From fb0bb721f7e1597465e7aec7b25de49fd55564ed Mon Sep 17 00:00:00 2001
From: Zoey <zoey@z0ey.de>
Date: Mon, 9 Oct 2023 18:38:58 +0200
Subject: [PATCH] rebrand to NPMplus/improve security headers/upsteam
 changes/dockerlint

Signed-off-by: Zoey <zoey@z0ey.de>
---
 .github/workflows/caddy-latest.yml            |  16 +++++--
 .github/workflows/caddy.yml                   |   7 ++-
 .github/workflows/docker-latest.yml           |  18 +++++---
 .github/workflows/docker.yml                  |  23 +++++-----
 .github/workflows/dockerlint.yml              |  27 ++++++++++++
 Dockerfile                                    |  41 +++++++++---------
 README.md                                     |  38 ++++++----------
 backend/db.js                                 |   2 +-
 backend/doc/api.swagger.json                  |   2 +-
 backend/internal/certificate.js               |  22 ++++++++--
 backend/package.json                          |  12 ++---
 backend/password-reset.js                     |   4 +-
 backend/schema/index.json                     |   4 +-
 backend/templates/_hsts.conf                  |  12 ++++-
 compose.override.yaml                         |   8 ++--
 compose.yaml                                  |   6 +--
 .../app-images/logo-text-vertical-grey.png    | Bin 13636 -> 14708 bytes
 frontend/html/index.ejs                       |   2 +-
 frontend/html/login.ejs                       |   2 +-
 frontend/js/app/nginx/dead/form.ejs           |   2 +-
 frontend/js/app/nginx/proxy/form.ejs          |   2 +-
 frontend/js/app/nginx/redirection/form.ejs    |   2 +-
 frontend/js/app/ui/footer/main.ejs            |   2 +-
 frontend/js/i18n/messages.json                |  14 +++---
 frontend/package.json                         |   4 +-
 global/certbot-dns-plugins.js                 |  13 +++++-
 rootfs/bin/aio.sh                             |   8 ++++
 rootfs/bin/launch.sh                          |   1 +
 rootfs/bin/start.sh                           |  12 +++++
 rootfs/html/404/index.html                    |   2 +-
 rootfs/html/default/index.html                |   4 +-
 31 files changed, 202 insertions(+), 110 deletions(-)
 create mode 100644 .github/workflows/dockerlint.yml
 create mode 100755 rootfs/bin/aio.sh

diff --git a/.github/workflows/caddy-latest.yml b/.github/workflows/caddy-latest.yml
index 3458dbb26..319c82846 100644
--- a/.github/workflows/caddy-latest.yml
+++ b/.github/workflows/caddy-latest.yml
@@ -14,6 +14,9 @@ jobs:
       - name: Convert Username
         id: un
         run: echo "un=$(echo "${{ github.repository_owner }}" | tr '[:upper:]' '[:lower:]')" >> $GITHUB_OUTPUT
+      - name: Convert repository name
+        id: rn
+        run: echo "rn=$(echo "${{ github.event.repository.name }}" | tr '[:upper:]' '[:lower:]')" >> $GITHUB_OUTPUT
       - name: Login to GitHub Container Registry
         uses: docker/login-action@v3
         with:
@@ -22,9 +25,14 @@ jobs:
           password: ${{ github.token }}
       - name: Push develop to latest
         run: |
-          docker buildx imagetools create --tag ${{ steps.un.outputs.un }}/${{ github.event.repository.name }}:caddy ${{ steps.un.outputs.un }}/${{ github.event.repository.name }}:caddy-${{ github.ref_name }}
-          docker buildx imagetools create --tag ghcr.io/${{ steps.un.outputs.un }}/${{ github.event.repository.name }}:caddy ghcr.io/${{ steps.un.outputs.un }}/${{ github.event.repository.name }}:caddy-${{ github.ref_name }}
+          docker buildx imagetools create --tag ${{ steps.un.outputs.un }}/nginx-proxy-manager:caddy ${{ steps.un.outputs.un }}/${{ steps.rn.outputs.rn }}:caddy-${{ github.ref_name }}
+          docker buildx imagetools create --tag ghcr.io/${{ steps.un.outputs.un }}/nginx-proxy-manager:caddy ghcr.io/${{ steps.un.outputs.un }}/${{ steps.rn.outputs.rn }}:caddy-${{ github.ref_name }}
+          
+          docker buildx imagetools create --tag ${{ steps.un.outputs.un }}/${{ steps.rn.outputs.rn }}:caddy ${{ steps.un.outputs.un }}/${{ steps.rn.outputs.rn }}:caddy-${{ github.ref_name }}
+          docker buildx imagetools create --tag ${{ steps.un.outputs.un }}/${{ steps.rn.outputs.rn }}:caddy-${{ github.run_number }} ${{ steps.un.outputs.un }}/${{ steps.rn.outputs.rn }}:caddy-${{ github.ref_name }}
+          docker buildx imagetools create --tag ghcr.io/${{ steps.un.outputs.un }}/${{ steps.rn.outputs.rn }}:caddy ghcr.io/${{ steps.un.outputs.un }}/${{ steps.rn.outputs.rn }}:caddy-${{ github.ref_name }}
+          docker buildx imagetools create --tag ghcr.io/${{ steps.un.outputs.un }}/${{ steps.rn.outputs.rn }}:caddy-${{ github.run_number }} ghcr.io/${{ steps.un.outputs.un }}/${{ steps.rn.outputs.rn }}:caddy-${{ github.ref_name }}
       - name: Show Caddy version
         run: |
-          docker run --rm --entrypoint caddy ${{ steps.un.outputs.un }}/${{ github.event.repository.name }}:caddy version
-          docker run --rm --entrypoint caddy ghcr.io/${{ steps.un.outputs.un }}/${{ github.event.repository.name }}:caddy version
+          docker run --rm --entrypoint caddy ${{ steps.un.outputs.un }}/${{ steps.rn.outputs.rn }}:caddy version
+          docker run --rm --entrypoint caddy ghcr.io/${{ steps.un.outputs.un }}/${{ steps.rn.outputs.rn }}:caddy version
diff --git a/.github/workflows/caddy.yml b/.github/workflows/caddy.yml
index 908e23d7c..f2248574b 100644
--- a/.github/workflows/caddy.yml
+++ b/.github/workflows/caddy.yml
@@ -31,6 +31,9 @@ jobs:
       - name: Convert Username
         id: un
         run: echo "un=$(echo "${{ github.repository_owner }}" | tr '[:upper:]' '[:lower:]')" >> $GITHUB_OUTPUT
+      - name: Convert repository name
+        id: rn
+        run: echo "rn=$(echo "${{ github.event.repository.name }}" | tr '[:upper:]' '[:lower:]')" >> $GITHUB_OUTPUT
       - name: Login to GitHub Container Registry
         uses: docker/login-action@v3
         with:
@@ -46,5 +49,5 @@ jobs:
           platforms: linux/amd64,linux/arm64 #,linux/amd64/v2,linux/amd64/v3,linux/amd64/v4 #,linux/ppc64le,linux/s390x,linux/386,linux/arm/v7,linux/arm/v6
           push: ${{ github.event_name != 'pull_request' }}
           tags: |
-            ${{ steps.un.outputs.un }}/${{ github.event.repository.name }}:caddy-${{ github.ref_name }}
-            ghcr.io/${{ steps.un.outputs.un }}/${{ github.event.repository.name }}:caddy-${{ github.ref_name }}
\ No newline at end of file
+            ${{ steps.un.outputs.un }}/${{ steps.rn.outputs.rn }}:caddy-${{ github.ref_name }}
+            ghcr.io/${{ steps.un.outputs.un }}/${{ steps.rn.outputs.rn }}:caddy-${{ github.ref_name }}
diff --git a/.github/workflows/docker-latest.yml b/.github/workflows/docker-latest.yml
index 8837b7e37..d149e40b4 100644
--- a/.github/workflows/docker-latest.yml
+++ b/.github/workflows/docker-latest.yml
@@ -14,6 +14,9 @@ jobs:
       - name: Convert Username
         id: un
         run: echo "un=$(echo "${{ github.repository_owner }}" | tr '[:upper:]' '[:lower:]')" >> $GITHUB_OUTPUT
+      - name: Convert repository name
+        id: rn
+        run: echo "rn=$(echo "${{ github.event.repository.name }}" | tr '[:upper:]' '[:lower:]')" >> $GITHUB_OUTPUT
       - name: Login to GitHub Container Registry
         uses: docker/login-action@v3
         with:
@@ -22,11 +25,14 @@ jobs:
           password: ${{ github.token }}
       - name: Push develop to latest
         run: |
-          docker buildx imagetools create --tag ${{ steps.un.outputs.un }}/${{ github.event.repository.name }}:latest ${{ steps.un.outputs.un }}/${{ github.event.repository.name }}:${{ github.ref_name }}
-          docker buildx imagetools create --tag ${{ steps.un.outputs.un }}/${{ github.event.repository.name }}:${{ github.run_number }} ${{ steps.un.outputs.un }}/${{ github.event.repository.name }}:${{ github.ref_name }}
-          docker buildx imagetools create --tag ghcr.io/${{ steps.un.outputs.un }}/${{ github.event.repository.name }}:latest ghcr.io/${{ steps.un.outputs.un }}/${{ github.event.repository.name }}:${{ github.ref_name }}
-          docker buildx imagetools create --tag ghcr.io/${{ steps.un.outputs.un }}/${{ github.event.repository.name }}:${{ github.run_number }} ghcr.io/${{ steps.un.outputs.un }}/${{ github.event.repository.name }}:${{ github.ref_name }}
+          docker buildx imagetools create --tag ${{ steps.un.outputs.un }}/nginx-proxy-manager:latest ${{ steps.un.outputs.un }}/${{ steps.rn.outputs.rn }}:${{ github.ref_name }}
+          docker buildx imagetools create --tag ghcr.io/${{ steps.un.outputs.un }}/nginx-proxy-manager:latest ghcr.io/${{ steps.un.outputs.un }}/${{ steps.rn.outputs.rn }}:${{ github.ref_name }}
+          
+          docker buildx imagetools create --tag ${{ steps.un.outputs.un }}/${{ steps.rn.outputs.rn }}:latest ${{ steps.un.outputs.un }}/${{ steps.rn.outputs.rn }}:${{ github.ref_name }}
+          docker buildx imagetools create --tag ${{ steps.un.outputs.un }}/${{ steps.rn.outputs.rn }}:${{ github.run_number }} ${{ steps.un.outputs.un }}/${{ steps.rn.outputs.rn }}:${{ github.ref_name }}
+          docker buildx imagetools create --tag ghcr.io/${{ steps.un.outputs.un }}/${{ steps.rn.outputs.rn }}:latest ghcr.io/${{ steps.un.outputs.un }}/${{ steps.rn.outputs.rn }}:${{ github.ref_name }}
+          docker buildx imagetools create --tag ghcr.io/${{ steps.un.outputs.un }}/${{ steps.rn.outputs.rn }}:${{ github.run_number }} ghcr.io/${{ steps.un.outputs.un }}/${{ steps.rn.outputs.rn }}:${{ github.ref_name }}
       - name: Show Nginx version
         run: |
-          docker run --rm --entrypoint nginx ${{ steps.un.outputs.un }}/${{ github.event.repository.name }}:latest -V
-          docker run --rm --entrypoint nginx ghcr.io/${{ steps.un.outputs.un }}/${{ github.event.repository.name }}:latest -V
+          docker run --rm --entrypoint nginx ${{ steps.un.outputs.un }}/${{ steps.rn.outputs.rn }}:latest -V
+          docker run --rm --entrypoint nginx ghcr.io/${{ steps.un.outputs.un }}/${{ steps.rn.outputs.rn }}:latest -V
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 6857cfaa6..18c88469b 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -42,6 +42,9 @@ jobs:
       - name: Convert Username
         id: un
         run: echo "un=$(echo "${{ github.repository_owner }}" | tr '[:upper:]' '[:lower:]')" >> $GITHUB_OUTPUT
+      - name: Convert repository name
+        id: rn
+        run: echo "rn=$(echo "${{ github.event.repository.name }}" | tr '[:upper:]' '[:lower:]')" >> $GITHUB_OUTPUT
       - name: Login to GitHub Container Registry
         uses: docker/login-action@v3
         with:
@@ -63,15 +66,15 @@ jobs:
           platforms: linux/amd64,linux/arm64 #,linux/amd64/v2,linux/amd64/v3,linux/amd64/v4 #,linux/ppc64le,linux/s390x,linux/386,linux/arm/v7,linux/arm/v6
           push: ${{ github.event_name != 'pull_request' }}
           tags: |
-            ${{ steps.un.outputs.un }}/${{ github.event.repository.name }}:${{ github.ref_name }}
-            ghcr.io/${{ steps.un.outputs.un }}/${{ github.event.repository.name }}:${{ github.ref_name }}
+            ${{ steps.un.outputs.un }}/${{ steps.rn.outputs.rn }}:${{ github.ref_name }}
+            ghcr.io/${{ steps.un.outputs.un }}/${{ steps.rn.outputs.rn }}:${{ github.ref_name }}
           build-args: |
-            "BUILD=${{ github.event.repository.name }}"
+            "BUILD=${{ steps.rn.outputs.rn }}"
       - name: show version
         if: ${{ github.event_name != 'pull_request' }}
         run: |
-          docker run --rm --entrypoint nginx ${{ steps.un.outputs.un }}/${{ github.event.repository.name }}:${{ github.ref_name }} -V
-          docker run --rm --entrypoint nginx ghcr.io/${{ steps.un.outputs.un }}/${{ github.event.repository.name }}:${{ github.ref_name }} -V
+          docker run --rm --entrypoint nginx ${{ steps.un.outputs.un }}/${{ steps.rn.outputs.rn }}:${{ github.ref_name }} -V
+          docker run --rm --entrypoint nginx ghcr.io/${{ steps.un.outputs.un }}/${{ steps.rn.outputs.rn }}:${{ github.ref_name }} -V
       - name: Set PR-Number (PR)
         if: ${{ github.event_name == 'pull_request' }}
         id: pr
@@ -84,15 +87,15 @@ jobs:
           file: ./Dockerfile
           platforms: linux/amd64,linux/arm64 #,linux/amd64/v2,linux/amd64/v3,linux/amd64/v4 #,linux/ppc64le,linux/s390x,linux/386,linux/arm/v7,linux/arm/v6
           push: ${{ github.event_name == 'pull_request' }}
-          tags: ghcr.io/${{ steps.un.outputs.un }}/${{ github.event.repository.name }}:${{ steps.pr.outputs.pr }}
+          tags: ghcr.io/${{ steps.un.outputs.un }}/${{ steps.rn.outputs.rn }}:${{ steps.pr.outputs.pr }}
           build-args: |
-            "BUILD=${{ github.event.repository.name }}"
+            "BUILD=${{ steps.rn.outputs.rn }}"
       - name: show version (PR)
         if: ${{ github.event_name == 'pull_request' }}
-        run: docker run --rm --entrypoint nginx ghcr.io/${{ steps.un.outputs.un }}/${{ github.event.repository.name }}:${{ steps.pr.outputs.pr }} -V
+        run: docker run --rm --entrypoint nginx ghcr.io/${{ steps.un.outputs.un }}/${{ steps.rn.outputs.rn }}:${{ steps.pr.outputs.pr }} -V
       - name: add comment (PR)
         uses: mshick/add-pr-comment@v2
         if: ${{ github.event_name == 'pull_request' }}
         with:
-          message: "The Docker Image can now be found here: `ghcr.io/${{ steps.un.outputs.un }}/${{ github.event.repository.name }}:${{ steps.pr.outputs.pr }}`"
-          repo-token: ${{ github.token }}
\ No newline at end of file
+          message: "The Docker Image can now be found here: `ghcr.io/${{ steps.un.outputs.un }}/${{ steps.rn.outputs.rn }}:${{ steps.pr.outputs.pr }}`"
+          repo-token: ${{ github.token }}
diff --git a/.github/workflows/dockerlint.yml b/.github/workflows/dockerlint.yml
new file mode 100644
index 000000000..38f5a4dd8
--- /dev/null
+++ b/.github/workflows/dockerlint.yml
@@ -0,0 +1,27 @@
+name: Dockerlint
+on:
+  push:
+  pull_request:
+  workflow_dispatch:
+jobs:
+  docker-lint:
+    runs-on: ubuntu-latest
+    name: docker-lint
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Install hadolint
+        run: |
+          sudo wget https://github.com/hadolint/hadolint/releases/latest/download/hadolint-Linux-x86_64 -O /usr/bin/hadolint
+          sudo chmod +x /usr/bin/hadolint
+      - name: run lint
+        run: |
+          DOCKERFILES="$(find . -name "*Dockerfile*")"
+          for file in $(echo "$DOCKERFILES" | tr " " "\n"); do
+            # DL3018 warning: Pin versions in apk add. Instead of `apk add <package>` use `apk add <package>=<version>`
+            # DL3013 warning: Pin versions in pip. Instead of `pip install <package>` use `pip install <package>==<version>` or `pip install --requirement <requirements file>`
+            hadolint "$file" --ignore DL3013 --ignore DL3018 | tee -a hadolint.log
+          done
+          if grep -q "DL[0-9]\+\|SC[0-9]\+" hadolint.log; then
+            exit 1
+          fi
diff --git a/Dockerfile b/Dockerfile
index 4c5ba2430..d935eba3a 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,10 +1,10 @@
-FROM --platform="$BUILDPLATFORM" alpine:3.18.3 as frontend
+FROM --platform="$BUILDPLATFORM" alpine:3.18.4 as frontend
 COPY frontend                        /build/frontend
 COPY global/certbot-dns-plugins.js   /build/frontend/certbot-dns-plugins.js
 ARG NODE_ENV=production \
     NODE_OPTIONS=--openssl-legacy-provider
+WORKDIR /build/frontend
 RUN apk add --no-cache ca-certificates nodejs yarn git python3 build-base && \
-    cd /build/frontend && \
     yarn --no-lockfile install && \
     yarn --no-lockfile build && \
     yarn cache clean --all
@@ -12,14 +12,15 @@ COPY darkmode.css /build/frontend/dist/css/darkmode.css
 COPY security.txt /build/frontend/dist/.well-known/security.txt
 
 
-FROM --platform="$BUILDPLATFORM" alpine:3.18.3 as backend
+FROM --platform="$BUILDPLATFORM" alpine:3.18.4 as backend
+SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
 COPY backend                        /build/backend
 COPY global/certbot-dns-plugins.js  /build/backend/certbot-dns-plugins.js
 ARG NODE_ENV=production \
     TARGETARCH
+WORKDIR /build/backend
 RUN apk add --no-cache ca-certificates nodejs-current yarn && \
-    wget https://gobinaries.com/tj/node-prune -O - | sh && \
-    cd /build/backend && \
+    wget -q https://gobinaries.com/tj/node-prune -O - | sh && \
     if [ "$TARGETARCH" = "amd64" ]; then \
     npm_config_target_platform=linux npm_config_target_arch=x64 yarn install --no-lockfile; \
     elif [ "$TARGETARCH" = "arm64" ]; then \
@@ -29,31 +30,31 @@ RUN apk add --no-cache ca-certificates nodejs-current yarn && \
     yarn cache clean --all
 
 
-FROM python:3.11.5-alpine3.18 as certbot
+FROM python:3.12.0-alpine3.18 as certbot
+ENV PATH="/usr/local/certbot/bin:$PATH"
 RUN apk add --no-cache ca-certificates build-base libffi-dev && \
     python3 -m venv /usr/local/certbot && \
-    . /usr/local/certbot/bin/activate && \
     pip install --no-cache-dir certbot
 
 
-FROM --platform="$BUILDPLATFORM" alpine:3.18.3 as crowdsec
+FROM --platform="$BUILDPLATFORM" alpine:3.18.4 as crowdsec
+WORKDIR /src
 RUN apk add --no-cache ca-certificates git build-base && \
     git clone --recursive https://github.com/crowdsecurity/cs-nginx-bouncer /src && \
-    cd /src && \
     make && \
     tar xzf crowdsec-nginx-bouncer.tgz && \
     mv crowdsec-nginx-bouncer-* crowdsec-nginx-bouncer && \
-    cd /src/crowdsec-nginx-bouncer && \
-    sed -i "/lua_package_path/d" nginx/crowdsec_nginx.conf && \
-    sed -i "s|/etc/crowdsec/bouncers/crowdsec-nginx-bouncer.conf|/data/etc/crowdsec/crowdsec.conf|g" nginx/crowdsec_nginx.conf && \
-    sed -i "s|API_KEY=.*|API_KEY=|g" lua-mod/config_example.conf && \
-    sed -i "s|ENABLED=.*|ENABLED=false|g" lua-mod/config_example.conf && \
-    sed -i "s|API_URL=.*|API_URL=http://127.0.0.1:8080|g" lua-mod/config_example.conf && \
-    sed -i "s|BAN_TEMPLATE_PATH=.*|BAN_TEMPLATE_PATH=/data/etc/crowdsec/ban.html|g" lua-mod/config_example.conf && \
-    sed -i "s|CAPTCHA_TEMPLATE_PATH=.*|CAPTCHA_TEMPLATE_PATH=/data/etc/crowdsec/captcha.html|g" lua-mod/config_example.conf
+    sed -i "/lua_package_path/d" /src/crowdsec-nginx-bouncer/nginx/crowdsec_nginx.conf && \
+    sed -i "s|/etc/crowdsec/bouncers/crowdsec-nginx-bouncer.conf|/data/etc/crowdsec/crowdsec.conf|g" /src/crowdsec-nginx-bouncer/nginx/crowdsec_nginx.conf && \
+    sed -i "s|API_KEY=.*|API_KEY=|g" /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf && \
+    sed -i "s|ENABLED=.*|ENABLED=false|g" /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf && \
+    sed -i "s|API_URL=.*|API_URL=http://127.0.0.1:8080|g" /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf && \
+    sed -i "s|BAN_TEMPLATE_PATH=.*|BAN_TEMPLATE_PATH=/data/etc/crowdsec/ban.html|g" /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf && \
+    sed -i "s|CAPTCHA_TEMPLATE_PATH=.*|CAPTCHA_TEMPLATE_PATH=/data/etc/crowdsec/captcha.html|g" /src/crowdsec-nginx-bouncer/lua-mod/config_example.conf
 
 
-FROM zoeyvid/nginx-quic:197
+FROM zoeyvid/nginx-quic:205
+SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
 COPY rootfs /
 RUN apk add --no-cache ca-certificates tzdata tini \
     lua5.1-lzlib \
@@ -61,8 +62,8 @@ RUN apk add --no-cache ca-certificates tzdata tini \
     openssl apache2-utils \
     coreutils grep jq curl shadow sudo \
     luarocks5.1 wget lua5.1-dev build-base git yarn && \
-    wget https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/modsecurity.conf-recommended -O /usr/local/nginx/conf/conf.d/include/modsecurity.conf && \
-    wget https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/unicode.mapping -O /usr/local/nginx/conf/conf.d/include/unicode.mapping && \
+    wget -q https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/modsecurity.conf-recommended -O /usr/local/nginx/conf/conf.d/include/modsecurity.conf && \
+    wget -q https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/unicode.mapping -O /usr/local/nginx/conf/conf.d/include/unicode.mapping && \
     sed -i "s|SecRuleEngine .*|SecRuleEngine On|g" /usr/local/nginx/conf/conf.d/include/modsecurity.conf && \
     echo "Include /data/etc/modsecurity/modsecurity.conf" | tee -a /usr/local/nginx/conf/conf.d/include/modsecurity.conf && \
     cp /usr/local/nginx/conf/conf.d/include/modsecurity.conf /usr/local/nginx/conf/conf.d/include/modsecurity-crs.conf && \
diff --git a/README.md b/README.md
index b56fd3818..5a9ee9fe9 100644
--- a/README.md
+++ b/README.md
@@ -1,17 +1,5 @@
-<p align="center" class="items-center">
-	<img src="https://nginxproxymanager.com/github.png">
-    <!---
-	<br><br>
-	<img src="https://img.shields.io/badge/version-2.10.4-green.svg?style=for-the-badge">
-	<a href="https://hub.docker.com/r/zoeyvid/nginx-proxy-manager">
-		<img src="https://img.shields.io/docker/stars/zoeyvid/nginx-proxy-manager.svg?style=for-the-badge">
-	</a>
-	<a href="https://hub.docker.com/r/zoeyvid/nginx-proxy-manager">
-		<img src="https://img.shields.io/docker/pulls/zoeyvid/nginx-proxy-manager.svg?style=for-the-badge">
-	</a>
-    --->
-</p>
 
+# NPMplus
 
 This project comes as a pre-built docker image that enables you to easily forward to your websites
 running at home or otherwise, including free TLS, without having to know too much about Nginx or Letsencrypt.
@@ -20,7 +8,7 @@ running at home or otherwise, including free TLS, without having to know too muc
 - [Screenshots](https://nginxproxymanager.com/screenshots)
 
 
-**Note: To fix [this issue](https://github.com/SpiderLabs/ModSecurity/issues/2848), instead of running `nginx -s reload`, this fork stops nginx and starts it again. This can result in a 502 error when you update your hosts. See https://github.com/ZoeyVid/nginx-proxy-manager/issues/296 and https://github.com/ZoeyVid/nginx-proxy-manager/issues/283.** <br>
+**Note: To fix [this issue](https://github.com/SpiderLabs/ModSecurity/issues/2848), instead of running `nginx -s reload`, this fork stops nginx and starts it again. This can result in a 502 error when you update your hosts. See https://github.com/ZoeyVid/NPMplus/issues/296 and https://github.com/ZoeyVid/NPMplus/issues/283.** <br>
 **Note: NO armv7 support.** <br>
 **Note: add `net.ipv4.ip_unprivileged_port_start=0` at the end of `/etc/sysctl.conf` to support PUID/PGID in network mode host.** <br>
 **Note: If you don't use network mode host, which I don't recommend, don't forget to expose port 443 on tcp AND udp (http3/quic needs udp).** <br>
@@ -54,12 +42,12 @@ so that the barrier for entry here is low.
 # List of new features
 
 - Supports HTTP/3 (QUIC) protocol.
-- Supports CrowdSec IPS. Please see [here](https://github.com/ZoeyVid/nginx-proxy-manager#crowdsec) to enable it.
+- Supports CrowdSec IPS. Please see [here](https://github.com/ZoeyVid/NPMplus#crowdsec) to enable it.
 - Supports ModSecurity, with coreruleset as an option. You can configure ModSecurity/coreruleset by editing the files in the `/opt/npm/etc/modsecurity` folder.
   - If the core ruleset blocks valid requests, please check the `/data/etc/modsecurity/crs-setup.conf` file.
   - Try to whitelist the Content-Type you are sending (for example, `application/activity+json` for Mastodon and `application/dns-message` for DoH).
   - Try to whitelist the HTTP request method you are using (for example, `PUT` is blocked by default, which also affects NPM).
-  - Note: To fix [this issue](https://github.com/SpiderLabs/ModSecurity/issues/2848), instead of running `nginx -s reload`, this fork stops nginx and starts it again. This will result in a 502 error when you update your hosts. See https://github.com/ZoeyVid/nginx-proxy-manager/issues/296 and https://github.com/ZoeyVid/nginx-proxy-manager/issues/283.
+  - Note: To fix [this issue](https://github.com/SpiderLabs/ModSecurity/issues/2848), instead of running `nginx -s reload`, this fork stops nginx and starts it again. This will result in a 502 error when you update your hosts. See https://github.com/ZoeyVid/NPMplus/issues/296 and https://github.com/ZoeyVid/NPMplus/issues/283.
 - Darkmode button in the footer for comfortable viewing (CSS done by [@theraw](https://github.com/theraw))
 - Fixes proxy to https origin when the origin only accepts TLSv1.3
 - Only enables TLSv1.2 and TLSv1.3 protocols
@@ -67,13 +55,13 @@ so that the barrier for entry here is low.
 - Uses OCSP Stapling for enhanced security
   - If using custom certificates, upload the CA/Intermediate Certificate (file name: `chain.pem`) in the `/opt/npm/tls/custom/npm-[certificate-id]` folder (manual migration may be needed)
 - Resolved dnspod plugin issue 
-  - To migrate manually, delete all dnspod certs and recreate them OR change the credentials file as per the template given [here](https://github.com/ZoeyVid/nginx-proxy-manager/blob/develop/global/certbot-dns-plugins.js)
+  - To migrate manually, delete all dnspod certs and recreate them OR change the credentials file as per the template given [here](https://github.com/ZoeyVid/NPMplus/blob/develop/global/certbot-dns-plugins.js)
 - Smaller docker image with alpine-based distribution
 - Admin backend interface runs with https
 - Default page also runs with https
 - Uses [fancyindex](https://gitHub.com/Naereen/Nginx-Fancyindex-Theme) if used as webserver
 - Exposes INTERNAL backend api only to localhost
-- Easy application of security headers using [ngx_security_headers](https://github.com/GetPageSpeed/ngx_security_headers)
+- Basic security headers are added if you enable HSTS (HSTS has always subdomains and preload enabled)
 - Access Log disabled
 - Error Log written to console
 - `Server` response header hidden
@@ -85,7 +73,7 @@ so that the barrier for entry here is low.
 - Allows infinite upload size
 - Automatic database vacuum (only sqlite)
 - Automatic cleaning of old certbot certs (set FULLCLEAN to true)
-- Password reset (only sqlite) using `docker exec -it nginx-proxy-manager password-reset.js USER_EMAIL PASSWORD`
+- Password reset (only sqlite) using `docker exec -it npmplus password-reset.js USER_EMAIL PASSWORD`
 - Supports TLS for MariaDB/MySQL; set `DB_MYSQL_TLS` env to true. Self-signed certificates can be uploaded to `/data/etc/npm/ca.crt` and `DB_MYSQL_CA` set to `/data/etc/npm/ca.crt` (not tested)
 - Supports PUID/PGID in network mode host; add `net.ipv4.ip_unprivileged_port_start=0` at the end of `/etc/sysctl.conf`
 - Option to set IP bindings for multiple instances in network mode host
@@ -101,7 +89,7 @@ so that the barrier for entry here is low.
 - **NOTE: migrating back to the original is not possible**, so make first a **backup** before migration, so you can use the backup to switch back
 - if you use custom certificates, you need to upload the CA/Intermediate Certificate (file name: `chain.pem`) in the `/opt/npm/tls/custom/npm-[certificate-id]` folder
 - some buttons have changed, check if they are still correct
-- please delete all dnspod certs and recreate them OR you manually change the credentialsfile (see [here](https://github.com/ZoeyVid/nginx-proxy-manager/blob/develop/global/certbot-dns-plugins.js) for the template)
+- please delete all dnspod certs and recreate them OR you manually change the credentialsfile (see [here](https://github.com/ZoeyVid/npmplus/blob/develop/global/certbot-dns-plugins.js) for the template)
 - since this fork has dependency on `network_mode: host`, please don't forget to open port 80 and 443 (and maybe 81) in your firewall
 
 # Crowdsec
@@ -168,9 +156,9 @@ location / {
 ```yml
 version: "3"
 services:
-  nginx-proxy-manager:
-    container_name: nginx-proxy-manager
-    image: zoeyvid/nginx-proxy-manager
+  npmplus:
+    container_name: npmplus
+    image: zoeyvid/npmplus
     restart: always
     network_mode: host
     volumes:
@@ -234,8 +222,8 @@ If you want to sponsor them, please see [here](https://github.com/NginxProxyMana
 
 ## Getting Support
 
-1. [Found a bug?](https://github.com/ZoeyVid/nginx-proxy-manager/issues)
-2. [Discussions](https://github.com/ZoeyVid/nginx-proxy-manager/discussions)
+1. [Found a bug?](https://github.com/ZoeyVid/NPMplus/issues)
+2. [Discussions](https://github.com/ZoeyVid/NPMplus/discussions)
 <!---
 3. [Development Gitter](https://gitter.im/nginx-proxy-manager/community)
 4. [Reddit](https://reddit.com/r/nginxproxymanager)
diff --git a/backend/db.js b/backend/db.js
index 5d5886b08..228e61f81 100644
--- a/backend/db.js
+++ b/backend/db.js
@@ -1,7 +1,7 @@
 const config = require('./lib/config');
 
 if (!config.has('database')) {
-	throw new Error('Database config does not exist! Please read the instructions: https://nginxproxymanager.com/setup');
+	throw new Error('Database config does not exist! Please read the instructions: https://github.com/ZoeyVid/NPMplus');
 }
 
 function generateDbConfig() {
diff --git a/backend/doc/api.swagger.json b/backend/doc/api.swagger.json
index 130455982..4d97d5e06 100644
--- a/backend/doc/api.swagger.json
+++ b/backend/doc/api.swagger.json
@@ -1,7 +1,7 @@
 {
 	"openapi": "3.0.0",
 	"info": {
-		"title": "Nginx Proxy Manager API",
+		"title": "NPMplus API",
 		"version": "2.x.x"
 	},
 	"servers": [
diff --git a/backend/internal/certificate.js b/backend/internal/certificate.js
index 154ce7c9d..58a03512d 100644
--- a/backend/internal/certificate.js
+++ b/backend/internal/certificate.js
@@ -788,14 +788,19 @@ const internalCertificate = {
 	requestLetsEncryptSsl: (certificate) => {
 		logger.info('Requesting Certbot certificates for Cert #' + certificate.id + ': ' + certificate.domain_names.join(', '));
 
-		const cmd = certbotCommand + ' certonly ' +
+		let cmd = certbotCommand + ' certonly ' +
 			'--config "' + certbotConfig + '" ' +
 			'--cert-name "npm-' + certificate.id + '" ' +
 			'--authenticator webroot ' +
-			'--email "' + certificate.meta.letsencrypt_email + '" ' +
 			'--preferred-challenges "dns,http" ' +
 			'--domains "' + certificate.domain_names.join(',') + '"';
 
+		if (certificate.meta.letsencrypt_email === '') {
+			cmd = cmd + ' --register-unsafely-without-email ';
+		} else {
+			cmd = cmd + ' --email "' + certificate.meta.letsencrypt_email + '" ';
+		}
+		
 		logger.info('Command:', cmd);
 
 		return utils.exec(cmd)
@@ -833,7 +838,6 @@ const internalCertificate = {
 		let mainCmd = certbotCommand + ' certonly ' +
 			'--config "' + certbotConfig + '" ' +
 			'--cert-name "npm-' + certificate.id + '" ' +
-			'--email "' + certificate.meta.letsencrypt_email + '" ' +
 			'--domains "' + certificate.domain_names.join(',') + '" ' +
 			'--authenticator ' + dns_plugin.full_plugin_name + ' ' +
 			(
@@ -852,6 +856,16 @@ const internalCertificate = {
 			mainCmd = 'AWS_CONFIG_FILE=\'' + credentialsLocation + '\' ' + mainCmd;
 		}
 
+		if (certificate.meta.dns_provider === 'duckdns') {
+			mainCmd = mainCmd + ' --dns-duckdns-no-txt-restore';
+		}
+
+		if (certificate.meta.letsencrypt_email === '') {
+			mainCmd = mainCmd + ' --register-unsafely-without-email ';
+		} else {
+			mainCmd = mainCmd + ' --email "' + certificate.meta.letsencrypt_email + '" ';
+		}
+
 		logger.info('Command:', `${credentialsCmd} && ${prepareCmd} && ${mainCmd}`);
 
 		return utils.exec(credentialsCmd)
@@ -1103,7 +1117,7 @@ const internalCertificate = {
 					'Content-Type':   'application/x-www-form-urlencoded',
 					'Content-Length': Buffer.byteLength(formBody),
 					'Connection':     'keep-alive',
-					'User-Agent':     'Nginx Proxy Manager',
+					'User-Agent':     'NPMplus',
 					'Accept':         '*/*'
 				}
 			};
diff --git a/backend/package.json b/backend/package.json
index ec4e3490d..d029cb99e 100644
--- a/backend/package.json
+++ b/backend/package.json
@@ -1,8 +1,8 @@
 {
-  "name": "nginx-proxy-manager",
+  "name": "npmplus",
   "version": "0.0.0",
   "description": "A beautiful interface for creating Nginx endpoints",
-  "main": "js/index.js",
+  "main": "index.js",
   "dependencies": {
     "@apidevtools/json-schema-ref-parser": "11.1.0",
     "ajv": "6.12.6",
@@ -15,21 +15,21 @@
     "express-fileupload": "1.4.1",
     "gravatar": "1.8.2",
     "jsonwebtoken": "9.0.2",
-    "knex": "2.5.1",
+    "knex": "3.0.1",
     "liquidjs": "10.9.2",
     "lodash": "4.17.21",
     "moment": "2.29.4",
     "mysql": "2.18.1",
     "node-rsa": "1.1.1",
-    "objection": "3.1.1",
+    "objection": "3.1.2",
     "path": "0.12.7",
     "signale": "1.4.0",
     "sqlite3": "5.1.6"
   },
-  "author": "Jamie Curnow <jc@jc21.com>",
+  "author": "Jamie Curnow <jc@jc21.com> and ZoeyVid <zoeyvid@zvcdn.de>",
   "license": "MIT",
   "devDependencies": {
-    "eslint": "8.50.0",
+    "eslint": "8.51.0",
     "eslint-plugin-align-assignments": "1.1.2"
   }
 }
diff --git a/backend/password-reset.js b/backend/password-reset.js
index 2c7cb8930..b0451705a 100755
--- a/backend/password-reset.js
+++ b/backend/password-reset.js
@@ -9,7 +9,7 @@ const sqlite3 = require('sqlite3');
 function usage() {
 	console.log(`usage: node ${process.argv[1]} USER_EMAIL PASSWORD
 
-Reset password of a Nginx Proxy Manager user.
+Reset password of a NPMplus user.
 
 Arguments:
   USER_EMAIL      Email address of the user to reset the password.
@@ -56,4 +56,4 @@ if (fs.existsSync(process.env.DB_SQLITE_FILE)) {
 			}
 		);
 	});
-}
\ No newline at end of file
+}
diff --git a/backend/schema/index.json b/backend/schema/index.json
index 6e7d1c8af..28bea1b28 100644
--- a/backend/schema/index.json
+++ b/backend/schema/index.json
@@ -1,8 +1,8 @@
 {
   "$schema": "http://json-schema.org/draft-07/schema#",
   "$id": "root",
-  "title": "Nginx Proxy Manager REST API",
-  "description": "This is the Nginx Proxy Manager REST API",
+  "title": "NPMplus REST API",
+  "description": "This is the NPMplus REST API",
   "version": "2.0.0",
   "links": [
     {
diff --git a/backend/templates/_hsts.conf b/backend/templates/_hsts.conf
index 4f6fc9354..18b4f450b 100644
--- a/backend/templates/_hsts.conf
+++ b/backend/templates/_hsts.conf
@@ -1,7 +1,17 @@
 {% if certificate and certificate_id > 0 -%}
 {% if ssl_forced == 1 or ssl_forced == true %}
 {% if hsts_enabled == 1 or hsts_enabled == true %}
-  security_headers on;
+  add_header X-XSS-Protection "0" always;
+  add_header X-Frame-Options "SAMEORIGIN" always;
+  add_header X-Content-Type-Options "nosniff" always;
+  add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+  add_header Content-Security-Policy "default-src https: 'unsafe-inline' 'unsafe-eval'; upgrade-insecure-requests" always;
+
+  add_header Expect-CT "enforce; max-age=86400" always;
+  add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+
+  add_header Cross-Origin-Embedder-Policy-Report-Only "require-corp; report-to='default'" always;
+  add_header Cross-Origin-Opener-Policy-Report-Only "same-origin-allow-popups; report-to='default'" always;
 {% endif %}
 {% endif %}
 {% endif %}
diff --git a/compose.override.yaml b/compose.override.yaml
index 02b3a8248..fb75c26dd 100644
--- a/compose.override.yaml
+++ b/compose.override.yaml
@@ -1,8 +1,8 @@
 version: "3"
 services:
-  caddy:
-    container_name: nginx-proxy-manager-caddy
-    image: zoeyvid/nginx-proxy-manager:caddy
+  npmplus-caddy:
+    container_name: npmplus-caddy
+    image: zoeyvid/npmplus:caddy
     restart: always
     network_mode: bridge
     ports:
@@ -10,6 +10,6 @@ services:
     environment:
       - "TZ=Europe/Berlin"
 
-  nginx-proxy-manager:
+  npmplus:
     environment:
       - "DISABLE_HTTP=true" # disables nginx to listen on port 80, default false
diff --git a/compose.yaml b/compose.yaml
index 2f3e0ead0..dcd701832 100644
--- a/compose.yaml
+++ b/compose.yaml
@@ -1,8 +1,8 @@
 version: "3"
 services:
-  nginx-proxy-manager:
-    container_name: nginx-proxy-manager
-    image: zoeyvid/nginx-proxy-manager
+  npmplus:
+    container_name: npmplus
+    image: zoeyvid/npmplus
     restart: always
     network_mode: host
     volumes:
diff --git a/frontend/app-images/logo-text-vertical-grey.png b/frontend/app-images/logo-text-vertical-grey.png
index 7182983cbd650816bdf8b1d09e270cdadf7bed8f..76c03176fd9853dbeb48711d615430a3f7496b26 100644
GIT binary patch
literal 14708
zcmV-)Ig7@LP)<h;3K|Lk000e1NJLTq004df005Q<1^@s67&JU*00001b5ch_0Itp)
z=>Px#1ZP1_K>z@;j|==^1poj532;bRa{vGi!vFvd!vV){sAK>DISENbK~#8N?Og|8
z9L2ew+1=}>E*H5QTrtMRGKnGd1OkLm0x^zbf~g6iKSChbRGaeXI6wfCgoI|odk;ba
zBtQZLuxXZU+<Wh~x^!)K=Y8K^kxtS{vVC$xpZ#lhXZL1j=9~HFpRzOJn+WyxsNbx)
zdDy4#A2smIgwr<;GI9JyAo}9SAK);>Rj3`g_JfF6@nKZ>3$?$(ZSpbyT)Mz{=o^A>
z1o0qzC=OE~=kXfEi?ts{Vk<s~x<EXgh({oIBLh^$FAr{{Vtp_Iga;uH;B*nhA-xe?
ziDMG~1zA4x`-6WOzdX2c&=L>AufSm$<R-_Vedq#t66AjcIW6vVaN?jNK00H>$&u%e
z{0yhhKuR3P#!wKCm}Y8Xcr>E!mn~OzrEq@dgHr~+_V4cv9Gq}FsBqBK@oMgnL#$1%
zDfSM1yc4UYF(cuIcu#u8B-gofzl=Ky@&0iGhI_sGR9zQmDLliU*^rQF3Ad(+-a)VE
z;&uPGt<==q8MAAh9~}fZ;E7j@2OIVlW0JMeHA&TLF6jep8ffOfq()O>we*R}uJh-<
z>|D2i4^A9-w%4oO6Ef{#3OS&g-(&X<c!l54HD&_%x(SJOXWoq2(-S{Apm9JGZ+|@O
zr`A^eZhNP3h;S<*Ar9S*p~N#F{aTP7O}L2at43V})9!M&Az$)7H2Zf6X9r)NG4!53
z0q?Da9+xt0B_p<-o=8%BE_8KU-iu}LC0q_j9FWAT1%r=Pb=uU}eBa3erBnJ_AUpx-
z5+}MYnEMgWt1lmQlnjV_aC!=_6ZqKY)qZ2#|JA3ws2w}Hm)otaXDM$HOfg*vdyRXB
zs?jDF&YQV1e&fKx0cG5&IYW9vo<pc-3R9jeG?4DgOgh}Rz>ss|SatEJ?lLI8z-eRB
ziR0=+_9yi>m-gp{vPIweOr)n{9AruP=%ep~G;JF0_c$Pk2iX$x8=SIvcBw-&OCCd?
zPWoEN3y{kpql7N{yUv;W0dK&l^JUZu@XNAPkmoiYYC#Q#6UU}7Ah$!7f&8C3E(Zwq
zd*VU(SR9r>?uGd2)&$!iPe4wD9O9lZ_h*pjAamT~=Qa?g3lo1SnGj1HTf%ja6Ckfb
zLUd??evlVI{`-(`$DQ_X?6<^&@X?Te;*^O!$Z<@^Ovr_XF8hPzYaky%*b-|QF{gA=
zT80$v#92!yhc*8n$T(prRtdj?tZ?q6<GYa0K>pK^ZgHpm6Z;+U+ZK=RqP{qUmNwhk
zr#g;}p~S~1y=Q92Ec%XT;+z+?@pI}EchV4jVdTK*iz6>L-yS)@anQt8{Fc=~b7<l<
z5WgmIRhKw6MoLrUy->Cl7X8BopL{kD{#^nmRzFSgbD^|lRo@xNZs7eA`xWtPmLGF{
zUZifR(2ZXtoEm_(IR1{8qm~>mhb(<7?wAe`eJbQJkUkGhxMf;UJR4gfPvX7Y-<8$p
zJYM!QoPH1T72QDgeCU8PavmugoAW?fwc}=pfOAX-2YH&I@avg>#9;{J7D$9{^i)by
zXzub{D^mRM<^ezddPA?tXUFgDKiDstbIVqp@Pn>(mG|U@Yeoo7M}2H4G}CB`#WSW7
zkHI?swH&sjSv|b)-T{YpFZTYVu+TF>MeV^Rnp&C{#@bF4(=}3<o8%5@h=+2YF8lAq
zPaM?z*QnD#_&*Yt4yrCF{W(%(GERFzSZ%N?NU)DUc+?kavulRE&iHfT{F(4Q9Z>Ck
z@%Up>3!NjR60zC=cC>o1rffrKMh%|O-o~HXdaix2%=y7S#y%x};o4J%6x5YZEeTbf
zCv2p%(X5)?faJeamM(cWah<~Q2L}yD=&wifYocu{Ef_FFmtqf^*iuE;2xYF9QpJQs
zsgK7}iN*MPd(LBJ|HI!mM%DSHr=g_Zh0|}vT^x{d#WuT&Nlk4vgsNhuRF&}WS=@W9
z@T*yyohKV%XX&xOjFgu?X@$EAY19d+LlLM3#j2U+6Q<8MrT2<^X_W3W>=WWEc8(92
znsHn1rUf^<s}X+>jCF}bb<#Qos`K&k$R%+VoWQdC2Ni1|3HrbpK4k=K{49dDx7VYq
z?wi4MIT~m|I5zXr!MiZyZiZ@~TXlBnU^MdXgWI|BTTP(h$F{Vs708hFQWNYmAct{3
zX<Kl}cM38<no+sF<lf;>_5X*^#qEnm&|;>D`F+*pgATcC<lC2V4!}OaUMId{$4@Rn
zC3u(8j9&R0=L;FCL`nA~?xyfC2&d(oh7}JDx)g*nu?yoajR2BtR0Q2N1%(Uj*d#3z
zT;Q%kys0YW={V2a`GV3eqMEQ)B_3%xwP@U31M<_f(#F0wvFZ5+B(1|JLA(I*yqqs>
zd-8~XT=AxJb1!1A5f8%I4xS1*mOUmmiY-dKFzPFs5`POwPpgkB-x{2|@eB1wcToH&
z;nWP!@Tgj)=(;%|j2MU~X_*iw9)jq%*5^h);Fq-;53w_^6;oJq)!v^!Yd$-f(tr%`
z3J&b$bI^o%0pfY!^sh<C01J7sH_+i$JqYg&c^;=9LXLGDGvoTEq^lJ}zJrXy1j$JH
zZh}p;R&vKKLTR^b8T_;N*Y~`uAmQQw#@tVEcqx9B5w!Xj%scJb2Ov%lVn?Gxi3j1g
z;;<BQk>k)hCWG|H6Xy=poFVK6{RBcQJ9{L>!Oom)Ydm(~%tI+pYyN@!2{@q6Zxfs?
zv<&258o%r~bO`ZQ)kR|~cl?Beb0o~?IHo}Upz2{^$r#S5>ZEuGr1RMnK>F2q^hGqI
zgl*VnEShFNr2$&rQT3+F#xXl=vN5UaQuqV9@EJP%lr82wx>3A_DROiJHHW7++5vMw
zKC8AAK>m5Cj6T&6Ul*Di!iA)7IiMx*?>UhF>B=*wvm3fYkagnAR-Q7gJW~6rOLq-2
zP>;vwLo~ofgWOgw<(4~byMU25{!flvk~S|+l?}NP_3Lj%5JZ-1%2(}?c?E`wL@i}n
zNWLZs7WLSu(}l{b@Ysflq}7~0fJ|Wj{jZSdER|0>E{%}<WiVG4nkLn<rM32&@><(t
z=*n-zdwi3gvo+z>ZBgKfsjYPZyR5d#4rvuCPX;}@&_CSJ_gBX!9(CX~L#HT1ZmBd1
zP&iCmLzpEqKqJs^A2M8yA&=P<wmx|2J5OC1zmr{LTh)ohYfhLMw(O&GJOR7FlaJEk
z(PA*SO{XpEQiiBiF0ox0vPQE!zIDFfCw=3;j6=;Ce1Y(*86ql$waH~$8(q?nn$!YH
zRa8aQ&dR6=M=cFR2pfc3AUROu7Wow(<*j#VrpscfPpSvTuW=logWQd_{QCGM+VJB_
zN8><kb1F&q`8A;%Qf*!zQR`NOWkop}@z7a?K9Aii7!+N6J{h%ai7Y5`@UEJep_Wz#
z)T(N~42zJ=bqUo+_EdfK63rvrDrDCk)_vVW9At7Z|F8!St99irbcI7g3+T391kLBy
zrEMzdMouE><uPTis<Y&#h{do!dEJ*+UmgE-_K<br7p^&(7V241D<*WQseEs)%5~?V
zl-g)kZ-;`f#5>VAM#%>b_ZH1eS+cQJM~*QnYG&DW9${^8DOICM=>;1`e5lkw=`c;3
z<g1GMs5HQOL4{8QYh2X!lBzxfI9uj65dL}mvN@0e#)0s=BO!a>+7%(OWn)x9)k{Az
z0!v{C);Nx;o8Pbc<pz<VrC3$%5lboqvO22E95?6a2@yets8?Z;FLTrYy|*k;{%xCr
zUHc7Nd~<44uWb0^S0hHhRjj_GR9c>)+=YmPCdIm1Q>_WvGGZ$k#5>^S)XP4*>bAsB
zvxam%lSO!R<Ybi8ZS|Gf*7~i&E7w7GYBtKcExdf>w#KA~s*cOGdIjE#)#eCu4vI}!
zN(oi(G^zL>5{=jhu$0|Oyjt&Ezv{L&D08aZTFkIBk-i*q0SG^}HPVT^8M9~L9Yg2O
zuDyNZnn)xN)Fn$l)w!bypys^>^mJXFwrJ-zIcuw5e7U_4+DytquZc{qgoOtUWN)Z?
z5kdsMip&=CjoPl3r%T${!l?PzaTs}~^dL3{Dz1u{W^Ihvb1P!j!g@<Xp_jQJotYi4
z?htes@vPfXUWHpn>9r$J$T5&kJI{&EN|4SreF`#Wy@ekHZQEr@)SE5MpJUx_feF)M
z*3mUhNg45=flV*d!O}GeG8lya#c^o|a$fq%I&saiDS;fF!@z$c;Ysk6uL-ye5k+a-
z8CF^ls@{XJGIKNr<L;Gi;gN=@k*s?3lTga<NZd|hY|>L58Gvz$#B9M*4&s|eJ?rQ&
z;v2vWz`oP8{?oMPU3lj)S0Mq8WeT!NXfsss#sn+uouiI#0`?h@@OvS<m3}90SibIr
zHOnUAl$N<O7cU8VXh0=<8J$+Z=cuUNFgT=g=Jnh;d-${?;&+88oqz2{9GsR6GZ>Vk
z<L}<WULd|1-bZOqB_>EO#(}Dj*e#+G_z&a+kbN;EWxVYPK>mLq>~!L|`#Q&Q&+xyA
zqXUr7k-*CM)!xOvApY9KF^Q)W$K3@<CfOvN<YyfqpX2WQqJ||jqXpRx3_z)G`fXma
z3fQY$bm+_2<-u9$5d+4W3%XI0|3Yc!@Tdcn_QP>F&nf2=wrM@Il6bdG@E06e8v??q
z-a8Z^KMY|B<;05_j$^B!+K$1-5fCo|n^I;Eg8bC@Gc5VvBF2@jdQ(~<Q`wH*Pu%Q4
zbSUv5!!2xGQ(dYmgsZZiRruYBTS+|Plph~rT7;l%j48R%l)}%7zEyCl)R5dK%Wlni
zysX8kR~>~D)+}Fs-0D^Af9I%M>Qk%+&>Bb66|H&=O}cF%Wmkl@tDrlGI@~~gt~hF!
z8hIQ&?;53tV$-S*$r0ZEIl6@97^_dr^y<J2kagl&%A>j=!iHPrh3o9Wl^az_?M|U@
ztzP3T_%x-8LlwskhP`)+C`OTpDkc9Dwza?4Nl|X=PDY5U)TS9=Hso~IkLQl{UNN_&
zxo&$6XKwiS`{!-?D<^JT14+%uA>lAkRoE)FLu!bq3>(^_ZF9tmohxihS$5D96q=^p
zG-vRmDO%Sa)9tCPL-R#`zg(^7utMQ4^4cWdjI`Kd$qKSgd<?nTYsEzW$}Q^9icQiV
z4a2ncz!cX1ka)y_w5?yGEhOZ;h^@U@FXY^)2EwHXBBpGvr-y9|<ZAbXxuYRz)1~$`
z&e`}j4bwqVm{005Vnyv-RUPZA>Z}qpVU_f`*a~pT4b>a81zYCxsB}x_3$KgQ#vT0N
z#R*%DI`ciN2313@TXs9FP<9<sAY48}n4#8YgzrAGPQ2HQiXl7Ki-J(KCJZ+kr5yZr
z>Nif4cA&l(=yh+e9It&;E93{r7$(|0T@VyDVAIPu!$+4BL3p!%_1#7F#M0X<&-%`n
zJC8V~J)?$g0_2yUz46_v>#gor)tG&xrM#LhLny3h!z1dN)C5(%rEIxk(-N_)cD2}2
z+O=sn>`N@&X2=q;uqgxGe4_iXB9YrSC+i#$S@+aqA%{Bi=h7xuERshqX;95>{cIUF
zy>e$vs6428Pcy<BgLk&ZPxlN}<4Vtl%vZ|3%dQQNMy>RG`RJoRfE=B8WRDQGik701
z2GN`ony#Zcca(L!PxHuHJQMb7$Nu$~|I<5hoA^5<{)HwoOSCRNuhiGYcVG~2vwICW
z+zEXHnofs4U+8$o+pgC$De~f{y9bbc1mtfx<y0uNBw&CUdUD1thdyV5{AVG}7gE>-
zXfj&RB;L(|^l`zsF=D9COglBX<gDNSgmwZKbZ{W?987#+MXWYF+&y$iZfXI}*Q$h?
zGlXNCoZH^v0NMEvPH3D5X}YvoqHLwW@9p>z<c;ymy@Ky2j!FDGaqMvH4dU4<Z#+P9
z6eK@>+HnBktV20SbA#j1KIB3k0{QbHXT_a56vw`K=_`$A{k1xflucxv_!y1Q^v{f!
zqJH0zI48z9e?2H{?C)+>k+Ir<hkE;)>Q&=QPp>+^lwZpH7Q*h}bntx!{uroqGrybF
z!Cx!BHR}H=zCH4=gj<`4kEgW)R)dx$G%E@dh>;gL2*XI{UL4d+4%m_7^|(ZCpveTL
zEFtT}7os+{gI-uVF(pjcWm0mfu?D!+Na44I+K!a3(`-osnt_DF&e3b&nOmuFuU4~1
z64k#LH4zE<HeywpaB2X3ptoE^A*?CEv3@-h^-^g37{UmjYu5K&xS{vt5s4eE!dA%)
z-y{Q&a6k*!^FtvO_7&Q7<xyq8#xcD5k<Lv3_56AezTV?DL~(vlR8-Z9*^5?ZHhcE~
z*(W}rM6`FYi1o-<iUwSLl<GDG6_$sZOS~es7?~pmE0D9ZkY>D<N-(_+r!i%P`wFXe
zxUlQcOl}9%cG=(YEk1W5;b#Jz(BXnTzg4%bCCE%wy5S6+r9Fo-tHCOFR|+dyV28FH
zFT&-cz+0?cU%uL?)i^UJ-skMh4Z(l-84U|9Qm?GsB0D;Gl!_GhmD?BY5Zjkjz<M{+
zG)hrka5aZ$KmU4_dVkg;v2fLfhB#yq*;n;ZB_slF76-Lx-$G&b$W0q5GZ%S#*jo%C
zJvPi+#7Q|}AOXC9sT)-)R&3kVBb8k{7*2-fWQ6v>C6Zs=(7%MA-~)uK8qKzsyOp)p
zr3niej#UkUiu;K)khat!Q2)A$l#jCOw;eCd`W`6xwYX)q^i6yVh`*90-&PzrM#CKm
zqTF5;=`&P>`yVb%Uyi0*5ox%ktle5Kwk|5~6aQ@-UoTs~{@qU(pro(iJQh)u+cC4P
zvrc?G?qD+%h3`_BCAsDC8)%z8J+ct#(oF_f1;C*pFUJYcBG3puEvssjR922A`LUrh
z6_>Yn8F4>dO4{2Dg;Fk6t)@9kr?8H1csGGW4oln2vFf*-WJjxpYMK_6n!9m6YA^V#
zGd!i)(K=}ca#U#GXb~&uE@dQ)yp_m9Y}WZv0HjFMCZB)3a#MXc>Zp1b=M}b86J`O~
zCq4<*Yn)gSF&n-tb*lor(cdJ|8^I>w_@#wPmI<_5gg1p0bs${Bk?KAZv>1pF3Og2*
znx_)Kg1UBUg53pFylqL#>(i8BAYV~y;r&dPBzURGv=&Zo&{xhnzM}|FqT`5fK;w@d
z+b~g)DD3re2IsOudK@g_jA?6WsW_X@bn5s$BfJqnvV;{c*_+vz@N{@z{LZtDZ|;>v
z6!!-4jgfgNl5Z}We$m5R-{IIB#5XQy9W&H)V8fj7=@pI1-YbQ1Z@k2rOPxUGo*345
zT%FSIMyOB-vQfv;3$`5E>?lGqK+P+wMyYt;L&ALzKtG`3rHQJeb^n^S7!Kf%CYi_-
zPN>Myx;t)!E!cy{bwL`y=Rl0cj-MJ`nXAzV&|*sZ1MvjgoeYrh)9EOx)0C)#(a>UN
z4GG~p@J`EAntzbg{cdH4(7K3!)3@tLgjt3VP2HvJ++thU@o%A9g0%U;b_1f3NNy||
zgEzbL^7bS9#3u<aLdx&3h5RtoHGTs|{bloL=y6g-{5d?P<=}u;OLVEUBeQ+dT(wO%
zm(N!A_AR#bc!c!A9&B$SB>WWYox_#A0SUj<gC-){l`Q%3`qMdaqOM>^**nno?5C7*
zfzW(M8@}E_&C@NP&)IeuhUPA2JQ=BXI&AEsUMf0djIatyq>P0bD#y?GL->ytj~+#P
z-_SVCI)#1%4k`8r{i43EUYI5{Mh9hptP`*2qiCV&Ek6k<?Oi0o*O7)2A4i;c4Yspe
zD034C|6CKX#T?63Qp@uS6$)$SiY3xqx=`4))k-ElR%{cR$e{(Vw(H7T2G2L~8zh+M
zXv>3crXU4OYET8pgEFXu=XA)q2zXDaVkmsJE!|!6G+&=?(v_bB^=}E68EIFCIS3YZ
zpg_b987X3YhYRKMqU|0c&3tb%t@+`dl1iy?fmhUZ3#1WWSX9_|z@UMmPyfD3*L6`}
z-!W4Pvrc@~S9QYuPDseIh;;1LE_!_FhX#D;<an15v1OWyd?}?}Cp4;h$>-Vj_jrZ$
z`K4W1F05sXq`5pbF}HPSYMs5-CG1shDWXVhmVCyrq0q(&P}NfChnT`UK?&oC_%$^y
ze!?+uI~0SNp-X>{0^uns7Fz>7+BFd**7tB>_CG>Ey$czxWl2wPo`QywuJIeWy6yoH
zDyBAbMi5g7)rSUH$ZXwvbe97L4-_Rmd!~7iEo7bex}_nZ)gq<4K-HtbLAj;A9*Mp<
zaySn0Plv&;Rf&XvHkT|<jWudQy@Gs{MAQSdjk^LeBk!fMKd3tWN5ZWZJF300pJ_m*
z)Oz9tK`HF*xTXefloSZIGA*H^vA1-;cf{~zx1>hRT7#X_C2r6;oi#)YoZ(d#GL_}g
zB~?8#!u-S?@z^=fcZX{4N0Wf6-sLhx_wFUMR<e$)6K~`|)u&IT>I1_2LpUe>Ye;Ir
z0I2$S+GHY#82}|lx|%J6mJx-sXTDxIcP0luxaeR8J&CkbFs2nhm2WW#_*wILd7s>T
zX5oKsWSH9pr-UcMoDsMMHIH2HM4A@;9G)b=Q9vg^tlL@gBjIqy?7Jt(I`J)l^T@e6
z2Dks(Ybg9`7T3}l2uYjW+Xk3XZYliq*Fz!gS-NCTG3)v_CN|ETjn~=hQ0xujS#vj@
zWwO@*@;5=ap3HHOj~&Mbup~7un$BlZAUtjHr4B~Zg&UpaSN8_8PP``o)y%rRH3da&
zXox@K?UQicu(Wtn#HmrpHhZ)QAjtm&LfhgJc(?(zEZ%Rr;*&z13~@XNzXXDNdxSQP
z5#}^qiTiMT1`7XQaaX5)N5eLKRWPc1jo+Gg0J2W}mKBx=g>B&qYQkVu+BgHmiJUKk
z;vD0=xfcbel--N!mLDUw{OucOXlt<5E1mt|_81@^rP>}Oly90@>t7=5=%pZ=q&L+D
zy9-#1EravCT$=t`K=%y2Z041>UibRMU)=EeMe)Uy<KPNkj%Fm)TzJWX9T17OZ@Y|L
zMb>lEzpfelSC?O&)w{$HeY(4p=9bbzMu4$fuKC3j*ZFfFOFWu}n(IfgL~^l&;}XLb
zO4UIsQ7pq^Gu-aZ`^)S-{j#=0Fn!FEY?sh@<%R}a{hFpN(^isjU20$C8vfgV{P9Gt
zzuzKI;$Oqze3WoRTB#^3{z$}PbAQTh|N1$1!N@AIUgG^Zh%buyvQ<&><@}J?yg6p-
zntaTiF9$Xzz52>g<7;jhbtedSdT02FGvs&>JW)i%2DJ?dumyRadq=rN2}1h2s&S>C
zL-xwl?DhhrUyK7k7U7zH$tBO70tM1HyQS+Fm(Kd-w;PjwMz5dTc6RRzf1bE>5by=A
zLn*&M8neQ+wNVuc#T-96O4VoG)0w{+;w*l|;D#eg#7wo})W?^lz8I;#Y}6nbfQ7Fm
zmI4uC6@;rwr&fQgI=}P*+`B20NoaVqmqQii<l;Bya1Hx?f>(}x>bM;dd#YELX-k?l
zh9<SAE}eDdRf$V+X5R^C`*kl{H^XhtGLzanp=fB*-!{CIYSK;l?lbJI8p4vFz|=|a
zU2)(ne#E-n>y{$NuZe%&G{|{R?CQ~{${ev6*)2&r!JfSrYi=CHrO4vYP{vzp2S_m<
z{xAKy=b$?m^cmd#Mt&AB|BUIq7oYhYTLAp>HzVnUM>A5fIJf`A$NakI4QPSkRR1*G
za6H}T@s<6c$2fj=?LbGdZ$x^Bp~HwL$Sp*ATygVR>EZ}DwERxhs3{|zv9-3qMCED{
zOBVJU+~GSweSOAs9m0B?YMtxjv<bvL6%Vv^PHxES4L}_ZBiP_aCP{QW>p+JR-vU}|
zmc<8eb{*Ut=tYqKZ%9@?eryU5J|2f;CsgD41-pXQ;+L9`y0@^miEr)W$35M(i5g=j
z$e#|$*sR(Wfbe4=Y-`j0IMi|6eKZ}VY>ejX?{_fv2JtGASd<+)Y=Ps_5@cG>T0>8N
z6VP^G#o_g8jvj46eO?Ax3i5A`U+y~QpY>c15Kfzet8<;~I3~b(n1*E|Qk**vhYX52
z(Tq#Q1IAqH!_me-6(CGI#+5#jXsJfXIy#JarbiU5*gDM;-@j+MlK`&Azv5~ZTs*k(
zzA$U?@I^Tfm$6wChithwkEHwky70I(wPjn>4%<q3@ghbdJ+-ue64w25`UMs*?KkH9
zgkzhSec0o2-YL&al5TA|!VurlG652<gJ~ZK4|!cmcJbMgiz<h$W@9q^Sy1<gs2xk}
zOeMq{YyNaiOvM-$=aVuLj?D3H$gVx=t&OjyS~SuSN;43n4yM0JkoO$3(3~@cIxB?C
zo@48(SJZ8GHC>M(9(Q{mZ`gmm=DJZAI=yyMOabYs1gg5A^ai-Gv?gcnaD71G_DJCc
z>E%0O_KKzTV%zqp^muiVFQwv2xhVZI7EerJIZMZB!Y2+Fel-HFu74<DPVTw(!Nw&k
z4YP+&J0HdJ9(XlKD{u*;z{MgfZ7!pVz<Xkrh#8vNk>^$A`5vjeG!fewQkCm!MYuYu
z@gqpCM2$Pbts$JzkXli@eRE|jJo%5yA7m>ag&*~wcqe?@{@2wnrB?a4W9ZXHC|Y;B
zJI{TSugK%pJ-TMcpjj+6b<+FUZ_Z_%_;+s{_^H>Y9a9o<+dZRh;Z;&&Ca{FqjF;Vs
z_BwZP%806QrQAw1xy1*Ern#o9v@E4otq7_0tHaVXl?(=TVZ%dyXXC+h`5-y~m#C<L
zx!+p_)M)7z{ZMCc!X3xQ9p&~E<Zfhu)Wix9&W{$ke%<L#YM9765Y4aKS}|IceqHJ)
z<rM+9+EL&YArRt@+D_>={D!biTUBqaS5+HorB^eA<x*-*UAf#Ga=PuMPj|8Kehgo3
zdwkK|Evoz5hCMkxrlM1z1rD*`w`NG&o9~v$1k!LDPyG6C7juE7tRm~guYBO}r}Eaj
zt}H@v=0~Y9sQV@_;WyxukO7<limG!<i}PNe-S{(VlFuC)ALhB+qp9jD)1E)4R@T;-
z8aECw40dbsZae~9+JY;}285-0tI@~+r6Ajq@sdxZg`nDHMQ^R}cX_MAUwjSDo9_mR
z#}&T;1gUzFTWuebFUo^%=`wBUVkt~`$1rfkVJ=c6Lbh76aFbfFWs|gY8-%-A$2%G*
z2@w0dCgmNEFPh@4l6mK_XGTX<h->vV^hWaCmJ%%O?f_b>0d?)vS=aHC@2ny%MY4s^
zWu+I!0%{8CzO=RI)1ZlI_BOd#M8ti_BY(=9G5h+&9S0zv*N?JfuUHl`7tE{G3ky*c
z8qzThHt6TB7l*0yp#j{uVy)70^gy-%=`oP+;(3d}Pc^9dC{*}{F<lWvXn_o?k}v}l
z6a>VFWlO}OWgA78Tz>YR;aOpaT*7lpKo%9@{Ps-G0bfX4PQG`^bzE{i>*x^U&iCBx
z7m#jT0h)s@%`NmeAJ^i@J!JXq*mWQ}ZCg=f1orD+%JzWEB@K@!zJz#YaEc$25~@D&
znR47YGg|8#BtvoXS)yUZw+0$_X4DdftqHfTuLGIfA}xIyc>{dVPLD$}4ZLt8!e8FE
z==yJW6zN2VS@k)Omqnq@X_RmYP>wvc1rEZbZNdZc|A55j;zUf0HksT-@T;Cyv(l~t
z0i30jI{Jyl_s}?Hyr)6ZX3@5RM<IhjItxUHBHM|X5jEG3It>RJZbv$Ah1lEihYh#%
z4%+KLI1?;|mESv}c=5d2Kl=ju=?SN1u)!l&Ss0*B6J970vz7TB2~}@G)$2IVm<Af^
zSrhg5=21n$M#;~l>WQ3y@6nT{ozu)-xO(U$&az2uI!K+QL)k#pJIRnx^<3&~G6-+i
zq|R(0W28F@$N*IFcY&pRhj>mmY~C~f0LX9F0rT&E1Fu0cQH?h1HdQd^%veYavd<Jj
zcL}Whmgia0)byGm5MN~O2$bk<E0URbTJNyjH+-v$h@c|ZTPB{Pi`Sm@`=6vO>2}qS
zTVcmZ&f81dNt(nX3yB=rm5IL?#7_d@uP1KrHSBfbiJBWm6(a@i2Ju%q<L%9fr`zjj
zK>sxFg|f77%l_Ht(7rBByBid6OK{Y$+}$B0>Z033aqeMifOfi46;aJLEVQd(Z70qD
z1QN!a+LqJ9s&nURh8=5G-SHP(FvAnG)kZJc?jwpsu+XDf^(McxN_N=LqX%8Oy!-TL
z$E8__m-fA3kk{vX4aBFWmJ@8$QoJIk)-Us?+`H&nX5xK<eL{Q^RX;8rjm&=!LUC%s
zDW2-wmIS7k+NrO$*69<A=6u#{9s2kB4j6;x(v7AaIiD-2^e8-9^yzjI7aCBZ9otlF
zTeYymF->}0Lh7gltQhi<rE1-|3Tj@)bhMFeXSEH!k?G)^a0?tiY`Hp^@oPZ(Mzq0n
zrDQ?(fXFHFGap54OFaX^A30<CxU~#RV?27+A1++KcK!6K%1V#R?S^6MVs|a*j-euQ
z3!lt;)+2&<OkMQL-5r$53ic`SNx-P%g1%Eg`XFc3il|ifX4vTEs95<)lqRMYeKo7a
z-m7<dl^lLV--(xW&p&E>U3hc1m<kEq>mlhPwxdc!cho4i9hIifuPVI7s@9V$C5SX^
z7E&kr<eQy?Eae)B-{6sAjawu6BFJ7M(-x81*rH%p-wWLiFMRQgC&xCMl=;XH|JXwc
z^{8$bV>M*7@*O+X*3DaGBo-DPuN!{nyzi5_x81Yon$+r*`x5&F@kvx&IO-NvsZX-k
zyMj)y3^M^0F{yFtLvbrI0GB0ghMMm^?TcBp-$#_rK(RbY8pZ(0T>`3V#LgWtvE5Z9
zl;IMn)A2MtOpiJj&0uZ6#HWcJF4zHRZ$a^JQ=1QP`yZEoc2&kzCm%cOk2l~suEihZ
z_`0TP!t3>lNHi=qZ`iuRs?sJuxa_9XBF_5*_ABCvisQ!gP&@RyP}D9<5Z)C36n4!6
zg=Gs`UH-HDq=$#&_eXks+KAN^p1xI8s*lewyP$^V_vf6oL(75<ewzQ)Q14qex#jA)
zer;*4<$Uoo7i71(56#0r`qKo>wAsDfY!O6cfUq~{o*Jzb_h0|cgbtZ0yC>N1h)<$C
zzM?ccfYOFV9oV%fqP_ktbACA8kjASy?_be!7HI*qhfm{#NKV`)@odY7OXpwPba8@=
zc;=`lickTKtuOLj74sUyw3a(}I9>dX8{WJ)8ygsP2=-gzlRyUG>=&xhhKUd)-ql-(
zzz<NgqATIRJ!0N0{NTnf;tymO)5ko?UOsjt(H0piZIuh+1&Bx6K8<)9p_4)Q$MMVk
z7yCW&1jy$UY))UMz;a6?9!{ym=L}WW$xQe%WQ5(?zU0|4Pr8vXRNtHn#|f4E&@(kt
zm;(k)h^Mi48wl_4O_8#N1A_P@kO4U8bC<AcFOohI|3jgiZ_ry*w=@w}`CRsj4Hd4H
zJ8JZ;9+%>pd+bA}g~uOJ-NS@bxdB^ttMhuhe&tnzr5QU!ld=cyH3RDu1H{)A`$WWJ
zDBZHz8#xuEXYMN84{<;dpG3t`!%wiSK2v4h8OL&`XFCiYIhvE`Ss^)`p$uMxX`yMh
z(-5I3Kj}(01$f0S(|pY%d`gPXta7m_CnyTtK@pCIkTclJ){sOzqv|n1d`+S6FSggX
z?Z!7Q+NYZ$?Jf>T;*(g{{q~D}JzaOZit~DrX*(S6Ky$Ng2D`eV&QRNGbPy$_OLKa~
zQ}MNN<(Dpzr@6&CvqpRx-l&#@cE}u;Pxa34t-1ueaq7DaL8BxIC+dXwvP!8*lRm$?
z!$!{b1`cTAiH#*!_%(0A9Y*(pU%LzZP7hs8y;9q2U8*{yNkdbTdmSdqx|1Wg&2NF`
zkx^x-S>es<tMFD?uT0rR_d!F%1h+sh@E6!U@_UPXU%qCUVNs{lwrZi>dCO;4cKFEI
z-oOD*d=hJlt{>_z$+@R0P<-xolya^*5ij}85zt&}U984>yKa@X!wzc&npb$a^j0!^
z0O44?h1Vm$r^w0c`EY$in{vzSpYPG<+WQj@8sd|fHRO>WY98+tmu-${nRX$%7(Vg0
zx|OjHYd0AE-Fe*TJ8`E0tlLd1`lhL3lb_h|d}^JVg9Qg2@kz`cHtl+$3C?mUh`ThP
zQ1^-tLL1Eg)UDTxjQF;eX;5l`ZQGL{UH=R}06i$tVKZ>{HA)v=`<NN49SHrM+@icq
zpxjs6%Kp{EYkxQVU?!b7Xo)Ajz2w%N$N<;amKX(6-$^(-;5=QJ?WxiZlVEyS)DM1i
z?bFWe-h&+nt*UPcUk-chJWa|eQ13%Os#_;M2yYZcn)lym!cTf+&F}V$;nGfYAXbii
z`rh9UxogqIy)K@RaO%W20Uz|c(>s0m17{>IJJE?wbfOcT=tL(v(TPrUq7$9yL?=4Y
ziB5E)6P@TpC-yp0!?NSXjk{ARbvDPSaohr#26_Lr*IrBe_WRB|@6;AAUi?Gcy9AH+
zfpC8MTb5=0dDyUFt3LejL#<o4ZkNOT0=TE`jot+O-8$R0XS&_)e|G88W!a;TKFYc2
z&OE3e|M<r`FdC;<;$0&cEXYcnKRIN`kWUbfwl*l1<HwKB$Md(~9j7v!z*<~CfpGq(
z9lviE5KbTbJ_lj_Dg5VBs{GvZGr0W`Y4SDFZ@>F)j%Yj)qb~wG5=SQTDToL^>gUc2
z&7f&oKAstzc%IJ{yId|CiD?fSG)Uq;*KHjJ;dWY?gzL+ljc4ye0==+h%a(ByCr(VQ
zb-R80b_sWW=Qc3$o{=E!WJu423m0aZPL~1*ae;^v@%$;tc;Q`#7>1!|i*&;4^}<`N
z5btr)19CW|1a4}7C7ozYe52VY&JLKzBk)|gs-vOdUCbmm*Vosd2qdSlHwD8NM3_$Y
zcsv8*POXAp$#D79JzX66phSyPuaIMTU@7TG)y|7O0f>!4xHLCcluQbDQBGDP8cOG(
zc<=a<l9Fbh95;ePCNx27D?t-77K?GeyP<e*YE$D*G$0eHWWF0p*C?pfJxw?Zg#HUE
z_Oux@W^|{3xSnw1g1%hcGPz2T4!3WCsD6p-mO$+=7}AqAK*FsVsOF)9`LW|L_?bzA
ze4~-EG$V1T?#H06Z@MY)9)oqCX__CwZ>}NhY{3PBnAy7GP|ymge1;|YNc^_Nj~a<k
zC`7V5)qE?+NPL0_8gBhsD_y$_k{^vm%kY}@2`6SY9V(xyzBN@&Qb*&tKJm+DkU2Ry
zooc=fv{iqzIWz_qd#}WGhk|(x)eBn^88;YW=D=YPs*WBlWk{-dWQuI4d3nVZSGeGx
zFCkga{8@l3EiHAzc;=aB`guJ4^wT}<vCCRb7$h=F{ZTlw-fgzD*S<hP6BWWv_%@DQ
z2|I1M5vut>AV4+WmI3I*Z|vByxi}4?>d>Hp6f#Y1Wo2c!ckkZ0H8nM(kP-Xil?unQ
z@#DuY4+ev^&p!Js+v>Xnk}-Gg+*}l*0N;i1vmb*iE!QTSeeHQB0SSWL2ulINHWbeu
zigRi?D?dMf3+%E5$OK$UHI%7I*;>x9nZ}UeNT5TR`xEZ_0}O<#6p~t{A_3|1`Mhwa
z0myAhnQ$4~{2)C5&2bBaONp*?yWLA*6yAlF#VN=H|BZxy1%7dj`=^j0-i1u7uC5-@
zN|Q4qmMvSBhi2$xki_rs*5SAinTacWr1sBQwQ5xX!hc)x8N7P|!-w<6d+bP%nhTtU
z=bnZiuOqJ0;r=+}37o%z-@FF*s}cUbnKV@<;+a@nIGC$PQ1yPduC9(-a_?(6L;{Yw
zN5s>tdl15w!3f+x1V_e=D_|sd@ox{<YUl;I9=|^yiI?noq?Tdl(z$TIxJ#EVt+hNl
z6o@Z-j7~&2evQi?K$>pw#Hx;+NY^1FPfS$P41XFj5)XU^Sq0&bhQbP`2W{3J9R&sm
z5n|iF29aXMEW|bUTThh+5aL2+7=`=P1niw#0!i&g(GGa<TW&edUPWfID!ewiFdpH<
z_4kmN!!nhmjs&^DySsw;ALDWq#9+Dr^^kH%HN-?5$QcdW3y?-9U2@4KT;eSa8HvPi
z=RsCMY<R{UpGQobIFa>X))0wA81S?(FyJ^etCtWC*0bDlVl^Ve2vXe-1JNb%C!AbO
z?ZoB68EFg8tiW+Qq`hE?XB@d<5LM@Wc*j5SzU01e3~P@>hHKM?$ToiVv!D5)zK_NG
z+1m0VtQ^1C388Ag8OMhp3vrKW$gp<D^%zuJ&6>WMh^L<%(BSr4oAG1Tn@7Wgtf@HK
z41T}=F!<Xz0b{sc0Rt^<tCB`=$V4Q!<2i;s)tS>s&9fQjft2I9kKnc@{?m5B#&6c(
zxA)ALG2`|jLxwzv5_Ub@xFK+IaU+)W9&pQQA!rYf$z6y~350vivoNsp>t6`VW3RmO
z%5$(!ehar3;N~p3ig*~vB;BB`o#z`P6Y)+7gOR{};^+xGa}Gmp>&4MG=YjSEUP&*0
z+Z6<nq@F+h=}&vXW?+}_Mez4<K7=E|(z*WcfB$>SYmUcz0lAYD$z%!dj!2I{IE#~N
z9&Wwy40HTq9CvA<V7xyD`5K9}nb)wg?Ql5EFma{Jq~>5+<S<T&>%9hQNE}#tll3~g
zyjLN-v}FX+G=g&)hBQ`JB8)T;BS@oWoV7|kJSoE|)m{YG1DMFLcv~B4Z3#>$67mR$
zd7A=%-$q7w6YiJ8oz^$s$I|{K?zOfWB&&cW_}xMXn>jj;9JOPe&ia?lII4Mv_*g8q
zEA>0WV8V~}DCM*z9H11zN!377TcqtPAY8OHnE7dcaEmTxeikaHm4T*P=+#$WeHYs5
z9LNC3P{_EKUw*mS!jG+%-ob+hvu^tmvI)Wg?c<;}cGbFP;Fv=>(#N{#2qfZg99jP)
zn?;PsX88XWa_#cCQ${f2iy$nO{5}0V6p6yjMdG<!X$be3^Y`h};MoQW9y9({X2irb
z+wNna@kWdvKfVAOs@=`ZR*Apkjyq^PP~ES`kuN#|FX@LDXUn2x38R(195M~s;2*81
zc?ZZGCc@yTdxi;MfBb0VdTxEflF!6hgy)u`In%0N2O1EcC^%q88Ve*#KYKViS>+zY
z_vS^57JYldgb5|6PJ?Z=I$9+j39C@TxxvookXlGryr2}fc4hE`0i;@Hz0BrSQn>u+
zr+CM6@b_}O=XWqr+M}8+7==slyTu3#+vv>YN8y^A3bWdvnqP#>;ndRy6P|tcSvK1~
zKwP<GE2|@>tqX1(-?#~x;&oJSe}wj%i1-h=@WKl@k)=hBTP2<tHf$K1QB<4k0>nEd
zyGprrcY8rK{xM4P*hHO^l*1q=LjDW#G3%%J<85R8`t`K#+0>*_!zSSv2vxoZnIVkx
zG9*B=%>)hxpn$L``xl(Pha<^PHhsxu7o^Geq5U4hz2D*4^Ugi@+~UN&G_*-P>J659
zHtSeQY49BmPdQDi&EIwu(A-1ZtOW>%v$Yq(!j2b~d{#{y?OVMo8R<X*;uX!!&HWPb
zzXx%h4q>6B>gV`@)6vBAz~N}5&n+I0=WNvfO?&s+CLW+?w6xjGsf4F_5KevCRqH-$
zK$Fshwf%V_(y7IR5m82d4#Ig*mi8n#NQ4Y99~pq#wM;;~AB21aSr180SfwW9TnhHy
z(dbP>yGkw9J@6IOH4Q3SRP@kkhV3it*s;TDvO$t|0ZV%r)za62K!B}~gC5KPu!|O=
z33opXzjF}x>)^~acG<(p^kB&!0`B@W9b{`4@l^NllzsP1=v^L?><CcZBPX-Ovvf0u
zQ+U4c`RAWc?k2oD;QT+Qxv;;1!?v*23&)Kc*Moxd?h_|YbUKn=c;SUQRLOtC>CNDY
z+qNWm@`1a<(M(P=$lF^_E4Jy8AZ$kM7j0vzd(>ZFAXl?*nw=}u04osrUFn-|3T_e@
zK>f**k^(dx-P>)`AmQ2P(N^Yxmr{cT-tJ7sp<R$T5x;wwf^gklUtd3x8G`qr{yD2@
zC!S#eXmwPw-H~CN9!&&i+#2E-5&Ifc_ekJ5IGqWZgT&zE%{|!%hHc;8NYJ80VsdW3
z8}DFmAe%-G@E-O*IK5{C&Y9_)Yn(Ha<U#^TLI|j0YE72Hq!rG0b%Xy-KRPoD&V6_n
z-_v3n9KYw730p8@A>$w%I{wz0HEWXN1`>sVb$fENC59E3%7%vIWeV*ko*r!4w2AFU
zmiqm|Vt(hHcOt0Yo<Vc)yO1%c?|zG1zuP4q3B-DkJ&VULUc7h!R4GT|*dsUw!e$Y{
zVNdolR`Y_H56{!4aISHWesG}Z_=O7>9zm5%bzELv&L$}5IIvHH;6M^Tz!-hO1s5C&
z%X=`i75AWJbGgL<AY=@VC2UH*8^2}G-3j4vxD;XSf_IhR9>+jv%rOJ8fU-Zo0`6&?
zwVQb2#1l_su4Yf(L1{c8A$ee1_$tVKDEU*7(2tNrxU&Q?A?uNd+)vgSs->-g=h&M@
zBa@|>L%Tg8li<!7JU8K){@uHGXIC>bWs-PjSQ*C$QEEA&_Iq64n{aDUqatI3aeqF9
z>5o?^68~Kse*-_b7w@e&a;p^X;KlGVqcCi9-gx5;XCNnuT_T?99tTc`X2esf?jQo=
zL>q<)dM<?Z=@Ag8&PO7$^vuVx44TDRyPmd2Wo0FMCE3^E5Q66k`q3B9_Cf~mpni@b
z!|=EK{x9_*38Wa;N8=vb-7M+M7|Hu-K<la=rT!zF&cyRocn6)?y#6laMx0*-;pb@#
zFXO_D_8xvizS6Ku#KUv7Wy==kxY-a#-5g|Kg414@g@k2^PG)X!qBugi9LN6!kxLWq
z4p5@&W3kwqIOUGgG_0sr(+UPN2<rJ2@Pj*Lehq(8<kEAvvyWsJE@?-#IK}{*fqt&T
z<G)AAejDf8aZdZ9F_P+?;rJW;d=;6rncdTv_|*`O#5n>FTbv9*bq~zM{r7RnXTO5y
zYY=f~*b+ILk=O{K(UtU%BW}Ag_l?u26cU)3i%m$!ANa{?rro<lAaSUAS3*+1N4Q(d
zuuNEveoe=3|BUmw5dNOw{}8`_2=1@JmPkt*k~)0&aE5aVgsPUAfEkDdWCco`LnNDA
zu;RJP^fdUxZPK`r5&dVlxJ>#qq%HTG=WzI!i2oe8Z-7yq8WIMH{2Z+e!d14Pf?uED
zNPk$WsZAJ;f5D$e@!tE`&c}5#q?!`=0sL_0vVCI!gD8kZorKfN5&t3_>u`Jq2|f*m
z?8cIkk^#8xiR&;Da%oe-cNetwVfYo{-2>n+t@<4}U-8mQFYS^Rr9boL%`4_dqzEUw
zWgR;L;a%C5U+r!~9*k&>_?KUPdB6CMprf!$b$lld9&{4_4MivM-%xZC{|!Ya@!wE%
z68{awH=THn>92vXvxQ&Xe4=R@J3$VpEx~skLi|6wZVg+j771Pe0000<MNUMnLSTYt
C5Zev_

literal 13636
zcmV-KHM`1*P)<h;3K|Lk000e1NJLTq004df005Q<1^@s67&JU*001=$Nkl<Zc-rlq
zcbuG8b@#vL-sgFy>}*jlmWy0u8!)CB2-r@50D%w;c;h7W5)winB)s$vHZ^hL&`fc#
z=@^z?LI)EA37F<4%a$!!lGRq)KJ|H?d)`0pGppIznbpc(*^<4-pZQoj^VIvh=iGD7
zJw;TNg`{6>ei{#1UZS2lx?R~Iq$s;8`-oji1f(LQ#<Fg5AIr+)5QN=tB0vf_fl$E!
z4iF{Ym`7^{3A(>mxYWG<_N(eo+5F?iyNgTBx4Ipds$xVqeV~V&F(j(~-d1s2BXq(*
z)crmtm?AE(r#A8sOi=dUB?(EP!2S*E0YRMWdcGAHiye>t!QU?kHX_o3!F`MV9QZBp
zE*y^nz6pE{c))#Z9PTr~pAHNG-vS<-NsT!B?L6Q*;9{VE5%_xtm4NpFHv;FkOZ>LK
zUkTg-ymS%xqnrK?xEXl$A)K=U_z-Xn@Mnv_AL*n(ppaL9#{&Ngd=yyI@z@;iPYh=?
z>iV7*eW#TkD)8Tl>X+)NJ9QEGBN1=|^f*Z5#PrtOXKBcf#OfnD9&7o5lz6xs(N_$(
z@cO<b_Vwj*`atLSMsos4c4#?CvB=>1-oj0hG4DxLON+oCDO7L}YT&kqZ;h|d-<0kM
zpNRkl%?!LI=v$<~vn1dN$?fv%^3R0cdccDp+QYhI^4G<QJFixAPZQyWYU-#ZDXWV)
zcjmHQx2`9TQ+=(2O~8v6fxo9IP;@MKR&qmbQ*v|eZ5m4`J+8^JGW~AKN2S1Nt}LIc
z|HcqsFW`7yUEI~y$UmI2zQ6-d@1d_Z`1(X8eL!y%yz2o=dpWhgM<QcPIZ0733DyE1
z%a)PHF9Lthfc{5XGe3$q<v!y^?TJ!yNT_u37)iwE-6W01HG<pESyJNr5^{yWqvJ$B
zT&bo%>+cI5y<tOv4XcZsUh27YNiL+4q|$JX4l2MSfbRpJM>uH__`8RW0WQPv3le!O
zMv+2iz%y>&O%CHm1UJQMDe<cg+<H!>>aMndtY5bxLLJ9fl5{@L^4Gvkz}q{RhKs;2
z5DD=5%shKhQ}$wL2mN;7)7e`55G?Dd@)I`(lBdvZf`~wxYN^_AxNMzhqgprF1H2`B
zu4f%pLh~qi#tVQ8fel@L-wS*Z@0t6bR;5l1XdTiC0ZRfTbG&mr$1}Vl<L;LNPX!8X
zzn=hn26zGRM&SPzIsVSm!+`GrS9SsY7r=7@E9;HO%T>8*h9(ba0@4G)8ikl(&WSEW
zbBx9a%Fht~nn2eBuL3rAIPP(o^7j#7)gtioG|3w_z=>Ib>ZQQ1fhTl0@PDv8MSA4X
zVIZF=SJO%(aac3!xKn@^OOcc9N(I9nluvgVg)bp&&3L}t;fMsA$&0GlL!=jDI0fZ}
znV4^<zeml@Vr#DyTLU$Vz;{}_8z!J(BUYBj{<*(i-h>Ta(gE--z%%LPTtvP-xy^CM
z-Ws>>s*pIv28L{+T!QikDR8qX@v(TbJSN^`kdO+(bAdm_yJSJQj({g4T%h}z&`E)S
zo(_+BI-#P@klqsEwugRO*m5~=8t^)x-h3mG1QU()rS;_($5ZRC71KCxagCn_TuF?j
zYy+0pD}TPSJoe81+T@uS3pP-Epg_|Wzl0pGp-5cbstjKb<^3rVDPlM&j@{p2<=H_h
zrzTc0c}Vv|vQ<cS%DW_BsT6o`rriAq<t!|JhUL3D2|6Lr04#qGyeWG`H|+|F^j(Dd
zG-~n%9G`N#gZ&bzcM~fLychTam`lV|pN1%ni3hmG#HmJIaE1vczXs+zz?<>g!uPzk
zd`|^pGz9ie4WG88JaW;R>iGFM2SL<+=nfn&qKEI3!rp6@{hJh3h)SG+@XzXazH@3y
zJpn70=ddc;*or3GMKnfCiKbI$W2S)*VZ7LOV*(Wb{)~XP0}pRoeH5!`EJpVP=(q)|
zV+bDuE&+DU7)(>grNx)lM;`j2w6+on%80Gc5cMWWKA02=7w+G%e(!xQ5W@*QnBYAp
zPwn5hW_-{2h=Cy2e%QBx`%~cijZwJm`;NUgC_$d(xn4d5T#NETBN$_Z(a8qec2>0d
zTOr+SjD(2kZGq75$$ts>9sv*1GBD1m1bl^n|84`_3nin5RB*RNPKPa61;YUFnoPNS
z>wz&84}4Pma9UgSKogB_78B22-<6js+ye5-``Q}+Lf|F~uMJgwh?UGT$S($-0!)yH
z@@{2v7Ze6~kytjV9@sP2%nr}z3@%nl8|t}ywvFGUC!qWe;p+rk2RwaF1tb-NVkqc=
z9UM<Z;BCN0;0a=@G$v0YDW8N1$FBo96Zk=wEB9sZcx`4L-m8KC<IK+fFJPVG<Lo-n
z>oRj`dZjfHePMwwt8y8zw4+s^V5}ek-933T>8bPbxXGN8h|JXdo|xp_X=8wRYCT8_
zei3<sU;De#8Nk=^;a~T^w*h}Fa0T#F;Ov7O`_Gx8)Jl&=<Objw3;bNkyr;;#>{0VN
zG4T(@R+li-_xCrzXAg4rdBFAfXra=*0r)rIw=<tNk7M5i{Ab&D&jPLn)-5PV2P_&{
z;A=h(_(P^ow9>PIugv58S5Ld8k2c^PhR6gLWPrbOwtLe%+8q%RD>w(jzh%d^(#udj
zLr!slOX7x`!!!XEB?%oW3xlRASSu8JEQP=#NXMC{*(V<)^xA-s+_8%OE?e4K>3l_g
zZk!|37(&zSLDwi;2K>BW<xlcPjt<~^%+&iw>Qh&SHrx=HATx7YCq@pZp+>Ubxg`c9
z_zLyp)wq^jHsv3%`T<G~9Wh#%$VvZ_K<kZElT>L}4H`LzvuOWl&IO5a&dh0})__+b
zoQ{vLn*}&Psn24J=*^p^+}4pPmkX>GgP_Go0H=_*jwQKR_mq3wZ>Ppx)r@MtlyVmP
zQ$^2J1fz~HZIDl@kJmtUj|EFe#}j8PDxsM*kqTDm4dhWfYw1rmmD7JXDjYZk+j!WH
z$-VUEdfbxS0EHlDVi%LB0YVL!(vV?-bkd~D3fsi#`F5g;IQ1hb{1rX=VH!fZC35K<
zp+sWr2`7X)I^NLzV-2m=Q<DoUF6T&%YR_cEz-UhMmCz(%iVAL8w9MqI%Yb(P+oz?9
z*FW9~JV6x-MS~4QcWtlhw#_ve9f^%8R2fg}Ze6LQD+&c^q)t*z=#Nq+<3O+9+pD)t
z6s5+5><xdb$EC-(<Lw&LOV3ZMu6)1P*qf$ueE`*3SbW@6*mpy?t74J~>+G^frD(+^
zDv?tPRv3xZ-BwOzXFZj}rSt_0FY4`ZWG$2RvZ*wxI*{*keNjJwI4nDe7!z>f$RTz2
z<YY;abf5qVcC7NqV07{eZcmPMN2oe!jO3LxNO3W;q(740o<R4HHQZ>WAwk{f^3ejN
z$xswb9HreP*$*<WS*KmIYk(&Le;tJKj;V?Cl-oB~W%nHotQG0+4^UvdRySj{x~?h~
z^@P5X76M_@SPwUi^~glSn%*d-WFqRC$VRtCcDa3evOQMTXz{B3g=Ht~FRrSFu7P#&
zjX76)xkly#uACZIsj2A?G+G*x8sWytM7LI*)SXHx5DbhSRmxq?Mu-^MTNyKZDtpMw
zHuAFHI0A9x$$+>)QU?lZO<%gM=LhjrFUjvhv?d}Y=ba|%MR23;Fo>*LlQ+lq6?N6^
zCFvcHOdL2#!j3w?Ex=!8X4RZqrPj(9R5|^+-%P#bj;-~2PsvK5X#5JKPzVC@K_I)!
zWpm^Hz4FUFMSeZJ)Wl9?X+FV<lByD5>6a2!t;sd@-*8<pwKC1E_;w+lB24O7m!ilA
zfnP|@Ab|*@u}SZ!yWfw-=?#_CSV8&%X>%JKCBQ2_?<}%8Qdc*sv2hfd{?l85i&_^}
ziPLXmq~u(figiddJF-RuQl})TBabykMe4b<laf@$?~9*`->dH^n`YT}iKZfQVNb8!
z0DQ7lQ)sRmJz+q@sqC+*DTOIH>u@^z-SZNWlYmJ{QL&G)n!dG7J-ncKQJXU)siPh{
zN`YYI@Bw}|+VP4J3)t5A+iu?dBf{A@MZ_KasT2}boKa-<2wjl@{;rM;W3opv_CUg=
z9++6hfGXR7=VzMv&)b!+zzBJJ&__ftL@J0n6nPu)z?MVqXj(F=AVvrdlLmjJxNLve
zHkiwS56<wa-#PkO2Gk2$l((54xG)>#NsE@3<Awvjl;m};Yo49CnYS&#yMMWZ?_%t}
z;;a9sw!c4e7q7QH1N)CNpgOCt7IXsKE<q<eH@Z6_(pw{R($KQa+KDdDq{urvt`YO6
zlbM~H_ttv?i^F;|L2(H6AVfn8Mt+2mjV*^f062fz3lbX0i88MsR}^?RJ`m!H&KesK
z`4!*o7IeQHh`I|L<QzI_aGN92?IARTIw`4k4Y+($cE2yo=j|aTvJlyPt3Tskv!}{D
zz48H3#==S>X*E&T%)vjJfv*M;&Kg}YK1w)N!71+`b_cv9@b5UFAh6899kI$CiBOb-
zan+X)PD6MD%^mgjw~Bxmbg$s{idXkC&Tm~*BvJ^KWUoQC<~XjWgbjphlA@g>Zg0u_
z?~liahs^?9a9F8fq*wP=)s0q%wG@>IOn|BuGY68lekL1gtMU6MPV6PWzSl~_X<SJT
z%$>tT!QtTYx(#t+w7)i`Ybv7@YgM6ax0=0^KXbi#8taxIjr3Fz_js0C7)w>IsjF;k
z2u2Jgaky!b+B!LZlX2a5yFNhZw_kKLi>!&W@9aUCGg4e49NW{&(kRci$ti{_RYV|X
zZ8u%zhnW-TZNM@BD>W3WwRE}GbcNJviJ7SXPFIyyyS065DdkG0np9s+Eq=F%=-&G+
zp*9eGxV|*^mH`pd(--O39c5S9S2Gd_LCzi>93Pv2d>XTUY`2~?x>Jgcnjy+TU_T*A
ziU@d5UHTew7WqTnnQv5(-!}{e5lZ46{xhF#cQ(Ken-g>aooW&5J~Os6=LEA~U5!#r
z67oU7sY?d9|MF$@MG-Zfz!4*zhwFpD1|j*7m3rE6eL4{zujO=&QB^5~5SUPQOzbe%
z@4ilUOzcpb$^iNBf;exfF3B;qrno04CqGChW1_xDR^4x@tUPTAVId%?CPxRy=aU8-
zM(+UU%ycM~7wuP)4>419qOodT`+{dCTl26nHS`IrFkWqPvnHkk{v_M<>Au?A4ET|3
z9gn)$2_m5GEpB+?FHk;+@X7Ye)zcIMEH7C4gVk)?dj>oCUs5wpq<zq$gcwN>+=$cg
zWtDWrb=7qFM+7HUs$TvnUWi2{;xv}cJ8#ml701x?*oVI?wtA&$q!dQ$0G~y8d{Rxp
zAU&%J<Ogz$?<t$3g5z^(;&<F;hEm-K+&mpF6WQ~mmgHrBjP_f|$y~a!1NO`k&CPt+
zW=Lk(YNL0()_K5ns_yM>s`fCHD}bK>f7I#nm9&AAm^J!v)+c{Ss6A9=A4XCFsbeG|
z(LCj3H51A4)Y4^}tTZqZ&k{4LN?-yCCMQ$UpjI?zYiN&6Bh!5MZvn1(^G4andKXp{
zjt=0RNT*P$Z?_#bh&7O(*X@P&+BB{O<feT-w}112%qVmuNMM_pGk=0l&iEK@g%kuK
zRYz5Z>31h{a`GJd^+c-Lpz4-WPS!A$tfS_ZqF9VHmK@X-Awq~Hh#e+z&k#4Q#qY-_
zV`PU3>Xfve>QMoF7rLr#dHK`3<O{5WT?*lPMctgPp8??C@xc*K=`f*M&w4RFP3r%3
zntN3lCe$8INuJ6??eXkxtRvL|pjc@j^Rz+R=!tEA|M=eIz)9OSNY2Utxoc1Dz?GRR
z9`0qC>Gdy%aOFPW-|$tio;nkHLtVxQB;Z(10I6dn?h>9cZ#tWqaex1J)B+zTz|1t`
zO~AgEzaQz90c~^NcaidvfUSV3PJc|XO1j^XjvAyV8@h0M2%m&<4e)`?9XwkR3={&@
zIqv-ckgtRLirC8i{CO79fQr^R&IYV8Md~=D?Z1PGdD0Y<HkxKyFUo^jj`+j$YNkp)
z7t+^LI68n|+7GUjhgz&84n%I87OdW0eh@{64hO1b<0R-5Eh8Wfv6J8;)!I7M#u~J-
z8jV-us%waE&7q?yI)?v@f{yZhl<#18Xh*;Wq^M9c%A^soT@$A<K^X~ZPfsex-=G?t
zDYlH528q<k+n8Q~x=V1H&iHinyksFmrdGjNv{qQ^$|DU8@`fO9A8Z2SlO2@pPIY@O
z3Rpf+Vsw0p-`u#x9S-0Z+?-q5qcn=kv11ht_LoH}javu=@)ktUnw*s0n#1i4kU$Ng
zy3C&`nXLu33~Dv49WPp22WdfQI`fR*LUVg>K=)T6pKD#?*Js+j(jI}6_vub<k5#uP
zfLH=@s;Do9n%y5UbtI^g)>gX4#Azm}uEE&KDr^kuEqNyiF)>aZPTJOXbr>-SRx|w&
zY19yxYTCD4<5kBIM<uD<u#d`$Jbi0=?uUVVE+n4|vBqqfC|8gDziV&PO<Q(Jxn9?!
z0{FP0h;by#OU9LQ*vaa4QU^CES{6uTtyT?EaFVUh%~jfmJeY=Pyj-<%JT6`$V(SK5
zKEOprz#1fSXdvxxFww?x{<@)xP8!u+0dB$=3A3d}rzeJjI5BlWE%lLyXk+R`!3CIb
z63{AY+XQ7(w972f;xt826|rjKSTxGhSa}@Dl2xLrVjDGxgsD9hs-yMe0%J&fLHi9!
zE!}?e*4+$`PD*c2o@IT9C)#@9lP1MGY)rKQ){v~}8=<0@i78~tEv3jR>2U|bQ)yWU
zOx<a1U7D6pwPG3~!6ZJ0R_^SR2%)Om8>rhJh*(4l+Q|wKF*RJ$m)7<_LR_QIns5?=
z3aA{S(_EVH8*S9o^)A!K@n?t{Bc@(O)Oo=sLRbvYR9EGU<>sCH*tBsEITP&6MIp-v
zN;p-V>QMrG>$>I?sVDo1)fXp<bO}a^-IXdQn)Zs23Z}YHyA(p%h?r?{-$mPr#U&+N
zToRKT%O<AWrQ3>2CCL{=g8);RoCdsA?+_yc7$M39^!DV*+i;|*+#T)a+(gU23kT&E
ziSg_C0&YzOdayJoP=iQ<n8sZMeCFhrG)2+`r0X^FZ7(}@Z?WU=9tm^wQhP>^ySD(}
z%4f+U&a)_K1KZqNfX}xma+SHJheV1LBQQa0u*O}Ra^ZX&MFu26(@E9D%_Wu(O~*+S
zBxxM%de!O2_3wNXCrvhiE(r9R)$|)L&>Z`K$yvu*F#X^rttMMWz{D!Wp3JP*J9mEz
z6dhVNN?9Booi&-pt|O2pYKj}g79(}lI_lh=Q!}z>mg*$fP+i}0hwEPULY$78RM8|Q
zNfH|MdSBd#XH>5^I@a7K;6(%56Xe$VN)+$04`c!#RMFeqPBkUa2ClJ5NNz8PR`(h+
zGU4p%W7RBQX;9Ecz3E?>cHnfqw*d+Y4N<ovM27=1vyPe08Us2BT2t&vXmA!LS{D?K
zoz!?#U1M|-SBs5_f-W4JWm+^RrevCYy#fku**Z;Doq$FKkwz7!Jx~|~Bvnk}Nb<oQ
z6>;<}U&5)!Er&Q+KD=iy6JryEQAikuM+fkBz>-X*n5(NQn_{8tRuc&H8Xp|t*bSV5
zK_!A@r)YAkkd9)csF?mdTCJI6^G#~@4`bFItESk4rfHj{+?I9VLGL9{bU5?QRYW@M
z2`CsvCk)c7M2}JI{RLDs9!0E?Xhpx+-lE3)CrKu!h)4_467wF3!KASl<?3d5?Oe|i
z(v`>K`d304i`1*li6hxs?j%(aRccG}Qt!*%p`wIhSrP<@k>mUO``I_VPxtQLBb7?!
z=m38FnlekaDCyor=r^#!o;a<#`2YVD;T#DezS(HJ8Ic@f`ZI8xBDp-MiW?h2rzXYq
zl$hRsZA#~Qf<)l~aclu}o4Y+k_XVEAi`v;yq!WrgF(G=QL2?E+>UAtJs8h5WV?ry%
zwM(c^<k>x8_oQOHMJP~oQ0rTRi<EeJTiE-Vw6qkpAyS+2Gjpc2Fya(7qLmdz;$n!2
z-7UsJDk*6_MO9C>*0Or-YU%6mWB<MpIVylJZ>qAakt1DUo1s*#*&}BF=Vp8-=@=q8
zkV2dCm5EO&6u~*%)WpmIv>>?<ts5|UK*Y!L2`$@EB7G-;p59%ds|)5BkdokbW+$5&
zOTQ*5n(DW0G5?0qbl}>0YOvz{%VP?oB_#-z1FLr?hmtxHHx;@Lm^nxzD{0PR8!0H)
zwb(wZMdSqM9F=l~Fbr6|dd*>pwp?)KF6g!B%uuT1fc5z3*lTGi7$6aIN6x6{7zraJ
z2oHQri1dOjd57+dEtx>S3fvE0OQ(yRw4hbcTDKv%3E#ZvDVn6$hG~Py`A?zVU_@$6
zP$jI_k+}J(A#rW`ndkITsUkkGrV9M7<<~Qt4<sU_X-d6TJ8C0viugVG3m0lHKr9eK
zqmd#a*qorV_2%~irvRTggsWGw33ECfN|(48BorE@1<PvuW!vO@_}%3^xI2IkScrP=
z&45Y)lM0R79NT|5#hx3y79I7PPL|(Jd_9?S@D;b(ZGcwRY^F)Qx03>&HXtYng>{BA
zmW3=ah6M<R`+nQsk2z|A&-Dlr9E2kjB;ZpR-iUUs1>b~52^q&_xo>*~9X7Zrzno0m
z-eAWsr)W&2L?tuZSLo^LOt*L;$PP%6APId?DF1WdH+FPdZqiuE4H){4HJH%5{zKEz
zw>mKofrVAxE$~rAe$?_)FKt!9L<D0Fk3qlS!0+CiQmr|{k|D5d{udAAbyDJK+TeLw
z=UrG%rCaV>4lo!UV};u-=sxkKf-Oi0CKRGROKmJ=`~OT)-W?O=ZL^?pC%PQm2DI@0
zWU6=*uJIy-b2~@_0Kzmy928esde<1#d2ydkS8bU^$8?{=N@(ntdTj1=>B+qz%oko#
z%J*Co1rg4#Q_pHjMiF0lDNU7nBS{aJ7+z4?b5qJlvBt4$0*+f9YSbf=)*NZVh$(U*
z!X@brA=x5m4J2e6KHK$je6fUcvTY01DOAVAP~$2B-a*(QvsNMMF(h?m=WomO^d=1S
zl*mURN$N=3`pSq&s%g^yipJP73dITpv%Q0XOA&?fT%PfK(Z|OnZZ5s8kSVXPXfa#`
z5Jj<Ke$^NByk#n>eec&3o7p`+#qsHSG)d?$4X|Qh1(TJ@#{n24sH)a#3H5p^s(N&U
zUKM+VI8koCt-+q*gyYtR$(m)s2kihC)<<+Cy;Vqe3j{n<@@zo42uM(VhUHug&!f&o
zIw8mCWR|rQu?D!5105iK*slEBoS>;NIaQ@rYfvf{=r5IsLPH!U%=F?o#HJaFIxUO>
zQEZx0wIO4LA`^LEn<t!`>0W>@sI;z4qNC`pNW!;=#(s3;<aRbq?O?buLEw1v)YQb@
zTBG*S{!$+g*>D!i29~{|)~IZ*H`0Hu*ODkroiWB7J)&L}0xR^D4Aq*-^*7gd|8{fj
zUq-jO5&fMd-6b2O$d!`kvnX%PH2!B{yjxfI$tT?|`MgdcL`d7zd^o<4(PuLgai-p2
zAQ$>#MWYi_?Ao`F$*CA?-E<pox@dTL>re;7`4T$@mNK3%5Tq%g>k9fg_<Vs+w1GbD
zD6(R|Dk2}fX6zPzy6-y1<MMd}LC>|NsOKGF5Pqb;r~f<EdhNkiUwakXc5mC6#^&|a
zO1#xMHP#vqr@Q{})xc56M?!DWux~sy;~SMAl_y9q8<DL3i>DKT&tSL=2kK+xqdDyW
z;hCyzQsr&5<eE==Zbit20rg~pkx@%+|D#E3t1;muVrw&$`J7P#qm0%9woK$1&h=m{
zL}}V>kLK8HS^C+uGpd`SYl3hjo?z4D4*J95B}JS2nxbbY>N91~Clzvq->T~0+_LRv
zs`VIat(d!^B+6km=Q6*F<U%pIqM()sX2F%64t|VxzyQL0yj3B-n#4_X=m4d71t|<5
zsji{A?~&9-9*ibENHB#ZB@(5QSZ<%pv28L>BNg(R(xpD4&DQao@%3@$^ZpjZR{%pE
z+p#jHDuE5oilV5=;de_RoVzUoCwuAfxeS6kdFl1|4p2X)E%~uIh9;OqOoMpx6e@eq
zA)Q>0v%($K99zb7OvaX+bp)nsj>R)uoKX2g^fxt;oa_BYguAcs(cKDsM*VaAc2~PL
zJqDlr`0?3hl~2$x;RNa;bYcVJGQi#>!s3WbSEs|HfFET##YuNT>H(~t<FKWNzrfku
z54_gJxmXnOrMbJY#{aYkcsG~sAO`Yz(=D*(Z!_+EtsnSw#!bY;i1k4)p_yG57r(x)
zB`YM1Z%cmQ{sKYj(0c0Y+evr3-HLHV8={)x)Lqs2wS~mRzey#*h8FIo8F1Ku7oZ_Z
z*`zE>1J~mW3Hsg44?fg#=<Nv4LwJEsh!5D1&fYv#C>AZb(CF^H4OerjdFd2DYkHLQ
zJt<=w1vA*G4ob&lM@2~78znNgAX!Jt7Qn4j3iXs~K2%vzaMDOMsim_fj{+r|qv7KE
zo?3;0a0v)6k2M~|*9yq0Ve9v+ZtARjSorJ;Sw}n`BLQjxbJ*bz4hP@~O4T@eoz;`-
zg;gt)@O=vJXoyaUSH}Jl<vCbRMYs@4UB?9-1w#G>UjVWB>Y@&!oRBYCM)t*S^QH=W
zhZ~a1TM|*%pY87Y+*KuI1Td6%)M-UM^GizoyWrl0uc6cJ!3PoEne3`>a5YD;Bvc|1
zS9chNd?O_ejP6`k)RBRl^n^yD{z%8RO=)eSVS=1RLPJh0k+F<4s=9e<_~~PD?KcDA
zlFN&>z*sW&<yu<%GVr#Pcvz4Rtq6}{Rdg(o%Lik3jK3x7k4`8o%Q>63#>EazkCKFn
z$ws<7Uofn%=iM=lh`dTzHSX0ZJX?H`ppRv;=F_C0V_D`&Jgw2MXj$)_b5JN6NmJDu
zuAS2DTWXRdDy5Re35=*p8Fd2~?ID#0lSCY+J^C<-H~~jl9OXX)^Jl<^GiOU{g^dT}
z>(@OAE08GZo;o_2s97FqShQm6Df|0!x^GFIYR;Od;gC3?xU3-g{+v$is<`nTQ<6&z
zN$7O*<UZL|od8%{3ZhRW8owYk(VJIBtF9`iWya#sw-u$tif}Chb~y?0GwV{l(B|xk
zjft3~lDPapq)~q)VIdqiDn$KBt8#z1-*}OeYdIreri^R)FV_Gc#aDfJ90uHopc5?D
zGR+2l;JaEhixZf9!7x6Sq`&;xxZb*{VuDbl)axTBMZG&e2D67m_7H1H&(@{-3<)_#
z5{AW5X?@L?X6D#G;`_l~jPC>YqysjfAbEqUIg@U!NW7=6+gF!#+nSQZfiZ=eH}_Pa
zQAu#A%97)I%?S@##aLL^U+&&2J1S!mnLr9QYKpCMQcZuFYI=Fm7LHq;Tg&>~>Ga!W
z536bA2Z_d?734(lb!`Dt8LmlXSCxr<6E`0fz@NA#|I(hSdG4ffw<n_A`mg^G<v&qg
zLclEqT+$Yh@$X~>4WdwFY$Va~u|)d&1FRL=iwpavv8hyvOuz;Mbx9e6j!BL50Urdt
z8F*#a-NQ&QR-|5aW+E4uT%1afxEV<{zK)VopNc8=<z*t*FjMuql!83QJ80S!zUL>J
z++?x;<Zy3qXzkauR|m=J+S;7`m22n|_TRDp14jk$X~Pj){j~V*Oc!<3(EZ^36T+qV
z>KLy8+S`g=0=&pM2tx^SIWwzDbo)gE6vt$y$sg1%4i9RFiSKL`rgQI;h(OXv37jFa
zcAKK_qdkngWkbi|{?p;!(&hKPnPhr|SouK^9iHT)!)eYn@HOdA!#Dan7+uQjCOn@&
z_>*if7TUwHuwAJ91O8G~|0pvhPXpeMuTni<`VV|C$ffrNJN_1Y5BMiBGrp`7T}E4x
zV+r*t74DDfe{%$ri2O&ICXaHd+nFUp?93$Djq^DDTfl>|rDyEk=DGVW@Q`dU#^|1Q
z{-3~m5g$>l!vRU+_SH3gviM0+>pbv=I4P6Hb$m{AHwo^W0~t*_SE_9j_c<U4%v_@3
zHsC21_sU|ihn1^VfhwwM@a5GW-+qES;8fa(@2B?{wA8=3H@a-e#NR2TTslXEu-9Pt
zisZCV-60H&_prP-&tx2bAaU+Aflsvpp1L}d)jQ}ZuGT`|3YSzXXp(k}nuyXmPK?%r
z0!BM)4ZeXi^nmVn&Xuc)%NGO8OvSPRyfd_NdM=P}?;5RAT(X=ME0$8JR5oPN?Ywrt
zQxXDlQ-Zt}9}WD~dqP6pGyUTY`)Ke|8k~h`3pi{hI_C80I$>{!8}8g533>2}<(%B#
zk2U7@a*{mHss525LrLmGnon8vRL(r%#Zo%qSP72pbz+Tkl{)Ht*i7IOqO`8%sMqZn
zSWh|X4FcC_X18eb)<&T>g;>z*`vSc_XJmNeh#9-phtnA=byeOU7}<~y%$w?oYit{7
zuyucpYCWcqkDk*%FmP?HT76)WB+czt5*ipRy|UtCC0Tw7===0;_Rr6dkPF>LJpIH&
zsr(8gKZiPIy})+E(zLiP04_w?Kt9WR+ZCWARtOX|Toj7DIcF{9Bw_nhg*(cl#PJwW
z(DQ%?9{>Cot{yn+ndRE9Rk2pF`5dkm6Ym?Rv2Ri%*N~)8)Y1HMoyzrzs7l}(Ob5zj
zc{(}8ScM%qVQXY4TPQh!#8ID$Z!E1We0tRbmVU-sv!hy$8JUb3t)|4OBeG_#p#Ncm
z-~wX}Bm4I2o?UyS9@og_BXZjN!-Dj^IUxGql!TP{;QS$miTW7tzvayfrH34Gz-I=Q
zzD~#N8{PJ>M2s(8a=;P4QQ-|aW4>l3VJzuoTg5V2y^S+ZcoF$vpb)21PXu`~s*jN%
zI9VbK<CE;)7c(3#LxYegtus5a+DFdT1#T)B_Ju;;;UeX?>TBJ8H;vtogPdi>h5_nh
zb#~PqQ^t@tV1<8C?-4AiD#jS{`8@STja@tTY);3`n+ieim5wwsH4Sbar2-Bo@JCjK
z3d4JJ%zlcxyq%K!+qS&7(*?fTaPE7!^85PpYk&NJ<xgj#vISI0T&)W7HQ;NAplN!B
zR?-LO`U+=O(}CmDaXqdewH1n#vK$_p`3q~nM5OH57s{65P&W0YTnqeOTl&y6BX@^4
zjggca=;{*rf_b({-0Rh^)zgEks#GeKTD}xrw0ik5@7XgtnkK~Djd2!tzpwr-kze0;
z66lLjK9M<q9@}=*6G5I>OKLxsWa{Ik+?p#BS5c=)du7S%5Uz7^ijDpHnrZPpcxByY
zwtNk!x{T}du9H0Q+K@{Xb-FCb2NxJC|CnmmE|6D<$XnAS-PVW`R9v@O_xB)=9l7*N
ze0Sz&0k?LLTaQ)M&&O%`7S;43K^{JrXRU?Gzz8sm@8Vc(op)Wme9GfR__(ohTejKL
z3G`+h-V0cmu2uIDj_*vL!#53lL-xtF{eBWY<ob=7UHlV#g2Zp}8!~r>qRiAfD+BV6
z@j;f|Xh-Iyyn>^Ij+QD^30`^nB=B~W=lLFn#&72y;ONt{&r357zReolY=m1?*@LeM
zKZ(!BahbT!E81s}RVABSX^oz$NqnM+tnIcMS*DAxD!#GdMco`ri@+}o-3~lo441na
z7fH^YZHf`DR?qs-%QQGfARp+7Nor24#ey}RK~$6hlcONQ4YmC=!V*h!C2EZ-E~`%6
z;)`$gIwEm=(RePunWK=7%DQtBnX8f!dro8L?ib{biQW+|?_Y-zT&)2>F7W=C{Zm%=
zPFfNt5?ZA--OZsCC8Xa(Y)dBjMQx{UtPV?GxuEgDvAUwPN<@%qT$_&i2AG0hk0Eai
zo&F%771db;{%+L%B{aBte0g=t=#}wk`K{rqf!9P!iUeuQWJPp%D$t3lk-%sZ^l2tf
zQCVVg($G}DTiL4D)b>b46Il@!Nzzz0@4Z>}PYt`Z1IOw>VZfwGjk4<ANs+fz;ZhZy
zrD!Yyf470JNN6!(R7u9muT3Y)SFn2EoqKzhKYe)8il|CH)OKxM0O>Q4Ziy$7@04#d
z`&`W|F?m**2!|5bkidqFSI5kFb&RzG$585Dck#IBg{kUz1f(4OWVkoHL@vYxW@B~F
z#4|?5-BW|m{2>$f9jRynxg{CZok>~N+8!b?xHe<15Eh9{@Qqy)yB|2>;#UP?#_vt_
zSk1lWO++xcfGFUbf<8!n=+<bbLsM0HB$OT#l6JP<uUGVGBIdkYkh?B8LcDE@z|W5^
z!Pmg~;31qd0lW%do$KrO;<33`15akRzZ@R`^4}e-xmH&GI6my@V(tTExNp$!fF}ck
zz(xVYxiHi9o5_}c$DL2yTm=3Ir!NEdOX1xv2sc_W&%y5p{O^5i9PWFK0|bcGy+d<_
ztD|c89aTN-m7<TxaZptj={^E>%LF%z!*SoFMc@~KU!+Cg7ikgrMOp-Ykrshpq($Ht
zX%YBES_FQP7J*-+Mc^0dh#@)u{PUat4)EzpMGgchIN-nN-UWII@K+pYA}07k#h<$i
z&$I#Go8{E(`ik$Vz6H1e_&?@qPTZM}$M45$%Y@$wd}p5L{}H|(o@+V(H`%jvqbK1D
zEH}>);CuKA8eQ=Ko|C<Iz3uyN(;+QuXlRJR!NErW4`pVdsa3#7hK7cwYx;G|mJNXC
z0?S%JRD31MtL6ay@7sXib{Bv@17Fqh+-%VLvhU0IG^HEyMTP!518%-_T=tx;!2j$J
zfPW;uRCz1#zc>i+PsA5iZUz39g8;Ai`g?zij~;3TK94Vs)QO%4Ji6sx%^I#Boe#$s
zvjJ|WQD9{ku0I3cM6i`A_>9y;U2;Ce?2>154bVIAl``i;=QFc@F2JwwHTUL2AJ4#O
zr)SME$$yToe%(sX1wK8GNqT#i-yX#5S~<_fr<S$T8;6F5-Zca4F59xo%u=7NT>Z%|
z57Mcu!yR`5^j{qU=uHlI>>(Uq?eN{+LpXo5%lDte*Xd)P*PqW4wXMU1Y0@{_{$A4s
zo3FNmerJ`tXJ%{U;h@X1_32RQNQjRMI!Ka*pkLCd@uAPyZ57|&>Tt|RrgtrvR(~Zd
zc;?Va_+0W%bOrFVOtCr}cq;IEe3hsgz5&pY5Hs~Se6zxZrq|)qzT4^VGCk)n@zKNW
zbl%X=P&}U*J6|eg>)H7W_;P<chhp^oIYixBd=sN1g)YmuZ|?$M_s_d1gTL;=gclDD
z4PAXW?D%H@PhY?n>(op2-@1U_N;~mwLywezL7_tv;su~BWV!wwn6SMT@1~)lp;sMF
z2hQhOwD!Bw+dKkJ?(qFbj#8h<qq~4~SLsrGuf6$52NnwWYiaB1nAwwGY_YHJEUnIb
z2CcM*ne}cSn$7wxnaFE?n%_O*9s*f2U8DW|Kg5A13kw;#{tSH0o=(&NUNkf`bn8L_
zU&u82Ep6XFIa9i}-i4Pbb@;B`ob1gU8Yg59o#v<cUH?5O+Aq$WLhbamgP4GKhNkGy
zTQ8&Gp`oEq9O?xR2K))xOnYjF-@cM@<j%XmHSJ^%@%ifaplCl4-<GUh`FbSq6nrNv
z7MSZh(b~bm!M80m@NwqAxgPJmY8TaC;Lg_x80m2C+BOk6g7=C4Dzk0JkDxWZSsbYo
zQ+y^fw-$<?M|TI80B_Cw^$P}kb4_pBkL}!jGIN&!n~U}WyV|~6f=_L3((i$XWo!AP
zGBf5#p{A{T1JK@Wq8~VOf$p=0`IS-o#^B(fEF|!)TzTFCD@fOM`2JM~SzC`px{%p>
z77In+oab>Xv!&;-m~+?A*_C)_=^Gusd*K}5AIaH`PdyCRd^4Th*$=~K{<hQK3=R%H
z<8ayWuUkOH<<oR-C;G4W?chuB6)P{w%%?{l!NA{+Z)>(tbOwG0vYlR=={+y&a^97L
zgM&*CcJVuFYo3<@b62UHnM5D&@Y|``=Wsm#;i3=YH%QK1fNOQyfcanGec8WvXG-5E
zJB-QKfpZp`<DsQ#?*h<e8He8$1?xznXTV*qd-zfOzI-dW4$H}>=v=Gk?7_joSI!rB
z!|Ybx#W}d@eO<KdQ|`ozz6SUkI`2kxqMreOotb#^q24Y&ibK(?+i7{1WB233r#jJm
z98RywEU0#R7M;C!f0a3S+UerK!NCjWBPwHjM9UI<w2j3FFigzxkWb0he95%`fIGiW
z{)Oyw9==-ii5v*Mn!*Pt{2sqKbEwPAwfOE<DF>QUUUvxRe=!3zX&JZg&T;(bGA;Xr
z>>SC)^O||+TmyL5Z>{BCTe7j4MMFbF^})fx$KpM#)BSa_$$re>;Ghf*4b5_vwT50T
z(osl5L-UUVS*(b$NQ=NP0>4O$z%SAw@Qbtv{30y^f7eNlkZas$DZo2So`Db7jWP$o
z+nKq|n8WYN9fx=H^y2r3zu4iLj{yE3K5PrT!=-&kZy9ho-b>ZG;q&3_zRiHkv+w~3
zFKRjF4B$=pT(;^Q@3sctA?n}od*-dw>>71ZmvjFM@0IKp`1uLEL!~tu_*wYah5zbu
z&gJ;s$ho>lzXTsNsrV?`Pct(`>rCL)Eq^Z=931@Y(9qEIF@uAHXW?u0H}mbvz*~lf
zhHh);_<zRdUwsE3FE)jbcv;;xh_AqV&c2DS_<SYabJt2w$8RLuj^8}^W(ID1$?(x^
z;BRV?I`0JjfthaDE%<HP*5<0;#V1o7tlii0Y;s)O;rlnzJxu)J**)Jx_bB2Q;4@!a
zcfrobd(S%2ld@-d;~dZX1>imSoVzQsN!1>qbY6CkZ)bRYh1qWIzXUGGj`=Fy`}vE(
z!NGOy9ACw|S(`oCKb1{{Q#s&%wfHt$@4-iPg5Ov<zU`)0WE|EyD?gcm^f=&0*>`F7
zfWN};EB_n5nc$gil4f7V0pG?4J3JX5@^s8Rq}f1r{nPPXA)8$P@|FqIiQWtRQ}(>C
zWcCJ99{4;yo8{-(^~uI+vdcB!j`zPmH=A(nTz@v+=RUyP;blPv_~)Bnbnx6c;Oe2F
zq0eLzU=Q#Y9B_Y6b9|hM7LyIo)%fVy|7*Kgk`4OPfG^>rJuYoIW(7X@v0XgY@%zVr
z(S^H?$?ka$ougR3lRe7^GtvCwc`jpp88AQ1CQWlPJTeo<of-<B06Y-*0Pyd0&h#<(
zeS~v>v1}}$d+g!48H0R0W2)D6IOfms8&3y|Dcq7RfB%{>%cX;ZgYB(VW1u`ZIM_cp
zIQWuGlD>FoXz0dH%H2pN&OeIZlzC_eQJQ2N_~}d<Je!%@kIjbPowg+19ExN!gLJN5
ztmol_9LDh5xbq>+Ce<4=jsm~;za;~p(~jGl@Okfll1<bN*+gi+ZXZ58{9JtVgLCoC
z5W)`Ed`-42JPjX`{%~gJ6Ljihd;xPuB1tx;os`@W{7&Gdz?+7KhA!)-)i1?w`Tcn&
zPDeUiteA1{qca8T!EL|q!SC!1b~yK}OfP7sp==pBKhq1=c6re~_`L9M9D?Gi+4Xj0
zpj?<u=!-Mpw98ujo=k^Gv*qD!9ga)z37>H`W?#nV`)zMKZfQ17@64{bGg}fa>>$<7
zVP-zuIn0jRKOvKzugVnYzaJVJ>QtQJgrT9KZ5fkX)@{vLo6Y`4%lh3;VJ5Cl&cyM5
z;G6cI$joGmS7e&G%M`j}vRU_g4kQ}Tq9dH2O_s52>9`|1XJ;2>ZRH^V-@}0j;D6#k
zWsh4j1*v_KU6NTfKhHj7&%QOAFu!Txw&PnAzwh8<6W*6ygEswUJhNPy*2|AFCU|$t
zM7cVf)I0ELSbxZt-N_D;^K5*?u?2#`!NHwFLqnU|ET-eL_5a0#gM)5xaPa5A6KKi&
zY3?iEevm<&%(Twt8uZGH>n~_C)h^AX#mloB1=&ls2NtZ%l&8mLppz{fE3#`|(%~7t
z!J$R6Zfluro3gdI8LhIB*=10cv?--z<8pa6(7$Qn_AfCrDB@r70g$`e#BsfYxc*5d
zAs*f)A<n~xX}=_6K+PscEB!cIR$h|<pUd8(75HnI8JToy_TJ}qu&x$qkrwGbLH{40
WDf2k)J6ZAo0000<MNUMnLSTYL{=c69

diff --git a/frontend/html/index.ejs b/frontend/html/index.ejs
index ae08b012e..3af1902c2 100644
--- a/frontend/html/index.ejs
+++ b/frontend/html/index.ejs
@@ -1,4 +1,4 @@
-<% var title = 'Nginx Proxy Manager' %>
+<% var title = 'NPMplus' %>
 <%- include partials/header.ejs %>
 
 <div id="app" class="page">
diff --git a/frontend/html/login.ejs b/frontend/html/login.ejs
index bc4b9a27f..2fb2b1193 100644
--- a/frontend/html/login.ejs
+++ b/frontend/html/login.ejs
@@ -1,4 +1,4 @@
-<% var title = 'Login &ndash; Nginx Proxy Manager' %>
+<% var title = 'Login &ndash; NPMplus' %>
 <%- include partials/header.ejs %>
 
 <div class="page" id="login" data-version="<%= version %>">
diff --git a/frontend/js/app/nginx/dead/form.ejs b/frontend/js/app/nginx/dead/form.ejs
index 6b9a2aec9..75007ecaf 100644
--- a/frontend/js/app/nginx/dead/form.ejs
+++ b/frontend/js/app/nginx/dead/form.ejs
@@ -60,7 +60,7 @@
                                 <label class="custom-switch">
                                     <input type="checkbox" class="custom-switch-input" name="hsts_enabled" value="1"<%- hsts_enabled ? ' checked' : '' %><%- certificate_id && ssl_forced ? '' : ' disabled' %>>
                                     <span class="custom-switch-indicator"></span>
-                                    <span class="custom-switch-description"><%- i18n('all-hosts', 'hsts-enabled') %> <a href="https://github.com/GetPageSpeed/ngx_security_headers" target="_blank"><i class="fe fe-help-circle"></i></a></span>
+                                    <span class="custom-switch-description"><%- i18n('all-hosts', 'hsts-enabled') %> <a href="https://github.com/ZoeyVid/NPMplus/blob/develop/backend/templates/_hsts.conf" target="_blank"><i class="fe fe-help-circle"></i></a></span>
                                 </label>
                             </div>
                         </div>
diff --git a/frontend/js/app/nginx/proxy/form.ejs b/frontend/js/app/nginx/proxy/form.ejs
index 325657549..ee27c9660 100644
--- a/frontend/js/app/nginx/proxy/form.ejs
+++ b/frontend/js/app/nginx/proxy/form.ejs
@@ -128,7 +128,7 @@
                                 <label class="custom-switch">
                                     <input type="checkbox" class="custom-switch-input" name="hsts_enabled" value="1"<%- hsts_enabled ? ' checked' : '' %><%- certificate_id && ssl_forced ? '' : ' disabled' %>>
                                     <span class="custom-switch-indicator"></span>
-                                    <span class="custom-switch-description"><%- i18n('all-hosts', 'hsts-enabled') %> <a href="https://github.com/GetPageSpeed/ngx_security_headers" target="_blank"><i class="fe fe-help-circle"></i></a></span>
+                                    <span class="custom-switch-description"><%- i18n('all-hosts', 'hsts-enabled') %> <a href="https://github.com/ZoeyVid/NPMplus/blob/develop/backend/templates/_hsts.conf" target="_blank"><i class="fe fe-help-circle"></i></a></span>
                                 </label>
                             </div>
                         </div>
diff --git a/frontend/js/app/nginx/redirection/form.ejs b/frontend/js/app/nginx/redirection/form.ejs
index 803e395d8..904615adb 100644
--- a/frontend/js/app/nginx/redirection/form.ejs
+++ b/frontend/js/app/nginx/redirection/form.ejs
@@ -109,7 +109,7 @@
                                 <label class="custom-switch">
                                     <input type="checkbox" class="custom-switch-input" name="hsts_enabled" value="1"<%- hsts_enabled ? ' checked' : '' %><%- certificate_id && ssl_forced ? '' : ' disabled' %>>
                                     <span class="custom-switch-indicator"></span>
-                                    <span class="custom-switch-description"><%- i18n('all-hosts', 'hsts-enabled') %> <a href="https://github.com/GetPageSpeed/ngx_security_headers" target="_blank"><i class="fe fe-help-circle"></i></a></span>
+                                    <span class="custom-switch-description"><%- i18n('all-hosts', 'hsts-enabled') %> <a href="https://github.com/ZoeyVid/NPMplus/blob/develop/backend/templates/_hsts.conf" target="_blank"><i class="fe fe-help-circle"></i></a></span>
                                 </label>
                             </div>
                         </div>
diff --git a/frontend/js/app/ui/footer/main.ejs b/frontend/js/app/ui/footer/main.ejs
index b56e8ae7a..eaa57d99b 100644
--- a/frontend/js/app/ui/footer/main.ejs
+++ b/frontend/js/app/ui/footer/main.ejs
@@ -4,7 +4,7 @@
             <div class="col-auto">
                 <ul class="list-inline list-inline-dots mb-0">
                     <li class="list-inline-item"><a href="#" onclick="toggleDarkMode()">Toggle Dark Mode</a></li>
-                    <li class="list-inline-item"><a href="https://github.com/ZoeyVid/nginx-proxy-manager" target="_blank"><%- i18n('footer', 'fork-me') %></a></li>
+                    <li class="list-inline-item"><a href="https://github.com/ZoeyVid/NPMplus" target="_blank"><%- i18n('footer', 'fork-me') %></a></li>
                 </ul>
             </div>
         </div>
diff --git a/frontend/js/i18n/messages.json b/frontend/js/i18n/messages.json
index 543c6d4f1..dcd60e782 100644
--- a/frontend/js/i18n/messages.json
+++ b/frontend/js/i18n/messages.json
@@ -41,9 +41,9 @@
       "title": "Login to your account"
     },
     "main": {
-      "app": "Nginx Proxy Manager",
+      "app": "NPMplus",
       "version": "0.0.0",
-      "welcome": "Welcome to Nginx Proxy Manager",
+      "welcome": "Welcome to NPMplus",
       "logged-in": "You are logged in as {name}",
       "unknown-error": "Error loading stuff. Please reload the app.",
       "unknown-user": "Unknown User",
@@ -60,8 +60,8 @@
     },
     "footer": {
       "fork-me": "Repository on GitHub",
-      "copy": "&copy; 2023 <a href=\"{url}\" target=\"_blank\">jc21.com</a>",
-      "copyzv": "and 2023 <a href=\"{url}\" target=\"_blank\">ZoeyVid</a> MIT-License.",
+      "copy": "&copy; 2023 <a href=\"{url}\" target=\"_blank\">jc21.com</a> NPM",
+      "copyzv": "and &copy; 2023 <a href=\"{url}\" target=\"_blank\">ZoeyVid</a> NPMplus - MIT-License - ",
       "theme": "Theme by <a href=\"{url}\" target=\"_blank\">Tabler v0.0.31</a>"
     },
     "dashboard": {
@@ -87,7 +87,7 @@
       "advanced-config": "Custom Nginx Configuration",
       "advanced-config-var-headline": "These proxy details are available as nginx variables:",
       "advanced-config-header-info": "Please note, adding a location '/' will overwrite the proxy configuration",
-      "hsts-enabled": "Enable security headers",
+      "hsts-enabled": "Enable HSTS and security headers",
       "hsts-subdomains": "Enable HTTP/3-Quic",
       "locations": "Custom locations"
     },
@@ -129,7 +129,7 @@
       "delete": "Delete Proxy Host",
       "delete-confirm": "Are you sure you want to delete the Proxy host for: <strong>{domains}</strong>?",
       "help-title": "What is a Proxy Host?",
-      "help-content": "A Proxy Host is the incoming endpoint for a web service that you want to forward.\nIt provides optional TLS termination for your service that might not have TLS support built in.\nProxy Hosts are the most common use for the Nginx Proxy Manager.",
+      "help-content": "A Proxy Host is the incoming endpoint for a web service that you want to forward.\nIt provides optional TLS termination for your service that might not have TLS support built in.\nProxy Hosts are the most common use for the NPMplus.",
       "access-list": "Access List",
       "allow-websocket-upgrade": "Websockets Support",
       "ignore-invalid-upstream-ssl": "Ignore Invalid TLS",
@@ -201,7 +201,7 @@
       "reachability-failed-to-reach-api": "Communication with the API failed, is NPM running correctly?",
       "reachability-failed-to-check": "Failed to check the reachability due to a communication error with site24x7.com.",
       "reachability-ok": "Your server is reachable and creating certificates should be possible.",
-      "reachability-404": "There is a server found at this domain but it does not seem to be Nginx Proxy Manager. Please make sure your domain points to the IP where your NPM instance is running.",
+      "reachability-404": "There is a server found at this domain but it does not seem to be NPMplus. Please make sure your domain points to the IP where your NPM instance is running.",
       "reachability-not-resolved": "There is no server available at this domain. Please make sure your domain exists and points to the IP where your NPM instance is running and if necessary port 80 is forwarded in your router.",
       "reachability-wrong-data": "There is a server found at this domain but it returned an unexpected data. Is it the NPM server? Please make sure your domain points to the IP where your NPM instance is running.",
       "reachability-other": "There is a server found at this domain but it returned an unexpected status code {code}. Is it the NPM server? Please make sure your domain points to the IP where your NPM instance is running.",
diff --git a/frontend/package.json b/frontend/package.json
index 513471b20..6ea27b003 100644
--- a/frontend/package.json
+++ b/frontend/package.json
@@ -1,5 +1,5 @@
 {
-  "name": "nginx-proxy-manager",
+  "name": "npmplus",
   "version": "0.0.0",
   "description": "A beautiful interface for creating Nginx endpoints",
   "main": "js/index.js",
@@ -41,6 +41,6 @@
   "scripts": {
     "build": "webpack --mode production"
   },
-  "author": "Jamie Curnow <jc@jc21.com>",
+  "author": "Jamie Curnow <jc@jc21.com> and ZoeyVid <zoeyvid@zvcdn.de>",
   "license": "MIT"
 }
diff --git a/global/certbot-dns-plugins.js b/global/certbot-dns-plugins.js
index 64915942f..d94c3a5af 100644
--- a/global/certbot-dns-plugins.js
+++ b/global/certbot-dns-plugins.js
@@ -447,9 +447,20 @@ aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY`,
 		dependencies:        '',
 		credentials:         `dns_strato_username = user
 dns_strato_password = pass
+# uncomment if you're using two factor authentication:
+# dns_strato_totp_devicename = 2fa_device
+# dns_strato_totp_secret = 2fa_secret
+#
 # uncomment if domain name contains special characters
 # insert domain display name as seen on your account page here
-# dns_strato_domain_display_name = my-punicode-url.de`,
+# dns_strato_domain_display_name = my-punicode-url.de
+#
+# if you're not using strato.de or another special endpoint you can customise it below
+# you will probably only need to adjust the host, but you can also change the complete endpoint url
+# dns_strato_custom_api_scheme = https
+# dns_strato_custom_api_host = www.strato.de
+# dns_strato_custom_api_port = 443
+# dns_strato_custom_api_path = "/apps/CustomerService"`,
 		full_plugin_name: 'dns-strato',
 	},
 	//####################################################//
diff --git a/rootfs/bin/aio.sh b/rootfs/bin/aio.sh
new file mode 100755
index 000000000..d6452d9bd
--- /dev/null
+++ b/rootfs/bin/aio.sh
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+if [ "$NC_AIO" = "true" ] && [ ! -f /data/etc/aio.lock ]; then 
+    while [ "$(healthcheck.sh)" != "OK" ]; do sleep 10s; done
+    curl -POST http://127.0.0.1:48693/nginx/proxy-hosts -sH 'Content-Type: application/json' -d '{"domain_names":["'"$NC_DOMAIN"'"],"forward_scheme":"http","forward_host":"127.0.0.1","forward_port":11000,"allow_websocket_upgrade":true,"access_list_id":"0","certificate_id":"new","ssl_forced":true,"http2_support":true,"hsts_enabled":true,"hsts_subdomains":true,"meta":{"letsencrypt_email":"","letsencrypt_agree":true,"dns_challenge":false},"advanced_config":"","locations":[],"block_exploits":false,"caching_enabled":false}' -H "Authorization: Bearer $(curl -POST http://127.0.0.1:48693/tokens -sH 'Content-Type: application/json' -d '{"identity":"admin@example.com","secret":"iArhP1j7p1P6TA92FA2FMbbUGYqwcYzxC4AVEe12Wbi94FY9gNN62aKyF1shrvG4NycjjX9KfmDQiwkLZH1ZDR9xMjiG2QmoHXi"}' | jq -r .token)"
+    touch /data/etc/aio.lock
+    echo "The default config for AIO should now be created. Please check the log for any errors and try to resolve them, then delete the aio.lock file and retry."
+fi
diff --git a/rootfs/bin/launch.sh b/rootfs/bin/launch.sh
index 943a12ae3..5f744100c 100755
--- a/rootfs/bin/launch.sh
+++ b/rootfs/bin/launch.sh
@@ -38,4 +38,5 @@ fi
 
 if [ "$PHP81" = "true" ]; then PHP_INI_SCAN_DIR=/data/php/81/conf.d php-fpm81 -c /data/php/81 -y /data/php/81/php-fpm.conf -FOR; fi &
 if [ "$PHP82" = "true" ]; then PHP_INI_SCAN_DIR=/data/php/82/conf.d php-fpm82 -c /data/php/82 -y /data/php/82/php-fpm.conf -FOR; fi &
+aio.sh &
 index.js
diff --git a/rootfs/bin/start.sh b/rootfs/bin/start.sh
index bbae02ece..2aff09d68 100755
--- a/rootfs/bin/start.sh
+++ b/rootfs/bin/start.sh
@@ -121,11 +121,23 @@ if [ -n "$PHP82_APKS" ] && ! echo "$PHP82_APKS" | grep -q "^[a-z0-9 _-]\+$"; the
 fi
 
 
+if [ -n "$NC_AIO" ] && ! echo "$NC_AIO" | grep -q "^true$\|^false$"; then
+    echo "NC_AIO needs to be true or false."
+    sleep inf
+fi
+
+if [ -n "$NC_AIO" ] && ! echo "$NC_DOMAIN" | grep -q "^[a-z0-9.]\+$"; then
+    echo "NC_DOMAIN can consist of lower letters a-z, numbers 0-9 and dots and is required in AIO mode."
+    sleep inf
+fi
+
+
 if [ "$PGID" != "0" ] && [ "$PUID" = "0" ]; then
     echo "You've set PGID but not PUID. Running resetting PGID to 0."
     export PGID="0"
 fi
 
+
 if [ "$NPM_LISTEN_LOCALHOST" = "true" ]; then
     export NPM_IPV4_BINDING="127.0.0.1"
     export NPM_IPV6_BINDING="[::1]"
diff --git a/rootfs/html/404/index.html b/rootfs/html/404/index.html
index 7c342426a..377251c13 100644
--- a/rootfs/html/404/index.html
+++ b/rootfs/html/404/index.html
@@ -18,7 +18,7 @@
                     <h1 class="text-center">404 Not Found</h1>
                 </div>
                 <p class="text-center">
-                    <small>Powered by <a href="https://github.com/ZoeyVid/nginx-proxy-manager" target="_blank">Nginx Proxy Manager</a>
+                    <small>Powered by <a href="https://github.com/ZoeyVid/NPMplus" target="_blank">NPMplus</a>
                     </small>
                 </p>
             </div>
diff --git a/rootfs/html/default/index.html b/rootfs/html/default/index.html
index b9c23b125..64f6a6a27 100644
--- a/rootfs/html/default/index.html
+++ b/rootfs/html/default/index.html
@@ -16,12 +16,12 @@
         <div class="container">
             <div class="jumbotron">
                 <h1 class="text-center">Congratulations!</h1>
-                <p>You've successfully started the Nginx Proxy Manager.</p>
+                <p>You've successfully started NPMplus.</p>
                 <p>If you're seeing this site then you're trying to access a host that isn't set up yet.</p>
                 <p>Log in to the Admin panel to get started.</p>
             </div>
             <p class="text-center">
-                <small>Powered by <a href="https://github.com/ZoeyVid/nginx-proxy-manager" target="_blank">Nginx Proxy Manager</a>
+                <small>Powered by <a href="https://github.com/ZoeyVid/NPMplus" target="_blank">NPMplus</a>
                 </small>
             </p>
         </div>