From 200104bf8497faffbe62a6c58497816625904b2f Mon Sep 17 00:00:00 2001 From: Tom Hubrecht Date: Tue, 17 Dec 2024 00:11:05 +0100 Subject: [PATCH] chore(kanidm): Update origin uris, oauth2 endpoints and switch to 1.4 --- machines/nixos/compute01/grafana.nix | 4 +- machines/nixos/compute01/kanidm/default.nix | 13 +++-- machines/nixos/compute01/outline.nix | 4 +- .../secrets/grafana-oauth_client_secret_file | 48 ++++++++-------- .../secrets/librenms-environment_file | Bin 1462 -> 1683 bytes .../secrets/outline-oidc_client_secret_file | 53 +++++++++--------- .../web01/secrets/netbox-environment_file | Bin 1679 -> 1613 bytes 7 files changed, 65 insertions(+), 57 deletions(-) diff --git a/machines/nixos/compute01/grafana.nix b/machines/nixos/compute01/grafana.nix index 0565f61..b712c7d 100644 --- a/machines/nixos/compute01/grafana.nix +++ b/machines/nixos/compute01/grafana.nix @@ -18,9 +18,9 @@ in settings = { "auth.generic_oauth" = { - api_url = "https://sso.dgnum.eu/oauth2/openid/grafana_dgn/userinfo"; + api_url = "https://sso.dgnum.eu/oauth2/openid/dgn_grafana/userinfo"; auth_url = "https://sso.dgnum.eu/ui/oauth2"; - client_id = "grafana_dgn"; + client_id = "dgn_grafana"; client_secret = file "oauth_client_secret"; enabled = true; id_token_attribute_name = "sub"; diff --git a/machines/nixos/compute01/kanidm/default.nix b/machines/nixos/compute01/kanidm/default.nix index 3cb0371..75de175 100644 --- a/machines/nixos/compute01/kanidm/default.nix +++ b/machines/nixos/compute01/kanidm/default.nix @@ -49,7 +49,7 @@ in services.kanidm = { enableServer = true; - package = pkgs.kanidm_1_3; + package = pkgs.kanidm_1_4; serverSettings = { inherit domain; @@ -96,7 +96,7 @@ in dgn_grafana = { displayName = "Grafana [Analysis]"; originLanding = "https://grafana.dgnum.eu"; - originUrl = "https://grafana.dgnum.eu/"; + originUrl = "https://grafana.dgnum.eu/login/generic_oauth"; preferShortUsername = true; scopeMaps.grp_active = [ 
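Review bot: The new `originUrl` for `dgn_grafana` is a full callback path, but nothing in the file says that this field is the OAuth2 redirect URI and must equal what the application sends. A short comment above the first entry would cover it, for example `# originUrl is the redirect_uri the client sends; keep it in sync with the app's callback path`. The same applies to the `originUrl` changes for LibreNMS, Netbird, Netbox and Outline in the following hunks of this file. The switch to exact callbacks presumably follows stricter redirect matching in the 1.4 series, and registering only the callback is the tighter setting. Grafana derives its callback from its configured root URL, which is not part of this diff, so it is worth confirming that it resolves to `https://grafana.dgnum.eu/login/generic_oauth`; the `dgn_grafana` attribute set continues past the hunk.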
@@ -111,7 +111,7 @@ in displayName = "LibreNMS [Network]"; enableLegacyCrypto = true; originLanding = "https://nms.dgnum.eu"; - originUrl = "https://nms.dgnum.eu/"; + originUrl = "https://nms.dgnum.eu/auth/kanidm/callback"; preferShortUsername = true; scopeMaps.grp_active = [ @@ -125,7 +125,7 @@ in displayName = "Netbird [VPN]"; enableLocalhostRedirects = true; originLanding = "https://netbird.dgnum.eu"; - originUrl = "https://netbird.dgnum.eu/"; + originUrl = "https://netbird.dgnum.eu/index"; preferShortUsername = true; public = true; @@ -141,7 +141,7 @@ in displayName = "Netbox [Inventory]"; enableLegacyCrypto = true; originLanding = "https://netbox.dgnum.eu"; - originUrl = "https://netbox.dgnum.eu/"; + originUrl = "https://netbox.dgnum.eu/oauth/complete/oidc/"; preferShortUsername = true; scopeMaps.grp_active = [ @@ -153,9 +153,10 @@ in dgn_outline = { displayName = "Outline [Docs]"; - originUrl = "https://docs.dgnum.eu/"; + originUrl = "https://docs.dgnum.eu/auth/oidc.callback"; originLanding = "https://docs.dgnum.eu"; preferShortUsername = true; + allowInsecureClientDisablePkce = true; scopeMaps.grp_active = [ "openid" diff --git a/machines/nixos/compute01/outline.nix b/machines/nixos/compute01/outline.nix index f4e396c..65e6a1e 100644 --- a/machines/nixos/compute01/outline.nix +++ b/machines/nixos/compute01/outline.nix @@ -28,10 +28,10 @@ in publicUrl = "https://${host}"; oidcAuthentication = { - clientId = "outline_dgn"; + clientId = "dgn_outline"; authUrl = "https://sso.dgnum.eu/ui/oauth2"; tokenUrl = "https://sso.dgnum.eu/oauth2/token"; - userinfoUrl = "https://sso.dgnum.eu/oauth2/openid/outline_dgn/userinfo"; + userinfoUrl = "https://sso.dgnum.eu/oauth2/openid/dgn_outline/userinfo"; displayName = "DGNum SSO"; clientSecretFile = config.age.secrets."outline-oidc_client_secret_file".path; 
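Review bot: `allowInsecureClientDisablePkce = true;` is added to `dgn_outline` without a comment saying why, and it is the one line in this commit that relaxes the authorization-code flow. Presumably Outline's OIDC client does not send a PKCE code challenge; if so, record that next to the option, e.g. `# Outline sends no PKCE challenge (confirm against the deployed version); remove once it does`. With PKCE off, the exact `originUrl` callback set in the same hunk and the confidentiality of the client secret are what protect an intercepted code, so this client should not later be switched to `public = true` while the flag is set. The `dgn_outline` attribute set continues past the hunk.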
diff --git a/machines/nixos/compute01/secrets/grafana-oauth_client_secret_file b/machines/nixos/compute01/secrets/grafana-oauth_client_secret_file index c5eef45..6d642e1 100644 --- a/machines/nixos/compute01/secrets/grafana-oauth_client_secret_file +++ b/machines/nixos/compute01/secrets/grafana-oauth_client_secret_file 
@@ -1,24 +1,28 @@ age-encryption.org/v1 --> ssh-ed25519 tDqJRg ukyCbDqq1/18sjxWxyCCwYgYDavNcRq5cBvpZoqSKVQ -2lmz4ONDnXiW0+FqLwi4OVOClm96YU6NUMxeLcwyqhI --> ssh-ed25519 jIXfPA MNspuPXKkP/fUp3qoPDmew+htam1l8JczSCCZFil6zE -1ugIhchyaumzv/izKFq1dCer6QPfLt6Fv2rIiU6rzGs --> ssh-ed25519 QlRB9Q teomppq6nVFhnQFELI/sQNCRuMGNs2Tu6AY/PMWAzzI -LDLn1CsC9xqBBszdp4TZV/uCaYHBb65HS5eoG2+vfzU --> ssh-ed25519 r+nK/Q GK/IVVvWVNjq1Fa8DKvljC1pD4OUz3MsM+VjROVYfSA -jJ2vK3HFkOGzrxvQJg6PayrEhOPVyvAZS29IEfKRbhs +-> ssh-ed25519 jIXfPA jjStc+COqzn2fkEU5y9p+h3KPL7ip0Sk7wwdjGME5Ag +2eYwXQs/IbgzeEP1vFy9OLOhPVnyq4cki7voHSXKomQ +-> ssh-ed25519 QlRB9Q rqJ1GzzA5IMgZoQD/u35k/qVr1GEbicWGCpDwzbSoRQ +cqGLtH53VWP5Z21pjllWRGRO2PkMSOQftF/WHAldW0Q +-> ssh-ed25519 r+nK/Q oPY6OIrUHYr3NSOes0KGNBjZJse4bNso3nGoKfqdOgw +8CJeNP6AdhUTWFTiYpswsottSI1C25RGOMaxHsnAeNc -> ssh-rsa krWCLQ -XywRp0R34ulA6AhRloj+OonbP3ZmvWvnxko+KSBNZHUEO3P84N/UTSJLhTJrJHps -uYWhOO1VXMdOmu8+s2ymvsFFHZlQ1Ngr28/8Cb4InYbOcjc1jGsA/laSFelGG/qZ -CxoSw59oga+wssAf7NRVDY0GLtZIhdACnlfCodBnwGgr7MrO/jtv6wUcNtTQwqyg -k6JvmeXVO54sAbcICfDNHiWLejOA9B1tQ4biAtNZrw2BRh1siXVcjtrlkjdfqsc4 -4R/EDAYLHIMBnG/6Qpp5H3vPEEdwtaU2Tcd5RZHxWR+8ZjFFhLsZaGQZ5GxzlVOW -qd63AwlEvNGOSIMXBqc+tQ --> ssh-ed25519 /vwQcQ Qm4OViiUxA0eIAiP+tPi+q9Uw+dluFKGi4J35q6dr3A -Byx5ohtc05YfpZhcZew6P7g90KEMammQ0KgvtRGAhBk --> ssh-ed25519 0R97PA YKE87fWy7Gix4dk+YOqTkMMFyG1mTVjroO/I6rHtLXQ -o9O664qMLUIEwxti17O4VByFCMmOZ4vTtPH5qNscGnU --> ssh-ed25519 JGx7Ng NfuL52cirg0LkXcoF3a0GYJx82Bt50YS9cpEnDH27T8 -OdqOs4ViSnW1fWZ5GLro4Z5afqmnGya6TsoKr3aZs0w ---- oqm2jb9ZHSHAhbxUYWDxQW/FaPwiq3iFr6RIX1nHCYo -쩚j˪fFyz#뤄 zz}9(!Sہ$ z2kC揦JTGZ_ \ No newline at end of file +BseveWlNY2C1A37CKs6rUBmJWDeYwr4JE6fGtjtvJG6oVaanIQqpAA0PkML1IG1V +tTimA7j4L8RT01UmHdpcWQUdR2ZjGBznFCfT46yW2/W/uCxrtHdRJKFur8ZZVfqg +3NNHTe87liDf9L1izNAhcMOWlSWXsDbj/xUYw07yopXoH9lA9bmbDytZp5oxrN5v +JLlWjfoiKu92RAUxobfqra2TUFM98ljAX0U2jv+Vadyz2HiDV0WRl3rsymlDNyQp +rWZRfNKmM4VVrBTB6raatgfdYaj9m3xN9x6xyTfz1Jw1etClrnvdTJOyROxR10B8 +qJ10Vvy1cu1Yt3aTzmBSpQ +-> 
ssh-ed25519 /vwQcQ lBUUIhJo1cwZJAD8yEkPEjc3Wm5laQ4+oL47g0UUzDI +oDMv1BAaAuoWL/lWb08l7sfz7Hjt7syFGxKlJ90IWx4 +-> ssh-ed25519 0R97PA oJ/bnbgfrfnozCOWyhPGrdhDD1N2VFVOhN56py0Lvic +3MFXDBDOASpUqg9ZkBCQDc7oCaJSyc77cEHYZ41O8Fk +-> ssh-ed25519 JGx7Ng lnd0RjCT6leBvk4uLXYWt+BeqstIycHYtWkbEhUqPjI +i9IVIwDe80nRV8jk3YLqyqDXzatC0PwGM6yMmZT8DeA +-> ssh-ed25519 bUjjig MFRe8FP5AQPHAUfLr3VLNAqEnnYI8wThQbFunl8fuj0 +U5//sg3BRjSvp4NbH9RqD9vugee3cEnNDRuKLaf506I +-> ssh-ed25519 tDqJRg txHQKcCUKCAxc0/ZYL1IqeXfbjlGz74ccKZ7kj2bVSw +4YzZQw7PyPGBoWw6GuBsdQo3p3f+XEbOdpGCXfOeHic +-> IOpsGs-grease +JFzNAbIaA7nJkfBBACoJDaQsVCo5TmArRwHtu5W91+YxSoyj22D0 +--- K4Uw4L8YfGsdUQfdxwm1zxkABRBBjORNIDoHv+sjosI +@,!!?Kէ!% B*vc?:;6{?.E,;%0iq^tll=±6.xv\ \ No newline at end of file 
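Review bot: The re-encrypted file gains a recipient stanza with no counterpart among the removed lines, `-> ssh-ed25519 bUjjig`, and the commit message does not mention changing who can decrypt this secret. The same new stanza appears in `outline-oidc_client_secret_file` later in the patch. Confirm that this tag belongs to a key deliberately listed for these secrets in the repository's recipient configuration, which is not visible here. The ciphertext cannot show whether the client secrets were rotated along with the client rename or only re-encrypted, so say which in the commit message; the previous ciphertext stays readable in history to the old recipient set.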
diff --git a/machines/nixos/compute01/secrets/librenms-environment_file b/machines/nixos/compute01/secrets/librenms-environment_file index 981d785bf0182bb9ced5eac8d752114b5cd22ee6..bc61140035a80afba89e7a8a4f6b344101402cdf 100644 GIT binary patch literal 1683 zcmZY9>FeYM9R_eKA{xQE6l^WEjv!v)*UaRYOt!K%$4t(d9FuG2O-(XMCYem`$xNbE zc3rTPU5XWjpV0b3x=M@37OGO$){BB@m4ZqY5lZm}cPUs}>x%1(^~L%Ze0aXcW`0p^UebJI2<L-mBj?$tIXIqTm+4+pYggk3Cmr*rgg~~R6qoyVr zMX0@8(QzEw9o8$hCgNd4MhzUYQLr2j>9qwj&=gsP;Vzs<9w1W1pe^Y9fQp$jt3ekc z=SHE>TD#6bo~s71#jI+9N3H&iS_!5ir1m(RqGhV+;EBc5Ti!>xq<$UOGxe)7b)= z-~?!A^ThOk#%MaNWri3p`vag9KrqBExDy9*(-AU1cVn5d$j0Bi&kpbxL51!)(+!dtfgy z*9>eKP!0}h6}_K;Bwtk4#7Gml0%4dMnb9B~aSX+8luct(dc?v-KIg0jJmnx@>p7yozfFU8XqO>5v15X`S}FD)J)9 z2Gv+z98$U?uTT5>-9pV?_0*oh42Nj3ZbP<7yICJ~2b`V|CbTv(daNAM$xfX0*Zh!6 zLm(UOz0}w@T((fB`!4E~a%INkUSUZAqc-Sx&Y_B{8eRRr-Co!F8i8N?lCUEZkuaKq zM)J*Mf|I$ijB(yzSuB>>17{`a0;cAuYE=M_6a$e`&0LguX}xlVX+<$@ik3+u>V|8e zjaeawHCfQ38?y=Q0iT7vzAPf0qObUIk!ZSM))N?V%QRBiLRhe)wZGQWY3*hZI|cN< zVE7xEbV1qOa1De`C_eFgltax-9@%2$H*prkiIW;PYOWE-QP?}|0&l)ub#2WBn}+?xdFJmSZ6i z%liMcnkfV=?D@nrR!f?ub3sl+@?fY_RT^d`tL<`O<{1JV(R~$3KwAYC(r{3@FpJ7; zQ!VG$T4B~AeNdl37#x98NmH>G?`x1mrvJ_Mf$CH}7O2BfSo%)o_YiG(_xlO6$9aX` ztM9%0p3#S`8t9yC;~5>;&u7-0Wmhz1Ahx~j(wU@g=y_!=J`eifTN?Mo)m677)z8j+SGi9Y=lUsG9)lvPef8Q=2%Cvhm%EEaZ_M={PSC9 z?<|Cuo;d%7xBl5U`Q!BwdU}U{=ES9!e|q2LdrqHUoPXQJix1zNocv~V`w!k;HLtzp z6Tj8}^3)3tKKJ|+1@qPS(Xad}vZZ%bS8u-X2Krx5UY6hc&_{3k+EeC7KAoI-Kzjfp zF5S_*_~7wDKKcDCzr65W>C7j;CGcPL9tXaBnYjA-OE3Gc8o&SS>D^7Q|IP{rxAcFV z`mZ1V;nfKfAs_!)@6mJjfA8Jz`TJvUdi3z-<%vIbSDt?`cKv^!y_5gSb1&X|u6toT gE#J|9n87A2X<9J!M@Ga{H{l1wI<%uX`NOj@wI zRHRt16)lR2QbBxCYrSY`^`*jUMOvr_R6MYXh*n?3;!$4{iz}N zHdq?OEk+C+tr3^XAcR5dX^OAXq>?KqO~gZ7-5Vn0$Pi1h5VSgTsg4&d+DVdL9!f)x zD3c{m1LW9qvjI&Ha54rtT_)Xbr@~{Q+QI}2@fcZveZhx}Qq@^co8(6vsN`%lYluEa zHb62YC#p`Nb_#`3FG5g~BpIDm3v88gux^b2y8d)X^$elPNMpBb&a#-pro1AS>*k~& zFbqg8r3ppYZtFj9lSt1EC!G?n085DOplpd2LAb*<+_DUJswH?N_M2H8X(c*z%wpS( 
zvr5J7jze6J7`Km8qfAp}inme=SW}vjGL#qE9S)xQtSQ)1)S6E9rU7OH)Q}R|@SG_d zRqE-SYtDQmY*S${&G1mtXi5Vr0mMy=UcNuWNQ0aYYsHpeLM1&=!=_$WO{i+l(-9uI zrdC&4O;)j~l%G^V-(W-4;#&ZgZx`~l?4atf< zJsrD6DzuF%LSRL1&dyQ453nqgG-JcJFb5R%{#yQS?EbG?Fi90t$;owagd4LtI-9AI zfjeN+@ydlR%@yQe%=J)A89<2^tbL{q5CLv`sp0k6!lWG);z*Qj&u35%KN zUA01Lr8r!_BuFLkwU-!Tr;-mGDB_h;V={ucf|E6j2Fp({zD5>9fxGDQ-ii0pGq1s?pb8V+Uq%Dhz zk|hFITwKh#6+02gL7hSCG35u{uta%fWLA(op6HN4d1!(bph;Y+gNgpL)Ze57{s6m$$BLJ@Dqeuj)5`_Jp|Uz;X3lZ}&&`qm`%s;tlZF!P6(g z=9Qn87Hnk0`A@&7mY(^Z`?yLU{{60|_wy@T82ZY$Z~y&(aqQQ9J1@Nz+}2+}?zyJ8 z|J3&5?-1{9`t8B^{q)(+p(A&`c6Hlz*I(ScUXvq!%> zbHVXnwyVpJTr;5+boqmWdoRRyQ#Y@^e(L$BZhtI)@#K#$eEGE{t$coVx%DD*OY+T` zCF}6Dj?LV^i&)+E!%gt!jSufW)c6WJad~y?(ykqQZaw~Fe&MpvT0U`h%P0HJZ5-`e HK>zp`W0U*t diff --git a/machines/nixos/compute01/secrets/outline-oidc_client_secret_file b/machines/nixos/compute01/secrets/outline-oidc_client_secret_file index 35e72a4..407b89a 100644 --- a/machines/nixos/compute01/secrets/outline-oidc_client_secret_file +++ b/machines/nixos/compute01/secrets/outline-oidc_client_secret_file 
@@ -1,27 +1,30 @@ age-encryption.org/v1 --> ssh-ed25519 tDqJRg X/tRIl6TzF09a1Tvr8vP3SocmlfwKg307he8LP3Q5mo -hWjX3AUbREbQR+uCiW8Nsj5nCwYQYy1KV/41sbxBFo4 --> ssh-ed25519 jIXfPA 6EOXJfa+aY4JjOb0SO2k+s6xnNjtm/o8au6lbN1UfxA -dVsgH99btiE+pl7Q4uiOcYDTwtv6X0jgjYXoFFd+tPs --> ssh-ed25519 QlRB9Q 4Hje1HQL+Zjm9+BGDQvb83KaizOjfKTwjiq1SJlXvA0 -w2rMGVcZcS2aLNYxHZIJZF/j50CQm8UCmq89W9K7Q14 --> ssh-ed25519 r+nK/Q aPQh4X7xZnTbrkxIaAwUbaS7NnbHMY+Q31E0x7AvwSo -rnMus4wPVugzscVNPO33rNgboN7I42tdz4dikVOvWIw +-> ssh-ed25519 jIXfPA ffhnaA8PokIDyboOZVSebOxvu46CSvl3Sk6NEqXDlgo +MTEYDDnKBVnGyMvQFLBVAedmEfdv90Lh7fFt8G4ogSg +-> ssh-ed25519 QlRB9Q U9driMnVrc6FvJkIg0FGfCqjftbw4OozLMH3hNSeOns +/2/Ripvin97IDSSpOkWiOrmMt1/WnsKDZQ9jvPpn2OA +-> ssh-ed25519 r+nK/Q TabwYz+Z7Hr/TflaeYFT+svW+AGkTYRqDPN0iRrPmzc +mi9r46HFwSjqPrW3x4Ik2Xerd80KjYuHaqy4wkLOgAc -> ssh-rsa krWCLQ -Xe2Vv3tCZy19QQt26q6T3mJkZyltU7OVOrruwxWr8hlaKgOfR/pMa7nbR+eWm6jS -++39H+E6gssE/534ld5qz2J3oPV5E6+p4wok/Owy7zE6aWrALP1Mp296lumRjjGN -6aYhmf4fbpvOWDMNujExWURggswbUplk0f7l5UYjNpcSnM9Iq6s9fTAUVTMAlvoL -cmVvPTll6QlhhM7tkJL1fo+1nEimfmwDaOhE2lAKKJUD7DTqcBGsukpysOhcmCyr -Xtx38kcuF5eaDzjT9gXgi4QtCrxf31Lfjju44HSqJFB1LqO2Vzd9rASurD2LN7/1 -uj8F5y+dmf6IqIM/kYXqPg --> ssh-ed25519 /vwQcQ Byl5reTJslEFsIdUWp+rg5sZxG1jEHVduBE/grTD/Vc -SEzFbpWUZrVitO1Swfs3/pzfaZ6Zd4Roi8anJRHO7/o --> ssh-ed25519 0R97PA CLDuGuFPHf0rgUoCUY2C1jtXAeBEqKiqaeiH4ZcRFk8 -rBYZfmS7BSKDIJMVpWTGy5wRhhoi9xR1GchVsUn7Psw --> ssh-ed25519 JGx7Ng xqTydh3Bt5bL/7R6ZnVtqhfSW2V3g1g2UWPcePt8TCU -lPQeGP4VQGU4xeGqVcIRnWZjeDp2Q4lH2CLg+C/weyM --> .-grease -l4qPzZnL/yerx8Y3VUmUoO2GgK7OUAjbhfYsHPhDFSo+ZPgvYo7qpJBEsPQqrPA3 -FF2/R9IFD+jFranJsg ---- ynZs900dI1cp+HWu6HdnUGKaJw/Wa1Y26eQSeO3fvH8 -|Ns.添KCi#Xfq[t{EkDZ ssh-ed25519 /vwQcQ p8fZnQh6objEcb9kVQ+iu49T7v54CZKES538A/3eXlo +4bchuaemw++HSOi+1Nop2D1QP96zsDdK1SS5wzNLIeE +-> ssh-ed25519 0R97PA j76+Z++DFCjrELtJuXlbXKO3GfDz4bqN4MjxrRjEunY +s/Bouc5R6RAhV+fV8sqP3bQN7cubQ/zvmTbiFkEdShc +-> ssh-ed25519 JGx7Ng FSufP2DJeNehiGWArgtLjnPTMJd1XYOGIydUDovgLjA 
+HpuHpBUSrEgUDZHG2T6b2wdugRhCCWnCNC33W1mz7VQ +-> ssh-ed25519 bUjjig 3lJvEVu3c8NNpm1cc6068n2pO75PLD5DyX00sL9Io1M +QV4CiZ8q2YV3FjojL4eU+of4KNuvw/kuVcykOR/ndcY +-> ssh-ed25519 tDqJRg 1++TmLtKpgOlKExGY4ZVWb82N/GrRHl63MpHsBYg83A +C1hi8qlfY8Tx8a6Ik4b0FcxXFDorvmSklR53VgPeQqU +-> i3xH-grease \0) ojM4J< +ArfqJf5FcIndzy7XQ5vxY+1iJwPtjplV7Sx5R2kWoHsXBwYyI9pt8Co +--- apFO9hGDSpGnlL3r1MliuT1axseRl7WLb5YhpOcd5GI +Їv\yoKCsAajM+2"c4518)m$XkPj)F +V*ɂ +c \ No newline at end of file 
diff --git a/machines/nixos/web01/secrets/netbox-environment_file b/machines/nixos/web01/secrets/netbox-environment_file index 63cf31ae6dad692d2a29500881e7d3fb81ad7c53..ea77c65ed096e51a1e36ec0ede7e57089947640b 100644 GIT binary patch literal 1613 zcmZA0{p;g|9S3kv{KcpPop}1gw(5QmmenLp)1<=0G-;cMrfHI#2;h1cbF`SPa9zKhx=)tCN+`(Y7F+@~EohXM>R1g#qb`0*9??3Q)!TbIG7@pI1 zwpO}N@*v*c6sI0kB0&3=R+jl~$L?Sl(r>L<&7F}gX(01Wjg2c^S^Ci!G-nIEPX>9W zqM*zp0mSc7c1)oz;sGmm0-Lbw_pvk^a-J_Zu8biN&S?uWGxXS-u=Zx)Q&{aC)TB@z z^raR*-u1JQG%u=%#tbs&lWbl~N@!0=EGontUWOyzibuxS0=ii_8bY+sXtO{T^?QLMJY`WrVO$xu|;abUaTrT#d>do-a87 z^gL^evy2207~f%-T|TQz(XH8@(aV($V$~RIvK8;A{Xhw1q$DRE4N?hSikvz%EKD-jV2ESytNV@IO^K5g$7B})fZBiIZOm=m@=%dA^*ybLnRNAToHtt%?47d zwy|AEhrCP_Myg$g-JILo4hKQ5;VUo;avrkdH88<>trx>)U0AR;-1^ms2O82w7Yf+} zEsEh#-tA3yIb2;x`@(LavXU&RB`$Gk*o#DFR!FN*2FZdL>l0BjxCV9HK^74+A_(DX zMhid|n1bAC>}d}TOIyiwgHxs!yj_J6=xN0qm|&fz6IcOW3Zg9%Y5nLQC3F0D)n$DohfAp;c|O! z5?cY;2Awr09n`pSjZeK6MQq^4Bm$D4lE!GJ@zm$2P|Qa@6QdyRMu_kEO|QdNL!jem zHAoOdP0##2r&~Vl%kyHNm8xAH1x~H&N4yR zA^JfLW*4$aws!7nl@Ssf?_A#I%gHjwrOmMHGa(rXC|TEHq6}5l&*l~&+hsnQZu;AF ztE{;$zKHEjBN2?DLvqw*>LDNH9-FF#@c-UMi?F(_?WK;9IW4?rv_$!+iFBLRYT5xT zS%G^_q%lJlXt&!fy$N?(I_QWtXT@7Ii6!{_DY|bJ0*jLT0QDF6nl6U=A_M%#kGyHR;v_Q{)}^0#LXmA`uAH$OZ3 z#!s%hLZH9@;_Wvc4*v7w-Qn9${r917E~-9$waveE;sf;BEAitu2mgHH`WHa(lAm5q V=@*~=`BgW3sQev$PkQ~i{{gJ;G0gw~ literal 1679 zcmZA0+t1_#0R`{}qk%@kgNZ^`vZL`u#*bd7or;%jJMBzorqg!X>9iHhPTOfay-zRG ziyK8&jl>ueFYyx4=xQ(_Jdgk{C03E|8t0)o%TGgPs8brxftAsdaNgKag# zp(&#y2a{ZnI;7@ZzHujDH6&BXf=+6AKbe7Yk3{!wIg;mSl*e?DvhI-I4cF*cH1y?` z*uh0ZCkc(ou51Izf^41GjDn_A0#{I&jku>wvYn1hVo`J+=Qg|uQ&wIHSG2s?^um12 z%w-@RprkKA-N7(S8uN45X3X$PxTYp^}e%J0OM4zkFk^a+f|BnUc$3ss{I zP(ptoCZ!a><22XO1snF+v~SHNm#2(ynr8vCo;x^adW+DSn1rIv7*4fUtw%&1($9g` z9=co|wxs5j#+-9VoTW_-LRw^rcKvN7^#^KOILD1|1aRbtOVm<>rRGGLM}!@d0^6~O z41z-d3LzRJ^fX#Uh%Krzm6BVG*b_=A`v%c?&6xC%W?TDoRy!kWT#*YWpNuMCGZJ)q zzs{u&ZnXwgDPz~y>XntwNzX9wl*?H17IU5DwW_! 
z4qC<5h?Rn5*@Jwg?JK(l54CK|y>g=al*!FEQW(MgI=7gOW@l|F?=?||-4&~GOja!f zA)tWTTXVxPO^|(ft`!Rg<{ctb{XobAbVm-wz*2|#oK!`GI;lZRk~n?|H<015k14ap z9>jBH;e$?~bS@|9)fmcmrCDYU4=p#*m<5(9#A2XH4Elw);>v0oRLTb5VZ|K5D!l0$pmqH+(*Q$Nx(yka(1)ZObS|}Qb2X> zgK=1S!5rk}xeD!sKPt0?O><_NAk12PFV$>4%p0ke>wR+3|KHq1)jJ>87O#|++#8*W%?)svR*||V^W+-D@uW*J(taFKR39HjbVH}I`}*w&}}*OT{4=L z5nmac1vy*=gK3*a+iA&H)-W8gF+M`v^rQyy+R~zWtxfMWX9BVN<-&|jaJZ>)LaI1^ zFm7F3TG#7|S_BhP)mMNKOV*~$273%`DM$q=PET^fo+@YuvdpMSLc>ErPTSbWn>;$| zC0nf>;`{brb=RN1c+EHdcI&wh z{`Jcjp7_h<{OJo%p1t~^?_50l*~k8zh4&@jeRtU@-~37Mk&nN0!T3G?J1<_xKN!9F z+&Sc^{OMQz_W}B@UGe;#FFemZ@ScDF^3@{0*Lt(MuDR;$YcbEg{QAXbzxqu0#?|B( z%v)~9?mV@9=$(JveChTAsNQhab7)#{b;- S@R_IXc;vNAxc?vb%l`-JZ%$zV