetPort }}
+    protocol websockets
+    allow_anonymous false
+    listener 1883
+    protocol websockets
+    allow_anonymous false
+    password_file /mosquitto/password.txt
diff --git a/charts/netmaker/templates/mq-configmap-wait.yaml b/charts/netmaker/templates/mq-configmap-wait.yaml
new file mode 100644
index 0000000..450b528
--- /dev/null
+++ b/charts/netmaker/templates/mq-configmap-wait.yaml
@@ -0,0 +1,28 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  labels:
+    app.kubernetes.io/instance: {{ include "netmaker.fullname" . }}-mqtt
+    app.kubernetes.io/name: {{ include "netmaker.fullname" . }}-mqtt
+  name: {{ include "netmaker.fullname" . }}-mqtt-wait
+data:
+  wait.sh: |
+    #!/bin/ash
+
+    encrypt_password() {
+      echo "${MQ_USERNAME}:${MQ_PASSWORD}" > /mosquitto/password.txt
+      mosquitto_passwd -U /mosquitto/password.txt
+    }
+
+    main(){
+
+      encrypt_password
+      echo "Starting MQ..."
+      # Run the main container command.
+      /docker-entrypoint.sh
+      /usr/sbin/mosquitto -c /mosquitto/config/mosquitto.conf
+
+    }
+
+    main "${@}"
diff --git a/charts/netmaker/templates/mq-configmap.yaml b/charts/netmaker/templates/mq-configmap.yaml
deleted file mode 100644
index 215f3c7..0000000
--- a/charts/netmaker/templates/mq-configmap.yaml
+++ /dev/null
@@ -1,53 +0,0 @@
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  labels:
-    app.kubernetes.io/instance: {{ include "netmaker.fullname" . }}-mqtt
-    app.kubernetes.io/name: {{ include "netmaker.fullname" . }}-mqtt
-  name: {{ include "netmaker.fullname" . }}-mqtt-wait
-data:
-  wait.sh: |
-    #!/bin/ash
-
-    wait_for_netmaker() {
-      echo "SERVER: ${NETMAKER_SERVER_HOST}"
-      until curl --output /dev/null --silent --fail --head \
-        --location "${NETMAKER_SERVER_HOST}/api/server/health"; do
-        echo "Waiting for netmaker server to startup"
-        sleep 1
-      done
-    }
-
-    main(){
-    # wait for netmaker to startup
-    apk add curl
-    wait_for_netmaker
-    echo "Starting MQ..."
-    # Run the main container command.
-    /docker-entrypoint.sh
-    /usr/sbin/mosquitto -c /mosquitto/config/mosquitto.conf
-
-    }
-
-    main "${@}"
-
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  labels:
-    app.kubernetes.io/instance: {{ include "netmaker.fullname" . }}-mqtt
-    app.kubernetes.io/name: {{ include "netmaker.fullname" . }}-mqtt
-  name: {{ include "netmaker.fullname" . }}-mqtt-config
-data:
-  mosquitto.conf: |
-    per_listener_settings false
-    listener 8883
-    protocol websockets
-    allow_anonymous false
-    listener 1883
-    protocol websockets
-    allow_anonymous false
-    plugin /usr/lib/mosquitto_dynamic_security.so
-    plugin_opt_config_file /mosquitto/data/dynamic-security.json

From 0d001d2422666ff230c0d01fabc89b38bc8fd208 Mon Sep 17 00:00:00 2001
From: jessebot <jessebot@linux.com>
Date: Mon, 25 Mar 2024 08:25:58 +0100
Subject: [PATCH 36/40] first pass to get new env vars via configmaps and
 secrets sorted

---
 charts/netmaker/README.md                     |  48 ++++--
 charts/netmaker/templates/confgmap.yaml       |  37 -----
 charts/netmaker/templates/db-secret.yaml      |  16 ++
 charts/netmaker/templates/mq-pvc.yaml         |  13 --
 charts/netmaker/templates/mq-secret.yaml      |  13 ++
 .../templates/netmaker-configmap.yaml         |  33 ++++
 .../templates/netmaker-oauth-secret.yaml      |  17 +++
 .../netmaker/templates/netmaker-secret.yaml   |  18 +++
 .../templates/netmaker-statefulset.yaml       | 142 +++---------------
 charts/netmaker/templates/secrets.yaml        |  17 ---
 .../netmaker/templates/shared-data-pvc.yaml   |  13 ++
 charts/netmaker/templates/turn-secret.yaml    |  16 ++
 charts/netmaker/values.yaml                   |  89 ++++++++---
 13 files changed, 252 insertions(+), 220 deletions(-)
 delete mode 100644 charts/netmaker/templates/confgmap.yaml
 create mode 100644 charts/netmaker/templates/db-secret.yaml
 delete mode 100644 charts/netmaker/templates/mq-pvc.yaml
 create mode 100644 charts/netmaker/templates/mq-secret.yaml
 create mode 100644 charts/netmaker/templates/netmaker-configmap.yaml
 create mode 100644 charts/netmaker/templates/netmaker-oauth-secret.yaml
 create mode 100644 charts/netmaker/templates/netmaker-secret.yaml
 delete mode 100644 charts/netmaker/templates/secrets.yaml
 create mode 100644 charts/netmaker/templates/shared-data-pvc.yaml
 create mode 100644 charts/netmaker/templates/turn-secret.yaml

diff --git a/charts/netmaker/README.md b/charts/netmaker/README.md
index e1b2e01..fd3e663 100644
--- a/charts/netmaker/README.md
+++ b/charts/netmaker/README.md
@@ -55,10 +55,6 @@ A Helm chart to run HA Netmaker on Kubernetes
 | mq.ingress.host | string | `"broker.cluster.local"` | hostname for mqtt ingress |
 | mq.ingress.tls | list | `[]` | ingress tls list |
 | mq.password | string | `""` |  |
-| mq.persistence.accessMode | string | `"ReadWriteMany"` |  |
-| mq.persistence.existingClaim | string | `""` | name of existing PVC claim to use. if set, storageClassName is ignored |
-| mq.persistence.storage | string | `"128Mi"` |  |
-| mq.persistence.storageClassName | string | `""` |  |
 | mq.replicas | int | `1` | how many MQTT replicas to create |
 | mq.secretKey | string | `""` | name of key in existing secret to grab password from. If set, ignores mq.password |
 | mq.service.port | int | `443` | port for MQTT service |
@@ -67,13 +63,29 @@ A Helm chart to run HA Netmaker on Kubernetes
 | mq.tolerations | object | `{}` | optional tolerations settings for mqtt |
 | mq.username | string | `"netmaker"` |  |
 | nameOverride | string | `""` | override the name for netmaker objects |
-| oauth.enabled | bool | `false` |  |
-| oauth.existingSecret | string | `""` |  |
-| oauth.provider | string | `"oidc"` |  |
-| oauth.secretKeys.clientID | string | `nil` |  |
-| oauth.secretKeys.clientSecret | string | `nil` |  |
-| oauth.secretKeys.frontendURL | string | `nil` |  |
-| oauth.secretKeys.issuer | string | `nil` |  |
+| netmaker.enterprise | object | `{"licenseKey":"","tenantId":""}` | if using enterprise edition fill out this section |
+| netmaker.enterprise.licenseKey | string | `""` | netmaker enterprise license key, ignored if netmaker.existingSecret set |
+| netmaker.enterprise.tenantId | string | `""` | netmaker enterprise tenant ID, ignored if netmaker.existingSecret set |
+| netmaker.existingSecret | string | `""` | if set ignores netmaker.masterKey and enterprise.* |
+| netmaker.jwtDuration | int | `43200` | Duration of JWT token validity in seconds |
+| netmaker.masterKey | string | `"netmaker"` | ignored if netmaker.masterKeyExistingSecret is set |
+| netmaker.oauth.azureTenant | string | `""` | azureTenant if using azure for oauth - ignored if netmaker.oauth.existingSecret is set |
+| netmaker.oauth.clientID | string | `""` | client id if using oidc - ignored if netmaker.oauth.existingSecret is set |
+| netmaker.oauth.clientSecret | string | `""` | client secret if using oidc - ignored if netmaker.oauth.existingSecret is set |
+| netmaker.oauth.enabled | bool | `false` |  |
+| netmaker.oauth.existingSecret | string | `""` |  |
+| netmaker.oauth.issuer | string | `""` | oidc issuer - ignored if netmaker.oauth.existingSecret is set |
+| netmaker.oauth.provider | string | `"oidc"` | AUTH_PROVIDER: must be one of: azure-ad|github|google|oidc |
+| netmaker.oauth.secretKeys.azureTenant | string | `""` |  |
+| netmaker.oauth.secretKeys.clientID | string | `""` |  |
+| netmaker.oauth.secretKeys.clientSecret | string | `""` |  |
+| netmaker.oauth.secretKeys.frontendURL | string | `""` |  |
+| netmaker.oauth.secretKeys.issuer | string | `""` |  |
+| netmaker.racAutoDisable | string | `"true"` | Auto disable a user's connecteds clients bassed on JWT token expiration |
+| netmaker.secretKeys.licenseKey | string | `""` |  |
+| netmaker.secretKeys.masterKey | string | `""` |  |
+| netmaker.secretKeys.tenantId | string | `""` |  |
+| netmaker.serverName | string | `"mynemakerhostname.tld"` |  |
 | podAnnotations | object | `{}` | pod annotations to add |
 | podSecurityContext | object | `{}` | pod security contect to add |
 | postgresql.auth.database | string | `"netmaker"` |  |
@@ -89,7 +101,21 @@ A Helm chart to run HA Netmaker on Kubernetes
 | serviceAccount.create | bool | `true` | Specifies whether a service account should be created |
 | serviceAccount.name | string | `""` | Name of SA to use. If not set and create is true, a name is generated using the fullname template |
 | setIpForwarding.enabled | bool | `true` |  |
+| shared_data.persistence.accessMode | string | `"ReadWriteMany"` |  |
+| shared_data.persistence.existingClaim | string | `""` | name of existing PVC claim to use. if set, storageClassName is ignored |
+| shared_data.persistence.storage | string | `"128Mi"` |  |
+| shared_data.persistence.storageClassName | string | `""` |  |
 | tolerations | object | `{}` | optional tolerations settings for netmaker |
+| turn.apiHost | string | `""` |  |
+| turn.enabled | bool | `false` | use an external turn server |
+| turn.existingSecret | string | `""` | existing secret with turn server info |
+| turn.host | string | `""` |  |
+| turn.password | string | `""` |  |
+| turn.secretKeys.apiHost | string | `""` |  |
+| turn.secretKeys.host | string | `""` |  |
+| turn.secretKeys.password | string | `""` |  |
+| turn.secretKeys.username | string | `""` |  |
+| turn.username | string | `""` |  |
 | ui.ingress.annotations | object | `{}` | annotations for the netmaker UI ingress object |
 | ui.ingress.className | string | `"nginx"` | UI ingress className |
 | ui.ingress.enabled | bool | `true` | attempts to configure ingress if true |
diff --git a/charts/netmaker/templates/confgmap.yaml b/charts/netmaker/templates/confgmap.yaml
deleted file mode 100644
index 2ee9d3d..0000000
--- a/charts/netmaker/templates/confgmap.yaml
+++ /dev/null
@@ -1,37 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: {{ include "netmaker.fullname" . }}
-  labels:
-    {{- include "netmaker.labels" . | nindent 4 }}
-data:
-  SERVER_NAME: {{ required "A valid .Values.mq.ingress.host entry required!" .Values.mq.ingress.host }}
-  SERVER_API_CONN_STRING: {{ required "A valid .Values.api.ingress.host entry required!" .Values.api.ingress.host }}:443
-  SERVER_HTTP_HOST: {{ required "A valid .Values.api.ingress.host entry required!" .Values.api.ingress.host }}
-  API_PORT: "8081"
-  {{- if not .Values.wireguard.kernel }}
-  WG_QUICK_USERSPACE_IMPLEMENTATION: wireguard-go
-  {{- end }}
-  {{- if .Values.dns.enabled }}
-  DNS_MODE: "on"
-  COREDNS_ADDR: {{ required "A valid .Values.dns.clusterIP entry required! Choose an IP from your k8s service IP CIDR" .Values.dns.clusterIP }}
-  {{- else }}
-  DNS_MODE: "off"
-  {{- end }}
-  CLIENT_MODE: "on"
-  CORS_ALLOWED_ORIGIN: '*'
-  DATABASE: postgres
-  SQL_HOST: "{{ include "netmaker.database.host" . | trim }}"
-  SQL_PORT: "{{ include "netmaker.database.port" . }}"
-  SQL_USER: "{{ include "netmaker.database.username" . }}"
-  SQL_DB: "{{ include "netmaker.database.database" . }}"
-  DISPLAY_KEYS: "on"
-  MQ_HOST: {{ include "netmaker.fullname" . }}-mqtt
-  MQ_PORT: "{{ .Values.mq.service.port }}"
-  MQ_USERNAME: "{{ .Values.mq.username }}"
-  MQ_SERVER_PORT: "1883"
-  PLATFORM: "Kubernetes"
-  VERBOSITY: "3"
-  {{- if .Values.oauth.enabled }}
-  AUTH_PROVIDER: "{{ .Values.oauth.provider }}"
-  {{- end }}
diff --git a/charts/netmaker/templates/db-secret.yaml b/charts/netmaker/templates/db-secret.yaml
new file mode 100644
index 0000000..73e4c67
--- /dev/null
+++ b/charts/netmaker/templates/db-secret.yaml
@@ -0,0 +1,16 @@
+{{- if not .Values.postgresql.auth.existingSecret }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: db-secret
+  labels:
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+type: Opaque
+data:
+  SQL_PASS: {{ include "netmaker.database.password" . | b64enc | quote }}
+  SQL_HOST: {{ include "netmaker.database.host" . | trim | b64enc | quote }}
+  SQL_PORT: {{ include "netmaker.database.port" . | b64enc | quote }}
+  SQL_USER: {{ include "netmaker.database.username" . | b64enc | quote }}
+  SQL_DB: {{ include "netmaker.database.database" . | b64enc | quote }}
+{{- end }}
diff --git a/charts/netmaker/templates/mq-pvc.yaml b/charts/netmaker/templates/mq-pvc.yaml
deleted file mode 100644
index 916b805..0000000
--- a/charts/netmaker/templates/mq-pvc.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
----
-{{- if not .Values.mq.persistence.existingClaim }}
-kind: PersistentVolumeClaim
-apiVersion: v1
-metadata:
-  name: {{ include "netmaker.fullname" . }}-shared-data
-spec:
-  storageClassName: {{ .Values.mq.persistence.storageClassName }}
-  accessModes: [{{ .Values.mq.persistence.accessMode }}]
-  resources:
-    requests:
-      storage: {{ .Values.mq.persistence.storage }}
-{{- end }}
diff --git a/charts/netmaker/templates/mq-secret.yaml b/charts/netmaker/templates/mq-secret.yaml
new file mode 100644
index 0000000..f7844ac
--- /dev/null
+++ b/charts/netmaker/templates/mq-secret.yaml
@@ -0,0 +1,13 @@
+{{- if not .Values.mq.existingSecret }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: mq-secret
+  labels:
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+type: Opaque
+data:
+  MQ_PASSWORD: {{ .Values.mq.password | b64enc | quote }}
+  MQ_USERNAME: {{ .Values.mq.username | b64enc | quote }}
+{{- end }}
diff --git a/charts/netmaker/templates/netmaker-configmap.yaml b/charts/netmaker/templates/netmaker-configmap.yaml
new file mode 100644
index 0000000..a94b87b
--- /dev/null
+++ b/charts/netmaker/templates/netmaker-configmap.yaml
@@ -0,0 +1,33 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "netmaker.fullname" . }}
+  labels:
+    {{- include "netmaker.labels" . | nindent 4 }}
+data:
+  BROKER_ENDPOINT: "wss://{{ required "A valid .Values.mq.ingress.host entry required!" .Values.mq.ingress.host }}"
+  SERVER_NAME: {{ required "A valid .Values.netmaker.serverName entry required!" .Values.netmaker.serverName }}
+  STUN_LIST: "stun1.netmaker.io:3478,stun2.netmaker.io:3478,stun1.l.google.com:19302,stun2.l.google.com:19302"
+  SERVER_HOST: "SERVER_PUBLIC_IP"
+  SERVER_API_CONN_STRING: "{{ required "A valid .Values.api.ingress.host entry required!" .Values.api.ingress.host }}:443"
+  COREDNS_ADDR: "SERVER_PUBLIC_IP"
+  DNS_MODE: "on"
+  SERVER_HTTP_HOST: {{ required "A valid .Values.api.ingress.host entry required!" .Values.api.ingress.host }}
+  API_PORT: "{{ .Values.api.service.port }}"
+  MESSAGEQUEUE_BACKEND: "on"
+  CORS_ALLOWED_ORIGIN: "*"
+  DISPLAY_KEYS: "on"
+  DATABASE: "{{  .Values.externalDatabase.type }}"
+  SERVER_BROKER_ENDPOINT: "ws://{{ .Release.Name }}-mqtt.{{ .Release.Namespace }}.svc.cluster.local:1883"
+  VERBOSITY: "1"
+  K8s: "true"
+  JWT_VALIDITY_DURATION: "{{ .Values.netmaker.jwtDuration }}"
+  RAC_AUTO_DISABLE: "{{ .Values.netmaker.racAutoDisable }}"
+  CACHING_ENABLED: "false" # should be false for HA to work
+  FRONTEND_URL: "https://{{ .Values.ui.ingress.host }}"
+  {{- if .Values.netmaker.oauth.enabled }}
+  AUTH_PROVIDER: "{{ .Values.netmaker.oauth.provider }}"
+  {{- end }}
+  {{- if .Values.turn.enabled -}}
+  USE_TURN: "true"
+  {{- end -}}
diff --git a/charts/netmaker/templates/netmaker-oauth-secret.yaml b/charts/netmaker/templates/netmaker-oauth-secret.yaml
new file mode 100644
index 0000000..1bbc05f
--- /dev/null
+++ b/charts/netmaker/templates/netmaker-oauth-secret.yaml
@@ -0,0 +1,17 @@
+{{- if and .Values.netmaker.oauth.enabled (not .Values.netmaker.oauth.existingSecret) }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: netmaker-oauth-secret
+  labels:
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+type: Opaque
+data:
+  CLIENT_ID: {{ .Values.netmaker.oAuthclientID | b64enc | quote }}
+  CLIENT_SECRET: {{ .Values.netmaker.oAuthClientSecret | b64enc | quote }}
+  OIDC_ISSUER: {{ .Values.netmaker.oauth.issuer | b64enc | quote }}
+  {{- if .Values.netmaker.oauth.azureTenant }}
+  AZURE_TENANT: {{ .Values.netmaker.oauth.azureTenant | b64enc | quote }}
+  {{- end }}
+{{- end }}
diff --git a/charts/netmaker/templates/netmaker-secret.yaml b/charts/netmaker/templates/netmaker-secret.yaml
new file mode 100644
index 0000000..67f8f4b
--- /dev/null
+++ b/charts/netmaker/templates/netmaker-secret.yaml
@@ -0,0 +1,18 @@
+{{- if or .Values.netmaker.enterprise (not .Values.netmaker.existingSecret) }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: netmaker-secret
+  labels:
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+type: Opaque
+data:
+  {{- if not .Values.netmaker.existingSecret }}
+  MASTER_KEY: {{ include "netmaker.masterKey" . | b64enc | quote }}
+  {{- if .Values.netmaker.enterprise.licensekey }}
+  LICENSE_KEY: {{ .Values.netmaker.enterprise.licensekey | b64enc | quote }} 
+  NETMAKER_TENANT_ID: {{ .Values.netmaker.enterprise.tenantId | b64enc | quote }}
+  {{- end }}
+  {{- end }}
+{{- end }}
diff --git a/charts/netmaker/templates/netmaker-statefulset.yaml b/charts/netmaker/templates/netmaker-statefulset.yaml
index 7813fbd..5957cb3 100644
--- a/charts/netmaker/templates/netmaker-statefulset.yaml
+++ b/charts/netmaker/templates/netmaker-statefulset.yaml
@@ -23,134 +23,32 @@ spec:
       tolerations:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-      initContainers:
-        - name: init-sysctl
-          image: busybox
-          imagePullPolicy: IfNotPresent
-          command: ["/bin/sh", "-c"]
-          args: ["sysctl -w net.ipv4.ip_forward=1 && sysctl -w net.ipv4.conf.all.src_valid_mark=1 && sysctl -w net.ipv6.conf.all.disable_ipv6=0 && sysctl -w net.ipv6.conf.all.forwarding=1"]
-          securityContext:
-            privileged: true
-      dnsPolicy: ClusterFirstWithHostNet
       containers:
-      - env:
-        - name: NODE_ID
-          valueFrom:
-            fieldRef:
-              apiVersion: v1
-              fieldPath: metadata.name
-        {{- if or .Values.postgresql.auth.existingSecret .Values.externalDatabase.existingSecret }}
-        - name: SQL_PASS
-          valueFrom:
-            secretKeyRef:
-              {{- if .Values.postgresql.auth.existingSecret }}
-              name: {{ .Values.postgresql.auth.existingSecret }}
-              {{- else }}
-              name: {{ .Values.externalDatabase.existingSecret }}
-              {{- end }}
-              {{- if .Values.postgresql.auth.secretKeys.userPasswordKey }}
-              key: {{ .Values.postgresql.auth.secretKeys.userPasswordKey }}
-              {{- else }}
-              key: {{ .Values.externalDatabase.secretKeys.passwordKey }}
-              {{- end }}
-        {{- end }}
-        {{- if .Values.mq.existingSecret }}
-        - name: MQ_PASSWORD
-          valueFrom:
-            secretKeyRef:
-              name: {{ .Values.mq.existingSecret }}
-              key: {{ .Values.mq.secretKey }}
-        - name: MQ_ADMIN_PASSWORD
-          valueFrom:
-            secretKeyRef:
-              name: {{ .Values.mq.existingSecret }}
-              key: {{ .Values.mq.secretKey }}
-        {{- end }}
-        {{- if .Values.oauth.enabled }}
-        - name: SERVER_BROKER_ENDPOINT 
-          valueFrom:
-            secretKeyRef:
-              name: {{ .Values.oauth.existingSecret }}
-              key: {{ .Values.oauth.secretKeys.serverBrokerEndpoint }}
-              
-        - name: SERVER_HTTP_HOST 
-          valueFrom:
-            secretKeyRef:
-              name: {{ .Values.oauth.existingSecret }}
-              key: {{ .Values.oauth.secretKeys.serverHttpHost }}
-        - name: AUTH_PROVIDER 
-          valueFrom:
-            secretKeyRef:
-              name: {{ .Values.oauth.existingSecret }}
-              key: {{ .Values.oauth.secretKeys.auth_provider }}
-        - name: CLIENT_ID 
-          valueFrom:
-            secretKeyRef:
-              name: {{ .Values.oauth.existingSecret }}
-              key: {{ .Values.oauth.secretKeys.clientID }}
-        - name: CLIENT_SECRET
-          valueFrom:
-            secretKeyRef:
-              name: {{ .Values.oauth.existingSecret }}
-              key: {{ .Values.oauth.secretKeys.clientSecret }}
-        - name: OIDC_ISSUER
-          valueFrom:
-            secretKeyRef:
-              name: {{ .Values.oauth.existingSecret }}
-              key: {{ .Values.oauth.secretKeys.issuer }}
-        - name: FRONTEND_URL 
-          valueFrom:
-            secretKeyRef:
-              name: {{ .Values.oauth.existingSecret }}
-              key: {{ .Values.oauth.secretKeys.frontendURL }}
-        {{- if .Values.oauth.secretKeys.azureTenant }}
-        - name: AZURE_TENANT 
-          valueFrom:
-            secretKeyRef:
-              name: {{ .Values.oauth.existingSecret }}
-              key: {{ .Values.oauth.secretKeys.azureTenant }}
-        {{- end }}
-        {{- end }}
-        envFrom:
-          - configMapRef:
-              name: {{ include "netmaker.fullname" . }}
-          - secretRef:
-              name: netmaker-secret
-        image: {{ include "netmaker.image" . }}
-        imagePullPolicy: {{ .Values.image.pullPolicy }}
-        name: {{ include "netmaker.fullname" . }}
-        ports:
-        - containerPort: {{ .Values.api.service.port }}
-          protocol: TCP
-      {{- if .Values.wireguard.enabled }}
-        {{ $count := (add .Values.wireguard.networkLimit 1 | int) }}
-        {{- range untilStep 1 $count 1 }}
-        - containerPort: {{ add 31820 . }}
-          protocol: UDP
-        {{- end }}
-      {{- end }}
-        securityContext:
-          capabilities:
-            add:
-            - NET_ADMIN
-            - NET_RAW
-            - SYS_MODULE
-        volumeMounts:
-        - mountPath: /etc/netmaker/
-          name: shared-data
-        {{- if .Values.dns.enabled }}
-        - name: dns-pvc
-          mountPath: /root/config/dnsconfig
-        {{- end }}
+        - name: {{ include "netmaker.fullname" . }}
+          image: {{ include "netmaker.image" . }}
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          envFrom:
+            - configMapRef:
+                name: {{ include "netmaker.fullname" . }}-env
+          ports:
+            - containerPort: {{ .Values.api.service.port }}
+              protocol: TCP
+          {{- if .Values.dns.enabled }}
+          volumeMounts:
+          - mountPath: /etc/netmaker/
+            name: shared-data
+          - name: dns-pvc
+            mountPath: /root/config/dnsconfig
+          {{- end }} {{/* end dns.enabled check for volumeMounts */}}
+      {{- if .Values.dns.enabled }}
       volumes:
       - name: shared-data
         persistentVolumeClaim:
-          {{- if .Values.mq.persistence.existingClaim }}
-          claimName: {{ .Values.mq.persistence.existingClaim }}
+          {{- if .Values.shared_data.persistence.existingClaim }}
+          claimName: {{ .Values.shared_data.persistence.existingClaim }}
           {{- else }}
           claimName: {{ include "netmaker.fullname" . }}-shared-data
           {{- end }}
-      {{- if .Values.dns.enabled }}
       - name: dns-pvc
         persistentVolumeClaim:
           {{- if .Values.dns.persistence.existingClaim }}
@@ -158,4 +56,4 @@ spec:
           {{- else }}
           claimName: {{ include "netmaker.fullname" . }}-dns
           {{- end }}
-      {{- end }} {{/* end if dns.enabled */}}
+      {{- end }} {{/* end if dns.enabled for volumes */}}
diff --git a/charts/netmaker/templates/secrets.yaml b/charts/netmaker/templates/secrets.yaml
deleted file mode 100644
index 2cb6766..0000000
--- a/charts/netmaker/templates/secrets.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-  name: netmaker-secret
-  labels:
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/managed-by: {{ .Release.Service }}
-type: Opaque
-data:
-  {{- if not .Values.postgresql.auth.existingSecret }}
-  SQL_PASS: {{ include "netmaker.database.password" . | b64enc | quote }}
-  {{- end }}
-  {{- if not .Values.mq.existingSecret }}
-  MQ_ADMIN_PASSWORD: {{ .Values.mq.password | b64enc | quote }}
-  MQ_PASSWORD: {{ .Values.mq.password | b64enc | quote }}
-  {{- end }}
-  MASTER_KEY: {{ include "netmaker.masterKey" . | b64enc | quote }}
diff --git a/charts/netmaker/templates/shared-data-pvc.yaml b/charts/netmaker/templates/shared-data-pvc.yaml
new file mode 100644
index 0000000..a573aab
--- /dev/null
+++ b/charts/netmaker/templates/shared-data-pvc.yaml
@@ -0,0 +1,13 @@
+---
+{{- if and .Values.dns.enabled (not .Values.shared_data.persistence.existingClaim) }}
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: {{ include "netmaker.fullname" . }}-shared-data
+spec:
+  storageClassName: {{ .Values.shared_data.persistence.storageClassName }}
+  accessModes: [{{ .Values.shared_data.persistence.accessMode }}]
+  resources:
+    requests:
+      storage: {{ .Values.shared_data.persistence.storage }}
+{{- end }}
diff --git a/charts/netmaker/templates/turn-secret.yaml b/charts/netmaker/templates/turn-secret.yaml
new file mode 100644
index 0000000..d2c65f7
--- /dev/null
+++ b/charts/netmaker/templates/turn-secret.yaml
@@ -0,0 +1,16 @@
+{{- if and .Values.turn.enabled (not .Values.turn.existingSecret) -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: turn-secret
+  labels:
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+type: Opaque
+data:
+  TURN_SERVER_HOST: {{ .Values.turn.host | b64enc | quote }}
+  TURN_SERVER_API_HOST: {{ .Values.turn.apiHost | b64enc | quote }}
+  TURN_PORT: {{ .Values.turn.port | b64enc | quote }}
+  TURN_USERNAME: {{ .Values.turn.username | b64enc | quote }}
+  TURN_PASSWORD: {{ .Values.turn.password | b64enc | quote }}
+{{- end -}}
diff --git a/charts/netmaker/values.yaml b/charts/netmaker/values.yaml
index f9dc452..1ce299b 100644
--- a/charts/netmaker/values.yaml
+++ b/charts/netmaker/values.yaml
@@ -49,6 +49,55 @@ podAnnotations: {}
 podSecurityContext: {}
 # fsGroup: 2000
 
+netmaker:
+  serverName: "mynemakerhostname.tld"
+  # -- ignored if netmaker.masterKeyExistingSecret is set
+  masterKey: "netmaker"
+  # -- Duration of JWT token validity in seconds
+  jwtDuration: 43200
+  # -- Auto disable a user's connecteds clients bassed on JWT token expiration
+  racAutoDisable: "true"
+
+  # -- if using enterprise edition fill out this section
+  enterprise:
+    # -- netmaker enterprise license key, ignored if netmaker.existingSecret set
+    licenseKey: ""
+    # -- netmaker enterprise tenant ID, ignored if netmaker.existingSecret set
+    tenantId: ""
+
+  # -- if set ignores netmaker.masterKey and enterprise.*
+  existingSecret: ""
+  secretKeys:
+    licenseKey: ""
+    tenantId: ""
+    masterKey: ""
+
+  # OAuth section
+  oauth:
+    enabled: false
+    # -- AUTH_PROVIDER: must be one of: azure-ad|github|google|oidc
+    provider: "oidc"
+    # --  oidc issuer - ignored if netmaker.oauth.existingSecret is set
+    issuer: ""
+    # --  client id if using oidc - ignored if netmaker.oauth.existingSecret is set
+    clientID: ""
+    # --  client secret if using oidc - ignored if netmaker.oauth.existingSecret is set
+    clientSecret: ""
+    # --  azureTenant if using azure for oauth - ignored if netmaker.oauth.existingSecret is set
+    azureTenant: ""
+    existingSecret: ""
+    secretKeys:
+      # CLIENT_ID - client id of your oauth provider
+      clientID: ""
+      # CLIENT_SECRET - client secret of your oauth provider
+      clientSecret: ""
+      # FRONTEND_URL - https://dashboard.<netmaker base domain> <-- untested
+      frontendURL: ""
+      # OIDC_ISSUER - https://oidc.yourprovider.com - URL of oidc provider
+      issuer: ""
+      # AZURE_TENANT - only for azure, you may optionally specify the tenant for the OAuth
+      azureTenant: ""
+
 api:
   service:
     # -- type for netmaker server services
@@ -122,12 +171,6 @@ mq:
   existingSecret: ''
   # -- name of key in existing secret to grab password from. If set, ignores mq.password
   secretKey: ''
-  persistence:
-    # -- name of existing PVC claim to use. if set, storageClassName is ignored
-    existingClaim: ""
-    accessMode: "ReadWriteMany"
-    storageClassName: ""
-    storage: 128Mi
   service:
     # -- type for netmaker server services
     type: ClusterIP
@@ -164,6 +207,14 @@ dns:
     storageClassName: ""
     accessMode: ReadWriteOnce
 
+shared_data:
+  persistence:
+    # -- name of existing PVC claim to use. if set, storageClassName is ignored
+    existingClaim: ""
+    accessMode: "ReadWriteMany"
+    storageClassName: ""
+    storage: 128Mi
+
 setIpForwarding:
   enabled: true
 
@@ -226,20 +277,18 @@ externalDatabase:
   secretKeys:
     passwordKey: ""
 
-# OAuth section - untested
-oauth:
+turn:
+  # -- use an external turn server
   enabled: false
-  # AUTH_PROVIDER: must be one of: azure-ad|github|google|oidc
-  provider: "oidc"
+  host: ""
+  apiHost: ""
+  username: ""
+  password: ""
+  # -- existing secret with turn server info
   existingSecret: ""
+  # keys for the existing turn server secret
   secretKeys:
-    # CLIENT_ID - client id of your oauth provider
-    clientID:
-    # CLIENT_SECRET - client secret of your oauth provider
-    clientSecret:
-    # FRONTEND_URL - https://dashboard.<netmaker base domain> <-- untested
-    frontendURL:
-    # OIDC_ISSUER - https://oidc.yourprovider.com - URL of oidc provider
-    issuer:
-    # AZURE_TENANT - only for azure, you may optionally specify the tenant for the OAuth
-    # azureTenant:
+    host: ""
+    apiHost: ""
+    username: ""
+    password: ""

From 7c983f0616a4a0b14e12a9babe74c8457cefc279 Mon Sep 17 00:00:00 2001
From: jessebot <jessebot@linux.com>
Date: Mon, 25 Mar 2024 08:51:06 +0100
Subject: [PATCH 37/40] update secret keys mess to always just be env vars all
 around

---
 charts/netmaker/README.md                     | 28 +++--------
 charts/netmaker/templates/_helpers.tpl        | 46 +++++++++++++++++
 .../templates/netmaker-configmap.yaml         |  2 +-
 .../templates/netmaker-statefulset.yaml       | 12 +++++
 charts/netmaker/values.yaml                   | 50 +++++--------------
 5 files changed, 78 insertions(+), 60 deletions(-)

diff --git a/charts/netmaker/README.md b/charts/netmaker/README.md
index fd3e663..b83a52b 100644
--- a/charts/netmaker/README.md
+++ b/charts/netmaker/README.md
@@ -36,18 +36,17 @@ A Helm chart to run HA Netmaker on Kubernetes
 | dns.persistence.storage | string | `"1Gi"` |  |
 | dns.persistence.storageClassName | string | `""` |  |
 | externalDatabase.database | string | `"netmaker"` | postgress db |
-| externalDatabase.existingSecret | string | `""` |  |
+| externalDatabase.existingSecret | string | `""` | use existing secret for netmaker db credentials, must have the following keys: SQL_PASS, SQL_HOST, SQL_PORT, SQL_USER, SQL_DB |
 | externalDatabase.host | string | `"external.postgres.url"` | postgres host |
 | externalDatabase.password | string | `""` | postgres pass for netmaker user. ignored if existingSecret is set |
 | externalDatabase.port | int | `5432` | postgres hosts port |
-| externalDatabase.secretKeys.passwordKey | string | `""` |  |
 | externalDatabase.type | string | `"postgresql"` |  |
 | externalDatabase.username | string | `"netmaker"` | postgres username |
 | fullnameOverride | string | `""` | override the full name for netmaker objects |
 | image.pullPolicy | string | `"IfNotPresent"` | Pull Policy for images |
 | image.repository | string | `"gravitl/netmaker"` | The image repo to pull Netmaker image from |
 | mq.affinity | object | `{}` | optional affinity settings for mqtt |
-| mq.existingSecret | string | `""` | name of an existing secret to use for mq password. If set, ignores mq.password |
+| mq.existingSecret | string | `""` | name of an existing secret to use for mq password. If set, ignores mq.password, mq.username secret keys must be: MQ_PASSWORD, MQ_USERNAME |
 | mq.generateCert | bool | `false` |  |
 | mq.ingress.annotations | object | `{}` | annotations for the mqtt ingress object |
 | mq.ingress.className | string | `"nginx"` |  |
@@ -56,7 +55,6 @@ A Helm chart to run HA Netmaker on Kubernetes
 | mq.ingress.tls | list | `[]` | ingress tls list |
 | mq.password | string | `""` |  |
 | mq.replicas | int | `1` | how many MQTT replicas to create |
-| mq.secretKey | string | `""` | name of key in existing secret to grab password from. If set, ignores mq.password |
 | mq.service.port | int | `443` | port for MQTT service |
 | mq.service.targetPort | int | `8883` | Target port for MQTT service |
 | mq.service.type | string | `"ClusterIP"` | type for netmaker server services |
@@ -66,34 +64,24 @@ A Helm chart to run HA Netmaker on Kubernetes
 | netmaker.enterprise | object | `{"licenseKey":"","tenantId":""}` | if using enterprise edition fill out this section |
 | netmaker.enterprise.licenseKey | string | `""` | netmaker enterprise license key, ignored if netmaker.existingSecret set |
 | netmaker.enterprise.tenantId | string | `""` | netmaker enterprise tenant ID, ignored if netmaker.existingSecret set |
-| netmaker.existingSecret | string | `""` | if set ignores netmaker.masterKey and enterprise.* |
+| netmaker.existingSecret | string | `""` | if set ignores netmaker.masterKey and enterprise.* must have key called MASTER_KEY, optionally for enterprise must have key: LICENSE_KEY, NETMAKER_TENANT_ID |
 | netmaker.jwtDuration | int | `43200` | Duration of JWT token validity in seconds |
 | netmaker.masterKey | string | `"netmaker"` | ignored if netmaker.masterKeyExistingSecret is set |
 | netmaker.oauth.azureTenant | string | `""` | azureTenant if using azure for oauth - ignored if netmaker.oauth.existingSecret is set |
 | netmaker.oauth.clientID | string | `""` | client id if using oidc - ignored if netmaker.oauth.existingSecret is set |
 | netmaker.oauth.clientSecret | string | `""` | client secret if using oidc - ignored if netmaker.oauth.existingSecret is set |
 | netmaker.oauth.enabled | bool | `false` |  |
-| netmaker.oauth.existingSecret | string | `""` |  |
+| netmaker.oauth.existingSecret | string | `""` | existing secret for oauth, must have the following keys: CLIENT_ID, CLIENT_SECRET, OIDC_ISSUER, and optionally AZURE_TENANT ignores plane text values if this is set |
 | netmaker.oauth.issuer | string | `""` | oidc issuer - ignored if netmaker.oauth.existingSecret is set |
 | netmaker.oauth.provider | string | `"oidc"` | AUTH_PROVIDER: must be one of: azure-ad|github|google|oidc |
-| netmaker.oauth.secretKeys.azureTenant | string | `""` |  |
-| netmaker.oauth.secretKeys.clientID | string | `""` |  |
-| netmaker.oauth.secretKeys.clientSecret | string | `""` |  |
-| netmaker.oauth.secretKeys.frontendURL | string | `""` |  |
-| netmaker.oauth.secretKeys.issuer | string | `""` |  |
 | netmaker.racAutoDisable | string | `"true"` | Auto disable a user's connecteds clients bassed on JWT token expiration |
-| netmaker.secretKeys.licenseKey | string | `""` |  |
-| netmaker.secretKeys.masterKey | string | `""` |  |
-| netmaker.secretKeys.tenantId | string | `""` |  |
 | netmaker.serverName | string | `"mynemakerhostname.tld"` |  |
 | podAnnotations | object | `{}` | pod annotations to add |
 | podSecurityContext | object | `{}` | pod security contect to add |
 | postgresql.auth.database | string | `"netmaker"` |  |
-| postgresql.auth.existingSecret | string | `""` |  |
+| postgresql.auth.existingSecret | string | `""` | use existing secret for netmaker db credentials, must have the following keys: SQL_PASS, SQL_HOST, SQL_PORT, SQL_USER, SQL_DB |
 | postgresql.auth.password | string | `""` |  |
 | postgresql.auth.primary.persistence.enabled | bool | `true` |  |
-| postgresql.auth.secretKeys.adminPasswordKey | string | `""` |  |
-| postgresql.auth.secretKeys.userPasswordKey | string | `""` |  |
 | postgresql.auth.username | string | `"netmaker"` |  |
 | postgresql.enabled | bool | `true` |  |
 | replicas | int | `1` | number of netmaker server replicas to create |
@@ -108,13 +96,9 @@ A Helm chart to run HA Netmaker on Kubernetes
 | tolerations | object | `{}` | optional tolerations settings for netmaker |
 | turn.apiHost | string | `""` |  |
 | turn.enabled | bool | `false` | use an external turn server |
-| turn.existingSecret | string | `""` | existing secret with turn server info |
+| turn.existingSecret | string | `""` | existing secret with turn server info. Must have the following keys: TURN_SERVER_HOST, TURN_SERVER_API_HOST, TURN_PORT, TURN_USERNAME, TURN_PASSWORD |
 | turn.host | string | `""` |  |
 | turn.password | string | `""` |  |
-| turn.secretKeys.apiHost | string | `""` |  |
-| turn.secretKeys.host | string | `""` |  |
-| turn.secretKeys.password | string | `""` |  |
-| turn.secretKeys.username | string | `""` |  |
 | turn.username | string | `""` |  |
 | ui.ingress.annotations | object | `{}` | annotations for the netmaker UI ingress object |
 | ui.ingress.className | string | `"nginx"` | UI ingress className |
diff --git a/charts/netmaker/templates/_helpers.tpl b/charts/netmaker/templates/_helpers.tpl
index 72ce1e3..7fb9fec 100644
--- a/charts/netmaker/templates/_helpers.tpl
+++ b/charts/netmaker/templates/_helpers.tpl
@@ -144,3 +144,49 @@ Database for postgresql
 {{- index .Values "externalDatabase" "database" }}
 {{- end }}
 {{- end }}
+
+{{/*
+netmaker db secret
+*/}}
+{{- define "netmaker.db.secret" -}}
+{{- if .Values.postgresql.auth.existingSecret }}
+{{ print "%s" .Values.postgresql.auth.existingSecret }}
+{{- else if .Values.externalDatabase.existingSecret }}
+{{ print "%s" .Values.externalDatabase.existingSecret }}
+{{- else }}
+{{ print "db-secret" }}
+{{- end }}
+{{- end }}
+
+{{/*
+netmaker secret
+*/}}
+{{- define "netmaker.secret" -}}
+{{- if .Values.netmaker.existingSecret }}
+{{ print "%s" .Values.netmaker.existingSecret }}
+{{- else }}
+{{ print "netmaker-secret" }}
+{{- end }}
+{{- end }}
+
+{{/*
+netmaker oauth secret
+*/}}
+{{- define "netmaker.oauth.secret" -}}
+{{- if .Values.netmaker.oauth.existingSecret }}
+{{ print "%s" .Values.netmaker.oauth.existingSecret }}
+{{- else }}
+{{ print "netmaker-oauth-secret" }}
+{{- end }}
+{{- end }}
+
+{{/*
+netmaker turn secret
+*/}}
+{{- define "netmaker.turn.secret" -}}
+{{- if .Values.netmaker.turn.existingSecret }}
+{{ print "%s" .Values.netmaker.turn.existingSecret }}
+{{- else }}
+{{ print "turn-secret" }}
+{{- end }}
+{{- end }}
diff --git a/charts/netmaker/templates/netmaker-configmap.yaml b/charts/netmaker/templates/netmaker-configmap.yaml
index a94b87b..ac8e823 100644
--- a/charts/netmaker/templates/netmaker-configmap.yaml
+++ b/charts/netmaker/templates/netmaker-configmap.yaml
@@ -1,7 +1,7 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  name: {{ include "netmaker.fullname" . }}
+  name: {{ include "netmaker.fullname" . }}-env
   labels:
     {{- include "netmaker.labels" . | nindent 4 }}
 data:
diff --git a/charts/netmaker/templates/netmaker-statefulset.yaml b/charts/netmaker/templates/netmaker-statefulset.yaml
index 5957cb3..90b1976 100644
--- a/charts/netmaker/templates/netmaker-statefulset.yaml
+++ b/charts/netmaker/templates/netmaker-statefulset.yaml
@@ -30,6 +30,18 @@ spec:
           envFrom:
             - configMapRef:
                 name: {{ include "netmaker.fullname" . }}-env
+            - secretRef:
+                name: {{ include "netmaker.secret" . }}
+            {{- if .Values.netmaker.oauth.enabled }}
+            - secretRef:
+                name: {{ include "netmaker.oauth.secret" . }}
+            {{- end -}}
+            - secretRef:
+                name: {{ include "netmaker.db.secret" . }}
+            {{- if .Values.turn.enabled -}}
+            - secretRef:
+                name: {{ include "netmaker.turn.secret" . }}
+            {{- end -}}
           ports:
             - containerPort: {{ .Values.api.service.port }}
               protocol: TCP
diff --git a/charts/netmaker/values.yaml b/charts/netmaker/values.yaml
index 1ce299b..fa5a0ba 100644
--- a/charts/netmaker/values.yaml
+++ b/charts/netmaker/values.yaml
@@ -66,11 +66,9 @@ netmaker:
     tenantId: ""
 
   # -- if set ignores netmaker.masterKey and enterprise.*
+  # must have key called MASTER_KEY, optionally for enterprise must have key:
+  # LICENSE_KEY, NETMAKER_TENANT_ID
   existingSecret: ""
-  secretKeys:
-    licenseKey: ""
-    tenantId: ""
-    masterKey: ""
 
   # OAuth section
   oauth:
@@ -85,18 +83,10 @@ netmaker:
     clientSecret: ""
     # --  azureTenant if using azure for oauth - ignored if netmaker.oauth.existingSecret is set
     azureTenant: ""
+    # -- existing secret for oauth, must have the following keys:
+    # CLIENT_ID, CLIENT_SECRET, OIDC_ISSUER, and optionally AZURE_TENANT
+    # ignores plane text values if this is set
     existingSecret: ""
-    secretKeys:
-      # CLIENT_ID - client id of your oauth provider
-      clientID: ""
-      # CLIENT_SECRET - client secret of your oauth provider
-      clientSecret: ""
-      # FRONTEND_URL - https://dashboard.<netmaker base domain> <-- untested
-      frontendURL: ""
-      # OIDC_ISSUER - https://oidc.yourprovider.com - URL of oidc provider
-      issuer: ""
-      # AZURE_TENANT - only for azure, you may optionally specify the tenant for the OAuth
-      azureTenant: ""
 
 api:
   service:
@@ -167,10 +157,9 @@ mq:
   #         - "true"
   username: netmaker
   password: ''
-  # -- name of an existing secret to use for mq password. If set, ignores mq.password
+  # -- name of an existing secret to use for mq password. If set, ignores mq.password, mq.username
+  # secret keys must be: MQ_PASSWORD, MQ_USERNAME
   existingSecret: ''
-  # -- name of key in existing secret to grab password from. If set, ignores mq.password
-  secretKey: ''
   service:
     # -- type for netmaker server services
     type: ClusterIP
@@ -243,16 +232,9 @@ postgresql:
     # be rotated on each upgrade:
     # https://github.com/bitnami/charts/tree/main/bitnami/postgresql#upgrade
     password: ""
-    # Set the password for the "postgres" admin user
-    # set this to the same value as above if you've previously installed
-    # this chart and you're having problems getting mastodon to connect to the DB
-    # postgresPassword: ""
-    # you can also specify the name of an existing Secret
-    # with a key of password set to the password you want
+    # -- use existing secret for netmaker db credentials, must have the following keys:
+    # SQL_PASS, SQL_HOST, SQL_PORT, SQL_USER, SQL_DB
     existingSecret: ""
-    secretKeys:
-      userPasswordKey: ""
-      adminPasswordKey: ""
     primary:
       persistence:
         enabled: true
@@ -272,10 +254,9 @@ externalDatabase:
   password: ""
   # -- postgress db
   database: netmaker
-  # use existing secret for netmaker user's password
+  # -- use existing secret for netmaker db credentials, must have the following keys:
+  # SQL_PASS, SQL_HOST, SQL_PORT, SQL_USER, SQL_DB
   existingSecret: ""
-  secretKeys:
-    passwordKey: ""
 
 turn:
   # -- use an external turn server
@@ -284,11 +265,6 @@ turn:
   apiHost: ""
   username: ""
   password: ""
-  # -- existing secret with turn server info
+  # -- existing secret with turn server info. Must have the following keys:
+  # TURN_SERVER_HOST, TURN_SERVER_API_HOST, TURN_PORT, TURN_USERNAME, TURN_PASSWORD
   existingSecret: ""
-  # keys for the existing turn server secret
-  secretKeys:
-    host: ""
-    apiHost: ""
-    username: ""
-    password: ""

From 5c27b3bdc4b3b43923ff286aebaa1b349cc887b3 Mon Sep 17 00:00:00 2001
From: jessebot <jessebot@linux.com>
Date: Mon, 25 Mar 2024 09:13:41 +0100
Subject: [PATCH 38/40] remove wireguard service

---
 charts/netmaker/README.md                     |  5 ----
 .../netmaker/templates/wireguard-service.yaml | 25 -------------------
 charts/netmaker/values.yaml                   | 11 --------
 3 files changed, 41 deletions(-)
 delete mode 100644 charts/netmaker/templates/wireguard-service.yaml

diff --git a/charts/netmaker/README.md b/charts/netmaker/README.md
index b83a52b..efc970d 100644
--- a/charts/netmaker/README.md
+++ b/charts/netmaker/README.md
@@ -109,11 +109,6 @@ A Helm chart to run HA Netmaker on Kubernetes
 | ui.service.port | int | `80` | port for UI service |
 | ui.service.targetport | int | `80` | target port for UI service |
 | ui.service.type | string | `"ClusterIP"` | type for netmaker server services |
-| wireguard.enabled | bool | `true` | whether or not to use WireGuard on server |
-| wireguard.kernel | bool | `false` | whether or not to use Kernel WG (should be false unless WireGuard is installed on hosts). |
-| wireguard.networkLimit | int | `10` | max number of networks that Netmaker will support if running with WireGuard enabled |
-| wireguard.service.annotations | object | `{}` |  |
-| wireguard.service.type | string | `"NodePort"` |  |
 
 ----------------------------------------------
 Autogenerated from chart metadata using [helm-docs v1.13.1](https://github.com/norwoodj/helm-docs/releases/v1.13.1)
diff --git a/charts/netmaker/templates/wireguard-service.yaml b/charts/netmaker/templates/wireguard-service.yaml
deleted file mode 100644
index c54304d..0000000
--- a/charts/netmaker/templates/wireguard-service.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
----
-apiVersion: v1
-kind: Service
-metadata:
-  labels:
-    {{- include "netmaker.labels" . | nindent 4 }}
-  name: '{{ include "netmaker.fullname" . }}-wireguard'
-  {{- with .Values.wireguard.service.annotations }}
-  annotations:
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
-spec:
-  externalTrafficPolicy: Local
-  type: {{ .Values.wireguard.service.type }}
-  ports:
-  {{ $count := (add .Values.wireguard.networkLimit 1 | int) }}
-  {{- range untilStep 1 $count 1 }}
-  - port: {{ add 31820 . }}
-    nodePort: {{ add 31820 . }}
-    protocol: UDP
-    targetPort: {{ add 31820 . }}
-    name: wg-iface-{{ add 31820 . }}
-  {{- end }}
-  selector:
-    app: '{{ include "netmaker.fullname" . }}'
diff --git a/charts/netmaker/values.yaml b/charts/netmaker/values.yaml
index fa5a0ba..1cfbb81 100644
--- a/charts/netmaker/values.yaml
+++ b/charts/netmaker/values.yaml
@@ -207,17 +207,6 @@ shared_data:
 setIpForwarding:
   enabled: true
 
-wireguard:
-  # -- whether or not to use WireGuard on server
-  enabled: true
-  service:
-    annotations: {}
-    type: NodePort
-  # -- whether or not to use Kernel WG (should be false unless WireGuard is installed on hosts).
-  kernel: false
-  # -- max number of networks that Netmaker will support if running with WireGuard enabled
-  networkLimit: 10
-
 # https://github.com/bitnami/charts/tree/main/bitnami/postgresql#parameters
 postgresql:
   # set to false if you want to use an existing postgres server.

From 28af460bb8b12c7a1f4ba4334bc4d563495a3b23 Mon Sep 17 00:00:00 2001
From: jessebot <jessebot@linux.com>
Date: Mon, 25 Mar 2024 10:25:51 +0100
Subject: [PATCH 39/40] add better default value for netmaker and don't worry
 about storage class in ci

---
 .github/workflows/ci-helm-lint-test.yml | 15 ++++-----------
 charts/netmaker/README.md               |  2 +-
 charts/netmaker/values.yaml             |  2 +-
 3 files changed, 6 insertions(+), 13 deletions(-)

diff --git a/.github/workflows/ci-helm-lint-test.yml b/.github/workflows/ci-helm-lint-test.yml
index 3ef97d2..ff841da 100644
--- a/.github/workflows/ci-helm-lint-test.yml
+++ b/.github/workflows/ci-helm-lint-test.yml
@@ -41,19 +41,12 @@ jobs:
         if: steps.list-changed.outputs.changed == 'true'
         run: ct lint --target-branch ${{ github.event.repository.default_branch }}
 
-      - name: Create K3s cluster
-        uses: debianmaster/actions-k3s@master
-        id: k3s
-        with:
-          version: 'latest'
-
-      - name: Install longhorn
-        run: |
-          kubectl apply -f https://raw.githubusercontent.com/longhorn/longhorn/v1.6.0/deploy/longhorn.yaml
+      - name: Create kind cluster
+        uses: helm/kind-action@v1.9.0
+        if: steps.list-changed.outputs.changed == 'true'
 
       - name: Run chart-testing (install)
         id: install
         if: steps.list-changed.outputs.changed == 'true'
-        # install the chart using longhorn pvcs
         run: |
-            ct install --target-branch ${{ github.event.repository.default_branch }} --helm-extra-set-args "--set=mq.storageClassName=longhorn --set=dns.storageClassName=longhorn"
+            ct install --target-branch ${{ github.event.repository.default_branch }}
diff --git a/charts/netmaker/README.md b/charts/netmaker/README.md
index efc970d..ec3fc67 100644
--- a/charts/netmaker/README.md
+++ b/charts/netmaker/README.md
@@ -75,7 +75,7 @@ A Helm chart to run HA Netmaker on Kubernetes
 | netmaker.oauth.issuer | string | `""` | oidc issuer - ignored if netmaker.oauth.existingSecret is set |
 | netmaker.oauth.provider | string | `"oidc"` | AUTH_PROVIDER: must be one of: azure-ad|github|google|oidc |
 | netmaker.racAutoDisable | string | `"true"` | Auto disable a user's connecteds clients bassed on JWT token expiration |
-| netmaker.serverName | string | `"mynemakerhostname.tld"` |  |
+| netmaker.serverName | string | `"cluster.local"` |  |
 | podAnnotations | object | `{}` | pod annotations to add |
 | podSecurityContext | object | `{}` | pod security contect to add |
 | postgresql.auth.database | string | `"netmaker"` |  |
diff --git a/charts/netmaker/values.yaml b/charts/netmaker/values.yaml
index 1cfbb81..fe853c0 100644
--- a/charts/netmaker/values.yaml
+++ b/charts/netmaker/values.yaml
@@ -50,7 +50,7 @@ podSecurityContext: {}
 # fsGroup: 2000
 
 netmaker:
-  serverName: "mynemakerhostname.tld"
+  serverName: "cluster.local"
   # -- ignored if netmaker.masterKeyExistingSecret is set
   masterKey: "netmaker"
   # -- Duration of JWT token validity in seconds

From 3a9cf14fb60ec537de02512f15ec8fa8f42eef63 Mon Sep 17 00:00:00 2001
From: jessebot <jessebot@linux.com>
Date: Mon, 25 Mar 2024 10:45:05 +0100
Subject: [PATCH 40/40] fix secret name determination

---
 charts/netmaker/templates/_helpers.tpl        | 47 ++++++++++++-------
 charts/netmaker/templates/mq-deployment.yaml  | 20 ++++++--
 .../templates/netmaker-statefulset.yaml       | 10 ++--
 3 files changed, 52 insertions(+), 25 deletions(-)

diff --git a/charts/netmaker/templates/_helpers.tpl b/charts/netmaker/templates/_helpers.tpl
index 7fb9fec..b808c9c 100644
--- a/charts/netmaker/templates/_helpers.tpl
+++ b/charts/netmaker/templates/_helpers.tpl
@@ -149,12 +149,12 @@ Database for postgresql
 netmaker db secret
 */}}
 {{- define "netmaker.db.secret" -}}
-{{- if .Values.postgresql.auth.existingSecret }}
-{{ print "%s" .Values.postgresql.auth.existingSecret }}
-{{- else if .Values.externalDatabase.existingSecret }}
-{{ print "%s" .Values.externalDatabase.existingSecret }}
-{{- else }}
-{{ print "db-secret" }}
+{{- if .Values.postgresql.auth.existingSecret -}}
+{{ .Values.postgresql.auth.existingSecret }}
+{{- else if .Values.externalDatabase.existingSecret -}}
+{{ .Values.externalDatabase.existingSecret }}
+{{- else -}}
+db-secret
 {{- end }}
 {{- end }}
 
@@ -162,10 +162,21 @@ netmaker db secret
 netmaker secret
 */}}
 {{- define "netmaker.secret" -}}
-{{- if .Values.netmaker.existingSecret }}
-{{ print "%s" .Values.netmaker.existingSecret }}
-{{- else }}
-{{ print "netmaker-secret" }}
+{{- if .Values.netmaker.existingSecret -}}
+{{ .Values.netmaker.existingSecret }}
+{{- else -}}
+netmaker-secret
+{{- end }}
+{{- end }}
+
+{{/*
+mqtt (broker) secret
+*/}}
+{{- define "netmaker.mq.secret" -}}
+{{- if .Values.mq.existingSecret -}}
+{{ .Values.mq.existingSecret }}
+{{- else -}}
+mq-secret
 {{- end }}
 {{- end }}
 
@@ -173,10 +184,10 @@ netmaker secret
 netmaker oauth secret
 */}}
 {{- define "netmaker.oauth.secret" -}}
-{{- if .Values.netmaker.oauth.existingSecret }}
-{{ print "%s" .Values.netmaker.oauth.existingSecret }}
-{{- else }}
-{{ print "netmaker-oauth-secret" }}
+{{- if .Values.netmaker.oauth.existingSecret -}}
+{{ .Values.netmaker.oauth.existingSecret }}
+{{- else -}}
+netmaker-oauth-secret
 {{- end }}
 {{- end }}
 
@@ -184,9 +195,9 @@ netmaker oauth secret
 netmaker turn secret
 */}}
 {{- define "netmaker.turn.secret" -}}
-{{- if .Values.netmaker.turn.existingSecret }}
-{{ print "%s" .Values.netmaker.turn.existingSecret }}
-{{- else }}
-{{ print "turn-secret" }}
+{{- if .Values.netmaker.turn.existingSecret -}}
+{{ .Values.netmaker.turn.existingSecret }}
+{{- else -}}
+turn-secret
 {{- end }}
 {{- end }}
diff --git a/charts/netmaker/templates/mq-deployment.yaml b/charts/netmaker/templates/mq-deployment.yaml
index 47531d6..971569d 100644
--- a/charts/netmaker/templates/mq-deployment.yaml
+++ b/charts/netmaker/templates/mq-deployment.yaml
@@ -32,9 +32,23 @@ spec:
           command: ["/mosquitto/config/wait.sh"]
           imagePullPolicy: Always
 
-          env:
-            - name: NETMAKER_SERVER_HOST
-              value: https://{{ required "A valid .Values.mq.ingress.host entry required!" .Values.mq.ingress.host }}
+          envFrom:
+            - configMapRef:
+                name: {{ include "netmaker.fullname" . }}-env
+            - secretRef:
+                name: {{ include "netmaker.secret" . }}
+            - secretRef:
+                name: {{ include "netmaker.mq.secret" . }}
+            - secretRef:
+                name: {{ include "netmaker.db.secret" . }}
+            {{- if .Values.netmaker.oauth.enabled }}
+            - secretRef:
+                name: {{ include "netmaker.oauth.secret" . }}
+            {{- end }}
+            {{- if .Values.turn.enabled -}}
+            - secretRef:
+                name: {{ include "netmaker.turn.secret" . }}
+            {{- end }}
 
           ports:
             - containerPort: 1883        
diff --git a/charts/netmaker/templates/netmaker-statefulset.yaml b/charts/netmaker/templates/netmaker-statefulset.yaml
index 90b1976..e527c38 100644
--- a/charts/netmaker/templates/netmaker-statefulset.yaml
+++ b/charts/netmaker/templates/netmaker-statefulset.yaml
@@ -32,16 +32,18 @@ spec:
                 name: {{ include "netmaker.fullname" . }}-env
             - secretRef:
                 name: {{ include "netmaker.secret" . }}
-            {{- if .Values.netmaker.oauth.enabled }}
             - secretRef:
-                name: {{ include "netmaker.oauth.secret" . }}
-            {{- end -}}
+                name: {{ include "netmaker.mq.secret" . }}
             - secretRef:
                 name: {{ include "netmaker.db.secret" . }}
+            {{- if .Values.netmaker.oauth.enabled }}
+            - secretRef:
+                name: {{ include "netmaker.oauth.secret" . }}
+            {{- end }}
             {{- if .Values.turn.enabled -}}
             - secretRef:
                 name: {{ include "netmaker.turn.secret" . }}
-            {{- end -}}
+            {{- end }}
           ports:
             - containerPort: {{ .Values.api.service.port }}
               protocol: TCP